network security network review and firewalls
play

Network Security: Network Review and Firewalls Henning Schulzrinne - PowerPoint PPT Presentation

Apr 11, 2023 •208 likes •667 views

1 Network Security: Network Review and Firewalls Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 1999-2000, Henning Schulzrinne c Last modified September 21, 2000 2 Secure

  1. 1 Network Security: Network Review and Firewalls Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 � 1999-2000, Henning Schulzrinne c Last modified September 21, 2000

  2. 2 Secure Communications � Alice can send message to Bob; only Bob can read � Bob knows for sure that Alice sent it � Alice can’t deny she sent the message � but the basic communication is insecure: – wiretapping – switches and routers – redirection – storage – . . . � $ storage security

  3. 3 Security is analog, not binary... � there is no perfect security � cost of inconvenience vs. cost of breach � how long does it have to stay secret? � how sophisticated is the adversary? � value of information + value of service (DOS) � physical security + cryptographic � difference: attack from anywhere, automated (“script kiddies”) � most problems are not crypto problems � wire/fiber-tapping is hard

  4. 4 Terminology bad guy: avoid ‘hacker’; Trudy = intruder, impostor secret key: = symmetric = receiver and transmitter share secret key, nobody else public key: = asymmetric = two keys, one public, one private (secret) � confidentiality $ privacy: protect communications from all but intended recipients privacy laws

  5. 5 Dramatis Personae usually computers: Alice: first participant Bob, Carol, Dave: second, third, fourth participant Eve: evesdropper Mallory, Trudy: malicious active attacker Trent: trusted arbitrator Walter: warden; guarding Alice and Bob in some protocols Peggy: prover Victor: verifier

  6. 6 Kaufman Notation � ex-or, exclusive or j j ”secret” = ”joesecret” concatenation (e.g., ”joe” f message g K encrypted with key K f message g Bob encrypted with public key of Bob [ message ℄ Bob signed by Bob = using his private key

  7. 7 Network Primer layer name who e.g., PDU 7 application E-E SMTP message 6 presentation E-E MIME 5 session E-E ? 4 transport E-E TCP packet 3 network router IP packet 2 data link bridge, switch Ethernet frame 1 physical repeater Ethernet over coax bit stream

  8. 8 Network Services (Almost) any layer: error checking: checksum, drop bad packets reliability: retransmission (ARQ, ”ack”) or forward error correction (redundancy) ordering: ensure delivery order ! one lower-layer entity (e.g.,: telephony) multiplexing: several upper-layer entities inverse multiplexing: spread single message over several channels flow control: avoid overrunning slow receiver congestion control: avoid overrunning slow network encryption, authentication: obviously. . .

  9. 9 Directory Services � need (network-layer) address to communicate � more memorable, different assignment: – unique identifier – locator – name (administrative, “John Smith”, www.) � directory service: translation between addresses � scalability ➠ tree, hiearchy � e.g.,: clinton@whitehouse.gov � needed for security: public key � needs to be secured

  10. 10 Network Security Layers Physical layer: blackening Data link layer: wireless Ethernet encryption (802.11 WEP at 11 Mb/s), PPP authentication Network layer: IPsec Transport layer: secure socket layer (TLS, “https:”) Application: email (PGP, S/MIME), x -over-TLS, HTTP authentication, SHTTP, Kerberos infrastructure: DNS, routing, resource reservations, . . .

  11. 11 Security Approaches � Application security � OS security � Network infrastructure security � Procedural and operational security

  12. 12 Application Security � application software security (e.g., buffer overruns) � path encryption via secure application protocols (ssh) � isolating critical applications on single-purpose hosts

  13. 13 Host/OS Security � OS software integrity (most attacks on non-patched OS) � user-level access control (AAA, tokens) � block unneeded services (finger, ftp, DNS) � path encryption via IPsec � device-level access control (MAC, IP, DNS) in servers, routers, Ethernet switches � e.g., host firewalling (such as TCP wrappers, IP chains)

  14. 14 Network Infrastructure Security � service-blocking perimeter (port) � device-ID perimeter (IP address) � path encryption perimeter � path isolation via routers and switches � path isolation via separate infrastructure (“air gap”)

  15. 15 Procedural and Operational Security � policies and education on safe computing practices � desktop configuration management � proactive probing for vulnerabilities � intrusion detection

  16. 16 Top-level Domains 2 letters: countries 3 letters: independent of geography (except edu, gov, mil) domain usage example domains (8/00) com business (global) research.att.com 17,050,817 edu U.S. 4 yr colleges cs.columbia.edu 5,673 gov U.S. non-military gov’t whitehouse.gov 730 mil U.S. military arpa.mil org non-profit orgs (global) www.ietf.org 248,489 net network provider nis.nsf.net 2,806,721 us U.S. geographical ietf.cnri.reston.va.us uk United Kingdom cs.ucl.ac.uk 194,686 de Germany fokus.gmd.de 262,708

  17. 17 Replicated Services � load sharing � availability � same information? � replay: change password to different server

  18. 18 Packet Switching � circuit switching: fixed-rate, reserved bit stream between parties for duration of communications (“wire”) � packet switching: chop application messages into packets ( < few kB, with upper bound): – interleaving from different sources – error recovery on single unit – flexible bandwidth ➠ encryption on messages or packets

  19. 19 Network Components link: connection between components, including wireless ➠ point-to-point (modem), multiple access (Ethernet) router, switch: forward packets node: router (= intermediate system), host (= end system) clients: access resources and services servers: provide resources and services (may also be client) dumb terminal: no local processing

  20. 20 Network Access and Interconnection regional network NAP NAP company point-of-presence firewall (POP) R 56kb/s national - 2Mb/s network R R R T3 Ethernet local modem telephone concentrator company regional network phone lines+ node PC phone telephone modem company switch

  21. 21 Destinations � interconnect local networks (links) of different technology � router: 1. get packet from source link, strip link layer header 2. find outgoing interface based on destination network address 3. find next link-layer address 4. wrap in link layer header and send

  22. 22 Internet Names and Addresses example organization 8:0:20:72:93:18 MAC address flat, permanent 132.151.1.35 IP address topological (mostly) www.ietf.org Host name hierarchical clinton@whitehouse.gov User name multiple DNS ; man y � to � man y ARP ; 1 � to � 1 ! ! host name IP address MAC address addresses can be forged ➠ check source

  23. 23 Tempest � every device is a radio transmitter � e.g., TV scanning � Europe: find unlicensed TV receivers � control zone

  24. 24 Threats for a Corporate/Campus Network � unauthorized access to hosts (clients, servers) � disclosure & modification of network data � denial-of-service attacks

  25. 25 Threats for the Internet/ISP � propagate false routing entries (“black holes”, www.citibank.com � ! www.mybank.az ) � domain name hijacking � link flooding � configuration changes (SNMP) � packet intercept

  26. 26 Application-Layer Threats � only limited ability of network intervention possible � shoulder-surfing � rogue applications emailing out confidential files � viruses, mail bombs, email attachments, . . .

  27. 27 General Strategies � hardening the OS and applications � encrypting sensitive data � reduce size of target � ! disable unneeded services � limit access of attacker to target systems

  28. 28 Network Infrastructure network infrastructure enterprise Internet network border edge interior

  29. 29 Trust Model � perimeter defense: defines trust zone � most attacks are from the inside � traveling users: virtual private networks – danger! � “extranets” for vendors, suppliers, . . . � internal hosts may not be managed or under control of network operator � defense in depth

  30. 30 Firewalls � computer between internal (“intranet”) and external network � = policy-based packet filtering � watch single point rather than every PC � limit in/out services, restrict incoming packets � can’t prevent people walking out with disks packet filter: restrict IP addresses ( address filtering ), ports connection filter: only allow packets belonging to authorized (TCP) connections encrypted tunnel: tunnel = layer same layer inside itself ➠ virtual network: connect intranets across Internet NA(P)T: network address (and port) translator are not firewalls, but can prevent all incoming connections

  31. 31 Network Address Translation alice.example.com 10.0.0.2/2345 −> 216.32.74.51/80 (10.0.0.2) 128.59.16.1/5678 −> 216.32.74.51/80 port addr/port 216.32.74.51/80 −> 10.0.0.2/2345 www.yahoo.com 5678 10.0.0.1/2345 (216.32.74.51) NAT 128.59.16.1/5678 <− 216.32.74.51/80 10.0.0.1 128.59.16.1 bob.example.com (10.0.0.3)

  32. 32 Application Gateway gateway global intranet net firewall firewall F2 F1 Ethernet DMZ � firewall F x : only to/from gateway � may only allow email, file transfer � hard to restrict large file transfers

Recommend

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Network Security: Network Review and Firewalls Henning Schulzrinne Columbia University, New York

Network Security: Network Review and Firewalls Henning Schulzrinne Columbia University, New York

1 Network Security: Network Review and Firewalls Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 1999-2000, Henning Schulzrinne c Last modified September 21, 2000 Slide 1

579 views • 23 slides
CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015

CS 5410 - Computer and Network Security: Firewalls Professor Kevin Butler Fall 2015 Southeastern Security for Enterprise and Infrastructure (SENSEI) Center Firewalls A firewall ... is a physical barrier inside a building or vehicle,

555 views • 23 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second edition Firewall and Internet Security, the Second Hundred (Internet)

801 views • 78 slides
Network Control: Firewalls CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Network Control: Firewalls CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Network Control: Firewalls CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 14, 2013 Game Plan Network

734 views • 38 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 6 Firewalls &amp; VPNs Topics Firewall Fundamentals Case study: Linux iptables

778 views • 46 slides
Hands-On Network Security: Practical Tools &amp; Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools &amp; Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools &amp; Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 6 Firewalls &amp; VPNs Topics Firewall Fundamentals Case

881 views • 51 slides
Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general):

Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general):

IN3210 Network Security Firewalls Packet Filtering Recapitulation: IPv4 Task of IP (Network layer in general): Packet forwarding incl. routing Properties: Connection-less Adressing: source + destination IP address No

725 views • 47 slides
Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014 Outline Network security characteristics and threats Denial of service attacks Traffic control mechanisms Firewalls

797 views • 67 slides
Network Technology Review and Security Concerns Computer Security I CS461/ECE422 Fall 2010

Network Technology Review and Security Concerns Computer Security I CS461/ECE422 Fall 2010

Network Technology Review and Security Concerns Computer Security I CS461/ECE422 Fall 2010 Outline Overview Issues and Threats in Network Security Review basic network technology TCP/IP in particular Attacks specific to

709 views • 54 slides
Network Technology Review and Security Concerns Computer Security I CS461/ECE422 Fall 2009

Network Technology Review and Security Concerns Computer Security I CS461/ECE422 Fall 2009

Network Technology Review and Security Concerns Computer Security I CS461/ECE422 Fall 2009 Outline Overview Issues and Threats in Network Security Review basic network technology TCP/IP in particular Attacks specific to

807 views • 55 slides
Authorization: Firewalls Prof. Tom Austin San Jos State University Networking Basics Network

Authorization: Firewalls Prof. Tom Austin San Jos State University Networking Basics Network

CS 166: Information Security Authorization: Firewalls Prof. Tom Austin San Jos State University Networking Basics Network Includes Computers Servers Routers Wireless devices Etc. Purpose is to transmit data

839 views • 64 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Firewalls What is a firewall? A machine to protect a network from malicious external

Firewalls What is a firewall? A machine to protect a network from malicious external

Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits between a LAN/WAN and the Internet Running special software to regulate network traffic Lecture 9 Page 1

602 views • 29 slides
WANWide Area Network. The internet at large, the outside. LANLocal Area

WANWide Area Network. The internet at large, the outside. LANLocal Area

Typical Network Topology SOHO Firewalls WAN 2006-11-25 (Internet) What is it: Networks and Firewalls / Routers firewall/ DMZ router Typical Network Topology LAN LAN LAN WANWide Area Network. The internet at large, the

624 views • 6 slides
Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on

CSE/ISE 311: Systems Administra5on Network Firewalls Don Porter CSE/ISE 311: Systems Administra5on Firewalls: An Essen2al Tool Previous Lectures: Every service

469 views • 20 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL:

CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL:

CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07 CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Midterm Grades (High is 83) 77-94 -- A (4)

930 views • 29 slides

More recommend