• No results found

Chapter 8 Network Security

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Chapter 8 Network Security"

Copied!
7
0
0

Loading.... (view fulltext now)

Download now ( 7 Page )

Full text

(1)

Chapter 8 Network Security

[Computer networking, 5thed., Kurose]

Chapter 8 Network Security

8.1

What is network security?

8.2

Principles of cryptography

8.

r nc p es of cryptography

8.3

Message integrity

8 4

Securing e mail

8.4

Securing e-mail

8.5

Securing TCP connections: SSL

8.6

Network layer security: IPsec

8.7

Securing wireless LANs

g

8.8 Operational security: firewalls and IDS

38

Network Security

Firewalls

Firewalls

firewall

isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.

administered public

network

p

(2)

Firewalls: Why

Firewalls: Why

prevent denial of service attacks: p

 SYN flooding: attacker establishes many bogus TCP

connections, no resources left for “real” connections

prevent illegal modification/access of internal data prevent illegal modification/access of internal data.

 e.g., attacker replaces CIA’s homepage with something else

allow only authorized access to inside network y (set of authenticated ( f users/hosts)

three types of firewalls:

t t l k t filt

 stateless packet filters  stateful packet filters  application gateways  application gateways

40

Network Security

Stateless packet filtering

Stateless packet filtering

Should arriving packet be allowed in? Departing packet let out?

ˆ

internal network connected to Internet via

router firewall

ˆ

router

filters packet-by-packet,

decision to

forward/drop packet based on:

(3)

Stateless packet filtering: example

Stateless packet filtering: example

ˆ

example 1: block incoming and outgoing

p

g

g g

datagrams with IP protocol field = 17 and with

either source or dest port = 23.



all incoming, outgoing UDP flows and telnet

connections are blocked.

l 2 Bl k i b

d TCP

t ith

ˆ

example 2: Block inbound TCP segments with

ACK=0.



prevents external clients from making TCP



prevents external clients from making TCP

connections with internal clients, but allows

internal clients to connect to outside.

internal clients to connect to outside.

42

Network Security

Stateless packet filtering: more examples

Policy Firewall Setting

Stateless packet filtering: more examples

Policy Firewall Setting

No outside Web access. Drop all outgoing packets to any IP address, port 80

No incoming TCP connections, except those for institution’s public Web server only

Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80

public Web server only.

Prevent Web-radios from eating

up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts.

Prevent your network from being

used for a smurf DoS attack. Drop all ICMP packets going to a “broadcast” address (eg 130.207.255.255).)

Prevent your network from being tracerouted

(4)

Access Control Lists

Access Control Lists

ˆ

ACL:

table of rules, applied top to bottom to incoming

ti source dest t l source dest flag

pp p g

packets: (action, condition) pairs action

address address protocol port port

g bit allow 222.22/16 outside of 222 22/16 TCP > 1023 80 any 222.22/16 allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK allow 222.22/16 222.22/16outside of UDP > 1023 53 ---allow outside of 222 22/16

allow outside of 222.22/16

222.22/16

UDP 53 > 1023

----deny all all all all all all

44

Stateful packet filtering

Stateful packet filtering

ˆ

stateless packet filter: heavy-handed tool

p

y

 admits packets that “make no sense,” e.g., dest port =

80, ACK bit set, even though no TCP connection established: established: action source address dest address protocol source port dest port flag bit allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK

ˆ stateful packet filter: track status of every TCP connection

 track connection setup (SYN), teardown (FIN): can

d t i h th i i t i k t “ k ”

determine whether incoming, outgoing packets “makes sense”

 timeout inactive connections at firewall: no longer admit

(5)

Stateful packet filtering

Stateful packet filtering

ˆ ACL augmented to indicate need to check connection state ˆ ACL augmented to indicate need to check connection state

table before admitting packet

action addresssource addressdest proto sourceport destport flagbit conxioncheck allow 222 22/16 outside of TCP > 1023 80 any

allow 222.22/16 222.22/16 TCP > 1023 80 allow outside of 222.22/16 222.22/16 TCP 80 > 1023 ACK

x

allow 222.22/16 outside of 222.22/16 UDP > 1023 53

---x

allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ----

x

d ll ll ll ll ll ll

deny all all all all all all

46

Application gateways

gateway to remote

Application gateways

ˆ

filt

k t

host-to-gateway telnet session

gateway-to-remote host telnet session

ˆ

filters packets on

application data as well

as on IP/TCP/UDP fields

application

gateway router and filter

as on IP/TCP/UDP fields.

ˆ

example:

allow select

internal users to telnet

nternal users to telnet

outside.

1 require all telnet users to telnet through gateway

Firewall consisting of an app. gateway and a filter

1. require all telnet users to telnet through gateway.

2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections

(6)

Limitations of firewalls and gateways

Limitations of firewalls and gateways

ˆ

IP spoofing:

router

ˆ

filters often use all or

ˆ

IP spoofing:

router

can’t know if data

“really” comes from

ˆ

filters often use all or

nothing policy for UDP.

ˆ

tradeoff:

degree of

claimed source

ˆ

if multiple app’s. need

i l

h

ˆ

tradeoff

degree of

communication with

outside world, level of

special treatment, each

has own app. gateway.

ˆ

cli nt s ft r must

security

ˆ

many highly protected

it till ff f

ˆ

client software must

know how to contact

gateway

sites still suffer from

attacks.

gateway.

 e.g., must set IP address

of proxy in Web bbrowser

48

Network Security

Intrusion detection systems

Intrusion detection systems

ˆ

packet filtering:

ˆ

packet filtering:



operates on TCP/IP headers only

l ti

h k i



no correlation check among sessions

ˆ

IDS: intrusion detection system



deep packet inspection:

look at packet contents

(e.g., check character strings in packet against

database of known virus attack strin s)

database of known virus, attack strings)



examine correlation

among multiple packets

• port scanning • port scanning • network mapping • DoS attack

(7)

Intrusion detection systems

Intrusion detection systems

ˆ

multiple IDSs may be used: different types

ˆ

multiple IDSs may be used: different types

of checking at different locations

application internal network pp firewall gateway Internet firewall Web IDS high-security region server FTP server DNS server demilitarized IDS sensors zone 50 Network Security lower-security region

Intrusion detection systems

y

ˆ

signature-based IDS:

h iff d k t ith th i t i

 compares each sniffed packet with the signatures in

database

 requires previous knowledge of the attackq p g

• blind to new attacks

 every packet must be compared with an extensive

collection of signatures collection of signatures

ˆ

anomaly-based IDS:

 creates a traffic profile as it observes traffic in normal  creates a traffic profile as it observes traffic in normal

operation.

 looks for packet streams that are statistically unusual

• e.g., inordinate percentage of ICMP packets, sudden exponential growth in port scans and ping sweeps.

 challenging problem to distinguish between normal traffic g g p g

and statistically unusual traffic

References

Download now ( PDF - 7 Page - 232.50 KB )

Related documents

Sonic Drive-In CASE STUDY. Sonic wanted a single-source Big Data solution that. could provide faster and easier access to insights

It’s baseline requirements satisfied, Sonic quickly started taking advantage of other opportunities the 1010data platform offered, including analytics of “mashups” that

Millennials\u27 Civics Inclinations: A Study of Civics Education\u27s Impact on Millennials\u27 Political Knowledge and Political Participation

By expanding the definition of civics education to include both inside and outside the classroom, and by studying how these agents of political socialization relate to

DAVID YATES Executive Vice President, Alternative Channels

 Example: Safaricom / M-PESA Kenya mobile users Western Union on Mobile Banking Western Union on Mobile Wallet.. Sender uses mobile wallet as source

Intensifying masculinity of sex ratios in India : new evidence 1981-1991

We use data from the 1981 and 1991 censuses of India to examine (a) sex ratios among infants aged under 2, (b) child mortality (q5) by sex, and (c) estimated period sex ratios

External Factors and Iranian EFL Teachers’ Performance: Examining the Effectiveness of Self- regulation

According to the results of this study t pre-service and in- service training and boundaries and expectation as external assets had a positive and significant effect on the

ANALGESIC EFFECT OF CUPPING THERAPY IN OSTEOARTHRITIS ON TIMELINE: AN OPEN COMPARATIVE CLINICAL STUDY

assessment was not much in knee OA where both the groups assessed the same percent relief, however; there was a considerable difference in pain assessment in

"They've been my Lifeline"

Target hardening refers to the strengthening of the security of an individual premises with a view to reducing or minimising the risk of attack.. The IDVA is line

Disruption of transfer entropy and inter-hemispheric brain functional connectivity in patients with disorder of consciousness

Keywords: disorder of consciousness, resting state, functional magnetic resonance imaging, BOLD signal, transfer entropy, partial correlation, functional connectivity, brain