data security in local network using distributed firewall ppt

Data Security in LAN Data Security in LAN using Distributed using Distributed FirewallFirewall

1

Presented by Sabreen Irfana GMIT

Guided by: Mr. Santosh Kumar B.E ,M Tech Asst prof ,Dept ISE GMIT

AbstractAbstract

Computer and networking have become inseparable now .

A number of confidential transaction occur every second and today computers are used mostly for transaction rather than processing of data, so Data security is needed to prevent hacking of data and to provide authenticated data transfer

2

..ContdContd

Data security can be achieved by Firewall Conventional firewall relay on the notion of

restricted topology and controlled entry point

Restricting the network topology difficult in filtering certain protocols, expanding network and few more problems leads to the evolution of DISTRIBUTED FIREWALL

3

ContentsContents

Introduction to Security and Firewalls

Problems with traditional Firewalls Distributed Firewall Concept Distributed Firewall Implementation Conclusions

4

FirewallsFirewalls

Firewall is a device or set of instruments designed to permit or deny network transmissions based upon a set of rules and regulations which are frequently used to protect networks from unauthorized access

In most systems today, the firewall is the software that implements the “security policy” for a system

A firewall is typically placed at the edge of a system and acts as a filter for unauthorized traffic5

Security PolicySecurity Policy

A “security policy” defines the security rules of a system.

Without a defined security policy, there is no way to know what access is allowed or disallowed

An example policy: (simple)◦ Allow all connections to the web server◦ Deny all other access

6

Firewall ExampleFirewall Example

7

Firewall DrawbacksFirewall Drawbacks

Traditional Firewalls uses restricted topology of the network

Donot protect networks from internal attack

Certain protocols (FTP, Real-Audio) are difficult for firewalls to process

Assumes inside users are “trusted”

single points of access make firewalls hard to manage8

.contd.contd

1.Restricted topology

9

.contd .contd

2 .Assumes inside users are trusted

10

.contd .contd

3.Single point of failure or access

11

..Data security ThreatsData security Threats

IP Spoofing or IP masquerading

12

A10.10.10.1

B134.117.1.60

B

10.10.10.1

Src_IP

134.117.1.60

dst_IP

Any (>1024)

Src_port

80

dst_port

11.11.11.1

Src_IP

134.117.1.60

dst_IP

Any (>1024)

Src_port

80

dst_port

spoofed

.cont IP spoofing.cont IP spoofing

13

sender ip spoofed packet

victim

partnerdst: victim

src: partner

Oh, my partner sent me a packet. I’ll process this.

impersonation

.contd.contd

Session hijacking

14

contdcontd

Denial of service(DOS)

15

Distributed Firewall Distributed Firewall ConceptConcept

Destributed firewall is a mechanism to enforce a

network domain security policy through the use

of policy language

Security policy is defined centrally

Enforcement of policy is done by network endpoint(s) where is the hackers try to penetrate

16

..contdcontd

It filters traffic from both the internal and

internet network

They overcome the single point of failure concept

17

Architecture of Architecture of Distributed FirewallsDistributed Firewalls

The whole distributed firewall system consists of four main parts:

I. The management center

II. Policy actuator:

III.Remote endpoint connectors

IV.Log server

19

.contd.contd

20

PBNA SystemPBNA System

Policy Based Network Management System

21

Standard Firewall ExampleStandard Firewall Example

22

Corporate NetworkCorporateFirewall

Internet

InternalExternal

ExternalHost

InternalHost

1

InternalHost

2(untrusted)

Webserver

IntranetWebserver(companyprivate)

Standard Firewall Example Standard Firewall Example Connection to web serverConnection to web server

23


Internet

InternalExternal

ExternalHost

InternalHost

1

InternalHost

2(untrusted)

Webserver


Standard Firewall Example Standard Firewall Example Connection to intranetConnection to intranet

24


Internet

InternalExternal

ExternalHost

InternalHost

1

InternalHost

2(untrusted)

Webserver


blocked byfirewall connection

allowed,but should

not be

Distributed Firewall Distributed Firewall ExampleExample

25

Corporate NetworkInternet

InternalExternal

ExternalHost

InternalHost

1

InternalHost

2(untrusted)

Webserver


InternalHost

(telecommuting)

Distributed Firewall Example Distributed Firewall Example to web serverto web server

26


InternalExternal

ExternalHost

InternalHost

1

InternalHost

2(untrusted)

Webserver


InternalHost

(telecommuting)

Distributed Firewall Example Distributed Firewall Example to intranetto intranet

27


InternalExternal

ExternalHost

InternalHost

1

InternalHost

2(untrusted)

Webserver


InternalHost

(telecommuting)

Components of Components of Distributed FirewallsDistributed Firewalls

28

A Distributed Firewall is a mechanism to enforce a network domain

security policy through the use of the following:

Policy Language

Policy Distributed Scheme

Certificates

.contd.contd

29

Policy language The Policy language is used to create policies for each firewall.

These policies are the collection of rules, which guides the firewall for evaluating the network traffic. It also defines which inbound and outbound connections on any component of the network policy domain are allowed.

.contd.contd

30

Policy Distribution Scheme

The policy distribution scheme should guarantee the integrity of the policy during transfer.

This policy is consulted before processing the incoming or outgoing messages.

The distribution of the policy can be different and varies with the implementation. It can be either directly pushed to end systems , or pulled when necessary

.contd.contd

31

Certificates There may be the chance of using IP address for the host identification by the distributed firewalls.

But a mechanism of security is more important. It is preferred to use certificate to identify hosts. IPSec provides cryptographic certificates. Unlike IP address, which can be easily spoofed, the digital certificate is much more secure and the authentication of the certificate is not easily forged. Policies are distributed by means of these

Advantages Advantages

32

1. Provides security for internet and intranet

2. Multiple access points

3. Insiders are no longer trusted

4. Security policy rules are distributed and established on needed basis

5 End to End can be easily done and filtering packets is easy

DisadvantageDisadvantage

33

1. Compliance of the security policy for insiders is one of the major issues of the distributed firewalls. This problem especially occurs when each ending host have the right of changing security policy. There can be some techniques to make modifying policies harder but it is not totally impossible to prevent it.2 It is not so easy to implement an intrusion detection system in a distributed firewall environment. It is possible to log suspicious connections on local server but these logs need to be collected and analyzed by security experts in central service

Distributed Firewall Distributed Firewall implementationimplementation....

Language to express policies and resolving requests (KeyNote system)

Using keynode and Ipsec allows control of mixed level

policies where authentication mechanism is applied

through public key cryptography

34

KeyNoteKeyNote

A language to describe security policies (RFC 2704)

Fields :◦ KeyNote Version – Must be first field, if present

◦ Authorizer – Mandatory field, identifies the issuer of the assertion

◦ Comment◦ Conditions – The conditions under which the Authorizer trusts the

Licensee

◦ Licensees – Identifies the authorized, should be public key, but can be IP address

◦ Signature – Must be last, if present

All field names are case-insensitive

35

KeyNote Example 1KeyNote Example 1

36

KeyNote Example 2KeyNote Example 2

37

KeyNote-Version: 2Authorizer: “rsa-hex:1023abcd”Licensee: “IP:158.130.6.141”Conditions: (@remote_port < 1024 &&

@local_port == 22 ) -> “true”;Signature: “rsa-sha1-hex:bee11984”

Note that this credential delegates to an IP address,

Application interaction Application interaction with keyNote with keyNote

38

Example of Connection to Example of Connection to a Distributed Firewalla Distributed Firewall

local host security policy:KeyNote-Version: 2

Authorizer: “POLICY”

Licensees: ADMINISTRATIVE_KEY

Assumes an IPSEC SA between hosts

39

Example of Connection to a Example of Connection to a Distributed FirewallDistributed Firewall

KeyNote-Version: 2

Authorizer: ADMINISTRATIVE_KEY

Licensees: USER_KEY

Conditions:

(app_domain == "IPsec policy" &&

encryption_algorithm == “yes" &&

local_address == "158.130.006.141")

-> "true";

(app_domain == "Distributed Firewall" &&

@local_port == 23 &&

encrypted == "yes" &&

authenticated == "yes") -> "true";

Signature: ...

40

Example of Connection to a Example of Connection to a Distributed FirewallDistributed Firewall

41

source

local host158.130.6.141

(running PolicyDaemon)

IPSEC SA

TCP connect (23)context created

local port=23encrypted="yes"

authenticated="yes"

Policy Daemonchecks context

vs.credential

continue TCPsession

Returns TRUE

ConclusionsConclusions

Distributed firewalls allows the network security policy to remain under control of the system administrators

Insiders may no longer be unconditionally treated as “trusted”

Does not completely eliminate the need for traditional firewalls

More research is needed in this area to increase robustness, efficiency,

42

Future WorkFuture Work

High quality administration tools NEED to exist for distributed firewalls to be accepted

Allow per-packet scanning as opposed to per-connection scanning

Policy updating

43

ReferencesReferences

[1] Sotiris Ioannidis, Angelos D. Keromytis, Steve M. Bellovin, Jonathan M. Smith, “Implementing a Distributed Firewall”, CCS ’00,Athens, Greece.

[2] Steven M. Bellovin, “Distributed Firewalls”, November 1999 issue of; login: pp. 37-39.

[3] W. R. Cheswick and S. M. Bellovin. “Firewalls and Internet Security”: Repelling the Wily Hacker. Addison-Wesley, 1994.

[4] [Robert Stepanek, “Distributed Firewalls”, [email protected], T-110.501 Seminar on Network Security, HUT TML 2001.

[5] Dr. Mostafa Hassan Dahshan “Security and Internet Protocol”, Computer Engineering

44