Network Security Technologies (slide transcript)
Slide 1: Network Security Technologies
CS490 - Security in Computing
Copyright © 2005 by Scott Orr and the Trustees of Indiana University
Slide 2: References
- Security in Computing, 3rd Ed., Chapter 7 (pgs. 457-479)
Slide 3: Section Overview
- Firewall Components
- Firewall Architectures
- Network Intrusion Systems
- Honeypots
Slide 4: Internet Firewalls
(diagram: Internet, DMZ, Internal Network)
Slide 5: Firewall Benefits
- Host Service Protection
- Host Access Control
- Centralized Point of Security
- Enhanced Privacy
- Increased Audit Logging
- Policy Enforcement
Slide 6: Implementation Issues
- Service Restrictions
- Allowed Service Vulnerabilities
- User Backdoors
- Insider Attacks
- Viruses
- Network Throughput to/from Internet
- Single Point of Failure
Slide 7: Firewall Components
- Network Policy
- Advanced Authentication
- Packet Filtering
- Application Gateways
Slide 8: Network Policy
- Service Access Policy
  - Extension of Site Security Policy
  - Which services are allowed to/from which hosts
  - Who is authorized to change policy
- Firewall Design Policy
  - How the Service Access Policy is implemented
  - Either permit any service unless it is expressly denied, or deny any service unless it is expressly permitted
Slide 9: Advanced Authentication
- Using one-time password techniques to allow access via certain services
(diagram: Internet, Internal Network; Unauthenticated vs. Authenticated traffic)
Slide 10: Packet Filtering Routers
- Allowing/Restricting access based on:
  - IP Addresses (source/destination)
  - Protocol (TCP/UDP/ICMP)
  - TCP/UDP Ports (source/destination)
  - ICMP Message Type
  - Packet Size
  - Router Interface/Direction
- Single and multiple addresses/ports per entry
- Screening Routers
Slide 11: Packet Filtering Options
- Send the packet
- Reject the packet
- Drop the packet
- Log information about the packet
- Notify administrator (set off an alarm)
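As an added example (not from the slides), a small rule engine that matches packets on the fields listed on the Packet Filtering Routers slide, applies the send/reject/drop/log options above, and takes the firewall design policy from the Network Policy slide as its default action; the addresses and rule set are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # destination port; None for ICMP
    direction: str         # "in" (from Internet) or "out" (from internal network)

@dataclass
class Rule:
    action: str                  # "accept" (send), "reject" or "drop"
    src: str = "0.0.0.0/0"       # CIDR; a single host is written as /32
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dports: tuple = ()           # empty tuple matches any port
    direction: Optional[str] = None
    log: bool = False            # also record the decision

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports)
                and (self.direction is None or self.direction == p.direction))

def filter_packet(rules, p, default="drop"):
    """First matching rule wins. `default` is the firewall design policy:
    "drop" = deny unless expressly permitted, "accept" = permit unless denied.
    Returns (action, log_lines)."""
    log = []
    for r in rules:
        if r.matches(p):
            if r.log:
                log.append(f"{r.action} {p.proto} {p.src}->{p.dst}:{p.dport}")
            return r.action, log
    return default, log

# Constructed rule set (assumed addresses) for a site exposing only a web server.
RULES = [
    Rule("drop", src="10.0.0.0/8", direction="in", log=True),   # RFC 1918 source arriving from outside: spoofed
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dports=(80, 443)),
    Rule("reject", proto="tcp", dports=(23,), log=True),         # telnet: refuse and tell the sender
]
```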
Slide 12: Packet Filtering Weaknesses
- Hard to configure
- Hard to test
- The more complex the rules, the more performance might be impacted
- No Advanced Authentication support
Slide 13: Application Gateways
- Service components allowed/denied based on rule set
- Each packet repackaged after examination
- Information hiding
- Robust authentication and logging
Slide 14: Application GW Weaknesses
- Scalability
  - Each service requires its own proxy
  - Difficult to manage Connectionless Protocols
- Performance
  - Each packet gets repackaged
- OS/Service Bugs
Slide 15: Circuit Gateways
- Similar to Application Gateway
- No packet processing done at the gateway
Slide 16: Stateful Multi-Layer Inspection
- Inspects raw packets
- Inspection engine intercepts packet at the OSI Network Layer
- Context Aware
- Creates a virtual state for connectionless protocols
Source: Check Point Software Technologies Ltd.
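An added example, not Check Point's code and not part of the slides: a toy stateful inspector that admits a TCP flow only when the inside host opens it with a SYN, and gives UDP the "virtual state" the slide mentions, an entry created by the first outbound datagram and reclaimed after an assumed idle timeout.

```python
UDP_TIMEOUT = 30.0  # seconds a UDP virtual state may stay idle (assumed value)

class StatefulInspector:
    """Toy inspection engine: one state entry per flow, keyed so that both
    directions of the flow map to the same entry (inside host first)."""

    def __init__(self):
        self.state = {}  # (proto, in_ip, in_port, out_ip, out_port) -> last_seen

    @staticmethod
    def _key(proto, src, sport, dst, dport, direction):
        if direction == "out":
            return (proto, src, sport, dst, dport)
        return (proto, dst, dport, src, sport)

    def inspect(self, proto, src, sport, dst, dport, direction, now, syn=False):
        """Return "accept" or "drop" for one packet observed at time `now`."""
        key = self._key(proto, src, sport, dst, dport, direction)
        last = self.state.get(key)
        # Connectionless protocols carry no FIN/RST, so their virtual state
        # is reclaimed purely by idle timeout.
        if last is not None and proto == "udp" and now - last > UDP_TIMEOUT:
            del self.state[key]
            last = None
        if last is not None:
            self.state[key] = now         # known flow: refresh and pass
            return "accept"
        if direction == "out" and (proto == "udp" or syn):
            self.state[key] = now         # inside host opens a new flow
            return "accept"
        # Unsolicited inbound traffic, or a TCP segment claiming to belong
        # to a connection the engine never saw start.
        return "drop"
```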
Slide 17: Firewall Architectures
- Single Device
  - Screening Router
  - Dual-Homed Host
- Multi-Device
  - Screened Host
  - Screened Subnet
  - Split-Screened Subnet
Slide 18: Screening Router
(diagram: Internet, Screening Router, Internal Network)
Slide 19: Dual-Homed Gateway
(diagram: Internet, Proxy Server, Info Server, Internal Network)
Slide 20: Network Address Translation
- Not specifically for security (RFC 1918)
- Hides internal network configuration
- 1 to 1 allocation
  - Static
  - Dynamic
- IP Masquerading
  - Many internal addresses using 1 external address
  - Only internal hosts can initiate a connection
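An added example (not from the slides) of the IP masquerading case: one constructed external address is shared by RFC 1918 hosts, each outbound flow gets its own external port, and an inbound packet is rewritten back to an internal host only when an internal host initiated that flow.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges; only these are translated.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Masquerader:
    def __init__(self, external_ip, first_port=1024):
        self.external_ip = external_ip      # the single address the Internet sees
        self.next_port = first_port         # assumed port allocation: sequential
        self.out_map = {}   # (int_ip, int_port, dst, dport) -> external port
        self.in_map = {}    # (external port, dst, dport) -> (int_ip, int_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite an internal->Internet packet; returns the translated 4-tuple."""
        if not any(ip_address(src) in n for n in PRIVATE):
            raise ValueError("only internal (RFC 1918) hosts are masqueraded")
        key = (src, sport, dst, dport)
        port = self.out_map.get(key)
        if port is None:                    # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, dst, dport)] = (src, sport)
        return (self.external_ip, port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Rewrite an Internet->external packet; None means no mapping, so drop."""
        if dst != self.external_ip:
            return None
        target = self.in_map.get((dport, src, sport))
        if target is None:
            return None     # nothing inside initiated this flow: unsolicited
        int_ip, int_port = target
        return (src, sport, int_ip, int_port)
```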
Slide 21: Screened Host
(diagram: Internet, Screening Router, Bastion Host, Internet Server, Internal Network)
Slide 22: Screened Subnet
(diagram: Internet, Screening Router, Bastion Host, Internet Server, Screening Router, Internal Network)
Slide 23: Split Screened Subnet
(diagram: Internet, Screening Router, Internet Server, Dual-Homed Proxy, Intranet Server, Screening Router, Internal Network)
Slide 24: Network Intrusion Detection
(diagram: Internet, Screening Router, Dual-Homed Proxy, Screening Router, Internal Network; Sensors, Analysis Station)
Slide 25: IDS Analysis
- Knowledge based (attack signatures)
  - Port Scans
  - Denial of Service
  - Known Service Attacks
  - Spoofing
  - Content
- Behavioral based
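An added example (not from the slides) showing both analysis styles over constructed firewall log lines: a port-scan signature stands in for the knowledge-based side, and a connection-rate check against a learned baseline for the behavioral side; the thresholds and the baseline are assumptions.

```python
from collections import defaultdict

# Constructed firewall log: "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
LOG = """\
100 198.51.100.7 192.0.2.10 21 drop
101 198.51.100.7 192.0.2.10 22 drop
101 198.51.100.7 192.0.2.10 23 drop
102 198.51.100.7 192.0.2.10 25 drop
102 198.51.100.7 192.0.2.10 80 accept
103 198.51.100.7 192.0.2.10 110 drop
150 203.0.113.4 192.0.2.10 80 accept
151 203.0.113.4 192.0.2.10 443 accept
""".splitlines()

def parse(lines):
    for line in lines:
        t, src, dst, port, action = line.split()
        yield int(t), src, dst, int(port), action

def port_scan_signature(lines, window=10, min_ports=5):
    """Knowledge based: a source touching >= min_ports distinct ports on one
    destination within `window` seconds matches the port-scan signature."""
    events = defaultdict(list)   # (src, dst) -> [(time, port), ...]
    hits = set()
    for t, src, dst, port, _ in parse(lines):
        events[(src, dst)].append((t, port))
        recent = {p for ts, p in events[(src, dst)] if t - ts <= window}
        if len(recent) >= min_ports:
            hits.add(src)
    return hits

def rate_anomaly(lines, baseline, factor=3.0):
    """Behavioral: flag a source whose connection count exceeds `factor`
    times its baseline for the same period (the baseline is assumed to
    have been learned earlier from known-good traffic)."""
    counts = defaultdict(int)
    for _, src, _, _, _ in parse(lines):
        counts[src] += 1
    return {s for s, n in counts.items() if n > factor * baseline.get(s, 1)}
```

The signature detector gives a precise match with few false positives but misses anything it has no signature for; the behavioral one catches novel activity at the cost of the false positives the next slide lists.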
Slide 26: IDS Weaknesses
- Very young technology
- False Positives
- False Negatives
- Scalability
Slide 27: Honeypots
- Sacrificial host used to lure attackers
- Simulates a vulnerable system
- Used to study attacker techniques
  - Firewall/IDS traffic logs
  - System logs
  - File Integrity Checker logs
  - Keystroke capturing
- Early Case – “Berferd”