U of I CS 498 - Network Security Architecture


Network Security Architecture
Information Assurance
Fall 2006

Reading Material
•Intrusion Detection: Chapter 25 from Computer Security, Matt Bishop
•Network Security: Chapter 26, Computer Security: Art and Science
•“Firewalls and Internet Security: Repelling the Wily Hacker”, Cheswick, Bellovin, and Rubin.
–New second edition
•“Firewall and Internet Security, the Second Hundred (Internet) Years” http://www.cisco.com/warp/public/759/ipj_2-2/ipj_2-2_fis1.html
–A firewall overview article from 1999

Overview
•Network Security Architecture
–Security Domains
–VPN
•Firewall Technology
–Address Translation
–Denial of Service attacks
•Intrusion Detection
•Both firewalls and IDS are introductions.
–Both are covered in more detail in the Security Lab class.
–IDS is covered in more detail in 463 – Computer Security.

Security Domains
[Figure: security domains – Internet, Corporate Network, Control Network, Partner Network]

Perimeter Defense
•Is it adequate?
–Locating and securing all perimeter points is quite difficult
•Less effective for a large border
–Inspecting/ensuring that remote connections are adequately protected is difficult
–Insider attacks are often the most damaging

Virtual Private Networks
•A private network that is configured within a public network
•A VPN “appears” to be a dedicated network to the customer
•The customer is actually “sharing” trunks and other physical infrastructure with other customers
•Security?
–Depends on the implementing protocol

Multiple VPN Technologies
SSL
•Confidentiality? Yes
•Data integrity? Yes
•User authentication? Yes
•Network access control? No
•In addition, limited traffic
IPSec
•Confidentiality? Yes
•Data Integrity? Yes
•User Authentication? Yes
•Network access control? Yes
•Client configuration required.
VLAN – Layer 2 tunnelling technology
•Confidentiality? No
•Data Integrity? No
•User authentication? Yes
•Network access control? Yes
•Not viable over non-VLAN internetworks

Security Domains with VPNs
[Figure: security domains with VPNs – Internet, Corporate Network, Control Network, Partner Network, Home Network]

“Typical” corporate network
[Figure: Internet – Firewall – Demilitarized Zone (DMZ) – Firewall – Intranet; hosts shown: Web Server, Mail forwarding, DNS (DMZ), Mail server, DNS (internal), File Server, Web Server, User machines]

Firewall Goal
•Insert after-the-fact security by wrapping or interposing a filter on network traffic
[Figure: Inside – firewall – Outside]

Application Proxy Firewall
•Firewall software runs in application space on the firewall
•The traffic source must be aware of the proxy and add an additional header
•Leverage basic network stack functionality to sanitize application level traffic
–Block Java or ActiveX
–Filter out “bad” URLs
–Ensure well-formed protocols or block suspect aspects of a protocol
•Not used much anymore

Packet Filter Firewall
•Operates at Layer 3 in a router or HW firewall
•Has access to the Layer 3 header and Layer 4 header
•Can block traffic based on source and destination address, ports, and protocol
•Does not reconstruct the Layer 4 payload, so cannot do reliable analysis of layer 4 or higher content

Stateful Packet Filters
•Evolved as packet filters aimed for proxy functionality
•In addition to Layer 3 reassembly, it can reconstruct layer 4 traffic
•Some application layer analysis exists, e.g., for HTTP, FTP, H.323
–Called context-based access control (CBAC) on IOS
–Configured by the fixup command on PIX
•Some of this analysis is necessary to enable address translation and dynamic access for negotiated data channels
•Reconstruction and analysis can be expensive.
–Must be configured on specified traffic streams
–At a minimum the user must tell the Firewall what kind of traffic to expect on a port
–Degree of reconstruction varies per platform, e.g. IOS does not do IP reassembly

Traffic reconstruction
[Figure: FTP session from X to Y through the firewall; X sends “GET /etc/passwd”]
•GET command causes the firewall to dynamically open a data channel initiated from Y to X
•Might have a filter for files to block, like /etc/passwd

Access Control Lists (ACLs)
•Used to define traffic streams
–Bind ACLs to interface and action
•Access Control Entry (ACE) contains
–Source address
–Destination Address
–Protocol, e.g., IP, TCP, UDP, ICMP, GRE
–Source Port
–Destination Port
•ACL runtime lookup
–Linear
–N-dimensional tree lookup (PIX Turbo ACL)
–Object Groups
–HW classification assists

Ingress and Egress Filtering
•Ingress filtering
–Filter out packets from invalid addresses before entering your network
•Egress filtering
–Filter out packets from invalid addresses before leaving your network
[Figure: Inside (owns network X) – firewall – Outside; Egress Filtering: block outgoing traffic not sourced from network X; Ingress Filtering: block incoming traffic from one of the set of invalid networks]

Denial of Service
•Example attacks
–Smurf Attack
–TCP SYN Attack
•DoS generally exploits resource limitations
–Denial by Consumption
–Denial by Disruption
–Denial by Reservation

TCP SYN Attack
•Exploits the three-way handshake
[Figure 1. Three-way Handshake: S → D: SYN x; D (LISTEN → SYN_RECEIVED) → S: SYN y, ACK x+1; S → D: ACK y+1; CONNECTED]
[Figure 2. SYN Flooding Attack: S sends SYNs with nonexistent (spoofed) source addresses to D (LISTEN); D answers each with SYN+ACK and stays in SYN_RECEIVED, since the final ACK never arrives]

TCP SYN Attack Solutions
•Intermediate Firewall/Router
–Limit the number of half-open connections
•Ingress and egress filtering to reduce spoofed addresses
–Does not help against DDoS bot networks
•Reactively block attacking addresses
–Generally expensive to acquire technology to do it fast enough
•Fix Protocol - IPv6

“Smurf”
[Figure: Perpetrator sends an ICMP echo with the spoofed source address of the Victim to an IP broadcast address across the Internet; the ICMP echo replies all go to the Victim]

Smurf Issues
•Amplification attack
–Small effort on the attacker’s side results in a big impact on the victim
•Victim fails unexpectedly under high load
–May just stop responding
–May stop performing normal security checks
•Exploiting protocol failure
–Fixed in IPv6
•Old attack
–Blocked by most firewalls

Address Translation
•Traditional NAT: RFC 3022 (Reference RFC)
•Map real address to alias address
–Real address associated with the physical device, generally an unroutable address
–Alias address generally a routable address associated with the translation device
•Originally motivated by limited access to publicly routable IP addresses
–Folks didn’t want to pay for addresses and/or hassle with getting official addresses
•Later folks said this also added security
–By hiding structure of internal
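Added example, not part of the lecture slides: a Python model of the packet-filter ACL described under Access Control Lists (an ACE with the five match fields the slide lists plus an action, evaluated by linear first-match lookup), applied to the policy on the Ingress and Egress Filtering slide. The inside network 192.0.2.0/24 standing in for “network X”, the list of invalid source networks, the sample packets and the rule that drops ICMP aimed at the inside directed-broadcast address (the firewall-side block of the old Smurf attack) are all constructed for this example.

```python
"""Packet-filter ACL evaluation with ingress/egress filtering (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Source networks that should never appear on a packet arriving from the Internet
# ("invalid networks" on the slide): RFC 1918 private space, loopback, and 0/8.
# Constructed list for this example; a real filter would carry a fuller bogon list.
INVALID_SOURCE_NETS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                       "172.16.0.0/12", "192.168.0.0/16"]


@dataclass(frozen=True)
class Packet:
    """Only the Layer 3/4 header fields a packet filter can see."""
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", "gre", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    """Access Control Entry: an action plus the five match fields from the slide."""
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 means any
    dst: str = "0.0.0.0/0"
    proto: str = "ip"             # "ip" matches every protocol
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """Linear first-match lookup; a packet no entry matches hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def ingress_acl(inside_net: str) -> List[ACE]:
    """ACL bound inbound on the outside interface of the firewall owning inside_net."""
    net = ipaddress.ip_network(inside_net)
    acl = [ACE("deny", src=inside_net)]            # our own addresses cannot arrive from outside
    acl += [ACE("deny", src=n) for n in INVALID_SOURCE_NETS]
    # Drop ICMP sent to our directed-broadcast address (the Smurf amplification path).
    acl.append(ACE("deny", dst=f"{net.broadcast_address}/32", proto="icmp"))
    acl.append(ACE("permit"))                      # everything else goes on to further policy
    return acl


def egress_acl(inside_net: str) -> List[ACE]:
    """ACL bound outbound: only traffic sourced from inside_net may leave."""
    return [ACE("permit", src=inside_net)]         # the implicit deny catches spoofed sources


if __name__ == "__main__":
    inside = "192.0.2.0/24"
    for pkt in (Packet("192.0.2.5", "192.0.2.10", "tcp", 1234, 80),      # spoofs our own space
                Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 80),  # ordinary web request
                Packet("198.51.100.7", "192.0.2.255", "icmp")):          # echo to broadcast
        print("ingress", pkt, "->", evaluate(ingress_acl(inside), pkt))
    print("egress ", evaluate(egress_acl(inside), Packet("10.9.9.9", "198.51.100.7", "udp", 53, 53)))
```

The ACE only distinguishes ICMP as a protocol, not echo-request from other ICMP types, because that is all the five header fields on the slide give a packet filter; a stateful filter with the application-layer analysis described above could be narrower.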
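Added example, not part of the lecture slides: a Python model of the first mitigation on the TCP SYN Attack Solutions slide, an intermediate firewall or router limiting the number of half-open connections. The limiter records each SYN it forwards, removes the entry when the completing ACK of the three-way handshake arrives, refuses further SYNs to a destination once that destination’s ceiling is reached, and ages out entries that are never completed, which is what a flood of spoofed SYNs leaves behind. The ceiling of 3, the 30 second timeout, the addresses and the event sequence are constructed values.

```python
"""Half-open connection limiting for a stateful firewall (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Conn = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass
class HalfOpenLimiter:
    max_half_open: int = 3                  # per (dst, dport) ceiling; constructed value
    timeout: float = 30.0                   # seconds before an unanswered SYN is aged out
    half_open: Dict[Conn, float] = field(default_factory=dict)   # conn -> time SYN was seen

    def _expire(self, now: float) -> None:
        """Forget SYNs whose handshake never completed within the timeout."""
        for conn, seen in list(self.half_open.items()):
            if now - seen > self.timeout:
                del self.half_open[conn]

    def _count_for(self, dst: str, dport: int) -> int:
        return sum(1 for (_, _, d, p) in self.half_open if d == dst and p == dport)

    def handle(self, flags: str, src: str, sport: int, dst: str, dport: int, now: float) -> str:
        """Return 'pass' or 'drop' for one TCP segment described by its flags."""
        self._expire(now)
        conn = (src, sport, dst, dport)
        if flags == "SYN":
            if self._count_for(dst, dport) >= self.max_half_open:
                return "drop"               # server's backlog is protected; SYN not forwarded
            self.half_open[conn] = now
            return "pass"
        if flags == "ACK" and conn in self.half_open:
            del self.half_open[conn]        # third step of the handshake: no longer half-open
        return "pass"


def demo() -> dict:
    """Constructed event sequence: five spoofed SYNs, one real client, then the timeout."""
    lim = HalfOpenLimiter(max_half_open=3, timeout=30.0)
    victim = ("192.0.2.10", 80)
    flood = [lim.handle("SYN", f"203.0.113.{i}", 40000 + i, *victim, now=0.0)
             for i in range(1, 6)]
    # One source does complete its handshake, which frees a slot at the ceiling.
    lim.handle("ACK", "203.0.113.1", 40001, *victim, now=1.0)
    after_ack = lim.handle("SYN", "198.51.100.9", 5555, *victim, now=1.0)
    # The other SYNs never get their ACK; after the timeout they are aged out.
    after_timeout = lim.handle("SYN", "198.51.100.10", 5556, *victim, now=40.0)
    return {"flood": flood, "after_ack": after_ack,
            "after_timeout": after_timeout, "pending": len(lim.half_open)}


if __name__ == "__main__":
    print(demo())
```

The per-destination count is what keeps a flood against one server from blocking SYNs to every other host behind the firewall; the timeout is what keeps spoofed sources from holding slots forever, which is the same resource the attack exhausts on the server itself.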
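Added example, not part of the lecture slides: a Python model of the traditional NAT described on the Address Translation slide, in its basic address-only form (real addresses bound to alias addresses from a pool, no port translation). Outbound packets have their real source rewritten to an alias; inbound packets are rewritten back only when a binding exists, so a packet addressed to a real internal address, or to an alias nobody is using, is dropped at the translation device. The address pool, the internal addresses and the packet sequence are constructed values.

```python
"""Basic NAT as a dynamic real-to-alias address binding table (added example)."""
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, str]   # (src, dst): only the address fields basic NAT rewrites


class BasicNAT:
    def __init__(self, alias_pool: List[str]):
        self.free = list(alias_pool)              # routable aliases not yet bound
        self.real_to_alias: Dict[str, str] = {}
        self.alias_to_real: Dict[str, str] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: replace the real source with its alias, binding on first use."""
        src, dst = pkt
        alias = self.real_to_alias.get(src)
        if alias is None:
            if not self.free:
                return None                       # pool exhausted: packet cannot be translated
            alias = self.free.pop(0)
            self.real_to_alias[src] = alias
            self.alias_to_real[alias] = src
        return (alias, dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: map the alias destination back to the real address."""
        src, dst = pkt
        real = self.alias_to_real.get(dst)
        if real is None:
            return None                           # no binding: real addresses are never reachable directly
        return (src, real)

    def release(self, real: str) -> None:
        """Tear down a binding and return the alias to the pool."""
        alias = self.real_to_alias.pop(real, None)
        if alias is not None:
            del self.alias_to_real[alias]
            self.free.append(alias)


def demo() -> dict:
    """Constructed sequence: two inside hosts share a two-address alias pool."""
    nat = BasicNAT(["203.0.113.1", "203.0.113.2"])
    return {
        "first":   nat.outbound(("10.0.0.5", "198.51.100.7")),   # new binding
        "reuse":   nat.outbound(("10.0.0.5", "198.51.100.8")),   # same host keeps its alias
        "second":  nat.outbound(("10.0.0.6", "198.51.100.7")),   # second alias bound
        "exhaust": nat.outbound(("10.0.0.7", "198.51.100.7")),   # no alias left
        "reply":   nat.inbound(("198.51.100.7", "203.0.113.2")), # reply reaches 10.0.0.6
        "probe":   nat.inbound(("198.51.100.7", "10.0.0.6")),    # real address from outside
        "unbound": nat.inbound(("198.51.100.7", "203.0.113.9")), # alias not in the pool
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} {result}")
```

The "probe" and "unbound" cases are the structure-hiding effect the slide refers to: nothing about the 10.0.0.0/8 space behind the device is visible or addressable from outside, only the aliases currently bound.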

