UW-Madison CS 640 - Network Security


Slide 1: Network Security
David Parter
University of Wisconsin
Computer Sciences Department
Computer Systems Lab
CS640 27 November 2007

Slide 2: Topics
✔ Background: Threats and Security Policies
✔ Tools and Defenses:
  – Firewalls
  – Virtual Private Networks
  – Network Intrusion Detection Systems
  – Port Scanning
  – Network & Configuration Management
✔ CSL Network Security

Slide 3: Threats and Security Policies

Slide 4: Analyze The Threats
✔ Analyze potential threats before choosing a defense
✔ Without knowing threats, it is impossible to assess the defenses

Slide 5: Types of Threats
✔ Data corruption
  – Specific alteration
  – Random alteration (vandalism)
  – Equally dangerous
✔ Data disclosure
  – Keep your secrets secret

Slide 6: Types of Threats
✔ Theft of service
  – network
  – bandwidth
  – computers
  – name ...
✔ Denial of service
✔ Damage to reputation

Slide 7: Damage to Reputation
✔ Financial Industry exec: #1 threat is a negative story “above the fold” in the Wall Street Journal or New York Times
  – That may have changed with new regulatory requirements

Slide 8: Cost of Data Disclosure
✔ Data Breach Notification Laws
  – CA Law, model for most states, including WI
  – Notify each individual if records released
  – Notify credit reporting agencies if more than 1000 records involved

Slide 9: Cost of Data Disclosure
✔ Very likely to be widely reported in the news media
  – Damage to reputation
✔ Liability/remediation
  – credit monitoring for all individuals?
  – Civil actions?

Slide 10: Example: Medical Industry
✔ Data corruption & Denial of service:
  – Could lead to incorrect diagnosis, treatment
  – Potentially life-threatening
✔ Data disclosure
  – Loss of patient record privacy
  – Many potential social, legal and business costs
✔ Damage to reputation

Slide 11: Example: Financial Industry
✔ Data corruption
  – Potential for incorrect (or less profitable) stock market trades
  – Account records can probably be reconstructed
✔ Data disclosure
  – Loss of competitive advantage
  – Violation of securities laws

Slide 12: Example: A University Academic Department
✔ Data corruption:
  – Loss of experiments/experimental data
  – Incorrect experimental results
✔ Data disclosure
  – Disclosure of confidential data: human subjects data, industrial partner data, current research, student grades, exams, peer reviews, ...

Slide 13: Security Policies
✔ After threat analysis, develop security policies
✔ Policies provide guidance
  – to employees in ongoing operations,
  – to security/system administration staff
✔ Develop policies before a crisis hits

Slide 14: Tools and Defenses

Slide 15: Firewalls
✔ Background & Security model
✔ Type of firewalls
✔ Firewall rules

Slide 16: References and Resources
✔ Firewalls and Internet Security: Repelling the Wily Hacker (2nd ed), Cheswick, Bellovin and Rubin
✔ Building Internet Firewalls (2nd ed), Zwicky, Chapman and Cooper
✔ Firewall-wizards mailing list
  – http://honor.trusecure.com/mailman/listinfo/firewall-wizards

Slide 17: Security Model
✔ Perimeter security
  – Like a guard at the gate, checking ID badges
  – Assumes that “inside” is trusted, “outside” is not
  – Larger area “inside” perimeter -> more complexity, weaker security
  – Smaller perimeter -> more specific security
✔ Applies predefined access rules

Slide 18: Why Use a Firewall?
✔ Protect vulnerable services
  – Poorly designed protocols
  – Poorly implemented protocols/services
✔ Protect vulnerable computers/devices
  – Poorly configured
  – Can't be configured
  – Can't be patched

Slide 19: Why Use a Firewall?
✔ To protect an “appliance”
✔ Protect a system that cannot be upgraded
  – Version/upgrade restrictions from vendor
  – ex: printers; data acquisition devices; scientific “instruments”; devices with customized & embedded versions of popular operating systems; devices with embedded web servers for configuration/control ...

Slide 20: Why Use a Firewall?
✔ Defeat some denial of service (DOS) attacks
  – If the firewall has enough bandwidth
✔ Considered an “easy” solution
  – Satisfy “check-box” requirements
  – Only need to deal with security in one place (not really an advantage from a total security point of view)

Slide 21: Perimeter Security and Defense in Depth

Slide 22: Improved Security: Reduced Perimeters

Slide 23: Types of Firewalls: Basic Technology options
✔ Basic Technology Options:
  – Packet Filtering (screening)
  – Application Proxy
✔ Other Factors:
  – Stateful vs. Stateless
  – Router vs. Bridge
  – Configuration/Security model

Slide 24: Packet Filtering
✔ Acts like a router or bridge
  – Does not modify network connections or packet headers
✔ Allow/Deny packets based on packet data
✔ Allow/Deny packets based on Input/Output interface
  – shorthand for source or destination

Slide 25: Allow/Deny packets based on packet data:
✔ Layer 2:
  – Source or Destination MAC addresses
✔ Layer 3:
  – Source or Destination addresses, ports
  – Protocol or Protocol details
  – ex: disallow IP Source Routing
  – disallow ICMP redirect packets
  – disallow common “malicious” packet signatures

Slide 26: Allow/Deny packets based on packet data:
✔ Layer 4:
  – Service-specific (ex: by URL)

Slide 27: Packet Filtering

Slide 28: Packet Filtering Rules
✔ Typically applied in a specific order
  – First match applies
✔ One filter per rule
✔ Default rule?
  – “Default Deny” safest
  – Warning: implied default rule: Deny or Allow?

Slide 29: Example Packet Filtering Rules:
✔ Protect 128.105.0.0 network with Cisco router access control lists
✔ Apply rules from top to bottom:

    deny ip 128.105.0.0 0.0.255.255 any
    permit tcp any 128.105.1.1 eq 25
    permit tcp any 128.105.1.2 eq 80
    permit tcp any 128.105.1.3 eq 22
    deny icmp any any redirect log
    permit icmp any 128.105.1.4 echo
    deny icmp any any echo log
    deny ip any any log

Slide 30: Example Packet Filtering Rules:
✔ Protect 128.105.0.0 network with OpenBSD pf:

    block in log all
    block in log quick on $campus_if from 128.105.0.0/16 to any
    pass in quick on $campus_if proto tcp from any to 128.105.1.1/32 port = 25
    ...
    pass in quick on $cs_if proto tcp from 128.105.0.0/16 to any keep state

Slide 31: Packet Filtering Advantages
✔ Can be placed at a few “strategic” locations
  – Internet/Internal network border router
  – To isolate critical servers
✔ Efficient
✔ Simple concept

Slide 32: Packet Filtering Advantages
✔ Widely available
  – Implemented in most routers
  – Firewall appliances
  – Open Source operating systems and software
  – Specialized network interface cards with filtering capabilities
  – Download up to 64k rules to some

Slide 33: Packet Filtering Disadvantages
✔ Hard to configure
  – Rules can get complex
✔ Hard to test and verify rules
✔ Incomplete implementations
✔ Bugs often “fail unsafe” -- allow unintended traffic to pass

Slide 34: Packet Filtering
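
Added example (not part of the original slides): a small rule evaluator that runs the Cisco and pf rule sets from the slides above against constructed packets, to show how rule order and the implied default rule decide the verdict. The function names, the packet dictionaries and the 198.51.100.7 source address are assumptions made for the illustration; interfaces, logging and state tracking are not modelled.

```python
from ipaddress import ip_address, ip_network

def rule(action, proto, src, dst, port=None, icmp=None, quick=False):
    """One filter rule; src/dst are CIDR strings or 'any'."""
    net = lambda s: ip_network("0.0.0.0/0" if s == "any" else s)
    return dict(action=action, proto=proto, src=net(src), dst=net(dst),
                port=port, icmp=icmp, quick=quick)

def matches(r, pkt):
    return (r["proto"] in ("ip", pkt["proto"])
            and ip_address(pkt["src"]) in r["src"]
            and ip_address(pkt["dst"]) in r["dst"]
            and r["port"] in (None, pkt.get("port"))
            and r["icmp"] in (None, pkt.get("icmp")))

def first_match(rules, pkt, default="deny"):
    """Cisco ACL semantics: first matching rule decides; implicit deny."""
    return next((r["action"] for r in rules if matches(r, pkt)), default)

def last_match(rules, pkt, default="pass"):
    """pf semantics: last match decides, 'quick' stops; implicit pass."""
    verdict = default
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]: break
    return verdict

# The Cisco rules from the slide, in slide order.
ACL = [
    rule("deny", "ip", "128.105.0.0/16", "any"),   # spoofed inside source
    rule("permit", "tcp", "any", "128.105.1.1/32", port=25),
    rule("permit", "tcp", "any", "128.105.1.2/32", port=80),
    rule("permit", "tcp", "any", "128.105.1.3/32", port=22),
    rule("deny", "icmp", "any", "any", icmp="redirect"),
    rule("permit", "icmp", "any", "128.105.1.4/32", icmp="echo"),
    rule("deny", "icmp", "any", "any", icmp="echo"),
    rule("deny", "ip", "any", "any"),
]
# The campus-interface pf rules from the slide (elided rules left out).
PF = [
    rule("block", "ip", "any", "any"),             # block in log all
    rule("block", "ip", "128.105.0.0/16", "any", quick=True),
    rule("pass", "tcp", "any", "128.105.1.1/32", port=25, quick=True),
]
# Constructed sample packets arriving from outside.
MAIL = dict(proto="tcp", src="198.51.100.7", dst="128.105.1.1", port=25)
SPOOF, TELNET = dict(MAIL, src="128.105.9.9"), dict(MAIL, port=23)
PING = dict(proto="icmp", src="198.51.100.7", dst="128.105.1.4", icmp="echo")
```

Calling first_match(ACL, pkt) and last_match(PF, pkt) on each sample packet gives the verdicts; swapping two ACL rules, or dropping the explicit "deny ip any any" or "block in log all" line, shows how the result depends on order and on each system's implied default.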

