Reading
Ch. 25 (Intrusion Detection)
Ch. 26 (Network Security)
Optional: Firewalls and Internet Security, Cheswick, Bellovin, Rubin
The text about network security
Perimeter Defense
Perimeter
Internet
Intranet
Convenience
Can use less secure protocols and software inside perimeter
Don't bother users with security protections unless they talk to the outside
Firewalls
Filter traffic going across perimeter boundary
Various levels of sophistication
Firewall Internet
Intranet
Packet Filter
Filter IP packets based on their headers
Fields may include:
IP address (source & destination)
TCP/UDP ports (source & destination)
Flags
Options
Example Rules
allow proto=TCP AND port=80
deny proto=UDP AND port=1434
deny sourceIP=127.0.0.1
allow proto=TCP AND port=22 AND sourceIP=adminConsole
Example Policy
Firewall
Internet
Intranet
Option 2: DMZ
Mail Server
Desktop Desktop Desktop
DNS Server
Demilitarized Zone
Firewall Intranet
Internet
DMZ
DMZ principles
Restrict access
from Internet to the DMZ, to protect servers
from DMZ to intranet, to protect against compromises
E.g.
Allow connections from Internet to mail server on port 25 (SMTP)
Allow connections from intranet to mail server on port 993 (secure IMAP)
Policies
Firewall policies typically lists of allow or deny rules
What should the default rule be?
Default allow:
convenient since doesn't interfere with legitimate activity
Default deny:
more secure, since every allowed use undergoes security review
if policy too restrictive, people complain and it gets fixed
if policy too permissive, only learn about it after an attack - too late!
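As an added example (not part of the slides), a small packet-filter evaluator that encodes the example rules above with first-match semantics and a selectable default policy, so the default-allow versus default-deny trade-off can be tried on constructed packets. The address standing in for "adminConsole" is an assumed placeholder.

```python
# Added example: minimal packet filter over the slide's rules (not the lecture's code).
from dataclasses import dataclass
from typing import Optional

ADMIN_CONSOLE_IP = "10.0.0.5"  # assumption: placeholder address for "adminConsole"


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # None acts as a wildcard
    port: Optional[int] = None    # matched against the destination port
    src_ip: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every field that is set must match; unset fields match anything.
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.port is None or self.port == pkt.dst_port)
                and (self.src_ip is None or self.src_ip == pkt.src_ip))


# The slide's example rules, in order. First matching rule wins, so order
# matters: a TCP/80 packet claiming source 127.0.0.1 hits rule 1 before the
# spoofed-loopback deny in rule 3 is ever consulted.
RULES = [
    Rule("allow", proto="TCP", port=80),
    Rule("deny", proto="UDP", port=1434),
    Rule("deny", src_ip="127.0.0.1"),
    Rule("allow", proto="TCP", port=22, src_ip=ADMIN_CONSOLE_IP),
]


def filter_packet(pkt: Packet, rules=RULES, default: str = "deny") -> str:
    """Return 'allow' or 'deny' for pkt; `default` applies when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default
```

With `default="allow"` an unmatched SSH attempt from an arbitrary host goes through; with `default="deny"` only the admin console rule lets it in, which is the review-before-use property the slide argues for.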
No connection semantics
Actions only on individual packets
No application semantics
Only indication of application protocol is port number
Modern applications abuse this fact
Higher-level analysis
Packet filters cannot:
Forbid a particular URL
Detect email viruses
Block (malicious) ActiveX plugins
Alternate approaches:
Stateful firewall: reconstruct connections
Application-level proxy: transform connections
Stateful Firewall
Reconstruct connection state
Make decisions based on flows, not on packets
Some application protocol parsing may also be done
[Figure: packet fragments "GET", "su", "/foo.html", "root" from interleaved connections, reassembled by the stateful firewall]
Application-Level Proxy
Process incoming packets at application layer
Generate transformed message stream
Block dangerous messages
Normalize protocol semantics
Proxy
Trade-offs
Pro: Higher precision
Con: Higher costs
Scalability: keep state for all connections for 1000s of computers
Latency: proxy adds processing delays
Flexibility: proxy needs to understand everything you do with a protocol
NAT
[Figure: local hosts 10.0.0.1 and 10.0.0.2 behind a NAT router]
All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers
Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
Internet
Intranet
Policies:
Firewalls: ACL-style policy on (packet) attributes
NIDS: attack signatures, statistical anomalies
NIDS challenges:
Evasion
False positives
VPNs
Firewall
Internet
Intranet
Home Network
VPN issues
Home networks less protected than corporate network
Attacks can vector through VPN
Mitigation
Require protection on computers using VPN
More restrictive FW policy on VPN connections
Host-based approaches
Host-based IDS
Earlier types of IDS were all host-based
Can get better insight into host behavior
But more susceptible to compromise
Host-based firewalls
Your laptop and desktop probably have this functionality already
Challenge: management
Require all users to install firewall / IDS product
Manage policies, configuration, and logs centrally
Key points
Perimeter security is popular
Cheap, convenient, effective(?)
Firewalls and IDSs most common tools for network security