CSIT560 Project Presentation

Network Security
Instructor: Mounir Hamdi
Group Members
Zhang Nan      06766498  zhangnan@ust.hk
Cao Zhe        06766723  caozhe@ust.hk
Huang Qiankun  06767040  qkhuang@ust.hk
Zhang Weiwei   06767296  jacko@ust.hk
AGENDA
 Introduction
 Firewall Technology
 Intrusion Prevention System (IPS)
 Virtual Private Network (VPN)
 Wireless Network Security Issues
Introduction
 Background
 25% of respondents detected system penetration from the outside.
 27% of respondents detected denial of service attacks.
 79% detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).
 85% detected computer viruses.
 19% suffered unauthorized access or misuse within the last twelve months.
 273 organizations that were able to quantify their losses reported a total of $265,589,940.
 ……
(From The Computer Security Institute)
Introduction
 Core Reason
Lack of security design in the TCP/IP model: TCP/IP doesn’t verify the authenticity and validity of the source address before establishing a connection.
(Figure: 3-way handshake in TCP/IP)
Introduction
 Distributed Denial of Service (DDoS) Attack
Firewall
 What is Firewall?
A firewall is a security device which is configured to
permit, deny, or proxy data connections set and configured
by the organization's security policy. Firewalls can either
be hardware or software based.
Firewall
 Firewall Architecture
 Packet Filter Firewall
A packet filter firewall is a first-generation firewall technology
that analyzes network traffic at the transport protocol layer. Each
IP network packet is examined to see if it matches one of a set of
rules defining what data flows are allowed. These rules identify
whether communication is allowed based upon information
contained within the Internet and transport layer headers and the
direction in which the packet is headed (internal to external
network or vice-versa).
Firewall
 Firewall Architecture
 Circuit Level Firewall
A circuit level firewall is a second-generation firewall technology.
To validate a session, a circuit level firewall examines each
connection setup to ensure that it follows a legitimate handshake
for the transport layer protocol being used. In addition, data packets
are not forwarded until the handshake is complete. The firewall
maintains a table of valid connections and lets network packets
containing data pass through when network packet information
matches an entry in the virtual circuit table. Once a connection is
terminated, its table entry is removed, and that virtual circuit
between the two peer transport layers is closed.
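A minimal model of the virtual circuit table described above, written for this page as an added example (not from the presentation): the firewall enters a circuit only after it sees the SYN, SYN-ACK and final ACK in order, forwards data only for established circuits, and removes the entry on FIN or RST. The packet fields, the 'out'/'in' direction labels and the addresses are my own constructions.

```python
from collections import namedtuple

# flags: any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST); payload is optional
Segment = namedtuple("Segment", "src dst sport dport flags payload", defaults=[b""])

class CircuitLevelFirewall:
    """Virtual circuit table keyed by (client, cport, server, sport). A
    circuit is entered only after the three-way handshake is seen in order;
    data is forwarded only for ESTABLISHED circuits."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _key(seg, from_client):
        if from_client:
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def process(self, seg, direction):
        """direction: 'out' = internal client -> external, 'in' = reverse."""
        flags = set(seg.flags)
        if flags == {"S"}:                       # connection request
            if direction != "out":
                return "DROP"                    # policy: no inbound connections
            self.table[self._key(seg, True)] = "SYN_SENT"
            return "FORWARD"
        if flags == {"S", "A"}:                  # server's SYN-ACK
            k = self._key(seg, False)
            if direction == "in" and self.table.get(k) == "SYN_SENT":
                self.table[k] = "SYN_RECEIVED"
                return "FORWARD"
            return "DROP"
        k = self._key(seg, direction == "out")
        state = self.table.get(k)
        if state is None:
            return "DROP"                        # no circuit for this packet
        if flags & {"F", "R"}:
            del self.table[k]                    # circuit closed, entry removed
            return "FORWARD"
        if state == "SYN_RECEIVED":
            if direction == "out" and "A" in flags and not seg.payload:
                self.table[k] = "ESTABLISHED"    # handshake complete
                return "FORWARD"
            return "DROP"                        # data before handshake finishes
        return "FORWARD" if state == "ESTABLISHED" else "DROP"

def demo():
    """Replays one constructed session and returns the verdicts in order."""
    c, s = "10.0.0.5", "203.0.113.7"
    fw = CircuitLevelFirewall()
    steps = [
        (Segment(c, s, 40000, 80, "S"), "out"),                      # SYN
        (Segment(s, c, 80, 40000, "SA"), "in"),                      # SYN-ACK
        (Segment(c, s, 40000, 80, "A", b"GET / HTTP/1.0"), "out"),   # data too early
        (Segment(c, s, 40000, 80, "A"), "out"),                      # final ACK
        (Segment(c, s, 40000, 80, "A", b"GET / HTTP/1.0"), "out"),   # request
        (Segment(s, c, 80, 40000, "A", b"HTTP/1.0 200 OK"), "in"),   # reply
        (Segment(c, s, 40000, 80, "FA"), "out"),                     # FIN closes circuit
        (Segment(c, s, 40000, 80, "A", b"late"), "out"),             # after close
        (Segment("198.51.100.9", c, 4444, 22, "S"), "in"),           # inbound SYN
    ]
    return [fw.process(seg, d) for seg, d in steps]
```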
Firewall
 Firewall Architecture
 Application Layer Firewall
An application layer firewall is a third-generation firewall
technology that evaluates network packets for valid data at the
application layer before allowing a connection. It examines the data
in all network packets at the application layer and maintains
complete connection state and sequencing information. In addition,
an application layer firewall can validate other security items that
only appear within the application layer data, such as user
passwords and service requests.
Firewall
 Firewall Architecture
 Dynamic Packet Filter Firewall
A dynamic packet filter firewall is a fourth-generation
firewall technology that allows modification of the security
rule base on the fly. This type of technology is most useful for
providing limited support for the UDP transport protocol. The
UDP transport protocol is typically used for limited
information requests and queries in application layer protocol
exchanges.
Firewall
 Cisco IOS Firewall Analysis
Cisco IOS Firewall is a stateful security software component of
Cisco IOS Software. Firewall integration in Cisco IOS routers
augments a router's inherent capabilities: multi-topology interfaces,
industry-standard routing protocols, and a broad range of services,
as well as an expanding group of other security features such as
VPN and IPS features. Cisco IOS Firewall interoperates with other
Cisco IOS Software technologies, including NAT, QoS, and IPSec
and SSL VPN, to become a vital component of an end-to-end
network security infrastructure.
Firewall
 Cisco IOS Firewall Analysis
 Configuration
Topology: Router 1 (S0 192.168.1.1/24) --- (S0 192.168.1.2/24) Router 2 (S1 192.168.2.1/24) --- (S0 192.168.2.2/24) Router 3
Router 2 configuration:
Router_2(config)#access-list 110 deny tcp any host 192.168.1.1 eq 23
Router_2(config)#access-list 110 permit ip any any
Router_2(config)#int s1
Router_2(config-if)#ip access-group 110 out
Router_2(config-if)#exit
Router_2(config)#
Test from Router 1:
Router_1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router_1#telnet 192.168.2.2
Trying 192.168.2.2 ...
% Destination unreachable; gateway or host down
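The packet filter rules described earlier and access list 110 on Router_2 both decide per packet from header fields, in order, with an implicit deny at the end of the list. The following Python model (an added example, not part of the presentation or of Cisco IOS; the class, method and field names are my own) parses the two ACL lines from the slide and evaluates sample packets against them:

```python
import ipaddress

class AccessList:
    """Cisco-style extended ACL: entries are tested in order, the first
    match decides, and a packet matching no entry hits the implicit
    'deny' at the end of the list."""

    def __init__(self):
        self.entries = []   # (action, proto, src_net, dst_net, dport)

    def add(self, line):
        # Parses the forms used on the slide, e.g.
        #   "deny tcp any host 192.168.1.1 eq 23"
        #   "permit ip any any"
        # plus the classic "network wildcard" form, e.g. "192.168.2.0 0.0.0.255".
        tok = line.split()
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = self._addr(tok)
        dst, tok = self._addr(tok)
        dport = int(tok[1]) if tok[:1] == ["eq"] else None
        self.entries.append((action, proto, src, dst, dport))

    @staticmethod
    def _addr(tok):
        if tok[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
        if tok[0] == "host":
            return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
        # ipaddress accepts the inverse (host) mask form used by Cisco wildcards
        return ipaddress.ip_network((tok[0], tok[1]), strict=False), tok[2:]

    def evaluate(self, proto, src, dst, dport=None):
        """Verdict for one packet crossing the interface the ACL is bound to."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, p, src_net, dst_net, port in self.entries:
            if p != "ip" and p != proto:
                continue                 # 'ip' matches every protocol
            if s not in src_net or d not in dst_net:
                continue
            if port is not None and port != dport:
                continue
            return action
        return "deny"                    # implicit deny at the end of every ACL

def slide_acl():
    """Access list 110 exactly as configured on Router_2 above."""
    acl = AccessList()
    acl.add("deny tcp any host 192.168.1.1 eq 23")
    acl.add("permit ip any any")
    return acl

if __name__ == "__main__":
    acl = slide_acl()
    print(acl.evaluate("icmp", "192.168.1.1", "192.168.2.2"))      # permit
    print(acl.evaluate("tcp", "192.168.2.2", "192.168.1.1", 23))   # deny
    print(acl.evaluate("udp", "192.168.2.2", "192.168.1.1", 23))   # permit: line 1 is tcp-only
```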
Firewall
 Limitations of Firewall
 A firewall cannot prevent attacks from the internal network. If an insider launches an attack, his traffic never passes through the firewall, so the firewall can do nothing about it.
 Firewalls offer weak defence against viruses, so antivirus software and an IDS/IPS that protects against Trojans and port scans should complement the firewall in a layered defence.
 Firewall protection is limited once an allowed connection is open. Another program should be in place to catch Trojan horses trying to enter your computer disguised as normal traffic.
Intrusion Prevention System
(IPS)
Background
Traditional security systems:
Firewall: designed to deny clearly suspicious traffic, such as an attempt to telnet to a device when corporate security policy forbids telnet access completely.
Intrusion detection systems (IDS): effective at detecting suspicious activity, but do not provide protection against attacks.
Current Systems
Firewall: will allow some traffic through (e.g. web).
Intrusion detection systems: do not provide protection against attacks. Recent worms such as Slammer and Blaster have such fast propagation speeds that by the time an alert is generated, the damage is done and spreading fast.
IPS Systems
 IPS systems are proactive defence mechanisms
designed to detect malicious packets within
normal network traffic (something that the current
breed of firewalls do not actually do, for example)
and stop intrusions dead, blocking the offending
traffic automatically before it does any damage
rather than simply raising an alert as, or after, the
malicious payload has been delivered.
 Within the IPS market place, there are two main
categories of product: Host IPS and Network IPS.
Host IPS (HIPS)
 As with Host IDS systems, the Host IPS relies on agents installed directly on the system being protected. It binds closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.
 It may also monitor data streams and the environment specific to a particular application (file locations and Registry settings for a Web server, for example) in order to protect that application from generic attacks for which no “signature” yet exists.
 One potential disadvantage with this approach is that, given the necessarily tight integration with the host operating system, future OS upgrades could cause problems.
 Since a Host IPS agent intercepts all requests to the system it protects, it has certain prerequisites: it must be very reliable, must not negatively impact performance, and must not block legitimate traffic. Any HIPS that does not meet these minimum requirements should never be installed on a host, no matter how effectively it blocks attacks.
Network IPS (NIPS)
 The Network IPS combines features of a
standard IDS, an IPS and a firewall, and is
sometimes known as an In-line IDS or
Gateway IDS (GIDS). The next-generation
firewall - the deep inspection firewall - also
exhibits a similar feature set, though we do
not believe that the deep inspection firewall
is ready for mainstream deployment just
yet.
Network IPS (NIPS)
 As with a typical firewall, the NIPS has at least two network interfaces, one designated as internal and one as external. As packets appear at either interface they are passed to the detection engine, at which point the IPS device functions much as any IDS would in determining whether or not the packet being examined poses a threat.
Network IPS (NIPS)
 However, if it should detect a malicious
packet, in addition to raising an alert, it will
discard the packet and mark that flow as
bad. As the remaining packets that make up
that particular TCP session arrive at the IPS
device, they are discarded immediately.
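The drop-and-mark behaviour just described, as an added example in Python (not part of the presentation or of any vendor product): each packet goes to a detection engine, a signature hit raises an alert, drops the packet and marks the flow bad, and the remaining packets of that session are discarded without further inspection. The two signatures and the sample traffic are constructed for the demo.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")

# Constructed signatures for the demo (not a real rule set): name -> regex
# applied to the packet payload.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "oversized-request-line": re.compile(rb"^[A-Z]+ \S{256,}"),
}

class NetworkIPS:
    """In-line engine: every packet is inspected; a match raises an alert,
    drops the packet and marks the flow bad, after which the rest of that
    session is discarded without further inspection."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.bad_flows = set()
        self.alerts = []

    @staticmethod
    def flow_key(pkt):
        # Direction-independent key so both halves of a session share one entry
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def inspect(self, pkt):
        key = self.flow_key(pkt)
        if key in self.bad_flows:
            return "DROP"                  # remainder of a bad session
        for name, sig in self.signatures.items():
            if sig.search(pkt.payload):
                self.alerts.append((name, pkt.src, pkt.dst, pkt.dport))
                self.bad_flows.add(key)
                return "DROP"
        return "FORWARD"

def demo():
    """Feeds constructed traffic through the engine; returns (verdicts, alerts)."""
    ips = NetworkIPS()
    c, s = "10.0.0.5", "10.0.0.80"
    packets = [
        Packet(c, 40001, s, 80, b"GET /index.html HTTP/1.0\r\n"),            # benign
        Packet(s, 80, c, 40001, b"HTTP/1.0 200 OK\r\n"),                     # benign reply
        Packet(c, 40002, s, 80, b"GET /../../private/config HTTP/1.0\r\n"),  # signature hit
        Packet(s, 80, c, 40002, b"HTTP/1.0 200 OK\r\n"),                     # same flow: dropped
        Packet(c, 40002, s, 80, b"GET /index.html HTTP/1.0\r\n"),            # same flow: dropped
        Packet(c, 40003, s, 80, b"GET /index.html HTTP/1.0\r\n"),            # new flow: forwarded
    ]
    return [ips.inspect(p) for p in packets], ips.alerts
```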
Network IPS (NIPS)
Challenges
 If an in-line device fails, however, it can seriously impact the performance of the network. Perhaps latency rises to unacceptable values, or perhaps the device fails closed, in which case you have a self-inflicted denial of service condition on your hands.
Network IPS (NIPS)
 As an integral element of the network fabric, the Network
IPS device must perform much like a network switch. It
must meet stringent network performance and reliability
requirements as a prerequisite to deployment, since very
few customers are willing to sacrifice network
performance and reliability for security. A NIPS that slows
down traffic, stops good traffic, or crashes the network is
of little use.
Requirements of IPS System
 In-line operation
 Reliability and availability
 Resilience
 Low latency
 High performance
 Unquestionable detection accuracy
 Fine-grained granularity and control
 Advanced alert handling and forensic analysis capabilities
NSS IPS Test
 The NSS Group has conducted the first comprehensive IPS
test of its kind. This exhaustive review will give readers a
complete perspective of the capabilities, maturity and
suitability of the products tested for their particular
needs.
 If a particular IPS has been designated as NSS Approved,
customers can be confident that the device will not
significantly impact network/host performance, cause
network/host crashes, or otherwise block legitimate
traffic.
Example CISCO IOS IPS
 Cisco IOS IPS uses the underlying routing infrastructure to provide an additional layer of security with investment protection.
 Because Cisco IOS IPS is inline and supported on a broad range of routing platforms, attacks can be effectively mitigated to deny malicious traffic from both inside and outside the network.
 When used in combination with Cisco IOS Firewall, VPN, and Network Admission Control (NAC) solutions, Cisco IOS IPS provides superior threat protection at all entry points into the network.
 Cisco IOS IPS is supported by easy and effective management tools, reducing operational complexity and expenditure (refer to Cisco Router and Security Device Manager and CiscoWorks VPN/Security Management Solution).
 Whether threats are targeted at endpoints, servers, or the network infrastructure, Cisco Systems® offers pervasive intrusion prevention solutions that are designed to integrate smoothly into the network infrastructure and proactively protect vital resources.
Example CISCO IOS IPS
 Cisco IOS IPS has two main deployment
scenarios:
 Cisco IOS IPS protecting the Internet-facing
(untrusted) interface
 Cisco IOS IPS within the internal (trusted)
network
Cisco Deployment Scenario
(1) Cisco IOS IPS Protecting the Internet-Facing (Untrusted) Interface
Cisco recommends enabling Cisco IOS
IPS on the Internet traffic to protect the
network from attacks and exploits that
might come into the branch office or
telecommuter personal computers, which
could in turn affect the corporate network.
GENERAL CISCO IOS IPS STRUCTURE
Cisco IOS IPS uses technology from Cisco Intrusion Detection
System (IDS) and IPS sensor product lines, including Cisco IDS
4200 Series Sensors, Cisco Catalyst® 6500 Series IDS Services
Modules, and network module hardware IDS appliances. Cisco
IOS IPS relies on signature microengines (SMEs) to support IPS
signatures. Each engine categorizes a group of signatures, and
each signature detects patterns of misuse in network traffic.
Virtual Private Network
(VPN)
Introduction to VPN
 A virtual private network (VPN) is a cost-effective and secure way for different corporations to provide user access to the corporate network and for remote networks to communicate with each other across the Internet.
 Usually VPN involves two parts: the protected or
"inside" network, which provides physical and
administrative security to protect the transmission; and
a less trustworthy, "outside" network. Between them,
there’s usually a firewall.
Applications for VPN
VPN Architecture
 Remote-access VPNs
allow one remote system
to connect to a network.
 The dashed-blue data
flow implies access to the
entire corporate LAN. In
practice, a remote-access
VPN tunnel can limit that
access through access
control lists (ACLs) or
firewall rules.
VPN Architecture
 A point-to-point VPN
connects two networks.
 An encrypted point-to-point connection between two different networks is created over some untrusted medium. Routers, firewalls and dedicated VPN concentrators or servers can be used as VPN endpoints.
Technical Features
 Encryption
 Key Generation and management
 Certification
 Tunneling
 Interoperability
Encryption
 Starting point of VPN solution
 Well-established encryption algorithms and
strong encryption keys can make VPN much
more effective.
Key Generation and management
 Key length: In general, the longer the key, the
tougher to break. Today, a key length of less than 56
bits is considered insecure.
 Key exchange: should be based on well-established
algorithms (e.g. Diffie–Hellman for encryption and
RSA for signature) as specified in strong key
management standards.
Key Generation and management
 Rate of key exchange: The more
frequently a key is automatically
exchanged, the more secure the encrypted
data is.
 Key generation: The use of true random
keys ensures the highest levels of security.
The best method of key generation is using
hardware.
Certification
 Certification is the registration and identification of
VPN components.
 It requires establishing well-defined secrets between
a centrally controlled Certification Authority and
any VPN device.
Tunneling
 Tunneling is the encapsulation and encryption of
entire transmitted packets.
 An effective tunneling mechanism hides the
networking data in addition to the application and
payload layers. A VPN solution which only
encrypts the payload is not sufficiently secure, as a
multitude of information is obtained by analyzing
networking parameters.
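An added illustration (not from the presentation) of why encrypting only the payload is not enough: the same inner packet is sent once with payload-only encryption and once tunnelled, and a passive observer parses the outer header in each case. The header layout is simplified, and the SHA-256 XOR keystream is a stand-in for the VPN's real cipher so that the example runs without extra libraries; the addresses and key are constructed.

```python
import hashlib
import struct

# Simplified packet header used by the demo: src IP, dst IP, src port, dst port.
HDR = struct.Struct("!4s4sHH")

def ip(dotted):
    return bytes(int(o) for o in dotted.split("."))

def keystream_xor(key, data):
    # Stand-in cipher: SHA-256 in counter mode used as an XOR keystream. It is
    # symmetric (apply twice to recover the data) but NOT a secure construction.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def build_inner(src, dst, sport, dport, payload):
    return HDR.pack(ip(src), ip(dst), sport, dport) + payload

def payload_only(key, inner):
    # Header stays in the clear; only the application data is encrypted.
    return inner[:HDR.size] + keystream_xor(key, inner[HDR.size:])

def tunnel(key, inner, gw_a, gw_b):
    # The whole inner packet, headers included, is encrypted and wrapped in a
    # new outer header naming only the two VPN gateways (4500 is a placeholder
    # tunnel port).
    return HDR.pack(ip(gw_a), ip(gw_b), 4500, 4500) + keystream_xor(key, inner)

def unwrap(key, wire):
    # Receiving gateway: strip the outer header and decrypt the inner packet.
    return keystream_xor(key, wire[HDR.size:])

def observe(wire):
    """Networking parameters a passive observer reads from the outer header."""
    src, dst, sport, dport = HDR.unpack_from(wire)
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"src": dotted(src), "dst": dotted(dst), "sport": sport, "dport": dport}

def demo(key=b"constructed-demo-key"):
    """Sends one constructed inner packet both ways; returns what the observer
    sees for (payload-only encryption, full tunnel)."""
    inner = build_inner("10.1.0.7", "10.2.0.22", 51000, 22, b"constructed app data")
    return (observe(payload_only(key, inner)),
            observe(tunnel(key, inner, "203.0.113.1", "198.51.100.1")))
```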
Interoperability
 The emerging Internet Protocol Security (IPSec)
standard is becoming the international standard for
VPN.
 IPSec has created a secure means for interoperable
security, which guarantees that encrypted information is
protected on its way from one network to another, while
also allowing partner companies to link their respective
VPNs together, even if their encryption systems were
manufactured by different vendors.
Wireless Network Security
Issues
Introduction
 The use of wireless networks is increasingly popular
among personal, academic, business, and government
users.
 With the increasing deployment of wireless networks
(802.11 architecture) in enterprise environments, IT
enterprises are working to implement security mechanisms
that are equivalent to those existing today for wire-based
networks.
What is 802.11?
 Wireless Local Area Network (WLAN)
Protocol
 Defines Ethernet-like communication
channel using radios instead of wires
 Advantages over other standards - longer
ranges, higher speeds, simpler configurations
IEEE 802.11 (WLAN)
Wired vs. Wireless
 Wired networks offer more and better
security options than wireless
 More thoroughly established standards with
wired networks
 Wireless networks are much more
equipment dependent than wired networks
 Easier to implement security policies on
wired networks
Wireless Vs Wired
What is WEP
 WEP encodes your data using an encryption "key" before sending it out into the air. Any receiving unit must know the same key to decrypt the data. Keys can be 64 or 128 bits long. The longer the key, the stronger the encryption.
 Keys are entered as strings of 10 or 26 hexadecimal digits. With the "passphrase" feature, an easy-to-remember word or phrase is entered, and an algorithm generates the hexadecimal keys for you.
Is WEP Safe?
 There are weaknesses in Wired Equivalent Privacy (WEP), the original native security mechanism for wireless local area networks (WLANs) in the Institute of Electrical and Electronics Engineers (IEEE) 802.11 specification.
 With WEP enabled, an intruder equipped with the proper
tools and a moderate amount of technical knowledge could
gain unauthorized access to the wireless network via the
WLAN.
 Enterprises found it necessary to supplement WEP with
third-party security solutions such as VPN, IEEE 802.1X
authentication services servers, or add-on proprietary
technologies.
What is WPA
 Wi-Fi Protected Access (WPA and WPA2) is a class of
systems to secure wireless (Wi-Fi) computer networks.
 WPA replaces WEP with a strong new encryption
technology called Temporal Key Integrity Protocol (TKIP)
with Message Integrity Check (MIC).
 It also provides a scheme of mutual authentication using
either IEEE 802.1X/Extensible Authentication Protocol
(EAP) authentication or pre-shared key (PSK) technology.
 The Wi-Fi Alliance created WPA to enable introduction of
standard-based secure wireless network products prior to
the IEEE 802.11i group finishing its work.
What is WPA
 The Encrypted Key for WEP is a static sequence, meaning it
never changes. This means that if someone else figured the
Key out, they too would be able to access the network.
 To further strengthen wireless security, WPA was developed
which uses a Dynamic Key. These keys constantly change to
keep hackers out!
What is TKIP
 The Temporal Key Integrity Protocol is part of the IEEE 802.11i encryption standard for wireless LANs, which is used to secure 802.11 wireless LANs.
 Provides per-packet (dynamic) key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP.
 Increases the size of the key from 40 to 128 bits.
 Replaces WEP’s single static key with keys that are dynamically generated and distributed by the authentication server.
 Extra step of entering user name/password (in addition to WEP).
WPA and WPA2 Mode Types
How to authenticate
 WPA-Enterprise and WPA2-Enterprise mutual
authentication is initiated when a user associates with an
access point. The AP blocks access to the network until the
user can be authenticated. The user provides credentials
which are communicated to the authentication server.
 The authentication process is enabled by the IEEE
802.1X/EAP framework. Mutual authentication helps to
ensure that only authorized users access the network and
confirms that the client is authenticating to an authorized
server. It helps to protect users from accidentally
connecting to unauthorized ‘rogue’ APs.
WPA2
 WPA2 offers advanced protection from
wireless network attacks. Using AES,
government grade encryption and IEEE
802.1X/EAP authentication WPA2 provides
stronger standards-based mutual
authentication and advanced encryption to
protect the Wi-Fi network from a variety of
threats and attacks.
What is AES
 AES is a block cipher, a type of symmetric key cipher that
uses groups of bits of a fixed length - called blocks. A
symmetric key cipher is a cipher that uses the same key for
both encryption and decryption. The word cipher is used in
cryptography to describe the instructions or algorithm used
for encrypting and decrypting information.
 With AES, bits are encrypted in blocks of plaintext that are
calculated independently, rather than a key stream acting
across a plaintext data input stream. AES has a block size
of 128 bits with 3 possible key lengths 128, 192 and 256
bits as specified in the AES standard.
Conclusion
 One single technology cannot secure the whole
network environment. What we need is coordination.
(Firewall, IPS, VPN…)
 The security policy is the core of the security system. The policy must be carefully designed, and once it has been implemented, everyone in the organization must obey it, or else the security exists only on paper.
 In the long run, an entirely new structure of the
Internet must be implemented instead of TCP/IP. We
imagine that a new structure with fine security
protection design will come out soon.