Network Security Technologies
CS490 - Security in Computing
Copyright © 2005 by Scott Orr and the Trustees of Indiana University

References
- Security in Computing, 3rd Ed., Chapter 7 (pgs. 457-479)

Section Overview
- Firewall Components
- Firewall Architectures
- Network Intrusion Systems
- Honeypots

Internet Firewalls
[Diagram: Internet - Firewall - DMZ - Internal Network]

Firewall Benefits
- Host Service Protection
- Host Access Control
- Centralized Point of Security
- Enhanced Privacy
- Increased Audit Logging
- Policy Enforcement

Implementation Issues
- Service Restrictions
- Allowed Service Vulnerabilities
- User Backdoors
- Insider Attacks
- Viruses
- Network Throughput to/from Internet
- Single Point of Failure

Firewall Components
- Network Policy
- Advanced Authentication
- Packet Filtering
- Application Gateways

Network Policy
- Service Access Policy
  - Extension of Site Security Policy
  - Which services are allowed to/from which hosts
  - Who is authorized to change policy
- Firewall Design Policy
  - How the Service Access Policy is implemented
  - Either...
    - Permit any service unless it is expressly denied
    - Deny any service unless it is expressly permitted

Advanced Authentication
[Diagram: Internet (Unauthenticated) - Firewall - Internal Network (Authenticated)]
- Using one-time password techniques to allow access via certain services

Packet Filtering Routers
- Allowing/Restricting access based on:
  - IP Addresses (source/destination)
  - Protocol (TCP/UDP/ICMP)
  - TCP/UDP Ports (source/destination)
  - ICMP Message Type
  - Packet Size
  - Router Interface/Direction
- Single and multiple addresses/ports per entry
- Also called Screening Routers

Packet Filtering Options
- Send the packet
- Reject the packet
- Drop the packet
- Log information about the packet
- Notify administrator (set off an alarm)

Packet Filtering Weaknesses
- Hard to configure
- Hard to test
- The more complex the rules, the more performance may be impacted
- No Advanced Authentication support

Application Gateways
- Service components allowed/denied based on rule set
- Each packet repackaged after examination
- Information hiding
- Robust authentication and logging

Application GW Weaknesses
- Scalability
- Difficult to manage
- Connectionless Protocols
- Performance
  - Each service requires its own proxy
  - Each packet gets repackaged
- OS/Service Bugs

Circuit Gateways
- Similar to Application Gateway
- No packet processing done at the gateway

Stateful Multi-Layer Inspection
- Inspects raw packets
- Inspection engine intercepts packet at the OSI Network Layer
- Context Aware
- Creates a virtual state for connectionless protocols
Source: Checkpoint Software Technologies Ltd.

Firewall Architectures
- Single Device
  - Screening Router
  - Dual-Homed Host
- Multi-Device
  - Screened Host
  - Screened Subnet
  - Split-Screened Subnet

Screening Router
[Diagram: Internet - Screening Router - Internal Network]

Dual-Homed Gateway
[Diagram: Internet - Dual-Homed Gateway (Info Server, Proxy Server) - Internal Network]

Network Address Translation
- Not specifically for security (RFC 1918)
- Hides internal network configuration
- 1 to 1 allocation
  - Static
  - Dynamic
- IP Masquerading
  - Many internal addresses using 1 external address
  - Only internal hosts can initiate a connection

Screened Host
[Diagram: Internet - Screening Router - Bastion Host / Internet Server - Internal Network]

Screened Subnet
[Diagram: Internet - Screening Router - (Internet Server, Bastion Host) - Screening Router - Internal Network]

Split Screened Subnet
[Diagram: Internet - Screening Router - Internet Server - Dual-Homed Proxy - Intranet Server - Screening Router - Internal Network]

Network Intrusion Detection
[Diagram: Internet - Screening Router - Dual-Homed Proxy - Screening Router - Internal Network; Sensors on each segment report to an Analysis Station]

IDS Analysis
- Knowledge based (attack signatures)
  - Port Scans
  - Denial of Service
  - Known Service Attacks
  - Spoofing
  - Content
- Behavioral based

IDS Weaknesses
- Very young technology
- False Positives
- False Negatives
- Scalability

Honeypots
- Sacrificial host used to lure attackers
- Simulates a vulnerable system
- Used to study attacker techniques
  - Firewall/IDS traffic logs
  - System logs
  - File Integrity Checker logs
  - Keystroke capturing
- Early Case - "Berferd"
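The packet filtering rules and the "deny unless expressly permitted" design policy from the Firewall Components slides above, worked through as an added example that is not part of the original slides. The Packet and Rule classes, filter_packet and every address in RULES are constructed for illustration (10.0.0.0/8 stands in for the internal network, 192.0.2.10 for a screened web server).

```python
# Added example (not from the slides): toy screening-router rule evaluator matching on the
# fields from the Packet Filtering Routers slide, applying the Packet Filtering Options
# actions, with a default-deny Firewall Design Policy. All addresses below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    iface: str      # router interface: "ext" (Internet side) or "int" (internal side)
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # destination port for TCP/UDP, message type for ICMP
    size: int = 0   # packet length in bytes

@dataclass
class Rule:
    action: str             # "permit" (send), "reject" or "drop"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = ()      # empty tuple = any port / ICMP type
    max_size: int = 0       # 0 = no size limit
    log: bool = False       # also log information about the packet

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface) and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports)
                and (self.max_size == 0 or p.size <= self.max_size))

def filter_packet(rules, p, log, default="drop"):
    """First matching rule wins; anything not expressly permitted gets the default action."""
    for r in rules:
        if r.matches(p):
            if r.log:
                log.append(f"{r.action} {p.proto} {p.src}->{p.dst}:{p.dport} via {p.iface}")
            return r.action
    return default

# Constructed policy: 10.0.0.0/8 is the internal network, 192.0.2.10 a screened web server.
RULES = [
    Rule("drop", iface="ext", src="10.0.0.0/8", log=True),  # internal source from outside = spoofed
    Rule("permit", iface="ext", proto="tcp", dst="192.0.2.10/32", dports=(80, 443)),
    Rule("permit", iface="ext", proto="icmp", dports=(0, 3, 11), max_size=576),
    Rule("reject", iface="ext", proto="tcp", dports=(25,)),  # SMTP from outside: reject
    Rule("permit", iface="int", src="10.0.0.0/8"),           # internal hosts may initiate
]
```

Rule order matters: the anti-spoofing drop sits first so a forged internal source never reaches the permit rules, and anything no rule names falls through to the default drop.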