network security using - cse crafts

smileybloat, Networks and Communications

20 Nov 2013



A TECHNICAL PAPER ON NETWORK SECURITY USING FIREWALLS

PRESENTED BY:

P.J.Sudheer Kumar, 4th B.Tech CSE
S.V.S.ChaitanyaVarma, 4th B.Tech CSE

Email Ids:
sudheer.puthineedi@gmail.com
varma2270@gmail.com

BHIMAVARAM INSTITUTE OF ENGINEERING AND TECHNOLOGY




INTRODUCTION:

This paper discusses the need for and the concept of network security. Some solutions to implement network security, like firewalls, backups etc., are discussed. It mainly emphasizes packet filtering firewalls, their advantages and disadvantages. It concludes with the difficulties encountered in the implementation of network security.

Keywords: network security, threats and sources, firewalls, packet filtering.


The requirements of information security have undergone three major changes in the last three decades. The first major change was the introduction of the computer. The need for protecting files and information became evident. The collection of tools and procedures designed to protect data and to control access to computing resources has the generic name computer security. The second major change was the introduction of distributed systems, networks, and facilities for data communication. The third change is the current, rapid development of wireless networks and mobile communications. Wireless security is therefore of high priority today.


Network security measures are needed -

1) to protect data during transmission and storage

2) to control access to networks and network nodes.

Some terminology commonly used within network security can be defined as follows:


Data Integrity - Protection against change.

Data Availability - Protection against disruption of services.

Data Confidentiality - Protection against unauthorized disclosure of data.

Privacy - Refers to the ability of a sender to remain anonymous.

Accountability - The clear identification of responsibility.

Authorization - Refers to the process of awarding, monitoring.







The "Taxonomy Diagram" shows the fundamental properties of network security - integrity, protection, and security administration - as an interactive, animated Network Security tree (Figure 2).


Types and Sources of Network Threats -

1) Denial-of-Service - The attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then dropping the connection. If the host is able to answer 20 requests per second, and the attacker is sending 50 per second, obviously the host will be unable to service all of the attacker's requests, much less any legitimate requests.

2) Unauthorized Access - The goal of these attacks is to access some resource that your machine should not provide to the attacker.

3) Executing Commands Illicitly - An attacker might wish to make configuration changes to a host on which he gains administrator privileges.

4) Destructive Behavior - There are two major categories -

(a) Data Diddling. The data diddler works behind the scenes manipulating data, without the actual user being aware of it.

(b) Data Destruction. It includes the destruction of data.



Solutions -

1) Hope you have backups - This is coordinated with a disaster recovery plan.

2) Don't put data where it doesn't need to be - Information that doesn't need to be accessible from the outside world sometimes is.

3) Avoid systems with single points of failure - In security, a degree of redundancy is good, which helps in the protection of any organization.

4) Watch for a person who is knowledgeable about the current operating system patches.

Internet Firewalls

Encryption helps to solve many security problems. However, it is not a complete solution and is often complemented with a firewall to restrict the types of access permitted between a company's internal network and the rest of the Internet (i.e. a firewall protects against unwanted Internet traffic). In order to provide some level of separation between an organization's Intranet and the Internet, firewalls have been employed. A firewall is a system or group of systems that enforces an access control policy between two networks. In principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic.

To be effective, all network traffic either entering or leaving the organization must pass through the firewall. In turn, the firewall implements a defined security policy that rejects any traffic that does not adhere to the policy. Finally, the firewall is itself constructed to be immune to security attacks. Firewalls help to define a security perimeter; as such they can lower the cost of providing adequate security.


NEED FOR A FIREWALL -

Probably the most important thing to recognize about a firewall is that it is designed to prevent unauthorized access to or from a private network connected to the Internet, especially intranets. Firewalls can be implemented in both hardware and software, or a combination of both. They sit between two or more networks and mediate traffic.

A general-purpose computer may be used to control access between the internal (private) network (Intranet) and the Internet (or any other untrusted network).

Types of Firewalls

1) Application Gateways - Also known as proxy gateways, application proxy or application-level proxy, an application gateway is an application program that runs on a firewall system between two networks. These are made up of bastion hosts that run special software to act as a proxy server.

2) Packet Filtering - Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa. There is less overhead in packet filtering than with an application gateway, because the feature of access control is performed at a lower ISO/OSI layer (typically, the transport or session layer). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than its application layer cousins. Figure 6 shows a packet-filtering gateway.



Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network. To transfer information across a network, the information has to be broken up into small pieces of data called packets, each of which is sent separately. Packets traversing an internetwork (a network of networks) travel from router to router until they reach their destination.

A router has to make a routing decision about each packet it receives; it has to decide how to send that packet on towards its ultimate destination. In general, a packet carries no routing information of its own. The packet tells the router where it wants to go, but not how to get there. Routers communicate with each other using "routing protocols" such as the Routing Information Protocol (RIP) to build routing tables in memory to determine how to get the packets to their destinations. When routing a packet, a router compares the packet's destination address to entries in the routing table and sends the packet onward as directed by the routing table.
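The routing-table comparison described above can be shown with a small worked example. The following code is an added illustration, not part of the paper: it builds a constructed routing table (the networks and next hops are made-up sample values) and looks up a destination address using longest-prefix matching, which is how a router picks the most specific entry when several entries cover the same destination.

```python
import ipaddress

# Constructed routing table for illustration: (destination network, next hop).
# The addresses are sample values, not taken from the paper.
ROUTING_TABLE = [
    ("0.0.0.0/0", "192.0.2.1"),     # default route: anything not matched below
    ("10.0.0.0/8", "10.0.0.1"),     # whole private range
    ("10.1.0.0/16", "10.1.0.1"),    # one site inside that range
    ("10.1.2.0/24", "10.1.2.1"),    # one subnet inside that site
]


def build_table(entries):
    """Parse textual entries into (network, next hop) pairs, longest prefix first.

    Sorting by prefix length once at build time means a simple linear scan
    in lookup() returns the most specific route, the way a router's
    forwarding table is consulted.
    """
    table = [(ipaddress.ip_network(net), ipaddress.ip_address(hop))
             for net, hop in entries]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Return the next hop (as a string) for the most specific matching route.

    Returns None when no entry covers the destination, which can only happen
    if the table has no default route.
    """
    dst = ipaddress.ip_address(destination)
    for network, hop in table:
        if dst in network:
            return str(hop)
    return None


if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for dst in ("10.1.2.55", "10.1.9.9", "10.7.0.1", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```

Note that the packet itself supplies only the destination address; everything else the decision needs comes from the table the router has built.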



In a packet filtering firewall, filter inspection takes place at the network or transport layer, and it is application independent. It is the least secure form of firewall, as it does not take account of the communication performed by different applications.




Packet filtering is based on:

1) The source and destination addresses of the data.

2) The session and application protocols being used to transfer the data.


NEED FOR PACKET FILTERING

The main advantage of packet filtering is leverage: it allows you to provide, in a single place, particular protections for an entire network. Routers also present a useful chokepoint for all of the traffic entering or leaving a network. Only filtering routers can provide certain protections.

Protocols Are Usually Bi-directional - Protocols are usually bi-directional; they almost always involve one side sending an inquiry or a command, and the other side sending a response of some kind.


What Does a Packet look like?

A packet has two parts: the header and the body. The header contains protocol information relevant to that layer, while the body contains the data for that layer, which often consists of a whole packet from the next layer in the stack. Each layer treats the information it gets from the layer above it as data, and applies its own header to this data. At each layer, the packet contains all of the information passed from the higher layer; nothing is lost. This process of preserving the data while attaching a new header is known as encapsulation.
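Encapsulation is easiest to see by building a packet and then peeling the headers off again. The following code is an added example, not from the paper: it constructs a sample IPv4 packet carrying a TCP segment (constructed values; checksums are left at zero because nothing here puts the packet on a wire), then parses the IP header, hands the IP body to the TCP parser, and hands the TCP body back as application data. The fields a packet filter looks at (addresses, protocol number, ports, the SYN and ACK bits) are exactly the ones surfaced here.

```python
import struct

IP_HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_HEADER_FMT = "!HHIIBBHHH"     # 20-byte TCP header without options
TCP_SYN, TCP_ACK = 0x02, 0x10     # flag bits in the TCP flags byte


def _ip_bytes(addr):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, flags, payload):
    """Construct a sample IPv4 packet wrapping a TCP segment wrapping `payload`.

    Each layer adds its own header in front of the data it was handed;
    nothing from the inner layer is removed (encapsulation).
    """
    tcp_header = struct.pack(TCP_HEADER_FMT, src_port, dst_port,
                             0, 0,          # sequence and ack numbers (sample)
                             5 << 4,        # data offset: 5 words = 20 bytes
                             flags, 65535,  # flags, window
                             0, 0)          # checksum, urgent pointer (unset)
    segment = tcp_header + payload
    ip_header = struct.pack(IP_HEADER_FMT,
                            0x45,           # version 4, header length 5 words
                            0, 20 + len(segment),
                            0, 0,           # identification, flags/fragment
                            64, 6,          # TTL, protocol 6 = TCP
                            0,              # header checksum (unset)
                            _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return ip_header + segment


def parse_ipv4(packet):
    """Strip the IP header; the body returned is the whole next-layer packet."""
    (version_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IP_HEADER_FMT, packet[:20])
    header_len = (version_ihl & 0x0F) * 4
    return {
        "version": version_ihl >> 4,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "body": packet[header_len:total_len],
    }


def parse_tcp(segment):
    """Strip the TCP header; the body returned is the application data."""
    (sport, dport, seq, ack_num, offset_reserved, flags,
     _win, _csum, _urg) = struct.unpack(TCP_HEADER_FMT, segment[:20])
    header_len = (offset_reserved >> 4) * 4
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack_num": ack_num,
        "syn": bool(flags & TCP_SYN),
        "ack": bool(flags & TCP_ACK),
        "body": segment[header_len:],
    }


def decapsulate(packet):
    """Walk down the stack: IP header, then TCP header, then application data."""
    ip = parse_ipv4(packet)
    tcp = parse_tcp(ip["body"]) if ip["protocol"] == 6 else None
    return ip, tcp


if __name__ == "__main__":
    pkt = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 23, TCP_SYN, b"hello")
    ip, tcp = decapsulate(pkt)
    print(ip["src"], "->", ip["dst"], "proto", ip["protocol"], "body bytes", len(ip["body"]))
    print("tcp", tcp["src_port"], "->", tcp["dst_port"], "syn", tcp["syn"], "ack", tcp["ack"])
    print("application data:", tcp["body"])
```

The IP body is 25 bytes long here: the full 20-byte TCP header plus the 5-byte payload, which is the point of the paragraph above. A packet filter stops at the TCP header; an application gateway would keep going into the body.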






Filtering by Address

The simplest, although not the most common, form of packet filtering is filtering by address. Filtering in this way lets you restrict the flow of packets based on the source and/or destination addresses of the packets, without having to consider what protocols are involved. Such filtering can be used to allow certain external hosts to talk to certain internal hosts, for example, or to prevent an attacker from injecting forged packets (handcrafted packets that appear to come from somewhere other than their true source) into your network.
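The two uses named above, letting a chosen external host reach a chosen internal host and refusing forged packets, can both be expressed with address-only rules once the filter knows which interface a packet arrived on. The following code is an added example, not the paper's: the internal networks, interface names and the allowed host pair are constructed sample values. A packet arriving from the Internet side with an internal source address cannot be genuine and is dropped; a packet leaving the internal side with a non-internal source address is dropped too, so the site cannot be used to inject forged packets elsewhere.

```python
import ipaddress

# Constructed topology (sample values, not from the paper): the private network
# sits behind interface "inside"; interface "outside" faces the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]

# Constructed address-only allow rule: one external host may reach one internal host.
ALLOWED_PAIRS = {("203.0.113.7", "10.0.0.25")}


def is_internal(addr):
    """True if the address belongs to one of the site's internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_by_address(iface, src, dst):
    """Decide, from addresses alone, whether a packet seen on `iface` may pass.

    Returns (verdict, reason); verdict is "accept" or "drop".
    """
    # Anti-spoofing: an internal source cannot legitimately arrive from outside.
    if iface == "outside" and is_internal(src):
        return "drop", "forged: internal source address arriving from the Internet"
    # Egress check: only internal sources may leave through the internal side.
    if iface == "inside" and not is_internal(src):
        return "drop", "forged: non-internal source address leaving the internal network"
    if iface == "outside":
        if (src, dst) in ALLOWED_PAIRS and is_internal(dst):
            return "accept", "explicitly allowed external host to internal host"
        return "drop", "default deny for inbound traffic"
    return "accept", "internal host talking outward"


if __name__ == "__main__":
    samples = [  # constructed packets: (interface, source, destination)
        ("outside", "10.0.0.5", "10.0.0.25"),
        ("outside", "203.0.113.7", "10.0.0.25"),
        ("outside", "203.0.113.9", "10.0.0.25"),
        ("inside", "10.0.0.25", "203.0.113.7"),
        ("inside", "203.0.113.7", "10.0.0.25"),
    ]
    for iface, src, dst in samples:
        verdict, reason = filter_by_address(iface, src, dst)
        print(f"{iface:8} {src:>14} -> {dst:<14} {verdict:6} ({reason})")
```

The interface is what makes the forgery check possible: the filter does not believe the source address, it checks whether that address could have arrived on that side at all. The allowed-pair rule is the case the next section warns about: an external host claiming to be 203.0.113.7 passes this check, because nothing in the addresses distinguishes the two.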

Risks of Filtering by Source Address

It's not necessarily safe to trust source addresses because source addresses can be forged. Unless you use some kind of cryptographic authentication between you and the host you want to talk to, you won't know if you're really talking to that host, or to some other machine that is pretending to be that host. The filters we've discussed above will help you if an external host is claiming to be an internal host, but they won't do anything about an external host claiming to be a different external host. There are two kinds of attacks that rely on forgery: source address forgery and man in the middle.

In a basic source address forgery attack, an attacker sends you packets that claim to be from some trusted person, hoping that you will take some action, without the attacker expecting to get any packets back from you. In fact, your responses will go to whoever the attacker is pretending to be, not to the attacker. There are plenty of attacks that can be carried out without the attacker needing to see the results directly. For example, suppose an attacker issues a command to your system that causes it to email your password file to him; if your system is going to send the attacker the password file in the mail, there is no need for him to see it during the attack itself.

In many circumstances - particularly those involving TCP connections - the real machine (that the attacker is pretending to be) will react to your packets by trying to reset the bogus connection. Obviously, the attacker doesn't want this to happen. He has to ensure the attack completes before the real machine gets the packets you're sending, or before you get the reset packets from the real machine. There are a number of ways to ensure this - for example:

1) Carrying out the attack while the real machine is down

2) Crashing the real machine so the attack can be carried out

3) Flooding the real machine while the attack is carried out

4) Confusing the routing between the real machine and the target

5) Using an attack where only the first response packet is required, so that the reset doesn't matter.

Filtering by Service

Blocking incoming forged packets, as discussed previously, is just about the only common use of filtering solely by address. Most other uses of packet filtering involve filtering by service, which is somewhat more complicated. We're going to take a detailed look at Telnet. Telnet allows a user to log in to another system, as if the user had a terminal directly connected to that system.

Outbound Telnet Service - In outbound Telnet service, a local client (a user) is talking to a remote server; the filter has to handle both the outgoing and the incoming packets of that session.

Inbound Telnet Service - In this, a remote client (a remote user) communicates with a local Telnet server.
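Filtering by service means that the rules refer to protocol, ports and, for TCP, the ACK bit, and that each Telnet direction needs a pair of rules: one for the client's packets and one for the server's replies. The following code is an added example, not the paper's own; the internal network and the packets are constructed sample values, and it also covers the point from the "Packet filtering is based on" list above, since the rules match on addresses and on the transport protocol. It evaluates a first-match rule table with default deny. The ACK-bit check is what separates the two cases: a reply in an existing session always has ACK set, while the first packet of a new connection does not, so permitting only ACK packets from port 23 allows outbound Telnet replies in without allowing outsiders to open connections to internal machines.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    direction: str                  # "in" = arriving from the Internet, "out" = leaving
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    sport: Optional[int]            # None = any source port
    dport: Optional[int]            # None = any destination port
    ack: Optional[bool]             # None = don't care; True = ACK bit must be set
    action: str                     # "permit" or "deny"


@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ack: bool


def matches(rule, pkt):
    """True if every field the rule constrains agrees with the packet."""
    if rule.direction != pkt.direction:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.ack is not None and rule.ack != pkt.ack:
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Outbound Telnet only: internal clients may open connections to port 23
# anywhere; only replies (ACK set) from port 23 may come back in.
OUTBOUND_TELNET_ONLY = [
    Rule("out", INTERNAL, ANY, "tcp", None, 23, None, "permit"),
    Rule("in", ANY, INTERNAL, "tcp", 23, None, True, "permit"),
]

# Inbound Telnet as well: outsiders may open connections to internal port 23,
# and the internal server's replies (ACK set, source port 23) may go out.
INBOUND_TELNET_TOO = OUTBOUND_TELNET_ONLY + [
    Rule("in", ANY, INTERNAL, "tcp", None, 23, None, "permit"),
    Rule("out", INTERNAL, ANY, "tcp", 23, None, True, "permit"),
]


if __name__ == "__main__":
    samples = {  # constructed packets
        "internal client opens telnet": Packet("out", "10.1.1.5", "203.0.113.8", "tcp", 40123, 23, False),
        "remote server replies":        Packet("in", "203.0.113.8", "10.1.1.5", "tcp", 23, 40123, True),
        "outsider opens telnet inward": Packet("in", "203.0.113.8", "10.1.1.5", "tcp", 40000, 23, False),
        "outsider probes from port 23": Packet("in", "203.0.113.8", "10.1.1.5", "tcp", 23, 40123, False),
    }
    for label, pkt in samples.items():
        print(f"{label:30} outbound-only={evaluate(OUTBOUND_TELNET_ONLY, pkt):6} "
              f"inbound-too={evaluate(INBOUND_TELNET_TOO, pkt)}")
```

The fourth sample packet shows why the ACK rule matters: a packet sent from source port 23 without ACK is an attempt to open a new connection that merely looks like a Telnet reply, and both rule sets deny it. The rule table also illustrates the disadvantages listed later: four short rules are already easy to get wrong, and the only way to be sure is to run packets like these through them.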

Advantages of Packet Filtering

1) One screening router can help protect an entire network - you gain tremendous leverage on network security.

2) Packet filtering doesn't require user knowledge or cooperation, custom software or configuration of client machines, nor does it require any special training or procedures for users.

3) Packet filtering is widely available in many routers - hardware and software routing products, both commercial and freely available over the Internet.

Disadvantages of Packet Filtering -

1) Current filtering tools are not perfect - Despite the widespread availability of packet filtering in various hardware and software packages, packet filtering is still not a perfect tool.

2) The packet filtering rules tend to be hard to configure. Although there is a range of difficulty, it mostly runs from slightly mind-twisting to brain-numbingly impossible.

3) Once configured, the packet filtering rules tend to be hard to test.

4) The packet filtering capabilities of many of the products are incomplete, making implementation of certain types of highly desirable filters difficult or impossible.


CONCLUSIONS -

Network security implies restrictions such as network traffic filtering with firewall technology, and defence against the distribution of malicious programs such as viruses (virus prevention). Security is a very difficult topic. Everyone has a different idea of what "security" is, and what levels of risk are acceptable. The key for building a secure network is to define what security means to your organization. It's important to build systems and networks in such a way that the user is not constantly reminded of the security system around him. Users who find security policies and systems too restrictive will find ways around them. It's important to get their feedback to understand what can be improved, and it's important to let them know why what has been done has been done, the sorts of risks that are deemed unacceptable, and what has been done to minimize the organization's exposure to them.

Security is everybody's business, and only with everyone's cooperation, an intelligent policy, and consistent practices, will it be achievable.

