Network Security (II)


Oct 24, 2013


Information Networking Security and Assurance Lab

National Chung Cheng University

Instructor: Bo Cheng (鄭伯炤)

Office: Dept. of Communication Rm #112

Tel: X33512

Email: bcheng@ccu.edu.tw


Network Security Class


Building Internet Firewalls

[Figure: the three firewall types placed against the seven OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application). A packet filter inspects only Network and Transport headers, stateful inspection additionally tracks the state of sessions, and an application proxy operates all the way up to the Application layer.]


Packet Filter Firewalls

Access control is based on several pieces of information contained in a network packet:

- The source address of the packet
- The destination address of the packet
- The type of traffic: the specific network protocol used between the source and destination systems or devices (e.g., ICMP)
- Possibly some characteristics of the Layer 4 communication session, such as the source and destination ports
- The interface of the router the packet arrived on and the interface it is destined for; this is useful for routers with three or more network interfaces


Boundary Routers

A packet filter deployed as a boundary router can block certain attacks, filter unwanted protocols, perform simple access control, and then pass the traffic on to other firewalls that examine higher layers of the OSI stack.

[Figure: Packet Filter used as Boundary Router]


Basic Weaknesses Associated with Packet Filters

- Do not examine upper-layer data
  - Cannot prevent attacks that exploit application-specific vulnerabilities or functions.
- Limited information available to the firewall
  - Logging functionality in packet filter firewalls is limited (typically only the header fields used in the decision).
  - Do not support advanced user authentication schemes.
- Network protocol weaknesses
  - Vulnerable to flaws in the TCP/IP specification and protocol stack, such as network-layer address spoofing.
- Small number of variables used in access control decisions
  - Susceptible to security breaches caused by improper configuration.

But ...

Because they make decisions on so few fields, packet filter firewalls are very suitable for high-speed environments where logging and user authentication with network resources are not important.


Packet Filter Rulesets

Actions:

- Accept: forward the packet.
- Deny: drop the packet and inform the sender (e.g., with an ICMP unreachable or a TCP RST); this reveals that a filter exists.
- Discard: drop the packet silently; the sender sees only a timeout.

Example default policy:

- Any type of access from the inside to the outside is allowed.
- No access originating from the outside to the inside is allowed, except for SMTP and HTTP.
- The SMTP and HTTP servers are positioned "behind" the firewall.


Stateful Inspection Firewalls

- More secure: tracks each client connection (address and port pair) individually, so return traffic is admitted only for connections an internal client actually opened, rather than opening all high-numbered ports for external access.
- Useful or applicable only within TCP/IP network infrastructures.
- Represents a superset of packet filter firewall functionality.
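The following is an added example, not code from the slides, that makes the difference between the two designs concrete. It models a stateless packet filter with the slide's example policy (inside-to-outside open, only SMTP and HTTP open from outside, plus the high-port rule a stateless filter needs for return traffic) next to a stateful filter that keeps a connection table. The addresses (192.0.2.0/24 as the internal network, 198.51.100.0/24 as the Internet) and the traffic trace are constructed for the example; the FIN handling is simplified compared with a real connection tracker.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of the header fields a filter consults (constructed example)."""
    direction: str   # "in" = arriving from the Internet, "out" = leaving the internal net
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: first packet of a new connection
    fin: bool = False   # TCP FIN: the connection is closing


# Services the site exposes behind the firewall (the slide's SMTP and HTTP example).
PUBLIC_SERVICES = {("tcp", 25), ("tcp", 80)}

# --- Stateless packet filter -------------------------------------------------
# Rules are (direction, proto, dport range, action); first match wins.
# A stateless filter cannot tell a reply to an internal client from a fresh
# inbound connection, so the second rule has to open every high port from outside.
STATELESS_RULES = [
    ("out", "tcp", range(1, 65536), "accept"),     # inside -> outside: anything
    ("in",  "tcp", range(1024, 65536), "accept"),  # replies to internal clients
    ("in",  "tcp", range(25, 26), "accept"),       # public SMTP server
    ("in",  "tcp", range(80, 81), "accept"),       # public HTTP server
]


def stateless_filter(pkt: Packet) -> str:
    for direction, proto, dports, action in STATELESS_RULES:
        if pkt.direction == direction and pkt.proto == proto and pkt.dport in dports:
            return action
    return "discard"   # default deny: silently drop what no rule accepts


# --- Stateful inspection -----------------------------------------------------
class StatefulFilter:
    """Tracks outbound TCP connections and admits only their return traffic."""

    def __init__(self):
        # (client ip, client port, server ip, server port) of open connections
        self.connections = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            return "discard"
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                self.connections.add(key)        # new client connection: remember it
            elif pkt.fin:
                self.connections.discard(key)    # client closed it: forget it (simplified)
            return "accept"
        # Inbound: either a reply on a tracked connection, or a new connection
        # to a published service. Everything else, including a probe of a
        # high port such as 3389, is dropped.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections:
            if pkt.fin:
                self.connections.discard(key)
            return "accept"
        if (pkt.proto, pkt.dport) in PUBLIC_SERVICES and pkt.syn:
            return "accept"
        return "discard"


def compare(packets):
    """Run both filters over a packet list; returns [(stateless, stateful), ...]."""
    fw = StatefulFilter()
    return [(stateless_filter(p), fw.filter(p)) for p in packets]


if __name__ == "__main__":
    # Constructed trace: an internal client browses, then an outsider probes RDP.
    trace = [
        Packet("out", "tcp", "192.0.2.10", 40000, "198.51.100.5", 80, syn=True),
        Packet("in",  "tcp", "198.51.100.5", 80, "192.0.2.10", 40000),
        Packet("in",  "tcp", "198.51.100.77", 4444, "192.0.2.10", 3389, syn=True),
    ]
    for p, verdicts in zip(trace, compare(trace)):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless/stateful = {verdicts}")
```

The third packet is the point of the slide: the stateless filter accepts it because 3389 is "a high port", while the stateful filter drops it because no internal client ever opened a connection to 198.51.100.77:4444.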


Application-Proxy Gateway Firewalls

- Combine lower-layer access control with upper-layer (Layer 7, Application Layer) functionality.
- Example: a web proxy.
- In addition to the ruleset, they can authenticate each individual network user:
  - User ID and password authentication,
  - Hardware or software token authentication,
  - Source address authentication, and
  - Biometric authentication.



Dedicated Proxy Servers

Are useful for web and email content scanning:

- Java applet or application filtering,
- ActiveX control filtering,
- JavaScript filtering,
- Blocking specific Multipurpose Internet Mail Extensions (MIME) types, for example application/msword for Microsoft Word documents,
- Virus scanning and removal,
- Macro virus scanning, filtering, and removal,
- Application-specific commands, for example blocking the HTTP DELETE method, and
- User-specific controls, including blocking certain content types for certain users.
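As an added example (not from the slides or any proxy product), the policy engine below shows how a dedicated web proxy applies the controls just listed: it blocks a method (DELETE) for everyone, blocks a MIME type (application/msword) for everyone, blocks further types for particular users, and strips active content (script, applet, object, embed elements) from HTML. The policy values, user names and the HTML snippet are constructed; the regular-expression stripper is a deliberate simplification, since a production filter must parse HTML rather than pattern-match it.

```python
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def media_type(content_type: str) -> str:
    """'Application/MSWord; name=a.doc' -> 'application/msword' (parameters dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def header(headers: Dict[str, str], name: str, default: str = "") -> str:
    """HTTP header names are case-insensitive; look the header up that way."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return default


# Active content the proxy removes from HTML bodies: JavaScript, Java applets,
# ActiveX objects and plug-in embeds. Simplified: real filters parse the markup.
ACTIVE_CONTENT = re.compile(r"<(script|applet|object|embed)\b.*?</\1\s*>", re.I | re.S)


class ProxyPolicy:
    def __init__(self, blocked_methods: Set[str], blocked_types: Set[str],
                 per_user_blocked_types: Dict[str, Set[str]], strip_active: bool = True):
        self.blocked_methods = {m.upper() for m in blocked_methods}
        self.blocked_types = {t.lower() for t in blocked_types}
        self.per_user = {u: {t.lower() for t in ts} for u, ts in per_user_blocked_types.items()}
        self.strip_active = strip_active

    def check_request(self, user: str, method: str, headers: Dict[str, str]) -> Decision:
        """Application-specific command filtering, e.g. the slide's 'block HTTP DELETE'."""
        if method.upper() in self.blocked_methods:
            return Decision(False, f"method {method.upper()} blocked for all users")
        return Decision(True, "request allowed")

    def check_response(self, user: str, headers: Dict[str, str], body: str) -> Tuple[Decision, str]:
        """MIME-type blocking (global and per user) and active-content removal."""
        mtype = media_type(header(headers, "Content-Type", "application/octet-stream"))
        if mtype in self.blocked_types:
            return Decision(False, f"media type {mtype} blocked for all users"), ""
        if mtype in self.per_user.get(user, set()):
            return Decision(False, f"media type {mtype} blocked for user {user}"), ""
        if self.strip_active and mtype == "text/html":
            cleaned, removed = ACTIVE_CONTENT.subn("", body)
            return Decision(True, f"allowed, {removed} active element(s) removed"), cleaned
        return Decision(True, "allowed"), body


# Constructed policy: the slide's examples plus one per-user rule for "intern".
DEMO_POLICY = ProxyPolicy(
    blocked_methods={"DELETE"},
    blocked_types={"application/msword"},
    per_user_blocked_types={"intern": {"application/x-msdownload"}},
)

if __name__ == "__main__":
    print(DEMO_POLICY.check_request("alice", "DELETE", {}))
    page = "<html><script>alert(1)</script><p>hi</p><object classid='clsid:1'></object></html>"
    print(DEMO_POLICY.check_response("alice", {"Content-Type": "text/html; charset=utf-8"}, page))
    print(DEMO_POLICY.check_response("intern", {"Content-Type": "application/x-msdownload"}, ""))
```

Two things the code makes visible that the list does not: the type check must normalise the Content-Type value (case, parameters) before comparing, or `Application/MSWord; name=x.doc` walks straight past a rule for `application/msword`; and none of this is possible unless the proxy terminates TLS, since it has to read the headers and body in the clear.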



Dedicated Proxy Server Deployments

[Figure: Dedicated Proxy Server Deployments]



Network Address Translation

Developed in response to two major issues:

- Hiding the network-addressing schema present behind a firewall environment.
- The depletion of the IP address space, which has led organizations to use NAT for mapping the non-routable (private) addresses of RFC 1918 to a smaller set of legal, routable addresses:
  - 10.0.0.0 to 10.255.255.255 (one Class A network)
  - 172.16.0.0 to 172.31.255.255 (16 contiguous Class B networks)
  - 192.168.0.0 to 192.168.255.255 (256 contiguous Class C networks)

Accomplished in three fashions:

- Static Network Address Translation
- Hiding (dynamic) Network Address Translation, in which all internal systems share a single external address (the third form, omitted from this slide)
- Port Address Translation (PAT)


IANA-allocated, Non-Internet-routable IP Addresses

IP addresses are either public (allocated through registries such as the American Registry for Internet Numbers, ARIN) or private (the RFC 1918 ranges below, which are never routed on the Internet).

Address Class | Network Address Range
A             | 10.0.0.0 ~ 10.255.255.255
B             | 172.16.0.0 ~ 172.31.255.255
C             | 192.168.0.0 ~ 192.168.255.255

Non-routable (private) addresses are recommended for home networks.


Static Network Address Translation

Each internal system on the private network has a
corresponding external, routable IP address associated with it.


Port Address Translation (PAT)

All internal systems share a single external, routable IP address; the translator rewrites the source port of each outbound connection so that return traffic can be mapped back to the right internal host and port.

[Figure: PAT]
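The added example below (not from the slides) implements both translation styles side by side: a static NAT table, which gives every internal host its own routable address and therefore also lets unsolicited inbound traffic reach it, and a PAT table, which shares one public address and can only deliver inbound packets that match a binding created by earlier outbound traffic. The public addresses (203.0.113.0/24) and the internal hosts are constructed; the RFC 1918 check uses the three ranges from the slide.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# The RFC 1918 ranges listed on the slide.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


class StaticNAT:
    """One-to-one: each internal host owns a routable address (static NAT)."""

    def __init__(self, mapping: Dict[str, str]):
        self.inside_to_outside = dict(mapping)
        self.outside_to_inside = {out: inside for inside, out in mapping.items()}
        if len(self.outside_to_inside) != len(mapping):
            raise ValueError("static NAT needs a distinct external address per host")

    def outbound(self, src_ip: str) -> Optional[str]:
        return self.inside_to_outside.get(src_ip)

    def inbound(self, dst_ip: str) -> Optional[str]:
        # Any inbound packet to a mapped address is delivered: static NAT hides
        # the numbering scheme but not the hosts, so a firewall rule must still
        # decide what may reach them.
        return self.outside_to_inside.get(dst_ip)


class PAT:
    """Many-to-one: all internal hosts share one public address, told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.free_ports = iter(range(first_port, last_port + 1))
        self.bindings: Dict[Tuple[str, str, int], int] = {}        # (proto, in_ip, in_port) -> public port
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, public port) -> (in_ip, in_port)

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate an outbound flow; reuses the binding for a flow already seen."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address; nothing to translate")
        key = (proto, src_ip, src_port)
        if key not in self.bindings:
            try:
                public_port = next(self.free_ports)
            except StopIteration:
                raise RuntimeError("translation table full: no free public ports") from None
            self.bindings[key] = public_port
            self.reverse[(proto, public_port)] = (src_ip, src_port)
        return self.public_ip, self.bindings[key]

    def inbound(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        # Only a reply to an existing binding has an internal destination; any
        # other inbound packet is dropped, which is what hides the inside network.
        return self.reverse.get((proto, dst_port))


if __name__ == "__main__":
    pat = PAT("203.0.113.1", first_port=50000)
    for host in ("10.0.0.5", "10.0.0.6"):
        print(host, ":40000 ->", pat.outbound("tcp", host, 40000))
    print("reply to 50001 goes to", pat.inbound("tcp", 50001))
    print("unsolicited packet to 50002 goes to", pat.inbound("tcp", 50002))
```

Real translators also expire bindings on timeout or FIN/RST and have to cope with protocols that carry addresses in the payload (FTP, SIP), which need an application-layer helper; both are omitted here.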



Personal Firewalls / Personal Firewall Appliances

Personal Firewall:

- Installed on the system it is meant to protect;
- Usually does not offer protection to other systems or resources.

Personal Firewall Appliance:

- Usually runs on specialized hardware and integrates other network infrastructure components:
  - Cable modem WAN routing,
  - LAN routing (dynamic routing support),
  - Network hub,
  - Network switch,
  - DHCP (Dynamic Host Configuration Protocol) server,
  - Network management (SNMP) agent, and
  - Application-proxy agents.


DMZ (DeMilitarized Zone)

- A DMZ is your front line when protecting valuables from direct exposure to an untrusted environment.
- "A network added between a protected network and an external network in order to provide an additional layer of security."
- A DMZ is sometimes called a "perimeter network" or a "three-homed perimeter network."
- A DMZ is a glowing example of the Defense-in-Depth principle.


Defense-in-Depth

- The Defense-in-Depth principle states that no one thing, and no two things, will ever provide total security.
- It states that the only way for a system to be reasonably secured is to consider every aspect of the system's existence and secure them all.
- A DMZ is a step towards defense in depth because it adds an extra layer of security beyond that of a single perimeter.




Designing a DMZ

Start by asking yourself:

- What do I want to protect? Or: what is most valuable to me?
- What is the entrance point into this system? Or: what is my front door?

If there is more than one entrance to your system, such as an Internet connection and dial-up connections:

- Have two different DMZs.
- Have different configurations for each of those access types.


DMZ Networks

[Figure: A DMZ Firewall Environment]

[Figure: Service Leg DMZ Configuration (the DMZ hangs off a third interface of a single firewall instead of sitting between two firewalls)]



Domain Name Service (DNS)

[Figure: Split DNS example]

With split DNS, an external name server in the DMZ answers only for the public hosts (web, mail), while an internal server holds the complete internal zone and is reachable only from inside; outside queries therefore learn nothing about the internal naming scheme.


Placement of Servers in Firewall Environments

[Figure: Summary Example Firewall Environment]


Firewall Ruleset: Traffic to Block

- Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
- Inbound traffic with a source address indicating that the packet originated on a network behind the firewall (address spoofing).
- Inbound traffic containing ICMP (Internet Control Message Protocol) traffic. (Blocking all ICMP also drops the "fragmentation needed" messages that path MTU discovery relies on; a practical ruleset allows at least that type.)
- Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as reserved for private networks.
- Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.
- Inbound traffic containing IP source routing information.
- Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
- Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.
- Inbound or outbound traffic containing directed broadcast addresses.
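As an added example (not from the slides), the checker below turns the list above into code and returns the first rule a packet violates. The site layout is constructed: 192.0.2.0/24 is the internal network, 198.51.100.1 and 192.0.2.1 are the firewall's own interfaces, and 198.51.100.9 stands in for the one outside host "authenticated" to manage the firewall and send SNMP. It generalises the slide's 127.0.0.1 to the whole 127.0.0.0/8 loopback block and treats the broadcast address of each internal network as the directed broadcast to drop.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed site layout (TEST-NET ranges as stand-ins for real addresses).
INTERNAL_NETS = [ip_network("192.0.2.0/24")]
FIREWALL_ADDRS = {ip_address("198.51.100.1"), ip_address("192.0.2.1")}
MGMT_HOSTS = {ip_address("198.51.100.9")}   # the slide's "authenticated" sources
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LOOPBACK = ip_network("127.0.0.0/8")
UNSPECIFIED = ip_address("0.0.0.0")
SNMP_PORTS = {161, 162}


@dataclass(frozen=True)
class Packet:
    direction: str                # "in" (from the Internet) or "out"
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: int = 0
    source_routed: bool = False   # IP loose/strict source route option present


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def block_reason(pkt: Packet) -> Optional[str]:
    """Return why the packet must be blocked, or None if no rule applies.
    The checks follow the slide's list in order; the first hit wins."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    inbound = pkt.direction == "in"
    if inbound and dst in FIREWALL_ADDRS and src not in MGMT_HOSTS:
        return "inbound to the firewall itself from a non-authenticated source"
    if inbound and _in_any(src, INTERNAL_NETS):
        return "inbound packet claims an internal source address (spoofed)"
    if inbound and pkt.proto == "icmp":
        return "inbound ICMP"
    if _in_any(src, RFC1918):
        return "RFC 1918 source address at the perimeter"
    if inbound and pkt.proto == "udp" and pkt.dport in SNMP_PORTS and src not in MGMT_HOSTS:
        return "inbound SNMP from a non-authenticated source"
    if inbound and pkt.source_routed:
        return "inbound packet carries IP source routing"
    if src in LOOPBACK or dst in LOOPBACK:
        return "loopback address on the wire"
    if src == UNSPECIFIED or dst == UNSPECIFIED:
        return "unspecified address 0.0.0.0"
    if any(dst == net.broadcast_address for net in INTERNAL_NETS):
        return "directed broadcast to an internal network"
    return None


if __name__ == "__main__":
    # Constructed packets, one per rule plus one legitimate web request.
    samples = [
        Packet("in", "198.51.100.77", "198.51.100.1", "tcp", 22),
        Packet("in", "192.0.2.10", "192.0.2.20", "tcp", 80),
        Packet("in", "198.51.100.77", "192.0.2.20", "icmp"),
        Packet("out", "10.1.2.3", "198.51.100.5", "tcp", 80),
        Packet("in", "198.51.100.77", "192.0.2.20", "udp", 161),
        Packet("in", "198.51.100.77", "192.0.2.20", "tcp", 80, source_routed=True),
        Packet("out", "192.0.2.10", "127.0.0.1", "tcp", 80),
        Packet("in", "0.0.0.0", "192.0.2.20", "udp", 68),
        Packet("in", "198.51.100.77", "192.0.2.255", "udp", 7),
        Packet("in", "198.51.100.77", "192.0.2.20", "tcp", 80),
    ]
    for p in samples:
        print(f"{p.direction:3} {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport}: {block_reason(p) or 'pass'}")
```

The fourth rule is worth a second look before deploying it: an RFC 1918 source address is only illegitimate at the perimeter if NAT has already run, so on a device that translates after filtering the check has to be placed on the outside interface.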



Network Intrusion Detection Systems

Bo Cheng (鄭伯炤)

Email: bcheng@ccu.edu.tw

Tel: 05-272-0411 Ext. 33512



Intrusion: an attempt to

- compromise the confidentiality, integrity, or availability of a computer or network, or
- bypass its security mechanisms.


IDS History

http://www.securityfocus.com/infocus/1514


Types of IDS (by Information Source)

- Network (NID): captures and analyzes all network packets.
- Host (HID): operates on information (e.g., logs or OS system calls) collected from within an individual computer system.
- Network-Node (NNID): monitors packets to/from a specific node only.
- Application-Integrated (AIID): uses a module coupled with the application to extract the desired information and monitor transactions.
- Application (AID): operates on application transaction logs, e.g., Entercept Web Server Edition.

http://www.networkintrusion.co.uk/ids.htm


Complementary IDS Tools

Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml

- Honey pot: a system/resource designed to be attractive to a potential attacker.
- Padded cell: when the IDS detects attackers, it seamlessly transfers them to a special padded-cell host where they can do no harm.
- Vulnerability assessment: determines whether a network or host is vulnerable to known attacks.
- File integrity checkers: create a baseline by applying a message digest (cryptographic hash) to key files, then check the files periodically against it.
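The following added example (not from the slides or any product) is a minimal file integrity checker of the kind just described: it records a SHA-256 digest, size and permission bits for every file under a root, stores the baseline as JSON, and on a later run reports modified, missing and added files. The `demo()` function builds a small fake system tree in a temporary directory and tampers with it in the ways an intruder would (a replaced binary, a setuid bit added to a file whose content is unchanged, a deleted file, a dropped-in rootkit); the tree and its contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Digest, size and permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            # Mode matters as much as content: a setuid bit on an unchanged
            # binary is a classic post-compromise change.
            baseline[rel] = {"sha256": file_digest(full), "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return baseline


def save_baseline(baseline: Dict[str, dict], path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as f:
        return json.load(f)


def check_integrity(root: str, baseline: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare the tree under root with the baseline."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "added": []}
    for rel, expected in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != expected:
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake system tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("bin/ls", b"\x7fELF original ls\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)      # taken while the system is clean

        write("bin/ls", b"\x7fELF trojaned ls\n")                 # attacker replaces a binary
        os.chmod(os.path.join(root, "etc", "passwd"), 0o4755)     # same bytes, setuid bit added
        os.remove(os.path.join(root, "etc", "hosts"))             # a file disappears
        write("bin/rootkit", b"\x7fELF rootkit\n")                # a new file appears
        return check_integrity(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two operational points the slide leaves implicit: the baseline has to live somewhere the attacker cannot rewrite (read-only media, a signed copy on another host), because anyone who can replace `/bin/ls` can also regenerate `baseline.json`; and the digest must be a collision-resistant hash, which is why SHA-256 is used here rather than MD5.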


IDS Life Cycle

- Testing: accuracy, resource usage, stress.
- Vulnerability assessment.
- Installation: information collecting, filtering and correlation, traffic analysis.
- Tuning: configuration, signature updating, writing signatures.

Setting up the current generation of IDSs requires a substantial time investment to ensure they'll flag only suspicious traffic and leave everything else alone.
www.nwfusion.com/techinsider/2002/0624security1.html


IDS Market Forecast (I)

[Figure: IDS market forecast. Source: IDC, 2001]


IDS Market Forecast (II)

[Figure: IDS market forecast, continued. Source: IDC, 2001]


When Firewall Meets IDS

IDS: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

- Validates the firewall configuration.
- Detects attacks that the firewall allows to pass through (such as attacks against web servers).
- Catches insider hacking.

Firewall: a gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one said to be "outside" the firewall).

- Access control
- NAT
- Prevents the attacks it is configured to block


NIDS Deployments

Sensor attachment modes:

- Tap
- SPAN (mirror) port
- Port clustering
- In-line

Sensor locations (the figure shows the Internet, the external firewall, the DMZ, the network backbones and the critical subnets):

1. Outside the external firewall:
   - See all outside attacks, to help forensic analysis.
2. Behind the external firewall, in the DMZ:
   - Identify DMZ-related attacks.
   - Spot outside attacks that penetrate the network's perimeter.
   - Avoid outside attacks on the IDS itself.
   - Highlight external firewall problems with the policy or performance.
   - Pinpoint compromised servers via their outgoing traffic.
3. On the network backbones:
   - Increase the possibility of recognizing attacks.
   - Detect attacks from insiders or authorized users within the security perimeter.
4. On critical subnets:
   - Observe attacks on critical systems and resources.
   - Provide a cost-effective solution by concentrating sensors where they matter most.


Detection Engine Analysis

- Protocol anomalies
- Stateful signatures
- Backdoor detection
- Traffic anomalies
- Simple pattern matching, and the weaknesses of plain string matching: any encoding or path trick the signature author did not anticipate evades it.


The Detection Results

- True positive: an attack occurred and the IDS alerted.
- False positive: no attack occurred, but the IDS alerted.
- True negative: no attack, no alert.
- False negative: an attack occurred and the IDS missed it.

Causes of false negatives: the sensor cannot keep up at wire speed and drops packets; IDS evasion techniques.

Causes of false positives: misconfiguration; a poor detection engine.

Consequence of false positives: they annoy the analysts and the IDS ends up "crying wolf", so its alerts are ignored.

Remedies: tuning, and, for missed attacks, asking whether prevention (blocking in-line) is the better fit.
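To tie the "simple pattern matching" engine of the Detection Engine Analysis slide to the four outcomes above, here is an added example (not from the slides): two signature matchers for HTTP request URIs, one doing raw substring search and one normalising the path first (percent-decoding, collapsing `//` and `/./`, resolving `..`, then requiring the signature to match whole path segments), evaluated over a constructed, labelled request corpus to produce TP/FP/TN/FN counts. The signatures (the historic `phf` CGI and `/etc/passwd` reads) and every request in the corpus are constructed for the example.

```python
import re
from posixpath import normpath
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote

# Signatures: request paths that indicate an attack (classic examples).
SIGNATURES = {
    "phf-cgi": "/cgi-bin/phf",
    "passwd-read": "/etc/passwd",
}


def naive_detect(uri: str) -> List[str]:
    """Simple pattern matching: raw substring search on the request URI."""
    return [name for name, pat in SIGNATURES.items() if pat in uri]


def normalize_path(uri: str) -> str:
    """Canonicalise the path the way the target web server will interpret it."""
    path = uri.split("?", 1)[0]        # drop the query string before decoding
    path = unquote(unquote(path))      # %70 -> p; the second pass catches %2570 (double encoding)
    path = re.sub(r"/+", "/", path)    # collapse //; normpath would keep a leading //
    return normpath(path)              # resolve /./ and /../ segments


# A signature must match whole path segments: "/etc/passwd" must not fire on
# "/docs/etc/passwd-policy.html", which the raw substring search happily does.
ANCHORED = {name: re.compile(r"(?<![^/])" + re.escape(pat) + r"(?![^/])")
            for name, pat in SIGNATURES.items()}


def normalized_detect(uri: str) -> List[str]:
    path = normalize_path(uri)
    return [name for name, rx in ANCHORED.items() if rx.search(path)]


# Constructed corpus: (request URI, is_attack). The attack variants are the
# standard evasions: inserted "./", doubled slashes, URL and double-URL encoding.
CORPUS: List[Tuple[str, bool]] = [
    ("/index.html", False),
    ("/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd", True),
    ("/cgi-bin/./phf", True),
    ("/cgi-bin/%70hf?Qalias=x", True),
    ("/cgi-bin//phf", True),
    ("/cgi-bin/%2570hf", True),
    ("/docs/etc/passwd-policy.html", False),
    ("/images/logo.png", False),
    ("/app/../../etc/passwd", True),
]


def evaluate(detector: Callable[[str], List[str]],
             corpus: List[Tuple[str, bool]]) -> Dict[str, int]:
    """Count the four detection outcomes for a detector over a labelled corpus."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for uri, is_attack in corpus:
        alerted = bool(detector(uri))
        if alerted:
            counts["tp" if is_attack else "fp"] += 1
        else:
            counts["fn" if is_attack else "tn"] += 1
    return counts


if __name__ == "__main__":
    for name, det in (("naive", naive_detect), ("normalized", normalized_detect)):
        print(f"{name:10} {evaluate(det, CORPUS)}")
    for uri, _ in CORPUS:
        print(f"{uri:48} -> {normalize_path(uri)}")
```

The raw matcher misses four of the six attacks and raises one false alarm; the normalising matcher gets all nine right. The decoding steps are only correct if they mirror what the protected server does: decoding twice matches a server that double-decodes, but on a server that decodes once, `%2570hf` is not an attack and the second pass would itself create a false positive, which is the same trade-off the "IDS evasion" and "misconfiguration" items describe.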


IDS Responses After Detection

Source: NIST

Active responses:

- Collect additional information.
- Change the environment: reconfigure routers/firewalls (e.g., via FW-1 OPSEC) to block packets based on IP address, network ports, protocols, or services; inject TCP reset packets to tear down the offending connection.
- Take action against the intruder (retaliation, "information warfare"); legally and operationally risky, since the apparent source may be spoofed or itself a victim.

Passive responses:

- Alarms/notifications.
- SNMP integration: generate SNMP traps to an SNMP manager (e.g., HP OpenView) using the vendor's MIB (e.g., the iss.mib trap definitions).

Intrusion Detection Working Group (IDWG):

- IDMEF, Intrusion Detection Message Exchange Format: XML-based alert format exchanged among IDS components.
- IDXP, Intrusion Detection Exchange Protocol: communication protocol for exchanging IDMEF messages.


Check Point OPSEC (Open Platform for Secure Enterprise Connectivity)

TCP/UDP Port | Name        | Short description
18181/tcp    | FW1_cvp     | Check Point OPSEC Content Vectoring Protocol: communication between the firewall module (FWM) and an anti-virus server
18182/tcp    | FW1_ufp     | Check Point OPSEC URL Filtering Protocol: communication between FWM and a content-control server (e.g. web content)
18183/tcp    | FW1_sam     | Check Point OPSEC Suspicious Activity Monitor API: e.g. "block intruder" requests between the management module (MM) and FWM
18184/tcp    | FW1_lea     | Check Point OPSEC Log Export API: exporting logs from MM
18185/tcp    | FW1_omi     | Check Point OPSEC Objects Management Interface: used by applications that access the ruleset saved at MM
18187/tcp    | FW1_ela     | Check Point Event Logging API: used by applications delivering logs to MM
18207/tcp    | FW1_pslogon | Check Point Policy Server Logon protocol: download of the Desktop Security policy from the Policy Server (PS) to SecureClient

NFR and RealSecure support FW1_sam and FW1_ela.


Gateway IDS (GIDS) and Host Intrusion Prevention (HIP)

Host intrusion prevention:

Company                         | Website
Entercept Security Technologies | www.entercept.com
Harris STAT Neutralizer         | www.statonline.com
Okena StormWatch and StormFront | www.okena.com
Sana Security                   | www.sanasecurity.com
Linux IDS                       | www.lids.org

Gateway IDS / network intrusion prevention:

Company                            | Website
Captus Networks                    | www.captusnetworks.com
Cisco Systems IDS                  | www.cisco.com
ForeScout ActiveScout              | www.forescout.com
RealSecure Network Protection      | www.iss.net
Intruvert Networks                 | www.intruvert.com
NetScreen Technologies IDP         | www.netscreen.com
Snort Hogwash                      | http://hogwash.sourceforge.net
TippingPoint Technologies UnityOne | www.tippingpoint.com

Acquisitions in this market: OneSecure -> NetScreen; Okena -> Cisco; Entercept and Intruvert -> Network Associates.

Drawbacks of in-line prevention:

- May inadvertently block legitimate traffic (a false positive now causes an outage, not just an alert).
- Ineffective against denial-of-service attacks.

http://www.cio.com/archive/061503/et_article.html


NIDS Market Predictions: Head to Head

- "IDS is dead, long live IPS."
- The intrusion detection market jumped 29.2 per cent year on year (the firewall/virtual private network security appliance market increased 7.5 per cent).
- In contrast to statements that intrusion detection software is dead, the growth in intrusion detection appliances shows that many organizations still see the value in monitoring their networks.
- Could reach $2 billion in 2005, up from $486 million in 2000.
- The IDS market will grow 43 per cent to $149m by 2004.
- IDS revenue will hit $1.1bn by 2006.

(The estimates come from different sources and scopes, which is why they do not agree.)

http://www.vnunet.com/News/1143747
http://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf

- By the end of 2003, 90% of IDS deployments will fail when false positives are not reduced by 50%.
- By year-end 2004, advances in non-signature-based intrusion detection technology will enable network-based intrusion prevention to replace 50% of established IDS deployments and capture 75% of new deployments.


IDS Balancer

[Figure: a fiber (GigaBit SX) tap on the Internet link feeds an IDS balancer, which distributes the traffic across several sensors watching the network.]

Products: Toplayer's IDS Balancer; Radware FireProof.

Benefits claimed:

- Availability
- Scalability
- ROI
- Cost-effective (fewer sensors while increasing intrusion coverage)