Information Networking Security and Assurance Lab
National Chung Cheng University
Instructor: 鄭伯炤 (Bo Cheng)
Office: Dept. of Communication Rm #112
Tel: X33512
Email: bcheng@ccu.edu.tw
Network Security (II)
Network Security Class
Building Internet Firewalls
Figure: firewall types mapped to the OSI stack (Physical, Data Link, Network, Transport, Session, Presentation, Application). Packet filters decide on Network- and Transport-layer fields; stateful inspection additionally tracks Transport-layer connections; application proxies operate at the Application layer.
Packet Filter Firewalls
Access control is based on several pieces of information contained in a network packet:
• The source address of the packet
• The destination address of the packet
• The type of traffic: the specific network protocol used between the source and destination systems or devices (e.g., ICMP)
• Possibly some characteristics of the Layer 4 session, such as the source and destination ports
• The router interface the packet arrived on and the interface it is destined for; this is useful for routers with three or more network interfaces
Boundary Routers
The packet filter, referred to as a boundary router, can block certain attacks, possibly filter unwanted protocols, perform simple access control, and then pass the traffic on to other firewalls that examine higher layers of the OSI stack.
Figure: Packet Filter used as Boundary Router
Basic Weaknesses Associated with Packet Filters
• Do not examine upper-layer data: they cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Limited information available to the firewall: the logging functionality in packet filter firewalls is limited.
• Do not support advanced user authentication schemes.
• Network protocol weaknesses: vulnerable to attacks that exploit the TCP/IP specification and protocol stack, such as network-layer address spoofing.
• Small number of variables used in access control decisions: susceptible to security breaches caused by improper configuration.
But ...
Consequently, packet filter firewalls are well suited to high-speed environments where logging and user authentication against network resources are not important.
Packet Filter Rulesets
Actions:
• Accept
• Deny
• Discard
By default:
• Any type of access from the inside to the outside is allowed.
• No access originating from the outside to the inside is allowed, except for SMTP and HTTP.
• The SMTP and HTTP servers are positioned "behind" the firewall.
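As an added example (not part of the original slides), the following Python implements a first-match packet filter with the three actions and the default policy above, including the interface-based matching from the packet filter slide. The addresses, interface names and server hosts are hypothetical. Deny answers the sender with a rejection, Discard drops silently; the rule that admits replies to inside clients is the "open all high-numbered ports" hole that the stateful inspection slide refers to.

```python
# Added example (not from the slides): a first-match packet filter with the
# Accept / Deny / Discard actions and the default policy described above.
# All addresses, interface names and server hosts are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union

ACCEPT, DENY, DISCARD = "accept", "deny", "discard"   # deny answers the sender, discard is silent

@dataclass(frozen=True)
class Packet:
    in_if: str                   # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False            # TCP ACK flag set (i.e. not the first SYN of a connection)

PortSpec = Union[str, int, Tuple[int, int]]

@dataclass(frozen=True)
class Rule:
    action: str
    in_if: str = "*"
    src: str = "*"               # "*" or a CIDR / host address
    dst: str = "*"
    proto: str = "*"
    dport: PortSpec = "*"        # "*", one port, or an inclusive (low, high) range
    ack: Optional[bool] = None   # None = don't care
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            self.in_if in ("*", p.in_if)
            and self.proto in ("*", p.proto)
            and _in_net(p.src, self.src)
            and _in_net(p.dst, self.dst)
            and _port_ok(p.dport, self.dport)
            and (self.ack is None or self.ack == p.ack)
        )

def _in_net(addr: str, spec: str) -> bool:
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)

def _port_ok(port: Optional[int], spec: PortSpec) -> bool:
    if spec == "*":
        return True
    if port is None:
        return False
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec

INSIDE = "192.0.2.0/24"                    # hypothetical internal network (TEST-NET-1)
MAIL, WEB = "192.0.2.25", "192.0.2.80"     # hypothetical SMTP and HTTP servers behind the firewall

RULESET = [
    Rule(ACCEPT, in_if="inside", src=INSIDE, comment="inside -> outside: anything"),
    Rule(ACCEPT, in_if="outside", dst=MAIL, proto="tcp", dport=25, comment="SMTP to the mail server"),
    Rule(ACCEPT, in_if="outside", dst=WEB, proto="tcp", dport=80, comment="HTTP to the web server"),
    # A stateless filter cannot remember which connections inside clients opened,
    # so their replies can only be admitted by opening every high port to ACK
    # segments. This is exactly the hole stateful inspection closes.
    Rule(ACCEPT, in_if="outside", dst=INSIDE, proto="tcp", dport=(1024, 65535), ack=True,
         comment="replies to inside clients"),
    Rule(DENY, in_if="outside", dst=INSIDE, proto="tcp", ack=False,
         comment="new inbound TCP: reject so the sender sees a RST"),
    Rule(DISCARD, comment="default: drop everything else silently"),
]

def filter_packet(p: Packet, rules=RULESET) -> Tuple[str, str]:
    """Return (action, comment) of the first rule that matches; rule order is significant."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    raise ValueError("ruleset must end with a catch-all rule")
```

Note that an outside host can send any segment with the ACK bit set to any high port inside and the fourth rule will admit it, which is the classic ACK-scan and the reason the next slide's stateful inspection exists.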
Stateful Inspection Firewalls
• More secure: tracks each client's ports individually rather than opening all high-numbered ports for external access.
• Useful or applicable only within TCP/IP network infrastructures.
• Represents a superset of packet filter firewall functionality.
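The following is an added example (not from the slides) of what "tracks client ports individually" means in code: a minimal TCP connection tracker that admits an inbound segment only when it belongs to the exact 4-tuple an inside client opened, and forgets connections on reset or after an idle timeout. The inside prefix, addresses and timeout are hypothetical.

```python
# Added example (not from the slides): a minimal stateful TCP tracker. Replies
# are admitted only for the exact 4-tuple an inside client opened, instead of
# holding every high-numbered port open. Addresses and timeouts are hypothetical.
from typing import Dict, Set, Tuple

IDLE_TIMEOUT = 300.0   # seconds a tracked connection may stay idle (hypothetical value)
ConnKey = Tuple[str, int, str, int]   # (client, client port, server, server port)

class StatefulFirewall:
    def __init__(self, inside_prefix: str = "192.0.2."):   # hypothetical inside network
        self.inside_prefix = inside_prefix
        self.table: Dict[ConnKey, dict] = {}

    def _inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.table.items() if now - e["last"] > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]

    def handle(self, src: str, sport: int, dst: str, dport: int, flags: Set[str], now: float) -> str:
        """Decide 'accept' or 'drop' for one TCP segment seen at time `now`."""
        self._expire(now)
        outbound = self._inside(src)
        key: ConnKey = (src, sport, dst, dport) if outbound else (dst, dport, src, sport)

        if outbound and flags == {"SYN"}:
            # An inside client opens a connection: remember exactly this 4-tuple.
            self.table[key] = {"state": "SYN_SENT", "last": now}
            return "accept"
        entry = self.table.get(key)
        if entry is None:
            # Nobody inside asked for this: drop it, even if it targets a high port
            # that a stateless filter would have had to leave open.
            return "drop"
        if "RST" in flags:
            del self.table[key]              # abortive close (or refused SYN): forget it
            return "accept"
        if not outbound and entry["state"] == "SYN_SENT":
            if flags != {"SYN", "ACK"}:
                return "drop"                # only the handshake reply is expected now
            entry["state"] = "ESTABLISHED"
        elif "SYN" in flags and "ACK" not in flags:
            return "drop"                    # a fresh SYN on a tracked tuple is not a reply
        entry["last"] = now
        return "accept"

    def connections(self) -> Dict[ConnKey, str]:
        return {k: e["state"] for k, e in self.table.items()}
```

A production tracker also checks that sequence and acknowledgement numbers fall inside the peer's advertised window, so that a spoofed RST or data segment with the right 4-tuple but wrong sequence number is still dropped.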
Application-Proxy Gateway Firewalls
Combine lower-layer access control with upper-layer (Layer 7, the Application Layer) functionality. For example: a Web proxy.
In addition to the ruleset, they can include authentication of each individual network user:
• User ID and password authentication,
• Hardware or software token authentication,
• Source address authentication, and
• Biometric authentication.
Dedicated Proxy Servers
Are useful for web and email content scanning:
• Java applet or application filtering,
• ActiveX control filtering,
• JavaScript filtering,
• Blocking specific Multipurpose Internet Mail Extensions (MIME) types, for example application/msword for Microsoft Word documents,
• Virus scanning and removal,
• Macro virus scanning, filtering, and removal,
• Application-specific commands, for example blocking the HTTP DELETE method, and
• User-specific controls, including blocking certain content types for certain users.
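As an added example (not from the slides), here are the request and response checks a dedicated HTTP proxy could apply for three of the controls above: blocking the DELETE method, blocking the application/msword MIME type, and blocking additional content types for particular users. The user names, hosts and the per-user policy are hypothetical; the script stripper is a deliberately crude illustration of JavaScript filtering, not a safe HTML sanitizer.

```python
# Added example (not from the slides): checks a dedicated HTTP proxy could apply
# to requests and responses. The user names, hosts and the per-user policy are
# hypothetical; the blocked method and MIME type come from the list above.
import re
from typing import Dict, Tuple

BLOCKED_METHODS = {"DELETE"}
BLOCKED_MIME = {"application/msword"}
USER_MIME_BLOCKS = {                                  # hypothetical per-user policy
    "guest": {"application/java-archive", "application/x-msdownload"},
}
SCRIPT_RE = re.compile(r"(?is)<script\b[^>]*>.*?</script\s*>")

def parse_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split the head of an HTTP message into (start line, {lower-case name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break                                     # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def mime_matches(content_type: str, pattern: str) -> bool:
    """'image/*' matches 'image/png; charset=...'; parameters and case are ignored."""
    ctype = content_type.split(";", 1)[0].strip().lower()
    main, _, sub = pattern.lower().partition("/")
    cmain, _, csub = ctype.partition("/")
    return main == cmain and sub in ("*", csub)

def check_request(user: str, raw: str) -> Tuple[bool, str]:
    start, _ = parse_head(raw)
    method = start.split(" ", 1)[0].upper()
    if method in BLOCKED_METHODS:
        return False, f"method {method} is blocked"
    return True, "ok"

def check_response(user: str, raw: str) -> Tuple[bool, str]:
    _, headers = parse_head(raw)
    # A missing Content-Type is treated as opaque binary, never as "harmless".
    ctype = headers.get("content-type", "application/octet-stream")
    for pattern in BLOCKED_MIME:
        if mime_matches(ctype, pattern):
            return False, f"{pattern} is blocked for all users"
    for pattern in USER_MIME_BLOCKS.get(user, ()):
        if mime_matches(ctype, pattern):
            return False, f"{pattern} is blocked for user {user}"
    return True, "ok"

def strip_scripts(html: str) -> str:
    """Crude JavaScript filter: removes <script> elements (inline handlers are not covered)."""
    return SCRIPT_RE.sub("", html)
```

The Content-Type header is whatever the origin server chose to send, so a proxy that enforces MIME policy should also sniff the body (a Word document starts with a recognisable signature) rather than trust the label alone.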
Dedicated Proxy Server Deployments
Figure: dedicated proxy server deployments
Network Address Translation
Developed in response to two major issues:
• Hiding the network addressing scheme present behind a firewall environment.
• The depletion of the IP address space, which has led organizations to use NAT to map the non-routable private addresses of RFC 1918 to a smaller set of legal (public) addresses:
  10.0.0.0 to 10.255.255.255 (10.0.0.0/8, one Class A block)
  172.16.0.0 to 172.31.255.255 (172.16.0.0/12, sixteen Class B blocks)
  192.168.0.0 to 192.168.255.255 (192.168.0.0/16, 256 Class C blocks)
Accomplished in several fashions, including:
• Static Network Address Translation
• Port Address Translation (PAT)
IANA-allocated, non-Internet-routable IP addresses
Public IP addresses are assigned through registries such as the American Registry for Internet Numbers (ARIN); the private ranges below are reserved by RFC 1918 and are the recommended choice for home networks.
Address Class | Network Address Range
A             | 10.0.0.0 ~ 10.255.255.255
B             | 172.16.0.0 ~ 172.31.255.255
C             | 192.168.0.0 ~ 192.168.255.255
Static Network Address Translation
Each internal system on the private network has a
corresponding external, routable IP address associated with it.
Port Address Translation (PAT)
Figure: PAT
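As an added example (not from the slides) covering both the static NAT slide and PAT, the following Python keeps the two translation tables side by side: static NAT maps one private address to one routable address in both directions, while PAT lets many inside hosts share one routable address by rewriting the source port and keeping a reverse table for the replies. All addresses are hypothetical; 192.168.1.0/24 is an RFC 1918 range and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public space.

```python
# Added example (not from the slides): static NAT beside PAT. Addresses are
# hypothetical; 192.168.1.0/24 is an RFC 1918 range and 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public space.
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Flow = Tuple[str, int, str, int]   # (source, source port, destination, destination port)

def is_private(addr: str) -> bool:
    return any(ip_address(addr) in net for net in RFC1918)

class StaticNAT:
    """One inside address permanently maps to one routable outside address."""
    def __init__(self, mapping: Dict[str, str]):
        if len(set(mapping.values())) != len(mapping):
            raise ValueError("static NAT needs a distinct outside address per inside host")
        for inside, outside in mapping.items():
            if not is_private(inside) or is_private(outside):
                raise ValueError(f"expected private -> public, got {inside} -> {outside}")
        self.out = dict(mapping)
        self.back = {v: k for k, v in mapping.items()}

    def outbound(self, f: Flow) -> Flow:
        src, sport, dst, dport = f
        return self.out[src], sport, dst, dport

    def inbound(self, f: Flow) -> Optional[Flow]:
        src, sport, dst, dport = f
        inside = self.back.get(dst)
        return None if inside is None else (src, sport, inside, dport)

class PAT:
    """Many inside hosts share one outside address; the outside port tells them apart."""
    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public = public_ip
        self.next_port, self.last_port = port_range
        self.table: Dict[Flow, int] = {}                               # inside flow -> public port
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}   # (public port, peer, peer port) -> inside

    def outbound(self, f: Flow) -> Flow:
        src, sport, dst, dport = f
        if f not in self.table:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.table[f] = self.next_port
            self.back[(self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return self.public, self.table[f], dst, dport

    def inbound(self, f: Flow) -> Optional[Flow]:
        src, sport, dst, dport = f
        if dst != self.public:
            return None
        inside = self.back.get((dport, src, sport))
        # No mapping means no inside host opened this flow: the packet is dropped.
        return None if inside is None else (src, sport, inside[0], inside[1])
```

The reverse table is why PAT, unlike static NAT, implicitly refuses unsolicited inbound connections: there is nothing to translate them to. It is also why the PAT device is a stateful box that needs its own timeouts and port-pool limits, which is what an attacker exhausts in a state-table flood.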
Personal Firewalls / Personal Firewall Appliances
Personal Firewall:
• Installed on the system it is meant to protect;
• Usually does not offer protection to other systems or resources.
Personal Firewall Appliance:
• Usually runs on specialized hardware and integrates other network infrastructure components:
  Cable modem WAN routing,
  LAN routing (dynamic routing support),
  Network hub,
  Network switch,
  DHCP (Dynamic Host Configuration Protocol) server,
  Network management (SNMP) agent, and
  Application-proxy agents.
DMZ (DeMilitarized Zone)
A DMZ is your front line when protecting valuables from direct exposure to an untrusted environment.
"A network added between a protected network and an external network in order to provide an additional layer of security."
A DMZ is sometimes called a "perimeter network" or a "three-homed perimeter network."
A DMZ is a glowing example of the Defense-in-Depth principle.
Defense-in-Depth
The Defense-in-Depth principle states that no one thing, and no two things, will ever provide total security.
It states that the only way for a system to be reasonably secured is to consider every aspect of the system's existence and secure them all.
A DMZ is a step towards defense in depth because it adds an extra layer of security beyond that of a single perimeter.
Designing a DMZ
Start by asking yourself:
• What do I want to protect? Or: what is most valuable to me?
• What is the entrance point into this system? Or: what is my front door?
If there is more than one entrance to your system, such as an Internet connection and dial-up connections, have two different DMZs, with a different configuration for each access type.
DMZ Networks
Figure: A DMZ Firewall Environment
Figure: Service Leg DMZ Configuration
Domain Name Service (DNS)
Figure: Split DNS example
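The split DNS figure is not reproduced here, so the following added example (not from the slides) shows the idea in code: a split-horizon resolver that answers from an internal view for clients on internal networks and from a sparser external view for everyone else, plus the sanity check a practitioner runs on the external zone. The names, addresses and internal networks are hypothetical.

```python
# Added example (not from the slides): a split-horizon resolver that answers
# from an internal or external view depending on the client's source address.
# Names, addresses and the internal networks are hypothetical.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# External view: only what the Internet needs, pointing at the public side of the DMZ.
EXTERNAL_VIEW: Dict[str, str] = {
    "www.example.com.": "203.0.113.80",
    "mail.example.com.": "203.0.113.25",
}
# Internal view: the same names on their DMZ-side addresses, plus internal-only hosts.
INTERNAL_VIEW: Dict[str, str] = {
    "www.example.com.": "10.1.1.80",
    "mail.example.com.": "10.1.1.25",
    "intranet.example.com.": "10.2.0.5",
    "db1.example.com.": "10.2.0.50",
}

def canonical(name: str) -> str:
    """Lower-case, fully qualified form used as the lookup key."""
    return name.strip().lower().rstrip(".") + "."

def is_internal_client(client_ip: str) -> bool:
    return any(ip_address(client_ip) in net for net in INTERNAL_NETS)

def resolve(name: str, client_ip: str) -> Optional[str]:
    """Return the A record for `name` in the view the client may see, or None (NXDOMAIN)."""
    view = INTERNAL_VIEW if is_internal_client(client_ip) else EXTERNAL_VIEW
    return view.get(canonical(name))

def private_leaks(view: Dict[str, str]) -> List[str]:
    """Names in a view that resolve to RFC 1918 space; for the external view this must be empty."""
    return sorted(n for n, a in view.items() if any(ip_address(a) in net for net in RFC1918))
```

View selection by source address is only as strong as the anti-spoofing rules at the firewall (a query from an RFC 1918 source arriving on the outside interface must be dropped there), and the server that faces the Internet should hold only the external zone data rather than a full zone with answers filtered at query time.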
Placement of Servers in Firewall Environments
Figure: Summary Example Firewall Environment
Firewall Ruleset: Blocking Traffic
• Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
• Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.
• Inbound traffic containing ICMP (Internet Control Message Protocol) traffic.
• Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as reserved for private networks.
• Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.
• Inbound traffic containing IP source routing information.
• Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
• Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.
• Inbound or outbound traffic containing directed broadcast addresses.
Figure: inbound and outbound traffic through the firewall (FW).
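As an added example (not from the slides), the list above expressed as one check function that returns the reason a packet is blocked. The inside block, the firewall's own addresses and the management network are hypothetical; "non-authenticated source" is interpreted here as "not on that management network", and the localhost rule is widened from 127.0.0.1 to the whole 127.0.0.0/8 loopback range, which is what a practitioner would actually filter.

```python
# Added example (not from the slides): the address sanity checks from the list
# above, applied per packet and direction. The inside block, the firewall's own
# addresses and the "authenticated" management network are hypothetical, and
# "authenticated source" is interpreted here as "comes from that management network".
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

INSIDE_NETS = [ip_network("203.0.113.0/24")]       # hypothetical: our own (public) inside block
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL_ADDRS = {ip_address("203.0.113.1"), ip_address("198.51.100.1")}   # hypothetical firewall interfaces
MGMT_NET = ip_network("198.51.100.0/28")           # hypothetical authenticated management stations
UNSPECIFIED = ip_address("0.0.0.0")

def _in(addr: IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)

def _directed_broadcast(addr: IPv4Address) -> bool:
    # Directed broadcast = the broadcast address of a subnet we know about. The
    # limited broadcast 255.255.255.255 never crosses a router and is not the target here.
    return any(addr == net.broadcast_address for net in INSIDE_NETS)

def block_reason(pkt: dict, direction: str) -> Optional[str]:
    """Return why the packet must be blocked, or None if these checks pass.
    pkt: {"src", "dst", "proto", optional "dport", optional "source_route"};
    direction: "in" (arrived on the outside interface) or "out"."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    # Checks applied in both directions
    if src.is_loopback or dst.is_loopback:
        return "loopback address"
    if src == UNSPECIFIED or dst == UNSPECIFIED:
        return "address 0.0.0.0"
    if _in(src, RFC1918):
        return "RFC 1918 source address"
    if _directed_broadcast(src) or _directed_broadcast(dst):
        return "directed broadcast address"
    if direction == "in":
        if _in(src, INSIDE_NETS):
            return "spoofed: inside source address arriving from outside"
        if pkt.get("source_route"):
            return "IP source routing option"
        if pkt["proto"] == "icmp":
            return "inbound ICMP"
        if dst in FIREWALL_ADDRS and src not in MGMT_NET:
            return "traffic to the firewall itself from a non-authenticated source"
        if pkt["proto"] == "udp" and pkt.get("dport") in (161, 162) and src not in MGMT_NET:
            return "SNMP from a non-authenticated source"
    return None
```

These checks run before the access-control ruleset, which is why they are cheap to keep unconditional: each one is decided from header fields alone, and the spoofing check in particular is what makes source-address based trust elsewhere (split DNS views, "authenticated" management hosts) meaningful.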
Network Intrusion Detection Systems
Bo Cheng (鄭伯炤)
Email: bcheng@ccu.edu.tw
Tel: 05-272-0411 Ext. 33512

An intrusion is an attempt to:
• compromise the confidentiality, integrity or availability of a system, or
• bypass the security mechanisms of a computer or network.
IDS History
http://www.securityfocus.com/infocus/1514
Types of IDS (by Information Source)
• Network (NID): captures and analyzes all network packets.
• Host (HID): operates on information (e.g., logs or OS system calls) collected from within an individual computer system.
• Network-Node (NNID): monitors packets to/from a specific node.
• Application-Integrated (AIID): uses a module, coupled with the application, to extract the desired information and monitor transactions.
• Application (AID): operates on application transaction logs, e.g., Entercept Web Server Edition.
http://www.networkintrusion.co.uk/ids.htm
Complementary IDS Tools
Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml
• Honey pot: a system/resource designed to be attractive to a potential attacker.
• Padded cell: when the IDS detects attackers, it seamlessly transfers them to a special padded-cell host.
• Vulnerability assessment: determines whether a network or host is vulnerable to known attacks.
• File integrity checkers: create a baseline by applying a message digest (cryptographic hash) to key files, then check the files periodically against it.
IDS Life Cycle
• Testing: accuracy, resource usage, stress
• Vulnerability assessment
• Installation: information collecting, filtering and correlation, traffic analysis
• Tuning
• Configuration: signature updating, writing signatures
Setting up the current generation of IDSs requires a substantial time investment to ensure they'll flag only suspicious traffic and leave everything else alone.
www.nwfusion.com/techinsider/2002/0624security1.html
IDS Market Forecast (I)
Source: IDC, 2001
IDS Market Forecast (II)
Source: IDC, 2001
When Firewall Meets IDS
IDS: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
• Validates the firewall configuration
• Detects attacks that the firewall allows to pass through (such as attacks against web servers)
• Catches insider hacking
Firewall: a gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one said to be "outside" the firewall).
• Access control
• NAT
• Prevents the attacks
NIDS Deployments
Mode:
• Tap
• SPAN (mirror)
• Port clustering
• In-line
Figure: sensor locations (Internet, external firewall, DMZ, network backbones, critical subnets).
Location 1, outside the external firewall:
• See all outside attacks, to help forensic analysis.
Location 2, in the DMZ behind the external firewall:
• Identify DMZ-related attacks
• Spot outside attacks that penetrate the network's perimeter
• Avoid outside attacks on the IDS itself
• Highlight external firewall problems with the policy/performance
• Pinpoint a compromised server via its outgoing traffic
Location 3, on network backbones:
• Increase the possibility of recognizing attacks.
• Detect attacks from insiders or authorized users within the security perimeter.
Location 4, on critical subnets:
• Observe attacks on critical systems and resources
• Provide cost-effective solutions
Detection Engine Analysis
• Protocol anomalies
• Stateful signatures
• Backdoor detection
• Traffic anomalies
• Simple pattern matching
• String matching weaknesses
The Detection Results
• False positive: an alert on benign activity. Consequences: annoys the operators, "crying wolf", and demands tuning.
• False negative: an attack that is missed. Causes: lack of wire-speed performance (the sensor drops packets), mis-configuration, a poor detection engine, IDS evasion.
• True positive: an attack correctly detected. The open question: prevention?
• True negative: benign activity correctly ignored.
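As an added example (not from the slides) tying the "simple pattern matching" and "string matching weaknesses" items to the four outcomes above, the following Python runs a naive substring signature engine and a normalising one over a small constructed set of labelled HTTP request targets and fills the confusion matrix for each. Signatures, samples and labels are constructed for the example and are not a real ruleset.

```python
# Added example (not from the slides): a naive string-matching signature engine
# beside one that normalises the request target first, scored on a small
# constructed set of labelled HTTP request targets. Signatures, samples and
# labels are constructed for the example.
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import unquote

SIGNATURES = {"traversal": "../", "shell": "/bin/sh", "phf": "/cgi-bin/phf"}

def naive_match(target: str) -> Set[str]:
    """Plain substring search over the raw request target."""
    return {name for name, pat in SIGNATURES.items() if pat in target}

def normalize(target: str) -> str:
    """Undo the common evasions before matching: drop the query string, decode
    percent-encoding twice (double encoding), treat backslash as a separator,
    collapse '//' and '/./', and fold case. '..' is deliberately left alone
    because it is what the traversal signature looks for."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    while "//" in path or "/./" in path:
        path = path.replace("//", "/").replace("/./", "/")
    return path.lower()

def normalized_match(target: str) -> Set[str]:
    return naive_match(normalize(target))

SAMPLES: List[Tuple[str, bool]] = [            # (request target, is an attack); constructed
    ("/index.html", False),
    ("/images/logo.png", False),
    ("/search?q=../recipes", False),           # '../' only in the query string
    ("/../../etc/passwd", True),
    ("/%2e%2e/%2e%2e/etc/passwd", True),       # percent-encoded dots
    ("/..%252f..%252fetc/passwd", True),       # double-encoded slashes
    ("/cgi-bin/./phf?Qalias=x", True),         # self-referencing segment
    ("/CGI-BIN/PHF", True),                    # case variation
    ("/docs/shell/bin/sh-manual.html", False), # benign page that contains '/bin/sh'
    ("/cgi-bin/..%5c..%5cbin/sh", True),       # backslash separators
]

def confusion(matcher: Callable[[str], Set[str]], samples=SAMPLES) -> Dict[str, int]:
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for target, attack in samples:
        alert = bool(matcher(target))
        counts["TP" if attack and alert else "FN" if attack else "FP" if alert else "TN"] += 1
    return counts

def rates(c: Dict[str, int]) -> Dict[str, float]:
    return {
        "detection_rate": c["TP"] / (c["TP"] + c["FN"]),
        "false_alarm_rate": c["FP"] / (c["FP"] + c["TN"]),
        "precision": c["TP"] / (c["TP"] + c["FP"]) if c["TP"] + c["FP"] else 0.0,
    }
```

On these samples the naive engine misses five of six attacks and raises two false alarms, while normalising first catches every attack and leaves one false alarm (the benign manual page), which is the residual that tuning has to deal with. Normalisation is only half of it: an attacker can also split the signature across IP fragments or TCP segments, so the sensor must reassemble before matching, and every such step costs the wire-speed performance the previous bullet names as a cause of false negatives.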
IDS Responses After Detection (Source: NIST)
Active responses:
• Change the environment: reconfigure routers/firewalls (e.g., via FW-1 OPSEC) to block packets based on IP address, network ports, protocols, or services; inject TCP reset packets.
• Take action against the intruder: retaliation (information warfare).
• Collect additional information.
Passive responses:
• Alarms/notifications.
• SNMP integration: support an SNMP manager (e.g., HP OpenView) and MIB (e.g., the iss.mib trap); generate SNMP traps.
Intrusion Detection Working Group:
• IDMEF (Intrusion Detection Message Exchange Format): XML-based alert format among IDS components.
• IDXP (Intrusion Detection Exchange Protocol): communication protocol for exchanging IDMEF messages.
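As an added example (not from the slides) of the "inject TCP reset packets" response, the following Python builds the two RST segments an IDS would send to tear down a connection it has observed. To be accepted, each RST must appear to come from the other endpoint and carry the sequence number that endpoint expects next, which the IDS takes from the segment it just saw. Addresses are hypothetical and nothing is transmitted; the functions only construct and verify the bytes.

```python
# Added example (not from the slides): how the "inject TCP reset packets"
# response is built. An IDS that saw a segment of a live connection can tear
# it down by sending each endpoint a RST that (a) comes from the other
# endpoint's address and port and (b) carries the sequence number that endpoint
# expects next. Addresses are hypothetical and nothing is transmitted.
import struct
from typing import Dict

TCP_RST, TCP_ACK = 0x04, 0x10

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def inet(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def tcp_segment(src: str, sport: int, dst: str, dport: int, seq: int,
                flags: int, ack: int = 0) -> bytes:
    """Build a 20-byte TCP header (no options, no payload) with a valid checksum."""
    offset_flags = (5 << 12) | flags                 # data offset 5 words, then the flag bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", inet(src), inet(dst), 0, 6, len(hdr))
    csum = checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def parse_tcp(segment: bytes) -> Dict[str, int]:
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": offset_flags & 0x1FF}

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    pseudo = struct.pack("!4s4sBBH", inet(src), inet(dst), 0, 6, len(segment))
    return checksum(pseudo + segment) == 0

def resets_for(observed: Dict) -> Dict[str, bytes]:
    """Craft the two RSTs for an observed segment
    {"src", "sport", "dst", "dport", "seq", "ack", "len"}.
    The sender of the observed segment expects the peer's next seq to be the ACK
    it sent; the receiver expects the sender's next seq to be seq + payload length."""
    to_sender = tcp_segment(observed["dst"], observed["dport"], observed["src"], observed["sport"],
                            seq=observed["ack"], flags=TCP_RST)
    to_receiver = tcp_segment(observed["src"], observed["sport"], observed["dst"], observed["dport"],
                              seq=observed["seq"] + observed["len"], flags=TCP_RST | TCP_ACK,
                              ack=observed["ack"])
    return {"to_sender": to_sender, "to_receiver": to_receiver}
```

Sending these requires a raw socket and an IP header in front of each segment (not shown). The response is a race: the RST is only honoured if it lands inside the receiver's window, the connection may have advanced by the time it arrives, and stacks that implement RFC 5961 answer an off-window RST with a challenge ACK instead of closing, so a reset-based response can fail silently against a fast attacker.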
Check Point - Open Platform for Secure Enterprise Connectivity (OPSEC)
TCP/UDP Port | Name        | Short description
18181/tcp    | FW1_cvp     | Check Point OPSEC Content Vectoring Protocol - used for communication between FWM and an anti-virus server
18182/tcp    | FW1_ufp     | Check Point OPSEC URL Filtering Protocol - used for communication between FWM and a server for content control (e.g., web content)
18183/tcp    | FW1_sam     | Check Point OPSEC Suspicious Activity Monitor API - e.g., for Block Intruder between MM and FWM
18184/tcp    | FW1_lea     | Check Point OPSEC Log Export API - for exporting logs from MM
18185/tcp    | FW1_omi     | Check Point OPSEC Objects Management Interface - used by applications having access to the ruleset saved at MM
18187/tcp    | FW1_ela     | Check Point Event Logging API - used by applications delivering logs to MM
18207/tcp    | FW1_pslogon | Check Point Policy Server Logon protocol - used for download of Desktop Security from PS to SC
(FWM = FireWall Module, MM = Management Module, PS = Policy Server, SC = SecureClient)
NFR and RealSecure support FW1_sam and FW1_ela.
Gateway IDS (GIDS) and Host Intrusion Prevention (HIP)
Host Intrusion Prevention vendors:
Company                            | Website
Entercept Security Technologies    | www.entercept.com
Harris STAT Neutralizer            | www.statonline.com
Okena StormWatch and StormFront    | www.okena.com
Sana Security                      | www.sanasecurity.com
Linux IDS                          | www.lids.org
Gateway IDS vendors:
Company                            | Website
Captus Networks                    | www.captusnetworks.com
Cisco Systems IDS                  | www.cisco.com
ForeScout ActiveScout              | www.forescout.com
RealSecure Network Protection      | www.iss.net
Intruvert Networks                 | www.intruvert.com
NetScreen Technologies IDP         | www.netscreen.com
Snort Hogwash                      | http://hogwash.sourceforge.net
TippingPoint Technologies UnityOne | www.tippingpoint.com
Acquisitions: OneSecure by Netscreen; Okena by Cisco; Entercept and Intruvert by Network Associates.
Drawbacks:
• May inadvertently block legitimate traffic
• Ineffective against denial-of-service attacks
http://www.cio.com/archive/061503/et_article.html
NIDS Market Predictions: Head to Head
• "IDS is dead, long live IPS."
• The intrusion detection market jumped 29.2 per cent year on year (the firewall/virtual private network security appliance market increased 7.5 per cent).
• In contrast to statements that intrusion detection software is dead, the growth in intrusion detection appliances shows that many organizations still see the value in monitoring their networks.
• Could reach $2 billion in 2005, up from $486 million in 2000.
• The IDS market will grow 43 per cent to $149m by 2004.
• IDS revenue will hit $1.1bn by 2006.
http://www.vnunet.com/News/1143747
http://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf
• By the end of 2003, 90% of IDS deployments will fail when false positives are not reduced by 50%.
• By year-end 2004, advances in non-signature-based intrusion detection technology will enable network-based intrusion prevention to replace 50% of established IDS deployments and capture 75% of new deployments.
IDS Balancer
Figure: Internet, Gigabit SX fiber tap, IDS balancer, network.
Products:
• TopLayer's IDS Balancer
• Radware FireProof
Benefits:
• Availability
• Scalability
• ROI
• Cost-effective (reduces the number of sensors while increasing intrusion coverage)