Devices
ISQS 6342

Spring 2004

Gurkan Ozfidan

Outline

  • Firewalls, Routers, Switches

  • Wireless/Modems

  • Remote Access Services (RAS)

  • Telecom/Private Branch Exchange (PBX)

  • Virtual Private Networks (VPN)

  • Intrusion Detection Systems (IDS)

  • Mobile Devices

What is a Firewall?

  • A firewall is a barrier that keeps destructive forces away from your property

  • A firewall is any hardware or software device that provides a means of securing a computer or network against unwanted intrusion

Firewall Security

Drafting a security policy:

  • What am I protecting?

  • Who am I protecting it from?

  • Who gets access to which resources?

    Common targets of attack:

  • Web servers, mail servers, FTP services, databases

    Every service you make available is a hole in your firewall:

  • DNS (53), FTP (20-21), ICQ (4000), HTTP (80), Telnet (23)

    What Do Firewalls Protect Against?

  • DoS - the goal is not to steal information but to disable a device

  • Ping of death - an ICMP echo request fragmented so that the reassembled IP packet exceeds the 65535-byte maximum, crashing IP stacks that did not check for it

  • SYN flood - TCP connection requests sent faster than a machine can process them, exhausting its half-open connection table

  • IP spoofing - forging a packet's source address to break into systems or to hide the attacker's identity

How Do Firewalls Work?

  • Network address translation (NAT)

    • Basic firewalls usually use only one technique, NAT

  • Basic packet filtering

    • The most basic security function performed by a firewall

  • Stateful packet inspection (SPI)

    • Extends basic packet filtering with tracking of connection state

  • Access control lists (ACL)

    • Packet filtering is made possible through the use of access control list (ACL).

How Do Firewalls Work?

Network Address Translation:

  • Provides a type of firewall by hiding internal IP addresses from the outside

  • Enables a local-area network to use one set of (private) IP addresses for the internal network

  • A second set of addresses is used for external traffic

  • A NAT box located where the LAN meets the Internet performs all necessary IP address translations

How Do Firewalls Work?

Basic Packet Filtering:

  • Decides whether to forward each TCP/IP packet based on information in its headers

  • Packet filters screen packets based on

    • Protocol type

    • Source and destination IP address

    • TCP/UDP port

    • Source routing information (packets carrying source-route options are normally dropped)

  • Packets that make it through the filters are forwarded to the destination system

How Do Firewalls Work?

Stateful Packet Inspection:

  • Stateful packet filters record session-specific information, such as which ports are in use on the client and on the server

  • Tracks the TCP three-way handshake:

    • The handshake initiates a TCP connection

    • Packets are passed once the connection has been established

    • Once the session has ended, no further packets are allowed

  • Enhances security by knowing on which side of the firewall a connection was initiated, so unsolicited inbound packets can be dropped

  • Essential for blocking IP spoofing attacks

How Do Firewalls Work?

Access Control Lists:

  • Packet filtering is made possible through the use of ACLs

  • An ACL is an ordered list of rules, each allowing or blocking the inbound or outbound packets the firewall encounters; the first matching rule wins

  • Example of allowing access only to HTTP (port 80), in Cisco IOS extended ACL syntax:

    access-list 101 permit tcp any any eq 80

    access-list 101 deny ip any any

    Every IOS ACL ends with an implicit deny; writing it explicitly makes the intent visible and lets the deny be logged.
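The three mechanisms above (filtering on header fields, stateful inspection that remembers which side opened a connection, and an ordered ACL with an implicit deny) combined into one runnable example. This is added code, not from the slides: the packets, the 10.0.0.0/24 inside network and the ACL_101 rule set mirroring the two Cisco lines above are constructed for illustration, and the TCP teardown is simplified to a single FIN or RST from the inside.

```python
"""Added example (not from the slides): a tiny two-interface stateful packet filter."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A", "FA", "R"


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int] = None  # None matches any destination port


def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def acl_decision(rules: List[Rule], pkt: Packet) -> str:
    """Stateless filtering: first matching rule wins; a packet that matches nothing is
    denied, mirroring the implicit 'deny ip any any' at the end of a Cisco ACL."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Two interfaces, 'inside' and 'outside'. Outbound traffic is checked against the
    ACL; inbound traffic is accepted only if it answers a session an inside host opened."""

    def __init__(self, inside_net: str, outbound_acl: List[Rule]):
        self.inside = ip_network(inside_net)
        self.acl = outbound_acl
        self.sessions = set()  # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, iface: str, pkt: Packet) -> str:
        src_inside = ip_address(pkt.src) in self.inside
        if iface == "outside" and src_inside:
            return "drop"   # anti-spoofing: outside packet claiming an inside source address
        if iface == "inside" and not src_inside:
            return "drop"   # inside hosts must not emit packets with a foreign source
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if iface == "inside":
            if acl_decision(self.acl, pkt) != "permit":
                return "drop"
            if pkt.proto == "tcp" and pkt.flags == "S":
                self.sessions.add(key)          # SYN from inside opens a session
            elif "F" in pkt.flags or "R" in pkt.flags:
                self.sessions.discard(key)      # simplified teardown: FIN/RST from inside closes it
            return "forward"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            if "R" in pkt.flags:
                self.sessions.discard(reverse)
            return "forward"
        return "drop"  # unsolicited inbound packet (a SYN flood's SYNs land here)


# Constructed rule set equivalent to the two access-list 101 lines on the slide.
ACL_101 = [
    Rule("permit", "tcp", "any", "any", dport=80),   # access-list 101 permit tcp any any eq 80
    Rule("deny", "ip", "any", "any"),                # access-list 101 deny ip any any
]


def demo() -> List[str]:
    """Runs a constructed exchange through the firewall and returns each verdict."""
    fw = StatefulFirewall("10.0.0.0/24", ACL_101)
    inside, web, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    return [
        fw.filter("inside", Packet("tcp", inside, web, 40001, 80, "S")),          # forward
        fw.filter("outside", Packet("tcp", web, inside, 80, 40001, "SA")),        # forward: reply
        fw.filter("outside", Packet("tcp", attacker, inside, 1234, 40001, "S")),  # drop: unsolicited
        fw.filter("inside", Packet("tcp", inside, web, 40002, 23, "S")),          # drop: ACL denies telnet
        fw.filter("outside", Packet("tcp", inside, inside, 80, 40001, "S")),      # drop: spoofed source
        fw.filter("inside", Packet("tcp", inside, web, 40001, 80, "FA")),         # forward, closes session
        fw.filter("outside", Packet("tcp", web, inside, 80, 40001, "A")),         # drop: session ended
    ]


if __name__ == "__main__":
    print(demo())
```

The session table is what turns the stateless ACL into stateful inspection: the SYN/ACK from the web server is accepted only because the inside host's SYN was recorded first, and the attacker's SYN to the same client port, which a plain "permit established" filter would struggle with, is dropped because no matching session exists.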

Routers

  • Network device that sits between different network segments

  • Allows different networks to communicate with one another and makes the Internet work

  • A message or file is broken up into packets of about 1500 bytes

  • Each packet includes the sender's address and the receiver's address

  • A checksum value lets the receiving computer verify that the packet arrived intact

  • Each packet is sent via the best available route

  • tracert (traceroute) traces the route that a packet takes to another computer
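The per-hop work a router does on an IPv4 header, and the checksum the receiver uses to tell that the header arrived intact, as an added example that is not part of the slides. The addresses, TTL values and packet length are constructed; the checksum is the standard RFC 1071 one's-complement sum over the 20-byte header.

```python
"""Added example (not from the slides): IPv4 header checksum and per-hop forwarding."""
import struct
from ipaddress import ip_address
from typing import Optional


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: sum 16-bit big-endian words, folding carries back into the low 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_header_checksum(header: bytes) -> int:
    """Checksum over a header whose checksum field (bytes 10-11) is zero."""
    return (~ones_complement_sum(header)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int, ttl: int = 64, proto: int = 6) -> bytes:
    """20-byte IPv4 header without options (IHL = 5); proto 6 = TCP. Identification is a constant here."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, total_length, 0x1234, 0, ttl, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_header_checksum(fields)) + fields[12:]


def header_intact(header: bytes) -> bool:
    """Receiver-side check: the sum over the header including its checksum must be 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def ttl_of(header: bytes) -> int:
    return header[8]


def forward_hop(header: bytes) -> Optional[bytes]:
    """What each router does before sending the packet on the best available route:
    verify the checksum, decrement TTL, recompute the checksum. Returns None when the
    packet must be discarded; when that is because TTL expired, a real router replies with
    ICMP 'time exceeded', which is the signal tracert relies on to map each hop."""
    if not header_intact(header):
        return None                      # corrupted in transit: drop
    ttl = header[8] - 1
    if ttl <= 0:
        return None                      # TTL expired: drop, send ICMP time exceeded
    patched = header[:8] + bytes([ttl]) + header[9:10] + b"\x00\x00" + header[12:]
    return patched[:10] + struct.pack("!H", ip_header_checksum(patched)) + patched[12:]


if __name__ == "__main__":
    h = build_ipv4_header("10.0.0.5", "203.0.113.10", 1500, ttl=3)
    while h is not None:
        print(f"ttl={ttl_of(h)} intact={header_intact(h)}")
        h = forward_hop(h)
```

Because the TTL field is covered by the checksum, every hop has to recompute it; a router that changed the TTL without doing so would make the next hop discard the packet as corrupt.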

Switches and Hubs

  • A switch is a device that filters and forwards packets between LAN segments

  • Network switches determine the source and destination of each packet and forward it only to the appropriate port

  • Switches conserve network bandwidth and generally offer better performance than hubs

  • A hub joins multiple computers (or other network devices) together to form a single network segment

  • Switches usually work at Layer 2, using MAC addresses

  • Routers work at Layer 3, using network addresses (IP, IPX or AppleTalk, depending on the protocol)

  • Hubs are simply a junction that joins all the different nodes together, so every node sees every frame

The seven layers of the Open Systems Interconnection (OSI) Reference Model


Wireless - converts digital data into radio signals

Wired Equivalent Privacy (WEP):

  • A security protocol for wireless local area networks (WLANs) defined in the original IEEE 802.11 standard

  • Designed to provide the same level of security as a wired LAN

  • WEP aims to provide security by encrypting data sent over radio waves

  • WLANs do not have the physical boundaries of a wired LAN, so they are more vulnerable to eavesdropping and tampering

  • Caveat: WEP's use of RC4 with short, reused initialization vectors was shown to be breakable by 2001, so it should not be relied on for confidentiality

Wi-Fi Protected Access (WPA):

  • Designed to improve upon the security features of WEP

  • Includes two improvements over WEP:

  • Improved data encryption through the Temporal Key Integrity Protocol (TKIP). TKIP derives a fresh key for every packet from the temporal key and adds a message integrity check, so tampered frames are detected

  • A MAC address is simple to sniff and clone, so it is no basis for access control; the Extensible Authentication Protocol (EAP), used with 802.1X, authenticates users instead, with methods such as EAP-TLS relying on public-key certificates to ensure that only authorized users can join the network

Modems - modulator-demodulator

  • Digital Subscriber Line (DSL) provides a direct connection between the computer or network on the client side and the Internet

  • Cable modems are connected to a shared segment, so anyone else on that segment can potentially threaten your system

  • An early practice with DSL and cable modem users was the issuing of static IP addresses

  • Static addresses provide a fixed target for attackers

  • Providers moved to the Dynamic Host Configuration Protocol (DHCP) to issue dynamic addresses instead

  • A dynamic address only makes the target harder to find; the best solution is to run a firewall regardless

Remote Access Services (RAS)

  • Provides the ability for one computer to dial into another computer via modem

  • Also offers a feature called callback, which only works with fixed phone numbers

  • A RAS server sits behind the perimeter firewall, so a dial-in connection bypasses it entirely

  • Unless gateway or firewall software is running on the server hosting RAS, there is a potential for the network to be compromised through it

Telecom/Private Branch Exchange

  • A traditional PBX is a computer-based telephone switch that may be thought of as a small, in-house telephone company

  • A private telephone network used within an enterprise

  • Users of the PBX share a certain number of outside lines for making telephone calls external to the PBX

  • Failure to secure the PBX can result in toll fraud, theft of information, and denial of service

  • Securing the PBX should be part of a written security policy

Virtual Private Networks

  • A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together

  • Security is provided by implementing Internet Protocol Security (IPsec)

  • IPsec provides strong encryption and per-packet authentication and operates in two modes, transport and tunnel:

    • Transport mode encrypts only the payload of each packet; the original IP header stays in the clear

    • Tunnel mode encrypts the entire original packet, header included, and wraps it in a new IP header

  • IPsec protects against packet sniffing (confidentiality) and identity spoofing (authentication of each packet's origin)

  • The sending and receiving computers hold the keys used to encrypt and decrypt the packets

A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users connecting from out in the field

Intrusion Detection Systems

  • An IDS analyzes data in real time to detect and log misuse or attacks as they occur, and in some deployments to stop them

    Host-based (computer-based) IDS:

    • Used to secure critical network servers or systems holding sensitive information

    • Agents are loaded on each protected computer

    • Analyze disk space, RAM, CPU time, and application activity

    • Collected information is compared to a set of rules to determine whether a security breach has occurred

Intrusion Detection Systems

Network-based IDS:

  • Monitors activity on a specific network segment

  • Usually dedicated platforms with two components:

    • Sensor, which passively analyzes network traffic

    • Management system, which displays alarm information from the sensors and allows security personnel to configure them

      Anomaly-based detection:

  • Involves building statistical profiles of user activity and reacting to any activity that falls outside these profiles

  • Two major problems:

  • Users do not access their computers or the network in static, predictable ways, so legitimate changes in behaviour raise alarms

  • Profiles grow large; there may not be enough memory to hold the entire profile

Intrusion Detection Systems

Signature-based detection:

  • Similar to an antivirus program in its method of detecting potential attacks

  • Vendors produce a list of "signatures" to compare against activity

  • When a match is found, the IDS takes some action (alert, log, or reset the connection)

  • Customers depend on vendors to provide the latest signatures; an attack with no signature yet is not detected

  • Normal network activity can be misclassified as malicious (false positives)

  • A network application that legitimately sends ICMP messages (the protocol that carries error reports), for example, may trigger an ICMP-based signature
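The two detection approaches above side by side, as an added example that is not part of the slides: a signature list matched against packet payloads, and a per-host statistical profile whose threshold flags behaviour outside the norm. The signatures, the baseline (training) traffic and the live traffic are constructed here; the profile metric (distinct destination ports per minute) is one simple choice among many.

```python
"""Added example (not from the slides): a miniature network IDS with signature and anomaly detection."""
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since the start of the capture
    src: str
    dst: str
    proto: str
    dport: int
    payload: str = ""


# Constructed signature database; a vendor ships and updates entries like these, and the
# IDS is only as current as its last update.
SIGNATURES = [
    ("web directory traversal to /etc/passwd", "tcp", 80, re.compile(r"\.\./.*etc/passwd")),
    ("telnet root login attempt", "tcp", 23, re.compile(r"login:\s*root\b")),
]


def signature_matches(ev: Event) -> List[str]:
    """Names of every signature whose protocol, port and pattern match this event."""
    return [name for name, proto, port, pattern in SIGNATURES
            if ev.proto == proto and ev.dport == port and pattern.search(ev.payload)]


def _ports_per_minute(events: List[Event]) -> Dict[Tuple[str, int], set]:
    buckets: Dict[Tuple[str, int], set] = {}
    for ev in events:
        buckets.setdefault((ev.src, ev.ts // 60), set()).add(ev.dport)
    return buckets


def train_profile(baseline: List[Event]) -> Dict[str, Tuple[float, float]]:
    """Per-source profile: mean and standard deviation of distinct destination ports per minute."""
    samples: Dict[str, List[int]] = {}
    for (src, _minute), ports in _ports_per_minute(baseline).items():
        samples.setdefault(src, []).append(len(ports))
    return {src: (statistics.mean(v), statistics.pstdev(v)) for src, v in samples.items()}


def anomaly_alerts(profile: Dict[str, Tuple[float, float]], events: List[Event],
                   k: float = 3.0) -> List[Tuple[str, str, str]]:
    """Alert when a host's distinct-port count in a minute exceeds mean + k * stdev.
    Hosts with no profile are skipped: the profile never covers everything, which is
    one of the weaknesses of the approach."""
    alerts = []
    for (src, minute), ports in sorted(_ports_per_minute(events).items()):
        if src not in profile:
            continue
        mean, stdev = profile[src]
        threshold = mean + k * stdev
        if len(ports) > threshold:
            alerts.append(("anomaly", src,
                           f"{len(ports)} distinct ports in minute {minute} (threshold {threshold:.1f})"))
    return alerts


def run_ids(baseline: List[Event], live: List[Event]) -> List[Tuple[str, str, str]]:
    """Signature alerts first, then anomaly alerts, each as (kind, source, detail)."""
    profile = train_profile(baseline)
    alerts = [("signature", ev.src, name) for ev in live for name in signature_matches(ev)]
    return alerts + anomaly_alerts(profile, live)


# Constructed baseline: one inside host using a few services over five minutes.
BASELINE = [Event(60 * m + i, "10.0.0.5", "203.0.113.10", "tcp", p)
            for m, ports in enumerate([[80, 443], [80, 443, 25], [80, 443], [80, 443, 25], [80]])
            for i, p in enumerate(ports)]

# Constructed live traffic: normal browsing, a 40-port sweep by the same host against a
# neighbour, and one outside request carrying a traversal string.
LIVE = (
    [Event(660, "10.0.0.5", "203.0.113.10", "tcp", 80, "GET /index.html HTTP/1.0")]
    + [Event(600 + p, "10.0.0.5", "10.0.0.9", "tcp", p) for p in range(1, 41)]
    + [Event(700, "198.51.100.7", "10.0.0.9", "tcp", 80, "GET /../../etc/passwd HTTP/1.0")]
)

if __name__ == "__main__":
    for alert in run_ids(BASELINE, LIVE):
        print(alert)
```

Note what each detector misses: the port sweep carries no payload, so no signature fires on it, and the outside host has no profile, so the anomaly detector says nothing about it. Running both is what gives coverage.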

Mobile Devices

  • Personal Digital Assistants (PDAs)

  • Can open security holes in any computer with which these devices communicate

  • A virus or other destructive code may be introduced during a sync operation between the mobile device and the PC

  • Standard antivirus and firewall applications on the PC do not inspect this sync channel, so they cannot protect the PC from it

