
Internet Security: Building a Fortress around your Data


Presentation Transcript


  1. Internet Security: Building a Fortress around your Data
  Kevin Bolding, Electrical Engineering, Seattle Pacific University

  2. Security is a Multi-Faceted Problem
  • Keeping the bad guys out of your home: Network Security
  • Stopping guests from trashing your place: 1. Don’t be stupid 2. Anti-Virus
  • Safety when travelling: Encryption

  3. Keeping the Bad Guys out
  • Who is inside?
    • People
    • Computers
    • Other networked resources
  • Who needs to be kept out?
    • People
    • Wanderers
    • Hackers
    • Probe programs

  4. A Firewall/Gateway
  [Diagram: Internet, Gateway, Firewall]
  • A Gateway is the point where data can be transferred between the LAN and the outside world
  • Our Trusted LAN users would like a connection to the Internet...
  • The Firewall is the area where no connections are allowed to be made to the outside world

  5. Security in the whole Internet
  [Diagram: Internet, Gateway, Firewall]
  • Any data transfer across the firewall outside of the gateway violates its integrity
    • Other Internet connections
    • Flash Drives
    • Laptops
    • Smartphones
  • Your security policy must address all of these issues first

  6. Gateway Security (Firewalls)
  • Firewall components have three basic elements
    • Packet filtering
      • Drops incoming packets from non-authorized hosts
    • Circuit-level gateway
      • Matches incoming packets to internally-generated requests
    • Proxy servers (application gateway)
      • Analyzes incoming messages for content
  • Firewall implementations may use any combination of the three main elements

  7. Packet Filtering
  [Diagram: Internet, Packet Filtering Router (Reject from… / Accept from…), Firewall]
  • Router bridges the firewall
  • Checks all packets crossing it
  • Works at the network level with IP, so can scan:
    • IP source/destination addresses
    • Protocol (TCP, UDP, etc.)
    • Source/destination ports
      • Telnet: port 23, Http: port 80, etc.
  • Can filter on any of the above properties
    • Ex: Disallow all incoming telnet connections to all hosts except 128.95.1.4
    • Ex: Disallow all incoming packets from host 24.1.2.3
    • Ex: Disallow all incoming packets except on port 80 (Http)
  • Normally the first rule in a packet filter is always Deny All
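The three filtering examples on this slide, combined into one first-match rule list with the "Deny All" baseline as the fall-through result. This is an added illustration, not code from the slides; the 128.95.1.4 and 24.1.2.3 addresses are the slide's own, every other address is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "deny"
    src_ip: Optional[str] = None     # None means "any value matches"
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # A rule matches when every field it constrains equals the packet's field.
        wanted = ((self.src_ip, p.src_ip), (self.dst_ip, p.dst_ip),
                  (self.proto, p.proto), (self.dst_port, p.dst_port))
        return all(want is None or want == have for want, have in wanted)


# Evaluated top to bottom; the first matching rule decides the packet's fate.
RULES = [
    Rule("deny", src_ip="24.1.2.3"),                                  # drop one hostile host outright
    Rule("accept", dst_ip="128.95.1.4", proto="tcp", dst_port=23),    # telnet only to this host
    Rule("deny", proto="tcp", dst_port=23),                           # no other incoming telnet
    Rule("accept", proto="tcp", dst_port=80),                         # HTTP to anyone
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return 'accept' or 'deny' for an incoming packet."""
    for r in rules:
        if r.matches(p):
            return r.action
    # The slide's "Deny All" baseline: anything no rule explicitly admits is dropped.
    return "deny"
```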

  8. Pros/Cons of Packet Filtering
  • Pros:
    • You need a router anyway
    • Most routers support packet filtering
    • Provides good security when set up properly
  • Cons:
    • The IP header is the only basis for filtering
    • Often filters too much
    • Have to trade security for convenience
    • Very difficult to set up the right filters
    • Need to change filtering as network needs change

  9. Circuit Level Firewalls - TCP
  • Packet filtering is often too rigid
    • Allows or denies access for broad classes for all time
  • Circuit Level Filtering
    • Takes advantage of TCP connections
    • Insider (trusted) sets up TCP connection with outside host
    • Filter allows incoming packets from that outside host as long as they belong to the original TCP connection
  • Circuit Level Filtering works at the Transport Layer, while Packet Filtering works at the Network Layer

  10. Circuit Level Firewalls - UDP
  • Dynamic Packet Filtering
    • Packet filtering that relies on TCP port numbers won’t work with UDP packets.
    • Either allow all UDP accesses or disable all of them
    • Dynamic Packet Filtering keeps track of “connections” for UDP packets
    • Matches requests from inside with outside responses
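The circuit-level behaviour of slides 9 and 10 as an added example (not the lecture's code): a connection table is filled only by packets leaving the trusted side, TCP entries only by a connection-opening SYN, and an inbound packet is admitted only if it matches an entry. The 10.0.0.x inside range and the outside addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                 # "tcp" or "udp"
    opens_conn: bool = False   # TCP SYN without ACK, i.e. the packet that opens a connection


class CircuitFilter:
    """Admits inbound packets only when they belong to a TCP connection or a UDP
    exchange that an inside host started; everything else is denied."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix   # constructed, e.g. "10.0.0."
        # Tracked connections, always keyed from the inside host's point of view:
        # (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.table = set()

    def process(self, p: Packet) -> str:
        if p.src_ip.startswith(self.inside_prefix):
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
            if p.proto == "tcp" and p.opens_conn:
                self.table.add(key)      # insider sets up a TCP connection (slide 9)
            elif p.proto == "udp":
                self.table.add(key)      # dynamic filtering remembers the UDP "connection" (slide 10)
            elif key not in self.table:
                return "deny"            # TCP data for a connection we never saw opened
            return "accept"
        # Inbound: outsiders may never open a connection themselves.
        if p.proto == "tcp" and p.opens_conn:
            return "deny"
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        return "accept" if key in self.table else "deny"
```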

  11. Hidden Networks - Network Address Translation
  • NAT allows you to hide your network from public view
    • Converts internal IP addresses to one or more external IP addresses
    • Public cannot determine information about your internal network
    • Intruders can’t target individual machines because they don’t know they exist
  • NAT enables IP address sharing
    • One external address, many internal devices
    • NAT box must keep track of connections
    • Connections must be initiated by devices inside the firewall
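Address sharing and hiding as described on this slide, written as an added example rather than anything from the lecture: one public address fronts many inside hosts, outbound packets create the mapping, and inbound packets are translated only when such a mapping exists. The addresses are constructed, and keying the mapping on the inside (ip, port) pair alone is a simplification of real NAT, which tracks the full connection tuple.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Many inside hosts share one public address; only inside-initiated traffic passes."""

    def __init__(self, public_ip: str, inside_prefix: str, first_port: int = 40000):
        self.public_ip = public_ip            # constructed external address
        self.inside_prefix = inside_prefix    # constructed private range, e.g. "192.168.1."
        self.next_port = first_port           # next unused public port to hand out
        self.out_map = {}                     # (inside_ip, inside_port) -> public_port
        self.in_map = {}                      # public_port -> (inside_ip, inside_port)

    def translate(self, p: Packet) -> Optional[Packet]:
        """Rewrite an outbound or inbound packet; return None if it must be dropped."""
        if p.src_ip.startswith(self.inside_prefix):
            key = (p.src_ip, p.src_port)
            if key not in self.out_map:           # first packet of a new connection
                port, self.next_port = self.next_port, self.next_port + 1
                self.out_map[key] = port
                self.in_map[port] = key
            # Outsiders only ever see the public address and the allocated port.
            return replace(p, src_ip=self.public_ip, src_port=self.out_map[key])
        if p.dst_ip == self.public_ip and p.dst_port in self.in_map:
            inside_ip, inside_port = self.in_map[p.dst_port]
            return replace(p, dst_ip=inside_ip, dst_port=inside_port)
        # No inside host asked for this: there is nothing to deliver it to.
        return None
```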

  12. One ($40) Box to Rule them All!
  • A Broadband Router Typically Contains
    • A 4-Port Ethernet Switch
    • A Wireless Access Point
    • Packet-Filtering Capabilities
    • NAT for Sharing and Hiding
    • DHCP Server
  • This device will shield your network from almost all non-invited threats
  • Most remaining threats are from Trojan Horse schemes or software bugs

  13. Application Level Firewalls
  • Circuit- and Packet-Level Firewalls deal only with information in the TCP and IP headers
    • What about Content?
  • Application Level Firewalls examine the content of incoming messages
    • Pass on only those that meet strict requirements
  • At the application level, everything is possible...
    • Passwords/Account names are visible
    • Content screening/virus scanning can be done
  • Application level host must be a Bastion Host
    • Hardened version of OS

  14. Application Level - Proxy Servers
  [Diagram: Internet, Proxy Client, Analysis, Proxy Server, Firewall]
  • Force all communication across a gateway through proxies
    • Proxy web servers, email servers, telnet clients, etc.
  • Proxy Client portion of gateway communicates with outsiders
  • Proxy Server portion of gateway communicates with insiders
  • Any communication between client and server must undergo analysis

  15. A Full System Using a DMZ
  [Diagram: Internet, Packet Filtering Router, DMZ with Information Servers and Bastion Host (Proxy), Packet Filtering Router, Firewall]
