Security of Information Systems: Network Defense
Dr. Igor Santos

Contents
• Firewalls
  • Types of firewall
  • Packet filtering vs. application filtering
  • 'Stateless' vs. 'Stateful'
  • Netfilter/IPTables
• IDS
  • NIDS
  • HIDS
• VPN
Firewalls
• A system that filters traffic between two or more networks
• It can be a physical device or software running on an operating system
• A device with two or more network interfaces on which filtering rules are established; with those rules it decides whether a connection can be established or not

Firewalls
• A firewall system contains a set of default rules to:
  • Authorize the connection (allow)
  • Block the connection (deny)
  • Reject the connection request without informing the sender (deny / ignore)
Firewalls
• Types regarding functionality
  • Network layer packet filtering
    • Works at the network layer (layer 3)
    • Often also allows filtering at the transport layer (layer 4) or the data link layer (layer 2)
  • Application layer
    • Works at the application layer (layer 7)
    • Application proxy firewall
    • E.g. HTTP traffic filtered by URL → PROXY

Firewalls (diagram): an application-layer firewall filters on the HTTP URL; a packet-filtering firewall filters on protocol + port, IP address and MAC address
Firewalls
• Software firewalls
  • Software that runs on top of a general-purpose operating system
  • Advantages
    • Highly customizable settings
    • Inexpensive, flexible and ubiquitous hardware
  • Disadvantages
    • Difficult to harden
    • Some require specific hardware

Firewalls
• Hardware firewall
  • Consists of a black box or 'appliance'
  • Advantages
    • Offers more security (depending on the reliability of the manufacturer)
  • Disadvantages
    • More expensive
    • Less flexible / customizable
Firewalls
• Scheme of a typical firewall between the local network and the Internet (diagram)

Firewalls
• Scheme of a firewall between the LAN and the Internet with a DMZ zone for exposed servers (diagram)

Firewalls
• Scheme of a firewall between the LAN and the Internet with a DMZ zone for exposed servers, built with a double (perimeter) firewall (diagram)
Firewalls
• 'Stateless' firewalls
  • Analyze network traffic and filter packets based on source and destination addresses and other static values (network layer, layer 3)
  • Do not process patterns or data streams
  • Use simple rules

Firewalls
• A stateless firewall does not understand the concept of a TCP connection
• It does not take into account the possibility of receiving a packet that claims to be something that was never requested
  • E.g. an ACK from source port 80 to port 22
• Examples of 'stateless' firewall rules:
  • Allow IP packets with source network 10.0.0.0/8
  • Allow UDP packets with destination port 53

Firewalls
• 'Stateful' firewalls
  • Understand the concept of a TCP connection
  • The conditions of the rules can be specified in terms of connections, not only in terms of packets
  • For example:
    • Allow related packets belonging to established connections from the internal network
    • Allow incoming connections to port 80 (HTTP)
Firewalls
• Security policies
  • Deny
    • The default is to deny everything except those communications that are expressly authorized
  • Accept
    • The default is to accept everything and reject only the explicitly forbidden communications
  • Deny is the safest
    • However, it requires a precise and restrictive definition of the permitted communications

Firewalls
• Netfilter/IPTables
  • 'Stateful' packet-filtering firewall
  • Netfilter is the part in the kernel and is responsible for packet filtering
  • iptables is the user-space tool used to manage Netfilter
  • Firewalls created this way are just shell scripts with many calls to the iptables command
Firewalls
• iptables: usage
  • iptables receives a packet, analyzes its headers and sends it to one of its processing chains
  • Once the packet is in a chain, the rules and policies of that chain are checked and, as soon as one is satisfied, the associated action is executed (typically ACCEPT, REJECT or DROP)
  • The order in which the rules are written is very important
  • If the packet does not match the first rule, the next one is checked

Firewalls
• The changes made with iptables are not permanently stored in any file
• The rules must be written in a shell script that is run at startup

Firewalls
• Three important chains
  • INPUT: incoming packets whose destination address is the firewall itself and which are not modified by NAT
  • OUTPUT: outgoing packets
  • FORWARD: packets whose source and destination are not the firewall itself but which pass through it; they may or may not be modified (e.g. by NAT: Network Address Translation)
Firewalls
• Very simplified diagram of what happens when a packet arrives at iptables (diagram)

Firewalls
• Example
  • A TCP packet arrives at port 80 of our machine
  • iptables sends this packet to the INPUT chain, because it is an input packet for our machine
  • In the INPUT chain there is no rule defined for port number 80, so the policy of INPUT is applied, which is DROP (discard)

Firewalls
• Set the default policy (ACCEPT or DROP) for one chain (INPUT, OUTPUT, FORWARD)
  • iptables -P INPUT DROP
  • iptables -P OUTPUT ACCEPT
Firewalls
• Parameters to add rules to a chain
  • -A: appends a rule to a chain (at the end)
  • -s: IP of the source machine of the packet
  • -d: IP of the destination machine of the packet
  • -i: interface through which the packet arrives
  • -o: interface through which the packet is sent

Firewalls
  • -p: IP protocol of the packet (tcp, udp, icmp)
  • --sport: source port of the packet
  • --dport: destination port of the packet
  • -j: determines what to do with the packets that match the rule
    • ACCEPT
    • DROP
    • REJECT
  • -L: displays the current firewall rules
Firewalls - Examples
• Allow access to our web server
  • iptables -A INPUT -p TCP --dport 80 -j ACCEPT
• Allow access to our FTP server
  • iptables -A INPUT -p TCP --dport 21 -j ACCEPT
• Add a rule to deny all outgoing packets addressed to the IP 80.90.1.30
  • iptables -A OUTPUT -d 80.90.1.30 -j DROP

Firewalls - Examples
• Add a rule so that our machine cannot be pinged
  • iptables -A INPUT -p icmp -j DROP
• Allow the machine with IP 192.168.1.2 to connect to our machine through SSH
  • iptables -A INPUT -s 192.168.1.2 -p TCP --dport 22 -j ACCEPT
  • iptables -A OUTPUT -d 192.168.1.2 -p TCP --sport 22 -j ACCEPT

Firewalls - Examples
• Tutorial
  • http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
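The following Python model is an added example, not part of the slides and not Netfilter code. It simulates the chain semantics the iptables slides describe (rules tried in order, first match wins, default policy otherwise) and the difference the 'stateless' vs. 'stateful' slides draw: the stateless chain admits the unsolicited "ACK from source port 80 to port 22" because it only looks at static header fields, while the stateful chain, backed by a small connection table, drops it and still admits real replies to connections our host opened. HOST, the admin address 192.168.1.2 and the other addresses and ports are constructed.

```python
"""Toy model of how an iptables chain decides a packet's fate: rules are tried in
order, the first match wins, and the chain's default policy applies otherwise.
It also contrasts a stateless INPUT chain with a stateful one backed by a
connection table. Added example; it only simulates Netfilter semantics in
Python and never touches a real firewall. Addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOST = "192.168.1.10"  # constructed: the address of "our machine"


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    """One rule of a chain; every field mirrors one iptables match option."""
    target: str                   # -j ACCEPT | DROP | REJECT
    proto: Optional[str] = None   # -p
    src: Optional[str] = None     # -s (single address or CIDR)
    dst: Optional[str] = None     # -d
    sport: Optional[int] = None   # --sport
    dport: Optional[int] = None   # --dport
    state: Optional[str] = None   # conntrack-style match: "NEW" or "ESTABLISHED"

    def matches(self, pkt: Packet, state: Optional[str]) -> bool:
        return all([
            self.proto is None or pkt.proto == self.proto,
            self.src is None or ip_address(pkt.src) in ip_network(self.src),
            self.dst is None or ip_address(pkt.dst) in ip_network(self.dst),
            self.sport is None or pkt.sport == self.sport,
            self.dport is None or pkt.dport == self.dport,
            self.state is None or state == self.state,
        ])


class Chain:
    """Ordered list of rules plus a default policy (iptables -P)."""
    def __init__(self, policy: str):
        self.policy = policy
        self.rules = []

    def append(self, rule: Rule) -> None:   # iptables -A: add at the end
        self.rules.append(rule)

    def evaluate(self, pkt: Packet, state: Optional[str] = None) -> str:
        for rule in self.rules:             # rules are tried top to bottom...
            if rule.matches(pkt, state):
                return rule.target          # ...and the first match decides
        return self.policy                  # nothing matched: the policy applies


class ConnTracker:
    """Connection table: incoming traffic is ESTABLISHED only if it reverses a connection we opened."""
    def __init__(self):
        self.table = set()

    def note_outgoing(self, pkt: Packet) -> None:
        self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state_of(self, incoming: Packet) -> str:
        reverse = (incoming.proto, incoming.dst, incoming.dport, incoming.src, incoming.sport)
        return "ESTABLISHED" if reverse in self.table else "NEW"


def stateless_input() -> Chain:
    """Stateless chain: lets 'replies from web servers' in by source port alone."""
    chain = Chain(policy="DROP")                                            # iptables -P INPUT DROP
    chain.append(Rule("ACCEPT", proto="tcp", src="192.168.1.2", dport=22))  # SSH from the admin host
    chain.append(Rule("ACCEPT", proto="tcp", sport=80))                     # anything claiming source port 80
    return chain


def stateful_input() -> Chain:
    """Stateful chain: replies are admitted only for connections we opened ourselves."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", state="ESTABLISHED"))
    chain.append(Rule("ACCEPT", proto="tcp", src="192.168.1.2", dport=22, state="NEW"))
    return chain


def demo() -> dict:
    tracker = ConnTracker()
    # The packet from the slide: an ACK claiming to come from port 80, aimed at our SSH
    # port, although nobody on our side ever asked for it.
    unsolicited = Packet("tcp", "203.0.113.7", HOST, 80, 22)
    # A legitimate exchange: we open a connection to a web server, then its reply arrives.
    tracker.note_outgoing(Packet("tcp", HOST, "198.51.100.20", 40000, 80))
    reply = Packet("tcp", "198.51.100.20", HOST, 80, 40000)
    admin_ssh = Packet("tcp", "192.168.1.2", HOST, 51234, 22)
    stranger_ssh = Packet("tcp", "203.0.113.7", HOST, 51234, 22)
    stateless, stateful = stateless_input(), stateful_input()
    return {
        "unsolicited_stateless": stateless.evaluate(unsolicited),
        "unsolicited_stateful": stateful.evaluate(unsolicited, tracker.state_of(unsolicited)),
        "reply_stateful": stateful.evaluate(reply, tracker.state_of(reply)),
        "admin_ssh_stateful": stateful.evaluate(admin_ssh, tracker.state_of(admin_ssh)),
        "stranger_ssh_stateful": stateful.evaluate(stranger_ssh, tracker.state_of(stranger_ssh)),
    }
```

Running `demo()` returns ACCEPT for the unsolicited packet on the stateless chain and DROP on the stateful one, while the genuine reply and the admin's SSH connection are accepted and the stranger's SSH attempt falls through to the DROP policy. Swapping the order of two rules in `Chain.append` changes the verdict, which is the "order matters" point of the slides.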
Intrusion Detection System - IDS
• IDS: Intrusion Detection System
• Program used to detect unauthorized accesses to a computer or a network
• It is based on network traffic analysis
• They usually have a database of patterns or signatures of known attacks
• It neither protects nor filters, it only detects

Intrusion Detection System - IDS
• Two types:
  • Network Intrusion Detection System (NIDS)
  • Host-Based Intrusion Detection System (HIDS)

Network Intrusion Detection System
• NIDS
  • Uses packet sniffers (sensors) to capture network traffic
  • The content of each packet is analyzed for malicious patterns
  • The sensors are usually located at critical points of the network that have to be monitored:
    • The DMZ
    • Network endpoints
Network Intrusion Detection System (diagram): the SNIFFER reads the network traffic → the PRE-PROCESSOR produces an optimized packet for the engine → the RULE ENGINE searches for a pattern in the RULES → when a pattern matches, an alert is raised: notify by e-mail, store in a DB or plain text, filter the attacker's IP in the firewall (IPS)

Network Intrusion Detection System
• Example NIDS: Snort
  • Works as a network sniffer
  • Detects attacks on the basis of a set of rules
  • Saves the alerts in a MySQL database
  • http://www.snort.org

Network Intrusion Detection System
• Managing and viewing alerts
  • ACID - Analysis Console for Intrusion Databases
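To make the "rule engine searches for a pattern in the rules" step concrete, here is an added example of a minimal signature-based engine that reads rules in a Snort-like syntax and runs them over constructed packets. It is not Snort's code and supports only a small subset of the rule language (the header plus the msg, content and nocase options); the rules, addresses and payloads are made up for the demonstration.

```python
"""Minimal signature-based NIDS engine in the spirit of Snort's rule syntax.
Added example; not Snort's code. Supports only: action, protocol, src/dst
address (any or CIDR), src/dst port (any or a number) and the options
msg, content and nocase. Rules, packets and addresses are constructed."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict


def parse_rule(text: str) -> Rule:
    """Parse one rule line such as:
    alert tcp any any -> any 80 (msg:"HTTP traversal attempt"; content:"/../"; nocase;)
    Options are split on ';' (a content value containing ';' is not supported here)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    options = {}
    for raw in m.group("options").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, _, value = raw.partition(":")
        options[key.strip()] = value.strip().strip('"') if value else True  # flag options map to True
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dst"), m.group("dport"), options)


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    if not (_port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)):
        return False
    content = rule.options.get("content")
    if content is not None:                         # payload signature, optionally case-insensitive
        needle, haystack = content.encode(), pkt.payload
        if rule.options.get("nocase"):
            needle, haystack = needle.lower(), haystack.lower()
        if needle not in haystack:
            return False
    return True


def run_engine(rules, packets) -> list:
    """Return (packet index, msg) for every 'alert' rule that fires; 'pass'/'log' rules never alert."""
    alerts = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if rule.action == "alert" and rule_matches(rule, pkt):
                alerts.append((i, rule.options.get("msg", "")))
    return alerts


RULES = [parse_rule(r) for r in [   # constructed rule set
    'alert tcp any any -> any 80 (msg:"HTTP traversal attempt"; content:"/../"; nocase;)',
    'alert tcp any any -> 10.0.0.0/8 22 (msg:"SSH connection to internal host";)',
    'alert udp any any -> any 53 (msg:"Oversized DNS query"; content:"AAAAAAAA";)',
]]

PACKETS = [   # constructed sample traffic
    Packet("tcp", "203.0.113.7", "10.0.0.5", 41000, 80, b"GET /../../private/config HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.7", "10.0.0.5", 41001, 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "192.168.1.2", "10.0.0.9", 51000, 22, b"SSH-2.0-OpenSSH\r\n"),
    Packet("udp", "10.0.0.5", "10.0.0.1", 5353, 53, b"\x00\x01" + b"A" * 64),
    Packet("tcp", "10.0.0.5", "203.0.113.7", 40000, 22, b"SSH-2.0-OpenSSH\r\n"),
]


def demo() -> list:
    return run_engine(RULES, PACKETS)
```

`demo()` fires on packets 0, 2 and 3 and stays silent on the ordinary HTTP request and on the outbound SSH session, which is exactly the second and third packets that a false-positive-prone rule set would flag. A real engine like Snort adds a pre-processor stage (reassembly, normalization) before this pattern search, which is why the diagram above places it between the sniffer and the rule engine.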
Host-Based Intrusion Detection System
• HIDS
  • The sensor consists of a software agent that monitors all the activity on the host on which it is installed
  • It searches local information sources on the host, such as:
    • System logs
    • User sessions
    • Privileged user activities
    • Changes to the file system
    • ...

Host-Based Intrusion Detection System
• Example HIDS: OSSEC
  • Free, open-source host-based intrusion detection system (HIDS)
  • Performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerts, ...
  • Available for Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows
  • http://www.ossec.net

Intrusion Detection System - IDS
• IDS problems
  • False positives and false negatives
  • Their effectiveness depends largely on their configuration
  • They are not easy to implement

Other approaches
• IPS (Intrusion Prevention System): besides detection, it takes action
• Event correlator: security knowledge inferred from IDS, IPS, firewalls, AV, etc.
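The "integrity checking" and "changes to the file system" items above are what a HIDS agent does with a hash baseline. The following added example, which is not OSSEC's code, shows the mechanism end to end: snapshot a directory tree into SHA-256 digests, rescan later, and report added, removed and modified files. The demo builds a throw-away directory with constructed files and changes.

```python
"""File-integrity checking as a HIDS agent does it: baseline the monitored tree
with cryptographic hashes, rescan later and report what changed.
Added example; not OSSEC's code. The demo uses a temporary directory with
constructed files, so it runs offline and leaves nothing behind."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):   # stream: monitored files may be large
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest.
    Symlinks are recorded by target instead of being followed, so swapping a
    link to point elsewhere shows up as a modification."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            result[rel] = "symlink->" + os.readlink(full) if full.is_symlink() else sha256_of(full)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the three kinds of change an integrity alert reports."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Baseline a small constructed tree, change it, rescan, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")   # constructed content
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake binary")
        baseline = snapshot(root)

        # Changes a later scan should surface: one file edited, one deleted, one new file.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake binary")   # rewritten with identical bytes: no alert
        (root / "bin" / "newtool").write_bytes(b"\x7fELF new tool")
        return compare(baseline, snapshot(root))
```

Two design points matter in practice. The comparison is on content hashes, not modification times, because timestamps are trivially reset by whoever changed the file; and the baseline dictionary must be kept where an intruder on the monitored host cannot rewrite it (OSSEC sends it to the manager; storing it off-host or signing it achieves the same), otherwise tampering with the baseline hides tampering with the files.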
VPN
• VPN: Virtual Private Network
• Technology that allows a local area network (LAN) to be implemented securely within a wide area network (the Internet, for example)
• It requires
  • Encapsulated traffic (IP over TCP, for example)
  • Traffic encryption
  • Traffic compression

VPN
• Advantages
  • Comfortable for end users
  • Cheaper than a dedicated node
  • High level of scalability (e.g. going from 2 to 10 nodes)
  • Security

VPN
• Disadvantages
  • Overhead on the client side (encapsulation, encryption, data compression)
  • Less reliable than a dedicated node
  • More complex credential management (certificates)
  • The VPN server can easily suffer DoS attacks (by overloading the cryptography)
VPN
• VPN types
  • Remote access VPN ("road warriors")
    • Remote and dispersed clients connected to a corporate LAN through a VPN server
  • Point-to-point VPN
    • Two or more remote nodes interconnected over the Internet through encrypted tunnels
  • VPN over LAN
    • Implements a secure LAN within a LAN that is considered unsafe (e.g. the Academic Management network within the University network)

VPN
• Typical protocols
  • PPTP: Point-to-Point Tunneling Protocol
  • L2F: Layer-2 Forwarding (Cisco)
  • L2TP: Layer-2 Tunneling Protocol
  • IPSec: Internet Protocol Security
  • SSL/TLS: Secure Sockets Layer / Transport Layer Security
  • SSH: Secure Shell
• The de facto standard is IPSec, although the others are used because they are more straightforward to implement
SOCKS proxy with SSH
• Encrypted tunnels with SSH
  • SSH (Secure Shell)
    • Encrypts every connection
    • Allows port forwarding
  • It is possible to create encrypted tunnels for insecure protocols
    • Example: HTTP
      • HTTP traffic is encapsulated inside the SSH protocol
      • All HTTP traffic is encrypted

SOCKS proxy with SSH
• Tools
  • PuTTY (Windows)
    • http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
  • ssh (Unix)
    • aptitude install ssh