1 / 27


Devices. ISQS 6342 Spring 2004 Gurkan Ozfidan. Outline. Firewalls, Routers, Switches Wireless/Modems Remote Access Services (RAS) Telecom/Private Branch Exchange (PBX) Virtual Private Networks (VPN) Intrusion Detection Systems (IDS) Mobile Devices. What is Firewall?.

Download Presentation


An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Devices ISQS 6342 Spring 2004 Gurkan Ozfidan

  2. Outline • Firewalls, Routers, Switches • Wireless/Modems • Remote Access Services (RAS) • Telecom/Private Branch Exchange (PBX) • Virtual Private Networks (VPN) • Intrusion Detection Systems (IDS) • Mobile Devices

  3. What is Firewall? • Firewall is a barrier to keep destructive forces away from your property • Firewall is any hardware or software device that provides a means of securing a computer or network from unwanted intrusion

  4. Firewall Security Drafting Security Policy; • What am I protecting? • Who am I protecting it from? • Who gets access to which resources? Common areas of attack; • Web servers, mail servers, FTP services, databases Available service means hole in your firewall; • DNS(23,23), FTP(20-21), ICQ(4000), HTTP(80), Telnet(23) What Do Firewalls Protect Against? • DoS -not to steal information, but to disable a device • ping of death -create an IP packet that exceeds the maximum 65535 bytes • SYN flood - TCP connections requests faster than a machine can process • IP spoofing - break into systems, to hide the hacker's identity

  5. How Do Firewalls Work? • Network address translation (NAT) • Basic firewalls usually use only one technique - NAT • Basic packet filtering • Most basic security function performed by firewall • Stateful packet inspection (SPI) • Basic packet filtering by adding a feature called “stateful packet inspection” • Access control lists (ACL) • Packet filtering is made possible through the use of access control list (ACL).

  6. How Do Firewalls Work? Network Address Translation; • Provides a type of firewall by hiding internal IP addresses • Enables a local-area network to use one set of IP addresses for internal network • Use second set of addresses for external traffic • A NAT box located where the LAN meets the Internet makes all necessary IP address translations

  7. How Do Firewalls Work? Basic Packet Filtering; • Decides whether to forward TCP/IP packets based on information • Packet filters screen information based on • Protocol type • IP address • TCP/UDP port • Source routing information • Packets that make it through the filters are sent to the requesting system

  8. How Do Firewalls Work? Stateful Packet Inspection; • Stateful packet filters can record session-specific information which ports are in use on the client and on the server • Three-way handshake; • Initiates a TCP connection • Begin passing packets once the connection made • Once session is ended no packet is allowed • Enhances security which side of the firewall a connection was initiated • Essential to blocking IP spoofing attacks

  9. How Do Firewalls Work? Access Control Lists; • Packet filtering is made possible through the use of ACLs • ACL is a list of rules either allowing or blocking inbound or outbound packets which the firewall comes into contact • Example of allowing access only to HTTP(port 80) access-list 101 permit tcp any eq 80 access-list 101 deny ip any – r u

  10. Routers • Network management device that sits between different network segments • Allows different networks to communicate with one another and the Internet to function

  11. Message or file is broken up into packages about 1500 bytes long • Packages includes information on the sender's address, the receiver's address • Checksum value allows the receiving computer to be sure that packet arrived intact • Packet is sent via the best available route • Tracert ; traces the route that a packet takes to another computer

  12. Switches • Device that filters and forwards packets between LAN segments • Network switches are capable of determining the source and destination of packet, and forwarding that packet appropriately • Switches conserve network bandwidth and offer generally better performance than hubs • Hub joins multiple computers (or other network devices) together to form a single network segment

  13. Switches usually work at Layer 2 using MAC addresses. • Routers work at Layer 3, using addresses (IP, IPX or Appletalk, depending on protocols). • Hubs are simply a junction that joins all different nodes together. The seven layers of the Open Systems Interconnection (OSI) Reference Model

  14. Click on the menu terms to learn more about how transparent

  15. Wireless - digital data into radio signals WEP; • Wired Equivalent Privacy, a security protocol for wireless local area networks (WLANs) defined in the 802.11b standard. • Designed to provide the same level of security as wired LAN • WEP aims to provide security by encrypting data over radio waves. • Do not have same physical structure as LAN, therefore are more vulnerable to tampering

  16. Wireless - digital data into radio signals WPA; • Wi-Fi Protected Access , designed to improve upon the security features of WEP • Includes two improvements over WEP • Improved data encryption through the temporal key integrity protocol (TKIP). TKIP scrambles the keys using a hashing algorithm, ensures that the keys haven’t been tampered with • MAC address is simple to be sniffed out and stolen; Extensible Authentication Protocol EAP is built on a more secure public-key encryption system to ensure that only authorized network users can access the network

  17. Modems - modulator-demodulator • Digital Subscriber Line (DSL) provides a direct connection between computer or network connected on the client side and the Internet. • Cable modems are connected to a shared segment that anyone else on that segment can potentially threaten your system. • DSL and cable modems users was the issuing of static IP addresses. • Static addresses provide a fixed target for hackers. • Dynamic Host Configuration Protocol (DHCP) to issue dynamic addresses. • Best solution is to implement a firewall.

  18. Remote Access Services (RAS) • Provides the ability for one computer to dial into another computer via modem. • Also offer a feature called callback, work only with fixed phone numbers. • It is behind any physical firewall. • Unless there is a gateway software or a firewall software running on the server hosting RAS, there is a potential for the network to be compromised.

  19. Telecom/Private Branch Exchange • A traditional PBX is a computer-based telephone switch that may be thought of as a small, in-house, telephone company • A private telephone network used within an enterprise • Users of the PBX share a certain number of outside lines for making telephone calls external to the PBX • Failure to secure PBX can result in toll fraud, theft of information, denial of service • Securing a PBX should be part of a written security policy

  20. Virtual Private Networks • VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together • Security is enhanced by implementing Internet Protocol Security (IPSec) • IPSec provides better encryption algorithms and more comprehensive authentication – transport and tunneling • Transport; encryption of data in a packet • Tunneling; encryption of data including the address header information • IPSec eliminates packet sniffing and identity spoofing • Sending and receiving computers hold the keys to encrypt and decrypt the packets

  21. A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities and individual users connecting from out in the field

  22. Intrusion Detection Systems • IDS offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur Computer Based IDS; • To secure critical network servers or systems sensitive information • Agents are loaded on each on each protected computer • Analyze the disk space, RAM, CPU time, and applications • Collected information is compared to a set of rules to determine if a security breach has occurred

  23. Intrusion Detection Systems Network-based IDS; • Monitor activity on a specific network segment • Usually dedicated platforms with two components; • Sensor; which passively analyzes network traffic • Management system; displays alarm information from the sensor and allows security personnel to configure the sensors Anomaly-based Detection; • Involves building statistical profiles of user activity and reacting to any activity that falls outside these profiles • Two major problems; • Users do not access their computers or the network in static, predictable ways • Not enough memory to contain the entire profile

  24. Intrusion Detection Systems Signature-based detection; • Similar to an antivirus program in its method of detecting potential attacks • Vendors produce a list of “signatures” to compare against activity • When match is found, IDS take some action • Customers depend on vendors to provide the latest signatures • Normal network activity can be constructed as malicious • Network application may send ICMP (supports packets containing errors) messages

  25. Mobile Devices • Personal Digital Systems (PDAs) • Can open security holes for any computer with which these devices communicate • Virus or destructive code may be introduced during a sync operation between mobile and PC • Standard antivirus and firewall applications can’t protect PCs

  26. References • Paul Campbell, et al. Security+. Thomson Course Technology, 2004. • Craig Zacker. The Complete Reference Networking. Mc Graw Hill, 2001. • George Coulouris, et al. Distributed Systems Concepts and Desing. Addison Wesley, 2001. • How Stuff Works. Retrieved from on February 16, 2004. • P2P Concepts. Retrieved from on February 17, 2004. • Wireless LAN Standards. Retrieved from on February 27, 2004.

More Related