Network Security No. 1, Seattle Pacific University

Internet Security: Building a Fortress around your Data
Kevin Bolding, Electrical Engineering
Seattle Pacific University

Security is a Multi-Faceted Problem
• Keeping the bad guys out of your home: Network Security
• Stopping guests from trashing your place: 1. Don’t be stupid, 2. Anti-Virus
• Safety when travelling: Encryption

Keeping the Bad Guys out
• Who is inside?
  • People
  • Computers
  • Other networked resources
• Who needs to be kept out?
  • People
    • Wanderers
    • Hackers
  • Probe programs

A Firewall/Gateway
[Figure: the Internet, a Firewall surrounding the LAN, and a Gateway through the firewall]
• A Gateway is the point where data can be transferred between the LAN and the outside world
• The Firewall is the area where no connections are allowed to be made to the outside world
• Our Trusted LAN users would like a connection to the Internet...

Security in the whole
[Figure: Internet, Firewall and Gateway, with other paths into the LAN that bypass the gateway]
• Any data transfer across the firewall outside of the gateway violates its integrity
  • Other Internet connections
  • Flash Drives
  • Laptops
  • Smartphones
• Your security policy must address all of these issues first

Gateway Security (Firewalls)
• Firewall components have three basic elements
  • Packet filtering
    • Drops incoming packets from non-authorized hosts
  • Circuit-level gateway
    • Matches incoming packets to internally-generated requests
  • Proxy servers (application gateway)
    • Analyzes incoming messages for content
• Firewall implementations may use any combination of the three main elements

Packet Filtering
[Figure: Internet, Firewall, and a Packet Filtering Router holding "Reject from…" and "Accept from..." lists]
• Router bridges the firewall
  • Checks all packets crossing it
• Works at the network level with IP, so can scan:
  • IP source/destination addresses
  • Protocol (TCP, UDP, etc.)
  • Source/destination TCP ports
    • Telnet: port 23, Http: port 80, etc.
• Can filter on any of the above properties
  • Ex: Disallow all incoming telnet connections to all hosts except 128.95.1.4
  • Ex: Disallow all incoming packets from host 24.1.2.3
  • Ex: Disallow all incoming packets except on TCP port 80 (Http)
• Normally the first rule in a packet filter is always Deny All
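The slide's three example policies as an ordered rule table, added here as an illustration (not code from the lecture): rules match on the header fields the slide lists, the first matching rule wins, and Deny All applies to anything unmatched. Addresses other than the slide's own are constructed.

```python
# Added example: a first-match packet filter over IP/TCP header fields,
# with Deny All as the default when no rule matches.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str                      # IP source address
    dst: str                      # IP destination address
    proto: str                    # "tcp", "udp", ...
    dport: Optional[int] = None   # destination port (TCP/UDP only)

@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "deny"
    src: Optional[str] = None     # None matches any value
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.src, p.src), (self.dst, p.dst),
            (self.proto, p.proto), (self.dport, p.dport)))

# Ordered rule table: more specific rules first, unmatched traffic is denied.
RULES = [
    Rule("deny", src="24.1.2.3"),                             # block one host entirely
    Rule("accept", dst="128.95.1.4", proto="tcp", dport=23),  # telnet only to this host
    Rule("deny", proto="tcp", dport=23),                      # telnet to anyone else
    Rule("accept", proto="tcp", dport=80),                    # Http to any host
]

def filter_packet(p: Packet, rules=RULES) -> str:
    """Return 'accept' or 'deny' for an incoming packet (first matching rule wins)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # Deny All default

if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    for pkt in [
        Packet("10.9.8.7", "128.95.1.4", "tcp", 23),   # accept: telnet to the allowed host
        Packet("10.9.8.7", "128.95.1.9", "tcp", 23),   # deny: telnet elsewhere
        Packet("24.1.2.3", "128.95.1.4", "tcp", 80),   # deny: blocked source host
        Packet("10.9.8.7", "128.95.1.9", "tcp", 80),   # accept: Http
        Packet("10.9.8.7", "128.95.1.9", "udp", 53),   # deny: no rule, Deny All
    ]:
        print(pkt, "->", filter_packet(pkt))
```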

Pros/Cons of Packet Filtering
• Pros:
  • You need a router anyway
  • Most routers support packet filtering
  • Provides good security when set up properly
• Cons:
  • The IP header is the only basis for filtering
  • Often filters too much
    • Have to trade security for convenience
  • Very difficult to set up the right filters
  • Need to change filtering as network needs change

Circuit Level Firewalls - TCP
• Packet filtering is often too rigid
  • Allows or denies access for broad classes for all time
• Circuit Level Filtering
  • Takes advantage of TCP connections
  • Insider (trusted) sets up TCP connection with outside host
  • Filter allows incoming packets from that outside host as long as they belong to the original TCP connection
• Circuit Level Filtering works at the Transport Layer, while Packet Filtering works at the Network Layer

Circuit Level Firewalls - UDP
• Dynamic Packet Filtering
  • Packet filtering that relies on TCP port numbers won’t work with UDP packets
    • Either allow all UDP accesses or disable all of them
  • Dynamic Packet Filtering keeps track of “connections” for UDP packets
    • Matches requests from inside with outside responses

Hidden Networks - Network Address Translation
• NAT allows you to hide your network from public view
  • Converts internal IP addresses to one or more external IP addresses
  • Public cannot determine information about your internal network
  • Intruders can’t target individual machines because they don’t know they exist
• NAT enables IP address sharing
  • One external address, many internal devices
  • NAT box must keep track of connections
  • Connections must be initiated by devices inside the firewall
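The connection tracking that the circuit-level/dynamic filtering slides and the NAT slide share, as an added illustration (not code from the lecture): a NAT box records only flows that an insider initiates, rewrites their source to one external address, and lets an outside packet in only when it answers a recorded flow. All addresses and ports are constructed (documentation and private ranges).

```python
# Added example: stateful NAT with inside-initiated connection tracking.
# TCP and UDP flows are tracked the same way, which is what lets UDP
# "connections" work without opening all of UDP.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # constructed external address

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"

class NatBox:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, external port) -> (inside ip, inside port, outside ip, outside port)
        self.table = {}

    def outbound(self, p: Packet) -> Packet:
        """Insider sends to an outside host: reuse or allocate an external port."""
        flow = (p.src, p.sport, p.dst, p.dport)
        for (proto, ext_port), known in self.table.items():
            if proto == p.proto and known == flow:
                return Packet(self.public_ip, ext_port, p.dst, p.dport, p.proto)
        ext_port = self.next_port
        self.next_port += 1
        self.table[(p.proto, ext_port)] = flow
        # Outside sees only the public address, never the internal one.
        return Packet(self.public_ip, ext_port, p.dst, p.dport, p.proto)

    def inbound(self, p: Packet):
        """Outside packet: deliver only if it answers a flow an insider opened."""
        flow = self.table.get((p.proto, p.dport))
        if flow is None or (p.src, p.sport) != (flow[2], flow[3]):
            return None   # unsolicited, or from the wrong outside host: dropped
        return Packet(p.src, p.sport, flow[0], flow[1], p.proto)

if __name__ == "__main__":
    box = NatBox()
    query = box.outbound(Packet("192.168.1.20", 5353, "198.51.100.5", 53, "udp"))
    print("outbound rewritten to", query)
    print("reply delivered to", box.inbound(Packet("198.51.100.5", 53, PUBLIC_IP, 40000, "udp")))
    print("unsolicited:", box.inbound(Packet("198.51.100.5", 53, PUBLIC_IP, 40001, "udp")))
```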

One Box to Rule them All!
• A Broadband Router Typically Contains
  • A 4-Port Ethernet Switch
  • A Wireless Access Point
  • Packet-Filtering Capabilities
  • NAT for Sharing and Hiding
  • DHCP Server
• This device will shield your network from almost all non-invited threats
• Most remaining threats are from Trojan Horse schemes or software bugs

Application Level Firewalls
• Circuit- and Packet-Level Firewalls deal only with information in the TCP and IP headers
  • What about Content?
• Application Level Firewalls examine the content of incoming messages
  • Pass on only those that meet strict requirements
• At the application level, everything is possible...
  • Passwords/Account names are visible
  • Content screening/virus scanning can be done
• Application level host must be a Bastion Host
  • Hardened version of OS

Application Level - Proxy Servers
[Figure: Internet, Firewall, and a gateway holding a Proxy Client and a Proxy Server with Analysis between them]
• Force all communication across a gateway through proxies
  • Proxy web servers, email servers, telnet clients, etc.
• Proxy Server portion of gateway communicates with insiders
• Proxy Client portion of gateway communicates with outsiders
• Any communication between client and server must undergo analysis

A Full System Using a DMZ
[Figure: Internet, an outer Packet Filtering Router, a DMZ holding the Bastion Host (Proxy) and Information Servers, an inner Packet Filtering Router, and the Firewall around the internal network]