Day 19 - PowerPoint PPT Presentation

About This Presentation
Title:

Day 19

Description:

Black Ice Firewall. Unix. IPtables. IPchains. IPF. Should I use host or network based? ... computer is at clayton on Friday night at 3am, maybe something is ... – PowerPoint PPT presentation

Slides: 19
Provided by: endasu

Transcript and Presenter's Notes

1
Day 19
2
Security Tools
  • Firewalls
    • Host based
    • Network based
  • IDS/IPS
    • Host based
    • Network based
    • Signature based detection
    • Anomaly based detection
  • Anti-virus, anti-spyware, anti-spam
  • Forensic tools
  • Authentication tools
  • Encryption tools

3
What is a firewall
  • A firewall is a choke point where network traffic
    can be permitted or denied.
  • A set of rules (an Access Control List or policy
    list) is used to determine what to allow.
  • For example
    • A machine is a web server (HTTP only)
    • Everyone in the world should be able to connect
      to the web server on port 80 TCP
    • All other ports should be blocked by a firewall;
      this prevents unintended services from being
      exposed and lessens the overall likelihood that
      the server will be compromised.
    • If nobody should ever use this server as a
      workstation, you could also limit outbound
      traffic from this machine
      • Helpful for preventing the machine from being
        used to attack other machines

4
Network based Firewalls
  • A network firewall is a network device which acts
    like a router, but has a set of policies it
    enforces in addition to routing.
  • Sometimes this device is the router
    • Most high end routers support ACLs
    • Access-list 101 permit tcp any host 100.1.1.1 eq 80
  • Sometimes the device is actually a separate
    firewall
    • Juniper, Checkpoint, Sonicwall, etc.

5
Host based firewalls
  • Sometimes the firewall is built into the OS of
    the machine it is protecting
  • Windows
    • Windows Firewall
    • Black Ice Firewall
  • Unix
    • IPtables
    • IPchains
    • IPF

6
Should I use host or network based?
  • How many machines do you have?
    • If you are protecting 2 machines, host based will
      probably work fine.
    • If you had to install host based firewalls on 500
      computers, it would probably have been easier to
      install a network firewall.
  • Who has access to the machines?
    • If the machines are publicly accessible, what
      stops a malicious person from disabling the
      firewall?
    • Network based firewalls are typically more
      difficult to disable.
  • What do you want your machine spending its time
    on?
    • If a machine is a webserver you want it spending
      its time on serving web pages, not denying
      traffic; that is probably best done by a network
      device.

7
Packet Filter Firewalls
  • Each time you receive a packet, check
    • Who sent it
    • Where is it going
    • What port did it come from and what port is it
      destined for
    • When did it arrive
    • What TCP/IP flags are set in the header
    • Is it part of an established connection or the
      start of a new one
  • Based on the current set of policies, either allow
    or deny this packet.
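As an added example (my own code, not from the slides or any firewall product), here is a small packet filter in Python that applies the web-server policy from slide 3 using the per-packet checks listed on this slide: who sent it, where it is going, which ports are involved, and whether it belongs to a connection that was already allowed. The address 100.1.1.1 is taken from the ACL on slide 4; the rule syntax, the other addresses and the packets themselves are constructed for the demonstration.

```python
# Added example: a tiny stateful packet filter (not code from the slides).
# It applies the web-server policy from slide 3 to constructed packets.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                 # who sent it
    dst: str                 # where it is going
    proto: str               # "tcp", "udp" or "icmp"
    sport: int               # source port (0 for icmp)
    dport: int               # destination port (0 for icmp)
    syn_only: bool = False   # TCP SYN without ACK: the start of a new connection


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    new_only: bool = False      # match only packets that open a connection

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.new_only or pkt.syn_only))


Flow = Tuple[str, str, str, int, int]   # (src, dst, proto, sport, dport)


class PacketFilter:
    """First matching rule wins; anything unmatched is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.established: Set[Flow] = set()   # connections a permit rule let through

    def decide(self, pkt: Packet) -> str:
        forward: Flow = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reply: Flow = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        # Part of a connection we already allowed (either direction): pass it.
        if forward in self.established or reply in self.established:
            return "permit"
        # Otherwise consult the policy; the first matching rule decides.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "permit" and pkt.syn_only:
                    self.established.add(forward)   # remember the new connection
                return rule.action
        return "deny"   # default deny: unmatched traffic is blocked


WEB_SERVER = "100.1.1.1"   # address used in the slide 4 ACL example
WEB_SERVER_POLICY = [
    # Everyone in the world may open a TCP connection to port 80.
    Rule("permit", proto="tcp", dst=WEB_SERVER, dport=80, new_only=True),
    # The server is not a workstation: it may not open connections outbound.
    Rule("deny", src=WEB_SERVER),
    # All other ports are blocked by the default deny.
]


def run_scenario() -> List[str]:
    """Feed constructed packets through the policy and return the decisions."""
    fw = PacketFilter(WEB_SERVER_POLICY)
    packets = [
        Packet("203.0.113.5", WEB_SERVER, "tcp", 51000, 80, syn_only=True),  # client opens HTTP
        Packet(WEB_SERVER, "203.0.113.5", "tcp", 80, 51000),                 # server's reply
        Packet("203.0.113.5", WEB_SERVER, "tcp", 51000, 80),                 # more of that session
        Packet("203.0.113.5", WEB_SERVER, "tcp", 51001, 22, syn_only=True),  # SSH attempt
        Packet("203.0.113.5", WEB_SERVER, "tcp", 51002, 80),                 # port 80 but no SYN seen
        Packet(WEB_SERVER, "198.51.100.9", "tcp", 40000, 25, syn_only=True), # server dialing out
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())   # ['permit', 'permit', 'permit', 'deny', 'deny', 'deny']
```

The fifth packet is the interesting one: it is addressed to the permitted port, but it is neither a connection opener nor part of a connection the filter saw being opened, so it is dropped. That is the "established or new" check from the slide doing its job, and it is why a stateful filter needs a connection table rather than just a rule list.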

8
Proxy based firewalls
  • When a machine attempts to establish a connection,
    intercept it.
  • When the client attempts to connect to the
    server, the firewall acts like a server to the
    client.
  • Next the firewall creates a separate connection
    to the server (thus acting like a client)
  • Now the firewall acts like a traffic cop between
    the client and server by deciding how much of the
    traffic to pass between them.

[Diagram: Client <-> Firewall <-> Server]

9
Proxy vs. Packet Filter
  • A Proxy based firewall can do much more
    intelligent filtering because it understands what
    is being said between the client and the server.
  • For example, a proxy can alter HTML pages or
    emails (for example, stripping out sensitive
    information, or adding a signature/disclaimer to
    the end of each message)
  • A packet filter is much more limited because it
    only understands the header of the packets, not
    the data in them.

10
Intrusion Detection System
  • One of the most basic security principles is to
    know when you've been compromised.
  • Worst case is you were compromised and don't even
    know it, because more info can be stolen, or more
    damage can be done.
  • In the real world it's obvious, but with complex
    computers it's less obvious.
  • IDS systems are designed to help you track
    intrusions and identify how they were done.

11
File Integrity Checkers
  • One way to know if your system has been
    compromised is to know if any files on your
    system were changed without your knowledge.
  • Hackers frequently install software on
    compromised machines to give them a guaranteed
    way back on, or to do their bidding (send email,
    attack someone else)
  • File integrity monitors hash all the files on
    your system periodically and notify you of any
    changes.
  • Tripwire, GFI LanGuard etc.

12
Network based IDS
  • Network based IDSs typically monitor all packets
    coming into/out of your network looking for
    interesting patterns.
  • Interesting patterns are defined by a set of
    signatures which either a company or the internet
    community develop based on previous intrusions.
  • When a pattern is noticed it logs it, or possibly
    notifies someone (pager, email, phone)
  • E.g. Snort, ISS RealSecure etc.

13
Logs/Event Viewer
  • A frequently overlooked but critical security
    tool is logs.
  • Most things which happen on your computer are
    logged
    • Windows Event Viewer
    • Unix/Mac logs
  • Allow for analysis of what is going on on your
    computer
  • Gives you an audit trail after a compromise to
    see how it was done, and thus prevent it from
    happening again.
  • Of course this assumes the logs aren't erased by
    the attacker.
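As an added example of the analysis this slide has in mind (my own code, not from the slides), the Python below reads a handful of constructed Unix sshd log lines, builds the per-source audit trail, and flags any source that failed to log in several times and then succeeded. The hostnames, addresses, users and timestamps are all constructed; the line format is the usual syslog layout for sshd.

```python
# Added example (not from the slides): pull an audit trail out of constructed
# sshd log lines and flag sources that failed repeatedly and then got in.
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in the usual syslog/sshd format.
SAMPLE_LOG = """\
Mar  3 03:11:58 web1 sshd[1019]: Failed password for root from 198.51.100.7 port 5120 ssh2
Mar  3 03:12:01 web1 sshd[1023]: Failed password for root from 198.51.100.7 port 5122 ssh2
Mar  3 03:12:04 web1 sshd[1027]: Failed password for admin from 198.51.100.7 port 5126 ssh2
Mar  3 03:12:09 web1 sshd[1031]: Accepted password for admin from 198.51.100.7 port 5130 ssh2
Mar  3 08:00:12 web1 sshd[1200]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 08:05:40 web1 sshd[1210]: Failed password for alice from 192.0.2.10 port 40010 ssh2
Mar  3 08:05:52 web1 sshd[1212]: Accepted password for alice from 192.0.2.10 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(lines: str) -> List[dict]:
    """Turn raw log text into one dict per sshd login event (other lines are skipped)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def per_source(events: List[dict]) -> Dict[str, dict]:
    """Count failures per source and record which accounts it eventually accessed."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": []})
    for e in events:
        s = stats[e["src"]]
        if e["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"].append((e["ts"], e["user"], e["method"]))
    return dict(stats)


def suspicious_sources(events: List[dict], min_failures: int = 3) -> List[str]:
    """Sources with at least min_failures failed logins before an accepted one."""
    hits = []
    failures = defaultdict(int)
    for e in events:   # lines are in time order, so this is "failures so far"
        if e["result"] == "Failed":
            failures[e["src"]] += 1
        elif failures[e["src"]] >= min_failures and e["src"] not in hits:
            hits.append(e["src"])
    return hits


def timeline(events: List[dict], src: str) -> List[str]:
    """The audit trail for one source: what it tried, as which user, and when."""
    return [f'{e["ts"]} {e["result"]} {e["method"]} {e["user"]}'
            for e in events if e["src"] == src]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src in suspicious_sources(ev):
        print(src, "->", timeline(ev, src))
```

The user who mistyped a password once and then got in is not flagged, while the source that guessed three times before an accepted login is; the threshold is the knob that trades missed events for noise, which is the same tension the later IDS slides discuss.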

14
Intrusion Prevention Systems
  • A sort of combination of IDS and firewall.
  • The smarts of an IDS with the ability to block
    traffic like a firewall.
  • Think of it as a firewall which can build its
    own policies based on what's happening to it.
  • E.g.
    • You suddenly see a spike of ICMP (ping) traffic
      from a single address; perhaps after a few
      thousand packets you should think about stopping
      it, and the IPS might build a rule to block it.
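The ICMP spike on this slide is easy to turn into working code, so here is an added Python example (my own, not from the slides or any IPS product) of a rate-based IPS: it keeps a sliding window of recent ICMP packets per source, and once a source exceeds the threshold it creates a block rule for that source that expires after a fixed time. The threshold, window, addresses and traffic pattern are constructed.

```python
# Added example (my own code, not from the slides): a rate-based IPS that
# counts ICMP packets per source in a sliding window and, once a source passes
# the threshold, builds a block rule for it that expires after a while.
from collections import defaultdict, deque
from typing import Deque, Dict, List


class RateBasedIPS:
    def __init__(self, threshold: int = 1000, window: float = 5.0, block_for: float = 600.0):
        self.threshold = threshold      # packets per window before we react
        self.window = window            # seconds of history kept per source
        self.block_for = block_for      # seconds a generated block rule lives
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.block_rules: Dict[str, float] = {}   # src -> time the rule expires
        self.log: List[str] = []

    def inspect(self, src: str, proto: str, ts: float) -> str:
        """Return 'pass' or 'drop' for one packet observed at time ts (seconds)."""
        expiry = self.block_rules.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"               # a rule we built earlier still applies
            del self.block_rules[src]       # rule aged out; give the source another chance
            self.log.append(f"{ts:.3f} unblock {src}")
        if proto != "icmp":
            return "pass"                   # this policy only rate-limits ICMP
        q = self.recent[src]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                     # forget packets older than the window
        if len(q) > self.threshold:
            self.block_rules[src] = ts + self.block_for
            self.log.append(f"{ts:.3f} block {src}: {len(q)} icmp in {self.window}s")
            q.clear()
            return "drop"
        return "pass"


def simulate() -> Dict[str, Dict[str, int]]:
    """Constructed traffic: one host floods 3000 pings in 3 s, another pings normally."""
    ips = RateBasedIPS(threshold=1000, window=5.0, block_for=600.0)
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"pass": 0, "drop": 0})
    flood, normal = "198.51.100.23", "192.0.2.44"
    for i in range(3000):
        counts[flood][ips.inspect(flood, "icmp", i * 0.001)] += 1
    for i in range(5):
        counts[normal][ips.inspect(normal, "icmp", i * 1.0)] += 1
    # A TCP packet from the flooding host is still dropped: the rule is per source.
    counts[flood][ips.inspect(flood, "tcp", 4.0)] += 1
    # Much later the rule has expired and the source may pass again.
    counts[flood][ips.inspect(flood, "icmp", 700.0)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(simulate())   # {'198.51.100.23': {'pass': 1001, 'drop': 2001}, '192.0.2.44': {'pass': 5, 'drop': 0}}
```

The expiry on the generated rule is deliberate: a rule the IPS writes for itself has no human reviewing it, so if the trigger was a mistake the damage should at least be bounded in time.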

15
IDS/IPS False Positive problem
  • One of the biggest problems with IPS is the
    signatures.
  • If a popular virus happens to send the string
    BLABLA in an HTTP message to distribute itself,
    then any webpage with BLABLA in it will appear
    to be an attack.
  • False positives are frustrating and
    counter-productive.
  • Worse yet, your IPS may decide that the "attack"
    must be stopped and build a firewall rule to
    block it, so legitimate traffic is now blocked
    too.
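The BLABLA example from this slide and the signature matching from slide 12 can be shown together, so here is an added Python example (my own code, not Snort's or RealSecure's) that runs two signatures over three constructed HTTP messages: a naive signature that looks for the bare string anywhere, and a tuned one that only fires when the string opens the body of a request to the server. The messages, paths and hostnames are constructed; the point is that the naive signature also fires on an innocent page that merely mentions the string.

```python
# Added example (my own code, not from the slides): a toy signature matcher run
# over constructed HTTP messages, showing how a bare-string signature for the
# slide's "BLABLA" worm also fires on an innocent web page, and how a signature
# tied to direction and message part avoids that false positive.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes           # regex applied to the chosen part of the message
    direction: str = "any"   # "to_server", "to_client" or "any"
    part: str = "message"    # "message" (headers+body), "request_line" or "body"


def direction_of(msg: bytes) -> str:
    """Responses start with the HTTP version; everything else is a request."""
    return "to_client" if msg.startswith(b"HTTP/") else "to_server"


def split_http(msg: bytes) -> Tuple[bytes, bytes, bytes]:
    head, _, body = msg.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    return request_line, head, body


def scan(msg: bytes, sigs: List[Signature]) -> List[str]:
    """Return the names of every signature that matches this message."""
    request_line, head, body = split_http(msg)
    d = direction_of(msg)
    parts = {"message": msg, "request_line": request_line, "body": body}
    return [s.name for s in sigs
            if s.direction in ("any", d) and re.search(s.pattern, parts[s.part])]


# Constructed traffic: a worm-style request carrying the string, an ordinary
# page that talks about it, and a search for it.
WORM_REQUEST = (b"POST /upload.cgi HTTP/1.1\r\nHost: victim.example\r\n"
                b"Content-Length: 6\r\n\r\nBLABLA")
INNOCENT_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<p>Our IDS tutorial explains why the BLABLA signature misfires.</p>")
SEARCH_REQUEST = b"GET /search?q=BLABLA+signature HTTP/1.1\r\nHost: www.example\r\n\r\n"

# Naive: the string, anywhere, in any direction (what the slide warns about).
NAIVE_SIG = Signature("worm-blabla-naive", rb"BLABLA")
# Tuned: only when the string opens the body of a request headed to the server.
TUNED_SIG = Signature("worm-blabla-tuned", rb"^BLABLA", direction="to_server", part="body")


def run_corpus() -> Dict[str, List[str]]:
    """Which signatures fire on which constructed message."""
    sigs = [NAIVE_SIG, TUNED_SIG]
    return {
        "worm_request":   scan(WORM_REQUEST, sigs),
        "innocent_page":  scan(INNOCENT_PAGE, sigs),
        "search_request": scan(SEARCH_REQUEST, sigs),
    }


if __name__ == "__main__":
    for label, alerts in run_corpus().items():
        print(f"{label:15s} -> {alerts}")
```

The naive signature produces two false positives out of three messages; an IPS acting on it would block the web page and the search. The tuned signature still catches the constructed worm request, because it pins the string to where the worm actually puts it rather than to any occurrence at all.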

16
Anomaly based detection
  • Another approach which is being worked on is to
    watch what is normal and then look for things
    which are abnormal.
  • E.g. You use your computer at clayton from
    7:30PM-8:45PM on Monday and Wednesday. If your
    computer is at clayton on Friday night at 3am,
    maybe something is up.
  • Very difficult to be correct, requires lots more
    work to get right.
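To make the clayton example concrete, here is an added Python example (my own code, not from the slides) of the simplest form of anomaly detection: it learns, from a constructed login history, the weekdays and hours at which each user is normally seen at each location, then reports why a new session looks abnormal. The user name, the second location and the dates are constructed; only "clayton" and the Monday/Wednesday evening pattern come from the slide.

```python
# Added example (my own code, not from the slides): learn when and where each
# user normally works from a constructed login history, then flag sessions
# outside that profile, such as the slide's Friday 3am session at clayton.
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed history: (user, location, local time).  2007-03-05 is a Monday.
HISTORY = [
    ("alice", "clayton", "2007-03-05 19:30"), ("alice", "clayton", "2007-03-05 20:45"),
    ("alice", "clayton", "2007-03-07 19:35"), ("alice", "clayton", "2007-03-07 20:40"),
    ("alice", "clayton", "2007-03-12 19:28"), ("alice", "clayton", "2007-03-14 20:44"),
    ("alice", "lab2",    "2007-03-06 09:00"), ("alice", "lab2",    "2007-03-13 09:10"),
]

# user -> location -> weekday (Monday=0) -> (earliest hour, latest hour) seen
Profile = Dict[str, Dict[str, Dict[int, Tuple[int, int]]]]


def build_profile(history) -> Profile:
    """Record, per user and location, the range of hours seen on each weekday."""
    prof: Profile = defaultdict(lambda: defaultdict(dict))
    for user, loc, ts in history:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        lo, hi = prof[user][loc].get(t.weekday(), (t.hour, t.hour))
        prof[user][loc][t.weekday()] = (min(lo, t.hour), max(hi, t.hour))
    return prof


def score(profile: Profile, user: str, loc: str, ts: str, slack: int = 1) -> List[str]:
    """Return the reasons this session looks abnormal (an empty list means normal)."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    locs = profile.get(user)
    if locs is None:
        return [f"user {user} never seen before"]
    if loc not in locs:
        return [f"{user} never seen at {loc}"]
    days = locs[loc]
    reasons = []
    if t.weekday() in days:
        lo, hi = days[t.weekday()]
    else:
        reasons.append(f"{user} not normally at {loc} on {t.strftime('%A')}")
        # fall back to the hours seen at this location on any day
        lo = min(r[0] for r in days.values())
        hi = max(r[1] for r in days.values())
    if not (lo - slack <= t.hour <= hi + slack):
        reasons.append(f"hour {t.hour:02d}:00 outside usual {lo:02d}-{hi:02d} at {loc}")
    return reasons


if __name__ == "__main__":
    p = build_profile(HISTORY)
    for session in [("alice", "clayton", "2007-03-19 20:00"),   # Monday evening: normal
                    ("alice", "clayton", "2007-03-16 03:00")]:  # Friday 3am: not normal
        print(session, "->", score(p, *session) or "normal")
```

The slack of one hour is there so a session that starts a little early does not trip the alarm, and the weekday fallback is why a Friday visit reports both an unusual day and an unusual hour. Even this toy shows the slide's last bullet: every choice (how much history, how much slack, what counts as a location) moves the line between a missed intrusion and a nuisance alert.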

17
Viruses, Spies
  • Anti-Virus
    • Specialized form of IDS.
    • Looks for patterns in files on your hard drive.
    • Once one is found, assume it is a virus and
      remove it
    • Quarantine it, or delete it at the user's request
  • Anti-Spyware
    • Look for software which may get installed without
      your knowledge
    • E.g. Here is a free screensaver; you also get
      something which monitors all web pages you go to
      for opportunities to send you ads

18
VPN
  • Virtual Private Networks
  • Allow users into your private network from across
    the internet securely.
  • VPNs are based on encryption.
    • All traffic leaving the client is encrypted by
      software on their end.
    • That encrypted traffic is routed across the
      internet
    • The other end decrypts the resulting traffic and
      routes it on the private network
  • Traffic is typically encrypted with symmetric
    cryptography such as AES or TripleDES. Keys are
    typically exchanged either manually or
    automatically via IKE.