Office: Dept. of Communication Rm - PowerPoint PPT Presentation

Slides: 39
Provided by: insaCom

Transcript and Presenter's Notes

1
Network Security (II)
  • Bo Cheng
  • Office: Dept. of Communication Rm 112
  • Tel: X33512
  • Email: bcheng@ccu.edu.tw

2
Building Internet Firewalls
3
Packet Filter Firewalls
  • Access control based upon several pieces of
    information contained in a network packet:
    • The source address of the packet
    • The destination address of the packet
    • The type of traffic: the specific network
      protocol being used to communicate between the
      source and destination systems or devices
      (e.g., ICMP)
    • Possibly some characteristics of the Layer 4
      communications sessions, such as the source and
      destination ports of the sessions
    • The interface of the router the packet came from
      and which interface of the router the packet is
      destined for; this is useful for routers with 3
      or more network interfaces.

4
Boundary Routers
  • The packet filter, referred to as a boundary
    router, can block certain attacks, possibly
    filter unwanted protocols, perform simple access
    control, and then pass the traffic on to other
    firewalls that examine higher layers of the OSI
    stack.

[Figure: Packet Filter used as Boundary Router]
5
Basic Weaknesses Associated with Packet Filters
  • Do not examine upper-layer data
    • Cannot prevent attacks that employ
      application-specific vulnerabilities or
      functions.
  • Limited information available to the firewall
    • Logging functionality present in packet filter
      firewalls is limited.
    • Do not support advanced user authentication
      schemes.
  • Network protocol weaknesses
    • Vulnerable to weaknesses of the TCP/IP
      specification and protocol stack, such as
      network layer address spoofing.
  • Small number of variables used in access control
    decisions
    • Susceptible to security breaches caused by
      improper configurations.
  • But: consequently, packet filter firewalls are
    very suitable for high-speed environments where
    logging and user authentication with network
    resources are not important.

6
Packet Filter Rulesets
  • Actions:
    • Accept
    • Deny
    • Discard
  • By default:
    • Any type of access from the inside to the
      outside is allowed.
    • No access originating from the outside to the
      inside is allowed except for SMTP and HTTP.
    • SMTP and HTTP servers are positioned behind the
      firewall.

7
Stateful Inspection Firewalls
  • More secure
    • Track client ports individually rather than
      opening all high-numbered ports for external
      access.
  • Useful or applicable only within TCP/IP network
    infrastructures.
  • Represent a superset of packet filter firewall
    functionality.
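An added Python example, not from the slides: the default ruleset of the previous slide, first as a plain packet filter that has to open every high-numbered port so replies to inside clients can come back, then as a stateful inspection filter that admits a reply only for a flow it saw leaving. The inside network, the published SMTP/HTTP servers and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: the protected network and the SMTP/HTTP
# servers positioned behind the firewall, keyed as (server, port).
INSIDE = ipaddress.ip_network("192.168.1.0/24")
PUBLISHED = {("192.168.1.25", 25), ("192.168.1.80", 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _outbound(pkt):
    return (ipaddress.ip_address(pkt.src) in INSIDE
            and ipaddress.ip_address(pkt.dst) not in INSIDE)


def stateless_decide(pkt):
    """Packet filter: inside-to-outside allowed, outside-to-inside only
    to the published servers. Replies to inside clients arrive on
    high-numbered ports, so the filter must open all of them."""
    if _outbound(pkt):
        return "accept"
    if (pkt.dst, pkt.dport) in PUBLISHED:
        return "accept"
    if pkt.dport >= 1024:        # opens every high port to anyone outside
        return "accept"
    return "deny"


class StatefulFilter:
    """Same ruleset, but a reply is admitted only when it matches a flow
    the firewall recorded on the way out, tracked per client port."""

    def __init__(self):
        self.flows = set()       # (src, sport, dst, dport) of outbound flows

    def decide(self, pkt):
        if _outbound(pkt):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"      # reply to a tracked connection
        if (pkt.dst, pkt.dport) in PUBLISHED:
            return "accept"
        return "deny"
```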

8
Application-Proxy Gateway Firewalls
  • Combine lower layer access control with upper
    layer (Layer 7, Application Layer)
    functionality.
  • For example: a Web proxy
  • In addition to the ruleset, include
    authentication of each individual network user:
    • User ID and Password Authentication,
    • Hardware or Software Token Authentication,
    • Source Address Authentication, and
    • Biometric Authentication.

9
Dedicated Proxy Servers
  • Are useful for web and email content scanning:
    • Java applet or application filtering,
    • ActiveX control filtering,
    • JavaScript filtering,
    • Blocking specific Multipurpose Internet Mail
      Extensions (MIME) types, for example
      application/msword for Microsoft Word documents,
    • Virus scanning and removal,
    • Macro virus scanning, filtering, and removal,
    • Application-specific commands, for example,
      blocking the HTTP DELETE command, and
    • User-specific controls, including blocking
      certain content types for certain users.

10
Dedicated Proxy Servers Deployments
11
Network Address Translation
  • Developed in response to two major issues:
    • Hiding the network-addressing schema present
      behind a firewall environment.
    • The depletion of the IP address space has caused
      some organizations to use NAT for mapping
      non-routable IP addresses to a smaller set of
      legal addresses, according to RFC 1918:
      • 10.0.0.0 to 10.255.255.255 (Class A)
      • 172.16.0.0 to 172.31.255.255 (Class B)
      • 192.168.0.0 to 192.168.255.255 (Class C)
  • Accomplished in three fashions:
    • Static Network Address Translation
    • Port Address Translation (PAT)

12
[Figure: public vs. private IP address space: IANA-allocated, non-Internet-routable addresses; American Registry for Internet Numbers (ARIN)]
13
Static Network Address Translation
Each internal system on the private network has a
corresponding external, routable IP address
associated with it.
14
PAT
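An added Python example, not from the slides, contrasting the two translation fashions the slides name: static NAT keeps a one-to-one table of internal host to routable address, while PAT shares one routable address and tells internal flows apart by the translated source port. All addresses and the port range are constructed.

```python
class Nat:
    """Static NAT: one routable address per internal host, ports kept.
    PAT: all other hosts share one routable address and are told apart
    by a translated source port allocated per flow."""

    def __init__(self, static_map, pat_addr, first_port=10000):
        self.static = dict(static_map)              # private ip -> public ip
        self.reverse_static = {v: k for k, v in self.static.items()}
        self.pat_addr = pat_addr
        self.next_port = first_port                 # constructed port pool
        self.bindings = {}                          # public port -> (private ip, port)

    def outbound(self, src, sport):
        """Translate the source of a packet leaving the private network."""
        if src in self.static:
            return self.static[src], sport          # address changes, port kept
        for pub_port, inner in self.bindings.items():
            if inner == (src, sport):
                return self.pat_addr, pub_port      # reuse the existing binding
        pub_port = self.next_port
        self.next_port += 1
        self.bindings[pub_port] = (src, sport)
        return self.pat_addr, pub_port

    def inbound(self, dst, dport):
        """Map a packet arriving from outside back to the internal host.
        None means no binding exists: under PAT there is nothing to
        forward unsolicited inbound traffic to, which is what hides the
        internal addressing schema."""
        if dst in self.reverse_static:
            return self.reverse_static[dst], dport
        if dst == self.pat_addr and dport in self.bindings:
            return self.bindings[dport]
        return None
```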
15
Personal Firewalls/Personal Firewall Appliances
  • Personal Firewall
    • Installed on the system it is meant to protect
    • Usually does not offer protection to other
      systems or resources
  • Personal Firewall Appliance
    • Usually runs on specialized hardware and
      integrates some other form of network
      infrastructure components:
      • Cable Modem WAN Routing,
      • LAN Routing (dynamic routing support),
      • Network hub,
      • Network switch,
      • DHCP (Dynamic Host Configuration Protocol)
        server,
      • Network management (SNMP) agent, and
      • Application-proxy agents.

16
DMZ (DeMilitarized Zone)
  • A DMZ is your frontline when protecting valuables
    from direct exposure to an untrusted environment.
  • "A network added between a protected network and
    an external network in order to provide an
    additional layer of security."
  • A DMZ is sometimes called a "Perimeter network"
    or a "Three-homed perimeter network."
  • A DMZ is a glowing example of the
    Defense-in-Depth principle.

17
Defense-in-Depth
  • The Defense-in-Depth principle states that no one
    thing, and no two things, will ever provide total
    security.
  • It states that the only way for a system to be
    reasonably secured is to consider every aspect of
    the system's existence and secure them all.
  • A DMZ is a step towards defense in depth because
    it adds an extra layer of security beyond that of
    a single perimeter.

18
Design DMZ
  • Start by asking yourself:
    • What do I want to protect? Or: what is most
      valuable to me?
    • What is the entrance point into this system?
      Or: what is my front door?
  • If there is more than one entrance to your
    system, such as an Internet connection and
    dial-up connections:
    • Have two different DMZs.
    • Have different configurations for each of those
      access types.

19
DMZ Networks
[Figure: Service Leg DMZ Configuration]
[Figure: A DMZ Firewall Environment]
20
Domain Name Service (DNS)
[Figure: Split DNS example]
21
Placement of Servers in Firewall Environments
[Figure: Summary Example Firewall Environment]
22
Firewall Ruleset: Traffic to Block
  • Inbound traffic from a non-authenticated source
    system with a destination address of the firewall
    system itself.
  • Inbound traffic with a source address indicating
    that the packet originated on a network behind
    the firewall.
  • Inbound traffic containing ICMP (Internet Control
    Message Protocol) traffic.
  • Inbound or Outbound traffic from a system using a
    source address that falls within the address
    ranges set aside in RFC 1918 as being reserved
    for private networks.
  • Inbound traffic from a non-authenticated source
    system containing SNMP (Simple Network Management
    Protocol) traffic.
  • Inbound traffic containing IP Source Routing
    information.
  • Inbound or Outbound network traffic containing a
    source or destination address of 127.0.0.1
    (localhost).
  • Inbound or Outbound network traffic containing a
    source or destination address of 0.0.0.0.
  • Inbound or Outbound traffic containing directed
    broadcast addresses.
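The blocking rules on this slide expressed as one classification function, as an added Python example that is not part of the presentation. The firewall addresses, the internal network (a public documentation range, since the slide's RFC 1918 rule blocks private source addresses in both directions) and the packet fields are constructed; a result of None means no rule matched.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: the firewall's own addresses and the routable
# network behind it.
FIREWALL_ADDRS = {ipaddress.ip_address("198.51.100.1"),
                  ipaddress.ip_address("203.0.113.1")}
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    direction: str                # "in" (toward the protected network) or "out"
    src: str
    dst: str
    proto: str = "tcp"            # "tcp", "udp" or "icmp"
    dport: int = 0
    source_routed: bool = False   # IP source-routing option present
    authenticated: bool = False   # source system authenticated to the firewall


def block_reason(p):
    """Return the slide's rule that blocks the packet, or None to pass it."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    inbound = p.direction == "in"
    if inbound and not p.authenticated and dst in FIREWALL_ADDRS:
        return "unauthenticated traffic to the firewall itself"
    if inbound and any(src in n for n in INTERNAL_NETS):
        return "inbound packet claiming an internal source address"
    if inbound and p.proto == "icmp":
        return "inbound ICMP"
    if any(src in n for n in RFC1918):
        return "RFC 1918 private source address"
    if inbound and not p.authenticated and p.proto == "udp" and p.dport in (161, 162):
        return "unauthenticated SNMP"
    if inbound and p.source_routed:
        return "IP source routing option"
    if src.is_loopback or dst.is_loopback:
        return "127.0.0.1 address"
    if src.is_unspecified or dst.is_unspecified:
        return "0.0.0.0 address"
    if any(dst == n.broadcast_address for n in INTERNAL_NETS):
        return "directed broadcast"
    return None
```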

23
Network Intrusion Detection Systems
Bo Cheng, Email: bcheng@ccu.edu.tw, Tel:
05-272-0411 Ext. 33512
24
IDS History
http://www.securityfocus.com/infocus/1514
25
Types of IDS (Information Source)
http://www.networkintrusion.co.uk/ids.htm
26
Complement IDS Tools
Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml
27
IDS Life Cycle
Installation
28
IDS Market Forecast (I)
Source: IDC, 2001
29
IDS Market Forecast (II)
Source: IDC, 2001
30
When Firewall Meets IDS
  • Validate firewall configuration
  • Detect attacks that the firewall allows to pass
    through (such as attacks against web servers).
  • Catch insider hacking
  • Access Control
  • NAT
  • Prevent the attacks

31
NIDS Deployments
  • Sensor position 1:
    • See all outside attacks to help forensic
      analysis
  • Sensor position 2 (DMZ):
    • Identify DMZ-related attacks
    • Spot outside attacks that penetrate the
      network's perimeter
    • Avoid outside attacks on the IDS itself
    • Highlight external firewall problems with the
      policy/performance
    • Pinpoint compromised servers via outgoing
      traffic
  • Sensor position 3:
    • Increase the possibility of recognizing attacks.
    • Detect attacks from insiders or authorized users
      within the security perimeter.
  • Sensor position 4:
    • Observe attacks on critical systems and
      resources
    • Provide cost effective solutions
  • Mode:
    • Tap
    • SPAN (Mirror)
    • Port Clustering
    • In-Line
4
32
Detection Engine Analysis
33
The Detection Results
  • Annoy
  • Crying wolf
  • Tuning
  • Prevention?
  • Wire-speed performance
  • Mis-configuration
  • Poor detection engine
  • IDS Evasion

34
IDS Responses After Detection
Passive Responses
Active Responses
Source: NIST
35
Check Point - Open Platform for Secure Enterprise
Connectivity (OPSEC)
NFR and RealSecure support FW-1_sam (Suspicious
Activity Monitoring) and FW1_ela (Event Logging API)
36
Gateway IDS (GIDS) and Host Intrusion Prevention
(HIP)
GIDS: may inadvertently block legitimate traffic
HIP: ineffective against denial-of-service attacks
Vendor acquisitions: OneSecure -> NetScreen; Okena ->
Cisco; Entercept and IntruVert -> Network Associates
http://www.cio.com/archive/061503/et_article.html
37
NIDS Market Predictions Head to Head
  • By year end 2004, advances in non-signature
    based intrusion detection technology will enable
    network-based intrusion prevention to replace 50%
    of established IDS deployments and capture 75% of
    new deployments.
  • By end of 2003, 90% of IDS deployments will fail
    when false positives are not reduced by 50%.

38
IDS Balancer
  • Top Layer IDS Balancer
  • Radware FireProof

[Figure: GigaBit SX Tap; Fiber Tap]
  • Availability
  • Scalability
  • ROI
  • Cost-effective (reduce sensors while increasing
    intrusion coverage)