Internet Security: Building a Fortress around your Data


Transcript of Internet Security: Building a Fortress around your Data

Page 1: Internet Security: Building a Fortress around your Data

Network Security No. 1, Seattle Pacific University

Internet Security: Building a Fortress around your Data

Kevin Bolding, Electrical Engineering, Seattle Pacific University

Page 2: Security is a Multi-Faceted Problem

• Keeping the bad guys out of your home: Network Security
• Stopping guests from trashing your place: 1. Don't be stupid 2. Anti-Virus
• Safety when travelling: Encryption

Page 3: Keeping the Bad Guys out

• Who is inside?
  • People
  • Computers
  • Other networked resources
• Who needs to be kept out?
  • People
    • Wanderers
    • Hackers
  • Probe programs

Page 4: A Firewall/Gateway

(Diagram: Internet, Firewall, Gateway)

• A Gateway is the point where data can be transferred between the LAN and the outside world
• The Firewall is the area where no connections are allowed to be made to the outside world
• Our Trusted LAN users would like a connection to the Internet...

Page 5: Security in the whole

(Diagram: Internet, Firewall, Gateway, plus a second Internet path that bypasses the gateway)

• Any data transfer across the firewall outside of the gateway violates its integrity
  • Other Internet connections
  • Flash Drives
  • Laptops
  • Smartphones
• Your security policy must address all of these issues first

Page 6: Gateway Security (Firewalls)

• Firewall components have three basic elements
  • Packet filtering: drops incoming packets from non-authorized hosts
  • Circuit-level gateway: matches incoming packets to internally-generated requests
  • Proxy servers (application gateway): analyzes incoming messages for content
• Firewall implementations may use any combination of the three main elements

Page 7: Packet Filtering

(Diagram: Internet, Firewall, Packet Filtering Router with its "Reject from…" and "Accept from..." lists)

• Router bridges the firewall
  • Checks all packets crossing it
• Works at the network level with IP, so can scan:
  • IP source/destination addresses
  • Protocol (TCP, UDP, etc.)
  • Source/destination TCP ports
    • Telnet: port 23, Http: port 80, etc.
• Can filter on any of the above properties
  • Ex: Disallow all incoming telnet connections to all hosts except 128.95.1.4
  • Ex: Disallow all incoming packets from host 24.1.2.3
  • Ex: Disallow all incoming packets except on TCP port 80 (Http)

Normally the first rule in a packet filter is always Deny All; every other rule is an explicit exception to it, so anything no rule accepts is dropped.
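The slide's three example rules, written out as a first-match packet filter with a Deny All default. This is an added example, not code from the slides; the packet model and the 10.9.8.7 source address are constructed, while 24.1.2.3 and 128.95.1.4 are the slide's own addresses.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """Only the header fields a network-level filter can see (constructed model)."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port; None for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "deny"
    src: Optional[str] = None    # None means "match any value" for that field
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst),
                 (self.proto, p.proto), (self.dport, p.dport))
        return all(want is None or want == got for want, got in pairs)

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet no rule accepts falls through to Deny All."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

# The slide's three examples as one ordered rule list.
SLIDE_RULES = [
    Rule("deny", src="24.1.2.3"),                             # nothing at all from 24.1.2.3
    Rule("accept", dst="128.95.1.4", proto="tcp", dport=23),  # telnet only to 128.95.1.4
    Rule("accept", proto="tcp", dport=80),                    # Http to any host
]   # telnet to any other host, and every other protocol/port, hits the Deny All default

if __name__ == "__main__":
    for pkt in (Packet("24.1.2.3", "128.95.1.4", "tcp", 80),   # deny: the host rule comes first
                Packet("10.9.8.7", "128.95.1.4", "tcp", 23),   # accept: the telnet exception
                Packet("10.9.8.7", "128.95.1.9", "tcp", 23),   # deny: telnet elsewhere
                Packet("10.9.8.7", "128.95.1.9", "udp", 53)):  # deny: not TCP port 80
        print(pkt, "->", filter_packet(SLIDE_RULES, pkt))
```

Rule order matters: if the port-80 accept came before the 24.1.2.3 deny, web packets from that host would slip through.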

Page 8: Pros/Cons of Packet Filtering

• Pros:
  • You need a router anyway
  • Most routers support packet filtering
  • Provides good security when set up properly
• Cons:
  • The IP header is the only basis for filtering
  • Often filters too much
    • Have to trade security for convenience
  • Very difficult to set up the right filters
  • Need to change filtering as network needs change

Page 9: Circuit Level Firewalls - TCP

• Packet filtering is often too rigid
  • Allows or denies access for broad classes for all time
• Circuit Level Filtering
  • Takes advantage of TCP connections
  • Insider (trusted) sets up TCP connection with outside host
  • Filter allows incoming packets from that outside host as long as they belong to the original TCP connection

Circuit Level Filtering works at the Transport Layer, while Packet Filtering works at the Network Layer

Page 10: Circuit Level Firewalls - UDP

• Dynamic Packet Filtering
  • Packet filtering that relies on TCP port numbers and connection state won't work with UDP packets, since UDP has no connections
    • Either allow all UDP accesses or disable all of them
  • Dynamic Packet Filtering keeps track of "connections" for UDP packets
    • Matches requests from inside with outside responses
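A small connection-tracking filter covering both Page 9 (TCP circuits opened by an insider) and Page 10 (dynamic "connections" for UDP, expired after a timeout). This is an added example rather than the slides' own code; the LAN prefix, the 30-second UDP timeout and the outside addresses are constructed assumptions, and teardown is simplified to a single FIN.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

LAN_PREFIX = "128.95.1."   # constructed: addresses of our trusted insiders
UDP_TIMEOUT = 30.0         # constructed: seconds a UDP "connection" lives without traffic

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP only: this segment opens a connection
    fin: bool = False   # TCP only: this segment closes it

ConnKey = Tuple[str, int, str, int, str]   # (inside ip, inside port, outside ip, outside port, proto)

class CircuitLevelFilter:
    """Inbound packets pass only if they belong to a connection an insider started."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, float] = {}   # connection -> time of its last packet

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith(LAN_PREFIX)

    def handle(self, p: Packet, now: float) -> str:
        if self.is_inside(p.src):                        # outbound: insiders are trusted
            key = (p.src, p.sport, p.dst, p.dport, p.proto)
            # a TCP SYN opens a tracked connection; any UDP datagram opens a pseudo-connection
            if p.proto == "udp" or p.syn or key in self.table:
                self.table[key] = now
            return "accept"
        key = (p.dst, p.dport, p.src, p.sport, p.proto)  # inbound: look up the reverse direction
        last = self.table.get(key)
        if last is None:
            return "deny"                                # nobody inside asked for this
        if p.proto == "udp" and now - last > UDP_TIMEOUT:
            del self.table[key]                          # stale UDP pseudo-connection
            return "deny"
        if p.fin:
            del self.table[key]                          # simplified: one FIN ends tracking
        else:
            self.table[key] = now
        return "accept"
```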

Page 11: Hidden Networks - Network Address Translation

• NAT allows you to hide your network from public view
  • Converts internal IP addresses to one or more external IP addresses
  • Public cannot determine information about your internal network
  • Intruders can't target individual machines because they don't know they exist
• NAT enables IP address sharing
  • One external address, many internal devices
  • NAT box must keep track of connections
  • Connections must be initiated by devices inside the firewall
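The two halves of the NAT box described above (address sharing and hiding) in one model: outbound packets get the single external address and a freshly allocated port, replies are mapped back to the insider that started the connection, and anything nobody inside asked for is dropped. Added example, not the slides' code; the 203.0.113.7, 198.51.100.5 and 192.168.1.x addresses and the 40000 starting port are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    """Shares one external address among many internal devices (constructed model)."""

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        # outbound: (internal ip, internal port, remote ip, remote port) -> external port
        self.out: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: (external port, remote ip, remote port) -> (internal ip, internal port)
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an insider's packet so the outside world sees only the external address."""
        key = (p.src, p.sport, p.dst, p.dport)
        port = self.out.get(key)
        if port is None:                        # first packet of a new connection: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.external_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map a reply back to the insider that started the connection; drop anything else."""
        target = self.back.get((p.dport, p.src, p.sport))
        if target is None:
            return None                         # no insider initiated this, so it goes nowhere
        return replace(p, dst=target[0], dport=target[1])

if __name__ == "__main__":
    nat = NatBox("203.0.113.7")
    a = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.5", 80))
    b = nat.outbound(Packet("192.168.1.11", 5000, "198.51.100.5", 80))
    print(a, b)                                 # same external IP, different external ports
    print(nat.inbound(Packet("198.51.100.5", 80, "203.0.113.7", b.sport)))  # back to .11:5000
    print(nat.inbound(Packet("198.51.100.5", 22, "203.0.113.7", 22)))       # None: dropped
```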

Page 12: One Box to Rule them All!

• A Broadband Router Typically Contains
  • A 4-Port Ethernet Switch
  • A Wireless Access Point
  • Packet-Filtering Capabilities
  • NAT for Sharing and Hiding
  • DHCP Server
• This device will shield your network from almost all non-invited threats
• Most remaining threats are from Trojan Horse schemes or software bugs

Page 13: Application Level Firewalls

• Circuit- and Packet-Level Firewalls deal only with information in the TCP and IP headers
  • What about Content?
• Application Level Firewalls examine the content of incoming messages
  • Pass on only those that meet strict requirements
• At the application level, everything is possible...
  • Passwords/Account names are visible
  • Content screening/virus scanning can be done
• Application level host must be a Bastion Host
  • Hardened version of OS

Page 14: Application Level - Proxy Servers

(Diagram: Internet, Firewall, Proxy Client, Proxy Server, Analysis)

• Force all communication across a gateway through proxies
  • Proxy web servers, email servers, telnet clients, etc.
• Proxy Server portion of gateway communicates with insiders
• Proxy Client portion of gateway communicates with outsiders
• Any communication between client and server must undergo analysis

Page 15: A Full System Using a DMZ

(Diagram: Internet, outer Packet Filtering Router, DMZ holding the Bastion Host (Proxy) and Information Servers, inner Packet Filtering Router, Firewall)