Lecture 7: Network & ISP security
Firewall: Simple packet-filters
• Simple packet-filters evaluate packets based solely on IP headers.
• Source-IP spoofing attacks generally aren't blocked by packet-filters, and since allowed packets are literally passed through the firewall, packets with "legitimate" IP headers but dangerous data payloads (as in buffer-overflow attacks) can often be sent intact to "protected" targets.
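A header-only filter written out as an added example (not part of the original slides); the rule table, addresses and the ingress_checked_filter function are constructed assumptions. It shows that the verdict never reads the payload and trusts the claimed source address, and that checking the arrival interface closes the second gap.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # source IP as claimed in the header (never verified)
    dst: str
    proto: str
    dport: int
    iface: str          # arrival interface: "outside" or "inside"
    payload: bytes = b""

# Constructed rule set: (source net, destination net, proto, dport, action)
RULES = [
    ("10.0.0.0/8", "192.0.2.25/32", "tcp", 25, "allow"),  # internal hosts -> mail relay
    ("0.0.0.0/0", "192.0.2.80/32", "tcp", 80, "allow"),   # anyone -> web server
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def simple_filter(pkt):
    """First-match verdict from header fields only; pkt.payload is never read."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, proto, dport, action in RULES:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and pkt.proto == proto and pkt.dport == dport):
            return action
    return "deny"  # default deny when no rule matches

def ingress_checked_filter(pkt):
    """Same rules, preceded by an anti-spoofing check on the arrival interface."""
    if pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in INTERNAL:
        return "deny"  # an internal source address cannot legitimately arrive from outside
    return simple_filter(pkt)

# Constructed sample packets
normal = Packet("198.51.100.7", "192.0.2.80", "tcp", 80, "outside", b"GET / HTTP/1.0\r\n\r\n")
oversized = Packet("198.51.100.7", "192.0.2.80", "tcp", 80, "outside", b"A" * 4096)
claims_internal = Packet("10.1.2.3", "192.0.2.25", "tcp", 25, "outside")

if __name__ == "__main__":
    for name, pkt in [("normal", normal), ("oversized", oversized),
                      ("claims_internal", claims_internal)]:
        print(name, simple_filter(pkt), ingress_checked_filter(pkt))
```

The oversized request gets the same verdict as the normal one under both filters, because neither looks past the headers; inspecting the payload is the job of the application-layer proxy.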
Stateful packet filtering
Application-layer proxies
• A proxying firewall acts as an intermediary in all transactions that traverse it (see figure).
• Proxying firewalls are often called "application-layer" proxies because, unlike other types of proxies that enhance performance but not necessarily security, proxying firewalls usually have a large amount of application-specific intelligence about the services they broker.
Placing Firewall: "Inside Versus Outside" Architecture
• Because public services such as SMTP, DNS, and HTTP must either be sent through the firewall to internal servers or hosted on the firewall itself, the risk of server compromise is increased.
• As a result, the DMZ (DeMilitarized Zone) network is used.
The "Three-Homed Firewall" DMZ Architecture
A Weak Screened-Subnet Architecture
• Rarely used
• Lack of firewall is the weak point
• Obsolete
A Strong Screened-Subnet Architecture
What Do ISPs Need to Do?
Security incidents are a normal part of an ISP's operations!
1) ISP's Security Policy
2) Secure Resources: Firewall, Encryption, Authentication, Audit
3) Monitor and Respond: Intrusion Detection, work the incident
4) Test, Practice, Drill: Vulnerability Scanning
5) Manage and Improve: Post Mortem, Analyze the Incident, modify the plan/procedures
Six Phases of Incident Response
PREPARATION
• Prep the network
• Create tools
• Test tools
• Prep procedures
• Train team
• Practice
IDENTIFICATION
• How do you know about the attack?
• What tools can you use?
• What's your process for communication?
CLASSIFICATION
• What kind of attack is it?
TRACEBACK
• Where is the attack coming from?
• Where and how is it affecting the network?
REACTION
• What options do you have to remedy?
• Which option is the best under the circumstances?
POST MORTEM
• What was done?
• Can anything be done to prevent it?
• How can it be less painful in the future?
The Old World: Router Perspective
• Policy enforced at process level (VTY ACL, SNMP ACL, etc.)
• Some early features such as ingress ACL used when possible
[Figure labels: "untrusted"; telnet, snmp; Attacks, junk; Router CPU]
The New World: Router Perspective
• Central policy enforcement, prior to process level
• Granular protection schemes
• On high-end platforms, hardware implementations
[Figure labels: "untrusted"; telnet, snmp; Attacks, junk; Protection; Router CPU]
Secure Routing: Route Authentication
Configure Routing Authentication
[Figure labels: Signs Route Updates; Verifies Signature; Campus; Signature, Route Updates]
Certifies Authenticity of Neighbor and Integrity of Route Updates
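The sign-and-verify exchange from this slide, as an added example that is not from the original slides: HMAC-SHA256 over a JSON-encoded update stands in for whatever keyed signature the routing protocol uses, and the neighbor names, keys and prefixes are constructed.

```python
import hashlib
import hmac
import json

# Constructed per-neighbor shared secrets held by the receiving router
NEIGHBOR_KEYS = {"rtr-a": b"constructed-secret-for-rtr-a"}

def sign_update(key, update):
    """Sender side: serialize the update canonically and attach a keyed tag."""
    body = json.dumps(update, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_update(key, msg):
    """Receiver side: recompute the tag; return the update only if it matches."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):  # constant-time comparison
        return None
    return json.loads(msg["body"])

def receive(table, neighbor, msg):
    """Install a route only if it verifies under the claimed neighbor's key."""
    key = NEIGHBOR_KEYS.get(neighbor)
    if key is None:
        return False                    # unknown neighbor: no key, no trust
    update = verify_update(key, msg)
    if update is None:
        return False                    # wrong key or modified update
    table[update["prefix"]] = update["next_hop"]
    return True

def demo():
    table = {}
    update = {"prefix": "198.51.100.0/24", "next_hop": "192.0.2.1"}
    good = sign_update(NEIGHBOR_KEYS["rtr-a"], update)
    # Same tag, next hop altered in transit (integrity failure)
    altered = {"body": good["body"].replace("192.0.2.1", "203.0.113.66"),
               "tag": good["tag"]}
    # Update signed by a sender that does not hold rtr-a's key (authenticity failure)
    wrong_key = sign_update(b"some-other-key",
                            {"prefix": "203.0.113.0/24", "next_hop": "203.0.113.66"})
    results = [receive(table, "rtr-a", m) for m in (good, altered, wrong_key)]
    return results, table

if __name__ == "__main__":
    print(demo())
```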
Any wall has some weak points