Network Perimeter Security Yu Wang. Main Topics Border Router Firewall IPS/IDS VLAN SPAM AAA Q/A.


Page 1: Network Perimeter Security

Yu Wang

Page 2: Main Topics

• Border Router

• Firewall

• IPS/IDS

• VLAN

• SPAM

• AAA

• Q/A

Page 3: Border Router

• Gate to the Internet

• First and last line of defense

• Role of a router

– Designed to route packets

– Operates primarily on layer 3

– Able to filter packets using Access Control Lists

• Limitations on network security control

Page 4: Router ACL

• Standard ACL (layer 3)

– access-list 1 permit 168.223.0.0 0.0.255.255

– access-list 2 deny 192.168.0.0 0.0.0.255

• Extended ACL (layer 3, 4)

– access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www

– access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log

– access-list 101 deny ip any any
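The extended ACL 101 above, evaluated the way the router evaluates it: top-down, first match wins, and an implicit deny if no entry matches. This is an added Python illustration, not code from the slides; Ace, wildcard_match and evaluate are assumed names, and "eq www" is transcribed as destination port 80.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'.
    0.0.0.0 is the 'host' keyword, 255.255.255.255 is 'any'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; dport None means 'any destination port'."""
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None
    log: bool = False


# access-list 101 from the slide, transcribed entry by entry (host = 0.0.0.0 mask, any = 255.255.255.255 mask)
ACL_101 = [
    Ace("permit", "tcp", "168.223.0.0", "0.0.255.255", "128.186.6.14", "0.0.0.0", dport=80),
    Ace("deny", "tcp", "192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", log=True),
    Ace("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def evaluate(acl, proto: str, src: str, dst: str, dport: int):
    """Walk the list top-down; the first matching entry decides.
    If nothing matches, the router applies its implicit 'deny ip any any' (not logged)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.log
    return "deny", False


if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "168.223.5.9", "128.186.6.14", 80))   # ('permit', False)
    print(evaluate(ACL_101, "tcp", "192.168.0.7", "10.0.0.1", 22))       # ('deny', True)
    print(evaluate(ACL_101, "tcp", "168.223.5.9", "128.186.6.14", 443))  # ('deny', False)
```

Note that a 168.223.x.x client reaching the same web host on port 443 falls past the permit entry and is caught by the final explicit deny, which is why the order of entries matters.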

Page 5: Firewall

• What is a firewall

– A network device designed to filter packets

– A software application developed to do the same function

• Firewall operates on layer 3 – 7

• Firewall is stateful

– If a packet is allowed to pass, an entry is added to the state table

Page 6: TCP States

Page 7: TCP States

Page 8: Firewall Stateful Operations

• State Table

– TCP out 67.76.135.17:26944 in 128.186.120.4:993 idle 23:27:42 bytes 333091 flags UfFIOB

– TCP out 71.229.26.75:60849 in 128.186.120.56:22 idle 2:26:47 bytes 2074496 flags UIOB

– ICMP out 192.168.25.15:512 in 128.186.120.179:0 idle 0:00:00 bytes 2048

– UDP out 64.70.24.76:53 in 128.186.120.179:1110 idle 0:00:00 flags –

• Stateful filtering – layer 4 and lower

• Stateful Inspection – all layers
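The stateful behaviour these two slides describe (a packet that is allowed creates a state-table entry, and later packets of that connection in either direction pass on the state entry alone), as an added Python illustration that is not from the slides. The inside network 128.186.120.0/24 and the inbound-service policy are constructed assumptions modelled on the two inside servers visible in the state table above; Packet, StatefulFirewall and allow_new are assumed names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a connection attempt


# Constructed policy for *new* connections: inside hosts may open anything outbound;
# from outside only the two inside services seen in the slide's state table (SSH, IMAPS).
INSIDE = ipaddress.ip_network("128.186.120.0/24")
INBOUND_SERVICES = {("tcp", "128.186.120.56", 22), ("tcp", "128.186.120.4", 993)}


def allow_new(pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) in INSIDE:
        return True
    return (pkt.proto, pkt.dst, pkt.dport) in INBOUND_SERVICES


class StatefulFirewall:
    def __init__(self):
        self.table = {}   # connection key -> packets seen on that connection

    @staticmethod
    def key(pkt: Packet):
        # One key covers both directions of a flow: order the endpoints canonically.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def process(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if k in self.table:                 # known connection: pass without a rule lookup
            self.table[k] += 1
            return "pass"
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"                   # TCP with no state and no SYN belongs to no connection
        if allow_new(pkt):
            self.table[k] = 1               # allowed to pass: entry added to the state table
            return "pass"
        return "drop"


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.process(Packet("tcp", "71.229.26.75", 60849, "128.186.120.56", 22, syn=True)))  # pass
    print(fw.process(Packet("tcp", "128.186.120.56", 22, "71.229.26.75", 60849)))            # pass
    print(fw.process(Packet("tcp", "71.229.26.75", 60849, "128.186.120.56", 25, syn=True)))  # drop
```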

Page 9: Firewall Product Examples

• Hardware firewall

– CISCO PIX firewall

– Home router firewall

• Software firewall

– iptables – Linux

– IPFilter – Solaris

– Windows XP

Page 10: IPS/IDS

• Intrusion Prevention/Detection System

– Firewall is good at packet filtering but weak in layer 7 inspection

– IPS/IDS operates on layers 2-7

– IPS can do application protection, performance protection, and infrastructure protection

– It uses specialized network devices and a database of known attack signatures

Page 11: IPS/IDS

• IPS examples

– TippingPoint UnityOne IPS

• Uses “Digital Vaccine” to effectively block viruses/worms, spyware, phishing, P2P, DDoS

• Does not replace the firewall

Page 12: IPS/IDS

• IPS examples

– Packeteer Traffic Shaper

• Guarantees bandwidth availability for legitimate network traffic

• Controls malicious network traffic

• Better use of existing bandwidth

Page 13: IPS/IDS

• IPS examples

– CISCO ASA

• Uses modular approach

• Simplifies configuration and management

Page 14: IPS/IDS

• IDS examples

– Snort

• An open source solution

• Low budget system suitable for organizational unit level

• Runs on UNIX, Linux, Windows

• Slower compared to ASA, TippingPoint

• More flexible compared to ASA, TippingPoint

Page 15: VLAN

• Virtual LAN is used for resource separation

– Divide a physical network into multiple virtual networks

– Network traffic in one VLAN won’t go to another VLAN by default

– Inter-VLAN traffic must go through a router, where an ACL can be used to filter unwanted flows

Page 16: SPAM Solution

• SPAM and Email virus

– Email is one of the most important network services. SPAM has become a big issue for many organizations

– Many commercial SPAM filtering software packages are available.

– We use GFI MailEssentials and GFI MailSecurity.

• RBL checking, Header checking, Message body checking

• Virus checking, Phishing checking

– Also use SpamAssassin, procmail, ClamAV

– Tumbleweed Mail Email Firewall (MMS)

• Automatic quarantine and user release/deletion function

Page 17: AAA

• Authentication

– Use strong authentication methods

• Kerberos, SSH, PKI

• Authorization

– Define access control

– Harden network resources (servers)

– Separate vulnerable servers from rest of network (DMZ)

• Auditing

– Central log server

– Log analyzer/watcher

Page 18: Questions