Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Network Research Group ITB Security Issues Onno W. Purbo Computer Network Research Group Institute of Technology Bandung

Similar presentations


Presentation on theme: "Computer Network Research Group ITB Security Issues Onno W. Purbo Computer Network Research Group Institute of Technology Bandung"— Presentation transcript:

1 Computer Network Research Group ITB Security Issues Onno W. Purbo Computer Network Research Group Institute of Technology Bandung

2 Computer Network Research Group ITB Perspective... l less then 200 security incident in l about 400 in l about 1400 in l estimated more than 2241 in l Nobody knows the correct statistics on how many attacks are actually detected by the sites broken into.

3 Computer Network Research Group ITB Layout Firewall

4 Computer Network Research Group ITB What are you trying to protect? l Your Data. l Your Resources. l Your Reputation.

5 Computer Network Research Group ITB What Are You Trying To Protect Against? l Type of attacks l Intrusion. l Denial of Service. l Information Theft.

6 Computer Network Research Group ITB Type of Attackers l Joyriders. l Vandals. l Score Keepers. l Spies (Industrial & Otherwise). l Stupidity & Accidents.

7 Computer Network Research Group ITB How Can You Protect Your Site l No Security. l Security Through Obscurity. l Host Security. l Network Security. l No Security Model Can Do It All.

8 Computer Network Research Group ITB What Can A Firewall Do? l A firewall is a focus for security decisions. l A firewall can enforce security policy. l A firewall can log Internet activity efficiently. l A firewall limits your exposure.

9 Computer Network Research Group ITB What Can’t A Firewall Do? l A firewall can’t protect you against malicious insiders. l A firewall can’t protect you against connections that don’t go through it. l A firewall can’t protect against completely new threats. l A firewall can’t protect against viruses.

10 Computer Network Research Group ITB List of A Must Secure Internet Services l Electronic mail (SMTP). l File Transfer (FTP). l Usenet News (NNTP). l Remote Terminal Access (Telnet). l World Wide Web Access (HTTP). l Hostname / Address lookup (DNS).

11 Computer Network Research Group ITB Security Strategies. l Least Privilege. l Defense in Depth (multiple security mechanism). l Choke Point forces attackers to use a narrow channel. l Weakest Link. l Fail-Safe Stance. l Diversity of Defense. l Simplicity.

12 Computer Network Research Group ITB Building Firewalls

13 Computer Network Research Group ITB Some Firewall Definitions l Firewall –A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks. l Host –A computer system attached to a network.

14 Computer Network Research Group ITB Firewall Def’s Cont’.. l Bastion Host –A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. l Dual-homed host –A general-purpose computer system that has at least two network interfaces (or homes).

15 Computer Network Research Group ITB Firewall Def’s Cont... l Packet. –The fundamental unit of communication on the Internet. l Packet filtering. –The action a device takes to selectively control the flow of data to and from a network. l Perimeter network. –a network added between a protected network and external network, to provide additional layer of security.

16 Computer Network Research Group ITB Firewall Def’s Cont... l Proxy Server –A program that deals with external servers on behalf of internal clients. Proxy client talk to proxy servers, which relay approved client requests on to real servers,and relay answer back to clients.

17 Computer Network Research Group ITB Packet Filtering

18 Computer Network Research Group ITB Proxy Services

19 Computer Network Research Group ITB Screened Host Architecture

20 Computer Network Research Group ITB De-Militarized Zone Architecture

21 Computer Network Research Group ITB DMZ With Two Bastion Hosts

22 Computer Network Research Group ITB It’s OK l Merge Interior & Exterior Router l Merge Bastion Host & Exterior Router l Use Mutiple Exterior Router l Have Multiple Perimeter Network l Use Dual -Homed Hosts & Screened Subnets

23 Computer Network Research Group ITB It’s Dangerous l Use Multiple Interior Router l Merge Bastion Host and Interior Router

24 Computer Network Research Group ITB Private IP Address l Use within Internal Network l Reference RFC 1597 l IP address alocation: –Class A:10.x.x.x –Class B: x.x x.x –Class C: x x

25 Computer Network Research Group ITB Bastion Host l It is our presence in Internet. l Keep it simple. l Be prepared for the bastion host to be compromised.

26 Computer Network Research Group ITB Special Kinds of Bastion Hosts l Nonrouting Dual-Homed Hosts. l Victim Machine. l Internal Bastion Hosts.

27 Computer Network Research Group ITB Choosing A Bastion Host l What Operating System? –Unix l How Fast a Machine? –386-based UNIX. –MicroVAX II –Sun-3

28 Computer Network Research Group ITB Proxy Systems l Why Proxying? –Proxy systems deal with the insecurity problems by avoiding user logins on the dual- homed host and by forcing connections through controlled software. –It’s also impossible for anybody to install uncontrolled software to reach Internet; the proxy acts as a control point.

29 Computer Network Research Group ITB Proxy - Reality & Illusion

30 Computer Network Research Group ITB Advantages of Proxying l Proxy services allow users to access Internet services “directly” l Proxy services are good at logging.

31 Computer Network Research Group ITB Disadvantages of Proxying l Proxy services lag behind non-proxied services. l Proxy services may require different servers for each service. l Proxy services usually require modifications to clients, procedures, or both. l Proxy services aren’t workable for some services. l Proxy services don’t protect you from all protocol weaknesses.

32 Computer Network Research Group ITB Proxying without a Proxy Server l Store-and-Forward services naturally support proxying. l Examples: – (SMTP). –News (NNTP). –Time (NTP).

33 Computer Network Research Group ITB Internet Resources on Security Issues

34 Computer Network Research Group ITB WWW Pages l l

35 Computer Network Research Group ITB Mailing Lists l –ftp://ftp.greatcircle.com/pub/firewalls/ –http://www.greatcircle.com/firewalls/ l l –ftp://net.tamu.edu/pub/security/lists/academic- firewalls l

36 Computer Network Research Group ITB Newsgroups l comp.security.announce. l comp.security.unix. l comp.security.misc. l comp.security.firewalls. l alt.security. l comp.admin.policy. l comp.protocols.tcp-ip. l comp.unix.admin. l comp.unix.wizards

37 Computer Network Research Group ITB Summary l In these dangerous times, firewalls are the best way to keep your site secure. l Although you’ve got to include other tipes of security in the mix, if you’re serious about connecting to the Internet, firewall should be at the very center of your security plans.


Download ppt "Computer Network Research Group ITB Security Issues Onno W. Purbo Computer Network Research Group Institute of Technology Bandung"

Similar presentations


Ads by Google