Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security of Information Systems Network Defense

Similar presentations

Presentation on theme: "Security of Information Systems Network Defense"— Presentation transcript:

1 Security of Information Systems Network Defense
Dr. Igor Santos

2 Contents Firewalls IDS VPN Types of firewall Netfilter/IPTables NIDS
Packet filtering vs. Application filtering 'Stateless' vs. ‘Stateful' Netfilter/IPTables IDS NIDS HIDS VPN

3 Firewalls

4 Firewalls A system that filters traffic between networks it, at least two of them It can be a physical device or a software running on an operating system A device with two or more network interfaces where filtering rules are established and with them decides whether a connection can be established or not

5 Firewalls A firewall system contains a set of default rules for:
Authorize the connection (allow) Block the connection (deny) Reject the connection request without informing to the sender (deny / ignore)

6 Firewalls Types regarding functionality Network layer packet filtering
It works at the network layer (layer 3) Often also allow filtering at the transport level (level 4) or data link layer (Layer 2) Application Layer It works at the application level (level 7) Application Proxy firewall Eg HTTP Traffic - filtered by URL → PROXY

7 Firewalls Application Presentation Session Transport Network Link
Physical HTTP URL Application Layer Firewall Protocol+Port IP Packet filtering Firewall MAC

8 Firewalls Software Firewalls
Software that runs over a general-puropose software Advantages Highly customizable Settings Inexpensive flexible and omnipresent hardware Disadvantages Difficult to fortify Several require specific hardware

9 Firewalls Hardware firewall It consists of a black box or 'appliance'
Advantages It offers more security (Depending on the reliability of the manufacturer) Disadvantages More expensive Less flexible / customizable

10 Firewalls Scheme of typical firewall between local network and internet

11 Firewalls Scheme firewall between LAN and internet with DMZ zone for exposed servers

12 Firewalls Scheme of a firewall between LAN and internet with DMZ zone for exposed servers created with double firewall (perimeter)

13 Firewalls ‘Stateless’ firewalls
Analyzes network traffic and filters packets based on source and destination addresses and other static values ​​(network layer - level 3) Doesn’t process patterns or data streams Uses simple rules

14 Firewalls It does not understand the concept of TCP connection
It does not take into account the possibility of receiving a package that claims to be something that has not been asked Eg: ACK from source port 80 to port 22 Examples of 'stateless’ firewall rules : Allow IP packets with network source / 8 Allow UDP packets with destination port 53

15 Firewalls ‘Statefull’ firewalls
It does understand the concept of TCP connection The conditions of the rules can be specified in terms of connections, not only in terms of packets For example: Allow related packets through established connections from the internal network Allow incoming connections to port 80 (http)

16 Firewalls Security Policies Deny is the safest Deny Accept
The default is to deny all except those communications that expressly authorized Accept They accept and reject all explicitly forbidden communications Deny is the safest However, it requires a precise and restrictive communication

17 Firewalls Netfilter/IPTables ‘Statefull' packet filtering firewall
Netfilter is the part in the kernel and is responsible for packet filtering Iptables is the user tool to manage Netfilter Firewalls created this way, are just shell scripts with many calls to the iptables command

18 Firewalls iptables: Usage
iptables receives a packet, analyzes their headers and sends it to one of their treatment chaing Once the package is in a chain, the rules and policies of that chain are checked and once one is satisfied, the associated action is executed (typically ACCEPT, REJECT or DROP) The order in which rules are written is very important If the package does not meet the first rule, the next is checked

19 Firewalls The changes performed in iptables are not permantly stored in any file The rules must be written in a shell script and run it at startup

20 Firewalls Three important chains
INPUT: incoming packets whose destination address our firewall and are not modified by cortafuegos y no son modificados por NAT OUTPUT: output packets FORWARD: packets with no source nor destination the firewall itself, but pass through the firewall, and can be modified or not (eg doing NAT: Network Address Translation)

21 Firewalls Very simplified diagram of what happens when a packet arrives to iptables

22 Firewalls Example A TCP packet arrived to the 80 port for our machine
iptables sends this pakect to the INPUT chain, because it is an input packet for our machine In the INPUT chain, there is no defined rule for the port number 80, so the policy of INPUT is applied, which is DROP (discard)

23 Firewalls Set the default policy (ACCEPT or DROP) for one chain (INPUT, OUTPUT, FORWARD) iptables -P INPUT DROP iptables -P OUTPUT ACCEPT

24 Firewalls -d:I P of the destiny machine of a packet
Parameters to add rules to a chain -A: adds a rule to a chain (at the end) -s: IP of the source machine of a packet -d:I P of the destiny machine of a packet -i: interface through which the packet arrives -o: interface through which the packet is sent

25 Firewalls -p: IP protocol of the packet (tcp, udp, icmp)
--sport: origin port of paquete --dport: destination port of paquete -j: determines that to do with packets that match a rule ACCEPT DROP REJECT -L: displays the current firewall rules

26 Firewalls - Examples Allow access to our web server
iptables -A INPUT -p TCP --dport 80 -j ACCEPT Allow access to our FTP server iptables -A INPUT -p TCP --dport 21 -j ACCEPT Add a rule to deny all the output packets directed to the IP iptables -A OUTPUT -d j DROP

27 Firewalls - Examples Add a rule so our machine cannot be pinged
iptables -A INPUT -p icmp -j DROP Allow the machine with IP connect with our machine through SSH iptables -A INPUT -s p TCP --dport 22 -j ACCEPT iptables -A OUTPUT -d p TCP --sport 22 -j ACCEPT

28 Firewalls - Examples Tutorial

29 Intrusion Detection System

30 Intrusion Detection System - IDS
IDS: Intrusion Detection System Program used to detect the unauthorized accesses to a computer or a network It is based in network traffic analysis They usually have a database of patterns or signatures of known attacks It neither protects or filters, only detects

31 Intrusion Detection System - IDS
2types: Network Intrusion Detection System (NIDS) Host-Based Intrusion Detection System (HIDS)

32 Network Intrusion Detection System
NIDS Use packet sniffers (sensors) to capture network traffic The content of each packet is analyzed for malicious patterns The sensors are usually located at critical points in the network that have to be monitored: The DMZ Network Endpoints

33 Network Intrusion Detection System
PRE-PROCESSOR PRE-PROCESSOR Notify Opmitized packet for the engine Rule Engine SNIFFER Network Traffic Read the traffic Alert detected Store in DB or plain text Filter attacker IP in the firewall (IPS) Search for a pattern A pattern matches RULES

34 Network Intrusion Detection System
Ejemplo NIDS: Snort Example NIDS: Snort It works as a network sniffer Detects attacks on the basis of a set of rules Save the alerts in a database mysql

35 Network Intrusion Detection System
Managing and viewing alerts ACID - Analysis Console for Intrusion Databases

36 Host-Based Intrusion Detection System
HIDS The sensor consists of a software agent that monitors all the activity on the host on which it is installed Search local information sources on the host, such as system logs User Sessions Privileged user activities Changes to the file system ...

37 Host-Based Intrusion Detection System
Ejemplo HIDS: OSSEC Free, open source host-based intrusion detection system (HIDS) Performs log analysis, integrity checking, Windows registry monitorizacón, rootkit detection, real-time alerts, ... Available for Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows

38 Intrusion Detection System - IDS
Problemas IDS False positives and false negatives Its effectiveness depends largely on its configuration They are not easy to implement Falsos positivos y falsos negativos

39 Other approaches Otros enfoques
IPS (Intrusion Prevention System): besides detection, it takes action Event Correlator: safety knowledge inferred from IDS, IPS, firewalls, AV, etc..

40 Other approaches

41 VPN - Virtual Private Network

42 VPN VPN: Virtual Private Network
Technology that allows to implement a local area network (LAN) within a wide area network (Internet, for example) securely It requires Encapsulated traffic (IP over TCP, for example) Traffic Encryption Traffic compression

43 VPN Advantages Comfortable for end users Cheaper than a dedicated node
High level of scalability (eg going from 2-10 nodes) Security

44 VPN disadvantages Overload on the client side (encapsulation, encryption, data compression) Less reliable than a dedicated node More complex credential management (certificates) The VPN server can easily suffer DoS attacks (by overloading cryptograpy)

45 VPN VPN types Remote access VPN (“road warriors”) Point to point VPN
Remote and disperse clients connected to a corporate LAN through a VPN server Point to point VPN Two or more nodes remotely interconnected to the Internet through encrypted tunnels VPN over LAN Implements a secure LAN within a LAN which is considered unsafe (eg Academic Management network within the University network)

46 VPN Typical protocolos
PPTP: Point-to-Point Tunneling Protocol L2F: Layer-2 Forwarding (CISCO) L2TP: Layer-2 Tunneling Protocol IPSec: Internet Protocol Security SSL/TLS: Secure Sockets Layer/Transport Layer Security SSH: Secure Shell The de facto standard is IPSec, although the others are used to be more straightforward to implement

47 Proxy Socks withSSH Encrypted Tunnels with SSH SSH (Secure Shell)
Encrypts every connection Allows port-forwarding It is possible to create encrypted tunnels for insecure protocols Example: HTTP HTTP traffic is encapsulated into SSH protocol All HTTP traffic is encrypted

48 Proxy Socks with SSH Tools putty (windows) ssh (Unix)
ssh (Unix) aptitude install ssh

49 Proxy Socks with SSH

50 Proxy Socks with SSH HACER DEMO Ssh en casa

51 Proxy Socks with SSH

52 Proxy Socks with SSH Client configuration of putty

53 Proxy Socks with SSH

54 Proxy Socks with SSH Firefox configuration

55 References Images

Download ppt "Security of Information Systems Network Defense"

Similar presentations

Ads by Google