
1 NS-H0503-02/11041 Intruder

2 Intruders
Three classes of intruders (hackers or crackers):
–Masquerader
–Misfeasor
–Clandestine user

3 Intrusion Techniques
The system maintains a file that associates a password with each authorized user. The password file can be protected with:
–One-way encryption
–Access control

4 Intrusion Techniques
Techniques for guessing passwords:
–Try default passwords.
–Try all short words, 1 to 3 characters long.
–Try all the words in an electronic dictionary (60,000).
–Collect information about the user’s hobbies, family names, birthday, etc.
–Try the user’s phone number, social security number, street address, etc.
–Try all license plate numbers (MUP103).
–Use a Trojan horse.
–Tap the line between a remote user and the host system.
Prevention: Enforce good password selection (Ij4Gf4Se%f#)
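The prevention line on this slide is easier to apply with a concrete policy check. The following Python function is an added example, not part of the slides: it rejects a proposed password for each of the guessing techniques listed above (default password, short word, dictionary word, personal information). The default-password and dictionary word lists are constructed stand-ins for the real lists, and `user_info` is a hypothetical dictionary of the facts an attacker could collect about the user.

```python
import re

# Constructed stand-ins for the lists the slide refers to (default passwords
# and an electronic dictionary); a real check loads the full lists from disk.
DEFAULT_PASSWORDS = {"admin", "root", "guest", "password", "changeme", "123456"}
DICTIONARY_WORDS = {"dragon", "summer", "monkey", "welcome", "letmein", "password"}

MIN_LENGTH = 8
MIN_CLASSES = 3      # out of: lowercase, uppercase, digit, other
MIN_INFO_LEN = 3     # ignore very short personal-info fragments


def _normalize(text):
    """Lowercase and keep only letters and digits, so 'MUP-103' and 'mup103' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _char_classes(pw):
    """Count how many of the four character classes the password uses."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def password_problems(candidate, user_info=None):
    """Return the reasons a proposed password would fall to the guessing
    techniques on the slide; an empty list means the password is accepted.

    user_info is a hypothetical dict of facts about the user (family names,
    birthday, phone number, license plate, ...) in any format.
    """
    problems = []
    norm = _normalize(candidate)
    if candidate.lower() in DEFAULT_PASSWORDS:
        problems.append("default password")
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if _char_classes(candidate) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    stem = re.sub(r"\d+$", "", norm)          # 'dragon99' -> 'dragon'
    if norm in DICTIONARY_WORDS or stem in DICTIONARY_WORDS:
        problems.append("dictionary word")
    for key, value in (user_info or {}).items():
        info = _normalize(str(value))
        # Personal information used forwards or reversed inside the password.
        if len(info) >= MIN_INFO_LEN and (info in norm or info[::-1] in norm):
            problems.append("contains personal information (%s)" % key)
    return problems


if __name__ == "__main__":
    profile = {"first_name": "Ann", "plate": "MUP103"}   # constructed
    for pw in ("Ij4Gf4Se%f#", "abc", "dragon99", "MUP103!x"):
        print(pw, "->", password_problems(pw, profile) or "accepted")
```

The slide's own example `Ij4Gf4Se%f#` passes every check, while `MUP103!x` is long and mixed enough to satisfy a pure complexity rule yet is still rejected because it embeds the plate number from the profile.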

5 The Stages of a Network Intrusion
1. Scan the network to locate which IP addresses are in use, what operating system is in use, and what TCP or UDP ports are “open” (being listened to by servers).
2. Run “exploit” scripts against open ports.
3. Get access to a shell program which is “suid” (has “root” privileges).
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.

6 Intrusion Detection
–The intruder can be identified and ejected from the system.
–Effective intrusion detection can prevent intrusions.
–Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

7 Profiles of Behavior of Intruders and Authorized Users

8 Intrusion Detection
Statistical anomaly detection
–Threshold detection
–Profile based
Rule based detection
–Anomaly detection
–Penetration identification

9 Measures used for Intrusion Detection
–Login frequency by day and time.
–Frequency of login at different locations.
–Time since last login.
–Password failures at login.
–Execution frequency.
–Execution denials.
–Read, write, create, delete frequency.
–Failure count for read, write, create and delete.
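To show how the measures on this slide feed the two statistical approaches from the previous one, here is an added Python example (not from the slides): it parses a few constructed audit records into per-user counters, applies threshold detection (fixed limits on password failures, execution denials and file-operation failures) and profile-based detection (a login hour compared with the user's historical login hours). The log format, the records, the limits and the baseline profile `BASELINE_HOURS` are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit records in a simple "timestamp key=value ..." format.
LOG = """\
2024-03-01T09:02:11 user=alice event=login result=ok src=10.0.0.5
2024-03-01T09:03:40 user=alice event=exec result=ok cmd=ls
2024-03-01T09:05:02 user=alice event=file op=write result=ok
2024-03-01T17:30:10 user=alice event=login result=ok src=10.0.0.5
2024-03-01T23:41:05 user=bob event=login result=fail src=203.0.113.9
2024-03-01T23:41:12 user=bob event=login result=fail src=203.0.113.9
2024-03-01T23:41:20 user=bob event=login result=fail src=203.0.113.9
2024-03-01T23:41:29 user=bob event=login result=fail src=203.0.113.9
2024-03-01T23:42:00 user=bob event=login result=ok src=203.0.113.9
2024-03-01T23:42:31 user=bob event=exec result=denied cmd=su
2024-03-01T23:42:50 user=bob event=exec result=denied cmd=sudo
2024-03-01T23:43:10 user=bob event=file op=read result=fail
"""

# Constructed historical profile: hours of past successful logins per user.
BASELINE_HOURS = {"alice": [8, 9, 9, 10, 17, 18], "bob": [9, 9, 10, 10, 11, 9]}

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Turn one record into a dict with a datetime under 'ts' plus the key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group(1))}
    for tok in m.group(2).split():
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def measures(lines):
    """Per-user counters mirroring the slide's measure list."""
    per_user = defaultdict(lambda: {
        "login_ok": 0, "login_fail": 0, "login_hours": [], "locations": set(),
        "last_login": None, "exec": 0, "exec_denied": 0, "file_ops": 0, "file_fail": 0})
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = per_user[rec["user"]]
        if rec["event"] == "login":
            if rec["result"] == "ok":
                m["login_ok"] += 1
                m["login_hours"].append(rec["ts"].hour)   # login frequency by time
                m["locations"].add(rec.get("src", "?"))   # login at different locations
                m["last_login"] = rec["ts"]               # time since last login
            else:
                m["login_fail"] += 1                      # password failures at login
        elif rec["event"] == "exec":
            m["exec"] += 1                                # execution frequency
            if rec["result"] == "denied":
                m["exec_denied"] += 1                     # execution denials
        elif rec["event"] == "file":
            m["file_ops"] += 1                            # read/write/create/delete frequency
            if rec["result"] == "fail":
                m["file_fail"] += 1                       # failure count for file operations
    return dict(per_user)


def threshold_alerts(per_user, max_login_fail=3, max_exec_denied=1, max_file_fail=2):
    """Threshold detection: a counter exceeding a fixed limit raises an alert."""
    limits = {"login_fail": max_login_fail, "exec_denied": max_exec_denied,
              "file_fail": max_file_fail}
    return [(user, name, m[name])
            for user, m in sorted(per_user.items())
            for name, limit in limits.items() if m[name] > limit]


def profile_alerts(per_user, baseline_hours, tolerance=2.0):
    """Profile-based detection: flag a login whose hour lies more than
    `tolerance` standard deviations from the user's historical mean hour."""
    alerts = []
    for user, m in sorted(per_user.items()):
        hist = baseline_hours.get(user)
        if not hist or len(hist) < 2:
            continue                      # no profile yet: nothing to compare against
        mean, sd = statistics.mean(hist), statistics.pstdev(hist) or 1.0
        for hour in m["login_hours"]:
            if abs(hour - mean) / sd > tolerance:
                alerts.append((user, "login_hour", hour))
    return alerts


if __name__ == "__main__":
    per_user = measures(LOG)
    print("threshold:", threshold_alerts(per_user))
    print("profile:  ", profile_alerts(per_user, BASELINE_HOURS))
```

With these records, `bob` trips the thresholds for password failures and execution denials, and his successful login at 23:00 is far outside a profile built from daytime logins; `alice`'s two logins fall inside her profile and raise nothing.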

10 Distributed Intrusion Detection
Developed at University of California at Davis

11 Distributed Intrusion Detection

12 Firewall

13 Firewalls
An effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet

14 Firewall Design Principles
Information systems undergo a steady evolution (from small LANs to Internet connectivity)
Strong security features for all workstations and servers are not established
The firewall is inserted between the premises network and the Internet
Aims:
–Establish a controlled link
–Protect the premises network from Internet-based attacks
–Provide a single choke point

15 Firewall Characteristics
Design goals:
–All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall)
–Only authorized traffic (defined by the local security policy) will be allowed to pass
–The firewall itself is immune to penetration (use of a trusted system with a secure operating system)

16 Firewall Characteristics
Four general techniques:
Service control
–Determines the types of Internet services that can be accessed, inbound or outbound
Direction control
–Determines the direction in which particular service requests are allowed to flow
User control
–Controls access to a service according to which user is attempting to access it
Behavior control
–Controls how particular services are used (e.g. filter e-mail)

17 Types of Firewalls
Three common types of firewalls:
–Packet-filtering routers
–Application-level gateways
–Circuit-level gateways

18 Types of Firewalls: Packet-filtering Router

19 Types of Firewalls: Packet-filtering Router
–Applies a set of rules to each incoming IP packet and then forwards or discards the packet
–Filters packets going in both directions
–The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
–Two default policies (discard or forward)

20 Types of Firewalls: Packet-filtering Router
Advantages:
–Simplicity
–Transparency to users
–High speed
Disadvantages:
–Difficulty of setting up packet filter rules
–Lack of authentication
Possible attacks and appropriate countermeasures:
–IP address spoofing
–Source routing attacks
–Tiny fragment attacks
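The two packet-filter slides above describe a rule list matched against IP/TCP header fields with a default policy, and name three attacks a filter must counter. The Python sketch below is an added example, not code from the slides: a first-match rule table with an explicit default policy, preceded by the usual countermeasures (discard inbound packets claiming an internal source address, discard packets carrying a source route option, and discard fragments with offset 1 or a first fragment too short to hold a TCP header). The premises network `192.168.1.0/24`, the rule table and the packet dictionaries are constructed for the example.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed premises network
MIN_FIRST_FRAGMENT = 20   # smallest first fragment that can carry a whole TCP header

# Constructed rule table: first matching rule wins; fields absent from a rule
# match anything. 'src'/'dst' are CIDR prefixes, 'dport' the TCP destination port.
RULES = [
    {"direction": "in",  "proto": "tcp", "dst": "192.168.1.10/32", "dport": 25, "action": "forward"},
    {"direction": "in",  "proto": "tcp", "dst": "192.168.1.10/32", "dport": 80, "action": "forward"},
    {"direction": "out", "proto": "tcp", "src": str(INTERNAL_NET), "action": "forward"},
    {"direction": "in",  "proto": "tcp", "dport": 23, "action": "discard"},
]
DEFAULT_POLICY = "discard"   # the safer of the two default policies


def countermeasure(pkt):
    """Checks run before the rule table, one per attack on the slide.
    Returns a reason string if the packet must be discarded, otherwise None."""
    src = ipaddress.ip_address(pkt["src"])
    if pkt["direction"] == "in" and src in INTERNAL_NET:
        return "ip-spoofing: internal source address arriving from outside"
    if pkt.get("source_route"):
        return "source-routing: packet carries a source route option"
    offset = pkt.get("frag_offset", 0)
    first_too_small = (offset == 0 and pkt.get("more_fragments")
                       and pkt.get("length", 0) < MIN_FIRST_FRAGMENT)
    if offset == 1 or first_too_small:
        return "tiny-fragment: TCP header split across fragments"
    return None


def _matches(rule, pkt):
    """True when every field named in the rule agrees with the packet header."""
    for field, want in rule.items():
        if field == "action":
            continue
        if field in ("src", "dst"):
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(field) != want:
            return False
    return True


def filter_packet(pkt, rules=RULES, default=DEFAULT_POLICY):
    """Return (action, reason) for one packet header dict."""
    reason = countermeasure(pkt)
    if reason:
        return "discard", reason
    for index, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule["action"], "rule %d" % index
    return default, "default policy"


if __name__ == "__main__":
    # Constructed packet headers: inbound mail, inbound telnet, spoofed source, tiny fragment.
    samples = [
        {"direction": "in", "proto": "tcp", "src": "198.51.100.7", "dst": "192.168.1.10", "dport": 25},
        {"direction": "in", "proto": "tcp", "src": "198.51.100.7", "dst": "192.168.1.10", "dport": 23},
        {"direction": "in", "proto": "tcp", "src": "192.168.1.5", "dst": "192.168.1.10", "dport": 25},
        {"direction": "in", "proto": "tcp", "src": "198.51.100.7", "dst": "192.168.1.10", "frag_offset": 1},
    ]
    for pkt in samples:
        print(pkt.get("dport", "-"), pkt["src"], "->", filter_packet(pkt))
```

The example also illustrates the "difficulty of setting up rules" disadvantage: the telnet rule only takes effect because nothing above it matches port 23, so rule order is part of the policy and must be reviewed whenever a rule is added.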

21 Types of Firewalls: Application-level Gateway

22 Types of Firewalls: Application-level Gateway
–Also called proxy server
–Acts as a relay of application-level traffic
Advantages:
–Higher security than packet filters
–Only need to scrutinize a few allowable applications
–Easy to log and audit all incoming traffic
Disadvantages:
–Additional processing overhead on each connection (gateway as splice point)

23 Types of Firewalls: Circuit-level Gateway

24 Types of Firewalls: Circuit-level Gateway
–Stand-alone system, or
–Specialized function performed by an application-level gateway
–Sets up two TCP connections
–The gateway typically relays TCP segments from one connection to the other without examining the contents
–The security function consists of determining which connections will be allowed
–Typical use is a situation in which the system administrator trusts the internal users
–An example is the SOCKS package

25 Firewall Configurations: Screened host firewall system (single-homed bastion host)

26 Firewall Configurations
Screened host firewall, single-homed bastion configuration
Firewall consists of two systems:
–A packet-filtering router
–A bastion host

27 Firewall Configurations
Configuration for the packet-filtering router:
–Only packets from and to the bastion host are allowed to pass through the router
The bastion host performs authentication and proxy functions

28 Firewall Configurations
Greater security than a single-system configuration, for two reasons:
–This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy)
–An intruder must generally penetrate two separate systems

29 Firewall Configurations
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

30 Firewall Configurations: Screened host firewall system (dual-homed bastion host)

31 Firewall Configurations
Screened host firewall, dual-homed bastion configuration
–The packet-filtering router is not completely compromised
–Traffic between the Internet and other hosts on the private network has to flow through the bastion host

32 Firewall Configurations: Screened-subnet firewall system

33 Firewall Configurations
Screened subnet firewall configuration
–Most secure configuration of the three
–Two packet-filtering routers are used
–Creation of an isolated sub-network

34 Firewall Configurations
Advantages:
–Three levels of defense to thwart intruders
–The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)

35 Firewall Configurations
Advantages:
–The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
