Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing networks and systems Aleksandr Lenin. Outline Networking (recap) – Networks, Isolation domains: VLAN, subnets – CIDR/VLSM, Network zoning Firewalls.

Published byMagdalene Cunningham Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing networks and systems Aleksandr Lenin. Outline Networking (recap) – Networks, Isolation domains: VLAN, subnets – CIDR/VLSM, Network zoning Firewalls."— Presentation transcript:

1 Securing networks and systems Aleksandr Lenin

2 Outline Networking (recap) – Networks, Isolation domains: VLAN, subnets – CIDR/VLSM, Network zoning Firewalls – Securing networks and hosts Network zoning IDS/IPS Systems – Detecting and preventing intrusions

3 Networking recap Network – A set of hosts – Sharing same network part in an IP address – Having unique host part in an IP address – Broadcast domain

4 Networking recap (contd.) Address space: – The size of address space = 2^n (n being the number of hosts’ bits in an IPv4 address) – CIDR notation /24 = 8 bits for hosts. 2^8 = 256 addresses for 254 hosts. – Hosts’ address space – 2 reserved addresses Gateway (first or last address in the address space) Broadcast (last possible address in an address space)

5 Networking recap (contd.) Subnetting – why should we split our network into subnets? – It’s all about trust. Hosts within a network: “trust” each other freely communicate to each other – Establish trust boundaries Trusted subnets, semi-trusted subnets, untrusted subnets If an attacker controls one host in the network, consider that it will not be a major challenge to take others under control as well More difficult to cross the boudaries of subnetting and get into another subnetwork. – Broadcast domain

6 Networking recap (contd.) Isolating groups of hosts within a network – VLAN – CIDR/VLSM – reduces the amount of “spare” addresses. Networks are interconnected with gateways (routers) Routers route packets between networks (primary objective). Additionally, monitoring and filtering of the traffic passing by.

7 Firewall A wall built to stop (or slow down) the spread of fire. A piece of software or dedicated hardware monitoring and filtering network traffic. Protects network against unauthorized access. Protects hosts against unauthorized access.

8 Firewalling (contd.)

9 Firewalls - classification By architecture: Hardware firewalls Software firewalls By functionality/capabilities: Network layer firewalls – Stateless – Stateful Application layer firewalls By type: Network-based firewalls Host-based firewalls

10 Network layer firewalls Stateful (1 st generation) Packet filters Examine packet headers. Filtering is done on the transport layer (on the address/port basis) Stateless (2 nd generation) Performs Stateful Packet Inspection (SPI). Blocks packets not matching a known active connection. Falls back to packet filtering for stateless protocols. Examples: IPFilter (various), ipfw (FreeBSD/Mac OS X), NPF (NetBSD), PF (OpenBSD, and some other BSDs), iptables/ipchains (Linux)

11 Application layer firewalls 3 rd generation of firewalls (current). Work on the application level of the TCP/IP stack Inspect actual packet data. May intercept all packets traveling to or from an application. Filtering on a process basis, instead of filtering connections. Decide if a process should accept any given connection. May help preventing the spread of networked computer worms and trojans. Result - increased latency to packet forwarding. Problem – too complex rulesets, limited efficacy.

12 Rulesets Permissive – By default traffic is allowed to pass – Rulesets specify which packets should be dropped Restrictive – By default traffic is dropped – Rulesets specify which packets are allowed to pass

13 Network zoning A zone is a LAN segment – Set aside for specific function and/or IP range. – Routes to a gateway – Gateway provide networking interconnection between the zones – Gateway is typically some firewall-like interface – Ruleset on a gateway define which data may be transferred from one zone to another. – Access is granted in accordance with local security policies and best practices.

14 Network zoning (contd.) Zoning – grouping of computer resources by – Location – Function – Purpose – Access type – Subnet – Etc.

15 Network zoning (contd.) Zone members are placed within their own subnet. Can talk to devices outside their subnet/VLAN – only if the router/firewall allows this. – enables flexible filtering. Each zone is self-contained. Each zone is isolated from other zones before reaching the firewall.

16 Network zoning (contd.) Historical approach: – Place a firewall on the external touch-points of your network. – Place all public servers in the DMZ zone. – Restrict access to/from these devices for internal systems. – Modern approaches to network security do not stop at the perimeter – more thorough zoning is required.

17 Network zoning (contd.) Modern approach: – The DMZ concept + consider principles of trust/privacy – Split internal network into segments – Provides increased security and privacy – Zones form boundaries within a network – Zones isolate trusted, semi-trusted, and untrusted devices from each other.

18 Network zoning (contd.)

19 Pay attention to the following facts: – The trusted zone of the external firewall is actually untrusted zone for the internal firewall. – Trusted zone of the external firewall receives traffic which passes the rulesets of the external firewall. – Internal firewall can be configured with the same blocking rules as the external one, and, additionally, new rules applicable for protecting internal networks.

20 Network zoning (contd.)

21 Similar access rules and restrictions across the zone. Makes management of firewalling and routing simpler over-time. Zoned areas may be simply extended 4 zones: Users, Administrators, Servers, Sensitive Data Servers.

22 Network zoning (contd.) 1.Decide how to group the resources. 2.Describe and qualify what is unique and different about each grouping – groups should not overlap. 3.Clarify what each zone can and cannot access (e.g. Sensitive Data Servers do not surf the web or have access to email). 4.Implement the designed grouping.

23 Network zoning (contd.) Zone – Servers – Subnet: 10.0.0.0/24 (10.0.0.0 – 10.0.0.255) – Size: 256 Server IP Addresses – Description: Zone dedicated to application servers and services, no end-users and no sensitive customer data Examples: Intranet server, Email server, File server

24 Network zoning (contd.) Zone – SENSITIVE – Subnet: 10.0.1.0/24 (10.0.1.0 – 10.0.1.255) – Size: 256 Server IP Addresses – Description: Zone dedicated to servers that contain sensitive customer data (could also be employee data) Examples: Oracle database server

25 Network zoning (contd.) Zone – SYSADMIN – Subnet: 10.0.2.0/24 (10.0.2.0 – 10.0.2.255) – Size: 256 System Administrator IP Addresses – Description: Zone dedicated to privileged administrators of systems, applications, or infrastructure, requires extra access to servers, network elements, etc. Examples: Network Management Team, Firewall Administrators, Database Administrators, etc.

26 Network zoning (contd.) 4 zones: Users, Administrators, Servers, Sensitive Data Servers. Zone – USERS – Subnet: 10.0.3.0/22 (10.0.3.0 – 10.0.6.255) – Size: 1,024 Desktop User IP Addresses – Description: Zone dedicated to the general user base Example: Average Joe user

27 Network zoning (contd.) Zone – NETCORE – Network: 10.255.0.0/24 (10.255.0.0 – 10.255.0.255) – Size: 256 Network Core IP Addresses – Description: Zone dedicated to network interface on routers to facilitate core communications and isolate zones Examples: each router has an interface on this Zone

28 Network zoning (contd.)

29 IDS/IPS Systems Intrusion Detection System (IDS) – a piece of hardware or software, which: monitors network or system activity detects malicious activities detects policy violations produces reports to management station keeps track of suspicious activities in logs “Observe, identify, report” idea.

30 IDS/IPS Systems (contd.) Intrusion Prevention System (IPS) is a piece of hardware or software, which does everything that an IDS can do, additionally: Attempt to stop detected malicious activity by adaptively deploying various protective and defensive security measures “Observe, identify, report, protect (act back)” ideology

31 IDS/IPS Systems (contd.) Network based and host based IDS/IPS systems. Protect the network/host consecutively. Differ in their approach how to detect suspicious activities.

32 IDS/IPS Systems (contd.) Are used for: Detecting / preventing malicious activities in hosts and networks Increased security awareness Identifying problems with security policies Keeping track of existing threats Deferring individuals from violating security policies

33 IDS / IPS Systems (contd.) Typical behavior: Perform monitoring, observe and classify events Log information about suspicious activities In case a suspicious activity has been detected, deploy security measures (IPS systems) Notify security administrator(s) of important/critical suspicious activities that have been observed.

34 IDS/IPS Systems (contd.) Network Intrusion Detection System (NIDS): is placed in the strategic points within a network performs analysis of the entire traffic passed through the subnet performs pattern matching – matches traffic to a library of known attacks Once possible attack is detected – classify its potential impact and proceed as intended (just report, or prevent and report)

35 IDS/IPS Systems (contd.) Host Intrustion Detection System (HIDS): runs on individual hosts or devices monitors incoming and outgoing traffic from/to this device only takes a snapshot of existing system files and compares to the previous snapshot if critical system files were modified or deleted – sends notification to system administrator

36 IDS/IPS Systems (contd.) Application protocol-based system Performs stateful protocol analysis. Focuses its attention on the specific application protocol(s) in use by the computing system. Monitoring of dynamic behavior and state of the protocols Example: APIDS deployed between the web server and the database management system monitoring the SQL protocol communications.

37 IDS/IPS Systems (contd.) Statistical anomaly based system Compares network traffic against an established baseline. The baseline establishes what is “normal” for that particular system (the amount of bandwidth, protocols, ports, devices generally connect to each other, etc.) May raise false-positive alarms for legitimate use of resources.

38 IDS/IPS Systems (contd.) Signature based system Matches observed traffic against patterns of known malicious threats. Methods similar to the one antivirus software works. Problem – lag time during which IDS/IPS is unable to identify the threat.

39 IDS/IPS Systems Examples: Snort Suricata

40 ???

Download ppt "Securing networks and systems Aleksandr Lenin. Outline Networking (recap) – Networks, Isolation domains: VLAN, subnets – CIDR/VLSM, Network zoning Firewalls."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Firewalls Anand Sharma Austin Wellman Kingdon Barrett.

Firewalls Anand Sharma Austin Wellman Kingdon Barrett.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
—On War, Carl Von Clausewitz

—On War, Carl Von Clausewitz
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.

1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Similar presentations

Ads by Google