1 Campus Network Security and Security Repercussions
Pete Siemsen, National Center for Atmospheric Research, July 28th, 2002

2 Overview
- Obstacles to security
- Overview of threats and solutions
- Case study: NCAR

3 Obstacles to Security
- Doesn’t mesh well with research
- Considered low priority (few resources)
- Not always taken seriously

4 Obstacles to Security
- Security implementers may not be appreciated.
- Too little security, it’s your fault: “We got hacked, you should’ve done more”
- Too much security, it’s your fault: “I can’t get my work done, you should do less”
- When it works, no one notices

5 Types of Threats
- Viruses
- Packet sniffing
- Denial of service
- Scanning for holes
- Wireless

6 Viruses: problems
- Hard to battle
- Mail-borne
- Web-borne
- Instant Messaging?

7 Viruses: solutions
- Scan/block executable attachments
- Virus scanning software helps, but new viruses are not immediately detected

8 Packet Sniffing: problems
- Your users may type passwords on foreign networks
- Switches are better than hubs, but do not protect you from Layer 2 attacks

9 Packet sniffing: problems
- dsniff suite for overloading switches, spoofing ARPs, man-in-the-middle, etc.
- ettercap for injecting commands in someone else’s session

10 Packet Sniffing: solutions
- Use switches instead of hubs or repeaters
- Consider MAC address locking
- Consider SecurID
- Ban telnet in favor of ssh
- Use VPNs for remote access
- Run ARPwatch
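The "Run ARPwatch" advice above is about noticing when an IP address suddenly answers from a different MAC, which is what ARP spoofing by tools like dsniff looks like on the wire. The following is an added example, not code from the slides or from arpwatch itself: a minimal arpwatch-style monitor over constructed ARP replies (the IP and MAC values are placeholders) that records each "changed ethernet address" event and separates a one-off change (NIC swap) from a flip-flop, the pattern a poisoner racing the real host produces.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed ARP replies as a monitor on one campus segment might see them.
# The third record re-announces the gateway's IP from a different MAC.
SAMPLE_REPLIES = [
    ArpReply(1000, "192.0.2.1",  "00:00:5e:00:53:01"),   # gateway
    ArpReply(1001, "192.0.2.20", "00:00:5e:00:53:20"),   # a workstation
    ArpReply(1030, "192.0.2.1",  "00:00:5e:00:53:99"),   # gateway "moved"
    ArpReply(1031, "192.0.2.1",  "00:00:5e:00:53:01"),   # and flips back
]

class ArpWatcher:
    """Keeps an IP -> MAC table as arpwatch does and records every change."""
    def __init__(self):
        self.table = {}     # ip -> MAC currently believed for it
        self.alerts = []    # (ts, ip, old_mac, new_mac)

    def observe(self, reply):
        old = self.table.get(reply.sender_ip)
        if old is None:                          # first sighting: just learn it
            self.table[reply.sender_ip] = reply.sender_mac
            return None
        if old == reply.sender_mac:              # nothing new
            return None
        alert = (reply.ts, reply.sender_ip, old, reply.sender_mac)
        self.alerts.append(alert)                # "changed ethernet address"
        self.table[reply.sender_ip] = reply.sender_mac
        return alert

def flip_flops(watcher):
    """IPs that changed MAC at least twice between the same two addresses.
    A NIC replacement changes once; a poisoner racing the real host flip-flops."""
    per_ip = {}
    for _, ip, old, new in watcher.alerts:
        per_ip.setdefault(ip, []).append({old, new})
    return sorted(ip for ip, changes in per_ip.items()
                  if len(changes) >= 2 and len(set().union(*changes)) == 2)

def run(replies=SAMPLE_REPLIES):
    w = ArpWatcher()
    for r in replies:
        w.observe(r)
    return w
```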

11 Denial of Service: problems
- Distributed DoS can’t be blocked
- No magic bullet
- Luckily, attacks are usually short-lived
- See trinoo and stacheldraht

12 Denial of Service: solutions
- Must back-track to source, installing filters as you go to reduce pain
- Install patches to keep your systems from becoming part of the problem
- Scan for client code on your systems
- Filter ICMP

13 Denial of Service: solutions
- Dave Dietrich's DDOS website: staff.Washington.edu/Dietrich/wise/ddos
- ICMP traceback proposal: see itrace
- IP traceback: apers/Sigcomm00.pdf

14 Scanning for holes: problems
- “Script kiddies” are unsophisticated hackers who run software “kits” to attack a target. They don’t have to understand networking.
- Software scans for open ports and known vulnerabilities

15 Scanning for holes: solutions
- Apply vendor patches in a timely manner
- Filter packets inbound
- Scan your own systems
- Use an intrusion detection system
- See

16–23 Wireless: problems (image-only slides; no text was captured)
24 Wireless: problems
- WEP is insecure (see Kismet, Airsnort, WEPcrack)
- Can’t track down attackers easily
- Physical security is harder
- You may not own all the access points!

25 Wireless: solutions
- Tune access point power
- Don’t count on WEP: use VPNs
  · Requires extra network engineering
- Wardrive/netstumble with Kismet, Airsnort, WEPcrack
- IETF is working on better standards

26 Wireless: solutions
- Current issue of SysAdmin
- David Packham’s URL list: et/prev- mtg/ meeting/0602.meeting/06 02.presentations/dave.packham.url.li st.html

27 Case study: NCAR

28 NCAR’s Environment
- Academic research institution, but no students!
- Collaboration with 63 member universities
- ~1500 university (external) users
- Diverse, widespread field projects
- ~2500 networked nodes internal to NCAR
- ~1500 internal users

29 NCAR’s Motivation to Get Serious About Security
- We experienced increasing malicious attacks
- More hackers hacking
- Availability of script kiddie “kits”
  · Easy to get
  · Don’t require network expertise
- We had some strong advocates

30 Getting Started

31 NCAR Security Committee
- We created a committee to develop policy
- Sysadmins from all NCAR Divisions
- Formal process delivered institutional buy-in
- 2-hour meetings once a month
- Lots of cooperation, little authority
- With time, authority has grown

32 The Security Policy
- Need a policy that defines
  · vulnerabilities
  · how much security is needed
  · level of inconvenience that is tolerable
  · solutions
- We recommended a full-time Security Administrator for the institution

33 Define Scope of Problem
- Decide which types of attacks are problems
- Examples:
  · Hacker spoofing of source IP address
  · Hacker scanning for weaknesses (TCP/UDP ports, INETD services)
  · Hackers sniffing passwords
  · Hacker exploitation of buggy operating systems (inconsistent/tardy OS patching)

34 Define Scope of Solution
- What we won’t do
  · Not feasible to secure every computer
  · Over-reliance on timely OS security fixes
  · Can’t prohibit internal “personal” modems
  · Attacks from within aren’t a big problem
- What we will do
  · Reduce external attacks from the Internet

35 Basic Solutions at NCAR
- One-time passwords (critical devices)
- Switched LANs
- Packet filtering on routers
- Application-proxy gateways
- Filter attachments
- Encryption for wireless and remote access (VPNs and ssh)

36 One-time Passwords
- A.K.A. challenge-response
- Requires little calculator things (~$50 per)
- Prevents password sniffing
- We use it on critical devices: routers, ATM switches, Ethernet switches, remote access servers, server hosts (root accounts)
- At the least, do this!

37 Switched LANs
- Reduces packet eavesdropping
- Get this for “free” with a switched network
- Hackers can still steal ARP entries
- Hackers can still fill CAM tables

38 Packet Filtering

39 Router-Based Filters
- Used to construct a router-based firewall around your internal network
- Main security implementation tool
- Routers check each inbound packet against filter criteria and accept or reject

40 (image-only slide; no text was captured)

41 Packet Filtering At NCAR
- Routers can filter on
  · IP address: source, destination, ranges
  · Interfaces: inbound and/or outbound
  · Protocols, TCP ports, etc.
- We filter inbound and outbound packets
- Performance is no longer an issue with modern routers

42 Filter Stance: Strong or Weak?
- Strong: deny everything, except for the good stuff
- Weak: allow everything, except for the bad stuff
- NCAR chose a Strong stance

43 Example Filter Statistics
- 41 lines (rules) in NCAR’s old Cisco access-list
- Hits as of 9/30/98, 28 days after the filter was installed:
  · 3 MP denied because of spoofing
  · 17 MP denied because of “catchall”
  · 71 MP permitted to exposed networks
  · 100 MP permitted to exposed hosts
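To make the strong stance and the four statistics categories concrete, here is an added example that is not NCAR’s actual access-list: an inbound border filter evaluated top to bottom like a Cisco access-list, with an anti-spoof rule first, permits for exposed networks and for exposed hosts (on their published TCP services only), and a final catch-all deny. The address ranges, exposed hosts and sample packets are constructed placeholders; outbound filtering, which NCAR also did, is not modelled.

```python
import ipaddress
from collections import Counter

# Constructed address plan: all NCAR-owned space, and the part that is
# "exposed" (reachable from outside and expected to defend itself).
NCAR_SPACE = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]
EXPOSED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Exposed hosts inside protected space: only the listed TCP ports are open.
EXPOSED_HOSTS = {"192.0.2.80": {80, 443}, "192.0.2.25": {25}}

def classify(pkt):
    """pkt: dict with src, dst, proto, dport. Returns the first matching
    rule, so the order of the checks is the order of the access-list."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # Rule 1: an inbound packet claiming an NCAR source address is spoofed.
    if any(src in net for net in NCAR_SPACE):
        return "deny-spoof"
    # Rule 2: whole exposed networks are reachable.
    if any(dst in net for net in EXPOSED_NETS):
        return "permit-exposed-net"
    # Rule 3: exposed hosts, but only on their published TCP services.
    ports = EXPOSED_HOSTS.get(str(dst))
    if ports and pkt["proto"] == "tcp" and pkt["dport"] in ports:
        return "permit-exposed-host"
    # Rule 4: strong stance. Everything else (UDP, pings, ...) is dropped,
    # which is exactly the "Drawbacks" list later in the talk.
    return "deny-catchall"

# Constructed sample of inbound packets as seen on the outside interface.
SAMPLE = [
    {"src": "192.0.2.7",   "dst": "192.0.2.80",   "proto": "tcp",  "dport": 80},
    {"src": "203.0.113.5", "dst": "192.0.2.80",   "proto": "tcp",  "dport": 443},
    {"src": "203.0.113.5", "dst": "192.0.2.80",   "proto": "tcp",  "dport": 22},
    {"src": "203.0.113.9", "dst": "198.51.100.3", "proto": "udp",  "dport": 53},
    {"src": "203.0.113.9", "dst": "192.0.2.50",   "proto": "icmp", "dport": None},
]

def filter_stats(packets=SAMPLE):
    """Per-rule hit counts, the same breakdown the slide reports."""
    return Counter(classify(p) for p in packets)
```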

44 Exposed Hosts
- Example: web servers, data source machines, etc.
- Must meet stringent security standards to avoid being compromised and used as launch pads for attacking protected hosts
- OS restricts the set of network services allowed
- Must keep up with OS patches

45 Intrusion Detection NCAR uses SNORT and Network Flight Recorder to look for suspect patterns in packets.

46 VPNs
- Virtual Private Network: an encrypted tunnel from one point to another over an untrusted network.
- NCAR uses VPNs or ssh for all remote connections to NCAR networks.
- Mostly used by travelers and home users with DSL or cable modems.

47 Wireless at NCAR
- We filter all wireless packets
- The filters are established and removed as wireless machines connect and disconnect
- VPN users are passed through
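The per-client filter lifecycle described on this slide, as an added example that is not NCAR’s BSD host code: a rule set is installed when a wireless client takes a DHCP lease and torn down when the lease ends, and while the lease is live only DNS and traffic to the VPN server are passed, so a client can bring up its tunnel but nothing else leaves the wireless segment in the clear. The VPN server address, the IPsec ports and the resolver address are assumptions, not values from the talk.

```python
VPN_SERVER = "192.0.2.10"                                 # assumed VPN server
VPN_PORTS = {("udp", 500), ("udp", 4500), ("esp", None)}  # assumed IKE/NAT-T/ESP
DNS_SERVERS = {"192.0.2.53"}                              # assumed resolver

class WirelessGate:
    """Tracks DHCP leases on the wireless segment and answers, per packet,
    whether the client's currently installed rules would pass it."""
    def __init__(self):
        self.leases = {}    # client ip -> client MAC, present only while leased
        self.rules = []     # audit log of rule installs/removals, in order

    def lease_granted(self, ip, mac):
        # DHCP lease event ("connect"): install the per-client rule set.
        self.leases[ip] = mac
        self.rules.append(("add", ip, mac))

    def lease_released(self, ip):
        # Release/expiry ("disconnect"): tear the rules down so a reused
        # address does not inherit the previous client's permissions.
        mac = self.leases.pop(ip, None)
        if mac is not None:
            self.rules.append(("del", ip, mac))

    def allow(self, src_ip, src_mac, dst_ip, proto, dport=None):
        if self.leases.get(src_ip) != src_mac:
            return False    # no current lease, or a different MAC using that IP
        if dst_ip == VPN_SERVER and (proto, dport) in VPN_PORTS:
            return True     # VPN users are passed through
        if dst_ip in DNS_SERVERS and proto == "udp" and dport == 53:
            return True     # name lookup needed to find the VPN server
        return False        # everything else from wireless is filtered
```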

48–53 Wireless at NCAR (diagram slides; only the labels were captured): BSD Unix host, AP, DHCP server, router, client, bridge, Internet, NCAR VPN server, NCAR staff user, guest user, auth, web, DNS. Slides 50–53 are numbered steps 1–4 of the guest-user flow.

54 Security Administrator
- Provides focus for security for the entire institution
- Helps deal with break-ins
- Central point of contact
- Tracks CERT advisories for sysadmins
- Advocates security solutions, like ssh
- Scans exposed hosts for standards violations
- Generally helps/educates sysadmins

55 Impacts of NCAR’s Security

56 Benefits
- >99% of NCAR hosts are protected
- Outbound telnet, HTTP, etc. still work
- Relatively cheap and easy
- Dial-in users are “inside”, no changes

57 Drawbacks
- UDP is blocked
- Some services are no longer available
- Inbound pings are blocked !!!
- To use FTP, must use passive mode, or use an exposed host, or proxy through a gateway
- DNS and can get complicated

58 Drawbacks
- Crunchy outside, chewy inside
- Modems in offices are a huge hole
- Users must install VPN or ssh software for remote access

59 Wrap-up

60 Security is Never “Done”
- How do you know if you’re being hacked?
  · “Silent” attacks are very hard to detect
  · “Noisy” attacks are hard to distinguish from other network (or host) problems
- Network keeps changing
- Software keeps changing
- Hackers keep advancing

61 Security is Never “Done”
- Policy and security mechanisms must evolve
- Security committee continues to meet

62 Conclusion
- NCAR struck a balance between:
  · Convenience and Security
  · Politics and Technology
  · Cost and Quality

63 Scary paper
- How to own the Internet in your spare time, at: sec02/index.html