Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Presentation transcript:

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher August, 2014

Outline
Shortcomings of firewalls
How do we properly manage firewalls?
Firewalls and mobile computing

So Firewalls Are the Answer?
Not by themselves
Relying exclusively on firewalls runs into problems
Why?

Problem #1
[Diagram labels: Internet; ISP; Local network; "No firewall here!"]
Is there a way around the firewall?

Problem #2
[Diagram labels: Internet; ISP]
Can you properly identify all bad traffic?
Great, no back doors
But...
It looks OK...

Problem #3
[Diagram labels: Internet; ISP]
Let’s say you’ve closed all the back doors
And you’ve somehow recognized all bad traffic
What about this?
If the bad traffic comes from inside, the firewall doesn’t help

Weaknesses of Perimeter Defense

Defense in Depth
An old principle in warfare
Don’t rely on a single defensive mechanism or defense at a single point
Combine different defenses
Defeating one defense doesn’t defeat your entire plan

So What Should Happen?

Or, Better

Or, Even Better

Firewall Configuration and Administration
Again, the firewall is the point of attack for intruders
Thus, it must be extraordinarily secure
How do you achieve that level of security?

Firewall Location
Clearly, between you and the bad guys
But you may have some different types of machines/functionalities
Sometimes makes sense to divide your network into segments
  – Typically, less secure public network and more secure internal network
  – Using separate firewalls

Firewalls and DMZs
A standard way to configure multiple firewalls for a single organization
Used when organization runs machines with different openness needs
  – And security requirements
Basically, use firewalls to divide your network into segments

A Typical DMZ Organization
[Diagram labels: The Internet; DMZ; Your web server; Your production LAN; Firewall set up to protect your web server; Firewall set up to protect your LAN]

Advantages of DMZ Approach
Can customize firewalls for different purposes
Can customize traffic analysis in different areas of network
Keeps inherently less safe traffic away from critical resources

Dangers of a DMZ
Things in the DMZ aren’t well protected
  – If they’re compromised, provide a foothold into your network
One problem in DMZ might compromise all machines there
Vital that main network doesn’t treat machines in DMZ as trusted
Must avoid back doors from DMZ to network
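The last two points on the DMZ slide can be checked mechanically against a rule table. The following is an added example, not part of the lecture: it audits the firewall protecting the production LAN for allow rules that DMZ hosts can use, either because the rule names them or because its source is broad enough to include them. The addresses, rule table and the `Rule` and `dmz_to_lan_paths` names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # destination port; None matches any port
    action: str           # "allow" or "deny"
    note: str

# Constructed addressing for the two zones behind the inner firewall.
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.0.0.0/16")

# Constructed rule table for the firewall that protects the production LAN.
INNER_FIREWALL = [
    Rule("10.0.0.0/16", "192.0.2.10/32", 22, "allow", "admins manage web server"),
    Rule("192.0.2.10/32", "10.0.5.20/32", 5432, "allow", "web app to database"),
    Rule("0.0.0.0/0", "10.0.9.0/24", 3389, "allow", "vendor remote access"),
    Rule("192.0.2.0/24", "10.0.0.0/16", None, "deny", "block DMZ to LAN"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny", "default deny"),
]

def dmz_to_lan_paths(rules):
    """List allow rules that let DMZ-sourced traffic reach the LAN.

    "explicit": the rule names DMZ hosts as its source.
    "implicit": the source is broader than the DMZ (for example "any"), so
    DMZ hosts are covered without anyone having decided to trust them.
    This is a per-rule overlap check; it does not model shadowing by
    earlier rules in the table.
    """
    findings = []
    for index, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src = ipaddress.ip_network(rule.src)
        dst = ipaddress.ip_network(rule.dst)
        if not (src.overlaps(DMZ) and dst.overlaps(LAN)):
            continue
        kind = "explicit" if src.subnet_of(DMZ) else "implicit"
        findings.append((index, kind, rule.port, rule.note))
    return findings

if __name__ == "__main__":
    for index, kind, port, note in dmz_to_lan_paths(INNER_FIREWALL):
        print(f"rule {index}: {kind} DMZ->LAN allow on port {port} ({note})")
```

Both findings sit above the "block DMZ to LAN" deny, so a compromised web server would reach the database port and the remote-access subnet despite that rule.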

Firewall Hardening
Devote a special machine only to firewall duties
Alter OS operations on that machine
  – To allow only firewall activities
  – And to close known vulnerabilities
Strictly limit access to the machine
  – Both login and remote execution

Keep Your Firewall Current
New vulnerabilities are discovered all the time
Must update your firewall to fix them
Even more important, sometimes you have to open doors temporarily
  – Make sure you shut them again later
Can automate some updates to firewalls
How about getting rid of old stuff?

Closing the Back Doors
Firewall security is based on assumption that all traffic goes through the firewall
So be careful with:
  – Wireless connections
  – Portable computers
  – Sneakernet mechanisms and other entry points
Put a firewall at every entry point to your network
And make sure all your firewalls are up to date

Firewalls and Mobile Computing
The firewall concept comes from the world before mobile computing
Firewalls assume machines are safe behind their protections
Which is only true if network traffic to the machine goes through the firewall
What happens with mobile computers?

Consider Bob’s Office
[Diagram labels: Bob’s Office; Worker Bob]
So far, so good

Now Bob Goes to a Cafe
[Diagram labels: Local Café; Bob; Carol; Xavier; Alice]

Now Bob Returns To Work...
[Diagram labels: Bob’s Office; Worker Bob]
The firewall didn’t help at all!

How Bad Could This Be?
Depends on how much mobility occurs
  – Nowadays, a lot
Wireless connectivity makes it worse
  – Especially if wireless used in untrusted locations
Smart phones in store windows have been infected by malware passing by

Handling the Problem
Single machine firewalls on mobile devices help
  – But usually aren’t powerful or sophisticated
Safe use practices help
  – But are usually trumped by convenience
So mobile devices will get infected

The Next Best Thing
It was bad that the mobile device got infected
It was worse that it got behind the firewall and infected everyone else
Can we at least stop that step?

How To Handle This Problem?
Essentially quarantine the portable computer until it’s safe
Don’t permit connection to wireless access point until you’re satisfied that the portable is safe
  – Or put them in constrained network
Common in Cisco, Microsoft, and other companies’ products
  – Network access control
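The quarantine decision described on this slide comes down to an admission check that fails closed. The following is an added example, not from the lecture and not the interface of any vendor's network access control product: the posture attributes, thresholds and sample devices are all constructed for illustration.

```python
from datetime import date

# Constructed thresholds; a real deployment sets these by policy.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7
REQUIRED = ("last_patched", "av_signatures", "host_firewall_on", "scanned_since_return")

def admit(posture, today):
    """Return (network, reasons) for a device asking to join the office network.

    The device lands on "production" only when every check passes. A missing
    or malformed attribute counts as a failure, so a device that reports
    nothing stays in quarantine.
    """
    reasons = [f"missing: {key}" for key in REQUIRED if key not in posture]
    if reasons:
        return "quarantine", reasons
    for key, limit in (("last_patched", MAX_PATCH_AGE_DAYS),
                       ("av_signatures", MAX_AV_SIGNATURE_AGE_DAYS)):
        value = posture[key]
        if type(value) is not date or value > today:
            reasons.append(f"invalid date: {key}")
        elif (today - value).days > limit:
            reasons.append(f"stale: {key}")
    for key in ("host_firewall_on", "scanned_since_return"):
        if posture[key] is not True:
            reasons.append(f"failed: {key}")
    return ("quarantine" if reasons else "production"), reasons

# Constructed sample devices, evaluated as of 2014-08-20.
TODAY = date(2014, 8, 20)
OFFICE_DESKTOP = {"last_patched": date(2014, 8, 12), "av_signatures": date(2014, 8, 19),
                  "host_firewall_on": True, "scanned_since_return": True}
BOBS_LAPTOP = {"last_patched": date(2014, 6, 1), "av_signatures": date(2014, 8, 18),
               "host_firewall_on": True, "scanned_since_return": False}
SILENT_DEVICE = {"host_firewall_on": True}

if __name__ == "__main__":
    for name, posture in (("desktop", OFFICE_DESKTOP), ("bob", BOBS_LAPTOP),
                          ("silent", SILENT_DEVICE)):
        print(name, admit(posture, TODAY))
```

The "quarantine" result corresponds to the constrained network on the slide: the laptop back from the café gets remediation access only until it is patched and rescanned.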

Conclusion
Important to recognize the shortcomings of firewalls
Proper organization and management of firewalls can help
Mobile computing limits the value of firewalls further
  – Requiring extra caution