Introduction to Computer Security Chapter23 Network Security


1 Introduction to Computer Security Chapter23 Network Security
November 29, 2005

2 Contents
Introduction
Policy Development
Network Organization
Availability and Network Flooding

3 Introduction Drib’s security policy
Data related to company plans is to be kept secret. In particular, sensitive corporate data, such as data involved in developing potential products, is to be available only to those who need to know. When a customer provides data (such as a credit card number) to the Drib as part of a purchase, the data, and all information about the customer, are to be available only to those who fill the order. Releasing sensitive data requires the consent of the company's officials and lawyers.

4 23.2 Policy Development
[Diagram: the Customer Service Group (customer info., credit-card info.), the Development Group (future plan, new technology) and the Corporate Group (corporate info., lawsuit problem) each hold their own data, with some information shared between the groups.]

5 Data Classes
1. Public data (PD) is available to anyone. It includes product specifications, price information, and marketing literature.
2. Development data for existing products (DDEP) is available only internally. Because of pending lawsuits, it must be available to the company lawyers and officers as well as to the developers. It is kept secret from all others.
3. Development data for future products (DDFP) is available to the developers only.

6 Data Classes
4. Corporate data (CpD) includes legal information that is privileged and information about corporate actions that is not to become known publicly (such as actions that may affect stock values).
5. Customer data (CuD) is data that customers supply, such as credit card information.

7 User Classes
1. Outsiders (members of the public) get access to some of the Drib's data, such as prices, product descriptions, and public corporate information.
2. Developers get access to both classes of development data. They cannot alter development data for existing products, because that data describes how to manufacture the product.
3. Corporation executives (corporation counsel, members of the board of directors, and other executives) get access to corporate data. They can see development data for both existing and future products but may not alter it.
4. Employees get access to customer data only.

8 23.2.2 User Classes
Access rights by user class (the table on this slide, combined with the descriptions on the previous slide):
Outsiders: public data (read)
Developers: development data for existing products (read); development data for future products (read, write)
Corporation executives: corporate data (read); development data for existing and future products (read)
Employees: customer data (read, write)

9 User Classes
Specific classes of people can move data from one class to another. The specific transformation rules are as follows.
The developers must propose that a proposed future product be realized. Corporation executives must determine if the proposed action is wise, from both legal and economic standpoints. Hence, both developers and corporation executives must agree to reclassify data from the DDFP class to the DDEP class.
The employees may identify certain development data as important for answering technical questions from outsiders, or for market literature. Both employees and corporation executives must agree to reclassify data from the DDEP class to the PD class.
Corporation executives may reveal corporate data in filings, or when revealing the data will not harm the company. Thus, they can reclassify data from CpD to PD. However, at least two members must agree to do the reclassification.

10 Availability
The Drib is a world-wide, multinational corporation and does business on all seven continents. The corporate officers want employees and the public to be able to contact the Drib at any time. The Drib's systems must be available 99% of the time, the remaining 1% being used for planned maintenance and unexpected downtimes.

11 Consistency Check
The first goal is to keep sensitive information confidential, on a "need to know" basis.
The second goal requires that only employees who handle purchases can access customer data, and only they and the customers themselves can alter the customer data.
The third goal is met by the rules for changing security classes.

12 Consistency Check
Verifying the consistency of the policy (showing that it is not self-contradictory):
The only way information can flow into the public class is when a corporate executive moves it there.
By the rules for moving data out of the DDEP and DDFP classes, some other entity beyond the corporate executives must consent to the release of the information.
This satisfies the principle of separation of privilege as well as the corporate goals.
Because there is no contradiction among the rules in the policy, the policy is self-consistent.
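The access matrix and reclassification rules of slides 7 to 9, with the two consistency checks above written as functions, as an added example (not part of the original slides). The role and class labels are constructed, and only "read" and "write" rights are modelled.

```python
# Added example (not from the slides): the Drib's access matrix and
# reclassification rules as a small policy model, plus the consistency
# checks from the "Consistency Check" slides. Role and class names are
# constructed labels; "read"/"write" are the only rights modelled.

# Access matrix from the "User Classes" slides: role -> class -> rights.
ACCESS = {
    "outsider":  {"PD": {"read"}},
    "developer": {"DDEP": {"read"}, "DDFP": {"read", "write"}},
    "executive": {"CpD": {"read"}, "DDEP": {"read"}, "DDFP": {"read"}},
    "employee":  {"CuD": {"read", "write"}},
}

# Reclassification rules: (from, to) -> roles that must ALL consent.
RECLASSIFY = {
    ("DDFP", "DDEP"): {"developer", "executive"},
    ("DDEP", "PD"):   {"employee", "executive"},
    ("CpD", "PD"):    {"executive"},
}
# CpD -> PD additionally needs two distinct executives ("at least two members").
EXECUTIVES_NEEDED_FOR_CPD = 2


def allowed(role, data_class, right):
    """Does this role hold this right on this data class?"""
    return right in ACCESS.get(role, {}).get(data_class, set())


def reclassify(from_cls, to_cls, consents):
    """consents is a list of (user, role) pairs that signed off on the move.
    Returns True only if every role the rule requires is present (separation
    of privilege) and, for CpD -> PD, at least two different executives."""
    required = RECLASSIFY.get((from_cls, to_cls))
    if required is None:
        return False                      # no rule: the move is not allowed
    if not required <= {role for _, role in consents}:
        return False
    if (from_cls, to_cls) == ("CpD", "PD"):
        execs = {user for user, role in consents if role == "executive"}
        if len(execs) < EXECUTIVES_NEEDED_FOR_CPD:
            return False
    return True


def public_release_needs_executive():
    """Consistency check 1: data enters PD only when an executive consents."""
    return all("executive" in roles
               for (_, dst), roles in RECLASSIFY.items() if dst == "PD")


def development_release_needs_second_party():
    """Consistency check 2: moving data out of DDEP or DDFP needs some
    entity beyond the executives to consent."""
    return all(roles - {"executive"}
               for (src, _), roles in RECLASSIFY.items()
               if src in ("DDEP", "DDFP"))
```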

13 23.3 Network Organization
Definition 23–1. The DMZ is a portion of a network that separates a purely internal network from an external network.
The policy discussed above suggests that the network be partitioned into several parts, with guards between the parts to prevent information from leaking.

14 23.3 Network Organization
<The network designed for the Dribble Corporation>
The systems as deployed will not change any information in transit (except delivery information, such as packet headers). The arrangement and configuration of the firewalls provide the supporting access control mechanisms used to implement the policy.

15 Firewalls and Proxies
Definition 23–2. A firewall is a host that mediates access to a network, allowing and disallowing certain types of access on the basis of a configured security policy.
<Example> A company wishes to prevent any implementations of Back Orifice from allowing outsiders to control their systems. The company can install a firewall that will not allow any messages with destination port number 25345 to pass from the Internet into the corporate network.
[Diagram: a message from an outsider reaches the firewall, which checks "Is the destination port 25345?"; only if the answer is no is the message allowed into the corporate network.]

16 Firewalls and Proxies
Definition 23–3. A filtering firewall performs access control on the basis of attributes of the packet headers, such as destination addresses, source addresses, and options.
Definition 23–4. A proxy is an intermediate agent or server that acts on behalf of an endpoint without allowing a direct connection between the two endpoints.
Definition 23–5. A proxy (or application-level) firewall uses proxies to perform access control. A proxy firewall can base access control on the contents of packets and messages, as well as on attributes of the packet headers.

17 Firewalls and Proxies
<Example> A company wishes to check all incoming electronic mail for computer viruses. The proxy has a virus scanning program. When mail arrives at the firewall, the proxy mail daemon accepts the mail. It then runs the virus scanner. If the scanner reports that there are no viruses in the mail or in any associated attachments, the proxy forwards the mail to the desired recipient.
[Diagram: mail arrives at the proxy firewall, whose virus scanner detects whether a virus is in the mail; only if not is the mail delivered to the desired recipient.]

18 23.3.2 Analysis of the Network Infrastructure
The key decision is to limit the flow of information from the internal network to the DMZ. The firewalls and the DMZ systems make up the pump. The first step is to conceal the addresses of the internal network: the inner firewall can use a protocol such as the Network Address Translation protocol. All services are implemented as proxies in the outer firewall.

19 23.3.2 Analysis of the Network Infrastructure
Electronic mail presents a special problem. The DMZ mail server must know an address in order for the internal mail server to pass mail back and forth. This need not be the actual address of the internal mail server. The Drib has decided to use a DNS server on both the internal and DMZ subnets; if the DNS system is unavailable, the other servers can still function.

20 23.3.2 Analysis of the Network Infrastructure
Connecting the inner network to the Internet requires that several criteria be met, to implement the principle of separation of privilege. The firewalls are distinct computers, as are the DMZ servers, leading to a duplication rather than a sharing of network services. If the mail server stops working, for example, the WWW server is not affected. The shared DNS server in the DMZ violates this principle, because multiple systems are affected if it is corrupted or unavailable. The reason for the local, fixed addresses of the two firewalls is to handle the case of unavailability, mitigating this threat.

21 23.3.2.1 Outer Firewall Configuration
The goals of the outer firewall are to restrict public access to the Drib's corporate network and to restrict the Drib's access to the Internet. This arises from the duality of information flow. In the Bell-LaPadula Model, one cannot read information from a higher level, but one cannot write information to a lower level, either. Certain sanitized exchanges, however, are allowed. To implement the required access control, the firewall uses an access control list, which binds source addresses and ports and destination addresses and ports to access rights.
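An access control list of the kind this slide describes, evaluated first-hit with a fail-safe default, as an added example (not the Drib's or any product's configuration). The DMZ addresses are constructed; port 25345 is the Back Orifice port from the earlier example.

```python
# Added example (not from the slides): a filtering access-control list that
# binds source/destination addresses and ports to an allow/deny decision,
# as the outer-firewall slide describes. Rules match first-hit; the last
# rule is the fail-safe default. Constructed values: the DMZ block
# 203.0.113.0/24 and the two server addresses. Port 25345 is the Back
# Orifice port from the earlier firewall example.

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_net: str = "0.0.0.0/0"      # any source
    dst_net: str = "0.0.0.0/0"      # any destination
    dport: Optional[int] = None     # None matches any destination port
    proto: Optional[str] = None     # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


DMZ_MAIL = "203.0.113.25/32"    # constructed DMZ mail server address
DMZ_WEB = "203.0.113.80/32"     # constructed DMZ Web server address

# Inbound policy of the outer firewall as the slides describe it: the
# Internet may reach only the SMTP and HTTP proxies in front of the two
# DMZ servers; everything else is dropped. The explicit Back Orifice rule
# stays in force even if the allow rules below are later widened.
OUTER_INBOUND = [
    Rule("deny", dport=25345),                          # Back Orifice example
    Rule("allow", dst_net=DMZ_MAIL, dport=25, proto="tcp"),
    Rule("allow", dst_net=DMZ_WEB, dport=80, proto="tcp"),
    Rule("deny"),                                       # fail-safe default
]


def decide(acl, pkt: Packet) -> str:
    """Return the action of the first matching rule ("deny" if none match)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def audit(acl, pkts):
    """Apply the ACL to a batch of packets and return (packet, action) pairs,
    the way a firewall log would record them."""
    return [(p, decide(acl, p)) for p in pkts]
```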

22 23.3.2.1 Outer Firewall Configuration
The firewall is a proxy-based firewall. When an electronic mail connection is initiated, the SMTP proxy on the firewall collects the mail. It then analyzes it for computer viruses and other forms of malicious logic. If none is found, it forwards the mail to the DMZ mail server. When a Web connection arrives, the firewall scans the message for any suspicious components and, if none is found, forwards it to the DMZ Web server. These two DMZ servers have different addresses, neither of which is the address of the firewall.

23 Outer Firewall Configuration
[Diagram: a sender that knows only the firewall's address tries to send mail; the outer firewall checks for viruses and malicious logic and, only if none is found, passes the mail to the DMZ mail server. Likewise, a client that knows only the firewall's address tries to contact a Web server; the outer firewall scans the client's message for extraordinarily long lines or other evidence of attacks before passing it to the DMZ Web server.]

24 23.3.2.2 Inner Firewall Configuration
The internal network is where the Drib's most sensitive data resides. All such information will come from the DMZ, and never directly from the Internet.
<Example> Unless hosts in the DMZ require NFS information, prevent NFS packets from going to the DMZ (least privilege).
[Diagram: outer firewall, DMZ zone, inner firewall, internal network (NFS information); the inner firewall prevents an NFS packet from going out toward the Internet.]

25 23.3.2.2 Inner Firewall Configuration
The inner firewall allows a limited set of traffic through. It allows SMTP connections using proxies, but all electronic mail is sent to the DMZ mail server for disposition. It allows limited transfer of information to the DNS server in the DMZ. It also allows system administrators to access the systems in the DMZ from a trusted administrative server. All other traffic, including Web access, is blocked.

26 23.3.2.2 Inner Firewall Configuration
The access allowed to system administrators violates the principle of least privilege: the connection allows the administrators full control over the DMZ systems. If the connection to the systems in the DMZ does not originate from a special system in the internal network, the firewall will disallow the connection. The Drib trusts its system administrators, so only trusted users will be allowed unrestricted access to the DMZ servers. The administrators can use the SSH protocol only to connect to the DMZ servers.

27 DMZ Mail Server
The mail server in the DMZ performs address and content checking on all electronic mail messages. The goal is to hide internal information from the outside while being transparent to the inside. When the mail server receives a letter from the Internet, it performs the following steps.
1. The mail proxy reassembles the message into a set of headers, a letter, and any attachments.
2. The mail proxy scans the letter and attachments, looking for any "bad" content. "Bad" content here is defined as a computer virus or known malicious logic. The attachments are then restored to the form used to transmit them through electronic mail. The headers, the letter, and the attachments are rescanned for any violation of the SMTP specification.

28 DMZ Mail Server
3. The mail proxy scans the recipient address lines. The addresses that directed the mail to the Drib are rewritten to direct the mail to the internal mail server. The DMZ mail server then forwards the mail to the internal mail server.
3'. (The corresponding step for mail leaving the Drib.) The mail proxy scans the header lines. All lines that mention internal hosts are rewritten to identify the host as "drib.org," the name of the outside firewall. All header lines must be checked. In addition to the source address lines, any "Received" lines are to be removed, and any destinations that name the Drib must also be changed. Following this sanitization, the letter is forwarded to the firewall for delivery.
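Steps 3 and 3' of the two slides above, implemented over a constructed message with the standard library, as an added example (not the Drib's mail proxy). Assumed and constructed: internal hosts live under the suffix ".internal.drib.org", the internal mail server is "mail.internal.drib.org", and "drib.org" is the outside name from the slide.

```python
# Added example (not from the slides): the DMZ mail server's header handling,
# step 3 for mail arriving from the Internet and step 3' for mail leaving
# the Drib. Constructed assumptions: internal hosts end in ".internal.drib.org",
# the internal mail server is "mail.internal.drib.org"; "drib.org" is the
# outer firewall's name from the slides. Standard library only.

import email
import re
from email import policy
from email.message import EmailMessage

INTERNAL_SUFFIX = ".internal.drib.org"          # constructed
INTERNAL_MAIL = "mail" + INTERNAL_SUFFIX         # constructed
OUTSIDE_NAME = "drib.org"                        # name of the outer firewall

# Any host name ending in the internal suffix (e.g. dev1.internal.drib.org).
INTERNAL_HOST_RE = re.compile(r"[A-Za-z0-9.-]+" + re.escape(INTERNAL_SUFFIX))


def _rewrite_headers(msg: EmailMessage, transform, drop=()):
    """Rebuild every header through transform(name, value); headers whose
    lower-cased name is in drop are removed entirely. Rebuilding (rather than
    replace_header) handles repeated headers such as several Received: lines."""
    kept = [(name, transform(name, str(value)))
            for name, value in msg.items() if name.lower() not in drop]
    for name in {name for name, _ in kept} | set(drop):
        del msg[name]
    for name, value in kept:
        msg[name] = value
    return msg


def sanitize_outgoing(raw: bytes) -> EmailMessage:
    """Step 3': strip Received: trace lines and rename internal hosts to the
    firewall's name before the letter leaves the Drib."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return _rewrite_headers(
        msg, lambda _n, v: INTERNAL_HOST_RE.sub(OUTSIDE_NAME, v),
        drop=("received",))


def redirect_incoming(raw: bytes) -> EmailMessage:
    """Step 3: recipient addresses that brought the mail to the Drib are
    rewritten to point at the internal mail server."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    pat = re.compile(r"@" + re.escape(OUTSIDE_NAME) + r"\b")
    return _rewrite_headers(
        msg, lambda n, v: (pat.sub("@" + INTERNAL_MAIL, v)
                           if n.lower() in ("to", "cc") else v))


def has_overlong_lines(raw: bytes, limit: int = 998) -> bool:
    """Part of the rescan for SMTP violations: RFC 5321 caps a line at 998
    characters before the CRLF."""
    return any(len(line) > limit for line in raw.split(b"\n"))


# Constructed sample of a letter written on an internal host.
SAMPLE_OUTGOING = b"""\
Received: from dev1.internal.drib.org (dev1.internal.drib.org [10.0.0.5])
\tby mail.internal.drib.org; Tue, 29 Nov 2005 10:00:00 +0900
From: Alice <alice@dev1.internal.drib.org>
To: bob@example.com
Message-ID: <123@dev1.internal.drib.org>
Subject: product question

Thanks for asking; see the public spec sheet.
"""
```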

29 DMZ WWW Server
The Web server accepts and services requests from the Internet. It does not contact any servers or information sources within the internal network. Although the Web server runs CGI scripts, the scripts have been checked for potential attacks and hardened to prevent their success. The Web server also identifies itself as "…" and uses the IP address of the outside firewall.

30 DMZ WWW Server
A system in the internal network known as the "WWW-clone" is used to update the DMZ Web server. Periodically (or on request), an administrator will copy the contents of the WWW-clone to the DMZ Web server. This follows from the principle of separation of privilege, because any unauthorized changes in the Web server are mitigated by the updates. Like the mail server, the WWW server also runs an SSH server for maintenance and updating.

31 DMZ WWW Server
The Drib accepts orders for its merchandise through the Web. The data entered by the consumer is saved to a file. After the user confirms an order, the Web server invokes a simple program that checks the format and contents of the file and creates an enciphered version of the file using the public key of a system on the internal customer subnet. The enciphered file resides in a spooling area that is not accessible to the Web server. The program deletes the original file. This way, even if an attacker can obtain the file, the attacker cannot determine the order information or credit card numbers associated with customers.

32 DMZ WWW Server
[Diagram: the Web server enciphers the order file with the public key of the internal trusted server and deletes the original; the SSH server on the DMZ host rejects connections from any host other than the trusted internal administrative server, so no other host can reach the DMZ over SSH.]

33 DMZ DNS Server
The DMZ DNS host contains directory name service information about those hosts that the DMZ servers must know. It contains entries for the following:
DMZ mail, Web, and log hosts
Internal trusted administrative host
Outer firewall
Inner firewall
The DNS server does not know the address of the internal mail server; the inner firewall will forward mail to that server. The DMZ mail server need only know the addresses of the two firewalls (for mail transfers) and the trusted administrative server. The limited information in the DNS server reflects the principle of least privilege.

34 23.3.3.4 DMZ Log Server
All DMZ machines have logging turned on. Attackers can delete logs, so if the logs were on the attacked machines, they might be tampered with or erased. The log system is placed in the DMZ to confine its activity. It never initiates a transfer to the inner network; only the trusted administrative host does that. The use of write-once media is an example of applying the principles of least privilege and fail-safe defaults: the media cannot be altered, they can only be destroyed, and then only if the attacker has physical access to the system.

35 23.3.4 In the Internal Network
The subnets must guard against unauthorized access to information as dictated by the policy. For these purposes, "read" corresponds to fetching or retrieving a file, and "write" corresponds to putting or depositing a file. For the moment, we ignore electronic mail, updating of Web pages on the DMZ, and the internal administrative host.

36 23.3.4 In the Internal Network
The data and users are distributed among the three subnets of the internal network in the obvious way. The firewall on the developer network allows read access from the corporate network but blocks write access to all other subnets. The firewall on the corporate network does not allow read or write access from the other networks. The firewall for the customer subnet allows read access from the corporate network.

37 23.3.4 In the Internal Network
The internal mail server must be free to communicate with hosts behind each of the subnet firewalls. Either each subnet may have its own mail server, or the internal mail server can deliver mail directly to each host on the subnets. The former has the advantage of flexibility, because the internal DNS server need only know the addresses of the subnet firewalls and (possibly) the mail servers. The latter requires the internal DNS to have the addresses of all hosts on the internal network.

38 23.3.4 In the Internal Network
The DMZ Web server's pages are synchronized with the Web pages on this server by using the trusted internal administrative host. This provides a test bed for changes in the pages, so corporate and other internal personnel can review and approve changes before they are made visible to the public. If the DMZ Web server is ever compromised, the Web pages can be restored very quickly.

39 23.3.4 In the Internal Network
The DMZ servers never communicate directly with the internal servers. They instead send information to the firewall, which routes the messages appropriately. DMZ servers accept only incoming SSH connections from the trusted administrative host. These connections use public key authentication to establish identity, so an attacker cannot forge addresses.

40 23.3.4 In the Internal Network
The only data in the DMZ that non-administrators can alter is the data in the Web pages. However, the alterations occur on a copy on the internal network. An administrator must invoke special functions to move the updated pages to the Web server on the DMZ.

41 23.3.5 General Comment on Assurance
Although the amount of software running on the firewalls is minimized, and the software is written to perform only necessary functions and has been extensively audited and tested, the Drib's defensive mechanisms all trust that the software is correct and cannot be compromised. If this trust is misplaced, the defensive mechanisms can be breached. This is another reason why the configuration of servers and firewalls is based extensively on the principle of separation of mechanism: if one mechanism fails, another may prevent the attacker from exploiting that failure.

42 23.3.5 General Comment on Assurance
Suppose the network interface card connected to the Internet never cleared its buffer. An attacker could craft a packet that contained data in the form of a legal packet addressed to an interior system. The containing packet would be validated as allowed to go to the interior network and then would be passed to the interior network. The next packet would be short enough to overwrite the contents of the buffer from the beginning up to the data in the form of the valid packet. If the card then flushed the contents of its buffer to the inside network, the legal but unvalidated packet would be sent on, too. The separation of mechanism inherent in a proxy firewall hinders attacks based on failures in single network cards, but other types of malfunctions may allow other attacks.

43 23.3.5 General Comment on Assurance
The informal policy model of the Drib guides the design of the network architecture as well as the analysis of the software and hardware configurations. Infrastructure, software, and hardware all provide the basis for claims that the network actually enforces the policy model correctly.

44 23.4 Availability and Network Flooding
The SYN flood is the most common type of flooding attack. It occurs when incoming connections repeatedly refuse to execute the third part of the TCP three-way handshake. This is a denial of service attack. If the packets come from multiple sources but have the same destination, this is an example of a distributed denial of service attack.

45 23.4 Availability and Network Flooding
Two aspects of SYN flooding:
Consumption of bandwidth. If the flooding is more than the capacity of the physical network medium, or of intermediate nodes, legitimate handshakes may be unable to reach the target.
The use of resources, specifically memory space, on the target. If the flooding absorbs all the memory allocated for half-open connections, then the target will discard the SYN packets from legitimate handshake attempts.

46 Intermediate Hosts
This approach tries to reduce the consumption of resources on the target by using routers to divert or eliminate illegitimate traffic. The goal is to have only legitimate handshakes reach the firewall.
<Example> Cisco routers can use "TCP intercept mode". When the router sees a SYN packet coming from the Internet, it does not forward the packet to its destination. Instead, the router responds and tries to establish the connection. If the SYN packet is part of a legitimate handshake and a connection is established, the router establishes a connection with the intended destination and "merges" the two connections.

47 23.4.2 TCP State and Memory Allocations
When a SYN packet is received, the server creates an entry in a data structure of pending connections and then sends the SYN/ACK packet. The entry remains until either a corresponding ACK is received or a time-out occurs. Under a SYN flood, the data structure is kept full of entries that never move to the connected state. All will be timed out, and new SYNs create new entries to continue the cycle.

48 23.4.2 TCP State and Memory Allocations
Two techniques are used to make availability of space more likely. One is to push the tracking of state to the client: if the state can be encoded in the initial sequence number (which the client echoes back in its ACK), the server can rederive the information from the client's ACK packet.
<Example> The Linux kernel can be configured to use the SYN cookie approach when the table of pending connections is full. Linux uses the SYN cookie formula developed by Bernstein and Schenk:
$h(s_1, s_A, s_P, d_A, d_P, s_1) + n + 2^{24} t + [h(s_2, s_A, s_P, d_A, d_P, t, s_2) \bmod 2^{24}]$
where $h$ is a hash function (SHA-1), $s_1$ and $s_2$ are randomly generated secrets, $s_A$ and $s_P$ are the source address and port, $d_A$ and $d_P$ are the destination address and port, $t$ is a counter incremented every minute, and $n$ is the sequence number of the received SYN packet.
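The formula above implemented as a cookie generator, together with the server-side check that rederives t and validates the cookie from the client's ACK without any stored state, as an added example (not the Linux kernel's code). Assumed: h is SHA-1 truncated to 32 bits, s1 and s2 are constructed secrets, and a cookie from the current or the previous minute is accepted.

```python
# Added example (not from the slides): SYN cookies with the Bernstein/Schenk
# formula quoted above, plus the server-side check that rederives the state
# from the client's ACK. Assumptions: h is SHA-1 over the packed fields,
# truncated to 32 bits (the slide names only SHA-1); s1 and s2 are
# constructed secrets; t is a minute counter, and a cookie is accepted for
# the current and the previous minute. Addresses may be IPv4 or IPv6.

import hashlib
import ipaddress
import struct

MASK32 = (1 << 32) - 1
MASK24 = (1 << 24) - 1


def _packed(field) -> bytes:
    """Serialize a secret (bytes), an address (str) or an integer field."""
    if isinstance(field, bytes):
        return field
    if isinstance(field, str):
        return ipaddress.ip_address(field).packed
    return struct.pack(">Q", field)


def h(*fields) -> int:
    """The hash function of the formula: SHA-1, first 32 bits."""
    data = b"".join(_packed(f) for f in fields)
    return int.from_bytes(hashlib.sha1(data).digest()[:4], "big")


def syn_cookie(s1, s2, sA, sP, dA, dP, t, n) -> int:
    """Initial sequence number the server puts in its SYN/ACK:
    h(s1,...) + n + 2^24 t + [h(s2,...,t,...) mod 2^24]   (mod 2^32).
    Only the low 8 bits of t survive the 2^24 shift, hence t & 0xFF."""
    h1 = h(s1, sA, sP, dA, dP, s1)
    h2 = h(s2, sA, sP, dA, dP, t, s2) & MASK24
    return (h1 + n + ((t & 0xFF) << 24) + h2) & MASK32


def check_cookie(s1, s2, sA, sP, dA, dP, now, client_seq, ack):
    """Validate the final ACK of a handshake without any stored state.
    client_seq is the sequence number in the ACK (the SYN's n plus one) and
    ack is its acknowledgement number (our cookie plus one). Returns the
    minute t the cookie was minted in, or None if it is forged or stale."""
    n = (client_seq - 1) & MASK32
    cookie = (ack - 1) & MASK32
    h1 = h(s1, sA, sP, dA, dP, s1)
    rest = (cookie - h1 - n) & MASK32        # = 2^24 t + h2 if genuine
    t_byte = rest >> 24
    for age in (0, 1):                       # accept this minute or the last
        t = now - age
        if t < 0 or (t & 0xFF) != t_byte:
            continue
        h2 = h(s2, sA, sP, dA, dP, t, s2) & MASK24
        if (rest & MASK24) == h2:
            return t
    return None
```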

49 23.4.2 TCP State and Memory Allocations
<Example> Freedman modified the kernel of a SunOS system to provide adaptive time-outs of pending connections. First, he shortened the time-out period for pending connections from 75 to 15 seconds. He then modified the formula for queuing pending connections. Let p be the number of pending connections. Let c be a tunable parameter. When a + p > cb, the current SYN message is dropped.

50 23.5 Anticipating Attacks
The Drib's security officers are very interested in attempted attacks within the DMZ. Use of the DMZ is restricted to those who have access to the internal administrative trusted host or who are using a small set of services. If a known attack occurs on this network, someone who has obtained access to the network has launched it; perhaps some trusted administrator should not have been trusted (entry through the administrative trusted host).

51 23.5 Anticipating Attacks
The philosophy of ignoring attacks that fail seems dangerous: when an attacker succeeds in compromising the system, the attacker probably has tried, and failed, numerous times before. We do not have the personnel to handle the false alarms and the failed attacks. Instead, we focus on what we are most concerned about: successful attacks, and failed attacks in areas where attacks ought not to be launched.

52 23.5 Anticipating Attacks
The Drib security officers analyzed many commercial intrusion detection systems to find one that met their needs. Some even failed to detect attacks launched by the security officers. The Drib therefore purchased an intrusion detection system that allowed them to add signatures of known attacks and to tune parameters to control reporting of events. After considerable experimentation, they found a group of settings that seemed to work well. The results of the analysis are compared with the reported events. If they match, the current set of settings is accepted; if not, the settings are retuned.

