Network Security
At this point, we are looking to secure all of the computers in "our" network from outside and inside attack.
– If a machine is compromised, we would like to keep it from compromising the rest of the network, or at least contain/minimize the damage.
Where to start?
First internal security, by looking at the computers.
– What category do they fall into? Personal, business workstation, server, sensitive systems.
– That determines which computers need access to other computers (i.e. servers to workstations, etc).
– From there we can isolate computers on our network from each other, limiting access and limiting damage.
Layer security pieces
Once the "computers" are sorted, then layer the security to maximize protection.
– Firewalls on top (and where needed for more security).
– Filtering with routers, so parts of the internal network that don't need to "talk" to each other, don't.
– IDS and monitoring to make sure attempts to breach security are not successful.
VLANs in summary
VLANs combine shared hubs, switching, routing, and network management.
– Remove physical boundaries on switches.
– Better control of broadcast domains.
VLANs are invisible to end users.
They offer significant cost and performance benefits in switched LANs:
– better use of switches
– easy to add or move network stations
– tighter security
Routers
Packet routing, forwarding and filtering, and VLANs.
– Once a set of computers is classified, they can go into VLANs.
– The router can be configured so that packets can't be routed between two VLANs.
– Or packets can be forwarded between the VLANs as needed.
Newer routers can also route based on the type of packet (ICMP, TCP, UDP, etc).
Proxy
Proxy servers
– Allow a client to access a server through an intermediate computer. The proxy server is secured; it accepts requests for access to a server (or even the internet), then makes the request to the server on the client's behalf. The proxy server is allowed to talk to the server, while the client is not allowed to talk to the server directly.
– Many firewalls with NAT work as a type of proxy.
Firewall
Definition: a system that cannot be broken into.
– It monitors traffic and "protects" the computer. It is configured so that only certain inbound and outbound ports are "open"; e.g. blocking port 6000 means that nothing can remotely talk to that port and the computer can't use that port to talk to a remote machine.
– Can be configured for only outbound or only inbound as well.
Firewall Categories
Packet filtering gateway
– Simple firewall; works like router filtering, but at a higher OSI layer.
Stateful inspection firewalls
– Maintain more information about network connections.
Personal firewalls (software firewalls)
– Normally on users' computers.
Network firewalls
Packet filtering
– Not only IP addresses like routers, but ports and types of packets, such as allowing only TCP while blocking UDP and all ICMP packets.
– e.g. NFS packets are blocked, but not ssh packets.
Firewalls may provide Network Address Translation (NAT).
They may provide zones of security:
– unrestricted access, protected zones (called DMZs), and no access.
Stateful
Included in most high-end firewalls and many personal firewalls as well.
– Since each packet of data has no context (and the packet may be fragmented as well), it's difficult to figure out what a packet of data is doing. Is it an attack? A classic attack is to fragment a packet so that it's hard to detect an attack signature. Also remember that packets may arrive in any order; the receiving computer (with TCP) will order them correctly. So a stateful firewall tracks the sequence of packets in order to "thwart" this type of attack.
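To make the "tracks the sequence of packets" idea concrete, here is a toy stateful TCP inspector. It is an added example, not code from the slides or from any firewall product: the addresses, the 10.0.0.x "inside" prefix, and the window size are all constructed for the demonstration. Connections may only be opened from the inside; an inbound segment is accepted only when it belongs to a tracked connection and its sequence number falls inside the range the firewall expects next, which is what lets a stateful firewall reject out-of-window segments that a stateless port filter would pass.

```python
"""Toy stateful TCP inspection (added example, not from the slides).

Only connections that start from the inside are tracked; an inbound segment is
accepted only if it belongs to a tracked connection and its sequence number
falls inside the window the firewall expects next.  Addresses are constructed.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."        # constructed: our protected network
WINDOW = 65535                   # largest plausible jump in sequence numbers


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # "S" SYN, "SA" SYN/ACK, "A" ACK, "F" FIN, "R" RST
    seq: int = 0
    length: int = 0  # payload bytes carried


class StatefulFirewall:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> connection state
        self.table = {}

    @staticmethod
    def _inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def check(self, seg):
        """Return 'ACCEPT' or 'DROP' for one segment, updating the state table."""
        if self._inside(seg.src) and not self._inside(seg.dst):
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.flags == "S":
                # Outbound SYN opens a new entry: connections may only start inside.
                self.table[key] = {"state": "SYN_SENT", "next_in_seq": None}
                return "ACCEPT"
            if key not in self.table:
                return "DROP"             # stray outbound segment with no connection
            if "R" in seg.flags:
                del self.table[key]       # a real firewall would also time out FINs
            return "ACCEPT"

        if self._inside(seg.dst) and not self._inside(seg.src):
            key = (seg.dst, seg.dport, seg.src, seg.sport)
            entry = self.table.get(key)
            if entry is None:
                return "DROP"             # unsolicited inbound segment (e.g. a scan)
            if entry["state"] == "SYN_SENT":
                if seg.flags != "SA":
                    return "DROP"         # only a SYN/ACK is a valid reply here
                entry["state"] = "ESTABLISHED"
                entry["next_in_seq"] = seg.seq + 1
                return "ACCEPT"
            # ESTABLISHED: out-of-order arrival is fine, but the segment must sit
            # in the expected window; anything else is dropped as not belonging.
            expected = entry["next_in_seq"]
            if not expected <= seg.seq < expected + WINDOW:
                return "DROP"
            entry["next_in_seq"] = max(expected, seg.seq + seg.length)
            if "R" in seg.flags:
                del self.table[key]
            return "ACCEPT"

        return "DROP"   # traffic that does not cross the perimeter never reaches us


def demo():
    """Constructed handshake followed by an out-of-window and an unsolicited segment."""
    fw = StatefulFirewall()
    flow = [
        Segment("10.0.0.5", 40000, "203.0.113.8", 80, "S", seq=100),
        Segment("203.0.113.8", 80, "10.0.0.5", 40000, "SA", seq=5000),
        Segment("10.0.0.5", 40000, "203.0.113.8", 80, "A", seq=101),
        Segment("203.0.113.8", 80, "10.0.0.5", 40000, "A", seq=5001, length=1400),
        Segment("203.0.113.8", 80, "10.0.0.5", 40000, "A", seq=900000),   # outside window
        Segment("198.51.100.9", 1234, "10.0.0.7", 22, "S", seq=1),        # unsolicited
    ]
    return [fw.check(s) for s in flow]


if __name__ == "__main__":
    print(demo())   # ['ACCEPT', 'ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'DROP']
```

The last two decisions are the ones a stateless packet filter cannot make: the fifth segment has the right addresses, ports and flags but a sequence number far outside the window, and the sixth is an inbound SYN with no outbound connection behind it. Fragment reassembly is not modelled here; a production firewall reassembles fragments before applying the same checks.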
Software firewalls
Good for personal computers.
– Limited by the O/S and what the computer is doing.
– Provide little protection from DoS attacks.
Very good for adding more protection to a single machine, in conjunction with an upstream hardware firewall.
For department or enterprise firewalls:
– A computer (or several computers) is tasked as a firewall and does nothing else.
Many security experts recommend using a hardware firewall appliance together with software firewalls whenever possible.
Why use firewalls?
Three aspects referred to as the CIA triad: Confidentiality, Integrity, and Availability.
– Confidentiality: protect data/information you want private.
– Integrity: make sure data/computers have not been tampered with.
– Availability: so a remote attack does not bring down the computer.
Zones of Security
Firewalls can be configured for zones of security.
– An area where there is no protection, for personal/home computers.
– An area where machines can be accessed from the internet, but only on certain ports (called a DMZ), for web, FTP, DNS, VPN servers, etc.
– An area where there is no inbound access, for workstations etc. No one needs to access them from the internet.
– An area where there is no inbound and no outbound access, for "sensitive" computers.
Zones of Security (2)
Each zone can be configured with the necessary security.
Each zone can also be protected from other zones.
– A server zone: allow no inbound access from the internet, no inbound traffic from the unprotected zone and the DMZ, but all connections from workstations.
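The zone layout from the two "Zones of Security" slides, the router filtering between classified groups of computers from the "Routers" slide, and the port/protocol filtering from the "Network firewalls" slide can all be expressed as one ordered rule list. The following is an added example written for these notes, not a configuration from the slides or from any firewall product; the zone networks (10.1.0.0/16 and so on) and the service ports are constructed. Rules are evaluated top to bottom, the first match wins, and anything unmatched is denied.

```python
"""Zone-based packet filter (added example, not from the slides).

Each host belongs to a zone by address; a small ordered rule list decides whether
a packet may cross from one zone to another.  First matching rule wins, and
anything unmatched is denied.  Zone networks are constructed for the example.
"""
import ipaddress

ZONES = {
    "unprotected":  ipaddress.ip_network("10.1.0.0/16"),   # home/personal machines
    "dmz":          ipaddress.ip_network("10.2.0.0/24"),   # web, ftp, DNS, VPN servers
    "workstations": ipaddress.ip_network("10.3.0.0/16"),
    "servers":      ipaddress.ip_network("10.4.0.0/24"),
    "sensitive":    ipaddress.ip_network("10.5.0.0/24"),
}


def zone_of(ip):
    """Map an address to its zone; anything not in a listed network is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# (src_zone, dst_zone, proto, dport, action); "*" matches anything.
RULES = [
    # Sensitive zone: no inbound and no outbound at all.
    ("*", "sensitive", "*", "*", "DENY"),
    ("sensitive", "*", "*", "*", "DENY"),
    # DMZ: reachable from anywhere, but only on the service ports.
    ("*", "dmz", "tcp", 80, "ALLOW"),
    ("*", "dmz", "tcp", 443, "ALLOW"),
    ("*", "dmz", "tcp", 53, "ALLOW"),
    ("*", "dmz", "udp", 53, "ALLOW"),
    ("*", "dmz", "*", "*", "DENY"),
    # Server zone: nothing from the internet, the unprotected zone or the DMZ;
    # everything from workstations.
    ("internet", "servers", "*", "*", "DENY"),
    ("unprotected", "servers", "*", "*", "DENY"),
    ("dmz", "servers", "*", "*", "DENY"),
    ("workstations", "servers", "*", "*", "ALLOW"),
    # Workstations: no inbound from the internet, outbound is fine.
    ("internet", "workstations", "*", "*", "DENY"),
    ("workstations", "internet", "*", "*", "ALLOW"),
    # Unprotected zone: no filtering in either direction.
    ("unprotected", "internet", "*", "*", "ALLOW"),
    ("internet", "unprotected", "*", "*", "ALLOW"),
]


def _matches(rule_value, actual):
    return rule_value == "*" or rule_value == actual


def decide(src_ip, dst_ip, proto, dport=None):
    """Return 'ALLOW' or 'DENY' for a packet; dport is None for ICMP."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rs, rd, rp, rport, action in RULES:
        if (_matches(rs, src_zone) and _matches(rd, dst_zone)
                and _matches(rp, proto) and _matches(rport, dport)):
            return action
    return "DENY"   # default deny: anything not explicitly allowed is blocked


if __name__ == "__main__":
    print(decide("198.51.100.7", "10.2.0.10", "tcp", 443))   # ALLOW: DMZ web port
    print(decide("10.2.0.10", "10.4.0.5", "tcp", 3306))      # DENY: DMZ -> servers
    print(decide("10.3.1.20", "10.5.0.2", "tcp", 22))        # DENY: nothing reaches sensitive
```

Note that with a purely stateless filter like this, the "internet to workstations: DENY" rule would also stop the replies to the workstations' own outbound connections; that is the gap a stateful firewall (earlier slide) closes by admitting return traffic for connections it has seen start from inside.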
NAT
Network Address Translation
– The internal computers have 10.x.x.x or 192.168.x.x IP numbers.
– When a packet is sent from a computer to the "internet", the firewall receives the packet, changes the packet's source address to its own address, then sends it to the internet and waits for a response. It also changes the source port number.
– When a response is received, the firewall forwards the packet on to the computer.
NAT can be a separate appliance or built into other devices (including routers and firewalls).
NAT
Since the firewall acts as the go-between, the internal computer is protected.
A side effect is that you only need a limited number of real IP numbers, while using the 10.x.x.x IP set for the internal network.
The firewall is configured to have real IP numbers for machines accessed from the outside, such as web servers.
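The two NAT slides describe a translation table: outbound packets get the firewall's address and a fresh source port, replies are matched back to the internal host, and a few servers keep a real address of their own. The code below is an added example written for these notes, not from the slides or from any NAT product; the public address 203.0.113.1, the 1:1 mapping for a web server, and the port pool starting at 40000 are constructed. It also shows why the source port must be rewritten: two inside hosts can pick the same source port, and only the rewritten port tells their replies apart.

```python
"""NAT translation table with source-port rewriting (added example, not from the
slides).  A constructed public address 203.0.113.1 stands in for the firewall's
outside interface; one internal web server keeps a real address of its own."""
import itertools

PUBLIC_IP = "203.0.113.1"                       # constructed firewall address
STATIC_MAP = {"10.2.0.10": "203.0.113.10"}      # constructed 1:1 mapping for a web server


class Nat:
    def __init__(self):
        self._ports = itertools.count(40000)     # pool of public source ports
        self.outbound = {}   # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # (public_port, dst_ip, dst_port) -> (in_ip, in_port)

    def translate_out(self, pkt):
        """Rewrite a packet leaving the network; pkt = (src, sport, dst, dport)."""
        src, sport, dst, dport = pkt
        if src in STATIC_MAP:                    # server with its own real address
            return (STATIC_MAP[src], sport, dst, dport)
        key = (src, sport, dst, dport)
        if key not in self.outbound:
            # Two inside hosts may use the same source port, so the firewall
            # picks a fresh public port to tell their replies apart.
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[(public_port, dst, dport)] = (src, sport)
        return (PUBLIC_IP, self.outbound[key], dst, dport)

    def translate_in(self, pkt):
        """Rewrite a packet arriving from outside, or return None to drop it."""
        src, sport, dst, dport = pkt
        for inside, public in STATIC_MAP.items():
            if dst == public:                    # 1:1 mapped server: pass straight in
                return (src, sport, inside, dport)
        if dst != PUBLIC_IP:
            return None
        entry = self.inbound.get((dport, src, sport))
        if entry is None:
            return None          # no session initiated from inside: dropped
        in_ip, in_port = entry
        return (src, sport, in_ip, in_port)


def demo():
    """Two inside hosts reuse source port 5000 towards the same outside server."""
    nat = Nat()
    a = nat.translate_out(("10.0.0.5", 5000, "198.51.100.7", 80))
    b = nat.translate_out(("10.0.0.6", 5000, "198.51.100.7", 80))
    reply_a = nat.translate_in(("198.51.100.7", 80, PUBLIC_IP, a[1]))
    stray = nat.translate_in(("198.51.100.7", 80, PUBLIC_IP, 22))
    to_web = nat.translate_in(("198.51.100.7", 3333, "203.0.113.10", 443))
    return a, b, reply_a, stray, to_web


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The `stray` case is the protection the slide refers to: a packet sent to the firewall's public address on a port no inside host has opened a session from has nowhere to go, so it is dropped rather than forwarded.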
NAT issues
NAT works great if all network applications follow the OSI model standards.
– Of course there are many apps that don't.
– Example: FTP. The IP and port number are in the layer 7 data of the packet. Big problem.
– FTP has two modes, active and passive. In passive mode, which is for firewalls, the server sends its IP number and a port number for the client to make a connection for file transfers.
– Since the IP number and port are in the layer 7 data, the NAT must read and change the IP and port number the "world" sees.
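Here is what "the NAT must read and change the IP and port number" looks like for the FTP passive-mode case when the FTP server sits behind the NAT. This is an added example written for these notes, not code from the slides or from any NAT implementation; the public address, the port pool starting at 50000, and the sample `227` reply are constructed. The NAT parses the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply (port = p1*256 + p2), allocates a public port, records a pinhole mapping it to the server's private address and port, and rewrites the reply so the outside client sees only the public pair. It refuses a reply whose address is not the server it is already relaying, so the ALG never opens a hole toward some other host.

```python
"""FTP passive-mode handling for a server behind NAT (added example, not from
the slides).  The NAT must parse the '227' reply, replace the private address
and port with public ones, and open a matching pinhole.  Addresses constructed."""
import re

PASV_RE = re.compile(
    rb"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is some other reply."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("malformed PASV reply")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def build_pasv(ip, port):
    """Format a 227 reply for the given address and port (high byte, low byte)."""
    high, low = divmod(port, 256)
    text = "227 Entering Passive Mode (%s,%d,%d).\r\n" % (ip.replace(".", ","), high, low)
    return text.encode()


class FtpAlg:
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self._next_port = first_port
        self.pinholes = {}   # (public_ip, public_port) -> (inside_ip, inside_port)

    def rewrite_server_reply(self, inside_ip, reply):
        """Rewrite one control-channel line going from the inside server to the outside client."""
        parsed = parse_pasv(reply)
        if parsed is None:
            return reply                           # not a PASV reply: pass through untouched
        ip, port = parsed
        if ip != inside_ip:
            # The data address must be the server we are already relaying for;
            # refuse to open a pinhole towards any other host.
            raise ValueError("PASV address %s does not match server %s" % (ip, inside_ip))
        public_port = self._next_port
        self._next_port += 1
        self.pinholes[(self.public_ip, public_port)] = (ip, port)
        return build_pasv(self.public_ip, public_port)


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.1")
    print(alg.rewrite_server_reply("10.2.0.10", b"227 Entering Passive Mode (10,2,0,10,19,137).\r\n"))
    print(alg.pinholes)
```

The same parsing is needed for the client-behind-NAT case in active mode, where the client's `PORT` command carries its private address; the slides' point is the general one that any protocol carrying addresses in layer 7 data forces the NAT to understand that protocol.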
What firewalls can't do
Don't protect data outside the perimeter.
Don't protect against computer-to-computer attacks inside of the firewall, except between zones.
– If it doesn't pass through the firewall, then it can't offer any protection.
Don't necessarily protect open ports.
– If port 80 is open to the outside world, then the firewall can't protect it against every attack. Some attacks will look like normal traffic.
And firewalls themselves are also targets of attacks.
Example web site security (SOURCE: INTERSHOP)
How are web sites constructed?
– TIER 1
– TIER 2: Server
– TIER 3: Applications
– TIER 4: Database
VPN
VPN: virtual private network
– A method to provide a secure connection between two networks over an insecure line.
– A VPN client connects to the VPN server. All networking from the client is directed to the server, which acts as the network gateway. So your network traffic is behind the firewall and you can access everything like normal.
VPN (2)
A VPN client connects to the VPN server.
– All networking from the client is directed to the server, which acts as the network gateway. So the client functions as if it were behind the firewall and can access everything like normal.
– Example: an employee goes on a business trip and connects to an unsecured network. They connect to the VPN server (via the client) and now have a secure connection to "work" over the unsecured network.
VPN Issues
Split tunneling
– Traffic to the "protected" network goes through the VPN connection.
– Everything else goes out the default route.
– Much more efficient, but not as secure.
When a user is working from, say, a hotel and VPNs to campus/office:
– Only traffic to the campus goes over the VPN.
– So now if there is an attacker in the hotel, they can go for the laptop, attack it, and now have direct access into the campus/office via the compromised laptop. Remember that VPN servers are deployed behind the firewall.
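The difference between split tunneling and a full tunnel is a routing-table difference on the client. The following is an added example written for these notes, not from the slides or from any VPN product: a minimal longest-prefix-match routing table with two constructed configurations, where 10.0.0.0/8 stands in for the campus network, 203.0.113.5 for the VPN server, `wlan0` for the hotel network and `tun0` for the VPN tunnel.

```python
"""Split-tunnel versus full-tunnel routing on a VPN client (added example, not
from the slides).  A tiny longest-prefix-match routing table shows which
interface each destination leaves by.  Network numbers are constructed."""
import ipaddress

CAMPUS_NET = "10.0.0.0/8"         # constructed: the protected campus/office network
VPN_SERVER = "203.0.113.5"        # constructed: public address of the VPN server


class RoutingTable:
    def __init__(self):
        self.routes = []   # list of (network, interface)

    def add(self, cidr, iface):
        self.routes.append((ipaddress.ip_network(cidr), iface))
        return self

    def lookup(self, ip):
        """Longest-prefix match: the most specific matching route wins."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def split_tunnel():
    # Only campus traffic enters the tunnel; everything else uses the hotel network.
    return (RoutingTable()
            .add("0.0.0.0/0", "wlan0")
            .add(CAMPUS_NET, "tun0"))


def full_tunnel():
    # Everything enters the tunnel except the packets to the VPN server itself,
    # which must still cross the hotel network to carry the tunnel.
    return (RoutingTable()
            .add("0.0.0.0/0", "tun0")
            .add(VPN_SERVER + "/32", "wlan0"))


def bypasses_vpn(table, dst_ip):
    """True when traffic to dst_ip leaves the laptop directly on the local network."""
    return table.lookup(dst_ip) == "wlan0"


if __name__ == "__main__":
    for name, table in (("split", split_tunnel()), ("full", full_tunnel())):
        for dst in ("10.4.0.5", "198.51.100.7", VPN_SERVER):
            print(name, dst, "->", table.lookup(dst))
```

Routing only decides where the laptop's own packets go; it does not stop the hotel network from reaching the laptop on `wlan0` in either configuration. The compromise path the slide describes is closed by combining the full tunnel with the host (software) firewall from the earlier slide, so that the only inbound traffic the laptop accepts on the local interface is the tunnel itself.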
In the VPN lecture, we look at how the VPN's encrypted tunnel is created using either IPsec or SSL/TLS.
Then other defensive measures can be used in conjunction with firewalls:
– IDS/NIPS
– "Smoke and mirrors" defenses