Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University."— Presentation transcript:

1 Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University of Hong Kong Department of Computer Science and Engineering

2 Security Issues on Distributed Systems 7 August, 1999 S 2 - Objective - What is “Firewall” ?? Definition and goals - Firewall Testing Methodology Design ( Hardware / Software/Configuration Setup) and Policy Performance and Security Testing - Result Analysis - Future Work and Conclusion - Q & A Agenda

3 Security Issues on Distributed Systems 7 August, 1999 S 3 Objective - To survey on the various distributed systems security related topics such as encryption and decryption schemes and firewall in the literature review - To evaluate the security control of different firewall configurations by doing testing on firewall with different security levels and proxy service -To investigate the impact of different levels of firewall security and measures on the performance of firewall system -To determine how well the various firewall systems in guarding the private network against some potential external attacks and scanning - To examine and try to deduce a relationship between security and performance from the testing result

4 Security Issues on Distributed Systems 7 August, 1999 S 4 What is “Firewall” ? Definition: - Logically, a firewall is a separator, a restricter, an analyzer that are used to protect the internal network against any attack. Usually installed at a point where the protected internal network connects to the Internet - A system, either software or hardware or both, that enforces access control policy between two networks. -The manifestation of a company security policy

5 Security Issues on Distributed Systems 7 August, 1999 S 5 What is “Firewall” ? Goals: -to restrict people to entering at a carefully controlled point -to prevent intruders from getting close to your other defenses -to restrict people to leaving at a carefully controlled point Acts a castle used to prevent us from the outside attacks.

6 Security Issues on Distributed Systems 7 August, 1999 S 6 Firewall Testing - Methodology - Setting up firewall with 7 different security levels by using different firewall policies, Level 1 < Level 2 …. < Level 7, by Screening rules set into the router Proxy server / system configurations - Performance Testing - test the network performance against different security levels of firewall with FTP, HTTP - Security Testing - verify the security levels by using network scanners such as “SAINT”, “NESSUS” and BSB monitor..etc

7 Security Issues on Distributed Systems 7 August, 1999 S 7 Firewall Testing - Design Test Bed Setup, HW, SW : Firewall Server - Linux, FWTK Home - Linux Router Internet Outside Attacker B Outside Attacker C Outside Attacker A

8 Security Issues on Distributed Systems 7 August, 1999 S 8 Firewall Testing - Policy Firewall Policy 1 - PERMIT any service unless it is expressly denied - Provide the maxi flexibility/access for internal & external users. Firewall Policy 2 - PERMIT any service unless it is expressly denied (same as config 1) - Disallow some problem service accesses from outside, but still provide flexible/easy access from outside, but no restriction on access from internal network to the Internet

9 Security Issues on Distributed Systems 7 August, 1999 S 9 Firewall Testing - Policy 2 Screening rules at router for Firewall policy 2 -No ip source routing -No ip spoofing (e.g. traffic from mail server to pc89180) -Deny DNS(TCP) traffic from outside -Deny TFTPD(UDP) from outside to port 69 -Deny link (TCP) from outside to port 97 -Deny SunRPC(UDP) & NFS(TCP) from outside to port 111 & 2049 -Deny lpd(TCP) from outside to port 515 -Allow ALL others from outside to the pc89180 and email -Allow ALL traffic from the internal network to outside - IP Masquerader - IP being translated at the gateway

10 Security Issues on Distributed Systems 7 August, 1999 S 10 Firewall Testing - Policy 3 Firewall Policy 3 (Level 2 +) - PERMIT any service unless it is expressly denied (same as config. 2) - An additional protection is added with ‘proxy service’ enabled in the firewall server. Specific traffic is further shielded and screened by the proxy server installed. - Any traffic going into the private network would be pre-screened at the router first, then it would be passed into the proxy server for further authentication and screening. Security level is raised because the network traffic is examined by both the router and proxy server.

11 Security Issues on Distributed Systems 7 August, 1999 S 11 Firewall Testing - Policy 4 & 5 Firewall Policy 4 (Level 3+) - PERMIT any service unless it is expressly denied (same as config. 1) - Allow even more restricted access from outside, and deny from selected bad HOSTs from outside. - Deny ICMP traffic from outside ( in response to the nessus report) Firewall Policy 5 - DENY any service unless it is expressly permitted. (or we say "that is not expressly permitted is prohibited") - Deny all access from outside by default, but allow access from inside. - Permit only authorized IPs access to the private network

12 Security Issues on Distributed Systems 7 August, 1999 S 12 Firewall Testing - Policy 6 & 7 Firewall Policy 6 (Level 5 + ) - DENY any service unless it is expressly permitted - A more restricted policy to permit outside access to certain port no.range only - e.g. restrict the TCP from outside at port > 1023 to pc89180 at port 80 - Permit only authorized IPs access to the private network Firewall Policy 7 (Level 6 + ) - DENY any service unless it is expressly permitted - Provide the least flexibility and services to the internal users, but incorporate maxi protection on the LAN. - Restrict the internal users using some Internet services e.g. Telnet, TFPT

13 Security Issues on Distributed Systems 7 August, 1999 S 13 Firewall Testing - Performance Test - Performance indicators: Total transaction time, Latency - FTP protocol Data Transfer from outside FTP server 5 M data, connections 1 to 10 1 M data, connection 1 to 10 395 K data, connection 1, 5, 10, 20, 40 - HTTP protocol Data retrieval from outside, 38.9 K data, connection 1 to 300

14 Security Issues on Distributed Systems 7 August, 1999 S 14 Firewall Testing - Security Test Tools : Network Scanner such as Nessus

15 Security Issues on Distributed Systems 7 August, 1999 S 15 Firewall Testing - Security Test Nessus Setup Screen:

16 Security Issues on Distributed Systems 7 August, 1999 S 16 Firewall Testing - Security Test Nessus - Attacks and Scanning to be choose :

17 Security Issues on Distributed Systems 7 August, 1999 S 17 Firewall Testing - Security Test Nessus Result Report generated after attack and scanning :

18 Security Issues on Distributed Systems 7 August, 1999 S 18 Firewall Testing - Security Test SAINT - Security Administrator's Integrated Network Tool

19 Security Issues on Distributed Systems 7 August, 1999 S 19 Firewall Testing - Security Test BSB - Monitor :

20 Security Issues on Distributed Systems 7 August, 1999 S 20 Result Analysis - Security Test When summarying all the report from scanner, it found that No. of warning and vulnerability count(s) Level1 10 Level 2 9 Level 37 Level 46 Level 5 6 Level 63 Level 70

21 Security Issues on Distributed Systems 7 August, 1999 S 21 Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, under firewall policy/configuration 1

22 Security Issues on Distributed Systems 7 August, 1999 S 22 Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, under firewall configuration 1,2

23 Security Issues on Distributed Systems 7 August, 1999 S 23 Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, under firewall configuration 1,2,3

24 Security Issues on Distributed Systems 7 August, 1999 S 24 Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, under firewall configuration 1,2,3,4

25 Security Issues on Distributed Systems 7 August, 1999 S 25 Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, with all the 7 firewall configurations

26 Security Issues on Distributed Systems 7 August, 1999 S 26 Result Analysis - Performance Testing - Data Transfer by HTTP Latency - with 395K data retrieval, with all the 7 firewall config.

27 Security Issues on Distributed Systems 7 August, 1999 S 27 Result Analysis - Performance Testing - Data Transfer by FTP TL average transaction time, with 5M data for transfer

28 Security Issues on Distributed Systems 7 August, 1999 S 28 Result Analysis - Performance Testing - Data Transfer by FTP TL min transaction time, with 5M data for transfer

29 Security Issues on Distributed Systems 7 August, 1999 S 29 Result Analysis - Performance Testing - Data Transfer by FTP TL average transaction time, with 1M data for transfer

30 Security Issues on Distributed Systems 7 August, 1999 S 30 Result Analysis - Performance Testing - Data Transfer by FTP TL average transaction time, with 38.9K data for transfer

31 Security Issues on Distributed Systems 7 August, 1999 S 31 Result Analysis - Performance Testing - Data Transfer by FTP Average latency Time, with 38.9K data for transfer

32 Security Issues on Distributed Systems 7 August, 1999 S 32 Result Summary & Conclusion More connection requests, more traffic collision, performance be more affected by external traffic interference Overhead - significant when it outweighs/is comparable with the transaction time used, especially using proxy servers Larger/smaller size of data for transfer, more/less transaction time More security --> more overhead ---> poor performance L1>L3 Security - Performance Relationship ~~ overhead added with more security control with respect to higher level of security, except that the added security control NOT incur any overhead

33 Security Issues on Distributed Systems 7 August, 1999 S 33 Future Work

34 Security Issues on Distributed Systems 7 August, 1999 S 34 Calculate performance index ?

35 Security Issues on Distributed Systems 7 August, 1999 S 35 More about future work... More repeated testing on different size of data, connection numbers and some other firewall parameters Restructure the security of seven levels -- more difference between one another

36 Security Issues on Distributed Systems 7 August, 1999 S 36 Finally ….

37 Security Issues on Distributed Systems 7 August, 1999 S 37 Mainly 2 Problems... 1.Outside interference to performance testing ~ irregularities of curves needs more testing to smooth out 2.Security level definition for firewall Easy to define, difficult to achieve and guarantee

38 Security Issues on Distributed Systems 7 August, 1999 S 38 Screening rule ….. checkings Phase 2 : access-list 100 deny udp any host 137.189.89.250 eq tftp access-list 100 deny tcp any host 137.189.89.250 eq 97 access-list 100 deny tcp any host 137.189.89.250 eq sunrpc access-list 100 deny udp any host 137.189.89.250 eq sunrpc access-list 100 deny tcp any host 137.189.89.250 eq 2049 access-list 100 deny tcp any host 137.189.89.250 eq lpd access-list 100 permit ip any any The no. of rules to permit packet Phase 7 12 Phase 620 Phase5 20 Phase 424 Phase 3/2 7

Download ppt "Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Firewall Configuration Strategies

Firewall Configuration Strategies
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Similar presentations

Ads by Google