Presentation is loading. Please wait.

Presentation is loading. Please wait.

October 15, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint SOEN321-Information-Systems Security Revision.

Published byJanice Letitia Pierce Modified over 8 years ago

Similar presentations

Presentation on theme: "October 15, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint SOEN321-Information-Systems Security Revision."— Presentation transcript:

1 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 1 Intro to Internet-services from Security Standpoint SOEN321-Information-Systems Security Revision 1.3 Date: November 13, 2003

2 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 2 Connectivity As you know: –Networked computer are more open to the attacks –Attacks may come from an unknown source (if there is a number of access points) –Even over the phone lines connectivity matters. A connected system as secure as it’s most far-reaching point.

3 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 3 Disconnect! To lock a computer in a safe and cut all the wires, including power supply is often not a solution. The Internet is now a mission critical network for many businesses and research facilities. The Internet is a bar of good and bad peeps, with the former outnumbering the latter; however, the latter do usually posses tools to use the Internet to attack remotely, anonymously, etc. the interconnected computers.

4 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 4 Connecting Trusted Computers to an Untrustworthy Network How can we do it safely? –One way use a firewall to separate trusted stuff from the untrusted one. –A firewall can be either hardware (PC or router) or software or both, which sits in between the two stuffs. –It limits network access between the two security domains, and monitors and logs connections. –Filters out connections based on source/destinations addresses, ports, direction, etc.

5 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 5 Firewall Example, you you run a web server, you can set the firewall to let only the incoming HTTP connections through to communicate with the web browsers. The Morris Worm used finger protocol to spread, obviously you really wan to filter it out (in case you do use fingerd in your LAN at all).

6 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 6 Firewall Can split a network into more than two domains –The Internet is untrusted domain –Demilitarized zone (DMZ) – a semitrusted domain –Local domain

7 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 7 Firewall

8 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 8 Firewall Sometimes it is possible to for a special DMZ computer to connect to a local one: example a web server accessing an application or DB servers. But this connection is controlled. The firewall still sort of protects company’s machines even when DMZ is broken into.

9 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 9 Firewall What about its security? –It must be secure and attack proof, as much as possible; otherwise, what’s a point? –DoS attacks are still very possible. –Firewalls do not prevent tunneled attacks (that travel within allowed traffic) E.g. distributed COM objects can be used over HTTP. RPC (e.g. Win32 Blast) –A buffer overflow in the web server will NOT be stopped by a firewall, because HTTP is allowed. –Spoofing – pretending of an unauthorized host be an authorized one (e.g. IP ident and spoofing). –Inside attacks are not guarded against.

10 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 10 Firewall Types Packet Filters –Stateless –Stateful Application-level Gateways (proxies)

11 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 11 Packet Filters Real-time decisions are made to drop or forward a packet. Based on raw packet data, such as source and/or destination IP, port ##, headers, sizes, etc. and sometimes even application data (won’t always work). A: Very efficient, no buffering and assembly of packets; real-time. Totally transparent; easier to administer since no knowledge needed of the client and server software. Widely available. D: Rules are difficult to state and to test. Limited # of policies, and from rules it’s hard to see what exactly the policy is enforced.

12 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 12 Application Level Gateways Proxies Understanding of services being proxied (look at the application data within packets). Stubs, client, server. AC decisions made by the proxy. Decisions are at much more finer granularity. More extensive and accurate logging. Caching. NOT transparent: alteration of client software required to be able to talk to proxy vs. a server. Proxy versions of server software have to written as well, hence a lot of effort required to administer such firewalls. Performance penalties are pertinent.

13 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 13 Firewall vs. Sandbox Firewall protects network perimeter from adversarial input and all application and system software behind. Sandboxing mechanisms are at the level of computer security perimeter and protects System Software (e.g. OS) from untrusted applications.

14 October 15, 2002Serguei A. Mokhov, mokhov@cs.concordia.ca 14 Firewall vs. Intrusion-Detection System Firewalls are active entities, filtering packets according to some rules (active in a sense deciding to “allow or disallow” certain packets). –Network-level access control policy IDS in a general way is a passive entity observing ALL the traffic and logging it, but not stopping it (some IDS do take counteractions). –Auditing

Download ppt "October 15, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint SOEN321-Information-Systems Security Revision."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.

Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
October 22, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint, Part II SOEN321-Information-Systems Security.

October 22, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint, Part II SOEN321-Information-Systems Security.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

Similar presentations

Ads by Google