ch 4 cse (2).ppt

OSI MODEL

Data unit        Layer             Function
---------------  ----------------  ---------------------------------------------------------------
Host layers
Data             7. Application    Network process to application
Data             6. Presentation   Data representation, encryption and decryption; converting machine-dependent data to machine-independent data
Data             5. Session        Inter-host communication; managing sessions between applications
Segments         4. Transport      Reliable delivery of packets between points on a network
Media layers
Packet/Datagram  3. Network        Addressing, routing and (not necessarily reliable) delivery of datagrams between points on a network
Bit/Frame        2. Data link      A reliable direct point-to-point data connection
Bit              1. Physical       A (not necessarily reliable) direct point-to-point data connection

Upload: bhaskar-dharmadhikari

Post on 19-Nov-2015


TRANSCRIPT

  • Circuit Level Gateway


    Fig- Circuit-level gateway: outside host and outside connection (OUT), inside host and inside connection (IN)

    Circuit Level Gateway
    A stand-alone system, or a specialized function performed by an application-level gateway. It sets up two TCP connections: one between itself and a TCP user on an inside host, and one between itself and a TCP user on an outside host. The gateway typically relays TCP segments from one connection to the other without examining the contents.

    Circuit Level Gateway
    The security function consists of determining which connections will be allowed. The typical use is a situation in which the system administrator trusts the internal users. An example is the SOCKS package.

    Socket Secure (SOCKS) is an Internet protocol that routes network packets between a client and a server through a proxy server. SOCKS5 additionally provides authentication, so only authorized users may access a server. In practice, a SOCKS server proxies TCP connections to an arbitrary IP address and provides a means for UDP packets to be forwarded.
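What a circuit-level gateway actually decides, as an added example (not code from the slides): parse a SOCKS5 CONNECT request in the RFC 1928 byte layout, apply an allow policy, and build the reply. The destination ports and internal address ranges in the policy are constructed for this example; a real gateway would then open the outbound TCP connection and relay bytes blindly, as the slide describes.

```python
"""Circuit-level gateway front end: decode a SOCKS5 CONNECT request (RFC 1928
byte layout) and decide whether the circuit may be set up. Added example, not
from the slides; the policy values are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# REP codes from RFC 1928 section 6
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x01, 0x02, 0x07

# Constructed policy: internal users are trusted, but a circuit may only go to
# these destination ports and never back into the organisation's own ranges.
ALLOWED_PORTS = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Request:
    cmd: int
    dst_host: str      # dotted IPv4, IPv6 text, or a domain name (ATYP 0x03)
    dst_port: int


def parse_request(raw: bytes) -> Request:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; ValueError on malformed input."""
    if len(raw) < 4:
        raise ValueError("request too short")
    ver, cmd, _rsv, atyp = raw[:4]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    body = raw[4:]
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + (body[0] if body else 0)      # one length byte, then the name
    else:
        raise ValueError("unknown address type")
    if len(body) != addr_len + 2:                    # address + 2-byte port, nothing else
        raise ValueError("length does not match address type")
    if atyp == ATYP_DOMAIN:
        host = body[1:addr_len].decode("ascii")
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(body[:4]))
    else:
        host = str(ipaddress.IPv6Address(body[:16]))
    (port,) = struct.unpack("!H", body[addr_len:])
    return Request(cmd, host, port)


def allowed_by_policy(req: Request) -> bool:
    """The circuit-level security function: decide which connections are relayed."""
    if req.dst_port not in ALLOWED_PORTS:
        return False
    try:
        ip = ipaddress.ip_address(req.dst_host)
    except ValueError:
        return True     # domain name: a real gateway resolves it and re-checks the address
    return not any(ip in net for net in INTERNAL_NETS)


def build_reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT, with an all-zero IPv4 binding."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6


def handle_request(raw: bytes) -> Tuple[int, Optional[Request]]:
    """Gateway decision for one request: (REP code, decoded request or None)."""
    try:
        req = parse_request(raw)
    except ValueError:
        return REP_GENERAL_FAILURE, None
    if req.cmd != CMD_CONNECT:                 # BIND / UDP ASSOCIATE are not offered here
        return REP_CMD_NOT_SUPPORTED, req
    if not allowed_by_policy(req):
        return REP_NOT_ALLOWED, req
    # A real gateway now opens the second TCP connection to dst_host:dst_port and
    # relays bytes between the two sockets without inspecting them.
    return REP_SUCCEEDED, req


# Constructed client requests for trying the gateway out
def ipv4_request(host: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    return bytes([SOCKS_VERSION, cmd, 0x00, ATYP_IPV4]) + ipaddress.IPv4Address(host).packed + struct.pack("!H", port)


def domain_request(name: str, port: int) -> bytes:
    raw = name.encode("ascii")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(raw)]) + raw + struct.pack("!H", port)


if __name__ == "__main__":
    for raw in (ipv4_request("203.0.113.10", 443), ipv4_request("10.0.0.5", 443),
                ipv4_request("203.0.113.10", 22), domain_request("example.com", 80)):
        rep, req = handle_request(raw)
        print(req, "-> REP", hex(rep), build_reply(rep).hex())
```

Note that the policy never looks at the bytes that will later flow over the circuit; that is exactly the trade-off the slide describes, and why a circuit-level gateway is chosen only where the inside users are trusted.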

    Firewalls Aren't Perfect
    - Useless against attacks from the inside
        - An evildoer exists on the inside
        - Malicious code is executed on an internal machine
    - Organizations with a greater insider threat: banks and the military
    - Protection must exist at each layer; assess the risks of threats at every layer
    - Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of operating systems and file types

    Bastion Host

    - A highly secure host system that runs circuit-level or application-level gateways, or provides externally accessible services
    - Potentially exposed to "hostile" elements, hence secured to withstand this: hardened OS, only essential services, extra authentication
    - Proxies are small, secure, independent and non-privileged
    - May support two or more network connections
    - May be trusted to enforce a policy of trusted separation between these network connections

    It is common to base a firewall on a stand-alone machine running a common operating system, such as UNIX or Linux. Firewall functionality can also be implemented as a software module in a router or LAN switch.

    A bastion host is a critical strong point in the network's security, serving as a platform for an application-level or circuit-level gateway, or for external services. It is thus potentially exposed to "hostile" elements and must be secured to withstand this. Common characteristics of a bastion host:
    - It executes a secure version of its operating system, making it a trusted system.
    - Only essential services are installed on the bastion host.
    - It may require additional authentication before a user is allowed access to the proxy services.
    - Each proxy is configured to support only a subset of the standard application's commands and to allow access only to specific hosts.
    - Each proxy maintains detailed audit information by logging all traffic.
    - Each proxy module is a very small software package specifically designed for network security.
    - Each proxy is independent of the other proxies on the bastion host.
    - A proxy generally performs no disk access other than to read its initial configuration file.
    - Each proxy runs as a non-privileged user in a private and secured directory.

    A bastion host may have two or more network interfaces (or ports), and must be trusted to enforce trusted separation between these network connections, relaying traffic only according to policy.

    Host-Based Firewalls
    - A software module used to secure an individual host
    - Available in many operating systems, or can be provided as an add-on package
    - Often used on servers
    - Advantages:
        - Filtering rules can be tailored to the host environment
        - Protection is provided independent of topology
        - Provides an additional layer of protection


    A host-based firewall is a software module used to secure an individual host. Such modules are available in many operating systems or can be provided as an add-on package. Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets. A common location for such firewalls is a server. There are several advantages to the use of a server-based or workstation-based firewall:
    - Filtering rules can be tailored to the host environment. Specific corporate security policies for servers can be implemented, with different filters for servers used for different applications.
    - Protection is provided independent of topology. Thus both internal and external attacks must pass through the firewall.
    - Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection. A new type of server can be added to the network, with its own firewall, without the necessity of altering the network firewall configuration.

    Firewall Configurations: Single-homed bastion host

    As Figure A indicates, a firewall is positioned to provide a protective barrier between an external, potentially untrusted source of traffic and an internal network. With that general principle in mind, a security administrator must decide on the location and on the number of firewalls needed. In addition to the use of a simple configuration consisting of a single system, more complex configurations are possible and indeed more common. The figures illustrate common firewall configurations.

    In the screened host firewall, single-homed bastion configuration, the firewall consists of two systems:
    - a packet-filtering router, which allows Internet packets to/from the bastion only
    - a bastion host, which performs authentication and proxy functions

    This configuration has greater security, as it implements both packet-level and application-level filtering, generally forces an intruder to penetrate two separate systems to compromise internal security, and also affords flexibility in providing direct Internet access to specific internal servers (e.g., web) if desired.

    Firewall Configurations: Dual-homed bastion host

    Figure B illustrates the screened host firewall, dual-homed bastion configuration, which physically separates the external and internal networks, ensuring that two systems must be compromised to breach security. The advantages of dual layers of security are also present here. Again, an information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy, but they are now separated from the internal network.

    Firewall Configurations: Screened-subnet firewall

    Figure C shows the screened subnet firewall configuration, the most secure of those shown. It has two packet-filtering routers, one between the bastion host and the Internet and the other between the bastion host and the internal network, creating an isolated subnetwork. This may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability. Typically, both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked. This configuration offers several advantages:
    - There are now three levels of defense to thwart intruders.
    - The outside router advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet.
    - Similarly, the inside router advertises only the existence of the screened subnet to the internal network; hence systems on the inside network cannot construct direct routes to the Internet.

    What is a VPN?
    A virtual private network (VPN) is a network that uses a public means of transmission (the Internet) as its WAN link.

    What is a VPN? (Cont.)
    A VPN can be created by connecting offices and single users (including mobile users) to the nearest service provider's POP (Point of Presence) and using that service provider's backbone network, or even the Internet, as the tunnel between offices. (Tunneling encapsulates one network's packets inside another protocol so that data can be moved securely from one network to another.) Traffic that flows through the backbone is encrypted to prevent intruders from spying on or intercepting the data.

    What is a VPN? (Cont.)

  • Who uses VPNs?
    VPNs can be found in homes, workplaces, or anywhere else as long as an ISP (Internet Service Provider) is available. VPNs allow company employees who travel often, or who are outside their company headquarters, to safely and securely connect to their company's intranet.


    All 3 types of VPN

    VPN Protocols
    There are three main protocols that power the vast majority of VPNs:
    - PPTP
    - L2TP
    - IPsec
    All three are used to build authenticated, encrypted tunnels (L2TP by itself provides no encryption and is normally paired with IPsec as L2TP/IPsec), preserving the integrity of data that may be sensitive and allowing clients/servers to establish an identity on the network.

    VPN Protocols (in depth)
    Point-to-Point Tunneling Protocol (PPTP)
    - PPTP is widely supported by Microsoft, as it is built into the various versions of the Windows OS
    - PPTP had weak security features from the start; its authentication and encryption are now considered broken, so it should be treated as a legacy protocol rather than chosen for new deployments
    Layer Two Tunneling Protocol (L2TP)
    - L2TP was the original competitor to PPTP and was implemented primarily in Cisco products
    - L2TP combines the best features of an older protocol, L2F (Layer 2 Forwarding), and PPTP
    - L2TP exists at the data link layer (Layer 2) of the OSI model

    VPN Protocols (continued)
    Internet Protocol Security (IPsec) provides enhanced security features such as stronger encryption algorithms and more comprehensive authentication. IPsec has two modes: tunnel and transport. Tunnel mode encrypts the whole original IP packet, header and payload, and wraps it in a new outer IP header addressed to the gateways; transport mode encrypts only the payload and leaves the original IP header in the clear. Only systems that are IPsec compliant can take advantage of this protocol. IPsec can encrypt data between various devices, such as:
    - Router to router
    - Firewall to router
    - PC to router
    - PC to server
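To make the tunnel/transport distinction concrete, here is an added example (not code from the slides) that builds both ESP encapsulations over the same inner packet and shows what an on-path observer can read from each. The IPv4 and ESP byte layouts follow the RFCs, but the cipher is a stand-in built from HMAC-SHA256 because the Python standard library has no AES-GCM; the addresses, key and payload are constructed.

```python
"""ESP in transport mode versus tunnel mode, to show what each mode leaves in
the clear. Added example, not from the slides: the IPv4 and ESP byte layouts
are the real ones, but the cipher is a stand-in (HMAC-SHA256 keystream plus an
HMAC ICV) because the standard library has no AES-GCM; a real SA uses the
negotiated algorithms. Addresses, key and payload are constructed."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Tuple

PROTO_TCP, PROTO_IPIP, PROTO_ESP = 6, 4, 50
IPV4_FMT = "!BBHHHBBH4s4s"
ICV_LEN = 12


def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def _keys(key: bytes) -> Tuple[bytes, bytes]:
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"auth" + key).digest()


def _keystream(k_enc: bytes, spi: int, seq: int, n: int) -> bytes:
    # Nonce = SPI || sequence number; ESP's anti-replay counter ensures it never repeats on an SA.
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def esp_encapsulate(key: bytes, spi: int, seq: int, next_header: int, plaintext: bytes) -> bytes:
    """SPI | SEQ | encrypted(payload | pad len | next header) | ICV  (RFC 4303 layout)."""
    k_enc, k_auth = _keys(key)
    hdr = struct.pack("!II", spi, seq)
    body = plaintext + bytes([0, next_header])            # trailer: pad length 0, then Next Header
    ct = bytes(a ^ b for a, b in zip(body, _keystream(k_enc, spi, seq, len(body))))
    icv = hmac.new(k_auth, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]   # covers ESP header + ciphertext only
    return hdr + ct + icv


def esp_decapsulate(key: bytes, esp: bytes) -> Tuple[int, bytes]:
    """Verify the ICV, then decrypt; returns (next header, plaintext)."""
    k_enc, k_auth = _keys(key)
    hdr, ct, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(k_auth, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", hdr)
    body = bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, spi, seq, len(ct))))
    return body[-1], body[:-2]


def transport_mode(key: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    """The original IP header stays in the clear; only the transport payload is protected."""
    ip_hdr, payload = inner[:20], inner[20:]
    esp = esp_encapsulate(key, spi, seq, ip_hdr[9], payload)             # Next Header = original protocol
    return ipv4_header(str(IPv4Address(ip_hdr[12:16])), str(IPv4Address(ip_hdr[16:20])), PROTO_ESP, len(esp)) + esp


def tunnel_mode(key: bytes, spi: int, seq: int, inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """The whole original packet (header and payload) is protected; a new outer header names the gateways."""
    esp = esp_encapsulate(key, spi, seq, PROTO_IPIP, inner)             # Next Header = 4, IP-in-IP
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


def visible_addresses(packet: bytes) -> Tuple[str, str]:
    """What an observer on the path reads from the outer header."""
    return str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))


# Constructed traffic: a host behind gateway 198.51.100.1 talking to a host behind 203.0.113.1
KEY = b"constructed-demo-key"
PAYLOAD = b"GET /secret/report HTTP/1.1"
INNER = ipv4_header("10.1.1.5", "10.2.2.9", PROTO_TCP, len(PAYLOAD)) + PAYLOAD

if __name__ == "__main__":
    t = transport_mode(KEY, 0x1001, 1, INNER)
    u = tunnel_mode(KEY, 0x1002, 1, INNER, "198.51.100.1", "203.0.113.1")
    print("transport mode, observer sees:", visible_addresses(t))
    print("tunnel mode, observer sees:   ", visible_addresses(u))
    print("tunnel decapsulates to original packet:", esp_decapsulate(KEY, u[20:]) == (PROTO_IPIP, INNER))
```

In transport mode the observer still learns which two hosts are talking (10.1.1.5 and 10.2.2.9); in tunnel mode only the two gateways are visible, which is why gateway-to-gateway VPNs use tunnel mode. The ICV is checked before anything is decrypted, so a modified packet is rejected rather than decrypted into garbage.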

    Security Topologies
    Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk. Firewalls deployed on the network edge enforce security policies and create choke points on network perimeters. Security topologies include demilitarized zones (DMZs), extranets, and intranets.


    Security Topologies (cont.)
    The firewall must be the gateway for all communications between trusted networks and untrusted or unknown networks. The firewall should selectively admit or deny data flows from other networks based on several criteria:
    - Type (protocol)
    - Source
    - Destination
    - Content

    Security Zones
    Three main security zones:
    - Trusted sites
    - Unclassified sites
    - Restricted sites

    e.g., Internet Explorer, which includes 4 predefined zones.

    Creating and designing security zones
    Go to the Tools menu, click Internet Options, and then click the Security tab.
    - Internet (medium)
    - Local intranet (membership by LAN, IP address or FQDN)
    - Trusted sites (low)
    - Restricted sites (high)
    Security settings: security level (high, medium, medium-low or low), Sites, Custom level, Default level


    DMZ (Demilitarized Zone)
    - Used by a company to host its own Internet services without exposing its private network to unauthorized access
    - Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts
    - Traffic originating from it should be filtered

    DMZ
    Typically contains devices accessible to Internet traffic:
    - Web (HTTP) servers
    - FTP servers
    - SMTP (e-mail) servers
    - DNS servers
    An optional, more secure approach than a simple firewall; may include a proxy server.

    DMZ Design Goals
    - Minimize the scope of damage
    - Protect sensitive data on the server
    - Detect the compromise as soon as possible
    - Minimize the effect of the compromise on other organizations
    The bastion host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.

    DMZ Design Goals
    A useful mechanism for meeting these goals is to filter traffic initiated from the DMZ network toward the Internet. This impairs an attacker's ability to make a vulnerable host communicate back to the attacker's host, may keep the vulnerable host from being exploited altogether, and keeps a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks. The key is to limit traffic to only what is needed and to drop what is not required, even if the traffic is not a direct threat to your internal network.

    DMZ Design Goals
    Filtering DMZ traffic also identifies traffic coming in on the DMZ interface of the firewall or router that carries a source IP address outside the DMZ network number (spoofed traffic). The firewall or router should be configured to log such traffic or raise a rule alert that notifies the administrator.
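The screened-subnet rules (outside router, inside router) from the firewall-configuration slides and the DMZ egress filtering and anti-spoofing alert from the three slides above, as an added example rather than anything from the slides. Each screening router is modelled as a small stateless packet filter; the networks, interface names, ports and sample packets are constructed. A stateless filter can only approximate "packets that have already been requested" by the TCP SYN/ACK flags, which is the check a stateful firewall does properly.

```python
"""Stateless packet filters for the screened-subnet design: an outside router
between the Internet and the DMZ, an inside router between the DMZ and the
internal network, with DMZ egress filtering and anti-spoofing alerts. Added
example, not from the slides; addresses, ports and interface names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")        # the screened subnet
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BASTION = ipaddress.ip_network("192.0.2.10/32")


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet arrived on
    src: str
    dst: str
    proto: str               # "tcp" or "udp"
    dport: int
    syn_only: bool = True    # TCP SYN without ACK, i.e. a new connection attempt


@dataclass
class Rule:
    action: str                         # "allow" or "drop"
    iface: str
    src: Net = ANY
    dst: Net = ANY
    proto: Optional[str] = None
    dports: Optional[Set[int]] = None
    new_conn: Optional[bool] = None     # True: new connections only; False: return traffic only
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and (self.dports is None or p.dport in self.dports)
                and self.new_conn in (None, p.syn_only))


class PacketFilter:
    """First match wins; anything unmatched is dropped and logged (default deny)."""

    def __init__(self, name: str, rules: List[Rule], expected_src: Dict[str, Net]):
        self.name, self.rules, self.expected_src = name, rules, expected_src
        self.log: List[str] = []

    def decide(self, p: Packet) -> str:
        # Anti-spoofing before the rule table: a packet arriving on an interface must
        # carry a source address from the network that actually sits behind it.
        net = self.expected_src.get(p.iface)
        if net is not None and ipaddress.ip_address(p.src) not in net:
            self.log.append(f"{self.name} ALERT: spoofed source {p.src} on {p.iface}, expected {net}")
            return "drop"
        for r in self.rules:
            if r.matches(p):
                if r.action == "drop":
                    self.log.append(f"{self.name}: drop {p.src}->{p.dst}:{p.dport}/{p.proto} ({r.note})")
                return r.action
        self.log.append(f"{self.name}: drop {p.src}->{p.dst}:{p.dport}/{p.proto} (default deny)")
        return "drop"


OUTSIDE_ROUTER = PacketFilter("outside", [
    Rule("drop", "wan", src=INTERNAL_NET, note="internal source address arriving from the Internet"),
    Rule("drop", "wan", src=DMZ_NET, note="DMZ source address arriving from the Internet"),
    Rule("allow", "wan", dst=BASTION, proto="tcp", dports={25, 80, 443}),   # only the bastion is reachable
    # DMZ egress: only what the bastion needs to do its job; everything else it sends is dropped
    Rule("allow", "dmz", src=BASTION, proto="tcp", dports={25}),
    Rule("allow", "dmz", src=DMZ_NET, proto="udp", dports={53}),
    Rule("allow", "dmz", src=DMZ_NET, proto="tcp", new_conn=False),         # replies to inbound connections
], expected_src={"dmz": DMZ_NET})

INSIDE_ROUTER = PacketFilter("inside", [
    Rule("allow", "lan", src=INTERNAL_NET, dst=DMZ_NET, proto="tcp", dports={25, 80, 443}),
    # The bastion may answer internal hosts but cannot open a session into the private network
    Rule("allow", "dmz", src=DMZ_NET, dst=INTERNAL_NET, proto="tcp", new_conn=False),
], expected_src={"dmz": DMZ_NET, "lan": INTERNAL_NET})


if __name__ == "__main__":
    for fw, pkt in [
        (OUTSIDE_ROUTER, Packet("wan", "198.51.100.7", "192.0.2.10", "tcp", 443)),
        (OUTSIDE_ROUTER, Packet("wan", "198.51.100.7", "10.1.1.25", "tcp", 25)),
        (OUTSIDE_ROUTER, Packet("dmz", "192.0.2.10", "198.51.100.9", "tcp", 8080)),
        (OUTSIDE_ROUTER, Packet("dmz", "203.0.113.7", "198.51.100.9", "tcp", 80)),
        (INSIDE_ROUTER, Packet("dmz", "192.0.2.10", "10.1.1.25", "tcp", 25)),
    ]:
        print(fw.name, pkt.src, "->", pkt.dst, pkt.dport, fw.decide(pkt))
    print("\n".join(OUTSIDE_ROUTER.log + INSIDE_ROUTER.log))
```

The three levels of defense are visible in the decisions: an Internet host reaches only the bastion, the bastion may only talk outward on the ports its services need, and the inside router refuses any new connection from the DMZ into 10.0.0.0/8. The spoofed 203.0.113.7 packet on the DMZ interface never reaches the rule table; it is dropped and produces the ALERT line the slide asks for.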

    Intranet
    - Typically a collection of all LANs inside the firewall (the campus network)
    - Either a network topology or an application (usually a Web portal) used as a single point of access to deliver services to employees
    - Shares company information and computing resources among employees
    - Allows access to the public Internet through firewalls that screen communications in both directions to maintain company security

    Extranet
    A private network that uses the Internet protocol and the public telecommunication system to provide various levels of accessibility to outsiders. It requires security and privacy:
    - Firewall management
    - Issuance and use of digital certificates or other user authentication
    - Encryption of messages
    - Use of VPNs that tunnel through the public network

    VLAN Introduction
    VLANs logically segment switched networks based on the functions, project teams, or applications of the organization, regardless of the physical location of, or connections to, the network. All workstations and servers used by a particular workgroup share the same VLAN, regardless of the physical connection or location.

    VLAN Introduction
    A workstation in a VLAN group is restricted to communicating with file servers in the same VLAN group, unless the traffic is routed between VLANs at Layer 3.


    VLAN Introduction
    VLANs function by logically segmenting the network into different broadcast domains, so that packets are only switched between ports that are designated for the same VLAN. Routers in VLAN topologies provide broadcast filtering, security, and traffic flow management.


    VLAN Introduction
    VLANs address scalability, security, and network management. Switches may not bridge any traffic between VLANs, as this would violate the integrity of the VLAN broadcast domain. Traffic should only be routed between VLANs.

    Broadcast domains with VLANs and routers
    A VLAN is a broadcast domain created by one or more switches.

    Broadcast domains with VLANs and routers
    Layer 3 routing allows the router to send packets between the three different broadcast domains.

    VLAN operation
    Each switch port can be assigned to a different VLAN. Ports assigned to the same VLAN share broadcasts. Ports that do not belong to that VLAN do not receive those broadcasts.

    VLAN operation
    Users attached to the same shared segment share the bandwidth of that segment. Each additional user attached to the shared medium means less bandwidth per user and falling network performance. VLANs offer more bandwidth to users than a shared network. By default every switch port belongs to VLAN 1, which is also the default management VLAN; VLAN 1 cannot be deleted, although the management function can be moved to a dedicated VLAN. Ports may be reassigned to other VLANs.

    VLAN operation
    Dynamic VLANs assign membership based on the MAC address of the device connected to the switch port. As a device enters the network, the switch looks up the device's MAC address in a VLAN membership database (on Cisco switches, a VMPS server) to find its VLAN.

    VLAN operation
    In port-based or port-centric VLAN membership, the port is assigned to a specific VLAN independent of the user or system attached to the port. All users of the same port must be in the same VLAN.


    Benefits of VLANs
    The key benefit of VLANs is that they permit the network administrator to organize the LAN logically instead of physically.
    - Performance
    - Formation of virtual workgroups
    - Simplified administration
    - Reduced cost (eliminates the need for expensive routers to segment the LAN)
    - Security
    - Improved management

    VLAN Limitations
    - Broadcast limitations
    - Device limitations
    - Port constraints

    VLAN types
    There are three basic VLAN memberships for determining and controlling how a packet gets assigned:
    - Port-based VLANs
    - MAC address-based VLANs
    - Protocol-based VLANs, e.g.:
          Protocol: IP                         -> VLAN 1
          Membership by IP subnet address:     23.2.24 -> VLAN 1
    - Higher-layer VLANs
    The frame headers are encapsulated or modified to reflect a VLAN ID before the frame is sent over the link between switches. Before forwarding to the destination device, the frame header is changed back to the original format.


    Membership by Port
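How the VLAN ID is carried on the link between switches and how a switch floods broadcasts only to ports in the same VLAN, as an added example (not code from the slides). It inserts and strips an 802.1Q tag and models a switch with access ports and one trunk; the port names, MAC addresses and VLAN numbers are constructed.

```python
"""802.1Q tagging on a trunk link and per-VLAN flooding inside a switch. Added
example, not from the slides; MAC addresses, port names and VLAN numbers are
constructed."""
import struct
from typing import Dict, List, Set, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert TPID + TCI (PCP:3 DEI:1 VID:12) between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:                      # 0 is a priority-only tag, 4095 is reserved
        raise ValueError("VLAN ID out of range")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> Tuple[int, bytes]:
    """Return (VID, frame with the tag removed); ValueError if the frame is not tagged."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry a tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    return tci & 0x0FFF, frame[:12] + frame[16:]


class Switch:
    """Access ports carry one VLAN untagged; trunk ports carry every VLAN tagged.
    The MAC table is keyed by (VLAN, MAC), so a station is only ever known inside its own VLAN."""

    def __init__(self, access: Dict[str, int], trunks: Set[str]):
        self.access, self.trunks = access, trunks
        self.mac_table: Dict[Tuple[int, bytes], str] = {}

    def ports(self) -> List[str]:
        return list(self.access) + sorted(self.trunks)

    def forward(self, in_port: str, frame: bytes) -> Dict[str, bytes]:
        """Return {egress port: frame as transmitted}; an empty dict means the frame was filtered."""
        if in_port in self.trunks:
            vid, frame = untag_frame(frame)
        else:
            vid = self.access[in_port]             # port-based membership: decided by the port, not the host
        dst, src = frame[:6], frame[6:12]
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if known == in_port:
            return {}                              # destination is on the ingress segment already
        if known is not None:
            targets = [known]
        else:                                      # broadcast or unknown unicast: flood, but only inside the VLAN
            targets = [p for p in self.ports()
                       if p != in_port and (p in self.trunks or self.access[p] == vid)]
        return {p: tag_frame(frame, vid) if p in self.trunks else frame for p in targets}


def eth(dst: bytes, src: bytes, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload


# Constructed stations and a switch with Gi1, Gi2 in VLAN 10, Gi3 in VLAN 20, Gi4 as the trunk
HOST_A, HOST_B, HOST_C, HOST_D = (bytes.fromhex("02000000000" + x) for x in "abcd")


def demo() -> Tuple[Dict[str, bytes], ...]:
    sw = Switch(access={"Gi1": 10, "Gi2": 10, "Gi3": 20}, trunks={"Gi4"})
    out1 = sw.forward("Gi1", eth(BROADCAST, HOST_A, b"ARP who-has 10.0.10.2"))          # VLAN 10 broadcast
    out2 = sw.forward("Gi3", eth(HOST_A, HOST_C, b"ICMP echo to a VLAN 10 host"))       # A is unknown in VLAN 20
    out3 = sw.forward("Gi2", eth(HOST_A, HOST_B, b"ARP reply"))                          # learned unicast, VLAN 10
    out4 = sw.forward("Gi4", tag_frame(eth(BROADCAST, HOST_D, b"from the other switch"), 20))  # tagged on trunk
    return out1, out2, out3, out4


if __name__ == "__main__":
    for i, out in enumerate(demo(), 1):
        print(i, {port: ("tagged" if port == "Gi4" else "untagged") for port in out})
```

The second frame is the point of the "restricted to the same VLAN" slide: host C in VLAN 20 addresses host A's MAC directly, but the switch knows A only under (10, A), so the frame is flooded to the VLAN 20 ports (just the trunk) and never reaches Gi1. Getting from VLAN 20 to VLAN 10 requires a router, not the switch.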

    Email Security
    Electronic mail sends text, pictures, videos and sounds. Security is an extremely important issue.
    An email message has two portions, content and header (like the postal system).
    - Header: followed by the actual message contents. Header fields include From, To, Subject and Date.

    Threats to E-mail
    - Message interception (confidentiality)
    - Message interception (blocked delivery)
    - Message content modification
    - Message origin modification
    - Message content forgery (fake, dummy) by an outsider
    - Message origin forgery by an outsider
    - Message content forgery by the recipient
    - Message origin forgery by the recipient
    - Denial of message transmission

    E-mail Threats
    Viruses: common threats; types include worms and Trojans
    - Program code that replicates itself by being copied
    - Comes from an innocent-looking email or attachment
    - Dangerous because they arrive in email from people you know
    Spam: billions sent every day
    - Electronic junk mail or junk newsgroup postings; unsolicited email
    - Real spam is generally email advertising for some product sent to a mailing list or newsgroup
    - Besides wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth


    E-mail Threats
    Phishing: the fraudulent (criminal, illegal) practice of sending emails purporting (seeming) to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.
    - e.g., a simulated bank
    - Directs you to a false site
    - Asks you to confirm your account information
    - The false site looks like the real website


    SMTP
    Simple Mail Transfer Protocol; request/response based.


    Fig- Email using SMTP protocol

    The gateway in the figure is like a NAT box, i.e., a home router.
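The request/response exchange of the SMTP figure, as an added example (not code from the slides): a small SMTP server state machine driven by a scripted client, followed by a check that ties two of the threats listed earlier, message origin forgery and phishing, to the protocol itself. Hostnames, addresses and the dialogue are constructed.

```python
"""SMTP as a request/response exchange, modelled as a server-side state machine,
plus the check that exposes message-origin forgery: the header From: is free text
that nothing in SMTP ties to the envelope sender (MAIL FROM). Added example, not
from the slides; hostnames, addresses and the dialogue are constructed."""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional


@dataclass
class Message:
    envelope_from: str        # MAIL FROM, the return path
    envelope_to: List[str]    # RCPT TO
    data: str                 # headers and body exactly as transferred


def _parse_path(arg: str, keyword: str) -> Optional[str]:
    """'FROM:<user@host>' -> 'user@host'; '<>' (null sender) -> ''; None when malformed."""
    if not arg.upper().startswith(keyword):
        return None
    rest = arg[len(keyword):].strip()
    return rest[1:-1] if rest.startswith("<") and rest.endswith(">") else None


class SmtpServer:
    def __init__(self, hostname: str = "mail.example.net"):
        self.hostname, self.greeted, self.in_data = hostname, False, False
        self.messages: List[Message] = []
        self._reset()

    def _reset(self) -> None:
        self.mail_from: Optional[str] = None
        self.rcpt_to: List[str] = []
        self.lines: List[str] = []

    def handle(self, line: str) -> Optional[str]:
        """One client line in, one numbered reply out (None while DATA is being received)."""
        if self.in_data:
            if line != ".":
                self.lines.append(line[1:] if line.startswith(".") else line)   # undo dot-stuffing
                return None
            self.in_data = False
            self.messages.append(Message(self.mail_from, self.rcpt_to, "\r\n".join(self.lines)))
            self._reset()
            return "250 OK: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 Syntax: HELO hostname"
            self.greeted = True
            return f"250 {self.hostname}"          # a real server also lists its extensions after EHLO
        if verb == "MAIL":
            if not self.greeted:
                return "503 Send HELO/EHLO first"
            self.mail_from = _parse_path(arg, "FROM:")
            return "250 OK" if self.mail_from is not None else "501 Syntax: MAIL FROM:<address>"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command"
            path = _parse_path(arg, "TO:")
            if not path:
                return "501 Syntax: RCPT TO:<address>"
            self.rcpt_to.append(path)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def run_session(server: SmtpServer, client_lines: List[str]) -> List[str]:
    """Feed a scripted client to the server and collect every reply, greeting first."""
    replies = [f"220 {server.hostname} ESMTP ready"]
    for line in client_lines:
        reply = server.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies


def origin_mismatch(msg: Message) -> bool:
    """True when the From: header the recipient sees names someone other than the envelope sender."""
    header_from = parseaddr(message_from_string(msg.data).get("From", ""))[1]
    return header_from.lower() != msg.envelope_from.lower()


# Constructed dialogue: the envelope names one sender, the header claims another.
CLIENT_SCRIPT = [
    "EHLO client.example.org", "MAIL FROM:<mallory@example.org>", "RCPT TO:<victim@example.net>", "DATA",
    'From: "Accounts Team" <accounts@bank.example>', "Subject: Please confirm your account", "",
    "..a body line that starts with a dot, stuffed by the client", ".", "QUIT",
]
```

Every client line gets a three-digit reply, and the server enforces only the command order (HELO before MAIL, MAIL before RCPT, RCPT before DATA). It never compares the envelope sender with the From: header the recipient will see, which is what origin_mismatch flags for the constructed dialogue; this gap is what the phishing slide relies on, and it is why sender authentication has to come from elsewhere rather than from SMTP itself.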