Devices. ISQS 6342, Spring 2004. Gurkan Ozfidan


Page 1: Devices ISQS 6342 Spring 2004 Gurkan Ozfidan. Outline Firewalls, Routers, Switches Firewalls, Routers, Switches Wireless/Modems Wireless/Modems Remote

Devices

ISQS 6342

Spring 2004

Gurkan Ozfidan

Page 2

Outline

Firewalls, Routers, Switches
Wireless/Modems
Remote Access Services (RAS)
Telecom/Private Branch Exchange (PBX)
Virtual Private Networks (VPN)
Intrusion Detection Systems (IDS)
Mobile Devices

Page 3

What is a Firewall?

A firewall is a barrier that keeps destructive forces away from your property.

A firewall is any hardware or software device that provides a means of securing a computer or network from unwanted intrusion.

Page 4

Firewall Security

Drafting a security policy:
• What am I protecting?
• Who am I protecting it from?
• Who gets access to which resources?

Common areas of attack:
• Web servers, mail servers, FTP services, databases

Every available service means a hole in your firewall:
• DNS(23,23), FTP(20-21), ICQ(4000), HTTP(80), Telnet(23)

What Do Firewalls Protect Against?

• DoS - not meant to steal information, but to disable a device
• Ping of death - create an IP packet that exceeds the maximum of 65535 bytes
• SYN flood - TCP connection requests arrive faster than a machine can process them
• IP spoofing - break into systems while hiding the hacker's identity

Page 5

Page 6

How Do Firewalls Work?

Network address translation (NAT)
• Basic firewalls usually use only one technique: NAT

Basic packet filtering
• The most basic security function performed by a firewall

Stateful packet inspection (SPI)
• Basic packet filtering extended with a feature called "stateful packet inspection"

Access control lists (ACL)
• Packet filtering is made possible through the use of access control lists (ACLs).

Page 7

How Do Firewalls Work?

Network Address Translation:

Provides a type of firewall by hiding internal IP addresses.

Enables a local-area network to use one set of IP addresses for the internal network and a second set of addresses for external traffic.

A NAT box located where the LAN meets the Internet makes all necessary IP address translations.
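The NAT box described on this slide, as an added example in Python (not from the lecture): outgoing packets are rewritten to the one public address, replies are mapped back through the translation table, and inbound packets with no table entry are dropped, which is why the internal addresses stay hidden. All addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses for this example (not from the slides): an internal
# LAN behind a NAT box that owns a single public address.
LAN_PREFIX = "192.168.1."
PUBLIC_IP = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Port-based NAT located where the LAN meets the Internet."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (internal ip, internal port) -> external port
        self.outbound: Dict[Tuple[str, int], int] = {}
        # external port -> (internal ip, internal port)
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def outbound_translate(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outgoing packet so only the public address is visible."""
        if not pkt.src_ip.startswith(LAN_PREFIX):
            return None  # not from the internal address set: not ours to translate
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def inbound_translate(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the internal host; drop anything with no entry."""
        key = self.inbound.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None  # unsolicited: the internal hosts stay hidden
        in_ip, in_port = key
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """A LAN host talks to a web server; the reply is mapped back; a stray probe is dropped."""
    nat = NatBox(PUBLIC_IP)
    out = nat.outbound_translate(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = nat.inbound_translate(Packet("198.51.100.7", 80, PUBLIC_IP, out.src_port))
    stray = nat.inbound_translate(Packet("198.51.100.7", 80, PUBLIC_IP, 40001))
    return out, reply, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```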

Page 8

How Do Firewalls Work?

Basic Packet Filtering:

Decides whether to forward TCP/IP packets based on information in the packet.

Packet filters screen information based on:
• Protocol type
• IP address
• TCP/UDP port
• Source routing information

Packets that make it through the filters are sent to the requesting system.

Page 9

How Do Firewalls Work?

Stateful Packet Inspection:

Stateful packet filters can record session-specific information, such as which ports are in use on the client and on the server.

Three-way handshake:
• Initiates a TCP connection
• Packets begin passing once the connection is made
• Once the session has ended, no further packets are allowed

Enhances security by recording on which side of the firewall a connection was initiated.

Essential to blocking IP spoofing attacks.

Page 10

How Do Firewalls Work?

Access Control Lists:

Packet filtering is made possible through the use of ACLs.

An ACL is a list of rules either allowing or blocking inbound or outbound packets with which the firewall comes into contact.

Example of allowing access only to HTTP (port 80):

    access-list 101 permit tcp any 111.222.111.222 0.0.0.0 eq 80
    access-list 101 deny ip any 111.222.111.222 0.0.0.0
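The ACL on this slide and the stateful inspection of the previous one, as one added Python example (not from the lecture): a stateless filter evaluates the two access-list 101 rules, and a stateful filter applies the ACL only to the SYN that opens a session, then passes packets only while the three-way handshake has been completed and the session is still open. Addresses other than the slide's 111.222.111.222 are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed addresses for this example (not from the slides). The two ACL
# rules mirror the slide's access-list 101: permit tcp to the host on port 80,
# then deny everything else to that host.
SERVER = "111.222.111.222"


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK), "FA" (FIN-ACK)


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    dst: Optional[str]    # None = any host
    dport: Optional[int]  # None = any port


ACL_101 = [Rule("permit", "tcp", SERVER, 80), Rule("deny", "ip", SERVER, None)]


def acl_decision(acl: List[Rule], pkt: Packet) -> str:
    """Stateless packet filter: first matching rule wins, implicit deny at the end."""
    for r in acl:
        if r.proto in ("ip", pkt.proto) and r.dst in (None, pkt.dst) \
                and r.dport in (None, pkt.dport):
            return r.action
    return "deny"


class StatefulFilter:
    """SPI: the ACL is consulted only for the SYN that opens a session;
    every later packet passes only while that session is in the state table."""

    def __init__(self, acl: List[Rule]):
        self.acl = acl
        self.pending: Set[Tuple] = set()      # SYN seen, handshake not finished
        self.established: Set[Tuple] = set()  # three-way handshake complete

    @staticmethod
    def key(pkt: Packet) -> Tuple:
        # Both directions of one session map to the same key
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def filter(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if k in self.established:
            if "F" in pkt.flags or "R" in pkt.flags:
                self.established.discard(k)   # session ended: nothing more passes
            return "permit"
        if pkt.proto != "tcp":
            return "deny"                     # this toy tracker only handles TCP
        if pkt.flags == "S":                  # a new connection: apply the policy
            if acl_decision(self.acl, pkt) != "permit":
                return "deny"
            self.pending.add(k)
            return "permit"
        if k in self.pending and pkt.flags == "SA":
            return "permit"                   # the server's reply to a permitted SYN
        if k in self.pending and pkt.flags == "A":
            self.pending.discard(k)
            self.established.add(k)           # handshake complete: session open
            return "permit"
        return "deny"  # e.g. a bare ACK with no handshake behind it (spoofed / out of state)
```

The stateless filter permits any TCP packet to port 80, handshake or not; the stateful one denies the same packet unless it belongs to a session it watched being opened.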

Page 11

Routers

A network management device that sits between different network segments.

Allows different networks to communicate with one another, and the Internet to function.

Page 12

• A message or file is broken up into packets about 1500 bytes long

• Each packet includes information on the sender's address and the receiver's address

• A checksum value allows the receiving computer to be sure that the packet arrived intact

• Each packet is sent via the best available route

Tracert: traces the route that a packet takes to another computer

Page 13

Switches

A device that filters and forwards packets between LAN segments.

Network switches are capable of determining the source and destination of a packet, and forwarding that packet appropriately.

Switches conserve network bandwidth and generally offer better performance than hubs.

A hub joins multiple computers (or other network devices) together to form a single network segment.

Page 14

• Switches usually work at Layer 2, using MAC addresses.

• Routers work at Layer 3, using network addresses (IP, IPX or AppleTalk, depending on the protocols in use).

• Hubs are simply a junction that joins all the different nodes together.

The seven layers of the Open Systems Interconnection (OSI) Reference Model

Page 15


Page 16

Wireless - digital data into radio signals

WEP: Wired Equivalent Privacy, a security protocol for wireless local area networks (WLANs) defined in the 802.11b standard.

Designed to provide the same level of security as a wired LAN.

WEP aims to provide security by encrypting data over radio waves.

WLANs do not have the same physical structure as a wired LAN, and are therefore more vulnerable to tampering.

Page 17

Wireless - digital data into radio signals

WPA: Wi-Fi Protected Access, designed to improve upon the security features of WEP.

Includes two improvements over WEP:

1. Improved data encryption through the Temporal Key Integrity Protocol (TKIP). TKIP scrambles the keys using a hashing algorithm and ensures that the keys haven't been tampered with.

2. A MAC address is simple to sniff and steal; the Extensible Authentication Protocol (EAP) is built on a more secure public-key encryption system to ensure that only authorized network users can access the network.

Page 18

Modems - modulator-demodulator

Digital Subscriber Line (DSL) provides a direct connection between the computer or network on the client side and the Internet.

Cable modems are connected to a shared segment, so anyone else on that segment can potentially threaten your system.

• A problem for DSL and cable modem users was the issuing of static IP addresses.

• Static addresses provide a fixed target for hackers.

• Dynamic Host Configuration Protocol (DHCP) can be used to issue dynamic addresses instead.

• The best solution is to implement a firewall.

Page 19

Remote Access Services (RAS)

Provides the ability for one computer to dial into another computer via modem.

Also offers a feature called callback, which works only with fixed phone numbers.

RAS sits behind any physical firewall. Unless there is gateway software or firewall software running on the server hosting RAS, there is a potential for the network to be compromised.

Page 20

Telecom/Private Branch Exchange

A traditional PBX is a computer-based telephone switch that may be thought of as a small, in-house telephone company.

A private telephone network used within an enterprise.

Users of the PBX share a certain number of outside lines for making telephone calls external to the PBX.

Failure to secure a PBX can result in toll fraud, theft of information, and denial of service.

Securing a PBX should be part of a written security policy.

Page 21

Virtual Private Networks

A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together.

Security is enhanced by implementing Internet Protocol Security (IPSec).

IPSec provides better encryption algorithms and more comprehensive authentication, in two modes: transport and tunneling.
• Transport: encryption of the data in a packet
• Tunneling: encryption of the data including the address header information

IPSec eliminates packet sniffing and identity spoofing.

The sending and receiving computers hold the keys to encrypt and decrypt the packets.

Page 22

A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users connecting from out in the field.

Page 23

Intrusion Detection Systems

IDS offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur.

Computer-based IDS:
• Used to secure critical network servers or systems holding sensitive information
• Agents are loaded on each protected computer
• Analyze the disk space, RAM, CPU time, and applications
• Collected information is compared to a set of rules to determine if a security breach has occurred

Page 24

Intrusion Detection Systems

Network-based IDS:
• Monitor activity on a specific network segment
• Usually dedicated platforms with two components:
  Sensor: passively analyzes network traffic
  Management system: displays alarm information from the sensor and allows security personnel to configure the sensors

Anomaly-based detection:
• Involves building statistical profiles of user activity and reacting to any activity that falls outside these profiles
• Two major problems:
  Users do not access their computers or the network in static, predictable ways
  Not enough memory to contain the entire profile

Page 25

Intrusion Detection Systems

Signature-based detection:
• Similar to an antivirus program in its method of detecting potential attacks
• Vendors produce a list of "signatures" to compare against activity
• When a match is found, the IDS takes some action
• Customers depend on vendors to provide the latest signatures
• Normal network activity can be construed as malicious
• For example, a network application may legitimately send ICMP messages (ICMP carries packets that report errors)
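The two detection methods from the last two slides, as an added Python example (not from the lecture): a signature matcher that compares each event against a vendor-style pattern list, and an anomaly detector that builds a statistical profile of per-source activity and flags anything outside it. The sample log, the signatures and the baseline counts are constructed; the over-broad ICMP signature and the busy-but-legitimate user reproduce the false positives the slides warn about.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Pattern, Tuple

# Constructed sample events for this example (not from the slides):
# "time source proto detail"
SAMPLE_LOG = """\
09:00:01 10.0.0.5 tcp GET /index.html
09:00:02 10.0.0.5 tcp GET /login
09:00:03 10.0.0.9 icmp echo-request
09:00:04 10.0.0.7 tcp GET /reports/../../secret.txt
09:00:05 10.0.0.9 icmp destination-unreachable
09:00:06 10.0.0.5 tcp GET /index.html
"""

# Vendor-style signature list: name -> pattern over "proto detail"
SIGNATURES: Dict[str, Pattern] = {
    "directory-traversal": re.compile(r"\.\./"),
    # Over-broad on purpose: it also fires on a legitimate ICMP error message
    "icmp-traffic": re.compile(r"^icmp "),
}

Event = Tuple[str, str, str]  # (time, source, "proto detail")


def parse(log: str) -> List[Event]:
    """Split each constructed log line into (time, source, rest)."""
    events = []
    for line in log.splitlines():
        time, src, rest = line.split(" ", 2)
        events.append((time, src, rest))
    return events


def signature_detect(events: List[Event],
                     signatures: Dict[str, Pattern] = SIGNATURES) -> List[Tuple[str, str]]:
    """Signature-based: report (signature name, source) for every pattern match."""
    hits = []
    for _, src, rest in events:
        for name, pattern in signatures.items():
            if pattern.search(rest):
                hits.append((name, src))
    return hits


def build_profile(baseline_counts: List[int]) -> Tuple[float, float]:
    """Learn what 'normal' events-per-source looks like from a baseline period."""
    return statistics.mean(baseline_counts), statistics.pstdev(baseline_counts)


def anomaly_detect(events: List[Event], profile: Tuple[float, float],
                   sigmas: float = 3.0) -> List[str]:
    """Anomaly-based: flag sources whose activity falls outside the learned profile."""
    mean, stdev = profile
    threshold = mean + sigmas * stdev
    counts = Counter(src for _, src, _ in events)
    return [src for src, n in counts.items() if n > threshold]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("signature hits:", signature_detect(evs))
    print("anomalies:", anomaly_detect(evs, build_profile([1, 1, 2, 1, 1, 2, 1, 1])))
```

Against this log the signature matcher finds the traversal attempt but also fires twice on ordinary ICMP, while the anomaly detector flags 10.0.0.5 only because that user was busier than the baseline, not because anything it did was hostile.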

Page 26

Mobile Devices

Personal Digital Assistants (PDAs)

Can open security holes for any computer with which these devices communicate.

A virus or destructive code may be introduced during a sync operation between the mobile device and the PC.

Standard antivirus and firewall applications can't protect PCs from this.
