Transcript
COPYRIGHT This presentation is provided to specific parties on request. All slides must be shown in their entirety, including the D-Link logo and brand name, without any modification or deletion, unless with the written consent of D-Link. Individual slides may be removed in their entirety. Background colour may be changed. Printed copies can be distributed freely for the specific purpose for which this presentation is used. Failure to observe this violates the copyright agreement. D-Link reserves the right to withdraw from the party the right to use the presentation slides and/or to take any other action deemed necessary by D-Link to prevent the slides, or part of them, being used.

BASIC CONCEPTS IN NETWORK ADMINISTRATION: SECURITY MANAGEMENT
MSEE Ing. Héctor J. Simosa, 22 October 2004

Network Security
• Security is an essential mechanism in networks.
• The Internet is a network of interconnected networks without borders. Because of this, an organization's networks are vulnerable through their accessibility from any computer in the world.

Solutions
• Beyond firewalls, D-Link offers fairly complete security solutions to protect your network, among them:
 – Intrusion Detection Systems
 – Virtual Private Networks
 – Identification services
 – Security management tools

Security: why is it important?

Computer Hackers
• They can be divided into three categories:
 – Those who break the security of computer networks
 – Those who break the security of application software
 – Those who write malicious programs to exploit weaknesses in operating systems
• Fact: there is no 100% secure solution!
Evolution of Security (chart)
Vertical axis: technical knowledge required by the attacker, High in 1980 falling to Low by 2000 as sophisticated hacker tools become available. Attack techniques appear roughly in this order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audit, backdoors, session hijacking, sniffers, sweepers, DDoS, stealth diagnostics, packet forging/spoofing, Internet worms.

Attacks on Information Networks
• Protection is a challenge!
 – The ability to attack networks has become more sophisticated.
 – Relying on a firewall alone is not enough.
 – Just as you protect your premises physically, you must protect your network.
• What questions should we ask ourselves?

What questions should we ask?
• Do you have an Intranet, an Extranet, an Internet connection?
• Are you thinking of or planning to implement some kind of network?
• Do you have critical or strategic information available on your network?
• How would you know if you had been the victim of a security breach?

What is the Internet? (diagram: Corporate Network, Remote Partner, Remote User and Remote Office, all reaching each other through the Internet)

What is an Intranet? (diagram: Corporate Network and Remote Office connected through the Internet, with a DMZ network hosting the Web Server and E-Mail Server; the Remote User also comes in through the Internet)

What is an Extranet? (diagram: as for the Intranet, plus Partner Sites reaching the DMZ network's Web Server and E-Mail Server through the Internet)

What do we need to protect?
• Routers are targets
• Managed switches are targets
• Hosts and clients are targets
• Databases are targets
• Applications are targets
• Information is a target
• Web and e-mail servers are targets
• Management tools are targets

More questions…
• Is your security solution complete?
• Can you support a wide range of business activities without compromising the organization?
• Can your security solution be extended to your users' evolving requirements?

How do security problems arise?
• The moment you connect your computer to the Internet, it is under threat…
• The first threat is that your IP packets can be inspected as they travel across the Internet.
• The second threat is that someone uses your connectivity to attack your OS.
• There is only one way to provide security against these threats…

Security Services
• What do they mean?
• Why are they needed?
• How are they implemented?

What do security services mean?
• Privacy…?
• Authentication…?
• Access control…?

Properties of communication (diagram: Alice and Bob exchanging a message. Can they communicate securely? The required properties are secrecy, authentication and integrity.)

Authenticated access (diagram)
1. The user logs on to the Authentication Server, which establishes the user's access privileges.
2. The Authentication Server instructs the network to connect the user to the target VLAN(s).
3. The user is connected to the target VLAN(s): from the authentication VLAN to VLAN A (Target Resource A) and/or VLAN B (Target Resource B).

Why are they needed?
• The perpetrator has solid knowledge of the protocols in use.
• He can interpret the message and discover passwords, sensitive information, etc.

How are they implemented?
The challenge of security in a computer network: the firewall.

What is a firewall?
• A system designed to prevent unauthorized access to or from a private network.
• Implemented in hardware, in software, or in a combination of both.
• Every message entering or leaving the network through the firewall is examined, and those that do not comply with the security policy are blocked.

Firewall architectures
1. Packet filters
2. Application proxies
3. Circuit-level gateways
4. Network Address Translation (NAT) firewalls

Packet filter firewall (diagram: a router with a packet filter sits between the user and the server and decides at the Network layer of the OSI stack: Application, Presentation, Session, Transport, Network, Data Link, Physical)

Application gateways / proxies (diagram: the gateway runs proxy applications for Telnet, FTP, HTTP and SMTP and works at the Application layer of the OSI stack)

Stateful inspection (diagram)
• Packets are intercepted between the Data Link and Network layers.
• Information from all higher layers is saved in dynamic state tables, so a reply is admitted only if it belongs to a connection the firewall has already seen.

Proxy server gateways (diagram: Internal Client, Firewall / Proxy Server, External Web Server)
1. Request
2. Repackage request
3. Response
4. Repackage response

Security policies
• Network Service Access Policy
• Firewall Design Policy

Security policies: Network Service Access Policy
Defines the services that will be explicitly permitted or denied from the restricted network, consistent with the properties of secure communication.

Security policies: Firewall Design Policy
Describes how the firewall will be configured to apply the rules that restrict access or filter services.

Enterprise Security – Internet (diagram: Corporate Network behind a firewall (FW) on the Internet; Remote Office, Remote User and Partner Site reach it across the Internet; a DMZ network hangs off the firewall)

Enterprise Security – Intranet
• Policies for enterprise-wide communication (same diagram)

Enterprise Security – Extranet
• Secure communication between partners (same diagram)

Elements of security in wireless networks

Security in WLANs: access control
• By network name
• By MAC address

Transmission technology
• DSSS transmission is often described as difficult to intercept, but in 802.11b the spreading code is fixed and public, so it adds no confidentiality.
• DSSS allows high transmission rates by dividing the 2.4 GHz band into 14 channels of 22 MHz each.
• Security is weak.

Threats in WLANs
• Denial of Service
• Interception / eavesdropping
• Manipulation
• Masquerading
• Repudiation
• Transitive trust
• Infrastructure

Security premises in 802.11b
• Service Set Identifier (SSID)
• Shared or open authentication
• MAC filtering / firewall
• Wired Equivalent Privacy (WEP)
 – Link level
 – Poor security

SSID
• Mechanism used to segment WLANs.
• Each AP is programmed with an SSID corresponding to its network.
• The client presents the correct SSID to access the AP.
• There are security compromises:
 – The AP can be configured to broadcast its SSID.
 – The SSID can be shared among several users of a wireless segment.

MAC filtering
• Each client is identified by the MAC address of its 802.11 NIC.
• The AP can be programmed with a set of MAC addresses to accept.
• Combine the filtering with the AP's SSID.
• We incur overhead maintaining the list of MAC addresses.
• Caveat: MAC addresses are sent in the clear in every frame and can be changed in software, so filtering only stops casual association.

Cryptography
• The cryptography uses the RC4 algorithm as defined in the IEEE 802.11 WEP standard.
• Products are available with 40- and 128-bit encryption.
• 64-bit WEP is the same as 40-bit WEP: a 40-bit (10 hex character) user-defined "secret key" plus a 24-bit initialization vector (which is not under the user's control).
802.11 security – Enterprise / Home
• Data encryption (WEP, TKIP, AES): prevent third parties from viewing the content of wireless data transmissions.
• User authentication (802.1X): prevent unauthorized users from connecting to the wireless network.
• Virtual LAN: use VLAN-capable access points to tag "guest traffic" and other "non-secure" traffic so that it can be routed outside the firewall.
Across the public infrastructure
• Virtual Private Network: maintain end-to-end privacy through the use of Layer 3 tunneling protocols (independent of 802.11 devices).

WEP authentication (shared key)
• The client requests access.
• The AP sends the client a challenge text.
• The client encrypts the text using the secret key it shares with the AP (the key is pre-configured on both sides, never sent over the air).
• If the text is encrypted correctly the AP grants access; otherwise it denies it.

WEP in action (diagram: the supplicant, configured with WEP key 1234567890, exchanges Authentication Request / Authentication Response and then Association Request / Association Response with the access point, which holds the same WEP key 1234567890; data to the access point is then encrypted and the station reaches the network resources)

WEP weaknesses
• All clients of an AP on a wireless network share the same encryption key.
• There is no protocol for distributing the encryption key.
• This is improved with WPA.
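The WEP framing and shared-key exchange described in the last few slides, as an added example that is not code from the deck or from D-Link: it implements RC4 and WEP's per-frame encryption (24-bit IV || 40-bit key, CRC-32 ICV), runs the challenge/response from the "WEP in action" slide with the slide's key 1234567890, and then shows why shared-key authentication is weaker than open authentication: an eavesdropper who sees the cleartext challenge and the encrypted response recovers the RC4 keystream for that IV and can answer a later challenge without knowing the key. The last step shows the same keystream reuse leaking the XOR of two data frames. The access point, station and challenge values are constructed for the demonstration.

```python
"""Added example: WEP framing, shared-key authentication and keystream reuse.
Not from the D-Link deck; AP/station behaviour and all inputs are constructed."""
import os
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling, then XOR the PRGA output over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)   # WEP ICV: little-endian CRC-32


def wep_encrypt(key40: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, sent in clear) || RC4(IV||key, plaintext || ICV)."""
    assert len(iv) == 3 and len(key40) == 5
    return iv + rc4(iv + key40, plaintext + _icv(plaintext))


def wep_decrypt(key40: bytes, frame: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key40, body)
    data, icv = plain[:-4], plain[-4:]
    return data, icv == _icv(data)


class AccessPoint:
    """Shared-key authentication as on the slide: challenge, expect it back WEP-encrypted."""
    def __init__(self, key40: bytes):
        self.key = key40
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = os.urandom(128)          # 802.11 challenge text is 128 bytes
        return self.nonce

    def verify(self, response: bytes) -> bool:
        data, ok = wep_decrypt(self.key, response)
        return ok and data == self.nonce      # no record is kept of IVs already used


def legitimate_client(key40: bytes, challenge: bytes) -> bytes:
    # The sender picks the IV; a fixed value stands in for a card's IV counter here.
    return wep_encrypt(key40, b"\x01\x02\x03", challenge)


def eavesdropper_keystream(challenge: bytes, response: bytes):
    """Challenge||ICV is known plaintext, so ciphertext XOR plaintext is the keystream for that IV."""
    iv, body = response[:3], response[3:]
    plain = challenge + _icv(challenge)
    return iv, bytes(a ^ b for a, b in zip(plain, body))


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge with the recovered keystream and the same IV: no key needed."""
    plain = new_challenge + _icv(new_challenge)
    return iv + bytes(a ^ b for a, b in zip(plain, keystream))


def demo(key40: bytes = bytes.fromhex("1234567890")) -> dict:
    """Runs the exchange from the 'WEP in action' slide, then the forgery and the data-frame leak."""
    ap = AccessPoint(key40)
    c1 = ap.challenge()
    r1 = legitimate_client(key40, c1)
    legit_ok = ap.verify(r1)
    iv, ks = eavesdropper_keystream(c1, r1)       # attacker only saw c1 and r1 on the air
    c2 = ap.challenge()
    forged_ok = ap.verify(forge_response(iv, ks, c2))
    # Two data frames under the same IV (only 2^24 exist) share the keystream,
    # so XOR of the ciphertexts equals XOR of the plaintexts.
    p1, p2 = b"GET /index.html", b"POST /login ct="
    f1, f2 = wep_encrypt(key40, iv, p1), wep_encrypt(key40, iv, p2)
    leak = bytes(a ^ b for a, b in zip(f1[3:], f2[3:]))[:len(p1)]
    plain_xor = bytes(a ^ b for a, b in zip(p1, p2))
    return {"legitimate_accepted": legit_ok,
            "forged_accepted": forged_ok,
            "keystream_reuse_leaks_plaintext_xor": leak == plain_xor}


if __name__ == "__main__":
    print(demo())
```

The forgery works because the AP accepts any IV the sender chooses and the CRC-32 ICV is linear, not keyed; this is why the WPA slide that follows replaces the shared key with per-session TKIP keys distributed after 802.1X authentication.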
WPA in action (diagram: Supplicant, Authenticator, Authentication Server)
• The client joins the LAN; data is encrypted.
• The AP blocks the request until the user is authenticated.
• The AP sends an authentication request; the client proves its credential to the authentication server.
• Once authenticated, the authentication server distributes the TKIP encryption key.

802.11 security portfolio (802.11a and a/b): different ways a network needs to be made secure
                 Original 802.11b   Updated 802.11b            Question answered
Encryption       WEP                TKIP ("SSN"), AES          "Is my data secure?"
Authentication   nothing            802.1X (LEAP, PEAP, TLS)   "How can I keep intruders from entering my network?"
Application      VPN                VPN                        "Can I maintain the integrity of my link from end to end?"
Operation        VLAN               VLAN                       "How can I avoid breaking my own security mechanisms?"

802.1X authentication (diagram: End-User Station, EAPOL (EAP) to the Wireless AP, RADIUS (EAP) to the RADIUS server DRS-200)
1. Using the Extensible Authentication Protocol (EAP), an end user contacts a wireless access point and requests to be authenticated.
2. The access point passes the request to the RADIUS server.
3. The RADIUS server challenges the end user for a password, and the end user responds with the password to the RADIUS server.
4. The RADIUS server authenticates the end user, and the access point opens a port to accept data from the end user.

Many thanks.

D-Link Security Solution

Basic definitions
• Confidentiality – Are you the only one who is viewing information specific to you or to authorized users?
• Integrity – Are you communicating with whom you think? Is the data you are looking at correct, or has it been tampered with?
• Availability – Are the required services there when you need them?
• Authentication – Are you who you say you are?
Vocabulary in security
• AS – Authentication Server
• EAP – Extensible Authentication Protocol
• EAPOL – EAP over LAN
• IV – Initialization Vector
• MIC – Message Integrity Code
• PEAP – Protected EAP
• PKI – Public Key Infrastructure
• RADIUS – Remote Authentication Dial-In User Service
• TKIP – Temporal Key Integrity Protocol
• WEP – Wired Equivalent Privacy
• WLAN – Wireless Local Area Network
• AES – Advanced Encryption Standard

Hacker prevention and network protection
• The Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor.
• It identifies and takes action against suspicious network activity.
• It uses intrusion signatures, stored in the attack database, to identify the most common attacks.
• To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic in the attack log.

Hacker prevention and network protection
• The NIDS protects the DFL-xxxx and the network connected to it by:
 – Dropping the connection
 – Blocking packets from the location of the attack
 – Blocking the network ports, protocols or services being used by an attack

Hacker prevention and network protection
• Using Virtual Private Networking (VPN), you can provide a secure connection between widely separated office networks, or securely link telecommuters or travellers to an office network.
• VPN features include:
 – Standard IPSec VPN (DES, 3DES, etc.)
 – PPTP
 – L2TP
 – IPSec and PPTP VPN pass-through

Secure installation, configuration and management
• Logging and reporting
 – Report traffic that connects to the firewall interfaces
 – Report network services used
 – Report traffic permitted by firewall policies
 – Report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks and web page blocking
• Logs can be sent to a remote syslog server or to a WebTrends server using the WebTrends enhanced log format.

DFL-200
• 3,000 concurrent sessions
• Firewall performance: 60Mbps
• 3DES performance: 20Mbps
• 70 dedicated VPN tunnels
• 500 policies, 256 schedules
• 10/100BASE-TX port to connect to a DSL/cable modem
• 10/100BASE-TX dedicated DMZ port
• 4 x 10/100BASE-TX LAN switch ports

DFL-700
• Supports 100 users
• 10,000 concurrent sessions
• Firewall performance: 100Mbps
• 3DES performance: 30Mbps
• 200 dedicated VPN tunnels
• 1,000 policies, 256 schedules
• 10/100BASE-TX port to connect to a DSL/cable modem or external LAN
• 10/100BASE-TX port to connect to the internal LAN (trusted)
• 10/100BASE-TX dedicated DMZ port

DFL-1100
• 200,000 concurrent sessions
• Firewall performance: 250Mbps
• 3DES performance: 60Mbps
• 1,000 dedicated VPN tunnels
• 10/100BASE-TX port to connect to a DSL/cable modem or external LAN
• 10/100BASE-TX dedicated DMZ port
• 10/100BASE-TX LAN port to connect to the internal LAN (trusted)
• 10/100BASE-TX backup port to connect to the backup firewall
• 2,000 policies, 256 schedules

Securing your network with the DFL-1100 (diagram: HQ network of 500 users behind an active DFL-1100 and a backup DFL-1100 joined by a backup link; access switches; teleworkers over ADSL, mobile users, a branch office and an insurance business sector partner reach the HQ over VPN across the Internet)

DFL-500 & DFL-1000 Network Protection Gateway (NPG)
• A dedicated, easily managed security device that delivers the following services:
 – Application-level services such as virus protection and content filtering
 – Network-level services such as firewall, intrusion detection, VPN and traffic shaping

DFL-500 & DFL-1000 Accelerated Behaviour and Content Analysis System (ABACAS™)
• Unique ASIC-based architecture
• Analyses content and behaviour in real time
• Enables key applications to be deployed right at the network edge, where they are most effective at protecting the network

DFL-500 vs DFL-1000
Feature            DFL-500        DFL-1000
Product category   SoHo           SMB
CPU                133MHz         300MHz
RAM                64MB           256MB
Flash              32MB           64MB
Ports              1 LAN, 1 WAN   1 LAN, 1 WAN, 1 DMZ

DFL-500 vs DFL-1000 (System performance)
Feature                  DFL-500   DFL-1000
Concurrent sessions      2,000     25,000
New session rate         800       10,000
Firewall performance     30Mbps    180Mbps
Triple-DES (168-bit)     15Mbps    120Mbps
Policies                 100       1,000
Schedules                30        256

DFL-500 vs DFL-1000 (Firewall mode of operation)
Feature                       DFL-500   DFL-1000
Network Address Translation   Yes       Yes
Port Address Translation      Yes       Yes
Transparent mode              Yes       Yes
Route mode                    Yes       Yes
Virtual IP                    Yes       Yes

DFL-500 vs DFL-1000 (VPN)
Feature                                    DFL-500   DFL-1000
Dedicated tunnels                          20        100
Manual key, IKE, PKI                       Yes       Yes
DES (56-bit) & 3DES (168-bit) encryption   Yes       Yes
Perfect forward secrecy (DH groups)        Yes       Yes
Remote access VPN                          Yes       Yes

DFL-500 vs DFL-1000 (Firewall attacks)
Feature                     DFL-500   DFL-1000
DDoS and DoS detected       14        14
MAC address bound to IP     Yes       Yes

DFL-500 vs DFL-1000 (Logging / Monitoring)
Feature                            DFL-500       DFL-1000
Internal log space                 No            Yes
E-mail notification                3 addresses   3 addresses
Syslog                             Yes           Yes
SNMP                               Yes           Yes
Device failure detection           Yes           Yes
Network notification on failover   Yes           Yes

DFL-500 vs DFL-1000 (IPSec)
Feature            DFL-500   DFL-1000
Site-to-site VPN   Yes       Yes
Authentication     Yes       Yes
SHA-1 / MD5        Yes       Yes

DFL-500 vs DFL-1000 (Firewall & VPN user authentication)
Feature                               DFL-500   DFL-1000
Built-in database (user limit)        Yes       Yes
RADIUS (external) database            No        Yes
RSA SecurID (external) database       No        Yes
LDAP (external) database              No        Yes

DFL-500 vs DFL-1000 (System management)
Feature                                        DFL-500   DFL-1000
WebUI (HTTP and HTTPS)                         Yes       Yes
Multi-language user interface                  Yes       Yes
Command line interface (telnet)                Yes       Yes
Wizard / quick installation                    Yes       Yes
Secure command shell (ssh v1 compatible)       Yes       Yes
All management via VPN tunnel on any interface Yes       Yes
Note: telnet sends credentials in the clear and SSH v1 has known protocol weaknesses; restrict management to the trusted host list below and prefer HTTPS or management over the VPN tunnel.

DFL-500 vs DFL-1000 (Traffic management)
Feature                          DFL-500   DFL-1000
Guaranteed bandwidth             Yes       Yes
Maximum bandwidth                Yes       Yes
Priority bandwidth utilization   Yes       Yes

DFL-500 vs DFL-1000 (Administration)
Feature                                     DFL-500                           DFL-1000
Multiple administrators                     Yes                               Yes
Admin levels                                Root Admin, Admin & Read Only user Root Admin, Admin & Read Only user
Software upgrades & configuration changes   TFTP / WebUI                      TFTP / WebUI
Trusted host                                Yes                               Yes

DFL-500 vs DFL-1000 (Network service)
Feature                   DFL-500   DFL-1000
PPPoE                     Yes       Yes
PPTP                      Yes       Yes
DHCP client               Yes       Yes
DHCP server               Yes       Yes
VPN client pass-through   Yes       Yes
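The firewall architecture and policy slides earlier in the deck (packet filter versus stateful inspection with dynamic state tables, and the Network Service Access Policy) and the NIDS actions listed above ("dropping the connection", "blocking packets from the location of the attack") can be tied together in one added example. It is not code from the deck or from the DFL products, whose rule syntax is not shown here: the zones, the policy, the two signatures and every packet are constructed for the demonstration. A stateless filter judges each packet alone, so it must either reject the server's reply or open all high ports; the stateful firewall admits the reply because it remembers the outbound SYN, rejects an ACK probe against the DMZ web server for which it has no state, and, once a signature fires, drops that connection and blocks the source.

```python
"""Added example: stateless packet filter vs stateful inspection, plus a NIDS
hook that blocks the attack source. Not from the D-Link deck; all constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False          # True for a connection-initiating TCP segment
    payload: bytes = b""


# Constructed zones using documentation address ranges.
INSIDE = ip_network("10.1.0.0/16")
DMZ = ip_network("192.0.2.0/24")
INTERNET = ip_network("0.0.0.0/0")     # anything that is neither inside nor DMZ

# Network Service Access Policy: (from zone, to zone, destination port) that is
# explicitly permitted. Everything else is denied (default-deny design policy).
POLICY = {
    (INSIDE, INTERNET, 80), (INSIDE, INTERNET, 443),   # internal clients browse
    (INTERNET, DMZ, 80), (INTERNET, DMZ, 25),          # public web and mail in the DMZ
    (INSIDE, DMZ, 25),                                 # internal hosts submit mail
}

# Constructed NIDS signatures: (name, byte pattern looked for in the payload).
SIGNATURES = [("http-traversal", b"../../"), ("smtp-vrfy-probe", b"VRFY ")]


def zone_of(addr: str):
    a = ip_address(addr)
    if a in INSIDE:
        return INSIDE
    if a in DMZ:
        return DMZ
    return INTERNET


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: every packet is judged on its own header against the policy."""
    return "allow" if (zone_of(pkt.src), zone_of(pkt.dst), pkt.dport) in POLICY else "deny"


class StatefulFirewall:
    def __init__(self):
        self.state = set()        # dynamic state table of admitted connections (5-tuples)
        self.blocked = set()      # sources blocked by the NIDS
        self.attack_log = []      # (signature name, source) entries

    def _nids(self, pkt: Packet) -> bool:
        for name, pattern in SIGNATURES:
            if pattern in pkt.payload:
                self.attack_log.append((name, pkt.src))
                self.blocked.add(pkt.src)
                return True
        return False

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if pkt.src in self.blocked:
            return "deny"                     # NIDS action: block packets from the attack source
        if self._nids(pkt):
            self.state.discard(key)           # NIDS action: drop the connection
            self.state.discard(reverse)
            return "deny"
        if key in self.state or reverse in self.state:
            return "allow"                    # belongs to a connection already admitted
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                     # no state and not a SYN: stray or ACK-scan segment
        verdict = stateless_filter(pkt)
        if verdict == "allow":
            self.state.add(key)               # remember it so the replies pass
        return verdict


def demo() -> dict:
    """Returns (stateless verdict, stateful verdict) for constructed traffic, in order."""
    fw = StatefulFirewall()
    pkts = {
        "client_syn":   Packet("10.1.2.3", 51000, "198.51.100.7", 80, syn=True),
        "server_reply": Packet("198.51.100.7", 80, "10.1.2.3", 51000),
        "unsolicited":  Packet("203.0.113.9", 80, "10.1.2.3", 51000),
        "ack_scan_dmz": Packet("203.0.113.9", 4444, "192.0.2.10", 80),
        "dmz_syn":      Packet("203.0.113.9", 4444, "192.0.2.10", 80, syn=True),
        "dmz_attack":   Packet("203.0.113.9", 4444, "192.0.2.10", 80,
                               payload=b"GET /../../etc/passwd"),
        "after_block":  Packet("203.0.113.9", 4445, "192.0.2.10", 80, syn=True),
    }
    return {name: (stateless_filter(p), fw.inspect(p)) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:14s} stateless={verdicts[0]:5s} stateful={verdicts[1]}")
```

The "server_reply" and "ack_scan_dmz" rows are the point of the stateful-inspection slide: the header-only filter gets both wrong in opposite directions, while the state table gets both right without any extra rule.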