Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN

Network Security
• At this point, we are looking to secure all of the computers in "our" network from outside and inside attack.
  – If a machine is compromised, we would like to avoid it compromising the rest of the network, or at least contain/minimize the damage.

Where to start?
• First internal security, by looking at the computers
  – What category do they fall into?
    • personal, business workstation, server, sensitive systems.
  – That determines which computers need access to other computers (i.e. servers to workstations, etc.).
  – From there we can isolate computers on our network from each other
    • limiting access and limiting damage

Layer security pieces
• Once the "computers" are sorted, then layer the security to maximize protection.
  – Firewalls on top (and where needed for more security)
  – filtering with routers, so parts of the internal network that don't need to "talk" to each other, don't.
  – IDS and monitoring to make sure attempts to breach security are not successful.

VLANs in summary
• VLANs combine shared hubs, switching, routing, and network management
  – remove physical boundaries on switches
  – better control of broadcast domains
• VLANs are invisible to end users
• Offer significant cost and performance benefits in switched LANs
  – better use of switches
  – easy to add or move network stations
  – tighten security

Routers
• Packet routing, forwarding and filtering, and VLANs
  – Once a set of computers is classified, they can go into VLANs.
  – The router can be configured so that packets can't be routed between two VLANs
  – Or packets can be forwarded between the VLANs as needed.
• Newer routers can also route based on the type of packet as well (ICMP, TCP, UDP, etc.).

Proxy
• Proxy servers
  – Allow a client to access a server through an intermediate computer.
    • The proxy server is secured and it accepts requests for access to a server (or even the internet), then makes the request to the server.
    • The proxy server is allowed to talk to the server, while the client is not allowed to talk to the server directly.
  – Many firewalls with NAT work as a type of proxy.

Firewall
• Definition: A system that cannot be broken into.
  – It monitors traffic, and "protects" the computer.
• Configured so that only certain inbound and outbound ports are "open"
  • i.e. blocking port 6000 means that nothing can remotely talk to that port and the computer can't use that port to talk to a remote machine.
  – Can be configured for only outbound or only inbound as well.

Firewall Categories
• Packet filtering gateway
  – Simple firewall, works like router filtering, but at a higher OSI layer.
• Stateful inspection firewalls
  – Maintain more information about network connections
• Personal firewalls (software firewalls)
  – Normally on users' computers

Network firewalls
• Packet filtering
  – Not only IP addresses like routers, but ports, and types of packets, such as allowing only TCP, while blocking UDP and all ICMP packets.
  – e.g. NFS packets are blocked, but not ssh packets.
• Firewalls may provide Network Address Translation (NAT)
• May provide zones of security
  – Unrestricted access, protected zones (called DMZs) and no access.

Stateful
• Included in most high-end firewalls and many personal firewalls as well.
  – Since each packet of data has no context
    • the packet may be fragmented as well.
  – It's difficult to figure out what a packet of data is doing. Is it an attack?
    • A classic attack is to fragment up a packet, so it's hard to detect an attack signature.
    • Also remember packets may arrive in any order; the receiving computer (with TCP) will order them correctly.
    • So a stateful firewall will track the sequence of packets in order to "thwart" this type of attack.

Software firewalls
• Good for personal computers
  – Limited by the O/S and what the computer is doing
  – Provide little protection from DoS attacks.
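The two stateful behaviours described above (letting inbound packets through only when they belong to a connection the firewall has already seen, and reassembling fragments before looking for an attack signature) as an added worked example. This is illustrative code written for these notes, not the lecture's or any product's code: the internal prefix, the published web service, the signature string and all packet contents are constructed, and every fragment here carries the full 5-tuple for simplicity (on a real wire only the first fragment has the transport header).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example: a toy stateful firewall that (1) allows inbound packets only
# for connections opened from inside or for a published DMZ service, and
# (2) reassembles IP fragments before matching a signature, so splitting a
# request across fragments does not hide it from the check.

INTERNAL_PREFIX = "192.168.1."                 # assumed internal network
ALLOWED_INBOUND = {("192.168.1.10", 80)}       # assumed published web service
BAD_SIGNATURE = b"/../../etc/passwd"           # constructed pattern, not a real IDS rule


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    frag_id: Optional[int] = None   # IP identification shared by all fragments of one datagram
    frag_offset: int = 0            # byte offset of this fragment's payload in the datagram
    more_fragments: bool = False    # True on every fragment except the last


class StatefulFirewall:
    def __init__(self) -> None:
        # established flows as (internal_ip, internal_port, remote_ip, remote_port)
        self.connections: set = set()
        self.fragments: Dict[Tuple[str, str, int], List[Packet]] = {}

    def _reassemble(self, pkt: Packet) -> Optional[Packet]:
        """Buffer fragments until the datagram is complete; return the whole datagram or None."""
        if pkt.frag_id is None:
            return pkt
        key = (pkt.src, pkt.dst, pkt.frag_id)
        buf = self.fragments.setdefault(key, [])
        buf.append(pkt)
        buf.sort(key=lambda p: p.frag_offset)   # fragments may arrive in any order
        expected = 0
        for p in buf:                           # payload must be contiguous from offset 0
            if p.frag_offset != expected:
                return None
            expected += len(p.payload)
        if buf[-1].more_fragments:              # last fragment not seen yet
            return None
        del self.fragments[key]
        return Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport,
                      b"".join(p.payload for p in buf))

    def filter(self, pkt: Packet) -> str:
        """Return ALLOW, DROP, or HOLD (fragment buffered until the datagram is complete)."""
        whole = self._reassemble(pkt)
        if whole is None:
            return "HOLD"
        if whole.src.startswith(INTERNAL_PREFIX):
            flow = (whole.src, whole.sport, whole.dst, whole.dport)
        else:
            flow = (whole.dst, whole.dport, whole.src, whole.sport)
            new_service = (whole.dst, whole.dport) in ALLOWED_INBOUND
            if flow not in self.connections and not new_service:
                return "DROP"               # unsolicited inbound: no matching state
        if BAD_SIGNATURE in whole.payload:  # inspect the reassembled datagram, not fragments
            return "DROP"
        self.connections.add(flow)
        return "ALLOW"


def fragment_contains_signature(pkt: Packet) -> bool:
    """What a stateless per-packet check sees: each fragment on its own."""
    return BAD_SIGNATURE in pkt.payload


def run_demo():
    fw = StatefulFirewall()
    # Constructed traffic; addresses are from the documentation ranges.
    frag1 = Packet("203.0.113.9", 5000, "192.168.1.10", 80, b"GET /../../e",
                   frag_id=7, frag_offset=0, more_fragments=True)
    frag2 = Packet("203.0.113.9", 5000, "192.168.1.10", 80, b"tc/passwd HTTP/1.0",
                   frag_id=7, frag_offset=12, more_fragments=False)
    sequence = [
        Packet("192.168.1.20", 40000, "203.0.113.5", 443),   # outbound: opens state
        Packet("203.0.113.5", 443, "192.168.1.20", 40000),   # reply: matches state
        Packet("203.0.113.9", 5555, "192.168.1.20", 22),     # unsolicited inbound
        frag1,                                                # held until complete
        frag2,                                                # reassembled, signature found
    ]
    verdicts = [fw.filter(p) for p in sequence]
    per_fragment = [fragment_contains_signature(frag1), fragment_contains_signature(frag2)]
    return verdicts, per_fragment


if __name__ == "__main__":
    print(run_demo())
```

Neither fragment contains the signature on its own, so a per-packet check passes both; the stateful filter holds the first fragment, reassembles on the second and drops the whole datagram. The same connection table is what makes the unsolicited inbound packet to port 22 droppable without any rule naming that port.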
• Very good for adding more protection to a single machine, in conjunction with an upstream hardware firewall.
• For department or enterprise firewalls
  – A computer (or several computers) is tasked as a firewall and does nothing else.
• Many security experts recommend using a hardware firewall appliance with software firewalls whenever possible.

Why use firewalls?
• Three aspects referred to as the CIA: Confidentiality, Integrity, and Availability
  – Confidentiality: protect data/information you want private.
  – Integrity: make sure data/computer has not been tampered with.
  – Availability: so a remote attack does not bring down the computer.

Zones of Security
• Firewalls can be configured for zones of security.
  – An area where there is no protection
    • for personal/home computers
  – An area where machines can be accessed from the internet, but only on certain ports (called a DMZ)
    • for web, ftp, DNS, VPN servers, etc.
  – An area where there is no inbound access
    • For workstations etc. No one needs to access them from the internet.
  – An area where there is no inbound and no outbound access
    • "Sensitive" computers

Zones of Security (2)
• Each zone can be configured with the necessary security
• Each zone can also be protected from other zones.
  – A server zone: allow no inbound access from the internet, no inbound traffic from the unprotected zone and the DMZ, but all connections from workstations.

NAT
• Network Address Translation
  – The internal computers have 10.x.x.x or 192.168.x.x IP numbers
  – When a packet is sent from a computer to the "internet", the firewall receives the packet, changes the packet's source address to its own address, then sends it to the internet and waits for a response
    • It also changes the source port number as well.
  – When a response is received, the firewall forwards the packet on to the computer.
• NAT can be a separate appliance or built into other devices (including routers and firewalls)

NAT (2)
• Since the firewall acts as the go-between, the internal computer is protected.
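The zone policy from the two "Zones of Security" slides, including the server-zone rule, as an added worked example: a zone lookup by address plus a first-match rule table with a default of deny. This is example code written for these notes, not the lecture's; the zone address ranges, the port lists and the "servers may fetch updates on 80/443" rule are assumptions. It also models the point the lecture makes under "What firewalls can't do": traffic between two hosts in the same zone never crosses the firewall, so the policy returns UNFILTERED rather than a verdict.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone layout (an assumption for this example, not the lecture's).
ZONE_NETWORKS: Dict[str, List[str]] = {
    "dmz":          ["192.168.100.0/24"],   # web/ftp/DNS/VPN servers reachable on some ports
    "workstations": ["10.1.0.0/16"],        # no inbound from the internet
    "servers":      ["10.2.0.0/16"],        # the "server zone" from the slide
    "sensitive":    ["10.9.0.0/24"],        # no inbound and no outbound
}
# Any address that matches no zone above is treated as the unprotected "internet" zone.

# Policy rules: (src_zone, dst_zone, allowed destination ports or None for any, action).
# First match wins; if nothing matches, the default is DENY.
POLICY: List[Tuple[str, str, Optional[Set[int]], str]] = [
    ("internet",     "dmz",      {53, 80, 443}, "ALLOW"),  # only certain ports into the DMZ
    ("internet",     "servers",  None,          "DENY"),   # no inbound from the internet
    ("dmz",          "servers",  None,          "DENY"),   # no inbound from the DMZ
    ("workstations", "servers",  None,          "ALLOW"),  # all connections from workstations
    ("workstations", "dmz",      None,          "ALLOW"),
    ("workstations", "internet", None,          "ALLOW"),
    ("servers",      "internet", {80, 443},     "ALLOW"),  # assumption: updates only
    ("sensitive",    "internet", None,          "DENY"),   # sensitive hosts: no outbound
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unmatched addresses are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETWORKS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "internet"


def decide(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str, str]:
    """Return (verdict, src_zone, dst_zone) for a new connection src -> dst:dport."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    if sz == dz:
        # Same zone: the traffic never passes through the firewall, so nothing is filtered.
        return ("UNFILTERED", sz, dz)
    for rule_src, rule_dst, ports, action in POLICY:
        if rule_src == sz and rule_dst == dz and (ports is None or dport in ports):
            return (action, sz, dz)
    return ("DENY", sz, dz)          # default deny


def run_demo() -> Dict[str, str]:
    # Constructed connection attempts; addresses are from the documentation ranges.
    cases = {
        "internet->dmz:443":            ("203.0.113.7", "192.168.100.10", 443),
        "internet->dmz:22":             ("203.0.113.7", "192.168.100.10", 22),
        "internet->workstation:445":    ("203.0.113.7", "10.1.5.5", 445),
        "workstation->server:1433":     ("10.1.5.5", "10.2.0.3", 1433),
        "dmz->server:1433":             ("192.168.100.10", "10.2.0.3", 1433),
        "sensitive->internet:443":      ("10.9.0.4", "203.0.113.7", 443),
        "workstation->workstation:445": ("10.1.5.5", "10.1.5.6", 445),
    }
    return {name: decide(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:32s} {verdict}")
```

The explicit DENY rows for internet->servers and dmz->servers are redundant with the default, but keeping them in the table documents the server-zone requirement from the slide and protects it from a later ALLOW being appended below.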
• A side effect is that you only need a limited number of real IP numbers, while using the 10.x.x.x IP set for the internal network.
• The firewall is configured to have real IP numbers on machines accessed from the outside, such as web servers.

NAT issues
• NAT works great if all network applications follow the OSI model standards.
  – Of course there are many apps that don't.
  – Example: FTP
    • The IP and port number are in the layer 7 data of the packet. Big problem.
  – FTP has two modes, Active and Passive.
    • In passive mode, which is for firewalls, the server sends its IP number and a port number for the client to make a connection for file transfers.
  – Since the IP number and port are in the layer 7 data, the NAT must read and change the IP and port number the "world" sees.

What firewalls can't do
• Don't protect data outside the perimeter
• Don't protect against computer-to-computer attacks inside the firewall, except between zones.
  – If it doesn't pass through the firewall, then it can't offer any protection.
• Don't necessarily protect open ports.
  – If port 80 is open to the outside world, then the firewall can't protect it against every attack.
    • Some attacks will look like normal traffic.
• And firewalls themselves are also targets of attacks.

Example web site security
[Figure: "How are web sites constructed?" Tiers shown: TIER 4 Database, TIER 3 Applications, TIER 2 Server, TIER 1. SOURCE: INTERSHOP]

VPN
• VPN: virtual private network
  – A method to provide a secure connection between two networks over an insecure line
  – A VPN client connects to the VPN server. All networking from the client is directed to the server, which acts as the network gateway.
    • So your network traffic is behind the firewall and you can access everything like normal.

VPN (2)
• A VPN client connects to the VPN server.
  – All networking from the client is directed to the server, which acts as the network gateway.
    • So the client functions as if it were behind the firewall and could access everything like normal.
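The NAT mechanism from the NAT slides (rewriting the source address and port, mapping replies back, dropping unsolicited inbound packets) together with the FTP passive-mode problem from "NAT issues", as one added worked example. This is illustrative code written for these notes, not the lecture's or any firewall's implementation: the public address, the internal FTP server address and the traffic are constructed. The helper rewrites the private address and port inside the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply (port = p1*256 + p2) and pre-opens a public port for the data connection, which is exactly the layer-7 rewrite the slide says NAT must do.

```python
import re
from itertools import count
from typing import Dict, List, Tuple

# Constructed example: a source-NAT table plus the FTP passive-mode fix-up.
PUBLIC_IP = "198.51.100.1"       # the firewall's one "real" address (assumed)
FTP_SERVER = "192.168.1.50"      # internal FTP server behind the NAT (assumed)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address h1.h2.h3.h4, port p1*256 + p2
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

Flow = Tuple[str, int, str, int]


class NatBox:
    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self._ports = count(40000)       # public ports handed out in order (deterministic)
        # public_port -> [internal_ip, internal_port, remote_ip, remote_port]
        # remote_* is None for a slot reserved by the FTP helper until a peer connects.
        self.table: Dict[int, List] = {}
        self.by_flow: Dict[Flow, int] = {}

    def translate_outbound(self, src: str, sport: int, dst: str, dport: int):
        """Rewrite an internal packet's source to the public address and a public port."""
        flow = (src, sport, dst, dport)
        pport = self.by_flow.get(flow)
        if pport is None:                    # first packet of this flow: allocate a mapping
            pport = next(self._ports)
            self.by_flow[flow] = pport
            self.table[pport] = [src, sport, dst, dport]
        return (self.public_ip, pport, dst, dport)

    def translate_inbound(self, src: str, sport: int, dst: str, dport: int):
        """Map a packet arriving at the public address back to the internal host, or None to drop."""
        entry = self.table.get(dport) if dst == self.public_ip else None
        if entry is None:
            return None                      # no mapping: unsolicited inbound is dropped
        iip, iport, rip, rport = entry
        if rip is None:
            entry[2], entry[3] = src, sport  # first peer binds the reserved FTP data slot
        elif (rip, rport) != (src, sport):
            return None                      # mapping belongs to a different peer
        return (src, sport, iip, iport)

    def fix_pasv_reply(self, line: str, internal_ip: str) -> str:
        """Rewrite the private address/port in a 227 reply and pre-open the data port."""
        m = PASV_RE.search(line)
        if not m:
            return line
        g = m.groups()
        if ".".join(g[:4]) != internal_ip:
            return line                      # not our server's private address; leave it
        data_port = int(g[4]) * 256 + int(g[5])
        pport = next(self._ports)
        self.table[pport] = [internal_ip, data_port, None, None]
        pub = self.public_ip.replace(".", ",")
        return f"{line[:m.start()]}({pub},{pport // 256},{pport % 256}){line[m.end():]}"


def run_demo() -> Dict[str, object]:
    nat = NatBox()
    out: Dict[str, object] = {}
    # internal client opens a web connection; the NAT rewrites source to 198.51.100.1:40000
    out["outbound"] = nat.translate_outbound("192.168.1.20", 51000, "203.0.113.5", 80)
    # the reply to that mapping is forwarded back to the internal client
    out["reply"] = nat.translate_inbound("203.0.113.5", 80, PUBLIC_IP, 40000)
    # a different peer using the same public port, and a port with no mapping, are dropped
    out["wrong_peer"] = nat.translate_inbound("203.0.113.9", 1234, PUBLIC_IP, 40000)
    out["no_mapping"] = nat.translate_inbound("203.0.113.9", 1234, PUBLIC_IP, 40005)
    # internal FTP server answers PASV with its private address: 192.168.1.50 port 195*256+80
    out["pasv"] = nat.fix_pasv_reply("227 Entering Passive Mode (192,168,1,50,195,80)", FTP_SERVER)
    # the outside client then connects to the rewritten public port and reaches the server
    out["ftp_data"] = nat.translate_inbound("203.0.113.5", 5555, PUBLIC_IP, 40001)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:12s} {v}")
```

Two things a real NAT must add beyond this sketch: rewriting the digits in the 227 line changes the TCP payload length, so the sequence and acknowledgement numbers and checksums of that connection have to be adjusted for the rest of its life, and the reserved data-port slot needs a timeout so an unused reservation does not stay open.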
  – Example
    • An employee goes on a business trip and connects to an unsecured network. They connect to the VPN server (via the client) and now have a secure connection to "work" over the unsecured network.

VPN Issues
• Split tunneling
  – Traffic to the "protected" network goes through the VPN connection
  – Everything else goes out the default route
  – Much more efficient, but not as secure.
    • When a user is working from, say, a hotel and VPNs to campus/office
      – Only traffic to the campus goes over the VPN
      – So now if there is an attacker in the hotel, they can attack the laptop and then have direct access into the campus/office via the compromised laptop.
• Remember VPN servers are deployed behind the firewall.
• In the VPN lecture, we look at how the VPN's encrypted tunnel is created using either IPSEC or SSL/TLS.
• Then other defensive measures can be used in conjunction with firewalls
  – IDS/NIPS
  – Smoke and mirrors defenses
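The split-tunneling issue above comes down to the client's routing table, so here is an added worked example (written for these notes, not taken from the lecture or any VPN product) that builds the table a client ends up with in full-tunnel and split-tunnel mode and resolves each destination with longest-prefix matching. The hotel and campus prefixes, the interface names `wlan0` and `tun0`, and the destination addresses are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed example: which interface a VPN client's traffic leaves by,
# depending on whether the VPN is configured as a full or a split tunnel.
HOTEL_LAN = "192.168.8.0/22"     # the unsecured network the laptop is on (assumed)
CAMPUS = "10.0.0.0/8"            # the "protected" network reached over the VPN (assumed)
Route = Tuple[str, str]          # (prefix, egress interface)


def client_routes(split_tunnel: bool) -> List[Route]:
    """Routing table as the VPN client leaves it: local link, campus, then the default."""
    routes = [(HOTEL_LAN, "wlan0"), (CAMPUS, "tun0")]
    # Full tunnel: the default route points into the VPN. Split tunnel: it stays on the hotel link.
    routes.append(("0.0.0.0/0", "wlan0" if split_tunnel else "tun0"))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route decides the egress interface."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def egress_map(split_tunnel: bool, destinations: List[str]) -> Dict[str, Optional[str]]:
    routes = client_routes(split_tunnel)
    return {d: lookup(routes, d) for d in destinations}


def outside_the_tunnel(split_tunnel: bool, destinations: List[str]) -> List[str]:
    """Destinations whose traffic bypasses the VPN, and therefore the office firewall."""
    return [d for d, iface in egress_map(split_tunnel, destinations).items() if iface != "tun0"]


# Constructed destinations: a campus file server, a public web site, another hotel guest.
DESTINATIONS = ["10.20.1.5", "203.0.113.10", "192.168.8.77"]


if __name__ == "__main__":
    for mode in (False, True):
        print("split tunnel" if mode else "full tunnel", egress_map(mode, DESTINATIONS))
```

In full-tunnel mode only the local link itself is reached outside the VPN; in split-tunnel mode the laptop talks to the public internet and to everything on the hotel network directly while still holding a route into campus, which is the exposure the slide describes. The usual mitigations are to prefer the full tunnel and, where split tunneling is required, to rely on the laptop's own software firewall, since the office firewall never sees that traffic.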