Network Security (II)
Instructor: 鄭伯炤
Office: Dept. of Communication Rm #112
Tel: X33512
Email: [email protected]
Information Networking Security and Assurance Lab, National Chung Cheng University

Slide 2: Building Internet Firewalls
(Figure: firewall type mapped to the OSI layers it inspects)
• Application Proxy: Application, Presentation and Session layers
• Stateful Inspection: Transport layer
• Packet Filter: Network, Data Link and Physical layers

Slide 3: Packet Filter Firewalls
Access control is based upon several pieces of information contained in a network packet:
• The source address of the packet
• The destination address of the packet
• The type of traffic: the specific network protocol being used to communicate between the source and destination systems or devices (e.g., ICMP)
• Possibly some characteristics of the Layer 4 communications sessions, such as the source and destination ports of the sessions
• The interface of the router the packet came from and the interface of the router the packet is destined for; this is useful for routers with 3 or more network interfaces

Slide 4: Boundary Routers
The packet filter, referred to as a boundary router, can block certain attacks, possibly filter unwanted protocols, perform simple access control, and then pass the traffic on to other firewalls that examine higher layers of the OSI stack.
(Figure: Packet Filter used as Boundary Router)

Slide 5: Basic Weaknesses Associated with Packet Filters
• Do not examine upper-layer data: cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Limited information available to the firewall: logging functionality present in packet filter firewalls is limited.
• Do not support advanced user authentication schemes.
• Network protocol weakness: vulnerable to attacks on the TCP/IP specification and protocol stack, such as network layer address spoofing.
• Small number of variables used in access control decisions: susceptible to security breaches caused by improper configurations.
But … consequently, packet filter firewalls are very suitable for high-speed environments where logging and user authentication with network resources are not important.

Slide 6: Packet Filter Rulesets
Actions: Accept, Deny, Discard
By default:
• Any type of access from the inside to the outside is allowed.
• No access originating from the outside to the inside is allowed except for SMTP and HTTP.
• SMTP and HTTP servers are positioned "behind" the firewall.

Slide 7: Stateful Inspection Firewalls
• More secure: tracks client ports individually rather than opening all high-numbered ports for external access.
• Useful or applicable only within TCP/IP network infrastructures.
• Represents a superset of packet filter firewall functionality.

Slide 8: Application-Proxy Gateway Firewalls
• Combine lower-layer access control with upper-layer (Layer 7, Application Layer) functionality. For example: Web Proxy.
• In addition to the ruleset, include authentication of each individual network user: User ID and Password Authentication, Hardware or Software Token Authentication, Source Address Authentication, and Biometric Authentication.
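The following is an added example, not code from the slides, that puts the "Packet Filter Rulesets" default policy and the "Stateful Inspection" slide side by side. A plain packet filter decides on each packet alone, so to let replies reach inside clients it has to leave every high-numbered port open; the stateful filter records each session an inside host opens and admits only packets that match it. The LAN range, the server addresses and the sample packets are constructed assumptions.

```python
"""Packet filter ruleset vs. stateful inspection (added example, not from the slides).

Both filters implement the slide-6 default policy: anything from inside to
outside is accepted, and from outside only SMTP and HTTP to the published
servers.  The stateless filter must additionally open every high-numbered port
so replies to inside clients can get back in; the stateful filter instead
records each session an inside host opens and admits only matching replies
("tracks client ports individually").
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.1.0/24")           # assumption: the protected LAN
SERVERS = {                                                # assumption: published servers
    "192.168.1.25": {25},                                  # SMTP
    "192.168.1.80": {80},                                  # HTTP
}
HIGH_PORTS_START = 1024   # "high-numbered" client ports a stateless filter must open


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def stateless_filter(pkt: Packet) -> str:
    """Decide on each packet alone, as a plain packet filter does."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "accept"                                    # inside -> outside: always
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        if pkt.dport in SERVERS.get(pkt.dst, set()):
            return "accept"                                # SMTP/HTTP to the servers
        if pkt.dport >= HIGH_PORTS_START:
            return "accept"                                # hole left open for replies
    return "deny"


class StatefulFilter:
    """Keep a session table so only replies to inside-initiated sessions pass."""

    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return "accept"                            # reply to a tracked session
            if pkt.syn and pkt.dport in SERVERS.get(pkt.dst, set()):
                return "accept"                            # new connection to a server
        return "deny"


def demo() -> dict:
    """Constructed traffic: a client's web session and an unsolicited probe."""
    client_open = Packet("192.168.1.50", 40001, "203.0.113.10", 80, syn=True)
    reply = Packet("203.0.113.10", 80, "192.168.1.50", 40001)
    probe = Packet("203.0.113.66", 4444, "192.168.1.50", 40002, syn=True)
    sf = StatefulFilter()
    sf.decide(client_open)
    return {
        "stateless": (stateless_filter(reply), stateless_filter(probe)),
        "stateful": (sf.decide(reply), sf.decide(probe)),
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter accepts both the reply and the probe, because the only thing it can see is that the destination port is above 1023; the stateful filter accepts the reply (it matches the session the client opened) and denies the probe. Connections to the published SMTP and HTTP servers are accepted by both, since that part of the policy needs no session state.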
Slide 9: Dedicated Proxy Servers
Useful for web and email content scanning:
• Java applet or application filtering
• ActiveX control filtering
• JavaScript filtering
• Blocking specific Multipurpose Internet Mail Extensions (MIME) types, for example "application/msword" for Microsoft Word documents
• Virus scanning and removal
• Macro virus scanning, filtering, and removal
• Application-specific commands, for example, blocking the HTTP "DELETE" command
• User-specific controls, including blocking certain content types for certain users

Slide 10: Dedicated Proxy Servers Deployments
(Figure only)

Slide 11: Network Address Translation
Developed in response to two major issues:
• Hiding the network-addressing schema present behind a firewall environment.
• The depletion of the IP address space has caused some organizations to use NAT for mapping non-routable IP addresses to a smaller set of legal addresses, according to RFC 1918:
  10.0.0.0 to 10.255.255.255 (Class A)
  172.16.0.0 to 172.31.255.255 (Class B)
  192.168.0.0 to 192.168.255.255 (Class C)
Accomplished in three fashions:
• Static Network Address Translation
• Port Address Translation (PAT)

Slide 12: IANA-allocated, Non-Internet-routable IP addresses
(Figure: IP addresses split into Public, registered with the American Registry for Internet Numbers (ARIN), and Private, the IANA-allocated non-Internet-routable ranges below)
Address Class   Network Address Range
A               10.0.0.0 ~ 10.255.255.255
B               172.16.0.0 ~ 172.31.255.255
C               192.168.0.0 ~ 192.168.255.255
Non-routable IP addresses are recommended for home networks.

Slide 13: Static Network Address Translation
Each internal system on the private network has a corresponding external, routable IP address associated with it.

Slide 14: PAT
(Figure only)

Slide 15: Personal Firewalls / Personal Firewall Appliances
Personal Firewall: installed on the system it is meant to protect; usually does not offer protection to other systems or resources.
Personal Firewall Appliance: usually runs on specialized hardware and integrates some other form of network infrastructure components:
• Cable Modem WAN Routing
• LAN Routing (dynamic routing support)
• Network hub
• Network switch
• DHCP (Dynamic Host Configuration Protocol) server
• Network management (SNMP) agent
• Application-proxy agents

Slide 16: DMZ (DeMilitarized Zone)
A DMZ is your front line when protecting valuables from direct exposure to an untrusted environment.
"A network added between a protected network and an external network in order to provide an additional layer of security."
A DMZ is sometimes called a "Perimeter network" or a "Three-homed perimeter network."
A DMZ is a glowing example of the Defense-in-Depth principle.

Slide 17: Defense-in-Depth
The Defense-in-Depth principle states that no one thing, no two things, will ever provide total security. It states that the only way for a system to be reasonably secured is to consider every aspect of the system's existence and secure them all.
A DMZ is a step towards defense in depth because it adds an extra layer of security beyond that of a single perimeter.

Slide 18: Design DMZ
Start by asking yourself:
• What do I want to protect? Or, what is most valuable to me?
• What is the entrance point into this system? Or, what is my front door?
If there is more than one entrance to your system, such as an Internet connection and dial-up connections, have two different DMZs, with different configurations for each of those access types.
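As an added example (not code from the slides), the two NAT variants from the "Network Address Translation", "Static Network Address Translation" and "PAT" slides in working form: a static one-to-one table, and a PAT table that shares a single public address and distinguishes inside hosts by translated source port. The RFC 1918 ranges are the ones listed on the slide; every other address is a constructed assumption.

```python
"""Static NAT and Port Address Translation (added example, not from the slides).

Static NAT: every inside host has its own routable address.  PAT: all inside
hosts share one routable address and are told apart by the translated source
port, so the gateway needs a reverse table to deliver replies and drops inbound
packets that match no entry.  All addresses below are constructed.
"""
from __future__ import annotations

import ipaddress

# RFC 1918 private ranges as listed on the NAT slide
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class StaticNAT:
    """One-to-one map between an inside (private) and an outside (public) address."""

    def __init__(self, mapping: dict[str, str]):
        for inside, public in mapping.items():
            # refuse mappings that would leak a private address or translate a public one
            if not is_rfc1918(inside) or is_rfc1918(public):
                raise ValueError(f"bad static mapping {inside} -> {public}")
        self.out = dict(mapping)
        self.back = {public: inside for inside, public in mapping.items()}

    def outbound(self, src: str) -> str:
        return self.out[src]

    def inbound(self, dst: str) -> str | None:
        return self.back.get(dst)


class PAT:
    """Many inside (ip, port) pairs share one public address, keyed by public port."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (inside_ip, inside_port) -> public_port
        self.back = {}   # public_port -> (inside_ip, inside_port)

    def outbound(self, src: str, sport: int) -> tuple[str, int]:
        key = (src, sport)
        if key not in self.out:              # first packet of a new session: allocate a port
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.out[key]

    def inbound(self, dport: int) -> tuple[str, int] | None:
        """Reply to an existing session, or None for unsolicited inbound traffic."""
        return self.back.get(dport)


def demo() -> dict:
    """Two inside hosts using the same client port toward the same web server."""
    snat = StaticNAT({"192.168.0.10": "198.51.100.10"})
    pat = PAT("198.51.100.1")
    a = pat.outbound("192.168.0.10", 40001)
    b = pat.outbound("192.168.0.11", 40001)
    return {
        "static_out": snat.outbound("192.168.0.10"),
        "static_in": snat.inbound("198.51.100.10"),
        "pat_a": a,
        "pat_b": b,
        "pat_reply_b": pat.inbound(b[1]),
        "pat_unsolicited": pat.inbound(12345),
    }


if __name__ == "__main__":
    print(demo())
```

The point the PAT table makes is the one the DMZ and ruleset slides rely on: an unsolicited inbound packet to the shared public address maps to nothing and is dropped, which is why PAT also hides the internal addressing schema.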
Slide 19: DMZ Networks
(Figures: Service Leg DMZ Configuration; A DMZ Firewall Environment)

Slide 20: Domain Name Service (DNS)
(Figure: Split DNS example)

Slide 21: Placement of Servers in Firewall Environments
(Figure: Summary Example Firewall Environment)

Slide 22: Firewall Ruleset: Blocking Traffic
• Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
• Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.
• Inbound traffic containing ICMP (Internet Control Message Protocol) traffic.
• Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as being reserved for private networks.
• Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.
• Inbound traffic containing IP Source Routing information.
• Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
• Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.
• Inbound or outbound traffic containing directed broadcast addresses.
(Figure: Inbound and Outbound traffic through the FW)

Network Intrusion Detection Systems
Bo Cheng (鄭伯炤)
Email: [email protected],tw
Tel: 05-272-0411 Ext. 33512
Information Networking Security and Assurance Lab, National Chung Cheng University
• Compromise the confidentiality, integrity, availability
• Bypass the security mechanisms of a computer or network

Slide 24: IDS History
(Figure; source: http://www.securityfocus.com/infocus/1514)

Slide 25: Types of IDS (Information Source)
• Host (HID): operates on information (e.g., log or OS system call) collected from within an individual computer system.
• Application-Integrated (AIID): uses a module, coupled with the application, to extract the desired information and monitor transactions.
• Application (AID): operates on application transaction logs, e.g., Entercept Web Server Edition.
• Network (NID): captures and analyzes all network packets.
• Network-Node (NNID): monitors packets to/from a specific node.
Source: http://www.networkintrusion.co.uk/ids.htm

Slide 26: Complement IDS Tools
• File Integrity Checkers: create a baseline and apply a message digest (cryptographic hash) to key files, then check the files periodically.
• Padded Cell: when the IDS detects attackers, it seamlessly transfers them to a special padded cell host.
• Vulnerability Assessment: determine whether a network or host is vulnerable to known attacks.
• Honey Pot: a system/resource designed to be attractive to a potential attacker.
Source: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/index.shtml

Slide 27: IDS Life Cycle
Setting up the current generation of IDSs requires a substantial time investment to ensure they'll flag only suspicious traffic and leave everything else alone.
Source: www.nwfusion.com/techinsider/2002/0624security1.html
(Figure: stages Installation, Configuration, Tuning, Vulnerability Assessment and Testing, with the activities Signature Updating, Writing Signature, Accuracy, Resource Usage, Stress, Information Collecting, Filtering and Correlation, Traffic Analysis)

Slide 28: IDS Market Forecast (I)
(Figure; Source: IDC, 2001)

Slide 29: IDS Market Forecast (II)
(Figure; Source: IDC, 2001)

Slide 30: When Firewall Meets IDS
Firewall: a gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall).
• Access Control
• NAT
• Prevent the attacks
IDS: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.
• Validate firewall configuration
• Detect attacks that firewalls allow to pass through (such as attacks against web servers)
• Seize insider hacking

Slide 31: NIDS Deployments
Sensor position 1 (Internet, outside the external firewall):
• See all outside attacks to help forensic analysis
Sensor position 2 (DMZ, behind the external firewall):
• Identify DMZ related attacks
• Spot outside attacks that penetrate the network's perimeter
• Avoid outside attacks on the IDS itself
• Highlight external firewall problems with the policy/performance
• Pinpoint compromised servers via outgoing traffic
Sensor position 3 (Network Backbones):
• Increase the possibility to recognize attacks
• Detect attacks from insiders or authorized users within the security perimeter
Sensor position 4 (Critical Subnets):
• Observe attacks on critical systems and resources
• Provide cost effective solutions
Mode: Tap, SPAN (Mirror), Port Clustering, In-Line

Slide 32: Detection Engine
(Figure: analysis techniques Simple Pattern Matching, String Matching, Stateful Signatures, Protocol Anomalies, Traffic Anomalies, Backdoor Detection, and their Weaknesses)

Slide 33: The Detection Results
• False Positive: annoy; crying wolf; tuning; prevention?
• True Negative
• True Positive
• False Negative: wire-speed performance; mis-configuration; poor detection engine; IDS evasion

Slide 34: IDS Responses After Detection
Intrusion Detection Working Group:
• IDMEF - Message Exchange Format: XML-based alert format among IDS components
• IDXP - Exchange Protocol: communication protocol for exchanging IDMEF messages
Passive Responses:
• Alarms/Notifications
• Generate SNMP trap; SNMP Integration: support SNMP Manager (e.g., HP OV) and MIB (e.g., iss.mib trap)
Active Responses:
• Take Action Against the Intruder: retaliation (information warfare); injecting TCP reset packets
• Collect additional information
• Change the Environment: reconfiguring routers/firewalls (e.g., via FW1 OPSEC) to block packets based on IP address, network ports, protocols, or services
Source: NIST

Slide 35: Check Point - Open Platform for Secure Enterprise Connectivity (OPSEC)
Name          TCP/UDP Port   Short description
FW1_cvp       18181/tcp      Check Point OPSEC Content Vectoring Protocol - protocol used for communication between FWM and AntiVirus Server
FW1_ufp       18182/tcp      Check Point OPSEC URL Filtering Protocol - protocol used for communication between FWM and Server for Content Control (e.g. Web Content)
FW1_sam       18183/tcp      Check Point OPSEC Suspicious Activity Monitor API - protocol e.g. for Block Intruder between MM and FWM
FW1_lea       18184/tcp      Check Point OPSEC Log Export API - protocol for exporting logs from MM
FW1_omi       18185/tcp      Check Point OPSEC Objects Management Interface - protocol used by applications having access to the ruleset saved at MM
FW1_ela       18187/tcp      Check Point Event Logging API - protocol used by applications delivering logs to MM
FW1_pslogon   18207/tcp      Check Point Policy Server Logon protocol - protocol used for download of Desktop Security from PS to SCl
NFR and RealSecure support FW1_sam and FW1_ela.

Slide 36: Gateway IDS (GIDS) and Host Intrusion Prevention (HIP)
Drawbacks noted on the slide: inadvertently block legitimate traffic; ineffective against denial-of-service attacks.
Host Intrusion Prevention (company - website):
• Entercept Security Technologies - www.entercept.com
• Harris STAT Neutralizer - www.statonline.com
• Okena StormWatch and StormFront - www.okena.com
• Sana Security - www.sanasecurity.com
• Linux IDS - www.lids.org
Gateway IDS (company - website):
• Captus Networks - www.captusnetworks.com
• Cisco Systems IDS - www.cisco.com
• ForeScout ActiveScout - www.forescout.com
• RealSecure Network Protection - www.iss.net
• Intruvert Networks - www.intruvert.com
• NetScreen Technologies IDP - www.netscreen.com
• Snort Hogwash - http://hogwash.sourceforge.net
• TippingPoint Technologies UnityOne - www.tippingpoint.com
Also listed: OneSecure / Netscreen; Okena / Cisco; Entercept and Intruvert / Network Associates
Source: http://www.cio.com/archive/061503/et_article.html

Slide 37: NIDS Market Predictions: Head to Head
• Intrusion detection market jumped 29.2 per cent year on year (firewall/virtual private network security appliance market increased 7.5 per cent).
• In contrast to statements that intrusion detection software is dead, the growth in intrusion detection appliances shows that many organizations still see the value in monitoring their networks.
• Could reach $2 billion in 2005, up from $486 million in 2000.
• IDS market will grow 43 per cent to $149m by 2004.
• IDS revenue will hit $1.1bn by 2006.
• IDS is dead, long live IPS.
• By year end 2004, advances in non-signature based intrusion detection technology will enable network-based intrusion prevention to replace 50% of established IDS deployments and capture 75% of new deployments.
• By end of 2003, 90% of IDS deployments will fail when false positives are not reduced by 50%.
(Chart: IDS Revenue vs. IPS Revenue, 2002-2005)
Sources: http://www.vnunet.com/News/1143747, http://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf

Slide 38: IDS Balancer
(Figure: Internet - GigaBit SX Fiber Tap - IDS Balancer - Network)
Products: Toplayer's IDS Balancer; Radware FireProof
• Availability
• Scalability
• ROI
• Cost-effective (reduce sensors while increasing intrusion coverage)
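Returning to the "Firewall Ruleset: Blocking Traffic" slide, here is an added example (not code from the deck) that turns each of its nine bullets into a check over a packet and reports the first rule a packet violates. The firewall's external address, the network behind it, the sample packets, and the idea that a source is "authenticated" only when flagged as such are all constructed assumptions for the example; the loopback check is widened from 127.0.0.1 to the whole 127/8 block.

```python
"""Checks from the "Firewall Ruleset: Blocking Traffic" slide (added example,
not from the deck).  block_reason() returns the first rule a packet violates,
or None when the packet passes all of them.  The firewall's external address,
the networks behind it and which outside sources count as authenticated are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

FIREWALL_IP = ipaddress.ip_address("203.0.113.1")         # assumption: external interface
INTERNAL = [ipaddress.ip_network("198.51.100.0/24")]      # assumption: behind the firewall
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SNMP_PORTS = {161, 162}


@dataclass(frozen=True)
class Packet:
    direction: str                # "in" (arriving from outside) or "out"
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: int = 0
    source_routed: bool = False   # IP source routing option present
    authenticated: bool = False   # source authenticated to the firewall (e.g. a VPN peer)


def _in_any(ip, nets) -> bool:
    return any(ip in net for net in nets)


def block_reason(pkt: Packet):
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    inbound = pkt.direction == "in"
    if inbound and not pkt.authenticated and dst == FIREWALL_IP:
        return "unauthenticated traffic to the firewall itself"
    if inbound and _in_any(src, INTERNAL):
        return "inbound packet claims an internal source address"
    if inbound and pkt.proto == "icmp":
        return "inbound ICMP"
    if _in_any(src, RFC1918):                       # both directions
        return "RFC 1918 source address"
    if inbound and not pkt.authenticated and pkt.proto == "udp" and pkt.dport in SNMP_PORTS:
        return "unauthenticated SNMP"
    if inbound and pkt.source_routed:
        return "IP source routing"
    if src.is_loopback or dst.is_loopback:          # 127.0.0.1 and the rest of 127/8
        return "loopback address"
    if src.is_unspecified or dst.is_unspecified:    # 0.0.0.0
        return "0.0.0.0 address"
    if any(dst == net.broadcast_address for net in INTERNAL):
        return "directed broadcast"
    return None


# constructed packets: one per rule, then two that should pass
SAMPLE = [
    Packet("in", "192.0.2.5", "203.0.113.1", "tcp", 22),
    Packet("in", "198.51.100.7", "198.51.100.80", "tcp", 80),
    Packet("in", "192.0.2.5", "198.51.100.80", "icmp"),
    Packet("out", "10.1.1.1", "192.0.2.5", "tcp", 443),
    Packet("in", "192.0.2.5", "198.51.100.80", "udp", 161),
    Packet("in", "192.0.2.5", "198.51.100.80", "tcp", 80, source_routed=True),
    Packet("out", "198.51.100.80", "127.0.0.1", "tcp", 80),
    Packet("in", "0.0.0.0", "198.51.100.80", "tcp", 80),
    Packet("in", "192.0.2.5", "198.51.100.255", "tcp", 80),
    Packet("in", "192.0.2.5", "198.51.100.80", "tcp", 80),
    Packet("in", "192.0.2.9", "203.0.113.1", "udp", 500, authenticated=True),
]


def filter_batch(packets):
    """Apply block_reason to each packet; None means the packet is allowed on."""
    return [block_reason(p) for p in packets]


def demo():
    return filter_batch(SAMPLE)


if __name__ == "__main__":
    for pkt, reason in zip(SAMPLE, demo()):
        print(f"{pkt.direction:>3} {pkt.src:>14} -> {pkt.dst:<14} {reason or 'allowed'}")
```

Rule order matters: the spoofed-internal-source check runs before the RFC 1918 check so that a packet hits the more specific reason first, and the authenticated flag exempts only the two rules the slide qualifies with "non-authenticated".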
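The file integrity checker described on the "Complement IDS Tools" slide, as an added example that is not from the deck: build a baseline of cryptographic digests for key files, keep it somewhere the monitored host cannot alter, and on each later run report files that were added, removed or modified. The scenario in demo() is constructed in a temporary directory; the file names and contents are assumptions.

```python
"""File integrity checker (added example, not from the slides): baseline the
digests of key files, then compare the current tree against the stored
baseline and report added, removed and modified files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (as a relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline."""
    current = build_baseline(root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline, tamper, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        stored = json.dumps(baseline)     # in practice: written to read-only media
        clean = check(root, json.loads(stored))
        # simulate changes: a line appended, a file deleted, a file added
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nnew:x:1001:1001::/home/new:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "new.conf").write_text("option=1\n")
        return {"clean": clean, "after": check(root, json.loads(stored))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as its storage: an attacker who can rewrite the baseline alongside the files defeats the check, which is why the slide's "key files" are best hashed from a known-good state and the digests kept off the monitored host.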
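An added example, not from the slides, that puts two of the "Detection Engine" techniques next to each other and scores them with the four outcomes from "The Detection Results" slide: simple pattern matching inspects each segment on its own, while a stateful signature reassembles the flow first. The content signature and the labelled flows are constructed, and the fourth flow is a benign page that happens to contain the signature string, which is what produces the false positive.

```python
"""Simple pattern matching vs. a stateful signature, scored as TP/FP/TN/FN
(added example, not from the slides).  The per-segment matcher inspects each
TCP segment alone; the stateful one reassembles the flow in sequence order
before matching.  The signature and the labelled traffic are constructed.
"""

SIGNATURE = b"/etc/passwd"   # constructed content signature for a web-server probe


def simple_pattern_match(segments) -> bool:
    """Stateless engine: true if any single segment contains the signature."""
    return any(SIGNATURE in payload for _, payload in segments)


def stateful_signature(segments) -> bool:
    """Stateful engine: order segments by sequence number, join, then match."""
    stream = b"".join(payload for _, payload in sorted(segments))
    return SIGNATURE in stream


# constructed flows: (description, [(seq, payload), ...], is_attack)
FLOWS = [
    ("normal page fetch",
     [(1, b"GET /index.html HTTP/1.0\r\n\r\n")], False),
    ("probe in one segment",
     [(1, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n")], True),
    ("same probe split across segments, arriving out of order",
     [(2, b"sswd HTTP/1.0\r\n\r\n"), (1, b"GET /../../etc/pa")], True),
    ("benign page whose body mentions the path",
     [(1, b"POST /wiki HTTP/1.0\r\n\r\nThe file /etc/passwd lists accounts")], False),
]


def score(engine) -> dict:
    """Run an engine over FLOWS and count the four outcomes."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for _, segments, is_attack in FLOWS:
        flagged = engine(segments)
        key = ("T" if flagged == is_attack else "F") + ("P" if flagged else "N")
        counts[key] += 1
    return counts


def demo() -> dict:
    return {"simple": score(simple_pattern_match), "stateful": score(stateful_signature)}


if __name__ == "__main__":
    for name, counts in demo().items():
        print(name, counts)
```

The split flow is the slide's "IDS evasion" cause of a false negative: the stateless engine never sees the whole string, the stateful one does. Both engines share the false positive on the last flow, which is the "crying wolf" problem that tuning (a signature anchored to the request line rather than any payload byte) would address.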