Full Transcript


6 1 Network Security
Dr. Abdullah Rashed

Lecturer's notes (translated from Arabic):
- Handwriting
- Arabic or English, Morsi??
- Students from outside the major
- Copying of answers
- Ibtisam 8
- Certified translation

Case study (translated from Arabic):
An insurance company holds the following sensitive information:
- Plans (very important)
- Customer data and customer correspondence (very important)
- Instructions and guidelines for the company's employees
- Public data, including advertising material
- Profit and expense data (very important)
The company uses the Internet to receive employee complaints; the reply to a complaint depends on customer data and customer cases.
Required: design a security system for the company (text and diagram).

Network Organization
1. Firewalls and Proxies
  1.1. Firewalls
  1.2. Proxies
2. Analysis of the Network Infrastructure
  2.1. Outer Firewall Configuration
  2.2. Inner Firewall Configuration
3. In the DMZ
  3.1. DMZ Mail Server
  3.2. DMZ WWW Server
  3.3. DMZ DNS Server
  3.4. DMZ Log Server

Important Terms
Saltzer and Schroeder's design principles
Bell-LaPadula Model

Questions
Back Orifice
DMZ
Defense in depth
Filtering
Firewall vs. router
Vulnerability analysis
Inner firewall vs. outer firewall
Proxy vs. router
Distinguished address
Hypothesis
Methodology
What causes a violation of (least) privilege?

DMZ: a buffer zone (translated from Arabic)
1. Sinai and the Philadelphi corridor
2. Kuwait, Iraq and Saudi Arabia
3. France and Spain: Pheasant Island, which changes hands every six months
4. North Korea and South Korea
5. The buffer zones between the tribes of Yemen

Network Organization 1
Why does the Drib's policy suggest that the network be partitioned into several parts, with guards between the parts? To prevent information from leaking. Each type of data resides in one of the parts. This is a fairly standard corporate network, with one part available to the public and a second part available only internally.
Definition: DMZ. The DMZ is a portion of a network that separates a purely internal network from an external network. "DMZ" stands for "demilitarized zone."
In the network designed for the Dribble Corporation (the Drib), the "outer firewall" sits between the Internet and the company network.
The subnet labeled "DMZ" provides limited public access to various servers. The "inner firewall" sits between the DMZ and the subnets that are not to be accessed by the public. These subnets share common mail and DNS servers that, like the other hosts, are not publicly accessible.

Network Organization 2
When information moves from the Internet to the network, confidentiality is not at issue; integrity is. The guards between the Internet and the DMZ, and between the DMZ and the internal network, must not accept messages that will cause servers to work incorrectly or to crash. When information moves from the internal network to the Internet, both confidentiality and integrity are at issue. The firewalls must ensure that no confidential information goes to the Internet and that the information that reaches the Internet is correct.

Network Organization 3
The latter issue requires simply that information not be altered in transit from the internal network to the Internet. For simplicity, we assume that the systems as deployed will not change any information in transit. If such changes are made, the system has been compromised by an attacker, which would require the attacker to gain access to the system. This is equivalent to the problem of disallowing certain types of information from entering the internal or DMZ subnets from the Internet, in other words, ensuring the integrity of that information. The arrangement and configuration of the firewalls provide the supporting access control mechanisms used to implement the policy. The "guards" mentioned above perform access control in both directions, to and from the Drib's network.

Firewalls and Proxies 1
Definition: A firewall is a host that mediates access to a network, allowing and disallowing certain types of access on the basis of a configured security policy.
EXAMPLE: A company wishes to prevent any implementation of Back Orifice from allowing outsiders to control its systems.
Back Orifice is an attack tool that acts as a remote system administration server, usually installed illegally.

Filtering 1
A filtering firewall accepts or rejects messages on the basis of external information, such as destination addresses or ports, rather than on the basis of the contents of the message. It performs access control on the basis of attributes of the packet headers, such as destination addresses, source addresses, and options. Routers and other infrastructure systems are typical examples of filtering firewalls: they allow connections through the firewall, usually on the basis of source and destination addresses and ports. Access control lists provide a natural mechanism for representing these policies.

Filtering 2
This contrasts with the second type of firewall, which never allows such a direct connection. Instead, special agents called proxies control the flow of information through the firewall. A proxy is an intermediate agent or server that acts on behalf of an endpoint without allowing a direct connection between the two endpoints.

Proxy 1
A proxy firewall uses proxies to perform access control. It can base access control on the contents of packets and messages, as well as on attributes of the packet headers. A proxy firewall thus adds to a filtering firewall the ability to base access on content, either at the packet level or at a higher level of abstraction.

Proxy 2: mail proxy
EXAMPLE: A company wishes to check all incoming electronic mail for computer viruses. It implements a mail proxy at the firewall between the Internet and the company intranet. The proxy has a virus scanning program. When mail arrives at the firewall, the proxy mail daemon accepts the mail.

Proxy 3: virus scanning
It then runs the virus scanner. If the scanner reports that there are no viruses in the mail or in any associated attachments, the proxy forwards the mail to the intended recipient.
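The mail proxy of the "Proxy 2" and "Proxy 3" slides, as an added example that is not part of the lecture or of Bishop's text: the proxy reassembles the whole message, decodes every MIME part and scans the decoded bytes, which is exactly what a header-only filtering firewall cannot do. The signature list, the sample messages, the recipient address and the "scanner" are all constructed for this example; a real deployment would hand each decoded part to a real scanner and relay accepted mail onward over SMTP.

```python
# Added example (not from the lecture or Bishop's text): a content-inspecting
# mail proxy. Signatures, messages and addresses are constructed stand-ins.
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from typing import Optional, Tuple

# Constructed "virus signatures": byte patterns the toy scanner looks for in
# every decoded MIME part (message body and attachments alike).
SIGNATURES = [b"X-DRIB-TEST-VIRUS", b"MZ\x90\x00PAYLOAD"]


def scan_part(data: bytes) -> Optional[bytes]:
    """Toy virus scanner: return the first matching signature, else None."""
    for sig in SIGNATURES:
        if sig in data:
            return sig
    return None


def proxy_mail(raw_message: str) -> Tuple[str, str]:
    """Decide what the proxy MTA does with one complete, reassembled message.

    A filtering firewall sees only headers (port 25, addresses); this proxy
    parses the whole message, decodes each part (base64, quoted-printable)
    and scans the decoded bytes. Returns ("forward", recipient) or
    ("discard", reason).
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no content of their own
        data = part.get_payload(decode=True) or b""
        hit = scan_part(data)
        if hit is not None:
            label = part.get_filename() or part.get_content_type()
            return "discard", f"{label} matched signature {hit!r}"
    return "forward", str(msg["To"])


def build_message(to: str, body: str, attachment: Optional[bytes] = None) -> str:
    """Construct a sample message, optionally with a binary attachment, as it
    would arrive on the wire: a MIME-encoded string (attachment in base64)."""
    m = EmailMessage()
    m["From"] = "customer@example.net"
    m["To"] = to
    m["Subject"] = "Insurance claim"
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="claim.doc")
    return m.as_string()


RECIPIENT = "claims@drib.example"  # assumed address behind the DMZ mail server
CLEAN = build_message(RECIPIENT, "Please find my claim attached.",
                      b"Policy 12345: claim details...")
INFECTED = build_message(RECIPIENT, "Please find my claim attached.",
                         b"MZ\x90\x00PAYLOAD" + b"\x00" * 64)

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, proxy_mail(raw))
```

Both messages arrive on port 25 with identical headers, so a filtering rule on addresses and ports passes both; only the proxy, which decodes the base64 attachment before scanning, can tell them apart.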
If the virus scanner reports that the mail or an attachment contains a virus, the mail is discarded (or some other appropriate action is taken). The fact that the electronic mail message is reassembled at the firewall by a mail agent acting on behalf of the mail agent at the ultimate destination makes this a proxy firewall.

Proxy 4: analysis
A different point of view is to see the firewall as an audit mechanism. It analyzes the packets that enter. Firewalls can then base actions on this analysis, leading to traffic shaping (in which percentages of bandwidth are reserved for specific types of traffic), intrusion response, and other controls.

Analysis of the Network Infrastructure 1: mediators
The key decision is to limit the flow of information from the internal network to the DMZ. The public cannot communicate directly with any system in the internal network, nor can any system in the internal network communicate directly with other systems on the Internet (beyond the "outer firewall"). The systems in the DMZ serve as mediators, with the firewalls providing the guards.

Analysis of the Network Infrastructure 2: pump
The firewalls and the DMZ systems make up the pump, because they control all access to and from the Internet and filter all traffic in both directions.

Analysis of the Network Infrastructure 3: conceal
The first step is to conceal (mask) the addresses of the internal network. In general, the internal network addresses can be any IP addresses, and the inner firewall can use a protocol such as Network Address Translation (NAT) to map these internal host addresses to the firewall's Internet address.

Analysis of the Network Infrastructure 4
A more common method is to assign each host an address but not allow those addresses to leave the corporate network. This is particularly simple, because all services are implemented as proxies in the outer firewall. However, electronic mail presents a special problem.
In short, there are two ways to hide internal addresses:
1. Network Address Translation.
2. Assign each host an address that never leaves the corporate network, with proxies in the outer firewall providing the services.

Analysis of the Network Infrastructure 5
The DMZ mail server must know an address in order for the internal mail server to pass mail back and forth. This need not be the actual address of the internal mail server; it could be a distinguished address that the inner firewall recognizes as representing the internal mail server. Similarly, the internal mail server must know an address for the DMZ mail server. These addresses can be fixed (in which case the DMZ DNS server is unnecessary).
For flexibility, we assume that the Drib has decided to use a DNS server on both the internal and DMZ subnets. As a backup, each system in the DMZ has the network addresses of both firewalls stored locally, so if the DNS system is unavailable, the other servers can still function.
Notes: the address need not be the actual one; the inner firewall knows which address represents the internal mail server; the internal mail server must know an address for the DMZ mail server.

Analysis of the Network Infrastructure 6
The Web server lies in the DMZ for the same reasons that the mail server does. External connections to the Web server go into the DMZ and no farther. If any information is to be transmitted from the Web server to the internal network (for example, to the customer data subnet), the transmission is made separately, not as part of a Web transaction.

Analysis of the Network Infrastructure 7
The firewalls are distinct computers, as are the DMZ servers, leading to a duplication rather than a sharing of network services. If the mail server stops working, for example, the WWW server is not affected. The locally stored, fixed addresses of the two firewalls handle the case of DNS unavailability, mitigating that threat. Finally, the design applies confinement, access control, and information flow control.
Notes on the firewalls: 1. fixed local addresses mitigate the unavailability threat; 2. access control.

Outer Firewall Configuration 1: restrict
The goals of the outer firewall are to restrict public access to the Drib's corporate network and to restrict the Drib's access to the Internet. This arises from the duality of information flow.

Outer Firewall Configuration 2: privileges
For example, as in the Bell-LaPadula model, one cannot read information from a higher level (here, by restricting public access to the Drib's network), but one cannot write information to a lower level either (here, by restricting the Drib's employees' access to the Internet). Certain sanitized exchanges, however, are allowed. To implement the required access control, the firewall uses an access control list, which binds source addresses and ports and destination addresses and ports to access rights.

Outer Firewall Configuration 3: interface
The public needs to be able to access the Web server and the mail server, and no other services. The firewall therefore presents an interface that allows connections to the WWW services (HTTP and HTTPS) and to electronic mail (SMTP). Sites on the Internet see the addresses of the Web and mail servers as the same: that of the firewall. No other services are provided to sites on the Internet.

Outer Firewall Configuration 4: analysis
The firewall is a proxy-based firewall. When an electronic mail connection is initiated, the SMTP proxy on the firewall collects the mail. It then analyzes it for computer viruses and other forms of malicious logic. If none is found, it forwards the mail to the DMZ mail server. When a Web connection arrives, the firewall scans the message for any suspicious components and, if none is found, forwards it to the DMZ.

Outer Firewall Configuration 5: vulnerability analysis
The mail proxy will detect and reject such attempts. The third way to attack is to attempt to avoid the low-level firewall checks by exploiting vulnerabilities in the firewall itself.
The discussion of vulnerability analysis implies that there is no way to ensure that the firewall software and hardware cannot be breached.

Outer Firewall Configuration 6-7: separation of privilege, defense in depth
Designing the firewall mechanisms to be as simple as possible, in accordance with the principle of economy of mechanism, and using assurance techniques minimizes, but does not eliminate, this possibility. So we apply the principle of separation of privilege in the form of a technique called "defense in depth." In order to attack a system in the DMZ by bypassing the firewall checks, the attacker must know something about the internal addresses of the DMZ.

Outer Firewall Configuration 8
If, for example, the attacker knows that the internal address of the DMZ mail server is 10.34.231.19, the attacker may be able to use that information to get packets to that host. But if the attacker has no idea of the DMZ mail server's internal address, then even if she is able to bypass the firewall checks, she will not know where to send the packets.

Inner Firewall Configuration 1
The internal network is where the Drib's most sensitive data resides. It may contain data, such as proprietary information, that the Drib does not want outsiders to see. For this reason, the inner firewall blocks all traffic except that which is specifically authorized to enter (the principle of fail-safe defaults). All such information will come from the DMZ, and never directly from the Internet.
Inner Firewall Configuration 2
EXAMPLE: The Drib uses the Network File System (NFS) protocol to share files among its systems. The NFS protocol sends the contents of files around a network. Were any of these packets containing sensitive information to leak to the Internet, the Drib would be compromised. The outer firewall is configured to disallow NFS packets from leaking to the Internet. However, the principle of least privilege says that, unless hosts in the DMZ require access to the internal NFS information, the packets should not even reach the DMZ.

Inner Firewall Configuration 3
Furthermore, the principle of separation of privilege says that multiple mechanisms should prevent NFS packets from leaking to the Internet. If one mechanism fails, the others will still prevent the leak. Hence, the inner firewall should also disallow NFS packets from going to the DMZ.

Inner Firewall Configuration 6: cryptography, integrity and authentication
System administrators reach the DMZ systems from the internal network over SSH. This use of cryptography provides message secrecy and integrity as well as strong (cryptographic) authentication of the endpoints. Because the requisite public keys are embedded into the systems when SSH is configured, the issue of an infrastructure for public key distribution is finessed.

Inner Firewall Configuration 7: violating least privilege
The access allowed to system administrators violates the principle of least privilege, because the connection gives the administrators full control over the DMZ systems. Several precautions mitigate this violation. First, if the connection to the systems in the DMZ does not originate from a special system in the internal network, the firewall disallows the connection.
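The two-firewall layout discussed in "Analysis of the Network Infrastructure" (address concealment and the distinguished address for the internal mail server), "Outer Firewall Configuration" (an access control list binding addresses and ports, with the public seeing only the firewall's address) and "Inner Firewall Configuration" (fail-safe defaults, NFS blocked at both firewalls, administrator SSH only from one special host), as one added packet-routing simulation. This is not code from the lecture or from Bishop's text; every address, rule, proxy target and the distinguished address are assumptions chosen for the example (documentation and RFC 1918 ranges only), and 10.34.231.19 is simply the address the slides use.

```python
# Added example (not from the lecture or Bishop's text): the Drib's two
# firewalls as a rule-evaluation simulation. All addresses and rules are
# assumptions for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

FW_OUTER_PUBLIC = "203.0.113.10"   # the only address the Internet ever sees
DMZ_NET, INT_NET = ip_network("10.34.231.0/24"), ip_network("192.168.5.0/24")
DMZ_MAIL, DMZ_WWW = "10.34.231.19", "10.34.231.20"   # .19 is the slides' example
INT_MAIL_REAL = "192.168.5.25"     # real internal mail server, never told to the DMZ
INT_MAIL_ALIAS = "10.99.0.25"      # distinguished address the DMZ mail server uses
INT_ADMIN = "192.168.5.2"          # the one internal host allowed to SSH into the DMZ
INT_FILESERVER = "192.168.5.40"    # internal NFS server
NFS, SSH, SMTP, HTTP, HTTPS = 2049, 22, 25, 80, 443
NAT: Dict[str, str] = {INT_MAIL_ALIAS: INT_MAIL_REAL}  # inner firewall: alias -> real host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: Optional[str] = None    # None matches any value
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.src, p.src), (self.dst, p.dst), (self.dport, p.dport)))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unlisted is dropped (fail-safe default)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Outer firewall, Internet -> DMZ: only the three proxied services, and only
# when addressed to the firewall itself; each proxy forwards to a DMZ host.
OUTER_INBOUND = [Rule("accept", dst=FW_OUTER_PUBLIC, dport=p) for p in (SMTP, HTTP, HTTPS)]
PROXY_TARGET = {SMTP: DMZ_MAIL, HTTP: DMZ_WWW, HTTPS: DMZ_WWW}
# Outer firewall, outbound: NFS blocked here as the second layer; only the DMZ
# mail server may relay mail out.
OUTER_OUTBOUND = [Rule("drop", dport=NFS), Rule("accept", src=DMZ_MAIL, dport=SMTP)]
# Inner firewall, DMZ -> internal: mail only, and only to the distinguished address.
INNER_INBOUND = [Rule("accept", src=DMZ_MAIL, dst=INT_MAIL_ALIAS, dport=SMTP)]
# Inner firewall, internal -> DMZ: NFS blocked first (least privilege, first
# layer), then outbound mail and admin SSH from the special host only.
INNER_OUTBOUND = [Rule("drop", dport=NFS),
                  Rule("accept", src=INT_MAIL_REAL, dst=DMZ_MAIL, dport=SMTP),
                  Rule("accept", src=INT_ADMIN, dport=SSH)]
PATHS = {("internet", "dmz"): [("outer", OUTER_INBOUND)],
         ("dmz", "internal"): [("inner", INNER_INBOUND)],
         ("dmz", "internet"): [("outer", OUTER_OUTBOUND)],
         ("internal", "dmz"): [("inner", INNER_OUTBOUND)],
         ("internal", "internet"): [("inner", INNER_OUTBOUND), ("outer", OUTER_OUTBOUND)]}


def zone(addr: str) -> str:
    if addr in NAT:
        return "internal"   # a distinguished address stands for an internal host
    a = ip_address(addr)
    return "dmz" if a in DMZ_NET else "internal" if a in INT_NET else "internet"


def send(p: Packet) -> Tuple[str, List[str]]:
    """Trace p across every guard on its path; return (verdict, trace). All
    guards are evaluated rather than short-circuited, so the trace shows
    which layers would independently stop the packet (defense in depth)."""
    src_zone, dst_zone = zone(p.src), zone(p.dst)
    if src_zone == "internet":
        # DMZ and internal addresses are not routable from outside; the only
        # reachable address is the outer firewall, whose proxies forward.
        if p.dst != FW_OUTER_PUBLIC:
            return "drop", [f"{p.dst} is not reachable from the Internet"]
        dst_zone = "dmz"
    if src_zone == dst_zone:
        return "deliver", ["same subnet; no firewall crossed"]
    trace, verdict = [], "deliver"
    for name, rules in PATHS[(src_zone, dst_zone)]:
        action = evaluate(rules, p)
        trace.append(f"{name} firewall: {action}")
        if action != "accept":
            verdict = "drop"
    if verdict == "deliver":
        if src_zone == "internet":
            trace.append(f"proxied to {PROXY_TARGET[p.dport]}:{p.dport}, and no farther")
        elif p.dst in NAT:
            trace.append(f"inner firewall rewrote {p.dst} -> {NAT[p.dst]}")
        elif dst_zone == "internet":
            trace.append(f"source rewritten to {FW_OUTER_PUBLIC}")
    return verdict, trace


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", FW_OUTER_PUBLIC, HTTPS),
                Packet(DMZ_MAIL, INT_MAIL_ALIAS, SMTP),
                Packet(INT_FILESERVER, "198.51.100.7", NFS)):
        print(pkt, *send(pkt))
```

The NFS trace is the point of the "separation of privilege" slides: an internal file server's NFS packet bound for the Internet is dropped at the inner firewall, and the trace shows the outer firewall would drop it independently if the inner one failed. The DMZ mail server can only reach the distinguished address, which the inner firewall rewrites to the real host, so the real internal address never has to be known in the DMZ.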
Notes: violating least privilege; full control; trusted users get unrestricted access; administration uses SSH to reach the DMZ.

Saltzer and Schroeder's design principles
Saltzer and Schroeder's design principles were enumerated by Jerome Saltzer and Michael Schroeder in their 1975 article "The Protection of Information in Computer Systems"; from their experience, these principles are important for the design of secure software systems.
1. Economy of mechanism: Keep the design as simple and small as possible.
2. Fail-safe defaults: Base access decisions on permission rather than exclusion.
3. Complete mediation: Every access to every object must be checked for authority.
4. Open design: The design should not be secret.
5. Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.
6. Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
7. Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users.
8. Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
9. Work factor: Compare the cost of circumventing the mechanism with the resources of a potential attacker.
10. Compromise recording: It is sometimes suggested that mechanisms that reliably record that a compromise of information has occurred can be used in place of more elaborate mechanisms that completely prevent loss.
