Firewall Technologies PDF
Document Details
Uploaded by FlawlessCongas
Singapore Polytechnic
Tags
Related
- Chapter 7 - 03 - Understand Different Types of Firewalls and their Role - 03_ocred_fax_ocred.pdf
- Firewall Hot Standby Technologies PDF
- Secure Network Design PDF
- Apply Security Principles to Secure Enterprise Infrastructure PDF
- Computer Networks PDF Lecture Notes
- Chapter 2: Network Technologies and Tools PDF
Summary
This document is a presentation on firewall technologies and network perimeter defense. It covers topics like network security concepts, different types of networks, security policies, risk assessment, and how firewalls, routers, and switches work. It also discusses security problems and methods for securing a switch.
Full Transcript
Firewall Technologies Topic A Introduction/Network Perimeter Defence 1 Learning Objectives You will learn: Understand the network perimeter defense Identify the perimeter of a trusted network Identify the devices that provide defense a...
Firewall Technologies Topic A Introduction/Network Perimeter Defence 1 Learning Objectives You will learn: Understand the network perimeter defense Identify the perimeter of a trusted network Identify the devices that provide defense at the network perimeter Explain the functions of devices located at the perimeter of a network Designing the firewall to implement the policy Understand the need for keeping log files of devices at the perimeter 2 Introduction Security must be a primary concern when designing an optimum network Security means protecting or maintaining CIA. CIA stands for Confidentiality, Integrity & Availability The opposite of CIA is DAD DAD stands for Disclosure, Alteration & Denial A complete network security solution featuring formal authentication, authorization, confidentiality, availability and integrity measures, reduce the likelihood of an unauthorized intrusion. 3 Security Policy A security policy is typically a document that outlines specific requirements or rules that must be met. Usually point-specific, covering a single area (A password policy should state that passwords must be sufficient to properly secure a resource) A security standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. (A password standard specifies that a password generator should be used) A security guideline is typically a collection of system-specific or procedural-specific suggestions for best practices. (A password guideline lists all the company approved, licensed password generators) 4 Network Complexity Internet IDS Intranet Firewalls Extranet Scanner Public servers Filters Internal servers VPN 5 Risk Assessment Risk factors Countermeasures Worth Prevention Cryptography Attraction Firewalls Threat Vulnerability scanning Vulnerability Detection Probability Intrusion detection systems Log analysis Digital signatures Proper risk management is the future of digital security. 6 Cost of Security & Risk Assessment Annualized Rate of Occurrence (ARO) (Likelihood of a risk occurring within a year) Single Loss Expectancy (SLE) (Total cost of the risk if the risk occurs) Annual Loss Expectancy (ALE) (ARO & SLE decide the ALE) ALE=SLE x ARO Eg: A web server failing probability - 30% (ARO) If the e-commerce site hosted in this server generates $10,000.00 an hour. Assume the site is down for 2 hour and cost of repairing the server is $6000.00 Then SLE of the risk =$26000.00 10k x 2hr +6k Money in the budget to deal with the risk (ALE) = $26000*ARO = $7,800 7 What is network perimeter? Every network has a perimeter - a gateway to the Internet A security perimeter surrounds the network and computers, with a single entry point for external traffic A perimeter is a fortified boundary of our network A concept of deploying several layers of defence that mitigate security threats is called defence-in-depth Traditional techniques PC1 PC2 PC3 ` ` ` Server Security Internet IP filtering gateways Proxy gateways Device Network perimeter Combinations (defense in depth) 8 Defence-in-Depth A multilayer model that defines layers of protection for your network Each layer has network- and host-defence features Each layer is capable of stopping a network or host attack The basic foundation of network security Provide multiple chokepoints to contain malicious activity and keep it from spreading throughout your network 9 Defence-in-Depth At a high level, defence-in-depth defines four main layers of protection for your network and an abstract layer that encompasses security best practices Authentication layer Perimeter layer Network intrusion prevention layer Host intrusion prevention layer Security best practices 10 Types of Network Network Classifications Trusted Semi-trusted Untrusted 11 Network Classifications Trusted Networks Inside network security perimeter The networks you are trying to protect Semi-Trusted Networks Allow access to some database materials and e-mail May include WebSever, DNS, proxy, and modem servers Not for confidential or proprietary information Referred to as the demilitarized zone (DMZ) Untrusted Networks Outside your security perimeter Outside your control 12 Perimeter Networks Perimeter Classifications Outermost perimeter Internal perimeters 13 Perimeter classification Outermost Perimeter Router used to separate network from ISP’s network Identifies separation point between assets you control and those you do not Most insecure area of a network infrastructure Normally reserved for routers, firewalls, public Internet servers (HTTP, FTP, Gopher) Internal Perimeters Represent additional boundaries where other security measures are in place Represent the boundary where you keep the networks you are trying to protect 14 Perimeter Devices Having direct connection between public and private networks Network Hardware Devices: These devices can be considered perimeter devices depending on where they are placed within your network infrastructure. They include routers, firewalls, modems, switches, and wireless hubs. If any of these devices have access to both an external network and any part of the internal network, it is considered a perimeter device. Servers: These devices may be considered perimeter devices depending on their connectivity to the Internet and intranet. For example, any server (Network Access Server) that communicates with both the Internet and intranet and is multihomed could be considered a perimeter device. Clients: Remote location clients that connect to the internal network from external networks, because these clients may open doorways to the network. 15 Perimeter Devices (contd…) Perimeter security is traditionally provided by a perimeter devices such as firewall. The base definition of a perimeter device is any device that routes packets between two networks i.e. (firewall, router, and switch). An unsecured perimeter device could compromise your corporate network. Supplier Main Office Is this a Perimeter Internet Customer Device ? Manufacturing Branch Office Telecommuter Mobile user 16 A SMB (small-sized to medium sized business) network and its perimeter devices A firewall in front of the Internet is not the only perimeter device. Outside Perimeter Router Dirty DMZ DMZ Protected DMZ Firewall Inside DMZ Servers Corporate Network Internal Servers 17 Perimeter - ownership The base definition of a perimeter device is any device that routes packets between two networks i.e. (firewall, router, and switch). 18 Perimeter Security Topologies Perimeter networks Put in place firewalls and routers on network edge Permit secure communications between the organization and third parties Key enablers for many mission-critical network services Include demilitarized zones (DMZs), extranets, and intranets Goal of the perimeter is to selectively admit or deny data flows from other networks based on several criteria: Type (protocol) Source Destination Content 19 Firewalls Hardware or software device that provides a means of securing a computer or network from unwanted intrusion Dedicated physical device that protects network from intrusion Software feature added to a router, switch, or other device that prevents traffic to or from part of a network Firewall inspects packets and sessions to determine if they should be transmitted to or from the protected network or instead dropped. Firewalls have become a single point of network access where traffic can be analyzed and controlled using firewall scripts that define application, address, and user parameters. These scripts help protect the connectivity paths to external networks and data centres. 20 What Do Firewalls Protect Against? Denial of service (DoS) Ping of death sending of oversized data packets Teardrop or Raindrop attacks expliot bug of fragmenting data (old systems) SYN flood LAND attack Brute force smurf attacks overwhelm with high traffic volume of requests IP spoofing 21 How Do Firewalls Work? Network address translation (NAT) Basic packet filtering Stateful packet inspection (SPI) Application gateways Access control lists (ACL) 22 Routers Network management device that sits between network segments and routes traffic from one network to another Allows networks to communicate with one another Allows Internet to function Act as digital traffic cop (with addition of packet filtering) 23 How a Router Moves Information Examines electronic envelope surrounding a packet, compares address to list of addresses contained in router’s lookup tables Determines which router to send the packet to next, based on changing network conditions 24 Perimeter/Firewall Router functions Protection Service Method Sniffer or snooping Control evesdropping with the TCP/IP service capabilities and network layer encryption Control unauthorized access Use AAA and ACS. Also use access list filtering and PIX firewall Control session replay Control which TCP/IP sessions are authorized Control inbound connections Permit inbound traffic to DMZ only Allow connections only for required service Filter private addresses Control outbound connections Allow valid IP addresses to the outside world Packet filtering Use pre-defined access lists Control vty lines and access Ensure routing updates are authenticated 25 Switches Provide same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) that are optimized for the task Reduce collision domain to two nodes (switch and host) Main benefit over hubs Separation of collision domains limits the possibility of sniffing Switch security: ACLs Virtual Local Area Networks (VLANs) 26 Security Problems with Switches Common ways of switch hijacking Try default passwords which may not have been changed Sniff network to get administrator password via SNMP or Telnet 27 Securing a Switch Isolate all management interfaces Manage switch by physical connection to a serial port or through secure shell (SSH) or other encrypted method Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN jumping Put switch behind dedicated firewall device Maintain the switch; install latest version of software and security patches Read product documentation Set strong passwords 28 VLAN (Virtual Local Area Network) VLANs are used to separate subnets and implement security zones. It is commonly assumed that Virtual LANs are fully isolated from each other. The possibility to send packets across different zones would render such separations useless, as a compromised machine in a low security zone could initiate denial of service attacks against computers in a high security zone. Another threat lies in the possibility to “destroy” the virtual architecture, performing indeed a DoS (Denial Of Service) against a whole network architecture. 29 Virtual Local Area Network Broadcast domain within a switched network Uses encryption and other security mechanisms to ensure that Only authorized users can access the network Data cannot be intercepted Clusters users in smaller groups Increases security from hackers Reduces possibility of broadcast storm 30 Layer 2 Attacks Media Access Control (MAC) attack BASIC VLAN Hopping attack Double Encapsulation VLAN Hopping attack Address Resolution Protocol (ARP) attack Spanning Tree Attack VLAN Trunking Protocol attack VLAN Management Policy Server (VMPS)/ VLAN Query Protocol (VQP) attack Cisco Discovery Protocol (CDP) Attack Private VLAN (PVLAN) attack 31 Perimeter Expansion Increased bandwidth: Technology Remote offices Cryptography Telecommuters Roaming users Content scanning Partners Intrusion detection As a consequence: Vulnerability scanning Greater potential of Countermeasures attacks and vulnerabilities Data integrity attacks Prevention Harder detection Detection Reaction 32 What we can do at perimeter? Application Proxy Packet Filtering System Simple packet Presentation Stateful filtering Inspection Stateful filtering Session Proxy filtering Transport Packet Content filtering filtering Network Intrusion Detection Intrusion prevention Data Link Physical 33 Packet filters (Routers) Application Application Application Advantage High performance Presentation Presentation Presentation Scalability Session Session Application Session independence Transport Transport Transport Disadvantage Low security Network Network Network No screening in upper layers Data Link Data Link Data Link No state or application Physical Physical Physical information 34 Proxy systems/ Application Layer Gateways Application Application Application Advantage Good security Presentation Presentation Presentation Application layer awareness Session Session Session Disadvantage Transport Transport Transport Poor performance Limited Network Network Network application support Data Link Data Link Data Link Physical Physical Physical 35 Stateful Inspection Application Application Application Advantage High security Presentation Presentation Presentation Scalability Session Session Extensibility Session Independence Transport Transport Transport Application layer awareness Network Network Network Disadvantage Expensive Data Link Data Link Data Link Physical Physical Physical 36 Security processes Every day New processes are being transformed into electronic forms New vulnerabilities and patches emerge Event logs must be analyzed Appropriate actions must be taken As a consequence Security is a process Services serve better than products Expert teams specialized in security are needed 37 Event logging Full, fine-grained event logs are vital for detection Easy to process, human readable Log analysis: statistics, expert systems, manual Audit Logs 38 Logging Logging process controls the distribution of logging messages to the various destinations such as logging buffer, terminal lines, or a syslog server depending on the configuration. Can set the severity level of the messages Possible to time stamp the messages Logging is enabled by the following command: RouterA(config)# logging on 39 Logging level Command Purpose logging console level Limits the messages logged to the console with a level up to and including the specified level argument logging monitor level Limits the messages logged to the terminal lines with a level up to and including the specified level argument logging trap level Limits the messages logged to the SYSLOG servers with a level up to and including the specified level argument 40 Syslog Severity Levels and Their Messages Emergency (0) 41 SYSLOG SYSLOG is a protocol that is widely used to inspect the behaviour of a certain device. By installing a SYSLOG server daemon on a PC, we can check the status of all devices that are configured to use that server. RouterA#config t SYSLOG Server 150.100.1.0/24 Router(config)#logging 150.100.1.242 RouterA#(config)#logging trap warnings RouterA#(config)#end 150.100.1.242 RouterA RouterA# 42 Chapter Summary A perimeter is a fortified boundary of our network. Trusted network is a network you are trying to protect which is inside the network security perimeter. Perimeter device is any device that routes packets between two networks. Perimeter devices (Routers and firewalls) can act as Packet filters, stateful filters and proxy filters. Firewall inspects packets and sessions to determine if they should be transmitted to or from the protected network or instead dropped. Event logging is vital for detection, prevention, analysis and statistics. 43 Review Questions What is CIA? Confidentiality, Integrity & Availability What is SLE? Single Loss Expectancy (How much money would be lost if the risk occurred) List three potential threats from inside an organization? Authenticated users, unauthorized programs and unpatched software What is a perimeter? A perimeter is a fortified boundary of our network. Name three broad classification of network. Trusted, Semi-trusted and Untrusted network Which perimeter device inspects packets and sessions to determine if they should be transmitted to or from the protected network or instead dropped. Firewall Name three methods to secure the switch. Refer to page 27 Name three security mechanisms, which can be done at the perimeter. Network Firewalls, VPN Concentrators and Built-In VPNs, Proxy Systems , IDS/IPS Devices, Web Application Firewalls, Switched Network Firewalls, Network Devices, VLANs 44 Thank you? 45