OfficeServ7400 Security Introduction
Samsung Electronics Co., Ltd.
Distribution: ED01, English. Code: STM#530
Objectives • After successful completion of the course the trainees should be able to execute the following activities.
Contents VPN IDS
Overview
• IPSec
  • System to system: needs the GWIMS D-board
• PPTP/L2TP
  • System to node, or server to client (e.g. a PC)
  • Does not need the GWIMS D-board
[Diagram: Headquarters reaches Branch #1 and Branch #2 through IPSec VPN tunnels over the Internet, and a Remote User/Office through PPTP or L2TP tunnels; 2 Mbps serial private lines are shown alongside the VPN tunnels as the alternative.]
What's VPN?
• Tunnel mode only (transport mode is not supported)
• Tunnel protocols: IPSec, L2TP/PPTP
• Key management: IKE, ISAKMP, X.509 certificates, pre-shared keys
• Authentication: MD5, SHA-1 (HMAC-MD5 is deprecated; prefer SHA-1 or newer where the peer allows it)
• Encryption: AES, 3DES
• Transform protocols: AH, ESP
[Diagram: a VPN tunnel across the Internet carries the original payload, encrypted, behind a new outer header; the use cases shown are remote access (Mobile User running VPN software), extranet (Business Partner) and intranet (Headquarters to Branch VPN).]
IPSec
• Transport mode
  • AH: IP header | AH | IP payload. Authenticated: the whole packet except the mutable fields of the IP header (TTL, checksum, etc.).
  • ESP: IP header | ESP header | IP payload | ESP trailer | ESP auth. Encrypted: IP payload and ESP trailer. Authenticated: ESP header through ESP trailer; the IP header is not covered.
• Tunnel mode
  • AH: New IP header | AH | IP header | IP payload. Authenticated: everything except the mutable fields of the new IP header.
  • ESP: New IP header | ESP header | IP header | IP payload | ESP trailer | ESP auth. Encrypted: the original IP header, the payload and the ESP trailer (so the inner addresses are hidden). Authenticated: ESP header through ESP trailer; the new IP header is not covered.
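The ESP tunnel-mode layout above, carried through as an added example (not OfficeServ code): one side wraps an inner IP packet in an ESP header, trailer and ICV, and the receiving side checks the ICV and an anti-replay window before it decrypts. Everything not on the page is an assumption: the outer IP header is a 20-byte stub, the ICV is HMAC-SHA1-96, the anti-replay window is 64 packets, and the cipher is a stand-in keystream (HMAC-SHA256 in counter mode) in place of the 3DES/AES-CBC the appliance negotiates. Keys and packets are constructed.

```python
"""ESP tunnel-mode encapsulation/decapsulation (added example, not OfficeServ code).

  new IP hdr | ESP hdr (SPI, seq) | inner IP hdr | IP payload | pad | pad len | next hdr | ICV
             |<---- authenticated: HMAC-SHA1-96 over ESP hdr + ciphertext ------------->|
                                  |<--------------------- encrypted -------------------->|
"""
import hashlib
import hmac
import struct

OUTER_LEN = 20          # assumed: stub new IP header
ESP_HDR_LEN = 8         # SPI (4) + sequence number (4)
ICV_LEN = 12            # HMAC-SHA1-96: 20-byte tag truncated to 12 bytes
BLOCK = 16              # assumed cipher block size the trailer pads to
NEXT_HEADER_IPV4 = 4    # tunnel mode: the protected payload is a whole IPv4 packet


def keystream(enc_key, spi, seq, length):
    """Stand-in for 3DES/AES-CBC: HMAC-SHA256 in counter mode, nonce = (SPI, seq)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_encapsulate(outer_hdr, inner_pkt, spi, seq, enc_key, auth_key):
    """Return new IP hdr || ESP hdr || ciphertext || ICV for one inner packet."""
    pad_len = (-(len(inner_pkt) + 2)) % BLOCK           # trailer = pad || pad len || next hdr
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPV4])
    esp_hdr = struct.pack("!II", spi, seq)
    plain = inner_pkt + trailer
    ct = xor(plain, keystream(enc_key, spi, seq, len(plain)))
    icv = hmac.new(auth_key, esp_hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
    return outer_hdr + esp_hdr + ct + icv


class EspReceiver:
    """Inbound side of one SA: replay window, ICV check, then decrypt (RFC 4303 order)."""

    def __init__(self, spi, enc_key, auth_key, window=64):
        self.spi, self.enc_key, self.auth_key, self.window = spi, enc_key, auth_key, window
        self.highest, self.seen = 0, set()

    def decapsulate(self, pkt):
        if len(pkt) < OUTER_LEN + ESP_HDR_LEN + BLOCK + ICV_LEN:
            raise ValueError("runt ESP packet")
        esp_hdr = pkt[OUTER_LEN:OUTER_LEN + ESP_HDR_LEN]
        ct, icv = pkt[OUTER_LEN + ESP_HDR_LEN:-ICV_LEN], pkt[-ICV_LEN:]
        spi, seq = struct.unpack("!II", esp_hdr)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # Cheap anti-replay check first: already seen, or older than the window.
        if seq in self.seen or seq + self.window <= self.highest:
            raise ValueError("replayed or stale sequence number")
        # Verify the ICV before touching the ciphertext; never decrypt unauthenticated data.
        expected = hmac.new(self.auth_key, esp_hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("ICV mismatch: altered in transit or wrong key")
        # Only an authenticated packet advances the window.
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest}
        plain = xor(ct, keystream(self.enc_key, spi, seq, len(ct)))
        pad_len, next_hdr = plain[-2], plain[-1]
        if next_hdr != NEXT_HEADER_IPV4 or plain[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
            raise ValueError("bad ESP trailer")
        return plain[:-2 - pad_len]          # the inner IP header + payload


def rejected(rx, pkt):
    try:
        rx.decapsulate(pkt)
        return False
    except ValueError:
        return True


def demo():
    enc_key, auth_key = b"K" * 32, b"A" * 20     # constructed; real keys come from IKE phase 2
    spi, outer = 0x1234, b"\x45" + bytes(OUTER_LEN - 1)          # constructed outer header stub
    inner = b"\x45" + bytes(19) + b"hello from branch #1"       # constructed inner IP packet
    rx = EspReceiver(spi, enc_key, auth_key)
    pkt1 = esp_encapsulate(outer, inner, spi, 1, enc_key, auth_key)
    pkt2 = esp_encapsulate(outer, inner, spi, 2, enc_key, auth_key)
    flipped = bytearray(pkt2)
    flipped[OUTER_LEN + ESP_HDR_LEN] ^= 0x01                    # flip one ciphertext bit
    return {
        "packet_len": len(pkt1),
        "payload_hidden": b"hello" not in pkt1,
        "ok": rx.decapsulate(pkt1) == inner,
        "tamper_rejected": rejected(rx, bytes(flipped)),
        "tamper_did_not_poison": rx.decapsulate(pkt2) == inner,  # genuine copy still accepted
        "replay_rejected": rejected(rx, pkt1),
    }


if __name__ == "__main__":
    print(demo())
```

The order inside decapsulate is the point: a replayed sequence number is dropped before any MAC work, the ICV is verified before any decryption so a forged or bit-flipped packet never reaches the cipher, and the window only advances after the ICV passes, so a failed forgery cannot block the genuine packet with the same sequence number.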
IKE • Phase 1 • Generate IKE key • Main mode, aggressive mode • Authentication • Pre-shared key • Digital Signature • Public key encryption • Revised public key encryption • Phase 2 • Generate IPSEC key • Quick mode
OfficeServ VPN
• 1. Configuration
• 2. Choose Phase 1 / Phase 2 parameters
• 3. Check status
Specifications of the OfficeServ VPN

                 OS 7200                            OS 7400
Tunnels          100                                1024
Chip             Hifn 7951                          CN 1120
Protocol         IPSec, PPTP, L2TP                  IPSec, PPTP, L2TP
ISAKMP           Phase 1 (main), Phase 2 (quick)    Phase 1 (main, aggressive), Phase 2 (quick)
Encryption       3DES                               3DES, AES
Authentication   RSA, pre-shared key, X.509         RSA, pre-shared key, X.509

(Protocol and Authentication are listed once on the slide and are taken to apply to both models.) Note on the OS 7400's aggressive mode: with a pre-shared key it sends the identity payload in the clear and lets a passive observer capture the PSK-derived hash for offline guessing; use main mode, or certificate authentication, wherever the peer allows it.
Functions
• Real-time detection of, and response to, network-based attacks: backdoors, DoS, DDoS, anomalous network access, etc.
• Managed through the web interface
• Supports almost all protocols used on the Internet
• Intrusion detection graded by risk level: high, medium, low
• Responses to a detected intrusion:
  • Log audit
  • IP blocking, linked with the firewall
  • E-mail report to the administrator about detected attacks
• Reports in 5 categories: intrusion type, source IP, destination IP, port, port scan
• Rule update
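How the functions listed above fit together, as an added example that is not GWIM firmware: a small matcher parses rules written in Snort's text syntax, evaluates them against a batch of constructed packets, tags each alert with the high/medium/low risk level (Snort priority 1/2/3), adds a port-scan alert when one source touches many distinct ports, and derives the block list the firewall link would consume. The rules, the 203.0.113.0/24 attacker addresses, the 10.0.0.0/24 home network, the sids (in the local-rule range above 1,000,000) and the five-port scan threshold are all assumptions; real Snort rules also carry options (hex content, port ranges, flow) this parser ignores.

```python
"""Snort-style rule matching and risk grading over constructed packets (added example)."""
import ipaddress
import re
from collections import defaultdict

# header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
RISK = {1: "high", 2: "medium", 3: "low"}      # Snort priority numbers -> slide's risk levels


def parse_rule(text, variables):
    """Parse one rule. Simplification: single ports only, plain-text content, no |hex| or flow."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            options[key] = val.strip().strip('"')

    def net(tok):
        tok = variables.get(tok, tok)
        return None if tok == "any" else ipaddress.ip_network(tok)

    def port(tok):
        return None if tok == "any" else int(tok)

    return {
        "action": action, "proto": proto.lower(),
        "src": net(src), "sport": port(sport), "dst": net(dst), "dport": port(dport),
        "msg": options.get("msg", ""), "content": options.get("content", "").encode(),
        "priority": int(options.get("priority", 3)), "sid": int(options.get("sid", 0)),
    }


def matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["content"] and rule["content"] not in pkt["payload"]:
        return False
    return True


def analyze(packets, rules, scan_threshold=5):
    """Return alerts with the slide's five report fields: type, source, destination, port, scan."""
    alerts = []
    ports_by_src = defaultdict(set)
    for pkt in packets:
        ports_by_src[pkt["src"]].add(pkt["dport"])
        for rule in rules:
            if matches(rule, pkt):
                alerts.append({"type": rule["msg"], "sid": rule["sid"],
                               "risk": RISK.get(rule["priority"], "low"),
                               "src": pkt["src"], "dst": pkt["dst"], "port": pkt["dport"]})
    for src, ports in ports_by_src.items():           # assumed threshold: 5 distinct ports
        if len(ports) >= scan_threshold:
            alerts.append({"type": "port scan", "sid": None, "risk": "medium",
                           "src": src, "dst": None, "port": sorted(ports)})
    return alerts


def block_list(alerts):
    """Sources worth handing to the firewall: high-risk hits and port scanners (assumed policy)."""
    return sorted({a["src"] for a in alerts if a["risk"] == "high" or a["type"] == "port scan"})


VARIABLES = {"$HOME_NET": "10.0.0.0/24"}             # assumed: the LAN side of the appliance
RULES = [parse_rule(r, VARIABLES) for r in [          # constructed rules in local sid range
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH login attempt"; content:"SSH-"; priority:3; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 25 (msg:"SMTP VRFY probe"; content:"VRFY"; priority:2; sid:1000002;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"Web backdoor command"; content:"cmd.exe"; priority:1; sid:1000003;)',
]]
PACKETS = [                                           # constructed traffic toward the file server
    {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.1", "dport": 80, "payload": b"GET /scripts/cmd.exe?/c+dir HTTP/1.0"},
    {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.1", "dport": 25, "payload": b"VRFY root"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 22, "payload": b"SSH-2.0-OpenSSH"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.1", "dport": 443, "payload": b"\x16\x03\x01"},
] + [{"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.1", "dport": p, "payload": b""}
     for p in (21, 23, 79, 110, 139)]                 # one host sweeping five ports

if __name__ == "__main__":
    for a in analyze(PACKETS, RULES):
        print(a)
    print("block:", block_list(analyze(PACKETS, RULES)))
```

Two design points a practitioner should carry over to the real appliance: the risk level comes from the rule's priority, so a rule update changes what gets blocked without any firmware change, and the port-scan signal is computed across packets rather than per packet, which is why it is a separate report category on the slide.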
Rule Update
• Sourcefire VRT Certified Rules
  • The official rules of snort.org (www.snort.org)
  • Three ways to obtain them:
    • Subscribers (paid): online web subscribers receive rule updates in real time, as they are released
    • Registered users (free): online web subscribers can access rule updates 5 days after their release to subscribers
    • Unregistered users (free): receive a static ruleset at the time of each major Snort release
  • The free rulesets cannot be used for GWIM, a commercial product: their licence restricts commercial use
Rule Update
• Open community rulesets
  • Submitted by members of the open-source community
  • Released to users without the basic tests that ensure a new rule will not break Snort
  • Distributed under the GPL
  • Freely available to all open-source Snort users
Using Snort
• Three main operational modes
  • Sniffer: reads packets off the network and prints them to the console
  • Packet logger: writes the packets to disk
  • Network Intrusion Detection System: matches traffic against the rule set and takes the configured action
  • (Forensic Data Analysis Mode)
Network Environment
[Diagram: an untrusted network (the Internet, with a Mail Server at 165.213.88.100 and a terminal that sends an attack packet pattern, or a pattern similar to an attack) connected to WAN1 of the OfficeServ (165.213.89.238, 165.213.87.230); behind it the LAN (10.0.0.1) and internal network with a Trusted Terminal, the Management PC and an Important File Server. Other addresses shown: 165.213.109.2, 165.213.109.254, 165.213.146.134.]