380 likes | 484 Views
The Chinese University of Hong Kong Department of Computer Science and Engineering. CSC7260 ProjectII. Security Issues on Distributed Systems MRL9903. Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999. Agenda. - Objective - What is “Firewall” ??
E N D
The Chinese University of Hong Kong Department of Computer Science and Engineering CSC7260 ProjectII Security Issues on Distributed Systems MRL9903 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999
Agenda • - Objective • - What is “Firewall” ?? • Definition and goals • - Firewall Testing • Methodology • Design ( Hardware / Software/Configuration Setup) and Policy • Performance and Security Testing • - Result Analysis • - Future Work and Conclusion • - Q & A
Objective - To survey on the various distributed systems security related topics such as encryption and decryption schemes and firewall in the literature review - To evaluate the security control of different firewall configurations by doing testing on firewall with different security levels and proxy service -To investigate the impact of different levels of firewall security and measures on the performance of firewall system -To determine how well the various firewall systems in guarding the private network against some potential external attacks and scanning - To examine and try to deduce a relationship between security and performance from the testing result
What is “Firewall” ? Definition: - Logically, a firewall is a separator, a restricter, an analyzer that are used to protect the internal network against any attack. Usually installed at a point where the protected internal network connects to the Internet - A system, either software or hardware or both, that enforces access control policy between two networks. -The manifestation of a company security policy
What is “Firewall” ? • Goals: • to restrict people to entering at a carefully controlled point • to prevent intruders from getting close to your other defenses • to restrict people to leaving at a carefully controlled point • Acts a castle used to prevent us from the outside attacks.
Firewall Testing - Methodology • - Setting up firewall with 7 different security levels by using different firewall policies , Level 1 < Level 2 …. < Level 7, by • Screening rules set into the router • Proxy server / system configurations - Performance Testing - test the network performance against different security levels of firewall with FTP, HTTP - Security Testing - verify the security levels by using network scanners such as “SAINT”, “NESSUS” and BSB monitor ..etc
Outside Attacker A Router Firewall Server - Linux, FWTK Outside Attacker C Outside Attacker B Home - Linux Firewall Testing - Design Test Bed Setup, HW, SW : Internet
Firewall Testing - Policy Firewall Policy 1 - PERMIT any service unless it is expressly denied - Provide the maxi flexibility/access for internal & external users. Firewall Policy 2 - PERMIT any service unless it is expressly denied (same as config 1) - Disallow some problem service accesses from outside, but still provide flexible/easy access from outside, but no restriction on access from internal network to the Internet
Firewall Testing - Policy 2 Screening rules at router for Firewall policy 2 - No ip source routing - No ip spoofing (e.g. traffic from mail server to pc89180) - Deny DNS(TCP) traffic from outside - Deny TFTPD(UDP) from outside to port 69 - Deny link (TCP) from outside to port 97 - Deny SunRPC(UDP) & NFS(TCP) from outside to port 111 & 2049 - Deny lpd(TCP) from outside to port 515 - Allow ALL others from outside to the pc89180 and email - Allow ALL traffic from the internal network to outside - IP Masquerader - IP being translated at the gateway
Firewall Testing - Policy 3 Firewall Policy 3 (Level 2 +) - PERMIT any service unless it is expressly denied (same as config. 2) - An additional protection is added with ‘proxy service’ enabled in the firewall server. Specific traffic is further shielded and screened by the proxy server installed. - Any traffic going into the private network would be pre-screened at the router first, then it would be passed into the proxy server for further authentication and screening. Security level is raised because the network traffic is examined by both the router and proxy server.
Firewall Testing - Policy 4 & 5 Firewall Policy 4 (Level 3+) - PERMIT any service unless it is expressly denied (same as config. 1) - Allow even more restricted access from outside, and deny from selected bad HOSTs from outside. - Deny ICMP traffic from outside ( in response to the nessus report) Firewall Policy 5 - DENY any service unless it is expressly permitted. (or we say "that is not expressly permitted is prohibited") - Deny all access from outside by default, but allow access from inside. - Permit only authorized IPs access to the private network
Firewall Testing - Policy 6 & 7 Firewall Policy 6 (Level 5 + ) - DENY any service unless it is expressly permitted - A more restricted policy to permit outside access to certain port no.range only - e.g. restrict the TCP from outside at port > 1023 to pc89180 at port 80 - Permit only authorized IPs access to the private network Firewall Policy 7 (Level 6 + ) - DENY any service unless it is expressly permitted - Provide the least flexibility and services to the internal users, but incorporate maxi protection on the LAN. - Restrict the internal users using some Internet services e.g. Telnet, TFPT
Firewall Testing - Performance Test - Performance indicators: Total transaction time , Latency • - FTP protocol • Data Transfer from outside FTP server • 5 M data, connections 1 to 10 • 1 M data, connection 1 to 10 • 395 K data, connection 1, 5, 10, 20, 40 • - HTTP protocol • Data retrieval from outside , 38.9 K data, connection 1 to 300
Firewall Testing - Security Test Tools : Network Scanner such as Nessus
Firewall Testing - Security Test Nessus Setup Screen:
Firewall Testing - Security Test Nessus - Attacks and Scanning to be choose :
Firewall Testing - Security Test Nessus Result Report generated after attack and scanning :
Firewall Testing - Security Test SAINT - Security Administrator's Integrated Network Tool
Firewall Testing - Security Test BSB - Monitor :
Result Analysis - Security Test When summarying all the report from scanner, it found that No. of warning and vulnerability count(s) Level1 10 Level 2 9 Level 3 7 Level 4 6 Level 5 6 Level 6 3 Level 7 0
Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, under firewall policy/configuration 1
Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, under firewall configuration 1,2
Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, under firewall configuration 1,2,3
Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, under firewall configuration 1,2,3,4
Result Analysis - Performance Testing - Data Transfer by HTTP With 395K data retrieval, with all the 7 firewall configurations
Result Analysis - Performance Testing - Data Transfer by HTTP Latency - with 395K data retrieval, with all the 7 firewall config.
Result Analysis - Performance Testing - Data Transfer by FTP TL average transaction time, with 5M data for transfer
Result Analysis - Performance Testing - Data Transfer by FTP TL min transaction time, with 5M data for transfer
Result Analysis - Performance Testing - Data Transfer by FTP TL average transaction time, with 1M data for transfer
Result Analysis - Performance Testing - Data Transfer by FTP TL average transaction time, with 38.9K data for transfer
Result Analysis - Performance Testing - Data Transfer by FTP Average latency Time, with 38.9K data for transfer
Result Summary & Conclusion • Larger/smaller size of data for transfer, more/less transaction time • More connection requests, more traffic collision, performance be more affected by external traffic interference • Overhead - significant when it outweighs/is comparable with the transaction time used, especially using proxy servers • More security --> more overhead ---> poor performance L1>L3 • Security - Performance Relationship ~~ overhead added with more security control with respect to higher level of security, except that the added security control NOT incur any overhead
More about future work ... • More repeated testing on different size of data , connection numbers and some other firewall parameters • Restructure the security of seven levels -- more difference between one another
Finally …. Thanks for your coming !
Mainly 2 Problems ... 1. Outside interference to performance testing ~ irregularities of curves needs more testing to smooth out 2. Security level definition for firewall Easy to define, difficult to achieve and guarantee
Screening rule ….. checkings Phase 2 : access-list 100 deny udp any host 137.189.89.250 eq tftp access-list 100 deny tcp any host 137.189.89.250 eq 97 access-list 100 deny tcp any host 137.189.89.250 eq sunrpc access-list 100 deny udp any host 137.189.89.250 eq sunrpc access-list 100 deny tcp any host 137.189.89.250 eq 2049 access-list 100 deny tcp any host 137.189.89.250 eq lpd access-list 100 permit ip any any The no. of rules to permit packet Phase 7 12 Phase 6 20 Phase5 20 Phase 4 24 Phase 3/2 7