Network Access Control
Focus Question
What are three ways in which network security can be applied through the application layer?
Network Interfaces
• Configuration files: /etc/sysconfig/network-scripts/ifcfg-*
• All interfaces are brought up with: /etc/init.d/network [start | restart]
• Individual interfaces managed with: /sbin/ifup eth?, /sbin/ifdown eth?
• Interfaces turned on or off with: /sbin/ifconfig eth? [up|down]
Application Config Files
• sshd: /etc/ssh/sshd_config
• httpd: /etc/httpd/conf/httpd.conf
• vsftpd: /etc/vsftpd/vsftpd.conf
• Xorg: xhosts and .Xauthority
Libwrap.so
• Three stages of access checking
  • Is access explicitly permitted?
  • Is access explicitly denied?
  • Otherwise, permit access!
• Configuration stored in two files:
  • Permissions in /etc/hosts.allow
  • Denials in /etc/hosts.deny
• Basic Syntax: daemon_list: client_list [:options]
Daemon Specification
• Daemon name:
  • Applications pass the name of the executable
  • Multiple services can be specified
  • Use the wildcard ALL to match all daemons
• Limitations for RPC daemons
• Advanced Syntax: daemon@host: client_list …
Client Specification
• Host specification
  • by IP address (192.168.0.1, 10.0.0.)
  • by name (www.redhat.com, .example.com)
  • by netmask (192.168.0.0/255.255.255.0)
  • by network name (/etc/networks or NIS)
Advanced Client Syntax
• Wildcards
  • ALL, LOCAL
  • KNOWN, UNKNOWN, PARANOID
• EXCEPT operator
  • Can be used for client and service lists
  • Can be nested
Example
• Consider the following example for the machine 192.168.0.254
• /etc/hosts.allow
  vsftpd: 192.168.0.
  in.telnetd, portmap: 192.168.0.8
• /etc/hosts.deny
  ALL: .cracker.org EXCEPT trusted.cracker.org
  vsftpd, portmap: ALL
  sshd: 192.168.0. EXCEPT 192.168.0.4
Questions and Observations
• Only stations of the local network can FTP to the machine.
• Only station 8 could NFS mount a remote directory.
• All hosts on cracker.org except trusted.cracker.org are denied access to any tcp-wrapped services.
• Only the host 192.168.0.4 is able to ssh in from the local network.
• What stations from the local network can initiate a telnet connection?
• Can machines in the cracker.org network access the web server?
• What tcp-wrapped services are available to a system from someother.net?
• What's wrong with these rules from the perspective of a security policy?
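The following Python evaluator is an added example, not part of the slides or of libwrap itself; it models the three-stage check (hosts.allow, then hosts.deny, otherwise permit) over the slide's rules so the questions above can be answered mechanically, which also makes the default-permit problem visible. It handles ALL, address prefixes, domain suffixes, exact names and nested EXCEPT; netmask, network-name, LOCAL/KNOWN/UNKNOWN/PARANOID patterns and the [:options] field are not modelled, and a client is matched as the single string given, whereas real libwrap checks both the address and the resolved name.

```python
# Model of libwrap's three-stage access check. Added example, not
# libwrap's code. Rule text is the slide's example; the client names and
# addresses used to query it in the tests are constructed.

HOSTS_ALLOW = """
vsftpd: 192.168.0.
in.telnetd, portmap: 192.168.0.8
"""

HOSTS_DENY = """
ALL: .cracker.org EXCEPT trusted.cracker.org
vsftpd, portmap: ALL
sshd: 192.168.0. EXCEPT 192.168.0.4
"""


def _match_token(token, value):
    """One pattern against one daemon name or one client string."""
    if token == "ALL":
        return True
    if token.endswith("."):       # address prefix, e.g. 192.168.0.
        return value.startswith(token)
    if token.startswith("."):     # domain suffix, e.g. .cracker.org
        return value.endswith(token)
    return value == token         # exact daemon, host name or address


def _match_list(spec, value):
    """'a, b EXCEPT c EXCEPT d' means (a or b) and not (c and not d)."""
    head, _, rest = spec.partition(" EXCEPT ")
    hit = any(_match_token(t.strip(), value) for t in head.split(","))
    return hit and not (rest and _match_list(rest, value))


def _file_matches(rules, daemon, client):
    """True if any 'daemon_list: client_list [:options]' line matches."""
    for line in rules.strip().splitlines():
        daemons, _, clients = line.partition(":")
        clients = clients.split(":")[0]       # [:options] is not modelled
        if _match_list(daemons.strip(), daemon) and _match_list(clients.strip(), client):
            return True
    return False


def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Stage 1: explicit allow; stage 2: explicit deny; stage 3: default permit."""
    if _file_matches(allow, daemon, client):
        return True
    if _file_matches(deny, daemon, client):
        return False
    return True
```

Querying in.telnetd and sshd from an outside address shows that anything the deny file does not name falls through to stage 3 and is permitted, which is the policy flaw the last question points at.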
Network Attacks
• Header abuses: packets that contain maliciously constructed, broken, or falsified network layer headers.
• Network stack exploits: exploit a vulnerability in the network stack implementation.
• Bandwidth saturation: packets that are designed to saturate all available bandwidth on a targeted network.
Attack Responses
• A filtering operation conducted by a device such as a firewall or a router to block the source IP address of the attacker.
• Reconfiguration of a routing protocol: route blackholing.
• Applying threshold logic to the amount of traffic that is allowed to pass through a firewall or router based on bandwidth.
Focus Question
What are three ways in which network security can be applied through the application layer?
• Most modern network applications allow some security and access control to be configured in their own configuration files.
• Common libraries like libwrap.so can be linked into applications to allow access control to be configured.
• Network services may be managed by super-daemons, like xinetd, which can support a variety of access controls.