Internet and Intranet Fundamentals Class 9 Session A
Topics
• Firewalls (continued)

Firewalls (Continued)
• Bastion Hosts
• Packet Filtering
Bastion Hosts
• Public Presence on the Internet
• The “Lobby” Analogy
• Public Exposure Implies Increased Security Requirements
  • focus special attention on building a Bastion host
  • host security
  • some principles apply to other hosts as well
Bastion Hosts: Various Types
• Non-routing Dual-homed Hosts
  • make sure they are non-routing!
• Victim Machines
  • sacrificial goat
  • don’t let users put valuables on them
• Internal, semi-Bastion Hosts
  • inside the firewall
  • communicate with external bastion
Bastion Hosts: General Design Guidelines
• Minimize the Number of Services Provided
  • keep it simple, scholar
  • server software may have bugs that can be exploited
• Expect Bastion Host to be Compromised
  • expect the worst and plan for it
  • most likely to be attacked
  • bastion host considered untrusted host
Bastion Hosts
• What Platform?
  • Unix, NT, etc.?
• Criteria
  • your experience
  • firewall tools availability
• Class of Machine
  • minimal
  • not a supercomputer
  • RAM more important than CPU
Bastion Hosts: Location
• Physical Location
  • safe
• Network Location
  • preferably on a perimeter network
  • or a network not susceptible to spoofing
    • ATM, Ethernet switch
Bastion Host: Services
• Proxy and Relay Services
  • HTTP Proxy
  • SMTP Server
  • NNTP Server
  • FTP Server
• Public Services
  • HTTP
  • SMTP
Bastion Hosts: Construction Steps
• Secure the Machine
  • start with minimal, clean operating system
  • fix all known system bugs
  • use a security checklist
  • safeguard the system logs
    • requires lots of logging
Bastion Hosts: Construction Steps
• Disable Non-required Services
• Install or Modify Services
• Reconfigure Machine from Development to Deployment
• Perform Security Audit
• Connect Machine to Network
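The “disable non-required services” and “perform security audit” steps come down to one recurring check: what is actually listening on the bastion host versus what it is supposed to offer. The script below is an added example, not material from the slides; it parses output in the format of the Linux `ss -tuln` command (the sample here is constructed) and reports every listener that is not on a hypothetical allowlist of the bastion’s intended services (SSH for administration, plus public HTTP and SMTP). Anything it reports is a service to shut off before the machine is moved from development to deployment.

```python
"""Audit listening sockets on a bastion host against the list of services it is
meant to provide (added example, not part of the lecture slides)."""

# Constructed sample in the format of `ss -tuln` output (Linux iproute2); a real
# audit would feed the command's actual output into unexpected_listeners().
SAMPLE_SS_OUTPUT = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128    [::]:21            [::]:*
"""

# Hypothetical allowlist for a bastion that offers public HTTP and SMTP and is
# administered over SSH; every other listener is a candidate for removal.
BASTION_ALLOWLIST = {("tcp", 22), ("tcp", 25), ("tcp", 80)}


def parse_listeners(ss_output):
    """Return the set of (protocol, port) pairs found in ss-style output."""
    listeners = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # Local address may be IPv4 ("0.0.0.0:22") or bracketed IPv6 ("[::]:21");
        # the port is always after the last colon.
        port = local.rsplit(":", 1)[1]
        if port.isdigit():
            listeners.add((proto, int(port)))
    return listeners


def unexpected_listeners(ss_output, allowlist=BASTION_ALLOWLIST):
    """Listeners present on the host but absent from the allowlist, sorted."""
    return sorted(parse_listeners(ss_output) - allowlist)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected service listening: {proto}/{port}")
```

On the constructed sample the audit flags the portmapper on tcp/111 and udp/111 and an FTP listener on tcp/21; the allowlist is the bastion’s service design made explicit, so the same script can be re-run after every reconfiguration to confirm nothing has crept back.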
Packet Filtering: Topics
• What is it?
• Advantages and Disadvantages
• Configuring a Packet Filtering Router
• Various Kinds of Filtering
Packet Filtering: What is it?
• Selectively reject IP packets based on:
  • source address
  • destination address
  • incoming physical port
  • TCP application port
Packet Filtering: Advantages and Disadvantages
• Advantages
  • one router protects an entire network
  • doesn’t require user knowledge or cooperation
  • widely available
• Disadvantages
  • current filtering tools not perfect
  • can be hard to configure, test, and maintain
  • may have bugs
  • some protocols don’t lend themselves to filtering
Packet Filtering: Configuring a PF Router
• Protocols Bidirectional
• Inbound vs. Outbound Semantics
  • packets vs. services
  • think “packets”
• Default Security Policy
  • permit or deny?
• Returning ICMP Error Codes
  • destination unreachable, for example
Various Kinds of Filtering
• Rules
  • Direction
  • Source Address
  • Destination Address
  • ACK Set
  • Action
Various Kinds of Filtering: Risks of Address Filtering
• Address Forgery
  • source
    • does not hope to get any packets back
  • man-in-the-middle
    • must intercept return packets
    • must alter network topology to get in the middle
Various Kinds of Filtering: Filtering by Service
• More Complicated
• TELNET
  • outgoing
    • local host’s IP source address
    • remote host’s IP destination address
    • TCP packet type
    • TCP destination port is 23
    • content: your keystrokes
Various Kinds of Filtering: Filtering by Service
• TELNET
  • incoming
    • remote host’s IP source address
    • local host’s IP destination address
    • TCP packet type
    • TCP source port is 23
    • TCP destination port is same as prior source port
    • ACK set
Various Kinds of Filtering: Filtering by Service
• TELNET
  • Rules
    • permit outbound on port 23
    • permit inbound on port 23 if ACK is set
    • deny both outbound and inbound for everything else
      • default rule
  • Risks
    • some other service on port 23?
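The rule fields listed under “Various Kinds of Filtering” (direction, source address, destination address, ACK set, action), the default-deny policy from the configuration slide, the address-forgery risk, and the three TELNET rules above all fit in one small stateless filter. The code below is an added example, not from the slides: the `Packet` and `Rule` classes, the rule names, the local network `192.0.2.0/24`, and the sample traffic are all constructed for illustration (both address ranges are IETF documentation ranges). Rules are matched top to bottom, the first match wins, and anything unmatched falls to the default rule.

```python
"""Stateless packet filter modelling the lecture's TELNET rule set
(added example, not from the slides)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: the "local" network behind the filtering router uses
# TEST-NET-1; remote hosts use TEST-NET-3. Both are documentation ranges.
LOCAL_NET = "192.0.2.0/24"


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (from the Internet) or "out" (toward it)
    src: str                  # IP source address
    dst: str                  # IP destination address
    proto: str                # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False         # TCP ACK flag set?


@dataclass(frozen=True)
class Rule:
    """One filter rule; a None field means "match anything" for that field."""
    name: str
    action: str                        # "permit" or "deny"
    direction: Optional[str] = None
    src: Optional[str] = None          # CIDR, e.g. "192.0.2.0/24"
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True


# Rules are evaluated top to bottom; the first match decides.
TELNET_RULES = [
    # Address forgery: an inbound packet claiming a local source address is forged.
    Rule("anti-spoof", "deny", direction="in", src=LOCAL_NET),
    # Outbound TELNET: local client to remote server port 23.
    Rule("telnet-out", "permit", direction="out", src=LOCAL_NET, proto="tcp", dport=23),
    # Inbound TELNET replies: remote port 23 back to a local host, ACK set.
    Rule("telnet-reply", "permit", direction="in", dst=LOCAL_NET, proto="tcp", sport=23, ack=True),
]
DEFAULT_ACTION = "deny"   # default security policy: deny whatever no rule permits


def filter_packet(p: Packet, rules=TELNET_RULES, default=DEFAULT_ACTION):
    """Return (action, rule_name) for the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return default, "default"


# Constructed traffic: the two halves of a legitimate TELNET session, then
# three packets the filter must reject.
SAMPLE_PACKETS = {
    "client SYN":        Packet("out", "192.0.2.10",  "203.0.113.5", "tcp", 40123, 23, ack=False),
    "server SYN/ACK":    Packet("in",  "203.0.113.5", "192.0.2.10",  "tcp", 23, 40123, ack=True),
    "fake reply no ACK": Packet("in",  "203.0.113.5", "192.0.2.10",  "tcp", 23, 40123, ack=False),
    "spoofed source":    Packet("in",  "192.0.2.77",  "192.0.2.10",  "tcp", 23, 40123, ack=True),
    "inbound SMTP":      Packet("in",  "203.0.113.5", "192.0.2.10",  "tcp", 51000, 25, ack=False),
}


if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        action, why = filter_packet(pkt)
        print(f"{label:18} -> {action:6} ({why})")
```

The ACK test is what keeps the third sample out: a packet arriving from port 23 without ACK is the start of a new connection into the local network, not a reply. Note what this stateless filter cannot do: the slide’s “TCP destination port is same as prior source port” condition requires remembering the outbound connection, which is stateful inspection rather than a per-packet rule. It also cannot tell whether the remote host really runs TELNET on port 23, which is exactly the “some other service on port 23?” risk the slide raises; the default-deny rule limits what that risk can reach.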