360 likes | 980 Views
Internet and Intranet Fundamentals. Class 8 Session A. Intranet Security. Assets Needing Protection Threats Firewalls Overview Various Architectures Ref: ref: Building Internet Firewalls, Chapman & Zwicky ISBN: 1565921240. Assets Needing Protection. Data stored on computers Resources
E N D
Internet and Intranet Fundamentals Class 8 Session A
Intranet Security • Assets Needing Protection • Threats • Firewalls • Overview • Various Architectures • Ref: ref: Building Internet Firewalls, Chapman & Zwicky ISBN: 1565921240
Assets Needing Protection • Data • stored on computers • Resources • the computers themselves • Reputation
Protecting Data • Secrecy / Privacy • Integrity • Availability
Protecting DataSecrecy / Privacy • Trade Secrets • obligations to shareholders • Competitive Intelligence • competition sensitive • Examples • national defense • patient medical records • student records
Protecting DataIntegrity • Keeping Data from Being Modified • tampering • Loss of Confidence • consumer • customer • investor • employee
Protecting DataAvailability • Is your data accessible? • Related to computing resource availability
Protecting Resources • Computer Resources • disk space • CPU cycles • memory • Labor Resources • $$$ spent in … • tracking down intruders • performing • re-installing software
Protecting Reputation • Confidence • Intruders Masquerade as You • identity theft • Business/Technical Competence • Example • professor and racist hate mail
Threats • Types of Attacks • Types of Attackers • Stupidity and Accidents
Types of Attacks • Intrusion • Denial of Service • Information Theft
Intrusion • People Gain Access to Your Network and Computers • How? • social engineering • guesswork • crack program • child/dog’s name
Denial of Service • Preventing you (and others) from using your own computers • Mail Bombs • Flooding a Systems Queues, Processes, etc. • Internet Worm • Distributed denial of service (CNN/Ebay/Yahoo) • Limited Number of Login Attempts • they either get in, or they can force denial of service to everyone else!
Information Theft • Stealing Password Files • download for offline cracking • Packet Sniffers • Ethernet is a party line • A switch is your friend.
Types of Attackers • Joyriders • bored, looking for amusement • Vandals • like destroying things, or don’t like you • Score Keepers • bragging rights • Spies • industrial and international
Stupidity and Accidents • 55% of all incidents result from naivete or lack of training • Apple’s buggy mail server • hundreds of thousands of error messages • Any system which doesn’t not assign passwords. • Hard to Protect Against!
Firewalls • Overview • Various Firewall Architectures
Overview • How to Protect Your Intranet Assets? • no security • security through obscurity • host security • network security • Your home is an intranet?
Overview • No Security • Security Through Obscurity • nobody knows about it • people figure a small company or home machine isn’t of interest • “obscurity” impossible on Internet • InterNIC • examples with Telnet
Overview • Host Security • geared to particular host • scalability issue • admin nightmare • sheer numbers • different OS, OS config, etc. • OK for small sites or sites with extreme requirements
Overview • Network Security • control network access • kill lots of birds with one stone • firewalls • Security Technology Can’t Do It All • policing internal time wasting, pranks, etc. • no model is perfect • Who watches the watcher?
Overview • Internet Firewalls • concept: containment • choke point • prevents dangers of Internet from spreading to your Intranet • restricts people to entering at carefully controlled point(s) • can only leave that point too
Overview • Firewall • prevents attackers from getting close to internal defenses • adequate if interactions conform to security policy (tight vs. loose) • Consists of • hardware • routers, computers, networks • software • proxy servers, monitors
Firewall System Exterior Router & Bastion Host may be combined.
Overview • Firewall Limitations • malicious insiders • people going around it (e.g., modems) • completely new threats • designed to protect against known threats • viruses • Make vs. Buy • lots of offerings (see Internet)
Various Firewall Architectures • Screening Router Packet Filtering • Proxy Services • application level gateways • Dual-Home Host • Screened Host • Screened Subnet
Various Firewall Architectures IP Packet Filtering • IP source address • IP destination address • Transport Layer Protocol • TCP / UDP source port • TCP / UDP destination port • ICMP message type
Various Firewall Architectures IP Packet Filtering • Also Knows … • inbound and outbound interfaces • Examples • block all incoming connection from outside except SMTP • block all connections to or from untrusted systems • allow SMTP, FTP, but block TFTP, X Windows, RPC, rlogin, rsh, etc.
Various Firewall ArchitecturesDual-Homed Host • One Computer, Two Networks • must proxy services • can examine data coming in from app level on down
Various Firewall ArchitecturesScreened Host • Bastion Host • controls connections to outside world • If broken, your interior network is open. • Packet Filtering by Router • incoming
Various Firewall ArchitecturesScreened Subnet • Bastion Host • controls connections to outside world • on perimeter network • Packet Filtering • two routers • incoming