1 / 30

Perimeter Security

Perimeter Security. CS498IA Spring 2007. Reading. Ch. 25 (Intrusion Detection) Ch. 26 (Network Security) Optional: “Firewalls and Internet Security,” Cheswick, Bellovin, Rubin The text about network security. Network Security Approaches. Secure Network Protocols

vic
Download Presentation

Perimeter Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Perimeter Security CS498IA Spring 2007

  2. Reading • Ch. 25 (Intrusion Detection) • Ch. 26 (Network Security) • Optional: “Firewalls and Internet Security,” Cheswick, Bellovin, Rubin • The text about network security

  3. Network Security Approaches • Secure Network Protocols • Secure Networked Computer • Perimeter Security

  4. Perimeter Defense Perimeter Internet Intranet

  5. Perimeter Defense Strategy • Divide networks into zones of varying trust • Simplest division: intranet (trusted) and Internet (untrusted) • Put security measures on boundaries between zones • choke points • E.g. connection to ISP

  6. Perimeter Defense Advantages • Scale • Can configure one computer to be secure, but how about 1,000? • Threat model • Most threats come from less trusted zones • Convenience • Can use less secure protocols and software inside perimeter • Don’t bother users with security protections unless they talk to the outside

  7. Firewalls • Filter traffic going across perimeter boundary • Various levels of sophistication Firewall Internet Intranet

  8. Packet Filter • Filter IP packets based on their headers • Fields may include: • IP address (source & destination) • TCP/UDP ports (source & destination) • Flags • Options • Stateless & fast • Implementation is based on lookup of header bits/bytes and decisions

  9. Example Rules allow proto=TCP AND port=80 deny proto=UDP AND port=1434 deny sourceIP=127.0.0.1 allow proto=TCP AND port=22 AND sourceIP=adminConsole

  10. Example Policy • Outbound traffic only • allow proto=TCP AND (sourceIP=inside OR ACK=true) • What might be some issues with this policy? Firewall Internet Intranet

  11. Firewall Internet More complicated network Intranet • Need to allow services from within the Intranet • Option 1: “punch a hole” allow port=25 AND destIP=mailserver • Option 2: DMZ WebServer DNSServer MailServer Desktop Desktop Desktop

  12. Firewall Internet Demilitarized Zone Intranet Intranet WebServer Desktop Desktop Desktop MailServer Public WebServer DMZ DNSServer

  13. DMZ principles • Restrict access • from Internet to the DMZ to protect servers • from DMZ to intranet to protect against compromises • E.g. • Allow connections from Internet to mail server on port 25 (SMTP) • Allow connections from intranet to mail server on port 993 (secure IMAP)

  14. Policies • Firewall policies typically lists of allow or deny rules • What should the default rule be? • Default allow: • convenient since doesn’t interfere with legitimate activity • Default deny: • more secure, since every allowed use undergoes security review • if policy too restrictive, people complain and it gets fixed • if policy too permissive, only learn about it after an attack -- too late!

  15. Other policy issues • Scale • Large organizations have thousands of rules • How do you process them efficiently? • How do you know they are correct? • Ingress vs. egress filtering • Ingress: filter packets from the Internet • Egress: filter traffic to the Internet (why?)

  16. Packet Filter Limitation • Packet fragmentation • IP allows packets to be split into several fragments • No connection semantics • Actions only on individual packets • No application semantics • Only indication of application protocol is port number • Modern applications abuse this fact

  17. Higher-level analysis • Packet filters cannot: • Forbid a particular URL • Detect email viruses • Block (malicious) ActiveX plugins • Alternate approaches: • Stateful firewall: reconstruct connections • Application-level proxy: transform connections

  18. Stateful Firewall • Reconstruct connection state • Make decisions based on flows, not on packets • Some application protocol parsing may also be done GET su /foo.html root flow1  GET /foo.html ... flow2 su root X

  19. Application-Level Proxy • Process incoming packets at application layer • Generate transformed message stream • Block dangerous messages • Normalize protocol semantics GET /foo.html HTTP/1.0 Evil-option: yes Proxy GET /foo.html HTTP/1.1 Evil-option: no

  20. Trade-offs • Pro: Higher precision • Con: Higher costs • Scalability: keep state for all connections for 1000’s of computers • Latency: proxy adds processing delays • Flexibility: proxy needs to understand everything you do with a protocol

  21. Network Address Translation rest of Internet local network (e.g., home network) 10.0.0/24 10.0.0.1 10.0.0.4 10.0.0.2 138.76.29.7 10.0.0.3 All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)

  22. NAT & security • NAT originally designed to address IP scarcity • A user (e.g. DSL subscriber) pays for one or a few IP addresses for many computers • Side benefit: simple firewall • External ports allocated when internal host initiates connection • External connection attempts are impossible • Modern NATs more sophisticated • Allow some external connections to exist • Support for dynamic port allocation for P2P, UDP applications • Limited firewall semantics

  23. Network Intrusion Detection NIDS • Passive traffic interception • Send copy of traffic to NIDS • Do not block normal path • Better performance / worse security Internet Intranet

  24. NIDS vs. Firewalls • Actions: • Firewalls: block or allow • NIDS: alert administrator, log, block (intrusion prevention system) • Policies: • Firewalls: ACL-style policy on (packet) attributes • NIDS: attack signatures, statistical anomalies • NIDS challenges: • Evasion • False positives

  25. VPNs Firewall Intranet Internet Home Network

  26. VPNs and Firewalls • VPN goals • Home computer / laptop on the road can be on corporate network • VPN issues • Home networks less protected than corporate network • Attacks can vector through VPN • Mitigation • Require protection on computers using VPN • More restrictive FW policy on VPN connections

  27. Blurring of the Perimeter • VPNs • Complicated network connections with multiple partners • Wireless networks • Laptops • Malicious insiders • Worms / compromised computers can be seen as “malicious insiders”

  28. Host-based approaches • Host-based IDS • Earlier types of IDS were all host-based • Can get better insight into host behavior • But more susceptible to compromise • Host-based firewalls • Your laptop and desktop probably have this functionality already • Challenge: management • Require all users to install firewall / IDS product, manage policies, configuration, and logs centrally • Alternate approach: FW/IDS in routers and switches

  29. If you want to learn more... • Take CS460 lab course • Hands on experience with firewalls and IDSs • Take CS463 course • More detailed coverage of intrusion detection

  30. Key points • Perimeter security is popular • Cheap, convenient, effective(?) • Firewalls and IDSs most common tools for network security • Firewalls and IDSs fighting an uphill battle • Both attackers and legitimate users struggle to avoid/evade them • Security management is a key challenge

More Related