Advanced Computer Networks & Computer and Network Security: Prof. Dr. Hasan Hüseyin BALIK (8 Week)
Outline
• 2. Computer security technology and
principles
—2.1. Cryptographic Tools
—2.2. User Authentication
—2.3 Access Control
—2.4 Malicious Software
—2.5. Denial-of-Service Attacks
—2.6 Intrusion Detection
—2.7 Firewalls and Intrusion Prevention Systems
2.7 Firewalls and Intrusion Prevention Systems
2.7 Outline
• The Need for Firewalls
• Firewall Characteristics and Access Policy
• Types of Firewalls
• Firewall Basing
• Firewall Location and Configurations
• Intrusion Prevention Systems
• Example: Unified Threat Management Products
The Need For Firewalls
• Internet connectivity is essential
• However, it creates a threat
• Firewalls are an effective means of protecting LANs
• Inserted between the premises network and the Internet to establish a controlled link
• Can be a single computer system or a set of two or more systems working together
• Used as a perimeter defense
• Single choke point to impose security and auditing
• Insulates the internal systems from external networks
Firewall Characteristics
Design goals:
• All traffic from inside to outside, and vice versa, must pass through the firewall
• Only authorized traffic as defined by the local security policy will be allowed to pass
• The firewall itself is immune to penetration
Firewall Access Policy
• A critical component in the planning and implementation of a firewall is specifying a suitable access policy
• This lists the types of traffic authorized to pass through the firewall
• Includes address ranges, protocols, applications and content types
• This policy should be developed from the organization’s information security risk assessment and policy
• Should be developed from a broad specification of which traffic types the organization needs to support
• Then refined to detail the filter elements which can then be implemented within an appropriate firewall topology
Firewall Filter Characteristics
• Characteristics that a firewall access policy could use to filter traffic include:
• IP address and protocol values: this type of filtering is used by packet filter and stateful inspection firewalls; typically used to limit access to specific services
• Application protocol: this type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
• User identity: typically for inside users who identify themselves using some form of secure authentication technology
• Network activity: controls access based on considerations such as the time of request, rate of requests, or other activity patterns
Firewall Capabilities And Limits
Capabilities:
• Defines a single choke point
• Provides a location for monitoring security events
• Convenient platform for several Internet functions that are not security related
• Can serve as the platform for IPSec
Limitations:
• Cannot protect against attacks that bypass the firewall
• May not protect fully against internal threats
• Improperly secured wireless LAN can be accessed from outside the organization
• Laptop, PDA, or portable storage device may be infected outside the corporate network and then used internally
[Figure: general model of a firewall, with the internal (protected) network, e.g. the enterprise network, and the external (untrusted) network, e.g. the Internet, connected only through the firewall]
• Source IP address
• Destination IP address
• Source and destination transport-level address
• IP protocol field
• Interface
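The header fields listed above are what a stateless packet filter has to work with. The following is an added example written for these slides, not code from the lecture or from any firewall product: an ordered rule list evaluated first-match against those five fields, with a default deny when nothing matches. The policy, addresses (documentation ranges) and packets are constructed for illustration.

```python
# Added example (not from the lecture slides or any firewall product): a minimal
# stateless packet filter over the header fields a packet-filtering firewall
# inspects: source/destination IP, transport-level ports, IP protocol, interface.
# Rules, addresses and packets below are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Collection, Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # IP protocol field, e.g. "tcp", "udp", "icmp"
    sport: int    # source transport-level port (0 when not applicable)
    dport: int    # destination transport-level port
    iface: str    # interface on which the packet arrived

@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    src: str = "0.0.0.0/0"                       # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None                  # None matches any protocol
    sport: Optional[Collection[int]] = None      # None matches any port
    dport: Optional[Collection[int]] = None
    iface: Optional[str] = None                  # None matches any interface

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.iface is None or self.iface == p.iface))

def filter_packet(rules: list[Rule], p: Packet) -> str:
    """First-match evaluation. A packet that no rule permits is denied, so the
    policy fails closed rather than open."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

# Constructed policy for a web server at 203.0.113.10:
# 1. deny packets arriving on the outside interface that claim an internal
#    source address (anti-spoofing; it must precede any permit rule),
# 2. permit inbound HTTP and HTTPS to the web server,
# 3. permit the server's own replies leaving on the inside interface,
# everything else falls through to the default deny.
WEB = frozenset({80, 443})
POLICY = [
    Rule("deny", src="10.0.0.0/8", iface="outside"),
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=WEB, iface="outside"),
    Rule("permit", src="203.0.113.10/32", proto="tcp", sport=WEB,
         dport=range(1024, 65536), iface="inside"),
]

if __name__ == "__main__":
    for pkt in [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 51515, 443, "outside"),
        Packet("10.1.2.3", "203.0.113.10", "tcp", 51515, 80, "outside"),
        Packet("198.51.100.7", "203.0.113.10", "udp", 51515, 53, "outside"),
    ]:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, pkt.iface, filter_packet(POLICY, pkt))
```

Rule order matters: the anti-spoofing deny is listed first because a later permit would otherwise admit the spoofed packet. Rule 3 also shows the limitation of a pure packet filter: it has no memory of which connections exist, so replies have to be described by port ranges; a stateful inspection firewall replaces that rule with a table of established connections.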
Advantages:
• Filtering rules can be tailored to the host environment
• Protection is provided independent of topology
• Provides an additional layer of protection
Personal Firewall
• Controls traffic between a personal computer or workstation and the Internet or enterprise network
• For both home and corporate use
• Typically is a software module on a personal computer
• Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• Typically much less complex than server-based or stand-alone firewalls
• Primary role is to deny unauthorized remote access
• May also monitor outgoing traffic to detect and block worms and malware activity
[Figure: example firewall configuration: Internet, boundary router, a LAN switch serving the Web server(s), email server and DNS server, and a second LAN switch serving the application and database servers and the workstations]
[Figure 9.4 Example Distributed Firewall Configuration: Internet, boundary router, external DMZ network with Web server(s), external firewall, internal DMZ network with Ethernet switches, firewalls with IPSec, LAN switches, and workstations with host-resident firewalls; IPSec-protected packets are shown as IP header, IPSec header and secure IP payload, beside plain packets with IP header and IP payload]
Firewall Topologies
• Host-resident firewall: includes personal firewall software and firewall software on servers
• Distributed firewall configuration: used by large businesses and government organizations
Intrusion Prevention Systems (IPS)
• Also known as Intrusion Detection and Prevention System (IDPS)
• Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity
• Can be host-based, network-based, or distributed/hybrid
• Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior
• Can block traffic as a firewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so
Host-Based IPS (HIPS)
• Can make use of either signature/heuristic or anomaly detection techniques to identify attacks
• Signature: focus is on the specific content of application network traffic, or of sequences of system calls, looking for patterns that have been identified as malicious
• Anomaly: IPS is looking for behavior patterns that indicate malware
• Examples of the types of malicious behavior addressed by a HIPS include:
• Modification of system resources
• Privilege-escalation exploits
• Buffer-overflow exploits
• Access to e-mail contact list
• Directory traversal
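The two HIPS detection styles above can be shown side by side on the system-call sequences the slide mentions. The following is an added example written for these notes, not code from the lecture or from any HIPS product: signature detection looks for one specific call sequence, while anomaly detection builds a profile of short call windows from known-good traces and scores how much of a new trace falls outside it. The traces, the signature and the threshold are constructed for illustration.

```python
# Added example (not from the lecture slides or any HIPS product): signature
# and anomaly detection over per-process system-call traces, combined the way
# a HIPS would combine them. All traces, the signature and the threshold are
# constructed for illustration.
WINDOW = 3  # length of the system-call windows (n-grams) in the profile

# Constructed signature: the shape "switch to another uid, then run a program",
# a sequence a HIPS might associate with privilege escalation.
SIGNATURE = ("setuid", "execve")

def signature_hits(trace, signature=SIGNATURE):
    """Return every offset at which the signature occurs contiguously in trace."""
    n = len(signature)
    return [i for i in range(len(trace) - n + 1) if tuple(trace[i:i + n]) == signature]

def ngrams(trace, n=WINDOW):
    """Sliding windows of n consecutive system calls."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_baseline(good_traces, n=WINDOW):
    """Profile of normal behaviour: the set of call windows seen in good traces."""
    profile = set()
    for t in good_traces:
        profile.update(ngrams(t, n))
    return profile

def anomaly_score(trace, profile, n=WINDOW):
    """Fraction of windows in trace that never appeared in the baseline profile."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)

def classify(trace, profile, threshold=0.3):
    """A signature hit is decisive (known malicious); otherwise alert when too
    much of the trace lies outside the profile of legitimate behaviour."""
    if signature_hits(trace):
        return "block: signature"
    if anomaly_score(trace, profile) > threshold:
        return "alert: anomaly"
    return "allow"

# Constructed baseline: normal call patterns of a small request handler.
GOOD = [
    ["open", "read", "write", "close", "open", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["accept", "read", "open", "read", "write", "close", "write", "close"],
]
PROFILE = build_baseline(GOOD)

if __name__ == "__main__":
    for trace in [
        ["accept", "read", "write", "close"],
        ["accept", "read", "setuid", "execve"],
        ["accept", "read", "mmap", "mprotect", "write"],
    ]:
        print(trace, "->", classify(trace, PROFILE))
```

The threshold is the practical tuning point: a low value catches more novel behaviour but also flags legitimate code paths that were simply absent from the training traces, which is the false-positive cost of anomaly detection that the signature approach does not pay.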
HIPS
• Capability can be tailored to the specific platform
• A set of general purpose tools may be used for a desktop or server system
• Some packages are designed to protect specific types of servers, such as Web servers and database servers
• In this case the HIPS looks for particular application attacks
• Can use a sandbox approach
• Sandboxes are especially suited to mobile code such as Java applets and scripting languages
• HIPS quarantines such code in an isolated system area, then runs the code and monitors its behavior
• Areas for which a HIPS typically offers desktop protection:
• System calls
• File system access
• System registry settings
• Host input/output
The Role of HIPS
• Many industry observers see the enterprise endpoint, including desktop and laptop systems, as now the main target for hackers and criminals
• Thus security vendors are focusing more on developing endpoint security products
• Traditionally, endpoint security has been provided by a collection of distinct products, such as antivirus, antispyware, antispam, and personal firewalls
• Approach is an effort to provide an integrated, single-product suite of functions
• Advantages of the integrated HIPS approach are that the various tools work closely together, threat prevention is more comprehensive, and management is easier
• A prudent approach is to use HIPS as one element in a defense-in-depth strategy that involves network-level devices, such as either firewalls or network-based IPSs
Network-Based IPS (NIPS)
• Inline NIDS with the authority to modify or discard packets and tear down TCP connections
• Makes use of signature/heuristic detection and anomaly detection
• May provide flow data protection
• Requires that the application payload in a sequence of packets be reassembled
• Methods used to identify malicious packets:
[Figure 9.5 Placement of Malware Monitors (adapted from [SIDI05]): instrumented applications and an application server report to a correlation server, alongside a passive sensor, a remote sensor and a honeypot; numbered flow: 1. malware execution, 2. notifications, 3. forward features, 6. application update]
Snort Inline
• Enables Snort to function as an intrusion prevention system
• Includes a replace option which allows the Snort user to modify packets rather than drop them
• Useful for a honeypot implementation
• Attackers see the failure but cannot figure out why it occurred
Snort Inline rule actions:
• Drop: Snort rejects a packet based on the options defined in the rule and logs the result
• Reject: packet is rejected and the result is logged, and an error message is returned
• Sdrop: packet is rejected but not logged
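The difference between the three Snort Inline actions is easiest to see by running rules against traffic. The following is an added example, not Snort's own code: it parses a small subset of Snort rule syntax (action, protocol, destination port, and the msg, content and sid options) and reports, for each constructed packet, whether it was forwarded, whether an event was logged and whether an error response would be sent back. It also covers the ordinary alert action for comparison. Rule matching is simplified to first-match in list order, the replace option is not modelled, and the rules and packets are constructed for illustration.

```python
# Added example (not Snort's code): a toy model of the Snort Inline rule
# actions drop, reject and sdrop, plus alert, applied to constructed packets.
# Supports only a small subset of Snort rule syntax; first matching rule wins.
import re

RULE_RE = re.compile(
    r'^(?P<action>alert|drop|reject|sdrop)\s+(?P<proto>tcp|udp)\s+'
    r'any\s+any\s+->\s+any\s+(?P<dport>\d+|any)\s*\((?P<opts>.*)\)\s*$'
)

def parse_rule(text):
    """Parse 'action proto any any -> any dport (msg:"..."; content:"..."; sid:N;)'."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    opts = dict(re.findall(r'(\w+):"?([^;"]*)"?;', m.group("opts")))
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "dport": None if m.group("dport") == "any" else int(m.group("dport")),
        "msg": opts.get("msg", ""),
        "content": opts.get("content", "").encode(),   # empty content matches anything
        "sid": int(opts.get("sid", 0)),
    }

def rule_matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and rule["content"] in pkt["payload"])

def inline_verdict(rules, pkt):
    """Apply the first matching rule with Snort Inline semantics:
    alert  - packet forwarded, event logged
    drop   - packet discarded, event logged
    reject - packet discarded, event logged, error (e.g. TCP RST) returned
    sdrop  - packet discarded silently, nothing logged"""
    for rule in rules:
        if rule_matches(rule, pkt):
            a = rule["action"]
            return {
                "sid": rule["sid"],
                "msg": rule["msg"],
                "forwarded": a == "alert",
                "logged": a in ("alert", "drop", "reject"),
                "error_returned": a == "reject",
            }
    return {"sid": None, "msg": "", "forwarded": True, "logged": False, "error_returned": False}

# Constructed rule set (sid values are illustrative, from the local range).
RULES = [parse_rule(r) for r in [
    'drop tcp any any -> any 80 (msg:"Directory traversal attempt"; content:"../"; sid:1000001;)',
    'reject tcp any any -> any 23 (msg:"Telnet blocked by policy"; sid:1000002;)',
    'sdrop udp any any -> any any (msg:"Quiet drop of probe"; content:"PROBE"; sid:1000003;)',
    'alert tcp any any -> any 80 (msg:"Admin path requested"; content:"/admin"; sid:1000004;)',
]]

# Constructed packets: only the fields the toy matcher looks at.
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1"},
    {"proto": "tcp", "dport": 23, "payload": b""},
    {"proto": "udp", "dport": 5000, "payload": b"PROBE"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /admin HTTP/1.1"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["proto"], pkt["dport"], pkt["payload"][:24], "->", inline_verdict(RULES, pkt))
```

The honeypot point on the slide corresponds to the sdrop and drop rows: the sender gets no error and no explanation, so the connection simply fails from their side, while the defender keeps (drop) or deliberately omits (sdrop) the log record.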
[Figure: Unified Threat Management appliance: raw incoming traffic passes through the routing module, VPN module and firewall module, then an IDS engine with anomaly detection and an IPS engine with an activity inspection engine, followed by the Web filtering module, antispam module, VPN module and bandwidth shaping module]