
Upload: clement-jennings

Post on 28-Dec-2015


Defining Network Security

Security is prevention of unwanted information transfer

• What are the components?

– …Physical Security

– …Operational Security

– …Human Factors

– …Protocols


Areas for Protection

• Privacy

• Data Integrity

• Authentication/Access Control

• Denial of Service


Regulations and Standards

• Computer Crime Laws

• Encryption

• Government as “Big Brother”


Security

Threat, Value and Cost Tradeoffs

• Identify the Threats

• Set a Value on Information

• Add up the Costs (to secure)

Cost < Value * Threat


Threats

• Hackers/Crackers (“Joyriders”)

• Criminals (Thieves)

• Rogue Programs (Viruses, Worms)

• Internal Personnel

• System Failures


Network Threats

• IP Address spoofing attacks

• TCP SYN Flood attacks

• Random port scanning of internal systems

• Snooping of network traffic

• SMTP Buffer overrun attacks


Network Threats (cont.)

• SMTP backdoor command attacks

• Information leakage attacks via finger, echo, ping, and traceroute commands

• Attacks via download of Java and ActiveX scripts

• TCP Session Hijacking

• TCP Sequence Number Prediction Attacks


Threat, Value and Cost Tradeoffs

• Operations Security

• Host Security

• Firewalls

• Cryptography: Encryption/Authentication

• Monitoring/Audit Trails


Host Security

• Security versus Performance & Functionality

• Unix, Windows NT, MVS, etc.

• PCs

• “Security Through Obscurity”


Host Security (cont)

• Programs

• Configuration

• Regression Testing


Network Security

• Traffic Control

• Not a replacement for Host-based mechanisms

• Firewalls and Monitoring, Encryption

• Choke Points & Performance


Access Control

• Host-based:

– Passwords, etc.

– Directory Rights

– Access Control Lists

– Superusers

• Network-based:

– Address Based

– Filters

– Encryption

– Path Selection


Network Security and Privacy

• Protecting data from being read by unauthorized persons.

• Preventing unauthorized persons from inserting and deleting messages.

• Verifying the sender of each message.

• Allowing electronic signatures on documents.


FIREWALLS

• Protect against attacks

• Access Control

• Authentication

• Logging

• Notifications


Types of Firewalls

• Packet Filters

– Network Layer

• Stateful Packet Filters

– Network Level

• Circuit-Level Gateways

– Session Level

• Application Gateways

– Application Level

[Figure: layer stack with Application, Presentation, Session, Transport, Network, Data Link, Physical]


Packet Level

• Sometimes part of router

• TAMU “Drawbridge”

[Figure: diagram labeled Campus, Router, Drawbridge, ROTW]


Circuit Level

• Dedicated Host

• Socket Interfaces

[Figure: diagram labeled Local FW, ROTW]


Application Level

• Needs a dedicated host

• Special Software most everywhere

[Figure: diagram labeled telnet, Firewall, ROTW]


Firewall Installation Issues

[Figure: diagram labeled DNS, Router, FTP, Web, Mail, INTERNET]


Firewall Installation Issues

• DNS Problems

• Web Server

• FTP Server

• Mail Server

• Mobile Users

• Performance


Address Transparency

• Some addresses need to be visible to external hosts.

• The firewall lets external hosts connect as if the firewall were not there.

• The firewall still performs authentication.


Network Address Translation

[Figure: networks 10.0.0.0 and 128.194.103.0; labels: Firewall, Internet, Gateway]


Network Address Translation

[Figure: three protocol stacks (ftpd, ftp, and proxy ftp with gw control, each over TCP, IP, Data Link, Hardware) for Host A: Internal Host, Gateway Host, and Host B: External Host; datagram labels: "A GW" and "A B"]


IP Packet Handling

• Disables IP Packet Forwarding

• Cannot function as an insecure router

• e.g. ping packets will not be passed

• Fail Safe rather than Fail Open

• Only access is through proxies
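
An added example (not from the original slides) of the packet handling listed above: a gateway that never forwards, accepts only services that have a proxy, and denies on any policy error. The host addresses, prefix length, proxy list, the internal-source rule and the names `decide` and `relay` are assumptions made for illustration, as is treating 10.0.0.0 as the internal network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: the slides give only the networks 10.0.0.0 and
# 128.194.103.0; prefix length, host addresses and proxy list are assumed.
INTERNAL = ip_network("10.0.0.0/8")
GATEWAY_INT = ip_address("10.0.0.1")
GATEWAY_EXT = ip_address("128.194.103.1")
PROXIES = {("tcp", 21): "proxy ftp", ("tcp", 23): "proxy telnet"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0

def decide(pkt):
    """Return (verdict, reason); anything not explicitly proxied is dropped."""
    try:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if dst not in (GATEWAY_INT, GATEWAY_EXT):
            # IP forwarding is disabled: the gateway never routes for others.
            return "drop", "forwarding disabled"
        if src not in INTERNAL:
            return "drop", "source not internal"  # assumed policy
        proxy = PROXIES.get((pkt.proto, pkt.dport))
        if proxy is None:
            return "drop", "no proxy for service"
        return "accept", proxy
    except Exception:
        # Fail safe: an error while evaluating policy denies the packet.
        return "drop", "policy error"

def relay(pkt, target):
    """Second leg of a proxied session: a new connection that originates
    at the gateway's external address. Returns None if leg one was dropped."""
    if decide(pkt)[0] != "accept":
        return None
    return Packet(str(GATEWAY_EXT), target, pkt.proto, pkt.dport)

if __name__ == "__main__":
    samples = [  # constructed packets; 192.0.2.10 is a documentation address
        Packet("10.0.0.5", "10.0.0.1", "tcp", 21),   # FTP to the proxy
        Packet("10.0.0.5", "192.0.2.10", "icmp"),    # ping through the gateway
        Packet("10.0.0.5", "10.0.0.1", "tcp", 80),   # service without a proxy
        Packet("not-an-ip", "10.0.0.1", "tcp", 21),  # malformed header
    ]
    for p in samples:
        print(p, decide(p), relay(p, "192.0.2.10"))
```
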


DNS Proxy Security

[Figure: hosts finance.xyz.com, marketing.xyz.com, sales.xyz.com; Eagle Gateway eagle.xyz.com running DNSd; INTERNET; External DNS Server]


Virtual Private Tunnels

[Figure: "Hello" crosses the INTERNET as "!@@%*"; one end is labeled Encapsulate, Authenticate, Encrypt; the other end is labeled Decapsulate, Authenticate, Decrypt]

Creates a “Virtual Private Network”


VPN Secure Tunnels

• Two types of Tunnels supported

– SwIPe and IPsec tunnels

• Encryption

– DES, triple DES and RC2

• Secret key used for authentication and encryption

• Trusted hosts are allowed to use the tunnel on both ends


Designing DMZs

[Figure: diagram labeled INTERNET, Screening Router, DMZ (Web, FTP, Mail), Company Intranet]


Firewall Design Project

[Figure: diagram labeled Wide Area Router, Dallas, Raptor Remote, Hawk Console, INTERNET, Mail Server, San Jose, Raptor Eagle, File Server, Internet Router]


Monitoring

• Many tools exist for capturing network traffic.

• Other tools can analyze captured traffic for “bad” things.

• Few tools are real-time.


Summary

• Security must be comprehensive to be effective.

• Remember threat, value, cost when implementing a system.

• Security is achievable, but never 100%.

• Make your system fault tolerant.