Posted on 23-Jan-2016

TRANSCRIPT

COPYRIGHT

This presentation is provided to specific parties on request. All slides must be shown in their entirety, including the D-Link logo and brand name, without any modification or deletion, unless with the written consent of D-Link. Individual slides may be removed in their entirety. Background colour may be changed. Printed copies can be distributed freely for the specific purpose for which this presentation slide is used. Failure to observe this violates the copyright agreement. D-Link reserves the right to withdraw from the party the right to use the presentation slide and/or take any other action deemed necessary by D-Link to prevent the slides, or part of them, being used.

BASIC CONCEPTS IN NETWORK ADMINISTRATION

SECURITY MANAGEMENT

MSEE Ing. Héctor J. Simosa, 22 October 2004

Network Security

Security is an essential mechanism in networks. The Internet is a network of interconnected networks without borders....

Because of this, organizations' networks are vulnerable through their accessibility from any computer in the world.

Solutions

• D-Link offers fairly complete security solutions beyond the firewall (FW) to protect your network, among them:
– Intrusion Detection Systems
– Virtual Private Networks
– Identification services
– Security management tools

Security: why is it important?

Computer Hackers

• They can be divided into three categories:
– Those who break the security of computer networks
– Those who break the security of application software
– Those who write malicious programs to exploit weaknesses in the OS
• Fact: there is no 100% secure solution!

Evolution of Security

(Timeline chart, 1980 to 2000, of attack techniques: password guessing, password cracking, self-replicating code, exploiting known vulnerabilities, disabling audit, DDoS, sniffers, session hijacking, stealth diagnostics, sweepers, backdoors, packet forging/spoofing, sophisticated hacker tools, Internet worm. Vertical axis: technical knowledge required, low to high.)

Attacks on Information Networks

• Protection is a challenge!
– The ability to attack networks has become more sophisticated
– It is not enough to rely on a firewall
– Just as you physically protect your premises, you must protect your network.
• What questions should we ask ourselves?

What questions should we ask?

• Do you have an Intranet/Extranet/Internet?
• Are you thinking of or planning to implement some type of network?
• Do you have critical or strategic information available on your network?
• How would you know whether you have been the victim of a security breach?

What is the Internet?

(Diagram: the Internet connecting a Remote User, a Remote Office, the Corporate Network and a Remote Partner.)

What is an Intranet?

(Diagram: the Corporate Network with a DMZ Network hosting a Web Server and an E-Mail Server, reached across the Internet by a Remote Office and a Remote User.)

What is an Extranet?

(Diagram: as for the Intranet, with the DMZ Network's Web Server and E-Mail Server also reached by Partner Sites across the Internet.)

What do we need to protect?

• Routers are targets
• Managed switches are targets
• Hosts/clients are targets
• Databases are targets
• Applications are targets
• Information is a target
• Web and e-mail servers are targets
• Management tools are targets

More Questions ........

Is your security solution complete? Can you support a broad range of business without compromising the organization?

Is your security solution extensible to the evolving requirements of your users?

How do security problems arise?

• When you connect your computer to the Internet you are exposed to threats.......
• The first threat is that your IP packets can be inspected as they travel across the Internet.
• The second threat is that someone uses your connectivity to attack your OS.
• There is only one way to provide security against these threats.......

Security Services

• What do they mean?
• Why are they necessary?
• How are they implemented?

What do security services mean?

• Privacy.......?
• Authentication.......?
• Access control.......?

Communication Properties

Alice <-> Bob

Communicating securely??

• Secrecy
• Authentication
• Message integrity

Authenticated Access

(Diagram: VLAN A, VLAN B and an authentication VLAN, with an Authentication Server, Target Resource A and Target Resource B.)

1. Log on and establish access privileges
2. Instruct the network to connect the user to the target VLAN(s)
3. The user is connected to the target VLAN(s)

Why are they necessary?

• The perpetrator has solid knowledge of the protocols in use.
• They can interpret the message, discovering passwords, sensitive information, etc.

Firewall

How are they implemented?

The Security Challenge in a Computer Network

What is a Firewall?

• A system designed to prevent unauthorized access to or from a private network
• Implemented in hardware, in software, or in a combination of both
• Every message entering or leaving the network through the FW is examined, and those that do not comply with the security policy are blocked.

Firewall Architectures

• 1. Packet Filters
• 2. Application Proxies
• 3. Circuit-level Gateways
• 4. Network Address Translation (NAT) Firewalls

Packet Filter Firewall

(Diagram: a router with packet filter sits between the User and the Server. The filter operates at the Network layer of the OSI stack: Application, Presentation, Session, Transport, Network, Data Link, Physical.)

Application Gateways / Proxies

(Diagram: the gateway runs proxy applications for Telnet, HTTP, FTP and SMTP. It operates at the Application layer of the OSI stack: Application, Presentation, Session, Transport, Network, Data Link, Physical.)

Stateful Inspection

(Diagram: OSI stack, Application, Presentation, Session, Transport, Network, Data Link, Physical, with the inspection point between Data Link and Network and a box of dynamic state tables beside it.)

Packets are intercepted between the Data Link and Network layers. Information on all higher layers is saved in dynamic state tables.
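The difference between the packet-filter and stateful-inspection architectures above, as an added example written for this page (it is not D-Link code and does not model the DFL series): a stateless filter that can only look at header fields beside one that keeps a dynamic state table of flows opened from the inside. The internal prefix, addresses, ports and the four sample packets are constructed values.

```python
"""Added example (not from the D-Link slides): a stateless packet filter
next to a stateful one, to show what the dynamic state table buys you.

Packets are plain dicts built inline; the addresses and ports are
constructed sample values, not captured traffic."""

INSIDE_PREFIX = "10.0.0."   # assumed internal address range


def packet(src, sport, dst, dport, flags):
    """Build the subset of TCP/IP header fields a filter looks at."""
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": frozenset(flags)}


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(p):
    """Network-layer packet filter: rules only, no memory between packets.

    Rule 1: allow TCP from inside to outside.
    Rule 2: allow inbound TCP carrying ACK, on the assumption that a packet
            with ACK set must be a reply to something an inside host sent.
    Rule 3: drop everything else.

    Rule 2 is the classic weakness: the filter cannot tell a genuine reply
    from an outsider's probe that simply has the ACK bit set.
    """
    if is_inside(p["src"]) and not is_inside(p["dst"]):
        return "allow"
    if not is_inside(p["src"]) and "ACK" in p["flags"]:
        return "allow"
    return "drop"


class StatefulFilter:
    """Keeps a dynamic state table of flows opened from the inside.

    An inbound packet is allowed only if it belongs to a flow already in
    the table, regardless of which flag bits it carries.
    """

    def __init__(self):
        self.table = set()   # entries: (proto, src, sport, dst, dport)

    def check(self, p):
        key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        reverse = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if is_inside(p["src"]) and not is_inside(p["dst"]):
            # A bare SYN from inside opens a new entry; later outbound
            # packets must match an existing entry.
            if "SYN" in p["flags"] and "ACK" not in p["flags"]:
                self.table.add(key)
            return "allow" if key in self.table else "drop"
        if reverse in self.table:
            if p["flags"] & {"FIN", "RST"}:
                self.table.discard(reverse)   # connection torn down
            return "allow"
        return "drop"


def run_demo():
    """Run the same four packets through both filters; returns the verdicts."""
    sf = StatefulFilter()
    client_syn = packet("10.0.0.5", 40000, "203.0.113.10", 80, {"SYN"})
    server_synack = packet("203.0.113.10", 80, "10.0.0.5", 40000, {"SYN", "ACK"})
    # An outsider's ACK probe against the client's SSH port: no inside
    # host ever opened this flow.
    ack_probe = packet("198.51.100.7", 1234, "10.0.0.5", 22, {"ACK"})
    syn_probe = packet("198.51.100.7", 1234, "10.0.0.5", 22, {"SYN"})
    results = {}
    for name, p in [("client_syn", client_syn), ("server_synack", server_synack),
                    ("ack_probe", ack_probe), ("syn_probe", syn_probe)]:
        results[name] = (stateless_filter(p), sf.check(p))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:14s} stateless={stateless:5s} stateful={stateful}")
```

The stateless filter lets the ACK probe through because its rule for return traffic has to be written in terms of flag bits alone; the stateful filter drops it because no entry in the table matches, and it only ever admits inbound packets that belong to a flow an inside host opened.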

Proxy Server Gateways

(Diagram: Internal Client, Firewall/Proxy Server, External Web Server.)

1. Request (internal client to proxy)
2. Repackaged request (proxy to external web server)
3. Response (external web server to proxy)
4. Repackaged response (proxy to internal client)

Security Policies

• Network Service Access Policy

Defines the services that will be explicitly permitted or denied from the restricted network, consistent with the properties of secure communication.

• Firewall Design Policy

Describes how the firewall will be configured to enforce the rules that restrict access or filter services.

Enterprise Security - Internet

(Diagram: Remote User, Remote Office and Partner Site reach the Corporate Network and the DMZ Network across the Internet through the FW.)

Enterprise Security - Intranet
• Policies for enterprise-wide communication

(Diagram: same topology.)

Enterprise Security - Extranet
• Secure communication between partners

(Diagram: same topology.)

Security Elements in Wireless Networks

Access control
• By network name
• By MAC address

DSSS transmission technology is described as difficult to intercept. Note that 802.11 uses a fixed, public spreading sequence, so any standard 802.11 receiver in range demodulates the traffic; the modulation itself provides no confidentiality.

DSSS allows high transmission rates by dividing the 2.4-GHz band into 14 22-MHz channels.

Security is weak.

Security in WLANs

Threats in WLANs

• Denial of Service
• Interception/Eavesdropping
• Manipulation
• Masquerading
• Repudiation
• Transitive Trust
• Infrastructure

Security Premises in 802.11b

• Service Set Identifier (SSID)
• Shared or Open Authentication
• MAC Filtering/Firewall
• Wired Equivalent Privacy (WEP)
– Link level
– Poor security

SSID

• Mechanism used to segment WLANs
• Each AP is programmed with an SSID corresponding to its network
• The client presents the correct SSID to access the AP
• There are security compromises:
– The AP can be configured to broadcast its SSID
– The SSID can be shared among several users of a wireless segment

MAC Filtering

• Each client is identified by the MAC address of its 802.11 NIC
• The AP can be programmed with a set of MAC addresses to accept
• Combine the filtering with the AP's SSID
• This incurs an overhead in maintaining the list of MAC addresses. The MAC address is also sent in the clear and can be changed by the client, so the filter is not an authentication mechanism.

Cryptography

Encryption uses the RC4 algorithm defined in the IEEE 802.11 WEP standard. Products are available with "40-bit" and "128-bit" encryption. "64-bit" WEP is the same as 40-bit WEP: a 40-bit (10 hex character) user-defined secret key plus a 24-bit Initialization Vector (not under the user's control) that is sent in the clear with every frame. Likewise "128-bit" WEP is a 104-bit (26 hex character) key plus the same 24-bit IV.

802.11 – Enterprise/Home Security

– Data Encryption (WEP, TKIP, AES): prevent third parties from viewing the content of wireless data transmissions
– User Authentication (802.1X): prevent unauthorized users from connecting to the wireless network
– Virtual LAN: use VLAN-capable Access Points to tag "guest traffic" and other "non-secure" traffic so that it can be routed outside the firewall

Across the Public Infrastructure
– Virtual Private Network: maintain end-to-end privacy through the use of Layer 3 tunneling protocols (independent of 802.11 devices)

WEP Authentication

• The client requests access
• The AP sends the client a challenge text
• The client encrypts the text using the pre-shared secret key (the key itself is never transmitted)
• If the text is encrypted correctly the AP grants access; otherwise it denies it.

WEP in Action

(Diagram: Supplicant, Access Point, Network resources; both sides hold the same WEP key, 1234567890 on the slide.)

1. Authentication Request (supplicant to AP)
2. Authentication Response (AP to supplicant)
3. Association Request
4. Association Response
5. Encrypted data to the Access Point

WEP Weaknesses

• All clients of an AP on a wireless network share the same encryption key
• There is no protocol for distributing the encryption key.
• Improved with WPA.
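The WEP key layout from the Cryptography slide (24-bit IV plus 40-bit key seeding RC4), the shared-key authentication exchange and the weaknesses listed above, as an added example written for this page (not D-Link firmware). RC4 is implemented inline so the script runs offline; the key, IV and challenge values are constructed for the demo. The last two functions show the caveat a practitioner should know: because the challenge is sent in the clear and the response is the challenge XOR RC4 keystream, anyone listening recovers the keystream for that IV and can answer a later challenge without the key.

```python
"""Added example (not D-Link firmware): how a '64-bit' WEP frame is built
from the 24-bit IV and 40-bit key, the shared-key authentication
handshake on the slides, and why that handshake leaks keystream.

RC4 is implemented inline so the script runs offline. Key, IV and
challenge values are constructed for the demo; SECRET_KEY is the
10-hex-character user key from the slide."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: a CRC-32 appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """RC4 seeded with IV || key; the IV travels in the clear in front."""
    assert len(iv) == 3 and len(secret_key) == 5, "24-bit IV, 40-bit key"
    return iv + rc4(iv + secret_key, plaintext + icv(plaintext))


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + secret_key, body)
    data, tag = plain[:-4], plain[-4:]
    return data, icv(data) == tag


def shared_key_auth(client_key: bytes, ap_key: bytes, challenge: bytes, iv: bytes) -> bool:
    """The exchange on the slide: the AP sends a clear-text challenge, the
    client returns it WEP-encrypted under the pre-shared key (the key is
    never sent), the AP decrypts with its own copy and compares."""
    response = wep_encrypt(client_key, iv, challenge)
    recovered, ok = wep_decrypt(ap_key, response)
    return ok and recovered == challenge


def keystream_from_auth(challenge: bytes, response: bytes):
    """The weakness: challenge (clear) XOR response (cipher) is the RC4
    keystream for that IV, recovered without knowing the key."""
    iv, body = response[:3], response[3:]
    known = challenge + icv(challenge)
    return iv, bytes(a ^ b for a, b in zip(known, body))


def forge_auth_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a later challenge by reusing the captured IV and keystream.
    WEP lets the sender choose the IV, so the AP has no reason to refuse."""
    plain = new_challenge + icv(new_challenge)
    assert len(plain) <= len(keystream)
    return iv + bytes(a ^ b for a, b in zip(plain, keystream))


# Constructed sample values for the demo.
SECRET_KEY = bytes.fromhex("1234567890")   # 10 hex characters = 40 bits
IV = bytes.fromhex("0000a1")               # 24 bits, sent in the clear
CHALLENGE = bytes(range(128))              # 802.11 challenge text is 128 bytes


def demo():
    legit = shared_key_auth(SECRET_KEY, SECRET_KEY, CHALLENGE, IV)
    wrong = shared_key_auth(bytes.fromhex("0000000000"), SECRET_KEY, CHALLENGE, IV)
    # An eavesdropper sees the challenge and the client's response...
    response = wep_encrypt(SECRET_KEY, IV, CHALLENGE)
    iv, ks = keystream_from_auth(CHALLENGE, response)
    # ...and later answers a fresh challenge correctly with no key at all.
    new_challenge = bytes(range(127, -1, -1))
    forged = forge_auth_response(iv, ks, new_challenge)
    data, ok = wep_decrypt(SECRET_KEY, forged)
    return {"legit": legit, "wrong_key": wrong, "forged_accepted": ok and data == new_challenge}


if __name__ == "__main__":
    print(demo())
```

This is also why the single shared key on the slide matters: every client's traffic under a given IV uses the same keystream, so keystream recovered from one station's authentication applies to all of them.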

WPA in Action

(Diagram: Supplicant, Authenticator (AP), Authentication Server, Network resources.)

1. Association Request
2. The AP sends an authentication request; the AP blocks the request until the user is authenticated
3. The client proves its credential to the authentication server
4. Once authenticated, the authentication server distributes the TKIP encryption key
5. The client joins the LAN with encrypted data

802.11 – Security Portfolio

(Matrix "Different Ways a Network Needs to be Made Secure", with columns Original 802.11b, Updated 802.11b, and 802.11a and a/b.)

Encryption: WEP; TKIP ("SSN"); AES
Authentication: nothing; 802.1X (LEAP, PEAP, TLS)
Application: VPN
Operation: VLAN

Questions the rows answer: "Is my data secure?", "How can I keep intruders from entering my network?", "Can I maintain the integrity of my link from end to end?", "How can I avoid breaking my own security mechanisms?"

802.1X Authentication

(Diagram: End-User Station with a password, Wireless AP, DRS-200. EAPOL (EAP) carries the request between the station and the AP; RADIUS (EAP) carries it between the AP and the RADIUS server.)

1. Using the Extensible Authentication Protocol (EAP), an end user contacts a wireless access point and requests to be authenticated.
2. The access point passes the request to the RADIUS server.
3. The RADIUS server challenges the end user for a password, and the end user responds with the password to the RADIUS server.
4. The RADIUS server authenticates the end user and the access point opens a port to accept data from the end user.
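The four 802.1X steps above, the WPA in Action flow (AP blocks data until the server accepts, then installs the distributed key) and the Authenticated Access slide (server tells the network which VLAN to connect the user to), as one added simulation written for this page. It is not D-Link or RADIUS-server code: the three roles are Python classes passing messages in-process. The challenge/response follows EAP-MD5 (RFC 3748, CHAP style MD5(identifier || password || challenge)); the session key derivation and the VLAN returned on accept are made-up stand-ins for the TKIP key and VLAN assignment on the slides, and the user database is a constructed sample.

```python
"""Added example (not D-Link or RADIUS-server code): an 802.1X/EAP
authentication with a controlled port, simulated in-process.

The challenge/response follows EAP-MD5 (RFC 3748, CHAP style:
MD5(identifier || password || challenge)). The per-session key and the
VLAN returned with Access-Accept stand in for the TKIP key and the
target-VLAN instruction on the slides; the key derivation is a made-up
stand-in, not a real protocol. The user database is a constructed sample."""
import hashlib
import hmac
import os


class AuthenticationServer:
    """RADIUS-like back end: owns the user database and issues challenges."""

    def __init__(self, users):
        self.users = users        # identity -> (password, target VLAN)
        self.pending = {}         # identity -> (EAP identifier, challenge)

    def access_challenge(self, identity):
        ident = os.urandom(1)[0]          # EAP identifier byte
        challenge = os.urandom(16)        # fresh per attempt, never reused
        self.pending[identity] = (ident, challenge)
        return ident, challenge

    def access_request(self, identity, response):
        """Returns (session_key, vlan) on Access-Accept, None on Reject."""
        ident, challenge = self.pending.pop(identity)
        record = self.users.get(identity)
        if record is None:
            return None
        password, vlan = record
        expected = hashlib.md5(bytes([ident]) + password + challenge).digest()
        if not hmac.compare_digest(expected, response):
            return None
        # Hypothetical session-key derivation for the demo only.
        key = hmac.new(password, b"session" + challenge, hashlib.sha256).digest()
        return key, vlan


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def eap_response(self, ident, challenge):
        return hashlib.md5(bytes([ident]) + self.password + challenge).digest()


class AccessPoint:
    """Authenticator. The controlled port stays closed (data dropped) until
    the server accepts; only the EAPOL exchange passes before that."""

    def __init__(self, server):
        self.server = server
        self.sessions = {}    # identity -> (session key, VLAN)

    def data_frame(self, identity):
        if identity not in self.sessions:
            return ("blocked", None)
        return ("forwarded", self.sessions[identity][1])

    def authenticate(self, supplicant):
        ident, challenge = self.server.access_challenge(supplicant.identity)
        response = supplicant.eap_response(ident, challenge)  # EAPOL in, RADIUS out
        result = self.server.access_request(supplicant.identity, response)
        if result is None:
            return False
        self.sessions[supplicant.identity] = result   # port opens, key installed
        return True


def demo():
    users = {b"alice": (b"correct horse battery", "VLAN A")}   # constructed
    ap = AccessPoint(AuthenticationServer(users))
    before = ap.data_frame(b"alice")
    impostor = ap.authenticate(Supplicant(b"alice", b"guess"))
    alice_ok = ap.authenticate(Supplicant(b"alice", b"correct horse battery"))
    after = ap.data_frame(b"alice")
    return {"before": before, "impostor": impostor, "alice": alice_ok, "after": after}


if __name__ == "__main__":
    print(demo())
```

EAP-MD5 is used here only because it is the simplest method that matches step 3 on the slide. On its own it authenticates only the user, not the network, derives no keying material, and an observer who captures the challenge and response can run an offline dictionary attack on the password; that is why the portfolio slide lists PEAP and TLS, which wrap the exchange in a TLS tunnel.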

• Thank you very much

D-Link Security Solution

Basic Definitions

• Confidentiality
– Are you the only one viewing information specific to you or to authorized users?
• Integrity
– Is the data you are looking at correct, or has it been tampered with?
• Availability
– Are the required services there when you need them?
• Authentication
– Are you who you say you are? Are you communicating with whom you think you are?

Vocabulary in Security

• AS – Authentication Server
• EAP – Extensible Authentication Protocol
• EAPOL – EAP Over LAN
• IV – Initialization Vector
• MIC – Message Integrity Code
• PEAP – Protected EAP
• PKI – Public Key Infrastructure
• RADIUS – Remote Authentication Dial-In User Service
• TKIP – Temporal Key Integrity Protocol
• WEP – Wired Equivalent Privacy
• WLAN – Wireless Local Area Network
• AES – Advanced Encryption Standard

Hacker Prevention and Network Protection

• Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor
• Identifies and takes action against suspicious network activity
• Uses intrusion signatures, stored in the attack database, to identify the most common attacks
• To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log

Hacker Prevention and Network Protection

• NIDS protects the DFL-xxxx and the network connected to it by:
– Dropping the connection
– Blocking packets from the source of the attack
– Blocking network ports, protocols or services used by an attack

Hacker Prevention and Network Protection

• Using Virtual Private Networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travelers to an office network
• VPN features include:
– standard IPSec VPN (e.g. IPSec, DES, 3DES, etc.)
– PPTP
– L2TP
– IPSec and PPTP VPN pass-through

Secure Installation, Configuration and Management

• Logging and Reporting

– Report traffic that connects to the firewall interfaces

– Report network services used

– Report traffic permitted by firewall policies

– Report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks and web page blocking

• Logs can be sent to a remote syslog server or to a WebTrends server using WebTrends enhanced log format

DFL-200

• 3,000 concurrent sessions

• Firewall performance: 60Mbps

• 3DES performance: 20Mbps

• 70 dedicated VPN tunnels

• 500 policies, 256 schedules

• 10/100BASE-TX port to connect to DSL/cable modem

• 10/100BASE-TX dedicated DMZ port

• 4 10/100BASE-TX LAN switch ports

DFL-700

• Support 100 users

• 10,000 concurrent sessions

• Firewall performance: 100Mbps

• 3DES performance: 30Mbps

• 200 dedicated VPN tunnels

• 1,000 policies, 256 schedules

• 10/100BASE-TX port connect to DSL/cable modem or external LAN

• 10/100BASE-TX port connect to Internal LAN (Trusted)

• 10/100BASE-TX dedicated DMZ port

DFL-1100

• 200,000 concurrent sessions
• Firewall performance: 250Mbps
• 3DES performance: 60Mbps
• 1,000 dedicated VPN tunnels
• 10/100BASE-TX port to connect to DSL/cable modem or external LAN
• 10/100BASE-TX dedicated DMZ port
• 10/100BASE-TX LAN port to connect to internal LAN (Trusted)
• 10/100BASE-TX backup port to connect to backup firewall
• 2,000 policies, 256 schedules

Securing Your Network with DFL-1100

(Diagram: an HQ Network of 500 users behind an active DFL-1100 firewall and a backup DFL-1100 firewall joined by a backup link, with switches behind them and ADSL to the Internet; VPN access from a Branch Office, Mobile Users and Teleworkers.)

Insurance Business Sector

DFL-500 & DFL-1000 Network Protection Gateway (NPG)

• A dedicated, easily managed security device that delivers the following services:
– application-level services such as virus protection and content filtering
– network-level services such as firewall, intrusion detection, VPN and traffic shaping

DFL-500 & DFL-1000 Accelerated Behaviour and Content Analysis System (ABACAS(TM))

• Unique ASIC-based architecture
• Analyses content and behaviour in real time
• Enables key applications to be deployed right at the network edge, where they are most effective at protecting the network

DFL-500 vs DFL-1000

                    DFL-500         DFL-1000
Product Category    SoHo            SMB
CPU                 133MHz          300MHz
RAM                 64MB            256MB
Flash               32MB            64MB
Ports               1 LAN, 1 WAN    1 LAN, 1 WAN, 1 DMZ

DFL-500 vs DFL-1000 (System Performance)

                          DFL-1000    DFL-500
Concurrent sessions       25,000      2,000
New session rate          10,000      800
Firewall performance      180Mbps     30Mbps
Triple-DES (168 bit)      120Mbps     15Mbps
Policies                  1,000       100
Schedules                 256         30

DFL-500 vs DFL-1000 (Firewall Mode of Operation)

                              DFL-1000    DFL-500
Network Address Translation   Yes         Yes
Port Address Translation      Yes         Yes
Transparent mode              Yes         Yes
Route mode                    Yes         Yes
Virtual IP                    Yes         Yes

DFL-500 vs DFL-1000 (VPN)

                                           DFL-1000    DFL-500
Dedicated tunnels                          100         20
Manual key, IKE, PKI                       Yes         Yes
DES (56-bit) & 3DES (168-bit) encryption   Yes         Yes
Perfect forward secrecy (DH Groups)        Yes         Yes
Remote access VPN                          Yes         Yes

DFL-500 vs DFL-1000 (Firewall Attacks)

                              DFL-1000    DFL-500
DDoS and DoS attacks detected 14          14
MAC address bound to IP       Yes         Yes

DFL-500 vs DFL-1000 (Logging / Monitoring)

                                   DFL-1000       DFL-500
Internal log space                 Yes            No
E-mail notification                3 addresses    3 addresses
Syslog                             Yes            Yes
SNMP                               Yes            Yes
Device failure detection           Yes            Yes
Network notification on failover   Yes            Yes

DFL-500 vs DFL-1000 (IPSec)

                    DFL-1000    DFL-500
Site-to-site VPN    Yes         Yes
Authentication      Yes         Yes
SHA-1 / MD5         Yes         Yes

DFL-500 vs DFL-1000 (Firewall & VPN User Authentication)

                                   DFL-1000    DFL-500
Built-in database (user limit)     Yes         Yes
RADIUS (external) database         Yes         No
RSA SecurID (external) database    Yes         No
LDAP (external) database           Yes         No

DFL-500 vs DFL-1000 (System Management)

                                                 DFL-1000    DFL-500
WebUI (HTTP and HTTPS)                           Yes         Yes
Multi-language user interface                    Yes         Yes
Command line interface (telnet)                  Yes         Yes
Wizard / Quick Installation                      Yes         Yes
Secure command shell (SSH v1 compatible)         Yes         Yes
All management via VPN tunnel on any interface   Yes         Yes

DFL-500 vs DFL-1000 (Traffic Management)

                                 DFL-1000    DFL-500
Guaranteed bandwidth             Yes         Yes
Maximum bandwidth                Yes         Yes
Priority bandwidth utilization   Yes         Yes

DFL-500 vs DFL-1000 (Administration)

                                             DFL-1000       DFL-500
Multiple administrators                      Yes            Yes
Root Admin, Admin & Read Only user levels    Yes            Yes
Software upgrades & configuration changes    TFTP / WebUI   TFTP / WebUI
Trusted host                                 Yes            Yes

DFL-500 vs DFL-1000 (Network Service)

                          DFL-1000    DFL-500
PPPoE                     Yes         Yes
PPTP                      Yes         Yes
DHCP client               Yes         Yes
DHCP server               Yes         Yes
VPN client pass-through   Yes         Yes
