COPYRIGHT
This presentation is provided to specific parties on request. All slides must be shown in its entirety, including the D-Link's logo and brand name, without any modification or deletion, unless with the written consent of D-Link. Individual slides may be removed in its entirety. Background colour may be changed. Printed copies can be distributed freely for the specific purpose when this presentation slide is used. Failure to observe this violates the copyright agreement. D-Link reserves the right to withdraw from the party the right to use the presentation slide and/or any other actions deemed necessary by D-Link to prevent the slides or part of it being used.
BASIC CONCEPTS IN NETWORK ADMINISTRATION
SECURITY MANAGEMENT
MSEE Ing. Héctor J. Simosa, 22 October 2004
Network Security
Security in networks is an essential mechanism. The Internet is a network of interconnected networks without borders.
Because of this, organisations' networks are vulnerable owing to their accessibility from any computer in the world.
Solutions
• D-LINK offers fairly complete security solutions beyond firewalls to protect your network, among them:
– Intrusion Detection Systems
– Virtual Private Networks
– Identification services
– Security management tools
Security: why is it important?
Computer Hackers
• They can be divided into three categories:
– Those who break the security of computer networks
– Those who break the security of application software
– Those who create malicious programs to exploit weaknesses in operating systems
• Fact: there is no 100% secure solution!
Evolution of Security
(Timeline slide, 1980 to 2000, charting attack techniques against the technical knowledge required, from high to low: password guessing, password cracking, self-replicating code, exploiting known vulnerabilities, disabling audit, DDoS, sniffers, hijacking sessions, stealth diagnostics, sweepers, backdoors, packet forging/spoofing, sophisticated hacker tools, Internet worm.)
Attacks on Information Networks
• Protection is a challenge!
– The ability to attack networks has become more sophisticated
– Relying on a firewall is not enough
– Just as you physically protect your premises, you must do the same with your network.
• What questions should we ask ourselves?
What questions should we ask?
• Do you have an Intranet/Extranet/Internet?
• Are you planning to implement some kind of network?
• Do you have critical or strategic information available on your network?
• How would you know if you had been the victim of a security breach?
What is the Internet?
(Diagram: the Internet linking a Remote User, a Remote Office, the Corporate Network and a Remote Partner.)
What is the Intranet?
(Diagram: Corporate Network with Web Server, E-Mail Server and DMZ Network, reached by a Remote Office and a Remote User across the Internet.)
What is the Extranet?
(Diagram: Corporate Network with Web Server, E-Mail Server and DMZ Network, connected across the Internet to Partner Sites and a Remote User.)
What do we need to protect?
• Routers are targets
• Managed switches are targets
• Hosts/clients are targets
• Databases are targets
• Applications are targets
• Information is a target
• Web and e-mail servers are targets
• Management tools are targets
More Questions
Is your security solution complete? Can you support a wide range of business without compromising the organisation?
Is your security solution extensible to users' evolving requirements?
How do security problems arise?
• When you connect your computer to the Internet you are under threat.
• The first threat is that your IP packets can be inspected as they travel across the Internet.
• The second threat is that someone uses your connectivity to attack your OS.
• There is only one way to provide security against these threats.
Security Services
• What do they mean?
• Why are they necessary?
• How are they implemented?
What do security services mean?
• Privacy?
• Authentication?
• Access control?
Communication Properties
Alice and Bob
Communicating securely?
• Secrecy
• Authentication
• Message integrity
Authenticated Access
(Diagram: VLAN A, VLAN B and an authentication VLAN, with an Authentication Server, Target Resource A and Target Resource B.)
1. Log on and establish access privileges
2. Instruct the network to connect the user to the target VLAN(s)
3. The user is connected to the target VLAN(s)
Why are they necessary?
• The perpetrator has solid knowledge of the protocols in use.
• They can interpret the message, discovering passwords, sensitive information, etc.
Firewall
How are they implemented?
The challenge of security in a computer network
What is a Firewall?
• A system designed to prevent unauthorised access to or from a private network
• Implemented in hardware, in software, or a combination of both
• Every message entering or leaving the network through the firewall is examined, and those that do not comply with the security policies are blocked.
Firewall Architectures
1. Packet Filters
2. Application Proxies
3. Circuit-level Gateways
4. Network Address Translation (NAT) Firewalls
Packet Filter Firewall
(Diagram: a router with packet filter placed between User and Server, operating at the Network layer of the OSI stack: Physical, Data Link, Network, Transport, Session, Presentation, Application.)
Application Gateways / Proxies
(Diagram: the gateway runs proxy applications for Telnet, HTTP, FTP and SMTP at the Application layer of the OSI stack.)
Stateful Inspection
(Diagram: inspection point between the Data Link and Network layers of the OSI stack, feeding dynamic state tables.)
Packets are intercepted between the Data Link and Network layers.
Information on all higher layers is saved in dynamic state tables.
Proxy Server Gateways
(Diagram: Internal Client, Firewall/Proxy Server, External Web Server.)
1. Request
2. Repackage request
3. Response
4. Repackage response
Security Policies
• Network Service Access Policy
Defines the services that will be explicitly permitted or denied from the restricted network, and which must satisfy the properties of secure communication.
• Firewall Design Policy
Describes how the firewall will be configured to apply the rules restricting access or filtering services.
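As an added illustration (not part of the original slides and not D-Link code), the following Python model puts the two firewall architectures above side by side: a stateless packet filter and a stateful inspection filter, both enforcing a default-deny Network Service Access Policy in which only explicitly listed services are permitted. The rule set, the RFC 5737 documentation addresses and the five packets are constructed for the example; a real filter matches on address prefixes and many more header fields.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet header summary. 'direction' is "in" (Internet -> restricted
    network) or "out" (restricted network -> Internet), known from the arrival interface."""
    direction: str
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    """One line of the Network Service Access Policy; a None field means 'any'."""
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None        # exact host address (simplification: no prefixes)
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.direction, p.direction), (self.proto, p.proto),
            (self.dst, p.dst), (self.dport, p.dport)))


class PacketFilter:
    """Stateless packet filter: each packet is judged on its own header, first match wins,
    and anything the policy does not explicitly allow is denied."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"   # default deny: services not explicitly permitted are refused


class StatefulFilter(PacketFilter):
    """Stateful inspection: allowed connections are recorded in a dynamic state table, so
    reply traffic is accepted because of the state, not because of a permissive rule."""
    def __init__(self, rules):
        super().__init__(rules)
        self.state = set()   # dynamic state table, keyed by the 5-tuple of the allowed direction

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_of in self.state:
            return "allow"                  # reply to a connection that was already allowed
        if p.proto == "tcp" and not p.syn:
            return "deny"                   # mid-stream TCP segment with no matching state
        action = super().decide(p)
        if action == "allow":
            self.state.add(flow)            # remember the connection so its replies pass
        return action


# Constructed policy: internal clients may browse the web and resolve names; the Internet may
# reach only the DMZ web server on port 80. Everything else falls through to default deny.
POLICY = [
    Rule("allow", direction="out", proto="tcp", dport=80),
    Rule("allow", direction="out", proto="tcp", dport=443),
    Rule("allow", direction="out", proto="udp", dport=53),
    Rule("allow", direction="in", proto="tcp", dst="203.0.113.10", dport=80),
]

# Constructed traffic: a browsing session and its reply, an unsolicited inbound segment,
# and two inbound attempts against the DMZ host (web allowed, SSH not).
TRAFFIC = {
    "client_to_web":   Packet("out", "tcp", "192.168.1.20", 51000, "198.51.100.5", 80, syn=True),
    "web_reply":       Packet("in",  "tcp", "198.51.100.5", 80, "192.168.1.20", 51000),
    "unsolicited_ack": Packet("in",  "tcp", "198.51.100.9", 4444, "192.168.1.20", 3389),
    "dmz_http":        Packet("in",  "tcp", "198.51.100.7", 40000, "203.0.113.10", 80, syn=True),
    "dmz_ssh":         Packet("in",  "tcp", "198.51.100.7", 40001, "203.0.113.10", 22, syn=True),
}


def run(filter_class) -> dict:
    """Feed TRAFFIC in order through a fresh filter and return each packet's verdict."""
    fw = filter_class(POLICY)
    return {name: fw.decide(pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for cls in (PacketFilter, StatefulFilter):
        print(cls.__name__, run(cls))
```

The difference shows up on the web server's reply: the stateless filter has no rule for inbound traffic to port 51000 and drops it (to let it through it would need a broad rule for high ports), whereas the stateful filter allows it because the outbound connection is in its state table, while still denying the unsolicited inbound segment that has no state.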
Enterprise Security - Internet
(Diagram: Corporate Network behind a firewall, with a DMZ Network, reached across the Internet by a Remote User, a Remote Office and a Partner Site.)
Enterprise Security - Intranet
• Policies for enterprise-wide communication
(Same diagram.)
Enterprise Security - Extranet
• Secure communication between partners
(Same diagram.)
Security Elements in Wireless Networks
Access control
• By network name
• By MAC address
DSSS transmission technology is difficult to intercept.
DSSS allows high data rates by dividing the 2.4-GHz band into 14 channels of 22 MHz.
Security is weak.
Security in WLANs
Threats in WLANs
• Denial of Service
• Interception/Eavesdropping
• Manipulation
• Masquerading
• Repudiation
• Transitive Trust
• Infrastructure
Security premises in 802.11b
• Service Set Identifier (SSID)
• Shared or Open Authentication
• MAC Filtering/Firewall
• Wired Equivalent Privacy (WEP)
– Link level
– Poor security
SSID
• Mechanism used to segment WLANs
• Each AP is programmed with an SSID corresponding to its network
• The client presents the correct SSID to access the AP
• There are security compromises:
– The AP can be configured to broadcast its SSID
– The SSID may be shared among several users of a wireless segment
MAC Filtering
• Each client is identified by the MAC address of its 802.11 NIC
• The AP can be programmed with a set of MAC addresses to accept
• Combine the filtering with the AP's SSID
• We incur the overhead of maintaining the list of MAC addresses.
Cryptography
Encryption uses the RC4 algorithm defined in the IEEE 802.11 WEP standard. Products are available with 40- and 128-bit encryption. 64-bit WEP is the same as 40-bit WEP:
a 40-bit (10 hex character) "secret key" (defined by the user) plus a 24-bit "Initialization Vector" (which is not under the user's control).
802.11 – Enterprise/Home Security
– Data Encryption (WEP, TKIP, AES): prevent third parties from viewing the content of wireless data transmissions
– User Authentication (802.1X): prevent unauthorized users from connecting to the wireless network
– Virtual LAN: use VLAN-capable Access Points to tag "guest traffic" and other "non-secure" traffic so that it can be routed outside the firewall
Across the public infrastructure
– Virtual Private Network: maintain end-to-end privacy through the use of Layer 3 tunneling protocols (independent of 802.11 devices)
WEP Authentication
• The client requests access
• The AP sends the client a challenge text
• The client encrypts the text using the secret key sent by the AP
• If the text is encrypted correctly the AP grants access; otherwise it denies it.
WEP in Action
(Diagram: Supplicant and Access Point, both configured with WEP key 1234567890, with Network resources behind the AP. Message sequence: Authentication Request, Authentication Response, Association Request, Association Response, then Encrypted Data to Access Point.)
WEP Weaknesses
• All clients of an AP on a wireless network share the same encryption key
• There is no protocol for distributing the encryption key.
• This is improved with WPA.
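Added example, not from the slides and not D-Link code: a Python model of the WEP construction described in the Cryptography slide (textbook RC4 keyed with the 24-bit IV prepended to the 40-bit or 104-bit user key, CRC-32 integrity check value), together with the two checks a defender wants when a single key is shared by every client: the birthday-bound count of frames after which some IV is expected to repeat, and a monitor that flags repeated IVs in captured frames. The key, IVs and frames are constructed; the ICV byte order and the key-length check are assumptions made for the example.

```python
import math
import zlib

IV_BYTES = 3   # WEP's 24-bit Initialization Vector, sent in the clear with every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by the pseudo-random generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build a WEP frame body: IV in the clear, then RC4(IV || key) over plaintext || ICV.
    The per-frame RC4 key is 8 bytes for '64-bit' WEP (3-byte IV + 5-byte user key) or
    16 bytes for '128-bit' WEP (3 + 13); the IV contributes nothing secret in either case."""
    if len(iv) != IV_BYTES or len(secret_key) not in (5, 13):
        raise ValueError("WEP needs a 3-byte IV and a 40-bit or 104-bit key")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")   # CRC-32 integrity check value
    return iv + rc4(iv + secret_key, plaintext + icv)


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Undo wep_encrypt; raise if the ICV does not match (bit errors or tampering)."""
    iv, body = frame[:IV_BYTES], frame[IV_BYTES:]
    data = rc4(iv + secret_key, body)
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 8 * IV_BYTES) -> int:
    """Birthday bound: frames sent under one shared key before some IV repeats with the given
    probability. It depends only on the IV size, so '128-bit' WEP does not change it."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(-2 * space * math.log(1 - probability)))


def reused_ivs(frames) -> list:
    """Defender's monitor over captured frame bodies: the IVs seen more than once. A repeated
    IV under the same shared key means the same RC4 keystream was applied twice."""
    seen, repeated = set(), set()
    for frame in frames:
        iv = frame[:IV_BYTES]
        if iv in seen:
            repeated.add(iv)
        seen.add(iv)
    return sorted(repeated)


# Constructed 40-bit key (10 hex characters, as the slides describe) shared by all stations.
KEY_40 = bytes.fromhex("0123456789")


def demo_frames() -> list:
    """Three constructed frames under the shared key; the third reuses the first frame's IV."""
    return [
        wep_encrypt(KEY_40, b"\x00\x00\x01", b"hello from station A"),
        wep_encrypt(KEY_40, b"\x00\x00\x02", b"hello from station B"),
        wep_encrypt(KEY_40, b"\x00\x00\x01", b"another frame, same IV"),
    ]


if __name__ == "__main__":
    frames = demo_frames()
    print(wep_decrypt(KEY_40, frames[0]))
    print("IVs reused:", [iv.hex() for iv in reused_ivs(frames)])
    print("frames until an IV repeats (p = 0.5):", frames_until_iv_repeat())
```

With a 24-bit IV space the bound comes to a few thousand frames for a 50% chance of a repeat, which a busy access point reaches in minutes, and because every client uses the same key (and nothing rotates it), a repeat anywhere on the WLAN reuses keystream. That is the reason the slides list per-session keys (802.1X/TKIP) as the improvement rather than a longer user key.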
WPA in Action
(Diagram: Supplicant, Authenticator (AP), Authentication Server and Network resources.) The client sends an Association Request; the AP sends an authentication request and blocks the request until the user is authenticated; the client proves its credential to the authentication server; once authenticated, the authentication server distributes the TKIP encryption key and the client joins the LAN with encrypted data.
802.11 – Security Portfolio
(Matrix slide: different ways a network needs to be made secure, for the original 802.11b, updated 802.11b, and 802.11a and a/b. Rows: Encryption: WEP, TKIP, AES, "Is my data secure?"; Authentication: nothing, "SSN", 802.1x/LEAP/PEAP/TLS, "How can I keep intruders from entering my network?"; Application: VPN, "Can I maintain the integrity of my link from end to end?"; Operation: VLAN, "How can I avoid breaking my own security mechanisms?")
802.1X Authentication
(Diagram: End-User Station with a password, DRS-200 Wireless AP and RADIUS server; EAPOL (EAP) request between station and AP, RADIUS (EAP) between AP and server.)
1. Using Extensible Authentication Protocol (EAP), an end user contacts a wireless access point and requests to be authenticated.
2. The Access Point passes the request to the RADIUS server.
3. The RADIUS server challenges the end user for a password, and the end user responds with a password to the RADIUS server.
4. The RADIUS server authenticates the end user and the access point opens a port to accept data from the end user.
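The four steps above and the earlier WPA slide, as an added Python model that is not part of the presentation and not D-Link code. It keeps the three roles apart (supplicant, access point as authenticator, authentication server) and shows the two properties the slides care about: the access point forwards no data for a station until the server has said yes, and each authenticated session receives its own key instead of the single shared WEP key. The challenge-response (an HMAC of a server nonce under the password) and the session-key derivation are simplifications chosen for the example, not the wire format of any real EAP method; the user database and MAC addresses are constructed.

```python
import hashlib
import hmac
import secrets


class AuthenticationServer:
    """RADIUS-server role: holds the user database, issues a challenge, verifies the
    response and hands back a key that is valid for this session only."""
    def __init__(self, users: dict):
        self.users = users   # constructed database: username -> password

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh nonce per attempt, so a response cannot be replayed

    def verify(self, user: str, nonce: bytes, response: bytes):
        """Return a per-session key on success, None on failure."""
        password = self.users.get(user)
        if password is None:
            return None
        expected = hmac.new(password.encode(), nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        # Assumed derivation for the example: key bound to this user and this exchange.
        return hmac.new(password.encode(), b"session-key" + nonce, hashlib.sha256).digest()


class AccessPoint:
    """Authenticator role: the controlled port for a station stays closed until the server
    accepts it; before that only the authentication exchange itself is relayed."""
    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.ports = {}    # station MAC -> session key of an authenticated station

    def authenticate(self, station: str, user: str, respond) -> bool:
        """Relay the exchange: the server's challenge goes to the supplicant, whose
        response goes back to the server; the AP never sees the password."""
        nonce = self.server.challenge()
        key = self.server.verify(user, nonce, respond(nonce))
        if key is None:
            self.ports.pop(station, None)   # a failed attempt closes any earlier session
            return False
        self.ports[station] = key
        return True

    def forward(self, station: str, frame: bytes) -> str:
        """Data frames pass only through an open (authenticated) port."""
        return "forwarded" if station in self.ports else "blocked"

    def session_key(self, station: str):
        return self.ports.get(station)


def supplicant(password: str):
    """End-user station: answers the challenge with a keyed hash of its password, so the
    password itself never crosses the air."""
    def respond(nonce: bytes) -> bytes:
        return hmac.new(password.encode(), nonce, hashlib.sha256).digest()
    return respond


def run_scenario() -> dict:
    """Constructed scenario: one station tries a wrong password first, then the right one;
    a second station authenticates and gets a different session key."""
    server = AuthenticationServer({"alice": "correct horse", "bob": "battery staple"})
    ap = AccessPoint(server)
    sta1, sta2 = "00:11:22:33:44:01", "00:11:22:33:44:02"
    result = {}
    result["before_auth"] = ap.forward(sta1, b"data")
    result["wrong_password"] = ap.authenticate(sta1, "alice", supplicant("guess"))
    result["still_blocked"] = ap.forward(sta1, b"data")
    result["alice_ok"] = ap.authenticate(sta1, "alice", supplicant("correct horse"))
    result["after_auth"] = ap.forward(sta1, b"data")
    result["bob_ok"] = ap.authenticate(sta2, "bob", supplicant("battery staple"))
    result["distinct_keys"] = ap.session_key(sta1) != ap.session_key(sta2)
    return result


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```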
• Thank you very much
D-Link Security Solution
Basic Definitions
• Confidentiality – Are you the only one who is viewing information specific to you or authorized users?
• Integrity – Are you communicating with whom you think? Is the data you are looking at correct, or has it been tampered with?
• Availability – Are the required services there when you need them?
• Authentication – Are you who you say you are?
Vocabulary in Security
• AS – Authentication Server
• EAP – Extensible Authentication Protocol
• EAPOL – EAP Over LAN
• IV – Initialization Vector
• MIC – Message Integrity Code
• PEAP – Protected EAP
• PKI – Public Key Infrastructure
• RADIUS – Remote Access Dial-In User Service
• TKIP – Temporal Key Integrity Protocol
• WEP – Wired Equivalent Privacy
• WLAN – Wireless Local Area Network
• AES – Advanced Encryption Standard
Hacker Prevention and Network Protection
• A Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor
• Identifies and takes action against suspicious network activity
• Uses intrusion signatures, stored in the attack database, to identify the most common attacks
• To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log
• NIDS protects the DFL-xxxx and the network connected to it by:
– Dropping the connection
– Blocking packets from the location of the attack
– Blocking network ports, protocols or services being used by an attack
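An added example of the signature-based NIDS behaviour just listed (not from the slides and not the DFL firmware): a small Python sensor with a constructed attack database, an attack log for the administrator, and the three responses the slide names, dropping the matching packet, blocking further packets from the attacking source, and blocking the service port an attack was aimed at. The signatures use textbook byte patterns and the addresses are RFC 5737 documentation ranges; everything is constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Datagram:
    """Constructed packet summary: sender, destination host and port, payload bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    """One attack-database entry: a byte pattern, the port it applies to (None = any),
    and the response to take when it matches."""
    sig_id: str
    name: str
    pattern: bytes
    dport: Optional[int]
    action: str   # "drop", "block-source" or "block-port"


# Constructed attack database with classic textbook patterns (not D-Link's signatures).
ATTACK_DB = [
    Signature("SIG-001", "HTTP directory traversal", b"/../../", 80, "drop"),
    Signature("SIG-002", "HTTP script injection marker", b"<script>", 80, "block-source"),
    Signature("SIG-003", "FTP root login attempt", b"USER root", 21, "block-port"),
]


class NIDS:
    """Real-time sensor: every packet is checked against the attack database; matches are
    logged for the administrator and the configured response is applied and remembered."""
    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.blocked_sources = set()   # locations of earlier attacks
        self.blocked_ports = set()     # services an attack was using
        self.attack_log = []           # what the administrator is notified with

    def inspect(self, d: Datagram) -> str:
        # Responses from earlier detections apply before any new signature check.
        if d.src in self.blocked_sources or d.dport in self.blocked_ports:
            return "blocked"
        for sig in self.signatures:
            if (sig.dport is None or sig.dport == d.dport) and sig.pattern in d.payload:
                self.attack_log.append(
                    f"{sig.sig_id} {sig.name} src={d.src} dst={d.dst}:{d.dport} action={sig.action}")
                if sig.action == "block-source":
                    self.blocked_sources.add(d.src)
                elif sig.action == "block-port":
                    self.blocked_ports.add(d.dport)
                return sig.action
        return "pass"


# Constructed traffic toward a protected web/FTP host, in arrival order.
TRAFFIC = [
    Datagram("198.51.100.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.0"),
    Datagram("198.51.100.5", "203.0.113.10", 80, b"GET /cgi/../../private HTTP/1.0"),
    Datagram("198.51.100.9", "203.0.113.10", 80, b"GET /search?q=<script>x</script> HTTP/1.0"),
    Datagram("198.51.100.9", "203.0.113.10", 80, b"GET /index.html HTTP/1.0"),
    Datagram("198.51.100.7", "203.0.113.10", 21, b"USER root"),
    Datagram("198.51.100.8", "203.0.113.10", 21, b"USER guest"),
    Datagram("198.51.100.5", "203.0.113.10", 80, b"GET /about.html HTTP/1.0"),
]


def run_nids() -> dict:
    """Run TRAFFIC through a fresh sensor; return the verdicts and the attack log."""
    sensor = NIDS(ATTACK_DB)
    verdicts = [sensor.inspect(d) for d in TRAFFIC]
    return {"verdicts": verdicts, "log": sensor.attack_log}


if __name__ == "__main__":
    outcome = run_nids()
    for d, v in zip(TRAFFIC, outcome["verdicts"]):
        print(f"{d.src} -> {d.dst}:{d.dport} {v}")
    print("\n".join(outcome["log"]))
```

Note the side effects: once SIG-002 fires, the same source's later harmless request is blocked without any signature check, and once SIG-003 fires, a different client's FTP login is blocked as well because the whole port is closed. Port-level blocking is the strongest of the three responses and also the one with the most collateral impact, which is why a sensor should log every response it takes.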
Hacker Prevention and Network Protection
• Using Virtual Private Networking (VPN), you can provide a secure connection between widely separated office networks, or securely link telecommuters or travellers to an office network
• VPN features include:
– standard IPSec VPN (e.g. IPSec, DES, 3DES, etc.)
– PPTP
– L2TP
– IPSec and PPTP VPN pass-through
Secure Installation, Configuration and Management
• Logging and Reporting
– Report traffic that connects to the firewall interfaces
– Report network services used
– Report traffic permitted by firewall policies
– Report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks and web page blocking
• Logs can be sent to a remote syslog server or to a WebTrends server using WebTrends enhanced log format
DFL-200
• 3,000 concurrent sessions
• Firewall performance: 60Mbps
• 3DES performance: 20Mbps
• 70 dedicated VPN tunnels
• 500 policies, 256 schedules
• 10/100BASE-TX port to connect to DSL/cable modem
• 10/100BASE-TX dedicated DMZ port
• 4 10/100BASE-TX LAN switch ports
DFL-700
• Support 100 users
• 10,000 concurrent sessions
• Firewall performance: 100Mbps
• 3DES performance: 30Mbps
• 200 dedicated VPN tunnels
• 1,000 policies, 256 schedules
• 10/100BASE-TX port connect to DSL/cable modem or external LAN
• 10/100BASE-TX port connect to Internal LAN (Trusted)
• 10/100BASE-TX dedicated DMZ port
DFL-1100
• 200,000 concurrent sessions
• Firewall performance: 250Mbps
• 3DES performance: 60Mbps
• 1,000 dedicated VPN tunnels
• 10/100BASE-TX port connect to DSL/cable modem or External LAN
• 10/100BASE-TX dedicated DMZ port
• 10/100BASE-TX LAN port connect to Internal LAN (Trusted)
• 10/100BASE-TX backup port connect to backup firewall
• 2,000 policies, 256 schedules
Securing Your Network with DFL-1100
(Diagram: HQ Network of 500 users behind an active DFL-1100 firewall, with a second DFL-1100 as backup firewall on a backup link, connected through switches and ADSL to the Internet; VPN access from a Branch Office, Mobile Users and teleworkers. Insurance business sector.)
DFL-500 & DFL-1000: Network Protection Gateway (NPG)
• A dedicated, easily managed security device that delivers the following services:
– application-level services such as virus protection and content filtering
– network-level services such as firewall, intrusion detection, VPN and traffic shaping
DFL-500 & DFL-1000: Accelerated Behaviour and Content Analysis System (ABACAS™)
• Unique ASIC-based architecture
• Analyse contents and behaviour in real-time
• Enable key applications to be deployed right at the network edge where they are most effective at protecting the network
DFL-500 vs DFL-1000
                      DFL-500          DFL-1000
Product Category      SoHo             SMB
CPU                   133MHz           300MHz
RAM                   64MB             256MB
Flash                 32MB             64MB
Ports                 1 LAN, 1 WAN     1 LAN, 1 WAN, 1 DMZ
DFL-500 vs DFL-1000 (System Performance)
                          DFL-500      DFL-1000
Concurrent sessions       2,000        25,000
New session / speed       800          10,000
Firewall performance      30Mbps       180Mbps
Triple-DES (168 bit)      15Mbps       120Mbps
Policies                  100          1,000
Schedules                 30           256
DFL-500 vs DFL-1000 (Firewall Mode of Operation)
                              DFL-500   DFL-1000
Network Address Translation   Yes       Yes
Port Address Translation      Yes       Yes
Transparent mode              Yes       Yes
Route mode                    Yes       Yes
Virtual IP                    Yes       Yes
DFL-500 vs DFL-1000 (VPN)
                                           DFL-500   DFL-1000
Dedicated tunnels                          20        100
Manual key, IKE, PKI                       Yes       Yes
DES (56-bit) & 3DES (168-bit) encryption   Yes       Yes
Perfect forward secrecy (DH Groups)        Yes       Yes
Remote access VPN                          Yes       Yes
DFL-500 vs DFL-1000 (Firewall Attacks)
                            DFL-500   DFL-1000
DDoS and DoS detected       14        14
MAC address bind with IP    Yes       Yes
DFL-500 vs DFL-1000 (Logging / Monitoring)
                                   DFL-500       DFL-1000
Internal log space                 No            Yes
E-mail notify                      3 addresses   3 addresses
Syslog                             Yes           Yes
SNMP                               Yes           Yes
Device failure detection           Yes           Yes
Network notification on failover   Yes           Yes
DFL-500 vs DFL-1000 (IPSec)
                   DFL-500   DFL-1000
Site-to-site VPN   Yes       Yes
Authentication     Yes       Yes
SHA-1 / MD5        Yes       Yes
DFL-500 vs DFL-1000 (Firewall & VPN User Authentication)
                                    DFL-500   DFL-1000
Built-in database - user limit      Yes       Yes
RADIUS (external) database          No        Yes
RSA SecurID (external) database     No        Yes
LDAP (external) database            No        Yes
DFL-500 vs DFL-1000 (System Management)
                                                 DFL-500   DFL-1000
WebUI (HTTP and HTTPS)                           Yes       Yes
Multi-language user interface                    Yes       Yes
Command line interface (telnet)                  Yes       Yes
Wizard / Quick Installation                      Yes       Yes
Secure command shell (ssh v1 compatible)         Yes       Yes
All management via VPN tunnel on any interface   Yes       Yes
DFL-500 vs DFL-1000 (Traffic Management)
                                 DFL-500   DFL-1000
Guaranteed bandwidth             Yes       Yes
Maximum bandwidth                Yes       Yes
Priority-bandwidth utilization   Yes       Yes
DFL-500 vs DFL-1000 (Administration)
                                            DFL-500        DFL-1000
Multiple administrators                     Yes            Yes
Root Admin, Admin & Read Only user levels   Yes            Yes
Software upgrades & Configuration changes   TFTP / WebUI   TFTP / WebUI
Trust host                                  Yes            Yes
DFL-500 vs DFL-1000 (Network Service)
                          DFL-500   DFL-1000
PPPoE                     Yes       Yes
PPTP                      Yes       Yes
DHCP client               Yes       Yes
DHCP server               Yes       Yes
VPN client pass through   Yes       Yes