Security
Firewall Categorization Methods
Firewalls can be categorized by processing mode, development era, or intended structure
Five processing modes that firewalls can be categorized by are:
Packet filtering
Application gateways
Circuit gateways
MAC layer firewalls
Hybrids
Firewalls Categorized by Development Generation
First generation: static packet filtering firewalls
Second generation: application-level firewalls or proxy servers
Third generation: stateful inspection firewalls
Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination and port addresses to enter
Fifth generation: kernel proxies; a specialized form that works within the kernel of Windows NT
Packet Filters
Either block or allow transmission of packets of information based on criteria such as port, IP address, and protocol
Review the header, strip it off, and replace it with a new header before sending it to a specific location within the network
A fundamental component of firewalls
Viewing Header Contents
The Use of Rules
Stateful Packet Filtering
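The following is an added example, not code from the slides: a toy packet filter that evaluates an ordered rule list first-match-wins (the "Use of Rules" above), and the same filter made stateful so that replies to a permitted outbound connection are accepted without a separate inbound rule. All rules, addresses and packets are constructed for illustration, and the connection table never expires entries, which a real firewall must do.

```python
# Added example (not from the slides): a toy packet filter that applies an
# ordered rule list first-match-wins, then the same filter made stateful.
# All addresses, rules and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter inspects (a simplified 5-tuple)."""
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One firewall rule: every specified field must match."""
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    src: str = "0.0.0.0/0"           # source network (CIDR)
    dst: str = "0.0.0.0/0"           # destination network (CIDR)
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst))


class StatelessFilter:
    """Static packet filtering: walk the rule list, the first match decides."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"  # implicit cleanup rule: anything unmatched is dropped


class StatefulFilter(StatelessFilter):
    """Stateful packet filtering: remembers permitted connections so the
    reply direction is allowed without a separate inbound rule."""

    def __init__(self, rules: Iterable[Rule]):
        super().__init__(rules)
        self.connections = set()  # 5-tuples of permitted outbound flows

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_of in self.connections:
            return "allow"  # belongs to a connection we already permitted
        verdict = super().decide(pkt)
        if verdict == "allow":
            self.connections.add(flow)
        return verdict


# Constructed policy: inside hosts may browse the web; everything else is denied.
POLICY = [
    Rule("allow", proto="tcp", src="192.168.1.0/24", dst_port=80),
    Rule("allow", proto="tcp", src="192.168.1.0/24", dst_port=443),
    Rule("deny"),
]

# Constructed packets: an outbound request, the server's reply to it, and an
# inbound packet nobody inside asked for.
REQUEST = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
REPLY = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000)
UNSOLICITED = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40001)


def compare_filters():
    """Return the verdicts of both filter types on the three sample packets."""
    results = {}
    for name, fw in (("stateless", StatelessFilter(POLICY)),
                     ("stateful", StatefulFilter(POLICY))):
        results[name] = [fw.decide(p) for p in (REQUEST, REPLY, UNSOLICITED)]
    return results


if __name__ == "__main__":
    print(compare_filters())
```

The stateless filter denies the legitimate reply because no rule permits traffic from the outside, which is why static rule sets historically needed a loose "allow established" rule; the stateful filter allows the reply because it remembers the outbound flow, yet still drops the unsolicited packet.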
Dual-Homed Host Proxy Server Configuration
Figure 8-3 Symmetric Encryption Example
Cryptographic Algorithms
Data Encryption Standard (DES): one of the most popular symmetric encryption cryptosystems
64-bit block size; 56-bit key
Adopted by NIST in 1976 as federal standard for encrypting non-classified information
Triple DES (3DES): created to provide security far beyond DES
Advanced Encryption Standard (AES): developed to replace both DES and 3DES
Cryptographic Algorithms
Asymmetric Encryption (public key encryption)
Uses two different but related keys; either key can encrypt or decrypt message
If Key A encrypts message, only Key B can decrypt
Highest value when one key serves as private key and the other serves as public key
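The two-key relationship on this slide, worked through as an added example that is not from the slides: textbook RSA with deliberately tiny constructed primes (p = 61, q = 53, e = 17) so the arithmetic can be followed by hand. Whatever one key of the pair transforms, only the other key restores; real deployments use primes of 1024 bits and up, randomised padding and a vetted library, so this block is arithmetic for illustration only.

```python
# Added example (not from the slides): textbook RSA with deliberately tiny
# constructed primes, to show the two-key relationship described above.
# Real systems use primes of 1024 bits and up, randomised padding and a
# vetted library; this is arithmetic for illustration only.
from math import gcd


def make_toy_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Derive the related pair (e, n) and (d, n) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse: e * d == 1 (mod phi)
    return (e, n), (d, n)


def apply_key(key, value: int) -> int:
    """Encrypt or decrypt: the operation is identical, only the key differs."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)


def demonstrate(message: int = 65):
    """Run both directions of the key pair on a small constructed message."""
    public, private = make_toy_keypair()
    # Confidentiality: anyone may encrypt with the public key; only the
    # holder of the private key can decrypt.
    ciphertext = apply_key(public, message)
    recovered = apply_key(private, ciphertext)
    # Applying the public key a second time does not undo the encryption.
    wrong = apply_key(public, ciphertext)
    # Authentication: transform with the private key, check with the public
    # key. This is the basis of digital signatures.
    sealed = apply_key(private, message)
    checked = apply_key(public, sealed)
    return {"public": public, "private": private, "ciphertext": ciphertext,
            "recovered": recovered, "wrong_key_result": wrong,
            "sealed": sealed, "checked": checked}


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name:>16}: {value}")
```

With these constructed primes the pair is (17, 3233) and (2753, 3233); the message 65 becomes 2790 under the public key and 65 again under the private key, while reapplying the public key yields something else entirely.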
Figure 8-4 Using Public Keys
A Public Key Generated by PGP
Network Address Translation (NAT)
Used by most firewalls to shield a private network from outside interference
Translates between private addresses inside a network and public addresses outside the network
Done transparently (unnoticed by external computers)
Internal IP addresses remain hidden
Performed by NAT proxy servers
Uses an address table to do translations
Ex: a computer inside accesses a computer outside
Change source IP address to its own address
Change source port number to a unique number, used as an index to the original source IP address
Performs reverse operations for response packets
Network Address Translation (NAT)
[Figure: packet flow between a Client, the NAT Firewall and a Server Host on the Internet; steps 1 and 2 are the outbound request, steps 3 and 4 the response]
1. Client to NAT Firewall: From 192.168.34.2, Port 13472
2. NAT Firewall to Server Host: From 172.47.9.6, Port 31789
3. Server Host to NAT Firewall: To 172.47.9.6, Port 31789
4. NAT Firewall to Client: To 192.168.34.2, Port 13472
Translation Table
Internal: IP Addr 192.168.34.2, Port 13472
External: IP Addr 172.47.9.6, Port 31789
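The translation table walked through above, as an added example that is not from the slides. The inside and outside address/port pairs (192.168.34.2:13472 and 172.47.9.6:31789) come from the figure; the server address 198.51.100.80 and the second internal host are constructed. The outbound path rewrites the source address and assigns a unique external port that serves as the index back to the original host; the inbound path reverses the lookup and drops anything with no table entry.

```python
# Added example (not from the slides): a NAT table performing the source
# rewrite and reverse lookup described above. Inside/outside pairs are taken
# from the figure; the server address and the second host are constructed.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    def __init__(self, public_ip: str, first_port: int = 31789):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_index = {}  # (internal ip, internal port) -> external port
        self.inbound_index = {}   # external port -> (internal ip, internal port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private network (steps 1 -> 2)."""
        internal = (pkt.src_ip, pkt.src_port)
        if internal not in self.outbound_index:
            # A fresh, unique external port becomes the index back to the host.
            port = self.next_port
            self.next_port += 1
            self.outbound_index[internal] = port
            self.inbound_index[port] = internal
        return replace(pkt, src_ip=self.public_ip,
                       src_port=self.outbound_index[internal])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a response (steps 3 -> 4).
        Returns None when no mapping exists, i.e. the packet is unsolicited."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound_index.get(pkt.dst_port)
        if entry is None:
            return None  # nothing inside asked for this; drop it
        int_ip, int_port = entry
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def walk_through():
    """Replay the four steps of the figure plus two edge cases."""
    nat = NatFirewall("172.47.9.6")
    request = Packet("192.168.34.2", 13472, "198.51.100.80", 80)        # step 1
    outbound = nat.translate_outbound(request)                          # step 2
    reply = Packet("198.51.100.80", 80, outbound.src_ip, outbound.src_port)  # step 3
    delivered = nat.translate_inbound(reply)                            # step 4
    # A second inside host reusing port 13472 still gets its own index.
    other = nat.translate_outbound(Packet("192.168.34.3", 13472, "198.51.100.80", 80))
    # A packet to a port with no table entry is not forwarded inside.
    stray = nat.translate_inbound(Packet("198.51.100.80", 80, "172.47.9.6", 40000))
    return outbound, delivered, other, stray


if __name__ == "__main__":
    for p in walk_through():
        print(p)
```

Because the external port, not the internal address, is what the outside world sees, two inside hosts can share a source port without ambiguity, and an unsolicited inbound packet has nowhere to go, which is the shielding effect the slide describes.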
Tunneling Protocols Used with VPNs
IPSec
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
IPSec
IPSec provides:
Encryption of the data part of packets
Authentication
Encapsulation between two VPN hosts
Two security methods (AH and ESP)
Capability to work in two modes (transport and tunnel)
PPTP
Developed by Microsoft for granting VPN access to remote users over dial-up connections
Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
Useful if support for older clients is needed
Compatible with Network Address Translation (NAT)
Replaced by L2TP
L2TP
Extension to PPP that enables dial-up users to establish a VPN connection to a remote access server
Uses IPSec to encrypt data
Incompatible with NAT but provides a higher level of encryption and authentication
PPP Over SSL
UNIX-based method for creating VPNs
Combines an existing tunnel system (PPP) with a way of encrypting data in transport (SSL)
SSL
Public key encryption system used to provide secure communications over the Web
Detecting Unauthorized Access
Intrusion Detection Systems (IDSs):
Network-based IDSs
Install IDS sensors on network circuits and monitor packets
Reports intrusions to IDS Management Console
Host-based IDSs
Monitor all activity on the server as well as incoming server traffic
Application-based IDSs
Special form of host-based IDSs
Monitor just one application, such as a Web server
Techniques Used by IDSs
Misuse detection
Compares monitored activities with signatures of known attacks
If an attack is recognized the IDS issues an alert and discards the packet
Challenge: keep database current
Anomaly detection
Operates in stable computing environments
Looks for major deviations from the “normal” parameters of network operation, e.g., a large number of failed logins
When detected, an alert is issued, packets discarded
Problem: false alarms (valid traffic different from normal)
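Both techniques on this slide run over a handful of constructed log lines, as an added example that is not from the slides. The two signatures, the baseline counts and the log excerpt are all made up for illustration; a real IDS carries thousands of signatures and learns its baseline over a long observation window. The last host in the log is a legitimate user who mistyped a password four times and then succeeded, and it is flagged anyway, which is the false-alarm problem the slide names.

```python
# Added example (not from the slides): misuse (signature) detection and
# anomaly (baseline) detection over constructed log lines. Signatures,
# baseline figures and the log excerpt are illustrative only.
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log excerpt, one event per line: "<source ip> <event>".
LOG_LINES = """\
203.0.113.9 GET /index.html 200
203.0.113.9 GET /../../etc/passwd 404
198.51.100.7 LOGIN FAIL user=alice
198.51.100.7 LOGIN FAIL user=alice
198.51.100.7 LOGIN FAIL user=alice
198.51.100.7 LOGIN FAIL user=alice
198.51.100.7 LOGIN FAIL user=alice
198.51.100.7 LOGIN FAIL user=alice
192.0.2.4 LOGIN FAIL user=bob
192.0.2.4 LOGIN OK user=bob
192.0.2.4 GET /search?q=' OR 1=1-- 200
192.0.2.11 LOGIN FAIL user=carol
192.0.2.11 LOGIN FAIL user=carol
192.0.2.11 LOGIN FAIL user=carol
192.0.2.11 LOGIN FAIL user=carol
192.0.2.11 LOGIN OK user=carol
""".splitlines()

# Misuse detection: a database of known-attack signatures (two toy entries).
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql tautology": re.compile(r"'\s*OR\s*1=1", re.IGNORECASE),
}


def misuse_detect(lines):
    """Return (source, signature name) for every line matching a signature."""
    alerts = []
    for line in lines:
        src, _, event = line.partition(" ")
        for name, pattern in SIGNATURES.items():
            if pattern.search(event):
                alerts.append((src, name))
    return alerts


# Anomaly detection: learn what "normal" looks like, then flag large deviations.
# Constructed baseline: failed logins per host per hour observed on quiet days.
BASELINE_FAILED_LOGINS = [0, 1, 1, 0, 2]


def anomaly_threshold(baseline, k: float = 3.0) -> float:
    """Mean plus k standard deviations of the baseline (here about 3.05)."""
    return mean(baseline) + k * pstdev(baseline)


def anomaly_detect(lines, threshold: float):
    """Return sources whose failed-login count exceeds the learned threshold."""
    fails = Counter(line.split(" ", 1)[0]
                    for line in lines if "LOGIN FAIL" in line)
    return sorted(src for src, n in fails.items() if n > threshold)


def run_ids(lines=LOG_LINES):
    threshold = anomaly_threshold(BASELINE_FAILED_LOGINS)
    return {"misuse": misuse_detect(lines),
            "anomaly": anomaly_detect(lines, threshold)}


if __name__ == "__main__":
    for technique, alerts in run_ids().items():
        print(technique, alerts)
```

The misuse detector only fires on lines its signature database already describes, so the brute-force attempts from 198.51.100.7 pass it silently; the anomaly detector catches that host by count alone but also flags 192.0.2.11, the user with four typos, and tuning k trades those false alarms against missed low-and-slow attempts.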
Use of IDSs with Firewalls