
Defining Network Security


yosef

Presentation Transcript


  1. Defining Network Security Security is prevention of unwanted information transfer • What are the components? • ...Physical Security • …Operational Security • …Human Factors • …Protocols

  2. Areas for Protection • Privacy • Data Integrity • Authentication/Access Control • Denial of Service

  3. Regulations and Standards • Computer Crime Laws • Encryption • Government as “Big Brother”

  4. Security Threat, Value and Cost Tradeoffs • Identify the Threats • Set a Value on Information • Add up the Costs (to secure) • Rule of thumb: a control is worth deploying when Cost < Value * Threat

  5. Threats • Hackers/Crackers (“Joyriders”) • Criminals (Thieves) • Rogue Programs (Viruses, Worms) • Internal Personnel • System Failures

  6. Network Threats • IP Address spoofing attacks • TCP SYN Flood attacks • Random port scanning of internal systems • Snooping of network traffic • SMTP Buffer overrun attacks

  7. Network Threats (cont.) • SMTP backdoor command attacks • Information leakage attacks via finger, echo, ping, and traceroute commands • Attacks via download of Java applets and ActiveX controls • TCP Session Hijacking • TCP Sequence Number Prediction Attacks
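The threats listed in slides 6 and 7 are the ones a monitoring tool (slide 30) has to pick out of traffic. The following is an added example written for this page, not code from the presentation: it runs simple detection logic for three of them (IP address spoofing, TCP SYN floods, port scans) over a constructed packet log. The address ranges, the log format, the interface name "ext" and the thresholds are all assumptions.

```python
# Added example (not part of the original presentation): detection logic for
# three of the network threats above, run over a constructed packet log.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address space

# Constructed packet records: (interface, src_ip, dst_ip, dst_port, tcp_flags).
# Only packets arriving on the external interface ("ext") are included.
PACKETS = [
    # a normal client completing its handshake with the web server
    ("ext", "192.0.2.10", "10.0.0.5", 80, {"SYN"}),
    ("ext", "192.0.2.10", "10.0.0.5", 80, {"ACK"}),
    # SYN flood against the mail server: many SYNs, no handshake ever completes
    *[("ext", f"203.0.113.{i}", "10.0.0.5", 25, {"SYN"}) for i in range(1, 9)],
    # one external source probing many ports on one internal host
    *[("ext", "198.51.100.7", "10.0.0.9", p, {"SYN"})
      for p in (21, 22, 23, 25, 80, 110, 143)],
    # a packet entering from the outside with an internal source address
    ("ext", "10.0.0.77", "10.0.0.5", 22, {"SYN"}),
]


def spoofed_sources(packets, internal=INTERNAL_NET):
    """IP spoofing indicator: a packet arriving on the external interface
    that claims an internal source address cannot be legitimate."""
    return sorted({src for iface, src, _dst, _port, _flags in packets
                   if iface == "ext" and ip_address(src) in internal})


def syn_flood_targets(packets, min_syns=5, max_completion=0.25):
    """Flag (dst_ip, port) pairs that receive many SYNs of which only a small
    fraction is followed by the client's final ACK of the handshake."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for _iface, _src, dst, port, flags in packets:
        if flags == {"SYN"}:
            syns[(dst, port)] += 1
        elif flags == {"ACK"}:
            acks[(dst, port)] += 1
    return {key: n for key, n in syns.items()
            if n >= min_syns and acks[key] / n <= max_completion}


def port_scanners(packets, min_ports=5):
    """Flag sources that touch many distinct ports on a single host."""
    touched = defaultdict(set)
    for _iface, src, dst, port, _flags in packets:
        touched[(src, dst)].add(port)
    return {src_dst: sorted(ports) for src_dst, ports in touched.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    print("spoofed sources :", spoofed_sources(PACKETS))
    print("SYN flood targets:", syn_flood_targets(PACKETS))
    print("port scanners   :", port_scanners(PACKETS))
```

The spoofing check is the ingress-filtering rule a border router applies; the other two are threshold rules and only work once the thresholds are tuned to the site's normal traffic, which is the "few tools are real-time" point slide 30 makes.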

  8. Security Tools (Threat, Value and Cost Tradeoffs) • Operations Security • Host Security • Firewalls • Cryptography: Encryption/Authentication • Monitoring/Audit Trails

  9. Host Security • Security versus Performance & Functionality • Unix, Windows NT, MVS, etc • PCs • “Security Through Obscurity” ☹ (marked on the slide as a bad idea)

  10. Host Security (cont) • Programs • Configuration • Regression Testing

  11. Network Security • Traffic Control • Not a replacement for Host-based mechanisms • Firewalls and Monitoring, Encryption • Choke Points & Performance

  12. Access Control • Host-based: • Passwords, etc. • Directory Rights • Access Control Lists • Superusers ☹ (marked on the slide as a risk) • Network-based: • Address Based • Filters • Encryption • Path Selection

  13. Network Security and Privacy • Protecting data from being read by unauthorized persons. • Preventing unauthorized persons from inserting and deleting messages. • Verifying the sender of each message. • Allowing electronic signatures on documents.

  14. FIREWALLS • Prevent against attacks • Access Control • Authentication • Logging • Notifications

  15. Types of Firewalls • Packet Filters (network layer) • Stateful Packet Filters (network layer) • Circuit-Level Gateways (session layer) • Application Gateways (application layer) [Diagram: the OSI seven-layer stack, Application, Presentation, Session, Transport, Network, Data Link, Physical, shown beside the firewall types]
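The difference between the first two firewall types on slide 15 is easiest to see in code. Below is an added example written for this page (not the presentation's code): a stateless packet filter next to a stateful one, both default-deny, fed the same short packet sequence. The "established" rule in the stateless filter, the permitted inbound service (SMTP on port 25), the addresses and the packet format are assumptions made for the illustration.

```python
# Added example (not from the presentation): a stateless packet filter beside
# a stateful packet filter, both applying a default-deny policy.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" (from the outside) or "out" (from the campus)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags, e.g. frozenset({"SYN", "ACK"})


class StatelessFilter:
    """Decides from the header fields of each packet alone. To let replies to
    outbound connections back in, it must accept any inbound packet that
    carries the ACK bit, which an attacker can set on a probe."""

    def allow(self, p):
        if p.direction == "out":
            return True                               # campus may initiate anything
        if p.dport == 25 and "SYN" in p.flags and "ACK" not in p.flags:
            return True                               # inbound mail is permitted
        return "ACK" in p.flags                       # assumed "established" traffic


class StatefulFilter:
    """Remembers connections opened from the inside (and the permitted inbound
    service) and admits only inbound packets that belong to one of them."""

    def __init__(self):
        self.table = set()   # (campus_ip, campus_port, remote_ip, remote_port)

    def allow(self, p):
        if p.direction == "out":
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        if p.dport == 25 and p.flags == frozenset({"SYN"}):
            self.table.add((p.dst, p.dport, p.src, p.sport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.table


# Constructed packet sequence (addresses are documentation ranges).
SCENARIO = [
    Packet("out", "10.0.0.5", 40001, "192.0.2.80", 80, frozenset({"SYN"})),        # campus host opens a web connection
    Packet("in", "192.0.2.80", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"})),  # the legitimate reply
    Packet("in", "203.0.113.9", 4444, "10.0.0.5", 22, frozenset({"SYN"})),         # unsolicited SSH connection attempt
    Packet("in", "203.0.113.9", 4444, "10.0.0.5", 22, frozenset({"ACK"})),         # probe with only ACK set, dressed as reply traffic
    Packet("in", "198.51.100.3", 5555, "10.0.0.25", 25, frozenset({"SYN"})),       # inbound mail delivery
]


def run(fw, packets):
    """Return the filter's verdict for each packet in order."""
    return [fw.allow(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), SCENARIO))   # the ACK probe gets through
    print("stateful :", run(StatefulFilter(), SCENARIO))    # it does not
```

The fourth packet is the one that matters: the stateless filter has no way to tell a reply from a probe that merely sets ACK, while the stateful filter drops it because no campus host opened a connection to 203.0.113.9.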

  16. Packet Level • Sometimes part of router • TAMU “Drawbridge” [Diagram: rest of the world (ROTW), Drawbridge, router, campus]

  17. Circuit Level • Dedicated Host • Socket Interfaces [Diagram: local network, firewall, rest of the world]

  18. Application Level • Needs a dedicated host • Special software needed most everywhere [Diagram: telnet relayed through the firewall to the rest of the world]

  19. Firewall Installation Issues [Diagram: the Internet, a router, and the FTP, DNS, Web and Mail servers that have to be placed relative to the firewall]

  20. Firewall Installation Issues • DNS Problems • Web Server • FTP Server • Mail Server • Mobile Users • Performance

  21. Address Transparency • Need to make some addresses visible to external hosts. • Firewall lets external hosts connect as if firewall was not there. • Firewall still performs authentication

  22. Network Address Translation [Diagram: internal network 10.0.0.0 behind a gateway firewall whose outside is on 128.194.103.0, connected to the Internet]

  23. Network Address Translation (cont.) [Diagram: Host A (internal host) runs ftp over TCP/IP/data link/hardware; the gateway host runs a gw control process and an ftp proxy on two TCP/IP stacks, one facing each side; Host B (external host) runs ftpd. Datagram A from the internal host is rewritten by the gateway into datagram B before it reaches the external host.]
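Slides 22 and 23 show the address translation as a picture; the following added example, written for this page and not taken from the presentation or any product, does the same bookkeeping in code. Internal hosts on 10.0.0.0/8 leave through one outside address on the 128.194.103.0 network, and anything arriving from outside that does not match an existing mapping is dropped, which is how the internal addresses stay invisible. The gateway address, the port range and the sample packets are assumptions.

```python
# Added example (not from the presentation): source NAT for the networks in
# slide 22's diagram, with the reverse translation for replies.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")
EXTERNAL_IP = "128.194.103.1"   # assumed address of the gateway's outside interface


class NatGateway:
    def __init__(self, external_ip=EXTERNAL_IP, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}   # (int_ip, int_port, remote_ip, remote_port) -> ext_port
        self.in_map = {}    # ext_port -> (int_ip, int_port, remote_ip, remote_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite an internal host's packet so it leaves with the gateway's
        address and a gateway-chosen port; reuse the mapping for a flow."""
        if ip_address(src) not in INTERNAL:
            raise ValueError("outbound packet does not come from the internal network")
        key = (src, sport, dst, dport)
        if key not in self.out_map:
            ext_port = self.next_port
            self.next_port += 1
            self.out_map[key] = ext_port
            self.in_map[ext_port] = key
        return (self.external_ip, self.out_map[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Translate a reply back to the internal host. Anything without a
        matching mapping (unsolicited, or from the wrong remote) is dropped."""
        if dst != self.external_ip:
            return None
        entry = self.in_map.get(dport)
        if entry is None or entry[2:] != (src, sport):
            return None
        int_ip, int_port, _remote_ip, _remote_port = entry
        return (src, sport, int_ip, int_port)


if __name__ == "__main__":
    gw = NatGateway()
    # Constructed flow: internal host A talks to external web server B.
    print(gw.outbound("10.0.0.7", 51000, "192.0.2.80", 80))
    print(gw.inbound("192.0.2.80", 80, EXTERNAL_IP, 40000))
    print(gw.inbound("203.0.113.9", 80, EXTERNAL_IP, 40000))   # None: not the peer of that flow
```

The slide's ftp proxy sits one layer above this: a proxy terminates the TCP connection on each side rather than rewriting addresses, which is why the diagram shows two TCP/IP stacks on the gateway.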

  24. IP Packet Handling • Disables IP Packet Forwarding • Cannot function as an insecure router • eg. ping packets will not be passed • Fail Safe rather than Fail Open • Only access is through proxies

  25. DNS Proxy Security [Diagram: an external DNS server on the Internet; the Eagle gateway (eagle.xyz.com) runs DNSd as a DNS proxy in front of the internal hosts finance.xyz.com, sales.xyz.com and marketing.xyz.com]

  26. Virtual Private Tunnels [Diagram: a "Hello" packet is authenticated, encrypted into "!@@%*" and encapsulated before crossing the Internet; the far end decapsulates, authenticates and decrypts it back to "Hello"] • Creates a “Virtual Private Network”

  27. VPN Secure Tunnels • Two types of Tunnels supported • SwIPe and IPsec tunnels • Encryption • DES, triple DES and RC2 (DES and RC2 are obsolete today and triple DES has been deprecated, so this list reflects the era of the deck) • Secret key used for authentication and encryption • Trusted hosts are allowed to use the tunnel on both ends
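Slides 26 and 27 describe the tunnel as authenticate, encrypt, encapsulate on the way in and the reverse on the way out, all keyed from one shared secret. The following added example, written for this page and not the presentation's or any vendor's code, reduces that pipeline to a few functions so the order of operations and the failure cases are visible. The cipher is a stand-in: a keystream generated by HMAC-SHA256 in counter mode replaces the DES, triple DES and RC2 ciphers the slide lists, separate encryption and authentication keys are derived from the shared secret, and the packet layout (8-byte sequence number, ciphertext, 32-byte tag) is an assumption.

```python
# Added example (not from the presentation): a secret-key tunnel envelope,
# encrypt-then-authenticate with a sequence number for replay protection.
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output
SEQ_LEN = 8


def derive_keys(secret):
    """Separate encryption and authentication keys from the one shared secret."""
    return (hmac.new(secret, b"encrypt", hashlib.sha256).digest(),
            hmac.new(secret, b"authenticate", hashlib.sha256).digest())


def keystream(enc_key, seq, length):
    """Stand-in stream cipher: HMAC-SHA256(enc_key, seq || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encapsulate(secret, seq, inner_packet):
    """Tunnel entry: encrypt the inner packet, then authenticate header+ciphertext."""
    enc_key, auth_key = derive_keys(secret)
    ks = keystream(enc_key, seq, len(inner_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, ks))
    header = struct.pack(">Q", seq)
    tag = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decapsulate(secret, outer_packet, last_seq):
    """Tunnel exit: authenticate first, reject replays, only then decrypt.
    Returns (seq, inner_packet) or None if the packet must be dropped."""
    enc_key, auth_key = derive_keys(secret)
    if len(outer_packet) < SEQ_LEN + TAG_LEN:
        return None
    header = outer_packet[:SEQ_LEN]
    ciphertext = outer_packet[SEQ_LEN:-TAG_LEN]
    tag = outer_packet[-TAG_LEN:]
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # forged, tampered, or wrong secret
    (seq,) = struct.unpack(">Q", header)
    if seq <= last_seq:
        return None                      # replayed packet
    ks = keystream(enc_key, seq, len(ciphertext))
    return seq, bytes(a ^ b for a, b in zip(ciphertext, ks))


if __name__ == "__main__":
    secret = b"shared secret configured on both gateways"   # constructed
    outer = encapsulate(secret, 1, b"Hello")
    print(outer.hex())                          # the "!@@%*" of the slide
    print(decapsulate(secret, outer, 0))        # (1, b'Hello')
    print(decapsulate(secret, outer, 1))        # None: replay
    print(decapsulate(b"other secret", outer, 0))  # None: untrusted host
```

Checking the tag before decrypting is what makes the tunnel fail safe: a packet from a host that does not hold the secret, or one altered in transit, is dropped before any of its bytes are interpreted, which matches the slide's "trusted hosts are allowed to use the tunnel on both ends".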

  28. Designing DMZ’s [Diagram: the Internet, a screening router, a DMZ holding the Web, FTP and Mail servers, and the company intranet behind it]

  29. Firewall Design Project [Diagram: San Jose site with file server, mail server, wide area router, Internet router and a Raptor Eagle firewall facing the Internet; Dallas site with a Raptor Remote; a Hawk console manages both]

  30. Monitoring • Many tools exist for capturing network traffic. • Other tools can analyze captured traffic for “bad” things. • Few tools are real-time.

  31. Summary • Security must be comprehensive to be effective. • Remember threat, value, cost when implementing a system. • Security is achievable, but never 100%. • Make your system fault tolerant.
