Chapter 26: Network Security
Dr. Wayne Summers
Department of Computer Science
Columbus State University
Summers_wayne@colstate.edu
http://csc.colstate.edu/summers
Policy Development
• Data Classes
  • Public data
  • Development data for existing products
  • Development data for future products
  • Corporate data
  • Customer data
• User Classes
  • Outsiders (public)
  • Developers
  • Corporation executives
  • Employees
• Availability
• Consistency Check
Network Organization
• DeMilitarized Zone (DMZ) – portion of the network that separates the internal network from the external network
• Firewall: Internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). [RFC 2828]
• Filtering firewall – performs access control on the basis of the attributes of the packet header
• Proxy: intermediate agent or server that acts on behalf of endpoints without allowing a direct connection between the two endpoints
• Proxy (application-level) firewall: uses proxies to perform access control; decisions can be based on content as well as header information
Network Organization
• Analysis of the Network Infrastructure
  • The DMZ servers are typically not allowed to make connections to the intranet.
  • Internet systems are not allowed to directly contact any system in the intranet.
  • Intranet systems are not allowed to directly contact any system on the Internet (least privilege principle).
  • Systems in the DMZ serve as mediators (go-betweens). A password, certificate or other credential is presented before the mediating service is granted.
  • No dual interface from DMZ servers directly to intranet systems, except through the inner firewall.
  • Intranet systems typically use private LAN addresses: 10.x.y.z; 172.a.x.z (16<=a<=32); 192.168.x.y.
  • Complete Mediation Principle: the inner firewall mediates every access involving the DMZ and the intranet.
  • Separation of privilege: different DMZ servers run different network functions, and the firewall machines are separate entities from the DMZ servers.
  • The outer firewall allows HTTP/HTTPS and SMTP access to the DMZ servers; malware carried in that permitted traffic still needs to be detected.
Availability and Network Flooding
• DoS – Denial of Service attack
  • Ex. SYN flood
• DDoS – Distributed DoS
• Intermediate hosts – use routers to divert/eliminate illegitimate traffic before it gets to the firewall
• TCP State and Memory Allocation
  • SYN cookie: push the tracking of the state to the client
  • Timeout pending connections
• Anticipating Attacks
  • IDSs
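As an added illustration of the SYN-cookie and timeout items on the slide above (example code written for this page, not the lecture's own material or any kernel's implementation): the server derives its initial sequence number from the connection 4-tuple and a coarse time counter, keeps no per-connection state between SYN and ACK, and on the final ACK checks that the echoed cookie is genuine and not stale. The secret key, the MSS table and the sample addresses are constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed secret for the example; a real server uses a random, rotated key.
SECRET = b"example-secret-key-not-for-production"

# Bernstein-style layout of the 32-bit initial sequence number (ISN):
#   bits 31..27: 5-bit time counter t (one tick per ~64 s in the original design)
#   bits 26..24: 3-bit index into the MSS table
#   bits 23..0 : 24-bit keyed hash of the 4-tuple and t
MSS_TABLE = (536, 1220, 1440, 1460)  # assumed table; real stacks use their own


def _mac24(saddr, daddr, sport, dport, t):
    """Keyed 24-bit tag over (src IP, dst IP, src port, dst port, 5-bit t)."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, t & 0x1F)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, mss, t):
    """On SYN: compute the SYN-ACK sequence number; nothing is stored server-side."""
    # largest table entry not exceeding the MSS the client advertised
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(saddr, daddr, sport, dport, t)


def check_syn_cookie(cookie, saddr, daddr, sport, dport, now, max_age=1):
    """On the final ACK: cookie = ack_number - 1. Returns the negotiated MSS,
    or None if the cookie is stale (pending connection 'timed out') or forged."""
    t = cookie >> 27
    if (now - t) & 0x1F > max_age:       # counter has moved on too far: stale
        return None
    if cookie & 0xFFFFFF != _mac24(saddr, daddr, sport, dport, t):
        return None                       # tag mismatch: forged or from another tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


def demo():
    # Constructed sample: client 198.51.100.7:40001 -> server 203.0.113.10:443
    saddr, daddr = bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10])
    sport, dport, t = 40001, 443, 17
    isn = make_syn_cookie(saddr, daddr, sport, dport, mss=1460, t=t)   # SYN-ACK seq
    ack = (isn + 1) & 0xFFFFFFFF                                        # client's ACK
    echoed = (ack - 1) & 0xFFFFFFFF
    fresh = check_syn_cookie(echoed, saddr, daddr, sport, dport, now=t + 1)
    stale = check_syn_cookie(echoed, saddr, daddr, sport, dport, now=t + 5)
    forged = check_syn_cookie(echoed ^ 0x1, saddr, daddr, sport, dport, now=t)
    return fresh, stale, forged


if __name__ == "__main__":
    print(demo())
```

Because the cookie is recomputable from the packet alone, a flood of SYNs costs the server no memory; only a client that completes the handshake with a valid, recent cookie gets a connection entry.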