
Presentation: Computer Security: Principles and Practice. Firewalls and Intrusion Prevention Systems. Chapter 9

Presentation slides

Slide 1 Computer Security: Principles and Practice
EECS710: Information Security
Professor Hossein Saiedian
Fall 2014
Chapter 9: Firewalls and Intrusion Prevention Systems

Slide 2 Firewalls and Intrusion Prevention Systems
Effective means of protecting LANs
Internet connectivity is essential
For organizations and individuals
But creates a threat (enabling the outside world to reach and interact with local network assets)
Could secure all workstations and servers (but this is not a practical approach)
Also use a firewall as perimeter defence
Single choke point to impose security

Slide 3 Firewall Access Policy
A critical component in the planning and implementation of a firewall is specifying a suitable access policy
Types of traffic authorized to pass through the firewall
Includes address ranges, protocols, applications and content types
The policy should be developed from the organization's security risk assessment and policy
Should be developed from a broad specification of which traffic types the organization needs to support
Then refined to detail the filter elements, which can then be implemented within an appropriate firewall topology

Slide 4 Firewall Capabilities & Limits
Capabilities
Defines a single choke point
Provides a location for monitoring security events
Convenient platform for some Internet functions such as NAT, usage monitoring, IPsec, VPNs
Limitations
Cannot protect against attacks bypassing the firewall (from dial-out, or a modem pool dial-in capability for traveling employees and telecommuters)
May not protect fully against internal threats
Improperly secured wireless LAN
Laptop, PDA, portable storage device infected outside then used inside

Slide 5 Firewall Filter Characteristics (figure or table only; no slide text extracted)

Slide 6 Types of Firewalls
Positive (negative) filter: allow (reject) packets that meet a criterion
Stateful inspection: keeps track of TCP connections

Slide 7 Packet Filtering Firewall
Applies rules to packets in/out of the firewall based on information in the packet header
src/dest IP addr & port, IP protocol, interface
Typically a list of rules of matches on fields
If a rule matches, it says whether to forward or discard the packet
Two default policies:
Discard: prohibit unless expressly permitted
more conservative, controlled, visible to users
Forward: permit unless expressly prohibited
easier to manage/use but less secure

Slide 8 Packet Filter Rules
Default rule (usually the last rule)
Inside hosts can send email
A way of handling FTP

Slide 9 Packet Filter Rules (figure or table only; no slide text extracted)

Slide 10 Packet Filter Weaknesses
Weaknesses
Cannot prevent attacks on application bugs
Limited logging functionality
Do not support advanced user authentication
Vulnerable to attacks on TCP/IP protocol bugs (e.g., IP address spoofing)
Improper configuration can lead to breaches
Attacks
IP address spoofing
Source route attacks (the source dictates the packet route)
Tiny fragment attacks (to circumvent filtering rules that depend on TCP header info)
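
The rule-table idea of slides 7 and 8 (first-match rules, default rule last, "inside hosts can send email", "a way of handling FTP") and the tiny-fragment countermeasure implied by slide 10, as an added example that is not part of the slides. The inside prefix 192.0.2., the mail gateway 192.0.2.25, the rule set and the packets are constructed; `Packet`, `Rule` and `filter_packet` are names chosen here, not from the book.

```python
# Added example (not from the slides): a first-match packet filter with the
# default rule last, in the style of the Chapter 9 rule tables. Hosts, ports
# and the rule set are constructed for illustration; 192.0.2.0/24 is the
# "inside" network.
from dataclasses import dataclass
from typing import Optional

ANY = "*"

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (arriving from the Internet) or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False       # TCP ACK flag set, i.e. not an initial SYN
    frag_offset: int = 0    # IP fragment offset in 8-byte units (0 = first/only)

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    direction: str = ANY
    proto: str = ANY
    src: str = ANY          # exact host, a prefix ending in "." or ANY
    sport: object = ANY     # exact port, "high" (> 1023) or ANY
    dst: str = ANY
    dport: object = ANY
    ack: Optional[bool] = None   # None: flag not examined
    comment: str = ""

def _port_match(spec, port):
    if spec == ANY:
        return True
    if spec == "high":
        return port > 1023
    return spec == port

def _host_match(spec, host):
    return spec == ANY or host == spec or (spec.endswith(".") and host.startswith(spec))

def matches(rule, pkt):
    return (rule.direction in (ANY, pkt.direction)
            and rule.proto in (ANY, pkt.proto)
            and _host_match(rule.src, pkt.src)
            and _host_match(rule.dst, pkt.dst)
            and _port_match(rule.sport, pkt.sport)
            and _port_match(rule.dport, pkt.dport)
            and (rule.ack is None or rule.ack == pkt.ack))

def filter_packet(rules, pkt):
    """Return (action, reason) for the first rule that matches the packet."""
    # Tiny-fragment countermeasure: a non-first fragment carries no TCP header,
    # so port/flag rules cannot be evaluated on it, and a fragment at offset 1
    # would overwrite the flags of the first fragment on reassembly.  Discard
    # such fragments before the rule list is consulted.
    if pkt.proto == "tcp" and pkt.frag_offset == 1:
        return "deny", "tiny fragment"
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "implicit default"   # only reached if no catch-all rule exists

INSIDE = "192.0.2."          # constructed inside network prefix
MAIL = "192.0.2.25"          # constructed mail gateway on the inside

RULES = [
    # inside hosts can send email: outbound connections to port 25 ...
    Rule("permit", "out", "tcp", INSIDE, "high", ANY, 25, comment="outbound SMTP"),
    # ... and the replies, which must carry ACK (not a fresh connection attempt)
    Rule("permit", "in", "tcp", ANY, 25, INSIDE, "high", ack=True, comment="SMTP replies"),
    # outside hosts may deliver mail to the gateway only
    Rule("permit", "in", "tcp", ANY, "high", MAIL, 25, comment="inbound SMTP to gateway"),
    Rule("permit", "out", "tcp", MAIL, 25, ANY, "high", ack=True, comment="gateway replies"),
    # one way of handling (active-mode) FTP: outbound control channel to port 21,
    # plus the server's data connection arriving from port 20 at a high client port
    Rule("permit", "out", "tcp", INSIDE, "high", ANY, 21, comment="FTP control"),
    Rule("permit", "in", "tcp", ANY, 21, INSIDE, "high", ack=True, comment="FTP control replies"),
    Rule("permit", "in", "tcp", ANY, 20, INSIDE, "high", comment="FTP data (active mode)"),
    Rule("permit", "out", "tcp", INSIDE, "high", ANY, 20, ack=True, comment="FTP data replies"),
    # default rule, last: discard (prohibit unless expressly permitted)
    Rule("deny", comment="default discard"),
]

if __name__ == "__main__":
    for pkt in [Packet("out", "tcp", "192.0.2.10", 40000, "203.0.113.5", 25),
                Packet("in", "tcp", "203.0.113.7", 20, "192.0.2.10", 6000)]:
        print(pkt, "->", filter_packet(RULES, pkt))
```

The second packet in the `__main__` block illustrates the weakness the slides are leading up to: the "FTP data" rule cannot require ACK, because the server legitimately opens that connection, so any inbound packet with source port 20 reaches any high port on the inside. A stateless filter cannot tell a real FTP data connection from that; the connection directory of a stateful inspection firewall (slide 11) is what closes the gap.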

Slide 11 Stateful Inspection Firewall
Reviews packet header information but also keeps info on TCP connections
Typically have a low, "known" port # for the server and a high, dynamically assigned (ephemeral) client port #
Stateful inspection packet firewall tightens rules for TCP traffic using a directory of TCP connections
only allow incoming traffic to high-numbered ports for packets matching an entry in this directory
may also track TCP seq numbers

Slide 12 Connection State Table (figure or table only; no slide text extracted)
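
The connection directory of slides 11 and 12 in working form, as an added example that is not part of the slides: outbound connections from inside clients are recorded, inbound packets to high-numbered ports are admitted only when they match an entry, and sequence numbers are tracked. The inside prefix, hosts and trace are constructed; `StatefulFirewall`, `Segment` and `Entry` are names chosen here.

```python
# Added example (not from the slides): a stateful inspection filter that keeps
# a directory of TCP connections opened from the inside and admits inbound
# packets to high-numbered ports only when they match an entry.  Addresses and
# segments are constructed; 192.0.2.0/24 is the inside network.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Segment:
    direction: str      # "out" (inside -> Internet) or "in"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    seq: int = 0        # sequence number of this segment
    length: int = 0     # payload bytes

@dataclass
class Entry:
    state: str                                    # SYN_SENT, ESTABLISHED, CLOSING
    next_seq: dict = field(default_factory=dict)  # per direction: next expected seq

class StatefulFirewall:
    def __init__(self, inside_prefix):
        self.inside = inside_prefix
        # directory key: (inside host, inside port, outside host, outside port)
        self.table = {}

    def _key(self, seg):
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def state_of(self, inside_host, inside_port, outside_host, outside_port):
        entry = self.table.get((inside_host, inside_port, outside_host, outside_port))
        return entry.state if entry else None

    def handle(self, seg):
        """Return "forward" or "discard" for one segment, updating the directory."""
        key = self._key(seg)
        entry = self.table.get(key)
        if seg.direction == "out":
            if seg.syn and not seg.ack and seg.src.startswith(self.inside) and seg.sport > 1023:
                # new connection from an inside client: record it, expect SYN+ACK back
                self.table[key] = Entry("SYN_SENT", {"out": seg.seq + 1})
                return "forward"
            if entry is None:
                return "discard"
            return self._advance(entry, seg, "out")
        # inbound: without a directory entry a high port is not reachable at all,
        # whatever source port the packet claims (e.g. a spoofed port 20 or 25)
        if entry is None:
            return "discard"
        if entry.state == "SYN_SENT":
            if seg.syn and seg.ack:
                entry.state = "ESTABLISHED"
                entry.next_seq["in"] = seg.seq + 1
                return "forward"
            return "discard"
        return self._advance(entry, seg, "in")

    def _advance(self, entry, seg, direction):
        # sequence-number tracking: accept only the segment the peer should send
        # next (a real firewall accepts a window; exact match keeps this short)
        expected = entry.next_seq.get(direction)
        if expected is not None and seg.seq != expected:
            return "discard"
        entry.next_seq[direction] = seg.seq + seg.length + (1 if seg.fin else 0)
        if seg.fin:
            entry.state = "CLOSING"
        return "forward"

def run_trace(fw, segments):
    """Apply the firewall to a list of segments and return the decisions."""
    return [fw.handle(s) for s in segments]

INSIDE, CLIENT, SERVER = "192.0.2.", "192.0.2.10", "203.0.113.5"
TRACE = [  # constructed: one web connection plus unsolicited/replayed inbound packets
    Segment("out", CLIENT, 40000, SERVER, 80, syn=True, seq=1000),
    Segment("in", "203.0.113.9", 20, CLIENT, 40001, syn=True, seq=5),            # no entry
    Segment("in", SERVER, 80, CLIENT, 40000, syn=True, ack=True, seq=7000),
    Segment("out", CLIENT, 40000, SERVER, 80, ack=True, seq=1001, length=20),
    Segment("in", SERVER, 80, CLIENT, 40000, ack=True, seq=7001, length=100),
    Segment("in", SERVER, 80, CLIENT, 40000, ack=True, seq=7001, length=100),    # replayed
    Segment("in", SERVER, 81, CLIENT, 40000, ack=True, seq=1),                   # wrong peer port
    Segment("in", SERVER, 80, CLIENT, 40000, ack=True, fin=True, seq=7101),
]

if __name__ == "__main__":
    print(run_trace(StatefulFirewall(INSIDE), TRACE))
```

Compared with the stateless rule table, the inbound packet from source port 20 is discarded here because no inside host opened a connection to it, and the replayed data segment is discarded because its sequence number no longer matches the directory entry.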

Slide 13 Application-Level (Proxy) Gateway
Acts as a relay of application-level traffic
User contacts gateway with remote host name
Authenticates themselves
Gateway contacts application on remote host and relays TCP segments between server and user
Must have proxy code for each application
May restrict application features supported
Some services may not be available
More secure than packet filters
But have higher overheads

Slide 14 Circuit-Level Gateway
Sets up two TCP connections, to an inside user and to an outside host
Once connection is established, relays TCP segments from one connection to the other without examining contents
Hence independent of application logic
Just determines whether relay is permitted
Typically used when inside users are trusted
May use application-level gateway inbound and circuit-level gateway outbound
Hence lower overheads

Slide 15 Packet Filtering vs Gateway vs Application-Level Firewall (figure or table only; no slide text extracted)

Slide 16 SOCKS Circuit-Level Gateway
SOCKS v5 defined in RFC 1928 to allow TCP/UDP applications to use a firewall
Components:
SOCKS server on firewall
SOCKS client library on all internal hosts
SOCKS-ified client applications
Client app contacts SOCKS server, authenticates, sends relay request
Server evaluates & establishes relay connection
UDP handled with a parallel TCP control channel
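
The client-to-server exchange of slide 16 (method negotiation, relay request, server evaluation, reply) as the RFC 1928 byte strings, added here as an example that is not part of the slides. Both sides run in one process; the relay policy, hosts and ports are constructed, the authentication sub-negotiation is left out, and `exchange`, `relay_policy` and the other function names are chosen here.

```python
# Added example (not from the slides): the SOCKS v5 (RFC 1928) exchange between a
# SOCKS-ified client and the SOCKS server on the firewall, as the byte strings that
# cross the wire, with a relay policy the server evaluates before it answers.
# The policy, hosts and ports are constructed; authentication sub-negotiation
# (e.g. username/password) is left out.
import socket
import struct

VER = 0x05
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

def client_greeting(methods):
    # VER | NMETHODS | METHODS...
    return bytes([VER, len(methods), *methods])

def server_method_choice(greeting, supported):
    # VER | METHOD ; the server picks the first of its own methods the client offered
    if greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = greeting[2:]
    for m in supported:
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE_ACCEPTABLE])

def encode_addr(host, port):
    # ATYP | ADDR | PORT (network byte order); dotted quads as IPv4, anything else as a domain name
    try:
        return bytes([ATYP_IPV4]) + socket.inet_aton(host) + struct.pack("!H", port)
    except OSError:
        name = host.encode("ascii")
        return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def decode_addr(buf, i):
    atyp = buf[i]
    i += 1
    if atyp == ATYP_IPV4:
        host, i = socket.inet_ntoa(buf[i:i + 4]), i + 4
    elif atyp == ATYP_DOMAIN:
        n = buf[i]
        host, i = buf[i + 1:i + 1 + n].decode("ascii"), i + 1 + n
    elif atyp == ATYP_IPV6:
        host, i = socket.inet_ntop(socket.AF_INET6, buf[i:i + 16]), i + 16
    else:
        raise ValueError("unsupported address type")
    return host, struct.unpack("!H", buf[i:i + 2])[0], i + 2

def client_request(cmd, host, port):
    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT
    return bytes([VER, cmd, 0x00]) + encode_addr(host, port)

def server_reply(request, policy, bind_addr=("0.0.0.0", 0)):
    # VER | REP | RSV | ATYP | BND.ADDR | BND.PORT
    if request[0] != VER or request[2] != 0x00:
        raise ValueError("malformed request")
    cmd = request[1]
    try:
        host, port, _ = decode_addr(request, 3)
    except ValueError:
        return bytes([VER, REP_ATYP_UNSUPPORTED, 0x00]) + encode_addr(*bind_addr)
    if cmd != CMD_CONNECT:          # this gateway relays outbound TCP connections only
        rep = REP_CMD_UNSUPPORTED
    elif policy(host, port):        # "server evaluates" the relay request
        rep = REP_SUCCEEDED
    else:
        rep = REP_NOT_ALLOWED       # "connection not allowed by ruleset"
    return bytes([VER, rep, 0x00]) + encode_addr(*bind_addr)

def parse_reply(reply):
    rep = reply[1]
    host, port, _ = decode_addr(reply, 3)
    return rep, host, port

def relay_policy(host, port):
    # constructed firewall ruleset: outbound web only, and never back into the inside network
    return port in (80, 443) and not host.startswith("192.0.2.")

def exchange(cmd, host, port):
    """Run both sides of the handshake in-process and return the server's REP code."""
    greeting = client_greeting([METHOD_NOAUTH, METHOD_USERPASS])
    choice = server_method_choice(greeting, supported=[METHOD_USERPASS, METHOD_NOAUTH])
    if choice[1] == METHOD_NONE_ACCEPTABLE:
        return None                 # client must close the connection
    # (the chosen method's authentication sub-negotiation would run here)
    reply = server_reply(client_request(cmd, host, port), relay_policy)
    return parse_reply(reply)[0]
```

The point of the circuit-level design shows in `server_reply`: the gateway decides on the destination host, port and command alone and never looks at the application data that will flow through the relay afterwards.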

Slide 17 Firewall Basing
Several options for locating a firewall:
Bastion host
Individual host-based firewall
Personal firewall

Slide 18 Bastion Hosts
Critical strongpoint in network
Hosts application/circuit-level gateways
Common characteristics:
Runs secure O/S, only essential services
May require user auth to access proxy or host
There may be many proxy services
Each proxy can restrict features, hosts accessed
Each proxy small, simple, checked for security
Each proxy is independent, can be uninstalled

Slide 19 Host-Based Firewalls
Used to secure individual host
Available in/add-on for many O/S
Filter packet flows
Often used on servers
Advantages:
Tailored filter rules for specific host needs
Protection from both internal/external attacks
Additional layer of protection to org firewall when used with a standalone firewall

Slide 20 Personal Firewall
Controls traffic flow to/from PC/workstation
For both home and corporate use
May be software module on PC
Or in home cable/DSL router/gateway
Typically much less complex
Primary role to deny unauthorized access
May also monitor outgoing traffic to detect/block worm/malware activity

Slide 21 Firewall Locations
Internal firewall:
more stringent filtering capability to provide protection from external attacks
(b) provides two-way protection wrt the DMZ network
External firewall: protection for the DMZ consistent with their need for external connectivity

Slide 22 Virtual Private Networks
Encryption and similar services but transparent to the user

Slide 23 Distributed Firewalls
A combination of earlier firewalls
Host-resident firewall on 100s of PCs plus standalone firewalls under a central administration

Slide 24 Firewall Topologies
Host-resident firewall: personal firewall and firewall on servers (used alone or as part of a defense in depth)
Screening router: a single router between internal and external networks (e.g., SOHO apps)
Single bastion inline: single firewall device between an internal and external router (stateful or app proxies)
Single bastion T: similar to above but has a 3rd NIC on the bastion to a DMZ (for medium to large organizations)
Double bastion inline: DMZ sits between the two bastion firewalls (for large organizations)
Distributed firewall configuration

Slide 25 Intrusion Prevention Systems (IPS)
Recent addition to security products which:
Are inline network-/host-based IDS that can block traffic
Are a functional addition to a firewall that adds IDS capabilities
Use IDS algorithms but can block or reject packets like a firewall
May be network or host based

Slide 26 Host-Based IPS
Identifies attacks using both:
Signature techniques: malicious application packets
Anomaly detection techniques: behavior patterns that indicate malware
Examples of malicious behavior: buffer overflow, access to email contacts, directory traversal
Can be tailored to the specific platform
e.g. general purpose, web/database server specific
Can also sandbox applets to monitor behavior
May give desktop file, registry, I/O protection

Slide 27 Network-Based IPS
Inline NIDS that can discard packets or terminate TCP connections
Uses signature and anomaly detection
May provide flow data protection
Monitoring full application flow content
Can identify malicious packets using:
pattern matching (for specific byte sequences)
stateful matching (to stop attack streams rather than single packets)
protocol anomaly (deviations from standards)
traffic anomaly (unusual traffic like UDP floods)
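
Three of the four identification techniques listed on slide 27, run inline over a constructed trace, as an added example that is not part of the slides: per-packet pattern matching, stateful matching over the reassembled stream (which is what catches a byte sequence split across two segments), and a traffic-anomaly threshold for UDP floods. The signature, hosts, thresholds and trace are constructed; `run_ips`, `StreamMatcher` and `UdpFloodDetector` are names chosen here, and segments are assumed to arrive in order.

```python
# Added example (not from the slides): three of the detection techniques a
# network-based IPS applies, run inline over a constructed packet trace:
# per-packet pattern matching, stateful matching over the reassembled TCP
# stream, and a traffic-anomaly threshold for UDP floods. The signature, hosts
# and trace are constructed; segments are assumed to arrive in order.
from collections import defaultdict, deque

SIGNATURE = b"../../etc/passwd"   # constructed byte-sequence signature (directory traversal)

def pattern_match(payload, signature=SIGNATURE):
    """Stateless: looks at one packet's payload only."""
    return signature in payload

class StreamMatcher:
    """Stateful: searches each TCP flow's reassembled byte stream, so a signature
    split across two segments is still found.  Only the last len(sig)-1 bytes of
    each flow need to be kept between segments."""
    def __init__(self, signature=SIGNATURE):
        self.sig = signature
        self.tails = defaultdict(bytes)

    def feed(self, flow, payload):
        data = self.tails[flow] + payload
        self.tails[flow] = data[-(len(self.sig) - 1):] if len(self.sig) > 1 else b""
        return self.sig in data

class UdpFloodDetector:
    """Traffic anomaly: more than `limit` UDP datagrams to one destination host
    within a sliding window of `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.arrivals = defaultdict(deque)

    def observe(self, dst, t):
        q = self.arrivals[dst]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

def run_ips(trace, flood_limit=50, window=1.0):
    """trace: (time, proto, (src, sport, dst, dport), payload) tuples.
    Returns one ("forward" | "drop", reasons) verdict per packet."""
    stream, flood = StreamMatcher(), UdpFloodDetector(flood_limit, window)
    verdicts = []
    for t, proto, flow, payload in trace:
        reasons = []
        if proto == "tcp":
            if pattern_match(payload):
                reasons.append("pattern")
            if stream.feed(flow, payload):
                reasons.append("stateful")
        elif proto == "udp" and flood.observe(flow[2], t):
            reasons.append("udp-flood")
        verdicts.append(("drop", reasons) if reasons else ("forward", []))
    return verdicts

def build_trace():
    """Constructed trace: one request carrying the signature whole, one carrying it
    split across two segments, then a burst of 60 UDP datagrams at a DNS server."""
    flow_a = ("198.51.100.7", 51000, "192.0.2.80", 80)
    flow_b = ("198.51.100.8", 51001, "192.0.2.80", 80)
    trace = [
        (0.00, "tcp", flow_a, b"GET /../../etc/passwd HTTP/1.1\r\n"),
        (0.01, "tcp", flow_b, b"GET /../../et"),
        (0.02, "tcp", flow_b, b"c/passwd HTTP/1.1\r\n"),
        (0.03, "tcp", flow_b, b"Host: www\r\n\r\n"),
    ]
    trace += [(0.1 + i * 0.001, "udp", ("198.51.100.9", 4000 + i, "192.0.2.53", 53), b"\x00" * 40)
              for i in range(60)]
    return trace

if __name__ == "__main__":
    for packet, verdict in zip(build_trace(), run_ips(build_trace())):
        if verdict[0] == "drop":
            print(packet[0], packet[1], packet[2][0], verdict)
```

In the second flow the per-packet matcher sees nothing because neither segment contains the whole signature, while the stream matcher flags the second segment; the datagrams after the fiftieth within one second are dropped by the traffic-anomaly check. Protocol-anomaly detection (deviations from standards) would need a parser for each protocol and is not shown.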

Slide 28 Unified Threat Management Products
Reduce admin burden by replacing network products (firewall, IDS, IPS, …) with a single device

Summary (listed in the page's table of contents; the slide text is truncated on the page)
Introduced need for & purpose of firewalls
Types of firewalls: packet filter, stateful inspection, …

File name: computer-security-principles-and-practice-firewalls-and-intrusion-prevention-systems-chapter-9.pptx