Network Security Architecture
CS461/ECE
Computer Security I
Fall 2010
Reading Material
• Computer Security chapter 26.
• “Firewalls and Internet Security: Repelling the
Wily Hacker”, Cheswick, Bellovin, and Rubin.
Segment
• Separate Functionality
– Limit infection vectors
[Figure: segmented network. Server segment (labelled 100): runs DNS, SMTP, DB, Key Design App, File Server. Desktop machines segment (labelled 0). Both are separated from the Outside World.]
Security Domains
[Figure: four security domains: Internet, Corporate Network, Control Network, Partner Network]
Multiple VPN Technologies
• SSL
– Confidentiality? Yes
– Data integrity? Yes
– User authentication? Yes
– Network access control? No
– In addition, limited traffic
• IPSec
– Confidentiality? Yes
– Data integrity? Yes
– User authentication? Yes
– Network access control? Yes
– Client configuration required
• VLAN – Layer 2 tunnelling technology
– Confidentiality? No
– Data integrity? No
– User authentication? Yes
– Network access control? Yes
– Not viable over non-VLAN internetworks
Security Domains with VPNs
[Figure: security domains with VPNs: Internet, Corporate Network, Control Network, Partner Network, Home Network (Kids, Parents), Coffee Shop]
“Typical” corporate network
[Figure: Internet, then a firewall, then the Demilitarized Zone (DMZ) holding a Web Server, Mail forwarding and DNS (DMZ), then a second firewall, then the Intranet holding the Mail server, DNS (internal), a File Server, an internal Web Server and user machines]
Application Proxy Firewall
• Firewall software runs in application space on
the firewall
• The traffic source must be aware of the proxy
and add an additional header
• Leverage basic network stack functionality to
sanitize application level traffic
– Block Java or ActiveX
– Filter out “bad” URLs
– Ensure well-formed protocols or block suspect aspects of a protocol
Stateful Packet Filters
• Evolved as packet filters aimed for proxy functionality
• In addition to Layer 3 reassembly, it can reconstruct layer 4 traffic
• Some application layer analysis exists, e.g., for HTTP, FTP, H.
– Called context-based access control (CBAC) on IOS
– Configured by fixup command on PIX
– Some of this analysis is necessary to enable address translation and dynamic access for negotiated data channels
• Reconstruction and analysis can be expensive.
• Must be configured on specified traffic streams
– At a minimum the user must tell the firewall what kind of traffic to expect on a port
– Degree of reconstruction varies per platform, e.g. IOS does not do IP reassembly
Traffic reconstruction
[Figure: FTP session from X to Y. X sends “GET /etc/passwd”; the GET command causes the firewall to dynamically open a data channel initiated from Y to X. The firewall might have a filter for files to block, like /etc/passwd.]
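The figure above shows the two things a stateful filter has to do with FTP: follow the control channel so the server-initiated data connection can be allowed through, and inspect the commands themselves. The following is an added illustration, not code from the slides or from any firewall product. It assumes active-mode FTP (the client's “get” is sent on the wire as RETR, and the client announces its data port with PORT), constructed addresses X (inside client) and Y (outside server), and a constructed block list containing /etc/passwd.

```python
import re

# Constructed example hosts: X is the inside FTP client, Y the outside server.
X = "10.0.0.5"
Y = "198.51.100.20"
FTP_DATA_PORT = 20  # active-mode servers connect back from port 20

# Files the firewall refuses to let be retrieved (constructed, from the slide's example).
BLOCKED_PATHS = {"/etc/passwd"}

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" announces the client's data address and port.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


class StatefulFtpFilter:
    """Minimal model of a stateful packet filter tracking one FTP control channel."""

    def __init__(self):
        # Dynamic pinholes: (server_ip, client_ip, client_data_port) tuples that
        # the server is currently allowed to connect to.
        self.pinholes = set()

    def inspect_control(self, client, server, line):
        """Inspect one client->server line on the control channel.

        Returns "pass" or "block". A well-formed PORT command opens a dynamic
        pinhole so the server may initiate the data connection back to the
        client; a RETR of a blocked path is refused.
        """
        m = PORT_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            # Protocol sanity: every field of PORT is a single octet.
            if any(field > 255 for field in (h1, h2, h3, h4, p1, p2)):
                return "block"
            advertised_ip = f"{h1}.{h2}.{h3}.{h4}"
            port = p1 * 256 + p2
            # Only open a pinhole back to the client that issued the command,
            # never to a third host named in the PORT arguments.
            if advertised_ip != client:
                return "block"
            self.pinholes.add((server, client, port))
            return "pass"
        verb, _, arg = line.partition(" ")
        if verb.upper() == "RETR" and arg.strip() in BLOCKED_PATHS:
            return "block"
        return "pass"

    def data_allowed(self, src, src_port, dst, dst_port):
        """Allow a server-initiated data connection only if a matching pinhole exists."""
        return src_port == FTP_DATA_PORT and (src, dst, dst_port) in self.pinholes


def demo():
    """Walk through the slide's scenario; returns the verdicts in order."""
    fw = StatefulFtpFilter()
    before = fw.data_allowed(Y, FTP_DATA_PORT, X, 5001)          # no pinhole yet
    r1 = fw.inspect_control(X, Y, "PORT 10,0,0,5,19,137")         # 19*256+137 = 5001
    after = fw.data_allowed(Y, FTP_DATA_PORT, X, 5001)           # pinhole now open
    r2 = fw.inspect_control(X, Y, "RETR /etc/passwd")             # blocked path
    r3 = fw.inspect_control(X, Y, "RETR README.txt")              # ordinary file
    return before, r1, after, r2, r3


if __name__ == "__main__":
    print(demo())
```

The pinhole is keyed on the full (server, client, port) triple, which is the “dynamic access for negotiated data channels” the bullets describe: nothing is opened until the control channel has been seen, and only for the endpoints it named.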
Ingress and Egress Filtering
• Ingress filtering
– Filter out packets from invalid addresses before entering your network
• Egress filtering
– Filter out packets from invalid addresses before leaving your network
[Figure: a site that owns network X sits between Inside and Outside. Egress filtering: block outgoing traffic not sourced from network X. Ingress filtering: block incoming traffic from one of the set of invalid networks.]
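The two rules in the figure, written out as an added example (not from the slides): the site owns network X, which here is the constructed documentation prefix 203.0.113.0/24, and the “set of invalid networks” is assumed to be the private, loopback, link-local and unspecified ranges plus the site's own prefix, since a packet claiming the site's own addresses cannot legitimately arrive from outside.

```python
import ipaddress

# Constructed: the site "owns network X" (the slide's X). 203.0.113.0/24 is an
# RFC 5737 documentation prefix used here as a placeholder.
OWN_NETWORK = ipaddress.ip_network("203.0.113.0/24")

# Source prefixes that must never arrive from the outside (assumed invalid set):
# RFC 1918 private space, loopback, link-local, the unspecified block, and our
# own prefix (an outside packet with an inside source address is spoofed).
INVALID_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
    OWN_NETWORK,
]


def ingress_allowed(src):
    """Ingress rule: an inbound packet may enter unless its source is in an invalid network."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INVALID_SOURCES)


def egress_allowed(src):
    """Egress rule: an outbound packet may leave only if its source is in network X."""
    return ipaddress.ip_address(src) in OWN_NETWORK


def filter_packets(packets):
    """Apply the rule for each packet's direction; returns (direction, src, dst, verdict)."""
    verdicts = []
    for direction, src, dst in packets:
        if direction == "in":
            ok = ingress_allowed(src)
        elif direction == "out":
            ok = egress_allowed(src)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        verdicts.append((direction, src, dst, "pass" if ok else "drop"))
    return verdicts


# Constructed sample traffic seen at the border (direction, source, destination).
SAMPLE = [
    ("in", "198.51.100.7", "203.0.113.10"),   # ordinary inbound traffic
    ("in", "10.1.2.3", "203.0.113.10"),       # private source arriving from outside
    ("in", "203.0.113.5", "203.0.113.10"),    # claims our own prefix from outside
    ("out", "203.0.113.10", "198.51.100.7"),  # ordinary outbound traffic
    ("out", "10.9.8.7", "198.51.100.7"),      # not sourced from network X
]

if __name__ == "__main__":
    for verdict in filter_packets(SAMPLE):
        print(*verdict)
```

Egress filtering is the cheaper of the two to get right, because the site knows exactly which prefix it owns; the ingress list has to be maintained as the set of addresses that should never appear as sources changes.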
Denial of Service
• Example attacks
– Smurf Attack
– TCP SYN Attack
– Teardrop
• DoS generally exploits resource
limitations
– Denial by Consumption
– Denial by Disruption
– Denial by Reservation
Address Translation
• Traditional NAT: RFC 3022 (reference RFC)
• Map real address to alias address
– Real address associated with physical device, generally an unroutable address
– Alias address generally a routable address associated with the translation device
• Originally motivated by limited access to publicly routable IP addresses
– Folks didn’t want to pay for addresses and/or hassle with getting official addresses
• Later folks said this also added security
– By hiding structure of internal network
– Obscuring access to internal machines
• Adds complexity to firewall technology
– Must dig around in data stream to rewrite references to IP addresses and ports
– Limits how quickly new protocols can be firewalled
Address Hiding (NAPT)
• Many to few dynamic mapping
– Packets from a large pool of private addresses are mapped to a small pool of public addresses at runtime
• Port remapping makes this sharing more scalable
– Two real addresses can be rewritten to the same alias address
– Rewrite the source port to differentiate the streams
• Traffic must be initiated from the real side
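An added model of the NAPT behaviour just described (not code from the slides or any NAT implementation): two real hosts sharing one alias address, distinguished by rewritten source ports, with inbound packets accepted only for flows a real-side host already opened. Addresses, the alias pool and the starting alias port are constructed.

```python
import itertools


class Napt:
    """Many-to-few NAPT: rewrite (real_ip, real_port) to (alias_ip, alias_port) per flow."""

    def __init__(self, alias_ips, first_port=40000):
        self.alias_ips = list(alias_ips)          # small pool of public (alias) addresses
        self.next_port = itertools.count(first_port)  # constructed alias port allocator
        # (real_ip, real_port, dst_ip, dst_port) -> (alias_ip, alias_port)
        self.out_map = {}
        # (alias_ip, alias_port, dst_ip, dst_port) -> (real_ip, real_port)
        self.in_map = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the real side; creates the mapping on first use."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            # Alias addresses are handed out round-robin; the source port is
            # rewritten so streams sharing an alias address stay distinguishable.
            alias_ip = self.alias_ips[len(self.out_map) % len(self.alias_ips)]
            alias_port = next(self.next_port)
            self.out_map[key] = (alias_ip, alias_port)
            self.in_map[(alias_ip, alias_port, dst_ip, dst_port)] = (src_ip, src_port)
        alias_ip, alias_port = self.out_map[key]
        return (alias_ip, alias_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving on the alias side.

        Returns the rewritten (src_ip, src_port, real_ip, real_port), or None
        (drop) when no real-side host initiated the matching flow.
        """
        key = (dst_ip, dst_port, src_ip, src_port)
        if key not in self.in_map:
            return None
        real_ip, real_port = self.in_map[key]
        return (src_ip, src_port, real_ip, real_port)


def demo():
    """Two inside hosts reach the same outside service through one alias address."""
    nat = Napt(["203.0.113.1"])  # constructed single public address
    a = nat.outbound("10.0.0.5", 5000, "198.51.100.80", 443)
    b = nat.outbound("10.0.0.6", 5000, "198.51.100.80", 443)
    reply_b = nat.inbound("198.51.100.80", 443, "203.0.113.1", b[1])   # matches b's flow
    unsolicited = nat.inbound("198.51.100.80", 443, "203.0.113.1", 40002)  # never opened
    return a, b, reply_b, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both outbound packets leave with the same alias address but different alias ports, and the reply is routed back to the right real host purely by that port; the unsolicited packet has no entry and is dropped, which is the “traffic must be initiated from the real side” property.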