Network Security Fundamentals
Agenda
- Introduction: Firewalls, Routers, IDS
- Types of Networks
- Internetworking = Increased Risk
- Network Security Risks Explained
- Network Security Defined
- Network Connections to Control
- Defense in Depth
- Principles of Network Security
- Effective Controls for Network Security
[Figure: how attacks happen. (1) Hackers (2) connect through Networks (3) to exploit Servers. Security weaknesses exploited: weak passwords; weak access controls; misconfigurations; access without a password; inherent security vulnerabilities; buffer overflows to get privileged access.]

[Figure: network security architecture. Hackers reach the Internal Network over the Internet and over an Extranet that also connects TP 1 and TP 2. Control points shown: Routers, Firewall, Network Architecture, Logging and Monitoring.]
[Figure: risk matrix. Vertical axis: Threat; horizontal axis: Impact. Low threat and low impact = Low Risk; high threat or high impact = Moderate Risk; high threat and high impact = High Risk.]
- High risk is where the greatest return on security investment is found
©2002 SecureIT Consulting Group, Inc. 35
Network Security Policy Components
- Policy components communicate to the users, managers and support personnel what they need to know. Ideally, this policy should be documented so that relevant personnel understand expectations and can effectively implement practices that support the policy.
- FIREWALL COMPONENT
  - Address specific aspects of security related to the firewall that are not addressed by other policies
  - Clarify how security objectives apply to the firewall
  - Responsibilities of firewall administrators
  - Firewall configuration: remote access policy, supported services, blocked services, configuration change management, etc.
  - Firewall audit policy: granularity of logging, frequency of review, etc.
- Control is enforced through a series of rules. These rules are based on information stored in the IP and TCP/UDP/ICMP headers
  - A brand-new packet and a "reply" packet look very similar
    - Both have a source IP from the outside and a destination IP on the inside, and both arrive on the external interface
    - The only difference is in the TCP flag bits:
      - New traffic has SYN set; return traffic for existing connections has ACK set
      - TCP flags can be crafted or manipulated, so an attacker can set ACK on a probe to make it look like return traffic; flags alone are not a reliable way to track state
      - UDP, ICMP and other protocols have no such flags; only TCP does
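The following is an added worked example, not part of the original slides, to make the point above concrete. It compares a stateless "established" rule (permit inbound TCP when ACK or RST is set) with a stateful connection table that only admits replies to connections the inside opened. The packets are constructed tuples rather than captured traffic, the addresses are documentation ranges, and the `Packet` class, `stateless_filter` and `StatefulFilter` names are this example's own; for ICMP echo the example's convention is to carry the echo identifier in both port fields, since ICMP has no ports.

```python
"""Stateless flag-based filtering vs. a stateful connection table (added example).

Shows why TCP flags cannot be trusted to mark 'return traffic': a crafted
inbound ACK-only probe passes the flag rule, while a state table rejects it
because no inside host opened that connection. The state table also handles
UDP replies, which carry no flags for a stateless rule to inspect.
All packets below are constructed test data, not captures.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

INSIDE_PREFIX = "10.0.0."          # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    iface: str                     # "external" or "internal": interface the packet arrives on
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                 # for ICMP echo: the echo identifier (example convention)
    dport: int = 0                 # for ICMP echo: the echo identifier (example convention)
    flags: FrozenSet[str] = frozenset()   # TCP flags such as {"SYN"} or {"ACK"}; empty otherwise


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Classic packet filter rule: trust everything leaving; let TCP back in only if
    ACK or RST is set, on the assumption that this marks an existing connection."""
    if pkt.iface == "internal":
        return True
    if pkt.proto == "tcp":
        return bool(pkt.flags & {"ACK", "RST"})
    return False                   # UDP/ICMP have no flags to inspect: nothing gets in


class StatefulFilter:
    """Remembers connections initiated from inside and admits only their replies."""

    def __init__(self) -> None:
        self.table: set = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.iface == "internal" and is_inside(pkt.src):
            # outbound packet: record (or refresh) the connection it belongs to
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: permitted only if it is the mirror image of a recorded connection
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reply_of in self.table


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Run constructed packets through both filters; return {name: (stateless, stateful)}."""
    sf = StatefulFilter()
    pkts = {
        # inside host opens a web connection; the server's SYN/ACK is a legitimate reply
        "syn_out":     Packet("internal", "tcp", "10.0.0.5", "203.0.113.9", 40000, 80, frozenset({"SYN"})),
        "synack_in":   Packet("external", "tcp", "203.0.113.9", "10.0.0.5", 80, 40000, frozenset({"SYN", "ACK"})),
        # attacker sets ACK on a fresh probe so it looks like return traffic
        "crafted_ack": Packet("external", "tcp", "198.51.100.7", "10.0.0.8", 1234, 22, frozenset({"ACK"})),
        # inside host sends a DNS query; the answer has no flags to inspect
        "dns_out":     Packet("internal", "udp", "10.0.0.5", "192.0.2.53", 53000, 53),
        "dns_in":      Packet("external", "udp", "192.0.2.53", "10.0.0.5", 53, 53000),
        # unsolicited UDP from outside to an SNMP port
        "udp_probe":   Packet("external", "udp", "198.51.100.7", "10.0.0.8", 40000, 161),
    }
    verdicts = {}
    for name, pkt in pkts.items():        # insertion order: each request precedes its reply
        verdicts[name] = (stateless_filter(pkt), sf.allow(pkt))
    return verdicts


if __name__ == "__main__":
    print(f"{'packet':<12} {'stateless':<10} stateful")
    for name, (sl, st) in run_scenarios().items():
        print(f"{name:<12} {str(sl):<10} {st}")
```

The two rows to look at are `crafted_ack`, which the flag rule admits and the state table drops, and `dns_in`, which the flag rule has no way to admit at all.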
- Telnet
- FTP
- HTTP, HTTPS
- SMTP
- DNS
- NNTP
- LDAP
- Finger
- The DMZ network (and the hosts that reside on it) should not be trusted by the internal network: a compromised DMZ host must not become a stepping stone inward
- Simple packet filters are the fastest firewalls but offer the least protection. Application-layer proxy firewalls offer the most protection but are the slowest
[Figure: CONFIDENTIALITY. The sender encrypts the message "The secret formula is …." with the Receiver's Public key; the ciphertext ("M&28^M7hNt!$v30mNk …") crosses the Internet; the receiver decrypts it with the Receiver's Private key and recovers the message.]

[Figure: which party uses which key, as summarized in the table below.]

Key                    | Sender                                                        | Receiver
Sender's Public Key    | Will never use his own public key.                            | Uses it to decrypt messages that have origin authentication.
Sender's Private Key   | Uses it to encrypt messages that need origin authentication.  | Can never use the other party's private key; it is not known.
Receiver's Public Key  | Uses it to encrypt messages that require confidentiality.     | Will never use his own public key.
Receiver's Private Key | Can never use the other party's private key; it is not known. | Uses it to decrypt messages that require confidentiality.
[Figure: network topology. The Internet connects through a Border Router to the DMZ; an Inner Router separates the DMZ from the Internal Network; the Extranet attaches through a Screening Router (no firewall).]
- Rerouting attacks
  - In a rerouting attack, the attacker attempts to make an unauthorized change to the router's routing table, or simply attempts to bypass the predefined routes
  - Examples include ICMP redirect attacks and routing-protocol attacks that attempt to change the routing table so that traffic is directed to unauthorized destinations. Packets with the source-route IP option set also attempt to control their own routing, bypassing the router's controls
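The following is an added worked example, not from the original slides, showing the two header checks a screening router or IDS would apply to the last two attack types above: it parses a raw IPv4 header, walks the options field for the loose (0x83) and strict (0x89) source-route options, and flags ICMP type 5 (Redirect) messages along with the gateway they advertise. The packets are constructed byte strings with the checksum left at zero, the addresses are documentation ranges, and the `parse_ipv4`, `parse_options`, `rerouting_findings` and `build_ipv4` names are this example's own.

```python
"""Detect source-routed datagrams and ICMP redirects in raw IPv4 packets (added example).

Sample packets are constructed in build_ipv4()/sample_packets(); they are not captures.
"""
import socket
import struct
from typing import Dict, List

IPOPT_EOOL, IPOPT_NOP = 0x00, 0x01            # single-byte options
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89           # loose / strict source and record route
IPPROTO_ICMP, ICMP_REDIRECT = 1, 5


def parse_ipv4(pkt: bytes) -> dict:
    """Split an IPv4 datagram into header fields, the raw options bytes and the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    hdr_len = (ver_ihl & 0x0F) * 4            # IHL is in 32-bit words
    if hdr_len < 20 or hdr_len > len(pkt):
        raise ValueError("bad IHL")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "options": pkt[20:hdr_len], "payload": pkt[hdr_len:total_len]}


def parse_options(opts: bytes) -> List[int]:
    """Walk the options TLVs and return the option type codes present."""
    types, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        types.append(t)
        i += length
    return types


def rerouting_findings(pkt: bytes) -> List[str]:
    """Return a description of every rerouting indicator found in one datagram."""
    ip = parse_ipv4(pkt)
    findings = []
    for t in parse_options(ip["options"]):
        if t == IPOPT_LSRR:
            findings.append("loose source route option")
        elif t == IPOPT_SSRR:
            findings.append("strict source route option")
    payload = ip["payload"]
    if ip["proto"] == IPPROTO_ICMP and len(payload) >= 8 and payload[0] == ICMP_REDIRECT:
        gateway = socket.inet_ntoa(payload[4:8])   # the router the host is told to use instead
        findings.append(f"ICMP redirect to gateway {gateway}")
    return findings


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Construct a test datagram (checksum left zero; offline test data only)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload


def sample_packets() -> Dict[str, bytes]:
    """Constructed samples: one benign TCP, one LSRR, one ICMP redirect, one ICMP echo."""
    lsrr = bytes([IPOPT_LSRR, 11, 4]) + socket.inet_aton("198.51.100.1") + socket.inet_aton("203.0.113.9")
    redirect = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, socket.inet_aton("198.51.100.1")) + b"\x00" * 28
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
    return {
        "plain_tcp":     build_ipv4("10.0.0.5", "203.0.113.9", 6, b"\x00" * 20),
        "lsrr":          build_ipv4("198.51.100.7", "10.0.0.8", 6, b"\x00" * 20, options=lsrr),
        "icmp_redirect": build_ipv4("198.51.100.7", "10.0.0.8", IPPROTO_ICMP, redirect),
        "icmp_echo":     build_ipv4("198.51.100.7", "10.0.0.8", IPPROTO_ICMP, echo),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:<14} {rerouting_findings(pkt) or 'no rerouting indicators'}")
```

A border router would drop anything carrying the source-route options outright and would not accept ICMP redirects from outside; an IDS would log the advertised gateway so the attacker's preferred hop is recorded.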
[Figure: intrusion detection (ID) architecture. Collection: Network Card, Audit Settings, Audit Collection Policy, Raw Event Log Archive, Audit Database, Audit Reduction. Detection: Real-Time Detection Policy and Real-Time ID Service feeding a Real-Time Event Log; Batch ID Service; Network Detection Policy and Network ID Service. Output: Network Alerts and Network Response.]