
Page 1: CSE2500 SYSTEM SECURITY & PRIVACY

Introduction to Computer Network Security

Page 2: Layout

Network Security - what is different from Computer Systems security?

Possible scenarios for network connections and their implications for security concerns

What is the principal mode of attack in networks and how can you defend against it?

In which part of the network structure can we enforce security?

How can we do it efficiently?

Page 3: What have we seen so far?

Authentication

Access control

Encryption

Page 4: Internetwork Architecture?

[Figure: a wireless stranger, a wired stranger and another stranger all reach a server through the Internet]

Page 5: Services of the server are

Web servers

Email servers

FTP servers

Web and email servers

Web, email and FTP servers

Modem servers

Web, email, FTP and modem servers

Web, email and file servers

Etc.

Page 6: Consider a web server

What is the authentication here? What is the access control here? If these do not apply, what is the issue with respect to security?

Page 7: Recap: Security Attacks - Taxonomy

Interruption – attack on availability

Interception – attack on confidentiality

Modification – attack on integrity

Fabrication – attack on authenticity

The availability (and confidentiality) properties need to be preserved – how can they be threatened?

Page 8: Model for network security

[Figure: an information channel guarded by a gatekeeper]

Page 9: Attacks are

Snooping or sniffing - the attacker observes network traffic without disturbing the transmission (passive), e.g. snooping for passwords.

Sniffing software works by placing a system's network interface into promiscuous mode.

Page 10: Attacks are

Denial of service – make the server inoperative or inefficient, e.g. the ping (of death) attack, by flooding.

Page 11: Ping Attack

The hacker sends an ICMP Echo request to the target, expecting an ICMP Echo reply to be returned for each request. The hacker, because of the high bandwidth, can send more requests than the target can handle.

Countermeasures: No known defense

[Figure: ICMP ECHO flooding - the hacker on a T-1 link sends packets 1, 2, 3, ... n across the Internet to a server on a 128K link]

Page 12: TCP SYN Flooding

[Figure: the hacker sends SYN segments (SYN=1 ACK=0, seq 141521, 141686, 141721, win 4096), each from an unreachable IP address; the target host answers every one with SYN=1 ACK=1, seq 181521, to the unreachable address, and a legitimate client is denied access]

Page 13: SYN Attack

Attack Method: Most hosts will only support 8-16 simultaneous communication channels. The hacker sends a sequence of SYN packets. Each SYN packet (about 120/second) has a different and unreachable IP address. This consumes all the communication channels and results in a denial of any TCP-based service.

Countermeasure: Expand the number of ports, reduce the time-out period, validate TCP request packets.

Page 14: Attacks are

Impersonation – stealing the identity of someone; the other party thinks that you are the true identity.

Page 15: Impersonation

Authentication at the IP layer is concerned with the identity of computer systems.

IP addresses are software configurable, and the mere possession (or fraudulent use) of one enables communication with other systems.

Two such techniques to do this are address masquerading and address spoofing.

Page 16: Address Masquerading

Page 17: Address Spoofing

Also known as the TCP sequence number attack.

First we need to understand how the three-way TCP handshake protocol works. A handshake means an assertion that indicates one party's readiness to send or receive data. When two systems share a hardware connection, a two-way handshake is enough.

Since TCP rides on IP – an unreliable, connectionless protocol – a three-way handshake is required.

Page 18: Handshake in TCP

Machine A -> Machine B: SYN + ISN_A

Machine B -> Machine A: SYN + ISN_B + ACK(ISN_A + 1)

Machine A -> Machine B: ACK(ISN_B + 1)

Application data follows.

SYN – synchronize request; ISN – initial sequence number; ACK – acknowledgement for the ISN

Page 19: TCP Connection

Three-way connection, client <-> server:

Segment 1 (client -> server): SYN=1 ACK=0, seq 141521, win 4096, <mss 1024>

Segment 2 (server -> client): SYN=1 ACK=1, seq 181521, ack 141522, win 4096, <mss 1024>

Segment 3 (client -> server): SYN=0 ACK=1, ack 181522

Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 shows the advertised window size of the sending station, while the field <mss 1024> shows the maximum segment size the sender is willing to receive. SYN=1, ACK=0.

Segment 2 shows the server responding with a SYN segment with ISN 181521 and acknowledging the client's ISN with ISN + 1. This is called a Passive Open. SYN=1, ACK=1.

Segment 3 shows the client responding by acknowledging the server's ISN with ISN + 1. SYN=0, ACK=1.

Data can now be transmitted.


Page 20: Address Spoofing

Consider C (an intruder) who wants to impersonate the sender (say A) – how?

Intruder C knows that B (the receiver) trusts A's users and lets them execute commands through, say, the rsh (remote shell) service without requiring a password.

However, C will not receive a single datagram in response from B, whose replies will be routed to the real, but unavailable, A.

C now somehow needs to predict the ISN of B that B would tell A during the handshake.

Page 21: How to get the ISN?

The ISN is a 32-bit clock that increases systematically with time.

If the clock increment is predictable and an attacker can see the value of any one ISN, he can probably predict the value of the next or a soon subsequent ISN with accuracy.
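As an added example (not code from the slides), the three-way handshake of page 19 modelled with its own sequence numbers, together with an ISN generator in the shape of RFC 6528 (clock plus a keyed hash of the connection's addresses and ports), which is the standard remedy for the predictable clock ISN described on this page; the Segment type, the function names and the secret key are my own assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass

MOD32 = 1 << 32  # sequence numbers wrap at 2^32


@dataclass
class Segment:
    syn: bool
    ack: bool
    seq: int          # sequence number carried by the segment
    ack_num: int = 0  # acknowledgement number (meaningful only when ack is set)


def client_syn(isn_a):
    """Segment 1, active open: the client offers its own ISN."""
    return Segment(syn=True, ack=False, seq=isn_a)


def server_syn_ack(syn, isn_b):
    """Segment 2, passive open: B answers with ISN_B and acknowledges ISN_A + 1."""
    if not (syn.syn and not syn.ack):
        raise ValueError("expected a SYN")
    return Segment(syn=True, ack=True, seq=isn_b, ack_num=(syn.seq + 1) % MOD32)


def client_ack(syn_ack, isn_a):
    """Segment 3: the client checks that B acknowledged its ISN, then acknowledges ISN_B + 1."""
    if not (syn_ack.syn and syn_ack.ack):
        raise ValueError("expected a SYN+ACK")
    if syn_ack.ack_num != (isn_a + 1) % MOD32:
        raise ValueError("SYN+ACK does not acknowledge our ISN")
    return Segment(syn=False, ack=True, seq=(isn_a + 1) % MOD32,
                   ack_num=(syn_ack.seq + 1) % MOD32)


def server_accepts(final_ack, isn_b):
    """B completes the connection only if segment 3 acknowledges exactly ISN_B + 1.

    This is the check a spoofer who never sees segment 2 has to satisfy blind,
    which is only possible when ISN_B can be guessed.
    """
    return (not final_ack.syn) and final_ack.ack and final_ack.ack_num == (isn_b + 1) % MOD32


def handshake(isn_a, isn_b):
    """Run the full three-way handshake and report whether B accepted it."""
    s1 = client_syn(isn_a)
    s2 = server_syn_ack(s1, isn_b)
    s3 = client_ack(s2, isn_a)
    return s1, s2, s3, server_accepts(s3, isn_b)


def clock_isn(ticks):
    """The generator on the slides: a 32-bit counter that advances with time."""
    return ticks % MOD32


def hashed_isn(ticks, local, remote, secret):
    """ISN in the shape of RFC 6528: clock + F(4-tuple, secret).

    The clock still advances, but the offset F differs per connection and is
    unknown without the secret, so one observed ISN reveals nothing about the
    ISN another host will be given.
    """
    msg = f"{local[0]}:{local[1]}:{remote[0]}:{remote[1]}".encode()
    offset = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (ticks + offset) % MOD32


if __name__ == "__main__":
    # The slide's numbers: client ISN 141521, server ISN 181521.
    s1, s2, s3, ok = handshake(141521, 181521)
    print(f"seg1 seq={s1.seq}  seg2 seq={s2.seq} ack={s2.ack_num}  "
          f"seg3 ack={s3.ack_num}  accepted={ok}")
```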

Page 22: Predictable ISN can lead to

After learning the ISN, wait for A to go down (say for maintenance), which is easy to detect (say by ping); then C sends B a counterfeit IP datagram containing its SYN and ISN, which B receives and believes to have originated from A.

B replies with a SYN, its own ISN and an acknowledgement of C's ISN. (This reply is routed inconsequentially to A, who is still unavailable to receive it.)

C meanwhile predicts and acknowledges B's ISN. It follows with an rsh command that coaxes B to give the attacker easier access from his true location.

C has successfully opened a TCP connection and executed a command on B without ever having received a single byte in return from B. It simply acted as if it had, enabled by B's predictable ISN.

Page 23: Method of defense

Avoid reliance on address-based authentication and trust mechanisms (like those used by rsh).

Use a screening router, a device that can intelligently filter network packets based on configurable rules. Although this cannot prevent spoofing, it can prevent:

Inbound attacks that originate from external networks (by discarding incoming datagrams with a source address belonging to the internal address range).

Outbound attacks that originate inside your own network (by discarding outgoing datagrams with a source address from an external network).

Page 24: Attacks are

Relaying a message to another host, which accepts it as if it were trusted. Example: transfer of password files in networked unix systems.

Page 25: Message alteration

Message means the payload of the IP datagram; the router performs routine modifications to the IP datagram header, and sometimes fragments a datagram into several smaller ones (when the length exceeds a limit allowed by the underlying data link layer).

There is no need to suspect message alteration in that, but techniques such as checksums are not sufficient.

Page 26: Message Delay and Denial

By gaining authorised control of a router or routing host, then modifying executable code or the routing and screening rules used by the code. We need to apply proper authentication and access mechanisms to the routing systems.

By overwhelming a routing device, or one of the communication end systems, with an inordinate amount of network traffic. Easy to detect but difficult to prevent!

Page 27: By Blocking (or Screening)

[Figure: a screening router between the external network and the internal network 130.194.225.xxx; four datagrams are shown, 108.3.54.92 -> 130.194.225.92, 130.194.225.52 -> 130.194.225.92, 108.3.54.92 -> 121.92.5.52 and 130.194.225.92 -> 121.5.92.1, two marked accepted and two marked blocked]
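The two screening rules from page 23 applied to datagrams built from the addresses on this slide, as an added example that is not from the slides; the interface each datagram arrives on, the /24 prefix used for the internal network and the log format are my assumptions.

```python
import ipaddress
from dataclasses import dataclass

# The slide's internal network 130.194.225.xxx, written as a prefix (assumed /24).
INTERNAL_NET = ipaddress.ip_network("130.194.225.0/24")


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    arrived_on: str  # interface the router received it on: "external" or "internal"


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def screen(pkt):
    """Apply the page 23 rules; return (decision, reason).

    Inbound (external interface): drop anything claiming an internal source.
    Outbound (internal interface): drop anything claiming an external source.
    Everything else is forwarded; the router cannot tell whether an external
    source address is genuine, which is why this does not stop spoofing outright.
    """
    src_internal = is_internal(pkt.src)
    if pkt.arrived_on == "external":
        if src_internal:
            return "blocked", "inbound datagram with an internal source address"
        return "accepted", "inbound datagram from an external source"
    if pkt.arrived_on == "internal":
        if not src_internal:
            return "blocked", "outbound datagram with an external source address"
        return "accepted", "outbound datagram from an internal source"
    raise ValueError(f"unknown interface {pkt.arrived_on!r}")


def log_line(pkt, decision, reason):
    """Constructed audit-log format; blocked lines are the ones worth alerting on."""
    return f"{decision.upper():8} {pkt.src} -> {pkt.dst} via {pkt.arrived_on}: {reason}"


# Constructed traffic using the four address pairs drawn on the slide.
SAMPLE = [
    Datagram("108.3.54.92", "130.194.225.92", "external"),
    Datagram("130.194.225.52", "130.194.225.92", "external"),
    Datagram("108.3.54.92", "121.92.5.52", "internal"),
    Datagram("130.194.225.92", "121.5.92.1", "internal"),
]


def screen_all(pkts=SAMPLE):
    """Return the decision for each datagram, in order."""
    return [screen(p)[0] for p in pkts]


if __name__ == "__main__":
    for p in SAMPLE:
        print(log_line(p, *screen(p)))
```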

Page 28: Network Communication: OSI Reference Model

Application-related services:

Application (7) - application programs that use the network

Presentation (6) - standardise data representation to the application layer

Session (5) - manage sessions between applications

Network-related services:

Transport (4) - provide end-to-end error detection and correction

Network (3) - manage connections across the network

Data Link (2) - provide reliable delivery across physical links

Physical (1) - define characteristics of media

Page 29: Generic Message Format

Fields: sender identity | recipient identity | message length | message data

Page 30: Internet TCP/IP Model

Application - programs: X window, mobile agents, Web applications, Email ...

(Sockets sit between the application and transport layers)

Transport (TCP, UDP) - table of addresses, data and algorithms to perform reliability checks

Network (IP) - table of addresses and algorithms for handling the routing of data

Physical - digital signal (0, 1)

Page 31: Network Layer – IP Datagram format (for reference)

4-bit version | 4-bit header length | 8-bit type of service | 16-bit total length

16-bit identification | 3-bit flags | 13-bit fragment offset

8-bit time to live | 8-bit protocol | 16-bit header checksum

32-bit source address

32-bit destination address

Options (if any) and padding

Data (variable length)

Page 32: TCP segment (for reference)

16-bit source port number | 16-bit destination port number

32-bit sequence number

32-bit acknowledgement number

4-bit header length | 6-bit reserved | 6-bit flags | 16-bit window size

16-bit TCP checksum | 16-bit urgent pointer

Options (if any) and padding

Data (variable length)

Page 33: UDP datagram (for reference)

16-bit source port number | 16-bit destination port number

16-bit length | 16-bit checksum

Data (variable length, if any)

Page 34: Possible methods

Simple denial of requests – a firewall is useful to prevent address spoofing and masquerading.

Tailored software for each of the network services – called wrappers; application-oriented functionality can be implemented.

Page 35: Firewalls

A screening router (also called packet filtering) is an example of a firewall.

We will look at firewalls in more detail in another subject.

Page 36: Firewall

[Figure: the Internet, an exterior router, a perimeter network holding a bastion host, an interior router and the internal network; an external SMTP server talks to the bastion host, and an inside SMTP server and SMTP client talk to it from the internal network]

SMTP routing:

1. Route incoming/outgoing mail to the bastion host.

2. Use the exterior router to restrict connections from external hosts to the bastion host.

3. Use the interior router to restrict connections from the bastion host to specific internal servers.

4. Internal systems send mail to the bastion host.

Page 37: TCP Wrapper

The TCPWrapper is a utility program that can be "wrapped" around existing servers connected to the Internet.

A firewall can be placed between your internal network and the Internet to protect the entire internal network.

The TCPWrapper is placed on an internal server and protects the services of that machine.

The combination of firewall and TCPWrapper provides defense in depth.

The TCPWrapper was written by Wietse Venema and is used for logging requests for service made through /etc/inetd.conf, and for intercepting and controlling TCP services that are started by /etc/inetd.conf.

Page 38: TCP Wrapper

[Figure: an external user on the Internet reaches an internal server through the router/bastion host firewall; the TCP Wrapper sits on the internal server]

Page 39: TCP Wrapper Operation

The TCPWrapper is installed on the internal server and inetd is configured to run the TCPWrapper program, tcpd, instead of the real server. inetd is the Internet protocol starter program that, upon detecting a service request, forks a process directly to the requested service.

tcpd is the TCPWrapper program that receives control from inetd when an internal server has been "wrapped". tcpd evaluates the request against two TCPWrapper configuration files:

/etc/hosts.allow tells tcpd which hosts to allow connections from.

/etc/hosts.deny tells tcpd which hosts to deny connections from.

If no match is found the connection is allowed. tcpd completes its function and then transfers control to the requested service.

Page 40: TCP Wrapper Operation

[Figure: an external user's request passes the router/bastion host firewall to the internal server, where inetd (configured by inetd.conf) hands it to tcpd; tcpd consults /etc/hosts.allow and /etc/hosts.deny before passing it on to the requested network service (telnet, ftp, rlogin, udp, etc.)]

Page 41: TCP Wrapper Functions

The TCPWrapper performs the following functions upon assuming control from inetd.

Compares the incoming hostname and requested service with the previously created hosts.allow and hosts.deny files.

Performs a double-reverse lookup of the IP address to make sure the DNS entries for the IP address match the hostname.

Logs the result with syslog. This provides a way to log services that are normally not logged, e.g., finger and systat.

Optionally runs a command, e.g., runs finger to get a list of users on the connecting client computer.

Optionally substitutes a different version of the requested service daemon, e.g., the calling host may require a special extended service.

Optionally sends a banner to the connecting client.

Passes control of the connection to the real network daemon, or rejects the connection without providing a service.
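A small model of the hosts.allow / hosts.deny decision order and the double-reverse lookup described on pages 39 and 41, added here as an example; it is not Wietse Venema's tcpd, and the resolver records, the access tables and the subset of hosts_access(5) patterns it understands are constructed assumptions.

```python
import ipaddress

# Constructed resolver data standing in for DNS (PTR: address -> name, A: name -> addresses).
PTR = {
    "10.1.2.3": "ws1.corp.example",
    "10.1.2.4": "ws2.corp.example",
    "203.0.113.9": "ws1.corp.example",  # reverse record whose forward lookup disagrees
}
A = {"ws1.corp.example": ["10.1.2.3"], "ws2.corp.example": ["10.1.2.4"]}

# Constructed access tables in the "daemon_list : client_list" form.
HOSTS_ALLOW = """
# /etc/hosts.allow (constructed)
ALL: .corp.example
sshd: 192.0.2.
"""
HOSTS_DENY = """
# /etc/hosts.deny (constructed)
ALL: ALL
"""


def parse(table):
    """Return [(daemon_patterns, client_patterns)], ignoring comments and any option field."""
    rules = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def double_reverse(ip):
    """PTR the address, then A the name; trust the name only if it maps back to ip."""
    name = PTR.get(ip)
    if name and ip in A.get(name, []):
        return name
    return None  # no record or mismatch: the client is treated as nameless


def client_matches(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":          # name and address do not agree
        return name is None
    if pattern.startswith("."):        # domain suffix, needs a verified name
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):          # dotted address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                 # net/mask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or pattern == name


def table_matches(rules, daemon, ip, name):
    for daemons, clients in rules:
        if (daemon in daemons or "ALL" in daemons) and any(client_matches(c, ip, name) for c in clients):
            return True
    return False


def decide(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match in either means allow."""
    name = double_reverse(ip)
    if table_matches(parse(allow), daemon, ip, name):
        return "allow"
    if table_matches(parse(deny), daemon, ip, name):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip in [("sshd", "10.1.2.3"), ("sshd", "203.0.113.9"), ("ftpd", "192.0.2.7")]:
        print(f"{daemon} from {ip}: {decide(daemon, ip)}")
```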

Page 42: Possible connections: Security?

[Figure: your PC connects through an optional firewall and an ISP server to the Internet, where wired strangers, wireless strangers and other strangers also connect]

Page 43: Possible connections: Security?

[Figure: your systems, production servers, a web server and an ftp server sit behind a firewall, with wired, wireless and other strangers on the Internet]

Page 44: Possible connections: Security?

[Figure: as on page 43, your systems, production servers, web server and ftp server behind a firewall, with wired, wireless and other strangers on the Internet]

Page 45: Possible connections: Security?

[Figure: the Internet connects through a LAN/WAN firewall to web servers and back-end data servers on separate LAN/WAN segments]

Page 46: Possible connections: Security?

[Figure: Internet, intranet and extranet connected over LAN/WAN through a firewall to web servers, back-end data servers, business applications, business integration systems, a call centre and mobile users]