
IT E74 WEB TECHNOLOGY

Department Of Information Technology 1

UNIT V

Internet Security: The Internet - Understanding Firewalls - Hackers - TCP/IP from a security view point - sockets and services - Encryption. Firewall Technology - packet filtering - Network Address Translation - application level proxies - VPN - ideal firewall.

INTERNET SECURITY

5.1 THE INTERNET – UNDERSTANDING FIREWALLS

In today's world, there are a number of threats like viruses, Trojans, hackers etc. To protect our system from all the above mentioned threats we use firewalls.

A firewall limits the access which software applications have to the operating system services, and consequently to the internal hardware resources found in a computer, much as a car firewall limits access of heat, or even fire, to the passengers of the vehicle.

The reason that application firewalls are needed in today's internet and data-sharing world is that the other types of firewalls in existence do not control the execution of data, only the flow of data to the computer's processor.


5.1.1 Hardware firewalls

The computer's hardware resources are essentially: the processor, the RAM, and the hard disk. Virtual memory is the content of RAM that is temporarily written onto the hard disk in order to free the RAM chips to hold other content or to supply other data for mathematical processing. For this reason, the virtual memory is open to internet attack just as the RAM is.

Since several ports of a computer need to be open at various times in order for applications to be allowed to bring data in to the user and send it out from the user (applications such as internet browsers (HTTP - hyper-text transfer protocol), e-mail programs (SMTP - simple mail transfer protocol) and FTP programs (FTP - file transfer protocol)), most types of firewalls are necessarily unable to stop the flow of unwanted content via the ports that they have been configured to allow.

Hardware firewalls are connected to the computer where the phone-line modem or cable modem allows data into and out of the computer. They are external hardware. They can be configured such that only data bound for designated ports (virtual ways in/out of the computer) are routed to the OS services.

A port is essentially only an abstract address, since the true data pathway is the cable itself and the modem's jack. Ports are authorizations (in the OS) of data flow to the OS.

The hardware firewall's function is, therefore, to filter out data coming from restricted origins and thus keep it from accessing the operating system's services. The net result is that only data bound for ports which were set by the user to be open (in the firewall's configuration) will be passed on to the OS services, and to the computer's hardware resources.


5.1.2 Software firewalls

Let us now contrast software firewalls (personal firewalls). They attempt to perform the function of a hardware firewall, but in the form of running software which is configured to filter out data traffic designated for restricted ports. Ideally, only the data bound for the desired ports would be passed on to the processor.

An application layer firewall is firewall software operating at the application layer of a protocol stack. Generally it is a host using various forms of proxy servers to proxy traffic instead of routing it.

As it works on the application layer, it may inspect the contents of the traffic, blocking what the firewall administrator views as inappropriate content, such as certain websites, viruses, attempts to exploit known logical flaws in client software, and so forth. An application layer firewall does not route traffic on the network layer, but from the application to the OS.

In this context, the hardware resources are the bottom layer, the BIOS is the 2nd layer, the operating system kernel and OS services are the 3rd layer, and the application layer firewall is running as a 4th layer, at the same level as other applications such as word processors or internet browsers.

5.1.3 Firewall vulnerabilities

An application layer firewall is, then, a software firewall. Unfortunately, firewall-type applications developed for Microsoft Windows, Macintosh, or other operating systems may contain the type of logical flaws exploited by computer system hackers.

A vulnerability, or logical flaw, in the running firewall software might be exploited in the very same way that internet browser code vulnerabilities or e-mail software code vulnerabilities often are. What this amounts to is that software firewalls of both descriptions, software- and application-layer, might be circumvented by malicious software through exploitation of the firewalls' own logical software coding flaws.

In that case, an attack written to exploit a software firewall's vulnerability could also include an attack on the internet browser and make it through to the browser despite the firewall. In that event there would normally not be any protection against the attack. Microsoft, the author of the Windows OS, has included in its latest service pack (SP2) for Windows XP a feature which they call Data Execution Prevention (DEP).

Since new data must be executed as instruction code, using system services, in order to be harmful to the existing data or virtual memory on a hard disk, preventing its execution would seem to be the protection needed against exploit code.

A processor capable of enforcing DEP (as of the time of writing, July 2005, being 64-bit processors only) would consider the data portion of RAM to be non-executable, or NX (referred to as 'No-Execute' by AMD), or XD (referred to as 'eXecution Disable' by Intel): RAM designed for data only. Instruction code is only intended by Windows and other operating systems to be run from the instruction code area of RAM.

DEP is a good start, but it only addresses the problem of buffer overflow exploits of the logical software coding flaws which we refer to as vulnerabilities. Such an exploit usually writes executable code in the data area of RAM and then overwrites legitimate code in the protocol stack such that when the system service returns to retrieve the next instruction, the substituted instruction tells the processor to look in the data area for the details -- and the details are malicious.

However, there still lie in the internet and computer arenas such other significant threats to data and to privacy as viruses, keystroke loggers, Trojan horse viruses, spying software, advertisement-generating software and other forms of maliciously designed software code which DEP will not address.

If discretion could be given to the OS services to refuse to run code which is either originating from a RAM buffer overflow, or is originating from unwanted software not needing to exploit vulnerabilities in order to achieve its damage or its theft of information, then perhaps the protection loophole would close -- at least more tightly.

This is the purpose of an application firewall -- to close the loophole around the OS more tightly and to make the chance of unwanted code execution extremely slim.

Windows users have the benefit of one such application firewall software, OSsurance, developed in 2005 by OS Security, which functions much as DEP protection. In addition, however, this software refuses to allow the system services to run executable files which have not purposely been added to an inventory of accepted programs by the user when the software was installed, it refuses the running of DLLs which have been substituted or altered, and it refuses to allow the running of a program which has changed itself in name or in content.

This more comprehensive type of firewall has not yet been made available to the other major operating systems (see buffer overflow).

Various other combinations, or omissions, of components of this application firewall approach exist, with varying degrees of success. Anti-Execute, developed by Faronics, is one example of using selected components of an application firewall. DEP, by Microsoft, is another.


5.2 HACKERS

Hacker means someone who finds weaknesses in a computer or computer network, though the term can also refer to someone with an advanced understanding of computers and computer networks. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge. The subculture that has evolved around hackers is often referred to as the computer underground but it is now an open community. While other uses of the word hacker exist that are not related to computer security, they are rarely used in mainstream context. They are subject to the long standing hacker definition controversy about the true meaning of the term hacker. In this controversy, the term hacker is reclaimed by computer programmers who argue that someone breaking into computers is better called a cracker, not making a difference between computer criminals (black hats) and computer security experts (white hats). Some white hat hackers claim that they also deserve the title hacker, and that only black hats should be called crackers.

5.2.1 Hacker Types

White Hat Hackers: These are the good guys, computer security experts who specialize in penetration testing and other methodologies to ensure that a company's information systems are secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle hackers.

Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers. The term is often used specifically for hackers who break into networks or computers, or create computer viruses. Black hat hackers continue to technologically outpace white hats. They often manage to find the path of least resistance, whether due to human error or laziness, or with a new type of attack. Hacking purists often use the term "crackers" to refer to black hat hackers. Black hats' motivation is generally to get paid.

Script Kiddies: This is a derogatory term for black hat hackers who use borrowed programs to attack networks and deface websites in an attempt to make names for themselves.


Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment.

State Sponsored Hackers: Governments around the globe realize that it serves their military objectives to be well positioned online. The saying used to be, "He who controls the seas controls the world," and then it was, "He who controls the air controls the world."

Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use similar tactics as hacktivists, but their only agenda is to serve their client's goals and get paid.

Cyber Terrorists: These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber terrorists' ultimate motivation is to spread fear, terror and commit murder.

5.2.2 Hacking techniques

Hacking attacks progress in a series of stages, using various tools and techniques. A hacking attack consists of the following stages.

Dictionary attack: A simple dictionary attack is by far the fastest way to break into a machine. A dictionary file (a text file full of dictionary words) is loaded into a cracking application (such as L0phtCrack), which is run against user accounts located by the application. Because the majority of passwords are often simplistic, running a dictionary attack is often sufficient to do the job.

Hybrid attack: Another well-known form of attack is the hybrid attack. A hybrid attack will add numbers or symbols to the filename to successfully crack a password. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month password is "cat"; second month password is "cat1"; third month password is "cat2"; and so on.

Brute force attack: A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password. Some brute force attacks can take a week depending on the complexity of the password. L0phtCrack can also be used in a brute force attack.
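The defensive counterpart of the three attacks above is a password policy that refuses exactly the passwords they find first. The following is an added example, not part of the lecture notes or of any cracking tool: it rejects dictionary words, the "cat1"/"cat2" hybrid variants (by stripping trailing digits and symbols before the lookup), and passwords whose brute-force keyspace is small. The word list, the 12-character minimum and the 2^40 keyspace threshold are constructed assumptions for illustration.

```python
import string

# Constructed word list standing in for the dictionary file a cracking tool
# loads (assumption: a real list holds many thousands of words).
DICTIONARY = {"cat", "dog", "password", "summer", "welcome", "letmein"}

MIN_LENGTH = 12          # assumed policy minimum
MIN_KEYSPACE = 2 ** 40   # assumed threshold: below this an offline brute force is quick


def dictionary_stem(password: str):
    """Return the dictionary word a password is built on, or None.

    Strips the trailing digits/symbols a hybrid attack appends ("cat1",
    "cat2", "Summer!") and ignores case, so one check catches both the
    plain dictionary attack and its hybrid variant.
    """
    stem = password.rstrip(string.digits + string.punctuation).lower()
    return stem if stem in DICTIONARY else None


def brute_force_keyspace(password: str) -> int:
    """Number of candidates a brute-force attack must try for a password of
    this length drawn from the character classes it actually uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return alphabet ** len(password)


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    word = dictionary_stem(password)
    if word is not None:
        problems.append(f"based on dictionary word '{word}'")
    if brute_force_keyspace(password) < MIN_KEYSPACE:
        problems.append("keyspace below 2^40, trivially brute-forceable")
    return problems


if __name__ == "__main__":
    for candidate in ("cat", "cat1", "Summer2019!", "k7$Wq2!pL9zR"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The keyspace figure is the size of the search a brute force must cover, which is why length matters more than adding one symbol: "cat1" uses only 36 symbols over 4 positions, about 1.7 million candidates.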


5.3 TCP/IP FROM A SECURITY VIEW POINT

• IP datagram should be authenticated
• IP datagram should be encrypted
• IP datagram should be both encrypted and authenticated

Authenticity of IP connections. In order to prevent IP spoofing and connection hijacking, as well as to secure the content of IP datagrams against any unauthorized modifications, all IP datagrams sent over the Internet should be authenticated.

Privacy of IP connections. In order to guarantee privacy, all IP datagrams sent over the Internet should be encrypted by employing strong cryptography.

Encryption and Authentication. It is desirable to have both encryption and authentication applied to IP datagrams.

5.4 SOCKETS AND SERVICES

Secure socket layers

Secure socket layer protocol (SSL) is from Netscape. SSL has been placed with the Internet Engineering Task Force. It is compatible and almost a standard for transport layer security. It provides security to the entire communication channel. SSL provides a new method of public key encryption. It provides options for caching the session to reduce repeated network activities. It reduces the CPU load.

Security Achieved by the Secure Sockets Layer (SSL)

Confidentiality: Encrypt data being sent between client and server, so that passive wire tappers cannot read sensitive data.


Integrity Protection: Protect against modification of messages by an active wire tapper.

Authentication: Verify that a peer is who they claim to be. Servers are usually authenticated, and clients may be authenticated if requested by servers.

How SSL Achieves Confidentiality

• Create a secret key
   o Based on information generated by the client with a secure random number generator
• Use public keys to exchange the secret key
   o The server sends its public key to the client
   o The client encrypts the secret key with the server's public key and sends it to the server
   o The server decrypts the secret key information with the server's private key
• Encrypt and decrypt data with the secret key
   o The client and server use the negotiated algorithm

How SSL Achieves Integrity Protection

Client and server use their secret key, and an agreed-upon cryptographic hash function, to attach an HMAC to each message sent. The receiver checks that each message has not been altered.
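The integrity check described above, as an added example that is not part of the notes and not SSL's actual record format: each message is sent as a sequence number, the payload and an HMAC-SHA256 tag computed with the shared session key over both. The receiver recomputes the tag and rejects a record that was altered by an active tapper, replayed out of sequence, or authenticated under the wrong key. The session key is a constructed constant here; in SSL it would come out of the handshake.

```python
import hashlib
import hmac

# Constructed session key (assumption); SSL would derive it from the
# handshake's key exchange rather than write it down like this.
SESSION_KEY = bytes(range(32))

SEQ_LEN = 8    # bytes of sequence number prepended to each record
TAG_LEN = 32   # HMAC-SHA256 output size


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a record: sequence number || payload || HMAC tag.

    The sequence number is covered by the MAC, so a record that is replayed
    or delivered out of order fails verification just like one whose bytes
    were altered in flight.
    """
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(key: bytes, expected_seq: int, record: bytes):
    """Return the payload if tag and sequence number check out, else None."""
    if len(record) < SEQ_LEN + TAG_LEN:
        return None
    header = record[:SEQ_LEN]
    payload = record[SEQ_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    # compare_digest runs in constant time so timing does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    if int.from_bytes(header, "big") != expected_seq:
        return None
    return payload


def demo() -> dict:
    """Genuine, altered, replayed and wrong-key records as a receiver sees them."""
    message = b"transfer 100 to account 42"      # constructed sample message
    record = protect(SESSION_KEY, 0, message)

    altered = bytearray(record)
    altered[SEQ_LEN + 9:SEQ_LEN + 12] = b"900"   # active tapper changes the amount

    return {
        "genuine": verify(SESSION_KEY, 0, record) == message,
        "altered": verify(SESSION_KEY, 0, bytes(altered)) is None,
        "replayed": verify(SESSION_KEY, 1, record) is None,
        "wrong_key": verify(b"x" * 32, 0, record) is None,
    }


if __name__ == "__main__":
    print(demo())   # every entry True
```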

How SSL Works

1. Handshake - a negotiation process that creates or rejoins a session
2. If the handshake succeeds, then encrypted data can be exchanged; else the connection is aborted.

The Handshake

• Negotiate the cipher suite
• Authenticate identities (optional)
• Exchange secret key


Negotiate the Cipher Suite

A cipher suite is a set of cryptographic algorithms:
   o An algorithm for exchanging a secret key
   o A secret key encryption algorithm and key length
   o A cryptographic hash function

The client tells the server which cipher suites it has available, and the server chooses the best mutually acceptable cipher suite.

The SSL handshake protocol provides the following:
• Authentication between the server and the client
• Communicating the encrypting and deciphering algorithms
• Communicating the encrypting and deciphering keys
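The cipher suite negotiation step, as an added example that is not from the notes: the client sends the suites it supports, the server walks its own preference list and returns the first one the client also offered, and a handshake with no common suite is aborted, as the "How SSL Works" step above says. The suite names, their parameters and the 128-bit policy minimum are constructed for illustration, not real SSL/TLS identifiers; the defensive point is that the server filters weak suites out before choosing, so a client cannot talk it down by offering only a weak one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str   # algorithm for exchanging the secret key
    cipher: str         # secret key encryption algorithm
    key_bits: int       # key length
    hash_fn: str        # cryptographic hash function for the HMAC


# Constructed suite catalogue (illustrative labels, not real SSL/TLS names).
SUITES = {s.name: s for s in (
    CipherSuite("ECDHE-AES256-SHA384", "ECDHE", "AES", 256, "SHA-384"),
    CipherSuite("RSA-AES128-SHA256", "RSA", "AES", 128, "SHA-256"),
    CipherSuite("RSA-3DES-SHA1", "RSA", "3DES", 112, "SHA-1"),
    CipherSuite("RSA-EXPORT-RC4_40-MD5", "RSA", "RC4", 40, "MD5"),
)}

# Constructed server preference order, strongest first.
SERVER_PREFERENCE = ["ECDHE-AES256-SHA384", "RSA-AES128-SHA256",
                     "RSA-3DES-SHA1", "RSA-EXPORT-RC4_40-MD5"]


class HandshakeFailed(Exception):
    """No acceptable suite exists; the connection is aborted."""


def acceptable(server_preference, min_key_bits):
    """Server's preference list with suites below the policy minimum removed."""
    return [n for n in server_preference if SUITES[n].key_bits >= min_key_bits]


def negotiate(client_offer, server_preference=SERVER_PREFERENCE,
              min_key_bits=128) -> CipherSuite:
    """Pick the first suite in the server's filtered order that the client
    offered; the server's ranking decides, not the order the client sent."""
    offered = set(client_offer)
    for name in acceptable(server_preference, min_key_bits):
        if name in offered:
            return SUITES[name]
    raise HandshakeFailed("no mutually acceptable cipher suite; connection aborted")


def handshake_succeeds(client_offer, server_preference=SERVER_PREFERENCE,
                       min_key_bits=128) -> bool:
    """True if the negotiation step of the handshake would succeed."""
    try:
        negotiate(client_offer, server_preference, min_key_bits)
        return True
    except HandshakeFailed:
        return False


if __name__ == "__main__":
    print(negotiate(["RSA-EXPORT-RC4_40-MD5", "RSA-AES128-SHA256"]).name)
    print(handshake_succeeds(["RSA-EXPORT-RC4_40-MD5"]))   # False: aborted
```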

5.5 ENCRYPTION

Encryption is a process that takes information and transcribes it into a different form that cannot be read by anyone who does not have the encryption code. Depending on the type of encryption, information can be displayed as various numbers, letters, or symbols. Those who work in cryptography fields make it their job to encrypt information or to break codes to receive encrypted information.

The encrypted data are useful for the following reasons:

1. To obtain added security when sending messages through the internet
2. For verifying the authenticity of the sender or the receiver
3. While signing documents
4. For distributing the keys for an encryption algorithm.

Types

• Symmetric key encryption
• Asymmetric key encryption
• Manual encryption
• Transparent encryption
• Email encryption


Manual Encryption

Manual encryption is a type that involves the use of encryption software. These are computer programs that encrypt various bits of information digitally. Manual encryption involves the user's participation completely. The files he wants to encrypt are chosen, and then an encryption type is chosen from a list that the security system provides. This is great for personal computers because it allows a user to encrypt personal files in a way that will suit him, thus protecting personal material on a computer.

Transparent Encryption

Transparent encryption is another type of computer software encryption. It can be downloaded onto a computer to encrypt everything automatically. This is one of the most secure types of encryption available because it doesn't leave out anything that might be forgotten when using manual encryption. Every executable application and file created in the computer has an encrypted copy that can withstand power surges and protects information in case a computer is stolen.

Symmetric Encryption

Not all encryption is done via a computer software program. You can easily encrypt information by yourself. One of the simplest ways to do this is through symmetric encryption. Here, a letter or number coincides with another letter or number in the encryption code. You can make the code up yourself -- for example, a=1, b=2 and so on. You can take any written text and substitute letters and numbers for their coded counterpart, thus encrypting the text.

Asymmetric Encryption

Asymmetric encryption is a secure and easy way that can be used to encrypt data that you will be receiving. It is generally done electronically. A public key is given out to whomever you want or posted somewhere for the public to see. They can then encrypt information using the key and send it to you. This is often done when writing emails. However, to decipher the encrypted code, there is another key, a private one, that only one person has. This means that while anyone can encrypt the data with the public key, it can only be read again by whoever has the private key.

Email Encryption

As mentioned, email encryption typically uses asymmetrical encryption methods. This means that emails that are received cannot be read by others, such as hackers who may be trying to get into an email inbox. There are two types of encryption methods used with email. The first is when a central station, such as an email provider, has the sole decision in who gets the private key to the email. This is usually given only to the user of an email address. The second type gives the user control over who gets the key. This means they can allow others to read encrypted emails with the private key they are given.


Terminologies Used:

Plaintext: This is what you want to encrypt.

Cipher text: The encrypted output.

Enciphering or encryption: The process by which plaintext is converted into cipher text.

Encryption algorithm: The sequence of data processing steps that go into transforming plaintext into cipher text. Various parameters used by an encryption algorithm are derived from a secret key. In classical cryptography for commercial and other civilian applications, the encryption algorithm is made public.

Secret key: A secret key is used to set some or all of the various parameters used by the encryption algorithm. The important thing to note is that the same secret key is used for encryption and decryption in classical cryptography. It is for this reason that classical cryptography is also referred to as symmetric key cryptography.

Deciphering or decryption: Recovering plaintext from cipher text.

Decryption algorithm: The sequence of data processing steps that go into transforming ciphertext back into plaintext. Various parameters used by a decryption algorithm are derived from the same secret key that was used in the encryption algorithm. In classical cryptography for commercial and other civilian applications, the decryption algorithm is made public.


Cryptography: The many schemes available today for encryption and decryption.

Cryptographic system: Any single scheme for encryption.

Cipher: A cipher means the same thing as a "cryptographic system".

Block cipher: A block cipher processes a block of input data at a time and produces a cipher text block of the same size.

Stream cipher: A stream cipher encrypts data on the fly, usually one byte at a time.

Cryptanalysis: Means "breaking the code". Cryptanalysis relies on a knowledge of the encryption algorithm (that for civilian applications should be in the public domain) and some knowledge of the possible structure of the plaintext (such as the structure of a typical inter-bank financial transaction) for a partial or full reconstruction of the plaintext from cipher text. Additionally, the goal is to also infer the key for decryption of future messages.

Building Blocks of Classical Encryption Techniques

Two building blocks of all classical encryption techniques are substitution and transposition. Substitution means replacing an element of the plaintext with an element of cipher text. Transposition means rearranging the order of appearance of the elements of the plaintext. Transposition is also referred to as permutation.

Caesar Cipher

This is the earliest known example of a substitution cipher.


Each character of a message is replaced by the character three positions down in the alphabet.

Example:

plaintext: are you ready
ciphertext: DUH BRX UHDGB
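The two building blocks named above, worked in code as an added example (not from the notes): `caesar_encrypt` is the substitution cipher of the example, generalised to any shift, and `columnar_transpose` is a simple transposition that keeps every letter but permutes positions. `break_caesar` shows why the Caesar cipher is only of historical interest: the algorithm is public and there are only 25 keys, so cryptanalysis as defined above is an exhaustive search with a few expected plaintext words as the check. The crib words and the 4-column transposition key are constructed assumptions.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Substitution: replace each letter by the one `shift` positions down the
    alphabet (Z wraps to A). Output is upper case, as in the notes' example;
    spaces and other non-letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Decryption is encryption with the opposite shift."""
    return caesar_encrypt(ciphertext, -shift)


def break_caesar(ciphertext: str, crib_words=("THE", "YOU", "ARE", "AND")):
    """Cryptanalysis: try all 25 shifts and keep the candidate that contains
    a word expected in the plaintext. Returns (shift, plaintext) or None.
    The crib words are a constructed assumption about the message."""
    for shift in range(1, 26):
        candidate = caesar_decrypt(ciphertext, shift)
        if any(word in candidate.split() for word in crib_words):
            return shift, candidate
    return None


def columnar_transpose(plaintext: str, columns: int = 4, pad: str = "X") -> str:
    """Transposition: write the letters row by row into `columns` columns and
    read them out column by column. Every letter is kept; only its position
    changes, so letter frequencies are unchanged."""
    text = plaintext.replace(" ", "").upper()
    while len(text) % columns:
        text += pad
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def columnar_untranspose(ciphertext: str, columns: int = 4) -> str:
    """Inverse of columnar_transpose (padding characters are left in place)."""
    height = len(ciphertext) // columns
    cols = [ciphertext[i * height:(i + 1) * height] for i in range(columns)]
    return "".join(cols[c][r] for r in range(height) for c in range(columns))


if __name__ == "__main__":
    print(caesar_encrypt("are you ready"))      # DUH BRX UHDGB
    print(break_caesar("DUH BRX UHDGB"))        # (3, 'ARE YOU READY')
    print(columnar_transpose("are you ready"))  # AOARUDERYYEX
```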

5.6 FIREWALL TECHNOLOGY

Motivation

• Communication systems continue to be a fundamental infrastructure resource
• Risks
   o computation and communication resources
   o data
   o reputation
• Note that firewall technology is only one piece of a large security puzzle

Model of communication and generic firewall model

A firewall guards and isolates an inside (private) network -- an intranet -- from an outside (hence untrusted) network: the Internet, for instance. A firewall may also guard some parts of an internal network against other parts.

Domains A and A*, though parts of one organization's network, are physically separate and communicate through an outside (untrusted) network. Firewalls can only control communication traffic to, from, or through that outside network, such as indicated by arrows a, b, and c. They cannot control communication traffic d and d', which do not leave the protected networks' boundaries, and communication traffic e, which simply extends through the outside network. Note that arrow c indicates virtual private networking (VPN) traffic.


5.6.1 Definition of Firewall Technology

Firewall technology is defined as a set of mechanisms that collectively enforce a network domain security policy on communication traffic entering or leaving a guarded network policy domain.

5.6.2 Mechanisms for firewall technology

• Packet filtering routers
• Bastion hosts
• Network address translators
• Circuit-level gateways
• Application-level proxies

In general, the various firewall security mechanisms address themselves to specific layers in the open systems interconnection (OSI) network model. Several mechanisms can be combined into a comprehensive firewall system, but the mechanisms should be chosen and coordinated so that they do not work against each other.

5.6.3 Packet filtering routers and bastion hosts

All packet-filter firewalls deny access to traffic that does not meet a set of rules [indicated in the figure by a red line with an x] and pass traffic that does [green lines with arrowheads].
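A packet filter of the kind just described, as an added example that is not from the notes or any firewall product: an ordered rule list over source and destination prefix, protocol and destination port, evaluated first-match-wins with a default deny for anything no rule passes. The rule set and the addresses are constructed (RFC 5737 documentation ranges stand in for the protected and partner networks); the two leading deny rules show the usual anti-spoofing placement, private source addresses rejected before any pass rule can match them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "deny"
    src: str = "0.0.0.0/0"       # source prefix, default any
    dst: str = "0.0.0.0/0"       # destination prefix, default any
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule set; 203.0.113.0/24 plays the protected network and
# 198.51.100.0/24 a trusted partner network. Order matters: first match wins.
RULES = [
    # anti-spoofing: private source addresses never arrive legitimately from outside
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", src="192.168.0.0/16"),
    # public web server, reachable by anyone
    Rule("pass", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("pass", dst="203.0.113.10/32", proto="tcp", dport=80),
    # administrative SSH only from the partner network
    Rule("pass", src="198.51.100.0/24", dst="203.0.113.20/32", proto="tcp", dport=22),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule; default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def audit(packets, rules=RULES):
    """Decisions for a batch of packets, in the shape a firewall log records them."""
    return [(p.src, p.dst, p.proto, p.dport, filter_packet(p, rules)) for p in packets]


if __name__ == "__main__":
    sample = [  # constructed traffic
        Packet("192.0.2.9", "203.0.113.10", "tcp", 443),   # web: pass
        Packet("192.0.2.9", "203.0.113.10", "tcp", 23),    # telnet: deny (no rule)
        Packet("10.1.2.3", "203.0.113.10", "tcp", 443),    # spoofed source: deny
        Packet("198.51.100.7", "203.0.113.20", "tcp", 22), # partner SSH: pass
        Packet("192.0.2.9", "203.0.113.20", "tcp", 22),    # SSH from elsewhere: deny
    ]
    for line in audit(sample):
        print(line)
```

Because the filter sees only addresses, protocol and port, it cannot tell a well-formed HTTP request from an attack carried inside one; that is the "data driven attacks" limitation listed under the shortcomings later in this unit, and the reason application-level proxies exist.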


In a screened-host firewall, a router at network level controls access to and from a single host - called a bastion host - through which all traffic to and from the protected network must travel. Direct access to the protected network is denied and the bastion host does not forward packets. The bastion host is a highly defended, secured strongpoint that - one hopes - can resist attack.

In a screened-subnet firewall, a pair of routers control access to a small network of bastion hosts. The screened subnet is also called a "demilitarized zone" (DMZ).

5.6.4 Network address translators

A network address translator hides internal addresses from the outside world. Network address translation (NAT) routers contain a table of outside and inside addresses. They translate the outside address of an incoming message into the hidden inside address, and do the reverse for an outgoing message.
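The translation table the paragraph describes, as an added example that is not from the notes: a port-based NAT router with one public address rewrites the source of outgoing packets and creates a table entry, then uses that entry to rewrite the destination of the reply back to the hidden inside address. A packet arriving for a public port with no table entry is dropped, which is how NAT incidentally keeps unsolicited inbound traffic off the internal network. All addresses are constructed (RFC 1918 inside, RFC 5737 documentation ranges outside), as is the 40000 starting port.

```python
from itertools import count


class NatRouter:
    """Port-based NAT: one public address shared by many inside hosts.

    The translation table is the notes' "table of outside and inside
    addresses": each inside (address, port) pair gets a distinct port on the
    router's single public address.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port)

    def translate_outgoing(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an inside->outside packet to the public
        address, creating a table entry on first use.
        Returns the rewritten (src_ip, src_port, dst_ip, dst_port)."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            public_port = next(self._next_port)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_incoming(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of an outside->inside packet back to the
        hidden inside address. Returns None (drop) when no inside host
        created the mapping, so unsolicited inbound traffic never reaches
        the protected network."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        inside_ip, inside_port = self.inbound[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)


def demo():
    """Two inside hosts reach the same outside server with the same local port;
    the reply to the first is delivered, a stray packet is dropped."""
    nat = NatRouter("203.0.113.1")
    a = nat.translate_outgoing("192.168.1.10", 51515, "198.51.100.5", 80)
    b = nat.translate_outgoing("192.168.1.11", 51515, "198.51.100.5", 80)
    reply_a = nat.translate_incoming("198.51.100.5", 80, "203.0.113.1", a[1])
    stray = nat.translate_incoming("198.51.100.5", 80, "203.0.113.1", 40999)
    return a, b, reply_a, stray


if __name__ == "__main__":
    for step in demo():
        print(step)
```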

5.6.5 Circuit-level gateways

Many firewalls now include built-in support for Socks (the name derives from Unix Sockets), software that allows applications to access a variety of communication protocols. Thus Socks can handle many different types of traffic, routing packets between compatible clients and servers in the untrusted network and the protected one. In effect, it forms a circuit between a client and server; but it acts as a proxy, too, forwarding only those packets deemed acceptable.

5.6.6 Application-level proxies

An application-level firewall uses application-specific proxies that can interact with the source and destination of a message to determine whether it meets security standards, and then allows or denies access on the basis of its evaluation. Separate proxies are needed for each application.

Further, a so-called "dual-homed" application-level firewall can be built by installing two interfaces, one on each network. So a popular location for such a firewall is a bastion host, in either a screened-host or screened-subnet firewall.

5.6.7 Potential Advantages of Firewall Technology

• Protection against external network based attacks (prevention)
• Focus of security decisions
• Additional services (e.g., authentication prior to network access)
• Access control at the IP/port level
• Privacy
   o data
   o infrastructure and topology information
• Audit
• Manageability of security enforcement
• Transparency to user (not always)
• Technology is available for purchase

5.6.8 Shortcomings of Firewall Technology

Opaque to users
No replacement for internal/host security
Firewalls often generate a false sense of security
Limited protection against:
o malicious insiders
o tunneled connections
o data driven attacks
o novel attacks
o denial of service
Operational difficulties
No protection against connections that circumvent the firewall!
Efficiency questions
Single point of failure

5.6.9 The Firewall Life Cycle

The phases of the firewall's life cycle, shown in blue rectangles, use the methods in the brown hexagons to the right to produce the results noted in the beige ovals. The life cycle progresses diagonally, beginning with the all-important definition of security policy and arriving at implementation, review, and testing after high-level design, selection of components, and detailed design. Even after the firewall is in use, periodic review and testing during the system's lifetime may result in an earlier phase being revisited (indicated by the upward-pointing blue arrows), as when a new, improved firewall component becomes available or when defects in an earlier phase are discovered.


5.7 PACKET FILTERING

Packet filtering is the process of passing or blocking packets at a network interface based on source and destination addresses, ports, or protocols. The process is used in conjunction with packet mangling and Network Address Translation (NAT). Packet filtering is often part of a firewall program for protecting a local network from unwanted intrusion.

In a software firewall, packet filtering is done by a program called a packet filter. The packet filter examines the header of each packet based on a specific set of rules, and on that basis decides to prevent it from passing (called DROP) or allow it to pass (called ACCEPT).

There are three ways in which a packet filter can be configured, once the set of filtering rules has been defined. In the first method, the filter accepts only those packets that it is certain are safe, dropping all others. This is the most secure mode, but it can cause inconvenience if legitimate packets are inadvertently dropped. In the second method, the filter drops only the packets that it is certain are unsafe, accepting all others. This mode is the least secure, but it causes less inconvenience, particularly in casual Web browsing. In the third method, if the filter encounters a packet for which its rules do not provide instructions, that packet can be quarantined, or the user can be specifically queried concerning what should be done with it. This can be inconvenient if it causes numerous dialog boxes to appear, for example, during Web browsing.

5.8 NETWORK ADDRESS TRANSLATION

Overview

NAT is an acronym for Network Address Translation. It is a commonly used IP translation and mapping technology.

It is a technology that allows your home network to share internet access. Using a device or piece of software that implements NAT allows an entire home network to share a single internet connection over a single IP address. A single cable modem, DSL modem, or even 56k modem could connect all the computers in your home to the internet simultaneously. Additionally, NAT keeps your home network fairly secure from hackers.


NAT is built in to the most common Internet Connection Sharing technologies around. Microsoft has built their ICS around it, and every Cable/DSL Broadband Router on the market accomplishes its job with NAT.

How does it work?

NAT acts as an interpreter between two networks. In the case of a home network, it sits between the internet and your home network. The internet is considered the 'public' side and your home network is considered the 'private' side.

When a computer on the private side requests data from the public side (the internet), the NAT device will open a little conduit between your computer and the destination computer. When the public computer returns results from the request, they are passed back through the NAT device to the requesting computer.

Security: Basic NAT is not a real firewall?

Basic NAT devices are not real firewalls, but they are usually considered 'good enough' for most home networks. By not forwarding requests or probes that originate from the internet to your LAN, a NAT device blocks most mischief. A simple NAT device cannot keep hackers from running DoS (Denial of Service) attacks on you, but individuals rarely get attacked like that.

It will keep out people looking for file shares, rogue mail servers and web servers, and most port based exploits. Most also protect against SMURF and WinNuke attacks. With a NAT device and a good anti-virus program, you should be safe from the most common kinds of internet attacks.


Stateful packet inspection (SPI)

Some NAT routers have an advanced form of firewall built in that does 'stateful packet inspection'. This allows the NAT device to filter out specific kinds of data on your router like SYN flood attacks, IP spoofing, Teardrop attacks and others.

SPI is a general term that can describe a router that filters more kinds of attacks than basic NAT by closely examining packet data structures. Of course, each manufacturer will implement different kinds of SPI, so not all SPI routers are equal. Routers with SPI can often log attacks.

What If I want to host a server?

Most NAT devices allow you to create maps between the internet and your computer network; this is called port forwarding.

Example: A request on port 80 from the Internet (looking for a web server on your IP address) would normally be turned away by a NAT device. A special mapping can be set up to send that request from the internet to a specific computer on your network. One of your LAN computers could host a web server on the Internet, and another computer (or the same one) could host an FTP server, because the two services work on different ports. Only a few special programs on the internet will not work using this port forwarding system.

Network Address Translation - the Need.

The reason why NAT is so important is that address space under IPv4 (the current version) is limited. There are four octets, totaling 32 bits of address space. We've tried classing the address space, we've tried using CIDR, but nevertheless address space will eventually run out.

Our "stop gap" measures have, however, succeeded in preserving the address space for longer than we all thought possible. RFC 1918 provides the rules for using a set of reserved numbers guaranteed never to be in use on the Internet. The beauty of it is that every company that connects can pick from the same set of reserved numbers, and it doesn't matter. However, as these numbers are not routed around the Internet at all, we have to have a method of transmitting packets around the Internet, receiving the replies, and then sending the packets inwards to our network to the correct computer on our LAN, and the correct session on that computer. This is where NAT comes in.

To use NAT, the router which connects your LAN to the Internet will have two addresses. On the LAN side, it will have an address from the particular RFC 1918 address range you chose to use and, on the Internet side, it will have an address assigned to you by your current ISP.

Network Address Translation - Dynamic vs. Static

Finally, a quick word on the difference between dynamic NAT and static NAT. What has been defined so far is known as dynamic NAT: all packets leaving your LAN for the Internet contain the same source IP address, which is the public one assigned to your router.

There is one drawback with this. If the router is the only device with a public address, then there is no way for you to provide information services on any computer on your network. Suppose that, despite being a good network citizen and using RFC 1918 addressing, you nevertheless wish to provide a Web server, or an ftp repository, for example. You can't, because no one on the Internet has any way of specifying that they want to connect to the specific computer containing the server.

However, static NAT allows this to happen. First, you will need to get your ISP to allocate you a block of public addresses. Using CIDR, most ISPs will allocate you a block of eight addresses. Because of certain rules which we won't go into here, you will have five of these eight available for use for static mapping.
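The following Python, added here and not part of the notes, models the NAT router's address table from "How does it work?", the port-forwarding mapping for a LAN web server, and the dynamic versus static distinction just described. The router, addresses and ports are constructed sample values; a real router would also expire idle conduits and handle protocols other than TCP/UDP.

```python
# Added example, not from the lecture notes: a model of a NAT router's address
# table covering dynamic NAT (all LAN hosts leave with the router's one public
# address), port forwarding for a LAN web server, and static one-to-one NAT.
# All addresses and ports are constructed sample values.
from dataclasses import dataclass, field
from itertools import count

@dataclass(frozen=True)
class Packet:                 # only the header fields NAT rewrites
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    public_ip: str                                    # address assigned by the ISP
    port_forward: dict = field(default_factory=dict)  # public port -> (lan ip, lan port)
    static_map: dict = field(default_factory=dict)    # extra public ip -> lan ip
    conduits: dict = field(default_factory=dict)      # public port -> (lan ip, lan port, remote ip, remote port)
    _ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, p: Packet) -> Packet:
        """LAN -> Internet: replace the private source address."""
        for pub_ip, lan_ip in self.static_map.items():     # static NAT: fixed public address
            if lan_ip == p.src_ip:
                return Packet(pub_ip, p.src_port, p.dst_ip, p.dst_port)
        for pub_port, lan in self.port_forward.items():    # reply from a forwarded server
            if lan == (p.src_ip, p.src_port):
                return Packet(self.public_ip, pub_port, p.dst_ip, p.dst_port)
        for pub_port, c in self.conduits.items():          # existing conduit for this flow
            if c == (p.src_ip, p.src_port, p.dst_ip, p.dst_port):
                return Packet(self.public_ip, pub_port, p.dst_ip, p.dst_port)
        pub_port = next(self._ports)                       # open a new conduit
        self.conduits[pub_port] = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return Packet(self.public_ip, pub_port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet):
        """Internet -> LAN: deliver replies and mapped services; None means dropped."""
        if p.dst_ip in self.static_map:
            return Packet(p.src_ip, p.src_port, self.static_map[p.dst_ip], p.dst_port)
        if p.dst_ip != self.public_ip:
            return None
        c = self.conduits.get(p.dst_port)
        if c and (p.src_ip, p.src_port) == (c[2], c[3]):  # reply to an open conduit
            return Packet(p.src_ip, p.src_port, c[0], c[1])
        if p.dst_port in self.port_forward:               # mapped service, e.g. port 80
            lan_ip, lan_port = self.port_forward[p.dst_port]
            return Packet(p.src_ip, p.src_port, lan_ip, lan_port)
        return None                                       # unsolicited probe: not forwarded
```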


5.9 APPLICATION LEVEL PROXIES

Proxy servers were originally developed to cache web pages that were frequently accessed. In the early days of the internet, wide area links were slow, the web was relatively small, and the web pages were static. By caching a page on a local server, proxies could eliminate redundant internet access to retrieve the same page over and over.

Proxy servers regenerate high-level service requests on an external network for their clients on a private network. This effectively hides the identity and number of clients on the internal network from examination from the external network.

Security advantages of proxies

Proxies hide private clients from external exposure
They can block dangerous URLs
They can filter dangerous content such as viruses and trojan horses before passing it to the client
They can check the consistency of returned content
They can eliminate the need for transport layer routing between networks
They provide a single point of access, control, and logging
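As an added illustration (not the notes' own material), the following Python shows the decision points listed above for an HTTP application-level proxy: denying a blocked host, regenerating the request so the private client stays hidden, and checking returned content before the client sees it. BLOCKED_HOSTS, DANGEROUS_MARKERS and PROXY_ADDR are constructed stand-ins.

```python
# Added example, not from the lecture notes: the decision logic of a simple HTTP
# application-level proxy. BLOCKED_HOSTS, DANGEROUS_MARKERS (a stand-in for
# anti-virus signatures) and PROXY_ADDR are constructed sample values.
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"malware.example.invalid", "phish.example.invalid"}
DANGEROUS_MARKERS = [b"CONSTRUCTED-MALWARE-MARKER"]
PROXY_ADDR = "203.0.113.1"          # the only address the external network ever sees

def parse_request_line(line: str):
    """Split 'GET http://host/path HTTP/1.1' into (method, url, version)."""
    method, url, version = line.strip().split(" ", 2)
    return method, url, version

def check_request(client_ip: str, request_line: str, log: list):
    """Allow or deny a client's request. Every decision is logged here, the
    single point of access and control. Returns (allowed, destination host)."""
    method, url, _ = parse_request_line(request_line)
    host = urlsplit(url).hostname or ""
    if method not in ("GET", "POST", "HEAD"):
        verdict = "DENY method"
    elif host in BLOCKED_HOSTS:
        verdict = "DENY blocked host"
    else:
        verdict = "ALLOW"
    log.append(f"{client_ip} {method} {url} -> {verdict}")
    return verdict == "ALLOW", host

def outbound_headers(client_headers: dict) -> dict:
    """Regenerate the request as the proxy's own so the private client stays hidden."""
    hdrs = {k: v for k, v in client_headers.items()
            if k.lower() not in ("x-forwarded-for", "from", "via")}
    hdrs["Via"] = f"1.1 {PROXY_ADDR}"
    return hdrs

def check_response(headers: dict, body: bytes):
    """Consistency and content checks on what came back, before the client sees it."""
    declared = headers.get("Content-Length")
    if declared is not None and int(declared) != len(body):
        return False, "length mismatch"
    for marker in DANGEROUS_MARKERS:
        if marker in body:
            return False, "dangerous content"
    return True, "ok"
```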

5.10 VIRTUAL PRIVATE NETWORKS

Virtual private network (VPN) technologies are supported in Microsoft Windows. An extension of a private network, a VPN encompasses links across shared or public networks. VPN connections use the connectivity of the Internet plus a combination of tunneling and data encryption technologies, such as the Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec), to connect remote clients and remote offices.

VPNs are a cost effective way to extend your LAN over the internet to remote networks and remote client computers. They use the internet to route LAN traffic from one private network to another by encapsulating the LAN traffic in IP packets.


Virtual private networks solve the problem of direct internet access to servers through a combination of the following fundamental security components:
IP encapsulation
Cryptographic authentication
Data payload encryption

Characteristics of VPN
VPNs are cheaper than WANs
They are easier to establish
They are slower than LANs
They are less reliable
They are less secure

Types of VPN
Server based VPNs
Firewall based VPNs
Router based VPNs

5.11 IDEAL FIREWALL

The ideal firewall defines your security requirements and helps to figure out what general type of security your business requires. It also explains exactly how to configure your border gateways to achieve that level of security.

Defining your security requirements

No two networks have exactly the same security requirements. To decide just how much effort to expend in securing your network, you need to know the value of the data in your network, the publicity or visibility of your organization, and the harm that could be caused by loss of services. You should also consider how much disruption or imposition in the name of security you can live with on your network.


Configuring the rules

Once you've determined the degree of paranoia that is justified for your network, you can set up the firewalling rules that keep the crackers out.

Every firewall allows you to establish a set of rules that will specify what trans-firewall traffic will be allowed and what will not, as well as to establish and manipulate these rules.

Rules about rules:
Apply in order
Per interface
Per type of packet (TCP, UDP, ICMP)
Per source and destination addresses
Per source and destination ports
Per options
Per ICMP message type
Per ACK bit for TCP
Protocol-specific proxying rules
Logging
Graphical user interface
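The following Python, added here and not from the notes, ties section 5.7 and the "rules about rules" list together: it evaluates an ordered rule list over interface, protocol, addresses, destination port, ICMP message type and the TCP ACK bit, logs the decision, and falls back to one of the three default policies of 5.7 (DROP, ACCEPT or QUARANTINE) when no rule matches. The interface name, rules and packets are constructed sample values.

```python
# Added example, not from the lecture notes: an ordered packet filter over the
# header fields named in the rule list, with the three default policies of 5.7.
# All rules, interfaces and addresses below are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    iface: str; proto: str; src: str; dst: str
    sport: int = 0; dport: int = 0; ack: bool = False; icmp_type: int = -1

@dataclass
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    iface: Optional[str] = None      # per interface
    proto: Optional[str] = None      # per type of packet: TCP, UDP, ICMP
    src: str = "0.0.0.0/0"; dst: str = "0.0.0.0/0"   # per source/destination address
    dport: Optional[int] = None      # per destination port
    ack: Optional[bool] = None       # per ACK bit: True matches only TCP replies
    icmp_type: Optional[int] = None  # per ICMP message type

    def matches(self, p: Packet) -> bool:
        wanted = [(self.iface, p.iface), (self.proto, p.proto), (self.dport, p.dport),
                  (self.ack, p.ack), (self.icmp_type, p.icmp_type)]
        if any(want is not None and want != got for want, got in wanted):
            return False
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))

def filter_packet(p: Packet, rules: list, default: str, log: list) -> str:
    """Rules apply in order; the first match decides. 'default' covers the rest:
    DROP = accept only what is known safe, ACCEPT = drop only what is known
    unsafe, QUARANTINE = hold the packet and ask the user what to do."""
    flow = f"{p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport} via {p.iface}"
    for i, r in enumerate(rules):
        if r.matches(p):
            log.append(f"rule {i} {r.action} {flow}")
            return r.action
    log.append(f"no rule {default} {flow}")
    return default

# Constructed rule set for external interface "ext" in front of 192.168.1.0/24.
RULES = [
    Rule("ACCEPT", iface="ext", proto="TCP", dst="192.168.1.10/32", dport=80),  # public web server
    Rule("ACCEPT", iface="ext", proto="TCP", dst="192.168.1.0/24", ack=True),    # replies to LAN clients
    Rule("DROP", iface="ext", proto="TCP", dst="192.168.1.0/24", ack=False),     # new inbound connections
    Rule("ACCEPT", iface="ext", proto="ICMP", icmp_type=0),                      # echo reply
    Rule("DROP", iface="ext", proto="ICMP", icmp_type=8),                        # echo request
]
```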

Rules for security level

There are five levels:
Aware
Concerned
Cautious
Strict
Paranoid