CYBER SECURITY- TUTORIAL2 FROM: SWETA DARGAD ASSISTANT PROFESSOR NTC


NETWORK DEFENCE TOOLS

• 1. Explain what a computer network is.

• 2. Explain what a firewall is.

• 3. List the types of firewalls and explain each in brief.

• 4. Difference between a packet filter and a firewall.

• 5. Write the difference between a stateless and a stateful firewall.

• 6. Explain what NAT is.

• 7. What is port forwarding?

• 8. Difference between the Windows firewall and the Linux firewall.

• 9. What is an intrusion detection system?

WHAT IS A COMPUTER NETWORK

A computer network is a group of computer systems and other computing hardware devices that are linked together through communication channels to facilitate communication and resource-sharing among a wide range of users.

1. Local Area Networks (LAN)

2. Personal Area Networks (PAN)

3. Home Area Networks (HAN)

4. Wide Area Networks (WAN)

5. Campus Networks

6. Metropolitan Area Networks (MAN)

7. Enterprise Private Networks

8. Internetworks

9. Backbone Networks (BBN)

10. Global Area Networks (GAN)

11. The Internet

NETWORKS ARE USED TO

1. Facilitate communication via email, video conferencing, instant messaging, etc.

2. Enable multiple users to share a single hardware device like a printer or scanner

3. Enable file sharing across the network

4. Allow for the sharing of software or operating programs on remote systems

5. Make information easier to access and maintain among network users

WHAT IS A FIREWALL

A firewall is software or hardware that checks information coming from the Internet or a network, and then either blocks it or allows it to pass through to your computer, depending on your firewall settings.

A choke point of control and monitoring

Interconnects networks with differing trust

Imposes restrictions on network services

only authorized traffic is allowed

Auditing and controlling access

can implement alarms for abnormal behavior

Itself immune to penetration

Provides perimeter defence

FIREWALL

TYPES OF FIREWALLS

Packet filtering

Application gateways/Proxy Firewalls:

Circuit gateways/ Network layer Firewalls

Unified threat management

FIREWALLS – PACKET FILTERS

Simplest of components

Uses transport-layer information only

IP Source Address, Destination Address

Protocol/Next Header (TCP, UDP, ICMP, etc)

TCP or UDP source & destination ports

TCP Flags (SYN, ACK, FIN, RST, PSH, etc)

ICMP message type

Examples

DNS uses port 53

No incoming port 53 packets except known trusted servers

USAGE OF PACKET FILTERS

• Filtering with incoming or outgoing interfaces

• E.g., ingress filtering of spoofed IP addresses

• Egress filtering

• Permits or denies certain services

• Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems

Every ruleset is followed by an implicit rule reading like this.

Example 1: Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked.

Solution 1:

Example 2: Now suppose that we want to implement the policy "any inside host can send mail to the outside".

Solution 2:

This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough…

So why is it wrong?

The ACK signifies that the packet is part of an ongoing conversation

Packets without the ACK are connection establishment messages, which we are only permitting from internal hosts
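The two examples above, as an added illustration that is not part of the tutorial: a small first-match packet filter with the implicit default deny, the rules of Solution 1 and Solution 2, and the "so why is it wrong?" point. The naive ruleset lets mail replies in by trusting source port 25, which an outsider can choose freely; the fixed ruleset instead requires the ACK flag, so connection-establishment packets from outside never match. The addresses (10.0.0.0/8 as the inside network, 10.0.0.25 as the gateway, 203.0.113.7 standing in for SPIGOT) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for this example (not from the tutorial):
INSIDE = "10.0.0.0/8"      # our internal network
GATEWAY = "10.0.0.25"      # our mail gateway, the only inside host that may receive mail
SPIGOT = "203.0.113.7"     # stand-in address for the site "SPIGOT" whose mail we block


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False      # True when the TCP ACK flag is set


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    src: Optional[str] = None         # host or network; None matches anything
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    require_ack: bool = False         # match only packets that carry ACK
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.require_ack and not p.ack:
            return False
        return True


def evaluate(rules, p: Packet):
    """First matching rule wins; every ruleset ends in an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "implicit default deny"


# Solution 1 + Solution 2, with replies handled the naive way: remote mail servers
# answer "from port 25", so allow anything whose source port is 25.
NAIVE_RULES = [
    Rule("deny", src=SPIGOT, comment="Example 1: block everything from SPIGOT"),
    Rule("allow", dst=GATEWAY, dport=25, comment="Example 1: inbound SMTP only to the gateway"),
    Rule("allow", src=INSIDE, dport=25, comment="Example 2: any inside host may send mail out"),
    Rule("allow", sport=25, dst=INSIDE, comment="naive: replies from remote mail servers"),
]

# Corrected: return traffic must carry ACK, so a packet that tries to open a
# connection from outside (no ACK) never matches, whatever source port it uses.
FIXED_RULES = NAIVE_RULES[:3] + [
    Rule("allow", dst=INSIDE, require_ack=True, comment="replies to conversations started inside"),
]


def demo():
    # Outsider picks source port 25 and aims at an inside host's port 22 (no ACK: a new connection).
    probe = Packet("198.51.100.9", 25, "10.0.0.50", 22)
    # Genuine reply to a mail session an inside host opened (ACK set).
    reply = Packet("198.51.100.9", 25, "10.0.0.50", 40000, ack=True)
    return {
        "naive_probe": evaluate(NAIVE_RULES, probe)[0],   # "allow": this is why the naive rule is wrong
        "fixed_probe": evaluate(FIXED_RULES, probe)[0],   # "deny"
        "fixed_reply": evaluate(FIXED_RULES, reply)[0],   # "allow"
    }


if __name__ == "__main__":
    print(demo())
```

Rule order matters: the SPIGOT deny sits first so that no later allow can override it, and the implicit deny at the end is what makes "anything not listed" safe.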

SECURITY & PERFORMANCE OF PACKET FILTERS

IP address spoofing: fake source address to be trusted; add filters on the router to block it

Tiny fragment attacks: split TCP header info over several tiny packets; either discard or reassemble before checking

Degradation depends on the number of rules applied at any point; order rules so that the most common traffic is dealt with first; correctness is more important than speed

FIREWALLS – STATEFUL PACKET FILTERS

Traditional packet filters do not examine higher-layer context, i.e., matching return packets with the outgoing flow

Stateful packet filters address this need

They examine each IP packet in context

Keep track of client-server sessions

Check each packet validly belongs to one

Hence are better able to detect bogus packets out of context
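An added example, not from the tutorial, of what "examining each packet in context" means: a state table keyed by session, opened only by a SYN from an inside host, refreshed by every matching packet, and purged after an idle timeout. A bare ACK that matches no session is rejected even though a stateless "ACK set" rule would have passed it. The inside prefix and addresses are constructed, and the clock is injectable so the timeout behaviour can be exercised without waiting.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import time


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Tracks client-server sessions; only packets that belong to one are passed.

    A session is opened by a SYN (without ACK) from an inside host. Entries that
    go unused for longer than `timeout` seconds are dropped from the state table.
    """

    def __init__(self, inside: str, timeout: float = 60.0, clock=time.monotonic):
        self.inside = ip_network(inside)
        self.timeout = timeout
        self.clock = clock          # injectable so the timeout can be tested
        self.table = {}             # (src, sport, dst, dport) -> last-seen time

    def _expire(self, now: float) -> None:
        for key in [k for k, seen in self.table.items() if now - seen > self.timeout]:
            del self.table[key]

    def handle(self, p: Packet) -> str:
        now = self.clock()
        self._expire(now)
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)

        # New session: only an inside host may open one.
        if p.syn and not p.ack:
            if ip_address(p.src) in self.inside:
                self.table[forward] = now
                return "allow:new"
            return "deny:unsolicited-syn"

        # Existing session: the packet must match an entry in either direction.
        for key in (forward, reverse):
            if key in self.table:
                self.table[key] = now       # refresh the idle timer
                return "allow:established"

        # Out of context: a bogus ACK that a stateless filter would have let through.
        return "deny:no-session"


class FakeClock:
    """Manually advanced clock, constructed for the demo and tests."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo():
    clock = FakeClock()
    fw = StatefulFilter("10.0.0.0/8", timeout=60.0, clock=clock)   # constructed inside network
    out = Packet("10.0.0.50", 40000, "198.51.100.9", 25, syn=True)             # inside host opens SMTP
    back = Packet("198.51.100.9", 25, "10.0.0.50", 40000, syn=True, ack=True)  # server's SYN/ACK
    stray = Packet("198.51.100.9", 25, "10.0.0.77", 22, ack=True)              # ACK with no session
    results = [fw.handle(out), fw.handle(back), fw.handle(stray)]
    clock.now = 120.0                 # session idle longer than the timeout
    results.append(fw.handle(back))   # state was purged, so the late packet is rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The last step is the flip side of the timeout: once an entry expires, late packets for it are refused, which is why the idle timeout has to be long enough for legitimate sessions but short enough that stale entries do not linger.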

STATEFUL FILTERING

PROXY FIREWALLS

• A proxy firewall is a network security system that protects network resources by filtering messages at the application layer. A proxy firewall may also be called an application firewall or gateway firewall.

FIREWALL GATEWAYS

Firewall runs set of proxy programs

Proxies filter incoming, outgoing packets

All incoming traffic directed to firewall

All outgoing traffic appears to come from firewall

Policy embedded in proxy programs

Two kinds of proxies

Application-level gateways/proxies

Tailored to http, ftp, smtp, etc.

Circuit-level gateways/proxies

Working on TCP level

FIREWALLS - APPLICATION LEVEL GATEWAY (OR PROXY)

APPLICATION-LEVEL FILTERING

Has full access to protocol

user requests service from proxy

proxy validates request as legal.

then actions request and returns result to user

Need separate proxies for each service

E.g., SMTP (E-Mail)

NNTP (Net news)

DNS (Domain Name System)

NTP (Network Time Protocol)

custom services generally not supported

APP-LEVEL FIREWALL ARCHITECTURE

Daemon spawns proxy when communication detected …

[Figure: a network connection arrives at the firewall's Telnet, SMTP or FTP daemon, which spawns the matching Telnet proxy, SMTP proxy or FTP proxy]

ENFORCE POLICY FOR SPECIFIC PROTOCOLS

• E.g., virus scanning for SMTP

• Need to understand MIME, encoding, Zip archives

NETWORK LAYER FIREWALLS

In Figure 1, a network layer firewall called a "screened host firewall" is represented. In a screened host firewall, access to and from a single host is controlled by means of a router operating at a network layer. The single host is a bastion host: a highly defended and secured strong-point that (hopefully) can resist attacks.

In Figure 2, a network layer firewall called a "screened subnet firewall" is represented. In a screened subnet firewall, access to and from a whole network is controlled by means of a router operating at a network layer. It is similar to a screened host, except that it is, effectively, a network of screened hosts.

APPLICATION LAYER FIREWALLS

Application layer firewalls are hosts that run proxy servers, which permit no traffic directly between networks, and they perform elaborate logging and examination of traffic passing through them.

Since proxy applications are simply software running on the firewall, it is a good place to do logging and access control.

Application layer firewalls can be used as network address translators, since traffic goes in one side and out the other after having passed through an application that effectively masks the origin of the initiating connection.

DUAL-HOME GATEWAY

In Figure 3, an application layer firewall called a "dual homed gateway" is represented. A dual homed gateway is a highly secured host that runs proxy software. It has two network interfaces, one on each network, and blocks all traffic passing through it.

FIREWALLS AREN’T PERFECT?

• Useless against attacks from the inside

• Evildoer exists on inside

• Malicious code is executed on an internal machine

• Organizations with greater insider threat: banks and military

• Protection must exist at each layer

• Assess risks of threats at every layer

• Cannot protect against transfer of all virus-infected programs or files, because of the huge range of O/S and file types

UNIFIED THREAT MANAGEMENT

Unified Threat Management (UTM) is an all-in-one network security solution. UTM provides multiple security features (firewalling, intrusion prevention, anti-virus, etc.) without the complexity that comes with managing multiple security vendors.

PACKET FILTER

Packet filtering is the process of passing or blocking packets at a network interface based on source and destination addresses, ports, or protocols.

The process is used in conjunction with packet mangling and Network Address Translation (NAT).

Packet filtering is often part of a firewall program for protecting a local network from unwanted intrusion.

NETWORK ADDRESS TRANSLATION

• RFC-1631

• A short-term solution to the problem of the depletion of IP addresses

• Long-term solution is IPv6 (or whatever is finally agreed on)

• CIDR (Classless Inter-Domain Routing) is a possible short-term solution

• NAT is another

• NAT is a way to conserve IP addresses

• Hide a number of hosts behind a single IP address

• Use:

• 10.0.0.0-10.255.255.255,

• 172.16.0.0-172.32.255.255 or

• 192.168.0.0-192.168.255.255 for local networks

Network Address Translation (NAT) is a way to map an entire network (or networks) to a single IP address. NAT is necessary when the number of IP addresses assigned to you by your Internet Service Provider is less than the total number of computers that you wish to provide Internet access for.

PORT FORWARDING

Port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall.

1. Local port forwarding

2. Remote port forwarding

3. Dynamic port forwarding
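An added example, not from the tutorial, covering both the NAT section above and the port-forwarding definition: a port-based translator that hides several private hosts behind one public address, translates replies back using the mapping it created on the way out, drops unsolicited inbound packets that match no mapping, and honours a static port-forward entry for a service that should be reachable from outside. The private ranges are the RFC 1918 blocks (172.16.0.0/12 is the CIDR form of the 172.16 range); the public address 203.0.113.1 and the host addresses are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges, the blocks the tutorial lists for local networks.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

Endpoint = Tuple[str, int]   # (ip, port)


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class Nat:
    """Port-based NAT: many inside hosts share one public address.

    Each new outbound (inside ip, port) gets a fresh public port; the reverse
    mapping lets replies back in. Inbound packets that match neither a reply
    mapping nor a static port-forward are dropped.
    """

    def __init__(self, public_ip: str, first_port: int = 40000,
                 forwards: Optional[Dict[int, Endpoint]] = None):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Endpoint, int] = {}   # (inside ip, port) -> public port
        self.in_map: Dict[int, Endpoint] = {}    # public port -> (inside ip, port)
        self.forwards = forwards or {}           # port forwarding: public port -> inside endpoint

    def outbound(self, src: str, sport: int, dst: str, dport: int):
        """Rewrite an inside->outside packet so it appears to come from the public IP."""
        if not is_private(src):
            raise ValueError(f"{src} is not an inside address")
        key = (src, sport)
        if key not in self.out_map:
            while self.next_port in self.forwards:   # never hand out a forwarded port
                self.next_port += 1
            public_port = self.next_port
            self.next_port += 1
            self.out_map[key] = public_port
            self.in_map[public_port] = key
        return (self.public_ip, self.out_map[key], dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int):
        """Translate an outside->inside packet to the inside host, or drop it (None)."""
        if dst != self.public_ip:
            return None
        target = self.forwards.get(dport) or self.in_map.get(dport)
        if target is None:
            return None   # unsolicited: nobody inside asked for this and nothing is forwarded
        return (src, sport, target[0], target[1])


def demo():
    # Constructed: public address 203.0.113.1, inside web server 192.168.1.20 exposed on public port 8080.
    nat = Nat("203.0.113.1", forwards={8080: ("192.168.1.20", 80)})
    a = nat.outbound("192.168.1.10", 5000, "198.51.100.9", 443)     # first flow gets public port 40000
    b = nat.outbound("192.168.1.11", 5000, "198.51.100.9", 443)     # same inside port, distinct public port
    reply = nat.inbound("198.51.100.9", 443, "203.0.113.1", 40000)  # mapped back to 192.168.1.10:5000
    stray = nat.inbound("198.51.100.9", 443, "203.0.113.1", 40500)  # no mapping: dropped
    fwd = nat.inbound("198.51.100.9", 50000, "203.0.113.1", 8080)   # port forward to the web server
    return a, b, reply, stray, fwd


if __name__ == "__main__":
    print(demo())
```

The "stray" case is the incidental protection NAT gives: without a mapping or a forward, an outside packet has nowhere to go. The port-forward entry deliberately re-opens one path, so every forwarded port is a service that must be hardened as if it were directly on the Internet.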

HACKING THROUGH NAT

• Static translation offers no protection of internal hosts

• Internal host seduction: internals go to the hacker

• e-mail attachments – Trojan horse viruses

• peer-to-peer connections

• hacker-run porn and gambling sites

• solution = application-level proxies

• State table timeout problem: a hacker could hijack a stale connection before it is timed out

• very low probability, but a smart hacker could do it

• Source routing through NAT: if the hacker knows an internal address they can source-route a packet to that host

• solution is to not allow source-routed packets through the firewall

TYPES OF FIREWALLS

1. Network layer firewalls:

Network layer firewalls generally make their decisions based on the source address, destination address and ports in individual IP packets.

2. Application layer firewalls:

Application layer firewalls are hosts that run proxy servers, which permit no traffic directly between networks, and they perform elaborate logging and examination of traffic passing through them.

3. Proxy firewalls

Proxy firewalls offer more security than other types of firewalls, but at the expense of speed and functionality, as they can limit which applications the network supports.

4. Unified threat management

A new category of network security products -- called unified threat management (UTM) -- promises integration, convenience and protection from pretty much every threat out there

INTRUSION DETECTION SYSTEM

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

1. Anomaly Detection

2. Signature Based Detection

ALERTS

• Burglar Alert/Alarm: A signal suggesting that a system has been or is being attacked.

• Detection Rate: The detection rate is defined as the number of intrusion instances detected by the system (True Positive) divided by the total number of intrusion instances present in the test set.

• False Alarm Rate: defined as the number of 'normal' patterns classified as attacks (False Positive) divided by the total number of 'normal' patterns.

• ALERT TYPE:

• True Positive: Attack - Alert

• False Positive: No attack - Alert

• False Negative: Attack - No Alert

• True Negative: No attack - No Alert
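An added example, not from the tutorial, that ties the IDS section together: a signature detector (known-bad patterns in a request) and an anomaly detector (a source sending far more requests than normal) run over a constructed request log, each event is labelled with one of the four alert types above, and the detection rate and false alarm rate are computed exactly as defined. The log, the signatures, the rate threshold and the ground-truth labels are all constructed for the example.

```python
import re
from collections import Counter
from typing import List, Set, Tuple

# Constructed request log: (source ip, request line, ground truth: is this an attack?)
LOG: List[Tuple[str, str, bool]] = [
    ("10.0.0.5", "GET /index.html", False),
    ("10.0.0.5", "GET /about.html", False),
    ("198.51.100.9", "GET /../../etc/passwd", True),
    ("10.0.0.7", "GET /login?user=admin' OR 1=1", True),
    ("10.0.0.8", "GET /docs/../index.html", False),   # odd but benign: becomes a false positive
    ("10.0.0.11", "GET /backup/config.bak", True),    # no signature, low rate: becomes a false negative
] + [("203.0.113.4", f"GET /page{i}", True) for i in range(6)] + [   # burst from one source
    ("10.0.0.8", "GET /products?id=42", False),
    ("10.0.0.8", "GET /products?id=43", False),
]

# Signature-based detection: patterns of known attacks (constructed, deliberately small).
SIGNATURES = [re.compile(r"\.\./"), re.compile(r"'\s*or\s", re.IGNORECASE)]


def signature_alerts(log) -> Set[int]:
    """Indices of events whose request matches any signature."""
    return {i for i, (_, req, _) in enumerate(log) if any(s.search(req) for s in SIGNATURES)}


def anomaly_alerts(log, max_requests: int = 5) -> Set[int]:
    """Indices of events from a source whose request count exceeds the normal profile."""
    per_source = Counter(src for src, _, _ in log)
    return {i for i, (src, _, _) in enumerate(log) if per_source[src] > max_requests}


def classify(log, alerts: Set[int]) -> List[str]:
    """Label each event with the alert type from the table above."""
    labels = []
    for i, (_, _, attack) in enumerate(log):
        alerted = i in alerts
        if attack and alerted:
            labels.append("True Positive")
        elif attack:
            labels.append("False Negative")
        elif alerted:
            labels.append("False Positive")
        else:
            labels.append("True Negative")
    return labels


def evaluate(log, alerts: Set[int]) -> dict:
    c = Counter(classify(log, alerts))
    tp, fp = c["True Positive"], c["False Positive"]
    fn, tn = c["False Negative"], c["True Negative"]
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "detection_rate": tp / (tp + fn),     # intrusions detected / all intrusions present
        "false_alarm_rate": fp / (fp + tn),   # normal events flagged / all normal events
    }


def demo() -> dict:
    alerts = signature_alerts(LOG) | anomaly_alerts(LOG)
    return evaluate(LOG, alerts)


if __name__ == "__main__":
    for (src, req, _), label in zip(LOG, classify(LOG, signature_alerts(LOG) | anomaly_alerts(LOG))):
        print(f"{label:15s} {src:14s} {req}")
    print(demo())
```

On this log the combined detector scores a detection rate of 8/9 and a false alarm rate of 1/5: the benign `/docs/../index.html` request trips the traversal signature, and the `config.bak` fetch has neither a signature nor an unusual rate, which is the kind of miss only a new signature or a richer anomaly profile would catch.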