SlideShare a Scribd company logo

Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt

Download as PPT, PDF
G
gocokir267

This document discusses various topics in network security including firewalls, tunneling, virtual private networks (VPNs), and intrusion detection systems (IDSs). It defines firewalls as integrated security systems that filter network traffic based on predefined rulesets. Stateful firewalls maintain connection states while stateless firewalls do not. Tunneling protocols like SSH and IPSec encrypt network traffic to prevent eavesdropping. VPNs allow secure remote access and site-to-site connectivity over public networks. IDSs detect intrusions by analyzing network traffic patterns but can produce false alarms.

Internet
1 of 31
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
CIS3360: Security in Computing Chapter 6 : Network Security II - Firewall, Tunneling, Intrusion Detection Cliff Zou Spring 2012
Firewall 2
Firewalls  A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.  A network firewall is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. 3
Firewall Policies  To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies. 4 Trusted internal network Firewall policies Untrusted Internet
Policy Actions  Packets flowing through a firewall can have one of three outcomes:  Accepted: permitted through the firewall  Dropped: not allowed through with no indication of failure  Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected  Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including the protocol used, such as:  TCP or UDP  the source and destination IP addresses  the source and destination ports  the application-level payload of the packet (e.g., whether it contains a virus). 5
Blacklists and White Lists  Two fundamental approaches to creating firewall policies (or rulesets)  Blacklist approach (default-allow)  All packets are allowed through except those that fit the rules defined specifically in a blacklist.  Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall  Cons: unexpected forms of malicious traffic could go through  Whitelist approach (default-deny)  Packets are dropped or rejected unless they are specifically allowed by the firewall  Pros: A safer approach to defining a firewall ruleset  Cons: must consider all possible legitimate traffic in rulesets 6
Firewall Types • packet filters (stateless) – If a packet matches the packet filter's set of rules, the packet filter will drop or accept it • "stateful" filters – it maintains records of all connections passing through it and can determine if a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. • application layer – It works like a proxy it can “understand” certain applications and protocols. – It may inspect the contents of the traffic, blocking what it views as inappropriate content (i.e. websites, viruses, vulnerabilities, ...) 7
Stateless Firewalls  A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. 8 Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80 Client Server Firewall
Stateless Restrictions  Stateless firewalls may have to be fairly restrictive in order to prevent most attacks. 9 Trusted internal network SYN Seq = y Port=80 Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80 Client Attacker (blocked) Firewall
Statefull Firewalls  Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network.  Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets.  Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network. 10
Statefull Firewall Example  Allow only requested TCP connections: 11 Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound TCP sessions, destination port=80 Client SYN-ACK Seq = y Port=80 Attacker (blocked) Established TCP session: (128.34.78.55, 76.120.54.101) 128.34.78.55 76.120.54.101 Firewall state table Server Firewall
 TCP-based connections are easy to check  TCP SYN packet  UDP-based traffic is not so clear  There is no UDP connection set up  Treat a UDP session starts when a legitimate UDP packet is allowed through the firewall (such as from inside to outside)  Session is defined by (source IP, source port, dest IP, dest port) 12
Network Security 7-13 Application-level Firewall  Filters packets on application data as well as on IP/TCP/UDP fields.  Example: allow select internal users to telnet outside. host-to-gateway session gateway-to-remote host session application gateway router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. r Example: block user access to know porn websites m Check if the Web URL is in a “black-list”
Firewall on Windows and Linux  On Linux, Iptables is used to provide firewall function  http://en.wikipedia.org/wiki/I ptables 14  On Windows, use “control panel” “Windows Firewall”
Tunnels  The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP connection, he can often see the complete contents of the payloads in this session.  One way to prevent such eavesdropping without changing the software performing the communication is to use a tunneling protocol.  In such a protocol, the communication between a client and server is automatically encrypted, so that useful eavesdropping is infeasible. 15
Tunneling Prevents Eavesdropping  Packets sent over the Internet are automatically encrypted. 16 Server Client Tunneling protocol (does end-to-end encryption and decryption) Payloads are encrypted here TCP/IP TCP/IP Untrusted Internet
Secure Shell (SSH)  A secure interactive command session:  The client connects to the server via a TCP session.  The client and server exchange information on administrative details, such as supported encryption methods and their protocol version, each choosing a set of protocols that the other supports.  Example: check ssh client software to see what are supported.  The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). This session key is used in conjunction with a chosen block cipher (typically AES, 3DES) to encrypt all further communications. 17
 The server sends the client a list of acceptable forms of authentication, which the client will try in sequence.  Password based authentication  Public-key authentication method  Client sends the server its public key  The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client’s public key and sends it to the client  The client decrypts the challenge with its private key and responds to the server, proving its identity 18
IPSec  IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets  Authentication Header (AH)  provide connectionless integrity and data origin authentication for IP datagrams  provides protection against replay attacks  No confidentiality (packets are still unencrypted)  Encapsulating Security Payload (ESP)  provide confidentiality, data-origin authentication, connectionless integrity, and limited traffic-flow confidentiality.  Port numbers are encrypted, poses challenge for NAT  http://en.wikipedia.org/wiki/IPsec 19
20 Digital signature
21
Virtual Private Networking (VPN)  Virtual private networking (VPN) is a technology that allows private networks to be safely extended over long physical distances by making use of a public network, such as the Internet, as a means of transport.  VPN provides guarantees of data confidentiality, integrity, and authentication, despite the use of an untrusted network for transmission.  There are two primary types of VPNs, remote access VPN and site-to-site VPN. 22
Types of VPNs  Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet.  E.g., UCF VPN. Computer has internal IP when connected.  Set up a VPN endpoint, network access server (NAS)  Clients install VPN client software on their machines.  Site-to-site VPN solutions are designed to provide a secure bridge between two or more physically distant networks.  Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling. 23
Intrusion Detection Systems  Intrusion  Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources)  Intrusion detection  The identification through intrusion signatures and report of intrusion activities  Intrusion prevention  The process of both detecting intrusion activities and managing automatic responsive actions throughout the network 24
IDS Components  IDS manager compiles data from the IDS sensors to determine if an intrusion has occurred.  If an IDS manager detects an intrusion, then it sounds an alarm. 25 Untrusted Internet IDS Manager IDS Sensor router router router IDS Sensor Firewall
Possible Alarm Outcomes  Alarms can be sounded (positive) or not (negative) 26 Intrusion Attack No Intrusion Attack Alarm Sounded No Alarm Sounded True Positive False Positive True Negative False Negative Bad (miss attack) Bad (reject normal)
The Base-Rate Fallacy  true-positive rate is conflict with false-negative rate.  There is a trade-off  If # of intrusions << # of all events, the effectiveness of an intrusion detection system can be reduced.  In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy.  This type of error occurs when the probability of some conditional event is assessed without considering the “base rate” of that event. 27
Base-Rate Fallacy Example  Suppose an IDS has 1% chance of false positives, and 1% of false negatives. Suppose further…  An intrusion detection system generates 1,000,100 log entries.  Only 100 of the 1,000,100 entries correspond to actual malicious events.  Among the 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.  Among the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!  Thus, there will be 10,099 alarms sounded, 10,000 of which are false alarms. That means false alarm rate is roughly 99%! 28
Types of Intrusion Detection Systems  Rule-Based Intrusion Detection  Rules and signatures identify the types of actions that match certain known profiles for an intrusion attack  Alarm raised can indicate what attack triggers the alarm  Problem: Cannot deal with unknown attacks  Statistical Intrusion Detection  Statistical representation (profile) of the typical ways that a user acts or a host is used  Determine when a user or host is acting in highly unusual, anomalous ways.  Alarm when a user or host deviates significantly from the stored profile for that person or machine  Problem: High false positive rate, cannot tell which attack triggers the alarm 29
Port Scanning  Purpose: Attackers need to know where a potential target is  TCP scan: use OS system call to check if TCP connection can be set up on a target machine on any port  Example scanner: nmap  See how nmap works on department eustis machine!  SYN scan: low-level TCP program to send out SYN packet without intent to finish the TCP connection setup  On receiving SYN/ACK, issues a RST packet to terminate 30
Port Scanning  Two port scanning mode:  Vertical scan: target numerous destination ports on a singular host (e.g., nmap)  Horizontal scan: target the same port on many target hosts, effectively looking for a specific vulnerability  E.g., worm  E.g., attacker conduct reconnaissance before real attack 31

More Related Content

Similar to Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt (20)

PPTX
Cyber Security - Firewall and Packet Filters
Radhika Talaviya
 
PDF
Introduction to Cyber security module - III
TAMBEMAHENDRA1
 
PPTX
Cyber security tutorial2
sweta dargad
 
PPT
Introduction to Firewalls and functions.ppt
dalton6070
 
PPTX
Firewalls and packet filters
MOHIT AGARWAL
 
PPTX
WLAN:VPN Security
@zenafaris91
 
DOCX
A firewall is a network security device.
abidhassan225
 
PPTX
Chapter_1_Introduction to Network Security-1.pptx
mmmmoh35
 
PPT
Firewalls
University of Central Punjab
 
PPTX
Firewalls by Puneet Bawa
Puneet Bawa
 
PPTX
FIREWALL
swati463221
 
PDF
Network Security_Dr Shivashankar_Module 5.pdf
Dr. Shivashankar
 
PPTX
Firewall and Types of firewall
Coder Tech
 
DOCX
Firewall configuration
Nutan Kumar Panda
 
PPT
Firewall
thinkahead.net
 
PPTX
Insights of vpn
Harshika Rana
 
PPT
Firewall protection
VC Infotech
 
PPT
Firewall
Amuthavalli Nachiyar
 
PPT
chapter 4.pptWOLAITA SODO UNIVERSITY SCHOOL OF INFORMATICS DEPARTMENT OF INFO...
abititegen3
 
DOC
Firewall
Kenny2012
 
Cyber Security - Firewall and Packet Filters
Radhika Talaviya
 
Introduction to Cyber security module - III
TAMBEMAHENDRA1
 
Cyber security tutorial2
sweta dargad
 
Introduction to Firewalls and functions.ppt
dalton6070
 
Firewalls and packet filters
MOHIT AGARWAL
 
WLAN:VPN Security
@zenafaris91
 
A firewall is a network security device.
abidhassan225
 
Chapter_1_Introduction to Network Security-1.pptx
mmmmoh35
 
Firewalls
University of Central Punjab
 
Firewalls by Puneet Bawa
Puneet Bawa
 
FIREWALL
swati463221
 
Network Security_Dr Shivashankar_Module 5.pdf
Dr. Shivashankar
 
Firewall and Types of firewall
Coder Tech
 
Firewall configuration
Nutan Kumar Panda
 
Firewall
thinkahead.net
 
Insights of vpn
Harshika Rana
 
Firewall protection
VC Infotech
 
Firewall
Amuthavalli Nachiyar
 
chapter 4.pptWOLAITA SODO UNIVERSITY SCHOOL OF INFORMATICS DEPARTMENT OF INFO...
abititegen3
 
Firewall
Kenny2012
 

Recently uploaded (20)

PPTX
Template Timeplan & Roadmap Product.pptx
ImeldaYulistya
 
PPTX
一比一原版(LaTech毕业证)路易斯安那理工大学毕业证如何办理
Taqyea
 
PDF
Pas45789-Energs-Efficient-Craigg1ing.pdf
lafinedelcinghiale
 
PDF
Web Hosting for Shopify WooCommerce etc.
Harry_Phoneix Harry_Phoneix
 
PPTX
ONLINE BIRTH CERTIFICATE APPLICATION SYSYTEM PPT.pptx
ShyamasreeDutta
 
PDF
Technical Guide to Build a Successful Shopify Marketplace from Scratch.pdf
CartCoders
 
PPT
introduction to networking with basics coverage
RamananMuthukrishnan
 
PPTX
本科硕士学历佛罗里达大学毕业证(UF毕业证书)24小时在线办理
Taqyea
 
PPTX
ipv6 very very very very vvoverview.pptx
eyala75
 
PDF
The-Hidden-Dangers-of-Skipping-Penetration-Testing.pdf.pdf
naksh4thra
 
PDF
𝐁𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓
hokimamad0
 
PPTX
PE introd.pptxfrgfgfdgfdgfgrtretrt44t444
nepmithibai2024
 
PPT
introductio to computers by arthur janry
RamananMuthukrishnan
 
PPTX
unit 2_2 copy right fdrgfdgfai and sm.pptx
nepmithibai2024
 
PPTX
Optimization_Techniques_ML_Presentation.pptx
farispalayi
 
PPTX
ZARA-Case.pptx djdkkdjnddkdoodkdxjidjdnhdjjdjx
RonnelPineda2
 
PPTX
internet básico presentacion es una red global
70965857
 
PPTX
Research Design - Report on seminar in thesis writing. PPTX
arvielobos1
 
PPTX
sajflsajfljsdfljslfjslfsdfas;fdsfksadfjlsdflkjslgfs;lfjlsajfl;sajfasfd.pptx
theknightme
 
PPTX
英国学位证(RCM毕业证书)皇家音乐学院毕业证书如何办理
Taqyea
 
Template Timeplan & Roadmap Product.pptx
ImeldaYulistya
 
一比一原版(LaTech毕业证)路易斯安那理工大学毕业证如何办理
Taqyea
 
Pas45789-Energs-Efficient-Craigg1ing.pdf
lafinedelcinghiale
 
Web Hosting for Shopify WooCommerce etc.
Harry_Phoneix Harry_Phoneix
 
ONLINE BIRTH CERTIFICATE APPLICATION SYSYTEM PPT.pptx
ShyamasreeDutta
 
Technical Guide to Build a Successful Shopify Marketplace from Scratch.pdf
CartCoders
 
introduction to networking with basics coverage
RamananMuthukrishnan
 
本科硕士学历佛罗里达大学毕业证(UF毕业证书)24小时在线办理
Taqyea
 
ipv6 very very very very vvoverview.pptx
eyala75
 
The-Hidden-Dangers-of-Skipping-Penetration-Testing.pdf.pdf
naksh4thra
 
𝐁𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓
hokimamad0
 
PE introd.pptxfrgfgfdgfdgfgrtretrt44t444
nepmithibai2024
 
introductio to computers by arthur janry
RamananMuthukrishnan
 
unit 2_2 copy right fdrgfdgfai and sm.pptx
nepmithibai2024
 
Optimization_Techniques_ML_Presentation.pptx
farispalayi
 
ZARA-Case.pptx djdkkdjnddkdoodkdxjidjdnhdjjdjx
RonnelPineda2
 
internet básico presentacion es una red global
70965857
 
Research Design - Report on seminar in thesis writing. PPTX
arvielobos1
 
sajflsajfljsdfljslfjslfsdfas;fdsfksadfjlsdflkjslgfs;lfjlsajfl;sajfasfd.pptx
theknightme
 
英国学位证(RCM毕业证书)皇家音乐学院毕业证书如何办理
Taqyea
 
Ad

Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt

  • 1. CIS3360: Security in Computing Chapter 6 : Network Security II - Firewall, Tunneling, Intrusion Detection Cliff Zou Spring 2012
  • 3. Firewalls  A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.  A network firewall is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. 3
  • 4. Firewall Policies  To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies. 4 Trusted internal network Firewall policies Untrusted Internet
  • 5. Policy Actions  Packets flowing through a firewall can have one of three outcomes:  Accepted: permitted through the firewall  Dropped: not allowed through with no indication of failure  Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected  Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including the protocol used, such as:  TCP or UDP  the source and destination IP addresses  the source and destination ports  the application-level payload of the packet (e.g., whether it contains a virus). 5
  • 6. Blacklists and White Lists  Two fundamental approaches to creating firewall policies (or rulesets)  Blacklist approach (default-allow)  All packets are allowed through except those that fit the rules defined specifically in a blacklist.  Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall  Cons: unexpected forms of malicious traffic could go through  Whitelist approach (default-deny)  Packets are dropped or rejected unless they are specifically allowed by the firewall  Pros: A safer approach to defining a firewall ruleset  Cons: must consider all possible legitimate traffic in rulesets 6
  • 7. Firewall Types • packet filters (stateless) – If a packet matches the packet filter's set of rules, the packet filter will drop or accept it • "stateful" filters – it maintains records of all connections passing through it and can determine if a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. • application layer – It works like a proxy it can “understand” certain applications and protocols. – It may inspect the contents of the traffic, blocking what it views as inappropriate content (i.e. websites, viruses, vulnerabilities, ...) 7
  • 8. Stateless Firewalls  A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. 8 Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80 Client Server Firewall
  • 9. Stateless Restrictions  Stateless firewalls may have to be fairly restrictive in order to prevent most attacks. 9 Trusted internal network SYN Seq = y Port=80 Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80 Client Attacker (blocked) Firewall
  • 10. Statefull Firewalls  Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network.  Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets.  Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network. 10
  • 11. Statefull Firewall Example  Allow only requested TCP connections: 11 Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound TCP sessions, destination port=80 Client SYN-ACK Seq = y Port=80 Attacker (blocked) Established TCP session: (128.34.78.55, 76.120.54.101) 128.34.78.55 76.120.54.101 Firewall state table Server Firewall
  • 12.  TCP-based connections are easy to check  TCP SYN packet  UDP-based traffic is not so clear  There is no UDP connection set up  Treat a UDP session starts when a legitimate UDP packet is allowed through the firewall (such as from inside to outside)  Session is defined by (source IP, source port, dest IP, dest port) 12
  • 13. Network Security 7-13 Application-level Firewall  Filters packets on application data as well as on IP/TCP/UDP fields.  Example: allow select internal users to telnet outside. host-to-gateway session gateway-to-remote host session application gateway router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. r Example: block user access to know porn websites m Check if the Web URL is in a “black-list”
  • 14. Firewall on Windows and Linux  On Linux, Iptables is used to provide firewall function  http://en.wikipedia.org/wiki/I ptables 14  On Windows, use “control panel” “Windows Firewall”
  • 15. Tunnels  The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP connection, he can often see the complete contents of the payloads in this session.  One way to prevent such eavesdropping without changing the software performing the communication is to use a tunneling protocol.  In such a protocol, the communication between a client and server is automatically encrypted, so that useful eavesdropping is infeasible. 15
  • 16. Tunneling Prevents Eavesdropping  Packets sent over the Internet are automatically encrypted. 16 Server Client Tunneling protocol (does end-to-end encryption and decryption) Payloads are encrypted here TCP/IP TCP/IP Untrusted Internet
  • 17. Secure Shell (SSH)  A secure interactive command session:  The client connects to the server via a TCP session.  The client and server exchange information on administrative details, such as supported encryption methods and their protocol version, each choosing a set of protocols that the other supports.  Example: check ssh client software to see what are supported.  The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). This session key is used in conjunction with a chosen block cipher (typically AES, 3DES) to encrypt all further communications. 17
  • 18.  The server sends the client a list of acceptable forms of authentication, which the client will try in sequence.  Password based authentication  Public-key authentication method  Client sends the server its public key  The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client’s public key and sends it to the client  The client decrypts the challenge with its private key and responds to the server, proving its identity 18
  • 19. IPSec  IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets  Authentication Header (AH)  provide connectionless integrity and data origin authentication for IP datagrams  provides protection against replay attacks  No confidentiality (packets are still unencrypted)  Encapsulating Security Payload (ESP)  provide confidentiality, data-origin authentication, connectionless integrity, and limited traffic-flow confidentiality.  Port numbers are encrypted, poses challenge for NAT  http://en.wikipedia.org/wiki/IPsec 19
  • 21. 21
  • 22. Virtual Private Networking (VPN)  Virtual private networking (VPN) is a technology that allows private networks to be safely extended over long physical distances by making use of a public network, such as the Internet, as a means of transport.  VPN provides guarantees of data confidentiality, integrity, and authentication, despite the use of an untrusted network for transmission.  There are two primary types of VPNs, remote access VPN and site-to-site VPN. 22
  • 23. Types of VPNs  Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet.  E.g., UCF VPN. Computer has internal IP when connected.  Set up a VPN endpoint, network access server (NAS)  Clients install VPN client software on their machines.  Site-to-site VPN solutions are designed to provide a secure bridge between two or more physically distant networks.  Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling. 23
  • 24. Intrusion Detection Systems  Intrusion  Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources)  Intrusion detection  The identification through intrusion signatures and report of intrusion activities  Intrusion prevention  The process of both detecting intrusion activities and managing automatic responsive actions throughout the network 24
  • 25. IDS Components  IDS manager compiles data from the IDS sensors to determine if an intrusion has occurred.  If an IDS manager detects an intrusion, then it sounds an alarm. 25 Untrusted Internet IDS Manager IDS Sensor router router router IDS Sensor Firewall
  • 26. Possible Alarm Outcomes  Alarms can be sounded (positive) or not (negative) 26 Intrusion Attack No Intrusion Attack Alarm Sounded No Alarm Sounded True Positive False Positive True Negative False Negative Bad (miss attack) Bad (reject normal)
  • 27. The Base-Rate Fallacy  true-positive rate is conflict with false-negative rate.  There is a trade-off  If # of intrusions << # of all events, the effectiveness of an intrusion detection system can be reduced.  In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy.  This type of error occurs when the probability of some conditional event is assessed without considering the “base rate” of that event. 27
  • 28. Base-Rate Fallacy Example  Suppose an IDS has 1% chance of false positives, and 1% of false negatives. Suppose further…  An intrusion detection system generates 1,000,100 log entries.  Only 100 of the 1,000,100 entries correspond to actual malicious events.  Among the 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.  Among the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!  Thus, there will be 10,099 alarms sounded, 10,000 of which are false alarms. That means false alarm rate is roughly 99%! 28
  • 29. Types of Intrusion Detection Systems  Rule-Based Intrusion Detection  Rules and signatures identify the types of actions that match certain known profiles for an intrusion attack  Alarm raised can indicate what attack triggers the alarm  Problem: Cannot deal with unknown attacks  Statistical Intrusion Detection  Statistical representation (profile) of the typical ways that a user acts or a host is used  Determine when a user or host is acting in highly unusual, anomalous ways.  Alarm when a user or host deviates significantly from the stored profile for that person or machine  Problem: High false positive rate, cannot tell which attack triggers the alarm 29
  • 30. Port Scanning  Purpose: Attackers need to know where a potential target is  TCP scan: use OS system call to check if TCP connection can be set up on a target machine on any port  Example scanner: nmap  See how nmap works on department eustis machine!  SYN scan: low-level TCP program to send out SYN packet without intent to finish the TCP connection setup  On receiving SYN/ACK, issues a RST packet to terminate 30
  • 31. Port Scanning  Two port scanning mode:  Vertical scan: target numerous destination ports on a singular host (e.g., nmap)  Horizontal scan: target the same port on many target hosts, effectively looking for a specific vulnerability  E.g., worm  E.g., attacker conduct reconnaissance before real attack 31