
Post on 12-Jan-2016


Lecture 7: Network & ISP security

Firewall: Simple packet-filters

• Simple packet-filters evaluate packets based solely on IP headers.

• Source-IP spoofing attacks generally aren't blocked by packet-filters, and since allowed packets are literally passed through the firewall, packets with "legitimate" IP headers but dangerous data payloads (as in buffer-overflow attacks) can often be sent intact to "protected" targets.
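An added example, not part of the lecture: a header-only filter in Python run over constructed packets. It shows that a packet merely claiming an internal source and a packet with an arbitrary payload both pass, and that an ingress check on the arrival interface stops only the first. The rule set, addresses, interface names and function names are assumptions made for this example; matching on the TCP destination port is included because packet filters commonly do so.

```python
import ipaddress
import struct

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range
# Constructed rules: (source network, IP protocol, destination port, action)
RULES = [
    (INTERNAL, 6, 25, "allow"),                              # internal hosts -> SMTP
    (ipaddress.ip_network("0.0.0.0/0"), 6, 80, "allow"),     # anyone -> HTTP
]

def build_packet(src, dst, dport, payload=b""):
    """Constructed IPv4+TCP test packet; checksums are left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp + payload

def simple_filter(packet):
    """Stateless verdict from header fields only; the payload is never inspected."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "deny"                        # not an IPv4 header
    ihl = (packet[0] & 0x0F) * 4             # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 4:
        return "deny"                        # truncated before the TCP ports
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    for net, rule_proto, rule_port, action in RULES:
        if src in net and proto == rule_proto and dport == rule_port:
            return action
    return "deny"                            # default deny

def filter_with_ingress_check(packet, iface):
    """Same rules, plus an ingress check on the arrival interface."""
    if len(packet) >= 20 and iface == "outside":
        if ipaddress.ip_address(packet[12:16]) in INTERNAL:
            return "deny"                    # internal source seen on the outside link
    return simple_filter(packet)

if __name__ == "__main__":
    claimed_internal = build_packet("10.1.2.3", "192.0.2.10", 25)
    large_payload = build_packet("198.51.100.7", "192.0.2.10", 80, b"A" * 4096)
    print(simple_filter(claimed_internal))                         # allow
    print(filter_with_ingress_check(claimed_internal, "outside"))  # deny
    print(filter_with_ingress_check(large_payload, "outside"))     # allow
```

The last case still passes because nothing in either function reads the payload; that inspection is the job of the application-layer proxies covered below.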

Stateful packet filtering

Application-layer proxies

• A proxying firewall acts as an intermediary in all transactions that traverse it (see figure).

• Proxying firewalls are often called "application-layer" proxies because, unlike other types of proxies that enhance performance but not necessarily security, proxying firewalls usually have a large amount of application-specific intelligence about the services they broker.

Placing Firewall: "Inside Versus Outside" Architecture

• Because public services such as SMTP, DNS, and HTTP must either be sent through the firewall to internal servers or hosted on the firewall itself, the risk of server compromise is increased.

• As a result, the DMZ (DeMilitarized Zone) network is used.

The "Three-Homed Firewall" DMZ Architecture

A Weak Screened-Subnet Architecture

• Rarely used

• Lack of firewall is the weak point

• Obsolete

A Strong Screened-Subnet Architecture

What Do ISPs Need to Do?

1) ISP’s Security Policy

2) Secure Resources: Firewall, Encryption, Authentication, Audit

3) Monitor and Respond: Intrusion Detection, work the incident

4) Test, Practice, Drill: Vulnerability Scanning

5) Manage and Improve: Post Mortem, Analyze the Incident, modify the plan/procedures

Security incidents are a normal part of an ISP’s operations!

Six Phases of Incident Response

PREPARATION

• Prep the network

• Create tools

• Test tools

• Prep procedures

• Train team

• Practice

IDENTIFICATION

• How do you know about the attack?

• What tools can you use?

• What’s your process for communication?

CLASSIFICATION

• What kind of attack is it?

TRACEBACK

• Where is the attack coming from?

• Where and how is it affecting the network?

REACTION

• What options do you have to remedy?

• Which option is the best under the circumstances?

POST MORTEM

• What was done?

• Can anything be done to prevent it?

• How can it be less painful in the future?

The Old World: Router Perspective

• Policy enforced at process level (VTY ACL, SNMP ACL, etc.)

• Some early features such as ingress ACL used when possible

[Figure labels: “untrusted”; telnet, snmp; Attacks, junk; Router CPU]

The New World: Router Perspective

• Central policy enforcement, prior to process level

• Granular protection schemes

• On high-end platforms, hardware implementations

[Figure labels: “untrusted”; telnet, snmp; Attacks, junk; Protection; Router CPU]

Secure Routing: Route Authentication

Configure Routing Authentication

[Figure labels: Signs Route Updates; Verifies Signature; Campus; Signature; Route Updates]

Certifies Authenticity of Neighbor and Integrity of Route Updates


Any wall has some weak points
