Internet and Intranet Fundamentals Class 8 Session A

Upload: erica-edwards

Post on 30-Dec-2015


Internet and Intranet Fundamentals

Class 8

Session A

Intranet Security

• Assets Needing Protection

• Threats

• Firewalls
  – Overview
  – Various Architectures
  – Ref: Building Internet Firewalls, Chapman & Zwicky, ISBN 1565921240

Assets Needing Protection

• Data
  – stored on computers

• Resources
  – the computers themselves

• Reputation

Protecting Data

• Secrecy / Privacy

• Integrity

• Availability

Protecting Data: Secrecy / Privacy

• Trade Secrets
  – obligations to shareholders

• Competitive Intelligence
  – competition sensitive

• Examples
  – national defense
  – patient medical records
  – student records

Protecting Data: Integrity

• Keeping Data from Being Modified
  – tampering

• Loss of Confidence
  – consumer
  – customer
  – investor
  – employee

Protecting Data: Availability

• Is your data accessible?

• Related to computing resource availability

Protecting Resources

• Computer Resources
  – disk space
  – CPU cycles
  – memory

• Labor Resources
  – $$$ spent in …
    • tracking down intruders
    • performing
    • re-installing software

Protecting Reputation

• Confidence

• Intruders Masquerade as You
  – identity theft

• Business/Technical Competence

• Example
  – professor and racist hate mail

Threats

• Types of Attacks

• Types of Attackers

• Stupidity and Accidents

Types of Attacks

• Intrusion

• Denial of Service

• Information Theft

Intrusion

• People Gain Access to Your Network and Computers

• How?
  – social engineering
  – guesswork
    • crack program
    • child/dog’s name

Denial of Service

• Preventing you (and others) from using your own computers

• Mail Bombs

• Flooding a System’s Queues, Processes, etc.
  – Internet Worm
  – Distributed denial of service (CNN/Ebay/Yahoo)

• Limited Number of Login Attempts
  – they either get in, or they can force denial of service to everyone else!

Information Theft

• Stealing Password Files
  – download for offline cracking

• Packet Sniffers
  – Ethernet is a party line
  – A switch is your friend.

Types of Attackers

• Joyriders
  – bored, looking for amusement

• Vandals
  – like destroying things, or don’t like you

• Score Keepers
  – bragging rights

• Spies
  – industrial and international

Stupidity and Accidents

• 55% of all incidents result from naivete or lack of training

• Apple’s buggy mail server
  – hundreds of thousands of error messages

• Any system which doesn’t assign passwords.

• Hard to Protect Against!

Firewalls

• Overview

• Various Firewall Architectures

Overview

• How to Protect Your Intranet Assets?
  – no security
  – security through obscurity
  – host security
  – network security

• Your home is an intranet?

Overview

• No Security

• Security Through Obscurity
  – nobody knows about it
  – people figure a small company or home machine isn’t of interest
  – “obscurity” impossible on Internet
    • InterNIC
  – examples with Telnet

Overview

• Host Security
  – geared to particular host
  – scalability issue
  – admin nightmare
    • sheer numbers
    • different OS, OS config, etc.
  – OK for small sites or sites with extreme requirements

Overview

• Network Security
  – control network access
  – kill lots of birds with one stone
  – firewalls

• Security Technology Can’t Do It All
  – policing internal time wasting, pranks, etc.
  – no model is perfect
  – Who watches the watcher?

Overview

• Internet Firewalls
  – concept: containment
    • choke point
  – prevents dangers of Internet from spreading to your Intranet
  – restricts people to entering at carefully controlled point(s)
    • can only leave that point too

Overview

• Firewall
  – prevents attackers from getting close to internal defenses
  – adequate if interactions conform to security policy (tight vs. loose)

• Consists of
  – hardware
    • routers, computers, networks
  – software
    • proxy servers, monitors

[Figure: Firewall System. From the Internet, an Exterior Router leads to the Perimeter Network holding the Bastion Host; an Interior Router connects the Perimeter Network to the Internal Network, which holds the Internal Server and the Desktop Systems. Exterior Router & Bastion Host may be combined.]

[Figure: Screened Subnet Architecture, with the same components: Internet, Exterior Router, Perimeter Network with Bastion Host, Interior Router, Internal Network with Internal Server and Desktop Systems.]

Overview

• Firewall Limitations
  – malicious insiders
  – people going around it (e.g., modems)
  – completely new threats
    • designed to protect against known threats
  – viruses

• Make vs. Buy
  – lots of offerings (see Internet)

Various Firewall Architectures

• Screening Router / Packet Filtering

• Proxy Services
  – application level gateways

• Dual-Homed Host

• Screened Host

• Screened Subnet

Various Firewall Architectures: IP Packet Filtering

• IP source address

• IP destination address

• Transport Layer Protocol

• TCP / UDP source port

• TCP / UDP destination port

• ICMP message type

Various Firewall Architectures: IP Packet Filtering

• Also Knows …
  – inbound and outbound interfaces

• Examples
  – block all incoming connections from outside except SMTP
  – block all connections to or from untrusted systems
  – allow SMTP, FTP, but block TFTP, X Windows, RPC, rlogin, rsh, etc.
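The three example policies on this slide can be written as an ordered rule table matched against exactly the header fields a screening router sees (addresses, transport protocol, ports, ICMP type, arrival interface). The model below is an added example for this page, not code from the course or from Building Internet Firewalls. It is stateless, as screening routers of this era were, so "incoming connection" is approximated by a TCP SYN carrying no ACK. The addresses are constructed from the RFC 5737 documentation ranges; treating 198.51.100.0/24 as the "untrusted systems" and 192.0.2.25 as the site's mail host are assumptions. The service ports are the well-known ones (SMTP 25, FTP 21, TFTP 69, RPC portmapper 111, rlogin 513, rsh 514, X Windows 6000-6063).

```python
# Added example: a toy stateless packet filter of the kind a screening
# router applies. Constructed for this page; not the course's code.
# Addresses are RFC 5737 documentation ranges (constructed values).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a screening router can see."""
    iface: str                     # "outside" or "inside": arrival interface
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # TCP/UDP destination port
    icmp_type: Optional[int] = None
    syn_only: bool = False         # TCP SYN without ACK = new connection


@dataclass(frozen=True)
class Rule:
    """One filter entry; 'any', 0.0.0.0/0 or None means 'do not care'."""
    action: str                    # "allow" or "deny"
    comment: str
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive port range
    icmp_type: Optional[int] = None
    new_conn: Optional[bool] = None           # True = only SYN packets

    def matches(self, p: Packet) -> bool:
        if self.iface != "any" and self.iface != p.iface:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if p.dport is None or not lo <= p.dport <= hi:
                return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.new_conn is not None and p.syn_only != self.new_conn:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "default deny"


UNTRUSTED = "198.51.100.0/24"     # assumed "untrusted systems" block
MAIL_HOST = "192.0.2.25/32"       # assumed internal SMTP server

# Order matters: the untrusted-systems denies sit above the SMTP allow,
# so even mail from those systems is dropped.
RULES = [
    Rule("deny", "untrusted source", src=UNTRUSTED),
    Rule("deny", "untrusted destination", dst=UNTRUSTED),
    Rule("deny", "TFTP", proto="udp", dport=(69, 69)),
    Rule("deny", "RPC portmapper", dport=(111, 111)),
    Rule("deny", "rlogin/rsh", proto="tcp", dport=(513, 514)),
    Rule("deny", "X Windows", proto="tcp", dport=(6000, 6063)),
    Rule("allow", "inbound SMTP", iface="outside", dst=MAIL_HOST,
         proto="tcp", dport=(25, 25), new_conn=True),
    Rule("deny", "inbound connection", iface="outside", new_conn=True),
    Rule("allow", "reply to outbound TCP", iface="outside", proto="tcp",
         new_conn=False),
    Rule("allow", "ICMP unreachable", iface="outside", proto="icmp",
         icmp_type=3),
    Rule("allow", "outbound traffic", iface="inside"),
]


def demo() -> dict:
    """Constructed packets exercising the slide's three example policies."""
    pkts = {
        "smtp_in": Packet("outside", "203.0.113.7", "192.0.2.25", "tcp", 25, syn_only=True),
        "telnet_in": Packet("outside", "203.0.113.7", "192.0.2.10", "tcp", 23, syn_only=True),
        "smtp_untrusted": Packet("outside", "198.51.100.4", "192.0.2.25", "tcp", 25, syn_only=True),
        "ftp_out": Packet("inside", "192.0.2.10", "203.0.113.9", "tcp", 21, syn_only=True),
        "tftp_out": Packet("inside", "192.0.2.10", "203.0.113.9", "udp", 69),
        "x11_in": Packet("outside", "203.0.113.7", "192.0.2.10", "tcp", 6000, syn_only=True),
        "ping_in": Packet("outside", "203.0.113.7", "192.0.2.10", "icmp", icmp_type=8),
        "unreach_in": Packet("outside", "203.0.113.1", "192.0.2.10", "icmp", icmp_type=3),
    }
    return {name: evaluate(RULES, p)[0] for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

Two design points carry over to real rule sets: the list is first-match with a closing default deny, so rule order is part of the policy (move the SMTP allow above the untrusted-systems denies and those systems can mail you again), and the "reply to outbound TCP" rule shows the limit of a stateless filter: it admits any inbound segment with ACK set because the router cannot tell whether a connection really exists, which is why later designs track connection state.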

Various Firewall Architectures: Dual-Homed Host

• One Computer, Two Networks
  – must proxy services
  – can examine data coming in from app level on down

[Figure: Dual-Homed Host Architecture. A single Dual-Homed Host (a tower box) stands between the Internet and the Internal Network of Desktop Systems; it is the Firewall.]

Various Firewall Architectures: Screened Host

• Bastion Host
  – controls connections to outside world
  – If broken, your interior network is open.

• Packet Filtering by Router
  – incoming

[Figure: Screening Router Architecture. A Screening Router connects the Internet to the Internal Network, where the Bastion Host sits alongside the Desktop Systems.]

Various Firewall Architectures: Screened Subnet

• Bastion Host
  – controls connections to outside world
  – on perimeter network

• Packet Filtering
  – two routers
  – incoming

[Figure: Screened Subnet Architecture. Internet, Exterior Router, Perimeter Network with Bastion Host, Interior Router, Internal Network with Internal Server and Desktop Systems.]