Chapter 1. Introduction to Network Security

Firewall Technologies

A detailed understanding of how firewalls and their related technologies work is extremely important for all network security professionals. This knowledge will help them to configure and manage the security of their networks accurately and effectively. The word firewall commonly describes systems or devices that are placed between a trusted and an untrusted network.

Several network firewall solutions offer user and application policy enforcement that provides multivector attack protection for different types of security threats. They often provide logging capabilities that allow the security administrators to identify, investigate, validate, and mitigate such threats.

Additionally, several software applications can run on a system to protect only that host. These types of applications are known as personal firewalls. This section includes an overview of network and personal firewalls and their related technologies.



Network Firewalls

It is important to recognize the value of perimeter security in today's networking world. Network-based firewalls provide key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter the network based on explicit preconfigured policies and rules. The processes that are used to allow or block traffic may include the following:

Simple packet-filtering techniques
Multifaceted application proxies
Stateful inspection systems

Packet-Filtering Techniques

The purpose of packet filters is simply to control access to specific network segments by defining which traffic can pass through them. They usually inspect incoming traffic at the transport layer of the Open Systems Interconnection (OSI) model. For example, packet filters can analyze TCP or UDP packets and judge them against a set of predetermined rules called access control lists (ACLs). They inspect the following elements within a packet:

Source address
Destination address
Source port
Destination port
Protocol

Note

Packet filters do not commonly inspect additional Layer 3 and Layer 4 fields such as sequence numbers, TCP control flags, and the TCP acknowledgement (ACK) field.

Various packet-filtering firewalls can also inspect packet header information to find out if the packet is from a new or an existing connection. Simple packet-filtering firewalls have several limitations and weaknesses:

Their ACLs or rules can be relatively large and difficult to manage.
They can be deceived into permitting unauthorized access of spoofed packets. Attackers can orchestrate a packet with an IP address that is authorized by the ACL.
Numerous applications can build multiple connections on randomly negotiated ports. This makes it difficult to determine which ports will be selected and used until after the connection is completed. Examples of this type of application are several multimedia applications, including RealAudio, QuickTime, and other streaming audio and video applications. Packet filters do not understand the underlying upper-layer protocols used by this type of application, and providing support for this type of application is difficult because the ACLs need to be manually configured in packet-filtering firewalls.
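The following is an added example (not code from the book) of the packet-filter logic just described: a packet is reduced to the five fields a filter inspects, an ordered ACL is evaluated first-match with an implicit deny, and the spoofing weakness is answered defensively with anti-spoofing entries that deny any packet arriving on the outside interface with an RFC 1918 source address. The rules, the 198.51.100.0/24 outside host, and the packets are constructed; 209.165.200.240 is the public web-server address used later in the chapter.

```python
"""Packet-filter ACL evaluator: an added example, not code from the book.

It inspects only the five fields a packet filter looks at (source address,
destination address, source port, destination port, protocol), walks an
ordered ACL with first-match semantics and an implicit deny, and shows one
defensive answer to the spoofing weakness described above: on the outside
interface, deny any packet whose source claims to be an RFC 1918 private
address.  Addresses, rules, and packets are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# The three private ranges from Table 1-1.
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR prefix
    dst: str                     # CIDR prefix
    dport: Optional[int] = None  # None = any port
    sport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        return True


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match is the implicit deny most filters apply."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# ACL applied to traffic arriving on the outside interface (constructed policy).
# 209.165.200.240 is the public web-server address used in the chapter's figures.
OUTSIDE_IN: List[Rule] = [
    # Anti-spoofing: nothing legitimately arriving from the Internet carries a private source.
    *[Rule("deny", "ip", str(net), "0.0.0.0/0") for net in RFC1918],
    Rule("permit", "tcp", "0.0.0.0/0", "209.165.200.240/32", dport=80),
    Rule("permit", "tcp", "0.0.0.0/0", "209.165.200.240/32", dport=443),
]


def classify(acl: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    return [(p, evaluate(acl, p)) for p in packets]


if __name__ == "__main__":
    samples = [  # constructed packets; 198.51.100.0/24 is a documentation prefix
        Packet("198.51.100.7", "209.165.200.240", "tcp", 51000, 80),
        Packet("198.51.100.7", "209.165.200.240", "tcp", 51001, 22),
        Packet("10.10.10.8", "209.165.200.240", "tcp", 51002, 80),   # private source on outside
    ]
    for pkt, verdict in classify(OUTSIDE_IN, samples):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {verdict}")
```

Note that the evaluator has no notion of whether a packet belongs to an existing connection: it cannot tell a reply to an inside-initiated session from a new inbound attempt, which is exactly the limitation that drives the manual, ever-growing ACLs the chapter warns about.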

Application Proxies

Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy in order to transfer data to the unprotected network or the Internet. Consequently, the application proxy sends the request on behalf of the internal client. The majority of proxy firewalls work at the application layer of the OSI model. Few proxy firewalls have the ability to cache information to accelerate their transactions. This is a great tool for networks that have numerous servers that experience considerably high usage. A disadvantage of application proxies is their inability to scale. This makes them difficult to deploy in large environments.

Network Address Translation

Several Layer 3 devices can provide Network Address Translation (NAT) services. The application proxy translates the internal host's IP addresses to a publicly routable address. NAT is often used by firewalls; however, other devices such as wireless access points provide support for NAT. By using NAT, the firewall exposes its own network address or public address range to the unprotected network. This enables a network professional to use any IP address space as the internal network. A best practice is to use the address spaces that are reserved for private use (see RFC 1918, "Address Allocation for Private Internets"). Table 1-1 lists the private address ranges specified in RFC 1918.

Table 1-1. RFC 1918 Private Address Ranges

Network Address Range          Network/Mask
10.0.0.0-10.255.255.255        10.0.0.0/8
172.16.0.0-172.31.255.255      172.16.0.0/12
192.168.0.0-192.168.255.255    192.168.0.0/16

It is important to think about the different private address spaces when you plan your network (for example, the number of hosts and subnets that can be configured). Careful planning and preparation will lead to substantial time savings if changes are encountered down the road.

Port Address Translation

Normally, application proxies perform a technique called Port Address Translation (PAT). This feature allows many devices on the internal protected network to share one IP address by inspecting the Layer 4 information on the packet. This address is usually the firewall's public address. Figure 1-1 shows how PAT works.

Figure 1-1. PAT Example

As illustrated in Figure 1-1, several hosts on a protected network labeled "inside" are configured with an address from the network 10.10.10.0 with a 24-bit subnet mask. The application proxy is performing PAT for the internal hosts and translating the 10.10.10.x addresses into its own address (209.165.200.228). In this example, Host A sends a TCP port 80 packet to the web server located in the "outside" unprotected network. The application proxy translates the request from the original 10.10.10.8 IP address of Host A to its own address. It does this by randomly selecting a different Layer 4 source port when forwarding the request to the web server.

Static Translation

A different methodology is used when hosts in the unprotected network need to contact specific hosts behind the NAT device. This is done by creating a static mapping of the public IP address and the address of the internal protected device. For example, static NAT can be configured when a web server has a private IP address but needs to be contacted by hosts located in the unprotected network or the Internet. Figure 1-2 demonstrates how static translation works.

Figure 1-2. Example of Static Translation

In Figure 1-2, the web server address (10.10.10.230) is statically translated to an address in the outside network (209.165.200.240, in this case). This allows the outside host to initiate a connection to the web server by directing the traffic to 209.165.200.240. The device performing NAT then translates and sends the request to the web server on the inside network.

Address translation is not limited to firewalls. Nowadays, devices from simple small office, home office (SOHO) routers to very sophisticated stateful inspection firewalls are able to perform different types of NAT techniques.
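The following is an added example (not code from the book) of a translation table that covers both Figure 1-1 and Figure 1-2: inside hosts share 209.165.200.228 and are told apart by a translated source port, while the web server 10.10.10.230 has a static entry to 209.165.200.240 so outside hosts can reach it. The inside hosts' ports and the outside addresses are constructed; the chapter says the translated port is chosen randomly, whereas this example takes the lowest free port from a pool, which is a simplification of the same mechanism.

```python
"""Dynamic PAT and static NAT translation table: an added example, not code from the book.

Inside hosts sharing the firewall's public address are told apart by the
translated Layer 4 source port (Figure 1-1); a server with a static entry
keeps a fixed public address so outside hosts can initiate connections to
it (Figure 1-2).  Addresses follow the chapter's figures; host ports and
the outside hosts are constructed.  The chapter says the device picks the
translated port randomly; here the lowest free port in a pool is taken
instead, a simplification of the same idea.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Translator:
    def __init__(self, public_addr: str, static_map: Optional[Dict[str, str]] = None,
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        self.public = public_addr
        self.static = dict(static_map or {})                      # inside -> public
        self.static_rev = {v: k for k, v in self.static.items()}  # public -> inside
        self.lo, self.hi = port_range
        # PAT entries: forward key -> translated port; reverse key -> original (src, sport)
        self.pat: Dict[Tuple[str, int, str, int, str], int] = {}
        self.pat_rev: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def _alloc_port(self) -> int:
        """Lowest unused port in the pool; unique so replies can be mapped back."""
        used = {k[0] for k in self.pat_rev}
        for p in range(self.lo, self.hi + 1):
            if p not in used:
                return p
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, f: Flow) -> Flow:
        """Inside -> outside. Static hosts keep their 1:1 mapping; everyone else is PAT'd."""
        if f.src in self.static:
            return Flow(self.static[f.src], f.sport, f.dst, f.dport, f.proto)
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        if key not in self.pat:
            port = self._alloc_port()
            self.pat[key] = port
            self.pat_rev[(port, f.dst, f.dport, f.proto)] = (f.src, f.sport)
        return Flow(self.public, self.pat[key], f.dst, f.dport, f.proto)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside. Returns the untranslated flow, or None when no mapping
        exists: an unsolicited packet to the shared PAT address has nowhere to go."""
        if f.dst in self.static_rev:
            return Flow(f.src, f.sport, self.static_rev[f.dst], f.dport, f.proto)
        if f.dst == self.public:
            hit = self.pat_rev.get((f.dport, f.src, f.sport, f.proto))
            if hit is not None:
                inside, sport = hit
                return Flow(f.src, f.sport, inside, sport, f.proto)
        return None


if __name__ == "__main__":
    nat = Translator("209.165.200.228", {"10.10.10.230": "209.165.200.240"})
    a = nat.outbound(Flow("10.10.10.8", 40000, "203.0.113.10", 80))  # Host A
    b = nat.outbound(Flow("10.10.10.9", 40000, "203.0.113.10", 80))  # same source port
    print("PAT:", a, b)
    print("reply:", nat.inbound(Flow("203.0.113.10", 80, "209.165.200.228", a.sport)))
    print("static:", nat.inbound(Flow("198.51.100.7", 50000, "209.165.200.240", 80)))
    print("unsolicited:", nat.inbound(Flow("203.0.113.10", 80, "209.165.200.228", 60000)))
```

The last call shows a side effect of PAT that is worth keeping in mind: an inbound packet to the shared address that matches no existing entry cannot be delivered to any inside host, so it is dropped, whereas the statically mapped server accepts new inbound connections.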

Stateful Inspection Firewalls

Stateful inspection firewalls provide enhanced benefits when compared to the simple packet-filtering firewalls. They track every connection passing through their interfaces by assuring that they are valid connections. They examine not only the packet header contents, but also the application layer information within the payload. This is done to find out more about the transaction than just the source and destination addresses and ports. A stateful firewall monitors the state of the connection and maintains a database with this information. This database is usually called the state table. The state of the connection details whether such connection has been established, closed, reset, or is being negotiated. These mechanisms offer protection for different types of network attacks.
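The following is an added example (not code from the book) of the state table the paragraph describes. Each TCP connection gets one entry keyed by its inside and outside address/port pairs; the entry moves through the negotiating, established, closed, and reset states as the handshake and teardown flags go by, and an inbound packet is permitted only when it belongs to a connection an inside host opened. Packets and flags are constructed; timeouts, sequence-number checking, and the final ACK of the teardown are deliberately left out.

```python
"""Stateful inspection state table: an added example, not code from the book.

Every TCP connection crossing the firewall gets one entry in a state table
keyed by the inside and outside address/port pairs.  The entry follows the
handshake and teardown flags, so it records whether the connection is
being negotiated, established, closed, or reset, and inbound packets are
permitted only when they belong to a connection the inside host opened.
Packets and flags are constructed; timeouts, sequence-number checks, and
the final ACK of the teardown are left out to keep the state machine short.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Key = Tuple[str, int, str, int]   # (inside ip, inside port, outside ip, outside port)


@dataclass(frozen=True)
class Pkt:
    direction: str          # "out" = inside -> outside, "in" = outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


def pkt(direction: str, src: str, sport: int, dst: str, dport: int, *flags: str) -> Pkt:
    return Pkt(direction, src, sport, dst, dport, frozenset(flags))


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}    # live connections
        self.closed: Dict[Key, str] = {}   # how finished connections ended ("CLOSED"/"RESET")

    @staticmethod
    def _key(p: Pkt) -> Key:
        # Both directions of one connection map to the same entry.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def state(self, inside: str, iport: int, outside: str, oport: int) -> Optional[str]:
        return self.table.get((inside, iport, outside, oport))

    def _finish(self, key: Key, how: str) -> None:
        del self.table[key]
        self.closed[key] = how

    def process(self, p: Pkt) -> str:
        key = self._key(p)
        st = self.table.get(key)
        f = set(p.flags)
        if st is None:
            # Only the inside may open a connection, and only with a bare SYN.
            # An unsolicited inbound SYN, or any packet with no entry, is dropped.
            if p.direction == "out" and f == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return "permit"
            return "deny"
        if "RST" in f:
            self._finish(key, "RESET")
            return "permit"
        if st == "SYN_SENT" and p.direction == "in" and f == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"
            return "permit"
        if st == "SYN_RECEIVED" and p.direction == "out" and f == {"ACK"}:
            self.table[key] = "ESTABLISHED"
            return "permit"
        if st == "ESTABLISHED":
            if "FIN" in f:
                self.table[key] = "FIN_WAIT"
            return "permit"
        if st == "FIN_WAIT":
            if "FIN" in f:
                self._finish(key, "CLOSED")
            return "permit"
        # Anything else is out of sequence for the connection's current state.
        return "deny"


if __name__ == "__main__":
    fw = StatefulFirewall()
    sample = [
        pkt("out", "10.10.10.8", 40000, "203.0.113.10", 80, "SYN"),
        pkt("in", "203.0.113.10", 80, "10.10.10.8", 40000, "SYN", "ACK"),
        pkt("out", "10.10.10.8", 40000, "203.0.113.10", 80, "ACK"),
        pkt("in", "198.51.100.7", 5555, "10.10.10.8", 22, "SYN"),    # unsolicited
    ]
    for p in sample:
        print(p.direction, sorted(p.flags), "->", fw.process(p))
    print("state:", fw.state("10.10.10.8", 40000, "203.0.113.10", 80))
```

Because the decision depends on the entry's state and the TCP flags, the firewall permits the reply SYN/ACK and later data for a connection the inside opened while denying a bare inbound SYN to the same host, something a packet filter that ignores flags and connection history cannot do without a standing permit rule.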

Numerous firewalls have the capability to configure a network (or zone) where you can place devices to allow outside or Internet hosts to access them. These areas or network segments are usually called demilitarized zones (DMZs). These zones provide security to the systems that reside within them, but with a different security level than your inside network. Sophisticated firewall solutions can be configured with several DMZs. Figure 1-3 exemplifies this technique.

Figure 1-3. Firewall DMZ Configurations

The example in Figure 1-3 shows how a firewall (a Cisco ASA 5500 appliance, in this case) can be deployed and configured to protect several DMZ networks. DMZs minimize the exposure of devices and clients on your external network by allowing only recognized and managed services on those hosts to be accessible by hosts on the Internet.



Personal Firewalls

Personal firewalls use similar methods as network-based firewalls. They provide filtering techniques and stateful inspection of connections directed to the specific host. Conversely, they abridge the operation of the application to meet the needs of a less technically inclined consumer. Personal firewall applications can restrict access to services and applications installed within a single host. This is commonly deployed to telecommuters and remote mobile users. Several personal firewalls generally protect the host from inbound connections and attacks; however, they allow all outbound connections.

There are many differences between personal firewalls and network-based firewalls. One of the major differences is the deployment model and the security services each of them provides.



Intrusion Detection and Prevention Technologies

In the security world, intrusion detection systems (IDSs) are devices that detect attempts from an attacker to gain unauthorized access to a network or a host to create performance degradation or to steal information. They also detect DDoS attacks, worms, and virus outbreaks. The number and complexity of security threats have skyrocketed over recent years. Achieving efficient network intrusion security is vital to maintaining a high level of protection. Cautious protection ensures business continuity and minimizes the effects of costly interruption of services. Like firewalls, there are two different types of intrusion detection systems:

Network-based intrusion detection systems (NIDS)
Host-based intrusion detection systems (HIDS)



Network-Based Intrusion Detection and Prevention Systems

Network-based intrusion detection and prevention systems are designed to precisely identify, categorize, and protect against known and unknown threats targeting a network. These threats include worms, DoS attacks, and any other detected vulnerabilities. Several detection methodologies are widely deployed. These techniques or methodologies embrace the following:

Pattern matching and stateful pattern-matching recognition
Protocol analysis
Heuristic-based analysis
Anomaly-based analysis



Pattern Matching and Stateful Pattern-Matching Recognition

Pattern matching is a methodology in which the intrusion detection device searches for a fixed sequence of bytes within the packets traversing the network. Generally, the pattern is aligned with a packet that is related to a respective service or, in particular, associated with a source and destination port. This approach reduces the amount of inspection made on every packet. However, it is limited to services and protocols that are associated with well-defined ports. Protocols that do not use any Layer 4 port information will not be categorized. This tactic uses the concept of signatures. A signature is a set of conditions that point out some type of intrusion occurrence. For example, if a specific TCP packet has a destination port of 1234 and its payload contains the string "ff11ff22," an alert will be triggered to detect such string. Alternatively, the signature could include an explicit starting point and endpoint for inspection within the specific packet.

The benefits of the plain pattern-matching technique include the following:

Direct correlation of an exploit
Trigger alerts on the pattern specified
Can be applied across different services and protocols

One of the main disadvantages is that pattern matching can lead to a considerably high rate of false positives. False positives are alerts that do not represent a genuine malicious activity. In contrast, any alterations to the attack can lead to overlooked events of real attacks, which are normally referred to as false negatives.

To address some of these limitations, a more refined method was created. This methodology is called stateful pattern-matching recognition. This process dictates that systems performing this type of signature analysis must consider the chronological order of packets in a TCP stream. In particular, they should judge and maintain a stateful inspection of such packets and flows.

The advantages of stateful pattern-matching recognition include the following:

It has the capability to directly correlate a specific exploit within the pattern.
Supports all non-encrypted IP protocols.

Systems that perform stateful pattern matching keep track of the arrival order of packets in a TCP stream and handle matching patterns across packet boundaries. However, stateful pattern-matching recognition shares some of the same restrictions of the simple pattern-matching methodology, which was discussed previously, including an uncertain rate of false positives and a possibility of some false negatives.
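The following is an added example (not code from the book) that puts the two techniques side by side using the signature the section describes (destination port 1234, payload containing "ff11ff22"). plain_match() inspects a single segment and misses the pattern when it is split across two segments; StatefulMatcher reassembles the stream in sequence-number order and matches across segment boundaries. The segments are constructed, and the example assumes a stream starts at the first segment seen (a real sensor takes the initial sequence number from the handshake).

```python
"""Plain versus stateful pattern matching: an added example, not code from the book.

The signature is the one the chapter describes: destination TCP port 1234
and the byte string "ff11ff22" in the payload.  plain_match() checks one
packet in isolation and misses the pattern when it straddles two TCP
segments.  StatefulMatcher reassembles each stream in sequence-number
order and scans across segment boundaries, which is what the chapter means
by stateful pattern-matching recognition.  Segments are constructed; the
stream is assumed to start at the first segment seen (a real sensor takes
the initial sequence number from the handshake).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    dport: int
    pattern: bytes


SIGS = [Signature("example-ff11ff22", 1234, b"ff11ff22")]


def plain_match(seg: Segment, sigs: List[Signature] = SIGS) -> List[str]:
    """Per-packet matching: port pre-filter, then a byte search in this segment only."""
    return [s.name for s in sigs if seg.dport == s.dport and s.pattern in seg.payload]


class StatefulMatcher:
    def __init__(self, sigs: List[Signature] = SIGS) -> None:
        self.sigs = sigs
        self.streams: Dict[tuple, dict] = {}
        # Longest prefix of any pattern that later bytes could still complete.
        self.tail = max(len(s.pattern) for s in sigs) - 1

    def feed(self, seg: Segment) -> List[str]:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        st = self.streams.setdefault(key, {"next": seg.seq, "pending": {}, "buf": b""})
        st["pending"][seg.seq] = seg.payload
        # Append data in sequence order; out-of-order segments wait in pending.
        while st["next"] in st["pending"]:
            data = st["pending"].pop(st["next"])
            st["buf"] += data
            st["next"] += len(data)
        hits = [s.name for s in self.sigs
                if seg.dport == s.dport and s.pattern in st["buf"]]
        # Keep only the bytes that could still complete a pattern across the next
        # boundary, so each match is reported once and memory per stream stays bounded.
        st["buf"] = st["buf"][-self.tail:] if self.tail else b""
        return hits


if __name__ == "__main__":
    base = ("198.51.100.7", 40000, "10.10.10.230", 1234)   # constructed 4-tuple
    a = Segment(*base, 1000, b"GET-HEADER-ff11")   # pattern starts here...
    b = Segment(*base, 1015, b"ff22-TRAILER")      # ...and ends here
    c = Segment(*base, 1027, b"xyz")               # arrives before b
    print("plain:", plain_match(a), plain_match(b))
    m = StatefulMatcher()
    print("stateful:", m.feed(a), m.feed(c), m.feed(b))
```

The false-positive point from the text is visible in the same code: any segment to port 1234 whose payload happens to contain the eight characters "ff11ff22", for instance a benign text discussing the string, fires the signature just as the real thing would.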

Protocol Analysis

Protocol analysis (or protocol decode-based signatures) is often referred to as the extension to stateful pattern recognition. A NIDS accomplishes protocol analysis by decoding all protocol or client-server conversations. The NIDS identifies the elements of the protocol and analyzes them while looking for an infringement. Some intrusion detection systems look at explicit protocol fields within the inspected packets. Others require more sophisticated techniques, such as examination of the length of a field within the protocol or the number of arguments. For example, in SMTP, the device may look at specific commands and fields such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. This technique diminishes the possibility of encountering false positives if the protocol being analyzed is properly defined and enforced. On the other hand, the system can alert numerous false positives if the protocol definition is ambiguous or tolerates flexibility in its implementation.
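The following is an added example (not code from the book) of the protocol-decode approach applied to the SMTP commands listed above. Rather than searching for bytes, it decodes each client command line, checks the verb against a command table, and applies the field checks the paragraph mentions: line length, argument length, and argument count. The command table, the limits, and the sample session are constructed; the 512-byte command-line limit is the one RFC 5321 specifies, and a production decoder would implement that RFC in full.

```python
"""Protocol-decode checks for SMTP commands: an added example, not code from the book.

Instead of searching for byte patterns, the analyzer decodes each client
command line, checks it against the commands the chapter lists (HELO,
MAIL, RCPT, DATA, RSET, NOOP, QUIT), and applies field checks such as the
length of an argument and the number of arguments.  The command table and
limits are constructed for this example; a production decoder would follow
RFC 5321 in full.
"""
from typing import Dict, List, Tuple

# verb -> (min args, max args): HELO takes a hostname, MAIL/RCPT one path, the rest none.
SMTP_COMMANDS: Dict[str, Tuple[int, int]] = {
    "HELO": (1, 1), "MAIL": (1, 1), "RCPT": (1, 1),
    "DATA": (0, 0), "RSET": (0, 0), "NOOP": (0, 1), "QUIT": (0, 0),
}
MAX_LINE = 512   # RFC 5321 command-line limit, CRLF included
MAX_ARG = 256    # constructed per-argument limit for this example


def analyze_line(line: bytes) -> List[str]:
    """Return the findings for one client command line; an empty list means clean."""
    findings: List[str] = []
    if len(line) > MAX_LINE:
        findings.append("line-too-long")
    if not line.endswith(b"\r\n"):
        findings.append("bad-line-terminator")
    text = line.rstrip(b"\r\n")
    if any(c < 0x20 or c > 0x7E for c in text):
        findings.append("non-printable-bytes")
    parts = text.split()
    if not parts:
        findings.append("empty-command")
        return findings
    verb = parts[0].upper().decode("ascii", "replace")
    args = parts[1:]
    if verb not in SMTP_COMMANDS:
        findings.append(f"unknown-command:{verb}")
        return findings
    lo, hi = SMTP_COMMANDS[verb]
    if not lo <= len(args) <= hi:
        findings.append(f"argument-count:{verb}:{len(args)}")
    for a in args:
        if len(a) > MAX_ARG:
            findings.append(f"argument-too-long:{verb}")
    if verb in ("MAIL", "RCPT") and args:
        prefix = b"FROM:" if verb == "MAIL" else b"TO:"
        if not args[0].upper().startswith(prefix):
            findings.append(f"malformed-path:{verb}")
    return findings


def analyze_session(lines: List[bytes]) -> List[Tuple[int, List[str]]]:
    """Run the per-line checks over a client's commands; returns (line number, findings)."""
    return [(i, f) for i, l in enumerate(lines, 1) if (f := analyze_line(l))]


SESSION = [   # constructed client side of an SMTP exchange
    b"HELO mail.example.net\r\n",
    b"MAIL FROM:<alice@example.net>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"RCPT TO: <carol@example.com>\r\n",   # space after the colon: a strict decoder flags it
    b"BOGUS\r\n",
    b"DATA\r\n",
]

if __name__ == "__main__":
    for lineno, findings in analyze_session(SESSION):
        print(lineno, SESSION[lineno - 1].rstrip(), findings)
```

Line 4 of the session illustrates the paragraph's last point: "RCPT TO: <carol@example.com>" splits into two arguments and is flagged, yet many mail servers accept the extra space, so a decoder that enforces the strict grammar alerts on traffic that real implementations tolerate.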

Heuristic-Based Analysis

A different approach to network intrusion detection is to perform heuristic-based analysis. Heuristic scanning uses algorithmic logic from statistical analysis of the traffic passing through the network. Its tasks are CPU and resource intensive.


