Post on 23-Dec-2015
Network Perimeter Security
Yu Wang
Main Topics
• Border Router
• Firewall
• IPS/IDS
• VLAN
• SPAM
• AAA
• Q/A
Border Router
• Gate to the Internet
• First and last line of defense
• Role of a router
– Designed to route packets
– Operates primarily on layer 3
– Able to filter packets using Access Control Lists (ACLs)
• Limitations as a network security control
– ACL filtering is stateless: each packet is judged on its own, so the router cannot tell a legitimate reply from an unsolicited inbound connection
– No inspection above layer 4 (no payload or application awareness)
Router ACL
• Standard ACL (layer 3, matches on source address only)
– access-list 1 permit 168.223.0.0 0.0.255.255
– access-list 2 deny 192.168.0.0 0.0.0.255
• Extended ACL (layers 3 and 4: protocol, source, destination, port)
– access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www
– access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log
– access-list 101 deny ip any any
• The second field of an address is a wildcard mask (a 1 bit means "don't care"), so 0.0.255.255 covers a /16 and 0.0.0.255 a /24
• Entries are evaluated top down and the first match wins; every ACL ends with an implicit deny, so the explicit "deny ip any any" mainly makes the dropped traffic visible in the counters
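To make the ACL semantics concrete, here is a small evaluator for the entries above. It is an added example, not code from the slides or from Cisco: it implements only the subset the slide uses (standard ACLs 1-99 and 1300-1999 matching on source; extended ACLs with protocol, source, destination, `eq <port>` and `log`), and the packets it evaluates are constructed for illustration.

```python
"""Evaluator for the Cisco-style numbered ACL entries shown on the slide.

Added example, not from the slides. Addresses are written network + wildcard
mask, where a 1 bit in the wildcard means "don't care" (0.0.0.255 covers a
/24; "host x" means every bit matters; "any" matches everything).
"""
import ipaddress
from dataclasses import dataclass

# Port keywords IOS accepts in place of numbers (subset).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one address spec; return (value, care_mask, remaining tokens).

    A packet address a matches when (a & care_mask) == value."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0xFFFFFFFF, tokens[2:]
    care = 0xFFFFFFFF ^ _ip(tokens[1])  # invert the wildcard mask
    return _ip(tokens[0]) & care, care, tokens[2:]


def parse_entry(line):
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    number, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    rest = tokens[3:]
    entry = {"action": action, "proto": "ip", "dport": None, "log": False,
             "dst": 0, "dst_care": 0}
    if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard: source only
        entry["src"], entry["src_care"], rest = _parse_addr(rest)
    else:  # extended: protocol, source, destination, options
        entry["proto"], rest = rest[0], rest[1:]
        entry["src"], entry["src_care"], rest = _parse_addr(rest)
        entry["dst"], entry["dst_care"], rest = _parse_addr(rest)
        while rest:
            if rest[0] == "eq":
                entry["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
                rest = rest[2:]
            elif rest[0] == "log":
                entry["log"], rest = True, rest[1:]
            else:
                raise ValueError(f"unsupported keyword {rest[0]!r} in: {line}")
    return entry


def matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt.proto:
        return False
    if (_ip(pkt.src) & entry["src_care"]) != entry["src"]:
        return False
    if (_ip(pkt.dst) & entry["dst_care"]) != entry["dst"]:
        return False
    if entry["dport"] is not None and entry["dport"] != pkt.dport:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Walk the ACL top down; the first matching entry decides.

    Returns (action, matching line, log flag). If nothing matches, IOS
    applies an implicit deny, reported here with line None."""
    for line in acl_lines:
        entry = parse_entry(line)
        if matches(entry, pkt):
            return entry["action"], line, entry["log"]
    return "deny", None, False


# The extended ACL from the slide, one entry per line, in order.
ACL_101 = [
    "access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www",
    "access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log",
    "access-list 101 deny ip any any",
]

if __name__ == "__main__":
    # Constructed packets: web traffic from the permitted /16, HTTPS to the
    # same host (denied), and a host from the logged /24.
    for pkt in (Packet("tcp", "168.223.5.6", "128.186.6.14", 80),
                Packet("tcp", "168.223.5.6", "128.186.6.14", 443),
                Packet("tcp", "192.168.0.9", "128.186.6.14", 80)):
        print(pkt, "->", evaluate(ACL_101, pkt))
```

Reordering the entries changes the outcome: with `deny ip any any` moved to the top, the web traffic the slide intends to permit is dropped before its permit line is ever consulted, which is the usual cause of an ACL that "does nothing".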
Firewall
• What is a firewall
– A network device designed to filter packets
– A software application developed to do the same function on a host
• Firewall operates on layers 3 – 7
• Firewall is stateful
– If a packet is allowed to pass, a connection entry is added to the state table
– Return traffic that matches an existing entry is forwarded without re-evaluating the rule set; traffic that matches neither a rule nor an entry is dropped
TCP States (TCP connection state-transition diagram; figure not reproduced in this text)
Firewall Stateful Operations
• State Table (connection entries, in the form of the PIX "show conn" output)
– TCP out 67.76.135.17:26944 in 128.186.120.4:993 idle 23:27:42 bytes 333091 flags UfFIOB
– TCP out 71.229.26.75:60849 in 128.186.120.56:22 idle 2:26:47 bytes 2074496 flags UIOB
– ICMP out 192.168.25.15:512 in 128.186.120.179:0 idle 0:00:00 bytes 2048
– UDP out 64.70.24.76:53 in 128.186.120.179:1110 idle 0:00:00 flags –
• Stateful filtering – layer 4 and lower
• Stateful inspection – all layers
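The following toy filter shows what the state table above buys over a stateless ACL. It is an added example, not code from the slides and not the PIX implementation: the policy (inside hosts may open TCP/UDP flows outward, outside packets are forwarded only when they reverse an existing entry, entries expire after an idle timeout) and the packet trace are constructed. Time is carried on each packet so the run is deterministic.

```python
"""Toy stateful packet filter (added example, not the slides' or Cisco's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float         # arrival time in seconds (constructed, not wall clock)
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    def __init__(self, inside, idle_timeout):
        self.inside = ipaddress.ip_network(inside)
        self.idle_timeout = idle_timeout
        # (proto, inside ip, inside port, outside ip, outside port) -> last seen
        self.table = {}

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def _expire(self, now):
        """Drop entries idle longer than the timeout (the 'idle' column)."""
        for key, last in list(self.table.items()):
            if now - last > self.idle_timeout:
                del self.table[key]

    def process(self, p):
        self._expire(p.t)
        out_key = (p.proto, p.src, p.sport, p.dst, p.dport)
        in_key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self._inside(p.src) and not self._inside(p.dst):
            if out_key in self.table:
                self.table[out_key] = p.t      # known flow: refresh idle timer
                return "permit"
            if p.proto == "tcp" and not (p.syn and not p.ack):
                return "drop"                  # new TCP flow must start with a bare SYN
            self.table[out_key] = p.t          # new outbound flow: create state
            return "permit"
        if self._inside(p.dst) and not self._inside(p.src):
            if in_key in self.table:
                self.table[in_key] = p.t       # reply to a flow an inside host opened
                return "permit"
            return "drop"                      # unsolicited inbound: no state, dropped
        return "drop"

    def show_conn(self):
        """Render the table roughly the way the slide does."""
        return [f"{proto.upper()} out {o_ip}:{o_port} in {i_ip}:{i_port} last {last:g}"
                for (proto, i_ip, i_port, o_ip, o_port), last in self.table.items()]


def scenario():
    """Constructed trace against 128.186.120.0/24; returns one decision per packet."""
    fw = StatefulFilter("128.186.120.0/24", idle_timeout=300)
    packets = [
        Packet("tcp", "128.186.120.56", 60849, "71.229.26.75", 22, t=0.0, syn=True),             # inside opens SSH
        Packet("tcp", "71.229.26.75", 22, "128.186.120.56", 60849, t=0.1, syn=True, ack=True),   # SYN/ACK reply
        Packet("tcp", "71.229.26.75", 22, "128.186.120.56", 60850, t=0.2, syn=True, ack=True),   # wrong port: no entry
        Packet("tcp", "203.0.113.5", 4444, "128.186.120.4", 993, t=0.3, syn=True),               # outside-initiated
        Packet("udp", "128.186.120.179", 1110, "64.70.24.76", 53, t=1.0),                        # DNS query out
        Packet("udp", "64.70.24.76", 53, "128.186.120.179", 1110, t=1.1),                        # DNS reply back
        Packet("udp", "64.70.24.76", 53, "128.186.120.179", 1110, t=500.0),                      # reply after idle timeout
        Packet("tcp", "128.186.120.4", 40000, "198.51.100.9", 80, t=501.0, ack=True),            # inside ACK, no SYN, no state
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision in scenario():
        print(decision)
```

The third and fourth packets are what a stateless ACL cannot distinguish from legitimate replies: both carry plausible ports and flags, and only the absence of a matching table entry identifies them as unsolicited.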
Firewall Product Examples
• Hardware firewall
– CISCO PIX firewall
– Home router firewall
• Software firewall
– iptables – Linux
– IPFilter (ipf) – Solaris
– Windows Firewall – built into Windows XP
IPS/IDS
• Intrusion Prevention/Detection System
– A firewall is good at packet filtering but weak at layer 7 inspection
– IPS/IDS operate on layers 2 – 7
– An IPS can provide application protection, performance protection, and infrastructure protection
– It is usually a dedicated network appliance that matches traffic against a database of known attack signatures
– An IDS only detects and alerts; an IPS sits in-line and can also drop the offending traffic
IPS/IDS
• IPS examples
– TippingPoint UnityOne IPS
• Uses "Digital Vaccine" signature updates to block viruses/worms, spyware, phishing, P2P, DDoS
• Does not replace the firewall
IPS/IDS
• IPS examples
– Packeteer Traffic Shaper
• Guarantees bandwidth for legitimate network traffic
• Controls malicious network traffic
• Makes better use of existing bandwidth
IPS/IDS
• IPS examples
– CISCO ASA
• Uses modular approach
• Simplifies configuration and management
IPS/IDS
• IDS examples
– Snort
• An open source solution
• Low-budget system, suitable at the organizational-unit level
• Runs on UNIX, Linux, Windows
• Slower compared to ASA, TippingPoint
• More flexible compared to ASA, TippingPoint
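Signature matching, the mechanism the IDS slides describe, can be shown with a few rules in Snort's syntax run against constructed packets. This is an added example, not Snort itself and not from the slides: it parses only a small subset of the rule language (the header, plus `msg`, `content` and `nocase`, with hex bytes between `|` `|`), ignores source and destination addresses, and the rules and payloads are made up for illustration.

```python
"""Signature matching as a Snort-style IDS does it (added example, not Snort)."""
import re
from dataclasses import dataclass

# action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    dport: str       # "any" or a port number
    msg: str
    content: bytes
    nocase: bool


def _content_bytes(text):
    """Expand Snort content syntax: plain text with |90 90| hex segments."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line}")
    action, proto, _src, _sport, _dst, dport, opts = m.groups()
    msg, content, nocase = "", b"", False
    # Options are ';'-separated; this subset does not handle ';' inside a string.
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        if opt == "nocase":
            nocase = True
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            content = _content_bytes(val)
        else:
            raise ValueError(f"unsupported option {key!r} in: {line}")
    return Rule(action, proto, dport, msg, content, nocase)


def inspect(rules, proto, dport, payload):
    """Return the msg of every rule whose header and content match the packet."""
    hits = []
    for r in rules:
        if r.proto != proto or (r.dport != "any" and int(r.dport) != dport):
            continue
        hay, needle = (payload.lower(), r.content.lower()) if r.nocase else (payload, r.content)
        if needle in hay:
            hits.append(r.msg)
    return hits


# Constructed rules in Snort syntax (illustrative, not a real rule set).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB cmd.exe access attempt"; content:"cmd.exe"; nocase;)',
    'alert tcp any any -> any 80 (msg:"WEB /etc/passwd access attempt"; content:"/etc/passwd";)',
    'alert tcp any any -> any any (msg:"SHELLCODE x86 NOP sled"; content:"|90 90 90 90 90 90 90 90|";)',
)]

# Constructed payloads: a case-varied cmd.exe request, a plain and a
# URL-encoded traversal, and a NOP sled on an arbitrary port.
SAMPLES = {
    "cmd_upper": ("tcp", 80, b"GET /scripts/..%5c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    "passwd_plain": ("tcp", 80, b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n"),
    "passwd_encoded": ("tcp", 80, b"GET /cgi-bin/view?file=..%2f..%2fetc%2fpasswd HTTP/1.0\r\n"),
    "nop_sled": ("tcp", 4444, b"\x90" * 16 + b"\xcc"),
    "cmd_other_port": ("tcp", 8080, b"GET /cmd.exe HTTP/1.0\r\n"),
}


def run_samples():
    return {name: inspect(RULES, *pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:15} {hits or 'no alert'}")
```

The `passwd_encoded` sample is the point of the exercise: the raw content match is evaded by URL encoding, which is why a real Snort deployment runs HTTP traffic through its normalizing preprocessor before the rules see it, and why a signature database alone is only as good as the normalization in front of it.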
VLAN
• Virtual LAN is used for resource separation
– Divides a physical network into multiple virtual networks
– Traffic in one VLAN does not reach another VLAN by default
– Inter-VLAN traffic must go through a router, where an ACL can be used to filter unwanted flows
SPAM Solution
• SPAM and Email virus
– Email is one of the most important network services, and SPAM has become a big issue for many organizations
– Many commercial SPAM filtering products are available
– We use GFI MailEssentials and GFI MailSecurity
• RBL checking, header checking, message body checking
• Virus checking, phishing checking
– Also use SpamAssassin, procmail, ClamAV
– Tumbleweed Email Firewall (MMS)
• Automatic quarantine and user release/deletion function
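The three checks the slide lists (RBL, header, body) can be shown end to end with a toy scorer. This is an added example, not the GFI or SpamAssassin configuration the slide refers to: the DNSBL zone name `rbl.example`, the DNS answers, the scores, the phrase list and both sample messages are constructed so that it runs offline; a real filter resolves the query name against a live DNSBL.

```python
"""Toy SPAM scorer: RBL lookup, header sanity checks, body phrases (added example)."""
import ipaddress
import re
from email import message_from_string

RBL_ZONE = "rbl.example"   # hypothetical DNSBL zone, not a real service
# Constructed DNS answers: a listed IP resolves to an A record in 127.0.0.0/8.
FAKE_DNS = {"5.113.0.203." + RBL_ZONE: "127.0.0.2"}

BODY_PHRASES = ("free money", "click here", "act now")
THRESHOLD = 5.0


def rbl_query_name(ip, zone=RBL_ZONE):
    """DNSBLs are queried by reversed octets: 203.0.113.5 -> 5.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip, resolve=FAKE_DNS.get):
    """Listed when the zone answers with a 127.x address; no answer means clean."""
    answer = resolve(rbl_query_name(ip))
    return answer is not None and answer.startswith("127.")


def _domain(header_value):
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else None


def header_checks(msg):
    """Each finding is (reason, points)."""
    findings = []
    if msg["Message-ID"] is None:
        findings.append(("missing Message-ID header", 1.5))
    if msg["Date"] is None:
        findings.append(("missing Date header", 1.0))
    sender, envelope = _domain(msg["From"]), _domain(msg["Return-Path"])
    if sender and envelope and sender != envelope:
        findings.append(("From domain differs from Return-Path domain", 1.0))
    return findings


def body_checks(msg):
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode("utf-8", "replace").lower()
    return [(f"body contains {phrase!r}", 1.0) for phrase in BODY_PHRASES if phrase in text]


def classify(raw_message, connecting_ip):
    """Return (score, findings, verdict) for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    if rbl_listed(connecting_ip):
        findings.append((f"connecting IP {connecting_ip} listed in {RBL_ZONE}", 3.0))
    findings += header_checks(msg) + body_checks(msg)
    score = sum(points for _, points in findings)
    return score, findings, "SPAM" if score >= THRESHOLD else "ham"


# Constructed sample messages.
SPAM_SAMPLE = """\
Return-Path: <bounce@bulk-sender.test>
From: "Support" <support@your-bank.test>
To: victim@example.org
Subject: Act now!!!

Click here for FREE MONEY: http://192.0.2.10/login
"""

HAM_SAMPLE = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: bob@example.org
Date: Mon, 21 Dec 2015 10:00:00 -0500
Message-ID: <20151221150000.1234@example.com>
Subject: Meeting notes

Attached are the notes from this morning's meeting.
"""

if __name__ == "__main__":
    for raw, ip in ((SPAM_SAMPLE, "203.0.113.5"), (HAM_SAMPLE, "198.51.100.7")):
        score, findings, verdict = classify(raw, ip)
        print(verdict, score, [reason for reason, _ in findings])
```

The RBL check is the cheapest and most decisive of the three, which is why it runs on the connecting IP before the message body is even accepted; header and body checks add evidence but, as the scores above show, no single one of them should carry a message over the threshold on its own.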
AAA
• Authentication
– Use strong authentication methods
• Kerberos, SSH, PKI
• Authorization
– Define access control
– Harden network resources (servers)
– Separate exposed servers from the rest of the network (DMZ)
• Auditing
– Central log server
– Log analyzer/watcher
Questions