Chapter 26: Network Security


Transcript of Chapter 26: Network Security

Page 1: Chapter 26: Network Security

Dr. Wayne Summers

Department of Computer Science

Columbus State University

[email protected]

http://csc.colstate.edu/summers

Page 2: Policy Development

Data Classes
– Public Data
– Development Data for existing products
– Development data for future products
– Corporate data
– Customer Data

User Classes
– Outsiders (public)
– Developers
– Corporation Executives
– Employees

Availability

Consistency Check

Page 3: Network Organization

DeMilitarized Zone (DMZ) – the portion of the network that separates the internal network from the external network

Firewall: Internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). [RFC 2828]
– Filtering firewall – performs access control on the basis of the attributes of the packet header (addresses, protocol, ports)

Proxy: Intermediate agent or server that acts on behalf of endpoints without allowing a direct connection between the two end points.

Proxy (Application Level) Firewall: uses proxies to perform access control. Its decisions can be based on content as well as header information.

Page 4: Network Organization

Analysis of the Network Infrastructure
– The DMZ servers are typically not allowed to make connections to the intranet.
– Internet systems are not allowed to directly contact any systems in the intranet.
– Intranet systems are not allowed to directly contact any systems in the Internet. (least privilege principle)
– Systems in the DMZ serve as mediators (go-betweens). A password, certificate or other credential is presented before a mediating service is allowed.
– No dual interface from DMZ servers directly to intranet systems except the inner firewall.
– Intranet systems typically use private LAN addresses (RFC 1918): 10.x.y.z; 172.a.x.z (16 <= a <= 31); 192.168.x.y.
– Complete Mediation Principle: the inner firewall mediates every access between the DMZ and the intranet.
– Separation of privilege: different DMZ servers run different network functions, and the firewall machines are separate entities from the DMZ servers.
– The outer firewall allows HTTP/HTTPS and SMTP access to the DMZ servers. Malware carried inside that permitted traffic still needs to be detected.
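The filtering firewall of Page 3 and the DMZ rules of Page 4 can be checked against concrete packets. The following is an added example, not code from the slides: a stateless packet filter that decides on header attributes only (source, destination, protocol, destination port), with one rule set for the outer firewall and one for the inner firewall. The addresses are constructed (RFC 5737 documentation prefixes stand in for the DMZ and the Internet, 10.1.2.3 for Intra1), and the rule ordering with a default deny is the example's own choice, not something the slides prescribe.

```python
"""Stateless packet filter for the two-firewall DMZ layout (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Sequence, Tuple

# RFC 1918 ranges: the intranet address space named on the slide.
PRIVATE_NETS = (ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),    # 172.16.0.0 through 172.31.255.255
                ip_network("192.168.0.0/16"))
ANY = ip_network("0.0.0.0/0")

# Constructed addresses for this example; TEST-NET-3 stands in for the DMZ.
DMZ_NET = ip_network("203.0.113.0/24")
WEB_SERVER, MAIL_SERVER, INTRA1 = "203.0.113.10", "203.0.113.25", "10.1.2.3"
OUTSIDE = "198.51.100.7"                         # some host on the Internet


def is_private(addr) -> bool:
    """True if addr (string or IPv4Address) lies in an RFC 1918 range."""
    return any(ip_address(str(addr)) in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str          # "tcp" or "udp"
    dport: int


def pkt(src: str, dst: str, proto: str, dport: int) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dport)


@dataclass(frozen=True)
class Rule:
    """One filtering rule; fields left at their defaults match anything."""
    action: str                       # "allow" or "deny"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None
    dports: Tuple[int, ...] = ()

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports))


def filter_packet(rules: Sequence[Rule], p: Packet) -> str:
    """First matching rule decides; a packet matching no rule is dropped (fail closed)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def host(addr: str) -> IPv4Network:
    return ip_network(addr + "/32")


# Outer firewall: only the services the slide names, only to the DMZ hosts that run them.
OUTER_FW = [
    *[Rule("deny", dst=net) for net in PRIVATE_NETS],      # Internet never reaches the intranet
    Rule("allow", dst=host(WEB_SERVER), proto="tcp", dports=(80, 443)),
    Rule("allow", dst=host(MAIL_SERVER), proto="tcp", dports=(25,)),
]

# Inner firewall: intranet hosts may open connections to the DMZ services and nothing else,
# so DMZ-to-intranet and intranet-to-Internet packets fall through to the default deny.
INNER_FW = [
    Rule("allow", src=net, dst=DMZ_NET, proto="tcp", dports=(25, 80, 443))
    for net in PRIVATE_NETS
]


def check_policy() -> Dict[str, str]:
    """Run constructed packets through the firewall they would cross first."""
    cases = {
        "internet->web:443":    (OUTER_FW, pkt(OUTSIDE, WEB_SERVER, "tcp", 443)),
        "internet->mail:25":    (OUTER_FW, pkt(OUTSIDE, MAIL_SERVER, "tcp", 25)),
        "internet->web:22":     (OUTER_FW, pkt(OUTSIDE, WEB_SERVER, "tcp", 22)),
        "internet->intra1:80":  (OUTER_FW, pkt(OUTSIDE, INTRA1, "tcp", 80)),
        "intra1->web:443":      (INNER_FW, pkt(INTRA1, WEB_SERVER, "tcp", 443)),
        "web->intra1:445":      (INNER_FW, pkt(WEB_SERVER, INTRA1, "tcp", 445)),
        "intra1->internet:443": (INNER_FW, pkt(INTRA1, OUTSIDE, "tcp", 443)),
    }
    return {name: filter_packet(rules, p) for name, (rules, p) in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:23} {verdict}")
```

The filter only sees connection-initiating packets; it does not model the replies flowing back through the firewall, which a real deployment handles either with flag-based rules (accept established traffic) or with a stateful filter. Note also what the filter cannot do: it accepts anything on tcp/443 to the web server, so malware inside an allowed HTTPS or SMTP stream is invisible to it, which is exactly why the slide says it still needs to be detected, by an application-level proxy or a scanner on the DMZ host.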

Page 5: Firewall Network Configuration

[Diagram: Internet, Outer Firewall/Router, DMZ switch with Web Server, Mail Server and DNS Server, Inner Firewall/Router, intranet switch with Intra1]

Page 6: Availability and Network Flooding

DoS – Denial of Service Attack
– Ex. SYN flood: the attacker sends many TCP SYNs, usually from spoofed sources, and never completes the handshake, so the server's queue of half-open connections fills and legitimate clients are refused
– DDoS – Distributed DoS

Intermediate Hosts – use routers to divert/eliminate illegitimate traffic before it gets to the firewall

TCP State and Memory Allocation
– SYN cookie: push the tracking of the state to the client by encoding it in the server's initial sequence number, so the server allocates nothing until the client's ACK returns the cookie
– timeout pending connections, so that half-open entries are reclaimed

Anticipating Attacks
– IDSs
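The SYN-flood and SYN-cookie points above are easier to see in working code. The following is an added example, not code from the slides: a naive listener that allocates a backlog entry per SYN (with the slide's timeout mitigation) is flooded with spoofed SYNs, while a SYN-cookie scheme builds the server's initial sequence number from a time counter, an MSS index and a keyed hash over the connection 4-tuple, and verifies it when the client's ACK comes back. The layout (5 bits time, 3 bits MSS, 24 bits hash), the MSS table, the secret key, the 64-second tick and all addresses are constructed for the example; a real TCP stack uses its own encoding and a random per-boot secret.

```python
"""SYN cookies: the half-open connection state lives in the ISN, not in server memory."""
import hashlib
import hmac
import struct
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

SECRET = b"constructed-example-secret"   # a real stack uses a random per-boot secret
MSS_TABLE = (536, 1220, 1460, 4312)      # 3-bit index -> MSS the server will use (constructed)
TICK = 64                                # seconds per step of the 5-bit time counter


def _hash24(saddr: str, daddr: str, sport: int, dport: int, count: int) -> int:
    """24-bit keyed hash over the connection 4-tuple and the full time counter."""
    msg = struct.pack("!4s4sHHQ", ip_address(saddr).packed, ip_address(daddr).packed,
                      sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now) -> int:
    """SYN-ACK sequence number: 5 bits time | 3 bits MSS index | 24 bits hash."""
    count = int(now) // TICK
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    idx = fits[-1] if fits else 0        # largest table entry the client can accept
    return ((count & 0x1F) << 27) | (idx << 24) | _hash24(saddr, daddr, sport, dport, count)


def check_cookie(saddr, daddr, sport, dport, cookie, now) -> Optional[int]:
    """Validate the cookie echoed in the client's ACK; return the MSS, or None to drop."""
    t, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = int(now) // TICK
    age = (cur - t) & 0x1F               # ticks elapsed, recovered from the 5-bit field
    if age > 1 or idx >= len(MSS_TABLE):
        return None                      # stale (older than two ticks) or malformed
    expected = _hash24(saddr, daddr, sport, dport, cur - age)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                      # forged or replayed from another 4-tuple
    return MSS_TABLE[idx]


class NaiveListener:
    """Classic listener: one backlog entry per SYN, reclaimed only by timeout."""
    def __init__(self, backlog: int = 256, timeout: float = 60.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open: Dict[Tuple[str, int], float] = {}

    def on_syn(self, saddr: str, sport: int, now: float) -> bool:
        # expire pending connections first (the slide's timeout mitigation)
        for key in [k for k, t0 in self.half_open.items() if now - t0 > self.timeout]:
            del self.half_open[key]
        if len(self.half_open) >= self.backlog:
            return False                 # queue full: the next client, real or not, is refused
        self.half_open[(saddr, sport)] = now
        return True


def syn_flood(n: int, now: float = 1_700_000_000) -> Tuple[int, int]:
    """Spoofed SYN flood against a naive listener: (SYNs refused, entries held)."""
    naive = NaiveListener()
    refused = 0
    for i in range(n):
        spoofed = f"198.51.{(i >> 8) & 0xFF}.{i & 0xFF}"   # constructed forged sources
        if not naive.on_syn(spoofed, 1024 + i, now):
            refused += 1
        # a cookie listener does only this per SYN and allocates nothing:
        make_cookie(spoofed, "203.0.113.10", 1024 + i, 443, 1460, now)
    return refused, len(naive.half_open)


def handshake(sport: int, now: float, tamper: int = 0, delay: float = 0) -> Optional[int]:
    """Client SYN -> server SYN-ACK (seq=cookie) -> client ACK (ack=cookie+1) -> verify."""
    client, server = "198.51.100.7", "203.0.113.10"     # constructed addresses
    cookie = make_cookie(client, server, sport, 443, 1460, now)   # server stores nothing
    ack = ((cookie ^ tamper) + 1) & 0xFFFFFFFF                    # what arrives in the ACK
    return check_cookie(client, server, sport, 443, (ack - 1) & 0xFFFFFFFF, now + delay)
```

The flood fills the naive backlog and every further SYN, including a legitimate client's, is refused, while the cookie listener spends only one HMAC per SYN and never holds state for a connection the client does not complete. Two practical caveats: the cookie has no room for TCP options the server would otherwise remember (window scale, SACK), which is why Linux enables SYN cookies only once the backlog overflows, and the 24-bit hash only has to resist guessing within the short window the cookie is valid.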