Data Security in Local Networks
-
Upload
joohi-hasana -
Category
Documents
-
view
216 -
download
0
Transcript of Data Security in Local Networks
-
8/2/2019 Data Security in Local Networks
1/15
Presented by
Basamma.S.Patil
1HK08CS012
-
8/2/2019 Data Security in Local Networks
2/15
Table of Contents
Chapter No. Title
1. Introduction
2. Distributed Firewalls
2.1.Standard firewall example
2.2.Distributed firewall example
3. Implementation
3.1.Kernal Extensions
3.2.Policy Devices
3.3.Policy Daemon
4. Work in Development
5. Related Work
6. Conclusion
7. References
-
8/2/2019 Data Security in Local Networks
3/15
-
8/2/2019 Data Security in Local Networks
4/15
This enables them to prevent hacking attacks that originate from both the Internet and
the internal network.
This is important because the most costly and destructive attacks still originate from
within the organization.
Finally, we implement the mechanism that enforces the security policy in a TCP-
connection granularity.
In our implementation, the mechanism is split in two parts, one residing in the kernel
and the other in a user-level process.
CSE@HKBKCE 2 DSLDF
-
8/2/2019 Data Security in Local Networks
5/15
2. Distributed Firewalls
In a typical organizational environment, individuals are not necessarily the
administrators of the computers they use.
Instead, to simplify system administration and to permit some level of central control, a
system management package is used to administer individual machines.
Patches can be installed, new software distributed, etc. We use the same mechanisms,
which are likely present in any event, to control a distributed firewall.
Fig 2 : Architecture of Distributed Firewall
CSE@HKBKCE 3 DSLDF
-
8/2/2019 Data Security in Local Networks
6/15
CSE@HKBKCE 4 DSLDF
2.1 Standard Firewall Example
Fig 2.1 : Architecture of standard firewall This is the example of architecture of standard firewall. Example contains
internal and external host, internet, firewall, network, web server, intranet webserver.
In internal part of network, there is two hosts, one is trusted and other one is
untrusted.
Both hosts are connected to the corporate network; web server and intranet webserver are also connected to the network.
-
8/2/2019 Data Security in Local Networks
7/15
CSE@HKBKCE 5 DSLDF
2.2 Distributed Firewall Example
Fig 2.2: Distributed Firewall
Firewall policy is distributed to all the systems and web server.
If firewall policy allowed connecting with server or systems, then only they connect.
In internal part of network, there are two hosts, one is trusted and other one is
untrusted.
-
8/2/2019 Data Security in Local Networks
8/15
Distributed firewalls have the following advantages:
There is no longer a single chokepoint.
Throughput is no longer limited by the speed of the firewall; similarly, there is no
longer a single point of failure that can isolate an entire network.
Relying on the host to make the appropriate decision is therefore more secure.
This advantage is even clearer when it comes to protocols such as FTP. By default,
FTP clients use the PORT command to specify the port number used for the data
channel;
Then network connected to the internet and between network and internet, there is firewall.
There is also an external host and internal host using telecommuting which is connected to
the internet.
CSE@HKBKCE 6 DSLDF
-
8/2/2019 Data Security in Local Networks
9/15
CSE@HKBKCE 7 DSLDF
3. Implementation
Our system is comprised of three components:
A set of kernel extensions, which implement the enforcement mechanisms.
User level daemon process, which implements the distributed firewall policies.
A device driver, which is used for two-way communication between the kernel and the
policy daemon.
3.1. Kernel Extensions
We focused our efforts on the control of the TCP connections.
In the UNIX operating system users create outgoing and allow incoming TCP
connections using the connect(2) and accept(2) system calls respectively.
Since any user has access to these system calls, some filtering mechanism is needed.
Filters can be implemented either in user space or inside the kernel.
-
8/2/2019 Data Security in Local Networks
10/15
CSE@HKBKCE 8 DSLDF
Fig 3.1: Wrappers for filtering the connect(2) and accept(2) system calls are
added to a system library. While this approach offers considerable flexibility,
it suffers from its inability to guarantee the enforcement of security policies, as
applications might not link with the appropriate library.
3.2 Policy Device
To maximize the flexibility of our system and allow for easy experimentation, we decided to
make the policy daemon a user level process.
-
8/2/2019 Data Security in Local Networks
11/15
CSE@HKBKCE 9 DSLDF
3.3 Policy Daemon
It is a user level process responsible for making decisions.
It supports communication between the policy daemon and the kernel using the policy
device.
Processing of the request is done by the daemon using the Key Note library and a
decision to accept or deny it is reached.
Finally the daemon writes the reply back to the kernel and waits for the next request.
Pseudo device driver , /dev/policy that serves as a communication path between the user
space policy daemon, and the modified system calls in the kernel.
This allows the kernel and the policy daemon to resynchronize incase of any errors in
creating or parsing the request messages, by discarding the current policy context and
dropping the associated connection.
-
8/2/2019 Data Security in Local Networks
12/15
CSE@HKBKCE 10 DSLDF
4. Work In Development
We plan to expand our implementation by adding an IP filter-like mechanism for a more
fine grained control.
Apart from protecting applications based on UDP, a packet based implementation would
also limit the types of scanning that an attacker might perform.
We should note here that in our view most communications should be secured end-to-end.
Thus, most hosts would have a minimal set of filtering entries established at boot time.
Policy updates do not affect already existing connections in the current implementation.
Final point to address is credential discovery.
-
8/2/2019 Data Security in Local Networks
13/15
CSE@HKBKCE 11 DSLDF
5. Related Work
In our approach, we introduce a three-layer system:
A high-level policy language.
An intermediate level language.
The actual mechanisms enforcing policy.
This allows us to:1. Express multi-application policies, rather than just packet filtering rules.
2. Express Mixed-layer policies.
3. Permit delegation, which enables decentralized management.
4. Allows incremental and asynchronous policy updates, since, when policy changes,
only the relevant Key Note credentials need to be updated and distributed.
-
8/2/2019 Data Security in Local Networks
14/15
6. Conclusion
A final point is that, from an administrative point of view, a fully
distributed firewall architecture is very similar to a network with a large
number of internal firewalls.
We have demonstrated the feasibility of the distributed firewall by
building a working prototype.
Further experimentation is needed to determine the robustness,
efficiency, and scalability of this architecture.
We hope that our work will stimulate further research in this area.
CSE@HKBKCE 12 DSLDF
-
8/2/2019 Data Security in Local Networks
15/15
7. Reference
http://news.zdnet.com http://www.interhack.net www.cs.columbia.edu/~smb/papers/distfw.html Kurose and Ross - Computer Networking A Top-Down Approach FeaturingThe Internet
CSE@HKBKCE 13 DSLDF
http://news.zdnet.com/http://www.interhack.net/http://www.cs.columbia.edu/~smb/papers/distfw.htmlhttp://www.cs.columbia.edu/~smb/papers/distfw.htmlhttp://www.cs.columbia.edu/~smb/papers/distfw.htmlhttp://www.cs.columbia.edu/~smb/papers/distfw.htmlhttp://www.cs.columbia.edu/~smb/papers/distfw.htmlhttp://www.interhack.net/http://www.interhack.net/http://www.interhack.net/http://www.interhack.net/http://news.zdnet.com/