Internet and Intranet Fundamentals
Transcript of Internet and Intranet Fundamentals
Class 8, Session A
Intranet Security
• Assets Needing Protection
• Threats
• Firewalls
  – Overview
  – Various Architectures
  – Ref: Building Internet Firewalls, Chapman & Zwicky, ISBN 1565921240
Assets Needing Protection
• Data
  – stored on computers
• Resources
  – the computers themselves
• Reputation
Protecting Data
• Secrecy / Privacy
• Integrity
• Availability
Protecting Data: Secrecy / Privacy
• Trade Secrets
  – obligations to shareholders
• Competitive Intelligence
  – competition sensitive
• Examples
  – national defense
  – patient medical records
  – student records
Protecting Data: Integrity
• Keeping Data from Being Modified
  – tampering
• Loss of Confidence
  – consumer
  – customer
  – investor
  – employee
Protecting Data: Availability
• Is your data accessible?
• Related to computing resource availability
Protecting Resources
• Computer Resources
  – disk space
  – CPU cycles
  – memory
• Labor Resources
  – $$$ spent in …
    • tracking down intruders
    • performing
    • re-installing software
Protecting Reputation
• Confidence
• Intruders Masquerade as You
  – identity theft
• Business/Technical Competence
• Example
  – professor and racist hate mail
Threats
• Types of Attacks
• Types of Attackers
• Stupidity and Accidents
Types of Attacks
• Intrusion
• Denial of Service
• Information Theft
Intrusion
• People Gain Access to Your Network and Computers
• How?
  – social engineering
  – guesswork
    • crack program
    • child/dog's name
Denial of Service
• Preventing you (and others) from using your own computers
• Mail Bombs
• Flooding a System's Queues, Processes, etc.
  – Internet Worm
  – Distributed denial of service (CNN/eBay/Yahoo)
• Limited Number of Login Attempts
  – they either get in, or they can force denial of service to everyone else!
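The last bullet describes a design trap: a hard limit on login attempts that locks the account locks out its legitimate owner as well. The following is an added illustration, not material from the slides, that contrasts that per-account lockout with per-source exponential backoff. The account name, source addresses, timings and return strings are all constructed for the scenario.

```python
from collections import defaultdict


class LockoutPolicy:
    """Per-account counter: after max_fails bad passwords the account is locked
    for lock_seconds, no matter who sent the bad passwords (the slide's trap)."""

    def __init__(self, max_fails=3, lock_seconds=900.0):
        self.max_fails = max_fails
        self.lock_seconds = lock_seconds
        self.fails = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account, source, password_ok, now):
        if self.locked_until.get(account, 0.0) > now:
            return "locked"                     # the real user is refused too
        if password_ok:
            self.fails[account] = 0
            return "ok"
        self.fails[account] += 1
        if self.fails[account] >= self.max_fails:
            self.fails[account] = 0
            self.locked_until[account] = now + self.lock_seconds
            return "locked"
        return "fail"


class ThrottlePolicy:
    """Per-(source, account) exponential backoff: each failure doubles the wait
    before that source may retry that account; other sources are unaffected."""

    def __init__(self, base_delay=1.0, max_delay=300.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.fails = defaultdict(int)
        self.not_before = {}

    def attempt(self, account, source, password_ok, now):
        key = (source, account)
        if self.not_before.get(key, 0.0) > now:
            return "throttled"
        if password_ok:
            self.fails.pop(key, None)
            self.not_before.pop(key, None)
            return "ok"
        self.fails[key] += 1
        delay = min(self.base_delay * 2 ** (self.fails[key] - 1), self.max_delay)
        self.not_before[key] = now + delay
        return "fail"


def simulate(policy):
    """Constructed scenario: a guesser at 198.51.100.7 fails three times on
    'alice' (ten minutes apart), then alice logs in from 10.0.0.5 with the
    right password. Returns what the policy tells alice."""
    now = 0.0
    for _ in range(3):
        policy.attempt("alice", "198.51.100.7", password_ok=False, now=now)
        now += 600.0
    return policy.attempt("alice", "10.0.0.5", password_ok=True, now=now)


if __name__ == "__main__":
    print("lockout :", simulate(LockoutPolicy()))    # locked
    print("throttle:", simulate(ThrottlePolicy()))   # ok
```

Under the lockout policy three wrong guesses from anywhere lock alice out for fifteen minutes; under the throttle only the guessing source is slowed down. The throttle is not a complete answer on its own: guesses spread over many sources are each throttled independently, so it belongs alongside per-account failure alerting and passwords that survive the "guesswork" bullet above.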
Information Theft
• Stealing Password Files
  – download for offline cracking
• Packet Sniffers
  – Ethernet is a party line
  – A switch is your friend.
Types of Attackers
• Joyriders
  – bored, looking for amusement
• Vandals
  – like destroying things, or don't like you
• Score Keepers
  – bragging rights
• Spies
  – industrial and international
Stupidity and Accidents
• 55% of all incidents result from naivete or lack of training
• Apple's buggy mail server
  – hundreds of thousands of error messages
• Any system which doesn't assign passwords.
• Hard to Protect Against!
Firewalls
• Overview
• Various Firewall Architectures
Overview
• How to Protect Your Intranet Assets?
  – no security
  – security through obscurity
  – host security
  – network security
• Your home is an intranet?
Overview
• No Security
• Security Through Obscurity
  – nobody knows about it
  – people figure a small company or home machine isn't of interest
  – "obscurity" impossible on Internet
    • InterNIC
    • examples with Telnet
Overview
• Host Security
  – geared to particular host
  – scalability issue
  – admin nightmare
    • sheer numbers
    • different OS, OS config, etc.
  – OK for small sites or sites with extreme requirements
Overview
• Network Security
  – control network access
  – kill lots of birds with one stone
  – firewalls
• Security Technology Can't Do It All
  – policing internal time wasting, pranks, etc.
  – no model is perfect
  – Who watches the watcher?
Overview
• Internet Firewalls
  – concept: containment
    • choke point
  – prevents dangers of Internet from spreading to your Intranet
  – restricts people to entering at carefully controlled point(s)
    • can only leave at that point too
Overview
• Firewall
  – prevents attackers from getting close to internal defenses
  – adequate if interactions conform to security policy (tight vs. loose)
• Consists of
  – hardware
    • routers, computers, networks
  – software
    • proxy servers, monitors
[Diagram: Firewall System. Components: Internet, Exterior Router, Perimeter Network with Bastion Host, Interior Router, Internal Network with Internal Server and Desktop Systems. Exterior Router & Bastion Host may be combined.]
[Diagram: Screened Subnet Architecture, with the same components: Internet, Exterior Router, Perimeter Network with Bastion Host, Interior Router, Internal Network with Internal Server and Desktop Systems.]
Overview
• Firewall Limitations
  – malicious insiders
  – people going around it (e.g., modems)
  – completely new threats
    • designed to protect against known threats
  – viruses
• Make vs. Buy
  – lots of offerings (see Internet)
Various Firewall Architectures
• Screening Router Packet Filtering
• Proxy Services
  – application level gateways
• Dual-Homed Host
• Screened Host
• Screened Subnet
Various Firewall Architectures: IP Packet Filtering
• IP source address
• IP destination address
• Transport Layer Protocol
• TCP / UDP source port
• TCP / UDP destination port
• ICMP message type
Various Firewall Architectures: IP Packet Filtering
• Also Knows …
  – inbound and outbound interfaces
• Examples
  – block all incoming connections from outside except SMTP
  – block all connections to or from untrusted systems
  – allow SMTP, FTP, but block TFTP, X Windows, RPC, rlogin, rsh, etc.
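The two packet-filtering slides list the header fields a screening router can match on and three example policies. The following added example, written for this page and not taken from the slides or from Chapman & Zwicky, encodes exactly those fields in a small first-match, default-deny filter and expresses the three example policies as rules. The address ranges (10.0.0.0/8 as the internal network, 203.0.113.0/24 as the untrusted systems, 198.51.100.0/24 as arbitrary outside hosts) are constructed documentation addresses, and the interface names "outside" and "inside" are an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

Port = Union[int, Tuple[int, int]]      # a single port or an inclusive range


@dataclass(frozen=True)
class Packet:
    """The header fields a screening router sees, plus the arrival interface."""
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    iface: str = "outside"              # "outside" (from the Internet) or "inside"
    new_conn: bool = False              # TCP: SYN set, ACK clear, i.e. opening a connection


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None (or 0.0.0.0/0) matches anything."""
    action: str                         # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[Port] = None
    dport: Optional[Port] = None
    icmp_type: Optional[int] = None
    iface: Optional[str] = None
    new_conn: Optional[bool] = None     # True: only connection openers; False: only the rest

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and (self.proto is None or self.proto == p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and _port_ok(self.sport, p.sport)
            and _port_ok(self.dport, p.dport)
            and (self.icmp_type is None or self.icmp_type == p.icmp_type)
            and (self.new_conn is None or self.new_conn == p.new_conn)
        )


def _port_ok(want: Optional[Port], have: Optional[int]) -> bool:
    if want is None:
        return True
    if have is None:                    # e.g. an ICMP packet carries no ports
        return False
    if isinstance(want, tuple):
        return want[0] <= have <= want[1]
    return want == have


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything not explicitly allowed is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed addresses (RFC 5737 documentation ranges), not from the slides.
INTERNAL = "10.0.0.0/8"
UNTRUSTED = "203.0.113.0/24"

RULES = [
    # "block all connections to or from untrusted systems"
    Rule("deny", src=UNTRUSTED),
    Rule("deny", dst=UNTRUSTED),
    # "block TFTP, X Windows, RPC, rlogin, rsh" in either direction
    Rule("deny", proto="udp", dport=69),            # TFTP
    Rule("deny", proto="tcp", dport=(6000, 6063)),  # X Windows displays :0 to :63
    Rule("deny", dport=111),                        # RPC portmapper, tcp and udp
    Rule("deny", proto="tcp", dport=513),           # rlogin
    Rule("deny", proto="tcp", dport=514),           # rsh
    # "block all incoming connections from outside except SMTP"
    Rule("allow", iface="outside", proto="tcp", dport=25, new_conn=True),
    # replies for connections opened from inside; a stateless filter can only
    # recognise them by the absence of the connection-opening flag combination
    Rule("allow", iface="outside", proto="tcp", dst=INTERNAL, new_conn=False),
    # "allow SMTP, FTP" outbound (FTP control channel only; active-mode FTP data
    # connections come back inbound and need their own treatment)
    Rule("allow", iface="inside", src=INTERNAL, proto="tcp", dport=25),
    Rule("allow", iface="inside", src=INTERNAL, proto="tcp", dport=21),
    Rule("allow", iface="inside", src=INTERNAL, proto="tcp", new_conn=False),
]


def decide(p: Packet) -> str:
    return filter_packet(RULES, p)


if __name__ == "__main__":
    smtp_in = Packet("198.51.100.7", "10.1.1.25", "tcp", 40001, 25, new_conn=True)
    telnet_in = Packet("198.51.100.7", "10.1.1.25", "tcp", 40002, 23, new_conn=True)
    print(decide(smtp_in), decide(telnet_in))       # allow deny
```

Rule order matters: the untrusted-systems denies come first so that even SMTP from those networks is refused, and the explicit service denies precede the allows so a later allow cannot override them. The reply rule shows the main weakness of a purely stateless filter: it admits any non-opening TCP packet addressed inward, trusting the internal host's stack to discard packets for connections that do not exist, which is one reason the later slides move the exposed services onto a bastion host.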
Various Firewall Architectures: Dual-Homed Host
• One Computer, Two Networks
  – must proxy services
  – can examine data coming in from app level on down
[Diagram: Dual-Homed Host Architecture. Components: Internet, Dual-Homed Host (a tower box acting as the Firewall), Internal Network with Desktop Systems.]
Various Firewall Architectures: Screened Host
• Bastion Host
  – controls connections to outside world
  – If broken, your interior network is open.
• Packet Filtering by Router
  – incoming
[Diagram: Screening Router Architecture. Components: Internet, Screening Router, Internal Network with Bastion Host and Desktop Systems.]
Various Firewall Architectures: Screened Subnet
• Bastion Host
  – controls connections to outside world
  – on perimeter network
• Packet Filtering
  – two routers
  – incoming
[Diagram: Screened Subnet Architecture. Components: Internet, Exterior Router, Perimeter Network with Bastion Host, Interior Router, Internal Network with Internal Server and Desktop Systems.]