Internet and Intranet Fundamentals


Page 1: Internet and Intranet Fundamentals

Internet and Intranet Fundamentals

Class 8 Session A

Page 2: Internet and Intranet Fundamentals

Intranet Security

• Assets Needing Protection
• Threats
• Firewalls
  – Overview
  – Various Architectures
  – Ref: Building Internet Firewalls, Chapman & Zwicky, ISBN: 1565921240

Page 3: Internet and Intranet Fundamentals

Assets Needing Protection

• Data
  – stored on computers
• Resources
  – the computers themselves
• Reputation

Page 4: Internet and Intranet Fundamentals

Protecting Data

• Secrecy / Privacy
• Integrity
• Availability

Page 5: Internet and Intranet Fundamentals

Protecting Data: Secrecy / Privacy

• Trade Secrets
  – obligations to shareholders
• Competitive Intelligence
  – competition sensitive
• Examples
  – national defense
  – patient medical records
  – student records

Page 6: Internet and Intranet Fundamentals

Protecting Data: Integrity

• Keeping Data from Being Modified
  – tampering
• Loss of Confidence
  – consumer
  – customer
  – investor
  – employee

Page 7: Internet and Intranet Fundamentals

Protecting Data: Availability

• Is your data accessible?
• Related to computing resource availability

Page 8: Internet and Intranet Fundamentals

Protecting Resources

• Computer Resources
  – disk space
  – CPU cycles
  – memory
• Labor Resources
  – $$$ spent in …
    • tracking down intruders
    • performing
    • re-installing software

Page 9: Internet and Intranet Fundamentals

Protecting Reputation

• Confidence
• Intruders Masquerade as You
  – identity theft
• Business/Technical Competence
• Example
  – professor and racist hate mail

Page 10: Internet and Intranet Fundamentals

Threats

• Types of Attacks
• Types of Attackers
• Stupidity and Accidents

Page 11: Internet and Intranet Fundamentals

Types of Attacks

• Intrusion
• Denial of Service
• Information Theft

Page 12: Internet and Intranet Fundamentals

Intrusion

• People Gain Access to Your Network and Computers
• How?
  – social engineering
  – guesswork
    • crack program
    • child/dog’s name

Page 13: Internet and Intranet Fundamentals

Denial of Service

• Preventing you (and others) from using your own computers
• Mail Bombs
• Flooding a System’s Queues, Processes, etc.
  – Internet Worm
  – Distributed denial of service (CNN/eBay/Yahoo)
• Limited Number of Login Attempts
  – they either get in, or they can force denial of service to everyone else!

Page 14: Internet and Intranet Fundamentals

Information Theft

• Stealing Password Files
  – download for offline cracking
• Packet Sniffers
  – Ethernet is a party line
  – A switch is your friend.

Page 15: Internet and Intranet Fundamentals

Types of Attackers

• Joyriders
  – bored, looking for amusement
• Vandals
  – like destroying things, or don’t like you
• Score Keepers
  – bragging rights
• Spies
  – industrial and international

Page 16: Internet and Intranet Fundamentals

Stupidity and Accidents

• 55% of all incidents result from naivete or lack of training

• Apple’s buggy mail server
  – hundreds of thousands of error messages
• Any system which doesn’t assign passwords.

• Hard to Protect Against!

Page 17: Internet and Intranet Fundamentals

Firewalls

• Overview
• Various Firewall Architectures

Page 18: Internet and Intranet Fundamentals

Overview

• How to Protect Your Intranet Assets?
  – no security
  – security through obscurity
  – host security
  – network security

• Your home is an intranet?

Page 19: Internet and Intranet Fundamentals

Overview

• No Security
• Security Through Obscurity
  – nobody knows about it
  – people figure a small company or home machine isn’t of interest
  – “obscurity” impossible on Internet
    • InterNIC
  – examples with Telnet

Page 20: Internet and Intranet Fundamentals

Overview

• Host Security
  – geared to particular host
  – scalability issue
  – admin nightmare
    • sheer numbers
    • different OS, OS config, etc.
  – OK for small sites or sites with extreme requirements

Page 21: Internet and Intranet Fundamentals

Overview

• Network Security
  – control network access
  – kill lots of birds with one stone
  – firewalls
• Security Technology Can’t Do It All
  – policing internal time wasting, pranks, etc.
  – no model is perfect
  – Who watches the watcher?

Page 22: Internet and Intranet Fundamentals

Overview

• Internet Firewalls
  – concept: containment
    • choke point
  – prevents dangers of Internet from spreading to your Intranet
  – restricts people to entering at carefully controlled point(s)
    • can only leave that point too

Page 23: Internet and Intranet Fundamentals

Overview

• Firewall
  – prevents attackers from getting close to internal defenses
  – adequate if interactions conform to security policy (tight vs. loose)
• Consists of
  – hardware
    • routers, computers, networks
  – software
    • proxy servers, monitors

Page 24: Internet and Intranet Fundamentals

[Figure: firewall diagram. Labels: Internet, Firewall, Internal Network, Internal Server, Desktop System (×3)]

Page 25: Internet and Intranet Fundamentals

[Figure: Firewall System. Labels: Exterior Router, Interior Router, Bastion Host, Perimeter Network]

Exterior Router & Bastion Host may be combined.

Page 26: Internet and Intranet Fundamentals

[Figure: Screened Subnet Architecture. Labels: Internet, Exterior Router, Perimeter Network, Bastion Host, Interior Router, Internal Network, Internal Server, Desktop System (×3)]

Page 27: Internet and Intranet Fundamentals

Overview

• Firewall Limitations
  – malicious insiders
  – people going around it (e.g., modems)
  – completely new threats
    • designed to protect against known threats
  – viruses
• Make vs. Buy
  – lots of offerings (see Internet)

Page 28: Internet and Intranet Fundamentals

Various Firewall Architectures

• Screening Router Packet Filtering
• Proxy Services
  – application level gateways
• Dual-Homed Host
• Screened Host
• Screened Subnet

Page 29: Internet and Intranet Fundamentals

Various Firewall Architectures: IP Packet Filtering

• IP source address
• IP destination address
• Transport Layer Protocol
• TCP / UDP source port
• TCP / UDP destination port
• ICMP message type

Page 30: Internet and Intranet Fundamentals

Various Firewall Architectures: IP Packet Filtering

• Also Knows …
  – inbound and outbound interfaces
• Examples
  – block all incoming connections from outside except SMTP
  – block all connections to or from untrusted systems
  – allow SMTP, FTP, but block TFTP, X Windows, RPC, rlogin, rsh, etc.
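Added example (not part of the original slides): a first-match, default-deny packet filter over the header fields and arrival interface listed on the two slides above, encoding the three example policies. The addresses (RFC 5737 documentation ranges), the MAIL and UNTRUSTED names, and the rule order are assumptions; the filter is stateless and judges only the packet that opens a connection.

```python
# Added example: first-match packet filter over the fields a screening router sees.
# All addresses and rule choices below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "outside" or "inside"
    src: str            # IP source address
    dst: str            # IP destination address
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0      # left at 0 for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dports: range = range(0, 65536)

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and p.dport in self.dports)

MAIL = "192.0.2.25/32"        # hypothetical internal mail server
UNTRUSTED = "203.0.113.0/24"  # hypothetical untrusted network

RULES = [
    Rule("deny", src=UNTRUSTED),                           # from untrusted systems
    Rule("deny", dst=UNTRUSTED),                           # to untrusted systems
    Rule("deny", proto="udp", dports=range(69, 70)),       # TFTP
    Rule("deny", proto="tcp", dports=range(6000, 6064)),   # X Windows displays
    Rule("deny", proto="tcp", dports=range(513, 515)),     # rlogin (513), rsh (514)
    Rule("allow", iface="outside", dst=MAIL, proto="tcp", dports=range(25, 26)),  # SMTP in
    Rule("allow", iface="inside", proto="tcp", dports=range(25, 26)),  # SMTP out
    Rule("allow", iface="inside", proto="tcp", dports=range(21, 22)),  # FTP control out
]

def decide(p: Packet) -> str:
    """Return the action of the first matching rule; anything unmatched is denied."""
    for rule in RULES:
        if rule.matches(p):
            return rule.action
    return "deny"
```

Because evaluation stops at the first match, the deny rules for untrusted systems must sit above the SMTP allow rules; swapping them would let the untrusted network reach the mail server.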

Page 31: Internet and Intranet Fundamentals

Various Firewall Architectures: Dual-Homed Host

• One Computer, Two Networks
  – must proxy services
  – can examine data coming in from app level on down

Page 32: Internet and Intranet Fundamentals

[Figure: Dual-Homed Host Architecture. Labels: Internet, Firewall, Dual-Homed Host, Internal Network, Desktop System (×3)]

Page 33: Internet and Intranet Fundamentals

Various Firewall Architectures: Screened Host

• Bastion Host
  – controls connections to outside world
  – If broken, your interior network is open.
• Packet Filtering by Router
  – incoming

Page 34: Internet and Intranet Fundamentals

[Figure: Screening Router Architecture. Labels: Internet, Screening Router, Bastion Host, Internal Network, Desktop System (×3)]

Page 35: Internet and Intranet Fundamentals

Various Firewall Architectures: Screened Subnet

• Bastion Host
  – controls connections to outside world
  – on perimeter network
• Packet Filtering
  – two routers
  – incoming

Page 36: Internet and Intranet Fundamentals

[Figure: Screened Subnet Architecture. Labels: Internet, Exterior Router, Perimeter Network, Bastion Host, Interior Router, Internal Network, Internal Server, Desktop System (×3)]