michaellim.netfirms.com
 

'Life is short, enjoy life.'

Michael Lim


Internet Security and Firewalls.

Computer networks provide the necessary means for communication between the components of a distributed system.
Networking requires:
1. hardware components
2. software components such as protocol managers and communication handlers

1. Local area networks: computers are connected via a communication medium, such as coaxial cable or fiber optic cable, and no routing is required: each computer has a (hardware) address and can be reached through that. For example, computers in a single building. There are various network types, for example Ethernet and Apple LocalTalk.

2. Wide area network: carry messages between computers that are separated by a large distance.
Computers connected by WAN are called hosts and can be located in different cities, countries.

Messages are subdivided into packets. A packet is a sequence of data elements (a block of data) together with addressing information that identifies the sending and receiving computers.
The communication medium uses packet switches to route a packet.
To connect two networks, gateways are used. A gateway is a computer that provides hardware and software translation between two networks.
The resulting internetwork will look like a single network.

Internet is an example of a WAN. It is a single world wide collection of interconnected networks that share a uniform scheme for addressing host computers and a suite of agreed protocols. Internet commenced in the early 1970s and is the result of more than 20 years research and development.

TCP/IP
An important part of the Internet is TCP/IP protocol suite.
TCP stands for Transmission Control Protocol and IP stands for Internet Protocol.
To reach a host on Internet, the host must have an Internet address.

An IP packet has a source address, a destination address and a data section.

IP layer is a virtual network layer that is responsible for routing a packet from its source to its destination. However there is no guarantee that the packet actually reaches the intended destination.
The task of dividing a message into packets and re-assembling them at the destination is performed in transport layer and by TCP protocol. That is, it provides a network-independent message transport service between pairs of network ports.

TCP provides reliable virtual circuits to user processes. Lost or damaged packets are retransmitted; incoming packets are reordered if necessary to match the original order of transmission.
Every TCP message is tagged with
<local-host, local-port, remote-host, remote-port>

A drawback of original TCP/IP is that it does not have integrated support for secure communication.

IPSec
1) IP Security (IPSec) is the proposed IETF standard for IP security.
It defines a set of standard security protocols that authenticate TCP/IP connections, add data confidentiality and integrity to TCP/IP packets, and are transparent to the application and the underlying network infrastructure.
2) The IPSec standards effort is being supported by a wide variety of vendors and is being implemented as a built-in feature in IPv6 version of the protocol.

Firewalls
The following factors make Internet an insecure environment:
1) Exponential growth of hosts connected to the Internet.
2) Exponential growth of Intranets and LANs
3) TCP/IP is not designed to offer secure communication.
4) Services (telnet, ftp, rlogin etc) offer little or no security.
5) Enterprises need to expose themselves to the Internet and WWW.

Firewalls are a security mechanism that allow limited access to a site from the Internet by allowing approved traffic in and out according to a well-defined policy.
1) A firewall is a security control point.
2) It connects different trust zones (or risk zones) of the network together (for example Internet low trust zone and Intranet high trust zone).
3) It provides a pragmatic approach to risk management.
A firewall is only a part of the implementation of the security policy.

Firewall Techniques
a) Packet filters
b) Application Layer Firewalls

Packet filters filter the traffic at the network layer.
They ensure that only hosts with certain IP addresses can access the protected network area.
1) Operate at network level.
2) Use a predefined set of rules to filter traffic
a) Source and destination IP addresses.
b) Source and destination ports.
c) Protocols
3) Filters
a) Deny-filter: everything is allowed unless it is specifically denied.
b) Pass-filter: everything is denied unless it is specifically allowed.
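The two filter policies above, as an added example (not code from the original page): a minimal stateless packet filter in Python where the first matching rule wins and the policy is expressed by the default action. The addresses, hosts and rules are constructed for illustration; the intranet 10.0.0.0/8, the mail host 10.0.0.25 and the web host 10.0.0.80 are assumptions. The same set of inbound packets is run through a pass-filter (default deny) and a deny-filter (default allow) so the difference shows up on the services that neither rule set mentions.

```python
"""Minimal stateless packet filter: first matching rule wins, else the default."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def decide(rules: list, default: str, pkt: Packet) -> str:
    """First matching rule decides; the default applies when none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


INTRANET = "10.0.0.0/8"  # assumed internal address range (constructed)

# Pass-filter: everything is denied unless it is specifically allowed.
PASS_RULES = [
    # Anti-spoofing: a packet with an internal source address cannot
    # legitimately arrive on the Internet-facing interface.
    Rule("deny", src=INTRANET),
    Rule("allow", dst="10.0.0.25/32", proto="tcp", dport=25),  # mail host only
    Rule("allow", dst="10.0.0.80/32", proto="tcp", dport=80),  # web host only
]

# Deny-filter: everything is allowed unless it is specifically denied.
DENY_RULES = [
    Rule("deny", src=INTRANET),                          # same anti-spoofing rule
    Rule("deny", dst=INTRANET, proto="tcp", dport=23),   # telnet
    Rule("deny", dst=INTRANET, proto="tcp", dport=513),  # rlogin
]

# Constructed inbound packets as seen on the Internet-facing interface.
SAMPLE_PACKETS = {
    "web":     Packet("203.0.113.5", "10.0.0.80", "tcp", 80),
    "mail":    Packet("203.0.113.5", "10.0.0.25", "tcp", 25),
    "telnet":  Packet("203.0.113.5", "10.0.0.50", "tcp", 23),
    "x11":     Packet("203.0.113.5", "10.0.0.50", "tcp", 6000),  # unlisted service
    "spoofed": Packet("10.0.0.9",    "10.0.0.25", "tcp", 25),    # internal source from outside
}


def evaluate(rules: list, default: str) -> dict:
    return {name: decide(rules, default, pkt) for name, pkt in SAMPLE_PACKETS.items()}


def pass_filter_decisions() -> dict:
    return evaluate(PASS_RULES, "deny")


def deny_filter_decisions() -> dict:
    return evaluate(DENY_RULES, "allow")


if __name__ == "__main__":
    print("pass-filter:", pass_filter_decisions())
    print("deny-filter:", deny_filter_decisions())
```

The X11 packet is the instructive case: the deny-filter lets it through because nobody wrote a rule for port 6000, while the pass-filter blocks it because nobody wrote a rule allowing it. The filter also illustrates point (d) of the disadvantages below: it decides on addresses, ports and protocol only, and has no view of what the application data carries.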

Advantages/Disadvantages
a) Low costs, easy configuration.
b) High speed if implemented in hardware.
c) Transparent to users as long as they do not try to use prohibited service.
d) Does not provide any features to obtain confidentiality or authenticity beyond IP address filtering.
e) "Tunnelling techniques" can circumvent firewall.

Application Layer Firewalls direct each application to a specific proxy on the firewall, which examines the traffic and checks the source and destination address.
a) Operate at application level.
b) Also called application proxy firewalls.
c) Implemented by a workstation with two or more network interfaces.
d) Each service (rlogin, telnet, etc.) is replaced by special code on the gateway.
e) No direct traffic is allowed between Internet and Intranet.

Advantages/Disadvantages
a) Each application must have a proxy on the gateway.
If the firewall doesn't support a desired application, it is tempting to punch a hole through the firewall by leaving a port open. This poses a risk, as the open port can be used by attackers.
b) More or less transparent to users.
c) Auditing is possible.
d) Problem: an attacker who re-enables the IP forwarding kernel option on the gateway bypasses the proxies at a lower level.

Firewall Architectures
Bastion host:
a) Gateway machine which is exposed to the Internet:
It is the organisation's public presence on the Internet.
b) Outside world sees only bastion host:
Outsiders (friends or possible foes) need to connect to bastion host to access a system/service of the Intranet.
c) Highly exposed, security efforts must be concentrated on bastion host.

Perimeter network (demilitarised zone):
a) Network between Internet and Intranet.
b) Provides additional security.
c) Isolation between different components of the firewall.

Firewall Limits
a) Product design flaws.
b) Configurations errors and/or omissions.
c) Poor firewall management.
What a firewall cannot do:
a) can't protect you against malicious insiders.
b) can't protect you against connections that do not go through it.
c) can't protect against new threats.
d) A firewall can't protect against viruses.
e) Mobile users connected through dial-up connections get their IP address allocated dynamically. Deciding which addresses are allowed to pass the firewall is then rather difficult, as a user's address might change from time to time.
-> denial of access for authorised users

TIS (Trusted Information System) Toolkit
a) a freely available set of tools for building Internet firewalls
b) provide centerpiece for further development
c) application gateways handle store and forward traffic and some interactive traffic
d) can log and audit file

Alternative/Complementary Solutions
a) Using Cryptography
1) to establish secure channels
2) Manage trust
b) IPSec
c) Virtual Private Networks
d) Intrusion Detection Systems - (COPS, SATAN, IDES, NIDES..)

Intrusion detection Systems
Anderson's report: intrusions - unauthorised access to computers - can be detected by analyzing audit records.
a) External intrusion attempts can be detected by auditing login records,
b) Internal intrusions can be detected by analyzing resource access attempts.

Today's intrusion detection systems use one or a combination of the following methods:
1. encoding supposedly known intrusion patterns into knowledge bases; then essentially
monitoring the system audit trail for sequences that resemble intrusive patterns (intrusion
detection expert systems).
2. developing profiles of system subjects or entities that describe normal behavior patterns; then attempting to identify any deviation from the established patterns (profile-based intrusion detection systems).
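Both methods side by side, as an added example (not code from the original page or from any of the systems named): a small Python detector run over a constructed audit trail. The signature detector encodes one known intrusive pattern (several failed logins within a short window followed by a successful login for the same user) and scans the trail for it; the profile detector builds a per-user baseline of daily file-access counts from a training trace and flags a user whose count deviates from that baseline. The event names, users, counts and thresholds are all assumptions made for the illustration.

```python
"""Signature-based and profile-based intrusion detection over a constructed audit trail."""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev

DAY = 86400


@dataclass(frozen=True)
class AuditRecord:
    ts: int      # seconds since the start of the trace
    user: str
    event: str   # "login_ok", "login_fail" or "file_read" (assumed event names)


def file_reads(user: str, day: int, count: int) -> list:
    """Constructed helper: `count` file_read records for `user` on `day`."""
    return [AuditRecord(day * DAY + i, user, "file_read") for i in range(count)]


# Constructed baseline trace (five "normal" days) used to build the profiles.
BASELINE = []
for day, n in enumerate([20, 22, 18, 21, 19]):
    BASELINE += file_reads("alice", day, n)
for day, n in enumerate([5, 4, 6, 5, 5]):
    BASELINE += file_reads("bob", day, n)

# Constructed trail for the day under analysis (day 5).
T = 5 * DAY
TODAY = (
    file_reads("alice", 5, 21)                  # within alice's normal range
    + file_reads("bob", 5, 40)                  # far above bob's normal range
    + [AuditRecord(T + 100, "bob", "login_fail"),
       AuditRecord(T + 110, "bob", "login_fail"),
       AuditRecord(T + 120, "bob", "login_fail"),
       AuditRecord(T + 130, "bob", "login_ok"),     # matches the signature
       AuditRecord(T + 200, "alice", "login_fail"),
       AuditRecord(T + 205, "alice", "login_ok")]   # one failure: no match
)


def signature_alerts(trail: list, fails: int = 3, window: int = 60) -> list:
    """Known pattern: >= `fails` failed logins within `window` seconds, then a success."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for r in sorted(trail, key=lambda rec: rec.ts):
        q = recent[r.user]
        if r.event == "login_fail":
            q.append(r.ts)
            while q and r.ts - q[0] > window:   # drop failures outside the window
                q.popleft()
        elif r.event == "login_ok":
            if len(q) >= fails:
                alerts.append((r.user, r.ts, "login after repeated failures"))
            q.clear()
    return alerts


def build_profiles(baseline: list) -> dict:
    """Profile per user: mean and standard deviation of file_read count per day."""
    per_day = defaultdict(lambda: defaultdict(int))
    for r in baseline:
        if r.event == "file_read":
            per_day[r.user][r.ts // DAY] += 1
    profiles = {}
    for user, days in per_day.items():
        counts = list(days.values())
        profiles[user] = (mean(counts), pstdev(counts))
    return profiles


def profile_alerts(profiles: dict, trail: list, k: float = 3.0) -> list:
    """Flag a user whose file_read count exceeds mean + k * stddev of their profile."""
    counts = defaultdict(int)
    for r in trail:
        if r.event == "file_read":
            counts[r.user] += 1
    alerts = []
    for user, c in counts.items():
        if user not in profiles:
            alerts.append((user, "no profile for this subject"))
            continue
        mu, sd = profiles[user]
        # Floor the deviation at 1.0 so a very regular user does not alert on noise.
        if c > mu + k * max(sd, 1.0):
            alerts.append((user, f"file_read count {c} exceeds profile {mu:.1f} +/- {sd:.1f}"))
    return alerts


def run_detectors() -> tuple:
    profiles = build_profiles(BASELINE)
    return signature_alerts(TODAY), profile_alerts(profiles, TODAY)


if __name__ == "__main__":
    sig, prof = run_detectors()
    print("signature alerts:", sig)
    print("profile alerts:", prof)
```

The two detectors fail in opposite directions: the signature detector only sees what has been encoded (a pattern it has never been given passes silently), while the profile detector reports anything unusual, including legitimate changes in a user's work, so its threshold `k` trades false alarms against missed deviations.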

Example Network Attacks
1) IP Spoofing
An intruder sends packets from outside with the address of an internal host.
2) Source routing attack
Source station specifies the route that a packet must take.
3) SYN attack
This attack modifies the SYN protocol's request-response-confirm sequence by removing the confirm.
-> the server will hold an incomplete connection for several minutes.
Opening many connections to a server and leaving them open results in a denial of service attack.

Quotes!

"In order to live skilfully, in harmony with the dynamic Universe, it is essential to accept the reality of change and impermanence. The wise person therefore travels lightly, with a minimum of clutter, maintaining the proverbial 'open mind' in all situations, for he or she knows that tomorrow's reality will not be the same as today's. He or she will also have learnt the divine art of letting go - which means not being attached to people and possessions and situations, but rather, when the time for parting comes, allowing that to happen graciously." The elements of buddhism - John Snelling.

"Humans are just shadows and dust! (Gladiator) It doesn't matter where you are from, you are no different from the person born on the other side of the world. That's why you have social science classes, to study how humans behave. It's just logic, nothing more or less than a computer." Michael Lim.

"Life in every breath. Great men rose and fell. Does it matter to be one?" The Last Samurai.

"God is jealous of us because we are immortal and every moment of our life is precious." Troy.

Copyright michaellim.netfirms.com.