Chapter 10: Data Centre and Network Security

Transcript of the lecture slides (26 pages).

Objectives:
• Proxies and Gateways
• Firewalls
• Virtual Private Network (VPN)
• Security issues

Page 2

[Figure: two arrangements. Top: a client reaches a destination server on the Internet through a gateway. Bottom: a client reaches a destination server on the Internet through a proxy. Arrows mark the direction of information flow.]

Proxies and gateways

• A gateway is a network point that acts as an entrance to another network.
• A proxy server acts as a go-between for requests from clients seeking resources and the servers that hold them. A client connects to the proxy server and requests some service, such as a file, connection, web page or other resource, available from a different server. The proxy server evaluates the request against its filtering rules and, if the request is allowed, passes it on to the appropriate server and relays the reply back to the client. Because the proxy terminates the client's connection and opens its own connection to the destination, the destination sees the proxy's address rather than the client's.
• A computer acting as a gateway node is often also acting as a proxy server and a firewall server.
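The filtering step described above, as an added worked example that is not part of the slides: a policy check a forward proxy would run on each client request line before opening a connection on the client's behalf. The policy values (permitted ports, the blocked host suffix, the refusal of IP-literal destinations) are assumptions chosen for illustration. The check that matters most for a proxy sitting on a gateway is the one against internal addresses: a proxy that will connect anywhere is a springboard from the outside into the intranet.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed policy for the example; a real deployment would load this from configuration.
ALLOWED_PORTS = {80, 443}
BLOCKED_HOST_SUFFIXES = (".example-gambling.test",)
BLOCK_IP_LITERALS = True   # clients must name hosts, not addresses

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request_line(line: str):
    """Return (method, host, port) for a plain or CONNECT request line, or None."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    method, target = m.group(1), m.group(2)
    if method == "CONNECT":
        # CONNECT host:port is how a client asks for a TLS tunnel through the proxy.
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return None
        return method, host.lower(), int(port)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return method, parts.hostname.lower(), port


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def evaluate(line: str) -> tuple:
    """Apply the proxy's filtering rules to one request line.
    Returns (allowed, reason); anything not explicitly permitted is refused."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False, "malformed request line"
    method, host, port = parsed
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not permitted"
    if is_ip_literal(host):
        addr = ipaddress.ip_address(host.strip("[]"))
        # Never relay into the networks behind the gateway.
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return False, f"destination {host} is an internal address"
        if BLOCK_IP_LITERALS:
            return False, "IP-literal destinations not permitted"
    if host.endswith(BLOCKED_HOST_SUFFIXES):
        return False, f"host {host} is on the block list"
    return True, f"{method} to {host}:{port} permitted"
```

Note that the internal-address check here only covers destinations given as literals. A proxy must repeat the check on the address the host name actually resolves to, immediately before connecting, or a name pointing at 10.0.0.5 walks straight past the rule.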

Page 3

Packet filter router or Firewall

[Figure: a packet-filtering router (firewall) joins the Internet to Net 1 and Net 2. Allowable outgoing IP addresses: 146.176.151.10, 146.176.151.112, 146.176.155.122. Allowable incoming IP addresses: 55.65.100.10, 192.54.192.3.]

A firewall is an integrated collection of security measures designed to prevent unauthorized access to an intranet. It is also the device, or set of devices, configured to permit, deny, encrypt, decrypt or proxy all traffic between different security domains according to a set of rules and other criteria. Addresses alone, as in the diagram, are a weak criterion: a packet's source address is written by the sender, so a rule that trusts a particular external address can be satisfied by a forged packet (see IP spoofing under Security issues) unless the filter also checks which interface the packet arrived on and the state of the connection it belongs to.

Page 4

Application-level firewall

[Figure: a client's network connection reaches external systems only through per-protocol proxies (an FTP proxy and an HTTP proxy) running on the firewall.]

An application-level firewall understands the protocol it relays, so it can enforce rules on commands and content (for example, permitting FTP downloads but refusing uploads) that a packet filter, which sees only addresses and ports, cannot.

Page 5

Application-level firewall

[Figure: Net 1 and Net 2 are joined to the Internet through a gateway that sits between two firewalls. Firewall A (Internet side) only accepts data packets addressed to the gateway; Firewall B (internal side) only accepts data packets addressed to the gateway.]

Because neither firewall forwards packets past the gateway, every connection between the internal networks and the Internet must be relayed by a proxy on the gateway, and a compromise of the gateway still leaves Firewall B between the attacker and the internal networks.

Page 6

Ring-fenced firewall

[Figure: a single external connection to the Internet enters through a router and a firewall; Sites 1, 2 and 3 each sit behind their own firewall; audit monitors record the traffic crossing the boundaries.]

Each site is fenced from the other sites as well as from the Internet, so a compromise at one site cannot spread freely, and the audit monitors give a single place to review what crossed each boundary.

Page 7

Filtering routers (Firewalls)

A filtering router inspects the IP and TCP/UDP headers of each packet and compares these fields against its rule table:

• Source IP address
• Destination IP address
• Source port
• Destination port
• Protocol (TCP/UDP)

Rules are kept separately for incoming and outgoing traffic, each with an allowed list and a disallowed list.

[Figure: firewalls between Sites 1, 2 and 3, each running monitoring software.]

Page 8

Encryption tunnels or Virtual Private Network (VPN)

[Figure: Net 1 to Net 4, each behind a firewall, are joined across the Internet by routers with encryption/decryption, forming an intranet over the Internet.]

Page 9

Encryption tunnels

[Figure: local networks joined across the Internet by routers with encryption/decryption (an intranet over the Internet). Each endpoint holds a public key and a private key: the user's public key is used to encrypt data (INFO to ENCR) and the user's private key is used to decrypt it (ENCR to INFO).]

In practice the public/private key pair is used to authenticate the tunnel endpoints and to agree a session key; the traffic itself is then encrypted with a symmetric cipher under that session key, because public-key encryption is far too slow to apply packet by packet.

Page 10

Virtual Private Network (VPN)

A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users connecting from out in the field.

Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee. The privacy comes entirely from the tunnel endpoints authenticating each other and encrypting the traffic between them; the packets still cross the public Internet, so a tunnel without strong authentication and encryption protects nothing.

Page 11

Security risks

1. Data protection. This is typically where sensitive or commercially important information is kept. It might include information databases, design files or source code files. One method of reducing this risk is to encrypt important files, so that a copy taken from a stolen disk or backup is useless without the key.

2. Software protection. This involves protecting all the software packages from damage or from being misconfigured. A misconfigured software package can cause as much damage as a physical attack on a system, because it can take a long time to find the problem.

3. Physical system protection. This involves protecting systems from intruders who might physically attack them. Normally, important systems are locked in rooms and then within locked rack-mounted cabinets.

4. Transmission protection. This involves a hacker tampering with a transmission connection. It might involve tapping into a network connection or total disconnection. Tapping is harder with optical fibre than with copper: a fibre does not radiate a signal, and a crude tap means cutting a cable that may carry hundreds of fibres, each of which would then have to be spliced back as it was. Bend-coupler taps on a single fibre do exist, however, so fibre reduces the risk rather than removing it. Underground cables reduce the risk of total disconnection, and the damage from a cut can be limited by redundant paths (such as different connections to the Internet).

Page 12

Security issues

Hacking methods

• IP spoofing. The hacker forges packets carrying an authorized IP address as their source, so that address-based access controls let them through. Since the replies go to the real owner of the address, spoofing is mainly useful for one-way attacks and for abusing address-based trust.

• Packet sniffing. The hacker listens to TCP/IP traffic on a network segment, capturing passwords and data sent in clear.

• Password attack. The hacker runs programs which determine the password of a user, by guessing, dictionary or brute force. Once into the system the hacker can then move on to other, more trusted, users.

• Session hijacking attacks. The hacker taps into a conversation between two computers. A remote trusted user could start the conversation, but the hacker, having observed the sequence numbers in use, could continue it.

• Shared library attacks. The hacker replaces, or arranges to be loaded ahead of, a shared library that trusted programs use, so that those programs execute the hacker's code.

• Social engineering attacks. Typically the hacker uses social methods, such as posing as support staff, to persuade a user to reveal a password.

• Technological vulnerability attack. The hacker attacks a vulnerable part of the system, such as forcing a computer to reboot, spreading viruses, and so on.

• Trust-access attacks. The hacker adds their system to the list of trusted systems (for example the hosts.equiv or .rhosts files used by the Unix r-commands), after which logins from that system are accepted without a password. The hacker can then get full administrator privileges.

Page 13

Best practices for high-security networks

1. BAN EXTERNAL CONNECTIONS. In a highly secure network, all external traffic should go through a strong firewall. There should be no other external connections on the network. If possible, telephone lines should be monitored to stop data being transferred over them without going through the firewall.

2. SECURE ACCESS TO RESOURCES. Typically users must use swipe cards, or some biometric technique, to gain access to a restricted domain.

3. VIRUS PROTECTION. All computers which access the Internet should be well protected against malicious programs and viruses.

4. FIREWALLS USED BETWEEN DOMAINS. Internal hackers can be as big a problem as external hackers. Thus firewalls should be used between domains to limit access.

5. BASE AUTHENTICATION ON MAC ADDRESSES. Network (IP) addresses do not offer good authentication of a user, as they can be easily spoofed. Checking the MAC address of the computer is an improvement only in that it ties access to a particular interface on the local segment: MAC addresses are not seen beyond the first router and can be changed in software just as easily, so two computers can present the same MAC address. MAC filtering should be treated as a convenience control and backed by authentication of the user or device itself, such as certificates or port-based network access control (802.1X).

6. MONITORING OF LOG EVENTS. All the important security-related events should be monitored within each domain. If possible they should be recorded over a long period of time. Software should be used to try to detect incorrect usage.

Page 14

Intrusion Detection System (IDS)

Intrusion detection is an important part of a solid network security strategy, especially for administrators who implement the best practice of defence in depth.

An IDS provides monitoring of network resources to detect intrusions and attacks that were not stopped by the preventive techniques. For many reasons, it is impossible for firewalls to prevent all attacks: they pass traffic on permitted ports without knowing whether the content is an attack, and they see nothing of attacks that originate inside the perimeter.

Page 16

Intrusion detection approaches

• Anomaly detection:
  * A baseline is defined to describe the normal state of the network or host.
  * Any activity outside the baseline is considered to be an attack.
  * This can detect attacks nobody has seen before, but the quality of the baseline decides the false-alarm rate, and a baseline learned while an attacker was already active treats the attack as normal.

Page 17

• Signature detection:
  * Also known as misuse detection.
  * The IDS analyzes the information it gathers and compares it to a database of known attacks, each identified by its individual signature.
  * The signature detection method is good at detecting known attacks. Signatures enable the IDS to detect an attack without any knowledge of the normal traffic in a given network, but they also require that a signature be created and loaded into the sensor's database before the attack can be seen, so new or altered (encoded, obfuscated) attacks are missed.
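Both approaches side by side, as an added example that is not part of the slides: a small detector run over a constructed web-server access log. The signature half matches request paths against patterns for known attacks; the anomaly half learns a baseline (requests per source, mean plus three standard deviations) from a quiet training window and flags any source in the live window that exceeds it. The log lines, addresses and signature patterns are all invented for the example.

```python
import re
import statistics
from collections import Counter

# Constructed access-log lines in Common Log Format (not from a real server).
TRAINING = """\
198.51.100.7 - - [10/Oct/2023:13:50:01 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:50:05 +0000] "GET /style.css HTTP/1.1" 200 811
203.0.113.4 - - [10/Oct/2023:13:50:09 +0000] "GET /products HTTP/1.1" 200 5310
203.0.113.4 - - [10/Oct/2023:13:50:12 +0000] "GET /products?id=7 HTTP/1.1" 200 4102
203.0.113.4 - - [10/Oct/2023:13:50:20 +0000] "GET /cart HTTP/1.1" 200 1900
192.0.2.77 - - [10/Oct/2023:13:50:31 +0000] "GET /about.html HTTP/1.1" 200 1120
192.0.2.77 - - [10/Oct/2023:13:50:44 +0000] "GET /contact.html HTTP/1.1" 200 980
198.51.100.22 - - [10/Oct/2023:13:50:50 +0000] "POST /login HTTP/1.1" 302 0
"""

WINDOW = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.4 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=1 HTTP/1.1" 200 5310
203.0.113.4 - - [10/Oct/2023:13:55:41 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0
192.0.2.77 - - [10/Oct/2023:13:55:42 +0000] "GET /../../etc/passwd HTTP/1.1" 403 0
203.0.113.200 - - [10/Oct/2023:13:55:50 +0000] "GET /admin/ HTTP/1.1" 404 0
203.0.113.200 - - [10/Oct/2023:13:55:50 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
203.0.113.200 - - [10/Oct/2023:13:55:51 +0000] "GET /wp-login.php HTTP/1.1" 404 0
203.0.113.200 - - [10/Oct/2023:13:55:51 +0000] "GET /.env HTTP/1.1" 404 0
203.0.113.200 - - [10/Oct/2023:13:55:52 +0000] "GET /backup.zip HTTP/1.1" 404 0
203.0.113.200 - - [10/Oct/2023:13:55:52 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Signature database: each known attack is identified by a pattern on the request path.
SIGNATURES = {
    "directory traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
    "sql injection": re.compile(r"(%27|')(%20|\+|\s)*(or|and)(%20|\+|\s)", re.I),
    "command injection": re.compile(r"(;|%3b)\s*(cat|wget|curl|nc)\b", re.I),
}


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _ts, method, path, status, _size = m.groups()
    return {"src": src, "method": method, "path": path, "status": int(status)}


def signature_alerts(log: str) -> list:
    """Misuse detection: every request whose path matches a known-attack signature."""
    alerts = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name, rec["path"]))
    return alerts


def requests_per_source(log: str) -> Counter:
    return Counter(rec["src"] for rec in map(parse, log.splitlines()) if rec)


def learn_baseline(training_log: str, k: float = 3.0) -> float:
    """Anomaly threshold: mean requests per source plus k standard deviations,
    learned from a window believed to contain only normal traffic."""
    counts = list(requests_per_source(training_log).values())
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def anomaly_alerts(log: str, threshold: float) -> list:
    """Sources whose activity falls outside the learned baseline."""
    return [(src, n) for src, n in requests_per_source(log).items() if n > threshold]
```

The two halves catch different things: the injection and traversal attempts come from sources whose request rate is perfectly normal, so only the signatures see them, while the scanner at 203.0.113.200 sends nothing that matches a signature and is caught only because its rate is far outside the baseline.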

Page 18

Protected system

• There are primarily two types of intrusion detection system on the market today: those that are host based and those that are network based.

Page 19

Host-based IDS

• Used to protect a critical network server.
• The host-based IDS agent uses resources on the host server (disk space, memory and processor time).
• Analyzes the logs of the operating system and applications.
• Monitors file checksums to identify changes.
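The file-checksum monitoring in the last bullet, as an added example that is not part of the slides: a baseline of SHA-256 digests and permission bits is taken over a directory tree, and a later snapshot is compared against it to report added, removed and modified files. The scenario in `demo()` (a trojaned login binary, a planted script and a deleted log) is constructed in a temporary directory; the paths and contents are invented.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file below root (POSIX relative path) to its digest and mode.
    Symlinks are skipped so an attacker cannot point the checker at another file."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mode": oct(p.stat().st_mode & 0o7777),
            }
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or whose content or permissions changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a trojaned binary,
    a planted file and a deleted log, and report what the checker sees."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in {
            "bin/login": b"original login binary",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "var/log/auth.log": b"login from 203.0.113.9\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = snapshot(root)

        (root / "bin/login").write_bytes(b"trojaned login binary")  # content changed
        (root / "tmp").mkdir()
        (root / "tmp/.sh").write_bytes(b"#!/bin/sh\n")              # planted file
        (root / "var/log/auth.log").unlink()                         # evidence removed
        return compare(baseline, snapshot(root))
```

The baseline is only as trustworthy as its storage: keep it off the monitored host or sign it, since an intruder with root can otherwise rewrite the baseline to match the altered files.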

Page 20

Network-based IDS

• Monitors activity on one or more network segments, whereas host-based IDS are software agents that reside on the protected system.
• NIDS analyze all passing traffic.
• NIDS sensors usually have two network connections: one that operates in promiscuous mode to sniff passing traffic (typically left without an IP address, so the sensor cannot itself be reached from the monitored segment), and one used to send data such as alerts to a centralized management system.

Page 21

NIDS architecture

• Place IDS sensors strategically to defend the most valuable assets.
• Typical locations of IDS sensors:
  – Just inside the firewall
  – On the DMZ
  – On the server-farm segment
  – On network segments connecting mainframe or midrange hosts

Page 22

Firewalls

• Basic packet filtering, on:
  – Protocol type
  – IP address
  – TCP/UDP port
  – Source-routing information
• Access control lists (ACL): rules built according to the organizational policy that defines who can access which portions of the network. Rules are evaluated in order, the first match decides, and a final implicit deny catches anything not listed.
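A packet filter built on exactly these criteria, as an added example that is not part of the slides, serving both this slide and the filtering-router table on page 7: an ordered ACL of five-tuple rules with first-match semantics and an implicit deny, using the allowable incoming and outgoing addresses from the page 3 diagram. The site prefix 146.176.0.0/16, the services tied to each address and the rule order are assumptions made for the example. The `established` flag reproduces the classic stateless-ACL trick of admitting reply traffic only when the ACK bit is set.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" (Internet -> site) or "out" (site -> Internet)
    proto: str                   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False            # TCP ACK flag; clear on the first SYN of a connection
    source_routed: bool = False  # IP source-route option present


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR prefix
    dst: str                     # CIDR prefix
    dports: Optional[FrozenSet[int]] = None  # None = any destination port
    established: bool = False    # match only packets with ACK set (reply traffic)

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dports is None or p.dport in self.dports)
                and (not self.established or p.ack))


SITE = "146.176.0.0/16"          # assumed site prefix covering the slide's addresses
ANY = "0.0.0.0/0"
WEB = frozenset({80, 443})
SMTP = frozenset({25})
EPHEMERAL = frozenset(range(1024, 65536))

# Ordered rule table: first match wins, anything unmatched hits the implicit deny.
RULES: List[Rule] = [
    # Anti-spoofing: nothing arriving from the Internet may claim a site address.
    Rule("deny", "in", "any", SITE, ANY),
    # Allowable incoming addresses from the slide, restricted (assumption) to mail delivery.
    Rule("allow", "in", "tcp", "55.65.100.10/32", "146.176.151.10/32", SMTP),
    Rule("allow", "in", "tcp", "192.54.192.3/32", "146.176.151.10/32", SMTP),
    # Replies to connections opened from inside: ACK must be set, so a bare SYN is refused.
    Rule("allow", "in", "tcp", ANY, SITE, EPHEMERAL, established=True),
] + [
    # Allowable outgoing addresses from the slide, limited (assumption) to web browsing.
    Rule("allow", "out", "tcp", f"{host}/32", ANY, WEB)
    for host in ("146.176.151.10", "146.176.151.112", "146.176.155.122")
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (verdict, reason). Source-routed packets are dropped before the rules
    are consulted: the option lets the sender dictate the return path, which
    defeats any trust placed in addresses."""
    if p.source_routed:
        return "deny", "source-routed packet"
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, f"rule {i}"
    return "deny", "implicit deny"
```

The weakness of the stateless `established` rule is visible in the last assertion below: any packet with ACK set and a high destination port is admitted, whether or not a connection exists, which is exactly what an ACK scan exploits. A stateful firewall replaces that rule with a lookup in its table of connections it has actually seen opened.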

Page 23

Demilitarized zone (DMZ)

• An area set aside for servers that are publicly accessible or have lower security requirements.
• Sits between the Internet and the internal network's line of defence, so that a compromised public server does not give direct access to the internal network.

Pages 25 and 26

Network IDS reactions

• Shunning or blocking: the sensor tells the firewall or router to add a temporary rule that drops further traffic from the attacking address. This must be time-limited and rate-limited, since an attacker who spoofs the source address of an attack can otherwise use the IDS to block legitimate hosts.

• TCP resets: the sensor forges a TCP segment with the RST flag set towards each end of the offending connection, tearing it down. This works only for TCP, and only if the sequence number in the forged segment is one the receiving endpoint expects.
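What a sensor has to build to send those resets, as an added example that is not part of the slides: an IPv4/TCP segment with only RST set, both checksums computed, plus a decoder that verifies the result, and a helper that derives the two resets from a sniffed client-to-server segment. The addresses, ports and sequence numbers in the test are invented. Actually transmitting the bytes needs a raw socket and root; this code stops at building and checking them.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """IPv4 packet carrying a TCP segment with only RST set and no payload.
    seq must be the sequence number the receiver expects next, otherwise a
    conforming stack drops the reset as out of window."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    offset_flags = (5 << 12) | 0x04                      # 20-byte header, RST flag
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF, 0, offset_flags, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)  # DF set, TTL 64, checksum 0
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(packet: bytes) -> dict:
    """Decode the fields a receiver checks and verify both checksums (a header
    sums to zero when its own checksum field is included)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp_hdr = packet[:ihl], packet[ihl:]
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", tcp_hdr[:14])
    pseudo = struct.pack("!4s4sBBH", ip_hdr[12:16], ip_hdr[16:20], 0,
                         socket.IPPROTO_TCP, len(tcp_hdr))
    return {
        "src": socket.inet_ntoa(ip_hdr[12:16]), "dst": socket.inet_ntoa(ip_hdr[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "rst": bool(offset_flags & 0x04), "syn": bool(offset_flags & 0x02),
        "ip_checksum_ok": checksum(ip_hdr) == 0,
        "tcp_checksum_ok": checksum(pseudo + tcp_hdr) == 0,
    }


def resets_for(observed: dict) -> tuple:
    """From a sniffed client->server segment (addresses, ports, seq, ack, payload
    length) build the RST to the server (spoofing the client) and the RST to the
    client (spoofing the server). The server expects seq + payload_len next; the
    client expects the value it just acknowledged."""
    to_server = build_rst(observed["src"], observed["dst"], observed["sport"],
                          observed["dport"], observed["seq"] + observed["payload_len"])
    to_client = build_rst(observed["dst"], observed["src"], observed["dport"],
                          observed["sport"], observed["ack"])
    return to_server, to_client
```

The sequence-number requirement is why a sensor can only reset connections it is positioned to watch: an out-of-path box that guesses the numbers is ignored by both endpoints.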