Network Security_Example v0.2

by

Faham Usman

on 23 May 2014

Transcript of Network Security_Example v0.2

Information Security
Network Security
Awareness Campaign
Agenda
Salim is your Cyber Security Advisor.
He aims at promoting, building and ensuring a safer and more secure cyber environment and culture in the UAE.
About aeCERT
One of the initiatives of the UAE Telecommunications Regulatory Authority.
aeCERT is the United Arab Emirates Computer Emergency Response Team.
About aeCERT
OSI Model
Types of Computer Networks
What is Network Security?
Network Security Models
Mac Flooding
DDoS
Network Security Threats
Network Security Breaches
Spoofing
MITM Attack
Network Security Policy
Router
Event Management Logging and Monitoring
Intrusion Detection System
Firewall and VPN
aeCERT
Salim (aeCERT)
@salim_aecert
For more information
www.aecert.ae
info@aecert.ae
Questions
Types:



Categories


Common Problems


False Negatives
Controls traffic flowing into, and possibly out of, a single host (Ingress/Egress filtering)
IP forwarding is disabled
This involves running additional firewall software on a machine:
A misconfigured firewall is one of the most common reasons a firewall fails to protect a LAN.
It is necessary to test the behaviour of a firewall with tools such as Nmap.
Hybrid Firewall
Application Layer Gateway (Proxy)
Change default password
Disable IP directed broadcasts
Block ICMP ping request
Disable IP source routing
Determine your packet filtering needs
Establish Ingress and Egress address filtering policies
Maintain physical security of the router
Review the security logs
Disable HTTP configuration for the router
Did you know ?
At 36%, the health industry suffered the largest share of data breaches in 2012
Data Breaches by Sector in 2012

Monitoring network events is crucial for identifying intrusive activity at the time it occurs, or soon after, by inspecting messages as they traverse the network
Network events are “leading indicators” of an intrusion
Detecting suspicious activity early can potentially minimize and contain any damage
Monitoring network and system events helps to identify intrusive activity and facilitates the investigation of unusual and suspicious activity.
An intrusion detection system is a software application or hardware device that monitors, detects and alerts on malicious system or network activity, intrusion attempts and anomalous traffic patterns in a network or coming in from the Internet
User Access Management
The objective of this control is to:
Simple and fast

They allow or deny packets based on Layers 3 and 4 only: IP address (source/destination), protocol number (IP, ICMP, GRE, etc.) and port number (TCP or UDP)

Looks at every packet and decides to allow or deny

Available in almost any OS kernel and most router products
Did you know ?
Over 90% of the organizations have suffered some sort of computer and network security breach in the last 10 years 
Cookie/Session Poisoning
A cookie is poisoned if it is modified by an attacker to gain unauthorized information about the user.
The application layer is the most attacked layer these days because:
Application Layer
User behavior events should be monitored, including login/logout, authentication and other identification processes users execute, and the files they access.
User behavior events can help identify anomalies and suspicious patterns that can indicate an attack that is in process or has been successful
The objective of this control is to prevent unauthorized access to systems and applications

Access to information and application system functions should be restricted according to the organization’s access control policy
This is a filtering decision.
Top 10 Source Countries

Source: Global DDOS attack report, 2012


In October 2012, HSBC confirmed that a denial of service attack caused the downtime of many of its websites worldwide. The attack did not affect any customer data, but it did prevent customers from using HSBC online services, including internet banking.
HSBC website fell to DDoS !!!

In April 2012, Facebook, the most visited social networking website, confirmed that its source code had been stolen by a 26-year-old, Mr. Mangham, who was trying to help Facebook patch security vulnerabilities and ended up in jail for possessing the source code for more than 3 weeks without informing Facebook

Stealing Facebook’s Source code !!!
In February, there was a data breach of one of the Federal Reserve’s internal websites by the well-known group “Anonymous”
US Federal Reserve Gets Hacked??

Does Lax Network Security Lead To Cyber Attacks ??
To prevent messages sent across the network from being intercepted or modified in transit

To detect and respond to attempted and actual intrusions through the network

To provide control at all points along the network perimeter in order to block network traffic that is malicious, unauthorized or presents a risk to the internal network

Network security consists of the technologies and processes that are deployed to protect internal networks from internal and external threats
Zero-Day Attacks
A zero-day (or zero-hour) attack tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities.
Command Injection
In a command injection attack, a malicious user injects commands that are then executed by a vulnerable application.

The malicious user gains the power of an authorized system user and executes commands with the same privileges and environment as the application.

Example:
A CGI utility that allows users to change their passwords runs:

    system("cd /var/yp && make &> /dev/null");

system() hands the string to the shell, which locates make through the PATH inherited from the application's environment, so whoever controls that environment controls which program runs with the CGI utility's privileges.
DIDSs are a combination of both NIDSs and HIDSs with some form of management ability.
Tri-homed host
A set of rules that decides whether to grant or deny network access to certain IP addresses or ports.

The primary function of an access list is to restrict traffic.

ACLs are defined as separate rules for inbound and outbound traffic, each either allowing or denying it.

An IP address based ACL filters traffic based on source and destination IP addresses, whereas a port based ACL filters based on destination ports.
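An added example (not from the presentation) of the ACL evaluation described above, in Python: rules are kept separately for inbound and outbound traffic, an IP-based rule leaves the port unset while an IP & port-based rule sets it, and the default for unmatched packets selects between the open model (permit) and the closed model (deny) from the security-models slides. The 10.0.0.0/24 network, the rule set and the packets are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str                   # "inbound" or "outbound", relative to the protected network
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    direction: str                   # separate rules for inbound and outbound traffic
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None: IP-based rule; a value: IP & port-based rule


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every field it constrains agrees with the packet."""
    return (rule.direction == pkt.direction
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First matching rule decides. The default applies when nothing matches:
    'deny' is the closed model, 'permit' the open model."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set (hypothetical) protecting the 10.0.0.0/24 network.
RULES = [
    # Ingress filter: packets arriving from outside must not claim an internal source.
    Rule("inbound", "deny", src="10.0.0.0/24"),
    # Only HTTPS to the web server is allowed in (IP & port-based rule).
    Rule("inbound", "permit", dst="10.0.0.5/32", proto="tcp", dst_port=443),
    # Egress: internal hosts may send anything out (IP-based rule).
    Rule("outbound", "permit", src="10.0.0.0/24"),
]

# Constructed sample packets.
SAMPLE_PACKETS = [
    Packet("inbound", "203.0.113.7", "10.0.0.5", "tcp", 443),   # HTTPS to the web server
    Packet("inbound", "203.0.113.7", "10.0.0.5", "tcp", 22),    # SSH to the web server
    Packet("inbound", "10.0.0.9", "10.0.0.5", "tcp", 443),      # spoofed internal source
    Packet("outbound", "10.0.0.5", "198.51.100.2", "udp", 53),  # DNS query going out
]


def decisions(default: str) -> List[str]:
    """Decision for each sample packet under the given default policy."""
    return [evaluate(RULES, p, default) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    print("closed model:", decisions("deny"))
    print("open model:  ", decisions("permit"))
```

Under the closed model the SSH packet is dropped because nothing permits it; under the open model it passes, while the spoofed packet is dropped in both because an explicit deny matches first.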
Introduction
The objective of this control is to make users accountable for safeguarding their authentication information

Users should be required to follow the organization’s practices for the use of secret authentication information
A well-secured router can significantly enhance the overall level of network security
Routers play an important part in providing overall network security
The only real protection is ingress and egress filtering, and controlling access to network configuration tools on individual systems.
Changing an IP address can be done through your computer’s network configuration functions or through a tool, like nmap, that provides this type of functionality.
An attacker can use the IP address of another trusted system to gain unauthorized access.
Buffer Overflow (print "a" 500 times):
$ echo -e "GET /login.php?user=\
> `perl -e 'print "a" x 500'`\nHTTP/1.0\n\n" | \
> nc -vv www.victim.com 80

Buffer Overflow
Cross Site Scripting (XSS) occurs when malicious web users inject code into the web pages viewed by other users.
Cross Site Scripting/XSS
Did you know?
The Internet is considered the best-known global computer network, connecting billions of computers that are linked to exchange data
Introduction to Computer Networks
Also known as a data network: it allows computers to exchange information between them
Telecommunication highways over which information travels
Most host-level events indicate that an attack has been successful, and therefore these events warrant immediate investigation
Host-level events are a “lagging indicator” of an intrusion
Misconfigured firewall scripts (the most common problem)
OS vulnerabilities

A modem may be able to connect to the LAN, bypassing the firewall altogether.
An attacker can hijack a remote machine that is allowed to bypass the firewall
Firewalls do allow certain traffic through which can be exploited.
Packet Filter – Generation 1
An attacker can exploit ARP poisoning to intercept network traffic between two (or more) machines on the network
ARP packets can be forged to send incorrect IP-to-MAC address mappings to the victim machines
ARP resolves IP addresses to the MAC (hardware) address of the interface that should receive the data
It is a more effective way of hijacking sessions because it allows attackers to see incoming and outgoing communications, acting like a proxy as opposed to "blind" TCP/IP spoofing.
ARP poisoning is an effective way to intercept, sniff, hijack and DoS connections.
Macof facilitates the interception of network traffic normally unavailable to an attacker.
Macof is a tool that floods the local network with random MAC addresses, causing switches to fail open into repeating (hub) mode, which facilitates sniffing.
Permit everything that is not explicitly denied
(Spectrum: maximum security at one end, transparent user access at the other)
Security Policy
Hide Internal Network Information
Deny everything that is not explicitly allowed
Control the Perimeter
HTTP is a stateless protocol.

Instead of making a user authenticate upon each click in a web application, a feeling of “state” is created.

In order to maintain state, a secret string is shared between the HTTP client and the server.

Essentially, authentication data (username/password pair) is exchanged for a Session ID. This is done with:
Cookies
Hidden fields
URL parameters
Cookie/Session Poisoning – Session ID Overview
Deciding on which events and attributes to monitor is a trade-off decision to help manage risks
Determining what events to monitor can sometimes be a difficult and complex decision
What to Monitor?
Essentially a router, possibly with multiple interfaces, that forwards or drops packets based on a rule set
Enforcement point for network access control
More secure than host-based alone
IP forwarding is enabled
Routers perform two basic functions:
1. Routing: the router decides where to send network packets, and then sends those packets accordingly
2. Filtering: the router allows or denies network packets passing through it based on criteria defined in rules

Policy development must focus on:

Switch – MAC Flooding

A CSIRT should be appointed from among technical staff to respond to intrusions
Being prepared is the key to effectively responding to a security intrusion or attack
A router is a device that sits between 2 or more networks and transfers network packets from one network to another

It determines the next network device to which a packet should be forwarded as it makes its way towards its destination

It also maintains a table of the available routes and their conditions

Minimize unnecessary risk
Encrypt confidential information
Logging and Monitoring
It is a network of sub-networks that interconnects LANs over wide geographic areas.
A discrete network designed to operate in a specific limited area, like a floor of a campus building, within a single organization
Wide Area Network
Local Area Network
The major difference between this configuration and the previous screening router configuration is that, in addition to packet filtering, the external firewall has the ability to perform stateful inspection and/or application proxying for internal services. It may also provide network address translation via NAT/PAT/NAPT.
An NGFW is a cutting-edge, high-performance gateway security appliance that provides state-of-the-art firewalling, intrusion prevention, and application visibility and control
Proxy (ALG)
Client communicates with the proxy (or the proxy intercepts transparently)
Proxy initiates a separate session to the server (client & server never directly connect)
Isolates the client from the server
To the client, the proxy is the server
To the server, the proxy is the client
The proxy doesn’t relay anything that doesn’t fall within the guidelines for the protocol being proxied
More secure than packet filtering
A firewall can be either a hardware device or software running on a secure computer
Based on its type, a firewall can protect a single computer as well as an entire organization’s network.
An attacker places himself between two hosts sending traffic
All traffic between the two hosts is routed to the attacker. The attacker can then read or change any of the information before sending it on to the receiving host
Domains and workgroups are built on some type of trust. When access control decisions are made (whether based on an IP address, source port, password, username, or digital signature), the software making the access decision trusts that the data being handed to it for authentication purposes is somehow trustworthy. It really does not have any other choice.

This type of required trust has been taken advantage of in many cases, and used for malicious purposes.

It is important to understand how these trusts can be compromised and how to counteract them.

DNS Attacks

Man-in-the-Middle Attacks

IP Spoofing Attacks

MAC Flooding Attacks

This layer is responsible for how data is represented and formatted for the user before it is sent out onto the network
The packet filtering router (screening router) drops all unauthorized protocols and prevents spoofed packets with fraudulent internal addresses from entering DMZ from the outside.
This layer is responsible for ensuring error-free data and provides reliability, flow control, multiplexing and connection-oriented data streams
A VPN is a private network created within a public network infrastructure, such as the global Internet
It gives users the ability to create a secure connection over the Internet and access the private network remotely from their system as if they were on-site
The idea behind bastion hosts is that they are the organization’s presence on the Internet; they interface with untrusted networks.
It should be assumed that bastion hosts will be compromised and that their access to the internal/trusted network should be limited.
Bastion hosts should be additionally hardened and monitored.
Security Zones: Logical container for physical Interfaces, VLANs, IP addresses or a combination thereof
Egress Filters
Zombie Zapper
Patches & Updates
IDSs
Harden systems
Chart: how long DDoS attacks lasted in 2012
Over 1 week: 13%
3-7 days: 7%
1-2 days: 17%
Less than 1 day: 63%
1/3 of attacks last more than 24 hours
Routers have 4 main network security functions:

Routers protect themselves from attacks by external intruders

The OSI model is divided into 7 layers, each with a different function and tasks assigned to it, so the layers can be implemented independently
It is used for designing a flexible and robust network architecture and to ensure compatibility
OSI = Open Systems Interconnection. “Open” means the concepts are non-proprietary; can be used by anyone
A framework that defines how data flows from one computer, through a network, to another computer
Strict control of traffic: “Who needs to talk to whom?”
e.g., buffer overflows, Denial-of-Service attacks, etc.

NFS, NIS, rsh, etc.
Impossible to be sure OS is 100% secure
May want to run "insecure" services!
Easy way to protect the entire LAN
Protects network from misconfigured machines
In this mechanism, the IDS analyzes the system’s behavior and triggers an alarm if it finds something suspicious
Security Policy
Enterprise Network Security
Application Security
Restrictive
02. Restrictive model
If data is not received properly, the data link layer requests its retransmission
It handles media access control, flow control, and error detection and correction of data.
This layer divides the data into packets
Layer 1: Physical Layer
During the early phase of the computer era, few standards and protocols existed between the various computer vendors and manufacturers.
With time, computer technology continued to improve and became widespread
Interoperability became an issue, so network standards were required to ensure compatibility
The OSI model was introduced in 1978 and revised in 1984 by the International Organization for Standardization (ISO)
Why
What happens when the host gets compromised?
Deployment is expensive
Less volume of traffic so less overhead
More accurate than NIDS
Can analyze audit-trails, logs, integrity of files and directories, etc.
Runs on single host
Disadvantages
Advantages
Characteristics
A Virtual Private Network (VPN) is a network where packets that are internal to a private network travel across a public network.
VPN Traffic is encrypted, integrity protected, and encapsulated into new packets that are sent across the internet.
Virtual Private Network
Keyword List
Exploits a security vulnerability occurring in the database layer of an application.

An application is vulnerable to SQL injection if it does not properly filter user input for string literal escape characters embedded in SQL statements, or does not otherwise enforce the integrity of the data it accepts.
In general, there are two kinds of countermeasures for MITM (Man-in-the-middle) and ARP spoofing: prevention and detection.
Static ARP Table
Add a static entry to your ARP table, either for each host or at least for the most sensitive ones, so that it cannot be modified by an ARP reply.
Syntax for a static entry in the ARP table:
arp -s IP_ADDRESS MAC_ADDRESS

To be effective, the network security policy must:
State acceptable risk
Outline roles and responsibilities
Be supported by all stakeholders
Be clear and concise
Be developed with consensus
Be supported by standards, guidelines and procedures
Be reviewed annually or as changes occur
Be implementable and enforceable
With the advent of personal computers, LANs, and the wide-open world of the Internet, the networks of today are more open.
More complex and granular control over traffic
Multiple tiers of security
Source: Symantec

Top Ten Industries Attacked in 2012

Event Management
(Logging and Monitoring)

Intrusion Detection System

Firewalls & VPN

Network Security Policy

Routers

In this example ARP spoof attack, a hacker sends an ARP reply to a host’s ARP request for a server. The hacker falsely claims to be that server, tying their own MAC address to an IP address owned by another device. The bogus ARP message also adds an entry to the switch’s ARP table. When a message arrives for the device, MAC ‘B’ in the example, this bogus ARP entry diverts it to MAC ‘C’.
ARP Spoof Attack
Source: Symantec

Targeted Attacks Per Day In 2012

Physical Layer
Data Link Layer
Network Layer
Transport Layer
Session Layer
Presentation Layer
Application Layer
The Seven Layers of OSI
(Diagram: DirectAccess client traffic to a DirectAccess server or UAG, and Internet traffic to an Internet server)
Intranet
It is defined as a logical TCP/IP network within an organization’s internal network
It is a global, public TCP/IP network
Global Network - Internet
OSI Model
OSI Model Background
OSI Layers
This layer deals with data transmission, reception, encoding and signaling
Layer 2: Data Link Layer
OSI Layers
Layer 3: Network Layer
This layer performs the packet forwarding which includes routing
Layer 4: Transport Layer
It provides an end-to-end logical addressing system for data packets routed across several layer 2 networks
OSI Layers
Layer 5: Session Layer
This layer is responsible for establishing, managing and terminating sessions between two parties i.e. end-users or application processes
Layer 6: Presentation Layer
OSI Layers
Layer 7: Application Layer
This is the top-most layer of the OSI model, reserved for communication protocols.
This is what the user sees: the data the user views, such as a web browser or a Word document.
Most Targeted OSI Layer
It provides an easy path for an attacker to penetrate the target infrastructure, as application traffic is difficult to filter and protect.
It is very difficult to differentiate between legitimate and illegitimate application layer traffic (e.g. a request carrying a SQL injection query).
Vulnerabilities include:
Cross-site scripting, SQL injection, command injection, buffer overflow, DoS attacks, cookie/session poisoning, etc.
Application Layer Threats
Cookie/Session Poisoning
Cross-Site Scripting
Buffer Overflow
Command Injection
SQL Injection
Zero-day Attack

Application Layer Threats
SQL Injection
The attacker submits an email value that closes the string literal, appends a second statement and comments out the rest, so the application’s query becomes:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members ('email','passwd','login_id','full_name') VALUES ('bob@acme.net','hello','bob','Bob White');--';
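The injected query above, reproduced as an added example (not code from the presentation) in Python with an in-memory SQLite database and constructed sample data: the string-concatenated lookup executes the attacker's appended INSERT, while the parameterised lookup treats the same input as a plain string. The column list is written unquoted and executescript stands in for a driver that runs stacked statements; both are assumptions of this example.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample schema and data (not from the presentation).
SCHEMA = """
CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
INSERT INTO members VALUES ('alice@acme.net', 's3cret', 'alice', 'Alice Smith');
"""

# The attacker-supplied "email" value behind the slide's example: it closes the
# string literal, appends a second statement, and comments out the trailing quote.
INJECTED_EMAIL = (
    "x'; INSERT INTO members (email, passwd, login_id, full_name) "
    "VALUES ('bob@acme.net','hello','bob','Bob White');--"
)


def build_query_vulnerable(email: str) -> str:
    """String concatenation: whatever the user typed becomes part of the SQL text."""
    return ("SELECT email, passwd, login_id, full_name FROM members "
            "WHERE email = '" + email + "'")


def lookup_member_vulnerable(conn: sqlite3.Connection, email: str) -> None:
    # executescript runs every statement in the string (assumed here to model a
    # driver that allows stacked statements), so the attacker's INSERT runs too.
    conn.executescript(build_query_vulnerable(email))


def lookup_member_safe(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Parameterised query: the value travels separately from the SQL text, so the
    quote and semicolon in the input are just characters inside a string literal."""
    cur = conn.execute(
        "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?",
        (email,),
    )
    return cur.fetchall()


def count_members(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM members").fetchone()[0]


def demo() -> dict:
    """Run both lookups against the injected input and record their side effects."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    result = {"before": count_members(conn)}
    lookup_member_vulnerable(conn, INJECTED_EMAIL)
    result["after_vulnerable"] = count_members(conn)   # a row for "bob" now exists
    result["safe_rows"] = lookup_member_safe(conn, INJECTED_EMAIL)
    result["after_safe"] = count_members(conn)         # unchanged by the safe lookup
    result["legit_rows"] = lookup_member_safe(conn, "alice@acme.net")
    conn.close()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```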
Application Layer Threats
Application Layer Threats
Zero-day attacks occur between the time a threat is released and the time security vendors release patches.
Application Layer Threats
Attackers make use of JavaScript, VBScript, ActiveX, HTML, or FLASH in vulnerable applications to fool the users into submitting data.
The data is usually gathered in the form of a hyperlink which contains malicious content within it.
The attacker encodes the malicious part in HEX to lower suspicion.

Application Layer Threats
The information gained is used to create new accounts or gain access to existing accounts.
Application Layer Threats
Application Layer Threats
Different Types of Computer Networks
Different Types of Computer Networks
Extranet
It is defined as a private TCP/IP network that is accessed by users outside the organization such as 3rd party partners. This network is not publicly accessible
Internet
Different Types of Computer Networks
Virtual Private Network (VPN)

What is Network Security?
Why Network Security?
To protect assets
Historically done through physical security and closed networks

Today’s Network
Open Network
Objectives of Network Security
Principles of Network Security
Least Privilege
Defense-in-Depth
Do not rely on a single security solution; instead, have multiple overlapping security controls that back each other up in case of failure
Only allow the access that is legitimately required for authorized purposes
Principles of Network Security
Principles of Network Security
Network Security Models
03. Closed model
01. Open model
Closed
Open
Open Model
Combination of specific permissions and specific restrictions
Restricted Model
That which is not explicitly permitted is denied
Closed Model
Network Security Breaches
Network Security Breaches
Network Security Breaches
Network Security Threats
Network Security Threats
Network Security Threats
Network Security Threats
DDoS Attacks
DDoS Attacks
DDoS Attacks
How big were DDoS attacks in 2012?
Source: Global DDOS attack report, 2012


DDoS Attacks
How long did DDoS attacks last?
Source: Global DDOS attack report, 2012
DDoS Attacks
What kind of DDoS protection was used?
Source: Global DDOS attack report, 2012
DDoS Attacks
DDoS Defenses
DDoS Defenses
Network Security Risks
Types of Network Attacks
MAC Flooding
MAC Flooding Attack
CAM Flow Attack
MAC Flooding Tool: Macof
MAC Flooding Tool: Macof
Spoofing
IP Spoofing
ARP Spoofing Attack
ARP Spoofing Attacks
Man-in-the-Middle (MiTM) Attack
Man In The Middle - ARP Poisoning
Man In The Middle - ARP Poisoning
MITM & ARP Spoofing Countermeasures
Prevention
Detection
Prevention
MITM & ARP Spoofing Countermeasures
ARP Filtering
Detection
Another prevention technique is to filter ARP packets based on different parameters (e.g. source and destination).
An Intrusion Detection System is another solution for ARP spoofing
MITM & ARP Spoofing Countermeasures
The following rules can be set against ARP spoofing and MITM:
1. Check whether a system sends an unsolicited ARP reply
2. Check that each IP address has a unique MAC address in the Local Area Network (LAN)
3. Check that the sender MAC address of an ARP reply coming from a critical system matches the proper MAC address
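The three rules above implemented as an added example (not the presentation's code) in Python over constructed ARP traffic that mirrors the slide's scenario (server MAC 'B', attacker MAC 'C'); the critical-hosts table, the addresses and the rule names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    op: str           # "request" or "reply"
    sender_ip: str    # the IP-to-MAC binding the sender asserts
    sender_mac: str
    target_ip: str    # the host being asked (request) or answered (reply)


# Hypothetical table of critical systems and the MAC each is known to own.
CRITICAL_HOSTS = {"192.168.1.10": "aa:bb:cc:00:00:0b"}   # the file server


class ArpSpoofDetector:
    def __init__(self, critical_hosts: Dict[str, str]):
        self.critical = {ip: mac.lower() for ip, mac in critical_hosts.items()}
        self.pending: Set[Tuple[str, str]] = set()   # (requester_ip, queried_ip)
        self.table: Dict[str, str] = {}              # first-seen IP -> MAC binding

    def process(self, pkt: ArpPacket) -> List[str]:
        """Return the names of the rules the packet violates (empty if none)."""
        alerts: List[str] = []
        mac = pkt.sender_mac.lower()
        if pkt.op == "request":
            self.pending.add((pkt.sender_ip, pkt.target_ip))
        else:
            # Rule 1: a reply that answers no outstanding request is unsolicited.
            key = (pkt.target_ip, pkt.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                alerts.append("unsolicited-reply")
            # Rule 3: a reply claiming to be a critical system must carry its known MAC.
            expected = self.critical.get(pkt.sender_ip)
            if expected is not None and expected != mac:
                alerts.append("critical-mac-mismatch")
        # Rule 2: one IP, one MAC. Requests carry a sender binding too (gratuitous
        # ARP), so this applies to both opcodes. The first-seen binding is kept so a
        # later conflicting claim does not silently overwrite it.
        prev = self.table.setdefault(pkt.sender_ip, mac)
        if prev != mac:
            alerts.append("ip-mac-conflict")
        return alerts


# Constructed sample traffic (hypothetical addresses).
SAMPLE_TRAFFIC = [
    # A workstation asks for the server's MAC and the real server answers.
    ArpPacket("request", "192.168.1.20", "aa:bb:cc:00:00:14", "192.168.1.10"),
    ArpPacket("reply", "192.168.1.10", "aa:bb:cc:00:00:0b", "192.168.1.20"),
    # An unsolicited reply claims the server's IP with a different MAC ('C').
    ArpPacket("reply", "192.168.1.10", "aa:bb:cc:00:00:0c", "192.168.1.20"),
    # A gratuitous request repeating the bogus binding.
    ArpPacket("request", "192.168.1.10", "aa:bb:cc:00:00:0c", "192.168.1.10"),
]


def run_sample() -> List[List[str]]:
    """Alerts raised for each packet of the sample traffic, in order."""
    det = ArpSpoofDetector(CRITICAL_HOSTS)
    return [det.process(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for pkt, alerts in zip(SAMPLE_TRAFFIC, run_sample()):
        print(pkt.op, pkt.sender_ip, pkt.sender_mac, "->", alerts or "ok")
```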
DNS Attacks
DNS stands for Domain Name System and it is used to resolve domain names to IP addresses and vice versa. A DNS server will listen on UDP port 53 for name resolution queries and TCP port 53 for zone transfers which are conducted most typically by other DNS servers
DNS servers have been attacked and compromised using a number of techniques
Examples include:
Buffer overflow attacks to gain command level access on the DNS server or to modify zone files
Information Disclosure attacks such as zone transfers and obtaining version information
Cache poisoning attacks, whereby the cache of the DNS server is deliberately contaminated by an attacker. This is done using DNS transaction ID prediction or recursive queries
DNS Poisoning Techniques
DNS Poisoning Techniques

Acting as a device on the same internal network
Acting as a device on the internet
Modifying the DNS entries on a proxy server so the user is redirected to a different host system
Modifying the DNS entries on any system so the user is redirected to a different host
Layered Approach to Network Security
Network Security Policy
Preventive and Detective Policy
Network Security Policy
Network Security Policy
Network Security Policy
Router
Router
Router
Routing and Filtering
A network packet arrives at router interface A. The router connects 5 networks, so there are four other interfaces on the router
Should the packet be allowed to pass through the router or should it be blocked?
Which interface should the packet be sent through to reach its destination?
What is the next router it should send the packet to?
These are routing decisions.
Example
Routing and Filtering
Role of Router in Network Security
Role of Router in Network Security
Routers provide logging, which enables timely detection of intrusion attempts

Routers transfer all network traffic through a firewall or along a safe path into the network
Routers – Network Security Context - Topology
Router Security Risk
It is necessary to understand some of the ways the router can be attacked over the network
Common router security risks are:
Hardening Routers
Perimeter Security Firewall and VPN
Firewalls
Firewalls
Why Do I Need A Firewall
Security Zones
Main Firewall Types
Application Layer Gateway (Proxy) – Generation 2
Stateful Inspection Engine – Generation 3
Hybrid
Next Generation Firewalls
Packet Filters: Generation 1
Packet Filter
Access Control
To ensure authorized user access

To prevent unauthorized access to systems and services
To enable the assignment of access rights, a formal user registration and de-registration process should be in place and implemented
Access Control
User Responsibilities
Access Control
System and Application Access Control:
Access Control List (ACL)
IP Based ACL
IP & Port Based ACL
Application Layer Gateways: Generation 2
Highly intelligent and service-specific, but slower and more resource-intensive than a packet filter
ALGs understand the language of the protocol they are designed for. For example, an HTTP proxy will speak HTTP and know whether or not an incoming HTTP GET request is formatted correctly or whether it is junk designed to confuse the HTTP daemon/server.
A separate ALG service is required for each proxied service (one for FTP, one for HTTP, one for Telnet and so on). They may all exist on the same machine.
AKA “Deep Packet Inspection”
ALGs (Proxies)
Stateful Inspection Engine: Generation 3
Stateful Inspection Engine (Dynamic Packet Filter)
Keeps a state-table which records outgoing requests and dynamically opens a hole through the firewall for the response

Won’t allow any incoming traffic from external hosts unless an internal host initiates communication with an external host first

Looks at the first packet in a “conversation” and decides to allow or deny the whole stream

Once considered a compromise between packet filter performance and ALG performance
Stateful Packet Inspection
Hybrid
Combines packet filtering, with ALGs and stateful inspection of traffic

Can route certain traffic to ALG services for proxying, while others are forwarded or dropped

Describes most firewall products in the market today
Application Firewall
Next Generation Firewall (NGFW)
Why NGFW?
Who is NGFW for?
Firewall Architecture
Host-based
Network-based
DMZs
Screened subnets
Bastion hosts
Host-Based Firewall
Windows Firewall
Forefront Threat Management Gateway (TMG)
Formerly Microsoft ISA server
TCP Wrappers (“Sort of” an FW, Ingress filtering only)
IP Chains/IPFW (old), now called IP Tables/NetFilter
PF (OpenBSD)
Symantec Personal FW
Tiny Personal FW
Black Ice
Zone Alarm, etc.
Network-Based Firewall
Some have been designed around switching at Layer 2
DMZ (Demilitarized Zone)
In this configuration, the firewall is connected to 3 or more subnets: The trusted internal network, the untrusted external network and the DMZ semi-trusted network.
DMZ Screened Subnet
Back-to-Back Firewalls
Bastion Hosts
Control Traffic Flow
Ex: If the DNS server never needs to initiate communication to the web server, then the web server should deny all traffic originating from it.
Ex: The web server may need to talk to the internal database server, but the mail and DNS servers shouldn’t ever need to. If that’s the case, then such traffic flows shouldn’t be permitted.
This might best be accomplished by a combination of network- and host-based firewalls, as well as strategically placed proxies.
Bastion Hosts
Multiple DMZs
Firewall Vulnerabilities
Misconfigured Firewall
Virtual Private Network (VPN)
How VPN Works?
Intrusion Detection System
Intrusion Detection System
Intrusion Detection System
Intrusion Prevention System
Types of IDS
Host-based
Network-based
Distributed
Anomaly-based
Signature-based
False Positives: error when reporting on insignificant events
False Negatives: error by not reporting significant events
Types of IDS
Host-based IDS
Network-based IDS
Different hosts process packets differently
Fail Open
Disadvantages
Unobtrusive
Easy deployment
Advantages
A network-based IDS examines data packets on the network passively and triggers alerts
Characteristics
Difficult to evade if done at low level of network operation
Network-based IDS
A NIDS needs to reconstruct the traffic as it is seen at the end host
It needs to know the complete network topology and the complete host behavior
Distributed IDS

Most organizations are moving to this type.
DIDSs take advantage of both technologies.
The advent of correlation technologies has reduced the number of false positives a little. NO SILVER BULLET HERE!
Signature-Based IDS
Cannot detect attacks for which it has no signature
Disadvantages
Fairly fast
Widely available
Advantages
Uses known pattern matching to signify attack
Characteristics
Easy to implement
Easy to update
Anomaly-based IDS
It uses a statistical model to characterize normal usage behavior
Characteristics
It can detect attempts to exploit new and unexpected vulnerabilities
Advantages
It can recognize anomalous traffic patterns that fall outside the normal pattern
It flags patterns that deviate from normal as potential intrusions
Anomaly-based IDS
They are generally slower and more resource-intensive than signature-based IDS
Disadvantages
Greater complexity, difficult to configure
Higher percentage of false alerts
Event Management Logging and Monitoring
Logging and Monitoring
Event Monitoring
Network Events
Network Events
Host Level Events
User Events
Directory and File Events
Summary
Network security policies and procedures should be defined to establish an overall framework for how intrusions are to be handled.

The combined use of security tools such as firewalls, IDS and authentication mechanisms proves effective in guarding intellectual property

Routers play an important part in providing network security through safe routing, filtering, hardening, and logging
Next generation firewalls are now emerging and dominating the market, providing cutting-edge application visibility controls for most organizations
Deploy several intrusion detection systems, considering both network and host based intrusion detection devices, to cover multiple areas of potential attack
Monitor and inspect network traffic, connections, system resources, process utilization, user accounts and verify file and data integrity
The network security field may have to evolve more rapidly to deal with the ever-evolving threats of the future