CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 - PowerPoint PPT Presentation

  1. CSE 543 - Computer Security, Lecture 20 - Firewalls, November 8, 2007
     URL: http://www.cse.psu.edu/~tjaeger/cse543-f07
     CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger

  2. Midterm
     • Grades (High is 83)
       • 77-94 -- A (4)
       • 71-75 -- B+/A- (7)
       • 64-69 -- B+/B (13)
       • 56-61 -- B/B- (7)
       • 54-55 -- C+ (2)
       • <50 -- D/F (2)
     • Impact
       • 20% of grade
       • Project and final to go -- more than 50% of grade

  3. Some Questions
     • First 14: general basic concepts, or lookup in slides or papers
       • Generally good
       • All were answered correctly by multiple people (Windows and TOCTTOU in Janus)
     • Questions 15-18
       • Generally good
       • 17: weak capability
       • 18: IDs in messages
     • Constructions
       • Where points were lost

  4. Questions 19-21
     • Capability and Crypto
       • E(K, obj+rights), HMAC(K, obj+rights)
       • E(K+, obj+rights), S(K-, obj+rights)
     • DH and Info Flow
       • DH was better
       • Info Flow -- not so prepared
     • Multics
       • Better than the other two
       • Main problem: ring of user shell vs. ring of passwd

  5. Network Security …
     • This is a poorly understood engineering discipline.
     • The following looks at the application of tools …

  6. Network security: the high bits
     • The network is …
       • … a collection of interconnected computers
       • … with resources that must be protected
       • … from unwanted inspection or modification
       • … while maintaining adequate quality of service.
     • Another way of seeing network security is
       • Securing the network infrastructure such that the integrity, confidentiality, and availability of the resources are maintained.
     • Q: How do we do this?

  7. The network …
     [figure: Internet connected through the perimeter/edge to a LAN with a server, hosts/desktops, and remote hosts/servers]

  8. The big picture …
     • Internet Protocol (IP)
       • Really refers to a whole collection of protocols making up the vast majority of the Internet
     • Routing
       • How these packets move from place to place
     • Network management
       • Administrators have to maintain the services and infrastructure supporting everyone’s daily activities

  9. Network security – the tools …
     • Filtering
       • Firewalls
     • Communication security and services
       • DNSsec, IPsec, SSH, ...
     • Isolation
       • VPNs, VLANs
     • Detection and mitigation
       • Intrusion detection
       • DDOS tools

  10. Filtering: the threats
     • Adversary 1: some external network entity attempting to gain access to internal resources
     • Adversary 2: some internal, but malicious, entity (or software) trying to expose sensitive data
     • Adversary 3: some internal or external entity that is preventing access to internal resources (DOS)

  11. Filtering: Firewalls
     • Filtering traffic based on policy
       • Policy determines what is acceptable traffic
       • Access control over traffic: accept or deny
     • May perform other duties
       • Logging (forensics, SLA)
       • Flagging (intrusion detection)
       • QoS (differentiated services)
     [figure: the firewall shown against the Application, Network, and Link layers]

  12. Firewall Policy
     • Specifies what traffic is (not) allowed
     • Maps attributes to addresses and ports
     • Example: HTTP should be allowed to any external host, but inbound only to the web server

  13. xListing
     • Blacklisting - specifying specific connectivity that is explicitly disallowed
       • E.g., prevent connections from badguys.com
     • Whitelisting - specifying specific connectivity that is explicitly allowed
       • E.g., allow connections from goodguys.com
     • This is useful for IP filtering, SPAM mitigation, …
     • Q: What access control policies do these represent?

  14. Stateful, Proxy, and Transparent
     • A single packet contains insufficient data to make an access control decision
     • State allows historical context to be considered
       • Firewall collects data over time
       • E.g., a TCP packet is part of an established session
     • Firewalls can affect network traffic
       • Transparent: appears as a single router (network)
       • Proxy: receives, interprets, and reinitiates communication (application)
       • Transparent is good for speed (routers), proxies are good for complex state (applications)

  15. DMZ (De-militarized Zone)
     [figure: Internet, a DMZ holding the servers, and the internal LAN, separated by firewalls]

  16. Practical Issues and Limitations
     • Network layer firewalls are dominant
     • DMZs allow multi-tiered firewalling
     • Tools are widely available and mature
     • Personal firewalls gaining popularity
     • Issues
       • Network perimeters not quite as clear as before
         • E.g., telecommuters, VPNs, wireless, …
       • Every access point must be protected
         • E.g., this is why war-dialing is effective
       • Hard to debug, maintain consistency and correctness
       • Often seen by non-security personnel as an impediment
         • E.g., "Just open port X so I can use my wonder widget …"
       • SOAP - why is this protocol an issue?

  17. Wool’s Firewall Study
     • What is the purpose of this study?

  18. Interesting tid-bits from the Wool study
     • 12 error classes
       • No default policy, automatic broad tools
       • NetBIOS (the very use of the Win protocol deemed an error)
       • Portmapper protocols
       • Use of “any” wildcards
       • Lack of egress rules
     • Interesting questions:
       • Is the violation of Wool’s errors really a problem?
       • “DNS attack” comment?
       • Why do you think more expensive firewalls had a higher occurrence of errors?
     • Take away: configurations are bad
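Several of the error classes on this slide can be checked mechanically from a rule set. The following is an added example (not from the lecture or from Wool's paper): a small Python auditor over a constructed iptables-style rule set that flags a missing default-deny policy, an empty OUTPUT (egress) chain, permissive "any" wildcards, and inbound NetBIOS (137-139, 445) or portmapper (111) rules; the rule format and the exact heuristics are this example's own.

```python
# NetBIOS over TCP/IP (137-139) and SMB (445); ONC RPC portmapper (111).
NETBIOS_PORTS = {137, 138, 139, 445}
PORTMAPPER_PORT = 111
INBOUND_CHAINS = ("INPUT", "FORWARD")   # chains that see traffic arriving from outside

def describe(r):
    return f'{r["chain"]} {r["proto"]} {r["src"]} -> {r["dst"]}:{r["dport"]} {r["target"]}'

def audit(ruleset):
    """Return (error_class, detail) findings for the error classes named on the slide.

    ruleset = {"policy": {chain: "ACCEPT" | "DROP"}, "rules": [rule, ...]}, where a rule
    is a dict with chain, src, dst, proto, dport and target; "any" marks a wildcard field.
    """
    findings = []
    rules = ruleset["rules"]
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        # iptables chains default to ACCEPT, so an unset policy is the "no default policy" error
        if ruleset["policy"].get(chain, "ACCEPT") != "DROP":
            findings.append(("no default deny policy", chain))
    if not any(r["chain"] == "OUTPUT" for r in rules):
        findings.append(("lack of egress rules", "OUTPUT chain has no rules"))
    for r in rules:
        if r["target"] != "ACCEPT":
            continue  # only permissive rules widen exposure
        if r["src"] == "any" and (r["dst"] == "any" or r["dport"] == "any"):
            findings.append(("any wildcards", describe(r)))
        if r["chain"] in INBOUND_CHAINS and r["dport"] in NETBIOS_PORTS:
            findings.append(("NetBIOS allowed inbound", describe(r)))
        if r["chain"] in INBOUND_CHAINS and r["dport"] == PORTMAPPER_PORT:
            findings.append(("portmapper allowed inbound", describe(r)))
    return findings

def error_classes(ruleset):
    """Distinct error classes present, for a pass/fail summary."""
    return sorted({cls for cls, _ in audit(ruleset)})

# Constructed rule set in the "just open port X" style slide 16 complains about.
SAMPLE = {
    "policy": {"INPUT": "ACCEPT", "FORWARD": "DROP", "OUTPUT": "ACCEPT"},
    "rules": [
        {"chain": "INPUT", "src": "any", "dst": "192.0.2.10", "proto": "tcp", "dport": 80, "target": "ACCEPT"},
        {"chain": "INPUT", "src": "any", "dst": "any", "proto": "tcp", "dport": 139, "target": "ACCEPT"},
        {"chain": "FORWARD", "src": "any", "dst": "192.0.2.20", "proto": "tcp", "dport": 111, "target": "ACCEPT"},
        {"chain": "FORWARD", "src": "any", "dst": "any", "proto": "any", "dport": "any", "target": "ACCEPT"},
    ],
}
```

Running `audit(SAMPLE)` yields seven findings across five of the slide's error classes; a rule set with DROP policies on all three chains and at least one OUTPUT rule produces none.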

  19. Practical Firewall Implementations
     • Primary task is to filter packets
       – But systems and requirements are complex
     • Consider
       – All the protocols and services
       – Stateless vs. stateful firewalls
       – Network function: NAT, forwarding, etc.
     • Practical implementation: Linux iptables
       – http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
       – http://linux.web.cern.ch/linux/scientific3/docs/rhel-rg-en-3/ch-iptables.html
     CSE497b Introduction to Computer (and Network) Security - Spring 2007 - Professor Jaeger

  20. Netfilter hooks
     • Series of hooks in the Linux network protocol stack
     • At each Netfilter hook
       – An iptables rule set is evaluated
     • Hook placements
       [figure: Preroute, Routing, Forward, Postroute, Input, Output]

  21. iptables Concepts
     • Table
       – All the firewall rules
     • Chain
       – List of rules associated with the chain identifier
       – E.g., hook name
     • Match
       – When all of a rule’s fields match the packet (protocol-specific)
     • Target
       – Operation to execute on a packet given a match
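As an added example (not code from the lecture or from netfilter), this Python model applies the chain/match/target vocabulary of this slide to slide 12's policy (HTTP out to any host, inbound only to the web server) together with slide 14's stateful "part of an established session" match. The addresses (RFC 5737 TEST-NET-1), the single FORWARD chain with a DROP default, and the Packet and Rule types are the example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (RFC 5737 TEST-NET-1): the internal LAN and its web server.
LAN = ip_network("192.0.2.0/24")
WEB_SERVER = ip_address("192.0.2.10")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port, 0 when the protocol has none
    state: str = "NEW"  # connection tracker's view: NEW or ESTABLISHED (slide 14)

@dataclass(frozen=True)
class Rule:
    target: str                   # operation on match (slide 21): ACCEPT or DROP
    src: Optional[str] = None     # CIDR; None means "any" for every field below
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only when every field it specifies matches the packet."""
        return all([
            self.src is None or ip_address(pkt.src) in ip_network(self.src),
            self.dst is None or ip_address(pkt.dst) in ip_network(self.dst),
            self.proto is None or self.proto == pkt.proto,
            self.dport is None or self.dport == pkt.dport,
            self.state is None or self.state == pkt.state,
        ])

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides; otherwise the chain's default policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# FORWARD chain of a firewall between the LAN and the Internet (slide 12's policy).
FORWARD = [
    Rule("ACCEPT", state="ESTABLISHED"),                            # replies to tracked sessions
    Rule("ACCEPT", src=str(LAN), proto="tcp", dport=80),            # HTTP out to any host
    Rule("ACCEPT", dst=f"{WEB_SERVER}/32", proto="tcp", dport=80),  # HTTP in, web server only
]
```

Without the ESTABLISHED rule, the replies to an internal client's outbound HTTP request (external source, high destination port) would fall through to the DROP policy, which is the case that makes a stateless filter either break HTTP or require a broad "any" rule.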

  22. iptables Commands
     • iptables [-t <table_name>] <cmd> <chain> <plist>
     • Commands
       – Append a rule to the end of a chain, or insert it at a specific location
       – Delete a specific rule in a chain
       – Flush a chain
       – List a chain
       – Create a new user-specified chain
       – Replace a rule

  23. Test it out
     • PING on localhost
       – ping -c 1 127.0.0.1
     • Add an iptables rule to block it
       – iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
     • Try ping
     • Delete the rule (by rule number, by specification, or by flushing the chain)
       – iptables -D INPUT 1
       – iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
       – iptables -F INPUT

  24. Testing
     • Use loopback to test the rules locally on your machine
       – IP address 127.0.0.1
     • ICMP
       – Submit ping requests to 127.0.0.1 as above
     • TCP
       – Submit requests to 127.0.0.1 at a specific port
       – Server: nc -l -p 3750
         • Listen at port 3750
       – Client: nc -p 3000 localhost 3750
         • Send from port 3000 to localhost at port 3750

  25. iptables Rule Parameters
     • Destination/Source
       – IP address range and netmask
     • Protocol of packet
       – ICMP, TCP, etc.
     • Fragmented only
     • Incoming/outgoing interface
     • Target on rule match

  26. Per Protocol Options
     • Specialized matching options for rules
       – Specific to protocol
     • TCP
       – Source/destination ports
       – SYN
       – TCP flags
