Computer Security CSE 543
This 0 page Class Notes was uploaded by Libby Kuhlman on Sunday November 1, 2015. The Class Notes belongs to CSE 543 at Pennsylvania State University taught by Staff in Fall. Since its upload, it has received 22 views. For similar materials see /class/233115/cse-543-pennsylvania-state-university in Computer Science and Engineering at Pennsylvania State University.
Date Created: 11/01/15
CSE 543 Computer Security, Lecture 20: Firewalls (November 8, 2007)
CSE543 Computer and Network Security, Fall 2007, Professor Jaeger
URL: http://www.cse.psu.edu/~tjaeger/cse543-f07

Midterm
- Grades (high is 83):
    Score   Grade   Count
    77-94   A       4
    71-75   BA      7
    64-69   BB      13
    56-61   BB      7
    54-55   C       2
    <50     DF      2
- Impact: 20% of grade
- Project and final to go: more than 50% of grade

Some Questions
- First 14: general basic concepts, or lookup in slides or papers
  - Generally good
  - All were answered correctly by multiple people
- Windows and TOCTTOU in Janus: questions 15-18
  - Generally good
  - 17: weak capability
  - 18: IDs in messages
  - Constructions: where points were lost

Questions 19-21
- Capability and crypto
  - E_K(obj, rights), HMAC_K(obj, rights)
  - E_K(obj, rights), S_K(obj, rights)
- DH and info flow
  - DH was better
  - Info flow: not so prepared
- Multics
  - Better than the other two
  - Main problem: ring of user shell vs. ring of passwd

Network Security
- This is a poorly understood engineering discipline
  [Figure: mesh plot]
- The following looks at the application of tools

Network security: the high bits
- The network is
  - a collection of interconnected computers
  - with resources that must be protected
  - from unwanted inspection or modification
  - while maintaining adequate quality of service
- Another way of seeing network security is: securing the network infrastructure such that the integrity, confidentiality and availability of the resources is maintained
- Q: How do we do this?

The network
[Figure: remote hosts, servers, hosts, desktops]

The big picture
- Internet Protocol (IP)
  - Really refers to a whole collection of protocols making up the vast majority of the Internet
- Routing
  - How these packets move from place to place
- Network management
  - Administrators have to maintain the services and infrastructure supporting everyone's daily activities

Network security: the tools
- Filtering: firewalls
- Communication security and services: DNSsec, IPsec, SSH
- Isolation: VPNs, VLANs
- Detection and mitigation: intrusion detection, DDoS tools

Filtering: the threats
- Adversary 1: some external network entity attempting to gain access to internal resources
- Adversary 2: some internal but malicious entity or software trying to expose sensitive data
- Adversary 3: some internal or external entity that is preventing access to internal resources (DoS)

Filtering: Firewalls
- Filtering traffic based on policy
  - Policy determines what is acceptable traffic
  - Access control over traffic: accept or deny
- May perform other duties
  - Logging: forensics, SLA
  - Flagging: intrusion detection
  - QoS: differentiated services
  [Figure: application layer and network layer firewalls]

Firewall Policy
- Specifies what traffic is not allowed
- Maps attributes to addresses and ports
- Example: HTTP should be allowed to any external host, but inbound only to the webserver

    Source             Destination          Protocol  Flags  Action
    Address   Port     Address    Port
    *         *        1.1.1.1    80       TCP       SYN    Accept
    1.1.1.*   *        *          80       TCP       SYN    Accept
    *         80       *          *        TCP              Accept
    *         *        *          *        TCP              Deny

x-Listing
- Blacklisting: specifying specific connectivity that is explicitly disallowed
  - E.g., prevent connections from badguys.com
- Whitelisting: specifying specific connectivity that is explicitly allowed
  - E.g., allow connections from goodguys.com
- These are useful for IP filtering, SPAM mitigation
- Q: What access control policies do these represent?

Stateful, Proxy and Transparent
- A single packet contains insufficient data to make an access control decision
  - State allows historical context to be considered
  - The firewall collects data over time
  - E.g., a TCP packet is part of an established session
- Firewalls can affect network traffic
  - Transparent: appear as a single router (network)
  - Proxy: receives, interprets and reinitiates communication (application)
  - Transparent is good for speed (routers); proxies are good for complex state (applications)

DMZ (Demilitarized Zone)
[Figure: servers, Internet]

Practical Issues and Limitations
- Network layer firewalls are dominant
  - DMZs allow multi-tiered firewalling
  - Tools are widely available and mature
  - Personal firewalls gaining popularity
- Issues
  - Network perimeters not quite as clear as before
    - E.g., telecommuters, VPNs, wireless
  - Every access point must be protected
    - E.g., this is why wardialing is effective
  - Hard to debug, maintain consistency and correctness
  - Often seen by non-security personnel as an impediment
    - E.g., "Just open port ... so I can use my wonderwidget"
  - SOAP: why is this protocol an issue?

Wool's Firewall Study
- What is the purpose of this study?

Interesting tidbits from the Wool study
- 12 error classes
  - No default policy
  - Automatic broad tools
  - NetBIOS (the very use of the Win protocol deemed an error)
  - Portmapper protocols
  - Use of any wildcards
  - Lack of egress rules
- Interesting questions
  - Is the violation of Wool's errors really a problem?
  - DNS attack comment
  - Why do you think more expensive firewalls had a higher occurrence of errors?
- Take away: configurations are bad

Practical Firewall Implementations
- Primary task is to filter packets, but systems and requirements are complex
- Consider
  - All the protocols and services
  - Stateless vs. stateful firewalls
  - Network function (NAT, forwarding, etc.)
- Practical implementation: Linux iptables
  - http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
  - http://linux.web.cern.ch/linux/scientific8/docs/rhel-rg-en-8/ch-iptables.html

Netfilter hooks
- A series of hooks in the Linux network protocol stack
- At each Netfilter hook, an iptables rule set is evaluated
- [Figure: hook placements]

iptables Concepts
- Table: all the firewall rules
- Chain: list of rules associated with the chain identifier (e.g., hook name)
- Match: when all of a rule's fields match the packet (protocol-specific)
- Target: operation to execute on a packet given a match
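The policy table on the Firewall Policy slide and the point of the Stateful slide (one packet is not enough to decide), worked through as an added example that is not part of the lecture: a first-match filter over the slide's four rules, then the same filter with a session table. It assumes the webserver address 1.1.1.1 and the internal network 1.1.1.* as shown on the slide; all other addresses and ports are constructed.

```python
# Added example (not from the lecture slides): a first-match packet filter that
# evaluates the lecture's example policy table, stateless first and then with
# the session state the "Stateful" slide argues for. Addresses are constructed.
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport proto flags")  # flags: frozenset

def matches(pattern, value):
    """'*' is a wildcard, 'a.b.c.*' matches a /24, anything else must be equal."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and pattern.endswith(".*"):
        return str(value).startswith(pattern[:-1])
    return pattern == value

# The slide's policy: HTTP to any external host, inbound HTTP only to the
# webserver (1.1.1.1 on the slide), replies from port 80, then deny other TCP.
# Columns: src, sport, dst, dport, proto, required flags (None = any), action.
POLICY = [
    ("*",       "*", "1.1.1.1", 80,  "TCP", {"SYN"}, "Accept"),
    ("1.1.1.*", "*", "*",       80,  "TCP", {"SYN"}, "Accept"),
    ("*",       80,  "*",       "*", "TCP", None,    "Accept"),
    ("*",       "*", "*",       "*", "TCP", None,    "Deny"),
]

def stateless_decision(pkt):
    """First matching rule wins, as in an iptables chain; no match means deny."""
    for src, sport, dst, dport, proto, flags, action in POLICY:
        if (matches(src, pkt.src) and matches(sport, pkt.sport)
                and matches(dst, pkt.dst) and matches(dport, pkt.dport)
                and matches(proto, pkt.proto)
                and (flags is None or flags <= pkt.flags)):
            return action
    return "Deny"

class StatefulFilter:
    """Rule 3 accepts any TCP packet whose source port is 80, so the stateless
    filter cannot tell a real HTTP reply from an unrelated packet. A session
    table fixes that: non-SYN packets pass only for flows whose SYN was accepted."""
    def __init__(self):
        self.sessions = set()
    def decision(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:  # new connection attempt
            verdict = stateless_decision(pkt)
            if verdict == "Accept":
                self.sessions.add(flow)
            return verdict
        if flow in self.sessions or reverse in self.sessions:  # packet of a session
            return "Accept"
        return "Deny"
```

Run the same packets through `stateless_decision` and a `StatefulFilter` to see that only the stateful version rejects a source-port-80 packet that belongs to no accepted session.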