Data Security in LAN Data Security in LAN using Distributed using Distributed Firewall Firewall 1 Presented by Sabreen Irfana GMIT Guided by: Mr. Santosh Kumar B.E ,M Tech Asst prof ,Dept ISE GMIT
May 12, 2015
Data Security in LAN Data Security in LAN using Distributed using Distributed FirewallFirewall
1
Presented by Sabreen Irfana GMIT
Guided by: Mr. Santosh Kumar B.E ,M Tech Asst prof ,Dept ISE GMIT
AbstractAbstract
Computer and networking have become inseparable now .
A number of confidential transaction occur every second and today computers are used mostly for transaction rather than processing of data, so Data security is needed to prevent hacking of data and to provide authenticated data transfer
2
..ContdContd
Data security can be achieved by Firewall Conventional firewall relay on the notion of
restricted topology and controlled entry point
Restricting the network topology difficult in filtering certain protocols, expanding network and few more problems leads to the evolution of DISTRIBUTED FIREWALL
3
ContentsContents
Introduction to Security and Firewalls
Problems with traditional Firewalls Distributed Firewall Concept Distributed Firewall Implementation Conclusions
4
FirewallsFirewalls
Firewall is a device or set of instruments designed to permit or deny network transmissions based upon a set of rules and regulations which are frequently used to protect networks from unauthorized access
In most systems today, the firewall is the software that implements the “security policy” for a system
A firewall is typically placed at the edge of a system and acts as a filter for unauthorized traffic5
Security PolicySecurity Policy
A “security policy” defines the security rules of a system.
Without a defined security policy, there is no way to know what access is allowed or disallowed
An example policy: (simple)◦ Allow all connections to the web server◦ Deny all other access
6
Firewall ExampleFirewall Example
7
Firewall DrawbacksFirewall Drawbacks
Traditional Firewalls uses restricted topology of the network
Donot protect networks from internal attack
Certain protocols (FTP, Real-Audio) are difficult for firewalls to process
Assumes inside users are “trusted”
single points of access make firewalls hard to manage8
.contd.contd
1.Restricted topology
9
.contd .contd
2 .Assumes inside users are trusted
10
.contd .contd
3.Single point of failure or access
11
..Data security ThreatsData security Threats
IP Spoofing or IP masquerading
12
A10.10.10.1
B134.117.1.60
B
10.10.10.1
Src_IP
134.117.1.60
dst_IP
Any (>1024)
Src_port
80
dst_port
11.11.11.1
Src_IP
134.117.1.60
dst_IP
Any (>1024)
Src_port
80
dst_port
spoofed
.cont IP spoofing.cont IP spoofing
13
sender ip spoofed packet
victim
partnerdst: victim
src: partner
Oh, my partner sent me a packet. I’ll process this.
impersonation
.contd.contd
Session hijacking
14
contdcontd
Denial of service(DOS)
15
Distributed Firewall Distributed Firewall ConceptConcept
Destributed firewall is a mechanism to enforce a
network domain security policy through the use
of policy language
Security policy is defined centrally
Enforcement of policy is done by network endpoint(s) where is the hackers try to penetrate
16
..contdcontd
It filters traffic from both the internal and
internet network
They overcome the single point of failure concept
17
18
Architecture of Architecture of Distributed FirewallsDistributed Firewalls
The whole distributed firewall system consists of four main parts:
I. The management center
II. Policy actuator:
III.Remote endpoint connectors
IV.Log server
19
.contd.contd
20
PBNA SystemPBNA System
Policy Based Network Management System
21
Standard Firewall ExampleStandard Firewall Example
22
Corporate NetworkCorporateFirewall
Internet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
Standard Firewall Example Standard Firewall Example Connection to web serverConnection to web server
23
Corporate NetworkCorporateFirewall
Internet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
Standard Firewall Example Standard Firewall Example Connection to intranetConnection to intranet
24
Corporate NetworkCorporateFirewall
Internet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
blocked byfirewall connection
allowed,but should
not be
Distributed Firewall Distributed Firewall ExampleExample
25
Corporate NetworkInternet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
InternalHost
(telecommuting)
Distributed Firewall Example Distributed Firewall Example to web serverto web server
26
Corporate NetworkInternet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
InternalHost
(telecommuting)
Distributed Firewall Example Distributed Firewall Example to intranetto intranet
27
Corporate NetworkInternet
InternalExternal
ExternalHost
InternalHost
1
InternalHost
2(untrusted)
Webserver
IntranetWebserver(companyprivate)
InternalHost
(telecommuting)
Components of Components of Distributed FirewallsDistributed Firewalls
28
A Distributed Firewall is a mechanism to enforce a network domain
security policy through the use of the following:
Policy Language
Policy Distributed Scheme
Certificates
.contd.contd
29
Policy language The Policy language is used to create policies for each firewall.
These policies are the collection of rules, which guides the firewall for evaluating the network traffic. It also defines which inbound and outbound connections on any component of the network policy domain are allowed.
.contd.contd
30
Policy Distribution Scheme
The policy distribution scheme should guarantee the integrity of the policy during transfer.
This policy is consulted before processing the incoming or outgoing messages.
The distribution of the policy can be different and varies with the implementation. It can be either directly pushed to end systems , or pulled when necessary
.contd.contd
31
Certificates There may be the chance of using IP address for the host identification by the distributed firewalls.
But a mechanism of security is more important. It is preferred to use certificate to identify hosts. IPSec provides cryptographic certificates. Unlike IP address, which can be easily spoofed, the digital certificate is much more secure and the authentication of the certificate is not easily forged. Policies are distributed by means of these
Advantages Advantages
32
1. Provides security for internet and intranet
2. Multiple access points
3. Insiders are no longer trusted
4. Security policy rules are distributed and established on needed basis
5 End to End can be easily done and filtering packets is easy
DisadvantageDisadvantage
33
1. Compliance of the security policy for insiders is one of the major issues of the distributed firewalls. This problem especially occurs when each ending host have the right of changing security policy. There can be some techniques to make modifying policies harder but it is not totally impossible to prevent it.2 It is not so easy to implement an intrusion detection system in a distributed firewall environment. It is possible to log suspicious connections on local server but these logs need to be collected and analyzed by security experts in central service
Distributed Firewall Distributed Firewall implementationimplementation....
Language to express policies and resolving requests (KeyNote system)
Using keynode and Ipsec allows control of mixed level
policies where authentication mechanism is applied
through public key cryptography
34
KeyNoteKeyNote
A language to describe security policies (RFC 2704)
Fields :◦ KeyNote Version – Must be first field, if present
◦ Authorizer – Mandatory field, identifies the issuer of the assertion
◦ Comment◦ Conditions – The conditions under which the Authorizer trusts the
Licensee
◦ Licensees – Identifies the authorized, should be public key, but can be IP address
◦ Signature – Must be last, if present
All field names are case-insensitive
35
KeyNote Example 1KeyNote Example 1
36
KeyNote Example 2KeyNote Example 2
37
KeyNote-Version: 2Authorizer: “rsa-hex:1023abcd”Licensee: “IP:158.130.6.141”Conditions: (@remote_port < 1024 &&
@local_port == 22 ) -> “true”;Signature: “rsa-sha1-hex:bee11984”
Note that this credential delegates to an IP address,
Application interaction Application interaction with keyNote with keyNote
38
Example of Connection to Example of Connection to a Distributed Firewalla Distributed Firewall
local host security policy:KeyNote-Version: 2
Authorizer: “POLICY”
Licensees: ADMINISTRATIVE_KEY
Assumes an IPSEC SA between hosts
39
Example of Connection to a Example of Connection to a Distributed FirewallDistributed Firewall
KeyNote-Version: 2
Authorizer: ADMINISTRATIVE_KEY
Licensees: USER_KEY
Conditions:
(app_domain == "IPsec policy" &&
encryption_algorithm == “yes" &&
local_address == "158.130.006.141")
-> "true";
(app_domain == "Distributed Firewall" &&
@local_port == 23 &&
encrypted == "yes" &&
authenticated == "yes") -> "true";
Signature: ...
40
Example of Connection to a Example of Connection to a Distributed FirewallDistributed Firewall
41
source
local host158.130.6.141
(running PolicyDaemon)
IPSEC SA
TCP connect (23)context created
local port=23encrypted="yes"
authenticated="yes"
Policy Daemonchecks context
vs.credential
continue TCPsession
Returns TRUE
ConclusionsConclusions
Distributed firewalls allows the network security policy to remain under control of the system administrators
Insiders may no longer be unconditionally treated as “trusted”
Does not completely eliminate the need for traditional firewalls
More research is needed in this area to increase robustness, efficiency,
42
Future WorkFuture Work
High quality administration tools NEED to exist for distributed firewalls to be accepted
Allow per-packet scanning as opposed to per-connection scanning
Policy updating
43
ReferencesReferences
[1] Sotiris Ioannidis, Angelos D. Keromytis, Steve M. Bellovin, Jonathan M. Smith, “Implementing a Distributed Firewall”, CCS ’00,Athens, Greece.
[2] Steven M. Bellovin, “Distributed Firewalls”, November 1999 issue of; login: pp. 37-39.
[3] W. R. Cheswick and S. M. Bellovin. “Firewalls and Internet Security”: Repelling the Wily Hacker. Addison-Wesley, 1994.
[4] [Robert Stepanek, “Distributed Firewalls”, [email protected], T-110.501 Seminar on Network Security, HUT TML 2001.
[5] Dr. Mostafa Hassan Dahshan “Security and Internet Protocol”, Computer Engineering
44
45