network security - defense in depth
TRANSCRIPT
![Page 1: Network security - Defense in Depth](https://reader034.vdocuments.mx/reader034/viewer/2022042619/58e673e41a28ab2a298b5699/html5/thumbnails/1.jpg)
Network Security: Defense-in-Depth
By Dilum Bandara
Objective
To provide an overview of security threats in a networked environment, the countermeasures, and related technologies
Threats
Viruses/worms
Buffer overflow
Denial of service (DoS)
Spoofing & sniffing
Address/port scanning
Hacking
Trojan horses
Logic bombs
Trap doors
Covered today
Outline
Security risk
Defense-in-Depth
Threats in more detail
Countermeasures
Firewalls
Server protection
Enterprise-level antiviral solutions
Security vs Sri Lanka
Demo
Risk
Hackers are getting smarter.
They don't need to be TCP/IP gurus: enough tools are freely available.
Worse, many of them have no idea what they are doing.
The security chain is only as strong as its weakest link: the users.
Who should be concerned?
Anyone who has access to the Internet, regardless of their size.
One in every two small businesses will be hacked by the end of 2003.
60% of companies won't be aware of it until serious damage has happened.
Defense-in-Depth
No single product can deliver everything; it is advisable to combine:
Awareness and commitment
Firewall
Network and system monitoring
Access control & authentication
Anti-virus
Encryption
VPN
Server integrity
Auditing
Defense-in-Depth illustrated (layered diagram):
Internet -> Perimeter: firewalls, intrusion detection, perimeter anti-viral
Perimeter -> Users (internal users and dial-up access): OS authentication, trusted OS, access control, host-based anti-viral
Users -> OS: OS security, server security
OS -> Files, directories, applications and configuration settings
VPN: secured private communications across the layers
Total access vs no access
Users want the world at their fingertips; the sysadmin wants to stop as much as possible.
The safest way to survive is to have no access at all.
We need a compromise. The answer is:
Security Policy
Security Policy
I need to protect things, but how? A security policy is the compromise the organization decides to adopt between absolute security and absolute access:
Who can get in/out
Where they can go
When they can get in/out
What they can bring in/carry out
Physical access
Protecting the management station
Security should extend from your doorstep to the Internet gateway.
If there is an open door, surely someone will probe in.
Benefits of a policy
The user is the key.
Users gain a sense that the organization is looking out to protect their files and their livelihood.
Users often find that they have access freedoms they were not previously aware of.
Users gain an understanding that access limitations are implemented to protect the organization from disaster.
Done? I published the policy. I have all the necessary devices. My virus guard gets updated automatically.
Hahaha... I'm secure!!!
No, wait. I'll show you another piece of magic.
Why?
Security is a dynamic process. It's like a cricket match: when one hacker is out, another hacker with a different style comes in to bat.
It is not a one-step solution, so you are never done. It needs a lot of vigilance and maintenance.
The growing vulnerability gap (chart, 1995 to 2005)
Business threats, in order of appearance: hostile access, denial of service, application-layer attacks, e-mail server attacks, e-mail viruses.
The business-threat curve climbs away from the response-capability curve, and the gap between them keeps widening.
Vulnerability window
The time gap between the first attack and the moment you are ready to face it.
It indicates how vulnerable you are: the larger the window, the more vulnerable you are.
Illustration (times in GMT)
1st attack: 2:30 am
Security partner notified: 5:30 am
Patch available: 11:45 am
Ready to face the challenge: 3:50 pm
Vulnerability window: 13 h 20 min
Narrowband vs broadband
Narrowband: dial-up, dynamic IPs.
Broadband: always connected, static IPs; the door is always open.
But...
Neither is secure, because what you send can be monitored in transit.
Example: the FBI's Carnivore machine
Terminology
Hacker: people who get in but do no harm (or even help to improve security)
Cracker: people who get in and do harm
Hacking: unauthorized probing
Cracking: applying patches to software for illegal registration
DoS attacks
Denial of Service: degrade performance or crash the server.
Ping of Death
SYN flooding
Ping flood
Smurf attacks
Buffer overflow
Exploiting CGI
Ping of Death
Exploits bugs in the IP stacks of UNIX, Windows and MacOS.
The host crashes when an oversized ping arrives: an ICMP Echo larger than 64 KB, i.e. fragments that reassemble to more than the 65,535-byte IP maximum.
Solution: an OS patch corrects the problem; no longer a practical attack.
SYN flooding
Abuses the TCP three-way handshake: SYNs are sent from unreachable (spoofed) IP addresses, so the server's half-open connections never complete and its connection queue fills up.
Solution: there is no complete solution; minimise
the number of uncompleted (half-open) connections the server holds, and
the validation timeout after which a half-open connection is discarded.
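The following simulation is an added example (not part of the original slides): it models a server's half-open connection queue under a flood of SYNs from spoofed, never-answering sources, while one legitimate client tries to connect once a second. The queue size, timeout, flood rate and addresses are all constructed for the example; no packets are sent. It shows why the slide's second mitigation matters: with a long handshake timeout the spoofed entries pile up and real clients are refused, while a short timeout keeps the queue draining faster than the attacker fills it.

```python
"""Simulate a TCP listen queue under a SYN flood and the two knobs named on the
slide: the half-open limit (backlog) and the handshake validation timeout.
Times and addresses are constructed for this example; nothing is sent."""
from dataclasses import dataclass, field


@dataclass
class ListenQueue:
    backlog: int            # max half-open (SYN_RECV) entries the server keeps
    timeout: float          # seconds a half-open entry lives without the final ACK
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> expiry time
    accepted: int = 0
    refused: int = 0

    def expire(self, now):
        # Drop half-open entries whose handshake timer has run out.
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def syn(self, now, src):
        """A SYN arrives. Returns True if a SYN/ACK was sent (slot reserved)."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.refused += 1   # queue full: SYN dropped, the client only sees a timeout
            return False
        self.half_open[src] = now + self.timeout
        return True

    def ack(self, now, src):
        """Final ACK of the handshake. Only a live half-open entry can complete."""
        self.expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.accepted += 1
            return True
        return False


def run_flood(backlog, timeout, attack_rate=50, duration=10.0):
    """Attacker sends `attack_rate` SYNs/second from spoofed addresses that never
    ACK; one legitimate client (198.51.100.7, constructed) connects once per second.
    Returns (legit_accepted, legit_refused)."""
    q = ListenQueue(backlog=backlog, timeout=timeout)
    legit_ok = legit_fail = 0
    t, step, n = 0.0, 1.0 / attack_rate, 0
    while t < duration:
        # Spoofed SYN: the source never replies, so the slot stays taken until timeout.
        q.syn(t, (f"203.0.113.{n % 254 + 1}", 40000 + n))
        n += 1
        t += step
        if n % attack_rate == 0:            # once per second a real client tries
            src = ("198.51.100.7", 50000 + n)
            if q.syn(t, src) and q.ack(t + 0.01, src):
                legit_ok += 1
            else:
                legit_fail += 1
    return legit_ok, legit_fail


if __name__ == "__main__":
    print("backlog 128, timeout 60 s :", run_flood(128, 60.0))
    print("backlog 128, timeout 1 s  :", run_flood(128, 1.0))
    print("backlog 1024, timeout 60 s:", run_flood(1024, 60.0))
```

With a 60-second timeout and a 128-entry queue, 50 spoofed SYNs per second fill the queue in under three seconds and the legitimate client gets through only twice in ten tries; cutting the timeout to one second keeps at most about 50 entries alive and every legitimate connection succeeds. A larger backlog also survives this short flood, which is why real stacks combine a big queue, a short timer and SYN cookies rather than relying on one knob.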
Ping flood & Smurf attacks
Ping flood: send a large number of pings to the host at the same time.
Smurf: send pings to a network's broadcast address with the source forged as the victim host, so every machine on that network replies to the victim.
Solution: configure the routers, NAT device or firewall (e.g. drop directed broadcasts and rate-limit ICMP).
Buffer overflow
Caused when more data is given to a program than its buffer can hold.
The extra data contains malicious code; if it overwrites control data in memory (e.g. the return address on the stack) that code can be executed easily.
E.g. Nimda, Code Red II
Solution: protect the stack buffer (bounds checking, stack protection).
Exploiting CGI
If a program blindly accepts a request from the browser, it could provide access to a shell with the privileges of the CGI program.
E.g. http://fake.name.com/cgi-bin/name.cgi?fgdn=%Acat%20/etc/passwd
Solution: filter unwanted commands; remove the shell (validate the input and never pass it through a shell).
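Added example, not from the original slides: the vulnerable pattern behind the URL above beside its hardened form. The parameter name `fqdn` (the slide's `fgdn` read as a fully qualified domain name), the `nslookup` command and the host name are assumptions for the illustration; the payload used is a newline (`%0A`) followed by `cat /etc/passwd`, which is what the slide's garbled `%Acat%20/etc/passwd` is after. The vulnerable version returns the command line it would hand to a shell; the hardened version validates against a hostname allowlist and builds an argv list, so no shell ever interprets the input.

```python
"""Vulnerable vs hardened handling of a CGI query parameter that ends up in a
command. Added example; parameter name, command and hostnames are illustrative."""
import re
from urllib.parse import parse_qs, urlsplit


def vulnerable_lookup(url: str) -> str:
    """Builds a shell command by string concatenation: the slide's bug.
    Returns the command line that would be executed (not executed here)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    name = query.get("fqdn", [""])[0]      # attacker-controlled, already URL-decoded
    return f"nslookup {name}"             # newline, ';', $(...) all pass straight through


def injected_commands(cmdline: str) -> list:
    """What a Bourne shell would see: separate commands split on ';' or newline."""
    return [c.strip() for c in re.split(r"[;\n]", cmdline) if c.strip()]


# One or more DNS labels: letters, digits and hyphens only, no shell metacharacters.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
)


def hardened_lookup(url: str) -> list:
    """Allowlist the parameter and return an argv list for subprocess.run(argv)
    with shell=False: the kernel execs nslookup directly, so shell syntax in the
    argument is just an (invalid) hostname, never a second command."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    name = query.get("fqdn", [""])[0]
    if not HOSTNAME_RE.fullmatch(name):
        raise ValueError(f"rejected parameter: {name!r}")
    return ["nslookup", name]


if __name__ == "__main__":
    evil = "http://fake.name.com/cgi-bin/name.cgi?fqdn=example.com%0Acat%20/etc/passwd"
    print("vulnerable would run:", injected_commands(vulnerable_lookup(evil)))
    try:
        hardened_lookup(evil)
    except ValueError as e:
        print("hardened:", e)
    print("hardened argv:", hardened_lookup("http://fake.name.com/cgi-bin/name.cgi?fqdn=www.example.com"))
```

The two defenses are independent: the allowlist rejects anything that is not a hostname, and the argv form means that even a regex mistake cannot turn the argument into a second command, because there is no shell in the call path to honour `;` or a newline.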
Address/port probing
A sequential search of IP addresses for open ports.
Then exploit the vulnerabilities of the programs behind them, or make use of Trojan horses already running, e.g. Back Orifice.
Solution: stateful packet filtering.
Port scanning, how?
TCP SYN scanning: send a packet with SYN set to initiate a connection. If the reply is SYN/ACK the port is open; an RST means it is closed.
TCP FIN scanning: send a bare FIN (finish) to the host. A closed port replies with RST (reset); an open port ignores the segment, so no reply means open (or filtered).
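Added example, not from the original slides: the detection side of the two previous slides. A firewall that logs every connection attempt sees a scanner as one source touching many distinct ports in a short window, and the TCP flags it logs tell the SYN scan and the FIN scan apart. The log format, addresses and entries below are constructed for the example; a real deployment would feed the firewall's own syslog lines through `parse_line` instead.

```python
"""Flag address/port probing in firewall log lines: one source hitting many
distinct (host, port) targets within a sliding window. Constructed log format:
  <ISO timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport> [<TCP flags>]"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>[A-Z/]+))?$"
)


def parse_line(line):
    """Returns a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, window_s=10, port_threshold=5):
    """One alert per source that touches >= port_threshold distinct (dst, dport)
    targets inside any window_s-second window. The TCP flags seen across the
    window name the technique: bare SYNs = SYN scan, bare FINs = FIN scan."""
    recent = defaultdict(deque)   # src -> deque of (ts, target, flags), oldest first
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["dport"]), ev["flags"] or ""))
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()                       # slide the window forward
        targets = {t for _, t, _ in q}
        if len(targets) >= port_threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            flag_sets = {f for _, _, f in q}
            if flag_sets == {"SYN"}:
                kind = "SYN scan"
            elif flag_sets == {"FIN"}:
                kind = "FIN scan"
            else:
                kind = "mixed probe"
            alerts.append({"src": ev["src"], "kind": kind, "targets": len(targets),
                           "first": q[0][0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


# Constructed sample: a SYN scanner, a FIN scanner, a normal web client, and noise.
SAMPLE_LOG = [
    "2003-06-12T02:31:05 ALLOW TCP 192.0.2.77:51002 -> 192.0.2.10:80 SYN",
    "2003-06-12T02:31:06 DENY TCP 203.0.113.9:41234 -> 192.0.2.10:21 SYN",
    "2003-06-12T02:31:06 ALLOW TCP 203.0.113.9:41235 -> 192.0.2.10:22 SYN",
    "2003-06-12T02:31:07 DENY TCP 203.0.113.9:41236 -> 192.0.2.10:23 SYN",
    "2003-06-12T02:31:07 DENY TCP 203.0.113.9:41237 -> 192.0.2.10:25 SYN",
    "2003-06-12T02:31:08 ALLOW TCP 203.0.113.9:41238 -> 192.0.2.10:80 SYN",
    "2003-06-12T02:31:09 ALLOW TCP 192.0.2.77:51003 -> 192.0.2.10:80 SYN",
    "2003-06-12T02:31:20 DENY TCP 198.51.100.4:6001 -> 192.0.2.11:135 FIN",
    "2003-06-12T02:31:20 DENY TCP 198.51.100.4:6001 -> 192.0.2.11:137 FIN",
    "2003-06-12T02:31:21 DENY TCP 198.51.100.4:6001 -> 192.0.2.11:139 FIN",
    "2003-06-12T02:31:21 DENY TCP 198.51.100.4:6001 -> 192.0.2.11:445 FIN",
    "2003-06-12T02:31:22 DENY TCP 198.51.100.4:6001 -> 192.0.2.11:1433 FIN",
    "2003-06-12T02:33:00 DENY TCP 192.0.2.77:51004 -> 192.0.2.10:443 SYN",
    "this line is not a firewall record and is skipped",
]

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(a)
```

Counting distinct targets rather than raw lines keeps a busy but legitimate client (many connections to one port) below the threshold, and counting ALLOW lines as well as DENY lines matters because a scanner that finds the open ports you do expose still shows up as a burst of new targets.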
Use of IP options
The optional fields in the IP header, used for testing purposes.
Source routing lets the sender dictate the path a packet takes. If any authentication is done according to the path (e.g. trusting traffic that appears to arrive from an internal route), what happens?
Solution: block all packets carrying IP options.
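Added example, not from the original slides, serving both the Ping of Death slide and this one: a parser for the IPv4 header layout that applies the two checks a filtering device would make on each packet. The Ping of Death check is the reassembly bound: a fragment whose offset plus payload would exceed 65,535 bytes is rejected before it reaches the stack. The IP-options check walks the options area and flags loose/strict source routing (option types 131 and 137) or any other option, which is the slide's "block all packets with optional header". The packets are constructed byte strings built by the helper `build_ipv4`, which is part of the example and leaves the checksum zero.

```python
"""Parse an IPv4 header (RFC 791 layout) and apply two filter checks:
 (1) oversized reassembly, the Ping of Death pattern;
 (2) IP options, in particular loose/strict source routing.
All packets here are constructed for the example."""
import struct

IPV4_MAX = 65535
OPT_EOOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137


def parse_options(raw: bytes) -> list:
    """Returns [(type, data), ...]; EOOL ends the list, NOP is a single byte."""
    out, i = [], 0
    while i < len(raw):
        t = raw[i]
        if t == OPT_EOOL:
            break
        if t == OPT_NOP:
            out.append((t, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IP option")
        length = raw[i + 1]
        out.append((t, raw[i + 2:i + length]))
        i += length
    return out


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "ihl": ihl, "total_len": total_len, "proto": proto,
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,      # offset field is in 8-byte units
        "payload_len": total_len - ihl,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": parse_options(pkt[20:ihl]),
    }


def check_packet(pkt: bytes) -> list:
    """Reasons to drop this packet; an empty list means it passes both checks."""
    hdr = parse_ipv4(pkt)
    reasons = []
    if hdr["frag_offset"] + hdr["payload_len"] > IPV4_MAX:
        reasons.append("oversized reassembly (ping-of-death pattern)")
    for t, _ in hdr["options"]:
        if t in (OPT_LSRR, OPT_SSRR):
            reasons.append("source routing option")
        elif t != OPT_NOP:
            reasons.append(f"IP option type {t}")
    return reasons


def build_ipv4(src, dst, payload=b"", proto=1, frag_offset8=0, more=False, options=b""):
    """Constructs a header for the examples (checksum left 0, not verified here)."""
    opts = options + b"\x00" * (-len(options) % 4)   # options area padded to 32 bits
    ihl = 20 + len(opts)
    frag = (0x2000 if more else 0) | (frag_offset8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(payload), 0x1234,
                      frag, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + opts + payload


if __name__ == "__main__":
    # Last fragment of an oversized echo: offset 8189*8 = 65512 plus 100 bytes > 65535.
    pod = build_ipv4("203.0.113.5", "192.0.2.10", b"A" * 100, frag_offset8=8189)
    # LSRR option: type 131, length 11, pointer 4, two hop addresses.
    lsrr = b"\x83\x0b\x04" + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])
    routed = build_ipv4("203.0.113.5", "192.0.2.10", proto=6, options=lsrr)
    print(check_packet(pod), check_packet(routed))
```

Because the reassembly check works on the last fragment's offset alone, a filter can reject the attack without buffering the earlier fragments, which is the same cheap test the patched stacks added.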
Spoofing attacks
Use of a false identity to cheat the server, router or firewall and gain access.
E.g. an external packet sent with an internal source IP.
Solution: block at the router, NAT device or firewall, both incoming (internal source address arriving from outside) and outgoing (non-internal source address leaving from inside).
Solutions
IDS (Intrusion Detection)
Firewalls
NAT
VPN
URL filtering
DMZ
Server protection
Antiviral solutions
IDS (Intrusion Detection)
Uses all sorts of logging to check for attacks and vulnerabilities.
Cannot prevent an attack, but can detect it afterwards or while it is emerging.
Too complicated; needs a lot of vigilance.
Passive security.
IPS (Intrusion Prevention)
Prevents the attack before it happens: active security.
Needs more processing power.
Methods: protocol anomaly detection, signature-based detection, behavior-based detection.
Prevention is better than detection.
NAT (Network Address Translation)
Also called IP masquerading or port forwarding.
Takes an address from one network and translates it to an IP address of another.
Hides the hosts of one network from the others.
Dynamic NAT, 1-to-1 NAT, static NAT
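Added example, not from the original slides: a minimal masquerading (NAPT) table with one static port-forwarding entry, to show concretely what "hides the hosts of one network" means. Outbound flows from the private network are rewritten to a single public address and a fresh port; replies are mapped back through the table; an inbound packet that matches no outbound flow and no static mapping is dropped, so an outside scanner never sees the private hosts. The addresses are constructed for the example.

```python
"""Minimal NAPT (IP masquerading) with a static port-forward entry.
Packets are 5-tuples (src, sport, dst, dport, proto); addresses are constructed."""
from ipaddress import ip_address, ip_network


class Napt:
    def __init__(self, public_ip, inside_net, port_base=40000):
        self.public_ip = ip_address(public_ip)
        self.inside = ip_network(inside_net)
        self.next_port = port_base
        self.out_map = {}  # (inside_ip, inside_port, dst_ip, dport, proto) -> public port
        self.in_map = {}   # (public port, remote_ip, remote_port, proto) -> (inside_ip, inside_port)
        self.static = {}   # public port -> (inside_ip, inside_port): static NAT / port forwarding

    def forward_port(self, public_port, inside_ip, inside_port):
        """Expose one internal service on the public address (static NAT)."""
        self.static[public_port] = (ip_address(inside_ip), inside_port)

    def outbound(self, pkt):
        """Private host -> Internet. Returns the rewritten packet, or None to drop."""
        src, sport, dst, dport, proto = pkt
        src, dst_ip = ip_address(src), ip_address(dst)
        if src not in self.inside:
            return None                      # egress filtering: not one of our hosts
        key = (src, sport, dst_ip, dport, proto)
        if key not in self.out_map:          # new flow: allocate a public port
            pub, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = pub
            self.in_map[(pub, dst_ip, dport, proto)] = (src, sport)
        return (str(self.public_ip), self.out_map[key], dst, dport, proto)

    def inbound(self, pkt):
        """Internet -> public address. Returns the packet for the inside host, or None."""
        src, sport, dst, dport, proto = pkt
        if ip_address(dst) != self.public_ip:
            return None
        if dport in self.static:             # port forwarding takes precedence
            ip, port = self.static[dport]
            return (src, sport, str(ip), port, proto)
        entry = self.in_map.get((dport, ip_address(src), sport, proto))
        if entry is None:
            return None                      # unsolicited: no inside host is ever revealed
        ip, port = entry
        return (src, sport, str(ip), port, proto)


if __name__ == "__main__":
    nat = Napt("198.51.100.1", "10.0.0.0/24")
    print(nat.outbound(("10.0.0.5", 51000, "93.184.216.34", 80, "tcp")))
    print(nat.inbound(("93.184.216.34", 80, "198.51.100.1", 40000, "tcp")))
    print(nat.inbound(("203.0.113.9", 4444, "198.51.100.1", 40000, "tcp")))
```

The reverse lookup is keyed on the remote address and port as well as the public port, so a third party that guesses an allocated port still gets nothing; only the peer the inside host actually talked to can reach it through that port.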
VPN (Virtual Private Network)
Gives you a private path (channel) inside a public path.
End-to-end encrypted.
Uses IPSec, L2TP or PPTP.
VPN cont....
The overhead of encryption is heavy; it needs a lot of processing power.
The bandwidth of high-speed connections would drop dramatically.
If a VPN server is to be used, it should be dedicated.
Vendor figures (firewall throughput / VPN throughput):
Firebox® 4500: 200 Mbps firewall / 100 Mbps VPN
Firebox® 2500: 200 Mbps firewall / 75 Mbps VPN
Firebox® 1000: 200 Mbps firewall / 60 Mbps VPN
Firebox® 700: 150 Mbps firewall / 5 Mbps VPN
URL filtering
Filtering of web pages against a filtering database.
The database is controlled by a 3rd party; you can add your own sites or exceptions.
Filtering is based on user, user group, time of day, etc.
DMZ (Demilitarized Zone)
The place where you keep your publicly available servers, separate from the other local hosts and application servers.
Provides better security: a compromised public server does not give direct access to the internal network.
Firewalls
A device that protects the resources of a private network from outside intrusions.
The firewall examines each packet that passes through it against an assigned set of rules.
Not a virus guard.
Stance: the stance dictates what the firewall does in the absence of a matching rule.
The stance should be to block everything unless it is specifically allowed.
Where does it fit in? (diagram)
Interfaces
External interface: connection to the external network (typically the Internet).
Trusted interface: connection to the internal network, which needs maximum protection.
Optional interface: connection to the DMZ or other free areas. Public Web, e-mail, FTP and DNS servers could be connected here.
Firewall security policy
Which:
hosts send/receive which kinds of traffic
communication links require authentication and/or encryption
users are authorized to use various services through the firewall
What:
communication protocols and content types are allowed
times of day organization members are able to browse the Web
types of Web sites organization members can visit
Technology: packet filtering
Based on the header information; incoming and outgoing packets are treated separately.
Filters packets based on IP address, port, protocol and type of service.
Works on the network and transport layers.
Very effective, but because it is stateless it cannot detect attacks that depend on connection state, such as DoS (e.g. SYN flooding).
Technology: circuit relay
Uses non-header information: user, time of day.
Dynamic packet filtering: keeps track of connection state, so replies are only accepted for connections that were allowed to start.
Really effective when packet filtering and circuit relay are combined.
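Added example, not from the original slides, tying together the spoofing, stance, packet-filtering and circuit-relay slides: a small filter with three interfaces (external, trusted, optional/DMZ) as on the interfaces slide, a default-deny stance, ingress and egress anti-spoofing, an ordered rule list keyed on header fields, and a flow table so that the return half of a connection is accepted only if a rule let the first packet through. The interface names, address ranges and rules are constructed for the example; the rule list mirrors the HTTP and SMTP entries of the demo table later in the deck.

```python
"""Stateful packet filter: default-deny stance, anti-spoofing on every interface,
header-based rules for new connections, and a flow table for replies.
Interfaces, address ranges and rules below are constructed for the example."""
from ipaddress import ip_address, ip_network

# Which source addresses legitimately appear on each inside interface.
NETS = {
    "trusted": [ip_network("10.0.0.0/24")],
    "optional": [ip_network("192.0.2.0/24")],      # DMZ
}
INTERNAL = NETS["trusted"] + NETS["optional"]

# (ingress interface, proto, src net, dst net, dst port or None) -> allowed to start a flow
RULES = [
    ("external", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),    # HTTP to the web server in the DMZ
    ("external", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),    # SMTP to the mail server
    ("trusted", "tcp", "10.0.0.0/24", "0.0.0.0/0", None),     # any TCP out from trusted hosts
    ("trusted", "udp", "10.0.0.0/24", "0.0.0.0/0", 53),       # DNS out
]


class StatefulFilter:
    def __init__(self, rules=RULES):
        self.rules = [(i, p, ip_network(s), ip_network(d), port) for i, p, s, d, port in rules]
        self.flows = set()   # (proto, src, sport, dst, dport) of flows a rule has allowed

    def spoofed(self, iface, src):
        """Ingress filtering: an internal address arriving on the outside.
        Egress filtering: an inside host claiming an address not on its segment."""
        if iface == "external":
            return any(src in n for n in INTERNAL)
        return not any(src in n for n in NETS.get(iface, []))

    def decide(self, pkt):
        """pkt: dict(iface, proto, src, sport, dst, dport[, flags]).
        Returns 'allow' or 'deny:<reason>'."""
        src, dst, proto = ip_address(pkt["src"]), ip_address(pkt["dst"]), pkt["proto"]
        if self.spoofed(pkt["iface"], src):
            return "deny:spoofed-source"
        fwd = (proto, src, pkt["sport"], dst, pkt["dport"])
        rev = (proto, dst, pkt["dport"], src, pkt["sport"])
        if fwd in self.flows or rev in self.flows:
            return "allow"                       # part of a flow we already admitted
        if proto == "tcp" and pkt.get("flags", "SYN") != "SYN":
            return "deny:no-state"               # ACK/FIN/SYN-ACK with no handshake seen
        for iface, rproto, snet, dnet, dport in self.rules:
            if (iface == pkt["iface"] and rproto == proto and src in snet and dst in dnet
                    and (dport is None or dport == pkt["dport"])):
                self.flows.add(fwd)              # remember it so the reply gets through
                return "allow"
        return "deny:default-stance"             # nothing matched: block unless allowed


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.decide(dict(iface="external", proto="tcp", src="203.0.113.9", sport=41234,
                         dst="192.0.2.10", dport=80, flags="SYN")))
    print(fw.decide(dict(iface="optional", proto="tcp", src="192.0.2.10", sport=80,
                         dst="203.0.113.9", dport=41234, flags="SYN/ACK")))
    print(fw.decide(dict(iface="external", proto="tcp", src="10.0.0.7", sport=1,
                         dst="192.0.2.10", dport=80, flags="SYN")))
```

The flow table is what a stateless filter lacks: without it, the only way to let replies back in is a rule like "allow any TCP with source port 80 to the trusted network", which a scanner defeats simply by setting its source port to 80, and which is also why the bare-ACK and FIN probes of the port-scanning slide are rejected here with no state rather than evaluated against the rules.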
Layer comparison (diagram)
OSI layers: Application, Presentation, Session, Transport, Network, Data link, Physical
TCP/IP layers: Application, Transport, Internet, Host to network
Firewall technology by layer: security proxy at the application layers, circuit relay around the session/transport layers, packet filter at the network and transport layers.
Security proxy
A proxy is a program that intercepts packets, examines their content and takes some action to safeguard the server.
The firewall goes beyond packet filtering and circuit relay: it detects forbidden content.
Each packet is stripped of its wrapping, analyzed, processed, re-wrapped and forwarded, which adds some delay as well.
Proxies: advantages
Make networks harder to hack by blocking entire categories of commonly used attacks and by concealing details about internal network servers from the public Internet.
Help to use network bandwidth more effectively by preventing unwanted or inappropriate traffic from entering the network.
Reduce corporate liability by preventing a hacker from using your network as a launch point for further attacks.
Simplify the management of networks by providing the administrator with tools and defaults that can be applied broadly, rather than desktop by desktop.
Drop-in & routed networks (diagram)
Secondary network (diagram)
Software vs hardware
Software (server based):
Dedicated server
Insecure OS, not a real-time OS
Pay for things that are not necessary
3 vendors to deal with
Frequent patches
Licence based
Initial cost is low but TCO is high
Hardware (dedicated box):
Hardened OS
Single vendor
Product based
Hard to apply firmware updates
No hard disk (not in all firewalls)
Initial cost is a bit high but TCO is significantly lower
ASIC (Application Specific IC)
Hardware beats software because of the ASIC: the software is hard-coded into the chip.
(Diagram: a conventional CPU-based firewall. The CPU runs packet classification, firewall rule enforcement, IPSec (AH, ESP) with DES/3DES and MD5/SHA, NAT, L2TP/PPTP, QoS, PKI, load balancing, SNMP management, the interface (GUI, CLI), statistics, logs and alarms. Two NICs are attached over the system bus, which carries the whole data path.)
ASIC...
(Diagram: the same design with an encryption accelerator taking DES/3DES and MD5/SHA off the CPU. Every packet still crosses the system bus to reach the CPU, so the system bus becomes the bottleneck.)
Intelligent ASIC
(Diagram: a custom security ASIC sits directly on the data path between the NICs and handles packet classification, firewall rule enforcement, NAT, QoS, load balancing, IPSec with DES/3DES and MD5/SHA1, L2TP/PPTP and logs. The CPU, across the system bus, keeps management, SNMP, the interface (GUI, CLI), PKI, statistics, logs and alarms.)
1) The first packet of a flow is forwarded to the CPU for classification and security policy lookup.
2) The policy for the flow is forwarded to the custom security ASIC's cache memory.
3) The following packets of the flow are cut through, bypassing the CPU.
WatchGuard®
Features
QoS
Active/Active and Active/Passive high availability
Server load balancing
Centralized management
Value-added services
No hard disk
Hardened Linux (proprietary vs open)
Demo
Server Protection
Why?
Risk comes from outside, so why do I bother about internal servers?
In reality more risk comes from inside than from outside, either planned or unplanned.
None of the commercial OSs are secure: security is a separate layer, not an integrated part of the system.
A legitimate user
Anyone who gets access as the power user can do anything:
Change the content of a web page to divert credit card information to a different location
Create a user account as a backdoor
Delete all the log entries that could indicate a system hack
System reconfiguration
ServerLock
An emerging concept, operating under the belief that protecting your data from unauthorized change is more effective than detecting attacks.
Locks: itself, critical OS files and configurations, the registry, user-defined resources.
Protection (diagram)
Policy
Denies write or delete access based on the resource, not on the user: even the sysadmin cannot change it.
If a protected resource needs to be changed, the resource must first be unlocked.
Location
Resides between user space and kernel space: as a device driver in Windows, as a loadable kernel module in Solaris.
Intercepts all the system calls.
Logic (diagram)
Internal security
PKI + 239-bit ECC
Protecting itself
Protects itself from being altered, disabled or removed by unauthorized individuals, by securing: hardware profiles, file system, registry.
Can guard against
Changes to existing files or registry keys
Creation of new files or registry keys
Other resources: IIS metabase, user accounts, date & time, stack buffer
Custom rules can be added to protect other resources.
ServerLock vs AppLock/Web
ServerLock protects the entire server, while AppLock protects only a specific application.
AppLock/Web is designed to protect web servers (IIS only).
AppLock/Web: $595 per server
ServerLock: $1,295 to $1,695 per server; ServerLock Manager: $5,000 to $15,000
Demo: firewall service rules
Service      Incoming from  Incoming to   Outgoing from  Outgoing to    Properties
HTTP         Any            Web server    Any            Any            Port 80
FTP          HQ only        170 & Dinky   Any            Any            Port 21
SMTP         Any            Mail server   Any            Any            Port 25
DNS          Any            170           Any            Any            Multi-protocol on ports using client ports
Telnet       HQ only        170 & Dinky   Any            Any            Port 23
Ping         Dinky          Any           Any            Any            Do
Lotus Notes  HQ only        170           Any            Any            TCP on port 1352
WatchGuard   None           None          Trusted        Any            Multi-protocol on port 4103
Virus Scan   None           None          Any            64.75.31.197   TCP on port 80
Authority    Admin PC       Firewall      Any            Any            TCP on port 113
Enterprise Level Anti-virus Solutions
Code Red
359,000 servers infected in 14 hours
800,000+ servers infected worldwide
$2.6 billion in downtime and cleanup
Viruses & worms
The most destructive threat in terms of data loss, time to recover and money.
A new destructive threat emerges every 11 hours.
Safeguarding requires frequent updating of virus patterns and applying patches.
Defense-in-Depth (diagram)
Definitions: VirusWall
Resides just after the firewall (at the Internet gateway).
All traffic (SMTP, HTTP, FTP) must pass through the VirusWall.
Stops viruses, worms and spam at the entry point.
Files are downloaded to the VirusWall server and scanned before being sent to clients.
Server protection
Server-based virus guards are different from PC-based ones.
Server protection cont...
Everything depends on the type of server.
Mail servers must use specialized mail-scanning software.
Centralized management of all servers allows one station to update virus definitions and deploy them to the others, which preserves bandwidth.
Desktop protection
Standalone solutions or a centralized solution?
All PCs have the same policy
Ease of management and policy enforcement
Preserves bandwidth
Extensive logging
User state
Corporate image
What makes a good network security system
Simplicity: if it is complex in design and configuration, it is hard to manage and would cause more security holes. Simple designs are more likely to be used consistently and correctly.
Scalability: when you (the business) grow, it should grow with you.
Good security system cont...
High uptime and quick recovery: high mean time between failures, failover recovery.
Distributed architecture: different tasks in different locations (or on different PCs).
Dynamically secured: it cannot be a static, one-time product.
Good security system cont...
Economy of IP addresses: hiding internal IPs, reducing the number of public IPs.
Secure connections: VPN, management station, subcomponents.
Authentication
Good security system cont...
Logging and notification: keeps you informed.
Summaries and reports of network activity.
Physically secured.
Security vs Sri Lanka
Not aware of the threat.
Everyone is searching for a low-cost anti-virus solution that could protect everything.
"I have nothing to lose, so why should I?"
Should I invest more on security?
"If you spend more on coffee (tea) than on security, you deserve to be hacked!"
(advice from a cyber-security adviser to the US president)
Conclusion
Security is a dynamic process in which you have a role to play (loser or winner).
Third-world countries should not be a playground for hackers.
Awareness is the best form of protection.
Questions????
Thank you