StocktononTees, Stirling, Manchester, London,

About This Presentation

Title:

StocktononTees, Stirling, Manchester, London,

Description:

A separate rulebase designed for each individual firewall (but can become ... Monitor security in real-time. Manage network-wide response ... – PowerPoint PPT presentation

Number of Views:27

Avg rating:3.0/5.0

Slides: 41

Provided by: lisama8

Category:

more less

Transcript and Presenter's Notes

Title: StocktononTees, Stirling, Manchester, London,

1
Stockton-on-Tees, Stirling, Manchester, London,
2
Information Security Firewalls and things
Keith Foggon Director of Security Sapphire
Technologies Ltd. Keith.Foggon_at_sapphire.net
Ian Pettigrew Sales Executive Sapphire
Technologies Ltd. Ian.Pettigrew_at_sapphire.net
3
Company Blurb
There isnt any !!! Yippeeeeee..
Any good jokes ?
4
(No Transcript)
5
NOW LETS GET SERIOUS
Information security is important to all our
business Business / customer relationships are
built on trust
So let me mention two of the people that I admire
the most.
6
XENA - Warrior Princess

Strong willed
Honest - fights for justice
Uses sword, fists and Chakram as weapons
Good horsemanship
Fights alongside Gabrielle - her companion

7
BUFFY - The Vampire Slayer

Strong and quick
Kills vampires and other demons
Uses anything as weapons or makeshift stakes
Fearless
Fights alongside her team of Slayerettes

8
GLASGOW DEATHMATCH 2002 XENA vs. BUFFY
Who would you choose to protect your systems ?
9
(No Transcript)
10
Picking the right security measures is
important. Care must be taken not to make
unjustified decisions
Assess the risk and put the right measures in
place.
BUT - How exactly do you do this?
And what is information ? - the stuff that you
are trying to protect
11
Most people start with a firewall
A few examples Tekdata Sonicwall Checkpoint
Firewall-1
12
(No Transcript)
13
Why a firewall ?

This is where we want to stop the bad guy
Reduces risk by protecting systems from attempts
to exploit vulnerabilities
Increases privacy - makes it harder to gather
intelligence about a site
Enforces your organisations security policy

14
Where do you put the firewall ?

Where is the traffic coming from and going to ?
What traffic is flowing where ?

How do you use DMZs ?

What is trusted and what is not trusted ?
DMZs quarantine untrusted systems
Untrusted systems are systems that are connected
by systems you do not trust or do not control
(e.g. the Internet)
For example Mail, Web, DNS are untrusted

15
Unprotected DMZ

Lies in front of the FW
No protection (router may filter traffic)
Simple architecture
Systems on DMZ are on their own
Any DMZ system must be stripped down and fully
secured

16
1) SYN sent from client
1) Are you there ?
2) SYN / ACK sent from server
2) Yes I am. Are you ?
3) ACK sent from client
3) Yes, still here, lets play
Client
Server
Example Syn Flood
17
Screened DMZ

Traffic must go through the FW
Can control both inbound and outbound traffic to
the FW
Easy to log traffic to and from DMZ
Impacts on FW performance (as has more packets to
inspect)
Increases complexity of FW configuration

18
Systems on DMZ

Not fully protected by FW
WEB, MAIL, DNS advertised to Internet
Systems under heavy attack
Patches applied, unneeded services removed
File integrity checks applied

19
Dual Layer Firewall

You are not limited to a single firewall
Defence in depth
Different layers of firewalls can have different
responsibilities
2 firewalls have to be successfully penetrated
Internal firewall need not know about certain
other networks

20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
Managing many firewalls

Two options for rulebases
A centralised rulebase used by all firewalls
(however it can become a large rulebase)
A separate rulebase designed for each individual
firewall (but can become confusing which rulebase
belongs to which firewall)
Recommend no more than 10 FWs to a remote
management station

26
(No Transcript)
27
What gets logged

Minimal
Source and Destination IP Address
Transport (UDP / TCP etc.)
Source and Destination IP Port
Date and Time
Action (Permit. Drop etc.)
Nice to have
Flags (SYN / ACK)
Sequence no.
Payload

If you want to look at them then export
28
Stateful Inspection
29
Intrusion Detection Systems
30
What Is Intrusion Detection ?
an intrusion is someone attempting to break into
or misuse your system. How you define someone and
break into or misuse is up to you.
An intrusion detection system, or IDS for short,
attempts to detect an intruder breaking into your
system or a legitimate user misusing system
resources. The IDS will run constantly on your
system, working away in the background, and only
notifying you when it detects something it
considers suspicious or illegal. Whether you
appreciate that notification depends on how well
you've configured your intrusion detection system!
31
Potential Intruders
Note that there are two types of potential
intruders Outside Intruders Most people
perceive the outside world to be the largest
threat to their security. The media scare over
"hackers" coming in over the Internet has only
heightened this perception. Inside Intruders
FBI studies have revealed that 80 of intrusions
and attacks come from within organisations. Think
about it - an insider knows the layout of your
system, where the valuable data is and what
security precautions are in place.
32
Types Of Intrusion Detection Systems

Host Based Intrusion
Network Based Intrusion
Behaviour
Knowledge

33
What is host-based intrusion detection?
Host-based ID involves loading a piece or pieces
of software on the system to be monitored. The
loaded software uses log files and/or the
system's auditing agents as sources of data
34
Network Based Intrusion Detection Systems
Network- based ID system monitors the traffic on
its network segment as a data source.
35
IDS Strengths