7 August, 1999 S 1 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The Chinese University of Hong Kong
Department of Computer Science and Engineering
CSC7260 Project II
Security Issues on Distributed Systems (MRL9903)
Prepared by Lorrien K. Y. Lau, Student I.D. 97077200
7 August 1999
2
Agenda
  • Objective
  • What is a Firewall?
    • Definition and goals
  • Firewall Testing
    • Methodology
    • Design (hardware / software / configuration setup) and policy
    • Performance and security testing
  • Result Analysis
  • Future Work and Conclusion
  • Q & A

3
Objective
  • To survey distributed-systems security topics such as encryption and decryption schemes and firewalls in the literature review
  • To evaluate the security control of different firewall configurations by testing a firewall at different security levels, with and without proxy service
  • To investigate the impact of the different firewall security levels and measures on the performance of the firewall system
  • To determine how well the various firewall configurations guard the private network against some potential external attacks and scans
  • To examine the test results and try to deduce a relationship between security and performance
4
What is a Firewall?
Definition
  • Logically, a firewall is a separator, a restricter and an analyzer used to protect the internal network against attack. It is usually installed at the point where the protected internal network connects to the Internet.
  • A system, either software or hardware or both, that enforces an access control policy between two networks.
  • The manifestation of a company's security policy.
5
What is a Firewall?
  • Goals
  • to restrict people to entering at a carefully controlled point
  • to prevent intruders from getting close to your other defenses
  • to restrict people to leaving at a carefully controlled point
  • Acts as a castle wall that keeps outside attacks away from us.

6
Firewall Testing - Methodology
  • Set up the firewall with 7 different security levels by using different firewall policies, Level 1 < Level 2 < ... < Level 7, by means of
    • Screening rules set in the router
    • Proxy server / system configurations
  • Performance Testing - test the network performance against the different firewall security levels with FTP and HTTP
  • Security Testing - verify the security levels by using network scanners such as SAINT, Nessus and BSB Monitor, etc.
7
Firewall Testing - Design
[Diagram: test bed setup (hardware and software), connected to the Internet]
8
Firewall Testing - Policy
Firewall Policy 1
  • PERMIT any service unless it is expressly denied
  • Provides the maximum flexibility/access for internal and external users
Firewall Policy 2
  • PERMIT any service unless it is expressly denied (same as configuration 1)
  • Disallow some problem services from outside, but still provide flexible/easy access from outside; no restriction on access from the internal network to the Internet
9
Firewall Testing - Policy 2
Screening rules at the router for Firewall Policy 2
  • No IP source routing
  • No IP spoofing (e.g. traffic arriving from outside that claims to come from the mail server to pc89180)
  • Deny DNS (TCP) traffic from outside
  • Deny TFTP (UDP) from outside to port 69
  • Deny link (TCP) from outside to port 97
  • Deny SunRPC (UDP) and NFS (TCP) from outside to ports 111 and 2049
  • Deny lpd (TCP) from outside to port 515
  • Allow ALL others from outside to pc89180 and e-mail
  • Allow ALL traffic from the internal network to outside
  • IP masquerading - internal IP addresses are translated at the gateway
10
Firewall Testing - Policy 3
Firewall Policy 3 (Level 2)
  • PERMIT any service unless it is expressly denied (same as configuration 2)
  • Additional protection is added by enabling the proxy service on the firewall server; specific traffic is further shielded and screened by the proxy server installed.
  • Any traffic going into the private network is pre-screened at the router first, then passed to the proxy server for further authentication and screening. The security level is raised because the traffic is examined by both the router and the proxy server.
11
Firewall Testing - Policy 4 & 5
Firewall Policy 4 (Level 3)
  • PERMIT any service unless it is expressly denied (same as configuration 1)
  • Allow even more restricted access from outside, and deny selected bad hosts from outside
  • Deny ICMP traffic from outside (in response to the Nessus report)
Firewall Policy 5
  • DENY any service unless it is expressly permitted (or, "that which is not expressly permitted is prohibited")
  • Deny all access from outside by default, but allow access from inside
  • Permit only authorized IPs access to the private network
12
Firewall Testing - Policy 6 & 7
Firewall Policy 6 (Level 5)
  • DENY any service unless it is expressly permitted
  • A more restricted policy that permits outside access to a certain port-number range only, e.g. restrict TCP from outside to source ports > 1023 destined for pc89180 at port 80
  • Permit only authorized IPs access to the private network
Firewall Policy 7 (Level 6)
  • DENY any service unless it is expressly permitted
  • Provides the least flexibility and services to the internal users, but incorporates maximum protection on the LAN
  • Restrict the internal users from using some Internet services, e.g. Telnet, TFTP
13
Firewall Testing - Performance Test
  • Performance indicators: total transaction time, latency
  • FTP protocol - data transfer from an outside FTP server
    • 5 MB data, 1 to 10 connections
    • 1 MB data, 1 to 10 connections
    • 395 KB data, 1, 5, 10, 20, 40 connections
  • HTTP protocol - data retrieval from outside, 38.9 KB data, 1 to 300 connections

14
Firewall Testing - Security Test
Tools: network scanners such as Nessus
15
Firewall Testing - Security Test
Nessus Setup Screen
16
Firewall Testing - Security Test
Nessus - attacks and scans to be chosen
17
Firewall Testing - Security Test
Nessus result report generated after the attack and scanning run
18
Firewall Testing - Security Test
SAINT - Security Administrator's Integrated
Network Tool
19
Firewall Testing - Security Test
BSB - Monitor
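The security test on the slides above verifies each level by pointing SAINT or Nessus at the firewall and counting what answers. The block below is an added example, not the presentation's tooling: a minimal TCP connect scan plus a check that diffs the ports that answer against the ports the policy is supposed to expose, which is the comparison a practitioner makes after every policy change. It runs against a loopback listener that it starts itself, so the host, the listener and the probed port list are constructed; a real run would point it at the screened host from outside the router.

```python
"""Connect-scan check of a firewall policy (added example, loopback only)."""
import socket
import threading
from typing import Dict, Iterable, List, Tuple


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Start a throwaway TCP service on an ephemeral port; stands in for the screened host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by the caller
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """Reserve and release an ephemeral port so the scan has a known-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Full TCP connect scan: a completed handshake means the port is reachable.

    A filtered port (router drops the SYN) shows up as a timeout, a closed one
    as an immediate refusal; both count as "not reachable" here.
    """
    reachable = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                reachable.append(port)
    return reachable


def check_policy(host: str, expected_open: Iterable[int],
                 probe_ports: Iterable[int]) -> Dict[str, List[int]]:
    """Compare what answers with what the policy says may answer."""
    found = set(connect_scan(host, probe_ports))
    expected = set(expected_open)
    return {
        "open": sorted(found),
        "unexpected": sorted(found - expected),   # policy says closed, port answers
        "missing": sorted(expected - found),      # policy says open, nothing answers
    }


if __name__ == "__main__":
    # Constructed target: one listening port and one known-closed port on loopback.
    srv, open_port = start_listener()
    closed_port = free_port()
    print(check_policy("127.0.0.1", [open_port], [open_port, closed_port]))
    srv.close()
```

An empty "unexpected" list is the result the deck's Level 7 run corresponds to; any entry in it is a screening rule that is missing or ordered after a broader permit.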
20
Result Analysis - Security Test
Summarising all the scanner reports, the number of warnings and vulnerabilities found at each level was:

  Level    Warnings + vulnerabilities
  Level 1  10
  Level 2   9
  Level 3   7
  Level 4   6
  Level 5   6
  Level 6   3
  Level 7   0
21
Result Analysis - Performance Testing - Data
Transfer by HTTP
With 395K data retrieval, under firewall
policy/configuration 1
22
Result Analysis - Performance Testing - Data
Transfer by HTTP
With 395K data retrieval, under firewall
configuration 1,2
23
Result Analysis - Performance Testing - Data
Transfer by HTTP
With 395K data retrieval, under firewall
configuration 1,2,3
24
Result Analysis - Performance Testing - Data
Transfer by HTTP
With 395K data retrieval, under firewall
configuration 1,2,3,4
25
Result Analysis - Performance Testing - Data
Transfer by HTTP
With 395K data retrieval, with all the 7
firewall configurations
26
Result Analysis - Performance Testing - Data
Transfer by HTTP
Latency - with 395K data retrieval, with all the
7 firewall config.
27
Result Analysis - Performance Testing - Data
Transfer by FTP
TL average transaction time, with 5M data for
transfer
28
Result Analysis - Performance Testing - Data
Transfer by FTP
TL min transaction time, with 5M data for
transfer
29
Result Analysis - Performance Testing - Data
Transfer by FTP
TL average transaction time, with 1M data for
transfer
30
Result Analysis - Performance Testing - Data
Transfer by FTP
TL average transaction time, with 38.9K data for
transfer
31
Result Analysis - Performance Testing - Data
Transfer by FTP
Average latency Time, with 38.9K data for
transfer
32
Result Summary & Conclusion
  • Larger/smaller size of data for transfer --> more/less transaction time
  • More connection requests --> more traffic collisions; performance is more affected by external traffic interference
  • Overhead is significant when it outweighs or is comparable with the transaction time itself, especially when using proxy servers
  • More security --> more overhead --> poorer performance (L1 > L3)
  • Security-performance relationship: overhead is added with each extra security control at a higher security level, except where the added control does not incur any overhead

33
Future Work
34
Calculate performance index ?
35
More about future work ...
  • More repeated tests with different data sizes, connection counts and other firewall parameters
  • Restructure the seven security levels so that they differ more from one another

36
Finally ...
Thanks for coming!
37
Two Main Problems ...
1. Outside interference with the performance testing: irregularities in the curves need more test runs to smooth out
2. Security level definition for a firewall: easy to define, difficult to achieve and guarantee
38
Screening rule checks
Phase 2 access list:
  access-list 100 deny udp any host 137.189.89.250 eq tftp
  access-list 100 deny tcp any host 137.189.89.250 eq 97
  access-list 100 deny tcp any host 137.189.89.250 eq sunrpc
  access-list 100 deny udp any host 137.189.89.250 eq sunrpc
  access-list 100 deny tcp any host 137.189.89.250 eq 2049
  access-list 100 deny tcp any host 137.189.89.250 eq lpd
  access-list 100 permit ip any any

Number of rules a packet traverses before being permitted:
  Phase 7    12
  Phase 6    20
  Phase 5    20
  Phase 4    24
  Phase 3/2   7
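The policy progression on slides 8 to 12 and the Phase 2 access list on this slide can be checked offline by modelling the router's first-match evaluation. The block below is an added example, not part of the original presentation or its test bed: it encodes the Phase 2 list as written above, prefixed with the slide 9 "no IP spoofing" rule, and a Policy 6 style default-deny list, then runs constructed packets through both to show what each level lets through. The internal range 137.189.89.0/24, the outside address 202.40.1.1 and the probe packets are assumptions; the semantics modelled are the Cisco ones, where the first matching entry decides and every list ends in an implicit deny.

```python
"""First-match screening-rule evaluator (Cisco IOS extended-ACL semantics).

Added example: models the slide 38 Phase 2 list and a Policy 6 style
default-deny list, then runs constructed packets through both.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PC89180 = "137.189.89.250"        # screened host from slide 38
INTERNAL_NET = "137.189.89.0/24"  # assumed internal address range


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str = "any"               # "any", a host address or a CIDR block
    dst: str = "any"
    sport_min: int = 0             # source-port range; 0..65535 means any
    sport_max: int = 65535
    dport: Optional[int] = None    # None means any destination port

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (self._addr_ok(self.src, p.src) and self._addr_ok(self.dst, p.dst)):
            return False
        if not (self.sport_min <= p.sport <= self.sport_max):
            return False
        return self.dport is None or self.dport == p.dport


def evaluate(rules: List[Rule], p: Packet) -> str:
    """The first matching entry decides; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Slide 9's "no IP spoofing": a packet on the outside interface with an internal
# source address is forged and is dropped before anything else is considered.
ANTI_SPOOF = Rule("deny", "ip", src=INTERNAL_NET)

# Policy 2 / Phase 2 list as transcribed on slide 38, anti-spoof rule prepended.
POLICY_2 = [
    ANTI_SPOOF,
    Rule("deny", "udp", dst=PC89180, dport=69),     # tftp
    Rule("deny", "tcp", dst=PC89180, dport=97),     # "link" as labelled on the slides
    Rule("deny", "tcp", dst=PC89180, dport=111),    # sunrpc
    Rule("deny", "udp", dst=PC89180, dport=111),    # sunrpc
    Rule("deny", "tcp", dst=PC89180, dport=2049),   # nfs
    Rule("deny", "tcp", dst=PC89180, dport=515),    # lpd
    Rule("permit", "ip"),                           # default permit
]

# Policy 6 style list: only TCP from outside source ports > 1023 to pc89180:80 is
# permitted; everything else falls through to the implicit deny.
POLICY_6 = [
    ANTI_SPOOF,
    Rule("permit", "tcp", dst=PC89180, sport_min=1024, dport=80),
]

# Constructed probe packets as seen on the outside interface (202.40.1.1 is assumed).
SAMPLE_PACKETS = [
    Packet("tcp", "202.40.1.1", PC89180, 40000, 80),     # ordinary web request
    Packet("udp", "202.40.1.1", PC89180, 40000, 69),     # tftp probe
    Packet("tcp", "202.40.1.1", PC89180, 40000, 23),     # telnet probe
    Packet("tcp", "137.189.89.7", PC89180, 40000, 80),   # forged internal source
    Packet("tcp", "202.40.1.1", PC89180, 80, 80),        # low source port, rejected by the > 1023 rule
]


def decide_all(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Decision for every packet, in order."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for name, rules in (("Policy 2", POLICY_2), ("Policy 6", POLICY_6)):
        print(name, decide_all(rules, SAMPLE_PACKETS))
```

The telnet probe is the difference the deck's Level 1 to Level 5 scanner counts reflect: a default-permit list only stops what someone remembered to deny, while the default-deny list stops it without any rule mentioning port 23 at all.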