StocktononTees, Stirling, Manchester, London,

1
Stockton-on-Tees, Stirling, Manchester, London,
2
Information Security Firewalls and things
Keith Foggon Director of Security Sapphire
Technologies Ltd. Keith.Foggon_at_sapphire.net
Ian Pettigrew Sales Executive Sapphire
Technologies Ltd. Ian.Pettigrew_at_sapphire.net
3
Company Blurb
There isnt any !!! Yippeeeeee..
Any good jokes ?
4
(No Transcript)
5
NOW LETS GET SERIOUS
Information security is important to all our
business Business / customer relationships are
built on trust
So let me mention two of the people that I admire
the most.
6
XENA - Warrior Princess

• Strong willed
• Honest - fights for justice
• Uses sword, fists and Chakram as weapons
• Good horsemanship
• Fights alongside Gabrielle - her companion

7
BUFFY - The Vampire Slayer

• Strong and quick
• Kills vampires and other demons
• Uses anything as weapons or makeshift stakes
• Fearless
• Fights alongside her team of Slayerettes

8
GLASGOW DEATHMATCH 2002 XENA vs. BUFFY
Who would you choose to protect your systems ?
9
(No Transcript)
10
Picking the right security measures is
important. Care must be taken not to make
unjustified decisions
Assess the risk and put the right measures in
place.
BUT - How exactly do you do this?
And what is information ? - the stuff that you
are trying to protect
11
Most people start with a firewall
A few examples Tekdata Sonicwall Checkpoint
Firewall-1
12
(No Transcript)
13
Why a firewall ?

• This is where we want to stop the bad guy
• Reduces risk by protecting systems from attempts
  to exploit vulnerabilities
• Increases privacy - makes it harder to gather
  intelligence about a site
• Enforces your organisations security policy

14
Where do you put the firewall ?

• Where is the traffic coming from and going to ?
• What traffic is flowing where ?

How do you use DMZs ?

• What is trusted and what is not trusted ?
• DMZs quarantine untrusted systems
• Untrusted systems are systems that are connected
  by systems you do not trust or do not control
  (e.g. the Internet)
• For example Mail, Web, DNS are untrusted

15
Unprotected DMZ

• Lies in front of the FW
• No protection (router may filter traffic)
• Simple architecture
• Systems on DMZ are on their own
• Any DMZ system must be stripped down and fully
  secured

16
1) SYN sent from client
1) Are you there ?
2) SYN / ACK sent from server
2) Yes I am. Are you ?
3) ACK sent from client
3) Yes, still here, lets play
Client
Server
Example Syn Flood
17
Screened DMZ

• Traffic must go through the FW
• Can control both inbound and outbound traffic to
  the FW
• Easy to log traffic to and from DMZ
• Impacts on FW performance (as has more packets to
  inspect)
• Increases complexity of FW configuration

18
Systems on DMZ

• Not fully protected by FW
• WEB, MAIL, DNS advertised to Internet
• Systems under heavy attack
• Patches applied, unneeded services removed
• File integrity checks applied

19
Dual Layer Firewall

• You are not limited to a single firewall
• Defence in depth
• Different layers of firewalls can have different
  responsibilities
• 2 firewalls have to be successfully penetrated
• Internal firewall need not know about certain
  other networks

20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
Managing many firewalls

• Two options for rulebases
• A centralised rulebase used by all firewalls
  (however it can become a large rulebase)
• A separate rulebase designed for each individual
  firewall (but can become confusing which rulebase
  belongs to which firewall)
• Recommend no more than 10 FWs to a remote
  management station

26
(No Transcript)
27
What gets logged

• Minimal
• Source and Destination IP Address
• Transport (UDP / TCP etc.)
• Source and Destination IP Port
• Date and Time
• Action (Permit. Drop etc.)
• Nice to have
• Flags (SYN / ACK)
• Sequence no.
• Payload

If you want to look at them then export
28
Stateful Inspection
29
Intrusion Detection Systems
30
What Is Intrusion Detection ?
an intrusion is someone attempting to break into
or misuse your system. How you define someone and
break into or misuse is up to you.
An intrusion detection system, or IDS for short,
attempts to detect an intruder breaking into your
system or a legitimate user misusing system
resources. The IDS will run constantly on your
system, working away in the background, and only
notifying you when it detects something it
considers suspicious or illegal. Whether you
appreciate that notification depends on how well
you've configured your intrusion detection system!
31
Potential Intruders
Note that there are two types of potential
intruders Outside Intruders Most people
perceive the outside world to be the largest
threat to their security. The media scare over
"hackers" coming in over the Internet has only
heightened this perception. Inside Intruders
FBI studies have revealed that 80 of intrusions
and attacks come from within organisations. Think
about it - an insider knows the layout of your
system, where the valuable data is and what
security precautions are in place.
32
Types Of Intrusion Detection Systems

• Host Based Intrusion
• Network Based Intrusion
• Behaviour
• Knowledge

33
What is host-based intrusion detection?
Host-based ID involves loading a piece or pieces
of software on the system to be monitored. The
loaded software uses log files and/or the
system's auditing agents as sources of data
34
Network Based Intrusion Detection Systems
Network- based ID system monitors the traffic on
its network segment as a data source.
35
IDS Strengths

• A strong IDS Security Policy is the HEART of
  commercial IDS
• Provides worthwhile information about malicious
  network traffic
• Can be programmed to minimise damage
• A useful tool for ones Network Security Armory
• Help identify the source of the incoming probes
  or attacks
• Can collect forensic evidence, which could be
  used to identify intruders
• Similar to a security "camera" or a "burglar
  alarm"
• Alert security personnel that someone is picking
  the "lock"
• Alerts security personnel that a Network Invasion
  maybe in progress
• When well configured, provides a certain "peace"
  of mind
• Part of a Total Defense Strategy infrastructure

36
IDS Limits

• Not a cure-all for most security ills
• Produces false positive (false alarms)
• Produces false negative (failed to alarm)
• Large-scale attacks could overwhelm a sensor
• NIDS cannot properly protect high-speed networks
  
• All products have weaknesses
• Not a replacement for
• well managed firewall
• regular security audit
• a strong security policy

37
IDS Products
38

• Intruder Alert
  NetProwlerHost-Based Intrusion Detection
• Policy Management
• Key Features
• Continuously monitor user actions
• Monitor security in real-time
• Manage network-wide response
• Scalable host-based security monitoring
• and intrusion detection.

39
(No Transcript)
40
Stockton-on-Tees, Stirling, Manchester, London