Secure Network Architecture
Indian Computer Emergency Response Team
Department of Information Technology
Ministry of Communications & Information Technology
New Delhi
Vikas Jain
[email protected]
Agenda
• Network Security Architecture
• Major Network Security Equipment
Using Three Interface Firewall
Using IDS/IPS
Secure remote access using VPN
Site-to-site VPN
Secure access using RSA Secure ID token
Wireless Access Point
Unified Threat Management
DDoS
Data Leakage/Data Breach
DLP
Web Security
Email Security
Antivirus Solution
Major Network Security Equipment
Basic Secure Network Design
Basic Single firewall architecture
Firewall
• A firewall is a hardware or software system that prevents
unauthorized access to or from a network.
• Implemented in hardware, in software, or as a combination of both.
• Sits between two networks
– Used to protect one network from the other
– Places a bottleneck between the networks
• All communications must pass through the bottleneck
– this gives us a single point of control.
Firewall functions
• Filtering/Inspection/Detection/Logging/Alerting/Allow
Address Reuse
Types of Firewall
• Network Layer firewall
• Application Layer
• Proxies
• Network Address Translation
Stateful firewall operation
Contd…
• Allow ssh login to firewall host from outside
#iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport ssh -j ACCEPT
• Allow pings from all interfaces
#iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
• Port redirection
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.20
• Redirect traffic to Proxy server
#iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.0.200:3128
• MASQUERADE/Internet sharing
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
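The iptables rules above accept SSH and ICMP with separate, stateless INPUT and OUTPUT rules. A stateful firewall instead records each connection it has allowed and accepts later packets only when they match an entry in its state table, which is what the "Stateful firewall operation" slides illustrate. The following Python simulation is an added example written for this page, not code from the presentation; the interface roles, the firewall address 203.0.113.1 and the policy of accepting inbound SSH only to the firewall itself are assumptions.

```python
"""Minimal stateful packet filter: an added illustration for the
"Stateful firewall operation" slides (not the presentation's own code).
Interface roles, the firewall address and the policy are assumptions."""
from dataclasses import dataclass

INSIDE, OUTSIDE = "eth1", "eth0"   # assumed: eth1 faces the LAN, eth0 the Internet


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


class StatefulFilter:
    """Default-deny filter with a connection table keyed on the 5-tuple.
    Assumed policy, mirroring the iptables rules shown above:
      - hosts on the inside may open new connections outward;
      - from the outside, new connections are accepted only to the
        firewall's own SSH port;
      - every other packet is accepted only if it belongs to a tracked
        connection (what iptables calls ESTABLISHED)."""

    def __init__(self, firewall_ip, open_ports_from_outside=(22,)):
        self.firewall_ip = firewall_ip
        self.open_ports = set(open_ports_from_outside)
        self.table = set()   # (proto, src, sport, dst, dport) of tracked flows

    @staticmethod
    def _forward_key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def check(self, p):
        # 1. Packet belongs to a connection we already track, in either direction.
        if self._forward_key(p) in self.table or self._reverse_key(p) in self.table:
            return "ACCEPT (established)"
        # 2. Not tracked: only a genuine new-connection packet may create state.
        #    A TCP segment without SYN and without state is dropped, which is
        #    what stops stray or spoofed ACKs from slipping through.
        is_new = p.syn or p.proto != "tcp"
        if not is_new:
            return "DROP (no state)"
        if p.iface == INSIDE:
            self.table.add(self._forward_key(p))
            return "ACCEPT (new, outbound)"
        if (p.iface == OUTSIDE and p.proto == "tcp"
                and p.dst == self.firewall_ip and p.dport in self.open_ports):
            self.table.add(self._forward_key(p))
            return "ACCEPT (new, inbound ssh)"
        return "DROP (policy)"


def demo():
    """Run constructed sample traffic through the filter; returns the verdicts."""
    fw = StatefulFilter(firewall_ip="203.0.113.1")
    traffic = [
        Packet(INSIDE, "tcp", "192.168.0.20", 40000, "198.51.100.5", 80, syn=True),   # LAN host opens HTTP
        Packet(OUTSIDE, "tcp", "198.51.100.5", 80, "192.168.0.20", 40000),            # server's reply
        Packet(OUTSIDE, "tcp", "198.51.100.9", 40001, "192.168.0.20", 445, syn=True),  # unsolicited inbound SYN
        Packet(OUTSIDE, "tcp", "198.51.100.9", 40002, "192.168.0.20", 40000),          # stray ACK, no state
        Packet(OUTSIDE, "tcp", "198.51.100.7", 50000, "203.0.113.1", 22, syn=True),    # admin SSH to firewall
    ]
    return [fw.check(p) for p in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth packet is the point of the exercise: a stateless rule pair like the ssh example above would accept it on the basis of its ports alone, while the state table rejects it because no connection matches.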
Definition
Intrusion Detection
Intrusion detection is a technique of detecting unauthorized access to a
computer system or a computer network
Terminology in IDS
• Alert/Alarm: A signal suggesting that a system has been or is being
attacked.
• True Positive: A legitimate attack which triggers an IDS
to produce an alarm.
• False Positive: An event signalling an IDS to produce an
alarm when no attack has taken place.
• False Negative: A failure of an IDS to detect an actual
attack.
• True Negative: When no attack has taken place and no
alarm is raised.
Types of IDS
For practical purposes, there are three main types of IDS:
• Network intrusion detection system (NIDS)
-It is an independent platform that identifies intrusions by examining network
traffic and monitors multiple hosts, developed in 1986 by Pete R. Network
intrusion detection systems gain access to network traffic by connecting to a
network hub, a network switch configured for port mirroring, or a network tap. In
a NIDS, sensors are located at choke points in the network to be monitored,
often in the demilitarized zone (DMZ) or at network borders. Sensors capture
all network traffic and analyze the content of individual packets for
malicious traffic. An example of a NIDS is Snort.
• Host-based intrusion detection system (HIDS)
-It consists of an agent on a host that identifies intrusions by analyzing
system calls, application logs, file-system modifications (binaries, password
files, capability databases, access control lists, etc.) and other host activities
and state.
Contd…
• Stack-based intrusion detection system (SIDS)
-This is the newest IDS technology and varies dramatically from
vendor to vendor.
A stack-based IDS works by integrating closely with the TCP/IP stack,
allowing packets to be watched as they traverse their way up the OSI
layers. Watching the packets in this way allows the IDS to pull the
packets from the stack before the OS or the application have a
chance to process them. To be complete, a stack-based IDS
should watch both incoming and outgoing network traffic on a system.
By monitoring only the network packets destined for a single host, the
principle is to keep the IDS overhead sufficiently low that
every system on the network can run a stack-based IDS.
Strength of Network IDS
• Cost of ownership:-
Fewer detection points are required, and there is no need to install a
software agent on every system.
• Packet analysis:-
Most of today’s IP-based DoS attacks are easily detected by a NIDS by
analyzing packet headers; for example, the LAND attack uses a forged packet
in which the source and destination IP address and port are the same as
those of the target host.
• Evidence removal:-
The network-based IDS uses live network traffic for its attack detection in
real time, and an attacker cannot remove this evidence once captured. This
captured data not only contains the attack but also information that may help
lead to the attacker's identification.
Contd…
• Malicious Intent Detection:-
A network-based IDS can also be very valuable in determining malicious
intent. If a network-based IDS is placed outside the firewall it can
detect attacks intended for resources behind the firewall, even though the
firewall may be rejecting these attack attempts. A host-based IDS could not
show these rejected attacks because they never reach the host, but it is
important to know the frequency and types of attacks being thrown at your
network.
Strength of Host IDS
• Attack Verification:-
Because the host-based IDS uses logs containing events that have actually
occurred, it has the advantage of knowing whether the actual attack or exploit was
successful. This type of detection has been deemed more accurate and
less prone to false positives. Many network-based detections can trigger
numerous false positives because normal traffic can look very close to
malicious traffic. In addition, it is hard for a network-based IDS to know
whether or not an attack was successful.
• System Specific Activity:-
The host-based IDS can quickly monitor user and file access activity.
Any time a login or logoff procedure is executed it is logged, and the host-
based IDS can monitor this based on its current policy. In addition, it can also
monitor various file accesses and be notified when specific files are opened
or closed. This type of system activity cannot be monitored or detected by a
network-based IDS because it does not necessarily generate traffic on the
network.
Contd…
Example:-
Someone walks up to a keyboard and opens a non-shared file. The host-
based IDS can also monitor activities that should and can only be executed
by an administrator. Any time user accounts are added, deleted, or
modified, this information is logged and can be detected as soon as the
change is executed.
• Firecell:-
Firecell is a technology that is part of the ISS stack-based IDS Server Sensor.
Firecell allows, either by pre-configuration or as a response to an attack,
specific traffic to be refused. This works similarly to a firewall in that the
stack-based IDS examines the packets and, if they match a Firecell rule, the
packets are dropped. For example, if your company policy is that no HTTP
servers are to be installed on workstations, a Firecell rule could be implemented
that drops all inbound packets to port 80.
The need for both types
As you can clearly see both network and host-based IDS solutions have
unique strengths and benefits over one another and that is why the next
generation IDS must evolve to include a tightly integrated host and network
component.
Types of Detection
• NIDS Detection Types
• Rule-Based Detection
– Signatures produced for known attacks
– Traffic scanned for matches to signatures
• Anomaly Detection
– Baseline of “normal” traffic produced
– Deviations from baseline flagged as intrusions
• HIDS Detection Types
– Executable file checksums
– System call monitoring
– Log file monitoring
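To make the alert terminology (true/false positive/negative) and the two NIDS detection types concrete, here is an added Python example, not code from the presentation, that runs a rule-based signature check and a simple anomaly baseline over constructed web-server log lines and then labels each outcome with the slides' terms. The signatures, the baseline multiplier and every log line are constructed for this illustration.

```python
"""Rule-based and anomaly-based detection over constructed log lines, with
each outcome labelled using the IDS alert terminology from the slides.
Added example, not the presentation's code; signatures, thresholds and
log lines are all constructed."""
import re
from collections import Counter

# Rule-based detection: signatures for two well-known web attack patterns (constructed)
SIGNATURES = {
    "sql_injection":  re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
    "path_traversal": re.compile(r"\.\./\.\./"),
}


def src_of(line):
    """Log format assumed here: '<source-ip> <method> <path>'."""
    return line.split()[0]


def rule_based(line):
    """Return the name of the first matching signature, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(line):
            return name
    return None


def build_baseline(normal_lines):
    """Anomaly detection, step 1: requests per source in known-good traffic."""
    return Counter(src_of(l) for l in normal_lines)


def anomaly_based(lines, baseline, factor=5):
    """Anomaly detection, step 2: sources whose request count exceeds
    `factor` times the busiest source in the baseline are flagged."""
    threshold = factor * max(baseline.values())
    counts = Counter(src_of(l) for l in lines)
    return {src for src, n in counts.items() if n > threshold}


def classify(alerted, is_attack):
    """Map (alarm raised?, attack really happened?) to the slides' terms."""
    if alerted and is_attack:
        return "true positive"
    if alerted and not is_attack:
        return "false positive"
    if not alerted and is_attack:
        return "false negative"
    return "true negative"


def run_demo():
    """Returns a count of outcomes over the constructed traffic below."""
    normal = ["10.0.0.5 GET /index.html", "10.0.0.6 GET /about.html"] * 3
    # (log line, ground truth) pairs; the truth column is what the IDS cannot see
    observed = [
        ("10.0.0.5 GET /index.html", False),                     # ordinary request
        ("10.0.0.7 GET /search?q=' or 1=1--", True),             # signature hit
        ("10.0.0.8 GET /../../etc/passwd", True),                # signature hit
        ("10.0.0.9 GET /kb/sql/union select tutorial", False),   # benign page that trips a signature
        ("10.0.0.11 GET /backup.zip", True),                     # unauthorised download: no signature, no volume
    ] + [("10.0.0.10 POST /login", True)] * 21                   # password guessing: volume anomaly only
    baseline = build_baseline(normal)
    anomalous = anomaly_based([line for line, _ in observed], baseline)
    outcomes = Counter()
    for line, is_attack in observed:
        alerted = rule_based(line) is not None or src_of(line) in anomalous
        outcomes[classify(alerted, is_attack)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    print(run_demo())
```

The two detection types fail differently: the signature engine produces the false positive (a harmless page name that looks like an attack string), while the single unauthorised download is the false negative, because it matches no signature and does not move the volume baseline. That is the trade-off the "need for both types" slide refers to.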
Intrusion Prevention
The IT Security Guard
• IPS evolved from IDS - IDS identifies threats and sends
alerts, IPS blocks attacks targeted at your network.
• Looks at network traffic and host logs for signs of
intrusion
• For accurate, pre-emptive protection, IPS products use
multiple techniques to:
- Recognize and identify protocols
- Analyze traffic
• Automatically takes action to protect networks and
systems from attack
• Helps reduce patch update urgency.
Types of IPS
• Network-based Intrusion Prevention (NIPS): monitors the
entire network for suspicious traffic by analyzing protocol
activity.
• Network Behaviour Analysis (NBA): examines network
traffic to identify threats that generate unusual traffic
flows, such as distributed denial of service (DDoS)
attacks, certain forms of malware, and policy violations.
• Host-based Intrusion Prevention (HIPS): an installed
software package which monitors a single host for
suspicious activity by analyzing events occurring within
that host.
Secure remote access with VPN
Primarily three methods of creating / establishing a Virtual Private Network:
– With Routers/VPN Concentrators,
– With UTM (Unified Threat Management) devices,
– With Wireless Controllers and Remote Access Points
Fig. VPN Architecture Diagram with Routers/VPN Concentrators
Site-to-site VPN
Contd…
• Secure VPN protocols include the following:
• IPSec: Its design meets most security goals: authentication, integrity,
and confidentiality. IPSec functions by encrypting and
encapsulating an IP packet inside an IPSec packet. De-encapsulation
happens at the end of the tunnel, where the original
IP packet is decrypted and forwarded to its intended destination.
• Transport Layer Security (SSL/TLS) can tunnel an entire network's
traffic, as it does in the OpenVPN project, or secure an individual
connection. An SSL VPN can connect from locations where IPSec
runs into trouble with Network Address Translation and firewall
rules.
• Secure Shell (SSH) VPN: OpenSSH offers VPN tunnelling (distinct
from port forwarding) to secure remote connections to a network or
inter-network links. The OpenSSH server provides a limited number of
concurrent tunnels, and the VPN feature itself does not support
personal authentication.
Secure access with RSA secureID
Wireless Access Point
Wireless Attacks
• Rogue access points
– Employees often set up home wireless routers for convenience at work
– This allows attackers to bypass all of the network security and opens
the entire network and all users to direct attacks
– An attacker who can access the network through a rogue access point
is behind the company's firewall.
Unified Threat Management
Unified Threat Management (UTM) is a comprehensive
solution that has recently emerged in the network
security industry, and since 2004 it has gained
widespread currency as a primary network gateway
defense solution for organizations. In theory, UTM is the
evolution of the traditional firewall into an all-inclusive
security product able to perform multiple security
functions within one single appliance: network
firewalling, network intrusion prevention and gateway
antivirus (AV), gateway anti-spam, VPN, content
filtering, load balancing, data leak prevention and on-
appliance reporting.
DDoS
• In computing, a denial-of-service attack (DoS attack) or distributed
denial-of-service attack (DDoS attack) is an attempt to make a machine or network
resource unavailable to its intended users.
• Perpetrators of DoS attacks typically target sites or services hosted on
high-profile web servers such as banks, credit card payment gateways, and even
root nameservers.
• Types of DDoS attack
– ICMP flood
– SYN flood
– Teardrop attacks
– Low-rate DoS attacks
– Permanent DoS attacks
– Spoofed attacks, e.g. Smurf attack
• Prevention
• Using routers, firewalls and switches
• Traditionally, these devices could play a significant role in preventing DoS
attacks for small organizations by applying these features:
– Black holing
– Sink holing
– Redirecting traffic to a NULL interface
– ACL/Rate limiting
• Today, vendors such as Radware, Check Point and Arbor offer
advanced features to fight DDoS attacks. For these devices to work,
the router has to be configured to redirect NetFlow
traffic to the TMS interface of the device.
NetFlow
• NetFlow:- It is a network protocol developed by Cisco Systems for
collecting IP traffic information.
• A network flow can be defined in many ways. Cisco's standard
NetFlow version 5 defines a flow as a unidirectional sequence of
packets that all share the following 7 values:-
– Ingress interface
– Source IP address
– Destination IP address
– IP protocol
– Source port for TCP and UDP, 0 for other protocols
– Destination port for TCP and UDP, type for ICMP, 0 for other protocols
– IP Type of Service
• Advanced Threat Countermeasures: -
– White and Black Lists: Determine if specific hosts are allowed (i.e., white
listed) or not allowed to pass through the Peakflow SP TMS device (i.e.,
put on a black list and scrubbed).
– Detailed Filters: Detect and block traffic that matches user-defined
details, such as host/destination IP addresses, port numbers, TCP/UDP
header flags, etc.
– HTTP Object and Rate Limiting: Detect and block traffic coming from
hosts that exceed user-defined thresholds for the number of HTTP
requests/second and HTTP objects downloaded/second.
– Malformed Packets and DNS Authentication: Detect and block traffic that
is coming from hosts sending malformed DNS requests, or when DNS
authentication does not occur in a specified time period.
– Idle Connection Timeouts and TCP SYN Authentication: Detect and
block TCP connections that remain idle for too long, or cannot be
authenticated by the Peakflow SP TMS device within a specified timeout.
– Zombie Detection: Detect and block traffic from hosts that exceed a
user-defined threshold for packets-per-second (pps) or bits-per-second
(bps).
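The NetFlow slide lists the seven fields that identify a flow, and the Zombie Detection item above describes a per-host packet-rate threshold. The Python below is an added example, not code from the presentation or from any vendor product: it groups constructed packet records into flows on exactly those seven fields and then computes per-source packets per second over an export window. The packet records, the interface index, the window length and the 50 pps limit are all constructed values.

```python
"""Flow aggregation on the seven NetFlow v5 key fields, followed by a
per-source packets-per-second threshold of the kind listed under
"Zombie Detection". Added example, not the presentation's or a vendor's
code; the packet records, interface index and limits are constructed."""
from collections import defaultdict


def flow_key(pkt):
    """The seven fields that define a NetFlow v5 flow (see the slide above)."""
    proto = pkt["proto"]
    if proto in ("tcp", "udp"):
        sport, dport = pkt["sport"], pkt["dport"]
    elif proto == "icmp":
        sport, dport = 0, pkt["icmp_type"]   # ICMP type is carried in the dst-port field
    else:
        sport, dport = 0, 0                  # other protocols: both ports are 0
    return (pkt["in_if"], pkt["src"], pkt["dst"], proto, sport, dport, pkt["tos"])


def aggregate(packets):
    """Collapse packet records into flows: key -> packet/byte counters and timestamps."""
    flows = {}
    for p in packets:
        f = flows.setdefault(flow_key(p),
                             {"packets": 0, "bytes": 0, "first": p["ts"], "last": p["ts"]})
        f["packets"] += 1
        f["bytes"] += p["len"]
        f["first"] = min(f["first"], p["ts"])
        f["last"] = max(f["last"], p["ts"])
    return flows


def hosts_over_pps(flows, window_seconds, pps_limit):
    """Sum packets per source IP (key index 1) over the export window and
    return the sources whose rate exceeds the limit."""
    per_src = defaultdict(int)
    for key, f in flows.items():
        per_src[key[1]] += f["packets"]
    return {src: n / window_seconds for src, n in per_src.items()
            if n / window_seconds > pps_limit}


def make_sample():
    """Constructed packet records for a 10-second window: one host making a
    normal web request plus a ping, another sending a burst of small UDP packets."""
    pkts = []
    for i in range(4):
        pkts.append(dict(ts=i * 0.5, in_if=1, src="192.168.0.20", dst="198.51.100.5",
                         proto="tcp", sport=40000, dport=80, tos=0, len=600))
    pkts.append(dict(ts=1.0, in_if=1, src="192.168.0.20", dst="198.51.100.5",
                     proto="icmp", icmp_type=8, tos=0, len=84))
    for i in range(600):   # 600 packets in 10 s = 60 pps, each with a fresh source port
        pkts.append(dict(ts=i / 60, in_if=1, src="192.168.0.77", dst="198.51.100.53",
                         proto="udp", sport=1024 + i, dport=53, tos=0, len=64))
    return pkts


if __name__ == "__main__":
    flows = aggregate(make_sample())
    print(len(flows), "flows;", hosts_over_pps(flows, window_seconds=10, pps_limit=50))
```

Because the source port is part of the flow key, the UDP burst appears as 600 single-packet flows rather than one large flow; that is why the rate check sums per source address across flows instead of looking at flow size.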
Data Leakage/Data Breach
• Data leakage is one of the most debilitating problems that
occur within an organization. The main problem is created
when private and confidential data leaks out of the
organization’s network and drips into the hands of unauthorized
users, hackers or malicious users. The leaked data may consist
of intellectual property and private and sensitive data. The
loss of private and sensitive data affects the financial
condition and reputation of the organization. Therefore, it is
important to protect and secure the confidential data of the
organization.
• Data can leak through:
– Data breach after hacking a web server
– FTP server upload
– Web upload
– Email attachment
Data Theft
• Data theft is a growing problem primarily perpetrated by office
workers with access to technology such as desktop computers and
hand-held devices capable of storing digital information such as
USB flash drives, iPods and even digital cameras.
• Types of Data theft:-
– Thumbsucking
– Pod slurping
– Bluesnarfing
– Sneakernet
– Data breach
Data Leak Prevention
• Data leak prevention (DLP) is a suite of technologies
aimed at stemming the loss of sensitive information that
occurs in enterprises across the globe.
• Types of DLP:-
• Data in motion:- if a sensitive file is transferred using FTP,
there are several things that this will bring to light.
Types of DLP
• Data in motion DLP works on these factors:-
• Whether the file is sent through a cleartext protocol such as FTP.
• Whether the file is leaving the company network.
• Whether the parties involved are authorized to view and transmit the data.
• Data at rest:-
• Data at endpoint:-
– Data at endpoints is an agent-based solution that sits on end
user workstations and laptops, monitoring for any data leaving via
removable devices, such as floppies, CDs, USB drives, etc.
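The three data-in-motion factors can be written down as a policy check that a DLP sensor applies to each observed transfer. The Python below is an added example, not the presentation's code; its list of cleartext protocols, the company address ranges and the per-user authorization table are assumptions made for the illustration.

```python
"""Data-in-motion policy check for the three factors listed above. Added
example, not the presentation's code; the cleartext protocol list, the
company address ranges and the authorization table are assumptions."""
import ipaddress

CLEARTEXT_PROTOCOLS = {"ftp", "http", "smtp", "pop3", "imap", "telnet"}   # assumed
COMPANY_NETS = [ipaddress.ip_network("10.0.0.0/8"),                        # assumed
                ipaddress.ip_network("192.168.0.0/16")]
# constructed authorization table: (user, classification) -> may transmit?
AUTHORIZED = {("alice", "confidential"): True,
              ("bob", "confidential"): False}


def is_internal(ip):
    """True when the destination lies inside one of the company ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMPANY_NETS)


def evaluate_transfer(user, classification, protocol, dst_ip):
    """Return (verdict, reasons) for one observed file transfer.
    Only 'confidential' files are policed: 'block' for transfers leaving the
    company or by unauthorised users, 'alert' when an authorised user moves a
    file internally over a cleartext protocol, 'allow' otherwise."""
    if classification != "confidential":
        return "allow", []
    cleartext = protocol.lower() in CLEARTEXT_PROTOCOLS
    leaving = not is_internal(dst_ip)
    unauthorised = not AUTHORIZED.get((user, classification), False)
    reasons = []
    if cleartext:
        reasons.append(f"cleartext protocol {protocol}")
    if leaving:
        reasons.append(f"destination {dst_ip} is outside the company network")
    if unauthorised:
        reasons.append(f"{user} is not authorised to transmit {classification} data")
    if leaving or unauthorised:
        verdict = "block"
    elif cleartext:
        verdict = "alert"
    else:
        verdict = "allow"
    return verdict, reasons


if __name__ == "__main__":
    # constructed transfer events: (user, classification, protocol, destination)
    for event in [("alice", "confidential", "sftp", "10.1.2.3"),
                  ("alice", "confidential", "ftp", "10.1.2.3"),
                  ("bob", "confidential", "ftp", "203.0.113.9"),
                  ("bob", "public", "ftp", "203.0.113.9")]:
        print(event, "->", evaluate_transfer(*event))
```

Returning the list of reasons alongside the verdict matters in practice: an analyst triaging DLP events needs to see which of the three factors fired, since an internal cleartext transfer by an authorised user calls for a different response than a confidential file leaving the network.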
Data Security
Data security is the means of ensuring that data is kept safe from corruption
and that access to it is suitably controlled.
Physical data security technologies:-
Disk encryption
-We can use PGP, TrueCrypt and BitLocker.
Hardware-based mechanisms for protecting data
Security tokens are based on hardware-based encryption and provide two-
factor authentication.
Backups are used to ensure data which is lost can be recovered.
Data masking of structured data is the process of obscuring (masking)
specific data within a database table. (For example, banking customer
representatives can only see the last 4 digits of a customer's national identity
number.)
Data erasure is a method of erasing data completely from media.
Web Security
• Targeted attacks and data theft are changing web security. Blocking threats is no
longer enough. You need to know who in your organization is being targeted, how
attacks infect your systems, where command-and-control malware is calling home,
and what data your attackers are going after.
Email Security
• Email accounts are repositories for the private and
confidential information of an individual. The email
account can be vulnerable: if the account is hacked by an attacker,
the result is the loss of important and personal information.
• Need for Email Security
– Information can leak if the email account password is hacked.
– If email is transmitted through a cleartext protocol like POP or SMTP,
anyone on the path can intercept the email data by performing a MITM attack.
• Protection:-
• User email can be protected from hackers by using email
encryption software and a secured connection between user and
server.
– PGP gives us the functionality of sending encrypted mail.
– By implementing secure communication between client and server using
secure protocols like HTTPS, POP3S and SMTPS.
Antivirus Suites and Internet Security
Antivirus Software/Hardware is used to prevent,
detect, and remove malware, including computer
viruses, worms, and trojan horses. Such programs
may also prevent and remove adware, spyware, and
other forms of malware. Some examples are:-
Bit Defender 2010 Suite
McAfee Virus Scan Plus
Symantec Corporate 11.0
Cyberoam UTM
Panda Security
Kaspersky Space Security
Trend Micro Scan Suites
Quickheal Total Security
Building secure environment
Defense in Depth:
• Using a layered approach
• Increases an attacker’s risk of detection
• Decreases an attacker’s chances of
success
Thank you