Security Product Roadmap by TsaZdafc


COPYRIGHT
This presentation is provided to specific parties on request.
All slides must be shown in their entirety, including the D-Link
logo and brand name, without any modification or deletion,
unless with the written consent of D-Link. Individual slides may
be removed in their entirety. Background colour may be changed.
Printed copies can be distributed freely for the specific purpose
for which this presentation slide is used. Failure to observe this
violates the copyright agreement. D-Link reserves the right to
withdraw from the party the right to use the presentation slide
and/or take any other actions deemed necessary by D-Link to
prevent the slides or part of them being used.
BASIC CONCEPTS IN NETWORK ADMINISTRATION

SECURITY MANAGEMENT

MSEE Ing. Héctor J. Simosa
22 October 2004
Network Security

Security in networks is an essential mechanism. The Internet is a network of interconnected networks without borders....
Because of this, the networks of organizations are vulnerable, since they are accessible from any computer in the world.
Solutions

• D-LINK offers fairly complete security solutions, in addition to the FW, to protect your network; among them:
  – Intrusion Detection Systems
  – Virtual Private Networks
  – Identification Services
  – Security Management Tools.
Security: Why is it important?

Computer Hackers
• These can be divided into three categories:
  – Those who break the security of computer networks
  – Those who break the security of application software
  – Those who create malicious programs to exploit weaknesses of the OS
  • Fact: There is no 100% secure solution!
Evolution of Security
[Chart: attack types plotted from 1980 to 2000 against the technical knowledge required (High at the left, Low at the right) and the sophistication of hacker tools. Earliest: password guessing, password cracking, self-replicating code, exploiting known vulnerabilities. Then: backdoors, disabling audit, session hijacking, sweepers, sniffers, stealth diagnostics. Latest: packet forging/spoofing, DDoS, Internet worms, sophisticated hacker tools.]
Attacks on Information Networks

• Protection is a challenge!
  – The ability to attack networks has become more sophisticated
  – Relying on a firewall is not enough
  – Just as you physically protect your facilities, you must protect your network.
• What questions should we ask ourselves?
What questions should we ask?

• Do you have an Intranet/Extranet/Internet?
• Are you thinking of or planning to implement some type of network?
• Do you have critical or strategic information available on your network?
• How do you know whether you have been the victim of a security breach?
What is the Internet?
[Diagram: Corporate Network, Remote Partner, Remote User and Remote Office connected through the Internet.]
What is the Intranet?
[Diagram: Corporate Network connected through the Internet to a Remote User and a Remote Office, with a DMZ Network hosting the Web Server and E-Mail Server.]
What is the Extranet?
[Diagram: Corporate Network and its DMZ Network (Web Server, E-Mail Server) connected through the Internet to Partner Sites and a Remote User.]
What do we need to protect?
•   Routers are targets
•   Managed switches are targets
•   Hosts/clients are targets
•   Databases are targets
•   Applications are targets
•   Information is a target
•   Web and email servers are targets
•   Management tools are targets
More Questions ........

Is your security solution complete?
Can you support a wide range of business without compromising the organization?
Is your security solution extensible to the evolving requirements of your users?
How do Security Problems Arise?
• When you connect your computer to the Internet, it is under threat.......
• The first threat is that your IP packets can be inspected as they travel across the Internet.
• The second threat is that someone uses your connectivity to attack your OS.
• There is only one way to provide security against these threats.......
Security Services

• What do they mean?

• Why are they necessary?

• How are they implemented?
What do Security Services mean?

• Privacy.......?

• Authentication.......?

• Access Control.......?
Communication Properties

Alice <-> Bob

Communicate securely??

• Secrecy
• Authentication
• Message Integrity
Authenticated Access
[Diagram: user, Auth. VLAN, Authentication Server, VLAN A / VLAN B and Target Resource A / Target Resource B.]
1. Log on and establish access privileges
2. The Authentication Server instructs the network to connect the user to the target VLAN(s)
3. The user is connected to the target VLAN(s)
Why are they necessary?

• The perpetrator has solid knowledge of the protocols used.

• They can interpret the message, discovering passwords, sensitive information, etc.
How are they implemented?

The Challenge of Security in a Computer Network

Firewall
What is a Firewall?

• A system designed to prevent unauthorized access to or from a private network
• It is implemented in hardware, in software, or a combination of both
• Every message entering or leaving the network through the FW is examined, and those that do not comply with the security policies are blocked.
Firewall Architectures

1. Packet Filters
2. Application Proxies
3. Circuit-level Gateways
4. Network Address Translation (NAT) Firewalls
Packet Filter Firewall
[Diagram: OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) between a Server and a User; the Router with Packet Filter operates at the Network layer.]
Application Gateways / Proxies
[Diagram: the gateway runs proxy applications for Telnet, FTP, HTTP and SMTP and operates at the Application layer of the OSI stack.]
Stateful Inspection
[Diagram: OSI stack with the inspection engine placed between the Data Link and Network layers, feeding Dynamic State Tables.]
Packets are intercepted between the Data Link and Network layers.
Information on all higher layers is saved in dynamic state tables.
Proxy Server Gateways
[Diagram: Internal Client, Firewall Proxy Server, External Web Server.]
1. Request (Internal Client to Firewall Proxy Server)
2. Repackage request (Firewall Proxy Server to External Web Server)
3. Response (External Web Server to Firewall Proxy Server)
4. Repackage response (Firewall Proxy Server to Internal Client)
Security Policies

• Network Service Access Policy

• Firewall Design Policy
Security Policies

• Network Service Access Policy

  Defines the services that will be explicitly permitted or denied from the restricted network, and that comply with the properties of secure communication.
Security Policies

• Firewall Design Policy

  Describes how the firewall will be configured to apply the rules for restricting access or filtering services.
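The two policies and the stateful-inspection slide fit together: the Network Service Access Policy lists which services are allowed, and the Firewall Design Policy is the default-deny filter with a dynamic state table that implements it. The following is an added example, not D-Link firmware; the subnet, DMZ host and allowed services are constructed assumptions.

```python
"""Toy stateful packet filter enforcing a Network Service Access Policy.

Added illustration, not D-Link code. Hosts, subnets and the policy
rules below are constructed assumptions for the example.
"""
from dataclasses import dataclass
import ipaddress

CORPORATE = ipaddress.ip_network("10.0.0.0/24")   # assumed trusted LAN
DMZ_WEB = ipaddress.ip_address("192.0.2.10")      # assumed DMZ web server

# Network Service Access Policy: services explicitly permitted.
# Everything not listed is denied; the Firewall Design Policy below
# realises that as a default-deny filter with a dynamic state table.
ALLOW_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25)}   # LAN -> Internet
ALLOW_INBOUND_DMZ = {("tcp", 80)}                            # Internet -> DMZ web


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a TCP connection-initiating segment


class StatefulFilter:
    def __init__(self):
        # Dynamic state table: 5-tuples of flows the policy allowed to start.
        self.state = set()

    def _new_flow_allowed(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if src in CORPORATE and (p.proto, p.dport) in ALLOW_OUTBOUND:
            return True
        if dst == DMZ_WEB and (p.proto, p.dport) in ALLOW_INBOUND_DMZ:
            return True
        return False

    def check(self, p):
        """Return 'ACCEPT' or 'DROP'. Reply packets of tracked flows pass
        without a rule of their own, which is what makes the filter
        stateful instead of a pure per-packet filter."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or reverse in self.state:
            return "ACCEPT"
        if p.syn and self._new_flow_allowed(p):
            self.state.add(key)
            return "ACCEPT"
        return "DROP"   # default deny, including non-SYN packets with no state


def run_demo():
    """Constructed traffic: LAN client opening HTTP, its reply, an
    unsolicited inbound packet, and inbound HTTP/SSH to the DMZ host."""
    fw = StatefulFilter()
    lan_client = Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 80, syn=True)
    reply = Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 51000)
    unsolicited = Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 51000)
    to_dmz = Packet("tcp", "203.0.113.9", 40000, "192.0.2.10", 80, syn=True)
    to_dmz_ssh = Packet("tcp", "203.0.113.9", 40001, "192.0.2.10", 22, syn=True)
    return [fw.check(x) for x in (lan_client, reply, unsolicited, to_dmz, to_dmz_ssh)]


if __name__ == "__main__":
    print(run_demo())   # ['ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT', 'DROP']
```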
Enterprise Security - Internet
[Diagram: Corporate Network behind a FW with a DMZ Network; Partner Site, Remote User and Remote Office reached over the Internet.]
Enterprise Security - Intranet
• Policies for enterprise-wide communication
[Diagram: same topology; the FW policies govern communication across the enterprise.]
Enterprise Security - Extranet
• Secure communication between partners
[Diagram: same topology; secure links between the Corporate Network and the Partner Site.]
Security Elements in Wireless Networks
Security in WLANs

Access Control
  • By Network Name
  • By MAC address
DSSS transmission technology is difficult to intercept.
DSSS allows high transmission rates by dividing the 2.4-GHz band into 14 22-MHz channels.
Security is weak.
Threats in WLANs
•   Denial of Service
•   Interception/Eavesdropping
•   Manipulation
•   Masquerading
•   Repudiation
•   Transitive Trust
•   Infrastructure
Security Premises in 802.11b
•   Service Set Identifier (SSID)
•   Shared or Open Authentication
•   MAC Filtering/FireWall
•   Wired Equivalent Privacy (WEP)
    – Link Level
    – Poor security
SSID

• Mechanism used to segment WLANs
• Each AP is programmed with an SSID corresponding to its network
• The client presents the correct SSID to access the AP
• There are security compromises
  – The AP can be configured to "broadcast" its SSID
  – The SSID can be shared among several users of a wireless segment
MAC Filtering

• Each client is identified by its 802.11 NIC MAC address
• The AP can be programmed with a set of MAC addresses to accept
• Combine the filtering with the AP's SSID
• We incur "overhead" maintaining the list of MAC addresses.
Cryptography
Cryptography uses the RC4 algorithm defined in the IEEE 802.11 WEP standard.
Products are available with 40- and 128-bit encryption.
64-bit WEP is the same as 40-bit WEP:
  a 40-bit (10 hex character) "secret key" (user-defined), plus a 24-bit "Initialization Vector" (which is not under the user's control).
802.11 – Security
 Enterprise/Home
  –   Data Encryption (WEP, TKIP, AES): Prevent 3rd
      parties from viewing the content of wireless data
      transmissions
  –   User Authentication (802.1X): Prevent
      unauthorized users from connecting to the wireless
      network
  –   Virtual LAN: Use VLAN-capable Access Points to tag
      “guest traffic” and other “non-secure” traffic so that it
      can be routed outside the firewall
 Across the Public Infrastructure
  –   Virtual Private Network: Maintain end-to-end
      privacy through the use of Layer 3 tunneling
      protocols (independent of 802.11 devices)
WEP Authentication

• The client requests access
• The AP sends the client a challenge text
• The client encrypts the text using the secret key supplied by the AP
• If the text is encrypted correctly, the AP grants access; otherwise it denies it.
WEP in Action
[Diagram: Supplicant and Access Point, each configured with WEP Key 1234567890, with Network resources behind the AP.]
Frames exchanged between Supplicant and Access Point:
  Association Request
  Authentication Request
  Authentication Response
  Association Response
  Encrypted Data to Access Point
WEP Weaknesses

• All clients of an AP on a wireless network share the same encryption key
• There is no protocol for distributing the encryption key.
• Improved with WPA.
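The cryptography, WEP authentication and WEP weaknesses slides above describe one mechanism: RC4 keyed with the 24-bit IV prepended to the 40-bit shared secret, used both for the challenge-response and for data frames. The added example below (not D-Link or IEEE reference code) implements that keying and the shared-key exchange, and shows why a key shared by every client and varied only by a 24-bit IV is weak: any two frames sent under one IV reuse the same keystream. The secret key, IVs and challenge bytes are constructed values.

```python
"""WEP-64 keying, shared-key authentication and keystream reuse.

Added illustration, not vendor code. The 40-bit key is the "1234567890"
value from the 'WEP in Action' slide; IVs and plaintexts are constructed.
"""
import os


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_packet_key(iv: bytes, secret: bytes) -> bytes:
    """WEP-64 per-packet key: 24-bit IV (sent in clear) || 40-bit secret."""
    if len(iv) != 3 or len(secret) != 5:
        raise ValueError("WEP-64 uses a 3-byte IV and a 5-byte secret key")
    return iv + secret


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, rc4_keystream(wep_packet_key(iv, secret), len(plaintext)))


wep_decrypt = wep_encrypt   # RC4 is a stream cipher: decrypt = same XOR


def shared_key_auth(client_secret: bytes, ap_secret: bytes, challenge: bytes) -> bool:
    """The exchange on the 'WEP Authentication' slide: the AP sends a
    clear-text challenge, the client returns it encrypted under an IV it
    picks, and the AP accepts only if decrypting reproduces the challenge."""
    iv = os.urandom(3)
    response = wep_encrypt(iv, client_secret, challenge)
    return wep_decrypt(iv, ap_secret, response) == challenge


def keystream_reuse(iv: bytes, secret: bytes, pa: bytes, pb: bytes) -> bool:
    """Two frames under the same IV and shared key use one keystream, so
    XOR of the ciphertexts equals XOR of the plaintexts: the cipher no
    longer hides the relationship between the two messages."""
    ca, cb = wep_encrypt(iv, secret, pa), wep_encrypt(iv, secret, pb)
    return xor(ca, cb) == xor(pa, pb)


SECRET = bytes.fromhex("1234567890")      # the slide's 10-hex-character key
CHALLENGE = bytes(range(128))             # constructed; WEP challenges are 128 bytes


def demo():
    ok = shared_key_auth(SECRET, SECRET, CHALLENGE)
    wrong_key = shared_key_auth(bytes.fromhex("0000000000"), SECRET, CHALLENGE)
    # Every client shares SECRET, so only the IV varies: 2**24 keystreams total.
    reused = keystream_reuse(b"\x01\x02\x03", SECRET, b"client A frame", b"client B frame")
    return ok, wrong_key, reused, 2 ** 24


if __name__ == "__main__":
    print(demo())   # (True, False, True, 16777216)
```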
WPA in Action
[Diagram: Supplicant, Authenticator (AP), Authentication Server and Network resources.]
1. Association Request
2. AP sends authentication request; the AP blocks the request until the user is authenticated
3. Client proves credential to the authentication server
4. Once authenticated, the authentication server distributes the TKIP encryption key
5. Client joins the LAN with encrypted data
802.11 – Security Portfolio

                 Original 802.11b   Updated 802.11b   802.11a and a/b   Different ways a network needs to be made secure
Encryption       WEP                TKIP              AES               "Is my data secure?"
Authentication   nothing            802.1x ("SSN")    LEAP, PEAP, TLS   "How can I keep intruders from entering my network?"
Application                         VPN                                 "Can I maintain the integrity of my link from end to end?"
Operation                           VLAN                                "How can I avoid breaking my own security mechanisms?"
802.1X Authentication
[Diagram: End-User Station -- EAPOL (EAP) -- Wireless AP -- RADIUS (EAP) -- DRS-200 RADIUS server; the password request and response travel over this path.]
1. Using Extensible Authentication Protocol (EAP), an end-user contacts a wireless access point and requests to be authenticated.
2. The Access Point passes the request to the RADIUS Server.
3. The RADIUS Server challenges the end user for a password, and the end user responds with a password to the RADIUS server.
4. The RADIUS server authenticates the end user and the access point opens a port to accept data from the end user.
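The four steps above are the essence of 802.1X: the AP only relays EAP between supplicant and RADIUS server and keeps its controlled port closed to data until the server accepts. The added example below (not the DRS-200's or D-Link's code) simulates that flow with an EAP-MD5 challenge, whose response is MD5(Identifier || password || challenge) per RFC 3748; the user database, password and frame handling are constructed assumptions.

```python
"""802.1X port-based access control with an EAP-MD5 challenge.

Added illustration, not vendor code. USERS, the password and the frame
handling are constructed; the EAP-MD5 response formula is from RFC 3748.
"""
import hashlib
import os

USERS = {"alice": b"correct horse"}      # constructed RADIUS user database


class RadiusServer:
    """Steps 2-4: receive the relayed request, challenge, verify."""
    def __init__(self):
        self.pending = {}                   # EAP identifier -> (user, challenge)

    def start(self, ident: int, user: str) -> bytes:
        challenge = os.urandom(16)
        self.pending[ident] = (user, challenge)
        return challenge

    def verify(self, ident: int, response: bytes) -> str:
        user, challenge = self.pending.pop(ident)
        secret = USERS.get(user)
        if secret is None:
            return "Access-Reject"
        expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
        return "Access-Accept" if response == expected else "Access-Reject"


class Supplicant:
    def __init__(self, user: str, password: bytes):
        self.user, self.password = user, password

    def answer(self, ident: int, challenge: bytes) -> bytes:
        # EAP-MD5 Response: MD5(Identifier || shared secret || challenge)
        return hashlib.md5(bytes([ident]) + self.password + challenge).digest()


class AccessPoint:
    """The authenticator: its controlled port drops data frames and only
    relays EAP to RADIUS until the server answers Access-Accept."""
    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.port_authorized = False
        self.next_ident = 1

    def authenticate(self, supplicant: Supplicant) -> bool:
        ident = self.next_ident                 # 1-byte EAP identifier
        self.next_ident = (self.next_ident + 1) % 256
        challenge = self.radius.start(ident, supplicant.user)   # steps 1-2: relay
        response = supplicant.answer(ident, challenge)          # step 3
        verdict = self.radius.verify(ident, response)           # step 4
        self.port_authorized = verdict == "Access-Accept"
        return self.port_authorized

    def forward_data(self, frame: bytes):
        """Data frames are dropped (None) while the port is unauthorized."""
        return frame if self.port_authorized else None


def demo():
    ap = AccessPoint(RadiusServer())
    before = ap.forward_data(b"payload")                        # port closed
    good = ap.authenticate(Supplicant("alice", b"correct horse"))
    after = ap.forward_data(b"payload")                         # port open
    ap2 = AccessPoint(RadiusServer())
    bad = ap2.authenticate(Supplicant("alice", b"wrong"))
    unknown = ap2.authenticate(Supplicant("mallory", b"x"))
    return before, good, after, bad, unknown, ap2.forward_data(b"payload")


if __name__ == "__main__":
    print(demo())   # (None, True, b'payload', False, False, None)
```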
• Thank you very much
D-Link Security Solution
                        Basic Definitions

• Confidentiality
   – Are you the only one who is viewing information
     specific to you or authorized users?
• Integrity
   – Are you communicating with whom you think?
   – Is the data you are looking at correct or has it been
     tampered with?
• Availability
   – Are the required services there when you need them?
• Authentication
   – Are you who you say you are?
                Vocabulary in Security

•   AS – Authentication Server
•   EAP – Extensible Authentication Protocol
•   EAPOL – EAP Over LAN
•   IV – Initialization Vector
•   MIC – Message Integrity Code
•   PEAP – Protected EAP
•   PKI – Public Key Infrastructure
•   RADIUS – Remote Access Dial-In User Service
•   TKIP – Temporal Key Integrity Protocol
•   WEP – Wired Equivalent Privacy
•   WLAN – Wireless Local Area Network
•   AES – Advanced Encryption Standard
         Hacker Prevention and
          Network Protection
• Network Intrusion Detection System (NIDS) is
  a real-time network intrusion detection sensor
• Identifies and takes action against suspicious
  network activity
• Uses intrusion signatures, stored in the attack
  database, to identify the most common attacks
• To notify system administrators of the attack,
  the NIDS records the attack and any suspicious
  traffic to the attack log
           Hacker Prevention and
            Network Protection

• NIDS protects DFL-xxxx and the network
  connected to it by :
  – Dropping the connection
  – Blocking packets from the location of the attack
  – Blocking network ports, protocols or services being
    used by an attack
          Hacker Prevention and
           Network Protection
• Using Virtual Private Networking (VPN), you
  can provide a secure connection between widely
  separated office networks or securely link
  telecommuters or travelers to an office network
• VPN features include:
  –   standard IPSec VPN (e.g. IPSec, DES, 3DES, etc.)
  –   PPTP
  –   L2TP
  –   IPSec and PPTP VPN pass-through
Secure Installation, Configuration and Management
• Logging and Reporting
   – Report traffic that connects to the firewall interfaces
   – Report network services used
   – Report traffic permitted by firewall policies
   – Report events such as configuration changes and other
     management events, IPSec tunnel negotiation, virus
     detection, attacks and web page blocking
• Logs can be sent to a remote syslog server or to a WebTrends
  server using WebTrends enhanced log format
                          DFL-200

• 3,000 concurrent sessions
• Firewall performance: 60Mbps
• 3DES performance: 20Mbps
• 70 dedicated VPN tunnels
• 500 policies, 256 schedules
• 10/100BASE-TX port to connect to
  DSL/cable modem
• 10/100BASE-TX dedicated DMZ
  port
• 4 10/100BASE-TX LAN switch
  ports
                        DFL-700

• Support 100 users
• 10,000 concurrent sessions
• Firewall performance: 100Mbps
• 3DES performance: 30Mbps
• 200 dedicated VPN tunnels
• 1,000 policies, 256 schedules
• 10/100BASE-TX port connect to
  DSL/cable modem or external LAN
• 10/100BASE-TX port connect to
  Internal LAN (Trusted)
• 10/100BASE-TX dedicated DMZ port
                         DFL-1100

•   200,000 concurrent sessions
•   Firewall performance: 250Mbps
•   3DES performance: 60Mbps
•   1,000 dedicated VPN tunnels
•   10/100BASE-TX port connect to
    DSL/cable modem or External LAN
•   10/100BASE-TX dedicated DMZ
    port
•   10/100BASE-TX LAN port connect
    to Internal LAN (Trusted)
•   10/100BASE-TX backup port
    connect to backup firewall
•   2,000 policies, 256 schedules
Securing Your Network with DFL-1100
[Diagram: Insurance Business Sector. HQ Network with an active DFL-1100 firewall and a backup DFL-1100 firewall joined by a backup link, behind switches serving 500 users; VPN access over the Internet (ADSL) for tele workers, mobile users and a Branch Office.]
     DFL-500 & DFL-1000
Network Protection Gateway (NPG)

• A dedicated easily managed security device that
  delivers the following services :-
  – application-level services such as virus protection
    and content filtering
  – network-level services such as firewall, intrusion
    detection, VPN and traffic shaping
              DFL-500 & DFL-1000
Accelerated Behaviour and Content Analysis System (ABACAS™)


 • Unique ASIC-based architecture
 • Analyse contents and behaviour in real-time
 • Enable key applications to be deployed right at
   the network edge where they are most effective
   at protecting the network
DFL-500 vs DFL-1000

                   DFL-500         DFL-1000
Product Category   SoHo            SMB
CPU                133MHz          300MHz
RAM                64MB            256MB
Flash              32MB            64MB
Ports              1 LAN, 1 WAN    1 LAN, 1 WAN, 1 DMZ
           DFL-500 vs DFL-1000
           (System Performance)

                       DFL-500   DFL-1000
Concurrent sessions     2,000     25,000

New session / speed      800      10,000

Firewall performance   30Mbps    180Mbps

Triple-DES (168 bit)   15Mbps    120Mbps
Policies                 100      1,000

Schedules                30        256
           DFL-500 vs DFL-1000
        (Firewall Mode of Operation)
                              DFL-500   DFL-1000

Network Address Translation     Yes       Yes

Port Address Translation        Yes       Yes

Transparent mode                Yes       Yes
Route mode                      Yes       Yes

Virtual IP                      Yes       Yes
DFL-500 vs DFL-1000 (VPN)
                                            DFL-500   DFL-1000
Dedicated tunnels                           20        100
Manual key, IKE, PKI                        Yes       Yes
DES (56-bit) & 3DES (168-bit) encryption    Yes       Yes
Perfect forward secrecy (DH Groups)         Yes       Yes
Remote access VPN                           Yes       Yes
             DFL-500 vs DFL-1000
               (Firewall Attacks)


                           DFL-500   DFL-1000

DDOS and DOS detected        14         14

MAC address bind with IP     Yes       Yes
                DFL-500 vs DFL-1000
                (Logging / Monitoring)

                                    DFL-500      DFL-1000

Internal log space                     No           Yes

E-mail notify                      3 addresses   3 addresses

Syslog                                Yes           Yes

SNMP                                  Yes           Yes
Device failure detection              Yes           Yes

Network notification on failover      Yes           Yes
 DFL-500 vs DFL-1000 (IPSec)
                   DFL-500   DFL-1000
Site-to-site VPN     Yes       Yes

Authentication       Yes       Yes
SHA-1 / MD5          Yes       Yes
       DFL-500 vs DFL-1000
(Firewall & VPN User Authentication)
                                    DFL-500   DFL-1000
 Built-in database - user limit       Yes       Yes

 RADIUS (external) database           No        Yes
 RSA SecureID (external) database     No        Yes

 LDAP (external) database             No        Yes
DFL-500 vs DFL-1000 (System Management)
                                                 DFL-500   DFL-1000
WebUI (HTTP and HTTPS)                           Yes       Yes
Multi-language user interface                    Yes       Yes
Command line interface (telnet)                  Yes       Yes
Wizard / Quick Installation                      Yes       Yes
Secure command shell (ssh v1 compatible)         Yes       Yes
All management via VPN tunnel on any interface   Yes       Yes
              DFL-500 vs DFL-1000
              (Traffic Management)
                                 DFL-500   DFL-1000

Guaranteed bandwidth               Yes       Yes

Maximum bandwidth                  Yes       Yes

Priority-bandwidth utilization     Yes       Yes
DFL-500 vs DFL-1000 (Administration)
                                             DFL-500        DFL-1000
Multiple administrators                      Yes            Yes
Root Admin, Admin & Read Only user levels    Yes            Yes
Software upgrades & Configuration changes    TFTP / WebUI   TFTP / WebUI
Trust host                                   Yes            Yes
              DFL-500 vs DFL-1000
               (Network Service)
                          DFL-500   DFL-1000

PPPoE                       Yes       Yes

PPTP                        Yes       Yes
DHCP client                 Yes       Yes

DHCP server                 Yes       Yes

VPN client pass through     Yes       Yes

								