Intrusion Detection System (IDS)

Outlines
•   Host-based IDS – Tripwire
•   Network IDS – Snort
•   How to defeat an IDS

  Intrusion Detection System (IDS)
Host-based IDS – Tripwire

    Tripwire is a very popular system integrity
    checker, a utility that compares properties
    of designated files and directories against
    information stored in a previously
    generated database. Any changes to these
    files are flagged and logged, including files
    that were added or deleted, with optional
    email and pager reporting. Support files
    (databases, reports, etc.) are
    cryptographically signed.

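The following is an added example (not Tripwire's own code) of the integrity-checking idea described above: a baseline of file properties is recorded, signed with an HMAC so that the database itself is tamper-evident, and later compared against the live files. The signing key, file names and temporary directory are constructed for the demonstration.

```python
"""Minimal Tripwire-style integrity checker (added example, not Tripwire code).

Baseline: size, mode, mtime and SHA-256 of each designated file, serialised
as JSON and signed with HMAC-SHA256 so that whoever modifies the monitored
files cannot quietly rewrite the database as well.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def file_record(path: str) -> dict:
    """Collect the properties the checker compares for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(paths, key: bytes) -> bytes:
    """Return a signed baseline: JSON body plus its HMAC tag."""
    body = json.dumps({p: file_record(p) for p in sorted(paths)},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "hmac": tag}).encode()


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting any stored record."""
    outer = json.loads(blob)
    body = outer["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["hmac"]):
        raise ValueError("baseline signature mismatch: database tampered")
    return json.loads(body)


def check(blob: bytes, key: bytes, paths) -> dict:
    """Compare the live files against the signed baseline.

    Returns {"changed": [...], "added": [...], "deleted": [...]}.
    """
    base = load_baseline(blob, key)
    current = {p: file_record(p) for p in paths if os.path.lexists(p)}
    changed = [p for p in base if p in current and current[p] != base[p]]
    deleted = [p for p in base if p not in current]
    added = [p for p in current if p not in base]
    return {"changed": sorted(changed), "added": sorted(added),
            "deleted": sorted(deleted)}


def demo() -> dict:
    """Constructed scenario: baseline two files, then modify one, delete the
    other and drop in a third; returns the report with bare file names."""
    key = b"hypothetical-baseline-signing-key"   # constructed, not a real key
    d = tempfile.mkdtemp()
    a, b, c = (os.path.join(d, n) for n in ("passwd", "hosts", "rootkit"))
    for p, data in ((a, b"root:x:0:0\n"), (b, b"127.0.0.1 localhost\n")):
        with open(p, "wb") as f:
            f.write(data)
    blob = build_baseline([a, b], key)
    with open(a, "ab") as f:          # tamper with a monitored file
        f.write(b"evil:x:0:0\n")
    os.remove(b)                       # delete a monitored file
    with open(c, "wb") as f:           # add an unexpected file
        f.write(b"x")
    report = check(blob, key, [a, b, c])
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```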
  Intrusion Detection System (IDS)
Host-based IDS – Tripwire

   Lab 7: Install the Tripwire IDS to monitor
   the integrity of the data on your hosts.

Intrusion Detection System (IDS)
Network IDS – Snort
  Snort is a lightweight network intrusion detection
  system, capable of performing real-time traffic
  analysis and packet logging on IP
  networks. It can perform protocol analysis,
  content searching/matching and can be used to
  detect a variety of attacks and probes, such as
  buffer overflows, stealth port scans, CGI attacks,
  SMB probes, OS fingerprinting attempts, and
  much more.

Intrusion Detection System (IDS)
Network IDS – Snort
  Snort uses a flexible rules language to describe
  traffic that it should collect or pass, as well as a
  detection engine that utilizes a modular plugin
  architecture. Snort has a real-time alerting
  capability as well, incorporating alerting
  mechanisms for syslog, a user-specified file, a
  UNIX socket, or WinPopup messages to Windows
  clients using Samba's smbclient.

Intrusion Detection System (IDS)
Network IDS – Snort
  Snort has three primary uses. It can be used as a
  straight packet sniffer like tcpdump(1), a packet
  logger (useful for network traffic debugging, etc),
  or as a full blown network intrusion detection
  system.

Intrusion Detection System (IDS)
Network IDS – Snort
  Snort is a very flexible tool. You can customize the
  rulesets to suit your needs. We have given you only
  a very simple introduction in this workshop. For
  more details on writing rules, see
  http://www.snort.org/docs/writing_rules/

 Intrusion Detection System (IDS)
Network IDS – Snort

Lab 7: Install a Snort IDS on your host and use the
    Nessus network scanner to test your Snort
    IDS.

     Intrusion Detection System (IDS)
How to defeat a Network IDS
I.     Insertion Attack
       Insert packets that the end-point server will ignore
       but that the IDS picks up as valid packets. An
       attacker can use insertion attacks to defeat
       signature analysis, allowing her to slip attacks
       past an IDS.

     Intrusion Detection System (IDS)
How to defeat a Network IDS
I.     Insertion Attack
       E.g.
       The signature of the phf attack may be
       something like ``GET /cgi-bin/phf?''. We may
       insert extra packets such that the IDS sees the
       request as
       ``GET /cgi-bin/pleasedontdetecttthisforme?'' while
       the end-point server still reads it as
       ``GET /cgi-bin/phf?''

     Intrusion Detection System (IDS)
How to defeat a Network IDS
I.     Insertion Attack
       Techniques:
        •  Using invalid sequence numbers.
           Most IDSs do not check sequence numbers.
           Packets with invalid sequence numbers are
           rejected by end-point servers but may be
           picked up by these IDSs.

     Intrusion Detection System (IDS)
How to defeat a Network IDS
I.     Insertion Attack

       Techniques:
        •  Using incorrect TCP checksums.
           Most IDSs do not check TCP checksums.
           Packets with incorrect TCP checksums are
           rejected by end-point servers but may be
           picked up by these IDSs.

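As an added example (not Snort's code), here is the check a sensor needs in order to close the checksum gap just described: verify the TCP checksum over the pseudo-header exactly as the end host does, and hand only passing segments to the detection engine. The IPv4/TCP datagrams are constructed inside the block; the addresses and ports are arbitrary.

```python
"""Verify IPv4 TCP checksums the way an end host does (added example).

A sensor that skips this step inspects segments the end-point will discard;
doing the same arithmetic as the host removes that discrepancy.
"""
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Value to place in a header whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum_valid(packet: bytes) -> bool:
    """True if the TCP checksum (pseudo-header + segment) of an IPv4 datagram
    is correct; anything malformed is treated as invalid, as a host would."""
    if len(packet) < 20:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or total_len > len(packet) or total_len < ihl + 20:
        return False
    segment = packet[ihl:total_len]
    # Pseudo-header: source, destination, zero, protocol 6, TCP length
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    # With the checksum field included, the sum must come out all ones.
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def sensor_filter(packets):
    """What a sensor should pass to its detection engine: only the payloads
    of segments whose checksum the end host would also accept."""
    accepted = []
    for pkt in packets:
        if tcp_checksum_valid(pkt):
            ihl = (pkt[0] & 0x0F) * 4
            doff = (pkt[ihl + 12] >> 4) * 4
            accepted.append(pkt[ihl + doff:])
    return accepted


def build_packet(src, dst, sport, dport, seq, payload, corrupt=False):
    """Construct a minimal IPv4/TCP datagram for the demonstration; with
    corrupt=True the TCP checksum is deliberately off by one bit."""
    s = ipaddress.IPv4Address(src).packed
    d = ipaddress.IPv4Address(dst).packed
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # data offset 5 words, flags PSH|ACK, window 8192, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    tcp += payload
    csum = checksum(s + d + struct.pack("!BBH", 0, 6, tcp_len) + tcp)
    if corrupt:
        csum ^= 0x0001
    return ip + tcp[:16] + struct.pack("!H", csum) + tcp[18:]
```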
     Intrusion Detection System (IDS)
How to defeat a Network IDS
I.     Insertion Attack
       Techniques:
        •   Using short TTLs.
            If the IDS sits on the network many hops away
            from the end-point servers, short-TTL packets will be
            dropped before they reach the end-point servers. We
            can tune the TTL of the inserted packets so that they
            pass the IDS but are dropped before reaching the
            end-point servers.

  Intrusion Detection System (IDS)
How to defeat a Network IDS
II.   Evasion Attack
      An end-system can accept a packet that an IDS
      rejects. An IDS that mistakenly rejects such a
      packet misses its contents entirely.
      E.g.
      The packets of ``GET /cgi-bin/phf?'' may show up as
      ``GET /gin/f'' in IDS detection.

  Intrusion Detection System (IDS)
How to defeat a Network IDS
II.   Evasion Attack
      Techniques
      •   Some IDSs can only keep track of one
          host/port connection at a time. Flood the
          target port with bogus SYN packets first
          so that these IDSs ignore the real connection
          afterwards.

  Intrusion Detection System (IDS)
How to defeat a Network IDS
II.   Evasion Attack
      Techniques
      •   IP fragmentation: sending fragments out of order.
          Some IDSs assume that fragments arrive in order
          and reassemble the data as soon as the fragment
          marked as final arrives. Sending fragments out of
          order may fool these IDSs.

 Intrusion Detection System (IDS)
How to defeat a Network IDS
II. Evasion Attack
    Techniques
     •   Sending overlapping fragments.
         There may be a gap between how the IDS and the
         end-point server handle overlapping fragments.
         If the IDS does not handle overlapping fragments
         in a manner consistent with the systems it
         watches, it may, given a stream of fragments,
         reassemble a completely different packet than
         an end system in receipt of the same fragments.

Firewall

Outlines
•   Variations on Firewall Architecture
•   Setting up network layer Firewalls
•   Firewall log
•   Setting up a private network with NAT

Firewall
Firewall
    In brief, a firewall is typically the first line of defense for
    any Internet-connected network. What a firewall does
    and how it behaves depends on what level it operates on.
    (Those familiar with the OSI model will understand this.)
    Firewalls generally operate at the network layer (IP), or
    the application layer, such as HTTP proxies.

Lab 12B: Firewall
Firewall
    Those firewalls at the network layer are often called
    screening routers. A screening router examines the IP
    header on each incoming (and possibly outgoing)
    datagram and determines whether or not it should pass.
    It makes this determination by comparing key fields such
    as the source and destination addresses to the policy set
    by the administrator. Most screening routers will also
    examine the packet at the next layer (the transport layer),
    which allows you to create policies based on TCP or
    UDP port, or ICMP type and code.

Firewall
Firewall
    Firewalls at the application layer are called gateways or
    proxies, and are designed to understand protocols at this
    level, such as HTTP or telnet. Application gateways are
    useful because they can offer very high level control over
    traffic, and so they are in some ways more secure than
    screening routers. For example, an application gateway
    may choose to filter all HTTP POST commands. Most
    importantly, gateways can maintain logging specific to
    application layer protocols. A paranoid (and privacy-ignorant)
    company may choose to have all mail pass
    through a gateway to log the To, From, and Subject
    fields of the header, for instance.

Firewall
Variations on Firewall Architecture
A.   Single layer firewall architecture
B.   Two layer firewall architecture
C.   Merged interior and exterior firewall architecture
D.   Two layer firewall architecture with two internal
     networks
E.   Two layer firewall architecture with merged
     bastion host and exterior firewall

 Firewall
Bastion host
       A system exposed to the Internet that is expected to
       come under thorough attack. The term contrasts those
       hosts that are inside a firewall's protection.
DMZ (Demilitarized Zone)
       In firewalls, a DMZ is an area that is mostly public to
       the Internet. This is where a company's web, e-mail,
       and DNS servers are located. A DMZ often has some
       limited protection, but since it is very exposed to the
       Internet, the assumption is that the machines in the
       zone will eventually be compromised. Therefore, the
       machines often have as little connectivity to the
       private network as any other machine from the
       Internet.
Firewall
Type A: Single layer firewall architecture (diagram)

Firewall
Type B: Two layer firewall architecture (diagram)

Firewall
Type C: Merged interior and exterior firewall architecture (diagram)

Firewall
Type D: Two layer firewall architecture with two internal networks (diagram)

Firewall
Type E: Two layer firewall architecture with merged bastion host and
    exterior firewall (diagram)

Firewall

 Lab 8: Deploy a firewall on your host using ipchains.

 Firewall
Linux firewall log
       All the traffic going through the firewall is part of a
       connection. A connection consists of the pair of IP
       addresses that are talking to each other, as well as a pair
       of port numbers. The destination port number often
       indicates the type of service being connected to.
       When a firewall blocks a connection, it will save the
       destination port number to its logfile.

 Firewall
Linux firewall log
Here is an example:
     Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254
1.   `input' is the chain which contained the rule which
     matched the packet, causing the log message.
2.   `DENY' is what the rule said to do to the packet. If this is
     `-' then the rule didn't affect the packet at all (an
     accounting rule).
3.   `eth0' is the interface name. Because this was the input
     chain, it means that the packet came in on `eth0'.
4.   `PROTO=17' means that the packet was protocol 17. A
     list of protocol numbers is given in `/etc/protocols'. The
     most common are 1 (ICMP), 6 (TCP) and 17 (UDP).
5.   `192.168.2.1' means that the packet's source IP address
     was 192.168.2.1.
6.   `:53' means that the source port was port 53. Looking in
     `/etc/services' shows that this is the `domain' port (i.e. this
     is probably a DNS reply). For UDP and TCP, this
     number is the source port. For ICMP, it's the ICMP type.
     For others, it will be 65535.
7.   `192.168.1.1' is the destination IP address.
8.   `:1025' means that the destination port was 1025. For
     UDP and TCP, this number is the destination port. For
     ICMP, it's the ICMP code. For others, it will be 65535.
9.   `L=34' means that packet was a total of 34 bytes long.
10. `S=0x00' means the Type of Service field (divide by 4 to
     get the Type of Service as used by ipchains).
11. `I=18' is the IP ID.
12. `F=0x0000' is the 16-bit fragment offset plus flags. A
     value starting with `0x4' or `0x5' means that the Don't
     Fragment bit is set. `0x2' or `0x3' means the `More
     Fragments' bit is set; expect more fragments after this.
     The rest of the number is the offset of this fragment,
     divided by 8.
13. `T=254' is the Time To Live of the packet. One is
     subtracted from this value for every hop, and it usually
     starts at 15 or 255.
14. `(#5)' there may be a final number in brackets on more
     recent kernels (perhaps after 2.2.9). This is the rule
     number which caused the packet log.

 Firewall
Linux firewall log
Here is another example:
     Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO=6 200.223.111.242:1956 137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000 T=42 SYN (#77)

    The TCP SYN packet of the SMTP (port 25) access to
    the host 137.189.97.67 from the host 200.223.111.242
    client port 1956 was blocked by the ipchains rule #77.

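An added parser (not part of the ipchains tools or these slides) for the `Packet log:` format explained above, decoding the fields as the slides describe them and classifying destination ports by the three IANA ranges listed further on; the two sample lines are the slides' own examples, re-joined onto one line, and the service table is a small constructed stand-in for /etc/services.

```python
"""Parser for ipchains kernel "Packet log:" lines (added example)."""
import re
from typing import Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Constructed subset standing in for an /etc/services lookup
SERVICES = {22: "ssh", 25: "smtp", 53: "domain", 80: "http", 443: "https"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<rest>.*)$"
)

# The slides' two examples, re-joined (syslog prefix kept on the second)
SAMPLE_LOG = [
    "Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 "
    "L=34 S=0x00 I=18 F=0x0000 T=254",
    "Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO=6 "
    "200.223.111.242:1956 137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000 "
    "T=42 SYN (#77)",
]


def port_range(port: int) -> str:
    """IANA port ranges as listed on the slides."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_packet_log(line: str) -> Optional[dict]:
    """Decode one log line into a dict; None if it is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    frag = int(m["frag"], 16)
    rule = re.search(r"\(#(\d+)\)", m["rest"])
    entry = {
        "chain": m["chain"], "action": m["action"], "iface": m["iface"],
        "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "src": m["src"], "dst": m["dst"],
        "length": int(m["length"]),
        "tos_raw": int(m["tos"], 16),
        "tos": int(m["tos"], 16) // 4,        # TOS as ipchains expresses it
        "ipid": int(m["ipid"]),
        "ttl": int(m["ttl"]),
        "df": bool(frag & 0x4000),            # Don't Fragment bit
        "mf": bool(frag & 0x2000),            # More Fragments bit
        "frag_offset": (frag & 0x1FFF) * 8,   # logged value is offset / 8
        "syn": "SYN" in m["rest"].split(),    # TCP flag word, newer kernels
        "rule": int(rule.group(1)) if rule else None,
    }
    if proto == 1:                             # ICMP: type and code, not ports
        entry["icmp_type"], entry["icmp_code"] = int(m["sport"]), int(m["dport"])
    else:
        entry["sport"], entry["dport"] = int(m["sport"]), int(m["dport"])
        entry["service"] = SERVICES.get(entry["dport"], port_range(entry["dport"]))
    return entry


def describe(entry: dict) -> str:
    """One-line summary in the style of the slides' explanation."""
    if entry["proto"] == 1:
        what = "ICMP type %d code %d" % (entry["icmp_type"], entry["icmp_code"])
    else:
        what = "%s%s to port %d (%s)" % (entry["proto_name"],
                                         " SYN" if entry["syn"] else "",
                                         entry["dport"], entry["service"])
    rule = " by rule #%d" % entry["rule"] if entry["rule"] is not None else ""
    return "%s from %s to %s %s on %s%s" % (what, entry["src"], entry["dst"],
                                           entry["action"], entry["iface"], rule)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(describe(parse_packet_log(line)))
```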
 Firewall
Linux firewall log
Port numbers are divided into three ranges:
   1. The Well Known Ports are those from 0 through 1023.
       These are tightly bound to services, and usually traffic
       on this port clearly indicates the protocol for that
       service. For example, port 80 virtually always
       indicates HTTP traffic.
   2. The Registered Ports are those from 1024 through
       49151. These are loosely bound to services, which
       means that while there are numerous services
       "bound" to these ports, these ports are likewise used
        for many other purposes. For example, most systems
        start handing out dynamic ports starting around 1024.
 Firewall
Linux firewall log
   3. The Dynamic and/or Private Ports are those from
       49152 through 65535. In theory, no service should be
       assigned to these ports.

      In reality, machines start assigning "dynamic" ports
      starting at 1024. We also see strangeness, such as Sun
      starting their RPC ports at 32768.
For a complete list of port information, you may refer to
http://www.iana.org/assignments/port-numbers

Firewall
Setting private network with IP Masquerade

   IP Masquerade is a networking function in Linux similar
   to the one-to-many (1:Many) NAT (Network Address
   Translation) servers found in many commercial firewalls
   and network routers.

Firewall
Setting private network with IP Masquerade

   MASQ allows a set of machines to invisibly access the
   Internet via the MASQ gateway. To other machines on
   the Internet, the outgoing traffic will appear to be from
   the IP MASQ Linux server itself. In addition to the added
   functionality, IP Masquerade provides the foundation to
   create a HEAVILY secured networking environment.
   With a well built firewall, breaking the security of a well
   configured masquerading system and internal LAN
   should be considerably difficult to accomplish.

 Firewall
Setting private network with IP Masquerade
E.g.
/sbin/ipchains -A forward -s 192.168.0.0/16 -j MASQ

     This rule allows all the clients in the private network
     192.168.0.0/16 to be masqueraded by the Linux
     masquerading gateway.

Firewall
Setting up a private network with iptables NAT
    Linux iptables provides two different types of NAT: Source
    NAT (SNAT) and Destination NAT (DNAT).
     • Source NAT is when you alter the source address
         of the first packet, i.e. you are changing where the
         connection is coming from. Masquerading is a
         specialized form of SNAT.
     • Destination NAT is when you alter the destination
         address of the first packet, i.e. you are changing
         where the connection is going to. Port forwarding,
         load sharing, and transparent proxying are all forms
         of DNAT.

 Firewall
Setting up a private network with iptables NAT
Example of source NAT:
# Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

Example of destination NAT:
# Change destination addresses to 5.6.7.8.
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8

Network Address Translation (NAT)

   (Diagram)  Client 10.42.6.9  --->  NAT  --->  Server 35.9.20.20
              (Linux calls it masquerading)

                NAT Pro/Con
• Pro
  – Enforces control over outbound connections
  – Dynamic translation is more restrictive:
    changed mappings increase attack difficulty
  – Conceals internal configuration
• Con
  – Dynamic translation requires maintaining state
    (how long to keep a connection open?)
  – Interferes with some encryption schemes
  – Dynamic translation interferes with logging
  – Dynamic translation of ports can interfere with filtering

   (Diagram)  Evil Hackers  --->  Firewall  --->  Your network

• Firewalls mitigate risk
• Block many threats
• They have vulnerabilities

Firewalls can be your connection to the
  Internet. As a prerequisite to this course
  you already know about networking, but it
  is worthwhile to look at the interface to the
  Internet with respect to security.

            Typical Network Stack

•   Application Layer (FTP, HTTP, SSH, etc.)
•   Transport Layer (TCP, UDP, ICMP)
•   Internet Layer (IP)
•   Network Access Layer (Ethernet, FDDI, etc.)

(If you have a Novell or AppleShare network, the IP layer will be different.)
(Carrier Pigeon Network Layer: RFC1149 on 1 April 1990
    defines the Avian Transport Protocol)

        Packet Organization
Each layer’s packet organization has a
 header and data fields.
Each layer treats the information it gets from
 the layer above it as data,
  i.e. every layer adds a header.

                     Encapsulation

Application (FTP, HTTP, …)                                [Data]
Transport (TCP, UDP, …)                          [Header][Data]
Internet (IP)                           [Header][Header][Data]
Network (Ethernet)             [Header][Header][Header][Data]

              Ethernet Layer
• Header:
  – Packet Type, e.g. IP
  – Source Address
     Original source or last router on path
  – Destination Address
     • Final destination or next router
     • Maybe multicast or broadcast
  – Addresses are Media Access Control (MAC)
• Data is an IP packet

                   IP Layer
• Header
  – IP Source Address, e.g. 35.9.20.20
  – IP Destination Address
  – IP Protocol Type, e.g. TCP, UDP, ICMP
• Data: TCP packet (or UDP, etc.)
• Fragmentation
  If (network max packet size < IP max size)
  split data into multiple packets (fragments)

                 TCP Layer
• Header
  – TCP Source Port (2-bytes)
  – TCP Destination Port
  – TCP Flags: designates packet type
     • ACK, SYN, etc.
• Data: application data, e.g. FTP data

 Multicast or Broadcast Source
• Legitimate use:
  DHCP request uses a broadcast source since it
  doesn’t have a valid address
• Illegitimate use:
  sending a broadcast source to a single
  destination will prompt a broadcast reply
  allowing you to use the destination as a
  broadcast source
• Since DHCP isn’t external (normally),
  block broadcast source

           IP Fragmentation
Prevent fragmentation with
  path MTU discovery
  – Maximum Transmission Unit (MTU)
  – Send message with “don’t fragment” set
    If (error returned), decrease size
        else increase size

   Packet Filters & Fragmentation
• Solution: packet filter only first packet and
  let non-first packets through
  If you drop the first, a higher level protocol
  (TCP) will invalidate the rest.
• Problem #1: destination holds non-first
  packets waiting for the missing one (until
  timeout) resulting in
  Denial of Service!

 Packet Filter & Fragmentation
• Problem #2: attacker carefully constructs
  overlapping fragments so that non-first
  packets contain useful information.
  Overlapping fragments may be
  reassembled into invalid packets causing
  the OS to crash.

 Packet Filter & Fragmentation
• Problem #3: Attacker can get information
  to otherwise blocked ports by having valid
  TCP packets in non-first fragments which
  slip through.

 Packet Filter & Fragmentation
Solutions
• Fragment reassembly before filtering
  Time consuming
• Reject all non-first fragments
  May reject otherwise good connections,
   but they will retransmit.
• Increased use of MTU is reducing
  fragmentation

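Added example (not Snort's or any kernel's reassembly code) covering both the out-of-order and overlapping-fragment evasions from the IDS section and the "reassemble before filtering" solution above: fragments are collected regardless of arrival order, conflicting overlaps are reported instead of being resolved by a guessed policy, and the filter rule is applied only to the reassembled datagram. Fragments are a simplified record of (IP ID, offset, MF flag, payload) constructed inline, not parsed IP headers.

```python
"""Fragment reassembly that refuses to guess (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """Simplified IP fragment record (constructed; not a parsed IP header)."""
    ip_id: int
    offset: int     # fragment offset in 8-byte units, as in the IP header
    mf: bool        # More Fragments flag
    payload: bytes

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + len(self.payload)


def reassemble(frags: List[Fragment]) -> Tuple[str, Optional[bytes]]:
    """Reassemble one datagram's fragments regardless of arrival order.

    Returns ("complete", data) when every byte up to the final fragment is
    present, ("incomplete", None) when pieces are still missing,
    ("overlap", None) when two fragments claim the same bytes with different
    contents, and ("invalid", None) when data lies beyond the final fragment.
    Conflicting overlaps are reported rather than resolved, because that is
    exactly where an IDS and the end host may disagree.
    """
    if not frags:
        return "incomplete", None
    finals = {f for f in frags if not f.mf}     # identical retransmits collapse
    if len(finals) > 1:
        return "overlap", None
    buf = bytearray()
    for f in sorted(frags, key=lambda f: f.start):
        if f.start > len(buf):
            return "incomplete", None           # hole before this fragment
        common = min(len(buf) - f.start, len(f.payload))
        if common and bytes(buf[f.start:f.start + common]) != f.payload[:common]:
            return "overlap", None              # same bytes, different data
        buf += f.payload[common:]               # append only the new tail
    if not finals:
        return "incomplete", None               # final fragment not yet seen
    if next(iter(finals)).end != len(buf):
        return "invalid", None                  # data past the final fragment
    return "complete", bytes(buf)


def reassemble_all(frags: List[Fragment]) -> Dict[int, Tuple[str, Optional[bytes]]]:
    """Group a mixed stream by IP ID and reassemble each datagram."""
    groups: Dict[int, List[Fragment]] = {}
    for f in frags:
        groups.setdefault(f.ip_id, []).append(f)
    return {i: reassemble(g) for i, g in groups.items()}


def inspect(frags: List[Fragment], pattern: bytes) -> dict:
    """Reassemble before filtering: the rule is applied to the datagram the
    end host would see, never to individual fragments."""
    status, data = reassemble(frags)
    return {"status": status,
            "matched": status == "complete" and pattern in data}
```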
                    TCP

TCP is reliable because it guarantees to
 the application layer:
  – Provide data in order it was sent
  – Provide all data sent
  – Will not provide duplicates
It will kill a connection before violating any.

            Blocking TCP

• To block a TCP connection,
  simply block the first packet.
• The first packet is unique: ACK is not set
  – “start-of-connection” packet
• Can enforce a policy of only allowing
  connections to external servers,
  i.e. deny external connection requests to
  internal servers

           TCP Options

• Common TCP Options:
  – ACK (acknowledgement)
  – SYN (synchronize)
  – RST (reset)
  – FIN (finish)
• 3-way handshake uses ACK & SYN
• RST & FIN are used to close connections

              TCP Options
Firewalls use ACK and RST
  – ACK indicates first packet of connection
  – RST tells people to “shut up”
    without providing a useful error message

     TCP Sequence Numbers

• Sequence numbers allow reconstruction of
  correct order of packets
• Supposed to begin with a random number,
  but often is not random—vulnerability!
• How to hijack a TCP connection?

   Hijacking a TCP Connection
Attackers need
• Ability to forge TCP/IP packets.
• Initial sequence number
• Knowledge that a TCP connection has started
  (but not the ability to see it)
• When the TCP connection started
• Ability to redirect responses to you
  OR continue the conversation without responses
  to you while achieving your goal
Thought to be too hard, but exists in the wild.

                    UDP

Since UDP does not guarantee reliability
  there is no uniquely identifiable first packet

                     ICMP
Examples
  – Echo Request: sent by ping
  – Echo Response
  – Time exceeded (really hops exceeded)
  – Destination unreachable
  – Redirect (router redirected a packet and is
    telling the sender that a better way exists)

                    ICMP
“Destination Unreachable” has codes
  to indicate reason
The relevant ones are
  “Fragmentation Needed” and
  “Don’t Fragment”
  used for path MTU discovery
Desirable to drop all other “unreachable” replies
 since they provide useful information to
 scanners.
Most firewalls do not allow discrimination on
 ICMP reason.

            ICMP Attacks
• ICMP packets should be very small—large
  ones indicate a problem, so filter out large
  ones.
• For example, echo packets allow padding
  which could contain data.
  Not useful for cracking, but could be used
  to maintain a connection to a
  compromised site.

                     IP over IP
• Encapsulating IP over IP
  – Encrypted traffic
  – Mobile IP (movement with fixed IP)
  – Burying protocol
     • Multicast over non-supporting networks
     • IPv6 over IPv4
  – VPN: virtual private networks
• Problem: cannot see “actual” IP packet
  (encrypted) or may not look at it

           Low-level attacks
• Port scanning
  – Send SYN without ACK;
    receives SYN if open or RST if not
  – Send FIN
    • “all options on” = Christmas tree (lights it up)
    • “all options off” = null
    • Either can crash a weak TCP/IP stack

            Low-level Attacks

IP Spoofing:
  Apparent problem: reply not sent to attacker
  – Attacker can intercept reply
  – Attacker doesn’t care to see it (e.g. DoS)
  – Attacker doesn’t want reply: smurf attack
    redirects response to attack while multiplying
    replies with broadcast source

    Packet Filtering Pro/Con
• Pro
  – One filter can protect an entire network
  – Simple filtering is efficient
  – Widely available
• Con
  – Not perfect: hard to configure and test
  – Reduces router performance
  – Some security policies cannot be enforced,
    e.g. block a user

 Three main categories of firewalls
• Network layer firewalls. An example would
  be iptables.
• Application layer firewalls. An example
  would be TCP Wrappers.
• Application firewalls. An example would be
  restricting ftp services through
  /etc/ftpaccess file

        Network layer firewalls
• operate at a (relatively) low level of the TCP/IP protocol
  stack as IP-packet filters, not allowing packets to pass
  through the firewall unless they match the rules. The
  firewall administrator may define the rules; or default
  built-in rules may apply (as in some inflexible firewall
  systems).
• A more permissive setup could allow any packet to pass
  the filter as long as it does not match one or more
  "negative-rules", or "deny rules". Today network firewalls
  are built into most computer operating systems and
  network appliances.
• Modern firewalls can filter traffic based on many packet
  attributes like source IP address, source port, destination
  IP address or port, destination service like WWW or
  FTP. They can filter based on protocols, TTL values,
  netblock of originator, domain name of the source, and
  many other attributes.
    Application-layer firewalls
• work on the application level of the TCP/IP stack (i.e., all
  browser traffic, or all telnet or ftp traffic), and may
  intercept all packets traveling to or from an application.
  They block other packets (usually dropping them without
  acknowledgement to the sender). In principle, application
  firewalls can prevent all unwanted outside traffic from
  reaching protected machines.
• By inspecting all packets for improper content, firewalls
  can even prevent the spread of the likes of viruses. In
  practice, however, this becomes so complex and so
  difficult to attempt (given the variety of applications and
  the diversity of content each may allow in its packet
  traffic) that comprehensive firewall design does not
  generally attempt this approach.
• The XML firewall exemplifies a more recent kind of
  application-layer firewall.
               A proxy device
• (running either on dedicated hardware or as software on
  a general-purpose machine) may act as a firewall by
  responding to input packets (connection requests, for
  example) in the manner of an application, whilst blocking
  other packets.
• Proxies make tampering with an internal system from the
  external network more difficult and misuse of one
  internal system would not necessarily cause a security
  breach exploitable from outside the firewall (as long as
  the application proxy remains intact and properly
  configured). Conversely, intruders may hijack a publicly-
  reachable system and use it as a proxy for their own
  purposes; the proxy then masquerades as that system to
  other internal machines. While use of internal address
  spaces enhances security, crackers may still employ
  methods such as IP spoofing to attempt to pass packets
  to a target network.

				