Network Security: The Importance of Computer Security

Source: Computer Network Research Group ITB

Perspective...
  • Less than 200 security incidents in 1989.
  • About 400 in 1989.
  • About 1400 in 1993.
  • Estimated more than 2241 in 1994.
  • Nobody knows the correct statistics on how many attacks are actually detected by the sites broken into.

Survey Dan Farmer (Dec 96)
  • 1700 web sites:
    - 60% vulnerable.
    - 9-24% are at risk if a single bug in a service daemon (ftpd, httpd / sendmail) is found.
    - Attacks on 10-20% of sites are neutralized using denial-of-service.

Attack Statistics

Attack Risk

Attack Sources

Attack Activity

Attacks on the Internet
  • Approx. 19,540,000 hosts are connected to the Internet (end 1996).
  • US DoD: 250,000 attacks / year.
  • Attack on Rome Laboratory.

Network Security
‘The effort to prevent someone from carrying out actions we do not want on the computer, its software, and the devices within it, so that everything remains in the ideal state we want.’

Firewall Layout

What are you trying to protect?
  • Your Data.
  • Your Resources.
  • Your Reputation.

What Are You Trying To Protect Against?
  • Type of attacks
  • Intrusion.
  • Denial of Service.
  • Information Theft.

Type of Attackers
  • Joyriders.
  • Vandals.
  • Score Keepers.
  • Spies (Industrial & Otherwise).
  • Stupidity & Accidents.

Security Policy
‘A decision that defines the limits on the actions that may be taken, and the response when those limits are violated, in order to achieve a particular goal.’

Objectives
  • Secrecy
  • Data Integrity
  • Availability

Security Policy Steps
  • What is / is not allowed.
  • Predict risk & cost (start with bugs).
  • Determine the objects to be protected.
  • Determine the forms of threat & attack:
    - Unauthorized access.
    - Information disclosure.
    - Denial of service.

Steps...
  • Consider system weaknesses:
    - Authentication.
    - Password sharing.
    - Use of easily guessed passwords.
    - Software bugs.
  • Optimize cost / performance.

People...
  • Responsibility.
  • Commitment.

Design Security Policy
  • Secrecy
  • Data integrity
  • Availability
  • Consistency
  • Identification & authentication control
  • Monitoring & logging

Principles...
  • Minimum privilege
  • Reduce the number of components

How Can You Protect Your Site
  • No Security.
  • Security Through Obscurity.
  • Host Security.
  • Network Security.
  • No Security Model Can Do It All.

What Can A Firewall Do?
  • A firewall is a focus for security decisions.
  • A firewall can enforce security policy.
  • A firewall can log Internet activity efficiently.
  • A firewall limits your exposure.

What Can’t A Firewall Do?
  • A firewall can’t protect you against malicious insiders.
  • A firewall can’t protect you against connections that don’t go through it.
  • A firewall can’t protect against completely new threats.
  • A firewall can’t protect against viruses.

List of Must-Secure Internet Services
  • Electronic mail (SMTP).
  • File Transfer (FTP).
  • Usenet News (NNTP).
  • Remote Terminal Access (Telnet).
  • World Wide Web Access (HTTP).
  • Hostname / Address lookup (DNS).

Security Strategies
  • Least Privilege.
  • Defense in Depth (multiple security mechanisms).
  • Choke Point: forces attackers to use a narrow channel.
  • Weakest Link.
  • Fail-Safe Stance.
  • Diversity of Defense.
  • Simplicity.

Building Firewalls

Some Firewall Definitions
  • Firewall
    - A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.
  • Host
    - A computer system attached to a network.

Firewall Def’s Cont...
  • Bastion Host
    - A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks.
  • Dual-homed host
    - A general-purpose computer system that has at least two network interfaces (or homes).

Firewall Def’s Cont...
  • Packet
    - The fundamental unit of communication on the Internet.
  • Packet filtering
    - The action a device takes to selectively control the flow of data to and from a network.
  • Perimeter network
    - A network added between a protected network and an external network, to provide an additional layer of security.

Firewall Def’s Cont...
  • Proxy Server
    - A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests on to real servers, and relay answers back to clients.

Packet Filtering

Proxy Services

Screened Host Architecture

De-Militarized Zone Architecture

DMZ With Two Bastion Hosts

It’s OK
  • Merge Interior & Exterior Router
  • Merge Bastion Host & Exterior Router
  • Use Multiple Exterior Routers
  • Have Multiple Perimeter Networks
  • Use Dual-Homed Hosts & Screened Subnets

It’s Dangerous
  • Use Multiple Interior Routers
  • Merge Bastion Host and Interior Router

Private IP Address
  • Use within Internal Network
  • Reference RFC 1597
  • IP address allocation:
    - Class A: 10.x.x.x
    - Class B: 172.16.x.x - 172.31.x.x
    - Class C: 192.168.0.x - 192.168.255.x
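
Added example (not part of the original slides): a small first-match packet filter in Python that applies the deck's fail-safe stance (default deny) and rejects packets arriving on the Internet side with an RFC 1597 private source address. The bastion address, interface names, rule table and sample packets are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# RFC 1597 private ranges from the slide above, written as CIDR blocks.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BASTION = "192.0.2.10"  # hypothetical bastion host address (assumption)

class Packet(NamedTuple):
    iface: str   # arrival interface: "ext" (Internet side) or "int"
    src: str
    dst: str
    proto: str
    dport: int

# Assumed first-match rules: (iface, src, dst, proto, dport, action); None = any.
RULES = [
    ("ext", None, BASTION, "tcp", 25, "allow"),   # inbound SMTP, bastion only
    ("ext", None, BASTION, "udp", 53, "allow"),   # inbound DNS, bastion only
    ("int", BASTION, None, "tcp", 80, "allow"),   # outbound HTTP from the proxy
]

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def decide(pkt: Packet) -> tuple:
    """Return (action, reason) for one packet."""
    # Internal-only range seen on the Internet side: forged or misrouted.
    if pkt.iface == "ext" and is_private(pkt.src):
        return "deny", "private source on external interface"
    for n, (iface, src, dst, proto, dport, action) in enumerate(RULES, 1):
        if (iface == pkt.iface and src in (None, pkt.src)
                and dst in (None, pkt.dst)
                and proto == pkt.proto and dport == pkt.dport):
            return action, f"rule {n}"
    return "deny", "default deny"  # fail-safe stance: nothing matched

# Constructed sample traffic (documentation-range addresses).
SAMPLES = [
    Packet("ext", "198.51.100.7", BASTION, "tcp", 25),
    Packet("ext", "172.20.5.5", BASTION, "tcp", 25),
    Packet("ext", "198.51.100.7", "10.1.2.3", "tcp", 23),
    Packet("int", "10.1.2.3", "203.0.113.9", "tcp", 80),
    Packet("int", BASTION, "203.0.113.9", "tcp", 80),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.iface, p.src, "->", p.dst, p.dport, decide(p))
```

The fourth sample shows the choke point at work: an internal client that tries to reach the Internet directly is dropped, because only the bastion host is allowed out.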

Bastion Host
  • It is our presence on the Internet.
  • Keep it simple.
  • Be prepared for the bastion host to be compromised.

Special Kinds of Bastion Hosts
  • Nonrouting Dual-Homed Hosts.
  • Victim Machine.
  • Internal Bastion Hosts.

Choosing A Bastion Host
  • What Operating System?
    - Unix
  • How Fast a Machine?
    - 386-based UNIX.
    - MicroVAX II
    - Sun-3

Proxy Systems
  • Why Proxying?
    - Proxy systems deal with the insecurity problems by avoiding user logins on the dual-homed host and by forcing connections through controlled software.
    - It’s also impossible for anybody to install uncontrolled software to reach the Internet; the proxy acts as a control point.

Proxy - Reality & Illusion

Advantages of Proxying
  • Proxy services allow users to access Internet services “directly”.
  • Proxy services are good at logging.

Disadvantages of Proxying
  • Proxy services lag behind non-proxied services.
  • Proxy services may require different servers for each service.
  • Proxy services usually require modifications to clients, procedures, or both.
  • Proxy services aren’t workable for some services.
  • Proxy services don’t protect you from all protocol weaknesses.

Proxying without a Proxy Server
  • Store-and-Forward services naturally support proxying.
  • Examples:
    - E-mail (SMTP).
    - News (NNTP).
    - Time (NTP).

Internet Resources on Security Issues

WWW Pages
  • http://www.telstra.com.au/info/security.html
  • http://www.cs.purdue.edu/coast.html

Mailing Lists
  • firewalls@greatcircle.com
    - ftp://ftp.greatcircle.com/pub/firewalls/
    - http://www.greatcircle.com/firewalls/
  • fwall-users@tis.com
  • academic-firewalls@net.tamu.edu
    - ftp://net.tamu.edu/pub/security/lists/academic-firewalls
  • bugtraq@fc.net

Newsgroups
  • comp.security.announce
  • comp.security.unix
  • comp.security.misc
  • comp.security.firewalls
  • alt.security
  • comp.admin.policy
  • comp.protocols.tcp-ip
  • comp.unix.admin
  • comp.unix.wizards

Summary
  • In these dangerous times, firewalls are the best way to keep your site secure.
  • Although you’ve got to include other types of security in the mix, if you’re serious about connecting to the Internet, a firewall should be at the very center of your security plans.