Outline22 Firewall Packet Filtering Application Gateway Proxy Server
- Slides: 56
Outline(2/2) • 防火牆(Firewall) –簡單交通記錄系統 – Packet Filtering – Application Gateway – Proxy Server – Screened Host Firewall 3
其他傳輸Attack • • Eavesdropping OS漏洞 Password的竊取 Spoofing, Spam, Intrusion Session Hijacking 特洛依木馬Troy、virus、trapdoor Covert Channel 5
加 密 與 解 密 Encryption M 明文 Ke Kd C 密文 Decryption 7
Vigenere 加密法 Jwlmliplopwkjmzieufvhshhnabhof odqfauiipjaoxabtwlmleffrsnruhloggbnn Fesnedxabieltmbeevuiqzizjlogoomoziipfvhssl ochiewpufiegnykfauuinoozuhhseltnw br. Dedotrpdhfpdnoxotdjnvphlhhlucdotnfeslehq mhbwdzazbyisopiivmoyf 13
DES(Data Encryption Standard) • • Plaintext M(64 bits) Ciphertext C(64 bits) Key K(56 bits or 64 bits) Round Function F(X, Y) : X(32 bits) and Y(48 bits) • Rounds: 16 14
DES(Cont. ) • • • IP: initial permutation IP(M) = (L, R) FP: final permutation : IP. FP = FP. IP (Ln, Rn) = (Rn-1, Ln-1 F(Rn-1, K)) F(X, Y) = Perm(S_box( Ext(X) Y)) C = FP(R, L) 15
DES(Fig. ) 16
DES(One round) 17
Triple DES 18
RSA (原理) (Cd mod n) = ((Me mod n)d mod n) = Me*d mod n = M(k * (p-1) * (q-1)) + 1 mod n = M 1 mod n=M (因為e * d ≡ 1 (mod ((p-1) * (q-1)))。) Fermat’s Theorem (n) mod n =1 20
RSA 例子 1, B A(Cont. ) • e. A*d. A=11*3=1 mod Φ(n) • B用A’s Public key加密得密文為: 1311 mod 15 = 7 • A 用自己的Private key 解開密文得回明文 73 mod 15=13 24
RSA特性及其運用 • • • RSA運用exponential algorithm RSA執行速度較DES等對稱加密慢 硬體的RSA比硬體的DES慢 1000倍 軟體的RSA則比軟體的DES慢 100倍 故RSA其主要的用途: – digital signature – protocol中的key exchange。 26
Message Authentication Codes (MAC) • MAC is an authentication tag (also called a checksum) derived by appying an authentication scheme, together with a secret key, to a message. • There are four types of MACs: (1) unconditionally secure (2) hash function-based (3) stream cipher-based or (4) block cipher-based. 28
MAC • Hash function H(m 1, m 2, …, mt)=m • 現有的Hash function: MD 5, SHA-1, . . . • MAC is key-dependent one-way hash function – MAC are computed and verified with the same key – A & B 共同擁有 key K – A send H(K, M) to B – B can reproduce A’s result 29
總結(1/) • 對稱式加密 Session Key I am Yiter DES Session Key Asd$# v#$h DES I am Yiter 31
總結(2/) • 非對稱式加密 第三公正者 對方的 自己的 Private Key Public key I am Yiter RSA @#SD FGSA SDF RSA I am Yiter 32
總結(3/) • 對稱與非對稱式加密交互運用 自己的 Private Key 對方的 Public key Session Key RSA ^%$(* &#$ Session Key I am 陳水扁 DES RSA Session Key Dthfgb $shgzx cv DES Bdve$ %^@d grse I am 陳水扁 33
總結(6/) • 對稱; 非對稱式加密加電子簽章 自己的 Private Key 對方的 Public key Session Key 原 文 電子簽章 RSA ^%$(* &#$ Session Key Rijndael RSA Session Key Dthfgb $shgzx cv Rijndael Session Key 原 文 電子簽章 36
Firewall 定義: 只讓具備特殊身分的外在使用者才能連 上一個被保護的網站, 使用其軟體或硬體 A firewall system is used to control access to or from a protected network ( a site ). 小問題: pcanywhere 37
Firewall圖示 38
Firewall 的種類 • 簡單交通記錄系統 • 封包過濾(Packet Filtering) • Application Gateway (Dual-homed Gateway) • Proxy Server • Screened Host Firewall 39
封包過濾(Packet Filtering) 41
封包過濾優缺點 • 優點 – Most Common , easy and cheap – Fully transparency, no impact to user • 缺點 – Little or no logging capability – Complex filtering rules may become unmanageable – Rules are difficult to test thoroughly 43
Application Gateway Dual-homed Gateway 44
Application Gateway圖示 45
Proxy Server 位於Internet 和內部網路之間, 提供中間人的服務 支援「extra logging」and「advanced authentication 」 Client Proxy Server Remote Server Cache 47
Screened Host Firewall為封包濾器 (packet filter) 與應用閘道器 (application gateway) 的組合 48
Screened Host Firewall n 優點 èMore flexibility. èRouter filtering rules are simplified. n 缺點 èLess security. (packet can go directly inside) 50
Screened Subnet Firewall 51
“Subnet v. s. Host” Screened Gateway • Subnet 將 Host中的單部Gateway擴展成數 部,並將風險及效能的負擔分散至數部主 機,所以較有彈性、安全、且有效率。 • 缺點 – More expensive – complex management – Less security if permit special「trusted」service. 52
What Can’t a Firewall Protect Against • Firewalls can’t protect against attacks that don’t go through the firewall , or rules that make a leak. • Firewalls can’t protect against「data driven 」 attacks , like「Virus」. 53
參考資料 • Electronic Commerce : A Manager’s Guide Kalakota & Whinston • 碁峰: 網際網路安全手冊 • 網站 –http: //www. rsasecurity. com/ –http: //khchu. virtualave. net/index. htm 56
Stateless packet filtering
Packet filtering gateway
Packet filtering firewall
Screened subnet firewall
Ingress filtering vs egress filtering
Stateless inspection
Mac layer firewalls
Firewall basing
Firewall a
Ip packet icon
Access point cisco icon
German proxy server
Topologi proxy server
Proxy server
Oracle services for microsoft transaction server
Twebsa
Server radius packet tracer
Firewall evaluation criteria
Waf utm
Ace web application firewall
Waf vs ips
Web application firewall
Azure application gateway vs traffic manager
Advantages and disadvantages of common gateway interface
Progress application server for openedge
We sip
Application server market
Resin application server monitoring
Oracle internet application server
Discuss the e-commerce architecture and its components
Communications application server
Enterprise oracle and magee
Geronimo application server
Client server basics
Windows filtering platform
Collaborative filtering medium
Ducks relationship filtering model
Collaborative filtering pros and cons
Selim aksoy
Filtering methods based on dft
Windows filtering platform
In digital image processing
Constrained least squares filtering
Competitive filtering
Matched filtering gravitational waves
Intensity transformation and spatial filtering
Linear filtering citra
Filtration
Filtering mode
Perceptron-based prefetch filtering
Intensity transformation and spatial filtering
Band pass filtering in biomedical instrumentation
Content filtering trusts
Abbe imaging and spatial filtering experiment
Recursive bilateral filtering
Grating couplers wikipedia
Linear filtering
