Network Security:
The Importance of Computer Security

Computer Network Research Group
ITB

Perspective ...

• Less than 200 security incidents in 1989.
• About 400 in 1989.
• About 1400 in 1993.
• Estimated more than 2241 in 1994.
• Nobody knows the correct statistics on how many attacks are actually detected by the sites broken into.

Dan Farmer's Survey (Dec 96)

• 1700 web sites:
  - 60% vulnerable.
  - 9-24% at risk if a single bug in a service daemon (ftpd, httpd / sendmail) is found.
  - Attacks on 10-20% of sites are neutralized using denial-of-service.

Attack Statistics

Type         Scanned   Penetrated %   Yellow %   Red %
Banks            660          68.33      32.73   35.61
Credit U         274          51.09      30.66   20.44
US Fed            47          61.70      23.40   38.30
Newspaper        312          69.55      30.77   38.78
Sex              451          66.08      40.58   25.50
Totals          1734          64.94      33.85   31.08

Risk of Attack

[Bar chart comparing W/ Internet and W/O Internet; data labels 24 and 3]

Sources of Attack

[Chart; series: From outside, Virus to network, Virus to PC, From inside]

Attack Activity

• Data Manipulation 6.8%
• Backdoor Software 6.6%
• Password 5.6%
• Scanning 14.6%
• Trojan Horse 5.8%
• IP Spoofing 4.8%
• Virus 10.6%

Attacks on the Internet

• Approx. 19,540,000 hosts are connected to the Internet (end of 1996).
• US DoD: 250,000 attacks / year.
• Attack on Rome Laboratory.

Network Security

‘the effort to prevent someone from carrying out actions we do not want on computers, software, and the devices within them, so that everything stays in the ideal state we want’

Firewall Layout

[Diagram: InterNet - Firewall - Internal Network]

What are you trying to protect?

• Your Data.
• Your Resources.
• Your Reputation.

What Are You Trying To Protect Against?

• Type of attacks
  - Intrusion.
  - Denial of Service.
  - Information Theft.

Type of Attackers

• Joyriders.
• Vandals.
• Score Keepers.
• Spies (Industrial & Otherwise).
• Stupidity & Accidents.

Security Policy

‘a decision that determines the limits on the actions that may be taken, and the consequences when those limits are violated, in order to achieve a particular goal’

Objectives

• Secrecy
• Data Integrity
• Availability

Security Policy Steps

• What is / is not allowed.
• Estimate risk & cost (start with bugs).
• Determine the objects to be protected.
• Determine the forms of threat & attack:
  - Unauthorized access.
  - Disclosure of information.
  - Denial of service.

Steps ...

• Consider system weaknesses:
  - Authentication.
  - Password sharing.
  - Use of easily guessed passwords.
  - Software bugs.
• Optimize cost / performance.

People ...

• Responsibility.
• Commitment.

Design Security Policy

• Confidentiality (Secrecy)
• Data Integrity
• Availability
• Consistency
• Identification & Authentication Control
• Monitoring & Logging

Principles ...

• Least privilege
• Reduce the number of components

How Can You Protect Your Site

• No Security.
• Security Through Obscurity.
• Host Security.
• Network Security.
• No Security Model Can Do It All.

What Can A Firewall Do?

• A firewall is a focus for security decisions.
• A firewall can enforce security policy.
• A firewall can log Internet activity efficiently.
• A firewall limits your exposure.

What Can’t A Firewall Do?

• A firewall can’t protect you against malicious insiders.
• A firewall can’t protect you against connections that don’t go through it.
• A firewall can’t protect against completely new threats.
• A firewall can’t protect against viruses.

List of Must-Secure Internet Services

• Electronic mail (SMTP).
• File Transfer (FTP).
• Usenet News (NNTP).
• Remote Terminal Access (Telnet).
• World Wide Web Access (HTTP).
• Hostname / Address lookup (DNS).

Security Strategies

• Least Privilege.
• Defense in Depth (multiple security mechanisms).
• Choke Point: forces attackers to use a narrow channel.
• Weakest Link.
• Fail-Safe Stance.
• Diversity of Defense.
• Simplicity.

Building Firewalls

Some Firewall Definitions

• Firewall
  - A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.
• Host
  - A computer system attached to a network.

Firewall Def’s Cont ...

• Bastion Host
  - A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks.
• Dual-homed host
  - A general-purpose computer system that has at least two network interfaces (or homes).

Firewall Def’s Cont ...

• Packet.
  - The fundamental unit of communication on the Internet.
• Packet filtering.
  - The action a device takes to selectively control the flow of data to and from a network.
• Perimeter network.
  - A network added between a protected network and an external network, to provide an additional layer of security.

Firewall Def’s Cont ...

• Proxy Server
  - A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests on to real servers, and relay answers back to clients.

Packet Filtering

[Diagram: InterNet - Screening Router - Internal Network. The screening router routes or blocks packets, as determined by the site's security policy.]

Proxy Services

[Diagram: InterNet (External Host: Real Server) - Firewall (Dual-homed Host: Proxy Server) - Internal Network (Internal Host: Proxy Client)]

Screened Host Architecture

[Diagram labels: InterNet; Firewall; Screening Router; Bastion Host; Internal Network]

De-Militarized Zone Architecture

[Diagram labels: InterNet; Firewall; Exterior Router; Bastion Host; Perimeter Network; Interior Router / Choke Router; Internal Network]

DMZ With Two Bastion Hosts

[Diagram labels: InterNet; Firewall; Exterior Router; FTP/WWW Host; SMTP / DNS Host; Perimeter Network; Interior Router / Choke Router; Internal Network]

It’s OK

• Merge Interior & Exterior Router
• Merge Bastion Host & Exterior Router
• Use Multiple Exterior Routers
• Have Multiple Perimeter Networks
• Use Dual-Homed Hosts & Screened Subnets

It’s Dangerous

• Use Multiple Interior Routers
• Merge Bastion Host and Interior Router

Private IP Address

• Use within Internal Network
• Reference RFC 1597
• IP address allocation:
  - Class A: 10.x.x.x
  - Class B: 172.16.x.x - 172.31.x.x
  - Class C: 192.168.0.x - 192.168.255.x
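
The packet-filtering and private-address slides above, combined in an added example that is not part of the original slides: a first-match screening-router filter that drops Internet-side packets claiming an RFC 1597 source address and denies anything no rule allows. The bastion address, the rule set, and names such as `decide` are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1597 private blocks from the slide (Class A, B and C ranges).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addressing: the bastion host is the only machine the
# Internet may reach (screened host architecture).
BASTION = ipaddress.ip_address("192.0.2.10")

@dataclass(frozen=True)
class Packet:
    iface: str   # "ext" = arrived from the Internet, "int" = from inside
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1597 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

# Hypothetical site policy: (iface, dst or None for any, proto, dport, action).
RULES = [
    ("ext", BASTION, "tcp", 25, "allow"),  # inbound SMTP, bastion only
    ("ext", BASTION, "udp", 53, "allow"),  # inbound DNS, bastion only
    ("int", None,    "tcp", 80, "allow"),  # outbound HTTP from inside
    ("int", None,    "tcp", 23, "deny"),   # no outbound Telnet
]

def decide(pkt: Packet) -> str:
    """Return "allow" or "deny" for one packet; first matching rule wins."""
    # Private addresses are for internal use only, so one arriving from
    # the Internet side as a source address is treated as spoofed.
    if pkt.iface == "ext" and is_private(pkt.src):
        return "deny"
    for iface, dst, proto, dport, action in RULES:
        if (pkt.iface == iface and pkt.proto == proto
                and pkt.dport == dport
                and (dst is None or ipaddress.ip_address(pkt.dst) == dst)):
            return action
    return "deny"  # fail-safe stance: no rule matched

if __name__ == "__main__":
    # Constructed sample packets.
    for p in (Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 25),
              Packet("ext", "10.1.2.3", "192.0.2.10", "tcp", 25)):
        print(p, "->", decide(p))
```
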
Bastion Host

• It is our presence on the Internet.
• Keep it simple.
• Be prepared for the bastion host to be compromised.

Special Kinds of Bastion Hosts

• Nonrouting Dual-Homed Hosts.
• Victim Machine.
• Internal Bastion Hosts.

Choosing A Bastion Host

• What Operating System?
  - Unix
• How Fast a Machine?
  - 386-based UNIX.
  - MicroVAX II
  - Sun-3

Proxy Systems

• Why Proxying?
  - Proxy systems deal with the insecurity problems by avoiding user logins on the dual-homed host and by forcing connections through controlled software.
  - It’s also impossible for anybody to install uncontrolled software to reach the Internet; the proxy acts as a control point.

Proxy - Reality & Illusion

[Diagram labels: Perceived Connection; Actual Connection; Proxy Server; Server; Client; User's Illusion]

Advantages of Proxying

• Proxy services allow users to access Internet services “directly”.
• Proxy services are good at logging.

Disadvantages of Proxying

• Proxy services lag behind non-proxied services.
• Proxy services may require different servers for each service.
• Proxy services usually require modifications to clients, procedures, or both.
• Proxy services aren’t workable for some services.
• Proxy services don’t protect you from all protocol weaknesses.

Proxying without a Proxy Server

• Store-and-Forward services naturally support proxying.
• Examples:
  - E-mail (SMTP).
  - News (NNTP).
  - Time (NTP).

Internet Resources on Security Issues

WWW Pages

• http://www.telstra.com.au/info/security.html
• http://www.cs.purdue.edu/coast/coast.html

Mailing Lists

• firewalls@greatcircle.com
  - ftp://ftp.greatcircle.com/pub/firewalls/
  - http://www.greatcircle.com/firewalls/
• fwall-users@tis.com
• academic-firewalls@net.tamu.edu
  - ftp://net.tamu.edu/pub/security/lists/academic-firewalls
• bugtraq@fc.net

Newsgroups

• comp.security.announce
• comp.security.unix
• comp.security.misc
• comp.security.firewalls
• alt.security
• comp.admin.policy
• comp.protocols.tcp-ip
• comp.unix.admin
• comp.unix.wizards

Summary

• In these dangerous times, firewalls are the best way to keep your site secure.
• Although you’ve got to include other types of security in the mix, if you’re serious about connecting to the Internet, firewalls should be at the very center of your security plans.
