Computer Network Research Group, ITB
Perspective ...
[Chart: number of attacks with an Internet connection vs. without one (W/ Internet, W/O Internet); vertical axis 0 to 25]
[Chart: Attack Sources (Sumber Serangan); vertical axis 0 to 80; categories: from outside, virus reaching the network, virus reaching a PC, from inside. Title: Attack Activity (Aktifitas Serangan)]
[Diagram: Internet, Firewall, Internal Network]
What are you trying to protect?
Your Data.
Your Resources.
Your Reputation.
What Are You Trying To Protect Against?
Type of attacks
Intrusion.
Denial of Service.
Information Theft.
Type of Attackers
Joyriders.
Vandals.
Score Keepers.
Spies (Industrial & Otherwise).
Stupidity & Accidents.
Security Policy
Secrecy
Data Integrity
Availability
Steps Toward a Security Policy
Responsibility.
Commitment.
Designing a Security Policy
Secrecy
Data Integrity
Availability
Consistency
Identification & Authentication Control
Monitoring & Logging
Principles ...
Least privilege
Reduce the number of components
How Can You Protect Your Site?
No Security.
Security Through Obscurity.
Host Security.
Network Security.
No Security Model Can Do It All.
What Can A Firewall Do?
Firewall
A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.
Host
A computer system attached to a network.
Firewall Definitions (cont.)
Bastion Host
A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks.
Dual-homed host
A general-purpose computer system that has at least two network interfaces (or homes).
Firewall Definitions (cont.)
Packet.
The fundamental unit of communication on the Internet.
Packet filtering.
The action a device takes to selectively control the flow of data to and from a network.
Perimeter network.
A network added between a protected network and an external network, to provide an additional layer of security.
Firewall Definitions (cont.)
Proxy Server
A program that deals with external servers on behalf of internal clients. Proxy clients talk to the proxy server, which relays approved client requests on to the real servers and relays the answers back to the clients.
Packet Filtering
[Diagram: Internet and Internal Network separated by a packet-filtering device]
Proxy Services
[Diagram: External Host and Real Server on the Internet; Firewall (dual-homed host) running the Proxy Server; Internal Host running the Proxy Client on the Internal Network]
Screened Host Architecture
[Diagram: Internet; Firewall consisting of a Screening Router; Bastion Host on the Internal Network]
De-Militarized Zone Architecture
[Diagram: Firewall made up of a Perimeter Network holding the Bastion Host; Interior Router (Choke Router) between the Perimeter Network and the Internal Network]
DMZ With Two Bastion Hosts
[Diagram: Firewall made up of a Perimeter Network holding two bastion hosts, an FTP/WWW Host and an SMTP/DNS Host; Interior Router (Choke Router) between the Perimeter Network and the Internal Network]
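The packet-filtering definition above says only that a device "selectively controls the flow of data"; what that means in practice is an ordered rule list evaluated first-match with an implicit final deny. The following added example (not from the original slides) models the rules a screening router in front of the two-bastion-host DMZ above might carry. All addresses (203.0.113.0/24 as the outside, 192.0.2.0/24 as the perimeter network, 10.0.0.0/8 as the internal network, the two bastion host addresses), the interface names and the `Rule`/`Packet`/`decide` names are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Constructed address plan for the example (assumption, not from the slides).
INTERNET = ip_network("0.0.0.0/0")
PERIMETER = ip_network("192.0.2.0/24")     # perimeter (DMZ) network
INTERNAL = ip_network("10.0.0.0/8")        # internal network behind the choke router
SMTP_DNS = ip_network("192.0.2.20/32")     # SMTP / DNS bastion host
FTP_WWW = ip_network("192.0.2.30/32")      # FTP / WWW bastion host


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    iface: str       # interface the packet arrived on: "outside" or "inside"
    ack: bool = False  # TCP ACK bit; False for the SYN that opens a new connection


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    iface: Optional[str]          # None = any interface
    src: object                   # ip_network
    dst: object                   # ip_network
    proto: Optional[str] = None   # None = any protocol
    dports: Optional[Set[int]] = None  # None = any destination port
    ack: Optional[bool] = None    # True = only segments of already-open TCP connections

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports)
                and (self.ack is None or self.ack == p.ack))


def decide(rules, packet: Packet) -> str:
    """First-match evaluation as a screening router does it; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


# One possible rule set for the exterior (access) router of the DMZ (assumption).
EXTERIOR_RULES = [
    # Anti-spoofing: a packet arriving from the outside may not claim an inside source.
    Rule("deny", "outside", PERIMETER, INTERNET),
    Rule("deny", "outside", INTERNAL, INTERNET),
    # Services the two bastion hosts publish to the Internet.
    Rule("permit", "outside", INTERNET, SMTP_DNS, "tcp", {25, 53}),
    Rule("permit", "outside", INTERNET, SMTP_DNS, "udp", {53}),
    Rule("permit", "outside", INTERNET, FTP_WWW, "tcp", {21, 80}),
    # Replies to connections the bastion hosts opened outward (ACK set, so not a new SYN).
    Rule("permit", "outside", INTERNET, PERIMETER, "tcp", None, True),
    # Only perimeter hosts talk to the Internet directly; internal hosts go through the proxies.
    Rule("permit", "inside", PERIMETER, INTERNET),
    # Implicit last rule: deny, which covers every Internet -> internal network packet.
]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.20", "tcp", 25, "outside"),         # mail to the bastion
        Packet("203.0.113.5", "10.1.2.3", "tcp", 23, "outside"),           # telnet to an internal host
        Packet("10.1.2.3", "192.0.2.20", "tcp", 25, "outside"),            # spoofed internal source
        Packet("203.0.113.5", "192.0.2.30", "tcp", 40000, "outside", True),  # reply to bastion
    ]
    for p in samples:
        print(p, "->", decide(EXTERIOR_RULES, p))
```

The ACK rule is the classic stateless trick for letting replies in without letting new inbound connections in; it is also the rule an attacker probes (ACK scans), which is why the slide's "be prepared for the bastion host to be compromised" matters even with a careful filter.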
It’s OK
Keep it simple.
Be prepared for the bastion host to be compromised.
Special Kinds of Bastion Hosts
Nonrouting Dual-Homed Hosts.
Victim Machine.
Internal Bastion Hosts.
Choosing A Bastion Host
Why Proxying?
Proxy systems deal with the insecurity problems of a dual-homed host by avoiding user logins on the dual-homed host and by forcing connections through controlled software.
Because the proxy is the only way out, nobody can install uncontrolled software that reaches the Internet directly; the proxy acts as the control point.
Proxy - Reality & Illusion
[Diagram: the client's perceived connection runs straight to the server (the user's illusion); the actual connection runs from the client to the proxy and from the proxy to the server]
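The two slides above describe the proxy as a control point and as an illusion: the client believes it talks to the server, but every byte passes through software that first decides whether the request is approved. The following added example (not from the original slides) implements that in miniature: a proxy session reads a `CONNECT host:port` request, refuses it unless the destination is on an allow-list, and only then opens the upstream connection and relays in both directions. The request format, the `ALLOWED_DESTINATIONS` list, the example host names and the use of in-process socket pairs in place of real network connections are all assumptions made so the code runs offline.

```python
import select
import socket
import threading

# Constructed policy (assumption): the only destinations the proxy will open for clients.
ALLOWED_DESTINATIONS = {("www.example.com", 80), ("ftp.example.com", 21)}


def read_line(sock, limit=512):
    """Read one newline-terminated line byte by byte, so nothing after the
    request line is swallowed into a buffer before relaying starts."""
    line = b""
    while not line.endswith(b"\n") and len(line) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        line += chunk
    return line


def parse_request(line):
    """Parse the proxy client's request, 'CONNECT host:port'. Returns (host, port) or None."""
    parts = line.strip().split()
    if len(parts) != 2 or parts[0] != b"CONNECT":
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)


def relay(a, b, timeout=5.0, bufsize=4096):
    """Copy bytes in both directions until either side closes (or goes quiet for `timeout` s)."""
    while True:
        readable, _, _ = select.select([a, b], [], [], timeout)
        if not readable:
            return
        for s in readable:
            data = s.recv(bufsize)
            if not data:
                return
            (b if s is a else a).sendall(data)


def proxy_session(client, connect, policy=ALLOWED_DESTINATIONS):
    """Serve one proxy client on an already-connected socket and report what happened.
    `connect(host, port)` must return a connected socket to the real server; it is
    injected so the example can be exercised without any network."""
    dest = parse_request(read_line(client))
    if dest is None:
        client.sendall(b"400 bad request\n")
        client.close()
        return "bad"
    if dest not in policy:
        # The control point: refused before any outbound connection exists.
        client.sendall(b"403 denied\n")
        client.close()
        return "denied"
    upstream = connect(*dest)
    client.sendall(b"200 connected\n")
    relay(client, upstream)
    client.close()
    upstream.close()
    return "relayed"


def demo():
    """Run one allowed and one denied session over in-process socket pairs."""
    results, outcome = {}, {}
    client, proxy_end = socket.socketpair()
    proxy_upstream, server = socket.socketpair()

    def echo_server():  # stands in for the "real server" on the far side of the proxy
        data = server.recv(4096)
        server.sendall(b"echo:" + data)
        server.close()

    threads = [threading.Thread(target=echo_server),
               threading.Thread(target=lambda: outcome.update(
                   r=proxy_session(proxy_end, lambda h, p: proxy_upstream)))]
    for t in threads:
        t.start()
    client.sendall(b"CONNECT www.example.com:80\n")
    results["allowed_status"] = read_line(client)   # wait for approval before sending data
    client.sendall(b"hello")
    reply = b""
    while chunk := client.recv(4096):
        reply += chunk
    for t in threads:
        t.join(10)
    results["allowed_reply"], results["allowed_outcome"] = reply, outcome.get("r")
    client.close()

    def refuse_connect(host, port):
        raise AssertionError("connect() must not be called for a denied destination")

    client2, proxy_end2 = socket.socketpair()
    client2.sendall(b"CONNECT evil.example:23\n")
    results["denied_outcome"] = proxy_session(proxy_end2, refuse_connect)
    results["denied_status"] = read_line(client2)
    client2.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the client never sees: the address of the real server it reached, or whether a connection was attempted at all for the refused request. That is the "illusion" the slide refers to, and the reason proxying also gives a natural place for logging every approved and refused request.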
Advantages of Proxying
http://www.telstra.com.au/info/security.html
http://www.cs.purdue.edu/coast/coast.html
Mailing Lists
firewalls@greatcircle.com
ftp://ftp.greatcircle.com/pub/firewalls/
http://www.greatcircle.com/firewalls/
fwall-users@tis.com
academic-firewalls@net.tamu.edu
ftp://net.tamu.edu/pub/security/lists/academic-firewalls
bugtraq@fc.net
Newsgroups
comp.security.announce
comp.security.unix
comp.security.misc
comp.security.firewalls
alt.security
comp.admin.policy
comp.protocols.tcp-ip
comp.unix.admin
comp.unix.wizards
Summary