Firewall Systems - Eriberto.pro.br
Firewall Systems
3º Simpósio de Tecnologia (3rd Technology Symposium)
João Eriberto Mota Filho
Águas Claras, DF, 06 Nov. 2014
Eriberto, Nov. 14
1. Introduction
2. Concepts
> The OSI model
> Network routing vs. bridges
> Firewall systems
> Encryption vs. firewalls
3. Conclusion
Introduction
Whose hand is this? Is it closing or is it opening?
The OSI model
Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport
Layer 3 - Network
Layer 2 - Data link
Layer 1 - Physical
✔ Open Systems Interconnection.
✔ It has 7 layers, numbered from the bottom up.
✔ Created to provide compatibility between network products from different vendors.
✔ Understanding it is fundamental to the study of firewall systems.
✔ Network traffic will not always reach the upper layers.
The OSI model
Layer 7 - Application → http, ftp, smtp, pop3 etc.
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport → TCP and UDP protocols.
Layer 3 - Network → IP address and network routing.
Layer 2 - Data link → MAC address, bridge, switch.
Layer 1 - Physical
Network routing
✔ Routing is used to interconnect different network segments, via the network layer of the OSI model (layer 3).
Bridges
✔ Bridges have several functions, among them interconnecting different portions of the same network, transparently, via the data link layer of the OSI model (layer 2).
A simple example...
Does this network have a firewall???
Firewall systems
✔ A firewall is a system. It is the entire physical and logical effort devoted to network security.
✔ Firewall systems can be made up of several elements, such as packet filters, stateful filters, proxies (forward and reverse), IDS, IPS, HIDS, network antivirus, integrity checkers etc.
✔ Security in depth is fundamental in firewall systems (onion theory).
✔ It is not possible to have a firewall system with just one machine.
✔ IMPORTANT: security is inversely proportional to convenience. Example: bank websites.
Firewall elements
✔ Packet filters: operate at layers 2, 3 and 4 of the OSI model, filtering IP addresses, ports, IP protocols etc.
✔ Stateful filters: understand connection states (layer 4).
✔ Proxy: understands layer 7 protocols and acts as an intermediary in client-server connections, avoiding direct contact between the two. Proxies can be forward or reverse.
✔ IDS (Intrusion Detection System): understand the layer 7 payload. They log suspicious actions. They are thorough and consume a lot of computing resources. They tend to generate false positives.
✔ IPS (Intrusion Prevention System): similar to IDS, but they block traffic. They are more precise. False positives must not occur.
✔ HIDS: an IDS that runs on end hosts.
✔ Integrity checker: reports changes in the filesystem.
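The difference between a packet filter and a stateful filter, as an added example that is not part of the original slides. The addresses, the port-80 policy and the simplified connection table (no timeouts or teardown) are assumptions made for illustration; both filters judge the same constructed trace.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

LAN = "192.168.0."  # constructed internal prefix (assumption)

def outbound(p):
    return p.src.startswith(LAN)

def packet_filter(p):
    """Stateless: each packet is judged alone by addresses, ports and flags."""
    if outbound(p):
        return p.dport == 80  # the LAN may reach web servers
    # Return traffic: all it can check is "from port 80 and carries ACK".
    return p.sport == 80 and "ACK" in p.flags

class StateFilter:
    """Stateful: replies pass only for connections opened from the LAN."""
    def __init__(self):
        self.table = set()  # tracked (src, sport, dst, dport) tuples

    def check(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if outbound(p):
            if p.dport != 80:
                return False
            if p.flags == {"SYN"}:
                self.table.add(key)  # new connection opened from inside
            return key in self.table
        # Inbound must mirror a tracked connection.
        return (p.dst, p.dport, p.src, p.sport) in self.table

def run(trace):
    """Return (packet filter verdict, stateful verdict) for each packet."""
    sf = StateFilter()
    return [(packet_filter(p), sf.check(p)) for p in trace]

# Constructed trace: one handshake, then a packet tied to no connection.
TRACE = [
    Packet("192.168.0.10", 40000, "203.0.113.5", 80, frozenset({"SYN"})),
    Packet("203.0.113.5", 80, "192.168.0.10", 40000, frozenset({"SYN", "ACK"})),
    Packet("192.168.0.10", 40000, "203.0.113.5", 80, frozenset({"ACK"})),
    Packet("198.51.100.7", 80, "192.168.0.20", 5555, frozenset({"ACK"})),
]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run(TRACE)):
        print(p.src, "->", p.dst, verdict)
```

The last packet passes the packet filter because it only looks like return traffic; the stateful filter drops it because no tracked connection matches.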
Some examples of firewall elements
✔ Packet filters: Netfilter (Iptables), ebtables and PF.
✔ Stateful filters: Netfilter (Iptables) and PF.
✔ IDS: Snort, Suricata and Labrea.
✔ IPS: HLBR (discontinued) and Snort InLine.
✔ Proxy: Squid, totd, qpsmtpd, apt-cache search proxy :)
✔ Port scan detector: psad and PortSentry.
✔ Login monitor: fail2ban.
✔ Antivirus: Clamav.
✔ Integrity checkers: Fcheck, iwatch, Samhain and AIDE.
✔ Others: apt-cache search firewall / apt-cache search honey.
Firewall elements vs. the OSI model
Layer 7 - Application → proxies, (H)IDS, IPS, antivirus etc.
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport → filters, proxies, IDS, IPS etc.
Layer 3 - Network → filters, proxies, IDS, IPS etc.
Layer 2 - Data link → filters, IPS (scrubbers).
Layer 1 - Physical
A simple example of a firewall system
Firewall systems
✔ The only 100% reliable and efficient solution for computer network security:
G O D
Encryption vs. firewalls
Is encryption a good solution for security?
Encryption vs. firewalls
✔ Encryption creates a client-server channel. That channel cannot be understood by anyone in the middle of the path.
✔ Encryption BLINDS the firewall system.
✔ Encryption provides security for the user.
✔ Encryption on servers may cause insecurity in the network, and it should be used only in cases of extreme need.
✔ One solution: encryption up to the reverse proxies, with firewall elements between the reverse proxies and the servers.
Conclusion
✔ A firewall is a system, not a machine.
✔ It is an integrated effort to provide security in a computer network.
✔ Defense in depth is essential to guarantee the security of the firewall system itself.
✔ No network is 100% secure.
✔ Encryption should only be used when extremely necessary, and adopting it requires special care.
This talk is available at:
http://eriberto.pro.br
Follow me on Twitter @eribertomota