1. Bastion host

- A bastion host is a gateway positioned between the internal network and the external network.
- Used as part of an organization's security measures, it is designed to defend against attacks aimed at the internal network.
- It usually implements strong logging and monitoring policies and performs the general functions of a firewall, such as permitting or blocking access.

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily because of its location and purpose, which is either on the outside of the firewall or in the DMZ and usually involves access from untrusted networks or computers.

2. Screening router

- Sits at the boundary between the external and internal networks; usually an ordinary router that acts as a firewall by applying packet-filtering rules.
- Fine-grained rules are hard to apply, and a large rule set loads the router so that bandwidth cannot be used effectively.
- Most routers today provide a filtering function: the router screens out unneeded packets and forwards the rest.
- Packets arriving from outside are filtered on the basis of the source Internet address, the destination Internet address, the TCP or UDP source and destination port numbers, and the address of the sending router.
- Because a router provides only simple filtering, it cannot be expected to play the role of a firewall completely.

A screening router performs packet filtering and is used as a firewall. In some cases a screening router may be used as perimeter protection for the internal network or as the entire firewall solution.
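As an added example (not from the original notes), a stateless packet filter of the kind a screening router applies: it decides on header fields only, the first matching rule wins, and the last rule is a default deny. The addresses, ports and the rule set are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" matches any address
    dst: str
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

# Constructed rule set for the external interface of a router in front of a
# 192.0.2.0/24 internal network (documentation address ranges, not real hosts).
INBOUND_RULES = [
    # Anti-spoofing: a packet arriving from outside must not claim an internal source.
    Rule("deny", "192.0.2.0/24", "0.0.0.0/0"),
    # Only the bastion host is reachable from outside, and only for web traffic.
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    # Everything not explicitly allowed is dropped (default deny).
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

def screen(p: Packet, rules=INBOUND_RULES) -> tuple:
    """First matching rule decides; returns (action, rule_index) so the decision can be logged."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "deny", -1  # only reached if the list lacks a final catch-all rule

if __name__ == "__main__":
    print(screen(Packet("198.51.100.7", "192.0.2.10", "tcp", 51000, 443)))  # ('allow', 2)
    print(screen(Packet("192.0.2.5", "192.0.2.10", "tcp", 51002, 80)))      # ('deny', 0): spoofed source
```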
3. Single-homed gateway

- This structure is what is generally called a bastion host.
- Performs the most basic firewall functions: access control, proxying, authentication and logging.
- Can enforce a comparatively strong security policy, but if the firewall is compromised it may grant unconditional access to the internal network; and if the remote-login credentials for the firewall are exposed and an attacker gains control of it, the internal network can no longer be protected.

4. Dual-homed gateway

- Operates with separate network cards for the external network and the internal network.
- Any use of the Internet from the internal network, or any use from the Internet of services the internal network provides, must pass through the dual-homed gateway.
- Because it has one more network card than a single-homed gateway, it can manage traffic somewhat more efficiently.

In firewall technology, dual-homed is one of the firewall architectures for implementing preventive security. It provides the first-line defense and protection technology for keeping untrusted bodies from compromising information security by violating trusted network space. A dual-homed host (or dual-homed gateway) is a system fitted with two network interfaces (NICs) that sits between an untrusted network (like the Internet) and a trusted network (such as a corporate network) to provide secure access. Dual-homed is a general term for proxies, gateways, firewalls, or any server that provides secured applications or services directly to an untrusted network.

5. Screened host gateway

- Operates the router and the firewall separately; a combination of a screening router and a single-homed gateway.
- The screening router provides the first line of defense by packet filtering; the single-homed gateway, acting as the bastion host, provides the second line of defense through services such as proxies.
- For traffic entering the internal network from an external network such as the Internet, the screening router checks the permitted network addresses and service ports against its packet-filtering rules and discards packets that are not permitted in the first stage. Permitted packets are forwarded to the bastion host according to routing information defined so that all of them reach it, and the bastion host blocks network connections in the second stage according to the proxy services defined there.

6. Screened subnet gateway

- Places a buffer zone called a subnet between the external network and the internal network.
- The firewall is also located in the subnet, and proxies are mainly installed there.
- Has all the advantages of the other firewall types and is very flexible.
- Harder to install and manage than other firewalls, slower in service, and considerably more costly.

In network security, a screened subnet firewall is a variation of the dual-homed gateway and screened host firewall. It can be used to separate components of the firewall onto separate systems, thereby achieving greater throughput and flexibility, although at some cost to simplicity. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure.

7. Intrusion Detection System (IDS)

An intrusion detection system (IDS) generally detects unwanted manipulation of a system. There are very many kinds of IDS, and only some of them are described here. Unwanted manipulation of a system can take the form of an attack by a skilled, malicious hacker or by a script kiddie using automated tools. An intrusion detection system is needed to detect all kinds of malicious network traffic and computer use that a traditional firewall cannot detect. This includes network attacks on vulnerable services, data-driven attacks on applications, and host-based attacks such as privilege escalation, intruder logins, intruder access to critical files, and malware (computer viruses, Trojan horses, worms).

- A system that detects abnormal use, misuse and abuse of a computer system in real time.
- An intrusion prevention system (firewall) alone cannot cope with unlawful actions by internal users (such as leaking confidential data) and with external hacking, so tracking of hacker intrusion patterns and monitoring of harmful information are needed to block all internal and external information flows in real time.

Processing stages:

- Raw data collection
- Data reduction and filtering
- Analysis and intrusion detection
- Reporting and response

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Intrusion detection is not a monitoring process. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system.[1] Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.[1] In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

8. Host-based IDS (HIDS)

- Installed and operated as an add-on to an operating system such as Windows or Unix, or installed on ordinary clients.
- Based on the user accounts configured in the operating system, it records and traces which user attempted which access and what work they did; it is entirely unaffected by a switched environment.
- Cannot detect intrusions across the whole network; it detects an intrusion only when it is itself the target.
- Vulnerabilities in the operating system can compromise the HIDS, and it tends to cost more than other types of IDS.

9. Network-based IDS (NIDS)

- Auditing and logging by a NIDS neither consume network resources nor alter data.
- Can monitor the network as a whole, which a HIDS cannot, so its monitoring area is comparatively very wide.
- Because it owns no IP address, it can defend almost perfectly against direct attacks by a hacker and can even hide its own existence.
- Cannot know the result of an attack on the targeted system, and cannot inspect encrypted content.
- Deploying a NIDS in a switched environment requires additional equipment, and it has difficulty operating properly on networks of 1 Gbps or more.
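The four processing stages listed above, as an added example that is not part of the original notes: a minimal host-based pipeline that collects constructed auth-log lines, reduces them to failed-login events, detects a repeated-failure pattern per source address, and reports it. The log format, the threshold of 5 failures and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1 input: a constructed Unix-style auth log (the sort of OS record a HIDS reads).
RAW_LOG = """\
2024-05-01T10:00:01 sshd[201]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2024-05-01T10:00:03 sshd[201]: Failed password for root from 203.0.113.9 port 40002 ssh2
2024-05-01T10:00:06 sshd[201]: Failed password for root from 203.0.113.9 port 40003 ssh2
2024-05-01T10:00:09 sshd[201]: Accepted publickey for alice from 192.0.2.25 port 50110 ssh2
2024-05-01T10:00:12 sshd[201]: Failed password for root from 203.0.113.9 port 40004 ssh2
2024-05-01T10:00:15 sshd[201]: Failed password for root from 203.0.113.9 port 40005 ssh2
2024-05-01T10:00:20 sshd[201]: Failed password for bob from 192.0.2.30 port 50200 ssh2
"""
FAIL_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def collect(raw: str) -> list:
    """Stage 1, raw data collection: one record per log line."""
    return raw.splitlines()

def reduce_events(lines: list) -> list:
    """Stage 2, data reduction and filtering: keep only failed logins as (time, user, source)."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def detect(events: list, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Stage 3, analysis: flag a source with at least `threshold` failures inside `window` (assumed tuning)."""
    by_src = defaultdict(list)
    for t, _user, src in events:
        by_src[src].append(t)
    alerts = []
    for src, times in sorted(by_src.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"src": src, "count": len(times), "first": times[i], "last": times[i + threshold - 1]})
                break  # one alert per source
    return alerts

def report(alerts: list) -> list:
    """Stage 4, reporting and response: an IDS emits these alerts; an IPS would also act on them."""
    return [f"ALERT brute-force from {a['src']}: {a['count']} failures {a['first'].time()}..{a['last'].time()}"
            for a in alerts]

def run_pipeline(raw: str = RAW_LOG) -> list:
    return report(detect(reduce_events(collect(raw))))
```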
10. Intrusion Prevention System (IPS)

An intrusion prevention system (Intrusion Prevention System, IPS; also Intrusion Detection and Prevention System, IDPS) is software or hardware with the ability to find and control network packets intruding from an external network into the internal network. It is generally installed on the path that every packet entering the internal network must pass, and it blocks external intrusions on the basis of host IP addresses, TCP/UDP port numbers and user authentication. It protects internal resources by refusing use to users or services that are not permitted.

- A system that adds the blocking function of a firewall to an intrusion detection system.
- A firewall can block attacks, but its adaptability to attacks with new patterns is very low, and in most cases it can block only by IP address or port; real-time response is not possible.
- An intrusion detection system can detect in real time, but it cannot offer a response to what it detects.

Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.

11. Main functions of an intrusion prevention system

Function and description:

- Access Control: the most basic function of a firewall.
- Identification & Authentication: controls access so that only authorized subjects can gain it.
- Integrity Check: prevents illegal modification of the data the system holds (security policy, audit-trail logs, system environment).
- Audit Trail: records and retains connection information for all traffic passing through, so that an audit trail is available when a security incident occurs.
- Address Translation (NAT): translates IP addresses so that internal IP addresses are not exposed externally and unauthorized users cannot reach internal IP addresses.