Network Security Basics - PowerPoint PPT Presentation

Slides: 23
Provided by: lastn9
Transcript and Presenter's Notes

1
Network Security Basics
  • Lawrence Orans

2
Infamous Attacks
  • 1988: Morris Worm
  • 1999: Melissa (Virus)
  • 2001: Code Red, Nimda
  • 2003: SQL Slammer, Blaster
  • 2004: Sasser
  • 2005: MySpace
3
Morris Worm Background and Analysis
  • Released: November, 1988
  • Target platform: Unix
  • Why is this worm important?
  • Acknowledged as the first Internet worm
  • Believed to have infected approximately 10
    percent of Unix systems on the Internet
  • Provided the catalyst for DARPA-funded research
    into firewalls

4
Firewalls and DMZ Evolution
[Diagram labels: Trusted Network, Untrusted Network, Corporate Web Site]
5
Web Application Firewalls and Application Delivery Convergence
[Diagram labels: Application Delivery Integration (Application Switch, Web App. Firewall, W/A/D Server); Firewall Integration (Web App. Firewall, W/A/D Server); Pure Play]
6
Code Red Background and Analysis
  • Released: July 2001
  • Target platform: Windows IIS Web Server
  • Why is this worm important?
  • Version 1 (17 July 2001): attacked
    www.whitehouse.gov
  • Version 2 released two days later
  • Code Red II (August 2001): blended attack
  • Installed a remote backdoor
  • Wrote to file system and registry

7
Nimda Background and Analysis
  • Released: September 2001
  • Target platforms: Internet Explorer, IIS Web
    Server, Outlook, Windows 95, 98, Me, NT and 2000
  • Spread rapidly via multiple mechanisms
  • Via e-mail
  • Via file sharing
  • Via browsers surfing an infected Web server
  • Via flaws in Microsoft's IIS Web server
  • Via backdoors from Code Red II and Sadmind IIS
    worms

8
What Did We Learn From Code Red and Nimda?
[Diagram: Levels of Web Server Security (Gartner's advice after Code Red outbreak); axis: Security and Cost. Levels as labelled:]
  • Trusted operating systems/appliances
  • Application-specific firewalling
  • Implement policy enforcement layer
  • Install host-based IDS on servers
  • Deploy network IDS sensor on DMZ
  • Apply security checklists
  • Firewall in front of Web servers
  • Today, use IPS
9
SQL Slammer and Blaster Background and Analysis
  • SQL Slammer released January 2003
  • Target platform: Windows systems running SQL
    Server
  • Fastest Spreading Worm to Date
  • Blaster released August 2003
  • Target platforms: Windows NT 4.0, 2000, XP,
    Windows Server 2003
  • Some infected PCs had to be disconnected from
    the network before being patched

10
Slammer and Blaster Led to the Vulnerability Management Process
[Process diagram. Stage labels: Discover/Baseline, Policy, Prioritize, Monitor, Shield, Maintain, Mitigate, Controls / Eliminate Root Cause. Other labels: Vulnerability Assessment; Security Configuration Audit; Security Configuration; Identity and Access; Vulnerability; Threat; Asset; SIM/SEM; Firewall; IPS; NAC; Provisioning; Configuration Management; Workflow; Patch Install; Configuration Change]
11
Sasser Background and Analysis
  • Released: May 2004
  • Target platform: Windows 2000, XP
  • Characteristics
  • Set up backdoors on infected computers
  • Spread by randomly scanning vulnerable machines
  • Instructed vulnerable machines to download and
    execute the viral code

12
Sasser: The Catalyst for Network Access Control
Baseline
Policy
  • Agent-Based
  • Agentless
  • Devices
  • Users

Access Control
Maintain
  • "Operationalize"
  • Allow
  • Quarantine
  • Block

Contain
  • Filter Packets
  • Firewall Reconfiguration
  • ARP Modification
  • TCP Reset

Mitigate
  • Install Patches
  • Update Antivirus
  • Repair

Monitor
  • Node State Change
  • Anomaly Detection

13
MySpace Background and Analysis
  • Released: December 2005
  • Target platform: AIM on Windows systems
  • Why is this worm important?
  • First "interactive" worm
  • Infected hosts blindly respond to messages
    received
  • Directs users to a URL which downloads a
    malicious file

14
MySpace IM Worm
15
MySpace Worm: What Have We Learned About IM Security?
[Diagram labels: Unauthorized Public IM Users, Authorized Public IM Users, Secure IM Solution, Enterprise IM Server, DB, Virus Scan, LDAP, Enterprise IM Users]
16
VoIP Threats Vary By Implementation
[Diagram labels: VoIP, Toll Bypass, IP Telephony, Internet Telephony]
17
Protecting Against IPT Security Threats
  • Protect the IP PBX
  • Protect the network (QOS for Voice)
  • Protect end points (limit softphones)
  • Then, think about encryption

[Diagram labels: Backbone WAN, DoS Protection, Data, LAN, Voice, IP PBX, DoS Protection, QOS, Host IPS]
18
What Will the Future Bring?
Financially motivated, targeted attacks are
increasing and are the major threat to the
Internet (see www.gartner.com, Augment Security
Processes to Deal With the Changing Internet
Threat, G00138147).
21
Melissa Background and Analysis
  • Released: March 1999
  • Target platforms: Microsoft Outlook e-mail
    client, and machines with Word 97 and Word 2000
  • Why is this malware important?
  • Used Internet to spread malware
  • Exhibited virus characteristics (required user
    interaction to propagate)

22
E-Mail Security Model
  • Considerations
  • Ease and speed of implementation
  • Licensing model
  • Existing vendor relationships
  • Size of company

[Diagram labels: Firewall, TCP Level Router, Firewall Module, SMTP GW, Appliance, E-Mail Server, Appliance or Licensed SW, Desktop, Natively or Third Party, Outsourced, Stand-Alone or Add-In to E-Mail Client]