You are Not Alone ' - PowerPoint PPT Presentation

1 / 129
About This Presentation
Title:

You are Not Alone '

Description:

Confidence Tricks. Malicious ... log sensitive traffic (e.g. card numbers) Turn off debug logs when ... Don't log the card number in full !! if you must log ... – PowerPoint PPT presentation

Number of Views:99
Avg rating:3.0/5.0
Slides: 130
Provided by: ms146
Category:

less

Transcript and Presenter's Notes

Title: You are Not Alone '


1
You are Not Alone .
Network Security
2
Network Security
  • Iain Moffat B.Sc(Hons) CEng MIET
  • Chairman
  • IET Anglian Coastal

3
The Network Problem
  • A non networked computer is only at risk from
    people who have physical access to it
  • This can be controlled by locks and keys
  • A networked computer is no longer alone
  • There over 100 million Internet users world wide
  • Based on the ratio of UK prison inmates to
    population at least 160,000 of them are crooks
  • It is therefore necessary to protect your
    computers from attack via the internet

4
Contents
  • WHY ARE WE DOING IT?
  • What is Computer Security?
  • Network Security
  • Data Protection Principles and the DPA
  • WHAT DO WE DO?
  • The Security Implementation Process
  • The threats to your computer and network
  • Risk/Impact Assessment
  • Security Policies
  • TECHNOLOGY REFRESHER
  • IP Networks
  • DNS
  • Ports and Sockets
  • Firewalls and Routers
  • TECHNICAL SOLUTIONS
  • Countermeasures
  • Network Technology Refresher
  • Secure Network Design
  • WHAT TO DO IF SECURITY FAILS

5
What is computer security?
  • Protection of computer hardware, software and
    data from loss, damage or theft

6
What is Network Security ?
  • In todays world almost all computer systems are
    accessed over a network
  • Therefore, the network must be at least as secure
    as the computers
  • Unlike computers, networks go outside the
    computer room and are much harder to make secure
  • All the principles of computer security apply to
    networks

7
Data Protection Principles
  • Personal data shall be processed fairly and
    lawfully and, in particular, shall not be
    processed unless-
  • (a) at least one of the conditions in Schedule 2
    is met, and
  • (b) in the case of sensitive personal data, at
    least one of the conditions in Schedule 3 is also
    met.
  • Personal data shall be obtained only for one or
    more specified and lawful purposes, and shall not
    be further processed in any manner incompatible
    with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not
    excessive in relation to the purpose or purposes
    for which they are processed.
  • Personal data shall be accurate and, where
    necessary, kept up to date.
  • Personal data processed for any purpose or
    purposes shall not be kept for longer than is
    necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance
    with the rights of data subjects under this Act.
  • Appropriate technical and organisational measures
    shall be taken against unauthorised or unlawful
    processing of personal data and against
    accidental loss or destruction of, or damage to,
    personal data.
  • Personal data shall not be transferred to a
    country or territory outside the European
    Economic Area unless that country or territory
    ensures an adequate level of protection for the
    rights and freedoms of data subjects in relation
    to the processing of personal data.
  • From the Data Protection Act 1998 Schedule 1 part
    1http//www.opsi.gov.uk/acts/acts1998/19980029.h
    tmaofs

8
Network Security Principles
  • Authentication
  • It should be possible to prove that the sender of
    a message is who they claim to be
  • Secrecy
  • It should be impossible for anyone other than the
    intended recipient to see the contents of a
    message
  • Integrity
  • It should be impossible for a man in the middle
    to modify the content of a message without being
    detected
  • Non-Repudiation
  • It should be impossible for the sender of a
    message to subsequently deny having sent it
  • It should be impossible for the recipient of a
    message to subsequently deny having received it

9
Security Processs
2
POLICIES
COUNTER MEASURES
3
THREATS
1
4
INCIDENTS
AUDITS
5
10
The Threats
  • Fire
  • Flood
  • Theft
  • Vandalism
  • Impersonation
  • Junk Mail

11
Where Threats Come From
  • People with access to your network and computer
    systems connected to it
  • Removable media (tapes, disks etc)
  • Malicious Software
  • Trojans
  • Viruses
  • Worms
  • Exploits and Rootkits
  • Spyware
  • External Network Connections
  • Foreign computers connected to your network
  • Confidence Tricks

12
Malicious Software
  • Trojans
  • installed by user action e.g. clicking an
    attachment
  • Viruses
  • self-replicating programs spread by various means
    such as floppy disks or network shares.
  • Worms
  • self-replicating programs able to spread from
    machine to machine over a network without user
    help
  • Exploits and Rootkits
  • Exploits are methods of bypassing OS or network
    security
  • Rootkits use exploits to get control of a target
    computer
  • Rootkits usually install a hidden remote access
    program for later use
  • Spyware
  • A payload of trojans or viruses that phones
    home to its creator
  • May retrieve file data or log keystrokes from a
    victims machine
  • Password Capture or Phishing
  • typically done by fake web logon links in fake
    mails from banks etc
  • also seen in links sent to instant messenger users

13
Network Threats
  • Wire Taps / Eavesdropping
  • Primarily a risk in shared media (eg. wireless
    802.11)
  • Leads to data loss and may facilitate
    Man-in-Middle or Impersonation attacks in the
    future
  • Password sniffing is a specific form of this
    threat
  • Man in the Middle
  • Primarily a risk in multi-hop links
  • Requires access to a link carrying all traffic
    between end systems
  • Impersonation
  • Use of false credentials to log in to network
    services
  • DNS Poisoning
  • Denial of Service
  • Primarily a risk to sites with limited internet
    access bandwidth
  • High volumes of unwanted inbound traffic may
    bring down servers or squeeze out legitimate
    traffic
  • Bandwidth Theft
  • unauthorised connections to your WLAN may steal
    your internet access bandwidth

14
Risk Assessment
15
Risk Assessment Factors
  • Business or domestic
  • Business needs to consider employees as a risk
  • Domestic users have only external threats
  • Single or Multi-User
  • Multi-User systems need to consider who can see
    what
  • Single user systems only need to prevent
    accidental damage (by running trojans as an
    administrator)
  • Networked or Standalone
  • Networked systems are at risk from outside
  • Physical access is needed to harm standalone
    systems
  • Internet-connected networks are at greater risk
    than isolated ones

16
Risk Assessment Process
  • Make a list of risks
  • Determine probability of each one happening
  • Determine cost of each one if it happens
  • Calculate cost probability for each one
  • Deal with the worst first
  • It is worth paying (cost probability) to
    fixeach risk that has been identified.

17
Security Policies
18
Security Policies
  • Are the responses to identified threats
  • Are designed to mitigate or avoid the threats
  • Provide the requirements for design of
  • technical solutions (eg. firewalls)
  • standards (eg. password rules)
  • processes (eg. what to do when an employee leaves
    the company)

19
Security Policies
  • Security policies should cover the following
    areas
  • Physical Security
  • User Access
  • Removable Media
  • Network Software
  • Network Connectivity
  • 3rd. Party Access
  • Audit and Logging
  • Patching and Updates

20
Countermeasures
Countermeasures are the technical, process or
organisational implementation of the security
policies that have been defined to address the
identified risks.
21
Countermeasures
  • Physical Security
  • Lock it up
  • Back It Up
  • Keep Spares
  • Dont put it under a water pipe
  • Cables belong in ducts or under ground
  • User Access Control
  • Use passwords
  • Change them often
  • Use one-time passwords and encryption over the
    Internet
  • Separation of privelige where possible
  • Removable Media Control
  • Theres no point encrypting the networkbut
    sending disks in the post !!
  • Theres no point protecting the computer if
    backup tapes are insecure !!
  • If it isnt labelled no one will know whatto do
    with it always mark with date, owner, and
    security level.
  • Network Software
  • Use a robust operating system
  • turn off unused features
  • keep checking for new security fixes
  • Network Access Control
  • permit only necessary traffic
  • block all unnecessary traffic by default
  • do not assume all outbound is safe
  • use a firewall between different security zones
  • File Permissions and Security
  • set the strictest permissions that work
  • limit access to admin tools and files toadmin
    users
  • do not use admin accounts for general purpose
    computing e.g. web browsing
  • 3rd. Party Access
  • Watch 3rd party maintainers while on site
  • Avoid letting them use their laptop on your LAN
  • change passwords before and after
  • Dont allow removed disks off site !
  • Audit and Logging
  • Do log critical events (login, logout
    configure)
  • Dont log sensitive traffic (e.g. card numbers)
  • Turn off debug logs when not needed
  • Monitor traffic volumes and investigate changes

22
Patching and Updates
  • Hackers are always finding new bugs
  • Software vendors are always fixing them
  • You must monitor vendor websites or mailing lists
  • Also check CERT, UNIRAS and ISC alerts frequently
  • If you have resources test and deploy patches in
    a controlled way
  • If not subscribe to windows update or its Linux
    counterparts
  • Upgrade the OS before it becomes unsupported

23
Audit Trails
  • To understand and clean up an incident you need
    to know what happened
  • To prosecute you need evidence
  • WHO did it (implies no shared accounts and
    traceability of accounts to people)
  • WHAT they did(implies need for transaction
    logging when sensitve data is changed)
  • WHEN they did it (implies need for timestamps
    and accurate synchronised system clocks)
  • WHERE they did it (Implies need for logging of
    source IP or terminal line)
  • Evidence trail must withstand suggestions of
    tampering (Implies frequent backup to write-once
    media which should be checked in to a 3rd party
    store)
  • Keep baseline full backups after system builds
    (and after each major update) on non-alterable
    media so you can detect all changes (including
    unauthorised ones) later

24
LOGGING
  • Logging
  • Keep a separate dedicated SYSLOG server with
    restricted user access for UNIX and Network
    equipment so audit trails are protected if a
    server is compromised
  • Use a central MOM server with restricted user
    access to log events for Microsoft platforms
  • Use centralised password services (LDAP, Windows
    Active Directory, TACACS) rather than local
    passwords on each machine to log access off the
    box
  • Use a firewall to separate log (SYSLOG or MOM)
    and password (LDAP, NIS, TACACS or Active
    Directory) servers from the rest of the network
  • Isolate and analyse infected/compromised systems
    prior to rebuild (or at least clone the disks)
  • Beware of logging too much data (since the
    logfiles themselves will become sensitive data)
  • Do log that Iain from IP 1.2.3.4 paid 10.34 for
    an XYZ at 1843 with VISA
  • Dont log the card number in full !! if you
    must log just a few digits
  • Log primary key only not full customer address
    record !!
  • Where possible customer and user primary keys
    should be public domain info or anonymous numeric
    IDs
  • Do not combine debug and audit data in the same
    logs
  • Turn off debug-level logging unless you are
    debugging
  • Delete logs after a reasonable interval (seek
    legal advice for your circumstances)

25
Safe Operating Practices
  • Avoid auto-opening attachments and embedded links
    in mail messages
  • Turn off message preview functions in E-Mail
    programs
  • Never click on links in mail messages copy link
    text into a browser window
  • Never click unsubscribe links in junk mail
    messages
  • Suppress Junk Mail
  • Use an ISP which provides SPAM filtering
  • If your company has its own mail server use
    something like SpamAssassin to catch repeat spam
    items and suspect words
  • Consider whitelisting (so only mail from trusted
    addresses is accepted)
  • Beware new websites and links from search engines
  • Disable client-side code (java, javascript and
    activeX) or use a dumb browser (eg. Early
    Netscape) to preview new sites
  • Only enable client-side code on trusted sites
  • Consider copying untrusted zone settings to
    internet zone in IE6 and putting known good
    sites (www.theiet.org, etc) in the trusted zone
    explicitly
  • use a textmode browser (eg. Lynx) for following
    up google searches

26
Internet Zone
Restricted Zone
27
Network Software Configuration
  • Modern computers come with many network services
  • Mail servers
  • Print Servers
  • File Sharing
  • Remote Procedure Calls (RPC)
  • SQL Databases
  • Web Servers
  • Remote Desktop Access / X-Windows / VNC
  • Most are enabled by default in Windows 2000/XP
    (bad)
  • Most are disabled by default in Windows 2003
    Server (better)
  • UNIX and Linux distributions are somewhere
    between
  • Only active network services are vulnerable to
    attack
  • To minimise the attack surface of your systems
    you need to turn off the ones you dont plan to
    use
  • Review control panel gt administrative tools gt
    services on Windows
  • Review /etc/inetd.conf or /etc/xinetd on Linux
    and Unix systems
  • Be aware of loopback connections when client
    (user interface) and server (backend) portions
    of an application run on the same machine
    these must not be disabled !!!

28
Interconnect Policies
  • Define what connections are allowed
  • starting point for firewall rule or ACL design
  • starting point for validation of existing rules
    and new requests
  • Divide the network into zones or domains
  • internal networks
  • trusted external networks
  • the internet
  • Specify permitted connections btweeneach pair of
    zones
  • source
  • destination
  • permitted network services
  • logging and authentication required

29
Network Security Implementation
30
Technology Refresher
  • IP Networks
  • Addresses
  • Domain Names
  • TCP, UDP and ICMP
  • Ports
  • Software Firewalls
  • Hardware Firewalls and Routers
  • Network Address Translation (NAT)

31
IP Networks
  • IP V4 Addresses are globally unique
  • 4 bytes long written as dotted decimal e.g.
    10.11.12.13
  • A range of addresses is defined by a bitmask
    called a netmask that selects which bits are
    network and which are host addresses
  • RFC1918 addresses 10.x.x.x, 172.0-31.x.x and
    192.168.x.xare reusable in private networks
  • Other addresses are allocated by regional
    registries
  • Allocation within regions is to companies and
    organisations and may cross national boundaries
  • IP routing is step by step based on destination
    address
  • a default route is used to keep routing tables
    small
  • routes are summarised at higher layers in the
    network
  • routing is done separately for each packet
  • successive packets in a flow dont necessarily go
    the same way
  • packets propagate up the network hierarchy
    until they reach an interconnection point between
    providers and then down into the other
    providers network
  • The global IP network is structured on network
    provider rather than geographic boundaries
  • Domain Name Service (DNS) provides name to
    address mappings (and address to name reverse
    mappings).
  • DNS is largely independent of address allocation
  • One address can have multiple names mapped to it
  • Only one valid reverse mapping per address
  • DNS mapping for an address is optional
  • Different domains have different commercial or
    nonprofit registrars

32
TCP UDP and ICMP
  • The Internet uses 3 main network layer
    protocols above IP to carry different types of
    traffic
  • TCP Transmission Control Protocol
  • reliable session-oriented protocol with
    acknowledgement and go-back-N automatic
    retransmission if lost data segments
  • used for terminal sessions and data transfer
  • UDP User Datagram Protocol
  • send and forget datagram protocol used for time
    critical data and notifications that can fit one
    packet
  • widely used for voice and video and for DNS
  • ICMP Internet Control Message Protocol
  • send and forget datagram protocol used for
    control and diagnostic messages
  • provides echo, trace and notification of various
    delivery failures

33
Ports Sockets
  • To allow multiple connections between the same
    computers sub-addresses called ports are used.
  • There are 65536 ports each for TCP and UDP
  • The port number is part of the TCP or UDP header
    following the IP header
  • Ports are associated with specific programs and
    sessions on end computers
  • Server applications listen for connections on
    well known destination ports
  • Client applications use random source ports
  • The full and description of a connection is a
    socket comprising
  • protocol (TCP or UDP)
  • source IP
  • source port
  • destination IP
  • destination port

34
Well Known Ports
  • TCP
  • 20/21 FTP
  • 22 Secure Shell (SSH)
  • 23 TELNET
  • 25 SMTP mail sending
  • 80 HTTP
  • POP3 mail reading
  • IMAP4 mail reading
  • 137 MS NETBIOS names
  • 139 MS NETBIOS session
  • 443 HTTPS
  • 3389 Microsoft RDP
  • 8080 Alternate HTTP
  • UDP
  • DNS
  • BOOTP server
  • BOOTP client
  • TFTP trivial file transfer protocol
  • 123 Network Time Protocol (NTP)
  • 514 SYSLOG

35
Software Firewalls
  • Linux and Windows have software firewalls
  • Microsoft Windows Firewall or (Win2003) IPSEC
    Filters
  • Linux IPTables and IPChains
  • Not true firewalls really only modifications to
    the network I/O driver to provide simple traffic
    filtering
  • These block or restrict incoming traffic based on
    source and destination IP Address and/or port
    number so as to hide network services that are
    needed locally but should not be shared
  • 3rd-party Windows firewalls (eg ZoneAlarm, Sygate
    and Norton) can prevent applications accessing
    the network outbound until you have permitted
    them to do so
  • Microsoft Windows Firewall has a simple fixed
    configuration that permits anything outbound and
    replies inbound
  • 3rd. Party Windows firewalls start with a Block
    Everything policy and are generally configured
    by learning they ask what to do each time they
    see anything new
  • Linux IPTables is configured by user-written
    files

Application
Server
Firewall
Original Driver
LAN
36
Firewalls and Routers
THE INTERNET
  • Firewalls and routers connect two networks
  • Firewalls inspect traffic passing through and
    understand application protocol
  • Routers inspect individual packets and dont
    understand connection state

Permit OnlyReplies IN
Router orFirewall
Permit Any OUT
Local LAN
Local Computers
37
Firewalls vs Routers
  • Firewalls
  • based on general purpose microprocessors
  • aware of application sessions
  • can implement complex rules
  • Usually have graphical management interface
  • 10-1000Mbits/s throughput
  • include basic IP routing functions
  • Routers
  • based on custom silicon in large part
  • process packets individually
  • Usually have text configuration file
  • better at implementing simple rules on fast links
  • better at complex IP routing protocols
  • 10Mbits/s to 10GBits/s throughput

38
Router ACL process
Packet In
Permit
Permit
Permit
Rule 2
Rule 1
Rule N
Packet Out
Deny
Deny
DISCARD
Default DISCARD
DISCARD
LOG
LOG
  • Note
  • This process is completely stateless (per-packet)
  • Normally packets that reach the default-deny are
    not logged
  • Performance is improved by putting frequently hit
    rules first

39
Router Access List
  • interface atm 0
  • description outside adsl line
  • ip address 1.1.1.1 255.255.255.252
  • ip access-group 101 in
  • ip access-group 102 out
  • access-list 101 remark INCOMING TRAFFIC
  • access-list 101 permit icmp any host 1.1.1.1 eq
    echo-reply
  • access-list 101 permit icmp any host 1.1.1.1 eq
    unreachable
  • access-list 101 permit icmp any host 1.1.1.1 eq
    ttl-exceeded
  • access-list 101 permit tcp any host 1.1.1.1
    established
  • access-list 101 remark DNS Name Servers
  • access-list 101 permit udp host 2.2.2.2 eq 53
    host 1.1.1.1
  • access-list 101 permit udp host 2.2.2.3 eq 53
    host 1.1.1.1
  • access-list 101 remark NTP server
  • access-list 101 permit udp host 2.2.2.4 eq 123
    host 1.1.1.1
  • access-list 101 deny ip any any log-input
  • access-list 102 remark OUTGOING TRAFFIC
  • access-list 102 permit icmp host 1.1.1.1 any
  • access-list 102 permit tcp host 1.1.1.1 any eq 80

40
Firewall Inspection
From http//www.checkpoint.com/support/technical/
documents/FWOpenLook.pdf
41
Checkpoint Firewall-1 GUI
From http//www.checkpoint.com/support/technical/
documents/FWOpenLook.pdf
42
Network Address Translation
Server
THE INTERNET
  • Router translates inside addresses to outside as
    packets pass through
  • Allows reuse of scarce IP addresses
  • Allows multiple inside users to share one outside
    IP address
  • Prevents outside attackers reaching inside
    computers directly

11.12.13.14 towww.xyz.com
Outside IP 11.12.13.14
www.xyz.com To 11.12.13.14
Router orFirewall
192.168.1.1 towww.xyz.com
Local LAN 192.168.1.0/24
www.xyz.com to192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.1
Local Computers
43
Dynamic NAT
Server
THE INTERNET
  • One outside IP
  • Multiple inside IPs
  • Router uses different outbound port numbers for
    each connection
  • Router knows inside IP for reply packets based on
    port used
  • Does not work for unsolicited inbound traffic

11.12.13.1432000 towww.xyz.com
Outside IP 11.12.13.14
www.xyz.com80 To 11.12.13.1432000
Router orFirewall
192.168.1.132000 towww.xyz.com80
Local LAN 192.168.1.0/24
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
Local Computers
44
Static NAT
Server
THE INTERNET
  • Each inside IP maps to one outside IP
  • Outside IPs are independent of router IP
  • Port numbers preserved through NAT
  • Allows incoming traffic to outside IP
  • Needs inbound access lists to stop unwanted
    traffic getting to inside network

11.12.13.15 towww.xyz.com
Router IP 11.12.13.14
www.xyz.com To 11.12.13.15
NAT TABLE
192.168.1.1 towww.xyz.com
192.168.1.1 gt 11.12.13.15 192.168.1.2 gt
11.12.13.16 192.168.1.3 gt 11.12.13.17 192.168.1.4
gt 11.12.13.18
Local LAN 192.168.1.0/24
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
Local Computers
45
Secure Network Design
46
Secure Network Design
  • Interconnect Policies
  • NAT network
  • DMZ Network
  • Endpoint ACLs
  • Infrastructure ACLs
  • Proxies
  • Intrusion Detection
  • Virtual Private Networks

47
Interconnect Policies
  • You should consider what connections to permit
    between your network and the outside
  • The template for describing a connection is as
    follows
  • Source IP or subnet
  • Destination IP or subnet
  • Protocol (Port)
  • Is authentication required
  • Action to take (permit/deny log/not log etc)

48
Simple (Home) Policy Set
49
Issues with a simple home network interconnect
policy
  • Allowing any local-to-internet traffic allows
    spyware to phone home
  • best to permit only specific ports outbound
  • HTTP and HTTPS to any
  • E-Mail and chat to trusted servers only
  • DNS to your ISPs servers only
  • Some file transfer programs generate incoming
    connections
  • use passive FTP or SSH

50
Secure Network Design
  • NAT or DMZ
  • Network Address Translation (NAT) hides a
    local network behind a single external internet
    connection
  • A DMZ provides 2 layers of defence and is better
    at blocking unwanted outbound traffic
  • NAT is appropriate to home and branch office
    environments
  • A DMZ is better suited to larger sites that have
    their own web and mail servers
  • DMZ proxies also allow mail and web traffic
    monitoring and control

51
Simple NAT Network
THE INTERNET
  • Typical Home LAN
  • One Outside IP
  • Multiple inside IPs
  • Any inside PC can connect outbound
  • No unsolicited traffic is allowed inbound
  • Not well suited to local web or mail servers
  • Cant stop key loggers etc phoning home without
    risk of blocking wanted outbound traffic.

Permit OnlyReplies IN
Router orFirewall
Permit Any OUT
Local LAN
Local Computers
52
DMZ Network
THE INTERNET
  • No direct external connections
  • All traffic is filtered by secure servers in the
    DMZ
  • Safer and more controlled solution for large
    sites
  • Outbound connections via web proxies in DMZ only
  • Inbound connections to mail/web/file servers in
    DMZ only
  • Inside firewall permits DMZ Local traffic
    only
  • Outside firewall permits Local DMZ traffic
    only.

MailServer
WebProxy
Permit OnlyDMZ traffic IN
Outside or ScreenRouter or Firewall
DMZ LAN
Inside or ChokeRouter or Firewall
Permit onlyto DMZ
Local LAN
Local Computers
53
ENDPOINT ACLs
  • Control outside access to locally hosted services
  • block TCP/UDP ports not used
  • Restrict addresses allowed access to used ports
  • Block known bad address ranges
  • Minimise network services visible from outside
  • Tradeoff between ease of support and security
  • An IP with fewer visible services is less at risk
    of detailed probing
  • Control inside to outside access according to
    site policies
  • control employee/family internet access
  • block malicious software from phoning home

54
Structure of an Endpoint ACL
  • Block known dangerous traffic
  • Permit open TCP/UDP ports from any
  • Permit unsafe TCP/UDP ports from specific IPs
  • Permit ICMP echo-reply and ttl-exceeded
  • (if desired) permit ICMP echo and traceroute in
  • Block and log anything else

55
Example Endpoint ACL
The Internet
Interface atm 0 ip address 85.189.17.65
255.255.255.0 ip access-group 101 in
  • access-list 101 remark Internet Inbound ACL
  • access-list 101 remark ICMP and established
    at top for efficiency
  • access-list 101 permit tcp any 85.189.17.64
    0.0.0.7 established
  • access-list 101 permit icmp any 85.189.17.64
    0.0.0.7 echo-reply
  • access-list 101 permit icmp any 85.189.17.64
    0.0.0.7 unreachable
  • access-list 101 permit icmp any 85.189.17.64
    0.0.0.7 ttl-exceeded
  • access-list 101 permit icmp any 85.189.17.68
    0.0.0.3 echo
  • access-list 101 permit icmp any host 85.189.17.65
    echo
  • access-list 101 remark Top 4 NAT IPs are
    statics for server
  • access-list 101 permit tcp any 85.189.17.68
    0.0.0.3 eq www
  • access-list 101 permit tcp any 85.189.17.68
    0.0.0.3 eq 443
  • access-list 101 permit tcp any 85.189.17.68
    0.0.0.3 eq smtp
  • etc etc etc

56
Infrastructure ACLs
  • Infrastructure ACLs are applied to WAN routers in
    public or large private networks
  • These networks carry traffic between source and
    destination addresses external to themselves
  • Nothing except management traffic should be
    addressed to the routers themselves
  • Infrastructure ACLs block most traffic to the
    routers own addresses

57
Structure of an Infrastructure ACL
  • Permit trusted protocols from management subnet
    to infrastructure subnet
  • (Optionally) block traffic sourced from
    infrastructure subnet at edge routers only
  • Block traffic from any RFC1918 source IP to any
    IP
  • Block traffic from any IP to infrastructure
    subnet

58
Infrastructure ACL example
Management LAN 123.234.100.0/24
OUR INFRASTRUCTURE NETWORK 123.234.101.0/24
SOMEPUBLICNETWORK
Some Other Network
  • ! Infrastructure ACL applied IN on all interfaces
    in transit network
  • ! Permit management centre IPs to log in with
    TELNET or SSH
  • access-list 120 permit tcp 123.234.100.0
    0.0.0.255 123.234.101.0 0.0.0.255 eq telnet
  • access-list 120 permit tcp 123.234.100.0
    0.0.0.255 123.234.101.0 0.0.0.255 eq ssh
  • ! Permit ICMP echo and trace to infrastructure
    IPs
  • access-list 120 permit icmp any 123.234.101.0
    0.0.0.255 echo
  • access-list 120 permit icmp any 123.234.101.0
    0.0.0.255 traceroute
  • access-list 120 permit icmp any 123.234.101.0
    0.0.0.255 ttl-exceeded
  • ! Block RFC1918 source IPs that escaped into the
    internet
  • access-list 120 deny ip 10.0.0.0 0.255.255.255
    any
  • access-list 120 deny ip 172.0.0.0 0.63.255.255
    any
  • access-list 120 deny ip 192.0.0.0 0.0.0.255 any
  • ! Block any other traffic to infrastructure
    ranges
  • access-list 120 deny ip any 123.234.101.0
    0.0.0.255

59
Proxies
  • Intercept outbound communications
  • Apply filtering rules
  • Block dangerous content inbound
  • Can be
  • opt in requiring browser configuration
  • transparent using network to redirect web
    traffic through the proxy
  • All users appear to a web server as coming from
    the proxy

60
Proxy Operation
Web Server www.xyz.com
THE INTERNET
connect to www.xyz.com GET /index.html
Access Rules
Proxy Server
Log Files
192.168.0.253
Connect to 192.168.0.253 GET http//www.xyz.com/
index.html
61
Available Proxy Solutions
  • Windows - Microsoft ISA Serverhttp//www.microso
    ft.com/isaserver/default.mspx
  • UNIX/Linux squid proxyhttp//www.squid-cache.o
    rg/
  • Self contained appliance Netapp
    Netcachehttp//www.netapp.com/products/netcache/
    bluecoat.html

62
Intrusion Detection
  • Intrusion Detection System (IDS) is a permanent
    sniffer with a receive-only network connection
    (tap)
  • IDS examines incoming traffic and raises alarms
    when patterns associated with an attack or misuse
    are seen
  • IDS works best when linked to a firewall so it
    can automatically block sources of suspect traffic

63
IDS
THE INTERNET
Traffic
IDS PROBE
Router orFirewall
Signature Database
New Rules
IDSServer
Log Files
Local LAN
Local Computers
64
Other Security Devices
  • A Honeypot
  • is an unprotected computer exposed to the
    internet but closely monitored
  • It is used to detect and examine new forms of
    probing or attack
  • A Tar Pit
  • is a block of unused address space used to
    monitor randomly addressed traffic in the
    internet
  • replies to unused addresses are backscatter
    from virus and worm software using those
    addresses to conceal the true source of their
    probe traffic
  • Also allows passive identification and census of
    the Internet hardware population

65
Virtual Private Networks
  • Allow the internet to be used to carry private
    data
  • Based on encapsulating private packets in
    internet packets
  • Require application-layer implementations
  • 5 main solutions
  • GRE Non encrypted, allows interconnection of
    sites with private addresses
  • PPTP Microsoft to Microsoft, can be encrypted
  • SSL Encrypted Primarily used by mobile or
    roaming clients to access a corporate LAN
    simulates access to a secure web site so fairly
    invisible to firewalls/routers
  • SSH Secure Shell Primarily a UNIX client-server
    protocol but can be (mis) used to tunnel other IP
    traffic over a client-server connection
  • IPSEC Open standard, supports two modes
  • Authenticated Header (AH) gives integrity and
    authentication
  • Encapsulated Payload (ESP) gives secrecy too

66
VPN example
Corporate Application Server
VPN ROUTER
THE INTERNET
VPNTunnel
VPN ROUTER
SITE A LAN
Teleworker PC
Local Computers
67
Investigating Problems
68
Local Investigation Tools
  • Evidence Preservation
  • Norton Ghost
  • UNIX or Windows disk mirroring
  • Audit Logs
  • Windows Event Log or MOM
  • Log files in C\Windows or C\WinNT
  • UNIX Syslog and /var/log files
  • Firewall or Router logs
  • IDS logs

69
Remote Investigation Tools
  • Nslookup
  • Traceroute (unix) or tracert (Windows)
  • Whois
  • Port Scanners

70
NSLOOKUP
  • Name to Address Mapping
  • Address to Name Mapping

71
Traceroute
  • Finds path to remote host or IP
  • Will usually identify the attackers ISP

72
WHOIS
  • Provides lookup of registered domain name and IP
    address owners
  • 3 regional registries for IP addresses
  • RIPE (Europe)
  • ARIN (Americas)
  • APNIC (Asia/Pacific)
  • Registries for each domain ending
  • .com www.netsol.com
  • .co.uk www.nominet.co.uk

73
(No Transcript)
74
(No Transcript)
75
(No Transcript)
76
(No Transcript)
77
Port Scanners
  • Not nice to use on other people
  • A good thing for scanning ones own network for
    security holes
  • I recommend NMAP which is included in many Linux
    distributions

78
(No Transcript)
79
Packet Sniffers
  • Easiest independent check on traffic
  • May also spot private data and passwords in
    transit
  • Built in to most UNIX versions
  • snoop in Sun Solaris
  • tcpdump in Linux and BSD
  • Freeware for Windows
  • ethereal
  • wireshark

80
WEB02 tcpdump -i eth0 -s 0 -x port 80 tcpdump
verbose output suppressed, use -v or -vv for full
protocol decode listening on eth0, link-type
EN10MB (Ethernet), capture size 65535
bytes 172837.651756 IP web02.moffatig.com.47731
gt 213.120.156.179.www S 2409488259 2409488259(0)
win 5840 ltmss 1460,sackOK,timestamp 2867567837
0,nop,wscale 0gt 0x0000 4500 003c 435e
4000 4006 c186 c0a8 0303 E..ltC_at_._at_.......
0x0010 d578 9cb3 ba73 0050 8f9d df83 0000 0000
.x...s.P........ 0x0020 a002 16d0 89b1
0000 0204 05b4 0402 080a ................
0x0030 aaeb 9cdd 0000 0000 0103 0300
............ 172840.651910 IP
web02.moffatig.com.47731 gt 213.120.156.179.www S
2409488259 2409488259(0) win 5840 ltmss
1460,sackOK,timestamp 2867570838 0,nop,wscale 0gt
0x0000 4500 003c 435f 4000 4006 c185
c0a8 0303 E..ltC__at_._at_....... 0x0010 d578
9cb3 ba73 0050 8f9d df83 0000 0000
.x...s.P........ 0x0020 a002 16d0 7df8
0000 0204 05b4 0402 080a ...............
0x0030 aaeb a896 0000 0000 0103 0300
............ 172845.603093 IP
193.113.37.9.20654 gt web02.moffatig.com.www S
2349994328234 9994328(0) win 65535 ltmss
1460,nop,wscale 0,nop,nop,timestamp 8486240 0gt
0x0000 4500 003c 12ff 0000 3406 c997 c171
2509 E..lt....4....q. 0x0010 c0a8 0303
50ae 0050 8c12 1158 0000 0000 ....P..P...X....
0x0020 a002 ffff 3498 0000 0204 05b4 0103
0300 ....4........... 0x0030 0101 080a
0081 7d60 0000 0000 ..........
81
Current Security issues
  • BOTNETS
  • Networks of hijacked PCs controlled remotely to
    send SPAM or do denial-of-service attacks on a
    remote system
  • Defeats most attempts to trace source of an
    attack
  • Will require strict control of outbound traffic
    to stop infected PCs registering with a botnet
  • Highly randomised SPAM mail
  • Difficult to get rid of by subject or keyword
    filters
  • Distasteful or destructive content hidden in
    image files or embedded URLs
  • Requires pattern recognition to reliably block
  • The world really needs mailscanners that can
    interpret images

82
Further Reading
  • Data Protection Act 1998http//www.opsi.gov.uk/a
    cts/acts1998/19980029.htmaofs
  • Regulation of Investigatory Powers Act 2000
    http//www.opsi.gov.uk/Acts/acts2000/20000023.htm
  • Computer Misuse Act 1990http//www.opsi.gov.uk/a
    cts/acts1990/Ukpga_19900018_en_1.htm
  • Regional Address Registrieshttp//www.ripe.net/
    http//www.arin.net/index.shtmlhttp//www.apnic.
    net
  • Computer Security Alerts UNIRAS (UK)
    http//www.uniras.gov.uk/niscc/index-en.htmlUSCE
    RT http//www.cert.org/ ISC http//isc.sans
    .org/
  • Microsoft Baseline Security Analyserhttp//www.m
    icrosoft.com/technet/security/tools/mbsahome.mspx

83
(No Transcript)
84
SUPPLEMENTARYMATERIAL
85
THE THREATS
86
The Threats
  • Fire
  • Purely a physical threat
  • Results in data loss, loss of money invested in
    equipment, and downtime
  • Flood
  • Theft
  • Vandalism
  • Impersonation
  • Junk Mail

87
The Threats
  • Fire
  • Flood
  • Purely a physical threat
  • Results in data loss, loss of money invested in
    equipment, and downtime
  • Theft
  • Vandalism
  • Impersonation
  • Junk Mail

88
The Threats
  • Fire
  • Flood
  • Theft
  • Has physical and electronic forms
  • May involve hardware, data or both
  • Stolen data may be hard to replace
  • Stolen data may facilitate other crimes (eg.
    Impersonation)
  • Causes financial loss and loss of reputation
  • Vandalism
  • Impersonation
  • Junk Mail

89
The Threats
  • Fire
  • Flood
  • Theft
  • Vandalism
  • Has Physical and Electronic forms
  • May cause downtime and/or data loss
  • Causes financial loss and loss of reputation
  • Impersonation
  • Junk Mail

90
The Threats
  • Fire
  • Flood
  • Theft
  • Vandalism
  • Impersonation
  • Primarily an electronic threat
  • Leads to financial loss and loss of reputation
  • Junk Mail

91
The Threats
  • Fire
  • Flood
  • Theft
  • Vandalism
  • Impersonation
  • Junk Mail
  • Used to be mostly a waste of time and bandwidth
  • Now a carrier for malicious software

92
Malicious Software
93
Malicious Software
  • Trojans
  • Programs that claim to do one thing but actually
    do something unwanted
  • Need to be loaded and run by an authorised user
    of the system
  • Limited to the access rights of that user
  • Often used as a loader for rootkits or spyware
  • Nowadays usually downloaded by a misleading/bogus
    website or a link in SPAM email messages
  • Viruses
  • Worms
  • Exploits and Rootkits
  • Spyware
  • Password Capture or Phishing

94
Malicious Software
  • Trojans
  • Viruses
  • Self replicating programs
  • May just install a replicator on an infected
    machine or deliver a payload program to do its
    makers work on your PC
  • Payload may be destructive or spyware
  • Historically spread using infected DOS floppy
    disks
  • Nowadays found as macros in documents or
    downloadable programs
  • Worms
  • Exploits and Rootkits
  • Spyware
  • Password Capture or Phishing

95
Malicious Software
  • Trojans
  • Viruses
  • Worms
  • Self-replicating programs that spread from
    machine to machine over a network
  • May carry destructive or spyware payloads
  • Rely on vulnerable network services to infect new
    victims
  • Common in UNIX systems in 1980s, nowadays more
    common in Windows environments
  • Exploits and Rootkits
  • Spyware
  • Password Capture or Phishing

96
Malicious Software
  • Trojans
  • Viruses
  • Worms
  • Exploits and Rootkits
  • Exploits are bugs in an operating system that
    allow a local or remote user to get admin-level
    access
  • Hackers exploit these bugs to write programs
    that install a permanent remote access kit which
    gives them access to a compromised system
  • The remote access kit gives them root (UNIX) or
    administrator (Windows) access and hides itself
    from normal operating system file and process
    lists
  • Spyware
  • Password Capture or Phishing

97
Malicious Software
  • Trojans
  • Viruses
  • Worms
  • Exploits and Rootkits
  • Spyware
  • Usually installed by a trojan or worm
  • May log key strokes or URLs visited
  • Originally an unethical form of market research
  • Now used by organised crime to steal passwords
  • Password Capture or Phishing

98
Malicious Software
  • Trojans
  • Viruses
  • Worms
  • Exploits and Rootkits
  • Spyware
  • Password Capture or Phishing
  • Originally done by faking a login screen on a
    mainframe terminal or by faking dial-back
  • Now usually a link to a web site
  • Purports to be an urgent message from e-bay,
    paypal or a bank containing a link to click
  • Link text says http//some.bank.com/login.html
    but underlying code says http//some.hackers.hijac
    ked.server/fakelogin.html

99
Security Policies
100
Security Policies
  • Physical Security
  • Siting to avoid flood and fire risks
  • Locks and chains
  • Computer room access controls
  • Laptop security in transit and in use
  • Backups
  • Off site storage of backup and rebuild media
  • Availability of replacement hardware
  • User Access
  • Removable Media
  • Network Software
  • Network Connectivity
  • 3rd. Party Access
  • Audit and Logging
  • Patching and Updates

101
Security Policies
  • Physical Security
  • User Access
  • Who has administrative access (can add users or
    programs)
  • Password policies (length, complexity and change
    period)
  • Identity and background checks prior to granting
    access
  • Password reset process must prove that the real
    user is asking
  • 7x24 or restricted access hours
  • Separation of roles (user vs administrator)
  • Audit and removal of expired or unused access
  • Shared user accounts are dangerous (undermine
    audit trail)
  • Users must be warned that unauthorised access is
    illegal
  • Users must be informed of the scope and purpose
    of permitted access
  • Users must be informed and/or trained in data
    protection
  • Removable Media
  • Network Software
  • Network Connectivity
  • 3rd. Party Access
  • Audit and Logging
  • Patching and Updates

102
Security Policies
  • Physical Security
  • User Access
  • Removable Media
  • How to store backups away from harm
  • Potentially different content/retention profiles
    for archives and backups
  • Need to have software to read old archives and
    install old backups
  • Need to ensure that media are still readable
    after time
  • Consider retention period (legal and practical
    constraints may apply)
  • Consider risk from imported media (virus etc)
  • How to ensure timely identification and
    destruction of redundant media
  • Need to control introduction of new media from
    outside
  • Network Software
  • Network Connectivity
  • 3rd. Party Access
  • Audit and Logging
  • Patching and Updates

103
Security Policies
  • Physical Security
  • User Access
  • Removable Media
  • Network Software
  • Minimise visible network presence
  • Turn off unwanted network services (need mail on
    web server?)
  • Avoid use of unsafe protocols (eg. TELNET or FTP
    send unencrypted passwords)
  • Use safe/encrypted protocols (SSH, HTTPS)
  • Avoid programs or configurations that auto-open
    received files
  • Network Connectivity
  • 3rd. Party Access
  • Audit and Logging
  • Patching and Updates

104
Security Policies
  • Physical Security
  • User Access
  • Removable Media
  • Network Software
  • Network Connectivity
  • Firewalls are essential
  • Identify security domains in your network and
    outside
  • Identify necessary connections by source,
    destination and protocol between machines or
    domains
  • Configure firewall rules to permit only these
    connections
  • Log permitted but potentially dangerous traffic
  • Maintain a low profile to the internet minimise
    visible network services exposed to the outside
    by your firewall
  • 3rd. Party Access
  • Audit and Logging
  • Patching and Updates

105
Security Policies
  • Physical Security
  • User Access
  • Removable Media
  • Network Software
  • Network Connectivity
  • 3rd. Party Access
  • 3rd party maintainers or outsource staff may need
    remote or on site access
  • Ensure that work is controlled and staff are
    trustworthy
  • Ensure that confidentiality agreements are in
    place before granting access
  • Shut off remote access when not in use
  • Log or supervise support access
  • Review and if possible disable phone home
    features for vendor support unless you are trying
    to fix a problem
  • Test automatic updates on a sacrificial machine
    before allowing network-wide deployment in your
    business
  • Audit and Logging
  • Patching and Updates

106
Security Policies
  • Physical Security
  • User Access
  • Removable Media
  • Network Access
  • Network Connectivity
  • 3rd. Party Access
  • Audit and Logging
  • Logs help diagnose problems and are evidence of
    misuse
  • Excessive logs may be a security risk (eg
    unencrypted data or disk full)
  • Should be sufficient to determine who did what
    when
  • Should not be an easier alternative to keystroke
    logging or wire tapping
  • Useless as an audit trail if login accounts are
    shared
  • Must be protected from modification ideally
    best sent to a dedicated server in real time over
    the network using SYSLOG (Unix and Network) or
    MOM (Windows)
  • Content and retention of logs must satisfy data
    protection and privacy laws
  • Patching and Updates

107
Patching and Updates
  • Physical Security
  • User Access
  • Removable Media
  • Network Software
  • Network Connectivity
  • 3rd. Party Access
  • Audit and Logging
  • Patching and Updates
  • Hackers are always finding new bugs
  • Software vendors are always fixing them
  • You must monitor vendor websites or mailing lists
  • Also check CERT, UNIRAS and ISC alerts frequently
  • If you have resources test and deploy patches in
    a controlled way
  • If not subscribe to windows update or its Linux
    counterparts
  • Upgrade the OS before it becomes unsupported

108
Physical Security
  • Separate components of large systems across
    multiple sites
  • Clustering for high availability
  • Live/Standby operation for less critical system
  • Consider using test/development system as a cold
    standby
  • Standby systems are only useful if data and
    software are up to date
  • Need to rehearse failover and failback
  • Keep taking the backups!
  • Test Backup and restore process regularly
  • Keep all media needed to reinstall your software
  • Test that media are still readable from time to
    time
  • Ensure backups are stored as securely as the live
    data (or more so)
  • Review availability of hardware and upgrade or
    buy spares when it is near end of life
  • Dont keep backups and live systems in the same
    room (and if possible not in the same building)
  • Keep critical computers in a separate locked room
    (which also helps with noise and dust and air
    conditioning)
  • Dont put computers under water pipes or tanks
  • Dont use floor-standing computers or storage
    furniture in rooms liable to flooding
  • Ensure that temperature and humidity are
    monitored nd alarmed in computer rooms
  • Ensure that media stores are dry and free from
    dust and insects

109
Physical Security
  • Separate components of large systems across
    multiple sites
  • Keep taking the backups!
  • Keep critical computers in a separate locked room
    (which also helps with noise and dust and air
    conditioning)
  • Dont put computers under water pipes or tanks
  • Dont use floor-standing computers or storage
    furniture in rooms liable to flooding
  • Ensure that temperature and humidity are
    monitored nd alarmed in computer rooms
  • Ensure that media stores are dry and free from
    dust and insects

110
Physical Security
  • Separate components of large systems across
    multiple sites
  • Clustering for high availability
  • Live/Standby operation for less critical system
  • Consider using test/development system as a cold
    standby
Write a Comment
User Comments (0)
About PowerShow.com