Guide to Network Defense and Countermeasures - Chapter 1

Upload: jonah-davis

Post on 31-Dec-2015



Guide to Network Defense and Countermeasures

Chapter 1


Chapter 1 - Foundations of Network Security

Understand the individuals who might attempt to break into your network

Set goals for developing a network security system

Review the TCP/IP networking fundamentals that you’ll need to secure a network

Describe the elements of IP packets that can be misused by hackers

Chapter 1 - Foundations of Network Security

Know the role routers play in a network security perimeter

Secure workstations

Understand aspects of Internet-based communications that present security risks

Knowing Your Enemies

Hackers are looking for:

Access to computer systems, either for the thrill of it or for criminal purposes

Revenge, where disgruntled current or former employees want to retaliate against an organization

Financial gain through theft of financial information, such as credit card numbers, or to defraud people out of money with scams

Corporate proprietary information, which can be sold to those who want the data to upgrade their technological capabilities

Knowing Your Enemies

The attackers are typically:

Hackers who gain access to unauthorized network resources, usually by finding a way to circumvent passwords, firewalls, or other protective measures

Disgruntled employees who want to exact revenge on their place of employment

Script kiddies, immature programmers who spread viruses and other malicious scripts

Packet monkeys, who are interested in blocking Web site activities through Distributed Denial of Service (DDoS) attacks

Goals of Network Security

Maintaining Privacy

Organizations that hold databases of personal and financial data need to maintain privacy not only to protect their customers, but to maintain the integrity and credibility of their own organizations

One of the most important and effective ways to maintain privacy of information held on an organization’s network resources is to educate rank-and-file employees about security dangers and security policies

Goals of Network Security

Preserving Data Integrity

Data integrity is preserved through encryption methods such as public-key cryptography, which encrypts communications through the use of long blocks of code called keys; users obtain keys in order to view encrypted information

Authenticating Users

The process of determining the identity of an authorized user through the matching of a username and password or by other means is known as authentication
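As an added example (not from the textbook slides), here is how the username-and-password matching described above is done safely in Python: the password itself is never stored, only a salted PBKDF2 verifier, and the comparison runs in constant time so a wrong guess cannot be distinguished by timing. The UserStore class, the iteration count and the sample credentials are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted verifier for a password. Returns (salt, derived_key).

    Storing the derived key instead of the password means a stolen user
    database does not directly hand over the credentials."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, derived


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the verifier and compare it in constant time."""
    _, derived = hash_password(password, salt)
    return hmac.compare_digest(derived, expected)


class UserStore:
    """In-memory username -> (salt, verifier) store, constructed for this example."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Unknown user: still spend a full PBKDF2 computation so that response
            # time does not reveal which usernames exist.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, expected = record
        return verify_password(password, salt, expected)


def demo() -> Dict[str, bool]:
    """Exercise the store with a valid login, a wrong password and an unknown user."""
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")   # constructed sample credential
    return {
        "good": store.authenticate("alice", "correct horse battery staple"),
        "wrong_password": store.authenticate("alice", "correct horse battery stable"),
        "unknown_user": store.authenticate("mallory", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

The dummy computation for unknown users is what keeps "no such user" and "wrong password" indistinguishable to an observer measuring response time; drop it and the store leaks valid usernames.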

Goals of Network Security

Enabling Connectivity

To provide security for online transactions, many businesses set up leased lines, which are point-to-point frame relays or other connections established by the telecommunications companies that own the line; leased lines are expensive

To reduce leased line costs, many businesses that already have high-speed Internet connections set up virtual private networks (VPNs), which use encryption, authentication, and data encapsulation to secure systems using the Internet

Understanding TCP/IP Networking

TCP/IP is the combination of protocols that allow information to be transmitted from point to point on a network

The Open Systems Interconnection (OSI) model of network communications breaks communications into seven layers; TCP/IP has its own stack of protocols that roughly correspond to these layers

Understanding the fundamentals of TCP/IP networking will help you understand one of the ways an intruder can get into your network: through the IP addresses of each computer

Understanding TCP/IP Networking

IP Addressing

Hackers can gain access to networks by determining the actual IP addresses of individual computers; therefore, a fundamental goal of network security is to understand IP addresses and other network addresses so that they can be concealed or changed to deter hackers

IP addresses that are currently in use on the Internet conform to Internet Protocol version 4 (IPv4), which calls for addresses with 32 bits or four bytes of data; IPv6 calls for 128 bits

Understanding TCP/IP Networking

IP Addressing (cont.)

IP addresses consist of the network address and the station (or host) address; these two values are combined with a third value, the subnet mask

IP addresses are hidden by using:

Network Address Translation (NAT), which translates the non-routable internal addresses into the address of the NAT server’s external interface

Proxy servers, which make all requests from internal computers look like they are coming from the proxy server

Understanding TCP/IP Networking

IP Addressing (cont.)

IPv4 addresses are broken into address categories called classes; class designation determines the subnet mask of an IP address

Subnetting is one way to take a single network address and divide it into multiple network addresses by “borrowing” bits from the host portion of the address and subdividing it

IP addresses and their subnet masks must be protected by security devices that perform NAT, by proxy servers, or by VPNs
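An added example, not part of the original slides, that works the IP addressing material above through in Python with the standard ipaddress module: it derives the classful subnet mask from the first octet, splits an address into network and host parts, borrows host bits to subnet a network, and flags the private addresses that NAT hides behind a routable external address. The function names and the sample addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional


def classful_prefix(addr: str) -> int:
    """Return the default prefix length implied by an IPv4 address's class.

    Class A (first octet 0-127) uses /8, class B (128-191) /16 and class C
    (192-223) /24. Class D/E addresses have no host portion to mask."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is a class D/E address and has no classful subnet mask")


def describe(addr: str, prefix: Optional[int] = None) -> Dict[str, object]:
    """Split an address into its network and host parts.

    Uses the classful mask when no prefix is given, otherwise the supplied one."""
    if prefix is None:
        prefix = classful_prefix(addr)
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    net = iface.network
    return {
        "address": str(iface.ip),
        "mask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_bits": 32 - net.prefixlen,
        # Network and broadcast addresses are not assignable to hosts.
        "usable_hosts": max(net.num_addresses - 2, 0),
        # Non-routable internal space is what NAT translates to a public address.
        "private": iface.ip.is_private,
    }


def subnet(network: str, borrowed_bits: int) -> List[str]:
    """Borrow host bits to divide one network into 2**borrowed_bits subnets."""
    net = ipaddress.ip_network(network, strict=True)
    return [str(s) for s in net.subnets(prefixlen_diff=borrowed_bits)]


if __name__ == "__main__":
    # Constructed sample addresses: one class A private, one class B public, one class C private.
    for sample in ("10.1.2.3", "172.32.5.9", "192.168.10.77"):
        print(describe(sample))
    print(describe("192.168.10.77", 26))
    print(subnet("192.168.10.0/24", 2))
```

Comparing describe("192.168.10.77") with describe("192.168.10.77", 26) shows what borrowing two host bits does: the mask grows to 255.255.255.192, the host range shrinks to 62 addresses, and the same host now sits in the 192.168.10.64 network.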

Exploring IP Packet Structure

TCP/IP is a packet-based network communications medium: it transmits data in small packages called packets or datagrams

Each complete message is broken into multiple datagrams that contain information about the source and destination IP addresses, a variety of control settings, and the data to be exchanged

The primary packet subdivisions are the header and the data; some packets have an additional section at the end that is called either a trailer or the footer

Exploring IP Packet Structure

IP datagrams (cont.)

The header is the part of the packet that computers use to communicate, and it plays an important role in terms of network security and intrusion detection

IP headers contain components called flags

Flags can be used by firewalls and IDS systems to:

Block packets that don’t meet a predetermined set of rules

Allow packets that have criteria matching at least one rule

Set off intrusion alerts if a particular flag or a set of specific criteria, called a signature, is detected by a firewall or IDS system

Exploring IP Packet Structure

IP datagrams (cont.)

IP spoofing occurs when hackers sneak through the network by manipulating the header flags, where they specify their own computer as the destination during the process of source routing

The data part of a TCP/IP packet is the part that needs to be protected

Firewalls and VPNs have a number of ways in which they can protect packet data, and in some cases, will work with third-party software to screen the content of network communications for viruses

Exploring IP Packet Structure

IP datagrams (cont.)

Internet Control Message Protocol (ICMP) is designed to assist TCP/IP networks with various communication problems, but ICMP messages can be used by hackers to crash network computers

Because ICMP packets have no authentication method, hackers can attempt man-in-the-middle attacks, in which they impersonate the recipient

Hackers can also transmit packets that send the ICMP Redirect message type to direct traffic to a computer outside the protected network

Exploring IP Packet Structure

IP datagrams (cont.)

TCP/IP packets also contain TCP headers, which provide hosts with a different set of flags

In particular, hackers can craft a false TCP header that contains a set Acknowledgement flag as a means to gain illicit access to a network

User Datagram Protocol (UDP) provides a datagram transport service for IP, but one that is considered unreliable because it is connectionless - this makes it easier for a hacker to send a malformed or dangerous UDP packet to a client

Exploring IP Packet Structure

IP datagrams (cont.)

IP fragmentation was originally developed as a means of enabling large packets to pass through early routers that couldn’t handle their size; this created a security problem due to the fragment numbering scheme - hackers can gain access to the network if they modify the IP header to start all fragments at number 1 or higher

To protect against this, configure firewall or packet filters to drop all fragmented packets, especially since fragmentation is rarely used today
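The flag-based filtering, the TCP flag inspection and the drop-all-fragments advice in the IP datagram slides above, as one added Python example that is not part of the original: it decodes the IPv4 and TCP headers with struct, then runs a first-match rule list (drop fragments, alert on the well-known SYN+FIN signature, allow TCP to web ports, deny everything else). The rule set, the build_* helpers and the sample packets are constructed for the illustration; nothing here is a captured packet.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_FLAG_MF = 0x1    # "More Fragments" bit of the 3-bit IP flags field
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class Packet:
    """The header fields a filter needs; transport fields stay None/empty if unavailable."""
    src: str
    dst: str
    proto: int
    more_fragments: bool
    frag_offset: int                       # byte offset of this fragment in the datagram
    dst_port: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()


def parse_ipv4(raw: bytes) -> Packet:
    """Decode the 20-byte fixed IPv4 header and, for an unfragmented TCP segment, its flags."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4
    pkt = Packet(
        src=socket.inet_ntoa(src),
        dst=socket.inet_ntoa(dst),
        proto=proto,
        more_fragments=bool((flags_frag >> 13) & IP_FLAG_MF),
        frag_offset=(flags_frag & 0x1FFF) * 8,
    )
    payload = raw[header_len:]
    # Only the first fragment carries the TCP header, so later fragments have no flags to inspect.
    if proto == IP_PROTO_TCP and pkt.frag_offset == 0 and len(payload) >= 14:
        _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        pkt.dst_port = dport
        pkt.tcp_flags = frozenset(name for name, bit in TCP_FLAG_BITS.items() if off_flags & bit)
    return pkt


# Ordered rule set: first match wins, anything unmatched is dropped (default deny).
Rule = Tuple[str, str, Callable[[Packet], bool]]
RULES: List[Rule] = [
    ("DROP", "fragmented packet", lambda p: p.more_fragments or p.frag_offset > 0),
    ("ALERT", "signature: SYN and FIN set together", lambda p: {"SYN", "FIN"} <= p.tcp_flags),
    ("ALLOW", "TCP to web ports", lambda p: p.proto == IP_PROTO_TCP and p.dst_port in (80, 443)),
]


def filter_packet(raw: bytes) -> Tuple[str, str]:
    """Return the (action, reason) the rule set assigns to a raw IPv4 packet."""
    pkt = parse_ipv4(raw)
    for action, reason, matches in RULES:
        if matches(pkt):
            return action, reason
    return "DROP", "no rule matched (default deny)"


# --- constructed sample packets (built here, not captured) -----------------------------

def build_tcp(sport: int, dport: int, flags: Tuple[str, ...]) -> bytes:
    """Minimal 20-byte TCP header: data offset 5, no options, zero checksum."""
    bits = sum(TCP_FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | bits, 65535, 0, 0)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Minimal IPv4 header (IHL 5, TTL 64, zero checksum) in front of the payload."""
    flags_frag = ((IP_FLAG_MF if more_fragments else 0) << 13) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


SAMPLES: Dict[str, bytes] = {
    "syn_to_https": build_ipv4("198.51.100.7", "203.0.113.10", IP_PROTO_TCP, build_tcp(40000, 443, ("SYN",))),
    "syn_fin_to_https": build_ipv4("198.51.100.7", "203.0.113.10", IP_PROTO_TCP, build_tcp(40001, 443, ("SYN", "FIN"))),
    "second_fragment": build_ipv4("198.51.100.7", "203.0.113.10", IP_PROTO_TCP, b"\x00" * 64, frag_offset=1480),
    "udp_to_dns": build_ipv4("198.51.100.7", "203.0.113.10", IP_PROTO_UDP, b"\x00" * 12),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} -> {filter_packet(raw)}")
```

Rule order matters: the fragment rule sits first because a non-initial fragment carries no TCP header at all, so a port-based allow rule evaluated before it would have nothing to match on and the fragment could slip past a filter that only looks at transport fields.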

Exploring IP Packet Structure

IP datagrams (cont.)

The Domain Name System (DNS) is a general-purpose service used mainly on the Internet for translating host names to IP addresses

DNS introduced a security issue since it can be exploited by hackers who perform buffer overflow (sending an overly-long DNS name to the server) or cache poisoning attacks (breaking into cache to retrieve stored DNS addresses)

Most DNS servers today have been patched to eliminate this vulnerability

Routing and Access Control

Routers move TCP/IP packets between LANs

Every router uses a routing table, which is a list of network addresses and corresponding gateway IP addresses that a router uses to direct traffic

Some firewalls come packaged in a hardware device that also serves as a router

Access Control Lists (ACLs): Provide hosts with authorized user and group lists, as well as user authorization levels

Protect ACLs with good passwords, and disable Guest accounts that hackers can exploit
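An added Python example, not from the slides, of the routing table described above: routes are kept most-specific-first so lookup() returns the longest matching prefix, and forward() adds the kind of packet-filtering check a perimeter router that doubles as a firewall can make, dropping packets whose source address is not reachable through the interface they arrived on. The interface names, gateways and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class RoutingTable:
    """Routing table with longest-prefix-match lookup and a reverse-path source check."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, str, str]] = []

    def add_route(self, network: str, gateway: str, interface: str) -> None:
        """Add a (destination network, next-hop gateway, egress interface) entry."""
        net = ipaddress.ip_network(network, strict=True)
        self._routes.append((net, gateway, interface))
        # Most specific prefix first, so the first hit in lookup() is the longest match.
        self._routes.sort(key=lambda route: route[0].prefixlen, reverse=True)

    def lookup(self, address: str) -> Optional[Dict[str, str]]:
        """Return the most specific route covering `address`, or None if there is no route."""
        addr = ipaddress.ip_address(address)
        for net, gateway, interface in self._routes:
            if addr in net:
                return {"network": str(net), "gateway": gateway, "interface": interface}
        return None

    def forward(self, src: str, dst: str, ingress: str) -> Dict[str, str]:
        """Decide what happens to a packet that arrived on `ingress`.

        A perimeter router that also filters can reject packets whose source
        address would never be reached through the interface they came in on,
        which keeps internal addresses from appearing on the external link."""
        src_route = self.lookup(src)
        if src_route is None or src_route["interface"] != ingress:
            return {"action": "DROP", "reason": "source address not reachable via ingress interface"}
        dst_route = self.lookup(dst)
        if dst_route is None:
            return {"action": "DROP", "reason": "no route to destination"}
        return {"action": "FORWARD", **dst_route}


def build_example_table() -> RoutingTable:
    """Constructed perimeter router: one local LAN, a wider internal range, and a default route."""
    table = RoutingTable()
    table.add_route("192.168.1.0/24", "directly connected", "eth0")   # the local LAN
    table.add_route("192.168.0.0/16", "192.168.1.254", "eth0")        # other internal LANs via a core router
    table.add_route("0.0.0.0/0", "203.0.113.1", "eth1")               # everything else goes to the ISP
    return table


if __name__ == "__main__":
    table = build_example_table()
    print(table.lookup("192.168.1.50"))
    print(table.lookup("192.168.7.9"))
    print(table.forward("192.168.1.50", "198.51.100.20", "eth0"))
    print(table.forward("192.168.1.50", "198.51.100.20", "eth1"))
```

The two forward() calls at the end differ only in the ingress interface: the same internal source address is forwarded when it arrives from the LAN side and dropped when it shows up on the Internet-facing interface, where no legitimate path could have delivered it.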

Securing Individual Workstations

Workstations that host security software are commonly placed on the network perimeter

The perimeter is a vulnerable spot that stands between the internal LAN and the external Internet

Some IDS systems are positioned on public servers outside of the organization’s internal LAN

Because they are in a vulnerable location, firewalls and intrusion detection systems make use of bastion hosts, machines that have been hardened (made more secure) by turning off all unneeded services except the bare essentials

Securing Individual Workstations

Securing workstations (cont.)

In securing workstations, the choice of operating system isn’t as important as the administrator’s familiarity with it

Both the hardware and software that make up a bastion host should be familiar to the administrator

The workstation should present intruders with only a minimal set of resources and open ports

A bare-bones workstation configuration reduces the chances of attack; the fewer the resources and openings, the more secure the host is

Securing Individual Workstations

Securing workstations (cont.)

RAM is important when operating a server, but because the host that operates the firewall or IDS may only be providing a single service on the network, a great amount of RAM is not necessary

A great amount of hard disk space is required due to the accumulation of vast quantities of records or log files detailing resource access requests

Because the IDS host or firewall is integral to network security, you should obtain a machine with the fastest processor speed you can afford

Securing Individual Workstations

Securing workstations (cont.)

Secure Windows 2000 and XP computers by installing the various patches and hotfixes that are released for these operating systems; such updates are regularly issued by Microsoft

Windows 2000 and XP are excellent choices for bastion host operating systems because of their reliability and widespread use as servers; when configuring a bastion host with 2000 or XP, make use of two hardening utilities: Microsoft Baseline Security Analyzer and the Internet Information Server (IIS) Lockdown Tool

Securing Individual Workstations

Securing workstations (cont.)

UNIX is the most popular Web operating system and may have fewer security holes than Windows; if it is an option, follow HP-UX’s stripped-down installation, which leaves out unneeded items and services

The UNIX security patches you install must correspond to the installed operating system

Other UNIX issues: install supplemental security software such as TCP Wrapper and Secure Shell (SSH), a remote command interface; do logging through the syslog daemon; make use of the chkconfig utility

Securing Individual Workstations

Day-to-day security maintenance involves maintaining hotfixes, reviewing security logs, and plugging holes as they arise

Don’t go it alone - assemble a team

Follow a daily list, such as a security task checklist

Gather weekly security activity reports from the team

Get rank-and-file employees involved in security

Establish and distribute your security policy

Set up a network security perimeter - use firewalls, DMZs, intrusion detection, and VPNs

Web and Internet-based Security Concerns

Internet issues requiring attention:

For a home user who regularly uses the Internet, a firewall’s primary job is to keep viruses from infecting files and to prevent Trojan horses from entering the system through back doors

Executable code attached to email messages may be difficult for a firewall or IDS system to detect, but specialty e-mail firewalls monitor and control content - they especially filter out malicious code

Always-on connections are best protected with firewalls, anti-virus software and VPN connections

Chapter Summary

You need to know the types of enemies you are up against, and what they are after, in order to defend against them. The individuals who might attempt to intrude on your network might simply be motivated by a desire to see what kinds of data you have and to gain control of your computer. Revenge by disgruntled current or former employees might be the primary motivation, however. Some hackers break into accounts and networks for financial gain. Others want to steal proprietary information either for their own use or for resale to other parties.

You need to set goals for your network security program. These goals originate with an analysis of the risks you face and an assessment of the resources you want to protect. One of the most important goals of any network security effort should be to maintain the privacy of information related to customers and employees alike. Other goals include the preservation of data integrity, the authentication of approved users of network resources, and enabling remote users to connect securely to the internal network.

Some basic knowledge of TCP/IP networking is important not only to configure the firewalls and routers that make up a Defense in Depth configuration, but also to be aware of vulnerabilities related to IP addresses. Consider using proxy servers or NAT to shield the actual IP addresses from external users.

The IP and TCP header sections of IP packets were explored in detail, because they contain a variety of settings that can be exploited by hackers. These include header information such as the fragmentation flag and the source or destination IP address. ICMP messages such as redirect and echo request can be misused by hackers either to intercept traffic and direct it to a server that they control, or to flood a server with so many requests that it can no longer handle other traffic.

Routing and access control are important network concepts because the routers at the perimeter of a network are critical to the movement of all traffic into and out of the network, regardless of whether the traffic is legitimate or harmful. Because of their position on the perimeter, routers can be equipped with their own firewall so that they can perform packet filtering and other functions.

It’s also important to realize the various activities that go into securing the bastion hosts on which your firewall software and intrusion detection programs will be installed. These include obtaining the latest versions of operating system software and checking periodically for any new security patches or hotfixes that have been released. Computers that are expected to host firewall or IDS software or provide public services should be hardened as much as possible by reducing unnecessary software and accounts and by closing any open ports.

Because the Internet and particularly the WWW are playing increasingly important roles in the movement of business-related traffic from one corporate network to another, it’s important to have some understanding of the network security concerns that pertain to e-commerce and online communications. E-mail is one of the most important services you can secure because of the possibility of malicious scripts being delivered in e-mail attachments. The “always on” DSL and cable modem connections that are becoming increasingly popular present new security risks that need to be addressed with firewall and VPN solutions.