Chapter 9: Securing TCP/IP Environments
Source: 2profs.net/steve/CISNTWK413/PPTs/ch09.pdf
Guide to TCP/IP, Third Edition (50 slides)

Post on 31-Jul-2020


Page 1: Title slide

Guide to TCP/IP, Third Edition
Chapter 9: Securing TCP/IP Environments

Page 2: Objectives

• Understand basic concepts and principles for maintaining computer and network security
• Understand the anatomy of an IP attack
• Recognize common points of attack inherent in the TCP/IP architecture
• Maintain IP security

Page 3: Objectives (continued)

• Understand security policies and recovery plans
• Understand new and improved security features in Windows XP Professional and Windows Server 2003
• Discuss the importance of honeypots and honeynets for network security

Page 4: Understand Computer and Network Security

• Protecting a system or network means
  – Closing the door against outside attack
  – Protecting your systems, data, and applications from any sources of damage or harm
• The 2005 Computer Crime Survey
  – Virus and worm infections were among the top problems leading to financial loss

Page 5: Principles of IP Security

• Physical security
  – Synonymous with “controlling physical access”
  – Should be carefully monitored
• Personnel security
  – Important to formulate a security policy for your organization
• System and network security includes
  – Analyzing the current software environment
  – Identifying and eliminating potential points of exposure

Page 6: Understanding Typical IP Attacks, Exploits, and Break-Ins

• Basic fundamental protocols
  – Offer no built-in security controls
• Successful attacks against TCP/IP networks and services rely on two powerful weapons
  – Profiling or footprinting tools
  – A working knowledge of known weaknesses or implementation problems

Page 7: Key Terminology in Network and Computer Security

• An attack
  – Some kind of attempt to obtain access to information
• An exploit
  – Documents a vulnerability
• A break-in
  – Successful attempt to compromise a system’s security

Page 8: Key Weaknesses in TCP/IP

• Ways in which TCP/IP can be attacked
  – Bad guys can
    • Attempt to impersonate valid users
    • Attempt to take over existing communications sessions
    • Attempt to snoop inside traffic moving across the Internet
    • Utilize a technique known as IP spoofing

Page 9: Common Types of IP-Related Attacks

• DoS attacks
• Man-in-the-middle (MITM) attacks
• IP service attacks
• IP service implementation vulnerabilities
• Insecure IP protocols and services

Page 10: What IP Services Are Most Vulnerable?

• Remote logon service
  – Includes the Telnet remote terminal emulation service, as well as the Berkeley remote utilities
• Remote control programs
  – Can pose security threats
• Services that permit anonymous access
  – Makes anonymous Web and FTP conspicuous targets

Page 11: Holes, Back Doors, and Other Illicit Points of Entry

• Hole
  – Weak spot or known place of attack on any common operating system, application, or service
• Back door
  – Undocumented and illicit point of entry into an operating system or application
• Vulnerability
  – Weakness that can be accidentally triggered or intentionally exploited

Page 12: The Anatomy of IP Attacks

• IP attacks typically follow a set pattern
  – Reconnaissance or discovery process
  – Attacker focuses on the attack itself
  – Stealthy attacker may cover its tracks by deleting log files, or terminating any active direct connections

Page 13: Reconnaissance and Discovery Processes

• PING sweep
  – Can identify active hosts on an IP network
• Port probe
  – Detect UDP- and TCP-based services running on a host
• Purpose of reconnaissance
  – To find out what you have and what is vulnerable

Page 14: Reconnaissance and Discovery Processes (continued)

• The attack
  – May encompass a brute force attack process that overwhelms a victim
• Computer forensics
  – May be necessary to identify traces from an attacker winding his or her way through a system

Page 15: Common IP Points of Attack

• Virus
  – Any self-replicating program that works for its own purposes
  – Classes
    • File infectors
    • System or boot-record infectors
    • Macro viruses

Page 16: Worms

• A kind of virus that eschews most activity except as it relates to self-replication
• MSBlaster worm
  – Unleashed in August 2003
  – Exploited the RPC DCOM buffer overflow vulnerability in Microsoft Windows
• Hex reader
  – Look inside suspect files without launching them

Page 17: Trojan Horse Programs

• Masquerade as innocuous or built-to-purpose programs
• Conceal abilities that permit others to take over and operate unprotected systems remotely
• Must be installed on a computer system to run
• Back Orifice
  – Example of a Trojan horse program

Page 18: Denial of Service Attacks

• Designed to interrupt or completely disrupt operations of a network device or communications
• SYN Flood attack
  – Uses the three-way TCP handshake process to overload a device on a network
• Broadcast amplification attack
  – Malicious host crafts and sends ICMP Echo Requests to a broadcast address
• Windows 2000 UPnP DoS attack
  – Specially crafted request packet is sent that causes services.exe to exhaust all virtual memory resources

Page 19: Distributed Denial of Service Attacks

• DoS attacks launched from numerous devices
• DDoS attacks consist of four main elements
  – Attacker
  – Handler
  – Agent
  – Victim

Page 20: (figure slide; no text extracted)

Page 21: Buffer Overflows/Overruns

• Exploit a weakness in many programs that expect to receive a fixed amount of input
• Adware
  – Opens the door for a compromised machine to display unsolicited and unwanted advertising
• Spyware
  – Unsolicited and unwanted software that
    • Takes up stealthy, unauthorized, and uninvited residence on a computer

Page 22: Spoofing

• Borrowing identity information to hide or deflect interest in attack activities
• Ingress filtering
  – Applying restrictions to traffic entering a network
• Egress filtering
  – Applying restrictions to traffic leaving a network

Page 23: TCP Session Hijacking

• Purpose of an attack
  – To masquerade as an authorized user to gain access to a system
• Once a session is hijacked
  – The attacker can send packets to the server to execute commands, change passwords, or worse

Page 24: Network Sniffing

• One method of passive network attack
  – Based on network “sniffing,” or eavesdropping using a protocol analyzer or other sniffing software
• Network analyzers available to eavesdrop on networks include
  – tcpdump (UNIX)
  – EtherPeek (Windows)
  – Network Monitor (Windows)
  – AiroPeek Wireless (Windows)
  – Ethereal for Windows

Page 25: (figure slide; no text extracted)

Page 26: (figure slide; no text extracted)

Page 27: Maintaining IP Security

• Microsoft security bulletins
  – May be accessed or searched through the Security Bulletins section at www.microsoft.com/security/default.mspx
• Essential to know about security patches and fixes and to install them
• Knowing which ports to block
  – Many exploits and attacks are based on common vulnerabilities
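The ingress and egress filtering named on slide 22 and the "know which ports to block" point on slide 27 come together in a perimeter packet filter. The following is an added example written for this transcript, not code from the textbook or the slides: it models a direction-aware filter that drops spoofed sources on the way in (sources claiming to be internal, or from private/unroutable space), drops spoofed sources on the way out (anything not in the organization's own address space), and applies a constructed inbound port block list. The address ranges (198.51.100.0/24 as "our" space, 203.0.113.0/24 and 192.0.2.0/24 as outside hosts) and the port list are assumptions chosen for the example.

```python
"""Direction-aware packet filter: ingress/egress anti-spoofing plus a
block list of inbound ports. Added example; the address ranges and the
port list are a constructed policy, not values from the slides."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: the address space this perimeter router is responsible for.
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Source ranges that should never arrive from the Internet side
# (RFC 1918 private space, loopback, link-local, "this network").
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# Constructed block list of inbound service ports: Telnet, the NetBIOS /
# RPC endpoint mapper / SMB ports, and TFTP. A real policy is site-specific.
BLOCKED_INBOUND = {
    "tcp": {23, 135, 137, 138, 139, 445},
    "udp": {69, 135, 137, 138},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def filter_packet(pkt, direction):
    """Return (verdict, reason) for a packet seen on the perimeter.

    direction is "ingress" (arriving from the outside) or "egress" (leaving).
    Ingress filtering rejects sources that claim to be us or that are
    unroutable; egress filtering rejects sources that are not ours, so a
    compromised inside host cannot spoof addresses toward the Internet."""
    src = ipaddress.ip_address(pkt.src)
    if direction == "ingress":
        if _in_any(src, OUR_PREFIXES):
            return "drop", "ingress anti-spoof: source claims an internal address"
        if _in_any(src, BOGON_PREFIXES):
            return "drop", "ingress anti-spoof: private or unroutable source"
        if pkt.dport in BLOCKED_INBOUND.get(pkt.proto, set()):
            return "drop", f"ingress port policy: {pkt.proto}/{pkt.dport} is blocked"
        return "accept", "ingress: permitted"
    if direction == "egress":
        if not _in_any(src, OUR_PREFIXES):
            return "drop", "egress anti-spoof: source is not in our address space"
        return "accept", "egress: permitted"
    raise ValueError(f"unknown direction {direction!r}")


def run_samples():
    """Constructed cases; returns [(label, verdict)] for inspection."""
    cases = [
        ("web client from Internet", Packet("203.0.113.7", "198.51.100.40", "tcp", 443), "ingress"),
        ("spoofed internal source from outside", Packet("198.51.100.5", "198.51.100.40", "tcp", 22), "ingress"),
        ("RFC 1918 source from outside", Packet("10.1.2.3", "198.51.100.40", "udp", 53), "ingress"),
        ("SMB from Internet", Packet("203.0.113.7", "198.51.100.40", "tcp", 445), "ingress"),
        ("Telnet from Internet", Packet("203.0.113.7", "198.51.100.40", "tcp", 23), "ingress"),
        ("inside host browsing out", Packet("198.51.100.20", "203.0.113.7", "tcp", 80), "egress"),
        ("inside host spoofing outward", Packet("192.0.2.200", "203.0.113.7", "tcp", 80), "egress"),
    ]
    return [(label, filter_packet(pkt, d)[0]) for label, pkt, d in cases]


if __name__ == "__main__":
    for label, verdict in run_samples():
        print(f"{verdict:6s} {label}")
```

The order of the checks matters: anti-spoofing rules run before the port policy, so a packet that fails the source test is dropped regardless of its destination port, and the reason string tells the operator which rule fired, which is what a firewall log needs for the "recognizing attack signatures" work later in the chapter.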

Page 28: (figure slide; no text extracted)

Page 29: Recognizing Attack Signatures

• Most attacks have an attack signature
  – By which they may be recognized or identified
  – Signatures may be used to
    • Implement IDS devices
    • Can be configured as network analyzer filters as well
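Slide 13 describes the PING sweep and port probe, slide 18 the SYN flood, and slide 29 says such attacks have signatures an IDS can match. The block below is an added example for this transcript, not code from the textbook or slides: it encodes those three signatures as sliding-window detectors over a list of packet records and runs them on constructed traffic. The record layout, the thresholds (5 hosts, 10 ports, 100 SYNs per window) and the sample addresses are assumptions; a real IDS would read them from a capture and tune the thresholds to the site.

```python
"""Signature-style detectors for reconnaissance and SYN-flood traffic.

Added example: constructed packet records stand in for a capture; the
thresholds and sample addresses are assumptions, not values from the slides.
"""
from collections import Counter, defaultdict, namedtuple

# One record per packet: timestamp (s), source, destination, protocol,
# destination port (None for ICMP) and a flag string ("S" for a TCP SYN,
# "echo-request" for an ICMP echo request, "" otherwise).
Packet = namedtuple("Packet", "ts src dst proto dport flags")


def _windowed_distinct(events, window, threshold):
    """For each key, find the largest number of distinct values observed
    within any span of `window` seconds. Return {key: count} for keys that
    reach `threshold`. `events` is an iterable of (ts, key, value)."""
    by_key = defaultdict(list)
    for ts, key, value in events:
        by_key[key].append((ts, value))
    hits = {}
    for key, items in by_key.items():
        items.sort(key=lambda item: item[0])   # sliding window needs time order
        in_window = Counter()
        left, best = 0, 0
        for ts, value in items:
            in_window[value] += 1
            while items[left][0] < ts - window:   # expire entries older than window
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            hits[key] = best
    return hits


def detect_ping_sweep(packets, window=10.0, min_hosts=5):
    """Signature: one source sends ICMP echo requests to many distinct hosts."""
    events = [(p.ts, p.src, p.dst) for p in packets
              if p.proto == "icmp" and p.flags == "echo-request"]
    return _windowed_distinct(events, window, min_hosts)


def detect_port_probe(packets, window=10.0, min_ports=10):
    """Signature: one source hits many distinct ports on one host (TCP SYN or UDP)."""
    events = [(p.ts, (p.src, p.dst), (p.proto, p.dport)) for p in packets
              if (p.proto == "tcp" and p.flags == "S") or p.proto == "udp"]
    return _windowed_distinct(events, window, min_ports)


def detect_syn_flood(packets, window=1.0, min_syns=100):
    """Signature: many TCP SYNs to one service in a short time. Each SYN gets
    its own value (its index) so the distinct count is simply the SYN count."""
    events = [(p.ts, (p.dst, p.dport), i) for i, p in enumerate(packets)
              if p.proto == "tcp" and p.flags == "S"]
    return _windowed_distinct(events, window, min_syns)


def signature_report(packets):
    """Run every detector and return one alert line per hit."""
    alerts = []
    for src, n in detect_ping_sweep(packets).items():
        alerts.append(f"PING SWEEP from {src}: {n} hosts probed")
    for (src, dst), n in detect_port_probe(packets).items():
        alerts.append(f"PORT PROBE from {src} against {dst}: {n} ports")
    for (dst, port), n in detect_syn_flood(packets).items():
        alerts.append(f"SYN FLOOD against {dst}:{port}: {n} SYNs")
    return alerts


def build_sample():
    """Constructed traffic: benign background plus the three patterns."""
    pkts = []
    # Benign: an inside host pings the gateway twice and opens three HTTPS sessions.
    pkts += [Packet(0.5, "198.51.100.20", "198.51.100.1", "icmp", None, "echo-request"),
             Packet(1.5, "198.51.100.20", "198.51.100.1", "icmp", None, "echo-request")]
    pkts += [Packet(2.0 + i, "198.51.100.20", "198.51.100.40", "tcp", 443, "S") for i in range(3)]
    # Ping sweep: one outside host pings eight internal addresses in eight seconds.
    pkts += [Packet(10.0 + i, "203.0.113.9", f"198.51.100.{i + 1}", "icmp", None, "echo-request")
             for i in range(8)]
    # Port probe: the same host sends SYNs to twelve ports on one server in ~2 s.
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
    pkts += [Packet(20.0 + 0.2 * i, "203.0.113.9", "198.51.100.40", "tcp", port, "S")
             for i, port in enumerate(ports)]
    # SYN flood: 200 SYNs to port 80 from 50 rotating (spoofed) sources in 0.4 s.
    pkts += [Packet(40.0 + 0.002 * i, f"192.0.2.{i % 50 + 1}", "198.51.100.40", "tcp", 80, "S")
             for i in range(200)]
    return pkts


if __name__ == "__main__":
    for line in signature_report(build_sample()):
        print(line)
```

All three detectors share one sliding-window routine; what differs is only the choice of key (who is suspected) and value (what is being counted), which is how a network analyzer filter or IDS rule for each signature would be expressed. The benign background traffic in the sample stays below every threshold, which is the check a practitioner should always make before deploying a signature: it must fire on the pattern and stay quiet on normal load.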

Page 30: (figure slide; no text extracted)

Page 31: (figure slide; no text extracted)

Page 32: Using IP Security

• RFC 2401 says the goals of IPSec are to provide the following kinds of security
  – Access control
  – Connectionless integrity
  – Data origin authentication
  – Protection against replays
  – Confidentiality
  – Limited traffic flow confidentiality
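Of the RFC 2401 goals listed above, "protection against replays" is the one with a concrete mechanism worth seeing: the receiver keeps a sliding window over recent sequence numbers and rejects anything already seen or older than the window (the scheme in RFC 2401, Appendix C). The class below is an added example written for this transcript, not code from the slides or from any IPsec implementation; the 64-entry window is the RFC's default, and the arrival sequence in demo() is constructed to exercise in-order, reordered, replayed, far-ahead and too-old packets.

```python
"""IPsec-style anti-replay sliding window (the scheme described in RFC 2401,
Appendix C). Added example, not code from the slides; the 64-entry default
window follows the RFC, and the sequence numbers in demo() are constructed."""


class AntiReplayWindow:
    """Tracks which of the most recent `size` sequence numbers have been seen.

    `top` is the highest sequence number accepted so far; bit k of `bitmap`
    records whether sequence number (top - k) has been received."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 2401 requires a window of at least 32")
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """Return True if `seq` is acceptable: non-zero, not older than the
        window, and not already received. Does not change state, so it can
        run before the packet's integrity check."""
        if seq == 0:                      # ESP/AH never use sequence number 0
            return False
        if seq > self.top:                # newer than anything seen: fine
            return True
        offset = self.top - seq
        if offset >= self.size:           # fell off the left edge: too old
            return False
        return not (self.bitmap >> offset) & 1   # replay if bit already set

    def update(self, seq):
        """Record `seq` after its integrity check passed."""
        if seq > self.top:
            shift = seq - self.top
            # Slide the window right; skipped numbers get zero bits (unseen).
            self.bitmap = ((self.bitmap << shift) & self.mask) | 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq):
        """Combined check-then-update; returns whether the packet is accepted."""
        if not self.check(seq):
            return False
        self.update(seq)
        return True


def demo(size=64):
    """Constructed arrival order mixing in-order, reordered, replayed,
    far-ahead and too-old packets. Returns [(seq, accepted)]."""
    w = AntiReplayWindow(size)
    arrivals = [1, 1, 5, 3, 3, 200, 136, 137, 0]
    return [(seq, w.receive(seq)) for seq in arrivals]


if __name__ == "__main__":
    for seq, ok in demo():
        print(f"seq {seq:4d}: {'accept' if ok else 'reject'}")
```

The split between check() and update() mirrors the RFC's ordering: the window must only be advanced after the packet's integrity check has passed, otherwise a forged packet with a large sequence number could slide the window forward and cause legitimate in-flight packets to be rejected as too old.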

Page 33: Protecting the Perimeter of the Network

• Important devices and services used to protect the perimeter of networks
  – Bastion host
  – Boundary (or border) router
  – Demilitarized zone (DMZ)
  – Firewall
  – Network address translation
  – Proxy server

Page 34: Understanding the Basics of Firewalls

• Firewall
  – Barrier that controls traffic flow and access between networks
  – Designed to inspect incoming traffic and block or filter traffic based on a variety of criteria
  – Normally astride the boundary between a public network and private networks inside an organization

Page 35: Useful Firewall Specifics

• Firewalls usually incorporate four major elements:
  – Screening router functions
  – Proxy service functions
  – “Stateful inspection” of packet sequences and services
  – Virtual Private Network services

Page 36: Commercial Firewall Features

• Address translation/privacy services
• Specific filtering mechanisms
• Alarms and alerts
• Logs and reports
• Transparency
• Intrusion detection systems (IDSs)
• Management controls

Page 37: Understanding the Basics of Proxy Servers

• Proxy servers
  – Can perform “reverse proxying” to
    • Expose a service inside a network to outside users, as if it resides on the proxy server itself
• Caching
  – An important proxy behavior
• Cache
  – Potentially valuable location for a system attack

Page 38: Planning and Implementing, Step by Step

• Useful steps when planning and implementing firewalls and proxy servers
  – Plan
  – Establish requirements
  – Install
  – Configure
  – Test
  – Attack
  – Tune
  – Implement
  – Monitor and maintain

Page 39: Understanding the Test-Attack-Tune Cycle

• Attack tools
  – McAfee CyberCop ASaP
  – GNU NetTools
  – A port mapper such as AnalogX PortMapper
  – Internet Security Systems’ various security scanners

Page 40: Understanding the Role of IDS and IPS in IP Security

• Intrusion detection systems
  – Make it easier to automate recognizing and responding to potential attacks
• Increasingly, firewalls include
  – Hooks to allow them to interact with IDSs, or include their own built-in IDS capabilities
• IDSs make access control decisions on the basis of application content

Page 41: Updating Anti-Virus Engines and Virus Lists

• Because of the frequency of introduction of new viruses, worms, and Trojans
  – Essential to update anti-virus engine software and virus definitions on a regular basis
• Anti-virus protection
  – Key ingredient in any security policy

Page 42: (figure slide; no text extracted)

Page 43: The Security Update Process

• Evaluate the vulnerability
• Retrieve the update
• Test the update
• Deploy the update

Page 44: Understanding Security Policies and Recovery Plans

• Security policy
  – Document that reflects an organization’s understanding of
    • What information assets and other resources need protection
    • How they are to be protected
    • How they must be maintained under normal operating circumstances

Page 45: Understanding Security Policies and Recovery Plans (continued)

• RFC 2196 lists the following documents as components of a good security policy
  – An access policy document
  – An accountability policy document
  – A privacy policy document
  – A violations reporting policy document
  – An authentication policy document
  – An information technology system and network maintenance policy document

Page 46: Windows XP and Windows Server 2003: Another Generation of Network Security

• Features that should help maintain tighter security
  – Kerberos version 5
  – Public Key Infrastructure (PKI)
  – Directory Service Account Management
  – CryptoAPI
  – Encrypting File System (EFS)
  – Secure Channel Security protocols (SSL 3.0/PCT)

Page 47: Honeypots and Honeynets

• Honeypot
  – Computer system deliberately set up to entice and trap attackers
• Honeynet
  – Broadens the honeypot concept from a single system to what looks like a network of such systems

Page 48: Summary

• An attack
  – An attempt to compromise the privacy and integrity of an organization’s information assets
• In its original form, TCP/IP implemented an optimistic security model
• Basic principles of IP security
  – Include avoiding unnecessary exposure by blocking all unused ports
• Necessary to protect systems and networks from malicious code
  – Such as viruses, worms, and Trojan horses

Page 49: Summary (continued)

• Would-be attackers
  – Usually engage in a well-understood sequence of activities, called reconnaissance and discovery
• Maintaining system and network security involves constant activity that must include
  – Keeping up with security news and information
• Keeping operating systems secure in the face of new vulnerabilities
  – A necessary and ongoing process

Page 50: Summary (continued)

• When establishing a secure network perimeter
  – It is essential to repeat the test-attack-tune cycle
• To create a strong foundation for system and network security, formulate policy that incorporates
  – Processes, procedures, and rules regarding physical and personnel security issues
• Windows XP and Windows Server 2003 include
  – Notable security improvements and enhancements as compared to other Windows versions