Source: 2profs.net/steve/cisntwk413/ppts/ch09.pdf

Guide to TCP/IP, Third Edition
Chapter 9: Securing TCP/IP Environments

CISNTWK-11 Performance Objectives
• Understand basic concepts and principles for maintaining computer and network security
• Understand the anatomy of an IP attack
• Recognize common points of attack inherent in TCP/IP architecture
• Maintain IP security
Securing TCP/IP Environments 2

Objectives (continued)
• Understand security policies and recovery plans
• Understand new and improved security features in Windows XP Professional and Windows Server 2003
• Discuss the importance of honeypots and honeynets for network security

Understand Computer and Network Security
• Protecting a system or network means
  – Closing the door against outside attack
  – Protecting your systems, data, and applications from any sources of damage or harm
• The 2005 Computer Crime Survey
  – Virus and worm infections were among the top problems leading to financial loss

Principles of IP Security
• Physical security
  – Synonymous with “controlling physical access”
  – Should be carefully monitored
• Personnel security
  – Important to formulate a security policy for your organization
• System and network security includes
  – Analyzing the current software environment
  – Identifying and eliminating potential points of exposure

Understanding Typical IP Attacks, Exploits, and Break-Ins
• Basic fundamental protocols
  – Offer no built-in security controls
• Successful attacks against TCP/IP networks and services rely on two powerful weapons
  – Profiling or footprinting tools
  – A working knowledge of known weaknesses or implementation problems

Key Terminology in Network and Computer Security
• An attack
  – Some kind of attempt to obtain access to information
• An exploit
  – Documents a vulnerability
• A break-in
  – Successful attempt to compromise a system’s security

Key Weaknesses in TCP/IP
• Ways in which TCP/IP can be attacked
  – Bad guys can
    • Attempt to impersonate valid users
    • Attempt to take over existing communications sessions
    • Attempt to snoop inside traffic moving across the Internet
    • Utilize a technique known as IP spoofing

Common Types of IP-Related Attacks
• DoS attacks
• Man-in-the-middle (MITM) attacks
• IP service attacks
• IP service implementation vulnerabilities
• Insecure IP protocols and services

What IP Services Are Most Vulnerable?
• Remote logon service
  – Includes Telnet remote terminal emulation service, as well as the Berkeley remote utilities
• Remote control programs
  – Can pose security threats
• Services that permit anonymous access
  – Makes anonymous Web and FTP conspicuous targets

Holes, Back Doors, and Other Illicit Points of Entry
• Hole
  – Weak spot or known place of attack on any common operating system, application, or service
• Back door
  – Undocumented and illicit point of entry into an operating system or application
• Vulnerability
  – Weakness that can be accidentally triggered or intentionally exploited

The Anatomy of IP Attacks
• IP attacks typically follow a set pattern
  – Reconnaissance or discovery process
  – Attacker focuses on the attack itself
  – Stealthy attacker may cover its tracks by deleting log files, or terminating any active direct connections

Reconnaissance and Discovery Processes
• PING sweep
  – Can identify active hosts on an IP network
• Port probe
  – Detect UDP- and TCP-based services running on a host
• Purpose of reconnaissance
  – To find out what you have and what is vulnerable
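
The slide describes the two reconnaissance steps from the attacker's side; the defender's counterpart is noticing them in the border device's logs. The script below is an added example, not code from the textbook. It assumes a hypothetical one-packet-per-line log format (ISO time, protocol, source, destination with optional port, and a short info field) and uses constructed sample lines: a ping sweep is one source sending ICMP echo requests to many distinct hosts within a short window, and a port probe is one source touching many distinct ports on a single host. The thresholds and window are illustrative.

```python
"""Spot ping sweeps and port probes in firewall log lines.

Added example, not part of the textbook slides. It assumes a hypothetical
one-packet-per-line log format:
    <ISO 8601 time> <ICMP|TCP|UDP> <src> -> <dst>[:<port>] <info>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sweeps 12 hosts, then probes 12 ports on
# one of them; a second source sends two ordinary packets.
SAMPLE_LOG = [
    f"2005-08-11T10:00:{i:02d} ICMP 203.0.113.7 -> 192.168.1.{i} echo-request"
    for i in range(1, 13)
] + [
    f"2005-08-11T10:01:{i:02d} TCP 203.0.113.7 -> 192.168.1.10:{port} SYN"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445])
] + [
    "2005-08-11T10:02:00 TCP 198.51.100.4 -> 192.168.1.10:80 SYN",
    "2005-08-11T10:02:01 ICMP 198.51.100.4 -> 192.168.1.1 echo-request",
]


def parse_line(line):
    """Turn one log line into a dict, or return None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, proto, src, _, dst, info = parts
    host, _, port = dst.partition(":")
    return {"ts": datetime.fromisoformat(ts), "proto": proto, "src": src,
            "dst": host, "port": int(port) if port else None, "info": info}


def detect_reconnaissance(lines, window=timedelta(minutes=5),
                          sweep_hosts=8, probe_ports=6):
    """Return one finding per (type, source) that trips a threshold in any window.

    ping_sweep: a source sends ICMP echo requests to >= sweep_hosts distinct hosts
    port_probe: a source touches >= probe_ports distinct TCP/UDP ports on one host
    Thresholds and window are illustrative; tune them to the network being watched.
    """
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            echo_hosts, ports_by_host = set(), defaultdict(set)
            for event in events[i:]:  # everything within `window` of this start
                if event["ts"] - start["ts"] > window:
                    break
                if event["proto"] == "ICMP" and event["info"] == "echo-request":
                    echo_hosts.add(event["dst"])
                elif event["port"] is not None:
                    ports_by_host[event["dst"]].add(event["port"])
            if len(echo_hosts) >= sweep_hosts:
                findings.setdefault(("ping_sweep", src), {
                    "type": "ping_sweep", "src": src, "hosts": len(echo_hosts)})
            for host, ports in ports_by_host.items():
                if len(ports) >= probe_ports:
                    findings.setdefault(("port_probe", src), {
                        "type": "port_probe", "src": src, "target": host,
                        "ports": len(ports)})
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_reconnaissance(SAMPLE_LOG):
        print(finding)
```

Run as a script it prints one ping-sweep finding and one port-probe finding for the constructed source, and nothing for the second source, whose single echo request and single connection stay under both thresholds. A real deployment would feed it the border router's or firewall's actual log lines and would lower the thresholds for internal segments where a sweep of even a few hosts is unusual.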

Reconnaissance and Discovery Processes (continued)
• The attack
  – May encompass a brute force attack process that overwhelms a victim
• Computer forensics
  – May be necessary to identify traces from an attacker winding his or her way through a system

Common IP Points of Attack
• Virus
  – Any self-replicating program that works for its own purposes
  – Classes
    • File infectors
    • System or boot-record infectors
    • Macro viruses

Worms
• A kind of virus that eschews most activity except as it relates to self-replication
• MSBlaster worm
  – Unleashed in August 2003
  – Exploited the RPC DCOM buffer overflow vulnerability in Microsoft Windows
• Hex reader
  – Look inside suspect files without launching them

Trojan Horse Programs
• Masquerade as innocuous or built-to-purpose programs
• Conceal abilities that permit others to take over and operate unprotected systems remotely
• Must be installed on a computer system to run
• Back Orifice
  – Example of a Trojan horse program

Denial of Service Attacks
• Designed to interrupt or completely disrupt operations of a network device or communications
• SYN Flood attack
  – Uses the three-way TCP handshake process to overload a device on a network
• Broadcast amplification attack
  – Malicious host crafts and sends ICMP Echo Requests to a broadcast address
• Windows 2000 UPnP DoS attack
  – Specially crafted request packet is sent that causes services.exe to exhaust all virtual memory resources
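
What makes the first two attacks on this slide recognisable on the wire is their shape: a SYN flood leaves a pile of handshakes that never complete, and a broadcast amplification attack sends echo requests to a network's broadcast address. The following added example (not code from the textbook) walks a constructed, simplified packet stream and reports both patterns. It assumes packets are given as (protocol, source, destination, kind) tuples, that the site's protected prefix is the placeholder 192.168.1.0/24, and that 100 outstanding half-open connections on one host is the alert threshold; all three are assumptions chosen for the demonstration.

```python
"""Flag SYN floods (half-open connection build-up) and ICMP echo requests aimed
at a broadcast address.

Added example, not from the textbook. Packet records are a hypothetical
simplified form: (proto, src, dst, kind), where kind is a TCP flag set such as
"SYN", "SYN-ACK", "ACK" or an ICMP type such as "echo-request".
"""
import ipaddress
from collections import Counter

# Assumption: the networks we defend; their broadcast addresses are never valid
# destinations for echo requests arriving from outside.
PROTECTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def is_protected_broadcast(addr):
    """True if addr is the directed-broadcast address of a protected network."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in PROTECTED_NETS)


def analyze_packets(packets, half_open_threshold=100):
    """Walk packets in order and return a list of findings.

    A client SYN opens a half-open entry for (src, dst); the client's final ACK
    closes it. Hosts that accumulate >= half_open_threshold half-open entries
    are reported as SYN-flood targets. Any echo request to a protected
    broadcast address is reported immediately.
    """
    half_open = set()
    findings = []
    for proto, src, dst, kind in packets:
        if proto == "TCP":
            if kind == "SYN":
                half_open.add((src, dst))
            elif kind == "ACK":
                half_open.discard((src, dst))
        elif proto == "ICMP" and kind == "echo-request" and is_protected_broadcast(dst):
            findings.append({"type": "broadcast_amplification", "src": src, "dst": dst})

    per_target = Counter(dst for _, dst in half_open)
    for target, count in per_target.items():
        if count >= half_open_threshold:
            findings.append({"type": "syn_flood", "target": target, "half_open": count})
    return findings


def constructed_sample():
    """Constructed traffic: one completed handshake, 150 unanswered SYNs from
    150 different source addresses, and one echo request to a broadcast address."""
    handshake = [("TCP", "198.51.100.4", "192.168.1.10", "SYN"),
                 ("TCP", "192.168.1.10", "198.51.100.4", "SYN-ACK"),
                 ("TCP", "198.51.100.4", "192.168.1.10", "ACK")]
    flood = [("TCP", f"203.0.113.{k + 1}", "192.168.1.10", "SYN") for k in range(150)]
    amplification = [("ICMP", "203.0.113.9", "192.168.1.255", "echo-request")]
    return handshake + flood + amplification


if __name__ == "__main__":
    for finding in analyze_packets(constructed_sample()):
        print(finding)
```

The completed handshake is removed from the half-open set by the client's ACK, so only the 150 unanswered SYNs count against the target. On a real network the half-open table would also need an age-out timer, since legitimate clients on slow links complete their handshakes late rather than never.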

Distributed Denial of Service Attacks
• DoS attacks launched from numerous devices
• DDoS attacks consist of four main elements
  – Attacker
  – Handler
  – Agent
  – Victim

Buffer Overflows/Overruns
• Exploit a weakness in many programs that expect to receive a fixed amount of input
• Adware
  – Opens door for a compromised machine to display unsolicited and unwanted advertising
• Spyware
  – Unsolicited and unwanted software that
    • Takes up stealthy unauthorized and uninvited residence on a computer

Spoofing
• Borrowing identity information to hide or deflect interest in attack activities
• Ingress filtering
  – Applying restrictions to traffic entering a network
• Egress filtering
  – Applying restrictions to traffic leaving a network
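
Ingress and egress filtering are the standard border-router defences against IP spoofing: a packet arriving from outside must not carry one of the site's own source addresses, and a packet leaving must carry nothing else. The decision function below is an added example, not code from the textbook or from any router vendor. It assumes a placeholder site prefix of 192.168.1.0/24, a packet direction of "in" or "out" as seen by the border device, and the common practice of also dropping inbound sources from private and loopback ranges, which is a policy choice added here rather than something the slide states.

```python
"""Ingress and egress filtering at a border router, expressed as a decision
function over packet source addresses.

Added example, not from the textbook. Assumptions: the site owns
192.168.1.0/24 (a placeholder prefix); the border device sees each packet with
a direction of "in" (from the outside) or "out" (towards the outside).
"""
import ipaddress

# Assumption: the address space assigned to the site.
SITE_PREFIX = ipaddress.ip_network("192.168.1.0/24")

# Source ranges that should never appear on packets arriving from the Internet:
# private (RFC 1918), loopback and "this network" space.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def filter_decision(direction, src):
    """Return ("ALLOW"|"DROP", reason) for a packet with source address src."""
    ip = ipaddress.ip_address(src)
    if direction == "in":
        # Ingress filtering: an outside packet must not claim one of our addresses ...
        if ip in SITE_PREFIX:
            return ("DROP", "ingress: source is one of our own addresses (spoofed)")
        # ... nor a source that cannot legitimately be routed to us.
        if any(ip in net for net in NON_ROUTABLE):
            return ("DROP", "ingress: source in non-routable range")
        return ("ALLOW", "ingress: source plausible")
    if direction == "out":
        # Egress filtering: only packets carrying our own addresses may leave,
        # so a compromised inside host cannot forge someone else's address.
        if ip not in SITE_PREFIX:
            return ("DROP", "egress: source is not one of our addresses")
        return ("ALLOW", "egress: source is ours")
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(packets):
    """Apply filter_decision to (direction, src, dst) tuples and return the dropped
    ones with their reasons, which is what an operator would want logged."""
    dropped = []
    for direction, src, dst in packets:
        verdict, reason = filter_decision(direction, src)
        if verdict == "DROP":
            dropped.append((direction, src, dst, reason))
    return dropped


# Constructed sample traffic as seen at the border.
SAMPLE_PACKETS = [
    ("in", "203.0.113.7", "192.168.1.10"),    # ordinary inbound packet
    ("in", "192.168.1.5", "192.168.1.10"),    # inbound but claims to be inside
    ("in", "10.1.2.3", "192.168.1.10"),       # inbound from private space
    ("out", "192.168.1.5", "203.0.113.7"),    # ordinary outbound packet
    ("out", "198.51.100.9", "203.0.113.7"),   # outbound with a forged source
]

if __name__ == "__main__":
    for entry in apply_filter(SAMPLE_PACKETS):
        print(entry)
```

Three of the five constructed packets are dropped: the two inbound packets with impossible sources and the outbound packet whose source is not the site's. Logging the egress drops is the more valuable half for the defender, because an outbound packet with a forged source usually means a host inside has already been compromised.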

TCP Session Hijacking
• Purpose of an attack
  – To masquerade as an authorized user to gain access to a system
• Once a session is hijacked
  – The attacker can send packets to the server to execute commands, change passwords, or worse

Network Sniffing
• One method of passive network attack
  – Based on network “sniffing,” or eavesdropping using a protocol analyzer or other sniffing software
• Network analyzers available to eavesdrop on networks include
  – tcpdump (UNIX)
  – EtherPeek (Windows)
  – Network Monitor (Windows)
  – AiroPeek Wireless (Windows)
  – Ethereal for Windows

Maintaining IP Security
• Microsoft security bulletins
  – May be accessed or searched through the Security Bulletins section at: www.microsoft.com/security/default.mspx
• Essential to know about security patches and fixes and to install them
• Knowing which ports to block
  – Many exploits and attacks are based on common vulnerabilities

Recognizing Attack Signatures
• Most attacks have an attack signature
  – By which they may be recognized or identified
  – Signatures may be used to implement IDS devices
  – Can be configured as network analyzer filters as well

Using IP Security
• RFC 2401 says the goals of IPSec are to provide the following kinds of security
  – Access control
  – Connectionless integrity
  – Data origin authentication
  – Protection against replays
  – Confidentiality
  – Limited traffic flow confidentiality
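
Of the goals listed, "protection against replays" is the one with a small, self-contained mechanism behind it: RFC 2401 describes a sliding window over packet sequence numbers, so that a receiver can reject packets it has already seen as well as packets too old to fall inside the window, while still accepting genuine packets that arrive slightly out of order. The class below is an added example in the spirit of that description; it is not code from the textbook or from any IPsec implementation. It assumes, as the RFC does, that sequence numbers start at 1 and increase monotonically, and that they are covered by the packet's integrity check (the "connectionless integrity" goal above), since an unauthenticated sequence number could simply be rewritten.

```python
"""Sliding-window anti-replay check in the style RFC 2401 describes for IPsec.

Added example, not code from the textbook or from any IPsec implementation.
It assumes what the RFC assumes: each packet carries a monotonically
increasing sequence number starting at 1, and the number is covered by the
packet's integrity check so an attacker cannot simply rewrite it.
"""


class ReplayWindow:
    """Track the highest sequence number seen plus a bitmap of the `size`
    most recent numbers; bit 0 of the bitmap is the highest number itself."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit d set <=> sequence number (top - d) was seen
        self.mask = (1 << size) - 1

    def accept(self, seq):
        """Return True and record seq if it is new and inside the window,
        otherwise False (replayed, too old, or the invalid value 0)."""
        if seq == 0:
            return False
        if seq > self.top:
            # Advance the window; older bits fall off the far edge.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        distance = self.top - seq
        if distance >= self.size:
            return False                   # older than the window: reject
        if self.bitmap & (1 << distance):
            return False                   # already seen: replay
        self.bitmap |= 1 << distance       # late but genuine: record it
        return True


def replay_demo():
    """Run a constructed packet sequence through the window and return the
    verdict for each number, in order."""
    window = ReplayWindow(size=64)
    sequence = [1, 5, 5, 3, 3, 100, 36, 37, 100, 0]
    return [(seq, window.accept(seq)) for seq in sequence]


if __name__ == "__main__":
    for seq, ok in replay_demo():
        print(f"seq {seq:>3}: {'accepted' if ok else 'rejected'}")
```

In the constructed sequence, 3 arrives after 5 and is accepted because it is inside the window and unseen, the repeated 5, 3 and 100 are rejected as replays, and 36 is rejected after 100 advances the window because it is exactly 64 behind the top and has fallen off the far edge, while 37 still fits. Note that the window only decides freshness; a packet must still pass the integrity check before its sequence number is trusted at all.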

Protecting the Perimeter of the Network
• Important devices and services used to protect the perimeter of networks
  – Bastion host
  – Boundary (or border) router
  – Demilitarized zone (DMZ)
  – Firewall
  – Network address translation
  – Proxy server

Understanding the Basics of Firewalls
• Firewall
  – Barrier that controls traffic flow and access between networks
  – Designed to inspect incoming traffic and block or filter traffic based on a variety of criteria
  – Normally astride the boundary between a public network and private networks inside an organization

Useful Firewall Specifics
• Firewalls usually incorporate four major elements:
  – Screening router functions
  – Proxy service functions
  – “Stateful inspection” of packet sequences and services
  – Virtual Private Network services

Commercial Firewall Features
• Address translation/privacy services
• Specific filtering mechanisms
• Alarms and alerts
• Logs and reports
• Transparency
• Intrusion detection systems (IDSs)
• Management controls

Understanding the Basics of Proxy Servers
• Proxy servers
  – Can perform “reverse proxying” to
    • Expose a service inside a network to outside users, as if it resides on the proxy server itself
• Caching
  – An important proxy behavior
• Cache
  – Potentially valuable location for a system attack

Planning and Implementing, Step by Step
• Useful steps when planning and implementing firewalls and proxy servers
  – Plan
  – Establish requirements
  – Install
  – Configure
  – Test
  – Attack
  – Tune
  – Implement
  – Monitor and maintain

Understanding the Test-Attack-Tune Cycle
• Attack tools
  – McAfee CyberCop ASaP
  – GNU NetTools
  – A port mapper such as AnalogX PortMapper
  – Internet Security Systems various security scanners

Understanding the Role of IDS and IPS in IP Security
• Intrusion detection systems
  – Make it easier to automate recognizing and responding to potential attacks
• Increasingly, firewalls include
  – Hooks to allow them to interact with IDSs, or include their own built-in IDS capabilities
• IDSs make access control decisions on the basis of application content

Updating Anti-Virus Engines and Virus Lists
• Because of the frequency of introduction of new viruses, worms, and Trojans
  – Essential to update anti-virus engine software and virus definitions on a regular basis
• Anti-virus protection
  – Key ingredient in any security policy

The Security Update Process
• Evaluate the vulnerability
• Retrieve the update
• Test the update
• Deploy the update

Understanding Security Policies and Recovery Plans
• Security policy
  – Document that reflects an organization’s understanding of
    • What information assets and other resources need protection
    • How they are to be protected
    • How they must be maintained under normal operating circumstances

Understanding Security Policies and Recovery Plans (continued)
• RFC 2196 lists the following documents as components of a good security policy
  – An access policy document
  – An accountability policy document
  – A privacy policy document
  – A violations reporting policy document
  – An authentication policy document
  – An information technology system and network maintenance policy document

Windows XP and Windows Server 2003: Another Generation of Network Security
• Features that should help maintain tighter security
  – Kerberos version 5
  – Public Key Infrastructure (PKI)
  – Directory Service Account Management
  – CryptoAPI
  – Encrypting File System (EFS)
  – Secure Channel Security protocols (SSL 3.0/PCT)

Honeypots and Honeynets
• Honeypot
  – Computer system deliberately set up to entice and trap attackers
• Honeynet
  – Broadens honeypot concept from a single system to what looks like a network of such systems

Summary
• An attack
  – An attempt to compromise the privacy and integrity of an organization’s information assets
• In its original form, TCP/IP implemented an optimistic security model
• Basic principles of IP security
  – Include avoiding unnecessary exposure by blocking all unused ports
• Necessary to protect systems and networks from malicious code
  – Such as viruses, worms, and Trojan horses

Summary (continued)
• Would-be attackers
  – Usually engage in a well-understood sequence of activities, called reconnaissance and discovery
• Maintaining system and network security involves constant activity that must include
  – Keeping up with security news and information
• Keeping operating systems secure in the face of new vulnerabilities
  – A necessary and ongoing process

Summary (continued)
• When establishing a secure network perimeter
  – It is essential to repeat the test-attack-tune cycle
• To create a strong foundation for system and network security, formulate policy that incorporates
  – Processes, procedures, and rules regarding physical and personnel security issues
• Windows XP and Windows Server 2003 include
  – Notable security improvements and enhancements as compared to other Windows versions