Guide to TCP/IP, Third Edition Chapter 9: Securing TCP/IP Environments

Upload: abner-gardner

Post on 12-Jan-2016


Page 1: Guide to TCP/IP, Third Edition Chapter 9: Securing TCP/IP Environments

Guide to TCP/IP, Third Edition

Chapter 9: Securing TCP/IP Environments

Page 2

Objectives

• Understand basic concepts and principles for maintaining computer and network security

• Understand the anatomy of an IP attack

• Recognize common points of attack inherent in the TCP/IP architecture

• Understand how to maintain IP security

Page 3

Objectives (continued)

• Understand security policies and recovery plans

• Understand new and improved security features in Windows XP Professional and Windows Server 2003

• Discuss the importance of honeypots and honeynets for network security

Page 4

Understand Computer and Network Security

• Protecting a system or network means
  – Closing the door against outside attack
  – Protecting your systems, data, and applications from any source of damage or harm

• The 2005 Computer Crime Survey
  – Virus and worm infections were among the top problems leading to financial loss

Page 5

Principles of IP Security

• Physical security
  – Synonymous with “controlling physical access”
  – Should be carefully monitored

• Personnel security
  – Important to formulate a security policy for your organization

• System and network security includes
  – Analyzing the current software environment
  – Identifying and eliminating potential points of exposure

Page 6

Understanding Typical IP Attacks, Exploits, and Break-Ins

• The basic TCP/IP protocols offer no built-in security controls

• Successful attacks against TCP/IP networks and services rely on two powerful weapons
  – Profiling or footprinting tools
  – A working knowledge of known weaknesses or implementation problems

Page 7

Key Terminology in Network and Computer Security

• An attack
  – An attempt to gain unauthorized access to a system or to the information it holds

• An exploit
  – A documented technique, or working code, that takes advantage of a specific vulnerability

• A break-in
  – A successful attempt to compromise a system’s security

Page 8

Key Weaknesses in TCP/IP

• Ways in which TCP/IP can be attacked: attackers can
  – Attempt to impersonate valid users
  – Attempt to take over existing communications sessions (session hijacking)
  – Attempt to snoop on traffic moving across the Internet
  – Use a technique known as IP spoofing, forging the source address of the packets they send

Page 9

Common Types of IP-Related Attacks

• DoS attacks

• Man-in-the-middle (MITM) attacks

• IP service attacks

• IP service implementation vulnerabilities

• Insecure IP protocols and services

Page 10

What IP Services Are Most Vulnerable?

• Remote logon services
  – Include the Telnet remote terminal emulation service, as well as the Berkeley remote utilities (rlogin, rsh, rcp)
  – Both carry credentials and session data in cleartext, and the Berkeley utilities grant access on the basis of the client’s host name or IP address, which is easily forged

• Remote control programs
  – Can pose security threats

• Services that permit anonymous access
  – Make anonymous Web and FTP servers conspicuous targets

Page 11

Holes, Back Doors, and Other Illicit Points of Entry

• Hole
  – Weak spot or known place of attack on any common operating system, application, or service

• Back door
  – Undocumented and illicit point of entry into an operating system or application

• Vulnerability
  – Weakness that can be accidentally triggered or intentionally exploited

Page 12

The Anatomy of IP Attacks

• IP attacks typically follow a set pattern
  – Reconnaissance or discovery process
  – The attacker then focuses on the attack itself
  – A stealthy attacker may cover their tracks by deleting log files or terminating any active direct connections

Page 13

Reconnaissance and Discovery Processes

• PING sweep
  – Can identify active hosts on an IP network by sending an ICMP Echo Request to each address in a range and noting which ones reply

• Port probe
  – Detects UDP- and TCP-based services running on a host by attempting to reach each port of interest

• Purpose of reconnaissance
  – To find out what you have and what is vulnerable

Page 14

Reconnaissance and Discovery Processes (continued)

• The attack
  – May encompass a brute force attack process that overwhelms a victim

• Computer forensics
  – May be necessary to identify traces left by an attacker winding his or her way through a system

Page 15

Common IP Points of Attack

• Virus
  – Any self-replicating program that works for its own purposes
  – Classes
    • File infectors
    • System or boot-record infectors
    • Macro viruses

Page 16

Worms

• A kind of virus that eschews most activity except as it relates to self-replication

• MSBlaster worm
  – Unleashed in August 2003
  – Exploited the RPC DCOM buffer overflow vulnerability in Microsoft Windows

• Hex reader
  – Lets you look inside suspect files without launching them

Page 17

Trojan Horse Programs

• Masquerade as innocuous or built-to-purpose programs

• Conceal abilities that permit others to take over and operate unprotected systems remotely

• Must be installed on a computer system to run

• Back Orifice
  – Example of a Trojan horse program

Page 18

Denial of Service Attacks

• Designed to interrupt or completely disrupt the operation of a network device or of communications

• SYN flood attack
  – Abuses the TCP three-way handshake: the attacker sends a stream of SYN segments (usually with forged source addresses) and never completes the handshake, so the target’s table of half-open connections fills up and legitimate connection attempts are refused

• Broadcast amplification attack
  – Malicious host crafts and sends ICMP Echo Requests to a broadcast address with the victim’s address forged as the source, so every host on that segment replies to the victim

• Windows 2000 UPnP DoS attack
  – Specially crafted request packet is sent that causes services.exe to exhaust all virtual memory resources

Page 19

Distributed Denial of Service Attacks

• DoS attacks launched from numerous devices at once

• DDoS attacks consist of four main elements
  – Attacker
  – Handler
  – Agent
  – Victim

Page 21

Buffer Overflows/Overruns

• Exploit a weakness in programs that expect to receive a fixed amount of input but never check the length of what actually arrives, so excess input overwrites adjacent memory

• Adware
  – Opens the door for a compromised machine to display unsolicited and unwanted advertising

• Spyware
  – Unsolicited and unwanted software that takes up stealthy, unauthorized, and uninvited residence on a computer

Page 22

Spoofing

• Borrowing identity information (for example, a forged IP source address) to hide or deflect interest in attack activities

• Ingress filtering
  – Applying restrictions to traffic entering a network; for example, dropping packets that arrive from outside but claim an internal source address

• Egress filtering
  – Applying restrictions to traffic leaving a network; for example, dropping packets whose source address does not belong to the network they are leaving, so your hosts cannot be used to spoof someone else
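The two filtering rules described above, as an added worked example in Python (not code from the textbook). It models ingress and egress filtering as a packet-filter decision over constructed sample packets. The organisation’s prefixes (203.0.113.0/24 and 10.0.0.0/8), the interface names ext0 and int0, the bogon list and the packets themselves are assumptions chosen for illustration.

```python
"""Ingress and egress filtering (BCP 38 style) as a packet-filter decision.

Added example, not code from the textbook. The prefixes, interface names
and sample packets below are assumptions chosen for illustration.
"""
import ipaddress
from typing import NamedTuple

# Assumed topology: the organisation owns 203.0.113.0/24 and uses 10.0.0.0/8
# internally; "ext0" faces the Internet, "int0" faces the LAN.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("10.0.0.0/8")]
EXTERNAL_IF = "ext0"
INTERNAL_IF = "int0"

# Private and reserved ranges that must never arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]


class Packet(NamedTuple):
    iface: str      # interface the packet is seen on
    direction: str  # "in" (entering our network) or "out" (leaving it)
    src: str
    dst: str


def is_ours(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def filter_packet(pkt: Packet) -> str:
    """Return 'accept' or 'drop:<reason>' for one packet."""
    if pkt.direction == "in" and pkt.iface == EXTERNAL_IF:
        # Ingress: nothing arriving from the Internet may claim to be one of
        # our addresses or carry a private/reserved source address.
        if is_ours(pkt.src):
            return "drop:ingress-spoofed-internal-source"
        if is_bogon(pkt.src):
            return "drop:ingress-bogon-source"
    if pkt.direction == "out" and pkt.iface == EXTERNAL_IF:
        # Egress: nothing we send to the Internet may carry a source address
        # that is not ours; this keeps our hosts from spoofing third parties.
        if not is_ours(pkt.src):
            return "drop:egress-foreign-source"
    return "accept"


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("ext0", "in",  "198.51.100.7",  "203.0.113.10"),  # normal inbound
    Packet("ext0", "in",  "203.0.113.5",   "203.0.113.10"),  # spoofed as us
    Packet("ext0", "in",  "192.168.1.9",   "203.0.113.10"),  # private source
    Packet("ext0", "out", "203.0.113.10",  "198.51.100.7"),  # normal outbound
    Packet("ext0", "out", "198.51.100.99", "198.51.100.7"),  # we would be spoofing
    Packet("int0", "in",  "10.1.2.3",      "10.1.2.4"),      # LAN-local, untouched
]


def run_filter(packets=SAMPLE):
    """Verdict for each packet, in order."""
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run_filter()):
        print(f"{p.iface:>4} {p.direction:>3} {p.src:>14} -> {p.dst:<14} {verdict}")
```

On a Linux border router the same two checks are ordinary iptables rules on the forwarding path, for example `iptables -A FORWARD -i ext0 -s 203.0.113.0/24 -j DROP` for ingress and `iptables -A FORWARD -o ext0 ! -s 203.0.113.0/24 -j DROP` for egress; the point of the simulation is to make the decision logic explicit before it is encoded in vendor syntax.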

Page 23

TCP Session Hijacking

• Purpose of the attack
  – To masquerade as an authorized user and gain access to a system by taking over a session that user has already authenticated, rather than by logging in

• Once a session is hijacked
  – The attacker can send packets to the server to execute commands, change passwords, or worse
  – To do so, the attacker must supply sequence and acknowledgment numbers the server will accept, which is why sniffing the session (or predictable initial sequence numbers) makes hijacking practical

Page 24

Network Sniffing

• One method of passive network attack
  – Based on network “sniffing,” or eavesdropping, using a protocol analyzer or other sniffing software

• Network analyzers available to eavesdrop on networks include
  – tcpdump (UNIX)
  – EtherPeek (Windows)
  – Network Monitor (Windows)
  – AiroPeek Wireless (Windows)
  – Ethereal for Windows

Page 27

Maintaining IP Security

• Microsoft security bulletins
  – May be accessed or searched through the Security Bulletins section at www.microsoft.com/security/default.mspx

• Essential to know about security patches and fixes and to install them

• Knowing which ports to block
  – Many exploits and attacks are based on common vulnerabilities in well-known services; block every port that does not carry a service you actually need

Page 29

Recognizing Attack Signatures

• Most attacks have an attack signature
  – A recognizable pattern in the packets or traffic they generate, by which they may be identified

• Signatures may be used to
  – Implement IDS rules and devices
  – Configure network analyzer capture filters as well
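An added worked example in Python (not code from the textbook) that turns three of the patterns described in this chapter into detection logic: the ping sweep and port probe from the reconnaissance slides, and the SYN flood from the denial-of-service slide. The record format (ts, proto, src, dst, dport, flags) is a constructed simplification of what a flow exporter or tcpdump would give you, the sample traffic is generated inline rather than captured, and the thresholds are assumed values that would be tuned for a real network.

```python
"""Recognising reconnaissance and SYN-flood signatures in a simplified flow log.

Added example, not code from the textbook. The record format is a
constructed simplification; the sample traffic is generated here, not
captured; the thresholds are assumptions.
"""
import csv
from collections import defaultdict
from io import StringIO

# Signature thresholds (assumed values) per WINDOW seconds.
WINDOW = 5.0
SWEEP_HOSTS = 8         # one source pings at least this many distinct hosts
PROBE_PORTS = 10        # one source touches at least this many ports on one host
FLOOD_SYNS = 100        # SYNs to one dst:port ...
FLOOD_COMPLETED = 0.1   # ... of which fewer than this fraction complete a handshake


def build_sample_log() -> str:
    """Constructed sample: a ping sweep, then a port probe from the same
    source, then a SYN flood from forged sources, then one legitimate client."""
    rows, t = [], 0.0
    for i in range(1, 13):                       # sweep of 203.0.113.1-12
        rows.append((t, "icmp", "198.51.100.7", f"203.0.113.{i}", "", "echo"))
        t += 0.01
    for port in range(20, 40):                   # probe of 20 ports on .10
        rows.append((t, "tcp", "198.51.100.7", "203.0.113.10", port, "S"))
        t += 0.01
    for i in range(300):                         # 300 half-open SYNs to .10:80
        rows.append((t, "tcp", f"192.0.2.{i % 250 + 1}", "203.0.113.10", 80, "S"))
        t += 0.001
    rows.append((t, "tcp", "198.51.100.20", "203.0.113.10", 80, "S"))
    t += 0.05
    rows.append((t, "tcp", "198.51.100.20", "203.0.113.10", 80, "A"))  # handshake ACK
    out = StringIO()
    writer = csv.writer(out)
    writer.writerow(["ts", "proto", "src", "dst", "dport", "flags"])
    writer.writerows(rows)
    return out.getvalue()


def parse_log(text: str):
    """Parse the CSV text into a list of dict records (all values are strings)."""
    return list(csv.DictReader(StringIO(text)))


def detect(records, window: float = WINDOW):
    """Aggregate per time bucket and return (signature, subject, detail) alerts."""
    sweep = defaultdict(set)   # (bucket, src) -> hosts sent an echo request
    probe = defaultdict(set)   # (bucket, src, dst) -> destination ports tried
    syns = defaultdict(int)    # (bucket, dst, dport) -> SYN-only segments seen
    acked = defaultdict(set)   # (bucket, dst, dport) -> sources that sent an ACK
    for r in records:
        b = int(float(r["ts"]) // window)
        if r["proto"] == "icmp" and r["flags"] == "echo":
            sweep[(b, r["src"])].add(r["dst"])
        elif r["proto"] == "tcp":
            key = (b, r["dst"], r["dport"])
            if r["flags"] == "S":              # SYN alone: a new connection attempt
                probe[(b, r["src"], r["dst"])].add(r["dport"])
                syns[key] += 1
            elif "A" in r["flags"]:            # an ACK means the handshake got past SYN
                acked[key].add(r["src"])
    alerts = []
    for (b, src), hosts in sweep.items():
        if len(hosts) >= SWEEP_HOSTS:
            alerts.append(("ping-sweep", src, f"{len(hosts)} hosts in window {b}"))
    for (b, src, dst), ports in probe.items():
        if len(ports) >= PROBE_PORTS:
            alerts.append(("port-probe", src, f"{len(ports)} ports on {dst} in window {b}"))
    for (b, dst, dport), n in syns.items():
        done = len(acked.get((b, dst, dport), ()))
        if n >= FLOOD_SYNS and done / n < FLOOD_COMPLETED:
            alerts.append(("syn-flood", f"{dst}:{dport}",
                           f"{n} SYNs, {done} handshakes completed in window {b}"))
    return alerts


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for sig, subject, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{sig:10} {subject:18} {detail}")
```

The SYN-flood rule keys on the ratio of SYNs to completed handshakes rather than on raw SYN volume alone, because a busy web server legitimately receives hundreds of SYNs per window; the same three aggregations are what an IDS signature or a capture filter (for example, "SYN set, ACK clear, many distinct destination ports") expresses in its own syntax.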

Page 32

Using IP Security

• RFC 2401 says the goals of IPSec are to provide the following kinds of security
  – Access control
  – Connectionless integrity
  – Data origin authentication
  – Protection against replays (a form of partial sequence integrity)
  – Confidentiality (encryption)
  – Limited traffic flow confidentiality
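The replay-protection goal above is implemented in IPsec by a sliding receive window over the packet sequence number, described in RFC 2401 Appendix C. The Python below is an added example (not code from the textbook or from any IPsec implementation) of that window. The window size of 64, the verdict names and the packet arrival order in the demo are assumptions; the split between check() and update() mirrors the RFC, where a packet is screened against the window before the expensive integrity check and the window is advanced only after the packet has authenticated.

```python
"""IPsec anti-replay protection: the sliding receive window of RFC 2401 Appendix C.

Added example, not code from the textbook or from any IPsec implementation.
The window size, verdict names and demo packet order are assumptions.
"""


class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the `size`
    sequence numbers at or below it (bit i set means seq highest - i was seen)."""

    def __init__(self, size: int = 64):
        if size < 32:                    # RFC 2401: a window of at least 32 packets
            raise ValueError("window must be at least 32")
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0                 # nothing received yet
        self.bitmap = 0

    def check(self, seq: int) -> str:
        """Screen a sequence number: 'accept', 'replay', 'too-old' or 'invalid'.
        Changes no state, so a packet that later fails its ICV cannot poison the window."""
        if seq <= 0 or seq > 0xFFFFFFFF: # 0 is never valid; a wrapped counter means re-key
            return "invalid"
        if seq > self.highest:           # ahead of the window: certainly fresh
            return "accept"
        diff = self.highest - seq
        if diff >= self.size:            # behind the window: cannot tell, so reject
            return "too-old"
        return "replay" if (self.bitmap >> diff) & 1 else "accept"

    def update(self, seq: int) -> None:
        """Record seq as received. Call only after check() returned 'accept'
        and the packet's integrity check value verified."""
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; whatever falls off the far end is forgotten.
            self.bitmap = ((self.bitmap << shift) & self.mask) if shift < self.size else 0
            self.bitmap |= 1             # bit 0 now stands for seq itself
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def process(seqs, size: int = 64):
    """Run a list of (already authenticated) sequence numbers through one window."""
    win = AntiReplayWindow(size)
    verdicts = []
    for seq in seqs:
        verdict = win.check(seq)
        if verdict == "accept":
            win.update(seq)              # ICV assumed to have verified in this demo
        verdicts.append(verdict)
    return verdicts


# Constructed arrival order: mild reordering (5 before 4) is tolerated,
# duplicates are caught, a jump far ahead slides the window, and a packet
# that has fallen behind the window is refused even though it is not a replay.
DEMO_SEQS = [1, 2, 3, 2, 5, 4, 4, 70, 6, 7, 0]

if __name__ == "__main__":
    for seq, verdict in zip(DEMO_SEQS, process(DEMO_SEQS)):
        print(f"seq {seq:3d}: {verdict}")
```

The "too-old" verdict is the price of a bounded window: the receiver cannot distinguish a badly delayed packet from a replay once it is more than `size` behind the newest one, so the RFC makes the window size a local tuning parameter rather than a protocol constant.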

Page 33

Protecting the Perimeter of the Network

• Important devices and services used to protect the perimeter of networks
  – Bastion host
  – Boundary (or border) router
  – Demilitarized zone (DMZ)
  – Firewall
  – Network address translation (NAT)
  – Proxy server

Page 34

Understanding the Basics of Firewalls

• Firewall
  – Barrier that controls traffic flow and access between networks
  – Designed to inspect incoming traffic and block or filter it based on a variety of criteria
  – Normally sits astride the boundary between a public network and the private networks inside an organization

Page 35

Useful Firewall Specifics

• Firewalls usually incorporate four major elements
  – Screening router functions (stateless packet filtering on addresses, protocols, and ports)
  – Proxy service functions
  – “Stateful inspection” of packet sequences and services (tracking each connection so that only traffic belonging to a permitted connection is allowed back in)
  – Virtual Private Network services
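The difference between the first and third elements above, as an added worked example in Python (not code from the textbook or from any firewall product). A screening router that wants to let replies back in has to rely on the classic "established" trick (admit inbound TCP segments with the ACK bit set), whereas a stateful filter keeps a connection table and admits inbound segments only when an inside host opened the connection. The addresses, ports, state names and packet sequence are constructed for illustration.

```python
"""Screening-router rules versus stateful inspection, as a packet-filter simulation.

Added example, not code from the textbook or from any firewall product.
Addresses, ports, state names and the packet sequence are constructed.
"""
from typing import NamedTuple


class Packet(NamedTuple):
    direction: str   # "out": inside -> outside, "in": outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: S, A, F, R (e.g. "SA" for SYN/ACK)


def stateless_filter(pkt: Packet) -> str:
    """Screening-router policy: anything out; inbound only if it claims to be a reply."""
    if pkt.direction == "out":
        return "accept"
    return "accept" if "A" in pkt.flags else "drop"


class StatefulFilter:
    """Connection table keyed on (inside addr, inside port, outside addr, outside port)."""

    def __init__(self):
        self.table = {}

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            state = self.table.get(key)
            if state is None:
                if pkt.flags == "S":             # inside host opens a new connection
                    self.table[key] = "SYN_SENT"
                    return "accept"
                return "drop"                    # outbound with no handshake: bogus
            if "R" in pkt.flags:
                del self.table[key]              # a reset tears the entry down
            elif state == "SYN_RECEIVED" and "A" in pkt.flags:
                self.table[key] = "ESTABLISHED"  # third step of the handshake
            return "accept"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # inbound: mirror the tuple
        state = self.table.get(key)
        if state is None:
            return "drop"                        # no inside host asked for this
        if state == "SYN_SENT":
            if pkt.flags == "SA":                # the only reply expected right now
                self.table[key] = "SYN_RECEIVED"
                return "accept"
            return "drop"
        if "R" in pkt.flags:
            del self.table[key]
            return "accept"
        return "accept" if "A" in pkt.flags else "drop"


# Constructed traffic: one legitimate HTTPS connection, an ACK-scan probe,
# an unsolicited SYN, a SYN/ACK to the wrong client port, a server reset,
# and a stray ACK that arrives after the connection was torn down.
SCENARIO = [
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 443, "S"),
    Packet("in",  "198.51.100.7", 443, "10.0.0.5", 40000, "SA"),
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 443, "A"),
    Packet("in",  "198.51.100.7", 443, "10.0.0.5", 40000, "A"),    # server data
    Packet("in",  "198.51.100.9", 1234, "10.0.0.5", 22, "A"),      # ACK-scan probe
    Packet("in",  "198.51.100.9", 1234, "10.0.0.5", 22, "S"),      # unsolicited SYN
    Packet("in",  "198.51.100.7", 443, "10.0.0.5", 40001, "SA"),   # wrong client port
    Packet("in",  "198.51.100.7", 443, "10.0.0.5", 40000, "RA"),   # server resets
    Packet("in",  "198.51.100.7", 443, "10.0.0.5", 40000, "A"),    # stray after reset
]


def compare(packets=SCENARIO):
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


if __name__ == "__main__":
    for p, (sl, sf) in zip(SCENARIO, compare()):
        print(f"{p.direction:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:<2} "
              f"stateless={sl:<6} stateful={sf}")
```

Running the scenario shows the stateless rule admitting the ACK-scan probe, the mis-addressed SYN/ACK and the stray post-reset ACK, all of which the stateful filter drops because no entry in its table explains them; a production firewall adds timeouts on each state and sequence-number checks on top of this skeleton.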

Page 36

Commercial Firewall Features

• Address translation/privacy services

• Specific filtering mechanisms

• Alarms and alerts

• Logs and reports

• Transparency

• Intrusion detection systems (IDSs)

• Management controls

Page 37

Understanding the Basics of Proxy Servers

• Proxy servers
  – Can perform “reverse proxying” to expose a service inside a network to outside users, as if it resided on the proxy server itself

• Caching
  – An important proxy behavior

• Cache
  – Potentially valuable location for a system attack, since content planted in the cache is served to every later client that requests it

Page 38

Planning and Implementing, Step by Step

• Useful steps when planning and implementing firewalls and proxy servers
  – Plan
  – Establish requirements
  – Install
  – Configure
  – Test
  – Attack
  – Tune
  – Implement
  – Monitor and maintain

Page 39

Understanding the Test-Attack-Tune Cycle

• Attack tools
  – McAfee CyberCop ASaP
  – GNU NetTools
  – A port mapper such as AnalogX PortMapper
  – Internet Security Systems’ various security scanners

Page 40

Understanding the Role of IDS and IPS in IP Security

• Intrusion detection systems
  – Make it easier to automate recognizing and responding to potential attacks

• Increasingly, firewalls include
  – Hooks that allow them to interact with IDSs, or their own built-in IDS capabilities

• IPSs make access control decisions on the basis of application content, and because they sit inline they can block the offending traffic rather than only report it

Page 41

Updating Anti-Virus Engines and Virus Lists

• Because of the frequency with which new viruses, worms, and Trojans appear
  – It is essential to update anti-virus engine software and virus definitions on a regular basis

• Anti-virus protection
  – Key ingredient in any security policy

Page 43

The Security Update Process

• Evaluate the vulnerability

• Retrieve the update

• Test the update

• Deploy the update

Page 44

Understanding Security Policies and Recovery Plans

• Security policy
  – Document that reflects an organization’s understanding of
    • What information assets and other resources need protection
    • How they are to be protected
    • How they must be maintained under normal operating circumstances

Page 45

Understanding Security Policies and Recovery Plans (continued)

• RFC 2196 lists the following documents as components of a good security policy
  – An access policy document
  – An accountability policy document
  – A privacy policy document
  – A violations reporting policy document
  – An authentication policy document
  – An information technology system and network maintenance policy document

Page 46

Windows XP and Windows Server 2003: Another Generation of Network Security

• Features that should help maintain tighter security
  – Kerberos version 5
  – Public Key Infrastructure (PKI)
  – Directory Service Account Management
  – CryptoAPI
  – Encrypting File System (EFS)
  – Secure Channel security protocols (SSL 3.0/PCT)

Page 47

Honeypots and Honeynets

• Honeypot
  – Computer system deliberately set up to entice and trap attackers

• Honeynet
  – Broadens the honeypot concept from a single system to what looks like a network of such systems

Page 48

Summary

• An attack
  – An attempt to compromise the privacy and integrity of an organization’s information assets

• In its original form, TCP/IP implemented an optimistic security model

• Basic principles of IP security
  – Include avoiding unnecessary exposure by blocking all unused ports

• Necessary to protect systems and networks from malicious code
  – Such as viruses, worms, and Trojan horses

Page 49

Summary (continued)

• Would-be attackers
  – Usually engage in a well-understood sequence of activities, called reconnaissance and discovery

• Maintaining system and network security involves constant activity that must include
  – Keeping up with security news and information

• Keeping operating systems secure in the face of new vulnerabilities
  – A necessary and ongoing process

Page 50

Summary (continued)

• When establishing a secure network perimeter
  – It is essential to repeat the test-attack-tune cycle

• To create a strong foundation for system and network security, formulate a policy that incorporates
  – Processes, procedures, and rules regarding physical and personnel security issues

• Windows XP and Windows Server 2003 include
  – Notable security improvements and enhancements as compared to earlier Windows versions