Guide to Network Defense and Countermeasures Second Edition Chapter 1 Network Defense Fundamentals

Post on 01-Nov-2014


Page 1: CET 4663 Computer and Network Security ch01

Guide to Network Defense and Countermeasures, Second Edition

Chapter 1: Network Defense Fundamentals


Guide to Network Defense and Countermeasures, Second Edition 2

Objectives

• Explain the fundamentals of TCP/IP networking

• Describe the threats to network security

• Explain the goals of network security

• Describe a layered approach to network defense

• Explain how network security defenses affect your organization


TCP/IP Networking Review

• Transmission Control Protocol/Internet Protocol (TCP/IP)
  – Suite of many protocols
  – Allows information to be transmitted from point to point on a network


The Open Systems Interconnect (OSI) Model


IP Addressing

• Attackers can gain access to networks by determining the IP addresses of computers

• IP address components
  – Network address
  – Host address
  – Subnet mask

• Try to hide IP addresses to prevent certain attacks

• Network Address Translation (NAT)
  – Translates IP addresses into other IP addresses
  – Used to hide real IP addresses

• Proxy servers are also used to hide IP addresses


Exploring IP Packet Structure

• IP datagrams
  – Discrete chunk of information
  – TCP/IP messages are transmitted using multiple datagrams
  – Contain information about source and destination IP addresses and control settings
  – Divided into different sections

• IP header structure
  – Part of an IP packet that computers use to communicate
  – The IP header plays an important role in network security and intrusion detection


Exploring IP Packet Structure (continued)

• IP data
  – Firewalls, VPNs, and proxy servers are used to protect the data in a packet

• IP fragmentation
  – Allows large packets to pass through routers
  – Routers divide packets into multiple fragments and send them along the network
  – Fragmentation creates security problems
    • Port numbers appear only in fragment 0
    • Fragments 1 and higher pass through filters without being scrutinized


ICMP Messages

• Internet Control Message Protocol (ICMP)

• Assists TCP/IP networks with troubleshooting communication problems

• Can tell if another host is alive

• Firewalls and packet filters should be used to filter ICMP messages


TCP Headers

• Provide hosts with additional flags

• Flags are important from a security standpoint
  – Used to create packet-filtering rules

• Flags
  – URG (urgent)
  – ACK (acknowledge)
  – PSH (push function)
  – RST (reset the connection)
  – SYN (synchronize sequence numbers)
  – FIN (finished)
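The two filtering points made on the IP fragmentation and TCP header slides, as an added example that is not from the textbook: constructed IPv4/TCP packets are built and decoded with Python's struct module, a naive filter waves non-initial fragments through because only fragment 0 carries port numbers, and a hardened filter denies what it cannot inspect and then applies flag-based rules. The published port set, the addresses and the rule set are assumptions.

```python
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALLOWED_PORTS = {80, 443}   # assumed: the only services published to the outside

def build_ipv4(payload, proto=6, ident=0x1234, more_frags=False, frag_offset=0,
               src=b"\xc6\x33\x64\x07", dst=b"\xcb\x00\x71\x0a"):
    """Constructed IPv4 header (IHL 5, TTL 64, checksum left 0) + payload.
    frag_offset is given in the header's own 8-byte units."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header: seq/ack 0, data offset 5, window 1024."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def parse_ipv4(pkt):
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto,
            "more_frags": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,   # convert to bytes
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:total_len]}

def parse_tcp(seg):
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", seg[:14])
    return {"sport": sport, "dport": dport,
            "flags": [n for n, bit in TCP_FLAGS.items() if flags & bit]}

def naive_filter(pkt):
    """The weakness the slide describes: only fragment 0 carries the ports, and
    later fragments are waved through because there is nothing to check."""
    ip = parse_ipv4(pkt)
    if ip["frag_offset"] != 0:
        return "ALLOW"
    return "ALLOW" if parse_tcp(ip["payload"])["dport"] in ALLOWED_PORTS else "DENY"

def hardened_filter(pkt):
    """Restrictive stance: deny what cannot be inspected, then apply flag rules."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6:
        return "DENY"
    # Non-initial fragments, and first fragments too short to hold a full TCP
    # header, are dropped instead of trusted (or handed to a reassembler).
    if ip["frag_offset"] != 0 or len(ip["payload"]) < 20:
        return "DENY"
    tcp = parse_tcp(ip["payload"])
    if "ACK" in tcp["flags"] and "SYN" not in tcp["flags"]:
        return "ALLOW"        # reply traffic for a connection opened from inside
    if tcp["flags"] == ["SYN"] and tcp["dport"] in ALLOWED_PORTS:
        return "ALLOW"        # new connection to a published service
    return "DENY"
```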


UDP Headers

• UDP provides a datagram transport service for IP

• UDP is considered unreliable
  – Because it is connectionless

• UDP is used for broadcasting messages

• Attackers scan for open UDP services to exploit

• UDP packets have their own headers


Domain Name Service (DNS)

• DNS servers translate fully qualified domain names to IP addresses

• DNS can be used to block unwanted communications
  – Administrators can block Web sites containing offensive content

• DNS attacks
  – Buffer overflow
  – Zone transfer
  – Cache poisoning


Encryption

• Concealing information to render it unreadable
  – Except to the intended recipients

• Firewalls often encrypt data leaving the network and decrypt incoming packets

• Encryption often makes use of digital certificates

• Digital certificate
  – Electronic document containing encryption keys and a digital signature

• Public Key Infrastructure
  – Makes the distribution of certificates possible


Overview of Threats to Network Security

• Security problems
  – Network intrusions
  – Loss of data
  – Loss of privacy

• The first step in defeating the enemy is to know your enemy


Types of Attackers

• Knowing the types of attackers helps you anticipate

• Motivations to break into systems
  – Status
  – Revenge
  – Financial gain
  – Industrial espionage


Types of Attackers (continued)

• Crackers
  – Attempt to gain access to unauthorized resources
    • Circumventing passwords, firewalls, or other protective measures

• Disgruntled employees
  – Access customer information, financial files, job records, or other sensitive information from inside an organization
  – When an employee is terminated, security measures should be taken immediately


Types of Attackers (continued)

• Criminal and industrial spies
  – Steal and sell a company’s confidential information to its competitors

• Script kiddies and packet monkeys
  – Script kiddies
    • Young, immature computer programmers
    • Spread viruses and other malicious scripts
    • Use techniques that exploit known weaknesses
  – Packet monkeys
    • Block Web site activities using DDoS attacks


Types of Attackers (continued)

• Terrorists
  – Attack computer systems for several reasons
    • Making a political statement
    • Achieving a political goal
    • Causing damage to critical systems
    • Disrupting a target’s financial stability


Malicious Code

• Malware
  – Malicious code
  – Uses a system’s well-known vulnerabilities to spread

• Virus
  – Code that copies itself surreptitiously
  – Can be benign or harmful
  – Spread methods
    • Running executable code
    • Sharing disks or memory sticks
    • Opening e-mail attachments


Malicious Code (continued)

• Worm
  – Creates files that copy themselves and consume disk space
  – Does not require user intervention to be launched
  – Some worms install back doors
    • A way of gaining unauthorized access to a computer or other resources
  – Others can destroy data on hard disks

• Trojan program
  – Harmful computer program that appears to be something useful
  – Can create a back door


Malicious Code (continued)

• Macro viruses
  – A macro is a type of script that automates repetitive tasks in Microsoft Word or similar applications
  – Macros run a series of actions automatically
  – Macro viruses run actions that tend to be harmful


Other Threats to Network Security

• It is not possible to prepare for every possible risk to your systems

• Try to protect your environment against today’s threats

• Be prepared for tomorrow’s threats


Social Engineering: The People Factor

• Social engineers try to gain access to resources through people
  – Employees do not always observe accepted security practices
  – Employees are fooled by attackers into giving out passwords or other access codes


Common Attacks and Defenses


Internet Security Concerns

• Socket
  – Port number combined with a computer’s IP address

• Attacker software looks for open sockets
  – Open sockets are an invitation to be attacked
  – Sometimes sockets have exploitable vulnerabilities

• E-mail and communications
  – Home users regularly surf the Web and use e-mail and instant messaging programs
  – Personal firewalls keep viruses and Trojan programs from entering a system


Internet Security Concerns (continued)

• Scripts
  – Executable code attached to e-mail messages or downloaded files that infiltrates a system
  – Difficult for firewalls and IDSs to block all scripts

• Always-on connectivity
  – Computers using always-on connections are easier to locate and attack
  – Remote users pose security problems to network administrators
  – Always-on connections effectively extend the boundaries of your corporate network


Goals of Network Security

• Goals include
  – Confidentiality
  – Integrity
  – Availability


Providing Secure Connectivity

• In the past, network security emphasized blocking attackers from accessing the corporate network
  – Now secure connectivity with trusted users and networks is the priority

• Activities that require secure connectivity
  – Placing orders for merchandise online
  – Paying bills
  – Accessing account information
  – Looking up personnel records
  – Creating authentication information


Secure Remote Access

• One of the biggest security challenges

• VPN
  – Ideal and cost-effective solution
  – Uses a combination of encryption and authentication mechanisms


Ensuring Privacy

• Databases with personal or financial information need to be protected
  – Legislation exists that protects private information

• Education is an effective way to maintain the privacy of information
  – All employees must be educated about security dangers and security policies
  – Employees are the most likely to detect security breaches
    • And to cause one accidentally
  – Employees can monitor the activities of their co-workers


Providing Nonrepudiation

• Nonrepudiation is important when organizations do business across a network
  – Rather than face-to-face

• Encryption provides integrity, confidentiality, and authenticity of digital information
  – Encryption can also provide nonrepudiation

• Nonrepudiation
  – Capability to prevent one participant from denying that it performed an action


Confidentiality, Integrity, and Availability: The CIA Triad

• Confidentiality
  – Prevents intentional or unintentional disclosure of communications between sender and recipient

• Integrity
  – Ensures the accuracy and consistency of information during all processing

• Availability
  – Makes sure those who are authorized to access resources can do so in a reliable and timely manner


Using Network Defense Technologies in Layers

• No single security measure can ensure complete network protection

• Assemble a group of methods
  – That work in a coordinated fashion

• Defense in depth (DiD)
  – Layering approach to network security


Physical Security

• Refers to measures taken to physically protect a computer or other network device

• Physical security measures
  – Computer locks
  – Locked, protected rooms for critical servers
  – Burglar alarms
  – Uninterruptible power supply (UPS)


Authentication and Password Security

• Password security
  – Simple strategy
  – Select good passwords, keep them secure, and change them as needed
  – Use different passwords for different applications

• Authentication methods
  – Something the user knows
  – Something the user has
  – Something the user is

• In large organizations, authentication is handled by centralized servers


Operating System Security

• Protect operating systems by installing
  – Patches
  – Hot fixes
  – Service packs

• OSs must be updated in a timely manner to protect against security flaws

• Stop any unneeded services

• Disable Guest accounts


Antivirus Protection

• Virus scanning
  – Examines files or e-mail messages for indications that viruses are present

• Viruses have suspicious file extensions

• Antivirus software uses virus signatures to detect viruses in your systems
  – You should constantly update virus signatures

• Firewalls and IDSs are not enough

• You should install antivirus software on hosts and all network computers


Packet Filtering

• Block or allow transmission of packets based on
  – Port number
  – IP addresses
  – Protocol information

• Some types of packet filters
  – Routers
    • Most common packet filters
  – Operating systems
    • Built-in packet filtering utilities that come with some OSs
  – Software firewalls
    • Enterprise-level programs


Firewalls

• Firewalls control an organization’s overall security policies

• Permissive versus restrictive policies
  – Permissive
    • Allows all traffic through the gateway and then blocks services on a case-by-case basis
  – Restrictive
    • Denies all traffic by default and then allows services on a case-by-case basis
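The packet-filtering criteria (port, address, protocol) and the permissive-versus-restrictive policies from the Firewalls slide, as an added example rather than textbook code: a small first-match rule engine evaluates the same packet under a default-allow and a default-deny rule set, showing why a service nobody wrote a rule for ends up allowed under one and denied under the other. The hosts, ports and rules are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One packet-filter rule; a None field matches anything."""
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # "tcp", "udp", "icmp"
    src: Optional[str] = None     # CIDR block
    dst: Optional[str] = None     # CIDR block
    dport: Optional[int] = None   # destination port (tcp/udp only)

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.src is None or ip_address(pkt["src"]) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst))
                and (self.dport is None or self.dport == pkt.get("dport")))

def decide(rules, default, pkt):
    """First matching rule wins; the policy's default action covers the rest."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Permissive policy: let everything through, then block services case by case.
# Assumed: the administrator remembered telnet and SMB but nothing else.
PERMISSIVE = [Rule("deny", proto="tcp", dport=23),
              Rule("deny", proto="tcp", dport=445)]

# Restrictive policy: deny by default, then allow services case by case.
# Assumed hosts: a Web server at 203.0.113.10 and a DNS server at 203.0.113.53.
RESTRICTIVE = [Rule("allow", proto="tcp", dst="203.0.113.10/32", dport=80),
               Rule("allow", proto="tcp", dst="203.0.113.10/32", dport=443),
               Rule("allow", proto="udp", dst="203.0.113.53/32", dport=53)]

def compare(pkt):
    """Outcome of the same packet under both policies."""
    return {"permissive": decide(PERMISSIVE, "allow", pkt),
            "restrictive": decide(RESTRICTIVE, "deny", pkt)}

def unanticipated_service_example():
    """RDP to the Web server: no rule mentions it, so only the default decides."""
    return compare({"proto": "tcp", "src": "198.51.100.7",
                    "dst": "203.0.113.10", "dport": 3389})
```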


Demilitarized Zone (DMZ)

• Network that sits outside the internal network
  – The DMZ is connected to the firewall

• Makes services publicly available
  – While protecting the internal LAN

• It might also contain a DNS server

• The DMZ is sometimes called a “service network” or “perimeter network”


Intrusion Detection System (IDS)

• Recognizes the signs of a possible attack
  – And notifies the administrator

• Signs of possible attacks are called signatures
  – Combinations of IP address, port number, and frequency of access attempts

• An IDS provides an additional layer of protection


Virtual Private Networks (VPNs)

• Provide a low-cost and secure connection that uses the public Internet

• Alternative to expensive leased lines
  – Provides point-to-point communication


Network Auditing and Log Files

• Auditing
  – Recording which computers are accessing a network and what resources are being accessed
  – Information is recorded in a log file

• Reviewing and maintaining log files helps you detect suspicious patterns of activity

• You can set up blocking rules based on logged information from previous attack attempts


Network Auditing and Log Files (continued)

• Log file analysis
  – Tedious and time-consuming task
  – Record and analyze rejected connection requests
  – Sort logs by time of day and per hour
  – Check logs during peak traffic times

• Configure log files to record
  – System events
  – Security events
  – Traffic
  – Packets
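The log-review steps on these two slides (record rejected connection requests, sort them by hour, derive blocking rules from earlier attempts), as an added Python example that is not part of the slides, run over a constructed firewall log whose format, thresholds and rule syntax are assumptions; the per-source frequency-and-port check mirrors the signature definition on the IDS slide.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log (not from the slides): one accepted or rejected
# connection attempt per line, plus one unrelated line to show it is skipped.
SAMPLE_LOG = """
2014-11-01 02:13:07 REJECT TCP 198.51.100.7:51234 -> 203.0.113.10:21
2014-11-01 02:13:07 REJECT TCP 198.51.100.7:51235 -> 203.0.113.10:22
2014-11-01 02:13:08 REJECT TCP 198.51.100.7:51236 -> 203.0.113.10:23
2014-11-01 02:13:08 REJECT TCP 198.51.100.7:51237 -> 203.0.113.10:25
2014-11-01 02:13:09 REJECT TCP 198.51.100.7:51238 -> 203.0.113.10:3389
2014-11-01 02:13:09 REJECT TCP 198.51.100.7:51239 -> 203.0.113.10:8080
2014-11-01 02:14:01 ACCEPT TCP 198.51.100.7:51240 -> 203.0.113.10:80
2014-11-01 09:02:11 REJECT UDP 192.0.2.44:40000 -> 203.0.113.53:161
2014-11-01 09:40:55 REJECT UDP 192.0.2.44:40001 -> 203.0.113.53:161
2014-11-01 09:41:03 ACCEPT TCP 192.0.2.44:40002 -> 203.0.113.10:443
kernel: link up on eth0
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<hour>\d\d):\d\d:\d\d (?P<action>ACCEPT|REJECT) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(lines):
    """Yield structured entries; lines in another format are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["hour"], e["dport"] = int(e["hour"]), int(e["dport"])
            yield e

def rejects_per_hour(lines):
    """Rejected connection requests sorted into hour-of-day buckets."""
    return Counter(e["hour"] for e in parse(lines) if e["action"] == "REJECT")

def scan_suspects(lines, min_rejects=5, min_ports=3):
    """Sources that, within one hour, were rejected often and on many different
    ports: the IP address / port number / frequency combination the IDS slide
    calls a signature. The thresholds are assumed, not taken from the slides."""
    rejects, ports = Counter(), defaultdict(set)
    for e in parse(lines):
        if e["action"] == "REJECT":
            key = (e["src"], e["hour"])
            rejects[key] += 1
            ports[key].add(e["dport"])
    return sorted({src for (src, hour), n in rejects.items()
                   if n >= min_rejects and len(ports[(src, hour)]) >= min_ports})

def block_rules(lines):
    """Blocking rules derived from previous attempts (rule syntax is illustrative)."""
    return [f"deny ip from {src} to any" for src in scan_suspects(lines)]
```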


Routing and Access Control Methods

• Border routers are critical to the movement of all network traffic
  – Can be equipped with their own firewall software

• Attackers exploit open points of entry, such as
  – Vulnerable services
  – E-mail gateways
  – Porous borders

• Methods of access control
  – Mandatory Access Control (MAC)
  – Discretionary Access Control (DAC)
  – Role-Based Access Control (RBAC)


The Impact of Defense

• The cost of securing systems might seem high

• The cost of a security breach can be much higher

• Support from upper management
  – Key factor in securing systems

• Securing systems will require
  – Time
  – Money
  – Understanding and cooperation from fellow employees
  – Support from upper management


Summary

• Knowledge of TCP/IP networking is important when securing a network

• IP and TCP (or UDP) header sections contain settings that can be exploited

• Domain Name Service (DNS)
  – General-purpose service that translates fully qualified domain names into IP addresses

• Encryption can be used to protect data

• Network intruders are motivated by a variety of reasons


Summary (continued)

• E-mail is one of the most important services to secure
  – Malicious scripts can be delivered via e-mail

• Goals of network security
  – Confidentiality
  – Integrity
  – Availability

• Defense in depth (DiD)
  – Layering approach to security

• Auditing helps identify possible attacks and prevent further ones


Summary (continued)

• Routers at the border of a network are critical to the movement of all traffic
  – Legitimate and harmful

• Access control methods
  – Mandatory Access Control (MAC)
  – Discretionary Access Control (DAC)
  – Role-Based Access Control (RBAC)

• Defense affects the entire organization
  – You should always look for support from upper management