Introduction to Network Security
November 20th, 2007
Presented by Aliza Bailey and Phil Ames
The Net is NOT the Web
The Internet: TCP/IP, the “road” if you will that other protocols run on
The Web: one of the “vehicles” that run on this road. Other vehicles would include email, chat programs, file transfer programs and protocols, etc.
Introducing…
Your Network Exploits
Malware
“A generic term for a number of different types of malicious code; can include spyware, worms, viruses, etc., created with the intent of infiltrating a system without permission and causing destruction. Also called “computer contaminants”.”
Virus
“A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.”
Trojans/Backdoors
“A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.”
Keyloggers
“Programs designed to log key strokes entered by a user on a machine. When used negatively, this information is transmitted to a remote location to collect the personal data.”
Rootkits
“A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network.”
Botnets
“A collection of compromised, broadband-enabled PCs hijacked during a worm/virus attack and infected with software that links them to a server where they receive “instructions” from a botnet controller. These are then used to participate in further virus/worm/spam assaults and Denial of Service attacks.”
Denial of Service (aka DoS)
“An event or series of events that prevents a system or network from performing its intended function.”
This can come from a botnet or a more direct attack. In the basic sense, more packets or data are sent to a victim than the victim can handle, and the system crashes.
Generic DoS
Phishing & Spam
“The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank the user is doing business with. Spam is any unwanted unsolicited message. Spam is usually sent via email.”
Breaking Down Barriers
Eliminate the “Does not apply to me” attitude with users
Breaking Down Barriers
• Users need to be active members of your “security team” as they are certainly members of your “network abuse” squad
• Educate them now on proper security practices and their benefits before they have to learn the hard way
• One compromised machine in a network is all that is needed to affect the entire network
Getting to Know Your Network
You cannot defend what you do not understand.
Getting to Know Your Network
DOCUMENTATION IS KEY
• Baseline your network and core devices
• Port to jack conversion list
• MAC address inventory
• Static IP address list
• Knowing where to go when an event occurs is absolutely necessary
• Vendor information
• Physical location of devices
Getting to Know Your Network
Understand the flow of traffic in your network
• Ingress traffic: This is your inbound traffic
• Egress traffic: This is your outbound traffic
• Traceroutes: Is your network symmetrical? Do you have more than one internet presence? Are your packets traveling the correct route?
Getting to Know Your Network
RESEARCH YOUR PRODUCTS!!!
• What operating systems live in your environment?
• Understand any products you want to introduce into your network, including their purpose, placement, and your expectations
• Create a test environment mirroring your production network to fully test new equipment
Defense in Depth
Multiple layers are always better than one.
Defense in Depth
Proactive Defense: Preventing the fire from starting
• Firewalls
• Content filtering
• Intrusion prevention devices
• Traffic engineering
• Network monitoring
• Baselining your network and core devices
• Acceptable use policies
Defense in Depth
Reactive Defense: Putting out the fires
• Intrusion detection systems
• System backups
• Forensic based programs: Fport, nmap
• Network monitoring tools: TCPDump, WinDump, Ethereal, Snort
Defense in Depth
Desktop Level
Defense in Depth
Antivirus: The “flu shot” of the security world
Antivirus is the most basic level of desktop security and should be present on all workstations, servers, laptops, etc.
This is not a replacement for better security practices. Definitions need constant updating to keep up with the ever-growing number of viruses. The time between virus identification and definition distribution has shrunk as technology has improved; however, the gap still exists.
Defense in Depth
Anti-Spyware: Common programs available are Spybot and Ad-Aware, and most antivirus suites now include anti-spyware options
As with antivirus software, these programs require regular updates to remain effective
Defense in Depth
Host Based Firewalls: Windows XP comes standard with a firewall; there are also popular options such as ZoneAlarm, Norton Personal Firewall, BlackICE, McAfee Personal Firewall, etc.
These control application access on the machine, while network based firewalls control the data flow to the machine
Learning curve: end users usually need assistance in configuring the rules properly to avoid blocking legitimate applications
Defense in Depth
Physical Access
• Login: All machines should require authentication to the box or domain controller; no guest accounts!
• Removable storage: unless otherwise needed, removable storage like thumb drives should be restricted from being introduced to your network
• Location: Are your servers open to be accessed by anyone? Is your file server sitting on your desk?
Defense in Depth
Passwords
• Passphrases: easier to remember, can be “fun” and more personal
• Special characters, numbers, case sensitivity
• Length: longer = better
• Set a minimum password policy!
Maximum Number of Days To Crack One Passphrase (spreadsheet shown on the slide)
Assumptions (each is an editable input in the spreadsheet; “more pessimistic” means a stronger adversary):
• Number of Cracking Computers In Parallel Use = 100 (Larger is more pessimistic.)
• Brute-Force Keyrate Per Computer Per Second = 10,000,000 (For example, a 1.7GHz P4-M can do 5mil/sec with LC4 on LM hashes, 800k/sec on NT hashes. Larger is more pessimistic.)
• Calculated Total Keys Guessed Per Second = 1,000,000,000 (calculated from the two values above; not edited directly)
• Number of Special Character Symbols = 31 (The 31 standard LC4 symbols: !@#$%^&*()-_+=~`[]{}\:;'"<>,.?/. Smaller is more pessimistic.)
• Percentage of Randomness In Passphrase = 0.01% (See Notes tab; a crude fudge factor to account for cracker optimization and the actual entropy in the passphrase. Smaller is more pessimistic.)
• Does Adversary Know Exact Length? (1/0) = 1 (1 = Yes, 0 = No. 1 is more pessimistic.)

Character sets (table columns) and their sizes: lowercase only = 26; lowercase, <space> = 27; lowercase, numbers = 36; lowercase, numbers, <space> = 37; lowercase, uppercase = 52; lowercase, uppercase, <space> = 53

Maximum Number of Days To Crack One Random Passphrase Of The Given Length And Character Set (divide in half for the AVERAGE number of days). Lengths 1 through 9 round to 0 days in every column; cells marked (overflow) exceeded the spreadsheet's column width in the original.

Length | 26 | 27 | 36 | 37 | 52 | 53
10 | 0.0 | 0.0 | 0.0 | 0.0 | 0 | 0
11 | 0 | 0 | 0 | 0 | 9 | 11
12 | 0 | 0 | 5 | 8 | 452 | 569
13 | 3 | 5 | 197 | 282 | 23,525 | 30,135
14 | 75 | 127 | 7,108 | 10,431 | 1,223,300 | 1,597,160
15 | 1,941 | 3,419 | 255,873 | 385,933 | 63,611,614 | 84,649,481
16 | 50,473 | 92,322 | 9,211,413 | 14,279,528 | 3,307,803,906 | 4,486,422,512
17 | 1,312,300 | 2,492,701 | 331,610,880 | 528,342,524 | 172,005,803,104 | 237,780,393,121
18 | 34,119,803 | 67,302,936 | 11,937,991,665 | 19,548,673,392 | 8,944,301,761,426 | 12,602,360,835,397
19 | 887,114,890 | 1,817,179,281 | 429,767,699,937 | 723,300,915,499 | 465,103,691,594,175 | 667,925,124,276,035
20 | 23,064,987,147 | 49,063,840,596 | 15,471,637,197,736 | 26,762,133,873,450 | 24,185,391,962,897,100 | 35,400,031,586,629,900
21 | 599,689,665,828 | 1,324,723,696,101 | 556,978,939,118,489 | 990,198,953,317,665 | (overflow) | 1,876,201,674,091,380,000
22 | 15,591,931,311,530 | 35,767,539,794,714 | (overflow) | 36,637,361,272,753,600 | (overflow) | 99,438,688,726,843,300,000
23 | (overflow) | 965,723,574,457,269 | (overflow) | 1,355,582,367,091,880,000 | (overflow) | 5,270,250,502,522,700,000,000
24 | (overflow) | (overflow) | (overflow) | 50,156,547,582,399,700,000 | (overflow) | 279,323,276,633,703,000,000,000
25 | (overflow) | (overflow) | (overflow) | 1,855,792,260,548,790,000,000 | (overflow) | (overflow)
26 | (overflow) | (overflow) | (overflow) | 68,664,313,640,305,200,000,000 | (overflow) | (overflow)
27 to 50 | (overflow) in every column
No point in calculating any further…
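The spreadsheet's arithmetic, reconstructed as an added example (not the presenters' spreadsheet) from the assumptions printed on the slide: days = set_size^length × randomness ÷ (keys per second × 86,400). It also carries the knob the slide leaves at its default, an adversary who does not know the length and so must try every shorter length as well.

```python
# Reproduces the "days to crack" spreadsheet on the slide from its stated
# assumptions. Added example, not the presenters' spreadsheet; the knobs below
# are the slide's values and can be changed to model a different adversary.
CRACKERS_IN_PARALLEL = 100         # slide: 100 cracking computers
KEYRATE_PER_COMPUTER = 10_000_000  # slide: 10 million guesses/s per computer
RANDOMNESS = 0.0001                # slide: 0.01% "fudger" for real entropy
ADVERSARY_KNOWS_LENGTH = True      # slide: 1 (yes), the pessimistic setting
SECONDS_PER_DAY = 86_400

# Columns of the slide's table: character set name -> set size.
CHARSETS = {
    "lowercase only": 26,
    "lowercase, <space>": 27,
    "lowercase, numbers": 36,
    "lowercase, numbers, <space>": 37,
    "lowercase, uppercase": 52,
    "lowercase, uppercase, <space>": 53,
}

def keys_per_second():
    """The slide's 'Calculated Total Keys Guessed Per Second' (1e9)."""
    return CRACKERS_IN_PARALLEL * KEYRATE_PER_COMPUTER

def keyspace(set_size, length, known_length=ADVERSARY_KNOWS_LENGTH):
    """Guesses needed to exhaust every passphrase the adversary must try.
    If the length is unknown, every shorter length has to be tried as well."""
    if known_length:
        return set_size ** length
    return sum(set_size ** n for n in range(1, length + 1))

def max_days(set_size, length, known_length=ADVERSARY_KNOWS_LENGTH):
    """Worst-case days to exhaust the keyspace; halve it for the average."""
    guesses = keyspace(set_size, length, known_length) * RANDOMNESS
    return guesses / (keys_per_second() * SECONDS_PER_DAY)

def table_row(length):
    """One row of the slide's table, rounded to whole days, in column order."""
    return [round(max_days(size, length)) for size in CHARSETS.values()]

def table(lengths=range(10, 21)):
    """Rows 10..20 of the slide's table keyed by passphrase length."""
    return {n: table_row(n) for n in lengths}

if __name__ == "__main__":
    print("len  " + "  ".join(f"{s:>6}" for s in CHARSETS.values()))
    for n, row in table().items():
        print(f"{n:>3}  " + "  ".join(f"{d:>6,}" for d in row))
```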
Defense in Depth
Patching & Updating: Set it and forget it! Setting up all machines to automatically download and install updates takes the guesswork out of it
Do not forget to patch and update all software used, not just the OS. This includes Microsoft Office, QuickTime, antivirus, anti-malware, etc.
Network Level Defense: Border Patrol
Keeping the bad guys from reaching your users
Network Level Defense: Router Security
Routers allow for more precise security measures to be implemented than their switch and hub brethren
• Networks can be segregated by VLANs
• Traffic can be engineered with access control lists
Network Level Defense: Router Security
Lock down access to the router
• Always require a login, be it a local account, RADIUS authentication, etc.
• Restrict access only to those networks/IP addresses that should be accessing the device
• Do you access this router from outside your work network? Do you only access this router from one particular workstation?
Network Level Defense: Router Security
Lock down port access
• Restricting what can be plugged into your network, and where, reduces the occurrence of rogue routers/switches/hubs, wireless access points, and laptops
• Usually accomplished by MAC address restrictions
Network Level Defense: Access Control Lists (ACLs)
• A Standard ACL can restrict ingress and egress network traffic based upon the source IP, network, or subnet
• An Extended ACL (Cisco) can restrict ingress and egress network traffic based upon source and destination networks, along with ports and protocols
• It is extremely important to map out EXACTLY what you want to allow/deny access to
• As with firewalls, it is better to maintain a “deny all, permit by exception” list
Network Level Defense
• Routers apply lists sequentially in the order in which you type them into the router.
• Routers apply lists to packets sequentially, from top down, one line at a time.
• Packets are processed only until a match is made, and then they are acted upon based on the access list criteria contained in the matching statement.
• Lists always end with an implicit deny. Routers discard any packets that do not match any of the access list statements.
• Access lists must be applied to an interface as either inbound or outbound traffic filters.
• Only one list per direction can be applied to an interface.
Network Level Defense
Example: Restricting network access to only one network

  ip access-list extended 100
   10 permit ip 64.251.55.0 0.0.0.15 any
   20 deny ip any any
  !
  interface Vlan2
   ip address 64.251.55.1 255.255.255.240
   ip access-group 100 in
   no ip unreachables

Permits any IP in the 64.251.55.0/28 network to go anywhere and denies all else. The list carries both a source and a destination, so it is an extended ACL, numbered 100 to match the access group applied on the interface.
Applied INBOUND to the VLAN interface. Inbound means traffic coming into that interface from machines internal to your network.
Network Level Defense
Example: Restricting traffic even more with extended ACLs

  ip access-list extended School_Security
   permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 eq smtp
   permit tcp 10.10.10.0 0.0.0.255 160.241.0.0 0.0.255.255 eq smtp
   deny tcp any any eq smtp
   deny udp any any eq snmp
   permit tcp 10.10.10.0 0.0.0.255 any eq www
   permit tcp 10.10.10.0 0.0.0.255 any eq 8888
   deny ip any any

This ACL allows SMTP from the 10.10.10.0/24 network only to the two networks listed and denies SMTP to all others; SNMP (UDP) is denied from anywhere. Next, access to WWW and TCP port 8888 is allowed from 10.10.10.0/24, and nothing else. This example works in direct conjunction with our HTTPS proxy.
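To make the top-down, first-match, implicit-deny rules concrete, here is an added example (not the presenters' configuration) that walks the School_Security list above the way a router would, over constructed packets; the 192.0.2.0/24 destinations are a documentation range chosen for illustration.

```python
# Router access-list walk: top down, first match wins, implicit deny at the end.
# Added example, not the presenters' config; test packets are constructed.
from ipaddress import IPv4Address

PORT_NAMES = {"smtp": 25, "snmp": 161, "www": 80}  # Cisco port keywords

def _take_addr(tok, i):
    """Consume 'any' or '<network> <wildcard>' starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    return (tok[i], tok[i + 1]), i + 2

def _match_addr(spec, ip):
    """Cisco wildcard match: a set bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec
    care = 0xFFFFFFFF ^ int(IPv4Address(wild))  # bits the router compares
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(net)) & care)

def parse_ace(line):
    """'permit tcp 10.10.10.0 0.0.0.255 any eq www' -> dict of fields."""
    tok = line.split()
    src, i = _take_addr(tok, 2)
    dst, i = _take_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":  # optional destination port
        name = tok[i + 1]
        dport = int(name) if name.isdigit() else PORT_NAMES[name]
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst,
            "dport": dport}

def evaluate(acl, packet):
    """Return (action, ACE that matched). packet keys: proto, src, dst, dport."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue  # 'ip' matches any protocol; tcp/udp must match exactly
        if not _match_addr(ace["src"], packet["src"]):
            continue
        if not _match_addr(ace["dst"], packet["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != packet["dport"]:
            continue
        return ace["action"], line  # first match wins; later lines never run
    return "deny", "<implicit deny>"  # fell off the end: the packet is dropped

# The slide's School_Security list, one ACE per string, in router order.
SCHOOL_SECURITY = [
    "permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 eq smtp",
    "permit tcp 10.10.10.0 0.0.0.255 160.241.0.0 0.0.255.255 eq smtp",
    "deny tcp any any eq smtp",
    "deny udp any any eq snmp",
    "permit tcp 10.10.10.0 0.0.0.255 any eq www",
    "permit tcp 10.10.10.0 0.0.0.255 any eq 8888",
    "deny ip any any",
]

def pkt(proto, src, dst, dport):  # constructed packet: the fields an ACL reads
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}
```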
Network Level Defense: Firewalls
A firewall is similar to a wall around a city or a wall around a building. It can prevent traffic from going into or out of the city except through designated gates. Another term for these gates would be ports. For example, if you want someone to be able to send you email, you would open up a specific gate and email could get into your network.
Network Level Defense: Firewalls
• Network layer: Packet filtering, usually based on source IP address, source port, destination IP address or port, and destination service like WWW or FTP
• Application layer: Filters for applications, like XML/WWW/FTP, to provide more protection for the specified application
• Proxies: May be used in a firewall fashion to hide internal networks
Network Level Defense: Wireless Security
• Restrict access! No public access should be available
• Disable SSID broadcasting
• Restrict access to known users (by MAC)
• ENCRYPT ENCRYPT ENCRYPT!!! Even if you only use WEP, use it. Consult your product documentation for instructions
“Best Practices” Summary
• Document your network
• Research your products
• Inform and educate your users
• Set a security policy and follow it
• Be proactive or suffer the consequences of only reacting to events
• Multiple layers of security: network and desktop
• Passwords!
• Patch and update everything
• Secure ALL wireless connections!!!
• DENY ALL, PERMIT BY EXCEPTION