Introduction to Network Security, November 20th, 2007. Presented by Aliza Bailey and Phil Ames

Page 1

Introduction to Network Security

November 20th, 2007

Presented by Aliza Bailey and Phil Ames

Page 2

The Net is NOT the Web

The Internet: TCP/IP, the “road” if you will that other protocols run on

The Web: one of the “vehicles” that run on this road. Other vehicles would include email, chat programs, file transfer programs and protocols, etc.

Page 3

Introducing…

Your Network Exploits

Page 4

Malware

“A generic term for a number of different types of malicious code, can include spyware, worms, viruses, etc. created with the intent of infiltrating a system without permission and causing destruction, also called “Computer Contaminants””

Page 5

Virus

“A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active”

Page 6

Trojans/Backdoors

“A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.”

Page 7

Keyloggers

“Programs designed to log keystrokes entered by a user on a machine. When used negatively, this information is transmitted to a remote location to collect the personal data”

Page 8

Rootkits

“A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network.”

Page 9

Botnets

“A collection of compromised, broadband-enabled PCs hijacked during a worm/virus attack and infected with software that links them to a server where they receive “instructions” from a botnet controller. These are then used to participate in further virus/worm/spam assaults and Denial of Service attacks”

Page 10

Page 11

Denial of Service (aka DoS)

“An event or series of events that prevents a system or network from performing its intended function”

This can come from a botnet or a more direct attack. In the basic sense, more packets or data are sent to a victim than the victim can handle, and the system crashes.

Page 12

Generic DoS

Page 13

Phishing & Spam

“The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank the user is doing business with. Spam is any unwanted unsolicited message. Spam is usually sent via email”

Page 14

Breaking Down Barriers

Eliminate the “Does not apply to me” attitude with users

Page 15

Breaking Down Barriers

• Users need to be active members of your “security team” as they are certainly members of your “network abuse” squad

• Educate them now on proper security practices and their benefits before they have to learn the hard way

• One compromised machine in a network is all that is needed to affect the entire network

Page 16

Page 17

Getting to Know Your Network

You cannot defend what you do not understand.

Page 18

Getting to Know Your Network

DOCUMENTATION IS KEY

• Baseline your network and core devices
• Port to Jack conversion list
• MAC Address inventory
• Static IP address list
• Knowing where to go when an event occurs is absolutely necessary
• Vendor information
• Physical location of devices

Page 19

Getting to Know Your Network

Understand the flow of traffic in your network

• Ingress traffic: this is your inbound traffic
• Egress traffic: this is your outbound traffic
• Traceroutes: Is your network symmetrical? Do you have more than one internet presence? Are your packets traveling the correct route?

Page 20

Getting to Know Your Network

RESEARCH YOUR PRODUCTS!!!

• What Operating Systems live in your environment?
• Understand any products you want to introduce into your network, including their purpose, placement, and your expectations
• Create a test environment mirroring your production network to fully test new equipment

Page 21

Defense in Depth

Multiple layers are always better than one.

Page 22

Defense in Depth

Proactive Defense: Preventing the fire from starting

• Firewalls
• Content Filtering
• Intrusion Prevention Devices
• Traffic engineering
• Network Monitoring
• Baselining your network and core devices
• Acceptable use policies

Page 23

Defense in Depth

Reactive Defense: Putting out the fires

• Intrusion Detection Systems
• System backups
• Forensic based programs: Fport, nmap
• Network Monitoring tools: TCPDump, WinDump, Ethereal, Snort

Page 24

Defense in Depth

Desktop Level

Page 25

Defense in Depth

Antivirus: The “flu shot” of the security world

Antivirus is the most basic level of desktop security and should be present on all workstations, servers, laptops, etc.

This is not a replacement for better security practices. Definitions need constant updating to keep pace with the ever-growing number of viruses. The time between virus identification and definition distribution has shrunk as technology improves; however, the gap still exists.

Page 26

Defense in Depth

Anti-Spyware: Common programs available are Spybot and Ad-Aware, and most antivirus suites now include anti-spyware options

As with antivirus software, these programs require regular updates to remain effective

Page 27

Defense in Depth

Host Based Firewalls: Windows XP comes standard with a firewall; there are also popular options such as ZoneAlarm, Norton Personal Firewall, BlackICE, McAfee Personal Firewall, etc.

Controls application access on machines, while network based firewalls control the data flow to the machine

Learning curve: end users usually need assistance in configuring the rules properly to avoid blocking legitimate applications

Page 28

Defense in Depth

Physical Access

• Login: All machines should require authentication to the box or domain controller, no guest accounts!
• Removable storage: unless otherwise needed, removable storage like thumb drives should be restricted from being introduced to your network
• Location: Are your servers open to be accessed by anyone? Is your file server sitting on your desk?

Page 29

Defense in Depth

Passwords

• Passphrases: easier to remember, can be “fun” and more personal
• Special Characters, Numbers, Case sensitivity
• Length: longer = better
• Set a minimum password policy!

Page 30

Maximum Number of Days To Crack One Passphrase

Assumptions (the red boxes in the spreadsheet; edit these, not the calculated value):
• Number of Cracking Computers In Parallel Use = 100 (larger is more pessimistic)
• Brute-Force Keyrate Per Computer Per Second = 10,000,000 (for example, a 1.7GHz P4-M can do 5mil/sec with LC4 on LM hashes, 800k/sec on NT hashes; larger is more pessimistic)
• Calculated Total Keys Guessed Per Second = 1,000,000,000 (a calculated value: the product of the two boxes above)
• Number of Special Character Symbols = 31 (the 31 standard LC4 symbols: !@#$%^&*()-_+=~`[]{}\:;'"<>,.?/ ; smaller is more pessimistic)
• Percentage of Randomness In Passphrase = 0.01% (see Notes tab; a crude fudge factor to account for cracker optimization and the actual entropy in the passphrase; smaller is more pessimistic)
• Does Adversary Know Exact Length? (1/0) = 1 (1 = Yes, 0 = No; 1 is more pessimistic)

Character sets (columns) and number of characters in each set:
lowercase only = 26 | lowercase, <space> = 27 | lowercase, numbers = 36 | lowercase, numbers, <space> = 37 | lowercase, uppercase = 52 | lowercase, uppercase, <space> = 53

Maximum Number of Days To Crack One Random Passphrase Of The Given Length And Character Set (divide in half for the AVERAGE number of days to crack). Rows for 1 to 9 characters are 0 in every column; #### marks a value too wide for its spreadsheet cell.

Chars | 26 | 27 | 36 | 37 | 52 | 53
10 | 0.0 | 0.0 | 0.0 | 0.0 | 0 | 0
11 | 0 | 0 | 0 | 0 | 9 | 11
12 | 0 | 0 | 5 | 8 | 452 | 569
13 | 3 | 5 | 197 | 282 | 23,525 | 30,135
14 | 75 | 127 | 7,108 | 10,431 | 1,223,300 | 1,597,160
15 | 1,941 | 3,419 | 255,873 | 385,933 | 63,611,614 | 84,649,481
16 | 50,473 | 92,322 | 9,211,413 | 14,279,528 | 3,307,803,906 | 4,486,422,512
17 | 1,312,300 | 2,492,701 | 331,610,880 | 528,342,524 | 172,005,803,104 | 237,780,393,121
18 | 34,119,803 | 67,302,936 | 11,937,991,665 | 19,548,673,392 | 8,944,301,761,426 | 12,602,360,835,397
19 | 887,114,890 | 1,817,179,281 | 429,767,699,937 | 723,300,915,499 | 465,103,691,594,175 | 667,925,124,276,035
20 | 23,064,987,147 | 49,063,840,596 | 15,471,637,197,736 | 26,762,133,873,450 | 24,185,391,962,897,100 | 35,400,031,586,629,900
21 | 599,689,665,828 | 1,324,723,696,101 | 556,978,939,118,489 | 990,198,953,317,665 | #### | 1,876,201,674,091,380,000
22 | 15,591,931,311,530 | 35,767,539,794,714 | #### | 36,637,361,272,753,600 | #### | 99,438,688,726,843,300,000
23 | #### | 965,723,574,457,269 | #### | 1,355,582,367,091,880,000 | #### | 5,270,250,502,522,700,000,000
24 | #### | #### | #### | 50,156,547,582,399,700,000 | #### | 279,323,276,633,703,000,000,000
25 | #### | #### | #### | 1,855,792,260,548,790,000,000 | #### | ####
26 | #### | #### | #### | 68,664,313,640,305,200,000,000 | #### | ####
27 to 50 | #### in every column

No point in calculating any further…
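The table above comes from a spreadsheet driven by the red-box assumptions. The Python below is an added example, not the presenters' spreadsheet, that recomputes the same figures from those assumptions (100 machines at 10 million guesses/sec each, the 0.01% randomness fudge, adversary knows the length), so the reader can see which assumption drives the numbers; the default model reproduces the slide's values, and the final line shows what happens without the fudge factor.

```python
"""Recompute the slide's 'days to crack' table from its stated assumptions."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400

# The six character sets from the slide and their sizes.
CHARACTER_SETS = {
    "lowercase only": 26,
    "lowercase, <space>": 27,
    "lowercase, numbers": 36,
    "lowercase, numbers, <space>": 37,
    "lowercase, uppercase": 52,
    "lowercase, uppercase, <space>": 53,
}


@dataclass(frozen=True)
class CrackModel:
    """The spreadsheet's red-box assumptions, with the slide's values as defaults."""
    computers: int = 100
    keys_per_computer_per_second: int = 10_000_000
    randomness_fraction: float = 0.0001   # the slide's "0.01% randomness" fudge factor
    adversary_knows_length: bool = True   # 1 in the slide: only one length is searched

    @property
    def keys_per_second(self) -> int:
        # "Calculated Total Keys Guessed Per Second" = 100 * 10,000,000 = 1e9
        return self.computers * self.keys_per_computer_per_second

    def keyspace(self, charset_size: int, length: int) -> int:
        if self.adversary_knows_length:
            return charset_size ** length
        # Otherwise every shorter length has to be tried as well.
        return sum(charset_size ** n for n in range(1, length + 1))

    def max_days(self, charset_size: int, length: int) -> float:
        """Worst case: the whole (fudged) keyspace is searched. Halve for the average."""
        keys_to_try = self.keyspace(charset_size, length) * self.randomness_fraction
        return keys_to_try / (self.keys_per_second * SECONDS_PER_DAY)


def crack_table(model: CrackModel, lengths=range(10, 25)) -> dict:
    """Rows = passphrase length, columns = character set, values = max days."""
    return {
        length: {name: model.max_days(size, length) for name, size in CHARACTER_SETS.items()}
        for length in lengths
    }


if __name__ == "__main__":
    model = CrackModel()
    for length, row in crack_table(model).items():
        cells = "  ".join(f"{days:>18,.0f}" for days in row.values())
        print(f"{length:>2}  {cells}")
    # Without the 0.01% fudge the 13-character lowercase phrase takes 10,000 times
    # longer (about 28,717 days): the fudge factor dominates the slide's numbers.
    print(round(CrackModel(randomness_fraction=1.0).max_days(26, 13)))
```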

Page 31

Defense in Depth

Patching & Updating: Set it and forget it! Setting up all machines to automatically download and install updates takes the guesswork out of it

Do not forget to patch and update all software used, not just the OS. This includes Microsoft Office, QuickTime, antivirus, anti-malware, etc.

Page 32

Network Level Defense: Border Patrol

Keeping the bad guys from reaching your users

Page 33

Network Level Defense: Router Security

Routers allow more fine-grained security measures to be implemented than their switch and hub brethren

• Networks can be segregated by VLANs
• Traffic can be engineered with access control lists

Page 34

Network Level Defense: Router Security

Lock down access to the router

• Always require a login, be it a local account, RADIUS authentication, etc.
• Restrict access only to those networks/IP addresses that should be accessing the device. Do you access this router from outside your work network? Do you only access this router from one particular workstation?

Page 35

Network Level Defense: Router Security

Lock down port access

• Restricting what can be plugged into your network and where reduces the occurrence of rogue routers/switches/hubs, wireless access points, and laptops
• Usually accomplished by MAC address restrictions

Page 36

Network Level Defense: Access Control Lists (ACLs)

A Standard ACL can restrict ingress and egress network traffic based upon the source IP, network, or subnet

An Extended ACL (Cisco) can restrict ingress and egress network traffic based upon source and destination networks, along with ports and protocols

Extremely important to map out EXACTLY what you want to allow/deny access to

As with Firewalls, better to maintain a “deny all, permit by exception” list

Page 37

Network Level Defense

• Routers apply lists sequentially in the order in which you type them into the router.
• Routers apply lists to packets sequentially, from top down, one line at a time.
• Packets are processed only until a match is made and then they are acted upon based on the access list criteria contained in the access list statements.
• Lists always end with an implicit deny. Routers discard any packets that do not match any of the access list statements.
• Access lists must be applied to an interface as either inbound or outbound traffic filters.
• Only one list per direction can be applied to an interface.

Page 38

Network Level Defense

! List 100 is in the extended range (100-199), which is required for the
! "source destination" form used below; the interface applies it as access-group 100.
ip access-list extended 100
 10 permit ip 64.251.55.0 0.0.0.15 any
 20 deny ip any any

interface Vlan2
 ip address 64.251.55.1 255.255.255.240
 ip access-group 100 in
 no ip unreachables

Example: Restricting network access only to one network

Permits any IP in the 64.251.55.0/28 network to go anywhere, denies all else

Applied INBOUND to the VLAN interface. Inbound means traffic coming into that interface from machines internal to your network

Page 39

Network Level Defense

ip access-list extended School_Security
 permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 eq smtp
 permit tcp 10.10.10.0 0.0.0.255 160.241.0.0 0.0.255.255 eq smtp
 deny tcp any any eq smtp
 deny udp any any eq snmp
 permit tcp 10.10.10.0 0.0.0.255 any eq www
 permit tcp 10.10.10.0 0.0.0.255 any eq 8888
 deny ip any any

Example: Restricting traffic even more with extended ACLs

This ACL allows SMTP access from the 10.10.10.0/24 network only to the two networks stated and denies all other SMTP. Next, access to WWW and TCP port 8888 is allowed, nothing else. This example works in direct conjunction with our HTTPS proxy
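The first-match rules from the previous slide can be checked against the School_Security list directly. The Python below is an added example (not a Cisco tool or the presenters' code) that parses the list, applies wildcard masks the way IOS does, and evaluates constructed sample packets top-down, stopping at the first match and falling back to the implicit deny; it assumes the IOS port keywords smtp, snmp and www stand for ports 25, 161 and 80.

```python
"""Top-down, first-match evaluation of the slide's School_Security ACL."""
import ipaddress

# IOS port keywords used in the slide's ACL (assumed mapping: smtp=25, snmp=161, www=80).
PORT_NAMES = {"smtp": 25, "snmp": 161, "www": 80}

# The ACL exactly as shown on the slide (entries only; the header line is omitted).
SCHOOL_SECURITY = """\
permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 eq smtp
permit tcp 10.10.10.0 0.0.0.255 160.241.0.0 0.0.255.255 eq smtp
deny tcp any any eq smtp
deny udp any any eq snmp
permit tcp 10.10.10.0 0.0.0.255 any eq www
permit tcp 10.10.10.0 0.0.0.255 any eq 8888
deny ip any any
"""


def _parse_addr(tokens):
    """Consume 'any' or 'address wildcard'; return (network, care_mask, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]                      # care about no bits at all
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    care = 0xFFFFFFFF ^ wildcard                     # wildcard 1-bits are "don't care"
    return addr & care, care, tokens[2:]


def parse_acl(text):
    """Return the ACL as an ordered list of (action, proto, src, src_care, dst, dst_care, port)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        src, src_care, rest = _parse_addr(tokens[2:])
        dst, dst_care, rest = _parse_addr(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, src_care, dst, dst_care, port))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """Walk the list top-down; return (action, 1-based line) of the first match,
    or ('deny', None) for the implicit deny when nothing matched."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for lineno, (action, p, src, src_care, dst, dst_care, port) in enumerate(entries, 1):
        if p != "ip" and p != proto:                 # 'ip' matches every protocol
            continue
        if (s & src_care) != src or (d & dst_care) != dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action, lineno                        # processing stops at the first match
    return "deny", None                              # implicit deny at the end of every list
```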

Page 40

Network Level Defense: Firewalls

A firewall is similar to a wall around a city or a wall around a building. It can prevent traffic from going into or out of the city except through designated gates. Another term for these gates would be ports. For example, if you want someone to be able to send you email, you would open up a specific gate and email could get into your network.

Page 41

Network Level Defense: Firewalls

• Network Layer: Packet filtering usually based on source IP address, source port, destination IP address or port, destination service like WWW or FTP
• Application Layer: Filters for applications, like XML/WWW/FTP, to provide more protection for the specified application
• Proxies: May be used in a firewall fashion to hide internal networks

Page 42

Network Level Defense: Wireless Security

• Restrict access! No public access should be available
• Disable SSID broadcasting
• Restrict access to known users (by MAC)
• ENCRYPT ENCRYPT ENCRYPT!!! Even if you only use WEP, use it. Consult your product documentation for instructions

Page 43

“Best Practices” Summary

Document your network

Research your products

Inform and educate your users

Set a security policy and follow it

Be proactive or suffer the consequences of only reacting to events

Multiple layers of security: Network and Desktop

Passwords!

Patch and Update everything

Secure ALL wireless connections!!!

DENY ALL PERMIT BY EXCEPTION