Guide to TCP/IP
Fourth Edition
Chapter 12:
Securing TCP/IP Environments
Objectives
• Explain basic concepts and principles for
maintaining computer and network security
• Explain the anatomy of an IP attack
• Recognize common points of attacks inherent in
TCP/IP architecture
• Explain how to maintain IP security
• Discuss the importance of honeypots and
honeynets for network security
© 2013 Course Technology/Cengage Learning. All Rights Reserved.
Understanding Network Security
Basics
• Hacker
– Someone who uses computer and communications
knowledge to exploit information or the functionality
of a device
• Cracker
– Person who attempts to break into a system for
malicious purposes
• Protecting a system or network means
– Closing the door against outside attack
– Protecting your systems, data, and applications from
any sources of damage or harm
Understanding Network Security
Basics (cont’d.)
• Physical security
– Synonymous with “controlling physical access”
– Should be carefully monitored
• Personnel security
– Important to formulate a security policy for your
organization
• System and network security includes
– Analyzing the current software environment
– Identifying and eliminating potential points of
exposure
Principles of IP Security
• Key principles
– Avoid unnecessary exposure
– Block all unused ports
– Prevent internal address “spoofing”
– Filter out unwanted addresses
– Exclude access by default, include access by
exception
– Restrict outside access to “compromisable” hosts
– Protect all clients and servers from obvious attack
– Do unto yourself before others do unto you
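The principles above (block unused ports, prevent internal address spoofing, filter unwanted addresses, exclude by default and include by exception) can be read as a single decision procedure for a boundary router. The following is an added illustration, not code from the book; the address ranges, the allow-list entries and the Packet fields are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass

# Constructed internal address space (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Access is excluded by default; only these (proto, dst port) pairs are
# allowed in from the outside, and only to the listed hosts.
ALLOWED_INBOUND = {
    ("tcp", 443): {ipaddress.ip_address("10.0.5.10")},   # public web server
    ("udp", 500): {ipaddress.ip_address("10.0.5.20")},   # IPSec IKE gateway
}
# Source ranges that are filtered out regardless of destination or port.
BLOCKED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class Packet:
    iface: str      # "ext" = the boundary router's outside interface
    proto: str
    src: str
    dst: str
    dport: int

def decide(pkt: Packet) -> tuple:
    """Return (verdict, reason) for a packet arriving at the border."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Prevent internal address spoofing: a packet carrying an internal
    # source address can never legitimately arrive on the outside interface.
    if pkt.iface == "ext" and any(src in n for n in INTERNAL_NETS):
        return ("DROP", "spoofed internal source on external interface")
    # Filter out unwanted addresses.
    if any(src in n for n in BLOCKED_SOURCES):
        return ("DROP", "source address on block list")
    # Include access by exception: only listed service/host pairs pass.
    hosts = ALLOWED_INBOUND.get((pkt.proto, pkt.dport))
    if hosts and dst in hosts:
        return ("ACCEPT", "explicitly allowed service")
    # Exclude access by default; this is also what blocks all unused ports.
    return ("DROP", "no rule allows this traffic")
```

The order of the checks matters: the anti-spoofing and block-list tests run before any allow rule, so an allowed service port cannot be used to slip a spoofed or blocked source past the policy.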
Typical TCP/IP Attacks, Exploits, and
Break-Ins
• Basic fundamental protocols
– Offer no built-in security controls
• Successful attacks against TCP/IP networks and
services rely on two powerful weapons
– Profiling or footprinting tools
– A working knowledge of known weaknesses or
implementation problems
Key Terminology
• An attack
– Some kind of attempt to obtain access to information
• An exploit
– Documents a vulnerability
• A break-in
– Successful attempt to compromise a system’s
security
Key Weaknesses in TCP/IP
• Ways in which TCP/IP can be attacked
– Bad guys can:
• Attempt to impersonate valid users
• Attempt to take over existing communications
sessions
• Attempt to snoop inside packets moving across the
Internet
• Utilize a technique known as IP spoofing
• Perform a denial of service, or DoS, attack
Flexibility versus Security
• Designers of TCP/IP and most other protocols
– Try to make their protocols as flexible as possible
• The interaction between these protocols and IP
– Is what gets compromised most often
• Question to answer
– Is the security of your data worth the effort to prevent
the attack?
– In most cases, that answer is “Yes!”
Common Types of IP-Related Attacks
• DoS attacks
• Man-in-the-middle (MITM) attacks
• IP service attacks
• IP service implementation vulnerabilities
• Insecure IP protocols and services
Which IP Services Are Most
Vulnerable?
• Remote logon service
– Includes Telnet remote terminal emulation service,
as well as the Berkeley remote utilities
• Remote control programs
– Can pose security threats
• Services that permit anonymous access
– Makes anonymous Web and FTP conspicuous
targets
Holes, Back Doors, and Other Illicit
Points of Entry
• Hole
– Weak spot or known place of attack on any common
operating system, application, or service
• Back door
– Undocumented and illicit point of entry into an
operating system or application
• Vulnerability
– Weakness that can be accidentally triggered or
intentionally exploited
Phases of IP Attacks
• IP attacks typically follow a set pattern
– Reconnaissance or discovery process
– Attacker focuses on the attack itself
– A stealthy attacker may cover his or her tracks by deleting
log files or terminating any active direct connections
Reconnaissance and Discovery
Phases
• PING sweep
– Can identify active hosts on an IP network
• Port probe
– Detect UDP- and TCP-based services running on a
host
• Purpose of reconnaissance
– To find out what you have and what is vulnerable
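Both reconnaissance steps on this slide leave a recognizable footprint in boundary-device logs: a PING sweep is one source sending ICMP echo to many hosts, and a port probe is one source touching many ports on one host. The following detector is an added example, not code from the book; the log format, the addresses and the thresholds are constructed assumptions:

```python
from collections import defaultdict

# Constructed firewall log lines (not from the slides): time, action, proto,
# src, dst and, for TCP/UDP, the destination port.
LOG = """\
12:00:01 DROP ICMP 198.51.100.9 10.0.5.1 echo
12:00:01 DROP ICMP 198.51.100.9 10.0.5.2 echo
12:00:01 DROP ICMP 198.51.100.9 10.0.5.3 echo
12:00:02 DROP ICMP 198.51.100.9 10.0.5.4 echo
12:00:02 DROP ICMP 198.51.100.9 10.0.5.5 echo
12:00:02 DROP ICMP 198.51.100.9 10.0.5.6 echo
12:00:05 DROP TCP 203.0.113.7 10.0.5.10 21
12:00:05 DROP TCP 203.0.113.7 10.0.5.10 22
12:00:05 DROP TCP 203.0.113.7 10.0.5.10 23
12:00:05 ACCEPT TCP 203.0.113.7 10.0.5.10 80
12:00:06 DROP TCP 203.0.113.7 10.0.5.10 139
12:00:06 DROP UDP 203.0.113.7 10.0.5.10 161
12:00:09 ACCEPT TCP 192.0.2.44 10.0.5.10 443
"""

def parse(line):
    """Split one log line into its fields; ICMP lines carry no port."""
    f = line.split()
    port = int(f[5]) if f[2] in ("TCP", "UDP") else None
    return {"time": f[0], "proto": f[2], "src": f[3], "dst": f[4], "port": port}

def find_recon(log, sweep_hosts=5, probe_ports=5):
    """Flag sources that look like a PING sweep (many distinct hosts reached
    by ICMP echo) or a port probe (many distinct TCP/UDP ports on one host).
    Accepted connections count too: a probe also hits the ports you allow."""
    echo_targets = defaultdict(set)    # src -> hosts that received echo
    probed_ports = defaultdict(set)    # (src, dst) -> (proto, port) touched
    for line in log.splitlines():
        e = parse(line)
        if e["proto"] == "ICMP":
            echo_targets[e["src"]].add(e["dst"])
        else:
            probed_ports[(e["src"], e["dst"])].add((e["proto"], e["port"]))
    findings = []
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_hosts:
            findings.append(("ping_sweep", src, len(hosts)))
    for (src, dst), ports in probed_ports.items():
        if len(ports) >= probe_ports:
            findings.append(("port_probe", src, len(ports)))
    return findings
```

Real deployments key the counters on a time window as well, so that a slow probe spread over hours is not missed and a busy legitimate client is not flagged.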
Attack
• The attack
– May encompass a brute force attack process that
overwhelms a victim
Cover-Up
• In an effort to escape detection
– Many attackers delete log files that could indicate an
attack occurred
• Computer forensics
– May be necessary to identify traces from an attacker
winding his or her way through a system
Common Attacks and Entry Points in
More Detail
• TCP/IP
– By its very nature, a trusting protocol stack
• Designers, implementers, and product developers
– Have tried to secure the protocol and plug holes or
vulnerabilities whenever possible
Viruses, Worms, and Trojan Horse
Programs
• Malicious code (malware)
– Can disrupt operations or corrupt data
• Viruses, worms (mobile code), and Trojan horses
– Three such types of malicious code
Adware and Spyware
• Adware
– Displays all kinds of unsolicited and unwanted
advertising, often of an unsavory nature
• Spyware
– Unsolicited and unwanted software
– Stealthily takes up unauthorized and uninvited
residence on a computer
Denial of Service Attacks
• Designed to interrupt or completely disrupt operations of a network device or communications
• DoS-related attacks include:
– SYN Flood
– Broadcast amplification
– Buffer overflow
Distributed Denial of Service Attacks
• DoS attacks launched from numerous devices
• DDoS attacks consist of four main elements
– Attacker
– Handler
– Agent
– Victim
Buffer Overflows/Overruns
• Exploit a weakness in many programs that expect
to receive a fixed amount of input
• In some cases, extra data can be used to execute
commands on the computer
– With the same privileges as the program it overruns
Spoofing
• Borrowing identity information to hide or deflect
interest in attack activities
• NetBIOS attacks
– Attacker sends spoofed NetBIOS Name Release or
NetBIOS Name Conflict messages to a victim
machine
TCP Session Hijacking
• Purpose of an attack
– To masquerade as an authorized user to gain
access to a system
• Once a session is hijacked
– The attacker can send packets to the server to
execute commands, change passwords, or worse
Network Sniffing
• One method of passive network attack
– Based on network “sniffing,” or eavesdropping, using
a protocol analyzer or other sniffing software
• Network analyzers available to eavesdrop on
networks include:
– tcpdump (UNIX)
– OmniPeek (Windows)
– Network Monitor (Windows)
– Wireshark
Maintaining IP Security
• The following sections cover some of the elements that must
be included as part of routine security maintenance
Applying Security Patches and Fixes
• Microsoft security bulletins
– May be accessed or searched at:
http://technet.microsoft.com/en-us/security/bulletin
• Essential to know about security patches and fixes
and to install them
• Security Update Process
– Evaluate the vulnerability
– Retrieve the patch or update
– Test the patch or update
– Deploy the patch or update
Knowing Which Ports to Block
• Many exploits and attacks are based on common
vulnerabilities
Using IP Security (IPSec)
• RFC 2401 says the goals of IPSec are to provide
the following kinds of security
– Access control
– Connectionless integrity
– Data origin authentication
– Protection against replays
– Confidentiality
– Limited traffic flow confidentiality
Protecting the Perimeter of the
Network
• Important devices and services used to protect the
perimeter of networks
– Bastion host
– Boundary (or border) router
– Demilitarized zone (DMZ)
– Firewall
– Network address translation
– Proxy server
– Screening host
– Screening router
Major Firewall Elements
• Firewalls usually incorporate four major elements:
– Screening router functions
– Proxy service functions
– “Stateful inspection” of packet sequences and
services
– Virtual Private Network services
Basics of Proxy Servers
• Proxy servers
– Can perform “reverse proxying”
• Exposes a service inside a network to outside users,
as if it resides on the proxy server itself
• Caching
– An important proxy behavior
• Cache
– Potentially valuable location for a system attack
Implementing Firewalls
• Linking an internal network to the Internet without
managing the boundary between them
– Is blatantly irresponsible
Step-by-Step Firewall Planning and
Implementing
• Useful steps when planning and implementing firewalls and proxy servers
– Plan
– Establish requirements
– Install
– Configure
– Test
– Attack
– Tune
– Implement
– Monitor and maintain
Roles of IDS and IPS in IP Security
• Intrusion detection systems
– Make it easier to automate recognizing and
responding to potential attacks
• Increasingly, firewalls include hooks
– That allow them to interact with IDSs, or include their
own built-in IDS capabilities
• IPSs make access control decisions on the basis of
application content
Honeypots and Honeynets
• Honeypot
– Computer system deliberately set up to entice and
trap attackers
• Honeynet
– Broadens honeypot concept from a single system to
what looks like a network of such systems
Summary
• An attack
– An attempt to compromise the privacy and integrity
of an organization’s information assets
• In its original form, TCP/IP implemented an
optimistic security model
• Basic principles of IP security
– Include avoiding unnecessary exposure by blocking
all unused ports
• Necessary to protect systems and networks from
malicious code
– Such as viruses, worms, and Trojan horses
Summary (cont’d.)
• Would-be attackers
– Usually engage in a well-understood sequence of
activities, called reconnaissance and discovery
• Maintaining system and network security involves
constant activity
– Must keep up with security news and information
• Keeping operating systems secure in the face of
new vulnerabilities
– A necessary and ongoing process
• A honeypot is a computer system deliberately set
up to entice and trap attackers