
Guide to TCP/IP, Third Edition

Guide to TCP/IP, Third Edition. Chapter 9: Securing TCP/IP Environments. Objectives. Understand basic concepts and principles for maintaining computer and network security Understand the anatomy of an IP attack Recognize common points of attacks inherent in TCP/IP architecture

rferron




Presentation Transcript


  1. Guide to TCP/IP, Third Edition Chapter 9: Securing TCP/IP Environments

  2. Objectives
     • Understand basic concepts and principles for maintaining computer and network security
     • Understand the anatomy of an IP attack
     • Recognize common points of attack inherent in the TCP/IP architecture
     • Maintain IP security (recognize and fix IP security problems before an attacker finds them)

  3. Objectives (continued)
     • Understand security policies and recovery plans
     • Understand new and improved security features in Windows XP Professional and Windows Server 2003
     • Discuss the importance of honeypots and honeynets for network security

  4. Understand Computer and Network Security
     • Protecting a system or network means
       • Closing the door against outside attack
       • Protecting your systems, data, and applications from any source of damage or harm
     • The 2005 Computer Crime Survey
       • Virus and worm infections were among the top problems leading to financial loss

  5. Principles of IP Security
     • Physical security
       • Synonymous with “controlling physical access”
       • Should be carefully monitored
     • Personnel security
       • Important to formulate a security policy for your organization
     • System and network security includes
       • Analyzing the current software environment
       • Identifying and eliminating potential points of exposure

  6. Understanding Typical IP Attacks, Exploits, and Break-Ins
     • The basic TCP/IP protocols (IP, TCP, UDP, ICMP)
       • Offer no built-in security controls: nothing authenticates a packet’s source address, and nothing protects its contents from being read or altered in transit
     • Successful attacks against TCP/IP networks and services rely on two powerful weapons
       • Profiling or footprinting tools
       • A working knowledge of known weaknesses or implementation problems

  7. Key Terminology in Network and Computer Security
     • An attack
       • Some kind of attempt to obtain unauthorized access to information or resources
     • An exploit
       • A documented vulnerability together with the technique (or code) that takes advantage of it
     • A break-in
       • A successful attempt to compromise a system’s security

  8. Key Weaknesses in TCP/IP
     • Ways in which TCP/IP can be attacked: bad guys can
       • Attempt to impersonate valid users
       • Attempt to take over existing communications sessions
       • Attempt to snoop inside traffic moving across the Internet
       • Utilize a technique known as IP spoofing

  9. Common Types of IP-Related Attacks
     • DoS attacks
     • Man-in-the-middle (MITM) attacks
     • IP service attacks
     • IP service implementation vulnerabilities
     • Insecure IP protocols and services

  10. What IP Services Are Most Vulnerable?
     • Remote logon services
       • Include the Telnet remote terminal emulation service and the Berkeley remote utilities (rlogin, rsh, rcp), all of which carry credentials and session data in cleartext
     • Remote control programs
       • Can pose security threats
     • Services that permit anonymous access
       • Make anonymous Web and FTP servers conspicuous targets

  11. Holes, Back Doors, and Other Illicit Points of Entry
     • Hole
       • Weak spot or known place of attack on any common operating system, application, or service
     • Back door
       • Undocumented and illicit point of entry into an operating system or application
     • Vulnerability
       • Weakness that can be accidentally triggered or intentionally exploited

  12. The Anatomy of IP Attacks
     • IP attacks typically follow a set pattern
       • Reconnaissance or discovery process
       • The attacker focuses on the attack itself
       • A stealthy attacker may cover their tracks by deleting log files or terminating any active direct connections

  13. Reconnaissance and Discovery Processes
     • PING sweep
       • Sends ICMP Echo Requests to every address in a range to identify the active hosts on an IP network
     • Port probe
       • Attempts to reach each port on a host to detect the UDP- and TCP-based services running there
     • Purpose of reconnaissance
       • To find out what you have and what is vulnerable

  14. Reconnaissance and Discovery Processes (continued)
     • The attack
       • May encompass a brute force attack process that overwhelms a victim
     • Computer forensics
       • May be necessary to identify the traces left by an attacker winding his or her way through a system

  15. Common IP Points of Attack
     • Virus
       • Any self-replicating program that works for its own purposes
     • Classes
       • File infectors
       • System or boot-record infectors
       • Macro viruses

  16. Worms
     • A kind of virus that eschews most activity except as it relates to self-replication
     • MSBlaster worm
       • Unleashed in August 2003
       • Exploited the RPC DCOM buffer overflow vulnerability in Microsoft Windows
     • Hex reader (hex editor)
       • Lets you look at the raw bytes of suspect files without launching them

  17. Trojan Horse Programs
     • Masquerade as innocuous or built-to-purpose programs
     • Conceal abilities that permit others to take over and operate unprotected systems remotely
     • Must be installed on a computer system to run
     • Back Orifice
       • Example of a Trojan horse program

  18. Denial of Service Attacks
     • Designed to interrupt or completely disrupt operations of a network device or communications
     • SYN Flood attack
       • Abuses the three-way TCP handshake: the attacker sends a stream of SYN segments (usually from spoofed sources) and never completes the handshake, so the victim’s table of half-open connections fills up and new clients are refused
     • Broadcast amplification attack
       • Malicious host crafts ICMP Echo Requests with the victim’s address as the source and sends them to a broadcast address; every host on that subnet replies to the victim
     • Windows 2000 UPnP DoS attack
       • Specially crafted request packet is sent that causes services.exe to exhaust all virtual memory resources
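The two DoS signatures on this slide can be recognised from traffic alone. The following Python is an added example, not code from the textbook: it runs a half-open-connection counter (SYN flood) and an echo-to-broadcast check (broadcast amplification) over constructed packet records. The record layout, the addresses, the window and the threshold are assumptions chosen for the illustration.

```python
"""Rate-based detection of two DoS signatures, run over constructed packet
records (added example; records, thresholds and window are assumptions,
not data from the textbook).

  SYN flood: many SYNs to one service whose handshakes are never completed
  Broadcast amplification (smurf): ICMP Echo Requests aimed at a subnet's
  broadcast address, with the victim forged as the source
"""
import ipaddress
from collections import defaultdict

SYN, ACK = 0x02, 0x10

# Constructed records: (seconds, proto, src, sport, dst, dport, tcp_flags_or_icmp_type)
PACKETS = [
    (0.00, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, SYN),
    (0.01, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, ACK),   # third step: handshake done
] + [
    # fifty SYNs from spoofed sources that never send the third-step ACK
    (0.1 + i * 0.001, "tcp", f"198.51.100.{i + 1}", 1024 + i, "192.0.2.10", 80, SYN)
    for i in range(50)
] + [
    (0.5, "icmp", "192.0.2.10", 0, "10.0.0.255", 0, 8),   # Echo Request to broadcast, src = victim
    (0.6, "icmp", "10.0.0.7", 0, "10.0.0.1", 0, 8),        # ordinary unicast ping, benign
]


def detect_syn_flood(packets, window=1.0, threshold=20):
    """Return {(dst, dport): n} for services with more than `threshold`
    half-open connections started within any `window` seconds.

    A connection is half-open when the client's SYN was seen but the
    client's ACK (third handshake step) never followed.
    """
    pending = {}                               # (src, sport, dst, dport) -> SYN time
    for t, proto, src, sport, dst, dport, flags in packets:
        if proto != "tcp":
            continue
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            pending[key] = t
        elif flags & ACK and key in pending:
            del pending[key]                   # completed, so not part of a flood

    half_open = defaultdict(list)              # (dst, dport) -> SYN times still pending
    for (_, _, dst, dport), t in pending.items():
        half_open[(dst, dport)].append(t)

    alerts = {}
    for service, times in half_open.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):         # sliding window over sorted SYN times
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best > threshold:
            alerts[service] = best
    return alerts


def detect_smurf(packets, local_nets=("10.0.0.0/24",)):
    """Return (spoofed_source, broadcast_dst) for ICMP Echo Requests (type 8)
    addressed to the broadcast address of one of our subnets."""
    broadcasts = {str(ipaddress.ip_network(n).broadcast_address) for n in local_nets}
    return [(src, dst) for _, proto, src, _, dst, _, typ in packets
            if proto == "icmp" and typ == 8 and dst in broadcasts]


if __name__ == "__main__":
    print("SYN flood:", detect_syn_flood(PACKETS))
    print("Smurf:", detect_smurf(PACKETS))
```

On the constructed records the first function reports fifty half-open connections against 192.0.2.10:80 and the second names 192.0.2.10 as the spoofed source of the broadcast ping. Detection is only half the answer: servers defend against SYN floods with SYN cookies (or short half-open timeouts), and routers stop acting as amplifiers when directed broadcasts are disabled on their interfaces (on Cisco IOS, `no ip directed-broadcast`).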

  19. Distributed Denial of Service Attacks
     • DoS attacks launched from numerous devices
     • DDoS attacks consist of four main elements
       • Attacker
       • Handler
       • Agent
       • Victim


  21. Buffer Overflows/Overruns
     • Exploit a weakness in many programs that expect to receive a fixed amount of input but never check that what arrives actually fits the buffer; the excess overwrites adjacent memory
     • Adware
       • Opens the door for a compromised machine to display unsolicited and unwanted advertising
     • Spyware
       • Unsolicited and unwanted software that
         • Takes up stealthy, unauthorized, and uninvited residence on a computer

  22. Spoofing
     • Borrowing identity information (typically a forged IP source address) to hide or deflect interest in attack activities
     • Ingress filtering
       • Applying restrictions to traffic entering a network: drop packets whose source address could not legitimately arrive on that interface
     • Egress filtering
       • Applying restrictions to traffic leaving a network: drop packets whose source address does not belong to the network (RFC 2827 / BCP 38)
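Ingress and egress filtering are simple to state as rules on the source address alone. The following Python is an added example, not code from the textbook or any vendor: a border-router policy that drops inbound packets claiming an internal or unroutable source and outbound packets that do not carry one of the site’s own prefixes. The prefixes, the bogon list and the sample packets are assumptions.

```python
"""BCP 38 style anti-spoofing filter for a border router (added example;
the prefixes and packets are constructed assumptions, not from the textbook).

Only the IP source address is examined, no payload:
  ingress (from the Internet): deny if the source claims one of our prefixes,
                               or is an address that can never legitimately
                               arrive from outside (private, loopback, ...)
  egress  (to the Internet):   deny unless the source is one of our prefixes,
                               so our own hosts cannot launch spoofed attacks
"""
import ipaddress

# Assumed: the address blocks this site announces (documentation prefixes)
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "203.0.113.0/24")]

# Sources that must never appear on the external interface
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def is_ours(addr):
    return any(addr in net for net in OUR_PREFIXES)


def is_bogon(addr):
    return any(addr in net for net in BOGON_PREFIXES)


def filter_packet(direction, src, dst):
    """Return ('permit' | 'deny', reason) for one packet crossing the border."""
    s = ipaddress.ip_address(src)
    if direction == "ingress":
        if is_ours(s):
            return "deny", "external packet claims an internal source (spoofed)"
        if is_bogon(s):
            return "deny", "unroutable (bogon) source address"
        return "permit", ""
    if direction == "egress":
        if not is_ours(s):
            return "deny", "outbound packet with a foreign source (spoofing from inside)"
        return "permit", ""
    raise ValueError("direction must be 'ingress' or 'egress'")


def apply_policy(packets):
    """Run (direction, src, dst) triples through the policy; keep the decision and reason."""
    return [(d, src, dst) + filter_packet(d, src, dst) for d, src, dst in packets]


if __name__ == "__main__":
    # Constructed sample traffic
    sample = [
        ("ingress", "198.51.100.4", "192.0.2.10"),   # ordinary inbound
        ("ingress", "192.0.2.7", "192.0.2.10"),      # outside host pretending to be inside
        ("ingress", "10.1.2.3", "192.0.2.10"),       # private source from the Internet
        ("egress", "192.0.2.7", "198.51.100.4"),     # ordinary outbound
        ("egress", "8.8.8.8", "198.51.100.4"),       # inside host spoofing a foreign source
    ]
    for row in apply_policy(sample):
        print("%-7s %-15s -> %-15s %-6s %s" % row)
```

The egress rule is what stops a compromised internal host from joining a spoofed-source flood; it assumes the site really does originate only from its own prefixes, so a multihomed site with asymmetric routing has to list every prefix it legitimately sources.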

  23. TCP Session Hijacking
     • Purpose of the attack
       • To masquerade as an authorized user to gain access to a system
     • Requires the attacker to know (by sniffing) or predict the session’s current sequence and acknowledgment numbers
     • Once a session is hijacked
       • The attacker can send packets to the server to execute commands, change passwords, or worse; the legitimate client is left out of sync with the server
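The mechanism behind hijacking is that a TCP receiver trusts whichever segment arrives with the right address pair and the next expected sequence number, not the user who authenticated. The following Python is an added example, not code from the textbook: a simulated server-side connection state, a legitimate client, and an attacker who injects one command with the predicted sequence number. Addresses, ports, sequence numbers and commands are constructed assumptions.

```python
"""Why TCP session hijacking works (added example with a simulated server-side
TCP state; the addresses, ports, sequence numbers and commands are constructed
assumptions, not from the textbook)."""


class ServerSession:
    """Minimal receive side of one established TCP connection."""

    def __init__(self, peer, peer_port, rcv_nxt):
        self.peer, self.peer_port = peer, peer_port
        self.rcv_nxt = rcv_nxt            # next in-order byte the server expects
        self.executed = []                # commands the application acted on
        self.rejected = 0                 # segments dropped as out of order

    def receive(self, src, sport, seq, payload):
        """Accept the segment only if the 4-tuple matches and it is in order.

        Nothing here asks who is typing: a spoofed source address plus the
        right sequence number is indistinguishable from the real client.
        """
        if (src, sport) != (self.peer, self.peer_port) or seq != self.rcv_nxt:
            self.rejected += 1            # real TCP would reply with an ACK carrying
            return False                  # rcv_nxt, the start of an ACK storm
        self.rcv_nxt += len(payload)
        self.executed.append(payload.decode())
        return True


def hijack_scenario():
    """Legitimate client talks; attacker injects with the predicted seq; client is desynchronised."""
    client = ("10.0.0.5", 40000)
    srv = ServerSession(*client, rcv_nxt=1000)

    # Legitimate traffic: seq 1000, three bytes, server now expects 1003
    srv.receive(*client, 1000, b"ls\n")

    # Attacker sniffed (or predicted) rcv_nxt = 1003 and forges the client's address
    injected = srv.receive(client[0], client[1], 1003, b"passwd attacker\n")

    # The real client still thinks its next byte is 1003, so its segment is rejected
    legit_after = srv.receive(*client, 1003, b"pwd\n")
    return srv, injected, legit_after


if __name__ == "__main__":
    srv, injected, legit_after = hijack_scenario()
    print("attacker's command accepted:", injected)
    print("client's next command accepted:", legit_after)
    print("commands the server executed:", srv.executed)
```

The defence is not better sequence-number randomisation alone (that only defeats blind prediction, not an attacker who can sniff the segment) but authenticating and integrity-protecting the session above TCP, for example SSH instead of Telnet, or IPsec below it.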

  24. Network Sniffing
     • One method of passive network attack
       • Based on network “sniffing,” or eavesdropping using a protocol analyzer or other sniffing software
     • Network analyzers available to eavesdrop on networks include
       • tcpdump (UNIX)
       • EtherPeek (Windows)
       • Network Monitor (Windows)
       • AiroPeek Wireless (Windows)
       • Ethereal for Windows (since renamed Wireshark)
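What a sniffer actually does is decode the headers of each frame it sees and present the application data, which for Telnet, FTP and POP3 includes the login. The following Python is an added example, not code from the textbook or from any of the tools listed: it builds one Ethernet/IPv4/TCP frame (constructed, not a real capture, and the credentials in it are invented), decodes it with struct, verifies the IP header checksum, and pulls USER/PASS lines out of the cleartext payload.

```python
"""Passive eavesdropping in miniature: decode a raw Ethernet/IPv4/TCP frame and
extract the cleartext application data, the way tcpdump or Ethereal shows it.
Added example; the frame is constructed by build_frame() (not a real capture)
and the credentials in it are made up."""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")    # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")      # 20-byte TCP header, no options


def ip_checksum(hdr):
    """One's-complement sum over 16-bit words (RFC 791). Over a header whose
    checksum field is already correct the result is 0."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip4(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame (PSH+ACK) carrying `payload`.
    The TCP checksum is left zero; this is a test fixture, not a real stack."""
    tcp = TCP_HDR.pack(sport, dport, 1000, 5000, 5 << 4, 0x18, 8192, 0, 0) + payload
    total_len = IP_HDR.size + len(tcp)
    ip = IP_HDR.pack(0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    eth = ETH_HDR.pack(bytes.fromhex("00115a0f1e2d"), bytes.fromhex("0019b9c3d4e5"), 0x0800)
    return eth + ip + tcp


def decode_frame(frame):
    """Return the addressing tuple plus application payload, like a sniffer's summary line."""
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    off = ETH_HDR.size
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = IP_HDR.unpack_from(frame, off)
    ihl = (vihl & 0x0F) * 4
    if ip_checksum(frame[off:off + ihl]) != 0:
        raise ValueError("bad IP header checksum")
    if proto != 6:
        raise ValueError("not TCP")
    off += ihl
    sport, dport, _seq, _ack, data_off, flags, _win, _tsum, _urg = TCP_HDR.unpack_from(frame, off)
    off += (data_off >> 4) * 4
    payload = frame[off:ETH_HDR.size + total_len]
    return {"src": "%d.%d.%d.%d" % tuple(src), "dst": "%d.%d.%d.%d" % tuple(dst),
            "sport": sport, "dport": dport, "flags": flags, "payload": payload}


def sniff_credentials(frames):
    """Pick cleartext USER/PASS lines out of FTP (21), Telnet (23) and POP3 (110) traffic."""
    found = []
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt["dport"] in (21, 23, 110):
            for line in pkt["payload"].splitlines():
                if line.upper().startswith((b"USER ", b"PASS ")):
                    found.append((pkt["src"], pkt["dst"], pkt["dport"], line.decode()))
    return found


if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "192.0.2.21", 40000, 21, b"USER alice\r\nPASS hunter2\r\n")
    print(decode_frame(frame))
    print(sniff_credentials([frame]))
```

A real sniffer reads frames from the interface in promiscuous mode (or from a mirror port) instead of building them; the decoding is the same. The lesson the slide is making is visible in the last line of output: the FTP password is right there in the bytes, which is why the remote-logon services from slide 10 should be replaced by SSH, SFTP or TLS-wrapped equivalents.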



  27. Maintaining IP Security
     • Microsoft security bulletins
       • May be accessed or searched through the Security Bulletins section at: www.microsoft.com/security/default.mspx
       • Essential to know about security patches and fixes and to install them
     • Knowing which ports to block
       • Many exploits and attacks are based on common vulnerabilities in well-known services; block every port whose service you do not actually need


  29. Recognizing Attack Signatures
     • Most attacks have an attack signature
       • A recognizable pattern in packets or logs by which they may be recognized or identified
     • Signatures may be used to
       • Drive IDS devices
       • Serve as network analyzer (capture) filters as well



  32. Using IP Security
     • RFC 2401 (since superseded by RFC 4301, which keeps the same goals) says the goals of IPsec are to provide the following kinds of security
       • Access control
       • Connectionless integrity
       • Data origin authentication
       • Protection against replays
       • Confidentiality
       • Limited traffic flow confidentiality

  33. Protecting the Perimeter of the Network
     • Important devices and services used to protect the perimeter of networks
       • Bastion host
       • Boundary (or border) router
       • Demilitarized zone (DMZ)
       • Firewall
       • Network address translation
       • Proxy server

  34. Understanding the Basics of Firewalls
     • Firewall
       • Barrier that controls traffic flow and access between networks
       • Designed to inspect incoming traffic and block or filter traffic based on a variety of criteria
       • Normally sits astride the boundary between a public network and the private networks inside an organization

  35. Useful Firewall Specifics
     • Firewalls usually incorporate four major elements:
       • Screening router functions
       • Proxy service functions
       • “Stateful inspection” of packet sequences and services
       • Virtual Private Network services
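“Stateful inspection” is the element that separates a firewall from a screening router: the firewall remembers which connections inside hosts opened and admits inbound segments only when they belong to one. The following Python is an added example, not code from the textbook or any firewall product: a connection table keyed on the TCP 4-tuple, with a scenario showing a legitimate outbound web connection and an unsolicited inbound probe. The addresses, the inside prefix and the packet sequence are constructed assumptions.

```python
"""Stateful inspection in miniature (added example; the inside prefix, the
addresses and the packet sequence are constructed assumptions, not from the
textbook). Outbound connections from the inside create table entries; inbound
segments are admitted only if they match an entry in the right state."""
import ipaddress

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


class StatefulFilter:
    def __init__(self, inside_net="10.0.0.0/24"):
        self.inside = ipaddress.ip_network(inside_net)
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def _key(self, src, sport, dst, dport):
        """Normalise a segment to its connection key plus its direction."""
        if ipaddress.ip_address(src) in self.inside:
            return (src, sport, dst, dport), "out"
        return (dst, dport, src, sport), "in"

    def check(self, src, sport, dst, dport, flags):
        """Return 'permit' or 'deny' and update the connection table."""
        key, direction = self._key(src, sport, dst, dport)
        state = self.table.get(key)
        if direction == "out":
            if state is None:
                if flags & SYN and not flags & ACK:
                    self.table[key] = "SYN_SENT"     # inside host opens a connection
                    return "permit"
                return "deny"                        # stray segment, no connection
            if flags & (FIN | RST):
                self.table[key] = "CLOSING"
            return "permit"
        # inbound
        if state is None:
            return "deny"                            # unsolicited: nobody inside asked
        if state == "SYN_SENT":
            if flags & SYN and flags & ACK:
                self.table[key] = "ESTABLISHED"     # the reply we were waiting for
                return "permit"
            return "deny"                            # anything else is not a valid reply
        if flags & RST:
            del self.table[key]                      # peer tore the connection down
        return "permit"


def scenario():
    """One legitimate outbound connection, then an outside host probing an inside port."""
    fw = StatefulFilter()
    host, web = ("10.0.0.5", 40000), ("198.51.100.80", 80)
    return [
        fw.check(*host, *web, SYN),                         # inside opens: permit
        fw.check(*web, *host, SYN | ACK),                   # matching reply: permit
        fw.check(*host, *web, ACK),                         # third step: permit
        fw.check(*web, *host, ACK),                         # server data: permit
        fw.check("203.0.113.9", 4444, "10.0.0.5", 445, SYN),  # unsolicited: deny
        fw.check("203.0.113.9", 4444, "10.0.0.5", 445, ACK),  # forged ACK: deny
    ]


if __name__ == "__main__":
    for decision in scenario():
        print(decision)
```

The last case is the one that matters: a stateless screening router that tries to allow "established" traffic by matching the ACK bit would let the forged ACK through, because the attacker controls the flag bits. The stateful filter denies it because no inside host ever opened that connection.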

  36. Commercial Firewall Features
     • Address translation/privacy services
     • Specific filtering mechanisms
     • Alarms and alerts
     • Logs and reports
     • Transparency
     • Intrusion detection systems (IDSs)
     • Management controls

  37. Understanding the Basics of Proxy Servers
     • Proxy servers
       • Can perform “reverse proxying” to
         • Expose a service inside a network to outside users, as if it resides on the proxy server itself
     • Caching
       • An important proxy behavior
     • Cache
       • Potentially valuable target for a system attack: a poisoned cache hands the attacker’s content to every client behind the proxy

  38. Planning and Implementing, Step by Step
     • Useful steps when planning and implementing firewalls and proxy servers
       • Plan
       • Establish requirements
       • Install
       • Configure
       • Test
       • Attack
       • Tune
       • Implement
       • Monitor and maintain

  39. Understanding the Test-Attack-Tune Cycle
     • Attack tools
       • McAfee CyberCop ASaP
       • GNU NetTools
       • A port mapper such as AnalogX PortMapper
       • Internet Security Systems’ various security scanners

  40. Understanding the Role of IDS and IPS in IP Security
     • Intrusion detection systems
       • Make it easier to automate recognizing and responding to potential attacks
     • Increasingly, firewalls include
       • Hooks to allow them to interact with IDSs, or their own built-in IDS capabilities
     • IPSs make access control decisions on the basis of application content

  41. Updating Anti-Virus Engines and Virus Lists
     • Because of the frequency with which new viruses, worms, and Trojans appear
       • Essential to update anti-virus engine software and virus definitions on a regular basis
     • Anti-virus protection
       • Key ingredient in any security policy


  43. The Security Update Process
     • Evaluate the vulnerability
     • Retrieve the update
     • Test the update
     • Deploy the update

  44. Understanding Security Policies and Recovery Plans
     • Security policy
       • Document that reflects an organization’s understanding of
         • What information assets and other resources need protection
         • How they are to be protected
         • How they must be maintained under normal operating circumstances

  45. Understanding Security Policies and Recovery Plans (continued)
     • RFC 2196 (the Site Security Handbook) lists the following documents as components of a good security policy
       • An access policy document
       • An accountability policy document
       • A privacy policy document
       • A violations reporting policy document
       • An authentication policy document
       • An information technology system and network maintenance policy document

  46. Windows XP and Windows Server 2003: Another Generation of Network Security
     • Features that should help maintain tighter security
       • Kerberos version 5
       • Public Key Infrastructure (PKI)
       • Directory Service Account Management
       • CryptoAPI
       • Encrypting File System (EFS)
       • Secure Channel Security protocols (SSL 3.0/PCT)

  47. Honeypots and Honeynets
     • Honeypot
       • Computer system deliberately set up to entice and trap attackers
     • Honeynet
       • Broadens the honeypot concept from a single system to what looks like a network of such systems
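The port probe of slide 13 and the honeypot of this slide are two ends of the same exchange, so one added example serves both. The following Python is not code from the textbook: a low-interaction honeypot that listens on a port nothing legitimate uses, hands out a fake FTP banner, refuses every login and records who connected and what they sent, together with an unprivileged TCP connect() probe of the kind an attacker runs during reconnaissance. Everything runs on 127.0.0.1; the banner, the probed ports and the log layout are assumptions. A PING sweep (ICMP Echo) or a SYN scan needs raw sockets and root, so only the connect() probe is shown.

```python
"""Reconnaissance meets honeypot (added example for slides 13 and 47, not from
the textbook). Everything runs on 127.0.0.1; the banner, the probed ports and
the log format are assumptions."""
import socket
import threading
import time


class Honeypot:
    """Fake FTP service: answers with a banner, refuses every login, logs everything."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftpd 2.3.4 ready\r\n"):
        self.banner = banner
        self.log = []                      # (time, peer ip, peer port, bytes received)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0: let the kernel pick a free one
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return                     # listening socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        conn.settimeout(2.0)
        received = b""
        try:
            conn.sendall(self.banner)
            while len(received) < 1024:    # bound what one client can make us store
                chunk = conn.recv(256)
                if not chunk:
                    break
                received += chunk
                conn.sendall(b"530 Login incorrect.\r\n")   # never authenticates anyone
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        self.log.append((time.time(), peer[0], peer[1], received))

    def wait_for_log(self, n, timeout=3.0):
        """Block until n connections are logged (handlers finish asynchronously)."""
        deadline = time.time() + timeout
        while len(self.log) < n and time.time() < deadline:
            time.sleep(0.01)
        return len(self.log) >= n

    def stop(self):
        self.sock.close()


def probe_port(host, port, timeout=0.5):
    """connect() probe: ('open', banner) / ('closed', '') / ('filtered', '')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed", ""                # RST came back: nothing is listening
    except (socket.timeout, OSError):
        return "filtered", ""              # no answer at all: something dropped it
    try:
        banner = s.recv(128).decode(errors="replace").strip()
    except (socket.timeout, OSError):
        banner = ""
    finally:
        s.close()
    return "open", banner


def tcp_connect_scan(host, ports, timeout=0.5):
    """Probe each port in turn; return {port: (state, banner)}."""
    return {p: probe_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    hp = Honeypot()
    for port, (state, banner) in sorted(tcp_connect_scan("127.0.0.1", [hp.port, hp.port + 1]).items()):
        print(f"{port}/tcp {state} {banner}")
    hp.wait_for_log(1)
    print("honeypot saw:", hp.log)
    hp.stop()
```

Because the honeypot serves no real users, every connection it logs is suspicious by definition, which is what makes it useful as an early-warning sensor; the connect() probe shows up in that log with the scanner’s address and whatever it sent. A SYN scan would not complete the handshake and so would be missed by this simple accept()-based logger, one reason production honeypots watch the wire rather than the socket.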

  48. Summary
     • An attack
       • An attempt to compromise the privacy and integrity of an organization’s information assets
     • In its original form, TCP/IP implemented an optimistic security model
     • Basic principles of IP security
       • Include avoiding unnecessary exposure by blocking all unused ports
     • Necessary to protect systems and networks from malicious code
       • Such as viruses, worms, and Trojan horses

  49. Summary (continued)
     • Would-be attackers
       • Usually engage in a well-understood sequence of activities, called reconnaissance and discovery
     • Maintaining system and network security involves constant activity that must include
       • Keeping up with security news and information
       • Keeping operating systems secure in the face of new vulnerabilities
     • A necessary and ongoing process

  50. Summary (continued)
     • When establishing a secure network perimeter
       • It is essential to repeat the test-attack-tune cycle
     • To create a strong foundation for system and network security, formulate policy that incorporates
       • Processes, procedures, and rules regarding physical and personnel security issues
     • Windows XP and Windows Server 2003 include
       • Notable security improvements and enhancements as compared to other Windows versions
