Securing the Internet Chapter 13
Learn how to… • Define the security threats and attacks that hackers use to gain unauthorized access to network services and resources. • List the Internet security safeguards that protect networks by detecting intrusions and defeating attacks. • Define the methods for digitally signing and encrypting network transmissions. • Describe publishing a Web site securely with the SFTP protocol.
Security Risks • Unauthorized access • Data manipulation • Service interruption
User-Level Issues • Inside attacks come from within an organization. • Such attacks account for about two-thirds of all security breaches.
Physical Access Security • Keep equipment behind locked doors and limit access to authorized personnel. • Require employees to log off before walking away from their workstations. • Keep employees from writing their passwords on slips of paper. • Encourage employees to report suspicious activity.
Network Security Threats • Data interception • Packet sniffers and network analyzers can intercept data that moves across the network. • Identity interception • Usernames and passwords can cross the network in clear text. • Require employees to have passwords consisting of a combination of characters and numbers. • Avoid passwords consisting of information that can be searched or guessed.
Network Security Threats • Masquerading • Occurs when unauthorized users assume the privileges of an authorized user. • IP address spoofing happens when an intruder uses the IP address of a trusted system. • Replay attacks • Occur when a hacker uses a packet sniffer to record a logon sequence and then plays back the sequence at a later time.
Network Security Threats • Social engineering attack • Exploits human weaknesses to gain access to the organization’s network. • Intruders fake their identity to gain access or information. • Misuse of privileges • Network administrators with a high level of system privileges can use their privileges to gain access to information that they should not access.
Identifying Assets • Data tier information resources • Any organization that conducts transactions has a back office database that you do not want hacked. • Server resources • All types of servers may contain resources that need to be protected. • Network resources • Protection from unauthorized access. • Local workstations • End-user workstations are prone to virus attacks.
Defending a Network • Defending a network includes: • A proactive pre-attack strategy • List the threats. • Identify the staff to defend against attacks. • A reactive post-attack strategy • Have a strategy for mobilizing the appropriate staff to take corrective actions.
Viruses • Boot record viruses spread through malicious code that runs when the computer boots. • A file infector virus occurs when malicious code attaches to individual files, which propagate primarily via e-mail attachments. • A document or spreadsheet attached to an e-mail can contain a macro virus. • A macro is a command that executes a set of instructions in a computer application.
Viruses • A Trojan horse is malicious code that masquerades as a desirable program. • Crackers can embed malicious executable code in Web pages via Java applets or ActiveX controls, called embedded code. • A worm can propagate across the Internet and infect other computers by replicating.
Best Practices • Subscribe to a security newsletter that keeps you apprised of the latest security issues and threats. • Use an automatic update service to install the latest security patches. • Identify the kinds of attacks to which your network is prone.
Best Practices • Audit the network for traces of these attacks. • Install software that can automatically detect intrusions. • Plan how to recover from network disasters. • Use firewalls to block non-trusted traffic or processes.
Microsoft Newsletters • Subscribe to Microsoft security newsletters at www.microsoft.com/technet/security/secnews/newsletter.htm • Choose the link to subscribe. • Follow the instructions to establish a .NET Passport if necessary.
Windows Update • Microsoft runs a Windows Update Service that can automatically download the latest security patches to your computer. • Start | Control Panel | double-click System icon | Choose Automatic Updates tab
Defeating Attacks • The most frequent attack is Denial of Service (DoS), in which the attacker seeks to consume so much of a server’s resources that the host cannot respond to legitimate requests. • In a brute force attack or front door attack, a cracker programs a computer to look up words in a dictionary and generate variants to guess a password.
Defeating Attacks • Dumpster diving is the practice of looking through trash for discarded records that can reveal important information in clear text, such as account numbers, passwords, and social security numbers. • A trapdoor attack occurs when crackers find a way into your computer by running diagnostic tools that your staff may have left on the system after troubleshooting some kind of problem.
Auditing and Detection • Security auditing uses software to detect attempts to compromise your assets. • Set an audit policy to activate intrusion detection on a Windows server. • You can audit successes or failures of an event.
Firewalls • A firewall is a combination of hardware, software, and security policies that block certain kinds of traffic from entering or leaving a network, subnet, or individual host computer.
Firewall Strategies • Packet filtering • Works at OSI Layers 3 and 4 to inspect the headers of all incoming and outgoing packets to block transmissions based on source or destination ports or IP addresses. • Proxy servers and Network Address Translation • Help to keep internal addresses private and hidden from attackers.
Firewall Strategies • A circuit level gateway prevents the establishment of end-to-end TCP connections. Instead, the gateway establishes a connection on behalf of an inside host with an outside host.
Firewall Strategies • An application level gateway is a type of firewall that can scan packets for malicious content spread through SMTP (mail), HTTP (Web pages), FTP (file transfers), DNS (attacks on name servers), or Telnet (remote logon).
Firewall Strategies • Stateful inspection can keep track of when a port opens, what session is using it, and how long the port stays open. • If the firewall suspects a session has been hijacked, the firewall can drop the session.
Firewall Topologies • Packet filtering firewall • Single-homed bastion host firewall • Dual-homed bastion host firewall • Screened subnet firewall with DMZ
Packet Filtering Firewall • Uses a packet filter, which monitors the headers of all incoming or outgoing packets and can block transmissions based on source or destination ports or IP addresses. • Operates at OSI layers 3 and 4.
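The packet filtering and stateful inspection strategies above, as an added example that is not part of the original slides: a first-match Layer 3/4 filter that decides on source/destination address and port, plus a session table that admits return traffic only for connections the filter already permitted. The rule set, addresses and packets are constructed for illustration.

```python
"""Added example: a minimal first-match packet filter with a stateful
session table, modelled on the filtering the slides describe.  Not code
from the original deck; all headers below are constructed sample values."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed rule set, evaluated top to bottom; first match wins.
# (action, source network, destination network, destination port or None for any)
RULES = [
    # A private 10/8 source arriving from the Internet side is spoofed: drop it first.
    ("deny",  ip_network("10.0.0.0/8"),  ip_network("0.0.0.0/0"),     None),
    # Anyone may reach the public Web server in the DMZ on port 80 only.
    ("allow", ip_network("0.0.0.0/0"),   ip_network("192.0.2.10/32"), 80),
]
DEFAULT_ACTION = "deny"   # anything not explicitly permitted is dropped

class StatefulFilter:
    def __init__(self):
        # Sessions this filter has already allowed: (client ip, client port, server ip, server port)
        self.sessions = set()

    def _match_rules(self, pkt: Packet) -> str:
        for action, src_net, dst_net, port in RULES:
            if (ip_address(pkt.src_ip) in src_net and ip_address(pkt.dst_ip) in dst_net
                    and (port is None or pkt.dst_port == port)):
                return action
        return DEFAULT_ACTION

    def inspect(self, pkt: Packet) -> str:
        # Stateful part: a reply belonging to a session we opened is admitted
        # even though no static rule permits server-to-client traffic.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions:
            return "allow"
        action = self._match_rules(pkt)
        if action == "allow":
            self.sessions.add(tuple(pkt))
        return action

if __name__ == "__main__":
    fw = StatefulFilter()
    for p in [Packet("198.51.100.7", 40000, "192.0.2.10", 80),    # client -> web server
              Packet("192.0.2.10", 80, "198.51.100.7", 40000),    # reply: allowed by state
              Packet("192.0.2.10", 80, "203.0.113.5", 40000),     # unsolicited: denied
              Packet("10.1.2.3", 40000, "192.0.2.10", 80)]:       # spoofed source: denied
        print(p, "->", fw.inspect(p))
```

An unsolicited packet from the server side is dropped because it matches no session, which is the hijack check the stateful slide describes in its simplest form.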
Single-Homed Bastion • A bastion host is a computer that sits on the perimeter of a local network and serves as an application-level gateway between the external network and the internal client workstations. • A single-homed bastion host contains one network card.
Dual-Homed Bastion • A dual-homed bastion firewall uses two NICs (hence the term dual-homed) on which IP forwarding is disabled, thereby creating a complete physical break between the internal and external networks.
DMZ Screened-Subnet • The screened-subnet firewall establishes a demilitarized zone (DMZ) by placing packet filtering routers on both the Internet side and the private network side of the bastion host. This makes it impossible for insiders to communicate directly over the Internet. • The DMZ provides a secure location for the network’s modem pool and the organization’s public Web and FTP servers.
Firewalls • For more on firewalls, visit Microsoft’s firewall page at www.microsoft.com/technet/security/guidance/secmod155.mspx • ZoneAlarm is a popular firewall product that is available for free. • Visit www.zonelabs.com
Encryption • To encrypt means to encode the data stream by manipulating the symbols with a set of rules called an algorithm that makes the message appear scrambled and unintelligible. • To decipher the data, the person who receives the message must have the encryption key, which is the secret algorithm comprising the rules used to encode the message.
Symmetric Cryptography • Symmetric cryptography, also called secret-key cryptography, uses the same secret key for both encryption and decryption.
Symmetric Standards • Symmetric encryption standards include: • Data Encryption Standard (DES) • Triple DES (3DES) • RC algorithms • www.rsasecurity.com/rsalabs/faq • International Data Encryption Algorithm (IDEA) • http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm • Advanced Encryption Standard (AES)
Asymmetric Cryptography • A public key infrastructure (PKI) consists of a certificate authority system that assigns each user a digital certificate containing a key pair consisting of a public key and a private key. • The person sending a message uses the public key to encrypt the message. • The person receiving the message uses the private key to decrypt it. • Because the key that encrypts the message is different from the key that decrypts it, this process is called asymmetric cryptography.
Digital Signatures • A digital signature is an identification method that binds a document to the possessor of a particular key by creating a message digest and encrypting the digest with the sender’s key. • Verifies whether the message truly came from the person who appears to have sent it, and that it has not been altered on its way.
Hash Encryption • A one-way encryption method called hash encryption creates the message digest. • The message’s digital fingerprint.
Encryption Algorithms • The two most commonly used hash encryption algorithms include SHA-1 and MD5. • SHA-1 is the Secure Hash Algorithm, which takes a message up to 2^64 bits in length and produces a 160-bit message digest. • MD5 is the latest Message Digest algorithm, which creates a 128-bit message digest.
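The digest-then-sign procedure of the Digital Signatures, Hash Encryption and Encryption Algorithms slides, as an added example that is not part of the original deck: the message is hashed with SHA-1 or MD5 (160-bit and 128-bit digests), the digest is transformed with the sender's private key, and the receiver recomputes the digest and checks it against what the public key recovers. The RSA key pair uses tiny constructed primes so the arithmetic is visible; real keys are far larger and come from a library, and the digest would be padded rather than reduced modulo N.

```python
"""Added example (not from the original slides): message digest plus a
textbook RSA signature over the digest.  Key values are constructed toys."""
import hashlib

def message_digest(message: bytes, algorithm: str = "sha1") -> bytes:
    """The message's 'digital fingerprint': 20 bytes for SHA-1, 16 for MD5."""
    return hashlib.new(algorithm, message).digest()

# Constructed toy RSA key pair: two small primes, public exponent 65537.
P, Q = 10007, 10009
N = P * Q                      # public modulus (about 27 bits; a real key is 2048+ bits)
E = 65537                      # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, modular inverse of E (Python 3.8+)

def _digest_as_int(message: bytes, algorithm: str) -> int:
    # Reduced mod N only because the toy modulus is smaller than the digest;
    # a real scheme pads the digest instead of truncating it this way.
    return int.from_bytes(message_digest(message, algorithm), "big") % N

def sign(message: bytes, algorithm: str = "sha1") -> int:
    """Sender: hash the message, then apply the private key to the digest."""
    return pow(_digest_as_int(message, algorithm), D, N)

def verify(message: bytes, signature: int, algorithm: str = "sha1") -> bool:
    """Receiver: recover the digest with the public key and compare with a fresh digest.
    Fails if the message was altered in transit or signed with a different private key."""
    return pow(signature, E, N) == _digest_as_int(message, algorithm)

if __name__ == "__main__":
    original = b"Transfer 100 dollars to account 12345"   # constructed sample message
    tampered = b"Transfer 900 dollars to account 12345"
    sig = sign(original)
    print("signature:", sig)
    print("original verifies:", verify(original, sig))   # True
    print("tampered verifies:", verify(tampered, sig))   # False: digest no longer matches
```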
Digital IDs • The term digital ID refers to an X.509 certificate containing a key pair that consists of a public key and a private key. • An X.509 certificate enables you to digitally sign your mail and/or send mail encrypted. • The next few slides outline how to obtain a digital ID to use with Microsoft Outlook.
Digital ID with Outlook • Open Microsoft Outlook and then select Tools | Options | Security tab. • Click Get a Digital ID button, which will take you to a Microsoft Web site listing digital ID services. • Use VeriSign for a 60-day free trial to get a digital ID.