430 likes | 583 Views
Packets and Protocols. Security Devices and Practices.
E N D
Packets and Protocols Security Devices and Practices
Information security is an emerging discipline that combines the efforts of people, policy, education, training, awareness, procedures, and technology to improve the confidentiality, integrity, and availability of an organization’s information assets Technical controls alone cannot ensure a secure IT environment, but they are usually an essential part of information security programs Security Devices and Practices
Security Devices and Practices • Although technical controls can be an important part of an information security program, they must be combined with sound policy and education, training, and awareness efforts • Some of the most powerful and widely used technical security mechanisms include: • Access controls • Firewalls • Dial-up protection • Intrusion detection systems • Scanning and analysis tools • Encryption systems
Access control encompasses three processes: Confirming the identity of the entity accessing a logical or physical area (authentication) Determining which actions that entity can perform in that physical or logical area (authorization) Logging their actions (accounting) A successful access control approach—whether intended to control physical access or logical access—always consists of all three. Security Devices and Practices
Mechanism types Something you know Something you have Something you are Something you produce Strong authentication uses at least two different authentication mechanism types Security Devices and Practices
Something you know: This type of authentication mechanism verifies the user’s identity by means of a password, passphrase, or other unique code A password is a private word or combination of characters that only the user should know A passphrase is a plain-language phrase, typically longer than a password, from which a virtual password is derived A good rule of thumb is to require that passwords be at least eight characters long and contain at least one number and one special character Security Devices and Practices
Something you have This authentication mechanism makes use of something (a card, key, or token) that the user or the system possesses One example is a dumb card (such as an ATM card) with magnetic stripes Another example is the smart card containing a processor Another device often used is the cryptographic token, a processor in a card that has a display Security Devices and Practices
Something you are: This authentication mechanism takes advantage of something inherent in the user that is evaluated using biometrics Most of the technologies that scan human characteristics convert these images to obtain some form of minutiae—unique points of reference that are digitized and stored in an encrypted format Security Devices and Practices
Something you do: This type of authentication makes use of something the user performs or produces It includes technology related to signature recognition and voice recognition, for example Security Devices and Practices
In general, authorization can be handled by: Authorization for each authenticated user, in which the system performs an authentication process to verify the specific entity and then grants access to resources for only that entity Authorization for members of a group, in which the system matches authenticated entities to a list of group memberships, and then grants access to resources based on the group’s access rights Authorization across multiple systems, in which a central authentication and authorization system verifies entity identity and grants a set of credentials to the verified entity Security Devices and Practices
To appropriately manage access controls, an organization must have in place a formal access control policy, which determines how access rights are granted to entities and groups This policy must include provisions for periodically reviewing all access rights, granting access rights to new employees, changing access rights when job roles change, and revoking access rights as appropriate Security Devices and Practices
Firewalls In information security, a firewall is any device that prevents a specific type of information from moving between two networks, often the outside, known as the un-trusted network (e.g., the Internet), and the inside, known as the trusted network The firewall may be a separate computer system, a service running on an existing router or server, or a separate network containing a number of supporting devices Security Devices and Practices
Packet Filtering Routers Most organizations with an Internet connection use some form of router between their internal networks and the external service provider Many of these routers can be configured to block packets that the organization does not allow into the network Such an architecture lacks auditing and strong authentication, and the complexity of the access control lists used to filter the packets can grow to a point that degrades network performance Security Devices and Practices
When evaluating a firewall, ask the following questions: What type of firewall technology offers the right balance between protection and cost for the needs of the organization? What features are included in the base price? What features are available at extra cost? Are all cost factors known? How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall? Can the candidate firewall adapt to the growing network in the target organization? Security Devices and Practices
Some of the best practices for firewall use are: All traffic from the trusted network is allowed out The firewall device is never accessible directly from the public network Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall, but should be routed to a SMTP gateway All Internet Control Message Protocol (ICMP) data should be denied Telnet (terminal emulation) access to all internal servers from the public networks should be blocked When Web services are offered outside the firewall, HTTP traffic should be handled by some form of proxy access or DMZ architecture Security Devices and Practices
A host-based IDS works by configuring and classifying various categories of systems and data files In many cases, IDSs provide only a few general levels of alert notification Unless the IDS is very precisely configured, benign actions can generate a large volume of false alarms Host-based IDSs can monitor multiple computers simultaneously Security Devices and Practices
Network-based IDSs monitor network traffic and, when a predefined condition occurs, notify the appropriate administrator The network-based IDS looks for patterns of network traffic Network IDSs must match known and unknown attack strategies against their knowledge base to determine whether an attack has occurred These systems yield many more false-positive readings than do host-based IDSs, because they are attempting to read the network activity pattern to determine what is normal and what is not Security Devices and Practices
A signature-based IDS or knowledge-based IDS examines data traffic for something that matches the signatures, which comprise preconfigured, predetermined attack patterns The problem with this approach is that the signatures must be continually updated, as new attack strategies emerge A weakness of this method is the time frame over which attacks occur If attackers are slow and methodical, they may slip undetected through the IDS, as their actions may not match a signature that includes factors based on duration of the events Security Devices and Practices
The statistical anomaly-based IDS (stat IDS) or behavior-based IDS first collects data from normal traffic and establishes a baseline It then periodically samples network activity, based on statistical methods, and compares the samples to the baseline When the activity falls outside the baseline parameters (known as the clipping level), the IDS notifies the administrator The advantage of this approach is that the system is able to detect new types of attacks, because it looks for abnormal activity of any type Security Devices and Practices
Managing IDSs Just as with any alarm system, if there is no response to an alert, then an alarm does no good IDSs must be configured using technical knowledge and adequate business and security knowledge to differentiate between routine circumstances and low, moderate, or severe threats A properly configured IDS can translate a security alert into different types of notification A poorly configured IDS may yield only noise Security Devices and Practices
RADIUS and TACACS are systems that authenticate the credentials of users who are trying to access an organization’s network via a dial-up connection A Remote Authentication Dial-In User Service (RADIUS) system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server Security Devices and Practices
Security Devices and Practices When a remote access server (RAS) receives a request for a network connection from a dial-up client, it passes the request along with the user’s credentials to the RADIUS server; RADIUS then validates the credentials The Terminal Access Controller Access Control System (TACACS) works similarly and is based on a client/server configuration
Scanning and analysis tools can find vulnerabilities in systems, holes in security components, and other unsecured aspects of the network Conscientious administrators will have several informational Web sites bookmarked, and they frequently browse for new vulnerabilities, recent conquests, and favorite assault techniques There is nothing wrong with security administrators using the tools used by attackers to examine their own defenses and search out areas of vulnerability Security Devices and Practices
WPA is an industry standard, created by the Wi-Fi Alliance Has some compatibility issues with older WAPs Provides increased capabilities for authentication, encryption, and throughput Security Devices and Practices
Vulnerability scanners, which are variants of port scanners, are capable of scanning networks for very detailed information They identify exposed user names and groups, show open network shares, and expose configuration problems and other server vulnerabilities Security Devices and Practices
A packet sniffer is a network tool that collects and analyzes packets on a network It can be used to eavesdrop on network traffic A packet sniffer must be connected directly to a local network from an internal location Security Devices and Practices
Security Devices and Practices • To use a packet sniffer legally, you must: • Be on a network that the organization owns, not leases • Be under the direct authorization of the network’s owners • Have the knowledge and consent of the users • Have a justifiable business reason for doing so
Content Filters Another type of utility that effectively protects the organization’s systems from misuse and unintentional denial-of-service conditions is the content filter A content filter is a software program or a hardware/software appliance that allows administrators to restrict content that comes into a network The most common application of a content filter is the restriction of access to Web sites with non–business-related material, such as pornography Another application is the restriction of spam e-mail Content filters ensure that employees are using network resources appropriately Security Devices and Practices
Managing Scanning and Analysis Tools It is vitally important that the security manager be able to see the organization’s systems and networks from the viewpoint of potential attackers The security manager should develop a program using in-house resources, contractors, or an outsourced service provider to periodically scan his or her own systems and networks for vulnerabilities with the same tools that a typical hacker might use Security Devices and Practices
Drawbacks to using scanners and analysis tools, content filters, etc: These tools do not have human-level capabilities Most tools function by pattern recognition, so they only handle known issues Most tools are computer-based, so they are prone to errors, flaws, and vulnerabilities of their own All of these tools are designed, configured, and operated by humans and are subject to human errors Some governments, agencies, institutions, and universities have established policies or laws that protect the individual user’s right to access content Tool usage and configuration must comply with an explicitly articulated policy, and the policy must provide for valid exceptions Security Devices and Practices
E-Mail Security Secure Multipurpose Internet Mail Extensions (S/MIME) builds on the Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication via digital signatures based on public key cryptosystems Privacy Enhanced Mail (PEM) has been proposed by the Internet Engineering Task Force (IETF) as a standard that will function with public key cryptosystems PEM uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures Security Devices and Practices
Security Devices and Practices • Pretty Good Privacy (PGP) was developed by Phil Zimmerman and uses the IDEA Cipher, a 128-bit symmetric key block encryption algorithm with 64-bit blocks for message encoding • Like PEM, it uses RSA for symmetric key exchange and to support digital signatures
IP Security (IPSec) is the primary and now dominant cryptographic authentication and encryption product of the IETF’s IP Protocol Security Working Group IPSec combines several different cryptosystems: Diffie-Hellman key exchange for deriving key material between peers on a public network Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties Bulk encryption algorithms, such as DES, for encrypting the data Digital certificates signed by a certificate authority to act as digital ID cards Security Devices and Practices
Security Devices and Practices • IPSec has two components: • The IP Security protocol itself, which specifies the information to be added to an IP packet and indicates how to encrypt packet data • The Internet Key Exchange, which uses asymmetric key exchange and negotiates the security associations
IPSec works in two modes of operation: transport and tunnel In transport mode, only the IP data is encrypted—not the IP headers themselves; this allows intermediate nodes to read the source and destination addresses In tunnel mode, the entire IP packet is encrypted and inserted as the payload in another IP packet IPSec and other cryptographic extensions to TCP/IP are often used to support a virtual private network (VPN), a private, secure network operated over a public and insecure network Security Devices and Practices
Securing the WEB Secure Electronic Transactions (SET) Developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud Encrypts credit card transfers with DES for encryption and RSA for key exchange Secure Sockets Layer (SSL) Developed by Netscape in 1994 to provide security for e-commerce transactions Mainly relies on RSA for key transfer and on IDEA, DES, or 3DES for encrypted symmetric key-based data transfer Security Devices and Practices
Security Devices and Practices • Secure Hypertext Transfer Protocol (SHTTP) • Provides secure e-commerce transactions as well as encrypted Web pages for secure data transfer over the Web, using different algorithms • Secure Shell (SSH) • Provides security for remote access connections over public networks by using tunneling, authentication services between a client and a server • Used to secure replacement tools for terminal emulation, remote management, and file transfer applications
Securing Authentication A final use of cryptosystems is to provide enhanced and secure authentication One approach to this issue is provided by Kerberos, which uses symmetric key encryption to validate an individual user’s access to various network resources It keeps a database containing the private keys of clients and servers that are in the authentication domain that it supervises Security Devices and Practices