
Planning for Network Security


Presentation Transcript


  1. Planning for Network Security. Security Planning. Susan Lincke

  2. Objectives. The student should be able to:
  • Define attacks: script kiddy, social engineering, logic bomb, Trojan horse, phishing, pharming, war driving, war dialing, man-in-the-middle attack, SQL injection, virus, worm, root kit, dictionary attack, brute force attack, DOS, DDOS, botnet, spoofing, packet replay.
  • Describe defenses: defense in depth, bastion host, content filter, packet filter, stateful inspection, circuit-level firewall, application-level firewall, de-militarized zone, multi-homed firewall, IDS, IPS, NIDS, HIDS, signature-based IDS, statistical-based IDS, neural network, VPN, network access server (RADIUS/TACACS), honeypot, honeynet, hash, secret key encryption, public key encryption, digital signature, PKI, vulnerability assessment.
  • Identify techniques (what they do): SHA1/SHA2, MD2/MD4/MD5, DES, AES, RSA, ECC.
  • Describe and define security goals: confidentiality, authenticity, integrity, non-repudiation.
  • Place each service's and server's data in the correct sensitivity class and define the roles with access.
  • Define the services that can enter and leave a network.
  • Draw a network diagram with proper zones and security equipment.

  3. The Problem of Network Security
  The Internet allows an attacker to attack from anywhere in the world, from their home desk. The attacker needs to find only one vulnerability; the security analyst needs to close every vulnerability.
  Solution: Layered defense

  4. Stages of a Cyber-Operation: Target Identification
  • Opportunistic Attack: focuses on any easy-to-break-into site
  • Targeted Attack: specific victim in mind
  • Searches for a vulnerability that will work.

  5. Hacking Networks: Reconnaissance Stage
  • Physical Break-In
  • Dumpster Diving
  • Google, Newsgroups, Web sites
  • Social Engineering
  • Phishing: fake email
  • Pharming: fake web pages
  • WhoIs Database & arin.net
  • Domain Name Server Interrogations
  Example WhoIs record shown on the slide:
  Registrant: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, US
  Domain name: MICROSOFT.COM
  Administrative Contact: Administrator, Domain, domains@microsoft.com, One Microsoft Way, Redmond, WA 98052, US, +1.4258828080
  Technical Contact: Hostmaster, MSN, msnhst@microsoft.com, One Microsoft Way, Redmond, WA 98052, US, +1.4258828080
  Registration Service Provider: DBMS VeriSign, dbms-support@verisign.com, 800-579-2848 x4. Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions.
  Registrar of Record: TUCOWS, INC.
  Record last updated on 27-Aug-2006. Record expires on 03-May-2014. Record created on 02-May-1991.
  Domain servers in listed order: NS3.MSFT.NET 213.199.144.151, NS1.MSFT.NET 207.68.160.190, NS4.MSFT.NET 207.46.66.126, NS2.MSFT.NET 65.54.240.126, NS5.MSFT.NET 65.55.238.126

  6. Hacking Networks: Reconnaissance Stage
  • War Driving: Can I find a wireless network?
  • War Dialing: Can I find a modem to connect to?
  • Network Scanning: What IP addresses, open ports, applications exist?
  • Protocol Sniffing: What is being sent over communications lines?

  7. Passive Attacks
  • Eavesdropping: Listen to packets from other parties = Sniffing
  • Traffic Analysis: Learn about network from observing traffic patterns
  • Footprinting: Test to determine software installed on system = Network Mapping
  [Diagram: a packet carrying Login: Ginger / Password: Snap travels between Jennie, Carl and Bob across network nodes A, B and C]

  8. Hacking Networks: Gaining Access Stage
  Network Attacks:
  • IP Address Spoofing
  • Man-in-the-Middle
  System Attacks:
  • Buffer Overflow
  • Password Cracking
  • SQL Injection
  • Web Protocol Abuse
  • Watering Hole Attack
  • Trap Door
  • Virus, Worm, Trojan horse
  [Diagram: brute-force password enumeration: a, aa, ab, ac, …, ba, bb, …, aaa, aab, aac, …]

  9. Some Active Attacks
  • Denial of Service: Message did not make it; or service could not run
  • Masquerading or Spoofing: The actual sender is not the claimed sender
  • Message Modification: The message was modified in transmission
  • Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage
  [Diagrams of each attack among Joe, Bill and Ann; in Spoofing the sender shown as Joe is actually Bill]

  10. Man-in-the-Middle Attack
  [Diagram: hosts 10.1.1.1 and 10.1.1.3 with 10.1.1.2 placed between them; the login (1, 2) and password (3, 4) exchange between the two hosts passes through 10.1.1.2]

  11. SQL Injection
  • Java Original: "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";
  • Inserted Password: Aa' OR ''='
  • Java Result: "SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ' ' = ' ';
  • Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%
  • Java Result: "SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'
  • Inserted entry: '|shell("cmd /c echo " & char(124) & "format c:")|'
  [Diagram: login form with Login and Password fields, then "Welcome to My System"]
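The slide's login query, built the two ways a reviewer would compare: by string concatenation, which is what the "Java Original" does, and as a parameterised query, which is the fix. This is an added example, not code from the slides; the in-memory users_table, the stored account and the use of sqlite3 are constructed for illustration. The first injected password from the slide is run against both versions so the difference is observable.

```python
"""Vulnerable vs. parameterised login query (added example for slide 11).
Not from the slides: the schema, the stored account and the sqlite3 backend are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one account, mirroring the slide's users_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_table VALUES ('anyname', 'correct horse')")
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the same concatenation as the slide's Java code.
    Quote characters inside the inputs become part of the SQL statement."""
    sql = ("SELECT * FROM users_table WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders pass the values to the driver separately from the SQL
    text, so the inputs are compared as literal strings and never parsed as SQL."""
    sql = "SELECT * FROM users_table WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run a correct password and the slide's first injected password through both versions."""
    conn = make_db()
    payload = "Aa' OR ''='"   # the slide's "Inserted Password"
    return {
        "vuln_correct": login_concatenated(conn, "anyname", "correct horse"),
        "vuln_payload": login_concatenated(conn, "anyname", payload),     # logs in without the password
        "safe_correct": login_parameterised(conn, "anyname", "correct horse"),
        "safe_payload": login_parameterised(conn, "anyname", payload),    # rejected
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'logged in' if outcome else 'rejected'}")
```

With the concatenated query the password check collapses to `... AND password='Aa' OR ''=''`, which is true for every row; the parameterised version compares the whole injected string against the stored password and fails. The slide's second payload (a stacked DELETE) is not shown here because sqlite3's execute() refuses multi-statement strings, which is a driver detail rather than a defence; the parameterised form is the control that holds regardless of driver.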

  12. Review: Password Cracking: Dictionary Attack & Brute Force (NIST SP 800-118 Draft)

  13. Hacking Networks: Hiding Presence; Establishing Persistence
  • Backdoor: Control system: system commands, log keystrokes, pswd
  • Trojan Horse: Useful utility actually creates a backdoor.
  • User-Level Rootkit: Replaces system executables, e.g. login, ls, du
  • Kernel-Level Rootkit: Replaces OS kernel, e.g. process or file control to hide
  • Command & Control: Slave forwards/performs commands
  • Spyware/Adware: Spyware: Keystroke logger collects info: passwords, credit card #s. AdWare: insert ads, filter search results
  • Bot: Spread & infect, list email addrs, DDOS attacks

  14. Bots & Distributed Denial of Service
  [Diagram: Attacker → Handler → Zombies located in Russia, Bulgaria and the United States → Victim]
  Zombies can barrage a victim server with requests, causing the network to fail to respond to anyone.

  15. Question: An attack where multiple computers send connection packets to a server simultaneously to slow the firewall is known as:
  • Spoofing
  • DDOS
  • Worm
  • Rootkit

  16. Question: A man in the middle attack is implementing which additional type of attack:
  • Spoofing
  • DoS
  • Phishing
  • Pharming

  17. Network Defense: Encryption; Network Security

  18. Security: Defense in Depth
  • Border Router
  • Perimeter firewall
  • Internal firewall
  • Intrusion Detection System
  • Policies & Procedures & Audits
  • Authentication
  • Access Controls

  19. Bastion Host: Computer fortified against attackers
  • Applications turned off
  • Operating system patched
  • Security configuration tightened

  20. Attacking the Network: What ways do you see of getting in?
  [Diagram: The Internet, Border Router/Firewall, De-Militarized Zone, Commercial Network, Internal Firewall, WLAN, Private Network]

  21. Filters: Firewalls & Routers. The good, the bad & the ugly…
  • Route Filter: Verifies source/destination IP addresses
  • Packet Filter: Scans headers of packets
  • Content Filter: Scans contents of packet (e.g., IPS)
  • Default Deny: Any packet not explicitly permitted is rejected
  • Fail Safe or Fail Secure: If router fails, it fails shut
  [Table columns on the slide: Filter / The Good / The bad & the ugly]

  22. Packet Filter Firewall
  [Diagram: traffic arriving at a packet filter firewall: Web Request, Web Response, Email Response, SSH Connect Request, DNS Request, Ping Request, FTP request, Microsoft NetBIOS Name Service, Email Connect Request, Telnet Request, and packets with an Illegal Dest IP Address or an Illegal Source IP Address]
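A stateless packet filter that applies the route-filter and default-deny ideas from slide 21 to the traffic types on slide 22, written as an added example (not part of the slide deck). The address ranges, DMZ server addresses and the three permit rules are constructed; which services the slide intends to allow is not stated, so the rule set is an assumption used to show how default deny handles everything the rules do not name.

```python
"""Stateless packet filter with route filter and default deny (added example for slides 21/22).
Not from the slides: the address ranges, DMZ hosts and permit rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

INTERNAL = ip_network("10.0.0.0/8")      # constructed: private network behind the filter
PUBLIC = ip_network("203.0.113.0/24")    # constructed: the organisation's routable (DMZ) range
WEB, DNS, MAIL = "203.0.113.10", "203.0.113.53", "203.0.113.25"   # constructed DMZ hosts


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp


# Explicit permits only; the first matching rule wins.  Anything unmatched is dropped.
ALLOW_RULES: List[Tuple[str, Callable[[Packet], bool]]] = [
    ("Web Request", lambda p: p.proto == "tcp" and p.dport in (80, 443) and p.dst == WEB),
    ("DNS Request", lambda p: p.proto == "udp" and p.dport == 53 and p.dst == DNS),
    ("Email Connect Request", lambda p: p.proto == "tcp" and p.dport == 25 and p.dst == MAIL),
]


def filter_inbound(p: Packet) -> Tuple[str, str]:
    """Decide on one packet arriving from the Internet; returns (action, reason)."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    # Route filter: a packet from the Internet that claims an internal source is spoofed.
    if src in INTERNAL:
        return "deny", "Illegal Source IP Address"
    # A packet not addressed to our own range should never reach us from outside.
    if dst not in PUBLIC:
        return "deny", "Illegal Dest IP Address"
    for name, match in ALLOW_RULES:
        if match(p):
            return "permit", name
    return "deny", "Default Deny"      # no rule applied: fail closed


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed packets of the kinds named on slide 22 through the filter."""
    traffic = {
        "Web Request": Packet("198.51.100.7", WEB, "tcp", 80),
        "DNS Request": Packet("198.51.100.7", DNS, "udp", 53),
        "Email Connect Request": Packet("198.51.100.7", MAIL, "tcp", 25),
        "SSH Connect Request": Packet("198.51.100.7", WEB, "tcp", 22),
        "Telnet Request": Packet("198.51.100.7", WEB, "tcp", 23),
        "FTP request": Packet("198.51.100.7", WEB, "tcp", 21),
        "Microsoft NetBIOS Name Service": Packet("198.51.100.7", WEB, "udp", 137),
        "Ping Request": Packet("198.51.100.7", WEB, "icmp", 0),
        "Illegal Source IP Address": Packet("10.1.2.3", WEB, "tcp", 80),
        "Illegal Dest IP Address": Packet("198.51.100.7", "192.0.2.9", "tcp", 80),
    }
    return {name: filter_inbound(p) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:32s} {action:6s} ({reason})")
```

Note that Telnet, SSH, FTP, NetBIOS and ping are dropped without any rule mentioning them; that is the point of default deny, and it is also why the rule set has to be audited against policy rather than against what happens to break.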

  23. Informal Path of Logical Access
  [Diagram: Campus Login; Students & Instructors; Desire2Learn; Library; Register; Public: Potential Students, Graduates; Lab; Advisors & Registrars; Public Web; Staff Nurses; Public Health Services; PoS. Legend: Public, Private, Confidential]

  24. Step 1: Determine Services: Who, What, Where? (Workbook)

  25. Step 2: Determine Sensitivity of Services (Workbook)

  26. Isolation & Compartmentalization
  • Compartmentalize network by Sensitivity Class & Role
  • Segment Network into Regions = Zones, e.g., DMZ, wireless, Payment Card
  • Isolate Apps on Servers: physical vs. virtual (e.g. VMware)
  • Virtual Servers combine onto one Physical server. Each has its own OS and a limited section of disk.
  • Hypervisor software is the interface between the virtual system's OS and the real computer's OS.

  27. Multi-Homed Firewall: Separate Zones
  Screening Device: Router. The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall.
  [Diagram: Internet → screening router → Screened Host firewall with separate interfaces to the Demilitarized Zone (IPS, E-Commerce, External DNS, Email Server, Web Server), the Protected Internal Network Zone (Database/File Servers, IDS) and the Private Payment Card Zone]

  28. Step 3: Allocate Network Zones (Workbook)

  29. Step 4: Define Controls (Workbook)

  30. Data Privacy
  • Confidentiality: Unauthorized parties cannot access information (-> Secret Key Encryption)
  • Authenticity: Ensures claimed sender = actual sender (-> Public Key Encryption)
  • Integrity: Ensures the message is not modified in transmission (-> Hashing)
  • Nonrepudiation: Ensures sender cannot later deny sending message (-> Digital Signature)
  [Diagrams of Confidentiality, Authenticity, Integrity and Non-Repudiation among Joe, Bill and Ann; in Authenticity the sender shown as Joe is actually Bill]

  31. Confidentiality: Encryption – Secret Key. Examples: DES, AES
  [Diagram: plaintext → Encrypt (Ksecret) → ciphertext → Decrypt (Ksecret) → plaintext]
  Sender, Receiver have IDENTICAL keys
  Plaintext = Decrypt(Ksecret, Encrypt(Ksecret, Plaintext))
  NIST Recommended: 3DES w. CBC; AES 128 Bit

  32. Confidentiality, Authentication, Non-Repudiation: Public Key Encryption. Examples: RSA, ECC, Quantum
  Encryption (e.g., RSA): Joe encrypts with the key owner's Kpublic; the key owner decrypts with Kprivate.
  Authentication, Non-repudiation (Digital Signature): the key owner encrypts with Kprivate; Joe decrypts with Kpublic.
  Sender, Receiver have Complementary Keys
  Plaintext = Decrypt(kPRIV, Encrypt(kPUB, Plaintext))
  Plaintext = Decrypt(kPUB, Encrypt(kPRIV, Plaintext))
  NIST Recommended (2011): RSA 2048 bit

  33. Confidentiality: Remote Access Security
  [Diagram: remote host → The Internet (red line) → Firewall / VPN Concentrator]
  Virtual Private Network (VPN), often implemented with IPSec:
  • Can authenticate and encrypt data through Internet (red line)
  • Easy to use and inexpensive
  • Difficult to troubleshoot
  • Susceptible to malicious software and unauthorized actions
  • Often router or firewall is the VPN endpoint

  34. Integrity: Secure Hash Functions. Examples: HMAC, SHA-2, SHA-3
  Ensures the message was not modified during transmission.
  [Diagram, Secure Hash: sender computes H over Message and transmits Message with H; receiver recomputes H over the received Message and compares it with the Transmitted Hash]
  [Diagram, HMAC: sender computes H over Message using key K and transmits Message with H; receiver recomputes H with K and compares]
  Legend: H = Hash Algorithm / Hashed Value; K = Encryption Key
  NIST Recommended: SHA-2, SHA-3
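The two diagrams on this slide differ in one thing: whether the hash depends on a key K that the in-path attacker does not hold. The following added example (not from the slides; the key and messages are constructed) computes both an unkeyed SHA-256 digest and an HMAC-SHA256 tag over a message, then shows what each verifier concludes when the message is modified and the attacker either leaves the hash alone or recomputes it.

```python
"""Unkeyed hash vs. HMAC for message integrity (added example for slide 34).
Not from the slides: the shared key K and the messages are constructed."""
import hashlib
import hmac


def plain_digest(msg: bytes) -> str:
    """Secure hash alone: anyone, including an attacker, can compute it."""
    return hashlib.sha256(msg).hexdigest()


def hmac_tag(key: bytes, msg: bytes) -> str:
    """HMAC: computing the tag requires the shared key K."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_plain(msg: bytes, transmitted_hash: str) -> bool:
    """Receiver side of the Secure Hash diagram: recompute and compare."""
    return hmac.compare_digest(plain_digest(msg), transmitted_hash)


def verify_hmac(key: bytes, msg: bytes, transmitted_tag: str) -> bool:
    """Receiver side of the HMAC diagram: recompute with K and compare (constant time)."""
    return hmac.compare_digest(hmac_tag(key, msg), transmitted_tag)


def demo() -> dict:
    key = b"constructed-shared-key-K"
    msg = b"PAY 100 TO ANN"          # constructed original message
    tampered = b"PAY 900 TO BILL"    # constructed modification made in transit

    sent_hash = plain_digest(msg)            # what the sender transmits alongside msg
    sent_tag = hmac_tag(key, msg)
    # An attacker who changes the message can also recompute an unkeyed hash...
    recomputed_hash = plain_digest(tampered)
    # ...but cannot produce a matching HMAC tag without K (uses a wrong guess here).
    forged_tag = hmac_tag(b"attacker-guess", tampered)

    return {
        "hash_detects_modification": not verify_plain(tampered, sent_hash),
        "hash_fooled_by_recomputed_digest": verify_plain(tampered, recomputed_hash),
        "hmac_detects_modification": not verify_hmac(key, tampered, sent_tag),
        "hmac_rejects_forged_tag": not verify_hmac(key, tampered, forged_tag),
        "hmac_accepts_genuine": verify_hmac(key, msg, sent_tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The second entry is the reason the slide pairs the hash with a key: an unkeyed hash only detects accidental corruption or an attacker who forgets to update the digest. hmac.compare_digest is used for both comparisons so that the verifier's running time does not leak how many leading bytes matched.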

  35. Non-Repudiation: Digital Signature
  • Electronic Signature
  • Uses public key algorithm
  • Verifies integrity of data
  • Verifies identity of sender: non-repudiation
  [Diagram: Message → Msg Digest → Encrypted with K(Sender's Private)]

  36. Authentication: Public Key Infrastructure (PKI)
  1. Sue registers with CA through RA: Register(Owner, Public Key)
  2. Registration Authority (RA) verifies owners
  3. Send approved Digital Certificates
  4. Sue sends Tom message signed with Digital Signature
  5. Tom requests Sue's DC
  6. CA sends Sue's DC
  7. Tom confirms Sue's DS
  [Diagram: Digital Certificate – User: Sue, Public Key: 2456; parties Sue, Tom, Certificate Authority (CA), Registration Authority (RA)]

  37. Hacking Defense: Intrusion Detection/Prevention Systems (IDS or IPS)
  Network IDS = NIDS
  • Examines packets for attacks
  • Can find worms, viruses, or defined attacks
  • Warns administrator of attack
  • IPS = Packets are routed through IPS
  Host IDS = HIDS
  • Examines actions or resources for attacks
  • Recognize unusual or inappropriate behavior
  • E.g., Detect modification or deletion of special files
  [Diagram: Router, IDS, Firewall]

  38. IDS/IPS Intelligence Systems
  Signature-Based:
  • Specific patterns are recognized as attacks
  Statistical-Based:
  • The expected behavior of the system is understood
  • If variations occur, they may be attacks (or maybe not)
  Neural Networks:
  • Statistical-Based with self-learning (or artificial intelligence)
  • Recognizes patterns
  [Diagram: NIDS holds attack signatures NastyVirus and BlastWorm; traffic matching NastyVirus raises "NIDS: ALARM!!! NastyVirus", Normal traffic passes]
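The signature-based and statistical-based approaches from slides 37 and 38, each reduced to its core decision and run over constructed sensor data. This is an added example, not from the slides: the two signatures reuse the slide's NastyVirus and BlastWorm names, while the log lines, the per-minute request counts and the mean-plus-k-standard-deviations threshold are constructed assumptions. The example also shows the classic weakness of each: a renamed payload slips past the signatures, and the statistical detector flags a burst without knowing what it is.

```python
"""Signature-based vs. statistical-based detection (added example for slides 37/38).
Not from the slides: log lines, traffic counts and the threshold rule are constructed."""
import re
import statistics
from typing import Dict, List, Tuple

# Attack signatures as a signature-based NIDS would hold them (names from the slide).
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "NastyVirus": re.compile(r"NastyVirus"),
    "BlastWorm": re.compile(r"BlastWorm"),
}

# Constructed sensor log: (minute, source address, payload excerpt).
LOG: List[Tuple[int, str, str]] = [
    (1, "198.51.100.4", "GET /index.html"),
    (1, "198.51.100.9", "POST /upload name=NastyVirus.exe"),
    (2, "198.51.100.4", "GET /images/logo.png"),
    (3, "198.51.100.21", "BlastWorm probe tcp/445"),
    (3, "198.51.100.30", "POST /upload name=Nasty_Virus.exe"),   # renamed: no signature matches
]


def signature_alerts(log: List[Tuple[int, str, str]] = LOG) -> List[Tuple[int, str, str]]:
    """Return (minute, source, signature name) for every log line matching a known pattern."""
    alerts = []
    for minute, src, payload in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((minute, src, name))
    return alerts


def statistical_alerts(observed: List[int], baseline: List[int], k: float = 3.0) -> List[int]:
    """Learn expected behaviour (mean and standard deviation of requests per minute from the
    baseline) and flag observed minutes more than k standard deviations above the mean.
    Returns the indices of flagged minutes; a flag means 'unusual', not 'attack'."""
    mean = statistics.mean(baseline)
    sd = statistics.stdev(baseline)
    threshold = mean + k * sd
    return [i for i, count in enumerate(observed) if count > threshold]


def demo() -> dict:
    baseline = [20, 22, 19, 21, 20, 18, 22, 21]   # constructed "normal" requests per minute
    observed = [21, 23, 19, 120, 22]              # constructed: minute 3 shows a burst
    return {
        "signature": signature_alerts(),
        "statistical": statistical_alerts(observed, baseline),
    }


if __name__ == "__main__":
    result = demo()
    for minute, src, name in result["signature"]:
        print(f"minute {minute}: NIDS: ALARM!!! {name} from {src}")
    print("statistically unusual minutes:", result["statistical"])
```

The baseline here has a mean of about 20.4 and a sample standard deviation of about 1.4, so the threshold is roughly 24.6: the count of 23 is tolerated and only the 120-request minute is flagged. Tuning k trades missed bursts against false alarms, which is the "(or maybe not)" on the slide.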

  39. Hacking Defense: Evaluating Applications
  • Unified Threat Management = SuperFirewall = firewall + IPS + anti-virus + VPN capabilities
  • Concerns are redundancy and bandwidth.
  • Blacklist = restrict access to particular web sites, e.g., social, email sites
  • Whitelist = permit access to only a limited set of web sites.

  40. Hacking Defense: Honeypot & Honeynet
  Honeypot: A system with a special software application which appears easy to break into
  Honeynet: A network which appears easy to break into
  • Purpose: Catch attackers
  • All traffic going to honeypot/net is suspicious
  • If successfully penetrated, can launch further attacks
  • Must be carefully monitored
  [Diagram: Firewall in front of a DMZ holding Honey Pot, External DNS, VPN Server, IDS, Web Server, E-Commerce]

  41. Hacking Defense: Vulnerability Assessment
  • Scan servers, work stations, and control devices for vulnerabilities
  • Open services, patching, configuration weaknesses
  • Testing controls for effectiveness
  • Adherence to policy & standards
  • Penetration testing

  42. Step 5: Draw Network Diagram (Workbook)
  [Diagram: Internet → Router → Demilitarized Zone (External DNS, Public Web Server, E-Commerce, Email) → Firewall → Zone 1: Student Labs & Files; Zone 2: Faculty Labs & Files; Zone 3: Confidential Data (Student Scholastic, Student Billing, Student History; Student Records, Student Billing, Transcripts)]

  43. Path of Logical Access: How would access control be improved?
  [Diagram: The Internet, Border Router/Firewall, De-Militarized Zone, Router/Firewall, WLAN, Private Network]

  44. Protecting the Network
  [Diagram: The Internet → Border Router: Packet Filter → De-Militarized Zone with Bastion Hosts → Proxy server firewall → Private Network; WLAN]

  45. University Scenario: Dual in-line Firewalls

  46. Writing Rules
  [Diagram: Policies and Network Filter Capabilities feed Write Rules; Audit Failures lead to Corrections; the result is a Protected Network]
  Fail-Safe: If the filter fails, it fails closed.
  Default Deny: If a specific rule does not apply, the packet is dropped.

  47. Firewall Configurations
  Packet Filtering (router between terminal and host):
  • Packet header is inspected
  • Single packet attacks caught
  • Very little overhead in firewall: very quick
  • High volume filter firewall
  Stateful Inspection:
  • State retained in firewall memory
  • Most multi-packet attacks caught
  • More fields in packet header inspected
  • Little overhead in firewall: quick firewall
  [Diagrams: terminal, firewall and host, with packet A passing straight through]

  48. Firewall Configurations
  Circuit-Level Firewall:
  • Packet session terminated and recreated via a Proxy Server
  • All multi-packet attacks caught
  • Packet header completely inspected
  • High overhead in firewall: slow firewall
  Application-Level Firewall:
  • Packet session terminated and recreated via a Proxy Server
  • Packet header completely inspected
  • Most or all of application inspected
  • Highest overhead: slow & low volume firewall
  [Diagrams: terminal, proxy firewall and host; session A from the terminal is terminated at the proxy and recreated as session B to the host]
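What "state retained in firewall memory" buys over plain packet filtering (slides 47 and 48) is easiest to see with return traffic such as the "Web Response" on slide 22. The following added example (not from the slides; addresses and ports are constructed) compares a stateless rule that must admit every inbound packet from TCP port 80 with a stateful filter that admits a response only when it matches a request it saw leave.

```python
"""Stateless vs. stateful handling of return traffic (added example for slides 47/48).
Not from the slides: the client, server addresses and ports are constructed."""
from typing import Set, Tuple

# One tracked connection: (client ip, client port, server ip, server port).
Conn = Tuple[str, int, str, int]


def stateless_permits_reply(src: str, sport: int, dst: str, dport: int) -> bool:
    """A stateless rule for web responses has to admit any inbound packet from TCP port 80
    to an internal address, because it cannot tell a genuine reply from an unsolicited one.
    (The 10. prefix check is a constructed stand-in for the internal range.)"""
    return sport == 80 and dst.startswith("10.")


class StatefulFilter:
    """Remembers outbound requests; only replies that reverse a remembered tuple get in."""

    def __init__(self) -> None:
        self.table: Set[Conn] = set()

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> bool:
        # Record the connection so its reply can be recognised later.
        self.table.add((src, sport, dst, dport))
        return True

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> bool:
        # A reply runs server -> client, so look up the reversed tuple.
        return (dst, dport, src, sport) in self.table

    def close(self, src: str, sport: int, dst: str, dport: int) -> None:
        # Once the session ends, further "replies" are no longer expected.
        self.table.discard((src, sport, dst, dport))


def demo() -> dict:
    fw = StatefulFilter()
    fw.outbound("10.1.1.5", 40000, "198.51.100.20", 80)       # internal client's web request
    genuine = ("198.51.100.20", 80, "10.1.1.5", 40000)        # reply to that request
    unsolicited = ("198.51.100.99", 80, "10.1.1.5", 40000)    # "web response" nobody asked for
    results = {
        "stateless_genuine": stateless_permits_reply(*genuine),
        "stateless_unsolicited": stateless_permits_reply(*unsolicited),
        "stateful_genuine": fw.inbound(*genuine),
        "stateful_unsolicited": fw.inbound(*unsolicited),
    }
    fw.close("10.1.1.5", 40000, "198.51.100.20", 80)
    results["stateful_after_close"] = fw.inbound(*genuine)
    return results


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case}: {'permit' if permitted else 'deny'}")
```

The stateless filter lets both responses through; the stateful one admits only the response that matches a tracked request, and nothing once the session is closed. The cost is the state table itself, which is the "overhead" the slides weigh against the extra multi-packet attacks caught.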

  49. Summary of Controls
