Internal Networks and Physical Attacks By Rohini Yadla ISQS 6342
Introduction
• Working in conjunction with the FBI, the Computer Security Institute (CSI), a San Francisco-based association of IT security workers, recently released the results of its annual membership survey on cyber crime.
• Among the findings: 359 of CSI's 538 member firms, government agencies and universities lost more than $50 million in 2000 as a direct result of unauthorized insider access and abuse of corporate IT systems.
• All told, 91% of all member institutions surveyed reported some sort of insider abuse of network access during the past year.

Survey and Statistics
According to the Computer Security Institute/FBI report "Issues and Trends: 2001 CSI/FBI Computer Crime and Security Survey":
• 78% of the companies surveyed reported insider abuse.
• 65% reported laptop theft.
• 44% reported unauthorized access.
• 18% reported theft of proprietary information.
In spite of rising computer crime rates, very few companies seal off their networks and lock up their laptops.

The Problem
• The mantra of successful e-business around the globe is getting louder and louder. In order to provide global, instant access to key corporate data, corporations are increasing their commitment to e-business.
• The underlying infrastructure that supports this e-business capability is based on open systems and ubiquitous networks.
• Because these systems are built to be open, they are teeming with security holes and weaknesses ready to be exploited by employees, consultants or even hackers.
• Companies operating Web sites for enhanced communications or e-commerce risk denial of service, spoofing or defacement of their Web facility through Web-site breaches or DNS circumvention. While firewalls and virtual private networks (VPNs) offer adequate perimeter and access controls, internal, remote and even authenticated users can still attempt probing, misuse or malicious acts.

Technical Weaknesses
The technology deployed in a network can introduce many weak points:
• Improperly configured firewall gateways or servers with well-known (or non-existent) root passwords.
• Multiple passwords.
• Remote access.
• Packet filtering devices.
• Lack of compartmentalization.
• Unsecured data.

Firewalls
• While developing and deploying web-based applications, organizations secure their networks with technologies such as firewalls.
• Firewalls can be deployed at critical network junctions to manage access between major network segments, in an attempt to foil malicious employees.
• A firewall validates Transmission Control Protocol (TCP) sessions, and in some products UDP sessions, before opening a connection or circuit through the firewall.
• The state of the session is monitored, but any kind of data coming through the firewall while the session remains open is allowed, creating a security hole.
• Usually, a lack of engineering resources leaves the firewall misconfigured.

Firewalls
• Many customers do not want to open additional ports through firewalls. Sites allow HTTP and SMTP through the firewall while blocking all other communications.
• Other sites depend on proxy servers for outbound sessions such as FTP, Telnet and Gopher.
• Some application programmers know about these limitations and are afraid to ask the firewall administrators to open a new port for a proprietary protocol between two enterprise sites. One trick is to write the application so that the endpoints communicate on port 80 (the HTTP port!).
• Essentially, the developers are using port 80 as a general-purpose hole through which to punch private protocols.

Firewalls
Fig 1: Corporate security systems often deploy a "demilitarized zone" to protect internal networks. Two firewalls surround the Web servers, keeping the company's internal networks behind both firewalls while still allowing access to outside Web sites.

Multiple Passwords
• As organizations deploy business-critical applications and remote access servers, and divide work groups by LAN servers, users are expected to remember and be responsible for more and more passwords.
• The effect of too many passwords is weakened security, because users start writing them down, and because LAN administrators have to administer multiple password management systems for each user.
• A more secure approach is a single sign-on system, which provides a centralized access control list.
• Single sign-on systems keep a list of who is authorized to access different areas of the network. The systems use a directory to store the names, passwords and access controls for each user and system resource.
• Users need only remember a single password to sign into the system.
• This provides a single point of entry for administration, further tightening security.

Remote Access
• The biggest single weak point in security for internal networks occurs in remote access implementations: pools of dial-in modems ready to provide access to corporate network resources and administration.
• Freely available "war-dialers", programs that dial a programmed list of numbers and try to gain access to information, make modem pools a weak link in the security architecture.
• Even without correct names and passwords, many remote access servers reveal host names or LAN router prompts.
• There are many ways to secure a remote access system, including placing all modems in a modem pool behind a firewall that requires users to authenticate before gaining access to the network.
• Encryption is another mechanism that protects traffic between user machines.

Packet Filtering Devices
• Packet filtering devices such as routers use packet filtering rules to grant or deny access based on source address, destination address and port.
• The source address, destination address and ports contained in the IP packet header are the only information available to the router in deciding whether or not to permit traffic access to an internal network.
• They offer minimal security at a minimal cost and are an appropriate choice for a very low-risk environment.
• They do not protect against IP or DNS spoofing. An attacker will have direct access to any host on the internal network once the router has granted access.
• In order to grant access to valuable corporate assets only to those who need them and deny everything else, evaluation of the existing routing and switching tables is necessary.

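The following is an added example, not part of the original slides: a first-match packet filter that, like the router rules described above, decides only on source address, destination address and port. Run against a constructed packet that carries a forged internal source address, it shows why such a filter does not stop IP spoofing, and it goes one step past the slide by adding an ingress-interface check that rejects internal addresses arriving from outside. The addresses, the `in_iface` attribute and the rule layout are assumptions for illustration, not any vendor's syntax.

```python
"""Added example (not from the slides): an address/port packet filter and the
spoofing gap it leaves. Addresses, interface names and rule layout are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP taken from the packet header
    dst: str        # destination IP taken from the packet header
    dport: int      # destination port
    in_iface: str   # interface the packet arrived on ("ext" or "int"); constructed attribute


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src_net: str                     # CIDR the source address must fall in
    dst_net: str                     # CIDR the destination address must fall in
    dport: Optional[int] = None      # None matches any destination port
    in_iface: Optional[str] = None   # None = classic filter that ignores the ingress interface

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything that matches no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


INTERNAL = "10.0.0.0/8"       # constructed internal address space
WEB_SERVER = "10.0.5.10/32"   # constructed address of the public web server

# Classic ruleset: only addresses and ports are consulted, as on the slide.
CLASSIC_RULES = [
    Rule("permit", INTERNAL, INTERNAL),           # internal hosts may talk to each other
    Rule("permit", "0.0.0.0/0", WEB_SERVER, 80),  # anyone may reach the web server on 80
]

# Same rules preceded by an anti-spoofing rule: a packet claiming an internal
# source address but arriving on the external interface is dropped first.
ANTI_SPOOF_RULES = [Rule("deny", INTERNAL, "0.0.0.0/0", in_iface="ext")] + CLASSIC_RULES

# Constructed packets.
LEGIT_INTERNAL = Packet("10.0.0.7", "10.0.1.20", 445, "int")   # internal host to file server
SPOOFED = Packet("10.0.0.7", "10.0.1.20", 445, "ext")          # forged internal source, from outside
PUBLIC_WEB = Packet("203.0.113.5", "10.0.5.10", 80, "ext")     # outside client to web server
PUBLIC_SMB = Packet("203.0.113.5", "10.0.1.20", 445, "ext")    # outside client to file server

if __name__ == "__main__":
    for name, pkt in [("legit internal", LEGIT_INTERNAL), ("spoofed", SPOOFED),
                      ("public web", PUBLIC_WEB), ("public smb", PUBLIC_SMB)]:
        print(f"{name:15s} classic={filter_packet(CLASSIC_RULES, pkt):7s}"
              f"anti-spoof={filter_packet(ANTI_SPOOF_RULES, pkt)}")
```

The classic ruleset permits the spoofed packet because, as the slide says, the header fields are all the router has to go on; the anti-spoofing rule works only because it consults something outside the header (the interface the packet arrived on), which is what an ingress filter on the border router adds.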
Compartmentalization
• Many organizations allow access from any user to any resource on the corporate network.
• Dividing the network into segments, such as human resources, engineering, manufacturing, sales and others, protects assets from unauthorized users. This is readily achieved by using firewall technology to control traffic within the workgroups and departments.
• For example, compartmentalization that provides extra measures of security between external servers, such as the web and commerce servers, and the internal servers and databases is a good idea.
• A secure operating environment and strict networking and access controls would be appropriate for any server that is exposed to public use and has access to internal databases.

Unsecured Data
• Business requirements are driving IT initiatives to take advantage of web-based standards and to extend services to both internal constituents and business partners. However, by extending the availability of internal applications, companies also increase their exposure to threats from trusted as well as unknown users attempting to probe and potentially cripple or corrupt these applications.
• Sensitive data, including salary information, strategic plans and intellectual property, requires extra protection.
• Yet on many internal networks, it is accessible by anyone on the network.
• Advanced operating environments provide multiple levels of file protection and logging utilities to track users who access, or attempt to access, the data.

Network Security Solution Requirements
• In order to protect an organization's most critical internal assets, one must deploy a solution that secures the infrastructure at its foundation: the network level. The solution should have certain critical capabilities. It should be able to:
• Instantaneously terminate a session or packet that is requesting a service or destination outside the parameters defined for that machine.
• Lock down a machine, network segment or network if a system that houses your valued assets is being pinged, probed or accessed in violation of network security policy.
• Generate logs so that you can evaluate the point of origin and identify the specific attack patterns.
• Require minimal administration and act as a proactive protector of the network after initial set-up and deployment.
• Be centrally managed.
• Operate in stealth mode, "passively" monitoring traffic across the network without impact on network performance.

Layered Security
• The layered security approach is one of the most widely agreed-upon strategies among information security experts. It promotes the use of multiple technologies to thwart hackers and malicious employees from gaining access to key corporate assets. The approach was developed when many companies that had deployed firewall technology found their organization had been compromised. It became clear that:
• Firewalls can be bypassed or directly defeated.
• Many devastating attacks were originating from inside the firewall, bypassing that security measure.
• Additional layers of security that operate in a stealth mode are needed to protect critical assets in those situations where a firewall is defeated.

Vulnerabilities
• Firewalls, anti-virus software and Internet filtering tools remain the most prevalent forms of defense for an organization. However, 85% of the organizations that reported security breaches in 2002 had deployed these types of technologies. Clearly, a more robust solution is needed.
• The advent of the Internet brought an accelerated demand for firewalls and, possibly, the mistaken conclusion that firewalls provide an airtight perimeter defense. Among the security problems:
• Firewalls do not monitor authorized users' actions.
• Firewalls control perimeter access and therefore do not address internal threats.
• Firewalls must guarantee some degree of access, which may allow for vulnerability probing.
• Firewall policies may lag behind environment changes, which leaves room for possible entry and attack.
• Hackers who use social engineering to gain trusted access often circumvent firewall policies.
• Firewalls do not prevent the use of unauthorized or unsecured modems as a means to enter or leave a network.

Vulnerabilities
• The use of encryption and VPNs offers a formidable vehicle to protect and transport sensitive application data. Encryption teamed with public- or private-key authentication offers the user, sender and receiver non-repudiation, reliability and integrity of the application data. However, only the application data and the transport mechanism are secured from unauthorized eyes. All other traffic remains open, unprotected and unmonitored, including user actions.
• Most operating systems, applications and network devices generate some form of audit trail, requiring a security administrator to review the audit logs for suspicious events. Unfortunately, such manual processes do not scale given limited, trained security personnel and frenzied network moves, adds and changes. Security scanners, probes and policy assessment tools are adept at finding:
• Known operating system or application defects.
• Misconfigurations that pose exposure to tampering.
• System and application configurations.
• Operations that are counter to corporate policy.

Security Scanner
• A scanner is a program that automatically detects security weaknesses in a remote or local host.
• System administrators can strengthen the security of their networks by scanning them. The primary attributes of a scanner should be:
• The capability to find a machine or network.
• The capability to find out what services are being run on the host (once having found the machine).
• The capability to test those services for known holes.
• Check for security alerts/vulnerabilities.
• Detect unnecessary shares.
• Detect unnecessary open ports.
• Detect new security holes using scheduled scan comparisons.
• Check for unused user accounts on workstations.
• Check password policy and strength.

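As an added example (not from the slides or from any of the scanner products they name), the following code implements the "scheduled scan comparisons" attribute from the list above: two scan reports are parsed and diffed so that ports, shares and accounts that appeared since the baseline stand out. The one-finding-per-line report format and the two sample reports are constructed for the example; a real scanner's output would need its own parser.

```python
"""Added example (not from the slides): diffing two scheduled scan reports to
surface new exposures. Report format and sample data are constructed."""
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]          # (kind, value), e.g. ("port", "445/tcp")
Report = Dict[str, Set[Finding]]   # host -> set of findings
Delta = Dict[str, List[Tuple[str, str, str]]]   # "new"/"closed" -> [(host, kind, value)]


def parse_report(text: str) -> Report:
    """Parse 'host<TAB>kind<TAB>value' lines; blank lines and '#' comments are skipped."""
    report: Report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, kind, value = line.split("\t", 2)
        report.setdefault(host, set()).add((kind, value))
    return report


def compare_reports(baseline: Report, current: Report) -> Delta:
    """Return findings new since the baseline and findings that went away.

    A host missing from one report is treated as having no findings there, so a
    host that first appears in the current scan shows every finding as new.
    Results are sorted so the output is stable across runs."""
    new, closed = [], []
    for host in set(baseline) | set(current):
        before = baseline.get(host, set())
        after = current.get(host, set())
        new.extend((host, k, v) for k, v in after - before)
        closed.extend((host, k, v) for k, v in before - after)
    return {"new": sorted(new), "closed": sorted(closed)}


# Constructed sample reports from two scheduled scans of the same segment.
BASELINE = """\
# scan 1 (baseline)
10.0.1.20\tport\t139/tcp
10.0.1.20\tport\t445/tcp
10.0.1.20\tshare\tFinance$
ws-07\tport\t135/tcp
ws-07\taccount\tjsmith
"""

CURRENT = """\
# scan 2 (one week later)
10.0.1.20\tport\t445/tcp
10.0.1.20\tport\t3389/tcp
10.0.1.20\tshare\tFinance$
10.0.1.20\tshare\tBackup
ws-07\tport\t135/tcp
ws-07\taccount\tjsmith
ws-07\taccount\ttemp_admin
"""


def scan_delta() -> Delta:
    """Diff the two constructed reports."""
    return compare_reports(parse_report(BASELINE), parse_report(CURRENT))


if __name__ == "__main__":
    delta = scan_delta()
    for host, kind, value in delta["new"]:
        print(f"NEW     {host:12s} {kind:8s} {value}")
    for host, kind, value in delta["closed"]:
        print(f"CLOSED  {host:12s} {kind:8s} {value}")
```

On the sample data the diff flags a newly opened 3389/tcp, a new share and a new account, which is the kind of change an administrator wants to review before a scheduled scan quietly becomes the new baseline.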
Scanners
• Retina is a network security scanner and monitor that helps discover and fix all known security vulnerabilities on the network. It includes easy-to-navigate reporting tools to help with prioritizing.
• http://www.eeye.com/html/Products/Retina/index.html
• It can scan every machine on the network, including a variety of operating system platforms (e.g. Windows, Unix, Linux), networked devices (e.g. firewalls, routers, etc.) and databases.
• After scanning, Retina delivers a comprehensive report that details all vulnerabilities and appropriate corrective actions and fixes.

Scanners
• GFI LANguard Network Security Scanner automatically detects security vulnerabilities on a network, giving administrators a "hacker's eye view" of their network and enabling them to discover any security holes before a malicious user can exploit them. GFI LANguard Network Security Scanner scans entire networks for vulnerabilities, creates reports and can remotely install security patches. http://www.gfi.com/lannetscan/
• It provides in-depth information about all machines and devices, scans your entire network IP by IP, and reports information such as the service pack level of the machine, missing security patches, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, and users and groups.
• Scan results are output to an HTML report, which can be customized/queried, enabling you to proactively secure your network, for example by shutting down unnecessary ports, closing shares, installing service packs etc.

Intrusion Detection Systems (IDS)
• Intrusion detection refers to network or host monitoring and traffic analysis tools. These permit network operators and security specialists to protect their networks and hosts against unauthorized use.
• To accomplish this, a network device or software agent is placed on critical segments of the network. The device monitors the network traffic and identifies activity that matches suspicious or attack signatures. Once a suspicious or malicious attack pattern is spotted, the system logs, notifies and, in some cases, terminates the session.
• Intrusion detection utilities can be installed to alert the security administrators when there are attempts to access key files, or when there are multiple failed attempts to log into any system on the network, including the remote access server.
• An IDS attack signature or policy consists of any pattern that constitutes exploiting a known security defect or executing a corporate security violation. These patterns are then monitored within the network data or on a host. The level of sophistication of attack identification ranges from single violations, through events over time that comprise a violation, to sequential actions that comprise a violation.

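The following is an added example, not code from the slides or from any IDS product: a small host-based rule engine run over constructed log lines, with one rule for each of the three levels of sophistication the slide describes. A single event (reading a key file) alerts on its own; events over time (repeated failed logins from one source inside a window) alert once a threshold is reached; and a sequence (a failed login followed shortly by a successful one from the same source) alerts as a pattern. The log format, the thresholds, the list of key files and the alert names are all assumptions for the example.

```python
"""Added example (not from the slides): a host-based IDS rule engine with a
single-event rule, a count-over-time rule and a sequence rule. Log format,
thresholds and key-file list are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
KEYFILE_RE = re.compile(r"audit: user (?P<user>\S+) opened (?P<path>\S+)")

KEY_FILES = {"/etc/shadow", "/srv/hr/salaries.xls"}   # constructed list of key files
BRUTE_THRESHOLD = 3                                  # failures from one source ...
BRUTE_WINDOW = timedelta(seconds=60)                 # ... inside this window
SEQ_WINDOW = timedelta(seconds=120)                  # failure followed by success within this

Alert = Tuple[str, str, str]   # (rule name, host, detail)


def detect(lines: List[str]) -> List[Alert]:
    """Run all three rules over the log lines, in order, and collect alerts."""
    alerts: List[Alert] = []
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    last_failed = {}                # src -> timestamp of the most recent failure
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # unparsable line; a real agent would count these too
        ts = datetime.fromisoformat(m["ts"])
        host, msg = m["host"], m["msg"]

        # Rule 1 (single violation): any read of a key file is an alert by itself.
        k = KEYFILE_RE.search(msg)
        if k and k["path"] in KEY_FILES:
            alerts.append(("KEY_FILE_ACCESS", host, f"{k['user']} {k['path']}"))

        # Rule 2 (events over time): N failed logins from one source inside the window.
        f = FAILED_RE.search(msg)
        if f:
            src = f["src"]
            last_failed[src] = ts
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > BRUTE_WINDOW:
                q.popleft()   # forget failures that fell out of the window
            if len(q) >= BRUTE_THRESHOLD:
                alerts.append(("BRUTE_FORCE", host,
                               f"{src} {len(q)} failures in {int(BRUTE_WINDOW.total_seconds())}s"))
                q.clear()     # one alert per burst, not one per extra failure

        # Rule 3 (sequence): a success from a source that failed shortly before.
        a = ACCEPTED_RE.search(msg)
        if a and a["src"] in last_failed and ts - last_failed[a["src"]] <= SEQ_WINDOW:
            alerts.append(("GUESS_SUCCEEDED", host, f"{a['user']} from {a['src']}"))
            del last_failed[a["src"]]
    return alerts


# Constructed log lines (ISO timestamp, host, message).
SAMPLE_LOG = [
    "2001-05-03T10:00:01 ws-07 sshd: Failed password for admin from 10.0.0.9",
    "2001-05-03T10:00:04 ws-07 sshd: Failed password for admin from 10.0.0.9",
    "2001-05-03T10:00:09 ws-07 sshd: Failed password for root from 10.0.0.9",
    "2001-05-03T10:00:15 ws-07 sshd: Accepted password for admin from 10.0.0.9",
    "2001-05-03T10:01:00 ws-07 sshd: Failed password for jsmith from 10.0.2.4",
    "2001-05-03T10:30:00 ws-07 sshd: Accepted password for jsmith from 10.0.2.4",
    "2001-05-03T10:31:12 ws-07 audit: user jsmith opened /srv/hr/salaries.xls",
    "2001-05-03T10:31:20 ws-07 audit: user jsmith opened /home/jsmith/notes.txt",
]


def run_sample() -> List[Alert]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"{rule:16s} {host:6s} {detail}")
```

Note that the single typo-then-success by jsmith half an hour apart does not trigger the sequence rule, while the burst from 10.0.0.9 triggers both the count rule and, on the following success, the sequence rule; tuning those windows is exactly the false-alert trade-off a later slide raises as an IDS disadvantage.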
Intrusion Detection Systems (IDS)
• Network IDS: utilizes traffic analysis to compare session data against a known database of popular operating system and application attack signatures. On detection, the network IDS can react by logging the session, alerting the administrator, terminating the session and even hardening a firewall.
• A network-based IDS sits in the middle of a fixed communication path between client and server and has access to data at all layers of communication. This system bases its attack detection on a comparison of the parameters of the user's session and the user's commands to a rule base of techniques used by attackers to penetrate a system.
• Host-based IDS: analyzes operating system and application logs and events to compare system events against a database of known security violations and custom policies. The host IDS agent watches different aspects of server security such as operating system log files, access log files and application log files, as well as user-defined application policies.
• A host-based IDS architecture places agents on critical network hosts and network devices throughout the enterprise. These agents are connected to managers that are administered through a central management console.

Comparing Host-Based and Network-Based IDS
• A network-based IDS, which has no impact on the network or on network hosts, will not be able to prevent certain system attacks that may be visible at the network level. Since it can only monitor traffic that is visible to the workstation, reconfiguration of network routing may be required for switched environments.
• A host-based IDS will not be able to prevent certain network attacks, such as a SYN flood. Since it runs on a host, it is able to alleviate the network IDS constraints of at-the-system-console attacks and switched-network environments.
• Host-based IDS are also designed to facilitate host-based policy enforcement, whereas network-based IDS are more adept at identifying complex network transactions that indicate a security breach.

Intrusion Detection Systems
• GFI LANguard Security Event Log Monitor is a host-based intrusion detection system primarily designed to monitor Windows-based networks for security breaches in real time, but with enhanced flexibility to meet many other monitoring needs.
• GFI LANguard continuously scans the security event logs of all Windows NT/2000/XP machines on a network, consolidating them into a central log for fast analysis and generating detailed activity reports.
• When it identifies critical security breaches, such as network users attempting to access shares, resources and/or data they should not view, GFI LANguard sends out "real-time" alerts to administrators, thereby permitting immediate action against potential attacks and penetrations as they occur.
• http://www.gfi.com/lanselm

Intrusion Detection Systems
• GFI LANguard event log monitor has an Intrusion & Event Collection Status Monitor that displays critical/high security events as they occur on a network. Administrators are notified of a potential intrusion in real time, visually and/or via a sound.
• It also allows users to configure their own event rules and conditions for issuing alerts. These can be based on security flags, for example an attempt to access a particular file or folder, or a login failure.

Intrusion Detection Systems
• Intrusion detection is primarily focused on identifying external threats that have passed through the perimeter security to the internal network.
• These systems use very sophisticated rule sets that have been cultivated over an extensive period of time observing and identifying malicious and suspicious traffic patterns.
• These devices must be placed in specific parts of the network to truly monitor the critical traffic.
Disadvantages:
• High total cost of ownership.
• The application requires continual upgrading of the attack signature database.
• Frequent false alerts require network administrators to immediately interact with the intrusion detection system, wasting the network administrator's time.

Physical Security
• Physical security is the bedrock of any computer security system.
• There are two situations with physical security:
• Protecting the software: involves software running on conventional off-the-shelf computing equipment that incorporates little or no anti-tamper mechanisms.
• Protecting the hardware: involves hardware devices used by outsiders or other potentially untrustworthy people; these devices are often built to resist tampering.
• The above two cases converge in the problem of protecting individual workstations or laptop computers that may be subject to attack.
• The essential issue is to identify the security perimeter of a device or system.
• www.pcsafe.co.uk/

Protecting Software
• Modern server systems combine two strategies to protect themselves:
• The computers reside inside layers of physical protection.
• The server software running on the host computer uses mechanisms built into the CPU to protect the system's software from attack.
• A well-designed server site has several layers of physical protection. At each layer we identify classes of people and the type of access they have.
• Classes of people: outsiders and insiders.
• The classification of insiders versus outsiders reflects the basic element of physical security; insiders are allowed to freely enter the corporate premises and outsiders are not.
• The enterprise uses physical security such as locks, burglar alarms, guards and so on to ensure that outsiders stay outside except when invited in.

Protecting Software
• Types of access: users and administrators.
• Shared remote access systems like servers and mainframes rely on the distinction between users and administrators to maintain security.
• Users do not need direct, physical access to servers and mainframes, so these are generally locked away in a machine room. Entry to the machine room is restricted to administrators.
• The machine room represents the security perimeter for the computing hardware and software. Not all enterprises enforce this distinction, but most recognize it as an essential defense.
• The distinction between insiders and users is enforced by the server system itself using software-based protection mechanisms. These usually enforce an additional distinction between users and administrators, so that administrators can make fundamental changes to the system that users cannot.

Protecting Software
• The CPU's protection mechanisms generally provide a kernel mode, used by the OS or the timesharing system, and a restricted user mode for executing application programs.
• Software running in kernel mode is responsible for running the rest of the software safely and securely.

Protecting Workstations
• Workstations are highly vulnerable to attack, since attackers can steal sensitive data or modify critical information.
• Even if the workstation's software attempts to prevent unauthorized use, two types of threats exist.
• OS substitution attack
• Most workstations will allow someone to boot an operating system from a different disk, such as a CD-ROM or a diskette. This capability is provided for administrative or maintenance purposes.
• Attackers can use it to boot an OS that is configured with access control protections disabled. They can then read and modify files on the workstation even if its standard OS has placed protections on those files.

Protecting Workstations
• OS substitution attack
• Workstations implement a BIOS password to protect against such attacks. The password is stored in the workstation's start-up configuration, combined with instructions to boot the workstation from a particular hard drive. Attackers can redirect the boot operation only if they know the password.
• However, the BIOS password feature is not a foolproof solution. Most systems arrive with a predefined BIOS password, and many administrators fail to change it to a new and unpredictable password.
• The BIOS password is stored in a special RAM powered by a battery. The attacker can wipe out the password in many ways. For example, if the computer is running, the attacker could install and run a program that clears the BIOS RAM. Otherwise the attacker could zero the RAM by shutting off its power, either by physically removing the battery or by shorting it out.
• I/O bus attack
• In this case, the attacker attacks at the hardware level. Essentially, the attackers can make complete copies of the workstation's hard drives. Given sufficiently sophisticated tools, the attacker can also modify files, bypassing the software and BIOS entirely.

Protecting Hardware
• Hardware protection tries to enforce a security perimeter in the absence of people to guard that perimeter.
• Hardware protection generally serves two purposes:
• It protects the base secret and some portion of the authentication process from theft, modification or other interference by blocking it from direct access by an attacker.
• It detects attacks on itself, so it can take steps to protect the base secret from disclosure.
• Password tokens provide this protection in practice. Under ideal circumstances a key card system must be used along with a personal PIN. Attackers who try to use the device must comply with its built-in capabilities and cannot simply extract a base secret unless the token contains a function to do so.
• The system considers itself under attack if someone tries to use it without providing the right password (or PIN). Persistent attacks will cause some devices to erase the base secret, while others simply introduce longer and longer delays into processing.

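As an added example (not from the slides, and not any real token's firmware), the following models the two behaviours the slide describes for a PIN-protected password token. The base secret is only ever used inside the token to answer a challenge and is never exported; a wrong PIN counts as an attack, and the token either erases the base secret after a fixed number of failures ("wipe" policy) or imposes a lockout that doubles on every failure ("delay" policy). The clock is passed in so the behaviour can be exercised without sleeping; the failure count, delays and the HMAC-SHA256 challenge response are assumptions for the example.

```python
"""Added example (not from the slides): a PIN-protected token that never exports
its base secret and answers persistent wrong PINs by wiping or delaying.
Policies, counts and the challenge-response construction are assumptions."""
import hashlib
import hmac
from typing import List, Optional, Tuple


def expected_response(base_secret: bytes, challenge: bytes) -> bytes:
    """What a verifier holding the same base secret expects back (HMAC-SHA256)."""
    return hmac.new(base_secret, challenge, hashlib.sha256).digest()


class PinToken:
    """Model of a PIN-protected token: the base secret is used internally, never returned."""

    def __init__(self, base_secret: bytes, pin: str, policy: str = "wipe",
                 max_failures: int = 3, base_delay: float = 1.0):
        if policy not in ("wipe", "delay"):
            raise ValueError("policy must be 'wipe' or 'delay'")
        self._secret: Optional[bytes] = base_secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.policy = policy
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.failures = 0
        self.locked_until = 0.0   # point on the injected clock before which use is refused

    def wiped(self) -> bool:
        return self._secret is None

    def respond(self, pin: str, challenge: bytes, now: float) -> Tuple[str, Optional[bytes]]:
        """Answer a challenge if the PIN is right.

        Returns (status, response); status is "ok", "wrong", "locked" or "wiped",
        and only on "ok" is a response (never the secret itself) handed out."""
        if self._secret is None:
            return "wiped", None
        if now < self.locked_until:
            return "locked", None
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.failures += 1
            if self.policy == "wipe" and self.failures >= self.max_failures:
                self._secret = None   # base secret destroyed; no recovery path exists
                return "wiped", None
            if self.policy == "delay":
                # Lockout doubles with each failure: 1 s, 2 s, 4 s, ...
                self.locked_until = now + self.base_delay * (2 ** (self.failures - 1))
            return "wrong", None
        self.failures = 0
        return "ok", expected_response(self._secret, challenge)


def demo_wipe() -> List[str]:
    """Three wrong PINs against a 'wipe' token; the right PIN afterwards is too late."""
    t = PinToken(b"\x01" * 16, "4711", policy="wipe", max_failures=3)
    attempts = ["0000", "1111", "2222", "4711"]
    return [t.respond(p, b"challenge", now=float(i))[0] for i, p in enumerate(attempts)]
    # -> ["wrong", "wrong", "wiped", "wiped"]


def demo_delay() -> List[str]:
    """Wrong PINs against a 'delay' token; the right PIN only works once the lockout expires."""
    t = PinToken(b"\x02" * 16, "4711", policy="delay", base_delay=1.0)
    schedule = [("0000", 0.0), ("4711", 0.5), ("0000", 1.0), ("4711", 2.0), ("4711", 3.0)]
    return [t.respond(pin, b"challenge", now=now)[0] for pin, now in schedule]
    # -> ["wrong", "locked", "wrong", "locked", "ok"]


if __name__ == "__main__":
    print("wipe policy :", demo_wipe())
    print("delay policy:", demo_delay())
```

The two policies trade off differently: wiping stops guessing outright at the cost of a denial-of-service risk for the legitimate holder, while growing delays keep the token usable but only slow an attacker down, which is why the slide describes both as responses to the same "under attack" condition.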
Physical Security
• The last aspect of physical security is that of the networking cables. Anyone with access to the corporate premises can easily tap into an Ethernet line and sniff the network. Some of the techniques that can be used to minimize the possibility of a user tapping into the system with a network sniffer are:
• Encryption of all sensitive data. However, encryption increases the amount of bandwidth required.
• Using promiscuous mode detection software. Software like AntiSniff can detect systems on the network that are operating in promiscuous mode.
• http://www.securiteam.com/tools/AntiSniff_-_find_sniffers_on_your_local_network.html

References
• Authentication: From Passwords to Public Keys; Richard E. Smith
• Intrusion Detection: Network Security Beyond the Firewall; Terry Escamilla
• Intranet Firewalls: Planning and Implementing Your Network Security System; Scott Fuller & Kevin Pagan
• http://www.cigital.com/paynereport/archive/apr2001.php
• http://www.palisadesys.com/resources/suitewhitepaper.pdf
• http://www.itoc.usma.edu/ragsdale/Pubs/humphries.pdf
• http://www.gfi.com/lanselm
• http://www.ion-networks.com/assets/pdf/ION_article.pdf
• http://www.sensorsmag.com/isensors/dec01/8/pf_main.shtml
• http://www.eeye.com/html/products
• http://www.bmc.com/technews/993/993tn7.html
• http://www.computerworld.com/securitytopics/security
• http://www.hpcc-usa.org/pics/02-pres/wright.ppt
• http://www.infotoday.com/cilmag/oct98/story2.htm