Chapter 12 Network Security Modified by: Masud-Ul-Hasan and Ahmad Al-Yamani
Objectives • Understand the many processes involved with the development of a comprehensive security policy and security architecture. • Understand the importance of a well-developed and implemented security policy and associated people processes to effective security technology implementation. • Understand the concepts, protocols, etc. related to Virus Protection, firewalls, authentication, and encryption.
Business Impact • What is the impact on a business when its network security is violated by on-line thieves? • According to federal law enforcement estimates, more than $10 billion worth of data is stolen annually in the US alone. • In a single incident, 60,000 credit and calling card numbers were stolen. • 50% of computer crimes are committed by a company's current or ex-employees.
Security Policy Development Life Cycle • A method for the development of a comprehensive network security policy is known as SPDLC. • [Figure: SPDLC cycle] Identify business-related security issues → Analyze security risks, threats, and vulnerabilities → Design the security technology and architecture and the associated processes → Implement security technology and processes → Audit impact of security technology and processes → Evaluate effectiveness of current architectures and policies → (back to Identify).
Identification of Business-related Security Issues • This is the security requirements assessment. • What do we have to lose? • What do we have worth stealing? • Where are the security holes in our business processes? • How much can we afford to lose? • How much can we afford to spend on network security?
Analysis of Risks, Threats, Vulnerabilities • Information asset evaluation: what is worth protecting? • Network architecture documentation: what is the current state of the network? • How many unauthorized modems are dialing in? • Identify all assets, threats and vulnerabilities. • Determine risks and create protective measures.
Architecture and Process Design • Logical design of security architecture and associated processes. • What must be the required functionality of the implemented technology? • What business processes implemented and monitored by people must match this security architecture?
Security Technology and Process Implementation • Choose security technology based on logical design requirements. • Implement all security technology with complementary people process. • Increase overall awareness of network security and implement training. • Design ongoing education process for all employees including senior management.
Audit Impact of Security Technology & Processes • Ensure that implemented policy and technology are meeting initial goals. • Institute a method to identify exceptions to security policy standards and deal with these exceptions swiftly.
Evaluate Effectiveness of Current Architecture and Processes • Based on the results of ongoing audits, evaluate the effectiveness of the current policy and architecture in meeting high-level goals. • Adjust policy and architecture as required and renew the cycle.
Security Requirements Assessment (SRA) • A proper SRA implies that appropriate security processes and technology have been applied for any given user's or group's access to or from any potential corporate information resource.
Scope Definition and Feasibility Studies • Before proceeding blindly with a security policy development project, it is important to properly define the scope or limitations of the project. • The feasibility study provides an opportunity to gain vital information on the difficulty of the security policy development process as well as the assets (human and financial) required to maintain such a process. • One of the key issues is deciding on the balance between security and productivity.
Security vs. Productivity Balance: Lack of Security • High risk, low cost, open access, no productivity loss. • No productivity loss occurs from access restrictions. • Lack of security may ultimately have a negative impact on productivity. • Open access may lead to data loss or data integrity problems, which may lead to productivity loss.
Security vs. Productivity Balance: Over Restrictive Security • High cost, low risk, restrictive access, productivity loss. • Security needs take priority over user access. • Over restrictive security causes productivity decline. • Over restrictive security may lead to noncompliance with security processes, which may lead to loss of security.
Security vs. Productivity Balance: Optimal Balance of Security and Productivity • Balanced risk and costs. • Minimize negative impact on productivity. • Maximize security processes. • Restrictiveness of the security policy is balanced by people's acceptance of those policies.
Security vs. Productivity Balance • How to define the balance between security and productivity? • Identify assets • Identify threats • Identify vulnerabilities • Consider the risks • Identify risk domains • Take protective measures
Data/Information Classification • Unclassified/Public • Information having no restrictions as to storage, transmission, or distribution. • Sensitive • Information whose release could not cause damage to the corporation but could cause potential embarrassment or measurable harm to individuals, e.g. salaries and benefits of employees. • Confidential • Information whose release could cause measurable damage to the corporation, e.g. corporate strategic plans, contracts.
Data/Information Classification • Secret • Information whose release could cause serious damage to a corporation. E.g., trade secrets, engineering diagrams, etc. • Top secret • Information whose release could cause severe or permanent damage. Release of such information could literally put a company out of business. Secret formulas for key products would be considered top secret.
Assets • Corporate property of some value that requires varying degrees of protection. • Assets that need network security are: • Corporate data (highest priority) • Network hardware • Software • Media used to transport data
Threats • Processes or people that pose a potential danger to identified assets; they can be: • Intentional or unintentional, natural or man-made. • Network-related threats include: • Hackers • Fires • Floods • Power failures • Equipment failures • Dishonest employees • Incompetent employees
Vulnerabilities • The manner or path by which threats are able to attack assets. • Can be thought of as weak links in the overall security architecture and should be identified for every potential threat/asset combination. • Vulnerabilities that have been identified can be blocked. • After identifying vulnerabilities, the questions are: • How should a network analyst proceed in developing defenses to these vulnerabilities? • Which vulnerabilities should be dealt with first? • How can a network analyst determine an objective means to prioritize vulnerabilities?
Risks • The probability of a particular threat successfully attacking a particular asset in a given amount of time via a particular vulnerability. • By considering the risk, network analysts are able to quantify the relative importance of threats and vulnerabilities.
Assets, Risks, Protection • Multiple protective measures may need to be established between given threat/asset combinations.
Protective Measures • There might exist multiple vulnerabilities (paths) between a given asset and a given threat. • So multiple protective measures may need to be established between given threat/asset combinations. • Major categories of potential protective measures: • Virus protection • Firewalls • Authentication • Encryption • Intrusion Detection
Threats and Protective Measures (threat definitions) • Camouflage. • Spying/listening in. • An attacker is able to read, insert and modify messages between two parties. • A common technique spammers use is to configure the From line in an e-mail message to hide the sender's identity. • Modification of data through unauthorized means (e.g., while entering the data). • Trying every word in a dictionary as a possible password. • A form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed by someone who intercepts the data and retransmits it, possibly as part of a masquerade attack. • A computer program masquerading as a game or any "cute" program; when it runs it does something else, like erasing the hard drive or blocking the screen with a graphic that will not go away. • A generic class of attacks where a host, a segment, or an entire network is brought down and becomes unusable by legitimate users.
Threats and Protective Measures • Once policies have been developed, it is up to everyone to support those policies in their own way. • Having been included in the policy development process, users should also be expected to actively support the implemented acceptable use policies.
Virus Protection • Virus protection is often the first area of network security addressed by individuals or corporations. • A comprehensive virus protection plan must combine policy, people, processes, and technology to be effective. • Too often, virus protection is thought to be a technology-based quick fix.
Virus Protection • The most common microcomputer security violation. • 90% of the organizations surveyed with 500 or more PCs experience at least one virus incident per month. • Complete recovery from a virus infection costs an average of $8300 and takes 22 working days. • In Jan 1998, there were over 16,000 known viruses, with as many as 200 new viruses appearing per month.
Virus Categories • Virus symptoms, methods of infection, and outbreak mechanisms can vary widely, but all viruses share a few common behaviors. • Most viruses work by infecting other legitimate programs and causing them to become destructive or disrupt the system. • Most viruses use some type of replication method to get the virus to spread and infect other programs, systems, or networks. • Most viruses need some sort of trigger or activation mechanism to set them off. Viruses may remain dormant and undetected for long periods.
Virus Categories • Some viruses have a delayed action, which is sometimes called a bomb. E.g., a virus might display a message on a specific day or wait until it has infected a certain number of hosts. • Two main types: • Time bombs: a time bomb triggers on a particular date or time. • Logic bombs: a logic bomb triggers when the user of a computer takes an action that sets it off, e.g., running a file.
Virus Categories • File infectors: attack the executable, or program, files. • System/boot infectors: change the Master Boot Record (MBR), an area containing all statements needed to load the operating system. • Multipartite viruses: also called multi-part; attack both the boot sector and the executable (program) files at the same time. • Hostile applets: Java applets that consume resources in rude or malicious ways, so that all the CPU or memory resources of the computer are consumed. • E-mail viruses: e-mail attachments delivered with spam. • Cluster/File system viruses: change the system's File Allocation Table (FAT), an index of names and addresses of files.
Antivirus Strategies (AS) • An effective AS must include: • Policy • Procedures • Technology • AS Policies and Procedures • Identify virus infection vulnerabilities and design protective measures. • Install virus scanning software at all points of attack. • All diskettes must be scanned at a stand-alone scanning PC before being loaded onto network-attached clients or servers. • All consultants and third-party contractors should be prohibited from attaching their notebook computers to the corporate network without scanning.
AS Policies and Procedures • All vendors must run demos on their own equipment. • Shareware/downloaded software should be prohibited or controlled and scanned. • All diagnostic and reference diskettes must be scanned before use. • Write protect all diskettes with .exe, .com files. • Create a master boot record that disables write to hard drive when booting from a diskette, etc.
AS Antivirus Technology • Viruses can attack • Locally or remotely attached client platforms • Server platforms • Entrance to the corporate network via the Internet • At each entrance point, viruses must be detected and removed.
AS Antivirus Technology • Virus Scanning is the primary method for successful detection and removal. • Software most often works off a library of known viruses. • Purchase antivirus software which updates virus signatures at least twice per month. • Typically, vendors update virus signatures files every 4 hours, with hourly updates expected in near future.
AS Antivirus Technology • Emulation technology attempts to detect as yet unknown viruses by running programs within a software emulation program known as a virtual PC. • The executing program can be examined in a safe environment for any unusual behavior or other tell-tale symptoms of resident viruses. • Proactive rather than reactive. • Advantage: identification of potentially unknown viruses based on their behavior rather than by relying on identifiable signatures of known viruses.
AS Antivirus Technology • Such programs are also capable of trapping encrypted or polymorphic viruses, which constantly change their identities or signatures. • Some of these programs are also self-learning: • Their knowledge of virus-like activity increases with experience.
AS Antivirus Technology • CRC checkers or hashing checkers create and save a unique cyclic redundancy check (CRC) value or hash for each file to be monitored. • Each time the file is saved, the new CRC is checked against the reference CRC. • If the CRCs differ, the file has changed. • A program evaluates the changes to determine the likelihood that they were caused by a viral infection. • Disadvantage: only able to detect viruses after infection, which may already be too late. • Decoys: files that are allowed to be infected in order to detect and report on virus activity.
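The hashing-checker and decoy ideas from this slide, as an added example that is not from the slides or their authors: a baseline of SHA-256 digests is recorded for a monitored directory, a later pass reports files whose digest changed, and a change to a designated decoy file (one no legitimate process should ever write) is flagged separately. The directory tree, file contents and the "infection" are constructed inline so the example runs offline.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record a reference digest (the 'reference CRC') for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_digest(path)
    return baseline


def check_integrity(root, baseline, decoys=()):
    """Compare current digests with the baseline; report modified, missing and new
    files, and flag any touch of a decoy file as a strong sign of virus activity."""
    current = build_baseline(root)
    report = {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }
    touched = report["modified"] + report["missing"]
    report["decoy_hit"] = any(p in decoys for p in touched)
    return report


def demo():
    """Constructed scenario: two 'program' files plus one decoy; a simulated file
    infector appends code to one program and to the decoy."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"app.exe": b"MZ...", "tool.com": b"\xeb\x1e", "decoy.com": b"\xeb\x00"}
        for name, data in sample.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        for name in ("app.exe", "decoy.com"):           # simulated infection
            with open(os.path.join(root, name), "ab") as f:
                f.write(b"\x90\x90INFECT")
        return check_integrity(root, baseline, decoys={"decoy.com"})
```

As the slide notes, this only detects a change after the file has already been altered; pairing it with a decoy gives an early, low-false-positive signal that something is writing to executables.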
AS Antivirus Technology • Active content monitor • Used to identify viruses and malicious content such as Java applets or ActiveX controls that may be introduced via Internet connectivity. • Able to examine transmissions from the Internet in real time and identify known malicious content based on: • definition libraries • contents of reference
[Figure: points of virus attack on a network: Client PC – hub – Server; Router – INTERNET; Remote Access Users] • Point of Attack: Client PC • Vulnerabilities: infected diskettes; groupware conferences with infected documents. • Protective Measures: strict diskette scanning policy; autoscan at system start-up. • Point of Attack: Internet Access • Vulnerabilities: downloaded viruses; downloaded hostile agents. • Protective Measures: firewalls; user education about the dangers of downloading. • Point of Attack: Remote Access Users • Vulnerabilities: frequent up/downloading of data and use of diskettes increase risk; linking to customer sites increases risk. • Protective Measures: strict diskette scanning policy; strict policy about the connection to corporate networks after linking to other sites. • Point of Attack: Server • Vulnerabilities: infected documents stored by attached clients; infected documents replicated from other groupware servers. • Protective Measures: autoscan run at least once a day; consider active monitoring virus checking before allowing programs to be loaded onto the server; rigorous backup in case of major outbreak; audit logs to track down sources.
Firewalls • When a company links to the Internet, a two-way access point, out of as well as into that company's confidential information, is created. • To prevent unauthorized access from the Internet to the company's confidential data, a firewall is deployed. • The firewall runs on a dedicated server that is connected to, but outside of, the corporate network. • All network packets are filtered and examined for authorized access. • The firewall provides a layer of isolation between the inside network and the outside network.
Firewalls • Does it provide full protection? No, not if: • Dial-up modem access remains uncontrolled or unmonitored. • Incorrectly implemented firewalls may introduce new loopholes.
Firewall Architectures • There are no standards for firewall functionality, architectures, or interoperability. • As a result, users must be especially aware of how firewalls work in order to evaluate potential firewall technology purchases. • Three architectures: • Packet Filtering • Application Gateways • Circuit-level Gateways • Internal Firewalls
Packet Filtering • Every packet of data on the Internet is uniquely identified by its source and destination addresses. • E.g., the addresses in the IP header. • A filter is a program that examines the source and destination addresses of all incoming packets at the firewall server. • Filter tables are lists of addresses whose data packets and embedded messages are either allowed or prohibited from proceeding through the firewall server and into the corporate network. • Filtering is based on user-defined rules. • Also called a port-level filter or network-level filter.
Packet Filtering • Routers are also capable of filtering packets, which means an existing piece of technology can be used for dual purposes. • Dedicated packet-filtering firewalls are usually easier to configure and require less in-depth knowledge of the protocols to be filtered or examined. • But maintaining filter tables and access rules on multiple routers is not a simple task. • Packet filtering has limitations in terms of the level of security it provides. • IP spoofing is used by hackers to breach packet filters. • Since packet filters make all filtering decisions based on IP source and destination addresses, if a hacker can make a packet appear to come from an authorized or trusted IP address, then it can pass through the firewall.
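The address-based filter table from the two slides above, as an added example that is not part of the original slides: a first-match rule list keyed only on source and destination network, which illustrates why a packet claiming a trusted internal source is indistinguishable from real internal traffic, followed by the standard defender fix of adding an ingress (anti-spoofing) check on the interface a packet arrived on (RFC 2827). All addresses are constructed from the RFC 1918 / RFC 5737 example ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed filter table: (source network, destination network, action).
# First match wins; anything that matches no rule is denied.
INTERNAL_NET = ip_network("10.0.0.0/8")
FILTER_TABLE = [
    (ip_network("10.0.0.0/8"),     ip_network("10.0.0.0/8"),   "allow"),  # internal <-> internal
    (ip_network("203.0.113.0/24"), ip_network("10.0.5.10/32"), "allow"),  # partner -> web server
    (ip_network("0.0.0.0/0"),      ip_network("0.0.0.0/0"),    "deny"),   # default deny
]


def address_filter(src, dst, table=FILTER_TABLE):
    """Pure address-based packet filter: looks only at the IP header addresses,
    exactly as the slide describes, so it cannot tell a spoofed source apart."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in table:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def filter_with_ingress_check(src, dst, iface, table=FILTER_TABLE, internal=INTERNAL_NET):
    """Same filter plus an anti-spoofing rule: a packet arriving on the external
    interface may never carry an internal source address. The interface name is
    metadata the firewall knows independently of anything in the packet."""
    if iface == "external" and ip_address(src) in internal:
        return "deny"
    return address_filter(src, dst, table)
```

The point for an evaluator: the address-only filter allows the same source/destination pair regardless of where the packet came from, while the ingress check denies it on the external interface and still allows genuine internal and partner traffic.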