Security: Defense In Depth
Palestinian Land Authority
The layers of defense in depth are:
• Data. An attacker’s ultimate target, including your databases, Active Directory service information, documents, and so on.
• Application. The software that manipulates the data that is the ultimate target of attack.
• Host. The computers that are running the applications.
• Internal Network. The network in the corporate IT infrastructure.
• Perimeter (DMZ). The network that connects the corporate IT infrastructure to another network, such as to external users, partners, or the Internet.
• Physical. The tangible aspects in computing: the server computers, hard disks, network switches, power, and so on.
• Policies, Procedures, Awareness. The overall governing principles of the security strategy of any organization. Without this layer, the entire strategy fails.
Layer 1: Data Defenses
• Business data is one of the most valuable resources in many organizations. If data were to be
  • Damaged
  • Lost
  • Exposed to competitors
  many organizations would be adversely affected.
• Data is an attacker’s ultimate target, including your databases, Active Directory service information, documents, ...
• Data can be protected through the use of:
  • Access control lists (ACLs) on files and folders.
  • Encryption.
  • An effective backup and restore strategy.
Layer 2: Application Defenses
• The application security layer controls access to sensitive information and represents your company's digital presence in the world. It includes your web servers, email, e-commerce, internet services and voice.
• Applications can be protected through the use of:
  • Authentication
  • Authorization
  • Password policy
• You should restrict access to each application so that only authorized users can browse it.
• You should configure permissions on the files and folders where the content exists as restrictively as possible.
• All of the hard work that your IT team undertakes to protect your information systems at the perimeter, network, and host layers could be easily bypassed if your organization's internally developed applications are easily compromised by malicious users.
Layer 2: Application Defenses
• Server applications have the potential to be compromised by several different methods, including:
  • Denial-of-service attacks: an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer.
  • Directory traversal attacks: an HTTP exploit that allows attackers to access restricted directories and execute commands outside of the web server's root directory.
  • Buffer overflow attacks: a buffer overflow occurs when a program or process tries to store more data in a buffer than it was intended to hold. The extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer.
  • SQL injection: an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Always validate user input by testing type, length, format, and range.
    SELECT * FROM OrdersTable WHERE ShipCity = 'Nablus';drop table OrdersTable--'
  • Poorly configured network applications that expose data to unauthorized users.
  • Password guessing attacks.
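The SQL injection bullet above, worked through as an added example (not part of the original slides): the concatenated query beside a validated, parameterized one, using the slide's OrdersTable query and input. SQLite stands in for SQL Server here, and the sample rows, function names and ShipCity format rule are assumptions.

```python
import re
import sqlite3

PAYLOAD = "Nablus';drop table OrdersTable--"  # the input shown on the slide
CITY_RE = re.compile(r"[A-Za-z][A-Za-z .-]{0,39}")  # assumed format, max 40 chars

def new_db():
    # Constructed sample rows; table and column names follow the slide's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE OrdersTable (OrderId INTEGER PRIMARY KEY, ShipCity TEXT)")
    db.executemany("INSERT INTO OrdersTable (ShipCity) VALUES (?)",
                   [("Nablus",), ("Ramallah",), ("Nablus",)])
    db.commit()
    return db

def table_exists(db):
    row = db.execute("SELECT count(*) FROM sqlite_master "
                     "WHERE type = 'table' AND name = 'OrdersTable'").fetchone()
    return row[0] == 1

def lookup_vulnerable(db, city):
    # Weak form: the input is pasted into the SQL text, so a quote in `city`
    # closes the string literal and the remainder is parsed as SQL.
    # executescript() stands in for a server that accepts batched statements.
    db.executescript("SELECT * FROM OrdersTable WHERE ShipCity = '" + city + "';")

def lookup_bound(db, city):
    # Bound parameter: the value is compared as data and never parsed as SQL.
    cur = db.execute("SELECT OrderId FROM OrdersTable WHERE ShipCity = ? "
                     "ORDER BY OrderId", (city,))
    return [row[0] for row in cur.fetchall()]

def lookup_safe(db, city):
    # Type, length and format checks first (range does not apply to a name),
    # then the bound query as the control that actually stops injection.
    if not isinstance(city, str) or not CITY_RE.fullmatch(city):
        raise ValueError("invalid ShipCity")
    return lookup_bound(db, city)

if __name__ == "__main__":
    db = new_db()
    lookup_vulnerable(db, PAYLOAD)
    print("table survives concatenated query:", table_exists(db))
    db = new_db()
    print("bound query with same input:", lookup_bound(db, PAYLOAD), table_exists(db))
```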
Layer 3: Host Defenses
• Host. The computers that are running the applications: clients and servers.
• Hosts can be protected through the use of:
  • Operating system hardening.
  • Antivirus: antivirus software is installed and up-to-date.
  • Distributed firewall: a distributed firewall is installed.
  • Patch management: patches are kept up-to-date.
  • Effective auditing.
• Operating system hardening
  • Most current operating systems, such as Windows 2000, Windows XP, and Windows Server 2003, include security features at their core, including:
    • Unique names and passwords for each user.
    • Access control lists.
    • Auditing.
  • Legacy Microsoft operating systems, such as Windows 95, 98, and ME, were designed for use on small networks and for home users; they should not be present on your organization's network. Replace them with computers running Windows XP.
Layer 3: Host Defenses
• Antivirus
  • Antivirus software protects computer systems from hostile code such as computer viruses, Trojans, and worms.
  • Symantec.
  • McAfee Security.
• Distributed Firewall
  • Can help prevent attackers and network worms from compromising your client and server systems, and protect computers from spyware and Trojan horses.
  • Distributed firewalls are software firewalls installed on each individual system.
Layer 3: Host Defenses
• Patch Management
  • Patch management consists of the tools, utilities, and processes for keeping computers current with new software updates that are developed after a software product is released.
  • As part of maintaining a secure environment, organizations should have processes for applying software updates. There are technologies that help to automate the processes, such as:
    • Microsoft Systems Management Server.
    • Windows Software Update Services.
    • Microsoft Software Update Services.
  • Ensure that patches are kept up-to-date.
Layer 3: Host Defenses
• Microsoft strongly recommends the use of Group Policy as a way to distribute security settings to clients and servers. Settings that can be managed through group policies include:
  • Account lockout policies.
  • Password policies.
  • Security options.
  • Internet Explorer security settings.
  • Office macro security settings.
• Microsoft also recommends that organizations give their users the minimum privileges that they need to perform their job functions.
• Users with administrative rights may be able to bypass many of the security countermeasures you put in place.
Layer 4: Network Defenses
• A network segment consists of two or more devices that communicate with each other on the same physical or logical section of the network.
• If the segments are logical, they are referred to as virtual local area networks (VLANs).
• LANs are created by connecting either multiple network hosts or multiple network segments using the appropriate network devices.
• Database servers and domain controllers should be on a private network that is invisible from the outside.
• Domain users should not be assigned local administrator access, to avoid any unwanted software deletion or installation.
• An edge firewall (ISA) between the internal and external (Internet) networks is the best possible security measure to detect and eliminate possible security breaches in the network.
Layer 4: Network Defenses
• HOW TO SECURE THE NETWORK
  • Access to the Internet must be restricted.
  • An SMTP protection filter must be applied as well.
  • Sites containing malware and spyware must be blocked.
  • There must be a SUS (Software Update Server) implemented in the network, which will ensure the smooth installation of automatic security updates across the network.
  • To protect from external threats, firewall software must be installed on each network node to filter malicious code attacks on that node.
  • A high-performance router or a PC with a software firewall can detect these breaches and resolve them.
Layer 4: Network Defenses
• Organizations can take a number of steps to protect their internal network:
  • Securing wireless LANs.
  • Internet Protocol Security (IPSec).
  • Network segmentation.
• Securing Wireless LANs
  • Many organizations have tested the use of wireless LANs (WLANs), but their poor security record has kept a large number of organizations from deploying WLANs.
  • Requires a RADIUS (Remote Authentication Dial-In User Service) infrastructure and a Public Key Infrastructure (PKI).
Layer 4: Network Defenses
• IPSec: Internet Protocol Security
  • Protects networks from active and passive attacks by securing IP packets through the use of:
    • Packet filtering.
    • Encryption.
    • Enforcement of trusted communication.
  • IPSec is useful in host-to-host, VPN, site-to-site and secure server scenarios.
  • IPSec can be managed by using Group Policy or scripted by using command-line tools.
  • By using IPSec we can ensure that only specific machines, all using the same encryption key, can talk to one another. We can also ensure that machines without this key are not allowed to talk to machines with it.
  • This allows us to isolate trusted domain member computers from untrusted devices at the network level. It also allows trusted domain members to restrict inbound network access to a specific group of domain member computers.
IPSec: Internet Protocol Security
• One way to secure the network is by restricting who can talk to whom.
• IPSec is simply a mechanism that allows operating systems to talk securely through an encrypted channel.
• IPsec is a protocol for securing IP communications by authenticating and encrypting each IP packet of a communication session.
• IPSec has essentially two modes:
  • Transport Mode, which is used for host-to-host communications.
    • Only the payload (the data you transfer) of the IP packet is usually encrypted and/or authenticated.
  • Tunnel Mode, which is used for portal-to-portal connections.
    • The entire IP packet is encrypted and/or authenticated.
    • Tunnel mode is used to create virtual private networks for network-to-network communications, host-to-network communications (e.g. remote user access), and host-to-host communications (e.g. private chat).
IPSec protocols
• There are two IPSec protocols:
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
• Authentication Header (AH)
  • AH uses digital signatures to accomplish two goals:
    • It ensures that data is not altered while in transit.
    • It ensures that systems only communicate with other authorized systems.
  • The data is readable and it is protected from modification.
  • AH usually has a minimal effect on overall system performance.
• Encapsulating Security Payload (ESP)
  • ESP also uses digital signatures to ensure data integrity and authentication, and it also provides confidentiality by encrypting the data portion of each network packet.
  • By itself, ESP does not ensure the integrity of the IP header.
  • To protect the entire packet, you have to combine ESP with AH.
  • ESP can have a noticeable impact on system performance, especially on systems that use the network extensively.
• Organizations should select AH, ESP, or both based on their particular requirements.
Layer 5: Perimeter (DMZ) Defenses
• DMZ stands for DeMilitarized Zone.
• DMZ: “A network added between a protected network and an external network in order to provide an additional layer of security.”
• Any service that is being provided to users on the external network can be placed in the network perimeter:
  • Web servers
  • E-mail servers
  • DNS servers
• If you are running a Web server on your LAN, put it on a DMZ. If your router doesn't have a DMZ, get a new router.
• Properly configured firewalls and border routers are the cornerstone of perimeter security.
• Network Access Quarantine Control, a new feature in the Microsoft Windows Server™ 2003 family, helps reduce the risk of infection from mobile systems by delaying normal remote access to a private network until the configuration of the remote access client has been examined and validated by an administrator-provided script.
• Personal Firewalls for Remote Laptops
  • Traditional packet-filtering firewalls are great at blocking network ports and computer addresses.
Single firewall
• A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ.
• The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface.
• The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network.
Dual firewalls
• A more secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network.
• Some recommend that the two firewalls be provided by two different vendors. If an attacker manages to break through the first firewall, it will take more time to break through the second one if it is made by a different vendor. (This architecture is, of course, more costly.)
Network Security Password Policy
• Passwords should include non-alphanumeric characters, such as - @#$.
• Passwords should not be dictionary words.
• They should be completely random in their composition. Family names, pet names and so on are definitely out.
• Automatic password generators can be implemented to avoid staff thinking up easy-to-hack passwords.
• Passwords should expire; the shorter the expiry time the better.
• Users should not be allowed to use the same password twice within a given period of time.
• A minimum acceptable length for a password should also be set. The longer the password, the harder it is to crack.
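One way to enforce the composition, dictionary, reuse and minimum-length rules above, together with a generator, as an added example (not part of the original slides). The minimum length, history depth, word list and all function names are assumptions; the reuse check compares salted PBKDF2 hashes so old passwords are never stored in clear text.

```python
import hashlib
import hmac
import os
import secrets
import string

MIN_LENGTH = 12      # assumed value; the slide only says a minimum should be set
HISTORY_DEPTH = 5    # assumed: how many previous passwords block reuse
DICTIONARY = {"password", "welcome", "football", "jerusalem"}  # constructed word list

def hash_password(password, salt=None):
    # Store (salt, digest) pairs in the history, never the password itself.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def reused(password, history):
    # Re-hash the candidate under each stored salt; compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False

def policy_violations(password, history):
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if all(c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    # Strip digits and symbols first so "Password1!" still counts as a word.
    letters = "".join(c for c in password.lower() if c.isalpha())
    if letters in DICTIONARY:
        problems.append("dictionary word")
    if reused(password, history):
        problems.append("reused")
    return problems

def generate_password(length=16):
    # Draw from a CSPRNG and retry until the candidate passes the policy.
    alphabet = string.ascii_letters + string.digits + "-@#$"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, []):
            return candidate

if __name__ == "__main__":
    print(policy_violations("Password1!", []))
    print(generate_password())
```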
Layer 6: Physical Security
• Is the alarm system adequate?
• Is there enough control over who comes or goes from the building?
• Is the server room secure?
• Physical access to the computer will give a data thief the opportunity to disable passwords.
• Servers should be kept in a secure environment where only certain personnel have access.
• A solid brick room with a “strong room” type door is recommended.
• Are there:
  • Gates
  • Guards
  • Video
  • Guns
Layer 7: Policies, Procedures, and Awareness
• Policies, Procedures, Awareness. The overall governing principles of the security strategy of any organization. Without this layer, the entire strategy fails.
• Good written security policies and practices.
• Most important of all, it’s about actually enforcing the policies you create.
• Train all employees.
Thank You
Date: 27-4-2011