Introduction to Network Security November 20th, 2007 Presented by Aliza Bailey and Phil Ames
The Net is NOT the Web The Internet: TCP/IP, the “road” if you will that other protocols run on The Web: one of the “vehicles” that run on this road. Other vehicles would include email, chat programs, file transfer programs and protocols, etc.
Introducing… Your Network Exploits
Malware “A generic term for a number of different types of malicious code, which can include spyware, worms, viruses, etc., created with the intent of infiltrating a system without permission and causing destruction; also called ‘Computer Contaminants’”
Virus “A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active”
Trojans/Backdoors “A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.”
Keyloggers “Programs designed to log key strokes entered by a user on a machine. When used negatively, this information is transmitted to a remote location to collect the personal data”
Rootkits “A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network.”
Botnets “A collection of compromised, broadband-enabled PCs hijacked during a worm/virus attack and infected with software that links them to a server where they receive ‘instructions’ from a botnet controller. These are then used to participate in further virus/worm/spam assaults and Denial of Service attacks”
Denial of Service, aka DoS “An event or series of events that prevents a system or network from performing its intended function” This can come from a botnet or a more direct attack. In the basic sense, more packets or data are sent to a victim than the victim can handle and the system crashes.
Phishing & Spam “The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank the user is doing business with. Spam is any unwanted, unsolicited message. Spam is usually sent via email”
Breaking Down Barriers Eliminate the “Does not apply to me” attitude with users
Breaking Down Barriers • Users need to be active members of your “security team” as they are certainly members of your “network abuse” squad • Educate them now on proper security practices and their benefits before they have to learn the hard way • One compromised machine in a network is all that is needed to affect the entire network
Getting to Know Your Network You cannot defend what you do not understand.
Getting to Know Your Network • DOCUMENTATION IS KEY • Baseline your network and core devices • Port to Jack conversion list • MAC Address inventory • Static IP address list • Knowing where to go when an event occurs is absolutely necessary • Vendor information • Physical location of devices
Getting to Know Your Network • Understand the flow of traffic in your network • Ingress traffic • This is your inbound traffic • Egress traffic • This is your outbound traffic • Traceroutes • Is your network symmetrical? Do you have more than one internet presence? Are your packets traveling the correct route?
Getting to Know Your Network • RESEARCH YOUR PRODUCTS!!! • What Operating Systems live in your environment? • Understand any products you want to introduce into your network, including their purpose, placement, and your expectations • Create a test environment mirroring your production network to fully test new equipment
Defense in Depth Multiple layers are always better than one.
Defense in Depth • Proactive Defense • Preventing the fire from starting • Firewalls • Content Filtering • Intrusion Prevention Devices • Traffic engineering • Network Monitoring • Baselining your network and core devices • Acceptable use policies
Defense in Depth • Reactive Defense • Putting out the fires • Intrusion Detection Systems • System backups • Forensic based programs • Fport, nmap • Network Monitoring tools • TCPDump, WinDump, Ethereal, Snort
Defense in Depth Desktop Level
Defense in Depth • Antivirus • The “flu shot” of the security world • Antivirus is the most basic level of desktop security and should be present on all workstations, servers, laptops, etc. • This is not a replacement for better security practices. Definitions need constant updating to meet the ever-growing number of viruses present. The time between virus identification and definition distribution has shrunk as technology improves; however, the gap still exists
Defense in Depth • Anti-Spyware • Common programs available are Spybot and Ad-Aware, and most antivirus suites now include anti-spyware options • As with antivirus software, these programs require regular updates to remain effective
Defense in Depth • Host Based Firewalls • Windows XP comes standard with a firewall; there are also popular options such as ZoneAlarm, Norton Personal Firewall, BlackICE, McAfee Personal Firewall, etc. • Controls application access on machines, while network based firewalls control the data flow to the machine • Learning curve: end users usually need assistance in configuring the rules properly to avoid blocking legitimate applications
Defense in Depth • Physical Access • Login: All machines should require authentication to the box or domain controller, no guest accounts! • Removable storage: unless otherwise needed, removable storage like thumb drives should be restricted from being introduced to your network • Location: Are your servers open to be accessed by anyone? Is your file server sitting on your desk?
Defense in Depth • Passwords • Passphrases: easier to remember, can be “fun” and more personal • Special Characters, Numbers, Case sensitivity • Length: longer = better • Set a minimum password policy!
Defense in Depth • Patching & Updating • Set it and forget it! Setting up all machines to automatically download and install updates takes the guesswork out of it • Do not forget to patch and update all software used, not just the OS. This includes Microsoft Office, QuickTime, antivirus, anti-malware, etc.
Network Level Defense Border Patrol Keeping the bad guys from reaching your users
Network Level Defense • Router Security • Routers allow for finer-grained security measures to be implemented than their switch and hub brethren • Networks can be segregated by VLANs • Traffic can be engineered with access control lists
Network Level Defense • Router Security • Lock down access to the router • Always require a login, be it a local account, RADIUS authentication, etc. • Restrict access only to those networks/IP addresses that should be accessing the device • Do you access this router from outside your work network? • Do you only access this router from one particular workstation?
Network Level Defense • Router Security • Lock down port access • Restricting what can be plugged into your network and where reduces the occurrence of rogue routers/switches/hubs, wireless access points, and laptops • Usually accomplished by MAC address restrictions
Network Level Defense • Access Control Lists (ACLs) • A Standard ACL can restrict ingress and egress network traffic based upon the source IP, network, or subnet • An Extended ACL (Cisco) can restrict ingress and egress network traffic based upon source and destination networks, along with ports and protocols • Extremely important to map out EXACTLY what you want to allow/deny access to • As with Firewalls, better to maintain a “deny all, permit by exception” list
Network Level Defense • Routers apply lists sequentially in the order in which you type them into the router. • Routers apply lists to packets sequentially, from top down, one line at a time. • Packets are processed only until a match is made, and then they are acted upon based on the access list criteria contained in the matching access list statement. • Lists always end with an implicit deny. Routers discard any packets that do not match any of the access list statements. • Access lists must be applied to an interface as either inbound or outbound traffic filters. • Only one list per direction can be applied to an interface.
Network Level Defense Example: Restricting network access only to one network. Permits any IP in the 64.251.55.0/28 network to go anywhere, denies all else. (The list is numbered 100 throughout: the “permit ip … any” form is extended-ACL syntax, which the standard 1-99 range does not accept, and the number must match the one given to access-group.)
  ip access-list extended 100
   10 permit ip 64.251.55.0 0.0.0.15 any
   20 deny ip any any
  !
  interface Vlan2
   ip address 64.251.55.1 255.255.255.240
   ip access-group 100 in
   no ip unreachables
Applied INBOUND to the VLAN interface. Inbound means traffic coming into that interface from machines internal to your network.
Network Level Defense Example: Restricting traffic even more with extended ACLs
  ip access-list extended School_Security
   permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 eq smtp
   permit tcp 10.10.10.0 0.0.0.255 160.241.0.0 0.0.255.255 eq smtp
   deny tcp any any eq smtp
   deny udp any any eq snmp
   permit tcp 10.10.10.0 0.0.0.255 any eq www
   permit tcp 10.10.10.0 0.0.0.255 any eq 8888
   deny ip any any
This ACL allows SMTP access for the 10.10.10.0/24 network only to the two networks stated and denies SMTP to all others; SNMP over UDP is denied from everywhere. Next, access to WWW and TCP port 8888 is allowed, and nothing else. This example works in direct conjunction with our HTTPS proxy.
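To make the matching rules on the previous slides concrete (top-down, first match wins, wildcard masks, implicit deny at the end), here is an added evaluator for Cisco-style ACL lines; it is example code written for this page, not part of the presentation or of any vendor software, and it feeds the slide’s School_Security list through the same rules the router applies.

```python
import ipaddress

PORT_NAMES = {"smtp": 25, "snmp": 161, "www": 80}  # service names used on the slide

# Constructed sample input: the School_Security ACL from the slide above, verbatim,
# so the evaluator can be checked against the slide's own description of it.
SCHOOL_SECURITY_ACL = """
permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 eq smtp
permit tcp 10.10.10.0 0.0.0.255 160.241.0.0 0.0.255.255 eq smtp
deny tcp any any eq smtp
deny udp any any eq snmp
permit tcp 10.10.10.0 0.0.0.255 any eq www
permit tcp 10.10.10.0 0.0.0.255 any eq 8888
deny ip any any
"""

def _addr_matcher(tokens):
    """Consume 'any' or 'address wildcard' from tokens; return an IP predicate."""
    if tokens[0] == "any":
        del tokens[0]
        return lambda ip: True
    net = int(ipaddress.IPv4Address(tokens[0]))
    care = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF  # wildcard 1 = don't care
    del tokens[:2]
    return lambda ip: (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def _port_matcher(tokens):
    """Consume an optional 'eq <port>' clause; no clause means any port."""
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
        return lambda p: p == port
    return lambda p: True

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines, keeping their order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _addr_matcher(rest), _port_matcher(rest)
        dst, dport = _addr_matcher(rest), _port_matcher(rest)
        rules.append((line.strip(), action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port, src_port=0):
    """Top-down, first match wins ('ip' lines match every protocol); no match = implicit deny."""
    for line, action, p, src, sport, dst, dport in rules:
        if p in ("ip", proto) and src(src_ip) and sport(src_port) and dst(dst_ip) and dport(dst_port):
            return action, line
    return "deny", "<implicit deny>"
```

`evaluate` returns both the verdict and the line that produced it, which is the question to answer when a legitimate flow is unexpectedly blocked: which earlier line swallowed it.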
Network Level Defense • Firewalls • A firewall is similar to a wall around a city or a wall around a building. It can prevent traffic from going into or out of the city except through designated gates. Another term for these gates would be ports. For example, if you want someone to be able to send you email, you would open up a specific gate and email could get into your network.
Network Level Defense • Firewalls • Network Layer • Packet filtering usually based on source IP address, source port, destination IP address or port, destination service like WWW or FTP • Application Layer • Filters for applications, like XML/WWW/FTP, to provide more protection for the specified application • Proxies • May be used in a firewall fashion to hide internal networks
Network Level Defense • Wireless Security • Restrict access! No public access should be available • Disable SSID broadcasting • Restrict access to known users (by MAC) • ENCRYPT ENCRYPT ENCRYPT!!! • Even if you only use WEP, use it. • Consult your product documentation for instructions
“Best Practices” Summary • Document your network • Research your products • Inform and educate your users • Set a security policy and follow it • Be proactive or suffer the consequences of only reacting to events • Multiple layers of security: Network and Desktop • Passwords! • Patch and Update everything • Secure ALL wireless connections!!! • DENY ALL PERMIT BY EXCEPTION