Guide to TCP/IP, Third Edition

Chapter 9: Securing TCP/IP Environments

Objectives

· Understand basic concepts and principles for maintaining computer and network security
· Understand the anatomy of an IP attack
· Recognize common points of attack inherent in the TCP/IP architecture
· Understand how to maintain IP security and address IP security problems

Securing TCP/IP Environments

2

Objectives (continued)

· Understand security policies and recovery plans
· Understand new and improved security features in Windows XP Professional and Windows Server 2003
· Discuss the importance of honeypots and honeynets for network security

Understand Computer and Network Security

· Protecting a system or network means
  – Closing the door against outside attack
  – Protecting your systems, data, and applications from any sources of damage or harm
· The 2005 Computer Crime Survey
  – Virus and worm infections were among the top problems leading to financial loss

Principles of IP Security

· Physical security
  – Synonymous with "controlling physical access"
  – Should be carefully monitored
· Personnel security
  – Important to formulate a security policy for your organization
· System and network security includes
  – Analyzing the current software environment
  – Identifying and eliminating potential points of exposure

Understanding Typical IP Attacks, Exploits, and Break-Ins

· Basic TCP/IP protocols
  – Offer no built-in security controls
· Successful attacks against TCP/IP networks and services rely on two powerful weapons
  – Profiling or footprinting tools
  – A working knowledge of known weaknesses or implementation problems

Key Terminology in Network and Computer Security

· An attack
  – Some kind of attempt to obtain access to information
· An exploit
  – Documents a vulnerability
· A break-in
  – Successful attempt to compromise a system's security

Key Weaknesses in TCP/IP

· Ways in which TCP/IP can be attacked
  – Bad guys can
    · Attempt to impersonate valid users
    · Attempt to take over existing communications sessions
    · Attempt to snoop inside traffic moving across the Internet
    · Utilize a technique known as IP spoofing

Common Types of IP-Related Attacks

· DoS attacks
· Man-in-the-middle (MITM) attacks
· IP service attacks
· IP service implementation vulnerabilities
· Insecure IP protocols and services

What IP Services Are Most Vulnerable?

· Remote logon service
  – Includes the Telnet remote terminal emulation service, as well as the Berkeley remote utilities
· Remote control programs
  – Can pose security threats
· Services that permit anonymous access
  – Make anonymous Web and FTP services conspicuous targets

Holes, Back Doors, and Other Illicit Points of Entry

· Hole
  – Weak spot or known place of attack on any common operating system, application, or service
· Back door
  – Undocumented and illicit point of entry into an operating system or application
· Vulnerability
  – Weakness that can be accidentally triggered or intentionally exploited

The Anatomy of IP Attacks

· IP attacks typically follow a set pattern
  – Reconnaissance or discovery process
  – Attacker focuses on the attack itself
  – A stealthy attacker may cover their tracks by deleting log files or terminating any active direct connections

Reconnaissance and Discovery Processes

· PING sweep
  – Can identify active hosts on an IP network
· Port probe
  – Detects UDP- and TCP-based services running on a host
· Purpose of reconnaissance
  – To find out what you have and what is vulnerable

Reconnaissance and Discovery Processes (continued)

· The attack
  – May encompass a brute force attack process that overwhelms a victim
· Computer forensics
  – May be necessary to identify traces of an attacker winding his or her way through a system

Common IP Points of Attack

· Virus
  – Any self-replicating program that works for its own purposes
  – Classes
    · File infectors
    · System or boot-record infectors
    · Macro viruses

Worms

· A kind of virus that eschews most activity except as it relates to self-replication
· MSBlaster worm
  – Unleashed in August 2003
  – Exploited the RPC DCOM buffer overflow vulnerability in Microsoft Windows
· Hex reader
  – Lets you look inside suspect files without launching them

Trojan Horse Programs

· Masquerade as innocuous or built-to-purpose programs
· Conceal abilities that permit others to take over and operate unprotected systems remotely
· Must be installed on a computer system to run
· Back Orifice
  – Example of a Trojan horse program

Denial of Service Attacks

· Designed to interrupt or completely disrupt operations of a network device or communications
· SYN Flood attack
  – Uses the three-way TCP handshake process to overload a device on a network
· Broadcast amplification attack
  – Malicious host crafts and sends ICMP Echo Requests to a broadcast address
· Windows 2000 UPnP DoS attack
  – Specially crafted request packet is sent that causes services.exe to exhaust all virtual memory resources
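
The SYN Flood item says the handshake is used to overload a device; what a flood actually exhausts is the state a server keeps for handshakes it has answered with a SYN-ACK but the client never completed. The tracker below is an added example, not code from the textbook: it replays a constructed stream of handshake events (SYN, SYN-ACK, ACK) as a firewall or IDS would see them, counts half-open connections per server port, and alerts when they pile up. The event format, addresses, the limit of 4 half-open handshakes and the 30-second timeout are all assumptions chosen for illustration.

```python
"""Detect a SYN flood by counting half-open TCP handshakes per server port.

Added example (not from the textbook). Events are a constructed, simplified
view of the three-way handshake; thresholds are assumptions.
"""

HALF_OPEN_LIMIT = 4   # assumed: alert once a server port has this many unfinished handshakes

# Constructed events: (time_seconds, kind, client, server, server_port)
SAMPLE_EVENTS = [
    # a legitimate client completing the handshake
    (0.0, "SYN",    "192.0.2.50",  "192.0.2.10", 80),
    (0.1, "SYNACK", "192.0.2.50",  "192.0.2.10", 80),
    (0.2, "ACK",    "192.0.2.50",  "192.0.2.10", 80),
    # many SYNs whose (probably spoofed) sources never answer the SYN-ACK
    (1.0, "SYN",    "203.0.113.1", "192.0.2.10", 80),
    (1.0, "SYNACK", "203.0.113.1", "192.0.2.10", 80),
    (1.1, "SYN",    "203.0.113.2", "192.0.2.10", 80),
    (1.1, "SYNACK", "203.0.113.2", "192.0.2.10", 80),
    (1.2, "SYN",    "203.0.113.3", "192.0.2.10", 80),
    (1.2, "SYNACK", "203.0.113.3", "192.0.2.10", 80),
    (1.3, "SYN",    "203.0.113.4", "192.0.2.10", 80),
    (1.3, "SYNACK", "203.0.113.4", "192.0.2.10", 80),
    (1.4, "SYN",    "203.0.113.5", "192.0.2.10", 80),
    (1.4, "SYNACK", "203.0.113.5", "192.0.2.10", 80),
]


class HalfOpenTracker:
    """Counts handshakes the server answered (SYN-ACK sent) that the client never finished."""

    def __init__(self, limit=HALF_OPEN_LIMIT, timeout=30.0):
        self.limit = limit
        self.timeout = timeout      # seconds before an unanswered SYN-ACK is given up on
        self.half_open = {}         # (client, server, port) -> time the SYN-ACK was sent
        self.alerts = []            # (time, server, port, half_open_count)

    def _expire(self, now):
        """Drop half-open entries older than the timeout, as a real stack eventually does."""
        stale = [k for k, t in self.half_open.items() if now - t > self.timeout]
        for k in stale:
            del self.half_open[k]

    def half_open_count(self, server, port):
        return sum(1 for (_, s, p) in self.half_open if s == server and p == port)

    def feed(self, event):
        now, kind, client, server, port = event
        self._expire(now)
        key = (client, server, port)
        if kind == "SYNACK":
            self.half_open[key] = now       # server has committed state; handshake unfinished
        elif kind == "ACK":
            self.half_open.pop(key, None)   # handshake finished; this state is legitimate
        # A bare SYN changes nothing: the server only commits state when it answers.
        count = self.half_open_count(server, port)
        if kind == "SYNACK" and count >= self.limit:
            self.alerts.append((now, server, port, count))


def detect_syn_flood(events):
    """Run the events through a tracker in time order and return the alerts raised."""
    tracker = HalfOpenTracker()
    for ev in sorted(events):
        tracker.feed(ev)
    return tracker.alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(SAMPLE_EVENTS):
        print("half-open threshold exceeded:", alert)
```

The same observation drives the usual mitigation in real TCP stacks: SYN cookies let a server answer a SYN without storing any state until the final ACK arrives, so unfinished handshakes cost it nothing.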

Distributed Denial of Service Attacks

· DoS attacks launched from numerous devices
· DDoS attacks consist of four main elements
  – Attacker
  – Handler
  – Agent
  – Victim

Buffer Overflows/Overruns

· Exploit a weakness in many programs that expect to receive a fixed amount of input
· Adware
  – Opens the door for a compromised machine to display unsolicited and unwanted advertising
· Spyware
  – Unsolicited and unwanted software that
    · Takes up stealthy, unauthorized, and uninvited residence on a computer

Spoofing

· Borrowing identity information to hide or deflect interest in attack activities
· Ingress filtering
  – Applying restrictions to traffic entering a network
· Egress filtering
  – Applying restrictions to traffic leaving a network
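
Ingress and egress filtering are the standard border-router answer to IP spoofing (the practice written up in RFC 2827, BCP 38): a packet arriving from the Internet must not claim one of your own addresses, and a packet leaving must carry one of your own addresses. The policy check below is an added example, not code from the textbook; the internal prefix 192.0.2.0/24, the sample packets and the verdict strings are constructed for illustration, and the bogon list is only a subset of what a real router would carry.

```python
"""Ingress and egress filtering as a per-packet policy check at a border router.

Added example (not from the textbook). The internal prefix, sample packets
and verdict strings are constructed; the bogon list is a subset.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: the prefixes this site owns

# Sources that should never appear on a public link (private and special-use ranges, partial list).
NEVER_SOURCE = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(direction, src, dst):
    """direction is 'in' (from the Internet) or 'out' (to the Internet); returns (verdict, reason)."""
    src_ip = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)                 # validates the destination; not used for the decision
    internal_src = _in_any(src_ip, INTERNAL_NETS)
    if direction == "in":
        # Ingress: an outside packet claiming one of our own addresses is spoofed.
        if internal_src:
            return ("drop", "ingress: spoofed internal source")
        if _in_any(src_ip, NEVER_SOURCE):
            return ("drop", "ingress: private or bogon source")
        return ("accept", "ingress: ok")
    if direction == "out":
        # Egress: anything leaving must carry one of our own addresses, so a compromised
        # host inside cannot take part in spoofed attacks against other networks.
        if not internal_src:
            return ("drop", "egress: source is not ours")
        return ("accept", "egress: ok")
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample packets: (direction, src, dst)
SAMPLE_PACKETS = [
    ("in",  "203.0.113.9",  "192.0.2.10"),   # ordinary inbound traffic
    ("in",  "192.0.2.7",    "192.0.2.10"),   # outsider pretending to be one of our hosts
    ("in",  "10.1.2.3",     "192.0.2.10"),   # private source on the public link
    ("out", "192.0.2.10",   "203.0.113.9"),  # ordinary outbound traffic
    ("out", "198.51.100.5", "203.0.113.9"),  # inside host spoofing someone else's address
]


def apply_policy(packets):
    """Return the verdict for each packet, in order."""
    return [filter_packet(*p)[0] for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, apply_policy(SAMPLE_PACKETS)):
        print(pkt, "->", verdict)
```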

TCP Session Hijacking

· Purpose of an attack
  – To masquerade as an authorized user to gain access to a system
· Once a session is hijacked
  – The attacker can send packets to the server to execute commands, change passwords, or worse

Network Sniffing

· One method of passive network attack
  – Based on network "sniffing," or eavesdropping using a protocol analyzer or other sniffing software
· Network analyzers available to eavesdrop on networks include
  – tcpdump (UNIX)
  – EtherPeek (Windows)
  – Network Monitor (Windows)
  – AiroPeek Wireless (Windows)
  – Ethereal for Windows

Maintaining IP Security

· Microsoft security bulletins
  – May be accessed or searched through the Security Bulletins section at www.microsoft.com/security/default.mspx
· Essential to know about security patches and fixes and to install them
· Knowing which ports to block
  – Many exploits and attacks are based on common vulnerabilities

Recognizing Attack Signatures

· Most attacks have an attack signature
  – By which they may be recognized or identified
  – Signatures may be used to
    · Implement IDS devices
    · Configure network analyzer filters as well
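
The two kinds of recognition this chapter describes are easy to see side by side: the reconnaissance slide's PING sweep and port probe only show up when you keep state across many packets (one source touching many hosts, or many ports on one host), while an attack signature such as an ICMP Echo Request addressed to a subnet's broadcast address (the broadcast amplification attack) or a TCP segment with SYN and FIN set together is visible in a single packet. The analyzer below is an added example, not code from the textbook, covering both slides: it parses a constructed key=value firewall log, applies the two stateless signatures, and applies the two stateful thresholds. The log format, the monitored prefix 192.0.2.0/24, the sample lines and the thresholds (5 hosts, 6 ports) are all assumptions made for illustration.

```python
"""Recognize per-packet attack signatures and multi-packet reconnaissance in firewall logs.

Added example (not from the textbook). The log format, addresses and
thresholds are constructed assumptions, not a real product's format.
"""
import ipaddress
from collections import defaultdict

MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed: the network being watched
PING_SWEEP_HOSTS = 5   # assumed threshold: distinct hosts one source sends Echo Requests to
PORT_PROBE_PORTS = 6   # assumed threshold: distinct ports one source tries on one host

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8
SRC=203.0.113.9 DST=192.0.2.2 PROTO=ICMP TYPE=8
SRC=203.0.113.9 DST=192.0.2.3 PROTO=ICMP TYPE=8
SRC=203.0.113.9 DST=192.0.2.4 PROTO=ICMP TYPE=8
SRC=203.0.113.9 DST=192.0.2.5 PROTO=ICMP TYPE=8
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21 FLAGS=S
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=S
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23 FLAGS=S
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25 FLAGS=S
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=S
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=110 FLAGS=S
SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=143 FLAGS=SF
SRC=203.0.113.77 DST=192.0.2.255 PROTO=ICMP TYPE=8
SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=S
"""


def parse_line(line):
    """Turn 'KEY=VALUE KEY=VALUE ...' into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def stateless_signatures(rec):
    """Signatures decidable from one packet, the way an IDS rule or analyzer filter would."""
    hits = []
    dst = rec.get("DST")
    # Broadcast amplification: an Echo Request aimed at the subnet's directed broadcast address.
    if (rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "8" and dst
            and ipaddress.ip_address(dst) == MONITORED_NET.broadcast_address):
        hits.append("icmp-echo-to-broadcast")
    # SYN and FIN together never occur in a legitimate handshake; a classic scanner signature.
    flags = rec.get("FLAGS", "")
    if rec.get("PROTO") == "TCP" and "S" in flags and "F" in flags:
        hits.append("tcp-syn-fin")
    return hits


def analyze(log_text):
    """Return signature hits plus the sources that exceed the sweep and probe thresholds."""
    pinged = defaultdict(set)    # src -> hosts it sent Echo Requests to (PING sweep)
    probed = defaultdict(set)    # (src, dst) -> destination ports tried (port probe)
    signatures = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for name in stateless_signatures(rec):
            signatures.append((rec["SRC"], name))
        if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "8":
            pinged[rec["SRC"]].add(rec.get("DST"))
        elif rec.get("PROTO") == "TCP" and "S" in rec.get("FLAGS", ""):
            probed[(rec["SRC"], rec.get("DST"))].add(rec.get("DPT"))
    return {
        "signatures": signatures,
        "ping_sweeps": sorted(s for s, hosts in pinged.items() if len(hosts) >= PING_SWEEP_HOSTS),
        "port_probes": sorted(k for k, ports in probed.items() if len(ports) >= PORT_PROBE_PORTS),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The stateless checks are what you would express as an analyzer display filter or a one-packet IDS rule; the threshold checks need the counting state, which is why sweeps and probes are usually reported by an IDS or a log correlator rather than by a capture filter.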

Using IP Security

· RFC 2401 says the goals of IPSec are to provide the following kinds of security
  – Access control
  – Connectionless integrity
  – Data origin authentication
  – Protection against replays
  – Confidentiality
  – Limited traffic flow confidentiality
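
Of the six goals, "protection against replays" is the one whose mechanism is small enough to show whole. IPsec gives every packet a monotonically increasing sequence number and the receiver keeps a sliding bitmap window over the most recent numbers: anything newer than the window's high mark slides the window forward, anything inside the window is accepted once and then rejected as a replay, and anything older than the window is rejected outright. The class below is an added example written from scratch after the scheme RFC 2401 describes; it is not the textbook's code. It assumes the packet has already passed its integrity check (the window only decides whether an authenticated sequence number is new), and the window size of 32 and the sample sequence are constructed for illustration.

```python
"""IPsec-style anti-replay sliding window.

Added example (not from the textbook), following the bitmap-window scheme
RFC 2401 describes. Assumes integrity has already been verified; the window
size and the sample sequence are constructed.
"""


class AntiReplayWindow:
    def __init__(self, size=32):
        self.size = size
        self.highest = 0    # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0     # bit i set  =>  sequence number (highest - i) was received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            return False                        # sequence number 0 is never valid
        if seq > self.highest:
            # New high-water mark: slide the window forward by the difference.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                 # everything previously seen falls off the window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                        # too old: to the left of the window
        if self.bitmap & (1 << offset):
            return False                        # already received: this is a replay
        self.bitmap |= 1 << offset              # late but new: accept and remember it
        return True


def run_sequence(seqs, size=32):
    """Feed a list of sequence numbers through one window; return the accept/reject verdicts."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed sequence: in order, one reordered packet, a replay of 3, a jump far ahead,
# a late packet still inside the window, then one that has fallen off the left edge.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 40, 9, 41, 8]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_SEQS, run_sequence(SAMPLE_SEQS)):
        print(seq, "accepted" if ok else "rejected")
```

The window is what lets IPsec tolerate reordering on the network (4 arriving after 5 is fine) without ever accepting the same authenticated packet twice; the trade-off is that a packet delayed by more than the window size is discarded even though it is genuine.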

Protecting the Perimeter of the Network

· Important devices and services used to protect the perimeter of networks
  – Bastion host
  – Boundary (or border) router
  – Demilitarized zone (DMZ)
  – Firewall
  – Network address translation
  – Proxy server

Understanding the Basics of Firewalls

· Firewall
  – Barrier that controls traffic flow and access between networks
  – Designed to inspect incoming traffic and block or filter traffic based on a variety of criteria
  – Normally sits astride the boundary between a public network and the private networks inside an organization

Useful Firewall Specifics

· Firewalls usually incorporate four major elements:
  – Screening router functions
  – Proxy service functions
  – "Stateful inspection" of packet sequences and services
  – Virtual Private Network services

Commercial Firewall Features

· Address translation/privacy services
· Specific filtering mechanisms
· Alarms and alerts
· Logs and reports
· Transparency
· Intrusion detection systems (IDSs)
· Management controls

Understanding the Basics of Proxy Servers

· Proxy servers
  – Can perform "reverse proxying" to
    · Expose a service inside a network to outside users, as if it resides on the proxy server itself
· Caching
  – An important proxy behavior
· Cache
  – Potentially valuable location for a system attack

Planning and Implementing, Step by Step

· Useful steps when planning and implementing firewalls and proxy servers
  – Plan
  – Establish requirements
  – Install
  – Configure
  – Test
  – Attack
  – Tune
  – Implement
  – Monitor and maintain

Understanding the Test-Attack-Tune Cycle

· Attack tools
  – McAfee CyberCop ASaP
  – GNU NetTools
  – A port mapper such as AnalogX PortMapper
  – Internet Security Systems' various security scanners

Understanding the Role of IDS and IPS in IP Security

· Intrusion detection systems
  – Make it easier to automate recognizing and responding to potential attacks
· Increasingly, firewalls include
  – Hooks that allow them to interact with IDSs, or their own built-in IDS capabilities
· IPSs make access control decisions on the basis of application content

Updating Anti-Virus Engines and Virus Lists

· Because of the frequency of introduction of new viruses, worms, and Trojans
  – Essential to update anti-virus engine software and virus definitions on a regular basis
· Anti-virus protection
  – Key ingredient in any security policy

The Security Update Process

· Evaluate the vulnerability
· Retrieve the update
· Test the update
· Deploy the update

Understanding Security Policies and Recovery Plans

· Security policy
  – Document that reflects an organization's understanding of
    · What information assets and other resources need protection
    · How they are to be protected
    · How they must be maintained under normal operating circumstances

Understanding Security Policies and Recovery Plans (continued)

· RFC 2196 lists the following documents as components of a good security policy
  – An access policy document
  – An accountability policy document
  – A privacy policy document
  – A violations reporting policy document
  – An authentication policy document
  – An information technology system and network maintenance policy document

Windows XP and Windows Server 2003: Another Generation of Network Security

· Features that should help maintain tighter security
  – Kerberos version 5
  – Public Key Infrastructure (PKI)
  – Directory Service Account Management
  – CryptoAPI
  – Encrypting File System (EFS)
  – Secure Channel Security protocols (SSL 3.0/PCT)

Honeypots and Honeynets

· Honeypot
  – Computer system deliberately set up to entice and trap attackers
· Honeynet
  – Broadens the honeypot concept from a single system to what looks like a network of such systems

Summary

· An attack
  – An attempt to compromise the privacy and integrity of an organization's information assets
· In its original form, TCP/IP implemented an optimistic security model
· Basic principles of IP security
  – Include avoiding unnecessary exposure by blocking all unused ports
· Necessary to protect systems and networks from malicious code
  – Such as viruses, worms, and Trojan horses

Summary (continued)

· Would-be attackers
  – Usually engage in a well-understood sequence of activities, called reconnaissance and discovery
· Maintaining system and network security involves constant activity that must include
  – Keeping up with security news and information
· Keeping operating systems secure in the face of new vulnerabilities
  – A necessary and ongoing process

Summary (continued)

· When establishing a secure network perimeter
  – It is essential to repeat the test-attack-tune cycle
· To create a strong foundation for system and network security, formulate policy that incorporates
  – Processes, procedures, and rules regarding physical and personnel security issues
· Windows XP and Windows Server 2003 include
  – Notable security improvements and enhancements as compared to other Windows versions
