Introduction to Network Security - PowerPoint PPT Presentation

About This Presentation
Title: Introduction to Network Security
Slides: 44
Provided by: Husk1

Transcript and Presenter's Notes

1
Introduction to Network Security
November 20th, 2007
Presented by Aliza Bailey and Phil Ames
2
The Net is NOT the Web
The Internet: TCP/IP, the road, if you will,
that other protocols run on. The Web: one of the
vehicles that run on this road. Other vehicles
would include email, chat programs, file transfer
programs and protocols, etc.
3
Introducing Your Network Exploits
4
Malware
  • A generic term for a number of different types
    of malicious code; it can include spyware, worms,
    viruses, etc., created with the intent of
    infiltrating a system without permission and
    causing destruction. Also called Computer
    Contaminants.

5
Virus
  • A hidden, self-replicating section of computer
    software, usually malicious logic, that
    propagates by infecting - i.e., inserting a copy
    of itself into and becoming part of - another
    program. A virus cannot run by itself; it
    requires that its host program be run to make the
    virus active.

6
Trojans/Backdoors
  • A computer program that appears to have a useful
    function, but also has a hidden and potentially
    malicious function that evades security
    mechanisms, sometimes by exploiting legitimate
    authorizations of a system entity that invokes
    the program.

7
Keyloggers
  • Programs designed to log keystrokes entered by
    a user on a machine. When used maliciously, this
    information is transmitted to a remote location
    to collect the personal data.

8
Rootkits
  • A collection of tools (programs) that a hacker
    uses to mask intrusion and obtain
    administrator-level access to a computer or
    computer network.

9
Botnets
  • A collection of compromised, broadband-enabled
    PCs hijacked during a worm/virus attack and
    infected with software that links them to a
    server where they receive instructions from a
    botnet controller. These are then used to
    participate in further virus/worm/spam assaults
    and Denial of Service attacks

10
(No Transcript)
11
Denial of Service, aka DoS
  • An event or series of events that prevents a
    system or network from performing its intended
    function
  • This can come from a botnet or a more direct
    attack. In the basic sense, more packets or data
    is sent to a victim than the victim can handle
    and the system crashes.

12
Generic DoS
13
Phishing Spam
  • The use of e-mails that appear to originate from
    a trusted source to trick a user into entering
    valid credentials at a fake website. Typically
    the e-mail and the web site look like they are
    part of a bank the user is doing business with.
    Spam is any unwanted, unsolicited message. Spam is
    usually sent via email.
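A defender-side check for the link trick described above, added here as an example (it is not code from the original slides): it parses the anchors in an HTML message body and flags links whose visible text names one domain while the href points to another, links that lead to a bare IP address, and links that leave the claimed sender's domain. The sample message, the domain names in it and the two-label "registrable domain" heuristic are constructed assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url):
    """Hostname part of a URL; a bare 'www.example.com/x' is treated as http."""
    s = url.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    """Last two labels ('www.examplebank.com' -> 'examplebank.com').
    Simplification (assumption of this example): a real implementation
    would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html, sender_domain):
    """Return [(href, text, [reasons])] for links that warrant a closer look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        reasons = []
        if IPV4_RE.fullmatch(href_host):
            reasons.append("raw-ip")               # a bank does not link to a bare IP
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(0)) != registrable(href_host):
            reasons.append("text-href-mismatch")   # displayed URL differs from real target
        if registrable(href_host) != registrable(sender_domain):
            reasons.append("off-sender-domain")    # weaker signal: third-party link
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message for this example (not a real phishing mail).
SAMPLE_EMAIL = """\
<p>Dear customer, your account has been locked. Please verify it at
<a href="http://examplebank.com.login-verify.example.net/acct">https://www.examplebank.com/login</a>
within 24 hours. Questions? <a href="https://www.examplebank.com/contact">Contact us</a>.
Or use our <a href="http://192.0.2.10/secure">secure portal</a>.</p>
"""


def check_sample():
    """Run the check over the constructed message, claiming examplebank.com as sender."""
    return suspicious_links(SAMPLE_EMAIL, "examplebank.com")


if __name__ == "__main__":
    for href, text, reasons in check_sample():
        print(", ".join(reasons), "|", text, "->", href)
```

The first link is the classic case the slide describes: the text shows the bank's own address while the href goes to a domain that merely starts with the bank's name. The "off-sender-domain" reason fires for legitimate third-party links too, so treat it as a hint for a human reviewer rather than a verdict on its own.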

14
Breaking Down Barriers
  • Eliminate the "Does not apply to me" attitude
    with users

15
Breaking Down Barriers
  • Users need to be active members of your security
    team as they are certainly members of your
    network abuse squad
  • Educate them now on proper security practices and
    their benefits before they have to learn the hard
    way
  • One compromised machine in a network is all that
    is needed to affect the entire network

16
(No Transcript)
17
Getting to Know Your Network
  • You can not defend what you do not understand.

18
Getting to Know Your Network
  • DOCUMENTATION IS KEY
  • Baseline your network and core devices
  • Port to Jack conversion list
  • MAC Address inventory
  • Static IP address list
  • Knowing where to go when an event occurs is
    absolutely necessary
  • Vendor information
  • Physical location of devices
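As an added example of putting the MAC address inventory and static IP list to work (this is not code from the original presentation), the script below compares a documented inventory against the live neighbour table and reports devices that are not in the inventory, documented static hosts that show up at a different address, and documented static hosts that are absent. The CSV inventory, the `ip neigh show` lines and every address in them are constructed sample data, and the neighbour-table format is an assumption of this example.

```python
import csv
import io
import re

# Constructed sample data: the site's inventory as a CSV export, and the
# current neighbour table as printed by 'ip neigh show' on a Linux host
# sitting on the same VLAN.
INVENTORY_CSV = """\
mac,hostname,static_ip,location
00:1a:2b:3c:4d:5e,fileserver01,192.168.10.5,server room rack 2
00:1a:2b:3c:4d:60,printer-lib,192.168.10.20,library jack L-14
00:1a:2b:aa:bb:cc,lab-pc-07,,lab B jack B-07
"""

NEIGHBOUR_TABLE = """\
192.168.10.21 dev eth0 lladdr 00:1a:2b:3c:4d:60 STALE
192.168.10.77 dev eth0 lladdr 001a.2baa.bbcc REACHABLE
192.168.10.99 dev eth0 lladdr 02:00:5e:00:53:01 REACHABLE
"""


def normalize_mac(mac):
    """Canonical lower-case colon form; accepts 00:1A:..., 00-1a-... and
    Cisco-style 001a.2b3c.4d5e so inventory and switch output compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text):
    """Inventory rows keyed by normalised MAC address."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_mac(r["mac"]): r for r in rows}


NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)")


def parse_neighbours(text):
    """(ip, mac) pairs from 'ip neigh show' output; entries without lladdr are skipped."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            out.append((m.group(1), normalize_mac(m.group(2))))
    return out


def audit(inventory, observed):
    """Compare what is on the wire with what the documentation says should be there."""
    findings = []
    seen = set()
    for ip, mac in observed:
        seen.add(mac)
        entry = inventory.get(mac)
        if entry is None:
            findings.append(("unknown-device", ip, mac))       # not in the inventory at all
        elif entry["static_ip"] and entry["static_ip"] != ip:
            findings.append(("ip-mismatch", ip, mac))          # static host at the wrong address
    for mac, entry in inventory.items():
        if entry["static_ip"] and mac not in seen:
            findings.append(("missing-static-host", entry["static_ip"], mac))
    return findings


def run_audit():
    """Audit the constructed sample data; returns the list of findings."""
    return audit(load_inventory(INVENTORY_CSV), parse_neighbours(NEIGHBOUR_TABLE))


if __name__ == "__main__":
    for kind, ip, mac in run_audit():
        print(f"{kind:20} {ip:16} {mac}")
```

Hosts with an empty static_ip column are DHCP clients and are only checked for presence in the inventory, not for their address. The "location" column is what turns a finding into an action: with the port-to-jack list from the same slide, an unknown MAC can be traced to a physical jack.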

19
Getting to Know Your Network
  • Understand the flow of traffic in your network
  • Ingress traffic: this is your inbound traffic
  • Egress traffic: this is your outbound traffic
  • Traceroutes: Is your network symmetrical? Do you
    have more than one internet presence? Are your
    packets traveling the correct route?

20
Getting to Know Your Network
  • RESEARCH YOUR PRODUCTS!!!
  • What Operating Systems live in your environment?
  • Understand any products you want to introduce
    into your network, including their purpose,
    placement, and your expectations
  • Create a test environment mirroring your
    production network to fully test new equipment

21
Defense in Depth
  • Multiple layers are always better than one.

22
Defense in Depth
  • Proactive Defense: preventing the fire from starting
  • Firewalls
  • Content Filtering
  • Intrusion Prevention Devices
  • Traffic engineering
  • Network Monitoring
  • Baselining your network and core devices
  • Acceptable use policies

23
Defense in Depth
  • Reactive Defense: putting out the fires
  • Intrusion Detection Systems
  • System backups
  • Forensic based programs: Fport, nmap
  • Network Monitoring tools: TCPDump, WinDump, Ethereal, Snort

24
Defense in Depth
  • Desktop Level

25
Defense in Depth
  • Antivirus
  • The flu shot of the security world
  • Antivirus is the most basic level of desktop
    security and should be present on all
    workstations, servers, laptops, etc.
  • This is not a replacement for better security
    practices. Definitions need constant updating to
    keep up with the ever growing number of viruses.
    The time between virus identification and
    definition distribution has shrunk as technology
    improves; however, the gap still exists.

26
Defense in Depth
  • Anti-Spyware
  • Common programs available are Spybot and Ad-Aware,
    and most antivirus suites now include
    anti-spyware options
  • As with anti virus software, these programs
    require regular updates to remain effective

27
Defense in Depth
  • Host Based Firewalls
  • Windows XP comes standard with a firewall; there
    are also popular options such as ZoneAlarm,
    Norton Personal Firewall, BlackICE, McAfee
    Personal Firewall, etc.
  • Controls application access on the machine, while
    network based firewalls control the data flow to
    the machine
  • Learning curve: end users usually need
    assistance in configuring the rules properly to
    avoid blocking legitimate applications

28
Defense in Depth
  • Physical Access
  • Login: all machines should require
    authentication to the box or domain controller,
    no guest accounts!
  • Removable storage: unless otherwise needed,
    removable storage like thumb drives should be
    restricted from being introduced to your network
  • Location: are your servers open to be accessed
    by anyone? Is your file server sitting on your
    desk?

29
Defense in Depth
  • Passwords
  • Passphrases: easier to remember, can be fun
    and more personal
  • Special characters, numbers, case sensitivity
  • Length: longer is better
  • Set a minimum password policy!

30
(No Transcript)
31
Defense in Depth
  • Patching / Updating
  • Set it and forget it! Setting up all machines to
    automatically download and install updates takes
    the guesswork out of it
  • Do not forget to patch and update all software
    used, not just the OS. This includes Microsoft
    Office, QuickTime, antivirus, anti-malware, etc.

32
Network Level Defense
  • Border Patrol
  • Keeping the bad guys from reaching your users

33
Network Level Defense
  • Router Security
  • Routers allow for more precise security measures
    to be implemented than their switch and hub
    brethren
  • Networks can be segregated by VLANs
  • Traffic can be engineered with access control
    lists

34
Network Level Defense
  • Router Security
  • Lock down access to the router
  • Always require a login, be it a local account,
    RADIUS authentication, etc.
  • Restrict access only to those networks/IP
    addresses that should be accessing the device
  • Do you access this router from outside your work
    network?
  • Do you only access this router from one
    particular workstation?

35
Network Level Defense
  • Router Security
  • Lock down port access
  • Restricting what can be plugged into your network
    and where reduces the occurrence of rogue
    routers/switches/hubs, wireless access points,
    and laptops
  • Usually accomplished by MAC address restrictions

36
Network Level Defense
  • Access Control Lists (ACLs)
  • A Standard ACL can restrict ingress and egress
    network traffic based upon the source IP,
    network, or subnet
  • An Extended ACL (Cisco) can restrict ingress and
    egress network traffic based upon source and
    destination networks, along with ports and
    protocols
  • Extremely important to map out EXACTLY what you
    want to allow/deny access to
  • As with firewalls, it is better to maintain a
    deny-all, permit-by-exception list

37
Network Level Defense
Routers apply access lists in the order in which
you type the statements into the router: packets
are checked against the list sequentially, from the
top down, one line at a time. A packet is
processed only until a match is made, and it is
then acted upon based on the criteria in the
matching access list statement. Lists always end
with an implicit deny, so routers discard any
packet that does not match any of the access list
statements. Access lists must be applied to an
interface as either inbound or outbound traffic
filters, and only one list per direction can be
applied to an interface.
38
Network Level Defense
Example: Restricting network access to only one
network
Permits any IP in the 64.251.55.0/28 network to
go anywhere, denies all else:

  ! Standard ACL 99: matches on source address only.
  ! Wildcard 0.0.0.15 covers 64.251.55.0 through 64.251.55.15.
  ip access-list standard 99
   10 permit 64.251.55.0 0.0.0.15
   20 deny any
  !
  interface Vlan2
   ip address 64.251.55.1 255.255.255.240
   ! the list number here must be the list defined above
   ip access-group 99 in
   no ip unreachables

Applied INBOUND to the VLAN interface. Inbound
means traffic coming into that interface from
machines internal to your network.
39
Network Level Defense
Example: Restricting traffic even more with
extended ACLs

  ip access-list extended School_Security
   ! SMTP from the 10.10.10.0/24 LAN only to the two permitted networks
   permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 eq smtp
   permit tcp 10.10.10.0 0.0.0.255 160.241.0.0 0.0.255.255 eq smtp
   ! all other SMTP, and all SNMP, is dropped
   deny tcp any any eq smtp
   deny udp any any eq snmp
   ! web (port 80) and TCP port 8888 are allowed to anywhere
   permit tcp 10.10.10.0 0.0.0.255 any eq www
   permit tcp 10.10.10.0 0.0.0.255 any eq 8888
   ! explicit catch-all; the implicit deny would apply anyway
   deny ip any any

This ACL will allow SMTP access for the
10.10.10.0/24 network only to the two networks
stated and deny all others. Next, access to WWW and
TCP port 8888 is allowed, nothing else. This
example works in direct conjunction with our
HTTPS proxy.
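To make the evaluation rules from the previous slide concrete, here is an added example (not code from the original slides) that parses the two access lists shown above and applies them to sample packets the way the text describes: top down, first match wins, implicit deny at the end. It also reports entries that can never match because an earlier entry already covers them, which is the usual symptom of a mis-ordered list. The port-name table, the sample packets and the `shadowed` helper are assumptions of this example, and only contiguous wildcard masks are supported.

```python
import ipaddress

# Port names used on the slides (an assumption of this example; IOS knows many more).
PORT_NAMES = {"smtp": 25, "www": 80, "snmp": 161, "ftp": 21, "ssh": 22, "https": 443}
PROTOCOLS = ("ip", "tcp", "udp", "icmp")


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard')
    from the front of the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask
    # (0.0.0.15 -> 255.255.255.240); only contiguous masks are handled here.
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse IOS-style ACL lines into (action, proto, src_net, dst_net, dst_port).
    Accepts 'ip access-list ...' headers, optional sequence numbers, numbered
    'access-list N ...' lines, and both standard (source-only) and extended entries."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "remark") or tokens[:2] == ["ip", "access-list"]:
            continue
        if tokens[0] == "access-list":      # 'access-list 99 permit ...'
            tokens = tokens[2:]
        if tokens[0].isdigit():             # optional sequence number
            tokens = tokens[1:]
        action, rest = tokens[0], tokens[1:]
        if rest[0] in PROTOCOLS:            # extended entry: protocol, source, destination
            proto = rest[0]
            src, rest = _parse_addr(rest[1:])
            dst, rest = _parse_addr(rest)
        else:                               # standard entry: source only
            proto = "ip"
            src, rest = _parse_addr(rest)
            dst = ipaddress.ip_network("0.0.0.0/0")
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, dport))
    return rules


def evaluate(rules, src_ip, dst_ip, proto="ip", dport=None):
    """Walk the list top-down; the first matching entry decides.
    Returns (action, index); index None means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(rules):
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, i
    return "deny", None


def shadowed(rules):
    """Indexes of entries that can never match because an earlier entry
    already covers everything they would match."""
    out = []
    for i, (_, p, s, d, port) in enumerate(rules):
        for _, ep, es, ed, eport in rules[:i]:
            if ep in ("ip", p) and s.subnet_of(es) and d.subnet_of(ed) and eport in (None, port):
                out.append(i)
                break
    return out


# The two lists from the slides, as text.
STANDARD_99 = """\
ip access-list standard 99
 10 permit 64.251.55.0 0.0.0.15
 20 deny any
"""

SCHOOL_SECURITY = """\
ip access-list extended School_Security
 permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 eq smtp
 permit tcp 10.10.10.0 0.0.0.255 160.241.0.0 0.0.255.255 eq smtp
 deny tcp any any eq smtp
 deny udp any any eq snmp
 permit tcp 10.10.10.0 0.0.0.255 any eq www
 permit tcp 10.10.10.0 0.0.0.255 any eq 8888
 deny ip any any
"""

if __name__ == "__main__":
    rules = parse_acl(SCHOOL_SECURITY)
    # Constructed sample packets: (source, destination, protocol, destination port).
    for pkt in [("10.10.10.5", "10.20.0.1", "tcp", 25),
                ("10.10.10.5", "198.51.100.9", "tcp", 25),
                ("10.10.10.5", "198.51.100.9", "tcp", 443)]:
        print(pkt, "->", evaluate(rules, *pkt))
```

Running it shows why order matters: SMTP to 10.20.0.1 is permitted by the first entry, SMTP to an outside host falls through to the "deny tcp any any eq smtp" entry, and HTTPS to an outside host reaches the final "deny ip any any". Put that final entry first and `shadowed` reports every other entry as unreachable.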
40
Network Level Defense
  • Firewalls
  • A firewall is similar to a wall around a city or
    a wall around a building. It can prevent traffic
    from going into or out of the city except through
    designated gates. Another term for these gates
    would be ports. For example, if you want someone
    to be able to send you email, you would open up a
    specific gate and email could get into your
    network.

41
Network Level Defense
  • Firewalls
  • Network Layer
  • Packet filtering usually based on source IP
    address, source port, destination IP address or
    port, destination service like WWW or FTP
  • Application Layer
  • Filters for applications, like XML/WWW/FTP, to
    provide more protection for the specified
    application
  • Proxies
  • May be used in a firewall fashion to hide
    internal networks

42
Network Level Defense
  • Wireless Security
  • Restrict access! No public access should be
    available
  • Disable SSID broadcasting
  • Restrict access to known users (by MAC)
  • ENCRYPT ENCRYPT ENCRYPT!!!
  • Even if you only use WEP, use it.
  • Consult your product documentation for
    instructions

43
Best Practices Summary
  • Document your network
  • Research your products
  • Inform and educate your users
  • Set a security policy and follow it
  • Be proactive or suffer the consequences of only
    reacting to events
  • Multiple layers of security: Network and Desktop
  • Passwords!
  • Patch and Update everything
  • Secure ALL wireless connections!!!
  • DENY ALL PERMIT BY EXCEPTION