Title: Network Intrusion
Slide 1: Network Intrusion And Its Countermeasures
Tao Chen, April 2, 2002
Slide 2: Agenda
- Danger of Intrusion
- Intrusion Technique Analysis
- Network Intrusion Countermeasures
- Intrusion Detection and Response Technology
- Proactive Prevention Technology
- People and Organization Issues
- Conclusion
- Q & A
Slide 3: The Danger of Intrusion
Here are some examples of hacked web sites. Let's guess their correct site names.
Slide 4: The Danger of Intrusion
www.whitehouse.gov was owned by global hell, 5/10/99. Source: http://www.paybackproductions.com/hackedsites/whitehouse/
Slide 5: The Danger of Intrusion
ABC receives the wrath of ulg (united loan gunmen), 8/20/99. Source: http://www.paybackproductions.com/hackedsites/abc/
Slide 6: The Danger of Intrusion
International Association for Counterterrorism and Security Professionals, 9/9/99. Source: http://www.paybackproductions.com/hackedsites/iacsp/
Slide 7: The Danger of Intrusion
(Source: http://www.nwfusion.com/news/2000/0209attack.html)
Slide 8: Intrusion Technique Analysis
- Concepts of Intrusion
- Intrusion Sources
- Analysis of Some Intrusion Methodologies
Slide 9: Intrusion Technique Analysis
- Concepts of Intrusion
- According to Techdictionary.com, intrusion is any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource [1].
- Computer Security Intrusion is any event of unauthorized access or penetration to an automated information system [2].
Slide 10: Intrusion Technique Analysis
- Intrusion Sources
- Outside Intruders
- They come from outside our network. They may attack externally facing systems, such as web servers and e-mail servers. They may also attempt to go through firewalls to attack systems inside the internal network. Outside intruders may attack from the Internet or from a business partner's network that is linked to the business's private network.
- Inside Intruders
- They are authorized to use our internal network. They can be employees, contractors, part-time workers, even vendors and consultants. Inside intruders may abuse their own privileges or use the privileges of other people.
Slide 11: Intrusion Technique Analysis
- Analysis of Some Intrusion Techniques
- Physical Intrusion
- The most effective and dangerous intrusion method is to get physical access to the system. Once intruders can access a system physically, they can use the keyboard of the machine. They can even remove data storage subsystems, like tape drives or hard disk drives, or attach devices that collect information from the system, such as network sniffers.
- Network Intrusion
- Network intrusion is the most common intrusion method on the Internet. Intruders attempt to compromise the security mechanism of a system and access the information in the system over the network.
Slide 12: Intrusion Technique Analysis
- Analysis of Some Intrusion Techniques
- Network Intrusion
- Port Scan
- A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides [3]. Network intruders often use port scans to learn about targets and find out which ports are open and which services sit behind them. It is one of the most common techniques intruders use to find potential problems and weaknesses of the target system.
- Special Codes
- The intruder can create malicious programs to invade a system without compromising the security mechanism of the system.
- Examples are logic bombs, worms, backdoors, viruses and Trojan horses.
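The port-scan passage above describes what the scanner does; the defender's side of it is noticing the scan in connection logs. The following is an added example, not code from the original slides: it assumes a constructed, space-separated log format (timestamp, source, destination, destination port, TCP flags) and flags any source that touches many distinct ports on one host within a short window, which is the signature of a scan rather than of normal client traffic.

```python
"""Port-scan detection over connection-log lines.

Added example, not part of the original slides. The log format and the
sample lines are constructed for illustration:
    <epoch-seconds> <src-ip> <dst-ip> <dst-port> <tcp-flags>
"""
from collections import defaultdict

# Constructed sample: 10.0.0.9 probes ten ports on 192.0.2.10 within a few
# seconds; 10.0.0.5 is an ordinary web client hitting 80 and 443.
SAMPLE_LOG = """\
1000 10.0.0.5 192.0.2.10 80 S
1001 10.0.0.5 192.0.2.10 80 S
1002 10.0.0.9 192.0.2.10 21 S
1002 10.0.0.9 192.0.2.10 22 S
1002 10.0.0.9 192.0.2.10 23 S
1003 10.0.0.9 192.0.2.10 25 S
1003 10.0.0.9 192.0.2.10 53 S
1003 10.0.0.9 192.0.2.10 80 S
1004 10.0.0.9 192.0.2.10 110 S
1004 10.0.0.9 192.0.2.10 143 S
1005 10.0.0.9 192.0.2.10 443 S
1006 10.0.0.9 192.0.2.10 3306 S
1050 10.0.0.5 192.0.2.10 443 S
"""


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def detect_port_scans(log_text, window=10, port_threshold=8):
    """Return {(src, dst): sorted_ports} for every source/destination pair
    where the source contacted at least `port_threshold` distinct ports on
    that host inside any `window`-second span. A sliding window over the
    sorted timestamps keeps the check linear in the number of events."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _flags = parse_line(line)
        events[(src, dst)].append((ts, port))

    scanners = {}
    for pair, hits in events.items():
        hits.sort()
        best = set()
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until the window spans at most `window` s.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= port_threshold:
            scanners[pair] = sorted(best)
    return scanners


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"probable scan from {src} against {dst}: ports {ports}")
```

The threshold and window are tuning knobs: too low and a busy legitimate client (a monitoring host, a load balancer's health checks) is flagged; too high and a slow scan spread over minutes slips through. A real deployment would also count hosts per source, since a horizontal sweep of one port across many machines is the other common scan shape.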
Slide 13: Intrusion Technique Analysis
- Analysis of Some Intrusion Techniques
- Network Intrusion
- Software bugs
- A software bug is an error or defect in software that causes a program to malfunction [4]. Network intruders can use these bugs to invade a computer system.
- Improper System Configuration
- Most systems ship with a configuration defined by the vendor. These default configurations may have many unnecessary services and features installed. If system administrators do not change the defaults to remove unnecessary accounts and services, intruders may use those default accounts and services to invade the system.
Slide 14: Intrusion Technique Analysis
- Analysis of Some Intrusion Techniques
- Network Intrusion
- Crack Password
- Intruders look for default passwords, weak passwords and unencrypted passwords. If they cannot find such passwords on a system, they may use password-cracking utilities to recover the plaintext of the stored encrypted passwords.
- Sniff unsecured traffic
- Packet sniffing is the interception and copying of data packets sent through a shared network medium, like Ethernet and the Internet. If intruders can install a sniffer on a network, they can see the network traffic of everyone on it. If that traffic is not encrypted, the intruders can read everyone's information.
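The three password weaknesses listed above (defaults, weak choices, and clear-text storage) each have a direct countermeasure on the defending side. The code below is an added example, not from the original slides: the default-password list, minimum length and iteration count are constructed for illustration. It rejects known defaults and short passwords at enrollment, and stores only a salted PBKDF2-HMAC-SHA256 digest, so a copied credential file yields no passwords directly and every guess a cracking utility makes costs it the full iteration count.

```python
"""Password policy and salted-hash storage (added example, not from the slides).

Everything below is standard-library Python. The default list, length
minimum and iteration count are constructed values for illustration.
"""
import hashlib
import hmac
import os

# Constructed list of factory-default credentials an audit should refuse.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678", "default"}
MIN_LENGTH = 12
ITERATIONS = 200_000  # raises the cost of each offline guess


def check_policy(password):
    """Return None if the password is acceptable, otherwise the reason it is not."""
    if password.lower() in DEFAULT_PASSWORDS:
        return "matches a known default password"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def hash_password(password):
    """Produce a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user defeats precomputed tables and makes two
    users with the same password store different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so response timing leaks nothing about how
    many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def enroll(password):
    """Apply the policy, then store only the hash. Returns (record, error)."""
    problem = check_policy(password)
    if problem:
        return None, problem
    return hash_password(password), None


if __name__ == "__main__":
    for candidate in ("admin", "short1", "correct horse battery staple"):
        record, error = enroll(candidate)
        print(candidate, "->", error or record)
```

Because the record carries its own iteration count, the cost can be raised later and old records re-hashed on the user's next successful login without a format change.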
Slide 15: Intrusion Technique Analysis
- Analysis of Some Intrusion Techniques
- Network Intrusion
- Attack Server Side Script
- CGI scripts can be another security hole. Scanning a web site for CGI programs is almost as popular as port scanning. A broad-spectrum scanner is used to enumerate hundreds of CGI programs that have known vulnerabilities. If a vulnerable CGI program is found, it will be exploited in order to break into the server [5].
- IP Spoofing
- Spoofing is the creation of TCP/IP packets using somebody else's IP address [6]. By using another computer's IP address, or a non-existent address, as the source IP address, an intruder can make the packet look as if it was sent from a location other than its real origin. In this way intruders can make themselves hard to trace, because the false source IP address makes it difficult to trace the packets back to them.
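The spoofing passage above explains why a forged source address is hard to trace. The usual countermeasure at the network border is ingress and egress filtering: a router cannot verify who sent a packet, but it can drop packets whose source address is impossible for the interface they arrived on. The following is an added example, not from the original slides, with all prefixes constructed for illustration; `filter_packet` and `audit` are names chosen here.

```python
"""Anti-spoofing (ingress/egress) filter for a border device.

Added example, not part of the original slides. Inbound packets claiming an
internal source, inbound packets from ranges that never appear on the
Internet, and outbound packets whose source is not one of our own prefixes
are dropped. Prefixes and sample packets are constructed.
"""
import ipaddress

# Address space assigned to our own network (constructed).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.0.2.0/24")]

# Ranges that can never be a legitimate source on the Internet link.
BOGON_PREFIXES = [ipaddress.ip_network("0.0.0.0/8"),
                  ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("169.254.0.0/16")]


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def filter_packet(direction, src_ip):
    """Return (verdict, reason). direction is 'inbound' for packets arriving
    from the Internet and 'outbound' for packets leaving our network."""
    addr = ipaddress.ip_address(src_ip)
    if direction == "inbound":
        if _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "external packet claims an internal source address"
        if _in_any(addr, BOGON_PREFIXES):
            return "drop", "source address is in a bogon range"
        return "accept", "plausible external source"
    if direction == "outbound":
        if not _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "outbound packet with a source address we do not own"
        return "accept", "source belongs to our prefixes"
    raise ValueError("direction must be 'inbound' or 'outbound'")


# Constructed packet headers: (direction, source, destination).
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.7", "192.0.2.10"),    # ordinary Internet client
    ("inbound", "10.1.2.3", "192.0.2.10"),       # forged internal source
    ("inbound", "127.0.0.1", "192.0.2.10"),      # loopback cannot arrive from outside
    ("outbound", "192.0.2.44", "198.51.100.9"),  # our own host talking out
    ("outbound", "198.51.100.4", "203.0.113.7"), # forged source leaving our network
]


def audit(packets):
    """Apply the filter to a batch and return the dropped entries with reasons."""
    dropped = []
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src)
        if verdict == "drop":
            dropped.append((direction, src, dst, reason))
    return dropped


if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS):
        print("DROP", entry)
```

The outbound rule is the one that protects other people: a network that refuses to emit packets with foreign source addresses cannot be used as a launch point for spoofed traffic, and a dropped outbound packet is a strong signal that a host inside has been compromised.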
Slide 16: Intrusion Technique Analysis
- What do hackers do after intrusion?
- Remove logs
- Intruders remove the system logs that recorded their actions on the system so that the system administrator cannot detect the intrusion.
- Install Sniffer
- They install a sniffer on servers or networking devices to collect network traffic and gather further data and information.
- Install Trojan horse
- They also install Trojan horse software so that they can easily access and remotely control the system later.
- Do other harmful things
- They may also do other harmful things to the system, such as removing data, modifying data, installing computer viruses or stealing information.
Slide 17: Network Intrusion Countermeasures
Intrusion Detection And Response Technology
Proactive Prevention Technology
Integrated Network Intrusion Countermeasure Solution
People and Organization Issues
There are three main components involved in intrusion countermeasures. First, intrusion detection technology is used to detect intrusion attempts and existing intrusions. Second, proactive prevention technology can be implemented to reduce the chance of being intruded. Third, people and organization are critical to a successful intrusion response: any advanced technology is useless if people and the organization do not pay attention to information system security issues. Therefore, an Integrated Network Intrusion Countermeasure Solution is proposed in order to increase the chance of a successful intrusion response.
Slide 18: Network Intrusion Countermeasures
- Intrusion Detection and Response Technology
- Signature recognition
- The idea of signature recognition is as follows: misuse intrusions are attacks on known weak points of a system. An IDS looks for this type of attack by comparing network traffic with signatures of known attacks [7]. To detect intrusions, signature recognition needs a collection of patterns describing the different attacks. It is just like antivirus software, which detects certain patterns or signatures in files to discover computer viruses.
- Anomaly detection
- Anomaly detection techniques assume that all intrusive activities are necessarily anomalous. This means that if we could establish a normal activity profile for a system, we could, in theory, flag all system states varying from the established profile by statistically significant amounts as intrusion attempts [8].
- Anomaly detection technology tracks network activity in order to distinguish normal activities from abnormal activities.
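The two detection strategies on this slide are easiest to compare when both run over the same data. The block below is an added example, not from the original slides: it applies three constructed attack signatures to a constructed set of web-server records (client address, request path), and separately builds a "normal activity profile" from constructed per-client request counts and flags clients whose count is statistically far above it. The signature base, baseline numbers and sample records are all invented for illustration.

```python
"""Signature recognition and anomaly detection side by side.

Added example, not part of the original slides. Both detectors run over a
constructed set of web-server records of the form (client_ip, request_path);
the signature base and the baseline profile are invented for illustration.
"""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Signature recognition: patterns for known attacks. A production IDS
# carries thousands of these; three are enough to show the mechanism.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "phf CGI probe": re.compile(r"/cgi-bin/phf\b"),
    "SQL tautology": re.compile(r"'\s*or\s+'1'\s*=\s*'1", re.IGNORECASE),
}

# Anomaly detection: per-client request counts observed on normal days,
# used to build the "normal activity profile" the slide describes.
BASELINE_COUNTS = [3, 2, 4, 2, 3, 5, 2, 3]

# Constructed records for one observation period: a few ordinary clients,
# three requests that match signatures, and one client that is far busier
# than normal without matching any signature.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/index.html"),
    ("10.0.0.5", "/about.html"),
    ("10.0.0.6", "/index.html"),
    ("10.0.0.6", "/cgi-bin/phf?name=x"),
    ("10.0.0.7", "/login?user=admin'%20or%20'1'='1"),
    ("10.0.0.8", "/../../etc/passwd"),
] + [("10.0.0.9", f"/page{i}.html") for i in range(40)]


def signature_alerts(requests):
    """Return (client_ip, signature_name) for every record that matches a
    known-attack pattern. Paths are URL-decoded first so that percent
    encoding does not hide a match."""
    alerts = []
    for ip, path in requests:
        decoded = unquote(path)
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((ip, name))
    return alerts


def build_profile(counts):
    """Summarise normal behaviour as (mean, sample standard deviation)."""
    return statistics.mean(counts), statistics.stdev(counts)


def anomaly_alerts(requests, profile, z_threshold=3.0):
    """Return {client_ip: z_score} for clients whose request count lies more
    than z_threshold standard deviations above the profile mean. Nothing
    here knows what an attack looks like, only what normal looks like:
    that is why it can catch the unknown, and why it needs a trustworthy
    baseline collected while the system was clean."""
    mean, sd = profile
    flagged = {}
    for ip, n in Counter(ip for ip, _ in requests).items():
        if sd == 0:
            z = 0.0 if n == mean else float("inf")
        else:
            z = (n - mean) / sd
        if z > z_threshold:
            flagged[ip] = round(z, 1)
    return flagged


if __name__ == "__main__":
    for alert in signature_alerts(SAMPLE_REQUESTS):
        print("signature:", alert)
    profile = build_profile(BASELINE_COUNTS)
    for ip, z in anomaly_alerts(SAMPLE_REQUESTS, profile).items():
        print(f"anomaly: {ip} z={z}")
```

Note what each detector misses: the signature matcher says nothing about 10.0.0.9, because nothing it requested is on the list, and the anomaly detector says nothing about the three single-request attackers, because one request is perfectly normal volume. That complementarity is the reason real deployments run both.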
Slide 19: Network Intrusion Countermeasures
- Detection and Response Technology
- Securing system logs
- After breaking into a system, an intruder usually changes the system log to remove traces of the intrusion attempts and activities. One way to protect system logs is to use a remote, dedicated log server that is protected by a firewall and runs only the logging function, with all other services disabled [9]. A secure, clean copy of the system log can then be used to analyze intrusion activities.
- Regular System Check
- Regular system checks are an effective way to find intrusion attempts and intrusion activities. Some examples are:
- Check system log files
- Check system binaries
- Check for packet sniffers
- Check for unauthorized services
- Check for unusual hidden files
Slide 20: Network Intrusion Countermeasures
- Detection and Response Technology
- File Integrity Check
- It checks whether important system files have been modified, removed or deleted.
- Example: GFI Software LANguard File Integrity Checker
Slide 21: Network Intrusion Countermeasures
- Detection and Response Technology
- Common methods used to respond to network intrusions
- Isolate the intruded system and service
- Install the latest patches on the system
- Keep a record of the intrusion
- Records indicate the vulnerabilities in the system and help system administrators correct these errors and holes. They also provide hints for responding to new intrusions, because system administrators can learn from previous solutions. Thirdly, the intrusion records provide evidence for legal action against intruders.
- Trace the source of the attack
- Example: SHARP Technology's Hack Tracer 1.2
- Demo: http://www.sharptechnology.com/bh-cons.htm
Slide 22: Network Intrusion Countermeasures
- Proactive Prevention Technology
- The main idea is to fix system errors and holes proactively and to implement technologies that improve the security level of the system.
- Port scanning
- System administrators can use port scanning to find security holes and weaknesses in their own systems and then fix them.
- Example: GFI Software LANguard Network Scanner
Slide 23: Network Intrusion Countermeasures
Example: GFI Software LANguard Network Scanner
Slide 24: Network Intrusion Countermeasures
- Proactive Prevention Technology
- Firewall
- Honeypots [10]
- Honeypots are programs that simulate one or more network services on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine.
- Log access attempts to those ports, including the attacker's keystrokes.
- Provide warning of a future attack.
- Run on well-known servers, such as Web, mail or DNS servers.
Slide 25: Network Intrusion Countermeasures
- Proactive Prevention Technology
- Authentication
- Authorization
- Encryption
- VPN
Slide 26: Network Intrusion Countermeasures
- People and Organization Issues
- Management Support
- The management team should understand how important system security is to a successful business and how much it would cost if the system were broken into and important business data were lost. Their support helps allocate more resources to system security and intrusion response.
- Policies and Procedures [11]
- Policies and supporting procedures help people prepare for intrusions and give them the ability to respond effectively. With predefined policies and procedures, people know what they should do before, during and after an intrusion.
- Technical Training
- The IT department and end users need sufficient knowledge of intrusion detection and intrusion response technology.
Slide 27: Conclusion
- Network intrusion is a threat to online business.
- An integrated solution is proposed:
Intrusion Detection And Response Technology
Proactive Prevention Technology
Integrated Network Intrusion Countermeasure
Solution
People and Organization Issues
Slide 28: Thank you!
Slide 29: References
[1] Techdictionary.com, Search By Term: Intrusion
[2] Techdictionary.com, Search By Term: Intrusion
[3] http://whatis.techtarget.com/definition/0,289893,sid9_gci214054,00.html
[4] http://www.pcwebopedia.com/TERM/b/bug.html
[5] http://www.networkice.com/Advice/Underground/Hacking/Methods/Technical/CGI/default.htm
[6] http://www.networkice.com/Advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm
[7] http://www.messageq.com/security/meinel_2.html
[8] http://www.acm.org/crossroads/xrds2-4/intrus.html
[9] http://project.honeynet.org/papers/enemy2/
[10] http://www.sans.org/newlook/resources/IDFAQ/honeypot.htm
[11] http://www.cert.org/security-improvement/practices/p044.html