Securing Your LAN - PowerPoint PPT Presentation
1
Securing Your LAN
  • An Interactive Discussion on the security issues
    facing Systems Administrators at Illinois State
    University

Presented by the Technology Support Advisory
Consortium (TSAC), www.ilstu.edu/tsac
2
Presenters
  • Scott Genung, Manager, Network Support Services
  • Peter Juvinall, LAN Administrator, College of
    Business
  • Eric Hodges, Manager, Systems Support Office
  • Randy Hill, LAN Administrator, Computer
    Infrastructure Support Services

3
Overview
  • Why we are here: 4 Case Studies
  • Different categories of concerns
  • Systems Administrator duties
  • Server Firewalls
  • Campus resources: what help is available
  • Reporting Procedures
  • On-Line Resources
  • Where do we go from here? Discussion

4
I Love You Virus
  • May 4, 2000
  • Conversations started late morning
  • Our users started receiving messages by noon
  • Early confusion regarding effect of virus: Delete
    all non-locked files? Only execute upon
    reboot? Overwrite certain files?
  • 4 users executed virus attachment

5
I Love You Virus
  • Sent e-mail to all users; started phone tree
  • Formed three internal working groups: Assessment,
    Response, Communications
  • Quickly figured out that afternoon: what the virus
    actually did; McAfee DAT updates were not
    current; one execution of the virus deleted 1800 JPGs

6
I Love You Virus
  • That evening after work, set out to 400
    PCs: update McAfee Engine, AutoUpdate
  • Lessons Learned
  • AutoUpdate dependent on Engine level
  • User Education about suspect attachments
  • Backups really are that important
  • Keys: could not get into 6 offices that evening
  • Teamwork was critical to our response

7
I Love You Virus
  • 2 Years Later: What's changed
  • Better virus protection at server levels
  • AutoUpdates and AutoUpgrades on PCs
  • User awareness and caution are much higher
  • We now have 130 keys!

8
BoxWorm.Poison
  • Received e-mail messages from web admins stating
    that our web server was attacking
  • Interrogating logs revealed IIS exploit and
    payload dropped off
  • Worm waits for list of sites to attack
  • Watched NIC object on Netmon
  • Installed Zone Alarm and saw the traffic
    immediately drop

9
BoxWorm.Poison
  • Lessons Learned
  • MS O/S patch already existed
  • Patch, once installed, protected against Code Red
    (which released a week later)
  • Configuring Firewall software for the first time,
    under time pressure, is not fun

10
COB FTP Exploit
  • Server: Win2k, IIS, 60GB data partition
  • Reviewing logs of newly constructed server
  • Discovered 58GB of 60GB used
  • Server being used as a Zero Day server

11
COB FTP Exploit
  • Immediate Actions
  • Shut down FTP, WWW, Terminal Services
  • Removal of data
  • Analysis of logs to determine origin of attack
    and duration
  • BlackIce Defender to further fine-tune access

12
COB FTP Exploit
  • Discoveries and Long-Term Actions
  • Attackers had compromised server 2 weeks prior
    (just after server was built)
  • Attackers used a common IIS exploit (IIS had not
    been patched)
  • Updated IIS patches; sent logs to attacker's ISP

13
COB FTP Exploit
  • Lessons Learned
  • IIS patches must be kept current!
  • Special consideration should be given to servers
    with special access (e.g. Terminal Services)

14
COB FTP Exploit Part II
  • A week later, discovered 45GB/60GB used on a
    second web server
  • Another Zero Day incident
  • Immediately assumed same attackers compromised
    2nd box
  • Further analysis revealed that different
    attackers used an open FTP virtual server to
    compromise the system

15
COB FTP Exploit Part II
  • Immediate Actions
  • Shut down all FTP Services
  • Ensured that IIS patches up-to-date
  • Shut down and removed virtual FTP server
  • Reaffirmed no anonymous FTP policy
  • Analysis of FTP logs

16
COB FTP Exploit Part II
  • Long Term Actions
  • Find a long-term action for exchanging large
    files (other than anonymous FTP)
  • Consistent review of server logs and usage

17
Overview
  • Why we are here: 3 Case Studies
  • Different categories of concerns
  • Systems Administrator duties
  • Server Firewalls
  • Campus resources: what help is available
  • Reporting Procedures
  • On-Line Resources
  • Where do we go from here? Discussion

18
Categories of Concern
  • Agent
  • Virus
  • Worm
  • Port Redirection
  • Port Scanner
  • Reconnaissance
  • DDoS
  • Buffer Overflow
19
Virus
  • Small program written to alter the way a
    computer operates
  • It must execute itself
  • It must replicate itself
  • McAfee is primary means to detect and clean

20
Worm
  • Operates very much like a virus, but replicates
    itself without a host file
  • Worms usually release a document that already has
    a copy of the worm macro inside it
  • McAfee is primary means to detect and clean

21
Agent
  • An agent is a piece of code that runs in memory
    and either continuously executes a set of
    instructions or waits for instructions from an
    outside source
  • Use firewall software temporarily and O/S patches
    to permanently fix

22
Port Scanner
  • Port Scanners methodically check for open ports
    on systems
  • In a 24-hour study, Telecom detected 100,000 port
    scan attempts against on-campus systems
  • O/S patches and Firewalls can help protect systems

23
Reconnaissance
  • Ping sweep in a targeted address space seeking a
    reachable host
  • Determines O/S and version through scans
  • Launches scripted attacks using known
    vulnerabilities of that platform
  • Firewalls can protect against Reconnaissance

24
Distributed Denial of Service
  • DDoS
  • Designed to saturate network links with spurious
    data
  • Can overwhelm Internet circuits causing
    legitimate traffic to be dropped
  • IP address spoofing typically used to hide source
  • Directed broadcasting is a means for generating
    the highest volume
  • Rootkits are installed after host is exploited to
    hide DoS agent
  • Code Red
  • O/S patches and Firewalls protect against DDoS

25
Buffer Overflow
  • Specialized code built to overflow the buffers of
    a particular application and then execute custom
    code

26
Port Redirection
  • Allows traffic entering a compromised machine on
    a particular port (e.g. Port25/SMTP) to be redirected
    to a different machine on a different port
    (e.g. Port25/Telnet)
  • Allows an attacker to exploit trust relationships
    to circumvent the firewall for all hosts once a
    single host is controlled

27
Overview
  • Why we are here: 3 Case Studies
  • Different categories of concerns
  • Systems Administrator duties
  • Server Firewalls
  • Campus resources: what help is available
  • Reporting Procedures
  • On-Line Resources
  • Where do we go from here? Discussion

28
Web/FTP Servers
  • Limit Intranet sites by IP address ranges
  • SSL (Secure Socket Layer)
  • Ensure critical updates routinely applied
  • Disable FTP service if not needed
  • Disable anonymous access on FTP

29
E-Mail Servers
  • Disable e-mail relays
  • Scan and quarantine viruses at server
  • Disable unused protocols (POP, IMAP, etc.)

30
Specific to Windows Servers
  • Event Viewer
  • Log ALL failed access attempts
  • Windows Update for critical updates
  • Netmon
  • McAfee AutoUpdate and AutoUpgrade
  • Share-level vs file-level permissions
  • Default permissions for new shares

31
Specific to Windows Servers
  • Hide some shares from Network Browsers
  • Remove/disable Guest account(s)
  • Rename administrator account
  • Consider private IP addresses
  • Stay current on security patches
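The two Windows-server slides above are a checklist. As an added example (not part of the TSAC deck), the script below audits a server against those items and returns one finding per failed check. It assumes a current Windows host with the LocalAccounts and SmbShare modules, an elevated session, and English-language auditpol output.

```powershell
# Audit a Windows server against the slide-30/31 checklist; one finding per failed item.
# Assumes an elevated session on a current Windows host (LocalAccounts + SmbShare modules).
function Test-LanServerBaseline {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Item, $Detail) {
        $findings.Add([pscustomobject]@{ Item = $Item; Detail = $Detail })
    }

    # "Log ALL failed access attempts": the Logon subcategory must audit failures.
    # auditpol /r emits CSV; the "Inclusion Setting" column reads e.g. "Success and Failure".
    $logon = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
    if ($logon.'Inclusion Setting' -notmatch 'Failure') {
        Add-Finding 'Audit policy' 'Logon subcategory does not audit failed logons'
    }

    # "Remove/disable Guest account(s)": the built-in Guest always carries RID 501.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-501' }
    if ($guest -and $guest.Enabled) { Add-Finding 'Guest account' 'enabled' }

    # "Rename administrator account": the built-in admin always carries RID 500,
    # so check the name behind that RID rather than searching for "Administrator".
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }
    if ($admin.Name -eq 'Administrator') {
        Add-Finding 'Administrator account' 'still uses the default name'
    }

    # "Share-level vs file-level permissions", "Default permissions for new shares",
    # "Hide some shares": flag Everyone on either ACL and list shares visible to browsing.
    foreach ($share in Get-SmbShare | Where-Object { $_.Path }) {
        $shareAcl = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if ($shareAcl) {
            Add-Finding "Share $($share.Name)" "Everyone:$($shareAcl.AccessRight) at share level"
        }
        $ntfsAcl = (Get-Acl -Path $share.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if ($ntfsAcl) {
            Add-Finding "Share $($share.Name)" "Everyone allowed in NTFS ACL on $($share.Path)"
        }
        if ($share.Name -notlike '*$') {
            Add-Finding "Share $($share.Name)" 'visible to network browsing (no trailing $)'
        }
    }
    return $findings
}

Test-LanServerBaseline | Format-Table -AutoSize
```

The "visible share" finding is a review prompt rather than a defect: the deck says to hide some shares, not all of them.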

32
Overview
  • Why we are here: 3 Case Studies
  • Different categories of concerns
  • Systems Administrator duties
  • Server Firewalls
  • Campus resources: what help is available
  • Reporting Procedures
  • On-Line Resources
  • Where do we go from here? Discussion

33
Server Firewalls
  • Protects shared resources
  • Inspects packets, blocking hostile ports
  • Allows harmless data to pass
  • Logs packets of interest; extended logging
    options available
  • Popular Software Applications
  • Black Ice Defender
  • Zone Alarm
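The slide describes what a server firewall should do rather than how to set one up. As an added example (not from the deck, and using the built-in Windows Defender Firewall in place of BlackIce or ZoneAlarm), the script below configures default-deny inbound, narrow allow rules, logging of dropped packets, and a summary of what was dropped. The rule names, ports and address ranges are placeholders.

```powershell
# Added example: host firewall behaving as the slide describes. Assumes an elevated
# session on Windows Server 2012 or later; address ranges below are placeholders.
$logPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Default-deny inbound on every profile, log dropped packets, and raise the log
# size for the "extended logging" the slide mentions.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogAllowed False `
    -LogFileName $logPath -LogMaxSizeKilobytes 32767

# "Allows harmless data to pass": only the services this server is meant to offer,
# and only from the networks that should reach them (an intranet web host here).
$campusRanges = @('10.0.0.0/8')            # placeholder: campus address space
$rules = @(
    @{ Name = 'Intranet HTTPS'; Port = 443;  From = $campusRanges },
    @{ Name = 'Admin RDP';      Port = 3389; From = @('10.10.10.0/24') }  # placeholder admin subnet
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $r.From -Action Allow -Profile Domain | Out-Null
    }
}

# "Blocking hostile ports": an explicit block beats any allow rule, so the legacy
# services the deck says to switch off stay unreachable even if re-enabled.
if (-not (Get-NetFirewallRule -DisplayName 'Block FTP/Telnet/NetBIOS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block FTP/Telnet/NetBIOS' -Direction Inbound `
        -Protocol TCP -LocalPort 21,23,139 -Action Block | Out-Null
}

# "Logs packets of interest": summarise inbound drops by source and destination port.
# Log fields: date time action protocol src-ip dst-ip src-port dst-port ... path
function Get-DroppedInbound {
    param([string]$Path = [Environment]::ExpandEnvironmentVariables($logPath), [int]$Top = 10)
    Get-Content -Path $Path | Where-Object { $_ -match '^\d' } |
        ForEach-Object {
            $f = $_ -split ' '
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'RECEIVE') {
                [pscustomobject]@{ Source = $f[4]; DstPort = $f[7] }
            }
        } | Group-Object Source, DstPort | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}
Get-DroppedInbound
```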

34
Overview
  • Why we are here: 3 Case Studies
  • Different categories of concerns
  • Systems Administrator duties
  • Server Firewalls
  • Campus resources: what help is available
  • Reporting Procedures
  • On-Line Resources
  • Where do we go from here? Discussion

35
Campus Resources
  • Network Support Services (TNSS)
  • Computer Infrastructure Support Services (CISS)
  • Administrative Information Systems (AIS)

36
Campus Resources TNSS
  • What TNSS DOES do
  • Access to campus and Internet resources
  • Means for exchanging on and off-campus traffic
  • Protects campus network infrastructure from
    security vulnerabilities
  • Protects services such as DNS, DHCP, AAA
  • Authentication mechanisms for accessing campus
    network
  • Maintains authentication logs for dialup,
    wireless, VPN
  • Maintains registration logs for DHCP, ResNet

37
Campus Resources TNSS
  • What TNSS Does NOT do
  • Support desktop or server-based O/Ss
  • Research desktop or server-based vulnerabilities
  • Protect desktop or server-based platforms from
    local or external security vulnerabilities

38
Campus Resources TNSS
  • ISUnet Security Countermeasures
  • Protect the network and infrastructure components
    from being targets of known threats. For
    example
  • IP address spoofing
  • Directed broadcasting
  • Session hijacking
  • TCP SYN attacks
  • These countermeasures do not address host security

39
Campus Resources TNSS
  • Perimeter Firewalling
  • Blocking application sockets at edge routers
  • Between campus network and ISPs
  • Major security vulnerabilities as defined by CERT
  • Examples: NetBIOS/IP, SNMP, RSH
  • ACLs
  • Perimeter, deny
  • Syslogging
  • No filtering takes place inside the campus
    firewall
  • e.g. LAN, ResNet, ADSL, Dialup, VPN Clients

40
Campus Resources TNSS
  • Authentication
  • Challenge users for login and password to
    validate access to campus network
  • Encryption where appropriate
  • Examples
  • Dialup
  • DHCP registration (soon to be changing)
  • Wireless (authentication and encryption)
  • VPN (authentication and encryption)

41
Campus Resources CISS
  • Campus E-Mail Server (mail.ilstu.edu)
  • VBS attachments replaced with text file
  • Campus Web Server (www.ilstu.edu)
  • SSL LDAP authentication on select sites
  • Campus FTP Server (ftp.ilstu.edu)
  • On-Campus IP required to access /pub/ilstu
  • Datastore
  • Nightly anti-virus sweep of all files
  • Nightly Backup of ALL central systems

42
Campus Resources AIS
  • Responsible for a majority of the University's
    critical, sensitive business information
  • Assists in the development of University policy
    concerning Security Awareness
  • Works with data custodians to ensure data
    integrity and confidentiality

43
Overview
  • Why we are here: 3 Case Studies
  • Different categories of concerns
  • Systems Administrator duties
  • Server Firewalls
  • Campus resources: what help is available
  • Reporting Procedures
  • On-Line Resources
  • Where do we go from here? Discussion

44
Reporting Procedures
  • Report confirmed incidents to the Appropriate Use
    Committee
  • E-Mail: abuse@ilstu.edu
  • Members: Connie Barling, AIS
  • David Greenfield, STSS

45
Reporting Procedures
  • Details to include in the report
  • Nature of incident
  • Source of attack (on-campus, off-campus)
  • Burden of Proof
  • Sample messages
  • Relevant logs
  • Full e-mail headers (where appropriate)

46
Reporting Procedures
  • If you contact the attacker's ISP, please carbon copy
    abuse@ilstu.edu
  • If an on-campus system was broken into, but no
    specific allegation is being made, contact
    abuse@ilstu.edu as a courtesy

47
Overview
  • Why we are here: 3 Case Studies
  • Different categories of concerns
  • Systems Administrator duties
  • Server Firewalls
  • Campus resources: what help is available
  • Reporting Procedures
  • On-Line Resources
  • Where do we go from here? Discussion

48
On-Line Resources
  • LAN Coordinators Standards Guidelines:
    http://www.policy.ilstu.edu/fiscal/lan_coordinators.htm
    (being updated this semester)
  • Security: http://www.ais.ilstu.edu/security
  • Unisog Listserv: email to unisog-subscribe@sans.org

49
Overview
  • Why we are here: 3 Case Studies
  • Different categories of concerns
  • Systems Administrator duties
  • Server Firewalls
  • Campus resources: what help is available
  • Reporting Procedures
  • On-Line Resources
  • Where do we go from here? Discussion

50
Discussion Topics
  • How do you educate users regarding McAfee Updates
    and Upgrades and Security Patches on their HOME
    PCs?
  • How do you handle situations where users infect
    work PCs by sending mail from home?
  • Common practices
  • Common safeguard strategies
  • Common response strategies
  • Common communications strategies
  • Dedicated campus-level personnel to help Systems
    Admins

51
Securing Your LAN
  • Presentation and handouts on-line at
  • TSAC's Web Site
  • http://www.ilstu.edu/tsac
