Network Security - PowerPoint PPT Presentation

Slides: 60
Provided by: georgejp1
Transcript and Presenter's Notes


1
Network Security
  • 12 November 2003
  • By george

2
Background
  • Things Of Value/Valuable Information
  • Digital Cash (EFT)
  • Capabilities
  • Good Name
  • Status In Community/Prestige
  • Status With Clients
  • Status With Customers
  • Status With Employees

3
Security
  • The Quality Or State Of Being Secure
  • A: Freedom From Danger: SAFETY
  • B: Freedom From Fear Or Anxiety
  • C: Freedom From The Prospect Of Being Laid Off

4
Financial Instruments
  • 2 Something Given, Deposited, Or Pledged To
    Make Certain The Fulfillment Of An Obligation
    (Security Deposit)
  • 3 An Evidence Of Debt Or Of Ownership (As A
    Promissory Note, Stock Certificate Or Bond)

5
4. Something That Secures: PROTECTION
  • (1) Measures Taken To Guard Against Loss Or
    Injury
  • (2) An Organization Or Department Whose Task Is
    Security

6
Working Definitions (1)
  • Information Security: The generic name for the
    collection of tools designed to protect data and
    to thwart break-ins.
  • (Stallings, William. Cryptography and Network
    Security, Prentice Hall, 1999)
  • Security Attack: Any attack that compromises the
    security of information owned by an organization.
  • Security Mechanism: A mechanism that is designed
    to detect, prevent or recover from a security
    attack.
  • Security Service: A service that enhances the
    security of information systems and the
    information transfers of an organization. The
    services are intended to counter security
    attacks, and they make use of one or more
    security mechanisms to provide the service.

7
Why Security (1): Griggs Anderson/Gartner Group
Study
  • Reduce Costs
  • Security Investments Resulted In An Average
    Annual Savings Of 426,000.
  • Enhancing Employee Productivity
  • Preventing Security Intrusions
  • Recovery Costs From Damage:
  • Lost Data
  • Lost Productivity
  • Hours Devoted To Correcting Problems
  • Loss Of Prestige/Public Image, Customer And
    Investor Confidence

8
Why Security (2)
  • Protecting US And What We Have
  • Keeping The Network Systems Secure
  • Protecting Systems
  • Protecting That Which Resides On The System
  • Protecting That Which Transits On The System
  • Due Diligence
  • Most Damages Are Preventable
  • Under A Solid Security Strategy And
  • A Well-planned Implementation.

9
"I Love You" Computer Virus
  • More Than 7 Billion In Damage Worldwide.
  • Damaged PC Hard Drives And Caused Preemptive
    Shutting Down Of Company Servers.
  • "There Has Been Little Widespread Interest In
    Proactive Network Security, At Least Not Until
    The 'D.DOS' And 'I Love You' Viruses Made
    Headlines."
  • (Chuck Adams, Manager Of Cisco Secure Consulting
    Services)
  • Reality:
  • It Usually Takes A Direct Network Compromise To
    Motivate.
  • Fire Can Burn You
  • 7 Ps

10
Security is Priority 1
Source: Baird, Jan 2002
11
Areas of Vulnerability
  • Computer Security Institute/FBI Computer Crime
    and Security Survey 2001

12
Enabling Internet-based Business Processes
  • Online procurement
  • Secure Document Delivery
  • Large IP Files (design docs, etc)
  • Billing and payment
  • Personnel communications
  • Pay-stubs, 401k statements, retirement and
    benefits
  • Dissemination of confidential information
  • Health, Justice, Tax or other personal/business
    info. (Pin-code distribution)

They all require secure transmission of
information
13
The Changing Face of Security
  • (Deutsche Banc Alex. Brown, May 2001)

14
Working Definitions (2)
  • Virus: Code that copies itself into other
    programs.
  • Payload: Harmful things a malicious program does,
    after it has had time to propagate.
  • Worm: Program that replicates itself across the
    network, usually riding on email messages or
    attached documents (e.g., macro viruses).
  • Trojan Horse: Instructions in an otherwise good
    program that cause bad things to happen (sending
    your data or password to an attacker over the
    net).
  • Logic Bomb: Malicious code that activates on an
    event (e.g., a date).
  • Trap Door (or Back Door): Undocumented entry
    point written into code for debugging that can
    allow unwanted users.
  • Easter Egg: Extraneous code that does something
    cool. A way for programmers to show that they
    control the product.

15
Types Of Security Threats
  • (a) Normal Flow
  • (b) Interruption: An asset of a system becomes
    unavailable or unusable.
  • (c) Interception: Some unauthorized party has
    gained access to an asset.
  • (d) Modification: Some unauthorized party not
    only gains access to, but also tampers with, an
    asset.
  • (e) Fabrication: Some unauthorized party
    fabricates objects on a system. [3]

16
IT Security Principles
  • Principle of Easiest Penetration
  • An intruder must be expected to use any
    available means of penetration. This is not the
    most obvious means, nor is it the one against
    which the most solid defense has been installed.
  • Principle of Adequate Protection
  • Computer Items must be protected only until they
    lose their value. They must be protected to a
    degree consistent with their value.

17
Types Of Security Attacks
  • Passive Threats
  • Release of Message Contents
  • Traffic Analysis
  • Active Threats
  • Masquerade
  • Replay
  • Modification of Message Contents
  • Denial of Service

18
Model For Network Security
  • (1) A message is transferred from one party
    (Principal) to another.
  • (2) A logical information channel is established
    between the two Principals by the cooperative use
    of some protocol, e.g. TCP/IP.
  • (3) Goal is to provide the secure transmission of
    information from Opponents.
  • (4) A trusted third-party may be needed for
    secure transmissions.

19
Model For Network Access Security
  • (1) Gatekeeper functions include Password-based
    login authentications.
  • (2) Various internal controls that monitor
    activity and analyze stored information in an
    attempt to detect the presence of unwanted
    intruders.

20
Security Strategy (60,000-Foot View)
  • Requires
  • Identifying Threats
  • Choosing The Most Effective Set Of Tools
  • Awareness
  • Training
  • Hardware
  • Software
  • Procedures
  • Policies

21
Recognizing Security
  • Risk: Possibility Of Loss Or Injury; Peril
  • Risk Combines Threat And Vulnerability
  • Threat: Possibility To Inflict Evil, Injury, Or
    Damage
  • Vulnerability: Open To Attack Or Damage

22
Threats To Network Security
  • Attacks
  • Reconnaissance Attacks
  • Access Attacks
  • Denial-of-service Attacks
  • Data Interception/Alteration
  • Eavesdropping On Communications
  • Altering Data Packets Being Transmitted
  • Social Engineering

23
Threats To Network Security
  • Malicious Code
  • Malicious People
  • Error
  • Human Actions
  • Programming
  • Maintenance

24
Vulnerabilities
  • Weaknesses Exploitable By
  • Bad Guys
  • Insiders And Outsiders
  • Bad Things
  • Malicious Code
  • Environmental Events
  • Negligence
  • Management
  • Labor

25
Network Security Tools (1)
  • Antivirus Software Packages
  • Secure Network Infrastructure
  • Switches And Routers
  • Dedicated Network Security Hardware And Software
  • Firewalls And Intrusion Detection Systems Provide
    Protection For All Areas Of The Network And
    Enable Secure Connections.

26
Network Security Tools (2)
  • Virtual Private Networks
  • Networks Providing Access Control And Data
    Encryption Between Two Different Computers On A
    Network Or Across The Internet.
  • Allows Remote Workers To Connect To The Network
    Without The Risk Of A Hacker Or Thief
    Intercepting Data.
  • Identity Services
  • Help To Identify Users And Control Their
    Activities And Transactions On The Network.
    Includes Passwords, Digital Certificates, And
    Digital Authentication Keys.
  • Encryption
  • Ensures Messages Cannot Be Understood By Anyone
    Other Than The Authorized Recipient.
  • Security Management Ties And Holds It All
    Together

27
Deployment Considerations And Questions
  • Strategy
  • Understanding Network Security Needs And
    Objectives
  • Gaining The Support Of Senior Management (ROI)
  • Identifying Most Critical Applications, Most
    Likely Threats, And Acceptable Level Of Risk.
  • Process
  • Clearly Define The Methods And Practice For
    Implementing A Network Security Solution.
  • Where Are We
  • Where Do WE Need To Go
  • The Plan To Get There (May Include Radical
    Change)
  • People
  • Training, Organizational Culture, And
    Organizational Structure Must Support Your
    Security Strategy And Goals.
  • Security Staff Having The Skills, Equipment, And
    Accesses To Implement An Effective Security
    Solution.
  • Technology
  • Reliable, Scalable, Accessible, And Manageable
    Computer Networks, Applications, Tools And
    Interoperability
  • Service And Support
  • This One Gets Me: Buying The System But Not The
    Updates/Support, Etc.

28
Timeline (TPFD)
  • Business Assessment And Strategy Development
  • Where Are We And Where Do We Need To Go
  • Getting It Accepted Into The Business Strategy
  • Evaluate And Select Technology
  • Prioritize Criteria: Interoperability,
    Scalability, Performance, Etc.
  • Build, Model, And Test
  • A Forgotten Art
  • Train
  • Full Deployment

29
A New Reality On Security
  • No One Approach Alone Is Sufficient To Protect A
    Network
  • Layered Together Can Provide A Highly Effective
    Process In Keeping A Network Safe From Attacks
    And Other Threats.
  • Well-thought-out Corporate Policies Are Critical
    To Determine And Control Access To Various Parts
    Of The Network.
  • Defense In Depth

30
Success Measurements
  • The Absence Of Intrusions And Attacks.
  • Not Always A Good Measure
  • Better Metrics
  • Reduced Costs For Connectivity,
    Telecommunications Infrastructure, And
    Maintenance
  • Employee Productivity Improvement
  • Customer Confidence In Your Business's Network
    Security
  • Partner And Employee Confidence
  • Business Continuance And Maintained Viability

31
How Do Intruders Get In?
  • Physical Intrusion: Console Passwords, Disk
    Removal, Etc.
  • System Intrusion: Hacker Has A Low Privilege
    Account On The System And Uses A Tool That
    Exploits A Weakness To Gain System Privilege.
  • Remote Intrusion: Gains Access Via A Remote
    Service On The System.

32
Software Vulnerability Types
  • Race Conditions: 2 Programs Accessing The Same
    Data At The Same Time.
  • Software Bugs: Buffer Overflows
  • Unexpected Combinations: Input Is Meaningless At
    1 Level But Not At Another.
  • Unhandled Input: What Happens When Input Doesn't
    Match Specifications.

33
System Configuration
  • Default Vendor-Shipped Configurations
  • Lazy Sysadmins: Too Lazy To Tighten The System.
  • Hole Creation: Most Programs Can Run In
    Non-secure Mode.
  • Trust Relationships: One System Trusts Another.
    R-commands Are An Example.

34
Sniffers And Design Flaws
  • Shared Medium: Base Ethernet
  • Server: Sniffer Runs On The Server. Works On
    Switched Nets.
  • Remote: SNMP Based
  • TCP/IP Protocol Flaws: Smurf, Synflood, IP
    Spoofing. IP Allows Data To Be Changed Anytime.
    IPSEC Is A Fix.
  • System Flaws: Windows, Unix

35
How Do They Get Passwords?
  • Clear Text Passwords
  • Encrypted Sniffing
  • Replay Attack: The Intruders Don't Decrypt The
    Passwords. They Use The Encrypted Form To Log In
    To The Systems.
  • Password File Stealing
  • Observation/Social Engineering: The "Piece Of
    Paper" Attack
  • Look In Top Left Drawer
  • Read Sticky Note Attached To Monitor

36
Intrusion Steps
  • Outside Reconnaissance: Whois, DNS, WWW, FTP
  • Inside Reconnaissance: Ping Sweep, Inverse
    Mapping, Port Scanning, Rpcinfo, Showmount,
    Snmpwalk.
  • Exploit: Exploiting Vulnerabilities Discovered
    Earlier.

37
Intrusion Steps
  • Foothold: Gained Entrance Into The Machine And
    Now Starts To Hide The Evidence. Install
    Rootkits, Trojans.
  • Profit: Taking Advantage Of The Entry, The
    Hacker Now Goes After The Real Target:
    Information, Credit Card Info, Etc.
  • Joyride: Systems Used In A Relay Attack.

38
Common Reconnaissance Scans And DoS Attacks
  • Ping Sweeps
  • TCP/UDP Scans
  • OS Identification
  • Account Scans
  • Ping Of Death
  • SYN Flood
  • Land
  • DDoS

39
How Do NIDS Detect Intrusions?
  • Anomaly Detection: Measures A Baseline Of Stats
    Like CPU Utilization, Disk Activity, User Logins,
    File Activity. NIDS Triggers When A Deviation
    From This Baseline Occurs.
  • Signature Recognition: Pattern Matching Attack
    Probes. Uses Large Databases To Detect The
    Attack. Antiviral Software Uses This. Works Only
    For Known Attacks.

40
Matching Signatures With Incoming Traffic
  • NIDS Consists Of A Special TCP/IP Stack That
    Reassembles Datagrams And TCP Streams. It Uses:
  • Protocol Stack Verification: Search For Protocol
    Violations (SYN/FIN, Etc.)
  • Application Protocol Verification
  • New Event Creation: Log All Application Layer
    Protocols For Later Correlation.
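
The protocol-stack verification and new-event steps above, as an added example that is not part of the original slides: a small parser for the fixed TCP header, a check for flag combinations no conforming stack sends (the SYN/FIN case the slide names, plus a few related ones), and a per-segment event record kept for later correlation. The `build_segment` helper only constructs test input; the checksum is left zero.

```python
import struct

# TCP control bits (low bits of the 16-bit data-offset/flags field).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp_header(segment):
    """Reassembly-stack step: parse the fixed 20-byte TCP header and
    split off the payload using the data-offset field."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x3F, "payload": segment[data_offset:]}

def flag_names(flags):
    return {name for name, bit in TCP_FLAGS.items() if flags & bit}

def protocol_violations(hdr):
    """Protocol-stack verification: report flag combinations that no
    conforming TCP implementation emits (SYN/FIN from the slide, plus the
    no-flags and FIN/PSH/URG variants seen in malformed probes)."""
    f = flag_names(hdr["flags"])
    findings = []
    if {"SYN", "FIN"} <= f:
        findings.append("SYN+FIN")
    if {"SYN", "RST"} <= f:
        findings.append("SYN+RST")
    if not f:
        findings.append("NULL-FLAGS")
    if {"FIN", "PSH", "URG"} <= f and not f & {"SYN", "ACK", "RST"}:
        findings.append("FIN+PSH+URG")
    return findings

def new_event(hdr, findings):
    """New-event creation: one log record per verified segment, kept for
    later correlation even when nothing was flagged."""
    return {"dport": hdr["dport"], "flags": sorted(flag_names(hdr["flags"])),
            "violations": findings, "alert": bool(findings)}

def inspect(segment):
    hdr = parse_tcp_header(segment)
    return new_event(hdr, protocol_violations(hdr))

def build_segment(sport, dport, flags, payload=b""):
    """Constructed test segment: no options (data offset 5), checksum
    left zero; only used to feed the checks above."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       (5 << 12) | flags, 65535, 0, 0) + payload

if __name__ == "__main__":
    print(inspect(build_segment(40000, 80, TCP_FLAGS["SYN"])))
    print(inspect(build_segment(40000, 80, TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"])))
```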

41
NIDS Detecting The Attack
  • Firewall Reconfiguration To Block IP Address.
  • Chime: "Danger, Will Robinson!"
  • Alarm: Email Or Page Responders (Admins?)
  • SNMP Trap: Send Trap Datagram To Console.
  • Syslog: Record It In Event Log Or Syslog.
  • Save Evidence.
  • Launch Program To Handle The Event.
  • Terminate The TCP Connection.

42
Other Countermeasures
  • Firewalls Should Be Considered As The LAST Line
    Of Defense.
  • Authentication: Password Policies, Single
    Sign-on, Removing Cleartext Protocols.
  • VPN: Secure Connection For Remote Access.
    However, They Decrease Corporate Security Because
    Both Ends Of The Pipe Are Wide Open.

43
Where To Locate IDS
  • Network Hosts
  • Network Perimeter
  • WAN/LAN Backbone
  • Server Farms
  • Need To Be On Low-bandwidth Nets To Keep Up With
    Traffic.

44
Fitting IDS With Security Framework
  • Put Firewalls Between Networks With Different
    Security Requirements.
  • Use Scanners To Check For Exploits.
  • Set Host Policy To Conform With Standards.
  • Use NIDS To See What Is Actually Happening.
  • Use Host-Based IDS To Flag Intrusions.
  • Create An Effective IRP.

45
Implementing IDS
  • OS: Enable Logging/Auditing Features.
  • Services: Build/Enable Security In WWW Servers,
    Email Servers, DB Servers.
  • NIDS: Install In Appropriate Places.
  • Firewalls: Enable Detection Facilities.
  • Install SNMP Traps (Openview, Tivoli).

46
Sample IDS Placement
[Diagram: INTERNET, FIREWALL and INTERNAL NETWORK,
with IDS 1 through IDS 4 placed around the firewall]
  • IDS 1: FWs don't produce enough info to
    effectively detect hits.
  • IDS 2: Detects attacks that penetrate the FW.
  • IDS 3: Detects attacks attempted against the FW.
  • IDS 4: Insider attacks will be detected.
47
Distributed Intrusion Detection (1)
48
Distributed Intrusion Detection (2)
49
Case Study: Technical Context
  • Context
  • On November 2, 1988, a computer worm began to
    inch its way through the Internet, at the time a
    government-funded network that linked more than
    60K computers across the United States.
  • Once installed, the Worm multiplied, created
    processes and rapidly clogged a computer's
    available space, until other work virtually
    halted.
    - Collected user and network information
    - Exploited UNIX security holes (e.g. sendmail
      facility and fingerd daemon)
    - Camouflaged itself by changing its name to that
      of a standard UNIX command interpreter.

50
Case Study: Context And Analysis
  • Context
  • Traced to Robert T. Morris, Cornell University
    graduate student.
    - Claimed that the Worm was an experimental
      program containing a bug that caused it to run
      rampant.
    - Convicted on January 23, 1990 under the 1986
      Computer and Fraud Act.
    - Placed on 3-year probation and subjected to a
      10K fine, 400 hours of community service.
  • Analysis
  • The Worm had the side effect of increasing public
    awareness of computer security, and creating a
    new generation of security consultants.
  • But despite the level of spending, increased
    public awareness, and preparedness, most
    organizations haven't significantly tightened
    security.

51
Stages Of Network Intrusion
  • Network Intrusion
  • (1) Scan the network to:
    - Locate which IP addresses are in use,
    - Identify what operating system is in use,
    - Identify what TCP or UDP ports are open
      (being listened to by servers).
  • (2) Run exploit scripts against open ports.
  • (3) Get access to a shell program which is suid
    (has root privileges).
  • (4) Download special versions of system files
    that will let hackers have free access without
    their CPU time or disk storage space being
    noticed by auditing programs.
  • (5) Use IRC (Internet Relay Chat) to invite
    fellow hackers.

52
Intrusion Detection Truths
  • Inevitably, the best intrusion prevention system
    will fail. A system's second line of defence is
    intrusion detection.
  • Motivation is a function of several
    considerations:
    - If detected early, the intruder can be
      identified and ejected from the system.
    - An effective intrusion detection can prevent
      intrusions.
    - Intrusion detection enables the collection of
      information about intrusion techniques that can
      be used to strengthen the intrusion prevention
      facility.

53
Behavioral Profiles Of Intruders And Authorized Users
54
Approaches To Intrusion Detection
  • Approaches to Intrusion Detection [2]
  • Statistical Anomaly Detection: Involves the
    collection of data relating to the behavior of
    legitimate users over a period of time. Then
    statistical tests are applied to observed
    behavior to determine with a high level of
    confidence whether that behavior is not
    legitimate user behavior.
    - Threshold Detection
    - Profile Based
  • Rule Based Detection: Involves an attempt to
    define a set of rules that can be used to decide
    that a given behavior is that of an intruder.
    - Anomaly Detection
    - Penetration Identification

55
Measures Of Intrusion Detection
  • Measures [3]
  • Login frequency by day and time.
  • Frequency of login at different locations.
  • Time since last login.
  • Password failures at login.
  • Execution frequency.
  • Execution denials.
  • Read, Write, Create, Delete frequency.
  • Failure count for Read, Write, Create and Delete.
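
Statistical anomaly detection (slide 54) applied to three of the measures on slide 55 (login time, login location, password failures), as an added example that is not part of the original deck: a per-user profile is built from constructed legitimate-login history, and a threshold test flags any later login whose measures fall more than a chosen number of standard deviations from that baseline. The audit-record format, the user name and the 3-sigma threshold are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed legitimate-login history for one user (assumed audit format,
# not from the slides): (user, hour_of_day, location, password_failures).
BASELINE = [
    ("alice", 9, "office", 0), ("alice", 10, "office", 0),
    ("alice", 9, "office", 1), ("alice", 8, "office", 0),
    ("alice", 11, "office", 0), ("alice", 9, "office", 0),
    ("alice", 10, "office", 0), ("alice", 9, "office", 1),
    ("alice", 8, "office", 0), ("alice", 10, "office", 0),
]

def build_profiles(records):
    """Profile-based step: per-user mean/stdev of login hour and password
    failures plus the set of locations seen during the baseline period."""
    by_user = defaultdict(list)
    for user, hour, loc, fails in records:
        by_user[user].append((hour, loc, fails))
    profiles = {}
    for user, rows in by_user.items():
        hours = [r[0] for r in rows]
        fails = [r[2] for r in rows]
        profiles[user] = {
            "hour_mean": statistics.mean(hours), "hour_sd": statistics.pstdev(hours),
            "fail_mean": statistics.mean(fails), "fail_sd": statistics.pstdev(fails),
            "locations": {r[1] for r in rows},
        }
    return profiles

def z_score(value, mean, sd):
    """Distance from the baseline in standard deviations; a zero-variance
    baseline treats any change at all as infinitely far."""
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return abs(value - mean) / sd

def score_login(profile, hour, loc, fails, z_limit=3.0):
    """Threshold step: return the measures whose observed value lies more
    than z_limit standard deviations from the user's baseline, or a
    location never seen before. An empty list means 'looks like the user'."""
    hits = []
    if z_score(hour, profile["hour_mean"], profile["hour_sd"]) > z_limit:
        hits.append("login_time")
    if z_score(fails, profile["fail_mean"], profile["fail_sd"]) > z_limit:
        hits.append("password_failures")
    if loc not in profile["locations"]:
        hits.append("location")
    return hits

if __name__ == "__main__":
    alice = build_profiles(BASELINE)["alice"]
    print(score_login(alice, 10, "office", 0))  # normal morning login
    print(score_login(alice, 3, "cafe", 6))     # 3 a.m., new place, many failures
```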

56
Phases Of Viruses
  • (1) Dormant Phase: Virus is idle
  • (2) Propagation Phase: Virus places an identical
    copy of itself into other programs
  • (3) Triggering Phase: Virus is activated to
    perform the function for which it was intended
  • (4) Execution Phase: Function is performed

57
Types Of Viruses
  • Parasitic Virus: Attaches itself to executable
    files as part of their code. Runs whenever the
    host program runs.
  • Memory-resident Virus: Lodges in main memory as
    part of the resident operating system.
  • Boot Sector Virus: Infects the boot sector of a
    disk, and spreads when the operating system boots
    up (original DOS viruses).
  • Stealth Virus: Explicitly designed to hide from
    virus scanning programs.
  • Macro Virus: The macro could run whenever the
    document is opened, or when a certain command is
    selected (Save File). Mutates with every new host.
  • Polymorphic Virus: Mutates with every new host
    to prevent signature detection.

58
Anti-virus Approaches
  • 1st Generation, Scanners: Searches files for any
    of a library of known virus signatures. Checked
    executable files for length changes.
  • 2nd Generation, Heuristic Scanners: Looks for
    more general signs than specific signatures (code
    segments common to many viruses). Checked files
    for checksum or hash changes.
  • 3rd Generation, Activity Traps: Stays resident in
    memory and looks for certain patterns of software
    behavior (e.g., scanning files).
  • 4th Generation, Full Featured: Combines the best
    of the techniques above.
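
The first two generations above in code, as an added example that is not part of the original deck: a signature scan over file contents (1st generation) and an integrity check that records each file's length and SHA-256 so that later length changes (1st generation) and same-length content changes (2nd generation) are both reported. The "files" are constructed byte strings held in a dict, and the signature library holds made-up patterns, not real malware.

```python
import hashlib

# Constructed stand-ins for a signature library; the byte patterns are
# arbitrary and match nothing real.
SIGNATURES = {"TEST-SIG-A": b"\x90\x90\xebXYZ", "TEST-SIG-B": b"BADCODE!"}

def scan_for_signatures(data, signatures=SIGNATURES):
    """1st generation: report every known signature found in the contents."""
    return sorted(name for name, pat in signatures.items() if pat in data)

def fingerprint(data):
    """What the integrity baseline stores per file: length (1st generation
    check) and a SHA-256 digest (2nd generation check)."""
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def baseline(files):
    """Record fingerprints for a known-clean set of files ({name: bytes})."""
    return {name: fingerprint(data) for name, data in files.items()}

def check_integrity(files, base):
    """Compare the current files with the baseline and say what changed.
    Length is checked first because it is the cheaper, older test; a
    same-length change is only caught by the hash."""
    report = {}
    for name, data in files.items():
        if name not in base:
            report[name] = "new"
            continue
        cur = fingerprint(data)
        if cur["length"] != base[name]["length"]:
            report[name] = "length changed"
        elif cur["sha256"] != base[name]["sha256"]:
            report[name] = "hash changed (same length)"
    for name in base:
        if name not in files:
            report[name] = "missing"
    return report

if __name__ == "__main__":
    clean = {"a.exe": b"MZhello", "b.exe": b"MZworld"}   # constructed
    base = baseline(clean)
    later = {"a.exe": b"MZhelloBADCODE!", "b.exe": b"MZwxrld", "c.exe": b"MZnew"}
    print(check_integrity(later, base))
    for name, data in later.items():
        print(name, scan_for_signatures(data))
```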

59
Advanced Anti-virus Approaches