Network and Systems Security Practices - PowerPoint PPT Presentation

Slides: 38
Provided by: johnh83

1
  • Network and Systems Security Practices
  • Presented by John Halsey
  • Principal Consultant
  • jhalsey_at_peer-tech.com www.peer-tech.com

2
Agenda
  • Security concerns
  • Types of security
  • Network security
  • Host security
  • Security tools
  • Disaster planning
  • Quick tips

3
Security Concerns
  • Virus infections
  • Trojans and back doors
  • Denial of Service attacks
  • Stolen data
  • Defaced web sites and modified data
  • Loss of data
  • Disgruntled employees
  • Lost productivity and revenue

4
Types of security
  • Access Control
  • Network design
  • Software settings
  • Techniques
  • Policies
  • Operating procedures
  • Disaster planning

5
Access Control
  • Packet filter
  • Firewall
  • Proxy
  • VPN

6
Packet Filter
  • Typically runs on a router
  • Permits or blocks traffic based on address,
    protocol or port
  • Limited flexibility
  • Not stateful

7
Packet Filter
    permit tcp any host 100.100.100.1 eq 80
    deny tcp any any
[Diagram: HTTP:80, FTP:21 and a crafted packet on port 80 sent toward 100.100.100.1]
8
Firewall
  • Permits or blocks traffic based on address,
    protocol or port
  • Blocks traffic if protocol rules are violated
  • Typically more flexible than packet filters

9
Firewall
[Diagram: HTTP:80, FTP:21 and a crafted packet on port 80 sent toward 100.100.100.1]
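The contrast drawn on slides 6 to 9, as an added example that is not part of the original presentation: the slide's two-line ACL applied statelessly, next to a firewall that also tracks TCP handshakes. The source addresses, ports and the choice of a bare ACK as the "crafted packet" are assumptions.

```python
from dataclasses import dataclass

WEB = "100.100.100.1"  # web server address from the slide's ACL

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" = SYN, "A" = ACK

def packet_filter(pkt):
    """Stateless ACL: every packet is judged alone, on address and port."""
    if pkt.dst == WEB and pkt.dport == 80:  # permit tcp any host 100.100.100.1 eq 80
        return "permit"
    return "deny"                           # deny tcp any any

class StatefulFirewall:
    """Same ACL plus a connection table, so TCP's own rules are enforced."""
    def __init__(self):
        self.connections = set()

    def check(self, pkt):
        if packet_filter(pkt) == "deny":
            return "deny"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":                # a bare SYN opens a connection
            self.connections.add(key)
            return "permit"
        if key in self.connections and "S" not in pkt.flags:
            return "permit"                 # belongs to an open connection
        return "deny"                       # no handshake seen for this packet

def compare(packets):
    """Return (label, packet-filter verdict, firewall verdict) per packet."""
    fw = StatefulFirewall()
    return [(label, packet_filter(p), fw.check(p)) for label, p in packets]

# Constructed traffic for the three labels in the slide diagrams (assumed values).
SAMPLE = [
    ("HTTP:80 SYN", Packet("198.51.100.7", 40000, WEB, 80, "S")),
    ("HTTP:80 ACK", Packet("198.51.100.7", 40000, WEB, 80, "A")),
    ("FTP:21 SYN", Packet("198.51.100.7", 40001, WEB, 21, "S")),
    ("Crafted packet:80", Packet("198.51.100.9", 40002, WEB, 80, "A")),
]

if __name__ == "__main__":
    for label, acl, fw in compare(SAMPLE):
        print(f"{label:18} packet filter: {acl:6} firewall: {fw}")
```

Only the last row differs: the packet filter passes the out-of-state packet because it matches port 80, while the firewall drops it.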
10
Proxy Server
  • Connections are terminated at the proxy
  • Accepts request from client
  • Issues request to server
  • Relays reply back to client
  • Caching can improve performance
  • Not compatible with all applications
  • Clients must be configured

11
Proxy Server
[Diagram: Proxy and Web Server, with an HTTP:80 request and a Reply on each side of the proxy]
12
Virtual Private Networks
  • Allows secure communication over the Internet
  • Authentication allows access
  • Encryption provides confidentiality
  • Compatible with many protocols
  • Performance overhead
  • Does not address access control

13
Virtual Private Network
[Diagram: Internet]
14
Network Design
  • Packet filtering
  • Firewalls
  • DMZs
  • Security by separation
  • Beware of back doors

15
Network Design
[Diagram: Internet; Web, SQL, File, DNS, Mail]
16
Network Design
[Diagram: Internet; Packet filters; Web, SQL, File, DNS, Mail]
17
Network Design
[Diagram: Internet; Firewall; Web, Mail, SQL, File, DNS]
18
Network Design
[Diagram: Internet; DMZ; Web, SMTP, DNS, DNS, SQL, File, Mail]
19
Network Design
[Diagram: Internet; Web, SMTP, DNS, DNS, SQL, File, Mail]
20
Network Design
[Diagram: Internet; Web, SMTP, DNS, DNS, SQL, File, Mail]
21
Network Design
[Diagram: Internet; Branch office; Web, SMTP, DNS, DNS, SQL, File, Mail]
22
Network Design
[Diagram: Internet; Web, SMTP, DNS, DNS, SQL, File, Mail]
23
Intrusion Detection
[Diagram: Internet; Web, SMTP, DNS, IDS, DNS, SQL, File, Mail, IDS]
24
Software Settings
  • Host hardening
  • Patches
  • Content filtering
  • Virus scanning
  • Host-based intrusion detection

25
Host Hardening
  • Remove unnecessary services
  • Remove sample applications and scripts
  • Enable logging and auditing
  • Set strong passwords
  • Set file system security

26
Significant Virus Incidents
  • Incidents: Anna Kournikova, Melissa, ILoveYou, sadmind/IIS, CodeRed, CodeRedII, Nimda, Goner
  • Fixes and mitigations labelled on the slide: sadmind patch, MIME patch, change file associations, IIS directory traversal patch, IIS Index Server patch
27
Common problems
  • Unpatched software
  • Default settings
  • Unnecessary services/open ports
  • Default or blank passwords
  • Unblocked spoofing
  • Unrestricted DNS zone transfers
  • Back doors
  • Untested backups

28
DNS Zone Transfers
  • Before:
    C:\> nslookup
    > ls -d demo.org
     demo.org.    NS    ns1.demo.peer-tech.com
     demo.org.    MX    10   mail.demo.org
     bdc          A     192.168.0.22
     ftp          A     192.168.0.11
     mail         A     100.100.100.10
     pdc          A     192.168.0.21
     sql          A     192.168.0.8
     www          A     100.100.100.11
  • After:
    C:\> nslookup
    > ls -d demo.org
    Can't list domain demo.org: Query refused
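What the "Before" listing hands to anyone who asks, as an added example that is not part of the original presentation: a small audit that separates the A records in an `ls -d` listing into internal and external hosts. Treating RFC 1918 addresses as "internal" is an assumption of the example.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
A_RECORD = re.compile(r"^\s*(\S+)\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def audit_listing(text):
    """Summarise what an 'ls -d' listing reveals to whoever requested it."""
    report = {"refused": False, "internal": [], "external": []}
    for line in text.splitlines():
        if "query refused" in line.lower():
            report["refused"] = True
            continue
        m = A_RECORD.match(line)
        if not m:
            continue  # NS, MX and prompt lines carry no host address
        addr = ipaddress.ip_address(m.group(2))
        kind = "internal" if any(addr in net for net in RFC1918) else "external"
        report[kind].append((m.group(1), str(addr)))
    return report

# The two listings from the slide, one record per line.
BEFORE = """\
demo.org.  NS  ns1.demo.peer-tech.com
demo.org.  MX  10 mail.demo.org
bdc   A  192.168.0.22
ftp   A  192.168.0.11
mail  A  100.100.100.10
pdc   A  192.168.0.21
sql   A  192.168.0.8
www   A  100.100.100.11
"""
AFTER = "Can't list domain demo.org: Query refused\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        r = audit_listing(text)
        print(label, "refused:", r["refused"],
              "internal:", [n for n, _ in r["internal"]],
              "external:", [n for n, _ in r["external"]])
```

Four of the six address records in the unrestricted listing are internal hosts, including the domain controllers and the SQL server.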

29
Security Tools
  • Network monitors
  • Vulnerability scanners
  • Port scanners
  • Patch scanners
  • Password crackers

30
Virus Scanning
  • Scan at the desktop and file server
  • Scan mail servers and SMTP gateways
  • Centralize and lock security settings
  • Schedule frequent definition updates
  • Enforce policies for remote users

31
Disaster Planning
  • Backup on a regular basis
  • Test backups
  • Keep written restore procedures
  • Store some backups off site
  • Maintain a software library with installation
    instructions
  • Record service account passwords in a secure
    location

32
Quick, inexpensive tips
  • Keep virus definitions up to date
  • Install current hot fixes
  • Restrict DNS zone transfers

33
Quick, inexpensive tips
  • Change default file associations:
    • EML: Outlook Express Email message
    • HTA: HTML Application
    • JS: JScript file
    • JSE: JScript Encoded file
    • KEY: Registration Entries
    • MSI: Windows Installer Package
    • MSP: Windows Installer Patch
    • NWS: Internet News Message
    • REG: Registration Entries
    • SCR: Screen Saver
    • SHS: Scrap Object
    • VBE: VBScript Encoded file
    • VBS: VBScript file
    • WSF: Windows Script file
    • WSH: Windows Script Host Settings file

34
Microsoft Tools
  • Hotfix scanner: HFNetChk
  • IIS Lockdown
  • URL Scan
  • Caution: IIS Lockdown & URL Scan can block
    legitimate web requests.

35
URLScan
  • Before:
    07:10:22 216.167.. - GET /scripts/root.exe /c+dir 404
    07:10:22 216.167.. - GET /MSADC/root.exe /c+dir 404
    07:10:22 216.231.. - GET /default.ida
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXu9090u6858ucbd3u7801u
      9090u6858ucbd3u7801u9090u6858ucbd3u7801u90
      90u9090u8190u00c3u0003u8b00u531bu53ffu0078
      u0000u00a 200
    07:10:22 216.167.. - GET /c/winnt/system32/cmd.exe /c+dir 404
    07:10:23 216.167.. - GET /d/winnt/system32/cmd.exe /c+dir 404
    07:10:23 216.167.. - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
    07:10:23 216.167.. - GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
    07:10:24 216.167.. - GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
  • After:
    10:49:30 216.231.. - - - - 404
    10:49:30 216.231.. - - - - 404
    10:49:35 202.100.. - - - - 404
    11:09:18 216.231.. - - - - 404
    11:09:18 216.231.. - - - - 404
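A log triage for entries like the ones on this slide, as an added example that is not part of the original presentation: it tags each request line by the probe it matches and recognises the "After" entries, where no URL is logged. The sample lines are constructed (documentation addresses, `%5c` and `+` written out, plain padding in place of the `.ida` query), and the field order and length threshold are assumptions.

```python
from collections import Counter
from urllib.parse import unquote

MAX_QUERY = 100  # assumed threshold for an abnormally long query string

def classify(line):
    """Tag one log line; field order assumed from the slide:
    time, client IP, user, method, URI stem, [URI query], [status]."""
    f = line.split()
    if len(f) < 5:
        return ["unparsed"]
    method, stem, rest = f[3], f[4], f[5:]
    if method == "-" and stem == "-":
        return ["no URL logged"]  # what the 'After' entries look like
    query = rest[0] if len(rest) == 2 else "-"
    # Decode %5c to a backslash and normalise it to '/', since Windows
    # accepts both as path separators.
    path = unquote(stem).replace("\\", "/").lower()
    tags = []
    if "/../" in path:
        tags.append("directory traversal")
    if path.endswith("/cmd.exe"):
        tags.append("cmd.exe request")
    if path.endswith("/root.exe"):
        tags.append("root.exe request")
    if path.endswith(".ida") and len(query) > MAX_QUERY:
        tags.append("oversized .ida query")
    return tags

def summarize(lines):
    """Count tags across a batch of log lines."""
    return Counter(tag for line in lines for tag in classify(line))

# Constructed lines modelled on the slide; addresses are documentation ranges
# and the .ida query is plain padding standing in for the real request.
BEFORE = [
    "07:10:22 203.0.113.5 - GET /scripts/root.exe /c+dir 404",
    "07:10:22 203.0.113.5 - GET /MSADC/root.exe /c+dir 404",
    "07:10:22 203.0.113.9 - GET /default.ida " + "X" * 224 + " 200",
    "07:10:22 203.0.113.5 - GET /c/winnt/system32/cmd.exe /c+dir 404",
    "07:10:23 203.0.113.5 - GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404",
]
AFTER = ["10:49:30 203.0.113.9 - - - - 404"]

if __name__ == "__main__":
    print("before:", dict(summarize(BEFORE)))
    print("after: ", dict(summarize(AFTER)))
```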

36
Security Links
  • www.sans.org
  • www.incidents.org
  • www.securityfocus.com
  • www.microsoft.com/security

37
For more information
  • Email: jhalsey_at_peer-tech.com
  • Web: http://www.peer-tech.com