Title: ISACA
1. ISACA Presentation
Network Security Fundamentals
Prepared and Presented by Deloitte & Touche Strategic Security Services
2. Introductions
- Your Instructor
- Introduce Yourself
  - Brief Background
  - Familiarity With Security
  - Expectations
- My Expectations As Your Instructor
- The ONE Thing You Want To Learn Most From This Session?
3. Session Overview
- Network Overview
- TCP/IP protocol
- Components of a secure network
- Firewall technology
- Encryption Overview
- VPNs
- Digital Certificates
- Kerberos
- Web security Overview
- SSL
- Redirectors and Load balancing
- CGI considerations
- Sample Files
4. Session Overview
- Network Overview
- TCP/IP protocol
- Components of a secure network
- Firewall technology
5. TCP/IP and Networking
[Diagram: Anatomy of a TCP/IP Packet]
6. TCP/IP and Firewalls
Different firewalls operate at different levels of the OSI model. Routers and some appliance-based firewalls are capable of screening packets only at the Network and Transport layers of the OSI model. Proxy servers protect networks at the Application layer only. This is the highest level of protection, but it operates at the highest cost: all functions are extremely resource intensive (requiring huge amounts of processing power, memory, and sometimes disk space). Stateful Inspection engines protect the network from the Data Link layer to the Application layer (generally focusing on the Network and Transport layers). Adaptive Proxy is similar to Stateful Inspection but approaches the sliding security scale from the Application layer. This allows you to apply higher-level security to some types of transactions and lower levels of security to others.
7. Protect The Network! But How?
[Diagram of protection mechanisms: Router Management, Encryption, Passwords, Firewalls, Security Policies, Content Vectoring Protocols]
8. Zones of Containment
Commonly referred to as Demilitarized Zones or DMZs. What is the function of a DMZ?
- Separate the inside network from the publicly accessible network.
- Maintain internal network security if the DMZ network gets compromised.
- Provide access between sites with different levels of trust.
- Provide distinct layers of security (zones can only be crossed through firewalls).
9. Why use zones
- Zones are utilized for the following reasons:
  - To restrict access between trusted and non-trusted networks
  - To provide Internet access to services without compromising the security of your internal network
  - To mitigate risk between distinct networks (i.e. between development, test, and production networks)
  - To allow vendors or partners access to data on your network but not within your production environment
  - To segregate the different divisions within your own production network (i.e. HR, Development, Procurement, Finance)
10. Why use zones
- Zones are a part of the concept of layered security.
- The goal of a layered approach is to have the most sensitive network nested as far away as possible from the Internet.
- Each network is separated by a firewall. It is strongly recommended that a heterogeneous firewall implementation be employed.
- Access to more internal networks should be authenticated and/or encrypted according to the sensitivity of the data contained on the network.
11. Zone Model
This is an example of how a firewall would be employed to create distinct security zones or layers of security. Remember that this is only an example and should not be considered the only way to achieve high levels of security.
[Diagram: the Internet, with encrypted VPNs and authenticated access, entering through the firewall into the DMZs (mail relay, HTTP CVP, DNS, e-commerce application, intrusion detection system/IDS), with protected web application servers, PKI, DC and the protected servers behind it]
12. Address Translation
Network Address Translation, commonly referred to as NAT, is a mechanism for reducing the need for globally available network addresses. Address translation allows organizations without globally unique addresses to connect to the Internet by translating those non-unique addresses into public addresses. Address translation is simply the process of exchanging one IP address for another. This can be done in a variety of ways but is most often handled by a firewall or router. The firewall or router handles the process of changing the IP address of the packets as they enter and leave the protected network space. This is done through the use of a dynamically generated table called a NAT table. The NAT table is simply a list of internal and external address-to-address or address-to-port mappings.
13. How NAT works
[Diagram: outside network 207.250.227.19 (legal) and inside networks 10.10.10.0 (illegal) and ctl-net (10.10.11.0); routers on each side of the firewall fw.ctl.com, which holds the firewall's translation table; a mail server (email.ctl.com) and a web server (www.ctl.com) inside. Steps 1 and 2 show a packet being translated on the way out and on the way back in]
14. Use of NAT
RFC 1918 has reserved a set of IP network addresses that can be used for internal networks. These are:
- 1 Class A network number: 10.0.0.0
- 16 Class B network numbers: 172.16.0.0 to 172.31.0.0
- 256 Class C network numbers: 192.168.0.0 to 192.168.255.0
Internal networks with RFC 1918 network numbers can reach all internal hosts and the Internet by implementing NAT.
- Advantages of RFC 1918
  - Additional Security: the addresses are not routeable on the Internet
  - Can Demand Quality Customer Service: if an ISP is not providing the quality of service desired, renumbering the network can be as few as 2 to 3 devices.
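The NAT table the two preceding slides describe, worked through as an added example (this is not the presentation's code and not any vendor's implementation). It keeps the dynamically built list of inside address:port to public address:port mappings, rewrites outbound packets from RFC 1918 space to the firewall's one public address, and accepts an inbound packet only when a mapping already exists for its destination port, which is why an unsolicited connection from the Internet has nowhere to be delivered. The public address 207.250.227.19 and the 10.10.11.0 network are the ones drawn on the NAT slide; the other addresses and ports are constructed values.

```python
"""NAT/PAT translation table (added example; not the presentation's code)."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges: 1 class A, 16 class B and 256 class C network numbers.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if the address is private, i.e. not routeable on the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    """Port address translation behind a single public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        if is_rfc1918(public_ip):
            raise ValueError("the public side of the NAT must not be RFC 1918 space")
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the protected network."""
        if not is_rfc1918(pkt.src):
            raise ValueError(f"{pkt.src} is not an internal address")
        key = (pkt.src, pkt.sport)
        if key not in self.outbound:          # first packet of a flow: add a mapping
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet):
        """Rewrite the destination of a packet arriving from the Internet.
        Returns None (drop) when no mapping exists for the destination port."""
        if pkt.dst != self.public_ip:
            return None
        key = self.inbound.get(pkt.dport)
        if key is None:
            return None                        # unsolicited: no inside host to deliver to
        inside_ip, inside_port = key
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def demo():
    """An inside host (constructed 10.10.11.5) opens a web connection, the reply
    is mapped back to it, and an unsolicited packet to the public address is dropped."""
    nat = NatTable("207.250.227.19")
    out = nat.translate_outbound(Packet("10.10.11.5", 1234, "198.51.100.7", 80))
    reply = nat.translate_inbound(Packet("198.51.100.7", 80, out.src, out.sport))
    stray = nat.translate_inbound(Packet("198.51.100.9", 443, "207.250.227.19", 40001))
    return out, reply, stray


if __name__ == "__main__":
    print(demo())
```

The table is keyed on the inside address and port only, so a second connection from the same inside socket reuses its public port; a production PAT keys on the full 4-tuple and ages entries out, which is left out here.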
15. What Is A Firewall?
- Firewall: a device or set of devices that is used to implement and enforce a written security policy regarding communication between protected and unsecure networks.
- A Firewall acts as a control portal between a protected network and an unsecured network.
- Firewalls restrict the entrance and exit of traffic based on acceptability.
[Diagram: untrusted networks, servers and users on the Internet side of a router and the firewall; a DMZ with publicly accessible servers and networks; trusted networks, trusted users, an intranet and a server segment on the inside]
16. What Is A Firewall?
- A Firewall cannot protect you from:
  - malicious authorized users
  - connections that don't go through it
  - all threats
New ways to break through networks are continually developed. To combat this, Firewall vendors continually develop and distribute new methods of protection against unauthorized network access.
17. Home Grown vs. Commercial Firewalls
- Is it possible to build your own firewall? The answer is yes. Is it cost effective and the right solution for you? That depends on your business model and the type of protection you are working towards. There are currently dozens of firewall products available as shareware, freeware, portions of an OS, or source code.
- These solutions can even outperform off-the-shelf firewall products. The drawback to using a Home Grown solution is in the lack of extensibility and the need for highly specialized staff.
- Commercial firewall solutions may be expensive, but they offer three major benefits over Home Grown firewalls:
  - They are highly extensible
  - They are supported by the Vendor
  - There are a greater number of trained resources available to build and maintain them
18. What makes the firewall safe
Firewalls are safe simply because they are extremely specialized systems that are built specifically to restrict access. A firewall is not necessarily any more secure than your average server, though. Do not assume that simply because an organization employs a firewall at the network border that they are safe. Just like any other network device, a firewall may be misconfigured. Types of firewalls that are especially susceptible to misconfiguration are appliance-based firewalls (especially those that only allow HTTP-based administration) and routers. In most cases, however, firewalls are proof against standard Denial of Service attacks. This is often built into the source code of the firewall product (whether it is an appliance, application based, or hybrid).
19. Routers/Access Lists
- Description
  - Commonly referred to as Packet Filtering: packets are examined at the Network layer only. No information in the upper four layers is reviewed.
- Pros
  - Transparent to users
  - Low performance impact (varies with size of ACL and router)
  - Inexpensive
- Cons
  - Difficult to configure, monitor, and maintain
  - Limited ability to manipulate data
  - Looks at only a small part of the packet
  - Poor logging and alerting abilities
  - Vulnerable to various IP-level attacks
20. Proxy Servers
- Description
  - Also known as an application gateway. Functions at the Application layer (7) of the OSI model. These are good for certain smaller environments without complex communications needs.
- Pros
  - Provide good security
  - Examine the upper layers of the packet
- Cons
  - Usually not transparent to users
  - Performance isn't as good as other solutions due to OSI layer implementation
  - Doesn't examine information in lower layers of the packet
  - Vulnerable to application and operating system bugs
  - Cannot fully support all communications services
  - Break the client/server model of communication
21. Stateful Inspection Engines
- Description
  - A firewall technology introduced by CheckPoint to overcome the failings of proxy servers and packet filters. Examines data from all layers of the OSI model. Maintains tables regarding the state of communication sessions and application sessions.
- Pros
  - Good security
  - Good performance
  - Transparent to users
  - Maintains information on the state of communications with data from multiple OSI layers
- Cons
  - Relies on the Operating System to function
  - Expensive in both initial cost and specialized training requirements
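The difference between a packet filter and a stateful inspection engine, and the "zones can only be crossed through firewalls" rule from the zone slides, as an added example (not the presentation's code and not any firewall product). Three zones are defined by address range: inside (10.10.11.0/24), dmz (10.10.10.0/24) and everything else as internet; the ranges reuse the addresses drawn on the NAT slide and the rule table is an assumption. The table lists only which zone may open a connection to which, on which port. The stateless filter judges each packet by that table alone, so it cannot admit the reply half of a session without also opening that direction to everyone. The stateful engine records each admitted session and lets its replies through, and drops non-SYN packets that belong to no session.

```python
"""Packet filter vs. stateful inspection across zones (added example; not the presentation's code)."""
import ipaddress
from dataclasses import dataclass

# Constructed zone layout; anything outside these ranges is treated as the Internet.
ZONES = {"inside": ipaddress.ip_network("10.10.11.0/24"),
         "dmz": ipaddress.ip_network("10.10.10.0/24")}

# (from_zone, to_zone, destination port or None for any): who may OPEN a connection.
RULES = [
    ("inside", "internet", None),   # inside users may reach the Internet
    ("inside", "dmz", None),        # and administer the DMZ
    ("internet", "dmz", 80),        # the public may reach the web server
    ("internet", "dmz", 25),        # and the mail relay
]


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # True for the packet that opens a TCP connection


def policy_allows_open(pkt: Packet) -> bool:
    """Does the rule table permit a new connection in this direction?"""
    fz, tz = zone_of(pkt.src), zone_of(pkt.dst)
    return any(f == fz and t == tz and (p is None or p == pkt.dport) for f, t, p in RULES)


class StatelessFilter:
    """Router ACL style: every packet is judged on its own, so replies to
    inside-initiated sessions are refused unless internet->inside is opened."""

    def allow(self, pkt: Packet) -> bool:
        return policy_allows_open(pkt)


class StatefulFirewall:
    """Keeps a table of admitted sessions keyed by the 4-tuple of the opening packet."""

    def __init__(self):
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return True                 # belongs to a session we already admitted
        if not pkt.syn:
            return False                # no session and not opening one: drop
        if policy_allows_open(pkt):
            self.sessions.add(forward)  # remember the session so its replies get through
            return True
        return False
```

Note that the DMZ can never open a connection toward the inside, however many sessions the inside has opened toward it: a compromised DMZ host only ever talks back within sessions the inside initiated, which is the containment property the zone slides ask for.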
22. Adaptive Proxy
- Description
  - Developed by Network Associates, Adaptive Proxy technology protects both in-bound and out-bound services while supporting high throughput rates by authenticating the first packet at the application layer and then passing all additional packets in the session at the network layer.
- Pros
  - Faster than traditional proxy servers
  - More secure than pure packet filtering technologies
- Cons
  - Vulnerable to OS-level security flaws
23. Firewall Appliance
- Description
  - A special-purpose piece of equipment that provides firewall functionality without requiring a specific operating system such as Unix, Linux, or NT
- Pros
  - Faster than most Proxy servers
  - Easy to configure
  - Not vulnerable to OS-specific vulnerabilities
- Cons
  - Not as extensible as application-based firewalls
  - Typically have a fixed configuration
  - Some standard features for application firewalls may be treated as add-ons by the appliance vendors
24. Session Overview
- Encryption Overview
- VPNs
- Digital Certificates
- Kerberos
25. The Need for VPNs
[Diagram: London Office, New York Office, Remote Office, Mobile User and Corporate Headquarters connected over a Private WAN]
Building private wide-area networks to accommodate organizations is expensive and provides little flexibility.
26. Remote Access Using VPNs
27. How Encryption Works
- Step 1: The original data (cleartext) is passed through an encryption algorithm that uses the secret key to uniquely scramble the data.
- Step 2: The result is called ciphertext.
- Step 3: The VPN receives the ciphertext and uses a secret key to decrypt the text.
28. VPN Types
- Firewall-to-Firewall
  - Data is encrypted when it leaves Firewall 1 and crosses the Internet
  - The data is authenticated and decrypted when it reaches Firewall 2.
[Diagram: Firewall Module 1 and Firewall Module 2 with the PUBLIC segment between them encrypted and the PRIVATE segments behind each firewall (Payroll, Sales) not encrypted]
29. VPN Types
- Client-to-Firewall
[Diagram: Firewall or Gateway with encryption module, Client with encryption package installed]
30. Symmetric Encryption
- Shared Secret key: a secret decryption format needed to encrypt and decrypt data
- Primarily for faster encryption performance
- Keys must be kept secret and should be changed periodically
[Diagram: the cleartext message "This is the original text before encryption" is passed through DES or RC4 with the shared key to produce ciphertext, then through DES or RC4 again with the same key to recover the cleartext message]
31. Asymmetric Encryption
- Cons
  - Up to 1000 times slower than symmetric cryptography
  - Typically used to encrypt small amounts of data (e.g. shared keys)
- Pros
  - Each node uses two mathematically related keys: a public key and a private key
  - The private key is not derivable from the public key, hence the public key is freely distributed
  - Allows:
    - Computation of shared secrets over insecure channels (Diffie-Hellman)
    - Digital signature (RSA)
  - Public key encryption: each node publishes a public key. Anyone wishing to send an encrypted message to the node encrypts it using that key. Only the holder of the private key can decrypt the message.
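The division of labour the symmetric and asymmetric slides describe, as an added example (not the presentation's code): the slow public-key step, Diffie-Hellman here, is run once over the insecure channel to agree a small shared secret, and a symmetric key for the bulk traffic is then derived from it. Only the two public values travel over the network. The group parameters are assumptions chosen so the block runs quickly (p is the Mersenne prime 2**127 - 1, far too small for real use); a deployment uses a standardised group of at least 2048 bits, and the hash-based key derivation stands in for a proper KDF.

```python
"""Diffie-Hellman shared secret and symmetric key derivation (added example; not the presentation's code)."""
import hashlib
import secrets

P = 2**127 - 1   # demonstration-sized prime modulus (assumption; not for real use)
G = 5            # generator (assumption)


def dh_private(p: int = P) -> int:
    """Random private exponent in [2, p-2]; never leaves the node."""
    return 2 + secrets.randbelow(p - 3)


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """The value each party sends in the clear: g^private mod p."""
    return pow(g, private, p)


def dh_shared(private: int, peer_public: int, p: int = P) -> int:
    """Combine our private exponent with the peer's public value: peer_public^private mod p."""
    # A peer value of 0, 1 or p-1 would force a trivial secret; refuse it.
    if not 1 < peer_public < p - 1:
        raise ValueError("degenerate peer public value")
    return pow(peer_public, private, p)


def derive_symmetric_key(shared: int, label: bytes = b"vpn session key") -> bytes:
    """Hash the shared secret (with a label) into a 256-bit key for the symmetric bulk cipher."""
    width = (shared.bit_length() + 7) // 8
    return hashlib.sha256(label + shared.to_bytes(width, "big")).digest()


def run_exchange(a_private=None, b_private=None):
    """Run both sides of the exchange; returns (a_public, b_public, a_key, b_key).
    Fixed exponents may be passed in for a reproducible run."""
    a_private = dh_private() if a_private is None else a_private
    b_private = dh_private() if b_private is None else b_private
    a_public, b_public = dh_public(a_private), dh_public(b_private)
    a_key = derive_symmetric_key(dh_shared(a_private, b_public))
    b_key = derive_symmetric_key(dh_shared(b_private, a_public))
    return a_public, b_public, a_key, b_key


if __name__ == "__main__":
    a_pub, b_pub, a_key, b_key = run_exchange()
    print("public values:", a_pub, b_pub)
    print("both sides derived the same key:", a_key == b_key)
```

An eavesdropper sees only the two public values; recovering the shared secret from them is the discrete logarithm problem, which is the reason the modulus must be large in practice. Plain Diffie-Hellman does not authenticate the peer, which is why the VPN slides pair it with authentication.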
32. What Should Be Encrypted?
Should an encryption method encrypt the packet header or the data?
33. Tunneling-Mode vs. In-Place Encryption
- Tunneling-Mode
  - Encrypts the packet, then encapsulates the packet within the encryption protocol header
- In-Place
  - Encrypts the payload portion of the packet and leaves the header intact.
  - Allows for greater performance than that provided by Manual IPSec, ISAKMP/Oakley (IKE) or SKIP encryption.
34. Digital Signatures
- Digital Signature: a code that can be attached to an electronically transmitted message, uniquely identifying the sender.
- Guarantees that the individual sending the message really is who they claim to be.
- Important for electronic commerce and a key component of most authentication schemes.
- Digital signatures must be unforgeable.
35. One-Way Hash Function
36. Certificate Authority
- Certificate Authority (CA): a trusted third party from whom a public key can be obtained reliably, even via the Internet.
- The CA certifies a public key by generating a certificate. The digital signature acts as proof of the sender's identity.
- The digital signature is created using a public encryption key scheme.
37. Encryption and the Audit
- Sniffing: the process of stealing data from the network by setting your Network Interface Card into promiscuous mode. Sniffing allows you to steal data from the data stream by telling your NIC that all traffic on the local network should be reviewed. If this traffic is encrypted then you will need to acquire the appropriate cracking technology. If the encryption algorithm is strong enough it will not be worth the effort of cracking.
- Man in the Middle: If you perform a man in the middle test for Gateway-to-Gateway VPNs, make sure that you are able to sniff from the same point that the packets reach the Firewall. This means that you will plug into the network on the same segment as the Firewall's external interface.
38. Encryption and the Audit (Cont.)
Misconceptions: A client may assume that simply because they have a VPN or use encryption that they are safe. This is not true. You must determine where encryption is used and how. For example, a client may use SSL into their environment but have cleartext transactions between their Web and Database servers. This may protect them from most external threats to transaction sniffing, but does nothing against internal threats.
39. Kerberos
- Benefits
  - Kerberos is an authentication system. Kerberos can be used to authenticate users or services (principals). A principal is defined by these components:
    - Primary Name
    - Instance
    - Realm
  - The Principal is used to identify users or services within distinct domains. For instance, a user's primary name would be their login (with a null instance), while a service would likely utilize the service name and machine name (i.e. rlogin.machinename).
  - Principals obtain tickets from Kerberos servers. Each ticket contains identifying information for the principal as well as encryption information. Once a session is established, all subsequent transactions can be encrypted.
  - Kerberos applies a specific lifetime to each ticket. Once this has been exceeded, a new ticket must be requested from the Kerberos server.
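The principal naming and ticket lifetime rules from this slide, as an added example (not the presentation's code and not a Kerberos implementation). Principals are parsed in the primary/instance@REALM form; the slide writes the older dotted form rlogin.machinename, so the slash separator used here is an assumption in the Kerberos V5 style. A service-side check models the lifetime rule: an expired ticket, a ticket issued for another service, or one presented before its issue time is refused and the client must go back to the Kerberos server. All names and times are constructed.

```python
"""Kerberos principal names and ticket lifetime checks (added example; not the presentation's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: str = ""   # empty string is the "null instance" of a plain user
    realm: str = ""

    @classmethod
    def parse(cls, text: str) -> "Principal":
        """Parse primary[/instance]@REALM (slash separator assumed here)."""
        if "@" not in text:
            raise ValueError("principal needs a realm: primary[/instance]@REALM")
        name, realm = text.rsplit("@", 1)
        primary, _, instance = name.partition("/")
        if not primary or not realm:
            raise ValueError(f"malformed principal: {text!r}")
        return cls(primary, instance, realm)

    def is_service(self) -> bool:
        return self.instance != ""

    def __str__(self) -> str:
        name = f"{self.primary}/{self.instance}" if self.instance else self.primary
        return f"{name}@{self.realm}"


@dataclass(frozen=True)
class Ticket:
    """The identifying part of a ticket; the encryption material is omitted."""
    client: Principal
    service: Principal
    issued: datetime
    lifetime: timedelta

    @property
    def expires(self) -> datetime:
        return self.issued + self.lifetime


def check_ticket(ticket: Ticket, presented_to: Principal, now: datetime) -> str:
    """Return 'valid', or the reason the service should refuse the ticket."""
    if ticket.service != presented_to:
        return "wrong-service"          # issued for some other service
    if ticket.client.realm != presented_to.realm:
        return "foreign-realm"          # cross-realm trust is not modelled here
    if now < ticket.issued:
        return "not-yet-valid"
    if now >= ticket.expires:
        return "expired"                # the client must request a new ticket
    return "valid"


def demo():
    """Four checks a service would make: normal use, after the lifetime has passed,
    a ticket for a different service, and one presented before it was issued."""
    alice = Principal.parse("alice@CTL.COM")                     # constructed user
    rlogin = Principal.parse("rlogin/host1.ctl.com@CTL.COM")     # constructed service
    ftp = Principal.parse("ftp/host2.ctl.com@CTL.COM")           # another service
    issued = datetime(2000, 1, 1, 9, 0, tzinfo=timezone.utc)
    ticket = Ticket(alice, rlogin, issued, timedelta(hours=8))
    return (check_ticket(ticket, rlogin, issued + timedelta(hours=1)),
            check_ticket(ticket, rlogin, issued + timedelta(hours=9)),
            check_ticket(ticket, ftp, issued + timedelta(hours=1)),
            check_ticket(ticket, rlogin, issued - timedelta(minutes=5)))


if __name__ == "__main__":
    print(demo())
```

The not-yet-valid check is the reason Kerberos depends on clocks being loosely synchronised: a service whose clock is far behind the Kerberos server's will refuse fresh tickets.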
40. Kerberos (continued)
Disadvantages: Kerberos was originally designed to authenticate end-users to a selected number of servers. The authentication structure, however, was not designed with overall network security in mind. The greatest issue is in key storage. Most of the workstations that would utilize Kerberos do not have a secure location for key storage. The initial ticket-granting dialog is initiated with a plaintext key. This must be stored in a secure location. If this key is compromised, the ticket granting server can then be compromised by utilizing data contained within the key. Additionally, there is an issue with multiuser workstations/servers. If a workstation/server supports multiple simultaneous users, then the cached key information for one user can be gained by another with relative ease. For a list of current and past risks with Kerberos, please refer to the Security Bugware web site.
41. Session Overview
- Web security Overview
- SSL
- Redirectors and Load balancing
- CGI considerations
- Sample Files
42. SSL
Secure Socket Layer provides transport layer protection through the use of a variant of the TCP socket interface and encryption. SSL is usually bundled with an application (such as a web server) so that integration with the underlying protocol stack is eased. SSL was originally developed by Netscape as a part of their overall security package. The SSL protocol specification has since been utilized by other web server vendors and remains a standard.
Additional information on IPSEC protocols may be located at the following sites:
- ftp://ftp.internic.net/rfc/rfc1825.txt - Security Architecture for the Internet Protocol
- ftp://ftp.internic.net/rfc/rfc1826.txt - IP Authentication Header
- ftp://ftp.internic.net/rfc/rfc1827.txt - IP Encapsulating Security Payload (ESP)
43. Usage of SSL
- Secure Socket Layer meets the following security objectives:
  - Protects transactions against attack on the Internet - SSL protects against many common network-based attacks. While it cannot protect against DoS attacks, it can protect against data manipulation and spoofing.
  - Ensures security without prior arrangements between customers and vendors - SSL provides a mechanism to verify identity for both customers and vendors. This allows transactions between entities that have no previously established relationships.
  - Applies cryptographic protection selectively - SSL allows the implementation of cryptography in a selective manner. Only sessions that need the added layer of security invoke SSL through the selected protocol interface and socket.
  - Protects the receiving host from attacks by incoming messages - While SSL cannot protect against actual attacks on the machines hosting or utilizing the service, it can protect the service (data stream) in use.
44. Attacks on SSL
- Secure Socket Layer protects against most common attacks. However, there are still a number of attack methods that can work. Most of these have been addressed by more recent versions of the protocol; however, new attacks are released regularly.
  - Predictable Keys - Early versions of SSL generated keys based on a small amount of internal information that could be used to assist with key prediction. This data was similar to having access to the random seed used to generate encrypted passwords in a shadow file.
  - Man in the Middle - SSL stops standard MIM attacks by validating the public key certificate before using its public key. This does not prevent the switching of valid certificates with subverted sites. The latest SSL implementations will extract the host name from the server's certificate and compare it to the hostname in the URL.
  - Short checksum keys - Early versions of SSL utilized the same key for both encryption and computing a keyed hash on the data. This allowed a successfully cracked key to be used to forge data sent from that key. Newer versions use different keys for encryption and data integrity.
  - Replay - While SSL originally protected against session replay, it did not prevent the use of captured session data from being used to extend a session. It was therefore possible to hijack an SSL session, bump the valid client, and extend the session with captured session data. SSL 3.0 incorporates sequence numbers to prevent this sort of attack.
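Three of the fixes listed on this slide, worked through as an added example (not the presentation's code and not a TLS implementation): the host name in the URL is compared with the name in the server's certificate, so a valid certificate for some other site cannot simply be swapped in; separate keys are derived for encryption and integrity; and the keyed hash over each record covers a sequence number, so a captured record fails when it is replayed to extend a session. Certificate names, the master secret and the record contents are constructed, and the hash-based key derivation is a stand-in for the SSL 3.0 key schedule.

```python
"""Certificate host name check, key separation and record sequence numbers (added example)."""
import hashlib
import hmac


def hostname_matches(cert_name: str, url_host: str) -> bool:
    """Case-insensitive match. A wildcard may only be the whole left-most label and
    matches exactly one label: *.client.com matches www.client.com but not
    client.com or a.b.client.com."""
    cert_name = cert_name.lower().rstrip(".")
    url_host = url_host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return "*" not in cert_name and cert_name == url_host
    suffix = cert_name[1:]                       # ".client.com"
    if "*" in suffix or not url_host.endswith(suffix):
        return False
    left = url_host[: -len(suffix)]
    return bool(left) and "." not in left


def certificate_accepted(cert_names, url_host: str) -> bool:
    """A certificate may carry several names; the URL host must match one of them."""
    return any(hostname_matches(n, url_host) for n in cert_names)


def derive_keys(master_secret: bytes):
    """Distinct keys for encryption and integrity from one master secret."""
    enc_key = hmac.new(master_secret, b"encryption key", hashlib.sha256).digest()
    mac_key = hmac.new(master_secret, b"integrity key", hashlib.sha256).digest()
    return enc_key, mac_key


def seal_record(mac_key: bytes, seq: int, payload: bytes):
    """The tag binds the payload to its position in the session."""
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return (seq, payload, tag)


class RecordReceiver:
    """Accepts records strictly in sequence; a replayed record carries a stale number."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.expected = 0

    def accept(self, record):
        seq, payload, tag = record
        if seq != self.expected:
            return None                          # replay or out-of-order: reject
        want = hmac.new(self.mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):
            return None                          # altered or forged record
        self.expected += 1
        return payload


def replay_demo():
    """Returns (first record accepted, the same record replayed, next record accepted)."""
    _, mac_key = derive_keys(b"constructed master secret")
    rx = RecordReceiver(mac_key)
    r0 = seal_record(mac_key, 0, b"GET /account HTTP/1.0")
    r1 = seal_record(mac_key, 1, b"POST /transfer HTTP/1.0")
    return rx.accept(r0), rx.accept(r0), rx.accept(r1)
```

The replayed record is refused purely on its sequence number, before the tag is even checked; an attacker holding captured records therefore cannot splice them into a session after the legitimate client has been bumped.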
45. SSL - Additional Information
- For additional information on SSL please refer to the following:
  - Network Security: Private Communication in a Public World - Kaufman, Perlman, and Speciner - Overview of mathematics and public key cryptography
  - The Public Key Cryptography Standards (PKCS) - RSA Laboratories - Standards on how to implement public key cryptography facilities
  - On the Difficulty of Factoring - Rivest - a set of estimates on the difficulty of cracking an RSA key
  - SSL 3.0 Specification - Netscape Communications, http://www.netscape.com/libr/ssl/ssl3/index.html - The official definition of SSL. Take note of the appendix on attacks.
46. The Need for Load Balancing
- Web and FTP servers may see a tremendous number of requests in a short period of time.
- Often, a single system cannot effectively handle the load.
[Diagram: many client requests from the Internet converging on a single FTP server; the overloaded server becomes the bottleneck]
47. How Load Balancing Works
Load balancing distributes the requests among a group of mirrored servers.
[Diagram: client requests to target.client.com arrive from the Internet and are balanced between the mirrored servers target1.client.com, target2.client.com, target3.client.com and target4.client.com]
48. Logical Servers
- Firewall acts as the logical server
- Packets flow to the firewall
- Firewall distributes network traffic among its server group
[Diagram: the firewall in front of Server 1, Server 2 and Server 3]
49. Load Balancing Components
- Load Balancing Daemon: directs client packets to a server
- Load Balancing Algorithms: determine which physical server will fulfill the request
50. Problems with Load Balancing
- Problem
  - You wish to hide the true IP address of the physical server to which your HTTP redirect rule directs HTTP traffic. HTTP load balancing may rewrite the HTTP logical server's name when you tie several logical server names to one IP address. The HTTP protocol has a feature that uses a server's name in the HTTP request. HTTP load balancing rewrites the logical server name to the actual physical server it represents.
- Test
  - Attempt to browse to the client web server and watch for the redirect. If you get a response other than the stated Web server then the Load Balancing tool is misconfigured and is leaking information.
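The two components from the Load Balancing Components slide and the name-leak problem from this one, as an added example (not the presentation's code and not any load balancer product). The daemon directs each request for the logical name to one physical server chosen by a pluggable algorithm; round robin and least connections are assumptions, since the slides do not name an algorithm. A second pair of functions implements the test above: one reports whether a redirect names a physical server, the other rewrites such a header back to the logical name so the physical name never reaches the client. The host names are the constructed ones drawn on the load balancing slides.

```python
"""Load balancing daemon, algorithms and the redirect name-leak check (added example)."""
import itertools

LOGICAL = "target.client.com"
POOL = ["target1.client.com", "target2.client.com", "target3.client.com", "target4.client.com"]


def round_robin(balancer):
    """Hand out servers in turn."""
    return next(balancer._cycle)


def least_connections(balancer):
    """Pick the server with the fewest requests in flight."""
    return min(balancer.pool, key=lambda s: balancer.active[s])


class Balancer:
    """The load-balancing daemon: the server group and its active-request counts."""

    def __init__(self, pool, algorithm=round_robin, logical=LOGICAL):
        self.pool = list(pool)
        self.logical = logical
        self.algorithm = algorithm
        self.active = {s: 0 for s in self.pool}
        self._cycle = itertools.cycle(self.pool)

    def dispatch(self, request_host: str):
        """Choose the physical server for a request addressed to the logical name."""
        if request_host != self.logical:
            return None                  # not a name this balancer fronts for
        server = self.algorithm(self)
        self.active[server] += 1
        return server

    def finish(self, server: str):
        self.active[server] -= 1


def leaked_physical_name(headers: dict, pool):
    """The audit test from the slide: does a redirect name a physical server?"""
    for name, value in headers.items():
        if name.lower() == "location":
            for server in pool:
                if server in value:
                    return server
    return None


def scrub_headers(headers: dict, pool, logical: str = LOGICAL) -> dict:
    """Rewrite physical server names in Location headers back to the logical name."""
    fixed = {}
    for name, value in headers.items():
        if name.lower() == "location":
            for server in pool:
                value = value.replace(server, logical)
        fixed[name] = value
    return fixed


if __name__ == "__main__":
    b = Balancer(POOL)
    print([b.dispatch(LOGICAL) for _ in range(5)])
    leak = {"Location": "http://target2.client.com/login"}    # constructed response header
    print(leaked_physical_name(leak, POOL), scrub_headers(leak, POOL))
```

The same check can be run against other places a server name appears in a response (the Host the server echoes into absolute links, for instance); the Location header is the one the slide's test is about.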
51. How This Affects the Audit
Since Load Balancing acts as a broker for requests to certain services, you will not be able to target all of the Internet-accessible servers with an external audit.
[Diagram: testing from across the Internet, client requests to target.client.com are balanced between the mirrored servers target1.client.com through target4.client.com, so only the server the balancer selects is reached]
52. CGI Scripts
The problem with CGI scripts is that each one presents yet another opportunity for exploitable bugs. CGI scripts can present security holes in two ways:
- They may intentionally or unintentionally leak information about the host system that will help hackers break in.
- Scripts that process remote user input, such as the contents of a form or a "searchable index" command, may be vulnerable to attacks in which the remote user tricks them into executing commands.
53. CGI Scripts
CGI scripts are potential security holes even though you run your server as "nobody". A subverted CGI script running as "nobody" still has enough privileges to mail out the system password file, examine the network information maps, or launch a log-in session on a high-numbered port (it just needs to execute a few commands in Perl to accomplish this). Even if your server runs in a chroot directory, a buggy CGI script can leak sufficient system information to compromise the host.
54. Safe CGI Development
- Avoid giving out too much information about your site and server host.
- If you're coding in a compiled language like C, avoid making assumptions about the size of user input.
- Never pass unchecked remote user input to a shell command.
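The "searchable index" case from the CGI slides, shown as an unsafe and a safe version in an added example (not the presentation's code). The unsafe function builds a shell command line from the remote search term, so shell metacharacters in the term become part of the command, which is exactly how a script is tricked into executing commands; it only returns the string, it never runs it. The safe version checks the term against an allow-list, never hands it to a shell (the search is done in-process over the index), and answers a bad request with a generic message while keeping the detail in the server log, so nothing about the host is given away. The index path, the index lines and the log are constructed.

```python
"""Unsafe vs. safe handling of a remote search term in a CGI-style script (added example)."""
import re

INDEX_PATH = "/srv/www/index.txt"          # constructed path
SAMPLE_INDEX = [                           # constructed 'searchable index' contents
    "alpha: product overview",
    "beta: pricing sheet",
    "gamma: alpha release notes",
]
SERVER_LOG = []                            # stands in for the web server's error log

# Allow-list for search terms: a short token of letters, digits, dot, dash, underscore.
TERM_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")


def unsafe_command(term: str) -> str:
    """DO NOT USE: the remote term is pasted straight into a shell command line.
    Returned for illustration only; a script that ran this string through the
    shell would execute whatever follows a ';' or '|' in the term."""
    return f"grep {term} {INDEX_PATH}"


def validate_term(term: str):
    """Return the term if it is acceptable, else None."""
    return term if TERM_RE.fullmatch(term) else None


def safe_search(term: str, index=SAMPLE_INDEX):
    """(status, body): the term is validated and matched in-process; no shell is involved."""
    clean = validate_term(term)
    if clean is None:
        SERVER_LOG.append(f"rejected search term {term!r}")   # detail stays server-side
        return 400, "Bad request"                              # generic reply to the client
    matches = [line for line in index if clean.lower() in line.lower()]
    return 200, matches


if __name__ == "__main__":
    print(unsafe_command("alpha; id"))     # shows the ';' surviving into the command line
    print(safe_search("alpha"))
    print(safe_search("alpha; id"), SERVER_LOG)
```

Where an external program really is required, the same rule applies: validate first, then invoke it with an argument list rather than a command string, so no shell ever interprets the input.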
55. JAVA
Nothing in life is completely secure; Java is no exception. If you're using an up-to-date Web browser, you are usually safe against the known attacks. However, nobody is safe against attacks that haven't been discovered yet. Other Web scripting tools such as JavaScript, Visual Basic Script, or ActiveX face the same sorts of problems as Java. Plug-in mechanisms provide no security protection. If you install a plug-in, you're trusting that plug-in to be harmless.
56. JAVA Attacks
There are two classes of security problems: nuisances and security breaches. A nuisance attack merely prevents you from getting your work done. For example, it may cause your computer to crash. Security breaches are more serious: your files could be deleted, your private data could be read, or a virus could infect your machine.
57. Java, ActiveX and JavaScript
- Moving the Risk from Server Processing to Client Processing
- Alternative to CGI
58. Java
- Programming Language
- Platform Independent
- Built-in Security Manager
  - Will not allow Java to open IP connections
  - Will not read/write to local disk
  - Applets downloaded are controlled by the security manager
59. The Real Java
- Applets can open IP connections
- Applets can execute binary code
- Applets can bypass the security manager
- Denial of Service attacks common (looping)
60. ActiveX
- OLE for the Internet
- NO security model
- Certificate Trust model
  - Even bad people can have a Driver's License
- Full control of the system
- No audit trail
61. JavaScript
- Scripting language
- Code in HTML files
- Ability to control the browser
- Security not designed in
- Security by feature removal
62. So what is unsafe with my browser?
- Reading your private files
- Making you do something that you really should not do
63. What files are private?
A few files provide a lot of information about you. These include:
- Cache files
- History file
- Bookmarks
- Configuration
64. Important Files
- History File: Since the default is 30 days to expire a link, typically you can see the last 30 days' worth of web surfing by examining the history file.
- Bookmark File: Bookmarks are a problem for the same reason the history file is a problem. It shows what sites you feel are important.
- Cache: The cache is your browser's way of making things faster. Every query is stored in the cache. Typically every form submittal, including accesses to pages requiring an ID and password, will be there, unless a site has tagged an HTML document NOT to be cached.
65. What can my Web browser make me do?
You can be tricked into supplying user IDs and passwords, or sending personal information like Social Security numbers and credit card information. If your browser supports HTML 3.0 extensions and Java, your files could be plucked from your hard drive. Your machine could be used to terrorize other resources behind your firewall and send critical information offsite.
66. The Basic FireWall Design: Security Phase 1
[Diagram: the Internet, with encrypted VPNs and authenticated access, passes through a single firewall (Layer 1) into the DMZ (Mail, HTTP, FTP, DHCP, ACE, E-Commerce Relay, DNS, CVP, PC Banking), watched by an Intrusion Detection Monitor (IDM); protected web application servers and the internal resources (Mainframe, SAP, PeopleSoft, Oracle, Internal Mail, etc.) sit behind it. Properties listed: Performance, Network Address Translation, Centralized Management, Security Policies, Router Control, User Access, Scalable]
67. The Layered FireWall Design: Enhanced Containment
[Diagram: as in the basic design, but in three layers. Layer 1: the firewall in front of the DMZ (Mail, HTTP, DHCP, ACE, E-Commerce Relay, DNS, CVP, PC Banking), the Intrusion Detection Monitor (IDM) and the protected web application servers. Layer 2: an Intra-Wall in front of the batch databases (FTP, SQL, Access, Oracle, etc.). Layer 3: the internal resources (Mainframe, SAP, PeopleSoft, Oracle, Internal Mail, etc.). Properties listed: Centralized Management, Security Policies, Router Control, User Access, Scalable]
68. The Perimeter Design for Performance, Reliability, and Security
[Diagram: the layered design with separate in-bound and out-bound paths, two firewalls kept in state sync and made highly available with VRRP, an Intrusion Detection Monitor (IDM) at each layer, and a Firewall Reporting Engine. Layer 1: the firewalls in front of the DMZ (Mail, HTTP, DHCP, ACE, E-Commerce Relay, DNS) and the protected web application servers. Layer 2: the Intra-Wall in front of the batch databases (FTP, SQL, Access, Oracle, etc.). Layer 3: the internal resources (Mainframe, SAP, PeopleSoft, Oracle, Internal Mail, etc.). Properties listed: Centralized Management, Bandwidth Management, FW/Server Load Balancing, FW High Availability, VRRP, Scalable]
69. So What Can I Do Now?
- On My Own
  - Install Firewalls and Intrawalls properly
  - Install Security Monitoring
  - Audit Security Logs
  - Acquire Scanning Tools and Lock Down Platforms
  - Perform Security Testing
  - Attend Security Training
- From Security Experts
  - Security Verification Assistance
    - Not all third parties have the same expertise!
  - Tiger Team Analysis
  - Security Training
    - Firewalls
    - Attack Monitoring
    - Scanning Tools
    - Vulnerabilities
70. Security Skills Improvement Recommendations
- Entry Level Training
  - OS Administration Training
  - Scanning Tool Certification
  - Firewall Certification
- Advanced Level Training
  - OS Security Lock Down Training
  - FireWall Lock Down
  - Compromise Response Initiatives
- Management Awareness
  - Security Awareness Seminar
71. Security Issues and Initiatives
- Review Architecture Design for Unprotected Access
- Scan network for all available network routes and security short cuts
- Redesign Security Architecture: Layer FireWall and Security Controls
- Scan all IP Devices for Vulnerabilities
  - Remote and Internal Testing
- Lock Down all Security Holes
  - Operating Systems
  - Applications
  - Files and Data Bases
  - Network Access Points
- Develop and Document Security Baselines and Policies
- Resolve Security Vulnerabilities and Re-test all Targets
- Implement On-line Security Monitoring and Auditing
72. Adaptive Security Management
[Diagram: Monitor and Detect cycle]
The ability to monitor, detect, and respond to threat and vulnerability conditions.
73. Intrusion Detection and Attack Recognition
[Diagram: Intrusion Detection sensors on the corporate network (behind IntraWalls) and on the DMZ net (Virus CA Server, Mail Server, Server Pool with Web and FTP), facing the Internet, Intranet and Extranet]
74. Vulnerability Detection and Response
[Diagram: the DMZ (E-Mail, File Transfer, HTTP), a Comms Server and a Router between the Internet and the corporate network/intranet (Manufacturing, Engineering, Marketing, Human Resources); this slide highlights the Network]
75. Vulnerability Detection and Response
[Same diagram, highlighting Applications]
76. Vulnerability Detection and Response
[Same diagram, highlighting Systems]
77. Threat Detection and Response
[Same diagram, highlighting Attack Recognition]
78. Manual Tests
- http://www.target.com/msadc/Samples/SELECTOR/showcode.asp?source/msadc/Samples/../../../../../boot.ini
- ftp://www.target.com - often displays the Web root as a set of files
- IIS character buffering on open ports