You are Not Alone '

About This Presentation

Title:

You are Not Alone '

Description:

Confidence Tricks. Malicious ... log sensitive traffic (e.g. card numbers) Turn off debug logs when ... Don't log the card number in full !! if you must log ... – PowerPoint PPT presentation

Number of Views:100

Avg rating:3.0/5.0

Slides: 130

Provided by: ms146

Category:

more less

Transcript and Presenter's Notes

Title: You are Not Alone '

1
You are Not Alone .
Network Security
2
Network Security

Iain Moffat B.Sc(Hons) CEng MIET
Chairman
IET Anglian Coastal

3
The Network Problem

A non networked computer is only at risk from
people who have physical access to it
This can be controlled by locks and keys
A networked computer is no longer alone
There over 100 million Internet users world wide
Based on the ratio of UK prison inmates to
population at least 160,000 of them are crooks
It is therefore necessary to protect your
computers from attack via the internet

4
Contents

WHY ARE WE DOING IT?
What is Computer Security?
Network Security
Data Protection Principles and the DPA
WHAT DO WE DO?
The Security Implementation Process
The threats to your computer and network
Risk/Impact Assessment
Security Policies
TECHNOLOGY REFRESHER
IP Networks
DNS
Ports and Sockets
Firewalls and Routers
TECHNICAL SOLUTIONS
Countermeasures
Network Technology Refresher
Secure Network Design
WHAT TO DO IF SECURITY FAILS

5
What is computer security?

Protection of computer hardware, software and
data from loss, damage or theft

6
What is Network Security ?

In todays world almost all computer systems are
accessed over a network
Therefore, the network must be at least as secure
as the computers
Unlike computers, networks go outside the
computer room and are much harder to make secure
All the principles of computer security apply to
networks

7
Data Protection Principles

Personal data shall be processed fairly and
lawfully and, in particular, shall not be
processed unless-
(a) at least one of the conditions in Schedule 2
is met, and
(b) in the case of sensitive personal data, at
least one of the conditions in Schedule 3 is also
met.
Personal data shall be obtained only for one or
more specified and lawful purposes, and shall not
be further processed in any manner incompatible
with that purpose or those purposes.
Personal data shall be adequate, relevant and not
excessive in relation to the purpose or purposes
for which they are processed.
Personal data shall be accurate and, where
necessary, kept up to date.
Personal data processed for any purpose or
purposes shall not be kept for longer than is
necessary for that purpose or those purposes.
Personal data shall be processed in accordance
with the rights of data subjects under this Act.
Appropriate technical and organisational measures
shall be taken against unauthorised or unlawful
processing of personal data and against
accidental loss or destruction of, or damage to,
personal data.
Personal data shall not be transferred to a
country or territory outside the European
Economic Area unless that country or territory
ensures an adequate level of protection for the
rights and freedoms of data subjects in relation
to the processing of personal data.
From the Data Protection Act 1998 Schedule 1 part
1http//www.opsi.gov.uk/acts/acts1998/19980029.h
tmaofs

8
Network Security Principles

Authentication
It should be possible to prove that the sender of
a message is who they claim to be
Secrecy
It should be impossible for anyone other than the
intended recipient to see the contents of a
message
Integrity
It should be impossible for a man in the middle
to modify the content of a message without being
detected
Non-Repudiation
It should be impossible for the sender of a
message to subsequently deny having sent it
It should be impossible for the recipient of a
message to subsequently deny having received it

9
Security Processs
2
POLICIES
COUNTER MEASURES
3
THREATS
1
4
INCIDENTS
AUDITS
5
10
The Threats

Fire
Flood
Theft
Vandalism
Impersonation
Junk Mail

11
Where Threats Come From

People with access to your network and computer
systems connected to it
Removable media (tapes, disks etc)
Malicious Software
Trojans
Viruses
Worms
Exploits and Rootkits
Spyware
External Network Connections
Foreign computers connected to your network
Confidence Tricks

12
Malicious Software

Trojans
installed by user action e.g. clicking an
attachment
Viruses
self-replicating programs spread by various means
such as floppy disks or network shares.
Worms
self-replicating programs able to spread from
machine to machine over a network without user
help
Exploits and Rootkits
Exploits are methods of bypassing OS or network
security
Rootkits use exploits to get control of a target
computer
Rootkits usually install a hidden remote access
program for later use
Spyware
A payload of trojans or viruses that phones
home to its creator
May retrieve file data or log keystrokes from a
victims machine
Password Capture or Phishing
typically done by fake web logon links in fake
mails from banks etc
also seen in links sent to instant messenger users

13
Network Threats

Wire Taps / Eavesdropping
Primarily a risk in shared media (eg. wireless
802.11)
Leads to data loss and may facilitate
Man-in-Middle or Impersonation attacks in the
future
Password sniffing is a specific form of this
threat
Man in the Middle
Primarily a risk in multi-hop links
Requires access to a link carrying all traffic
between end systems
Impersonation
Use of false credentials to log in to network
services
DNS Poisoning
Denial of Service
Primarily a risk to sites with limited internet
access bandwidth
High volumes of unwanted inbound traffic may
bring down servers or squeeze out legitimate
traffic
Bandwidth Theft
unauthorised connections to your WLAN may steal
your internet access bandwidth

14
Risk Assessment
15
Risk Assessment Factors

Business or domestic
Business needs to consider employees as a risk
Domestic users have only external threats
Single or Multi-User
Multi-User systems need to consider who can see
what
Single user systems only need to prevent
accidental damage (by running trojans as an
administrator)
Networked or Standalone
Networked systems are at risk from outside
Physical access is needed to harm standalone
systems
Internet-connected networks are at greater risk
than isolated ones

16
Risk Assessment Process

Make a list of risks
Determine probability of each one happening
Determine cost of each one if it happens
Calculate cost probability for each one
Deal with the worst first
It is worth paying (cost probability) to
fixeach risk that has been identified.

17
Security Policies
18
Security Policies

Are the responses to identified threats
Are designed to mitigate or avoid the threats
Provide the requirements for design of
technical solutions (eg. firewalls)
standards (eg. password rules)
processes (eg. what to do when an employee leaves
the company)

19
Security Policies

Security policies should cover the following
areas
Physical Security
User Access
Removable Media
Network Software
Network Connectivity
3rd. Party Access
Audit and Logging
Patching and Updates

20
Countermeasures
Countermeasures are the technical, process or
organisational implementation of the security
policies that have been defined to address the
identified risks.
21
Countermeasures

Physical Security
Lock it up
Back It Up
Keep Spares
Dont put it under a water pipe
Cables belong in ducts or under ground
User Access Control
Use passwords
Change them often
Use one-time passwords and encryption over the
Internet
Separation of privelige where possible
Removable Media Control
Theres no point encrypting the networkbut
sending disks in the post !!
Theres no point protecting the computer if
backup tapes are insecure !!
If it isnt labelled no one will know whatto do
with it always mark with date, owner, and
security level.
Network Software
Use a robust operating system
turn off unused features
keep checking for new security fixes

Network Access Control
permit only necessary traffic
block all unnecessary traffic by default
do not assume all outbound is safe
use a firewall between different security zones
File Permissions and Security
set the strictest permissions that work
limit access to admin tools and files toadmin
users
do not use admin accounts for general purpose
computing e.g. web browsing
3rd. Party Access
Watch 3rd party maintainers while on site
Avoid letting them use their laptop on your LAN
change passwords before and after
Dont allow removed disks off site !
Audit and Logging
Do log critical events (login, logout
configure)
Dont log sensitive traffic (e.g. card numbers)
Turn off debug logs when not needed
Monitor traffic volumes and investigate changes

22
Patching and Updates

Hackers are always finding new bugs
Software vendors are always fixing them
You must monitor vendor websites or mailing lists
Also check CERT, UNIRAS and ISC alerts frequently
If you have resources test and deploy patches in
a controlled way
If not subscribe to windows update or its Linux
counterparts
Upgrade the OS before it becomes unsupported

23
Audit Trails

To understand and clean up an incident you need
to know what happened
To prosecute you need evidence
WHO did it (implies no shared accounts and
traceability of accounts to people)
WHAT they did(implies need for transaction
logging when sensitve data is changed)
WHEN they did it (implies need for timestamps
and accurate synchronised system clocks)
WHERE they did it (Implies need for logging of
source IP or terminal line)
Evidence trail must withstand suggestions of
tampering (Implies frequent backup to write-once
media which should be checked in to a 3rd party
store)
Keep baseline full backups after system builds
(and after each major update) on non-alterable
media so you can detect all changes (including
unauthorised ones) later

24
LOGGING

Logging
Keep a separate dedicated SYSLOG server with
restricted user access for UNIX and Network
equipment so audit trails are protected if a
server is compromised
Use a central MOM server with restricted user
access to log events for Microsoft platforms
Use centralised password services (LDAP, Windows
Active Directory, TACACS) rather than local
passwords on each machine to log access off the
box
Use a firewall to separate log (SYSLOG or MOM)
and password (LDAP, NIS, TACACS or Active
Directory) servers from the rest of the network
Isolate and analyse infected/compromised systems
prior to rebuild (or at least clone the disks)
Beware of logging too much data (since the
logfiles themselves will become sensitive data)
Do log that Iain from IP 1.2.3.4 paid 10.34 for
an XYZ at 1843 with VISA
Dont log the card number in full !! if you
must log just a few digits
Log primary key only not full customer address
record !!
Where possible customer and user primary keys
should be public domain info or anonymous numeric
IDs
Do not combine debug and audit data in the same
logs
Turn off debug-level logging unless you are
debugging
Delete logs after a reasonable interval (seek
legal advice for your circumstances)

25
Safe Operating Practices

Avoid auto-opening attachments and embedded links
in mail messages
Turn off message preview functions in E-Mail
programs
Never click on links in mail messages copy link
text into a browser window
Never click unsubscribe links in junk mail
messages
Suppress Junk Mail
Use an ISP which provides SPAM filtering
If your company has its own mail server use
something like SpamAssassin to catch repeat spam
items and suspect words
Consider whitelisting (so only mail from trusted
addresses is accepted)
Beware new websites and links from search engines
Disable client-side code (java, javascript and
activeX) or use a dumb browser (eg. Early
Netscape) to preview new sites
Only enable client-side code on trusted sites
Consider copying untrusted zone settings to
internet zone in IE6 and putting known good
sites (www.theiet.org, etc) in the trusted zone
explicitly
use a textmode browser (eg. Lynx) for following
up google searches

26
Internet Zone
Restricted Zone
27
Network Software Configuration

Modern computers come with many network services
Mail servers
Print Servers
File Sharing
Remote Procedure Calls (RPC)
SQL Databases
Web Servers
Remote Desktop Access / X-Windows / VNC
Most are enabled by default in Windows 2000/XP
(bad)
Most are disabled by default in Windows 2003
Server (better)
UNIX and Linux distributions are somewhere
between
Only active network services are vulnerable to
attack
To minimise the attack surface of your systems
you need to turn off the ones you dont plan to
use
Review control panel gt administrative tools gt
services on Windows
Review /etc/inetd.conf or /etc/xinetd on Linux
and Unix systems
Be aware of loopback connections when client
(user interface) and server (backend) portions
of an application run on the same machine
these must not be disabled !!!

28
Interconnect Policies

Define what connections are allowed
starting point for firewall rule or ACL design
starting point for validation of existing rules
and new requests
Divide the network into zones or domains
internal networks
trusted external networks
the internet
Specify permitted connections btweeneach pair of
zones
source
destination
permitted network services
logging and authentication required

29
Network Security Implementation
30
Technology Refresher

IP Networks
Addresses
Domain Names
TCP, UDP and ICMP
Ports
Software Firewalls
Hardware Firewalls and Routers
Network Address Translation (NAT)

31
IP Networks

IP V4 Addresses are globally unique
4 bytes long written as dotted decimal e.g.
10.11.12.13
A range of addresses is defined by a bitmask
called a netmask that selects which bits are
network and which are host addresses
RFC1918 addresses 10.x.x.x, 172.0-31.x.x and
192.168.x.xare reusable in private networks
Other addresses are allocated by regional
registries
Allocation within regions is to companies and
organisations and may cross national boundaries
IP routing is step by step based on destination
address
a default route is used to keep routing tables
small
routes are summarised at higher layers in the
network
routing is done separately for each packet
successive packets in a flow dont necessarily go
the same way
packets propagate up the network hierarchy
until they reach an interconnection point between
providers and then down into the other
providers network
The global IP network is structured on network
provider rather than geographic boundaries
Domain Name Service (DNS) provides name to
address mappings (and address to name reverse
mappings).
DNS is largely independent of address allocation
One address can have multiple names mapped to it
Only one valid reverse mapping per address
DNS mapping for an address is optional
Different domains have different commercial or
nonprofit registrars

32
TCP UDP and ICMP

The Internet uses 3 main network layer
protocols above IP to carry different types of
traffic
TCP Transmission Control Protocol
reliable session-oriented protocol with
acknowledgement and go-back-N automatic
retransmission if lost data segments
used for terminal sessions and data transfer
UDP User Datagram Protocol
send and forget datagram protocol used for time
critical data and notifications that can fit one
packet
widely used for voice and video and for DNS
ICMP Internet Control Message Protocol
send and forget datagram protocol used for
control and diagnostic messages
provides echo, trace and notification of various
delivery failures

33
Ports Sockets

To allow multiple connections between the same
computers sub-addresses called ports are used.
There are 65536 ports each for TCP and UDP
The port number is part of the TCP or UDP header
following the IP header
Ports are associated with specific programs and
sessions on end computers
Server applications listen for connections on
well known destination ports
Client applications use random source ports
The full and description of a connection is a
socket comprising
protocol (TCP or UDP)
source IP
source port
destination IP
destination port

34
Well Known Ports

TCP
20/21 FTP
22 Secure Shell (SSH)
23 TELNET
25 SMTP mail sending
80 HTTP
POP3 mail reading
IMAP4 mail reading
137 MS NETBIOS names
139 MS NETBIOS session
443 HTTPS
3389 Microsoft RDP
8080 Alternate HTTP

UDP
DNS
BOOTP server
BOOTP client
TFTP trivial file transfer protocol
123 Network Time Protocol (NTP)
514 SYSLOG

35
Software Firewalls

Linux and Windows have software firewalls
Microsoft Windows Firewall or (Win2003) IPSEC
Filters
Linux IPTables and IPChains
Not true firewalls really only modifications to
the network I/O driver to provide simple traffic
filtering
These block or restrict incoming traffic based on
source and destination IP Address and/or port
number so as to hide network services that are
needed locally but should not be shared
3rd-party Windows firewalls (eg ZoneAlarm, Sygate
and Norton) can prevent applications accessing
the network outbound until you have permitted
them to do so
Microsoft Windows Firewall has a simple fixed
configuration that permits anything outbound and
replies inbound
3rd. Party Windows firewalls start with a Block
Everything policy and are generally configured
by learning they ask what to do each time they
see anything new
Linux IPTables is configured by user-written
files

Application
Server
Firewall
Original Driver
LAN
36
Firewalls and Routers
THE INTERNET

Firewalls and routers connect two networks
Firewalls inspect traffic passing through and
understand application protocol
Routers inspect individual packets and dont
understand connection state

Permit OnlyReplies IN
Router orFirewall
Permit Any OUT
Local LAN
Local Computers
37
Firewalls vs Routers

Firewalls
based on general purpose microprocessors
aware of application sessions
can implement complex rules
Usually have graphical management interface
10-1000Mbits/s throughput
include basic IP routing functions
Routers
based on custom silicon in large part
process packets individually
Usually have text configuration file
better at implementing simple rules on fast links
better at complex IP routing protocols
10Mbits/s to 10GBits/s throughput

38
Router ACL process
Packet In
Permit
Permit
Permit
Rule 2
Rule 1
Rule N
Packet Out
Deny
Deny
DISCARD
Default DISCARD
DISCARD
LOG
LOG

Note
This process is completely stateless (per-packet)
Normally packets that reach the default-deny are
not logged
Performance is improved by putting frequently hit
rules first

39
Router Access List

interface atm 0
description outside adsl line
ip address 1.1.1.1 255.255.255.252
ip access-group 101 in
ip access-group 102 out
access-list 101 remark INCOMING TRAFFIC
access-list 101 permit icmp any host 1.1.1.1 eq
echo-reply
access-list 101 permit icmp any host 1.1.1.1 eq
unreachable
access-list 101 permit icmp any host 1.1.1.1 eq
ttl-exceeded
access-list 101 permit tcp any host 1.1.1.1
established
access-list 101 remark DNS Name Servers
access-list 101 permit udp host 2.2.2.2 eq 53
host 1.1.1.1
access-list 101 permit udp host 2.2.2.3 eq 53
host 1.1.1.1
access-list 101 remark NTP server
access-list 101 permit udp host 2.2.2.4 eq 123
host 1.1.1.1
access-list 101 deny ip any any log-input
access-list 102 remark OUTGOING TRAFFIC
access-list 102 permit icmp host 1.1.1.1 any
access-list 102 permit tcp host 1.1.1.1 any eq 80

40
Firewall Inspection
From http//www.checkpoint.com/support/technical/
documents/FWOpenLook.pdf
41
Checkpoint Firewall-1 GUI
From http//www.checkpoint.com/support/technical/
documents/FWOpenLook.pdf
42
Network Address Translation
Server
THE INTERNET

Router translates inside addresses to outside as
packets pass through
Allows reuse of scarce IP addresses
Allows multiple inside users to share one outside
IP address
Prevents outside attackers reaching inside
computers directly

11.12.13.14 towww.xyz.com
Outside IP 11.12.13.14
www.xyz.com To 11.12.13.14
Router orFirewall
192.168.1.1 towww.xyz.com
Local LAN 192.168.1.0/24
www.xyz.com to192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.1
Local Computers
43
Dynamic NAT
Server
THE INTERNET

One outside IP
Multiple inside IPs
Router uses different outbound port numbers for
each connection
Router knows inside IP for reply packets based on
port used
Does not work for unsolicited inbound traffic

11.12.13.1432000 towww.xyz.com
Outside IP 11.12.13.14
www.xyz.com80 To 11.12.13.1432000
Router orFirewall
192.168.1.132000 towww.xyz.com80
Local LAN 192.168.1.0/24
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
Local Computers
44
Static NAT
Server
THE INTERNET

Each inside IP maps to one outside IP
Outside IPs are independent of router IP
Port numbers preserved through NAT
Allows incoming traffic to outside IP
Needs inbound access lists to stop unwanted
traffic getting to inside network

11.12.13.15 towww.xyz.com
Router IP 11.12.13.14
www.xyz.com To 11.12.13.15
NAT TABLE
192.168.1.1 towww.xyz.com
192.168.1.1 gt 11.12.13.15 192.168.1.2 gt
11.12.13.16 192.168.1.3 gt 11.12.13.17 192.168.1.4
gt 11.12.13.18
Local LAN 192.168.1.0/24
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
Local Computers
45
Secure Network Design
46
Secure Network Design

Interconnect Policies
NAT network
DMZ Network
Endpoint ACLs
Infrastructure ACLs
Proxies
Intrusion Detection
Virtual Private Networks

47
Interconnect Policies

You should consider what connections to permit
between your network and the outside
The template for describing a connection is as
follows
Source IP or subnet
Destination IP or subnet
Protocol (Port)
Is authentication required
Action to take (permit/deny log/not log etc)

48
Simple (Home) Policy Set
49
Issues with a simple home network interconnect
policy

Allowing any local-to-internet traffic allows
spyware to phone home
best to permit only specific ports outbound
HTTP and HTTPS to any
E-Mail and chat to trusted servers only
DNS to your ISPs servers only
Some file transfer programs generate incoming
connections
use passive FTP or SSH

50
Secure Network Design

NAT or DMZ
Network Address Translation (NAT) hides a
local network behind a single external internet
connection
A DMZ provides 2 layers of defence and is better
at blocking unwanted outbound traffic
NAT is appropriate to home and branch office
environments
A DMZ is better suited to larger sites that have
their own web and mail servers
DMZ proxies also allow mail and web traffic
monitoring and control

51
Simple NAT Network
THE INTERNET

Typical Home LAN
One Outside IP
Multiple inside IPs
Any inside PC can connect outbound
No unsolicited traffic is allowed inbound
Not well suited to local web or mail servers
Cant stop key loggers etc phoning home without
risk of blocking wanted outbound traffic.

Permit OnlyReplies IN
Router orFirewall
Permit Any OUT
Local LAN
Local Computers
52
DMZ Network
THE INTERNET

No direct external connections
All traffic is filtered by secure servers in the
DMZ
Safer and more controlled solution for large
sites
Outbound connections via web proxies in DMZ only
Inbound connections to mail/web/file servers in
DMZ only
Inside firewall permits DMZ Local traffic
only
Outside firewall permits Local DMZ traffic
only.

MailServer
WebProxy
Permit OnlyDMZ traffic IN
Outside or ScreenRouter or Firewall
DMZ LAN
Inside or ChokeRouter or Firewall
Permit onlyto DMZ
Local LAN
Local Computers
53
ENDPOINT ACLs

Control outside access to locally hosted services
block TCP/UDP ports not used
Restrict addresses allowed access to used ports
Block known bad address ranges
Minimise network services visible from outside
Tradeoff between ease of support and security
An IP with fewer visible services is less at risk
of detailed probing
Control inside to outside access according to
site policies
control employee/family internet access
block malicious software from phoning home

54
Structure of an Endpoint ACL

Block known dangerous traffic
Permit open TCP/UDP ports from any
Permit unsafe TCP/UDP ports from specific IPs
Permit ICMP echo-reply and ttl-exceeded
(if desired) permit ICMP echo and traceroute in
Block and log anything else

55
Example Endpoint ACL
The Internet
Interface atm 0 ip address 85.189.17.65
255.255.255.0 ip access-group 101 in

access-list 101 remark Internet Inbound ACL
access-list 101 remark ICMP and established
at top for efficiency
access-list 101 permit tcp any 85.189.17.64
0.0.0.7 established
access-list 101 permit icmp any 85.189.17.64
0.0.0.7 echo-reply
access-list 101 permit icmp any 85.189.17.64
0.0.0.7 unreachable
access-list 101 permit icmp any 85.189.17.64
0.0.0.7 ttl-exceeded
access-list 101 permit icmp any 85.189.17.68
0.0.0.3 echo
access-list 101 permit icmp any host 85.189.17.65
echo
access-list 101 remark Top 4 NAT IPs are
statics for server
access-list 101 permit tcp any 85.189.17.68
0.0.0.3 eq www
access-list 101 permit tcp any 85.189.17.68
0.0.0.3 eq 443
access-list 101 permit tcp any 85.189.17.68
0.0.0.3 eq smtp
etc etc etc

56
Infrastructure ACLs

Infrastructure ACLs are applied to WAN routers in
public or large private networks
These networks carry traffic between source and
destination addresses external to themselves
Nothing except management traffic should be
addressed to the routers themselves
Infrastructure ACLs block most traffic to the
routers own addresses

57
Structure of an Infrastructure ACL

Permit trusted protocols from management subnet
to infrastructure subnet
(Optionally) block traffic sourced from
infrastructure subnet at edge routers only
Block traffic from any RFC1918 source IP to any
IP
Block traffic from any IP to infrastructure
subnet

58
Infrastructure ACL example
Management LAN 123.234.100.0/24
OUR INFRASTRUCTURE NETWORK 123.234.101.0/24
SOMEPUBLICNETWORK
Some Other Network

! Infrastructure ACL applied IN on all interfaces
in transit network
! Permit management centre IPs to log in with
TELNET or SSH
access-list 120 permit tcp 123.234.100.0
0.0.0.255 123.234.101.0 0.0.0.255 eq telnet
access-list 120 permit tcp 123.234.100.0
0.0.0.255 123.234.101.0 0.0.0.255 eq ssh
! Permit ICMP echo and trace to infrastructure
IPs
access-list 120 permit icmp any 123.234.101.0
0.0.0.255 echo
access-list 120 permit icmp any 123.234.101.0
0.0.0.255 traceroute
access-list 120 permit icmp any 123.234.101.0
0.0.0.255 ttl-exceeded
! Block RFC1918 source IPs that escaped into the
internet
access-list 120 deny ip 10.0.0.0 0.255.255.255
any
access-list 120 deny ip 172.0.0.0 0.63.255.255
any
access-list 120 deny ip 192.0.0.0 0.0.0.255 any
! Block any other traffic to infrastructure
ranges
access-list 120 deny ip any 123.234.101.0
0.0.0.255

59
Proxies

Intercept outbound communications
Apply filtering rules
Block dangerous content inbound
Can be
opt in requiring browser configuration
transparent using network to redirect web
traffic through the proxy
All users appear to a web server as coming from
the proxy

60
Proxy Operation
Web Server www.xyz.com
THE INTERNET
connect to www.xyz.com GET /index.html
Access Rules
Proxy Server
Log Files
192.168.0.253
Connect to 192.168.0.253 GET http//www.xyz.com/
index.html
61
Available Proxy Solutions

Windows - Microsoft ISA Serverhttp//www.microso
ft.com/isaserver/default.mspx
UNIX/Linux squid proxyhttp//www.squid-cache.o
rg/
Self contained appliance Netapp
Netcachehttp//www.netapp.com/products/netcache/
bluecoat.html

62
Intrusion Detection

Intrusion Detection System (IDS) is a permanent
sniffer with a receive-only network connection
(tap)
IDS examines incoming traffic and raises alarms
when patterns associated with an attack or misuse
are seen
IDS works best when linked to a firewall so it
can automatically block sources of suspect traffic

63
IDS
THE INTERNET
Traffic
IDS PROBE
Router orFirewall
Signature Database
New Rules
IDSServer
Log Files
Local LAN
Local Computers
64
Other Security Devices

A Honeypot
is an unprotected computer exposed to the
internet but closely monitored
It is used to detect and examine new forms of
probing or attack
A Tar Pit
is a block of unused address space used to
monitor randomly addressed traffic in the
internet
replies to unused addresses are backscatter
from virus and worm software using those
addresses to conceal the true source of their
probe traffic
Also allows passive identification and census of
the Internet hardware population

65
Virtual Private Networks

Allow the internet to be used to carry private
data
Based on encapsulating private packets in
internet packets
Require application-layer implementations
5 main solutions
GRE Non encrypted, allows interconnection of
sites with private addresses
PPTP Microsoft to Microsoft, can be encrypted
SSL Encrypted Primarily used by mobile or
roaming clients to access a corporate LAN
simulates access to a secure web site so fairly
invisible to firewalls/routers
SSH Secure Shell Primarily a UNIX client-server
protocol but can be (mis) used to tunnel other IP
traffic over a client-server connection
IPSEC Open standard, supports two modes
Authenticated Header (AH) gives integrity and
authentication
Encapsulated Payload (ESP) gives secrecy too

66
VPN example
Corporate Application Server
VPN ROUTER
THE INTERNET
VPNTunnel
VPN ROUTER
SITE A LAN
Teleworker PC
Local Computers
67
Investigating Problems
68
Local Investigation Tools

Evidence Preservation
Norton Ghost
UNIX or Windows disk mirroring
Audit Logs
Windows Event Log or MOM
Log files in C\Windows or C\WinNT
UNIX Syslog and /var/log files
Firewall or Router logs
IDS logs

69
Remote Investigation Tools

Nslookup
Traceroute (unix) or tracert (Windows)
Whois
Port Scanners

70
NSLOOKUP

Name to Address Mapping
Address to Name Mapping

71
Traceroute

Finds path to remote host or IP
Will usually identify the attackers ISP

72
WHOIS

Provides lookup of registered domain name and IP
address owners
3 regional registries for IP addresses
RIPE (Europe)
ARIN (Americas)
APNIC (Asia/Pacific)
Registries for each domain ending
.com www.netsol.com
.co.uk www.nominet.co.uk

73
(No Transcript)
74
(No Transcript)
75
(No Transcript)
76
(No Transcript)
77
Port Scanners

Not nice to use on other people
A good thing for scanning ones own network for
security holes
I recommend NMAP which is included in many Linux
distributions

78
(No Transcript)
79
Packet Sniffers

Easiest independent check on traffic
May also spot private data and passwords in
transit
Built in to most UNIX versions
snoop in Sun Solaris
tcpdump in Linux and BSD
Freeware for Windows
ethereal
wireshark

80
WEB02 tcpdump -i eth0 -s 0 -x port 80 tcpdump
verbose output suppressed, use -v or -vv for full
protocol decode listening on eth0, link-type
EN10MB (Ethernet), capture size 65535
bytes 172837.651756 IP web02.moffatig.com.47731
gt 213.120.156.179.www S 2409488259 2409488259(0)
win 5840 ltmss 1460,sackOK,timestamp 2867567837
0,nop,wscale 0gt 0x0000 4500 003c 435e
4000 4006 c186 c0a8 0303 E..ltC_at_._at_.......
0x0010 d578 9cb3 ba73 0050 8f9d df83 0000 0000
.x...s.P........ 0x0020 a002 16d0 89b1
0000 0204 05b4 0402 080a ................
0x0030 aaeb 9cdd 0000 0000 0103 0300
............ 172840.651910 IP
web02.moffatig.com.47731 gt 213.120.156.179.www S
2409488259 2409488259(0) win 5840 ltmss
1460,sackOK,timestamp 2867570838 0,nop,wscale 0gt
0x0000 4500 003c 435f 4000 4006 c185
c0a8 0303 E..ltC__at_._at_....... 0x0010 d578
9cb3 ba73 0050 8f9d df83 0000 0000
.x...s.P........ 0x0020 a002 16d0 7df8
0000 0204 05b4 0402 080a ...............
0x0030 aaeb a896 0000 0000 0103 0300
............ 172845.603093 IP
193.113.37.9.20654 gt web02.moffatig.com.www S
2349994328234 9994328(0) win 65535 ltmss
1460,nop,wscale 0,nop,nop,timestamp 8486240 0gt
0x0000 4500 003c 12ff 0000 3406 c997 c171
2509 E..lt....4....q. 0x0010 c0a8 0303
50ae 0050 8c12 1158 0000 0000 ....P..P...X....
0x0020 a002 ffff 3498 0000 0204 05b4 0103
0300 ....4........... 0x0030 0101 080a
0081 7d60 0000 0000 ..........
81
Current Security issues

BOTNETS
Networks of hijacked PCs controlled remotely to
send SPAM or do denial-of-service attacks on a
remote system
Defeats most attempts to trace source of an
attack
Will require strict control of outbound traffic
to stop infected PCs registering with a botnet
Highly randomised SPAM mail
Difficult to get rid of by subject or keyword
filters
Distasteful or destructive content hidden in
image files or embedded URLs
Requires pattern recognition to reliably block
The world really needs mailscanners that can
interpret images

82
Further Reading

Data Protection Act 1998http//www.opsi.gov.uk/a
cts/acts1998/19980029.htmaofs
Regulation of Investigatory Powers Act 2000
http//www.opsi.gov.uk/Acts/acts2000/20000023.htm
Computer Misuse Act 1990http//www.opsi.gov.uk/a
cts/acts1990/Ukpga_19900018_en_1.htm
Regional Address Registrieshttp//www.ripe.net/
http//www.arin.net/index.shtmlhttp//www.apnic.
net
Computer Security Alerts UNIRAS (UK)
http//www.uniras.gov.uk/niscc/index-en.htmlUSCE
RT http//www.cert.org/ ISC http//isc.sans
.org/
Microsoft Baseline Security Analyserhttp//www.m
icrosoft.com/technet/security/tools/mbsahome.mspx

83
(No Transcript)
84
SUPPLEMENTARYMATERIAL
85
THE THREATS
86
The Threats

Fire
Purely a physical threat
Results in data loss, loss of money invested in
equipment, and downtime
Flood
Theft
Vandalism
Impersonation
Junk Mail

87
The Threats

Fire
Flood
Purely a physical threat
Results in data loss, loss of money invested in
equipment, and downtime
Theft
Vandalism
Impersonation
Junk Mail

88
The Threats

Fire
Flood
Theft
Has physical and electronic forms
May involve hardware, data or both
Stolen data may be hard to replace
Stolen data may facilitate other crimes (eg.
Impersonation)
Causes financial loss and loss of reputation
Vandalism
Impersonation
Junk Mail

89
The Threats

Fire
Flood
Theft
Vandalism
Has Physical and Electronic forms
May cause downtime and/or data loss
Causes financial loss and loss of reputation
Impersonation
Junk Mail

90
The Threats

Fire
Flood
Theft
Vandalism
Impersonation
Primarily an electronic threat
Leads to financial loss and loss of reputation
Junk Mail

91
The Threats

Fire
Flood
Theft
Vandalism
Impersonation
Junk Mail
Used to be mostly a waste of time and bandwidth
Now a carrier for malicious software

92
Malicious Software
93
Malicious Software

Trojans
Programs that claim to do one thing but actually
do something unwanted
Need to be loaded and run by an authorised user
of the system
Limited to the access rights of that user
Often used as a loader for rootkits or spyware
Nowadays usually downloaded by a misleading/bogus
website or a link in SPAM email messages
Viruses
Worms
Exploits and Rootkits
Spyware
Password Capture or Phishing

94
Malicious Software

Trojans
Viruses
Self replicating programs
May just install a replicator on an infected
machine or deliver a payload program to do its
makers work on your PC
Payload may be destructive or spyware
Historically spread using infected DOS floppy
disks
Nowadays found as macros in documents or
downloadable programs
Worms
Exploits and Rootkits
Spyware
Password Capture or Phishing

95
Malicious Software

Trojans
Viruses
Worms
Self-replicating programs that spread from
machine to machine over a network
May carry destructive or spyware payloads
Rely on vulnerable network services to infect new
victims
Common in UNIX systems in 1980s, nowadays more
common in Windows environments
Exploits and Rootkits
Spyware
Password Capture or Phishing

96
Malicious Software

Trojans
Viruses
Worms
Exploits and Rootkits
Exploits are bugs in an operating system that
allow a local or remote user to get admin-level
access
Hackers exploit these bugs to write programs
that install a permanent remote access kit which
gives them access to a compromised system
The remote access kit gives them root (UNIX) or
administrator (Windows) access and hides itself
from normal operating system file and process
lists
Spyware
Password Capture or Phishing

97
Malicious Software

Trojans
Viruses
Worms
Exploits and Rootkits
Spyware
Usually installed by a trojan or worm
May log key strokes or URLs visited
Originally an unethical form of market research
Now used by organised crime to steal passwords
Password Capture or Phishing

98
Malicious Software

Trojans
Viruses
Worms
Exploits and Rootkits
Spyware
Password Capture or Phishing
Originally done by faking a login screen on a
mainframe terminal or by faking dial-back
Now usually a link to a web site
Purports to be an urgent message from e-bay,
paypal or a bank containing a link to click
Link text says http//some.bank.com/login.html
but underlying code says http//some.hackers.hijac
ked.server/fakelogin.html

99
Security Policies
100
Security Policies

Physical Security
Siting to avoid flood and fire risks
Locks and chains
Computer room access controls
Laptop security in transit and in use
Backups
Off site storage of backup and rebuild media
Availability of replacement hardware
User Access
Removable Media
Network Software
Network Connectivity
3rd. Party Access
Audit and Logging
Patching and Updates

101
Security Policies

Physical Security
User Access
Who has administrative access (can add users or
programs)
Password policies (length, complexity and change
period)
Identity and background checks prior to granting
access
Password reset process must prove that the real
user is asking
7x24 or restricted access hours
Separation of roles (user vs administrator)
Audit and removal of expired or unused access
Shared user accounts are dangerous (undermine
audit trail)
Users must be warned that unauthorised access is
illegal
Users must be informed of the scope and purpose
of permitted access
Users must be informed and/or trained in data
protection
Removable Media
Network Software
Network Connectivity
3rd. Party Access
Audit and Logging
Patching and Updates

102
Security Policies

Physical Security
User Access
Removable Media
How to store backups away from harm
Potentially different content/retention profiles
for archives and backups
Need to have software to read old archives and
install old backups
Need to ensure that media are still readable
after time
Consider retention period (legal and practical
constraints may apply)
Consider risk from imported media (virus etc)
How to ensure timely identification and
destruction of redundant media
Need to control introduction of new media from
outside
Network Software
Network Connectivity
3rd. Party Access
Audit and Logging
Patching and Updates

103
Security Policies

Physical Security
User Access
Removable Media
Network Software
Minimise visible network presence
Turn off unwanted network services (need mail on
web server?)
Avoid use of unsafe protocols (eg. TELNET or FTP
send unencrypted passwords)
Use safe/encrypted protocols (SSH, HTTPS)
Avoid programs or configurations that auto-open
received files
Network Connectivity
3rd. Party Access
Audit and Logging
Patching and Updates

104
Security Policies

Physical Security
User Access
Removable Media
Network Software
Network Connectivity
Firewalls are essential
Identify security domains in your network and
outside
Identify necessary connections by source,
destination and protocol between machines or
domains
Configure firewall rules to permit only these
connections
Log permitted but potentially dangerous traffic
Maintain a low profile to the internet minimise
visible network services exposed to the outside
by your firewall
3rd. Party Access
Audit and Logging
Patching and Updates

105
Security Policies

Physical Security
User Access
Removable Media
Network Software
Network Connectivity
3rd. Party Access
3rd party maintainers or outsource staff may need
remote or on site access
Ensure that work is controlled and staff are
trustworthy
Ensure that confidentiality agreements are in
place before granting access
Shut off remote access when not in use
Log or supervise support access
Review and if possible disable phone home
features for vendor support unless you are trying
to fix a problem
Test automatic updates on a sacrificial machine
before allowing network-wide deployment in your
business
Audit and Logging
Patching and Updates

106
Security Policies

Physical Security
User Access
Removable Media
Network Access
Network Connectivity
3rd. Party Access
Audit and Logging
Logs help diagnose problems and are evidence of
misuse
Excessive logs may be a security risk (eg
unencrypted data or disk full)
Should be sufficient to determine who did what
when
Should not be an easier alternative to keystroke
logging or wire tapping
Useless as an audit trail if login accounts are
shared
Must be protected from modification ideally
best sent to a dedicated server in real time over
the network using SYSLOG (Unix and Network) or
MOM (Windows)
Content and retention of logs must satisfy data
protection and privacy laws
Patching and Updates

107
Patching and Updates

Physical Security
User Access
Removable Media
Network Software
Network Connectivity
3rd. Party Access
Audit and Logging
Patching and Updates
Hackers are always finding new bugs
Software vendors are always fixing them
You must monitor vendor websites or mailing lists
Also check CERT, UNIRAS and ISC alerts frequently
If you have resources test and deploy patches in
a controlled way
If not subscribe to windows update or its Linux
counterparts
Upgrade the OS before it becomes unsupported

108
Physical Security

Separate components of large systems across
multiple sites
Clustering for high availability
Live/Standby operation for less critical system
Consider using test/development system as a cold
standby
Standby systems are only useful if data and
software are up to date
Need to rehearse failover and failback
Keep taking the backups!
Test Backup and restore process regularly
Keep all media needed to reinstall your software
Test that media are still readable from time to
time
Ensure backups are stored as securely as the live
data (or more so)
Review availability of hardware and upgrade or
buy spares when it is near end of life
Dont keep backups and live systems in the same
room (and if possible not in the same building)
Keep critical computers in a separate locked room
(which also helps with noise and dust and air
conditioning)
Dont put computers under water pipes or tanks
Dont use floor-standing computers or storage
furniture in rooms liable to flooding
Ensure that temperature and humidity are
monitored nd alarmed in computer rooms
Ensure that media stores are dry and free from
dust and insects

109
Physical Security

Separate components of large systems across
multiple sites
Keep taking the backups!
Keep critical computers in a separate locked room
(which also helps with noise and dust and air
conditioning)
Dont put computers under water pipes or tanks
Dont use floor-standing computers or storage
furniture in rooms liable to flooding
Ensure that temperature and humidity are
monitored nd alarmed in computer rooms
Ensure that media stores are dry and free from
dust and insects