Title: Security Convergence Seminar
Slide 1: Security Convergence Seminar
- Proactive Network Security Solutions: Staying One Step Ahead of the Hacker
Joseph E. Krull, CPP, CISSP, IAM, Principal, Krull Security Consulting, San Antonio, Texas, USA, www.krullsecurity.com
Slide 2: Presentation Outline
- Network Security Then and Now
- The Evolving Attack Scenario
- Network Security Trends
- Some Predictions
- New Technologies and Methods
- Some Network Security Best Practices
- Q&A
Slide 3: Network Security Circa 1997-1998 (aka The Good Old Years)
- Normal Defenses
- Simple Firewalls
- ACLs
- Desktop AntiVirus
Slide 4: Network Security 2004: Fingers in the Dike
[Diagram labels: IDS (three sensors); Local Users; Network/Event Management; Wireless Access Points; Server Farms]
Slide 5: Today's Network Security Challenges
- Network and Application Complexity
- Need For Absolute Connectivity and Reliability (24/7/365)
- Multiple Vulnerabilities in Common Software Packages (Patching)
- Time to Exploit Now Measured in Days (Or Hours)
- Fixed or Diminishing Resources
- Attack Tools Rapidly Improving
- Most Security Solutions Reactive in Nature
Slide 6: Today's Common Headaches
- Virus and Worm Propagation a Nearly Daily Occurrence
- SPAM: a Rapidly Moving Target
- DoS/DDoS Attacks Easy to Launch
- Web Based Attacks Difficult to Detect
- Internal Attacks and Abuse
- Social Engineering
- Theft of Customer and Proprietary Information
Slide 7: Network Security: Some Observations
- "In 2002, there were 4,137 software vulnerabilities discovered. On average it takes an hour to fix each exploit on each infected machine. You do the math." (Security Wire Perspectives)
- "The Code Red worm cost U.S. corporations in excess of $2.6 billion." (Computer Economics)
- "Last year it took 26 days between the discovery of the vulnerability and the release of the Blaster worm that exploited it, but last month (April 2004) it took just 36 hours between the discovery of a vulnerability in Internet Security Systems' RealSecure and BlackIce firewall software and the release of the Witty worm, which took advantage of the flaws." (Information Security Magazine)
Slide 8: Traditional Types of Attacks
- UDP Flood
- UDP flood with ICMP Back Scattering
- ICMP Flood
- Smurf Attack
- TCP Flood
- Targa Attack (Mixed Flood)
- SYN Flood
- Naptha (Connection Flood)
- Misuse of TCP Resources
- Misuse of Application Resources
- Network/Host/Application Scan
- Brute Force Attacks
- Land Attack
- Telnet Attack
- Anti Spoof
- Protocol Violation Attacks
- TCP State Machine Violations
- FTP Bounce Attack
Slide 9: Attack Predictions and Prognosis (Joe's Predictions)
- More Prevalent and Sophisticated Blended Attacks
- Constant DoS/DDoS Activity
- Automated Super Worms
- Continued Social Engineering
- More Web Based Exploits/Fraud
- Identity Fraud
- Vulnerabilities Due to Hybrid Technologies
  - VoIP, 802.11, New Devices/Platforms, etc.
Slide 10: Why Is Proactivity So Important? Case Study: SQL Slammer
Slide 11: SQL Slammer (aka Sapphire)
- Started 0530 UTC Jan 25 in Asia
- Infected 90% of Targets Worldwide Within 10 Minutes: Fastest Spreading Internet Worm
- Code Size Only 376 Bytes (404 Bytes UDP); Code Red 4KB / Nimda 60KB
- Infected Microsoft SQL and MSDE 2000 Servers; Known Vulnerability Since July 2002
- Exploited Port 1434 Open to Internet
Slide 12: Slammer/Sapphire (Continued)
- Over 200,000 Servers Infected With Resultant Denial of Service
- 55 Million Scans Per Second
- Worm Very Sophisticated With Random Number Generator and Rapidly Changing IP Addresses
- Significant Impact on E-Mail, ATMs, Airline Reservations
- Korea and USA Especially Hit
- < $1B in Lost Revenue and Clean-Up
Slide 13: Server To Server Worms
- Could Have Been Avoided By Up To Date Patching
- Properly Maintained IDS and Firewall Could Detect and Block UDP On Port 1434 Inbound / 1433 Outbound
- IPS Could Block the Worm's Scanning Activity
- More Than 150 Commercial Products Have MS SQL/MSDE Embedded (See www.sqlsecurity.com For List)
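The gateway rule and scan-blocking idea from the Slammer slides, as an added example that is not from the seminar or its author: a small Python checker over constructed flow records that flags UDP/1434 inbound and UDP/1433 outbound at the gateway, and any source that sprays UDP/1434 at several distinct hosts within one second. The internal address range, the scan threshold and the record format are assumptions.

```python
"""Slammer-style UDP/1434 detection over constructed flow records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space (placeholder)
SCAN_THRESHOLD = 4                    # distinct UDP/1434 targets per second (assumed)
SLAMMER_PKT_LEN = 404                 # 376-byte payload plus headers, as the slide notes

# Constructed records, one per line: timestamp src dst proto dport length
SAMPLE_FLOWS = """\
1043476200.10 198.51.100.7 10.0.5.20 udp 1434 404
1043476200.20 198.51.100.7 10.0.5.21 udp 1434 404
1043476200.30 198.51.100.7 10.0.5.22 udp 1434 404
1043476200.40 198.51.100.7 10.0.5.23 udp 1434 404
1043476201.00 10.0.5.20 203.0.113.9 udp 1434 404
1043476201.01 10.0.5.20 203.0.113.10 udp 1434 404
1043476201.02 10.0.5.20 203.0.113.11 udp 1434 404
1043476201.03 10.0.5.20 203.0.113.12 udp 1434 404
1043476202.00 10.0.7.8 10.0.5.20 udp 1434 120
1043476203.00 10.0.9.1 192.0.2.50 udp 1433 90
"""

def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, proto, dport, length = line.split()
    return {"ts": float(ts), "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto.lower(), "dport": int(dport), "len": int(length)}

def analyze(text):
    """Return (rule, source, detail) findings for the flow records in text."""
    findings, targets, sized = [], defaultdict(set), defaultdict(int)
    for line in text.strip().splitlines():
        f = parse_flow(line)
        if f["proto"] != "udp":          # the slide's rule is UDP-only
            continue
        if f["dport"] == 1434 and f["src"] not in INTERNAL and f["dst"] in INTERNAL:
            findings.append(("block_udp1434_inbound", str(f["src"]), str(f["dst"])))
        if f["dport"] == 1433 and f["src"] in INTERNAL and f["dst"] not in INTERNAL:
            findings.append(("block_udp1433_outbound", str(f["src"]), str(f["dst"])))
        if f["dport"] == 1434:           # scan tracking: same source, same second
            key = (f["src"], int(f["ts"]))
            targets[key].add(f["dst"])
            sized[key] += f["len"] == SLAMMER_PKT_LEN
    for (src, sec), dsts in targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            detail = f"{len(dsts)} targets in 1s, {sized[(src, sec)]} slammer-sized"
            findings.append(("udp1434_scan", str(src), detail))
    return findings
```

Calling analyze(SAMPLE_FLOWS) flags the four inbound probes, the outbound UDP/1433 flow, and both the external scanner and the already-infected internal host 10.0.5.20, while the single internal-to-internal packet raises nothing.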
Slide 14: Help Is On The Way
- Firewalls
  - Then: Policy Based
  - Now: Deep Packet Inspection and Application Aware
- Intrusion Defense
  - Then: Detection
  - Now: Prevention
- Anti-Virus and Intrusion
  - Then: Signature Based Detection
  - Now: Heuristics and Behavior
- Anti-Spam
  - Then: Black and White Lists
  - Now: Source Based Analysis
Slide 16: Defenses Rapidly Evolving
- From Servers to Dedicated Server Appliances
- Multi-Functional Security Platforms
- Less Reliance on Security Product Updates
- Links Between Patching and Vulnerabilities
- Hardened Operating Systems and Platforms
- Less Management Overhead and Simplified Use
Slide 17: Some Network Security Best Practices
- Clear Acceptable Use Policies For Employees, Consultants and Business Partners
- CEO and Management Team Buy-In For Security Programs
- IT Products and Security Solutions From Multiple Vendors
- Maximum Network Segmentation (VLANs, Remote Sites, 3rd Party Hosting, etc.)
- Blocking Vulnerable Applications at the Gateway (P2P, Chat, IM, WebMail, etc.)
- Blocking Certain File Types at the Gateway (.exe, .pif, .scr, .zip, etc.)
- Business Necessity Versus Nice to Have (VoIP, HTML Based Videoconferencing, Remote Access, etc.)
Slide 18: Network Security: A Layered Approach
[Diagram labels: WAN; Security/Event Management Plus Vulnerability Assessment; Local Users; Server Farms]
- 1st Layer
  - Gateway IPS/IDS
  - Gateway Content Filtering
  - Gateway E-Mail Protection/AntiSPAM
- Must Have
  - Organizational Firewalls
  - Desktop Antivirus
  - Desktop Protection
- 2nd Layer
  - Host Based IDS
  - Application Based IDS
Slide 19: Joseph E. Krull, CPP, CISSP, IAM, Krull Security Consulting, 17342 Fountain Bluff, San Antonio, Texas 78248, USA; www.krullsecurity.com; info@krullsecurity.com; Tel. +1 800 655-9260