Guide To TCPIP, Second Edition - PowerPoint PPT Presentation

Slides: 53
Provided by: billb98

Transcript and Presenter's Notes

1
Guide To TCP/IP, Second Edition
  • Chapter 9
  • Securing TCP/IP Environments

2
Topics
  • Basic concepts and principles of network security
  • The 3 components of an IP attack
      • reconnaissance and discovery process
      • the attack
      • the cover-up
  • Common and well-known points of attack in the
    TCP/IP architecture
  • TCP/IP attack forms

3
Topics Continued
  • Identifying, addressing, fixing, and maintaining
    IP security problems
  • Security policies and recovery plans
  • New and improved security features in Windows XP
    Pro and Server 2003

4
Understanding Computer and Network Security
  • Principles of IP Security: 3 areas of concern
      • Physical security
      • Personal security
      • System and network security
  • Analyzing the current software environment
  • Identifying and eliminating potential points of
    exposure
  • Closing well-known back doors
  • Preventing documented exploits

5
Principles of IP Security
  • Specific recommendations
      • Avoid unnecessary exposure
      • Block all unused ports (use a port scanner)
      • Prevent internal address spoofing
      • Filter out all unwanted addresses
      • Exclude access by default, include by exception
      • Restrict outside access to compromisable hosts
      • Do unto yourself before others do unto you
        (perform regular attacks on your system)

6
Typical IP Attacks, Exploits, and Break-ins
  • IP and TCP or UDP offer no built-in security
    controls
  • Successful hacker attacks rely on two weapons
      • Profiling or footprinting tools
      • Working knowledge of known weaknesses or
        implementation problems

7
Key Terminology in Network and Computer Security
  • Attack
      • represents an attempt to
          • obtain access to information
          • damage or destroy such information
          • otherwise compromise system security or
            usability
  • Exploit
      • documents a vulnerability
  • Break-in
      • refers to a successful attempt to compromise a
        system's security
      • may not be reported publicly

8
Key Weaknesses in TCP/IP
  • TCP/IP
      • was originally designed around an optimistic
        security model
      • uses well-known port addresses
  • Attackers may
      • attempt to impersonate valid users
          • by stealing valid account info
          • or by using a brute force password attack
      • hijack sessions by inserting manufactured IP
        packets that shift control
      • sniff or snoop packets
      • spoof IP addresses
      • mount a DoS attack

9
Flexibility Versus Security
  • To facilitate ease of use, TCP/IP designed
    flexibility into many protocols, such as
      • Internet Control Message Protocol (ICMP)
      • Simple Network Management Protocol (SNMP)
      • Address Resolution Protocol (ARP)
  • Interaction was facilitated at the cost of security
  • To protect systems you may need to
      • disable proxy ARP
      • manually configure MAC addresses, etc.

10
Common Types of IP-Related Attacks
  • DoS attack
  • Man-in-the-middle (MITM) attack
  • IP service attacks
      • Well-known ports
      • Anonymous logins
      • IP service implementation vulnerabilities
  • Insecure IP protocols and services

11
What IP Services Are Most Vulnerable?
  • Remote logon services
      • Telnet, rexec, rsh, rpr
  • Remote control programs
      • pcAnywhere, Carbon Copy, Timbuktu
  • Anonymous access
      • Web, FTP

12
Holes, Back Doors, and Other Illicit Points of
Entry
  • Hole: a known place of attack
  • Back door: an undocumented or illicit point of
    entry
  • Vulnerability: a weakness that can be
    accidentally triggered
  • Password crackers
      • Brute force or dictionary attack
      • Protect with password hashing
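The slide's defence against password crackers, as an added example that is not part of the deck or the textbook: per-user salted, iterated hashing (PBKDF2-SHA256 from the Python standard library), so a stolen credential table gives a dictionary attack no shortcut. The iteration count and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the slides: salted, iterated password hashing, so a
# stolen credential table forces a cracker to redo expensive work for every
# guess and every user instead of comparing against stored plain text.

ITERATIONS = 200_000  # assumption: raise until one verify takes ~100 ms on your hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt   # 16 random bytes per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                                   # malformed record
    if algo != "pbkdf2_sha256":
        return False                                   # unknown scheme: never accept
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison: no timing hint about how many bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)

def cracker_work_factor(wordlist_size: int, user_count: int) -> int:
    """PBKDF2 evaluations a dictionary attack needs against the table:
    per-user salts stop one computation being reused across users."""
    return wordlist_size * user_count * ITERATIONS

if __name__ == "__main__":
    record = hash_password("correct horse battery")     # constructed sample
    print(record)
    print(verify_password("correct horse battery", record),
          verify_password("wrong guess", record))
```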

13
The Anatomy of an IP Attack
  • Reconnaissance and discovery processes
      • Identify active hosts or processes
          • PING sweep
          • Port probe (e.g. nmap)
      • Identify IP addresses, operating systems,
        versions
  • The attack
      • Exploit vulnerabilities
  • The cover-up
      • Delete log files

14
Common IP Points Of Attack
  • Viruses
      • File infectors
      • System or boot-sector infectors
      • Macro viruses
  • Worms
      • Self-replicating
      • MSBlaster attack on Windows Update
  • Trojan horse programs
      • Downloaded as part of another program or game
      • Back Orifice
  • Protect with a virus protection program
      • Update daily

15
Denial of Service Attack
  • Denial of Service (DoS) attack
      • Designed to interrupt or completely disrupt
        operations of a network device
  • SYN Flood (half-open handshakes)
  • Smurf attack (ICMP echo requests with modified
    source address)
  • WinNuke attack (NetBIOS packet with Urgent flag)
  • Land.c attack (same IP for source and target)
  • Buffer overflow
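Detection logic for the four network-level DoS signatures on this slide, as an added example that is not part of the deck or the textbook. It runs over a constructed list of packet summaries (a sniffer or IDS would supply the real ones); the `Packet` shape and the half-open threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not from the slides: flag the DoS signatures the slide names
# in a constructed list of packet summaries.

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp" or "icmp"
    flags: str = ""           # TCP flags, e.g. "S" (SYN), "A" (ACK), "U" (URG)
    dport: int = 0            # TCP destination port
    dst_bcast: bool = False   # ICMP echo request aimed at a broadcast address

SYN_BACKLOG_LIMIT = 3  # assumption: half-open connections tolerated per target

def detect_dos(packets):
    """Return a sorted list of (signature, source, target) findings."""
    findings = set()
    half_open = defaultdict(set)  # target -> sources that sent SYN but never ACKed
    for p in packets:
        if p.src == p.dst:                               # Land.c: same src and dst
            findings.add(("land", p.src, p.dst))
        if p.proto == "icmp" and p.dst_bcast:            # Smurf: echo to broadcast
            findings.add(("smurf", p.src, p.dst))
        if p.proto == "tcp":
            if p.dport == 139 and "U" in p.flags:        # WinNuke: NetBIOS + URG
                findings.add(("winnuke", p.src, p.dst))
            if p.flags == "S":
                half_open[p.dst].add(p.src)
            elif "A" in p.flags:
                half_open[p.dst].discard(p.src)          # handshake completed
    for dst, srcs in half_open.items():                  # SYN flood: many half-open
        if len(srcs) > SYN_BACKLOG_LIMIT:
            findings.add(("syn_flood", f"{len(srcs)} sources", dst))
    return sorted(findings)

# Constructed sample traffic (documentation address ranges, not real hosts)
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.5", "tcp", "S", 80),                    # Land
    Packet("192.0.2.9", "10.0.0.255", "icmp", dst_bcast=True),         # Smurf
    Packet("192.0.2.3", "10.0.0.20", "tcp", "PU", 139),                # WinNuke
    Packet("10.0.0.7", "10.0.0.20", "tcp", "S", 80),                   # normal client
    Packet("10.0.0.7", "10.0.0.20", "tcp", "A", 80),                   # ...completes
] + [Packet(f"198.51.100.{i}", "10.0.0.20", "tcp", "S", 80) for i in range(1, 6)]

if __name__ == "__main__":
    for finding in detect_dos(SAMPLE):
        print(*finding)
```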

16
Example of DoS Attack
17
Distributed Denial of Service Attack
  • Distributed Denial of Service (DDoS) attack
      • Launched from numerous devices
      • Consists of four elements
          • Attacker
          • Handler
          • Agent
          • Victim

18
Common IP Points Of Attack (cont.)
19
Other Common IP Points Of Attack
  • Buffer overflows/overruns
      • Not related to TCP/IP
      • Exploit a weakness in a program
  • Spoofing
      • Protect against it by using
          • Ingress filtering
          • Egress filtering
  • TCP session hijacking
  • Network sniffing

20
Example Plain Text displayed by Analysis of FTP
Session
21
Maintaining IP Security
  • Apply security patches and fixes to
      • Operating system faults
      • Security holes
  • Microsoft security bulletins
      • www.microsoft.com/security

22
Knowing Which Ports To Block
23
Attack Signatures and Encryption
  • See Table 9-2 for a partial list of port numbers
    that are used for Trojan horse attacks
  • Using IP Security (IPSec)
      • Cryptographic security services
          • Support explicit and strong authentication
          • Integrity and access controls
          • Confidentiality of IP datagrams
      • Authentication Header (AH), Encapsulating
        Security Payload (ESP)

24
Protecting the Perimeter of the Network
  • Important devices and services to help protect
    the perimeter of your networks
      • Bastion host
      • Boundary (or border) router
      • Demilitarized zone (DMZ)
      • Firewall
      • Network address translation (NAT)
      • Proxy server
      • Screening host
      • Screening router

25
Understanding the Basics of Firewalls
  • Control traffic flow and network access
      • Inspect incoming traffic
      • Block or filter traffic
  • Placed at network boundaries or organizational
    boundaries
  • Physical or software
  • Firewalls' basic security functions
      • Address filtering
      • Proxy services
      • Network address translation

26
Useful Firewall Specifics
  • Four major elements
      • Screening router functions
          • Domain name, IP address, port address, message
            type
      • Proxy service functions
      • Stateful inspection of packet sequences and
        services
      • Virtual Private Network services
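The screening-router functions above, the ingress/egress filtering from slide 19 and the "exclude by default, include by exception" rule from slide 5, combined in one decision function, as an added example that is not part of the deck or the textbook. The address space, the bogon list and the exception table are constructed placeholders.

```python
import ipaddress

# Added example, not from the slides: a screening-router decision function that
# (1) drops spoofed sources at the border (ingress/egress filtering) and
# (2) denies everything else by default, admitting only listed exceptions.

INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumption: our address space
BOGONS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8")]
# Exceptions to the default deny: (direction, destination host or None for any, port)
ALLOW = {
    ("in", "10.1.1.10", 80),    # public web server in the DMZ (constructed)
    ("in", "10.1.1.11", 25),    # inbound mail relay (constructed)
    ("out", None, 80),          # any inside host may browse the web
    ("out", None, 443),
}

def filter_packet(direction: str, src: str, dst: str, dport: int):
    """Return (verdict, reason) for a packet crossing the border router.
    direction is "in" (arriving from outside) or "out" (leaving the inside)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Ingress filter: a packet from outside must not claim an inside or bogon source
    if direction == "in" and (s in INTERNAL or any(s in b for b in BOGONS)):
        return ("drop", "ingress: outside packet with inside/bogon source")
    # Egress filter: a packet leaving must carry one of our own addresses,
    # so our hosts cannot be used to spoof addresses against others
    if direction == "out" and s not in INTERNAL:
        return ("drop", "egress: inside packet with foreign source")
    # Default deny; include only by explicit exception
    if (direction, str(d), dport) in ALLOW or (direction, None, dport) in ALLOW:
        return ("accept", "matched exception")
    return ("drop", "default deny")

if __name__ == "__main__":
    # constructed sample packets: (direction, src, dst, dport)
    for pkt in [("in", "198.51.100.4", "10.1.1.10", 80),
                ("in", "10.0.0.5", "10.1.1.10", 80),
                ("in", "198.51.100.4", "10.1.1.10", 23),
                ("out", "10.2.3.4", "198.51.100.4", 443),
                ("out", "192.0.2.1", "198.51.100.4", 443)]:
        print(pkt, "->", filter_packet(*pkt))
```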

27
Commercial Firewall Features
  • Additional features and functions in some, but
    not necessarily all, firewalls
      • Address translation/privacy services
      • Specific filtering mechanisms
      • Alarms and alerts
      • Logs and reports
      • Transparency
      • Intrusion detection system (IDS)
      • Management controls

28
Understanding the Basics of Proxy Servers
  • Sit between both outgoing and incoming service
    requests
  • Prevent external users from direct access to
    internal resources
  • Operate at the Application layer
  • Caching

29
Implementing Firewalls and Proxy Servers
  • Security policy extremes
      • anything goes (totally optimistic)
      • no connection (totally pessimistic)
  • No protection may make your system a launching
    point for DoS
  • Total lockdown includes disabling removable media

30
Implementation Steps
  • Plan
  • Establish requirements
  • Install
  • Configure
  • Test
  • Attack
  • Tune
  • Repeat the test-attack-tune cycle (Steps 5-7:
    Test, Attack, Tune)
  • Implement
  • Monitor and Maintain

31
Implementing Firewalls and Proxy Servers Warning
  • Never implement a firewall or proxy server
    without checking for additional changes, updates,
    patches, fixes, and workarounds

32
Understanding the Test-Attack-Tune Cycle
  • Harden the firewall or proxy server
  • Document the configuration
  • Do not disable functionality that applications
    and services use to work properly
  • Battery of attack tools to test the network,
    available from
      • Network Associates
      • GNU NetTools
      • A port mapper such as AnalogX PortMapper or nmap
      • Internet Security Systems' various security
        scanners

33
Understanding the Role of IDS in IP Security
  • Automates recognition of and response to potential
    attacks and other suspicious forms of network
    traffic
  • Recognizes intrusion attempts in real time

34
Updating Anti-Virus Engines and Virus Lists
  • Update anti-virus engine software and virus
    definitions on a regular basis
  • Automatic update facilities
  • Transparently and automatically check
      • E-mail attachments
      • Inbound file transfers
      • Floppy disks and other media
      • Other potential sources of infection

35
The Security Update Process
  • Security update process involves four steps
      • Evaluate the vulnerability
      • Retrieve the update
      • Test the update
      • Deploy the update

36
Understanding Security Policies And Recovery Plans
  • A security policy is a document that
      • Reflects an organization's understanding of what
        information assets and other resources need
        protection
      • States how they are to be protected
      • States how they must be maintained under normal
        operating circumstances
      • States how they are restored in the face of
        compromise or loss

37
Components of a good security policy
  • An access policy document
  • An accountability policy document
  • A privacy policy document
  • A violations reporting policy document
  • An authentication policy document
  • An information technology system and network
    maintenance policy document

38
Sample Incident Response and Recovery Document
  • See pages 430-431 in your text

39
Sources for Security Policy Information
  • SANS Institute
  • The Software Engineering Institute (SEI) at
    Carnegie Mellon University, funded by the
    Department of Defense
  • Murdoch University's Office of Information
    Technology Services

40
Windows XP And 2003 Another Generation Of
Network Security
  • Numerous security enhancements and improvements
      • Kerberos version 5
      • Public Key Infrastructure (PKI)
      • Directory Service Account Management
      • CryptoAPI
      • Encrypting File System (EFS)
      • Secure Channel Security protocols (SSL 3.0/PCT)
      • Transport Layer Security (TLS) protocol

41
Windows XP And 2003 Another Generation Of
Network Security (cont.)
  • Numerous security enhancements and improvements
    (cont.)
      • Internet Security Framework
      • Network Access Control
      • Blank Password Restriction
      • Internet Connection Firewall
      • Internet Connection Sharing
      • Default Lock-Down

42
Chapter Summary
  • In security terms, an attack represents an
    attempt to break into or otherwise compromise the
    privacy and integrity of an organization's
    information assets
  • An exploit documents a vulnerability, whereas a
    break-in is usually the result of a successful
    attack

43
Chapter Summary (cont.)
  • In its original form, TCP/IP implemented an
    optimistic security model, wherein little or no
    protection was built into its protocols and
    services
  • Recent improvements, enhancements, and updates to
    TCP/IP include many ways in which this model is
    mitigated with a more pessimistic security model
  • Unfortunately, TCP/IP remains prey to many kinds
    of attacks and vulnerabilities, including denials
    of service (which may be from a single source or
    distributed across numerous sources), service
    attacks, service and implementation
    vulnerabilities, and man-in-the-middle attacks

44
Chapter Summary (cont.)
  • Basic principles of IP security include avoiding
    unnecessary exposure by blocking all unused ports
    and installing only necessary services
  • They also include judicious use of address
    filtering to block known malefactors and stymie
    address spoofing
  • We advocate adoption of a pessimistic security
    policy, wherein access is denied, by default, and
    allowed only with considered exceptions
  • Finally, it's a good idea to monitor the Internet
    for security-related news and events, especially
    exploits, and to regularly attack your own systems
    and networks

45
Chapter Summary (cont.)
  • It's necessary to protect systems and networks
    from malicious code such as viruses, worms, and
    Trojan horses
  • Such protection means using modern anti-virus
    software, which should be part of any well-built
    security policy

46
Chapter Summary (cont.)
  • Would-be attackers usually engage in a
    well-understood sequence of activities, called
    reconnaissance and discovery, as they attempt to
    footprint systems and networks, looking for
    points of attack
  • Judicious monitoring of network activity,
    especially through an IDS, can help block such
    attacks (and may even be able to identify their
    sources, if not their perpetrators)

47
Chapter Summary (cont.)
  • Maintaining system and network security involves
    constant activity that must include keeping up
    with security news and information, applying
    necessary patches, fixes, and software updates,
    and running regular security audits and self-attacks
    to maintain the required level of security

48
Chapter Summary (cont.)
  • Maintaining a secure network boundary remains a
    key ingredient for good system and network
    security
  • This usually involves the use of screening
    routers, firewalls, and proxy servers, which may
    be on separate devices, or integrated into a
    single device that straddles the network boundary
  • Some network architectures also make use of a DMZ
    between the internal and external networks, where
    services can more safely be exposed to the
    outside world, and where inside users can access
    proxy, caching, and other key services for
    external network access

49
Chapter Summary (cont.)
  • Keeping operating systems secure in the face of
    new vulnerabilities is a necessary and ongoing
    process
  • This process includes evaluation of the
    vulnerability, retrieval of the update, testing
    of the update, and deployment of the update

50
Chapter Summary (cont.)
  • When establishing a secure network perimeter,
    it's essential to repeat the test-attack-tune
    cycle while you're preparing to deploy security
    devices, until no further tuning changes are
    necessitated by the tests and attacks that precede
    them
  • This is the only method of ensuring that your
    network boundary is as secure as possible; it's
    also necessary to repeat this process as relevant
    new exploits or vulnerabilities become known

51
Chapter Summary (cont.)
  • To create a strong foundation for system and
    network security, it's necessary to formulate a
    policy that incorporates processes, procedures,
    and rules regarding physical and personnel
    security issues, as well as addressing system and
    software security issues
  • Likewise, system and software security should
    address any potential causes of loss or harm to
    information systems and assets, including
    backups, disaster recovery, and internal
    safeguards, as well as guard the network
    perimeter or boundary

52
Chapter Summary (cont.)
  • Windows XP and Windows 2003 include notable
    security improvements and enhancements as
    compared to other Windows versions
  • Especially noteworthy are Kerberos authentication
    and session security controls; PKI for secure,
    private exchange of sensitive data; blank
    password restriction; default lock-down state;
    Internet Connection Firewall (ICF); Internet
    Connection Sharing (ICS); and various new
    protocols and services, such as IP Security, EFS
    encryption, SSL, PCT, and TLS, all of which help
    to protect and secure IP-based client/server
    network traffic