Securing TCPIP Environments - PowerPoint PPT Presentation

Understand basic concepts and principles for maintaining computer and network security ... Bastion host. Boundary (or border) router. Demilitarized zone (DMZ) Firewall ... – PowerPoint PPT presentation

Slides: 48
Provided by: cnsT8

Transcript and Presenter's Notes

1
Securing TCP/IP Environments
  • Guide to TCP/IP, Third Edition
  • Chapter 9

2
Objectives
  • Understand basic concepts and principles for
    maintaining computer and network security
  • Understand the anatomy of an IP attack
  • Recognize common points of attacks inherent in
    TCP/IP architecture
  • Maintain IP security problems
  • Understand security policies and recovery plans
  • Understand security features in Windows XP
    Professional and Windows Server 2003
  • Discuss the importance of honeypots and honeynets

3
Understand Digital Security
  • Protecting a system or network means
    • Closing the door against outside attack
    • Protecting your systems, data, and applications
      from any sources of damage or harm
  • The 2005 Computer Crime Survey
    • Virus and worm infections were among the top
      problems leading to financial loss

4
Principles of IP Security
  • Physical security
    • Synonymous with controlling physical access
    • Should be carefully monitored
  • Personnel security
    • Important to formulate a security policy for your
      organization
  • System and network security includes
    • Analyzing the current software environment
    • Identifying and eliminating potential points of
      exposure

5
Understanding Typical IP Attacks, Exploits, and
Break-Ins
  • Basic fundamental protocols
    • Offer no built-in security controls
  • Successful attacks against TCP/IP networks and
    services rely on two powerful weapons
    • Profiling or footprinting tools
    • A working knowledge of known weaknesses or
      implementation problems

6
Terminology in Digital Security
  • An attack
    • Some kind of attempt to obtain access to
      information
  • An exploit
    • Documents a vulnerability
  • A break-in
    • Successful attempt to compromise a system's
      security

7
Key Weaknesses in TCP/IP
  • TCP/IP can be attacked; the bad guys can
    • Attempt to impersonate valid users
    • Attempt to take over existing communications
      sessions
    • Attempt to snoop inside traffic moving across the
      Internet
    • Utilize a technique known as IP spoofing

8
Common Types of IP Attacks
  • DoS attacks
  • Man-in-the-middle (MITM) attacks
  • IP service attacks
  • IP service implementation vulnerabilities
  • Insecure IP protocols and services

9
What IP Services Are Most Vulnerable?
  • Remote logon service
    • Includes Telnet remote terminal emulation
      service, as well as the Berkeley remote utilities
  • Remote control programs
    • Can pose security threats
  • Services that permit anonymous access
    • Make anonymous Web and FTP conspicuous targets

10
Holes, Back Doors, Other Illicit Points of Entry
  • Hole
    • Weak spot or known place of attack on any common
      operating system, application, or service
  • Back door
    • Undocumented and illicit point of entry into an
      operating system or application
  • Vulnerability
    • Weakness that can be accidentally triggered or
      intentionally exploited

11
Anatomy of IP Attacks
  • IP attacks typically follow a set pattern
    • Reconnaissance or discovery process
    • Attacker focuses on the attack itself
    • Stealthy attacker may cover his or her tracks by
      deleting log files, or terminating any active
      direct connections

12
Reconnaissance and Discovery Processes
  • PING sweep
    • Can identify active hosts on an IP network
  • Port probe
    • Detects UDP- and TCP-based services running on a
      host
  • Purpose of reconnaissance
    • To find out what you have and what is vulnerable

13
Reconnaissance and Discovery Processes (continued)
  • The attack
    • May encompass a brute force attack process that
      overwhelms a victim
  • Computer forensics
    • May be necessary to identify traces from an
      attacker winding his or her way through a system

14
Common IP Points of Attack
  • Virus
    • Any self-replicating program that works for its
      own purposes
  • Classes
    • File infectors
    • System or boot-record infectors
    • Macro viruses

15
Worms
  • A kind of virus that eschews most activity except
    as it relates to self-replication
  • MSBlaster worm
    • Unleashed in August 2003
    • Exploited the RPC DCOM buffer overflow
      vulnerability in Microsoft Windows
  • Hex reader
    • Look inside suspect files without launching them

16
Trojan Horse Programs
  • Masquerade as innocuous or built-to-purpose
    programs
  • Conceal abilities that permit others to take over
    and operate unprotected systems remotely
  • Must be installed on a computer system to run
  • Back Orifice
    • Example of a Trojan horse program

17
Denial of Service Attacks
  • Designed to interrupt or completely disrupt
    operations of a network device
  • SYN Flood attack
    • Uses the three-way TCP handshake process to
      overload a device on a network
  • Broadcast amplification attack
    • Malicious host crafts and sends ICMP Echo
      Requests to a broadcast address
  • Windows 2000 UPnP DoS attack
    • Specially crafted request packet is sent that
      causes services.exe to exhaust all virtual memory
      resources
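A SYN flood shows up on the server as SYNs whose three-way handshake never completes. The following is an added detection example, not code from the textbook or slides; the packet events, addresses, and thresholds are constructed and assumed.

```python
# Added example (not from the slides): detect a SYN flood by counting
# half-open TCP connections per source. A flood leaves SYNs whose handshake
# never completes, so the count for the flooding source keeps growing while
# normal clients finish with an ACK. Packet events below are constructed.
from collections import defaultdict

# (time_s, src, dst, sport, dport, flag) as seen at the server -- constructed
EVENTS = [
    (0.0, "192.0.2.50", "192.0.2.10", 40001, 80, "SYN"),
    (0.2, "192.0.2.50", "192.0.2.10", 40001, 80, "ACK"),   # handshake done
] + [
    # 40 SYNs from one source, each from a new port, never acknowledged
    (1.0 + i * 0.01, "203.0.113.9", "192.0.2.10", 50000 + i, 80, "SYN")
    for i in range(40)
]

def half_open_by_source(events, now, min_age=0.5):
    """Return {client_ip: count} of connections whose SYN arrived at least
    min_age seconds before 'now' and was never followed by the client's ACK.
    A real handshake completes within milliseconds, so such SYNs are stuck."""
    pending = {}   # (client, server, sport, dport) -> time of SYN
    for t, src, dst, sport, dport, flag in events:
        key = (src, dst, sport, dport)
        if flag == "SYN":
            pending[key] = t
        elif flag in ("ACK", "RST"):
            pending.pop(key, None)     # third step done, or client aborted
    counts = defaultdict(int)
    for (client, _server, _sport, _dport), t in pending.items():
        if now - t >= min_age:
            counts[client] += 1
    return dict(counts)

def syn_flood_sources(events, now, threshold=20):
    """Sources with at least 'threshold' stuck half-open connections."""
    return sorted(src for src, n in half_open_by_source(events, now).items()
                  if n >= threshold)

if __name__ == "__main__":
    print(syn_flood_sources(EVENTS, now=2.0))   # ['203.0.113.9']
```

The same counter run against a live capture would need the server's own SYN-ACKs and RSTs folded in; here only the client side of the handshake is tracked.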

18
Distributed Denial of Service Attacks
  • DoS attacks launched from numerous devices
  • DDoS attacks consist of four main elements
    • Attacker
    • Handler
    • Agent
    • Victim

20
Buffer Overflows/Overruns
  • Exploit a weakness in many programs that expect
    to receive a fixed amount of input
  • Adware
    • Opens the door for a compromised machine to display
      unsolicited and unwanted advertising
  • Spyware
    • Unsolicited and unwanted software that takes up
      stealthy, unauthorized, and uninvited residence on
      a computer

21
Spoofing
  • Borrowing identity information to hide or deflect
    interest in attack activities
  • Ingress filtering
    • Applying restrictions to traffic entering a
      network
  • Egress filtering
    • Applying restrictions to traffic leaving a network
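Ingress and egress filtering at a border router are the usual defence against IP spoofing: a packet arriving from the Internet must not claim an internal source, and a packet leaving must carry one. This is an added example, not code from the textbook or slides; the internal prefix, the bogon list, and the sample addresses are assumptions.

```python
# Added example (not from the slides): a BCP 38-style anti-spoofing filter
# for a border router. INSIDE is the organization's own address space;
# the prefixes and sample packets used here are constructed.
import ipaddress

INSIDE = [ipaddress.ip_network("192.0.2.0/24")]   # assumed internal prefix
# Private/reserved ranges that must never be a source on the external link
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
           "192.168.0.0/16", "169.254.0.0/16")]

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def filter_packet(direction, src, dst):
    """direction: 'ingress' (from the Internet) or 'egress' (to the Internet).
    Returns ('permit' | 'deny', reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "ingress":
        if _in_any(s, INSIDE):
            return ("deny", "external packet claims an internal source")
        if _in_any(s, BOGONS):
            return ("deny", "bogon or private source on the external link")
        if not _in_any(d, INSIDE):
            return ("deny", "destination is not ours; refuse to transit")
        return ("permit", "ingress ok")
    if direction == "egress":
        if not _in_any(s, INSIDE):
            return ("deny", "outbound packet with a non-local (spoofed) source")
        return ("permit", "egress ok")
    raise ValueError("direction must be 'ingress' or 'egress'")

if __name__ == "__main__":
    print(filter_packet("ingress", "192.0.2.7", "192.0.2.10"))
    print(filter_packet("egress", "203.0.113.9", "198.51.100.1"))
```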

22
TCP Session Hijacking
  • Purpose of an attack
    • To masquerade as an authorized user to gain
      access to a system
  • Once a session is hijacked
    • The attacker can send packets to the server to
      execute commands, change passwords, or worse

23
Network Sniffing
  • One method of passive network attack
    • Based on network sniffing, or eavesdropping
      using a protocol analyzer or other sniffing
      software
  • Network analyzers available to eavesdrop on
    networks include
    • tcpdump (UNIX)
    • EtherPeek (Windows)
    • Network Monitor (Windows)
    • AiroPeekWireless (Windows)
    • Ethereal for Windows

24
Maintaining IP Security
  • Stay up-to-date on security patches!!!
  • Microsoft security bulletins
    • May be accessed or searched through the Security
      Bulletins section at
      www.microsoft.com/security/default.mspx
    • Essential to know about security patches and
      fixes and to install them
  • Knowing which ports to block
    • Many exploits and attacks are based on common
      vulnerabilities

26
Recognizing Attack Signatures
  • Most attacks have an attack signature
    • By which they may be recognized or identified
  • Signatures may be used to
    • Implement IDS devices
    • Can be configured as network analyzer filters as
      well
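The reconnaissance patterns from slide 12 (a PING sweep across many hosts, a port probe across many ports on one host) are exactly the kind of signature an IDS or analyzer filter can match. The following is an added example for both slides, not code from the textbook or slides; the connection records, addresses, and thresholds are constructed and assumed.

```python
# Added example (not from the slides): flag reconnaissance signatures in
# connection records. A PING sweep shows as one source sending ICMP echo
# requests to many hosts; a port probe shows as one source touching many
# TCP/UDP ports on one host. Records below are constructed for illustration.
from collections import defaultdict

# (timestamp, src_ip, dst_ip, proto, dst_port) -- constructed sample data
RECORDS = [
    (1, "203.0.113.9", "192.0.2.1", "icmp", 0),
    (1, "203.0.113.9", "192.0.2.2", "icmp", 0),
    (1, "203.0.113.9", "192.0.2.3", "icmp", 0),
    (2, "203.0.113.9", "192.0.2.4", "icmp", 0),
    (2, "203.0.113.9", "192.0.2.5", "icmp", 0),
    (3, "198.51.100.7", "192.0.2.10", "tcp", 21),
    (3, "198.51.100.7", "192.0.2.10", "tcp", 22),
    (3, "198.51.100.7", "192.0.2.10", "tcp", 23),
    (3, "198.51.100.7", "192.0.2.10", "tcp", 80),
    (4, "198.51.100.7", "192.0.2.10", "tcp", 443),
    (4, "198.51.100.7", "192.0.2.10", "udp", 161),
    (5, "192.0.2.50", "192.0.2.10", "tcp", 80),   # ordinary client traffic
    (6, "192.0.2.50", "192.0.2.10", "tcp", 80),
]

def find_recon(records, sweep_hosts=5, probe_ports=6):
    """Return {'ping_sweep': [src, ...], 'port_probe': [(src, dst), ...]}.
    The thresholds are assumptions; tune them to the monitored network."""
    icmp_targets = defaultdict(set)   # src -> hosts it sent echo requests to
    ports_hit = defaultdict(set)      # (src, dst) -> (proto, port) pairs touched
    for _ts, src, dst, proto, port in records:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        else:
            ports_hit[(src, dst)].add((proto, port))
    sweeps = sorted(s for s, hosts in icmp_targets.items()
                    if len(hosts) >= sweep_hosts)
    probes = sorted(k for k, ports in ports_hit.items()
                    if len(ports) >= probe_ports)
    return {"ping_sweep": sweeps, "port_probe": probes}

if __name__ == "__main__":
    print(find_recon(RECORDS))
```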

29
Using IP Security
  • RFC 2401 says the goals of IPSec are to provide
    the following kinds of security
    • Access control
    • Connectionless integrity
    • Data origin authentication
    • Protection against replays
    • Confidentiality
    • Limited traffic flow confidentiality
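Of the RFC 2401 goals, protection against replays is the one with a concrete receiver-side algorithm: a sliding window over the AH/ESP sequence number that rejects packets already seen or older than the window. The following is an added example of that window, not code from the textbook or slides; the window size and the sequence of test packets are assumptions.

```python
# Added example (not from the slides): the anti-replay sliding window that
# RFC 2401 (Appendix C) describes for AH/ESP receivers. Each packet carries
# a monotonically increasing sequence number; the receiver keeps the highest
# number accepted and a bitmap of which of the last W numbers have arrived.
class ReplayWindow:
    def __init__(self, size=64):
        self.size = size        # W: RFC 2401 requires at least 32, default 64
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (highest - i) already received

    def check(self, seq):
        """Return True if seq is fresh (and record it), False if it is a
        replay or lies left of the window. Sequence numbers start at 1."""
        if seq == 0:
            return False
        if seq > self.highest:
            # Right of the window: slide the window forward to seq
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            else:
                self.bitmap = 0             # everything seen so far is now too old
            self.bitmap |= 1                # mark seq itself as received
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                    # left of the window: too old
        if self.bitmap & (1 << diff):
            return False                    # already received: replay
        self.bitmap |= 1 << diff            # inside the window and new
        return True

if __name__ == "__main__":
    w = ReplayWindow()
    print([w.check(n) for n in (1, 2, 2, 5, 3, 3)])   # [True, True, False, True, True, False]
```

Out-of-order delivery inside the window (5 before 3 and 4) is accepted; only a duplicate or a packet older than W positions is dropped.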

30
Protecting Network Perimeters
  • Important devices and services used to protect
    the perimeter of networks
    • Bastion host
    • Boundary (or border) router
    • Demilitarized zone (DMZ)
    • Firewall
    • Network address translation
    • Proxy server

31
Understanding the Basics of Firewalls
  • Firewalls
    • Barrier controlling traffic flow and access
      between networks
    • Designed to inspect incoming traffic and block or
      filter traffic based on a variety of criteria
    • Normally sit astride the boundary between a public
      network and private networks inside an
      organization

32
Useful Firewall Specifics
  • Firewalls usually incorporate four major
    elements
    • Screening router functions
    • Proxy service functions
    • Stateful inspection of packet sequences and
      services
    • Virtual Private Network services
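Stateful inspection is what separates a firewall from a plain screening router: instead of judging each packet alone, it remembers which connections inside hosts opened and admits inbound segments only for those. The following is an added example of that element, not code from the textbook or slides; the internal prefix, the policy, and the sample segments are assumptions.

```python
# Added example (not from the slides): a minimal stateful packet filter, the
# "stateful inspection" element of a firewall. Policy: hosts in INSIDE may open
# TCP connections outward; an inbound segment is permitted only when it belongs
# to a connection the state table already knows. Prefix and addresses constructed.
import ipaddress

INSIDE = ipaddress.ip_network("192.0.2.0/24")   # assumed internal prefix

class StatefulFilter:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> connection state
        self.table = {}

    def handle(self, src, sport, dst, dport, flags):
        """Decide 'permit' or 'deny' for one TCP segment and update the table.
        flags is a set such as {"SYN"}, {"SYN", "ACK"}, {"ACK"} or {"RST"}."""
        outbound = ipaddress.ip_address(src) in INSIDE
        key = (src, sport, dst, dport) if outbound else (dst, dport, src, sport)
        state = self.table.get(key)
        if state is None:
            # Only an inside host sending a bare SYN may create new state
            if outbound and flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return "permit"
            return "deny"          # unsolicited inbound, or a stray segment
        if not outbound and state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"
        elif outbound and state == "SYN_RECEIVED" and "ACK" in flags:
            self.table[key] = "ESTABLISHED"
        if "RST" in flags:
            self.table.pop(key, None)   # either side aborted; forget the flow
        return "permit"

if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.handle("198.51.100.7", 40000, "192.0.2.10", 80, {"SYN"}))   # deny
    print(fw.handle("192.0.2.10", 40001, "198.51.100.7", 80, {"SYN"}))   # permit
```

Graceful FIN teardown and idle timeouts are omitted; a production filter ages entries out of the table so it cannot grow without bound.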

33
Commercial Firewall Features
  • Address translation/privacy services
  • Specific filtering mechanisms
  • Alarms and alerts
  • Logs and reports
  • Transparency
  • Intrusion detection systems (IDSs)
  • Management controls

34
Understanding the Basics of Proxy Servers
  • Proxy servers
    • Can perform reverse proxying to expose a service
      inside a network to outside users, as if it
      resides on the proxy server itself
  • Caching
    • An important proxy behavior
  • Cache
    • Potentially valuable location for a system attack

35
Planning and Implementing, Step by Step
  • Useful steps when planning and implementing
    firewalls and proxy servers
    • Plan
    • Establish requirements
    • Install
    • Configure
    • Test
    • Attack
    • Tune
    • Implement
    • Monitor and maintain

36
Understanding the Test-Attack-Tune Cycle
  • Attack tools
    • McAfee CyberCop ASaP
    • GNU NetTools
    • A port mapper such as AnalogX PortMapper
    • Internet Security Systems' various security
      scanners

37
Understanding the Role of IDS and IPS in IP
Security
  • Intrusion detection systems
    • Make it easier to automate recognizing and
      responding to potential attacks
  • Increasingly, firewalls include
    • Hooks to allow them to interact with IDSs, or
      include their own built-in IDS capabilities
  • IPSs make access control decisions on the basis
    of application content

38
Updating Anti-Virus Engines and Virus Lists
  • Because of the frequency of introduction of new
    viruses, worms, and Trojans
    • Essential to update anti-virus engine software
      and virus definitions on a regular basis
  • Anti-virus protection
    • Key ingredient in any security policy

40
The Security Update Process
  • Evaluate the vulnerability
  • Retrieve the update
  • Test the update
  • Deploy the update

41
Understanding Security Policies and Recovery Plans
  • Security policy
    • Document that reflects an organization's
      understanding of
      • What information assets and other resources need
        protection
      • How they are to be protected
      • How they must be maintained under normal
        operating circumstances

42
Understanding Security Policies and Recovery Plans
(continued)
  • RFC 2196 lists the following documents as
    components of a good security policy
    • An access policy document
    • An accountability policy document
    • A privacy policy document
    • A violations reporting policy document
    • An authentication policy document
    • An information technology system and network
      maintenance policy document

43
Windows XP and Windows Server 2003
  • Features that should help maintain tighter
    security
    • Kerberos version 5
    • Public Key Infrastructure (PKI)
    • Directory Service Account Management
    • CryptoAPI
    • Encrypting File System (EFS)
    • Secure Channel Security protocols (SSL 3.0/PCT)

44
Honeypots and Honeynets
  • Honeypot
    • Computer system deliberately set up to entice and
      trap attackers
  • Honeynet
    • Broadens the honeypot concept from a single system to
      what looks like a network of such systems

45
Summary
  • An attack
    • An attempt to compromise the privacy and
      integrity of an organization's information assets
  • In its original form, TCP/IP implemented an
    optimistic security model
  • Basic principles of IP security
    • Include avoiding unnecessary exposure by blocking
      all unused ports
  • Necessary to protect systems and networks from
    malicious code
    • Such as viruses, worms, and Trojan horses

46
Summary (continued)
  • Would-be attackers
    • Usually engage in a well-understood sequence of
      activities, called reconnaissance and discovery
  • Maintaining system and network security involves
    constant activity that must include
    • Keeping up with security news and information
    • Keeping operating systems secure in the face of
      new vulnerabilities
  • A necessary and ongoing process

47
Summary (continued)
  • When establishing a secure network perimeter
    • It is essential to repeat the test-attack-tune
      cycle
  • To create a strong foundation for system and
    network security, formulate policy that
    incorporates
    • Processes, procedures, and rules regarding
      physical and personnel security issues
  • Windows XP and Windows Server 2003 include
    • Notable security improvements and enhancements as
      compared to other Windows versions