Guide to TCP/IP, Third Edition Chapter 9: Securing TCP/IP Environments.
Guide to TCP/IP, Third Edition
Chapter 9: Securing TCP/IP Environments
Securing TCP/IP Environments 2
Objectives
• Understand basic concepts and principles for maintaining computer and network security
• Understand the anatomy of an IP attack
• Recognize common points of attacks inherent in TCP/IP architecture
• Understand how to maintain IP security
Objectives (continued)
• Understand security policies and recovery plans
• Understand new and improved security features in Windows XP Professional and Windows Server 2003
• Discuss the importance of honeypots and honeynets for network security
Understand Computer and Network Security
• Protecting a system or network means
– Closing the door against outside attack
– Protecting your systems, data, and applications from any source of damage or harm
• The 2005 Computer Crime Survey
– Virus and worm infections were among the top problems leading to financial loss
Principles of IP Security
• Physical security
– Synonymous with “controlling physical access”
– Should be carefully monitored
• Personnel security
– Important to formulate a security policy for your organization
• System and network security includes
– Analyzing the current software environment
– Identifying and eliminating potential points of exposure
Understanding Typical IP Attacks, Exploits, and Break-Ins
• The basic TCP/IP protocols
– Offer no built-in security controls
• Successful attacks against TCP/IP networks and services rely on two powerful weapons
– Profiling or footprinting tools
– A working knowledge of known weaknesses or implementation problems
Key Terminology in Network and Computer Security
• An attack
– Some kind of attempt to obtain access to information or resources without authorization
• An exploit
– A documented method for taking advantage of a vulnerability, often packaged as a program or script
• A break-in
– A successful attempt to compromise a system’s security
Key Weaknesses in TCP/IP
• Ways in which TCP/IP can be attacked; attackers can
– Attempt to impersonate valid users
– Attempt to take over existing communications sessions
– Attempt to snoop inside traffic moving across the Internet
– Utilize a technique known as IP spoofing (forging the source address of packets)
Common Types of IP-Related Attacks
• DoS attacks
• Man-in-the-middle (MITM) attacks
• IP service attacks
• IP service implementation vulnerabilities
• Insecure IP protocols and services
What IP Services Are Most Vulnerable?
• Remote logon services
– Include the Telnet remote terminal emulation service and the Berkeley remote utilities (rlogin, rsh, rcp), all of which send credentials and session data in cleartext
• Remote control programs
– Can pose security threats, because they expose full control of a system over the network
• Services that permit anonymous access
– Make anonymous Web and FTP servers conspicuous targets
Holes, Back Doors, and Other Illicit Points of Entry
• Hole
– Weak spot or known place of attack on any common operating system, application, or service
• Back door
– Undocumented and illicit point of entry into an operating system or application
• Vulnerability
– Weakness that can be accidentally triggered or intentionally exploited
The Anatomy of IP Attacks
• IP attacks typically follow a set pattern
– Reconnaissance or discovery process
– The attacker focuses on the attack itself
– A stealthy attacker may cover his or her tracks by deleting log files or terminating any active direct connections
Reconnaissance and Discovery Processes
• Ping sweep
– Can identify active hosts on an IP network
• Port probe
– Detects UDP- and TCP-based services running on a host
• Purpose of reconnaissance
– To find out what you have and what is vulnerable
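The port probe described on this slide, as an added example that is not part of the textbook: a TCP connect() scan that classifies each port by how the target answers the SYN. The local listener, the port range and the function names (start_listener, probe_port, probe_ports, demo) are constructed for the example so that it runs offline against 127.0.0.1; UDP probing is omitted because a closed UDP port only reveals itself through an ICMP unreachable message, which needs raw sockets.

```python
"""TCP port probe against a throwaway local listener.

Added example, not from the textbook. It performs the 'port probe' step of
reconnaissance as a TCP connect() scan: each port is classified by how the
target answers the SYN. UDP probing is left out because a closed UDP port
only reveals itself through an ICMP unreachable, which needs raw sockets.
The listener is constructed so the example runs offline against 127.0.0.1.
"""
import socket
import threading
from typing import Dict, Iterable, Tuple


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind a TCP listener on an OS-chosen port so the scan has a live target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        # Accept and close; completing the handshake is all the scanner needs.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed by the caller
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port.

    'open'     connect() completed the three-way handshake
    'closed'   the host answered with RST (ConnectionRefusedError)
    'filtered' nothing came back before the timeout; a firewall usually
               dropped the SYN, which is why a scan can look like a hang
    'error'    some other failure (host unreachable, no route, ...)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (TimeoutError, socket.timeout):
            return "filtered"
        except OSError:
            return "error"


def probe_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Run probe_port over a set of ports and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def demo() -> Tuple[int, Dict[int, str]]:
    """Scan a three-port range bracketing the listener; returns (live port, results)."""
    srv = start_listener()
    live = srv.getsockname()[1]
    try:
        results = probe_ports("127.0.0.1", [live - 1, live, live + 1])
    finally:
        srv.close()
    return live, results


if __name__ == "__main__":
    live, results = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port:<5} {state}" + ("   <- our listener" if port == live else ""))
```

A full connect() scan is noisy: every open port sees a completed handshake in its service log, which is exactly the kind of trace the "Recognizing Attack Signatures" slide later in this chapter is about. Scanners that want to stay quieter stop after the SYN/ACK, which needs raw sockets and is not shown here.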
Reconnaissance and Discovery Processes (continued)
• The attack
– May encompass a brute force attack process that overwhelms a victim
• Computer forensics
– May be necessary to identify traces from an attacker winding his or her way through a system
Common IP Points of Attack
• Virus
– Any self-replicating program that works for its own purposes
– Classes
• File infectors
• System or boot-record infectors
• Macro viruses
Worms
• A kind of virus that eschews most activity except as it relates to self-replication
• MSBlaster (Blaster) worm
– Unleashed in August 2003
– Exploited the RPC DCOM buffer overflow vulnerability in Microsoft Windows
• Hex reader
– Lets you look inside suspect files without launching them
Trojan Horse Programs
• Masquerade as innocuous or built-to-purpose programs
• Conceal abilities that permit others to take over and operate unprotected systems remotely
• Must be installed on a computer system to run
• Back Orifice – Example of a Trojan horse program
Denial of Service Attacks
• Designed to interrupt or completely disrupt operations of a network device or communications
• SYN Flood attack
– Abuses the three-way TCP handshake: the attacker sends a stream of SYNs (usually with spoofed source addresses) and never completes the handshake, so the target’s table of half-open connections fills up and legitimate connection attempts are refused
• Broadcast amplification attack
– Malicious host crafts and sends ICMP Echo Requests to a broadcast address with the victim’s address forged as the source, so every host on that segment replies to the victim
• Windows 2000 UPnP DoS attack
– Specially crafted request packet is sent that causes services.exe to exhaust all virtual memory resources
Distributed Denial of Service Attacks
• DoS attacks launched from numerous devices
• DDoS attacks consist of four main elements
– Attacker
– Handler
– Agent
– Victim
Buffer Overflows/Overruns
• Exploit a weakness in many programs that expect to receive a fixed amount of input but never check the length of what they actually receive
• Adware
– Opens the door for a compromised machine to display unsolicited and unwanted advertising
• Spyware
– Unsolicited and unwanted software that takes up stealthy, unauthorized, and uninvited residence on a computer
Spoofing
• Borrowing identity information to hide or deflect interest in attack activities
• Ingress filtering
– Applying restrictions to traffic entering a network, such as dropping packets that arrive from outside yet carry one of your own internal addresses (or another impossible address) as their source
• Egress filtering
– Applying restrictions to traffic leaving a network, such as dropping packets whose source address does not belong to your network, so that your own hosts cannot be used to launch spoofed attacks against others
TCP Session Hijacking
• Purpose of an attack
– To masquerade as an authorized user to gain access to a system, by taking over a TCP session that has already been authenticated
• Once a session is hijacked
– The attacker can send packets to the server to execute commands, change passwords, or worse
Network Sniffing
• One method of passive network attack
– Based on network “sniffing,” or eavesdropping using a protocol analyzer or other sniffing software
• Network analyzers available to eavesdrop on networks include
– tcpdump (UNIX)
– EtherPeek (Windows)
– Network Monitor (Windows)
– AiroPeek Wireless (Windows)
– Ethereal for Windows (now Wireshark)
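What an eavesdropper actually gets from the cleartext services named on the “What IP Services Are Most Vulnerable?” slide, as an added example that is not part of the textbook: a decoder for raw IPv4/TCP packets of the kind tcpdump hands over, followed by a pass that reassembles an FTP login from them. The packets are constructed inline by build_packet() (addresses, ports and the credentials are invented), so nothing here touches a real interface; checksum, build_packet, parse_packet and harvest_ftp_credentials are names chosen for the example.

```python
"""Decode captured IPv4/TCP packets and pull cleartext FTP logins out of them.

Added example, not from the textbook. tcpdump and the other analyzers
listed above hand you raw packets; this shows what an eavesdropper gets
from a protocol that sends credentials unencrypted, which is why Telnet,
the r-utilities and FTP are singled out earlier in the chapter. The
packets are constructed by build_packet() so the example runs offline;
nothing here touches a real interface.
"""
import struct
from typing import Dict, List, Optional


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used for the IP header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, seq: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 + TCP (PSH/ACK) packet carrying payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total_len = 20 + 20 + len(payload)
    # version 4, IHL 5, TOS 0, id 0x1234, DF set, TTL 64, protocol 6 (TCP), checksum 0 for now
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # data offset 5 words, flags PSH|ACK = 0x18, window 65535; TCP checksum left zero
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw: bytes) -> Optional[Dict]:
    """Return header fields and payload of a TCP packet; None for non-TCP or corrupt headers."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    if checksum(raw[:ihl]) != 0:           # a header with a valid checksum sums to zero
        return None
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    data_off = (off_res >> 4) * 4
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload": raw[ihl + data_off:total_len],
    }


def harvest_ftp_credentials(packets: List[bytes]) -> List[Dict[str, str]]:
    """Follow each FTP control flow (dst port 21) and pair its USER and PASS lines."""
    pending: Dict[tuple, str] = {}        # (client, client port, server) -> username awaiting PASS
    creds: List[Dict[str, str]] = []
    for raw in packets:
        pkt = parse_packet(raw)
        if pkt is None or pkt["dport"] != 21:
            continue
        flow = (pkt["src"], pkt["sport"], pkt["dst"])
        for line in pkt["payload"].decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending[flow] = arg
            elif cmd.upper() == "PASS" and flow in pending:
                creds.append({"client": pkt["src"], "server": pkt["dst"],
                              "user": pending.pop(flow), "password": arg})
    return creds


# Constructed capture: one FTP login split over two segments, with an HTTP request as noise.
SAMPLE_CAPTURE = [
    build_packet("10.0.0.5", "10.0.0.9", 40001, 21, 1000, b"USER alice\r\n"),
    build_packet("10.0.0.5", "10.0.0.9", 40002, 80, 2000, b"GET / HTTP/1.0\r\n\r\n"),
    build_packet("10.0.0.5", "10.0.0.9", 40001, 21, 1012, b"PASS hunter2\r\n"),
]

if __name__ == "__main__":
    for raw in SAMPLE_CAPTURE:
        p = parse_packet(raw)
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['payload']!r}")
    print("harvested:", harvest_ftp_credentials(SAMPLE_CAPTURE))
```

The same pairing logic works unchanged for a Telnet login, except that Telnet sends the password one keystroke per segment, so a real tool buffers a flow’s bytes before scanning for lines. The defence is not a better filter but an encrypted replacement (SSH for Telnet and the r-utilities, FTPS or SFTP for FTP), so that the payload the sniffer decodes is ciphertext.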
Maintaining IP Security
• Microsoft security bulletins
– May be accessed or searched through the Security Bulletins section at: www.microsoft.com/security/default.mspx
• Essential to know about security patches and fixes and to install them
• Knowing which ports to block
– Many exploits and attacks are based on common vulnerabilities in well-known services, so block every port you do not deliberately expose
Recognizing Attack Signatures
• Most attacks have an attack signature
– A recognizable pattern of packets or behavior by which they may be identified
– Signatures may be used to
• Implement IDS devices
• Configure network analyzer filters as well
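Two of this chapter’s signatures applied to constructed log lines, as an added example that is not part of the textbook: the SYN flood from the “Denial of Service Attacks” slide (many SYNs to one service, from many sources, never completed by the third handshake ACK) and the ping sweep from the reconnaissance slide (one source sending ICMP echo requests to many hosts). The line format imitates tcpdump’s default text output; the thresholds, the addresses and the function names (detect, constructed_log) are choices made for the example, and a real IDS tunes such thresholds per network.

```python
"""Attack-signature matching over tcpdump-style text, as an IDS filter would.

Added example, not from the textbook. It applies two signatures from the
chapter to constructed log lines: a SYN flood (many SYNs to one service,
from many sources, that are never completed by the third handshake ACK) and
a ping sweep (one source sending ICMP echo requests to many hosts). The
line format imitates tcpdump's default output; thresholds are illustrative
and a real IDS tunes them per network.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]")
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request")


def detect(lines: List[str], syn_threshold: int = 20, max_completion: float = 0.2,
           sweep_threshold: int = 8) -> List[str]:
    """Return one alert string per matched signature."""
    syns: Dict[str, int] = defaultdict(int)            # victim "ip:port" -> SYNs seen
    syn_sources: Dict[str, Set[str]] = defaultdict(set)
    acks: Dict[str, int] = defaultdict(int)            # victim -> bare ACKs (handshake step 3)
    echo_targets: Dict[str, Set[str]] = defaultdict(set)

    for line in lines:
        m = TCP_RE.match(line)
        if m:
            victim = f"{m['dst']}:{m['dport']}"
            if m["flags"] == "S":                      # SYN only: a client starting a handshake
                syns[victim] += 1
                syn_sources[victim].add(m["src"])
            elif m["flags"] == ".":                    # ACK only: the handshake completing
                acks[victim] += 1
            continue
        m = ICMP_RE.match(line)
        if m:
            echo_targets[m["src"]].add(m["dst"])

    alerts: List[str] = []
    for victim, n in syns.items():
        completed = acks[victim] / n
        if n >= syn_threshold and completed <= max_completion:
            alerts.append(f"SYN flood: {n} SYNs from {len(syn_sources[victim])} sources "
                          f"to {victim}, {completed:.0%} completed")
    for src, targets in echo_targets.items():
        if len(targets) >= sweep_threshold:
            alerts.append(f"ping sweep: {src} probed {len(targets)} hosts")
    return alerts


def constructed_log() -> List[str]:
    """Sample capture: one normal session, then a SYN flood, then a ping sweep."""
    lines = [
        "10:00:00.000001 IP 192.0.2.10.51000 > 10.0.0.9.80: Flags [S], seq 1, win 8192, length 0",
        "10:00:00.000100 IP 192.0.2.10.51000 > 10.0.0.9.80: Flags [.], ack 1, win 8192, length 0",
        "10:00:00.000200 IP 192.0.2.10.51000 > 10.0.0.9.80: Flags [P.], seq 1:80, ack 1, win 8192, length 79",
    ]
    # 40 SYNs from 40 different (spoofed) sources, none of them followed by an ACK.
    for i in range(40):
        lines.append(f"10:00:01.{i:06d} IP 198.51.100.{i + 1}.4{i:04d} > 10.0.0.9.80: "
                     f"Flags [S], seq {i}, win 1024, length 0")
    # One host walking a /24 with ICMP echo requests.
    for i in range(1, 11):
        lines.append(f"10:00:02.{i:06d} IP 203.0.113.4 > 10.0.0.{i}: ICMP echo request, id 7, seq {i}, length 64")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The completion ratio is what separates a flood from a busy but healthy server: a legitimate burst of SYNs is followed by a matching burst of ACKs, whereas spoofed SYNs never are, because the forged sources never see the SYN/ACK. Windowing by time (not shown) keeps a slow trickle of SYNs over a day from accumulating into a false alert.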
Using IP Security
• RFC 2401 (since superseded by RFC 4301, which keeps the same list) says the goals of IPsec are to provide the following kinds of security
– Access control
– Connectionless integrity
– Data origin authentication
– Protection against replays
– Confidentiality
– Limited traffic flow confidentiality
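How the “protection against replays” service in that list is actually delivered, as an added example that is not part of the textbook: the receiver-side sliding window that RFC 2401 Appendix C (and RFC 4303 Appendix A for ESP) describe, in which the most recent sequence numbers are tracked in a bitmap so that a packet is rejected if it has already been seen or is older than the window. The window size of 64 and the class name ReplayWindow are assumptions made for the example; the trace in replay_trace() is constructed.

```python
"""IPsec anti-replay sliding window (the 'protection against replays' service).

Added example, not from the textbook. It implements the receiver-side
check that RFC 2401 Appendix C (and RFC 4303 Appendix A for ESP) describe:
a window over the most recent sequence numbers, tracked as a bitmap, so a
packet is rejected if it is older than the window or has already been seen.
The window size of 64 is a conventional default and an assumption here, as
is the class name ReplayWindow.
"""
from typing import List


class ReplayWindow:
    """Track accepted ESP/AH sequence numbers; bit 0 of the bitmap is the newest."""

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 2401 requires a window of at least 32 packets")
        self.size = size
        self.mask = (1 << size) - 1
        self.right = 0        # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (right - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if replayed or too old.

        In a real implementation this runs only after the packet's integrity
        check passes; otherwise a forged sequence number could advance the
        window and lock out legitimate traffic.
        """
        if seq == 0:                     # sequence numbers start at 1; 0 is never valid
            return False
        if seq > self.right:             # newer than anything seen: slide the window
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1          # everything previously seen falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:          # older than the window: cannot tell, so reject
            return False
        if self.bitmap & (1 << offset):  # already received: replay
            return False
        self.bitmap |= 1 << offset       # inside the window and new: accept and record
        return True


def replay_trace(seqs: List[int]) -> List[bool]:
    """Feed a list of sequence numbers through one window and return the verdicts."""
    win = ReplayWindow()
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: in-order traffic, a replayed packet, a jump ahead,
    # a late but genuine packet, the same late packet replayed, and a stale one.
    trace = [1, 2, 3, 3, 100, 90, 90, 30]
    for seq, ok in zip(trace, replay_trace(trace)):
        print(f"seq {seq:>3}: {'accept' if ok else 'REJECT'}")
```

Two details matter in practice. The check must come after the integrity check, or an attacker who can forge a packet with a huge sequence number slides the window past all legitimate traffic. And the window must be large enough to absorb the reordering the path actually produces, which is why implementations let the size be raised well above 64 on high-speed or multi-path links.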
Protecting the Perimeter of the Network
• Important devices and services used to protect the perimeter of networks
– Bastion host
– Boundary (or border) router
– Demilitarized zone (DMZ)
– Firewall
– Network address translation
– Proxy server
Understanding the Basics of Firewalls
• Firewall
– Barrier that controls traffic flow and access between networks
– Designed to inspect incoming traffic and block or filter traffic based on a variety of criteria
– Normally sits astride the boundary between a public network and the private networks inside an organization
Useful Firewall Specifics
• Firewalls usually incorporate four major elements:
– Screening router functions
– Proxy service functions
– “Stateful inspection” of packet sequences and services
– Virtual Private Network services
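The screening and stateful-inspection elements above, together with the ingress/egress filtering from the “Spoofing” slide and the “block every port you do not expose” rule from “Maintaining IP Security”, as one added example that is not part of the textbook or of any firewall product: a toy packet filter that drops spoofed sources on both interfaces, defaults to deny, admits new inbound connections only to an explicit list of exposed services, and admits reply packets only for connections the inside opened. The prefixes (documentation ranges), the exposed-service list, the packet sequence in demo() and the names StatefulFilter and in_any are all constructed for the example.

```python
"""A toy stateful packet filter with BCP 38-style anti-spoofing rules.

Added example, not from the textbook or any firewall product. It combines
three things the chapter describes: ingress and egress filtering against
spoofed source addresses, a default-deny policy that admits only the ports
you explicitly expose (every unused port stays blocked), and stateful
inspection, which admits reply packets only for connections the inside
opened. The prefixes, the exposed-service list and the packets in demo()
are all constructed for the example (TEST-NET and documentation ranges).
"""
import ipaddress
from typing import Dict, List, Set, Tuple

INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # "our" address space
# Sources that can never legitimately arrive on the outside interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
# The only inbound services we deliberately expose; everything else is blocked.
EXPOSED_SERVICES: Set[Tuple[str, int]] = {("198.51.100.9", 80), ("198.51.100.9", 443)}

Packet = Dict[str, object]  # iface ('outside'|'inside'), src, dst, proto, sport, dport, flags


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


class StatefulFilter:
    def __init__(self) -> None:
        # Connections the inside opened, keyed as seen outbound.
        self.table: Set[Tuple[str, str, int, str, int]] = set()
        self.log: List[str] = []

    def _drop(self, pkt: Packet, why: str) -> bool:
        self.log.append(f"DROP {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} ({why})")
        return False

    def accept(self, pkt: Packet) -> bool:
        src, dst, proto = pkt["src"], pkt["dst"], pkt["proto"]
        if pkt["iface"] == "outside":
            # Ingress filtering: an outside packet may not claim an inside or bogon source.
            if in_any(src, INTERNAL_NETS) or in_any(src, BOGON_NETS):
                return self._drop(pkt, "ingress: spoofed source")
            # Stateful match: is this the reply leg of a connection we opened?
            if (proto, dst, pkt["dport"], src, pkt["sport"]) in self.table:
                return True
            # New inbound connection: only a SYN to an explicitly exposed service.
            if proto == "tcp" and pkt["flags"] == "S" and (dst, pkt["dport"]) in EXPOSED_SERVICES:
                return True
            return self._drop(pkt, "default deny")
        # Inside -> outside.
        # Egress filtering: only our own addresses may leave as source, so a
        # compromised inside host cannot take part in a spoofed (D)DoS.
        if not in_any(src, INTERNAL_NETS):
            return self._drop(pkt, "egress: source is not ours")
        self.table.add((proto, src, pkt["sport"], dst, pkt["dport"]))
        return True


def demo() -> Tuple[List[bool], List[str]]:
    """Push a constructed packet sequence through the filter; returns (verdicts, log)."""
    fw = StatefulFilter()
    pkts: List[Packet] = [
        # 1. inside client opens HTTPS to a web site: allowed, state recorded
        dict(iface="inside", src="198.51.100.23", sport=50000, dst="192.0.2.80", dport=443, proto="tcp", flags="S"),
        # 2. the SYN/ACK reply matches the state entry: allowed
        dict(iface="outside", src="192.0.2.80", sport=443, dst="198.51.100.23", dport=50000, proto="tcp", flags="S."),
        # 3. unsolicited SYN to the exposed web server: allowed by explicit rule
        dict(iface="outside", src="203.0.113.7", sport=41000, dst="198.51.100.9", dport=80, proto="tcp", flags="S"),
        # 4. unsolicited SYN to Telnet, which is not exposed: dropped
        dict(iface="outside", src="203.0.113.7", sport=41001, dst="198.51.100.9", dport=23, proto="tcp", flags="S"),
        # 5. outside packet claiming an inside source address: ingress drop
        dict(iface="outside", src="198.51.100.50", sport=41002, dst="198.51.100.9", dport=80, proto="tcp", flags="S"),
        # 6. inside host emitting a forged source (a DDoS agent): egress drop
        dict(iface="inside", src="192.0.2.200", sport=1234, dst="203.0.113.99", dport=53, proto="udp", flags=""),
        # 7. bare ACK aimed at the client's port to slip past a stateless SYN-only rule: no state, dropped
        dict(iface="outside", src="203.0.113.7", sport=41003, dst="198.51.100.23", dport=50000, proto="tcp", flags="."),
    ]
    return [fw.accept(p) for p in pkts], fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print("\n".join(log))
```

Packet 7 is the reason stateful inspection replaced the old screening-router trick of “allow any inbound packet with ACK set”: a stateless filter cannot tell a genuine reply from a forged ACK, whereas the state table can. What this toy leaves out, and a real firewall must handle, is expiring entries, tracking the handshake state rather than a single tuple, and fragment reassembly before any port-based rule is applied.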
Commercial Firewall Features
• Address translation/privacy services
• Specific filtering mechanisms
• Alarms and alerts
• Logs and reports
• Transparency
• Intrusion detection systems (IDSs)
• Management controls
Understanding the Basics of Proxy Servers
• Proxy servers
– Can perform “reverse proxying” to expose a service inside a network to outside users, as if it resides on the proxy server itself
• Caching
– An important proxy behavior
• Cache
– Potentially valuable location for a system attack, because content poisoned in the cache is served to every client behind the proxy
Planning and Implementing, Step by Step
• Useful steps when planning and implementing firewalls and proxy servers
– Plan
– Establish requirements
– Install
– Configure
– Test
– Attack
– Tune
– Implement
– Monitor and maintain
Understanding the Test-Attack-Tune Cycle
• Attack tools
– McAfee CyberCop ASaP
– GNU NetTools
– A port mapper such as AnalogX PortMapper
– Internet Security Systems’ various security scanners
Understanding the Role of IDS and IPS in IP Security
• Intrusion detection systems
– Make it easier to automate recognizing and responding to potential attacks
• Increasingly, firewalls include
– Hooks to allow them to interact with IDSs, or include their own built-in IDS capabilities
• IPSs make access control decisions on the basis of application content, not just addresses and ports
Updating Anti-Virus Engines and Virus Lists
• Because of the frequency of introduction of new viruses, worms, and Trojans
– Essential to update anti-virus engine software and virus definitions on a regular basis
• Anti-virus protection
– Key ingredient in any security policy
The Security Update Process
• Evaluate the vulnerability
• Retrieve the update
• Test the update
• Deploy the update
Understanding Security Policies and Recovery Plans
• Security policy
– Document that reflects an organization’s understanding of
• What information assets and other resources need protection
• How they are to be protected
• How they must be maintained under normal operating circumstances
Understanding Security Policies and Recovery Plans (continued)
• RFC 2196 lists the following documents as components of a good security policy
– An access policy document
– An accountability policy document
– A privacy policy document
– A violations reporting policy document
– An authentication policy document
– An information technology system and network maintenance policy document
Windows XP and Windows Server 2003: Another Generation of Network Security
• Features that should help maintain tighter security
– Kerberos version 5
– Public Key Infrastructure (PKI)
– Directory Service Account Management
– CryptoAPI
– Encrypting File System (EFS)
– Secure Channel Security protocols (SSL 3.0/PCT)
Honeypots and Honeynets
• Honeypot
– Computer system deliberately set up to entice and trap attackers; because it has no production purpose, any traffic it receives is suspect
• Honeynet
– Broadens the honeypot concept from a single system to what looks like a network of such systems
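A minimal low-interaction honeypot of the kind the slide describes, as an added example that is not part of the textbook: it listens on a port, sends a plausible service banner, keeps the first bytes each client sends and logs the event with the peer address, and is deliberately passive in that nothing a client sends is parsed or executed. The FTP banner text, the class name Honeypot and the probe sent by demo() are constructed for the example; demo() binds to 127.0.0.1 on an OS-chosen port so it runs offline.

```python
"""A minimal low-interaction TCP honeypot that records who knocks.

Added example, not from the textbook. A honeypot has no legitimate users,
so every connection to it is suspect by definition. This one listens on a
port, sends a plausible service banner, keeps the first bytes the client
sends, and logs the event with the peer address. It is deliberately
passive: nothing the client sends is parsed or executed. The FTP banner
text and the probe in demo() are constructed for the example.
"""
import socket
import threading
import time
from typing import Dict, List, Tuple


class Honeypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"220 ftp.example.internal FTP server ready\r\n") -> None:
        self.banner = banner
        self.events: List[Dict] = []
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))       # port 0: the OS picks one, handy for testing
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, peer = self._srv.accept()
            except OSError:                # listener closed
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn: socket.socket, peer: Tuple[str, int]) -> None:
        started = time.time()
        first_bytes = b""
        try:
            conn.settimeout(2.0)
            conn.sendall(self.banner)
            first_bytes = conn.recv(256)   # whatever the attacker tries first, e.g. a login
        except OSError:
            pass                           # a scanner that only completes the handshake
        finally:
            conn.close()
        with self._lock:
            self.events.append({"time": started, "peer": f"{peer[0]}:{peer[1]}", "data": first_bytes})

    def close(self) -> None:
        self._srv.close()


def demo() -> Tuple[bytes, List[Dict]]:
    """Stand up a honeypot and hit it with a constructed probe; returns (banner seen, events)."""
    pot = Honeypot()
    try:
        with socket.create_connection(("127.0.0.1", pot.port), timeout=2) as c:
            banner = c.recv(256)
            c.sendall(b"USER anonymous\r\n")
        deadline = time.time() + 2
        while not pot.events and time.time() < deadline:   # wait for the handler thread
            time.sleep(0.01)
    finally:
        pot.close()
    return banner, pot.events


if __name__ == "__main__":
    banner, events = demo()
    print("client saw:", banner)
    for e in events:
        print(f"{time.strftime('%H:%M:%S', time.localtime(e['time']))} {e['peer']} sent {e['data']!r}")
```

Because the honeypot has no real users, its log is close to noise-free, which makes it a good feed for the attack signatures discussed earlier in the chapter. Deploy it on a host and network segment you are prepared to lose, with the honeypot’s own outbound traffic filtered, so that a compromise of the decoy cannot become a foothold into the production network.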
Summary
• An attack
– An attempt to compromise the privacy and integrity of an organization’s information assets
• In its original form, TCP/IP implemented an optimistic security model
• Basic principles of IP security
– Include avoiding unnecessary exposure by blocking all unused ports
• Necessary to protect systems and networks from malicious code
– Such as viruses, worms, and Trojan horses
Summary (continued)
• Would-be attackers
– Usually engage in a well-understood sequence of activities, called reconnaissance and discovery
• Maintaining system and network security involves constant activity that must include
– Keeping up with security news and information
• Keeping operating systems secure in the face of new vulnerabilities
– A necessary and ongoing process
Summary (continued)
• When establishing a secure network perimeter
– It is essential to repeat the test-attack-tune cycle
• To create a strong foundation for system and network security, formulate policy that incorporates
– Processes, procedures, and rules regarding physical and personnel security issues
• Windows XP and Windows Server 2003 include
– Notable security improvements and enhancements as compared to other Windows versions