TCP/IP Networks Management and Security

Presented by:

David M. Litton, CPA, CISA, CGFM

Deputy Director, Audit and Management Services, Virginia Commonwealth University

May 7, 2001


5/7/2001 TCP/IP Networks Management and Security 2


Course Objectives:

• What is a TCP/IP Network?
• Common components of a TCP/IP network
• Network environment: TCP/IP protocol and associated devices functionality
• General network risks
• Specific risks and compensating controls for TCP/IP network devices
• Areas of a TCP/IP Infrastructure Audit


What is a TCP/IP Network?

• Envelope and post office concept
• Ethernet Frames
• Internet Protocol (IP) – Connectionless datagram; tries to send but not sure if it gets there
• Transmission Control Protocol (TCP)
• Alternatives to TCP: UDP and ICMP
• Ports
• Socket (Combination of port# & IP address)
• Connection (pair of sockets for a session)


Telnet and FTP connection examples (diagram)

Telnet (also HTTP, SMTP, POP3...): single control and data circuit
  Client (Ex. Win 98/2000), IP 128.172.2.30, high random port (Ex. Port #3003)
  <-> Host (Ex. Unix/Win NT Server), IP 128.172.161.139, Port 23

FTP: separate control and data circuits
  Client (Ex. Win 98/2000), IP 128.172.22.9, high random ports (Ex. Port #2987 and Port #2986)
  <-> Host (Ex. Unix/Win NT Server), IP 128.172.161.139, Port 21 (control) and Port 20 (data)
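The "envelope" idea and the socket/connection terms above can be made concrete by building one Telnet frame from the diagram's addresses and unwrapping it again. This is an added example, not code from the presentation: the client and server sockets are the diagram's (128.172.2.30:3003 to 128.172.161.139:23), while the MAC addresses, sequence numbers and payload are constructed.

```python
import struct
from ipaddress import IPv4Address

# Endpoints from the slide's Telnet diagram: client high random port -> server port 23.
CLIENT_SOCKET = ("128.172.2.30", 3003)
SERVER_SOCKET = ("128.172.161.139", 23)
CLIENT_MAC = bytes.fromhex("020000000001")  # constructed; the slide gives no MACs
SERVER_MAC = bytes.fromhex("020000000002")

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by the IP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_tcp(src, dst, payload: bytes, seq=1, ack=1, flags=0x18) -> bytes:
    """TCP segment: 20-byte header (no options); checksum covers the IP pseudo-header too."""
    hdr = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = IPv4Address(src[0]).packed + IPv4Address(dst[0]).packed
    pseudo += struct.pack("!BBH", 0, 6, len(hdr) + len(payload))  # protocol 6 = TCP
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def build_ipv4(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """IPv4 datagram: the connectionless envelope; it only carries the TCP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      64, 6, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment

def build_frame(src_mac: bytes, dst_mac: bytes, datagram: bytes) -> bytes:
    """Ethernet II frame, EtherType 0x0800 = IPv4: the slide's Enet[IP[TCP[Data]]]."""
    return dst_mac + src_mac + b"\x08\x00" + datagram

def unwrap(frame: bytes):
    """Open the envelopes again: verify both checksums, return (src socket, dst socket, data)."""
    ip = frame[14:]
    if checksum(ip[:20]) != 0:
        raise ValueError("bad IP header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    src_ip, dst_ip = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    tcp = ip[20:total_len]
    if checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) != 0:
        raise ValueError("bad TCP checksum")
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return (src_ip, src_port), (dst_ip, dst_port), tcp[20:]

def telnet_frame(data: bytes) -> bytes:
    """Client -> server Telnet data, wrapped layer by layer as the diagram shows."""
    seg = build_tcp(CLIENT_SOCKET, SERVER_SOCKET, data)
    dgram = build_ipv4(CLIENT_SOCKET[0], SERVER_SOCKET[0], seg)
    return build_frame(CLIENT_MAC, SERVER_MAC, dgram)
```

The connection is identified by the pair of sockets that `unwrap` returns; a sniffer on the path sees the Telnet payload in the clear, which is the exposure the later slides address.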




OSI Model and TCP/IP Compared

OSI Reference Model            Examples                            TCP/IP Protocol Stack
(7) Application Layer          FTP, Telnet, HTTP                   (4) Application Layer
(6) Presentation Layer
(5) Session Layer
(4) Transport Layer            TCP, UDP                            (3) Transport Layer
(3) Network Layer              IP                                  (2) Internet Layer
(2) Data Link Layer            Ethernet, Frame Relay, Token Ring   (1) Network Interface Layer
    (Logical Link; Media Access Control (MAC))
(1) Physical Layer             Twisted Pair, Fiber                 (1) Network Interface Layer


Common components of a TCP/IP network

• Cat 5 UTP wiring & fiber optics: lower layer 1
• Hubs: emphasis layer 1
• Bridges: layer 1 or lower part of layer 2 (MAC)
• Switches – some layer 1 & emphasis layer 2
• Routers – emphasis layer 3 & some layer 4
• Applications/network utilities: layers 5-7; FTP, HTTP, NFS, X-Windows, Telnet…
• Protocol Stacks: part of server/workstation O/S
• Servers - physical and logical contrasted
• Specialized IP servers: DHCP, BOOTP, DNS…


Network Environment: TCP/IP Protocol and Associated Devices Functionality


LAN/WAN Protocol Example (diagram)

Two Ethernet LANs and one Token-ring LAN (workstations, laptops, laser printers, an IBM compatible; attached through Hubs or a MAU) connect via Routers and Firewalls to a WAN (ATM, T-1, ISDN, Frame Relay, SMDS). The same TCP/IP packet is re-enveloped on each link: Enet[IP[TCP[Data]]] on Ethernet, TRing[IP[TCP[Data]]] on Token-ring, ATM[IP[TCP[Data]]] across the WAN.


General network risks

• Inconsistently applied back-up procedures for Network Equipment and Servers

• Lack of a test lab and change control procedures

• Intercepting clear text, log-on identifiers and passwords

• Staff turn-over

• Use of unauthenticated services on network hosts and pass through routers

• Lack of spoofing prevention measures

• Use of default passwords on network equipment

• Lack of password change procedures for network equipment

• Poor O/S controls on network devices


General network risks

• Improper access to restricted systems (patient information, financial records, payroll, etc.)
• Release of sensitive information
• Prolonged outages and inconsistent availability
• Lack of documentation
• Non-compartmentalized traffic
• Trojan Horses
• Lack of expertise, training, and cross-training
• Lack of restoration plans or spare parts
• Ineffective procedures
• Masquerading as another individual
• Spying, Sabotage
• Risk from easy-to-use freeware utilities
• Stolen Passwords


Specific risks and compensating controls for TCP/IP network devices


Router Risks and Controls

Risk: Inappropriate addresses or dangerous protocols accessing hosts/servers
Control: Access Control Lists – filter through router

Risk: Inappropriate addresses conducting router maintenance
Control: ACLs to restrict IP addresses to router

Risk: Unauthenticated or trusted services used for maintenance
Control: Turn off these services in router configuration, use services with stronger authentication


Router Risks and Controls

Risk: Damaged router/network device configuration
Control: Create backups of the configuration file, store on network, hard copy, and "secret" backup

Risk: Failed upgrades or changes
Control: Development and maintenance controls & "back-out" plans

Risk: Not capturing network events
Control: Turn on logging, secure the host that the logs are streaming to


Router Risks and Controls

Risk: Default passwords and clear text passwords transmitted over the network
Control: Change passwords periodically with timeouts

Risk: No console passwords
Control: Add passwords with timeouts

Risk: Community strings = PUBLIC, PRIVATE and pass network in clear text
Control: Change Community strings and use encrypted SNMP


Router Risks and Controls: Methods of Accessing Routers

• Console
• TFTP
• Telnet
• TACACS
• MOP (maintenance operation protocol by DEC for CISCO routers)
• SNMP
• R-Shell
• R-Copy
• FTP
• HTTP
• More being added, check manufacturer documentation
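The router risks on the preceding slides (default community strings, missing console password and timeouts, no logging host, unauthenticated or clear-text management services) can be turned into a repeatable configuration review. The script below is an added example, not part of the presentation; the two configurations are constructed in Cisco IOS-like syntax to illustrate the checks, and the check list is an assumption about which commands matter, not a complete hardening standard.

```python
import re

# Constructed samples in Cisco IOS-like syntax (not from the slides). WEAK_CONFIG shows the
# weaknesses the router slides list; HARDENED_CONFIG shows the corresponding controls.
WEAK_CONFIG = """\
service tcp-small-servers
ip http server
snmp-server community public RO
snmp-server community private RW
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet
"""

HARDENED_CONFIG = """\
logging host 10.1.1.5
snmp-server community Str0ngC0mmunity RO
line con 0
 password cons0le-secret
 login
 exec-timeout 5 0
line vty 0 4
 transport input ssh
"""

# Global commands the slides say to turn off: (regex on the line, finding text).
CLEAR_TEXT_SERVICES = [
    (r"^ip http server", "HTTP management enabled (unauthenticated, clear text)"),
    (r"^service (tcp|udp)-small-servers", "echo/chargen/discard small servers enabled"),
]

def audit_router_config(config: str) -> list:
    """Return a list of findings; an empty list means none of the checked risks was seen."""
    findings, sections, current = [], {}, None   # sections: 'line con 0' -> sub-commands
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = raw.strip() if raw.startswith("line ") else None
        if current is not None:
            sections[current] = []
        findings += [text for pat, text in CLEAR_TEXT_SERVICES if re.match(pat, raw)]
        m = re.match(r"^snmp-server community (\S+)", raw)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community string '{m.group(1)}'")
    if not re.search(r"^logging (host )?\d+\.\d+\.\d+\.\d+", config, re.M):
        findings.append("no syslog host: network events are not captured")
    if not any(c.startswith("password") or c == "login local"
               for c in sections.get("line con 0", [])):
        findings.append("no console password")
    for name, cmds in sections.items():
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: session timeout disabled")
        if any(re.match(r"transport input (telnet|all)", c) for c in cmds):
            findings.append(f"{name}: clear-text Telnet management allowed")
    return findings
```

Run it against a saved copy of the running configuration rather than over a live Telnet session, so the review itself does not add to the clear-text exposure the slides describe.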


Domain Name Service: Risks and Controls

Risk: Allowing zone file transfers to unauthorized clients provides MX and HINFO records
Control: Use router filters for TCP port 53 (DNS) or control servers that receive DNS zone files

Risk: Updates require time to propagate, usually 24 hours
Control: Use strong change control procedures – management review

Risk: Providing information about internal devices one at a time
Control: Configure external name servers to provide info on Internet connected machines

Risk: Whois command – Whois returns the DNS IP addresses + sensitive info.


Network Address Translation

Static translation does not hide the device from the Internet
Port translation is needed to get the full benefit for security.

Reduced router performance, and can interfere with authentication schemes that verify integrity of the entire packet
Must weigh these costs when reviewing NAT


TCP/IP Environment Example (diagram)

Two sites, each: INTERNET – NAT Router – Hub, with a DHCP Server and inside hosts addressed 10.xxx.xxx.001 through 10.xxx.xxx.004; a Primary DNS and a Secondary DNS serve the environment.


Wiring/Hubs: Risks and Controls

Risk: Inability to track wiring problems
Control: Diagrams, labeling

Risk: Sniffing equipment, theft, inappropriate access to equipment
Control: Secure wiring concentrations (closets)

Risk: No redundant paths for backbone/WAN connections
Control: Redundant Layer 1 path

Risk: Power surges
Control: Surge protectors or UPSs

Risk: Heat and water damage
Control: Design of locations that house equipment


Additional Server Risks and Controls

Risk: Legitimate network access can cause security problems. Example: Sun Telnet hack, Microsoft IIS hacks
Control: Install up to date patches, backup (OS, applications & database), password controls, file permissions, restrict privileges, logging, disable unnecessary services

Risk: Differences in server configurations
Control: Use consistent setup checklists and/or scripts for servers and user profiles


Dangerous Services to be Restricted

Service                    Protocol/Port
Zone Transfers             UDP & TCP 53
Link                       TCP 87
LPD                        TCP 515
BOOTP                      UDP 67
RPC                        TCP & UDP 111
NFS                        UDP 2049
TFTP                       UDP 69
SNMP                       UDP 161, 162
X-Windows                  TCP 6000+
Finger                     UDP 79
Berkeley R-Commands        TCP 512-514
Windows Sharing            TCP 135-139, 445
Chargen, Discard, Echo     TCP/UDP 9, 19, 7

Block ICMP redirects
* Internal address from outside the network
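The table above, the ICMP-redirect and internal-address notes, and the DNS slide's "filter TCP port 53 or control which servers receive zone files" describe one inbound border policy. The code below is an added example (not from the presentation) that evaluates that policy over constructed packets; the internal address ranges and the authorised secondary DNS address are assumptions, and Finger is listed on the slide as UDP 79, so TCP 79 (where finger actually runs) is added alongside it.

```python
from ipaddress import ip_address, ip_network

# Constructed values: inside address space (the slides' diagrams use 10.x.x.x and 128.172.x.x)
# and the single outside secondary DNS server that may pull zone files.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("128.172.0.0/16")]
ZONE_TRANSFER_PEERS = {"192.0.2.53"}

# The slide's "Dangerous Services to be Restricted" table as (protocol, port) pairs.
DANGEROUS = {("udp", 53), ("tcp", 53), ("tcp", 87), ("tcp", 515), ("udp", 67),
             ("tcp", 111), ("udp", 111), ("udp", 2049), ("udp", 69), ("udp", 161),
             ("udp", 162), ("udp", 79), ("tcp", 79), ("tcp", 445)}   # finger is TCP 79 in practice
DANGEROUS |= {(p, n) for p in ("tcp", "udp") for n in (9, 19, 7)}    # discard, chargen, echo
DANGEROUS |= {("tcp", n) for n in range(512, 515)}                    # Berkeley r-commands
DANGEROUS |= {("tcp", n) for n in range(135, 140)}                    # Windows sharing
DANGEROUS |= {("tcp", n) for n in range(6000, 6064)}                  # X-Windows displays 0-63

def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def filter_inbound(pkt: dict) -> tuple:
    """Border-router decision for a packet arriving on the outside interface.

    pkt has keys src, dst, proto ('tcp'|'udp'|'icmp'), dport, and icmp_type for ICMP.
    Returns (action, reason); rules are checked top to bottom, first match wins."""
    if is_internal(pkt["src"]):             # slide footnote: internal address from outside
        return "deny", "spoofed internal source address"
    if pkt["proto"] == "icmp":
        if pkt.get("icmp_type") == 5:       # slide: block ICMP redirects
            return "deny", "ICMP redirect"
        return "permit", "icmp"
    key = (pkt["proto"], pkt["dport"])
    if key == ("tcp", 53) and pkt["src"] in ZONE_TRANSFER_PEERS:
        return "permit", "zone transfer from authorised secondary DNS"
    if key in DANGEROUS:
        return "deny", f"restricted service {key[0]}/{key[1]}"
    return "permit", "default"

# Constructed sample traffic to run the policy over.
SAMPLE_PACKETS = [
    {"src": "203.0.113.7", "dst": "128.172.161.139", "proto": "tcp", "dport": 25},
    {"src": "203.0.113.7", "dst": "128.172.161.139", "proto": "tcp", "dport": 53},
    {"src": "192.0.2.53", "dst": "128.172.161.139", "proto": "tcp", "dport": 53},
    {"src": "10.1.2.3", "dst": "128.172.161.139", "proto": "tcp", "dport": 80},
    {"src": "203.0.113.7", "dst": "128.172.2.30", "proto": "icmp", "icmp_type": 5},
    {"src": "203.0.113.7", "dst": "128.172.2.30", "proto": "tcp", "dport": 6001},
]

def run_policy(packets=SAMPLE_PACKETS) -> list:
    return [filter_inbound(p)[0] for p in packets]
```

The "permit by default" last line is what the slide's list implies; an auditor should also ask whether the site's actual filters deny by default and permit only the services it needs.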


Work Stations Risks and Controls

Risk: Trojan Horses: key capture, sniffers, remote control
Control: BOClean, up to date virus software (for detection)

Risk: Viruses
Control: Virus software up to date

Risk: Modem line exposures
Control: Policy, inventory, standardization, dial-in servers, unique id & complex passwords, wardial company #s


Encryption

• Examine encryption practices
• Determine where the traffic is the most exposed – going out on the Internet, between business partners…
• Look for controls like compartmentalization & VLANs to reduce internal exposure
• Use encrypted methods like SNMP V.2 and CHAP V.2 to communicate to network devices
• Consider testing encryption controls with a sniffer


Sniffed PPP Connection in Clear Text


Areas of a TCP/IP Infrastructure Audit: Why Examine Network Infrastructure

• Rarely examined
• Large investment
• Basis for most technology - the "common denominator"
• Connects to the World
• Lost revenue on E-Commerce
• Susceptible to Denial of Service attacks


Areas of a TCP/IP Infrastructure Audit: Recommended Objectives

• Continuity (consistent reliability and availability of system -- back-up and ability to recover)
• Management and Maintenance (additions, change procedures, upgrades, and documentation)
• Security (appropriate physical and logical access to network devices and hosts)


Auditing TCP/IP Infrastructure

• Review network policies and procedures
• Review network diagrams (layer 1 & 2), design, and walk-through, list of network equipment and IP address list
• Verify diagrams with Ping and Trace Route
• Review utilization, trouble reports & helpdesk procedures
• Probe systems (Netscan tools and Portscanner)
• Interview network vendors, users, and network technicians
• Review software settings on network equipment
• Inspect computer room and network locations
• Evaluate back-up and operational procedures


Conclusion

• Identify the paths and equipment used to navigate the network
• Identify TCP/IP infrastructure areas of concern
• Break into manageable pieces
• Every network is different and the components and risks must be fully understood
• Identify risks and prioritize
• Dedicate more upfront planning
• RELAX !! It's not that bad !


Additional Information

• Presentation located on line at URL:

http://www.vcu.edu/iaweb/iam_welc.html

• Contact information:

[email protected]

(804) 828-9248