Guide to TCP/IP, Third Edition
Chapter 9: Securing TCP/IP Environments

Objectives
Understand basic concepts and principles for maintaining computer and network security
Understand the anatomy of an IP attack
Recognize common points of attack inherent in the TCP/IP architecture
Maintain IP security

Objectives (continued)
Understand security policies and recovery plans
Understand new and improved security features in Windows XP Professional and Windows Server 2003
Discuss the importance of honeypots and honeynets for network security

Understand Computer and Network Security
Protecting a system or network means
  Closing the door against outside attack
  Protecting your systems, data, and applications from any sources of damage or harm
The 2005 Computer Crime Survey
  Virus and worm infections were among the top problems leading to financial loss

Principles of IP Security
Physical security
  Synonymous with “controlling physical access”
  Should be carefully monitored
Personnel security
  Important to formulate a security policy for your organization
System and network security includes
  Analyzing the current software environment
  Identifying and eliminating potential points of exposure

Understanding Typical IP Attacks, Exploits, and Break-Ins
Basic protocols
  Offer no built-in security controls
Successful attacks against TCP/IP networks and services rely on two powerful weapons
  Profiling or footprinting tools
  A working knowledge of known weaknesses or implementation problems

Key Terminology in Network and Computer Security
An attack
  Some kind of attempt to obtain access to information
An exploit
  Documents a vulnerability
A break-in
  Successful attempt to compromise a system’s security

Key Weaknesses in TCP/IP
Ways in which TCP/IP can be attacked
Bad guys can
  Attempt to impersonate valid users
  Attempt to take over existing communications sessions
  Attempt to snoop inside traffic moving across the Internet
  Utilize a technique known as IP spoofing

Common Types of IP-Related Attacks
DoS attacks
Man-in-the-middle (MITM) attacks
IP service attacks
IP service implementation vulnerabilities
Insecure IP protocols and services

What IP Services Are Most Vulnerable?
Remote logon service
  Includes the Telnet remote terminal emulation service, as well as the Berkeley remote utilities
Remote control programs
  Can pose security threats
Services that permit anonymous access
  Make anonymous Web and FTP services conspicuous targets

Holes, Back Doors, and Other Illicit Points of Entry
Hole
  Weak spot or known place of attack on any common operating system, application, or service
Back door
  Undocumented and illicit point of entry into an operating system or application
Vulnerability
  Weakness that can be accidentally triggered or intentionally exploited

The Anatomy of IP Attacks
IP attacks typically follow a set pattern
  Reconnaissance or discovery process
  Attacker focuses on the attack itself
  Stealthy attacker may cover his or her tracks by deleting log files or terminating any active direct connections

Reconnaissance and Discovery Processes
PING sweep
  Can identify active hosts on an IP network
Port probe
  Detects UDP- and TCP-based services running on a host
Purpose of reconnaissance
  To find out what you have and what is vulnerable

Reconnaissance and Discovery Processes (continued)
The attack
  May encompass a brute force attack process that overwhelms a victim
Computer forensics
  May be necessary to identify traces of an attacker winding his or her way through a system

Common IP Points of Attack
Virus
  Any self-replicating program that works for its own purposes
Classes
  File infectors
  System or boot-record infectors
  Macro viruses

Worms
A kind of virus that eschews most activity except as it relates to self-replication
MSBlaster worm
  Unleashed in August 2003
  Exploited the RPC DCOM buffer overflow vulnerability in Microsoft Windows
Hex reader
  Lets you look inside suspect files without launching them

Trojan Horse Programs
Masquerade as innocuous or built-to-purpose programs
Conceal abilities that permit others to take over and operate unprotected systems remotely
Must be installed on a computer system to run
Back Orifice
  Example of a Trojan horse program

Denial of Service Attacks
Designed to interrupt or completely disrupt operations of a network device or communications
SYN Flood attack
  Uses the three-way TCP handshake process to overload a device on a network
Broadcast amplification attack
  Malicious host crafts and sends ICMP Echo Requests to a broadcast address
Windows 2000 UPnP DoS attack
  Specially crafted request packet is sent that causes services.exe to exhaust all virtual memory resources

Distributed Denial of Service Attacks
DoS attacks launched from numerous devices
DDoS attacks consist of four main elements
  Attacker
  Handler
  Agent
  Victim

Buffer Overflows/Overruns
Exploit a weakness in many programs that expect to receive a fixed amount of input
Adware
  Opens the door for a compromised machine to display unsolicited and unwanted advertising
Spyware
  Unsolicited and unwanted software that takes up stealthy, unauthorized, and uninvited residence on a computer

Spoofing
Borrowing identity information to hide or deflect interest in attack activities
Ingress filtering
  Applying restrictions to traffic entering a network
Egress filtering
  Applying restrictions to traffic leaving a network

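As an added illustration (not from the textbook), the two anti-spoofing checks above expressed as a small packet filter: ingress filtering drops packets arriving from outside that claim an inside or private source address, and egress filtering drops packets leaving that do not carry one of the organization's own addresses. The 192.0.2.0/24 block as "our" network and the sample packets are constructed assumptions.

```python
import ipaddress

# Assumed: the organization's own address block (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Sources that should never arrive on the outside interface: our own block plus
# RFC 1918 private space and loopback, which have no business coming from the Internet.
INGRESS_BAD_SOURCES = INTERNAL_NETS + [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def ingress_verdict(src):
    """Packet entering from the public side: drop if it claims an inside/private source."""
    addr = ipaddress.ip_address(src)
    return "drop" if _in_any(addr, INGRESS_BAD_SOURCES) else "accept"

def egress_verdict(src):
    """Packet leaving the network: drop unless the source is one of our own addresses."""
    addr = ipaddress.ip_address(src)
    return "accept" if _in_any(addr, INTERNAL_NETS) else "drop"

def filter_packets(packets):
    """Apply the rule matching each packet's direction; returns [(packet, verdict), ...]."""
    results = []
    for pkt in packets:
        verdict = ingress_verdict(pkt["src"]) if pkt["direction"] == "in" else egress_verdict(pkt["src"])
        results.append((pkt, verdict))
    return results

# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    {"direction": "in", "src": "198.51.100.7", "dst": "192.0.2.10"},    # ordinary inbound
    {"direction": "in", "src": "192.0.2.55", "dst": "192.0.2.10"},      # spoofed inside address
    {"direction": "in", "src": "10.1.2.3", "dst": "192.0.2.10"},        # private source from outside
    {"direction": "out", "src": "192.0.2.10", "dst": "198.51.100.7"},   # ordinary outbound
    {"direction": "out", "src": "203.0.113.9", "dst": "198.51.100.7"},  # spoofed outbound source
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f'{pkt["direction"]:3} {pkt["src"]:>13} -> {pkt["dst"]:<13} {verdict}')
```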
TCP Session Hijacking
Purpose of an attack
  To masquerade as an authorized user to gain access to a system
Once a session is hijacked
  The attacker can send packets to the server to execute commands, change passwords, or worse

Network Sniffing
One method of passive network attack
  Based on network “sniffing,” or eavesdropping using a protocol analyzer or other sniffing software
Network analyzers available to eavesdrop on networks include
  tcpdump (UNIX)
  EtherPeek (Windows)
  Network Monitor (Windows)
  AiroPeek Wireless (Windows)
  Ethereal for Windows

Maintaining IP Security
Microsoft security bulletins
  May be accessed or searched through the Security Bulletins section at www.microsoft.com/security/default.mspx
  Essential to know about security patches and fixes and to install them
Knowing Which Ports to Block
  Many exploits and attacks are based on common vulnerabilities

Recognizing Attack Signatures
Most attacks have an attack signature
  By which they may be recognized or identified
Signatures may be used to
  Implement IDS devices
  Configure network analyzer filters as well

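An added example (not from the textbook) of what "attack signature" means in practice: the three patterns described earlier in this chapter, a PING sweep, a port probe, and a SYN flood, each reduce to a countable feature of the traffic, and a simple IDS-style rule can flag them from flow records. The flow-record format, the thresholds, and the sample traffic are constructed assumptions; a real IDS would also window the counts by time.

```python
from collections import defaultdict

# Assumed thresholds (constructed for this example; tune for a real network).
PING_SWEEP_HOSTS = 8       # distinct echo targets from one source
PORT_PROBE_PORTS = 6       # distinct ports from one source to one host
SYN_FLOOD_HALF_OPEN = 30   # sources with an unanswered SYN to one host:port

def detect_signatures(flows):
    """flows: iterable of (proto, src, dst, dport, tcp_flags). Returns alert strings."""
    echo_targets = defaultdict(set)   # src -> hosts it sent ICMP echo requests to
    probe_ports = defaultdict(set)    # (src, dst) -> ports it sent SYNs to
    syn_pending = defaultdict(set)    # (dst, dport) -> sources whose SYN was never followed by ACK
    for proto, src, dst, dport, flags in flows:
        if proto == "icmp":
            echo_targets[src].add(dst)
        elif proto == "tcp":
            if "S" in flags and "A" not in flags:      # bare SYN: connection attempt opened
                probe_ports[(src, dst)].add(dport)
                syn_pending[(dst, dport)].add(src)
            elif "A" in flags:                          # client ACK: handshake completed
                syn_pending[(dst, dport)].discard(src)
    alerts = []
    for src, hosts in echo_targets.items():
        if len(hosts) >= PING_SWEEP_HOSTS:
            alerts.append(f"ping sweep from {src}: {len(hosts)} hosts")
    for (src, dst), ports in probe_ports.items():
        if len(ports) >= PORT_PROBE_PORTS:
            alerts.append(f"port probe from {src} against {dst}: {len(ports)} ports")
    for (dst, dport), srcs in syn_pending.items():
        if len(srcs) >= SYN_FLOOD_HALF_OPEN:
            alerts.append(f"possible SYN flood on {dst}:{dport}: {len(srcs)} half-open sources")
    return alerts

# Constructed sample flows (not captured data): (proto, src, dst, dport, tcp_flags)
SAMPLE_FLOWS = (
    # one source pings twelve hosts in 192.0.2.0/24
    [("icmp", "198.51.100.7", f"192.0.2.{i}", 0, "") for i in range(1, 13)]
    # one source sends SYNs to ten ports on one host
    + [("tcp", "198.51.100.8", "192.0.2.10", p, "S") for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)]
    # forty sources leave half-open connections on 192.0.2.10:80
    + [("tcp", f"203.0.113.{i}", "192.0.2.10", 80, "S") for i in range(1, 41)]
    # one legitimate client completes its handshake
    + [("tcp", "198.51.100.9", "192.0.2.10", 80, "S"), ("tcp", "198.51.100.9", "192.0.2.10", 80, "A")]
)

if __name__ == "__main__":
    for alert in detect_signatures(SAMPLE_FLOWS):
        print(alert)
```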
Using IP Security
RFC 2401 says the goals of IPSec are to provide the following kinds of security
  Access control
  Connectionless integrity
  Data origin authentication
  Protection against replays
  Confidentiality
  Limited traffic flow confidentiality

Protecting the Perimeter of the Network
Important devices and services used to protect the perimeter of networks
  Bastion host
  Boundary (or border) router
  Demilitarized zone (DMZ)
  Firewall
  Network address translation
  Proxy server

Understanding the Basics of Firewalls
Firewall
  Barrier that controls traffic flow and access between networks
  Designed to inspect incoming traffic and block or filter traffic based on a variety of criteria
  Normally astride the boundary between a public network and private networks inside an organization

Useful Firewall Specifics
Firewalls usually incorporate four major elements:
  Screening router functions
  Proxy service functions
  “Stateful inspection” of packet sequences and services
  Virtual Private Network services

Commercial Firewall Features
Address translation/privacy services
Specific filtering mechanisms
Alarms and alerts
Logs and reports
Transparency
Intrusion detection systems (IDSs)
Management controls

Understanding the Basics of Proxy Servers
Proxy servers
  Can perform “reverse proxying” to expose a service inside a network to outside users, as if it resided on the proxy server itself
Caching
  An important proxy behavior
Cache
  Potentially valuable location for a system attack

Planning and Implementing, Step by Step
Useful steps when planning and implementing firewalls and proxy servers
  Plan
  Establish requirements
  Install
  Configure
  Test
  Attack
  Tune
  Implement
  Monitor and maintain

Understanding the Test-Attack-Tune Cycle
Attack tools
  McAfee CyberCop ASaP
  GNU NetTools
  A port mapper such as AnalogX PortMapper
  Internet Security Systems' various security scanners

Understanding the Role of IDS and IPS in IP Security
Intrusion detection systems
  Make it easier to automate recognizing and responding to potential attacks
Increasingly, firewalls include
  Hooks to allow them to interact with IDSs, or include their own built-in IDS capabilities
IPSs make access control decisions on the basis of application content

Updating Anti-Virus Engines and Virus Lists
Because of the frequency of introduction of new viruses, worms, and Trojans
  Essential to update anti-virus engine software and virus definitions on a regular basis
Anti-virus protection
  Key ingredient in any security policy

The Security Update Process
Evaluate the vulnerability
Retrieve the update
Test the update
Deploy the update

Understanding Security Policies and Recovery Plans
Security policy
  Document that reflects an organization’s understanding of
    What information assets and other resources need protection
    How they are to be protected
    How they must be maintained under normal operating circumstances

Understanding Security Policies and Recovery Plans (continued)
RFC 2196 lists the following documents as components of a good security policy
  An access policy document
  An accountability policy document
  A privacy policy document
  A violations reporting policy document
  An authentication policy document
  An information technology system and network maintenance policy document

Windows XP and Windows Server 2003: Another Generation of Network Security
Features that should help maintain tighter security
  Kerberos version 5
  Public Key Infrastructure (PKI)
  Directory Service Account Management
  CryptoAPI
  Encrypting File System (EFS)
  Secure Channel Security protocols (SSL 3.0/PCT)

Honeypots and Honeynets
Honeypot
  Computer system deliberately set up to entice and trap attackers
Honeynet
  Broadens the honeypot concept from a single system to what looks like a network of such systems

Summary
An attack
  An attempt to compromise the privacy and integrity of an organization’s information assets
In its original form, TCP/IP implemented an optimistic security model
Basic principles of IP security
  Include avoiding unnecessary exposure by blocking all unused ports
Necessary to protect systems and networks from malicious code
  Such as viruses, worms, and Trojan horses

Summary (continued)
Would-be attackers
  Usually engage in a well-understood sequence of activities, called reconnaissance and discovery
Maintaining system and network security involves
  Constant activity that must include
    Keeping up with security news and information
    Keeping operating systems secure in the face of new vulnerabilities
  A necessary and ongoing process

Summary (continued)
When establishing a secure network perimeter
  It is essential to repeat the test-attack-tune cycle
To create a strong foundation for system and network security, formulate policy that incorporates
  Processes, procedures, and rules regarding physical and personnel security issues,
Windows XP and Windows Server 2003 include
  Notable security improvements and enhancements as compared to other Windows versions