
KBOM



Presentation Transcript


  1. KBOM

  2. Aim
    • Develop a series of Success Factors for infrastructure security
    • Demonstrate the Success Factors in a physical security analogy
    • Extend the analogy to the digital world
    • Describe typical faults in infrastructure security

  3. Good Security: Security Success Factors
    • Multiple layers of protection – defence in depth
    • No direct access to customer data
    • Utilises multiple technologies including:
      • Access control
      • Breach detection
      • Auditing, or recording key events
    • Should integrate human and mechanised systems
    • What is not specifically required is denied

  4. Security systems Testing the key success factors in the real world

  5. Good Security: A Physical Analogy
    [Diagram: security camera, motion detector, guard]

  6. Security Success Factors Applied
    • Multiple layers of security – “buys” time to repel the attacker and prevents Bert endangering the jewels
    • Multiple technologies including access control, breach detection and auditing – ensures one fault does not put the crown jewels at risk
    • Use of manual and digital security (the guard)

  7. E-security systems Relating the digital-world to the real world

  8. E-security systems A model that works

  9. Countermeasures – Digital & Physical
    [Diagram: system logs]

  10. Security Success Factors Applied
    [Diagram: corporate network, Internet, audit logs, alert, security console]
    • Interface of manual and digital security (security console)
    • Multiple technologies including access control, breach detection and auditing – ensures one fault does not put the crown jewels (the data) at risk
    • Multiple layers of security – “buys” time to repel the attacker and prevents Bert endangering the jewels
    • Customer data not in the DMZ

  11. Common Faults

  12. Common Faults: Overall configuration & design
    • No proper design documentation – only a collection of clip-art
    • No IP addresses or server details etc.
    • Too much new and diverse technology – multiple UNIX and multiple Windows OS versions make it operationally unviable
    • Design rules applied with no understanding, so for example multiple firewalls provide no extra protection
    • No desk check done!!!!!
    • Data checking in downloaded scripts
    • Authentication flawed or SPI unencrypted
    • No centralised time server or logging server
    • No administration access or terminal servers, so when things go wrong it is impossible to get access
    • Standing data stored in the DMZ, only protected by one layer of security
    [Diagram (clip-art design) labels: Corporate Databases; Customer Data; Enterprise Systems; Encrypted information securely transferring over the Internet; Further protection of the Intranet; Internet; Internal Firewall; Intranet Web Server; Perimeter Firewall; Application Server; ? Authentication and permissions ?; Merchant securely identified via Certificates; Central role of the application server that will connect to all data sources; Internet Databases; SET payment protocol that sends the user’s details directly to the bank; Certification Authority; Bank; User securely identified via certificates]

  13. Common Faults: Router
    • Access lists absent, incomplete or applied to the wrong interface
    • SNMP open with a community string of “public” & ... (go on, have a guess)
    • Telnet open – allowing unrestricted terminal access from the Internet
    • Small services open
    And even if the perimeter router isn’t yours: WHO PAYS THE PRICE IF IT IS HACKED?

  14. Bad Config - router 1 of 1
      pants#show startup-config
      hostname pants
      enable password cisco
      interface Serial0/0
       ip address 194.117.132.10 255.255.255.252
      interface FastEthernet1/0
       ip address 192.188.144.81 255.255.255.252
      ip route 0.0.0.0 0.0.0.0 194.117.132.9
      ip route 192.193.97.65 255.255.255.255 195.188.144.82
      snmp-server community public RO
      snmp-server community private RW
      line con 0
      line aux 0
      line vty 0 4
       password cisco
       login
      !

  15. After

  16. After router 1 of 2
      service password-encryption
      no service udp-small-servers
      no service tcp-small-servers
      hostname pants
      enable secret 5 $1$s1gN$TDLK8LhaSdgKlDUpR84OY1
      enable password notused
      !
      interface Serial0/0
       ip address 192.117.132.10 255.255.255.8
       ip access-group 102 in
      !
      interface FastEthernet1/0
       ip address 195.188.144.81 255.255.255.0
       ip access-group 103 in
      !

  17. After router 1 of 2
      ! Management controls
      access-list 1 permit 193.193.97.65
      access-list 1 permit 193.193.116.0 0.0.0.255
      !
      ! Spoof & rfc 1918 filter
      access-list 102 deny ip 195.188.144.0 0.0.0.255 any
      access-list 102 deny ip 10.0.0.0 0.255.255.255 any
      !
      ! Traffic filter
      access-list 102 permit tcp any host 195.188.144.68 eq www
      access-list 102 permit tcp any host 195.188.144.66 eq smtp
      access-list 102 permit ip any host 195.188.144.66
      !
      ! Egress rules
      access-list 103 permit ip 195.188.144.0 0.0.0.255 any
      access-list 103 deny ip any any

  18.
      snmp-server community x1xx RO 1
      snmp-server community x1xx RW 1
      line con 0
       password GMxQttt98
       login
      line aux 0
      line vty 0 4
       access-class 1 in
       password Tmtttts
       login

  19. Common Faults - Firewalls
    • No anti-spoofing
    • Default passwords, rules or config
    • Unused services
    • Rules confused and undocumented
    • No consideration given to error logging or to the return connection (which can stop many hacks!!!)
    • Changes to the configuration not logged
    • No reporting of authorisation failures

  20. Before Pix 1 of 3
      nameif ethernet0 outside security0
      nameif ethernet1 inside security100
      hostname firewall
      fixup protocol ftp 21
      fixup protocol http 80
      fixup protocol smtp 25
      fixup protocol h323 1720
      fixup protocol sqlnet 1521
      names
      pager lines 24
      no logging console
      no logging monitor
      no logging buffered errors
      no logging trap
      logging facility 20

  21. Before Pix 2 of 3
      interface ethernet0 auto
      interface ethernet1 auto
      ip address outside 11.73.2.222 255.255.255.0
      ip address inside 11.73.7.251 255.255.255.0
      nat (inside) 0 0.0.0.0 0.0.0.0 0 0
      static (inside,outside) 11.73.1.2 161.73.1.2 netmask 255.255.255.255 0 0
      static (inside,outside) 11.73.1.1 161.73.1.1 netmask 255.255.255.255 0 0
      conduit permit tcp host 11.73.1.1 eq smtp any
      conduit permit tcp host 11.73.1.2 eq www any
      conduit permit tcp host 11.73.1.2 eq telnet any

  22. Before Pix 3 of 3
      apply (inside) 11 outgoing_src
      rip outside passive
      rip outside default
      rip inside passive
      rip inside default
      route outside 0.0.0.0 0.0.0.0 161.73.2.234 1
      no snmp-server location
      no snmp-server contact
      snmp-server community public
      no snmp-server enable traps
      telnet 11.73.140.99 255.255.255.255
      telnet timeout 5
      floodguard 1
      Cryptochecksum:8c7bc2b51a5bd78305c83a14f13e9c7b

  23. After

  24. After Pix 1 of 3
      nameif ethernet0 outside security0
      nameif ethernet1 inside security100
      hostname firewall
      no fixup protocol ftp 21
      fixup protocol http 80
      fixup protocol smtp 25
      no fixup protocol h323 1720
      no fixup protocol sqlnet 1521
      names
      pager lines 24
      no logging console
      logging host 192.2.2.1
      logging trap 3
      logging facility 20

  25. After Pix 2 of 3
      interface ethernet0 auto
      interface ethernet1 auto
      ip address outside 11.73.2.222 255.255.255.0
      ip address inside 11.73.7.251 255.255.255.0
      nat (inside) 0 0.0.0.0 0.0.0.0 0 0
      static (inside,outside) 11.73.1.2 161.73.1.2 netmask 255.255.255.255 0 0
      static (inside,outside) 161.73.1.1 161.73.1.1 netmask 255.255.255.255 0 0
      conduit permit tcp host 11.73.1.1 eq smtp any
      conduit permit tcp host 11.73.1.2 eq www any
      conduit permit tcp host 11.73.1.2 eq telnet any
      outbound 11 permit 11.73.0.0 255.255.0.0 smtp tcp
      outbound 11 deny 11.73.0.0 255.255.0.0 www tcp
      apply (inside) 11 outgoing_src

  26. After Pix 3 of 3
      rip outside passive
      rip outside default
      rip inside passive
      rip inside default
      route outside 0.0.0.0 0.0.0.0 161.73.2.234 1
      no snmp-server location
      no snmp-server contact
      no snmp-server community public
      no snmp-server enable traps
      telnet 11.73.140.99 255.255.255.255
      telnet timeout 5
      floodguard 1
      Cryptochecksum:8c7bc2b51a5bd78305c83a14f13e9c7b
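To check the router faults (slides 13-18) and the PIX faults (slides 19-26) in a repeatable way, here is an added Python audit script; it is example code, not from the presentation. The rule names, the regexes and the short sample configs are constructed to paraphrase the before/after slides, and the enable-secret hash is a placeholder.

```python
import re
# Added example (not from the slides): audit a config for the router and PIX faults
# the slides list. Each rule is (finding, line regex, report_when_matched); with
# report_when_matched=False the finding is raised when NO line matches the regex.
# The sample configs are constructed and only paraphrase the before/after slides.
IOS_RULES = [
    ("enable password in clear, no enable secret", r"enable secret ", False),
    ("default SNMP community string", r"snmp-server community (public|private)\b", True),
    ("no access-list applied to any interface", r"ip access-group ", False),
    ("vty (telnet) lines without access-class", r"access-class \d+ in", False),
    ("TCP small servers not disabled", r"no service tcp-small-servers", False),
]
PIX_RULES = [
    ("no syslog host configured", r"logging host ", False),
    ("default SNMP community string", r"snmp-server community public", True),
    ("telnet exposed through a conduit", r"conduit permit tcp .* eq telnet any", True),
    ("unused fixup protocols left enabled", r"fixup protocol (h323|sqlnet) ", True),
]
def audit(config: str, rules) -> list:
    """Return the findings that apply to this config, in rule order."""
    lines = [line.strip() for line in config.splitlines()]  # ignore sub-command indent
    findings = []
    for finding, pattern, report_when_matched in rules:
        matched = any(re.match(pattern, line) for line in lines)  # anchored at line start
        if matched == report_when_matched:
            findings.append(finding)
    return findings
IOS_BEFORE = """enable password cisco
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco"""
IOS_AFTER = """no service tcp-small-servers
enable secret 5 PLACEHOLDER-HASH
interface Serial0/0
 ip access-group 102 in
snmp-server community x1xx RO 1
line vty 0 4
 access-class 1 in"""
PIX_BEFORE = """no logging trap
fixup protocol h323 1720
snmp-server community public
conduit permit tcp host 11.73.1.2 eq telnet any"""
PIX_AFTER = """logging host 192.2.2.1
no fixup protocol h323 1720
no snmp-server community public
conduit permit tcp host 11.73.1.2 eq telnet any"""
```

On these samples every listed fault is reported for the two "before" configs and nothing for the hardened IOS config, while the PIX "after" sample still raises the telnet conduit, because that slide leaves the conduit line in place.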

  27. Firewall 1 - before

  28. Firewall 1 - After

  29. Common Faults - Web Server
    • Whoops – SSL is not enabled
    • Critical data in the DMZ – the classic example of pointless multiple layers
    • Default CGI scripts or administration servlets only protected by simple (default!!) passwords
    • Developer SDK and documentation available
    • Operating systems not properly hardened and configured

  30. Common Faults - Applications
    • Confidential screens and information (perhaps passwords) unencrypted – in the URL or in cookies
    • Passwords used for high-value transactions
    • Application authorisation that “should work” (as long as you don’t try it)
    • No proper application logging or alerting – making fraud easy

  31. Common Faults - IDS
    • Focusing on known attacks rather than anomalous traffic
    • Not updating it regularly – attacks emerge every day
    • Encryption – encryption is our friend, but if you install a network-based IDS to monitor encrypted traffic, what is it
    • Putting them in the wrong place – you don’t put a motion detector outside your house

  32. KBOM
