1 / 35

Network Security Issues

Network Security Issues. Pete Siemsen siemsen@ucar.edu National Center for Atmospheric Research April 24 th , 2002. Obstacles to Security. Doesn’t mesh well with research Security is a lose-lose proposition! Too little security: it’s your fault We got hacked, you should’ve done more

menora
Download Presentation

Network Security Issues

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Security Issues Pete Siemsen siemsen@ucar.edu National Center for Atmospheric Research April 24th, 2002

  2. Obstacles to Security • Doesn’t mesh well with research • Security is a lose-lose proposition! • Too little security: it’s your fault • We got hacked, you should’ve done more • Too much security: it’s your fault • I can’t get my work done, you should do less • And when it works, no one notices • Considered low priority (few resources) • Security not always taken seriously

  3. Types of Threats • Viruses • Packet sniffing • Denial of service • Probing for holes • Wireless

  4. Viruses • Hard to battle • Mail-borne • Web-borne • Filtering

  5. Packet Sniffing • Switches are better than hubs • Try to reduce cleartext passwords on the net: ban telnet in favor of ssh

  6. Denial of Service • Usually short-lived • Must back-track to source, installing filters as you go • Distributed DoS can’t be blocked • No magic bullet

  7. Probing for holes • “script kiddies” are unsophisticated hackers who run software “kits” to attack a target. They don’t have to understand networking. • Software scans for open ports and known vulnerabilities

  8. Wireless security • Built-in WEP is insecure • Your wireless net may be wide open to anyone • Details at http://www.scd.ucar.edu/nets/projects/wireless/

  9. Case study: NCAR

  10. NCAR’s Environment • Academic research institution • But no students • Collaboration with 63 member Universities • ~1500 university (external) users • Diverse, widespread field projects • ~2500 networked nodes internal to NCAR • ~1500 internal users

  11. NCAR’s Motivation to Get Serious About Security • We experienced increasing malicious attacks • More hackers hacking • Availability of script kiddie “kits” • Easy to get • Don’t require network expertise • We had some strong advocates

  12. Getting Started

  13. NCAR Security Committee • We created a committee to develop policy • Sysadmins from all NCAR Divisions • Policy process delivers institutional buy-in • 2-hour meetings once a month • Lots of cooperation, little authority • With time, authority has grown

  14. The Security Policy • Need a policy that defines • vulnerabilities • how much security is needed • level of inconvenience that is tolerable • solutions • We recommended a full-time Security Administrator for the institution • http://www.ncar.ucar.edu/csac

  15. Define Scope of Problem • Decide which types of attacks are problems • Examples: • Hacker spoofing of source IP address • Hacker scanning for weaknesses • TCP/UDP ports, INETD services • Hackers sniffing passwords • Hacker exploitation of buggy operating systems • Inconsistent/tardy OS patching

  16. Define Scope of Solution • What we won’t do • Not feasible to secure every computer • Over-reliance on timely OS security fixes • Can’t prohibit internal “personal” modems • Attacks from within aren’t a big problem • What we will do • Reduce external attacks from the Internet

  17. Basic Solutions at NCAR • One-time passwords • Switched LANs • Router packet filtering • Application-proxy gateways • Filter email attachments

  18. A.K.A. Challenge-Response Requires little calculator things (~$50/per) Prevents password sniffing We use it on critical devices Routers, ATM Switches, Ethernet Switches, Remote Access Servers, Server hosts (root accounts) At the least, do this! One-time Passwords

  19. Switched LANs • Reduces packet eavesdropping • Get this for “free” with switched network • Can still steal ARP entries

  20. Packet Filtering

  21. Used to construct router-based firewall around your internal network Main security implementation tool Routers check each inbound packet against filter criteria and accept or reject Filters reject dangerous packets Filters accept all useful packets Router-Based Filters

  22. Cisco access-lists filter on IP address source, destination, ranges Interfaces: inbound and/or outbound Protocols, TCP ports, etc. We filter inbound and outbound packets Performance can be an issue Packet Filtering At NCAR

  23. Filter Stance: Strong or Weak? • Strong • Deny everything, except for the good stuff • Weak • Allow everything, except for the bad stuff • NCAR chose a Strong stance

  24. Example Filter Statistics • 41 lines (rules) in NCAR’s access-list • Hits as of 9/30/98, 28 days after filter was installed: • 3 MP Denied because of spoofing • 17 MP Denied because of “catchall” • 71 MP Permitted to exposed networks • 100MP Permitted to exposed hosts

  25. Example: Web servers, data source machines, etc. Must meet stringent security standards to avoid being compromised and used as launch pads for attacking protected hosts OS restricts set of network services allowed Must keep up with OS patches Exposed Hosts

  26. Provides focus for security for the entire institution Helps deal with break-ins Central point of contact Tracks CERT advisories for sysadmins Advocates security solutions, like ssh Scans exposed hosts for standards violations Generally helps/educates sysadmins Security Administrator

  27. Impacts of NCAR’s Security

  28. >99% of NCAR hosts are protected Outbound Telnet, HTTP, etc. still work Relatively cheap and easy Dial-in users are “inside”, no changes Benefits

  29. UDP is blocked Some services are no longer available Inbound pings are blocked !!! To use FTP, must use passive mode, or use an exposed host, or proxy through the Gateway DNS and email can get complicated Drawbacks

  30. Crunchy outside, chewy inside Modems in offices are a huge hole Users must install VPN or ssh software for remote access Drawbacks (cont.)

  31. Wrapup

  32. Security is Never “Done” • How do you know if you’re being hacked? • “Silent” attacks very hard to detect • “Noisy” attacks hard to distinguish from other network (or host) problems • Network keeps changing • Software keeps changing • Hackers keep advancing

  33. Security is Never “Done” (cont.) • Policy and security mechanisms must evolve • Security committee continues to meet

  34. Conclusion • NCAR struck a balance between: • Convenience and Security • Politics and Technology • Cost and Quality

More Related