
Information Security Fundamentals






Presentation Transcript


  1. Information Security Fundamentals Chapter – X Basic Networking

  2. Network Access
     • TCP/IP is the protocol for communicating.
     • Like sending a letter:
       • Home address == IP address
       • Person == Port number
     • Computers have IP addresses
     • Applications have Port numbers
     • THERE ARE NO USERS IN THE NETWORK LAYER

  3. Question Argue for or against using IP address to represent a specific computer on the Internet

  4. Port Numbers
     Port numbers are divided into three ranges:
     • Well-known (system) ports: 0-1023
     • Registered ports: 1024-49151
     • Dynamic/private (ephemeral) ports: 49152-65535
     The IETF defines the assignment procedures for the well-known and registered ranges (www.ietf.org); IANA performs the assignments. Nothing stops a process from running any protocol on any port, so the registry tells you what a port is supposed to carry, not what it actually carries.

  5. Network access The Internet Assigned Numbers Authority maintains the port to protocol registry http://www.iana.org/assignments/port-numbers

  6. TCP/IP
     • Privileged ports
     • Ports 0-1023 are considered privileged: on Unix-like systems only root (or, on Linux, a process holding CAP_NET_BIND_SERVICE) may bind a listener there. Windows does not enforce an equivalent restriction.
     • Assignments in this range are actively managed by IANA
     • On Windows and Unix there are services or daemons running all the time, "listening" for connections
     • Vulnerabilities in these listeners are reachable by anyone who can deliver a packet to the host
     • By default many systems ship with these services enabled
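Slides 4 to 6 come together in one routine task: list what is listening, classify each port by IANA range, and single out the privileged listeners reachable from the network. The following is an added example, not from the slides; it parses the output format of Linux `ss -ltn` (the sample output is constructed) and the field names and the `SAMPLE_SS` text are assumptions of the example.

```python
"""Audit listening sockets and classify their ports by IANA range.

Added example for this section, not from the slides. It parses the output
format of Linux `ss -ltn` (the sample below is constructed) and flags
listeners that are reachable from the network on a privileged (0-1023)
port, i.e. services anyone who can reach the host can talk to.
"""
import re

# The three IANA ranges from slide 4.
RANGES = (
    (0, 1023, "well-known"),
    (1024, 49151, "registered"),
    (49152, 65535, "dynamic"),
)
PROCESS_RE = re.compile(r'\(\("([^"]+)"')  # process name inside users:(("sshd",pid=...))

# Constructed sample in the layout `ss -ltn` prints (header line, then one row per listener).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=901,fd=7))
LISTEN  0       511     *:80                 *:*                users:(("httpd",pid=1044,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    0.0.0.0:49152        0.0.0.0:*
"""


def port_range(port):
    """Name of the IANA range a port falls in."""
    for lo, hi, name in RANGES:
        if lo <= port <= hi:
            return name
    raise ValueError(f"port {port} is not a valid TCP/UDP port")


def is_loopback(addr):
    """Listeners bound only to loopback are not reachable from the network."""
    return addr.startswith("127.") or addr == "[::1]"


def parse_ss(text):
    """Parse `ss -ltn` output into a list of listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket in another state
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        port = int(port)
        m = PROCESS_RE.search(line)
        listeners.append({
            "addr": addr,
            "port": port,
            "range": port_range(port),
            "process": m.group(1) if m else None,
            "exposed": not is_loopback(addr),
        })
    return listeners


def exposed_privileged(listeners):
    """Privileged ports that are reachable from the network, deduplicated across v4/v6."""
    return sorted({l["port"] for l in listeners if l["exposed"] and l["range"] == "well-known"})


if __name__ == "__main__":
    rows = parse_ss(SAMPLE_SS)
    for l in rows:
        flag = "EXPOSED" if l["exposed"] else ""
        print(f'{l["addr"]:>10}:{l["port"]:<6} {l["range"]:<11} {l["process"] or "-":<8} {flag}')
    print("exposed privileged ports:", exposed_privileged(rows))
```

On the constructed sample the only exposed privileged listeners are 22 (sshd, on v4 and v6) and 80 (httpd); the CUPS listener on 631 is loopback-only and the socket on 49152 is in the dynamic range, so neither is reported.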

  7. Vulnerabilities
     • FTP problems
     • Anonymous access (numerous incidents)
     • Even security vendors' products have been affected (WatchGuard SOHO firewall)
     • Misconfigurations: FTP uses two connections, a control connection on port 21 and a separate data connection (from server port 20 in active mode, or to a server-chosen port that the client connects to in passive mode), and firewalls and FTP servers are often configured incorrectly for the second one
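The second connection is where the misconfigurations live. In passive mode the server announces its data endpoint in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, with the port encoded as p1*256 + p2; a server behind NAT that advertises its private address, or one that hands out a port outside the range the firewall opened, breaks transfers or leaks topology. The following is an added example, not from the slides: it parses such a reply and applies the checks a client or a firewall's FTP helper should apply. The sample replies and the default passive range are constructed assumptions.

```python
"""Validate an FTP PASV (227) reply against the control connection.

Added example, not from the slides. FTP has a control connection on port 21
and a separate data connection; in passive mode the server advertises the
data endpoint in a 227 reply and the client connects to it. The checks below
catch the classic misconfigurations: an advertised address that is not the
server we are talking to (NAT leaking an RFC 1918 address), and a data port
outside the range the firewall was told to open.
"""
import re
from ipaddress import ip_address, ip_network

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError on anything malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a well-formed 227 reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in 227 reply")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # the port is sent as two decimal bytes
    return host, port


def is_rfc1918(host):
    return any(ip_address(host) in net for net in RFC1918)


def check_pasv(reply, control_peer, passive_range=(1024, 65535)):
    """Return a list of problems with the advertised endpoint (empty means acceptable).

    control_peer is the server address the control connection is actually talking to;
    passive_range is the port range the firewall permits for data connections (assumed).
    """
    host, port = parse_pasv(reply)
    problems = []
    if host != control_peer:
        problems.append(f"data address {host} differs from control peer {control_peer}")
    if is_rfc1918(host) and not is_rfc1918(control_peer):
        problems.append(f"server advertised private address {host} (NAT misconfiguration)")
    lo, hi = passive_range
    if port < 1024:
        problems.append(f"data port {port} is privileged (bounce/reflection risk)")
    elif not lo <= port <= hi:
        problems.append(f"data port {port} outside permitted passive range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # Constructed replies (RFC 5737 documentation addresses, no real servers).
    good = "227 Entering Passive Mode (192,0,2,10,195,80)"
    natted = "227 Entering Passive Mode (10,0,0,5,195,80)"
    print(parse_pasv(good))                          # ('192.0.2.10', 50000)
    print(check_pasv(good, "192.0.2.10"))            # []
    print(check_pasv(natted, "192.0.2.10"))          # two problems
```

A firewall helper that opens exactly the advertised port without these checks is what the slide calls a misconfiguration waiting to happen: the client is told to connect to whatever address and port the server names.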

  8. Web vulnerabilities
     • MySpace – failure to properly filter scripts (cross-site scripting)
     • Oracle Application Server Web Cache contains a heap overflow vulnerability
     • iPlanet Web Server Enterprise Edition and Netscape Enterprise Server: a malformed Web Publisher command causes denial-of-service

  9. Standard services running on Fedora (Linux)
     • conman – console management (serial console access over telnet for remote management)
     • dhcdbd – DHCP (Dynamic Host Configuration Protocol) client D-Bus daemon
     • hald – Hardware Abstraction Layer daemon
     • hsqldb – HSQLDB, a Java relational database engine
     • httpd – web server (Apache)
     • ip6tables and iptables – the Linux packet filter and NAT (more later)
     • kudzu – boot-time hardware detection, like plug and play
     • lisa – LAN Information Server (browsing of Windows/SMB file shares for KDE)
     • NetworkManager and NetworkManagerDispatcher – manage network interfaces and switch connections between them
     • named – Domain Name Service (BIND)
     • nfsd – Network File System server
     • nscd – Name Service Cache daemon: caches passwd/group/host lookups, typically used when Unix logins are backed by LDAP or Active Directory
     • openvpn – Virtual Private Network
     • portmap – RPC portmapper for Sun RPC services (NFS, NIS); unrelated to Windows RPC
     • postfix – email (only needed if you are a mail relay or mail server)
     • rdisc – ICMP router discovery
     • saslauthd – SASL authentication for connection-based services
     • sendmail – the original MTA
     • syslog – local or network-based event logging
     • winbind – maps Windows domain users and groups to Linux for cross-authentication
     For a good description of daemons on Fedora see: http://aniz.wordpress.com/2007/03/20/services-and-daemons-running-in-linux-fedora/
     Every one of these that opens a network socket is attack surface; the question for each is whether the host actually needs it reachable from the network.

  10. Security Rule #3 The fundamental problem with networking is the lack of authentication

  11. TCP Origins
     • Designed in the mid-to-late 1970s as a replacement for the ARPANET's Network Control Program (NCP); the IMPs were the packet switches NCP ran over
     • Requirements were for reliable delivery over an unreliable network
     • Because the community was small and known, trust was assumed; the protocol has no notion of authenticating the other end
     • ARPANET officially converted to TCP/IP on 1 January 1983

  12. When did problems really start to happen?
     • Rapid adoption due to the WWW
     • Early to mid '90s
     • States start to add criminal liability for hacking
     • NSF gives up control of the backbone and commercial utilization expands
     • Hacking becomes a pastime

  13. [Chart: Hacker tools trend, 1980-1995, plotting the relative technical complexity of tools against the skill of the average intruder. Tools plotted: password guessing, password cracking, self-replicating code, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers/sweepers, stealth diagnostics, packet forging/spoofing, GUI hacking tools. Source: GAO Report to Congress, 1996]

  14. Commercial Response
     • Early firewalls were developed
     • Trusted Information Systems (TIS) developed the "Firewall Toolkit" (FWTK), free in source-code form
     • TIS sold a commercial version (Gauntlet) to enterprise users
     • Proxy based: each permitted protocol gets an application-level proxy that terminates the client's connection and opens its own connection to the server

  15. OSI Stack • http://www.commsdesign.com/design_corner/OEG20030416S0015

  16. IP header: • http://www.networksorcery.com/enp/protocol/ip.htm

  17. Internet Address: a 32-bit value that contains the network and host number fields. There were five classes of Internet addresses (A-E); the class, given by the leading bits of the first octet, indicates the size of the network and host fields. Classful addressing was replaced by CIDR (variable-length prefixes, RFC 1519) in 1993, but the class names survive in tools and documentation. Internet addresses are commonly displayed in dotted-decimal notation, XXX.XXX.XXX.XXX.
     • http://www.networksorcery.com/enp/protocol/ip.htm
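The two slides above point at the IP header layout and the address format without showing either being handled. The following is an added example, not from the slides: it packs and parses the 20-byte fixed IPv4 header, recomputes the RFC 791 header checksum, decodes the flags and fragment-offset word that the fragmentation attacks later in the deck abuse, and reports the classful class of an address. The sample packets are constructed with documentation addresses.

```python
"""Build, parse and validate IPv4 headers.

Added example, not from the slides. The field order follows the IPv4 header
diagram referenced on slide 16; address_class() applies the classful rule
from slide 17. Packets built here are constructed test data.
"""
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header, network byte order


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def address_class(addr):
    """Classful (pre-CIDR) class of an IPv4 address, from the first octet's leading bits."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"          # 0xxxxxxx: 8-bit network, 24-bit host
    if first < 192:
        return "B"          # 10xxxxxx: 16/16
    if first < 224:
        return "C"          # 110xxxxx: 24/8
    if first < 240:
        return "D (multicast)"
    return "E (reserved)"


def build_ipv4(src, dst, *, ttl=64, proto=6, payload_len=0, df=False, mf=False,
               frag_offset=0, ident=0x1234):
    """Pack a header with a correct checksum. frag_offset is in bytes (multiple of 8)."""
    flags = (0x2 if df else 0) | (0x1 if mf else 0)
    flags_frag = (flags << 13) | (frag_offset // 8)
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(HDR.pack(*fields))   # checksum computed over header with field zeroed
    return HDR.pack(*fields)


def parse_ipv4(packet):
    """Unpack the header and verify it; raises ValueError on anything a stack should discard."""
    if len(packet) < 20:
        raise ValueError("truncated: IPv4 header is at least 20 bytes")
    vihl, tos, total_len, ident, flags_frag, ttl, proto, cksum, src, dst = HDR.unpack_from(packet)
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or ihl > len(packet) or total_len < ihl:
        raise ValueError("inconsistent header length")
    header = packet[:ihl]
    flags = flags_frag >> 13
    return {
        "ihl": ihl, "tos": tos, "total_len": total_len, "ident": ident,
        "df": bool(flags & 0x2), "mf": bool(flags & 0x1),
        "frag_offset": (flags_frag & 0x1FFF) * 8,     # stored in 8-byte units
        "ttl": ttl, "proto": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        # A correct checksum makes the sum over the whole header (including the field) fold to 0xFFFF,
        # so recomputing over it yields zero.
        "checksum_ok": ipv4_checksum(header) == 0,
        "options": header[20:],
    }


if __name__ == "__main__":
    pkt = build_ipv4("192.0.2.1", "198.51.100.7", payload_len=40)
    print(parse_ipv4(pkt))
    for a in ("10.0.0.1", "172.16.0.1", "192.168.1.1", "224.0.0.1"):
        print(a, address_class(a))
```

Two things the parser does that matter later in the deck: it rejects headers whose length fields disagree with the bytes actually present (the kind of malformed packet slide 19 says a proxy drops), and it exposes MF plus the fragment offset, which is all a fragment-reassembly check needs.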

  18. Proxy based firewalls – a tale of irony
     [Diagram: the client's packets 1-4 terminate at the proxy, which applies Allow or Deny on the destination address 172.41.92.0:80 and, if allowed, opens its own connection to the Internet and re-sends the data as its own packets 1-4]

  19. Benefits of a TCP Proxy
     [Diagram: TCP/IP packet streams; out-of-order and malformed packets arrive from clients, the proxy re-sends a clean, in-order stream to the server]
     • Traffic grooming
       • Timeouts and retransmissions from clients are eliminated
       • TCP segments are all in order (no dropped or out-of-order packets)
       • Optimizes MTU to the server
     • DoS attack mitigation
       • Since incoming TCP/IP headers are stripped off, common protocol-based hacking attacks don't pass through
       • Malformed (often malicious) TCP/IP packets are dropped before they ever get to the server
       • Unused TCP service ports can be blocked (example: only traffic to ports 80, 25 and 443 is left open)

  20. Hackers Manipulate TCP/IP Headers to Attack Servers
     TCP header:
     • Port scanning
     • TCP ACK flood
     • Session hijacking
     • WinNuke
     • XMAS tree (all flags = 1)
     IP header:
     • Teardrop, Jolt2 (fragmentation attacks)
     • Hiding viruses via TTL crafting

  21. TCP Proxy Operation Provides Powerful Attack Mitigation
     • TCP proxy operation filters out common layer 3-4 DoS attacks:
       • IP fragmentation attacks (Teardrop, tiny packet, Jolt2, etc.)
       • Malformed TCP headers (XMAS, FIN without ACK, etc.)
       • WinNuke (out-of-band data, URG flag set, sent to port 139 of a PC running Windows)
       • TCP port scanning
       • TCP ACK floods
       • Stealth attacks using crafted Time-to-Live (TTL) fields in IP headers
     • Protects against future protocol-based attacks of the same kind, because the server only ever sees segments that the proxy's own stack generated
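Slides 20 and 21 name the header abuses a proxy absorbs but do not show what "malformed" means on the wire. The following is an added example, not from the slides: given raw IPv4/TCP packets (constructed below, checksums left at zero because only the header fields are inspected), it flags the illegal flag combinations (XMAS with all six flags, NULL, FIN without ACK, SYN+FIN), the WinNuke pattern (URG data to port 139), a first fragment too small to carry the TCP header, and overlapping fragments of the Teardrop family. Function and field names are the example's own.

```python
"""Detect the TCP/IP header abuses listed on slides 20-21.

Added example, not from the slides. A TCP proxy never forwards these
packets because it only passes segments its own stack built; this code makes
the same decisions explicitly so the patterns are visible. Packets are
constructed; TCP/IP checksums are left at zero since they are not inspected.
"""
import struct
from collections import defaultdict

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")     # 20-byte TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])   # documentation addresses


def make_packet(dport, flags, *, ident=1, mf=False, frag_offset=0, payload=b"",
                urgptr=0, with_tcp=True):
    """Constructed IPv4 packet; with_tcp=False yields a non-first fragment carrying only payload."""
    body = (TCP_HDR.pack(40000, dport, 1000, 0, 5 << 4, flags, 8192, 0, urgptr) if with_tcp else b"")
    body += payload
    flags_frag = ((1 if mf else 0) << 13) | (frag_offset // 8)
    ip = IP_HDR.pack(0x45, 0, 20 + len(body), ident, flags_frag, 64, 6, 0, SRC, DST)
    return ip + body


def parse(pkt):
    vihl, _, total_len, ident, ff, _, proto, _, src, dst = IP_HDR.unpack_from(pkt)
    ihl = (vihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool((ff >> 13) & 1), "frag_offset": (ff & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


def packet_anomalies(pkt):
    """Header checks on a single packet; returns a list of findings (empty = looks legitimate)."""
    p = parse(pkt)
    found = []
    if p["proto"] != 6 or p["frag_offset"] != 0:
        return found   # flag checks need the TCP header, which rides in the first fragment
    if len(p["payload"]) < TCP_HDR.size:
        found.append("tiny first fragment: TCP header split across fragments" if p["mf"]
                     else "truncated TCP header")
        return found
    _, dport, _, _, _, flags, _, _, _ = TCP_HDR.unpack_from(p["payload"])
    f = flags & ALL_SIX
    if f == ALL_SIX:
        found.append("XMAS: all six TCP flags set")
    elif f == 0:
        found.append("NULL: no TCP flags set")
    else:
        if f & SYN and f & FIN:
            found.append("SYN+FIN set together")
        if f & FIN and not f & ACK:
            found.append("FIN without ACK (nmap FIN probe)")
    if f & URG and dport == 139:
        found.append("WinNuke pattern: URG (out-of-band) data to NetBIOS port 139")
    return found


def fragment_anomalies(pkts):
    """Teardrop-style overlap: a fragment whose offset lies inside data already received."""
    groups = defaultdict(list)
    for pkt in pkts:
        p = parse(pkt)
        if p["mf"] or p["frag_offset"]:   # part of a fragmented datagram
            key = (p["src"], p["dst"], p["ident"], p["proto"])
            groups[key].append((p["frag_offset"], len(p["payload"])))
    found = []
    for key, frags in groups.items():
        end = 0
        for off, length in sorted(frags):
            if off < end:
                found.append(f"ident {key[2]}: fragment at offset {off} overlaps data ending at {end}")
            end = max(end, off + length)
    return found


if __name__ == "__main__":
    print(packet_anomalies(make_packet(80, ALL_SIX)))
    print(packet_anomalies(make_packet(139, URG | ACK, urgptr=3, payload=b"abc")))
    print(fragment_anomalies([make_packet(80, SYN, ident=7, mf=True, payload=b"A" * 4),
                              make_packet(80, 0, ident=7, frag_offset=16, with_tcp=False, payload=b"B" * 8)]))
```

The point the slides make is that a proxy gets all of this for free: none of the packets above survive its TCP stack, so no server behind it ever has to be robust against them. A stateful filter, by contrast, only gets this protection if someone wrote each check.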

  22. Operating System (OS) Fingerprinting
     • DoS attackers usually need to identify the OS running on the target server(s) or host(s) in order to select the appropriate attack method
     • Fingerprinting techniques query the target's TCP/IP stack and then analyze the responses (ex: Nmap, QueSO)
     • TCP/IP stacks differ in how they respond to legal and illegal queries; hence their responses form a fingerprint identifying the OS and version
     [Diagram: TCP/IP queries sent to the target host, responses returned; "Ah, these responses indicate the server's OS is OpenBSD v2.4"]

  23. Popular Fingerprinting Methods
     • TCP proxying thwarts popular fingerprinting methods¹ such as:
       • FIN probe
       • Bogus flag
       • TCP ISN sampling
       • DF flag set in IP header
       • TCP initial window
       • ACK value
       • TCP options
       • ICMP messages
       • IP fragmentation handling
     The proxy's own stack answers every probe, so the fingerprint the scanner sees is the proxy's, not the server's.
     1. Information is from "Remote OS Detection via TCP/IP Stack Fingerprinting", available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html
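One of the listed tests, TCP ISN sampling, is easy to reproduce and shows why a stack gives itself away: a scanner opens several connections in quick succession, records the Initial Sequence Number in each SYN/ACK, and looks at how the numbers move. The following is an added example, not from the slides and not Nmap's implementation; it is a simplified version of the idea, with constructed ISN sequences standing in for four kinds of stack behaviour.

```python
"""Simplified TCP ISN sampling (slide 23).

Added example, not from the slides and not Nmap's own algorithm. Consecutive
ISNs are compared modulo 2^32; a constant value, a fixed per-connection
increment, a clock-driven increase (RFC 793 suggested a 4 us clock, i.e.
~250000/s) and random values each look different. A TCP proxy defeats the
test because the ISNs observed are the proxy's own.
"""
from functools import reduce
from itertools import accumulate
from math import gcd
from statistics import mean

WRAP = 1 << 32   # ISNs are 32-bit; differences are taken modulo 2^32

# Constructed sequences, sampled 100 ms apart, as four stacks might answer.
SAMPLES = {
    "constant": [0x12345678] * 5,
    "fixed": [(0xFFFF0000 + 64000 * i) % WRAP for i in range(6)],            # +64000 per connection, wraps past 2^32
    "clock": list(accumulate([0x01000000, 24990, 25010, 25003, 24997, 25000])),  # ~25000 per 100 ms
    "random": [0x1A2B3C4D, 0x9F8E7D6C, 0x0BADF00D, 0xDEADBEEF, 0x12345678],
}


def isn_differences(samples):
    """Forward differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % WRAP for a, b in zip(samples, samples[1:])]


def classify_isn(samples, interval_s=0.1):
    """Return (verdict, details) for ISNs sampled interval_s seconds apart."""
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    diffs = isn_differences(samples)
    g = reduce(gcd, diffs)              # gcd(0, x) == x, so all-zero diffs give 0
    if g == 0:
        return "constant", {"gcd": 0}
    if len(set(diffs)) == 1:
        return "fixed increment", {"step": diffs[0]}
    avg = mean(diffs)
    spread = (max(diffs) - min(diffs)) / avg   # relative jitter of the increments
    if spread < 0.05:
        # increments are nearly equal but not identical: a counter driven by time, not by connection count
        return "clock driven", {"rate_per_s": round(avg / interval_s), "gcd": g}
    return "random-looking", {"gcd": g, "spread": round(spread, 2)}


if __name__ == "__main__":
    for name, seq in SAMPLES.items():
        print(f"{name:>8}: {classify_isn(seq)}")
```

The first three verdicts are fingerprints (and the first two make sequence-number guessing, the basis of the session hijacking on slide 20, practical); only the last is what a modern stack should produce.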

  24. "Stateful" Inspection
     • Compares destination address/port against the rule base to allow or deny access
     • Usually allows all outbound connections to flow freely
     [Diagram: packets 1-4 pass through the firewall unchanged after the Allow or Deny decision on Dst addr 172.41.92.0:80; no inspection of the packets themselves]

  25. Allowing all outbound connections What kind of questions would you ask before creating that as your policy?

  26. Which is "more" secure?
     • Neither Cisco's PIX Firewall, nor the Context-Based Access Control (CBAC) feature of Cisco's IOS Firewall Feature Set, protects hosts against certain denial-of-service attacks involving fragmented IP packets.
     • Out-of-order packet processing (reassembling the stream before inspecting it) does not happen on most inspection-based firewalls.
     • Fragments are passed through unmodified on Check Point, Cisco and Juniper.

  27. Why were "stateful inspection" firewalls more popular?
     • Proxy firewalls are slower
     • Initial releases were source code only
     • Proxy firewalls couldn't deal with new, complicated protocols (H.323 – VoIP) without upgrades; every new protocol needs a new proxy
     • #1 reason – Check Point had a GUI

  28. Security Rule #4 To make security ubiquitous it has to be easy to use

  29. With the advent of firewalls we now have:
     • Authentication – Who or what am I?
     • Authorization – What am I permitted to do?
     • Access control – Rules that grant or deny access to a resource
     • Audit & monitoring – Log and monitor what actually happens

  30. Network Privacy Introducing the VPN

  31. VPN - Definition • A virtual private network (VPN) is a private communications network often used by companies or organizations, to communicate confidentially over a public network.

  32. History
     • Two major types:
       • IPsec
       • SSL VPNs
     • Initially popular because there was a great ROI in moving from private leased lines (telco) to the (relatively) free transport of the Internet

  33. IPsec
     • RFC 2401, Security Architecture for IP, Nov '98 (since replaced by RFC 4301, Dec 2005)
     • Designed by really smart people – S. Kent, BBN
     • Purpose: IPsec "provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services"
     • By authenticating – IP Authentication Header (AH)
     • And encapsulating – Encapsulating Security Payload (ESP), which encrypts the payload data
     • BUT
     • Because these security services use shared secret values (cryptographic keys), IPsec relies on a separate set of mechanisms for putting these keys in place.
     • http://rfc.net/rfc2401.html#s3.1

  34. SSL VPN
     • RFC 2246 – TLS 1.0, Jan '99
     • Taher Elgamal, a noted cryptographer, drove the development of SSL at Netscape in the mid '90s
     • Designed for anonymous clients (Internet browsers) to authenticated servers
     • Authentication protocol is built in (server certificates; client certificates optional)
     • De facto standard until RFC 2246
     • Open-source implementation: www.openssl.org
     • Microsoft tried to create a proprietary version (PCT) to combat Netscape's popularity

  35. SSL / HTTPS URL
     • Secure Sockets Layer (SSL) is the de facto method for protecting web data in transit
     • Built into every major web browser today; the browser shows a "lock" when the connection is SSL secured
     • Also used for:
       • Wireless
       • Instant messaging
       • VPNs
       • Secure email
       • EDI
       • Web services
       • eGovernment

  36. Interoperability of IPsec VPNs • A BIG problem • What kinds of issues might cause interoperability issues?

  37. In order to do cryptography you have to share a secret
     • Symmetric encryption and authentication need a key both ends hold, so a VPN needs a key-management protocol, and that is where IPsec interoperability broke down
     • The problem with IPsec was there were too many ways to share the secret:
       • Skipjack (strictly the NSA block cipher from the Clipper/Fortezza program, paired with its own KEA key exchange)
       • ISAKMP (RFC 2408)
       • Oakley (RFC 2412)
       • IKE (RFC 2409, combining the two)
       • "Son of IKE" – IKEv2 (RFC 4306, later RFC 7296)

  38. Some people have solved the interoperability problem http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NG+Linux-FreeSWAN-Gateway.html#checkpoint

  39. Interoperability of SSL VPNs • None..

  40. IPsec vs SSL
     [Diagram: side-by-side comparison of the SSL and IPsec protocol stacks]

  41. Benefits of IPsec vs SSL • Discussion topic

  42. Advances in VPNs • Integrated anti-spyware • Policy enforcement with VPN-1 • Secure auto-remediation to aid security policy compliance • Outbound threat protection

  43. With VPNs – for a select group of users – we now have:
     • Authentication – Who or what am I?
     • Authorization – What am I permitted to do?
     • Access control – Rules that grant or deny access to a resource
     • Audit & monitoring – Log and monitor what actually happens

  44. Vulnerability Assessment • As firewall usage and Internet usage continued to grow there was no “good” way to validate firewall effectiveness

  45. Vulnerability Assessment • Basically taking attack tools and running them against your own resources • In the early days you had to be careful • Nabisco • Large automotive Manufacturer

  46. How VA works
     [Diagram: a scanner probing the target hosts]

  47. To make VA work
     • You need to "discover" all the nodes you want to test
     • Nmap http://insecure.org/nmap/
     • Run destructive tests in non-destructive ("safe") mode where the tool offers one
     • Have a lot of time available
     • Sometimes it is difficult to reach the subnets you want to test
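Discovery only helps if its result feeds the scanner. The following is an added example, not from the slides or the Nmap project: it parses Nmap's grepable output (`nmap -oG`), which writes one tab-separated line per host, into live hosts and open services, the target list a vulnerability scanner is then pointed at. The sample output is constructed with documentation addresses; no real hosts were scanned.

```python
"""Turn Nmap grepable output into a vulnerability-assessment target list.

Added example, not from the slides or from Nmap. Slide 47 says the first
step of VA is discovering every node you want to test; `nmap -oG` records
that discovery as "Host: <ip> (<name>)" lines followed by tab-separated
"Key: value" fields, and each port entry is
port/state/protocol/owner/service/rpcinfo/version/. SAMPLE_GNMAP below is
constructed.
"""
import re

HOST_RE = re.compile(r"^Host: (\S+) \((.*)\)$")

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -oG scan.gnmap 198.51.100.0/29
Host: 198.51.100.1 (gw.example.test)\tStatus: Up
Host: 198.51.100.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 198.51.100.2 ()\tStatus: Up
Host: 198.51.100.2 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 198.51.100.3 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 4.52 seconds
"""


def parse_gnmap(text):
    """Return {ip: {"name": str, "up": bool, "ports": [(port, proto, state, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # banner / summary comments
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue                      # unrecognised line: skip rather than guess
        ip, name = m.groups()
        rec = hosts.setdefault(ip, {"name": name, "up": False, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["up"] = value == "Up"
            elif key == "Ports":
                for entry in value.split(", "):
                    port, state, proto, _owner, service = entry.split("/")[:5]
                    rec["ports"].append((int(port), proto, state, service))
                rec["up"] = True          # a Ports line means the host answered
    return hosts


def live_hosts(hosts):
    """Addresses that answered discovery: the nodes slide 47 says you must find."""
    return sorted(ip for ip, r in hosts.items() if r["up"])


def open_services(hosts):
    """(ip, port, proto, service) for every open port; filtered/closed ports are left out."""
    return [(ip, port, proto, svc)
            for ip, r in sorted(hosts.items())
            for port, proto, state, svc in r["ports"] if state == "open"]


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    print("live:", live_hosts(inventory))
    for target in open_services(inventory):
        print("%s:%d/%s (%s)" % target)
```

Keeping filtered ports out of the list is deliberate: a "filtered" result means a firewall in the path dropped the probe, which is worth knowing for the firewall-effectiveness question on slide 44 but is not a service to test.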
