1 / 16

68-520 Intrusion Detection, Response, & Recovery

68-520 Intrusion Detection, Response, & Recovery. Matthew A. Kwiatkowski mattk@anl.gov. Protecting the OSI Model. Determine your assets before coming up with defenses!. OSI Continued. 7. Application Layer

illias
Download Presentation

68-520 Intrusion Detection, Response, & Recovery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 68-520Intrusion Detection, Response, & Recovery Matthew A. Kwiatkowski mattk@anl.gov

  2. Protecting the OSI Model • Determine your assets before coming up with defenses!

  3. OSI Continued • 7. Application Layer • NNTP · SIP · SSI · DNS · FTP · Gopher · HTTP · NFS · NTP · SMPP · SMTP · SNMP · Telnet (more) • 6. Presentation Layer • MIME · XDR · SSL · TLS • 5. Session Layer • Named Pipes · NetBIOS · SAP • 4. Transport Layer • TCP · UDP · PPTP · L2TP · SCTP • 3. Network Layer • IP · ICMP · IPsec · IGMP • 2. Data Link Layer • ARP · CSLIP · SLIP · Frame relay · ITU-T G.hn DLL • 1. Physical Layer • RS-232 · V.35 · V.34 · I.430 · I.431 · T1 · E1 · Ethernet · POTS · SONET · DSL · 802.11a/b/g/n PHY · ITU-T G.hn PHY

  4. OSI +1 • 8. HUMAN Layer (social engineering, training) • Control Computers and all the lower layers • Make critical Decisions • 7. Application Layer • 6. Presentation Layer • 5. Session Layer • 4. Transport Layer • 3. Network Layer • 2. Data Link Layer • 1. Physical Layer

  5. Layered Security Architecture • As we have seen in previous slides, security services that must be provided are numerous and diverse. • Similarly to the “real-world” bank, our web servers, our networks can have many vulnerabilities and these vulnerabilities can be located in many layers of the architecture. • We need to practice a “security in-depth” approach. • Security consideration and services must be present in each and every level of components. • When analyzing the quality of your security infrastructure, always assume that 1 full security layer/functionality will entirely fail. • Are you still secured? What are your areas of vulnerabilities? • How long would it take for you to detect the failure? • Vulnerabilities and security services involve all 7 layers of the OSI model. • Security also is greatly dependant on the OSI’s “Layer 8”. • The balance between the threat to a system and the security services deployed is very Asymmetric: You need to defend each and every aspects to be successful – An attacker often needs to mitigate one aspect to be successful. • Let’s look at an example of an e-Commerce site and try to discuss what can go wrong and where.

  6. Layered Security Architecture

  7. Layered Security Architecture • Areas that can “go wrong”: • Incorrect firewall configuration. • Web and back-end server not hardened: • Known vulnerabilities • Default account/passwords • Lack of granularity in security • Lack of logging and auditing • Back-end database server servers accept any requests from any sources. • Lack of intrusion detection system. • Lack of integrity checking tools. • Router forward packets improperly. • Unnecessary protocols and services running. • Improper patching and update of patches. • Bugs and vulnerabilities in third-party software/applications. • Bugs and vulnerabilities in in-house developed applications. • Bugs and vulnerabilities in toolkits used to build in-house applications. • Improper implementation of an application, test userID not cleaned out, developers userID not cleaned out. • Presence of Trojans, Malware and backdoors. • How do I know the remote offices do not represent a threat? • And I am sure we can add a lot more to the list…

  8. Layered Security Architecture • To prevent attacks, an enterprise need to build a complete and comprehensive security architecture using tools, methods and techniques that individually target some threats and work in an integrated fashion to provide a complete enterprise framework for secure computing. • One missing “piece” or aspect may endanger the whole infrastructure. Example: if you do not have virus protection, can an intruder bypass your firewalls? • The goal of this class will be to present the aspects that most impact network security within that framework. • Example of these tools and methods are presented in next slides.

  9. Security Architecture Components Examples • Firewall with packet/traffic filtering • Provides protection by preventing prohibited traffic to pass. • Acts at layer 3 or 4 of OSI • Combats many attacks – Spoofing, unauthorized access. • Network Intrusion Detection systems • Monitor network activities for specific patterns or abnormal trends in traffic • Act at layer 3-7 of OSI • Allow alerting (and prevent in some case) in case of identification of known attacks. • Optical Fiber Links • Implement data transfer via optical signals. • Layer 1 of OSI • Protects from sniffing via electromagnetic leaks and interference via EMI by implementing links. Also reduce risks of undetected tapping of transmission media.

  10. Security Architecture Components Examples • Implement IPSEC on traffic • Provides encryption of data over the wire. • Acts at layer 3 of OSI • Prevent eavesdropping and provide anti-replay and traffic authentication. • Intermediate Mail server with virus scanning • Intercept all mail traffic and perform virus scan as well as content filtering • Layer 7 of OSI • Preserve integrity of infrastructure by preventing downloads of virus. Content filtering also help prevent unauthorized dissemination of proprietary data or offensive language. • Enforcement of prohibition of password disclosure via disciplinary actions. • Publicize to all employee the strict prohibition to share passwords. Enforce it by warning system and, if repeated violation, suspension. • Layer 8 of OSI • Protects from sniffing via electromagnetic leaks and interference via EMI by implementing links. Also reduce risks of undetected tapping of transmission media.

  11. Security Architecture Components Examples • Application development follows strict security models and strict, documented, security testing procedures • Provides a method to limit the potential of security vulnerabilities in software developed • Acts at layer 7 (and 8) of OSI • Reduce risk of bugs and validate security models in an application by basing it on a well-proven model. • Network/vulnerability scanner is run weekly • Perform weekly scan on all devices • Layer 3-7 of OSI • Preserve integrity of infrastructure by identifying newly discovered vulnerabilities or unauthorized configuration changes. Also help identified unnecessary services. • Many more aspects not included here.

  12. Types/Sources of Attacks • Attack on Bandwidth • Brute force attack • Attacker sends traffic to consume line • What kind of packets? • ICMP Echo, UDP data, SYN packets • Attack on Protocols: resource (cpu or mem) consumption • TCP Attacks, routing (RIP, OSPF, BGP) attacks • Attacks on Services • DNS, DHCP • Attacks on Servers • Web attack, FTP Attacks, SQL, SSH, Telnet, etc

  13. Planning the attack (recon) • Collection basic Information about the target such as IP address, ports, domain, ..etc) • Hide source identity (spoofing, hijacking, reflecting) • Collecting particular information such as server types, active ports, passwords, topology, OS • Breaking-in or Penetration • Destroying alarms and evidence (e.g., logs .. Etc) • Concurring the system (e.g., back door account ..) • Installing keystroke logger, phone home app, etc • Sit and wait, time is free…. Or better yet infect the rest of the machines.

  14. Target System Attacks • Using Common tools to derive information • WHOIS • POC information • Subnet Ranges • DNS • PING • Org Charts • Who is in charge • Who are the admins • Google is an awesome tool

  15. Google Recon • Go to www.google.com • Type in:intitle:"Welcome to Windows 2000 Internet Services“ • Take a look at the results • These are all default installs of IIS, probably a configuration mistake by someone who does not know any better. • Defaults, defaults, defaults. • Then go Here! • http://johnny.ihackstuff.com/index.php?module=prodreviews • SO SIMPLE!!!!!

  16. Targeted System Penetration • Hiding the identity • IP Address Spoofing: Put false IP addresses in outgoing attack packets • Attacker is blind to replies can’t be used during information collection but DoS • Solution: may be impossible to detect spoofed addresses but with the help of the ISP the hacker could be tracked during the attack. It is easier though for the source ISP to detect invalid spoofed addresses. • VPN is another solution • Chain of victims • Use of Reflectors • Any Combination of these • SAD Thing is that EDU are taken advantage of every second of the day • Too limited resources, too many machines, not enough configuration management control.

More Related