Securing Your Microsoft Windows SOHO Network

Harold Toomey, Product Manager

Symantec Corporation

htoomey@symantec.com

8 January 2002

Agenda
  • The Threat
    • Hackers
    • Attacks
  • Security Best Practices
    • The 80-20 Rule
    • Patches
    • Password strength
  • The Tools
    • Norton Internet Security 2002
    • Enterprise-Class tools
  • Typical SOHO Network
    • Network layout
    • Vulnerable segments
    • Security tips
The Threat
  • Whether your Internet connection is always on or you only dial in occasionally, your computer is vulnerable every minute it's online
  • Hackers have the tools and knowledge to compromise your system
  • Security experts are calling 2001 the worst year for computer viruses
    • December is the worst month
    • Experts predict 2002 will be even worse
    • Predict “viruses and their cousins, the self-propagating worms, will find new and even more nasty ways to attack computer systems, possibly even hitting mobile devices, pocket PCs and smart phones in the coming year.”

(Source: Reuters 12-26-2001 & USA Today 12-27-2001)

Why Hackers Attack
  • Professionals
    • Military tool / Cyber warfare
    • Industrial espionage
    • Hacktivism
  • Hackers
    • Money $$ (credit cards, extortion)
    • Power (DDoS zombies)
    • Fame (want a “name”)
    • Fun (adventure game)
    • Socialize (hacker clubs)
    • Revenge (www.grc.com)
    • Cheap (can’t afford own hard drive space)
    • Because they can

Why Hackers Attack
  • Script Kiddies
    • Only use tools others have created
    • Usually just kids (10-17)
  • White Hat Hackers
    • Good intent
    • Test for security vulnerabilities before attackers can abuse them
  • Black Hat Hackers
    • Evil intent

Trojan Horses and Backdoors
  • Trojan Horses
    • Replace known programs
    • A login Trojan works like normal login, but captures user passwords or gives privileged access on demand
    • Will have the same behavior as the programs they are replacing and are difficult to find
    • Usually contain backdoors
    • Mask the existence of backdoors
  • Backdoors
    • May replace known programs
    • Backdoors give attackers direct access (often root level) to the system, foregoing normal authentication
    • May replace login command to allow quick root level access
    • May listen on certain ports for further direct access

SubSeven Trojan
  • What it does
    • Allows remote control of Windows:
      • File
      • Monitoring
      • Network
  • Protection from it
    • Keep your systems updated
    • Eliminate all unneeded programs
    • Periodically scan network for common backdoor services
    • Check critical files for tampering (MD5 signature)
    • Use intrusion detection (IDS)
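The "check critical files for tampering (MD5 signature)" advice above, worked through as an added example (not from the presentation or any Symantec tool): it records an MD5 baseline for a set of files and later reports which ones changed or disappeared, which is how a login Trojan that replaces a known program shows up. The file names and contents are constructed inside a temporary directory, and the `algorithm` parameter is an addition so the same code can use SHA-256 instead of the MD5 the slide names.

```python
"""Baseline-and-verify check for critical files (added example, not Symantec code)."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # hash in chunks so large binaries need not fit in memory


def digest_bytes(data, algorithm="md5"):
    """Hex digest of an in-memory byte string (handy for tests and small files)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path, algorithm="md5"):
    """Hex digest of a file on disk, read in CHUNK-sized pieces."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths, algorithm="md5"):
    """Return {path: digest} for every regular file in `paths`."""
    return {p: file_digest(p, algorithm) for p in paths if os.path.isfile(p)}


def verify(baseline, algorithm="md5"):
    """Compare current digests with the baseline.

    'modified' = digest differs (a replaced program), 'missing' = file gone,
    'unchanged' = digest still matches.
    """
    report = {"modified": [], "missing": [], "unchanged": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif file_digest(path, algorithm) != expected:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: three 'system' files, one replaced, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        names = ["login.exe", "netstat.exe", "notepad.exe"]  # constructed names
        paths = [os.path.join(root, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        # Simulate a login Trojan replacing the real program ...
        with open(paths[0], "wb") as f:
            f.write(b"replacement binary with different contents")
        # ... and a critical file being removed.
        os.remove(paths[2])
        report = verify(baseline)
        # Return bare file names so the result does not depend on the temp path.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline is only worth something if an attacker who replaces the binaries cannot also rewrite it, so keep it on read-only media or on another machine and run the check from a known-good system.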
SubSeven Trojan

[Diagram: an attacker on the Internet controls the SubSeven-infected system from a remote location; the victim LAN (NT Server, Workstation, Linux Server, Laptop) sits behind a router and hub]

SubSeven Trojan - GUI

[Screenshot: SubSeven client GUI, "Connect to remote system"]

SubSeven Trojan - GUI

[Screenshot: SubSeven client announcing "we have captured a very confidential email message!": a logon to mailserver.xyz-company.com and a new message from David Smith, CEO of XYZ Company, to Jcombs@xyz-company.com with the subject "Company layoffs", proposing a 20% reduction in work force and the elimination of unnecessary travel, with plans due by Friday and marked confidential. Caption: "Select Key logger to capture what is typed on the keyboard of the remote system"]

Backdoor - Back Orifice 2000
  • From “cult of the dead cow”
  • Allows remote control of Windows:
    • File system
    • Registry
    • System
    • Passwords
    • Network
    • Processes
  • Extensive multi-media controls
    • Capture images from server screen
    • Record confidential conversations
  • NT registry passwords and Win9x screen saver password dumping
  • Most virus detection software will identify the binary version
  • Completely open-source (anyone can change it)
Back Orifice 2000

[Diagram: an attacker on the Internet controls the BO2K-infected system from a remote location; the victim LAN (NT Server, W2K Server, Workstation, Laptop) sits behind a router and hub]

Capture audio or video from the victim's system if a microphone or camera is attached. You could record confidential meetings held behind closed doors.

Spyware and Adware
  • Adware
    • Pop up ads
    • AdBots are legal!
  • Spyware
    • “Spyware is ANY SOFTWARE which employs a user's Internet connection in the background without their knowledge or explicit permission.” – Steve Gibson
    • Symptoms
      • Can slow down a PC significantly
      • Hide in executables
      • Have a “hibernate” setting in registry!
    • Example: Time Sink, Inc.’s TSAdBot.exe (evil!)
      • Provide a removal tool on web
        • www.gohip.com/remove_browser_enhancement.html
    • More info: http://grc.com/optout.htm
Viruses & Worms
  • A few viruses that received media attention
    • Naked Wife
    • Anna Kournikova
    • ILOVEYOU
    • Melissa
  • A few worms that received media attention
    • CodeRed II
    • Nimda
    • SirCam
  • http://securityresponse.symantec.com/
Average Reported Losses

[Chart: 2001 CSI/FBI Computer Crime and Security Survey (Mar 12, 2001), average reported losses per category. Categories: Theft of Proprietary Information, Financial Fraud, Unauthorized Insider Access, Sabotage and Denial of Service, Outside System Penetration. Bar values: $4.45 M, $4.42 M, $454K, $322K, $275K]

Web Site Defacements

[Chart: web site defacements over time. Source: attrition.org]

Security Best Practices
  • No need to start from scratch
    • Rather than analyzing every risk, look at what others are doing
    • Meet standards of due care
    • Use existing standards and industry “best practices”
    • Pay attention to regulations and requirements
      • Government
      • Industry
      • Partners
Security Best Practices
  • Best Practices that Block Most Attacks
    • Employ a layer 7, full inspection firewall
    • Use automatically updated anti-virus at gateway, server, and client
    • Ensure security patches are up to date
    • Ensure passwords are strong
    • Turn off unnecessary network services
Security Best Practices
  • The 80-20 rule of security
    • 1) Security patches
    • 2) Password strength
    • 3) Unnecessary services
  • The 80-20 rule means do 20% of the work to gain 80% of the results
Security Patches
  • Norton AntiVirus LiveUpdate
    • Schedule to check for updates regularly
    • Updates virus signatures
    • Updates content to entire Norton Internet Security 2002 suite
  • Virus Scans
    • Scan for viruses 3x weekly
  • Enable Personal Firewall
    • Be sure it is “Enabled”

Security Patches
  • MS Windows Update
    • Download critical updates at a minimum
    • %SystemRoot%\system32\wupdmgr.exe
    • http://windowsupdate.microsoft.com/ Product Updates
  • MS Office Product Updates
    • http://windowsupdate.microsoft.com/ Microsoft Office Product Updates
  • Other software products

Password Strength
  • Password stealing
    • CGI script exploits, password cracking, social engineering, shoulder surfing, …
    • Network sniffing
      • Reading the password directly from network traffic
  • Password guessing
    • Predictable passwords
      • blank, “guest”, user name, family name, birthdays, license plates, pets, etc.
    • Dictionary attack
      • “earth1” is an example of a password that is susceptible to dictionary attack
    • Brute force

Password Strength
  • Password cracking tools
    • Use available tools to regularly check for bad passwords
    • Commercial tools
      • Symantec Enterprise Security Manager
      • Symantec NetRecon
    • Hacker tools
      • L0phtCrack (www.atstake.com/research/lc3/)
      • John the Ripper (www.openwall.com/john/)
      • Caution: Use of such tools may be grounds for dismissal and/or legal action

Password Strength
  • Don’t send passwords over the network in clear text
  • Consider two-factor authentication
    • A password + something else
      • For example, encryption key pair, smart card, …
  • Enforce strict password policies
    • E.g. minimum 8 characters
  • Keep your systems and applications patched and updated

Password Strength
  • Do’s
    • Use mixed-case letters
      • Do not just capitalize the first letter, but add uppercase letters throughout the password
    • Use alphanumeric characters and include punctuation
    • Use at least six characters, eight characters for Windows NT
      • Password rules apply to the first N characters of the password
    • Use a seemingly random selection of letters and numbers
    • Change passwords regularly

Password Strength
  • Do’s
    • Use password expiration settings
      • No old (recycled) passwords
      • Can't use passwords less than N days old
      • Old and new passwords must differ by at least N characters
    • Watch for
      • Maximum number of character pairs
        • E.g. “HiiiiiiMom”
      • Minimum inside digits
        • E.g. “Hi123456Mom”
    • Test your passwords
      • http://www.securitystats.com/tools/password.asp

Password Strength
  • Do Not’s
    • Use a network login ID in any form (reversed, capitalized, or doubled as a password)
    • Use your first, middle or last name or anyone else’s in any form
      • Do not use your initials or any nicknames you may have or anyone else’s
    • Use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations
    • Use a password that can be typed quickly, without having to look at the keyboard ("shoulder surfing")

Password Strength
  • Do Not’s
    • Use other information easily obtained about you
      • This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on
    • Use a password of all numbers, or a password composed only of alphabet characters
      • Mix numbers and letters
    • Use dates e.g., September, SEPT1999 or any combination thereof
    • Use keyboard sequences, e.g., qwerty.
    • Use a sample password, no matter how good, that you’ve gotten from a book that discusses information and computer security

Password Strength
  • Do Not’s
    • Use any of the above things spelled backwards, or in caps, or otherwise disguised
    • Write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others.
    • Use shared accounts
      • Accountability for group access is extremely difficult
    • Reveal a password to anyone
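The Do's and Do Not's from the password slides, encoded as a checker. This is an added example, not code from the presentation or from any Windows or Symantec password policy: each rule maps to a slide bullet, while the thresholds (8 characters, a run of 4 identical characters, an edit distance of 3), the tiny `WORDS` list and the `KEYBOARD_SEQS` list are assumptions for the demo. The slide's "old and new passwords must differ by at least N characters" is implemented as Levenshtein edit distance, and "maximum number of character pairs" is read as a cap on repeated-character runs like "HiiiiiiMom".

```python
"""Password-policy checker built from the slides' Do's and Do Not's (added example)."""
import re
import string

MIN_LENGTH = 8          # "E.g. minimum 8 characters"
MAX_REPEAT_RUN = 3      # flag a character repeated more than 3 times in a row
MIN_NEW_DISTANCE = 3    # "must differ by at least N characters" (assumed N=3)
# Constructed stand-ins for a real dictionary / word list and a month list.
WORDS = {"earth", "password", "secret", "welcome", "summer", "dragon"}
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december", "sept"]
KEYBOARD_SEQS = ["qwerty", "asdfgh", "zxcvbn", "12345", "abcdef"]
YEAR_RE = re.compile(r"(19|20)\d\d")
RUN_RE = re.compile(r"(.)\1{%d,}" % MAX_REPEAT_RUN)


def edit_distance(a, b):
    """Levenshtein distance: characters to change to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _forms(word):
    """The 'any form' variants the slides warn about: plain, reversed, doubled."""
    w = word.lower()
    return {w, w[::-1], w * 2}


def check_password(password, username="", history=()):
    """Return the list of violated rules; an empty list means the password passes."""
    p = password
    low = p.lower()
    problems = []
    if len(p) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in p) and any(c.isupper() for c in p)):
        problems.append("not mixed case")
    elif not any(c.isupper() for c in p[1:]):
        problems.append("uppercase only as the first letter")
    if not any(c.isdigit() for c in p):
        problems.append("no digits")
    if not any(c in string.punctuation for c in p):
        problems.append("no punctuation")
    if username and any(f in low for f in _forms(username)):
        problems.append("contains the login ID (plain, reversed or doubled)")
    if any(w in low or w[::-1] in low for w in WORDS):
        problems.append("contains a dictionary word (forwards or backwards)")
    if any(seq in low for seq in KEYBOARD_SEQS):
        problems.append("contains a keyboard sequence")
    if any(m in low for m in MONTHS) or YEAR_RE.search(p):
        problems.append("contains a month or a year")
    if RUN_RE.search(p):
        problems.append(f"a character repeats more than {MAX_REPEAT_RUN} times in a row")
    for old in history:
        if old == p:
            problems.append("reuses an old password")
        elif edit_distance(old, p) < MIN_NEW_DISTANCE:
            problems.append(f"differs from an old password by fewer than {MIN_NEW_DISTANCE} characters")
    return problems


if __name__ == "__main__":
    for candidate in ["earth1", "HiiiiiiMom1!", "SEPT1999", "Tr!b4l-Mo0n"]:
        print(candidate, "->", check_password(candidate, "jsmith") or "OK")
```

The substring tests are deliberately crude (a real deployment would use a full word list and the operating system's own policy enforcement); the point is that every "Do Not" on the slides is mechanically checkable, so there is no reason to rely on users remembering the list.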

Unnecessary Services
  • Turn off non-essential services
    • Every service is a potential hole into your network
    • Allow connections only from trusted systems
    • Do not share unnecessary resources
  • Turn off File Sharing
    • At least password protect if used
  • Example: Disable web server services if not used
    • Ports 80 & 8080
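"Periodically scan network for common backdoor services" (SubSeven slide) and "turn off non-essential services" above come down to the same check: compare what is actually listening with what the host is supposed to offer. The following added example (not from the presentation) parses `netstat -an` style output and flags every listener outside a per-host policy; the netstat lines and the `EXPECTED` policy table are constructed for the demo, and ports 80 and 8080 are the web-server ports the slide names.

```python
"""Listener audit: flag services that are not on a host's expected list (added example)."""
import re

# Constructed sample of what `netstat -an` prints on a Windows box.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1032      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""
# Port 1234 above is a constructed unknown listener for the demo.

# Hypothetical policy for one workstation: listeners that are supposed to exist.
EXPECTED = {
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 139): "NetBIOS file sharing (password protected)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
}

# The ports the slide singles out: disable the web server if it is not used.
WEB_PORTS = {80, 8080}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return [(proto, port), ...] for every listening socket in the output."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines
        proto, _addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound/established connections are not services
        listeners.append((proto, int(port)))
    return listeners


def audit(netstat_text, expected=EXPECTED):
    """Classify each listener as expected, web_server or unexpected."""
    findings = {"expected": [], "web_server": [], "unexpected": []}
    for proto, port in parse_listeners(netstat_text):
        if (proto, port) in expected:
            findings["expected"].append((proto, port, expected[(proto, port)]))
        elif proto == "TCP" and port in WEB_PORTS:
            findings["web_server"].append((proto, port, "disable if no web server is needed"))
        else:
            findings["unexpected"].append((proto, port, "investigate: not in policy"))
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE_NETSTAT).items():
        for proto, port, note in items:
            print(f"{category:10} {proto} {port:5} {note}")
```

Anything in the `unexpected` bucket is either a service somebody forgot to document or a program listening that should not be there; either way the fix is the same as the slide says, turn it off or put it in the policy with a reason.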

Unnecessary Services – Hacker Exploitation of File Sharing

1) Find open file shares
   - Use Legion v2.1 from www.rhino9.com
2) Crack passwords
   - Copy SAM files from Windows systems
   - Use L0phtCrack.exe to crack passwords (www.l0pht.com)
   - Can also obtain backup of SAM files. Must rename first.
   - NOTE: To get SAM files, run rdisk.exe to create an emergency repair disk, then look in \WinNT\system32 for SAM files

Unnecessary Services – Hacker Exploitation of File Sharing

3) Login
4) Install BO2K
   - Run BOpeep
   - Can wrap Elf Bowling game with BO2K using Suranwrapper
   - BO2K executable is only 110KB
5) Use a packet sniffer
   - Snort (www.whitehat.com for signatures)
   - eEye Iris 2.0 Traffic Analyzer (www.eeye.com)
6) Keep Under FBI Limit
   - FBI Cyber Crime Unit
   - CIA Cyber Crime Unit
   - Won't prosecute unless > $10,000 or child porn

Source: 23.org, 5-17-2000

Virus and Hostile Applet Protection
  • Use anti-viral and content scanning software
    • Desktops
    • Servers
    • Firewall
  • Apply latest patches
    • E-mail (IE – MS Outlook)
    • Browser
    • Operating System (XP)
  • Don’t double-click blindly on attachments
    • Beware of .EXE, .VBS, and .SCR
  • Use higher levels of browser security
Firewalls
  • Protect your perimeter with a firewall
    • Monitor both in-coming and out-going traffic
    • Use a highly configurable, proxy-based firewall
    • Make sure it is ICSA and Checkmark certified
  • Personal Firewalls
    • Norton Personal Firewall 2002
  • Enterprise-Class Firewalls
    • Symantec Firewall Appliance
    • Raptor Firewall

Symantec Tools
  • Norton Internet Security 2002
    • Personal Firewall
    • Privacy Control
    • Intrusion Protection
    • Anti-Virus
    • Ad Blocking
    • Parental Control
    • Configure Internet Access for each user

v2002 shipped 30 Aug 2001

Personal Firewall
  • Defend your PC against hackers
    • Norton™ Personal Firewall starts protecting your PC by "hiding" it from hackers.
    • Exclusive Symantec technology automatically configures firewall rules for the most common Internet applications.
    • Monitors both inbound and outbound traffic.
    • The Internet Access Control feature prevents the applications on your PC from secretly making connections to Internet sites and sending information to them.
Privacy Control
  • Keep your personal information private
    • Will alert you if you accidentally try sending credit-card numbers over an unsecure web connection.
    • Protect your bank-account information, credit-card numbers, and other confidential data online.
    • Prevent web sites from retrieving your email address without your knowledge, and control which sites are allowed to track your online activities with "cookies."
    • Lets you block Java™ applets, ActiveX® controls, and cookies on a site-by-site basis.
Intrusion Protection
  • Norton Internet Security 2002
    • Intrusion Protection with AutoBlock automatically stops systems from trying to probe your PC's ports.
    • It safeguards your PC and your personal information by blocking unauthorized connections and alerting you to attempted intrusions.
Anti-Virus
  • Stop viruses and other malicious code automatically
    • Norton AntiVirus™ provides maximum protection against viruses, including those included in email messages.
    • The world's leading anti-virus software works in the background to defend your computer 24 hours a day.
    • New and exclusive Script Blocking technology proactively protects against known and unknown threats, such as the renowned "I Love You" and "Anna Kournikova" viruses - without the need for virus definitions.
Ad Blocking

[Screenshot: pop-up ad reading "Must be 18 or older …"]
  • Block unwanted ads
    • Banner ads and pop-up windows can clutter your screen and lengthen web page download times.
    • They can also expose children to inappropriate advertising.
    • Norton Internet Security 2002 lets you filter them out for a faster, more enjoyable web experience.
Parental Control
  • Keep your children safe on the Internet
    • Norton Parental Control software blocks access to objectionable sites based on a comprehensive, customizable list.
    • Make sure that your children have a safe, enjoyable experience every time they log on to the Internet.
    • It also lets you set up different Internet access privileges for each person in your household, so you can quickly and easily provide full access for adults and age-appropriate access for each child.
    • Tools are only 80% to 90% effective. “Teach them correct principles …”
Updates with LiveUpdate
  • Get regular protection updates
    • Symantec's Internet security experts update Norton Internet Security 2002 continuously to deal with new viruses and other Internet threats.
    • Norton AntiVirus even keeps itself updated, using Symantec's exclusive LiveUpdate™ technology to check for new virus definitions when you're online and download them automatically.
    • As a registered user, you'll get free anti-virus and firewall updates for one year. After that, you can subscribe to future updates for a $3.95 annual fee.
  • More info:
    • http://securityresponse.symantec.com
Norton Internet Security 2002 – System Requirements

Windows XP Home Edition/Professional
  • Intel Pentium II 300MHz or higher processor
  • 128 MB of RAM

Windows NT/2000 Professional
  • Windows NT 4.0 Workstation with service pack 6a or higher
  • Intel Pentium 150MHz or higher processor
  • 64 MB of RAM

Windows Me/98
  • Intel Pentium 150MHz or higher processor
  • 32 MB of RAM (48 MB recommended)

REQUIRED FOR ALL INSTALLATIONS
  • 60 MB of available hard disk space (without Parental Control feature installed)
  • 90 MB of available hard disk space (for complete installation)
  • CD-ROM or DVD-ROM drive
  • Microsoft® Internet Explorer 4.01 with MSIE Service Pack 1 or later
  • Microsoft Windows Internet support

Norton Internet Security 2002 – System Requirements

Email scanning supported for any standard POP3 compatible email client, including
  • Microsoft Outlook Express 4.0/5.x
  • Microsoft Outlook XP/2000/98/97
  • Netscape Messenger 4.X
  • Netscape Mail 6.0
  • Eudora Light 3.0, Eudora Pro 4.0, Eudora 5.0

Supported instant messaging clients for Confidential Information filtering
  • MSN Messenger 3.6
  • AOL Instant Messenger 4.3
  • Windows Messenger 4

Symantec Firewall/VPN Small Office Appliance

  • Firewall
  • VPN
  • IP Sharing/DHCP Server
  • 10/100 Auto-sense switch
  • Automatic dial-up backup*
  • Load balancing built-in (model 200)
  • Remote management

*with external analog modem

Network Vulnerability Scanners
  • Symantec NetRecon
    • Discovers systems
    • Discovers services
    • Finds vulnerabilities that can be exploited
    • Cracks passwords
    • Logs in
    • Reports
  • ISS Internet Scanner
    • Strong market share
    • Will execute denial-of-service (DoS) attacks
  • Nessus Scanner
    • Is free

Intrusion Detection
  • Stop scans at the perimeter
    • Use a highly configurable firewall (proxy-based is best)
    • Only allow necessary ports to be accessible from the outside
    • Use a DMZ for other services
  • Use both Host-based and Network-based intrusion detection
    • Security administrator can be alerted when an attack is in progress
    • Symantec Intruder Alert (host-based)
    • NetProwler (network-based)

Other Symantec Products
  • Intrusion Detection
    • Intruder Alert
    • ProwlerIDS
  • Content Filtering
    • I-Gear
    • Mail Gear
  • Privacy
    • Norton Internet Security
  • Administration / Utilities
    • pcAnywhere
    • Norton Ghost
    • Norton Utilities
    • Norton CleanSweep
  • VPN
    • RaptorMobile
  • AntiVirus
    • Norton AntiVirus
    • NAV for Palm Pilots
    • NAV for Gateways
  • Firewall
    • Symantec Enterprise Firewall (Raptor)
    • Symantec Firewall Appliance
    • Norton Personal Firewall
  • Security Assessment
    • Enterprise Security Manager
    • Symantec NetRecon
    • ESM for Databases, Web Servers and Firewalls
Typical SOHO Network

[Diagram: the Internet is reached through modems (56 Kbps) and a 1.5 Mbps link into a Symantec Firewall Appliance; an 8-Port LinkSys Hub (100 Mbps) connects the Windows 98 & 2000 PCs; a Cisco Aironet Workgroup Bridge (802.11b, 11 Mbps) serves a Windows 2000 Laptop and an iPAQ]
SOHO Network – Wireless Link

[Diagram: Internet (1.5 Mbps) into the Symantec Firewall Appliance; wired LAN at 100 Mbps; Cisco Aironet Workgroup Bridge (802.11b, 11 Mbps) with 128-bit WEP on the wireless link]
SOHO Network – Firewall & NAT

[Diagram: Symantec Firewall Appliance Model 200R provides VPN & NAT; 100 Mbps links to the 8-Port LinkSys Hub and the Cisco Aironet Workgroup Bridge (802.11b)]
SOHO Network – PC Security

[Diagram: hosts on the 8-Port LinkSys Hub (100 Mbps): Windows 98 (PC1), Windows 2000 (PC2), Windows 2000 (PC3), Windows 98 (PC4), Windows 98 (PC5), an iPAQ and a Visitor's PC (PC6). Protection labels on the diagram: "Personal Firewall, NAV CE", "Norton Internet Security 2002: Personal Firewall, NAV", and "PC-cillin" beside the Visitor's PC]
SOHO Network - Modems

[Diagram: 56 Kbps modems to the Internet are drawn beside Windows 98 (PC1), Windows 2000 (PC2), Windows 2000 (PC3) and the Symantec Firewall Appliance, in addition to the 100 Mbps LAN]

  • Modems
    • Use only as a backup
    • Configure for outgoing connections only
Typical SOHO Network

[Diagram: the Typical SOHO Network slide shown earlier, repeated: modems (56 Kbps), 1.5 Mbps link, Symantec Firewall Appliance, 8-Port LinkSys Hub (100 Mbps), Windows 98 & 2000 PCs, Cisco Aironet Workgroup Bridge (802.11b, 11 Mbps), Windows 2000 Laptop, iPAQ]
Where to Look for More Information
  • Symantec Corporation
    • http://www.symantec.com
    • http://securityresponse.symantec.com
  • SANS Top 20 List
    • http://www.sans.org
  • CERT Advisories
    • http://www.cert.org
  • CVE (Common Vulnerabilities and Exposures)
    • http://cve.mitre.org
  • Security Focus (Home of BUGTRAQ)
    • http://www.securityfocus.com
  • Packet Storm
    • http://packetstorm.securify.com
Conclusion
  • Hackers will attack your SOHO network
    • They have access to powerful tools and lots of information
    • Looking for DDoS Zombies
    • Want free hard disk space to store porn, etc.
  • Form a habit of following the 80-20 rule of security
    • Check for OS, application and security patches weekly
    • Use strong passwords
    • Turn off unnecessary services
  • Firewalls and anti-virus software must be used
    • Design security into your network
  • Use Symantec software!
    • Largest security company in the world
    • 100% focused on security
