Computer and Network Security

Iain Moffat B.Sc(Hons) CEng MIET

Chairman

IET Anglian Coastal

Contents
  • What is Computer Security?
  • Data Protection Principles and the DPA
  • The Security Implementation Process
  • The threats to your computer and network
  • Security Policies
  • Risk/Impact Assessment
  • Countermeasures
  • Checking Security
  • Investigation and Evidence
What is computer security?

Protection of computer hardware, software and the data they hold from loss, damage or theft. As the threat list that follows shows, "loss" includes disclosure of data to the wrong people (theft, impersonation) and loss of the ability to use the system (downtime), not just the physical loss of equipment.

Data Protection Principles
  • Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of data subjects under this Act.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

From the Data Protection Act 1998 Schedule 1 part 1: http://www.opsi.gov.uk/acts/acts1998/19980029.htm#aofs (the 1998 Act has since been replaced by the Data Protection Act 2018 and the UK GDPR, whose Article 5 principles cover the same ground; the seventh principle, appropriate technical and organisational measures, is the one the rest of this talk is about)

Security Process

(Diagram: a five-stage cycle, numbered 1 to 5: Threats (1) drive Policies (2), which are implemented as Countermeasures (3); Incidents and Audits (4 and 5) show where the countermeasures fall short and feed back into the threat picture and the policies.)
The Threats
  • Fire
        • Purely a physical threat
        • Results in data loss, loss of money invested in equipment, and downtime
  • Flood
        • Purely a physical threat
        • Results in data loss, loss of money invested in equipment, and downtime
  • Theft
        • Has physical and electronic forms
        • May involve hardware, data or both
        • Stolen data may be hard to replace
        • Stolen data may facilitate other crimes (eg. impersonation)
        • Causes financial loss and loss of reputation
  • Vandalism
        • Has physical and electronic forms
        • May cause downtime and/or data loss
        • Causes financial loss and loss of reputation
  • Impersonation
        • Primarily an electronic threat
        • Leads to financial loss and loss of reputation
  • Junk Mail
        • Used to be mostly a waste of time and bandwidth
        • Now a carrier for malicious software and for phishing links
Where Threats Come From
  • People with access to your computer
  • Removable media (tapes, disks etc)
  • Malicious Software
        • Trojans
        • Viruses
        • Worms
        • Exploits and Rootkits
        • Spyware
  • Network Connections
  • Confidence Tricks
Malicious Software
  • Trojans
        • Programs that claim to do one thing but actually do something unwanted
        • Need to be loaded and run by an authorised user of the system
        • Limited to the access rights of that user (which is why everyday work should never be done as administrator)
        • Often used as a loader for rootkits or spyware
        • Nowadays usually downloaded from a misleading/bogus website or via a link in a SPAM email message
  • Viruses
        • Self-replicating programs that attach themselves to other programs or documents
        • May just install a replicator on an infected machine or deliver a "payload" program to do its maker's work on your PC
        • Payload may be destructive or spyware
        • Historically spread using infected DOS floppy disks
        • Nowadays found as macros in documents or in downloadable programs
  • Worms
        • Self-replicating programs that spread from machine to machine over a network without any user action
        • May carry destructive or spyware payloads
        • Rely on vulnerable network services to infect new victims, so unneeded services and missing patches are the exposure
        • First seen on UNIX systems in the 1980s (the 1988 Internet worm), nowadays more common in Windows environments
  • Exploits and Rootkits
        • A vulnerability is a bug in an operating system or application; an exploit is the program or technique that uses it to let a local or remote user gain admin-level access
        • Hackers use exploits to install a permanent remote access kit (a rootkit) on the compromised system
        • The rootkit gives them root (UNIX) or administrator (Windows) access and hides itself from the normal operating system file and process lists, so a compromised machine cannot be trusted to report on itself
  • Spyware
        • Usually installed by a trojan or worm
        • May log key strokes or URLs visited
        • Originally an unethical form of market research
        • Now used by organised crime to steal passwords
  • Password Capture or "Phishing"
        • Originally done by faking a login screen on a mainframe terminal or by faking dial-back
        • Now usually a link to a web site
        • Purports to be an urgent message from eBay, PayPal or a bank containing a link to click
        • Link text says http://some.bank.com/login.html but the underlying HTML says http://some.hackers.hijacked.server/fakelogin.html
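The link-text trick described in the last bullet can be caught mechanically: parse the anchors in an HTML message and compare the host named in the visible text with the host the href actually points at. The script below is an added example written for this page, not code from the talk; the sample message body is constructed for the demonstration and the two bank hostnames are the placeholders used on the slide.

```python
"""Flag HTML anchors whose visible text names one host while the href points
at another. Added example for this page; SAMPLE_MAIL is constructed."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hostname in a URL or in bare link text such as "www.paypal.com".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _host(text: str) -> Optional[str]:
    """Lower-cased hostname named in a URL or a piece of link text, if any."""
    m = HOST_RE.search(text or "")
    return m.group(1).lower() if m else None


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> List[Dict[str, str]]:
    """Anchors where the host the reader sees differs from the host the
    browser would contact. A subdomain of the shown host is accepted."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = urlsplit(href).hostname      # None for mailto:, relative links etc.
        shown = _host(text)                 # None for text like "Log in"
        if real and shown and not (real == shown or real.endswith("." + shown)):
            findings.append({"text": text, "href": href, "shown": shown, "real": real})
    return findings


# Constructed sample: one disguised link, one honest subdomain link, one plain link.
SAMPLE_MAIL = """
<p>Dear customer, your account is locked. Please visit
<a href="http://some.hackers.hijacked.server/fakelogin.html">http://some.bank.com/login.html</a>
to restore access.</p>
<p>Help: <a href="https://help.some.bank.com/">some.bank.com</a></p>
<p><a href="https://some.bank.com/">Log in</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_MAIL):
        print(f"MISMATCH: text shows {f['shown']} but the link goes to {f['real']}")
```

Mail filters and browser extensions do essentially this; the check is cheap because it needs no network access, only the message body.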
Network Threats
  • Wire Taps / Eavesdropping
        • Primarily a risk on shared media (eg. wireless 802.11, or Ethernet hubs rather than switches)
        • Leads to disclosure of data and may facilitate Man-in-the-Middle or Impersonation attacks in the future
        • Password sniffing is a specific form of this threat, and is what makes TELNET and FTP unsafe
  • Man in the Middle
        • Primarily a risk on multi-hop links
        • Requires access to a link carrying all traffic between the end systems, or a way of redirecting that traffic (eg. DNS poisoning)
  • Impersonation
        • Use of false credentials to log in to network services
        • DNS Poisoning (making a name resolve to the attacker's machine so that clients connect to it in good faith)
  • Denial of Service
        • Primarily a risk to sites with limited internet access bandwidth
        • High volumes of unwanted inbound traffic may bring down servers or squeeze out legitimate traffic
  • Bandwidth Theft
        • Unauthorised connections to your WLAN may steal your internet access bandwidth, and anything done over them will be traced to you
Security Policies
  • Physical Security
        • Siting to avoid flood and fire risks
        • Locks and chains
        • Computer room access controls
        • Laptop security in transit and in use
        • Backups
        • Off site storage of backup and rebuild media
        • Availability of replacement hardware
  • User Access
        • Who has administrative access (can add users or programs)
        • Password policies (length, complexity and change period)
        • Identity and background checks prior to granting access
        • Password reset process must prove that the real user is asking
        • 7x24 or restricted access hours
        • Separation of roles (user vs administrator)
        • Audit and removal of expired or unused access
        • Shared user accounts are dangerous (undermine audit trail)
        • Users must be warned that unauthorised access is illegal
        • Users must be informed of the scope and purpose of permitted access
        • Users must be informed and/or trained in data protection
  • Removable Media
        • How to store backups away from harm
        • Potentially different content/retention profiles for archives and backups
        • Need to have software to read old archives and install old backups
        • Need to ensure that media are still readable after time
        • Consider retention period (legal and practical constraints may apply)
        • Consider risk from imported media (virus etc)
        • How to ensure timely identification and destruction of redundant media
        • Need to control introduction of new media from outside
  • Network Software
        • Minimise visible network presence
        • Turn off unwanted network services (does a web server need a mail server?)
        • Avoid use of unsafe protocols (eg. TELNET or FTP send unencrypted passwords)
        • Use safe/encrypted protocols (SSH, HTTPS)
        • Avoid programs or configurations that auto-open received files
  • Network Connectivity
        • Firewalls are essential
        • Identify security domains in your network and outside
        • Identify necessary connections by source, destination and protocol between machines or domains
        • Configure firewall rules to permit only these connections and deny everything else by default
        • Log permitted but potentially dangerous traffic
        • Maintain a low profile to the internet – minimise visible network services exposed to the outside by your firewall
  • 3rd. Party Access
        • 3rd party maintainers or outsource staff may need remote or on site access
        • Ensure that work is controlled and staff are trustworthy
        • Ensure that confidentiality agreements are in place before granting access
        • Shut off remote access when not in use
        • Log or supervise support access
        • Review and if possible disable 'phone home' features for vendor support unless you are trying to fix a problem
        • Test automatic updates on a sacrificial machine before allowing network-wide deployment in your business
  • Audit and Logging
        • Logs help diagnose problems and are evidence of misuse
        • Excessive logs may be a security risk (eg. unencrypted sensitive data in the log, or a full disk stopping the service)
        • Should be sufficient to determine who did what when
        • Should not capture so much that they become an easier alternative to keystroke logging or wire tapping for whoever gets hold of them
        • Useless as an audit trail if login accounts are shared
        • Must be protected from modification – ideally sent to a dedicated server in real time over the network using SYSLOG (Unix and network equipment) or MOM (Windows)
        • Content and retention of logs must satisfy data protection and privacy laws
  • Patching and Updates
        • Hackers are always finding new bugs
        • Software vendors are always fixing them
        • You must monitor vendor websites or mailing lists
        • Also check CERT, UNIRAS and ISC alerts frequently
        • If you have the resources, test and deploy patches in a controlled way
        • If not, subscribe to Windows Update or its Linux counterparts
        • Upgrade the OS before it becomes unsupported, since unsupported software gets no more fixes
Risk Assessment Factors
  • Business or domestic
        • Business needs to consider employees as a risk
        • Domestic users face mainly external threats
  • Single or Multi-User
        • Multi-User systems need to consider who can see what
        • Single user systems mainly need to prevent accidental damage (eg. running a trojan while logged in as administrator)
  • Networked or Standalone
        • Networked systems are at risk from outside
        • Physical access (or imported media) is needed to harm standalone systems
        • Internet-connected networks are at greater risk than isolated ones
Risk Assessment Process
  • Make a list of risks
  • Determine the probability of each one happening (per year, say)
  • Determine the cost of each one if it happens
  • Calculate cost * probability for each one (the expected loss per year)
  • Deal with the worst first
  • It is worth paying up to £(cost * probability) per year to fix each risk that has been identified; a countermeasure that costs more than the loss it prevents is not worth buying, and that risk is better accepted and monitored.
Countermeasures
  • Physical Security
  • User Access Control
  • Removable Media Control
  • Network Software
  • Network Access
  • File Permissions and Security
  • 3rd. Party Access
  • Audit and Logging
Physical Security
  • Separate components of large systems across multiple sites
    • Clustering for high availability
    • Live/Standby operation for less critical systems
    • Consider using the test/development system as a cold standby
    • Standby systems are only useful if data and software are up to date
    • Need to rehearse failover and failback
  • Keep taking the backups!
    • Test the backup and restore process regularly
    • Keep all media needed to reinstall your software
    • Test that media are still readable from time to time
    • Ensure backups are stored as securely as the live data (or more so)
    • Review availability of hardware and upgrade or buy spares when it is near end of life
    • Don't keep backups and live systems in the same room (and if possible not in the same building)
  • Keep critical computers in a separate locked room (which also helps with noise, dust and air conditioning)
  • Don't put computers under water pipes or tanks
  • Don't use floor-standing computers or storage furniture in rooms liable to flooding
  • Ensure that temperature and humidity are monitored and alarmed in computer rooms
  • Ensure that media stores are dry and free from dust and insects
User Account Security
  • Separation of Privilege
  • Password Policies
  • Clean Up Afterwards
  • No Shared Accounts

Separation of Privilege
  • Create separate administrative and normal users even on a single-user system to limit the damage that can be done by mistakes or infection in normal use
    • Use administrative accounts only to install software or change system configuration
    • Never use an administrative account for normal e-mailing or web browsing
    • Use normal accounts for all dangerous activities so that a trojan or virus will not run as administrator
  • Wherever possible configure network services (mail, file and web servers) to run under dedicated user accounts rather than as administrator so a remote attack not only has to get control of them but then also gain administrative rights
  • Separate administrative and audit functions under separate user accounts if the operating system allows it, so that someone cannot do an unauthorised change and then cover up by changing the logs
Password Policies
  • There are several good password guessing programs in the field and as computers get faster they become a bigger risk
  • Always change default passwords in operating systems and applications as soon as you take delivery or install them
  • Minimum recommendations (as given in this talk) are
    • 6 character normal passwords
    • 8 to 10 character administrative passwords
    • Change passwords at least every 90 days
    • Change passwords ASAP if keylogging or dishonesty is suspected
    • Change passwords ASAP if an employee leaves
    • Must not be a dictionary word
    • Substituting numbers for letters is not enough (eg. "pa33w0rd"): guessing programs try those substitutions automatically
    • Combinations of words, or words and non-guessable numbers, are stronger (eg. "pass3249w0rd" or "random.nothing")
    • Random, machine generated passwords are non-memorable and need to be written down (which is a greater risk)
    • Current guidance (NIST SP 800-63B) goes further on length, screens candidates against lists of passwords known to have been breached, and drops routine expiry in favour of changing a password when compromise is suspected
  • Passwords must be stored on disk only as salted, non-reversible hashes, never in a form from which the password can be recovered
  • Passwords must never ever under any circumstances be shared
Clean Up Afterwards
  • Remove user accounts when employees leave
  • Search disks for stored passwords or password bypass files
    • eg. unix .rhosts and .netrc files (trusted-host logins and plain-text FTP credentials)
  • Audit the user list frequently and ensure that
    • All users are still employed at your site
    • All users have the lowest privilege level that will let them do their work
    • Any application program 'users' are still needed
    • User information (real name, phone) is correct
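The disk search in the second bullet is easy to automate. The script below is an added example for this page, not the talk's own tool: it walks a directory tree, reports the password-bypass files the slide names (plus SSH's equivalent, .shosts) and any regular file that is world-writable, which is the file-permission failure the later File Permissions slide warns about. The tree it scans is constructed in a temporary directory so the example runs anywhere.

```python
"""Find .rhosts/.netrc-style bypass files and world-writable files.
Added example for this page; the scanned tree is constructed by build_demo_tree()."""
import os
import stat
import tempfile
from typing import Dict, List

# Files that let someone log in or fetch data without typing a password.
BYPASS_FILES = {".rhosts", ".netrc", ".shosts"}


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Return sorted relative paths of bypass files and world-writable files."""
    findings: Dict[str, List[str]] = {"bypass_files": [], "world_writable": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if name in BYPASS_FILES:
                findings["bypass_files"].append(rel)
            if st.st_mode & stat.S_IWOTH:      # the 'other' write bit
                findings["world_writable"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_tree() -> str:
    """Constructed home directories: one .rhosts, one .netrc, one 0666 file."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    alice = os.path.join(root, "home", "alice")
    bob = os.path.join(root, "home", "bob")
    os.makedirs(alice)
    os.makedirs(bob)
    with open(os.path.join(alice, ".rhosts"), "w") as f:
        f.write("+ +\n")                       # the classic 'trust everyone' entry
    with open(os.path.join(bob, ".netrc"), "w") as f:
        f.write("machine ftp.example.com login bob password hunter2\n")
    with open(os.path.join(bob, "notes.txt"), "w") as f:
        f.write("hello\n")
    os.chmod(os.path.join(bob, "notes.txt"), 0o666)
    os.chmod(os.path.join(bob, ".netrc"), 0o600)
    os.chmod(os.path.join(alice, ".rhosts"), 0o600)
    return root


if __name__ == "__main__":
    for kind, paths in audit_tree(build_demo_tree()).items():
        print(kind, paths)
```

Run it against /home (and /root) on a real system; on the same audit pass it is worth listing setuid binaries and files owned by user IDs that no longer exist, which point at accounts that were removed without cleaning up.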
No Shared Accounts
  • Shared accounts prevent effective auditing since more than one person knows the same username and password
  • Each human user must have their own login account for auditing to be effective
  • If there is more than one system administrator then it is better to have multiple administrative accounts than to share one account and password
    • Directly possible by assigning users to the "Administrators" group in Windows
    • Requires use of "sudo" (or su from a personal account) on Unix or Linux systems, since there is normally only one root account
  • Where an account has to be shared it is best to configure things so that users log in as themselves and then switch to the shared account (su/sudo on Unix, Run As on Windows), so that the switch itself is logged against the real person
Removable Media
  • Removable Media are
    • Floppy disks, CD-ROMs, DVDs and tapes
    • The traditional infection vector for trojans and viruses
    • The main route by which data leaves your site
  • Consider laptops as removable media
  • New Removable Media must
    • Be clearly labelled with date, privacy marking and contents
    • Be stored as securely as the computers they came from (or more so)
    • Be securely destroyed when no longer required
      • Physical destruction by fire or cutting up is recommended
      • Deleting files just marks the space as reusable; the data is still there
      • Must delete contents and overwrite with random data prior to sale or reuse (overwriting is unreliable on flash media such as SSDs, where encrypting the media from the start and destroying the key is the dependable option)
    • Be adequately protected in a risky environment
      • Encrypt sensitive files on media that will be posted
      • Ensure laptops taken off site have passwords and encrypted hard disks
  • Incoming Removable Media must
    • Be virus checked (preferably on a non-networked 'sheep dip' computer)
    • Be expected and from a trustworthy source (beware magazine cover CDs)
File Permissions
  • File Permissions and Privilege Separation work together
    • Only administrators can write or update system files
    • Only administrators can change other users files
    • Normal users can read system files
    • It’s a policy decision whether users can read each other’s files
  • UNIX defaults to a strict implementation
  • Win2K and XP can be strict but default to an open model for backward compatibility with Windows 3.1 and 95/98
File Security
  • Anti Virus Tools
    • Periodically or on-demand scan files for virus signatures
    • Scan word documents for macro viruses prior to opening
    • Intercept file-open requests to the OS and compare files to a signature library before passing data to applications
    • Intercept mail send and receive requests to the OS and scan incoming and outgoing mail
  • Anti-Spyware Tools
    • Inspect registry for traces left by spyware
    • May block or query registry changes
    • Pre-emptively block creation of registry keys used
    • Periodically or on-demand scan files on disk for spyware signatures
  • Regular Updates to Signature Library are Critical
Safe Operating Practices
  • Avoid auto-opening attachments and embedded links in mail messages
    • Turn off message preview functions in e-mail programs
    • Never click on links in mail messages – copy the link text into a browser window, so that you visit the address you can see rather than the hidden one
    • Never click 'unsubscribe' links in junk mail messages (they confirm that your address is live)
  • Suppress Junk Mail
    • Use an ISP which provides SPAM filtering
    • If your company has its own mail server use something like SpamAssassin
  • Beware new websites and links from search engines
    • Disable client-side code (Java, JavaScript and ActiveX) or use a dumb browser (eg. early Netscape) to preview new sites
    • Only enable client-side code on trusted sites
    • Consider copying the "Restricted zone" settings to the "Internet zone" in IE6 and putting known good sites (www.theiet.org, etc) in the Trusted zone explicitly
(Screenshot: Internet Explorer security zone settings, showing the Internet Zone and Restricted Zone dialogs.)
Network Software
  • Modern computers come with many network services
      • Mail servers
      • Print Servers
      • File Sharing
      • Remote Procedure Calls (RPC)
      • SQL Databases
      • Web Servers
      • Remote Desktop Access / X-Windows / VNC
  • Most are enabled by default in Windows 2000/XP
  • Most are disabled by default in Windows 2003 Server
  • UNIX and Linux distributions are somewhere between
  • Only active network services are vulnerable to attack from the network
  • To minimise the "attack surface" of your systems you need to turn off the ones you don't plan to use
    • Review Control Panel > Administrative Tools > Services on Windows
    • Review /etc/inetd.conf or /etc/xinetd.d/ and the start-up scripts of stand-alone daemons on Linux and Unix systems; "netstat -ln" shows what is actually listening, whatever the configuration files say
  • Be aware of "loopback" connections when the client (user interface) and server (backend) portions of an application run on the same machine: the service can be bound to 127.0.0.1 only, so that it is usable locally but invisible from the network
Software Firewalls
  • Linux and Windows have software "firewalls"
    • Microsoft Windows Firewall or (Win2003) IPSEC Filters
    • Linux IPTables (and the older IPChains)
  • Not true firewalls – really host-based packet filters inserted between the network driver and the programs using it
  • These block or restrict incoming traffic based on source and destination IP address (and port) to hide network services that are needed locally but should not be shared
  • 3rd-party Windows firewalls (eg. ZoneAlarm, Sygate and Norton) can prevent applications accessing the network outbound until you have permitted them to do so
  • Microsoft Windows Firewall has a simple fixed configuration that permits anything outbound and replies inbound
  • 3rd. party Windows firewalls start with a "Block Everything" policy and are generally configured by learning – they ask what to do each time they see anything new
  • Linux IPTables is configured by user-written rule files

(Diagram: Application and Server boxes above the "Firewall", which sits on top of the Original Driver, showing where the filter is inserted.)
Network Connections
  • A networked computer is no longer alone
  • There are around 100 million Internet users world wide
  • Based on the UK prison population at least 160,000 of them are crooks
  • It is therefore necessary to protect your computers from attack via the internet
Interconnect Policies
  • You should consider what connections to permit between your network and the outside, and between security domains inside it
  • The template for describing a connection is as follows
    • Source IP or subnet
    • Destination IP or subnet
    • Protocol and port
    • Is authentication required
  • Anything not described this way should be blocked and logged
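The template above, together with the Network Connectivity policy (permit only the identified connections, log the permitted-but-dangerous ones), can be written down as data and evaluated. The code below is an added example written for this page, not the talk's material and not any real firewall's syntax: it keeps a list of rules in exactly the slide's fields, applies them first-match with a default deny, and produces log lines for denied traffic and for rules flagged as worth logging. The two security domains, the addresses and the sample connections are all constructed.

```python
"""Default-deny connection policy in the slide's template
(source, destination, protocol and port, authentication required).
Added example for this page; POLICY and the sample connections are constructed."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Rule(NamedTuple):
    src: str              # IP or subnet the connection may come from
    dst: str              # IP or subnet it may go to
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # None = any port (icmp has none)
    auth: bool            # must the service authenticate the caller?
    log: bool = False     # permitted, but record every instance


class Connection(NamedTuple):
    src: str
    dst: str
    proto: str
    port: Optional[int]


def _matches(rule: Rule, c: Connection) -> bool:
    src_ok = ipaddress.ip_address(c.src) in ipaddress.ip_network(rule.src, strict=False)
    dst_ok = ipaddress.ip_address(c.dst) in ipaddress.ip_network(rule.dst, strict=False)
    port_ok = rule.port is None or rule.port == c.port
    return src_ok and dst_ok and rule.proto == c.proto and port_ok


def evaluate(rules: List[Rule], c: Connection) -> Dict[str, object]:
    """First matching rule wins. Anything no rule permits is denied and logged,
    which is the 'permit only these connections' policy from the slides."""
    for r in rules:
        if _matches(r, c):
            return {"action": "permit", "auth_required": r.auth, "log": r.log, "rule": r}
    return {"action": "deny", "auth_required": None, "log": True, "rule": None}


def log_line(c: Connection, verdict: Dict[str, object]) -> Optional[str]:
    """One firewall log line, or None when the matching rule says not to log."""
    if not verdict["log"]:
        return None
    port = "" if c.port is None else f":{c.port}"
    return f"{str(verdict['action']).upper()} {c.proto} {c.src} -> {c.dst}{port}"


# Constructed policy: an office LAN 192.168.1.0/24 and a DMZ 10.0.0.0/24 holding
# the web server 10.0.0.80 and the mail server 10.0.0.25.
POLICY = [
    Rule("0.0.0.0/0", "10.0.0.80/32", "tcp", 443, auth=False),              # public HTTPS
    Rule("0.0.0.0/0", "10.0.0.25/32", "tcp", 25, auth=False, log=True),     # inbound SMTP, logged
    Rule("192.168.1.0/24", "10.0.0.0/24", "tcp", 22, auth=True, log=True),  # admin SSH from the LAN only
]

if __name__ == "__main__":
    samples = [Connection("203.0.113.5", "10.0.0.80", "tcp", 443),
               Connection("203.0.113.5", "10.0.0.80", "tcp", 22),
               Connection("192.168.1.7", "10.0.0.25", "tcp", 22)]
    for c in samples:
        line = log_line(c, evaluate(POLICY, c))
        if line:
            print(line)
```

Keeping the policy in this tabular form is the useful part: it can be reviewed by someone who does not read iptables or vendor syntax, diffed when it changes, and translated mechanically into whichever firewall is in use.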
3rd. Party Access
  • Maintainers have access to your data
  • Manage remote access
    • Turn off 'phone home' functions if you can
    • Firewall them or unplug the modem if you can't
    • Windows and AntiVirus/AntiSpyware updates are a necessary risk
  • Manage on-site maintenance technicians
    • Ensure on-site maintainers sign a non-disclosure agreement and are escorted at all times
    • Insist that all media used by on-site maintainers are virus-scanned
    • Check that on-site engineers' machines have the correct Windows updates and current AV signatures before connecting to your network
  • Minimise the risk of sending data off site
    • Use physically separate data and OS disks and remove the data disks prior to sending machines for repair
    • Clear the empty space on disks of machines sent for repair
    • Minimise data that will be left on a failed disk drive (a failed drive cannot be wiped, so full-disk encryption, as already recommended for laptops, is the only real protection)
      • Use cleanup tools (eg. Window Washer from www.webroot.com) to regularly clean up recycle bins and caches
      • Use sdelete (from www.sysinternals.com, now part of Microsoft's Sysinternals suite) to overwrite and erase free space
Audit Trails
  • To understand and clean up an incident you need to know what happened
  • To prosecute you need evidence
    • WHO did it (implies no shared accounts and traceability of accounts to people)
    • WHAT they did (implies the need for transaction logging when sensitive data is changed)
    • WHEN they did it (implies the need for timestamps and accurate, synchronised system clocks)
    • WHERE they did it (implies the need for logging of source IP or terminal line)
    • The evidence trail must withstand suggestions of tampering (implies frequent backup to write-once media which should be checked in to a 3rd party store)
  • Keep baseline full backups after system builds (and after each major update) on non-alterable media so you can detect all changes (including unauthorised ones) later
Logging
  • Logging
    • Keep a separate dedicated SYSLOG server with restricted user access for UNIX and network equipment so audit trails are protected if a server is compromised
    • Use a central MOM server with restricted user access to log events for Microsoft platforms
    • Use centralised password services (LDAP, Windows Active Directory, TACACS+) rather than local passwords on each machine so that access is logged "off the box"
    • Use a firewall to separate log (SYSLOG or MOM) and password (LDAP, NIS, TACACS+ or Active Directory) servers from the rest of the network
    • Isolate and analyse infected/compromised systems prior to rebuild (or at least clone the disks)
  • Beware of logging too much data (since the logfiles themselves will become sensitive data)
    • Do log that "Iain from IP 1.2.3.4 paid £10.34 for an XYZ at 18:43 with VISA"
    • Don't log the card number in full!! – if you must log it, log just a few digits
    • Log the primary key only, not the full customer address record!!
    • Where possible customer and user primary keys should be public domain info or anonymous numeric IDs
    • Do not combine debug and audit data in the same logs
    • Turn off debug-level logging unless you are debugging
    • Delete logs after a reasonable interval (seek legal advice for your circumstances)
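The "do log / don't log" bullets above describe an audit record that carries who, what, when and where but no card numbers or address data. The code below is an added example for this page, not from the talk: it builds such a line with a UTC timestamp and a customer key rather than a name, and runs the free-text part through a masker that replaces any card-number-shaped digit run that passes the Luhn check with its last four digits, so that a number pasted into a free-text field by mistake never reaches the log in full. The sample record is constructed and uses a well-known test card number.

```python
"""Audit-log line builder that keeps who/what/when/where and masks card numbers.
Added example for this page; the sample record is constructed."""
import re
from datetime import datetime, timezone
from typing import Optional

# 13 to 19 digits, optionally separated by spaces or dashes (how people type PANs).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; true for real card numbers, false for most
    other long numbers (order IDs, phone numbers) so they are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with '****' + last four."""
    def repl(m: "re.Match") -> str:
        raw = re.sub(r"[ -]", "", m.group(0))
        return "****" + raw[-4:] if luhn_ok(raw) else m.group(0)
    return PAN_RE.sub(repl, text)


def audit_line(user_key: str, src_ip: str, action: str,
               when: Optional[datetime] = None) -> str:
    """WHO (a key, not a name), WHERE (source IP), WHEN (UTC), WHAT (masked)."""
    when = when or datetime.now(timezone.utc)
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} user={user_key} src={src_ip} {mask_pans(action)}"


if __name__ == "__main__":
    print(audit_line("cust-1042", "1.2.3.4",
                     "paid 10.34 GBP for XYZ with VISA 4111 1111 1111 1111",
                     datetime(2006, 3, 1, 18, 43, tzinfo=timezone.utc)))
```

The masking belongs in the logging layer rather than in each caller, because the one place a card number leaks is the one the developer did not think about; the Luhn test keeps the masker from mangling invoice and order numbers that merely look similar.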
Network Implementation

(A Refresher Course)

Network Types
  • Point to Point
    • Modem connection
    • Leased line
  • Broadcast
    • Ethernet
    • Wireless
  • Switched
    • X.25

(Diagram: hosts attached to a SWITCH.)

Routed Networks
  • A hierarchy of broadcast or switched networks
  • Connected by point to point links
  • Between "Gateways" or "Routers"
  • Traffic is routed hop by hop between sites
the internet
The Internet
  • Based on DoD ARPANET (1970)
  • Current form (IP Version 4) since 1980
  • IP V6 used in some mobile networks
  • Packet Switched (40 to 1500 byte packets)
  • Primitive Layering (not quite OSI !!!)
    • Uses any available physical/data link layer
    • Internet Protocol stateless transport layer
    • Step by step routing between nodes
    • Multiple session-layer protocols
      • TCP (session oriented)
      • UDP (message oriented)
      • ICMP (diagnostic and control)
      • GRE and IPSEC (Virtual Private Networks)
      • RIP, OSPF and BGP (routing information exchange)
ip addresses
IP Addresses
  • Each IP V4 address is globally unique
  • Each IP V4 address has 4 octets/bytes, e.g. 85.189.17.65
  • Each Octet has a value between 1 and 255
  • The address is split into network and host parts
  • The network part is used to route traffic to your network
    • Comparable to the street address or post code of a building
  • The host part identifies the host inside your network
    • Comparable to a room number in a building
  • E.g. a /24 subnet has 24 bits (3 octets) of network part and the remaining octet identifies the host: in 85.189.17.65 the network part is 85.189.17 and the host part is 65

private ip addresses
Private IP Addresses
  • Normal IP addresses are globally unique
    • allocated by regional internet registries
    • routable over public networks
  • 3 IP address blocks are allocated for private use under RFC1918
    • 10.0.0.0 to 10.255.255.255
    • 172.0.0.0 to 172.32.255.255
    • 192.168.0.0 to 192.168.255.255
    • Anyone can use RFC1918 IPs
    • Public networks must not route traffic addressed to them
  • RFC1918 addresses should be used in private networks
  • Network Address Translation (NAT) is required to interconnect RFC1918 and public networks
ip routing
IP Routing
  • Routers hold routing tables for network addresses
  • Traffic routes hop by hop towards the destination according to the best known route in the subset of the routing table held in each router
  • Each host and router has a “default route” or “default gateway” to destinations not in its table
  • Addresses with the same network address and different host addresses are in the local LAN and can be reached without going through the gateway
  • The “Netmask” specifies the bits in the host address that form the network address. A bit set to ‘1’ in the netmask forms part of the network address, e.g. netmask 255.255.255.0 specifies 3 bytes of network address (sometimes called a /24 or class C network)
ip routing 2
IP Routing (2)

  • Netmask is /24, so the network part is 192.168.1
  • From 192.168.1.2 to 192.168.1.4: network parts are the same – send over the LAN
  • From 192.168.1.1 to 1.2.3.4: network parts are different – send to the default gateway 192.168.1.254, which sends on to the Internet

[Diagram: server 1.2.3.4 on the Internet; router or firewall with outside IP 11.12.13.14 and inside IP 192.168.1.254; local LAN 192.168.1.0/24 with local computers 192.168.1.2, 192.168.1.3 and 192.168.1.4]
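An added example, not from the presentation, of the two decisions described above using Python's standard ipaddress module: the host's "same network part or default gateway" test, and a router's longest-prefix lookup with a default route. The routing table, and the edge check that refuses to forward RFC1918 destinations onto a public network, are assumptions for illustration; the addresses are the ones from the diagram.

```python
import ipaddress

# The three RFC1918 private blocks, as the RFC itself defines them
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip lies in a private block, which public networks must not route."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def host_next_hop(src_ip: str, netmask: str, dst_ip: str, default_gateway: str):
    """A host's decision: same network part -> ('direct', dst), else ('gateway', gw).

    The netmask marks the network bits, so 255.255.255.0 is a /24.
    """
    local_net = ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(dst_ip) in local_net:
        return ("direct", dst_ip)
    return ("gateway", default_gateway)


def router_lookup(routes, dst_ip: str, public_edge: bool = False):
    """A router's decision: the longest matching prefix wins; '0.0.0.0/0' is the default route.

    routes is a list of (prefix, next_hop). With public_edge=True the router is
    facing a public network, so RFC1918 destinations are dropped (None) rather than forwarded.
    """
    if public_edge and is_rfc1918(dst_ip):
        return None
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


if __name__ == "__main__":
    # Constructed table for the diagram's router: the LAN on eth1, everything else upstream
    table = [("192.168.1.0/24", "eth1"), ("0.0.0.0/0", "11.12.13.1")]
    print(host_next_hop("192.168.1.2", "255.255.255.0", "192.168.1.4", "192.168.1.254"))
    print(host_next_hop("192.168.1.1", "255.255.255.0", "1.2.3.4", "192.168.1.254"))
    print(router_lookup(table, "1.2.3.4"), router_lookup(table, "10.0.0.5", public_edge=True))
```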

network address translation
Network Address Translation

  • Router translates inside addresses to outside as packets pass through
  • Allows reuse of scarce IP addresses
  • Allows multiple inside users to share one outside IP address
  • Prevents outside attackers reaching inside computers directly

[Diagram: local computer 192.168.1.1 on the local LAN 192.168.1.0/24 (with 192.168.1.2, 192.168.1.3 and 192.168.1.4) sends to www.xyz.com; the router or firewall forwards it as 11.12.13.14 (its outside IP) to www.xyz.com; the server's reply to 11.12.13.14 is translated back to 192.168.1.1]
dynamic nat
Dynamic NAT

  • One outside IP
  • Multiple inside IPs
  • Router uses different outbound port numbers for each connection
  • Router knows inside IP for reply packets based on port used
  • Does not work for unsolicited inbound traffic

[Diagram: 192.168.1.1:32000 to www.xyz.com:80 leaves the router or firewall (outside IP 11.12.13.14) as 11.12.13.14:32000 to www.xyz.com:80; the reply from www.xyz.com:80 to 11.12.13.14:32000 is mapped back to 192.168.1.1; the local LAN 192.168.1.0/24 also holds 192.168.1.2, 192.168.1.3 and 192.168.1.4]
static nat
Static NAT

  • Each inside IP maps to one outside IP
  • Outside IPs are independent of router IP
  • Port numbers preserved through NAT
  • Allows incoming traffic to outside IP
  • Needs inbound access lists to stop unwanted traffic getting to inside network

[Diagram: router IP 11.12.13.14; local LAN 192.168.1.0/24 with local computers 192.168.1.1 to 192.168.1.4; 192.168.1.1 to www.xyz.com leaves as 11.12.13.15 to www.xyz.com, and the reply to 11.12.13.15 returns to 192.168.1.1]

NAT TABLE:
192.168.1.1 > 11.12.13.15
192.168.1.2 > 11.12.13.16
192.168.1.3 > 11.12.13.17
192.168.1.4 > 11.12.13.18
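An added example (not part of the presentation) that models in Python the Dynamic NAT and Static NAT behaviour of the last two slides: dynamic flows share one outside IP and are told apart by outside port, unsolicited inbound packets to that IP are dropped, while a static 1:1 mapping preserves ports and lets unsolicited traffic in. The addresses are the constructed ones from the diagrams; keying the dynamic table on (outside port, remote endpoint) is an assumption for this model, not any particular router's implementation.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip or hostname, port)


class Nat:
    def __init__(self, outside_ip: str, static: Optional[Dict[str, str]] = None):
        self.outside_ip = outside_ip                  # shared by all dynamic flows
        self.static = static or {}                    # inside IP -> dedicated outside IP
        self.static_rev = {v: k for k, v in self.static.items()}
        self.next_port = 32000                        # outbound source ports start here
        self.flows: Dict[Tuple[Endpoint, Endpoint], int] = {}   # (inside, remote) -> outside port
        self.table: Dict[Tuple[int, Endpoint], Endpoint] = {}   # (outside port, remote) -> inside

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite the source of a packet leaving the LAN; returns the new source endpoint."""
        ip, port = src
        if ip in self.static:                         # static NAT: 1:1 and port preserved
            return (self.static[ip], port)
        key = (src, dst)
        if key not in self.flows:                     # dynamic NAT: new flow gets a new port
            self.flows[key] = self.next_port
            self.table[(self.next_port, dst)] = src
            self.next_port += 1
        return (self.outside_ip, self.flows[key])

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Rewrite the destination of a packet arriving from outside; None means drop it."""
        ip, port = dst
        if ip in self.static_rev:                     # static NAT: unsolicited traffic gets in,
            return (self.static_rev[ip], port)        # hence the slide's call for inbound ACLs
        return self.table.get((port, src))            # dynamic NAT: only replies to known flows


if __name__ == "__main__":
    nat = Nat("11.12.13.14", static={"192.168.1.4": "11.12.13.18"})
    print(nat.outbound(("192.168.1.1", 40000), ("www.xyz.com", 80)))        # 11.12.13.14:32000
    print(nat.inbound(("www.xyz.com", 80), ("11.12.13.14", 32000)))         # back to 192.168.1.1
    print(nat.inbound(("198.51.100.7", 4444), ("11.12.13.14", 32000)))      # unsolicited: None
    print(nat.inbound(("198.51.100.7", 4444), ("11.12.13.18", 22)))         # static: reaches .4
```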

domain name service dns
Domain Name Service (DNS)
  • IP addresses are non memorable and change frequently
  • DNS provides long lasting plain language names mapped to addresses
    • E.g. 85.189.17.65 = router.moffatig.com
  • DNS is a distributed hierarchical database
  • Root Servers are managed by US Government
  • Country and subject domains are managed by various agencies and contractors, e.g.
    • .co.uk by Nominet, a non-profit organisation
    • .com and .net by Verisign, Inc.
  • Most Internet Service Providers, Universities and Companies operate local DNS cache servers
  • Local users always query the cache server
  • Cache servers query up the chain until they find a name-to-address mapping or fail
  • Successful lookups are stored for a configurable time in the cache
tcp and udp ports
TCP and UDP Ports
  • TCP and UDP append a ‘port’ to the network address to identify a program or service running on each endpoint computer
  • The port is a 16 bit field in the TCP or UDP header so 65536 are available
  • The combination of address, protocol and port is called a “socket”
  • In general ports above 32,000 are used to source outbound connections
  • Ports below 1024 are used for well-known services
    • TCP:80 world wide web
    • TCP:25 SMTP mail delivery
    • UDP:53 Domain Name Service (DNS)
secure network design
Secure Network Design
  • NAT or DMZ
    • Network Address Translation (NAT) ‘hides’ a local network behind a single external internet connection
    • A DMZ provides 2 layers of defence and is better at blocking unwanted outbound traffic
  • NAT is appropriate to home and branch office environments
  • A DMZ is better suited to larger sites that have their own web and mail servers
  • DMZ proxies also allow mail and web traffic monitoring and control
simple nat network
Simple NAT Network

  • Typical Home LAN
  • One Outside IP
  • Multiple inside IPs
  • Any inside PC can connect outbound
  • No unsolicited traffic is allowed inbound
  • Not well suited to local web or mail servers
  • Can’t stop key loggers etc ‘phoning home’ without risk of blocking wanted outbound traffic.

[Diagram: the Internet; a router or firewall with the rules “Permit only replies IN” and “Permit any OUT”; the local LAN with the local computers]
dmz network
DMZ Network

  • No direct external connections
  • All traffic is filtered by secure servers in the DMZ
  • Safer and more controlled solution for large sites
  • Outbound connections via web proxies in DMZ only
  • Inbound connections to mail/web/file servers in DMZ only
  • Inside firewall permits traffic between the DMZ and the local LAN only
  • Outside firewall permits traffic to and from the DMZ only.

[Diagram: the Internet; outside or “screen” router or firewall (permit only DMZ traffic IN); DMZ LAN holding the mail server and web proxy; inside or “choke” router or firewall (permit only to DMZ); local LAN with the local computers]
firewalls and routers
Firewalls and Routers

  • Firewalls and routers connect two networks
  • Firewalls inspect traffic passing through and understand application protocol
  • Routers inspect individual packets and don’t understand connection state

[Diagram: the Internet; a router or firewall with the rules “Permit only replies IN” and “Permit any OUT”; the local LAN with the local computers]
firewalls vs routers
Firewalls vs Routers
  • Firewalls
    • based on general purpose microprocessors
    • aware of application sessions
    • can implement complex rules
    • Usually have graphical management interface
    • 10-1000Mbits/s throughput
    • include basic IP routing functions
  • Routers
    • based on custom silicon in large part
    • process packets individually
    • Usually have text configuration file
    • better at implementing simple rules on fast links
    • better at complex IP routing protocols
    • 10Mbits/s to 10GBits/s throughput
firewall inspection
Firewall Inspection

From: http://www.checkpoint.com/support/technical/documents/FWOpenLook.pdf

checkpoint firewall 1 gui
Checkpoint Firewall-1 GUI

From: http://www.checkpoint.com/support/technical/documents/FWOpenLook.pdf

router acl process
Router ACL process

[Flowchart: Packet In is tested against Rule 1, Rule 2 … Rule N in turn; the first rule that matches decides: Permit sends the packet out, Deny discards it (optionally with LOG); a packet that matches no rule reaches the Default, which is DISCARD]

  • Note:
  • This process is completely stateless (per-packet)
  • Normally packets that reach the default-deny are not logged
  • Performance is improved by putting frequently hit rules first
example router acl
Example Router ACL

access-list 101 remark *** Internet Inbound ACL
access-list 101 remark *** ICMP and established at top for efficiency
access-list 101 permit tcp any 85.189.17.64 0.0.0.7 established
access-list 101 permit icmp any 85.189.17.64 0.0.0.7 echo-reply
access-list 101 permit icmp any 85.189.17.64 0.0.0.7 unreachable
access-list 101 permit icmp any 85.189.17.64 0.0.0.7 ttl-exceeded
access-list 101 permit icmp any 85.189.17.68 0.0.0.3 echo
access-list 101 permit icmp any host 85.189.17.65 echo
access-list 101 remark *** Top 4 NAT IPs are statics for server
access-list 101 permit tcp any 85.189.17.68 0.0.0.3 eq www
access-list 101 permit tcp any 85.189.17.68 0.0.0.3 eq 443
access-list 101 permit tcp any 85.189.17.68 0.0.0.3 eq smtp
etc etc etc
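An added example, not from the presentation, that parses a subset of the ACL lines on the slide into rules and evaluates packets against them the way the flowchart describes: per packet with no state, first match wins, implicit deny at the end. The packet dictionary format and the port-name table are assumptions of this example; the wildcard-mask semantics (bits set to 1 are ignored) are Cisco's.

```python
# ACL text constructed from the slide's example (the "etc etc etc" tail omitted)
ACL = """\
access-list 101 remark *** Internet Inbound ACL
access-list 101 permit tcp any 85.189.17.64 0.0.0.7 established
access-list 101 permit icmp any 85.189.17.64 0.0.0.7 echo-reply
access-list 101 permit icmp any host 85.189.17.65 echo
access-list 101 permit tcp any 85.189.17.68 0.0.0.3 eq www
"""
PORT_NAMES = {"www": 80, "smtp": 25}  # Cisco port keywords used on the slide
def ip2int(s):
    return int.from_bytes(bytes(int(x) for x in s.split(".")), "big")
def _addr(tok, i):  # 'any' | 'host A' | 'A wildcard' -> (base, wildcard), next token index
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip2int(tok[i + 1]), 0), i + 2
    return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2
def _matches(addr, spec):
    base, wild = spec  # bits set in the wildcard mask are ignored in the comparison
    return (ip2int(addr) ^ base) & ~wild & 0xFFFFFFFF == 0
def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] == "remark":  # remarks are comments, not rules
            continue
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        opts = {}
        while i < len(tok):  # eq <port>, established, or an ICMP type name
            if tok[i] == "eq":
                opts["dport"], i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
            else:
                opts[tok[i]], i = True, i + 1
        rules.append((tok[2], tok[3], src, dst, opts))
    return rules
def evaluate(rules, pkt):
    """Stateless first match: (action, rule number), or ('deny', None) for the implicit default.
    pkt has proto, src, dst and, as relevant, dport, ack (True for a reply) and icmp_type."""
    for n, (action, proto, src, dst, opts) in enumerate(rules, 1):
        if proto != pkt["proto"] or not _matches(pkt["src"], src) or not _matches(pkt["dst"], dst):
            continue
        if ("dport" in opts and pkt.get("dport") != opts["dport"]) or (
                "established" in opts and not pkt.get("ack")):  # established = reply half only
            continue
        if opts.keys() - {"dport", "established"} and pkt.get("icmp_type") not in opts:
            continue  # rule names an ICMP type the packet does not carry
        return action, n
    return "deny", None  # implicit default deny, normally not logged
```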

proxies
Proxies
  • Intercept outbound communications
  • Apply filtering rules
  • Block dangerous content inbound
  • Can be
    • “opt in” – requiring browser configuration
    • “transparent” – using network to redirect web traffic through the proxy
  • All users appear to a web server as coming from the proxy
proxy operation
Proxy Operation

[Diagram: a local computer connects to the proxy server 192.168.0.253 and sends “GET: http://www.xyz.com/index.html”; the proxy checks its access rules, writes to its log files, then connects to www.xyz.com across the Internet and sends “GET: /index.html” to the web server]

available proxy solutions
Available Proxy Solutions
  • Windows - Microsoft ISA Server: http://www.microsoft.com/isaserver/default.mspx
  • UNIX/Linux – squid proxy: http://www.squid-cache.org/
  • Self contained appliance – Netapp Netcache: http://www.netapp.com/products/netcache/bluecoat.html
local investigation tools
Local Investigation Tools
  • Evidence Preservation
    • Norton Ghost
    • UNIX or Windows disk mirroring
  • Audit Logs
    • Windows Event Log or MOM
    • Log files in C:\Windows or C:\WinNT
    • UNIX Syslog and /var/log files
    • Firewall or Router logs
remote investigation tools
Remote Investigation Tools
  • Nslookup
  • Traceroute (unix) or tracert (Windows)
  • Whois
  • Port Scanners
nslookup
NSLOOKUP
  • Name to Address Mapping
  • Address to Name Mapping
traceroute
Traceroute
  • Finds path to remote host or IP
  • Will usually identify the attacker’s ISP
whois
WHOIS
  • Provides lookup of registered domain name and IP address owners
  • 3 regional registries for IP addresses
    • RIPE (Europe):
    • ARIN (Americas):
    • APNIC (Asia/Pacific):
  • Registries for each domain ending
    • .com: www.netsol.com
    • .co.uk: www.nominet.co.uk
port scanners
Port Scanners
  • Not nice to use on other people
  • A good thing for scanning one’s own network for security holes
  • I recommend NMAP which is included in many Linux distributions
packet sniffers
Packet Sniffers
  • Easiest independent check on traffic
  • May also spot private data and passwords in transit
  • Built in to most UNIX versions
    • snoop in Sun Solaris
    • tcpdump in Linux and BSD
  • Freeware for Windows
    • ethereal
    • wireshark
slide101
WEB02:~# tcpdump -i eth0 -s 0 -x port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:28:37.651756 IP web02.moffatig.com.47731 > 213.120.156.179.www: S 2409488259:2409488259(0) win 5840
0x0000: 4500 003c 435e 4000 4006 c186 c0a8 0303 E..
0x0010: d578 9cb3 ba73 0050 8f9d df83 0000 0000 .x...s.P........
0x0020: a002 16d0 89b1 0000 0204 05b4 0402 080a ................
0x0030: aaeb 9cdd 0000 0000 0103 0300 ............
17:28:40.651910 IP web02.moffatig.com.47731 > 213.120.156.179.www: S 2409488259:2409488259(0) win 5840
0x0000: 4500 003c 435f 4000 4006 c185 c0a8 0303 E..
0x0010: d578 9cb3 ba73 0050 8f9d df83 0000 0000 .x...s.P........
0x0020: a002 16d0 7df8 0000 0204 05b4 0402 080a ....}...........
0x0030: aaeb a896 0000 0000 0103 0300 ............
17:28:45.603093 IP 193.113.37.9.20654 > web02.moffatig.com.www: S 2349994328:2349994328(0) win 65535
0x0000: 4500 003c 12ff 0000 3406 c997 c171 2509 E..<....4....q%.
0x0010: c0a8 0303 50ae 0050 8c12 1158 0000 0000 ....P..P...X....
0x0020: a002 ffff 3498 0000 0204 05b4 0103 0300 ....4...........
0x0030: 0101 080a 0081 7d60 0000 0000 ......}`....
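An added example, not from the presentation, that decodes the hex of the first SYN packet above back into the fields tcpdump printed on its summary line (source 192.168.3.3, which is what web02.moffatig.com resolves to in the bytes c0a8 0303, port 47731; destination 213.120.156.179 port 80; sequence number 2409488259; window 5840) and verifies the IP header checksum. The hex constant is copied from the capture with the ASCII column dropped.

```python
import struct

# Hex bytes constructed from the first packet of the capture above (ASCII column dropped)
SAMPLE_HEX = (
    "4500 003c 435e 4000 4006 c186 c0a8 0303 "
    "d578 9cb3 ba73 0050 8f9d df83 0000 0000 "
    "a002 16d0 89b1 0000 0204 05b4 0402 080a "
    "aaeb 9cdd 0000 0000 0103 0300"
)
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 upwards in the flags field


def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the IPv4 header, checksum field included, must give 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4_tcp(hexdump: str) -> dict:
    """Decode an IPv4/TCP packet from tcpdump -x hex into the fields of the summary line."""
    raw = bytes.fromhex(hexdump)
    ihl = (raw[0] & 0x0F) * 4               # IP header length in bytes (20 without options)
    total_len, _ident, frag, ttl, proto = struct.unpack("!HHHBB", raw[2:10])
    if raw[0] >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    data_off = (off_flags >> 12) * 4        # TCP header length; this SYN carries 20 bytes of options
    return {
        "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
        "ttl": ttl, "dont_fragment": bool(frag & 0x4000), "ip_checksum_ok": ip_checksum_ok(raw[:ihl]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "flags": [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)],
        "payload_len": total_len - ihl - data_off,
    }


def summary(p: dict) -> str:
    """Rebuild a tcpdump-style summary: 'src.sport > dst.dport: S seq:seq+len(len) win n'."""
    flag_str = "".join(f[0] for f in p["flags"]) or "."
    end = p["seq"] + p["payload_len"]
    return (f"{p['src']}.{p['sport']} > {p['dst']}.{p['dport']}: {flag_str} "
            f"{p['seq']}:{end}({p['payload_len']}) win {p['window']}")


if __name__ == "__main__":
    print(summary(parse_ipv4_tcp(SAMPLE_HEX)))
```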

current security issues
Current Security issues
  • BOTNETS
    • Networks of hijacked PCs controlled remotely to send SPAM or do denial-of-service attacks on a remote system
    • Defeats most attempts to trace the source of an attack
    • Will require strict control of outbound traffic to stop infected PCs registering with a botnet
  • Highly randomised SPAM mail
    • Difficult to get rid of by subject or keyword filters
    • Distasteful or destructive content hidden in image files or embedded URLs
    • Requires pattern recognition to reliably block
    • The world really needs mailscanners that can interpret images
further reading
Further Reading
  • Data Protection Act 1998: http://www.opsi.gov.uk/acts/acts1998/19980029.htm#aofs
  • Regulation of Investigatory Powers Act 2000: http://www.opsi.gov.uk/Acts/acts2000/20000023.htm
  • Computer Misuse Act 1990: http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm
  • Regional Address Registries: http://www.ripe.net/ http://www.arin.net/index.shtml http://www.apnic.net
  • Computer Security Alerts: UNIRAS (UK): http://www.uniras.gov.uk/niscc/index-en.html USCERT: http://www.cert.org/ ISC: http://isc.sans.org/
  • Microsoft Baseline Security Analyser: http://www.microsoft.com/technet/security/tools/mbsahome.mspx