Securing Enterprise Network Infrastructure (Towards secure internetworking on Pakistan Educational Research Network) Dr. Adeel Akram UET Taxila
Outline
• Introduction to Enterprise Network
• Enterprise Network Architectures
• Securing Enterprise Networks
• Enterprise Network Security Requirements
• Pakistan Educational Research Network
• Types of Network Attacks and Vulnerabilities
• Case Studies
• Hacking of Educational and Govt. Websites !!!
• Lessons Learnt
• Recommendations
Introduction to Enterprise Network An enterprise network is the network that allows communication and resource sharing among all of a company's business functions and workers. In some cases an enterprise network may even include the company's suppliers, contractors and distributors. It consists of the hardware, software and media connecting the information technology resources of an organization.
Enterprise Network Security Requirements Network security has become increasingly difficult to manage and evaluate, even as industry and government compliance requirements have become more demanding.
Enterprise Network Security Requirements The network threats are real, and costly. Internal and external vulnerabilities can cause business disruption, loss of revenue, or loss of operational efficiencies. Because network security can be breached from both internal and external sources, traditional perimeter firewalls are not enough to protect the network.
Enterprise Network Security Requirements Enterprise networks require new network security tools, network appliances, and professional services to secure large and small networks. The following slides show key components of network security that are now required in all organizations to secure their networks:
Enterprise Security Key Components
• Unified Threat Management (UTM) Firewalls
• Network Access Control (NAC), or ROLE-based Networking
• Mobile Computer Client Protection
• Event Correlation and Log Analysis
• Layer-7 Visibility and Packet Analysis
• Managed Services
Enterprise Network Security Requirements • Unified Threat Management (UTM) Firewalls • It is too costly and operationally inefficient to add on each separate component as security threats emerge. Today's solutions use multiple scanning methods and multiple defense layers in high-throughput appliances. IDS/IPS, Anti-Virus, Content-Filtering, VPN, Anti-Spam, P2P control, etc. all need to be included in a network security solution.
Enterprise Network Security Requirements • Network Access Control (NAC), or ROLE-based Networking • Creating differentiated network services based on individual access requirements is the key. The era of every user's ability to browse to all network resources should be over. Role-based networking is required to limit visibility to networks, servers, and TCP/IP ports and protocols, regardless of the user's point-of-entry into the network.
Enterprise Network Security Requirements • Mobile Computer Client Protection • Also referred to as "Mobile NAC", all network devices that can leave and join the network need to have accountability and control regardless of location. The ability to control laptops, PDAs, and other mobile devices when they are not connected to a VPN session is a key requirement.
Enterprise Network Security Requirements • Event Correlation and Log Analysis • Security threats cannot be stopped by reviewing logs in "post-mortem" analysis. To stop "zero-day" threats, the network needs event-correlation and adaptive-response tools. While SNMP report tools are important for network engineers responsible for network health, other tools are required to correlate client, server, and firewall activities with computer application processes.
Enterprise Network Security Requirements • Layer-7 (Application Layer) Visibility and Packet Analysis • The ability to classify all applications regardless of port and protocol is essential for both security and performance analysis. In-line devices for analyzing and reporting network traffic across all OSI layers are essential for compliance, security assessment, and resolving performance issues.
Enterprise Network Security Requirements • Managed Services • Many companies cannot become experts in Cyber-Security, PC/Server Management, Regulatory Compliance, and Disaster Recovery. But even small businesses are impacted by critical data security threats and technology maintenance hurdles that detract from the core business goals. Managed Services offer expertise on a contractual basis.
Educational Enterprise Network Pakistan Education and Research Network
Pakistan Educational Research Network PERN - Pakistan Education and Research Network is the national research and education network of Pakistan, which connects the premier educational and research institutions of the country.
Pakistan Educational Research Network PERN focuses on collaborative research, knowledge sharing, resource sharing, and distance learning by connecting people through the use of Intranet and Internet resources.
Types of Network Attacks, Top Application Vulnerabilities, Top Attack Outcomes (charts; source: Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database)
FBI Cybercrime Investigation Procedure To ensure that your organization can react to an incident efficiently, make sure that staff know who is responsible for cyber security and how to reach them. The following steps will help you document an incident and assist federal, state, and local law enforcement agencies in their investigation (be sure to act in accordance with your organization's policies and procedures):
FBI Cybercrime Investigation Procedure
• Preserve the state of the computer at the time of the incident by making a backup copy of logs, damaged or altered files, and files left by the intruder.
• If the incident is in progress, activate auditing software and consider implementing a keystroke monitoring program if possible.
FBI Cybercrime Investigation Procedure To report an incident to the FBI, you can submit a tip report at https://tips.fbi.gov
• Document the losses suffered by your organization as a result of the incident. These could include:
• estimated number of hours spent in response/recovery
• cost of temporary help
• cost of damaged equipment
• value of data lost
• amount of credit given to customers for inconvenience
• loss of revenue
• value of any trade secrets
National Response Centre For Cyber Crimes
• To report an incident to the NR3C visit: http://www.nr3c.gov.pk
• Federal Investigation Agency Headquarters
• Sector-G-9/4, Islamabad
• Ph. 051-9261686, Fax. 051-9261685
NR3C units:
• CERT (Computer Emergency Response Team)
• Forensic Lab
• R&D
• Implementation of Standards & Procedures
• Media and Projection Cell
• Technology Development Center
• Network Operations & Security
• Liaison with LEA(s) & public/private sector organizations
• Trainings & Seminars
• Legal Regularity & Issues
Case Studies
• UET Taxila – Internal Website(s) Hacked
• HEC Website(s) – Hacked
• LUMS Website(s) – Hacked
• Ministry of Information and Broadcasting Website – Hacked
• FIA's National Response Center for Cyber Crime Website
Searched for traces of Hackers
• Event Viewer
• Application Logs
• System Logs
• Security Logs
• User Manager
• Any Account Modifications
• New Account Creation
• Rights requests
Checked Systems for Trojan Horses
• See if any backdoor was created on the system
• Try to figure out how the attackers managed to compromise the system
• Check Task Manager for any suspicious running process
• Check System/Firewall Security Logs
Checked Logs on the DHCP Server
• Cross-checked the MAC address of the attackers from their IP 169.254.2.57
• 00-01-02-08-37-A8
Checked Hostel Switch Logs
• Went to the Hostel Switch and checked which switch port this MAC address binds to
• Port Number 31 on Switch
• Consulted the Hostel Network Diagrams to find out the Room Number for Port # 31
• Room Number 41
Observations The site was hacked by our own students, who were doing an internship in the Network Center on Windows Server Administration. They were also developing the student-portal website on the same server and had been given administrative rights on the web server. They misused those rights to hack the site.
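The trace described on the previous slides (web server log → DHCP lease → switch MAC table → wiring diagram) can be scripted so it is repeatable during an investigation. The following is an added example, not code from the presentation or from UET Taxila; the access log lines and the three lookup tables are constructed here to mirror the case (IP 169.254.2.57, MAC 00-01-02-08-37-A8, port 31, room 41) and would in practice be exported from the web server, the DHCP server and the switch.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format); not real server output.
ACCESS_LOG = """\
169.254.2.57 - - [12/Aug/2007:10:02:11 +0500] "GET /examination/index.html HTTP/1.1" 200 5120
169.254.2.57 - - [12/Aug/2007:10:03:40 +0500] "PUT /examination/index.html HTTP/1.1" 201 0
169.254.2.91 - - [12/Aug/2007:10:05:02 +0500] "GET /examination/index.html HTTP/1.1" 200 311
"""
# Constructed DHCP lease table: IP -> MAC (exported from the DHCP server in practice)
DHCP_LEASES = {"169.254.2.57": "00-01-02-08-37-A8", "169.254.2.91": "00-0C-29-4F-11-02"}
# Constructed switch MAC address table: MAC -> port (from "show mac address-table" or the switch log)
SWITCH_MAC_TABLE = {"00-01-02-08-37-A8": 31, "00-0C-29-4F-11-02": 7}
# Constructed hostel wiring diagram: switch port -> room number
PORT_TO_ROOM = {31: 41, 7: 12}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_ips(log_text, methods=("PUT", "POST", "DELETE")):
    """Count, per client IP, the write-type requests that could have planted or altered pages."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) in methods:
            hits[m.group(1)] += 1
    return hits

def trace_ip(ip):
    """Follow the chain from the slides: IP -> MAC (DHCP) -> port (switch) -> room (diagram).
    Any missing hop yields None so a broken chain is visible rather than guessed."""
    mac = DHCP_LEASES.get(ip)
    port = SWITCH_MAC_TABLE.get(mac) if mac else None
    room = PORT_TO_ROOM.get(port) if port is not None else None
    return {"ip": ip, "mac": mac, "port": port, "room": room}

def investigate(log_text=ACCESS_LOG):
    """Trace every IP that issued a suspicious request back to a physical location."""
    return [trace_ip(ip) for ip in suspicious_ips(log_text)]

if __name__ == "__main__":
    for record in investigate():
        print(record)
```

Note that DHCP leases and MAC table entries age out, so the exports must be taken from the same time window as the web server log entries or the chain will point at the wrong room.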
The defacing of UET TAXILA’s Examination website in August 2007 http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/
Hacked by Whom?
• There were 5 main IP addresses that used the URL responsible for hacking and planting the pages on our alpha webserver !
• 126.96.36.199
• 188.8.131.52
• 184.108.40.206
• 220.127.116.11
• 18.104.22.168