Information Security Fundamentals - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Information Security Fundamentals' - tadhg


Presentation Transcript

Information Security Fundamentals

Chapter – X

Basic Networking

Network Access
  • TCP/IP is the protocol for communicating.
  • Like sending a letter
    • Home Address == IP address
    • Person == Port number
  • Computers have IP addresses
  • Applications have Port numbers
  • THERE ARE NO USERS IN THE NETWORK LAYER
Question

Argue for or against using IP address to represent a specific computer on the Internet

Port Numbers

Port numbers are divided into three ranges:

  • Well Known Ports: 0 - 1023
  • Registered Ports: 1024 - 49151
  • Dynamic/Private Ports: 49152 - 65535

The IETF regulates new protocols for well known and registered ports

www.ietf.org

Network access

The Internet Assigned Numbers Authority maintains the port to protocol registry

http://www.iana.org/assignments/port-numbers

TCP/IP
  • Privileged ports
    • Protocols running on ports 0-1023 are considered privileged
    • They are actively managed by IANA
    • On Windows and Unix there are services or daemons running all the time, “listening” for connections
    • Vulnerabilities in these listeners can cause problems
    • By default many systems have these services enabled
Vulnerabilities
  • FTP problems
    • Anonymous access (numerous)
    • Even security vendors’ products are affected (WatchGuard SOHO firewall)
    • Misconfigurations (FTP uses two ports, data and command; firewalls and FTP servers are often configured incorrectly)
Web vulnerabilities
  • MySpace – failure to properly filter scripts
  • Oracle Application Server Web Cache contains heap overflow vulnerability
  • iPlanet Web Server Enterprise Edition and Netscape ... and Netscape Enterprise Server malformed Web Publisher command causes denial-of-service
Standard services running on Fedora (Linux)

  • Conman – console services via telnet (remote mgt)
  • Dhcdbd – Dynamic Host Control Protocol
  • Hald – Hardware Abstraction Layer Daemon
  • Hsqldb – Java database connector
  • Httpd – Web server
  • ip6tables and iptables – IP tables – Linux basic firewall filter and IP protocol translator (more later)
  • Kudzu – Like boot time plug and play
  • Lisa – File services including Windows
  • NetworkManager and NetworkManagerDispatcher – switches TCP connections between physical interfaces (I/Fs)
  • Named – Domain Name Service
  • NFSD – Network File System
  • Nscd – Name (User) Service Cache – Allows you to use LDAP or Active Directory for Unix logins
  • Openvpn – Virtual Private Network
  • Portmap – For remote procedure call services – different from Windows
  • Postfix – Email services (only needed if you are a mail relay)
  • Rdisc – Router discovery
  • Saslauthd – Simple authentication for connection based services
  • Sendmail – the original
  • Syslog – local or network based event logging
  • Winbind – cross authentication for Windows to Linux users

For a good description of daemons on Fedora see:

http://aniz.wordpress.com/2007/03/20/services-and-daemons-running-in-linux-fedora/

Security Rule #3

The fundamental problem with networking is the lack of authentication

TCP Origins
  • Designed in the late 1970s as a replacement for the IMP protocol
  • Requirements were for guaranteed delivery
  • Because computers were so new – authentication was assumed
  • Arpanet officially converted to TCP by 1983
When did problems really start to happen?
  • Rapid adoption due to WWW
  • Early to mid ’90s
    • States start to look at adding criminal liability for hacking
    • NSF gives up control and commercial utilization expands
    • Hacking becomes a pastime
Hacker Tools trend

[Chart: hacking tools plotted against the relative technical complexity needed by the average intruder, 1980–1995. Tools labelled on the chart: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, self-replicating code, hijacking sessions, stealth diagnostics, sniffers/sweepers, packet forging/spoofing, GUI.]

Source: GAO Report to Congress, 1996

Commercial Response
  • Early Firewalls were developed
    • Trusted Information Systems developed the “firewall toolkit” – free in source code form
    • Sold by TIS to commercial users
    • Proxy based
OSI Stack
  • http://www.commsdesign.com/design_corner/OEG20030416S0015
IP header:

  • http://www.networksorcery.com/enp/protocol/ip.htm
Internet Address. A 32-bit value that contains the network and host number fields. There are five classes of internet addresses; the class indicates the size of the network and host fields. Internet addresses are commonly displayed in dotted decimal notation, format XXX.XXX.XXX.XXX.

  • http://www.networksorcery.com/enp/protocol/ip.htm
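The classful decoding the slide describes, worked as an added example that is not part of the original slides: the parser validates the dotted-decimal form, then derives the class and the network and host number fields from the leading bits of the 32-bit value. Class letters and field widths follow the classful scheme; class D and E addresses have no network/host split.

```python
# Added example, not from the slides: classful decoding of an IPv4 address.
import re

_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# The leading bits of the 32-bit value select the class, and the class fixes
# the width of the network field; the remaining bits are the host field.
# Class D (multicast) and class E (reserved) have no network/host split.
_CLASSES = (  # (leading bits, number of leading bits, class, network bits)
    (0b0, 1, "A", 8),
    (0b10, 2, "B", 16),
    (0b110, 3, "C", 24),
    (0b1110, 4, "D", None),
    (0b1111, 4, "E", None),
)

def parse_ipv4(text):
    """Return the 32-bit integer for a dotted-decimal string; reject anything else."""
    m = _DOTTED.match(text.strip())
    if not m:
        raise ValueError(f"not dotted decimal: {text!r}")
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value

def classify(text):
    """Return (class letter, network field, host field); fields are None for D/E."""
    value = parse_ipv4(text)
    for bits, width, letter, net_bits in _CLASSES:
        if value >> (32 - width) == bits:
            if net_bits is None:
                return letter, None, None
            host_bits = 32 - net_bits
            return letter, value >> host_bits, value & ((1 << host_bits) - 1)
    raise AssertionError("every 32-bit value matches one of the classes above")

def to_dotted(value):
    """Inverse of parse_ipv4, for displaying a 32-bit value."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))
```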
Proxy based firewalls – a tale of Irony

[Diagram: packets from the Internet with Dst addr 172.41.92.0:80 arrive at the proxy, which decides “Allow or Deny”; numbered packets (1–4) are drawn on both sides of the proxy.]

Benefits of a TCP Proxy

[Diagram: TCP/IP packet streams numbered 1–5 on the client side and on the server side of the proxy; a legend marks one packet as malformed.]

  • Traffic Grooming
    • Timeouts and retransmissions from clients are eliminated
    • TCP segments are all in order (no dropped or out-of-order packets)
    • Optimizes MTU to server
  • DoS Attack Mitigation
    • Since incoming TCP/IP headers are stripped off, common protocol-based hacking attacks don’t pass through
    • Malformed (often malicious) TCP/IP packets are dropped before they ever get to the server
    • Unused TCP service ports can be blocked (example: only ports 80, 25 and 443 are left open)

Hackers Manipulate TCP/IP Headers to Attack Servers

[Diagram: attack labels placed over the TCP header and the IP header. Labels: Port Scanning, TCP ACK Flood, Session Hijacking, WinNuke, Tear Drop and Jolt2 (fragmentation attacks), XMAS Tree (all flags = 1), Hiding viruses via TTL crafting.]
TCP Proxy Operation Provides Powerful Attack Mitigation
  • TCP Proxy Operation Filters Out Common Layer 3-4 DoS Attacks
    • IP Fragmentation Attacks (Tear Drop, Tiny Packet, Jolt2, etc)
    • Malformed TCP Headers (XMAS, FIN w/o ACK, etc)
    • WinNuke (URG flags sent to Port 139 of a PC running Windows)
    • TCP Port Scanning
    • TCP ACK floods
    • Stealth attacks using crafted Time-to-Live (TTL) fields in IP headers
    • Protects against future protocol-based attacks
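The header checks a TCP proxy makes before forwarding a segment, as an added example that is not part of the original slides: the parser unpacks the fixed RFC 793 TCP header and the checker reports the malformed flag combinations listed above (XMAS, FIN without ACK, URG to port 139 as in WinNuke) plus a bad data offset. The sample headers are constructed with build_tcp_header purely for the checks.

```python
# Added example, not from the slides: parse a raw TCP header and report the
# flag combinations the slides list as malformed, which a proxy or filter drops
# before they reach the server. Sample headers are constructed for the test.
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp_header(data):
    """Unpack the fixed 20-byte TCP header (RFC 793 layout) into a dict."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4,   # header length in bytes
            "flags": off_flags & 0x3F,               # the six RFC 793 flag bits
            "window": win, "urgent_ptr": urg}

def flag_names(flags):
    return {name for name, bit in TCP_FLAGS.items() if flags & bit}

def malformed_reasons(hdr):
    """Return the reasons a segment should be dropped (empty list if it is fine)."""
    f = flag_names(hdr["flags"])
    reasons = []
    if f == set(TCP_FLAGS):
        reasons.append("XMAS: all flags set")
    elif "SYN" in f and ("FIN" in f or "RST" in f):
        reasons.append("SYN combined with FIN/RST")
    if "FIN" in f and "ACK" not in f:
        reasons.append("FIN without ACK")
    if not f:
        reasons.append("no flags set")
    if "URG" in f and hdr["dport"] == 139:
        reasons.append("URG data to port 139 (WinNuke pattern)")
    if hdr["data_offset"] < 20:
        reasons.append("data offset below the 20-byte minimum")
    return reasons

def build_tcp_header(sport, dport, flags, offset_words=5):
    """Constructed sample header for testing; checksum is left at zero."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                       (offset_words << 12) | flags, 8192, 0, 0)

def check_segment(data):
    """Convenience wrapper: raw header bytes in, list of drop reasons out."""
    return malformed_reasons(parse_tcp_header(data))
```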
Operating System (OS) Fingerprinting
  • DoS attackers usually need to identify the OS running on the target server(s) or host(s) in order to select the appropriate attack method
  • Fingerprinting techniques query the target’s TCP/IP stack and then analyze the responses (ex: NMAP, QueSO)
  • TCP/IP stacks differ in how they respond to legal and illegal queries; hence their responses form a fingerprint identifying the OS and version

[Diagram: TCP/IP queries are sent to a target host running OpenBSD v2.4; the TCP/IP responses from the target host lead the observer to conclude: “Ah, these responses indicate the server’s OS is OpenBSD v2.4”]

Popular Fingerprinting Methods
  • TCP Proxying Thwarts Popular Fingerprinting Methods [1] Such As:
    • FIN probe
    • Bogus Flag
    • TCP ISN sampling
    • DF flag set in IP header
    • TCP Initial Window
    • ACK value
    • TCP options
    • ICMP Messages
    • IP Fragmentation Handling

[1] Information is from “Remote OS Detection via TCP/IP Stack Fingerprinting”, available at

http://www.insecure.org/nmap/nmap-fingerprinting-article.html

“Stateful” Inspection

Compares Dst addr/port for allow or deny access

Usually allows all outbound connections to flow freely

[Diagram: inbound packets numbered 1–4 to Dst addr 172.41.92.0:80 pass an “Allow or Deny” check; outbound packets pass with no inspection.]


Allowing all outbound connections

What kind of questions would you ask before creating that as your policy?

Which is “more” secure?
  • Neither Cisco's PIX Firewall, nor the Context-Based Access Control (CBAC) feature of Cisco's IOS Firewall Feature Set, protects hosts against certain denial of service attacks involving fragmented IP packets.
  • Out of order packet processing does not happen on most inspection based firewalls.
  • Fragments are passed through unmodified on CheckPoint, Cisco, Juniper
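A simulation of the “stateful inspection” behaviour described above, as an added example that is not part of the original slides: new inbound connections are judged only on their destination address and port against a rule table, while outbound connections are allowed without inspection but recorded so that their replies can come back in. The internal prefix, the rule table and the addresses are constructed; 172.41.92.0:80 is the slide’s own example destination.

```python
# Added example, not from the slides: a minimal stateful-inspection filter.
from collections import namedtuple

# syn=True marks the first packet of a connection attempt
Packet = namedtuple("Packet", "src sport dst dport syn")

INTERNAL_PREFIX = "10.0.0."        # constructed: "inside" addresses start with this
INBOUND_RULES = {                  # hypothetical rule table: (dst addr, dst port) -> allow
    ("172.41.92.0", 80): True,
    ("172.41.92.0", 443): True,
}

class StatefulFilter:
    def __init__(self, rules=INBOUND_RULES):
        self.rules = rules
        self.state = set()         # tracked connections as (src, sport, dst, dport)

    @staticmethod
    def _internal(addr):
        return addr.startswith(INTERNAL_PREFIX)

    def decide(self, pkt):
        """Return 'allow' or 'deny' for one packet and update the state table."""
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            return "allow"         # belongs to a connection we already let through
        if not pkt.syn:
            return "deny"          # claims to be mid-connection but nothing matches
        outbound = self._internal(pkt.src) and not self._internal(pkt.dst)
        if outbound:
            self.state.add(forward)   # no inspection on the way out, just track it
            return "allow"
        if self.rules.get((pkt.dst, pkt.dport), False):
            self.state.add(forward)   # inbound: dst addr/port matched a rule
            return "allow"
        return "deny"              # new inbound connection to an unlisted service
```

A non-initial IP fragment carries no port numbers, so a filter keyed on this tuple cannot classify it on its own; that is the gap behind the fragment handling noted on the slide above.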
Why were “stateful inspection” FWs more popular?
  • Proxy Firewalls are slower
  • Initial releases were source code only
  • Proxy Firewalls couldn’t deal with new complicated protocols (H.323 – VoIP) without upgrades
  • #1 Reason – Check Point had a GUI
Security Rule #4

To make security ubiquitous it has to be easy to use

With the advent of Firewalls we now have

  • Authentication – Who or what am I?
  • Authorization – What am I permitted to do?
  • Access Control – Rules that grant or deny access to a resource
  • Audit & Monitoring – Log and monitor what actually happens

Network Privacy

Introducing the VPN

VPN - Definition
  • A virtual private network (VPN) is a private communications network often used by companies or organizations, to communicate confidentially over a public network.
History
  • Two major types:
    • IPSEC
    • SSL VPNs
  • Initially popular because there was a great ROI to move from private leased lines (telco) for the free (relatively) transport of the Internet
IPSEC
  • RFC 2401 Security Architecture for IP Nov’98
    • Designed by really smart people – S.Kent BBN
    • To “provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services”
    • By Authenticating - IP Authentication Header (AH)
    • And Encapsulating – (encrypting payload data)
  • BUT
    • Because these security services use shared secret values (cryptographic keys), IPsec relies on a separate set of mechanisms for putting these keys in place.
  • http://rfc.net/rfc2401.html#s3.1
SSL VPN
  • RFC 2246 – TLS, Jan ’99
    • Taher Elgamal, a noted cryptographer, invented SSL in the mid ’90s
    • Designed for anonymous clients (internet browsers) to authenticated servers
    • Authentication protocol is built in.
    • De facto standard until RFC 2246
    • Open sourced: www.openssl.org
    • Microsoft tried to create a proprietary version to combat Netscape’s popularity
SSL

  • Secure Sockets Layer (SSL) is the de facto method for protecting web data in transit
  • Built into every major web browser today
  • Also used for:
    • Wireless
    • Instant Messaging
    • VPNs
    • Secure email
    • EDI
    • Web Services
    • eGovernment

[Screenshot: browser window showing an HTTPS URL and the SSL secured “lock” icon]

Interoperability of IPSEC VPNs
  • A BIG problem
  • What kinds of issues might cause Interoperability issues?
In order to do cryptography you have to share a secret
  • The problem with IPSEC was there were too many ways to share the secret
    • Skipjack
    • ISAKMP
    • Oakley
    • IKE
    • Son of IKE
Some people have solved the interoperability problem

http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NG+Linux-FreeSWAN-Gateway.html#checkpoint

IPSEC vs SSL

[Slide: two-column comparison, SSL vs IPSEC]

Advances in VPNs
  • Integrated anti-spyware
  • Policy enforcement with VPN-1
  • Secure auto-remediation to aid security policy compliance
  • Outbound threat protection
With VPNs – for a select group of users

  • Authentication – Who or what am I?
  • Authorization – What am I permitted to do?
  • Access Control – Rules that grant or deny access to a resource
  • Audit & Monitoring – Log and monitor what actually happens

Vulnerability Assessment
  • As firewall usage and Internet usage continued to grow there was no “good” way to validate firewall effectiveness
Vulnerability Assessment
  • Basically taking attack tools and running them against your own resources
  • In the early days you had to be careful
    • Nabisco
    • Large automotive Manufacturer
To make VA work
  • You need to “discover” all the nodes you want to test
    • Nmap http://insecure.org/nmap/
  • Try to run destructive tests in non-destructive mode
  • Have a lot of time available
  • Sometimes difficult to access the subnets you want to test
VA was great but…

If you ran VA against an out-of-the-box Windows system it would generate over 200 vulnerabilities

VA was overwhelming
  • Common Vulnerabilities and Exposures
    • cve.mitre.org/
    • Common Vulnerability Scoring
      • http://nvd.nist.gov/cvss.cfm
  • Integrated with workflow
    • Vulnerability management
    • Patch Management
  • Still didn’t give you a THREAT posture
    • Because THREAT is context sensitive
Why are threats context sensitive?

[Diagram: a network drawn with the threat labels Unauth PDA, SQL Slammer, Rogue Access and SCANNER placed around it]

SQL Slammer
  • DB – High asset value x High Risk VA means High Threat
  • What if the database is NOT accessible from the Internet?
  • What if the database is surrounded by routers which filter for SQL Slammer?
  • VA can’t tell you the likelihood of an event occurring
Threat Management
  • Today there are tools that allow you to create and evaluate threat scenarios
  • http://www.redseal.net/interactive_demo_v07.html
Another FW problem
  • Auditing and Monitoring
    • Firewalls generate HUGE logs
      • A simple T1 connection can generate over 1 GB/day
    • Firewalls don’t understand the full range of threats
Solution - IDS
  • Intrusion Detection Systems
    • Monitors network connections for “malware” specific to TCP/ICMP/UDP and other network protocols
    • Does NOT Detect malware in files
IDS has been around for a LONG time
  • 1983, SRI International: Dr. Dorothy Denning developed a system to monitor mainframe events
  • 1984 – SRI sponsored research into login tracking on the Arpanet
  • 1988 – Air Force sponsored DIDS
    • Led to NetRanger (now Cisco IDS)
    • ISS’s RealSecure
  • 1996 – Dr. Peter Neumann at SRI conceptualized EMERALD
  • 1997-1998 – First commercial applications
IDS Today
  • Snort
    • Opensource
  • Numerous commercial solutions
  • Continuing research by federal government
IDS – How it works
  • Signatures == State diagrams

[Diagram: a state machine running from an Initial state through Bad State #1 … Bad State #N to Hack]

Things IDS systems look for
  • Bad flags
  • Bad protocol transitions
    • FTP moves to a directory it shouldn’t
    • An HTTP send without a get
    • Sendmail commands out of order
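One way to express the “signature == state diagram” idea from the IDS slides in code, as an added example that is not part of the original slides: a table of allowed command transitions for the client side of an SMTP session (constructed and deliberately minimal) and an engine that reports any command not legal in the current state, which is the “Sendmail commands out of order” case above. The engine is table-driven, so the same loop serves another protocol given its own table.

```python
# Added example, not from the slides: a protocol state machine used as an IDS
# signature. Any client command that is not a legal transition from the current
# state is reported as a bad protocol transition.

SMTP_TRANSITIONS = {   # constructed, minimal: state -> {command: next state}
    "INITIAL": {"HELO": "GREETED", "EHLO": "GREETED", "QUIT": "DONE"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED", "QUIT": "DONE"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "NOOP": "MAIL", "QUIT": "DONE"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED",
                "NOOP": "RCPT", "QUIT": "DONE"},
    "DATA":    {".": "GREETED"},        # the message body ends with a lone "."
    "DONE":    {},                      # nothing is legal after QUIT
}

def command_word(line):
    """First token of a client line, upper-cased: 'MAIL FROM:<a@b>' -> 'MAIL'."""
    return line.strip().split(" ", 1)[0].rstrip(":").upper()

def inspect_session(lines, transitions=SMTP_TRANSITIONS, start="INITIAL"):
    """Walk the client's lines through the state table.

    Returns (final_state, alerts); each alert is (line_number, state, command)
    for a command that was not legal in the state the session was in.
    """
    state = start
    alerts = []
    for number, line in enumerate(lines, start=1):
        if state == "DATA" and line.strip() != ".":
            continue                    # body text is not a command
        cmd = command_word(line)
        nxt = transitions.get(state, {}).get(cmd)
        if nxt is None:
            alerts.append((number, state, cmd))   # bad protocol transition
            continue                    # stay put and keep watching
        state = nxt
    return state, alerts
```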
IDS algorithms
  • Protocol conformity
  • Signatures
  • Anomaly Detection
IDS limitations
  • Speed
    • Keeping track of all connections and all their state requires lots of CPU and memory
    • General purpose CPUs not so great at packet processing
    • Most high end Network IDS systems use special purpose hardware
IDS Problems
  • Accuracy
    • Because IDS systems DO NOT understand the target vulnerabilities…
IDS problems
  • Often only set up on the Internet gateway, so they miss
    • Accidental worms let loose by internal users or guests
  • Most cannot handle “day zero” attacks
    • Even if you had IDS, SQL Slammer would have been missed
  • Require a lot of tuning
Some final thoughts on Firewalls
  • Proxies are back in style
    • To deal with application attacks
  • More companies are implementing outbound filtering
    • But it is so easy to tunnel over SSL, and many services offer SSL based remote connectivity
Circumventing the firewall
  • “Thanks for the push! It's really strange - I can get an ssh login out of the firewall, but when I try to hit one of the forwarded ports, I get the dreaded "administratively prohibited" error. I didn't know that a firewall could distinguish a forwarded port from an interactive login. But I noticed that SDF also provides sshd on port 443, and when I went in that way, it worked like a charm. Well worth the $36 fee.”
Circumventing the firewall
  • There is even a patent issued to a now bankrupt company on how to tunnel VOIP through firewalls.

(without changing the firewall rules of course)