Information Security Fundamentals - PowerPoint PPT Presentation

Presentation Transcript

  1. Information Security Fundamentals Chapter – X Basic Networking

  2. Network Access • TCP/IP is the protocol for communicating. • Like sending a letter • Home Address == IP address • Person == Port number • Computers have IP addresses • Applications have Port numbers • THERE ARE NO USERS IN THE NETWORK LAYER

  3. Question Argue for or against using IP address to represent a specific computer on the Internet

  4. Port Numbers • Port numbers are divided into three ranges • Well Known Ports: 0-1023 • Registered Ports: 1024-49151 • Dynamic/Private Ports: 49152-65535 • The IETF regulates new protocols for well known and registered ports

  5. Network access The Internet Assigned Numbers Authority maintains the port to protocol registry

  6. TCP/IP • Privileged ports • Protocols running on ports 0-1023 are considered Privileged • They are actively managed by IANA • On Windows and Unix there are services or daemons running all the time “listening” for connections • Vulnerabilities in these listeners can cause problems • By default many systems have these services enabled

  7. Vulnerabilities • FTP problems • anonymous access (numerous) • Even security vendors’ products are affected (WatchGuard SOHO firewall) • Misconfigurations (FTP uses 2 ports, data and command; firewalls and FTP servers are often configured incorrectly)

  8. Web vulnerabilities • Myspace – failure to properly filter scripts • Oracle Application Server Web Cache contains heap overflow vulnerability • iPlanet Web Server Enterprise Edition and Netscape ... and Netscape Enterprise Server malformed Web Publisher command causes denial-of-service

  9. Standard services running on Fedora (Linux)
  • Conman – console services via telnet (remote mgt)
  • Dhcdbd – Dynamic Host Configuration Protocol
  • Hald – Hardware Abstraction Layer Daemon
  • Hsqldb – Java Database connector
  • Httpd – Web server
  • ip6tables and iptables – IP tables – Linux basic firewall filter and IP protocol translator (more later)
  • Kudzu – Like boot time plug and play
  • Lisa – File services including Windows
  • NetworkManager and NetworkManagerDispatcher – switches TCP connections from physical I/Fs
  • Named – Domain Name Service
  • NFSD – Network File System
  • Nscd – Name (User) Service Cache – Allows you to use LDAP or Active Directory for Unix logins
  • Openvpn – Virtual Private Network
  • Portmap – For remote procedure call services – different from Windows
  • Postfix – Email services (only needed if you are a mail relay)
  • Rdisc – Router discovery
  • Saslauthd – Simple authentication for connection based services
  • Sendmail – the original
  • Syslog – local or network based event logging
  • Winbind – cross authentication for Windows to Linux users
  For a good description of daemons on Fedora see:

  10. Security Rule #3 The fundamental problem with networking is the lack of authentication

  11. TCP Origins • Designed in the late 1970’s as a replacement for the IMP protocol • Requirements were for guaranteed delivery • Because computers were so new – authentication was assumed • Arpanet officially converted to TCP by 1983

  12. When did problems really start to happen? • Rapid adoption due to WWW • Early-Mid ’90s • States start to look at adding criminal liability for hacking • NSF gives up control and commercial utilization expands • Hacking becomes a pastime

  13. Hacker Tools trend (chart: Relative Technical Complexity of hacking tools vs. the Average Intruder, 1980-1995) • password guessing • password cracking • self-replicating code • exploiting known vulnerabilities • disabling audits • back doors • hijacking sessions • sniffer / sweepers • stealth diagnostics • packet forging / spoofing • GUI tools Source: GAO Report to Congress, 1996

  14. Commercial Response • Early Firewalls were developed • Trusted Information Systems developed the “firewall toolkit” – free in source code form • Sold by TIS to commercial users • Proxy based

  15. OSI Stack (diagram not included in the transcript)

  16. IP header (diagram not included in the transcript)

  17. Internet Address. A 32-bit value that contains the network and host number fields. There are five classes of internet addresses; the class indicates the size of the network and host fields. Internet addresses are commonly displayed in dotted decimal notation format XXX.XXX.XXX.XXX.
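The classful split described on this slide, worked through as an added example (not code from the slides). It parses a dotted-decimal address into its 32-bit value, picks the class from the leading bits, and returns the network and host number fields; class D and E addresses have no such split, so those fields come back as None.

```python
# Added example: classful decoding of a dotted-decimal IPv4 address.
# Rules assumed: class A = leading bit 0 (8-bit network), B = 10 (16-bit),
# C = 110 (24-bit), D = 1110 (multicast), E = 1111 (reserved).
CLASS_RULES = [
    # (class, leading-bit pattern, number of leading bits, network-field bits)
    ("A", 0b0, 1, 8),
    ("B", 0b10, 2, 16),
    ("C", 0b110, 3, 24),
    ("D", 0b1110, 4, None),   # multicast: no network/host split
    ("E", 0b1111, 4, None),   # reserved
]

def parse_dotted(addr: str) -> int:
    """Convert 'a.b.c.d' to a 32-bit integer, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {addr!r}")
    value = 0
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"bad octet {p!r} in {addr!r}")
        value = (value << 8) | int(p)
    return value

def classify(addr: str) -> dict:
    """Return the class and the network/host number fields of a classful address."""
    value = parse_dotted(addr)
    for cls, pattern, nbits, net_bits in CLASS_RULES:
        if value >> (32 - nbits) == pattern:
            break
    if net_bits is None:
        return {"address": value, "class": cls, "network": None, "host": None}
    host_bits = 32 - net_bits
    return {
        "address": value,
        "class": cls,
        "network_bits": net_bits,
        "network": value >> host_bits,             # network number field
        "host": value & ((1 << host_bits) - 1),    # host number field
    }
```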

  18. Proxy based firewalls – a tale of irony (diagram: numbered packets from the Internet pass through the proxy, which checks Dst addr and decides Allow or Deny)

  19. 1 4 3 5 2 1 2 4 3 5 2 1 3 4 5 1 2 3 4 5 1 3 4 5 2 1 2 3 4 5 1 2 3 4 5 1 2 Benefits of a TCP Proxy TCP/IP Packet Streams • Traffic Grooming • Timeouts and retransmissions from clients are eliminated • TCP segments are all in order (no dropped or out-of-order packets) • Optimizes MTU to server • DoS Attack Mitigation • Since incoming TCP/IP headers are stripped off, common protocol-based hacking attacks don’t pass through • Malformed (often malicious) TCP/IP packets are dropped before they ever get to the server • Unused TCP service ports can be blocked (example: only traffic to ports 80, 25 and 443 are left open) = Malformed Packet 3

  20. Hackers Manipulate TCP/IP Headers to Attack Servers (diagram: attacks mapped onto the TCP header and IP header) • Port Scanning • TCP ACK Flood • Session Hijacking • WinNuke • Tear Drop, Jolt2 (Fragmentation Attacks) • XMAS Tree (All Flags = 1) • Hiding Viruses Via TTL Crafting

  21. TCP Proxy Operation Provides Powerful Attack Mitigation • TCP Proxy Operation Filters Out Common Layer 3-4 DoS Attacks • IP Fragmentation Attacks (Tear Drop, Tiny Packet, Jolt2, etc) • Malformed TCP Headers (XMAS, FIN w/o ACK, etc) • WinNuke (URG flags sent to Port 139 of a PC running Windows) • TCP Port Scanning • TCP ACK floods • Stealth attacks using crafted Time-to-Live (TTL) fields in IP headers • Protects against future protocol-based attacks
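The header checks a TCP proxy applies before a segment reaches the server, as an added example (not from the slides): it unpacks a raw 20-byte TCP header and reports which rule from slides 19-21 would drop it (XMAS tree, FIN without ACK, URG to port 139, unused service port). Sample headers are built inline; the flag values and the port allow-list are the ones the slides name, and the rule names are assumed.

```python
# Added example: TCP header sanity checks in the style of a proxy firewall.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG   # "XMAS tree": all flags = 1
NETBIOS_PORT = 139                               # WinNuke target (slide 21)
ALLOWED_PORTS = {80, 25, 443}                    # only these left open (slide 19)

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=8192):
    """Pack a minimal 20-byte TCP header (data offset 5, no options)."""
    offset_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)

def parse_tcp_header(data):
    """Unpack the fixed part of a TCP header; raise on truncated input."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"src_port": src, "dst_port": dst, "flags": off_flags & 0x3F,
            "data_offset": (off_flags >> 12) * 4, "urg_ptr": urg}

def proxy_verdict(data):
    """Return 'pass', or 'drop: <rule>' naming the first rule the segment violates."""
    try:
        h = parse_tcp_header(data)
    except ValueError:
        return "drop: truncated header"
    f = h["flags"]
    if h["data_offset"] < 20:
        return "drop: malformed data offset"
    if f == ALL_FLAGS:
        return "drop: XMAS tree (all flags set)"
    if f == 0:
        return "drop: null flags"
    if f & SYN and f & FIN:
        return "drop: SYN+FIN"
    if f & FIN and not f & ACK:
        return "drop: FIN without ACK"
    if f & URG and h["dst_port"] == NETBIOS_PORT:
        return "drop: WinNuke (URG to port 139)"
    if h["dst_port"] not in ALLOWED_PORTS:
        return "drop: unused service port"
    return "pass"
```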

  22. Operating System (OS) Fingerprinting • DoS attackers usually need to identify the OS running on the target server(s) or host(s) in order to select the appropriate attack method • Fingerprinting techniques query the target’s TCP/IP stack and then analyze the responses (ex: NMAP, QueSO) • TCP/IP stacks differ in how they respond to legal and illegal queries; hence their responses form a fingerprint identifying the OS and version (diagram: TCP/IP queries sent to the target host, TCP/IP responses returned from it; “Ah, these responses indicate the server’s OS is OpenBSD v2.4”)

  23. Popular Fingerprinting Methods • TCP Proxying Thwarts Popular Fingerprinting Methods [1] Such As: • FIN probe • Bogus Flag • TCP ISN sampling • DF flag set in IP header • TCP Initial Window • ACK value • TCP options • ICMP Messages • IP Fragmentation Handling [1] Information is from “Remote OS Detection via TCP/IP Stack Fingerprinting”, available at

  24. “Stateful” Inspection • Compares Dst addr/port for allow or deny access • Usually allow all outbound connections to flow freely (diagram: numbered packets checked against Dst addr for Allow or Deny; one path labelled “No inspection”)
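A toy model of the policy on this slide, as an added example (not from the slides): outbound connections are allowed freely but recorded in a state table, inbound packets are admitted only if they are replies to a recorded connection or match an explicit dst addr/port rule, and state entries expire after a timeout. Addresses, ports and the timeout are constructed sample values.

```python
# Added example: a minimal "stateful inspection" filter (constructed sample policy).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" (inside -> Internet) or "in" (Internet -> inside)

class StatefulFilter:
    def __init__(self, inbound_rules, state_timeout=3):
        # (dst addr, dst port) pairs that may be reached without prior outbound traffic
        self.inbound_rules = set(inbound_rules)
        # (inside addr, inside port, remote addr, remote port) -> ticks since last seen
        self.table = {}
        self.timeout = state_timeout

    def tick(self):
        """Age every state entry; drop entries idle for the full timeout."""
        self.table = {k: v + 1 for k, v in self.table.items() if v + 1 < self.timeout}

    def check(self, pkt):
        if pkt.direction == "out":
            # Outbound flows freely, but is remembered so the reply can come back.
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = 0
            return "allow"
        # An inbound reply matches the reversed 4-tuple of a recorded connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            self.table[key] = 0
            return "allow (established)"
        if (pkt.dst, pkt.dport) in self.inbound_rules:
            return "allow (rule)"
        return "deny"
```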

  25. Allowing all outbound connections What kind of questions would you ask before creating that as your policy?

  26. Which is “more” secure? • Neither Cisco's PIX Firewall, nor the Context-Based Access Control (CBAC) feature of Cisco's IOS Firewall Feature Set, protects hosts against certain denial of service attacks involving fragmented IP packets. • Out of order packet processing does not happen on most inspection based firewalls. • Fragments are passed through unmodified on CheckPoint, Cisco, Juniper

  27. Why were “stateful inspection” FWs more popular? • Proxy Firewalls are slower • Initial releases were source code only • Proxy Firewalls couldn’t deal with new complicated protocols (H.323 – VoIP) without upgrades • #1 Reason – Check Point had a GUI

  28. Security Rule #4 To make security ubiquitous it has to be easy to use

  29. With the advent of Firewalls we now have • Authentication – Who or what am I? • Authorization – What am I permitted to do? • Access Control – Rules that grant or deny access to a resource • Audit & Monitoring – Log and monitor what actually happens

  30. Network Privacy Introducing the VPN

  31. VPN - Definition • A virtual private network (VPN) is a private communications network, often used by companies or organizations, to communicate confidentially over a public network.

  32. History • Two major types: • IPSEC • SSL VPNs • Initially popular because there was a great ROI in moving from private leased lines (telco) to the (relatively) free transport of the Internet

  33. IPSEC • RFC 2401 Security Architecture for IP, Nov ’98 • Designed by really smart people – S. Kent, BBN • “Provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services” • By Authenticating – IP Authentication Header (AH) • And Encapsulating – (encrypting payload data) • BUT • Because these security services use shared secret values (cryptographic keys), IPsec relies on a separate set of mechanisms for putting these keys in place.

  34. SSL VPN • RFC 2246 – TLS, Jan ’99 • Taher Elgamal, a noted cryptographer, invented SSL in the mid ’90s • Designed for anonymous clients (internet browsers) to authenticated servers • Authentication protocol is built in • De facto standard until RFC 2246 • Open sourced • Microsoft tried to create a proprietary version to combat Netscape’s popularity

  35. SSL (image: HTTPS URL in the browser with the SSL secured “lock” icon) • Secure Sockets Layer (SSL) is the de facto method for protecting web data in transit • Built into every major web browser today • Also used for: • Wireless • Instant Messaging • VPNs • Secure email • EDI • Web Services • eGovernment

  36. Interoperability of IPSEC VPNs • A BIG problem • What kinds of issues might cause Interoperability issues?

  37. In order to do cryptography you have to share a secret • The problem with IPSEC was there were too many ways to share the secret • Skipjack • ISAKMP • Oakley • IKE • Son of IKE

  38. Some people have solved the interoperability problem

  39. Interoperability of SSL VPNs • None.


  41. Benefits of IPSEC vs SSL • Discussion topic

  42. Advances in VPNs • Integrated anti-spyware • Policy enforcement with VPN-1 • Secure auto-remediation to aid security policy compliance • Outbound threat protection

  43. With VPNs – for a select group of users • Authentication – Who or what am I? • Authorization – What am I permitted to do? • Access Control – Rules that grant or deny access to a resource • Audit & Monitoring – Log and monitor what actually happens

  44. Vulnerability Assessment • As firewall usage and Internet usage continued to grow there was no “good” way to validate firewall effectiveness

  45. Vulnerability Assessment • Basically taking attack tools and running them against your own resources • In the early days you had to be careful • Nabisco • Large automotive Manufacturer

  46. How VA works (diagram: SCANNER)

  47. To make VA work • You need to “discover” all the nodes you want to test • Nmap • Try to run destructive tests in non-destructive mode • Have a lot of time available • Sometimes difficult to access the subnets you want to test