information security fundamentals n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Information Security Fundamentals PowerPoint Presentation
Download Presentation
Information Security Fundamentals

Loading in 2 Seconds...

play fullscreen
1 / 70

Information Security Fundamentals - PowerPoint PPT Presentation


  • 108 Views
  • Updated on

Information Security Fundamentals. Chapter – X Basic Networking. Network Access. TCP/IP is the protocol for communicating. Like sending a letter Home Address == IP address Person == Port number Computers have IP addresses Applications have Port numbers

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

Information Security Fundamentals


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. Information Security Fundamentals Chapter – X Basic Networking

    2. Network Access • TCP/IP is the protocol for communicating. • Like sending a letter • Home Address == IP address • Person == Port number • Computers have IP addresses • Applications have Port numbers • THERE ARE NO USERS IN THE NETWORK LAYER

    3. Question Argue for or against using IP address to represent a specific computer on the Internet

    4. Port Numbers port numbers are divided into three ranges • Well Known Ports: 0-1023 • Registered Ports 1024 - 49151 • Dynamic/Private Ports 49152 - 65535 The IETF regulates new protocols for well known and registered ports www.ietf.org

    5. Network access The Internet Assigned Numbers Authority maintains the port to protocol registry http://www.iana.org/assignments/port-numbers

    6. TCP/IP • Privileged ports • Protocols running on ports 0-1023 are considered Privileged • They are actively managed by IANA • On windows and Unix there are services or daemons running all the time “listening” for connections • Vulnerabilities in these listeners can cause problems • By default many systems have these services enabled

    7. Vulnerabilities • FTP problems • anonymous access (numerous) • Even security vendors products are affected (watchguard SOHO firewall) • Misconfigurations (FTP has 2 ports, data and command firewalls and FTP servers are often configured incorrectly)

    8. Web vulnerabilities • Myspace – failure to properly filter scripts • Oracle Application Server Web Cache contains heap overflow vulnerability • iPlanet Web Server Enterprise Edition and Netscape ... and Netscape Enterprise Server malformed Web Publisher command causes denial-of service

    9. Standard services running on Fedora (Linux) Conman – console services via telnet (remote mgt) Dhcdbd – Dynamic Host Control Protocol Hald – Hardware abstraction Layer Daemon Hsqldb – Java Database connector Httpd – Web server ip6tables and iptables – IP tables – Linux basic firewall filter and IP protocol translater (more later) Kudzu – Like boot time plug and play Lisa – File services including windows NetworkManager and NetworkManagerDispatcher – switches tcp connections from physical I/Fs Named – Domain Name Service NFSD – Network File System Nscd – Name (User) Service Cache – Allows you to use LDAP or Active Directory for Unix Logins Openvpn – Virtual Private Network Portmap – For remote procedure call serviced – different from Windows Postfix – Email services (only needed if you are a mail relay) Rdisc – Router discovery Saslauthd – Simple authentication for connection based services Sendmail – the original Syslog – local or network based event logging Winbind – cross authentication for Windows to Linux users For a good description of daemons on Fedora see: http://aniz.wordpress.com/2007/03/20/services-and-daemons-running-in-linux-fedora/

    10. Security Rule #3 The fundamental problem with networking is the lack of authentication

    11. TCP Origins • Designed in the late 1970’s as a replacement for the IMP protocol • Requirements were for guaranteed delivery • Because computers were so new – authentication was assumed • Arpanet officially converted to TCP by 1983

    12. When did problems really start to happen? • Rapid adoption due to WWW • Early-Mid ’90s • States start to look at adding criminal liability for hacking • NSF gives up control and commercial utilization expands • Hacking becomes a passtime

    13. Hacker Tools trend packet forging / spoofing Hacking Tools sniffer / sweepers exploiting known vulnerabilities back doors GUI Relative Technical Complexity stealth diagnostics hijacking sessions self-replicating code disabling audits Average Intruder password cracking password guessing 1980 1985 1990 1995 Source: GAO Report to Congress, 1996

    14. Commercial Response • Early Firewalls were developed • Trusted Information Systems developed the “firewall toolkit” – free in source code form • Sold by TIS to commercial users • Proxy based

    15. OSI Stack • http://www.commsdesign.com/design_corner/OEG20030416S0015

    16. IP header: • http://www.networksorcery.com/enp/protocol/ip.htm

    17. Internet Address.A 32 bit value that contains the network and host number fields. There are five classes of internet addresses: The class indicates the size of the network and host fields. Internet addresses are commonly displayed in dotted decimal notation format XXX.XXX.XXX.XXX. • http://www.networksorcery.com/enp/protocol/ip.htm

    18. Proxy based firewalls – a tale of Irony Allow or Deny Internet Dst addr 172.41.92.0:80 2 1 3 1 4 3 2 4

    19. 1 4 3 5 2 1 2 4 3 5 2 1 3 4 5 1 2 3 4 5 1 3 4 5 2 1 2 3 4 5 1 2 3 4 5 1 2 Benefits of a TCP Proxy TCP/IP Packet Streams • Traffic Grooming • Timeouts and retransmissions from clients are eliminated • TCP segments are all in order (no dropped or out-of-order packets) • Optimizes MTU to server • DoS Attack Mitigation • Since incoming TCP/IP headers are stripped off, common protocol-based hacking attacks don’t pass through • Malformed (often malicious) TCP/IP packets are dropped before they ever get to the server • Unused TCP service ports can be blocked (example: only traffic to ports 80, 25 and 443 are left open) = Malformed Packet 3

    20. Hackers Manipulate TCP/IP Headers to Attack Servers Port Scanning TCP ACK Flood Session Hijacking TCP Header WinNuke Tear Drop, Jolt2 (Fragmentation Attacks) XMAS Tree (All Flags =1) IP Header Hiding Viruses Via TTL Crafting

    21. TCP Proxy Operation Provides Powerful Attack Mitigation • TCP Proxy Operation Filters Out Common Layer 3-4 DoS Attacks • IP Fragmentation Attacks (Tear Drop, Tiny Packet, Jolt2, etc) • Malformed TCP Headers (XMAS, FIN w/o ACK, etc) • WinNuke (URG flags sent to Port 139 of a PC running Windows) • TCP Port Scanning • TCP ACK floods • Steath attacks using crafted Time-to-Live (TTL) fields in IP headers • Protects against future protocol-based attacks

    22. Operating System (OS) Fingerprinting • DoS attackers usually need to identify the OS running on the target server(s) or host(s) in order to select the appropriate attack method • Fingerprinting techniques query the target’s TCP/IP stack and then analyze the responses (ex: NMAP, QueSO) • TCP/IP stacks differ in how they respond to legal and illegal queries; hence their responses form a fingerprint identifying the OS and version OpenBSD V2.4 TCP/IP Queries Target Host TCP/IP Responses From target host “Ah, these responses indicate the servers’ OS is OpenBSD v2.4”

    23. Popular Fingerprinting Methods • TCP Proxying Thwarts Popular Fingerprinting Methods1 Such As: • FIN probe • Bogus Flag • TCP ISN sampling • DF flag set in IP header • TCP Initial Window • ACK value • TCP options • ICMP Messages • IP Fragmentation Handling 1. Information is from “Remote OS Detection vai TCP/IP Stack Fingerprinting”, available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html

    24. “Stateful” Inspection Compares Dst addr/port for allow or deny access Usually allow all outbound connections to flow freely Dst addr Allow or Deny 1 172.41.92.0:80 3 1 2 3 4 2 4 No inspection

    25. Allowing all outbound connections What kind of questions would you ask before creating that as your policy?

    26. Which is “more” secure? • Neither Cisco's PIX Firewall, nor the Context-Based Access Control (CBAC) feature of Cisco's IOS Firewall Feature Set, protects hosts against certain denial of service attacks involving fragmented IP packets. • Out of order packet processing does not happen on most inspection based firewalls. • Fragments are passed through unmodified on CheckPoint, Cisco, Juniper

    27. Why were “stateful inspection” FWs more popular • Proxy Firewalls are slower • Initial releases were source code only • Proxy Firewalls couldn’t deal with new complicated protocols (H.323 – voip) without upgrades • #1 Reason – Check Point had a GUI

    28. Security Rule #4 To make security ubiquitous it has to be easy to use

    29. With the advent of Firewallswe now have Authentication Authorization What am I permitted to do? Who or what am I Access Control Audit & Monitoring Rules that grant or deny access to a resource Log and monitor what actually happens

    30. Network Privacy Introducing the VPN

    31. VPN - Definition • A virtual private network (VPN) is a private communications network often used by companies or organizations, to communicate confidentially over a public network.

    32. History • Two major types: • IPSEC • SSL VPNs • Initially popular because there was a great ROI to move from private leased lines (telco) for the free (relatively) transport of the Internet

    33. IPSEC • RFC 2401 Security Architecture for IP Nov’98 • Designed by really smart people – S.Kent BBN • To “provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services” • By Authenticating - IP Authentication Header (AH) • And Encapsulating – (encrypting payload data) • BUT • Because these security services use shared secret values (cryptographic keys), IPsec relies on a separate set of mechanisms for putting these keys in place. • http://rfc.net/rfc2401.html#s3.1

    34. SSL VPN • RFC 2246 – TLS jan ‘99 • Taher Elgamal a noted cryptographer invented SSL in the mid 90’s • Designed for anonymous clients (internet browsers) to authenticated servers • Authentication protocol is built in. • Defacto standard until RFC 2246 • Open sourced www.openssl.org • Microsoft tried to create a proprietary version to combat Netscape’s popularity

    35. SSL HTTPS URL • Secure Sockets Layer (SSL) is the de facto method for protecting web data in transit • Built into every major web browser today • Also used for: • Wireless • Instant Messaging • VPNs • Secure email • EDI • Web Services • eGovernment SSL Secured “Lock”

    36. Interoperability of IPSEC VPNs • A BIG problem • What kinds of issues might cause Interoperability issues?

    37. In order to do cryptography you have to share a secret • The problem with IPSEC was there were too many ways to share the secret • Skipjack • ISAKMP • Oakley • IKE • Son of IKE

    38. Some people have solved the interoperability problem http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NG+Linux-FreeSWAN-Gateway.html#checkpoint

    39. Interoperability of SSL VPNs • None..

    40. IPSEC vs SSL SSL IPSEC

    41. Benefits of IPSEC vs SSL • Discussion topic

    42. Advances in VPNs • Integrated anti-spyware • Policy enforcement with VPN-1 • Secure auto-remediation to aid security policy compliance • Outbound threat protection

    43. With VPNs – for a select group of users Authentication Authorization What am I permitted to do? Who or what am I Access Control Audit & Monitoring Rules that grant or deny access to a resource Log and monitor what actually happens

    44. Vulnerability Assessment • As firewall usage and Internet usage continued to grow there was no “good” way to validate firewall effectiveness

    45. Vulnerability Assessment • Basically taking attack tools and running them against your own resources • In the early days you had to be careful • Nabisco • Large automotive Manufacturer

    46. How VA works SCANNER

    47. To make VA work • You need to “discover” all the nodes you want to test • Nmap http://insecure.org/nmap/ • Try to run destructive tests in non-destructive mode • Have a lot of time available • Sometimes difficult to access the subnets you want to test