Why Has Network Security Come to the Forefront • Increased Internet usage. • Increased telecommuting. • Recent high-profile attacks on government and private web sites have also contributed to the high exposure of network security.
SPDLC Depicted as a Cycle • The security policy development life cycle (SPDLC) is aptly depicted as a cycle, since the evaluation processes validate the effectiveness of the original analysis stages. • Feedback from the evaluation stages causes renewed analysis, with possible ripple effects such as changes in architecture or implemented technology. • The feedback provided by such a cycle is ongoing, but it will only work with proper training and commitment from the people responsible for the various processes depicted in the SPDLC.
Scope of the Security Policy and Critical Success Factors • Throughout the initial stages of these security policy development efforts, it is essential to remember the critical success factors of the network development life cycle. (Fig. 13-15) • Before proceeding blindly with a security policy development project, it is important to properly define the scope or limitations of the project.
Security Requirements Assessment Grid • A security requirements assessment grid provides a means to define security requirements, and the potential solutions to those requirements, for all potential user groups and to map them against all potential corporate information resources. (Fig. 13-3) • The security requirements assessment grid is meant to provide only an example of potential user groups and information resource categories. • The grid should be modified to provide an accurate reflection of each different corporate security environment. • Furthermore, the grid should be used as a dynamic strategic planning tool: it should be reviewed on a periodic basis and modified to reflect changes in either user groups or information resources.
Security Assessment Grid • There has to be ongoing auditing, monitoring, evaluation, and analysis for the security requirements assessment plan to remain accurate and reflective of a changing corporate network environment.
Balance Sought for Implemented Security Process • Security measures that are too stringent can be just as damaging to user productivity as a total lack of enforced security measures. • The optimal balance point sought is the amount of implemented security process and technology that adequately protects corporate information resources while optimizing user productivity.
Figure 13-7 Assets, Threats, Vulnerabilities, Risks, and Protective Measures
Assets • Assets are corporate property of some value requiring varying degrees of protection. • In the case of network security, assets most often include corporate data and the network hardware, software, and media used to transport and store that data.
Data Classification Based on the DOD Classification Scheme • Unclassified or public information • Sensitive – disclosure could cause embarrassment but not damage – salary and benefits information • Confidential – could cause measurable damage to the corporation – corporate strategic plans • Secret – could cause serious damage to the organization – trade secrets, engineering diagrams, etc. • Top Secret – could cause permanent damage – secret formulae for key products.
Threats • Threats are processes or people that pose a potential danger to identified assets. A given asset can be threatened by numerous threats. • Threats can be intentional or unintentional, natural or man-made. • Network-related threats include hackers, line outages, fires, floods, power failures, equipment failures, and dishonest or incompetent employees.
Vulnerabilities • Vulnerabilities are the manner or path by which threats are able to attack assets. • Vulnerabilities can be thought of as weak links in the overall security architecture and should be identified for every potential threat/asset combination. • Vulnerabilities that have been identified can be blocked.
Vulnerabilities (contd.) • Once vulnerabilities have been identified, a network analyst should proceed in developing defenses to these vulnerabilities. Which vulnerabilities should be dealt with first? How can a network analyst determine an objective means to prioritize vulnerabilities? • By considering the risk, or probability of a particular threat successfully attacking a particular asset in a given amount of time via a particular vulnerability, network analysts are able to quantify the relative importance of threats and vulnerabilities
Risk Domain – Assets, Threats, and Vulnerabilities • Risk analysis is a specialized field of study, and the quantification of risks should not be viewed as an exact science. • In identifying the proper prioritization of threats and vulnerabilities to be dealt with, network analysts should combine subjective instinct and judgment with objective risk analysis data. • Once the order in which threats and vulnerabilities will be addressed has been determined, protective measures are designed and put in place that effectively block the vulnerability in order to prevent threats from attacking assets.
Role of the OSI Security Architecture (ISO 7498-2) in Security • Provides a way to organize an approach to security policy and architecture development. • This framework maps fourteen different security services to specific layers of the OSI 7-Layer Reference Model. (Figure 13-6)
ISO 7498-2 Security Architecture (Fig. 13-6) – the fourteen security services are: • Peer Entity Authentication • Data Origin Authentication • Access Control Service • Connection Confidentiality • Connectionless Confidentiality • Selective Field Confidentiality • Traffic Flow Confidentiality • Connection Integrity with Recovery • Connection Integrity without Recovery • Selective Field Connection Integrity • Connectionless Integrity • Selective Field Connectionless Integrity • Non-repudiation, Origin • Non-repudiation, Delivery
OSI Model Security Architecture • It can be used as an open framework in which to categorize security technology and protocols, just as the OSI 7-Layer Model can be used to categorize internetworking technology and protocols. • Not all services will necessarily be provided at all suggested layers in all corporate settings. This does not, however, diminish the value of the OSI Security Architecture as a planning framework.
Authentication technology includes: 1) Challenge-response systems 2) Time-synchronous token authentication systems.
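The two schemes named above, as an added example that is not part of the original slides, each written as the exchange between the token (or client) and the authentication server. The concrete algorithms are assumptions: HMAC-SHA256 as the keyed one-way function, a 30-second time step for the time-synchronous token, and a tolerance of one step either side for clock drift between token and server. The shared secret is provisioned to both sides out of band and never crosses the network.

```python
"""Challenge-response and time-synchronous token authentication, side by side.

Added illustration (not from the original slides). Assumptions: HMAC-SHA256 as
the one-way function, a 30-second time step, one step of clock-drift tolerance.
"""
import hashlib
import hmac
import os
import secrets


def _mac(secret, message):
    """Keyed one-way function shared by both schemes (assumed: HMAC-SHA256)."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


# ---- 1) Challenge-response -------------------------------------------------
class ChallengeResponseServer:
    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()        # challenges issued but not yet answered

    def challenge(self):
        """Step 1: server sends a fresh random nonce to the client."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        """Step 3: server recomputes MAC(secret, nonce); each nonce may be answered once,
        so a captured response cannot be replayed."""
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        return hmac.compare_digest(_mac(self._secret, nonce), response)


def challenge_response_client(secret, nonce):
    """Step 2: the token/client answers with MAC(secret, nonce); the secret itself never travels."""
    return _mac(secret, nonce)


# ---- 2) Time-synchronous token ---------------------------------------------
TIME_STEP = 30  # seconds per displayed code (assumption)


def time_token_code(secret, now):
    """What the token displays: a code derived from the secret and the current time step."""
    step = now // TIME_STEP
    return _mac(secret, step.to_bytes(8, "big"))[:8]   # truncated so a user can type it


def verify_time_token(secret, code, now, drift_steps=1):
    """Server side: accept the current step or one step either side to absorb clock drift."""
    step = now // TIME_STEP
    for s in range(step - drift_steps, step + drift_steps + 1):
        if hmac.compare_digest(_mac(secret, s.to_bytes(8, "big"))[:8], code):
            return True
    return False


if __name__ == "__main__":
    shared = os.urandom(32)          # provisioned to both token and server out of band
    srv = ChallengeResponseServer(shared)
    n = srv.challenge()
    r = challenge_response_client(shared, n)
    print("challenge-response accepted:", srv.verify(n, r))        # True
    print("same response replayed     :", srv.verify(n, r))        # False
    t = 1_700_000_000
    c = time_token_code(shared, t)
    print("time token accepted now    :", verify_time_token(shared, c, t))        # True
    print("time token accepted +5 min :", verify_time_token(shared, c, t + 300))  # False
```

The contrast a practitioner should take from the two halves: challenge-response needs a round trip but gives the server explicit replay protection through the one-time nonce; the time-synchronous token needs no round trip but is only as good as the clock agreement between token and server, which is why the verifier checks a small window of steps rather than one.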
Attack Strategies • Attack strategies often concentrate on: • Vulnerabilities of a specific network operating system (NOS). • The underlying transport protocols used to communicate between servers.
Most Common Attack Strategies on TCP • When two hosts wish to communicate via TCP, they set up a connection to each other by engaging in a "three-way handshake" (SYN, SYN-ACK, ACK).
The following strategies exploit this potential vulnerability of TCP • Denial of Service attacks (SYN flooding) – flooding the server with connection requests (SYNs) whose forged source addresses belong to hosts that do not exist, so the handshake never completes and the server's table of half-open connections fills up. • Land attack – the hacker substitutes the targeted server's own address as the address of the host requesting a connection, so the server attempts to complete the handshake with itself.
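The two handshake abuses above, as an added example (not from the original slides) that detects both from a summary of captured packets. The log format is a constructed one (time, source ip:port, destination ip:port, TCP flags with S=SYN, SA=SYN-ACK, A=ACK), and the half-open threshold of 3 is an assumption chosen to keep the sample small; a real monitor would use a far higher limit and a time window.

```python
"""Detecting a SYN flood and a Land attack from a TCP packet summary.

Added example, not from the original slides. Log format and threshold are
assumptions; the sample packets are constructed.
"""
from collections import defaultdict

# Constructed packet summary: one normal handshake, four SYNs from forged
# sources that never answer the SYN-ACK, and one SYN whose source is the
# server's own address and port (Land).
SAMPLE_LOG = """\
10:00:01 10.0.0.5:40000 192.0.2.10:80 S
10:00:01 192.0.2.10:80 10.0.0.5:40000 SA
10:00:01 10.0.0.5:40000 192.0.2.10:80 A
10:00:02 203.0.113.7:1111 192.0.2.10:80 S
10:00:02 203.0.113.8:1112 192.0.2.10:80 S
10:00:02 203.0.113.9:1113 192.0.2.10:80 S
10:00:02 203.0.113.10:1114 192.0.2.10:80 S
10:00:03 192.0.2.10:139 192.0.2.10:139 S
"""


def parse(line):
    """One summary line -> (time, src, dst, flags)."""
    ts, src, dst, flags = line.split()
    return ts, src, dst, flags


def find_land_packets(log):
    """Land attack: a SYN whose source address:port equals its destination."""
    return [src for _, src, dst, flags in map(parse, log.splitlines())
            if flags == "S" and src == dst]


def half_open_by_server(log):
    """For each server endpoint, the clients whose handshake never reached the
    final ACK (SYN seen from the client, matching ACK from that client never seen)."""
    state = {}                                  # (client, server) -> "syn" | "open"
    for _, src, dst, flags in map(parse, log.splitlines()):
        if flags == "S":
            state[(src, dst)] = "syn"
        elif flags == "A" and state.get((src, dst)) == "syn":
            state[(src, dst)] = "open"
    half_open = defaultdict(list)
    for (client, server), st in state.items():
        if st == "syn":
            half_open[server].append(client)
    return dict(half_open)


def find_syn_flood(log, threshold=3):
    """SYN flood symptom: a server left holding >= threshold half-open connections."""
    return {server: clients for server, clients in half_open_by_server(log).items()
            if len(clients) >= threshold}


if __name__ == "__main__":
    print("land packets:", find_land_packets(SAMPLE_LOG))
    print("SYN flood   :", find_syn_flood(SAMPLE_LOG))
```

The Land check is exactly the rule a perimeter filter should enforce (a packet arriving from the Internet with an inside address, let alone the server's own, as its source is spoofed by definition), which is the "address spoofing – firewalls" pairing in Fig. 13-8. The half-open count is the symptom the server's own connection table exhibits under a SYN flood, so it is the number a monitor watches rather than the raw SYN rate.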
Network/Information System Vulnerabilities and Protective Measures (Fig. 13-8) – attack strategy and its protective measure: • Masquerading – Authentication • Eavesdropping – Encryption • Man-in-the-middle attack – Digital certificates, digital signatures • Address spoofing – Firewalls • Data diddling – Encrypted message digest • Dictionary attacks – Strong passwords, intruder detection • Replay attack – Time stamping or sequence numbering • Virus attack – Virus management policy • Trojan horse attack – Firewalls • Denial of service attack – Authentication, service filtering
Web-Specific Attack Strategies • To minimize the possibility of attack, do the following: • Eliminate unused user accounts. • Remove or disable all unused services such as FTP, Telnet, etc. If a service is required, place it behind a proxy server or application-layer gateway. • Remove unused Unix command shells. • Ensure proper security on file shares and directories. • Consult WWW security FAQs on an ongoing basis to stay up to date with current attack strategies. • Poorly written Common Gateway Interface (CGI) programs, for example ones that pass user input to a shell, are capable of extracting a Unix-based web server's password file. • Server Side Includes (SSIs) can be embedded in web pages such as guest books and can instruct a web server to remove an entire directory's contents.
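The last two bullets, as an added example that is not from the original slides: a CGI gateway that hands user input to a shell and a guest book whose entries are written into a server-parsed page, each shown in its unsafe form beside the fix. The `finger` gateway and the guest-book page are assumed, minimal stand-ins for the CGI scripts and `.shtml` pages of the period, and the hostile inputs are constructed. The unsafe CGI function only builds the command string it would have run, so the example is harmless to execute.

```python
"""CGI shell injection and SSI injection, unsafe and hardened forms.

Added example, not from the original slides. The finger gateway, the guest
book and the hostile inputs are constructed stand-ins.
"""
import html
import re

# ---- 1) CGI: user input reaching a shell ------------------------------------
# Constructed hostile query value: terminates the finger command and reads the
# password file, which the CGI script then happily sends back in its response.
HOSTILE_USER = "guest; cat /etc/passwd"


def cgi_finger_unsafe(username):
    """Builds the command the vulnerable script would run via os.system()/popen():
    a string the shell parses, so ';' starts a second command. Returned, not executed."""
    return "finger " + username


USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_username(username):
    """Allow-list: only characters a local account name can contain."""
    return USERNAME_RE.fullmatch(username) is not None


def cgi_finger_safe(username):
    """Validates the input and returns an argv list for subprocess.run(argv)
    with no shell in the path, so metacharacters are never interpreted."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return ["finger", username]


# ---- 2) SSI: guest-book entry written into a server-parsed (.shtml) page -----
# Constructed hostile entry: an SSI exec directive the server would run when
# the guest-book page is next requested.
HOSTILE_ENTRY = '<!--#exec cmd="rm -rf /var/www/htdocs" -->'

SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|if|fsize|flastmod)\b", re.I)


def has_ssi_directive(text):
    """Detector for raw SSI directives in text that will be served as part of a page."""
    return SSI_DIRECTIVE.search(text) is not None


def guestbook_html_unsafe(entry):
    """Writes the entry verbatim into the page: the server's SSI parser will see it."""
    return "<li>" + entry + "</li>\n"


def guestbook_html_safe(entry):
    """Escapes the entry so '<' becomes '&lt;' and the directive is inert text."""
    return "<li>" + html.escape(entry, quote=True) + "</li>\n"


if __name__ == "__main__":
    print("unsafe command :", cgi_finger_unsafe(HOSTILE_USER))
    print("safe argv      :", cgi_finger_safe("alice"))
    print("hostile entry accepted unsafe:", has_ssi_directive(guestbook_html_unsafe(HOSTILE_ENTRY)))
    print("hostile entry after escaping :", guestbook_html_safe(HOSTILE_ENTRY).strip())
```

The two fixes share one principle: user input is data, and it must never reach a component (the shell, the SSI parser) that treats certain characters as instructions. Escaping on output neutralizes SSI in the page; refusing the input altogether and avoiding the shell neutralizes it in CGI. On Apache the server-side backstop is `Options IncludesNOEXEC`, which lets SSI run but disables `exec` entirely.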
Among the major categories of potential protective measures are: • Virus protection • Firewalls, • Authentication, and • Encryption.
Management Roles and Responsibilities • See Figures 13-9, 13-10, and 13-12 for the roles of executives, management, and users in the successful development and implementation of security policy.
Auditing as Related to Security Policy • Auditing may be either: i) Manual audits – Manual audits can be done by either internal or external personnel. They serve to verify the effectiveness of policy development and implementation, especially the extent to which people understand and effectively execute the processes assigned to them in the overall corporate security policy. Manual audits are also referred to as policy audits or off-line audits. ii) Automated audits – Automated audits, otherwise known as event detection or real-time audits, depend on software that is able to assess the weaknesses of your network security and security standards. Most audit software depends on capturing large amounts of event data and then filtering that data for exceptional or unusual events.
Auditing Software and Filtering • Most audit software depends on capturing large amounts of event data and then filtering that data for exceptional or unusual events. Captured events can be: a) telephone calls, b) login attempts, c) network server directory access attempts, d) access to Internet newsgroups or web sites, or e) remote access attempts via dial-up lines. • In order to generate meaningful exception reports, audit software allows users to create filters so that only those events deemed exceptional by the users appear on reports.
Intrusion Detection Systems • Intrusion detection systems test the perimeter of the enterprise network: dial-up modems, remote access servers, web servers, and Internet access. In addition to merely detecting intrusions, such as unsuccessful login attempts over a pre-set limit, some tools are also able to provide automated responses to these intrusion attempts. • Some of the more sophisticated intrusion detection systems are dynamic or self-learning, and become better at detecting intrusions, or adjust their exception parameters, as they gain experience in a given enterprise network environment.
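The filtering described under "Auditing Software and Filtering" and the pre-set-limit rule with an automated response described here, as one added example that is not from the original slides. The audit records are constructed (the format, the business-hours window, the choice of `/finance/` as a sensitive directory, and the limit of three failed logins from one source within five minutes are all assumptions); the response is a block list of the kind a firewall or remote-access server would consume.

```python
"""Exception filtering over captured audit events and a failed-login limit
with an automated response.

Added example, not from the original slides. Log lines, filters and limits
are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: three failed logins from one outside source in
# 33 seconds, a normal login, one sensitive-directory access during the day,
# a dial-in session, and one sensitive-directory access late at night.
EVENTS = """\
2001-03-05 02:14:07 LOGIN_FAIL user=admin src=203.0.113.9
2001-03-05 02:14:21 LOGIN_FAIL user=admin src=203.0.113.9
2001-03-05 02:14:40 LOGIN_FAIL user=root src=203.0.113.9
2001-03-05 02:15:02 LOGIN_OK user=jsmith src=10.1.1.20
2001-03-05 09:01:11 DIR_ACCESS user=jsmith src=10.1.1.20 path=/finance/payroll
2001-03-05 09:05:33 DIAL_IN user=tjones src=modem-3
2001-03-05 23:40:00 DIR_ACCESS user=tjones src=10.1.1.33 path=/finance/payroll
"""


def parse_event(line):
    """'date time KIND k=v k=v ...' -> dict with a datetime under 'ts'."""
    date, time, kind, *kv = line.split()
    ev = {"ts": datetime.fromisoformat(date + " " + time), "kind": kind}
    ev.update(pair.split("=", 1) for pair in kv)
    return ev


# ---- exception filters: a user-defined predicate per report line ------------
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 (assumption)
SENSITIVE_PREFIX = "/finance/"         # assumption


def off_hours_sensitive_access(ev):
    return (ev["kind"] == "DIR_ACCESS"
            and ev.get("path", "").startswith(SENSITIVE_PREFIX)
            and ev["ts"].hour not in BUSINESS_HOURS)


FILTERS = {
    "off-hours access to sensitive directory": off_hours_sensitive_access,
    "dial-in access": lambda ev: ev["kind"] == "DIAL_IN",
}


def exception_report(log):
    """Keep only events some filter deems exceptional: list of (reason, event)."""
    hits = []
    for ev in map(parse_event, log.splitlines()):
        for reason, pred in FILTERS.items():
            if pred(ev):
                hits.append((reason, ev))
    return hits


# ---- intrusion rule: failed logins over a pre-set limit ---------------------
def failed_login_sources(log, limit=3, window=timedelta(minutes=5)):
    """Sources that produced at least `limit` LOGIN_FAIL events within `window`."""
    by_src = defaultdict(list)
    for ev in map(parse_event, log.splitlines()):
        if ev["kind"] == "LOGIN_FAIL":
            by_src[ev["src"]].append(ev["ts"])
    flagged = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                flagged.append(src)
                break
    return flagged


def respond(flagged, blocklist):
    """Automated response: add offending sources to a firewall-style block list."""
    for src in flagged:
        blocklist.add(src)
    return blocklist


if __name__ == "__main__":
    for reason, ev in exception_report(EVENTS):
        print(f"{ev['ts']}  {reason}: user={ev['user']} src={ev['src']}")
    print("blocked:", respond(failed_login_sources(EVENTS), set()))
```

Note what the filters do not flag: the daytime access to `/finance/payroll` and the successful login are ordinary events and stay off the report, which is the point of filtering. The limit rule uses a sliding window rather than a daily count so that three failures spread over a month do not trip it.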
Security probes • Rather than passively gathering network statistics like auditing tools, security probes actively test various aspects of enterprise network security and report results and suggest improvements.
SATAN • The Security Administrator Tool for Analyzing Networks (SATAN), which actively tests various aspects of enterprise network security and reports the results, is a type of security probe.
Anti-virus • Virus protection is generally addressed only in response to a virus incident. • Virus scanning is of no use without comprehensive, enforced policies regarding the use and handling of diskettes and downloaded files.
What is a Computer Virus ? • The term computer virus is generally used to describe any computer program or group of programs that gains access to a computer system or network with the potential to disrupt the normal activity of that system or network.
Virus Scanning Software • Virus scanning is the primary method for successful detection and removal. However, virus-scanning software most often works off a library of known viruses, or more specifically the unique digital signatures of those viruses, while new viruses are appearing at a rate of nearly 200 per month. • Because of this, it is important to buy virus-scanning software whose vendor supplies updates of virus signatures at least once per month.
Three Types of Virus Scanning Software 1) Activity monitors 2) Signature scanners 3) CRC checkers and hashing checkers
1) Virtual PC or Activity Monitors • In an effort to be more proactive than reactive, emulation technology attempts to detect as yet unknown viruses by running programs inside a software emulation program known as a virtual PC. • In so doing, the executing program can be examined in a safe environment for any unusual behavior or other telltale symptoms of resident viruses.
The advantage of Activity Monitors • They identify potentially unknown viruses based on their behavior rather than by relying on identifiable signatures of known viruses. • Activity Monitors are also capable of trapping encrypted or polymorphic viruses that are capable of constantly changing their identities or signatures. • In addition, some of these programs are self-learning, thereby increasing their knowledge of virus-like activity with experience.
Virus Categories • File infectors • System/boot infectors • Multipartite viruses – boot and file viruses • Hostile applets • E-mail viruses • Cluster/file system viruses – attack file systems and directories
Types of Viruses – File Infectors • Viruses that are triggered by the passing of a certain date or time are referred to as time bombs, while viruses that require a certain event to transpire are known as logic bombs. • When the actual virus is hidden inside an otherwise benign program and delivered to the target system or network to be infected, it is known as a Trojan horse. • Polymorphic viruses change their appearance each time an infected program is run in order to avoid detection. • Macro viruses infect documents rather than executables and can infect Macs as well as Windows PCs, e.g. the Melissa virus.
Viruses That Infect Web Technology and Embedded Java Programs • Hostile applets can still be considered viruses. There are two kinds: • Attack applets are intent on serious security breaches, while • Malicious applets tend to be annoying rather than destructive. Hostile applets are unknowingly downloaded while web surfing.
2) Signature Scanners • Signature scanners scan files for the known digital signatures of viruses.
3) CRC and Hash Checkers • CRC and hashing checkers compute a checksum or hash of each file, store it, and later report any file whose recomputed value no longer matches. • The shortcoming of CRC and hashing checkers as anti-virus technology is that they are only able to detect viruses after infection, which may already be too late.
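Signature scanning and hash checking side by side, as an added example that is not from the original slides, run over a constructed in-memory "disk" rather than real files. The files, the file-infector stub and its detection signature are constructed; the EICAR test string is included as a second signature because it is what real scanners are tested with. SHA-256 is an assumption for the hash checker (the slides allow a CRC as well), and the "polymorphic" variant is a crude XOR encoding that is enough to change the bytes a signature scanner looks for. Activity monitors (the emulation approach) are not shown.

```python
"""Signature scanner versus hash checker on an in-memory file set.

Added example, not from the original slides. Files, infector stub and the
Demo.Infector signature are constructed; SHA-256 is an assumed hash.
"""
import hashlib

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

KNOWN_SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Demo.Infector": b"\x90\x90\xebDEMO-INFECTOR-STUB",   # constructed
}

# Constructed 'disk' before any infection.
CLEAN_FILES = {
    "/bin/ls": b"\x7fELF" + b"\x00" * 40 + b"ls-code",
    "/bin/cat": b"\x7fELF" + b"\x00" * 40 + b"cat-code",
    "/home/u/test.com": EICAR,
}


def signature_scan(files, signatures=KNOWN_SIGNATURES):
    """{path: virus name} for every file containing a known signature."""
    hits = {}
    for path, data in files.items():
        for name, sig in signatures.items():
            if sig in data:
                hits[path] = name
                break
    return hits


def baseline(files, algo="sha256"):
    """Hash checker, step 1: record every file's hash while the disk is trusted."""
    return {p: hashlib.new(algo, d).hexdigest() for p, d in files.items()}


def hash_check(files, known_hashes, algo="sha256"):
    """Hash checker, step 2: paths whose current hash differs from (or is missing in) the baseline."""
    return sorted(p for p, d in files.items()
                  if known_hashes.get(p) != hashlib.new(algo, d).hexdigest())


def infect(files, path, stub):
    """The slides' file infector: prepend the virus body to an executable."""
    out = dict(files)
    out[path] = stub + out[path]
    return out


def polymorph(stub, key=0x5A):
    """Crude polymorphic variant: XOR-encode the body so its signature bytes change."""
    return bytes(b ^ key for b in stub)


if __name__ == "__main__":
    base = baseline(CLEAN_FILES)
    stub = KNOWN_SIGNATURES["Demo.Infector"]
    disk = infect(CLEAN_FILES, "/bin/ls", stub)              # known virus
    disk = infect(disk, "/bin/cat", polymorph(stub))         # unknown variant
    print("signature scanner:", signature_scan(disk))        # misses /bin/cat
    print("hash checker     :", hash_check(disk, base))      # catches both, after the fact
```

The run shows the two limitations the slides describe from both sides: the signature scanner never sees the polymorphic variant because its bytes match nothing in the library, while the hash checker reports both infected files, but only because the baseline was taken first and only once the files have already changed. In practice the two are complementary, and the baseline must itself be stored where an infector cannot rewrite it.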
Infection / Re-infection Cycle • As collaborative applications such as groupware have become more commonplace in corporations, a new method of virus infection and virus re-infection has emerged. • Since groupware messages and data are stored in a shared database, and since documents can be distributed throughout the network for document conferencing or workflow automation, the virus is spread throughout the network. Moreover, since groupware servers usually replicate their databases in order to assure that all servers on the network are providing consistent information, the virus will continue to spread. • Even if the virus is eliminated from the originating server, responses from still-infected replicated servers will re-infect the original server as the infection/re-infection cycle continues.
Virus Propagation • 61% of viruses are distributed by diskettes. • Macro viruses are gaining steadily with the increased use of groupware and collaborative software.
Anti-virus Strategies • See Fig 13-17 for Anti-virus strategies
Figure 13-19 Virus Infection Points of Attack and Protective Measures
Firewalls • In order to prevent unauthorized access from the Internet into a company's confidential data, specialized software known as a firewall is often deployed. Firewall software/hardware usually runs on a dedicated server that is connected to, but outside of, the corporate network. • Firewalls, like other technologies, should be implemented based on the overall security policy.