Guide to TCP/IP, Third Edition
Chapter 9: Securing TCP/IP Environments
Securing TCP/IP Environments 2
Objectives
• Understand basic concepts and principles for maintaining computer and network security
• Understand the anatomy of an IP attack
• Recognize common points of attacks inherent in TCP/IP architecture
• Understand how to maintain IP security
Objectives (continued)
• Understand security policies and recovery plans
• Understand new and improved security features in Windows XP Professional and Windows Server 2003
• Discuss the importance of honeypots and honeynets for network security
Understand Computer and Network Security
• Protecting a system or network means
– Closing the door against outside attack
– Protecting your systems, data, and applications from any sources of damage or harm
• The 2005 Computer Crime Survey
– Virus and worm infections were among the top problems leading to financial loss
Principles of IP Security
• Physical security
– Synonymous with “controlling physical access”
– Should be carefully monitored
• Personnel security
– Important to formulate a security policy for your organization
• System and network security includes
– Analyzing the current software environment
– Identifying and eliminating potential points of exposure
Understanding Typical IP Attacks, Exploits, and Break-Ins
• Basic TCP/IP protocols
– Offer no built-in security controls
• Successful attacks against TCP/IP networks and services rely on two powerful weapons
– Profiling or footprinting tools
– A working knowledge of known weaknesses or implementation problems
Key Terminology in Network and Computer Security
• An attack
– Any attempt to gain unauthorized access to information or resources
• An exploit
– Code or a documented technique that takes advantage of a specific vulnerability
• A break-in
– A successful attempt to compromise a system’s security
Key Weaknesses in TCP/IP
• Ways in which TCP/IP can be attacked
– Attackers can
• Attempt to impersonate valid users
• Attempt to take over existing communications sessions
• Attempt to snoop inside traffic moving across the Internet
• Utilize a technique known as IP spoofing
Common Types of IP-Related Attacks
• DoS attacks
• Man-in-the-middle (MITM) attacks
• IP service attacks
• IP service implementation vulnerabilities
• Insecure IP protocols and services
What IP Services Are Most Vulnerable?
• Remote logon services
– Include the Telnet remote terminal emulation service, as well as the Berkeley remote utilities (rlogin, rsh, rcp)
• Remote control programs
– Can pose security threats
• Services that permit anonymous access
– Make anonymous Web and FTP servers conspicuous targets
Holes, Back Doors, and Other Illicit Points of Entry
• Hole
– Weak spot or known place of attack on any common operating system, application, or service
• Back door
– Undocumented and illicit point of entry into an operating system or application
• Vulnerability
– Weakness that can be accidentally triggered or intentionally exploited
The Anatomy of IP Attacks
• IP attacks typically follow a set pattern
– Reconnaissance or discovery process
– Attacker focuses on the attack itself
– A stealthy attacker may cover his or her tracks by deleting log files or terminating any active direct connections
Reconnaissance and Discovery Processes
• Ping sweep
– Can identify active hosts on an IP network
• Port probe
– Detects UDP- and TCP-based services running on a host
• Purpose of reconnaissance
– To find out what you have and what is vulnerable
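The port probe described above, as an added example (not code from the textbook): a minimal TCP connect() scan in Python. So that it runs offline, the example starts its own listener on 127.0.0.1 and probes that port plus a port it knows to be closed; the host, ports and timeout are illustrative assumptions, not values from the chapter.

```python
"""Added example: a minimal TCP connect() port probe of the kind used in the
reconnaissance phase. Not code from the textbook. The listener it probes is
started locally so the example works without any outside network."""
import socket
from typing import Dict, Iterable


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Open a TCP listener on an ephemeral port so the probe has a real 'open' target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0: the kernel picks a free ephemeral port
    srv.listen(5)
    return srv


def find_closed_port(host: str = "127.0.0.1") -> int:
    """Bind and immediately release a port so we have one that is (almost certainly) closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port the way a connect() scan does.

    open     -> three-way handshake completed (a SYN/ACK came back)
    closed   -> the host answered with RST (connection refused)
    filtered -> nothing came back before the timeout (typically dropped by a firewall)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # must precede OSError: it is a subclass of it
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def probe_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Probe several ports and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = find_closed_port()
    for port, state in sorted(probe_ports("127.0.0.1", [open_port, closed_port]).items()):
        print(f"127.0.0.1:{port} {state}")
    srv.close()
```

A connect() scan completes the handshake, so it shows up in the target's logs; stealthier probes (half-open SYN scans) need raw sockets, but the open/closed/filtered classification is the same.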
Reconnaissance and Discovery Processes (continued)
• The attack
– May encompass a brute force attack process that overwhelms a victim
• Computer forensics
– May be necessary to identify traces from an attacker winding his or her way through a system
Common IP Points of Attack
• Virus
– Any self-replicating program that works for its own purposes
– Classes
• File infectors
• System or boot-record infectors
• Macro viruses
Worms
• A kind of virus that eschews most activity except as it relates to self-replication
• MSBlaster worm
– Unleashed in August 2003
– Exploited the RPC DCOM buffer overflow vulnerability in Microsoft Windows (MS03-026)
• Hex reader
– Lets you look inside suspect files without launching them
Trojan Horse Programs
• Masquerade as innocuous or built-to-purpose programs
• Conceal abilities that permit others to take over and operate unprotected systems remotely
• Must be installed on a computer system to run
• Back Orifice
– Example of a Trojan horse program
Denial of Service Attacks
• Designed to interrupt or completely disrupt operations of a network device or communications
• SYN flood attack
– Abuses the TCP three-way handshake: the attacker sends a stream of SYN segments (usually from spoofed sources) and never completes the handshake, so the victim's table of half-open connections fills up and legitimate connections are refused
• Broadcast amplification (smurf) attack
– Malicious host crafts ICMP Echo Requests with the victim's address as the spoofed source and sends them to a directed broadcast address; every host on that subnet answers the victim
• Windows 2000 UPnP DoS attack
– Specially crafted request packet is sent that causes services.exe to exhaust all virtual memory resources
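How a monitoring point would recognize the two attacks above, as an added example that is not from the textbook: the SYN flood is detected statefully, by counting connections per server that saw a client SYN but never the client's completing ACK; the smurf pattern is detected statelessly, by spotting Echo Requests addressed to the broadcast address of a local subnet. The packet records, addresses and the threshold of 50 half-open connections are constructed for the example.

```python
"""Added example (not from the textbook): stateful detection of a SYN flood by
counting half-open TCP connections, plus a stateless check for the ICMP
broadcast-amplification (smurf) pattern. All packets below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

SYN, ACK = 0x02, 0x10            # TCP flag bits used below
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str                   # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    icmp_type: Optional[int] = None


def half_open_by_server(packets: List[Pkt]) -> Dict[str, int]:
    """Per server address, count flows that saw a client SYN (step 1) but never
    the client's ACK (step 3). Flows are keyed by the client's 4-tuple, so the
    server's SYN/ACK (step 2, reversed tuple) is ignored automatically."""
    pending = set()
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if p.tcp_flags & SYN and not p.tcp_flags & ACK:
            pending.add(key)                 # handshake opened
        elif p.tcp_flags & ACK and key in pending:
            pending.discard(key)             # handshake completed
    counts: Dict[str, int] = defaultdict(int)
    for _, _, dst, _ in pending:
        counts[dst] += 1
    return dict(counts)


def syn_flood_suspects(packets: List[Pkt], threshold: int = 50) -> List[str]:
    """Servers with at least `threshold` half-open connections (threshold is an assumption)."""
    return sorted(dst for dst, n in half_open_by_server(packets).items() if n >= threshold)


def smurf_suspects(packets: List[Pkt], local_nets: List[str]) -> List[Tuple[str, str]]:
    """Echo Requests sent to a directed broadcast address of one of our subnets.
    The source is normally spoofed to be the real victim, so (src, dst) is reported."""
    bcasts = {str(ip_network(n).broadcast_address) for n in local_nets}
    return sorted({(p.src, p.dst) for p in packets
                   if p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST and p.dst in bcasts})


def constructed_capture() -> List[Pkt]:
    """Constructed sample traffic: one legitimate handshake, a flood, and a smurf burst."""
    pkts = [Pkt("198.51.100.7", "192.0.2.10", "tcp", 40000, 80, SYN),
            Pkt("192.0.2.10", "198.51.100.7", "tcp", 80, 40000, SYN | ACK),
            Pkt("198.51.100.7", "192.0.2.10", "tcp", 40000, 80, ACK)]
    for i in range(60):          # 60 SYNs from spoofed sources, never completed
        pkts.append(Pkt(f"203.0.113.{i % 250 + 1}", "192.0.2.10", "tcp", 1024 + i, 80, SYN))
    pkts += [Pkt("198.51.100.99", "192.0.2.255", "icmp", icmp_type=ICMP_ECHO_REQUEST)] * 3
    return pkts


if __name__ == "__main__":
    cap = constructed_capture()
    print("half-open per server:", half_open_by_server(cap))
    print("SYN flood suspects:", syn_flood_suspects(cap))
    print("smurf (victim, broadcast):", smurf_suspects(cap, ["192.0.2.0/24"]))
```

A production detector would also expire pending entries after a timeout and drop them on a server RST; the point here is that a half-open count, not raw SYN volume, is what distinguishes a flood from a busy server.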
Distributed Denial of Service Attacks
• DoS attacks launched from numerous devices
• DDoS attacks consist of four main elements
– Attacker
– Handler
– Agent
– Victim
Buffer Overflows/Overruns
• Exploit programs that copy input into a fixed-size buffer without checking the input's length; the excess overwrites adjacent memory and can redirect execution
• Adware
– Opens the door for a compromised machine to display unsolicited and unwanted advertising
• Spyware
– Unsolicited and unwanted software that takes up stealthy, unauthorized, and uninvited residence on a computer
Securing TCP/IP Environments 22
Spoofing
• Forging identity information (most often the source IP address) to hide the attacker or deflect attention from attack activities
• Ingress filtering
– Applying restrictions to traffic entering a network (for example, dropping packets that arrive from outside but claim an inside source address)
• Egress filtering
– Applying restrictions to traffic leaving a network (for example, permitting only your own address range as the source)
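Anti-spoofing ingress and egress filtering in the style of RFC 2827 (BCP 38), as an added example that is not from the textbook. The inside prefix 192.0.2.0/24, the bogon list and the verdict strings are assumptions made for the example; a real border router would express the same rules as access lists.

```python
"""Added example (not from the textbook): BCP 38 / RFC 2827 style anti-spoofing
filters as applied at a border router. Addresses are constructed for the example."""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Assumption for the example: the organisation owns 192.0.2.0/24 behind the border.
INSIDE_NETS = [ip_network("192.0.2.0/24")]

# Address blocks that can never be a legitimate source on the external interface.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def ingress_verdict(src: str, dst: str) -> str:
    """Packet arriving from the Internet on the outside interface."""
    if _in_any(src, INSIDE_NETS):
        return "drop: spoofed inside source"       # nobody outside may claim our prefix
    if _in_any(src, BOGON_NETS):
        return "drop: bogon source"                # private/loopback/multicast/reserved
    if not _in_any(dst, INSIDE_NETS):
        return "drop: not destined to our prefix"  # we are not a transit network
    if any(ip_address(dst) == n.broadcast_address for n in INSIDE_NETS):
        return "drop: directed broadcast"          # denies the smurf amplifier role
    return "permit"


def egress_verdict(src: str) -> str:
    """Packet leaving for the Internet: only our own prefix may appear as source,
    so a compromised inside host cannot take part in a spoofed flood."""
    return "permit" if _in_any(src, INSIDE_NETS) else "drop: source not ours"


def filter_ingress(packets: Iterable[Tuple[str, str]]) -> List[str]:
    """Apply the ingress rules to (src, dst) pairs and return one verdict per packet."""
    return [ingress_verdict(s, d) for s, d in packets]


if __name__ == "__main__":
    sample = [("198.51.100.7", "192.0.2.10"),    # ordinary inbound packet
              ("192.0.2.5", "192.0.2.10"),       # claims to be one of us
              ("10.1.1.1", "192.0.2.10"),        # private source on the Internet
              ("198.51.100.7", "192.0.2.255")]   # directed broadcast
    for pkt, verdict in zip(sample, filter_ingress(sample)):
        print(pkt, "->", verdict)
    print(("203.0.113.9", "outbound"), "->", egress_verdict("203.0.113.9"))
```

The ingress side protects you from the Internet; the egress side protects the Internet from you, and it is the egress rule that removes your network as a launch point for spoofed DoS traffic.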
Securing TCP/IP Environments 23
TCP Session Hijacking
• Purpose of an attack
– To masquerade as an authorized user to gain access to a system
• Once a session is hijacked
– The attacker can send packets to the server to execute commands, change passwords, or worse
Securing TCP/IP Environments 24
Network Sniffing
• One method of passive network attack
– Based on network “sniffing,” or eavesdropping using a protocol analyzer or other sniffing software
• Network analyzers available to eavesdrop on networks include
– tcpdump (UNIX)
– EtherPeek (Windows)
– Network Monitor (Windows)
– AiroPeek Wireless (Windows)
– Ethereal for Windows (now Wireshark)
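What any of those analyzers does with the bytes it captures, as an added example that is not from the textbook: decode an Ethernet II / IPv4 / TCP frame field by field and verify the IPv4 header checksum. The frame is constructed inline (a cleartext Telnet login from 192.0.2.10 to 198.51.100.7, with assumed MAC addresses) so that the example runs offline; the TCP checksum is left at zero and not verified, which a real analyzer would also do.

```python
"""Added example (not from the textbook): decoding a captured Ethernet/IPv4/TCP
frame the way a protocol analyzer does. The frame is constructed inline."""
import struct
from ipaddress import IPv4Address


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Return the fields an analyzer would show for an Ethernet II / IPv4 / TCP frame."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (20 without options)
    hdr = ip[:ihl]
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]   # recompute with checksum bytes cleared
    out = {
        "eth_src": eth_src.hex(":"), "eth_dst": eth_dst.hex(":"),
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ttl": ttl, "proto": proto,
        "ip_checksum_ok": ipv4_checksum(zeroed) == hdr_csum,
    }
    if proto == 6:                           # TCP
        tcp = ip[ihl:]
        sport, dport, seq, ack_no, off_flags = struct.unpack("!HHIIH", tcp[:14])
        data_off = (off_flags >> 12) * 4
        flags = off_flags & 0x1FF
        out.update({"sport": sport, "dport": dport, "seq": seq, "ack_no": ack_no,
                    "flags": flags, "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
                    "payload": tcp[data_off:]})
    return out


def build_frame(payload: bytes = b"USER alice\r\n") -> bytes:
    """Constructed sample: PSH/ACK segment to TCP port 23 (Telnet) carrying a cleartext login."""
    src, dst = IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.7").packed
    tcp = struct.pack("!HHIIHHHH", 51000, 23, 0x1000, 0x2000,
                      (5 << 12) | 0x018, 65535, 0, 0) + payload      # TCP checksum left 0
    ip_nocsum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip_nocsum[:10] + struct.pack("!H", ipv4_checksum(ip_nocsum)) + ip_nocsum[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp


if __name__ == "__main__":
    for k, v in decode_frame(build_frame()).items():
        print(f"{k:14} {v!r}")
```

The payload line is the whole point of the slide: anything Telnet, FTP or rlogin sends is readable to whoever holds a copy of the frame, which is why those services were singled out as the most vulnerable earlier in the chapter.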
Maintaining IP Security
• Microsoft security bulletins
– May be accessed or searched through the Security Bulletins section at: www.microsoft.com/security/default.mspx
• Essential to know about security patches and fixes and to install them
• Knowing which ports to block
– Many exploits and attacks target the well-known ports of common, vulnerable services; block every port you do not need
Recognizing Attack Signatures
• Most attacks have an attack signature
– By which they may be recognized or identified
– Signatures may be used to implement IDS devices
– Can be configured as network analyzer filters as well
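The dual use of a signature described above, as an added example that is not from the textbook: a few classic header-level signatures (LAND, Xmas and NULL scans, the SYN+FIN combination, and Echo Requests to a directed broadcast), each written once as a Python predicate for a small IDS and once as the equivalent tcpdump capture filter. The packet records and the 192.0.2.255 broadcast address are constructed for the example.

```python
"""Added example (not from the textbook): header-level attack signatures written
as IDS predicates, each paired with the equivalent tcpdump/BPF filter. Packets
are constructed inline."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG
BROADCAST = "192.0.2.255"                    # assumed directed-broadcast address of our /24


@dataclass(frozen=True)
class Hdr:
    src: str
    dst: str
    proto: int                               # 6 = TCP, 1 = ICMP
    tcp_flags: int = 0
    icmp_type: int = -1


# name -> (predicate used by the detector, tcpdump filter that matches the same packets)
SIGNATURES: Dict[str, Tuple[Callable[[Hdr], bool], str]] = {
    "LAND (src == dst)": (
        lambda h: h.src == h.dst,
        "ip[12:4] = ip[16:4]"),
    "Xmas scan (FIN+PSH+URG)": (
        lambda h: h.proto == 6 and (h.tcp_flags & XMAS) == XMAS,
        "tcp[13] & 0x29 = 0x29"),
    "NULL scan (no flags)": (
        lambda h: h.proto == 6 and h.tcp_flags == 0,
        "tcp[13] = 0"),
    "SYN+FIN (never legitimate)": (
        lambda h: h.proto == 6 and (h.tcp_flags & (SYN | FIN)) == (SYN | FIN),
        "tcp[13] & 0x03 = 0x03"),
    "ICMP echo to directed broadcast": (
        lambda h: h.proto == 1 and h.icmp_type == 8 and h.dst == BROADCAST,
        f"icmp[icmptype] = icmp-echo and dst host {BROADCAST}"),
}


def match(h: Hdr) -> List[str]:
    """Names of every signature the packet header satisfies (normal traffic -> [])."""
    return [name for name, (pred, _) in SIGNATURES.items() if pred(h)]


def analyzer_filter(names: List[str]) -> str:
    """Combine the tcpdump filters for the named signatures into one capture expression."""
    return " or ".join(f"({SIGNATURES[n][1]})" for n in names)


def scan(packets: List[Hdr]) -> List[Tuple[Hdr, List[str]]]:
    """Return only the packets that hit at least one signature, with the hits."""
    hits = [(p, match(p)) for p in packets]
    return [(p, m) for p, m in hits if m]


if __name__ == "__main__":
    sample = [Hdr("198.51.100.7", "192.0.2.10", 6, SYN),             # normal connection attempt
              Hdr("192.0.2.10", "192.0.2.10", 6, SYN),               # LAND
              Hdr("203.0.113.5", "192.0.2.10", 6, XMAS),             # Xmas scan
              Hdr("203.0.113.5", "192.0.2.10", 6, 0),                # NULL scan
              Hdr("198.51.100.99", BROADCAST, 1, icmp_type=8)]       # smurf probe
    for pkt, names in scan(sample):
        print(pkt.src, "->", pkt.dst, names)
    print("tcpdump filter:", analyzer_filter(list(SIGNATURES)))
```

Keeping the predicate and the capture filter side by side is what lets the same signature drive an IDS alert and a tcpdump or Ethereal display filter during the investigation that follows.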
Using IP Security
• RFC 2401 (since superseded by RFC 4301) says the goals of IPsec are to provide the following kinds of security
– Access control
– Connectionless integrity
– Data origin authentication
– Protection against replays
– Confidentiality
– Limited traffic flow confidentiality
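Of the goals listed, "protection against replays" is the one with a compact, well-defined mechanism: the sliding anti-replay window that RFC 2401 describes in its appendix and that AH and ESP receivers implement. The following is an added example, not code from the textbook or from any IPsec implementation; the window size of 64 is the common default and the sequence numbers fed to it are constructed.

```python
"""Added example (not from the textbook): the IPsec sliding anti-replay window.
Bit 0 of the bitmap stands for the highest sequence number seen so far; bit i
stands for (highest - i). Sequence numbers are constructed for the demo."""
from typing import List


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => (highest - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window.

        In a real receiver the 'check' half runs before the ICV is verified and
        the 'update' half only after it passes, so forged packets cannot move the
        window; both halves are combined here because the example has no ICV.
        """
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.highest:                # to the right: slide the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0               # everything in the old window is now too old
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                      # fell off the left edge: too old
        if self.bitmap & (1 << diff):
            return False                      # already seen: replay
        self.bitmap |= 1 << diff              # late but genuine: accept and mark
        return True


def process(seqs: List[int], size: int = 64) -> List[bool]:
    """Run a sequence of received sequence numbers through one window."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # constructed arrival order: reordering (3 before 2), a replay of 2, a jump, a stale 12
    for s, ok in zip([1, 3, 2, 2, 20, 12, 13], process([1, 3, 2, 2, 20, 12, 13], size=8)):
        print(f"seq {s:>3}: {'accept' if ok else 'reject'}")
```

The window tolerates moderate reordering (2 arriving after 3) while still rejecting an exact duplicate, which is the property a replayed but otherwise perfectly authenticated packet must run into.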
Protecting the Perimeter of the Network
• Important devices and services used to protect the perimeter of networks
– Bastion host
– Boundary (or border) router
– Demilitarized zone (DMZ)
– Firewall
– Network address translation
– Proxy server
Understanding the Basics of Firewalls
• Firewall
– Barrier that controls traffic flow and access between networks
– Designed to inspect incoming traffic and block or filter traffic based on a variety of criteria
– Normally astride the boundary between a public network and private networks inside an organization
Useful Firewall Specifics
• Firewalls usually incorporate four major elements
– Screening router functions
– Proxy service functions
– “Stateful inspection” of packet sequences and services
– Virtual Private Network services
Commercial Firewall Features
• Address translation/privacy services
• Specific filtering mechanisms
• Alarms and alerts
• Logs and reports
• Transparency
• Intrusion detection systems (IDSs)
• Management controls
Understanding the Basics of Proxy Servers
• Proxy servers
– Can perform “reverse proxying” to expose a service inside a network to outside users, as if it resides on the proxy server itself
• Caching
– An important proxy behavior
• Cache
– Potentially valuable location for a system attack
Planning and Implementing, Step by Step
• Useful steps when planning and implementing firewalls and proxy servers
– Plan
– Establish requirements
– Install
– Configure
– Test
– Attack
– Tune
– Implement
– Monitor and maintain
Understanding the Test-Attack-Tune Cycle
• Attack tools
– McAfee CyberCop ASaP
– GNU NetTools
– A port mapper such as AnalogX PortMapper
– Internet Security Systems various security scanners
Understanding the Role of IDS and IPS in IP Security
• Intrusion detection systems
– Make it easier to automate recognizing and responding to potential attacks
• Increasingly, firewalls include
– Hooks to allow them to interact with IDSs, or their own built-in IDS capabilities
• IPSs make access control decisions on the basis of application content
Updating Anti-Virus Engines and Virus Lists
• Because of the frequency of introduction of new viruses, worms, and Trojans
– Essential to update anti-virus engine software and virus definitions on a regular basis
• Anti-virus protection
– Key ingredient in any security policy
The Security Update Process
• Evaluate the vulnerability
• Retrieve the update
• Test the update
• Deploy the update
Understanding Security Policies and Recovery Plans
• Security policy
– Document that reflects an organization’s understanding of
• What information assets and other resources need protection
• How they are to be protected
• How they must be maintained under normal operating circumstances
Understanding Security Policies and Recovery Plans (continued)
• RFC 2196 lists the following documents as components of a good security policy
– An access policy document
– An accountability policy document
– A privacy policy document
– A violations reporting policy document
– An authentication policy document
– An information technology system and network maintenance policy document
Windows XP and Windows Server 2003: Another Generation of Network Security
• Features that should help maintain tighter security
– Kerberos version 5
– Public Key Infrastructure (PKI)
– Directory Service Account Management
– CryptoAPI
– Encrypting File System (EFS)
– Secure Channel Security protocols (SSL 3.0/PCT)
Honeypots and Honeynets
• Honeypot
– Computer system deliberately set up to entice and trap attackers
• Honeynet
– Broadens the honeypot concept from a single system to what looks like a network of such systems
Summary
• An attack
– An attempt to compromise the privacy and integrity of an organization’s information assets
• In its original form, TCP/IP implemented an optimistic security model
• Basic principles of IP security
– Include avoiding unnecessary exposure by blocking all unused ports
• Necessary to protect systems and networks from malicious code
– Such as viruses, worms, and Trojan horses
Summary (continued)
• Would-be attackers
– Usually engage in a well-understood sequence of activities, called reconnaissance and discovery
• Maintaining system and network security involves constant activity that must include
– Keeping up with security news and information
• Keeping operating systems secure in the face of new vulnerabilities
– A necessary and ongoing process
Summary (continued)
• When establishing a secure network perimeter
– It is essential to repeat the test-attack-tune cycle
• To create a strong foundation for system and network security, formulate policy that incorporates
– Processes, procedures, and rules regarding physical and personnel security issues
• Windows XP and Windows Server 2003 include
– Notable security improvements and enhancements as compared to other Windows versions