Guide To TCP/IP, Second Edition

Chapter 9

Securing TCP/IP Environments


Objectives

• Understand basic concepts and principles for maintaining computer and network security

• Understand the anatomy of an IP attack, including the reconnaissance and discovery processes, the attack itself, and the cover-up

• Recognize common points of attacks inherent in TCP/IP architecture, explore well-known potential points for attacks on TCP/IP, and understand the form that most TCP/IP attacks usually take


Objectives (cont.)

• Understand security policies and recovery plans

• Understand new and improved security features in Windows XP Professional and Windows Server 2003


Understanding Computer and Network Security

• Principles of IP Security: 3 areas of concern
  – Physical security
  – Personal security
  – System and network security

• Analyzing the current software environment

• Identifying and eliminating potential points of exposure

• Closing well-known back doors

• Preventing documented exploits


Principles of IP Security

• Specific recommendations:

– Avoid unnecessary exposure

– Block all unused ports

– Prevent internal address “spoofing”

– Filter out all unwanted addresses

– Exclude access by default, include by exception

– Restrict outside access to “compromisable” hosts

– Do unto yourself before others do unto you


Understanding Typical IP Attacks, Exploits, and Break-ins

• IP and TCP or UDP offer no built-in security controls

• Successful attacks rely on two weapons
  – Profiling or footprinting tools
  – Working knowledge of known weaknesses or implementation problems


Key Terminology in Network and Computer Security

• An attack represents some kind of attempt to:
  – Obtain access to information
  – Damage or destroy such information
  – Otherwise compromise system security or usability

• An exploit documents a vulnerability

• A break-in refers to a successful attempt to compromise a system’s security

Key Weaknesses in TCP/IP

• TCP/IP was originally designed around an optimistic security model

• Well-known port addresses

• Attackers can do any or all of the following:
  – Attempt to impersonate valid users
    • User impersonation
    • Brute force password attack
  – Session hijacking
  – Packet sniffing or packet snooping
  – IP spoofing
  – DoS attack


Flexibility Versus Security

• Flexibility comes from peripheral protocols
  – Internet Control Message Protocol (ICMP)
  – Simple Network Management Protocol (SNMP)
  – Address Resolution Protocol (ARP)
  – Various routing protocols

• Disable proxy ARP (refer to http://www.cisco.com/warp/public/105/5.html#howdoesproxyarpwork)

• Manually configure static MAC addresses


Common Types of IP-Related Attacks

• DoS attack

• Man-in-the-middle (MITM) attack

• IP service attacks
  – Well-known ports
  – Anonymous logins

• IP service implementation vulnerabilities

• Insecure IP protocols and services


What IP Services Are Most Vulnerable?

• Remote logon services
  – Telnet, rexec, rsh, rpr

• Remote control programs
  – RDP, pcAnywhere, Carbon Copy, Timbuktu

• Anonymous access
  – Web, FTP


Holes, Back Doors, and Other Illicit Points of Entry

• Hole

• Back door

• Vulnerability

• Password crackers
  – Brute force or dictionary attack

• Protect with password hashing


The Anatomy Of IP Attack

• Reconnaissance and discovery processes
  – Identify active hosts or processes
    • PING sweep
    • Port probe, nmap
  – Identify IP addresses, operating systems, versions

• The attack
  – Exploit vulnerabilities

• The cover-up
  – Delete log files

The Anatomy Of IP Attack (cont.)

[Figure-only slides; the diagrams are not included in this transcript.]


Common IP Points Of Attack

• Viruses

• Worms

• Trojan horse programs

• Protect with a virus protection program
  – Update daily

• Denial of Service (DoS) attack
  – Designed to interrupt or completely disrupt operations of a network device or network communications

Common IP Points Of Attack (cont.)

[Figure-only slide; the diagram is not included in this transcript.]


Common IP Points Of Attack (cont.)

• Distributed Denial of Service (DDoS) attack
  – Launched from numerous devices
  – Consists of four elements
    • Attacker
    • Handler
    • Agent
    • Victim

Common IP Points Of Attack (cont.)

[Figure-only slide; the diagram is not included in this transcript.]


Common IP Points Of Attack (cont.)

• Buffer overflows/overruns
  – Not related to TCP/IP
  – Exploit weakness in program

• Spoofing

• Secure with
  – Ingress filtering (incoming)
  – Egress filtering (outgoing)

• TCP session hijacking

• Network sniffing
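The ingress/egress filtering recommended here, combined with the earlier principles of blocking unused ports and excluding access by default, as an added example that is not the book's code: a model of a border router's packet filter. The address blocks, interface names and exposed services are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example (not the book's code): a border router with an
# Internet-facing interface "ext" and a LAN interface "int". The address
# blocks, interface names and exposed services are assumptions.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # addresses we own
# Private/reserved space that can never be a legitimate source from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]
# "Include by exception": the only inbound services the perimeter exposes.
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def antispoof(pkt: Packet) -> Optional[str]:
    """Ingress filtering: traffic arriving from the Internet must not claim an
    internal or bogon source. Egress filtering: traffic leaving the LAN must
    carry one of our own addresses, so our hosts cannot be used to spoof others."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "ext":
        if src in INTERNAL_NET:
            return "drop: ingress spoof of internal address"
        if any(src in net for net in BOGON_NETS):
            return "drop: ingress bogon source"
    elif pkt.iface == "int":
        if src not in INTERNAL_NET:
            return "drop: egress spoof (source not ours)"
    return None


def filter_packet(pkt: Packet) -> str:
    """Anti-spoofing checks first, then an allow-list with default deny."""
    verdict = antispoof(pkt)
    if verdict is not None:
        return verdict
    if pkt.iface == "int":
        return "accept: outbound from internal host"
    if (pkt.proto, pkt.dport) in ALLOWED_INBOUND:
        return "accept: exposed service"
    return "drop: default deny (unused port)"


if __name__ == "__main__":
    for p in (Packet("ext", "192.0.2.7", "192.0.2.10", "tcp", 80),      # spoofed
              Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 443),   # allowed
              Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 23),    # unused port
              Packet("int", "198.51.100.9", "203.0.113.5", "tcp", 80)):  # egress spoof
        print(p.src, "->", p.dst, ":", filter_packet(p))
```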

Common IP Points Of Attack (cont.)

[Figure-only slides; the diagrams are not included in this transcript.]


Maintaining IP Security

• Apply security patches and fixes to
  – Operating system faults
  – Security holes
  – Microsoft security bulletins
    • www.microsoft.com/security


Maintaining IP Security (cont.)

• Recognizing attack signatures
  – IDS and network analyzer

• Using IP Security (IPSec)
  – Cryptographic security services
  – Support explicit and strong authentication
  – Integrity and access controls
  – Confidentiality of IP datagrams
  – Authentication Header (AH), Encapsulating Security Payload (ESP)

Knowing Which Ports To Block

[Slide content (figure or table) not included in this transcript.]


Protecting the Perimeter of the Network

• Important devices and services to help protect the perimeter of your networks
  – Bastion host
  – Boundary (or border) router
  – Demilitarized zone
  – Firewall
  – Network address translation (NAT)
  – Proxy server
  – Screening host
  – Screening router


Understanding the Basics of Firewalls

• Control traffic flow and network access
  – Inspect incoming traffic
  – Block or filter traffic

• Placed at network boundaries or organizational boundaries

• Physical or software

• Firewalls’ basic security functions
  – Address filtering
  – Proxy services
  – Network address translation


Useful Firewall Specifics

• Four major elements
  – Screening router functions
    • Domain name, IP address, port address, message type
  – Proxy service functions
  – “Stateful inspection” of packet sequences and services
  – Virtual Private Network services
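What "stateful inspection" adds over a screening router, as an added example that is not the book's code: a connection table that admits an inbound packet only when it belongs to a session the firewall has already seen (or opens a session to an exposed service), so a stray ACK or an unsolicited SYN to an internal port is dropped. The flow tuple format and port numbers are assumptions.

```python
from typing import Dict, Iterable, Tuple

# Constructed model of a stateful inspection engine (not the book's code).
# A flow is identified by (proto, src, sport, dst, dport); addresses and
# port numbers used here are assumptions.
Flow = Tuple[str, str, int, str, int]


def reverse(flow: Flow) -> Flow:
    """The same session seen from the other direction."""
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


class StatefulFilter:
    def __init__(self, exposed_ports: Iterable[int]):
        self.exposed = set(exposed_ports)      # inbound services allowed to open a session
        self.table: Dict[Flow, str] = {}       # initiating flow -> session state

    def handle(self, direction: str, flow: Flow, flags: str) -> str:
        """direction is 'out' (LAN -> Internet) or 'in'; flags is a string of
        TCP flag letters, e.g. 'S', 'SA', 'A', 'F', 'R'."""
        key = flow if flow in self.table else reverse(flow)
        if key in self.table:
            # Packet belongs to a session we have already seen.
            if "R" in flags or "F" in flags:
                del self.table[key]            # simplification: tear down on first FIN/RST
                return "accept (closing)"
            if self.table[key] == "SYN_SEEN" and flags == "SA":
                self.table[key] = "ESTABLISHED"
            return "accept (matches tracked session)"
        if flags == "S":
            if direction == "out":
                self.table[flow] = "SYN_SEEN"
                return "accept (new outbound session)"
            if flow[4] in self.exposed:
                self.table[flow] = "SYN_SEEN"
                return "accept (new inbound session to exposed service)"
            return "drop (unsolicited inbound SYN)"
        # A non-SYN packet with no matching session: a stateless port filter
        # would pass it whenever the port is open; a stateful one does not.
        return "drop (no session for this packet)"
```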


Commercial Firewall Features

• Additional features and functions in some, but not necessarily all, firewalls

– Address translation/privacy services

– Specific filtering mechanisms

– Alarms and alerts

– Logs and reports

– Transparency

– Intrusion detection system (IDS)

– Management controls


Understanding the Basics of Proxy Servers

• Sit between both outgoing and incoming service requests

• Prevent external users from direct access to internal resources

• Operate at the Application layer

• Caching


Implementing Firewalls and Proxy Servers

• Planning and implementing, step by step
  – Security policies operate somewhere between the two extremes of “anything goes” (totally optimistic) and “no connection” (totally pessimistic)
  – 1) Plan
  – 2) Establish equipment
  – 3) Install
  – 4) Configure


Implementing Firewalls and Proxy Servers (cont.)

• Planning and implementing, step by step (cont.)
  – 5) Test
  – 6) Attack
  – 7) Tune

• Repeat the test-attack-tune cycle (Steps 5-7)

  – 8) Implement
  – 9) Monitor and Maintain


Implementing Firewalls and Proxy Servers (cont.)

• Don’t ever work straight out of the box with a firewall or proxy server without checking for additional changes, updates, patches, fixes, and workarounds


Understanding the Test-Attack-Tune Cycle

• Harden the firewall or proxy server

• Document the configuration

• Do not disable functionality that applications and services use to work properly

• Use a battery of attack tools to test the network, such as
  – Network Associates
  – GNU NetTools
  – A port mapper such as AnalogX PortMapper or nmap
  – Internet Security Systems’ various security scanners


Understanding the Role of IDS in IP Security

• Automate recognizing and responding to potential attacks and other suspicious forms of network traffic

• Recognize intrusion attempts in real time
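The "recognizing attack signatures" task an IDS automates, as an added example that is not the book's code: the reconnaissance phase described earlier (a PING sweep followed by a port probe) shows up in perimeter logs as one source touching many hosts or many ports in a short window, and a sliding-window counter flags it. The log line format, thresholds and sample addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log format (an assumption, not from the book):
# "<ISO timestamp> <action> <proto> <src> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
                     r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # tolerate lines in another format
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"])
    return e


def detect_recon(lines, window=timedelta(seconds=60), host_threshold=10, port_threshold=10):
    """Signature for the reconnaissance phase: one source reaching many hosts
    with ICMP inside `window` (ping sweep) or many ports on one host (port probe)."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    icmp_targets = defaultdict(list)     # src -> [(ts, dst)]
    port_targets = defaultdict(list)     # (src, dst) -> [(ts, dport)]
    alerts = set()
    for e in events:
        cutoff = e["ts"] - window
        if e["proto"] == "icmp":
            seen = icmp_targets[e["src"]]
            seen.append((e["ts"], e["dst"]))
            seen[:] = [x for x in seen if x[0] >= cutoff]   # slide the window
            if len({d for _, d in seen}) >= host_threshold:
                alerts.add(("ping_sweep", e["src"]))
        else:
            seen = port_targets[(e["src"], e["dst"])]
            seen.append((e["ts"], e["dport"]))
            seen[:] = [x for x in seen if x[0] >= cutoff]
            if len({p for _, p in seen}) >= port_threshold:
                alerts.add(("port_probe", e["src"], e["dst"]))
    return sorted(alerts, key=str)


def build_sample_log():
    """Constructed sample: one scanner (203.0.113.5) and one normal client."""
    base = datetime(2004, 3, 1, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"{stamp(i)} DROP icmp 203.0.113.5 -> 192.0.2.{i}:0" for i in range(1, 13)]
    for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389)):
        lines.append(f"{stamp(20 + i)} DROP tcp 203.0.113.5 -> 192.0.2.10:{port}")
    lines += [f"{stamp(40 + i)} ACCEPT tcp 198.51.100.7 -> 192.0.2.10:443" for i in range(5)]
    return lines


if __name__ == "__main__":
    for alert in detect_recon(build_sample_log()):
        print(*alert)
```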


Updating Anti-Virus Engines and Virus Lists

• Update anti-virus engine software and virus definitions on a regular basis

• Automatic update facilities

• Transparently and automatically check
  – E-mail attachments
  – Inbound file transfers
  – Floppy disks and other media
  – Other potential sources of infection


The Security Update Process

• Security update process involves four steps
  – Evaluate the vulnerability
  – Retrieve the update
  – Test the update
  – Deploy the update


Understanding Security Policies And Recovery Plans

• A security policy is a document that
  – Reflects an organization’s understanding of what information assets and other resources need protection
  – How they are to be protected
  – How they must be maintained under normal operating circumstances
  – How they are to be restored in the face of compromise or loss


Understanding Security Policies And Recovery Plans (cont.)

• Components of a good security policy
  – An access policy document
  – An accountability policy document
  – A privacy policy document
  – A violations reporting policy document
  – An authentication policy document
  – An information technology system and network maintenance policy document


Understanding Security Policies And Recovery Plans (cont.)

• Additional information about security policies and related documents
  – System and Administration, Networking, and Security (SANS) Institute
  – Department of Defense funds the Software Engineering Institute (SEI) at Carnegie-Mellon University
  – Murdoch University’s Office of Information Technology Services


Chapter Summary

• In security terms, an attack represents an attempt to break into or otherwise compromise the privacy and integrity of an organization’s information assets

• An exploit documents a vulnerability, whereas a break-in is usually the result of a successful attack


Chapter Summary (cont.)

• In its original form, TCP/IP implemented an optimistic security model, wherein little or no protection was built into its protocols and services

• Recent improvements, enhancements, and updates to TCP/IP include many ways in which this model is mitigated with a more pessimistic security model

• Unfortunately, TCP/IP remains prey to many kinds of attacks and vulnerabilities, including denials of service (which may be from a single source or distributed across numerous sources), service attacks, service and implementation vulnerabilities, and man-in-the-middle attacks


Chapter Summary (cont.)

• Basic principles of IP security include avoiding unnecessary exposure by blocking all unused ports and installing only necessary services

• They also include judicious use of address filtering to block known malefactors and stymie address spoofing

• We advocate adoption of a pessimistic security policy, wherein access is denied, by default, and allowed only with considered exceptions

• Finally, it’s a good idea to monitor the Internet for security-related news and events—especially exploits—and to regularly attack your own systems and networks


Chapter Summary (cont.)

• It’s necessary to protect systems and networks from malicious code such as viruses, worms, and Trojan horses

• Such protection means using modern anti-virus software, which should be part of any well-built security policy


Chapter Summary (cont.)

• Would-be attackers usually engage in a well-understood sequence of activities, called reconnaissance and discovery, as they attempt to footprint systems and networks, looking for points of attack

• Judicious monitoring of network activity, especially through an IDS, can help block such attacks (and may even be able to identify their sources, if not their perpetrators)


Chapter Summary (cont.)

• Maintaining system and network security involves constant activity that must include keeping up with security news and information; applying necessary patches, fixes, and software updates; regular security audits; and self attacks to maintain the required level of security


Chapter Summary (cont.)

• Maintaining a secure network boundary remains a key ingredient for good system and network security

• This usually involves the use of screening routers, firewalls, and proxy servers, which may be on separate devices, or integrated into a single device that straddles the network boundary

• Some network architectures also make use of a DMZ between the internal and external networks, where services can more safely be exposed to the outside world, and where inside users can access proxy, caching, and other key services for external network access


Chapter Summary (cont.)

• Keeping operating systems secure in the face of new vulnerabilities is a necessary and ongoing process

• This process includes evaluation of the vulnerability, retrieval of the update, testing of the update, and deployment of the update


Chapter Summary (cont.)

• When establishing a secure network perimeter, it’s essential to repeat the test-attack-tune cycle while you’re preparing to deploy security devices, until no further tuning changes are necessitated by the tests and attacks that precede them

• This is the only method of ensuring that your network boundary is as secure as possible; it’s also necessary to repeat this process as relevant new exploits or vulnerabilities become known


Chapter Summary (cont.)

• To create a strong foundation for system and network security, it’s necessary to formulate a policy that incorporates processes, procedures, and rules regarding physical and personnel security issues, as well as addressing system and software security issues

• Likewise, system and software security should address any potential causes of loss or harm to information systems and assets, including backups, disaster recovery, and internal safeguards, as well as guard the network perimeter or boundary


Chapter Summary (cont.)

• Windows XP and Windows 2003 include notable security improvements and enhancements as compared to other Windows versions

• Especially noteworthy are Kerberos authentication and session security controls; PKI for secure, private exchange of sensitive data; blank password restriction; default lock-down state; Internet Connection Firewall (ICF); Internet Connection Sharing (ICS); and various new protocols and services, such as IP Security, EFS encryption, SSL, PCT, and TLS, all of which help to protect and secure IP-based client/server network traffic