Guide to TCP/IP, Fourth Edition, Chapter 12: Securing TCP/IP Environments

Transcript of Guide to TCP/IP, Third Edition - Olympic College (faculty.olympic.edu/kblackwell/docs/cmptr173/PowerPoint/...)

Page 1

Guide to TCP/IP
Fourth Edition
Chapter 12: Securing TCP/IP Environments

Page 2

Objectives

• Explain basic concepts and principles for maintaining computer and network security
• Explain the anatomy of an IP attack
• Recognize common points of attack inherent in the TCP/IP architecture
• Explain how to maintain IP security
• Discuss the importance of honeypots and honeynets for network security

© 2013 Course Technology/Cengage Learning. All Rights Reserved.

Page 3

Understanding Network Security Basics

• Hacker
  – Someone who uses computer and communications knowledge to exploit information or the functionality of a device
• Cracker
  – Person who attempts to break into a system for malicious purposes
• Protecting a system or network means
  – Closing the door against outside attack
  – Protecting your systems, data, and applications from any sources of damage or harm

Page 4

Understanding Network Security Basics (cont’d.)

• Physical security
  – Synonymous with “controlling physical access”
  – Should be carefully monitored
• Personnel security
  – Important to formulate a security policy for your organization
• System and network security includes
  – Analyzing the current software environment
  – Identifying and eliminating potential points of exposure

Page 5

Principles of IP Security

• Key principles
  – Avoid unnecessary exposure
  – Block all unused ports
  – Prevent internal address “spoofing”
  – Filter out unwanted addresses
  – Exclude access by default, include access by exception
  – Restrict outside access to “compromisable” hosts
  – Protect all clients and servers from obvious attack
  – Do unto yourself before others do unto you

Page 6

Typical TCP/IP Attacks, Exploits, and Break-Ins

• Basic, fundamental protocols
  – Offer no built-in security controls
• Successful attacks against TCP/IP networks and services rely on two powerful weapons
  – Profiling or footprinting tools
  – A working knowledge of known weaknesses or implementation problems

Page 7

Key Terminology

• An attack
  – Some kind of attempt to obtain access to information
• An exploit
  – Documents a vulnerability
• A break-in
  – Successful attempt to compromise a system’s security

Page 8

Key Weaknesses in TCP/IP

• Ways in which TCP/IP can be attacked
  – Bad guys can:
    • Attempt to impersonate valid users
    • Attempt to take over existing communications sessions
    • Attempt to snoop inside packets moving across the Internet
    • Utilize a technique known as IP spoofing
    • Perform a denial of service, or DoS, attack

Page 9

Flexibility versus Security

• Designers of TCP/IP and most other protocols
  – Try to make their protocols as flexible as possible
• Interaction between these protocols and IP
  – Is what is compromised most often
• Question to answer
  – Is the security of your data worth the effort to prevent the attack?
  – In most cases, that answer is “Yes!”

Page 10

Common Types of IP-Related Attacks

• DoS attacks
• Man-in-the-middle (MITM) attacks
• IP service attacks
• IP service implementation vulnerabilities
• Insecure IP protocols and services

Page 11

Which IP Services Are Most Vulnerable?

• Remote logon services
  – Include the Telnet remote terminal emulation service, as well as the Berkeley remote utilities
• Remote control programs
  – Can pose security threats
• Services that permit anonymous access
  – Make anonymous Web and FTP servers conspicuous targets

Page 12

Holes, Back Doors, and Other Illicit Points of Entry

• Hole
  – Weak spot or known place of attack on any common operating system, application, or service
• Back door
  – Undocumented and illicit point of entry into an operating system or application
• Vulnerability
  – Weakness that can be accidentally triggered or intentionally exploited

Page 13

Phases of IP Attacks

• IP attacks typically follow a set pattern
  – Reconnaissance or discovery process
  – Attacker focuses on the attack itself
  – Stealthy attacker may cover their tracks by deleting log files or terminating any active direct connections

Page 14

Reconnaissance and Discovery Phases

• PING sweep
  – Can identify active hosts on an IP network
• Port probe
  – Detects UDP- and TCP-based services running on a host
• Purpose of reconnaissance
  – To find out what you have and what is vulnerable

Page 15

Attack

• The attack
  – May encompass a brute force attack process that overwhelms a victim

Page 16

Cover-Up

• In an effort to escape detection
  – Many attackers delete log files that could indicate an attack occurred
• Computer forensics
  – May be necessary to identify traces from an attacker winding his or her way through a system

Page 17

Common Attacks and Entry Points in More Detail

• TCP/IP
  – By its very nature, a trusting protocol stack
• Designers, implementers, and product developers
  – Have tried to secure the protocol and plug holes or vulnerabilities whenever possible

Page 18

Viruses, Worms, and Trojan Horse Programs

• Malicious code (malware)
  – Can disrupt operations or corrupt data
• Viruses, worms (mobile code), and Trojan horses
  – Three such types of malicious code

Page 19

Adware and Spyware

• Adware
  – Displays all kinds of unsolicited and unwanted advertising, often of an unsavory nature
• Spyware
  – Unsolicited and unwanted software
  – Stealthily takes up unauthorized and uninvited residence on a computer

Page 20

Denial of Service Attacks

• Designed to interrupt or completely disrupt the operation of a network device or of communications
• DoS-related attacks include:
  – SYN Flood
  – Broadcast amplification
  – Buffer overflow

Page 21

Distributed Denial of Service Attacks

• DoS attacks launched from numerous devices
• DDoS attacks consist of four main elements
  – Attacker
  – Handler
  – Agent
  – Victim


Page 23

Buffer Overflows/Overruns

• Exploit a weakness in many programs that expect to receive a fixed amount of input
• In some cases, extra data can be used to execute commands on the computer
  – With the same privileges as the program it overruns
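As an added illustration that is not part of the textbook or these slides: a small C program that “expects” a fixed amount of input, written once with the unchecked copy the slide describes and once with a bounds check that rejects oversized input. The names (NAME_MAX, copy_name_unchecked, copy_name_checked) and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical program that "expects" a name of at most 15 characters
 * (plus the terminating NUL) in a fixed-size buffer. */
#define NAME_MAX 16

/* Length of s, but never looking further than max bytes (avoids the
 * POSIX-only strnlen so the file builds under plain C99). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Defective version: copies the whole input into a fixed-size stack buffer
 * with no length check. Input longer than NAME_MAX writes past buf into
 * whatever the compiler placed next to it on the stack, which is exactly
 * the weakness the slide describes; anything that ran as a result would
 * run with the privileges of this program. Only safe for short input. */
int copy_name_unchecked(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);                   /* the overrun: no bound at all */
    return (int)strlen(buf);
}

/* Hardened version: measure the input against the buffer before copying,
 * reject anything that does not fit (rather than silently truncating it),
 * and always NUL-terminate. Returns the number of characters accepted,
 * or -1 when the input is too long. */
int copy_name_checked(const char *name)
{
    char buf[NAME_MAX];
    size_t len = bounded_len(name, NAME_MAX);
    if (len >= NAME_MAX)                 /* no room left for the terminator */
        return -1;
    memcpy(buf, name, len);
    buf[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample input: one value that fits, one that does not. */
    const char *short_name = "alice";
    const char *long_name  = "this-name-is-much-longer-than-sixteen-bytes";

    printf("checked(\"%s\") -> %d\n", short_name, copy_name_checked(short_name));
    printf("checked(long)    -> %d\n", copy_name_checked(long_name));
    /* copy_name_unchecked(long_name) is deliberately not called: it would
     * overrun buf and the behaviour is undefined. */
    return 0;
}
```

The checked version fails closed: an input of exactly 15 characters is accepted, 16 or more is refused before a single byte is copied.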

Page 24

Spoofing

• Borrowing identity information to hide or deflect interest in attack activities
• NetBIOS attacks
  – Attacker sends spoofed NetBIOS Name Release or NetBIOS Name Conflict messages to a victim machine

Page 25

TCP Session Hijacking

• Purpose of an attack
  – To masquerade as an authorized user to gain access to a system
• Once a session is hijacked
  – The attacker can send packets to the server to execute commands, change passwords, or worse

Page 26

Network Sniffing

• One method of passive network attack
  – Based on network “sniffing,” or eavesdropping, using a protocol analyzer or other sniffing software
• Network analyzers available to eavesdrop on networks include:
  – tcpdump (UNIX)
  – OmniPeek (Windows)
  – Network Monitor (Windows)
  – Wireshark

Page 27

Network Sniffing (cont’d.)

Page 28

Network Sniffing (cont’d.)

Page 29

Maintaining IP Security

• The following sections cover some of the elements that must be included as part of routine security maintenance

Page 30

Applying Security Patches and Fixes

• Microsoft security bulletins
  – May be accessed or searched at: http://technet.microsoft.com/en-us/security/bulletin
• Essential to know about security patches and fixes and to install them
• Security Update Process
  – Evaluate the vulnerability
  – Retrieve the patch or update
  – Test the patch or update
  – Deploy the patch or update

Page 31

Knowing Which Ports to Block

• Many exploits and attacks are based on common vulnerabilities

Page 32

Using IP Security (IPSec)

• RFC 2401 says the goals of IPSec are to provide the following kinds of security
  – Access control
  – Connectionless integrity
  – Data origin authentication
  – Protection against replays
  – Confidentiality
  – Limited traffic flow confidentiality

Page 33

Protecting the Perimeter of the Network

• Important devices and services used to protect the perimeter of networks
  – Bastion host
  – Boundary (or border) router
  – Demilitarized zone (DMZ)
  – Firewall
  – Network address translation
  – Proxy server
  – Screening host
  – Screening router

Page 34

Major Firewall Elements

• Firewalls usually incorporate four major elements:
  – Screening router functions
  – Proxy service functions
  – “Stateful inspection” of packet sequences and services
  – Virtual Private Network services

Page 35

Basics of Proxy Servers

• Proxy servers
  – Can perform “reverse proxying”
    • Exposes a service inside a network to outside users, as if it resides on the proxy server itself
• Caching
  – An important proxy behavior
• Cache
  – Potentially valuable location for a system attack

Page 36

Implementing Firewalls

• Linking an internal network to the Internet without managing the boundary between them
  – Is blatantly irresponsible

Page 37

Step-by-Step Firewall Planning and Implementing

• Useful steps when planning and implementing firewalls and proxy servers
  – Plan
  – Establish requirements
  – Install
  – Configure
  – Test
  – Attack
  – Tune
  – Implement
  – Monitor and maintain

Page 38

Roles of IDS and IPS in IP Security

• Intrusion detection systems
  – Make it easier to automate recognizing and responding to potential attacks
• Increasingly, firewalls include hooks
  – Allow them to interact with IDSs, or include their own built-in IDS capabilities
• IPSs make access control decisions on the basis of application content

Page 39

Honeypots and Honeynets

• Honeypot
  – Computer system deliberately set up to entice and trap attackers
• Honeynet
  – Broadens the honeypot concept from a single system to what looks like a network of such systems

Page 40

Summary

• An attack
  – An attempt to compromise the privacy and integrity of an organization’s information assets
• In its original form, TCP/IP implemented an optimistic security model
• Basic principles of IP security
  – Include avoiding unnecessary exposure by blocking all unused ports
• Necessary to protect systems and networks from malicious code
  – Such as viruses, worms, and Trojan horses

Page 41

Summary (cont’d.)

• Would-be attackers
  – Usually engage in a well-understood sequence of activities, called reconnaissance and discovery
• Maintaining system and network security involves constant activity
  – Must keep up with security news and information
• Keeping operating systems secure in the face of new vulnerabilities
  – A necessary and ongoing process
• A honeypot is a computer system deliberately set up to entice and trap attackers