Security + Certification - Chapter 7: Security Administration for the System - Athena


Chapter 7: Security Administration for the System (content summary) - ATHENA

Objectives in this Chapter
- Understand the purpose of a network firewall and the kinds of firewall technology available on the market
- Understand the role of routers, switches, and other networking hardware in security
- Determine when VPN or RAS technology works to provide a secure network connection

Firewalls
- Hardware or software devices that provide a means of securing a computer or network from unwanted intrusion
  • A dedicated physical device that protects a network from intrusion
  • A software feature added to a router, switch, or other device that prevents traffic to or from part of a network

Three firewall technologies
- Packet filtering
- Application layer gateways
- Stateful inspection

Packet filtering firewall
- Works at the Network layer of the Open Systems Interconnection (OSI) model (reading Transport-layer port numbers as well) and is designed to operate rapidly by either allowing or denying each packet on its own, with no memory of earlier packets.

Application layer gateway
- Operates at the Application layer of the OSI model, analyzing each packet and verifying that it contains the correct type of data for the specific application it is attempting to communicate with.

Stateful inspection firewall
- Checks each packet to verify that it is an expected response to a current communications session. Operates at the Network layer, but is aware of the Transport, Session, Presentation, and Application layers and builds its state table from these layers of the OSI model.

Management Cycle for Firewall Protection
1. Draft a written security policy
2. Design the firewall/network to implement the policy
3. Implement the design by installing the selected hardware and software
4. Test the firewall
5. Review new threats, requirements for additional security, and updates to systems and software; repeat the process from the first step

Drafting a Security Policy
- What am I protecting? From whom?
- What services does my company need to access over the network?
- Who gets access to what resources?
- Who administers the network?

Available Targets and Who Is Aiming at Them
- Common areas of attack
  • Web servers
  • Mail servers
  • FTP servers
  • Databases
- Intruders
  • Sport hackers
  • Malicious hackers
  • The professionals

Services and Security
- To determine the services you need, you have to know how your network will be used
- Every service opens up vulnerabilities
- Don't install or use any service you don't absolutely need

A Warning
- Convenience to users comes at the expense of security, and vice versa
- If something is too difficult, users will find a way to circumvent it
- Users are the weak link in your security plan
- Try to educate and work with your users

Who Gets Access to Which Resources?
- List employees or groups of employees along with the files, file servers, databases and database servers they need to access
- List which employees need remote access to the network
- Identify groups such as partners, customers, internal users, remote users, etc.
- Identify what each group needs to use the network to accomplish. Examples: email, access to the external web site, access to an internal database server, remote access, etc.

Who Administers the Network?
- Determine the individual(s) responsible and the scope of each individual's management control

Designing the Firewall to Implement the Policy
- Select the appropriate technology to deploy the firewall

What Do Firewalls Protect Against?
- Denial of service (DoS)
- Ping of death
- SYN flood
- Brute-force and smurf attacks
- IP spoofing

How Do Firewalls Work?
- Some combination of:
  • Network address translation (NAT)
  • Basic packet filtering
  • Stateful packet inspection (SPI)
  • Application gateways
  • Access control lists (ACL)

Network Address Translation (NAT)
- Often the only technique used by basic firewalls; it hides internal addresses but is not a substitute for filtering
- Enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
- With one-to-one NAT, each active connection requires a unique external address for the duration of the communication
- Port address translation (PAT)
  • Derivative of NAT
  • Supports thousands of simultaneous connections on a single public IP address by rewriting the source port as well as the source address

Basic Packet Filtering
- The firewall examines each packet that enters it and lets through only those packets that match a predefined set of rules
- Can be configured to screen on many header fields:
  • Protocol type
  • Source/destination IP address
  • TCP/UDP port
  • Source routing information
- Routers can also do this

Stateful Packet Inspection (SPI)
- Stateful packet filters record specific information about network connections, including which ports are being used on the client and the server
- Enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated
- Connections initiated from the inside can be allowed, and only their reply traffic is let back in

Access Control Lists (ACL)
- Packet filtering is made possible by the use of ACLs
- ACLs are lists of rules, built according to organizational policy, that define who can access which portions of the network.
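The following is an added example, not code from the ATHENA slides: a toy packet filter that evaluates Cisco-style ACL statements the way the ACL slides describe (statements tried in order, first match decides, implicit deny at the end) and layers stateful inspection on top, so that reply traffic is admitted only for connections that were initiated from the inside. The inside network, the two ACL lines and the packets are constructed for illustration; the parser supports only `any`, `host`, address/wildcard pairs and `eq PORT`.

```python
"""Added example (not from the Security+ slides): Cisco-style ACL evaluation
(first match, implicit deny) plus a stateful inspection layer. The ACL,
inside network and packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def _addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. A Cisco wildcard
    mask is the bitwise inverse of a netmask; only contiguous masks work here."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines, in order.
    Source-port matching and other keywords are not supported in this toy."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        _, _num, action, proto, *rest = t
        src, dst = _addr(rest), _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


class StatefulFirewall:
    """The ACL is applied to packets arriving from outside. Packets leaving the
    inside network are allowed and recorded, so their replies are matched by
    the state table instead of needing an ACL entry of their own."""

    def __init__(self, acl: list, inside: str):
        self.acl = acl
        self.inside = ipaddress.ip_network(inside)
        self.state = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, p: Packet) -> str:
        if ipaddress.ip_address(p.src) in self.inside:
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "permit (outbound, state recorded)"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "permit (reply to inside-initiated connection)"
        for i, rule in enumerate(self.acl, 1):   # first match wins
            if rule.matches(p):
                return f"{rule.action} (ACL line {i})"
        return "deny (implicit deny at end of ACL)"


# Constructed ACL: allow web traffic to one host, deny everything else to it.
DEMO_ACL = """
access-list 101 permit tcp any 111.222.111.222 0.0.0.0 eq 80
access-list 101 deny ip any 111.222.111.222 0.0.0.0
"""


def demo() -> list:
    """Run constructed packets through the filter and return the decisions."""
    fw = StatefulFirewall(parse_acl(DEMO_ACL), inside="111.222.111.0/24")
    packets = [
        Packet("tcp", "203.0.113.5", 40000, "111.222.111.222", 80),   # web request
        Packet("tcp", "203.0.113.5", 40001, "111.222.111.222", 22),   # SSH to web server
        Packet("tcp", "203.0.113.5", 40002, "111.222.111.10", 80),    # host not in ACL
        Packet("udp", "111.222.111.10", 51000, "198.51.100.53", 53),  # inside DNS query
        Packet("udp", "198.51.100.53", 53, "111.222.111.10", 51000),  # DNS reply
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last two packets show what stateful inspection buys: a stateless filter running only this ACL would drop the DNS reply under the implicit deny, because no statement permits UDP from the outside to an inside workstation. Outbound traffic is allowed unconditionally here purely to keep the example short; a real policy would apply an egress ACL to it as well.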
Access Control Lists (ACL), continued
- Example in Cisco IOS syntax: permit web traffic from anywhere to one host, then deny all other IP traffic to that host:
  access-list 101 permit tcp any 111.222.111.222 0.0.0.0 eq 80
  access-list 101 deny ip any 111.222.111.222 0.0.0.0
- ACLs are made up of a number of statements
- A packet is evaluated against each statement in order until it matches one; the first match decides
- There is an implicit deny at the end of the list (if there is no match by then, the packet is thrown away)

Routers
- Network management device that sits between network segments and routes traffic from one network to another
- Allows networks to communicate with one another
- Allows the Internet to function
- Acts as a digital traffic cop (with the addition of packet filtering)

How a Router Moves Information
- Examines the electronic envelope (the IP header) surrounding a packet and compares the destination IP address to the networks listed in the router's lookup (routing) table
- Determines which router to send the packet to next, based on changing network conditions

Beyond the Firewall
- Demilitarized zone (DMZ): contains servers that are publicly accessible but still need as much protection as possible
- Bastion hosts (potentially): a server that resides in the DMZ and hosts Web, mail, DNS, and/or FTP services

Demilitarized Zone
- Area set aside for servers that are publicly accessible or have lower security requirements
- Sits between the Internet and the internal network's line of defense
  • A stateful device fully protects the other internal systems
  • A packet filter allows external traffic only to the services provided by the DMZ servers
- Allows a company to host its own Internet services without opening its private network to unauthorized access

Bastion Hosts
- Computers that reside in a DMZ and host Web, mail, DNS, and/or FTP services
- Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled
- Do not share authentication services with trusted hosts inside the network, so that a compromised bastion host yields no internal credentials

Application Gateways
- Also known as proxy servers (for inbound traffic, actually reverse proxies)
- Monitor specific applications (FTP, HTTP, Telnet)
- Traffic destined for the web server goes to the web proxy instead
- The web proxy forwards the request to the web server and relays the reply back to the requesting browser
- Exploits meant for the web server are detected and filtered by the proxy
- The proxy itself is not running the web service, so exploits against that service do not apply to it (the proxy software still has to be patched like anything else)
- Good backup to packet filtering
- Security advantages
  • Information hiding
  • Robust authentication and logging
  • Simpler filtering rules
  • Protects the actual server from exploits
- Disadvantage
  • Two steps are required to connect inbound or outbound traffic, which can increase processor overhead

OSI Reference Model
- Architecture that classifies most network functions
- Seven layers
  • Application
  • Presentation
  • Session
  • Transport
  • Network
  • Data-Link
  • Physical

The OSI Stack
- Layers 4 and 5: where TCP and UDP ports (layer 4) and the communication sessions they carry (layer 5) operate
- Layer 3: routes IP packets
- Layer 2: delivers data frames across LANs

Limitations of Packet-Filtering Routers
- Administrators must have detailed knowledge of the required network traffic
- ACLs can become long, complicated, and difficult to manage and comprehend
- Throughput decreases as the number of rules being processed increases
- Unable to inspect the content or data of packets beyond the layer 3 and layer 4 headers
- Packet filtering is typically all or none
- No concept of state, that is, of which connections were initiated on the inside

Switches
- Provide the same function as bridges (dividing collision domains), but employ application-specific integrated circuits (ASICs) optimized for the task
- Reduce each collision domain to two nodes (switch and host)
- Broadcasts are still forwarded to all ports
- Main benefit over hubs
  • Separation of collision domains limits the possibility of sniffing
Switch Security
- ACLs
- Virtual Local Area Networks (VLANs)
- Separation of collision domains limits sniffing (but remember dsniff: ARP-spoofing tools can still redirect traffic on a switched LAN)

Virtual Local Area Network
- Logical grouping of switch ports or hosts into a "virtual" LAN, independent of their physical location
- Broadcast domain within a switched network; limits broadcasts to the members of the VLAN
- Clusters users in smaller groups
  • Increases security against attackers
  • Reduces the possibility of a broadcast storm

Security Problems with Switches
- Switch hijacking: an unauthorized person obtains administrative access to a switch
- Common ways of switch hijacking
  • Trying default passwords that may never have been changed
  • Sniffing the network to capture the administrator password, which SNMP (community strings) and Telnet send in the clear

Securing a Switch
- Isolate all management interfaces
- Manage the switch over a physical connection to its serial port, or through secure shell (SSH) or another encrypted method
- Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN hopping
- Put the switch behind a dedicated firewall device
- Maintain the switch: install the latest version of the software and the security patches
- Read the product documentation
- Set strong passwords

Example of a Compromised VLAN [figure]

Wireless
- Almost anyone can eavesdrop on wireless network communication
- Encryption is the only secure method of communicating over wireless technology; Wired Equivalent Privacy (WEP) is not good enough

Modems: DSL versus Cable Modem Security
- DSL
  • Direct connection between the computer/network and the Internet
- Cable modem
  • Connected to a shared segment (a "party line")
  • Most have basic firewall capabilities to prevent files from being viewed or downloaded by others on the segment
  • Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering

Dynamic versus Static IP Addressing
- Static IP addresses
  • Provide a fixed target for potential attackers
- Dynamic IP addresses
  • Assigned by the Dynamic Host Configuration Protocol (DHCP)
  • By changing the IP addresses of client machines, the DHCP server makes them moving targets; this is only a minor hindrance, since scanners sweep whole address ranges
  • Since the computer is usually on, you tend to get the same IP address anyway
- Other DSL/cable issues
  • Always on
  • High bandwidth
  • Users not thinking about security
  • Favorite target of attackers

Remote Access Service (RAS)
- Provides a mechanism for one computer to securely dial in to another computer
- Treats the dialed-in computer as an extension of the network
- RAS usually includes encryption and logging
- Should be placed in the DMZ, but this requires you to open a hole in your firewall
- Security problem: the RAS server sits behind the physical firewall, so a compromised dial-in session can compromise the network
- Most RAS systems offer encryption and callback as features to enhance security

Telecom/Private Branch Exchange (PBX)
- PBX: private phone system that offers features such as voicemail, call forwarding, and conference calling
- Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and increased legal liability
- IP-Based PBX [figure]
- Security concerns
  • Remote PBX management (the vendor can dial in to the PBX)
  • Hoteling or job sharing: you plug in a phone and enter a code; many "move" codes are standardized and posted on the Internet

Virtual Private Networks
- Provide a secure communication pathway or tunnel through public networks (e.g. the Internet)
- Encrypt either the underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery
- Security can be further enhanced by implementing Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
- Allows encryption of either just the payload of a packet (transport mode) or the packet as a whole (tunnel mode)
- Enables a VPN to defeat packet sniffing and identity spoofing
- Originally a mandatory part of the Internet Protocol version 6 (IPv6) specification; many IPv4 devices also support IPSec

Intrusion Detection Systems (IDS)
- Monitor networks and report on unauthorized attempts to access any part of the system
- Available from many vendors
- Forms
  • Host IDS
  • Network IDS
- Types of detection
  • Anomaly-based detection
  • Signature-based detection

Host-based IDS
- Software applications ("agents") are installed on each protected computer
  • Use disk space, RAM, and CPU time to analyze the OS, applications, and system audit trails
  • Compare these to a list of specific rules
  • Report discrepancies
- Can be self-contained or remotely managed
- Easy to upgrade the software, but they do not scale well (cost of each installation, management costs)

Network-based IDS
- Monitors activity on a specific network segment (watches the packets as they go by)
- (Usually) dedicated platforms with two components
  • Sensor (passively analyzes network traffic)
  • Management system (displays alarm information from the sensor)
- The sensor analyzes each packet's header to determine source and destination and other header information, and also the contents of the packet
- Most attacks have a "signature"; rules can be written to look for specific attacks

Anomaly-based Detection
- Builds statistical profiles of user activity and then reacts to any activity that falls outside these profiles
- Often leads to a large number of false positives
  • Users do not access computers and the network in static, predictable ways
  • The cost of building a sensor with enough memory to hold the entire profile, and the time needed to process the profiles, is prohibitively large

Signature-based Detection
- Similar to an antivirus program in its method of detecting potential attacks
- Vendors (or you) produce a list of signatures that the IDS compares against activity on the network or host
- When a match is found, the IDS takes some action: logging the event, or "shunning", where the IDS changes the firewall rules to block certain traffic
- Can produce false positives; normal network activity may be construed as malicious

Network Monitoring and Diagnostics
- Essential steps in ensuring the safety and health of a network (along with IDS)
- Can be either stand-alone or part of a network-monitoring platform
  • HP's OpenView
  • IBM's NetView/AIX
  • Fidelia's NetVigil
  • Aprisma's Spectrum

Ensuring Workstation and Server Security
- Remove unnecessary protocols such as NetBIOS or IPX
- Remove unnecessary user accounts
- Remove unnecessary file/folder shares
- Rename the administrator account
- Use strong passwords
- Remove unnecessary services
- Use anti-virus software and keep the signature file up to date
- Apply patches as soon as they are available
- Use a personal firewall
- Educate your users

Personal Firewall Software Packages
- Offer application-level blocking and packet filtering, and can put your computer into "stealth mode" by closing most if not all ports
- Many products available, including:
  • Norton Firewall
  • ZoneAlarm
  • BlackICE Defender
  • Tiny Software's Personal Firewall
- Firewall Product Example [figure]

Antivirus Software Packages
- Necessary even on a secure network (viruses come in attached to email; worms come in through ports you can't block)
- Many vendors, including:
  • McAfee
  • Norton
  • Computer Associates
  • Network Associates

Mobile Devices
- Can open security holes for any computer with which these devices communicate

Summary
- Virtual isolation of a computer or network by implementing a firewall through software and hardware techniques:
  • Routers
  • Switches
  • Modems
  • Various software packages designed to run on servers, workstations, and PDAs
- Virtual private networks (VPNs)
- Private branch exchanges (PBX)
- Remote Access Services (RAS)
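To make the IDS slides concrete, here is an added example (not code from the slides or from any vendor's product) of a minimal network IDS sensor: it runs signature rules over the payload of each flow, the way the signature-based slide describes, and runs a statistical anomaly check over the same window of traffic, the way the anomaly-based slide describes, raising an alert when a source talks to far more distinct ports than the baseline profile. A signature marked "shun" also emits an iptables DROP rule, illustrating the shunning action. The signatures, the baseline profile, the 3-sigma threshold and the flow records are all constructed for this example.

```python
"""Added example (not from the Security+ slides): a toy network IDS sensor with
signature-based and anomaly-based detection and a 'shun' action that produces
firewall rules. Signatures, profile, threshold and flows are constructed."""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature rules: (name, destination port, regex over the payload, action).
# These are illustrative patterns, not a vendor signature set.
SIGNATURES = [
    ("web-traversal", 80, re.compile(rb"\.\./|%2e%2e", re.I), "shun"),
    ("sql-injection", 80, re.compile(rb"union\s+select|' *or *'1'='1", re.I), "log"),
    ("smtp-relay-probe", 25, re.compile(rb"^RCPT TO:.*@(?!example\.com)", re.I), "log"),
]


class Sensor:
    def __init__(self, k: float = 3.0):
        self.k = k                  # anomaly threshold in standard deviations (assumed)
        self.alerts = []            # (signature name, source, action)
        self.shun_rules = []        # firewall rules the sensor would push

    def signature_check(self, f: Flow) -> None:
        for name, port, pattern, action in SIGNATURES:
            if port == f.dport and pattern.search(f.payload):
                self.alerts.append((name, f.src, action))
                if action == "shun":
                    self.shun(f.src)

    def shun(self, src: str) -> None:
        """Shunning: change the firewall rules to block the offending source."""
        rule = f"iptables -I FORWARD -s {src} -j DROP"
        if rule not in self.shun_rules:
            self.shun_rules.append(rule)

    def anomaly_check(self, baseline: dict, window: list) -> None:
        """Flag sources whose count of distinct destination ports in this window
        is more than k standard deviations above the baseline profile."""
        mu = statistics.mean(baseline.values())
        sigma = statistics.pstdev(baseline.values()) or 1.0
        ports = defaultdict(set)
        for f in window:
            ports[f.src].add(f.dport)
        for src, seen in ports.items():
            if len(seen) > mu + self.k * sigma:
                self.alerts.append(("port-scan-anomaly", src, "log"))


# Constructed baseline: distinct destination ports per source in a normal window.
BASELINE = {"10.0.0.1": 2, "10.0.0.2": 3, "10.0.0.3": 2, "10.0.0.4": 2}

# Constructed traffic window as seen by the sensor.
FLOWS = [
    Flow("203.0.113.5", "111.222.111.222", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Flow("203.0.113.9", "111.222.111.222", 80, b"GET /login?u=admin' OR '1'='1 HTTP/1.0\r\n\r\n"),
    Flow("198.51.100.7", "111.222.111.25", 25, b"RCPT TO:<victim@other.org>\r\n"),
    Flow("198.51.100.8", "111.222.111.222", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
] + [Flow("192.0.2.44", "111.222.111.10", p, b"") for p in (21, 22, 23, 25, 80, 443)]


def demo() -> tuple:
    """Feed the window through both detection types; return (alerts, shun rules)."""
    sensor = Sensor()
    for f in FLOWS:
        sensor.signature_check(f)
    sensor.anomaly_check(BASELINE, FLOWS)
    return sensor.alerts, sensor.shun_rules


if __name__ == "__main__":
    alerts, rules = demo()
    for a in alerts:
        print("ALERT", a)
    for r in rules:
        print("SHUN ", r)
```

The port-scanning host trips only the anomaly detector (its packets are empty, so no signature matches), while the traversal attempt trips only a signature; a sensor needs both. The benign request from 198.51.100.8 produces nothing. With a baseline this small the threshold is fragile, which is the false-positive problem the anomaly slide warns about: a user who legitimately opens a few new services in one window can land above it.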