Securing Your Microsoft
Windows SOHO Network
Harold Toomey, Product Manager
Symantec Corporation
[email protected]
8 January 2002
1
Agenda




2
The Threat
• Hackers
• Attacks
Security Best Practices
• The 80-20 Rule
• Patches
• Password strength
The Tools
• Norton Internet Security 2002
• Enterprise-Class tools
Typical SOHO Network
• Network layout
• Vulnerable segments
• Security tips
Symantec Confidential
The Threat
 Whether your Internet connection is always on or you
only dial in occasionally, your computer is vulnerable
every minute it's online
 Hackers have the tools and knowledge to compromise
your system
 Security experts are calling 2001 the worst year for
computer viruses
• December is the worst month
• Experts predict 2002 will be even worse
• Predict “viruses and their cousins, the self-propagating
worms, will find new and even more nasty ways to
attack computer systems, possibly even hitting mobile
devices, pocket PCs and smart phones in the coming
year.”
(Source: Reuters 12-26-2001 & USA Today 12-27-2001)
3
Symantec Confidential
r
Why Hackers Attack
 Professionals
• Military tool / Cyber warfare
• Industrial espionage
• Hacktivism
 Hackers
• Money $$ (credit cards, extortion)
• Power (DDoS zombies)
• Fame (want a “name”)
• Fun (adventure game)
• Socialize (hacker clubs)
• Revenge (www.grc.com)
• Cheap (can’t afford own hard drive space)
• Because they can
4
Symantec Confidential
r
Why Hackers Attack
 Script Kiddies
• Only use tools others have created
• Usually just kids (10-17)
 White Hat Hackers
• Good intent
• Test for security vulnerabilities before attackers
can abuse them
 Black Hat Hackers
• Evil intent
5
Symantec Confidential
r
Personal Firewall Attack Statistics
6
Symantec Confidential
SubSeven Trojan Attack
7
Symantec Confidential
Trojan Horses and Backdoors
 Trojan Horses
• Replace known programs
• A login Trojan works like normal login, but captures user
passwords or gives privileged access on demand
• Will have the same behavior as the programs they are
replacing and are difficult to find
• Usually contain backdoors
• Mask the existence of backdoors
 Backdoors
• May replace known programs
• Backdoors give attackers direct access (often root level)
to the system, foregoing normal authentication
• May replace login command to allow quick root level
access
• May listen on certain ports for further direct access
8
Symantec Confidential
k
SubSeven Trojan
 What it does
• Allows remote control of Windows:
– File
– Monitoring
– Network
 Protection from it
• Keep your systems updated
• Eliminate all unneeded programs
• Periodically scan network for common backdoor
services
• Check critical files for tampering (MD5 signature)
• Use intrusion detection (IDS)
9
Symantec Confidential
SubSeven Trojan
NT Server
Workstation
Attacker
Router
Hub
Internet
Controls system from
remote location
Laptop
Linux Server
10
Symantec Confidential
SubSeven Trojan - GUI
Connect to remote
system
11
Symantec Confidential
SubSeven Trojan - GUI
we have captured a very
> New Message <
confidential email
[email protected]
message!
Company layoffs <
Select Key logger
John,
to capture what is
With the recent end of quarter our worst fears have been realized. We will fall short of our
expected earnings.
typed on the
We must immediately move to control our spending. This is the time to trim the fat from our
keyboard of the
organization. I propose that we incorporate the following measures:
remote system
1.
Implement a 20% reduction in work force, I hate layoffs as much as anyone, but this is
>Logon – mailserver.xyz-company.com <lordoftherings>
2.
necessary.
Eliminate all unnecessary travel.
I know that these measures will be unpopular, but they must be made to stabilize things.
Please draw up plans to implement these measures and have them ready by Friday. As you
already know, this Information is very sensitive and must remain confidential.
David Smith
CEO XYZ Company
12
Symantec Confidential
SubSeven Protection – Norton
Internet Security
13
Symantec Confidential
SubSeven Protection – AntiVirus
14
Symantec Confidential
SubSeven Detection - NetRecon
15
Symantec Confidential
Backdoor - Back Orifice 2000


From “cult of the dead cow”
Allows remote control of Windows:
• File system
• Passwords
• Network
• Registry
• Processes
• System
•
Extensive multi-media controls
• Capture images from server screen
• Record confidential conversations
NT registry passwords and Win9x screen saver password
dumping
Most virus detection software will identify the binary version
Completely open-source (anyone can change it)



16
Symantec Confidential
Back Orifice 2000
NT Server
Workstation
Attacker
Router
Hub
Internet
Controls system
from remote location
17
Symantec Confidential
Laptop
W2K
Server
Capture audio or video from
the victims system if a
microphone or camera is
attached.
You could record confidential
meetings held behind closed
doors.
18
Symantec Confidential
19
Symantec Confidential
20
Symantec Confidential
The system power turns off!
21
Symantec Confidential
22
Symantec Confidential
Spyware and Adware

Adware
• Pop up ads
• AdBots are legal!

Spyware
• “Spyware is ANY SOFTWARE which employs a user's Internet
connection in the background without their knowledge or explicit
permission.” – Steve Gibson
• Symptoms
– Can slow down a PC significantly
– Hide in executables
– Have a “hibernate” setting in registry!
• Example: Time Sink, Inc.’s TSAdBot.exe (evil!)
– Provide a removal tool on web
• www.gohip.com/remove_browser_enhancement.html
• More info: http://grc.com/optout.htm
23
Symantec Confidential
Viruses & Worms
 A few viruses that received media attention
• Naked Wife
• Anna Kournikova
• ILOVEYOU
• Melissa
 A few worms that received media attention
• CodeRed II
• Nimda
• SirCam
 http://securityresponse.symantec.com/
24
Symantec Confidential
Average Reported Losses
2001 CSI/FBI Computer
Crime and Security Survey
$4.42 M
$4.45 M
$454K
$322K
$275K
Theft of
Proprietary
Information
25
Symantec Confidential
Sabotage
Unauthorized and Denial
Insider
of Services
Financial
Access
Fraud
Outside
System
Penetration
Mar 12, 2001
Web Site Defacements
14000
12000
12600
10000
8000
6000
5823
4000
3746
2000
5
0
20
40
245
1995 1996 1997 1998 1999 2000 2001
est.
Source: attrition.org
26
Symantec Confidential
Security Best Practices
 No need to start from scratch
• Rather than analyzing every risk, look at what
others are doing
• Meet standards of due care
• Use existing standards and industry “best
practices”
• Pay attention to regulations and requirements
– Government
– Industry
– Partners
27
Symantec Confidential
Security Best Practices
 Best Practices that Block Most Attacks
• Employ a layer 7, full inspection firewall
• Use automatically updated anti-virus at
gateway, server, and client
• Ensure security patches are up to date
• Ensure passwords are strong
• Turn off unnecessary network services
28
Symantec Confidential
Security Best Practices
 The 80-20 rule of security
1) Security patches
2) Password strength
3) Unnecessary services
 The 80-20 rule means do 20% of the work
to gain 80% of the results
29
Symantec Confidential
Security Patches
 Norton AntiVirus LiveUpdate
• Schedule to check for updates regularly
• Updates virus signatures
• Updates content to entire Norton Internet Security
2002 suite
 Virus Scans
• Scan for viruses 3x weekly
 Enable Personal Firewall
• Be sure it is “Enabled”
30
Symantec Confidential
k
LiveUpdate
31
Symantec Confidential
LiveUpdate
32
Symantec Confidential
LiveUpdate
33
Symantec Confidential
Virus Scans
34
Symantec Confidential
Security Patches
 MS Windows Update
• Download critical updates at a minimum
• %SystemRoot%\system32\wupdmgr.exe
• http://windowsupdate.microsoft.com/  Product
Updates
 MS Office Product Updates
• http://windowsupdate.microsoft.com/  Microsoft
Office Product Updates
 Other software products
35
Symantec Confidential
k
Windows Update
36
Symantec Confidential
k
Windows Update
37
Symantec Confidential
k
Windows Update
38
Symantec Confidential
k
Password Strength
 Password stealing
• CGI script exploits, password cracking, social
engineering, shoulder surfing, …
• Network sniffing
– Reading the password directly from network traffic
 Password guessing
• Predictable passwords
– blank, “guest”, user name, family name, birthdays,
license plates, pets, etc.
• Dictionary attack
– “earth1” is an example of a password that is
susceptible to dictionary attack
• Brute force
39
Symantec Confidential
k
Password Strength
 Password cracking tools
• Use available tools to regularly check for bad
passwords
• Commercial tools
– Symantec Enterprise Security Manager
– Symantec NetRecon
• Hacker tools
– LØphtCrack (www.atstake.com/research/lc3/)
– John the Ripper (www.openwall.com/john/)
– Caution: Use of such tools may be grounds for
dismissal and/or legal action
40
Symantec Confidential
r
Password Strength
 Don’t send passwords over the network in clear
text
 Consider two-factor authentication
• A password + something else
– For example, encryption key pair, smart card, …
 Enforce strict password policies
• E.g. minimum 8 characters
 Keep your systems and applications patched and
updated
41
Symantec Confidential
r
Password Strength
 Do’s
• Use mixed-case letters
– Use uppercase letters throughout the password
• Use alphanumeric characters and include punctuation
• Use mixed-case letters
– Do not just capitalize the first letter, but add
uppercase letters throughout the password
• Use at least six characters, eight characters for
Windows NT
– Password rules apply to the first N characters of the
password
• Use a seemingly random selection of letters and
numbers
• Change passwords regularly
42
Symantec Confidential
r
Password Strength
 Do’s
• Use password expiration settings
– No old (recycled) passwords
– Can't use passwords less than N days old
– Old and new passwords must differ by at least N
characters
• Watch for
– Maximum number of character pairs
• E.g. “HiiiiiiMom”
– Minimum inside digits
• E.g. “Hi123456Mom”
• Test your passwords
– http://www.securitystats.com/tools/password.asp
43
Symantec Confidential
r
Password Strength
 Do Not’s
• Use a network login ID in any form (reversed,
capitalized, or doubled as a password)
• Use your first, middle or last name or anyone
else’s in any form
– Do not use your initials or any nicknames you
may have or anyone else’s
• Use a word contained in English or foreign
dictionaries, spelling lists, or other word lists and
abbreviations
• Use a password that can be typed quickly, without
having to look at the keyboard ("shoulder surfing")
44
Symantec Confidential
r
Password Strength
 Do Not’s
• Use other information easily obtained about you
– This includes pet names, license plate numbers,
telephone numbers, identification numbers, the brand
of your automobile, the name of the street you live
on, and so on
• Use a password of all numbers, or a password
composed of alphabet characters
– Mix numbers and letters
• Use dates e.g., September, SEPT1999 or any
combination thereof
• Use keyboard sequences, e.g., qwerty.
• Use a sample password, no matter how good, that
you’ve gotten from a book that discusses information
and computer security
45
Symantec Confidential
r
Password Strength
 Do Not’s
• Use any of the above things spelled backwards, or
in caps, or otherwise disguised
• Write a password on sticky notes, desk blotters,
calendars, or store it online where it can be
accessed by others.
• Use shared accounts
– Accountability for group access is extremely
difficult
• Reveal a password to anyone
46
Symantec Confidential
r
Unnecessary Services
 Turn off non-essential services
• Every service is a potential hole into your network
• Allow connections only from trusted systems
• Do not share unnecessary resources
 Turn off File Sharing
• At least password protect if used
 Example: Disable web server services if not used
• Ports 80 & 8080
47
Symantec Confidential
r
Unnecessary Services
Hacker Exploitation of File Sharing
1) Find open file shares
- Use Legion v2.1 from www.rhino9.com
2) Crack passwords
- Copy SAM files from Windows systems
- Use LØphtcrack.exe to crack passwords
- www.lØpht.com
- Can also obtain backup of SAM files. Must rename first.
NOTE: To get SAM files,
- Run rdisk.exe to create an emergency repair disk
- Look in \WinNT\system32 for SAM files
48
Symantec Confidential
Unnecessary Services
Hacker Exploitation of File Sharing
3) Login
4) Install BØ2K
- Run BØpeep
- Can wrap Elf Bowling game with BØ2K using Suranwrapper
- BØ2K executable is only 110KB
5) Use a packet sniffer
- Snort (www.whitehat.com for signatures)
- eEye Iris 2.0 Traffic Analyzer (www.eeye.com)
6) Keep Under FBI Limit
- FBI Cyber Crime Unit
- CIA Cyber Crime Unit
- Won't prosecute unless > $10,000 or child porn
Source: 23.org, 5-17-2000
49
Symantec Confidential
The Tools
50
Symantec Confidential
Virus and Hostile Applet
Protection
 Use anti-viral and content scanning software
• Desktops
• Servers
• Firewall
 Apply latest patches
• E-mail (IE – MS Outlook)
• Browser
• Operating System (XP)
 Don’t double-click blindly on attachments
• Beware of .EXE, .VBS, and .SCR
 Use higher levels of browser security
51
Symantec Confidential
Firewalls
 Protect your perimeter with a firewall
• Monitor both in-coming and out-going traffic
• Use a highly configurable, proxy-based firewall
• Make sure it is ICSA and Checkmark certified
 Personal Firewalls
• Norton Personal Firewall 2002
 Enterprise-Class Firewalls
• Symantec Firewall Appliance
• Raptor Firewall
52
Symantec Confidential
r
Symantec Tools
 Norton Internet Security 2002
• Personal Firewall
• Privacy Control
• Intrusion Protection
• Anti-Virus
• Ad Blocking
• Parental Control
• Configure Internet Access
for each user
v2002 Shipped
30 Aug 2001
53
Symantec Confidential
Personal Firewall
 Defend your PC against hackers
• Norton™ Personal Firewall starts protecting
your PC by "hiding" it from hackers.
• Exclusive Symantec technology automatically
configures firewall rules for the most common
Internet applications.
• Monitors both inbound and outbound traffic.
• The Internet Access Control feature prevents
the applications on your PC from secretly
making connections to Internet sites and
sending information to them.
54
Symantec Confidential
Privacy Control
 Keep your personal information private
• Will alert you if you accidentally try sending
credit-card numbers over an unsecure web
connection.
• Protect your bank-account information, creditcard numbers, and other confidential data
online.
• Prevent web sites from retrieving your email
address without your knowledge, and to
control which sites are allowed to track your
online activities with "cookies.“
• Lets you block Java™ applets, ActiveX®
controls, and cookies on a site-by-site basis.
55
Symantec Confidential
Intrusion Protection
 Norton Internet Security 2002
• Intrusion Protection with AutoBlock automatically
stops systems from trying to probe your PC's ports.
• It safeguards your PC and your personal
information by blocking unauthorized connections
and alerting you to attempted intrusions.
56
Symantec Confidential
Anti-Virus
 Stop viruses and other malicious code
automatically
• Norton AntiVirus™ provides maximum protection
against viruses-including those included in email
messages.
• The world's leading anti-virus software works in the
background to defend your computer 24 hours a
day.
• New and exclusive Script Blocking technology
proactively protects against known and unknown
threats, such as the renowned "I Love You" and
"Anna Kournikova" viruses - without the need for
virus definitions.
57
Symantec Confidential
Ad Blocking
 Block unwanted ads
• Banner ads and pop-up windows can clutter your
screen and lengthen web page download times.
• They can also expose children to inappropriate
advertising.
• Norton Internet Security 2002 lets you filter them
out for a faster, more enjoyable web experience.
58
Symantec Confidential
Parental Control
 Keep your children safe on the Internet
• Norton Parental Control software blocks access to
objectionable sites based on a comprehensive,
customizable list.
• Make sure that your children have a safe,
enjoyable experience every time they log on to the
Internet.
• It also lets you set up different Internet access
privileges for each person in your household, so
you can quickly and easily provide full access for
adults and age-appropriate access for each child.
• Tools are only 80% to 90% effective. “Teach them
correct principles …”
59
Symantec Confidential
Updates with LiveUpdate
 Get regular protection updates
• Symantec's Internet security experts update
Norton Internet Security 2002 continuously to deal
with new viruses and other Internet threats.
• Norton AntiVirus even keeps itself updated, using
Symantec's exclusive LiveUpdate™ technology to
check for new virus definitions when you're online
and download them automatically.
• As a registered user, you'll get free anti-virus and
firewall updates for one year. After that, you can
subscribe to future updates $3.95 annual fee.
 More info:
• http://securityresponse.symantec.com
60
Symantec Confidential
Norton Internet Security 2002
System Requirements
Windows XP Home Edition/Professional
- Intel Pentium II 300MHz or higher processor
- 128 MB of RAM
Windows NT/2000 Professional
- Windows NT 4.0 Workstation with service pack 6a or higher
- Intel Pentium 150MHz or higher processor
- 64 MB of RAM
Windows Me/98
- Intel Pentium 150MHz or higher processor
- 32 MB of RAM (48 MB recommended)
REQUIRED FOR ALL INSTALLATIONS
- 60 MB of available hard disk space (without Parental Control
feature installed)
- 90 MB of available hard disk space (for complete installation)
- CD-ROM or DVD-ROM drive
- Microsoft ® Internet Explorer 4.01with MSIE Service Pack 1 or
later
- Microsoft Windows Internet support
61
Symantec Confidential
Norton Internet Security 2002
System Requirements
Email scanning supported for any standard POP3
compatible email client, including
- Microsoft Outlook Express 4.0/5.x
- Microsoft Outlook XP/2000/98/97
- Netscape Messenger 4.X
- Netscape Mail 6.0
- Eudora Light 3.0, Eudora Pro 4.0, Eudora 5.0
Supported instant messaging clients for Confidential
Information filtering
- MSN Messenger 3.6
- AOL Instant Messenger 4.3
- Windows Messenger 4
62
Symantec Confidential
Symantec Firewall/VPN Small
Office Appliance







Firewall
VPN
IP Sharing/DHCP Server
10/100 Auto-sense switch
Automatic dial-up backup*
Load balancing built-in (model 200)
Remote management
*with external analog modem
63
Symantec Confidential
Network Vulnerability
Scanners



64
Symantec NetRecon
1. Discovers systems
2. Discovers services
3. Finds vulnerabilities than can be exploited
4. Cracks passwords
5. Logs in
6. Reports
ISS Internet Scanner
• Strong market share
• Will execute denial-of-service (DoS) attacks
Nessus Scanner
• Is free
Symantec Confidential
r
Intrusion Detection
 Stop scans at the perimeter
• Use a highly configurable firewall (proxy-based is
best)
• Only allow necessary ports to be accessible from
the outside
• Use a DMZ for other services
 Use both Host-based and Network-based intrusion
detection
• Security administrator can be alerted when an
attack is in progress
• Symantec Intruder Alert (host-based)
• NetProwler (network-based)
65
Symantec Confidential
r
Other Symantec Products



66
AntiVirus
• Norton AntiVirus
• NAV for Palm Pilots
• NAV for Gateways
Firewall
• Symantec Enterprise
Firewall (Raptor)
• Symantec Firewall
Appliance
• Norton Personal Firewall
Security Assessment
• Enterprise Security
Manager
• Symantec NetRecon
• ESM for Databases, Web
Servers and Firewalls
Symantec Confidential





Intrusion Detection
• Intruder Alert
• ProwlerIDS
Content Filtering
 I-Gear
 Mail Gear
Privacy
 Norton Internet Security
Administration / Utilities
 pcAnywhere
 Norton Ghost
 Norton Utilities
 Norton CleanSweep
VPN
 RaptorMobile
Typical SOHO Network
Modems
1.5 Mbps
Internet
Windows 98
& 2000 PCs
56 Kbps
11 Mbps
Windows
2000 Laptop
100 Mbps
Cisco
Aironet
Workgroup
Bridge
(802.11b)
67
Symantec Confidential
Symantec
Firewall
Appliance
8-Port
LinkSys Hub
iPAQ
SOHO Network – Wireless Link
1.5 Mbps
Internet
11 Mbps
128-bit
WEP
(802.11b)
100 Mbps
Cisco Aironet
Workgroup
Bridge (802.11b)
68
Symantec Confidential
Symantec
Firewall
Appliance
SOHO Network – Firewall & NAT
VPN &
NAT
100 Mbps
Cisco Aironet
Workgroup
Bridge (802.11b)
69
Symantec Confidential
100 Mbps
Symantec
Firewall
Appliance
Model 200R
8-Port
LinkSys Hub
SOHO Network – PC Security
- Personal
Firewall
- NAV CE
Windows 2000
(PC2)
Windows 98
(PC1)
Windows 2000
(PC3)
100 Mbps
8-Port
LinkSys Hub
iPAQ
Windows 98
(PC4)
Windows 98
(PC5)
Visitor’s PC
(PC6)
PC-cillin
70
Symantec Confidential
Norton
Internet
Security
2002
- Personal
Firewall
- NAV
SOHO Network - Modems
Internet
Modem
56 Kbps
100 Mbps
Modem
Windows 2000
(PC2)
Modem

Modems
• Use only as a
backup
• Configure for
outgoing
connections only
Windows 2000
(PC3)
Modem
71
Symantec Confidential
Symantec Firewall
Appliance
Windows 98
(PC1)
Typical SOHO Network
Modems
1.5 Mbps
Internet
Windows 98
& 2000 PCs
56 Kbps
11 Mbps
Windows
2000 Laptop
100 Mbps
Cisco Aironet
Workgroup
Bridge
(802.11b)
72
Symantec Confidential
Symantec
Firewall
Appliance
8-Port
LinkSys Hub
iPAQ
Where to Look for More Information
 Symantec Corporation
• http://www.symantec.com
• http://securityresponse.symantec.com
 SANS Top 20 List
• http://www.sans.org
 CERT Advisories
• http://www.cert.org
 CVE (Common Vulnerabilities and Exposures)
• http://cve.mitre.org
 Security Focus (Home of BUGTRAQ)
• http://www.securityfocus.com
 Packet Storm
• http://packetstorm.securify.com
73
Symantec Confidential
Conclusion




74
Hackers will attack your SOHO network
• They have access to powerful tools and lots of information
• Looking for DDoS Zombies
• Want free hard disk space to store porn, etc.
Form a habit of following the 80-20 rule of security
• Check for OS, application and security patches weekly
• Use strong passwords
• Turn off unnecessary services
Firewalls and anti-virus software must be used
• Design security into your network
Use Symantec software!
• Largest security company in the world
• 100% focused on security
Symantec Confidential
r
75
Symantec Confidential
Download

Securing Your MS Windows SOHO Network