Securing Your Microsoft Windows SOHO Network
Harold Toomey, Product Manager, Symantec Corporation
htoomey@symantec.com
8 January 2002

Agenda
The Threat
• Hackers
• Attacks
Security Best Practices
• The 80-20 Rule
• Patches
• Password strength
The Tools
• Norton Internet Security 2002
• Enterprise-class tools
Typical SOHO Network
• Network layout
• Vulnerable segments
• Security tips
Symantec Confidential

The Threat
Whether your Internet connection is always on or you only dial in occasionally, your computer is vulnerable every minute it is online.
Hackers have the tools and knowledge to compromise your system.
Security experts are calling 2001 the worst year for computer viruses
• December was the worst month
• Experts predict 2002 will be even worse
• They predict "viruses and their cousins, the self-propagating worms, will find new and even more nasty ways to attack computer systems, possibly even hitting mobile devices, pocket PCs and smart phones in the coming year." (Source: Reuters 12-26-2001 & USA Today 12-27-2001)

Why Hackers Attack
Professionals
• Military tool / cyber warfare
• Industrial espionage
• Hacktivism
Hackers
• Money (credit cards, extortion)
• Power (DDoS zombies)
• Fame (want a "name")
• Fun (adventure game)
• Socialize (hacker clubs)
• Revenge (www.grc.com)
• Cheap (can't afford their own hard drive space)
• Because they can

Why Hackers Attack
Script Kiddies
• Only use tools others have created
• Usually just kids (10-17)
White Hat Hackers
• Good intent
• Test for security vulnerabilities before attackers can abuse them
Black Hat Hackers
• Evil intent

Personal Firewall Attack Statistics
[Chart slide; no data recoverable from the extracted text.]

SubSeven Trojan Attack
[Section title slide]

Trojan Horses and Backdoors
Trojan Horses
• Replace known programs
• A login Trojan works like the normal login, but captures user passwords or gives privileged access on demand
• Have the same behavior as the programs
they are replacing, so they are difficult to find
• Usually contain backdoors
• Mask the existence of backdoors
Backdoors
• May replace known programs
• Give attackers direct access (often root level) to the system, bypassing normal authentication
• May replace the login command to allow quick root-level access
• May listen on certain ports for further direct access

SubSeven Trojan
What it does
• Allows remote control of Windows:
– File system
– Monitoring
– Network
Protection from it
• Keep your systems updated
• Eliminate all unneeded programs
• Periodically scan the network for common backdoor services (listening ports)
• Check critical files for tampering (compare against a stored MD5 signature)
• Use intrusion detection (IDS)

SubSeven Trojan
[Network diagram: an attacker on the Internet, through the router and hub, controls a victim system (NT server, workstation, laptop, Linux server) from a remote location.]

SubSeven Trojan - GUI
[Screenshot: the attacker connects to the remote system.]

SubSeven Trojan - GUI
[Screenshot: the key logger is selected to capture what is typed on the remote system's keyboard. It records the victim's logon to mailserver.xyz-company.com, including the password "lordoftherings", and a confidential "Company layoffs" e-mail from Jcombs@xyz-company.com to John, signed by David Smith, CEO, XYZ Company: a 20% reduction in work force and elimination of unnecessary travel, with plans due by Friday.]
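The protection list on the SubSeven slide above says to check critical files for tampering against stored signatures. Below is an added example, not part of the original deck and not Symantec code, of that check in Python: it records a digest per file, keeps the baseline as JSON, and later reports each file as ok, modified or missing. The file names in the demonstration are constructed stand-ins. The default digest is SHA-256 rather than the MD5 the slide names, because MD5 collisions are now practical; MD5 still works through the algorithm argument when comparing against an older baseline.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Hex digest of a file, streamed so large binaries never sit in RAM at once.
    Default is SHA-256; pass algorithm="md5" to compare against an MD5 baseline."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths, algorithm="sha256"):
    """One digest per critical file. Keep the result where an intruder cannot
    rewrite it (read-only media, another host): a baseline stored on the
    monitored disk can be edited along with the trojaned binary."""
    return {"algorithm": algorithm,
            "files": {p: hash_file(p, algorithm) for p in paths}}


def verify_baseline(baseline):
    """Re-hash every file in the baseline; returns {path: 'ok'|'modified'|'missing'}."""
    algorithm = baseline["algorithm"]
    report = {}
    for path, expected in baseline["files"].items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif hash_file(path, algorithm) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: three stand-in 'critical files' (assumed names), one
    trojaned so that its size and timestamp are unchanged, one deleted."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = [os.path.join(workdir, name) for name in ("login.exe", "explorer.exe", "hosts")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original program bytes for " + os.path.basename(p).encode())
        saved = json.dumps(build_baseline(paths))  # what you would write to read-only storage

        # Trojan login.exe the way a login Trojan replaces the real program: overwrite
        # the first bytes in place (same file length) and put the mtime back, which
        # defeats a size/date comparison but not the digest.
        before = os.stat(paths[0])
        with open(paths[0], "r+b") as f:
            f.write(b"backdoor")
        os.utime(paths[0], (before.st_atime, before.st_mtime))
        os.remove(paths[2])  # hosts file deleted

        report = verify_baseline(json.loads(saved))
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The baseline is only as trustworthy as its storage: a Trojan that can replace login.exe can also rewrite a baseline kept on the same disk, so write it to read-only media or copy it off the host, and run the verification from known-good tools rather than from the possibly replaced ones.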
SubSeven Protection – Norton Internet Security
[Screenshot]

SubSeven Protection – AntiVirus
[Screenshot]

SubSeven Detection - NetRecon
[Screenshot]

Backdoor - Back Orifice 2000
From "cult of the dead cow"
Allows remote control of Windows:
• File system
• Passwords
• Network
• Registry
• Processes
• System
• Extensive multi-media controls
– Capture images from the server screen
– Record confidential conversations
NT registry password and Win9x screen-saver password dumping
Most virus detection software will identify the binary version
Completely open source (anyone can change and recompile it, which is why only the stock binary is reliably detected)

Back Orifice 2000
[Network diagram: an attacker on the Internet controls a victim system (NT server, workstation, laptop, W2K server) from a remote location.]

Back Orifice 2000
Capture audio or video from the victim's system if a microphone or camera is attached. You could record confidential meetings held behind closed doors.

Back Orifice 2000
[Screenshots of the BO2K client; no text recoverable.]

Back Orifice 2000
The system power turns off!

Spyware and Adware
Adware
• Pop-up ads
• AdBots are legal!
Spyware
• "Spyware is ANY SOFTWARE which employs a user's Internet connection in the background without their knowledge or explicit permission." – Steve Gibson
• Symptoms
– Can slow down a PC significantly
– Hides in executables
– Has a "hibernate" setting in the registry!
• Example: Time Sink, Inc.'s TSAdBot.exe (evil!)
– Removal tool available on the web: www.gohip.com/remove_browser_enhancement.html
• More info: http://grc.com/optout.htm

Viruses & Worms
A few viruses that received media attention
• Naked Wife
• Anna Kournikova
• ILOVEYOU
• Melissa
A few worms that received media attention
• CodeRed II
• Nimda
• SirCam
http://securityresponse.symantec.com/

Average Reported Losses
[Chart: 2001 CSI/FBI Computer Crime and Security Survey, average reported loss per incident category. Categories shown: Theft of Proprietary Information, Sabotage, Unauthorized Insider Access, Denial of Service, Financial Fraud, Outside System Penetration. Values shown: $4.42M, $4.45M, $454K, $322K, $275K (the category-to-value pairing is not recoverable from the extracted text).]

Web Site Defacements
(as of Mar 12, 2001; source: attrition.org)
Year         Defacements
1995         5
1996         20
1997         40
1998         245
1999         3,746
2000         5,823
2001 (est.)  12,600

Security Best Practices
No need to start from scratch
• Rather than analyzing every risk, look at what others are doing
• Meet standards of due care
• Use existing standards and industry "best practices"
• Pay attention to regulations and requirements
– Government
– Industry
– Partners

Security Best Practices
Best practices that block most attacks
• Employ a layer 7, full-inspection firewall
• Use automatically updated anti-virus at the gateway, server, and client
• Ensure security patches are up to date
• Ensure passwords are strong
• Turn off unnecessary network services

Security Best Practices
The 80-20 rule of security
1) Security patches
2) Password strength
3) Unnecessary services
The 80-20 rule means doing 20% of the work gains 80% of the results

Security Patches
Norton AntiVirus LiveUpdate
• Schedule it to check for updates regularly
• Updates virus signatures
• Updates content for the entire Norton Internet Security 2002 suite
Virus scans
• Scan for viruses 3x weekly
Enable the Personal Firewall
• Be sure it is "Enabled"

LiveUpdate
[Screenshot]
LiveUpdate
[Screenshot]

LiveUpdate
[Screenshot]

Virus Scans
[Screenshot]

Security Patches
MS Windows Update
• Download critical updates at a minimum
• %SystemRoot%\system32\wupdmgr.exe
• http://windowsupdate.microsoft.com/ -> Product Updates
MS Office Product Updates
• http://windowsupdate.microsoft.com/ -> Microsoft Office Product Updates
Other software products

Windows Update
[Screenshots of Windows Update (3 slides)]

Password Strength
Password stealing
• CGI script exploits, password cracking, social engineering, shoulder surfing, …
• Network sniffing: reading the password directly from network traffic
Password guessing
• Predictable passwords: blank, "guest", user name, family name, birthdays, license plates, pets, etc.
• Dictionary attack: "earth1" is an example of a password that is susceptible to a dictionary attack (a dictionary word plus a digit)
• Brute force: try every combination; feasible when the password is short or drawn from a small character set

Password Strength
Password cracking tools
• Use available tools to regularly check for bad passwords
• Commercial tools
– Symantec Enterprise Security Manager
– Symantec NetRecon
• Hacker tools
– L0phtCrack (www.atstake.com/research/lc3/)
– John the Ripper (www.openwall.com/john/)
– Caution: use such tools only on systems you are authorized to test; unauthorized use may be grounds for dismissal and/or legal action

Password Strength
Don't send passwords over the network in clear text
Consider two-factor authentication
• A password + something else
– For example, an encryption key pair, a smart card, …
Enforce strict password policies
• E.g.
– minimum 8 characters
Keep your systems and applications patched and updated

Password Strength
Do's
• Use mixed-case letters
– Do not just capitalize the first letter; add uppercase letters throughout the password
• Use alphanumeric characters and include punctuation
• Use at least six characters, eight for Windows NT
– Password rules apply to the first N characters of the password
• Use a seemingly random selection of letters and numbers
• Use a password that can be typed quickly, without having to look at the keyboard (defeats "shoulder surfing")
• Change passwords regularly

Password Strength
Do's
• Use password expiration settings
– No old (recycled) passwords
– Can't change a password that is less than N days old (minimum password age)
– Old and new passwords must differ by at least N characters
• Watch for
– Maximum number of repeated character pairs, e.g. "HiiiiiiMom"
– Minimum number of digits inside the password, not only at the ends, e.g. "Hi123456Mom"
• Test your passwords
– http://www.securitystats.com/tools/password.asp

Password Strength
Do Not's
• Use a network login ID in any form (reversed, capitalized, or doubled) as a password
• Use your first, middle or last name, or anyone else's, in any form
– Do not use your initials or any nicknames you may have, or anyone else's
• Use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations

Password Strength
Do Not's
• Use other information easily obtained about you
– This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on
• Use a password of all numbers, or a password composed only of alphabet characters
– Mix numbers and letters
• Use dates, e.g. September, SEPT1999 or any combination thereof
• Use keyboard sequences, e.g. qwerty
• Use a sample password, no matter how good, that you've gotten from a book that discusses information and computer security

Password Strength
Do Not's
• Use any of the above spelled backwards, in caps, or otherwise disguised
• Write a password on sticky notes, desk blotters or calendars, or store it online where it can be accessed by others
• Use shared accounts
– Accountability for group access is extremely difficult
• Reveal a password to anyone

Unnecessary Services
Turn off non-essential services
• Every service is a potential hole into your network
• Allow connections only from trusted systems
• Do not share unnecessary resources
Turn off File Sharing
• At least password-protect it if it is used
Example: disable web server services if not used
• Ports 80 & 8080

Unnecessary Services
Hacker exploitation of file sharing
1) Find open file shares
– Use Legion v2.1 from www.rhino9.com
2) Crack passwords
– Copy SAM files from Windows systems
– Use L0phtCrack.exe to crack the passwords (www.l0pht.com)
– Can also obtain a backup of the SAM file; it must be renamed first
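Step 2 above succeeds against exactly the passwords the Do's and Do Not's slides rule out, so it is worth checking passwords against those rules before a cracker does. Below is an added example, not part of the original deck and not Symantec's or L0phtCrack's code: a Python checker that applies the slides' rules (length, mixed case beyond the first letter, digits and punctuation, no login ID or personal details in any form, no dictionary word even with digits tacked on, no dates or keyboard sequences, a cap on repeated characters, at least one digit inside the password) and estimates the brute-force search space from the password-guessing slide. The word list is a constructed stand-in for a real dictionary, the login ID and personal details are constructed, and the rule names and thresholds (8 characters, at most two identical characters in a row) are this example's choices.

```python
import math
import re
import string

# Constructed stand-in for a real dictionary (a production checker loads the
# word lists that ship with John the Ripper or similar).
WORDLIST = {"earth", "password", "secret", "dragon", "welcome", "summer",
            "monkey", "letmein", "football", "hello", "mom", "dad"}
MONTHS = {"jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "sept",
          "oct", "nov", "dec", "january", "february", "march", "april", "june",
          "july", "august", "september", "october", "november", "december"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz"]
MIN_LENGTH = 8   # the "minimum 8 characters" policy from the slides
MAX_RUN = 2      # longest run of one repeated character allowed ("HiiiiiiMom" fails)


def _contains_any_form(password, word):
    """True if word occurs forwards or reversed, ignoring case; the capitalised and
    doubled forms the slides mention are substrings of these, so they are covered."""
    p, w = password.lower(), word.lower()
    return len(w) >= 3 and (w in p or w[::-1] in p)


def check_password(password, login_id, personal_info=(), wordlist=WORDLIST):
    """Return the names of the rules the password violates; [] means acceptable."""
    pw, low, failures = password, password.lower(), []
    if len(pw) < MIN_LENGTH:
        failures.append("min_length")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("mixed_case")
    elif not any(c.isupper() for c in pw[1:]):
        failures.append("uppercase_only_first_letter")
    if not any(c.isdigit() for c in pw):
        failures.append("needs_digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("needs_punctuation")
    if pw.isdigit() or pw.isalpha():
        failures.append("all_digits_or_all_letters")
    if _contains_any_form(pw, login_id):
        failures.append("contains_login_id")
    if any(_contains_any_form(pw, item) for item in personal_info):
        failures.append("contains_personal_info")
    # Dictionary check on the word with leading/trailing digits and punctuation
    # removed ("earth1" -> "earth") and on the letters alone ("password1!");
    # not leet-speak aware, which a real cracker's rule set is.
    core = low.strip(string.digits + string.punctuation)
    letters = "".join(c for c in low if c.isalpha())
    if any(cand in wordlist or cand[::-1] in wordlist for cand in (core, letters)):
        failures.append("dictionary_word")
    if any(run in MONTHS for run in re.findall(r"[a-z]+", low)) or re.search(r"(19|20)\d\d", pw):
        failures.append("date_or_year")
    windows = (low[i:i + 4] for i in range(len(low) - 3))
    if any(w in row or w in row[::-1] for w in windows for row in KEYBOARD_ROWS):
        failures.append("keyboard_sequence")
    if re.search(r"(.)\1{%d,}" % MAX_RUN, pw):
        failures.append("repeated_characters")
    if not any(c.isdigit() for c in pw[1:-1]):
        failures.append("no_inside_digit")
    return failures


def estimate_bits(password):
    """Brute-force search space in bits: length * log2(size of the character
    classes present). Extra length buys more than an extra character class."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII punctuation characters
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed login ID and personal details for the demonstration.
    for pw in ("earth1", "Hi123456Mom", "HiiiiiiMom", "SEPT1999", "Htimsj!2002", "Tr3e!Lamp&9x"):
        print(f"{pw:14} {estimate_bits(pw):5.1f} bits  {check_password(pw, 'jsmith', ['john', 'smith'])}")
```

Note that "Hi123456Mom", the slide's example for the inside-digit rule, passes that rule but still fails the keyboard-sequence and punctuation rules; the slide only uses it to illustrate one setting. A checker like this is a policy gate, not a substitute for running a cracker such as L0phtCrack or John the Ripper against your own SAM, because the cracker's rule sets (substitutions, appended years, combined words) are far richer than the handful of patterns coded here.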
Unnecessary Services (continued)
NOTE: To get SAM files
– Run rdisk.exe to create an emergency repair disk
– Look in \WinNT\system32 for the SAM files

Unnecessary Services
Hacker exploitation of file sharing
3) Login
4) Install BO2K
– Run BOPeep
– Can wrap the Elf Bowling game with BO2K using Suranwrapper
– The BO2K executable is only 110KB
5) Use a packet sniffer
– Snort (www.whitehat.com for signatures)
– eEye Iris 2.0 Traffic Analyzer (www.eeye.com)
6) Keep under the FBI limit
– FBI Cyber Crime Unit
– CIA Cyber Crime Unit
– Won't prosecute unless > $10,000 or child porn
Source: 23.org, 5-17-2000

The Tools
[Section title slide]

Virus and Hostile Applet Protection
Use anti-viral and content scanning software
• Desktops
• Servers
• Firewall
Apply the latest patches
• E-mail (IE – MS Outlook)
• Browser
• Operating system (XP)
Don't double-click blindly on attachments
• Beware of .EXE, .VBS, and .SCR
Use higher levels of browser security

Firewalls
Protect your perimeter with a firewall
• Monitor both incoming and outgoing traffic
• Use a highly configurable, proxy-based firewall
• Make sure it is ICSA and Checkmark certified
Personal firewalls
• Norton Personal Firewall 2002
Enterprise-class firewalls
• Symantec Firewall Appliance
• Raptor Firewall

Symantec Tools
Norton Internet Security 2002
• Personal Firewall
• Privacy Control
• Intrusion Protection
• Anti-Virus
• Ad Blocking
• Parental Control
• Configure Internet access for each user
v2002 shipped 30 Aug 2001

Personal Firewall
Defend your PC against hackers
• Norton™ Personal Firewall starts protecting your PC by "hiding" it from hackers.
• Exclusive Symantec technology automatically configures firewall rules for the most common Internet applications.
• Monitors both inbound and outbound traffic.
• The Internet Access Control feature prevents the applications on your PC from secretly making connections to Internet sites and sending information to them.

Privacy Control
Keep your personal information private
• Alerts you if you accidentally try to send credit-card numbers over an insecure web connection.
• Protects your bank-account information, credit-card numbers, and other confidential data online.
• Prevents web sites from retrieving your e-mail address without your knowledge, and lets you control which sites are allowed to track your online activities with "cookies".
• Lets you block Java™ applets, ActiveX® controls, and cookies on a site-by-site basis.

Intrusion Protection
Norton Internet Security 2002
• Intrusion Protection with AutoBlock automatically stops systems that try to probe your PC's ports.
• It safeguards your PC and your personal information by blocking unauthorized connections and alerting you to attempted intrusions.

Anti-Virus
Stop viruses and other malicious code automatically
• Norton AntiVirus™ provides maximum protection against viruses, including those carried in e-mail messages.
• The world's leading anti-virus software works in the background to defend your computer 24 hours a day.
• New and exclusive Script Blocking technology proactively protects against known and unknown threats, such as the renowned "I Love You" and "Anna Kournikova" viruses, without the need for virus definitions.

Ad Blocking
Block unwanted ads
• Banner ads and pop-up windows can clutter your screen and lengthen web page download times.
• They can also expose children to inappropriate advertising.
• Norton Internet Security 2002 lets you filter them out for a faster, more enjoyable web experience.
Parental Control
Keep your children safe on the Internet
• Norton Parental Control software blocks access to objectionable sites based on a comprehensive, customizable list.
• Make sure that your children have a safe, enjoyable experience every time they log on to the Internet.
• It also lets you set up different Internet access privileges for each person in your household, so you can quickly and easily provide full access for adults and age-appropriate access for each child.
• Tools are only 80% to 90% effective. "Teach them correct principles …"

Updates with LiveUpdate
Get regular protection updates
• Symantec's Internet security experts update Norton Internet Security 2002 continuously to deal with new viruses and other Internet threats.
• Norton AntiVirus even keeps itself updated, using Symantec's exclusive LiveUpdate™ technology to check for new virus definitions when you're online and download them automatically.
• As a registered user, you'll get free anti-virus and firewall updates for one year. After that, you can subscribe to future updates for a $3.95 annual fee.
More info:
• http://securityresponse.symantec.com

Norton Internet Security 2002 System Requirements
Windows XP Home Edition/Professional
– Intel Pentium II 300MHz or higher processor
– 128 MB of RAM
Windows NT/2000 Professional
– Windows NT 4.0 Workstation with Service Pack 6a or higher
– Intel Pentium 150MHz or higher processor
– 64 MB of RAM
Windows Me/98
– Intel Pentium 150MHz or higher processor
– 32 MB of RAM (48 MB recommended)
Required for all installations
– 60 MB of available hard disk space (without the Parental Control feature installed)
– 90 MB of available hard disk space (for a complete installation)
– CD-ROM or DVD-ROM drive
– Microsoft® Internet Explorer 4.01 with MSIE Service Pack 1 or later
– Microsoft Windows Internet support

Norton Internet Security 2002 System Requirements
E-mail scanning supported for any standard POP3-compatible e-mail client, including
– Microsoft Outlook Express 4.0/5.x
– Microsoft Outlook XP/2000/98/97
– Netscape Messenger 4.x
– Netscape Mail 6.0
– Eudora Light 3.0, Eudora Pro 4.0, Eudora 5.0
Supported instant messaging clients for Confidential Information filtering
– MSN Messenger 3.6
– AOL Instant Messenger 4.3
– Windows Messenger 4

Symantec Firewall/VPN Small Office Appliance
• Firewall
• VPN
• IP sharing / DHCP server
• 10/100 auto-sense switch
• Automatic dial-up backup (with an external analog modem)
• Load balancing built in (model 200)
• Remote management

Network Vulnerability Scanners
Symantec NetRecon
1. Discovers systems
2. Discovers services
3. Finds vulnerabilities that can be exploited
4. Cracks passwords
5. Logs in
6.
Reports
ISS Internet Scanner
• Strong market share
• Will execute denial-of-service (DoS) checks, which can crash the target
Nessus Scanner
• Is free

Intrusion Detection
Stop scans at the perimeter
• Use a highly configurable firewall (proxy-based is best)
• Only allow necessary ports to be accessible from the outside
• Use a DMZ for other services
Use both host-based and network-based intrusion detection
• The security administrator can be alerted when an attack is in progress
• Symantec Intruder Alert (host-based)
• NetProwler (network-based)

Other Symantec Products
AntiVirus
• Norton AntiVirus
• NAV for Palm Pilots
• NAV for Gateways
Firewall
• Symantec Enterprise Firewall (Raptor)
• Symantec Firewall Appliance
• Norton Personal Firewall
Security Assessment
• Enterprise Security Manager
• Symantec NetRecon
• ESM for Databases, Web Servers and Firewalls
Intrusion Detection
• Intruder Alert
• ProwlerIDS
Content Filtering
• I-Gear
• Mail Gear
Privacy
• Norton Internet Security
Administration / Utilities
• pcAnywhere
• Norton Ghost
• Norton Utilities
• Norton CleanSweep
VPN
• RaptorMobile

Typical SOHO Network
[Network diagram: a 1.5 Mbps Internet link into a Symantec Firewall Appliance; a 100 Mbps wired LAN on an 8-port LinkSys hub with Windows 98 & 2000 PCs; 56 Kbps modems on some PCs; an 11 Mbps 802.11b wireless link through a Cisco Aironet Workgroup Bridge to a Windows 2000 laptop and an iPAQ.]

SOHO Network – Wireless Link
[Diagram: the 11 Mbps 802.11b segment between the Cisco Aironet Workgroup Bridge and the wireless clients is protected with 128-bit WEP; the bridge connects to the 100 Mbps wired LAN behind the Symantec Firewall Appliance.]

SOHO Network – Firewall & NAT
[Diagram: the Symantec Firewall Appliance Model 200R sits between the 1.5 Mbps Internet link and the 100 Mbps LAN (8-port LinkSys hub), providing firewall, VPN and NAT; the Cisco Aironet Workgroup Bridge hangs off the LAN.]

SOHO Network – PC Security
[Diagram: each PC on the LAN runs a personal firewall plus NAV CE: Windows 98 (PC1, PC4, PC5) and Windows 2000 (PC2, PC3); the iPAQ sits on the wireless segment; a visitor's PC (PC6) runs PC-cillin.]
Windows 2000 laptop: Norton Internet Security 2002 - Personal
Firewall - NAV

SOHO Network – Modems
[Diagram: 56 Kbps modems attached to the Windows 98 (PC1) and Windows 2000 (PC2, PC3) machines on the 100 Mbps LAN behind the Symantec Firewall Appliance.]
Modems
• Use only as a backup
• Configure for outgoing connections only (a modem that answers calls is a path into the LAN that bypasses the firewall)

Typical SOHO Network
[Diagram repeated: 1.5 Mbps Internet link, Symantec Firewall Appliance, 8-port LinkSys hub, Windows 98 & 2000 PCs, 56 Kbps modems, 11 Mbps 802.11b Cisco Aironet Workgroup Bridge, Windows 2000 laptop, iPAQ.]

Where to Look for More Information
Symantec Corporation
• http://www.symantec.com
• http://securityresponse.symantec.com
SANS Top 20 List
• http://www.sans.org
CERT Advisories
• http://www.cert.org
CVE (Common Vulnerabilities and Exposures)
• http://cve.mitre.org
Security Focus (home of BUGTRAQ)
• http://www.securityfocus.com
Packet Storm
• http://packetstorm.securify.com

Conclusion
Hackers will attack your SOHO network
• They have access to powerful tools and lots of information
• They are looking for DDoS zombies
• They want free hard disk space to store porn, etc.
Form a habit of following the 80-20 rule of security
• Check for OS, application and security patches weekly
• Use strong passwords
• Turn off unnecessary services
Firewalls and anti-virus software must be used
• Design security into your network
Use Symantec software!
• Largest security company in the world
• 100% focused on security