CSC4003: Computer and Information Security
Professor Mark Early, M.B.A., CISSP, CISM, PMP, ITILFv3, ISO/IEC 27002, CNSS/NSA 4011

Agenda
• Chapter 14: Local Area Network Security
• Chapter 27: TCP/IP Packet Analysis
• Chapter 29: Firewalls

Network Security History
• Today: it's an Internet-connected world
  – Name your industry (Healthcare, Government, Financial, Utilities, Retail, etc.)
  – Hacker's paradise
• Why? It's easy to "knock on the door" and see what happens.
• Not everyone in every industry has the technology, the resources (money, skilled people, enough time, etc.), or the executive political willpower to be aware of unauthorized activities
• Laws are behind the times

Network Security History
• It wasn't always like this
  – When I was in high school, the Internet was just coming into schools
  – Computers were not connected to the Internet 20+ years ago
  – Biggest threat was physical intrusion and boot-up of a local system on a Novell NetWare LAN, if that
  – Further back, non-Internet-connected company mainframes were strictly internal to companies and physical security protected the systems
  – Fewer "easy" opportunities for malicious/unauthorized activity

Really Basic Network Design Model
• What is wrong with this model?

Network Security Objectives
• Confidentiality: only authorized users have access to the internal network resources required for their job role
• Integrity: data cannot be modified by unauthorized users
• Availability: security must be designed so that authorized users have uninterrupted access to data

Network Security Governance
• Generally headed by a Chief Information Officer (CIO)
  – This person may have another title like VP of IT, IT Director, etc.
  – Network admins control the network and the security of the network
  – Book isn't reality
  – Legal doesn't spell things out about breaches; that's an Information Security Analyst's or Compliance Analyst's role most of the time
  – Legal is only consulted when asked (generally not often about such things as breaches)
• Why? Laws lag behind technology

What are malicious actors after?
• Information
  – Personally Identifiable Information (PII)
    • Social Security Number
    • Address
    • E-mail
    • Mobile phone #
    • Driver's license #
  – Credit card numbers
  – Protected Health Information (PHI)
  – Trade secrets, patents, intellectual property

Why are they after this information?
• $$$
  – Identity theft
  – Insurance fraud
  – Tax fraud (hear about the IRS getting filings for false refunds?)
• Attention/notoriety
• Cyberwarfare and gaining on U.S. technological superiority

Before we begin, let's review
• Networking foundations...

Figure 27.15: TCP connection, three-way handshake. A unique sequence of three packets is exchanged at the beginning of an active TCP connection.

OSI Model – memorize it!
Application
  • Application interface into the communications network
  • Example protocols: HTTP, SMTP, POP3, and FTP
Presentation
  • Encryption and translation performed at this layer
  • Examples: EBCDIC, ASCII, MPEG, GIF, and JPEG
Session
  • Is this a new or existing session (session management)?
  • Example protocols: NFS and RPC
Transport
  • Packets are formed into segments; takes the packets and makes them the right size for delivery
  • Example protocols: TCP or UDP
Network
  • Frames are formed into packets; "stamp, address label, and return address on the package"; where am I going now; hardware: router
  • Example protocols: IP, ARP, RARP, and ICMP
Data Link
  • Bits are formed into frames; think MAC here; the post office hop to the UK; hardware: switch or bridge
  • Example protocol: Ethernet (CSMA/CD, see below)
Physical
  • Bits of data on the physical wire
  • Examples: cables, connectors, hubs, and jacks
Mnemonic: Please Do Not Throw Sausage Pizza Away

Other OSI Model "Stuff"
• Physical Layer defines a commonly agreed standard for the mechanical, electrical, and functional specifications of the interface and the transmission media
• Physical Layer is concerned with:
  – Physical characteristics of interfaces and media
  – Representation of bits
  – Data rate
  – Synchronization of bits
  – Line configuration
  – Physical topology
  – Transmission mode

Other OSI Model "Stuff"
• Data Link Layer – 2 sublayers
  – Logical Link Control (LLC) is responsible for flow and error control
  – Media Access Control (MAC) specifies how the node accesses the media
    • Most common for a LAN is carrier sense multiple access with collision detection (CSMA/CD), a.k.a. Ethernet
    • CSMA/CD is a broadcast protocol: a node listens for a carrier before sending a frame and backs off if it detects a collision
    • Key security issue at this layer: MAC spoofing

Other OSI Model "Stuff"
• Network Layer areas to remember
  – IP is a connectionless protocol
    • No guaranteed delivery of datagrams (data packets)
  – Network Layer is concerned with:
    • Addressing the datagram (source & destination addresses)
    • Routing the datagram
    • Keeping the datagram length compatible with the allowed size if going through a WAN
    • Maximum Transmission Unit (MTU) is the largest length allowed by the link protocol (e.g., X.25 or ATM) over the WAN
    • Key security issue at this layer: fragmentation due to datagram size restrictions (fragments can be used to evade filters and IDS sensors that do not reassemble them)
    • Subnet masks help route the IP datagrams

Other OSI Model "Stuff"
• Network Layer areas to remember
  – Important protocols
    • Border Gateway Protocol (BGP) – interdomain routing protocol
    • Address Resolution Protocol (ARP) – find an unknown MAC address based upon an IP address
    • Reverse Address Resolution Protocol (RARP) – find an unknown IP address based upon a MAC address
    • Internet Control Message Protocol (ICMP) – the ping command uses this protocol

Other OSI Model "Stuff"
• Transport Layer areas to remember
  – TCP lives here and provides an end-to-end virtual connection between endpoints by:
    • Establishing the connection
    • Managing the data transfer
    • Terminating the connection
  – Uses IP addresses and port numbers (16-bit numbers) to identify sending/receiving processes
    • This combination is called a socket

Other OSI Model "Stuff"
• Transport Layer areas to remember
  – 3-way handshake used in TCP
    • The client initiates a connection by sending a synchronizing (SYN) segment
    • The server responds with a SYN + ACK (acknowledgement) segment
    • The client acknowledges the SYN + ACK with its own ACK segment
  – Active TCP connection is established and data is transmitted

Other OSI Model "Stuff"
• Transport Layer security issues:
  – SYN flood attack – a node continuously sends SYN segments to a server, typically from spoofed source addresses. The server responds with a SYN + ACK for each one and holds a half-open connection waiting for the final ACK, which never arrives. The half-open connections exhaust the server's connection backlog, the server becomes overloaded, and legitimate clients cannot connect: a Denial of Service (DoS) condition

Other OSI Model "Stuff"
• Application Layer areas to remember:
  – Common protocols:
    • Dynamic Host Configuration Protocol (DHCP) – assigns IP addresses to clients when requested. Consists of 2 parts:
      – DHCP server – assigns the IP address to clients
      – DHCP client – uses UDP to send a request for an IP address to the DHCP server
      – Lease is granted for a fixed period of time for the IP address
    • Domain Name System (DNS) – provides name resolution (resolves a friendly name to an IP address)

TCP/IP Model – memorize it!
• Application
• Host-to-Host Transport
• Networking/Internet
• Network Access

Other networking things I already think you know...
• BGP
• IEEE 802.11 WLAN
• IPSec
• IPv4
• IPv6
• Spanning Tree
• IPv4 Subnetting
• TCP/UDP Common Ports
• VLANs
• VOIP
KNOW THESE AND LOVE THEM! THEY ARE FAIR GAME IN THIS COURSE!

Identify Network Threats
• Disruptive type
  – Power failure causing segment or complete network failure
  – Malware running rampant on the network or on secondary storage causing data loss
• Unauthorized access type
  – Insider threat – book calls this "internal (employee)"
    • Not limited to just employees – who can you think of that would have internal access but is not an employee?
  – External (intruder) threat – those outside the corporate egress-point firewall who want to gain unauthorized access to any internal IT resource

Inventory – My Dear Watson
• Don't make the mistake of doing the technical setup work and forgetting the documentation!
  – Inventory information is critical to any project!
  – Some parts of this can be automated.
  – This inventory is a feed into:
    • The Configuration Management Database (CMDB) in the IT Service Management process (think the ticketing system)
    • Business Impact Analysis (BIA) of the BC/DR Plan – we'll get to this later, but for now think of it as a prioritized listing of business services for recovery

Other Network Security Elements
• Risk Assessment – we'll cover this later, but for now consider...
  – Completing this during the initial network design phase
  – Assess network risk types (based upon levels)
  – Assess the costs of recovering from attacks (cost/benefit analysis, ROI, TCO)
• Threats – try to understand who is after your data or what natural disaster could affect network availability
• Security Policies – more on this later
  – Most important security policy: Acceptable Use Policy (AUP), which states the "rules of the game"
  – Other important policies
    • Security Point of Contact
    • Ethical Internet access capabilities
    • Remote Access
    • Incident Handling/Response

Key Network Access Controls
• Set proper policy/parameters on the perimeter router
  – Oh by the way: make sure the router is not end of life (EOL)
• Move to the external firewall
  – Checks the contents of the traffic packet against the nature of the TCP connection request
  – Ensure rules are simplified and secure
  – Ensure all firmware/software is not end of life and is updated
  – Ensure change control on firewall rules
  – Look at Next Generation Firewall features like threat prevention, antivirus, etc.
  – Network forensics – when I lose electronic information, do I know what I lost?
• Network control functions
  – Detect unauthorized access
  – Prevent network security from being breached
  – Respond to a breach

Key Network Access Controls
• Examine the DMZ
  – Functional servers in the DMZ – are they segmented or not?
  – Server hardening (covered later)
• Second (internal) firewall
  – Filters malicious content out prior to allowing it into the internal network
    • Consider threat prevention, antivirus, etc. on the internal firewall

Key Network Access Controls
• Internal network controls
  – VLAN segments based on function (User, Server, etc.) – do I have access to everything on the network?
    • Consider data classification/risk related to functional segmentation
    • SCADA system or other specialized segmentation needs based upon industry vertical
      – SCADA (Supervisory Control And Data Acquisition) = think building automation system controls (HVAC, electrical, etc.)
    • Consider medical devices in healthcare
  – Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) – is anything unusual happening on my network (and do I need to be blocking that known malicious traffic)?
  – Network Access Control (NAC) – when I plug in, can I access the network?
  – IP Address Management (IPAM) – do I understand what IP addresses are being assigned, and do I trust what is coming onto the network?
    • Consider quarantining systems that do not meet patching, antivirus, etc. requirements

Intrusion Detection Systems
• Hardware or software based
• Goal: identify, notify (if configured) and prevent (if an IPS) potential attacks on the network or host
• Two types based on location:
  – Network IDS/IPS – looks at the network itself
  – Host-based IDS/IPS – looks at the host system itself

Figure 14.2: An example of a network-based intrusion detection system. Network-based IDS (NIDS) sensors scan network packets at the router or host level, auditing data packets and logging any suspicious packets to a log file. The data packets are captured by a sniffer program, which is part of the IDS software package. The node on which the IDS software is enabled runs in promiscuous mode.
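The TCP header fields, the three-way handshake and the SYN flood described in the Transport Layer slides above, together with the promiscuous-mode sniffer of Figure 14.2, as an added Python example; this is not code from the lecture, the textbook or any IDS product. It builds a few constructed IPv4/TCP packets, parses the header fields a NIDS keys on, walks each connection through SYN / SYN+ACK / ACK, and raises a signature alert on a known-bad payload pattern and an anomaly alert when one server port accumulates too many half-open connections. The addresses (10.0.0.0/8, 198.51.100.0/24), the half-open threshold and the injection signature are assumptions made for the example.

```python
"""Added example (not from the lecture): parse IPv4/TCP headers, track the
three-way handshake per connection and alert on a SYN flood (many half-open
connections) or a known-bad payload signature. All traffic is constructed."""
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Build a minimal IPv4 + TCP packet (no options; checksums left zero).
    Used only to construct sample traffic for this example."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Return the header fields a packet filter or NIDS keys on, or None if not TCP."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        return None
    sport, dport, seq, ack, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    data_off = (off >> 4) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": raw[ihl + data_off:total_len]}


class HandshakeTracker:
    """Per-connection state machine for SYN -> SYN+ACK -> ACK.
    Keys are (client, cport, server, sport); the client is whoever sent the first SYN."""

    def __init__(self):
        self.state = {}

    def observe(self, p):
        f = p["flags"]
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # sender is the client
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # sender is the server
        if f & TCP_RST:                                      # a reset tears the entry down either way
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
        elif f & TCP_SYN and not f & TCP_ACK:
            self.state[fwd] = "SYN_SENT"
        elif f & TCP_SYN and f & TCP_ACK:
            if self.state.get(rev) == "SYN_SENT":
                self.state[rev] = "SYN_RECEIVED"             # server now holds a half-open entry
        elif f & TCP_ACK and self.state.get(fwd) == "SYN_RECEIVED":
            self.state[fwd] = "ESTABLISHED"

    def half_open(self):
        """Connections the server answered with SYN+ACK but never saw the final ACK for."""
        return [k for k, s in self.state.items() if s == "SYN_RECEIVED"]


def detect(packets, half_open_threshold=10, signatures=(b"' OR '1'='1",)):
    """Signature check on every payload, plus an anomaly check on half-open counts per server port."""
    tracker, alerts = HandshakeTracker(), []
    for p in packets:
        tracker.observe(p)
        for sig in signatures:
            if sig in p["payload"]:
                alerts.append(("signature", p["src"], p["dst"], p["dport"], sig.decode()))
    per_server = defaultdict(int)
    for _, _, server, sport in tracker.half_open():
        per_server[(server, sport)] += 1
    for (server, sport), n in per_server.items():
        if n >= half_open_threshold:
            alerts.append(("syn_flood", server, sport, n))
    return alerts


def sample_traffic():
    """Constructed traffic (not a real capture): one clean HTTP session, one session whose
    request carries an injection pattern, and a 20-source SYN flood that never completes."""
    srv, pkts = "10.0.0.5", []
    for client, port, req in (("10.0.0.20", 40000, b"GET /index.html HTTP/1.1\r\n\r\n"),
                              ("10.0.0.21", 40001, b"GET /login?u=admin' OR '1'='1 HTTP/1.1\r\n\r\n")):
        pkts.append(build_packet(client, srv, port, 80, TCP_SYN, seq=100))
        pkts.append(build_packet(srv, client, 80, port, TCP_SYN | TCP_ACK, seq=500, ack=101))
        pkts.append(build_packet(client, srv, port, 80, TCP_ACK, seq=101, ack=501))
        pkts.append(build_packet(client, srv, port, 80, TCP_PSH | TCP_ACK, seq=101, ack=501, payload=req))
    for i in range(20):                                      # spoofed sources never send the final ACK
        atk = f"198.51.100.{i + 1}"
        pkts.append(build_packet(atk, srv, 1024 + i, 80, TCP_SYN, seq=1))
        pkts.append(build_packet(srv, atk, 80, 1024 + i, TCP_SYN | TCP_ACK, seq=9, ack=2))
    return [parse_packet(raw) for raw in pkts]


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)
```

Running the script prints one signature alert for the injected request and one syn_flood alert for 10.0.0.5:80 with 20 half-open connections; the clean session ends in ESTABLISHED and raises nothing. The tracker keys on the four-tuple, so it would also have to reassemble fragments before parsing to avoid the fragmentation evasion noted in the Network Layer slide.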
Intrusion Detection Systems
• Two types based upon identification model:
  – Pattern-based (signature)
  – Behavioral-based (also called anomaly-driven)

Intrusion Detection Systems
• 8 categories of IDS:
  – Network – monitors the network traffic; stops (IPS) or alerts (IDS) when suspected malicious traffic is found
  – Host-based – software installed on a host to protect that single host
  – Signature-based – uses signatures of known bad traffic patterns (think antivirus signatures, only from a network pattern perspective)
  – Anomaly-based – learns common network behaviors for a period of time; once the learning has completed, deviations from the normal traffic pattern are flagged as suspicious/malicious
  – Protocol-based – looks at specific protocols rather than an entire host or network
  – Application protocol-based – looks at specific application protocol requests to identify malicious activity (think SQL requests/responses between an application server and a database server)
  – Hybrid – combination of 2 or more of the above categories
  – Passive/Reactive – passive provides alerts; reactive blocks

IDS pros/cons
• Pros
  – Good at alerting/preventing known attacks
    • IP address spoofing
    • MAC address spoofing
    • ARP cache poisoning
    • DNS name corruption
  – Good at UDP-based attacks (page 268)
  – Good at TCP SYN (half-open) scanning (pages 268-269)
• Cons
  – Don't address 0-day attacks; only as good as the signatures or the learned baseline of common behavior on the network
  – Tend to be expensive and/or time-intensive to configure properly
  – Tend to be higher in FTE (Full Time Equivalent) to maintain due to "noisiness" – especially true in behavioral-based IDS
  – Cannot compensate for weaknesses in other security controls/network protocols
    • Weaknesses in identification and authentication
    • Message integrity
  – Don't work well on busy networks
  – Cannot always deal with problems involving packet-level attacks
  – Can't deal particularly well with fragmented data packets

Firewalls
• A firewall is either a single node or a set of nodes that enforces an access policy between two networks
• Firewall rules are written in terms of host connections over TCP/UDP ports
• Every "hole" opened through the firewall for a TCP/UDP port becomes a potential weakness
• A firewall is like a guard monitoring who enters/exits the one door of a room
  – Legitimate traffic is allowed through the door
  – Unauthorized traffic is blocked from going through
  – Firewalls differ in how they "inspect" the traffic
    • Some just look to see if you are suspicious-looking
    • Others "pat you down" to verify you are not suspicious

High level firewall protection process
• Identify the "crown jewels" that need to be protected
• Identify which roles/employees have a need to access the "crown jewels"
• Placement of firewalls is determined by the level of protection needed for the "crown jewels"
  – Some data/resources are "priceless"
  – Other data/resources are just highly costly to replace
  – Others are pretty worthless (e.g., marketing materials)
  – Some have regulatory implications
• Firewall rules are created in a firewall policy to provide access rights to the data/resources
• Rules are based upon the TCP/UDP port numbers and/or the IP protocol (TCP, UDP, ICMP, etc.)

Basic characteristics of a firewall policy
• Block out unwanted traffic
• Direct "trusted" incoming traffic to more trustworthy internal hosts/subnets
• Hide vulnerable nodes that cannot easily be secured from external threats
  – Example: a piece of software that is too costly to upgrade and still runs on Windows 2000 Server (no longer supported by Microsoft)
• Log all traffic going in and out of the network
• Network Address Translation (NAT)

NAT
• NAT – publishes a small public IP address space mapped to the internal private IP space
  – Advantage: internal IP addresses are hidden from the Internet (a side effect of the translation, not a substitute for filtering rules)
• NAT steps (Cisco IOS-style)
  – First, configure a NAT pool
    • Allocate outside addresses to the requesting inside hosts
  – Next, define an access-list
    • Determine the inside networks translated by the NAT router
  – Finally, correlate the NAT pool and the access-list

Firewall Policy Rule Types
• Allow/Accept – let the traffic flow from the "source" to the "destination"
• Block/Deny – do not let the traffic flow from the "source" to the "destination"
• Log – optional component to both of the above

Firewall Basics
• Firewalls read packet headers
  – Source IP
  – Source port
  – Destination IP
  – Destination port
  – Protocol
• Packet header information is compared to the first rule's fields – if it matches, that rule's action is applied; else move to the next rule
• Same process until a rule matches or all rules have been evaluated (generally the last rule in a firewall is a "* * deny" – this is called the "default rule")
• This method is called a "First Match Policy"
• Other rule evaluation methods include best match and last match

Shadowing
• Common issue with complex firewall rules using the first match policy
• Problem where an earlier rule unintentionally matches all of the traffic a later rule was written for, so the later rule can never match
• Half shadowing – only a portion of the packets of a later rule matches an earlier rule

Policy Optimization
• Use a product from Tufin or FireMon to identify
  – Policy reordering – make sure rules are being used
    • Most popular -> never used
  – Rule combination
    • Remove redundant rules
    • Smaller rulesets perform faster
• Most popular rules at the top of the firewall policy increase rule evaluation performance (reorder only where the moved rule does not overlap an earlier rule with a different action, or the first match changes)

Principle of Least Privilege
• Start with a deny-all policy and work to allow traffic only where needed (good for new initiatives)
• For existing implementations, start with an allow-all policy
  – Integrate the allow-all policy with a product like Tufin or FireMon to build the rules for you after a "bake-in" time period
  – Flip over to the defined ruleset developed by the product during a maintenance window

Firewall Types
• Packet filtering – decides what to do with the packet as it travels through the firewall, based on header fields alone
  – OSI layer operation: Network
  – 1st generation firewall
• Stateful inspection – determines the "state" of the packet (looks at previous packets and compares)
  – OSI layer operation: Network (tracks connection state from the Transport layer)
  – 2nd generation firewall
• Proxy – these devices act as a middle-man by intercepting, inspecting, repackaging, and sending the packet to the destination
  – Advantage – masks the sender's original identity

Firewall Types
• Application-level proxy – inspects the packet up to the application layer in the stack
  – Smarter about the contents of the packets
  – OSI layer operation: Application
  – 3rd generation firewall
• Circuit-level proxy – creates a circuit that provides a connection from a source to a destination; operates at the session layer
  – OSI layer operation: Session

Firewall Types
• Dynamic packet filtering – when a client system attempts to connect to an outside system, the firewall creates an allow ACL rule and assigns a high port for the return traffic from the destination; the destination is allowed to reply to the firewall on that high port, and the reply is relayed by the firewall to the source client system
  – OSI layer operation: Network
  – 4th generation firewall
• Kernel proxy firewall – this firewall creates dynamic, unique TCP/IP stacks when a packet is evaluated
  – OSI layer operation: Application
  – 5th generation firewall

Firewall Type pros/cons

Firewall architecture
• Bastion host – locked-down system exposed to the untrusted network
• Dual-homed firewall – one firewall that has an internal interface (connection) and a separate external interface (connection)
• Screened host – firewall that talks directly to a perimeter router and the internal network
• Screened subnet – screened host + a DMZ in the middle of 2 firewalls

The "DMZ"
• DeMilitarized Zone (DMZ) – shared space between internal users and Internet users
• Consider: several companies desiring to work together to bid on a government contract (collaboration)
• Consider: patients needing access to see their own medical record for treatment purposes
• Consider: customers wanting to transact business online with a bank, insurance company, etc.
• Consider: an employee wanting to securely read their email from a mobile device and/or through a browser

The "DMZ"
• The DMZ simply allows certain ports from the Internet into DMZ hosts (HTTP, HTTPS, SMTP, DNS, etc.).
• A good model for a DMZ can be found on page e9 (far right model)

Other Firewall Considerations
• High Availability (HA)
  – Active/Active
  – Active/Passive
• Throughput requirements
• Network Time Protocol (NTP) – keeps firewall clocks and therefore log timestamps synchronized for correlation
• Centralized log management
  – Syslog and/or SIEM integration
• Centralized firewall management
  – Push a single policy to multiple firewalls
  – Single config change to all firewalls (e.g., software update)
• Do a "Proof of Concept" of any firewall before you buy!

Reality Check!
• Network-based IDS/IPS is really not as important as it once was...
• Why?
  – Next Generation Firewalls
    • Threat Prevention subscription
    • Antivirus subscription
    • Web proxy subscription
  – This is why our lab will be using a "NextGen" Palo Alto Networks firewall

Security Countermeasures Checklist
• Countermeasures checklist disadvantages
  – Does not guarantee a secure LAN environment
  – Cannot prevent all adversary penetrations
• Security comes at a cost
  – Expenses related to security equipment
  – Inconvenience, maintenance, and operation
• Evaluate the acceptable risk level
  – Based on numerous factors
• Incorporate security throughout the entire life cycle
  – Security policy enforcement is key
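The first-match evaluation and default rule from Firewall Basics, the shadowing and half shadowing from the Shadowing slide, and the rule-usage counts that Policy Optimization relies on, as an added Python example; this is not code from the lecture, the textbook, Tufin or FireMon. The policy, rule names and addresses are constructed for the example: the DMZ at 10.0.1.0/24 and the "bad" network 192.0.2.0/24 are assumptions, and packets are plain dicts of the five header fields a packet filter reads.

```python
"""Added example (not from the lecture or any vendor product): first-match
evaluation of a packet-filter policy with an implicit default deny, rule hit
counting for reordering, and shadowing detection. Rules and packets are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp", "icmp" or ANY
    src: str         # CIDR or ANY
    dst: str         # CIDR or ANY
    dport: object    # (low, high) destination port range, or ANY


def _net(cidr):
    return None if cidr == ANY else ipaddress.ip_network(cidr)


def rule_matches(rule, pkt):
    """The header-field comparison a packet filter makes against one rule."""
    if rule.proto != ANY and rule.proto != pkt["proto"]:
        return False
    for field in ("src", "dst"):
        net = _net(getattr(rule, field))
        if net is not None and ipaddress.ip_address(pkt[field]) not in net:
            return False
    if rule.dport != ANY:
        lo, hi = rule.dport
        if pkt.get("dport") is None or not lo <= pkt["dport"] <= hi:
            return False
    return True


def evaluate(policy, pkt):
    """First-match policy: the first rule whose fields match decides; no match -> the default deny rule."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


def hit_counts(policy, packets):
    """Which rules actually fire: the input for moving popular rules up and removing unused ones."""
    return Counter(evaluate(policy, p)[1] for p in packets)


def _covers(a, b):
    """True if every packet that matches b also matches a (b's match space is inside a's)."""
    if a.proto != ANY and a.proto != b.proto:
        return False
    for field in ("src", "dst"):
        an, bn = _net(getattr(a, field)), _net(getattr(b, field))
        if an is not None and (bn is None or not bn.subnet_of(an)):
            return False
    if a.dport != ANY and (b.dport == ANY or not (a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])):
        return False
    return True


def _overlaps(a, b):
    """True if some packet can match both rules."""
    if ANY not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    for field in ("src", "dst"):
        an, bn = _net(getattr(a, field)), _net(getattr(b, field))
        if an is not None and bn is not None and not an.overlaps(bn):
            return False
    if ANY not in (a.dport, b.dport) and (a.dport[1] < b.dport[0] or b.dport[1] < a.dport[0]):
        return False
    return True


def find_shadowing(policy):
    """Pairwise check of each rule against the rules above it:
    'shadowed'      - an earlier rule with the opposite action covers it, so it can never fire
    'redundant'     - an earlier rule with the same action covers it, so it can be removed
    'half-shadowed' - an earlier rule with the opposite action takes part of its traffic"""
    findings = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if _covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break
            if earlier.action != later.action and _overlaps(earlier, later):
                findings.append((later.name, "half-shadowed", earlier.name))
    return findings


# Constructed policy (assumption): DMZ at 10.0.1.0/24, "bad" network 192.0.2.0/24 (a documentation range).
POLICY = [
    Rule("allow-dmz-https", "allow", "tcp", ANY, "10.0.1.0/24", (443, 443)),
    Rule("block-bad-net", "deny", "tcp", "192.0.2.0/24", ANY, ANY),
    Rule("allow-bad-host-ssh", "allow", "tcp", "192.0.2.10/32", "10.0.1.0/24", (22, 22)),
    Rule("dup-dmz-https", "allow", "tcp", ANY, "10.0.1.0/24", (443, 443)),
    Rule("allow-dns", "allow", "udp", "10.0.0.0/8", "10.0.1.53/32", (53, 53)),
    Rule("deny-udp-low-ports", "deny", "udp", "10.0.0.0/16", "10.0.1.0/24", (1, 1024)),
]

if __name__ == "__main__":
    print(evaluate(POLICY, {"proto": "tcp", "src": "192.0.2.7", "dst": "10.0.1.10", "dport": 443}))
    for finding in find_shadowing(POLICY):
        print(finding)
```

The first print shows the half shadow in action: a host in the "bad" network still reaches the DMZ on 443 because allow-dmz-https sits above block-bad-net. The findings list reports that, the fully shadowed allow-bad-host-ssh (it can never fire, so the SSH exception silently does nothing), the redundant duplicate of the HTTPS rule, and the partial overlap between allow-dns and deny-udp-low-ports. The check is pairwise only: a later rule covered by the union of several earlier rules is not reported, which is the gap the commercial analysis tools close.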