Local Area Network Security
Computer and Information Security

Three levels of trust

LISTING NETWORK RESOURCES
Local Area Network Security
- Confidentiality. Only authorized users have access to the network.
- Integrity. Data cannot be modified by unauthorized users.
- Access. Security must be designed so that authorized users have uninterrupted access to data.

IDENTIFY NETWORK THREATS
- Disruptive
- Unauthorized access

ESTABLISH NETWORK ACCESS CONTROLS
- Network controls are either software or hardware based.
- They are implemented in a hierarchical organization to monitor and control the access level of each user to the network resources.
- Network controls are used to detect unauthorized access, prevent network security from being breached, and respond to a breach; hence the three categories: detect, prevent, and respond.

FIREWALLS
- A firewall is a combination of hardware and software technology, a sort of sentry waiting at the points of entry and exit to look out for unauthorized data packets trying to gain access to the network.
- A firewall is used in part to implement a security policy.
- Typical functions:
  - Block unwanted traffic
  - Direct incoming traffic to more trustworthy internal nodes
  - Hide vulnerable nodes that cannot easily be secured from external threats
  - Log traffic to and from the network

Firewalls
- A firewall is transparent to authorized users (both internal and external), whereas it is not transparent to unauthorized users.
- Firewalls can be configured in a number of architectures, providing various levels of security at different costs of installation and operation.
- A firewall can implement NAT to screen an internal network from view.

TYPES OF FIREWALLS
- Packet filtering. Permits packets to enter or leave the network through the interface on the router on the basis of protocol, IP address, and port numbers.
- Application-layer firewall. A proxy server that acts as an intermediate host between the source and the destination nodes.
- Stateful-inspection layer. Validates the packet on the basis of its content.

Intrusion Detection
- An intrusion is any use or attempted use of a system that exceeds authentication limits.
- Intrusions are similar to incidents; an incident does not necessarily involve an active system or network device, whereas an intrusion does.
- An Intrusion Detection System (IDS) can be either software or hardware based; it monitors network activity and delivers an alert if it notices suspicious activity.

Intrusion Detection
- Security policies are either prohibitive or permissive.
- An IDS is sensitive to configuration.
- Possible types of IDS errors:
  - False positive (unauthorized user let in)
  - False negative (authorized user denied access)
  - Subversion error (the system is compromised so that it cannot detect the intrusion)

Dealing with Intruders
- Intruders can be external or internal.
- External intruders are hackers or crackers.
- Internal intruders are more common and very dangerous.
- The security policy should state what steps will be taken to handle intrusions.
- Block and ignore
  - Simplest tactic for handling intrusions
  - Block the intruder and address the vulnerability
  - Don't take any further action

Dealing with Intruders
- Block and investigate
  - Block the intruder and address the vulnerability
  - Collect evidence and try to determine the intruder's identity
  - Investigate
- Honeypot (bait the intruder)
  - Allow the intruder to access a part of your network
  - Try to catch the intruder while he/she explores
  - This is a potentially dangerous approach: the intruder does have at least partial access, and crackers may become interested in your site

Detecting Intruders
- An IDS monitors system activity in some way.
- When it detects suspicious activity, it performs an action.
- The action is usually an alert of some type (e-mail, cell phone, audible alert, etc.) to a person or process.
- For highly sensitive systems, an out-of-band channel is used.
- All IDS systems continuously sample system activity and compare the samples to a database.

IDS Principles
- Run unattended for extended periods of time
- Stay active and secure
- Recognize unusual activity
- Operate without unduly affecting the system's activity
- Configurable

IDS Principles
[Figure: the IDS cycle. Labels: Sample current activity; Decide what to do; Compare with database.]

IDS Taxonomy
- Misuse intrusion: an attack against a known vulnerability. Relatively easy to detect.
- Anomaly intrusion: an attack against a new vulnerability or one using an unknown set of actions. Relatively difficult to detect.
- Types of IDS that correspond to the intrusion types:
  - Signature-based
  - Knowledge-based

IDS Taxonomy
- Signature-based IDS
  - Detects misuse intrusions
  - Maintains a database of attack signatures
  - Compares current activity to the database
  - The database must be current and complete to be effective
- Knowledge-based IDS
  - Detects anomaly intrusions
  - Builds a profile of "normal" system activity over time
  - Produces more false positives and requires more administration
  - Requires careful initial configuration

Thresholds
- A rule tells the IDS which packets to examine and what action to take; it is similar to a firewall rule.
- Example Snort rule (the action keyword is lowercase in Snort's rule syntax):

    alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

  - alert specifies the action to take
  - tcp specifies the protocol
  - any any -> 192.168.1.0/24 specifies the source (any address, any port) and the destination within the given subnet
  - 111 specifies the port
  - content specifies the value of the payload to look for
  - msg specifies the message to send

Thresholds
- A threshold is a value that represents the boundary of normal activity.
- Example: maximum three tries for login.
- Common thresholds:
  - file I/O activity
  - network activity
  - administrator logins and actions

Snort IDS
- Snort is an example of an IDS
- Freeware, UNIX and Windows
- A highly configurable packet sniffer
- Analyzes network traffic in real time
- www.snort.org

Snort IDS
- Snort sniffs a packet from the network.
- The preprocessor looks at the packet header and decides whether to analyze it further.
- The detection engine compares the patterns from the rules to the packet payload.
- If the payload matches, then the appropriate action is taken.
- Snort can be used in plain packet sniffer mode or in full IDS mode.
- Snort has numerous configurable options.

Network-Based vs Host-Based
- IDS systems are classified by their intended locations.
- A network-based IDS monitors all traffic on a network segment.
  - Can detect intrusions that cross a specific network segment
  - Administrators sometimes place one inside and one outside of a firewall
  - Will not see traffic that passes between LAN computers

Network-Based vs Host-Based
- A host-based IDS examines all traffic and activity for a particular machine.
  - Can examine system log files as well as inbound and outbound packets
  - Each system requires its own IDS
- The best choice is to use both network-based and host-based IDS in an organization.
- Many firewalls provide some IDS functionality.

Network-Based IDS
[Figure: network-based IDS placement; only the slide title survives.]

Choosing an Appropriate IDS
- Determine organizational security needs
- Review the different IDS packages available
- Medium to large organizations commonly use both network-based and host-based IDS

Security Auditing with an IDS
- Must have periodic security audits; sometimes mandated by law or by corporate structure
- An IDS can contribute to a complete audit
- Many host-based IDS can scan and analyze system log files
- They can act as a filter for various behaviors
- A port-sniffing IDS can help to profile network activity

Intrusion Prevention System
- An IPS applies the knowledge of an IDS in an automated manner.
- Usually an IPS is a combination of a firewall and an IDS.
- IPSs come in different forms:
  - NIDS with two NICs
  - Inline NIDS
  - Inline NIDS with scrubber

Intrusion Prevention System
- An IPS with two NICs is configured as follows:
  - One NIC has an IP address and handles traffic management
  - The second NIC has no IP address and performs attack detection only

IPS with two NICs
[Figure: server with IPS and two NICs. Labels: Network traffic; Copy of traffic; NIC1; NIC2; No IP address; Has IP address; Server with IPS.]

IPS with inline NIDS
[Figure: inline NIDS. Labels: Network traffic; NIC; NIC with IPS; Has IP address; Server.]

IPS with scrubber
[Figure: inline NIDS with scrubber. Labels: Malicious packet; Scrubbed packet; Malicious code rendered inactive; Network traffic; NIC; NIC with IPS; Has IP address; Server.]

IPS Enhancements
- Traditionally switches work in OSI layer 2.
- Most vulnerabilities are in applications.
- Layer 7 switches control which applications go to which server.
- Layer 7 switches also help with load balancing.
- A layer 7 switch inspects applications such as HTTP, SMTP and DNS and decides which server to route the application packets to.
- Handles DoS and DDoS attacks.

IPS Enhancements
- IPS systems first profile applications.
- This helps identify normal behavior of access and functionality from applications.

IPS Scenario
- Policy:
  - Allow: GET /
  - Allow: GET /default.asp
  - Allow: GET /login.asp
  - Allow: /public/default.html
  - Implicitly deny other requests
- Traffic from the internet:
  - User: GET /
  - User: GET /default.asp
  - Attacker: GET /passwd.txt
  - User: GET /login.asp
- Traffic to the internal network:
  - User: GET /
  - User: GET /default.asp
  - User: GET /login.asp

Commercial IPSs
- Hogwash (http://hogwash.sourceforge.net/oldindex.html)
- ISS Guard (http://www.iss.net/products_services/enterprise_protection/rsnetwork/guard.php)
- Netscreen (http://www.juniper.net/products/)
- Tipping Point (http://www.tippingpoint.com/products_ips.html)
- Intruvert (http://www.mcafee.com/us/products/mcafee/network_ips/category.htm?cid=10355)
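The Snort rule on the Thresholds slide, worked through as an added example that is not part of these slides: a minimal Python parser for the rule header plus the content and msg options, and a matcher run over constructed packets (not captures). It covers only that subset of Snort's rule syntax; the packet dict layout and the sample payloads are assumptions made here.

```python
import ipaddress

# The rule from the Thresholds slide, with Snort's lowercase action keyword.
RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

def parse_content(value):
    """Expand Snort content syntax: text outside |...| is literal, inside is hex bytes."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(rule):
    """Split a one-line rule into header fields and the content/msg options."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": opts.get("msg", ""),
            "content": parse_content(opts.get("content", ""))}

def addr_ok(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def port_ok(pattern, port):
    return pattern == "any" or int(pattern) == port

def match(rule, pkt):
    """Return the rule's msg if pkt (a dict) satisfies the header and content, else None."""
    header_ok = (pkt["proto"] == rule["proto"]
                 and addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
                 and addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))
    if header_ok and (not rule["content"] or rule["content"] in pkt["payload"]):
        return rule["msg"]
    return None

# Constructed sample packets: only the first carries the bytes 00 01 86 a5 in its payload.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40321, "dst": "192.168.1.5", "dport": 111,
     "payload": b"\x80\x00\x00\x28\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40322, "dst": "192.168.1.5", "dport": 111,
     "payload": b"\x80\x00\x00\x28\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02"},
]

def scan(rule_text, packets):
    """Run one rule over a packet list; return (index, msg) pairs for the packets that alert."""
    rule = parse_rule(rule_text)
    return [(i, rule["msg"]) for i, p in enumerate(packets) if match(rule, p) is not None]
```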
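The IPS Scenario slide's allowlist policy, implemented as an added Python example that is not from these slides: requests are canonicalized and looked up by (method, path), and anything not listed is implicitly denied, so the attacker's GET /passwd.txt is dropped while the user's requests are forwarded. Treating the /public/default.html entry as GET, and the request lines themselves, are assumptions constructed here.

```python
from urllib.parse import urlsplit

# Policy from the IPS Scenario slide. The slide lists /public/default.html without a
# method; treating it as GET is an assumption made in this example.
ALLOW = {("GET", "/"), ("GET", "/default.asp"), ("GET", "/login.asp"),
         ("GET", "/public/default.html")}

def normalize_path(target):
    """Canonicalize the request target so the allowlist is matched on one form only:
    drop the query string, collapse empty and '.' segments, resolve '..'."""
    segs = []
    for seg in urlsplit(target).path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return "/" + "/".join(segs)

def decide(request_line):
    """Return 'allow' if (method, canonical path) is on the allowlist, else 'deny'."""
    parts = request_line.split()
    if len(parts) < 2:
        return "deny"
    method, target = parts[0], parts[1]
    return "allow" if (method, normalize_path(target)) in ALLOW else "deny"

# Constructed request lines (not real traffic); the first four mirror the slide.
INTERNET_TRAFFIC = [
    "GET / HTTP/1.1",
    "GET /default.asp HTTP/1.1",
    "GET /passwd.txt HTTP/1.1",
    "GET /login.asp HTTP/1.1",
    "GET /login.asp?next=/ HTTP/1.1",
    "GET /public/../passwd.txt HTTP/1.1",
    "POST /login.asp HTTP/1.1",
]

def filter_traffic(lines):
    """Split requests into those forwarded to the internal network and those dropped."""
    forwarded, dropped = [], []
    for line in lines:
        (forwarded if decide(line) == "allow" else dropped).append(line)
    return forwarded, dropped
```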