Ch14-LANSecurity

Local Area Network Security
Computer and Information Security

Three levels of trust

LISTING NETWORK RESOURCES

Local Area Network Security
• Confidentiality. Only authorized users have access to the network.
• Integrity. Data cannot be modified by unauthorized users.
• Access. Security must be designed so that authorized users have uninterrupted access to data.

IDENTIFY NETWORK THREATS
• Disruptive
• Unauthorized Access

ESTABLISH NETWORK ACCESS CONTROLS
• Network controls are either software or hardware based
• They are implemented in a hierarchical organization to monitor and control the access level of each user of the network resources.
• Network controls are used to
  • detect an unauthorized access
  • prevent network security from being breached
  • respond to a breach
  • thus the three categories of detect, prevent, and respond.

FIREWALLS
• A firewall is a combination of hardware and software technology, namely a sort of sentry, waiting at the points of entry and exit to look out for an unauthorized data packet trying to gain access to the network.
• A firewall is used in part to implement a security policy
• Typical functions:
  • Block unwanted traffic
  • Direct incoming traffic to more trustworthy internal nodes
  • Hide vulnerable nodes that cannot easily be secured from external threats
  • Log traffic to and from the network

Firewalls
• A firewall is transparent to authorized users (both internal and external), whereas it is not transparent to unauthorized users
• Firewalls can be configured in a number of architectures, providing various levels of security at different costs of installation and operations
• A firewall can implement NAT to screen an internal network from view.

TYPES OF FIREWALLS
• Packet filtering. Permits packets to enter or leave the network through the interface on the router on the basis of protocol, IP address, and port numbers.
• Application-layer firewall. A proxy server that acts as an intermediate host between the source and the destination nodes.
• Stateful-inspection layer. Validates the packet on the basis of its content.

Intrusion Detection
• An intrusion is any use or attempted use of a system that exceeds authentication limits
• Intrusions are similar to incidents
  • An incident does not necessarily involve an active system or network device; an intrusion does
• An Intrusion Detection System (IDS) can be either software or hardware based; it monitors network activity and delivers an alert if it notices suspicious activity

Intrusion Detection
• Security policies are either prohibitive or permissive
• An IDS is sensitive to configuration
• Possible types of IDS errors:
  • False positive (unauthorized user let in)
  • False negative (authorized user denied access)
  • Subversion error (the IDS itself is compromised so that it fails to detect the intrusion)

Dealing with Intruders
• Intruders can be external or internal
  • External intruders are hackers or crackers
  • Internal intruders are more common and very dangerous
• The security policy should state what steps will be taken to handle intrusions
• Block and ignore
  • Simplest tactic for handling intrusions
  • Block the intruder and address the vulnerability
  • Don't take any further action

Dealing with Intruders
• Block and investigate
  • Block the intruder and address the vulnerability
  • Collect evidence and try to determine the intruder's identity
  • Investigate
• Honeypot (bait the intruder)
  • Allow the intruder to access a part of your network
  • Try to catch the intruder while he/she explores
  • This is a potentially dangerous approach
    • The intruder does have at least partial access
    • Crackers may become interested in your site

Detecting Intruders
• An IDS monitors system activity in some way
• When it detects suspicious activity, it performs an action
  • The action is usually an alert of some type
  • E-mail, cell phone, audible alert, etc. to a person or process
  • For highly sensitive systems, an out-of-band channel is used
• All IDS systems continuously sample system activity and compare the samples to a database

IDS Principles
• Run unattended for extended periods of time
• Stay active and secure
• Recognize unusual activity
• Operate without unduly affecting the system's activity
• Configurable

IDS Principles (figure): Sample current activity -> Compare with database -> Decide what to do

IDS Taxonomy
• Misuse intrusion
  • An attack against a known vulnerability
  • Relatively easy to detect
• Anomaly intrusion
  • An attack against a new vulnerability or one using an unknown set of actions
  • Relatively difficult to detect
• Types of IDS that correspond to intrusion types:
  • Signature-based
  • Knowledge-based

IDS Taxonomy
• Signature-based IDS
  • Detects misuse intrusions
  • Maintains a database of attack signatures
  • Compares current activity to the database
  • The database must be current and complete to be effective
• Knowledge-based IDS
  • Detects anomaly intrusions
  • Builds a profile of "normal" system activity over time
  • Produces more false positives and requires more administration
  • Requires careful initial configuration

Thresholds
• A rule tells the IDS which packets to examine and what action to take
  • Similar to a firewall rule
  • alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
  • alert specifies the action to take
  • tcp specifies the protocol
  • any any -> 192.168.1.0/24 specifies the source (any address, any port) and the destination (the given subnet)
  • 111 specifies the destination port
  • content specifies a value to look for in the packet payload
  • msg specifies the message to send

Thresholds
• A threshold is a value that represents the boundary of normal activity
  • Example: Maximum three tries for login
• Common thresholds:
  • file I/O activity
  • network activity
  • administrator logins and actions
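As an added example (not from the slides), the "maximum three tries for login" threshold turned into detection logic: failed logins are counted per source address inside a sliding time window, and an alert is raised the first time a source exceeds the limit. The log lines are constructed sshd-style records, and the limit and window are assumed values.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (syslog format, no year); not from a real host.
LOG = """\
Mar 10 09:00:01 gw sshd[811]: Failed password for root from 10.0.0.5 port 4001 ssh2
Mar 10 09:00:04 gw sshd[811]: Failed password for root from 10.0.0.5 port 4002 ssh2
Mar 10 09:00:07 gw sshd[811]: Failed password for admin from 10.0.0.5 port 4003 ssh2
Mar 10 09:00:09 gw sshd[811]: Accepted password for alice from 10.0.0.9 port 5001 ssh2
Mar 10 09:00:11 gw sshd[811]: Failed password for root from 10.0.0.5 port 4004 ssh2
Mar 10 09:30:00 gw sshd[812]: Failed password for bob from 10.0.0.9 port 5002 ssh2
Mar 10 09:45:00 gw sshd[812]: Failed password for bob from 10.0.0.9 port 5003 ssh2
Mar 10 10:00:00 gw sshd[812]: Failed password for bob from 10.0.0.9 port 5004 ssh2
Mar 10 10:15:00 gw sshd[812]: Failed password for bob from 10.0.0.9 port 5005 ssh2
"""

# Only failed logins count toward the threshold; group 1 is the timestamp, group 2 the source.
FAIL = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                  r"(?:invalid user )?\S+ from (\S+) port")

def failed_login_alerts(log, limit=3, window=timedelta(minutes=10)):
    """Alert once per source whose failed logins inside `window` exceed `limit`.
    Returns {source_ip: timestamp of the failure that crossed the threshold}."""
    recent = {}    # source -> deque of failure times still inside the window
    alerts = {}
    for line in log.splitlines():
        m = FAIL.match(line)
        if not m:
            continue            # successes and unrelated records are ignored
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        src = m.group(2)
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()         # slide the window: drop failures that are too old
        if len(q) > limit and src not in alerts:
            alerts[src] = m.group(1)
    return alerts
```

With the 10-minute window only 10.0.0.5 trips the threshold; the slow attempts from 10.0.0.9 stay under it unless the window is widened, which is exactly the tuning trade-off the threshold represents.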

Snort IDS
• Snort is an example of an IDS
  • Freeware
  • UNIX and Windows
• A highly configurable packet sniffer
• Analyzes network traffic in real time
• www.snort.org

Snort IDS
• Snort sniffs a packet from the network
• The preprocessor looks at the packet header and decides whether to analyze it further
• The detection engine compares the pattern from the rules to the packet payload
• If the payload matches, then the appropriate action is taken
• Snort can be used in plain packet sniffer mode or in full IDS mode
• Snort has numerous configurable options
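As an added example (not Snort's own code and not from the slides), a simplified matcher that applies the rule from the Thresholds slide in the order this slide describes: the header fields are checked against the packet first, then the content option is searched for in the payload, and the msg is returned on a hit. The packets are constructed samples; the only rule syntax handled is the one-line form on the slide, with text between | | in content read as hex bytes.

```python
import ipaddress

# The rule from the slide (Snort syntax); the matcher below is a simplified, added example.
RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

def parse_rule(rule):
    """Split a one-line rule into header fields and a dict of options."""
    header, _, opts = rule.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional (->) rules are handled here")
    options = {}
    for opt in opts.rstrip(")").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def content_bytes(spec):
    """Convert a content value to bytes: text between | | is hex, the rest is literal."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def match(rule, pkt):
    """Return the rule's msg if the packet matches header and content, else None."""
    r = parse_rule(rule)
    header_ok = (pkt["proto"] == r["proto"]
                 and addr_match(r["src"], pkt["src"]) and port_match(r["sport"], pkt["sport"])
                 and addr_match(r["dst"], pkt["dst"]) and port_match(r["dport"], pkt["dport"]))
    if not header_ok:
        return None          # the header filter fails before any payload inspection
    if content_bytes(r["options"]["content"]) not in pkt["payload"]:
        return None          # payload does not carry the signature bytes
    return r["options"]["msg"]

# Constructed packets: a TCP segment to port 111 whose payload carries 00 01 86 a5, and one that does not.
HIT = {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.20", "dport": 111,
       "payload": b"\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x03"}
MISS = dict(HIT, payload=b"\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x03")
```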

Snort IDS (three figure slides)

Network-Based vs Host-Based
• IDS systems are classified by their intended locations
• A network-based IDS monitors all traffic on a network segment
  • Can detect intrusions that cross a specific network segment
  • Administrators sometimes place one inside and one outside of a firewall
  • Will not see traffic that passes between LAN computers

Network-Based vs Host-Based
• A host-based IDS examines all traffic and activity for a particular machine
  • Can examine system log files as well as inbound and outbound packets
  • Each system requires its own IDS
• The best choice is to use both network-based and host-based IDS in an organization
• Many firewalls provide some IDS functionality

Network-Based IDS (figure)

Choosing an Appropriate IDS
• Determine organizational security needs
• Review the different IDS packages available
• Medium to large organizations commonly use both network-based and host-based IDS

Security Auditing with an IDS
• Must have periodic security audits
  • Sometimes mandated by law or by corporate structure
• An IDS can contribute to a complete audit
  • Many host-based IDS can scan and analyze system log files
  • They can act as a filter for various behaviors
  • A port-sniffing IDS can help to profile network activity

Intrusion Prevention System
• An IPS applies the knowledge of an IDS in an automated manner
• Usually an IPS is a combination of a firewall and an IDS
• IPSs come in different forms:
  • NIDS with two NICs
  • Inline NIDS
  • Inline NIDS with scrubber

Intrusion Prevention System
• IPS with two NICs configured as follows:
  • One NIC has an IP address and handles traffic management
  • The second NIC has no IP address and performs attack detection only

IPS with two NICs (figure): network traffic reaches the server with IPS on NIC2 (has IP address); a copy of the traffic is fed to NIC1 (no IP address) for detection

IPS with inline NIDS (figure): network traffic -> NIC -> server with IPS -> NIC (has IP address) -> network traffic

IPS with scrubber (figure): network traffic -> NIC -> server with IPS -> NIC (has IP address) -> network traffic; a malicious packet entering is forwarded as a scrubbed packet with the malicious code rendered inactive

IPS Enhancements
• Traditionally switches work in OSI layer 2
• Most vulnerabilities are in applications
• Layer 7 switches control which applications go to which server
  • Layer 7 switches also help with load balancing
  • A layer 7 switch inspects applications such as HTTP, SMTP and DNS and decides which server to route the application packets to
  • Handles DoS and DDoS attacks

IPS Enhancements
• IPS systems first profile applications
  • Helps identify normal behavior of access and functionality from applications

IPS Scenario (figure)
Traffic from internet:
  User: GET /
  User: GET /default.asp
  Attacker: GET /passwd.txt
  User: GET /login.asp
Policy:
  Allow: GET /
  Allow: GET /default.asp
  Allow: GET /login.asp
  Allow: /public/default.html
  Implicitly deny other requests
Traffic to internal network:
  User: GET /
  User: GET /default.asp
  User: GET /login.asp
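As an added example (not from the slides or any product), a small enforcement function for the scenario above: the policy is an allow-list of method and path built in the profiling step, and any request not listed is implicitly denied. The request lines are constructed. It goes slightly beyond the figure by canonicalizing the request target (query string dropped, percent-decoding, dot-segments collapsed) before the lookup, so the decision is made on the path the server would actually serve.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Allow-list from the profiling phase (the slide's policy); everything else is denied.
POLICY = {("GET", "/"), ("GET", "/default.asp"), ("GET", "/login.asp"),
          ("GET", "/public/default.html")}

def canonical_path(target):
    """Reduce a request target to the path the server would serve: drop the
    query string, percent-decode, and collapse ./ and ../ segments."""
    path = unquote(urlsplit(target).path) or "/"
    path = normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path

def decide(request_line, policy=POLICY):
    """Return 'allow' if the method and canonical path are in the profile, else 'deny'."""
    parts = request_line.split()
    if len(parts) < 2:
        return "deny"                      # malformed request: implicit deny
    method, target = parts[0], parts[1]
    return "allow" if (method, canonical_path(target)) in policy else "deny"

def filter_requests(lines, policy=POLICY):
    """Apply the policy to a batch of request lines; returns [(line, decision), ...]."""
    return [(line, decide(line, policy)) for line in lines]

# Constructed traffic mirroring the figure: three user requests and one attacker request.
TRAFFIC = ["GET / HTTP/1.1", "GET /default.asp HTTP/1.1",
           "GET /passwd.txt HTTP/1.1", "GET /login.asp HTTP/1.1"]
```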

Commercial IPSs
• Hogwash (http://hogwash.sourceforge.net/oldindex.html)
• ISS Guard (http://www.iss.net/products_services/enterprise_protection/rsnetwork/guard.php)
• Netscreen (http://www.juniper.net/products/)
• Tipping Point (http://www.tippingpoint.com/products_ips.html)
• Intruvert (http://www.mcafee.com/us/products/mcafee/network_ips/category.htm?cid=10355)