Securing networks and systems
Aleksandr Lenin

Outline
• Networking (recap)
  – Networks, isolation domains: VLAN, subnets
  – CIDR/VLSM, network zoning
• Firewalls
  – Securing networks and hosts
• Network zoning
• IDS/IPS systems
  – Detecting and preventing intrusions

Networking recap
• Network
  – A set of hosts
  – Sharing the same network part of an IP address
  – Having a unique host part in an IP address
  – Broadcast domain

Networking recap (contd.)
• Address space:
  – The size of the address space = 2^n (n being the number of host bits in an IPv4 address)
  – CIDR notation
    • /24 = 8 bits for hosts. 2^8 = 256 addresses for 254 hosts.
  – Hosts’ address space = address space minus 2 reserved addresses
    • Gateway (first or last address in the address space)
    • Broadcast (last possible address in the address space)

Networking recap (contd.)
• Subnetting – why should we split our network into subnets?
  – It’s all about trust. Hosts within a network:
    • “trust” each other
    • communicate freely with each other
  – Establish trust boundaries
    • Trusted subnets, semi-trusted subnets, untrusted subnets
    • If an attacker controls one host in the network, assume that taking the other hosts under control will not be a major challenge
    • It is more difficult to cross subnet boundaries and get into another subnetwork.
  – Broadcast domain

Networking recap (contd.)
• Isolating groups of hosts within a network
  – VLAN
  – CIDR/VLSM – reduces the amount of “spare” addresses.
• Networks are interconnected with gateways (routers)
• Routers route packets between networks (primary objective).
• Additionally, they monitor and filter the traffic passing by.

Firewall
• A wall built to stop (or slow down) the spread of fire.
• A piece of software or dedicated hardware monitoring and filtering network traffic.
• Protects a network against unauthorized access.
• Protects hosts against unauthorized access.

Firewalling (contd.)
Firewalls – classification
By architecture:
• Hardware firewalls
• Software firewalls
By functionality/capabilities:
• Network layer firewalls
  – Stateless
  – Stateful
• Application layer firewalls
By type:
• Network-based firewalls
• Host-based firewalls

Network layer firewalls
Stateless (1st generation)
• Packet filters
• Examine packet headers.
• Filtering is done on the transport layer (on an address/port basis).
Stateful (2nd generation)
• Performs Stateful Packet Inspection (SPI).
• Blocks packets not matching a known active connection.
• Falls back to packet filtering for stateless protocols.
Examples:
• IPFilter (various), ipfw (FreeBSD/Mac OS X), NPF (NetBSD), PF (OpenBSD and some other BSDs), iptables/ipchains (Linux)

Application layer firewalls
• 3rd generation of firewalls (current).
• Work on the application level of the TCP/IP stack.
• Inspect actual packet data. May intercept all packets traveling to or from an application.
• Filter on a per-process basis instead of filtering connections.
• Decide whether a process should accept any given connection.
• May help prevent the spread of networked computer worms and trojans.
• Result – increased latency in packet forwarding.
• Problem – overly complex rulesets, limited efficacy.

Rulesets
• Permissive
  – By default traffic is allowed to pass
  – Rules specify which packets should be dropped
• Restrictive
  – By default traffic is dropped
  – Rules specify which packets are allowed to pass

Network zoning
• A zone is a LAN segment
  – Set aside for a specific function and/or IP range.
  – Routes to a gateway
  – Gateways provide network interconnection between the zones
  – A gateway is typically some firewall-like interface
  – The ruleset on a gateway defines which data may be transferred from one zone to another.
  – Access is granted in accordance with local security policies and best practices.

Network zoning (contd.)
• Zoning – grouping of computer resources by
  – Location
  – Function
  – Purpose
  – Access type
  – Subnet
  – Etc.
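The following is an added illustration of the two network-layer firewall generations and the two ruleset styles described above; it is not code from the slides or from any of the firewalls listed. It models a stateless, header-only packet filter with a configurable default policy (restrictive = default drop, permissive = default allow), and a stateful layer on top that admits packets belonging to a connection it has already accepted and falls back to the stateless rules for everything else, including stateless protocols such as UDP. The addresses reuse the SYSADMIN (10.0.2.0/24) and Servers (10.0.0.0/24) subnets from the zoning slides; the rule and packet contents are constructed for the example.

```python
"""Toy network-layer firewall: stateless packet filter with a default policy,
plus a stateful (SPI) wrapper that tracks admitted TCP connections.
Added example; not code from the slides or from any real firewall."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN flag: a new connection attempt


@dataclass
class Rule:
    action: str                   # "allow" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatelessFilter:
    """1st generation: looks at headers only, first matching rule wins,
    and the default policy decides when no rule matches."""

    def __init__(self, rules: List[Rule], default: str):
        assert default in ("allow", "drop")
        self.rules, self.default = rules, default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFilter:
    """2nd generation (SPI): remembers TCP connections the ruleset admitted and
    lets their replies through; a mid-stream TCP packet with no state is
    dropped; everything else falls back to the stateless rules."""

    def __init__(self, inner: StatelessFilter):
        self.inner = inner
        self.table: Set[Tuple[str, int, str, int, str]] = set()

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.table or reverse in self.table:
            return "allow"            # part of a known active connection
        if p.proto == "tcp" and not p.syn:
            return "drop"             # no state for this stream: reject
        verdict = self.inner.decide(p)
        if verdict == "allow" and p.proto == "tcp":
            self.table.add(key)       # track the connection just admitted
        return verdict


def demo() -> dict:
    """Restrictive ruleset: only SYSADMIN -> Servers on TCP/22 is permitted.
    The reply is admitted by state, an unsolicited packet from the server
    side is dropped, and a UDP packet is judged by the stateless rules."""
    rules = [Rule("allow", proto="tcp", src="10.0.2.0/24", dst="10.0.0.0/24", dport=22)]
    fw = StatefulFilter(StatelessFilter(rules, default="drop"))
    syn = Packet("10.0.2.5", 40000, "10.0.0.10", 22, "tcp", syn=True)
    reply = Packet("10.0.0.10", 22, "10.0.2.5", 40000, "tcp")
    rogue = Packet("10.0.0.10", 22, "10.0.2.5", 50000, "tcp")   # no matching state
    udp = Packet("10.0.3.7", 5000, "10.0.0.10", 53, "udp")      # stateless protocol
    return {"syn": fw.decide(syn), "reply": fw.decide(reply),
            "rogue": fw.decide(rogue), "udp": fw.decide(udp)}


if __name__ == "__main__":
    print(demo())
```

The same `StatelessFilter` with `default="allow"` and a list of drop rules is the permissive style: everything passes unless a rule names it, which is why a restrictive default is the safer starting point for a zone gateway.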
Network zoning (contd.)
• Zone members are placed within their own subnet.
• They can talk to devices outside their subnet/VLAN
  – only if the router/firewall allows this.
  – this enables flexible filtering.
• Each zone is self-contained.
• Each zone is isolated from the other zones before reaching the firewall.

Network zoning (contd.)
• Historical approach:
  – Place a firewall at the external touch-points of your network.
  – Place all public servers in the DMZ zone.
  – Restrict access to/from these devices for internal systems.
  – Modern approaches to network security do not stop at the perimeter – more thorough zoning is required.

Network zoning (contd.)
• Modern approach:
  – The DMZ concept + principles of trust/privacy
  – Split the internal network into segments
  – Provides increased security and privacy
  – Zones form boundaries within a network
  – Zones isolate trusted, semi-trusted, and untrusted devices from each other.

Network zoning (contd.)
• Pay attention to the following facts:
  – The trusted zone of the external firewall is actually an untrusted zone for the internal firewall.
  – The trusted zone of the external firewall receives traffic which has passed the rulesets of the external firewall.
  – The internal firewall can be configured with the same blocking rules as the external one and, additionally, with new rules for protecting the internal networks.

Network zoning (contd.)
• Similar access rules and restrictions across a zone.
• Makes management of firewalling and routing simpler over time.
• Zoned areas may be extended easily.
• 4 zones: Users, Administrators, Servers, Sensitive Data Servers.

Network zoning (contd.)
1. Decide how to group the resources.
2. Describe and qualify what is unique and different about each grouping – groups should not overlap.
3. Clarify what each zone can and cannot access (e.g. Sensitive Data Servers do not surf the web or have access to email).
4. Implement the designed grouping.

Network zoning (contd.)
• Zone – Servers
  – Subnet: 10.0.0.0/24 (10.0.0.0 – 10.0.0.255)
  – Size: 256 server IP addresses
  – Description: Zone dedicated to application servers and services; no end-users and no sensitive customer data
    • Examples: Intranet server, Email server, File server

Network zoning (contd.)
• Zone – SENSITIVE
  – Subnet: 10.0.1.0/24 (10.0.1.0 – 10.0.1.255)
  – Size: 256 server IP addresses
  – Description: Zone dedicated to servers that contain sensitive customer data (could also be employee data)
    • Examples: Oracle database server

Network zoning (contd.)
• Zone – SYSADMIN
  – Subnet: 10.0.2.0/24 (10.0.2.0 – 10.0.2.255)
  – Size: 256 system administrator IP addresses
  – Description: Zone dedicated to privileged administrators of systems, applications, or infrastructure; requires extra access to servers, network elements, etc.
    • Examples: Network Management Team, Firewall Administrators, Database Administrators, etc.

Network zoning (contd.)
• 4 zones: Users, Administrators, Servers, Sensitive Data Servers.
• Zone – USERS
  – Subnet: 10.0.3.0/22 (10.0.3.0 – 10.0.6.255)
  – Size: 1,024 desktop user IP addresses
  – Description: Zone dedicated to the general user base
    • Example: Average Joe user

Network zoning (contd.)
• Zone – NETCORE
  – Network: 10.255.0.0/24 (10.255.0.0 – 10.255.0.255)
  – Size: 256 network core IP addresses
  – Description: Zone dedicated to the network interfaces on routers, to facilitate core communications and isolate zones
    • Examples: each router has an interface in this zone

IDS/IPS Systems
Intrusion Detection System (IDS) – a piece of hardware or software which:
• monitors network or system activity
• detects malicious activities
• detects policy violations
• produces reports to a management station
• keeps track of suspicious activities in logs
“Observe, identify, report” idea.
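The following added example (not part of the course material) works through the address-space recap and the four-step zoning procedure against the zone table above. It parses each subnet strictly, computes the 2^n address count and the usable hosts after the two reserved addresses, checks that the groupings do not overlap (step 2), and evaluates a constructed zone-to-zone access matrix (step 3) by resolving source and destination addresses to zones. Strict parsing rejects a prefix whose address is not aligned to its mask; the USERS entry 10.0.3.0/22 as written on the slide is such a case (the mask-aligned /22 containing 10.0.3.0 is 10.0.0.0/22, which would overlap the three /24 zones), and the example shows that hosts in a misaligned zone cannot be classified, so a router or firewall could not apply the zone's rules to them. The access matrix and port numbers are assumptions for the illustration, following the slide's rule that the SENSITIVE zone does not surf the web or use email.

```python
"""Zone-plan check for the five zones on the slides. Added example; not part
of the course material. The POLICY matrix is a constructed assumption."""
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Zone table as written on the slides (USERS is copied exactly as given there).
ZONES = {
    "SERVERS":   "10.0.0.0/24",
    "SENSITIVE": "10.0.1.0/24",
    "SYSADMIN":  "10.0.2.0/24",
    "USERS":     "10.0.3.0/22",
    "NETCORE":   "10.255.0.0/24",
}


def parse_zone(prefix: str) -> Tuple[Optional[IPv4Network], str]:
    """Strict parsing refuses a prefix with host bits set (not mask-aligned)."""
    try:
        return ip_network(prefix, strict=True), "ok"
    except ValueError:
        aligned = ip_network(prefix, strict=False)   # aligned block containing it
        return None, f"not aligned; the /{aligned.prefixlen} containing it is {aligned}"


def describe(prefix: str) -> Dict[str, object]:
    """Address-space recap: size = 2^n, usable = 2^n - 2 reserved addresses."""
    net, note = parse_zone(prefix)
    if net is None:
        return {"prefix": prefix, "note": note}
    host_bits = 32 - net.prefixlen
    return {"prefix": prefix,
            "first": str(net.network_address),
            "last": str(net.broadcast_address),   # broadcast: last address
            "size": 2 ** host_bits,
            "usable": 2 ** host_bits - 2,
            "note": note}


def check_plan(zones: Dict[str, str]) -> Dict[str, object]:
    """Step 2 of the procedure: groupings must be well-formed and not overlap."""
    nets, misaligned = {}, {}
    for name, prefix in zones.items():
        net, note = parse_zone(prefix)
        if net is None:
            misaligned[name] = note
        else:
            nets[name] = net
    overl = [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]
    return {"aligned": sorted(nets), "misaligned": misaligned, "overlaps": overl}


# Step 3 (assumed policy): (source zone, destination zone) -> permitted ports.
# SENSITIVE appears only as a destination: it neither surfs the web nor uses email.
POLICY = {
    ("USERS", "SERVERS"):      {80, 443, 25, 143},
    ("SYSADMIN", "SERVERS"):   {22},
    ("SYSADMIN", "SENSITIVE"): {22, 1521},
    ("SERVERS", "SENSITIVE"):  {1521},
}


def zone_of(ip: str, zones: Dict[str, str] = ZONES) -> Optional[str]:
    """Resolve an address to its zone; misaligned zones cannot match anything."""
    addr = ip_address(ip)
    for name, prefix in zones.items():
        net, _ = parse_zone(prefix)
        if net is not None and addr in net:
            return name
    return None


def allowed(src: str, dst: str, dport: int) -> bool:
    """Gateway decision between zones: permit only what the matrix lists."""
    return dport in POLICY.get((zone_of(src), zone_of(dst)), set())


if __name__ == "__main__":
    for name, prefix in ZONES.items():
        print(name, describe(prefix))
    print(check_plan(ZONES))
    print(allowed("10.0.2.9", "10.0.1.20", 22), allowed("10.0.1.20", "10.0.0.5", 443))
```

Running it lists USERS under `misaligned` and an empty `overlaps` list for the four well-formed zones; carving the user block on a /22 boundary (for example 10.0.4.0/22, an assumption here) would keep 1,024 addresses and still not overlap the three /24 zones.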
IDS/IPS Systems (contd.)
Intrusion Prevention System (IPS) – a piece of hardware or software which does everything that an IDS can do and, additionally:
• Attempts to stop detected malicious activity by adaptively deploying various protective and defensive security measures
“Observe, identify, report, protect (act back)” ideology.

IDS/IPS Systems (contd.)
• Network-based and host-based IDS/IPS systems.
• Protect the network and the host, respectively.
• Differ in their approach to detecting suspicious activities.

IDS/IPS Systems (contd.)
Are used for:
• Detecting / preventing malicious activities in hosts and networks
• Increased security awareness
• Identifying problems with security policies
• Keeping track of existing threats
• Deterring individuals from violating security policies

IDS/IPS Systems (contd.)
Typical behavior:
• Perform monitoring, observe and classify events
• Log information about suspicious activities
• In case suspicious activity has been detected, deploy security measures (IPS systems)
• Notify security administrator(s) of important/critical suspicious activities that have been observed.

IDS/IPS Systems (contd.)
Network Intrusion Detection System (NIDS):
• is placed at strategic points within a network
• performs analysis of the entire traffic passing through the subnet
• performs pattern matching – matches traffic to a library of known attacks
• once a possible attack is detected – classifies its potential impact and proceeds as intended (just report, or prevent and report)

IDS/IPS Systems (contd.)
Host Intrusion Detection System (HIDS):
• runs on individual hosts or devices
• monitors incoming and outgoing traffic from/to this device only
• takes a snapshot of existing system files and compares it to the previous snapshot
• if critical system files were modified or deleted – sends a notification to the system administrator

IDS/IPS Systems (contd.)
Application protocol-based system
• Performs stateful protocol analysis.
• Focuses its attention on the specific application protocol(s) in use by the computing system.
• Monitors the dynamic behavior and state of the protocols.
• Example: an APIDS deployed between the web server and the database management system, monitoring the SQL protocol communications.

IDS/IPS Systems (contd.)
Statistical anomaly-based system
• Compares network traffic against an established baseline.
• The baseline establishes what is “normal” for that particular system (the amount of bandwidth, protocols, ports, which devices generally connect to each other, etc.)
• May raise false-positive alarms for legitimate use of resources.

IDS/IPS Systems (contd.)
Signature-based system
• Matches observed traffic against patterns of known malicious threats.
• Methods similar to the way antivirus software works.
• Problem – lag time between a new threat appearing and a signature for it being available, during which the IDS/IPS is unable to identify the threat.

IDS/IPS Systems
Examples:
• Snort
• Suricata
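To make the difference between the signature-based and the statistical anomaly-based approaches concrete, here is an added example that is not part of the slides and is not Snort or Suricata code. It runs both detectors over constructed flow records: the signature matcher looks for two known-bad request patterns on the web port, while the anomaly detector first learns a baseline from a training window (which destination ports are normal, and how many distinct ports a single host usually talks to) and then flags live flows to never-seen ports and hosts whose port fan-out is far above the baseline. The records, signatures and the threshold rule (mean plus three standard deviations) are assumptions for the illustration; the last live flow, a backup host using a port absent from the baseline, shows the false-positive behaviour the slide warns about.

```python
"""Signature-based vs. anomaly-based detection over constructed flow records.
Added example; not code from the slides, Snort or Suricata."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: str   # leading application bytes, as text


# Signature library (constructed): name, destination port, pattern.
SIGNATURES = [
    ("http-path-traversal", 80, re.compile(r"\.\./")),
    ("http-sql-union", 80, re.compile(r"union\s+select", re.I)),
]


def signature_alerts(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Known-bad pattern matching: fast and precise, but blind to anything new."""
    return [(f.src, name) for f in flows
            for name, port, rx in SIGNATURES
            if f.dport == port and rx.search(f.payload)]


def baseline(flows: List[Flow]) -> Dict[str, object]:
    """What is 'normal': ports seen, and mean/std of distinct ports per host."""
    per_host = defaultdict(set)
    for f in flows:
        per_host[f.src].add(f.dport)
    fanout = [len(ports) for ports in per_host.values()]
    return {"ports": Counter(f.dport for f in flows),
            "mean": mean(fanout), "std": pstdev(fanout)}


def anomaly_alerts(flows: List[Flow], base: Dict[str, object],
                   k: float = 3.0) -> List[Tuple[str, str]]:
    """Flag flows to ports absent from the baseline and hosts whose distinct
    port count exceeds mean + k*std (scan-like fan-out)."""
    alerts, per_host = [], defaultdict(set)
    for f in flows:
        per_host[f.src].add(f.dport)
        if f.dport not in base["ports"]:
            alerts.append((f.src, f"unseen-port-{f.dport}"))
    threshold = base["mean"] + k * base["std"]
    for host, ports in per_host.items():
        if len(ports) > threshold:
            alerts.append((host, f"port-fanout-{len(ports)}"))
    return alerts


# Constructed training window: desktops in the USERS range using web and mail.
TRAINING = [
    Flow("10.0.3.10", "10.0.0.10", 80, "GET / HTTP/1.1"),
    Flow("10.0.3.10", "10.0.0.10", 443, ""),
    Flow("10.0.3.11", "10.0.0.10", 80, "GET /intranet HTTP/1.1"),
    Flow("10.0.3.11", "10.0.0.10", 443, ""),
    Flow("10.0.3.11", "10.0.0.20", 25, "EHLO laptop11"),
    Flow("10.0.3.12", "10.0.0.10", 80, "GET /news HTTP/1.1"),
    Flow("10.0.3.13", "10.0.0.10", 80, "GET / HTTP/1.1"),
    Flow("10.0.3.13", "10.0.0.10", 443, ""),
]

# Constructed live window: normal use, one signature hit, one host sweeping
# ports, and a legitimate backup job that the baseline has never seen.
LIVE = [
    Flow("10.0.3.10", "10.0.0.10", 80, "GET /news HTTP/1.1"),
    Flow("10.0.3.10", "10.0.0.10", 443, ""),
    Flow("10.0.3.14", "10.0.0.10", 80, "GET /static/../../app.config HTTP/1.1"),
] + [Flow("10.0.3.50", "10.0.0.10", p, "") for p in (21, 22, 23, 25, 80, 443, 3389)] + [
    Flow("10.0.3.12", "10.0.0.30", 873, "@RSYNCD: 31.0"),   # false positive
]


def run_demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    return signature_alerts(LIVE), anomaly_alerts(LIVE, baseline(TRAINING))


if __name__ == "__main__":
    sig, anom = run_demo()
    print("signature:", sig)
    print("anomaly:", anom)
```

The sweeping host produces four unseen-port alerts and one fan-out alert, the traversal request is caught only by the signature matcher, and the backup host is reported by the anomaly detector although its traffic is legitimate; tuning the baseline window and the threshold, and correlating both detector outputs, is how an analyst keeps that false-positive rate workable.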