Security Special Lecture for CIW Instructors
Department of Computer Science, Ewha Womans University
Hwan-Seung Yong (용 환승)
http://dblab.ewha.ac.kr/hsyong
Before Starting (1/2)
• UNIX and Open System
  – No restriction, open source code policy
  – For the developer's workbench
  – TCP/IP based internetworking
  – Focused on convenience of use: simple, fast
    • Finger, rwho and many other features
    • But once hackers appeared, such services and features were shut down
  – Checking the features of a default UNIX installation and closing services is a major function of security packages
  – Tradeoff between open system and security
2001-7-30
CIW Security by H.S.Yong
2
Before Starting (2/2)
• Security now matters, but perfect security is impossible
  – How can tens of millions of lines of code be known to be flawless?
    • Debugging time exceeds development time
  – Similar to guessing the exact population of China
• In Korea
  – Security is treated as a basic duty of the system admin
  – Security functions are low on the priority list
• Security at intelligence agencies:
  – No e-mail, no floppy drive (but what if the hard disk is carried off?)
  – Physically cut off from the Internet (100% protection)
Overview
• Network Security and Firewall (2 days)
  – Security fundamentals and firewalls
• Operating System Security (1 day)
  – Security functions provided by the operating system
  – TCP Wrapper, etc.
    • Logs all TCP/IP traffic and controls blocking
    • Rules such as allowing telnet only from specific IPs
  – Keylogger (p. 422)
    • Records every keystroke and sends it by mail
    • A function administrators also need (employee monitoring, etc.)
• Security Auditing, Attacks, and Threat Analysis (2 days)
  – Only the key points, condensed into 4 hours
Lecture Plan
• Each session: 30 minutes of lecture and 20 minutes of practice
• Session 1
  – Chapter 1 Introduction; Chapter 2 Discovery methods: lecture and practice (Sniffer Basic, Ping ProPack, Nmap)
• Session 2
  – Chapter 3 Attacking (hacking) methods: lecture and practice (synful, smurf, targa, nat)
• Session 3
  – Chapter 4 Security auditing and control: lecture and practice (Netbus)
  – Chapter 5 IDS (Intrusion Detection System): lecture and practice (eTrust)
• Session 4
  – Chapter 6 Auditing and log analysis (last command)
  – Chapter 7 Audit results and proactive detection: lecture and practice (neped, tcpdump)
Lesson 1:
Security Auditing
Objectives
• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factor for a network
• Describe the security auditing process
• Plan an audit
What Is an Auditor?
• Network security
• Risk assessment
What Does an Auditor Do?
• Compliance
• Risk analysis
Auditor Roles and Perspectives
• Auditor as security manager
• Auditor as consultant
• Insider threats
Conducting a Risk Assessment
• Check for a written security policy
• Analyze, categorize and prioritize resources
• Consider business concerns
• Evaluate existing perimeter and internal security
• Use existing management and control architecture
Risk Assessment Stages
• Discovery
• Penetration
• Control
Summary
• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factor for a network
• Describe the security auditing process
• Plan an audit
Lesson 2:
Discovery Methods
Objectives
• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners
Security Scans
• The whois service
• nslookup
• The host command
• The traceroute (tracert) command
• Network-discovery and server-discovery applications
• NMAP (Network Mapper)
• Ping scanning
  – Identifies the OS from details specific to each TCP/IP implementation
  – Stack fingerprinting
  – Sweeps the whole IP address range
• Port scans
• Share scans
  – Maps the directory sharing structure
• Default configuration and patch-level scans
• Using Telnet
Discovery Methods
• Using SNMP (Simple Network Management Protocol)
  – SNMP software
  – The weakness that comes from keeping the default settings and passwords
• Identifying a web server's version with Telnet
  – % telnet server 80
• TFTP (Trivial File Transfer Protocol)
  – Remote booting of diskless workstations
  – Lets X terminals and the like transfer files without a login process
  – Many OSes ship with wrong defaults, so it is vulnerable
TCP/IP Services
• Finger
  – User names
  – Server names
  – E-mail accounts
  – User connectivity
  – User logon status
Enterprise-grade Auditing Applications
• Protocol support
• Network scanners
• Subnetting
• Configuring network scanners
• Configuring host scanners
Scan Levels
• Profiles and policies
• Reporting
• NetRecon
• CyberCop Scanner
• Security Analyzer
• ISS scanning products
• Additional scanning application vendors
Social Engineering
• Telephone calls
• Fraudulent e-mail
• Education
What Information Can You Obtain?
• Network-level information
• Host-level information
• Research
• Legitimate versus illegitimate network tools
Summary
• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners
Chapter 2: Discovery Methods
• Identify the target systems to penetrate
• Can start from a web address
  – Names and IP addresses of the servers
  – Port/service status of each server
  – Inspect all network packets and detect passwords, etc.
  – Map the state of the network
  – Remote control
• Ping ProPack: tests throughput, ports, info and other functions
• Sniffer Basic (NetXRay)
• Nmap
Lesson 3:
Auditing Server Penetration and Attack Techniques
Objectives
• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration
Attack Signatures and Auditing
• Reviewing common attacks
  – Dictionary: guesses passwords using a dictionary
  – Man in the middle: steals passwords in transit through sniffing
  – Hijacking: pushes one participant out of a connection between two parties and takes its place in the middle
  – Viruses: many kinds appear, leaking corporate secrets
    • Viruses attached to documents
    • Mail "viruses" (?): a mail virus warning you to beware of viruses
  – Illicit servers: run illegitimate server processes
  – Denial of service: stops a service through packet attacks
    • A way to halt a service without penetrating the system
Common Targets
• Routers
• FTP servers
• Databases
• Web servers: posting other content on a web site as web "graffiti"
  – CIA (Central Idiot Agency), etc.
• DNS
  – Adding false DNS entries: DNS "poisoning"
• WINS: Microsoft Windows Internet Name Service
• SMB (Server Message Block) services
  – Client-server, request-response protocol
  – Windows SMB, Unix Samba
Auditing Trap Doors and Root Kits
• Auditing bugs and back doors
• It is important to know the list of vulnerabilities of the systems in use
  – CERT center (www.cert.org)
Buffer Overflow
• Preventing denial-of-service attacks
• Auditing illicit servers, Trojans and worms
Combining Attack Strategies
• Penetration strategies
  – Physical
  – Operating system: exploits problems related to OS installation, etc.
  – Bad password policies: managing logins over FTP can leak passwords
  – NAT (NetBIOS Auditing Tool)
    • A tool for checking weak passwords
    • Checks attacks using an ID list and a password list
  – Bad system policies
  – Auditing file system weaknesses
• IP spoofing and hijacking
  – Blind and non-blind spoofing
Attacks Exploiting TCP/IP Stack Problems
• SYN flood
• Smurf and Fraggle attacks
• Teardrop/Teardrop2
• Ping of death
• Land attack
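An added example (not part of the original slides or the CIW courseware) showing how a defender recognises four of these attacks in a batch of packet summaries: Land (source equals destination), Smurf (echo request aimed at a directed broadcast), Ping of death (oversized datagram) and SYN flood (many half-open SYNs never completed by an ACK). The packet records, the /24 broadcast assumption and the threshold of 20 are constructed for the example; Teardrop is omitted because the summaries carry no fragment offsets.

```python
from collections import Counter

# Constructed packet summaries (not a real capture):
# (proto, src, sport, dst, dport, flags, length_in_bytes)
PACKETS = [
    ("tcp", "10.0.0.5", 139, "10.0.0.5", 139, "S", 40),                # land: src == dst
    ("icmp", "203.0.113.9", 0, "192.168.1.255", 0, "echo-req", 64),    # smurf trigger
    ("icmp", "198.51.100.4", 0, "192.168.1.20", 0, "echo-req", 66000), # oversized ping
    ("tcp", "192.168.1.30", 5000, "192.168.1.10", 80, "S", 40),        # normal handshake
    ("tcp", "192.168.1.30", 5000, "192.168.1.10", 80, "A", 40),
] + [("tcp", f"198.51.100.{i}", 4000, "192.168.1.10", 80, "S", 40) for i in range(1, 31)]

SYN_FLOOD_THRESHOLD = 20  # assumed tuning value: half-open SYNs per (dst, port) in one batch
IP_MAX_LENGTH = 65535     # an IP datagram can never legally exceed this size

def is_directed_broadcast(ip):
    """Assumption: /24 subnets, so a .255 host part is the directed broadcast."""
    return ip.endswith(".255")

def classify(packets):
    """Return (label, detail) alerts for one batch of packet summaries."""
    alerts = []
    syns = []          # (src, sport, dst, dport) of every bare SYN
    completed = set()  # 4-tuples that later carried an ACK, i.e. a real handshake
    for proto, src, sport, dst, dport, flags, length in packets:
        if src == dst and sport == dport:
            alerts.append(("land", f"{src}:{sport} -> {dst}:{dport}"))
        elif proto == "icmp" and flags == "echo-req":
            if is_directed_broadcast(dst):
                alerts.append(("smurf", f"echo request to broadcast {dst} from {src}"))
            if length > IP_MAX_LENGTH:
                alerts.append(("ping-of-death", f"{length}-byte echo from {src}"))
        elif proto == "tcp":
            key = (src, sport, dst, dport)
            if flags == "S":
                syns.append(key)
            elif "A" in flags:
                completed.add(key)
    # SYN flood: many half-open SYNs against one service, none completed by an ACK
    half_open = Counter(key[2:] for key in syns if key not in completed)
    for (dst, dport), n in half_open.items():
        if n >= SYN_FLOOD_THRESHOLD:
            alerts.append(("syn-flood", f"{n} half-open SYNs to {dst}:{dport}"))
    return alerts

if __name__ == "__main__":
    for label, detail in classify(PACKETS):
        print(f"{label:14} {detail}")
```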
Summary
• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration
Chapter 3: Server Penetration and Attack Techniques
• Exercise 3-1, Linux SYN flood attack
  – Synful.c
  – Teams of two
  – Linux: Synful attack; Windows NT: inspect the connections
• Exercise 3-2, Smurf attack: denial of service
  – Papasmurf.c
  – Smurf uses ICMP, fraggle uses UDP
  – See Figure 3.3 (p. 631)
  – Same as Exercise 3-1: two people per team, one attacking and one observing the state
• Exercise 3-3, Land and Teardrop attack practice
  – Uses Targa2.c
• NAT practice (p. 627)
Lesson 4:
Security Auditing and the Control Phase
Objectives
• Define control procedures
• Identify control methods
• List ways to document control procedures and methods
Control Phases
• Gaining root access
• Obtaining information
UNIX Password File Locations
• The shadow password file
• Redirect information
• Create new access points
• Erase evidence of penetration
• Spread to other systems
• Port redirection
Control Methods
• System defaults
• Services, daemons, and loadable modules
• Illicit services, daemons, and loadable modules
• Keyloggers
Auditing and the Control Phase
• The auditor never truly enters the control phase
  – This is the difference from a hacker
• The auditor must recognize suspicious traffic
• The auditor needs to prove that the penetration was carried out for the audit
  – Output from each piece of software used
  – System log files evidencing the auditor's activity
  – Screenshots of the penetrated resources, etc.
NetBus Functions
• Start applications and reboot
• Log off the user
• Control the web browser (send it to a specific URL)
• Send keystrokes to other applications
• File upload/download
• Password management
• Manage system windows, the registry, etc.
Chapter 4: Security Auditing and Control
• Remote administration and information discovery
• NetBus practice (for Windows NT)
  – Installing and exercising the server and client
  – TELNET setup and practice
  – HTTP setup and practice
  – Other server functions
    • File Manager
    • Cool Function (CD-ROM, keystroke control, URL, etc.)
• Exercises 4-3, 4-4, 4-5, 4-6, etc.
Lesson 5:
Intrusion Detection
Objectives
• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
  – Scanning finds only flaws that are already known
  – An IDS monitors and controls all traffic
• List the elements used in an intrusion-detection system
• Implement intrusion-detection software
What Is Intrusion Detection?
• Capabilities
  – Network traffic management
  – System scanning, jails, and the IDS
  – Tracing (important)
• Is intrusion detection necessary?
  – Increase in internal hacking
  – Security inside the firewall also matters
  – Firewall security is incomplete
• IDS concerns: the IDS itself is a prime target for hackers
Intrusion Detection Architecture
• Network-based IDS
  – Simple: installed on a host
  – Monitors the network traffic of the whole subnet
  – Unsuitable for complex networks
• Host-based IDS
  – Consists of one manager and several agents
  – Manager-to-agent ratio: limited to 50 or 100
  – Agents
    • Act as network monitors
    • Operate in promiscuous mode
  – Optimal agent placement (install on critical hosts)
  – Auditing manager-to-agent communication
IDS Rules
• Network anomalies
  – Detect NetBus, Smurf attacks, etc.
• Network misuses
  – Prevent use for web surfing, games, etc.
• Actions
  – Specify the range of protected hosts
  – Time periods
  – Blocking, notification and related functions
• False positives and IDS configuration
  – Over-detection can occur (reporting normal activity as abnormal)
  – Rules must be written carefully.
Intrusion Detection Software
• Computer Associates eTrust Intrusion Detection
• Axent Intruder Alert
• Cisco NetRanger
• ISS RealSecure
• Computer Misuse Detection System
• Network Flight Recorder
• Network Associates CyberCop Monitor
Purchasing an IDS
• Product support
• Product training
• Update policy
• Company reputation
• IDS capacity
• Product scalability
• Network support
• Encryption
Summary
• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
• List the elements used in an intrusion-detection system
• Implement intrusion-detection software
Chapter 5: Intrusion Detection
• eTrust Intrusion Detection practice: Exercises 5-1 through 5-5
• Main functions
  – See your users' Web usage
    - See where they are going
    - See what they are doing
    - Generate easy-to-read management and detail reports
  – View Web, Telnet, FTP, POP traffic activity
  – View all e-mail messages (message content masked)
  – Blocking
  – View and terminate inappropriate active sessions
  – Send message, e-mail and fax alert messages (limits user e-mail notification)
  – Receive notifications of:
    - Non-productive URL access
    - Predefined intrusions and suspicious network activity
    - Malicious Java and ActiveX applets
    - Viruses entering the network
Lesson 6:
Auditing and Log Analysis
Objectives
• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in NT and Linux systems
• Establish auditing for logins, system restarts, and specific resource use
Baseline Creation and Firewall and Router Logs
• Baseline is standard activity for a network
  – Immediately spot anything that deviates from the baseline
• Logs help determine activity patterns of users
  – Extract traffic patterns
  – Extract changes in the maximum/minimum usage patterns
Operating System Logs
• Logging UNIX systems
• Logging NT systems
Filtering Logs
• Filtering logs in Windows NT
• Filtering logs in Linux
• Operating system add-ons and third-party logging
Suspicious Activity
• Skilled hacking attempts to camouflage its use as legitimate system activity
  – Login attempts at 1 AM
  – The main server rebooting early in the morning
  – Occasional slowdowns of the system during the day
Additional Logs
• Intrusion detection systems
• Telephony connections
• ISDN and/or frame relay connections
• Employee access logs
Log Storage
• Sending logs to a different machine for storage
• Replicating logs to a writable CD-ROM drive
• Scheduling hard-copy backups
Auditing and Performance Degradation
• The performance degradation caused by auditing must be considered
• Network traffic
• Packet sniffers
Summary
• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in NT and Linux systems
• Establish auditing for logins, system restarts, and specific resource use
Chapter 6: Auditing and Log Analysis
• p. 741, Linux log filtering
  – last
  – lastlog
  – lastb
• Exercise 6-3, Using the Linux auditing tools
  – last, lastlog
  – cat /var/log/secure | grep telnet
  – lastb
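Added example (not from the slides or the textbook) that automates the checks of this chapter and of the Suspicious Activity slide: it reads `last` output for logins and reboots during off hours (the 1 AM login and early-morning reboot cases) and /var/log/secure lines for telnet connections, the programmatic form of the `grep telnet` above. The log lines, the host name srv and the 00:00-05:59 off-hours window are constructed assumptions.

```python
import re

# Constructed sample in the column layout of `last` output (not from a real wtmp).
LAST_OUTPUT = """\
alice    pts/0        192.168.1.40     Mon Jul 30 09:12 - 17:40  (08:28)
bob      pts/1        192.168.1.41     Mon Jul 30 01:05 - 01:20  (00:15)
reboot   system boot  2.2.16-22        Mon Jul 30 05:10
root     tty1                          Mon Jul 30 05:12 - 05:30  (00:18)
"""
# Constructed sample lines in the layout of /var/log/secure (syslog format).
SECURE_LOG = """\
Jul 30 09:12:01 srv sshd[812]: Accepted password for alice from 192.168.1.40
Jul 30 01:05:03 srv in.telnetd[901]: connect from 192.168.1.41
Jul 30 13:44:10 srv in.ftpd[955]: connect from 192.168.1.42
"""

OFF_HOURS = range(0, 6)  # assumption: 00:00-05:59 lies outside the site's baseline activity

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>.+?)\s+(?P<host>\S*)\s+"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) (?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d)")
SECURE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d \S+ (?P<prog>[\w.]+)\[\d+\]: (?P<msg>.*)$")

def review_last(text):
    """Flag off-hours logins and reboots in `last` output (the 1 AM / early-morning cases)."""
    findings = []
    for m in filter(None, map(LAST_RE.match, text.splitlines())):
        if int(m["hh"]) not in OFF_HOURS:
            continue
        when = f"{m['mon']} {m['day']} {m['hh']}:{m['mm']}"
        if m["user"] == "reboot":
            findings.append(f"reboot at {when}")
        else:
            findings.append(f"off-hours login: {m['user']} on {m['tty']} "
                            f"from {m['host'] or 'console'} at {when}")
    return findings

def review_secure(text):
    """Flag cleartext telnet connections: the programmatic `grep telnet /var/log/secure`."""
    return [f"telnet {m['msg']} at {m['mon']} {m['day']} {m['hh']}h"
            for m in filter(None, map(SECURE_RE.match, text.splitlines()))
            if m["prog"] == "in.telnetd"]

if __name__ == "__main__":
    for line in review_last(LAST_OUTPUT) + review_secure(SECURE_LOG):
        print(line)
```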
Lesson 7:
Audit Results
Objectives
• Recommend solutions based on specific network problems
• Suggest ways to improve compliance to a security policy
• Create an assessment report
• Enable proactive detection services
Objectives (cont’d)
• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh
Auditing Recommendations
• Recommending specific ways to continue or implement efficient auditing
• Confronting and correcting virus, worm and Trojan infections
• Recommending changes and improvements
Network Auditing Categories
• Firewalls and Routers
• Host and Personal Security
• Intrusion Detection and Traceback
• Policy Enforcement
Creating the Assessment Report
• Sample audit report elements include:
  – Overview of existing security
  – Estimates of time hackers require to enter system
  – Summary of important recommendations
  – Outline of audit procedures
  – Network element recommendations
  – Physical security discussion
  – Terms
Improving Compliance
• Steps for continued auditing and strengthening
Security Auditing and Security Standards
• ISO 7498-2
• British Standard (BS) 7799
• Common Criteria (CC)
• Evaluation Assurance Levels
Improving Router Security
• Restrict physical access
• Ingress and egress filtering
  – Filtering of the traffic packets
  – Only packets from designated IPs are allowed through
• Disable broadcast filtering
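Added example (not from the slides) of the ingress/egress rule as a small policy evaluator: spoofed or private sources arriving from outside are dropped, only internal sources may leave, and directed broadcasts into the inside network (the Smurf amplifier from Lesson 3) are not forwarded. The 192.168.1.0/24 inside network, the interface names and the sample packets are constructed assumptions.

```python
import ipaddress

# Assumed topology (constructed for this example): the router's "inside"
# interface serves 192.168.1.0/24; the Internet side is "outside".
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Source ranges that never legitimately arrive from the Internet
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _in(ip, nets):
    return any(ip in n for n in nets)

def filter_packet(iface, src, dst):
    """Return (verdict, reason) for a packet seen on iface ('inside' or 'outside')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "outside":
        # Ingress: drop packets claiming our own or private address space as source
        if _in(s, INTERNAL_NETS) or _in(s, BOGON_NETS):
            return "drop", f"ingress: spoofed or private source {src} on outside interface"
        # A directed broadcast into the inside network would make it a smurf amplifier
        if any(d == n.broadcast_address for n in INTERNAL_NETS):
            return "drop", f"directed broadcast to {dst} is not forwarded"
    elif iface == "inside":
        # Egress: only our own addresses may leave, so this site cannot be a spoofing source
        if not _in(s, INTERNAL_NETS):
            return "drop", f"egress: source {src} is not an internal address"
    return "accept", "passes ingress/egress policy"

# Constructed sample packets: (interface, src, dst)
SAMPLE = [
    ("outside", "203.0.113.7", "192.168.1.10"),   # ordinary inbound
    ("outside", "192.168.1.50", "192.168.1.10"),  # spoofed internal source
    ("outside", "10.1.2.3", "192.168.1.10"),      # private source from the Internet
    ("outside", "203.0.113.7", "192.168.1.255"),  # smurf-style directed broadcast
    ("inside", "192.168.1.20", "198.51.100.9"),   # ordinary outbound
    ("inside", "198.51.100.1", "198.51.100.9"),   # spoofed source leaving our network
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        verdict, reason = filter_packet(*pkt)
        print(f"{pkt[0]:8} {pkt[1]:>14} -> {pkt[2]:<14} {verdict:6} {reason}")
```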
Enabling Proactive Detection
• Scan detection, honey pots and jails
  – Detecting a NIC in promiscuous mode
Host Auditing Solutions
• Cleaning up infections
• Personal firewall software
• IPSec and personal encryption
• Native auditing services
• Fixing system bugs
• IPv6
Secure Shell (SSH)
• Security services provided by SSH
• Encryption and authentication in SSH
• SSH2 components
• Preparing SSH components
• SSH and DNS
• SSH and authentication
Summary
• Recommend solutions based on specific network problems
• Suggest ways to improve compliance to a security policy
• Create an assessment report
• Enable proactive detection services
Summary (cont’d)
• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh
Security Auditing, Attacks, and Threat Analysis
• Security Auditing
• Discovery Methods
• Auditing Server Penetration and Attack Techniques
• Security Auditing and the Control Phase
• Intrusion Detection
• Auditing and Log Analysis
• Audit Results
Chapter 7: Audit Results
• Proactive detection
  – Move from a passive defensive posture to actively detecting and tracing hackers
  – Honeypots and jails
  – Detecting NICs in promiscuous mode
• Exercise 7-3
  – Anti-sniffing technique
  – Installing Neped.c on Linux and testing with tcpdump
• Exercise 7-6, practice on p. 789
  – Installing SSH as a replacement for Telnet/rlogin
  – Download from www.ssh.com, Linux
  – No evaluation version is currently offered.
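A host-local companion to the promiscuous-NIC detection named under Proactive Detection and in this exercise: an added example, not from the slides or from neped. It assumes a Linux host that exposes /sys/class/net/<interface>/flags and uses the kernel's IFF_PROMISC bit (0x100); the sample flag values are constructed.

```python
import os

IFF_PROMISC = 0x100  # Linux interface flag bit for promiscuous mode (linux/if.h)

def promiscuous_from_flags(flags_text):
    """True if a /sys/class/net/<if>/flags value (hex text such as '0x1103') has PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def scan_flags(flags_by_iface):
    """Return the interface names whose flags show promiscuous mode, sorted."""
    return sorted(name for name, text in flags_by_iface.items()
                  if promiscuous_from_flags(text))

def read_sysfs_flags(root="/sys/class/net"):
    """Collect {iface: flags text} from a live Linux host; empty dict where sysfs is absent."""
    flags = {}
    if not os.path.isdir(root):
        return flags
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as f:
                flags[name] = f.read()
        except OSError:  # virtual interfaces or permission problems; skip them
            continue
    return flags

# Constructed sample: typical flag words for loopback, a normal NIC, and one
# put into promiscuous mode by a sniffer (0x1003 | IFF_PROMISC == 0x1103).
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}

if __name__ == "__main__":
    print("sample:", scan_flags(SAMPLE_FLAGS) or "none")
    print("this host:", scan_flags(read_sysfs_flags()) or "none")
```

This sees only what the kernel reports on the host being audited; neped's ARP-probe approach is needed to spot a sniffing host elsewhere on the segment.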