Download Internal Networks and Physical Attacks

Internal Networks and
Physical Attacks
By
Rohini Yadla
ISQS 6342
Introduction



Working in conjunction with the FBI, the Computer
Security Institute (CSI)—a San Francisco-based
association of IT security workers—recently released
the results of its annual membership survey on
cyber crime.
Among the findings: 359 of CSI's 538 member firms,
government agencies and universities lost more
than $50 million in 2000 as a direct result of
unauthorized insider access and abuse of corporate
IT systems.
All told, 91% of all member institutions surveyed
reported some sort of insider abuse of network
access during the past year.
Survey and Statistics
According to Computer Security Institute/FBI report
‘Issues and Trends’:2001 CSI/FBI Computer Crime And
Security Survey:

78% of the companies surveyed reported insider abuse.

65% reported laptop theft.

44% reported unauthorized access.

18% reported theft of proprietary information.
In spite of increasing crime rates for computer security,
very few companies seal off their networks and lock up
their laptops.
The Problem




The mantra of successful e-business around the globe is getting louder and
louder. In order to provide global instant access to key corporate data,
corporations are increasing their commitment to e-business.
The underlying infrastructure that supports this e-business capability is
based on open systems and ubiquitous networks.
Because these systems are built to be open, they are teeming with security
holes and weaknesses ready to be exploited by employees, consultants or
even hackers.
Companies operating Web sites for enhanced communications, or ecommerce, risk denial of service, spoofing or possible defacement of their
Web facility due to Web-site breaches or DNS circumvention. While
firewalls and virtual private networks (VPNs) offer adequate perimeter and
access controls, internal, remote and even authenticated users,
unfortunately, can attempt probing, misuse or malicious acts.
Technical Weaknesses






In deploying the network ,technology can provide
many weak points.
Improperly Configured Firewall Gateways or
Servers with well-known (or non-existent ) root
passwords.
Multiple Passwords.
Remote Access.
Packet filtering devices.
Lack of Compartmentalization.
Unsecured Data
Firewalls





While developing and deploying web-based applications,
organizations secure their networks with technologies such as
Firewalls.
Firewalls can be deployed at critical network junctions to
manage access between major network segments in an attempt to
foil malicious employees.
A firewall validates Transmission Control Protocol (TCP) and in
some products, UDP sessions before opening a connection or
circuit through firewalls.
The state of the session is monitored , but any kind of data
coming through the firewall while the session remains open is
allowed, creating a security hole.
Usually, lack of engineering resources leave the firewall
misconfigured.
Firewalls
Firewalls




Many costumers do not want to open additional ports through
firewalls. Sites allow HTTP and SMTP through the firewall,
while blocking all other communications.
Other sites depend on proxy servers for outbound sessions such
as FTP, Telnet and Gopher.
Some application programmers know about these limitations
and are afraid to ask the firewall administrators to open a new
port for proprietary protocol between two enterprise sites. One
trick is to write the application so that the endpoints
communicate on port 80 (The HTTP port!!!!!).
Essentially , the developers are using the port 80 as general
purpose hole through which to punch private protocols!!!!!!!!.
Firewalls
Fig 1: Corporate security systems often deploy a "demilitarized zone" to
protect internal networks. Two firewalls surround the Web servers,
keeping the company's internal networks behind both the firewalls,
while
still
allowing
access
to
outside
Web
sites.
Multiple Passwords






As organizations deploy business-critical applications and remote access
servers, and divide work groups by LAN servers, users are expected to
remember and be responsible with more and more passwords.
The effect of too many passwords is weakened security, because users start
writing them down, and because LAN administrators have to administer
multiple password management systems for each user.
A secure approach is the single sign- on system which provides centralized
access control list.
Single sign- on systems keep a list of who is authorized to access different
areas of the network. The Systems use a directory to store the names,
passwords and access control for each user and system resource.
Users need only to remember a single password to sign into the system.
This provides a single point of entry for administration, further tightening
security.
Remote Access





The biggest single weak point in security for the internal networks
occurs in remote access implementations-pools of dial- in modems
ready to provide access to corporate network resources and
administrations.
Freely available “war –dialers”-programs that will dial a programmed
list of numbers and try to gain access to information –make modem
pools a weak link in security architecture.
Even without correct names and passwords, many remote access
servers reveal host names or LAN router prompts.
There are many ways to secure a remote access system including
placing all modems in a modem pool behind a firewall that requires the
users to authenticate before gaining access to the network.
Encryption is another mechanism that protects traffic between user
machines.
Packet Filtering Devices





Packet filtering devices such as routers use packet filtering rules to
grant or deny access based on source address, destination address and
port.
The source address and destination address and ports contained in the
IP packet header are the only information that is available to the
router in making a decision whether or not to permit traffic access to
an internal network.
They offer minimal security at a minimal cost and are appropriate
choice for a very low risk environment.
They do not protect against IP or DNS spoofing. An attacker will have
direct access to any host on the internal network once the router has
granted access.
In order to grant access to valuable corporate assets only to those who
need them and deny everything else, evaluation of the existing routing
and switching tables is necessary.
Compartmentalization




Many organizations allow access from any user to any resource on
the corporate network.
Dividing the network into segments –such as human resources,
engineering, manufacturing, sales and others protects assets from
unauthorized users. This is readily achieved by using firewall
technology to control traffic within the workgroups
and
departments.
For example, compartmentalization, which provides extra measures
of security between external servers such as the web and commerce
servers and the internal servers and databases, is a good idea.
A secure operating environment and strict networking and access
controls would be appropriate for any server that is exposed to
public use and has access to internal databases.
Unsecured Data




Business requirements are driving IT initiatives to take advantage of
web-based standards and to extend services to both internal
constituents and business partners. However, by extending the
availability of internal applications, companies also increase their
exposure to threats from trusted –as well as unknown-users
attempting to probe and potentially cripple or corrupt these
applications.
Sensitive data-including salary information , strategic plans and
intellectual property-requires extra protection.
Yet on many internal networks, it is accessible by anyone on the
network.
Advanced operating environments provide multiple levels of file
protection and logging utilities to track users who access or attempt
to access, the data.
Network Security Solution
Requirements

In order to protect an organization’s most critical internal assets, one must
deploy a solution that secures the infrastructure at its foundation—the
network level. The solution should have certain critical capabilities. It
should be able to:

Instantaneously terminate a session or packet that is requesting a
service or destination that is outside of the parameters defined for that
machine.

Lock down a machine, network segment or network if a system that
houses your valued assets is being pinged, probed or accessed in
violation of network security policy.

Generate logs so that you can evaluate the point of origin and identify
the specific attack patterns .

Require minimal administration and act as a proactive protector of the
network after initial set-up and deployment.

Be centrally managed.

Operate in stealth mode, “passively” monitoring traffic across the
network without impact to network performance.
Layered Security

The layered security approach is one of the most widely agreed upon
strategies by information security experts. It promotes the use of
multiple technologies to thwart hackers and malicious employees
from gaining access to key corporate assets. The approach was
developed when many companies that had deployed firewall
technology found their organization had been compromised. It
became clear that:

Firewalls can be bypassed or directly defeated.

Many devastating attacks were originating from inside the firewall
bypassing that security measure.
 Additional layers of security that operate in a stealth mode are
needed to protect critical assets for those situations where a firewall
is defeated.
Vulnerabilities








Firewalls, Anti-virus software and Internet filtering tools remain the most
prevalent forms of defense for an organization. However, 85% of the organizations
that reported security breaches in 2002 had deployed these types of technologies.
Clearly, a more robust solution is needed.
The advent of the Internet brought an accelerated demand for firewalls and,
possibly, the misunderstood conclusion that firewalls provide an airtight
perimeter defense.
Among the security problems:
Firewalls do not monitor authorized users' actions.
Firewalls control perimeter access and therefore do not address internal threats.
Firewalls must guarantee some degree of access, which may allow for vulnerability
probing .
Firewall policies may lag behind environment changes, which leaves room for
possible entry and attack.
Hackers who use social engineering to gain trusted access often circumvent
firewall policies.
Firewalls do not prevent the use of unauthorized or unsecured modems as a means
to enter or leave a network .
Firewall Security Problems
Vulnerabilities


The use of encryption and VPNs offers a formidable vehicle to protect and
transport sensitive application data. Encryption teams with public or
private key authentication offer the user, sender and receiver nonrepudiation, reliability and integrity of the application data. However, only
the application data and the transport mechanism are secured from
unauthorized eyes. All other traffic remains open, unprotected and
unmonitored, including user actions.
Most operating systems, applications and network devices generate some
form of audit trail requiring a security administrator to review the audit
logs for suspicious events. Unfortunately, such manual processes do not
scale with the limited, trained security personnel and frenzied network
moves, adds and changes. Security scanners, probes and policy assessment
tools are adept at finding:

Known operating system or application defects

Misconfigurations that pose exposure to tampering

System and application configurations

Operations that are counter to corporate policy
Security Scanner


A scanner is a program that automatically detects security weaknesses in a
remote or local host.
System administrators can strengthen the security of networks by scanning
their own networks. The primary attributes of a scanner should be:

The capability to find a machine or network.

The capability to find out what services are being run on the host ( once
having found the machine).

The capability to test those services for known holes.

Check for security alerts/vulnerabilities

Detect unnecessary shares

Detect unnecessary open ports

Detect new security holes using scheduled scan comparisons

Check for unused user accounts on workstations

Check password policy and strength
Scanners




Retina is a network security scanner and monitor, that
helps discover and fix all known security vulnerabilities
on the network. It includes easy to navigate reporting
tools to help prioritizing.
http://www.eeye.com/html/Products/Retina/index.ht
ml
It can scan every machine on network, including a
variety of operating system platforms (e.g. Windows,
Unix, Linux), networked devices (e.g. firewalls, routers,
etc.) and databases.
After scanning, Retina delivers a comprehensive report
that details all vulnerabilities and appropriate corrective
actions and fixes.
Scanners

GFI LANguard Network Security Scanner automatically detects security
vulnerabilities on a network, giving administrators a "hacker's eye view" of
their network and enabling them to discover any security holes before a
malicious user can exploit them. GFI LANguard Network Security Scanner
scans entire networks for vulnerabilities, creates reports and can remotely
install security patches.
http://www.gfi.com/lannetscan/


Provides in-depth information about all machines devices, scans your entire
network, IP by IP, and provides information such as service pack level of
the machine, missing security patches, open shares, open ports,
services/applications active on the computer, key registry entries, weak
passwords, users and groups.
Scan results are outputted to an HTML report, which can be
customized/queried, enabling you to proactively secure your network - for
example, by shutting down unnecessary ports, closing shares, installing
service packs etc.
Intrusion Detection Systems (IDS)




Intrusion detection defines network or host monitoring and traffic analysis
tools. These permit network operators and security specialists to protect
their networks and hosts against unauthorized use.
To accomplish this, a network device or software agent is placed on critical
segments of the network. The device monitors the network traffic and
identifies activity that matches suspicious or attack signatures. Once a
suspicious or malicious attack pattern is spotted, the system logs, notifies
and, in some cases, terminates the session.
Intrusion detection utilities can be installed to alert the security
administrators when there are attempts to access key files ,or when there
are multiple failed attempts to log into any system on the network,
including the remote access server.
An IDS attack signature or policy consists of any pattern that constitutes
exploiting a known security defect or executing a corporate security
violation. These patterns are then monitored within the network data or on
a host. The level of sophistication of attack identification ranges from single
violations, events over time that comprise a violation, and sequential
actions that comprise a violation.
Intrusion Detection Systems (IDS)




Network IDS: It utilizes traffic analysis to compare session data against a
known database of popular operating systems and application attack
signatures. On detection, the network IDS can react by logging the session,
alerting the administrator, terminating the session and even hardening a
firewall .
Network-based IDS sits in the middle of a fixed communication path
between client and server and has access to data at all layers of
communication. This system forms its attack detection upon a comparison
of parameters of the user's session and the user's commands to a rules-base
of techniques used by attackers to penetrate a system.
Host-based IDS: It analyzes operating system and application system
logs and events to compare system events against a database of known
security violations and custom policies. The host IDS agent watches
different aspects of the server security such as operating system log files,
access log files, application log files, as well as user-defined application
policies.
Host-based IDS architecture places agents on critical network hosts and
network devices throughout the enterprise. These agents are connected to
managers that are administered through a central management console.
Host-based IDS Methodology
Comparing Host-Based and
Network-Based IDS



A network-based IDS, which has no impact on the network or on
network hosts, will not be able to prevent certain system attacks
that may be visible at the network level. Since it can only
monitor traffic that is visible to the workstation, reconfiguration
of network routing may be required for switched environments.
A Host-based IDS will not be able to prevent certain network
attacks, such as a SYNFlood. Since it runs on a host, it is able to
alleviate network IDS constraints of at-the-system-console
attacks and switched-network environments.
Host-based IDS are also designed to facilitate host-based policy
enforcement, whereas network-based IDS are more adept at
identifying complex network transactions that indicate a security
breach.
Intrusion Detection Systems




GFI LANguard Security Event Log Monitor is a host-based
intrusion detection system primarily designed to monitor
Windows-based networks for security breaches in real-time, but
with enhanced flexibility to meet many other monitoring needs.
GFI LANguard continuously scans the security event logs of all
Windows NT/2000/XP machines on a network, consolidating
them into a central log for fast analysis and generating detailed
activity reports.
When it identifies critical security breaches - such as network
users attempting to access shares, resources and/or data they
should not view, GFI LANguard sends out "real-time" alerts to
administrators, thereby permitting immediate action against
potential attacks and penetrations as they occur.
http://www.gfi.com/lanselm
Intrusion Detection Systems


GFI LANguard event log monitor has a Intrusion &
Event Collection Status Monitor that displays
critical/high security events as they occur on a
network. Administrators are notified of a potential
intrusion in real time visually and/or via a sound.
It also allows users to configure their own event
rules and conditions for issuing alerts. These can be
based on either security flags, for example,
attempting to access a particular file or folder or a
login failure.
Intrusion Detection Systems



Intrusion detection is primarily focused on identifying external
threats that have passed through the perimeter security to the
internal network .
They use very sophisticated rule sets that have been cultivated over
an extensive period of time observing and identifying malicious and
suspicious traffic patterns.
These devices must be placed in specific parts of the network to
truly monitor the critical traffic.
Disadvantages:



High total cost of ownership
Application requires continual upgrading of attack signature
database.
Frequent false alerts require network administrators to immediately
interact with the intrusion detection system wasting network
administrator’s time.
Physical Security





Physical security is the bedrock of any computer security system.
There are two situations with physical security :
 Protecting
the software : Involves software running on
conventional off- the- shelf computing equipment that
incorporates little or no anti tamper mechanisms.
 Protecting the hardware: Involves hardware devices used by
outsiders or other potentially untrustworthy people; these
devices are often built to resist tampering.
The above two cases converge in the problem of protecting
individual workstations or laptop computers that may be subject
to attack.
The essential issue is to identify the security parameter of a
device or system.
www.pcsafe.co.uk/
Protecting Software

Modern server systems combine two strategies to
protect themselves.



The computers reside inside layers of physical protection.
The server software running on the host computer uses
mechanisms built into the CPU to protect the system’s
software from attack.
A well designed server site has several layers of
physical protection. At each layer we identify
classes of people and the type of access they have.

Classes of people

Outsiders and Insiders:


The classification of insiders versus outsiders reflects the basic
element of physical security; insiders are allowed to freely enter
the corporate premises and outsiders are not.
The enterprise uses physical security like locks, burglar alarms,
guards and so on. To ensure that outsiders stay outside except
when invited in.
Protecting Software

Types of access

Users and Administrators




Shared remote access systems like servers and mainframes rely on
the distinction between users and administrators to maintain
security.
Users do not need direct, physical access to servers and
mainframes, so they are generally locked away in a machine
room. Entry to the machine room is restricted to administrators.
The machine room represents the security perimeter for the
computing hardware and software. Not all enterprises enforce
this distinction, but most recognize it as an essential defense.
The distinction between insiders and users is enforced by
the server system itself using software-based protection
mechanisms. They usually enforce an additional distinction
between users and administrators, so that administrators
can make fundamental changes to system that users
cannot.
Protecting Software


The CPU’s protection mechanism generally
provide a kernel mode used by the OS or
the timesharing system and a restricted user
mode for executing application programs.
Software running in the kernel mode is
responsible for running the rest of the
software safely and securely.
Protecting Workstations


Workstations are highly vulnerable to attack, since
the attackers can steal sensitive data or modify
critical information.
Even if the workstation’s software attempts to
prevent unauthorized use, two types of threats exist.

OS substitution attack


Most workstations will allow someone to boot up an
operating system from a different disk, like a CD-ROM or a
diskette. This capability is provided for administrative or
maintenance purposes.
Attackers can use it to boot an OS that is configured with
access control protections disabled. They can then read and
modify files on the workstation even if its standard OS has
placed protections on files.
Protecting Workstations

OS substitution attack




Workstations implement a BIOS password to protect against such attacks .
The password is stored in the workstation’s start-up configuration combined
with instructions to boot the workstation from a particular hard drive. The
attackers can redirect the boot operation only if they know the password.
However, BIOS password feature is not a foolproof solution. Most systems
arrive with a predefined BIOS password and many administrators fail to
change it to new and unpredictable password.
The BIOS password is stored in a special RAM powered by a battery. The
attacker can wipe out the password in many ways. For example , if the
computer is running , the attacker could install and run a program that clears
the BIOS RAM. Otherwise the attacker could zero the RAM by shutting off its
power, either by physically removing the battery or by shorting it out.
I/O Bus attack

In this case, the attacker attacks at the hardware level. Essentially , the
attackers can make complete copies of the workstation’s hard drives. Given
sufficiently sophisticated tools, the attacker can also modify files, which can
bypass the software and BIOS entirely.
Protecting Hardware




Hardware protection tries to enforce a security parameter in the
absence of people to guard that perimeter.
Hardware protection generally serves two purposes.
 It protects the base secret and some portion of the
authentication process from theft, modification, or other
interference by blocking it from direct access by an attacker.
 It detects attacks on itself, so it can take steps to protect the
base secret from disclosure.
Password tokens provide protection in practical. Under ideal
circumstances a key card system, along with a personal PIN must be
used. Attackers who try to use the device must comply with the
built- in capabilities and can’t simply extract a base secret unless the
token contains a function to do so.
The system considers itself under attack if someone tries to use it
without providing the right password (or PIN). Persistent attacks
will cause some devices to erase the base secret while others simply
introduce longer and longer delays into processing.
Physical Security




The last aspect of Physical Security is that of the
Networking cables. Anyone with an access to the
corporate premises can easily tap into an Ethernet line
and sniff the network. There of the techniques that can
be used to minimize the possibility of a user tapping into
the system with a network sniffer.
Encryption of all sensitive data. However, encryption
increases the amount of bandwidth required.
Using promiscuous mode detection software. Software
like AntiSniff can detect any systems on the network
that are operating in the promiscuous mode.
http://www.securiteam.com/tools/AntiSniff__find_sniffers_on_your_local_network.html
References














Authentication
From password to public keys ; Richard E. Smith
Intrusion Detection,
Network Security beyond the firewall ; Terry Escamilla
Intranet Firewalls
Planning and implementing your network security system; Scott Fuller & Kevin
Pagan
http://www.cigital.com/paynereport/archive/apr2001.php
http://www.palisadesys.com/resources/suitewhitepaper.pdf
http://www.itoc.usma.edu/ragsdale/Pubs/humphries.pdf
http://www.gfi.com/lanselm
http://www.ion-networks.com/assets/pdf/ION_article.pdf
http://www.sensorsmag.com/isensors/dec01/8/pf_main.shtml
http://www.eeye.com/html/products
http://www.bmc.com/technews/993/993tn7.html
http://www.computerworld.com/securitytopics/security
http://www.hpcc-usa.org/pics/02-pres/wright.ppt
http://www.infotoday.com/cilmag/oct98/story2.htm