Network Security - Delmar Cengage Learning

Network Security
Chapter 17
Chapter Goals
• Understand the need for security policies
• Understand security threats
• Understand types of attacks
• Understand security analysis
• Understand attack tools
• Understand network security defenses
• Understand what to do if you have been attacked
Network Security
• Many security experts consider the term network security an oxymoron.
• Securing a non-networked computer is difficult, but securing a networked
computer sometimes seems impossible.
• Connecting systems to a network opens all sorts of avenues for security
compromise, and much like drivers on New Year’s Eve, the security of one
sysadmin’s hosts is often at the mercy of the security practices of other
administrators on the network.
• In addition, corporate management is often oblivious to security concerns.
• Before the administrator can implement steps to secure enterprise
systems, someone has to create policies regarding issues such as
acceptable levels of vulnerability, acceptable levels of risk, and levels of
necessary security.
• The policy group needs to determine if convenience of use outweighs data
security.
– WARNING: This chapter is intended as a primer on network security.
System administrators who intend to connect systems to the Internet
securely will need to read further.
Network Security
• Policies
– Long before a sysadmin begins implementing security measures,
someone in a position of authority should have put pen to paper
and created security policies for the site.
– Without approved policies, the sysadmin is acting without the
authority to enforce any rules/changes that need to be made to
ensure the security of systems/data. This is the subject of many
books.
– Because each enterprise has different needs and goals, it is not
possible beyond the range of best practice to stipulate what your
policies should include.
– Each set of policies should be customized for the site. About the
only guideline that seems to be somewhat universal is that the
policies should stick to the KISS principle: Keep it simple, stupid!
– Very detailed, wordy policies are often not read/understood by
users. Worse yet, a certain class of users reads the policy with the
idea “what can I get away with” in the back of his mind.
Network Security
• Acceptable Use Policy
– One policy every site should create is an acceptable use
policy (AUP).
– Some sites spell out the details of every acceptable and
unacceptable action on the part of users in an AUP document.
– Some sites reference other documents for details, and use the AUP
for general guidelines and to make the broad statement that users
should abide by the rules in the referenced documents.
– Because the officers of the enterprise should approve the AUP, a
simple one-page document that references other rules and
regulations is often the smart way to go.
– Such an AUP should rarely require change, so the officers should
not have to discuss this document very often. However, the actual
“rules of conduct” (the implementation of the policy) may change
frequently, without the need for management approval.
– Most AUP policies remind users that the computing resources of
the enterprise are supposed to be a friendly, ethical community.
Network Security
– Actions that might be considered hostile are not welcome. Such
actions might include (but not be limited to) the use of network
sniffers, abusive email, denial-of-service attacks, visiting certain
types of web sites from corporate hosts, perusing other users’ files
or e-mail without permission, forging e-mail, profit-making
activities, or masquerading as someone else on-line.
– The policy should point the user to another document that paints a
broader picture of the activities explicitly prohibited, and the
consequences of such actions.
• Enforcement
– Policies are useless unless they can be (and are) enforced.
– Many sites have their legal counsel read and approve the
document before it becomes part of corporate standards. This step
helps ensure that the policy would withstand a legal test, and that
the policy makers did not “take the law into their own hands”
and/or create a document that could be fodder for litigation.
Network Security
– Even if the policy is “legal,” and has been blessed by the
appropriate deities, someone has to enforce the rules. This
“someone” is often the system administrator.
– This is one of the more unpleasant parts of the system
administrator’s job. Anytime the system administrator can hand
this task off to others, it is usually tempting to do so.
– The sysadmin may have to collect the evidence, and show why the
incident is against the policies, but it is always nice when someone
else is tasked with “enforcing” the policy based on the evidence.
• Implementing Security Policy
– Once the site has agreed upon a security policy, the administrator
needs to assess potential threats to the site and implement a
strategy to minimize such threats. The following is a recommended
general procedure for assessing and ensuring host security.
Network Security
1. Make sure hosts are up to date with the most current vendor patches.
2. Survey your hosts to determine what services they offer.
3. Once you know what services are offered, determine which services are
mission critical and which are not required.
4. When you have sorted out the required/unwanted service list, turn off
unwanted services by editing start-up scripts and/or the [x]inetd.conf file.
5. Once the unwanted services are turned off, you need to determine how
you can protect the required services.
6. With access to services protected, you should look at what type of
information the services pass on to the network.
7. Monitor security mailing lists such as bugtraq (available at
http://www.securityfocus.org/). Watch for vulnerability announcements for
any service your systems provide, and obtain/install bug fixes as soon
as they are made available by the vendor of the service software.
8. Monitor your log files and watch for signs of suspicious activity.
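Steps 2 to 4 of this procedure (survey the services, decide which are required, disable the rest) can be scripted. The following is an added example, not code from the book: it reads a constructed sample inetd.conf in the classic one-line-per-service format, lists the active entries, and writes back a copy in which every service not on an assumed allowlist (here only ssh) is commented out. The allowlist and the sample file are assumptions for the example; every site's list is different.

```python
"""Survey an inetd.conf and disable every service not on the required list
(steps 2 to 4 of the procedure). Added example; not the book's code."""
from typing import Dict, List, Set, Tuple

# Constructed sample /etc/inetd.conf in the classic format:
# service socket_type protocol wait/nowait user server_program arguments
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf -- constructed sample for this example
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
tftp    dgram   udp  wait    root  /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
ssh     stream  tcp  nowait  root  /usr/sbin/sshd        sshd -i
"""

# Services the site decided are mission critical (an assumption for the
# example; step 3 of the procedure produces this list for a real site).
REQUIRED_SERVICES: Set[str] = {"ssh"}


def survey_services(conf_text: str) -> Dict[str, str]:
    """Return {service_name: server_program} for every active (uncommented) entry."""
    active: Dict[str, str] = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or already disabled
        fields = stripped.split()
        if len(fields) >= 6:              # shorter lines are malformed; ignore them
            active[fields[0]] = fields[5]
    return active


def harden_inetd_conf(conf_text: str, required: Set[str]) -> Tuple[str, List[str]]:
    """Comment out every active entry whose service is not in `required`.

    Returns the rewritten file text and the sorted names of the services
    disabled. Comments and blank lines pass through unchanged, so the edit
    is reversible and running it twice changes nothing the second time.
    """
    out_lines: List[str] = []
    disabled: List[str] = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            service = stripped.split()[0]
            if service not in required:
                out_lines.append("#" + line)   # inetd now treats the line as a comment
                disabled.append(service)
                continue
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", sorted(disabled)


def missing_required(conf_text: str, required: Set[str]) -> List[str]:
    """Required services that have no active entry: a gap the survey should report."""
    return sorted(required - set(survey_services(conf_text)))


if __name__ == "__main__":
    print("Active before:", sorted(survey_services(SAMPLE_INETD_CONF)))
    hardened, removed = harden_inetd_conf(SAMPLE_INETD_CONF, REQUIRED_SERVICES)
    print("Disabled:", removed)
    print("Active after:", sorted(survey_services(hardened)))
    print(hardened)
```

After the real /etc/inetd.conf is replaced, inetd has to be told to reread it (commonly by sending it a SIGHUP) before the change takes effect. The xinetd configuration syntax is different, so this parser covers only the classic inetd.conf format.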
Threats
• Before exploring how to secure a networked environment, let’s examine
the types of threats you might find in such an environment.
• Is data the item at risk?
• Is the business at risk?
• Are resources at risk?
• How do the bad guys gain access?
• Simply being aware of potential threats is a good thing, but formal risk
analysis requires that you also know how likely a given threat is and/or
the impact such an occurrence might have on the business.
• You want to get the “most bang for your buck” when spending money on
security matters. Protecting against an unlikely threat is not a wise
investment. For more information on risk management, visit
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
• The System Administration, Networking and Security Institute (SANS)
publishes a “top 20” list of security problems.
Threats
• Who Is Attacking Us?
– A key question that should be considered before jumping into the
security chapter is “who is interested in attacking my site?” What
do I have on my computer that is so interesting?
– It is very difficult to guess the motives or identities of external
attackers. Unfortunately, not all attacks come from outside the
enterprise.
– When an internal attack occurs, and is detected, the corporation
will usually take action to discipline the attacker. Other than
reprimand, this can include termination of employment, criminal
proceedings, and/or civil litigation.
– Internal attacks can be much more difficult to detect than external
attacks, as they occur inside corporate defenses. Much of
corporate monitoring and data collection is performed at the
border with the outside world.
– Although external attacks may be more easily detected,
punishment of the perpetrator is often nearly impossible.
Threats
• Who Is Attacking Us?
– External attacks are often undertaken from third-party sites. The
attacker is hiding behind someone else’s system to attack your
site.
– Even if you can trace the attack to the third-party site, you have to
rely on that site to track the attacker to the next site he hides
behind.
– If you get extremely lucky, and gather enough evidence to
positively identify the perpetrator, punishment will often be
impossible, as the perpetrator is a foreign entity.
– Worse yet is the fact that many companies will refuse to press
charges, as they do not want the negative publicity.
– As far as security work goes, the best policy is to treat all attacks,
whether internal or external, the same.
– You need to collect evidence with the idea in mind that the case will
go to court. This means that the sysadmin needs to know and
understand the legal issues involved with the rules of evidence.
Threats
– Every step taken to identify the attack and track the perpetrator
needs to be handled within the limits of the appropriate laws.
– If your enterprise has in-house legal counsel, it would be wise to
involve them from the very first signs of an attack.
• Theft of Data
– One of the important classes of threats is theft (or attempted theft)
of information from compromised computers.
– Sometimes this may be part of an espionage activity by a party
outside the enterprise.
– Sometimes it may be a disgruntled employee trying to see how
much money employee X makes.
– Even activities such as reading someone else’s e-mail as it goes by
on the network, or reading user files because they are improperly
protected, might be considered “theft of data.”
Threats
– Protecting corporate data is one of the prime activities of the
system administrator.
– Ensuring that data is stored securely on the system is certainly
part of the administrator’s responsibility. If the system
administrator is also responsible for the network, the responsibility
extends to ensuring that the network is secure, and that prying
eyes cannot collect data from the network.
• Theft of Assets
– Another important threat is one that attempts to steal assets using
corporate computers.
– This could be the theft of credit card numbers, bank account
information, or personal information about employees (identity
theft).
– Some enterprises consider corporate data and corporate assets as
one entity. Others consider these two separate entities, and have
separate rules governing access to each.
Threats
– Like theft of data, some portion of protection of assets falls on the
shoulders of the system administrator.
– Other portions of this task may fall on web administrators, network
administrators, and others in the enterprise. But more often than
not, the system administrator has the responsibility for the
protection of this information.
• Theft of Services
– A very large percentage of system compromises are not carried out
with the intent to steal assets or data from systems.
– The vast majority of compromises are carried out to steal services
from enterprise computers.
– The attacker does not care what is on the computer, and may not
even look to see what is there. She broke in so that she could use
your computer to attack someone else.
– If you join any of the hacker bulletin-board/IRC systems, you may
be surprised to see others on the channel “trading” the fruits of
their attacks.
Threats
– The attackers use your system to hide behind. They use your system
to attack other systems. If they get caught attacking someone else,
that “other” entity thinks you are responsible, as the attack came
from one of your computers! The attacker packs up and moves to
another compromised system to hide and start again.
– Quite often, your systems are used in concert with other
compromised systems to enact distributed denial of service (DDOS)
attacks on some other entity.
– When the attacker decides he has enough ammunition, he
commands all of his compromised drones to attack some other site.
– Huge streams of network traffic coming from many seemingly
unrelated sites blind the site under attack.
– The site is effectively “out of business” until administrators
responsible for those systems can be convinced to shut down the
attacking drones. This is often a very time-consuming and expensive
problem.
Threats
• Local Versus Network Issues
– The principal difference between network security and local
security is the fact that you have some control over your local
users, but you have very little or no control over users that come
to your site through the network.
– You can, however, exercise some level of control over which files
and services your users have access to, and which of your users
have access to a specific computer.
– When you connect your computer to the network, you silently give
much of your control to the designers who implemented the
network, and to the network services your systems support.
– You might quickly learn that not everyone on the Internet wants to
be a friendly neighbor.
Types of Attacks
• How do the bad guys gain access to your hosts?
– In many cases they exploit well-known security holes in the system
software. The generic sequence of events in most attacks is as
follows.
• Perform reconnaissance: Often through the use of network scans
• Determine points of weakness: Analyze the output from the scan
• Exploit weak points: Attack the weak points found by the scan
• Hide the evidence: Patch the hole and “root kit” the system so that
others cannot see that the machine has been compromised
• Burn, pillage, and loot: Use the compromised system for activities
other than its intended purpose
• Sometimes these steps happen in very rapid succession (within seconds or
minutes of each other). This is indicative of an automated scanning tool.
Other times these steps may occur very slowly (over a matter of days or
weeks). The slower scans are often intended to escape detection by staying
“under the radar” of anyone watching error logs and other alarm systems.
Types of Attacks
• Host-provided Services
– Hosts that provide services on the network do so according to rules
that govern network communications.
– For the TCP/IP protocol, hosts are required to use an Internet
Protocol address to identify themselves. This IP address is similar to
a street address; it tells other computers on the Internet where this
host is located. All communications bound for this host are sent to
the host’s IP address.
• Extending the IP Address Through Ports
– Hosts on the Internet often provide services used by other hosts on
the Internet. For example, the telnet, ftp, mail, http (web service), and
ssh utilities are services provided by typical hosts. These services
may be provided using the Transmission Control Protocol (TCP
services), or the User Datagram Protocol (UDP services).
– These protocols provide a simple extension of the IP address
scheme in order to provide “entry points” for network services. This
extension is called a port. Every computer provides up to 65,536
TCP ports and up to 65,536 UDP ports where network services live.
Types of Attacks
• Persistent Services
– Persistent services are started at boot time by init scripts.
– These services bind themselves to a port, and are always running.
When a remote system wants to connect to a service on the local
host, it contacts the port number for the persistent service.
– The persistent service (typically) creates a copy of itself, starts the
copy running on an ephemeral port, and directs the caller to talk to
the copy of the service running on the new port.
– Typical persistent services are smtp (e-mail), httpd (WWW server),
and inetd. The inetd daemon is a “super daemon.” It manages
several other service daemons that are not persistent.
Types of Attacks
• inetd Services
– The inetd daemon manages nonpersistent services.
– These services are launched upon demand by inetd.
– When the system boots, inetd reads its configuration file
(/etc/inetd.conf or /etc/xinetd.conf) and binds itself to several ports.
– When a request comes in for one of the inet-managed services, the
inetd binary launches the real service daemon, and connects the
caller to the service (much like an old manual telephone
switchboard).
– Typical inet-controlled services include tftp, ftp, telnet, rlogin, rsh, and
ssh.
Types of Attacks
• RPC Services
– Another method of providing network services is via the Remote
Procedure Call (RPC) interface.
– Calling programs contact the rpcbind (sometimes called the
portmapper) process to ask if the host provides a specific service.
– The rpcbind daemon checks its configuration files to see if the
service is being offered, and if so redirects the caller to the port
where the requested service is listening.
Types of Attacks
• Preventing Unauthorized Access to Services
– One way hackers gain unauthorized access to your systems is to
contact the services your computer is providing. For this reason, one
of the best defenses against unauthorized access is to disable
services you do not need to provide.
– Another good defense against unauthorized access to your
computers is to put a wrapper around the service.
– The wrapper checks to see if the caller is authorized to connect to
the service. One tool that provides this wrapper service is the
tcp_wrapper utility.
– How do hackers find what services your computer is providing? They
use a tool that can scan the network, probing each of the 131,072
ports on every IP address. These tools are known as port scanners,
and they are used to implement network scans.
Types of Attacks
• Network Scans
– One method of performing reconnaissance is to scan the “target”
network.
– Each of the scanning tools released does a little bit more, or a little
bit better job, than its predecessor. The types of tools and the
success they provide are frightening.
– One of the things a sysadmin should do is download these tools and
try them against his own hosts. This allows the administrator to
harden the network based on the finding of the tools.
– Knowledge of these tools also helps the administrator understand
what type of information the attacker is trying to gather, and what
clues the system will give when under attack by someone else using
this tool.
Types of Attacks
• Low and Slow
– One of the most worrisome types of network scans is one that is
barely perceptible.
– The attacker works very slowly, and very methodically, to gather
information about the target.
– These scans are worrisome because someone is trying to gather
information very discreetly. They are trying to stay below the system
administrator’s radar (low), so they are very patient (slow). The
attacker is often a skilled and very determined foe.
– Typically these attacks often lead to theft of important data or assets
from the target site.
– These attacks can be very costly to the enterprise. If someone
manages to steal all of the corporate secrets, the company could be
out of business.
– Worse yet, if the attack is detected, and word leaks to the news
media, the site’s customers (and possibly shareholders) may
abandon the company due to lack of confidence.
Types of Attacks
• Fast and Noisy
– The alternative to a low and slow scan is a fast and noisy scan.
– The tools employed for these scans can map out an entire Class B network
space in a matter of minutes (fast).
– Well-instrumented target systems should spew reams of warning messages
when these scans hit (noisy).
– Many times the scanning tools used in a fast and noisy attack have the
ability to compromise a system as soon as vulnerability is found. Although
these tools are very efficient, they give you plenty of warning that they have
visited your site.
– Quite often the attacker is looking to compromise as many systems as
possible to use for attacks on others, or as an army of drones in an
upcoming attack.
– The attacker is often somewhat skilled in computing. They may have
developed their own attack tool, and used your site as a test to see if it
worked in the wild.
– These attacks can be very bothersome for the system administrator.
Someone has to clean up the mess made by the attackers. This often
means collecting forensic evidence, determining how to protect against such
attacks in the future, and then rebuilding the infected systems from
distribution media.
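The two scan profiles described above (and the remark earlier in this chapter that steps occurring within seconds indicate an automated tool while steps spread over days are meant to stay under the radar) translate directly into detection logic. The following is an added example, not the book's code: it reads constructed connection records of the kind a firewall or tcp_wrappers logger leaves in syslog and labels each source as "fast and noisy" (many distinct ports inside one short sliding window) or "low and slow" (few probes at a time, but many distinct ports over at least a day). The thresholds are assumptions for the example and need per-site tuning.

```python
"""Classify scanning sources in a connection log as "fast and noisy" or
"low and slow" by how many distinct ports they touch and over what time
span. Added example; not the book's code."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed records, "<ISO timestamp> <source IP> <destination port>".
SAMPLE_LOG = "\n".join(
    # an automated tool hitting twelve ports in twelve seconds
    [f"2003-04-12T02:14:{s:02d} 203.0.113.7 {20 + s}" for s in range(12)]
    # a patient attacker: one new port per night for six nights
    + [f"2003-04-{10 + d:02d}T03:{d:02d}:00 198.51.100.9 {100 + d}" for d in range(6)]
    # an ordinary user of two services
    + ["2003-04-12T09:00:00 192.0.2.33 22", "2003-04-12T09:05:00 192.0.2.33 80"]
)

Event = Tuple[datetime, str, int]


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                       # skip malformed records
        ts, src, port = parts
        events.append((datetime.fromisoformat(ts), src, int(port)))
    return events


def classify_sources(events: List[Event],
                     fast_ports: int = 10, fast_window: timedelta = timedelta(seconds=60),
                     slow_ports: int = 5, slow_span: timedelta = timedelta(hours=24)
                     ) -> Dict[str, str]:
    """Return {source_ip: label} for sources that look like scanners."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))

    verdicts: Dict[str, str] = {}
    for src, hits in by_src.items():
        hits.sort()
        # fast and noisy: at least fast_ports distinct ports inside one window
        fast = False
        j = 0
        for i in range(len(hits)):
            while j < len(hits) and hits[j][0] - hits[i][0] <= fast_window:
                j += 1
            if len({port for _, port in hits[i:j]}) >= fast_ports:
                fast = True
                break
        distinct_ports = {port for _, port in hits}
        if fast:
            verdicts[src] = "fast and noisy"
        elif len(distinct_ports) >= slow_ports and hits[-1][0] - hits[0][0] >= slow_span:
            verdicts[src] = "low and slow"   # a few probes per day, but they add up
    return verdicts


if __name__ == "__main__":
    for src, label in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:15s} {label}")
```

The low-and-slow rule only works if the log retention is longer than the attacker's patience: a detector that sees one day of records at a time can never accumulate the six ports in this sample.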
Types of Attacks
• Script Kiddies
– Script kiddiez and ankle biterz are just two of the demeaning epithets
for attackers perceived as possessing few real computer skills.
– The scripted attacks are often fast and noisy. The attackers often use
someone else’s scanning tools that they downloaded from the
Internet, and the attacker may not even understand how the tool
works.
– Many times the attacker “saw this tool on the net and decided to try it
out.” Once they compromise a system, the attackers usually do not
look for data to steal; the system was hacked for sport, and/or to use
in attacks against other sites.
– These attacks are often the most vexing for the system administrator.
• The scripts used in the attack have little mercy.
• The attack tools blindly replace system binaries as part of their
attempt to be stealthy once the system has been compromised.
• If the purpose of the attack is to assimilate a drone, or otherwise
attack other hosts, the tool makes no attempt to limit its
consumption of resources.
Types of Attacks
• Buffer Overflows
– Many scripted attacks scan an entire network looking for a specific
service to compromise. These attacks often look for a version of a
network service known to have a security flaw. Quite often the flaw
the attack seeks is a buffer overflow.
– Buffer overflow attacks take advantage of poor coding practice on
the part of the network service developer.
• The developer did not take the time/effort to ensure that data
read by the program/service would actually fit into the container
provided to hold that data.
• When too much data is provided to such a program, the data
overflows the buffer (container).
• If the vulnerable program operates with special privileges, this
often allows the attacker to craft an attack that will give them
access to your system with these elevated privileges.
TIP: One of the best ways to protect against buffer overflow attacks is
to limit services your hosts offer, and to keep up to date with
security patches from your software vendors.
Types of Attacks
• Some operating systems provide a means of disabling
“stack execution” on their systems.
– Buffer overflow attacks often rely on the ability to
overflow the buffer with code that lives on the program
stack.
– The code that overflows the buffer is typically a small
program that will spawn a privileged shell.
– Once the buffer overflow has been accomplished, and
the program tries to exit, the exploit code is executed,
and the attacker has access to the system.
– These attacks rely on the stack allowing the execution of
the exploit code.
Types of Attacks
• Disabling the ability to execute code from the stack can help
defuse some of these attacks.
– For example, if the following directives are placed in the Solaris
/etc/system file, the system will prohibit many of the buffer overflow
attacks from executing exploit code for the attacker.
– These directives also command the system to log a message
warning that someone attempted a buffer overflow attack.
set noexec_user_stack=1
set noexec_user_stack_log=1
– Unfortunately, this method is not foolproof, as there are ways to
defeat this security mechanism.
– Fortunately, most of the “attack tools” do not (currently)
implement methods to get around this defense.
Types of Attacks
• Other operating systems are compiled using special
compilation techniques that are supposed to prevent buffer
overflow attacks.
– There is a special version of RedHat Linux (Immunix), compiled
with a StackGuard compiler, that is supposed to stop buffer
overflows.
– Like the Solaris technique, this attempt has produced modest
success, but the hacking community has found holes in this
defensive strategy.
– Defense in depth may be the only short-term hope for elimination
of successful buffer overflow attacks.
• NOTE: Buffer overflows also affect non-network services. Many
buffer overflow exploits require that the attacker be logged in on
your system. Once the attacker is logged in on a valid user
account, he often exploits a buffer overflow in a setuid program to
gain unauthorized privileges on the system.
Types of Attacks
• Social Engineering
– One of the oldest, yet still widely successful, attack tools is social
engineering.
– Many security consultants make use of social engineering tactics
when performing security audits.
– One social engineering method has the attacker do something as
simple as call an employee on the phone and ask for information that
will help the attacker gain access to the computer.
• Access to the computer makes the task of compromising the
computer much easier to accomplish.
– Another form of social engineering is “dumpster diving.”
• The attacker goes through the company trash looking for slips of
paper that might contain user names, phone numbers, e-mail
addresses, and sometimes passwords. Sometimes the attacker
gets lucky and finds network drawings, printouts of router filters,
or other critical information that can assist in attack planning and
execution.
Types of Attacks
• Social Engineering
– The best way to protect against social engineering reconnaissance is
to educate your users about security. Utilities that require frequent
password changes, or that use one-time passwords, also help limit
the success of social engineering attacks. A system administrator
that looks for odd log-in locations/times of users can help detect such
attacks. A good paper shredder is also a handy tool to have on hand
to secure (several facets of) an office environment.
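The log-in check mentioned above (a system administrator who looks for odd log-in locations and times) can be automated. The following is an added example, not the book's code: it reads constructed log-in records in the spirit of what `last` or a syslog login message provides, learns each user's usual hosts from a training period, and then flags later log-ins from a host the user has not used before or outside assumed working hours (07:00 to 19:00).

```python
"""Flag log-ins at odd times or from hosts a user does not normally use.
Added example; not the book's code."""
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Constructed log-in records, "<user> <source host> <ISO timestamp>".
SAMPLE_LOGINS = """\
alice 192.168.1.20 2003-04-12T09:12:00
alice 192.168.1.20 2003-04-12T17:40:00
alice 203.0.113.7  2003-04-13T03:05:00
bob   192.168.1.31 2003-04-12T08:55:00
bob   192.168.1.31 2003-04-14T23:30:00
"""

# Assumed working hours for the site; adjust to local practice.
BUSINESS_HOURS: Tuple[time, time] = (time(7, 0), time(19, 0))

Login = Tuple[str, str, datetime]


def parse_logins(text: str) -> List[Login]:
    records: List[Login] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                       # skip malformed lines
            user, host, ts = parts
            records.append((user, host, datetime.fromisoformat(ts)))
    return records


def learn_known_hosts(records: List[Login], cutoff: str) -> Dict[str, Set[str]]:
    """Baseline of hosts each user logged in from before the ISO `cutoff` time."""
    limit = datetime.fromisoformat(cutoff)
    known: Dict[str, Set[str]] = {}
    for user, host, when in records:
        if when < limit:
            known.setdefault(user, set()).add(host)
    return known


def flag_logins(records: List[Login], known_hosts: Dict[str, Set[str]],
                hours: Tuple[time, time] = BUSINESS_HOURS
                ) -> List[Tuple[str, str, List[str]]]:
    """Return (user, timestamp, reasons) for every record with at least one reason."""
    start, end = hours
    flagged: List[Tuple[str, str, List[str]]] = []
    for user, host, when in records:
        reasons: List[str] = []
        if host not in known_hosts.get(user, set()):
            reasons.append(f"unusual host {host}")
        if not (start <= when.time() < end):
            reasons.append("outside business hours")
        if reasons:
            flagged.append((user, when.isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    records = parse_logins(SAMPLE_LOGINS)
    baseline = learn_known_hosts(records, "2003-04-13T00:00:00")
    for user, when, reasons in flag_logins(records, baseline):
        print(f"{when} {user}: {', '.join(reasons)}")
```

A baseline learned from the log is only as clean as the training period; if the attacker was already logging in during it, their host becomes "usual", which is why the first baseline should be reviewed by a person rather than trusted blindly.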
Types of Attacks
• Sniffers
• Packet sniffers are multi-faceted attack tools.
• The attacker may use a sniffer to perform social engineering.
– The attacker can listen to all conversations, and collect log-in names,
passwords, and other information that will assist her when she decides
to compromise a host.
– Wireless networks are extremely susceptible to this form of attack.
Administrators that come across the output from packet sniffers might
need to contact hundreds of users and make them change their
passwords.
• Packet sniffers may also be used as part of the orchestration of much
more technically challenging attacks.
– The attacker may capture secret encryption keys as they traverse the
network. By recording the keys, and all communications using those
keys, the attacker has the means of decrypting the communication.
– Sniffers can also be used to provide information on how the attacker
might hijack a communication session, or masquerade as a trusted
host to gain access to private information.
Types of Attacks
• Sniffers
• Most of the time sniffers are nearly impossible to detect. A sniffer does
not generate any network traffic; it merely sits and listens to everything
that goes by on the network.
• At some point the attacker contacts the sniffer, and collects the
information for “off-line” analysis. If nobody notices the sniffer in action, it
may be present on the network for months (or longer), collecting
information for the attacker.
System Security Analysis
• Every system administrator should be concerned about the security of
his or her systems, but how do you determine how much security is
enough? What should you do to ensure that your systems are secure?
• Defense in Depth
– One way to view the security of a well-secured system is to
compare it to the layers of an onion.
– Security tools and techniques provide layers of protection from
unauthorized use such that the inner layers may stop an attack that
managed to get past outer layers.
– This is often called “defense in depth.” From a security standpoint,
defense in depth of a computer begins with a secure local system
(the core), followed by a layer of checks using tools such as
tripwire. A layer of password controls and monitoring is an
essential layer of system security, as is an outer layer of carefully
configured services.
System Security Analysis
– You also need to apply this defense in depth security
model to the network equipment itself.
• Routers and switches and other network gear should be
secured using the layered defense strategy.
• Secure hosts providing secured services to “secured users”
on a secure network might allow a paranoid sysadmin to get a
few hours of sleep at night.
System Security Analysis
• Patches
– Before you attempt to test the security of your systems, it would
be wise to install the latest patches available from the vendor.
– Keeping up with patches is a time-consuming, tedious process,
but it is also one of the best ways to keep your system secure.
• Tripwire
– Another thing you may want to do before testing your systems is
update your tripwire databases, and make sure you will be able to
catch any files that change as a result of the security testing.
– Some of the test tools will attempt to create files on your system
in order to “prove” that the tool was able to compromise the
system.
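The Tripwire step above amounts to taking a fingerprint of every file before the test and comparing afterwards. The following is an added example, not Tripwire's code: it records a SHA-256 of each file's contents together with its permission bits (so that a chmod alone is reported), then simulates on a throwaway directory the side effects a test tool might leave (a replaced binary, loosened permissions, a proof-of-compromise file, a deleted file) and reports them. The file names and contents are constructed for the example.

```python
"""Tripwire-style integrity check: fingerprint files before a security test,
compare afterwards. Added example; not Tripwire's code."""
import hashlib
import os
import tempfile
from typing import Dict, List


def fingerprint(path: str) -> str:
    """SHA-256 of the contents plus the permission bits, so a chmod alone shows up."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    mode = os.stat(path).st_mode & 0o7777
    return f"{digest.hexdigest()} mode={mode:04o}"


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file below root (by relative path) to its fingerprint."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                          # links and specials are out of scope here
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare_baselines(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or whose fingerprint changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def _write(root: str, rel: str, data: bytes, mode: int = 0o644) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo() -> Dict[str, List[str]]:
    """Simulate a test tool's side effects on a throwaway tree and report them."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"original login binary")          # constructed content
        _write(root, "etc/shadow", b"root:placeholder-hash:0:0:::", 0o600)
        _write(root, "etc/motd", b"Authorized use only\n")
        before = build_baseline(root)
        # Effects a "successful" test might leave behind (constructed):
        _write(root, "bin/login", b"replaced login binary")          # replaced binary
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)            # loosened permissions
        _write(root, "tmp/proof.txt", b"the scanner was here\n")     # proof-of-compromise file
        os.remove(os.path.join(root, "etc/motd"))                    # deleted file
        after = build_baseline(root)
    return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8s} {paths}")
```

The baseline is only trustworthy if an attacker cannot rewrite it, so in practice it is stored off the host or on read-only media, and the comparison is run from a known-good copy of the checking tool.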
System Security Analysis
• Tools
– New security tools appear on the Internet every day. The tools
discussed in the sections that follow are a minuscule sample of all
that are currently available. These have withstood the test of time
and remain popular and viable security assessment tools.
– A vigilant sysadmin should also download and try many other tools.
Knowing how these tools work helps the administrator secure
systems against attacks. Watching messages generated by these
tools should also help the administrator recognize when the tool is
used to attack hosts.
System Security Analysis
• Entercept
– The Entercept package is a server-based intrusion protection
package.
– The Entercept package is a multi-layer tool that protects applications,
the operating system, and communications drivers.
– This protection is provided via a set of behavioral rules, system call
interception, and http (web server) call interception. The Entercept
package is available at http://www.entercept.com/
System Security Analysis
• Crack
– Crack, although not a network scanner, is a very useful tool to have
in the security toolbox.
– Crack is a password cracker. Although some may argue that it is
better to have a password program that will not allow users to
choose “bad” passwords, a good password cracker can be a very
useful tool.
– If you think you have a good password program, periodic Crack
scans can assess just how good the password program is.
– Crack employs various encryption algorithms and dictionaries to try
to break the passwords on the system.
– Because the inner layer of defense in depth relies on strong user
authentication, a good password cracker is essential. The Crack tool
was developed by Alec Muffett, and is available at ftp.cert.org
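The slide contrasts a cracker with "a password program that will not allow users to choose bad passwords". The following is an added example of that proactive side, not the book's code and not Crack: it rejects a candidate password if it is short, contains the user name, uses too few character classes, or is a dictionary word after the simple transformations a cracker tries first (case folding, digit-for-letter substitution, stripped leading or trailing digits and punctuation, reversal). The word list is a constructed six-word stand-in for the dictionaries a real tool ships with.

```python
"""Proactive password quality check that applies the simple transformations a
dictionary cracker tries first. Added example; not the book's code."""
import re
from typing import List, Set

# Constructed mini word list; Crack-style tools use dictionaries of
# hundreds of thousands of words.
WORDLIST: Set[str] = {"password", "secret", "welcome", "summer", "dragon", "letmein"}

# Common digit/symbol-for-letter substitutions, mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def candidate_words(password: str) -> Set[str]:
    """The plain forms a cracker would derive from a password before a lookup."""
    base = password.lower()
    forms = {base, base.translate(LEET)}
    # strip leading/trailing digits and punctuation: "summer99", "!secret"
    forms |= {re.sub(r"^[\W\d_]+|[\W\d_]+$", "", f) for f in list(forms)}
    forms |= {f[::-1] for f in list(forms)}        # reversed words
    return forms


def check_password(password: str, username: str,
                   wordlist: Set[str] = WORDLIST, min_len: int = 8) -> List[str]:
    """Return the list of reasons to reject the password; empty means acceptable."""
    problems: List[str] = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if any(form in wordlist for form in candidate_words(password)):
        problems.append("is a dictionary word or a simple variation of one")
    return problems


if __name__ == "__main__":
    for user, pw in [("alice", "Summer99!"), ("bob", "P@55w0rd"),
                     ("alice", "alice123"), ("alice", "correct-Horse-7-battery")]:
        verdict = check_password(pw, user)
        print(f"{user:6s} {pw!r:28s} -> {'ok' if not verdict else '; '.join(verdict)}")
```

Running this at password-change time and Crack against the stored hashes afterwards are complementary: the check stops the obvious choices up front, and the periodic cracking run measures how well the check is actually working.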
System Security Analysis
• COPS
– Another tool that is not a “network” security scanner but is still a
useful scanner is the Computer Oracle and Password System
(COPS).
– The COPS scanner attempts to break passwords, check file
permissions on the system, and locate setuid/setgid programs.
COPS was written by Dan Farmer, and is available at
http://www.cerias.purdue.edu/
System Security Analysis
• Center for Internet Security Scanner
– The Center for Internet Security (CIS) scanner project is a program
that may be used as a ruler to judge how your system measures up
as far as security is concerned.
– The CIS scanner checks your system against a list of settings known
to provide reasonable security.
• For each setting your system meets or exceeds, you score
points. For each setting your system falls below the
recommended setting, you lose points.
• The final outcome of the scan is a score between 0 (low) and 10
(high), which provides a relative indication of how secure your
system is.
• The CIS scanner is available at http://www.cisecurity.org/
• The CIS site also contains tools for checking your system for the
SANS Top 20 security problems.
• JASS
– The Solaris Security Toolkit, informally known as the JumpStart
Architecture and Security Scripts (JASS) toolkit, provides a
mechanism for minimizing, hardening, and securing Solaris
operating environment systems.
– The primary goal of JASS is to simplify and automate the process of
securing Solaris systems. JASS is available at
http://www.sun.com/security/jass
• Nmap
– The Nmap security scanner is one of the most widely used security
scanning tools available.
– Nmap is a port scanner that slices, dices, and otherwise wreaks
havoc with your network.
– Nmap can generate various types of packets that probe the TCP/IP
stack on your systems.
– Nmap can generate a list of open service ports on your system,
penetrate firewalls, and even provide hauntingly reliable “guesses” at
what operating system (complete with patch level and version
number) is running on your host.
– The Nmap security scanner is available at http://www.insecure.org/
• Nessus
– The Nessus project is a remote security scanner.
– Nessus employs Nmap to perform some of the tasks it undertakes, but
also has plug-in modules that can test for well-known security problems.
– The Nessus developers are quick to develop modules used to test for
the latest published security problems.
– Because Nessus is a remote scanner, the administrator can configure
the tool to scan the entire network and report on all hosts it finds.
– Unlike many other scanners, Nessus does not rely on finding given
services on their assigned ports.
– Nessus will probe every TCP and UDP port on a system, and if it finds
something will probe that port further in an attempt to determine what
service it has found.
– Nessus plug-ins are able to locate backdoor programs, DDOS agents,
services that contain buffer overflows, insecurities in network file
systems, database security problems, web server security problems,
and many other common security holes.
– The Nessus scanner is available at http://www.nessus.org/
• Saint
– The Security Administrator’s Integrated Network Tool (Saint) is an
updated version of the SATAN security scanner.
– Saint is a web-based tool that can be configured to locate systems
on the network, and scan them for well-known security problems.
– Although the number of tests performed by Saint is smaller than the
list of tests performed by the Nessus tool, Saint is still under active
development, and is a reasonable tool to have in the security
toolbox.
– Saint is available at http://www.saintcorporation.com/saint/
• dsniff
– dsniff is a collection of tools for network auditing and penetration
testing. The collection includes dsniff, filesnarf, mailsnarf, msgsnarf,
urlsnarf, and webspy. The tools passively monitor a network
watching for interesting data.
– dsniff also includes arpspoof, dnsspoof, and macof to facilitate the
interception of network traffic normally unavailable to an attacker
due to layer 2 switching.
– The remaining two components of the dsniff package are sshmitm
and webmitm.
• These utilities implement active man-in-the-middle attacks
against redirected SSH and HTTPS sessions by exploiting weak
bindings in ad hoc Public Key Infrastructure (PKI).
• Root Kits
– Root kits are not tools for gauging the security of your network.
– In fact, they are tools used by attackers to hide their presence on
compromised systems.
– The root kits come with Trojan versions of many system utilities. The
real system utilities allow the administrator to list files, list processes
running on the system, list active network connections, examine
binary files for text strings, and perform similar functions.
– Luckily, root kit detectors are also available on the Web.
– The chkrootkit package checks for signs that a root kit has been
installed on a system.
– The chkrootkit package checks for over 30 types of root kits, and
checks over 60 critical operating system command binaries to
ensure that they have not been altered. In addition, the chkrootkit
package checks for network interfaces running in promiscuous
mode, checks the lastlog and wtmp files for signs that they have
been edited, and checks for loadable kernel module root kits. The
chkrootkit package is available at http://www.chkrootkit.org/
Defenses
• Network Services
– Computer systems offer a wide range of services to other entities
on the network.
– By default most of these services do not employ encryption to
keep prying eyes from monitoring the information they make
available on the network.
– Most of these services do not (by default) create log entries
detailing connections to the service.
• Access Control Methods
– One way to improve the security of system services is to limit
access to the service.
– This can be accomplished (at least) two ways:
• (1) disable the service such that it is not available for use and
• (2) implement a list of hosts/users allowed to use the service and
force the system to check every inbound request for this service to
ensure that the user/host requesting the service has permission to
use the service.
• Not Using It? Turn It Off
– The easiest way to control access to a network service is to turn it
off. Problem solved; if the service is not running, it cannot be
compromised.
– But this is not always an acceptable solution. On the other hand,
there are wide ranges of services enabled by default, but these
services are not required for normal operation of the system.
• Simple Services
– Almost every TCP/IP stack includes a group of services referred to as
“simple services.” This group of services includes the time, chargen
service, echo service, and discard services. All of these services listen
on TCP and UDP ports. These services are not required for normal
operation.
• These services should be disabled. Under UNIX operating systems
this can be accomplished by commenting them out of the
/etc/inetd.conf file (/etc/xinetd.d for Red Hat Linux) and then causing
inetd to reread the startup files.
• You can force inetd to reread startup files by invoking the following
command.
kill -HUP {PID for the inetd process}
– On Windows systems, use the network control panel to remove
the “simple TCP” services.
– Some operating systems also provide the capability of performing
a “trace” on every incoming network request. This is a good
function to enable.
• Under recent versions of Solaris you can enable this function by
editing the file /etc/init.d/inetsvc and changing the invocation of
the inetd program from inetd -s to inetd -s -t.
• Under other operating systems you may need to enable the auth
daemon, or in a few cases download and install the portable
ident daemon (pidentd). The pidentd daemon is available at
http://www2.lysator.liu.se/~pen/pidentd/
• Other Unnecessary Services
– Each operating system ships with a number of inet services that
may not be needed.
– Services often disabled include:
• tnamed
• uucp
• exec
• rexd
• comsat
• finger
• systat
• netstat
• time
• sadmind
• linuxconf
• rquotad
• rpc.rusersd
• sprayd
• walld
• rpc.statd
• ufsd
• cachefsd
• kerbd
• gssd
• in.talkd
• Point and Shoot (Yourself in the Foot)
– There are several system services known to be “bad things” to run.
These services are known to be security problems, yet they are run
for several bad reasons: there are no better solutions, time does not
permit replacing them, “it has always been done that way,” and “we
can’t afford the down time to fix them.”
– Chief among these “bad things” that weaken security is to allow
programs to pass information across the network in clear text.
– Another nemesis is a service that does not require authentication of
the remote user.
– Yet another class of dangerous services is those that allow the
remote user to alter the configuration of the local system.
– When these services are compromised, you have shot yourself in the
foot (as the old saying goes).
– We all know better, but for one (bad) reason or another we do not
remove the ammunition (fix the problem) before the trigger is pulled.
• Plaintext Authentication
– One type of service you should consider disabling is a class of
services that perform plain-text authentication.
• These services pass the user’s log-in name and password across
the network as unencrypted data.
• Anyone sniffing the network can collect this information and use it
to gain unauthorized access to your systems.
• Services that allow plain-text authentication include rlogin, rsh,
telnet, ftp, http, imap, and pop.
– Technically, it is a simple matter to disable these services.
Comment them out of /etc/inetd.conf, or remove the binary
program.
– If the service is not installed on the system, or is not available, it
cannot be exploited.
– On Windows 2000 systems, make sure the following registry
key is set to the value 0.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters]
"EnablePlainTextPassword"=dword:00000000
– Politically, attempts to disable these services are met with stiff
resistance.
– This is one of many instances in which strong policies can make
the life of the system administrator easier.
– If the site’s security policy forbids the use of services that require
plain-text authentication, the administrator is free to disable these
services. However, keep in mind that you may need to provide a
secure replacement for many of these services.
• Other Problematic Services
– The services discussed in the previous section are services that
should not be offered.
– The system will function without these services, and/or there are
secure versions of these services that can be installed in place of
the insecure versions.
• Trivial File Transfer Protocol
– The Trivial File Transfer Protocol (tftp) is a simplified version of
the ftp protocol.
• The tftp protocol was originally intended as an aid to booting diskless
workstations. Once the diskless system located its server, the operating
system was downloaded to the workstation using tftp. tftp comes with
several built-in security problems. For starters, tftp does not require
any authentication.
• Common Desktop Environment
– The Common Desktop Environment (CDE) is a windowing system.
– The original implementation was developed by Hewlett Packard, and
was named HP-VUE. More recently, Hewlett Packard, Sun
Microsystems, and IBM have collaborated to bring the package to all
of their operating systems. The package was renamed the Common
Desktop Environment.
– The CDE package includes several network daemons that facilitate
use of the windowing environment across several hosts.
– Several of these services have been found to be insecure. However,
turning off all of these services may render the windowing
environment unusable.
– The following portions of the CDE environment may be turned off
without completely disabling the environment. Some CDE functions
may not operate with these daemons disabled.
– rpc.ttdbserverd: ToolTalk object manager
– fs.auto: Font server
– kcms_serverd: Allows access to user profiles across a network
– rpc.cmsd: Calendar manager
– dtspcd: CDE subprocess control service
• named
– The named binary is an implementation of the Domain Name Service
(DNS) daemon.
– This daemon should be running only on hosts that provide your
enterprise name service.
– Several recent attacks have been released against named. Some of
these attacks make use of buffer overflow compromises to give the
attacker elevated privilege access to your system.
– Other attacks use the DNS software to force the machine to
participate in a distributed denial of service (DDOS) attack against
other hosts on the network.
• NOTE: There are several packages available for providing name
service. Some of these packages have (so far) been more secure
than others.
• Wrap It Up (tcpd)
– Because it is impractical to disable all services, you need another
way of limiting access to services such that only authorized users
may use them.
– If you could somehow convince every application to check an access
control list before it allowed a remote user access to the service, you
might have a chance of providing the service with some assurance of
security.
– The tcp wrapper program (tcpd) is a surrogate service daemon that
can be used to protect other service daemons.
• Protecting Programs Using tcpd Library Routines
– The tcpd libraries provide a series of system calls programs can
use to check whether a remote host has permission to contact a
service running on the local host. When the service daemon is
compiled, and linked using these libraries, it will check the
/etc/hosts.deny file, and then the /etc/hosts.allow files, to determine
whether the remote host has the appropriate permissions to use
this service.
• Protecting Programs Using the tcpd Daemon
– The second method of protecting programs with tcpd is to force
tcpd to “answer” anytime the service daemon’s port is contacted.
– One way of doing this is to edit the inetd.conf file and “replace” the
actual service daemon with a call to tcpd.
– The tcpd program is called with the name of the actual service
daemon as an argument. The tcpd binary checks hosts.deny, and
then the hosts.allow files, to see if the caller has permission to
contact the service daemon.
– If permission is granted, tcpd starts the service daemon, and the
conversation progresses normally. Typical entries in the
/etc/inetd.conf file might look like the following.
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -i -o
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
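As an added example (not from the chapter), a small audit script that parses an inetd.conf in the format shown above and reports enabled simple services, usually unnecessary services, plain-text authentication services, and any daemon started directly rather than through tcpd. The service lists and the sample configuration are constructed for this example.

```python
# Added example (not from the chapter): audit an inetd.conf for the service
# classes the chapter recommends disabling or wrapping.  The service lists
# and the sample configuration below are constructed for this example.
from dataclasses import dataclass, field
from typing import List

# inetd built-in "simple services" the chapter says to comment out
SIMPLE_SERVICES = {"echo", "chargen", "discard", "daytime", "time"}
# a subset of the chapter's "services often disabled" list
OFTEN_DISABLED = {"tnamed", "uucp", "exec", "rexd", "comsat", "finger",
                  "systat", "netstat", "sadmind", "rquotad", "sprayd", "walld"}
# inetd service names that perform plain-text authentication
PLAINTEXT_AUTH = {"login", "shell", "telnet", "ftp", "pop3", "imap"}


@dataclass
class InetdEntry:
    service: str
    protocol: str
    server: str                     # path inetd executes, or "internal"
    args: List[str] = field(default_factory=list)

    @property
    def wrapped(self) -> bool:
        # the chapter's wrapping technique: the server field is tcpd and
        # the real daemon name follows as the first argument
        return self.server.split("/")[-1] == "tcpd"

    @property
    def daemon(self) -> str:
        if self.wrapped and self.args:
            return self.args[0]
        return self.server.split("/")[-1]


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse the classic 'service type proto wait user server args' format.
    Lines commented out with '#' are disabled services and are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed; inetd would reject it too
        service, _stype, proto, _wait, _user, server = fields[:6]
        # RPC entries look like "rstatd/2-4"; keep only the service name
        entries.append(InetdEntry(service.split("/")[0], proto, server, fields[6:]))
    return entries


def audit_inetd(text: str) -> List[str]:
    """Return one finding per problem, in file order."""
    findings = []
    for e in parse_inetd_conf(text):
        tag = f"{e.service}/{e.protocol}"
        if e.server == "internal" or e.service in SIMPLE_SERVICES:
            findings.append(f"{tag}: simple service enabled; comment it out and HUP inetd")
            continue                      # nothing to wrap for a built-in
        if e.service in OFTEN_DISABLED:
            findings.append(f"{tag}: usually unnecessary; disable unless required")
        if e.service in PLAINTEXT_AUTH:
            findings.append(f"{tag}: plain-text authentication; replace with ssh/scp")
        if not e.wrapped:
            findings.append(f"{tag}: {e.daemon} started directly, not via tcpd")
    return findings


# Constructed sample inetd.conf for the test run
SAMPLE_INETD_CONF = """\
# constructed sample, not a real host's configuration
echo     stream  tcp  nowait  root    internal
#chargen stream  tcp  nowait  root    internal
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -i -o
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
rstatd/2-4 dgram rpc/udp wait root    /usr/sbin/rpc.rstatd  rpc.rstatd
"""

if __name__ == "__main__":
    for finding in audit_inetd(SAMPLE_INETD_CONF):
        print(finding)
```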
• /etc/hosts.deny
– tcpd relies on two text files to configure access to services. These
two files provide two methods of protecting the system:
• allow everything except what is explicitly denied, or
• deny everything except what is explicitly allowed.
– The /etc/hosts.deny file lists the services available, and the
names/addresses of hosts not allowed to use the service.
– A site that used the “allow everything except that which is explicitly
denied” logic might have hosts.deny files with entries similar to:
in.ftpd: insecure-host.plc.com
in.telnetd: all
– These two entries tell the tcpd package that the host insecure-host.plc.com
is not allowed to contact the ftpd binary. The file also
tells tcpd that all hosts are disallowed use of the in.telnetd program.
– Sites that use the “deny all except that which is explicitly allowed”
strategy might place the following in the /etc/hosts.deny file to
disallow all contact from the outside to any service protected by tcpd:
ALL: ALL
• /etc/hosts.allow
– The /etc/hosts.allow file performs the opposite function of the
hosts.deny file. Entries in this file tell the tcpd package to allow
access to the listed services. The following are example entries:
in.fingerd: .nd.edu
ALL: .plc.com
sshd: ALL
rpcbind: 172.16.0.0/255.255.0.0
rpcbind: 255.255.255.255 0.0.0.0
– These entries tell tcpd that all hosts in the nd.edu domain can finger
at the local host, that all hosts in the plc.com domain may use any
service on the local host that is protected by tcpd, and that any host
that connects to the sshd service is allowed to use this service.
– The last two entries tell tcpd that any host on the 172.16.0.0 network
is allowed to contact the rpcbind (RPC port mapper) service on
localhost.
• Logging tcpd Messages
– One of the nice features of the tcpd package is that it allows you to
log all refused connection attempts via syslog.
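As an added example (not from the chapter), a Python simulation of the decision tcpd makes for a (daemon, client) pair, fed with the chapter's own hosts.allow and hosts.deny entries; the client host names and addresses are constructed. It follows the hosts_access(5) evaluation order: a hosts.allow match grants access, otherwise a hosts.deny match refuses it, otherwise access is granted.

```python
# Added example (not from the chapter): a simulation of the hosts_access(5)
# decision tcpd makes.  The rule files below are the chapter's own entries;
# the client host names and addresses are constructed.
import ipaddress
from typing import List, Tuple

Rule = Tuple[List[str], List[str]]        # (daemon patterns, client patterns)


def parse_access_file(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: shell_command]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        daemons = [d.strip() for d in parts[0].split(",") if d.strip()]
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """Implement the common client patterns from hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                   # domain suffix: .plc.com
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                     # address prefix: 172.16.
        return addr.startswith(pattern)
    if "/" in pattern:                            # net/mask or CIDR
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() == host.lower() or pattern == addr


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule: Rule, daemon: str, host: str, addr: str) -> bool:
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, host, addr) for c in clients))


def hosts_access(daemon: str, host: str, addr: str,
                 allow: List[Rule], deny: List[Rule]) -> bool:
    """tcpd order: an allow match grants, else a deny match refuses,
    else access is granted (so an empty hosts.deny protects nothing)."""
    if any(rule_matches(r, daemon, host, addr) for r in allow):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in deny):
        return False
    return True


# The chapter's "deny everything except what is explicitly allowed" setup
HOSTS_ALLOW = """
in.fingerd: .nd.edu
ALL: .plc.com
sshd: ALL
rpcbind: 172.16.0.0/255.255.0.0
rpcbind: 255.255.255.255 0.0.0.0
"""
HOSTS_DENY = "ALL: ALL\n"

# The chapter's "allow everything except what is explicitly denied" setup
HOSTS_DENY_OPEN = """
in.ftpd: insecure-host.plc.com
in.telnetd: ALL
"""


def decide(daemon: str, host: str, addr: str, strict: bool = True) -> bool:
    """Evaluate against the strict (default-deny) or open (default-allow) files."""
    if strict:
        return hosts_access(daemon, host, addr,
                            parse_access_file(HOSTS_ALLOW), parse_access_file(HOSTS_DENY))
    return hosts_access(daemon, host, addr, [], parse_access_file(HOSTS_DENY_OPEN))


if __name__ == "__main__":
    # constructed clients
    print(decide("in.fingerd", "lab1.nd.edu", "10.1.2.3"))        # True
    print(decide("in.telnetd", "lab1.nd.edu", "10.1.2.3"))        # False
    print(decide("rpcbind", "ws7.example.org", "172.16.5.9"))     # True
```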
• Services Protected Using tcpd
– It would be very difficult to compile a complete list of every program
that could be protected by the tcpd package.
– Luckily, most hosts only offer a few services, and most of these
services are common TCP-based daemons. Some of the more
common packages wrapped using tcp-wrapper are portmap, rlogin,
rsh, telnet, ftpd, lpd, and finger.
• Windows 2000 Access Control
– Under Windows 2000, you can use the Network control panel to limit
access to the system’s services.
– Under the Internet Protocol TCP/IP item, click on the Properties
button. Click on the ADVANCED button, and then select the Options
tab.
– Select the TCP/IP filtering entry, and then select Properties. Enter
the port access information you desire, and then click on the Enable
TCP/IP filtering (All Adapters) button to enable the filters.
• Providing Services on Alternate Ports
– Some sites attempt to secure their network services by
providing services on nonstandard (alternate) ports.
– Although this method may work for a while, it may not
provide the desired protection in the long run.
– Security through obscurity does not provide much
protection against tools such as Nessus and Nmap.
• These tools will be able to detect that something is listening
on the port, and will report this fact to the attacker. The
attacker can then probe the service in an attempt to
determine what it is.
• Alternate Versions of Service Daemons
– Another way some sites improve the security of their
systems is to employ alternate versions of network
service daemons.
– Several Open Source and commercial entities provide
service daemons that have been hardened against
attacks.
– A few of the more common alternate service daemons
are ftpd from wuftpd and pureftpd, telnet replacements
from MindTerm and SecureCRT, and scp (a replacement
for rcp that is distributed as part of many ssh packages).
• Encrypt It
– Another method of securing network services is to force the service
to encrypt all communications with other hosts.
– Although this method does not prevent a remote host from using the
service, it does make it more difficult for someone running a sniffer to
determine what the hosts are saying to each other.
NOTE: If the “encrypted service daemon” contains a buffer
overflow, it may still be possible for an attacker to gain access to
the system. Older versions of the ssh program suffered such a
fate. You should consider wrapping encrypted services with tcpd,
or compiling these services using the tcp_wrapper libraries, when
possible.
• ssh
– One solution to the clear-text problems of the r commands and the
threat of snooping is to use a secure communications program that
encrypts all data for transit. The ssh package is used at many sites
as a drop-in replacement for the r commands, ftp, and telnet.
– Because there are also ssh clients for Windows and MacOS
systems, the ssh package is useful for employees who require
access to corporate computing facilities from remote sites (which
may not be secure). The ssh package provides a secure remote
communications channel. The ssh package can be obtained from
http://www.openssh.org/. The ssh package includes complete
configuration and installation directions.
• PGP
– The Pretty Good Privacy (PGP) package is a freely distributable
public-key encryption package. PGP is available for UNIX, Windows,
MacOS, Amiga, DOS, and most other operating systems.
– PGP has become one of the most widely used e-mail encryption
tools. The PGP vendor (Network Associates) recently decided to
discontinue distribution of its commercial version of PGP.
– Freeware versions remain available at http://www.pgpi.org/. A public
domain version of PGP is also available. The Gnu Privacy Guard
package, also known as GnuPG (or simply GPG), is a complete and
free replacement for PGP. GPG is available at http://www.gnupg.org/
• Zebedee
– Zebedee is a package that allows you to establish an encrypted,
compressed “tunnel” for TCP/IP or UDP data transfer.
– This allows traffic such as telnet, ftp, and X to be protected from
prying eyes, as well as providing, via data compression, improved
performance over low-bandwidth networks by compressing the
encrypted data before sending it across the network. Zebedee
provides full client and server functionality under UNIX/Linux and
Windows.
– Zebedee employs algorithms that are either unpatented or for which
the patent has expired. Zebedee is available from
http://www.winton.org.uk/zebedee
• Stunnel
– Stunnel is another program that allows you to encrypt arbitrary TCP
connections inside SSL (Secure Sockets Layer).
– Stunnel is available for both UNIX and Windows.
– Stunnel can allow you to secure non-SSL aware daemons and
protocols (such as POP, IMAP, and LDAP) by having Stunnel provide
the encryption.
– The Stunnel source code is not a complete product; that is, you still
need a functioning SSL library such as OpenSSL or SSLeay to
compile Stunnel. This means that Stunnel can support whatever your
SSL library can, without making any changes in the Stunnel code.
Stunnel is available at http://www.stunnel.org/
• One-time Passwords in Everything
– The One-time Passwords in Everything (OPIE) package is a
password-hardening tool. It is particularly useful when the remote
host does not offer any encrypted forms of remote user
authentication.
– A standard exists for one-time password systems (RFC1938), and
OPIE is one of the tools that implement this standard. OPIE is a
successor to the S/Key tool from Bellcore (now called Telcordia
Technologies).
• Secure Remote Password
– The Secure Remote Password (SRP) package is another tool
that can be used to encrypt network traffic.
– SRP is a lesser-known alternative to ssh. If both ends of the
connection agree that they can use the SRP protocol, the
connection is encrypted transparent to the user.
– This approach allows the user to keep using her favorite
commands, and allows the sysadmin to do something other than
install new versions of ssh every week.
• The downside of SRP is that it introduces yet another
password file. The /etc/tpasswd file contains the SRP
version of each user’s password. The sysadmin needs to
replace the system’s password program with a program
from the SRP distribution. This new version of password
synchronizes the /etc/passwd and /etc/tpasswd files. SRP is
available at http://srp.stanford.edu/
Firewalls
• Another approach to limiting access to your hosts is to pass
all network traffic through a filtering router and/or firewall.
• This approach constitutes an attempt to deal with all
possible avenues of access by carefully controlling the
network traffic as it passes through network electronics.
• An advantage of this method is that it provides some
measure of security for all services, including those added
later or services created by individual users.
• A disadvantage of this approach is that the inspection of
packets impedes the traffic flow across the network.
• The hosts inside the enterprise are protected by two
firewalls.
– The border router often provides filtering to eliminate
some of the attacks headed for the corporate network.
– This router is between the outside world and a set of
“bastion hosts” on a network, referred to as the
demilitarized zone (DMZ).
– The firewall is placed between the DMZ and the internal
network.
– Instead of using two separate devices to implement this
scheme, some sites use one router or firewall with three
interfaces (to connect to the outside, the DMZ, and
internal networks).
• Classification of Firewalls
– There are three general firewall classifications (listed in order of
increasing security): packet-filtering (plain and stateful) firewalls,
circuit proxy firewalls, and application proxy firewalls.
• Packet Filters
– A filtering router/firewall conditionally passes network traffic
between networks. The router filters are rules developed by the
network manager.
– These rules tell the router which packets should be allowed to
pass, and which packets should be rejected. Depending on the
particular router, it may be able to pass traffic based on the source
or destination IP address, the source or destination port number, or
other information contained in the packet.
– A filtering router restricts access to a service on a system by
allowing (or disallowing) network traffic to enter (or leave) the
network.
– Stateful Filters
• There are certain types of network traffic that are very
problematic for firewall systems.
• Among this traffic are so-called protocol benders, such as ftp and
traceroute, and fragmented packets. Stateful firewalls boast the
capability to handle these odd conversations.
• Protocol Benders
– The ftp protocol is particularly troublesome for firewalls.
– The ftp protocol uses a pair of connections to transfer files.
– One connection, initiated by the client, is used to send
commands to the ftp service host.
» This connection is generally made between an
ephemeral port on the client and TCP port 21 on the
server.
– When the client asks for a file from the server, the server
opens a connection to the client system’s TCP port 20.
– A nonstateful firewall might not allow the server to open this
port, as the idea of a firewall is to block unwanted
connections from external hosts.
– A stateful firewall keeps track of conversations initiated by
hosts “behind” the firewall.
– When such a host opens an ftp connection to an external
system, the firewall keeps track of this connection in a
special state table.
– When the remote ftp server attempts to open the ftp data
connection on port 20, the firewall consults its open
connection table and allows/disallows the connection to
proceed based on the information found in the table.
• Fragmented Traffic
– Another type of traffic that is a problem for many firewalls is a
conversation that includes fragmented packets.
– Packet fragmentation occurs as a natural part of transmitting data
across the network. As large packets are forwarded to networks that
only transport small packets, the packet is fragmented into smaller
pieces for transport. The destination host is supposed to reassemble
these fragments into a complete packet. Intermediate routers are not
supposed to reassemble these packets as they traverse the network.
– Unfortunately, the hacker community also determined that it could
fragment attack packets into small pieces, and sneak them through
many firewall systems.
– When the target host reassembled the attack packet, the hacker
could compromise the system.
– Stateful firewalls can reassemble fragmented packets and then
determine if they should be allowed to pass through the firewall.
• Nonstateful Firewalls
– With an understanding of stateful firewalls, the definition of a plain
(nonstateful) firewall is pretty easy to discern.
– Plain firewalls do not keep any state information regarding current
connections. These firewalls are incapable of detecting problems
that deal with fragmented packets or protocol bender applications.
• Application Proxy Firewalls
– Another firewall design is called the application proxy.
– An application proxy does not allow any traffic through the firewall.
– The application proxy behaves as a server to clients on the trusted
network, and as a client to servers outside the trusted network.
• A client on the trusted network sends connection information to the
proxy firewall. The firewall applies its policy rules to determine
whether to allow the requested connection.
• If the request is permitted, the proxy firewall will send the request
to the destination.
• The source IP address on the packets sent to the remote host will
be that of the firewall, not that of the original client.
– By operating at the application layer, application proxy firewalls
provide finer granularity when it comes to policy rules.
• For example, specific URLs can be blocked from certain subnets,
or FTP clients can be restricted from performing a Put, but
permitted to execute a Get.
• An added advantage of application-layer proxy operation is the
ability to require strong authentication before allowing the
connection to proceed.
• Application proxy firewalls also possess the ability to create
detailed logs of security events.
– One drawback to the application proxy is that proxies must be
provided for each application.
– Several Internet applications (including FTP, e-mail, and news) are
bundled into most browsers. These applications can be handled by
configuring the browser to talk to the firewall. Custom applications
and network applications not bundled into a browser will require
custom firewall configurations.
– Although application proxy firewalls provide the highest level of
security and finest-grain control, they can also be the most complex
to configure. In addition, because they act as relay agents for all
clients on the network, performance can be problematic.
• Circuit Proxy Firewalls
– Circuit proxy firewalls are a variant of application proxy firewalls.
Circuit proxy firewalls relay TCP and UDP connections between
(trusted and untrusted) networks after authenticating end points.
– The best-known implementations of circuit-level gateways employ an
IETF standard protocol, SOCKS. SOCKS firewalls require
modifications to applications or to client TCP/IP stacks. Most
browsers have built-in SOCKS support, and modified protocol stacks
are also available for various flavors of UNIX, various flavors of
Windows, and MacOS.
– Circuit proxy firewalls require a significant administrative effort to
implement in a sizable enterprise.
• Types of Firewalls
– Under each classification of firewall there are two types of
firewalls.
• Host-based Firewalls
– Host-based firewalls are programs installed on each computer.
These programs intercept traffic that comes in to the host via the
network interface. The package checks a rules file to see if this
packet should be allowed to continue its journey to the system’s
TCP/IP stack for processing.
– If the packet is on the “allowed” list, it is passed to the TCP/IP stack
for normal processing. If the packet is not on the “allowed” list, the
firewall package may log a copy of the packet complete with an error
message, and set off alarms. The firewall package should not allow
such packets to be passed to the TCP/IP stack.
– ipchains
• The ipchains utility employs an ordered set of rules to determine
if the packet should be allowed to pass to the host’s TCP/IP stack
for further processing.
• The ipchains package defines three default chains, but the
administrator is free to declare other chains in addition to the
following three default chains.
– Input: This set of rules examines every packet bound for this
host.
– Output: This set of rules examines every packet originating
on this host.
– Forward: This set of rules examines every packet that must
be forwarded to another host on the network.
• The ipchains rules result in one of the following actions.
– Accept: The packet is okay; allow it to pass to the appropriate
chain.
– Deny: The packet is not okay; silently drop it in the bit bucket.
– Reject: The packet is not okay; but inform the sender of this fact
via an ICMP packet.
– Masq: Used for IP masquerading (network address translation).
– Redirect: Send this packet to someone else for processing.
– Return: Terminate the rule list.
NOTE: The ipfw (ipfilters/iptable) package under BSD
operating systems provides similar functionality to ipchains.
Consult the manual page for ipfw for more information on
this package.
Firewalls
TIP: An easy-to-use interface to ipchains, called Brickhouse, is available for
MacOS X. See http://personalpages.tds.net/~brian_hill/brickhouse.html
Brickhouse makes creating rules easier by including common settings
and common names for specific protocols and sockets.
– BlackIce Defender
• The BlackIce Defender package is one of a plethora of personal
firewall utilities for Windows operating systems. It operates in a
manner similar to ipchains/ipfw.
• The user builds a set of rules the system uses to determine if a
packet should be allowed to continue to the IP stack. Other
packages that provide the same functionality are Personal
Firewall and Network Ice.
Firewalls
• Tiny Firewall
– The Tiny Software company produces several host-based
packages that are highly recommended.
– The Tiny Firewall package is a host-based firewall package for
Windows operating systems. Like the other host-based firewalls,
the user builds a series of filters to protect the host from external
connections.
– Another offering from Tiny Software is the Tiny Trojan Trap. The
Trojan Trap provides protection from active content such as Java,
e-mail, ASP, and macro viruses. The tiny tools are available at
http://www.tinysoftware.com/
Firewalls
• Dedicated Firewalls
– Dedicated (network based) firewalls are specialized systems that
attempt to protect entire networks as opposed to protecting a single
host. These devices are placed between two networks.
– The firewall system is loaded with configuration files that specify
what types of packets should not be allowed to pass through the
device to the other network.
– There are several types of dedicated firewall systems, including
packet filtering firewalls and proxy firewalls.
Firewalls
• Firewall Policies
– Along with the types of firewalls, there are two general firewall
policies:
• allow everything except that which is explicitly denied, and
• deny everything except that which is explicitly allowed.
– The first policy requires a lot of operator fine-tuning, and can be
problematic to implement. The “allow all but that which is denied”
policy generally requires considerable computational horsepower
in the router.
– The “deny all but that which is allowed” policy is usually easier to
implement, less prone to operator errors, and typically does not
require as much computational power on the part of the router.
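The two policies above, applied to the same ordered-rule evaluation the ipchains section describes, as an added example (not code from the page, from ipchains or from any firewall product). The Packet and Rule fields, the rule syntax and the sample site addresses are assumptions constructed for the illustration.

```python
"""Ordered packet-filter chain with a default policy (added example; not the page's
or ipchains' own code).  Rules are consulted in order, the first match decides,
RETURN ends the chain, and the chain's default policy applies when nothing matched."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IP address
    dst: str                      # destination IP address
    dport: Optional[int] = None   # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                   # ACCEPT, DENY, REJECT or RETURN
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(chain: Iterable[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule decides; RETURN ends the chain and the policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            if rule.action == "RETURN":
                break
            return rule.action
    return policy


# Constructed site: only inbound SMTP to the mail host and HTTP to the web host are needed.
NEEDED = [
    Rule("ACCEPT", proto="tcp", dst="192.0.2.10/32", dport=25),
    Rule("ACCEPT", proto="tcp", dst="192.0.2.20/32", dport=80),
]
# Policy 1: deny everything except that which is explicitly allowed.
DEFAULT_DENY: Tuple[list, str] = (NEEDED, "DENY")

# Policy 2: allow everything except that which is explicitly denied.  The operator
# has to keep enumerating dangerous services, and anything forgotten gets through.
KNOWN_BAD = [
    Rule("REJECT", proto="tcp", dport=23),                 # telnet: tell the sender via ICMP
    Rule("DENY", proto="udp", dport=161),                  # SNMP: drop silently
    Rule("DENY", proto="icmp", dst="192.0.2.255/32"),      # directed-broadcast ping
]
DEFAULT_ALLOW: Tuple[list, str] = (KNOWN_BAD, "ACCEPT")


def compare(pkt: Packet) -> Tuple[str, str]:
    """Verdict under deny-by-default and under allow-by-default for the same packet."""
    return (evaluate(*DEFAULT_DENY, pkt), evaluate(*DEFAULT_ALLOW, pkt))


if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.9", "192.0.2.10", 25),
                Packet("tcp", "198.51.100.9", "192.0.2.10", 23),
                Packet("tcp", "198.51.100.9", "192.0.2.10", 3306),
                Packet("icmp", "198.51.100.9", "192.0.2.255")):
        print(pkt, "->", compare(pkt))
```

The third sample packet (a service nobody thought to deny) is the case that separates the two policies: deny-by-default drops it, allow-by-default lets it through.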
Firewalls
• Drilling Holes in the Firewall
WARNING: Even at their best, firewalls do not provide a complete
answer to the network security problem. Firewalls do not provide
security to individual hosts. They do not protect hosts on the “secure”
network from “inside” attacks. A single hole in the firewall may allow
attackers access to all hosts on the “protected” network. Mistakes in
the configuration of a firewall may go unnoticed without other
security measures in place. Resist the temptation to open a hole
through a firewall without studying the possible impact on the
security of the enterprise.
– A firewall’s purpose in life is to block network traffic.
– The best firewall might be one that does not let any packet
through. This is somewhat akin to being disconnected from one of
the networks.
– Unfortunately, this makes doing business on the Internet very
difficult. Most companies will not allow such a firewall to be
installed. Therefore, once we install a firewall on a network, we
immediately begin drilling holes through the wall to allow some
information to pass through the barricade.
Firewalls
– Some firewalls allow very few types of information through. This
generally means that these firewalls have had minimal holes
drilled through them.
– Other firewalls allow data to flow in and out of the organization
as if there were no firewall present. This generally means that the
firewall has had numerous holes drilled through it. In this case,
you may as well not bother with the expense of the firewall.
• Virtual Private Networks
– Virtual private networking (VPN) allows users to build an
encrypted connection across an unencrypted link. Many
corporations employ VPN technology to allow users to pass data
through firewalls.
– To establish a VPN connection, both ends of the link must agree on
encryption keys.
– The VPN routers may be separate devices, or their functionality
may be built into other pieces of network equipment.
Firewalls
– The VPN devices may be in-line, or may reside on
bastion networks. When a connection is requested, the
remote host contacts its VPN router, and asks for a
connection to the local host. The VPN routers build an
encrypted tunnel across the unencrypted network. The
VPN routers are essentially a proxy service.
– When the two hosts communicate, the encrypted packets
are intercepted by the VPN routers, and decrypted.
– The content of these packets is sent to the end hosts
involved in the communication.
– Note that the encrypted traffic is allowed through the
firewall unimpeded; therefore, the security of the entire
network relies on the security of the hosts using the VPN.
If one of those hosts is compromised, all hosts on both
networks are vulnerable to compromise!
Firewalls
• IPSEC
– IPSEC is an IP protocol security package. IPSEC is a series of
protocols that allow the implementation of encryption over an IP
connection.
– IPSEC, in reality, is the base that most virtual private networks are
built on top of. The IPSEC package allows for the following two
modes of operation.
• The headers of the packet are not encrypted, but the data in the
packet is encrypted.
• The entire packet is encrypted, and encapsulated within an
unencrypted packet.
• IPSEC requires that the administrator configure the following databases.
– Security Policy Database (SPD): Database of security policies that
may be applied to an IPSEC device. For example, an SPD might
contain information that means: to access network 10.2.3.4, use
3DES for encryption with HMAC-MD5 for authentication.
– Security Association Database (SAD): Database that contains the
information for each currently established IPSEC link.
Firewalls
• IPSEC relies on/provides the following services.
– Internet Key Exchange (IKE): Method of distributing encryption
key information. This piece of the puzzle is still under
development. RFC 2409 is the standard for IKE, and is currently
under consideration.
– Authentication Header (AH) protocol: Protocol used when the
desire is to encrypt just the transport layer header, and data.
– Encapsulating Security Payload (ESP) protocol: Protocol used
when the entire packet is encrypted, and encapsulated within a
nonencrypted packet.
NOTE: IPSEC will have an impact on the processing speed of
the system’s IP stack!
Firewalls
• Network Address Translation
– Network Address Translation (NAT) was originally developed as a
way for sites using private address space to allow hosts to
communicate over the public network. The address translation is a
proxy service that maps the internal (private) address to an external
(public) address.
• As packets pass through the NAT router, the packets are
modified to replace the private address with the public address of
the router.
• The router keeps a table detailing ongoing conversations. When
a packet arrives from a remote host, the router checks the table
to see which host was communicating with the remote system.
• The router then alters the IP addresses, and forwards the packet
to the internal host. The NAT box provides a proxy translation
service.
Firewalls
– The use of NAT technology is growing rapidly due to the growing
base of DSL and cable modem Internet connections.
• Cable modem and DSL networks are prime playgrounds for
hackers, and there are hundreds of thousands of systems
connected to the Internet that are ripe for the hacking.
• This is true because most home computer users do not realize
they need to do something to secure their computer from the
denizens of the Internet. One way to protect home computers
(and corporate computers as well) is through the use of NAT.
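The conversation table described above, worked through as an added example (not code from the page or from any NAT router). The router keeps one entry per outbound conversation, rewrites the private source to its own public address and a fresh port, maps replies back through the table, and drops inbound packets that match no entry, which is what protects an unsolicited home host behind it. Addresses and field names are constructed assumptions.

```python
"""NAT/masquerading translation table (added example; not the page's or any router's code).
Outbound packets from private hosts leave with the router's public address and a
table-assigned port; replies are mapped back; unsolicited inbound packets are dropped."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, remote ip, remote port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet; record the conversation on first sight."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet rewritten for the internal host, or None when it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None        # no conversation in the table: unsolicited, drop it
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.1")                      # constructed public address
    out = nat.translate_out(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    print("outbound rewritten to", out)
    print("reply mapped to", nat.translate_in(Packet("198.51.100.5", 80, "203.0.113.1", 40000)))
    print("unsolicited probe ->", nat.translate_in(Packet("198.51.100.7", 4444, "203.0.113.1", 135)))
```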
Network Stack Options
• The TCP/IP protocol suite was not developed with today’s attacks in
mind.
• Many portions of the protocol suite provide extremely fertile
environments for attackers to explore and take advantage of.
• Although it is important for the sysadmin to understand these
weaknesses, it is nearly impossible to catalog even a small portion of
the attacks possible due to gray areas in the specifications and/or
inconsistencies in stack implementations.
• The IP protocol defines several optional services hosts may make use of
during a communication session.
• Many of these options are rarely seen in the wild. Some of these options
are used to collect data about a target network, or to finagle ways of
getting information to hosts on the target network.
IP Options
• IP Forwarding
– IP forwarding is the process of forwarding IP packets from one
network segment to another based on the protocol layer address of
the destination. Routers and multi-homed hosts do this routinely.
– Sometimes sysadmins know that the hosts in their domain are
forwarding packets, and sometimes users forget to tell the
administrator they configured their hosts to do this. Therein lies the
problem.
– Attackers have learned that they can sometimes circumvent firewalls
and other monitoring devices using misconfigured devices that
provide IP forwarding.
– For this reason, the sysadmin might decide to explicitly disable this
capability on systems within the enterprise.
IP Options
Source Routing
• Source routing is another option that is rarely generated (on its own) by
the TCP/IP protocol stack.
• Intended as a way for administrators to reroute traffic around failures,
this option has earned favor as a stealthy attack mechanism.
• The source routing option allows the sender to specify a loose or strict
route from host A to host B.
• A loose route is a list of devices the sender wants this communication to
go through on the way to the final destination. The network equipment
may decide to add stops along the way.
• A strict source route is the exact route the sender wants this
communication to traverse.
• Because source routing allows the sender to avoid monitoring devices,
and may allow them to divert traffic to undesirable locations, it is wise to
disable this function, or at a minimum to monitor it closely.
IP Options
• ICMP and ICMP Redirects
– The ICMP protocol is intended to act as a network control protocol.
– Recent attack tools have pointed out that the original intent of
several types of ICMP packets is not the only use for such packets.
– A router usually issues an ICMP redirect to inform a host of an
alternate path to a destination.
– Attackers have learned to use this method to cause hosts to redirect
all communications through another host.
– In effect, the attacker tells the system “send everything to me, and I’ll
deliver it for you.”
– The result is that the attacker has access to all communications sent
from host A to host B through this intermediary.
IP Options
• Fun with Broadcasts
– Broadcast packets are an essential part of the IP version 4 protocol.
– Not surprisingly, the hacker community has found ways to use
broadcast packets as attack tools.
– One “famous” attack was implemented by sending a forged ping
packet to a directed broadcast address.
– This caused all hosts on the network to reply to the “sender.”
– Unfortunately, the sender’s address was forged, so the reply packets
(tens of thousands of them) all went to an unsuspecting target.
– For example, ping 172.16.255.255 would have caused all hosts on
the 172.16.0.0 network to reply.
– This attack was called the “smurf” attack. Other forms of this attack
have used the local broadcast address (255.255.255.255) and
directed subnet broadcast addresses (for example, 192.168.10.255).
– To minimize the ability of her site’s hosts to respond to this type
of attack, the administrator needs to disable the host’s ability to
respond to broadcast pings.
IP Options
• Session Hijacking
– Session hijacking is a technique whereby the attacker monitors
TCP packet sequence numbers, and predicts the next sequence
number.
– Using this technique it is possible to take over (hijack) a session
between two hosts.
– This method was extremely successful against some operating
systems, as the algorithm that was used to generate “random”
sequence numbers was not random at all!
– Most vendors currently ship their systems with relatively weak
sequence number generators.
– Fortunately, vendors give the administrator a method of forcing
the system to use much stronger sequence numbers.
IP Options
• Other Stack Attacks
– Multi-homed hosts have been used to forward spoofed packets to
the network. If your stack offers the option of hardening multi-homed
systems, it is recommended you take advantage of these options.
– SYN floods are a method used to tie up the resources of the system.
A remote host sends thousands of SYN packets to initiate TCP
connections, but the sender never completes the three-way TCP
handshake.
– This leaves the local host in a state of confusion. The host needs to
hold these connections open until the other end responds, or the
connection times out. This may exhaust the resources of the local
host.
– One attack type not handled by modifying driver parameters is IP
spoofing. These attacks make use of a trust relationship between
two systems and the ability to predict the sequence numbers used in
a TCP connection.
– To reduce the predictability of sequence numbers, some operating
systems implement a better system of creating initial sequence
numbers, as recommended in RFC 1498.
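The sequence-number weakness discussed under Session Hijacking and the stronger initial sequence number (ISN) scheme mentioned above, side by side as an added example (not code from the page or from any operating system). The weak generator adds a constant per connection, so one observed ISN reveals the next; the stronger one adds a keyed hash of the connection's four-tuple to a 4-microsecond clock, the structure the cited RFC recommends. The increment, secret and timestamps are constructed assumptions.

```python
"""Weak (constant-increment) versus keyed-hash initial sequence numbers (added example;
not the page's or any vendor's stack code).  Illustrates why the old generator is
predictable and what the per-connection offset of the stronger scheme buys."""
import hashlib
import hmac
import time
from typing import Tuple

FourTuple = Tuple[str, int, str, int]   # (local ip, local port, remote ip, remote port)
MASK32 = 0xFFFFFFFF
WEAK_STEP = 64000                        # constructed: constant per-connection increment


class WeakIsnGenerator:
    """Old-style generator: every new connection gets last + constant, so the ISN of
    the next connection follows from any single observed one."""

    def __init__(self, start: int = 0) -> None:
        self.last = start

    def next_isn(self, _conn: FourTuple) -> int:
        self.last = (self.last + WEAK_STEP) & MASK32
        return self.last


def isn_keyed(conn: FourTuple, secret: bytes, now_us: int) -> int:
    """ISN = M + F(conn, secret).  M is a 4-microsecond clock, so one connection's
    ISNs still rise monotonically; F is a keyed hash of the four-tuple, so the
    offset between two different connections cannot be derived without the secret."""
    m = (now_us // 4) & MASK32
    msg = "{}:{}:{}:{}".format(*conn).encode()
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


def isn_now(conn: FourTuple, secret: bytes) -> int:
    """Convenience wrapper using the host's monotonic clock in microseconds."""
    return isn_keyed(conn, secret, time.monotonic_ns() // 1000)


if __name__ == "__main__":
    c1 = ("10.0.0.1", 1024, "10.0.0.2", 23)      # constructed connections
    c2 = ("10.0.0.1", 1025, "10.0.0.2", 23)
    weak = WeakIsnGenerator(1000)
    print("weak:", weak.next_isn(c1), weak.next_isn(c2))        # differ by WEAK_STEP
    secret = b"constructed-boot-time-secret"
    print("keyed:", isn_keyed(c1, secret, 1_000_000), isn_keyed(c2, secret, 1_000_000))
```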
IP Options
• Hardening the Stack
– The following sections list default settings and methods of
“hardening” (generally disabling) for the previously outlined
problems.
– These constitute only a partial list of TCP stack variables that may be
tuned in order to harden an operating system’s IP stack.
– Refer to your host’s documentation for more information on the stack
implementation for a specific operating environment.
– NOTE: Most operating system vendors provide tools and technical
white papers that describe their TCP/IP stack implementation, and
how to harden their respective stacks.
– For example, the JASS toolkit for Solaris includes a script for
checking/configuring a huge number of stack variables. Contact your
OS vendor for the most up-to-date and comprehensive list of stack
variables for your systems.
IP Options
• IP Forwarding
• The following are IP forwarding hardening strategies.
– Solaris: Default setting (disabled), harden with
• ndd -set /dev/ip ip_forwarding 0
– HPUX: Default setting (enabled on multi-homed hosts), harden
with
• ndd -set /dev/ip ip_forwarding 0
– Linux: Default setting (host disabled, gateway enabled), harden
with
• gateway_enable=0 in /etc/rc.conf
– Windows: Use the network control panel to disable IP forwarding,
or set the following registry key to 0.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
\Parameters\IPEnableRouter=0
IP Options
• Source Route Handling
• The following are source route-handling hardening
strategies.
– Solaris: Default setting (enabled), harden with
• ndd -set /dev/ip ip_forward_source_route 0
– HPUX: Default setting (enabled), harden with
• ndd -set /dev/ip ip_forward_source_route 0
– Linux: Default setting (ignored), harden with
• echo 0 > /proc/sys/net/ipv4/conf/<interface>/accept_source_route
– BSD/MacOSX: Default setting (ignored), harden with
• forward_source_route=0 in /etc/rc.conf
• accept_source_route=0 in /etc/rc.conf
IP Options
• ICMP Redirect Handling
• The following are ICMP redirect-handling hardening strategies.
– Solaris: Default setting (enabled), harden with (N/A)
– HPUX: Default setting (enabled), harden with (N/A)
– Linux: Default setting (host enabled, gateway disabled), harden
with
• echo 0 > /proc/sys/net/ipv4/conf/<interface>/accept_redirects
– BSDI/MacOSX: Default setting (enabled), harden with
• icmp_drop_redirect=1 in /etc/rc.conf;
• icmp_log_redirect=1 in /etc/rc.conf
– Windows 2000: Set the registry values for EnableICMPRedirect and
EnableICMPRedirects to 0, as follows.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Pa
rameters\EnableICMPRedirect=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Pa
rameters\EnableICMPRedirects=0
IP Options
• Broadcast Ping Handling
• The following are broadcast ping-handling hardening
strategies.
– Solaris: Default setting (enabled), harden with
• ndd -set /dev/ip ip_respond_to_echo_broadcast 0;
• ndd -set /dev/ip ip_forward_directed_broadcast 0
– HPUX: Default setting (enabled), harden with
• ndd -set /dev/ip ip_forward_directed_broadcast 0
– Linux: Default setting (enabled), harden with
• echo 0 > /proc/sys/net/ipv4/ip_echo_ignore_broadcasts
– BSDI/MacOSX: Default setting (disabled), harden with
• icmp_bmcastecho=0 in /etc/rc.conf
IP Options
• TCP Sequence Number
– The following is a TCP sequence number hardening
strategy for Solaris.
• Solaris: Default setting (weak protection), harden with
– ndd -set /dev/tcp tcp_strong_iss 2
• Multi-homed Packet Spoofing
– The following is a multi-homed packet-spoofing
hardening strategy for Solaris.
– Solaris: Default setting (enabled), harden with
» ndd -set /dev/ip ip_strict_dst_multihoming 1
• SYN Floods
– Solaris: Default setting (enabled), harden with
» ndd -set /dev/tcp tcp_conn_req_max_q0 10240
– NOTE: On versions of Solaris prior to 2.6, use
» ndd -set /dev/tcp tcp_conn_req_max 1024
IP Options
• Windows 2000: Set the following values under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
– SynAttackProtect=2
– EnableDeadGWDetect=0
– EnablePMTUDiscovery=0
– KeepAliveTime=300000
– NoNameReleaseOnDemand=1
– TcpMaxConnectResponseRetransmissions=2
– TcpMaxDataRetransmissions=3
NOTE: You must be using Windows 2000 Service Pack 2 (SP2) or
later to use the NoNameReleaseOnDemand value.
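A small audit of the Linux /proc/sys/net/ipv4 settings the hardening lists above name (forwarding, source routing, ICMP redirects, broadcast pings), as an added example that is not the page's, JASS's or any vendor's tool. `audit` is a pure function over a mapping of setting to value so it can be run on a constructed snapshot; `read_live` fills such a mapping from /proc on a real host. The tcp_syncookies entry is my addition for the SYN-flood item and the hardened values are the ones the lists call for; `all` is used in place of a per-interface name.

```python
"""Compare Linux /proc/sys/net/ipv4 values with the hardened settings named in the
chapter (added example; not the page's or any vendor's hardening script)."""
import os
from typing import Dict, List, Tuple

# path relative to /proc/sys/net/ipv4 -> hardened value
HARDENED: Dict[str, str] = {
    "ip_forward": "0",                        # IP forwarding off
    "conf/all/accept_source_route": "0",      # ignore source-routed packets
    "conf/all/accept_redirects": "0",         # ignore ICMP redirects
    "icmp_echo_ignore_broadcasts": "1",       # do not answer broadcast pings (smurf)
    "tcp_syncookies": "1",                    # my addition: resist SYN floods
}
ROOT = "/proc/sys/net/ipv4"


def read_live(root: str = ROOT) -> Dict[str, str]:
    """Read the current value of every audited setting; unreadable ones are marked."""
    values: Dict[str, str] = {}
    for name in HARDENED:
        try:
            with open(os.path.join(root, name)) as fh:
                values[name] = fh.read().strip()
        except OSError:
            values[name] = "<unreadable>"
    return values


def audit(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (setting, current, wanted) for each setting not at its hardened value."""
    findings = []
    for name, wanted in HARDENED.items():
        current = values.get(name, "<missing>")
        if current != wanted:
            findings.append((name, current, wanted))
    return findings


# Constructed snapshot of a typical unhardened host (not read from a real system)
SAMPLE_UNHARDENED: Dict[str, str] = {
    "ip_forward": "1",
    "conf/all/accept_source_route": "1",
    "conf/all/accept_redirects": "1",
    "icmp_echo_ignore_broadcasts": "0",
    "tcp_syncookies": "1",
}

if __name__ == "__main__":
    values = read_live() if os.path.isdir(ROOT) else SAMPLE_UNHARDENED
    for name, current, wanted in audit(values):
        print(f"{name}: is {current}, want {wanted}")
```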
Network Monitoring
• Monitoring the network is a never-ending task.
• The sysadmin must be ever vigilant in order to catch the wily attacker.
• But there are several ways of monitoring the network, from simple log
file monitoring to using management tools such as SNMP and RMON to
the high-end intrusion detection systems (IDSs).
• Along the way, some sites even employ sacrificial honeypot systems
that are easy to compromise.
• By monitoring what the bad guys do to the sacrificial lamb, the
administrator has a pretty good idea what they have done to, or are
trying to do to, other systems at the site.
System Monitoring
• Log Files
– One of the easiest ways of monitoring your network is to configure all
of your systems to send syslog messages to a central syslog server.
– This allows you to monitor all systems from one host. It also makes
life for the attacker more difficult.
– Many times the attacker will edit the log files stored on the
compromised host. They will remove all signs that they ever logged
in on the host.
– But the attacker may not notice that the messages were also sent to
another host. And if they do notice, they now have to compromise a
second host in order to completely cover their tracks.
• syslog
– The syslog file is the primary log file under most versions of UNIX.
This file receives copies of all system messages generated by the
syslog utility. The syslog file, placed in different locations (e.g.,
/var/log/syslog, /var/adm/syslog, and /var/syslog) per different
versions of UNIX, is the most important file to monitor.
Log Files
• NOTE: The syslog daemon is controlled by a configuration file,
/etc/syslog.conf, which can be modified to increase the detail of
recorded log file messages, and optionally to display messages on the
system console, or broadcast to the terminals, of specific users. syslog
is also a network service, and logging can be directed to another
machine (such as a central logging server).
• By default, Solaris does not record unsuccessful log-in attempts. To
enable this logging, add the following line to /etc/syslog.conf.
auth.info        /var/log/authlog
• This statement informs the syslog daemon to record the events tagged
as “LOG_AUTH” with a severity of “INFO” or higher in the file
/var/log/authlog. The next step is to create this file and the
corresponding loginlog file. The following commands accomplish this.
touch /var/adm/authlog /var/adm/loginlog
chown root /var/adm/authlog /var/adm/loginlog
chmod 600 /var/adm/authlog /var/adm/loginlog
chgrp sys /var/adm/loginlog
Log Files
• WARNING: An attacker who has gained unauthorized access to a machine
you manage will most likely know about these log files and will modify
them to remove any indication of his/her actions. Log file monitoring
needs to be performed in concert with tools such as ASET and tripwire to
provide a high level of assurance that unauthorized access is discovered.
• Another feature of syslog is remote logging.
• Any of the information logged by syslog can be transmitted to another
syslog process on another system.
• This allows for log information to be centralized. This has several benefits,
including ease of monitoring and making it more difficult for an attacker to
hide his or her tracks.
• The following is an example of a line from syslog.conf that sends the log
messages from the mail facility at level debug or greater to a remote system.
Note that instead of a file name the notation @ followed by a host name is
used.
mail.debug        @log.astrocorp.com
Log Files
• sulog
– The log file produced by the su command is another item a system
administrator should check on a routine basis.
– The command logs both successful and unsuccessful attempts to
obtain root privileges.
– Successful su attempts have a plus symbol (+) listed after the date
and time; unsuccessful attempts show a hyphen or minus sign (-)
after the date and time.
– Unsuccessful su attempts should be investigated thoroughly.
– Any attempts made by persons not authorized to perform system
administration tasks might be a sign of a security breach.
Log Files
• Other Log Files
– The following are system log files that should be routinely checked.
• [as]ppp.log: PPP software logs errors and connections here. Watch
for failed connections as indicators of problems.
• syslog: Here, by default, the syslog service writes error messages
produced by sendmail. Watch for errors of all types.
• messages: By default, the syslog service writes error messages
from a number of different daemons to this file. Watch for errors of
all types.
• maillog: Optional sendmail log file. Check this file for signs of
unauthorized e-mail relay, or attempts to gain access to the system
via the SMTP service.
• cron/log: By default, the cron daemon logs a message when it runs
a scheduled cron job. Watch here for proper operation of
scheduled jobs.
Log File Parsers
• Log File Parsers
– If you decide to make your systems log everything to a central log file
server, you might want to consider the use of tools for summarizing the
data you have collected.
– At a moderately large site, the log information collected can be quite
lengthy and difficult to visually parse.
– Several tools are available for parsing these combined syslog files
and automatically generating alarms when certain types of
messages are logged.
• swatch
– One popular syslog parsing tool is swatch. swatch can actively
monitor a log file and look for patterns.
– When swatch finds a matching pattern, it can display messages or
run commands, such as sending e-mail to alert the system
administrator. swatch can be found at
http://www.stanford.edu/~atkins/swatch/.
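A swatch-style watcher over a central syslog file, plus a check of the sulog format described earlier (+ or - after the date and time), as an added example that is not swatch's or the page's code. The watch patterns, the set of administrators allowed to su to root, and the sample log lines are all constructed to resemble the failed-login, relay and su events the chapter says to look for.

```python
"""Pattern watcher for centralized syslog lines and for sulog (added example; not
swatch's or the page's code).  Matching lines become alert records that a caller
can mail or display, and a per-source tally shows repeated activity from one host."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Constructed watch list: (alert name, pattern applied to the message part)
WATCH = [
    ("ssh_failed_password", re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("repeated_login_failures", re.compile(r"REPEATED LOGIN FAILURES .* FROM (?P<src>[^,]+)")),
    ("smtp_relay_attempt", re.compile(r"relay=\[(?P<src>[^\]]+)\].*Relaying denied")),
]
# Solaris-style sulog line: "SU MM/DD HH:MM [+-] tty from-to"
SULOG_RE = re.compile(
    r"^SU (?P<date>\S+) (?P<time>\S+) (?P<result>[+-]) (?P<tty>\S+) (?P<src>[^-]+)-(?P<dst>\S+)$")


def watch_syslog(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert record per line that matches a watched pattern."""
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for name, pattern in WATCH:
            hit = pattern.search(m.group("msg"))
            if hit:
                alert = {"alert": name, "host": m.group("host"), "ts": m.group("ts")}
                alert.update(hit.groupdict())
                alerts.append(alert)
    return alerts


def sources_by_count(alerts: List[Dict[str, str]]) -> Counter:
    """Tally alerts by remote source so a single noisy host stands out."""
    return Counter(a["src"] for a in alerts if "src" in a)


def watch_sulog(lines: Iterable[str], authorized: Set[str]) -> List[Dict[str, str]]:
    """Flag every failed su, plus any successful su to root by an unauthorized user."""
    alerts = []
    for line in lines:
        m = SULOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["result"] == "-":
            alerts.append({"alert": "su_failed", **rec})
        elif rec["dst"] == "root" and rec["src"] not in authorized:
            alerts.append({"alert": "unauthorized_root_su", **rec})
    return alerts


# Constructed sample lines (not from a real system)
SYSLOG_SAMPLE = [
    "Mar 14 10:21:55 web1 sshd[2311]: Accepted password for alice from 10.1.1.5 port 50212 ssh2",
    "Mar 14 10:22:03 web1 sshd[2318]: Failed password for root from 198.51.100.77 port 41022 ssh2",
    "Mar 14 10:22:05 web1 sshd[2318]: Failed password for root from 198.51.100.77 port 41022 ssh2",
    "Mar 14 10:23:10 mail1 sendmail[990]: relay=[198.51.100.77], reject=550 5.7.1 Relaying denied",
    "Mar 14 10:24:41 db1 login[412]: REPEATED LOGIN FAILURES ON /dev/pts/2 FROM 198.51.100.77, bob",
]
SULOG_SAMPLE = [
    "SU 03/14 10:22 + pts/3 alice-root",
    "SU 03/14 10:25 - pts/5 bob-root",
    "SU 03/14 10:26 - pts/5 bob-root",
    "SU 03/14 10:30 + pts/7 bob-root",
]

if __name__ == "__main__":
    for a in watch_syslog(SYSLOG_SAMPLE):
        print(a)
    print(sources_by_count(watch_syslog(SYSLOG_SAMPLE)))
    for a in watch_sulog(SULOG_SAMPLE, authorized={"alice"}):
        print(a)
```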
Log File Parsers
• logcheck
– logcheck is a log parser distributed by Psionic Corporation. logcheck
is available for multiple versions of UNIX, at
http://www.psionic.com/abacus/logcheck/
• Intrusion Detection Systems
– Intrusion detection systems (IDSs) are similar to firewalls.
– The difference is that IDS systems do not (typically) block traffic.
– The IDS system monitors every packet that traverses the network.
– The IDS compares every packet to a set of rules that specify what
the administrator believes are bad (dangerous) packets.
– If a bad packet is found, it is logged. The logging may be in real time,
in which case an alarm may be set off.
– More often than not, the log is processed at a later date, so real-time
alarms are not available.
– Many IDS systems do not perform content filtering. They simply look
at packet headers to determine if the packet is dangerous or not.
Log Files
– IDS systems that perform content filtering are available, but you may
want to check your company’s rules about the use of these systems,
as some may consider them an invasion of privacy!
– Several IDS packages are available free from the Internet.
– There are also many commercial IDS systems available.
– The following sections describe some of the more popular IDS
systems. See http://www.networkintrusion.co.uk/N_ids.htm/ for more
information on IDS freeware and commercial offerings.
• tcpdump
– tcpdump was originally developed by Van Jacobson’s TCP/IP
research group at Berkeley.
– tcpdump is a rules-driven packet sniffer.
– If the rules are simple (catch everything), tcpdump can capture
everything that goes by on the network, and log it to a file.
Log Files
– The log file can then be played back through a different set of filters
to pull out the “interesting” packets. The SHADOW IDS
http://www.nswc.navy.mil/ISSEC/CID/ is one IDS system that
employs tcpdump to collect raw packets for analysis. tcpdump is
available at http://www.tcpdump.org/
– NOTE: The SHADOW IDS system is not a real-time IDS. The
information is collected and stored for a short interval (typically an
hour) and analyzed off-line. Although this near real-time operation
may be useful for collecting archives of conversations, it would not
be acceptable for many commercial sites.
Log Files
• SNORT
– SNORT is a rules-driven IDS package. SNORT loads a set of rules
and compares every packet to the rules.
– If the packet matches a rule, the packet is logged.
– SNORT has the ability to log the captured packets in tcpdump
format, but by default it generates a text file containing the alerts.
– There are several add-on utilities that can parse SNORT logs, and
generate web pages containing the output.
– SNORT also has the ability to send resets to the attacker (active
response), to close connections. SNORT is available at
http://www.snort.org/
Log Files
• bro
– bro is another rules-driven IDS system.
– bro contains a powerful description language used to create capture
filters.
– Although the bro language is very powerful, and makes for a nice
IDS package, many sysadmins find it cumbersome to work with, as it
is yet another language to remember. bro was developed at
Berkeley, and is currently available at http://www-org.ee.lbl.gov/broinfo.html/
• Commercial IDS Systems
– Several companies produce IDS systems. Among these are Cisco,
Internet Security Systems, Network Flight Recorder, and Check Point
Software Technologies. It seems that every day another offering
pops up on the market. The following offerings are well-respected
commercial IDS systems.
Log Files
• Network Flight Recorder (NFR) is a commercial IDS system
produced by Network Flight Recorder. Information is available at
http://www.nfr.com/
• RealSecure is a commercial IDS system developed by Internet
Security Systems (ISS).
• Enterasys Dragon is a series of tools, applications, and hardware
that forms the basis of one of the top commercial IDS systems.
Information on the Enterasys Dragon IDS is available at
http://www.enterasys.com/
• Cisco IDS (Formerly NetRanger) is Cisco’s second generation
IDS system. Information on Cisco IDS is available at
http://www.cisco.com/go/ids/
Honeypots
• Honeypots
– Honeypots are specially instrumented “bait” for attackers.
– The honeypot appears to the attacker to be a normal system on the
network.
– The honeypot is not secure; in fact, it is often configured to be
anything but secure.
– The idea behind the honeypot is to allow the attacker to break in, and
then log everything the attacker does while on the system.
– By monitoring every keystroke the attacker types, the sysadmin can
learn a little bit about the skills of the attacker, the tools the attacker
employs, and possibly the attacker’s motives.
– The deception toolkit (dtk) is one honeypot package. The dtk
package is available at http://www.all.net/dtk/
– Others include BackOfficer Friendly, Mantrap, CyberCop Sting, and
Spectre. Consult http://www.networkintrusion.co.uk/honey.htm/ for
more information on honeypot systems.
Simple Network Monitor Protocol
• SNMP
– The Simple Network Monitor Protocol (SNMP) is an optional part
of the TCP/IP package on most operating systems.
– The SNMP protocol defines packet types that allow a
management host to poll client hosts (agents) in order to collect
data about the client.
– The data collected is often performance information related to
network interfaces on the host.
– This includes packet counts, byte counts, and error counts per
interface. The SNMP package on most systems has been found
to be very insecure.
– It is recommended you disable SNMP unless you absolutely need
to run it.
Simple Network Monitor Protocol
• SNMP
– SNMP also provides a method for configuring remote devices.
– This requires that a “write-community” (password) string be
enabled on the remote host.
– The SNMP management station authenticates itself to the remote
host using the write-community string, and proceeds to write new
configuration information to the remote client.
– This is a very dangerous capability!
– The variables that can be set include IP address, gateways,
name servers, and other important IP information.
Simple Network Monitor Protocol
– This capability should be disabled unless it is critical to the operation
of your network!
– SNMP operates on data structures called management information
bases (MIBs).
– Every network device manufacturer provides MIB definitions for its
products. The SNMP management station uses the MIB to determine
what information is available in read/write form for the agent
system(s).
– WARNING: Several security problems have been found with the
SNMP protocol. Make sure you read all CERT and manufacturer
security notes about SNMP before enabling it on your systems!
– The Remote Monitor protocol (RMON) is built on top of an SNMP
MIB.
– RMON allows even more information to be collected from the host,
including memory use, CPU utilization, disk space utilization and
throughput, application layer statistics, number of users, processor
load, and input/output statistics.
Forensics
• Forensics is the science of collecting evidence and
assessing its meaning.
• Computer forensics generally deals with collecting evidence
after a host has been compromised.
• The legal concepts of “chain of evidence” and “preservation
of evidence” are also important facets of forensics.
• Depending on several factors, it may be necessary to have
someone on the system administration staff trained in the
legalities of the collection of evidence, or to keep an
organization trained in forensics on retainer in the event
your hosts get hacked.
When You Think You Have Been
Hacked
• The first thing to do when you think you have been hacked is to take a
deep breath and relax. You might as well relax for a minute before you
dive into the hunt.
• Once you have caught your breath you need to think about how you
plan to approach the problem.
• You think a system has possibly been compromised.
• Anything you do that might change the state of the machine might
destroy valuable evidence.
• Even the act of logging in on the machine to look around may
compromise the legal value of the evidence, as log files record the fact
that you logged in.
• This same log file might contain information detailing the IP address of
the machine that compromised the host.
• However, by logging in you may cause this information to be tainted, as
you altered the evidence.
When You Think You Have Been Hacked
• Even the act of performing a file system backup can alter evidence.
– The backup program “touches” each file.
– This changes the access time on a file, thereby tainting it as
evidence.
– Special programs are available for performing backups that do not
alter any access information for the files.
– You might consider checking out the Coroner’s Toolkit (TCT).
– The toolkit is a collection of utilities that can help determine what
happened, when it happened, and how it happened.
– The toolkit is available at http://www.fish.com/security/
• NOTE: The TCT tool is not “court proven” at this point in time. If you
want to ensure that your evidence is court eligible, you might want to
look at the Encase product from Guidance Software. Information on the
Encase software is available at http://www.encase.com/
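The following is an added example for this chapter, not code from the book, from TCT or from Encase. It shows in working Python why the "backup touches each file" point matters and how a collector avoids it: stat() data (which does not alter the access time) is recorded before any content is read, content is then hashed through a Linux O_NOATIME descriptor when the platform allows it, and the recorded timestamps are turned into a MAC-time timeline of the kind TCT builds. The sample file, its content and its back-dated timestamps are constructed here so the result is predictable.

```python
"""Evidence-preserving file collection: metadata first, content read second.

Added example, not the chapter's own code. An ordinary read (as a backup
does) updates the file's access time, so the collector records stat() data
before it reads anything and, where supported, reads with O_NOATIME.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(path):
    """Capture size, mode, ownership and MAC times; stat() itself does not
    modify the access time."""
    st = os.lstat(path)
    return {
        "path": path,
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime_ns": st.st_mtime_ns,
        "atime_ns": st.st_atime_ns,
        "ctime_ns": st.st_ctime_ns,
    }


def open_noatime(path):
    """Open read-only without touching atime where possible.

    O_NOATIME is Linux-only and requires owning the file (or CAP_FOWNER);
    otherwise fall back to a plain open and report that the open flag did
    not protect the access time."""
    noatime = getattr(os, "O_NOATIME", 0)
    try:
        return os.open(path, os.O_RDONLY | noatime), bool(noatime)
    except PermissionError:
        return os.open(path, os.O_RDONLY), False


def sha256_noatime(path):
    """Hash file content through an O_NOATIME descriptor when available."""
    fd, preserved = open_noatime(path)
    digest = hashlib.sha256()
    with os.fdopen(fd, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest(), preserved


def collect(paths):
    """Order matters: snapshot metadata, then hash content."""
    records = []
    for path in paths:
        rec = snapshot(path)          # taken before any read of the file
        rec["sha256"], rec["atime_preserved"] = sha256_noatime(path)
        records.append(rec)
    return records


def timeline(records):
    """MAC-time timeline in the spirit of TCT's mactime: one row per distinct
    timestamp per file, flagged m/a/c for the times that match it."""
    rows = []
    for rec in records:
        times = {"m": rec["mtime_ns"], "a": rec["atime_ns"], "c": rec["ctime_ns"]}
        for ts in sorted(set(times.values())):
            flags = "".join(k if times[k] == ts else "." for k in "mac")
            rows.append((ts, flags, rec["path"]))
    return sorted(rows)


def demo():
    """Constructed sample: one file with known content ("abc") and back-dated
    access/modify times; ctime is set by the kernel to the current time."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    sample = os.path.join(workdir, "sample.txt")
    with open(sample, "wb") as fh:
        fh.write(b"abc")
    atime_ns = 1_000_000_000 * 10**9   # 2001-09-09 UTC, constructed
    mtime_ns = 1_000_000_100 * 10**9   # 100 s later, constructed
    os.utime(sample, ns=(atime_ns, mtime_ns))
    records = collect([sample])
    return {"record": records[0], "timeline": timeline(records),
            "atime_ns": atime_ns, "mtime_ns": mtime_ns}


if __name__ == "__main__":
    result = demo()
    for ts, flags, path in result["timeline"]:
        print(ts, flags, path)
```

Running the file prints three timeline rows for the sample: the access time (".a."), the modification time ("m..") and the change time ("..c"), with the recorded atime still equal to the back-dated value because it was captured before the read. On a platform without O_NOATIME, `atime_preserved` is False and only the ordering of the snapshot protects the recorded value.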
When You Think You Have Been Hacked
• You should also try to avoid letting the intruder know that you are
watching.
• This is one place an IDS can be extremely valuable.
• You create a set of filters to monitor all communications to and from the
suspect host.
• By monitoring from another host, you are not disturbing evidence
already on the compromised host’s disk drive.
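The slide above describes watching a suspect host from somewhere else on the network. As an added example (not part of the chapter, and not any IDS product's code), the Python below applies that filter to a constructed set of connection summaries of the kind a span-port sensor or IDS could produce: it keeps only records in which the suspect host is a party, groups them by direction, peer, protocol and service port, and lists outbound groups that moved more than a chosen number of bytes. The suspect address 192.0.2.10, the peers and the log format are all assumptions made for the example.

```python
"""Summarise traffic to and from a suspect host from a capture taken on
another machine, so nothing on the suspect's disk is disturbed.

Added example, not the chapter's own code. SAMPLE_LOG is constructed:
"ts src sport dst dport proto bytes", one connection per line.
"""
from collections import defaultdict
from dataclasses import dataclass

SUSPECT = "192.0.2.10"          # assumed suspect host (documentation range)

SAMPLE_LOG = """\
# ts         src           sport  dst            dport proto bytes
1718000001 192.0.2.10    40112  198.51.100.7   22    tcp   1840
1718000003 203.0.113.44  51234  192.0.2.10     80    tcp   512
1718000004 192.0.2.10    40113  198.51.100.7   22    tcp   96
1718000010 192.0.2.10    53112  198.51.100.53  53    udp   78
1718000011 192.0.2.20    33000  192.0.2.30     445   tcp   2048
1718000020 192.0.2.10    40200  203.0.113.44   6667  tcp   30911
"""


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse(text):
    """Parse the constructed whitespace-separated format; skip comments."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        conns.append(Conn(int(ts), src, int(sport), dst, int(dport),
                          proto, int(nbytes)))
    return conns


def involving(conns, host):
    """The filter: keep records where the host is source or destination."""
    return [c for c in conns if host in (c.src, c.dst)]


def peer_summary(conns, host):
    """Group by (direction, peer, proto, service port) with counts, byte
    totals and first/last seen timestamps."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0,
                                   "first": None, "last": None})
    for c in involving(conns, host):
        if c.src == host:
            key = ("out", c.dst, c.proto, c.dport)
        else:
            key = ("in", c.src, c.proto, c.dport)
        s = summary[key]
        s["count"] += 1
        s["bytes"] += c.nbytes
        s["first"] = c.ts if s["first"] is None else min(s["first"], c.ts)
        s["last"] = c.ts if s["last"] is None else max(s["last"], c.ts)
    return dict(summary)


def large_outbound(summary, threshold):
    """Outbound groups whose byte total exceeds threshold, largest first."""
    hits = [(key, val["bytes"]) for key, val in summary.items()
            if key[0] == "out" and val["bytes"] > threshold]
    return sorted(hits, key=lambda kv: -kv[1])


if __name__ == "__main__":
    conns = parse(SAMPLE_LOG)
    summary = peer_summary(conns, SUSPECT)
    for key, val in sorted(summary.items()):
        print(key, val)
    print("large outbound:", large_outbound(summary, 10000))
```

The filter here is a host match, the simplest case; a real deployment would express the same filter in the sensor's own language so that only the suspect's traffic is captured in the first place. The summary is what an analyst reads: which peers the host talked to, in which direction, and how much moved, all obtained without logging in to the suspect.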
When You Know You Have Been Hacked
• Again, the first thing to do when you know you have
been hacked is to take a deep breath and relax.
• You might as well relax for a minute before you dive
into the task of forensics and remediation.
• Every site should have a well-documented disaster
recovery plan that includes a plan for dealing with
attacks and compromised hosts.
• This plan should include the following elements.
When You Know You Have Been Hacked
• How to react to the attack
• Collection of information about the attack
• Determining what level of exposure this incident has caused
• Rules to determine when to disconnect this system from the network, or
the entire site from the network
• A uniform recovery plan
• How the recovery plan will be communicated to users
• Steps involved in implementing the recovery plan
• Information regarding how to report the incident to the appropriate
authorities
• An incident response team should be formed to deal with all compromises.
This ensures that every compromise is handled using the same
procedures. In the event this becomes a legal case, the uniformity may be
helpful. This team might want to use the CERT incident reporting form,
available at www.cert.org/, to standardize the information collection and
reporting process.
Summary
• Securing networked systems is a challenge, especially for systems
connected to the Internet.
• The current Internet provides an environment rich in potential threats,
including automated scans and attacks.
• Almost every OS provides numerous network services, each with the
potential of offering unauthorized access.
• This chapter discussed several methods of securing a networked
system.
• The use of firewalls and/or filtering routers can provide a site with a first
line of defense against unauthorized access.
• Turning off services wherever possible affords the best security.
• When services are required, careful attention to access methods and
controls, and continual monitoring for unauthorized access, can help
make a networked system more secure.
Resources
• Chapman, Brent, and Elizabeth D. Zwicky, Building Internet Firewalls.
Sebastopol, CA: O’Reilly & Associates, 1995, (ISBN 1-56592-124-0).
(Covers the setup and maintenance of firewalls.)
• Computer Emergency Response Team (CERT), http://www.cert.org/;
[email protected]; 1-412-268-7090. (The national contact for computer
security. This web site contains a wealth of information on security
matters, and pointers to the security software mentioned in this chapter.)
• Computer Incident Advisory Capability (CIAC), http://ciac.llnl.gov/;
[email protected]; 1-510-422-8193. (Government and education contact for
computer security. Provides an excellent mailing list, with updates on the
latest security problems and their solutions.)
• ftp://coast.cs.purdue.edu/pub/ (A well-known FTP archive for security
tools, including TCP wrappers, tripwire, nessus, nmap, and satan.)
• Garfinkel, Simson, and Gene Spafford, Practical UNIX and Internet
Security, 2d ed. Sebastopol, CA: O’Reilly & Associates, 1996, (ISBN
1-56592-148-8). (A detailed and complete guide to security for UNIX
systems connected to the Internet.)
Resources
• Garfinkel, Simson, and Gene Spafford, Web Security and Commerce.
Sebastopol, CA: O’Reilly & Associates, 1997, (ISBN 1-56592-269-7).
(Targets web server security and security of transactions executed over
the Web.)
• McClure, Stuart, Joel Scambray, and George Kurtz, Hacking Exposed:
Network Security Secrets & Solutions, 3d ed. New York: McGraw-Hill
Professional Publishing, 2001, (ISBN 0-07-219381-6).
• Northcutt, Stephen, Network Intrusion Detection: An Analyst’s Handbook,
2d ed. Indianapolis, IN: New Riders, (ISBN 0-7357-1008-2).
• Pomeranz, Hal (ed.), Solaris Security: Step by Step. Colorado Springs:
SANS Institute, 1999; (719) 599-4303 or [email protected]. (A very thorough
checklist of procedures for tightening the security of a Solaris system.
Step-by-step guides for Linux, Windows, routers, and intrusion detection
are also available from http://www.sans.org/)
• www.cs.purdue.edu/homes/spaf/hotlists/csec-top.html (Professor Gene
Spafford’s well-maintained Purdue list of security-related web sites.)