Lesson Six: Safeguards & Countermeasures
Copyright © Center for Systems Security and Information Assurance

Lesson Objectives
• Identify common terms associated with information security countermeasures.
• Define and identify the various types of firewalls.
• Discuss the approaches to dial-up access and protection.
• Identify and describe the two categories of intrusion detection systems and discuss the two strategies behind intrusion detection systems.
• Discuss scanning, analysis tools, and content filters.
• Understand trap and trace technologies.
• Discuss various approaches to biometric access control.

IT Security Countermeasures
• Countermeasures come in a variety of sizes, shapes, and levels of complexity.
• Countermeasures must begin with a thorough organizational security policy and include technologies, education, and enforcement.

Demilitarized Zone (DMZ)
• Sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet
• Contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers, and DNS servers

Bastion Host
• A gateway between an inside network and an outside network
• A security measure to defend against attacks aimed at the inside network
(Figure: Trusted network, Firewall, DMZ with Bastion Host, Firewall, Untrusted Internet)

Network Address Translation (NAT)
• Located where the LAN meets the Internet
• Provides a type of firewall by hiding internal IP addresses from external or untrusted users
• Expands the number of internal IP addresses available to an organization
• No possibility of conflict with IP addresses used by other companies and organizations

NAT
• Reserved NAT addresses:
  10.x.x.x
  172.16.x.x
  192.168.x.x

Firewalls
• Any device that prevents a specific type of information from moving between an untrusted network and a trusted network
• Made up of both software and hardware:
  May reside on a separate and dedicated computer system
  May reside on an existing computer or network device (router or switch)
  May reside on a dedicated appliance specifically designed for greater performance

First Generation Firewalls
• Called packet filtering firewalls
• Examine every incoming packet header and selectively filter packets based on:
  addresses
  packet types
  port requests
  other factors
• Implement restrictions based on:
  IP source and destination address
  Direction (inbound or outbound)
  TCP/UDP source and destination port requests

Second Generation Firewalls
• Called application-level firewalls or proxy servers
• A dedicated computer separate from the filtering router (filtering routers can still be implemented behind the proxy server)
• Exposed to the outside world in the DMZ
• Traffic passes through the proxy, which translates the IP address
• Designed for a specific protocol and cannot easily be reconfigured to protect against attacks on protocols for which they are not designed (primary disadvantage)

Third Generation Firewalls
• Called stateful inspection firewalls
• Track each network connection established between trusted and untrusted networks
• If the stateful firewall receives an incoming packet that it cannot match in its state table, it defaults to its access control list to determine whether to allow the packet to pass
• Require additional processing to manage and verify packets against the state table (primary disadvantage)

Fourth Generation Firewalls
• Called context-based access control (CBAC) firewalls
• Intelligently filter packets based on application-layer protocol session information and can be used for intranets, extranets, and internets
• Configured to permit specified traffic through the firewall only when the connection is initiated from within the network you want to protect
• Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer or, at most, the transport layer
• Allow support of protocols that involve multiple channels created as a result of negotiations in the control channel
• Provide the following benefits:
  Java blocking
  Denial-of-Service prevention and detection
  Real-time alerts and audit trails

Fifth Generation Firewalls
• Called the kernel proxy, a specialized form that works under the Windows NT Executive (the kernel of Windows NT)
• Evaluates packets at multiple layers of the protocol stack
• More secure because the general-purpose OS under a conventional firewall is itself another vulnerability
• More secure and performs additional security inspections because the OS kernel was specifically designed for the firewall
(Figure: Trusted network, Kernel Proxy Firewall (a firewall with a scaled-down OS), DMZ with Web, Email and FTP servers, Untrusted Internet)

RADIUS
• Most common access server for authenticating and authorizing dial-up users of an organization's network
• Comprises three components:
  An authentication protocol
  A server (points to the RADIUS authentication database)
  A client
• Supports a variety of methods to authenticate a user:
  PPP
  PAP
  CHAP

TACACS Authentication
• Short for Terminal Access Controller Access Control System
• Commonly used in UNIX networks
• Allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network

Intrusion Detection System (IDS)
• Identifies and tracks packets entering and leaving a monitored network
• Acts as an alarm system, notifying you of unusual events or traffic patterns
• Monitors your network and takes automatic predefined action
• Available options when implementing an IDS:
  Host-based IDS
  Network-based IDS

Host-based Intrusion Detection System (HIDS)
• Installed locally on host machines
• Installed on many different types of machines (servers, workstations, and notebook computers)
• Traffic transmitted to the host is analyzed and passed on to the host only if the transmission contains no potentially malicious packets
• Host-based installations focus on anomalies on the local machine
• Platform specific
• Complete coverage requires both host-based and network-based IDS

Network-based Intrusion Detection Systems (NIDS)
• Operate differently from host-based systems
• Scan network packets, auditing packet information, and log any suspicious packets into a special log file with extended information
• Scan their own database for known network attack signatures and assign a severity level to each suspicious packet
• Investigate the nature of the anomaly; if severity levels are high enough, a warning e-mail or pager call is placed to security team members
• Known malicious network activity:
  IP spoofing
  Denial-of-service attacks
  ARP cache poisoning
  DNS name corruption
  Man-in-the-middle attacks
• Require that the host system's network device be set to promiscuous mode, which allows the device to capture every packet passed on the network

Port Scanners
• All machines connected to a Local Area Network (LAN) or the Internet run many services that listen at well-known and not-so-well-known ports
• By port scanning, the attacker finds which ports are available (i.e., what service might be listening on a port)
• A port scan consists of sending a message to each port, one at a time
• The kind of response received indicates whether the port is used and can therefore be probed further for weaknesses

Port Numbers
• Port numbers are not strictly controlled, but over the decades certain ports have become standard for certain services
• Port numbers are unique only within a computer system
• Port numbers are 16-bit unsigned numbers
• Port numbers are divided into three ranges:
  Well Known Ports (0 - 1023)
  Registered Ports (1024 - 49151)
  Dynamic and/or Private Ports (49152 - 65535)

Well-Known Ports
• Ports numbered 0 to 1023 are assigned to services by the Internet Assigned Numbers Authority (IANA)
• Sample ports:
  Echo         7/tcp
  FTP-data     20/udp
  FTP-Control  21/tcp
  SSH          22/tcp
  Telnet       23/tcp
  DNS          53/udp
  WWW-HTTP     80/tcp

Vulnerability Scanners
• Capable of scanning networks for very detailed information
• Identify exposed usernames and groups
• Show open network shares
• Expose configuration problems and other vulnerabilities in servers

Packet Sniffers
• Collect copies of packets from the network and analyze them
• Eavesdrop on the network traffic
• Legal uses include:
  Being on a network that the organization owns
  Being under direct authorization of the owners of the network
  Having knowledge and consent of the content creators (users)

Content Filters
• Allow administrators to restrict accessible content from within a network
• Restrict Web sites with inappropriate content

Honey Pots
• Detect encrypted attacks in IPv6 networks and capture the latest in on-line credit card fraud
• Designed to distract the attacker while notifying the administrator of a possible attack or break-in
• Provide two major security features:
  Slow down the attacker
  Provide detection and tracking

Biometrics
• Automatically recognizing a person using distinguishing traits
• Defined as automated methods of identifying or verifying the identity of a living person based on physiological or behavioral characteristics (http://www.idsysgroup.com/ftp/biometrics_101_ISG.pdf)

Types of Biometrics
• Iris Recognition
• Finger Scan
• Hand Geometry
• Facial Recognition
• Signature Dynamics
• Voice Dynamics
• Retinal Scan
• Vascular Patterns
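The First and Third Generation Firewalls slides above describe a stateless access control list and a state table that falls back to that list. The following is an added example written for this transcript, not code from the lesson or the Center; the addresses, ACL rules and the Packet fields are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = trusted -> untrusted, "in" = untrusted -> trusted
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# First-generation filter: an ACL on header fields only. Each rule is
# (direction, proto, src network, dst network, dst port); first match allows,
# anything unmatched is denied. Addresses are constructed sample values.
ACL = [
    ("out", "tcp", "192.168.1.0/24", "0.0.0.0/0", 80),    # browsing out
    ("out", "udp", "192.168.1.0/24", "0.0.0.0/0", 53),    # DNS out
    ("in",  "tcp", "0.0.0.0/0", "192.168.1.10/32", 22),   # SSH to one host
]

def acl_decision(pkt):
    """Stateless packet filtering: match header fields against the ACL."""
    for direction, proto, src_net, dst_net, dport in ACL:
        if (direction == pkt.direction and proto == pkt.proto
                and ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)
                and dport == pkt.dport):
            return "allow"
    return "deny"

class StatefulFirewall:
    """Third generation (stateful inspection): consult the state table first and
    fall back to the ACL for packets that match no tracked connection."""
    def __init__(self):
        self.state = set()  # (proto, inside ip, inside port, outside ip, outside port)

    def _flow(self, pkt):
        # Both directions of one connection map to the same state-table key.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        flow = self._flow(pkt)
        if flow in self.state:
            return "allow (state table)"
        decision = acl_decision(pkt)
        if decision == "allow":
            self.state.add(flow)  # remember it so the reply can come back
        return decision + " (acl)"
```

The reply to an allowed outbound connection passes on the state table alone, while an unsolicited inbound packet to the same host and port falls through to the ACL and is denied.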
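The Network-Based Intrusion Detection Systems slides above describe matching packets against a signature database, logging suspicious ones with extended information and a severity, and notifying the team only above a severity level. This added example (written for this transcript, not the lesson's own code) implements that flow with two of the listed signatures, IP spoofing and ARP cache poisoning; the packet dictionary keys, the severities, the threshold and the sample capture are constructed assumptions, and the reserved ranges come from the NAT slide.

```python
from ipaddress import ip_address, ip_network

# Reserved internal ranges from the NAT slide; a packet arriving on the external
# interface with such a source address is a classic sign of IP spoofing.
RESERVED = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALERT_THRESHOLD = 8  # assumed severity at which the team gets an e-mail / page

class NetworkIDS:
    def __init__(self):
        self.arp_table = {}  # ip -> mac learned from earlier ARP replies
        self.log = []        # suspicious packets, with extended information
        self.alerts = []     # entries that would trigger the e-mail / pager call

    # Each signature returns (description, severity) on a match, else None.
    def sig_spoofed_source(self, pkt):
        if pkt.get("iface") == "external" and "src" in pkt:
            if any(ip_address(pkt["src"]) in n for n in RESERVED):
                return ("IP spoofing: reserved source on external interface", 6)
        return None
    def sig_arp_poison(self, pkt):
        if pkt.get("type") != "arp-reply":
            return None
        ip, mac = pkt["ip"], pkt["mac"]
        known = self.arp_table.setdefault(ip, mac)  # first sighting is trusted
        if known != mac:
            return ("ARP cache poisoning: %s moved %s -> %s" % (ip, known, mac), 9)
        return None

    def inspect(self, seq, pkt):
        """Check one packet against every signature; return matched severities."""
        hits = []
        for sig in (self.sig_spoofed_source, self.sig_arp_poison):
            hit = sig(pkt)
            if hit:
                desc, severity = hit
                entry = {"seq": seq, "signature": desc, "severity": severity, "packet": pkt}
                self.log.append(entry)             # always logged with full detail
                if severity >= ALERT_THRESHOLD:
                    self.alerts.append(entry)      # only high severity pages anyone
                hits.append(severity)
        return hits

def run_sample():
    """Constructed capture: benign traffic, one spoofed source, one ARP poison."""
    ids = NetworkIDS()
    sample = [
        {"iface": "external", "type": "tcp", "src": "203.0.113.7", "dst": "198.51.100.2"},
        {"iface": "internal", "type": "arp-reply", "ip": "192.168.1.1", "mac": "aa:bb:cc:00:00:01"},
        {"iface": "external", "type": "tcp", "src": "10.4.4.4", "dst": "198.51.100.2"},
        {"iface": "internal", "type": "arp-reply", "ip": "192.168.1.1", "mac": "de:ad:be:ef:00:02"},
    ]
    for seq, pkt in enumerate(sample, 1):
        ids.inspect(seq, pkt)
    return ids
```

The spoofed packet is logged but stays below the threshold, while the conflicting ARP reply both lands in the log and raises the alert.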