The network shown in the above figure belongs to a hypothetical Internet Service
Provider, XYZ CO, LTD. The company provides its clients with Internet access
through several access methods: Integrated Services Digital Network (ISDN),
56 K dial-up modem and high-speed leased lines for corporate clients. The
company has two regional offices (Points of Presence) located in different cities,
which gives clients a flexible roaming access solution within those cities. In
addition to providing Internet access, XYZ also supports web and DNS hosting for clients.
The XYZ network is based on a hub-and-spoke model, with all regional offices
connecting back to the main office for major services, Internet access and
accounting. To reduce the amount of traffic travelling on the intranet backbone
between the regional offices and the main office, each regional office hosts a
small number of the most heavily accessed servers.
The main office and the regional offices have a similar building block layout, with
each location (POP) consisting of 4 main blocks (refer to figure 1.1). A multi-port
firewall is connected to each building block to enforce the desired level of overall
security. The first block consists of the XYZ Local Area Network. The data link
medium in use for the Local Area Network at the main office is traditional Ethernet
(802.3), with wireless access points located throughout the building that give
authorized mobile users with a wireless card instant access to the company network.
Regional sites support only traditional Ethernet (802.3) LAN. The local area network
is broken down into separate subnets, each accommodating a different department.
Wireless clients are also placed on their own subnet so that policy can be enforced
on them separately from the wired LAN.
Refer to the figure 2.1 below for a brief view of XYZ LAN.
The third section of the network contains the publicly accessed servers. These
servers require external connections in order to perform their function. A subnet
has been allocated to this section to ease management and to reduce the size of the
broadcast and collision domains. These are the most vulnerable servers, since they
are directly exposed to the outside world. This zone (section) is called the DMZ
(servers located here are usually called bastion hosts). The corporate firewall
allows only traffic destined for the known service ports on each machine through to
the zone. This does not stop an attacker from port scanning the servers, but it
limits what a scan can reach to the services that must be exposed anyway, so a
scan reveals nothing beyond the published services. Refer to figure 4.1 for the
diagram of the zone.
When a user dials into the network he/she is authenticated by the RADIUS servers,
which fetch the appropriate account information from the LDAP server located in the
secure subnet. All accounting information is also written to the database servers
located in the secure subnet. Refer to figure 5.1 for the complete remote access
solution offered by XYZ.
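The dial-in exchange described above, between the access server and the RADIUS server, relies on the shared secret between the two to hide the user's password in the Access-Request. The following is an added example (not taken from this report, and not the XYZ configuration) that builds such an Access-Request with the RFC 2865 User-Password hiding scheme, parses it on the server side and checks the recovered password against a dictionary that stands in for the LDAP account store. The shared secret, user name, password and account store are constructed values.

```python
"""RADIUS Access-Request with the RFC 2865 User-Password hiding scheme.

Added example, not taken from the report. Builds the Access-Request that a
NAS (dial-in access server) sends to the RADIUS server, with the password
obfuscated under the NAS/RADIUS shared secret, and shows the server side
recovering it and checking it against a stand-in for the LDAP account store.
The shared secret, user names and passwords below are constructed values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: XOR the NUL-padded password with a chained MD5 stream."""
    pad = (-len(password)) % 16
    if len(password) == 0:
        pad = 16                      # the RFC requires at least one 16-octet block
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk                  # next block is keyed on the previous ciphertext block
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, username, password, authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, attrs


# Constructed stand-in for the LDAP account store (plaintext only to keep the
# example short).
ACCOUNTS = {b"alice": b"correct horse"}


def radius_server(secret, packet):
    """Return ACCESS_ACCEPT or ACCESS_REJECT for an incoming Access-Request."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return ACCESS_REJECT
    password = reveal_password(secret, authenticator, attrs[ATTR_USER_PASSWORD])
    return ACCESS_ACCEPT if ACCOUNTS.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT


if __name__ == "__main__":
    secret = b"xyz-nas-shared-secret"
    req = build_access_request(secret, 7, b"alice", b"correct horse")
    print("good secret :", radius_server(secret, req))       # 2 (Access-Accept)
    print("wrong secret:", radius_server(b"guessed", req))    # 3 (Access-Reject)
```

The wrong-secret case is the one to note: a RADIUS server configured with a different shared secret recovers garbage, so the password never matches, but the scheme is only as strong as the secret and MD5, which is why the report's later choice to protect the RADIUS/LDAP links with stronger encryption matters.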
The following section details some of the security threats that the XYZ ISP would
have to face.
1] Trojan horse programs
A Trojan horse is a backdoor program. An attacker tricks users, through social
engineering or other means, into installing the Trojan. Once the Trojan is in
place the attacker can control the infected machine.
Since the ISP will be running some of its servers on Windows NT based systems, a
possible threat exists from tools such as Back Orifice, NetBus and SubSeven. These
backdoor or remote administration programs, once installed, give the attacker
unconditional access to and control of the system.
3] Denial of service
A Denial of Service (DoS) attack is one of the most common types of attack. To
perform a DoS attack on a host, the intruder continuously floods the victim
machine with packets until the application running on the victim stops responding,
or the victim machine crashes because its buffers or other resources are exhausted.
4] Email spoofing
Email spoofing is when an email message appears to have originated from one source
when in fact it has been sent by another. This form of attack is very common, and
the spoofed messages range from simple junk mail to social engineering attempts
that try to get users to release confidential information such as passwords.
A simple example of such an attack is to telnet to the email port (SMTP, port 25)
of a Sendmail server and type the SMTP commands by hand, supplying a forged sender
in the MAIL FROM command and in the From: header so that the message hides the real
identity of the attacker. The Received: header that the receiving server adds still
records the IP address of the connecting host, which is the main clue left behind.
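To make the exchange concrete, the following added example (not part of the original report, and not Sendmail's code) runs the forged session against a tiny in-process SMTP server that implements only the commands used here. The host names, addresses and message text are constructed. The server records the connecting address in a Received: header, and the last function extracts the mismatch between the claimed From: and that address, which is what a mail administrator looks for when tracing a spoofed message.

```python
"""Forged-sender SMTP session against a minimal in-process SMTP server.

Added example (not from the original report). MiniSMTPServer is a stand-in
for Sendmail that understands only HELO/MAIL/RCPT/DATA/QUIT; the host names,
addresses and message below are constructed for the demonstration.
"""
import re


class MiniSMTPServer:
    """Accepts one message per session and stores it with a Received: header."""

    def __init__(self, hostname, peer_ip):
        self.hostname = hostname
        self.peer_ip = peer_ip          # real address of the TCP peer, known to the server
        self.helo = None
        self.mail_from = None
        self.rcpt_to = []
        self.in_data = False
        self.data_lines = []
        self.delivered = []             # (envelope_from, rcpts, raw_message)

    def handle(self, line):
        """Process one client line; return the server reply (None inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                received = (f"Received: from {self.helo} ([{self.peer_ip}]) by "
                            f"{self.hostname} with SMTP; Mon, 1 Jan 2001 00:00:00 +0000")
                raw = "\r\n".join([received] + self.data_lines)
                self.delivered.append((self.mail_from, list(self.rcpt_to), raw))
                self.data_lines = []
                return "250 OK: queued"
            self.data_lines.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg
            return f"250 {self.hostname} Hello {arg} [{self.peer_ip}]"
        if verb == "MAIL":
            m = re.match(r"FROM:\s*<(.*)>", arg, re.I)
            if not m:
                return "501 Syntax error in MAIL FROM"
            self.mail_from = m.group(1)
            return "250 OK"
        if verb == "RCPT":
            m = re.match(r"TO:\s*<(.*)>", arg, re.I)
            if not m:
                return "501 Syntax error in RCPT TO"
            self.rcpt_to.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def run_session(server, lines):
    """Feed client lines to the server and return the C:/S: transcript."""
    transcript = []
    for line in lines:
        reply = server.handle(line)
        transcript.append(f"C: {line}")
        if reply is not None:
            transcript.append(f"S: {reply}")
    return transcript


def origin_mismatch(raw_message):
    """Return (claimed From: header, IP recorded in the top Received: header)."""
    header_from = re.search(r"^From:\s*(.+)$", raw_message, re.M).group(1).strip()
    received_ip = re.search(r"^Received: from \S+ \(\[([\d.]+)\]\)", raw_message, re.M).group(1)
    return header_from, received_ip


# Constructed attacker session: HELO name, envelope sender and From: are all forged.
FORGED_SESSION = [
    "HELO mail.xyz.net",
    "MAIL FROM:<admin@xyz.net>",
    "RCPT TO:<user@xyz.net>",
    "DATA",
    "From: admin@xyz.net",
    "To: user@xyz.net",
    "Subject: Password reset required",
    "",
    "Please reply with your password so we can reset your account.",
    ".",
    "QUIT",
]


def demo():
    server = MiniSMTPServer("mail.xyz.net", "200.200.200.1")   # attacker's real address
    run_session(server, FORGED_SESSION)
    _, _, raw = server.delivered[0]
    return origin_mismatch(raw)


if __name__ == "__main__":
    print(demo())
```

The server accepts the forged sender because plain SMTP has no sender verification; the only defence at this layer is the Received: trail, which shows the message for admin@xyz.net actually entered from 200.200.200.1.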
5] TCP passive attack
A TCP passive attack is an attack performed on the TCP protocol. It is carried out
on Ethernet based networks: the attacker sets up a program to monitor all the
frames on an Ethernet segment and reconstructs entire sessions from the information
they contain (the technique exploits the fact that a shared Ethernet is a broadcast
medium, where every machine hears every conversation on the segment). A good way
to prevent this attack is to use a switched network, so that traffic is not relayed
to every port as it is on a traditional hub based system. Switching reduces but
does not eliminate the risk, since ARP spoofing (see section 9) can redirect
traffic to an attacker's port on a switched segment.
In earlier Unix kernels, such as the early 2.2.x series, the initial sequence
numbers chosen by the system could be predicted by observing the connections of a
particular host; this could allow an attacker to hijack a TCP session by spoofing
packets that carry the correct sequence number.
6] Packet sniffing
A packet sniffer is a very important tool for a system administrator, but it is also
dangerous when used with bad intent. One of the first things an attacker does after
gaining access to a network is to set up a packet sniffer to capture usernames,
passwords and confidential information from the network. Protocols that carry
credentials in clear text (telnet, FTP, POP3) are the usual targets; the encrypted
alternatives adopted later in this report (SSH, SSL) remove the value of what is sniffed.
7] Buffer overflow
A buffer overflow is a very dangerous attack that, if successful, usually gives root
access to the attacker. The problem arises when a program writes more data into a
fixed-size buffer than it can hold, so that the excess overwrites adjacent memory,
including control data such as return addresses. It is a flaw in the software's
own memory management, not in the network configuration.
8] Virus attack
Virus attacks are very common and many good anti-virus products exist to combat
them. A good way to protect against viruses is to scan your network for infections
regularly and to update your virus scanner's signatures automatically.
9] Spoofing
Spoofing is when one host pretends to be another host. There are 2 popular types of
spoofing, ARP spoofing and IP spoofing.
10] DNS cache pollution
DNS cache pollution is when an attacker is able to change the name-to-address
mappings held by a DNS server, either by gaining access to the server or by
injecting forged records into its cache, so that clients are directed to a fake
server set up to attack them. (E.g. www.xyz.net = 203.20.104.1, but the attacker
manages to change the cached entry for www.xyz.net to 200.200.200.1, the
attacker's machine.)
XYZ has set up an emergency response team to handle all security incidents. It is a
formalized team of highly technical people with strong computer security
experience. The emergency response team has its office in the main building and
responds to all the emergency situations detailed in the earlier section of this
report. Apart from responding to incidents, the team works with the technical
support staff to help design a secure network.
The security response team will also try to break into the ISP network to find
every possible path a hacker could take into the ISP's protected network. If the
team finds a problem, such as a buffer overflow in the Unix Sendmail program that
could allow an attacker to gain access to the machine, they will immediately inform
the technical support staff of the threat and recommend an upgrade to a Sendmail
version that fixes it.
Description of good security practices that you need to educate your users
Security, privacy and protection are rapidly becoming the most important issues for
computer users. The following are some of the good security practices that XYZ will
teach its workers through campaigns such as seminars, workshops and special
training.
One of the cheapest and most secure methods of authentication is the password. If
user X needs to gain access to the resources and services offered on the network,
he/she must identify himself/herself as a registered user with a password. XYZ has
set up the following policy to ensure that users select passwords capable of
withstanding a simple brute force attack.
Figure 6.1 – Client authentication through a central LDAP server with RADIUS AAA
Most people think about locks, bars, alarms and uniformed guards when they think
about security. While these countermeasures are by no means the only precautions
that need to be considered when securing an information system, they are a
perfectly logical place to begin. Physical security is a vital part of any security
plan and is fundamental to all security efforts.
XYZ has taken many countermeasures to secure its servers from physical attack. All
servers are placed in a highly protected room with limited access.
• Maximize structural protection: A secure room should have full height walls
and fireproof ceilings.
• Minimize external access (doors): A secure room should have only one or two
solid doors with good locks, observable by assigned security staff. Doors to
the secure room should never be propped open.
• Minimize external access (windows): A secure room should not have
excessively large windows. All windows should have locks.
• Maintain locking devices responsibly: Locking doors and windows is an
effective security strategy as long as the responsible staff manage the keys
and combinations properly. After a breach, each compromised lock should be
changed.
A Denial of Service (DoS) attack was briefly explained in the risks and priorities
section of this report. In this section we look at how to prevent such an attack on
the XYZ company network. The following lists the precautions that should be taken:
• Perform regular virus scans for DoS agents, check for machines listening on
unfamiliar ports, and make sure that the corporate firewall blocks packets
with spoofed source addresses from leaving the company network (egress
filtering), so that XYZ hosts cannot be used to attack others anonymously.
• Turn off or restrict services that might otherwise be compromised or
attacked. For example, restrict UDP services to the internal network so that
UDP is available for network diagnostic purposes only.
• Use an Intrusion Detection System (IDS). An IDS can automatically report to
the network manager in the event of a threat to the network.
• Protect key network infrastructure such as switches and routers from DoS by
configuring secure access lists on these devices.
• Some DoS attacks come from intruders who understand the network routing
policies, so it is also important to maintain tight control over basic policy
disciplines such as IP directed-broadcast forwarding, ICMP responses and IP
option handling.
(Some of the above points have been referenced from the web site,
http://www.itp.net/features/980333182529006.htm )
XYZ will use the following methods to guarantee the security of its data and
information.
1] Encryption
All email messages containing sensitive information will be encrypted using PGP
(public/private key RSA encryption). All files and patches downloaded for any
system within the intranet will be verified against the published hash before
installation. The RADIUS server and the LDAP server will also use public/private key
encryption to protect their communication from tampering.
2] Segmentation
The database servers are segmented and replicated at each location to ensure the
integrity and availability of the data stored in them. The protected servers are
placed on one subnet and the publicly accessed servers on another. Both groups of
servers are protected by the firewall.
3] Regular backup
All the core database servers, such as the IBM RISC 7000 and the users' home
directory server, will be backed up automatically at the end of each day. This
ensures that if any such server has been modified, the system administrator can
always revert to the last clean backup copy of the system.
4] Transaction auditing
Some crucial users may have their keystrokes recorded in a central database, and an
alert can be raised if an attempted break-in is detected on those accounts.
On user demand, an IPsec VPN tunnel can be established between two end points of
the user's network.
All services such as the automatic billing payment system, the user password
changing system and the comment and support forms will support full SSL to
prevent interception of data while it travels from one end to the other.
Methods and tools to protect the XYZ networks against attacks from the outside world
Four main tools are used to protect the network from outside threats: a firewall for
the entire network, TCP Wrapper on Linux/Unix based machines, an intrusion detection
system to detect and warn of attacks as they happen, and a system vulnerability
reporting tool such as SATAN. We will now look at each of the individual
components and how they fit together in this network.
1] A firewall system
A firewall is a group of one or more systems that enforces an access control policy
between different computer networks. In principle, a firewall inspects every packet
that leaves or enters the network and denies or permits it based on predefined
policies. Some firewalls place greater emphasis on blocking traffic, while others
emphasize permitting traffic.
The following provides a brief explanation of how the firewall system will be used
in the XYZ network to protect against security threats from the outside world.
Figure 7.1 – A multi-port firewall with a connection to each network block (subnets)
The above figure shows the firewall design of the XYZ corporation. All traffic
travelling between any sections of the network must pass through the firewall. The
following briefly explains the firewall policy in use.
1] Traffic from the local LAN on port 2 will be allowed to the protected server block
on port 3. Only authorized traffic from the other POPs will be allowed to enter the
protected server section; this is determined based on source and destination
address.
2] Port 4 will only allow traffic to known service ports through to the public
server area. No connection may be initiated from port 4 to any other port in the
network (this prevents an attacker who has compromised a bastion host from using
it to get into the protected network).
3] Port 5 has no restrictions of its own but is bound by the policies placed on the
other ports.
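The three firewall rules above, together with the anti-spoofing check recommended in the DoS section earlier, can be expressed as a small stateful policy model. The following is an added example (not the XYZ firewall configuration, which names no product) written to make the rules testable. Interface numbers follow figure 7.1; it is assumed here that port 5 carries the Internet and other-POP traffic, and all prefixes, host addresses and service ports are constructed. A flow is admitted once as a connection attempt and its replies are then matched from the state table, which is how "no connection may be initiated from port 4" is enforced while still letting the bastion hosts answer their clients.

```python
"""Stateful model of the multi-port firewall policy in figure 7.1.

Added example, not the report's firewall configuration. Ports: 2 = local LAN,
3 = protected servers, 4 = public (DMZ) servers, 5 = uplink (assumed to carry
Internet and other-POP traffic). Addressing, POP prefixes and the per-host
service ports are constructed for the example.
"""
from ipaddress import ip_address, ip_network

LAN, PROTECTED, DMZ, UPLINK = 2, 3, 4, 5

PREFIX = {                                       # assumed addressing per interface
    LAN: [ip_network("10.1.0.0/16")],
    PROTECTED: [ip_network("10.2.0.0/24")],
    DMZ: [ip_network("203.20.104.0/24")],
}
INTERNAL = PREFIX[LAN] + PREFIX[PROTECTED] + PREFIX[DMZ]
OTHER_POPS = [ip_network("10.10.0.0/16"), ip_network("10.11.0.0/16")]   # assumed
DMZ_SERVICES = {                                 # known service ports per bastion host
    ip_address("203.20.104.1"): {80, 443},
    ip_address("203.20.104.2"): {53},
}


def _in(addr, nets):
    return any(addr in n for n in nets)


class Firewall:
    def __init__(self):
        self.state = set()                       # admitted flows (src, sport, dst, dport)

    def zone_of(self, addr):
        for port, nets in PREFIX.items():
            if _in(addr, nets):
                return port
        return UPLINK

    def antispoof_ok(self, in_port, src):
        """A source address must belong to the interface it arrived on."""
        if in_port == UPLINK:
            return not _in(src, INTERNAL)        # outside packets may not claim inside addresses
        return _in(src, PREFIX[in_port])         # inside packets may not claim foreign addresses

    def policy(self, in_port, src, dst, dport):
        """Decide a NEW connection attempt according to rules 1 to 3."""
        out_port = self.zone_of(dst)
        if out_port == DMZ:
            return dport in DMZ_SERVICES.get(dst, set())      # rule 2: known ports only
        if in_port == DMZ:
            return False                                       # rule 2: no initiation from DMZ
        if out_port == PROTECTED:
            if in_port == LAN:
                return True                                    # rule 1: LAN -> protected
            return in_port == UPLINK and _in(src, OTHER_POPS)  # rule 1: authorized POPs only
        return True                                            # rule 3: otherwise unrestricted

    def admit(self, in_port, src, dst, sport, dport, syn):
        """Return 'pass' or a 'drop: <reason>' string for one packet."""
        src, dst = ip_address(src), ip_address(dst)
        if not self.antispoof_ok(in_port, src):
            return "drop: spoofed source"
        if not syn:                              # reply traffic needs an admitted forward flow
            return "pass" if (dst, dport, src, sport) in self.state else "drop: no state"
        if self.policy(in_port, src, dst, dport):
            self.state.add((src, sport, dst, dport))
            return "pass"
        return "drop: policy"


def demo():
    fw = Firewall()
    return [
        fw.admit(LAN, "10.1.5.20", "10.2.0.10", 40000, 1521, syn=True),        # LAN -> protected DB
        fw.admit(UPLINK, "198.51.100.7", "203.20.104.1", 50000, 80, syn=True),  # Internet -> web
        fw.admit(DMZ, "203.20.104.1", "198.51.100.7", 80, 50000, syn=False),    # web server reply
        fw.admit(UPLINK, "198.51.100.7", "203.20.104.1", 50001, 22, syn=True),  # ssh to bastion
        fw.admit(DMZ, "203.20.104.1", "10.2.0.10", 40001, 1521, syn=True),      # compromised bastion
        fw.admit(UPLINK, "10.10.3.3", "10.2.0.10", 40002, 389, syn=True),       # other POP -> LDAP
        fw.admit(UPLINK, "10.1.5.20", "10.2.0.10", 40003, 389, syn=True),       # outside, LAN source
        fw.admit(LAN, "198.51.100.9", "203.20.104.1", 40004, 80, syn=True),     # inside, foreign source
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last two packets are the anti-spoofing cases from the DoS section: a packet entering from the uplink with a LAN source address, and a packet leaving the LAN with a foreign source address, are both dropped before any other rule is consulted.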
TCP Wrapper
TCP Wrapper is a public domain program that provides simple firewall-like access
control for Unix servers. An unsecured Unix server attached to a network is exposed
to various types of risk from users of the network. TCP Wrapper works by
intercepting incoming connections to the wrapped services: when an external host
attempts to connect, TCP Wrapper checks whether that host is authorized to
connect. If it is authorized, access is permitted; if not, access is denied. The
program can be tailored to suit individual user or network needs. Note that it
only covers services started through tcpd from inetd or linked against libwrap;
it is not a packet filter and does not replace the firewall.
All the XYZ Linux servers will have TCP Wrapper set up to deny all connections to
the machine and allow only the registered administrator IP addresses to make SSH,
FTP, etc. connections into the machine.
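The "deny all, allow the administrators" policy above is written in two files, hosts.allow and hosts.deny. The following added example (not part of the report or of the TCP Wrapper distribution) evaluates such a pair of files the way tcpd documents its lookup: the first matching entry in hosts.allow grants access, otherwise the first matching entry in hosts.deny refuses it, otherwise access is granted. The client patterns handled are ALL, an exact IPv4 address, a net/mask pair, a trailing-dot prefix and the EXCEPT operator; hostname-based patterns are left out. The two rule files and the administrator addresses are constructed.

```python
"""Evaluate TCP Wrapper (hosts.allow / hosts.deny) access decisions.

Added example, not from the report or the TCP Wrapper sources. Implements
the tcpd lookup order (allow file first, then deny file, then default allow)
for ALL, exact IPv4 address, net/mask, trailing-dot prefix and EXCEPT.
The policy text and administrator addresses below are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed policy for an XYZ Linux server: deny everything, then allow the
# registered administrator addresses for the services they need.
HOSTS_ALLOW = """
# service : clients
sshd, vsftpd : 203.20.104.10, 203.20.104.11
ALL : 10.1.0.0/255.255.0.0 EXCEPT 10.1.9.
"""
HOSTS_DENY = """
ALL : ALL
"""


def _split(field):
    return field.replace(",", " ").split()


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":", 1)[0]          # drop any trailing shell-command field
        rules.append((_split(daemons), _split(clients)))
    return rules


def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if "/" in pattern:                           # net/mask form
        net, mask = pattern.split("/", 1)
        return addr in ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                    # prefix form such as 10.1.9.
        return str(addr).startswith(pattern)
    return addr == ip_address(pattern)


def list_matches(tokens, match):
    """Evaluate 'a b EXCEPT c d': matches a/b unless it also matches c/d."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], match) and not list_matches(tokens[i + 1:], match)
    return any(match(t) for t in tokens)


def allowed(daemon, client_ip, allow_rules, deny_rules):
    addr = ip_address(client_ip)

    def hit(rules):
        return any(list_matches(d, lambda t: t == "ALL" or t == daemon)
                   and list_matches(c, lambda t: client_matches(t, addr))
                   for d, c in rules)

    if hit(allow_rules):
        return True
    if hit(deny_rules):
        return False
    return True                                  # tcpd default when neither file matches


def check(daemon, client_ip):
    return allowed(daemon, client_ip, parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY))


if __name__ == "__main__":
    for d, ip in [("sshd", "203.20.104.10"), ("sshd", "203.20.104.12"),
                  ("in.telnetd", "10.1.3.4"), ("in.telnetd", "10.1.9.4")]:
        print(d, ip, "->", "allow" if check(d, ip) else "deny")
```

The default-allow behaviour when neither file matches is the caveat to remember: a server with a hosts.allow but an empty hosts.deny is wide open, which is why the policy above ends with "ALL : ALL" in hosts.deny.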
An IDS can automatically alert the network manager to threats in real time. To use
an IDS, the system administrator defines a policy of the events that trigger an
alert; the IDS then continuously monitors the network and sends an alert when such
an event occurs. Events that typically trigger an alert are the detection of a DoS
attack, a port scan or a TCP session hijacking attempt.
Another way to prevent threats from the Internet is to regularly run tools such as
SATAN that scan a (Unix) system and produce a report of the vulnerabilities
detected on it.
Plans to update systems to cope with new technologies that may increase
security risks to your systems
In order to update the security of the current system to cope with future
technologies, the following steps should be performed.
Windows systems support an automatic update tool that scans the system and
recommends the required patches. Linux systems have free tools, some written in
Perl, that scan the applications installed on the system and attempt to update them
automatically when a newer patch has been released.
A good administrator should attend seminars and conferences to keep up to date
with the new technologies available.
The advent of new technologies, such as faster and higher throughput access media,
may force the company to expand its resources to remain competitive in the market.
Bibliography