Guide to Network Defense and Countermeasures Second Edition

Chapter 1 Network Defense Fundamentals

Objectives
Explain the fundamentals of TCP/IP networking
Describe the threats to network security
Explain the goals of network security
Describe a layered approach to network defense
Explain how network security defenses affect your organization

Guide to Network Defense and Countermeasures, Second Edition

TCP/IP Networking Review
Transmission Control Protocol/Internet Protocol (TCP/IP)
  Suite of many protocols
  Allows information to be transmitted from point to point on a network

The Open Systems Interconnect (OSI) Model

IP Addressing
Attackers can gain access to networks by determining the IP addresses of computers
IP address components
  Network address
  Host address
  Subnet mask
Try to hide IP addresses to prevent certain attacks
Network Address Translation (NAT)
  Translates IP addresses into other IP addresses
  Used to hide real IP addresses
Proxy servers are also used to hide IP addresses



Exploring IP Packet Structure
IP datagrams
  Discrete chunks of information
  TCP/IP messages are transmitted using multiple datagrams
  Contain information about source and destination IP addresses and control settings
  Divided into different sections
IP header structure
  Part of an IP packet that computers use to communicate
  The IP header plays an important role in network security and intrusion detection

Exploring IP Packet Structure (continued)
IP data
  Firewalls, VPNs, and proxy servers are used to protect the data in a packet
IP fragmentation
  Allows large packets to pass through routers
  Routers divide packets into multiple fragments and send them along the network
  Fragmentation creates security problems
    Port numbers appear only in fragment 0
    Fragments 1 and higher pass through filters without being scrutinized
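Added example, not from the book: a small Python model of the fragment problem above. A stateless port filter can only judge fragment 0, so it waves later fragments through; the fragment-aware version remembers fragment 0's verdict per datagram. The packets, helper names and the port-23 rule are this example's own constructions.

```python
import struct

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed IPv4 header fields a packet filter needs (checksum ignored)."""
    (ver_ihl, _tos, _total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes
    return {
        "id": ident,
        "proto": proto,                              # 6 = TCP, 17 = UDP, 1 = ICMP
        "more_fragments": bool(flags_frag & 0x2000), # MF flag
        "frag_offset": flags_frag & 0x1FFF,          # 8-byte units; 0 = fragment 0
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": raw[ihl:],
    }

def naive_port_filter(pkt: dict, blocked_ports: set) -> str:
    """Stateless filter: it can only read ports from fragment 0, so every
    later fragment is accepted without scrutiny (the weakness described above)."""
    if pkt["proto"] in (6, 17) and pkt["frag_offset"] == 0 and len(pkt["payload"]) >= 4:
        _sport, dport = struct.unpack("!HH", pkt["payload"][:4])
        return "DROP" if dport in blocked_ports else "ACCEPT"
    return "ACCEPT"

class FragmentAwareFilter:
    """Remembers the verdict reached on fragment 0 and applies it to the
    remaining fragments of the same datagram (keyed by src, dst, IP id)."""
    def __init__(self, blocked_ports: set):
        self.blocked_ports = blocked_ports
        self.verdicts = {}

    def decide(self, pkt: dict) -> str:
        key = (pkt["src"], pkt["dst"], pkt["id"])
        if pkt["frag_offset"] == 0:
            verdict = naive_port_filter(pkt, self.blocked_ports)
            if pkt["more_fragments"]:
                self.verdicts[key] = verdict
            return verdict
        # A later fragment whose fragment 0 was never seen cannot be judged: drop it
        return self.verdicts.get(key, "DROP")

def build_fragment(ident: int, offset_units: int, more: bool, proto: int, payload: bytes) -> bytes:
    """Construct a sample IPv4 fragment for testing (constructed data, checksum left 0)."""
    flags_frag = (0x2000 if more else 0) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10]))
    return header + payload

# Constructed sample: a TCP datagram to port 23 split into two fragments
FRAG0 = build_fragment(0x1234, 0, True, 6, struct.pack("!HH", 40000, 23) + bytes(12))
FRAG1 = build_fragment(0x1234, 2, False, 6, bytes(16))
```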

ICMP Messages
Internet Control Message Protocol (ICMP)
  Assists TCP/IP networks with troubleshooting communication problems
  Can tell whether another host is alive
  Firewalls and packet filters should be used to filter ICMP messages


TCP Headers
Provide hosts with additional flags
Flags are important from a security standpoint
  Used to create packet-filtering rules
Flags
  URG (urgent)
  ACK (acknowledge)
  PSH (push function)
  RST (reset the connection)
  SYN (synchronize sequence numbers)
  FIN (finished)
```
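Added example, not from the book: decoding the six TCP flags from a header and using them in a packet-filtering rule of the kind the slide refers to. The rule, the published-service set and the sample headers are assumptions of this example; the rule treats only SYN-without-ACK as a new connection and drops flag combinations that cannot occur in well-formed traffic.

```python
import struct

# Bit values of the six classic flags in the TCP header's low 6 bits
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp_header(tcp: bytes) -> dict:
    """Decode ports and the flag set from the first 14 bytes of a TCP header."""
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    bits = offset_flags & 0x3F
    return {"src_port": sport, "dst_port": dport,
            "flags": {name for name, bit in TCP_FLAGS.items() if bits & bit}}

def inbound_tcp_rule(pkt: dict, published_services: set) -> str:
    """Flag-based rule for traffic arriving from the outside: a new connection
    (SYN without ACK) is allowed only to a published service; anything else is
    treated, as stateless filters do, as part of an existing conversation.
    Empty, SYN+FIN and SYN+RST flag sets never occur in well-formed traffic."""
    f = pkt["flags"]
    if not f or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f:
        return "DROP"
    if "SYN" in f and "ACK" not in f:
        return "ACCEPT" if pkt["dst_port"] in published_services else "DROP"
    return "ACCEPT"

def build_tcp_header(sport: int, dport: int, flag_names: set) -> bytes:
    """Construct a minimal 20-byte TCP header for testing (constructed data)."""
    bits = sum(TCP_FLAGS[n] for n in flag_names)
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | bits, 65535, 0, 0)

# Constructed samples: a new connection to the Web server, one to an unpublished
# service, a reply segment of an established session, and a malformed SYN+FIN
NEW_TO_WEB = build_tcp_header(51000, 443, {"SYN"})
NEW_TO_ADMIN = build_tcp_header(51001, 3389, {"SYN"})
ESTABLISHED = build_tcp_header(443, 51000, {"ACK", "PSH"})
SYN_FIN = build_tcp_header(51002, 443, {"SYN", "FIN"})
```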

UDP Headers
UDP provides a datagram transport service for IP
UDP is considered unreliable
  Because it is connectionless
UDP is used for broadcasting messages
Attackers scan for open UDP services to exploit
UDP packets have their own headers


Domain Name Service (DNS)
DNS servers translate fully qualified domain names to IP addresses
DNS can be used to block unwanted communications
  Administrators can block Web sites containing offensive content
DNS attacks
  Buffer overflow
  Zone transfer
  Cache poisoning


Encryption
Concealing information to render it unreadable
  Except to the intended recipients
Firewalls often encrypt data leaving the network and decrypt incoming packets
Encryption often makes use of digital certificates
Digital certificate
  Electronic document containing encryption keys and a digital signature
Public Key Infrastructure
  Makes possible the distribution of certificates


Overview of Threats to Network Security
Security problems
  Network intrusions
  Loss of data
  Loss of privacy
The first step in defeating the enemy is to know your enemy


Types of Attackers
Knowing the types of attackers helps you anticipate
Motivations to break into systems
  Status
  Revenge
  Financial gain
  Industrial espionage


Types of Attackers (continued)
Crackers
  Attempt to gain access to unauthorized resources
  Circumvent passwords, firewalls, or other protective measures
Disgruntled employees
  Access customer information, financial files, job records, or other sensitive information from inside an organization
  When an employee is terminated, security measures should be taken immediately

Types of Attackers (continued)
Criminal and Industrial Spies
  Steal and sell a company's confidential information to its competitors
Script Kiddies and Packet Monkeys
  Script kiddies
    Young, immature computer programmers
    Spread viruses and other malicious scripts
    Use techniques that exploit known weaknesses
  Packet monkeys
    Block Web site activities using DDoS attacks

Types of Attackers (continued)
Terrorists
  Attack computer systems for several reasons
    Making a political statement
    Achieving a political goal
    Causing damage to critical systems
    Disrupting a target's financial stability


Malicious Code
Malware
  Malicious code
  Uses systems' well-known vulnerabilities to spread
Virus
  Code that copies itself surreptitiously
  Can be benign or harmful
  Spread methods
    Running executable code
    Sharing disks or memory sticks
    Opening e-mail attachments


Malicious Code (continued)
Worm
  Creates files that copy themselves and consume disk space
  Does not require user intervention to be launched
  Some worms install back doors
    A way of gaining unauthorized access to a computer or other resources
  Others can destroy data on hard disks
Trojan program
  Harmful computer program that appears to be something useful
  Can create a back door

Malicious Code (continued)
Macro viruses
  A macro is a type of script that automates repetitive tasks in Microsoft Word or similar applications
  Macros run a series of actions automatically
  Macro viruses run actions that tend to be harmful


Other Threats to Network Security
It is not possible to prepare for every possible risk to your systems
Try to protect your environment from today's threats
Be prepared for tomorrow's threats


Social Engineering: The People Factor
Social engineers try to gain access to resources through people
  Employees do not always observe accepted security practices
  Employees are fooled by attackers into giving out passwords or other access codes


Common Attacks and Defenses


Common Attacks and Defenses (continued)


Common Attacks and Defenses (continued)


Internet Security Concerns
Socket
  Port number combined with a computer's IP address
  Attacker software looks for open sockets
    Open sockets are an invitation to be attacked
    Sometimes sockets have exploitable vulnerabilities
E-mail and Communications
  Home users regularly surf the Web and use e-mail and instant messaging programs
  Personal firewalls keep viruses and Trojan programs from entering a system


Internet Security Concerns (continued)
Scripts
  Executable code attached to e-mail messages or downloaded files that infiltrates a system
  Difficult for firewalls and IDSs to block all scripts
Always-on Connectivity
  Computers using always-on connections are easier to locate and attack
  Remote users pose security problems for network administrators
  Always-on connections effectively extend the boundaries of your corporate network

Goals of Network Security
Goals include
  Confidentiality
  Integrity
  Availability


Providing Secure Connectivity
In the past, network security emphasized blocking attackers from accessing the corporate network
Now secure connectivity with trusted users and networks is the priority
Activities that require secure connectivity
  Placing orders for merchandise online
  Paying bills
  Accessing account information
  Looking up personnel records
  Creating authentication information

Secure Remote Access
One of the biggest security challenges
VPN
  Ideal and cost-effective solution
  Uses a combination of encryption and authentication mechanisms


Ensuring Privacy
Databases with personal or financial information need to be protected
  Legislation exists that protects private information
Education is an effective way to maintain the privacy of information
  All employees must be educated about security dangers and security policies
  Employees are the most likely to detect security breaches
    And to cause one accidentally
  Employees can monitor the activities of their co-workers


Providing Nonrepudiation
Nonrepudiation is important when organizations do business across a network
  Rather than face-to-face
Encryption provides integrity, confidentiality, and authenticity of digital information
  Encryption can also provide nonrepudiation
Nonrepudiation
  Capability to prevent one participant from denying that it performed an action


Confidentiality, Integrity, and Availability: The CIA Triad
Confidentiality
  Prevents intentional or unintentional disclosure of communications between sender and recipient
Integrity
  Ensures the accuracy and consistency of information during all processing
Availability
  Makes sure those who are authorized to access resources can do so in a reliable and timely manner


Using Network Defense Technologies in Layers
No single security measure can ensure complete network protection
Assemble a group of methods
  That work in a coordinated fashion
Defense in depth (DiD)
  Layering approach to network security


Physical Security
Refers to measures taken to physically protect a computer or other network device
Physical security measures
  Computer locks
  Lock-protected rooms for critical servers
  Burglar alarms
  Uninterruptible power supply (UPS)


Authentication and Password Security
Password security
  Simple strategy: select good passwords, keep them secure, and change them as needed
  Use different passwords for different applications
Authentication methods
  Something the user knows
  Something the user has
  Something the user is
In large organizations, authentication is handled by centralized servers



Operating System Security
Protect operating systems by installing
  Patches
  Hot fixes
  Service packs
OSs must be updated promptly to protect against security flaws
Stop any unneeded services
Disable Guest accounts


Antivirus Protection
Virus scanning
  Examines files or e-mail messages for indications that viruses are present
  Viruses have suspicious file extensions
  Antivirus software uses virus signatures to detect viruses in your systems
    You should constantly update virus signatures
Firewalls and IDSs are not enough
  You should install antivirus software on hosts and all network computers

Packet Filtering
Block or allow transmission of packets based on
  Port number
  IP addresses
  Protocol information
Some types of packet filters
  Routers
    Most common packet filters
  Operating systems
    Built-in packet-filtering utilities that come with some OSs
  Software firewalls
    Enterprise-level programs

Firewalls
Firewalls control an organization's overall security policies
Permissive versus restrictive policies
  Permissive
    Allows all traffic through the gateway and then blocks services on a case-by-case basis
  Restrictive
    Denies all traffic by default and then allows services on a case-by-case basis
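Added example, not from the book: a first-match packet filter (port number, IP addresses, protocol, as in the Packet Filtering slide) evaluated under the two policies just described. The rule sets, the documentation-range addresses and the sample packets are this example's own assumptions; the point is that a service nobody thought to list passes a permissive gateway and is stopped by a restrictive one.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    """One packet-filtering rule: matched on protocol, addresses and destination port."""
    action: str                    # "ALLOW" or "DENY"
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"         # source network (CIDR)
    dst: str = "0.0.0.0/0"         # destination network (CIDR)
    dport: Optional[int] = None    # destination port, None = any

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

def filter_packet(pkt: dict, rules: List[Rule], default: str) -> str:
    """First matching rule wins; if nothing matches, the gateway's default policy decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Permissive policy: everything is allowed, and known-bad services are blocked one by one
PERMISSIVE_RULES = [
    Rule("DENY", proto="tcp", dport=23),          # block Telnet
    Rule("DENY", proto="icmp"),                   # block ICMP from the outside
]
PERMISSIVE_DEFAULT = "ALLOW"

# Restrictive policy: everything is denied, and only the published services are opened
RESTRICTIVE_RULES = [
    Rule("ALLOW", proto="tcp", dst="203.0.113.10/32", dport=80),
    Rule("ALLOW", proto="tcp", dst="203.0.113.10/32", dport=443),
]
RESTRICTIVE_DEFAULT = "DENY"

def compare_policies(pkt: dict) -> dict:
    """Return the verdict of each policy for the same inbound packet."""
    return {"permissive": filter_packet(pkt, PERMISSIVE_RULES, PERMISSIVE_DEFAULT),
            "restrictive": filter_packet(pkt, RESTRICTIVE_RULES, RESTRICTIVE_DEFAULT)}

# Constructed sample packets (documentation address ranges)
WEB_REQUEST = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443}
TELNET_ATTEMPT = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 23}
UNLISTED_SERVICE = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.20", "dport": 3389}
```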


Demilitarized Zone (DMZ)
Network that sits outside the internal network
  DMZ is connected to the firewall
Makes services publicly available
  While protecting the internal LAN
It might also contain a DNS server
DMZ is sometimes called a service network or perimeter network


Intrusion Detection System (IDS)
Recognizes the signs of a possible attack
  And notifies the administrator
Signs of possible attacks are called signatures
  Combinations of IP address, port number, and frequency of access attempts
IDS provides an additional layer of protection


Virtual Private Networks (VPNs)
Provide a low-cost and secure connection that uses the public Internet
  Alternative to expensive leased lines
Provide point-to-point communication


Network Auditing and Log Files
Auditing
  Recording which computers are accessing a network and what resources are being accessed
  Information is recorded in a log file
Reviewing and maintaining log files helps you detect suspicious patterns of activity
You can set up blocking rules based on logged information from previous attack attempts


Network Auditing and Log Files (continued)
Log file analysis
  Tedious and time-consuming task
  Record and analyze rejected connection requests
  Sort logs by time of day and per hour
  Check logs during peak traffic time
Configuring log files to record
  System events
  Security events
  Traffic
  Packets
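Added example, not from the book: the log-analysis steps on this and the previous slide carried out in Python over a few constructed packet-filter log lines. The line format, the threshold and the pseudo-syntax of the generated blocking rules are this example's own assumptions; rejected requests are counted per hour, and a source that probes several ports within one hour is turned into a blocking rule.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the book), modelled on a simple packet-filter log
SAMPLE_LOG = """\
2024-03-01 02:14:07 DENY TCP 198.51.100.7:51234 -> 203.0.113.10:22
2024-03-01 02:14:08 DENY TCP 198.51.100.7:51235 -> 203.0.113.10:23
2024-03-01 02:14:09 DENY TCP 198.51.100.7:51236 -> 203.0.113.10:3389
2024-03-01 02:14:10 DENY TCP 198.51.100.7:51237 -> 203.0.113.10:445
2024-03-01 02:15:01 ACCEPT TCP 192.0.2.44:40001 -> 203.0.113.10:443
2024-03-01 09:30:12 DENY UDP 192.0.2.44:40002 -> 203.0.113.10:161
2024-03-01 09:31:15 DENY TCP 198.51.100.9:6001 -> 203.0.113.10:22
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):(\d{2}):(\d{2}) (ACCEPT|DENY) (\w+) "
                     r"([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, hour, _mi, _se, action, proto, src, _sport, dst, dport = m.groups()
            yield {"date": date, "hour": int(hour), "action": action, "proto": proto,
                   "src": src, "dst": dst, "dport": int(dport)}

def rejected_per_hour(entries: list) -> Counter:
    """Count DENY events per hour of day, to compare against normal traffic peaks."""
    return Counter(e["hour"] for e in entries if e["action"] == "DENY")

def suspicious_sources(entries: list, threshold: int) -> list:
    """Sources whose rejected requests touched at least `threshold` distinct ports in one hour."""
    ports = defaultdict(set)
    for e in entries:
        if e["action"] == "DENY":
            ports[(e["src"], e["date"], e["hour"])].add(e["dport"])
    return sorted({src for (src, _d, _h), p in ports.items() if len(p) >= threshold})

def blocking_rules(sources: list) -> list:
    """Turn the findings into blocking rules for the packet filter (pseudo-syntax)."""
    return [f"DENY any from {src}" for src in sources]
```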


Routing and Access Control Methods
Border routers are critical to the movement of all network traffic
  Can be equipped with their own firewall software
Attackers exploit open points of entry, such as
  Vulnerable services
  E-mail gateways
  Porous borders
Methods of access control
  Mandatory Access Control (MAC)
  Discretionary Access Control (DAC)
  Role-Based Access Control (RBAC)

The Impact of Defense
Cost of securing systems might seem high
  Cost of a security breach can be much higher
Support from upper management
  Key factor in securing systems
Securing systems will require
  Time
  Money
  Understanding and cooperation from fellow employees
  Support from upper management


Summary
Knowledge of TCP/IP networking is important when securing a network
IP and TCP (or UDP) header sections contain settings that can be exploited
Domain Name Service (DNS)
  General-purpose service that translates fully qualified domain names into IP addresses
Encryption can be used to protect data
Network intruders are motivated by a variety of reasons

Summary (continued)
E-mail is one of the most important services to secure
  Malicious scripts can be delivered via e-mail
Goals of network security
  Confidentiality
  Integrity
  Availability
Defense in depth (DiD)
  Layering approach to security
Auditing helps identify possible attacks and prevent further attacks

Summary (continued)
Routers at the border of a network are critical to the movement of all traffic
  Legitimate and harmful
Access control methods
  Mandatory Access Control (MAC)
  Discretionary Access Control (DAC)
  Role-Based Access Control (RBAC)
Defense affects the entire organization
  You should always look for support from upper management