Preventing System Intrusions

WHAT IS AN INTRUSION? A network intrusion: – is an unauthorized penetration of a computer in your enterprise or an address in your assigned domain. – Passive (in which penetration is gained stealthily خفية and without detection). active – (in which changes to network resources are effected). Intrusions can come from outside your network structure or inside (an employee, customer, or business partner)

KNOW YOUR ENEMY: HACKERS VERSUS CRACKERS The term hacker originated from An entire community of people — experts in programming and computer networking and those who thrive on solving complex problems And the term cracker is, to those in their culture, a badge of honor. A cracker’s specialty — or in some cases, his mission in life — is seeking out and exploiting vulnerabilities of an individual computer or network for their own purposes. Crackers ’ intentions are normally malicious and/or criminal in nature

MOTIVES the goal is the same — to penetrate your network defenses

TOOLS OF THE TRADE Crackers today are armed with an increasingly sophisticated and well-stocked tool kit for doing what they do.

TOOLS OF THE TRADE Wireless sniffers: – can these devices locate wireless signals within a certain range, – Can siphon off the data being transmitted over the signals. Packet sniffers: – passively analyze data packets moving into and out of a network interface, – and utilities captured data packets passing through a network interface.

TOOLS OF THE TRADE Port scanners: – These utilities send out successive, sequential connection requests to a target system’s ports to see which one responds or is open to the request. Port knocking: – Sometimes network administrators create a secret back-door method of getting through firewall- protected ports — a secret knock that enables them to quickly access the network. Port-knocking tools find these unprotected entries and implant a Trojan horse that listens to network traffic for evidence of that secret knock.

TOOLS OF THE TRADE Keystroke loggers: – These are spyware utilities planted on vulnerable systems that record a user’s keystrokes. Obviously, when someone can sit back and record every keystroke a user makes, it doesn’t take long to obtain things like usernames, passwords, and ID numbers

TOOLS OF THE TRADE Remote administration tools : – Programs embedded on an unsuspecting user’s system that allow the cracker to take control of that system. Network scanners : – Explore networks to see the number and kind of host systems on a network, the services available, the host’s operating system, and the type of packet filtering or firewalls being used. Password crackers : – These sniff networks for data streams associated with passwords, then employ a brute-force method of peeling away any encryption layers protecting those passwords.

BOTS BOT: is a virus is surreptitiously implanted in large numbers of unprotected computers (usually those found in homes), hijacking them (without the owners ’ knowledge) and turning them into slaves to do the cracker’s bidding. These compromised computers, known as bots, are linked in vast and usually untraceable networks called botnets

BOTS Bot controllers, also called herders, can also make money by leasing their networks to others who need a large and untraceable means of sending out massive amounts of advertisements but don’t have the financial or technical resources to create their own networks.

SYMPTOMS OF INTRUSIONS Large numbers of unsuccessful login attempts are also a good indicator that your system has been targeted If a packet has an unusual source or has been addressed to an abnormal port — say, an inconsistent service request — it could be a sign of random system scanning.

SYMPTOMS OF INTRUSIONS odd or unexpected system behavior is itself a sign. Heavy system use: – (possible DoS attack) or CPU use: – (brute force password-cracking attempts) should always be investigated

شرح معنى هجوم DOS ATTACKشرح معنى هجوم DOS ATTACK هجوم "DOS ATTACK "Denial of Service أو ما يعرف عليه بحجب الخدمة, يستعمله الهكرز غير اخلاقيين لتعطيل خدمة معينة عبر عملية فلود "Flooding" يتم ذلك غالبا على المواقع " سيرفرات ", أجهزة أو شبكات... مثلا اذا تم شن هذا الهجوم الخطير على موقع معين فلا يمكنك تصفحه في وقت محدد قد يصل الى يوم كامل, كبف ذلك ؟ يتم ارسال عدد كبير من الزوار الى هذا الاخير مثلا : زائر, عبر اداة BOTNET التي يتم استعمالها في عملية سبام "Spam", أو عبر فيروس "Virus" مبرمج عمله هو فتح هذا الموقع في جميع الأجهزة المستهذفة, و قد تكون انت أيضا تساهم في عمل هذا الهجوم و انت لا تعلم ذلك. فعند دخول ملايين الزوار الى هذا الموقع, السيرفر لا يتحمل كل هذا العدد الهائل من الزوار و بالتالي يتوقف الموقع المستهذف عن العمل لمدة معينة, يعني نجاح عملية DOS بالنسبة للهكرز. أما بالنسبة للسرفرات الضعيفة فقد يتم ايقاف جميع المواقع المستضيفة عليها. نفس العملية يتم القيام بها لاستهذاف الاجهزة او الشبكات. شرح بعض الكلمات : Flooding : ارسال عدد كبير من البيانات غير الضرورية في شبكة لجعلها غير قادرة للاستعمال, كمثال : كنت تتحدث في برنامج محادثة و بعد لحظة ارسل لك صديقك كلمة " مرحبا " مرات متتالية و انت تملك حاسوب ضعيف, اذا فحاسوبك لن يحتمل هذا, سيلزمك اعادة تشغيل الجهاز او اغلاق برنامج المحادثة و هذا العمل الذي قام به صديقك يعتبر Flood BOTNET : الصورة تشرح Spam : و يستعملها الاغلبية في ارسال رسائل مزورة الى البريد الالكتروني اما بهذف الاختراق او التجسس على المعلومات الشخصية

Know Today’s Network Needs The traditional approach to network security engineering has been to try to erect preventative measures Firewalls to protect the infrastructure from intrusion. The firewall acts like a filter, catching anything that seems suspicious and keeping everything behind it as sterile as possible they typically don’t do much in the way of identifying compromised applications that use network resources.

Know Today’s Network Needs Unified threat management system (UTM) “ blacklist ” approach, Firewalls, antivirus,and intrusion detection systems (IDSs), for example,work by trying to block all currently known threats “ whitelist ” appoach, Perhaps a better, and more easily managed, policy is to specifically state which devices are allowed access and which applications are allowed to run in your network’s applications. Any UTM system you employ should provide the means of doing two things: – specify which applications and devices are allowed and offer a policy- based approach to managing those applications and devices. – It should allow you to secure your critical resources against unauthorized data extraction (or data leakage), %8A%D8%AB%D8%A9

Network Security Best Practices: typical network layout A typical network layout. Users outside the DMZ approach the network via a secure (HTTPS) Web or VPN connection. They are authenticated by the perimeter firewall and handed off to either a Web server or a VPN gateway. If allowed to pass, they can then access resources inside the network.

SECURITY POLICIES A good security policy: – isn’t always a single document; rather, it is a conglomeration تكتل of: – policies that address specific areas, such as computer and network use, forms of authentication, policies, remote/mobile technology use, and Web surfing policies. – It should be written in such a way that, while comprehensive, it can be » easily understood by those it affects

TOOLS OF YOUR TRADE Firewalls: – Hardware/software that protect the insiders from outsiders and prevent outsiders to damage the insider network. Firewall combines the five most necessary security systems — 1. firewall, 2.antivirus/spyware/spam, 3.virtual private network (VPN), 4.application filtering, and 5.intrusion prevention/detection systems — into a single appliance.

TOOLS OF YOUR TRADE Intrusion Prevention Systems A good intrusion prevention system (IPS): – is a vast improvement over a basic firewall in that it can, among other things: be configured with policies that allow it to make autonomous decisions as to how to deal with application-level threats as well as: – simple IP address or – port-level attacks.

IPS products respond directly to incoming threats in avariety of ways, from automatically dropping (extracting) suspicious packets (while still allowing legitimate ones to pass) to, in some cases, placing an intruder into a “ quarantine ” file. IPS, like an application layer firewall, can be considered another form of access control in that it can make pass/fail decisions on application content. For an IPS to be effective, it must also be very good at discriminating between a real threat signature and one that looks like but isn’t one (false positive). TOOLS OF YOUR TRADE

types of IPS Network-based: – create a series of check points in the enterprise that detect suspected intrusion attempt activity. Placed inline at their needed locations, they invisibly monitor network traffic for known attack signatures that they then block. Host-based: – reside on the servers and individual machines. – They quietly monitor activities and requests from applications, weeding out actions deemed prohibited in nature.

IPS Continued…. Content-based. These IPSs scan network packets, looking for signatures of content that is unknown or unrecognized or that has been explicitly labeled threatening in nature. Rate-based. These IPSs look for activity that falls outside the range of normal levels, such as activity that seems to be related to password cracking and brute-force penetration attempts.

Application Firewalls Application firewalls (AFs) are sometimes confused with IPSs in that they can perform IPS-like functions. But an AF is specifically designed to limit or deny an application’s level of access to a system’s OS Though AF systems can conduct intrusion prevention duties, they typically employ proxies to handle firewall access control and focus on traditional firewall type functions. Application firewalls can detect the signatures of recognized threats and block them before they can infect the network.

Access Control Systems Access control systems (ACSs) rely on administrator defined rules that allow or restrict user access to protected network resources Biometric devices

access control list (ACL) Some ACS products allow for the creation of an access control list (ACL), which is a set of rules that define security policy. These ACLs contain one or more access control entries (ACEs), which are the actual rule definitions themselves. These rules can restrict access by specific user, time of day, IP address, function (department, management level, etc.), or specific system from which a logon or access attempt is being made.

CONTROLLING USER ACCESS system of user authentication should know who users are.

Authentication, Authorization, and Accounting Authentication is simply proving that a user’s identity claim is valid and authentic. Authentication requires some form of “ proof of identity. ” The most secure means of identifying users is by a combination of (1) hardware device in their possession that is “ known ” to an authentication server in your network, coupled with (2) what they know. A whole host of devices available today — tokens, smart cards, biometric devices — are designed to more positively identify a user.

Authorization when a user has authentication, he also has to be authorization, or permission to enter Authorization is independent of authentication. A user can be permitted entry into the network but not be authorized to access a resource Authorization requires a set of rules that dictate the resources to which a user will have access. These permissions are established in your security policy Authentication, Authorization, and Accounting

accounting have some record of users ’ entry into a network — username, time of entry, and resources. Accounting refers to the recording, logging, and archiving of all server activity, especially activity related to access attempts and whether they were successful. Authentication, Authorization, and Accounting

This information should be written into audit logs that are stored and available any time you want or need to view them. The audit logs should contain, at minimum, the following information: ● The user’s identity ● The date and time of the request ● Whether the request passed authentication and was granted Any network security system you put into place should store, or archive, these logs for a specified period of time and allow you to determine for how long these archives will be maintained before they start to age out of the system. Authentication, Authorization, and Accounting