KBOM Aim Develop a series of Success Factors for infrastructure security Demonstrate the Success Factors in a Physical security analogy Extend the analogy.

Presentation transcript:

KBOM

Aim
- Develop a series of Success Factors for infrastructure security
- Demonstrate the Success Factors in a Physical security analogy
- Extend the analogy to the Digital world
- Describe typical faults in infrastructure security

Good Security: Security Success Factors
- Multiple layers of protection
  - Defence in-depth
  - No direct access to customer data
- Utilises multiple technologies including
  - Access control
  - Breach detection
  - Auditing or recording key events
- Should integrate Human and Mechanised systems
- What is not specifically required is denied

Security systems: Testing the key success factors in the real world

Good Security: A Physical Analogy
(Diagram: Guard, Motion Detector, Security Camera)

Security Success Factors Applied
(Diagram: Guard)
- Multiple layers of security: "buys" time to repel the attacker and prevents Bert endangering the jewels
- Multiple technologies including access control, breach detection and auditing: ensures one fault does not put the crown jewels at risk
- Use of manual and digital security

E-security systems: Relating the digital world to the real world

E-security systems: A model that works

Countermeasures – Digital & Physical
- Door + Lock = Firewall
- Security Camera = Activity Logs
- Movement Sensors = Intrusion Detection
- Security Guard = Security Technician
- Physical Asset = Digital Asset
(Diagram: System Logs)

Security Success Factors Applied
(Diagram: Internet, Corporate Network, Audit Logs, Security Console, Alert data)
- Multiple technologies including access control, breach detection and auditing: ensures one fault does not put the crown jewels at risk
- Multiple layers of security: "buys" time to repel the attacker and prevents Bert endangering the jewels; customer data not in DMZ
- Interface of manual and digital security

Common Faults

(Diagram: e-commerce architecture showing Customer Data, Web Server, Intranet, Internet, Enterprise Systems, Corporate Databases, Application Server, Bank, Internet Databases, Certification Authority, Perimeter Firewall and Internal Firewall. Callouts: SET payment protocol that sends the user's details directly to the bank; authentication and permissions; further protection of the Intranet; central role of the application server that will connect to all data sources; user securely identified via certificates; merchant securely identified via certificates; encrypted information securely transferring over the Internet.)

Common Faults: Overall configuration & design
- Standing data stored in DMZ, only protected by 1 layer of security
- No administration access or terminal servers, so when things go wrong it is impossible to get access
- No proper design documentation – only a collection of clip-art; no IP addresses or server details etc.
- No centralised time server or logging server
- Authentication flawed or SPI
- Unencrypted data
- Checking in downloaded scripts
- Design rules applied with no understanding, so for example multiple firewalls provide no extra protection
- No desk check done!!!!!
- Too much new and diverse technology – multiple UNIX and multiple Windows OS versions make it operationally unviable

Common Faults: Router
(Diagram: Internet, Corporate Network, Audit Logs)
- Access lists absent, incomplete or applied to the wrong interface
- SNMP open with community string of public &... (go on, have a guess)
- Telnet open, allowing unrestricted terminal access to the internet
- Small services open
- And even if the perimeter router isn't yours: WHO PAYS THE PRICE IF IT IS HACKED?

Bad Config - router 1 of 1

pants#show startup-config
hostname pants
enable password cisco
interface Serial0/0
 ip address
interface FastEthernet1/0
 ip address
ip route
ip route
snmp-server community public RO
snmp-server community private RW
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!

After

After router 1 of 2

service password-encryption
no service udp-small-servers
no service tcp-small-servers
hostname pants
enable secret 5 $1$s1gN$TDLK8LhaSdgKlDUpR84OY1
enable password notused
!
interface Serial0/0
 ip address
 ip access-group 102 in
!
interface FastEthernet1/0
 ip address
 ip access-group 103 in
!

After router 1 of 2

! Management controls
access-list 1 permit
access-list 1 permit
!
! Spoof & rfc 1918 filter
access-list 102 deny ip any
access-list 102 deny ip any
!
! Traffic filter
access-list 102 permit tcp any host eq www
access-list 102 permit tcp any host eq smtp
access-list 102 permit ip any host
!
! Egress rules
access-list 103 permit ip any
access-list 103 deny ip any any
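The access lists above only make sense once you hold the IOS evaluation rule in mind: entries are tried top to bottom, the first match decides, and a packet that matches nothing is dropped by the implicit deny at the end. The script below is an added example, not part of the presentation, that models that rule in Python and rebuilds the slide's two lists against constructed documentation addresses (the corporate range 203.0.113.0/24 and the exposed web and mail hosts are assumptions, since the transcript lost the real addresses). It goes slightly beyond the slide by listing all three RFC 1918 ranges in the anti-spoof section.

```python
"""Model of Cisco IOS access-list evaluation: entries are checked top to bottom,
the first match decides, and anything left unmatched hits the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr: str) -> ipaddress.IPv4Network:
    """IOS 'host a.b.c.d' is shorthand for a /32."""
    return ipaddress.ip_network(f"{addr}/32")

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol, otherwise exact match
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # 'eq <port>'; None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching entry); ('deny', None) is the implicit deny."""
    for i, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, i
    return "deny", None

# Constructed addressing (documentation ranges, assumed; not taken from the slides):
INTERNAL = ipaddress.ip_network("203.0.113.0/24")   # the corporate range behind the router
WEB, MAIL = "203.0.113.10", "203.0.113.20"          # the hosts ACL 102 exposes on the slide
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_ingress_acl() -> List[Entry]:
    """Equivalent of access-list 102, applied inbound on the Internet-facing interface."""
    acl = [Entry("deny", "ip", INTERNAL, ANY)]                 # anti-spoof: our own range from outside
    acl += [Entry("deny", "ip", net, ANY) for net in RFC1918]  # private ranges never arrive legitimately
    acl += [Entry("permit", "tcp", ANY, host(WEB), 80),        # permit tcp any host <web> eq www
            Entry("permit", "tcp", ANY, host(MAIL), 25)]       # permit tcp any host <mail> eq smtp
    return acl                                                 # everything else: implicit deny

def build_egress_acl() -> List[Entry]:
    """Equivalent of access-list 103, inbound on the inside interface (traffic leaving the site)."""
    return [Entry("permit", "ip", INTERNAL, ANY),   # only our own addresses may go out
            Entry("deny", "ip", ANY, ANY)]          # explicit deny so the dropped traffic is visible

if __name__ == "__main__":
    ingress, egress = build_ingress_acl(), build_egress_acl()
    for pkt in (Packet("tcp", "198.51.100.5", WEB, 80),   # ordinary web visitor
                Packet("tcp", "203.0.113.77", WEB, 80),   # packet claiming an internal source
                Packet("tcp", "10.1.1.1", WEB, 80),       # private source address
                Packet("tcp", "198.51.100.5", WEB, 22)):  # service not listed: implicit deny
        print(pkt.src, "->", pkt.dst, pkt.dport, evaluate(ingress, pkt))
    print("egress", evaluate(egress, Packet("tcp", "10.0.0.9", "198.51.100.9", 80)))
```

The egress list is the part most often forgotten: a permit only for the site's own range means a misconfigured or compromised inside host cannot emit traffic with a foreign source address, and the explicit final deny gives a counter to watch.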

snmp-server community x1xx RO 1
snmp-server community x1xx RW 1
line con 0
 password GMxQttt98
 login
line aux 0
line vty 0 4
 access-class 1 in
 password Tmtttts
 login

Common Faults - Firewalls
(Diagram: Internet, Corporate Network, Audit Logs)
- No anti-spoofing
- Default passwords, rules or config
- Unused services
- Rules confused + undocumented
- No consideration given to error logging or the return connection (which can stop many hacks!!!)
- Changes to the configuration not logged
- No reporting of authorisation failures

Before Pix 1 of 3

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h
fixup protocol sqlnet 1521
names
pager lines 24
no logging console
no logging monitor
no logging buffered errors
no logging trap
logging facility 20

Before Pix 2 of 3

interface ethernet0 auto
interface ethernet1 auto
ip address outside
ip address inside
nat (inside)
static (inside,outside) netmask
static (inside,outside) netmask
conduit permit tcp host eq smtp any
conduit permit tcp host eq www any
conduit permit tcp host eq telnet any

Before Pix 3 of 3

apply (inside) 11 outgoing_src
rip outside passive
rip outside default
rip inside passive
rip inside default
route outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet
telnet timeout 5
floodguard 1
Cryptochecksum:8c7bc2b51a5bd78305c83a14f13e9c7b

After

After Pix 1 of 3

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname firewall
no fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
no fixup protocol h
no fixup protocol sqlnet 1521
names
pager lines 24
no logging console
logging host
logging trap 3
logging facility 20

After Pix 2 of 3

interface ethernet0 auto
interface ethernet1 auto
ip address outside
ip address inside
nat (inside)
static (inside,outside) netmask
static (inside,outside) netmask
conduit permit tcp host eq smtp any
conduit permit tcp host eq www any
conduit permit tcp host eq telnet any
outbound 11 permit smtp tcp
outbound 11 deny www tcp
apply (inside) 11 outgoing_src

After Pix 3 of 3

rip outside passive
rip outside default
rip inside passive
rip inside default
route outside
no snmp-server location
no snmp-server contact
no snmp-server community public
no snmp-server enable traps
telnet
telnet timeout 5
floodguard 1
Cryptochecksum:8c7bc2b51a5bd78305c83a14f13e9c7b
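The router and PIX before/after pairs are easiest to learn from as a checklist that can be run against a configuration rather than read once. The script below is an added example, not part of the presentation, that audits configuration text for the faults the router slide names (default SNMP communities, SNMP without an access list, vty lines without access-class, clear-text enable password, small servers left on, interfaces with no access list) and for the PIX points shown in the listings (community public, no syslog host or trap logging, telnet reachable from any address). The sample configurations are constructed with documentation addresses and placeholder secrets; they follow the shape of the slide listings but are not the slide text, and the small-servers check assumes an IOS release where those services default to on, as the slide's "after" configuration implies.

```python
"""Static audit of Cisco IOS and PIX configuration text for the perimeter faults on the slides."""
import re
from typing import List, Tuple

def sections(cfg: str) -> List[Tuple[str, List[str]]]:
    """Split 'show run' style text into (top-level line, [indented sub-lines]); '!' is ignored."""
    out: List[Tuple[str, List[str]]] = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and out:
            out[-1][1].append(line)
        else:
            out.append((line, []))
    return out

def audit_ios(cfg: str) -> List[str]:
    secs = sections(cfg)
    tops = [h for h, _ in secs]
    f: List[str] = []
    if "service password-encryption" not in tops:
        f.append("service password-encryption missing: line passwords stored in clear")
    if any(h.startswith("enable password") for h in tops) and not any(h.startswith("enable secret") for h in tops):
        f.append("enable password without enable secret")
    for svc in ("tcp", "udp"):  # assumption: IOS release where small servers default to on
        if f"no service {svc}-small-servers" not in tops:
            f.append(f"{svc} small services not disabled")
    for h, body in secs:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", h)
        if m:
            comm, mode, acl = m.groups()
            if comm.lower() in ("public", "private"):
                f.append(f"snmp {mode} community '{comm}' is a well-known default")
            if acl is None:
                f.append(f"snmp community '{comm}' not bound to an access list")
        if h.startswith("interface") and not any(b.startswith("ip access-group") for b in body):
            f.append(f"{h}: no ip access-group applied")
        if h.startswith("line vty") and not any(b.startswith("access-class") for b in body):
            f.append(f"{h}: terminal access not restricted with access-class")
    return f

def audit_pix(cfg: str) -> List[str]:
    lines = [h for h, _ in sections(cfg)]  # PIX config is flat, no sub-lines expected
    f: List[str] = []
    if "snmp-server community public" in lines:
        f.append("snmp community 'public'")
    if "no logging trap" in lines or not any(l.startswith("logging host") for l in lines):
        f.append("no syslog host / trap logging: events never leave the box")
    f += [f"telnet reachable from any source: {l}" for l in lines
          if re.match(r"conduit permit tcp host \S+ eq telnet any$", l)]
    return f

# Constructed samples (documentation addresses, placeholder secrets), not the slide listings.
IOS_BEFORE = """enable password cisco
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
interface FastEthernet1/0
 ip address 203.0.113.1 255.255.255.0
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 login
"""
IOS_AFTER = """service password-encryption
no service udp-small-servers
no service tcp-small-servers
enable secret 5 PLACEHOLDER-HASH
enable password notused
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 102 in
interface FastEthernet1/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group 103 in
snmp-server community x1xx RO 1
line vty 0 4
 access-class 1 in
 password 7 PLACEHOLDER
 login
"""
PIX_BEFORE = """no logging trap
snmp-server community public
conduit permit tcp host 203.0.113.20 eq smtp any
conduit permit tcp host 203.0.113.10 eq telnet any
"""
PIX_AFTER = """logging host 203.0.113.40
logging trap 3
no snmp-server community public
conduit permit tcp host 203.0.113.20 eq smtp any
"""

if __name__ == "__main__":
    for name, cfg, fn in (("ios before", IOS_BEFORE, audit_ios), ("ios after", IOS_AFTER, audit_ios),
                          ("pix before", PIX_BEFORE, audit_pix), ("pix after", PIX_AFTER, audit_pix)):
        print(name, fn(cfg))
```

The parser relies on the one-space indentation that `show running-config` uses for sub-commands, which is why the constructed samples keep it; a configuration pasted without indentation (as in the transcript above) would make every interface and vty line look empty.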

Firewall 1 - before

Firewall 1 - After

Common Faults - Web Server
(Diagram: Internet, Corporate Network, Audit Logs)
- Whoops - SSL is not enabled
- Critical data in the DMZ – classical example of pointless multiple layers
- Default CGI scripts or administration servlets only protected by simple (default!!) passwords
- Developer SDK and doco available
- Operating systems not properly hardened and configured

Common Faults - Applications
(Diagram: Internet, Corporate Network, Audit Logs)
- Confidential screens and information (perhaps passwords) unencrypted – in URL or in cookies
- Passwords used for high-value transactions
- Application authorization that "should work" (as long as you don't try it)
- No proper application logging or alerting – making fraud easy

Common Faults - IDS
(Diagram: Internet, Corporate Network, Audit Logs)
- Focusing on known attacks rather than anomalous traffic
- Not updating it regularly – attacks emerge every day
- Encryption – encryption is our friend, but if you install a network based IDS to monitor encrypted traffic what is it
- Putting them in a wrong place – you don't put a motion detector outside your house
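The first and third points on this slide are really one point: a signature engine can only match what it can read. The script below is an added example, not part of the presentation, that runs a signature check and a simple behavioural check over a constructed connection log; the events, the two textbook signature strings and the baseline of served ports are all assumptions made for the illustration. The encrypted session in the sample carries no visible payload, so the signature pass skips it, while the port-based anomaly check still works because it never looks at payload.

```python
"""Signature matching versus anomaly scoring over a constructed connection log, including the
blind spot the slide raises: a network IDS sees nothing useful inside encrypted sessions."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed events: (source, destination port, payload visible to the sensor).
# payload is None when the session is encrypted end to end and the sensor only sees ciphertext.
EVENTS: List[Tuple[str, int, Optional[str]]] = [
    ("198.51.100.5", 80, "GET /index.html HTTP/1.0"),
    ("198.51.100.5", 80, "GET /cgi-bin/../../../etc/passwd HTTP/1.0"),
    ("198.51.100.9", 443, None),                      # same kind of request, but inside TLS
    ("198.51.100.20", 21, ""), ("198.51.100.20", 22, ""), ("198.51.100.20", 23, ""),
    ("198.51.100.20", 25, ""), ("198.51.100.20", 80, ""), ("198.51.100.20", 443, ""),
    ("203.0.113.55", 25, "EHLO mail.example"),
]

# Two textbook signatures, written as plain substrings rather than a real IDS rule language.
SIGNATURES = {"directory traversal": "../", "sql tautology": "' OR '1'='1"}

# Ports the protected site actually serves; learned from history in practice, fixed here.
BASELINE_PORTS: Set[int] = {25, 80, 443}

def signature_alerts(events) -> List[Tuple[str, str]]:
    """Known-attack detection: fires only when a signature string is visible in the payload."""
    alerts = []
    for src, _port, payload in events:
        if payload is None:
            continue                      # encrypted: nothing to match against
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append((src, name))
    return alerts

def anomaly_alerts(events, max_distinct: int = 3) -> List[Tuple[str, List[int]]]:
    """Behavioural detection: a source touching many ports, or ports the site does not offer,
    is flagged without inspecting payload, so it still works on encrypted flows."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for src, port, _payload in events:
        ports[src].add(port)
    alerts = []
    for src, seen in ports.items():
        unseen = sorted(seen - BASELINE_PORTS)
        if len(seen) > max_distinct or unseen:
            alerts.append((src, unseen))
    return alerts

def blind_spots(events) -> int:
    """Count sessions the sensor could not inspect at all."""
    return sum(1 for _s, _p, payload in events if payload is None)

if __name__ == "__main__":
    print("signatures:", signature_alerts(EVENTS))
    print("anomalies :", anomaly_alerts(EVENTS))
    print("encrypted sessions not inspected:", blind_spots(EVENTS))
```

Counting the sessions the sensor could not read is as useful as the alerts themselves: if that number is most of the traffic, the sensor is the motion detector placed outside the house, and the inspection belongs on the host or behind the point where the traffic is decrypted.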

KBOM