1 Guide to Network Defense and Countermeasures Chapter 2.

2 Chapter 2 - Designing a Network Defense
- Understand covert channeling and other common attack threats you need to defend against
- Describe the network security components that make up a layered defense configuration
- List the essential activities that need to be performed in order to protect a network
- Integrate an intrusion detection system (IDS) into a network security configuration

3 Common Attack Threats
The kinds of security attacks faced include:
- Covert channeling is a way to gain unauthorized access to systems through communications ports
- Denial of Service (DoS) attacks shut down networks
- Remote procedure call abuses give hackers access using Windows networking services
- Viruses and Trojan horses enter through messages or downloaded files
- Man-in-the-middle attacks can destroy privacy
- Fragmented IP packets can be used to sneak in malicious code

4 Common Attack Threats
Network vulnerabilities include services and computers that might present openings:
- Vulnerable services that a hacker may be able to exploit in a server program
- E-mail gateways where hackers can attach a virus payload to a message; when the recipient opens it, the program runs and the virus installs itself
- Porous borders can result when a computer is listening on a virtual channel that is not being used
- Gullible employees can be fooled by hackers

5 Common Attack Threats
Denial of Service (DoS) attacks are launched against network servers:
- The server is flooded with more requests to view Web pages and access files than it can handle
- The server is so busy sending response messages to the requests that result from the DoS attack that it is unable to process legitimate requests; as a result, the network is effectively blocked
- Numerous types of DoS attacks exist; the more common are SYN floods and address spoofing

6 Common Attack Threats
DoS attacks (cont.):
- In SYN flood attacks, the attacker sends a TCP packet to the host with the SYN flag set; the server responds by sending an ACK, which the attacker never responds to, so the server ties up resources as it waits; the attacker then sends a flood of TCP SYN requests without responding, and eventually the server exhausts its resources
- In an address spoofing attack, the attacker finds an open port, then sends a packet containing a spoofed address and the same source IP address as the server's own; this can crash the server

8 Common Attack Threats
Other attacks:
- In a Remote Procedure Call (RPC) attack, RPC packets that contain spoofed addresses are sent to a server; when the RPC server is unable to interpret the spoofed address, it sends an RPC REJECT packet; if enough spoofed RPC packets are sent, the resulting REJECTs drain server resources
- A virus is computer code that copies itself from one place to another and performs actions that range from benign to harmful; worms create files that copy themselves over and over and take up disk space

9 Common Attack Threats
Other attacks (cont.):
- A Trojan horse is a harmful computer program that creates a back door: an opening to a computer, such as an unused port or terminal service, that gives a hacker the ability to control the computer
- In a man-in-the-middle attack, a hacker intercepts part of an encrypted data session to gain control over what is being exchanged; as a result, the hacker can impersonate the intended recipient
- By assigning a packet a false fragment number and embedding IP header data within it, a hacker can sometimes fool a host into letting the packets in

11 Providing Layers of Network Defense
Good network protection involves arranging a group of components in such a way that they provide layers of network defense:
- Layer 1: Physical security protects computers from theft (use locks), fire, or environmental disaster
- Layer 2: Password security means using good passwords, securing them, and changing them as needed
- Layer 3: Operating system security involves installing operating system patches, hotfixes, and service packs, and disabling guest accounts

12 Providing Layers of Network Defense
Layers of network defense (cont.):
- Layer 4: Anti-virus protection means setting up anti-virus software and updating definitions
- Layer 5: Packet filtering blocks or allows the transmission of packets based on port, IP address, protocol, or other criteria; packet filters come in the form of routers, operating systems, or firewalls; stateless packet filtering decides on packets based on established connections, whereas stateful packet filtering goes beyond stateless and maintains an intelligent rule base and state table

14 Providing Layers of Network Defense
Layers of network defense (cont.):
- Layer 6: Firewalls reflect the heart of a company's security policy in that they control the amount of traffic the network receives and the ease with which users can access external networks; two firewall approaches exist: permissive, which allows traffic through by default and blocks on a case-by-case basis, and restrictive, which blocks all traffic by default and allows it on a case-by-case basis; another function performed by firewalls is Network Address Translation (NAT), which converts internal IP addresses to different ones

17 Providing Layers of Network Defense
Layers of network defense (cont.):
- Layer 7: Proxy servers can conceal end users in a network and act as a go-between, forwarding data between internal users and external hosts; proxies work by examining the port each service uses, screening all traffic into and out of each port, and deciding whether to block or allow traffic based on rules set up by the proxy server administrator; ultimately, because of their respective strengths and weaknesses, proxy servers and packet filters need to be used together in a firewall

20 Providing Layers of Network Defense
Layers of network defense (cont.):
- Layer 8: A DMZ, or demilitarized zone, is a network that sits outside the internal network (but is connected to the firewall) and makes services publicly available while protecting the internal LAN; DMZs are standard in e-commerce to protect transactions and ensure that they complete successfully; the most common type of DMZ is a screened subnet, created by grouping the public service servers and combining them with the firewall's subnet; often, a company will add a second firewall for an extra level of security

23 Providing Layers of Network Defense
Layers of network defense (cont.):
- Layer 9: Intrusion detection systems (IDSs) work by recognizing the signs of a possible attack and sending a notification to an administrator
- Layer 10: Virtual private networks (VPNs) provide a relatively low-cost and secure connection between organizations over the public Internet; VPNs encrypt packets, provide user authentication, and encapsulate the encrypted packets
- Layer 11: Logging and administration involves reviewing and analyzing firewall and IDS log files

24 Essential Network Security Activities
The most common activities of any network security configuration are:
- Encryption, which is the process of concealing information to render it unreadable to all but the intended recipients; an encrypted code called a digital signature is attached to the files exchanged during a transaction so that each party can verify the other's identity
- Authentication, which is the act of reliably determining whether an entity is who it claims to be

25 Essential Network Security Activities
Security configuration activities (cont.):
- Developing a packet filtering rule base, which is the set of individual rules that the filter consults when it encounters a packet
- Virus protection is a central activity that needs to be performed to protect a network and its users; it should scan the content of messages
- Secure remote access is one of the biggest security challenges facing organizations that communicate via the Internet and need to provide access for remote users; a VPN provides an ideal solution
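As an added example (not code from the slides or the textbook), the packet filtering rule base described here together with the stateless/stateful distinction from Layer 5 above, in Python: the stateless filter judges each packet on its header fields against a restrictive rule base (explicit allows, then a deny-everything cleanup rule), while the stateful filter also keeps a state table so that replies to connections it already permitted are let through without a rule of their own. The addresses, ports, rules and packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag set, i.e. a new connection attempt

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None means "any"
    src: Optional[str] = None    # CIDR such as "10.0.0.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto is None or self.proto == p.proto)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.dport is None or self.dport == p.dport)
        )

# Constructed restrictive rule base: allow the listed services, deny everything else.
RULE_BASE = [
    Rule("allow", proto="tcp", dst="192.0.2.10/32", dport=80),  # public web server
    Rule("allow", proto="tcp", src="10.0.0.0/24", dport=443),   # internal users outbound
    Rule("deny"),                                               # cleanup rule: default deny
]

def stateless_filter(p: Packet, rules=RULE_BASE) -> str:
    """Stateless: judge every packet on header fields alone; first matching rule wins."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"   # no rule matched (only reachable without a cleanup rule)

class StatefulFilter:
    """Stateful: consult the state table before the rule base, so reply traffic
    belonging to a permitted connection is allowed without a rule of its own."""
    def __init__(self, rules=RULE_BASE):
        self.rules = rules
        self.state = set()   # (proto, src, sport, dst, dport) of permitted connections

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)   # how a reply looks
        if key in self.state or reverse in self.state:
            return "allow"
        decision = stateless_filter(p, self.rules)
        if decision == "allow" and p.proto == "tcp" and p.syn:
            self.state.add(key)   # remember the connection we just permitted
        return decision
```

An unsolicited packet that merely looks like a reply (source port 443, no matching state entry) is still denied, which is the point of the state table.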

26 Essential Network Security Activities
Security configuration activities (cont.):
- Working with log files involves reviewing and maintaining these files so that you can detect intrusion attempts by spotting suspicious patterns of activity
- Managing log files is tedious and time consuming, but the network administrator must read log files to see who is accessing the network from the Internet
- Log files compiled by firewalls allow you to see active data, recently recorded data, system events, security events, traffic, and packets; be sure to use graphic displays of log file entries

30 Integrating Intrusion Detection Systems (IDSs)
An IDS fits into an overall network security program in the following ways:
- The best way to configure an IDS is to anticipate which attacks you are likely to encounter, so that you can make sure the IDS has the appropriate signatures or rules available to it
- A good IDS notifies the appropriate individuals and provides information about what type of event occurred and where it took place
- The logical place for an IDS is near the point where the internal network interfaces with the external Internet
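As an added example (not from the slides), the log review from slide 26 and the signature-driven IDS behaviour from this slide in Python: two signatures, a port scan and a SYN flood (the DoS type named on slide 5), run over constructed firewall log lines and produce alerts that record what type of event occurred and where. The log line format, the thresholds and the addresses are assumptions made for the demonstration, not any product's real format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Constructed log format (not a real product's): TS ACTION PROTO SRC:PORT -> DST:PORT [flags=X]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)(?: flags=(?P<flags>\w+))?$"
)

@dataclass
class Alert:
    kind: str        # what type of event occurred
    where: str       # where it took place (host/port)
    when: datetime
    detail: str

def parse(lines: Iterable[str]):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            yield d

def detect(lines, window=timedelta(seconds=10), scan_ports=5, syn_limit=50) -> List[Alert]:
    """Two signatures over a sliding window: a port scan (one source denied on
    many distinct ports) and a SYN flood (many new connections to one dst:port)."""
    alerts: List[Alert] = []
    denied = defaultdict(list)   # src -> [(ts, dport), ...]
    syns = defaultdict(list)     # (dst, dport) -> [ts, ...]
    fired = set()                # raise each (signature, subject) alert only once
    for e in parse(lines):
        ts = e["ts"]
        if e["action"] == "DENY":
            hist = denied[e["src"]]
            hist.append((ts, e["dport"]))
            hist[:] = [(t, p) for t, p in hist if ts - t <= window]
            ports = {p for _, p in hist}
            if len(ports) >= scan_ports and ("scan", e["src"]) not in fired:
                fired.add(("scan", e["src"]))
                alerts.append(Alert("port scan", f"from {e['src']}", ts, f"{len(ports)} ports probed"))
        if e["proto"] == "tcp" and e["flags"] == "S":
            key = (e["dst"], e["dport"])
            hist = syns[key]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= window]
            if len(hist) >= syn_limit and ("synflood", key) not in fired:
                fired.add(("synflood", key))
                alerts.append(Alert("SYN flood", f"to {key[0]}:{key[1]}", ts, f"{len(hist)} SYNs in window"))
    return alerts

# Constructed sample: a 6-port probe from one host, then 60 SYNs to the web server within 10 s.
SAMPLE = [f"2024-03-01T10:00:{i:02d} DENY tcp 198.51.100.9:4000{i} -> 192.0.2.10:{20 + i}" for i in range(6)]
SAMPLE += [f"2024-03-01T10:01:{i // 6:02d} ALLOW tcp 203.0.113.{i + 1}:5{i:04d} -> 192.0.2.10:80 flags=S"
           for i in range(60)]
```

Each Alert carries the event type, the host or port involved and the time, which is exactly what a notification (e-mail, pager, log alert) needs to contain.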

34 Chapter Summary
This chapter gives you a rundown of the fundamental network security tools and approaches you need to design a defensive perimeter. An effective network security strategy involves many layers of defense working together to prevent many different kinds of threats.
You begin by reviewing the common security threats you need to guard against. These include Denial of Service attacks such as SYN floods and address spoofing; covert channeling attacks; virus attacks; and man-in-the-middle attacks.

35 Chapter Summary
The following are the layers of network security that you can set up:
- Layer 1, or physical security - lock computers, provide environmental controls, use alarm systems
- Layer 2, or password security - use good passwords and change them regularly
- Layer 3, or operating system security - install operating system patches and updates to plug obvious holes such as unused ports
- Layer 4, or use of anti-virus protection - set up anti-virus software and update virus definitions periodically
- Layer 5, or packet filtering - set up a packet filtering rule base

36 Chapter Summary
Layers of network security (cont.):
- Layer 6, or use of firewalls - set up a DMZ and firewall to protect your internal LAN while providing external clients with public services such as Web pages
- Layer 7, or use of a proxy server - set up a proxy server to conceal the identity of internal hosts
- Layer 8, or use of a DMZ - place proxy servers, Web servers, e-mail servers, and other servers in an area called a DMZ that is outside the internal network but still protected by the firewall
- Layer 9, or use of an Intrusion Detection System (IDS) - set up an IDS to notify you when security events occur

37 Chapter Summary
Layers of network security (cont.):
- Layer 10, or use of a virtual private network (VPN) - set up a VPN and secure remote clients with firewalls and anti-virus software
- Layer 11, or use of logging and administration - keep reviewing your firewall, packet filtering, and IDS logs on a regular basis
Encryption protects data as it passes from one network to another, and authentication limits access to authorized users.

38 Chapter Summary
Packet filtering allows or blocks packets based on a set of rules, and virus protection helps prevent computer systems from being attacked.
Secure remote access gives contractors and mobile users a way to connect to the home network; log files give the network administrator the ability to analyze who is accessing the network from the Internet, as well as a way of detecting intrusion attempts based on patterns of suspicious activity.

39 Chapter Summary
An IDS is an ideal tool for real-world situations in which security breaches occur. The IDS can notify you by e-mail, by log file alert messages, or even by sending a message to your pager.
The IDS should be located on the perimeter of the network, but it can be placed in any number of spots: on a server in the DMZ, between the external router and the Internet, or between the router and the LAN.

40 Chapter Summary
When you receive an alert from an IDS, react rationally: use the alerts to assess whether the network has actually been breached, and to track what resources, if any, have been affected.