AGENDA: I. The Basics; II. Threats; III. Controls; IV. Tools. Source: Pfleeger & Pfleeger.


2 AGENDA: I. The Basics; II. Threats; III. Controls; IV. Tools. Source: Pfleeger & Pfleeger

3 THE BASICS Source: Pfleeger & Pfleeger

4 INTERNET CONNECTIVITY Advantage: the private network is able to reach and communicate with the outside world. Disadvantage: the outside world can also reach and interact with the private network.

5 ADVANTAGES OF COMPUTING NETWORKS Resource sharing. Distributed workload. Increased reliability. Expandability.

6 SECURITY THREAT ANALYSIS: Local threats: local nodes; local communications; local storage; local devices. Network-related threats: network gateways; network communications; network control resources; network routers; network resources.

7 WEB / NETWORK SECURITY Client side: what can the server do to the client? Fool it; install or run unauthorized software; inspect or alter files. Server side: what can the client do to the server? Bring it down (denial of service); gain access (break-in). Network: is anyone listening (sniffing)? Is the information genuine? Are the parties genuine?

8 ISO/OSI MODEL Source: Pfleeger & Pfleeger
OSI Layer  Name          Activity
7          Application   User-level data
6          Presentation  Standardized data appearance
5          Session       Logical connection among parts
4          Transport     Flow control
3          Network       Routing
2          Data Link     Reliable data delivery
1          Physical      Actual communication across physical medium

9 TCP/IP Vs. OSI Source: Pfleeger & Pfleeger (the slide repeats the OSI layer table of slide 8 for comparison with the TCP/IP layers on the next slide)

10 TCP/IP Source: Pfleeger & Pfleeger
Layer        Action                         Responsibilities
Application  Prepare messages               User interaction, addressing
Transport    Convert messages to packets    Sequencing, reliability, error correction
Internet     Convert messages to datagrams  Flow control, routing
Physical     Transmit datagrams as bits     Data communication

11 THREATS (EQ): Precursors; in transit; protocol flaws; impersonation; spoofing; message confidentiality/integrity threats; web site defacement; denial of service (DoS); distributed denial of service (DDoS); active or mobile code threats; complex attacks. Source: Pfleeger & Pfleeger

12 VULNERABILITIES: Anonymity; many points of attack (both targets and origins); sharing; complexity of systems; unknown perimeter; unknown path. Source: Pfleeger & Pfleeger

13 ATTACKERS: Script kiddies; industrial spies; information warfare; cyber terrorists; “hacktivists”; wardrivers, etc. Source: Pfleeger & Pfleeger

14 FROM CSI/FBI REPORT 2002 90% detected computer security breaches. 80% acknowledged financial losses. 44% (223 respondents) were willing and able to quantify losses: $455M. Most serious losses: theft of proprietary information (26 respondents: $170M) and fraud (25 respondents: $115M). 74% cited their Internet connection as a frequent point of attack. 33% cited internal systems as a frequent point of attack. 34% reported intrusions to law enforcement (up from 16% in 1996). Source: Deb Frincke

15 MORE FROM CSI/FBI 2002 40% detected external penetration. 40% detected DoS attacks. 78% detected employee abuse of Internet access. 85% detected computer viruses. 38% suffered unauthorized access on Web sites. 21% didn’t know. 12% reported theft of information. 6% reported financial fraud. Source: Deb Frincke

16 THREATS PRECURSORS: Port Scan Social Engineering Intelligence Reconnaissance Bulletin Boards / Chats Available Documentation Source: Pfleeger & Pfleeger

17 THREATS: IMPERSONATION In an impersonation, an attacker has several choices: guess the identity and authentication details of the target; pick up the identity and authentication details of the target from a previous communication or from wiretapping; circumvent or disable the authentication mechanism at the target computer; use a target that will not be authenticated; use a target whose authentication data are known.

18 Source: Pfleeger & Pfleeger Authentication foiled by: guessing; stealing; eavesdropping and wiretapping; avoidance; nonexistent authentication.

19 THREATS: SPOOFING Source: Pfleeger & Pfleeger Masquerade; session hijacking; man-in-the-middle attack.

20 Spoofing: When an attacker falsely carries on one end of a networked interchange. 1. Masquerade: One host pretends to be another. 2. Session Hijacking: Intercepting and carrying on a session begun by another entity. 3. Man-in-the-Middle Attack: One entity intrudes between the other two.

21 Figure 7-16 Key Interception by a Man-in-the-Middle Attack.

22 THREATS: MESSAGE CONFIDENTIALITY/INTEGRITY Source: Pfleeger & Pfleeger Misdelivery; exposure; traffic flow analysis; falsification of messages; noise.

23 THREATS: WEB SITE DEFACEMENT Source: Pfleeger & Pfleeger Buffer overflows; dot-dot and address problems; server-side includes.

24 THREATS: DENIAL OF SERVICE (DOS) Source: Pfleeger & Pfleeger Transmission failure; connection flooding; ping, echo, destination unreachable, source quench. TYPES OF ATTACK: echo-chargen; ping of death; smurf attack; SYN flood; teardrop; traffic redirection.

25 Figure 7-17 Smurf Attack.

26 Figure 7-18 Three-Way Connection Handshake.

27 THREATS: DISTRIBUTED DENIAL OF SERVICE (DDOS) Source: Pfleeger & Pfleeger Trojan horses planted; zombies attack.

28 Figure 7-19 Distributed Denial-of-Service Attack.

29 THREATS: COMPLEX ATTACKS Source: Pfleeger & Pfleeger Script kiddies; building blocks.

30 NETWORK VULNERABILITIES

31 Target: Vulnerability
Precursors to attack: port scan; social engineering; reconnaissance.
Authentication failures: impersonation; guessing; eavesdropping; spoofing; session hijacking; man-in-the-middle attack.
Programming flaws: buffer overflow; addressing errors; parameter modification, time-of-check to time-of-use errors; server-side include; cookie; malicious code (virus, worm, Trojan horse); malicious typed code.

32 Confidentiality: protocol flaw; eavesdropping; passive wiretap; misdelivery; exposure within the network; traffic flow analysis; cookie.
Integrity: protocol flaw; active wiretap; impersonation; falsification of message; noise; web site defacement; DNS attack.
Availability: protocol flaw; transmission or component failure; connection flooding (e.g., echo-chargen, ping of death, smurf, SYN flood); DNS attack; traffic redirection; distributed denial of service.

33 NETWORK SECURITY CONTROLS

34 NETWORK SECURITY CONTROLS (EQ / 20M) Design and implementation. Architecture. Segmentation. Redundancy. Firewalls. Intrusion detection systems (IDS). Alarms and alerts. Honeypots. Traffic flow security. Onion routing. SSH and SSL encryption. IPSec. Source: Pfleeger & Pfleeger

35 SECURITY THREAT ANALYSIS Individual parts of a network: local nodes, connected via local communication links to a local area network, which has local data storage, local processes and local devices. The local network is connected to a network gateway, which gives access via network communication links to network control resources, network routers and network resources.

36 WHAT WILL A HACKER DO? Read communication. Modify communication. Forge communication. Inhibit all communication. Read data at some other machine. Modify or destroy data.

37 THREATS Intercepting data in traffic. Accessing programs or data. Modifying programs or data. Modifying data in transit. Inserting communications. Impersonating a user. Blocking selected or all traffic.

38 DESIGN AND IMPLEMENTATION ARCHITECTURE: Segmentation: the overall functionality of a system is broken into segments. Redundancy: allowing a function to be performed on more than one node (failover mode). Single point of failure: avoided by distributing the database, so that no single node is essential to the whole system.


41 CONTENTS What is firewall? Need of firewall. Types of firewalls. Firewall configurations. What firewall can-and cannot-block.


43 WHAT IS A FIREWALL? A firewall is a system or group of systems that enforces an access control policy between two networks. It can be seen as a pair of mechanisms: one to block traffic and one to permit traffic. It allows outsiders to access public areas while preventing them from exploring proprietary areas of the network. It can take the form of hardware, software or both.

44 WHAT IS A FIREWALL? A dedicated device that filters all traffic between a protected (inside) network and a less trustworthy (outside) network. It implements a security policy that can keep bad things away from the inside network. The security policy might permit access from certain places, from certain users or for certain activities.

45 NEED OF A FIREWALL The Internet is plagued with many kinds of jerks. Sensitive or proprietary data must be protected. A firewall's purpose is to keep the jerks out of the network. It acts as a security blanket for management. It acts as the corporate “ambassador” to the Internet.


49 FIREWALL FEATURES


51 DESIGN OF A FIREWALL Always invoked. Isolated. Tamperproof. Small and simple.

52 TYPES OF FIREWALLS Packet filtering firewalls Stateful inspection firewalls Application proxies Guards Personal firewalls

53 PACKET FILTERING FIREWALLS Packet filtering firewalls decide whether or not to forward packets based on: source and destination IP addresses; source and destination port numbers. They do not keep track of connection state. They are susceptible to application-layer attacks.

54 PACKET FILTERING FIREWALLS It controls access to packets based on packet address (IP and ports) or a specific transport protocol type (e.g. HTTP). Packet filters do not see inside a packet. The filtering rule set needs to be very detailed. No state or context is carried from one packet to the next.

55 PACKET FILTERING FIREWALLS

56 The figure shows a packet filter that blocks access from (or to) addresses in one network; the filter allows HTTP traffic but blocks traffic using the Telnet protocol. Figure labels: Local network, PFG, Remote blocked network1, Remote accepted network2, Telnet.


61 STATEFUL INSPECTION FIREWALL It maintains state information from one packet to another in the input stream. It maintains state information on connections. It would track the sequence of packets and conditions from one packet to another to thwart an attack.
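The state tracking described on this slide, together with the three-way handshake of Figure 7-18 and the SYN flood listed under denial of service, as an added example that is not part of the original slides or of Pfleeger & Pfleeger. The filter remembers each connection's handshake state and accepts a packet only if it fits that state; it also counts half-open connections per source address so a burst of SYNs that never complete is reported. The addresses, the packet trace and the alert threshold are constructed for the example.

```python
"""Stateful inspection of a TCP packet stream (added example).

Each packet is (src_ip, src_port, dst_ip, dst_port, flags), with flags a set
of TCP flag names. The filter tracks the three-way handshake per connection
and counts half-open connections per source so a SYN flood is reported.
"""
from collections import Counter

HALF_OPEN_LIMIT = 20  # assumed alert threshold per source address


class StatefulFilter:
    def __init__(self, half_open_limit=HALF_OPEN_LIMIT):
        # (client_ip, client_port, server_ip, server_port) -> handshake state
        self.state = {}
        self.half_open = Counter()   # per client address: SYNs not yet completed
        self.flagged = set()         # sources already reported as flooding
        self.alerts = []
        self.half_open_limit = half_open_limit

    def process(self, pkt):
        src, sport, dst, dport, flags = pkt
        forward = (src, sport, dst, dport)   # packet travels client -> server
        reverse = (dst, dport, src, sport)   # packet travels server -> client

        if flags == {"SYN"}:
            # Step 1 of the handshake: record the attempt as half-open.
            self.state[forward] = "SYN_SENT"
            self.half_open[src] += 1
            if self.half_open[src] > self.half_open_limit and src not in self.flagged:
                self.flagged.add(src)
                self.alerts.append(f"possible SYN flood from {src}")
            return "ACCEPT"

        if flags == {"SYN", "ACK"}:
            # Step 2: only valid as a reply to a SYN we have already seen.
            if self.state.get(reverse) == "SYN_SENT":
                self.state[reverse] = "SYN_RECEIVED"
                return "ACCEPT"
            return "DROP"

        if "ACK" in flags:
            # Step 3 completes the handshake; afterwards data flows both ways.
            if self.state.get(forward) == "SYN_RECEIVED":
                self.state[forward] = "ESTABLISHED"
                self.half_open[src] -= 1
                return "ACCEPT"
            if "ESTABLISHED" in (self.state.get(forward), self.state.get(reverse)):
                return "ACCEPT"
            # A stateless filter would judge this ACK on header values alone;
            # the state table shows it belongs to no known connection.
            return "DROP"

        return "DROP"


def run(trace, half_open_limit=HALF_OPEN_LIMIT):
    """Apply the filter to a packet list; return (verdicts, alerts, half_open counts)."""
    f = StatefulFilter(half_open_limit)
    verdicts = [f.process(p) for p in trace]
    return verdicts, f.alerts, dict(f.half_open)


# Constructed sample trace (not captured traffic).
SAMPLE_TRACE = [
    ("203.0.113.5", 40000, "192.0.2.10", 80, {"SYN"}),
    ("192.0.2.10", 80, "203.0.113.5", 40000, {"SYN", "ACK"}),
    ("203.0.113.5", 40000, "192.0.2.10", 80, {"ACK"}),
    ("192.0.2.10", 80, "203.0.113.5", 40000, {"ACK", "PSH"}),  # server data on the open connection
    ("198.51.100.7", 5555, "192.0.2.10", 80, {"ACK"}),         # ACK with no prior handshake
] + [("198.51.100.9", 20000 + i, "192.0.2.10", 80, {"SYN"}) for i in range(50)]  # unanswered SYNs

if __name__ == "__main__":
    verdicts, alerts, half_open = run(SAMPLE_TRACE)
    print(verdicts[:5], alerts, half_open)
```

A production filter would also expire half-open entries after a timeout and purge established entries on FIN/RST; the example keeps the table in memory only to show how the state decides each verdict.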

62 FILTER SCREENING OUTSIDE ADDRESSES Figure labels: LAN 100.50.25.x, Screening router, 100.50.25.x (the screening router rejects packets arriving from outside that carry an inside 100.50.25.x source address).
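The stateless rule evaluation of slides 53 to 56 (block one remote network, permit HTTP, block Telnet) and the address screening of slide 62, as an added example that is not part of the original slides or of Pfleeger & Pfleeger. Each rule looks only at header fields; the first matching rule wins and unmatched packets are dropped. The 100.50.25.x LAN address comes from slide 62; the two remote networks, the interface names and the rule set are constructed for the example.

```python
"""Stateless packet filter (added example).

Rules match on arrival interface, source/destination address, protocol and
destination port only; no state is kept between packets.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LAN = "100.50.25.0/24"              # protected network from slide 62
REMOTE_BLOCKED = "198.51.100.0/24"  # constructed "remote blocked network1"
REMOTE_ACCEPTED = "203.0.113.0/24"  # constructed "remote accepted network2"


@dataclass(frozen=True)
class Packet:
    iface: str      # "outside" or "inside": interface the packet arrived on
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    action: str             # "ACCEPT" or "DROP"
    iface: Optional[str]    # None matches any value
    src: Optional[str]      # CIDR network or None
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    comment: str

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


RULES = [
    # Screening outside addresses: a packet arriving from outside must not
    # claim an inside source address.
    Rule("DROP", "outside", LAN, None, None, None, "spoofed inside source"),
    Rule("DROP", None, REMOTE_BLOCKED, None, None, None, "blocked network1 (inbound)"),
    Rule("DROP", None, None, REMOTE_BLOCKED, None, None, "blocked network1 (outbound)"),
    Rule("DROP", None, None, None, "tcp", 23, "telnet not permitted"),
    Rule("ACCEPT", "outside", REMOTE_ACCEPTED, LAN, "tcp", 80, "HTTP from accepted network2"),
    Rule("ACCEPT", "inside", LAN, None, None, None, "inside hosts may initiate outbound"),
]
DEFAULT_ACTION = "DROP"


def filter_packet(p: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, else the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return DEFAULT_ACTION, "default policy"


# Constructed test packets with the expected verdict in the comment.
SAMPLE = [
    Packet("outside", "203.0.113.4", "100.50.25.10", "tcp", 80),   # ACCEPT: HTTP from network2
    Packet("outside", "203.0.113.4", "100.50.25.10", "tcp", 23),   # DROP: telnet
    Packet("outside", "198.51.100.8", "100.50.25.10", "tcp", 80),  # DROP: blocked network1
    Packet("outside", "100.50.25.99", "100.50.25.10", "tcp", 80),  # DROP: spoofed inside source
    Packet("inside", "100.50.25.10", "203.0.113.4", "tcp", 443),   # ACCEPT: outbound from LAN
    Packet("outside", "203.0.113.4", "100.50.25.10", "tcp", 443),  # DROP: no rule, default policy
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", filter_packet(p))
```

The last sample packet shows the limitation slide 54 names: the reply to the LAN host's outbound HTTPS request arrives from outside on port 443 and is dropped, because the filter has no memory of the request. A stateless administrator must either add a broad rule admitting such replies or move to stateful inspection.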

63 APPLICATION PROXY An application proxy gateway is a firewall that simulates the effects of an application so that the application receives only requests to act properly. It runs pseudo-applications. It is a two-headed device. Examples: e-mail transfer; a company’s product and price list for users; web information.

64 ACTIONS OF FIREWALL PROXIES Figure labels: LAN, Application proxy, Remote, File access, WWW access, Remote access, Logging.

65 The figure below depicts the application proxy firewall. Figure labels: Proxy, Client, Server, Logical connection, Client, Server.


68 GUARD A guard receives protocol data units, interprets them and passes them through using the same protocol. It decides what services to perform on the user’s behalf, with the user’s knowledge. Examples: limited access to e-mail; limited access to the WWW; availability of library documents; virus scanners.


72 PERSONAL FIREWALLS A personal firewall is an application program that runs on a workstation to block unwanted traffic from the network. It screens the data for a single host. Virus scanner + personal firewall => effective and efficient. Commercial personal firewalls include Norton from Symantec, McAfee, and ZoneAlarm from Zone Labs.


74 FIREWALL CONFIGURATIONS Firewall with screening router. Figure labels: LAN, Screening router, Remote network.

75 CONFIGURATIONS (CONTINUED) Firewall on a separate LAN. Figure labels: LAN, Proxy gateway, Remote network.

76 CONFIGURATIONS (CONTINUED) Firewall with both proxy and screening router. Figure labels: Screening router, Proxy firewall, LAN, Remote network.

77 WHAT FIREWALLS CAN AND CANNOT BLOCK A firewall can protect its entire perimeter. It does not protect data outside the perimeter. It must be correctly configured. Firewalls are themselves targets for penetrators.

78 INTRUSION DETECTION SYSTEM

79 BACKGROUND What is an intrusion? An intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource. Three classes of intruder: Masquerader: an illegitimate user who intrudes into the system using a legitimate user’s account. Misfeasor: a legitimate user who misuses his/her privileges, accessing resources that are not authorized. Clandestine user: an illegitimate user trying to retrieve information secretly.

80 BACKGROUND An Intrusion Detection System (IDS) must identify, preferably in real time, unauthorized use, misuse and abuse of computer systems. It is a reactive, rather than proactive, form of system defense. Classification: misuse intrusion detection vs. anomaly intrusion detection. Misuse intrusion detection detects attacks on known weak points of a system. Anomaly intrusion detection builds up a profile of the system being monitored and detects significant deviations from this profile.

81 HISTORY Conventional approach to system security: authentication, access control and authorization. In 1980, James Anderson first proposed that audit trails should be used to monitor threats. In 1987, Dorothy Denning presented an abstract model of an Intrusion Detection System. In 1988, IDES (Intrusion Detection Expert System), a host-based IDS, was developed. In 1990, the Network Security Monitor, a network-based IDS, was developed. In 1994, Mark Crosbie and Gene Spafford suggested the use of autonomous agents in order to improve the scalability, maintainability, efficiency and fault tolerance of an IDS.

82 WHY DO I NEED AN IDS IF I HAVE A FIREWALL? An IDS is a dedicated assistant used to monitor the rest of the security infrastructure. Today’s security infrastructures are becoming extremely complex: they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets, and being managed by humans they are prone to errors. The failure of one of the above components of your security infrastructure jeopardizes the systems it is supposed to protect.

83 WHY DO I NEED AN IDS IF I HAVE A FIREWALL? Not all traffic may go through a firewall. Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network). An IDS protects against misconfiguration or faults in other security mechanisms.

84 WHAT CAN AN IDS REALISTICALLY DO? It monitors and analyses user and system activities. It audits the system for configuration vulnerabilities. It assesses the integrity of critical system and data files. It recognizes patterns reflecting known attacks. It provides statistical analysis for abnormal activities. It performs data trailing, following activities from the point of entry up to the point of exit. It supports the installation of decoy servers (honeypots).

85 COMMON COMPONENTS OF AN IDS FRAMEWORK

86 TYPE OF ANALYSIS Signature based (pattern matching): similar to a virus scanner, it looks for a specific string in the network data presented to the IDS. Statistical: based on time, frequency and length of a session. For example, if a user logs on at 03:00 A.M. and has never done so in the past, it will raise a flag. Anomaly detection / behavior based. Flow based.
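The two analysis types on this slide, as an added example that is not part of the original slides or of Pfleeger & Pfleeger: signature_scan() matches fixed patterns in web request lines (the dot-dot and server-side include problems from slide 23, plus an oversized request as a crude buffer-overflow indicator), and anomalous_logins() builds a per-user profile of usual login hours and flags a login at an hour never seen for that user, which is the 03:00 A.M. case. The log lines, user names, hours and the 500-character length threshold are all constructed for the example.

```python
"""Signature-based and statistical IDS analysis over constructed events (added example)."""
import re
from collections import defaultdict

# Signature table: (name, test over one request line). Patterns are constructed.
SIGNATURES = [
    ("dot-dot path", lambda line: re.search(r"\.\./", line) is not None),
    ("server-side include", lambda line: "<!--#" in line),
    ("oversized request", lambda line: len(line) > 500),  # assumed length threshold
]

# Constructed web server log lines, not real traffic.
WEB_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '198.51.100.7 - - "GET /cgi-bin/../../private/config HTTP/1.1" 404',
    '198.51.100.7 - - "GET /page.shtml?<!--#echo var=DATE --> HTTP/1.1" 403',
    '198.51.100.7 - - "GET /' + "A" * 600 + ' HTTP/1.1" 414',
]


def signature_scan(lines):
    """Return (line_index, signature_name) for every line that matches a signature."""
    hits = []
    for i, line in enumerate(lines):
        for name, test in SIGNATURES:
            if test(line):
                hits.append((i, name))
    return hits


# Constructed login history (user, hour of day) used as the statistical baseline.
LOGIN_HISTORY = [("alice", 9), ("alice", 10), ("alice", 14), ("bob", 8), ("bob", 17)]
# Constructed new logins to evaluate against the baseline.
NEW_LOGINS = [("alice", 10), ("alice", 3), ("bob", 8), ("carol", 12)]


def build_hour_profile(history):
    """Map each user to the set of hours at which they have logged in before."""
    profile = defaultdict(set)
    for user, hour in history:
        profile[user].add(hour)
    return profile


def anomalous_logins(history, logins):
    """Flag logins whose hour was never seen for that user, or whose user has no baseline."""
    profile = build_hour_profile(history)
    flagged = []
    for user, hour in logins:
        if user not in profile:
            flagged.append((user, hour, "no baseline for user"))
        elif hour not in profile[user]:
            flagged.append((user, hour, "login hour never seen before"))
    return flagged


if __name__ == "__main__":
    print(signature_scan(WEB_LOG))
    print(anomalous_logins(LOGIN_HISTORY, NEW_LOGINS))
```

The signature scanner finds only what is in its table, which is why the slide compares it to a virus scanner; the statistical check finds a never-before-seen login hour without knowing anything about attacks, but a user with no history at all can only be reported as lacking a baseline, not judged.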

