
Session 1 Framework Security Threat Responsibility and Policy Architecture Response Flow Preparation.


1 Session 1 Framework Security Threat Responsibility and Policy Architecture Response Flow Preparation

2 Emergency Response Yan Wang 2006.09

3 Agenda
- Framework & Technology
- Security Monitoring
- Response Measure
- Case Study & Discussion

4 Security Threat
- Threat Evolution and Trends
- Threat Categories
- Attack Fundamentals

5 Evolution of Availability Threats

6 Exploit Trends

7 Three Key Threat Categories
- Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
- Access: unauthorized data manipulation, system access, or privilege escalation
- Denial of Service: disabling or corrupting networks, systems, or services

8 How do these impact ISPs?
- Reconnaissance: happens all the time. It is part of the "attack noise" of the Internet (along with low-level attacks and backscatter).
- Access: break-ins on the edge of an ISP's network (i.e. customer CPE equipment) can impact the ISP's core.
- DoS: the core threat to an ISP, knocking out customers, infrastructure, and services.

9 Reconnaissance Methods
- Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
- Public tools: sniffers, SATAN, SAINT, NMAP, custom scripts

10 Network Sniffer

11 nmap


13 Why Do We Care?


15 Access Methods

16 Access Methods (cont.)

17 Denial of Service Methods
- Resource overload: disk space, bandwidth, buffers, ... (ping floods, SYN flood, UDP bombs, ...)
- Software bugs: out-of-band data crash, ping of death, fragmentation, ...
- Toolkits: TRINOO, Tribal Flood Net and friends; distributed attacks for amplification

18 DoS

19 DoS Types
- Resource overload: disk space, bandwidth, buffers, ... (ping floods, SYN flood, UDP bombs, ...)
- Out-of-band data crash: ping of death, ...
- Routing capacity: fill up packet buffers, queues, flow tables, and processing capabilities.
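The three categories on slide 7 and the flood types above can be told apart from flow summaries alone, which is what an ISP usually has at the edge rather than full packet captures. The following is an added example, not code from the original presentation: it classifies constructed NetFlow-style records into reconnaissance (port sweep), SYN flood (the TCP attack named on later slides) and smurf amplification. The `Flow` record layout, the thresholds and the sample traffic are assumptions made for the demonstration.

```python
"""Classify constructed flow records into the three slide categories.

Added example, not code from the original presentation. The records mimic
NetFlow-style summaries an ISP sees at its edge; the thresholds and the
sample traffic are assumptions made for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for ICMP)
    flags: str      # union of TCP flags seen in the flow, e.g. "S", "SA"; "" otherwise
    packets: int


# Illustrative thresholds (assumed; tune them to the link being monitored).
SCAN_DISTINCT_PORTS = 20    # one source touching this many ports on one host
SYN_FLOOD_HALF_OPEN = 500   # SYN-only packets toward one host ...
SYN_FLOOD_RATIO = 0.9       # ... making up this share of its TCP traffic


def classify(flows, broadcast_addrs):
    """Return (category, kind, detail) findings for the three slide categories."""
    findings = []

    # Reconnaissance: a port sweep is one source contacting many distinct
    # TCP ports on one destination (what an nmap run looks like from outside).
    ports_seen = defaultdict(set)
    for f in flows:
        if f.proto == "tcp":
            ports_seen[(f.src, f.dst)].add(f.dport)
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_DISTINCT_PORTS:
            findings.append(("reconnaissance", "port_scan", f"{src} -> {dst}"))

    # Denial of service: a SYN flood is a pile of half-open attempts (SYN seen,
    # never an ACK) toward one host that dwarfs its completed handshakes.
    half_open = defaultdict(int)
    completed = defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        if "S" in f.flags and "A" not in f.flags:
            half_open[f.dst] += f.packets
        elif "A" in f.flags:
            completed[f.dst] += f.packets
    for dst, n in half_open.items():
        if n >= SYN_FLOOD_HALF_OPEN and n / (n + completed[dst]) >= SYN_FLOOD_RATIO:
            findings.append(("denial_of_service", "syn_flood", dst))

    # Denial of service: smurf aims ICMP echo at a directed-broadcast address so
    # every host on that subnet answers the spoofed source (the real victim).
    for dst in sorted({f.dst for f in flows if f.proto == "icmp" and f.dst in broadcast_addrs}):
        findings.append(("denial_of_service", "smurf", dst))

    return findings


# Constructed sample traffic (not captured data); documentation address ranges.
SAMPLE_BROADCASTS = {"192.0.2.255"}
SAMPLE_FLOWS = (
    # nmap-style sweep: one source, 40 distinct ports, one SYN each
    [Flow("10.0.0.5", "192.0.2.10", "tcp", p, "S", 1) for p in range(1, 41)]
    # SYN flood from 1000 spoofed sources that never complete the handshake
    + [Flow(f"198.51.100.{i % 250 + 1}", "192.0.2.20", "tcp", 80, "S", 1) for i in range(1000)]
    # two real clients that did complete the handshake with the same server
    + [Flow("203.0.113.7", "192.0.2.20", "tcp", 80, "SA", 20),
       Flow("203.0.113.8", "192.0.2.20", "tcp", 80, "SA", 20)]
    # an ordinary HTTPS session elsewhere
    + [Flow("203.0.113.9", "192.0.2.30", "tcp", 443, "SA", 35)]
    # smurf: echo requests at the subnet broadcast address with a spoofed source
    + [Flow("192.0.2.77", "192.0.2.255", "icmp", 0, "", 500)]
)

if __name__ == "__main__":
    for finding in classify(SAMPLE_FLOWS, SAMPLE_BROADCASTS):
        print(finding)
```

The half-open ratio matters more than the raw SYN count: a busy web server also sees thousands of SYNs, but they are followed by ACKs, so `completed` grows in step and the ratio stays low.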

20 DoS Sequence

21 DDoS

22 DDoS Step 1: Crack Handlers and Agents

23 DDoS Step 2: Install Trojan & Covert Communication Channel

24 DDoS Step 3: Launch the Attack

25 DDoS Attack Characteristics
- DDoS arrays (handlers and agents) are maintenance intensive: they take time and effort to create.
- Launching an attack from an agent can be considered a one-shot weapon: once the attack is launched, there is a risk of traceback.
- If someone traces back to the agent, they can watch and wait to see whether the perpetrator returns to the agent.

26 Attack Fundamentals

27 Address Resolution Protocol (ARP)

28 ARP Datagram

29 Internet Protocol

30 IP Header

31 Internet Control Message Protocol (ICMP)

32 User Datagram Protocol (UDP)

33 Transport Control Protocol

34 TCP Header

35 TCP Establishment and Termination

36 Packet Spoofing

37 IP Spoofing

38 TCP Blind Spoofing

39 TCP blind spoofing (Cont.)

40 ARP Based Attacks

41 Gratuitous ARP

42 Misuse of Gratuitous ARP

43 A Test in the Lab

44 A Collection of Tools to Do:

45 ARP spoof in Action

46 More on ARP Spoof
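The ARP datagram (slide 28), gratuitous ARP (slide 41) and its misuse for spoofing (slides 42 to 46) can all be shown in a few dozen lines. The following is an added example, not code from the original presentation: it packs and parses the 28-byte Ethernet/IPv4 ARP body from RFC 826, recognises gratuitous ARP (sender and target protocol address equal), and keeps an arpwatch-style IP-to-MAC table that alerts when a binding changes. The addresses and the packet sequence in `demo()` are constructed for the demonstration.

```python
"""Parse Ethernet/IPv4 ARP packets and flag spoofed or gratuitous announcements.

Added example, not code from the original presentation. Implements the
28-byte ARP body from RFC 826 and an arpwatch-style binding table; the
sample addresses and traffic are constructed.
"""
import struct
from dataclasses import dataclass

ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
ARP_REQUEST, ARP_REPLY = 1, 2
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800


@dataclass(frozen=True)
class Arp:
    oper: int
    sha: str   # sender hardware (MAC) address
    spa: str   # sender protocol (IP) address
    tha: str   # target hardware address
    tpa: str   # target protocol address


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp(payload: bytes) -> Arp:
    """Decode the ARP body that follows the Ethernet header (EtherType 0x0806)."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return Arp(oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Encode an ARP body; used here only to construct sample traffic."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))


def is_gratuitous(a: Arp) -> bool:
    # A host announcing its own address: sender IP equals target IP.
    return a.spa == a.tpa


class ArpWatch:
    """Learn IP-to-MAC bindings from sender fields and alert when one changes."""

    def __init__(self):
        self.bindings = {}   # ip -> mac

    def observe(self, a: Arp):
        alerts = []
        known = self.bindings.get(a.spa)
        if known is None:
            self.bindings[a.spa] = a.sha
        elif known != a.sha:
            kind = ("gratuitous ARP" if is_gratuitous(a)
                    else "ARP reply" if a.oper == ARP_REPLY else "ARP request")
            alerts.append(f"{a.spa} moved from {known} to {a.sha} via {kind}")
            self.bindings[a.spa] = a.sha   # keep following, so flip-flops show up too
        return alerts


# Constructed sample addresses.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.0.2.50", "00:aa:bb:cc:dd:ee"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo():
    """Legit reply, then the attacker's gratuitous claim, then the real gateway again."""
    watch = ArpWatch()
    packets = [
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REQUEST, ATTACKER_MAC, GATEWAY_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    ]
    alerts = []
    for pkt in packets:
        alerts += watch.observe(parse_arp(pkt))
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The table is keyed on the sender fields of every packet, requests included, because poisoning tools send whichever form the victim's stack accepts; the second alert (the real gateway "moving back") is the flip-flop pattern that distinguishes an attack from a legitimate NIC replacement.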

47 Selective Sniffing

48 SSL/SSH Interception


51 ICMP Based Attacks-smurf

52 Smurf's Script Kiddy Tool

53 ICMP Unreachable Teardown

54 IP Based Attacks IP Normal Fragmentation

55 IP Normal Fragmentation (Cont.)

56 IP Normal Reassembly

57 IP Reassembly Attack

58 IP Reassembly Attack (Cont.)

59 Ping of Death Attack Denial of Service
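Normal fragmentation and reassembly (slides 54 to 56), the reassembly attack (57, 58) and ping of death (59) differ only in the offset arithmetic, so one small reassembler can show all of them. The following is an added example, not code from the original presentation: it models the IPv4 fragment offset (in 8-byte units) and MF flag, rebuilds a datagram from fragments arriving in any order, and rejects overlapping fragments and any fragment that would push the datagram past 65535 bytes. The `Fragment` record, the 20-byte header assumption and the sample payloads are constructed for the demonstration.

```python
"""Reassemble IPv4 fragments while rejecting the malformed cases on the slides.

Added example, not code from the original presentation. Models the fragment
offset / MF mechanics of the IPv4 header; refuses overlapping fragments
(reassembly attack) and datagrams over 65535 bytes (ping of death).
Fragments below are constructed, not captured.
"""
from dataclasses import dataclass

IP_HEADER_LEN = 20                   # assumed minimal header (no options)
MAX_DATAGRAM = 65535                 # total length field is 16 bits
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP identification field shared by all pieces of one datagram
    offset: int      # fragment offset as carried in the header: units of 8 bytes
    more: bool       # MF (More Fragments) flag
    payload: bytes


def fragment(ident: int, payload: bytes, mtu: int = 576):
    """Split a payload the way a router does for the given MTU."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8   # non-final pieces must be multiples of 8
    if chunk <= 0:
        raise ValueError("MTU too small")
    return [Fragment(ident, start // 8, start + chunk < len(payload), payload[start:start + chunk])
            for start in range(0, len(payload), chunk)]


class Reassembler:
    def __init__(self):
        self._pending = {}   # ident -> accepted fragments

    def add(self, frag: Fragment):
        """Accept one fragment; return the complete payload once all pieces are in, else None."""
        start = frag.offset * 8
        end = start + len(frag.payload)
        if end > MAX_PAYLOAD:
            raise ValueError(f"datagram would reach {end + IP_HEADER_LEN} bytes (ping of death)")
        if frag.more and len(frag.payload) % 8:
            raise ValueError("non-final fragment is not a multiple of 8 bytes")
        held = self._pending.setdefault(frag.ident, [])
        for other in held:
            o_start = other.offset * 8
            o_end = o_start + len(other.payload)
            if start < o_end and o_start < end:
                del self._pending[frag.ident]   # discard the whole datagram, not just this piece
                raise ValueError(f"fragment {start}-{end} overlaps {o_start}-{o_end} (reassembly attack)")
        held.append(frag)
        return self._try_complete(frag.ident)

    def _try_complete(self, ident):
        held = sorted(self._pending[ident], key=lambda f: f.offset)
        expected = 0
        for f in held:
            if f.offset * 8 != expected:
                return None                  # a gap remains
            expected += len(f.payload)
        if held[-1].more:
            return None                      # final fragment not seen yet
        del self._pending[ident]
        return b"".join(f.payload for f in held)


def why_rejected(frags):
    """Feed fragments to a fresh reassembler; return the rejection reason or None."""
    r = Reassembler()
    try:
        for f in frags:
            r.add(f)
    except ValueError as e:
        return str(e)
    return None


def demo():
    """Fragment a constructed 3072-byte datagram and rebuild it from reversed arrival order."""
    payload = bytes(range(256)) * 12
    frags = fragment(0x1234, payload)
    r = Reassembler()
    out = None
    for f in reversed(frags):
        out = r.add(f)
    return out == payload, len(frags)


if __name__ == "__main__":
    print(demo())
    print(why_rejected([Fragment(1, 0, True, b"A" * 16), Fragment(1, 1, False, b"B" * 16)]))
    print(why_rejected([Fragment(2, 8189, False, b"C" * 100)]))
```

The ping-of-death check is purely arithmetic: offset 8189 puts the fragment at byte 65512, so even a 100-byte payload overruns the 16-bit total length, which is exactly the condition that crashed unpatched stacks.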


61 UDP Based Attacks Looping UDP

62 DoS - Fraggle Attack

63 TCP Based Attacks SYN Attack

64 TCP SYN Flood


66 TCP Session Hijacking

67 TCP DDOS Reflection Attacks


71 Other Attacks

72 Incident Response Team
A Computer Security Incident Response Team (CSIRT) is a team that performs, coordinates, and supports the response to security incidents that involve sites within a defined constituency.

73 ISP Security
ISPs need to:
- Protect themselves
- Help protect their customers from the Internet
- Protect the Internet from their customers
At any given time there are between 20 and 40 DoS/DDoS attacks on the Net.

74 Role of Service Providers


77 ISP Security Actions

78 Policy

79 Policy (cont.)
- Avoid extensive damage to data, systems and networks due to not taking timely action to contain an intrusion.
- Minimize the possibility of an intrusion affecting multiple systems both inside and outside an organization because staff did not know whom to notify and what actions to take.
- Avoid negative exposure in the news media that can damage an organization's public image and reputation.
- Avoid possible legal liability and prosecution for failure to exercise due care when systems are inadvertently or intentionally used to attack others.

80 Preparing to Respond
- Create an archive of original media, configuration files, and security-related patches for all router and host operating systems and application software versions
- Ensure that backup tools and procedures are working
- Create a database of contact information
- Select and install tools to use when responding to intrusions

81 Preparing to Respond (cont.)
- Develop a plan and process to configure isolated test systems and networks when required
- Keep response plans, procedures and tools up to date
- Consider performing a practice drill to test tools and procedures
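The archive of original configuration files on slide 80 is only useful during an incident if the responder can tell quickly which files still match it; the same check is what "validate the restored system" on slide 93 needs. The following is an added example, not code from the original presentation: it records a SHA-256 manifest of a configuration tree at preparation time and later reports which files changed, disappeared or appeared. The directory layout, file contents and the simulated intrusion in `demo()` are constructed for the demonstration.

```python
"""Build and verify a hash manifest of the archived configuration files.

Added example, not code from the original presentation. The manifest is
recorded when the archive is made and checked during analysis and after
restoration. Paths and file contents below are constructed.
"""
import hashlib
import json
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_manifest(root):
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare root against a stored manifest; return (changed, missing, added) path lists."""
    current = build_manifest(root)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return changed, missing, added


def demo():
    """Archive two constructed configs, then simulate what an intruder changed."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "routers", "core1.cfg"),
               "hostname core1\nline vty 0 4\n transport input ssh\n")
        _write(os.path.join(root, "hosts", "ntp.conf"), "server 192.0.2.123 iburst\n")
        # Serialised manifest: store it with the offline media archive, not on the hosts.
        archived = json.dumps(build_manifest(root), sort_keys=True)

        # Post-intrusion state: VTYs opened to telnet, NTP config deleted, a script dropped.
        _write(os.path.join(root, "routers", "core1.cfg"),
               "hostname core1\nline vty 0 4\n transport input telnet ssh\n")
        os.remove(os.path.join(root, "hosts", "ntp.conf"))
        _write(os.path.join(root, "tmp", ".cron.sh"), "#!/bin/sh\n")

        return verify_manifest(root, json.loads(archived))


if __name__ == "__main__":
    changed, missing, added = demo()
    print("changed:", changed)
    print("missing:", missing)
    print("added:  ", added)
```

Keep the manifest with the offline archive rather than on the systems it describes; an intruder who can edit the configuration can also edit a manifest stored next to it.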

82 CERT Infrastructure
- Information platform (website), telephone, mail
- Event processing system
- Traffic monitoring system
- Intrusion detection system

83 Security System Architecture (diagram; only the component labels survive)
- Infrastructure: identity authentication, clock synchronization
- Security monitoring system: traffic collection, traffic analysis and accounting
- Emergency response service system, information issue (publication) system, event cooperation
- Vulnerability ("leak") scanning, distributed IDS, IP information

84 CCERT Framework (organization chart; labels as extracted): CERNET Committee of Experts, Center CCERT, Regional CCERT, Interprovincial CCERT, Campus CCERT, CCERT Expert Team, CCERT R&D, Secretariat

85 CCERT Framework (diagram; functions as extracted): Committee of Experts; R&D, Liaison, Training, Analysis, Monitoring, Service

86 Response Flow: ① Preparation → ② Detection → ③ Analysis → ④ Decision → ⑤ Control → ⑥ Announcement → ⑦ Statistics

87 Response Flow (diagram; labels as extracted)
- Participants: helpdesk, investigation, NOC, traffic analysis and monitoring, signature-based IDS, CERNET management, CNCERT/CC, other IRTs, users, administrators
- Inputs: tools, patches, attack signatures, incident database, whois information, advisories
- Events are classified as common events or important events

88 What Do ISPs Need to Do?

89 Components of Response
- Analyze the event
- Contain the incident
- Eliminate intruder access
- Restore operations
- Update procedures based on lessons learned

90 Analyze Event
- What systems were used to gain access?
- What systems were accessed by the intruder?
- What information assets were available to those systems?
- What did the intruder do after obtaining access?
- What is the intruder currently doing?

91 Contain the Intrusion
- Gain control of the systems involved
- Attempt to deny the intruder access to prevent further damage
- Monitor systems and networks for subsequent intruder access attempts

92 Eliminate Intruder Access
- Change all passwords on all systems accessed
- Restore system and application software and data, as needed
- What other systems might be vulnerable?

93 Restore Operations
- Validate the restored system
- Monitor systems and networks
- Notify users and management that systems are again operational

94 Other
- Build the communication channels to your peers and customers
- Build the communication channels to your vendors

95 Preparation
- Securing the Router and the Management Plane
- Securing the Network and Data Plane
- Securing the Routing Protocol and Control Plane
- Anycast as a Security Tool
- Using IP Routing as a Security Tool

96 Terminology

97 Securing the Router and the Management Plane

98 Routers do get Directly Attacked


100 Router Security

101 Global Services You Turn OFF


103 Interface Services You Turn Off


105 Cisco Discovery Protocol


108 Use Enable Secret

109 Securing Access to the Router

110 RISK Assessment

111 Lock Down the VTY and Console Ports

112 VTY and Console Port Timeouts

113 VTY Security


115 Encrypt the Traffic from Staff to Device

116 SSH Support in ISP Code

117 Cisco IOS SSH Configuration

118 SSH Server Implementation

119 SSH Server Configuration Prerequisites

120 SSH Server Configuration

121 SSH Server Configuration (cont.)

122 SSH Server Configuration Summary
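Slides 100 to 122 name the management-plane items one by one (services to turn off, CDP, enable secret, VTY and console lockdown, timeouts, SSH prerequisites and configuration). A router's running configuration is plain text, so those items can be checked mechanically before a change window or during an incident. The following is an added example, not code from the original presentation: it parses the top-level commands and `line` blocks of a Cisco IOS configuration and reports which of the slide's hardening items are missing, showing a weak configuration beside a hardened one. Both configurations are constructed (the hash and ACL values are placeholders), and the rule set is an assumption to be extended for a real baseline; note that CDP is on by default, so its check looks for an explicit `no cdp run`.

```python
"""Audit a Cisco IOS running-config for the management-plane items on these slides.

Added example, not code from the original presentation. The two configs are
constructed (hashes and ACLs are placeholders) and the rule set is an
assumption to extend for your own baseline.
"""
import re


def parse_ios(text):
    """Split a config into top-level commands and the indented body of each 'line ...' block."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):              # IOS indents sub-mode commands by one space
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            blocks.setdefault(current, [])
        else:
            top.append(cmd)
    return top, blocks


def audit(text):
    """Return hardening findings; an empty list means every check passed."""
    top, blocks = parse_ios(text)
    has = lambda pat: any(re.match(pat, cmd) for cmd in top)
    findings = []
    if not has(r"enable secret "):
        findings.append("no 'enable secret' (hashed); 'enable password' is reversible or clear text")
    if has(r"enable password "):
        findings.append("'enable password' present; remove it once 'enable secret' is set")
    if not has(r"service password-encryption$"):
        findings.append("'service password-encryption' missing; line passwords stored in clear")
    if has(r"ip http server$"):
        findings.append("HTTP server enabled; 'no ip http server' unless it is really needed")
    if not has(r"no cdp run$"):
        findings.append("CDP is on by default; add 'no cdp run' (or 'no cdp enable' per interface)")
    if has(r"service (tcp|udp)-small-servers$"):
        findings.append("echo/chargen/discard small servers enabled")
    if not has(r"ip domain-name "):
        findings.append("'ip domain-name' missing; the RSA host key for SSH cannot be generated")
    if not has(r"ip ssh version 2$"):
        findings.append("'ip ssh version 2' missing; SSHv1 may be negotiated")
    for name, body in blocks.items():
        if name.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if not transport or transport[-1] != "transport input ssh":
                findings.append(f"{name}: transport input not restricted to ssh")
            if not any(b.startswith("access-class ") for b in body):
                findings.append(f"{name}: no access-class; any source may reach the VTYs")
        if name.startswith(("line vty", "line con")):
            timeouts = [b.split()[1:] for b in body if b.startswith("exec-timeout")]
            if not timeouts or all(int(x) == 0 for x in timeouts[-1]):
                findings.append(f"{name}: exec-timeout absent or '0 0' (idle sessions never expire)")
    return findings


# Constructed configs; not taken from a real router.
WEAK = """\
hostname edge1
enable password cisco123
service tcp-small-servers
ip http server
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED = """\
hostname edge1
ip domain-name example.net
service password-encryption
enable secret 5 $1$placeholder$hashvalue
username noc secret 5 $1$placeholder$hashvalue
no ip http server
no cdp run
ip ssh version 2
ip ssh authentication-retries 3
access-list 10 permit 192.0.2.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for cfg_name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(cfg_name, audit(cfg) or ["ok"])
```

The parser only understands `line` sub-modes, which is all these checks need; extending it to `interface` blocks would let the same script verify per-interface `no cdp enable` and the interface services slide 103 lists.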

123 SSH Client Access

124 SSH Terminal-Line Access

125 Secure Copy (SCP)


127 Staff AAA to get into the Device

128 What is ISP AAA and ISP AA?

129 Separate Security Domains!

