cet 4663 computer and network security ch01
DESCRIPTION
CET 4663 Computer and Network Security ch01TRANSCRIPT
Guide to Network Defense and CountermeasuresSecond Edition
Chapter 1Network Defense Fundamentals
Guide to Network Defense and Countermeasures, Second Edition 2
Objectives
• Explain the fundamentals of TCP/IP networking
• Describe the threats to network security
• Explain the goals of network security
• Describe a layered approach to network defense
• Explain how network security defenses affect your organization
Guide to Network Defense and Countermeasures, Second Edition 3
TCP/IP Networking Review
• Transmission Control Protocol/Internet Protocol (TCP/IP)
• Suite of many protocols• Allows information to be transmitted from point to
point on a network
Guide to Network Defense and Countermeasures, Second Edition 4
The Open Systems Interconnect (OSI) Model
Guide to Network Defense and Countermeasures, Second Edition 5
IP Addressing
• Attackers can gain access to networks by determining IP addresses of computers
• IP address components– Network address– Host address– Subnet mask
• Try to hide IP addresses to prevent certain attacks
• Network Address Translation (NAT)– Translate IP addresses into other IP addresses– Used to hide real IP addresses
• Proxy servers are also used to hide IP addresses
Guide to Network Defense and Countermeasures, Second Edition 6
Guide to Network Defense and Countermeasures, Second Edition 7
Guide to Network Defense and Countermeasures, Second Edition 8
Exploring IP Packet Structure
• IP datagrams– Discrete chunk of information– TCP/IP messages are transmitted using multiple
datagrams– Contain information about source and destination IP
addresses and control settings– Divided into different sections
• IP header structure– Part of an IP packet that computers used to
communicate
– IP header plays an important role in terms of network security and intrusion detection
Guide to Network Defense and Countermeasures, Second Edition 9
Guide to Network Defense and Countermeasures, Second Edition 10
Guide to Network Defense and Countermeasures, Second Edition 11
Exploring IP Packet Structure (continued)
• IP data– Firewalls, VPNs and proxy servers are used to
protect data in a packet• IP fragmentation
– Allows large packets to pass through routers– Routers divide packets into multiple fragments and
send them along the network– Fragmentation creates security problems
• Port numbers appear only in fragment 0
• Fragments 1 and higher pass through filters without being scrutinized
Guide to Network Defense and Countermeasures, Second Edition 12
ICMP Messages
• Internet Control Message Protocol (ICMP)
• Assists TCP/IP networks with troubleshooting communication problems
• Can tell if another host is alive
• Firewalls and packet filters should be used to filter ICMP messages
Guide to Network Defense and Countermeasures, Second Edition 13
Guide to Network Defense and Countermeasures, Second Edition 14
TCP Headers
• Provide hosts with additional flags
• Flags are important from a security standpoint– Used to create packet-filtering rules
• Flags– URG (urgent)– ACK (acknowledge)– PSH (push function)– RST (reset the connection)– SYN (synchronize sequence numbers)– FIN (finished)
Guide to Network Defense and Countermeasures, Second Edition 15
Guide to Network Defense and Countermeasures, Second Edition 16
UDP Headers
• UDP provides a datagram transport service for IP
• UDP is considered unreliable– Because it is connectionless
• UDP is used for broadcasting messages
• Attackers scan for open UDP services to exploit
• UDP packets have their own headers
Guide to Network Defense and Countermeasures, Second Edition 17
Guide to Network Defense and Countermeasures, Second Edition 18
Domain Name Service (DNS)
• DNS servers translate fully qualified domain names to IP addresses
• DNS can be used to block unwanted communications– Administrators can block Web sites containing offensive
content
• DNS attacks– Buffer overflow– Zone transfer– Cache poisoning
Guide to Network Defense and Countermeasures, Second Edition 19
Encryption
• Concealing information to render it unreadable– Except to the intended recipients
• Firewalls often encrypt data leaving the network and decrypt incoming packets
• Encryption often makes use of digital certificates• Digital certificate
– Electronic document containing encryption keys and a digital signature
• Public Key Infrastructure– Makes possible distribution of certificates
Guide to Network Defense and Countermeasures, Second Edition 20
Overview of Threats to Network Security
• Security problems– Network intrusions– Loss of data– Loss of privacy
• First step in defeating the enemy is to know your enemy
Guide to Network Defense and Countermeasures, Second Edition 21
Types of Attackers
• Knowing the types of attackers helps you anticipate
• Motivation to break into systems– Status– Revenge– Financial gain– Industrial espionage
Guide to Network Defense and Countermeasures, Second Edition 22
Types of Attackers (continued)
• Crackers– Attempt to gain access to unauthorized resources
• Circumventing passwords, firewalls, or other protective measures
• Disgruntled employees– Access customer information, financial files, job
records, or other sensitive information from inside an organization
– When an employee is terminated, security measures should be taken immediately
Guide to Network Defense and Countermeasures, Second Edition 23
Types of Attackers (continued)
• Criminal and Industrial Spies– Steal and sell a company’s confidential information
to its competitors
• Script Kiddies and Packet Monkeys– Script kiddies
• Young, immature computer programmers
• Spread viruses and other malicious scripts
– Use techniques to exploit known weakness
– Packet monkeys• Block Web site activities using DDoS attacks
Guide to Network Defense and Countermeasures, Second Edition 24
Types of Attackers (continued)
• Terrorists– Attack computer systems for several reasons
• Making a political statement
• Achieving a political goal
• Causing damage to critical systems
• Disrupting a target’s financial stability
Guide to Network Defense and Countermeasures, Second Edition 25
Malicious Code
• Malware– Malicious code
• Use system’s well known vulnerabilities to spread• Virus
– Code that copies itself surreptitiously– Can be benign or harmful– Spread methods
• Running executable code• Sharing disks or memory sticks• Opening e-mail attachments
Guide to Network Defense and Countermeasures, Second Edition 26
Malicious Code (continued)
• Worm– Creates files that copy themselves and consume
disk space– Does not require user intervention to be launched– Some worms install back doors
• A way of gaining unauthorized access to computer or other resources
– Others can destroy data on hard disks• Trojan program
– Harmful computer program that appears to be something useful
– Can create a back door
Guide to Network Defense and Countermeasures, Second Edition 27
Malicious Code (continued)
• Macro viruses– Macro is a type of script that automates repetitive
tasks in Microsoft Word or similar applications– Macros run a series of actions automatically– Macro viruses run actions that tend to be harmful
Guide to Network Defense and Countermeasures, Second Edition 28
Other Threats to Network Security
• It is not possible to prepare for every possible risk to your systems
• Try to protect your environment for today’s threat• Be prepared for tomorrow’s threats
Guide to Network Defense and Countermeasures, Second Edition 29
Social Engineering: The People Factor
• Social engineers try to gain access to resources through people– Employees do not always observe accepted security
practices– Employees are fooled by attackers into giving out
passwords or other access codes
Guide to Network Defense and Countermeasures, Second Edition 30
Common Attacks and Defenses
Guide to Network Defense and Countermeasures, Second Edition 31
Common Attacks and Defenses (continued)
Guide to Network Defense and Countermeasures, Second Edition 32
Common Attacks and Defenses (continued)
Guide to Network Defense and Countermeasures, Second Edition 33
Internet Security Concerns
• Socket– Port number combined with a computer’s IP address
• Attacker software looks for open sockets– Open sockets are an invitation to be attacked– Sometimes sockets have exploitable vulnerabilities
• E-mail and Communications– Home users regularly surf the Web, use e-mail and
instant messaging programs– Personal firewalls keep viruses and Trojan programs
from entering a system
Guide to Network Defense and Countermeasures, Second Edition 34
Internet Security Concerns (continued)
• Scripts– Executable code attached to e-mail messages or
downloaded files that infiltrates a system– Difficult for firewalls and IDSs to block all scripts
• Always-on Connectivity– Computers using always-on connections are easier to
locate and attack– Remote users pose security problems to network
administrators– Always-on connections effectively extend the
boundaries of your corporate network
Guide to Network Defense and Countermeasures, Second Edition 35
Goals of Network Security
• Goals include– Confidentiality– Integrity– Availability
Guide to Network Defense and Countermeasures, Second Edition 36
Providing Secure Connectivity
• In the past, network security emphasized blocking attackers from accessing the corporate network– Now secure connectivity with trusted users and
networks is the priority
• Activities that require secure connectivity– Placing orders for merchandise online– Paying bills– Accessing account information– Looking up personnel records– Creating authentication information
Guide to Network Defense and Countermeasures, Second Edition 37
Secure Remote Access
• One of the biggest security challenges• VPN
– Ideal and cost-effective solution– Uses a combination of encryption and authentication
mechanisms
Guide to Network Defense and Countermeasures, Second Edition 38
Guide to Network Defense and Countermeasures, Second Edition 39
Ensuring Privacy
• Databases with personal or financial information need to be protected– Legislation exists that protects private information
• Education is an effective way to maintain the privacy of information– All employees must be educated about security
dangers and security policies– Employees are most likely to detect security breaches
• And to cause one accidentally– Employees can monitor activities of their co-workers
Guide to Network Defense and Countermeasures, Second Edition 40
Providing Nonrepudiation
• Nonrepudiation is important when organizations do business across a network– Rather than face-to-face
• Encryption provides integrity, confidentiality, and authenticity of digital information– Encryption can also provide nonrepudiation
• Nonrepudiation– Capability to prevent one participant from denying that
it performed an action
Guide to Network Defense and Countermeasures, Second Edition 41
Confidentiality, Integrity, and Availability: The CIA Triad
• Confidentiality– Prevents intentional or unintentional disclosure of
communications between sender and recipient• Integrity
– Ensures the accuracy and consistency of information during all processing
• Availability– Makes sure those who are authorized to access
resources can do so in a reliable and timely manner
Guide to Network Defense and Countermeasures, Second Edition 42
Guide to Network Defense and Countermeasures, Second Edition 43
Using Network Defense Technologies in Layers
• No single security measure can ensure complete network protection
• Assemble a group of methods– That work in a coordinated fashion
• Defense in depth (DiD)– Layering approach to network security
Guide to Network Defense and Countermeasures, Second Edition 44
Physical Security
• Refers to measures taken to physically protect a computer or other network device
• Physical security measures– Computer locks– Lock protected rooms for critical servers– Burglar alarms– Uninterruptible power supply (UPS)
Guide to Network Defense and Countermeasures, Second Edition 45
Authentication and Password Security
• Password security– Simple strategy– Select good passwords, keep them secure, and change
them as needed– Use different passwords for different applications
• Authentication methods– Something user knows– Something user has– Something user is
• In large organizations, authentication is handled by centralized servers
Guide to Network Defense and Countermeasures, Second Edition 46
Operating System Security
• Protect operating systems by installing– Patches– Hot fixes– Service packs
• OSs must be timely updated to protect from security flaws
• Stop any unneeded services• Disable Guest accounts
Guide to Network Defense and Countermeasures, Second Edition 47
Antivirus Protection
• Virus scanning– Examines files or e-mail messages for indications that
viruses are present
• Viruses have suspicious file extensions
• Antivirus software uses virus signatures to detect viruses in your systems– You should constantly update virus signatures
• Firewalls and IDSs are not enough
• You should install antivirus software in hosts and all network computers
Guide to Network Defense and Countermeasures, Second Edition 48
Packet Filtering
• Block or allow transmission of packets based on– Port number– IP addresses– Protocol information
• Some types of packet filters– Routers
• Most common packet filters– Operating systems
• Built-in packet filtering utilities that come with some OSs– Software firewalls
• Enterprise-level programs
Guide to Network Defense and Countermeasures, Second Edition 49
Firewalls
• Firewalls control organizations overall security policies
• Permissive versus restrictive policies– Permissive
• Allows all traffic through the gateway and then blocks services on case-by-case basis
– Restrictive• Denies all traffic by default and then allows services on
case-by-case basis
Guide to Network Defense and Countermeasures, Second Edition 50
Guide to Network Defense and Countermeasures, Second Edition 51
Demilitarized Zone (DMZ)
• Network that sits outside the internal network– DMZ is connected to the firewall
• Makes services publicly available– While protecting the internal LAN
• It might also contain a DNS server
• DMZ is sometimes called a “service network” or “perimeter network”
Guide to Network Defense and Countermeasures, Second Edition 52
Intrusion Detection System (IDS)
• Recognizes the signs of a possible attack– And notifies the administrator
• Signs of possible attacks are called signatures– Combinations of IP address, port number, and
frequency of access attempts
• IDS provides an additional layer of protection
Guide to Network Defense and Countermeasures, Second Edition 53
Virtual Private Networks (VPNs)
• Provide a low-cost and secure connection that uses the public Internet
• Alternative to expensive leased lines– Provides point-to-point communication
Guide to Network Defense and Countermeasures, Second Edition 54
Network Auditing and Log Files
• Auditing– Recording which computers are accessing a network
and what resources are being accessed– Information is recorded in a log file
• Reviewing and maintaining log files helps you detect suspicious patterns of activity
• You can set up blocking rules based on logged information from previous attack attempts
Guide to Network Defense and Countermeasures, Second Edition 55
Network Auditing and Log Files (continued)
• Log file analysis– Tedious and time consuming task– Record and analyze rejected connection requests– Sort logs by time of day and per hour– Check logs during peak traffic time
• Configuring log files to record– System events– Security events– Traffic– Packets
Guide to Network Defense and Countermeasures, Second Edition 56
Guide to Network Defense and Countermeasures, Second Edition 57
Guide to Network Defense and Countermeasures, Second Edition 58
Routing and Access Control Methods
• Border routers are critical to the movement of all network traffic– Can be equipped with their own firewall software
• Attackers exploit open points of entry, such as– Vulnerable services– E-mail gateways– Porous borders
• Methods of access control– Mandatory Access Control (MAC)– Discretionary Access Control (DAC)– Role Based Access Control (RBAC)
Guide to Network Defense and Countermeasures, Second Edition 59
The Impact of Defense
• Cost of securing systems might seem high• Cost of a security breach can be much higher• Support from upper management
– Key factor in securing systems• Securing systems will require
– Time– Money– Understanding and cooperation from fellow employees– Support from upper management
Guide to Network Defense and Countermeasures, Second Edition 60
Summary
• Knowledge of TCP/IP networking is important when securing a network
• IP and TCP (or UDP) header section contain setting that can be exploited
• Domain Name Service (DNS)– General-purpose service that translates fully qualified
domain names into IP addresses
• Encryption can be used to protect data
• Network intruders are motivated by a variety of reasons
Guide to Network Defense and Countermeasures, Second Edition 61
Summary (continued)
• E-mail is one of the most important services to secure– Malicious scripts can be delivered via e-mail
• Goals of network security– Confidentiality– Integrity– Availability
• Defense in depth (DiD)– Layering approach to security
• Auditing helps identify possible attacks and prevent from other attacks
Guide to Network Defense and Countermeasures, Second Edition 62
Summary (continued)
• Routers at the border of a network are critical to the movement of all traffic– Legitimate and harmful
• Access control methods– Mandatory Access Control (MAC)– Discretionary Access Control (DAC)– Role Based Access Control (RBAC)
• Defense affects the entire organization– You should always look for support from upper
management