Guide to TCP/IP Fourth Edition Chapter 12: Securing TCP/IP Environments

Upload: myra-mason

Post on 20-Jan-2016


Page 1: Guide to TCP/IP Fourth Edition Chapter 12: Securing TCP/IP Environments

Guide to TCP/IP Fourth Edition

Chapter 12: Securing TCP/IP Environments

Page 2: Guide to TCP/IP Fourth Edition Chapter 12: Securing TCP/IP Environments

2

Objectives

• Explain basic concepts and principles for maintaining computer and network security

• Explain the anatomy of an IP attack

• Recognize common points of attacks inherent in TCP/IP architecture

• Maintain IP security

• Discuss the importance of honeypots and honeynets for network security

© 2013 Course Technology/Cengage Learning. All Rights Reserved.

Understanding Network Security Basics

• Hacker
  – Someone who uses computer and communications knowledge to exploit information or the functionality of a device

• Cracker
  – Person who attempts to break into a system for malicious purposes

• Protecting a system or network means
  – Closing the door against outside attack
  – Protecting your systems, data, and applications from any sources of damage or harm

Understanding Network Security Basics (cont’d.)

• Physical security
  – Synonymous with “controlling physical access”
  – Should be carefully monitored

• Personnel security
  – Important to formulate a security policy for your organization

• System and network security includes
  – Analyzing the current software environment
  – Identifying and eliminating potential points of exposure

Principles of IP Security

• Key principles
  – Avoid unnecessary exposure
  – Block all unused ports
  – Prevent internal address “spoofing”
  – Filter out unwanted addresses
  – Exclude access by default, include access by exception
  – Restrict outside access to “compromisable” hosts
  – Protect all clients and servers from obvious attack
  – Do unto yourself before others do unto you
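The principles on this slide map directly onto an ingress filter at the network border. The Python below is an added example written for this page, not code from the textbook: it applies a default-deny policy to packets arriving on the outside interface, drops packets whose source address claims to be internal (anti-spoofing), and admits traffic only to a short list of deliberately exposed hosts and the ports advertised on them. The address ranges, interface names, DMZ hosts and port lists are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the textbook). All networks, hosts and ports below are
# assumed values chosen for illustration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Sources that must never appear on the outside interface: our own internal
# ranges plus loopback, link-local and the unspecified block.
BOGON_NETS = INTERNAL_NETS + [ipaddress.ip_network("127.0.0.0/8"),
                              ipaddress.ip_network("169.254.0.0/16"),
                              ipaddress.ip_network("0.0.0.0/8")]

# The only hosts reachable from outside, and the only services open on each.
EXPOSED_SERVICES = {
    ipaddress.ip_address("203.0.113.10"): {("tcp", 80), ("tcp", 443)},  # DMZ web server
    ipaddress.ip_address("203.0.113.25"): {("tcp", 25)},                # DMZ mail relay
}


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int = 0


def ingress_decision(pkt):
    """Return (verdict, reason) for one packet. Nothing is accepted unless a rule
    explicitly permits it: exclude by default, include by exception."""
    if pkt.iface != "outside":
        return ("skip", "ingress rules apply to the outside interface only")
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Anti-spoofing: an outside packet can never legitimately carry an internal source.
    if any(src in net for net in BOGON_NETS):
        return ("drop", f"spoofed or bogon source {src}")
    # Only deliberately exposed hosts are reachable; everything else stays closed.
    services = EXPOSED_SERVICES.get(dst)
    if services is None:
        return ("drop", f"{dst} is not an exposed host")
    # Block every port that is not an advertised service on that host.
    if (pkt.proto, pkt.dport) not in services:
        return ("drop", f"{pkt.proto}/{pkt.dport} is not open on {dst}")
    return ("accept", f"{pkt.proto}/{pkt.dport} to exposed host {dst}")


def filter_packets(packets):
    """Apply the policy to a batch and return (packet, verdict, reason) triples."""
    return [(p, *ingress_decision(p)) for p in packets]


if __name__ == "__main__":
    sample = [  # constructed traffic
        Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 443),
        Packet("outside", "10.1.2.3", "203.0.113.10", "tcp", 443),     # internal source seen outside
        Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 23),  # unused port
        Packet("outside", "198.51.100.7", "10.0.0.5", "tcp", 445),     # not an exposed host
    ]
    for p, verdict, reason in filter_packets(sample):
        print(f"{verdict:6} {p.src} -> {p.dst} {p.proto}/{p.dport}: {reason}")
```

The order of the checks matters: the spoofing test runs before any host or port lookup, so a packet with an internal source is dropped regardless of where it is going, and the port test is a membership test against a small allow-set rather than a list of ports to block, which is what "exclude by default" means in practice.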

Typical TCP/IP Attacks, Exploits, and Break-Ins

• Basic fundamental protocols
  – Offer no built-in security controls

• Successful attacks against TCP/IP networks and services rely on two powerful weapons
  – Profiling or footprinting tools
  – A working knowledge of known weaknesses or implementation problems

Key Terminology

• An attack
  – Some kind of attempt to obtain access to information

• An exploit
  – Documents a vulnerability

• A break-in
  – Successful attempt to compromise a system’s security

Key Weaknesses in TCP/IP

• Ways in which TCP/IP can be attacked
  – Bad guys can:
    • Attempt to impersonate valid users
    • Attempt to take over existing communications sessions
    • Attempt to snoop inside packets moving across the Internet
    • Utilize a technique known as IP spoofing
    • Perform a denial of service, or DoS, attack

Flexibility versus Security

• Designers of TCP/IP and most other protocols
  – Try to make their protocols as flexible as possible

• Interaction between these protocols and IP
  – Compromised most often

• Question to answer
  – Is the security of your data worth the effort to prevent the attack?
  – In most cases, that answer is “Yes!”

Common Types of IP-Related Attacks

• DoS attacks

• Man-in-the-middle (MITM) attacks

• IP service attacks

• IP service implementation vulnerabilities

• Insecure IP protocols and services

Which IP Services Are Most Vulnerable?

• Remote logon service
  – Includes Telnet remote terminal emulation service, as well as the Berkeley remote utilities

• Remote control programs
  – Can pose security threats

• Services that permit anonymous access
  – Make anonymous Web and FTP conspicuous targets

Holes, Back Doors, and Other Illicit Points of Entry

• Hole
  – Weak spot or known place of attack on any common operating system, application, or service

• Back door
  – Undocumented and illicit point of entry into an operating system or application

• Vulnerability
  – Weakness that can be accidentally triggered or intentionally exploited

Phases of IP Attacks

• IP attacks typically follow a set pattern
  – Reconnaissance or discovery process
  – Attacker focuses on the attack itself
  – Stealthy attacker may cover its tracks by deleting log files, or terminating any active direct connections

Reconnaissance and Discovery Phases

• PING sweep
  – Can identify active hosts on an IP network

• Port probe
  – Detect UDP- and TCP-based services running on a host

• Purpose of reconnaissance
  – To find out what you have and what is vulnerable
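Seen from the defender's side, both reconnaissance techniques on this slide leave a recognizable footprint in firewall logs: one source sending ICMP echo requests to many hosts (a PING sweep), or one source touching many ports on a single host (a port probe), inside a short time window. The Python below is an added example written for this page, not code from the textbook; the log line format, the thresholds and every address in the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not from the textbook). Log format, thresholds and addresses are
# constructed for illustration. Lines are "timestamp ACTION key=value ...".
SAMPLE_LOG = """\
2016-01-20T10:00:01 DENY src=198.51.100.7 dst=10.0.0.1 proto=icmp type=8
2016-01-20T10:00:01 DENY src=198.51.100.7 dst=10.0.0.2 proto=icmp type=8
2016-01-20T10:00:02 DENY src=198.51.100.7 dst=10.0.0.3 proto=icmp type=8
2016-01-20T10:00:02 DENY src=198.51.100.7 dst=10.0.0.4 proto=icmp type=8
2016-01-20T10:00:03 DENY src=198.51.100.7 dst=10.0.0.5 proto=icmp type=8
2016-01-20T10:00:03 DENY src=198.51.100.7 dst=10.0.0.6 proto=icmp type=8
2016-01-20T10:00:04 DENY src=198.51.100.7 dst=10.0.0.7 proto=icmp type=8
2016-01-20T10:00:04 DENY src=198.51.100.7 dst=10.0.0.8 proto=icmp type=8
2016-01-20T10:00:30 ALLOW src=10.0.0.9 dst=10.0.0.1 proto=icmp type=8
2016-01-20T10:01:10 DENY src=198.51.100.7 dst=10.0.0.3 proto=tcp dport=21 flags=S
2016-01-20T10:01:10 DENY src=198.51.100.7 dst=10.0.0.3 proto=tcp dport=22 flags=S
2016-01-20T10:01:11 DENY src=198.51.100.7 dst=10.0.0.3 proto=tcp dport=23 flags=S
2016-01-20T10:01:11 DENY src=198.51.100.7 dst=10.0.0.3 proto=tcp dport=25 flags=S
2016-01-20T10:01:12 ALLOW src=198.51.100.7 dst=10.0.0.3 proto=tcp dport=80 flags=S
2016-01-20T10:01:12 DENY src=198.51.100.7 dst=10.0.0.3 proto=tcp dport=110 flags=S
2016-01-20T10:01:13 DENY src=198.51.100.7 dst=10.0.0.3 proto=udp dport=161
2016-01-20T10:01:40 ALLOW src=203.0.113.5 dst=10.0.0.3 proto=tcp dport=443 flags=S
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["action"] = m.group("action")
    return fields


def max_distinct_in_window(events, window):
    """Largest number of distinct values seen in any span of `window` seconds.
    `events` is a list of (timestamp, value) pairs."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        values = {v for t, v in events[i:] if (t - start).total_seconds() <= window}
        best = max(best, len(values))
    return best


def detect_recon(lines, window=60, sweep_hosts=5, probe_ports=6):
    """Return alerts as (kind, who, count). Allowed and denied events both count:
    a probe that reached an open port is still part of the probe."""
    echo_targets = defaultdict(list)   # src -> [(ts, dst)] for ICMP echo requests
    port_targets = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.get("proto") == "icmp" and ev.get("type") == "8":
            echo_targets[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev.get("proto") in ("tcp", "udp") and "dport" in ev:
            port_targets[(ev["src"], ev["dst"])].append((ev["ts"], int(ev["dport"])))
    alerts = []
    for src, events in echo_targets.items():
        n = max_distinct_in_window(events, window)
        if n >= sweep_hosts:
            alerts.append(("ping_sweep", src, n))
    for (src, dst), events in port_targets.items():
        n = max_distinct_in_window(events, window)
        if n >= probe_ports:
            alerts.append(("port_probe", f"{src}->{dst}", n))
    return alerts


if __name__ == "__main__":
    for kind, who, n in detect_recon(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {who} ({n} distinct targets within 60 s)")
```

The detector counts distinct targets within a sliding window rather than raw event totals, so a busy but legitimate host that repeatedly talks to one service does not trip it, while the slow, low-volume scan that spreads a few packets over a minute still does. The thresholds (5 hosts, 6 ports, 60 seconds) are starting points to tune against what the local network normally looks like.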

Attack

• The attack
  – May encompass a brute force attack process that overwhelms a victim

Cover-Up

• In an effort to escape detection
  – Many attackers delete log files that could indicate an attack occurred

• Computer forensics
  – May be necessary to identify traces from an attacker winding his or her way through a system
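Because deleting log files is the standard cover-up step, a defender wants log storage in which deletion is visible afterwards. The Python below is an added example written for this page, not code from the textbook: it keeps a hash-chained log in which every record carries the hash of the record before it, and the newest hash is copied off the host as an anchor. Editing, removing or reordering an entry breaks the chain at that point, and truncating the tail shows up as a mismatch against the anchor. The record layout and the sample entries are assumptions.

```python
import hashlib

# Added example (not from the textbook). Record layout and sample entries are assumptions.
GENESIS = "0" * 64   # the "previous hash" of the very first record


def _digest(prev_hash, entry):
    """Hash of one record, bound to the hash of the record before it."""
    return hashlib.sha256(f"{prev_hash}\n{entry}".encode("utf-8")).hexdigest()


def append_entry(chain, entry):
    """Append one log line to the in-memory chain and return the new record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "entry": entry, "prev": prev, "hash": _digest(prev, entry)}
    chain.append(record)
    return record


def verify_chain(chain, anchor=None):
    """Return (ok, message). Detects edited, removed or reordered records. Pass the
    latest hash kept on another system as `anchor` to also detect a truncated tail."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record["seq"] != i:
            return False, f"record {i}: sequence gap (a record was removed or reordered)"
        if record["prev"] != prev:
            return False, f"record {i}: previous-hash link broken"
        if record["hash"] != _digest(prev, record["entry"]):
            return False, f"record {i}: contents modified"
        prev = record["hash"]
    if anchor is not None and prev != anchor:
        return False, "chain does not end at the anchored hash (tail truncated?)"
    return True, "chain intact"


if __name__ == "__main__":
    chain = []
    for line in ["2016-01-20T10:00:01 sshd: accepted key for alice from 10.0.0.9",
                 "2016-01-20T10:03:12 sudo: alice ran /usr/sbin/tcpdump",
                 "2016-01-20T10:07:45 sshd: accepted password for root from 198.51.100.7"]:
        append_entry(chain, line)      # constructed entries
    anchor = chain[-1]["hash"]         # this value is shipped to a remote log host
    print(verify_chain(chain, anchor))
    cover_up = chain[:2]               # the last entry has been deleted
    print(verify_chain(cover_up))          # internally consistent: looks fine alone
    print(verify_chain(cover_up, anchor))  # the remote anchor exposes the deletion
```

The important design point is the anchor: a chain that lives only on the compromised host can be truncated and re-anchored by whoever has write access to it, so the value that makes deletion detectable is the one copy of the latest hash that the attacker cannot reach. Shipping whole log lines to a separate collector gives the same property, and the forensic examiner then has both copies to compare.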

Common Attacks and Entry Points in More Detail

• TCP/IP
  – By its very nature, a trusting protocol stack

• Designers, implementers, and product developers
  – Have tried to secure the protocol and plug holes or vulnerabilities whenever possible

Viruses, Worms, and Trojan Horse Programs

• Malicious code (malware)
  – Can disrupt operations or corrupt data

• Viruses, worms (mobile code), and Trojan horses
  – Three such types of malicious code

Adware and Spyware

• Adware
  – Displays all kinds of unsolicited and unwanted advertising, often of an unsavory nature

• Spyware
  – Unsolicited and unwanted software
  – Stealthily takes up unauthorized and uninvited residence on a computer

Denial of Service Attacks

• Designed to interrupt or completely disrupt operations of a network device or communications

• DoS-related attacks include:
  – SYN Flood
  – Broadcast amplification
  – Buffer overflow

Distributed Denial of Service Attacks

• DoS attacks launched from numerous devices

• DDoS attacks consist of four main elements
  – Attacker
  – Handler
  – Agent
  – Victim

Buffer Overflows/Overruns

• Exploit a weakness in many programs that expect to receive a fixed amount of input

• In some cases, extra data can be used to execute commands on the computer
  – With the same privileges as the program it overruns

Spoofing

• Borrowing identity information to hide or deflect interest in attack activities

• NetBIOS attacks
  – Attacker sends spoofed NetBIOS Name Release or NetBIOS Name Conflict messages to a victim machine

TCP Session Hijacking

• Purpose of an attack
  – To masquerade as an authorized user to gain access to a system

• Once a session is hijacked
  – The attacker can send packets to the server to execute commands, change passwords, or worse

Network Sniffing

• One method of passive network attack
  – Based on network “sniffing,” or eavesdropping, using a protocol analyzer or other sniffing software

• Network analyzers available to eavesdrop on networks include:
  – tcpdump (UNIX)
  – OmniPeek (Windows)
  – Network Monitor (Windows)
  – Wireshark

Maintaining IP Security

• Sections cover some of the elements that must be included as part of routine security maintenance

Applying Security Patches and Fixes

• Microsoft security bulletins
  – May be accessed or searched at: http://technet.microsoft.com/en-us/security/bulletin

• Essential to know about security patches and fixes and to install them

• Security Update Process
  – Evaluate the vulnerability
  – Retrieve the patch or update
  – Test the patch or update
  – Deploy the patch or update

Knowing Which Ports to Block

• Many exploits and attacks are based on common vulnerabilities

Using IP Security (IPSec)

• RFC 2401 says the goals of IPSec are to provide the following kinds of security
  – Access control
  – Connectionless integrity
  – Data origin authentication
  – Protection against replays
  – Confidentiality
  – Limited traffic flow confidentiality

Protecting the Perimeter of the Network

• Important devices and services used to protect the perimeter of networks
  – Bastion host
  – Boundary (or border) router
  – Demilitarized zone (DMZ)
  – Firewall
  – Network address translation
  – Proxy server
  – Screening host
  – Screening router

Major Firewall Elements

• Firewalls usually incorporate four major elements:
  – Screening router functions
  – Proxy service functions
  – “Stateful inspection” of packet sequences and services
  – Virtual Private Network services
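Two items from these slides, the SYN Flood listed under Denial of Service Attacks and the “stateful inspection” element listed here, are two views of the same connection table. The Python below is an added example written for this page, not code from the textbook: a minimal stateful filter that follows the TCP handshake, admits inbound segments only for connections it has already seen opened, lets outside hosts open connections only to exposed ports, and counts half-open inbound connections per inside host as the SYN flood indicator. Addresses, the exposed-port list and the alert threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Added example (not from the textbook). Addresses, exposed ports and the
# half-open threshold are assumed values chosen for illustration.


@dataclass(frozen=True)
class Seg:
    direction: str   # "out" = inside host -> Internet, "in" = Internet -> inside host
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags present, e.g. "S", "SA", "A", "F", "R"


EXPOSED_PORTS = {80, 443}   # assumed: the only services outside hosts may connect to


class StatefulFilter:
    HALF_OPEN_ALERT = 5      # half-open inbound connections per inside host before flagging

    def __init__(self):
        # key: (inside_ip, inside_port, outside_ip, outside_port) -> connection state
        self.table = {}

    @staticmethod
    def _key(seg):
        """Canonical key so both directions of one connection map to one entry."""
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def process(self, seg):
        """Return "accept" or "drop" for one segment and update the connection table."""
        key = self._key(seg)
        state = self.table.get(key)
        pure_syn = "S" in seg.flags and "A" not in seg.flags
        if state is None:
            if not pure_syn:
                return "drop"                    # no known connection: unsolicited segment
            if seg.direction == "out":
                self.table[key] = "SYN_SENT"     # inside host opening a connection
                return "accept"
            if seg.dport not in EXPOSED_PORTS:
                return "drop"                    # outside may only open exposed services
            self.table[key] = "SYN_RECEIVED"     # half-open until the client's ACK arrives
            return "accept"
        if "R" in seg.flags or "F" in seg.flags:
            del self.table[key]                  # teardown (simplified: one FIN closes)
            return "accept"
        if "S" not in seg.flags and "A" in seg.flags and state != "ESTABLISHED":
            self.table[key] = "ESTABLISHED"      # third step of the handshake completed
        return "accept"

    def half_open_by_host(self):
        """Inbound connections stuck at SYN_RECEIVED, counted per inside host."""
        return Counter(k[0] for k, s in self.table.items() if s == "SYN_RECEIVED")

    def syn_flood_suspects(self):
        """Inside hosts whose half-open count has reached the alert threshold."""
        return sorted(h for h, n in self.half_open_by_host().items() if n >= self.HALF_OPEN_ALERT)


if __name__ == "__main__":
    fw = StatefulFilter()   # constructed traffic follows
    print(fw.process(Seg("in", "198.51.100.7", 40000, "10.0.0.5", 80, "A")))   # drop: no connection
    print(fw.process(Seg("out", "10.0.0.9", 50000, "93.184.216.34", 443, "S")))  # accept
    print(fw.process(Seg("in", "93.184.216.34", 443, "10.0.0.9", 50000, "SA")))  # accept: reply
    for i in range(6):   # six SYNs to the web server, none of them completed
        fw.process(Seg("in", f"198.51.100.{10 + i}", 40000 + i, "10.0.0.5", 80, "S"))
    print(fw.half_open_by_host(), fw.syn_flood_suspects())
```

The half-open count is exactly what a SYN flood drives up: each spoofed SYN creates a SYN_RECEIVED entry that the attacker never completes, so watching that counter per inside host turns the firewall's own state table into the detector. The same table is what makes the unsolicited ACK on the first line droppable; a stateless screening router that only looks at ports would have to let it through.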

Basics of Proxy Servers

• Proxy servers
  – Can perform “reverse proxying”
    • Exposes a service inside a network to outside users, as if it resides on the proxy server itself

• Caching
  – An important proxy behavior

• Cache
  – Potentially valuable location for a system attack

Implementing Firewalls

• Link an internal network to the Internet without managing the boundary between them
  – Blatantly irresponsible to do so

Step-by-Step Firewall Planning and Implementing

• Useful steps when planning and implementing firewalls and proxy servers
  – Plan
  – Establish requirements
  – Install
  – Configure
  – Test
  – Attack
  – Tune
  – Implement
  – Monitor and maintain

Roles of IDS and IPS in IP Security

• Intrusion detection systems
  – Make it easier to automate recognizing and responding to potential attacks

• Increasingly, firewalls include hooks
  – Allow them to interact with IDSs, or include their own built-in IDS capabilities

• IPSs make access control decisions on the basis of application content

Honeypots and Honeynets

• Honeypot
  – Computer system deliberately set up to entice and trap attackers

• Honeynet
  – Broadens honeypot concept from a single system to what looks like a network of such systems

Summary

• An attack
  – An attempt to compromise the privacy and integrity of an organization’s information assets

• In its original form, TCP/IP implemented an optimistic security model

• Basic principles of IP security
  – Include avoiding unnecessary exposure by blocking all unused ports

• Necessary to protect systems and networks from malicious code
  – Such as viruses, worms, and Trojan horses

Summary (cont’d.)

• Would-be attackers
  – Usually engage in a well-understood sequence of activities, called reconnaissance and discovery

• Maintaining system and network security involves constant activity
  – Must keep up with security news and information

• Keeping operating systems secure in the face of new vulnerabilities
  – A necessary and ongoing process

• A honeypot is a computer system deliberately set up to entice and trap attackers