TRANSCRIPT
TCP/IP Networks Management and Security
Presented by:
David M. Litton, CPA, CISA, CGFM
Deputy Director, Audit and Management Services
Virginia Commonwealth University
May 7, 2001
5/7/2001  TCP/IP Networks Management and Security  2
Course Objectives:
• What is a TCP/IP Network?
• Common components of a TCP/IP network
• Network environment: TCP/IP protocol and associated devices functionality
• General network risks
• Specific risks and compensating controls for TCP/IP network devices
• Areas of a TCP/IP Infrastructure Audit
What is a TCP/IP Network?
• Envelope and post office concept
• Ethernet Frames
• Internet Protocol (IP) – connectionless datagram; it tries to deliver but has no way of knowing whether the datagram arrived
• Transmission Control Protocol (TCP)
• Alternatives to TCP: UDP and ICMP
• Ports
• Socket (combination of port number & IP address)
• Connection (pair of sockets for a session)
[Slide diagram: Telnet vs. FTP connections]
Telnet (also HTTP, SMTP, POP3...): single control and data circuit
  Host (ex. Unix/Win NT server) IP 128.172.161.139, port 23
  Client (ex. Win 98/2000) IP 128.172.2.30, high random port (ex. port #3003)
FTP: separate control and data circuits
  Host (ex. Unix/Win NT server) IP 128.172.161.139, port 21 (control) and port 20 (data)
  Client (ex. Win 98/2000) IP 128.172.22.9, high random ports (ex. port #2987 and port #2986)
OSI Model and TCP/IP Compared

OSI Reference Model        Examples                            TCP/IP Protocol Stack
(7) Application Layer      FTP, Telnet, HTTP                   (4) Application Layer
(6) Presentation Layer     FTP, Telnet, HTTP                   (4) Application Layer
(5) Session Layer          FTP, Telnet, HTTP                   (4) Application Layer
(4) Transport Layer        TCP, UDP                            (3) Transport Layer
(3) Network Layer          IP                                  (2) Internet Layer
(2) Data Link Layer        Ethernet, Frame Relay, Token Ring   (1) Network Interface Layer
    (Logical Link; Media Access Control, MAC)
(1) Physical Layer         Twisted Pair, Fiber                 (1) Network Interface Layer
Common components of a TCP/IP network
• Cat 5 UTP wiring & fiber optics – lower layer 1
• Hubs – emphasis layer 1
• Bridges – layer 1 or lower part of layer 2 (MAC)
• Switches – some layer 1 & emphasis layer 2
• Routers – emphasis layer 3 & some layer 4
• Applications/network utilities: layers 5-7; FTP, HTTP, NFS, X-Windows, Telnet…
• Protocol Stacks: part of server/workstation O/S
• Servers – physical and logical contrasted
• Specialized IP servers: DHCP, BOOTP, DNS…
Network Environment: TCP/IP Protocol and Associated Devices Functionality

[Slide diagram: LAN/WAN Protocol Example]
An Ethernet LAN (workstations, laptop, laser printer on a hub) and a token-ring LAN (workstations, laptop, laser printer on a MAU) connect through routers and firewalls to a WAN (ATM, T-1, ISDN, Frame Relay, SMDS). The diagram labels the encapsulation on each segment:
  Enet[IP[TCP[Data]]]
  TRing[IP[TCP[Data]]]
  ATM[IP[TCP[Data]]]
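The Enet[IP[TCP[Data]]] notation above and the socket/connection definitions earlier (socket = IP address plus port, connection = pair of sockets) can be made concrete by decoding a frame layer by layer. The following is an added example, not code from the presentation: it builds a constructed Ethernet/IPv4/TCP frame using the slides' Telnet addresses (client 128.172.2.30 on random high port 3003 talking to host 128.172.161.139 on port 23), verifies the IP header checksum, and derives the connection key from the socket pair. The MAC addresses are documentation values and the packet contents are made up for the example.

```python
# Added example, not from the presentation: decode an Enet[IP[TCP[Data]]] frame
# and recover the socket pair that identifies the connection. The frame is
# constructed in build_frame(); addresses and ports follow the slides' Telnet
# diagram (client 128.172.2.30 on random high port 3003 -> host
# 128.172.161.139 on port 23). The MAC addresses are documentation values.
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Returns 0 for a header
    that already carries a correct checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Wrap payload in TCP, then IP, then Ethernet: Enet[IP[TCP[Data]]]."""
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IP: version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                               socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    eth = bytes.fromhex("00005e0053ff") + bytes.fromhex("00005e005301") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Peel the layers off one at a time; refuse anything that is not a complete
    IPv4/TCP frame with a correct IP header checksum."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % ethertype)
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated IP header")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    (total_len,) = struct.unpack("!H", ip[2:4])
    if len(ip) < total_len or ip[9] != IPPROTO_TCP:
        raise ValueError("truncated datagram or not TCP")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": (socket.inet_ntoa(ip[12:16]), src_port),   # one socket
        "dst": (socket.inet_ntoa(ip[16:20]), dst_port),   # the other socket
        "flags": tcp[13],
        "data": tcp[data_off:],
    }


def connection_key(parsed: dict) -> frozenset:
    """A connection is the pair of sockets; the frozenset makes both directions
    of the same session produce the same key."""
    return frozenset([parsed["src"], parsed["dst"]])


if __name__ == "__main__":
    req = build_frame("128.172.2.30", "128.172.161.139", 3003, 23, b"login: ")
    rep = build_frame("128.172.161.139", "128.172.2.30", 23, 3003, b"Password: ")
    for f in (req, rep):
        p = parse_frame(f)
        print(p["src"], "->", p["dst"], p["data"])
    print("same connection:", connection_key(parse_frame(req)) == connection_key(parse_frame(rep)))
```

The frozenset key is what a firewall or sniffer uses to tie the request and the reply to one session even though source and destination swap places; the checksum check shows why a corrupted header is dropped before any higher layer sees it.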
General network risks
• Inconsistently applied back-up procedures for Network Equipment and Servers
• Lack of a test lab and change control procedures
• Intercepting clear text, log-on identifiers and passwords
• Staff turn-over
• Use of unauthenticated services on network hosts and pass-through routers
• Lack of spoofing prevention measures
• Use of default passwords on network equipment
• Lack of password change procedures for network equipment
• Poor O/S controls on network devices
General network risks
• Improper access to restricted systems (patient information, financial records, payroll, etc.)
• Release of sensitive information
• Prolonged outages and inconsistent availability
• Lack of documentation
• Non-compartmentalized traffic
• Trojan Horses
• Lack of expertise, training, and cross-training
• Lack of restoration plans or spare parts
• Ineffective procedures
• Masquerading as another individual
• Spying, Sabotage
• Risk from easy-to-use freeware utilities
• Stolen Passwords
Specific risks and compensating controls for TCP/IP network devices
Router Risks and Controls
Risk: Inappropriate addresses or dangerous protocols accessing hosts/servers
Control: Access Control Lists – filter through the router
Risk: Inappropriate addresses conducting router maintenance
Control: ACLs to restrict which IP addresses may reach the router
Risk: Unauthenticated or trusted services used for maintenance
Control: Turn off these services in the router configuration; use services with stronger authentication
Router Risks and Controls
Risk: Damaged router/network device configuration
Control: Create backups of the configuration file; store on the network, in hard copy, and as a “secret” backup
Risk: Failed upgrades or changes
Control: Development and maintenance controls & “back-out” plans
Risk: Not capturing network events
Control: Turn on logging, and secure the host that the logs are streamed to
Router Risks and Controls
Risk: Default passwords and clear text passwords transmitted over the network
Control: Change passwords periodically, with timeouts
Risk: No console passwords
Control: Add passwords with timeouts
Risk: Community strings = PUBLIC, PRIVATE, and they pass over the network in clear text
Control: Change community strings and use encrypted SNMP
Router Risks and Controls: Methods of Accessing Routers
• Console
• TFTP
• Telnet
• TACACS
• MOP (Maintenance Operation Protocol, by DEC, for Cisco routers)
• SNMP
• R-Shell
• R-Copy
• FTP
• HTTP
• More being added; check manufacturer documentation
Domain Name Service: Risks and Controls
Risk: Allowing zone file transfers to unauthorized clients hands out MX and HINFO records
Control: Use router filters for TCP port 53 (DNS) or control which servers receive DNS zone files
Risk: Updates require time to propagate, usually 24 hours
Control: Use strong change control procedures – management review
Risk: Providing information about internal devices one query at a time
Control: Configure external name servers to provide information only on Internet-connected machines
Risk: Whois command – whois returns the DNS server IP addresses plus sensitive information
Network Address Translation
Risk: Static translation does not hide the device from the Internet
Control: Port translation is needed to get the full security benefit
Risk: Reduced router performance; NAT can interfere with authentication schemes that verify the integrity of the entire packet
Control: Must weigh these costs when reviewing NAT
[Slide diagram: TCP/IP Environment Example]
Internet – NAT router – hub, with a DHCP server, primary DNS, secondary DNS, and inside hosts 10.xxx.xxx.001 through 10.xxx.xxx.004
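The slide's point that static translation does not hide a device while port translation does is easiest to see in a small model. The following is an added example, not code from the presentation: a toy static NAT and a toy port-address translator (PAT) with a translation table, run against constructed packets. Inside hosts use the slide's 10.x.x.x range; the public and outside addresses (203.0.113.x, 192.0.2.x, 198.51.100.x) are documentation blocks chosen for the example.

```python
# Added example, not from the presentation: a toy model of the two translation
# styles the slide contrasts. Static NAT maps each inside host 1:1 to its own
# public address, so an outside party that knows the public address still
# reaches the host; port translation shares one public address and admits an
# inbound packet only when an earlier outbound packet created a table entry.
# Addresses are constructed: inside hosts use the slide's 10.x.x.x range, public
# and outside addresses come from documentation blocks (203.0.113.0/24 etc.).
#
# A packet is (src_ip, src_port, dst_ip, dst_port); the translator rewrites
# the inside side and leaves the remote side alone.


class StaticNAT:
    """One public address per inside host, fixed in advance."""

    def __init__(self, inside_to_public):
        self.out = dict(inside_to_public)
        self.inward = {pub: ins for ins, pub in inside_to_public.items()}

    def outbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        return (self.out[src_ip], src_port, dst_ip, dst_port)

    def inbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        inside = self.inward.get(dst_ip)
        if inside is None:
            return None
        # No session state is consulted: any unsolicited packet sent to the
        # public address is forwarded, so static translation hides nothing.
        return (src_ip, src_port, inside, dst_port)


class PortNAT:
    """Many inside sockets share one public address, told apart by port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.inward = {}  # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.out = {}     # (inside_ip, inside_port, remote_ip, remote_port) -> public_port

    def outbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port, dst_ip, dst_port)
        public_port = self.out.get(key)
        if public_port is None:
            public_port = self.next_port       # allocate a fresh public port
            self.next_port += 1
            self.out[key] = public_port
            self.inward[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip:
            return None
        entry = self.inward.get((dst_port, src_ip, src_port))
        if entry is None:
            return None  # unsolicited: no inside socket was ever mapped here, drop it
        inside_ip, inside_port = entry
        return (src_ip, src_port, inside_ip, inside_port)


def unsolicited_reaches_inside(nat, public_ip, service_port, outsider=("198.51.100.9", 4444)):
    """Does a packet from an arbitrary outside host to public_ip:service_port
    get forwarded to an inside host? True for static NAT, False for PAT."""
    return nat.inbound((outsider[0], outsider[1], public_ip, service_port)) is not None


if __name__ == "__main__":
    static = StaticNAT({"10.0.0.1": "203.0.113.1", "10.0.0.2": "203.0.113.2"})
    pat = PortNAT("203.0.113.10")
    pat.outbound(("10.0.0.1", 3003, "192.0.2.80", 80))  # inside host opens a web session
    print("static NAT, outsider reaches inside telnet:", unsolicited_reaches_inside(static, "203.0.113.1", 23))
    print("port NAT,   outsider reaches inside telnet:", unsolicited_reaches_inside(pat, "203.0.113.10", 23))
```

Both translators rewrite the source address (and PAT the source port) of every outbound packet, which is exactly why the slide warns that NAT interferes with authentication schemes that check the integrity of the whole packet: the packet that arrives is not byte-for-byte the one that was signed.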
Wiring/Hubs: Risks and Controls
Risk: Inability to track wiring problems
Control: Diagrams, labeling
Risk: Sniffing equipment, theft, inappropriate access to equipment
Control: Secure wiring concentrations (closets)
Risk: No redundant paths for backbone/WAN connections
Control: Redundant layer 1 path
Risk: Power surges
Control: Surge protectors or UPSs
Risk: Heat and water damage
Control: Design of locations that house equipment
Additional Server Risks and Controls
Risk: Legitimate network access can cause security problems. Example: Sun Telnet hack, Microsoft IIS hacks
Control: Install up-to-date patches; back up OS, applications & database; password controls; file permissions; restrict privileges; logging; disable unnecessary services
Risk: Differences in server configurations
Control: Use consistent setup checklists and/or scripts for servers and user profiles
Dangerous Services to be Restricted
Service                     Protocol / Port(s)
Zone Transfers              UDP & TCP 53
Link                        TCP 87
LPD                         TCP 515
BOOTP                       UDP 67
RPC                         TCP & UDP 111
NFS                         UDP 2049
TFTP                        UDP 69
SNMP                        UDP 161, 162
X-Windows                   TCP 6000+
Finger                      UDP 79
Berkeley R-Commands         TCP 512-514
Windows Sharing             TCP 135-139, 445
Chargen, Discard, Echo      TCP/UDP 9, 19, 7
Block ICMP redirects
* Internal addresses arriving from outside the network (also to be blocked)
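The router ACL controls described earlier (filter dangerous protocols through the router, restrict which addresses may perform router maintenance) and the service list above come together in a single ordered filter. The following is an added example, not code from the presentation: a first-match packet filter in the style of a router access list, loaded with deny rules for the listed services, an anti-spoofing rule, an ICMP-redirect rule, and a management-address restriction for the router itself. The networks are assumptions for the example: 128.172.0.0/16 stands in for the inside network, 128.172.1.1 for the router, and 198.51.100.0/24 for the management subnet; the X-Windows range is taken as 6000-6063 (the slide says 6000+), and finger is denied on both TCP and UDP.

```python
# Added example, not from the presentation: a first-match packet filter in the
# style of a router access list, loaded with deny rules for the slide's list of
# dangerous services plus rules that admit router maintenance only from a
# management subnet. All addresses are constructed for the example:
# 128.172.0.0/16 stands in for the inside network, 128.172.1.1 for the router
# itself and 198.51.100.0/24 for the management subnet.
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
INSIDE = "128.172.0.0/16"
ROUTER = "128.172.1.1/32"
MGMT = "198.51.100.0/24"
ICMP_REDIRECT = 5


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0       # destination port (tcp/udp only)
    icmp_type: int = -1  # ICMP message type (icmp only)


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "tcp/udp", "icmp" or "ip" (any)
    src: str             # source network in CIDR form
    dst: str             # destination network in CIDR form
    ports: tuple = ()    # ((low, high), ...) destination port ranges; empty = any
    icmp_type: int = -1  # -1 = any type
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto == "tcp/udp":
            if p.proto not in ("tcp", "udp"):
                return False
        elif self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.ports and not any(lo <= p.dport <= hi for lo, hi in self.ports):
            return False
        if self.icmp_type != -1 and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(rules, pkt: Packet):
    """First matching rule wins; as on a router, a packet matching nothing is denied."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.note
    return "deny", "implicit deny at end of list"


def ports(*values):
    """Build a port-range tuple from ints and (low, high) pairs."""
    return tuple(v if isinstance(v, tuple) else (v, v) for v in values)


# Applied to traffic arriving on the Internet side of the router.
INBOUND_FROM_INTERNET = [
    Rule("deny", "ip", INSIDE, ANY, note="internal source address arriving from outside (spoofing)"),
    Rule("deny", "icmp", ANY, ANY, icmp_type=ICMP_REDIRECT, note="ICMP redirect"),
    Rule("permit", "ip", MGMT, ROUTER, note="router maintenance from management subnet"),
    Rule("deny", "ip", ANY, ROUTER, note="router maintenance from any other address"),
    Rule("deny", "tcp", ANY, ANY, ports(53), note="zone transfers"),
    Rule("deny", "tcp", ANY, ANY, ports(87), note="link"),
    Rule("deny", "tcp", ANY, ANY, ports(515), note="LPD"),
    Rule("deny", "udp", ANY, ANY, ports(67), note="BOOTP"),
    Rule("deny", "tcp/udp", ANY, ANY, ports(111), note="RPC"),
    Rule("deny", "udp", ANY, ANY, ports(2049), note="NFS"),
    Rule("deny", "udp", ANY, ANY, ports(69), note="TFTP"),
    Rule("deny", "udp", ANY, ANY, ports((161, 162)), note="SNMP"),
    Rule("deny", "tcp", ANY, ANY, ports((6000, 6063)), note="X-Windows (6000+, 64 displays assumed)"),
    Rule("deny", "tcp/udp", ANY, ANY, ports(79), note="finger"),
    Rule("deny", "tcp", ANY, ANY, ports((512, 514)), note="Berkeley r-commands"),
    Rule("deny", "tcp", ANY, ANY, ports((135, 139), 445), note="Windows sharing"),
    Rule("deny", "tcp/udp", ANY, ANY, ports(7, 9, 19), note="echo, discard, chargen"),
    Rule("permit", "ip", ANY, INSIDE, note="everything else to inside hosts"),
]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "128.172.1.1", 23),   # admin reaching the router
        Packet("tcp", "192.0.2.8", "128.172.1.1", 23),      # anyone else reaching the router
        Packet("udp", "192.0.2.8", "128.172.5.5", 69),      # TFTP from outside
        Packet("tcp", "128.172.9.9", "128.172.5.5", 80),    # inside address from outside
        Packet("tcp", "192.0.2.8", "128.172.5.5", 80),      # ordinary web request
    ]
    for s in samples:
        print(s.proto, s.src, "->", s.dst, s.dport, evaluate(INBOUND_FROM_INTERNET, s))
```

Rule order matters: the anti-spoofing and router-protection rules sit before the service denies so that a packet aimed at the router never falls through to the final permit, and the final permit is explicit so an auditor reviewing the list can see what is admitted rather than inferring it.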
Workstation Risks and Controls
Risk: Trojan Horses: key capture, sniffers, remote control
Control: BOClean, up-to-date virus software (for detection)
Risk: Viruses
Control: Virus software up to date
Risk: Modem line exposures
Control: Policy, inventory, standardization, dial-in servers, unique IDs & complex passwords, war-dial company numbers
Encryption
• Examine encryption practices
• Determine where the traffic is most exposed – going out on the Internet, between business partners…
• Look for controls like compartmentalization & VLANs to reduce internal exposure
• Use encrypted methods like SNMP V.2 and CHAP V.2 to communicate with network devices
• Consider testing encryption controls with a sniffer
[Slide: Sniffed PPP Connection in Clear Text]
Areas of a TCP/IP Infrastructure Audit: Why Examine Network Infrastructure
• Rarely examined
• Large investment
• Basis for most technology – the “common denominator”
• Connects to the world
• Lost revenue on e-commerce
• Susceptible to denial of service attacks
Areas of a TCP/IP Infrastructure Audit: Recommended Objectives
• Continuity (consistent reliability and availability of the system – back-up and ability to recover)
• Management and Maintenance (additions, change procedures, upgrades, and documentation)
• Security (appropriate physical and logical access to network devices and hosts)
Auditing TCP/IP Infrastructure
• Review network policies and procedures
• Review network diagrams (layer 1 & 2), design, and walk-through; list of network equipment and IP address list
• Verify diagrams with Ping and Trace Route
• Review utilization, trouble reports & helpdesk procedures
• Probe systems (Netscan tools and Portscanner)
• Interview network vendors, users, and network technicians
• Review software settings on network equipment
• Inspect computer room and network locations
• Evaluate back-up and operational procedures
Conclusion
• Identify the paths and equipment used to navigate the network
• Identify TCP/IP infrastructure areas of concern
• Break into manageable pieces
• Every network is different and the components and risks must be fully understood
• Identify risks and prioritize
• Dedicate more upfront planning
• RELAX !! It’s not that bad !
Additional Information
• Presentation located on line at URL:
http://www.vcu.edu/iaweb/iam_welc.html
• Contact information:
(804) 828-9248