Nov 20, 2013

Guide to TCP/IP, Fourth Edition

Chapter 12: Securing TCP/IP Environments

2

Objectives

- Explain basic concepts and principles for maintaining computer and network security
- Explain the anatomy of an IP attack
- Recognize common points of attack inherent in TCP/IP architecture
- Maintain IP security
- Discuss the importance of honeypots and honeynets for network security

© 2013 Course Technology/Cengage Learning. All Rights Reserved.

3

Understanding Network Security Basics

- Hacker
  - Someone who uses computer and communications knowledge to exploit information or the functionality of a device
- Cracker
  - Person who attempts to break into a system for malicious purposes
- Protecting a system or network means
  - Closing the door against outside attack
  - Protecting your systems, data, and applications from any sources of damage or harm


4

Understanding Network Security Basics (cont’d.)

- Physical security
  - Synonymous with “controlling physical access”
  - Should be carefully monitored
- Personnel security
  - Important to formulate a security policy for your organization
- System and network security includes
  - Analyzing the current software environment
  - Identifying and eliminating potential points of exposure


5

Principles of IP Security

- Key principles
  - Avoid unnecessary exposure
  - Block all unused ports
  - Prevent internal address “spoofing”
  - Filter out unwanted addresses
  - Exclude access by default, include access by exception
  - Restrict outside access to “compromisable” hosts
  - Protect all clients and servers from obvious attack
  - Do unto yourself before others do unto you

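The following Python filter is an added example written for this chapter summary (it is not code from the textbook or its publisher). It applies the principles above to a few constructed packets: an internal source address arriving on the external interface is rejected as spoofed, unwanted source addresses are filtered, and access is excluded by default with the allow rules as the only exceptions, so every unused port is blocked without needing a rule of its own. The network ranges, block list, allow rules and sample packets are all assumptions chosen for the illustration.

```python
"""Default-deny packet filter with anti-spoofing (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Address space behind the filter (assumed for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# "Filter out unwanted addresses": sources refused outright (constructed list).
BLOCKED_SOURCES = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (outside) or "int"
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for icmp


@dataclass(frozen=True)
class AllowRule:
    proto: str
    dport: int
    dst_net: str  # only hosts in this network may be reached on proto/dport


# "Exclude access by default, include access by exception": this list is the
# complete set of exceptions. Anything not matched here is dropped, so every
# unused port is blocked without its own rule. Values are assumed.
ALLOW_RULES = [
    AllowRule("tcp", 443, "192.168.10.0/24"),   # public web servers in a DMZ
    AllowRule("tcp", 25, "192.168.10.25/32"),   # one mail relay
]


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one inbound packet."""
    src = ip_address(pkt.src)
    dst = ip_address(pkt.dst)

    # "Prevent internal address spoofing": a packet claiming an internal source
    # address can never legitimately arrive on the external interface.
    if pkt.iface == "ext" and any(src in net for net in INTERNAL_NETS):
        return "DROP", "spoofed internal source on external interface"

    if any(src in net for net in BLOCKED_SOURCES):
        return "DROP", "source address on block list"

    for rule in ALLOW_RULES:
        if (pkt.proto == rule.proto and pkt.dport == rule.dport
                and dst in ip_network(rule.dst_net)):
            return "ACCEPT", f"exception {rule.proto}/{rule.dport} to {rule.dst_net}"

    return "DROP", "no matching exception (default deny)"


def run_samples() -> List[Tuple[Packet, str, str]]:
    """Apply the filter to constructed packets; returns (packet, verdict, reason)."""
    samples = [
        Packet("ext", "198.51.100.7", "192.168.10.5", "tcp", 443),   # legitimate HTTPS
        Packet("ext", "10.1.2.3", "192.168.10.5", "tcp", 443),       # spoofed internal source
        Packet("ext", "203.0.113.9", "192.168.10.5", "tcp", 443),    # blocked source
        Packet("ext", "198.51.100.7", "192.168.10.5", "tcp", 23),    # telnet: no exception
        Packet("ext", "198.51.100.7", "192.168.20.5", "tcp", 443),   # HTTPS, but not a DMZ host
    ]
    return [(p, *filter_packet(p)) for p in samples]


if __name__ == "__main__":
    for pkt, verdict, reason in run_samples():
        print(f"{verdict:6} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  ({reason})")
```

The order of the checks matters: the spoofing and block-list tests run before any exception can match, so an allow rule for a public service never lets a spoofed or blocked source through.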

6

Typical TCP/IP Attacks, Exploits, and Break-Ins

- Basic fundamental protocols
  - Offer no built-in security controls
- Successful attacks against TCP/IP networks and services rely on two powerful weapons
  - Profiling or footprinting tools
  - A working knowledge of known weaknesses or implementation problems


7

Key Terminology

- An attack
  - Some kind of attempt to obtain access to information
- An exploit
  - Documents a vulnerability
- A break-in
  - Successful attempt to compromise a system’s security


8

Key Weaknesses in TCP/IP

- Ways in which TCP/IP can be attacked
- Bad guys can:
  - Attempt to impersonate valid users
  - Attempt to take over existing communications sessions
  - Attempt to snoop inside packets moving across the Internet
  - Utilize a technique known as IP spoofing
  - Perform a denial of service, or DoS, attack


9

Flexibility versus Security

- Designers of TCP/IP and most other protocols
  - Try to make their protocols as flexible as possible
- Interaction between these protocols and IP
  - Compromised most often
- Question to answer
  - Is the security of your data worth the effort to prevent the attack?
  - In most cases, that answer is “Yes!”


10

Common Types of IP-Related Attacks

- DoS attacks
- Man-in-the-middle (MITM) attacks
- IP service attacks
- IP service implementation vulnerabilities
- Insecure IP protocols and services

11

Which IP Services Are Most Vulnerable?

- Remote logon service
  - Includes Telnet remote terminal emulation service, as well as the Berkeley remote utilities
- Remote control programs
  - Can pose security threats
- Services that permit anonymous access
  - Makes anonymous Web and FTP conspicuous targets


12

Holes, Back Doors, and Other Illicit Points of Entry

- Hole
  - Weak spot or known place of attack on any common operating system, application, or service
- Back door
  - Undocumented and illicit point of entry into an operating system or application
- Vulnerability
  - Weakness that can be accidentally triggered or intentionally exploited


13

Phases of IP Attacks

- IP attacks typically follow a set pattern
  - Reconnaissance or discovery process
  - Attack: the attacker focuses on the attack itself
  - Cover-up: a stealthy attacker may cover its tracks by deleting log files or terminating any active direct connections


14

Reconnaissance and Discovery Phases

- PING sweep
  - Can identify active hosts on an IP network
- Port probe
  - Detects UDP- and TCP-based services running on a host
- Purpose of reconnaissance
  - To find out what you have and what is vulnerable

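An added example (not from the textbook) of how a defender can recognize both reconnaissance steps in connection logs: the script builds a constructed log in a simple one-line-per-event format (an assumed format, not that of any real firewall or router), then flags a source that pings many distinct hosts (a PING sweep) or tries many distinct ports on one host (a port probe). The thresholds are assumptions and would be tuned against a real network's baseline.

```python
"""Spotting PING sweeps and port probes in connection logs (constructed example)."""
from collections import defaultdict
from typing import Dict, List

# Thresholds are assumptions for the example; tune them to your own baseline.
PING_SWEEP_MIN_HOSTS = 10   # distinct hosts pinged by one source
PORT_PROBE_MIN_PORTS = 10   # distinct ports tried on one host by one source


def build_sample_log() -> List[str]:
    """Constructed log lines: '<timestamp> <src> <dst> <proto> <dport>' ('-' for ICMP)."""
    lines = []
    # A PING sweep: one outside host pings 10.0.0.1 through 10.0.0.20 in turn.
    for i in range(1, 21):
        lines.append(f"2013-11-20T10:00:{i:02d} 198.51.100.7 10.0.0.{i} icmp -")
    # A port probe: the same host then tries 15 TCP ports on the host that answered.
    probe_ports = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 3389]
    for n, port in enumerate(probe_ports):
        lines.append(f"2013-11-20T10:01:{n:02d} 198.51.100.7 10.0.0.5 tcp {port}")
    # Ordinary traffic: two clients using the web server on the usual ports.
    lines += [
        "2013-11-20T10:02:00 192.0.2.10 10.0.0.5 tcp 443",
        "2013-11-20T10:02:01 192.0.2.11 10.0.0.5 tcp 443",
        "2013-11-20T10:02:02 192.0.2.10 10.0.0.5 tcp 80",
    ]
    return lines


def detect_recon(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per source whose behaviour looks like a sweep or a probe."""
    icmp_targets: Dict[str, set] = defaultdict(set)      # src -> hosts it pinged
    ports_by_pair: Dict[tuple, set] = defaultdict(set)   # (src, dst) -> ports it tried

    for line in lines:
        _ts, src, dst, proto, dport = line.split()
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto in ("tcp", "udp"):
            ports_by_pair[(src, dst)].add(int(dport))

    alerts: List[Dict[str, object]] = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= PING_SWEEP_MIN_HOSTS:
            alerts.append({"type": "ping_sweep", "src": src, "hosts": len(hosts)})
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= PORT_PROBE_MIN_PORTS:
            alerts.append({"type": "port_probe", "src": src, "dst": dst,
                           "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(build_sample_log()):
        print(alert)
```

Counting distinct hosts and distinct ports, rather than raw packets, is what separates the probing source from the ordinary clients here: the two web clients touch one host on two ports and never trip either threshold.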

15

Attack

- The attack
  - May encompass a brute force attack process that overwhelms a victim


16

Cover-Up

- In an effort to escape detection
  - Many attackers delete log files that could indicate an attack occurred
- Computer forensics
  - May be necessary to identify traces from an attacker winding his or her way through a system


17

Common Attacks and Entry Points in More Detail

- TCP/IP
  - By its very nature, a trusting protocol stack
- Designers, implementers, and product developers
  - Have tried to secure the protocol and plug holes or vulnerabilities whenever possible


18

Viruses, Worms, and Trojan Horse Programs

- Malicious code (malware)
  - Can disrupt operations or corrupt data
- Viruses, worms (mobile code), and Trojan horses
  - Three such types of malicious code


19

Adware and Spyware

- Adware
  - Displays all kinds of unsolicited and unwanted advertising, often of an unsavory nature
- Spyware
  - Unsolicited and unwanted software
  - Stealthily takes up unauthorized and uninvited residence on a computer


20

Denial of Service Attacks

- Designed to interrupt or completely disrupt operations of a network device or communications
- DoS-related attacks include:
  - SYN Flood
  - Broadcast amplification
  - Buffer overflow

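As an added example for the SYN flood case (written for this summary, not taken from the textbook): a SYN flood leaves a server holding many half-open connections whose client never sends the final ACK of the handshake. Because the source addresses are usually spoofed, a per-source count sees nothing unusual, so the detector below tracks half-open entries per destination port instead and ages them out of a time window the way a kernel would. The event format, thresholds and sample traffic are constructed assumptions.

```python
"""Half-open connection tracking to detect a SYN flood (constructed example)."""
from typing import Dict, List, Tuple

Event = Tuple[float, str, int, str, int, str]   # (time, src, sport, dst, dport, flags)

# Assumed thresholds: alert when one dst:port holds this many half-open entries
# younger than the window (a real kernel would be timing these out as well).
HALF_OPEN_THRESHOLD = 100
WINDOW_SECONDS = 10.0


def build_sample_events() -> List[Event]:
    """Client-to-server segments only: 'S' is the SYN, 'A' the ACK completing the handshake."""
    events: List[Event] = []
    # Three ordinary clients, each finishing its handshake promptly.
    for n, client in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        events.append((n * 0.5, client, 40000 + n, "10.0.0.5", 80, "S"))
        events.append((n * 0.5 + 0.1, client, 40000 + n, "10.0.0.5", 80, "A"))
    # A SYN flood: 150 SYNs in 1.5 seconds from spoofed sources that never ACK.
    for i in range(150):
        events.append((5.0 + i * 0.01, f"203.0.113.{i % 250 + 1}", 50000 + i,
                       "10.0.0.5", 80, "S"))
    return events


def detect_syn_flood(events: List[Event]) -> List[Dict[str, object]]:
    """Scan events in time order; return one alert per dst:port that crosses the threshold."""
    pending: Dict[Tuple[str, int], Dict[Tuple[str, int], float]] = {}
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for t, src, sport, dst, dport, flags in sorted(events):
        key = (dst, dport)
        table = pending.setdefault(key, {})
        if flags == "S":
            table[(src, sport)] = t            # new half-open entry
        elif flags == "A":
            table.pop((src, sport), None)      # handshake completed: no longer half-open
        # Age out entries the window no longer covers (linear scan; fine for an example).
        for stale in [k for k, t0 in table.items() if t - t0 > WINDOW_SECONDS]:
            del table[stale]
        if len(table) >= HALF_OPEN_THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"dst": dst, "dport": dport, "half_open": len(table), "time": t})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample_events()):
        print(alert)
```

The legitimate clients are removed from the table as soon as their ACK arrives, so only the never-completed flood entries accumulate; the alert fires at the hundredth of them, about a second into the flood.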

21

Distributed Denial of Service Attacks

- DoS attacks launched from numerous devices
- DDoS attacks consist of four main elements
  - Attacker
  - Handler
  - Agent
  - Victim



23

Buffer Overflows/Overruns

- Exploit a weakness in many programs that expect to receive a fixed amount of input
- In some cases, extra data can be used to execute commands on the computer
  - With the same privileges as the program it overruns


24

Spoofing

- Borrowing identity information to hide or deflect interest in attack activities
- NetBIOS attacks
  - Attacker sends spoofed NetBIOS Name Release or NetBIOS Name Conflict messages to a victim machine


25

TCP Session Hijacking

- Purpose of an attack
  - To masquerade as an authorized user to gain access to a system
- Once a session is hijacked
  - The attacker can send packets to the server to execute commands, change passwords, or worse


26

Network Sniffing

- One method of passive network attack
  - Based on network “sniffing,” or eavesdropping, using a protocol analyzer or other sniffing software
- Network analyzers available to eavesdrop on networks include:
  - tcpdump (UNIX)
  - OmniPeek (Windows)
  - Network Monitor (Windows)
  - Wireshark



27

Network Sniffing (cont’d.)

[figure only; no text content on this slide]

28

Network Sniffing (cont’d.)

[figure only; no text content on this slide]

29

Maintaining IP Security

- The following sections cover some of the elements that must be included as part of routine security maintenance


30

Applying Security Patches and Fixes

- Microsoft security bulletins
  - May be accessed or searched at: http://technet.microsoft.com/en-us/security/bulletin
- Essential to know about security patches and fixes and to install them
- Security Update Process
  - Evaluate the vulnerability
  - Retrieve the patch or update
  - Test the patch or update
  - Deploy the patch or update


31

Knowing Which Ports to Block

- Many exploits and attacks are based on common vulnerabilities


32

Using IP Security (IPSec)

- RFC 2401 says the goals of IPSec are to provide the following kinds of security
  - Access control
  - Connectionless integrity
  - Data origin authentication
  - Protection against replays
  - Confidentiality
  - Limited traffic flow confidentiality

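An added example (not code from the textbook, and not a real IPsec implementation) that shows three of those goals on a toy packet format modelled loosely on an ESP/AH header: an SPI and sequence number up front, a truncated HMAC-SHA-256 integrity check value at the end. The receiver keeps a sliding anti-replay window, pre-checks the sequence number before spending cycles on the HMAC, and advances the window only after the integrity check passes, so a forged packet can never push valid ones out of the window. Confidentiality is deliberately left out; the key, SPI, window size and payloads are assumptions for the illustration.

```python
"""Integrity, origin authentication and anti-replay, IPsec-style (constructed example)."""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

HEADER = struct.Struct("!II")   # SPI, sequence number (as in an ESP/AH header)
ICV_LEN = 16                    # truncated HMAC-SHA-256 integrity check value


class Sender:
    """One outbound security association: shared key, SPI, next sequence number."""
    def __init__(self, key: bytes, spi: int) -> None:
        self.key, self.spi, self.seq = key, spi, 0

    def protect(self, payload: bytes) -> bytes:
        self.seq += 1                         # never reused for the life of the SA
        header = HEADER.pack(self.spi, self.seq)
        icv = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        return header + payload + icv


class Receiver:
    """Inbound SA with a sliding anti-replay window of `window` sequence numbers."""
    def __init__(self, key: bytes, spi: int, window: int = 64) -> None:
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0          # highest sequence number accepted so far
        self.seen = set()         # accepted sequence numbers still inside the window

    def verify(self, packet: bytes) -> Tuple[Optional[bytes], str]:
        """Return (payload, "ok"), or (None, reason) for a rejected packet."""
        if len(packet) < HEADER.size + ICV_LEN:
            return None, "truncated"
        header, body, icv = packet[:HEADER.size], packet[HEADER.size:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = HEADER.unpack(header)
        if spi != self.spi:
            return None, "unknown SPI"
        # Replay pre-check first (cheap), ICV second (costly), window update last,
        # so that a forged packet can never advance the window.
        if seq == 0 or seq <= self.highest - self.window:
            return None, "outside replay window"
        if seq in self.seen:
            return None, "replayed"
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "integrity check failed"
        self.highest = max(self.highest, seq)
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return body, "ok"


def demo() -> Dict[str, object]:
    """Send 70 packets, then try a replay, a stale packet and a tampered one."""
    key = b"constructed-shared-key-for-the-example"   # assumed pre-shared key
    tx, rx = Sender(key, spi=0x1001), Receiver(key, spi=0x1001, window=64)
    packets = [tx.protect(b"datagram %d" % i) for i in range(1, 71)]
    fresh = tx.protect(b"datagram 71")
    tampered = bytearray(fresh)
    tampered[HEADER.size + 2] ^= 0x01           # flip one bit in the payload
    return {
        "accepted": sum(rx.verify(p)[1] == "ok" for p in packets),   # 70
        "replay": rx.verify(packets[-1])[1],                          # "replayed"
        "stale": rx.verify(packets[0])[1],                            # "outside replay window"
        "tampered": rx.verify(bytes(tampered))[1],                    # "integrity check failed"
        "fresh_after_tamper": rx.verify(fresh)[1],                    # "ok": forgery did not move the window
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

The last two results are the point of the ordering: the tampered copy of packet 71 is rejected without touching the window, so the genuine packet 71 that arrives afterwards is still accepted.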

33

Protecting the Perimeter of the Network

- Important devices and services used to protect the perimeter of networks
  - Bastion host
  - Boundary (or border) router
  - Demilitarized zone (DMZ)
  - Firewall
  - Network address translation
  - Proxy server
  - Screening host
  - Screening router


34

Major Firewall Elements

- Firewalls usually incorporate four major elements:
  - Screening router functions
  - Proxy service functions
  - “Stateful inspection” of packet sequences and services
  - Virtual Private Network services


35

Basics of Proxy Servers

- Proxy servers
  - Can perform “reverse proxying”
  - Exposes a service inside a network to outside users, as if it resides on the proxy server itself
- Caching
  - An important proxy behavior
- Cache
  - Potentially valuable location for a system attack


36

Implementing Firewalls

- Link an internal network to the Internet without managing the boundary between them
  - Blatantly irresponsible to do so


37

Step-by-Step Firewall Planning and Implementing

- Useful steps when planning and implementing firewalls and proxy servers
  - Plan
  - Establish requirements
  - Install
  - Configure
  - Test
  - Attack
  - Tune
  - Implement
  - Monitor and maintain


38

Roles of IDS and IPS in IP Security

- Intrusion detection systems
  - Make it easier to automate recognizing and responding to potential attacks
- Increasingly, firewalls include hooks
  - Allows them to interact with IDSs, or include their own built-in IDS capabilities
- IPSs make access control decisions on the basis of application content

39

Honeypots and Honeynets

- Honeypot
  - Computer system deliberately set up to entice and trap attackers
- Honeynet
  - Broadens honeypot concept from a single system to what looks like a network of such systems

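An added example (not code from the textbook) of the honeypot idea in its smallest form: a decoy TCP listener that offers a fake service banner, records who connected and what they sent first, and does nothing else. The banner text, the use of an OS-assigned port, and the simulated visitor in demo() are constructed for the illustration.

```python
"""A minimal TCP honeypot: a decoy listener that records every contact (constructed example)."""
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone
from typing import Dict, List

DECOY_BANNER = b"220 mail.example.internal ESMTP ready\r\n"   # invented banner; the service is fake


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Greets the visitor, captures what it sends first, and records the contact."""
    def handle(self) -> None:
        self.request.settimeout(2.0)
        try:
            self.request.sendall(DECOY_BANNER)
            first = self.request.recv(1024)
        except (socket.timeout, OSError):
            first = b""
        self.server.records.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.client_address[0],
            "peer_port": self.client_address[1],
            "first_bytes": first[:64],
        })


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address) -> None:
        super().__init__(address, HoneypotHandler)
        self.records: List[Dict[str, object]] = []   # nothing legitimate should ever land here


def start_honeypot(host: str = "127.0.0.1", port: int = 0) -> Honeypot:
    """Start the decoy in a background thread; port 0 lets the OS pick a free port."""
    srv = Honeypot((host, port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> List[Dict[str, object]]:
    """Stand up a honeypot, simulate one unwelcome visitor locally, return what was recorded."""
    srv = start_honeypot()
    host, port = srv.server_address[:2]
    with socket.create_connection((host, port), timeout=2.0) as visitor:   # simulated visitor
        visitor.recv(1024)                       # reads the decoy banner
        visitor.sendall(b"EHLO scanner.example\r\n")
    deadline = time.time() + 3.0                 # wait for the handler thread to log the contact
    while not srv.records and time.time() < deadline:
        time.sleep(0.05)
    srv.shutdown()
    srv.server_close()
    return srv.records


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Because nothing legitimate should ever connect to a honeypot, every record it produces is a high-confidence signal worth feeding to the IDS; run the decoy on an isolated host or segment so that a visitor who takes the bait reaches nothing real.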

40

Summary

- An attack
  - An attempt to compromise the privacy and integrity of an organization’s information assets
- In its original form, TCP/IP implemented an optimistic security model
- Basic principles of IP security
  - Include avoiding unnecessary exposure by blocking all unused ports
- Necessary to protect systems and networks from malicious code
  - Such as viruses, worms, and Trojan horses


41

Summary (cont’d.)

- Would-be attackers
  - Usually engage in a well-understood sequence of activities, called reconnaissance and discovery
- Maintaining system and network security involves constant activity
  - Must keep up with security news and information
- Keeping operating systems secure in the face of new vulnerabilities
  - A necessary and ongoing process
- A honeypot is a computer system deliberately set up to entice and trap attackers
