Page 1: 1 Guide to Network Defense and Countermeasures Chapter 2.


Guide to Network Defense and Countermeasures

Chapter 2


Chapter 2 - Designing a Network Defense

- Understand covert channeling and other common attack threats you need to defend against
- Describe the network security components that make up a layered defense configuration
- List the essential activities that need to be performed in order to protect a network
- Integrate an intrusion detection system (IDS) into a network security configuration


Common Attack Threats

The kinds of security attacks faced include:
- Covert channeling is a way to gain unauthorized access to systems through communications ports
- Denial of Service (DoS) attacks shut down networks
- Remote procedure call abuses that give hackers access using Windows networking services
- Viruses and Trojan horses enter through e-mail messages or downloaded files
- Man-in-the-middle attacks can destroy privacy
- Fragmented IP packets can be used to sneak in malicious code


Common Attack Threats

Network vulnerabilities include services and computers that might present openings:
- Vulnerable services that a hacker may be able to exploit in a server program
- E-mail gateways where hackers can attach a virus payload to a message; when the recipient opens it, the program runs and the virus installs itself
- Porous border can result when a computer is listening on a virtual channel that is not being used
- Gullible employees can be fooled by hackers


Common Attack Threats

Denial of Service (DoS) attacks are launched against network servers:
- The server is flooded with more requests to view Web pages and access files than it can handle
- The server is so busy sending response messages to the requests that result from the DoS attack that it is unable to process legitimate requests and, as a result, the network is effectively blocked
- Numerous types of DoS attacks exist; the more common are SYN floods and address spoofing


Common Attack Threats

DoS attacks (cont.):
- In SYN flood attacks, the attacker sends a TCP packet to the host with the SYN flag set; the server responds by sending an ACK, which the attacker never responds to - the server uses its resources as it waits; the attacker then sends a flood of TCP SYN requests without responding and eventually the server exhausts its resources
- In an address spoofing attack, the attacker finds an open port, then sends a packet containing a spoofed address and the same source IP address as the server's own - this can crash the server
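On the defending side, both DoS patterns above are recognized by watching TCP handshake state per source. The following is an added example, not part of the textbook slides: the packet records are constructed, the server's reply is written as a SYN-ACK ("SA") as TCP actually sends it, and the threshold of 50 half-open connections per source is an assumed value.

```python
# Added example (not from the textbook slides): tracks TCP handshake state per
# source to recognise the two DoS patterns above. All packet records are constructed.
from collections import defaultdict

# (time, src_ip, src_port, dst_ip, dst_port, flags); the server's reply to a SYN
# is recorded as "SA" (SYN-ACK), which is what TCP actually sends back.
PACKETS = [
    (0.0, "198.51.100.7", 40001, "192.0.2.10", 80, "S"),
    (0.1, "192.0.2.10", 80, "198.51.100.7", 40001, "SA"),
    (0.2, "198.51.100.7", 40001, "192.0.2.10", 80, "A"),   # handshake completed
] + [
    # 60 SYNs from one source that are never followed by the final ACK
    (1.0 + i * 0.01, "203.0.113.5", 50000 + i, "192.0.2.10", 80, "S")
    for i in range(60)
] + [
    # source address and port identical to the server's own (address spoofing)
    (2.0, "192.0.2.10", 80, "192.0.2.10", 80, "S"),
]

def analyse(packets, half_open_limit=50):
    """Return (findings, half_open_counts).

    findings is a list of (pattern, source_ip); half_open_counts maps each
    client IP to the number of its connections still waiting for the final ACK.
    The limit of 50 half-open connections per source is an assumed threshold.
    """
    half_open = defaultdict(set)     # client ip -> client ports awaiting ACK
    flagged = set()
    findings = []
    for _t, src, sport, dst, dport, flags in packets:
        if src == dst and sport == dport:
            findings.append(("spoofed-self-address", src))
            continue
        if flags == "S":
            half_open[src].add(sport)
            if len(half_open[src]) > half_open_limit and src not in flagged:
                flagged.add(src)
                findings.append(("syn-flood", src))
        elif flags == "A":
            half_open[src].discard(sport)   # client finished the handshake
    return findings, {ip: len(ports) for ip, ports in half_open.items()}

if __name__ == "__main__":
    for pattern, ip in analyse(PACKETS)[0]:
        print(f"{pattern}: {ip}")
```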


Common Attack Threats

Other attacks:
- In a Remote Procedure Call (RPC) attack, RPC packets that contain spoofed addresses are sent to a server; when the RPC server is unable to interpret the spoofed address, it sends an RPC REJECT packet; if enough spoofed RPC packets are sent, the resulting REJECTs drain server resources
- A virus is computer code that copies itself from one place to another and performs actions that range from benign to harmful; worms create files that copy themselves over and over and take up disk space


Common Attack Threats

Other attacks (cont.):
- A Trojan horse is a harmful computer program that creates a back door - an opening to a computer such as an unused port or terminal service that gives a hacker the ability to control a computer
- In a man-in-the-middle attack, a hacker intercepts part of an encrypted data session to gain control over what is being exchanged; as a result, the hacker can impersonate the intended recipient
- By assigning a packet a false fragment number and embedding IP header data within it, a hacker can sometimes fool a host into letting the packets in


Providing Layers of Network Defense

Good network protection involves arranging a group of components in such a way that they provide layers of network defense:
- Layer 1: Physical security protects computers from theft (use locks), fire, or environmental disaster
- Layer 2: Password security means using good passwords, securing them, changing as needed
- Layer 3: Operating system security involves installing operating system patches, hotfixes and service packs; also disabling guest accounts


Providing Layers of Network Defense

Layers of network defense (cont.):
- Layer 4: Using anti-virus protection means setting up anti-virus software and updating definitions
- Layer 5: Packet filtering blocks or allows the transmission of packets based on port, IP address, protocol, or other criteria; packet filters come in the form of routers, operating systems, or firewalls; stateless packet filtering decides on packets based on established connections, whereas stateful packet filtering goes beyond stateless and maintains an intelligent rule base and state table


Providing Layers of Network Defense

Layers of network defense (cont.):
- Layer 6: Firewalls reflect the heart of a company's security policy in that they control the amount of traffic the network receives and the ease with which users can access external networks; two firewall approaches exist: permissive, which allows traffic through by default and blocks on a case-by-case basis; restrictive, which blocks all traffic by default and allows it on a case-by-case basis; another function performed by firewalls is Network Address Translation (NAT), which converts internal IP addresses to different ones


Providing Layers of Network Defense

Layers of network defense (cont.):
- Layer 7: Proxy servers can conceal end users in a network and act as a go-between, forwarding data between internal users and external hosts; proxies work by examining the port each service uses, screening all traffic into and out of each port and deciding whether to block or allow traffic based on rules set up by the proxy server administrator; ultimately, because of their strengths and weaknesses, proxy servers and packet filters need to be used together in a firewall


Providing Layers of Network Defense

Layers of network defense (cont.):
- Layer 8: DMZ, or demilitarized zone, is a network that sits outside the internal network (but is connected to the firewall), and makes services publicly available while protecting the internal LAN; DMZs are a standard in e-commerce to protect and ensure that successful electronic transactions take place; the most common type of DMZ is a screened subnet, created by grouping public service servers and combining them with the firewall's subnet; often, a company will add a second firewall for an extra level of security


Providing Layers of Network Defense

Layers of network defense (cont.):
- Layer 9: Intrusion detection systems (IDSs) work by recognizing the signs of a possible attack and sending a notification to an administrator
- Layer 10: Virtual private networks (VPNs) provide relatively low-cost and secure connection between organizations that use the public Internet; VPNs encrypt packets, provide user authentication, and encapsulate encrypted packets
- Layer 11: Logging and administration involves reviewing and analyzing firewall and IDS log files


Essential Network Security Activities

The most common activities of any network security configuration are:
- Encryption, which is the process of concealing information to render it unreadable to all but the intended recipients; an encrypted code called a digital signature is attached to the files that are exchanged during the transaction so that each party can ensure the other's identity
- Authentication is the act of reliably determining whether an entity is whom they claim to be


Essential Network Security Activities

Security configuration activities (cont.):
- Developing a packet filtering rule base, which is a set of individual rules that the filter reviews when it encounters a packet
- Virus protection is a central activity that needs to be performed to protect a network and its users; it should scan the content of e-mail messages
- Secure remote access is one of the biggest security challenges facing organizations that communicate via the Internet and need to provide access for remote users; a VPN provides an ideal solution
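Layer 5 (packet filtering and its state table), Layer 6 (the permissive versus restrictive firewall approaches) and the packet filtering rule base described above all come down to the same mechanism. The following is an added example, not code from the textbook: a minimal first-match rule base in Python whose rules, addresses and four sample packets are constructed, and whose state table is a simplified model of what a stateful filter keeps.

```python
# Added example (not from the textbook slides): a first-match packet filtering
# rule base with a selectable default policy and an optional state table.
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str          # "allow" or "block"
    proto: str = "any"   # "tcp", "udp", or "any"
    src: str = "any"     # source IP or "any"
    dst: str = "any"     # destination IP or "any"
    dport: int = 0       # destination port; 0 matches any port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto) and self.src in ("any", src)
                and self.dst in ("any", dst) and self.dport in (0, dport))

@dataclass
class PacketFilter:
    rules: list
    default: str = "block"   # "block" = restrictive approach, "allow" = permissive
    stateful: bool = False   # False = decide on header fields of each packet alone
    state: set = field(default_factory=set)  # allowed (proto, src, sport, dst, dport)

    def decide(self, proto, src, sport, dst, dport):
        # A stateful filter passes replies that belong to a connection it already allowed.
        if self.stateful and (proto, dst, dport, src, sport) in self.state:
            return "allow"
        for rule in self.rules:            # first matching rule wins
            if rule.matches(proto, src, dst, dport):
                if rule.action == "allow" and self.stateful:
                    self.state.add((proto, src, sport, dst, dport))
                return rule.action
        return self.default                # no rule matched: apply the policy

# Constructed rule base: HTTP to the Web server 192.0.2.10 is allowed explicitly,
# telnet to it is blocked explicitly; everything else falls through to the default.
RULES = [
    Rule("allow", proto="tcp", dst="192.0.2.10", dport=80),
    Rule("block", proto="tcp", dst="192.0.2.10", dport=23),
]

def evaluate(default, stateful):
    """Run the same four constructed packets through a filter built with the given policy."""
    pf = PacketFilter(RULES, default=default, stateful=stateful)
    return {
        "http_request": pf.decide("tcp", "198.51.100.7", 40001, "192.0.2.10", 80),
        "http_reply":   pf.decide("tcp", "192.0.2.10", 80, "198.51.100.7", 40001),
        "telnet":       pf.decide("tcp", "198.51.100.7", 40002, "192.0.2.10", 23),
        "dns_query":    pf.decide("udp", "198.51.100.7", 40003, "192.0.2.53", 53),
    }
```

With the restrictive default the stateless filter drops the server's reply because no rule names it; the stateful filter passes it from the state table, which is the difference the Layer 5 slide points at.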


Essential Network Security Activities

Security configuration activities (cont.):
- Working with log files involves reviewing and maintaining these files so that you can detect intrusion attempts by suspicious patterns of activity
- Managing log files is tedious and time consuming, but the network administrator must read log files to see who is accessing the network from the Internet
- Log files compiled by firewalls allow you to see active data, recently recorded data, system events, security events, traffic and packets; be sure to use graphic displays of log file entries


Integrating Intrusion Detection Systems (IDSs)

An IDS fits into an overall network security program in the following ways:
- The best way to configure an IDS is to anticipate what attacks you are likely to encounter so that you can make sure the IDS has the appropriate signatures or rules available to it
- A good IDS system notifies the appropriate individuals and provides information about what type of event occurred and where it took place
- The logical place for locating an IDS is near the point where the internal network has an interface with the external Internet
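Reviewing log files for suspicious patterns of activity (the log file slide above) and having the IDS report what type of event occurred and where it took place (this slide) can be shown together. The example below is added and is not from the textbook; the key=value log format, the addresses and the five-port threshold are constructed assumptions, not any real firewall's format or default.

```python
# Added example (not from the textbook slides): reviews constructed firewall log
# lines for a suspicious pattern and turns matches into IDS-style alerts that
# state what happened and on which firewall interface it was seen.
import re
from collections import defaultdict

FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed log lines in a made-up key=value format (not a real firewall's format).
LOG_LINES = """
2024-03-01T10:00:01 iface=external action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=21
2024-03-01T10:00:02 iface=external action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=22
2024-03-01T10:00:02 iface=external action=allow proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=80
2024-03-01T10:00:03 iface=external action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=23
2024-03-01T10:00:03 iface=external action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=25
2024-03-01T10:00:04 iface=dmz action=deny proto=tcp src=198.51.100.7 dst=192.0.2.20 dport=3306
2024-03-01T10:00:05 iface=external action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=110
""".strip().splitlines()

def parse(line):
    """Split one log line into a dict of its fields (timestamp kept under 'ts')."""
    ts, rest = line.split(" ", 1)
    entry = dict(FIELD.findall(rest))
    entry["ts"] = ts
    entry["dport"] = int(entry["dport"])
    return entry

def review(lines, min_ports=5):
    """Return one alert per (interface, source, destination) that was denied on
    at least min_ports distinct ports; the threshold of 5 is an assumed value."""
    denied = defaultdict(set)   # (iface, src, dst) -> ports the firewall refused
    for entry in map(parse, lines):
        if entry["action"] == "deny":
            denied[(entry["iface"], entry["src"], entry["dst"])].add(entry["dport"])
    alerts = []
    for (iface, src, dst), ports in denied.items():
        if len(ports) >= min_ports:
            alerts.append({"event": "port-sweep", "where": iface,
                           "src": src, "dst": dst, "ports": sorted(ports)})
    return alerts

def notify(alert):
    """Format an alert as the text an IDS would send to the administrator."""
    return (f"[{alert['event']}] on {alert['where']} interface: {alert['src']} "
            f"probed {alert['dst']} on {len(alert['ports'])} refused ports "
            f"{alert['ports']}")

if __name__ == "__main__":
    for alert in review(LOG_LINES):
        print(notify(alert))
```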


Chapter Summary

This chapter gives you a rundown of the fundamental network security tools and approaches you need to design a defensive perimeter. An effective network security strategy involves many layers of defense working together to prevent many different kinds of threats

You begin by reviewing the common security threats you need to guard against. These include Denial of Service attacks such as SYN floods and address spoofing; covert channeling attacks; virus attacks; and man-in-the-middle attacks


Chapter Summary

The following are the layers of network security that you can set up:
- Layer 1, or physical security - lock computers, provide environmental controls, use alarm systems
- Layer 2, or password security - use good passwords and change them regularly
- Layer 3, or operating system security - install operating system patches and updates to plug obvious holes such as unused ports
- Layer 4, or use of anti-virus protection - set up anti-virus software and update virus definitions periodically
- Layer 5, or packet filtering - set up a packet filtering rule base


Chapter Summary

Layers of network security (cont.):
- Layer 6, or use of firewalls - set up a DMZ and firewall to protect your internal LAN while providing external clients with public services such as Web pages
- Layer 7, or use of proxy server - set up a proxy server to conceal the identity of internal hosts
- Layer 8, or use of DMZ - place proxy servers, Web servers, e-mail servers, and other servers in an area outside of the internal network but still protected by the firewall, called a DMZ
- Layer 9, or use of Intrusion Detection System (IDS) - set up an IDS to notify you when security events occur


Chapter Summary

Layers of network security (cont.):
- Layer 10, or use of virtual private network (VPN) - set up a VPN and secure remote clients with firewalls and anti-virus software
- Layer 11, or use of logging and administration - keep reviewing your firewall, packet filtering, and IDS logs on a regular basis

Encryption protects data as it passes from one network to another, and authentication limits access to authorized users


Chapter Summary

Packet filtering allows or blocks packets based on a set of rules, and virus protection helps prevent computer systems from being attacked

Secure remote access gives contractors and mobile users a way to connect to the home network; log files give the network administrator the ability to analyze who is accessing the network from the Internet, as well as a way of detecting intrusion attempts based on patterns of suspicious activity


Chapter Summary

An IDS is an ideal tool for real-world situations in which security breaches occur. The IDS can notify you by e-mail, by log file alert messages, or even by sending a message to your pager. The IDS should be located on the perimeter of the network, but it can be located in any number of places - either on a server in the DMZ, between the external router and the Internet, or between the router and the LAN


Chapter Summary

When you receive an alert from an IDS, react rationally and use the alerts to assess whether the network has actually been breached or not, to track what resources, if any, have been affected