Information Systems CS-507 Lecture 40
Jan 11, 2016

Transcript
Page 1: Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507

Lecture 40

Page 2: Factors Encouraging Internet Attacks

• Availability of tools and techniques on the Internet or as commercially available software that an intruder can download easily. For example:

• To scan ports, an intruder can easily obtain network scanners.

• Various password cracking programs are available free or at a minimal cost.

Page 3: Factors Encouraging Internet Attacks

• No matter how perfect a system is made by removing all possible vulnerabilities, there is still a chance that weaknesses exist and the system can be broken into at any given time.

• Inadequate security over firewalls and operating systems may allow intruders to view internal addresses and use network services indiscriminately.

Page 4: Internet Security Controls

• Firewall Security Systems

• Intrusion Detection Systems

• Encryption

Page 5: Firewall Security Systems

• Every time a corporation connects its internal computer network to the Internet, it faces potential danger.

• Because of the Internet’s openness, every corporate network connected to it is vulnerable to attack.

• Companies should build firewalls as one means of perimeter security for their networks.

Page 6: Firewall

• Firewalls are defined as a device installed at the point where network connections enter a site; they apply rules to control the type of networking traffic flowing in and out.

• The purpose is to protect the Web server by controlling all traffic between the Internet and the Web server.

Page 7: Firewall Security Systems

• To be effective, firewalls should allow individuals on the corporate network to access the Internet and, at the same time, stop hackers or others on the Internet from gaining access to the corporate network to cause damage.

Page 8:

• Deny-all philosophy -- which means that access to a given resource will be denied unless a user can provide a specific business reason or need for access to the information resource.

• Accept-all philosophy -- under which everyone is allowed access unless someone can provide a reason for denying access.

Page 9:

• System reports may also be generated to see who attempted to attack the system and tried to enter through the firewall from remote locations.
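A toy policy evaluator that puts the deny-all and accept-all philosophies of Page 8 side by side and produces the kind of "who was denied from where" report Page 9 mentions. This is an added example, not part of the lecture; the rule set, addresses and connection attempts are constructed.

```python
import ipaddress
from collections import Counter

# Constructed rule set (not from the lecture): (source network, destination port, action).
# The default policy selects the slide's philosophy: "deny" = deny-all, "allow" = accept-all.
RULES = [
    (ipaddress.ip_network("10.0.0.0/8"), 22, "allow"),      # LAN admins may use SSH (business need)
    (ipaddress.ip_network("0.0.0.0/0"), 443, "allow"),      # public HTTPS service for customers
    (ipaddress.ip_network("203.0.113.0/24"), 445, "deny"),  # explicit deny; only matters under accept-all
]

def decide(src_ip, dst_port, default_policy, rules=RULES):
    """Return 'allow' or 'deny' for one connection attempt.
    The first matching rule wins; otherwise the default policy applies."""
    src = ipaddress.ip_address(src_ip)
    for net, port, action in rules:
        if src in net and port == dst_port:
            return action
    return default_policy

def report(connections, default_policy):
    """Evaluate connection attempts and build the 'system report' the slide
    mentions: per-connection decisions plus a count of denied attempts by source."""
    decisions, denied = [], Counter()
    for src_ip, dst_port in connections:
        action = decide(src_ip, dst_port, default_policy)
        decisions.append((src_ip, dst_port, action))
        if action == "deny":
            denied[src_ip] += 1
    return decisions, denied

# Constructed connection attempts from inside and outside the corporate network.
ATTEMPTS = [
    ("10.1.2.3", 22),        # internal admin using SSH
    ("198.51.100.7", 443),   # Internet customer using HTTPS
    ("198.51.100.7", 3389),  # same Internet host trying RDP: no rule, no business reason
    ("198.51.100.7", 23),    # same host trying telnet
    ("203.0.113.9", 445),    # SMB from the explicitly denied range
]

if __name__ == "__main__":
    for policy in ("deny", "allow"):
        decisions, denied = report(ATTEMPTS, policy)
        print(f"default policy: {policy}-all")
        for src, port, action in decisions:
            print(f"  {src:>14} -> port {port:<5} {action}")
        print("  denied attempts by source:", dict(denied))
```

Under deny-all the two unexplained probes (RDP, telnet) are refused and show up in the report; under accept-all the same probes pass silently, which is why the slide presents deny-all as the philosophy requiring a business justification for each opening.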

Page 10: General Features of Firewall

Firewalls are hardware and software combinations that are built using routers, servers and a variety of software. They should control the most vulnerable point between a corporate network and the Internet, and they can be as simple or complex as the corporate security policy demands.

Page 11:

• Block access to an organization’s sites on the Internet.

• Limit traffic on an organization’s public services segment to relevant addresses.

• Prevent certain users from accessing certain servers or services.

• Monitor communications between an internal and an external network.

• Monitor and record all communications between an internal network and the outside world to investigate network penetrations or detect internal subversion.

• Encrypt packets of data that are sent between different physical locations within an organization by creating a VPN over the Internet.

Page 12: General Features of Firewall

• The capabilities of some firewalls can be extended so that they also provide protection against viruses and against attacks directed at exploiting known operating system vulnerabilities.

• A remote location server protected by firewalls and IDS, further complemented by IPS (Intrusion Prevention System) – defining specific ranges of IP addresses that may access the location, with defined rights.

Page 13: Intrusion Detection Systems (IDS)

• An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies. It protects a company’s information systems resources from external as well as internal misuse.

Page 14: Intrusion Detection Systems (IDS)

• An IDS is located between the firewall and the corporate network and works in complement with the firewall. However, it can also be installed before the firewall.

• IDS helps to detect both:

• on-site unauthorized access, through network-based IDS, and

• remote unauthorized access, through the use of host-based IDS.

• IDS is more concerned with recording and detecting intrusions. For blocking intrusions, another system called Intrusion Prevention System (IPS) is used, which takes input from the IDS.

Page 15: Components of an IDS

An IDS comprises the following components:

• Sensors that are responsible for collecting data. The data can be in the form of network packets, log files, system call traces, etc.

• Analyzers that receive input from sensors and determine intrusive activity.

• An administrative console – it contains the intrusion definitions applied by the analyzers.

• A user interface.

Page 16: Categories of IDS

• Host-based IDSs

• Network-based IDSs

Page 17: Host-based IDS

• Host-based IDSs reside on a particular computer and provide protection for a specific computer system. They are not only equipped with system monitoring facilities but also include other modules of a typical IDS, for example the response module.

Page 18:

• Systems that monitor incoming connection attempts. These examine host-based incoming and outgoing network connections. They are particularly concerned with unauthorized connection attempts to the various protocols used for network communication, such as

– TCP (Transmission Control Protocol) or

– UDP (User Datagram Protocol) ports,

and can also detect incoming portscans.

• Systems that examine network traffic that attempts to access the host. These systems protect the host by intercepting suspicious packets and scanning them to discourage intrusion.

– Network Traffic – data travel in the form of packets on the network

– Packet – a specific amount of data sent at a time

Page 19: Network Based IDS

• The network-based type of IDS (NIDS) produces data about local network usage. The NIDS reassembles and analyzes all network packets that reach the network interface card.

Page 20: Example— Network based IDS

• While monitoring traffic, NIDSs capture all packets that they see on the network segment without analyzing them, focusing only on creating network traffic statistics.

Page 21: Honeynets

• Honeynet(s) – do not allow the intruder to access actual data but leave the intruder in a controlled environment which is constantly monitored. Monitoring provides information regarding the approach of the intruder.

Page 22: Components of IDS

An IDS comprises the following:

• Sensors that are responsible for collecting data. The data can be in the form of network packets, log files, system call traces, etc.

• Analyzers that receive input from sensors and determine intrusive activity.

• An administration console

• A user interface.

Page 23: Features of IDS

The features available in an IDS include:

• Intrusion detection

• Gathering evidence on intrusive activity

• Automated response (i.e. termination of connection, alarm messaging)

• Security policy

• Interface with system tools

• Security policy management

Page 24: Limitations of IDS

An IDS cannot help with the following weaknesses:

• Incorrectness or scope limitation in the manner threats are defined

• Application-level vulnerabilities

• Backdoors into applications

• Weakness in identification and authentication schemes

Page 25: Encryption

• Encryption – the process of converting data into codes (cryptograms)

[Figure: Original Data → Encryption → Ciphertext / Encrypted data]

Page 26:

• This is a reversible transformation of data from the original (the plaintext) to a difficult-to-interpret format (the ciphertext), as a mechanism for protecting its confidentiality, integrity and authenticity.

Page 27: Web Server Logs

• The major purpose of enhancing web security is to protect the web server from attacks carried out over the Internet.

• While doing that, logging is the principal component of secure administration of a Web server.

• Logging the appropriate data and then monitoring and analyzing those logs are critical activities. Review of Web server logs is effective, particularly for encrypted traffic, where network monitoring is far less effective.

Page 28:

• Review of logs is a mundane activity that many Web administrators have a difficult time fitting into their hectic schedules.

• This is unfortunate, as log files are often the best and/or only record of suspicious behavior. Failure to enable the mechanisms to record this information and use them to initiate alert mechanisms will greatly weaken or eliminate the ability to detect and assess intrusion attempts.

Page 29: Web Server Logs (Contd.)

• Similar problems can result if the necessary procedures and tools are not in place to process and analyze the log files.

• System and network logs can alert the Web administrator that a suspicious event has occurred and requires further investigation. Web server software can provide additional log data relevant to Web-specific events.

Page 30:

• If the Web administrator does not take advantage of these capabilities, Web-relevant log data may not be visible or may require a significant effort to access.
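The log review of Pages 27 to 30, organised as the IDS components of Pages 15 and 22: a sensor that collects events from Web server log lines, an administrative console holding the intrusion definitions, and an analyzer that applies them. This is an added example, not from the lecture; the log lines, thresholds and rule names are constructed.

```python
import re
from collections import defaultdict

# Constructed Common Log Format lines standing in for a Web server access log.
SAMPLE_LOG = """\
198.51.100.23 - - [11/Jan/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [11/Jan/2016:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.5 - - [11/Jan/2016:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 210
203.0.113.5 - - [11/Jan/2016:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 210
203.0.113.5 - - [11/Jan/2016:10:00:03 +0000] "GET /backup/ HTTP/1.1" 404 210
198.51.100.23 - - [11/Jan/2016:10:00:05 +0000] "POST /login HTTP/1.1" 401 98
198.51.100.23 - - [11/Jan/2016:10:00:06 +0000] "POST /login HTTP/1.1" 200 1450
192.0.2.77 - - [11/Jan/2016:10:00:07 +0000] "POST /login HTTP/1.1" 401 98
192.0.2.77 - - [11/Jan/2016:10:00:07 +0000] "POST /login HTTP/1.1" 401 98
192.0.2.77 - - [11/Jan/2016:10:00:08 +0000] "POST /login HTTP/1.1" 401 98
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# Administrative console: the intrusion definitions the analyzer applies (constructed thresholds).
RULES = {
    "probable_scan":     {"status": 404, "threshold": 4},  # many not-found URLs from one source
    "login_brute_force": {"status": 401, "threshold": 3},  # repeated failed logins from one source
}

def sensor(raw_log):
    """Sensor: turn raw log lines into events (source, method, path, status);
    lines that do not parse are skipped rather than crashing the review."""
    events = []
    for line in raw_log.splitlines():
        m = LOG_RE.match(line)
        if m:
            src, method, path, status = m.groups()
            events.append((src, method, path, int(status)))
    return events

def analyzer(events, rules=RULES):
    """Analyzer: count, per source, the status codes each rule watches and
    raise an alert (rule name, source, count) once a threshold is reached."""
    counts = defaultdict(int)
    for src, _method, _path, status in events:
        counts[(src, status)] += 1
    alerts = []
    for name, rule in rules.items():
        for (src, status), n in counts.items():
            if status == rule["status"] and n >= rule["threshold"]:
                alerts.append((name, src, n))
    return sorted(alerts)

if __name__ == "__main__":
    for name, src, n in analyzer(sensor(SAMPLE_LOG)):
        print(f"ALERT {name}: {src} ({n} events)")  # the user interface / automated alarm
```

The single failed login from 198.51.100.23 followed by a success stays below threshold and raises nothing, which is the point of thresholds in the console: the same log line is routine or suspicious depending on how often one source produces it.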