Network Security and Information Assurance: a broad brush
A Discussion of Firewalls, Intrusion Detection Systems, Encryption, and the Common Criteria for evaluating Information Assurance Products
Robert Neal Smith, Ph.D., [email protected]
[email protected], IEEE Phoenix Section Computer Society Chapter, Feb 28, 2003
Introduction
- Firewalls block or allow selected traffic based on various parameters (typically IP address and TCP or UDP port number).
- Intrusion Detection Systems scan traffic on a network or within a host to determine whether an intruder is present.
- Encryption systems involve the distribution of the keys used by the encryption algorithm to encrypt and decrypt messages and data (algorithms, keys, key management).
- Common Criteria is a standardized set of evaluation methods for demonstrating that information technology systems meet their security requirements.
What makes an application secure?
Security
- Privacy / Confidentiality (supported by encryption and firewalls)
- Integrity (supported by signatures)
- Authentication
- Non-Repudiation (supported by signatures)
- Denial of Service resistance (supported by firewalls)
Before we begin: are you familiar with...
- Sapphire (aka SQL Slammer)
  - What could have been done?
    - Patches to the application
    - Firewall policy to block UDP from selected addresses on port 1428
    - Intrusion detection of UDP traffic on port 1428 and a search for the signature
    - Encryption and signatures of user communications
    - Better requirements and testing of the application to prevent security holes
    - Know who is connecting to your network
FIREWALL
Firewall
- Firewalls (or Internet interface proxies) may be used to provide a secure interface to the Internet.
  - The firewall blocks or allows traffic.
  - A proxy filters application traffic and provides address translation.
    - The main proxies are web proxies, which filter traffic on the normal TCP port 80.
Firewall Techniques
- Policy based (based on your security policy)
- Address filter: allow or disallow
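The two techniques on this slide, policy and address filtering, as an added example that is not part of the original deck: a first-match packet filter with a default-deny policy. The home network, the host addresses and the rules are assumptions chosen to match the deck's Slammer scenario (UDP to the SQL Server Resolution Service port 1434, as named on the CAN-2002-0649 slide).

```python
# Added example (not from the slides): a minimal policy-based packet filter
# that allows or disallows by address and port. Rules are evaluated top to
# bottom, the first match wins, and a packet matching no rule falls through
# to the default policy (deny).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

HOME_NET = ip_network("192.0.2.0/24")   # assumed internal network (documentation range)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # destination port, None = any port


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and _net_match(rule.src, src)
            and _net_match(rule.dst, dst)
            and (rule.dport is None or rule.dport == dport))


def decide(policy: List[Rule], proto: str, src: str, dst: str, dport: int,
           default: str = "deny") -> str:
    """Return 'allow' or 'deny' for one packet; the first matching rule wins."""
    for rule in policy:
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return default


# Assumed policy: UDP 1434 into the home network is blocked first, web traffic to
# one public server is allowed, internal hosts may talk out, all else is denied.
POLICY = [
    Rule("deny",  "udp", "any",         str(HOME_NET),   1434),
    Rule("allow", "tcp", "any",         "192.0.2.10/32", 80),
    Rule("allow", "any", str(HOME_NET), "any",           None),
]

if __name__ == "__main__":
    print(decide(POLICY, "tcp", "198.51.100.7", "192.0.2.10", 80))    # allow
    print(decide(POLICY, "udp", "198.51.100.7", "192.0.2.20", 1434))  # deny
    print(decide(POLICY, "udp", "192.0.2.5", "192.0.2.20", 1434))     # deny
```

Because the deny rule sits above the broad internal allow, an already-infected internal host probing port 1434 is blocked too; reversing the rule order would let that traffic through, which is why policy order is part of the policy.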
PC Disk and Application Security
- SecretAgent
  - SecretAgent® is the premier file encryption and digital signature utility, supporting cross-platform interoperability over a wide range of Windows- and UNIX-based systems. ($50)
  - Information Security Corp (ISC), www.infoseccorp.com
- SpyProof
  - Automatically encrypts all data blocks written to the disk and then transparently decrypts them for any application
  - Information Security Corp (ISC), www.infoseccorp.com
Secure Sockets Layer
- Public key
- Private key
- Session (secret) key
- Only as secure as
  - the length and privacy of the KEY
  - <Fill in the line>
Intrusion Detection Systems
IDS Categories
- Network based
- Host based
IDS Techniques
- Artificial Immune System [7]
- Control-Loop Measurement [8]
- Data Mining [9]
- Statistical [24]
- Signature-Based (Rule-Based [25])
Problem Lists / Databases
- bugtraq (since 1993)
  - http://www.securityfocus.com/
  - http://online.securityfocus.com/archive/1
  - A description of bugs / events
- Common Vulnerabilities and Exposures (CVE) (since 1999)
  - http://www.cve.mitre.org/compatible/enterprise.html
  - http://www.cve.mitre.org/cve/
  - A dictionary, not a database
- WhiteHat
  - In jail
Slammer Signature
- http://www.snort.org/snort-db/sid.html?sid=2003
- Signature/Rule
  - alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL
  - Literal meaning: any UDP datagram from an external IP to a home IP at port 1434
    - Alert if you see hex 81 F1 03 01 04 9B 81 F1 01 and "sock" and "send"
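The literal meaning of the rule above, as an added example that is not part of the original deck or of Snort: the header test (UDP, external to home, destination port 1434) and the content test (the hex pattern plus the strings "sock" and "send") written as plain Python over a few constructed datagrams. The home network and the sample datagrams are assumptions; the payloads are test vectors that merely contain the signature bytes, not real worm traffic.

```python
# Added example (not from the slides): evaluate the sid 2003 rule's conditions
# over UDP datagrams and emit one alert line per match.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

HOME_NET = ip_network("192.0.2.0/24")            # assumed $HOME_NET
SIGNATURE = bytes.fromhex("81F10301049B81F101")  # hex bytes quoted on the slide
REQUIRED_STRINGS = (b"sock", b"send")            # strings quoted on the slide


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_slammer_rule(d: Datagram) -> bool:
    """Header part: udp $EXTERNAL_NET any -> $HOME_NET 1434.
    Content part: the 9-byte pattern and both strings anywhere in the payload."""
    if d.dport != 1434:
        return False
    if ip_address(d.src) in HOME_NET or ip_address(d.dst) not in HOME_NET:
        return False
    return SIGNATURE in d.payload and all(s in d.payload for s in REQUIRED_STRINGS)


def scan(datagrams: Iterable[Datagram]) -> List[str]:
    return [f"ALERT sid 2003 MS-SQL signature: {d.src} -> {d.dst}:{d.dport}"
            for d in datagrams if matches_slammer_rule(d)]


# Constructed samples: a harmless short request, a datagram carrying the
# signature from outside, the same payload on a different port, and the same
# payload sent between two internal hosts.
MATCHING_PAYLOAD = b"\x04" + b"A" * 16 + SIGNATURE + b"..sock..send.."
SAMPLES = [
    Datagram("198.51.100.7", "192.0.2.20", 1434, b"\x02"),
    Datagram("198.51.100.7", "192.0.2.20", 1434, MATCHING_PAYLOAD),
    Datagram("198.51.100.7", "192.0.2.20", 1433, MATCHING_PAYLOAD),
    Datagram("192.0.2.5", "192.0.2.20", 1434, MATCHING_PAYLOAD),
]

if __name__ == "__main__":
    for line in scan(SAMPLES):
        print(line)   # exactly one alert, for the external datagram
```

The fourth sample shows the rule's scope: because the header part requires an external source, an infected host inside $HOME_NET scanning its neighbours is not caught by this rule, so a host-based or internally placed sensor is needed to see that stage of the spread.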
CVE Candidate (CAN)
- CAN-2000-1209
  - The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, are installed with a default "sa" account with a null password, which allows remote attackers to gain privileges, including worms such as Voyager Alpha Force and Spida.
CVE Candidate
- CAN-2002-0649
  - Multiple buffer overflows in SQL Server 2000 Resolution Service allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption.
BugTraq (Sample)
- SQL Sapphire Worm Analysis
- Release Date: 1/25/03
- Severity: High
- Systems Affected: Microsoft SQL Server 2000 pre SP 2
- Description: Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world.
- The worm is spreading using a buffer overflow to exploit a flaw in Microsoft SQL Server 2000. The SQL 2000 server flaw was discovered in July, 2002 by Next Generation Security Software Ltd. The buffer overflow exists because of the way SQL improperly handles data sent to its Microsoft SQL Monitor port.
Related Papers
- Smith, R. N. and S. Bhattacharya, 1997, "Firewall Placement In A Large Network Topology," IEEE FTDCS'97
- Smith, R. N. and S. Bhattacharya, 1998, "Fault and Leak Tolerance in Firewall Engineering," IEEE HASE'98
- Smith, R. N. and S. Bhattacharya, 1998, "A Protocol and Simulation for Distributed Communicating Firewalls," IEEE COMPSAC'99
- Smith, R. N. and S. Bhattacharya, 1999, "Operating Firewalls Outside the LAN Perimeter," IEEE IPCCC'99
Related Papers
- Smith, R. N. and S. Bhattacharya, 1999, "Distributed Firewall Protocol, With Simulation and Emulation Tool in Java," Motorola Inc., SMS'99
- Smith, R. N., R. Feigen, and S. Bhattacharya, 2000, "Securing Communications in an Enterprise Network of LAN and or WAN by Utilizing an Enhanced Encrypting Network Interface Card and Associated Software," Motorola Inc., Technical Developments, 2000
- Smith, R. N., and S. Bhattacharya, 2003, "Cascade of Distributed and Cooperating Firewalls in a Secure Data Network," IEEE Transactions on Knowledge and Data Engineering, Vol. 15, No. 4, July/August 2003
Listed References
[1] S. Staniford, J. Hoagland, J. McAlerney. "Practical Automated Detection of Stealthy Portscans." In: CCS IDS Workshop, Athens. November 1, 2000.
[2] deleted.
[3] A. Sundaram. "An Introduction to Intrusion Detection." http://www.acm.org/crossroads/xrds2-4/intrus.html
[4] H. Debar. "What is knowledge-based intrusion detection?" In: Intrusion Detection FAQ.
[5] H. Debar. "What is behavior-based intrusion detection?" In: Intrusion Detection FAQ. http://www.sans.org/newlook/resources/IDFAQ/behavior_based.htm
[6] D. Lehmann. "What is ID?" In: Intrusion Detection FAQ. http://www.sans.org/newlook/resources/IDFAQ/what_is_ID.htm
References Continued
[7] J. Kim. "An Artificial Immune System for Network Intrusion Detection." http://www.cs.ucl.ac.uk/staff/J.Kim/GECCO_WS99.html
[8] M. Craymer, J. Cannady, J. Harrell. "New Methods of Intrusion Detection using Control-Loop Measurement." In: Fourth Technology for Information Security Conference '96. May 16, 1996.
[9] W. Lee, S. Stolfo. "Data Mining Approaches for Intrusion Detection." In: Proceedings of the 7th USENIX Security Symposium. 1998.
[10] M. Gerken. "Statistical-Based Intrusion Detection." http://www.sei.cmu.edu/str/descriptions/sbid_body.html
References Continued
[11] http://www.nfr.com/products/NID/
[12] http://www.checkpoint.com/products/firewall-1/realsecure.html
[13] http://www.portcullis-security.com/products/index.htm
[14] http://www.snort.org
[15] http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/
[16] S. Northcutt. Network Intrusion Detection: An Analyst's Handbook. New Riders, Indianapolis, 1999. p. 125.
References Continued
[17] http://www.silicondefense.com/software/spice/index.htm
[18] http://www.tcpdump.org
[19] http://www.ethereal.com
[20] http://www.gnu.org/copyleft/gpl.html
[21] R. Permeh, M. Maiffret. ".ida 'Code Red' Worm." http://www.eeye.com/html/Research/Advisories/AL20010717.html
[22] R. Lyttle. http://www.sub-seven.com
[23] D. Ruiu. "Snort FAQ Version 1.8." http://snort.sourcefire.com/docs/faq.html
[24] M. Prabhaker. "Intrusion Detection."