because things change
Inter/Intra/Extra/Network Connectivity, Security and Administration
(Everything you always wanted to know - but were afraid to ask)
Solutech, Inc.
Craig Ingram, Senior Consultant
Omaha, NE.
The Internet is:
– a global network of networks.
– the purest form of electronic democracy .... or anarchy.
– A giant international network of intelligent, informed computer enthusiasts, which are:
People without lives!
The Internet is not:
• A single computer.
• A single Network.
• Vendor specific.
• Run by a single person, group, organization or government.
• By default, secure.
The Internet is comprised of:
• Universities
• Corporations
• Governments
• Government Agencies
• Service Providers (AOL, etc.)
• Individuals
Every time you tap into the Internet, you become an extension of it.
A Brief History
• The Internet is not new - an outcome of the Cold War.
• 1969: Advanced Research Projects Agency Network (ARPANet).
• Provide redundant connectivity between government, education, and research labs.
• Funded by DoD.
• Internet Protocols (TCP/IP) were developed to link disparate hardware and software platforms together.
• The TCP/IP design allows:
– For tens of thousands of networks, comprised of millions of computers.
– Every computer is equal to every other computer.
• Initial uses were text-based Email and file transfers.
A Technology Overview
A Network
• A network is comprised of multiple computers, file server(s), other servers, hubs and routers.
• Routers are used to interconnect separate networks.
– They isolate one network from another.
– Can provide a form of security (via filtering of IP addresses). A message is not forwarded unless the router’s table contains the appropriate link.
The OSI Model
Layer              Function
Application        Provides standard user functions and network interfaces. Application-specific services.
Presentation       Ensures message standardization. Provides data representation.
Session            Manages node-to-node communications. Session svcs: checkpointing, activity mgmt, etc.
Transport (TCP)    Provides node-to-node logical connections. End-to-end data integrity.
Network (IP)       Defines routes for messages. Switches and routes information.
Data Link          Defines physical address and protocol. Transmits information as groups of bits.
Physical           Establishes electrical and timing specifications (hardware). Transmits a bit stream over the physical medium.
Diagram labels: Wiring Plant, End user's screen, Netscape or Internet Explorer, Other Applications, Repeater, Firewall, Router, Bridge.
TCP/IP
• Is not a single protocol.
• A suite of protocols - each providing a specific function.
• Spans two layers of the OSI model.
Diagram: the OSI Model layers (Physical, Data Link, Network, Transport, Session, Presentation, Application), with Internet Protocol at the Network layer and Transmission Control Protocol at the Transport layer, and above them: File Transfer Protocol, TelNet, Network File System, Network Information Svc, Remote Procedure Call, Simple Mail Transport Protocol, Netscape or Internet Explorer, Other Applications.
OSI Application Messages
• Flows down through the OSI stack on Host A.
• Across the network connection.
• Flows up the OSI stack on Host B.
• On the transmitting device, each layer appends its own header (containing fields) to the original message.
• On the receiving device, each layer strips off its corresponding header.
Diagram: Host A (Atlanta) and Host B (Omaha), each with the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical); the Data passes down Host A's stack, across the network, and up Host B's stack.
The Internet Protocol
• Every computer attached to the internet must have a unique address.
• An IP address is requested from, assigned, and tracked by InterNIC.
– Each IP address is composed of 32 bits, arranged as 4 8-bit octets.
192.168.1.1
– Internet messages can vary in length from several hundred bytes to 65.565 bytes.
– A long message will be broken into multiple smaller packets.
– Each packet contains a header reflecting the 32-bit source and 32-bit destination address.
– IP does not guarantee the source or destination address, or that a packet was delivered, delivered only once, or in the correct order.
– Authentication, sequencing, and security are provided by higher layer protocols.
IP Addressing
Diagram: The Internet in 1969 - The Pentagon (Unisys), MIT (DEC), Lockheed (IBM) and Georgia Tech (HP), each attached to ARPANET via TCP/IP, with example addresses 100.100.010.001, 100.200.030.001, 100.100.030.001 and 100.100.010.123.
TCP
TCP provides reliable connections to end hosts.
– The ordering is provided by a sequence number in each packet.
– Every TCP message is marked as being from a particular host and port number, to a destination host and port number.
– Hosts “listen” on software ‘ports’ to determine the type of service needed by the packet.
Diagram: packet layout - Source Address | Destination Address | Protocol-related Fields (Source Port, Destination Port, Seq#) | Data.
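As an added worked example (not code from the original slides), here is a toy model of the fields described in the IP and TCP slides above: a message is split into packets carrying 32-bit source and destination addresses plus TCP-style port and sequence fields, the network delivers them out of order and one of them twice, and the receiver uses the sequence number to put the message back together. The addresses, ports and message text are constructed sample values.

```python
# Added example, not from the original slides: a toy model of the packet
# fields described above. A long message is split into packets carrying
# 32-bit source/destination addresses plus TCP-style ports and a sequence
# number; the "network" delivers them out of order and one of them twice
# (IP guarantees neither), and the receiver reassembles by sequence number
# (TCP's job). Addresses, ports and the message are constructed samples.
import random
import struct

HEADER = struct.Struct("!4s4sHHI")  # src IP, dst IP, src port, dst port, seq#

def ip_to_bytes(addr):
    """Pack a dotted-quad address into its four 8-bit octets (32 bits)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return bytes(octets)

def fragment(message, src, dst, sport, dport, max_payload):
    """Split a message into packets; each header carries src/dst and a seq#."""
    packets = []
    for seq in range(0, len(message), max_payload):
        header = HEADER.pack(ip_to_bytes(src), ip_to_bytes(dst), sport, dport, seq)
        packets.append(header + message[seq:seq + max_payload])
    return packets

def unreliable_network(packets, rng):
    """Model IP delivery: arbitrary order, and one packet delivered twice."""
    delivered = list(packets) + [rng.choice(packets)]
    rng.shuffle(delivered)
    return delivered

def reassemble(packets, expect_dst):
    """Receiver: keep packets addressed to us, de-duplicate by seq#, then
    concatenate payloads in sequence order; a gap means a packet was lost."""
    by_seq = {}
    for pkt in packets:
        _src, dst, _sport, _dport, seq = HEADER.unpack(pkt[:HEADER.size])
        if dst != ip_to_bytes(expect_dst):
            continue                      # not for this host
        by_seq.setdefault(seq, pkt[HEADER.size:])  # duplicate seq# ignored
    out = b""
    for seq in sorted(by_seq):
        if seq != len(out):
            raise ValueError(f"missing packet before seq {seq}")
        out += by_seq[seq]
    return out

def demo():
    msg = b"Constructed sample message that is longer than one packet payload."
    pkts = fragment(msg, "192.168.1.1", "192.168.1.2", 40000, 80, 16)
    received = unreliable_network(pkts, random.Random(7))
    return reassemble(received, "192.168.1.2")
```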
Domain Name Services
• IP addresses work well for computers - but not for humans.
• Enter the concept of a Domain name. Example: spacelink.msfc.nasa.gov
• It is read by the computer from right to left, as follows:
– The top domain is gov - government.
– The next domain is nasa - NASA.
– The next domain is msfc - Marshall Space Flight Center.
– The last domain is spacelink - a computer running the spacelink program, or it could be the computer’s name.
• Domain Name Servers communicate domain changes/adds/deletes with each other on a regular basis.
EMail
The spacelink.msfc.nasa.gov computer may be an Email server. An example of an Email address for Fred Pfizer on this server might be:
[email protected]
or it could look like this (up to the Email administrator):
[email protected]
Connectivity
• Direct connection
– Normally done through a Local Area Network (LAN) via an Internet Service Provider.
– Connection is constant (24 hrs/day, 7 days/wk).
– Normally provides fastest speed and quickest access.
– Cable modems are a reality. CAUTION!
• Dial-In Connection
– Normally done over a phone line.
– Slower speed than a LAN or cable modem.
Response times are a function of the ISP’s Internet connection as well as your local connection speed.
The World Wide Web
• Fastest growing part of the Internet.
• “Surfing” the net
• Globally connected
• Operates as a ‘client/server’
– You run a web browser on your PC.
– The browser contacts a Web server and requests information.
You have now become an extension of the Internet.
“Home Pages”
• Identify and personalize an entity on the WWW.
• They can incorporate text, graphics, sound, etc….
• They are connected using the hypertext protocol (http).
• They are created using a Hypertext Markup Language (HTML).
• JAVA: mini applications included in HTML as tags that execute on the browser.
• Perl is similar.
Diagram: the Application, Presentation and Session layers, with the end user's screen, Netscape or Internet Explorer, and other applications.
Internet Tool Examples
• Gopher
• Telnet
• File Transfer Protocol
• Web Crawlers
• WHOIS
• Ping
• Traceroute
A good tool + a good guy = good things.
A good tool + a bad guy = bad things.
Hacking Tool Examples
• Rootkit
• COPS
• SATAN
• PRIEST
• BackOrifice
• BackOrifice2K
All are available for download from the Internet.
Routing
Diagram: Network 1 - Router - Network 2. Example of two networks interconnected by a router. One network can only see transmissions from the other network if the router allows it.
Routing Protocols
Routers communicate paths between themselves with routing protocols. This way they always know the shortest path between two hosts (hops) and what paths are available.
Let’s say you’re on the INET in Omaha and attach to a server in SF.
One potential router path might be: Omaha-St Louis-LA-SF
Another path might be: Omaha-NYC-Atlanta-SF
Yet a third path could be: Omaha-Minneapolis-Atlanta-SF
Diagram: a workstation in Omaha, with routers at Omaha, St. Louis, N.Y.C., Minneapolis, L.A., Atlanta and San Francisco.
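The hop-count idea above, as an added example that is not part of the original slides: a breadth-first search over a constructed link map built from the three example paths (the map is an assumption, not real topology), returning the fewest-hop route and every alternative route a packet might take, where each hop is one more router handling the traffic.

```python
# Added example, not from the original slides: the router-path idea above
# worked through on a constructed link map of the cities the slide names.
# A router picks the path with the fewest hops; the slide's three routes
# all take three hops, so any of them may be chosen, and every router on
# the chosen route handles the packet. The link list is an assumption
# built from the three example paths, not real topology.
from collections import deque

# Constructed links, one per adjacent pair in the slide's example paths.
LINKS = [
    ("Omaha", "St Louis"), ("St Louis", "LA"), ("LA", "SF"),
    ("Omaha", "NYC"), ("NYC", "Atlanta"), ("Atlanta", "SF"),
    ("Omaha", "Minneapolis"), ("Minneapolis", "Atlanta"),
]

def build_graph(links):
    """Undirected adjacency map: links carry traffic both ways."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def shortest_path(graph, start, goal):
    """Fewest-hop path by breadth-first search; None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):   # sorted for determinism
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def all_simple_paths(graph, start, goal, path=None):
    """Every loop-free route; each one is a different set of routers a
    packet (or one fragment of a larger message) might actually traverse."""
    path = [start] if path is None else path + [start]
    if start == goal:
        return [path]
    routes = []
    for nxt in sorted(graph.get(start, ())):
        if nxt not in path:
            routes.extend(all_simple_paths(graph, nxt, goal, path))
    return routes

def hops(path):
    """Number of router-to-router links; each is a potential interception point."""
    return len(path) - 1
```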
Routing Concerns
Every hop along the way becomes a potential breach of security.
Also remember:
- a large message will be broken up into multiple packets, with each packet potentially taking a different path to your PC.
Diagram: routers at S.F., L.A., Minneapolis, Chicago, St. Louis, Omaha, Dallas, N.Y.C. and Atlanta.
Domain Name Servers
• In the previous example, assume each site had a Domain Name Server.
– Each DNS contains a listing of other DNS’s in their area.
– As your search propagates from one DNS to another, the risk of packet interception increases.
– Imagine the potential for disaster if a DNS were compromised.
• Imagine if a host site had multiple servers and one of them was compromised.
– Once compromised, the hacker now has ‘inside’ details on other servers served by that server.
– And the saga continues through other servers, into other servers, etc.
Security Summary
Potential security holes include:
– Connecting to the Internet
– Redundancy in connectivity between routers (routing protocols).
– IP addressing (source and destination)
– TCP port address (source and destination)
– DNS table update protocol
– Network tools
– Passwords
– Non-encryption of messages
Firewalls
• A firewall is a device designed to prevent outsiders from accessing your network. They can also be used internally to isolate one network from another.
• They allow you to grant or deny access based on many variables (rules). These rules are set in the firewall, based on your Security Policy.
• Two basic types of firewalls:
– Network level
– Application gateway
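As an added example (not from the original slides), a minimal first-match rule evaluator of the kind a network-level firewall applies: rules are derived from the security policy, the first matching rule decides, and a packet matching no rule is denied, so the starting posture is minimum passthrough rather than the "anything goes" default that the policy slides warn about. The networks, addresses and services are constructed samples.

```python
# Added example, not from the original slides: a minimal first-match rule
# evaluator of the kind a network-level firewall applies. Rules are written
# from the security policy and checked in order; the first match decides,
# and a packet matching no rule is denied (minimum passthrough) instead of
# the "anything goes" posture of having no policy. Networks, addresses and
# services below are constructed samples, not a real configuration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port (the service being requested)

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR network, or "any"
    dst: str                     # CIDR network, or "any"
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every port
    comment: str = ""            # why the policy has this rule

def in_net(addr, cidr):
    """True if addr falls inside cidr ("any" matches every address)."""
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def matches(rule, pkt):
    return (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def decide(rules, pkt):
    """First matching rule wins; no match at all means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "no matching rule (default deny)"

# Constructed policy: a public web server, internal DNS, and nothing else.
POLICY = [
    Rule("deny", "any", "any", "tcp", 23, "telnet sends passwords in the clear"),
    Rule("allow", "any", "203.0.113.10/32", "tcp", 80, "public web server"),
    Rule("allow", "any", "203.0.113.10/32", "tcp", 443, "public web server"),
    Rule("allow", "10.1.0.0/16", "10.1.0.53/32", "udp", 53, "LAN to internal DNS"),
]

# What "no policy" looks like as a rule set: everything is permitted.
ANYTHING_GOES = [Rule("allow", "any", "any", "any", comment="no policy at all")]
```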
Selecting a Firewall
There are 6 general steps to selecting a Firewall that’s right for your environment.
1) Identify your topology, applications, and protocol needs.
2) Analyze trust relationships within your organization.
3) Develop security policies based on these trust relationships.
4) Identify the right firewall for your specific configuration.
5) Employ the firewall correctly.
6) Test your firewall policies religiously.
Security Policy Development
a.k.a. inventing the wheel
A Security Policy is:
A set of instructions that, collectively, determines an organization’s posture towards security. They set the limits of acceptable behavior, and what the response to violations will be.
Remember ….
Whether a security policy is formally spelled out or not, one always exists.
If nothing else is said or implemented, the default policy is:
ANYTHING GOES!
Network Security . . . . A Journey, not a destination.
View security as a critical business process to address the ever-changing risk environment.
It is not a program, but a process.
Use a combination of Techniques, Tools and Products.
If the only tool you’ve got is a hammer, it’s amazing how many problems start looking like nails.
Security Decisions
Decide what is, and is not, permitted.
This process is normally driven by the business or structural needs of the organization, such as:
– An edict that bars personal use of corporate computers.
– Restrictions on outgoing traffic (employees exporting valuable data).
– Not allowing a specific protocol because it cannot be administered securely.
– Not allowing employees to import software without proper permission (licensing issues, viruses, etc).
This philosophy extends to opposite ends of the scale:
“We’ll run it unless, and until, you can show me that it’s broken.”
“Show me it’s both safe and necessary, otherwise we won’t run it at all.”
Fundamental Premise
Anyone can break into anything if they have sufficient:
Motivation - They have to want to do it.
Skill - They have to be good enough to understand and pierce the defenses.
Opportunity - They have to have enough access to the defenses for long enough to penetrate them.
Identify Resources
• It’s difficult to protect something you don’t know you have - or know what it’s worth.
• Identify all resources to be protected, such as:
– Mainframes
– Servers and Workstations (including laptops)
– Interconnection devices (gateways, routers, bridges, hubs, etc.)
– Terminal servers
– Network and applications software
– Network cables
– Information in files and databases
Ask Yourself
• What resources are you trying to protect, and why?
• Which people do you need to protect the resources from?
– Internal threats
– External threats (Perimeter security)
• How likely are the threats?
• How important is the resource?
• What measures can you take to protect your assets in a cost-effective and timely manner?
• Periodically examine your network security policy to see if your objectives and network circumstances have changed.
Understand the Bad Guy!!
Identify the Threats
An understanding of the technology is important, but common sense is equally valuable in stopping potential security threats.
– Define Authorized Access
• Physical access to computing facilities.
• Access to computers.
• “Borrowing” another user’s account/password (Training and Policy issues).
– Identify the Risk of Information Disclosure
• Determine the value or sensitivity of the information stored on your computers.
• Encrypt password files.
• Use minimum 8-character passwords (mixed alpha/numeric, upper/lower case).
• Change passwords on a regular basis.
• Don’t forget laptops.
Network Use & Responsibilities
• Who is allowed to use the network?
• What is the proper use of network resources?
• Who is authorized to grant access and approve usage?
• Who has system administrative privileges?
• What are the user’s rights and responsibilities? (In WRITING?)
• What are the rights and responsibilities of the system administrator vs. those of the users? (In WRITING).
• What do you do with sensitive information?
• Outdated IP listings and network drawings?
• Crashed hard drives?
• Network documentation?
• Off site storage of backups and their transportation?
Plan of Action
• Develop a plan of action for when a security policy is violated.
– Response to security violations from the ‘outside’.
– Response to security violations by local users (from the inside).
– Response strategies.
– Define the responsibilities of being a good citizen on the Internet.
– Contacts and responsibilities to external organizations (CERT, etc).
Identify and Prevent Security Problems
• Access points.
• Improperly configured systems.
• Software bugs and patches.
• Insider threats.
• Physical security.
• Confidentiality.
Publicize the Policy
• How to ‘Get the Word Out’:
– Committee input for policy creation.
– Training.
– User Mailing lists.
– Committee review of the policy on a regular basis.
– Signed policy commitment by all employees.
• Keep on file.
Additional Administration
• Understand firewall and router functions and limitations.
• Understand your needs and what you’re trying to protect.
• Have your firewall and routers professionally installed. Initially configured for minimum passthrough.
• Monitor all Firewall and UNIX/NT logs, and router tables.
• Implement automatic corrective action - where possible.
• Continuous ‘real time’ monitoring of all network devices, applications, and databases.
• Immediate installation of patches and other software updates.
Disaster Planning
What would you do if you drove into the parking lot tomorrow and the building was gone?
An interesting fact:
Of the 350 firms that had Corporate offices in the World Trade Center, 150 were out of business 8 months after the terrorist bombing.
It wasn’t that they lost information - they had no redundancy (disaster plan) that allowed them to run their business from another location.
Security = Disaster Planning
The same information derived from your security assessment can be used for disaster planning and business recovery.
– Identify key hardware, software, and information.
– Identify key personnel.
– Identify a backup location and keep backups off-site.
– Document all configuration, including:
• hardware installation parameters
• software installation parameters
• file server and workstation boot files
• file/print/FAX/communications server parameters (phone line rollover?)
• application settings and installation parameters
• user access rights
• backup and virus parameters
Who’s in charge?
Any plan must include staffing. It should also include standardization.
Reading Materials
Maximum Security (2nd Edition). Author: Anonymous. Publisher: SAMS. ISBN: 0-672-31341-3
Firewalls and Internet Security - Repelling the Wily Hacker. Authors: W. Cheswick and S. Bellovin. Publisher: Addison-Wesley. ISBN: 0-201-6337-4
Internet Firewalls and Network Security. Authors: K. Siyan and C. Hare. Publisher: New Riders Publishing. ISBN: 1-56205-437-6