
Dr. Adeel Akram
UET Taxila
Securing Enterprise Network Infrastructure
(Towards secure internetworking on Pakistan Educational Research Network)
Outline
► Introduction to Enterprise Network
► Enterprise Network Architectures
► Securing Enterprise Networks
► Enterprise Network Security Requirements
► Pakistan Educational Research Network
► Type of Network Attacks and Vulnerabilities
► Case Studies
   Hacking of Educational and Govt. Websites
► Lessons Learnt
► Recommendations
Introduction to Enterprise Network
► An enterprise network is the network that allows
  communication and resource sharing among all of
  a company's business functions and workers.
► In some cases the enterprise network even
  includes the company's suppliers, contractors and
  distributors.
► It consists of hardware, software and media
  connecting information technology resources of an
  organization.
Enterprise Network Architectures
Securing Enterprise Networks
Enterprise Network Security Requirements
► Network security has become increasingly
  difficult to manage and evaluate, even as
  industry and government compliance
  requirements have become more demanding.
Enterprise Network Security Requirements
► Network threats are real and costly.
  Internal and external vulnerabilities can
  cause business disruption, loss of revenue,
  or loss of operational efficiency.
► Because network security can be breached
  from both internal and external sources,
  traditional perimeter firewalls are not
  enough to protect the network.
Enterprise Network Security Requirements
► Enterprise networks require new network
  security tools, network appliances, and
  professional services to secure large and
  small networks.
► The following slides show key components
  of network security that are now required in
  all organizations to secure their networks:
Enterprise Security Key Components
► Unified Threat Management (UTM) Firewalls
► Network Access Control (NAC), or Role-based
  Networking
► Mobile Computer Client Protection
► Event Correlation and Log Analysis
► Layer-7 Visibility and Packet Analysis
► Managed Services
Enterprise Network Security Requirements
► Unified Threat Management (UTM) Firewalls
   It is too costly and operationally inefficient to
   add on each separate component as security
   threats emerge. Today's solutions use multiple
   scanning methods and multiple defense layers
   in high-throughput appliances. IDS/IPS, anti-virus,
   content filtering, VPN, anti-spam, P2P control,
   etc. all need to be included in a network
   security solution.
Enterprise Network Security Requirements
► Network Access Control (NAC), or Role-based
  Networking
   Creating differentiated network services based on
   individual access requirements is the key. The era
   in which every user can browse every network
   resource should be over. Role-based networking
   is required to limit visibility of networks, servers,
   and TCP/IP ports and protocols, regardless of the
   user's point of entry into the network.
Enterprise Network Security Requirements
► Mobile Computer Client Protection
   Also referred to as "Mobile NAC": all network
   devices that can leave and join the network
   need accountability and control regardless of
   location. The ability to control laptops, PDAs,
   and other mobile devices when they are not
   connected to a VPN session is a key requirement.
Enterprise Network Security Requirements
► Event Correlation and Log Analysis
   Security threats cannot be stopped by reviewing
   logs only in "post-mortem" analysis. To stop
   "zero-day" threats, the network needs event
   correlation and adaptive-response tools. While
   SNMP reporting tools are important for network
   engineers responsible for network health, other
   tools are required to correlate client, server, and
   firewall activity with the application processes
   running on the hosts.
Enterprise Network Security Requirements
► Layer-7 (Application Layer) Visibility and
  Packet Analysis
   The ability to classify all applications regardless of
   port and protocol is essential for both security and
   performance analysis. In-line devices for analyzing
   and reporting network traffic across all OSI layers
   are essential for compliance, security assessment,
   and resolving performance issues.
Enterprise Network Security Requirements
► Managed Services
   Many companies cannot become experts in
   cyber security, PC/server management,
   regulatory compliance, and disaster recovery.
   But even small businesses are affected by
   critical data security threats and technology
   maintenance hurdles that detract from their core
   business goals. Managed services offer this
   expertise on a contractual basis.
Educational Enterprise Network
► Pakistan Education and Research Network
Pakistan Educational Research Network
► PERN (Pakistan Education and Research
  Network) is the national research and
  education network of Pakistan, which
  connects the premier educational and research
  institutions of the country.
Pakistan Educational Research Network
► PERN focuses on collaborative research,
 knowledge sharing, resource sharing, and
 distance learning by connecting people
 through the use of Intranet and Internet
 resources.
Pakistan Educational Research Network
Types of Network Attacks
Source: Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
Top Application Vulnerabilities
Source: Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
Top Attack Outcomes
Source: Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
Hacking Statistics for .gov.pk
Hacking Statistics for .edu.pk
Cyber Attack Response Procedure
The procedure is a cycle:
► Detect attack source
► Seal crime scene / preserve system state
► Activate auditing / gather suspect traces
► Estimate attack losses
► Report to security agencies
► Prevent attack / plan response
FBI Cybercrime Investigation Procedure

► To ensure that your organization can react to an
  incident efficiently, make sure that staff know
  who is responsible for cyber security and how to
  reach them.
► The following steps will help you document an
  incident and assist federal, state, and local law
  enforcement agencies in their investigation (be
  sure to act in accordance with your organization's
  policies and procedures):
 Preserve the state of the computer at the time
  of the incident by making a backup copy of
  logs, damaged or altered files, and files left by
  the intruder.
 If the incident is in progress, activate auditing
  software and consider implementing a
  keystroke monitoring program if possible.
 Document the losses suffered by your organization
  as a result of the incident. These could include:
   ► estimated number of hours spent in response/recovery
   ► cost of temporary help
   ► cost of damaged equipment
   ► value of data lost
   ► amount of credit given to customers for inconvenience
   ► loss of revenue
   ► value of any trade secrets

To report an incident to the FBI, you can submit a tip report at https://tips.fbi.gov
National Response Centre For Cyber Crimes
► NR3C CERT (Computer Emergency Response Team)
► Forensic Lab
► R&D
► Implementation of Standards & Procedures
► Media and Projection Cell
► Technology Development Center
► Network Operations & Security
► Liaison with LEA(s) & public/private sector organizations
► Trainings & Seminars
► Legal Regularity & Issues
To report an incident to the NR3C visit: http://www.nr3c.gov.pk
Federal Investigation Agency Headquarters
Sector-G-9/4, Islamabad
Ph. 051-9261686, Fax. 051-9261685
Case Studies
► UET Taxila – Internal Website(s) Hacked
► HEC Website(s) – Hacked
► LUMS Website(s) – Hacked
► Ministry of Information and Broadcasting
  Website – Hacked
► FIA's National Response Center for Cyber
  Crime Website – Hacked
UET Taxila Website(s) Hacked
UET Taxila's internal website http://uet.homeip.net was hacked in 2006!
Email from Hackers
The Next Day
Searched for traces of the hackers:
► Event Viewer
   Application logs
   System logs
   Security logs
► User Manager
   Any account modifications
   New account creation
   Rights requests
Checked Systems for Trojan Horses
► See if any backdoor was created on the
  system
► Try to figure out how the hackers managed
  to compromise the system
► Check Task Manager for any suspicious
  running process
► Check system and firewall security logs
Search the Logs
Checked logs on the DHCP server
► Cross-checked the MAC address of the hackers
  from their IP 169.254.2.57
   00-01-02-08-37-A8
Checked Hostel Switch Logs
► Went to the hostel switch and checked which
  switch port this MAC address is bound to
   Port number 31 on the switch
► Consulted the hostel network diagrams to
  find the room number for port #31
   Room number 41
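The trace above (suspect IP, then MAC address from the DHCP server, then switch port from the MAC table, then room from the wiring diagram) is the same three lookups every time, so it is worth scripting. The following is an added example, not code from the slides or from UET Taxila; every record in it is constructed in the style of a Windows DHCP server audit log, a Windows `arp -a` listing and a Cisco `show mac address-table`, and the port-to-room map stands in for the hostel wiring diagram. One caveat a practitioner should carry in mind: 169.254.0.0/16 is the self-assigned (APIPA) range a host falls back to when it gets no lease, so such an address may never appear in the DHCP log at all; the example therefore falls back to the gateway's ARP cache, which still records the MAC. A MAC can also be spoofed and a switch forgets an idle address after its aging time, so the result places a port, and the physical check the slides describe is still what closes the case.

```python
"""Trace a suspect IP address to a switch port and a room.

Added example, not from the original slides. All records below are
constructed (assumed formats and values), not real logs.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed lines in the style of a Windows DHCP server audit log.
DHCP_AUDIT_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,09/14/06,21:03:11,Assign,192.168.5.40,lab-pc07,000AE4D3C2B1
11,09/14/06,21:05:02,Renew,192.168.5.41,lab-pc08,000AE4D3C2B2
10,09/14/06,22:18:10,Assign,192.168.5.58,hostel-pc,0001020837A8
"""

# Constructed `arp -a` output from the hostel gateway. 169.254/16 is the
# self-assigned (APIPA) range: a host that never got a lease is absent from
# the DHCP log but still answers ARP, so its MAC shows up here.
GATEWAY_ARP_CACHE = """\
Interface: 192.168.5.1 --- 0x2
  Internet Address      Physical Address      Type
  169.254.2.57          00-01-02-08-37-a8     dynamic
  192.168.5.40          00-0a-e4-d3-c2-b1     dynamic
"""

# Constructed `show mac address-table` output from the hostel access switch.
HOSTEL_SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   5    000a.e4d3.c2b1    DYNAMIC     Fa0/7
   5    000a.e4d3.c2b2    DYNAMIC     Fa0/8
   5    0001.0208.37a8    DYNAMIC     Fa0/31
"""

# Constructed port-to-room map standing in for the hostel wiring diagram.
PORT_TO_ROOM = {"Fa0/7": "Room 12", "Fa0/8": "Room 12", "Fa0/31": "Room 41"}

NON_HEX = re.compile(r"[^0-9a-fA-F]")
ARP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F-]{17})\s+(\w+)")
MAC_TABLE_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\w+)\s+(\S+)")


def normalize_mac(mac: str) -> str:
    """00-01-02-08-37-A8, 0001.0208.37a8 and 0001020837A8 all become 0001020837a8."""
    digits = NON_HEX.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def macs_from_dhcp(log: str, ip: str) -> Set[str]:
    """Every MAC the DHCP server ever tied to `ip` (a renewed lease may move)."""
    macs = set()
    for line in log.splitlines():
        f = line.split(",")
        if len(f) >= 7 and f[4] == ip and f[6]:
            macs.add(normalize_mac(f[6]))
    return macs


def macs_from_arp(arp: str, ip: str) -> Set[str]:
    """MACs the gateway currently resolves `ip` to."""
    macs = set()
    for line in arp.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(1) == ip:
            macs.add(normalize_mac(m.group(2)))
    return macs


def port_for_mac(table: str, mac: str) -> Optional[str]:
    """Access port the switch learned `mac` on; None if the switch never saw it."""
    for line in table.splitlines():
        m = MAC_TABLE_LINE.match(line)
        if m and normalize_mac(m.group(2)) == mac:
            return m.group(4)
    return None


def trace_ip(ip: str, dhcp_log: str = DHCP_AUDIT_LOG, arp_cache: str = GATEWAY_ARP_CACHE,
             mac_table: str = HOSTEL_SWITCH_MAC_TABLE, port_map: Dict[str, str] = PORT_TO_ROOM) -> Dict:
    """IP -> MAC (DHCP log first, gateway ARP cache as fallback) -> switch port -> room."""
    macs, source = macs_from_dhcp(dhcp_log, ip), "dhcp"
    if not macs:
        macs, source = macs_from_arp(arp_cache, ip), "arp"
    hits: List[Dict] = []
    for mac in sorted(macs):
        port = port_for_mac(mac_table, mac)
        hits.append({"mac": mac, "port": port,
                     "room": port_map.get(port, "unmapped port") if port else None})
    return {"ip": ip, "source": source if macs else None, "hits": hits}


if __name__ == "__main__":
    print(trace_ip("169.254.2.57"))
```

Run as-is, the script resolves the APIPA address through the ARP cache to port Fa0/31 and Room 41; a lease-holding address resolves through the DHCP log, and an address no device ever used comes back with an empty hit list and no source.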
Hackers Caught Red-Handed
Website Restored to Original State
Observations
► The site was hacked by our own students,
  who were doing an internship in the Network
  Center on Windows Server administration.
► They were also developing the student-portal
  website on the same server and had been given
  administrative rights on the web server.
► They misused those rights to hack the site.
The defacing of UET Taxila's
Examination website in August 2007
http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/
Hacked by Whom?
► Five main IP addresses used the URL responsible
  for the hack and planted the pages on our alpha
  web server:
   • 202.86.249.21
   • 202.86.248.23
   • 74.6.25.141
   • 88.254.235.5
   • 85.106.249.98
Guess What!
► Who owns this IP address? 202.86.249.21
► Pakistan
Whois 202.86.249.21
► WHOIS - 202.86.249.21
► inetnum: 202.86.249.0 - 202.86.249.255
► netname: DIALLOG
► descr: Great Bear International Services (Pvt) Ltd, Wireless Local Loop
► descr: CDMA Operator, Pakistan
► country: PK
► person: Artem Orange
► nic-hdl: AO71-AP
► e-mail: artem@diallog.com.pk
► address: Great Bear International Services (Pvt) Ltd
► address: 106-E, Asif Plaza 3rd & 4th Floor
► address: Fazal-ul-Haq Road, Blue Area,
► address: Islamabad
► phone: +92 51 2806222
► country: PK
► changed: artem@diallog.com.pk 20060111
► mnt-by: MAINT-PK-DIALLOG
► source: APNIC
Who owns the 2nd attacker IP?
► Who owns this IP address? 202.86.248.23
► Singapore
Whois 74.6.25.141
► WHOIS - 74.6.25.141
► OrgName: Inktomi Corporation
► OrgID: INKT
► Address: 701 First Ave
► City: Sunnyvale
► StateProv: CA
► PostalCode: 94089
► Country: US
► NetRange: 74.6.0.0 - 74.6.255.255
► CIDR: 74.6.0.0/16
► NetName: INKTOMI-BLK-6
► NetHandle: NET-74-6-0-0-1
► Parent: NET-74-0-0-0-0
► NetType: Direct Allocation
► NameServer: NS1.YAHOO.COM
► RAbuseEmail: network-abuse@cc.yahoo-inc.com
Whois 85.106.249.98
► WHOIS - 85.106.249.98
► Location: Turkey (high) [City: Adana, Adana]
► inetnum: 85.106.128.0 - 85.106.255.255
► netname: TurkTelekom
► descr: TT ADSL-alcatel dynamic_ulus
► country: tr
► admin-c: BADB3-RIPE
► tech-c: ZA66-RIPE
► status: ASSIGNED PA
► mnt-by: as9121-mnt
► notify: ipg@telekom.gov.tr
► changed: ipg@telekom.gov.tr 20070220
► source: RIPE
► role: TT Administrative Contact Role
► address: Turk Telekom
► address: Network Direktorlugu
► address: Aydinlikevler
► address: 06103 ANKARA
► phone: +90 312 555 1927
► fax-no: +90 312 313 1924
► e-mail: abuse@ttnet.net.tr
► source: RIPE
Whois 88.254.235.5
► WHOIS - 88.254.235.5
► Location: Turkey (high) [City: Adana, Adana]
► inetnum: 88.254.128.0 - 88.254.255.255
► netname: TurkTelekom
► descr: TT ADSL-alcatel dynamic_ulus
► country: tr
► admin-c: TTBA1-RIPE
► tech-c: TTBA1-RIPE
► status: ASSIGNED PA
► mnt-by: as9121-mnt
► notify: ipg@telekom.gov.tr
► changed: ipg@telekom.gov.tr 20070220
► source: RIPE
► role: TT Administrative Contact Role
► address: Turk Telekom
► address: Bilisim Aglari Dairesi
► address: Aydinlikevler
► address: 06103 ANKARA
► phone: +90 312 313 1950
► fax-no: +90 312 313 1949
► e-mail: abuse@ttnet.net.tr
► source: RIPE
How was it done?
► An ASP shell script, CP5.asp, was planted
  under the folder
  http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/,
  which had write rights on it and directory
  browsing turned on.
► Our firewall logs showed that the first call
  to the malicious ASP page was made on
  30/Aug/2007 at 14:45:24 PST.
Home of CyberSpy 5 (CP5.asp)
CP5.asp Removed from Server!
► I didn't understand the Turkish language, but
  the icons were intuitive enough to indicate that
  the [icon] means Delete ("sil") and the [icon]
  means Download ("indir").
► So, after downloading CP5.asp for my personal
  interest and further investigation, I deleted
  cp5.asp using its own page.
► Thanks to the author of CP5 for the self-destruct
  feature ;-)
Observations
► The CP-5 (CyberSpy 5) ASP shell script was
  planted, intentionally or unintentionally, in the
  Examination website by someone with physical
  access to the server.
► The network supervisors of the exam branch did
  not admit their fault.
► CyberSpy 5 is now detected by newer antivirus
  products as PhP/C99Shell.A.Trojan and ASP/Ace.DC.Trojan.
What security measures were taken?
► As the first step in reviving the
  web.uettaxila.edu.pk website, all traffic for
  web.uettaxila.edu.pk was redirected to
  www.uettaxila.edu.pk, so that the original
  website contents were served from our hosted
  services server directly instead of from the
  local hacked server.
What security measures were taken?
► Browsed through the IIS Service Manager
  on the hacked server to check the rights on all
  folders related to the website.
► Removed write rights for IUSR_ALPHA on all
  folders.
► Changed the default web page at
  web.uettaxila.edu.pk from index.htm to
  index1.asp.
What security measures were taken?
► Backed up the hacked pages and emailed them
  to my account for further investigation.
► I deleted the hacked index.htm file and
  restored the original files from the hosted
  services server to the local hacked server.
► At this point the hackers tried to reinstall their
  defaced page on our server by overwriting
  index.htm with it.
What security measures were taken?
► As the web server was now set to serve
  index1.asp instead of index.htm, the defaced
  page was no longer visible on the main page.
► The hackers realized that they should leave
  the server.
► As a protective measure, we added all the IP
  ranges of the hackers' address blocks to the
  firewall block list.
► In future they will not be able to use the same
  addresses to access our server.
What security measures were taken?
► The domain accounts of all users were
  checked for their security privileges.
► Unnecessary administrative group members
  were removed.
► Passwords were changed on all
  administrative accounts.
► anonymous@uettaxila.edu.pk was removed.
Response to the Hackers
► Used network forensic tools to track the hackers
► Used OS fingerprinting to identify the types of
  systems used by the attackers
► Tried to gain access to their network resources
► Tried to get personal information about the hackers
Who owned 88.254.235.5?
This is the ADSL router of the attacker in Turkey
(a ZyXEL ADSL router on the Turkish IP).
I changed its old password for future communication.
Suggestions and Comments
► Routine checking of firewall logs should be
  performed to spot suspicious requests for URLs
  on the server.
► All servers should be moved behind a UTM firewall.
► The intrusion prevention system on the UTM should be
  configured to detect and block such attacks in future.
► The ISPs concerned and the security agencies should be
  contacted for logs in order to identify the owners of
  these attacker IP addresses.
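Both the "Hacked by Whom?" list of source addresses and the first suggestion above come down to one search over the web server's own logs: which clients requested a script file under a directory that should only serve downloads, and when did it start. The following script is an added example (not code from the slides or from UET Taxila) that runs that search over constructed IIS W3C log lines echoing the path, timestamp and addresses the slides report; the field layout, the `UPLOAD_DIRS` list and every request line are assumptions. It keys on requests for the shell itself rather than for the defaced index page, so a client that merely fetched the defacement, as a search-engine crawler would (the whois on the page places 74.6.25.141 in Inktomi/Yahoo space), does not land in the attacker list. It also flags a 200 for a bare directory under the upload tree: with directory browsing on and no default document, that listing is how an attacker finds what was uploaded.

```python
"""Find web-shell activity in IIS W3C extended log lines.

Added example, not from the original slides. The log below is constructed
(assumed field layout and request lines), echoing the path, timestamp and
source addresses the case study reports.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-08-30 14:40:02 202.83.170.10 GET /uet/UETsub/uetDownloads/examination/result2007.pdf - 200
2007-08-30 14:45:24 202.86.249.21 GET /uet/UETsub/uetDownloads/examination/CP5.asp - 200
2007-08-30 14:45:31 202.86.249.21 POST /uet/UETsub/uetDownloads/examination/CP5.asp act=upload 200
2007-08-30 15:02:17 88.254.235.5 GET /uet/UETsub/uetDownloads/examination/ - 200
2007-08-30 15:02:40 88.254.235.5 GET /uet/UETsub/uetDownloads/examination/cp5.asp - 200
2007-08-30 15:10:05 74.6.25.141 GET /uet/index.htm - 200
2007-08-31 09:12:55 85.106.249.98 GET /uet/UETsub/uetDownloads/examination/CP5.asp act=cmd 200
"""

# Assumed: directories that should only ever serve static downloads (lowercase,
# because IIS paths are case-insensitive), and the extensions IIS 6 hands to a
# script engine, plus PHP/CGI in case those handlers are installed.
UPLOAD_DIRS = ("/uet/uetsub/uetdownloads/",)
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".asax", ".cer", ".cdx", ".php", ".cgi")


def parse_iis_log(log: str) -> Iterator[Dict[str, object]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can change mid-file; honour the latest
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                            # malformed, or no header seen yet
        rec: Dict[str, object] = dict(zip(fields, parts))
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["path"] = str(rec["cs-uri-stem"]).lower()   # CP5.asp and cp5.asp are one file
        yield rec


def in_upload_dir(path: str, upload_dirs: Tuple[str, ...] = UPLOAD_DIRS) -> bool:
    return any(path.startswith(d) for d in upload_dirs)


def find_script_hits(log: str, upload_dirs: Tuple[str, ...] = UPLOAD_DIRS,
                     exts: Tuple[str, ...] = SCRIPT_EXTS) -> Dict[str, Dict]:
    """Requests for script files under upload-only directories.

    Returns {path: {"first_seen": datetime, "clients": {ip: request_count}}},
    i.e. when the shell was first called and who called it.
    """
    hits: Dict[str, Dict] = {}
    for rec in parse_iis_log(log):
        path = str(rec["path"])
        if in_upload_dir(path, upload_dirs) and path.endswith(exts):
            entry = hits.setdefault(path, {"first_seen": rec["when"], "clients": defaultdict(int)})
            entry["first_seen"] = min(entry["first_seen"], rec["when"])
            entry["clients"][rec["c-ip"]] += 1
    return {p: {"first_seen": e["first_seen"], "clients": dict(e["clients"])}
            for p, e in hits.items()}


def find_directory_listings(log: str, upload_dirs: Tuple[str, ...] = UPLOAD_DIRS
                            ) -> List[Tuple[datetime, str, str]]:
    """Successful requests for a bare directory under the upload tree.

    Without a default document, a 200 here is only possible with Directory
    Browsing enabled, which is what let the attacker see what was uploaded.
    """
    return [(rec["when"], str(rec["c-ip"]), str(rec["path"]))
            for rec in parse_iis_log(log)
            if in_upload_dir(str(rec["path"]), upload_dirs)
            and str(rec["path"]).endswith("/") and rec["sc-status"] == "200"]


if __name__ == "__main__":
    for path, info in find_script_hits(IIS_LOG).items():
        print(path, "first seen", info["first_seen"], "clients", info["clients"])
    for when, ip, path in find_directory_listings(IIS_LOG):
        print("directory listing", when, ip, path)
```

On the constructed log the only script hit is cp5.asp, first seen at 14:45:24 on 30 August, with three distinct client addresses and a single directory listing beforehand; the address that fetched only /uet/index.htm never appears, which is the distinction the "Hacked by Whom?" list does not make. Run against real logs, point `UPLOAD_DIRS` at every folder the web server identity can write to.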
HEC Website(s) Hacked
► Domain: http://hjp.hec.gov.pk
   Hacking reported on: 2010-05-19 10:47:33
   Notified by: Ashiyane Digital Security Team
   IP address: 111.68.100.144
   System: Linux
   Web server: Apache
http://hjp.hec.gov.pk
► Domain: http://dev.hec.gov.pk
   Hacking reported on: 2010-07-06 16:50:06
   Notified by: r4diationz
   IP address: 72.249.151.41
   Sub directory: /appsup/submit.asp
   Attack type: Database injection
http://dev.hec.gov.pk
► Domain: http://app.hec.gov.pk
   Hacking reported on: 2010-07-06 16:51:25
   Notified by: r4diationz
   IP address: 72.249.151.41
   Sub directory: /appsup/submit.asp
   Attack type: Database injection
http://app.hec.gov.pk
► Domain: http://sc.hec.gov.pk/aphds/Submit.asp
   Hacking reported on: 2010-02-05 16:09:21
   Notified by: sacred_relic
   IP address: 111.68.100.150
   System: Win 2003
   Web server: IIS/6.0
http://sc.hec.gov.pk
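Two of the HEC entries above record "Database injection" against a submit.asp form handler. The slides give no details of that bug, so the following is an added example of the vulnerability class only (not HEC's code, and not code from the slides): a lookup built by string concatenation, the way classic-ASP handlers often assembled SQL from Request.Form values, beside a parameterised version with input validation in front of it, both run against a constructed SQLite table. The table, the application numbers, the password column and the two payloads are all assumptions made for the demonstration.

```python
"""SQL injection in a form handler: the vulnerable and the fixed lookup side by side.

Added example, not from the original slides or from any HEC application.
The schema, rows and payloads are constructed for the demonstration.
"""
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed applicant table standing in for a real application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants "
                 "(app_no TEXT PRIMARY KEY, name TEXT, status TEXT, password TEXT)")
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?, ?)", [
        ("HEC-2010-0001", "Applicant One", "approved", "s3cret1"),
        ("HEC-2010-0002", "Applicant Two", "pending", "s3cret2"),
        ("HEC-2010-0003", "Applicant Three", "rejected", "s3cret3"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, app_no: str) -> List[Tuple[str, str]]:
    """The bug: the form value is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest of the input becomes SQL."""
    sql = "SELECT name, status FROM applicants WHERE app_no = '" + app_no + "'"
    return conn.execute(sql).fetchall()


# Assumed format for an application number; anything else is rejected up front.
APP_NO_RE = re.compile(r"^HEC-\d{4}-\d{4}$")


def lookup_safe(conn: sqlite3.Connection, app_no: str) -> List[Tuple[str, str]]:
    """The fix: a bound parameter keeps the input as data no matter what it
    contains. The format check is defence in depth, not the thing that stops
    injection; the ? placeholder is."""
    if not APP_NO_RE.match(app_no):
        return []
    return conn.execute("SELECT name, status FROM applicants WHERE app_no = ?",
                        (app_no,)).fetchall()


# Constructed payloads: the first turns the WHERE clause into a tautology and
# returns every applicant; the second uses UNION to pull a column the form was
# never meant to expose, with -- commenting out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT app_no, password FROM applicants--"


if __name__ == "__main__":
    db = make_db()
    for payload in ("HEC-2010-0002", TAUTOLOGY, UNION_DUMP):
        print(repr(payload))
        print("  vulnerable:", lookup_vulnerable(db, payload))
        print("  safe:      ", lookup_safe(db, payload))
```

Running the block prints the normal lookup behaving identically in both versions, then the tautology returning all three applicants and the UNION payload returning every application number with its password from the vulnerable handler, while the parameterised handler returns nothing for either. The same pattern applies unchanged to ADO in classic ASP: use `ADODB.Command` with `Parameters` instead of concatenating `Request.Form` into the query string.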
LUMS Website(s) Hacked
► Domain: http://cmer.lums.edu.pk
   Hacking reported on: 2009-07-12 21:17:08
   Notified by: syniack
   IP address: 203.128.0.46
   System: Linux
   Web server: Apache
http://cmer.lums.edu.pk
► Domain: http://suraj.lums.edu.pk/~lrs/forum/phpBB2
   Hacking reported on: 2006-07-19 15:39:52
   Notified by: SanalYargic
   IP address: 203.128.0.6
   System: Solaris SunOS
   Web server: Apache
http://suraj.lums.edu.pk
► Domain: http://sedp.lums.edu.pk/index2.htm
   Hacking reported on: 2003-08-15 22:39:41
   Notified by: INDIAN TIGERS
   IP address: 203.128.1.242
   System: Win 2000
   Web server: IIS/5.0
http://sedp.lums.edu.pk
► Domain: http://sedp.lums.edu.pk
   Hacking reported on: 2003-08-16 17:38:40
   Notified by: INDIAN TIGERS
   IP address: 203.128.1.242
   System: Win 2000
   Web server: IIS/5.0
http://sedp.lums.edu.pk
Ministry of Information and Broadcasting Website Hacked
► Domain: http://www.infopak.gov.pk
   Hacking reported on: 2010-07-13 09:20:12
   Notified by: Sovalye
   IP address: 174.143.146.58
   System: Win 2003
   Web server: IIS/6.0
http://www.infopak.gov.pk
FIA's National Response Center for Cyber Crime Website Hacked
► Domain: http://www.nr3c.gov.pk
   Hacking reported on: 2010-01-07 16:16:56
   Notified by: ZombiE_KsA
   IP address: 72.9.156.44
   System: Linux
   Web server: Apache
http://www.nr3c.gov.pk
Lessons Learnt
► The faster the network, the more attacks arrive from
  the Internet.
► Greater availability / always-online connectivity
  increases the chances of hacking attacks.
► Internal users are mostly responsible for
  compromising network security.
► Easy availability of hacking scripts has encouraged
  script kiddies to try hacking.
► Lack of regular security audits, shortage of certified
  ethical hackers, and little knowledge sharing.
Recommendations
► Enable role-based network services
► Disable Windows file sharing
► Update the operating system
► Choose strong passwords
► Install and update anti-virus software
► Train the end users to maintain their PCs
► Install a personal firewall and email security apps
► On-demand and startup scans for spyware
► Network Access Control
Tips for End Users
► Deploy Internet security software (FW+AV+UTM)
   ESET NOD32 Business Edition
   TrendMicro Internet Security
   Symantec Endpoint Protection + Network Access Control
► Keep security software updated
► Keep OS and installed software updated
► Report abnormal system behavior to admins
► Enable System Restore and back up the system
Tips for Network and Sys Admins
► Block TCP port 25 except from the mail servers
  (commonly used by spam bots)
► Block TCP port 135 (used by the W32/Blaster worm)
► Block TCP port 445, NetBIOS-DGM, NetBIOS-NS,
  NetBIOS-SSN, Kerberos, LDAP, WINS, RDP and
  ping to/from the WAN
► Turn off File and Printer Sharing for Microsoft
  Networks on the WAN interfaces of all servers
► Install firewall and antivirus software on servers
► Create backups / images of servers
References
► http://www.nle.com
► http://www.networkdictionary.com/networking/e.php
► http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html
► http://www.firewall.cx/firewall_topologies.php
► http://webappsec.pbworks.com/Web-Hacking-Incident-Database
► http://www.zone-h.com/archive
► http://www.dnsstuff.com/tools
► http://www.ip-whois-lookup.com/lookup.php?ip=88.254.235.5
► http://www.hec.gov.pk
► http://www.pern.edu.pk
► http://www.cert.org/tech_tips/FBI_investigates_crime.html
► http://www.insecure.org
► http://www.eeye.com
► https://secure.dshield.org/reports.html
Questions

adeel.akram@uettaxila.edu.pk