Document Sample
CEN-netsec-ppt Powered By Docstoc
    to Network
           November 20th, 2007

Presented by Aliza Bailey and Phil Ames
The Net is NOT the Web

The Internet: TCP/IP, the “road” if you will that
other protocols run on

The Web: one of the “vehicles” that run on this
road. Other vehicles would include email, chat
programs, file transfer programs and protocols, etc.
Your Network

   “A generic term for a number of different types of
malicious code, can include spyware, worms, viruses,
   etc created with the intent of infiltrating a system
without permission and causing destruction, also called
              “Computer Contaminants””
  “A hidden, self-replicating section of
  computer software, usually malicious
logic, that propagates by infecting - i.e.,
     inserting a copy of itself into and
 becoming part of - another program. A
   virus cannot run by itself; it requires
  that its host program be run to make
              the virus active “

“A computer program that appears to have
a useful function, but also has a hidden and
 potentially malicious function that evades
    security mechanisms, sometimes by
  exploiting legitimate authorizations of a
  system entity that invokes the program.”

“Programs designed to log key strokes
    entered by a user on a machine.
When used negatively, this information
 is transmitted to a remote location to
        collect the personal data”
  “A collection of tools (programs)
    that a hacker uses to mask
intrusion and obtain administrator-
   level access to a computer or
         computer network.”
  “A collection of compromised, broadband-
  enabled PC’s hijacked during a worm/virus
  attack and infected with software that links
      them to a server where they receive
“instructions” from a botnet controller. These
     are then used to participate in further
   virus/worm/spam assaults and Denial of
                Service attacks”
   Denial of Service
              aka DoS

   “An event or series of events that
  prevents a system or network from
    performing its intended function”
This can come from a botnet or a more
direct attack. In the basic sense, more
packets or data is sent to a victim than
 the victim can handle and the system
Generic DoS
     Phishing & Spam
    “The use of e-mails that appear to
 originate from a trusted source to trick a
  user into entering valid credentials at a
fake website. Typically the e-mail and the
web site looks like they are part of a bank
 the user is doing business with. Spam is
any unwanted unsolicited message. Spam
          is usually sent via email”
Breaking Down
Eliminate the “Does not apply to me”
         attitude with users
     Breaking Down Barriers
• Users need to be active members of your
  “security team” as they are certainly members of
  your “network abuse” squad
• Educate them now on proper security practices
  and their benefits before they have to learn the
  hard way
• One compromised machine in a network is all
  that is needed to affect the entire network
Getting to Know
 Your Network
You can not defend what you do
       not understand.
 Getting to Know Your Network
    Baseline your network and core devices
    Port to Jack conversion list
    MAC Address inventory
    Static IP address list
    Knowing where to go when an event occurs is
     absolutely necessary
       Vendor information
       Physical location of devices
 Getting to Know Your Network
 Understand the flow of traffic in your
   Ingress traffic
      This is your inbound traffic
   Egress traffic
      This is your outbound traffic
   Traceroutes
      Is your network symmetrical? Do you have more
      than one internet presence? Are your packets
      traveling the correct route?
Getting to Know Your Network
  What Operating Systems live in your
  Understand any products you want to
   introduce into your network, including their
   purpose, placement, and your expectations
  Create a test environment mirroring your
   production network to fully test new
Defense in Depth
  Multiple layers are always better
  than one.
Defense in Depth

    Proactive Defense
        Preventing the fire from starting
           Firewalls
           Content Filtering

           Intrusion Prevention Devices

           Traffic engineering

           Network Monitoring

           Base lining your network and core devices

           Acceptable use policies
Defense in Depth

    Reactive Defense
        Putting out the fires
           Intrusion Detection Systems
           System backups

           Forensic based programs
                  Fport, nmap
             Network Monitoring tools
                  TCPDump, WinDump, Ethereal, Snort
Defense in Depth
  Desktop Level
Defense in Depth

    Antivirus
        The “flu shot” of the security world
             Anti virus is the most basic level of desktop security and
              should be present on all workstations, servers, laptops, etc
             This is not a replacement for better security practices.
              Definitions need constant updating to meet the ever
              growing number of viruses present. The time between
              virus identification and definition distribution has shrunk as
              technology increases, however the gap still exists
Defense in Depth

    Anti-Spyware
      Common programs available are spybot,
       ad-aware, and most antivirus suites now
       include anti-spyware options
      As with anti virus software, these programs
       require regular updates to remain effective
Defense in Depth

    Host Based Firewalls
        Windows XP comes standard with a firewall, there
         are also popular options such as ZoneAlarm,
         Norton Personal Firewall, Black Ice, McAfee
         Personal Firewall, etc
        Controls application access on machines while
         network based firewalls control the data flow to the
        Learning curve: end users usually need assistance
         in configuring the rules properly to avoid blocking
         legitimate applications
Defense in Depth

    Physical Access
        Login: All machines should require authentication
         to the box or domain controller, no guest accounts!
        Removable storage: unless otherwise needed,
         removable storage like thumb drives should be
         restricted from being introduced to your network
        Location: Are your servers open to be accessed by
         anyone? Is your file server sitting on your desk?
Defense in Depth

    Passwords
      Passphrases: easier to remember, can be
       “fun” and more personal
      Special Characters, Numbers, Case
      Length: longer = better

      Set a minimum password policy!
Defense in Depth

    Patching & Updating
      Set it and forget it! Setting up all machines
       to automatically download and install
       updates takes the guess work out of it
      Do not forget to patch and update all
       softwares used, not just the OS. This
       includes Microsoft Office, Quicktime,
       antivirus, anti-malware, etc.
  Network Level
      Border Patrol

Keeping the bad guys from reaching
            your users
Network Level Defense
   Router Security
       Routers allow for more concise security
        measures to be implemented than their switch
        and hub brethren
       Networks can be segregated by VLANS
       Traffic can be engineered with access control
Network Level Defense
   Router Security
       Lock down access to the router
            Always require a login, be it a local account, RADIUS
             authentication, etc.
            Restrict access only to those networks/IP addresses
             that should be accessing the device
               Do you access this router from outside
                your work network?
               Do you only access this router from one
                particular workstation?
Network Level Defense
   Router Security
       Lock down port access
            Restricting what can be plugged into your network
             and where reduces the occurrence of rogue
             routers/switches/hubs, wireless access points, and
            Usually accomplished by MAC address restrictions
Network Level Defense
   Access Control Lists (ACL’s)
       A Standard ACL can restrict ingress and egress
        network traffic based upon the source IP,
        network, or subnet
       An Extended ACL (Cisco) can restrict ingress
        and egress network traffic based upon source
        and destination networks, along with ports and
       Extremely important to map out EXACTLY what
        you want to allow/deny access to
       As with Firewalls, better to maintain a “deny
        all, permit by exception” list
Network Level Defense
 · Routers apply lists sequentially in the order in which
 you type them into the router.
 · Routers apply lists to packets sequentially, from top
 down, one line at a time.
 · Packets are processed only until a match is made and
 then they are acted upon based on the access list
 criteria contained in the access list statements.
 · Lists always end with an implicit deny. Routers discard
 any packets that do not match any of the access list
 · Access lists must be applied to an interface as either
 inbound or outbound traffic filters.
 · Only one list per direction can be applied to an
Network Level Defense
Example: Restricting network access only to one network

                                           Permits any IP in the
IP access list 99
   10 permit ip any
                                           to go anywhere, denies
   20 deny ip any any
                                           all else

                                           Applied INBOUND to
interface Vlan2
                                           the VLAN interface.
ip address
                                           Inbound means traffic
 ip access-group 100 in
                                           coming into that
 no ip unreachables
                                           interface from
                                           machines internal to
                                           your network
Network Level Defense
 Example: Restricting traffic even more with extended ACL’s

ip access-list extended School_Security
 permit tcp eq smtp
 permit tcp eq smtp
 deny tcp any any eq smtp
 deny udp any any eq snmp
 permit tcp any eq www
 permit tcp any eq 8888
 deny ip any any

      This ACL will allow SMTP access for the network
      only to the two networks stated, deny all others. Next, access to
      WWW and TCP port 8888 is allowed, nothing else. This
      example works in direct conjunction with our HTTPS proxy
Network Level Defense
   Firewalls
       A firewall is similar to a wall around a city or a
        wall around a building. It can prevent traffic
        from going into or out of the city except
        through designated gates. Another term for
        these gates would be ports. For example, if
        you want someone to be able to send you
        email, you would open up a specific gate and
        email could get into your network.
Network Level Defense
   Firewalls
       Network Layer
            Packet filtering usually based on source IP address,
             source port, destination IP address or port,
             destination service like WWW or FTP
       Application Layer
            Filters for applications, like XML/WWW/FTP, to
             provide more protection for the specified application
       Proxies
            May be used in a firewall fashion to hide internal
Network Level Defense
   Wireless Security
       Restrict access! No public access should be
            Disable SSID broadcasting
            Restrict access to known users (by MAC)

            Even if you only use WEP, use it.
            Consult your product documentation for instructions
             “Best Practices” Summary
 Document your network
 Research your products
 Inform and educate your users
 Set a security policy and follow it
  Be proactive or suffer the consequences of only reacting
to events
 Multiple layers of security: Network and Desktop
 Patch and Update everything
 Secure ALL wireless connections!!!

Shared By: