Network Security - University of Engineering and Technology


Dr. Adeel Akram
UET Taxila
Securing Enterprise Network Infrastructure
(Towards secure internetworking on Pakistan Educational Research Network)
Outline
► Introduction to Enterprise Network
► Enterprise Network Architectures
► Securing Enterprise Networks
► Enterprise Network Security Requirements
► Pakistan Educational Research Network
► Type of Network Attacks and Vulnerabilities
► Case Studies
 Hacking of Educational and Govt. Websites !!!
► Lessons Learnt
► Recommendations
Introduction to Enterprise Network
► An Enterprise Network is the network that allows communication and resource sharing among all of a company's business functions and workers.
► In some cases, an Enterprise network would even include the company's suppliers, contractors and distributors.
► It consists of the hardware, software and media connecting the information technology resources of an organization.
Enterprise Network Architectures
Securing Enterprise Networks
Enterprise Network Security Requirements
► Network security has become increasingly difficult to manage and evaluate, even as industry and government compliance requirements have become more demanding.
► The network threats are real, and costly. Internal and external vulnerabilities can cause business disruption, loss of revenue, or loss of operational efficiency.
► Because network security can be breached from both internal and external sources, traditional perimeter firewalls are not enough to protect the network.
► Enterprise networks require new network security tools, network appliances, and professional services to secure large and small networks.
► The following slides show key components of network security that are now required in all organizations to secure their networks:
Enterprise Security Key Components
► Unified Threat Management (UTM) Firewalls
► Network Access Control (NAC), or Role-based Networking
► Mobile Computer Client Protection
► Event Correlation and Log Analysis
► Layer-7 Visibility and Packet Analysis
► Managed Services
Enterprise Network Security Requirements
► Unified Threat Management (UTM) Firewalls
 It is too costly and operationally inefficient to add on each separate component as security threats emerge. Today's solutions use multiple scanning methods and multiple defense layers in high-throughput appliances. IDS/IPS, Anti-Virus, Content Filtering, VPN, Anti-Spam, P2P control, etc. all need to be included in a network security solution.
► Network Access Control (NAC), or Role-based Networking
 Creating differentiated network services based on individual access requirements is the key. The era of every user being able to browse to all network resources should be over. Role-based networking is required to limit visibility of networks, servers, and TCP/IP ports and protocols, regardless of the user's point of entry into the network.
► Mobile Computer Client Protection
 Also referred to as "Mobile NAC": all network devices that can leave and join the network need to have accountability and control regardless of location. The ability to control laptops, PDAs, and other mobile devices when they are not connected to a VPN session is a key requirement.
► Event Correlation and Log Analysis
 Security threats cannot be stopped by reviewing logs in "post-mortem" analysis. To stop "zero-day" threats, the network needs event-correlation and adaptive-response tools. While SNMP reporting tools are important for network engineers responsible for network health, other tools are required to correlate client, server, and firewall activities with the application processes running on the computers.
► Layer-7 (Application Layer) Visibility and Packet Analysis
 The ability to classify all applications regardless of port and protocol is essential for both security and performance analysis. In-line devices for analyzing and reporting network traffic across all OSI layers are essential for compliance, security assessment, and resolving performance issues.
► Managed Services
 Many companies cannot become experts in Cyber-Security, PC/Server Management, Regulatory Compliance, and Disaster Recovery. But even small businesses are impacted by critical data security threats and technology maintenance hurdles that detract from the core business goals. Managed Services offer expertise on a contractual basis.
Educational Enterprise Network
► Pakistan Education and Research Network
Pakistan Educational Research Network
► PERN - Pakistan Education and Research Network is the national research and education network of Pakistan, which connects the premier educational and research institutions of the country.
► PERN focuses on collaborative research, knowledge sharing, resource sharing, and distance learning by connecting people through the use of Intranet and Internet resources.
Types of Network Attacks
Top Application Vulnerabilities
Top Attack Outcomes
(Statistics source: Web Hacking Incident Database, http://webappsec.pbworks.com/Web-Hacking-Incident-Database)
Hacking Statistics for .gov.pk
Hacking Statistics for .edu.pk
Cyber Attack Response Procedure
► Detect Attack Source
► Prevent Attack / Plan Response
► Seal Crime Scene / Preserve System State
► Report to Security Agencies
► Activate Auditing / Gather Suspect Traces
► Estimate Attack Losses
FBI Cybercrime Investigation Procedure
► To ensure that your organization can react to an incident efficiently, make sure that staff know who is responsible for cyber security and how to reach them.
► The following steps will help you document an incident and assist federal, state, and local law enforcement agencies in their investigation (be sure to act in accordance with your organization's policies and procedures):
 Preserve the state of the computer at the time of the incident by making a backup copy of logs, damaged or altered files, and files left by the intruder.
 If the incident is in progress, activate auditing software and consider implementing a keystroke monitoring program if possible.
 Document the losses suffered by your organization as a result of the incident. These could include:
► estimated number of hours spent in response/recovery
► cost of temporary help
► cost of damaged equipment
► value of data lost
► amount of credit given to customers for inconvenience
► loss of revenue
► value of any trade secrets
To report an incident to the FBI, you can submit a tip report at https://tips.fbi.gov
National Response Centre For Cyber Crimes
NR3C CERT (Computer Emergency Response Team)
► Forensic Lab
► R&D
► Implementation of Standards & Procedures
► Media and Projection Cell
► Technology Development Center
► Network Operations & Security
► Liaison with LEA(s) & public /private sector organizations
► Trainings & Seminars
► Legal Regularity & Issues
To report an incident to the NR3C visit: http://www.nr3c.gov.pk
Federal Investigation Agency Headquarters
Sector-G-9/4, Islamabad
Ph. 051-9261686, Fax. 051-9261685
Case Studies
► UET Taxila – Internal Website(s) Hacked
► HEC Website(s) – Hacked
► LUMS Website(s) – Hacked
► Ministry of Information and Broadcasting Website – Hacked
► FIA’s National Response Center for Cyber Crime Website – Hacked
UET Taxila Website(s) Hacked
UET Taxila’s Internal Website http://uet.homeip.net Hacked in 2006 !
Email from Hackers
The Next Day
Searched for traces of Hackers
► Event Viewer
 Application Logs
 System Logs
 Security Logs
► User Manager
 Any Account Modifications
 New Account Creation
 Rights Requests
Checked Systems for Trojan Horses
► See if any backdoor has been created on the system
► Try to figure out how the hackers managed to hack the system
► Check Task Manager for any suspicious running process
► Check System/Firewall Security Logs
Search the Logs
Checked Logs on the DHCP Server
► Cross-checked the MAC Address of the Hackers from their IP 169.254.2.57
 00-01-02-08-37-A8
Checked Hostel Switch Logs
► Went to the Hostel Switch and checked which switch port this MAC address binds to
 Port Number 31 on Switch
► Consulted the Hostel Network Diagrams to find out the Room Number for Port # 31
 Room Number 41
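The tracing sequence on these slides (DHCP log gives the MAC address, switch MAC table gives the port, hostel wiring diagram gives the room) written out as a script. This is an added example, not code from the original deck or from the UET Taxila network center: the DHCP log format, the switch table layout and the port-to-room map are constructed for the example, and only the IP, MAC, port and room values are the ones quoted on the slides. One detail the slides gloss over is that the DHCP server and the switch print MAC addresses in different notations, so the lookup has to normalize them first.

```python
"""Trace an offending IP address back to a physical room:
DHCP lease log -> MAC address, switch MAC table -> switch port,
hostel wiring diagram -> room.  Added example, not from the original deck.
Log layouts and the port-to-room map are constructed; the IP, MAC, port and
room values are the ones quoted on the slides."""

import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed DHCP server log: "date time action ip mac hostname".
DHCP_LOG = """\
2006-03-14 21:02:11 ASSIGN 169.254.2.57 00-01-02-08-37-A8 LAB-PC-07
2006-03-14 21:05:40 ASSIGN 169.254.2.58 00-0C-29-4F-11-02 HOSTEL-PC
2006-03-14 21:30:19 ASSIGN 169.254.2.59 00-0C-29-AA-BB-CC VISITOR
2006-03-14 22:10:03 RELEASE 169.254.2.59 00-0C-29-AA-BB-CC VISITOR
2006-03-14 22:12:55 ASSIGN 169.254.2.57 00-01-02-08-37-A8 LAB-PC-07
"""

# Constructed switch MAC address table in the dotted notation many switches
# print; note it differs from the dashed notation in the DHCP log.
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type      Ports
----    -----------       ----      -----
   1    0001.0208.37a8    DYNAMIC   Fa0/31
   1    000c.294f.1102    DYNAMIC   Fa0/12
"""

# Constructed hostel wiring diagram: switch port -> room.
PORT_TO_ROOM: Dict[int, str] = {31: "Room 41", 12: "Room 12"}


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lower-case hex digits, no separators, so that
    00-01-02-08-37-A8 and 0001.0208.37a8 compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_for_ip(dhcp_log: str, ip: str) -> Optional[str]:
    """MAC that currently holds `ip`: the last ASSIGN wins, a later RELEASE
    clears it (a released lease is no evidence against anyone)."""
    mac = None
    for line in dhcp_log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _date, _time, action, lease_ip, lease_mac = fields[:5]
        if lease_ip != ip:
            continue
        mac = normalize_mac(lease_mac) if action == "ASSIGN" else None
    return mac


def port_for_mac(mac_table: str, mac: str) -> Optional[int]:
    """Switch port number the MAC was learnt on, or None if not in the table."""
    target = normalize_mac(mac)
    for line in mac_table.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # header line
        try:
            entry = normalize_mac(fields[1])
        except ValueError:
            continue                      # separator line
        if entry == target:
            m = re.search(r"(\d+)$", fields[3])   # "Fa0/31" -> 31
            return int(m.group(1)) if m else None
    return None


@dataclass
class Trace:
    ip: str
    mac: Optional[str]
    port: Optional[int]
    room: Optional[str]


def trace_ip(ip: str, dhcp_log: str = DHCP_LOG,
             mac_table: str = SWITCH_MAC_TABLE,
             port_map: Dict[int, str] = PORT_TO_ROOM) -> Trace:
    """Chain the three lookups; any missing link leaves the rest as None."""
    mac = mac_for_ip(dhcp_log, ip)
    port = port_for_mac(mac_table, mac) if mac else None
    room = port_map.get(port) if port is not None else None
    return Trace(ip, mac, port, room)


if __name__ == "__main__":
    print(trace_ip("169.254.2.57"))
```

The chain only holds while the evidence is fresh: DHCP leases expire and switch MAC tables age out within minutes, which is why the slides preserve system state before anything else.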
Hackers Caught Red-Handed
Website Restored to Original State
Observations
► The site was hacked by our own students, who were doing an internship in the Network Center on Windows Server Administration
► They were also developing the student-portal website on the same server and had been given administrative rights on the web server
► They misused their rights to hack the site
The defacing of UET TAXILA’s Examination website in August 2007
http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/
Hacked by Whom?
• There were 5 main IP addresses that used the URL responsible for hacking and planting the pages on our alpha webserver !
• 202.86.249.21
• 202.86.248.23
• 74.6.25.141
• 88.254.235.5
• 85.106.249.98
Guess What !
► Who owns this IP Address?
► 202.86.249.21
► Pakistan
Whois 202.86.249.21
WHOIS - 202.86.249.21
inetnum: 202.86.249.0 - 202.86.249.255
netname: DIALLOG
descr: Great Bear International Services (Pvt) Ltd, Wireless Local Loop
descr: CDMA Operator, Pakistan
country: PK
person: Artem Orange
nic-hdl: AO71-AP
e-mail: [email protected]
address: Great Bear International Services (Pvt) Ltd
address: 106-E, Asif Plaza 3rd & 4th Floor
address: Fazal-ul-Haq Road, Blue Area,
address: Islamabad
phone: +92 51 2806222
country: PK
changed: [email protected] 20060111
mnt-by: MAINT-PK-DIALLOG
source: APNIC
Who owns the 2nd Attacker IP?
► Who owns this IP Address?
► 202.86.248.23
► Singapore
Whois 74.6.25.141
WHOIS - 74.6.25.141
OrgName: Inktomi Corporation
OrgID: INKT
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US
NetRange: 74.6.0.0 - 74.6.255.255
CIDR: 74.6.0.0/16
NetName: INKTOMI-BLK-6
NetHandle: NET-74-6-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM
RAbuseEmail: [email protected]
Whois 85.106.249.98
WHOIS - 85.106.249.98
Location: Turkey (high) [City: Adana, Adana]
inetnum: 85.106.128.0 - 85.106.255.255
netname: TurkTelekom
descr: TT ADSL-alcatel dynamic_ulus
country: tr
admin-c: BADB3-RIPE
tech-c: ZA66-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: [email protected]
changed: [email protected] 20070220
source: RIPE
role: TT Administrative Contact Role
address: Turk Telekom
address: Network Direktorlugu
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 555 1927
fax-no: +90 312 313 1924
e-mail: [email protected]
source: RIPE
Whois 88.254.235.5
WHOIS - 88.254.235.5
Location: Turkey (high) [City: Adana, Adana]
inetnum: 88.254.128.0 - 88.254.255.255
netname: TurkTelekom
descr: TT ADSL-alcatel dynamic_ulus
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
notify: [email protected]
changed: [email protected] 20070220
source: RIPE
role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: [email protected]
source: RIPE
How it was done?
► An ASP Shell script, CP5.asp, was planted under the http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/ folder, which had Write rights on it with Directory Browsing turned ON
► Our Firewall Logs showed that the first call to the malicious asp page was made on 30/Aug/2007 at 14:45:24 PST.
Home of CyberSpy 5 (CP5.asp)
CP5.asp Removed from Server!
► I didn’t understand the Turkish language, but the icons were pretty intuitive to indicate that the [icon] means Delete and the [icon] means Download.
► So after indiring the CP5.asp for my personal interest and further investigation, I Siled the cp5.asp using its own page.
► Thanks to the author of CP5 for the self-destructive features ;-)
Observations
► The CP-5 (CyberSpy 5) ASP Shell Script code was intentionally/unintentionally planted in the Examination website by someone having physical access to the server
► The network supervisors of the exam branch didn’t confess their fault
► CyberSpy 5 is now detected by newer Antiviruses as PhP/C99Shell.A.Trojan and ASP/Ace.DC. Trojan
What security measures were taken?
► As the first step during the revival of the web.uettaxila.edu.pk website, all traffic for web.uettaxila.edu.pk was redirected to www.uettaxila.edu.pk to get the original website contents from our hosted services server directly instead of the local hacked server.
► Browsed through the IIS Service Manager on the hacked server to check the rights on all folders related to the website.
► Removed Write rights for IUSR_ALPHA on all folders.
► Changed the default webpage at web.uettaxila.edu.pk from index.htm to index1.asp
► Backed up the hacked pages and emailed them to my account for further investigation.
► I deleted the hacked index.htm file and replaced the original files from the Hosted Services Server onto the local hacked server.
► At this time, the hackers tried to reinstall their hacked page on our server by overwriting index.htm with their hacked page.
► As the webserver was now set to show index1.asp instead of index.htm, the hacked page was no longer visible on the main page.
► The hackers realized that they should leave the server now.
► As a protective measure, we added all IP ranges of the hackers' IP classes to the firewall block list.
► In future they will not be able to use the same addresses to access our server.
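The block-list step above rests on the whois records shown on the earlier slides. Here is an added example (not code from the original deck) that parses such records, checks that an attacker address really lies inside the allocation before anything is blocked, and converts the allocation into the CIDR prefixes a firewall block list takes. The whois excerpts are constructed in the RIPE/APNIC and ARIN key/value layouts and keep only the range, name and country values quoted on the slides; the rest of those records is omitted.

```python
"""Parse registry whois output, confirm an attacker IP sits inside the
allocation, and emit the minimal CIDR set covering it.  Added example, not
from the original deck.  The whois excerpts are constructed in the standard
RIPE/APNIC and ARIN layouts with only the values quoted on the slides."""

import ipaddress
from typing import Dict, List, Tuple

IPv4Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

WHOIS_APNIC = """\
% Constructed excerpt in APNIC/RIPE layout
inetnum:        202.86.249.0 - 202.86.249.255
netname:        DIALLOG
descr:          Great Bear International Services (Pvt) Ltd, Wireless Local Loop
descr:          CDMA Operator, Pakistan
country:        PK
source:         APNIC
"""

WHOIS_RIPE = """\
% Constructed excerpt in RIPE layout
inetnum:        88.254.128.0 - 88.254.255.255
netname:        TurkTelekom
descr:          TT ADSL-alcatel dynamic_ulus
country:        tr
source:         RIPE
"""

WHOIS_ARIN = """\
# Constructed excerpt in ARIN layout
NetRange:       74.6.0.0 - 74.6.255.255
CIDR:           74.6.0.0/16
NetName:        INKTOMI-BLK-6
Country:        US
"""


def parse_whois(text: str) -> Dict[str, List[str]]:
    """'key: value' lines -> dict of lists.  Keys are lower-cased so RIPE
    'inetnum' and ARIN 'NetRange' records parse the same way; repeated keys
    (descr, address) keep every value in order."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue                           # registry comments
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def allocated_range(record: Dict[str, List[str]]) -> IPv4Range:
    """Start and end address of the allocation, from inetnum or NetRange."""
    for key in ("inetnum", "netrange"):
        if key in record:
            start, _, end = record[key][0].partition("-")
            return (ipaddress.IPv4Address(start.strip()),
                    ipaddress.IPv4Address(end.strip()))
    raise KeyError("record has neither inetnum nor NetRange")


def contains(record: Dict[str, List[str]], ip: str) -> bool:
    """Sanity check before blocking: is the attacker IP inside this allocation?"""
    start, end = allocated_range(record)
    return start <= ipaddress.IPv4Address(ip) <= end


def block_list(record: Dict[str, List[str]]) -> List[str]:
    """Smallest set of CIDR prefixes covering the allocation, i.e. what goes
    into the firewall block list instead of a guessed classful 'A.B.*'."""
    start, end = allocated_range(record)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


if __name__ == "__main__":
    for name, text, ip in (("APNIC", WHOIS_APNIC, "202.86.249.21"),
                           ("RIPE", WHOIS_RIPE, "88.254.235.5"),
                           ("ARIN", WHOIS_ARIN, "74.6.25.141")):
        rec = parse_whois(text)
        print(name, rec["netname"][0], contains(rec, ip), block_list(rec))
```

A whois range identifies the allocation, not the attacker: the RIPE record describes dynamic ADSL customers, so blocking 88.254.128.0/17 also blocks whoever is handed those addresses next. That is a reason to treat the block list as a stop-gap and, as the suggestions slide says, to pursue the ISP for its logs.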
What security measures were taken?
► The domain accounts of all users were checked for their security privileges.
► Unnecessary administrative group members were removed.
► Passwords were changed on all Administrative accounts.
► [email protected] was removed.
Response to the Hackers
► Used network forensic tools to track the hackers
► Used OS fingerprinting to identify the types of systems used by the attackers
► Tried to gain access to their network resources
► Tried to get personal information about the hackers
Who owned 88.254.235.5?
This is the ADSL Router of the Attacker in Turkey
I changed its old password for future communication
ZyXEL ADSL Router on Turk IP!
Suggestions and Comments
► Routine checking of Firewall Logs should be performed to see obnoxious calls to URL addresses on the server.
► All servers should be shifted behind a UTM Firewall
► The Intrusion Prevention System on the UTM should be configured to detect and block such attacks in future.
► Concerned ISPs and Security Agencies should be contacted for Logs to get access to the owners of these attacker IP Addresses.
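The first suggestion above, routine review of the server's request logs for calls to script pages in folders that should only hold static downloads (the kind of review that let the firewall logs date the first call to CP5.asp), written out as a script. This is an added example, not code from the original deck: the log lines are constructed in IIS W3C extended format, the folder and the source addresses echo the case study, and STATIC_ONLY_PREFIXES and SCRIPT_EXTENSIONS are an assumed local policy that a real deployment would fill in from its own site layout.

```python
"""Review web server request logs for calls to script files inside folders
that should only ever hold static content.  Added example, not from the
original deck.  Log lines are constructed in IIS W3C extended format; the
folder and IP addresses echo the case study, everything else is invented."""

from typing import Dict, Iterator, List, Tuple

# Assumed policy: folders that should serve only static downloads, and the
# extensions the web server executes rather than serves as plain files.
STATIC_ONLY_PREFIXES = ("/uet/uetsub/uetdownloads/",)
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".php", ".jsp", ".cgi")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-08-30 14:40:01 202.86.249.21 GET /uet/UETsub/uetDownloads/examination/ - 200
2007-08-30 14:45:24 202.86.249.21 GET /uet/UETsub/uetDownloads/examination/CP5.asp - 200
2007-08-30 14:46:02 202.86.249.21 POST /uet/UETsub/uetDownloads/examination/CP5.asp action=upload 200
2007-08-30 15:01:17 88.254.235.5 GET /uet/UETsub/uetDownloads/examination/CP5.asp - 200
2007-08-30 15:03:44 10.0.0.15 GET /uet/UETsub/uetDownloads/examination/datesheet.pdf - 200
2007-08-30 15:10:09 10.0.0.15 GET /default.asp - 200
"""


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, naming the columns from the #Fields:
    directive so the parser is not tied to one fixed column order."""
    fields: List[str] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                      # cannot map to columns; skip
        yield dict(zip(fields, values))


def is_script_in_static_folder(entry: Dict[str, str]) -> bool:
    """True when a script file is requested under a folder that should only
    hold static downloads.  A directory listing or a PDF there is normal;
    an .asp page there is not."""
    stem = entry["cs-uri-stem"].lower()
    return stem.startswith(STATIC_ONLY_PREFIXES) and stem.endswith(SCRIPT_EXTENSIONS)


def first_calls(log_text: str) -> Dict[Tuple[str, str], Tuple[str, int]]:
    """Map (client IP, URI) -> (timestamp of first call, number of calls)
    for every suspicious request; the first timestamp bounds when the
    file must have been planted."""
    seen: Dict[Tuple[str, str], List] = {}
    for entry in parse_w3c(log_text):
        if not is_script_in_static_folder(entry):
            continue
        key = (entry["c-ip"], entry["cs-uri-stem"])
        stamp = f"{entry['date']} {entry['time']}"
        if key not in seen:
            seen[key] = [stamp, 0]
        seen[key][1] += 1
    return {k: (v[0], v[1]) for k, v in seen.items()}


def report(log_text: str) -> List[str]:
    """Human-readable lines, earliest first."""
    rows = sorted(first_calls(log_text).items(), key=lambda kv: kv[1][0])
    return [f"{stamp}  {ip:<15}  {uri}  ({hits} hits)"
            for (ip, uri), (stamp, hits) in rows]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run daily over the previous day's log, the report is empty on a healthy server, so any line at all is worth a look; the 14:45:24 entry is exactly the kind of first call the case study found after the fact.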
HEC Website(s) Hacked
► Domain: http://hjp.hec.gov.pk
 Hacking Reported on: 2010-05-19 10:47:33
 Notified by: Ashiyane Digital Security Team
 IP address: 111.68.100.144
 System: Linux
 Web server: Apache
► Domain: http://dev.hec.gov.pk
 Hacking Reported on: 2010-07-06 16:50:06
 Notified by: r4diationz
 IP address: 72.249.151.41
 Sub directory: /appsup/submit.asp
 Attack Type: Database injection
► Domain: http://app.hec.gov.pk
 Hacking Reported on: 2010-07-06 16:51:25
 Notified by: r4diationz
 IP address: 72.249.151.41
 Sub directory: /appsup/submit.asp
 Attack Type: Database injection
► Domain: http://sc.hec.gov.pk/aphds/Submit.asp
 Hacking Reported on: 2010-02-05 16:09:21
 Notified by: sacred_relic
 IP address: 111.68.100.150
 System: Win 2003
 Web server: IIS/6.0
LUMS Website(s) Hacked
► Domain: http://cmer.lums.edu.pk
 Hacking Reported on: 2009-07-12 21:17:08
 Notified by: syniack
 IP address: 203.128.0.46
 System: Linux
 Web server: Apache
► Domain: http://suraj.lums.edu.pk/~lrs/forum/phpBB2
 Hacking Reported on: 2006-07-19 15:39:52
 Notified by: SanalYargic
 IP address: 203.128.0.6
 System: Solaris SunOS
 Web server: Apache
► Domain: http://sedp.lums.edu.pk/index2.htm
 Hacking Reported on: 2003-08-15 22:39:41
 Notified by: INDIAN TIGERS
 IP address: 203.128.1.242
 System: Win 2000
 Web server: IIS/5.0
► Domain: http://sedp.lums.edu.pk
 Hacking Reported on: 2003-08-16 17:38:40
 Notified by: INDIAN TIGERS
 IP address: 203.128.1.242
 System: Win 2000
 Web server: IIS/5.0
InfoPak.gov.pk Website Hacked
Ministry of Information and Broadcasting Website Hacked
► Domain: http://www.infopak.gov.pk
 Hacking Reported on: 2010-07-13 09:20:12
 Notified by: Sovalye
 IP address: 174.143.146.58
 System: Win 2003
 Web server: IIS/6.0
NR3C Website Hacked
FIA’s National Response Center for Cyber Crime Website Hacked
► Domain: http://www.nr3c.gov.pk
 Hacking Reported on: 2010-01-07 16:16:56
 Notified by: ZombiE_KsA
 IP address: 72.9.156.44
 System: Linux
 Web server: Apache
Lessons Learnt
► The faster the network, the more attacks there are from the internet
► Greater availability/always-online connectivity increases the chances of hacking attacks
► Internal users are mostly responsible for compromising network security
► Easy availability of hacking scripts has encouraged script kiddies to try hacking
► Lack of regular security audits, shortage of certified ethical hackers and knowledge sharing
Recommendations
► Enable Role-based Network Services
► Disable Windows File Sharing
► Update the Operating System
► Choose Strong Passwords
► Anti-virus Software Installation and Update
► Train the End Users to maintain their PCs
► Install A Personal Firewall and Email Security Apps
► On demand and Startup Scan For Spyware
► Network Access Control
Tips for End Users
► Deploy Internet Security Software (FW+AV+UTM)
 ESET NOD32 Business Edition
 TrendMicro Internet Security
 Symantec Endpoint Protection + Network Access Control
► Keep Security Software updated
► Keep OS and Installed Software updated
► Report abnormal system behavior to Admins
► Enable System Restore and Backup System
Tips for Network and Sys Admins
► Block TCP Port 25 (Commonly used by Spam-bots)
► Block TCP Port 135 (Used by W32/Blaster worm)
► Block TCP Port 445, NetBIOS-DGM, NetBIOS-NS,
NetBIOS-SSN, Kerberos, LDAP, WINS, RDP and
Ping to/from WAN
► Turn off File and Printer Sharing for Microsoft
Networks on WAN Interfaces of all servers
► Install Firewall and Antivirus software on servers
► Create Backups / Images of Servers
References
► http://www.nle.com
► www.networkdictionary.com/networking/e.php
► http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html
► http://www.firewall.cx/firewall_topologies.php
► http://webappsec.pbworks.com/Web-Hacking-Incident-Database
► http://www.zone-h.com/archive
► http://www.dnsstuff.com/tools
► http://www.ip-whois-lookup.com/lookup.php?ip=88.254.235.5
► http://www.hec.gov.pk
► http://www.pern.edu.pk
► http://www.cert.org/tech_tips/FBI_investigates_crime.html
► http://www.insecure.org
► http://www.eeye.com
► https://secure.dshield.org/reports.html
Questions
[email protected]