Building Perimeter Defences in a Network
Download
Report
Transcript Building Perimeter Defences in a Network
Building Perimeter Defences
An Organisational Approach
7/21/2015
1
Scope
Concepts of Perimeter Defences.
An attack through a Perimeter Defence
– Case Study
Requirements of the Army.
7/21/2015
2
Quest for Omnipresent Access ...
Information age is a reality.
Everything depends on reliable and
efficient information processing.
Quality of our everyday life.
Development of national/world economy.
Security of National Defence.
Networking is one critical part of this
underlying information infrastructure!
7/21/2015
3
Security Implications
Vulnerabilities - from weak design, to
“feature-rich” implementation.
Heterogeneous networking technologies
adds to security complexity.
Higher-speed communication.
Ubiquitous access increases exposure to
risks.
Lack of training and awareness.
7/21/2015
4
The Good News ...
Plenty of basic means for end-user protection
- privacy, authentication, integrity.
Intensive R&D effort on security solutions
(government sponsored research & private
industry).
Increasing public awareness of security
issues.
New corps of security(-aware) researchers
and engineers
7/21/2015
YOU!
5
The Bad News ...
Information infrastructure as a whole is
very vulnerable, which makes all critical
national infrastructure vulnerable
e.g., Denial-of-service attacks are
particularly dangerous to the Internet
infrastructure or to an Intranet
Infrastructure …
Serious lack of effective technologies,
policies, and management framework.
7/21/2015
6
The Definition
Security is a state of well-being of
information and infrastructures in which
the possibility of successful yet
undetected theft, tampering, and
disruption of information and services is
kept low or tolerable.
Security rests on confidentiality,
authenticity, integrity, and availability.
7/21/2015
7
The Basic Components
Confidentiality is the concealment of
information or resources.
Authenticity is the identification and
assurance of the origin of information.
Integrity refers to the trustworthiness of data
or resources in terms of preventing improper
and unauthorized changes.
Availability refers to the ability to use the
information or resource desired.
7/21/2015
8
Security Threats and Attacks
A threat is a potential violation of
security.
Flaws in design, implementation, and
operation.
An attack is any action that violates
security.
7/21/2015
9
Eavesdropping - Message Interception
(Attack on Confidentiality)
Unauthorized access to information.
Packet sniffers and wiretappers.
Illicit copying of files and programs.
R
S
Eavesdropper
7/21/2015
10
Integrity Attack - Tampering With
Messages
Stop the flow of the message
Delay and optionally modify the
message
Release the message again
R
S
Perpetrator
7/21/2015
11
Authenticity Attack - Fabrication
Unauthorized assumption of other’s
identity
Generate and distribute objects under
this identity
R
S
Masquerader: from S
7/21/2015
12
Attack on Availability
Destroy hardware (cutting fiber) or software
Modify software in a subtle way (alias
commands)
Corrupt packets in transit
S
R
Blatant denial of service (DoS).
7/21/2015
13
Impact of Attacks
Theft of confidential information.
Unauthorized use of
Network bandwidth.
Computing resource.
Spread of false information.
Disruption of legitimate services.
All attacks can be related and are
dangerous!
7/21/2015
14
Defences are a must …
7/21/2015
15
Perimeter Defences …
Many Approaches – One Aim
Firewalls.
Application Level Security.
Intrusion Detection Systems.
7/21/2015
Network / Host Based.
Network Based.
Host Based.
Authentication Mechanisms.
Public Key Infrastructure.
Virtual Private Networks.
16
Why do we need Firewalls
7/21/2015
?
17
What is a firewall ?
A firewall is a system of hardware and
software components designed to
restrict access between or among
networks, most often between the
Internet and a private Internet.
The firewall is part of an overall security
policy that creates a perimeter defense
designed to protect the information
resources of the organization.
7/21/2015
18
Firewalls DO
Implement security policies at a single point
Monitor security-related events (audit, log)
Provide strong authentication
Allow virtual private networks
Have a specially hardened/secured operating
system
Compartmentalise an Organisation’s Network.
7/21/2015
19
Firewalls DON’T
Protect against attacks that bypass the
firewall.
Protect against internal threats .
Dial-out from internal host to an ISP.
disgruntled employee.
Insider cooperates with an external attacker.
Protect against the transfer of virusinfected programs or files.
7/21/2015
20
Types of Firewalls
Packet-Filtering Router.
Application-Level Gateway.
Circuit-Level Gateway.
Hybrid Firewalls.
7/21/2015
21
Packet Filtering Routers
•
Forwards or discards IP packet according a
set of rules.
•
Filtering rules are based on fields in the IP
and transport header.
7/21/2015
22
What information is used for
filtering decision?
Source IP address (IP header)
Destination IP address (IP header)
Protocol Type
Source port (TCP or UDP header)
Destination port (TCP or UDP header)
ACK. bit
7/21/2015
23
Web Access Through a
Packet Filter Firewall
7/21/2015
24
Packet Filtering Routers
Pros and Cons
Advantages:
Simple, Low cost, Transparent to user.
Disadvantages:
Hard to configure filtering rules.
Source IP Spoofing.
Source Routing Attacks.
Tiny Fragmentation Attacks.
Hard to test filtering rules.
Don’t hide network topology(due to transparency).
May not be able to provide enough control over traffic.
Throughput of a router decreases as the number of filters
increases.
7/21/2015
25
Application Level Gateways
(Proxy Server)
7/21/2015
26
A Telnet Proxy
7/21/2015
27
Application Level Gateways
(Proxy Server)
Advantages:
Complete control over each service (FTP/HTTP…).
Complete control over which services are permitted.
Strong user authentication (Smart Cards etc.).
Easy to log and audit at the application level.
Filtering rules are easy to configure and test.
Disadvantages:
A separate proxy must be installed for each application-level
service.
Not transparent to users.
7/21/2015
28
Circuit Level Gateways
7/21/2015
29
Circuit Level Gateways (2)
Often used for outgoing connections where
the system administrator trusts the internal
users
The chief advantage is that a firewall can be
configured as a hybrid gateway supporting
application-level/proxy services for inbound
connections and circuit-level functions for
outbound connections
7/21/2015
30
Hybrid Firewalls
In practice, many of today's commercial
firewalls use a combination of these
techniques.
Examples:
7/21/2015
A product that originated as a packet-filtering
firewall may since have been enhanced with smart
filtering at the application level.
Application proxies in established areas such as
FTP may augment an inspection-based filtering
scheme.
31
Firewall Architectures
Perimeter Defences
7/21/2015
32
Firewall Configurations
Bastion host.
Dual homed gateway.
Screened host firewall system
Screened-subnet firewall system.
7/21/2015
33
Bastion Host
Projecting part of a Fortification.
Outside the Private Network.
Visible and accessible from the Internet.
Application Level Gateway – allows info to be exch from systems
without direct flow of packets.
Specially armoured –
Secure OS.
Hardened with only essential services.
Additional authentication may be reqd for Proxy Services.
Specific Hosts allowed.
Detailed audit info maintained.
Proxy services on Bastion perform no other disk access other
than to read initial config file – Making Trojan dropping difficult.
7/21/2015
34
Dual-homed Gateway
7/21/2015
35
Variations to the Dual Homed
Host Architecture
IP Forwarding / Routing of Dual Homed host
is disabled.
Services permitted only by proxying or by
logging to the dual homed host.
Clients – normal clients instead of proxy
clients only getting services through the
proxy.
7/21/2015
36
Screened-host gateway
7/21/2015
37
Screened Host Firewall
7/21/2015
38
Screened subnet gateway
7/21/2015
39
Screened Subnet Firewall
7/21/2015
40
Screened subnetwork
Placing the Web server on its own screened subnetwork insulates
it from your organization while granting the outside world limited
access to it.
7/21/2015
41
Screened Subnet Architecture
EXTERNAL NETWORK
SCREENING ROUTER 1
FIREWALL
Perimeter Network 1
BASTION HOST 1
SCREENING ROUTER N
Perimeter Network N
BASTION HOST N
INTERNAL NETWORK
7/21/2015
42
Screened Subnet Architecture
Multiple Screening Routers.
Layered Defences can be created.
Multiple Bastion Hosts for different
services can be used.
Multiple Bastion Hosts – Redundancy.
Interior and Exterior Routers should not
be merged unless screening is done on
both interfaces.
7/21/2015
43
Screened Subnet Architecture
External Bastion Host and Screening Router
may be merged.
Merging of Bastion Host with Internal
Screening Router is not recommended.
Use of Multiple Interior Routers is not
recommended.
Sniffing of Perimeter Traffic
Difficult to formulate good rule base.
Multiple Exterior Routers may be used for
multiple exterior networks.
7/21/2015
44
Configure a Firewall (1)
Outgoing Web Access
7/21/2015
Outgoing connections through a packet
filter firewall
Outgoing connections through an
application-level proxy
Outgoing connections through a circuit
proxy
45
Configure a Firewall (2)
Incoming Web Access
7/21/2015
The
The
The
The
“Judas” server
“Sacrificial Lamb”
“Private Affair” server
doubly fortified server
46
The “Judas” Server (not recommended)
7/21/2015
47
The “sacrificial lamb”
7/21/2015
48
The “private affair” server
7/21/2015
49
Internal Firewall
An Internal Firewall protects the Web server from insider threats.
7/21/2015
50
Placing the sacrificial lamb in
the demilitarized zone.
7/21/2015
51
Cyber Security Assessment of an
Internal Network over our local
Intranet – A Case Study
7/21/2015
52
7/21/2015
53
The Strategy
Two teams - Two Concurrent Phases
Phase I
Penetrate from the WAN through Exploits
from outside the Firewall.
Phase II
7/21/2015
Try to get information from within by using
allowable Protocols through the Firewall
and Proxy Server.
54
Tasking – Team A
Carry out preliminary determination of network
topologies.
Outer Recce of Systems.
Vulnerability Analysis.
Exploits.
Launching of Trojans if possible.
Determination of Passwords.
Decide on further course of action after results.
7/21/2015
55
Phase I
External Attacks
7/21/2015
56
External Penetration
Part 1 : Network Mapping
Part 2 : Analysis
Part 3 : Network Attack
7/21/2015
57
Network Mapping
Get connected to the network.
Discern NW topology.
Identify Operating Systems of the
available Servers.
Identify the Services.
7/21/2015
58
Network Mapping - Results
Firewall installed as Gateway to Internal
Network.
Web Server and Email Server available
for access by the outside world.
Firewall - Linux Machine with
implementation of IPChains.
Probable Proxy Server protecting
Internal Network.
7/21/2015
59
Network Mapping - Results
Details of Web Server:
OS – Linux
Web Server – Apache
Other ports open:
7/21/2015
SSL
XWINDOWS – Vulnerable Port
HTTPS
60
Network Mapping - Results
Details of Email Server:
OS – Windows
Ports open:
7/21/2015
SMTP
Web
POP3
IMAP
Port mapper
Vulnerable Ports
61
7/21/2015
62
Likely Topology - First version
Web
IP Address
Scheme ?
Mail
Servers
External
Addresses Known
Switch
Proxy Server
Switch
Internal
NW
7/21/2015
Firewall
WAN LINK
Router
External NW
63
Analysis
Vulnerabilities : Apache Web Server
X-Windows – Remote Login Possible if
username and password available.
Windows based Mail Server
7/21/2015
Port 80 with IIS – Unicode
Port 135 – Port Mapper
SMTP / POP3
64
Analysis
E-Mail Server checked for Unicode
Vulnerability.
Found Vulnerable to two forms of URLs.
Access possible into System Directory
and files of Email Server.
Execution of all DOS commands
possible.
7/21/2015
65
7/21/2015
66
The Attack
FTP Backdoor
E Mail Server
with
Port 80 Opened
with IIS
FTP Server
Unicode Attack
Hacker Console
Target Network
7/21/2015
68
The Attack - Results
Est a FTP server and uploaded a short file.
Implant was successful.
However, contact with Server was lost before
logs could be erased.
System Mgr caught the logs a few days later
and the hole was rectified.
No data or material was recovered due to this
attack.
System Manager was alert and was perusing
the logs.
7/21/2015
69
UNREALISTIC CIRCUMSTANCES
Unrealistic
Circumstances
No element of surprise.
Administrators were waiting and
scanning through the logs daily.
Time and Place of choosing was not our
choice … test bed offered.
Servers were disconnected most of the
time.
7/21/2015
70
A Different Approach
7/21/2015
71
Typical Backdoor / Trojan
Proxy Server
Intranet
Firewall
Hacker
Internal Network
7/21/2015
72
Typical Backdoor / Trojan
Trojan Horse
Proxy Server
E Mail
IP Address
Port Number
Intranet
Firewall
Hacker
Internal Network
7/21/2015
73
Typical Backdoor / Trojan
Trojan Horse
IP Address + Port Number
Proxy Server
Intranet
Hacker
Firewall
Internal Network
7/21/2015
76
The Idea
7/21/2015
77
The Strategy
Try to get information from the
Internal Networks by using
allowable Protocols through the
Firewall and Proxy Server.
7/21/2015
78
The Plan
Develop the following malicious programs:
Backdoor / Worm.
Wrapper.
Fake Web Server.
Parser.
7/21/2015
79
Is a
program
that can
contain a
Backdoor
7/21/2015
When
executed
it looks
like the
Web
Browser
80
The Plot
It dropped the Backdoor into
the Target PCs who were lured
into opening their Email
attachments.
7/21/2015
81
The Setup
FAKE WEB
SERVER
7/21/2015
82
Infected PC
I want to make an outbound Web Connection
The Plot
Hold on I will request the Firewall ….
PROXY SERVER
Can I make an outword connection to a Web Server
OK , valid request, go ahead
Fake Web Server
7/21/2015
84
Infected PC
I want to make an outbound Web Connection
The Plot
Hold on I will request the Firewall ….
PROXY SERVER
Can I make an outword connection to a Web Server
OK , valid request, go ahead
Fake Web Server
7/21/2015
85
Activities of the Backdoor
Scans Hard Disk of victim for the following types of files:
Powerpoint Presentations.
Word Documents.
Excel Spread Sheets.
Pick up 30 files of each type and send it masqueraded as HTTP
or Web Request Data to the Fake Web Server through all the
defences including Firewalls, IDS , etc.
Bluff its way out of the Proxy ,Firewall and other defences by
asking for legitimate Web Connections.
Connects immediately on startup.
Puts in a time stamp and the user’s machine name on all files
transmitted.
After the job is completed, it kills itself by wiping out all it’s
traces.
7/21/2015
86
Activities of the Fake Web Server
1.
2.
3.
4.
7/21/2015
Holds conversations with the Proxy and
Firewall as if they were legitimate.
Clandestinely accepts chunks of data or
portions of files sent by the Backdoor.
Acknowledges these as valid Web Page
requests to fool the Firewall and the Proxy.
Saves all this raw and unfiltered data to the
hard disk in a specified folder.
87
The Parser
Scans through the raw
data.
Joins fragments together
to form up valid and
legitimate files.
Saves them in the Hard
Disk systematically in
Categories of Command /
User Machine Names.
1.
2.
3.
Hard Disk
7/21/2015
Raw Data
The Parser
Hacked Files
88
Development Parameters
Development Platform
C++, Delphi, VC ++.
Sizes
7/21/2015
Backdoor - 84 K
After Wrapping – 288K
Fake Web Server – 321 K
Parser - 308 K
89
The Outcome …
Summary of the Trials
7/21/2015
90
7/21/2015
91
Identify your Security Level
Unconscious Inadequacy.
Conscious Inadequacy.
Well Protected.
Policy in place.
Employees and Mgt are aware.
Processes are not mature.
Conscious Adequacy.
7/21/2015
Vulnerable.
Quick Fix Solutions.
Short Term Benefits.
Unconscious Adequacy.
Totally Vulnerable.
State that we would like to be in .
May take years.
92
Identify your Security Level Vulnerability Cycle
PEAK MONITORING – LEAST VULNERABLE
WEAK MONITORING – MOST VULNERABLE
7/21/2015
93
Identify causes for Vulnerability
Control Heavy.
Inculcates false sense of Security.
Controls are not embedded in
processes.
Policies are too voluminous and are not
read by all.
Employee Unawareness.
No Periodic Security Audit.
7/21/2015
94
The Bottom-line
Implement a Security Policy.
Implement Controls …
… through processes.
Finalize Procedures.
Training.
Periodic Audit.
7/21/2015
95
Actions at various Levels
User Level.
Administrator's Level.
Management Level.
7/21/2015
96
User Level
Selection of Secure OS: Win 2k/XP,Linux, Unix, Solaris.
Selection of Secure file system: NTFS,ext2.
Configuration of the OS and File System for max security.
Creation of Accounts without Admin or Root rights for all users.
Separate Partition for Data.
Setting up Access Control Rights.
Installation of Personal Firewall to protect the PC from any
network attacks.
Installation of Antivirus software to protect the data from
Virus/worms/Trojans.
Usage and Implementation of a Strict Password Policy.
7/21/2015
97
Network Level
Implementing the Security Policy.
Setting up of a Firewall based on Linux (IP
Cop).
Stateful Inspection Packet Filtering Firewall.
Network Address Translation.
Transparent Proxy Server.
Intrusion Detection System.
Setting up of the Anti Virus Gateway using an
Enterprise Anti Virus Solution.
Use appropriate Perimeter Defences.
7/21/2015
98
Management Level
Decisions based on Periodic Training.
Implementation of Training with respect
to Data Handling.
Implementation of Security Policy.
Periodic Audit.
Release of Funds for Controls.
7/21/2015
99
Mistakes People Make that
Lead to Security Breaches
The Five Worst Security Mistakes End Users Make
Opening unsolicited e-mail attachments without
verifying their source and checking their content
first.
Failing to install security patches-especially for
Microsoft Office, Microsoft Internet Explorer, and
Netscape.
Installing screen savers or games from unknown
sources.
Not making and testing backups.
Using a modem while connected through a local area
network.
7/21/2015
100
Source: SANS Institute Resources
Requirements of the Army
7/21/2015
101
Requirements of the Army
Design of an implementable Security Policy.
Implementation of the Policy.
External Audit by Professional Firms.
Training.
End to End Security – PKI ??
Data Storage Security.
Standardised Authentication Systems.
Own Stream Ciphers.
Cryptanalysis Facilities as long term measures.
7/21/2015
102
Questions ???
7/21/2015
103
Information Security is ….
….. A change in the mindset of the
organisation.
7/21/2015
104
7/21/2015
105