Key To Personal Information Security
Lesson Six
Safeguards & Countermeasures
Copyright © Center for Systems Security and Information Assurance
Lesson Objectives
• Identify common terms associated with information security
countermeasures.
• Define and identify the various types of firewalls.
• Discuss the approaches to dial-up access and protection.
• Identify and describe the two categories of intrusion detection
systems and discuss the two strategies behind intrusion
detection systems.
• Discuss scanning, analysis tools, and content filters.
• Understand trap and trace technologies.
• Discuss various approaches to biometric access control.
IT Security Countermeasures
• Countermeasures come in a variety of sizes,
shapes, and levels of complexity.
• Countermeasures must begin with a thorough
organizational security policy and include
technologies, education and enforcement.
Demilitarized Zone (DMZ)
• Sits between a trusted internal
network, such as a corporate
private LAN, and an untrusted
external network, such as the
public Internet
• Contains devices accessible to
Internet traffic, such as Web
(HTTP) servers, FTP servers,
SMTP (e-mail) servers and
DNS servers
Bastion Host
• A gateway between an inside network and an
outside network
• A security measure to defend against attacks
aimed at the inside network
Diagram labels: Trusted network, Firewall, DMZ (Bastion Host), Firewall, Untrusted network (Internet)
Network Address Translation (NAT)
• Located where the LAN meets the Internet
• Provides a type of firewall by hiding internal IP
addresses from external or untrusted users
• Expands the number of internal IP addresses
available to an organization
• No possibility of conflict with IP addresses used
by other companies and organizations
NAT
Reserved NAT addresses:
10.x.x.x
172.16.x.x
192.168.x.x
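The slide above describes what NAT does; the following is an added example written for this lesson, not code from the original course. It is a toy port-translating NAT (NAPT) table in Python: several internal hosts with private addresses share a single public address, their internal addresses never appear outside, and an inbound packet that matches no mapping is dropped. The addresses and ports are constructed sample values, and the private ranges are the three listed on the slide written in CIDR form.

```python
"""Added illustration, not part of the original lesson: a toy port-translating
NAT (NAPT) table. It shows how many internal hosts with private addresses share
one public address, and why a packet that matches no mapping is dropped.
Addresses and ports are constructed sample values; the private ranges are the
three listed on the slide, written in CIDR form."""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if the address is in one of the reserved private ranges."""
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


class Nat:
    """Maps (internal ip, internal port) to a port on the single public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (internal ip, internal port) -> public port
        self.inbound = {}    # public port -> (internal ip, internal port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source. Returns the 4-tuple the
        outside world sees; the internal address never leaves the LAN."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an internal address")
        key = (src_ip, src_port)
        if key not in self.outbound:          # first packet of this flow
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inbound packet's destination back to the internal host.
        Returns None when no mapping exists, i.e. the packet is dropped."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        int_ip, int_port = self.inbound[dst_port]
        return (src_ip, src_port, int_ip, int_port)


def demo():
    """Two internal hosts reach the same web server through one public address."""
    nat = Nat("203.0.113.1")
    seen_outside = [
        nat.translate_out("192.168.1.10", 5000, "198.51.100.5", 80),
        nat.translate_out("192.168.1.11", 5000, "198.51.100.5", 80),
    ]
    reply = nat.translate_in("198.51.100.5", 80, "203.0.113.1", 40001)
    unsolicited = nat.translate_in("198.51.100.5", 80, "203.0.113.1", 40002)
    return seen_outside, reply, unsolicited


if __name__ == "__main__":
    outside, reply, unsolicited = demo()
    print("outside sees:", outside)
    print("reply to 40001 goes to:", reply)
    print("unsolicited to 40002:", unsolicited)
```

Running the demo shows both internal hosts appear outside as 203.0.113.1 on different ports, the reply to port 40001 is delivered to 192.168.1.11, and the unsolicited packet to port 40002 has no mapping and is dropped, which is the "type of firewall" effect the slide refers to.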
Firewalls
• Any device that prevents a specific type of
information from moving between an untrusted
network and a trusted network
• Made up of both software and hardware:
May reside on a separate and dedicated computer
system
May reside on an existing computer or network device
(router or switch)
May reside on a dedicated appliance specifically
designed for greater performance
First Generation Firewalls
• Called packet filtering firewalls.
• Examined every incoming packet header and
selectively filtered packets based on:
addresses
packet types
port request
and other factors
• Implemented restrictions based on:
IP source and destination address
Direction (inbound or outbound)
TCP/UDP source and destination port-requests
Second Generation Firewalls
• Called an application-level firewall or proxy server
• A dedicated computer separate from the filtering
router (filtering routers can still be implemented
behind the proxy server)
• Exposed to the outside world in the DMZ
• Traffic passes through the proxy, which translates
the IP address.
• Designed for a specific protocol and cannot
easily be reconfigured to protect against attacks
on protocols for which they are not designed
(primary disadvantage)
Third Generation Firewalls
• Called stateful inspection firewalls
• Tracks each network connection established
between trusted and untrusted networks
• If the stateful firewall receives an incoming packet
that it cannot match in its state table, it falls back
to its access control list to determine whether to
allow the packet to pass
• Requires additional processing to manage and
verify packets against the state table (primary
disadvantage)
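To make the difference between the first and third generations concrete, here is an added example (written for this lesson, not code from the original course): a toy packet filter that applies an access control list on addresses, direction, protocol and port, and a stateful inspection layer that consults a state table first and falls back to the same ACL only for packets it cannot match, exactly as the slide describes. All addresses, ports and rules are constructed sample data.

```python
"""Added illustration, not part of the original lesson: a toy first-generation
packet filter (ACL on addresses, direction, protocol and port) with a
third-generation stateful inspection layer on top of it. All addresses, ports
and rules below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"
    direction: str      # "in" = from untrusted network, "out" = from trusted
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None is a wildcard for every field below
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.direction, p.direction), (self.proto, p.proto),
                 (self.src_ip, p.src_ip), (self.dst_ip, p.dst_ip),
                 (self.dst_port, p.dst_port))
        return all(want is None or want == got for want, got in pairs)


def acl_decision(acl, p: Packet) -> str:
    """First-generation packet filter: first matching rule wins, default deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Third-generation behaviour: consult the state table first, fall back
    to the ACL only for packets that belong to no tracked connection."""

    def __init__(self, acl):
        self.acl = list(acl)
        self.state = set()

    @staticmethod
    def _conn_key(p: Packet):
        # Same key for both directions of one connection.
        return (p.proto, frozenset({(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)}))

    def decide(self, p: Packet) -> str:
        key = self._conn_key(p)
        if key in self.state:
            return "allow"                     # continuation of a known connection
        verdict = acl_decision(self.acl, p)    # unknown packet: defer to the ACL
        if verdict == "allow" and (p.proto == "udp" or p.syn):
            self.state.add(key)                # remember the admitted connection
        return verdict


# Constructed sample policy: internal users may browse HTTPS; the Internet may
# reach only the DMZ web server. Everything else falls to the default deny.
ACL = [
    Rule("allow", direction="out", proto="tcp", dst_port=443),
    Rule("allow", direction="in", proto="tcp", dst_ip="203.0.113.10", dst_port=80),
]

SAMPLE_TRAFFIC = [
    ("client opens HTTPS session",
     Packet("192.168.1.20", "198.51.100.5", 51000, 443, "tcp", "out", syn=True)),
    ("server reply to that session",
     Packet("198.51.100.5", "192.168.1.20", 443, 51000, "tcp", "in")),
    ("unsolicited inbound packet from port 443",
     Packet("198.51.100.5", "192.168.1.20", 443, 51001, "tcp", "in")),
    ("Internet user reaches DMZ web server",
     Packet("198.51.100.77", "203.0.113.10", 40000, 80, "tcp", "in", syn=True)),
]


def compare_generations(traffic=SAMPLE_TRAFFIC, acl=ACL):
    """Return (description, stateless verdict, stateful verdict) per packet."""
    fw = StatefulFirewall(acl)
    return [(desc, acl_decision(acl, p), fw.decide(p)) for desc, p in traffic]


if __name__ == "__main__":
    for desc, stateless, stateful in compare_generations():
        print(f"{desc:40} stateless={stateless:5} stateful={stateful}")
```

The second packet is the instructive one: the reply to a session the client opened is denied by the pure packet filter, because no inbound rule covers port 51000, while the stateful firewall admits it from its state table. A stateless filter would need a broad "allow inbound to high ports" rule to get the same result, which is the exposure stateful inspection removes at the cost of the extra processing the slide mentions.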
Fourth Generation Firewalls
• Called a context-based access control (CBAC)
firewall
• Intelligently filters packets based on application-layer
protocol session information and can be
used for intranets, extranets and internets
• Configured to permit specified traffic through a
firewall only when the connection is initiated
from within the network you want to protect
• Without CBAC, traffic filtering is limited to access
list implementations that examine packets at the
network layer or, at most, the transport layer
Fourth Generation Firewalls
• Allows support of protocols that involve multiple
channels created as a result of negotiations in
the control channel.
• Provides the following benefits:
Java blocking
Denial-of-Service prevention and detection
Real-time alerts and audit trails
Fifth Generation Firewalls
• Called the kernel proxy, a specialized form that
works under the Windows NT Executive (the
kernel of Windows NT)
• Evaluates packets at multiple layers of the
protocol stack
• More secure, because the operating system a
conventional firewall runs on is itself another
vulnerability
• More secure and performs additional security
inspections because the OS kernel was
specifically designed for the firewall
Fifth Generation Firewalls
Diagram labels: Trusted network, Kernel Proxy Firewall (a firewall with a scaled-down OS), DMZ (Web, Email, FTP), Internet (Untrusted)
RADIUS
• Most common access server for authenticating and
authorizing dial-up users of an organization’s
network
• Comprises three components:
An authentication protocol
A server (points to the RADIUS authentication database)
A client
• Supports a variety of methods to authenticate a
user
PPP
PAP
CHAP
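The slide names PAP and CHAP without showing what actually crosses the dial-up link. The following is an added example written for this lesson, not code from the original course or from any RADIUS implementation: a dial-up client and an access server that checks a shared secret against its user database, run once as PAP and once as CHAP. The CHAP response is computed as RFC 1994 specifies, MD5 over the identifier, the secret and the challenge; the user name and secret are constructed sample values.

```python
"""Added illustration, not part of the original lesson: the PAP and CHAP
exchanges between a dial-up client and an access server that checks the
shared secret against its user database (the role RADIUS plays on the slide).
User name and secret are constructed sample values."""
import hashlib
import secrets

# Constructed user database held by the authentication server.
USER_DB = {"alice": b"correct horse battery staple"}


def pap_exchange(username, password):
    """PAP: the client sends the password itself, so it crosses the link in
    the clear. Returns (accepted, what an observer of the link would see)."""
    on_the_wire = {"username": username, "password": password}
    stored = USER_DB.get(username)
    accepted = stored is not None and secrets.compare_digest(stored, password)
    return accepted, on_the_wire


def chap_response(identifier, secret, challenge):
    """CHAP response value per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_challenge(rng=secrets.token_bytes):
    """Server step 1: a fresh one-byte identifier and a random challenge."""
    return rng(1)[0], rng(16)


def chap_server_verify(username, identifier, challenge, response):
    """Server step 3: recompute the expected response from the stored secret."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = chap_response(identifier, stored, challenge)
    return secrets.compare_digest(expected, response)


def chap_exchange(username, client_secret):
    """Full CHAP exchange. The secret itself never crosses the link; only the
    challenge, the user name and the hashed response do."""
    identifier, challenge = chap_server_challenge()                  # server -> client
    response = chap_response(identifier, client_secret, challenge)  # client -> server
    accepted = chap_server_verify(username, identifier, challenge, response)
    on_the_wire = {"identifier": identifier, "challenge": challenge,
                   "username": username, "response": response}
    return accepted, on_the_wire


def replay_is_rejected(username, client_secret):
    """Why the challenge is random: a response captured from one successful
    exchange does not verify against the server's next challenge."""
    accepted, captured = chap_exchange(username, client_secret)
    identifier, fresh_challenge = chap_server_challenge()
    replayed = chap_server_verify(username, identifier, fresh_challenge,
                                  captured["response"])
    return accepted and not replayed


if __name__ == "__main__":
    secret = b"correct horse battery staple"
    print("PAP :", pap_exchange("alice", secret))
    print("CHAP:", chap_exchange("alice", secret))
    print("Replay rejected:", replay_is_rejected("alice", secret))
```

Comparing the two `on_the_wire` dictionaries shows the point of the slide's list of methods: with PAP the password itself is visible to anyone who can see the link, while with CHAP an observer sees a challenge and a 16-byte hash that is useless against the next, different challenge. The server still needs the secret in a recoverable form for CHAP, which is why the RADIUS authentication database it points to must itself be protected.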
RADIUS Authentication
TACACS Authentication
• Short for Terminal Access Controller Access
Control System
• Commonly used in UNIX networks
• Allows a remote access server to communicate
with an authentication server in order to
determine if the user has access to the network
TACACS Services
Intrusion Detection System (IDS)
• Identifies and tracks packets entering and
leaving a monitored network
• Acts as an alarm system, notifying you of unusual
events or traffic patterns
• Monitors your network and takes automatic predefined action
• Available options when implementing IDS:
Host based IDS
Network based IDS
Host-based Intrusion Detection System (HIDS)
• Installed locally on host machines
• Installed on many different types of machines
(servers, workstations and notebook computers)
• Traffic sent to the host is analyzed and passed on
to the host only if the transmission contains no
potentially malicious packets
• Host-based installations focus on anomalies on
the local machine
• Platform specific
• Complete coverage requires both host-based and
network-based IDS
Network-based Intrusion Detection Systems
• Operates differently from host-based IDS
• Scans network packets, auditing packet
information, and logs any suspicious packets into
a special log file with extended information
• Compares packets against its database of known
network attack signatures and assigns a severity
level to each suspicious packet
• If the severity level is high enough, a warning e-mail
or pager call is placed to security team members,
who investigate the nature of the anomaly
Network-Based Intrusion Detection Systems
• Known malicious network activity:
IP Spoofing
Denial-of-service attacks
ARP cache poisoning
DNS name corruption
Man-in-the-middle attacks
• Require that the host system's network device be
set to promiscuous mode, which allows the
device to capture every packet passed on the
network
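The two network-based IDS slides above describe the pipeline (inspect packets, match known attack signatures, assign a severity, alert the team when it is high enough) without showing it in operation. The following is an added example written for this lesson, not code from the original course or from any IDS product: a miniature sensor that runs constructed packet records through two of the signatures named on the slide, IP spoofing and ARP cache poisoning, plus a batch check for one source probing many ports (the port-scan behaviour discussed later in the lesson), then raises alerts for entries at or above a severity threshold. The packet records, the gateway's "known-good" ARP binding and the severity values are all constructed sample data.

```python
"""Added illustration, not part of the original lesson: a miniature
network-based IDS that checks packet records against known-attack signatures,
assigns a severity level and raises an alert when the severity crosses a
threshold. Packet records and signatures are constructed sample data."""
import ipaddress
from collections import defaultdict

# Constructed reference data the sensor would be configured with.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY = {"ip": "192.168.1.1", "mac": "00:11:22:33:44:55"}  # known-good ARP binding
ALERT_THRESHOLD = 4    # severity at or above this pages the security team
SCAN_PORT_LIMIT = 10   # distinct destination ports from one source in a batch


def sig_ip_spoofing(pkt):
    """Packet seen on the external interface claims a private internal source."""
    src = pkt.get("src_ip")
    return (pkt.get("iface") == "ext" and src is not None
            and any(ipaddress.ip_address(src) in net for net in PRIVATE_NETS))


def sig_arp_poisoning(pkt):
    """ARP reply binding the gateway's IP to a MAC other than the known one."""
    return (pkt.get("type") == "arp-reply" and pkt.get("ip") == GATEWAY["ip"]
            and pkt.get("mac") != GATEWAY["mac"])


# Per-packet signatures: (name, predicate, severity on a 1..5 scale)
SIGNATURES = [
    ("IP spoofing", sig_ip_spoofing, 4),
    ("ARP cache poisoning", sig_arp_poisoning, 5),
]


def detect_port_scans(packets, limit=SCAN_PORT_LIMIT):
    """Batch signature: one source sending SYNs to many distinct TCP ports."""
    ports = defaultdict(set)
    for pkt in packets:
        if pkt.get("type") == "tcp-syn":
            ports[pkt["src_ip"]].add(pkt["dst_port"])
    return [(f"port scan from {src}", 3) for src, seen in sorted(ports.items())
            if len(seen) >= limit]


def analyze(packets, threshold=ALERT_THRESHOLD):
    """Return (suspicious_log, alerts); alerts are log entries at/above threshold."""
    log = []
    for idx, pkt in enumerate(packets):
        for name, predicate, severity in SIGNATURES:
            if predicate(pkt):
                log.append({"packet": idx, "signature": name,
                            "severity": severity, "detail": pkt})
    for name, severity in detect_port_scans(packets):
        log.append({"packet": None, "signature": name,
                    "severity": severity, "detail": None})
    alerts = [entry for entry in log if entry["severity"] >= threshold]
    return log, alerts


def notify(alerts):
    """Stand-in for the e-mail or pager call; returns the messages it would send."""
    return [f"ALERT sev {a['severity']}: {a['signature']} (packet {a['packet']})"
            for a in alerts]


# Constructed sample capture: one ordinary request plus three suspicious events.
SAMPLE_CAPTURE = (
    [{"type": "tcp-syn", "iface": "ext", "src_ip": "198.51.100.7",
      "dst_ip": "203.0.113.10", "dst_port": 80}]                 # ordinary web hit
    + [{"type": "tcp-syn", "iface": "ext", "src_ip": "192.168.1.50",
        "dst_ip": "203.0.113.10", "dst_port": 22}]              # spoofed internal source
    + [{"type": "arp-reply", "iface": "int", "ip": "192.168.1.1",
        "mac": "de:ad:be:ef:00:01"}]                            # gateway MAC changed
    + [{"type": "tcp-syn", "iface": "ext", "src_ip": "198.51.100.99",
        "dst_ip": "203.0.113.10", "dst_port": port}
       for port in range(20, 32)]                               # 12 ports probed
)


if __name__ == "__main__":
    log, alerts = analyze(SAMPLE_CAPTURE)
    print(f"{len(log)} suspicious entries, {len(alerts)} alerts")
    for message in notify(alerts):
        print(message)
```

On the sample capture the log holds three entries but only two alerts: the spoofed source and the poisoned ARP binding clear the threshold, while the port scan is recorded at severity 3 for later review. Tuning that threshold, and the port-count limit, is the practical trade-off between missed events and paging the team for noise.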
Port Scanners
• All machines connected to a Local Area Network
(LAN) or Internet run many services that listen at
well-known and not so well known ports
• By port scanning, the attacker finds which ports
are available (i.e., what service might be listening
on a port)
• A port scan consists of sending a message to
each port, one at a time
• The kind of response received indicates whether
the port is used and can therefore be probed
further for weakness
Port Numbers
• Port numbers are not strictly controlled, but over the
decades certain ports have become standard for
certain services
• The port numbers are unique only within a
computer system
• Port numbers are 16-bit unsigned numbers
• The port numbers are divided into three ranges:
Well Known Ports (0 - 1023)
Registered Ports (1024 - 49151)
Dynamic and/or Private Ports (49152 - 65535)
Well-Known Ports
• Ports numbered 0 to 1023 are assigned to
services by the Internet Assigned Numbers
Authority (IANA)
• Sample ports:
Echo          7/tcp
FTP-data      20/udp
FTP-Control   21/tcp
SSH           22/tcp
Telnet        23/tcp
DNS           53/udp
WWW-HTTP      80/tcp
Vulnerability Scanners
• Capable of scanning networks for very detailed
information
• Identify exposed usernames and groups
• Show open network shares
• Expose configuration problems, and other
vulnerabilities in servers
Packet Sniffers
• Collects copies of packets from the network and
analyzes them
• Eavesdrops on the network traffic
• Legal use requires:
Being on a network that the organization owns
Having direct authorization from the owners of the
network
Having the knowledge and consent of the content
creators (users)
Content Filters
• Allow administrators to restrict accessible
content from within a network
• Restrict Web sites with inappropriate content
Honey Pots
• Can detect encrypted attacks in IPv6 networks and
capture the latest in on-line credit card fraud
• Designed to distract the attacker while notifying
the administrator of a possible attack or break in
• Provide two major security features:
Slow down the attacker
Provide detection and tracking
Biometrics
• Automatically recognizing a person using
distinguishing traits.
• Defined as automated methods of identifying or
verifying the identity of a living person based on
physiological or behavioral characteristics
http://www.idsysgroup.com/ftp/biometrics_101_ISG.pdf
Types of Biometrics
• Iris Recognition
• Finger Scan
• Hand Geometry
• Facial Recognition
• Signature Dynamics
• Voice Dynamics
• Retinal Scan
• Vascular Patterns