Transcript Chapter 2

Guide to Network Defense
and Countermeasures
Chapter 2
Chapter 2 - Designing a Network Defense

Understand covert channeling and other common attack threats you need to defend against
Describe the network security components that make up a layered defense configuration
List the essential activities that need to be performed in order to protect a network
Integrate an intrusion detection system (IDS) into a network security configuration

Common Attack Threats

The kinds of security attacks faced include:

Covert channels carry data over a path that was never meant for communication, for example by tunneling commands or stolen data inside ICMP or DNS traffic, so that the traffic passes through ports and protocols the firewall already allows
Denial of Service (DoS) attacks make servers and networks unavailable to legitimate users
Remote procedure call (RPC) abuses give hackers access through Windows networking services
Viruses and Trojan horses enter through e-mail messages or downloaded files
Man-in-the-middle attacks let a hacker read or alter the traffic between two parties, destroying privacy
Fragmented IP packets can be used to sneak malicious code past filters

Common Attack Threats

Network vulnerabilities include services and computers that might present openings:

Vulnerable services: a flaw in a server program that a hacker may be able to exploit
E-mail gateways: a hacker attaches a virus payload to a message; when the recipient opens the attachment, the program runs and the virus installs itself
Porous border: a computer that is listening on a port or service it does not actually need exposes an entry point that nobody is watching
Gullible employees: users can be fooled by hackers into revealing passwords or running malicious programs (social engineering)

Common Attack Threats

Denial of Service (DoS) attacks are launched against network servers:

The server is flooded with more requests to view Web pages and access files than it can handle
The server is so busy responding to the requests generated by the DoS attack that it is unable to process legitimate requests; as a result, the service is effectively blocked
Numerous types of DoS attacks exist; the more common are SYN floods and address spoofing

Common Attack Threats

DoS attacks (cont.):

In a SYN flood attack, the attacker sends a TCP packet to the host with the SYN flag set; the server responds with a SYN-ACK and allocates resources for the half-open connection while it waits for the final ACK, which the attacker never sends; the attacker sends a flood of such SYN requests (often from spoofed source addresses, so the SYN-ACKs go nowhere) and eventually the server's connection backlog is exhausted and new clients cannot connect
In an address spoofing attack of the kind known as a LAND attack, the attacker finds an open port, then sends a packet whose source address and port are set to the server's own address and port; older TCP/IP stacks loop on such a packet and can hang or crash

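The two attacks described above can be recognized on the wire by keeping a table of half-open connections per source and checking each packet for a source that equals its destination. The following is an added example written for this transcript, not code from the textbook; the packet layout, the server address 192.0.2.10, the sample traffic and the threshold of five half-open connections are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Number of half-open connections from one source that triggers an alert.
# Assumed threshold for this example; a real monitor tunes it to the server's backlog.
HALF_OPEN_THRESHOLD = 5


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # handshake flags as sent by the client: "S" (SYN) or "A" (final ACK)


class HalfOpenMonitor:
    """Tracks half-open TCP connections as seen on the server's network segment.

    A SYN from a client opens a half-open entry; the client's ACK (third step of
    the handshake) closes it. A source that accumulates `threshold` or more
    half-open entries is reported once as SYN-flooding. A packet whose source
    address equals its destination address is reported as LAND-style spoofing.
    """

    def __init__(self, threshold=HALF_OPEN_THRESHOLD):
        self.threshold = threshold
        self.half_open = defaultdict(set)  # src -> {(sport, dport), ...}
        self.alerts = []                   # (kind, source) in detection order
        self._flagged = set()              # sources already reported for SYN flood

    def observe(self, pkt):
        if pkt.src == pkt.dst:
            self.alerts.append(("land", pkt.src))
            return
        key = (pkt.sport, pkt.dport)
        if pkt.flags == "S":
            self.half_open[pkt.src].add(key)
            if (len(self.half_open[pkt.src]) >= self.threshold
                    and pkt.src not in self._flagged):
                self._flagged.add(pkt.src)
                self.alerts.append(("syn_flood", pkt.src))
        elif pkt.flags == "A":
            # Third handshake packet: the connection is fully open, drop the entry
            self.half_open[pkt.src].discard(key)

    def pending(self, src):
        """Number of half-open connections currently attributed to `src`."""
        return len(self.half_open[src])


def analyze(packets, threshold=HALF_OPEN_THRESHOLD):
    mon = HalfOpenMonitor(threshold)
    for p in packets:
        mon.observe(p)
    return mon


# Constructed sample traffic (not a real capture): one legitimate client that
# completes its handshakes, one attacker that sends SYNs and never ACKs, and one
# LAND-style packet whose source equals the server's own address and port.
SERVER = "192.0.2.10"
SAMPLE_TRAFFIC = [
    TcpPacket("10.0.0.5", 51234, SERVER, 80, "S"),
    TcpPacket("10.0.0.5", 51234, SERVER, 80, "A"),
    TcpPacket("10.0.0.5", 51235, SERVER, 80, "S"),
    TcpPacket("10.0.0.5", 51235, SERVER, 80, "A"),
] + [
    TcpPacket("198.51.100.7", 40000 + i, SERVER, 80, "S") for i in range(6)
] + [
    TcpPacket(SERVER, 80, SERVER, 80, "S"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_TRAFFIC)
    for kind, src in result.alerts:
        print(f"ALERT {kind}: source {src}")
    print("half-open from 198.51.100.7:", result.pending("198.51.100.7"))
```

Only the client-to-server direction is fed to the monitor, which is what a sensor on the server's segment would see from the outside; the legitimate client ends with zero pending entries while the attacker's entries never clear. A flood from spoofed sources would show up as many sources each holding a few entries, so a production monitor also watches the server-wide total, which this example omits.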
Common Attack Threats

Other attacks:

In a Remote Procedure Call (RPC) attack, RPC packets that contain spoofed source addresses are sent to a server; when the RPC server cannot complete the request, it sends an RPC REJECT reply; if enough spoofed RPC packets are sent, generating the REJECT replies drains server resources
A virus is computer code that copies itself from one file or system to another and performs actions that range from benign to harmful; a worm is a self-contained program that spreads across the network on its own, without needing a host file or a user to run it, consuming bandwidth, disk space and processing capacity as it propagates

Common Attack Threats

Other attacks (cont.):

A Trojan horse is a harmful program disguised as something useful; once run, it typically creates a back door - an opening such as a listening port or a remote terminal service - that gives a hacker the ability to control the computer
In a man-in-the-middle attack, a hacker positions himself between two parties and intercepts their session (including sessions that are supposed to be encrypted, when the endpoints do not properly authenticate each other); he can then read, alter or inject what is being exchanged and, as a result, impersonate the intended recipient
By sending IP fragments with false offsets, so that they overlap or are too small to carry a complete transport-layer header, a hacker can sometimes fool a host or firewall into reassembling and accepting packets that would have been blocked had they been seen whole

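A defender's reassembly check for the fragment trick described above, as an added example that is not part of the textbook: it reassembles one datagram's fragments but refuses overlapping fragments and a first fragment too short to hold a transport header. The Fragment layout, the 20-byte minimum (the size of a TCP header without options), the HTTP request and the three sample fragment sets are constructed for illustration.

```python
from dataclasses import dataclass

# Minimum bytes the first fragment must carry so that a filter inspecting only
# the first fragment sees the whole transport header (assumed: 20, a TCP header
# without options).
MIN_FIRST_FRAGMENT = 20


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int     # byte offset into the original payload (the header field times 8)
    more: bool      # More Fragments flag
    payload: bytes


def inspect_datagram(fragments, min_first=MIN_FIRST_FRAGMENT):
    """Reassemble one datagram's fragments, refusing the tricks a filter must catch.

    Returns (verdict, payload): verdict is "ok", "tiny-first", "overlap" or
    "incomplete"; payload holds the reassembled bytes only when verdict is "ok".
    """
    frags = sorted(fragments, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0:
        return ("incomplete", b"")
    # A first fragment too short for the transport header hides part of it
    # (for TCP, the flags) from a filter that only looks at the first fragment.
    if frags[0].more and len(frags[0].payload) < min_first:
        return ("tiny-first", b"")
    buf = bytearray()
    end = 0  # byte position just past the data reassembled so far
    for f in frags:
        if f.offset < end:
            # Overlap: a later fragment would rewrite bytes already accepted.
            # Hosts disagree about which copy wins, so a filter must reject it.
            return ("overlap", b"")
        if f.offset > end:
            return ("incomplete", b"")
        buf += f.payload
        end += len(f.payload)
    if frags[-1].more:
        return ("incomplete", b"")
    return ("ok", bytes(buf))


def split(ident, data, chunk):
    """Fragment data honestly: contiguous chunks with offsets that are multiples of 8."""
    assert chunk % 8 == 0
    return [
        Fragment(ident, off, off + chunk < len(data), data[off:off + chunk])
        for off in range(0, len(data), chunk)
    ]


# Constructed sample datagrams (not real captures).
HTTP_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

GOOD = list(reversed(split(1, HTTP_REQUEST, 24)))   # honest, arriving out of order

OVERLAP = [   # second fragment starts inside the bytes the first one already covers
    Fragment(2, 0, True, b"GET /index.html HTTP/1.0"),
    Fragment(2, 16, False, b"HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
]

TINY = [      # first fragment carries only 8 bytes of the transport layer
    Fragment(3, 0, True, b"GET /ind"),
    Fragment(3, 8, False, HTTP_REQUEST[8:]),
]

if __name__ == "__main__":
    for name, frags in (("good", GOOD), ("overlap", OVERLAP), ("tiny", TINY)):
        verdict, data = inspect_datagram(frags)
        print(f"{name}: {verdict} {data[:24]!r}")
```

Rejecting rather than "repairing" an overlap is the safe choice for a perimeter device: whichever copy of the overlapped bytes the firewall picks, some end host behind it may pick the other, and that difference is exactly what the attacker relies on.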
Providing Layers of Network Defense

Good network protection involves arranging a group of components in such a way that they provide layers of network defense:

Layer 1: Physical security protects computers from theft (use locks), fire, or environmental disaster
Layer 2: Password security means using good passwords, securing them, and changing them as needed
Layer 3: Operating system security involves installing operating system patches, hotfixes and service packs; also disabling guest accounts and unneeded services

Providing Layers of Network Defense

Layers of network defense (cont.):

Layer 4: Using anti-virus protection means setting up anti-virus software and updating definitions
Layer 5: Packet filtering blocks or allows the transmission of packets based on port, IP address, protocol, or other header criteria; packet filters come in the form of routers, operating systems, or firewalls; a stateless packet filter judges each packet in isolation against its rule base, so it cannot tell a reply to a connection opened from inside from an unsolicited inbound packet, whereas a stateful packet filter goes further and maintains a state table of established connections alongside the rule base, allowing return traffic only for connections it has seen opened

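The stateless-versus-stateful distinction is easiest to see by running the same traffic through both kinds of filter. The example below is added for this transcript and is not from the textbook or any firewall product; the rule and packet layouts, the two rule bases and the four sample packets are constructed. It shows the practical cost of statelessness: to let replies reach internal clients, the stateless rule base has to admit inbound traffic to every high port, and that same rule also admits an attacker's unsolicited SYN.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool   # True for a connection-opening SYN


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport_range: tuple   # inclusive (low, high); (0, 65535) means any port
    action: str          # "allow" or "deny"
    note: str = ""


def first_match(rules, pkt):
    """Stateless evaluation: walk the rule base top to bottom, default deny."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and r.dport_range[0] <= pkt.dport <= r.dport_range[1]):
            return r.action
    return "deny"


class StatefulFilter:
    """The same rule base plus a state table of connections opened from inside."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        if pkt.direction == "in":
            # Reply to a tracked outbound connection: allowed without a rule
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "allow"
        verdict = first_match(self.rules, pkt)
        if verdict == "allow" and pkt.direction == "out" and pkt.syn_only:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def evaluate(rules, packets, stateful):
    """Return the verdict for each packet, in order, under one filter type."""
    if stateful:
        flt = StatefulFilter(rules)
        return [flt.check(p) for p in packets]
    return [first_match(rules, p) for p in packets]


# Constructed rule bases (hypothetical site policy, not a vendor configuration).
# Stateless: to let replies reach inside clients it must open all high ports.
STATELESS_RULES = [
    Rule("out", "tcp", (0, 65535), "allow", "any outbound"),
    Rule("in", "tcp", (80, 80), "allow", "public web server"),
    Rule("in", "tcp", (1024, 65535), "allow", "return traffic (the hole)"),
]
# Stateful: the state table handles replies, so no high-port rule is needed.
STATEFUL_RULES = [
    Rule("out", "tcp", (0, 65535), "allow", "any outbound"),
    Rule("in", "tcp", (80, 80), "allow", "public web server"),
]

WEB = "192.0.2.10"
TRAFFIC = [
    Packet("out", "tcp", "10.0.0.5", 51234, "203.0.113.9", 443, True),   # user opens HTTPS
    Packet("in", "tcp", "203.0.113.9", 443, "10.0.0.5", 51234, False),   # the reply
    Packet("in", "tcp", "198.51.100.7", 6000, "10.0.0.5", 3389, True),   # unsolicited RDP SYN
    Packet("in", "tcp", "203.0.113.9", 51000, WEB, 80, True),            # public web request
]

if __name__ == "__main__":
    for name, rules, st in (("stateless", STATELESS_RULES, False),
                            ("stateful", STATEFUL_RULES, True)):
        print(name, evaluate(rules, TRAFFIC, st))
```

The state table keyed on the full four-tuple is what makes the third packet's verdict differ: nobody inside opened a connection to 198.51.100.7, so the stateful filter falls back to the rule base, which has no rule for port 3389. A real state table also expires entries and checks TCP flags, which are left out here.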
Providing Layers of Network Defense

Layers of network defense (cont.):

Layer 6: Firewalls reflect the heart of a company's security policy in that they control the traffic the network receives and the ease with which users can access external networks; two firewall approaches exist: permissive (default allow), which lets traffic through by default and blocks on a case-by-case basis, and restrictive (default deny), which blocks all traffic by default and allows it on a case-by-case basis; another function performed by firewalls is Network Address Translation (NAT), which rewrites the private internal IP addresses in outgoing packets to a public address (and back again for the replies), so that internal hosts are not directly addressable from the Internet

Providing Layers of Network Defense

Layers of network defense (cont.):

Layer 7: Proxy servers conceal end users in a network and act as a go-between, forwarding data between internal users and external hosts; a proxy accepts each connection on the port used by the service it handles, screens the application-level traffic into and out of that port, and decides whether to block or allow it based on rules set up by the proxy server administrator; because proxies see application content but are slower and specific to one service, while packet filters are fast but see only headers, the two need to be used together in a firewall

Providing Layers of Network Defense

Layers of network defense (cont.):

Layer 8: DMZ, or demilitarized zone, is a network that sits outside the internal network (but is connected to the firewall), and makes services publicly available while protecting the internal LAN; DMZs are a standard in e-commerce for protecting the transaction servers that the public must reach; the most common type of DMZ is a screened subnet, a separate subnet attached to its own firewall interface on which the public service servers (Web, e-mail, DNS) are grouped, so that a compromise of one of them does not give direct access to the internal LAN; often, a company will add a second firewall between the DMZ and the internal network for an extra level of security

Providing Layers of Network Defense

Layers of network defense (cont.):

Layer 9: Intrusion detection systems (IDSs) work by recognizing the signs of a possible attack and sending a notification to an administrator
Layer 10: Virtual private networks (VPNs) provide a relatively low-cost and secure connection between organizations over the public Internet; VPNs authenticate the users or gateways, encrypt packets, and encapsulate the encrypted packets inside new packets for transit
Layer 11: Logging and administration involves reviewing and analyzing firewall and IDS log files

Essential Network Security Activities

The most common activities of any network security configuration are:

Encryption, which is the process of concealing information to render it unreadable to all but the intended recipients; for transactions, a digital signature - a value computed over the files being exchanged with the sender's private key and checked with the sender's public key - is attached so that each party can verify the other's identity and that the files were not altered in transit
Authentication is the act of reliably determining whether an entity is who it claims to be

Essential Network Security Activities

Security configuration activities (cont.):

Developing a packet filtering rule base, which is the ordered set of individual rules that the filter reviews, top to bottom, when it encounters a packet
Virus protection is a central activity that needs to be performed to protect a network and its users; it should scan the content of e-mail messages and their attachments
Secure remote access is one of the biggest security challenges facing organizations that communicate via the Internet and need to provide access for remote users; a VPN provides an ideal solution

Essential Network Security Activities

Security configuration activities (cont.):

Working with log files involves reviewing and maintaining these files so that you can detect intrusion attempts by suspicious patterns of activity
Managing log files is tedious and time consuming, but the network administrator must read log files to see who is accessing the network from the Internet
Log files compiled by firewalls allow you to see active data, recently recorded data, system events, security events, traffic and packets; use graphic displays of log file entries where the firewall provides them, since patterns such as scans stand out more readily in a chart than in raw text

Integrating Intrusion Detection Systems (IDSs)

An IDS fits into an overall network security program in the following ways:

The best way to configure an IDS is to anticipate what attacks you are likely to encounter so that you can make sure the IDS has the appropriate signatures or rules available to it
A good IDS notifies the appropriate individuals and provides information about what type of event occurred and where it took place
The logical place for locating an IDS is near the point where the internal network interfaces with the external Internet

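The two ideas above, rules written for the attacks you expect and alerts that say what happened and where, and the earlier point that suspicious patterns are found by working through log files, can be shown in one small detector. The following is an added example written for this transcript, not code from the textbook or from any IDS product. The log line format, the seven sample lines, the port-scan threshold (four distinct ports from one source within 60 seconds) and the two content signatures are all constructed and would be tuned to a real site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines (not from any real product). Assumed format:
# <timestamp> <ACTION> <proto> <src>:<sport> -> <dst>:<dport> [request line]
SAMPLE_LOG = """\
2024-03-04T10:22:01Z DENY tcp 198.51.100.7:4455 -> 192.0.2.10:21
2024-03-04T10:22:01Z DENY tcp 198.51.100.7:4456 -> 192.0.2.10:22
2024-03-04T10:22:02Z DENY tcp 198.51.100.7:4457 -> 192.0.2.10:23
2024-03-04T10:22:02Z DENY tcp 198.51.100.7:4458 -> 192.0.2.10:25
2024-03-04T10:22:03Z ALLOW tcp 198.51.100.7:4459 -> 192.0.2.10:80 GET /cgi-bin/../../etc/passwd
2024-03-04T10:25:40Z ALLOW tcp 203.0.113.9:51000 -> 192.0.2.10:80 GET /index.html
2024-03-04T10:26:11Z DENY tcp 203.0.113.9:51001 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<request>.*))?$"
)

# Detection settings (assumed thresholds; tune them to the site).
SCAN_PORTS = 4                          # distinct destination ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)     # ... within this window counts as a port scan

# Content signatures applied to the request field of traffic that was ALLOWed.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("cmd-exec-probe", re.compile(r"cmd\.exe", re.I)),
]


def parse(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def detect(log_text):
    """Return alerts as (kind, source, where) tuples, at most one per source and kind."""
    alerts, reported = [], set()
    recent = defaultdict(deque)    # src -> deque of (ts, dport) inside the window

    def alert(kind, src, where):
        if (kind, src) not in reported:
            reported.add((kind, src))
            alerts.append((kind, src, where))

    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst = rec["src"], rec["dst"]
        # Port-scan rule: count distinct ports one source touched inside the window
        q = recent[src]
        q.append((rec["ts"], rec["dport"]))
        while q and rec["ts"] - q[0][0] > SCAN_WINDOW:
            q.popleft()
        if len({port for _, port in q}) >= SCAN_PORTS:
            alert("port-scan", src, dst)
        # Signature rules: only traffic that got through can carry an exploit
        if rec["action"] == "ALLOW" and rec["request"]:
            for kind, pattern in SIGNATURES:
                if pattern.search(rec["request"]):
                    alert(kind, src, f"{dst}:{rec['dport']}")
    return alerts


if __name__ == "__main__":
    for kind, src, where in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: from {src} against {where}")
```

Note that the DENY lines alone are enough to catch the scan, while the traversal attempt is found in a line the firewall ALLOWed: the packet filter did its job on port 80 and it is the signature, not the rule base, that sees the attack. That is the division of labour between the packet filter and the IDS that the chapter describes.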
Chapter Summary

This chapter gives you a rundown of the fundamental network security tools and approaches you need to design a defensive perimeter. An effective network security strategy involves many layers of defense working together to prevent many different kinds of threats
You begin by reviewing the common security threats you need to guard against. These include Denial of Service attacks such as SYN floods and address spoofing; covert channeling attacks; virus attacks; and man-in-the-middle attacks

Chapter Summary

The following are the layers of network security that you can set up:

Layer 1, or physical security - lock computers, provide environmental controls, use alarm systems
Layer 2, or password security - use good passwords and change them regularly
Layer 3, or operating system security - install operating system patches and updates, and close obvious holes such as unused services and the ports they listen on
Layer 4, or use of anti-virus protection - set up anti-virus software and update virus definitions periodically
Layer 5, or packet filtering - set up a packet filtering rule base

Chapter Summary

Layers of network security (cont.):

Layer 6, or use of firewalls - set up a DMZ and firewall to protect your internal LAN while providing external clients with public services such as Web pages
Layer 7, or use of proxy server - set up a proxy server to conceal the identity of internal hosts
Layer 8, or use of DMZ - place proxy servers, Web servers, e-mail servers, and other public servers in an area outside of the internal network but still protected by the firewall, called a DMZ
Layer 9, or use of Intrusion Detection System (IDS) - set up an IDS to notify you when security events occur

Chapter Summary

Layers of network security (cont.):

Layer 10, or use of virtual private network (VPN) - set up a VPN and secure remote clients with firewalls and anti-virus software
Layer 11, or use of logging and administration - keep reviewing your firewall, packet filtering, and IDS logs on a regular basis
Encryption protects data as it passes from one network to another, and authentication limits access to authorized users

Chapter Summary

Packet filtering allows or blocks packets based on a set of rules, and virus protection helps prevent computer systems from being attacked
Secure remote access gives contractors and mobile users a way to connect to the home network; log files give the network administrator the ability to analyze who is accessing the network from the Internet, as well as a way of detecting intrusion attempts based on patterns of suspicious activity

Chapter Summary

An IDS is an ideal tool for real-world situations in which security breaches occur. The IDS can notify you by e-mail, by log file alert messages, or even by sending a message to your pager. The IDS should be located on the perimeter of the network, but it can be located in any number of places - on a server in the DMZ, between the external router and the Internet, or between the router and the LAN

Chapter Summary

When you receive an alert from an IDS, react rationally and use the alerts to assess whether the network has actually been breached or not, and to track what resources, if any, have been affected