Transcript ISACA

ISACA Presentation
Network Security
Fundamentals
Prepared and Presented by
Deloitte & Touche
Strategic Security Services
Introductions
Your Instructor
Introduce Yourself
• Brief Background
• Familiarity With Security
Expectations
• My Expectations As Your Instructor
• The ONE Thing You Want To Learn Most From This Session?
Session Overview
Network Overview
TCP/IP protocol
Components of a secure network
Firewall technology
Encryption Overview
VPNs
Digital Certificates
Kerberos
Web security Overview
SSL
Redirectors and Load balancing
CGI considerations
Sample Files
Session Overview
Network Overview
TCP/IP protocol
Components of a secure network
Firewall technology
TCP/IP and Networking
Anatomy of a TCP/IP Packet
Diagram: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) set against the fields of a packet on the wire: Source MAC Address and Destination MAC Address (Data Link), Source IP Address and Destination IP Address (Network), Source Port Number and Destination Port Number (Transport), and the Payload (Session Data). Each of the three headers carries its own checksum (CSUM).
TCP/IP and Firewalls
Different firewalls operate at different levels of the OSI model. Routers and
some appliance-based firewalls are capable of screening packets only at the
Network and Transport layers of the OSI model.
Proxy servers protect networks at the application layer only. This is the
highest level of protection but operates at the highest cost: all functions are
extremely resource intensive (requiring large amounts of processing power,
memory, and sometimes disk space).
Stateful Inspection engines protect the network from the Data Link layer to
the Application layer (generally focusing on the network and transport layers).
Adaptive proxy is similar to Stateful Inspection but approaches the sliding
security scale from the application layer. This allows you to apply higher levels
of security to some types of transactions and lower levels of security to others.
Protect The Network! But How?
Zones of Containment
Commonly referred to as Demilitarized Zones or DMZs
What is the function of a DMZ?
• Separate the inside network from the publicly accessible network.
• Maintain internal network security if the DMZ network gets compromised.
• Provide access between sites with different levels of trust.
• Provide distinct layers of security (zones can only be crossed through
firewalls).
Why use zones
Zones are utilized for the following reasons:
• To restrict access between trusted and non-trusted networks
• To provide Internet access to services without compromising the
security of your internal network
• To mitigate risk between distinct networks (e.g. between
development, test, and production networks)
• To allow vendors or partners access to data on your network but
not within your production environment
• To segregate the different divisions within your own production
network (e.g. HR, Development, Procurement, Finance)
Why use zones
Zones are a part of the concept of layered security.
• The goal of a “layered” approach is to have the most
sensitive network nested as far away as possible from the
Internet.
• Each network is separated by a firewall. It is strongly
recommended that a heterogeneous firewall implementation
be employed.
• Access to more internal networks should be authenticated
and/or encrypted according to the sensitivity of the data
contained on the network.
Zone Model
This is an example of how a firewall would be employed to
create distinct security zones or layers of security. Remember
that this is only an example and should not be considered the
only way to achieve high levels of security.
Diagram: the Internet enters through an Intrusion Detection System and the FireWall, with encrypted and authenticated VPN’s terminating there. “The DMZs” hold the Mail Relay, HTTP, CVP, DNS and an IDS. Deeper zones hold the Protected Web Application Servers (the E-Commerce Application) and the Protected servers (PKI, DC).
Address Translation
Network Address Translation, commonly referred to as NAT, is a mechanism for
reducing the need for globally available network addresses. Address Translation
allows organizations without globally unique addresses to connect to the internet by
translating those non-unique addresses into “public” addresses.
Address translation is simply the process of exchanging an IP address for another.
This can be done in a variety of ways but is most often handled by a firewall or
router. The firewall or router handles the process of changing the IP address of the
packets as they enter and leave the protected network space. This is done through the
use of a dynamically generated table called a NAT table. The NAT table is simply a
list of internal and external address to address or address to port mappings.
How NAT works
Diagram: the firewall fw.ctl.com sits between the Outside, where the Internet is reached through a router and addresses are legal (207.250.227.19), and the Inside, where addresses are illegal (10.10.10.0). Inside are the Mail server (email.ctl.com), the Web server (www.ctl.com) and the ctl-net segment (10.10.11.0).
Firewall’s Translation Table
NAT Mode   Outside (Legal)   Inside (Illegal)   Name
Static     207.250.227.19    10.10.10.2         email.ctl.com
Static     207.250.227.20    10.10.10.3         www.ctl.com
Hide       207.250.227.21    10.10.11.0         ctl-net
Use of NAT
RFC 1918 has reserved a set of IP network addresses that can be
used for internal networks. These are:
• 1 Class A Network Number: 10.0.0.0
• 16 Class B Network Numbers: 172.16-31.0.0
• 256 Class C Network Numbers: 192.168.0-255.0
Internal networks with RFC 1918 network numbers can reach all
internal hosts and the Internet by implementing NAT.
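As an added example (not from the presentation), a small Python model of the translation table above and of the RFC 1918 check behind it: Static entries map address to address, Hide entries map address to port. The Hide-mode port range and the /24 mask on ctl-net are assumptions.

```python
"""NAT table with the two modes on the slide: Static (address-to-address) and
Hide (a whole inside network behind one outside address, address-to-port)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The three RFC 1918 blocks listed above (1 class A, 16 class B, 256 class C networks).
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True when addr lies in an RFC 1918 block, i.e. it is not routable on the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


@dataclass
class NatTable:
    """A minimal model of the firewall's translation table."""
    static_out: Dict[str, str] = field(default_factory=dict)  # inside ip  -> outside ip
    static_in: Dict[str, str] = field(default_factory=dict)   # outside ip -> inside ip
    hide_addr: Optional[str] = None
    hide_net: Optional[ipaddress.IPv4Network] = None
    # Hide mode entries are built dynamically: outside port -> (inside ip, inside port)
    hide_sessions: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 10000  # first outside port handed out in Hide mode (constructed)

    def add_static(self, outside: str, inside: str) -> None:
        """Static mode: one legal address permanently mapped to one illegal address."""
        if not is_rfc1918(inside):
            raise ValueError(f"inside address {inside} is not an RFC 1918 address")
        self.static_out[inside] = outside
        self.static_in[outside] = inside

    def set_hide(self, outside: str, inside_net: str) -> None:
        """Hide mode: a whole inside network shares one legal address."""
        self.hide_addr = outside
        self.hide_net = ipaddress.ip_network(inside_net)

    def translate_outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite the source of a packet leaving the protected network."""
        if src_ip in self.static_out:
            # Address-to-address mapping: the port is left untouched.
            return self.static_out[src_ip], src_port
        if self.hide_net is not None and ipaddress.ip_address(src_ip) in self.hide_net:
            # Address-to-port mapping: many hosts share one address, so each
            # session needs its own outside port to be told apart on the way back.
            for port, session in self.hide_sessions.items():
                if session == (src_ip, src_port):
                    return self.hide_addr, port
            port = self.next_port
            self.next_port += 1
            self.hide_sessions[port] = (src_ip, src_port)
            return self.hide_addr, port
        raise ValueError(f"no translation for {src_ip}")

    def translate_inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Rewrite the destination of a packet arriving from the Internet.
        None means no table entry matches; a firewall would drop that packet."""
        if dst_ip in self.static_in:
            return self.static_in[dst_ip], dst_port
        if dst_ip == self.hide_addr:
            # Only sessions an inside host opened have an entry, so unsolicited
            # traffic to the Hide address is not reachable from outside.
            return self.hide_sessions.get(dst_port)
        return None


def build_ctl_table() -> NatTable:
    """The translation table from the slide above."""
    table = NatTable()
    table.add_static("207.250.227.19", "10.10.10.2")   # email.ctl.com
    table.add_static("207.250.227.20", "10.10.10.3")   # www.ctl.com
    table.set_hide("207.250.227.21", "10.10.11.0/24")  # ctl-net (mask assumed)
    return table
```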
Advantages of RFC 1918
• Additional Security — The addresses are not routable on the Internet
• Can Demand Quality Customer Service — If an ISP is not providing the
quality of service desired, renumbering the network can involve as few as 2 to 3
devices.
What Is A Firewall?
• Firewall: a device or set of devices that is used to implement & enforce a written
security policy regarding communication between protected and unsecure networks
• A Firewall acts as a control portal between a protected network and an unsecured
network.
• Firewalls restrict the entrance and exit of traffic based on acceptability.
Diagram: a Firewall and Router divide the Trusted Networks (Trusted Users and the Intranet Server Segment) from the Untrusted Networks & Servers (Untrusted Users); the Public Accessible Servers & Networks sit in the DMZ.
What Is A Firewall?
A Firewall cannot protect you from:
• malicious authorized users
• connections that don’t go through it
• all threats
New ways to break through networks are continually
developed. To combat this, firewall vendors
continually develop and distribute new methods of
protection against unauthorized network access.
A Firewall is only as effective
as the security policy it supports
and the networks it protects.
Home Grown vs. Commercial Firewalls
Is it possible to build your own firewall? The answer is yes. Is it cost
effective and the right solution for you? That depends on your
business model and the type of protection you are working towards.
There are currently dozens of firewall products available as
shareware, freeware, portions of an OS or source code.
These solutions can even outperform off-the-shelf firewall products.
The drawback to using a “Home Grown” solution is in the lack of
extensibility and the need for highly specialized staff.
Commercial firewall solutions may be expensive but they offer three
major benefits over “Home Grown” firewalls:
• They are highly extensible
• They are supported by the vendor
• There are a greater number of trained resources available to build
and maintain them
What makes the firewall safe
Firewalls are safe simply because they are extremely specialized
systems that are built specifically to restrict access. A firewall is not
necessarily any more secure than your average server though. Do not
assume that simply because an organization employs a firewall at the
network border that they are safe.
Just like any other network device, a firewall may be misconfigured.
Types of firewalls that are especially susceptible to misconfigurations
are appliance based firewalls (especially those that only allow HTTP
based administration) and routers.
In most cases however, firewalls are proof against standard Denial Of
Service attacks. This is often built into the source code of the firewall
product (whether it is an appliance, application based, or hybrid).
Routers/Access Lists
Description
Commonly referred to as “Packet Filtering”: packets are examined at the
network layer only. No information in the upper four layers is reviewed.
Pros
• Transparent to users
• Low performance impact (varies with size of ACL and router)
• Inexpensive
Cons
• Difficult to configure, monitor, and maintain
• Limited ability to manipulate data
• Looks at only a small part of the packet
• Poor logging and alerting abilities
• Vulnerable to various IP level attacks
Proxy Servers
Description
Also known as an application gateway. Functions at the Application layer (7)
of the OSI model. These are good for certain smaller environments without
complex communications needs.
Pros
• Provide good security
• Examine the upper layers of the packet
Cons
• Usually not transparent to users
• Performance isn’t as good as other solutions due to OSI layer implementation
• Doesn’t examine information in lower layers of the packet
• Vulnerable to application and operating system bugs
• Cannot fully support all communications services
• Breaks the client-server model of communication
Stateful Inspection Engines
Description
A firewall technology introduced by CheckPoint to overcome the failings of
proxy servers and packet filters. Examines data from “all” layers of the
OSI model. Maintains tables regarding the state of communication sessions
and application sessions.
Pros
• Good security
• Good performance
• Transparent to users
• Maintains information on state of communications with data from multiple
OSI layers
Cons
• Relies on the Operating System to function.
• Expensive in both initial cost and specialized training requirements
Adaptive Proxy
Description
Developed by Network Associates, Adaptive Proxy technology protects both
in-bound and out-bound services while supporting high throughput rates by
authenticating the first packet at the application layer and then passing all
additional packets in the session at the network layer.
Pros
• Faster than traditional proxy servers
• More secure than pure packet filtering technologies
Cons
• Vulnerable to OS level security flaws
Firewall Appliance
Description
A special purpose piece of equipment that provides firewall functionality
without requiring a specific operating system such as Unix, Linux, or NT.
Pros
• Faster than most Proxy servers
• Easy to configure
• Not vulnerable to OS specific vulnerabilities
Cons
• Not as extensible as application based firewalls
• Typically have a fixed configuration
• Some standard features for application firewalls may be treated as add-ons by
the appliance vendors
Session Overview
Encryption Overview
VPNs
Digital Certificates
Kerberos
The Need for VPNs
Diagram: the London Office, New York Office, a Remote Office, a Mobile User and Corporate Headquarters joined by a Private WAN.
Building private wide-area networks to accommodate
organizations is expensive and provides little flexibility
Remote Access Using VPNs
Diagram: the same sites (London Office, New York Office, Remote Office, Mobile User, Corporate Headquarters) connected by VPN across the Internet.
How Encryption Works
Step 1: The original data (cleartext) is passed through an
encryption algorithm that uses the secret key to uniquely scramble
the data.
Step 2: The result is called ciphertext.
Step 3: The VPN receives the ciphertext and uses the secret key to
decrypt the text.
VPN Types
Firewall-to-Firewall
• Data is encrypted when it leaves Firewall #1 and crosses the Internet
• The data is authenticated and decrypted when it reaches Firewall #2.
Diagram: Payroll on the PRIVATE side of Firewall Module #1 (Not Encrypted), the traffic Encrypted across the PUBLIC Internet, and Sales on the PRIVATE side of Firewall Module #2 (Not Encrypted).
VPN Types
Client-to-Firewall
Diagram: a Client with an encryption package installed connects to a Firewall or Gateway with an encryption module.
Symmetric Encryption
• A shared secret key is the single key needed both to encrypt and to
decrypt the data
• Used primarily for faster encryption performance
• Keys must be kept secret and should be changed periodically
Diagram: the Cleartext Message “This is the original text before encryption” passes through DES | RC4 to become Ciphertext (an unreadable scrambled string) and back through DES | RC4 to the original Cleartext Message.
Asymmetric Encryption
Pros
• Each node uses two mathematically related keys: a public key and a
private key
• The private key is not derivable from the public key, hence the public
key is freely distributed
• Allows:
– Computation of shared secrets over insecure channels (Diffie-Hellman)
– Digital signature (RSA)
• Public key encryption: each node publishes a public key. Anyone wishing
to send an encrypted message to the node encrypts it using that key. Only
the holder of the private key can decrypt the message
Cons
• Up to 1000 times slower than symmetric cryptography
• Typically used to encrypt small amounts of data (e.g. shared keys)
What Should Be Encrypted?
Should an encryption method encrypt the packet header or the data?
Tunneling-Mode vs. In-Place Encryption
Tunneling-Mode
• Encrypts the packet, then encapsulates the packet within the
encryption protocol header
In-Place
• Encrypts the payload portion of the packet and leaves the
header intact.
• Allows for greater performance than that provided by Manual
IPSec, ISAKMP/Oakley (IKE) or SKIP encryption.
Digital Signatures
Digital Signature: a code that can be attached to an
electronically transmitted message uniquely identifying the
sender.
• Guarantees that the individual sending the message
really is who they claim to be.
• Important for electronic commerce and a key
component of most authentication schemes.
• Digital signatures must be unforgeable.
One-Way Hash Function
Certificate Authority
Certificate Authority (CA): a trusted third party from
whom a public key can be obtained reliably, even via the
Internet.
• The CA certifies a public key by generating a certificate.
The digital signature acts as proof of the sender’s identity.
• The digital signature is created using a public key encryption
scheme.
Encryption and the Audit
Sniffing: the process of stealing data from the network by
setting your Network Interface Card into “promiscuous”
mode. Sniffing allows you to steal data from the data stream
by telling your NIC that all traffic on the local network should
be reviewed. If this traffic is encrypted then you will need to
acquire the appropriate “cracking” technology. If the
Encryption Algorithm is strong enough it will not be worth
the effort of cracking.
Man in the Middle: If you perform a “man in the middle”
test for Gateway to Gateway VPNs, make sure that you are
able to sniff from the same point that the packets reach the
Firewall. This means that you will plug into the network on
the same segment as the Firewall’s external interface.
Encryption and the Audit (Cont.)
Misconceptions: A client may assume that simply
because they have a VPN or use encryption they are
safe. This is not true. You must determine where encryption
is used and how.
For example, a client may use SSL into their environment
but have clear-text transactions between their Web and
Database servers. This may protect them from most
external threats to transaction sniffing, but does nothing
against internal threats.
Kerberos
Benefits
Kerberos is an authentication system. Kerberos can be used to
authenticate users or services (principals). A principal is defined by
these components:
Primary Name
Instance
Realm
The Principal is used to identify users or services within distinct domains.
For instance, a user’s primary name would be their login (with a null
instance), while a service would likely utilize the service name and machine
name (i.e. rlogin.machinename).
Principals obtain tickets from Kerberos servers. Each ticket contains
identifying information for the principal as well as encryption information.
Once a session is established all subsequent transactions can be
encrypted.
Kerberos applies a specific lifetime to each ticket. Once this has been
exceeded a new ticket must be requested from the Kerberos server.
Kerberos (continued)
Disadvantages
Kerberos was originally designed to authenticate end-users to a selected
number of servers. The authentication structure however was not
designed with overall network security in mind. The greatest issue is in
key storage. Most of the workstations that would utilize Kerberos do not
have a secure location for key storage.
The initial ticket-granting dialog is initiated with a plain text key. This must
be stored in a secure location. If this key is compromised, the ticket
granting server can then be compromised by utilizing data contained
within the key.
Additionally there is an issue with multiuser workstations/servers. If a
workstation/server supports multiple simultaneous users, then the cached
key information for one user can be gained by another with relative ease.
For a list of current and past risks with Kerberos please refer to the
“security bugware” web site.
Session Overview
Web Sites
Internal &
External
Web security Overview
SSL
Redirectors and Load balancing
CGI considerations
Sample Files
SSL
Secure Socket Layer provides transport layer protection through the use of a variant of the
TCP socket interface and encryption. SSL is usually bundled with an application (such as a
web server) so that integration with the underlying protocol stack is eased.
SSL was originally developed by Netscape as a part of their overall security package. The
SSL protocol specification has since been utilized by other web server vendors and remains
a standard.
Additional information on IPSEC protocols may be located at the following sites:
ftp://ftp.internic.net/rfc/rfc1825.txt - Security Architecture for the Internet Protocol
ftp://ftp.internic.net/rfc/rfc1826.txt - IP Authentication Header
ftp://ftp.internic.net/rfc/rfc1827.txt - IP Encapsulating Security Payload [ESP]
Usage of SSL
Secure Socket Layer meets the following security objectives:
Protects transactions against attack on the Internet - SSL protects against many
common network based attacks. While it cannot protect against DOS attacks it can
protect against data manipulation and spoofing.
Ensures security without prior arrangements between customers and vendors - SSL
provides a mechanism to verify identity for both customers and vendors. This
allows transactions between entities that have no previously established
relationships.
Applies cryptographic protection selectively - SSL allows the implementation of
cryptography in a selective manner. Only sessions that need the added layer of
security invoke SSL through the selected protocol interface and socket.
Protects the receiving host from attacks by incoming messages - While SSL
cannot protect against actual attacks on the machines hosting or utilizing the
service, it can protect the service (data stream) in use.
Attacks on SSL
Secure Socket Layer protects against most common attacks. However, there are still a
number of attack methods that can work. Most of these have been addressed by more recent
versions of the protocol, however new attacks are released regularly.
Predictable Keys - Early versions of SSL generated keys based on a small amount of
internal information that could be used to assist with key prediction. This data was similar to
having access to the random seed used to generate encrypted passwords in a shadow file.
Man in the Middle - SSL stops standard MIM attacks by validating the public key
certificate before using its public key. This does not prevent the switching of valid
certificates with subverted sites. The latest SSL implementation will extract the host name
from the server’s certificate and compare it to hostname in the URL.
Short checksum keys - Early versions of SSL utilized the same key for both encryption
and computing a keyed hash on the data. This allowed a successfully cracked key to be used
to forge data sent from that key. Newer versions use different keys for encryption and data
integrity.
Replay - While SSL originally protected against session replay it did not prevent the use
of captured session data from being used to extend a session. It was therefore possible to
hijack an SSL session and bump the valid client and extend the session with captured
session data. SSL 3.0 incorporates sequence numbers to prevent this sort of attack.
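An added example, not part of the presentation, of the two fixes just described (separate encryption and integrity keys, and per-record sequence numbers) in a toy record layer; the HMAC-based stream cipher and the key-derivation labels are stand-ins, not SSL’s actual algorithms.

```python
"""Toy record layer: independent keys for encryption and integrity, and a
sequence number in every record so captured data cannot be replayed."""
import hashlib
import hmac
from typing import Tuple

SEQ_LEN = 8   # bytes of sequence number prefixed to each record
MAC_LEN = 32  # HMAC-SHA256 tag


def derive_keys(master_secret: bytes) -> Tuple[bytes, bytes]:
    """Two unrelated keys from one secret (labels constructed, not SSL's PRF)."""
    enc_key = hmac.new(master_secret, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_secret, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Toy stream cipher standing in for RC4/DES: HMAC over (seq, block counter)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, seq.to_bytes(SEQ_LEN, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """record = seq || ciphertext || MAC(seq || ciphertext), MAC under its own key."""
    ks = _keystream(enc_key, seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Accepts records strictly in order; a replayed or reordered one is rejected."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.expected_seq = 0

    def unprotect(self, record: bytes) -> Tuple[str, bytes]:
        if len(record) < SEQ_LEN + MAC_LEN:
            return "reject: truncated", b""
        header, body, tag = record[:SEQ_LEN], record[SEQ_LEN:-MAC_LEN], record[-MAC_LEN:]
        # Integrity first. The tag depends only on mac_key, so a recovered
        # encryption key no longer lets an attacker forge data (the "short
        # checksum keys" problem above).
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad mac", b""
        seq = int.from_bytes(header, "big")
        if seq != self.expected_seq:
            # A captured record carries its old counter, so splicing it back into
            # the session shows up as the wrong sequence number.
            return f"reject: replay or reorder (got {seq}, expected {self.expected_seq})", b""
        self.expected_seq += 1
        ks = _keystream(self.enc_key, seq, len(body))
        return "ok", bytes(c ^ k for c, k in zip(body, ks))


def demo() -> list:
    """Constructed session: two records, the first one replayed, then one tampered."""
    enc_key, mac_key = derive_keys(b"constructed master secret")
    rx = Receiver(enc_key, mac_key)
    r0 = protect(enc_key, mac_key, 0, b"GET /account HTTP/1.0")
    r1 = protect(enc_key, mac_key, 1, b"Cookie: session=abc")
    results = [rx.unprotect(r0)[0], rx.unprotect(r1)[0], rx.unprotect(r0)[0]]
    tampered = r1[:SEQ_LEN] + bytes([r1[SEQ_LEN] ^ 1]) + r1[SEQ_LEN + 1:]
    results.append(rx.unprotect(tampered)[0])
    return results
```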
SSL - Additional Information
For additional information on SSL please refer to the following:
• Network Security: Private Communication in a Public World - Kaufman, Perlman,
and Speciner - Overview of mathematics and public key cryptography
• The Public Key Cryptography Standards (PKCS) - RSA Laboratories - Standards
on how to implement public key cryptography facilities
• “On the Difficulty of Factoring” - Rivest - a set of estimates on the difficulty of
cracking an RSA key
• SSL 3.0 Specification - Netscape Communications
http://www.netscape.com/libr/ssl/ssl3/index.html - The official definition of SSL.
Take note of the appendix on attacks.
The Need for Load Balancing
• Web and FTP servers may see a tremendous
amount of requests in a short period of time.
• Often, a single system cannot effectively
handle the load.
Diagram: many clients on the Internet all reach one FTP Server; the Overloaded Server becomes a bottleneck.
How Load Balancing Works
Load balancing distributes the requests among a group of mirrored
servers.
Diagram: Client requests to target.client.com are balanced between the mirrored servers target1.client.com, target2.client.com, target3.client.com and target4.client.com across the Internet.
Logical Servers
• Firewall acts as the logical server
• Packets flow to the firewall
• Firewall distributes network traffic among its server group (Server 1,
Server 2, Server 3)
Load Balancing Components
Load Balancing Daemon - Directs client packets to a server
Load Balancing Algorithms - Determine which physical server will
fulfill the request
Problems with Load Balancing
Problem:
You wish to hide the true IP address of the physical server to
which your HTTP redirect rule directs HTTP traffic. HTTP load
balancing may rewrite the HTTP logical server’s name when
you tie several logical server names to one IP address. The
HTTP protocol has a feature that uses a server’s name in the
HTTP request. HTTP load balancing rewrites the logical server
name to the actual physical server it represents.
Test:
Attempt to browse to the client web server and watch for the
redirect. If you get a response other than the stated Web
server then the Load Balancing tool is misconfigured and is
leaking information.
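An added example (not from the presentation) that performs the test above offline on two constructed HTTP responses, reporting any hostname that differs from the logical name the client asked for; target.client.com and the mirrored names are the slide’s, the response contents are constructed.

```python
"""Check a captured HTTP response for a load balancer that has rewritten the
logical server name (target.client.com) to a physical one (targetN.client.com)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Absolute URLs in a body; host part only, so the path is ignored.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status code, lowercased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def _hostname(url: str) -> str:
    # urlsplit().hostname drops any :port and lowercases, so target.client.com:80
    # compares equal to target.client.com.
    return urlsplit(url).hostname or ""


def leaked_hostnames(requested_host: str, raw_response: bytes) -> List[str]:
    """Every hostname in the Location header or body that is not the one requested.
    An empty list means the logical name survived; anything else needs review
    (a third-party link would also be listed, so read the result, not just its length)."""
    requested = requested_host.lower()
    _, headers, body = parse_response(raw_response)
    candidates: List[str] = []
    location = headers.get("location")
    if location and location.lower().startswith(("http://", "https://")):
        candidates.append(location)
    candidates += [m.decode() for m in URL_RE.findall(body)]
    leaked: List[str] = []
    for url in candidates:
        host = _hostname(url)
        if host and host != requested and host not in leaked:
            leaked.append(host)
    return leaked


# Constructed responses, not captured from any real site.
CLEAN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache\r\n"
    b"Location: http://target.client.com:80/welcome.html\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><a href=\"/welcome.html\">continue</a></body></html>\r\n"
)

LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache\r\n"
    b"Location: http://target2.client.com/welcome.html\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Moved to <a href=\"http://target2.client.com/welcome.html\">here</a>"
    b"<img src=\"http://target3.client.com/logo.gif\"></body></html>\r\n"
)
```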
How This Affects the Audit
Since Load Balancing acts as a broker for requests to certain services,
you will not be able to target all of the Internet accessible servers with an
external audit.
Diagram: testing from across the Internet, client requests to target.client.com are balanced between the mirrored servers target1.client.com, target2.client.com, target3.client.com and target4.client.com.
CGI Scripts
The problem with CGI scripts is that each one presents yet
another opportunity for exploitable bugs.
CGI scripts can present security holes in two ways:
They may intentionally or unintentionally leak
information about the host system that will help
hackers break in.
Scripts that process remote user input, such as the
contents of a form or a "searchable index"
command, may be vulnerable to attacks in which
the remote user tricks them into executing
commands.
CGI Scripts
CGI scripts are potential security holes even though you run
your server as “nobody.” A subverted CGI script running as
“nobody” still has enough privileges to mail out the system
password file, examine the network information maps, or
launch a log-in session on a high numbered port (it just needs to
execute a few commands in Perl to accomplish this). Even if
your server runs in a chroot directory, a buggy CGI script can
leak sufficient system information to compromise the host.
Safe CGI Development
Avoid giving out too much information about your site and
server host.
If you're coding in a compiled language like C, avoid making
assumptions about the size of user input.
Never pass unchecked remote user input to a shell
command.
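An added example, not from the presentation, showing the unsafe pattern the last rule warns about beside a hardened version in Python; the catalogue file path and the query whitelist are assumptions.

```python
"""Never pass unchecked remote user input to a shell command: the naive CGI
pattern next to a whitelist-validated, shell-free version."""
import re
import shlex
import subprocess
from typing import List

SEARCH_FILE = "/var/www/data/catalog.txt"  # constructed path, not from the original
SAFE_QUERY = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")  # what a catalogue search needs
SHELL_METACHARACTERS = set(";|&`$()<>\n\"'\\")


def unsafe_command(user_query: str) -> str:
    """The pattern the slide warns about: the form field is spliced into a string
    that a shell will parse, so any metacharacter in it becomes shell syntax.
    Returned for inspection only; this example never executes it."""
    return f"grep -i {user_query} {SEARCH_FILE}"


def shell_metacharacters(text: str) -> List[str]:
    """Which shell-significant characters a command string would hand to the shell."""
    return sorted({c for c in text if c in SHELL_METACHARACTERS})


def is_valid_query(user_query: str) -> bool:
    """Whitelist check: accept only the characters a search legitimately needs,
    rather than trying to blacklist every dangerous one."""
    return SAFE_QUERY.fullmatch(user_query) is not None


def safe_argv(user_query: str) -> List[str]:
    """Argument vector for subprocess.run(..., shell=False): the query is a single
    argv element that no shell re-parses."""
    if not is_valid_query(user_query):
        raise ValueError("query rejected: contains characters that are not allowed")
    # "--" ends option parsing, so a query beginning with "-" cannot become a grep flag.
    return ["grep", "-i", "--", user_query, SEARCH_FILE]


def quoted_command(user_query: str) -> str:
    """Fallback when a shell cannot be avoided: shlex.quote wraps the value so the
    shell sees one literal word. Validation still comes first."""
    if not is_valid_query(user_query):
        raise ValueError("query rejected: contains characters that are not allowed")
    return f"grep -i -- {shlex.quote(user_query)} {shlex.quote(SEARCH_FILE)}"


def run_search(user_query: str) -> subprocess.CompletedProcess:
    """shell=False hands argv straight to the program; no shell ever sees the query."""
    return subprocess.run(safe_argv(user_query), capture_output=True, text=True, check=False)
```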
JAVA
Nothing in life is completely secure; Java is no exception.
If you're using an up-to-date Web browser, you are usually safe
against the known attacks. However, nobody is safe against
attacks that haven't been discovered yet.
Other Web “scripting” tools such as JavaScript, Visual Basic
Script, or ActiveX face the same sorts of problems as Java.
“Plug-in” mechanisms provide no security protection. If you
install a plug-in, you're trusting that plug-in to be harmless.
JAVA Attacks
There are two classes of security problems: nuisances and
security breaches
A nuisance attack merely prevents you from getting your
work done. For example, it may cause your computer to
crash.
Security breaches are more serious: your files could be
deleted, your private data could be read, or a virus could
infect your machine.
Java, ActiveX and Java Script
• Moving the Risk from Server Processing to Client
Processing
• Alternative to CGI
Java
• Programming Language
• Platform Independent
• Built in Security Manager
– Will not allow Java to open IP Connections
– Will not read/write to local disk
– Applets downloaded controlled by the security manager
The Real Java
• Applets can open IP connections
• Applets can execute binary code
• Applets can bypass the security manager
• Denial of Service attacks common (looping)
ActiveX
• OLE for the Internet
• NO Security model
• Certificate Trust model
– Even bad people can have a Drivers License
• Full control of the system
• No Audit trail
Java Script
• Scripting language
– Code in HTML files
• Ability to control the browser
• Security not designed within
• Security by feature removal
So what is unsafe with my
browser?
Reading your Private Files
Making you do something that you really
should not do
What files are private?
A few files provide a lot of information about you.
These include:
Cache files
History file
Bookmarks
Configuration
Important Files
History File
Since the default is 30 days to expire a link, typically you can see the last
30 days worth of web surfing by examining the history file.
Bookmark File
Bookmarks are a problem for the same reason the history file is a problem.
It shows what sites you feel that are important.
Cache
The cache is your browser's way of making things faster.
Every query is stored in cache. Typically every form submittal including
accesses to pages requiring an ID and password will be there, unless a site
has tagged an HTML document NOT to be cached.
What can my Web browser
make me do?
You can be tricked into supplying user IDs and passwords,
sending personal information like Social Security numbers
and credit card information.
If your browser supports HTML 3.0 extensions and Java,
your files could be plucked from your hard drive.
Your machine could be used to terrorize other resources
behind your firewall and send critical information offsite.
The Basic FireWall Design
Security & Phase 1 Performance
Diagram: the Internet enters through an Intrusion Detection Monitor (IDM) and the FireWall, with encrypted, authenticated VPN’s. “The DMZ” holds the Protected Web Application Servers: Mail Relay, HTTP, FTP, DHCP, ACE, E-Commerce, DNS, CVP and PC Banking. The FireWall provides Network Address Translation and Centralized Management of Security Policies, Router Control and User Access, and is Scalable. Layer 1 fronts the Internal Resources: Mainframe, SAP, People Soft, Oracle, Internal Mail, etc.
The Layered FireWall Design
Enhanced Containment
Diagram: the Internet enters through an Intrusion Detection Monitor (IDM) and the FireWall, with encrypted, authenticated VPN’s and Centralized Management (Security Policies, Router Control, User Access, Scalable). Layer 1 is “The DMZ” with the Protected Web Application Servers: Mail Relay, HTTP, DHCP, ACE, E-Commerce, DNS, CVP and PC Banking. Layer 2 holds the Batch Data Bases (FTP, SQL, Access, Oracle, etc.) behind an Intra-Wall. Layer 3 holds the Internal Resources: Mainframe, SAP, People Soft, Oracle, Internal Mail, etc.
The Perimeter Design for
Performance, Reliability, and Security
Diagram: OUT-Bound and IN-Bound Intrusion Detection Monitors (IDM) flank a pair of FireWalls kept in State Sync, with encrypted, authenticated VPN’s, Centralized Management, Bandwidth Management, FW & Svr Load Balancing, FW High Availability via VRRP, and Scalable. Layer 1 is “The DMZ” with the Protected Web Application Servers (Mail Relay, HTTP, DHCP, ACE, E-Commerce, DNS), VRRP and an IDM. Layer 2 holds the Batch Data Bases (FTP, SQL, Access, Oracle, etc.) behind an Intra-Wall with its own IDM. Layer 3 holds the Internal Resources (Mainframe, SAP, People Soft, Oracle, Internal Mail, etc.) and a Firewall Reporting Engine.
So What Can I Do Now?
• On My Own
– Install Firewalls & Intrawalls properly
– Install Security Monitoring
– Audit Security Logs
– Acquire Scanning Tools & Lock Down Platforms
– Perform Security Testing
– Attend Security Training
• From Security Experts
– Security Verification Assistance
• Not all third parties have the same expertise!
– Tiger Team Analysis
– Security Training
• Firewalls
• Attack Monitoring
• Scanning Tools
• Vulnerabilities
Security Skills Improvement
Recommendations
• Entry Level Training
– OS Administration Training
– Scanning Tool Certification
– Firewall Certification
• Advanced Level Training
– OS Security Lock Down Training
– FireWall Lock Down
– Compromise Response Initiatives
Management Awareness
• Security Awareness Seminar
Security Issues & Initiatives
Review Architecture & Design for Unprotected Access
– Scan network for all available network routes & security short cuts
– Redesign Security Architecture & Layer FireWall Security Controls
Scan all IP Devices for Vulnerabilities
– Remote & Internal Testing
Lock Down all Security Holes
– Operating Systems
– Applications
– Files & Data Bases
– Networks & Access Points
Develop & Document Security Baselines & Policies
Resolve Security Vulnerabilities & Re-test all Targets
Implement On-line Security Monitoring & Auditing
Diagram: the tool labels Internet Scanner (TM), Intranet Scanner, Firewall Scanner and Web Security Scanner are placed beside the steps they support.
Adaptive Security Management
Diagram: a Monitor, Detect, Respond cycle: the ability to monitor, detect, and respond to threat and vulnerability conditions. Detection is Intrusion Detection & Attack Recognition; Active Attack Monitoring covers the Corporate Network, Internet, Intranet and Extranet.
7/16/2015
Vulnerability Detection & Response
Diagram (three views): a Corporate Network of Manufacturing, Engineering, Marketing and Human Resources segments, an Intranet, and a DMZ (E-Mail, File Transfer, HTTP, Comms Server) behind the Internet Router. The Network and Applications views are scanned by Internet Scanner; the Systems view is scanned by System Security Scanner.
Threat Detection & Response
Diagram: Attack Recognition watches the Corporate Network (Manufacturing, Engineering, Marketing, Human Resources), the Intranet, the DMZ (E-Mail, File Transfer, HTTP) behind the Router, and the Extranet to a Business Partner. On an ALERT the response is to Record Session, Send Message and Terminate Connection, and to RECONFIGURE the Router or Firewall to Block the IP Address; External Threats over the Extranet have their connection terminated.
Manual Tests
• http://www.target.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini
• ftp://www.target.com - often displays the Web root as a set of files
• IIS character buffering on open ports