Solutech, Inc.


because things change
Inter/Intra/Extra/Network
Connectivity, Security and Administration
(Everything you always wanted to know but were afraid to ask)
Solutech, Inc.
Craig Ingram
Senior Consultant
Omaha, NE.
The Internet is:
– a global network of networks.
– the purest form of electronic democracy .... or anarchy.
– a giant international network of intelligent, informed computer enthusiasts, which are: People without lives!
The Internet is not:
• A single computer.
• A single Network.
• Vendor specific.
• Run by a single person, group, organization, or government.
• By default, secure.
The Internet is comprised of:
• Universities
• Corporations
• Governments
• Government Agencies
• Service Providers (AOL, etc.)
• Individuals
Every time you tap into the Internet, you become an extension of it.
A Brief History
• The Internet is not new - an outcome of the Cold War.
• 1969: Advanced Research Projects Agency Network (ARPANet).
• Provided redundant connectivity between government, education, and research labs.
• Funded by DoD.
• Internet Protocols (TCP/IP) were developed to link disparate hardware and software platforms together.
• The TCP/IP design allows:
– For tens of thousands of networks, comprised of millions of computers.
– Every computer is equal to every other computer.
• Initial uses were text-based Email and file transfers.
A Technology Overview
A Network
• A network is comprised of multiple computers, file server(s), other servers, hubs and routers.
• Routers are used to interconnect separate networks.
– They isolate one network from another.
– Can provide a form of security (via filtering of IP addresses). A message is not forwarded unless the router’s table contains the appropriate link.
The OSI Model
Diagram of the seven layers, with the browser (Netscape or Internet Explorer) and other applications above the stack and the end user's screen at the top. Devices drawn beside the layers: Firewall (upper layers), Router (Network), Bridge (Data Link), Repeater and Wiring Plant (Physical).
• Application: Provides standard user functions and network interfaces. Application-specific services.
• Presentation: Ensures message standardization. Provides data representation.
• Session: Manages node-to-node communications. Session svcs: checkpointing, activity mgmt, etc.
• Transport (TCP): Provides node-to-node logical connections. End-to-end data integrity.
• Network (IP): Defines routes for messages. Switches and routes information.
• Data Link: Defines physical address and protocol. Transmits information as groups of bits.
• Physical: Establishes electrical and timing specifications (hardware). Transmits a bit stream over the physical medium.
TCP/IP
• Is not a single protocol.
• A suite of protocols - each providing a specific function.
• Spans two layers of the OSI model.
Diagram mapping the suite onto the OSI model (the browser, Netscape or Internet Explorer, and other applications sit above it):
• Application / Presentation / Session: Simple Mail Transport Protocol, Remote Procedure Call, Network Information Svc, Network File System, TelNet, File Transfer Protocol
• Transport: Transmission Control Protocol
• Network: Internet Protocol
• Data Link and Physical: no TCP/IP protocol shown
OSI Application Messages
• Flow down through the OSI stack on Host A.
• Across the network connection.
• Flow up the OSI stack on Host B.
• On the transmitting device, each layer appends its own header (containing fields) to the original message.
• On the receiving device, each layer strips off its corresponding header.
Diagram: Host A (Atlanta) and Host B (Omaha), each with the seven layers (Application, Presentation, Session, Transport, Network, Data Link, Physical); the Data block passes down through every layer on Host A and up through every layer on Host B.
The Internet Protocol
• Every computer attached to the Internet must have a unique address.
• An IP address is requested from, assigned, and tracked by InterNIC.
– Each IP address is composed of 32 bits, arranged as 4 8-bit octets, for example 192.168.1.1
– Internet messages can vary in length from several hundred bytes to 65,565 bytes.
– A long message will be broken into multiple smaller packets.
– Each packet contains a header reflecting the 32-bit source and 32-bit destination address.
– IP does not guarantee that the source or destination address is genuine, or that a packet was delivered, delivered only once, or delivered in the correct order.
– Authentication, sequencing, and security are provided by higher-layer protocols.
IP Addressing
Diagram, “The Internet in 1969”: four sites joined to ARPANET over TCP/IP, The Pentagon (DEC), MIT (Unisys), Lockheed (IBM) and Georgia Tech (HP), with example addresses 100.100.010.001, 100.200.030.001, 100.100.030.001 and 100.100.010.123.
TCP
TCP provides reliable connections to end hosts.
– The ordering is provided by a sequence number in each packet.
– Every TCP message is marked as being from a particular host and port number, to a destination host and port number.
– Hosts “listen” on software ‘ports’ to determine the type of service needed by the packet.
Diagram of the packet layout: Source Port | Destination Port | Protocol-related Fields | Seq # | Source Address | Destination Address | Data.
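As an added illustration of the two slides above (each layer adding its own header on Host A and stripping it on Host B, and the TCP packet layout with ports, sequence number and addresses), the following Python is not from the presentation: it builds a toy two-layer packet, breaks a message into several packets and reassembles them by sequence number. The addresses, ports and message are constructed for the example.

```python
import struct

# Constructed toy stack (not from the slides): only the fields the deck names are
# modelled. Real IPv4 and TCP headers carry more fields, checksums and options.
TCP_HDR = "!HHI"   # source port, destination port, sequence number
IP_HDR = "!4s4s"   # 32-bit source address, 32-bit destination address

def ip_to_bytes(addr):
    """Dotted quad -> 4 octets, the 4 x 8-bit layout the deck describes."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % addr)
    return bytes(octets)

def encapsulate(data, src, dst, sport, dport, seq):
    """Host A: each layer prepends its own header to what the layer above handed down."""
    segment = struct.pack(TCP_HDR, sport, dport, seq) + data                   # transport
    return struct.pack(IP_HDR, ip_to_bytes(src), ip_to_bytes(dst)) + segment  # network

def decapsulate(packet):
    """Host B: each layer strips its header and passes the rest up the stack."""
    ip_len, tcp_len = struct.calcsize(IP_HDR), struct.calcsize(TCP_HDR)
    if len(packet) < ip_len + tcp_len:
        raise ValueError("truncated packet")
    src, dst = struct.unpack(IP_HDR, packet[:ip_len])
    sport, dport, seq = struct.unpack(TCP_HDR, packet[ip_len:ip_len + tcp_len])
    # The source address is whatever the sender wrote; IP itself never checks it,
    # which is why the deck leaves authentication to higher-layer protocols.
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "seq": seq,
            "data": packet[ip_len + tcp_len:]}

def send_message(message, src, dst, sport, dport, max_payload=8):
    """Break a long message into packets; the sequence number is the byte offset."""
    return [encapsulate(message[i:i + max_payload], src, dst, sport, dport, i)
            for i in range(0, len(message), max_payload)]

def reassemble(packets):
    """Put the data back in order by sequence number, however the packets arrived."""
    headers = sorted((decapsulate(p) for p in packets), key=lambda h: h["seq"])
    return b"".join(h["data"] for h in headers)

if __name__ == "__main__":
    pkts = send_message(b"hello from Atlanta", "192.168.1.1", "192.168.1.2", 1025, 80)
    print(len(pkts), "packets; first header:", decapsulate(pkts[0]))
    print(reassemble(reversed(pkts)))   # arrives in reverse order, still reassembles
```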
Domain Name Services
• IP addresses work well for computers - but not for humans.
• Enter the concept of a Domain name. Example: spacelink.msfc.nasa.gov
• It is read by the computer from right to left, as follows:
– The top domain is gov - government.
– The next domain is nasa - NASA.
– The next domain is msfc - Marshall Space Flight Center.
– The last domain is spacelink - a computer running the spacelink program, or it could be the computer’s name.
– Domain Name Servers communicate domain changes/adds/deletes with each other on a regular basis.
EMail
The spacelink.msfc.nasa.gov computer may be an Email server. An example of
an Email address on this server might be:
[email protected]
An example for Fred Pfizer on the above computer might be:
[email protected]
or it could look like this (up to the Email administrator):
[email protected]
Connectibility
• Direct connection
– Normally done through a Local Area Network (LAN) via an Internet Service Provider.
– Connection is constant (24 hrs/day, 7 days/wk).
– Normally provides fastest speed and quickest access.
– Cable modems are a reality. CAUTION!
• Dial-In Connection
– Normally done over a phone line.
– Slower speed than a LAN or cable modem.
Response times are a function of the ISP’s Internet connection as well as your local connection speed.
The World Wide Web
• Fastest growing part of the Internet.
• “Surfing” the net
• Globally connected
• Operates as a ‘client/server’
– You run a web browser on your PC.
– The browser contacts a Web server and requests information.
You have now become an extension of the Internet.
“Home Pages”
• Identify and personalize an entity on the WWW.
• They can incorporate text, graphics, sound, etc….
• They are connected using the hypertext protocol (http).
• They are created using a Hypertext Markup Language (HTML).
• Java: mini applications included in HTML as tags that execute on the browser.
• Perl is similar.
Diagram: the browser (Netscape or Internet Explorer) and other applications at the Application, Presentation and Session layers, with the end user's screen above.
Internet Tool Examples
• Gopher
• Telnet
• File Transfer Protocol
• Web Crawlers
• WHOIS
• Ping
• Traceroute
A good tool + a good guy = good things.
A good tool + a bad guy = bad things.
Hacking Tool Examples
• Rootkit
• COPS
• SATAN
• PRIEST
• BackOrifice
• BackOrifice2K
All are available for download from the Internet.
The OSI Model
(The OSI model slide from the Technology Overview is shown again here.)
Routing
Diagram: Network 1 and Network 2 interconnected by a Router.
Example of two networks interconnected by a router. One network can only see transmissions from the other network if the router allows it.
Routing Protocols
Routers communicate paths between themselves with routing protocols. This way they always know the shortest path between two hosts (hops) and what paths are available.
Let’s say you’re on the INET in Omaha and attach to a server in SF.
Diagram: a workstation in Omaha, with routers at Omaha, St. Louis, N.Y.C., Minneapolis, Atlanta, L.A. and San Francisco.
– One potential router path might be: Omaha-St Louis-LA-SF
– Another path might be: Omaha-NYC-Atlanta-SF
– Yet a third path could be: Omaha-Minneapolis-Atlanta-SF
Routing Concerns
Every hop along the way becomes a potential breach of security.
Diagram: routers at Minneapolis, Chicago, N.Y.C., Omaha, S.F., St. Louis, L.A., Atlanta and Dallas.
Also remember:
– a large message will be broken up into multiple packets, with each packet potentially taking a different path to your PC.
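To make the two routing slides concrete, here is an added Python example (not from the presentation) that treats the three listed Omaha-to-SF paths as a router graph and computes the shortest path in hops, every available path, and the intermediate routers that would see some of the traffic. The link set is constructed from those three paths only; the extra cities on the diagram have no links shown and are left out.

```python
from collections import deque

# Constructed graph, not the deck's figure: links are those implied by the three
# Omaha-to-SF router paths the slide lists. Each router maps to its neighbours.
LINKS = {
    "Omaha": {"St Louis", "NYC", "Minneapolis"},
    "St Louis": {"Omaha", "LA"},
    "LA": {"St Louis", "SF"},
    "NYC": {"Omaha", "Atlanta"},
    "Minneapolis": {"Omaha", "Atlanta"},
    "Atlanta": {"NYC", "Minneapolis", "SF"},
    "SF": {"LA", "Atlanta"},
}

def shortest_path(links, src, dst):
    """Fewest hops from src to dst (breadth-first search); None if unreachable."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(links.get(path[-1], ())):   # sorted: deterministic output
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def all_paths(links, src, dst, seen=()):
    """Every loop-free path; each is a route some of a message's packets may take."""
    seen = seen + (src,)
    if src == dst:
        return [list(seen)]
    paths = []
    for nxt in sorted(links.get(src, ())):
        if nxt not in seen:
            paths.extend(all_paths(links, nxt, dst, seen))
    return paths

def exposed_hops(links, src, dst):
    """Intermediate routers that see at least some packets: the 'routing concern'."""
    hops = set()
    for path in all_paths(links, src, dst):
        hops.update(path[1:-1])
    return sorted(hops)

def without(links, router):
    """Topology after one router drops out, to show the redundancy routing gives."""
    return {n: {m for m in nbrs if m != router} for n, nbrs in links.items() if n != router}

if __name__ == "__main__":
    print("shortest:", " - ".join(shortest_path(LINKS, "Omaha", "SF")))
    print("available:", [" - ".join(p) for p in all_paths(LINKS, "Omaha", "SF")])
    print("routers that see Omaha->SF traffic:", exposed_hops(LINKS, "Omaha", "SF"))
    print("Atlanta down:", " - ".join(shortest_path(without(LINKS, "Atlanta"), "Omaha", "SF")))
```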
Domain Name Servers
• In the previous example, assume each site had a Domain Name Server.
– Each DNS contains a listing of other DNSs in their area.
– As your search propagates from one DNS to another, the risk of packet interception increases.
– Imagine the potential for disaster if a DNS were compromised.
• Imagine if a host site had multiple servers and one of them was compromised.
– Once compromised, the hacker now has ‘inside’ details on other servers served by that server.
– And the saga continues through other servers, into other servers, etc.
Security Summary
Potential security holes include:
– Connecting to the Internet
– Redundancy in connectivity between routers (routing protocols).
– IP addressing (source and destination)
– TCP port address (source and destination)
– DNS table update protocol
– Network tools
– Passwords
– Non-encryption of messages
Firewalls
• A firewall is a device designed to prevent outsiders from accessing your network. They can also be used internally to isolate one network from another.
• They allow you to grant or deny access based on many variables (rules). These rules are set in the firewall, based on your Security Policy.
• Two basic types of firewalls:
– Network level
– Application gateway
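As an added example (not from the presentation, and not any vendor's rule syntax), here is a small Python packet filter of the "network level" kind: it walks ordered rules, the first match wins, and anything no rule permits is denied, which is the minimum-passthrough starting point the deck recommends. The network addresses, the sample packets and the rule rejecting outside packets that claim an internal source address are all constructed for the illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed example, not the deck's own or any vendor's rule syntax: a network-level
# packet filter that walks its rules in order, takes the first match, and denies
# whatever no rule permits, i.e. the "minimum passthrough" starting configuration.
# Fields: action "allow"/"deny"; iface the packet arrives on ("outside"/"inside");
# src and dst as CIDR blocks; dport a destination port or None for any; note for logs.
Rule = namedtuple("Rule", "action iface src dst dport note")

def matches(rule, pkt):
    return (rule.iface == pkt["iface"]
            and ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))

def decide(rules, pkt):
    """Return (action, reason) for one packet; no matching rule means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.note
    return "deny", "default deny: no rule permits this traffic"

INTERNAL = "192.168.1.0/24"        # constructed internal network
MAIL_SERVER = "192.168.1.10/32"    # constructed mail server

# The rules encode the security policy; order matters because the first match wins.
POLICY = [
    Rule("deny", "outside", INTERNAL, "0.0.0.0/0", None,
         "outside packet claims an internal source address"),
    Rule("allow", "outside", "0.0.0.0/0", MAIL_SERVER, 25, "SMTP to the mail server"),
    Rule("allow", "inside", INTERNAL, "0.0.0.0/0", 80, "internal users may browse"),
]

SAMPLE = [  # constructed packets
    {"iface": "outside", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 25},
    {"iface": "outside", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 23},
    {"iface": "outside", "src": "192.168.1.33", "dst": "192.168.1.10", "dport": 25},
    {"iface": "inside", "src": "192.168.1.33", "dst": "198.51.100.7", "dport": 80},
    {"iface": "inside", "src": "192.168.1.33", "dst": "198.51.100.7", "dport": 21},
]

def audit(rules, packets):
    """One log line per packet, the kind of record the deck says to monitor."""
    lines = []
    for pkt in packets:
        action, reason = decide(rules, pkt)
        lines.append("%-7s %s -> %s:%d %s (%s)" % (pkt["iface"], pkt["src"],
                     pkt["dst"], pkt["dport"], action.upper(), reason))
    return lines

if __name__ == "__main__":
    print("\n".join(audit(POLICY, SAMPLE)))
```

Reversing the rule order lets the third sample packet through on the SMTP rule, which is why the deck insists on testing firewall policies religiously.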
Selecting a Firewall
There are 6 general steps to selecting a Firewall that’s right for your environment.
1) Identify your topology, applications, and protocol needs.
2) Analyze trust relationships within your organization.
3) Develop security policies based on these trust relationships.
4) Identify the right firewall for your specific configuration.
5) Employ the firewall correctly.
6) Test your firewall policies religiously.
Security Policy Development
a.k.a. inventing the wheel
A Security Policy is:
A set of instructions that, collectively, determines an organization’s posture towards security. They set the limits of acceptable behavior, and what the response to violations will be.
Remember ….
Whether a security policy is formally spelled out, or not, one always exists.
If nothing else is said or implemented, the default policy is:
ANYTHING GOES!
Network Security . . . . A Journey, not a destination.
View security as a critical business process to address the ever-changing risk environment.
It is not a program, but a process.
Use a combination of techniques, tools and products.
If the only tool you’ve got is a hammer, it’s amazing how many problems start looking like nails.
Security Decisions
Decide what is, and is not, permitted.
This process is normally driven by the business or structural needs of the organization, such as:
– An edict that bars personal use of corporate computers.
– Restrictions on outgoing traffic (employees exporting valuable data).
– Not allowing a specific protocol because it cannot be administered securely.
– Not allowing employees to import software without proper permission (licensing issues, viruses, etc).
This philosophy extends to opposite ends of the scale:
“We’ll run it unless, and until, you can show me that it’s broken.”
“Show me it’s both safe and necessary, otherwise we won’t run it at all.”
Fundamental Premise
Anyone can break into anything if they have sufficient:
– Motivation - They have to want to do it.
– Skill - They have to be good enough to understand and pierce the defenses.
– Opportunity - They have to have enough access to the defenses for long enough to penetrate them.
Identify Resources
• It’s difficult to protect something you don’t know you have - or know what it’s worth.
• Identify all resources to be protected, such as:
– Mainframes
– Servers and Workstations (including laptops)
– Interconnection devices (gateways, routers, bridges, hubs, etc.)
– Terminal servers
– Network and applications software
– Network cables
– Information in files and databases
Ask Yourself
• What resources are you trying to protect, and why?
• Which people do you need to protect the resources from?
– Internal threats
– External threats (Perimeter security)
• How likely are the threats?
• How important is the resource?
• What measures can you take to protect your assets in a cost-effective and timely manner?
• Periodically examine your network security policy to see if your objectives and network circumstances have changed.
Understand the Bad Guy!!
Identify the Threats
An understanding of the technology is important, but common sense is equally valuable in stopping potential security threats.
– Define Authorized Access
• Physical access to computing facilities.
• Access to computers.
• “Borrowing” another user’s account/password (Training and Policy issues).
– Identify the Risk of Information Disclosure
• Determine the value or sensitivity of the information stored on your computers.
• Encrypt password files.
• Use minimum 8-character passwords (mixed alpha/numeric, upper/lower case).
– Change passwords on a regular basis.
• Don’t forget laptops.
Network Use & Responsibilities
• Who is allowed to use the network?
• What is the proper use of network resources?
• Who is authorized to grant access and approve usage?
• Who has system administrative privileges?
• What are the user’s rights and responsibilities? (In WRITING?)
• What are the rights and responsibilities of the system administrator vs. those of the users? (In WRITING).
• What do you do with sensitive information?
• Outdated IP listings and network drawings?
• Crashed hard drives?
• Network documentation?
• Off site storage of backups and their transportation?
Plan of Action
• Develop a plan of action when a security policy is violated.
– Response to security violations from the ‘outside’.
– Response to security violations by local users (from the inside).
– Response strategies.
– Define the responsibilities of being a good citizen on the Internet.
– Contacts and responsibilities to external organizations (CERT, etc).
Identify and Prevent Security Problems
• Access points.
• Improperly configured systems.
• Software bugs and patches.
• Insider threats.
• Physical security.
• Confidentiality.
Publicize the Policy
• How to ‘Get the Word Out’:
– Committee input for policy creation.
– Training.
– User Mailing lists.
– Committee review of the policy on a regular basis.
– Signed policy commitment by all employees.
• Keep on file.
Additional Administration
• Understand firewall and router functions and limitations.
• Understand your needs and what you’re trying to protect.
• Have your firewall and routers professionally installed, initially configured for minimum passthrough.
• Monitor all Firewall and UNIX/NT logs, and router tables.
• Implement automatic corrective action - where possible.
• Continuous ‘real time’ monitoring of all network devices, applications, and databases.
• Immediate installation of patches and other software updates.
Disaster Planning
What would you do if you drove into the parking lot tomorrow and the building was gone?
An interesting fact:
Of the 350 firms that had Corporate offices in the World Trade Center, 150 were out of business 8 months after the terrorist bombing.
It wasn’t that they lost information - they had no redundancy (disaster plan) that allowed them to run their business from another location.
Security = Disaster Planning
The same information derived from your security assessment can be used for disaster planning and business recovery.
– Identify key hardware, software, and information.
– Identify key personnel.
– Identify a backup location and keep backups off-site.
– Document all configuration, including:
• hardware installation parameters
• software installation parameters
• file server and workstation boot files
• file/print/FAX/communications server parameters (phone line rollover?)
• application settings and installation parameters
• user access rights
• backup and virus parameters
Who’s in charge?
Any plan must include staffing.
It should also include standardization.
Reading Materials
Maximum Security (2nd Edition)
Author: Anonymous
Publisher: SAMS
ISBN: 0-672-31341-3
Firewalls and Internet Security - Repelling the Wily Hacker
Authors: W. Cheswick and S. Bellovin
Publisher: Addison-Wesley
ISBN: 0-201-6337-4
Internet Firewalls and Network Security
Authors: K. Siyan and C. Hare
Publisher: New Riders Publishing
ISBN: 1-56205-437-6