Your SlideShare is downloading. ×
0
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Information security advanced
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Information security advanced

185

Published on

A report about advanced topic in information security, also some type of attack and defenses

A report about advanced topic in information security, also some type of attack and defenses

Published in: Education, Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
185
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
10
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  1. /JamiL.Alagha /JamiLALagha Information Security Advanced CUSTOM REPORT REPORT | A. JAMIL ALAGHA
  2. Agenda  Session Hijacking  Attack  SYN flood  Sequence predictability  Internet Control Message Protocol (ICMP)  Firewalls  The Demilitarized Zone – DMZ  E-Mail Security  Email Communication Report | A. Jamil Alagha ©2013 Risks and Problems
  3. Session Hijacking  used against services with  persistent login sessions  as Telnet, rlogin, or FTP.  cause a great deal of damage. Report | A. Jamil Alagha ©2013
  4. Attacks  There are   two attacks that use this technology SYN flood sequence predictability Report | A. Jamil Alagha ©2013
  5. SYN Flood Attack - 1   uses a TCP connection request (SYN). SYN is sent to the target computer With  the source IP address in the packet “spoofed,”   that belongs to another computer. or replaced with an address that is not in use on the Internet or Report | A. Jamil Alagha ©2013
  6. SYN Flood Attack -2 – When the target computer receives the connection request • • • • it allocates resources (memory + wait) to handle and track the new connection. A SYN_RECEIVED state is stored in a buffer register awaiting the return response (ACK) from the initiating computer – which would complete the three-way handshake. It then sends out an SYN-ACK. – If the response is sent to the “spoofed,” nonexistent IP address, there will never be a response. – If the SYN-ACK is sent to a real computer, it checks to see if it has a SYN in the buffer to that IP address. – Because it does not, it ignores the request. – The target computer retransmits the SYN-ACK a number of times. – After a finite amount of wait time, the original SYN request is purged from the buffer of the target computer. This condition is known as a half-open socket. Report | A. Jamil Alagha ©2013
  7. SYN Flood Attack - 3 • As an example – the default configuration for a Windows NT 3.5x or 4.0 computer is to retransmit the SYNACK five times, doubling the timeout value after each retransmission. • • • • The initial timeout value is 3 seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response and deallocates the resources that were set aside earlier for the connection. The total elapsed time that resources are in use is 189 seconds. ASS: what about Linux Report | A. Jamil Alagha ©2013
  8. C S SYNC1 SYNC2 SYNC3 SYNC4 SYNC5 Report | A. Jamil Alagha ©2013 Listening Store data
  9. SYN Flood Attack -4 • An attacker – will send many of these TCP SYNs – to tie up as many resources as possible on the target computer. • Because the buffer size for the storage of SYNs is a finite size, numerous attempts can cause a buffer overflow. • The effect of tying up connection resources varies, depending on the TCP/IP stack and applications listening on the TCP port. – – – For most stacks, there is a limit on the number of connections that can be in the half-open SYN_RECEIVED state. Once the limit is reached for a given TCP port, the target computer responds with a reset to all further connection requests until resources are freed. Using this method, an attacker can cause a DoS on several ports. Report | A. Jamil Alagha ©2013
  10. SYN Flood Attack -5  Finding the source of a SYN flood attack can be very difficult.  A network analyzer can be used to try to track down the problem  and it may be necessary to contact the ISP for assistance in attempting to trace the source.   Firewalls  should be set up to reject packets from the external network with any IP address from the internal network. Report | A. Jamil Alagha ©2013
  11. Sequence Predictability • The ability to guess sequence numbers is very useful to intruders – – because they can create a short-lived connection to a host without having to see the reply packets. This ability, taken in combination with the fact that many hosts have trust relationships that use IP addresses as authentication; that packets are easily spoofed; and that individuals can mount DoS attacks, means one can impersonate (present) the trusted systems to break into such machines without using source routing. Report | A. Jamil Alagha ©2013
  12. Sequence Predictability • If an intruder wants to spoof a connection between two computers so that the connection seems as if it is coming from computer B to computer A, using your computer C, it works like this: the intruder uses computer C to 1. • mount (+) a SYN Flood attack on the ports on computer B where the impersonating will take place. computer C 2. • sends a normal SYN to a port on computer A. Computer A 3. • returns a SYN-ACK to computer C containing computer A’s current Initial Sequence Number (ISN). Report | A. Jamil Alagha ©2013
  13. Sequence Predictability 4. Computer A - internally increments the ISN. – This incrementation is done differently in different operating systems (OSs). » Operating systems such as BSD, HPUX, Irix, SunOS (not Solaris), and others usually increment by $FA00 for each connection and double each second. With this information, the intruder can now guess the ISN that computer A will pick for the next connection. – Now comes the spoof. Computer C – sends a SYN to computer A using the source IP spoofed as computer B. Computer A – sends a SYN-ACK back to computer B, containing the ISN. – 5. 6. » Report | A. Jamil Alagha ©2013 The intruder on computer C does not see this, but the intruder has guessed the ISN.
  14. Sequence Predictability 7. 8. 9. 10. At this point, computer B – would respond to computer A with an RST. – This occurs because computer B does not have a SYN_RECEIVED from computer A. – Since the intruder used a SYN Flood attack on computer B, it will not respond. The intruder on computer C – sends an ACK to computer A, using the source IP spoofed as computer B, containing the guessed ISN+1. – If the guess was correct, computer A now thinks there has been a successful three-way handshake and the TCP connection between computer A and computer B is fully set up. – Now the spoof is complete. – The intruder on computer C can do anything, but blindly. Computer C – sends echo + + >>/.rhosts to port 514 on computer A. If root on computer A had computer B in its /.rhosts file, the intruder has root. Report | A. Jamil Alagha ©2013
  15. Sequence Predictability 11. Computer C  now sends a FIN to computer A.  could be brutal and send an RST to computer A just to clean up things.  could also send an RST to the synflooded port on B, leaving no traces. Report | A. Jamil Alagha ©2013
  16. SYN flood + sequence predictability • To – – prevent such attacks Prevent SYN flood attacks by discarding the first SYN packet (causes delay for legitimate users) one • – Routers and firewalls • – should NEVER trust anything from the Internet. should filter out any packets that are coming from – the external (sometimes known as the red) side of the firewall that has an IP address of a computer on the internal (sometimes known as the blue) side. – This only stops Internet trust exploits; it will not stop spoofs that build on intranet trusts. Companies • • • • • should avoid using rhosts files wherever possible. The /etc/hosts.equiv and .rhosts files provide the "remote authentication" database for rlogin, rsh, and rcp The files specify remote hosts and users that are considered "trusted" Trusted users are allowed to access the local system without supplying a password The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories Report | A. Jamil Alagha ©2013
  17. Internet Control Message Protocol (ICMP)  ICMP A major component of the TCP/IP Internet Layer  is used for  flow control, detecting unreachable destinations, redirection routes, and checking remote hosts.  Most users are interested in.  Checking a remote host  • is accomplished by (PING)- sending an ICMP Echo Message. Report | A. Jamil Alagha ©2013
  18. ICMP • When a system receives ICMP Echo Messages, – it places the message in a buffer and then retransmits the message from the buffer back to the source. – Due to the buffer size, the ICMP Echo Message size cannot exceed 64K. • • – UNIX hosts, – by default, will send an ICMP Echo Message that is 64 bytes long. – They will not allow a message of over 64K. Microsoft Windows NT, – longer messages can be sent. – The Windows NT hosts do not place an upper limit on these messages. – Intruders have been sending messages of 1 MB and larger. – When these messages are received, they cause a buffer overflow on the target host. Different operating systems • • will react differently to this buffer overflow. The reactions range from rebooting to a total system crash. Report | A. Jamil Alagha ©2013
  19. Firewalls • The first line of defense between the Internet and an intranet. • a multi-homed host – – placed in the Internet route, such that it stops and can make decisions about each packet that wants to get through. • performs a different function from a router. – A router • • – can be used to filter out certain packets that meet a specific criterion (e.g., an IP address). processes the packets up through the IP Layer. A firewall stops all packets. • • All packets are processed up through the Application Layer. Routers – cannot perform all the functions of a firewall. Report | A. Jamil Alagha ©2013
  20. Firewalls • A firewall should - meet at least, the following criteria – For an internal or external host to connect to the other network, it must log in on the firewall host. – All electronic mail is sent to the firewall, which in turn distributes it. • Firewall should not – mount file systems via NFS, nor should any of its file systems be mounted. – run NIS (Network Information Systems). – Only required users should have accounts on the firewall host. – trust any other host. Report | A. Jamil Alagha ©2013
  21. The Demilitarized Zone - DMZ • Companies - Internet presence. – FTP + WWW sites. – +setting up hosts • to act as a proxy server for Internet mail and a Domain Name Server (DNS). • – that sponsors these functions cannot be on the inside of the firewall. Therefore • Create demilitarized zone (DMZ) or perimeter network – a segment between the router that connects to the Internet and the firewall. Report | A. Jamil Alagha ©2013
  22. Proxy Servers – a One Image  A proxy host  is a dual-homed host - has at least two network interfaces. Report | A. Jamil Alagha ©2013
  23. Proxy Servers – a One Image • A proxy host – – – – – – • One of the functions – • • is a dual-homed host - has at least two network interfaces. that is dedicated to a particular service or set of services, such as mail. All external requests to that service directed toward the internal network are routed to the proxy. The proxy host then evaluates the request and either passes the request on to the internal service server or discards it. The reverse is also true. Internal requests are passed to the proxy from the service server before they are passed on to the Internet. is to protect the company from advertising its internal network scheme. Most proxy software packages contain network address translation (NAT). Take, for example, a mail server. – – – The mail from Albert_Smith@starwars.abc.com would be translated to smith@proxy.abc.com as it went out to the Internet. Mail sent to smith@proxy.abc.com would be sent to the mail proxy. Here It would be readdressed to Albert_Smith@starwars.abc.com and sent to the internal mail server for final delivery. Report | A. Jamil Alagha ©2013
  24. Testing the Perimeter • Use the Internet taking risks to be recognize. • The Internet and intranets – Changes — new protocols, new applications, and new technologies • Company’s security practices – to adapt • • • • to these changes. the security process should be viewed as forming a circle. The first step is to assess the current state of security within one’s intranet and along the perimeter. Once one understands where one is, then one can deploy a security solution. If you do not monitor that solution by enabling some detection and devising a response plan, the solution is useless. Report | A. Jamil Alagha ©2013
  25. Testing the Perimeter assessment • The process may repeated – the solution is monitored and tested, – further weaknesses to be learned and dealt with. – Continuous improvement - ensure protection. • As part of the process – a company must perform some sort of vulnerability checking on a regular basis. – done by • • – the company, or it may choose to have an independent group do the testing. The company’s security policy should state how • • • • the firewall and the other hosts in the DMZ are to be configured. to be validated and then periodically checked to ensure that they have not changed. may find additional weaknesses - the policy needs to be changed. Security = updated technology + clear policy (outline the procedures) Report | A. Jamil Alagha ©2013
  26. Testing the Perimeter • DNS records - One source of information. • Two basic DNS services – Lookup activities • – used to resolve IP addresses into host names or to do the reverse. A zone transfer • • • happens when one DNS server (a secondary server) asks another DNS server (the primary server) for all the information that it knows about a particular part of the DNS tree (a zone). Only between DNS servers that are supposed to be providing the same information. Users can also request a zone Report | A. Jamil Alagha ©2013 transfer.
  27. Testing the Perimeter A good security policy is to disallow zone transfers on external DNS servers. – A • • • • zone transfer is accomplished using the nslookup command in interactive mode. can be used to check for information leaks. This procedure can show hosts, their IP addresses, and operating systems. – This information can be used by an intruder to attack or spoof other hosts. – If this is not operationally possible, as a general rule, DNS servers outside of the firewall (on the red side) should not list hosts within the firewall (on the blue side). Listing internal hosts only helps intruders gain network mapping information and gives them an idea of the internal IP addressing scheme. Report | A. Jamil Alagha ©2013
  28. Testing the Perimeter  In addition to trying to do a zone transfer  the DNS records should be   checked to ensure that they are correct and that they have not changed. Domain Information Gofer (DIG) is a flexible command-line tool that is used to  gather information from the DNS servers. Report | A. Jamil Alagha ©2013
  29. Testing the Perimeter • The ping command, – – has the ability to determine the status of a remote host using the ICMP Echo Message. If a host is • running and is reachable by the message, the PING program will return an “alive” message. • – not reachable and the host name can be resolved by DNS, the program returns a “host not responding” message; • otherwise, an “unknown host” message is obtained. An intruder can use • the PING program to set up a “war dialer.” • War dialer = wardialing – is a program that systematically goes through the IP addresses one after another, looking for “alive” or “not responding” hosts. • To prevent intruders from mapping internal networks, – the firewall should screen out ICMP messages. – This can be done by not allowing ICMP messages to go through to the internal network or go out from the internal network. Report | A. Jamil Alagha ©2013
  30. Testing the Perimeter • The traceroute program – – – useful for network debugging. can use to test the corporate perimeter (network component). used to check the “time-to-live” (ttl) parameter and routes. • • • • • – Checking the various jumps not only shows the routes, but it can show possible problems that may give an intruder information or leads. • – – sends a series of three UDP packets with an ICMP packet incorporated during its check. The ttl of each packet is similar. As the ttl expires, it sends the ICMP packet back to the originating host with the IP address of the host where it expired. Each successive broadcast uses a longer ttl. By continuing to send longer ttls, traceroute pieces together the successive jumps. This information might show a place where an intruder might successfully launch an attack. These are hops that could be used by intruders to create DoSs. Duplicate entries for successive hops are indications of bugs in the kernel of that gateway or looping within the routing table. Report | A. Jamil Alagha ©2013
  31. Testing the Perimeter • Important aspect of firewall and proxy server testing – Checking the • – Tools • • • • – open ports and services available the freeware program strobe IBM Network Services Auditor (NSA) ISS Internet Scanner™, and AXENT Technologies NetRecon™ that can perform • • • a selective probe of the target UNIX or Windows NT network communication services, operating systems and key applications. use a comprehensive set of penetration() tests. The software searches for – weaknesses most often exploited by intruders to gain access to a network, – analyzes security risks, and – provides a series of highly informative reports and recommended corrective actions. Report | A. Jamil Alagha ©2013
  32. Testing the Perimeter • There have been numerous attacks in the past year that have been directed at specific ports. – The teardrop, newtear, oob, and land.c are only a few of the recent attacks. • Firewalls and proxy hosts should have only the minimum number of ports open. – By default, the following ports are open as shipped by the vendor, and should be closed: • • • • • • • • • echo on TCP port 7 echo on UDP port 7 discard on TCP port 9 daytime on TCP port 13 daytime on UDP port 13 chargen on TCP port 19 chargen on UDP port 19 NetBIOS-NS on UDP port 137 NetBIOS-ssn on TCP port 139 Report | A. Jamil Alagha ©2013
  33. Testing the Perimeter • Other sources of information leaks – – – – Telnet, FTP, and Sendmail programs. They all, by default, advertise the operating system or service type and version. They also may advertise the host name. This feature can be turned off and a more appropriate warning messages should be put in its place. • Sendmail – has a feature that will allow the administrator to expand or verify users. This feature should not be turned-on on any host in the DMZ. – An intruder • • • would only have to Telnet to the Sendmail port to obtain user account names. There are a number of well-known user accounts that an intruder would test. This method works even if the finger command is disabled. Report | A. Jamil Alagha ©2013
  34. Testing the Perimeter • VRFY and EXPN – VRFY • • – EXPN • • – – asks the server to verify an address. Its parameter may be an encoded address or a user name in a server-defined format. asks the server for the membership of a mailing list. Its parameter may be an encoded address or a list name in a server-defined format. allow an intruder to determine if an account exists on a system and can provide a significant aid to a brute-force attack on user accounts. If you are running • Sendmail - add the lines Opnovrfy and Opnoexpn to your Sendmail configuration file, usually located in /etc/sendmail.cf. • With other mail servers - contact the vendor for information on how to disable the verify command. Report | A. Jamil Alagha ©2013
  35. Testing the Perimeter • Another important check that needs to be run on these hosts in the DMZ is – a validation that the system and important application files are valid and not hacked. • • This is done by running a checksum or a cyclic redundancy check (CRC) on the files. Because these values are not stored anywhere on the host, external applications need to be used for this function. • Some suggested security products – freeware applications such as • – COPS and Tripwire, or third-party commercial products like • AXENT Technologies Enterprise Security Manager™ (ESM), ISS RealSecure™ or Kane Security Analyst™. Report | A. Jamil Alagha ©2013
  36. E-Mail Security
  37. Communication Layers Report | A. Jamil Alagha ©2013
  38. Current E-mail Standards  Four primary areas  SMTP (Simple Mail Transfer Protocol)  “Standard for the Format of ARPA Internet Text Messages  DNS (Domain Name System)  S/MIME (Secure/MIME), PEM (Privacy Enhancement for Internet Electronic Mail). user agent SMTP Report | A. Jamil Alagha ©2013 sender’s mail server SMTP Access protocls POP3, http receiver’s mail IMAP server user agent
  39. SMTP Simple Mail Transfer Protocol.  Specifies  the format of e-mail messages Header  Readable text  Divided into lines of the form: <keyword>: <value> • Keywords are either required, optional, or uninterpreted  Body  Separated from the header by a blank line  No restrictions on format or contents the details of e-mail exchange between two computers Report | A. Jamil Alagha ©2013
  40. SMTP: protocol for exchanging email msgs RFC 822: standard for text message format: • header lines, e.g., – To: – From: – Subject: different from SMTP commands! • body – the “message”, ASCII characters only Report | A. Jamil Alagha ©2013 header body blank line
  41. SMTP  Send email without using email client    Try telnet servername 25 see 220 reply from server enter HELO, MAIL FROM, RCPT TO, DATA, QUIT commands  how a client on one machine transfers e-mail to a server on another machine  Client establishes a connection to the server (typically using TCP)  waits for server to send a 220 READY FOR MAIL message  sends a HELO message   Server replies   250 <server>, hello <client>, pleased to meet you Client  sends a MAIL FROM: <sender> message Report | A. Jamil Alagha ©2013
  42. Sample SMTP interaction S: C: S: C: S: C: S: C: S: C: C: C: S: C: S: 220 hamburger.edu HELO crepes.fr 250 Hello crepes.fr, pleased to meet you MAIL FROM: alice@crepes.fr 250 alice@crepes.fr... Sender ok RCPT TO: bob@hamburger.edu 250 bob@hamburger.edu ... Recipient ok DATA 354 Enter mail, end with "." on a line by itself Do you like ketchup? How about pickles? 250 Message accepted for delivery QUIT 221 hamburger.edu closing connection Report | A. Jamil Alagha ©2013 required command set: HELO - Initial State Identification MAIL- Mail Sender Reverse Path RCPT - One Recipient’s Forward Path DATA - Mail Message Text State RSET - Abort Transaction and Reset all buffers NOOP - No Operation QUIT- Commit Message and Close Channel
  43. SMTP 1 user agent 2 mail server 3 4 mail server 5 6 user agent Mail servers: Always on and always accessible, Transferring e-mail to and from other servers  User agents: Sometimes on and sometimes accessible, Intuitive interface for the user  1) Alice uses UA to compose message “to” bob@someschool.edu 2) Alice’s UA sends message to her mail server; message placed in message queue 3) Client side of SMTP opens TCP connection with Bob’s mail server Report | A. Jamil Alagha ©2013 4) SMTP client sends Alice’s message over the TCP connection 5) Bob’s mail server places the message in Bob’s mailbox 6) Bob invokes his user agent to read message
  44. SMTP Security  SMTP does not provide any protection of e-mail messages  Intermediate hosts (MTA - message Transfer Agents) can:  Read, Modify, Delay, Destroy  Sender Authentication limitation  e-mail forgery   E-mail spamming   Easy to create phony (fraud) e-mail messages that appear to have come from an arbitrary source is still a major problem. SMTP-AUTH Report | A. Jamil Alagha ©2013
  45. Standard for the Format of ARPA Internet Text Messages  defines   the format of the messages to be exchanged. Important- MIME Multipurpose Internet Mail Extensions  that specify a standard method to encode multi-part message bodies, including nontextual information.  Report | A. Jamil Alagha ©2013
  46. DNS  DNS (Domain Name System).  Purpose to relate Internet IP addresses with computer names.  Extended to aid SMTP e-mail routing.  Currently - MX (Mail eXchanger) records. Use over the Internet Replaced the routing originally defined in SMTP. Report | A. Jamil Alagha ©2013
  47. S/MIME, PEM  PEM (Privacy Enhancement for Internet Electronic Mail) (Secure/MIME)  & S/MIME allow for a variety of security features Including encryption and decryption of e-mail content  message integrity protection  nonrepudiation of origin.  Report | A. Jamil Alagha ©2013
  48. Access Protocol :Standards to Retrieve Msg from servers   IMAP (Interactive Mail Access Protocol). POP (Post Office Protocol). user agent SMTP sender’s mail server Report | A. Jamil Alagha ©2013 POP3 or IMAP SMTP receiver’s mail server user agent
  49. IMAP  IMAP - Interactive Mail Access Protocol  defines a standard for client/server interaction between e-mail clients and servers.  It is currently the de facto standard for open-standards e-mail systems but is also available as an alternate access method for many proprietary e-mail server systems.   designed  to allow clients extensive control message store  Retrieval  Deletion  server-based searches  refiling messages between folders  message status  shared public (multiuser) folders  etc. Report | A. Jamil Alagha ©2013
  50. POP  POP - Post Office Protocol.  defines a standard for how e-mail clients can  retrieve headers or messages from a server  request messages to be deleted from the server.  While still in widespread use, it is currently relegated to minimal client and server implementations, and is being overtaken in robust systems by IMAP.  Report | A. Jamil Alagha ©2013
  51. GOALS AND NON-GOALS  Basic design goals of email  an effective e-mail system  communication  ease of use  reliability.  Security - Policies, plans, techniques, and devices DO NOT  unduly limit the functionality  prevent ease of use of the application. Report | A. Jamil Alagha ©2013
  52. GOALS AND NON-GOALS  Basic elements of email application  Standard format message format  users to exchange messages   Organization   All messages include fields  originator (from), recipients (to, and possibly cc bcc), submission date, and subject. Security  Users can only read  their own mail,  messages they create are identified as originating from their accounts. Report | A. Jamil Alagha ©2013
  53. GOALS AND NON-GOALS  Improve the elements:  Interoperability (to be solve)   ≠ often in direct conflict with security The ability to exchange messages between networks of individual computer systems. Transport of contextual information  The capability to include or attach computer data types such as  audio, video, static images, databases, spreadsheets, executable files or scripts, etc. Report | A. Jamil Alagha ©2013
  54. Elements with Security Areas  Control access  only legitimate users can access systems and services.  Prevent  loss of or damage to data.  theft of data or services.  inappropriate dissemination of data.  Monitor  for compliance with law  organizational policies.  Report | A. Jamil Alagha ©2013
  55. Email Communication Risks and Problems  Limiting network connectivity from the Internet to e- mail servers.  Communication   e-mail to allow the users in different organization to communicate (Internet). it does not require direct network connectivity between those e-mail servers and the Internet.  To limit network connectivity from the Internet to an organization’s e-mail servers  one will have standard bastion network between the Internet (insecure) and the organization’s internal network, and  a mail relay device will need to be installed on the bastion network  Report | A. Jamil Alagha ©2013
  56. Limiting network connectivity from the Internet to e-mail servers. Report | A. Jamil Alagha ©2013
  57. Email Communication Risks and Problems  Exterior firewall  provide   some protection to the e-mail relay system, must allow  some communications between the e-mail relay and external servers.  Hackers  have the opportunity to attempt attacks through the e-mail channels provided.  The protections:  implementing the relay system in the bastion network include the following:  intrusion  Because it is the only system that can be directly attacked from the Internet.  transient  detection - ID messages - TM If compromised, the relay system contains only transient messages.  Denial-of-service  attacks - DoS launched against the relay may not prevent intra-organizational traffic from functioning normally. Report | A. Jamil Alagha ©2013
  58. Email Communication Risks and Problems  Hacker  will only be able to do limited damage and  disrupt service between internal users and external users.   will need to have the ability to fully compromise the relay server,  spend the time and effort to do so before being able to use it as a platform to directly attack the internal mail servers.  Report | A. Jamil Alagha ©2013
  59. Email Communication Risks and Problems  Some firewall vendors  provide a similar functionality within a single firewall. the firewall itself assumes the role of the e-mail relay.  not as robust a solution as a functionally separate  allowing direct network communications between the insecure network and the internal mail servers.  Report | A. Jamil Alagha ©2013
  60. Email Communication Risks and Problems  Problem: sensitive information  Content of e-mail messages traveling over the Internet  need to be protected from third-party monitoring.  Solution: encryption  Multiple standards for e-mail encryption  none is currently widely deployed.  achieved by utilizing encryption that occurs within each user’s e-mail client software. Report | A. Jamil Alagha ©2013
  61. Encryption Report | A. Jamil Alagha ©2013
  62. Encryption  Message  encrypted within the sender’s system.  Problems  Encryption only occurs when the sender remembers to activate the feature.  Two sides must agree on utilizing the same encryption schemes (S/MIME, PGP, etc.).  Key(s) - exchange  Report | A. Jamil Alagha ©2013
  63. Solution: Encrypted VPN  for network connectivity between geographically separate offices of the same or related organizations. Report | A. Jamil Alagha ©2013
  64. Encrypting Appliance ??  encrypting appliance  For communications between   can be installed between   two business partners’ systems ≠ VPN the internal mail servers and the insecure networks. is configure to  encrypt/decrypt traffic exchanged with specific configured sites  allowing  pass traffic to through nonencrypted to nonconfigured sites Report | A. Jamil Alagha ©2013
  65. Encrypting Appliance Report | A. Jamil Alagha ©2013
  66. Encryption Standards  For massage passing  between the servers and the users’ workstations.  Most e-mail application software systems  have the ability to encrypt the communications channel between the client and server software.  encryption using increases the load on the server.  it is generally disabled by default.  Some systems utilize encryption schemes (SSL/TLS). Report | A. Jamil Alagha ©2013
  67. Access Methods  Special attention  for users accessing (remotely) e-mail from home or while traveling. Economically increasingly utilizing the Internet as connectivity. Access methods - need to be considered when planning this encryption  SMTP, POP, IMAP, etc.  Alternative   encryption-capable remote access servers Report | A. Jamil Alagha ©2013
  68. Encryption-capable remote access servers  used   Forming   to form encrypted tunnels directly to software installed on the user’s workstation. VPN tunnels Provides  more than e-mail connectivity. Report | A. Jamil Alagha ©2013
  69. Thanks to watching FOR QUESTION | CONTACT TO ME /JamiLALagha /JamiL.Alagha

×