1. Firewalls, VPNs, and Modem Security Lesson 07

2. Filters and Firewalls
<ul>
  <li>Filter -- a software program or device that monitors incoming and outgoing packets on a computer network to determine whether the packets should be allowed to enter or leave a computer system.</li>
  <li>Firewall -- a network monitor or collection of monitors placed between an organization’s internal network and the Internet, or between two local area networks.</li>
</ul>

3. Junk E-Mail Filters
<ul>
  <li>Some ISPs attempt to filter junk email because of
    <ul>
      <li>the extra load it places on servers</li>
      <li>the annoyance factor</li>
    </ul>
  </li>
  <li>Attempts to eliminate junk e-mail
    <ul>
      <li>Check the “From” field or IP address against known spammers</li>
      <li>Check whether it originated from a mail delivery agent frequently used by spammers</li>
    </ul>
  </li>
  <li>All approaches potentially eliminate valid (non-spam) email</li>
</ul>

4. Junk e-mail filters
<ul>
  <li>Bright Light Technologies developed software that
    <ul>
      <li>Seeds the Internet with thousands of email addresses</li>
      <li>These addresses are picked up by spammer bots</li>
      <li>Messages sent to these addresses are forwarded to Bright Light, which then develops a filter for them.</li>
    </ul>
  </li>
  <li>ISPs that allow spammers to use their site can find all mail originating from it (valid or spam) blocked in response.
    <ul>
      <li>UUNet and Compuserve both had this happen to them.</li>
    </ul>
  </li>
</ul>

5. Mail Abuse Prevention System
<ul>
  <li>Maintains a list of networks friendly to spammers.</li>
</ul>

6. Mail Abuse Prevention System’s Realtime Blackhole List
<ul>
  <li>Blackholing Due to Spam Origination (Then)
    <ul>
      <li>The original focus of the Realtime Blackhole List (RBL) when it began operations in mid-1997 was on identifying the sources of dedicated, professional spammers. Over time, the success of the RBL forced abusers to resort to other channels for distributing spam such as third party relaying and direct-to-MX contacts.</li>
      <li>These countermeasures to our defenses, as well as newly emerging sources of abuse, have made it necessary to modify our own strategies in response. We will describe the RBL strategies in its earliest days before discussing the more recent and more insidious forms of e-mail abuse MAPS is attempting to control.</li>
      <li>When a professional spammer gets a leased line, we find out about it when they start spamming us, and we track down every network object they own and we blackhole all or nearly all of them. Mail servers, web servers, name servers, terminal servers, usenet servers -- everything. If a professional spammer owns it, we don't want it talking to us, no matter what the protocol.</li>
      <li>When an ISP sells dialup or leased line connectivity to a spammer, we try really hard to get them to cancel the contract and strengthen their acceptable use policy (AUP) against future spammers. If they plead inability to break the contract (which is very common), but they are willing to tell us exactly which netblocks have been allocated to the spammers, we will blackhole only the spammer subnetblocks.</li>
    </ul>
  </li>
</ul>

7. Mail Abuse Prevention System’s Realtime Blackhole List
<ul>
  <li>Blackholing Due to Spam Origination (Now)
    <ul>
      <li>More recently, legitimate and respected businesses have stumbled into the spamming business. It is even more important to address unsolicited bulk email (UBE) from the Fortune 500 than it is to challenge UBE promoting multi-level marketing schemes.</li>
      <li>When well-respected companies begin using UBE as part of their direct marketing campaigns, it is almost always the result of the mistaken attempt to apply direct mail and telephone marketing principles to e-mail.</li>
      <li>In practice, this means that businesses should never presume to shift the costs of their advertising onto their customers until they have been given explicit permission to do so. Would any respectable marketer even dream of using collect phone calls or postage due mailings to reach potential customers?</li>
      <li>Marketers wishing to use e-mail should consider the foregoing question carefully when preparing their campaigns. Advertising based on permission marketing principles has proven to be extremely successful. Opt-in is a win-win strategy for both marketers and consumers.</li>
      <li>On the other hand, marketers who wish to insist on a so-called opt-out strategy -- in which they take it upon themselves to send as much promotional material as they want to someone's e-mailbox until asked to stop -- are eligible for listing on the RBL. The opt-out approach violates our fundamental principle: all communications must be consensual.</li>
    </ul>
  </li>
</ul>

8. Problems with MAPS
<p>NetworkWorld, Sept 10, 2001:</p>
<p>“One Friday afternoon in January, Internet Billing Company – one of the five most visited business-to-business sites on the Web – suddenly found online transaction requests from its customers were being blocked. The reason was that iBill’s name popped up on an antispam group’s blacklist that as many as half of the ISPs in the U.S. use to block e-mail and IP traffic from alleged spammers. Amazingly, no one had ever accused iBill of sending spam. However, someone complained to the antispam group Mail Abuse Prevention System (MAPS) that one of iBill’s thousands of customers had spammed them. MAPS not only placed the accused spammer on its Realtime Blackhole List (RBL), it listed iBill’s entire block of 254 IP addresses as well. ‘We didn’t know what was going on,’ says Marty Essenburg, iBill’s CIO at the time, who estimates that the four-day blacklisting cost iBill $400,000 in lost revenue. ‘There was no warning, it was automatic and we had to sit back and play catch-up. They hurt our revenue stream, and they tell us how to do business.’ Black Ice Software CEO Jozsef Nemeth says MAPS contacted him in March 2000 requesting Black Ice change the way it conducts business with its customers. When someone downloads Black Ice software, the company sends an e-mail thanking the person and listing technical support information. Black Ice later sends periodic e-mail marketing materials to those customers, which includes a provision that lets recipients unsubscribe. MAPS told Black Ice it had to switch to an ‘opt in’ system or its e-mail would be considered spam and it would be listed on the RBL… When Nemeth refused… his company was slapped on the RBL.”</p>

9. Issues with spam filtering
<ul>
  <li>Add to the issue the error rate:
    <ul>
      <li>A study showed that
        <ul>
          <li>Brightmail, a for-profit blacklisting and filtering service, blocks 94% of spam with 1% false positives.</li>
          <li>MAPS was found to block 24% of spam with 34% false positives.</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>Also consider the following from Julian Haight, founder of SpamCop:
    <ul>
      <li>“We list you immediately, and then we can talk about it.”</li>
      <li>They receive 50,000 complaints/day.</li>
    </ul>
  </li>
  <li>What are the implications in terms of the potential for a DoS attack?</li>
</ul>

10. Web Filtering
<ul>
  <li>Used to “prevent certain materials from entering into a system while users are browsing the Web.”</li>
  <li>Often offered as an alternative to legislative actions such as the Communications Decency Act.
    <ul>
      <li>Filtering at the receiving end does not inhibit free speech</li>
    </ul>
  </li>
  <li>The problem is that the filters are not completely accurate
    <ul>
      <li>numerous reports of “inappropriate” material not being filtered or valid information being blocked</li>
    </ul>
  </li>
</ul>

11. Web Filtering
<ul>
  <li>Net Shepherd Family Search filter returned only 1% of the sites returned by a non-filtered search using Alta Vista -- even though the search was on items such as “American Red Cross”, “Thomas Edison”, and “National Aquarium”.</li>
  <li>One university’s filtering blocked the Edupage newsletter because of the sentence:
    <ul>
      <li>“The new bill is more narrowly focused than the CDA, and is targeted strictly at impeding the flow of commercial pornography on the World Wide Web.”</li>
    </ul>
  </li>
  <li>Cybersitter blocked sites for the National Organization for Women, Godiva chocolates, and the teen website Peacefire.</li>
  <li>Cyber Patrol allowed 6 of the first 16 sites listed on Yahoo’s category “Sex: Virtual Clubs”</li>
</ul>

12. Web Filtering
<ul>
  <li>The World Wide Web Consortium approach to filtering is based on assigned labels and ratings and is called the Platform for Internet Content Selection (PICS)
    <ul>
      <li>does not dictate labels; instead allows groups to establish their own.</li>
    </ul>
  </li>
  <li>The European Commission proposed a similar rating scheme. Governments could develop site-rating systems, and software would be provided that allows teachers and parents to filter unwanted information.</li>
  <li>Another proposal is an adult-only domain</li>
</ul>

13. Web Filtering - Net Nanny (screenshot)

14. Web Filtering - Net Nanny
<ul>
  <li>“Net Nanny 4 comes preloaded with a list of both appropriate (Can Go) and objectionable (Can't Go) web sites. Our web site research team is constantly updating this list and it can be automatically updated to your computer - FREE of charge - at anytime. Of course, you have the full capability to scan our web site lists and easily modify them to meet your own family standards. Below are the different categories and criteria we use when determining which web site to add to our lists:”
    <ul>
      <li>Sexually Explicit</li>
      <li>Hate</li>
      <li>Violence</li>
      <li>Crime</li>
      <li>Drugs</li>
    </ul>
  </li>
</ul>

15. Web Filtering - Super Scout (screenshot)

16. Firewalls (Firewalls: The Complete Reference by Strassberg et al.)
<ul>
  <li>“The computer or computers that stand between trusted networks (such as internal networks) and untrusted networks (such as the Internet), inspecting all traffic that flows between them.”</li>
  <li>Firewalls have the following attributes:
    <ul>
      <li>All communications pass through the firewall</li>
      <li>The firewall permits only traffic that is authorized</li>
      <li>The firewall can withstand attacks upon itself</li>
    </ul>
  </li>
</ul>

17. Firewalls
<ul>
  <li>Four architectures (???)
    <ul>
      <li>Rule processing on routers – earliest and simplest</li>
      <li>Packet Filtering – also called packet screening: decide to allow or reject specific packets as they enter your network</li>
      <li>Stateful Inspection – looks at the contents of the packet, not just the header</li>
      <li>Application Level Gateway -- also known as a proxy gateway, used to forward service-specific traffic (e.g. email).
        <ul>
          <li>Proxies act as a middleman preventing direct connection; the proxy takes the request and, if allowed by the policy, forwards it.</li>
          <li>The proxy ‘understands’ the service and can make better filtering decisions (thus theoretically more secure) but is less flexible and more time consuming</li>
        </ul>
      </li>
      <li>Circuit Level Gateway -- simply relays bytes from a port on one system to another on an external network.
        <ul>
          <li>The connection appears to originate from the firewall and not the internal system
            <ul>
              <li>No direct connection between internal and external systems – but not filtered</li>
            </ul>
          </li>
        </ul>
      </li>
      <li>Hybrid Firewalls – e.g. filter some protocols, use an application gateway on others</li>
    </ul>
  </li>
</ul>
18. Packet Filtering

Rule set 1 (rules are checked top to bottom; the first match decides):
<table>
  <tr><th>Operation</th><th>Source</th><th>Port</th><th>Destination</th><th>Port</th><th>Type</th></tr>
  <tr><td>discard</td><td>bad.host</td><td>*</td><td>*</td><td>*</td><td>*</td></tr>
  <tr><td>allow</td><td>our.host</td><td>25</td><td>*</td><td>*</td><td>*</td></tr>
  <tr><td>discard</td><td>128.236.*.*</td><td>&gt;1023</td><td>our.host</td><td>&gt;1023</td><td>tcp</td></tr>
</table>

Rule set 2 (a narrow allow placed before the bad.host discard, and an explicit allow-everything rule at the end):
<table>
  <tr><th>Operation</th><th>Source</th><th>Port</th><th>Destination</th><th>Port</th><th>Type</th></tr>
  <tr><td>allow</td><td>bad.host</td><td>25</td><td>our.host</td><td>25</td><td>*</td></tr>
  <tr><td>discard</td><td>bad.host</td><td>*</td><td>*</td><td>*</td><td>*</td></tr>
  <tr><td>allow</td><td>our.host</td><td>25</td><td>*</td><td>*</td><td>*</td></tr>
  <tr><td>discard</td><td>128.236.*.*</td><td>&gt;1023</td><td>our.host</td><td>&gt;1023</td><td>tcp</td></tr>
  <tr><td>allow</td><td>*</td><td>*</td><td>*</td><td>*</td><td>*</td></tr>
</table>
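To make the first-match semantics of the two rule tables concrete, here is a small stateless packet filter that evaluates them over a few constructed packets. This is an added example for these notes, not code from the lecture or from any firewall product; the host globbing (`128.236.*.*`), the `>1023` port bound syntax and the sample traffic are all assumptions made to fit the slide's notation.

```python
"""First-match packet filter that evaluates the rule tables from the
'Packet Filtering' slide.  Added example for the lecture notes, not code
from the lecture or any firewall product.  Hosts are matched by name or by
glob (so '128.236.*.*' covers that /16), ports by exact value or by a
'>N' / '<N' bound, and the first rule that matches decides; with no match
the filter falls back to the stated default (discard)."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # host name or dotted IPv4 address, e.g. "128.236.1.7"
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "discard"
    src: str       # "*", a host name, or a glob such as "128.236.*.*"
    sport: str     # "*", "25", ">1023", "<1024"
    dst: str
    dport: str
    proto: str     # "*", "tcp", "udp"


def _host_matches(pattern: str, host: str) -> bool:
    # fnmatch treats '.' literally and '*' as any run of characters,
    # which is the wildcard notation used on the slide.
    return fnmatch.fnmatchcase(host, pattern)


def _port_matches(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    if pattern.startswith("<"):
        return port < int(pattern[1:])
    return port == int(pattern)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_host_matches(rule.src, pkt.src)
            and _port_matches(rule.sport, pkt.sport)
            and _host_matches(rule.dst, pkt.dst)
            and _port_matches(rule.dport, pkt.dport)
            and rule.proto in ("*", pkt.proto))


def filter_packet(rules, pkt: Packet, default: str = "discard") -> str:
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Transcription of the slide's first table (implicit default: discard).
RULES_A = [
    Rule("discard", "bad.host", "*", "*", "*", "*"),
    Rule("allow", "our.host", "25", "*", "*", "*"),
    Rule("discard", "128.236.*.*", ">1023", "our.host", ">1023", "tcp"),
]

# The slide's second table: a narrow allow placed *before* the bad.host
# discard, plus an explicit allow-everything rule at the bottom.
RULES_B = [
    Rule("allow", "bad.host", "25", "our.host", "25", "*"),
    Rule("discard", "bad.host", "*", "*", "*", "*"),
    Rule("allow", "our.host", "25", "*", "*", "*"),
    Rule("discard", "128.236.*.*", ">1023", "our.host", ">1023", "tcp"),
    Rule("allow", "*", "*", "*", "*", "*"),
]

# Constructed sample traffic used to compare the two rule sets.
SAMPLE = [
    Packet("bad.host", 25, "our.host", 25, "tcp"),           # mail from bad.host
    Packet("128.236.1.7", 40000, "our.host", 8080, "tcp"),   # high-port tcp from the /16
    Packet("128.236.1.7", 40000, "our.host", 8080, "udp"),   # same flow, but udp
    Packet("other.host", 80, "our.host", 80, "tcp"),         # unrelated web traffic
]


def compare(rules_a, rules_b, packets):
    """Return [(packet, action under A, action under B), ...]."""
    return [(p, filter_packet(rules_a, p), filter_packet(rules_b, p))
            for p in packets]


if __name__ == "__main__":
    for pkt, a, b in compare(RULES_A, RULES_B, SAMPLE):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: "
              f"A={a} B={b}")
```

Two things the run makes visible: the order of rules matters (in rule set 2 the specific allow for port 25 from bad.host only works because it sits above the blanket discard), and the trailing allow-everything rule flips the filter from default-deny to default-allow, so the UDP packet that set 1 silently drops is let through by set 2.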
19. Firewall Architectures: Screening Router (diagram: Internet, screening router)

20. Firewall Architectures: Dual-homed Host Architecture (diagram: Internet, dual-homed host)

21. Firewall Architectures: Screened Host Architecture (diagram: Internet, screening router, bastion host)

22. Bastion Hosts
<ul>
  <li>A specially ‘armored’ and protected host.
    <ul>
      <li>May run a special ‘secure’ or ‘stripped down’ version of the OS</li>
      <li>Only essential services are run on it.</li>
      <li>User accounts generally not permitted (admin only)</li>
    </ul>
  </li>
  <li>Machines inside the firewall should not trust the Bastion Host.</li>
</ul>

23. Firewall Architectures: Screened Subnet Architecture (diagram: Internet, exterior router, perimeter network with bastion host, interior router, internal network)

24. So, what’s the difference between them?
<ul>
  <li>Screening router
    <ul>
      <li>very primitive, just a souped-up router</li>
    </ul>
  </li>
  <li>Dual-homed host (firewall)
    <ul>
      <li>Routing function turned off; external systems can’t communicate directly with internal systems!</li>
      <li>Provides services through proxies</li>
    </ul>
  </li>
  <li>Screened Host
    <ul>
      <li>router provides routing and packet filtering functions</li>
      <li>Bastion provides a single system to heavily secure.</li>
    </ul>
  </li>
  <li>Screened subnet
    <ul>
      <li>In the screened host firewall there are no defenses between the bastion and other systems, so if the bastion is compromised, the internal network is vulnerable.</li>
      <li>The screened subnet adds another router to add another layer of protection. This router can be configured to only allow certain services.</li>
    </ul>
  </li>
</ul>

25. Firewall Architectures: Multiple Exterior Routers (diagram: exterior routers to the Internet, a supplier network and a lab network; perimeter network with bastion host; interior router; internal network)

26. Checkpoint Firewall Sample Rule Set (screenshot)

27. Cisco Systems PIX Firewall (screenshot)

28. Network Address Translation (NAT)
<ul>
  <li>Firewalls can also provide NAT services</li>
  <li>Allows a LAN to use one set of addresses for internal purposes and a second set for external traffic
    <ul>
      <li>Not all systems need a globally unique IP address
        <ul>
          <li>Saves on IP addresses, which is a concern for IPv4</li>
        </ul>
      </li>
      <li>Shields internal addresses from public view</li>
    </ul>
  </li>
</ul>

29. Network Address Translation (NAT)
<ul>
  <li>There are a limited number of IP addresses available and not every system needs one.</li>
  <li>NAT was developed to provide a means to translate private IP addresses into public IP addresses.
    <ul>
      <li>A device (typically a router or firewall) will accomplish this translation process.</li>
    </ul>
  </li>
</ul>
<p>Diagram (firewall performs NAT):</p>
<ul>
  <li>Internal host to firewall: Source 10.1.1.123, Destination 207.25.71.23</li>
  <li>Firewall to Internet: Source 63.69.110.110, Destination 207.25.71.23</li>
  <li>Reply from Internet to firewall: Source 207.25.71.23, Destination 63.69.110.110</li>
  <li>Firewall to internal host: Source 207.25.71.23, Destination 10.1.1.123</li>
</ul>
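The four packets in the diagram, played through a small translation table. This is an added example for these notes, not code from the lecture or from any firewall; it keeps the slide's addresses and goes one step beyond the slide by also rewriting the source port (port-translating NAT, the form that lets many inside hosts share one public address). The port numbers and the second inside host are constructed.

```python
"""Minimal NAT table for the slide's example flow (inside host 10.1.1.123,
firewall public address 63.69.110.110, Internet server 207.25.71.23).
Added example for the lecture notes, not code from the lecture or from any
firewall product.  It also rewrites the source port (NAPT), which is what
lets many inside hosts share the single public address; the slide's
addresses are kept as-is, the ports are constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Translates between a private network and one public IPv4 address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._outbound = {}   # (inside_ip, inside_port) -> public port
        self._inbound = {}    # public port -> (inside_ip, inside_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt.src, pkt.sport)
        if key not in self._outbound:          # new flow: allocate a port
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[port] = key
        return replace(pkt, src=self.public_ip, sport=self._outbound[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a reply arriving from the Internet.

        Returns None (drop) when no inside host initiated the flow: from
        the outside only the public address is visible, and an unsolicited
        packet has no mapping to follow."""
        if pkt.dst != self.public_ip:
            return None
        key = self._inbound.get(pkt.dport)
        if key is None:
            return None
        inside_ip, inside_port = key
        return replace(pkt, dst=inside_ip, dport=inside_port)


def demo_round_trip():
    """The slide's four packets: out through the firewall and the reply back."""
    gw = NatGateway("63.69.110.110")
    inside = Packet("10.1.1.123", 51000, "207.25.71.23", 80)  # constructed ports
    on_wire = gw.translate_outbound(inside)
    reply = Packet("207.25.71.23", 80, on_wire.src, on_wire.sport)
    delivered = gw.translate_inbound(reply)
    return on_wire, delivered


if __name__ == "__main__":
    on_wire, delivered = demo_round_trip()
    print("outbound on the Internet:", on_wire)
    print("reply delivered inside :", delivered)
```

The `translate_inbound` drop path is the "shields internal addresses from public view" point of the previous slide in code: an outside host that was never contacted by an inside host cannot address 10.1.1.123 directly, and a packet to the public address on a port with no mapping goes nowhere.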
30. Emerging Technologies
<ul>
  <li>Consolidated Management Consoles – an attempt to provide a single interface for the variety of security devices an administrator may face (e.g. firewall, ACLs on routers)</li>
  <li>Content vectoring – “shuffle” certain traffic off to ancillary internal or external handlers for additional inspection or processing.</li>
  <li>Multifunction Devices – integration of multiple security products into a single platform (e.g. IDS and firewall, firewall with router, …)</li>
</ul>

31. Personal Firewalls
<ul>
  <li>Designed to insulate vulnerable desktop OSs from attacks.</li>
  <li>Growth of residential and small-business broadband Internet access has also increased the need for personal firewalls.</li>
  <li>The spread of various Distributed Denial of Service attacks which take advantage of unprotected platforms has also helped to bring this issue forward.</li>
</ul>

32. Modem Security, Wardialing, and Telecomm Firewalls

33. What is the Network?
<ul>
  <li>Network Security Technologies Have Focused Almost Entirely on the TCP/IP Network…</li>
  <li>The Weakest Link is Now the Phone Network.</li>
</ul>
<p>There is a growing connectivity between the Data Network and the Telephone Network.</p>

34. The Data Network
<ul>
  <li>One pipe</li>
  <li>High speed</li>
  <li>Thousands of connections</li>
  <li>Controlled and monitored</li>
  <li>One chokepoint</li>
</ul>
<p>Cat V … your Internet connection is just a dedicated, high-speed telephone line.</p>

35. The Telephone Network
<ul>
  <li>Thousands of pipes</li>
  <li>Low speed</li>
  <li>Uncontrolled</li>
  <li>Unmonitored</li>
  <li>No chokepoint</li>
</ul>
<p>… think of your telephone network as thousands of low-speed Internet connections. Public Switched Telephone Network (PSTN)</p>

36. The TCP/IP Network (diagram: Users, Web Server, Router, Firewall, Intrusion Detection, Internet, Attacker)

37. The Actual Network (diagram: the TCP/IP network above plus a PBX, the Public Telephone Network and RAS dial-in servers)

38. PBX Security in The Actual Network (diagram: Public Telephone Network, Router, Firewall, Users, Intrusion Detection, Internet, Web Server, RAS dial-in servers, Attacker)

39. Security in The Actual Network (diagram as on slide 38) -- “2-4% of all telephone lines have active modems”

40. Unauthorized access to ISPs (diagram as on slide 37)
<ul>
  <li>Virus protection mechanisms can be circumvented</li>
  <li>Proprietary data can be uploaded by users</li>
</ul>

41. Wardialers
<ul>
  <li>Step 1, Phone number footprinting</li>
  <li>Public Domain Wardialers
    <ul>
      <li>ToneLoc</li>
      <li>THC</li>
    </ul>
  </li>
  <li>Commercial
    <ul>
      <li>PhoneSweep</li>
      <li>TeleSweep Secure</li>
    </ul>
  </li>
</ul>

42. War Dialing the ‘Bay’
<ul>
  <li>In ’97, Peter Shipley dialed the San Francisco Bay area looking for systems answered by a modem. He eventually finished the entire range, but the final report hasn’t been published. Early results reported, however, included:
    <ul>
      <li>1.4 million numbers dialed
        <ul>
          <li>500 an hour, 12,000 a day</li>
        </ul>
      </li>
      <li>14,000 of the lines dialed were reportedly modems</li>
    </ul>
  </li>
</ul>

43. Some interesting results:
<ul>
  <li>An East Bay medical facility gave unrestricted modem access to patient records.</li>
  <li>An Internet company offering financial services did not require a password to modify its modem-accessible firewall.</li>
  <li>A Fortune 100 company’s air conditioner and environmental control units could be easily changed by modem, allowing lights to be turned off or heating/air conditioning to be changed.</li>
  <li>Only 3 of every 1000 modem lines he checked posted a warning banner (a requirement for government machines).</li>
  <li>Some of the welcome banners gave the name of the operating system, release, and name of the corporation.</li>
</ul>

44. Carrier Exploitation
<ul>
  <li>Once you have a number, now what?</li>
  <li>Check the wardialing log; you can get some clues, then dial back.
    <ul>
      <li><code>CONNECT 57600</code></li>
      <li><code>HP995-400:</code></li>
      <li><code>Expected a HELLO command. (CIERR 6057)</code></li>
    </ul>
  </li>
  <li>Many default sequences (e.g. HP MPE-XL systems)
    <ul>
      <li><code>CONNECT 57600</code></li>
      <li><code>HP995-400: HELLO FIELD.SUPPORT</code></li>
      <li><code>PASSWORD=TeleSup</code></li>
    </ul>
  </li>
  <li>Default for pcAnywhere -- no password/userid</li>
  <li>and… you can always try brute force password guessing if nothing else works!</li>
</ul>

45. The Current Prevention Approach
<ul>
  <li>Policy</li>
  <li>Scanning (ad hoc War Dialing)</li>
  <li>Administrative Action</li>
</ul>

46. Current Scanning Challenge
<ul>
  <li>Window of Visibility</li>
  <li>Time / Scalability</li>
  <li>Vulnerability Measurement</li>
  <li>Cost (Long Distance Charges)</li>
  <li>Data Collection and Consolidation</li>
  <li>Logging / Reporting</li>
</ul>

47. Solution
<ul>
  <li>A better approach than ad-hoc wardialing is to apply the same type of control that is found on the IP network to the telephone network.</li>
  <li>Thus, the solution is a firewall for the telephone network</li>
</ul>

48. The Telephone Network (repeat of slide 35)

49. A Firewall for Phone Lines
<ul>
  <li>One virtual pipe</li>
  <li>Controlled and monitored</li>
</ul>
<p>… get your hands around the problem, and take control of the telephone network. Phone Firewall, Public Switched Telephone Network (PSTN)</p>

50. Remote Enterprise-wide Telecom Firewall Protection (diagram: the actual network of slide 37 with a Telecom Firewall added on the public telephone network side; call types Voice, Modem, Fax)
<ul>
  <li>Detect</li>
  <li>Log</li>
  <li>Alarm</li>
  <li>Block</li>
</ul>

51. Remote Enterprise-wide Telecom Firewall Protection (diagram as on slide 50, with an Attacker on the public telephone network)
<ul>
  <li>Detect</li>
  <li>Log</li>
  <li>Alarm</li>
  <li>Block</li>
</ul>

52. TeleWall Telecommunications Firewall (product slide)

53. Protect Phone-to-Switch
<ul>
  <li>Telephone fraud is a tremendous problem (1999: $5B)</li>
  <li>Most PBXs have a remote dial-up port for maintenance purposes.
    <ul>
      <li>Often protected with a numeric password</li>
    </ul>
  </li>
  <li>The same device used to protect against attacks on unauthorized modems can be used to protect the PBX as well.</li>
</ul>

54. PBX Hacking
<ul>
  <li>Dial-up connections are the most frequent means of remotely managing a PBX. Also frequently used for vendor external support.</li>
  <li>Just like computers with default passwords, PBXs often have default access codes.</li>
  <li>What companies should do is remove the defaults and, if a problem occurs, then provide an access code to the vendor; unfortunately… this is seldom done.</li>
</ul>

55. Remote Enterprise-wide Telecom Firewall Protection (diagram as on slide 51, with DTMF Signaling Detection)
<ul>
  <li>Detect</li>
  <li>Log</li>
  <li>Alarm</li>
  <li>Block</li>
</ul>

56. IP Telephony Security Issues (diagram: user-connected modem / IP phone, router, Internet, PSTN, PBX, gateway, 10/100 LAN)

57. Telecommunication Firewalls
<ul>
  <li>Log call progress</li>
  <li>Characterize call traffic</li>
  <li>Enforce Security and Usage Policy</li>
  <li>Control remote maintenance facility and port access</li>
  <li>Report resource utilization</li>
  <li>Fraud detection/prevention</li>
  <li>Trunk line status and usage</li>
  <li>Emergency notification</li>
  <li>ROI</li>
  <li>Protection of VoIP</li>
</ul>
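The policy-enforcement side of a telecom firewall, covering both the maintenance-port control of slides 53 and 54 and the detect/log/alarm/block responses of slides 50 to 57, as an added example for these notes. It is not code from the lecture or from TeleWall or any other product: the call records, extension numbers, vendor number and maintenance window are all constructed, and the call type is assumed to come from the firewall's own call-progress classification (voice, modem, fax).

```python
"""Policy engine for a telecommunications firewall, evaluated over constructed
call records.  Added example for the lecture notes, not code from the lecture
or from any product.  It exercises the four responses on the slides (log,
alarm, block; allow is the 'detected and permitted' case) across the cases
the lecture raises: modem answers on lines that should not carry data, fax
traffic, and dial-up access to the PBX maintenance port.  Extension numbers,
the vendor number and the maintenance window are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Call:
    when: datetime
    direction: str     # "in" (from the PSTN) or "out"
    extension: str     # internal line or extension
    remote: str        # external number
    call_type: str     # "voice", "modem", "fax" or "unknown" (from call-progress analysis)


POLICY = {
    "authorized_modem_lines": {"5101", "5102"},   # the RAS dial-in pool
    "fax_lines": {"5200"},
    "maintenance_port": "5999",                    # PBX remote-maintenance port
    "vendor_numbers": {"+15555550100"},
    "maintenance_window": (8, 18),                 # local hours, [start, end)
}


def evaluate(call: Call, policy: dict) -> tuple:
    """Return (action, reason); action is allow, log, alarm or block."""
    if call.extension == policy["maintenance_port"]:
        # Only the named vendor may reach the maintenance port, and only
        # during the agreed window; anything else is blocked or alarmed.
        if call.remote not in policy["vendor_numbers"]:
            return "block", "maintenance port: caller not an approved vendor"
        start, end = policy["maintenance_window"]
        if not start <= call.when.hour < end:
            return "alarm", "maintenance port: vendor call outside window"
        return "log", "maintenance port: vendor access"

    if call.call_type == "modem":
        if call.extension in policy["authorized_modem_lines"]:
            return "log", "modem call on an authorized dial-in line"
        return "block", "modem call on a line not approved for data"

    if call.call_type == "fax":
        if call.extension in policy["fax_lines"]:
            return "allow", "fax on a fax line"
        return "alarm", "fax on a non-fax line"

    if call.call_type == "voice":
        return "allow", "voice call"

    return "alarm", "call type could not be classified"


def run(calls, policy=POLICY):
    """Evaluate every call; return the per-call decisions and action counts."""
    decisions = [(c, *evaluate(c, policy)) for c in calls]
    counts = {}
    for _, action, _ in decisions:
        counts[action] = counts.get(action, 0) + 1
    return decisions, counts


# Constructed call records for a single day.
SAMPLE_CALLS = [
    Call(datetime(2001, 9, 10, 9, 5), "in", "5101", "+15555550123", "modem"),
    Call(datetime(2001, 9, 10, 10, 20), "in", "5342", "+15555550124", "modem"),  # desk modem
    Call(datetime(2001, 9, 10, 11, 0), "out", "5200", "+15555550125", "fax"),
    Call(datetime(2001, 9, 10, 14, 30), "in", "5999", "+15555550100", "modem"),  # vendor
    Call(datetime(2001, 9, 10, 23, 45), "in", "5999", "+15555550100", "modem"),  # after hours
    Call(datetime(2001, 9, 10, 2, 10), "in", "5999", "+15555550199", "modem"),   # unknown caller
    Call(datetime(2001, 9, 10, 15, 0), "out", "5310", "+15555550126", "voice"),
]

if __name__ == "__main__":
    decisions, counts = run(SAMPLE_CALLS)
    for call, action, reason in decisions:
        print(f"{call.when:%H:%M} ext {call.extension} {call.direction:3} "
              f"{call.call_type:6} -> {action:5} ({reason})")
    print(counts)
```

The second record is the case slides 39 and 43 are about: a modem answering on an ordinary desk extension that the IP-side firewall never sees. Because the telecom firewall sits on the one chokepoint that the PSTN otherwise lacks, it can block that call and still log the authorized dial-in traffic, and it turns the slide-54 advice (no default access codes, vendor access only when arranged) into an enforced rule rather than a hope.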
58. Extensions to Telecomm Firewalls
<ul>
  <li>Telephone bill reconciliation package.</li>
  <li>Secure Voice</li>
  <li>Secure VoIP</li>
  <li>Additional ‘password’ (DTMF signaling) for increased security.</li>
  <li>Securing of SCADA (Supervisory Control and Data Acquisition) systems.
    <ul>
      <li>Roosevelt Dam in Arizona</li>
    </ul>
  </li>
</ul>

59. Virtual Private Networks (VPN)
<ul>
  <li>From WEBOPEDIA:
    <ul>
      <li>a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.</li>
    </ul>
  </li>
</ul>

60. VPNs – IP security issue (diagram: a TCP/IP packet made up of IP Header, Other Headers, User Data). Which of these is needed for routing across the Internet?

61. VPNs and Tunneling
<ul>
  <li>Most VPNs use tunneling to create a private network across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and transmitting it over a network. The protocol of the outer packet is understood by the network and both endpoints, called tunnel interfaces, where the packet enters and exits the network.</li>
  <li>Firewalls, which can be used for NAT, can also perform VPN services: e.g. Cisco PIX</li>
</ul>
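The encapsulation described on this slide, and the answer to the question on slide 60, worked through in code: a complete inner packet with private addresses is carried as the payload of an outer packet addressed between the two tunnel interfaces, so only the outer IP header is needed by (or visible to) routers on the Internet, while the inner headers and user data travel encrypted and integrity-protected. This is an added example for these notes, not code from the lecture or from any VPN product. Assumptions: the two gateway addresses are constructed, the payload framing (sequence number, ciphertext, tag) is this example's own rather than IPsec, and the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag built only from the standard library; a real VPN uses a standard suite such as IPsec ESP.

```python
"""Tunnel encapsulation: an inner IPv4 packet (private addresses) is placed
inside an outer IPv4 packet addressed between two tunnel interfaces.  Added
example for the lecture notes, not code from the lecture or any VPN product.
The payload framing (8-byte sequence number, ciphertext, 32-byte tag) is
this example's own, not IPsec; encryption is an HMAC-SHA256 keystream and
integrity an encrypt-then-MAC tag, with separate keys per direction."""
import hashlib
import hmac
import socket
import struct

PROTO_TCP = 6
PROTO_IPIP = 4      # IANA protocol number for IP-in-IP (framing of the payload is ours)


def _checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(buf: bytes) -> dict:
    (_, _, total, _, _, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": buf[20:total]}


class TunnelEndpoint:
    """One tunnel interface; the peer is another instance with the roles swapped."""

    def __init__(self, local_ip: str, peer_ip: str, shared_key: bytes):
        self.local_ip, self.peer_ip = local_ip, peer_ip
        self._shared = shared_key
        self._seq = 0

    def _key(self, label: bytes, sender: str) -> bytes:
        # Per-direction subkeys: the sender's address is mixed in, so the two
        # directions never share a keystream or a MAC key.
        return hashlib.sha256(label + sender.encode() + self._shared).digest()

    def _keystream_xor(self, key: bytes, seq: bytes, data: bytes) -> bytes:
        stream = b""
        block = 0
        while len(stream) < len(data):
            stream += hmac.new(key, seq + struct.pack("!Q", block), hashlib.sha256).digest()
            block += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def encapsulate(self, inner_packet: bytes) -> bytes:
        """Encrypt and authenticate the whole inner packet, wrap it in an outer header."""
        seq = struct.pack("!Q", self._seq)
        self._seq += 1                       # fresh sequence number per packet
        body = self._keystream_xor(self._key(b"enc", self.local_ip), seq, inner_packet)
        tag = hmac.new(self._key(b"mac", self.local_ip), seq + body, hashlib.sha256).digest()
        return ipv4_packet(self.local_ip, self.peer_ip, PROTO_IPIP, seq + body + tag)

    def decapsulate(self, outer_packet: bytes):
        """Return the inner packet, or None if the outer packet is not ours or fails the tag."""
        outer = parse_ipv4(outer_packet)
        if (outer["src"], outer["dst"], outer["proto"]) != (self.peer_ip, self.local_ip, PROTO_IPIP):
            return None
        payload = outer["payload"]
        seq, body, tag = payload[:8], payload[8:-32], payload[-32:]
        expected = hmac.new(self._key(b"mac", self.peer_ip), seq + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # tampered or wrong key: drop silently
        return self._keystream_xor(self._key(b"enc", self.peer_ip), seq, body)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    a = TunnelEndpoint("63.69.110.110", "198.51.100.7", key)   # constructed gateway addresses
    b = TunnelEndpoint("198.51.100.7", "63.69.110.110", key)
    inner = ipv4_packet("10.1.1.123", "10.2.2.50", PROTO_TCP, b"hello from the private LAN")
    outer = a.encapsulate(inner)
    print("routers see:", parse_ipv4(outer)["src"], "->", parse_ipv4(outer)["dst"])
    print("peer recovers:", parse_ipv4(b.decapsulate(outer))["src"], "->",
          parse_ipv4(b.decapsulate(outer))["dst"])
```

The sequence number is what a real tunnel also uses for replay protection (rejecting a packet whose number has already been seen); that check is left out here to keep the endpoint stateless on the receive side.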
62. VPN (diagram)

63. SCADA systems
<p>Supervisory control and data acquisition (SCADA) is a system that allows an operator to monitor and control processes that are distributed among various remote sites. There are many processes that use SCADA systems: hydroelectric, water distribution and treatment utilities, natural gas, etc. SCADA systems allow remote sites to communicate with a control facility and provide the necessary data to control processes. For many of its uses, SCADA provides an economic advantage. As the distance to remote sites and the difficulty of reaching them increase, SCADA becomes a better alternative to having an operator or repairman visit the site for adjustments and inspections. Distance and remoteness are two major factors for implementing SCADA systems.</p>

64. SCADA Elements
<p>There are four major elements to a SCADA system: the operator, the master terminal unit (MTU), communications, and the remote terminal unit (RTU). (Diagram: one MTU connected to RTU 1 through RTU 4.)</p>

65. Summary
<ul>
  <li>What is the Importance and Significance of this material?</li>
  <li>How does this topic fit into the subject of “Voice and Data Security”?</li>
</ul>