MPE/iX Network Security
  • Explain the contents of the presentation. The first section covers general network security concepts that apply to all computer systems; the second section focuses on MPE/iX networking security issues and concepts.
  • What is security? Security is a moving target, and it is unique to each company or user. Any security solution should address three basic questions in order to be complete: How do I prevent an attack from the network? How do I detect an attack? How do I react to an attack?
  • What are the threats? Two areas need to be considered when thinking about security: the types of attacks that can be expected, and the types of attackers. Different attackers have different motivations and different resources, and this influences the type of attack they will bring against your systems. It is most important to think and plan BEFORE an attack, and to try to understand which adversary is likely to disrupt your operations.
  • Attacks have an unchanging and a changing nature when computer attacks are compared with real-world “bricks and mortar” attacks. The vast majority of attacks are financial and focus on robbery, embezzlement, fraud and the like; that is the unchanging nature of attacks. The changing nature is directly related to how computers operate. Attacks are more common: computer speed and the ability to automate tasks allow a far greater frequency of attacks, and the more times they knock on the door with different methods, the greater the chance it will be opened. Attacks are more widespread: safe-haven locations that seemed immune from crime can be hit as easily as any other area. In the bricks and mortar world, attackers have to make themselves visible to attack; in the computer world they can be invisible, hiding behind multiple identities in multiple locations, which makes it very difficult to track, capture and prosecute them.
  • Three characteristics of the Internet aid attackers. Automation: a simple attack can be written once and sent out against many systems, so even if the rate of return on a single attack is very low, enough attempts make it profitable. Action at a distance: attackers do not have to be local to attack your systems and do their damage, and international attackers may be difficult, if not impossible, to prosecute.
  • Technique propagation: electronic techniques are easily transferred and duplicated. One very skilled individual does the creating, and many average individuals can modify the tool for their own situations, so the talent level of the attacker population does not have to be high.
  • Types of attacks: Criminal attacks are mostly for financial gain and are low risk to the attacker. Privacy violations gather private information about an individual for a variety of purposes. Publicity attacks are done “because it is there”, with no reason other than to see the attacker's name in the papers or on TV; they are more dangerous because the pattern is random and potentially destructive.
  • Legal attacks are very rare but considerably disruptive: the attacker sets up a situation in which they can use the legal discovery process to gather information about a company's systems and security for further attacks.
  • Adversaries on the Internet vary greatly in motivation, risk tolerance and resources. They can be categorized in several ways: by objective (what is the purpose of the attack: damage, money, information), by access (insider or outsider), by resources (what funding, education and equipment they have access to) and by risk (how much risk the attacker is willing to absorb).
  • Who are the adversaries? Hackers: typically young males on society's fringe who belong to a subculture built around computer attacks. They view the attack as an end in itself, not a way to gain money or fame; they are willing to try anything to succeed and treat attempts to thwart them as a challenge. Lone criminals: their attacks are for financial gain, and the bulk of corporate computer-related crime is attributed to this class of attacker. They usually study a target for a long time to develop a single method of attack that will succeed; once done, they move out quickly and stay low until it is time for another attack. Methods vary greatly with the target.
  • Malicious insiders: the most dangerous type of attacker. They already know the system, how it operates, where the data is located and how security is set up, so they can easily exploit security holes and are extremely difficult to catch because they can cover their tracks. Industrial espionage: attempts to gain information from a competitor in order to improve one's own products in the market. Press: the goal is to sell newspapers and increase circulation; stories have to be eye-catching, dramatic and hard hitting, and news organizations may use a multitude of means to get the information they need. Organized crime: this group usually has a lot of resources to put behind attacks, so it can go after very lucrative targets, and its reach may include multiple attackers, including hackers and insiders.
  • Police: when gathering information to solve a crime, the line between legal and illegal methods can be crossed. Again, resources may be great, and complaints fall into a fuzzy area between illegal data gathering and legal discovery. Terrorists: the main goal is disruption and damage, with no specific target in mind; an attack may affect one system or a thousand. Resources and skills are somewhat limited. National intelligence organizations: the most powerful of all in terms of resources and skills. Hundreds of individual attacks can be attempted to gain the information they need. However, they are VERY risk averse: if something went wrong it would be very damaging to their credibility.
  • Infowarriors: the most dangerous yet. These are military-based attackers with large resources who are very risk tolerant; if the short-term gain is great enough, no risk is too high.
  • Types of network attacks. Viruses: code that attaches itself to other programs and replicates. They cannot be eliminated or avoided entirely; the only cure is antivirus software, kept up to date.
  • Worms: particular to networked computer systems, as they use network resources to spread themselves. They are rarely dangerous and mostly just annoying. Trojan horses: code blocks that embed themselves in something useful and gather information while the normal code operates. Keystroke loggers and password stealers are the classic examples. They can also be designed to allow access to the system and takeover from an external source; Back Orifice is a Trojan horse that can take over some Windows systems.
  • The previous examples are older types of code and have mostly been eliminated. Malware, modern malicious code, is now much more common and insidious. It is usually script based and takes advantage of bugs in code modules to gain access to the system. The common channels malware uses to gain access are e-mail attachments, multi-module code and plugins, and dynamic link libraries; mobile code (Java, JavaScript, ActiveX, plugins) provides a delivery mechanism for all of these.
  • The methods of attacking the network itself are wide and varied. Password sniffing: set up a data sniffer on the network and program it to look for certain packet types and collect those packets; other automated tools then filter the data for candidate user/password pairs. IP spoofing: a forged packet with the exact characteristics of an existing session is injected into the stream to “hijack” the connection and take over the system. DNS overrides: the attacker compromises a DNS server and configures it to route traffic to systems that allow easy data capture. DoS: the attacker sends a large number of SYN (TCP “hello”) packets with forged return addresses, forcing the target to hold state for each half-open connection while it waits for a confirmation that never comes. With many thousands of SYN packets the connection table fills, the system can no longer accept legitimate connections, and it may crash. This is further categorized as single or distributed: single comes from one location, distributed from many. E-mail bombs: a massive number of e-mails is sent to a system to bog it down and potentially crash it.
  • Port scanning: an automated process probes a range of IP addresses for favorable responses to SYN packets on multiple ports on each system. It can be started and left to run for a period of time, after which the attacker reads the log of systems that responded and customizes the attack to them. Buffer overrun packets: a specially crafted packet is sent to a particular port on a system. The attacker knows which service listens on that port and how it behaves; when the packet is received it is larger than the service's buffer, the excess overwrites the stack, and the attacker-supplied data is then executed as code that gives the attacker greater access to the system. Very ingenious and time consuming, but potentially very lucrative.
  • What are the methods to defend a computer on the network? Firewalls: devices, usually routers, that check traffic entering the network to verify that it is allowed. The system administrator needs to make sure the firewall is properly configured and that there are NO back doors into the network. Firewalls are good for general network traffic, but specific types of traffic will still be allowed in, bypassing the firewall by design. DMZs: it is possible to set up two firewalls with a system in the middle that needs access to the outside Internet. This area, the DMZ, provides an extra level of protection, as the inner firewall can be configured to be more restrictive toward outside packets. VPNs: provide encrypted access into the network through the firewall for remote users. With high-speed Internet access available to many people, VPNs are a good alternative to a direct-connect or leased-line setup.
  • More methods for defending a network: Burglar alarms are traps set on specific network objects that are not normally accessed; they alert the sysadmin to potential attacker activity. Honey pots are dummy objects set up to attract and trace attackers, ranging from individual systems with suggestive names to whole subnetworks with defined systems and activity. They are usually deployed after a series of serious attacks. The Cuckoo's Egg describes the use of a honey pot to track an international hacker. Vulnerability scanners are tools that look for holes in the network. Because they are supposed to be benign, most scanners do not do a very good job of catching potential problems; if they probed aggressively enough to find everything, they would crash the system or the network. Cryptography has a lot of potential, but because of its complexity and cost it is usually limited to very specific, small network segments.
  • MPE networking consists of several abstract layers. The F intrinsics are the file intrinsics (FOPEN, FCLOSE, FREAD, FWRITE, etc.); all network links are shared by multiple stacks.
  • Understand the access questions for the MPE system before developing a security strategy.
  • There are basic steps that can be taken first when implementing a security policy.
  • MPE has an advantage because of its proprietary nature: a common type of attack usually will not work, or if it did, it would only result in a process abort.
  • At the API layer there is a set of secure-sockets tools that can be downloaded from the Jazz site. These are RSA tools and are therefore supported by RSA, with the purchase of a license, rather than directly by HP.
  • MPE supports the Webwise MPE/iX Secure Web Server, which is based on Apache and includes encryption between the browser and the server.
  • It is not a substitute for other security measures, including firewalls and good host, application and human security practices.
  • Available from Jazz; bundled in the MPE/iX FOS on 7.5 and available as a patch on 7.0.
  • The MPE services layer has configuration files that help with security: SERVICES.NET.SYS, INETDCNF.NET.SYS and INETDSEC.NET.SYS.
  • What other resources are there for checking MPE/iX security? NETCONTROL is a tool that provides a snapshot of networking activity; run it occasionally to see what is going on with the network and whether there is any suspicious activity. A network packet sniffer may be easier to use than NETCONTROL, which is somewhat clumsy.
  • INETD can log all connections. The log will show whether there has been an unusual number of connection attempts to unexpected ports, which is usually a sure sign that somebody is probing the system. FTP logging has been altered to include the remote IP address for connection attempts; review it occasionally for abnormal activity. The SHOWCONN command shows who is logged on and which networking service they used to connect, a good sanity check that your users are who you expect and are coming from known locations.
  • Stay ahead of what is going on in the industry: monitor CERT bulletins and network with industry co-workers and acquaintances about potential new attacks. Finally, make sure a proactive, formalized strategy is in place, and keep reviewing it. Remember to be a moving target as much as possible.
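The INETD log review described above, turned into a check you can run: an added example (not HP tooling and not from the slides) that reads the SERVICES.NET.SYS excerpt from the deck to learn which ports are expected, then summarises per-source connection attempts and flags sources that touched ports with no configured service. MPE INETD's real log layout is not shown on the slides, so the log lines here are constructed in an assumed `<date> <time> <source ip> <port>/<proto>` form; the source addresses are constructed as well.

```python
"""Review INETD connection attempts against the ports SERVICES.NET.SYS defines.

Added example, not HP tooling. The log layout is an assumption (MPE INETD's
real format is not on the slides): one event per line,
"<date> <time> <source ip> <port>/<proto>".
"""
from collections import defaultdict

# The SERVICES.NET.SYS excerpt shown on slide 31 (column spacing adjusted).
SERVICES_TEXT = """\
echo       7/tcp                     # Echo
echo       7/udp                     #
discard    9/tcp    sink null        # Discard
discard    9/udp    sink null        #
daytime   13/tcp                     # Daytime
daytime   13/udp                     #
chargen   19/tcp    ttytst source    # Character Generator
chargen   19/udp    ttytst source    #
ftp       21/tcp
telnet    23/tcp
time      37/tcp    timeserver       # Time
time      37/udp    timeserver       #
"""

# Constructed log: one internal user doing normal work, one internal host
# using echo, and one outside address (documentation range 198.51.100.0/24,
# not a real host) sweeping ports the system does not serve.
LOG_TEXT = """\
2002-08-14 09:15:02 10.4.1.17 23/tcp
2002-08-14 09:15:40 10.4.1.17 21/tcp
2002-08-14 09:16:11 10.4.1.20 7/udp
2002-08-14 09:17:03 198.51.100.9 21/tcp
2002-08-14 09:17:03 198.51.100.9 23/tcp
2002-08-14 09:17:04 198.51.100.9 25/tcp
2002-08-14 09:17:04 198.51.100.9 80/tcp
2002-08-14 09:17:05 198.51.100.9 135/tcp
2002-08-14 09:17:05 198.51.100.9 445/tcp
2002-08-14 09:17:06 198.51.100.9 8080/tcp
2002-08-14 09:31:55 10.4.1.17 23/tcp
"""


def parse_services(text):
    """Map (port, proto) -> service name; comments and blank lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError(f"malformed services line: {raw!r}")
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto.lower())] = fields[0].lower()
    return table


def parse_log(text):
    """Return [(timestamp, source, port, proto)] from the assumed log form."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        date, clock, src, port_proto = raw.split()
        port, proto = port_proto.split("/", 1)
        events.append((f"{date} {clock}", src, int(port), proto.lower()))
    return events


def review_connections(services, events, scan_threshold=3):
    """Per-source summary: 'unexpected' lists ports with no configured service,
    'probable_scan' is set once a source touched scan_threshold or more of them."""
    per_src = defaultdict(lambda: {"total": 0, "services": set(), "unexpected": set()})
    for _ts, src, port, proto in events:
        rec = per_src[src]
        rec["total"] += 1
        name = services.get((port, proto))
        if name is None:
            rec["unexpected"].add((port, proto))
        else:
            rec["services"].add(name)
    report = {}
    for src, rec in per_src.items():
        unexpected = [f"{p}/{q}" for p, q in sorted(rec["unexpected"])]
        report[src] = {
            "total": rec["total"],
            "services": sorted(rec["services"]),
            "unexpected": unexpected,
            "probable_scan": len(unexpected) >= scan_threshold,
        }
    return report


if __name__ == "__main__":
    report = review_connections(parse_services(SERVICES_TEXT), parse_log(LOG_TEXT))
    for src, rec in sorted(report.items()):
        flag = "PROBABLE SCAN" if rec["probable_scan"] else "ok"
        print(f"{src:15} {rec['total']:3} attempts  services={rec['services']}  "
              f"unexpected={rec['unexpected']}  {flag}")
```

A source that only reaches ports listed in SERVICES.NET.SYS but in unusual volume would not be flagged by this check; the `total` count is kept in the report so that a volume threshold can be added alongside the port-based one.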
  • MPE/iX Network Security

1. Network Security: An MPE/iX Overview. Jeff Bandle, HP MPE/iX Networking Architect

2. CONTENTS
  • General Networking Security
    - Overview of security vulnerabilities
    - What can be done to make systems more secure
  • MPE/iX Specific Networking Security
    - Overview of MPE/iX networking stacks
    - What security tasks exist for MPE?

3. INTRODUCTION
  • What is security?
    - Unique to each individual user/company
    - Solution should contain three components for completeness
      - Prevention
      - Detection
      - Reaction
4. GENERAL NETWORKING
  • What are the threats?
    - Types of attacks
    - Types of attackers
  • Plans before technology
    - Understand the “enemy” first
    - “A moat around a castle does no good if attacks are from the air”

5. GENERAL NETWORKING
  • The Unchanging and Changing Nature of Attacks
    - Unchanging – similar to “bricks and mortar” crimes
      - Robbery
      - Embezzlement
      - Fraud
      - etc.
    - Changing
      - More common
      - More widespread
      - More difficult to track, capture and convict

6. GENERAL NETWORKING
  • Internet has three characteristics that aid attacks
    - Automation
      - Speed of computers and networks makes minimal-rate-of-return attacks possible
      - Data mining is easy and getting easier, affecting privacy
    - Action at a distance
      - Attackers can be far away from their prey and still do damage
      - Interstate/international differences in laws can affect prosecution

7. GENERAL NETWORKING
  • Internet has three characteristics that aid attacks (cont.)
    - Physical techniques are hard to duplicate/propagate
      - Cable descramblers
      - Counterfeiting U.S. currency
    - Electronic techniques are easily transferred/duplicated
      - Counterfeiting e-money
      - Attack tools can be created by a single person
        - Easily modified per situation
        - Less intellectual capital needed to make the tool effective
8. GENERAL NETWORKING
  • Types of Attacks
    - Criminal attacks
      - Basis is financial gain
      - Includes fraud, destruction and theft (personal, brand, identity)
    - Privacy violations
      - Private/personal information acquired by organizations not authorized to have it
      - Includes surveillance, databases, traffic analysis
    - Publicity attacks
      - Attacker wants to get their name(s) in the papers
      - Can affect ANY system, not just profit centers
      - Denial of service

9. GENERAL NETWORKING
  • Types of Attacks (cont.)
    - Legal attack
      - Set up a situation to use the discovery process to gather information
      - Rare, but possibly devastating

10. GENERAL NETWORKING
  • Who are the adversaries?
    - Categorized in multiple ways:
      - By objective – raw damage, financial gain, information
      - By access – insider vs. external
      - By level of resources – funding level, technical expertise, etc.
      - By level of risk – willing to die, go to jail
11. GENERAL NETWORKING
  • Who are the adversaries? (cont.)
    - Hackers
      - Attack for the challenge
      - Own subculture with names, lingo and rules
      - Stereotypically young, male and socially on the fringe
      - Can have considerable expertise and passion for attacks
    - Lone criminals
      - Attack for financial gain
      - Cause the bulk of computer-related crimes
      - Usually target a single method for the attack

12. GENERAL NETWORKING
  • Who are the adversaries? (cont.)
    - Malicious insiders
      - Already inside the system
      - Know the weaknesses and tendencies of the organization
      - Very difficult to catch
    - Industrial espionage
      - Gain a competitive advantage by stealing trade secrets
    - Press
      - Gather information for a story to sell papers/commercial time
    - Organized crime
      - Lots of resources to put behind their attacks, which are usually very lucrative

13. GENERAL NETWORKING
  • Who are the adversaries? (cont.)
    - Police
      - Lines are sometimes crossed when gathering information to pursue a case
    - Terrorists
      - Goal is disruption and damage
      - Most have few resources and are unskilled
    - National intelligence organizations
      - Highly funded and skilled
      - Very risk averse

14. GENERAL NETWORKING
  • Who are the adversaries? (cont.)
    - Infowarriors
      - Military-based groups targeting information or networking infrastructures
      - Lots of resources
      - Willing to take high risks for short-term gain
15. GENERAL NETWORKING
  • Specific types of network attacks and solutions
    - Viruses
      - String of computer code that attaches to other programs and replicates
        - File infectors – oldest type of virus, now mostly extinct
        - Boot-sector viruses – reside in the boot portion of a disk; also mostly extinct
        - Macro viruses – written in a scripting language and affect data files, not programs; the future of viruses
      - No absolute cure for viruses
        - Antivirus programs work, but need continual updating
        - Virus makers depend on the laziness of users to let virus definitions get out of date

16. GENERAL NETWORKING
  • Specific types of network attacks and solutions
    - Worms
      - Particular to networked computer systems
      - Gain access to resources that point to other computers
      - Replicate themselves to multiple systems
      - Rarely dangerous, mostly annoying
    - Trojan horses
      - Code that embeds itself into something useful
      - Collects information and sends it to a known site on the network
      - Can also allow external takeover of your system (Back Orifice)

17. GENERAL NETWORKING
  • Modern Malicious Code – “Malware”
    - Around 1999 was the first occurrence of large-scale propagation of e-mail-borne malware
    - Virus protection is now more reactive
    - E-mail infections are insidious because they bypass firewalls
    - Multi-module programs and plugins increase vulnerability
    - Dynamic linking increases problems as well
    - Mobile code (Java, JavaScript, ActiveX, plugins) is an easier delivery mechanism
18. GENERAL NETWORKING
  • Methods of Attacking the Network
    - Password sniffing
      - Collect the first parts of data packets and look for login attempts
    - IP spoofing
      - Fake packet to “hijack” a session and gain access
    - DNS overrides
      - Malicious access to a DNS server can compromise a network
    - Denial of service attacks – single and distributed
      - Large number of “SYN” packets to establish dummy connections
        - System gets throttled handling all the “hello” requests
      - Massive number of e-mail messages will flood a system

19. GENERAL NETWORKING
  • Methods of Attacking the Network (cont.)
    - Port scanning
      - Automated process that looks for open network ports
      - Logs positive hits for later exploits
    - Buffer overrun packets
      - Attacker sends a carefully built packet to computers on the network that support specific services (e-mail, IIS)
      - Packet causes the accepting process to abort, leaving the system in an unknown state, potentially with root access
      - Packet contains code that executes to get root access

20. GENERAL NETWORKING
  • Methods of Defending a Network
    - Firewalls
      - Networking devices (routers) that check traffic coming into a private network
      - Need to be complete and properly configured to ensure protection
      - Good protection for general network traffic, but specific traffic will still get through
    - DMZs
      - Network space between two firewalls
    - VPNs
      - Provide encrypted access from outside a network
      - Current versions aren't reliable enough and aren't useful against “slow” attacks

21. GENERAL NETWORKING
  • Methods of Defending a Network (cont.)
    - Burglar alarms
      - Traps set on specific networked objects that go off if accessed
    - Honey pots
      - Dummy objects used to attract attacks; range from single devices to whole subnetworks
    - Vulnerability scanners
      - Tools that scan a network periodically for holes, open gateways and misconfigured routers
      - Limited in scope because of potential damage to the network
    - Cryptography
      - Has potential, but complexity limits its use to local sites
22. MPE/iX SPECIFIC NETWORKING
  • MPE/iX networking stacks are made of multiple layers; the slide's diagram lists them, from the application interface down to the link:
    - F intrinsics
    - Sockets/NetIPC APIs
    - ADCP, AFCP, Telnet
    - TCP/IP/UDP
    - Network links

23. MPE/iX SPECIFIC NETWORKING
  • MPE/iX Networking Security
    - In securing your MPE/iX system there are a few things that need to be considered and understood before even thinking about security technology:
      - How is your MPE/iX system laid out on your network?
      - What is the important resource on your MPE/iX system that you want to protect?
      - Who are the users you want to have access to your MPE/iX system?
      - Where are these users coming from: internal vs. external?

24. MPE/iX SPECIFIC NETWORKING
  • MPE/iX Networking Security
  • Once the MPE/iX system's role is well understood, there are some basic first steps to take to strengthen security:
    - Change default passwords
    - Keep the OS up to date
    - Keep applications up to date
    - Monitor security bulletins
    - Use appropriate file and user security
    - When possible, carefully validate all input data
    - Social engineering:
      - Communicate the importance of protecting sensitive or proprietary data
      - No password sharing

25. MPE/iX SPECIFIC NETWORKING
  • MPE/iX Networking Security
    - Top security advantage is the proprietary nature of MPE/iX
      - Common types of attacks would not work
      - Worst result would be a process abort with the loss of a networking service
    - Other options for securing the network into MPE/iX
26. MPE/iX SPECIFIC NETWORKING
  • MPE/iX security measures (cont.)
    - API layer – secure sockets
      - RSA BSAFE SSL Toolkit
      - Software suite for building SSL-enabled applications
        - Includes 128-bit encryption, X.509 authentication and session caching
      - Available for download from Jazz
      - Not supported directly by HP; requires an RSA user license for support

27. MPE/iX SPECIFIC NETWORKING
  • MPE/iX security measures (cont.)
    - Services layer – HP Webwise MPE/iX Secure Web Server
      - Secure, encrypted communications between browser and server
      - What does it include?
        - Apache 1.3.22
        - mod_ssl 2.8.5 SSL security add-ons for Apache
        - MM 1.1.3 shared memory library
        - OpenSSL 0.9.6b cryptographic/SSL library
        - RSA BSAFE Crypto-C 5.2 cryptographic library (for the RC2, RC4, RC5 and RSA algorithms)

28. MPE/iX SPECIFIC NETWORKING
  • MPE/iX security measures (cont.)
    - Services layer – HP Webwise MPE/iX Secure Web Server (cont.)
      - IT IS NOT:
        - a substitute for a firewall (explicitly allow acceptable connections, etc.)
        - a substitute for good host security practices (change default passwords, keep the OS up to date, etc.)
        - a substitute for good application security practices (use appropriate file and user security, carefully validate all input data, etc.)
        - a substitute for good human security practices (communicate the importance of protecting sensitive or proprietary data, no password sharing, etc.)

29. MPE/iX SPECIFIC NETWORKING
  • MPE/iX security measures (cont.)
    - Services layer – HP Webwise MPE/iX Secure Web Server (cont.)
      - Available from Jazz
      - Supported through HP
      - Latest version is A.03.00
        - Bundled in FOS on 7.5
        - Available as patch WBWGDT7A on 7.0

30. MPE/iX SPECIFIC NETWORKING
  • MPE/iX security measures (cont.)
    - Services layer – configuration
      - Networking services are controlled by configuration files:
        - SERVICES.NET.SYS – configures the ports on which the MPE/iX networking subsystem will handle requests
        - INETDCNF.NET.SYS – configures the services INETD will handle
        - INETDSEC.NET.SYS – configures the security domains for the INETD process (which hosts may use which service)
    31. 31. MPE/iX SPECIFIC NETWORKING <ul><li>MPE/iX security measures (cont) </li></ul><ul><ul><li>SERVICES.NET.SYS </li></ul></ul><ul><ul><ul><li>echo 7/tcp # Echo </li></ul></ul></ul><ul><ul><ul><li>echo 7/udp # </li></ul></ul></ul><ul><ul><ul><li>discard 9/tcp sink null # Discard </li></ul></ul></ul><ul><ul><ul><li>discard 9/udp sink null # </li></ul></ul></ul><ul><ul><ul><li>daytime 13/tcp # Daytime </li></ul></ul></ul><ul><ul><ul><li>daytime 13/udp # </li></ul></ul></ul><ul><ul><ul><li>chargen 19/tcp ttytst source # Character Generator </li></ul></ul></ul><ul><ul><ul><li>chargen 19/udp ttytst source # </li></ul></ul></ul><ul><ul><ul><li>ftp 21/tcp </li></ul></ul></ul><ul><ul><ul><li>telnet 23/tcp </li></ul></ul></ul><ul><ul><ul><li>time 37/tcp timeserver # Time </li></ul></ul></ul><ul><ul><ul><li>time 37/udp timeserver # </li></ul></ul></ul>
    32. 32. MPE/iX SPECIFIC NETWORKING <ul><li>MPE/iX security measures (cont) </li></ul><ul><ul><li>INETDCNF.NET.SYS </li></ul></ul><ul><ul><ul><li>echo stream tcp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>echo dgram udp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>daytime stream tcp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>daytime dgram udp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>time stream tcp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>time dgram udp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>discard stream tcp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>discard dgram udp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>chargen stream tcp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>chargen dgram udp nowait MANAGER.SYS internal </li></ul></ul></ul><ul><ul><ul><li>telnet stream tcp nowait MANAGER.SYS internal </li></ul></ul></ul>
    33. 33. MPE/iX SPECIFIC NETWORKING <ul><li>MPE/iX security measures (cont) </li></ul><ul><ul><li>INETDSEC.NET.SYS </li></ul></ul><ul><ul><ul><li>telnet allow 10.3-5 ahost anetwork </li></ul></ul></ul><ul><ul><ul><li># The above entry allows the following hosts to attempt to access your system </li></ul></ul></ul><ul><ul><ul><li># using telnet: </li></ul></ul></ul><ul><ul><ul><li># hosts in subnets 3 through 5 in network 10, </li></ul></ul></ul><ul><ul><ul><li># the host with Internet Address of, </li></ul></ul></ul><ul><ul><ul><li># the host by the name of &quot;ahost&quot;, </li></ul></ul></ul><ul><ul><ul><li># all the hosts in the network &quot;anetwork&quot; </li></ul></ul></ul><ul><ul><ul><li># </li></ul></ul></ul><ul><ul><ul><li>tftp deny </li></ul></ul></ul>
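The three configuration files on the preceding slides can be audited together: INETDCNF.NET.SYS says which services INETD will start, SERVICES.NET.SYS gives their ports, and INETDSEC.NET.SYS says which remote hosts may reach each service. The following is an added example, not code from the presentation or from HP; it parses the listings exactly as shown on the slides (the sample file contents are constructed from them, and the full IP address in the telnet rule is a constructed placeholder because the slide elides it), lists the enabled services with their ports, and evaluates an INETDSEC rule for a given remote host. The treatment of a bare entry such as `tftp deny` (no host list) as denying every host, and of a bare `allow` as allowing none, is an assumption about the file format rather than something the slides state.

```python
"""Added example: audit MPE/iX INETD configuration files.

Sample file contents below are constructed from the slide listings; the
192.0.2.5 address in the INETDSEC telnet rule is a constructed placeholder.
"""

# --- constructed sample input -------------------------------------------------
SERVICES_NET_SYS = """\
echo 7/tcp # Echo
echo 7/udp #
discard 9/tcp sink null # Discard
discard 9/udp sink null #
daytime 13/tcp # Daytime
daytime 13/udp #
chargen 19/tcp ttytst source # Character Generator
chargen 19/udp ttytst source #
ftp 21/tcp
telnet 23/tcp
time 37/tcp timeserver # Time
time 37/udp timeserver #
"""

INETDCNF_NET_SYS = """\
echo stream tcp nowait MANAGER.SYS internal
echo dgram udp nowait MANAGER.SYS internal
daytime stream tcp nowait MANAGER.SYS internal
chargen stream tcp nowait MANAGER.SYS internal
chargen dgram udp nowait MANAGER.SYS internal
telnet stream tcp nowait MANAGER.SYS internal
"""

INETDSEC_NET_SYS = """\
telnet allow 10.3-5 192.0.2.5 ahost anetwork
# tftp is denied to every host (assumed meaning of a bare 'deny')
tftp deny
"""

# Legacy diagnostic services that rarely have a business purpose; worth
# questioning in an audit (general hardening practice, not a slide claim).
LEGACY_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}


def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_services(text):
    """Map (service, protocol) -> port number from SERVICES.NET.SYS lines."""
    ports = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        name, portproto, *_aliases = line.split()
        port, proto = portproto.split("/")
        ports[(name, proto)] = int(port)
    return ports


def parse_inetdcnf(text):
    """Return [(service, proto, user)] for every service INETD will start."""
    enabled = []
    for raw in text.splitlines():
        fields = _strip(raw).split()
        if len(fields) < 6:          # service socktype proto wait user program
            continue
        service, _socktype, proto, _wait, user = fields[:5]
        enabled.append((service, proto, user))
    return enabled


def parse_inetdsec(text):
    """Map service -> (action, [host entries]) from INETDSEC.NET.SYS lines."""
    rules = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        service, action, *hosts = line.split()
        rules[service] = (action.lower(), hosts)
    return rules


def _addr_matches(pattern, ip):
    """True if a dotted pattern such as '10.3-5' or '192.0.2.5' covers ip.

    Each component is an octet or an 'a-b' range; components the pattern
    leaves unspecified (trailing octets) match anything.
    """
    pat_parts, ip_parts = pattern.split("."), ip.split(".")
    if len(pat_parts) > 4 or len(ip_parts) != 4:
        return False
    for pat, octet in zip(pat_parts, ip_parts):
        lo, _, hi = pat.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()) or not octet.isdigit():
            return False
        if not int(lo) <= int(octet) <= int(hi or lo):
            return False
    return True


def host_matches(entry, ip, hostname=None, network=None):
    """Match one INETDSEC host entry: an address pattern, host name or network name."""
    if entry[0].isdigit():
        return _addr_matches(entry, ip)
    return entry.lower() in {h.lower() for h in (hostname, network) if h}


def is_allowed(rules, service, ip, hostname=None, network=None):
    """Decide whether a remote host may use a service under INETDSEC rules."""
    if service not in rules:
        return True                   # no entry: INETD accepts any host
    action, hosts = rules[service]
    if not hosts:
        return False                  # assumption: bare 'deny'/'allow' closes the service
    matched = any(host_matches(h, ip, hostname, network) for h in hosts)
    return matched if action == "allow" else not matched


def audit(services_text, inetdcnf_text):
    """Return [(service, proto, port, user, is_legacy)] for enabled INETD services."""
    ports = parse_services(services_text)
    return [(svc, proto, ports.get((svc, proto)), user, svc in LEGACY_SERVICES)
            for svc, proto, user in parse_inetdcnf(inetdcnf_text)]


if __name__ == "__main__":
    for svc, proto, port, user, legacy in audit(SERVICES_NET_SYS, INETDCNF_NET_SYS):
        print(f"{svc:8} {proto:4} port {port!s:4} as {user:12} {'LEGACY' if legacy else ''}")
    rules = parse_inetdsec(INETDSEC_NET_SYS)
    for ip in ("10.4.1.1", "10.6.1.1", "192.0.2.5"):
        print(f"telnet from {ip}: {'allowed' if is_allowed(rules, 'telnet', ip) else 'denied'}")
```

Running it lists the six INETD-started services with their SERVICES.NET.SYS ports, marks echo, daytime and chargen as legacy diagnostic services to review, and shows that a host in 10.4.x.x is accepted for telnet while 10.6.x.x is refused.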
34. 34. MPE/iX SPECIFIC NETWORKING <ul><li>MPE/iX security measures (cont) </li></ul><ul><ul><li>Other checking measures </li></ul></ul><ul><ul><ul><li>NETCONTROL checks </li></ul></ul></ul><ul><ul><ul><ul><li>Run NETCONTROL to take periodic traces of your network for potential attacks </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Check to see if unused ports are being probed </li></ul></ul></ul></ul><ul><ul><ul><ul><li>NETCONTROL TRACEON=MSDB;PROT=TCP – Starts tracing </li></ul></ul></ul></ul><ul><ul><ul><ul><li>NETCONTROL TRACEOFF;PROT=TCP – Stops tracing </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Use NMDUMP to format the trace data – TCP is type 3 </li></ul></ul></ul></ul><ul><ul><ul><li>Network Packet Sniffers </li></ul></ul></ul><ul><ul><ul><ul><li>Some MPE/iX networking tools are difficult to use </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Independent checks may be easier and quicker to grasp </li></ul></ul></ul></ul>
35. 35. MPE/iX SPECIFIC NETWORKING <ul><li>MPE/iX security measures (cont) </li></ul><ul><ul><li>Other checking measures </li></ul></ul><ul><ul><ul><li>Enable logging within INETD </li></ul></ul></ul><ul><ul><ul><ul><li>Starting INETD with the –l option will force verbose logging to the console </li></ul></ul></ul></ul><ul><ul><ul><ul><li>RUN INETD.NET.SYS;info=&quot;-l pri=cs&quot; </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Use this to check for strange inetd traffic </li></ul></ul></ul></ul><ul><ul><ul><li>Check the FTP log file, FTPLOG.ARPA.SYS, for unusual FTP behavior </li></ul></ul></ul><ul><ul><ul><ul><li>These log entries include originating IP addresses </li></ul></ul></ul></ul><ul><ul><ul><li>SHOWCONN </li></ul></ul></ul><ul><ul><ul><ul><li>Connection display command that shows the connection details for each user </li></ul></ul></ul></ul><ul><ul><ul><ul><li>JOBNUM INTRO DATE AND TIME LDEV USERNAME </li></ul></ul></ul></ul><ul><ul><ul><ul><li>REMOTE ADDRESS RPORT LPORT FLAGS PIN(PROGRAM) </li></ul></ul></ul></ul><ul><ul><ul><ul><li>#S1025 WED MAR 12 2003 08:18 34 JEFF.PTD,BANDLE </li></ul></ul></ul></ul><ul><ul><ul><ul><li> 2581 telnet jtcibd 155(JSMAIN.PUB.SYS) </li></ul></ul></ul></ul>
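SHOWCONN output is most useful when it is compared against what the site expects: which networks users should be coming from and when. The following is an added example, not code from the presentation; it reads the two-line SHOWCONN record layout shown on the slide (JOBNUM, intro date and time, LDEV, USERNAME on the first line; REMOTE ADDRESS, RPORT, LPORT, FLAGS, PIN(PROGRAM) on the second) and flags sessions whose source address or connect time fall outside a policy. The sample records, their remote addresses (the slide elides the address), the allowed networks and the access-hour window are all constructed, and the exact token layout is an assumption drawn from the slide's header lines.

```python
"""Added example: review SHOWCONN output against a source-network and
access-hours policy.  Sample output, addresses and policy are constructed.
"""
import ipaddress
import re
from datetime import datetime

# Constructed SHOWCONN output mirroring the slide's two-line record layout.
SHOWCONN_OUTPUT = """\
JOBNUM INTRO DATE AND TIME LDEV USERNAME
REMOTE ADDRESS RPORT LPORT FLAGS PIN(PROGRAM)
#S1025 WED MAR 12 2003 08:18 34 JEFF.PTD,BANDLE
10.3.7.21 2581 telnet jtcibd 155(JSMAIN.PUB.SYS)
#S1031 WED MAR 12 2003 23:47 36 OPERATOR.SYS
198.51.100.77 40122 telnet jtcibd 161(JSMAIN.PUB.SYS)
"""

# Constructed policy: where interactive users are expected to come from (WHERE)
# and the hours during which access is expected (WHEN).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.3.0.0/16")]
ACCESS_HOURS = range(7, 19)          # 07:00 - 18:59 local time

# Assumed token layout of the two record lines (see lead-in).
LINE1 = re.compile(r"^(#S\d+)\s+(\w{3} \w{3} \d{1,2} \d{4}) (\d{2}:\d{2})\s+(\d+)\s+(\S+)$")
LINE2 = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\((\S+)\)$")


def parse_showconn(text):
    """Turn SHOWCONN text into a list of connection dicts, skipping headers."""
    lines = [line for line in text.splitlines() if line.strip()]
    records, i = [], 0
    while i < len(lines) - 1:
        m1 = LINE1.match(lines[i])
        m2 = LINE2.match(lines[i + 1]) if m1 else None
        if not (m1 and m2):
            i += 1                   # header or unrecognised line
            continue
        jobnum, date, clock, ldev, user = m1.groups()
        raddr, rport, lport, flags, pin, program = m2.groups()
        records.append({
            "job": jobnum,
            "intro": datetime.strptime(f"{date} {clock}", "%a %b %d %Y %H:%M"),
            "ldev": int(ldev),
            "user": user,
            "remote": ipaddress.ip_address(raddr),
            "rport": int(rport),
            "lport": lport,
            "flags": flags,
            "pin": int(pin),
            "program": program,
        })
        i += 2
    return records


def review(records):
    """Return [(job, user, [reasons])] for connections that breach the policy."""
    findings = []
    for r in records:
        reasons = []
        if not any(r["remote"] in net for net in ALLOWED_NETWORKS):
            reasons.append(f"source {r['remote']} is outside the allowed networks")
        if r["intro"].hour not in ACCESS_HOURS:
            reasons.append(f"session started at {r['intro']:%H:%M}, outside access hours")
        if reasons:
            findings.append((r["job"], r["user"], reasons))
    return findings


if __name__ == "__main__":
    for job, user, reasons in review(parse_showconn(SHOWCONN_OUTPUT)):
        print(f"{job} {user}: " + "; ".join(reasons))
```

With the constructed input the first session (a 10.3.x.x host during the day) passes, while the second is reported on both counts: it comes from outside the allowed network and was introduced at 23:47. The same two checks can be applied to the originating addresses in FTPLOG.ARPA.SYS once its lines are parsed.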
36. 36. WRAPUP <ul><li>Continue to monitor and evolve </li></ul><ul><ul><ul><li>Follow CERT bulletins and evaluate their relevance to your systems </li></ul></ul></ul><ul><ul><ul><li>Network with industry acquaintances to learn about new styles of attack </li></ul></ul></ul><ul><ul><ul><li>Try to be proactive </li></ul></ul></ul><ul><ul><ul><li>Formalize a security strategy: </li></ul></ul></ul><ul><ul><ul><ul><li>WHO is accessing your data? </li></ul></ul></ul></ul><ul><ul><ul><ul><li>WHAT are the key resources you need to protect? </li></ul></ul></ul></ul><ul><ul><ul><ul><li>WHEN is data access expected? </li></ul></ul></ul></ul><ul><ul><ul><ul><li>WHERE are the users who access your data? </li></ul></ul></ul></ul>