Network Security Basics



  1. Network Security Basics
  2. Network Security Fundamentals
  3. Agenda
     • Introduction – Firewalls, Routers, IDS
     • Types of Networks
     • Internetworking = Increased Risk
     • Network Security Risks Explained
     • Network Security Defined
     • Network Connections to Control
     • Defense in Depth
     • Principles of Network Security
     • Effective Controls for Network Security
     ©2002 SecureIT Consulting Group, Inc.
  4. Introduction
     • Networks are telecommunication highways over which information travels
     • Networks and their associated information technology resources are exposed to potential points of attack (e.g. spoofing, traffic flow analysis, trap doors, Trojan horses, viruses, worms, etc.)
     • Centralized network management authority does not exist, so layered security measures are needed to protect data as it traverses the network
     • These layered security measures include:
       o Firewalls
       o Routers
       o Intrusion Detection Systems
       o Other components (VPNs, encryption, etc.)
  5. Introduction
     • Before addressing firewall, router and IDS particulars, however, it is necessary to get a good handle on the context of the networks in which firewalls, routers and IDS operate
     • This module provides that context by reviewing the following topics:
       o Networks
       o Risks of connectivity
       o Principles of effective network security controls
     • These topics will help provide the “big picture” in which firewalls and the other network security technologies operate
  6. Types of Networks
     • Local Area Network (LAN) – a discrete network that is designed to operate in a specific limited area like a floor of a building; usually within a single organization
     • Wide Area Network (WAN) – a network of subnetworks that interconnects LANs over wide geographic areas; usually within a single organization
     • Intranet – a TCP/IP based logical network within an organization’s internal network
     • Extranet – a TCP/IP based private network that is accessed by users outside the organization (such as trading partners, etc.) but that is not publicly accessible
     • Internet – a global, public TCP/IP network
     • Virtual Private Network (VPN) – a network where packets that are internal to a private network pass across a public network; traffic is encrypted, integrity protected, and encapsulated into new packets that are sent across the Internet
  7. Connecting Networks Together
     • Bridges – operate at the Link Layer to forward data to all other connected networks if the destination computer (MAC address) is not on the local network
     • Routers – operate at the Network Layer and direct (or route) packets to the appropriate “next hop” based on their routing tables and the destination computer’s IP address
     • Switches – operate at the Link Layer (or Network Layer) to deliver data to the specific port where the destination MAC address is located
     • Firewalls – devices that sit between networks to control and restrict the network traffic that is allowed to flow between those networks. Firewalls enforce network security policy.
     • Modems or Dial-in Line – a device or program that allows a computer to transmit data over telephone lines. These connections can be just as dangerous as if you had a T1 or a T3 line
  8. Business Objectives for Connectivity
     • Before the mid-1990s, there was little connectivity between computer systems
       o Networks were primarily used to connect terminals to a mainframe, or to connect workstations to shared resources (e.g., for file sharing, printing, etc.) within an organization’s internal network
       o If an organization’s networks were connected to someone else, usually only a few key business partners were connected, and that was through private lines
     • The Internet and the coming of “open” connectivity through TCP/IP changed this
     • In today’s environment, ease of connectivity is critical to doing business
       o Efficiency – only key data is sent across the entire supply chain
       o Speed – transactions need to be processed “real time”
       o Ease – customers demand a “universal” solution that will interface with multiple technologies
       o Information sharing – information leads to competitive edge
  9. Objectives of Network Security Controls
     • The purpose of network security is to protect internal networks, network devices, and network messages from unauthorized access, usually by outsiders
       o Objective 1: To provide control at all points along the network perimeter in order to block network traffic that is malicious, unauthorized, or that otherwise presents risk to the internal network
       o Objective 2: To detect and respond to attempted and actual intrusions through the network
       o Objective 3: To prevent network messages that are sent across networks from being intercepted or modified in flight
     • Network security controls cannot completely eliminate risk. The goal is to minimize risk as much as possible and to avoid unnecessary or excessive risk
     • The goal of network security is really to “enable” network connectivity. Without network security, the risks/costs of network connectivity would be prohibitive
  10. Internetworking Increases Security Risk
     • Network connectivity dramatically changes the risk profile for systems security
     • Question: Who can exploit security weaknesses (e.g., password weaknesses, backdoors, poor access controls, etc.) on internal systems?
       o Answer without connectivity: Only people who can first access my bricks and mortar
       o Answer with connectivity: Anyone who is connected to my network, and anyone who is connected to them, and anyone who is connected to them, and anyone who is connected to them, etc.
  11. Network Security Risks
     [Diagram, reconstructed from the slide text: (1) Hackers (2) connect through networks (3) to exploit security weaknesses on servers (4) to attack business processes and applications (5) to damage or steal]
     • (3) Security weaknesses exploited: weak passwords; weak access controls; misconfigurations; access without a password; inherent security vulnerabilities; buffer overflows to get privileged access
     • (4) Business processes and applications attacked: reliable processing results; confidentiality; system processes; service to customers
     • (5) Damaged or stolen: business reputation; business data; fraudulent payments
  12. Network Security Risks
     • Denial of Service – attacks on the availability of networks or computer systems
       o Network packets that violate protocol compliance or that are malformed can cause some systems to crash
       o Some network attacks flood a network with more packets than the network can handle
       o Other network attacks create half-open connections to utilize system resources until none are left
     • Information theft – attacks on confidential information (e.g., customer private information, credit card information, etc.)
       o Network services can be abused by malicious users to logon to (or otherwise access) hosts and other devices on the network
       o Confidential information may be easily accessible through network services due to misconfigurations, poor access controls, etc.
       o Confidential information/messages are intercepted while packets are being sent across publicly accessible network lines
  13. Network Security Risks Continued
     • Intrusion – unauthorized access (usually with privileged access rights) to a network or computer system that could compromise the integrity and/or availability of critical systems and data
       o Some network services allow access to the host without any password required: results in easy access
       o Some network services allow a user to sign on across the network to access the host: used for attacks on default or easily guessed passwords
       o Some network services use trusted access based on host IP addresses that can be spoofed: used to obtain unauthorized access without a password
       o Some network services and malformed packets can be used for surveillance: helps hackers focus their attacks
       o Some network services have buffer overflow vulnerabilities that provide attackers with privileged access: game over
     • Reputation – confidence of customers, business partners, etc. is lost. This is perhaps the biggest (but often unthought-of) risk that eBusinesses face
  14. Network Security Risks
     • Every connection to external networks introduces risk
     [Diagram: the Internal Network connected to the Internet, an Extranet, and Trading Partners TP 1 and TP 2]
     • The internal network could be attacked from the Internet (highly likely), from the Extranet (moderately likely), or from a Trading Partner (less likely)
     • An attacker from the Internet could also use our internal network connection as a launching point to initiate an attack against the Extranet or one of the Trading Partners
     • The Trading Partners could attack each other through us
     • If the Trading Partners are connected to the Internet, an attacker could use them as a launching point to attack us
  15. Causes of Network Security Risk
     • The Computer Emergency Response Team Coordination Center (CERT/CC) believes that the answer is “chronic system administration problems” and inherent “flaws” in the protocols and network services due to poor design
     • The SANS Institute publishes “The Twenty Most Critical Internet Security Vulnerabilities”
       o Default installations that run extraneous network services
       o Accounts with no passwords or weak (default) passwords
       o Unnecessary network service ports left open
       o Packets with spoofed source addresses (packets from outside networks that masquerade as if they originated from the internal network)
       o No logging or incomplete logging
       o Programming flaws and buffer overflows that cause services to crash or execute arbitrary commands with privileged access
       o Unprotected sharing of files and directories over the network
       o Trust relationships that allow access without a password
  16. Network Security
     • What is network security?
     • Network security consists of the technologies and processes that are deployed to protect internal networks from external threats
     • The primary goal of network security is to provide controls at all points along the network perimeter which allow access to the internal network and only let traffic pass if that traffic is authorized, valid, and of acceptable risk
     • Network security controls cannot completely eliminate risk. The goal is to minimize risk as much as possible and to avoid unnecessary or excessive risk
     • When viewed this way, network security is not an “obstacle”, but rather an enabler to doing business. In other words, without network security, the risks of connectivity would be too high
  17. Network Connections to Control
     • What do you need to control?
       o First, define what constitutes the perimeter or the “outer edges” of your network
       o Next, define who is “us” and who is “them”, based on trust. Do you, or should you, trust them?
     • It is imperative that ALL external connections be controlled, including Internet, Extranet, direct connections to trading partners, dial-in mechanisms, etc.
     • It may also be necessary to control connections to subsidiaries and other divisions/departments within the same company (e.g., if there are different controls in place for each division or department)
  18. Network Security
     • So, how do firewalls, routers and IDS factor into this equation?
     • Firewalls are one of the essential technologies that are used at the perimeter of the network to protect internal networks from external threats. However, network security is about more than just firewalls.
     • Other technologies (e.g., intrusion detection systems, VPNs and other uses of encryption) are important to network security.
     • Routers have software that provides security checking.
     • Processes (including monitoring, administration, etc.) are also a critical component of an effective network security solution.
  19. Defense in Depth
     • The key to effective network security controls is the concept of defense in depth – multiple, overlapping layers of controls are required to provide reliable protection to networks
       o A mixture of preventive and detective/corrective controls is needed
       o A mixture of controls at the network and host layers is required
       o “Holes” in one layer are compensated for by the other layers
     [Diagram: layers between Hackers and the Internal Network, all framed by Network Security Policy: Routers, Network Architecture, Logging and Monitoring, Firewall, Host Hardening, Encryption/VPN, Intrusion Detection, Intrusion Response]
  20. Network Security Principles, Part 1
     • Least privilege – only allow access that is legitimately required for authorized business purposes; only allow connectivity and network traffic (protocols and source/destination addresses and ports) that is required, valid, and of acceptable risk
     • Use multiple, overlapping layers of control (Defense in Depth) – do not rely on single solutions, but instead have multiple mechanisms that provide overlapping security controls to back each other up in the case of failure
     • Control the perimeter – place strong controls at all entry points into the network
     • Deny everything that is not explicitly allowed – be as restrictive as possible to account for incomplete information (e.g., there are bad things that you don’t know about yet)
  21. Network Security Principles, Part 2
     • Keep it simple – you need to be able to understand it if you hope to secure it
     • Conceal internal network information – hide internal network information as much as possible so that hackers cannot target their attacks
     • Technology isn’t enough – good network security consists of much more than the latest products and buzz words; it requires comprehensive practices that involve technology, people, and processes
     • Network security is a business problem – network security controls should be determined by business need; a strategy (that is consistent with business need) should drive the deployment of network security products and tools
     • Security policy – required to define acceptable levels of risk and overall direction for the network security practices and procedures
  22. Network Security Principles, Part 3
     • Logging and monitoring – early detection and response to intrusion attempts is critical
     • Encrypt confidential information that is transmitted over untrusted networks – sensitive information that is sent in clear text could be intercepted
     • Do not establish trust based on IP address – IP addresses can be spoofed with tools that craft network packets
     • Weakest link – the system of network controls is only as strong as its weakest component, or of a backdoor (if one exists); modems on PCs could be the weakest link
     • Minimize unnecessary risk – risk cannot be eliminated (unless you disconnect!), but you can reduce unnecessary or excessive risk
  23. Effective Controls for Network Security
     • Network Security Policy
     • Network Architecture
     • Hardening Hosts
     • Firewalls
     • Routers/Switches
     • Logging and Monitoring
     • Dial-in/Modems
     • Intrusion Detection Systems
     • Intrusion Response Planning
     • Periodic maintenance and validation of network security controls
     • Encryption
     • Digital Certificates/Digital Signatures
     • Virtual Private Networks
     (Note: all topics except Dial-in/Modems are included in this course)
  24. Conclusion
     • Connectivity between networks greatly increases risk because it enables outsiders to exploit internal security weaknesses
     • Network security is the set of control processes and technologies used to protect internal networks from attacks originating on external networks
     • Network security controls are focused primarily on controlling the perimeter or boundaries between networks
     • Generally accepted principles should be applied (especially “least privilege” and “defense in depth”)
     • A well-defined network security policy is a required first step in achieving adequate network security
  25. Network Security Policy
  26. Agenda
     • Why Network Security Policy is Needed
     • Effective Network Security Policy
     • Acceptable Risk
     • Network Security Policy Components
     • CERT Security Practices
  27. Network Security Policy
     • Networking technologies and the security controls that need to be in place are highly complex
     • Network security controls are essentially a mixture of diverse products, technologies, manual processes, etc.
     • This raises some questions:
       o How do all of these technologies and products fit together?
       o What functions need to be performed so that the network is protected?
       o What is the goal of all of the network security controls?
       o How much “control” is really needed?
       o How can we know that we are secure enough from outsiders?
       o How should the risks of connectivity be balanced against business benefits?
     • The answers to these questions are provided by a network security policy
  28. Network Security Policy
     • Organizations can achieve sustainable risk reduction and protect information flowing in and out of the network only if network security controls are founded upon a strong security policy
     • A policy provides direction, focus, and guidance for how network security controls are to be implemented
     • With an effective policy, the diverse control components of a “defense in depth” strategy are well-coordinated, cohesive, integrated, complementary, and focused. The result is a solid suite of controls that protect internal networks from external threats
     • Without an effective policy, network security controls tend to be ad hoc, poorly integrated “point solutions” with contradictory goals. The result is a “swiss cheese” implementation that is full of holes that attackers can exploit
  29. Network Security Policy
     • Policy development must focus on:
       o Starting with the mission needs and business goals
       o Identification and classification of information assets
       o Identification of threats and vulnerabilities
       o Understanding the technology impacts
       o Making informed decisions about trade-offs
       o Identification of residual risks (can never achieve 100% security)
     • Finally, policy must be enforceable – it is of no value if not enforced
  30. Network Security Policy
     • An effective policy is shaped by multiple factors:
       o Risk analysis and risk tolerance
       o Perceived and real threats
       o Organization’s “visibility”
       o Business and internal stakeholder requirements
       o Technologies used
       o Fiduciary responsibility
       o Legal, statutory, regulatory, and contractual requirements that an organization must satisfy
  31. Network Security Policy
     • To be effective, the Network Security Policy must be:
       o Developed by consensus
       o Designed with a long-term focus
       o Clear and concise
       o Understandable and supported by all stakeholders
       o Outlining roles and responsibilities – users and support personnel
       o Stating acceptable risk
       o Outlining requirements
       o Supported by well-established standards, guidelines, and procedures
       o Reviewed annually or as changes occur
       o Implementable and enforceable
  32. Acceptable Risk
     • Organizations have differing security postures with differing levels of acceptable risk
       o Different organizations have different inherent security risks based on the businesses they are in
       o Different businesses have different tolerance levels for security risk, and different viewpoints on the trade-offs of security vs. ease of use and performance
     • The level of network security risk that a company is willing to accept helps to determine its network security policy
     • This policy should be documented to ensure that relevant personnel can understand expectations and effectively implement network security controls and practices to support the policy
     • All network security controls should be consistent with the overall network security policy
  33. Acceptable Risk
     • Determining the acceptable level of risk involves performing a risk assessment analysis
     • Examples of risks to consider:
       o Confidentiality – for information to remain confidential, systems and processes must ensure that unauthorized individuals are unable to access private information
       o Vulnerable authentication processes – because authentication mechanisms govern trust between users and systems, they are targets for attack
       o Communication integrity – for the integrity of information to remain intact, systems and processes must ensure that unauthorized individuals cannot alter or delete information
       o Data collection over time – information gathering can be quite dangerous, as seemingly insignificant bits of information are collected over time by a skilled attacker
  34. Acceptable Risk
     • Threats, vulnerabilities and impacts must also be considered in defining acceptable risk.
       o A threat is defined as the potential to cause harm to the organization – intentional or unintentional
       o A vulnerability is a weakness or threat to the information asset. If there are no vulnerabilities, then a threat cannot put the organization at risk
       o Impacts reflect the degree of harm and are concerned with how significant the problem is, or how much effect it will have on the organization
  35. Acceptable Risk
     • The risk is lowest when threat and impact are both low. As impact, vulnerability, and threat all increase, the issue becomes one of high risk
     [Matrix, Threat (vertical) against Impact (horizontal): low threat and low impact = Low Risk; high threat and low impact = Moderate Risk; low threat and high impact = Moderate Risk; high threat and high impact = High Risk]
     • High risk is where the greatest return on security investment is found
  36. Network Security Policy Components
     • Policy components communicate to the users, managers and support personnel what they need to know. Ideally, this policy should be documented to ensure that relevant personnel can understand expectations and effectively implement practices to support the policy.
     • FIREWALL COMPONENT
       o Address specific aspects of security related to the firewall that are not addressed by other policies
       o Clarify how security objectives apply to the firewall
       o Responsibilities of firewall administrators
       o Firewall configuration: remote access policy, supported services, blocked services, configuration change management, etc.
       o Firewall audit policy: granularity of logging, frequency of review, etc.
  37. Network Security Policy Components
     • ROUTER COMPONENT
       o Articulate the required “level” of security controls for routers, and guide decision-making regarding the “costs” of security controls vs. the “benefits” of additional security protection
       o Specify requirements for router configuration
       o Provide a baseline for router configuration decisions
       o Define roles and responsibilities in the following areas: privacy, authorization and access (least privilege), auditing and accountability, identification and authentication, availability, network traffic, and violations reporting and notifications
       o Define the logging and monitoring requirements for security activities (e.g., sign-on to router, use of enable password, etc.) and violations (e.g., denied traffic, failed login attempt, etc.)
  38. Network Security Policy Components
     • IDS COMPONENT
       o Define how intrusion monitoring will occur
       o Intrusion detection policy: alerts, notification and escalation procedures, response priorities, etc.
       o Procedures for backups and outages
       o Define roles and responsibilities in the following areas: authorization and access (least privilege), auditing and accountability, and violations reporting and notifications
       o Inform users that network monitoring will be in place
       o Purpose for monitoring
       o Specify the type of unexpected network behaviors that will be monitored
       o Require users to report any suspicious behavior to security personnel and system administrators
  39. CERT Security Practices
     • Best practices that address 85% of compromises
     • Seven categories of evaluative criteria:
       1. Security Policy
       2. Secure Network Servers
       3. Secure Web Servers
       4. Deploy Firewalls
       5. Set up Intrusion Detection and Response Processes
       6. Detect Signs of Intrusion
       7. Responding to Intrusions
     • These criteria can be used as the foundation of a network security audit or self-evaluation of controls
  40. CERT Security Practices – Security Policy
     • Has an effective security policy been defined with these characteristics?
       o Designed with a long-term focus and kept up-to-date
       o Clear, concise, understandable, and supported by all stakeholders
       o Role-based and independent of positions and titles
       o Realistic, implementable, and enforceable
       o Specific about areas of responsibility and authority (e.g., enabling system administrators to operate with management authority when needed), as well as separation of duties
       o Well-defined, and supported by well-established standards, guidelines, and procedures
     • Can any user (general, administrator, manager, etc.) answer questions about the security policy? (e.g., Where are policies defined? Who establishes them? Who monitors compliance? How often is the policy updated?)
     • Do security policies cover all necessary topics?
  41. Conclusion
     • The main function of network security is to control access to the network and its shared resources.
     • Organizations can only achieve sustainable risk reduction and protect information flowing in and out of the network through development of a strong security policy. The policy is the foundation of all other network security controls.
     • Risk assessment is fundamental in determining the acceptable level of risk that will be defined in the security policy.
     • The security policy should define roles and responsibilities of users and support personnel. The expected behaviors of the users of the network are also defined and enforced.
     • Standards and procedures on how the policy is implemented should flow from and add support to the security policy.
  42. Firewall Topologies & Architectures
  43. Agenda
     • Definitions and Firewall Components
     • Categories of Firewalls
       o Simple Packet Filter
       o Stateful Inspection
       o Application Proxies
       o Firewall Hybrids
       o Personal Firewalls
     • Firewall Network Topologies
     • CERT Security Practices for Firewalls
  44. Introduction to Firewalls
     • What is a firewall?
       o A network device used to restrict traffic passing between networks
       o A firewall can consist of hardware and software, or even several components working together
       o Used to implement security policies which govern the flow of traffic between two or more networks
     • Three main categories of firewalls: simple packet filters, stateful inspection filters, and application proxies
  45. Firewall Components
     • Firewalls can consist of several components...
       o Software that runs on a standard host operating system (such as Solaris or Win2000). Example: Check Point Firewall-1 running on Solaris or Symantec’s Raptor firewall running on WinNT
       o Hardware and software that form an integrated or appliance firewall. Example: Check Point Firewall-1 running on Nokia IPSO appliance or Cisco PIX firewall
       o Router running Internetworking Operating System (IOS). Example: Cisco router
       o A combination of firewall hosts, integrated firewalls, and routers
  46. Categories of Firewalls
     • Simple packet filter: specifies packets to filter (e.g., allow or discard) during the routing process
     • Stateful inspection filter: provides additional filtering based on the payload (message content) and the context established by prior packets
     • Application proxy: an application program that runs on a firewall system to make all decisions at the application layer about establishing connections and forwarding packets between two networks
     • Hybrid firewalls: blending of the firewall types mentioned above
     • Personal firewalls: firewalls designed to protect personal computers and home networks
  47. Simple Packet Filters
     • What is a simple packet filter?
       o Selectively controls the flow of packets in/out of a network or between networks
       o Control is based on and enforced through a series of rules. These rules are based on information stored in the IP and TCP/UDP/ICMP headers
     • Rule criteria can be based on the following characteristics of the IP packet:
       o Source and/or destination IP address
       o Protocol, including TCP, UDP, ICMP, or all IP
       o TCP or UDP source and/or destination ports
       o ICMP message type
       o TCP flags, especially ACK (to distinguish a new connection from a reply to an established connection)
  48. Simple Packet Filters
     • Packet filters validate every single packet based on information contained only within that packet itself
       o There are multiple packets involved in a connection (e.g., initiating packets, reply packets, etc.). Each type of packet requires a rule
       o Many rules could be required for a single type of connection
       o Rules can get very complex
     • Possible actions include:
       o Permit the packet to pass
       o Drop the packet (e.g., without notifying the sender)
       o Reject the packet and send an error message to the sender
       o Log information about the packet within audit trails
       o Set off an alarm
     • Packet filters can process packets quickly (high-performance), but cannot reliably track connection state. Additionally, they cannot handle some protocols (e.g., FTP) that use different ports
  49. Why is State Important?
     • A packet arrives on the outside interface. It could be one of two things:
       1. A packet intended to start a new “connection” originating from the outside. This is risky because the packet could be inappropriate or malicious.
       2. A packet that is replying to a request initiated from the inside. This is less likely to present a risk and more likely to be legitimate.
     • A brand new packet and a “reply” packet both appear very similar
       o Both have source IPs from the outside, destination IPs for the inside, and appear on the external interface.
       o The only difference is in the TCP flag bits:
         - New traffic has SYN; return traffic for existing connections has ACK
         - TCP flags can be crafted or manipulated, so these are not good ways to track state
         - UDP, ICMP, and other protocols do not have the flags; only TCP does
  50. Stateful Inspection Filters
     • What is a stateful inspection filter?
       o Considers both the current packet (including contents) and prior packets
       o Should be used whenever there is a need to differentiate between “an incoming return/reply packet for an outgoing connection” and “an incoming packet for an incoming connection”
       o Extracts state-related information from the application layer, such as the FTP PORT command that defines the data channel port, and opens that port for the life of the connection
  51. Stateful Inspection Filters
     • Stateful inspection filters maintain tables to track the state of each connection
       o State tables track: source address, destination address, source port, destination port, connection expiration time limit
       o Any packet that matches a connection in the table (based on addresses and ports) is considered part of the same connection
       o Packets that don’t match an existing connection in the table are considered new and are added to the table (assuming that the connection passes the filtering rules which have been defined)
52. 52. Stateful Inspection Filters Stateful inspection rules are very different from simple packet filter rules Packet filter rules are written for each packet – may require two, four, or even more rules for an outbound service Stateful inspection rules are written at the connection level – requires only a single rule for an outbound service Stateful inspection firewalls have two sources of filtering information: rules and the connection state table Every packet does not need to be checked against the rules Only the first packet of a TCP connection (SYN) needs to be checked against the filtering rules Subsequent TCP packets (ACK) only require checking against the state table ©2002 SecureIT Consulting Group, Inc. 52
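The state-table behaviour described on slides 49 to 52, as an added example that is not part of the original slides: a small Python model that keys connections by address/port 5-tuple, consults the rules only for the first packet of a connection, matches later packets (in either direction) against the table, tracks UDP without any flag bits, and expires idle entries. The internal address range, the rule set and the sample packets are all constructed for the illustration.

```python
"""Toy stateful inspection filter (added example, not from the slides).

Connections are keyed by (src, sport, dst, dport, proto).  An entry is
created when a new packet passes the rules; any later packet matching an
entry in either direction is allowed without consulting the rules again.
UDP has no SYN/ACK bits, so it is tracked purely by address/port pairs
with an expiration timer.  Addresses and rules are constructed values.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # "S" = SYN, "SA" = SYN/ACK, "A" = ACK; empty for UDP
    ts: float = 0.0     # arrival time in seconds


class StatefulFilter:
    def __init__(self, timeout=60.0):
        self.timeout = timeout
        self.table = {}   # forward 5-tuple -> expiry time
        self.log = []     # one line per denied packet

    @staticmethod
    def _forward_key(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse_key(p):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def _rule_allows_new(self, p):
        # Rule set: inside hosts may open TCP/UDP connections to the outside;
        # the outside may open nothing (default deny).
        if ipaddress.ip_address(p.src) not in INSIDE:
            return False
        if p.proto == "tcp" and p.flags != "S":
            return False   # a new TCP connection must begin with a bare SYN
        return True

    def _expire(self, now):
        for key in [k for k, t in self.table.items() if t < now]:
            del self.table[key]

    def handle(self, p):
        self._expire(p.ts)
        # 1. Part of a tracked connection?  Either direction matches the table.
        for key in (self._forward_key(p), self._reverse_key(p)):
            if key in self.table:
                self.table[key] = p.ts + self.timeout   # refresh the timer
                return "ALLOW (state)"
        # 2. Otherwise it is new traffic and must pass the rules.
        if self._rule_allows_new(p):
            self.table[self._forward_key(p)] = p.ts + self.timeout
            return "ALLOW (rule)"
        self.log.append(f"DENY {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                        f"flags={p.flags or '-'}")
        return "DENY"


def demo():
    """Run a constructed packet sequence through the filter; returns the decisions."""
    fw = StatefulFilter(timeout=60.0)
    traffic = [
        Packet("10.0.0.7", 40000, "203.0.113.5", 80, "tcp", "S", 0.0),    # inside opens HTTP
        Packet("203.0.113.5", 80, "10.0.0.7", 40000, "tcp", "SA", 0.1),   # server's reply
        Packet("198.51.100.9", 5555, "10.0.0.7", 22, "tcp", "S", 0.2),    # outside opens SSH
        Packet("198.51.100.9", 5555, "10.0.0.7", 22, "tcp", "A", 0.3),    # crafted ACK-only packet
        Packet("10.0.0.7", 50000, "203.0.113.53", 53, "udp", "", 1.0),    # DNS query from inside
        Packet("203.0.113.53", 53, "10.0.0.7", 50000, "udp", "", 1.2),    # DNS answer
        Packet("203.0.113.53", 53, "10.0.0.7", 50000, "udp", "", 100.0),  # late answer, entry expired
    ]
    return [fw.handle(p) for p in traffic]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Note how the crafted ACK-only packet from the outside is denied: it matches no table entry, so it is treated as new traffic and falls to the rules, which is the reason to track state rather than trust flag bits. The same logic handles the UDP answer even though UDP carries no flags at all.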
  53. 53. Application Proxies What is an application proxy? A firewall that understands and is able to interpret information in the “data” part of network packets, including commands at the application protocol level. Application proxy firewalls “break” the client-server model. Each connection between client and server actually requires two connections: one between client and firewall, and the other between firewall and server. Application-level proxy processes run on the firewall to interpret the application data contained in the network packets. Proxies can analyze application-level commands and filter out security vulnerabilities, such as HTTP content type, detection of viruses in mail messages, etc. Proxies rewrite packets before sending them along to internal hosts. ©2002 SecureIT Consulting Group, Inc. 53
54. 54. Application Proxies Advantages of proxy firewalls... Enable filtering based on the entire network packet. Application layer vulnerabilities can be detected (e.g., CGIs or HTTP parameters, viruses, etc.) Provide authentication capability (IDs/passwords, certificates, etc. that are passed in the “data” part of the packet) Routing between dual-homed interfaces is not possible, so firewall filtering cannot be bypassed Provide more detailed logging by including application layer information (e.g., not just IP addresses of web server, but URLs as well) Prevent direct connections to the inside, since the connection is broken at the firewall Reconstruct network packets, which prevents malformed packet attacks ©2002 SecureIT Consulting Group, Inc. 54
  55. 55. Application Proxies Disadvantages of proxy firewalls... Poor performance – application proxies are slow because all packets have to be processed up the full TCP/IP stack Only a limited number of common services have proxy agents available ©2002 SecureIT Consulting Group, Inc. 55
  56. 56. Application Proxies Services that typically have proxy agents... Telnet FTP HTTP, HTTPS SMTP DNS NNTP LDAP Finger ©2002 SecureIT Consulting Group, Inc. 56
  57. 57. Application Proxies CERT recommends using proxies for monitoring or restricting outbound web access, and wherever else as needed Many organizations use stand-alone, dedicated proxy servers to perform filtering Dedicated proxy servers typically sit behind the firewall Commonly used to provide authentication, URL filtering, and logging of outbound WWW traffic Can also be used to filter inbound traffic (e.g., strip Java applets or ActiveX code, filter viruses in emails, etc.) Firewall rules need to support/enforce use of the proxy servers (e.g., only accept outbound WWW traffic if it originates from the proxy server) ©2002 SecureIT Consulting Group, Inc. 57
  58. 58. Firewall Hybrids Most firewalls are hybrids and contain features of several different types of firewalls Some simple packet filters contain limited state functions, and sometimes even more. For example, Cisco routers can perform limited state tracking for TCP using reflexive ACLs. In addition, an optional firewall feature set is available. Stateful inspection firewalls also provide some limited proxy support for authentication and basic filtering. For example, Firewall-1 contains security servers for HTTP, SMTP, and FTP. Proxy firewalls have packet filtering capabilities for protocols that are not proxiable. For example, Symantec Raptor firewall offers simple filtering rules on tunnels. ©2002 SecureIT Consulting Group, Inc. 58
  59. 59. Firewall Selection Selecting the best firewall depends on several factors: Because firewalls are often hybrid, the category of the firewall (e.g., packet filter, stateful inspection, application proxy) is not as important as the feature-set Generally, a stateful inspection firewall is considered sufficient Check Point Firewall-1 (a stateful inspection firewall with some HTTP, SMTP, and FTP proxy servers) is the market leader ©2002 SecureIT Consulting Group, Inc. 59
  60. 60. Personal Firewalls Workers may be connected to corporate networks from their home PCs High-bandwidth mechanisms – DSL, cable modems VPNs for remote connections What happens if home PCs are compromised and used as a launching point for attacks on corporate networks? This is why companies have to consider personal firewalls as a part of their total security solutions ©2002 SecureIT Consulting Group, Inc. 60
  61. 61. Personal Firewalls Personal firewalls can be software products that protect a particular desktop machine, or they can be hardware appliances that protect a home network They perform a variety of functions: Packet filtering based on port and source address Logging and alerting of attacks (especially BlackICE Defender) They sometimes allow for remote management. This feature enables a company to centrally manage and administer rule sets ©2002 SecureIT Consulting Group, Inc. 61
  62. 62. Firewall Topologies There are several types of firewall topologies (architectures) for placement of firewalls in a network Firewalls can consist of single hosts or routers, or of several routers and hosts working together (e.g., routers directing network traffic to the firewall and the firewall handling most of the filtering) Dual-homed hosts (one host with two network connections) are often used as firewalls. A dual-homed host has one inside interface and one outside interface For proxy firewalls, host-level routing is turned off The only way to pass traffic between networks is through the firewall, usually at the proxy or application layer ©2002 SecureIT Consulting Group, Inc. 62
  63. 63. Firewall Topologies Firewall topologies relate to the network architecture How are the networks going to be interconnected? Is more than one firewall needed? Where will the firewall(s) be placed? A sound network architecture and firewall topology is required to ensure an effective system The placement of the firewall can dramatically affect the effectiveness of filtering Traffic must pass through the firewall in order to be filtered. Routers must route traffic to the firewall, or physical connections must ensure that the only way into the network is through the firewall ©2002 SecureIT Consulting Group, Inc. 63
  64. 64. Firewall Topologies Border or Screening Router Firewall A screening router or dual-homed host connects and filters traffic between two networks Could screen the internal network by filtering traffic between the outside and the many hosts on the internal network that send/receive traffic from/to outside Could screen a hardened host by filtering traffic between that single host on the internal network that sends/receives traffic from/to the outside, and deny all outside traffic to/from other internal hosts ©2002 SecureIT Consulting Group, Inc. 64
65. 65. Firewall Topologies Untrustworthy host A hardened host exists outside of the border firewall. All traffic is routed to/from that untrusted host ©2002 SecureIT Consulting Group, Inc. 65
66. 66. Firewall Topologies Perimeter Network or Demilitarized Zone (DMZ) An intermediate network placed between the protected network and an untrusted network in order to provide an added layer of security The DMZ serves as a connection point between internal and external (untrusted) networks. Externally accessible systems are placed in the DMZ so that outsiders can be blocked from accessing the internal network The DMZ network (and the hosts that reside on it) should not be trusted by the internal network The most secure topologies use multiple hosts/routers (e.g., defense in depth) with a DMZ in between. There are two types of DMZ topologies... ©2002 SecureIT Consulting Group, Inc. 66
  67. 67. Firewall Topologies Single firewall with a DMZ A single firewall sits between three networks: the internal network, the external network, and the DMZ network on which the untrusted host resides ©2002 SecureIT Consulting Group, Inc. 67
  68. 68. Firewall Topologies Screened subnet or dual-firewall DMZ Two firewalls exist, one between the internal network and the DMZ, and the other between the DMZ and the external network ©2002 SecureIT Consulting Group, Inc. 68
69. 69. Firewall Topologies The most secure topology uses a DMZ with dual firewalls The outside firewall filters inbound traffic that is allowed to pass from the outside into the DMZ (e.g., HTTP, HTTPS, FTP, etc.) The untrustworthy hosts are hardened, bastion systems that provide single services (e.g., web servers, ftp servers, mail servers, etc.) The internal firewall filters inbound traffic that is allowed to pass from the DMZ to the internal network (e.g., database SQL calls, application servers, policy servers, etc.) No services are allowed to pass from the outside network, through both firewalls, and to the internal network If multiple firewalls are used, there is an advantage to using different products/brands so that a weakness in one product does not introduce a “hole” all the way through the network. Each firewall could consist of a firewall host (or integrated firewall) bordered by two routers Router access lists would supplement or complement the filtering and logging being performed by the firewall host (or integrated firewall). Typically, firewalls and their surrounding routers need to be evaluated together ©2002 SecureIT Consulting Group, Inc. 69
  70. 70. Criteria for Effective Firewall Controls Effective firewall controls: All traffic passing between the internal network and external networks should pass through the firewall (via routing, network topology, and/or other controls) Firewalls should allow inbound network services only if they are required, authorized, appropriate (per security policy), and considered to be of acceptable risk Firewalls should restrict network services and source/destination host addresses as much as possible (e.g., limit to particular hosts instead of an entire network) Firewalls should deny network traffic with internal network source addresses that is received on the external network interface (i.e., this traffic is spoofed) Firewalls should log all traffic that is denied, and summarize all traffic that is permitted Firewalls should generate real-time alarms for suspicious activity Firewalls should hide the structure of the internal network Firewalls should keep track of state and (if possible) combine control measures both at the application and network level ©2002 SecureIT Consulting Group, Inc. 70
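The control criteria on slide 70, as an added example that is not code from the slides or from any firewall product: a Python rule evaluator that denies by default, allows inbound services only to named hosts rather than to a whole network, drops packets arriving on the external interface with an internal source address (the spoofing case), logs every deny in full and keeps only a summary count of permits. The interface names, address range and allowed-service list are constructed.

```python
"""Toy perimeter rule evaluator (added example, not from the slides).

Encodes the slide's criteria as executable checks: default deny, inbound
services limited to specific hosts, anti-spoofing on the external
interface, full logging of denies and a summary of permits.
Addresses, interface names and the rule set are constructed values.
"""
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range

# Allowed inbound services as (destination host, protocol, port).  Listing
# individual hosts instead of networks follows the "restrict as much as
# possible" criterion.  The hosts are assumed for the example.
INBOUND_ALLOW = {
    ("10.1.1.10", "tcp", 80),    # web server
    ("10.1.1.10", "tcp", 443),
    ("10.1.1.25", "tcp", 25),    # mail relay
}


class PerimeterFilter:
    def __init__(self):
        self.deny_log = []              # every denied packet, with the reason
        self.permit_summary = Counter() # permits are only counted per service

    def evaluate(self, iface, src, dst, proto, dport):
        """Return "PERMIT" or "DENY" for one packet seen on interface `iface`."""
        src_ip = ipaddress.ip_address(src)
        reason = None
        if iface == "external" and src_ip in INTERNAL:
            # An internal source address cannot legitimately arrive from outside.
            reason = "spoofed internal source on external interface"
        elif iface == "external":
            if (dst, proto, dport) not in INBOUND_ALLOW:
                reason = "inbound service not authorized"       # default deny
        elif iface == "internal":
            if src_ip not in INTERNAL:
                reason = "non-internal source on internal interface"
        else:
            reason = "unknown interface"
        if reason:
            self.deny_log.append(f"DENY {iface} {src}->{dst} {proto}/{dport}: {reason}")
            return "DENY"
        self.permit_summary[(iface, proto, dport)] += 1
        return "PERMIT"


def demo():
    """Evaluate a constructed packet list; returns (decisions, filter)."""
    fw = PerimeterFilter()
    sample = [
        ("external", "198.51.100.9", "10.1.1.10", "tcp", 80),   # web to the web server: permit
        ("external", "198.51.100.9", "10.1.1.10", "tcp", 22),   # ssh to the web server: deny
        ("external", "198.51.100.9", "10.1.1.99", "tcp", 80),   # web to an unlisted host: deny
        ("external", "10.1.1.10", "10.1.1.25", "tcp", 25),      # internal source from outside: deny
        ("internal", "10.1.1.40", "203.0.113.5", "tcp", 443),   # outbound https: permit
        ("internal", "203.0.113.5", "10.1.1.40", "tcp", 443),   # outside address on the inside: deny
    ]
    return [fw.evaluate(*s) for s in sample], fw


if __name__ == "__main__":
    decisions, fw = demo()
    print(decisions)
    print("\n".join(fw.deny_log))
    print(dict(fw.permit_summary))
```

The evaluator keeps the deny log and the permit summary separate on purpose: denies are the events worth reading line by line, while permitted traffic is usually only useful in aggregate, which is what the slide's "log all denied, summarize all permitted" criterion asks for.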
  71. 71. Criteria for Effective Firewall Controls Key Audit Steps – Topologies and Architectures Ensure that the chosen firewall product was selected based on the security functionality that it provides Ensure that the firewall provides stateful inspection filtering, especially if UDP is allowed through the firewall Ensure that application-layer filtering is provided through proxies as appropriate (e.g., to filter WWW sites, strip HTTP and SMTP traffic of unneeded MIME file types, block hostile java applets, etc.) Ensure that the network topology prevents traffic from bypassing the firewall (e.g., all traffic is routed through the firewall) Ensure that firewalls drop packets without notifying the senders (e.g., through ICMP unreachable or TCP RST/FIN) Ensure that authentication is used to restrict access to sensitive network services ©2002 SecureIT Consulting Group, Inc. 71
72. 72. Criteria for Effective Firewall Controls Key Audit Steps – Topologies and Architectures (continued) Ensure that the network topology implements a secured subnet “DMZ” for all externally accessible hosts Ensure that dual firewalls are used as appropriate, e.g., an “external” firewall to protect the DMZ from the outside and an “internal” firewall to protect the internal network from the DMZ Ensure that remote and home-based employees have personal firewalls installed as appropriate, and ensure that personal firewalls are managed/monitored by the home office (e.g., to prevent users from disabling or changing filtering rules) ©2002 SecureIT Consulting Group, Inc. 72
  73. 73. CERT Security Practices Best practices that address 85% of compromises Seven categories of evaluative criteria: 1. Security Policy 2. Secure Network Servers 3. Secure Web Servers 4. Deploy Firewalls 5. Setup Intrusion Detection and Response Processes 6. Detect Signs of Intrusion 7. Responding to Intrusions These criteria can be used as the foundation of a network security audit, or self-evaluation of controls ©2002 SecureIT Consulting Group, Inc. 73
74. 74. CERT Security Practices Deploy Firewalls (summary) Do network systems security policies address the following topics: allowed inbound services, allowed outbound services, requirements that all network traffic go through the firewall (e.g., no traffic is allowed to bypass the firewall)? Has a secure network topology been chosen (e.g., dual-firewall DMZ)? Have security policy enforcement mechanisms (e.g., firewalls) been provided at all network boundaries in order to restrict unauthorized traffic? Have firewall routing configurations been set up to properly forward or discard network packets? Have firewall filtering rules been effectively implemented to restrict access to protected networks? Have firewall filtering rules been documented and validated? Has logging been configured appropriately? Has the firewall system been set up to alert in real-time when significant events occur? Has the firewall configuration (the system itself and the filtering, and logging capabilities) been tested to ensure that it is appropriately defined? Is the firewall tested/scanned in production to verify its behavior? ©2002 SecureIT Consulting Group, Inc. 74
  75. 75. Conclusion Firewalls filter malicious or unauthorized network traffic at the perimeter of the network Simple packet filters are the fastest firewalls, but they are not secure. Application-layer proxy firewalls are the most secure, but are slow Stateful inspection firewalls dominate the market and provide suitable security controls for most organizations A network topology with a DMZ is the most secure ©2002 SecureIT Consulting Group, Inc. 75
  76. 76. Encryption
  77. 77. Agenda Cryptography Terms Types of Encryption: Symmetric and Asymmetric Security Requirements for Encryption Confidentiality Integrity using HMAC Authentication How Asymmetric Encryption Provides CIA Encryption Products SSL SSH PGP Key Audit Procedures CERT Security Practices ©2002 SecureIT Consulting Group, Inc. 77
  78. 78. Cryptography Terms Cryptography is the science of concealing the meaning of a message from unintended recipients Only the intended recipient is able to read and understand the message An encryption algorithm (or a cipher) is a method of encryption and decryption. All modern algorithms use a key to control encryption and decryption; a message can be decrypted only if the key matches the encryption key Good cryptographic systems should always be designed so that they are as difficult to break as possible ©2002 SecureIT Consulting Group, Inc. 78
79. 79. Symmetric Encryption Two main categories of cryptographic techniques: Symmetric and Asymmetric Symmetric (or secret) key encryption – uses a single secret key that is shared by the sender and the recipient to encrypt and decrypt the message. [Diagram: Message (Clear) → Encrypt with Secret Key → Message (Encrypted) → Transmit → Message (Encrypted) → Decrypt with Secret Key → Message (Clear); the two keys are equal] The key advantage of Symmetric encryption methods is performance – encryption/decryption are relatively fast. The difficulty is that the sender and recipient must have knowledge of the key. How do both parties learn about the key to use? Cannot transmit the keys or they will be compromised. ©2002 SecureIT Consulting Group, Inc. 79
80. 80. Symmetric Encryption Examples of symmetric (or secret) key encryption DES – Data Encryption Standard uses a 56-bit key (64-bit block with 8 parity bits) 3DES – Triple DES encrypts a message three times using DES. 3DES can use either 2 or 3 encryption keys (for up to 168-bit key length) EDE2 = Encrypt with K1, decrypt with K2, encrypt with K1 EE2 = Encrypt with K1, encrypt with K2, encrypt with K1 EE3 = Encrypt with K1, encrypt with K2, encrypt with K3; this is the strongest form of DES AES – Advanced Encryption Standard uses the Rijndael Block Cipher with keys of 128, 192, or 256 bits. AES has faster performance than 3DES and is stronger. IDEA – International Data Encryption Algorithm uses a 128-bit key ©2002 SecureIT Consulting Group, Inc. 80
81. 81. Asymmetric Encryption Asymmetric (or public key) encryption – uses two keys (one key is public and the other is private) that are mathematically related to encrypt and decrypt the message. [Diagram: Message (Clear) → Encrypt with Encryption Key → Message (Encrypted) → Transmit → Message (Encrypted) → Decrypt with Decryption Key → Message (Clear); the keys are different but related] The advantage of asymmetric key encryption techniques is that they simplify the key distribution problem – by allowing the encryption key used by “other” parties to be publicly accessible. However, asymmetric encryption methods are very slow (e.g., up to 1000 times slower and more processor intensive than secret key encryption) and inherently easier to crack. ©2002 SecureIT Consulting Group, Inc. 81
82. 82. Asymmetric Encryption The two keys involved in asymmetric encryption are called the private key and the public key The private key needs to be kept private – only the entity that owns the key (e.g., a host, a person, etc.) needs to know the private key. No one else should have access to it. The public key is made available to anyone and everyone who requests it – there is no need to restrict access to the public key. Characteristics of the keys The public key is different from (but mathematically related to) the private key The private key cannot be derived from the public key A message encrypted by the private key can be decrypted only with the public key (and vice versa) A message encrypted by the public key cannot be decrypted with the public key, but only with the private key ©2002 SecureIT Consulting Group, Inc. 82
83. 83. Asymmetric Encryption Examples of asymmetric (or public key) encryption RSA – named after the inventors (Rivest, Shamir, and Adleman); based on the difficulty of factoring the product of two large prime numbers. RSA can have 768, 1024, 2048, or 3072 bit key lengths. To be effective, an RSA key should be at least 1024 bits (and most likely longer). Diffie-Hellman – is a method for securely exchanging secret keys over a non-secure medium without exposing the key. D-H uses 768 or 1024-bit keys. ©2002 SecureIT Consulting Group, Inc. 83
  84. 84. Symmetric vs. Asymmetric Encryption The effectiveness of encryption depends on two things: the strength of the encryption algorithm and the length of the encryption key Asymmetric algorithms are easier to crack than symmetric algorithms and therefore require significantly larger (8-16 times larger) key sizes to protect the reliability of encryption A 64 bit key symmetric algorithm is about as strong as a 512 bit key asymmetric algorithm A 112 bit key symmetric algorithm is about as strong as a 1792 bit key asymmetric algorithm A 128 bit key symmetric algorithm is about as strong as a 2304 bit key asymmetric algorithm (*** This is the minimum best practice to use for key length ***) ©2002 SecureIT Consulting Group, Inc. 84
85. 85. Symmetric vs. Asymmetric Encryption Key management is critical for reliable encryption Symmetric key encryption is a challenge because both parties have to use the same key. Before any communication can occur between parties, they need to derive a mutual secret key. This adds extra overhead for each additional user/host that wants to communicate. But the biggest problem is how do they communicate the key securely? May have to rely on “out of band” communication (e.g., phone, fax, mail, etc. to share the key between parties). Asymmetric key encryption does not have this challenge. Public keys can be accessed publicly and in many cases are already universally available. No “secrets” need to be exchanged. Public key encryption has a related challenge. How do you ensure that the party that has the key is really who you think they are? More on this later in the presentation. ©2002 SecureIT Consulting Group, Inc. 85
  86. 86. Symmetric vs. Asymmetric Encryption Many standard encryption methodologies represent a hybrid of symmetric and asymmetric algorithms to take advantage of the strengths of each type At the front-end of a connection, use an asymmetric (public key) algorithm to handle the negotiation or exchange of a shared secret key. This shared secret key may be called a session key since it is valid for only one session and is re-negotiated whenever a new connection is initiated Usually, the session key has a session timeout to expire the key and address the risk of capture and replay Then, use a symmetric (shared secret key) algorithm to encrypt and decrypt the “payload” of messages themselves This takes advantage of the higher performance of symmetric key methods and allows the use of shorter encryption keys while still ensuring appropriate encryption strength ©2002 SecureIT Consulting Group, Inc. 86
87. 87. Security Requirements for Cryptography Cryptographic techniques can be used to provide Message confidentiality – preventing unauthorized recipients from understanding the meaning of a message. Cryptography is especially useful if sensitive/confidential messages must be sent over public or insecure networks where intruders may be eavesdropping. Message origination authentication – detecting if a message is valid or whether it has been sent by an impersonator. Cryptography can be used to indicate if a message is authentic and if it was truly sent by the claimed sender. Message integrity – detecting any modification of a message that has occurred. Cryptography can be used with “hashing” algorithms to identify changes to network traffic made in flight or changes to significant files/messages that are stored on disk. ©2002 SecureIT Consulting Group, Inc. 87
88. 88. Confidentiality Encryption techniques can be used to achieve confidentiality by obscuring the meaning of messages before they are sent over public or unsecured networks If cryptographic techniques are applied to all sensitive communications across the network, intruders may be able to intercept those messages but will not be able to “read” them [Diagram: the message “The secret formula is ….” crosses the Internet as “M&28^M7hNt! $v30mNk …”; the eavesdropping Bad Guy sees only “Huh? What does this gobbledygook mean?”] ©2002 SecureIT Consulting Group, Inc. 88
  89. 89. Origination Authentication The recipient of a message can validate the origin authenticity of the message by verifying that the originator knew the appropriate encryption key If the message (or a hash of the message) decrypts properly, then the recipient can have some assurance that the message originated from the claimed sender However, origin authentication only provides assurance that someone with knowledge of the appropriate encryption key sent the message This is not necessarily the claimed originator of the message (e.g., if the encryption keys have been compromised) If the encryption keys were kept confidential, then there is more assurance that a message did in fact originate from the claimed sender and is a genuine/valid message ©2002 SecureIT Consulting Group, Inc. 89
90. 90. Message Integrity Message integrity is provided via Hashed Message Authentication Code (HMAC) An HMAC is a cryptographic hash algorithm that uses a key to generate a checksum for a message A hash function condenses a variable length message into a fixed length message digest or checksum The message digest (checksum) that is calculated should be unique to the original message, like a “fingerprint” of the message No other message should be able to produce the same checksum Any change (even a single character) in the original message should produce an entirely different checksum Cryptographic hashing algorithms (e.g., those using keys) provide stronger protection, and therefore should be used ©2002 SecureIT Consulting Group, Inc. 90
91. 91. Message Integrity Message integrity is validated by the recipient The sender generates a message digest The sender transmits the message as well as the message digest to the recipient The recipient generates a new message digest (using the same algorithm and keys as the sender) The recipient compares the new message digest to the message digest transmitted by the sender. If they match, then the message has not been modified. If they differ, then the message was modified in flight. [Diagram: Sender hashes the Message with the Key, appends the Message Digest and sends Message and Digest; Receiver splits them, hashes the Message with the same Key and checks whether the two Digests match] ©2002 SecureIT Consulting Group, Inc. 91
  92. 92. Message Integrity Algorithms The following HMAC algorithms are commonly used: MD5 – The Message Digest 5 algorithm uses a 128-bit encryption key and generates a message digest that is 128 bits long. The underlying algorithm (MD5) has some weaknesses. SHA-1 – The Secure Hash Algorithm uses a 160-bit encryption key and generates a message digest that is 160 bits long SHA-1 is cryptographically stronger than MD5, but is more CPU-intensive and may cause performance problems if used extensively ©2002 SecureIT Consulting Group, Inc. 92
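The sender/receiver procedure on slides 90 to 92, as an added example that is not code from the original slides, using Python's standard hmac and hashlib modules. The shared key and the message are constructed; HMAC-SHA-1 is the default here because the slide discusses it, and any hashlib algorithm name can be passed instead.

```python
"""Message integrity with HMAC (added example, not from the slides).

Sender: compute a keyed digest of the message and append it.
Receiver: split message and digest, recompute with the same key and
algorithm, compare in constant time.  Key and message are constructed.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumed key shared out of band


def digest_length_bits(algorithm):
    """Output size of the underlying hash (MD5 -> 128 bits, SHA-1 -> 160 bits)."""
    return hashlib.new(algorithm).digest_size * 8


def sender_package(message, key=SHARED_KEY, algorithm="sha1"):
    """Return message || digest, the unit the sender transmits."""
    tag = hmac.new(key, message, algorithm).digest()
    return message + tag


def receiver_verify(package, key=SHARED_KEY, algorithm="sha1"):
    """Split the package, recompute the digest and compare.

    Returns (message, True) if the digests match, (message, False) if the
    message was modified or produced with a different key.
    """
    tag_len = hashlib.new(algorithm).digest_size
    message, received_tag = package[:-tag_len], package[-tag_len:]
    expected = hmac.new(key, message, algorithm).digest()
    # compare_digest avoids leaking which byte differed through timing.
    return message, hmac.compare_digest(expected, received_tag)


def demo():
    """Intact, modified-in-flight and wrong-key cases; returns the three verdicts."""
    original = b"transfer 100 to account 42"      # constructed message
    package = sender_package(original)
    intact = receiver_verify(package)
    # A change to the message while in flight:
    tampered = package.replace(b"100", b"900")
    modified = receiver_verify(tampered)
    # A digest computed without knowledge of the shared key:
    wrong_key = receiver_verify(sender_package(original, key=b"some-other-key"))
    return intact[1], modified[1], wrong_key[1]


if __name__ == "__main__":
    print(demo())
```

The wrong-key case is what gives HMAC its origin-authentication property as well: a digest only matches if whoever produced it held the shared key.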
93. 93. Confidentiality, Integrity, and Authentication Both symmetric and asymmetric cryptography could be used to address security requirements Confidentiality, Origin Authentication, and Integrity can be provided equally by symmetric and asymmetric encryption How symmetric encryption accomplishes this is easy to understand, but asymmetric encryption is not as intuitive Asymmetric encryption uses 2 of 4 possible keys (sender’s public key, sender’s private key, recipient’s public key, recipient’s private key) to achieve confidentiality and authentication These are described on the following slides ©2002 SecureIT Consulting Group, Inc. 93
94. 94. Asymmetric Encryption: Authenticity Public Key Encryption can be used to ensure that messages are authentic and valid Origin authentication is achieved and the identity of the originator of a message can be definitively proven Public key encryption can be used to prove that a message was in fact originated by the expected party and not an impersonator. In other words, that the message is valid. Sender encrypts the message with his private key and sends the encrypted message/hash to receiver Receiver decrypts the message with the Sender’s public key. If the message decrypts properly, then Receiver can be assured that Sender was the source of the message (i.e., that whoever sent the message had access to Sender’s private key) ©2002 SecureIT Consulting Group, Inc. 94
  95. 95. Asymmetric Encryption: Confidentiality Public Key Encryption can be used to obtain confidentiality Confidentiality is achieved when only the intended recipient of a message is able to read it Public key encryption can be used to ensure that messages are readable only by the intended recipient Sender encrypts the message using Receiver’s public key, and then sends the message over the network Receiver is able to read the message by decrypting it with his private key No one else can read the message because they do not have access to Receiver’s private key ©2002 SecureIT Consulting Group, Inc. 95
96. 96. Asymmetric Encryption Keys Origin authentication: Sender encrypts the message with Sender’s private key; Receiver decrypts it with Sender’s public key. Confidentiality: Sender encrypts the message with Receiver’s public key; Receiver decrypts it with Receiver’s private key. Origin authentication and confidentiality: Sender encrypts the message with Sender’s private key and then with Receiver’s public key; Receiver decrypts it with Receiver’s private key and then with Sender’s public key. ©2002 SecureIT Consulting Group, Inc. 96
97. 97. Asymmetric Keys: When to Use Which One Sender’s Public Key – Sender: will never use his own public key. Receiver: use to decrypt messages that have origin authentication. Sender’s Private Key – Sender: use to encrypt messages that need origin authentication. Receiver: can never use the other party’s private key; this is not known. Receiver’s Public Key – Sender: use to encrypt messages that require confidentiality. Receiver: will never use his own public key. Receiver’s Private Key – Sender: can never use the other party’s private key; this is not known. Receiver: use to decrypt messages that require confidentiality. ©2002 SecureIT Consulting Group, Inc. 97
98. 98. Asymmetric Encryption: Integrity Public Key Encryption can ensure message integrity Message integrity is achieved when any modifications to a message would be detected An HMAC hashing algorithm is used to produce a “checksum” or integrity check value Sender runs the message through a hashing algorithm using his own private key. Sender sends the message and the checksum value to Receiver Receiver re-hashes the message with the sender’s public key and compares the derived checksum to the checksum provided by Sender If the checksums are identical, then the message was not modified. If the checksums are different, then Receiver has detected that the message has been modified. ©2002 SecureIT Consulting Group, Inc. 98
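Slides 93 to 98 describe which of the four keys is used for which purpose; the following Python block is an added illustration, not code from the original slides. It uses textbook RSA on small constructed primes with no padding, so it demonstrates only the key-usage table (real systems use padded RSA with the key sizes the slides discuss), and for the integrity check it hashes the message before applying the sender's private key, which is how a digital signature is formed. All primes, exponents and messages are constructed.

```python
"""Textbook RSA on small integers, to show which key does what.

Added example, not from the slides.  No padding and tiny primes: this is
an illustration of the key-usage table, not something to deploy.
Messages are integers smaller than the modulus.
"""
import hashlib


def make_keypair(p, q, e):
    """Return (public, private) as ((e, n), (d, n)); p and q are constructed primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(value, key):
    """RSA is the same operation whichever key is used: value^exponent mod n."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


# Constructed key pairs.  Sender's modulus is smaller than Receiver's so that
# a value produced under Sender's key always fits under Receiver's key.
SENDER_PUB, SENDER_PRIV = make_keypair(61, 53, 17)        # n = 3233
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(101, 103, 7)   # n = 10403


# Origin authentication (slide 94): Sender's private key in, Sender's public key out.
def sign(value):
    return apply_key(value, SENDER_PRIV)


def verify(signature):
    return apply_key(signature, SENDER_PUB)


# Confidentiality (slide 95): Receiver's public key in, Receiver's private key out.
def encrypt_for_receiver(value):
    return apply_key(value, RECEIVER_PUB)


def decrypt_as_receiver(ciphertext):
    return apply_key(ciphertext, RECEIVER_PRIV)


# Both at once (slide 96): sign, then encrypt; the receiver reverses the order.
def protect(value):
    return encrypt_for_receiver(sign(value))


def unprotect(ciphertext):
    return verify(decrypt_as_receiver(ciphertext))


# Integrity (slide 98): hash the message, apply Sender's private key to the hash;
# Receiver applies Sender's public key and compares with a fresh hash.
def short_hash(message, n):
    """SHA-256 of the message reduced modulo n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def integrity_tag(message):
    return sign(short_hash(message, SENDER_PUB[1]))


def integrity_check(message, tag):
    return verify(tag) == short_hash(message, SENDER_PUB[1])


if __name__ == "__main__":
    m = 65                                   # constructed message, must be < 3233
    print("origin authentication:", verify(sign(m)) == m)
    print("confidentiality:", decrypt_as_receiver(encrypt_for_receiver(m)) == m)
    print("both:", unprotect(protect(m)) == m)
    print("integrity:", integrity_check(b"hello", integrity_tag(b"hello")))
```

Because the public exponent is coprime to (p-1)(q-1), exponentiation is a permutation of the residues, so any signature other than the genuine one fails to verify; that is the property the receiver relies on. In the combined case the order matters: the sender signs first so that the signature is itself hidden by the confidentiality layer.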
99. 99. Encryption Products Common Encryption Products/Technologies in use today SSL “Secure Sockets Layer” (or TLS “Transport Layer Security”) for web SSH (or “Secure Shell”) for remote logon and file transfer PGP “Pretty Good Privacy” for email and local file system encryption SET “Secure Electronic Transactions” for securing credit and debit card transactions between customers and merchants S/MIME “Secure Multipurpose Internet Mail Extension” provides authentication and confidentiality of MIME formatted email content ©2002 SecureIT Consulting Group, Inc. 99
100. 100. SSL – Encryption SSL supports many different encryption algorithms For confidentiality, SSL can use DES, 3DES, RC2 or RC4 For hashing, SSL can use MD5 or SHA For authentication (and asymmetric encryption for key exchange), SSL can use RSA certificates or anonymous Diffie-Hellman algorithms SSL Session keys can be from 40-bits to 168-bits long SSL uses asymmetric encryption to communicate a secret session key. The web client uses the web server’s public key (obtained from the server’s digital certificate) to transmit the session key to the server. SSL uses symmetric encryption to conceal/protect the rest of the communication session. All additional network traffic passed between the web server and web client is encrypted using the session key. ©2002 SecureIT Consulting Group, Inc. 100
  101. 101. Establishing an SSL Session 1. Client (browser) sends a “hello” message to the server. This message identifies SSL version, cipher suites, and compression methods that are supported. 2. Server responds with a message that lists the cipher suite and data compression method that will be used. 3. Server sends its digital certificate (with its public key) to the client. 4. The client generates the shared secret session key (using a random number generator), encrypts the session key with the server’s public key, and sends it to the server. 5. The client and server send a message to notify that they are prepared to start communicating with the selected encryption methods and session key. 6. Both client and server send “finish” messages. 7. All future messages between client and server are encrypted using the session key. ©2002 SecureIT Consulting Group, Inc. 101
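The hybrid scheme of slide 86 and the session establishment steps on slides 100 and 101, as an added Python model that is not code from the original slides and not a real SSL/TLS implementation. It follows the shape of the exchange (client hello with supported suites, server's choice, server's public key standing in for the certificate, session key encrypted under that key, then symmetric protection of every record). The server key pair is constructed from two Mersenne primes with textbook unpadded RSA, and the "symmetric cipher" is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag; a deployment would use a vetted TLS library instead.

```python
"""Hybrid session setup modeled on the slide's SSL handshake (added example).

Asymmetric step: the client's random session key travels under the
server's public key.  Symmetric step: every record is encrypted and
tagged with keys derived from the session key.  All keys, suites and
messages are constructed; the cipher is a toy, not a standard one.
"""
import hmac
import secrets

# ---- constructed server key pair (textbook RSA, no padding) ----
P, Q, E = 2**31 - 1, 2**61 - 1, 65537          # Mersenne primes; n is about 92 bits
SERVER_N = P * Q
SERVER_D = pow(E, -1, (P - 1) * (Q - 1))
SERVER_PUBLIC = (E, SERVER_N)                   # stands in for the server certificate

SERVER_SUITES = ["3DES-SHA", "RC4-MD5"]         # assumed server preference order
TAG_LEN = 32                                    # HMAC-SHA256 output


# ---- constructed symmetric layer: HMAC keystream plus HMAC tag ----
def _keystream(key, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(session_key, seq, plaintext):
    """Encrypt then tag one record; the sequence number ties the tag to its position."""
    enc_key = hmac.new(session_key, b"enc" + seq.to_bytes(8, "big"), "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(session_key, seq.to_bytes(8, "big") + ct, "sha256").digest()
    return ct + tag


def open_record(session_key, seq, record):
    """Return the plaintext, or None if the record was modified or replayed."""
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(session_key, seq.to_bytes(8, "big") + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    enc_key = hmac.new(session_key, b"enc" + seq.to_bytes(8, "big"), "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


# ---- handshake, numbered as on slide 101 ----
def client_hello():                                              # step 1
    return {"version": "SSLv3", "suites": ["RC4-MD5", "3DES-SHA", "DES-MD5"],
            "compression": ["none"]}


def server_hello(hello):                                         # steps 2 and 3
    suite = next(s for s in SERVER_SUITES if s in hello["suites"])
    return {"suite": suite, "compression": "none", "certificate": SERVER_PUBLIC}


def client_key_exchange(server_msg, session_key):                # step 4
    e, n = server_msg["certificate"]
    k = int.from_bytes(session_key, "big")
    if k >= n:
        raise ValueError("session key does not fit under the toy modulus")
    return pow(k, e, n)


def server_recover_key(encrypted_key, key_len=8):
    return pow(encrypted_key, SERVER_D, SERVER_N).to_bytes(key_len, "big")


def run_session(payload, session_key=None):
    """Full exchange; returns (suite, keys_agree, recovered_payload, replay_result)."""
    session_key = session_key or secrets.token_bytes(8)          # client's random key
    srv = server_hello(client_hello())
    server_key = server_recover_key(client_key_exchange(srv, session_key))
    record = seal(session_key, 1, payload)                       # step 7, client to server
    recovered = open_record(server_key, 1, record)
    replayed = open_record(server_key, 2, record)                # old record at a new position
    return srv["suite"], server_key == session_key, recovered, replayed


if __name__ == "__main__":
    print(run_session(b"GET / HTTP/1.0"))
```

Two details carry over to real protocols: only the small session key is ever processed with the slow asymmetric operation, which is the performance argument of slide 86, and the per-record sequence number inside the tag is what lets the receiver reject a captured record presented again later.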
102. SSH
- Secure Shell provides strong authentication and encryption for remote access and file transfer across a network
- An SSH connection occurs as follows:
  - The client and server negotiate ciphers, key exchange methods, and integrity checksums
  - The client verifies the server’s identity by encrypting a message with the server’s public key. Then the server proves to the client that it has successfully decrypted the message.
  - A key exchange algorithm is used
  - The server verifies the client’s identity (using RSA public key pairs, passwords, etc.), as well as enforcing host address restrictions
  - All data packets are encrypted and include message integrity checks
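The hybrid pattern that slides 100 to 102 describe (an asymmetric step that establishes a session key, then a symmetric cipher plus an integrity check on every packet) carried through end to end. This is an added example, not code from the slides; it uses only Python's standard library. The key-exchange step is Diffie-Hellman over the 2048-bit MODP group from RFC 3526 (one of the "D-H" methods slide 105 refers to), the session key is SHA-256 of the shared secret, and the bulk data is protected with a keystream plus an HMAC tag. The keystream is built from HMAC-SHA256 in counter mode purely so the example runs without third-party packages; a real deployment uses a standard cipher such as AES or 3DES, as the slides recommend. The message text is a constructed sample.

```python
"""Diffie-Hellman session setup followed by encrypt-then-MAC bulk protection.
Added illustration; the counter-mode keystream is not a standard cipher."""
import hashlib
import hmac
import secrets

# RFC 3526, group 14 (2048-bit MODP), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Private exponent from the OS CSPRNG (slide 105: use a strong RNG)
    and the public value g^x mod p, which may travel in the clear."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def session_key(my_private, peer_public):
    """Both sides compute the same shared secret and hash it into a
    256-bit symmetric session key that protects the rest of the session."""
    if not 1 < peer_public < P - 1:          # reject degenerate public values
        raise ValueError("invalid peer public value")
    shared = pow(peer_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; illustration only, not a standard cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key, message):
    """Encrypt, then MAC the ciphertext: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(message, _keystream(key, nonce, len(message))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the integrity tag first; only then decrypt. None means tampered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo():
    """One client/server exchange on a constructed message.
    Returns (keys_match, recovered_plaintext, result_for_tampered_packet)."""
    c_priv, c_pub = dh_keypair()          # client "hello" carries c_pub
    s_priv, s_pub = dh_keypair()          # server reply carries s_pub
    k_client = session_key(c_priv, s_pub)
    k_server = session_key(s_priv, c_pub)
    blob = seal(k_client, b"GET /account HTTP/1.1")   # constructed sample
    tampered = bytearray(blob)
    tampered[20] ^= 0x01                  # flip one ciphertext bit "in transit"
    return k_client == k_server, unseal(k_server, blob), unseal(k_server, bytes(tampered))


if __name__ == "__main__":
    print(demo())
```

The integrity check runs before decryption, so a modified packet is dropped rather than decrypted into garbage; that ordering is what the "message integrity checks" on the SSH slide buy you.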
103. PGP
- PGP stands for “Pretty Good Privacy”
- PGP can be used for encrypting messages and files
- PGP is widely used for storing encrypted information locally, as well as for email across a network
- PGP uses IDEA (128-bit secret key encryption) to encrypt files
- To exchange this secret key securely, PGP uses RSA asymmetric encryption. The sender encrypts the shared secret key with the recipient’s public key.
- The secret key is not stored in clear-text on the sender’s computer. Instead the secret key is encrypted using a user-entered pass-phrase. Using the key requires the encrypted secret key as well as the pass-phrase
104. Encryption
Key Audit Steps:
- Ensure that encryption is used for all sensitive or confidential messages/data that are transmitted across public or untrusted networks. This includes administrative access to hardened hosts, confidential file transfers, sensitive business transactions, etc.
- Ensure that cryptographic hashes/checksums are used to validate integrity and identify any unauthorized changes.
- Ensure that encryption uses standard, proven, commercial-grade ciphers and algorithms. (Proprietary algorithms are not usually secure.)
- Ensure that encryption key lengths are appropriate to prevent cracking (e.g., minimum of 1028 bit for asymmetric and 128 bit for symmetric encryption, and possibly more for especially sensitive information)
105. Encryption
Key Audit Steps (Continued):
- If symmetric (secret key) encryption is used, ensure that appropriate key exchange and management procedures are used:
  - Ensure that keys are exchanged out of band (e.g., not over the network)
  - If keys must be exchanged over the network, ensure that keys are not transmitted in the clear. Instead, ensure that asymmetric encryption is used to generate (e.g., D-H) and/or exchange secret keys securely.
  - Ensure that keys are generated with commercial-class random number generators
  - Ensure that secret keys have reasonable expiration time-limits (e.g., to limit the exposure time that a hacker would have to crack the key)
106. Encryption
Key Audit Steps (Continued):
- If asymmetric encryption is used, ensure that appropriate controls are in place to protect the private key
  - Ensure that the private key is NEVER transferred over the network
  - Ensure that the private key remains continually and exclusively in the possession and control of the owner and no one else
- Ensure that encryption security products (like SSL, SSH, etc.) are configured to use only strong ciphers and key lengths
  - If “weaker” ciphers must be used to enable greater accessibility by a broader, larger population of users, then ensure that the risks (vs. benefits) have been considered, documented, and approved
- Ensure that web clients are configured to check server-side certificates in an SSL connection for invalid subject name, expiration, etc.
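What the last two audit steps look like on the client side, as an added example (not from the slides) using only Python's standard `ssl` module: a client context that refuses weak protocol versions and insists on a CA-validated certificate whose subject matches the requested host, plus a stand-alone checker for the expiration and subject-name conditions the slide names. The certificate dictionary is a constructed sample in the shape `SSLSocket.getpeercert()` returns; its hostnames and dates are made up.

```python
"""Client-side TLS checks an auditor expects: strong versions only,
certificate required and validated, subject name and validity period checked.
Added example; SAMPLE_CERT is constructed, not a real certificate."""
import ssl

# Constructed sample in the shape returned by getpeercert() (no real site).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
# Two points in time for the checks below (epoch seconds, UTC).
VALID_TIME = ssl.cert_time_to_seconds("Jun 30 12:00:00 2025 GMT")
EXPIRED_TIME = ssl.cert_time_to_seconds("Jan 15 12:00:00 2026 GMT")


def make_client_context():
    """Client context enforcing the audit expectations: the peer must present
    a certificate that chains to a trusted CA, its name must match the host we
    asked for, and SSLv3 / TLS 1.0 / TLS 1.1 are refused outright."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.verify_mode = ssl.CERT_REQUIRED           # no certificate => handshake fails
    ctx.check_hostname = True                     # subject/SAN must match the host
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # weak versions never negotiated
    return ctx


def context_summary(ctx):
    """Plain-value view of the settings an auditor would record."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def _name_matches(pattern, hostname):
    """Exact match, or a '*' wildcard standing for exactly one leading label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def check_peer_cert(cert, hostname, now):
    """Problems with a getpeercert()-style dict for `hostname` at time `now`
    (epoch seconds). An empty list means the certificate is acceptable."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the CN only when the certificate has no SAN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("subject name does not match " + hostname)
    return problems


if __name__ == "__main__":
    print(context_summary(make_client_context()))
    print(check_peer_cert(SAMPLE_CERT, "www.example.test", VALID_TIME))
    print(check_peer_cert(SAMPLE_CERT, "www.example.test", EXPIRED_TIME))
```

With `make_client_context()` the library performs these checks itself during the handshake; `check_peer_cert` is there to make the two conditions from the slide explicit, and it is also what you would run over a certificate exported from a server when auditing without a live connection.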
107. CERT Security Practices
- Best practices that address 85% of compromises
- Seven categories of evaluative criteria:
  1. Security Policy
  2. Secure Network Servers
  3. Secure Web Servers
  4. Deploy Firewalls
  5. Setup Intrusion Detection and Response Processes
  6. Detect Signs of Intrusion
  7. Responding to Intrusions
- These criteria can be used as the foundation of a network security audit or self-evaluation of controls
108. CERT Security Practices
- Is SSL used to protect against network sniffers and unauthorized alteration of web content during transmission?
- If passwords are used to authenticate users, is SSL encryption used to protect against sniffers?
- If stronger authentication is required, are SSL client certificates and smart cards used?
- Is SSL server authentication (with an SSL server certificate from a trusted CA) used to protect users against bogus web sites?
- Is confidential information retained on the web server encrypted (with public key technology)?
- Are administration commands and data encrypted when they traverse the network?
- Is encryption technology (e.g., SSH and SSL) used to ensure that passwords passed across networks are not in clear-text?
- Are cryptographic checksums captured for all critical files/directories and used to identify unauthorized changes?
109. Conclusion
- Good cryptographic systems should always be designed so they are as difficult to break as possible.
- Symmetric encryption provides relatively fast encryption and decryption with shorter “secret” keys.
- Asymmetric encryption (using public and private keys) simplifies key distribution, but is slow and requires longer keys to provide security
- Many standard encryption methodologies represent a hybrid of symmetric and asymmetric to use the strengths of both types.
- Cryptographic techniques provide message confidentiality, message origination authentication and message integrity.
110. Introduction to Routers
111. Agenda
- Definition of routers
- Routing and Filtering
- Hardware and software components
- Specialized Memory
- Router Boot Process
- Command Modes
- Router configurations
- Configuration File Versions
- Configuration Modes
112. Definition of a Router
- Most computing environments are made up of a group of networks that are interconnected
- Routers are involved whenever packets pass from one network to another
- A router is a device that sits between 2 or more networks and transfers network packets from one network to another
- A router determines the next network device to which a packet should be forwarded as it makes its way towards its destination.
- A router may maintain a table of the available routes and their conditions. It uses this information, along with distance and cost algorithms, to determine the best route for a given packet
113. Routing and Filtering
Routers perform two basic functions:
- Routing: Occurs when a router makes decisions about where to send network packets, and then sends those packets accordingly
  - A router maintains a table of the available routes or paths through the network
  - This table is used to decide which way to send each network packet based on its intended destination
  - Routing occurs at the “network layer” of the TCP/IP protocol stack (the destination of network traffic is derived from the IP address within the packet’s IP header)
- Filtering: Occurs when a router allows or denies network packets to pass through the router based on criteria defined in rules
  - Filtering is important for protecting the router (and hosts that reside behind the router) from unauthorized or malicious network traffic
  - Filtering decisions can be based on fields of the packet’s IP header, as well as the TCP, UDP, and ICMP packet headers
114. Routing and Filtering
Example of routing and filtering:
- A network packet arrives at router interface ‘A’. The router connects 5 networks, so there are four other interfaces on the router.
- Which interface should the packet be sent through to reach its destination? What is the next router the packet should be sent to? These are routing decisions….
- Should the packet be allowed to pass through the router, or should it be blocked? This is a filtering decision....
[Figure: packet arriving at interface ‘A’ of the router]
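The filtering decision from this example made concrete, as an added example that is not part of the slides. The rules are written in the shape of the Cisco IOS extended access-list statements that slide 122 mentions (config-ext-X mode) and are matched on exactly the header fields slide 113 lists: protocol, source and destination IP address, and destination port. The rule set, the addresses and the packets are all constructed samples; the matching semantics (first matching rule wins, anything unmatched is denied by the implicit deny at the end of every list) are the standard IOS behaviour.

```python
"""Evaluate a packet against an IOS-style extended access-list.
Added example; SAMPLE_ACL and the addresses used with it are constructed."""
import ipaddress

# Constructed sample: the list applied inbound on interface 'A'.
SAMPLE_ACL = """
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit udp any host 192.0.2.53 eq 53
access-list 101 deny   icmp any any
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.
    Returns ((base, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wildcard), tokens[2:]


def _addr_matches(spec, ip):
    base, wildcard = spec
    if base == "any":
        return True
    # In an IOS wildcard mask a 1 bit means "don't care" (inverse of a netmask).
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (base | wildcard)


def parse_acl(text):
    """Turn access-list lines into (action, proto, src, dst, dst_port) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules


def filter_packet(rules, proto, src_ip, dst_ip, dst_port=None):
    """Filtering decision for one packet: 'permit' or 'deny'."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto != "ip" and r_proto != proto:     # 'ip' matches every protocol
            continue
        if not _addr_matches(r_src, src_ip) or not _addr_matches(r_dst, dst_ip):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action                                # first match wins
    return "deny"                                    # implicit deny at end of list


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    print(filter_packet(rules, "tcp", "198.51.100.7", "192.0.2.10", 80))
    print(filter_packet(rules, "tcp", "10.1.2.3", "192.0.2.10", 80))
```

The first rule is the kind of anti-spoofing filter slide 130 has in mind for an edge router: a packet that claims a source inside the 10.0.0.0/8 range cannot legitimately arrive on an external interface, so it is dropped before the permit rules are even consulted.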
115. Hardware Components
- A Cisco router is just a specialized computer
- Routers have a processor (CPU), memory, and connections to other devices
- The processor is the component that executes all operating system instructions and commands
- There are four types of memory (with different degrees of volatility) that are used to store different parts of the router’s system, including its operating system and configuration file
- Routers also have input and output ports for connecting two or more networks. These ports are the physical connections through which packets enter into and exit the router. Network interface cards plug into hardware slots and external cables plug into the cards. These connections can be of different types (e.g. serial, ethernet, FDDI, token ring)
- Serial terminal ports are available for plugging a console, and other devices, directly into the router
116. Hardware Components
The router’s specialized memory:
- Random Access Memory (RAM) is highly volatile memory that is erased when the router is turned off. Usually RAM is used for holding routing tables, packet queues, a “working copy” of the router’s configuration file, etc.
  - The router configuration file contains the installation specific commands for how the router is supposed to control the flow of packets (through routing and filtering)
- Nonvolatile RAM (NVRAM) retains its contents even when the power is turned off. NVRAM stores a copy of the router configuration that is used when the router boots up
- Flash memory is erasable, reprogrammable ROM (Read Only Memory) that is used to store the operating system image
- ROM contains the boot program used to start-up the router
- Specialized memory means that disk drives are not needed. No moving parts = fewer hardware problems
117. Hardware Components
- Cisco offers a variety of router platforms
- Different platforms have different operational characteristics: different types of network traffic handled, number of interfaces, performance/speed, availability, capacity, etc.
- All platforms run the Cisco IOS operating system
- Therefore, the hardware platform isn’t critical for security, but could be for performance, availability, etc.
- Hardware platforms:
  - 1600, 1700, 2500, and 2600 – for small businesses or branch office sites
  - 3600 and 4000 – for mid range
  - 7100 – VPN router
  - 7200, 7300, and 7400 – high performance and availability
  - 7500 – high end voice, data, and video
  - 7600 – optical speeds
  - 10000, 10720, 12000 – high-end Internet routers
118. Software Components
- The operating system image
  - Cisco Internetworking Operating System (IOS)
  - Contains instructions for transferring data through the device, supporting network functions and services, updating routing tables, executing user commands, etc.
- The router configuration file
  - The configuration file contains the installation specific commands for how the router is supposed to control the flow of packets (through routing and filtering)
  - The configuration file defines the routing methods, filtering rules, routing services, etc.
- The configuration file defines how the router functions should be performed, while the operating system actually performs those functions
119. Router Command Modes
- Once a user has logged into the router, the system is in ‘user mode’. This is also referred to as ‘EXEC mode’
- In user or ‘EXEC mode’, only a limited set of router commands can be executed
- Full access to all router commands (including the ability to change the router’s configuration) is provided by ‘privileged EXEC mode’
- Because a user can obtain this level of access only by entering the “enable” command and password into the router, this privileged level of access is also known as ‘enable mode’
120. Router Configuration - Versions
- At least two versions of the router configuration file are always stored on the router:
  - The current version that is running on the router (which is stored in RAM)
  - The saved version of the configuration that is loaded when the router starts-up (which is stored in NVRAM)
- As a general rule, the “running” RAM version of the configuration and the “start-up” NVRAM version of the configuration should be almost identical
- If changes made to the running version are not saved to the start-up NVRAM version, then those changes will be lost when the router reboots
- The current running version must be saved frequently to NVRAM to ensure that the correct configuration file will be retained when the router reboots
121. Router Configuration - Versions
- A good practice to address this issue is to periodically compare the two versions of the router configuration
- The current running version of the router configuration can be obtained using the “show running” command, and the saved startup version of the router configuration can be obtained using the “show startup” command
- If the router configurations are long, it may be useful to save them to a file and run an automated tool (such as UNIX diff) to determine if, and how, the two versions differ
122. Router Configuration Modes
There are several configuration modes on routers:
- Many of the router’s settings are defined in the global configuration mode: router services, logging settings, enable password settings, security server settings, and others
- In addition to global configuration mode, there are sub-modes used to configure specific settings for interfaces, lines, routes, etc. Some of these sub-modes include:
  - Interface (config-if) mode to identify all interfaces, assign IP addresses, define allowable services per interface, set access-groups to apply access control lists, etc.
  - Router (config-router) mode for configuring routing protocols
  - Access-lists (config-ext-X for extended access-lists and config-std-X for standard access-lists) mode to define access control lists used to filter traffic and enforce addressing constraints
  - Line (config-line) mode to set active terminals, passwords, and other constraints on the console port, auxiliary port, and virtual terminal lines used to manage the router
123. Extract from a Router Configuration
Current configuration
!
version 12.0
!
! Set accurate time-stamping for log and debug messages
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
! Control TCP/IP services
no service udp-small-servers
no service tcp-small-servers
!
hostname Perimeter1
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$b4X5$7A7IUNmzGm8vOmi9nBkC1/
!
! Control TCP/IP Services
no ip source-route
no ip finger
ip tcp selective-ack
ip tcp path-mtu-discovery
no ip domain-lookup
!
no ip bootp server
!
interface Serial0
 ip address
 ip access-group 101 in
 ! Control TCP/IP Services
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
124. Router Configuration File
- All of the router’s security settings and commands are contained within the configuration file
- Essentially, an audit of Cisco router security consists of reviewing the router’s configuration file
- For purposes of the audit, the running configuration (the one stored in RAM) should be reviewed since this is the version of the configuration that is currently active on the router
- The command to display the current version of the configuration is as follows: show running
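Two of the review steps from slides 121, 123 and 124 automated, as an added example that is not part of the slides: comparing the saved startup copy against the running copy (the "UNIX diff" step), and checking the running copy for the hardening settings the configuration extract on slide 123 shows. Both configuration texts below are constructed samples modelled on that extract; the hostname, the address on Serial0 and the `enable secret` hash are placeholders, not values from any real device.

```python
"""Configuration drift and hardening checks for a Cisco IOS configuration.
Added example; STARTUP_CONFIG / RUNNING_CONFIG are constructed samples."""
import difflib
import re

STARTUP_CONFIG = """\
version 12.0
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service udp-small-servers
no service tcp-small-servers
hostname Perimeter1
logging buffered 4096 debugging
enable secret 5 $1$EXAMPLE$placeholder-not-a-real-hash
no ip source-route
no ip finger
no ip domain-lookup
no ip bootp server
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
"""

# Constructed drift: on the running copy finger was re-enabled and the
# inbound access-group was removed, neither of which was saved to NVRAM.
RUNNING_CONFIG = STARTUP_CONFIG.replace("no ip finger\n", "ip finger\n").replace(
    " ip access-group 101 in\n", "")


def config_drift(running, startup):
    """Changed lines between the two copies ('-' saved, '+' running)."""
    diff = difflib.unified_diff(startup.splitlines(), running.splitlines(),
                                "startup-config", "running-config", lineterm="", n=0)
    return [l for l in diff if l[:1] in "+-" and not l.startswith(("+++", "---"))]


# Global settings the slide-123 extract shows; each must appear verbatim.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "no ip source-route",
    "no ip finger",
    "no ip bootp server",
]
# Per-interface settings from the same extract.
REQUIRED_PER_INTERFACE = [
    "no ip redirects",
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip proxy-arp",
]


def _interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = []
        elif line.startswith(" ") and current is not None:
            result[current].append(line.strip())
        else:
            current = None          # any unindented line ends the interface block
    return result


def audit_config(config):
    """Findings for the running configuration; an empty list means all checks passed."""
    lines = {l.strip() for l in config.splitlines()}
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in lines:
            findings.append("missing: " + cmd)
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("enable secret not configured (enable password is reversible)")
    if re.search(r"^service timestamps log ", config, re.M) is None:
        findings.append("missing: service timestamps log ...")
    for name, cmds in _interfaces(config).items():
        for cmd in REQUIRED_PER_INTERFACE:
            if cmd not in cmds:
                findings.append("%s missing: %s" % (name, cmd))
        if not any(c.startswith("ip access-group") for c in cmds):
            findings.append("%s has no access-group applied" % name)
    return findings


if __name__ == "__main__":
    print(config_drift(RUNNING_CONFIG, STARTUP_CONFIG))
    print(audit_config(RUNNING_CONFIG))
```

Run against the running copy, as slide 124 directs, because that is what the router is enforcing right now; the drift report then tells you whether a reboot would silently change the enforced policy.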
125. Conclusion
- Routers are devices that deliver packets between networks
- Routers perform routing and filtering on network packets
- Routers have specialized memory with different levels of volatility
- The operating system image and configuration file are the two main software components of the router
- The router boot process is controlled by the Configuration Register
- The “running” version of the configuration file should be periodically saved to the NVRAM “startup” version of the configuration file
- An audit of a router primarily consists of reviewing the current configuration file
126. Routers & Network Security
127. Agenda
- Role of routers in overall network security
- Necessary context for evaluating router security
  - External connections
  - Network security policy
  - Network topology
  - Duplication of control and compensating controls
- Router specific security risks and attack methods
128. Role of Routers in Network Security
- The goal of network security is to ensure that network traffic is allowed to pass between networks only if that traffic is authorized, valid, and of acceptable risk
- Routers play an important part in providing overall network security
- A highly-secured router can significantly enhance the overall level of network security
- Routers have four main network security functions:
  1. Routers transfer all network traffic through a firewall, or along a “safe” path into the network
  2. Routers filter and block invalid and unauthorized network traffic
  3. Routers protect themselves from attacks by outside parties
  4. Routers provide logging which enables timely detection of intrusion attempts
129. Role of Routers in Network Security
1. Routers transfer all network traffic through a firewall, or along a “safe” path into the network
- Transferring packets between networks based on predefined routes serves a key security purpose
- Routers can force all traffic that passes into the network to follow a particular path that includes appropriate security safeguards
- Example: A router sends all inbound network traffic to a firewall which performs extensive filtering of malicious or unauthorized services. By forcing inbound traffic to follow this predefined path, the router ensures that all traffic passes through the firewall, and thus cannot bypass this control
- Example: A router directs sensitive, confidential information along a trusted network path, preventing this data from being intercepted over potentially hostile networks
130. Role of Routers in Network Security
2. Routers filter and block invalid and unauthorized network traffic
- Routers can be configured to deny malicious and/or unauthorized network traffic
- Because routers are at the very edge of the network, they provide a good mechanism for implementing key network traffic filters to keep particularly malicious network traffic from ever passing into an organization’s internal networks
- Routers can provide simple, firewall-like filtering of traffic based on protocol, source and destination IP address, and source and destination TCP/UDP port
- In some organizations, a router may be the only firewall that exists between networks
131. Role of Routers in Network Security
3. Routers protect themselves from attacks by outside parties
- Routers need to be hardened in order to become impervious to attack
- For routers on the perimeter of the network (i.e., outside of the firewall), the router’s internal security is the only protection against malicious network traffic that may be sent from the external network
- Routers must protect themselves against attacks in order to reliably perform their other network security functions
- If a router is compromised, an attacker could modify or disable the router’s configuration related to other network security functions
- For instance, an attacker could make unauthorized changes to routes and filtering rules to compromise network security. Furthermore, potential intruders could use the router as a launching point for attacking hosts on the internal networks