Potential Internet Security Gaps - PowerPoint PPT Presentation

Provided by: ellise
1
Potential Internet Security Gaps
  • Lack of safeguards (no firewalls).
  • Poorly configured and administered systems.
  • Basic security problems with communication
    protocols (TCP, IP, UDP).
  • Faulty service programs.
  • Basic security problems with service programs
    (WWW, FTP, Telnet, etc.).

2
Cyber Crime Bleeds U.S. Corporations: 2002 CSI
Report Highlights
  • Forty percent detected system penetration from
    the outside.
  • Forty percent detected denial of service attacks.
  • Seventy-eight percent detected employee abuse of
    Internet access privileges (for example,
    downloading pornography or pirated software, or
    inappropriate use of e-mail systems).
  • Eighty-five percent detected computer viruses.
  • Thirty-eight percent suffered unauthorized access
    or misuse on their Web sites within the last
    twelve months. Twenty-one percent said that they
    didn't know if there had been unauthorized access
    or misuse.
  • Twenty-five percent of those acknowledging
    attacks reported from two to five incidents.
    Thirty-nine percent reported ten or more
    incidents.
  • Seventy percent of those attacked reported
    vandalism (only 64 percent in 2000).
  • Fifty-five percent reported denial of service
    (only 60 percent in 2000).
  • Twelve percent reported theft of transaction
    information.
  • Six percent reported financial fraud (only 3
    percent in 2000).

Computer Security Institute Survey 2002
3
Classifying Potential Security Threats (From
Most to Least Prevalent)
  • Ignorance and Accidents
  • Company Employees and Partners
  • Casual Doorknob Twisters
  • Concerted Individual Efforts
  • Coordinated Group Efforts

4
Threats Adversarial Tactics and Techniques
  • Programmed attacks including denial-of-service
    attacks.
  • E-mail bombing, spamming, and spoofing
  • Viruses

5
Internet Security Categories
  • Three primary categories of security safeguards:
    • Network-Layer Security: focuses on protecting
      assets in transit via communications links.
    • Application-Layer Security: focuses on safeguards
      related to controlling and authorizing the use of
      application software.
    • System Security: focuses on protection of the end
      system and on authorized access to and use of the
      technical environment, which includes the network
      and application components.

6
Network-Layer Security
  • Network-layer vulnerabilities:
    • Interruption
    • Interception
    • Modification
    • Fabrication
  • Application-layer and system safeguards assume
    network unreliability.
  • Network-layer safeguards include:
    • Authentication and integrity
    • Confidentiality
    • Access control

7
Network-Layer Security (continued)
  • Two solution options examined:
    • Firewalls
    • IPsec (used with VPNs)

8
Network-Layer Security (continued)
  • Firewalls are used to protect internal networked
    assets from public network dangers.
  • Main functions include the following:
    • Access control.
    • Authentication.
    • Integrity checking.
    • Logging.
  • Firewall elements can include the following:
    • Screening router: a packet-level blocker or
      filter protecting against unwanted traffic.
    • Proxy servers: application-specific programs
      that act as gatekeepers for requests for Internet
      services.
    • Demilitarized zone: limits or buffers access to
      the private network.

9
Firewall Architectures
  • Primary consideration: meet security policy
    requirements.
  • May include port filtering, application
    filtering, and user-based restrictions.
  • Firewalls provide a system for logging.
  • Minimize the number of access points to the
    private network.

10
Primary Firewall Technology Options
11
Primary Firewall Technology Options (continued)
12
Primary Firewall Technology Options (continued)
13
Firewall Architectures
  • Fundamental firewall architecture consists of an
    access router, a perimeter network, a dual-homed
    proxy server and an interior router.
  • The access router would be the first opportunity
    to prevent intruders from accessing the
    restricted systems.
  • Packet filters should be used to restrict the use
    of unnecessary protocols on the perimeter network.
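The screened-subnet layout on this slide, modelled as two packet filters in code. This is an added illustration, not part of the deck; the addresses, the service ports the proxy handles (25, 80, 443) and the rule format are all constructed assumptions. It shows the access router stopping traffic aimed straight at the private network and the interior router admitting only the dual-homed proxy, so a compromised perimeter host still cannot reach inside.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the slides):
# public Internet -> access router -> perimeter network (holds the proxy)
#                 -> interior router -> private network.
ANY = ip_network("0.0.0.0/0")
PERIMETER = ip_network("192.0.2.0/24")
PROXY = ip_network("192.0.2.10/32")      # the dual-homed proxy server
PRIVATE = ip_network("10.0.0.0/8")
PROXIED_PORTS = {25, 80, 443}            # services the proxy relays (assumption)

# Rule: (src_net, dst_net, proto or "*", allowed dst ports or None, action).
# First match wins; a packet matching no rule is dropped (default deny).
ACCESS_ROUTER = [
    (ANY, PROXY, "tcp", PROXIED_PORTS, "permit"),   # only the proxy, only proxied services
    (ANY, PRIVATE, "*", None, "deny"),              # private net never reachable directly
    (PERIMETER, ANY, "tcp", None, "permit"),        # proxy's own outbound connections
]
INTERIOR_ROUTER = [
    (PROXY, PRIVATE, "tcp", PROXIED_PORTS, "permit"),  # only the proxy may talk inward
    (PRIVATE, PROXY, "tcp", None, "permit"),           # inside hosts reach the proxy
]

def evaluate(rules, src, dst, proto, dport):
    """Return the first matching action, or 'deny' when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, rproto, ports, action in rules:
        if (s in src_net and d in dst_net and rproto in ("*", proto)
                and (ports is None or dport in ports)):
            return action
    return "deny"

def traverse(src, dst, proto, dport):
    """Walk a packet through the routers it would cross; returns (decision, where)."""
    s, d = ip_address(src), ip_address(dst)
    if s not in PERIMETER and s not in PRIVATE:          # arriving from the public side
        if evaluate(ACCESS_ROUTER, src, dst, proto, dport) == "deny":
            return "deny", "access-router"
    if d in PRIVATE:                                     # crossing into the private net
        if evaluate(INTERIOR_ROUTER, src, dst, proto, dport) == "deny":
            return "deny", "interior-router"
    return "permit", "delivered"

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "192.0.2.10", "tcp", 80),   # outside -> proxy web: ok
                ("198.51.100.7", "10.1.2.3", "tcp", 80),     # outside -> inside: stopped early
                ("198.51.100.7", "192.0.2.10", "udp", 53),   # unneeded protocol on perimeter
                ("192.0.2.99", "10.1.2.3", "tcp", 25)]:      # rogue perimeter host -> inside
        print(pkt, "->", traverse(*pkt))
```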


14
Firewall Design Options
15
Firewall Design Options (continued)
16
Firewall Design Options (continued)
17
Firewall Types
18
Network Security Enabler IP Security Protocol
(IPsec)
  • IPsec is a set of open standards providing:
    • data confidentiality,
    • data integrity, and
    • authentication between participating peers at the
      IP layer.
  • Relatively new standard.
  • Enables a system to select protocols and
    algorithms, and establishes cryptographic keys.
  • Uses the Internet Key Exchange (IKE) protocol to
    authenticate IPsec peers.

19
Emerging Standard IPsec
  • IKE uses the following technologies:
    • DES: encrypts packet data.
    • Diffie-Hellman: establishes a shared, secret
      session key.
    • Message Digest 5 (MD5): hash algorithm that
      authenticates packet data.
    • Secure Hash Algorithm (SHA): hash algorithm
      that authenticates packet data.
    • RSA encrypted nonces: provide repudiation.
    • RSA signatures: provide non-repudiation.

20
Emerging Standard IPsec
  • IPsec provides confidentiality, integrity,
    authenticity, and replay protection through two
    new protocols:
    • Authentication Header (AH).
    • Encapsulating Security Payload (ESP).
  • AH provides authentication, integrity, and replay
    protection (but not confidentiality).
  • Main difference between the authentication
    features of AH and ESP:
    • AH also authenticates portions of the IP header
      of the packet.
    • ESP authenticates only the packet payload.
  • ESP can provide authentication, integrity, replay
    protection, and confidentiality of the data (it
    secures everything in the packet that follows the
    header).
  • Replay protection requires authentication and
    integrity (these two always go together).
  • Confidentiality (encryption) can be used with or
    without authentication/integrity.
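A toy receiver that makes the AH/ESP distinction on this slide concrete: the integrity check value (ICV) of AH covers the immutable IP header fields plus the payload, ESP's covers only what follows the header, and the anti-replay window only works because the sequence number sits inside the authenticated bytes. This is an added illustration, not code from the deck or from any IPsec implementation; it assumes HMAC-SHA256 with a constructed key and models the header as just its source and destination addresses.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key"   # constructed; a real SA negotiates this via IKE

def ah_covered(hdr, seq, payload):
    # AH: immutable IP header fields (modelled as src/dst) + sequence number + payload.
    return f"{hdr['src']}|{hdr['dst']}|{seq}|".encode() + payload

def esp_covered(hdr, seq, payload):
    # ESP: only what follows the IP header; the header itself is not covered.
    return f"{seq}|".encode() + payload

def icv(covered):
    return hmac.new(KEY, covered, hashlib.sha256).digest()

class ReplayWindow:
    """Accept each sequence number at most once, inside a sliding window of `size`."""
    def __init__(self, size=64):
        self.size, self.highest, self.seen = size, 0, set()

    def accept(self, seq):
        if seq <= self.highest - self.size or seq in self.seen:
            return False                      # too old, or already seen
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.size}
        return True

def receive(mode, window, sent_hdr, sent_seq, sent_payload,
            recv_hdr, recv_seq, recv_payload):
    """Classify a packet as 'ok', 'bad-icv' or 'replay'. `sent_*` is what the
    sender authenticated; `recv_*` is what actually arrived (possibly altered)."""
    cover = ah_covered if mode == "AH" else esp_covered
    expected = icv(cover(sent_hdr, sent_seq, sent_payload))   # ICV carried in the packet
    if not hmac.compare_digest(icv(cover(recv_hdr, recv_seq, recv_payload)), expected):
        return "bad-icv"                      # integrity check runs before the window
    return "ok" if window.accept(recv_seq) else "replay"

if __name__ == "__main__":
    hdr = {"src": "192.0.2.1", "dst": "198.51.100.2"}        # constructed addresses
    altered = {"src": "203.0.113.9", "dst": "198.51.100.2"}
    w = ReplayWindow()
    print("AH, header changed in transit:", receive("AH", w, hdr, 1, b"data", altered, 1, b"data"))
    print("ESP, header changed in transit:", receive("ESP", w, hdr, 1, b"data", altered, 1, b"data"))
    print("ESP, same packet again:", receive("ESP", w, hdr, 1, b"data", hdr, 1, b"data"))
```

The second line prints "ok" because ESP never looks at the header, which is exactly why AH exists when header fields themselves need protection.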

21
IPsec Issues
  • Tunnel-mode Authentication Header does not work
    as you might expect, due to restrictions in the
    kernel IPsec policy engine.
  • Do not try to use tunnel-mode AH.
  • IPsec policy rules are not well tested for
    explicit protocol specifications other than
    TCP/UDP.

22
Next Session Highlights
  • Internet Security (continued)
  • Application Security
  • Email Security