Network Security - PowerPoint PPT Presentation

About This Presentation
Title:

Network Security

Description:

Purchase antivirus software which updates virus signatures at least once per month ... characteristic such as finger prints, hand geometry, retinal scans etc. ... – PowerPoint PPT presentation

Slides: 51
Provided by: nizarmabro

Transcript and Presenter's Notes

1
Chapter 13
  • Network Security

2
Objectives
  • Understand the many processes involved with the
    development of a comprehensive security policy
    and security architecture
  • Understand the importance of a well-developed and
    implemented security policy and associated people
    processes to effective security technology
    implementation

3
Business Impact
  • What is the impact on a business when its network
    security is violated by on-line thieves?
  • According to US federal law enforcement estimates,
    more than $10 billion worth of data is stolen
    annually in the US alone
  • In a single incident, 60,000 credit and calling
    card numbers were stolen
  • 50% of computer crimes are committed by a
    company's current or former employees

4
Security Policy Development Life Cycle
5
Identification of Business-related security issues
  • Security requirement assessment
  • What do we have to lose?
  • What do we have worth stealing?
  • Where are the security holes in our business
    processes?
  • How much can we afford to lose?
  • How much can we afford to spend on network
    security?

6
Analysis of Risks, Threats, Vulnerabilities
  • Information asset evaluation: what do you have
    that's worth protecting?
  • Network architecture documentation: what is the
    current state of your network?
  • How many unauthorized modems are dialing in?
  • Identify all assets, threats and vulnerabilities
  • Determine risks and create protective measures

7
Architecture and Process Design
  • Logical design of security architecture and
    associated processes
  • What must be the required functionality of the
    implemented technology ?
  • What business processes implemented and monitored
    by people must complement this security
    architecture ?

8
Security Technology and Process Implementation
  • Choose security technology based on logical
    design requirements
  • Implement all security technology with
    complementary people process
  • Increase overall awareness of network security
    and implement training
  • Design ongoing education process for all
    employees including senior management

9
Audit Impact of Security Technology and Processes
  • Ensure that implemented policy and technology are
    meeting initial goals
  • Institute a method to identify exceptions to
    security policy standards and deal with these
    exceptions swiftly

10
Evaluate effectiveness of Current Architecture
and Processes
  • Based on the results of ongoing audits, evaluate
    the effectiveness of the current policy and
    architecture in meeting the high-level goals
  • Adjust policy and architecture as required and
    renew the cycle

11
Security Requirements Assessment (SRA)
  • A proper SRA implies that appropriate security
    processes and technology have been applied to any
    given user group's access to and from every
    potential corporate information resource

12
Scope Definition and Feasibility Studies
  • Before proceeding blindly with a security policy
    development project, it is important to properly
    define the scope or limitations of the project.
  • The feasibility study provides an opportunity to
    gain vital information on the difficulty of the
    security policy development process as well as
    the assets (human and financial) required to
    maintain such a process.
  • One of the key issues is deciding on the balance
    between security and productivity

13
Security vs. Productivity Balance
14
Data/Information Classification
  • Unclassified/Public: info. having no restrictions
    as to storage, transmission, or distribution
  • Sensitive: info. whose release would not damage
    the corporation but could cause embarrassment or
    measurable harm to individuals, e.g. employee
    salaries and benefits
  • Confidential: info. whose release could cause
    measurable damage to the corporation, e.g.
    corporate strategic plans, contracts

15
Data/Information Classification
  • Secret: info. whose release could cause serious
    damage to a corporation. Trade secrets or
    engineering diagrams are two examples
  • Top secret: info. whose release could cause grave
    or permanent damage. Release of such information
    could literally put a company out of business.
    Secret formulas for key products would be
    considered top secret.

16
Assets, Threats, Vulnerabilities, and Risks
  • How to define the balance between security and
    productivity?
  • Identify assets
  • Identify threats
  • Identify vulnerabilities
  • Consider the risks
  • Identify risk domains
  • Take protective measures

17
Assets
  • Corporate property of some value that requires
    varying degrees of protection, including
  • Network security
  • Corporate data
  • Network hardware
  • Software
  • Media to transport data

18
Threats
  • Processes or people that pose a potential danger
    to identified assets.
  • Intentional or unintentional, natural, or
    man-made.
  • Network related threats include
  • Hackers
  • Fires
  • Floods
  • Power failures
  • Equipment failures
  • Dishonest employees
  • Incompetent employees

19
Vulnerabilities
  • Manner or path by which threats are able to
    attack assets.
  • Can be thought of as weak links in overall
    security architecture and should be identified
    for every potential threat/asset combination
  • Vulnerabilities that have been identified can be
    blocked

20
Risks
  • The probability of a particular threat
    successfully attacking a particular asset in a
    given amount of time via a particular
    vulnerability
  • After identifying vulnerabilities, the questions
    are
  • How should a network analyst proceed in
    developing defenses to these vulnerabilities?
  • Which vulnerabilities should be dealt with first?
  • How can a network analyst determine an objective
    means to prioritize vulnerabilities?
  • By considering the risk, network analysts are
    able to quantify the relative importance of
    threats and vulnerabilities.
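The prioritization the slide asks about, carried through in code as an added example (it is not part of the presentation): every threat/asset/vulnerability path is scored by its expected annual loss, which is the usual quantitative reading of "probability ... in a given amount of time", and the paths are ranked so the analyst knows which vulnerability to treat first. The asset values, exposure fractions, occurrence rates and countermeasure cost are constructed, and the single-loss/annual-loss terms are the standard SLE/ALE definitions rather than terms used on the slides.

```python
# Added example (not from the slides): ranking threat/asset/vulnerability
# paths by annualized risk so the highest-risk paths are treated first.
# All assets, values, likelihoods and costs below are constructed.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RiskPath:
    asset: str            # what is threatened
    threat: str           # who or what threatens it
    vulnerability: str    # the path the threat can take to the asset
    asset_value: float    # impact/replacement value in currency units
    exposure: float       # fraction of asset value lost per success (0..1)
    rate_per_year: float  # expected successful attacks per year via this path

    def single_loss(self) -> float:
        """Single loss expectancy: value lost when the attack succeeds once."""
        return self.asset_value * self.exposure

    def annual_loss(self) -> float:
        """Annualized loss expectancy: single loss x expected yearly successes."""
        return self.single_loss() * self.rate_per_year


def prioritize(paths: List[RiskPath]) -> List[RiskPath]:
    """Return the paths ordered from highest to lowest annualized risk."""
    return sorted(paths, key=lambda p: p.annual_loss(), reverse=True)


def worth_it(path: RiskPath, residual_rate_per_year: float, annual_cost: float) -> float:
    """Net annual benefit of a protective measure that lowers the success rate
    on this path to residual_rate_per_year. Positive means it pays for itself."""
    before = path.annual_loss()
    after = path.single_loss() * residual_rate_per_year
    return before - after - annual_cost


# Constructed sample. Note the same asset/threat pair appears with several
# vulnerabilities (paths), each of which needs its own protective measure.
SAMPLE = [
    RiskPath("customer DB", "external attacker", "unpatched web server", 500_000, 0.6, 0.5),
    RiskPath("customer DB", "external attacker", "uncontrolled dial-in modem", 500_000, 0.6, 0.2),
    RiskPath("customer DB", "dishonest employee", "shared admin password", 500_000, 0.4, 1.0),
    RiskPath("file server", "fire", "no off-site backup", 80_000, 1.0, 0.02),
    RiskPath("file server", "virus", "no desktop antivirus", 80_000, 0.1, 12.0),
]

if __name__ == "__main__":
    for p in prioritize(SAMPLE):
        print(f"{p.annual_loss():>10,.0f}  {p.asset:12} {p.threat:18} {p.vulnerability}")
    print("net annual benefit of patching the web server:",
          worth_it(SAMPLE[0], residual_rate_per_year=0.05, annual_cost=20_000))
```

Reading the output: the shared admin password outranks the unpatched web server even though each successful attack does less damage, because it is expected to be exploited more often; that is the objective ordering the slide is after, and worth_it() answers slide 5's "how much can we afford to spend" for one measure.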

21
(No Transcript)
22
Protective measures
  • There may be multiple vulnerabilities (paths)
    between a given asset and a given threat
  • → multiple protective measures need to be
    established between a given threat/asset
    combination
  • Major categories of protective measures
  • Virus protection
  • Firewalls
  • Authentication
  • Encryption
  • Intrusion Detection

23
Virus Protection
  • A comprehensive virus protection plan must
    combine policy, people, processes, and technology
    to be effective.
  • Viruses are the most common microcomputer
    security breach
  • 90% of the organizations surveyed with 500 or
    more PCs experience at least one virus incident
    per month
  • Complete recovery from a virus infection costs
    an average of $8,300 and 44 hours over a period
    of 22 working days
  • In January 1998 there were over 16,000 known
    viruses, with as many as 200 new viruses
    appearing per month

24
Virus Categories
  • Virus symptoms, methods of infection, and
    outbreak mechanisms can vary widely, but all
    viruses share a few common behaviors.
  • Most viruses work by infecting other legitimate
    programs and causing them to become destructive
    or disrupt the system in some other manner.
  • Most viruses use some type of replication method
    to get the virus to spread and infect other
    programs, systems, or networks
  • Most viruses need some sort of trigger or
    activation mechanism to set them off. Viruses may
    remain dormant and undetected for long periods

25
Virus Categories
  • Two trigger-based types
  • Time bombs (activate at a preset date or time)
  • Logic bombs (activate when a preset condition is
    met)
  • Further categories, by what they infect or how
    they spread
  • File infectors
  • System/boot infectors
  • Multipartite viruses (infect both files and boot
    sectors)
  • Hostile applets
  • E-mail viruses
  • Cluster/file system viruses

26
Antivirus Strategies (AS)
  • Effective AS must include
  • Policy
  • Procedures
  • Technology

27
Antivirus Strategies (AS) Policies and
procedures
  • Identify virus infection vulnerabilities and
    design protective measures
  • Install virus scanning software at all points of
    attacks
  • All diskettes must be scanned at a stand-alone
    scanning PC before being loaded onto
    network-attached clients or servers
  • All consultants and third-party contractors are
    prohibited from attaching notebook computers to
    the corporate network without scanning

28
Antivirus Strategies (AS) Policies and
procedures
  • All vendors must run demos on their own equipment
  • Shareware/downloaded software should be
    prohibited or controlled and scanned
  • All diagnostic and reference diskettes must be
    scanned before use
  • Write-protect all diskettes holding .exe or .com
    files
  • Create a master boot record that disables writes
    to the hard drive when booting from a diskette,
    etc.

29
Antivirus Technology
  • Viruses can attack
  • Locally or remotely attached client platforms
  • Server platforms
  • Entrance to the corporate network via the
    Internet
  • At each entrance point, viruses must be detected
    and removed

30
Antivirus Technology
  • Virus scanning is the primary method for
    successful detection and removal
  • Scanning software most often works off a library
    of known virus signatures
  • New viruses are appearing at approx. 200/month
  • Purchase antivirus software whose virus
    signatures are updated at least once per month
  • Typically, vendors update virus signature files
    every 4 hours, with hourly updates expected in
    the near future

31
Antivirus Technology
  • Emulation technology attempts to detect as yet
    unknown viruses by running programs inside a
    software emulation environment known as a
    virtual PC
  • Proactive rather than reactive
  • The executing program can be examined in a safe
    environment for unusual behavior or other
    tell-tale symptoms of resident viruses
  • Advantage: identification of potentially unknown
    viruses based on their behavior rather than by
    relying on identifiable signatures of known
    viruses

32
Antivirus Technology
  • Such programs are also capable of trapping
    encrypted or polymorphic viruses that are capable
    of constantly changing their identities or
    signatures.
  • Some of these programs are also self-learning
  • Knowledge of virus-like activity increases with
    experience.
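An added example, not from the presentation, covering the two points of slides 30 to 32: a scanner that matches files against a library of known byte signatures, and why such a scanner misses an encoded copy of the same payload (the case that emulation and behaviour analysis exist to catch). The EICAR string is the industry's agreed test signature and is scanned only in memory; the "Demo.Dropper" pattern, the XOR wrapper and the sample files are constructed for the example.

```python
# Added example (not from the slides): a minimal signature scanner over a
# library of known byte patterns, plus a demonstration of why a byte-for-byte
# signature misses an encoded ("polymorphic") copy of the same payload.
import os
import tempfile
from typing import Dict, List

# The standard antivirus test string (EICAR); every vendor detects it by
# convention, so it is the one real signature in this constructed library.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Signature library: name -> byte pattern. Real libraries hold thousands and
# are updated continuously; this one is constructed for the example.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": EICAR,
    "Demo.Dropper": b"\x90\x90\x90\xcc\xcc DEMO-DROPPER-MARKER",
}


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_file(path: str) -> List[str]:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Scan every file under root; map relative path -> matched signature names."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def xor_encode(payload: bytes, key: int) -> bytes:
    """Toy 'polymorphic' wrapper: the same payload stored under a different
    single-byte XOR key has a different byte pattern every time, so a
    signature taken from the plain payload no longer matches."""
    return bytes(b ^ key for b in payload)


def demo() -> Dict[str, List[str]]:
    """Write a constructed sample tree and scan it."""
    root = tempfile.mkdtemp(prefix="avdemo-")
    files = {
        "clean.txt": b"quarterly report, nothing to see here",
        "dropper.bin": b"header" + SIGNATURES["Demo.Dropper"] + b"trailer",
        # Encoded copy of the dropper: the raw-byte scanner misses it.
        "dropper_poly.bin": b"stub" + xor_encode(SIGNATURES["Demo.Dropper"], 0x5A),
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    print("in-memory EICAR check:", scan_bytes(EICAR))
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
    print("dropper_poly.bin is not reported: encoded copy evades the signature")
```

The evasion is the whole point of the second half of the example: dropper_poly.bin carries exactly the same payload as dropper.bin, yet the scanner reports only the latter. A real polymorphic virus also rewrites its decoder stub on each infection, which is why the slides' emulation approach (let it decode itself in a virtual PC, then look at what it does) is needed alongside signatures.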

33
Antivirus Technology
  • CRC checkers or hashing checkers create and save
    a cyclic redundancy check (CRC) value or hash for
    each file to be monitored
  • Each time the file is saved, the new CRC is
    checked against the reference CRC
  • If the CRCs differ → the file has changed
  • A program evaluates the changes to determine the
    likelihood that they were caused by a viral
    infection
  • Disadvantage: only able to detect a virus after
    the infection has already occurred
  • Decoys: files that are allowed to be infected in
    order to detect and report on virus activity
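A file-integrity checker of the kind the slide describes, written here as an added example (not code from the presentation). It uses SHA-256 rather than a CRC: a CRC catches accidental corruption, but an attacker can pad a modified file so its CRC matches the original, whereas a cryptographic hash cannot be matched that way. It also plants a decoy file that nothing legitimate should ever write to, so a change to it is a strong infection signal. The directory layout, file contents and the simulated infector are constructed; the baseline file name is an assumption.

```python
# Added example (not from the slides): baseline hashes, re-check, and a decoy.
import hashlib
import json
import os
import tempfile
from typing import Dict, List

DECOY_NAME = "DECOY_DO_NOT_TOUCH.exe"   # assumed name for the decoy file


def file_hash(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map relative path -> hash for every file under root."""
    out: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            out[os.path.relpath(full, root)] = file_hash(full)
    return out


def save_baseline(root: str, baseline_path: str) -> None:
    # In practice the baseline must live where the monitored host cannot
    # rewrite it (read-only media, another machine); here it is just a file.
    with open(baseline_path, "w") as fh:
        json.dump(snapshot(root), fh)


def check(root: str, baseline_path: str) -> Dict[str, List[str]]:
    """Compare the tree with the baseline: changed/added/removed files,
    with decoy modification reported separately."""
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    now = snapshot(root)
    changed = sorted(p for p in baseline if p in now and now[p] != baseline[p])
    added = sorted(p for p in now if p not in baseline)
    removed = sorted(p for p in baseline if p not in now)
    decoy_hit = [p for p in changed if os.path.basename(p) == DECOY_NAME]
    return {"changed": changed, "added": added, "removed": removed,
            "decoy_modified": decoy_hit}


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, take a baseline, simulate a file infector."""
    root = tempfile.mkdtemp(prefix="fim-")
    files = {
        "bin/app.exe": b"MZ original program image",
        "bin/util.exe": b"MZ another program",
        DECOY_NAME: b"MZ decoy that only a file infector would touch",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    baseline = os.path.join(tempfile.mkdtemp(prefix="fim-base-"), "baseline.json")
    save_baseline(root, baseline)
    # Simulated infector: appends itself to some executables (decoy included)
    # and drops a new file. The checker can only report this after the fact,
    # which is the slide's stated disadvantage.
    for rel in ("bin/app.exe", DECOY_NAME):
        with open(os.path.join(root, rel), "ab") as fh:
            fh.write(b"\n<<viral code appended>>")
    with open(os.path.join(root, "bin", "dropped.exe"), "wb") as fh:
        fh.write(b"MZ new file")
    return check(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two operational caveats the code comments only hint at: the baseline is the crown jewel (if the infector can rewrite it, every check passes), and legitimate software updates also change hashes, so the "program that evaluates changes" on the slide is in practice a human or policy deciding which changes were expected.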

34
Antivirus Technology
  • Active content monitor
  • Identifies viruses and malicious content such as
    Java applets or ActiveX controls that may be
    introduced via Internet connectivity
  • Able to examine transmissions from the Internet in
    real time and identify known malicious content
    based on the contents of reference definition
    libraries

35
(No Transcript)
36
Firewalls
  • When a company links to the Internet, a two-way
    access point out of, as well as into, that
    company's confidential information is created
  • To prevent unauthorized access from the Internet
    to the company's confidential data, a firewall is
    deployed
  • The firewall runs on a dedicated host that sits
    between the corporate network and the outside
    network
  • All network packets are filtered/examined for
    authorized access
  • The firewall provides a layer of isolation between
    the inside network and the outside network

37
Firewalls
  • Does it provide full protection? No, not if
  • Dial-up modem access remains uncontrolled or
    unmonitored (a path that bypasses the firewall)
  • The firewall is incorrectly implemented, which may
    introduce new loopholes

38
Firewall Architectures
  • There are no standards for firewall functionality,
    architecture, or interoperability
  • As a result, the user must be especially aware of
    how firewalls work to evaluate a potential
    firewall technology purchase
  • Three architectures
  • Packet filtering
  • Application gateways
  • Internal firewalls

39
Packet filtering
  • Every IP packet carries the addresses of its
    source and destination in its header
  • A filter is a program that examines the source and
    destination addresses of all packets arriving at
    the firewall host
  • Routers are also capable of filtering packets
  • Filter tables are lists of addresses whose packets
    (and the messages embedded in them) are either
    allowed or prohibited from proceeding through the
    firewall and into the corporate network

40
Packet filtering
  • Packet filter gateways on routers: maintaining
    filter tables and access rules on multiple
    routers is not a simple task
  • Packet filtering has limitations in the level of
    security it provides
  • Dedicated packet-filtering firewalls are usually
    easier to configure
  • IP spoofing is used by attackers to breach packet
    filters
  • The attacker forges the source address so the
    packet appears to come from an authorized/trusted
    IP address; a filter that looks only at addresses
    cannot tell the forgery from the real thing
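A packet filter driven by a filter table of the kind the two slides describe, written as an added example (not code from the presentation). Rules are evaluated first-match-wins with a default deny, over constructed sample packets. The first rule is the one defence an address-only filter has against the spoofing attack just described: a packet arriving on the outside interface can never legitimately carry an inside source address, so it is dropped regardless of what the filter table would otherwise allow. The address block, interfaces, hosts and rule set are all assumptions made for the example.

```python
# Added example (not from the slides): rule-table packet filter with an
# ingress anti-spoofing rule. Addresses and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INSIDE_NET = ip_network("10.0.0.0/8")   # assumed corporate address block


@dataclass
class Packet:
    iface: str      # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    iface: Optional[str] = None  # None matches any interface
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Constructed filter table. Order matters: first match wins, default deny.
RULES: List[Rule] = [
    Rule("deny", iface="outside", src=str(INSIDE_NET),
         comment="anti-spoofing: inside addresses never arrive from outside"),
    Rule("allow", iface="outside", dst="10.0.1.10/32", proto="tcp", dport=25,
         comment="Internet mail to the relay"),
    Rule("allow", iface="outside", dst="10.0.1.20/32", proto="tcp", dport=80,
         comment="Internet HTTP to the public web server"),
    Rule("allow", iface="inside", src=str(INSIDE_NET),
         comment="outbound traffic from the corporate net"),
]


def decide(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, or default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.7", "10.0.1.10", "tcp", 25),  # legitimate mail
    Packet("outside", "203.0.113.7", "10.0.1.20", "tcp", 22),  # SSH to web host: no rule
    Packet("outside", "10.0.5.5", "10.0.1.30", "tcp", 445),    # spoofed inside source
    Packet("inside", "10.0.5.5", "198.51.100.9", "tcp", 443),  # outbound HTTPS
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, why = decide(pkt)
        print(f"{pkt.iface:7} {pkt.src:>13} -> {pkt.dst:<13} "
              f"{pkt.proto}/{pkt.dport:<4} {action:5} ({why})")
```

What the example cannot do is as instructive as what it does: the filter is stateless and looks only at headers, so it cannot tell a reply to an inside connection from an unsolicited packet, and it has no opinion about the content of the allowed mail or HTTP sessions. Those gaps are what the application-level filters of the next slides address.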

41
Application Level Filters (ALFs)
  • Also known as
  • Application gateways
  • Assured pipelines
  • Proxies
  • Go beyond port level filters in their attempts to
    prevent unauthorized access.
  • Port level filters determine the legitimacy of
    the party asking for information
  • ALFs ensure the validity of what they are asking
    for.

42
Application Level Filters (ALFs)
  • Circuit-level proxies provide proxy services for
    transport layer protocols such as TCP
  • SOCKS creates a proxy data channel to the
    application server on behalf of the application
    client
  • SOCKS can control traffic by disabling or
    enabling communication according to TCP port
    numbers
  • SOCKS4 supports outgoing connections through the
    firewall
  • SOCKS5 supports both incoming and outgoing
    connections through the firewall as well as
    client authentication

43
Application Level Filters (ALFs)
  • Internal firewalls: the need
  • 60% of network attacks are made by internal users
  • Disgruntled employees, former employees etc. were
    responsible for 568 of 600 incidents of network
    hacking
  • 30% of Internet sites that reported breaches had
    firewalls in place
  • Internal firewalls are a newer category of
    software to handle internal attacks
  • Filters that work at the data link, network, and
    application layers to examine communications on
    the corporate internal network

44
Authentication and Access Control
  • The overall purpose of authentication is to
    ensure that users attempting to gain access to
    networks are really who they claim to be
  • Password protection alone is no longer
    sufficient; more is needed
  • A variety of authentication technology (AT) has
    been developed. Products fall into three main
    categories

45
Authentication and Access Control
  • The categories are
  • What you know: AT that delivers single sign-on
    (SSO) access to multiple network-attached servers
    and resources via passwords, e.g.
  • TrustBroker from CyberSafe
  • PassGo SSO from Axent Technologies
  • Global Sign On from IBM
  • What you have: AT that uses one-time or session
    passwords to authenticate the user. This AT
    requires the user to possess some type of smart
    card or other token authentication device to
    generate these single-use passwords

46
Authentication and Access Control
  • What you are: AT that validates users based on
    some physical characteristic such as fingerprints,
    hand geometry, retinal scans etc.

47
Token Authentication (TAu): Smart Cards
  • This technology provides one-time-use session
    passwords that are authenticated by associated
    server software. TAu may take multiple forms
  • HW based smart cards that are about the size of a
    credit card with a numeric keypad.
  • In-line TAu devices that connect to the serial
    port of a computer for dial-in authentication
    through a modem
  • SW tokens that are installed on client PC and
    authenticate with the server portion of the token
    authentication product transparently to the end
    user. PIN is required to activate authentication
    process
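The one-time password mechanism inside most of the tokens just listed, shown as an added example that is not part of the presentation: HOTP (RFC 4226), in which the token and the server share a secret and a counter, the token derives a short code from the two on each press, and the server accepts a code only once and only within a small look-ahead window, so a code captured in transit cannot be replayed. The secret is RFC 4226's published test key (so the first codes are the RFC's own test vectors); the user name and the look-ahead size are assumptions.

```python
# Added example (not from the slides): HOTP token and verifying server.
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for the given counter (RFC 4226: HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """Server side: per-user secret plus the next counter it will accept."""

    def __init__(self, look_ahead: int = 5):  # look_ahead is an assumption
        self.look_ahead = look_ahead
        self.users: Dict[str, dict] = {}  # user -> {"secret": bytes, "counter": int}

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # Try the next look_ahead counters so a few unused token presses
        # (the token drifting ahead of the server) still authenticate.
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1  # consume: this and all earlier codes are dead
                return True
        return False


class HardwareToken:
    """The 'what you have' side: advances its own counter on every press."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 appendix D test key

if __name__ == "__main__":
    server = TokenServer()
    server.enroll("alice", RFC_TEST_SECRET)   # "alice" is a made-up user
    token = HardwareToken(RFC_TEST_SECRET)
    first = token.press()
    print("code", first, "accepted:", server.verify("alice", first))
    print("same code again accepted:", server.verify("alice", first))
```

The PIN the slide mentions is the "what you know" half that real products add on top: it unlocks the token (or is concatenated with the code), so a stolen token alone is not enough. The look-ahead window is the usual compromise between tolerating a user who pressed the button a few times without logging in and keeping the number of codes an attacker could guess small.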

48
Biometric Authentication (BA)
  • BA can authenticate users based on
  • finger prints
  • palm prints
  • retinal patterns
  • hand geometry
  • facial geometry
  • voice recognition
  • Other physical characteristics
  • Not yet perfect or fool proof
  • False rejects: a legitimate user is turned away
    because the BA device's comparison algorithm is
    configured too strictly (match threshold too
    high)
  • False accepts: an impostor is admitted because
    the comparison algorithm is not strict enough
    (match threshold too low)
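The trade-off between the two error types, made concrete as an added example (not from the presentation): a biometric matcher produces a similarity score and accepts when the score reaches a threshold, so raising the threshold turns false accepts into false rejects and lowering it does the reverse. The genuine and impostor scores below are constructed to overlap the way real biometric score distributions do; the 0..1 scale and the threshold step are assumptions.

```python
# Added example (not from the slides): false reject / false accept rates
# as a function of the matcher's acceptance threshold.
from typing import List, Tuple

# Constructed match scores: same-person attempts and different-person attempts.
GENUINE: List[float] = [0.92, 0.88, 0.81, 0.79, 0.74, 0.71, 0.66, 0.62, 0.58, 0.55]
IMPOSTOR: List[float] = [0.61, 0.57, 0.52, 0.48, 0.45, 0.41, 0.38, 0.33, 0.29, 0.22]


def rates(threshold: float,
          genuine: List[float] = GENUINE,
          impostor: List[float] = IMPOSTOR) -> Tuple[float, float]:
    """(false reject rate, false accept rate) when scores >= threshold are accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def equal_error_threshold(step: float = 0.01) -> float:
    """Threshold at which FRR and FAR are closest: the usual starting point,
    which is then raised for a security-biased deployment or lowered for a
    convenience-biased one."""
    best, best_gap = 0.0, float("inf")
    t = 0.0
    while t <= 1.0:
        frr, far = rates(t)
        if abs(frr - far) < best_gap:
            best, best_gap = t, abs(frr - far)
        t = round(t + step, 4)
    return best


if __name__ == "__main__":
    for t in (0.50, 0.58, 0.70):
        frr, far = rates(t)
        print(f"threshold {t:.2f}: false reject {frr:.0%}, false accept {far:.0%}")
    print("equal-error threshold:", equal_error_threshold())
```

For an authentication device the false accept rate is the security number and the false reject rate is the help-desk number; a practitioner sets the threshold from the accept rate they can tolerate and then measures how many legitimate users that turns away, not the other way round.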

49
Authorization
  • Builds on authentication: once a user's identity
    has been verified, authorization decides what that
    user may do
  • Authorization ensures that only properly
    authorized users are able to access particular
    network resources or corporate information
    resources
  • The authorization security software can be either
  • Server based, also known as brokered
    authorization
  • Workstation based, also known as trusted node

50
Kerberos
  • Probably the most well-known combination of
    authentication/ authorization software
  • Architecture consists of three key components
  • Kerberos client software
  • Kerberos authentication server software (the Key
    Distribution Center, which issues the tickets the
    client presents)
  • Kerberos application server software (the service
    that accepts those tickets)