Security

  1. Security
     Tue Becher Jensen, Lecture 3 – Security in networks

  2. Agenda
     - Firewalls
     - IDS – Intrusion Detection Systems
     - WAF – Web Application Firewalls
     - Security tools – network monitor
     - Vulnerability scanning
     - Proxy
     - Onion routing

  3. Communicating data
     - Network packets
       - Contain the info required to route the packet to its destination
       - Contain the info needed to deliver it to the correct application on the destination system
     - Network sessions

  4. Firewalls
     - Protecting your computer from the big bad internet…
     - Hardware or software based
     - Checkpoint for communication on a network
     - Blocks unauthorized access
     - (Figure: router between the public address 91.182.13.174 and the internal 192.168.*.* network)

  5. All-in-one for home use
     - Firewall, router, switch and wireless access point in one box
     - (Figure: public address 91.182.13.174, internal network 192.168.*.*)

  6. Firewall – the basic technologies
     - Packet filtering
     - Circuit level gateways
     - Application level gateways
     - Stateful inspection
     - Exercise: form groups, one technology for each group. Prepare a presentation of your subject – 20 minutes

  7. Packet filtering
     - Examines data packets as they attempt to pass through the firewall
     - Rule-based filtering using the source, destination and port information within the packet
     - Easy to block traffic on specific ports
     - Simple but less secure

  8. Circuit level gateways
     - Act as a proxy
     - Only allow traffic on valid connections (TCP)
     - Do not filter packets
     - Example: NAT – Network Address Translation

  9. Application level gateways
     - Run proxy applications: HTTP, FTP, SMTP, POP3, ...
     - No direct communication between outside sources and computers behind the firewall
     - Filtering rules can use the content of the data transmitted, e.g. "No access to *.youtube.com"

  10. Stateful inspection
     - Combines packet filtering with gateway methods
     - Runs no proxies, but maintains a request table
     - A packet filtering firewall that examines packet content to match it against the request table
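To make the difference between slides 7 and 10 concrete, here is an added Python example (not from the lecture): a stateless packet filter and a stateful one that keeps the request table, run over three constructed packets. The policy, the addresses and the port convention are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool        # True when arriving from the internet side of the firewall
    syn: bool = False    # bare TCP SYN: a new connection attempt

# Constructed policy for the home network of slide 4: inside hosts (192.168.*.*) may
# open connections to web servers (port 80); nothing else is wanted from outside.

def stateless_allow(pkt):
    """Packet filtering (slide 7): decide from the addresses and ports of this packet alone."""
    if not pkt.inbound and pkt.dst_port == 80:
        return True
    # Replies to our web requests come back *from* port 80 to a high port, and a
    # stateless filter cannot tell a genuine reply from a forged one, so it has to
    # open that whole range: this is the "simple but less secure" part.
    return pkt.inbound and pkt.src_port == 80 and pkt.dst_port >= 1024

class StatefulFilter:
    """Stateful inspection (slide 10): no proxy, but a table of connections we opened."""
    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if not pkt.inbound:
            if pkt.dst_port != 80:
                return False
            if pkt.syn:      # remember the connection the inside host is opening
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: only packets that match a connection in the table get through
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.table

def compare():
    """Run three constructed packets through both filters; returns (stateless, stateful) verdicts."""
    inside, web, attacker = "192.168.1.10", "198.51.100.7", "203.0.113.5"  # constructed addresses
    packets = [
        Packet(inside, 40000, web, 80, inbound=False, syn=True),   # our request
        Packet(web, 80, inside, 40000, inbound=True),              # genuine reply
        Packet(attacker, 80, inside, 40001, inbound=True),         # forged "reply"
    ]
    sf = StatefulFilter()
    return [stateless_allow(p) for p in packets], [sf.allow(p) for p in packets]
```

The forged packet passes the stateless filter because it looks like a web reply, while the stateful filter rejects it because no inside host ever opened that connection.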
  11. IDS – Intrusion Detection Systems
     - Real-time traffic analysis
     - Performs protocol analysis and content searching
     - Detects a variety of attacks and probe attempts: buffer overflows, port scans, OS fingerprinting etc.

  12. Exercise – Snort, a free IDS
     - Go to the Snort website (www.snort.org)
     - What kind of attacks can Snort detect? CGI attacks, buffer overflows, SMB probes, OS fingerprinting, port scans, …

  13. CGI attacks
     - Common Gateway Interface (CGI): protocol for interfacing with a server-side script. Often used to process data from fill-in forms
     - Threat example: exploiting flaws in CGI scripts on a web server
       - HTTP servers often have a demo directory known to contain scripts with vulnerabilities that allow anyone to execute commands on your server
       - phf – updates a phonebook-style listing of people: http://example.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

  14. Buffer overflows
     - Data is stored in a buffer outside the memory set aside for it; the extra data overwrites adjacent memory and changes program variables or control flow
     - Threat example: Savant Web Server 3.1 Remote Buffer Overflow Exploit
       - Overflow data is sent in a GET request; the request results in an error but leaves the server in a vulnerable state
       - Allows an attacker to open access to the server via another port

  15. SMB probes
     - A Server Message Block probe checks a system to determine what shared files are available
     - Can be used to look for file system weaknesses

  16. OS fingerprinting
     - Sending requests trying to detect the server OS
     - If found, the attacker can focus on known vulnerabilities
     - Easy to do using tools like nmap (add the -O option):

       # nmap -O -v scanme.nmap.org
       Starting Nmap ( http://nmap.org )
       .....
       Running: Linux 2.6.X
       OS details: Linux 2.6.20-1 (Fedora Core 5)
       Uptime guess: 11.433 days (since Thu Sep 18 13:13:01 2008)

  17. Port scans
     - Checking a server for open ports
     - It's like ringing the doorbell to see if someone will answer the door
     - Check all ports or only the commonly used ones
     - Used to learn more about the target system and focus on known attacks
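As an added illustration of the IDS detection on slides 11, 13 and 17 (not part of the lecture), a minimal Python signature and probe detector run over constructed traffic records: the content rules are written in the spirit of Snort's content matching but are not Snort syntax, and the port-scan threshold and time window are assumed values.

```python
import re
from collections import defaultdict

# Constructed traffic records (time in s, src_ip, dst_ip, dst_port, payload) standing in
# for what a sensor on the network would see; addresses are from documentation ranges.
EVENTS = [
    (0.0, "203.0.113.9", "192.168.1.20", 80, "GET /index.html HTTP/1.0"),
    (0.4, "203.0.113.9", "192.168.1.20", 80, "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0"),
    (1.0, "198.51.100.4", "192.168.1.20", 21, ""),
    (1.1, "198.51.100.4", "192.168.1.20", 22, ""),
    (1.2, "198.51.100.4", "192.168.1.20", 25, ""),
    (1.3, "198.51.100.4", "192.168.1.20", 80, ""),
    (1.4, "198.51.100.4", "192.168.1.20", 110, ""),
    (9.0, "192.168.1.30", "192.168.1.20", 80, "GET /phf-notes.html HTTP/1.0"),
]

# Content signatures (constructed, not Snort rule syntax): the phf request from slide 13
# is recognised by the newline escape (%0a) that smuggles a shell command into Qalias.
SIGNATURES = [
    ("WEB-CGI phf access", 80, re.compile(r"/cgi-bin/phf\b")),
    ("WEB-CGI phf command injection", 80, re.compile(r"/cgi-bin/phf\?.*%0a", re.I)),
]

def match_signatures(events):
    """Content searching: return (time, src, rule name) for every signature hit."""
    alerts = []
    for ts, src, _dst, port, payload in events:
        for name, rule_port, pattern in SIGNATURES:
            if port == rule_port and pattern.search(payload):
                alerts.append((ts, src, name))
    return alerts

def detect_port_scans(events, min_ports=5, window=2.0):
    """Probe detection: a source touching min_ports distinct ports on one host within window seconds."""
    history = defaultdict(list)          # (src, dst) -> [(time, port), ...]
    flagged = set()
    for ts, src, dst, port, _ in events:
        history[(src, dst)].append((ts, port))
        recent = {p for t, p in history[(src, dst)] if ts - t <= window}
        if len(recent) >= min_ports:
            flagged.add((src, dst))
    return flagged
```

The page that merely mentions "phf" in its path does not trigger either rule, while the scanner that walks the server ports of slide 19 within two seconds is flagged.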
  18. Exercise
     Find the default port numbers for: FTP (File Transfer Protocol), SSH (Secure Shell), SMTP (Simple Mail Transfer Protocol), HTTP (Hypertext Transfer Protocol), POP3 (Post Office Protocol version 3)

  19. Server ports
     - A server is designed to provide services to clients
     - Runs on a computer, waiting for requests from clients
     - Listens on network ports:
       - port 21: FTP (File Transfer Protocol)
       - port 22: SSH (Secure Shell)
       - port 25: SMTP (Simple Mail Transfer Protocol)
       - port 80: HTTP (Hypertext Transfer Protocol)
       - port 110: POP3 (Post Office Protocol version 3)
       - …

  20. Web Application Firewalls
     - WAF – aka deep packet inspection firewall, web application shield, web application security filter
     - Applies a set of rules to an HTTP conversation
     - Many current WAF products detect both inbound and outbound attacks

  21. WAF – operation modes
     - Negative model (blacklisting): maintain a DB of known attack signatures. Ex.: disallow any user input which contains "<script>"
     - Positive model (whitelisting): build policies based on valid known requests; application-specific parameter guarding. Ex.: page foo.jsp, field "id" accepts numbers [0-9] in the range 0 to 65535
     - Mixed
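The two WAF models of this slide as an added Python example (not from the lecture or any WAF product): the blacklist carries the "<script>" signature, the whitelist policy is the foo.jsp/id rule from the slide, and the mixed mode runs both. The page path, the extra parameter names and the test URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Negative model: signatures of known-bad input. Constructed list holding the slide's example.
BLACKLIST = [re.compile(r"<script\b", re.I)]

# Positive model: per-page, per-parameter policy. Constructed to match the slide:
# page foo.jsp, field "id" accepts digits in the range 0 to 65535.
WHITELIST = {
    "/foo.jsp": {"id": (re.compile(r"^[0-9]+$"), lambda v: 0 <= int(v) <= 65535)},
}

def negative_check(params):
    """Blacklist: block if any parameter value matches a known attack signature."""
    for name, values in params.items():
        for value in values:
            for pattern in BLACKLIST:
                if pattern.search(value):
                    return f"blocked: signature {pattern.pattern!r} in {name}"
    return None

def positive_check(path, params):
    """Whitelist: block anything the page's policy does not explicitly describe."""
    policy = WHITELIST.get(path)
    if policy is None:
        return "blocked: no policy for this page"
    for name, values in params.items():
        if name not in policy:
            return f"blocked: unexpected parameter {name}"
        pattern, in_range = policy[name]
        for value in values:
            if not pattern.match(value) or not in_range(value):  # regex first, so int() is safe
                return f"blocked: {name}={value!r} violates policy"
    return None

def inspect(url, mode="mixed"):
    """Return 'allow' or the first block reason; mode is 'negative', 'positive' or 'mixed'."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if mode in ("negative", "mixed"):
        reason = negative_check(params)
        if reason:
            return reason
    if mode in ("positive", "mixed"):
        reason = positive_check(parts.path, params)
        if reason:
            return reason
    return "allow"
```

An out-of-range id slips past the blacklist (no signature matches a plain number) but is stopped by the whitelist, which is why the slide lists the mixed model.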
  22. WAF – main benefits
     - Basic protection against known attacks using blacklists
     - PCI DSS – the credit card industry prescribes using a WAF
     - Allows hot-fixing uncovered application vulnerabilities: safe during the time needed to change the application and wait for a deployment window (could be weeks)
     - Source code analysis tools can recommend rule sets
     - May be the only way to secure a third-party application

  23. WAF – benefits
     http://www.owasp.org/index.php/File:Best_Practice_WAF-chart-EN.png

  24. WAF – weaknesses
     - Bad rules, design or implementation
     - Makes the overall system more complex
     - WAFs may also have/generate errors
     - May make troubleshooting more difficult
     - Training and testing the WAF can be expensive
     - Tools exist: WAFW00F – identifies WAF systems; WAFFUN – searches for WAF system weaknesses

  25. Security tools – network monitor
     - Network monitor, aka network analyzer or packet sniffer
     - Used to monitor and troubleshoot network traffic
     - Captures packets that pass through a network interface
     - Normal operation only captures packets whose destination matches the machine in question
     - Promiscuous mode enables capturing ALL packets passing the network node

  26. Security tools – network monitor
     - Allows capture of all network traffic
     - Analyze captured traffic to reveal info transmitted in clear text
     - Users on your network may be running rogue packet sniffers, experimenting out of curiosity or with malicious intent
     - How can you prevent this?

  27. Vulnerability scanning
     - Helps you secure your network
     - Identify weaknesses in your system
     - Identify devices open to known vulnerabilities
     - Use tools to identify and fix weaknesses
     - Use the tools before the bad guys!!!

  28. Vulnerability scanning
     - Different methods: analysis of the Windows registry, checks for missing patches etc., attempts to exploit known vulnerabilities
     - Issues: may impact the devices targeted for scanning; a scan can be intrusive and cause system crashes; trying to exploit a DoS vulnerability could make the system unavailable
     - Be careful using it on production systems

  29. Vulnerability scan process
     - Initial vulnerability scan
     - Addressing the identified vulnerabilities
       - Install patches / updates
       - If none exist or updating is not feasible for other reasons: search out details of the problem (Secunia, Security Focus Bugtraq, CERT, …) and find alternative ways to reduce the threat
     - Schedule regular vulnerability scans to keep safe

  30. Many available tools
     - MBSA – Microsoft Baseline Security Analyzer
       - Free
       - Scans for missing patches for MS products
       - Alerts on missing or weak passwords and other common security issues
       - Report with a checklist of problems found
     - GFI LANguard
     - Nessus
     - …

  31. Online scanners
     - Many companies offer online services where you can perform vulnerability scans on your servers
     - Example: Security Space – free basic scan online
       - Audits the IP you surf from
       - Scans 1500+ ports: ports 0-1024 and a set of ports known to host possible trojans etc.

  32. Security audit – Security Space
     - https://secure1.securityspace.com
     - Click the "Security Audit" tab
     - Click "Basic"
     - Register to perform a Basic Security Audit
     - Only do this on networks that you control!!! The scan may trigger intruder alarms on corporate or shared firewalls

  33. Nessus
     - Comprehensive vulnerability scanning program
     - Free of charge for personal use in a non-enterprise environment (HomeFeed plug-ins)
     - Typical operation (depending on configuration): port scan to locate open ports on the target, then try various exploits on the open ports
     - New attack scripts are added daily – update plug-ins before using Nessus

  34. Nessus
     - Disable the option "Safe checks"
       - Allows for more thorough testing
       - Some of the tests may cause vulnerable services or operating systems to crash
     - Be careful testing live systems!!!

  35. Nessus Scan Report

  36. Proxy server – a server that acts as an intermediary for requests
     - Caching proxy server
     - Content-filtering web proxy
     - Anonymizing proxy server
     - Hostile proxy – eavesdropping

  37. Exercise – use an open proxy
     - Navigate to a web page with an IP-based limitation
     - Find and use a proxy to access the web page
     - Was it easy? Discuss the limitations. How about security?
     - Be aware – the proxy owner can still sniff out what you are sending
     - Proxy example – you find one

  38. Anonymous communication
     - Anonymizing proxy servers are not safe
     - What can we do?

  39. Onion routing
     - Anonymous communication over a computer network
     - Routing info is encoded using layers of encryption
     - The message travels from source to destination via a sequence of proxies, which re-route messages along an unpredictable path

  40. Tor – The Onion Router
     https://www.torproject.org

  41. Tor Circuit Setup (from http://freehaven.net/~arma/wth1.pdf)

  42.–45. Tor Circuit Setup, continued (figure slides from the same source)

  46. Is onion routing safe?
     - Sept. 2007 – DEranged Security reveals:
       - Tor exit nodes in 5 different locations in the world
       - The nodes were equipped with a packet sniffer, focusing on POP3 and IMAP traffic
       - Keyword and domain filter: gov, government, embassy, military, war, terrorism, passport, visa, …
       - Revealed passwords to e-mail accounts of embassies and governments around the world
     - Lesson: only use it for what it's made for!!!
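To show why the exit node on slide 46 could read POP3 passwords, here is an added Python simulation of the layered routing on slide 39 (not Tor's code): each relay peels one layer and learns only the next hop, while the exit hands on the plaintext. The per-hop keys, relay names and POP3 message are constructed, and the layer cipher is a toy hash-based XOR keystream standing in for the real ciphers Tor negotiates during circuit setup, so the block demonstrates the layering, not Tor's cryptography.

```python
import hashlib
import json
import os

def _keystream(key, nonce, n):
    """Toy keystream: SHA-256 blocks of key || nonce || counter. Illustration only, not a real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def seal(key, plaintext):
    """Encrypt one layer: random nonce || plaintext XOR keystream."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def open_layer(key, blob):
    """Decrypt one layer with this relay's key; a wrong key just yields garbage."""
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(path, destination, message):
    """path: [(relay_name, shared_key), ...] from entry to exit. Wrap from the inside out,
    so the entry relay's layer is outermost and each layer names only the next hop."""
    blob = seal(path[-1][1], json.dumps({"next": destination, "data": message}).encode())
    for i in range(len(path) - 2, -1, -1):                 # middle ... entry
        layer = {"next": path[i + 1][0], "data": blob.hex()}
        blob = seal(path[i][1], json.dumps(layer).encode())
    return blob

def route(path, onion):
    """Simulate the hops. Returns ([(relay, next_hop), ...], plaintext the exit hands on)."""
    trace, blob = [], onion
    for i, (name, key) in enumerate(path):
        layer = json.loads(open_layer(key, blob))           # only this relay's own layer opens
        trace.append((name, layer["next"]))
        if i == len(path) - 1:
            return trace, layer["data"]                     # the exit sees the application data
        blob = bytes.fromhex(layer["data"])

def demo():
    """Constructed keys and a clear-text POP3 login, as the sniffed exit nodes saw it."""
    path = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]
    onion = build_onion(path, "mail.example:110", "USER alice\r\nPASS hunter2\r\n")
    return route(path, onion)
```

The entry and middle relays see only ciphertext and a next hop, but an unencrypted protocol such as POP3 leaves the circuit at the exit exactly as it was typed, which is the lesson of slide 46.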
  47. Exercise till next time
     - Do a vulnerability scan of your own computers
     - Prepare a short presentation on your findings: was it difficult to do? Did you find any vulnerabilities?

  48. Till next time
     - Info / literature / links on Fronter – keep updated!!!
     - Reading: Wireless Network Security: Vulnerabilities, Threats and Countermeasures, http://www.sersc.org/journals/IJMUE/vol3_no3_2008/8.pdf
     - Additional reading:
       - Tor – The Onion Router: https://www.torproject.org and http://wiki.noreply.org/noreply/TheOnionRouter
       - DEranged Security – Time to reveal…: http://www.naavi.org/cl_editorial_07/www_derangedsecurity.pdf
       - OWASP – Best Practices: Use of Web Application Firewalls: http://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
     - Exercise: do a vulnerability scan of your own computer (share your findings via Fronter)