
OV 4 - 1 Copyright © 2005 Element K Content LLC. All rights reserved.

Hardening Internetwork Devices and Services

Harden Internetwork Connection Devices
Harden DNS and BIND Servers
Harden Web Servers
Harden File Transfer Protocol (FTP) Servers
Harden Network News Transfer Protocol (NNTP) Servers
Harden Email Servers
Harden Conferencing and Messaging Servers


Internetwork Devices

Switches
Routers
Firewalls


Unnecessary Network Protocols

Transport protocols

NetBEUI

NWLink

AppleTalk

Service protocols

NNTP

FTP

Others


Firmware Updates


Internetwork Device Vulnerabilities

SNMP
Telnet
Router configuration
Finger
Small server
IP filter
Default ports
IP source routing
ICMP redirect
RIP v1


A DMZ

DMZ

Web server


An Intranet

Employee handbook


An Extranet

Company A

Company C Company B


A VLAN

Point-to-point connection

VLAN switch


NAT

192.168.12.100

NAT Server

192.168.12.20 192.168.12.30

24.96.83.120


Network Media Types

Coax

Twisted pair

Fiber-optic


Network Media Vulnerabilities

Coax vulnerabilities
Twisted-pair vulnerabilities
Fiber-optic vulnerabilities
General vulnerabilities


Hardening Internetwork Devices

Protect the devices while maintaining connectivity
Follow hardening guidelines
Requirements will vary


DNS

everythingforcoffee.com

www.everythingforcoffee.com 192.168.1.2

.com .org


DNS and BIND Vulnerabilities

Spoofing
Hijacking
Cache corruption
Input validation
Environment variables
Zone transfers
Rogue client registrations


Hardening DNS and BIND

Protect the zone information while maintaining service availability
Follow hardening guidelines
Requirements will vary


HTTP

Web client Web server


Web Server Authentication

Web client Web server


Web Server Authentication Methods

Address-based
Anonymous
Basic
Digest
Integrated
Certificates


Web Server Vulnerabilities

Format string
Improper input validation
CGI scripts
Code outside web root
Web server applications
Weak authentication
Clear text transmissions
HTML source code
Buffer overflows


Hardening Web Servers

Protect data and server while maintaining website access
Follow hardening guidelines
Requirements will vary


FTP

FTP

FTP client


FTP Vulnerabilities

Basic authentication
Anonymous and blind FTP
Unnecessary services
Clear text transmissions
Firewall configuration
“Glob”
“Bounce”
File sharing exploitation


SSH

Password
Password is encrypted
Session is secured
011001
slogin


SFTP

SSH encryption
FTP client


Hardening FTP Servers

Protect the server and data while maintaining service
Follow hardening guidelines
Requirements will vary


NNTP

Subscriber


NNTP Vulnerabilities

NNTP

Anonymous access
Password privacy
Data privacy
Email integration


Hardening an NNTP Server

Prevent unauthorized postings and data loss while maintaining service
Follow hardening guidelines
Requirements will vary

NNTP


SMTP

Email client
Email server


Email Vulnerabilities

Email worms
Malicious code
8.3 file names
Data buffers
Spam
Hoaxes
SMTP relays


PGP

Public email security
Encrypt message contents and encrypt key
Digital signing


S/MIME

Security for email attachments
Various attachment file formats
Encryption and digital signing


Hardening Email Servers

Protect server and mail data while supporting email users
Follow hardening guidelines
Requirements will vary


Conferencing and Messaging Vulnerabilities

Sniffing
Eavesdropping
Privacy
Social engineering


Hardening Conferencing and Messaging Servers

Protect server and data, prevent spoofing, maintain service availability
Follow hardening guidelines
Requirements will vary


Reflective Questions

1. Which internetwork connection device do you think is most important to secure?

2. Which poses a greater security threat to your organization: your border router or your email infrastructure?