Guide to protecting networks - Eric Vanderburg

GUIDE TO PROTECTING NETWORKSERIC VANDERBURG

2

OBJECTIVES• Describe network security devices

• Describe firewall technology

• Describe intrusion detection systems

• Describe honeypots

3

UNDERSTANDING NETWORK SECURITY DEVICES

• Network security devices• Routers• Firewalls• Intrusion detection systems• Honeypots

4

UNDERSTANDING ROUTERS

• Routers are hardware devices used on a network to send packets to different network segments

• Operate at the network layer of the OSI model

• Routing protocols used by routers

• Link-state routing protocol

• Router advertises link-state to identify network topology and any changes on paths

• Distance-vector routing protocol

• Router passes its routing table to all routers participating on the network

5

UNDERSTANDING BASIC HARDWARE ROUTERS

• Cisco routers are widely used in the networking community

• More than one million Cisco 2500 series routers are currently being used by companies around the world

• Vulnerabilities exist in Cisco as they do in any operating system

• Security professionals must consider these vulnerabilities when conducting a security test

6

CISCO ROUTER COMPONENTS

• A Cisco router uses the Cisco Internetwork Operating System (IOS) to function

• Components

• Random access memory (RAM)

• Holds the router’s running configuration, routing tables, and buffers

• If you turn off the router, the contents stored in RAM are wiped out

• Nonvolatile RAM (NVRAM)

• Holds the router’s configuration file, but the information is not lost if the router is turned off

7

CISCO ROUTER COMPONENTS (CONTINUED)• Components (continued)• Flash memory

• Holds the IOS the router is using• Is rewritable memory, so you can upgrade the IOS

• Read-only memory (ROM)• Contains a minimal version of the IOS used to boot the

router if flash memory gets corrupted

• Interfaces• Hardware connectivity points• Example: an Ethernet port is an interface that connects to a

LAN

8

CISCO ROUTER CONFIGURATION

• Configuration modes:

• User mode

• Administrator can perform basic troubleshooting tests and list information stored on the router

• Router-name>, indicates that you are in user mode

• Privileged mode

• Administrator can perform full router configuration tasks

• Router-name#, indicates that you are in privileged mode

• By default, you are in user mode

• Type “enable” or “en” to change to privileged mode

9

CISCO ROUTER CONFIGURATION (CONTINUED)

• Once in privileged mode, you can change to two more configuration modes

• Global configuration mode

• Administrator can configure router settings that affect overall router operation

• To use this mode, you enter the command config t at the Router-name# prompt

• Router-name (config)# tells the user she is in global configuration mode

10

CISCO ROUTER CONFIGURATION (CONTINUED)

• Once in privileged mode, you can change to two more configuration modes (continued)

• Interface configuration mode

• Administrator can configure an interface on the router

• To use this mode, you enter global configuration mode first

• Next, you enter the command for interface configuration mode and the interface name you want to configure

• Router-name(config-if)# indicates you are in interface configuration mode

11

UNDERSTANDING ACCESS CONTROL LISTS

• There are several types of access control lists

• We will focus on IP access lists

• IP access lists

• Lists of IP addresses, subnets, or networks that are allowed or denied access through a router’s interface

• Two different types of access lists on Cisco router

• Standard IP access lists

• Extended IP access lists

12

STANDARD IP ACCESS LISTS

• Can restrict IP traffic entering or leaving a router’s interface based on source IP address

• The syntax of a standard access list is as follows:access-list [list #] [permit|deny] [source address]

[source wildcard mask]

• [list #] is a number in the range of 1 to 99

• permit | deny] are keywords to permit or deny traffic

• [source address] specifies the IP address of the source host

• [source wildcard mask] signifies which bits of the source address are significant

13

STANDARD IP ACCESS LISTS (CONTINUED)

• Example:access-list 1 deny 173.110.0.0 0.0.255.255access-list permit any

• A wildcard mask is similar to a subnet mask• Example: access-list 1 deny 10.10.1.112 0.0.0.0• The 0s used after the IP address signify that every octet

in the IP address must match the IP address being filtered

• Another example:access-list 1 deny 192.168.10.0 0.0.0.255access-list 1 permit any

14

STANDARD IP ACCESS LISTS (CONTINUED)• Cisco allows a shortcut for the mask 0.0.0.0

access-list 1 deny host 192.168.10.112

• Access lists always end with an implicit deny rule

• To avoid this, you must add the “permit any” statement

access-list 1 deny host 192.168.10.112

access-list 1 permit any

• Steps for applying the access list to an interface

• Enter global configuration mode

• Create the access list

• Enter interface configuration mode

• Use the ip access-group command

15

STANDARD IP ACCESS LISTS (CONTINUED)

• ExampleRouter> en

Password ******

Router# config t

Router(config)# access-list 1 deny 172.16.5.0 0.0.0.255

Router(config)# access-list 1 permit any

Router(config)# int e0

Router(config-if)# ip access-group 1 out

Router(config-if) Ctrl+z [to save and exit global

configuration mode]

Router#

16

EXTENDED IP ACCESS LISTS

• Allow packet filtering based on

• Source IP address

• Destination IP address

• Protocol type

• Application port number

• Syntax for extended IP access lists

access-list [list #] [permit|deny] [protocol] [source IP

address] [source wildcard mask] [destination IP address]

[destination wildcard mask] [operator] [port] [log]

• [list #] is a number in the range of 100 to 199

• [permit | deny] are keywords to permit or deny traffic

17

EXTENDED IP ACCESS LISTS (CONTINUED)

• Syntax for extended IP access lists (continued)

• [protocol] can be IP, TCP, UDP, ICMP, and so on

• [source IP address] is the IP address of the source

• [source wildcard mask] determines significant bits of source IP address

• [destination IP address] is the IP address of the destination

• [destination wildcard mask] determines significant bits of destination IP address

• [operator] can be lt, gt, eq, or neq

18


• Syntax for extended IP access lists (continued)

• [port] port number of the protocol to be filtered

• [log] logs all activity of the access list for the administrator

• Example:access-list 100 deny tcp host 172.16.1.112 host

172.30.1.100 eq www

19


• Applying an access list to an interfaceRouter> en

Password ******

Router# config t

Router(config)# access-list 100 deny tcp host

172.16.1.112 host 172.30.1.100

Router(config)# access-list 100 permit any

Router(config)# int e0

Router(config-if)# ip access-group 100 in

Router(config-if) Ctrl+z

Router#

20

UNDERSTANDING FIREWALLS

• Firewalls are hardware devices or software installed on a system and have two purposes

• Controlling access to all traffic that enters an internal network

• Controlling all traffic that leaves an internal network

• Advantages of hardware firewalls

• They are usually faster than software firewalls

• They can handle a larger throughput than software firewalls

21

UNDERSTANDING FIREWALLS (CONTINUED)

• Disadvantage of hardware firewalls

• You are locked into the firewall’s hardware

• Advantage of software firewalls

• You can easily add NICs to the server running the firewall software

• Disadvantage of software firewalls

• You might have to worry about configuration problems

• They rely on the OS on which they are running

22

UNDERSTANDING FIREWALL TECHNOLOGY

• Firewall technologies

• Network address translation (NAT)

• Access control lists

• Packet filtering

• Stateful packet inspection (SPI)

23

NETWORK ADDRESS TRANSLATION (NAT)

• The most basic security feature of a firewall

• With NAT, internal private IP addresses are mapped to public external IP addresses

• Hiding the internal infrastructure

• Port Address Translation (PAT)

• Technology derived from NAT

• This allows thousands of internal IP addresses to be mapped to one external IP address

24

ACCESS CONTROL LISTS

• Access lists are used to filter traffic based on source IP address, destination IP address, and ports or services

• Firewalls also use this technology

• Creating access control lists in a firewall is a similar process to creating them in a router

25

PACKET FILTERING• Packet filters screen packets based on

information contained in the packet header

• Protocol type

• IP address

• TCP/UDP port

26

STATEFUL PACKET INSPECTION (SPI)• Stateful packet filters record session-specific

information about a network connection

• Create a state table

• Can help reduce port scans that rely on spoofing or sending packets after a three-way handshake

• Stateful packet filters recognize types of anomalies that most routers ignore

• Stateless packet filters handle each packet on an individual basis

• Spoofing or DoS attacks are more prevalent

27

IMPLEMENTING A FIREWALL

• Placing a firewall between a company’s internal network and the Internet is dangerous

• It leaves the company open to attack if a hacker compromises the firewall

• Use a demilitarized zone instead

28

DEMILITARIZED ZONE (DMZ)

• DMZ is a small network containing resources available to Internet users

• Helps maintain security on the company’s internal network

• Sits between the Internet and the internal network

• It is sometimes referred to as a “perimeter network”

29

UNDERSTANDING THE PRIVATE INTERNET EXCHANGE (PIX) FIREWALL

• Cisco PIX firewall

• One of the most popular firewalls on the market

30

CONFIGURATION OF THE PIX FIREWALL

• Working with a PIX firewall is similar to working with any other Cisco router

• Login promptIf you are not authorized to be in this XYZ Hawaii network device,

log out immediately!

User Access Verification

Password:

• This banner serves a legal purpose

• General prompt example:Type help or '?' for a list of available commands.

xyz>

31

CONFIGURATION OF THE PIX FIREWALL (CONTINUED)

• You should enter privileged mode to configure the PIX firewall

• To enter configuration mode in PIX, you use the same command as on a Cisco routerxyz# configure terminal

xyz(config)# ?

• Nameif is a PIX command to name an interface

• PIX allows the administrator to assign values to an interface that designate its security level

• Values can be from 0 to 100

32

CONFIGURATION OF THE PIX FIREWALL (CONTINUED)

• Access lists

• PIX enables an administrator to use descriptive names for the access list instead of numbers

• PIX also uses the implicit deny rule

33

UNDERSTANDING MICROSOFT ISA• Microsoft’s software approach to firewalls

• Microsoft Internet Security and Acceleration (ISA) Server

• Functions as a software router, firewall, and IDS

• ISA has the same functionality as any hardware router

• Packet filtering to control incoming traffic

• Application filtering through the examination of protocols

• Intrusion detection filters

• Access policies to control outgoing traffic

34

IP PACKET FILTERS• ISA enables administrators to filter IP traffic

based on the following:

• Source and destination IP address

• Network protocol, such as HTTP

• Source port or destination port

• ISA provides a GUI for these configurations

• A network segment can be denied or allowed HTTP access in the Remote Computer tab

35

APPLICATION FILTERS

• Can accept or deny data from specific applications or data containing specific content

• SMTP filter can restrict

• E-mail with specific attachments

• E-mail from a specific user or domain

• E-mail containing specific keywords

• SMTP commands

• SMTP Filter Properties dialog box

• Administrator can filter a specific e-mail attachment based on a rule he or she configures

36

APPLICATION FILTERS (CONTINUED)

• Users/Domains tab in the SMTP Filter Properties dialog box

• Administrator can filter e-mail messages sent from a user or from specific domains

• As a security professional, you might be asked to restrict e-mails containing certain keywords

• SMTP Commands tab

• Administrator can prevent a user from running SMTP commands

37

INTRUSION DETECTION FILTERS

• Analyze all traffic for possible known intrusions

• DNS intrusion detection filter

• POP intrusion detection filter

• FTP Access filter

• H.323 filter

• HTTP Redirector filter

• RPC filter

• SMTP filter

• SOCKSV4 filter

• Streaming Media filter

38

ACCESS POLICIES

• Allow administrators to control outgoing traffic

• An access policy consists of the following

• Policy rules

• Site and content rules

• IP filter rules

39

UNDERSTANDING INTRUSION DETECTION SYSTEMS (IDSS)

• Monitor network devices so that security administrators can identify attacks in progress and stop them

• An IDS look at the traffic and compare it with known exploits

• Similar to virus software using a signature file to identify viruses

• Types

• Network-based IDSs

• Host-based IDSs

40

NETWORK-BASED AND HOST-BASED IDSS


• Monitor activity on network segments

• They sniff traffic and alert a security administrator when something suspicious occurs

• Host-based IDSs

• Used to protect a critical network server or database server

• The software is installed on the server you’re attempting to protect

41

NETWORK-BASED AND HOST-BASED IDSS (CONTINUED)

• IDSs are categorized by how they react when they detect suspicious behavior

• Passive systems

• Send out an alert and log the activity

• Active systems

• Log events and send out alerts

• Can also interoperate with routers and firewalls

42

UNDERSTANDING HONEYPOTS

• Honeypot

• Computer placed on the perimeter of a network

• Contains information intended to lure and then trap hackers

• Computer is configured to have vulnerabilities

• Goal

• Keep hackers connected long enough so they can be traced back

43

HOW THEY WORK• A honeypot appears to have important data or

sensitive information stored on it

• Could store fake financial data that tempts hackers to attempt browsing through the data

• Hackers will spend time attacking the honeypot

• And stop looking for real vulnerabilities in the company’s network

• Honeypots also enable security professionals to collect data on attackers

• Honeypots are available commercially and through open-source avenues

44

HOW THEY WORK (CONTINUED)

• Virtual honeypots

• Honeypots created using software solutions instead of hardware devices

• Example: Honeyd

45

SUMMARY• Security devices

• Routers

• Firewalls

• IDSs

• Routers use access lists to accept or deny traffic through their interfaces

• Firewalls can be hardware devices or software installed on computer systems

• Firewalls use NAT, IP filtering, and access control lists to filter incoming and outgoing network traffic

46

SUMMARY (CONTINUED)• Firewall examples

• Cisco PIX (hardware)

• Microsoft ISA (software)

• Stateful packet filters vs. stateless packet filters

• PGP is a free public key encryption program to encrypt e-mail messages

• Demilitarized zones (DMZs)

• Add a layer of defense between the Internet and a company’s internal network

47

SUMMARY (CONTINUED)• Intrusion detection systems (IDSs)


• Host-based IDSs

• Passive IDSs vs. active IDSs

• Honeypots