Page 3: Seminar Objectives
• Provide insight into current efforts and future plans for network security.
• Internet security risk
Page 4: Presentation Outline
Part 1: Threats to Security
Part 2: Performing a Risk Assessment
Part 3: Hacker Technologies
Part 4: Buffer Overflow Exploits
Part 5: Firewalls
Part 6: Denial of Service and Trojans
Part 7: Security Policy
Part 8: How to Handle an Attack?
Part 9: Educational Resources
Page 5: Why Security?
90% of large companies and government agencies had computer security breaches in 2001
Three-quarters suffered financial losses
Most frequent problems
Page 6: Threats to Security
• External threats, such as social engineering or viruses
• Internal threats, such as internal attacks or code vulnerabilities
Page 7: Addressing Internal Threats
• Failure to update hotfixes and security patches
• Blank or weak passwords
• Internal attacks
(Figure: restricted area of network)
Page 8: threat categories (figure)
• Organizational attacks: … or competitive advantage
• Social engineering: bypasses technology to gain network access
• Denial of service (DoS): blocks access to data or services (connection fails)
• Automated attacks: viruses, Trojan horses, and worms; harmful code, malicious programs, self-replicating
• Accidental breaches in security
Page 9: General Prevention
• Test and apply service packs and hotfixes
• Run and maintain antivirus software
• Run an intrusion detection system at the perimeter of your network
• Block all messages containing Readme.exe or Admin.dll attachments
• Reinstall infected systems
Page 10: Protecting E-Mail
… the Outlook address book or send e-mail
Page 11: Protecting Web Servers
• Apply the latest hotfixes
• Install the latest service pack
• Install the security roll-up packages
• Remove unnecessary IIS components
• Install UrlScan with the default rule set
(Figure: Internet Information Service)
Page 12: Protecting File Servers
Remove unnecessary file shares
Use an AGDLP or AGUDLP Strategy
Assign the minimum required permissions
Enforce complex passwords
Page 13: Microsoft Strategic Technology Protection Program
Two-phase program that integrates Microsoft products, services, and support
• Phase 1: Get Secure
• Phase 2: Stay Secure
Page 14: Phase 1: Get Secure
• The Microsoft Security Tool Kit
• … servers that are connected to the Internet
• Toll-free virus support
Page 15: Phase 2: Stay Secure
Worldwide security-readiness events
Tools, updates, and patches
• Enterprise security tools
• Windows Update auto-update functionality
• Bimonthly product roll-up patches
Consulting engagements
Page 16: Part 2: Performing a Risk Assessment
Page 17: Strategies to Manage Risk
Page 18: 4 Implement Security Measures (figure)
Page 19: Identifying the Resources to Protect
Page 20: Identifying the Threats to Resources
• Viruses, Trojan Horses, and Worms
• Social Engineering
• Automated Attacks
(Figure: 2 Identify Threats)
Page 22: External Attacks Most Frequent
• Greater use of Internet
• Tools and techniques evolve to enable new opportunities for attack
Source: 2000 CSI/FBI Computer Crime and Security Survey
(Figure: Frequent Points of Attack)
Page 23: Hacking Tools (figure): password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers / sweepers, stealth diagnostics, packet forging / spoofing, GUI; axis label: Average Intruder
Page 24: Hacking Tools: Kiddie Scripter 2001
Page 25: Part 3: Hacker Technologies
Page 28: The Threats
These hacking tools can easily be downloaded from the Internet => … your system
Page 29: The Threats
Your host does not need to be as famous as yahoo or ebay to be targeted
• … sites
• … activities
Page 32: The Threats: The Trends
… for RLAB segment), our site has received the following security warnings:
– Web page defacement
– Unauthorized system access
– Port scanning
– Ping broadcast scanning
– Telnet probe scanning
Page 33: Part 4: Buffer Overflow Exploits
Page 34
• Identify the victim host vulnerability
• Attack the victim host via this vulnerability
• Establish backdoors for later access
Page 35: How they Hack in?
Some hacking tools can automate the above steps into a single command
• After break-in, use this victim host to … activities
Page 36: How they Hack in?
Buffer Overflow Exploit
• Stuffing more data into a buffer than it can hold
• The excess data overwrites the return address of the function
• When the function returns, execution flow switches to the hacker's code
Page 37: How they Hack in?
Buffer Overflow Exploit (figure: process memory layout, low memory address at the top)
• Text region (program code)
• Data region (initialized / uninitialized data)
• Stack region
Page 38: How they Hack in?
Buffer Overflow Exploit (figure: stack frame layout)
• Function local variable buffer
• Saved frame pointer
• Return address
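As an added example (not from the slides), the following C model of the stack frame on page 38 shows how an unchecked copy into the local buffer spills into the saved frame pointer and then the return address, and how a length check prevents it. The frame layout, the sizes and the functions copy_unchecked and copy_checked are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the frame on the slide, not real stack memory:
 *   [ local buffer (16 bytes) | saved frame pointer (4) | return address (4) ]
 * laid out at increasing addresses, as the figure shows. */
#define BUF_SIZE   16
#define FP_OFF     BUF_SIZE          /* saved frame pointer follows the buffer */
#define RET_OFF    (BUF_SIZE + 4)    /* return address follows the saved FP   */
#define FRAME_SIZE (BUF_SIZE + 8)

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

/* Build a frame with known saved-FP and return-address values. */
void frame_init(frame_t *f, uint32_t saved_fp, uint32_t ret_addr) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + FP_OFF, &saved_fp, sizeof saved_fp);
    memcpy(f->bytes + RET_OFF, &ret_addr, sizeof ret_addr);
}

/* Read back the return-address slot so a caller can see whether it changed. */
uint32_t frame_ret_addr(const frame_t *f) {
    uint32_t v;
    memcpy(&v, f->bytes + RET_OFF, sizeof v);
    return v;
}

/* The flaw described on page 36: the copy never compares n with BUF_SIZE,
 * so any n > BUF_SIZE overwrites the saved FP and then the return address.
 * (The model only has FRAME_SIZE bytes, so callers keep n <= FRAME_SIZE.) */
size_t copy_unchecked(frame_t *f, const uint8_t *in, size_t n) {
    memcpy(f->bytes, in, n);
    return n;
}

/* The fix: bound the copy by the buffer size and refuse oversized input,
 * leaving the saved FP and return address untouched. Returns -1 on refusal. */
int copy_checked(frame_t *f, const uint8_t *in, size_t n) {
    if (n > BUF_SIZE)
        return -1;
    memcpy(f->bytes, in, n);
    return (int)n;
}
```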
Page 39: How they Hack in?
Real Case Study I
• … 137.189 network
• … Daemon) buffer overflow vulnerability of inetd daemon
Page 40: How they Hack in?
Real Case Study II
• … scanning
Page 41: Demonstration: Buffer Overflow in IIS IPP Protocol
Page 42: Part 5: Firewalls
Page 43: Fighting Back
Get Your Security Profile
Set Your Security Policy
Build the Firewall
Page 44: Get Your Security Profile
• Act as a hacker and try to break into your own host
• … applications are vulnerable
• … any monitoring or intrusion detection system)
• … built any firewall?)
Page 45: Set Your Security Policy
• … as minimal as possible
• … you can formulate your host access lists
Page 46: Set Your Security Policy
• sudo
• restrict login shell
Page 47: Build Your Firewall and IDS
• Control and monitor the traffic IN and OUT of your network
• Block any unnecessary network connection from non-trusted hosts and networks
• Define your access rules according to your security policy
• Use packet filtering and application proxy
• Build a sniffer to monitor your internal network traffic
Page 48: Firewall Architecture (figure)
Page 49: Firewall Architecture: architecture using two routers (figure)
Page 50: Firewall Architecture (figure)
Page 51: Build Your Firewall
• How it protects your network
• … detection
Page 52: Firewall in IE Network
Set your own filter rules at your host. Here is an example of how to use ipchains to block all TCP and UDP connections to your host from outside the IE network (137.189.96.0/22), except to port 80:
# accept TCP (protocol 6) to port 80 of this host from anywhere
ipchains -A input -s 0.0.0.0/0.0.0.0 -d your_host_ip/255.255.255.255 80 -i eth0 -p 6 -j ACCEPT
# deny new TCP connections (SYN packets, -y) from outside 137.189.96.0/22
ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y
# deny UDP (protocol 17) from outside 137.189.96.0/22
ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j DENY
Page 53: Firewall Protection Services (figure: LAN, Firewall, Internet)
Page 54: Protecting the Internal Network
Network address translation (figure: internal hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3 behind the firewall)
Translation table columns: Source IP, Source port, Target IP, Target port
Values shown in the figure: 192.168.10.1, 207.46.197.100, 1033, 1998, Any, 80
Page 55: Private Network (figure: SMTP, POP3, IMAP)
Page 57: Stateful Inspection (figure: private network client, firewall, public network)
Client sends a packet from UDP port 4444 (figure labels: Client: UDP 4444, Client: UDP:5555)
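As an added example (not from the slides), this C code models the two mechanisms on pages 54 and 57 together: an outbound packet from the private LAN gets a translated public source port and a state-table entry, and an inbound packet passes only if it answers a recorded flow, so an unsolicited packet to UDP port 4444 is dropped. The table structure, the function names and the reading of the page 54 row as 192.168.10.1:1033 -> 207.46.197.100:80 translated to source port 1998 are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy NAT + stateful-inspection table (not the slide's firewall). */
#define MAX_FLOWS 16
#define FIRST_NAT_PORT 1998     /* first translated source port, as on page 54 */

struct flow {
    uint32_t lan_ip;  uint16_t lan_port;   /* private-side endpoint */
    uint32_t peer_ip; uint16_t peer_port;  /* public-side peer */
    uint16_t nat_port;                     /* firewall's translated source port */
    int used;
};
static struct flow table[MAX_FLOWS];
static uint16_t next_port = FIRST_NAT_PORT;

uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

void fw_reset(void) { memset(table, 0, sizeof table); next_port = FIRST_NAT_PORT; }

/* Outbound packet from the LAN: reuse or create a flow entry and return the
 * public source port the packet leaves with. Returns 0 if the table is full. */
uint16_t fw_outbound(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport) {
    struct flow *spare = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct flow *f = &table[i];
        if (f->used && f->lan_ip == src && f->lan_port == sport &&
            f->peer_ip == dst && f->peer_port == dport)
            return f->nat_port;             /* existing flow keeps its mapping */
        if (!f->used && !spare) spare = f;
    }
    if (!spare) return 0;                   /* full: drop rather than guess */
    *spare = (struct flow){src, sport, dst, dport, next_port++, 1};
    return spare->nat_port;
}

/* Inbound packet from the Internet addressed to nat_port: accepted only if it
 * comes from the peer a LAN host talked to; the private endpoint is returned
 * through lan_ip/lan_port. Unsolicited packets have no state and are dropped. */
int fw_inbound(uint32_t src, uint16_t sport, uint16_t nat_port,
               uint32_t *lan_ip, uint16_t *lan_port) {
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct flow *f = &table[i];
        if (f->used && f->peer_ip == src && f->peer_port == sport && f->nat_port == nat_port) {
            *lan_ip = f->lan_ip;
            *lan_port = f->lan_port;
            return 1;
        }
    }
    return 0;
}
```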
Page 58: Perimeter Networks
A perimeter network: … the private network
Perimeter networks are also known as:
• DMZs
Page 60: Using a Mid-Ground Perimeter Network (figure: Internet, External Firewall, Perimeter Network, Internal Firewall, Internal Network)
Page 61: Firewall Weaknesses
• … for network security
• … target port
• Circuit-level and application filtering can provide protection against these attacks
• … firewalls: … authentication of endpoint systems
Page 62: Demonstration: Snort
Page 63: Part 6: Denial of Service and Trojans
Page 64: Today: Parasitic Attacks
• Internet exploits: take advantage of unwitting accomplices
• All Internet constituents adversely affected:
– End users: loss of data, downtime
– Service providers: loss of revenue, bad publicity
– Software and system vendors: bad publicity, increased support burden
(Figure: Network Attack)
Page 65: Parasitic Hostile Code
Created to steal:
• CPU cycles
• Network bandwidth
• Identity
Page 68: Many to One: Stacheldraht & Trinoo DDoS
• Focused on web servers
– Ties up all ‘incoming lines’
• Uses multiple zombie hosts
• Controlled remotely with automated tool
(Figure: Web Server Requests)
Page 69: Many to Many: Smurf & Fraggle Denial of Service
• Affects all systems on a network segment
– Ties up all ‘incoming lines’
• Spoofed source packets
• Uses multiple routers as amplifiers
(Figure: victims: PC workstation, email server, DB server)
Page 70: Melissa & PrettyPark: Workstation Email Parasites
• Word macro viruses
• Cascading victims
– I attack 50
– Some of which are infected & attack another 50
Page 71: One to Many: Spam
• UBE depends upon unwitting relay hosts
• By default, Sendmail accepts relay requests
– No exploit tools required
• No postage required
Page 72: Parasitic Attacks Need Access
• Provide ONLY the access needed in order to do the job
• Don’t open up too much
• Policy: Least Privilege. Not the possible, just the necessary.
(Figure: domain of accessible data and systems: POSSIBLE vs. Required)
Page 73: How do PCs get infected?
• Manual insertion
• Through shares
• Physical access
Page 74: Demonstration: NuBus Trojan
Page 75: Part 7: Security Policy
Page 76: Top Challenge to Resolving Network Security Issues
Page 77: How to Respond
New attacks, but same old vulnerabilities
Page 78: Written Security Policy
• Written security goals and priorities
• Prioritize information security requirements
• NOT implementation specific
• Develop policy before technical requirements
• If policy isn’t explicit, it’ll be implicit
Page 79: Policy Priorities Vary
Page 81: User Responsibility
• Evaluate security capabilities of suppliers
• Don’t become an ‘Attractive Nuisance’
Page 82: User Risks & Response
Response | Risk
Prevent IP spoofing; disable directed broadcast | Routers used as amplifiers
Control hostile code | Workstations used to mail hostile code
Harden OS | Server hijacked for zombie
Ask ISP for help | Web DoS attack
Page 83: ISP Responsibility
• Privileged position
• Must provide incident response
• Must protect high-bandwidth hosts
• Jealously guard routing and DNS info
• Be prepared to crank up router filtering
• Follow GRIP RFCs
– http://www.ietf.org/html.charters/grip-charter.html
Page 84: ISP Risks and Response
Response | Risk
Prevent source IP spoof; disable directed broadcast | Routers used as amplifiers
No client shell accounts | UNIX host used for zombie
Don’t allow IP spoofing | DDoS
Authenticate xfer requests | SMTP host used as relay
Page 85: How ISPs can Protect Subscribers
• Information
• Router configuration
• Scan e-mail for hostile code
• Provide security software
• Support security standards
– E-mail client authentication
Page 86: Vendor Responsibility
Create products that resist compromise
Provide better access control
Anticipate security risks
Page 87: We’re All in this Together (figure: end users, service providers, software and …; Network Security)
Page 88: The Purpose of the Security Policy
A security policy:
• Defines an organization’s requirements for correct computer and network usage
• Includes procedures to detect, prevent, and respond to security incidents
• Provides a framework for implementing security plans and procedures
Organization security goals reflect:
• The organization’s concerns
• How the organization values data
• How data is secured
Page 89: Categorizing Data
Page 90: Enforcing Security
Conflicting security goals (figure: banking server, banking clients, "Transfer to Savings" shown on the wire as X&6y%43hJ3B@2)
Page 91: The Security Plan Process
1. Set the plan scope
2. Create a project team
3. Develop a plan based on the security policy
4. Test and deploy the plan
Page 92: Defining the Scope of the Security Plan (figure: local office, remote office, remote user, Internet; security plan scope)
Page 93: Creating the Project Team (figure: Project Team)
Page 94: Creating the Security Plan
Page 95: Testing and Deploying the Security Plan
1. Obtain participant feedback
2. Test and implement security plan
3. Project timeline
- All tasks
- Release date
4. Update security plan
Page 96: Part 8: How to Handle an Attack
Page 97: When an Attack Occurs
1. Identify the attack
2. Inform personnel
3. Contain the attack
4. Identify defensive strategies
Page 98
• Review event logs
• Review variations from the baseline performance
• Use intrusion detection systems
Page 99: Identifying the Type of Attack
• Research security resources to gather …
Page 100: Informing Organization Personnel
Notify all personnel of the attack by:
Page 101: Containing the Effects of the Attack
• Shut down affected servers
• Remove affected computers from the network
• Remove the network from the Internet: prevents further exposure from the Internet and prevents your organization from infecting others
• Preserve the evidence
Page 102: Identify Strategies to Defend Against Attacks
• External attacks: … and the private network
• Internal attacks: … clean backup
Page 103: Implementing Preventative Measures
• Maintaining service pack versions: test and install latest service packs and hotfixes
• Running intrusion detection systems: network perimeter and local
• Reviewing event logs regularly: for example, account logon events
Page 104
1. Collect and record attack details
2. Perform a postmortem meeting
3. Develop an action plan for future attacks
4. Modify the security policy and security plan
Page 105: Part 9: Educational Resources
Page 107: Web Resources
2600.com
• Hacker magazine that gives a good perspective of the hacker mindset.
allhack.com
• This Web site features a library and download area. The library features readmes on hacking and learning computer basics for the beginner. The download area contains everything from scanners to flooders to crackers to denial of service (DoS) attacks.
Page 109: Thank You
Feedback Survey