When the tides of life turn against you... And the current upsets your boat... Don't waste those tears on what might have been... Just lay on your back and float!...

Lecture 6 ~Security In Networks~

Assalamualaikum w.b.t..

In Lecture 6 we were taught about Security In Networks... Topics covered in this lecture:-
~Introduction to Network
~Who cause security problem
~Network security issues
~Network security controls


Overview Of Computer Networks
Definition
• A computing network is a computing environment with more than one independent
processor
•May be multiple users per system
•Distance between computing systems is not considered (that is a communications media
problem)
•Size of computing systems is not relevant


Network Resources
•Computers
•Operating system
•Programs
•Processes
•People


Network Architecture



What Can a Network Provide?
~Logical interface functions
•Sending messages
•Receiving messages
•Executing programs
•Obtaining status information
•Obtaining status information on other network users and their status


Basic Terminology
~Node
•Single computing system in a network.
~Host
•A single computing system's processor.
~Link
•A connection between two hosts.
~Topology
•The pattern of links in a network.


Types Of Network



Network Topology
Bus Topology
•Provides a single communication medium on which any node can place information
and from which any node can retrieve information
•Attachments to the bus do not impact the other nodes on the bus



Star Topology
•Has a central switch (the central host)
•All nodes wishing to communicate do so through the central host
•The central host receives all messages, identifies the addresses, selects the link
appropriate for those addresses and forwards the messages
•Because every message passes through it, the central host sees all traffic and is a
single point of failure



Ring Topology
•Connects a sequence of nodes in a loop or ring
•Can be implemented with minimum cabling
•A circulating token can control access to the loop, giving a “synchronous” ring
(token ring)



Mesh Topology
•Each node can conceptually be connected directly to each other node
•Has integrity and routing advantages
•Not easily subject to destructive failures
•Routing logic can be used to select the most efficient route through multiple
nodes



ISO REFERENCE MODEL
~Open Systems Interconnection (OSI)
•Describes computer network communications.
•Developed by the International Organization for Standardization (ISO).
•Consists of seven layers.
•The model describes peer-to-peer correspondence: the relationship between corresponding
layers of sender and receiver.
•Each layer represents a different activity performed in the actual transmission of
a message.
•Each layer serves a separate function.
•Equivalent layers perform similar functions for sender and receiver.


Layer Responsibilities



Message Assembly In ISO Model



Networks As Systems
~Single System
•A single set of security policies is associated with each computing system.
•Each system is concerned with:
*integrity of data
*secrecy of data
*availability of service
•The operating system enforces its own security policies.


Advantages Of Computing Networks
~Resource sharing
•Reduces maintenance and storage costs.
~Increased reliability (i.e. availability of service)
•If one system fails users can shift to another.
~Distributing the workload
•Workload can be shifted from a heavily loaded system to an underutilized one.
~Expandability
•System is easily expanded by adding new nodes


Who Causes Security Problems
•Hacker
•Spy
•Student
•Businessman
•Ex-employee
•Stockbroker
•Terrorist
•etc


Network Security Problem Areas
~Authentication
•Deals with determining whom you are talking to before entering into a business
deal or before revealing sensitive information
~Secrecy
•What usually comes to mind when people think about network security
~Non-repudiation
•Deals with signatures: proving who sent a message, so the sender cannot later deny it
~Integrity control
•Keeping information from being modified, added to or deleted by unauthorized users


Network Security Issues
~Disadvantages of computing networks
•Sharing
*Access controls designed for a single system may be inadequate once that system's
resources are shared over a network.
•Complexity
*A network may combine two or more systems with dissimilar operating systems and
different mechanisms for interhost connection. Complexity of this nature makes
the certification process extremely difficult.
•Unknown perimeter
*One host may be a node on two or more different networks.
•Many points of attack
*Access controls on one machine preserve the secrecy of data on that processor.
However, files stored on a remote network host may pass through many host
machines on the way to the user.
•Unknown path
*There may be many paths from one host to another, and users generally have no
control over how their messages are routed.
•Label format differences
*A problem which may occur in multilevel systems is that the access labels may
have different formats, since there is no standard.
•Anonymity
*An attack can be passed through many other hosts in an effort to disguise where
the attack originated
*An attacker can work remotely without ever contacting the system administrator or users


Threats In Networks
~Security Exposures
•Privacy
*With many unknown users on a network, concealing sensitive data becomes more
difficult.
•Data Integrity
*Because more nodes and more users have potential access to a computing system,
the risk of data corruption is higher.
•Authenticity
*It is difficult to assure the identity of a user on a remote system.
•Covert channels
*Networks offer more possibilities for the construction of covert channels for data
flow.
~Impersonation
•Can involve physical keys and biometric checks
•A cracker can configure a system to masquerade as another system, thus gaining
unauthorized access to resources or information on systems that ‘trust’ the system
being mimicked
~Eavesdropping
•Allows a cracker to make a complete transcript of network activity
•The cracker can obtain sensitive information such as passwords, data and procedures
for performing functions.
•A cracker can eavesdrop:
*Using wiretapping
*By radio
*Via auxiliary ports on terminals
*Using software that monitors packets sent over the network.
~Denial of service
•A user can render the system unusable for legitimate users by ‘hogging’ a
resource or by damaging or destroying resources
•Attacks may be deliberate or accidental
•3 forms of network denial of service attack:
*Service overloading
*Message flooding
*Signal grounding
~Packet replay
•Refers to recording and retransmitting message packets on the network
•An intruder could replay legitimate authentication sequence messages to gain access
to a system
•Frequently undetectable unless each message carries something the receiver can check
for freshness (a nonce, timestamp or sequence number)
~Packet modification
•A significant integrity threat
•Involves a system intercepting and modifying a packet destined for another system


Network Security Controls
~Encryption
~Strong Authentication
~IPSec,VPN,SSH
~Kerberos
~Firewall
~Intrusion Detection System (IDS)
~Intrusion Prevention System (IPS)
~Honeypot


Encryption
~Link-to-link vs end-to-end
~Link-to-link (link encryption)
•Covers layers 1 and 2 of the OSI model
•Data are encrypted just before they go onto the physical link, and decryption occurs
just as the communication arrives at and enters the receiving computer, so the data
are in plaintext inside every intermediate node along the path.
•If we have good physical security at those nodes, we may not be too concerned about this
exposure.
~End-to-end
•Provides security from one end of a transmission to the other, at layer 6 or 7
•The encryption can be done by:
*A hardware device between the user and the host.
*Software running on the host computer.
•Data stay encrypted through every lower layer and at every intermediate node; only the
sender and the receiver ever see plaintext


Strong Authentication
~In strong authentication, one entity ‘proves’ its identity to another by
demonstrating knowledge of a secret known to be associated with that entity,
without revealing that secret itself during the protocol.
~Also called ‘challenge-response’ authentication.
~Use cryptographic mechanisms to protect messages in protocol:
•Encryption.
•Integrity mechanism (e.g. MAC).
•Digital signature.
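As an added example (not from the lecture), here is the challenge-response idea from the slide in working Python, using an HMAC as the “integrity mechanism”. The verifier sends a fresh random challenge, the prover answers with HMAC(secret, challenge), and the secret itself never goes over the wire. It also shows why this defeats the packet replay threat from earlier: a recorded (challenge, response) pair is useless because each challenge is accepted once. The user name and shared secret are constructed for the example.

```python
import hashlib
import hmac
import secrets


def make_challenge() -> bytes:
    """Verifier side: a fresh, unpredictable nonce for every authentication run."""
    return secrets.token_bytes(16)


def respond(shared_secret: bytes, challenge: bytes) -> bytes:
    """Prover side: prove knowledge of the secret without sending it.
    The response is a MAC over the challenge, keyed with the secret."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Holds the shared secrets and remembers which challenges it has issued and
    consumed, so a recorded (challenge, response) pair cannot be replayed."""

    def __init__(self, secrets_by_user: dict):
        self._secrets = secrets_by_user
        self._outstanding = {}   # user -> challenge currently open for that user
        self._used = set()       # challenges already answered (replay protection)

    def challenge(self, user: str) -> bytes:
        c = make_challenge()
        self._outstanding[user] = c
        return c

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Accept only the challenge we issued to this user, and only once.
        if self._outstanding.get(user) != challenge or challenge in self._used:
            return False
        self._used.add(challenge)
        del self._outstanding[user]
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = respond(secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> dict:
    # Constructed secret; in practice it is provisioned out of band, never sent in the protocol.
    alice_secret = b"alice-shared-secret"
    v = Verifier({"alice": alice_secret})

    # 1. Legitimate run: fresh challenge, correct response.
    c1 = v.challenge("alice")
    r1 = respond(alice_secret, c1)
    genuine = v.verify("alice", c1, r1)

    # 2. Eavesdropper recorded (c1, r1) and replays it: rejected, c1 is spent.
    replay = v.verify("alice", c1, r1)

    # 3. Attacker without the secret answers a fresh challenge: rejected.
    c2 = v.challenge("alice")
    forged = v.verify("alice", c2, respond(b"wrong-secret", c2))

    return {"genuine": genuine, "replay": replay, "forged": forged}
```

The strength of the scheme rests entirely on the challenge being unpredictable and never reused; a verifier that recycled challenges, or a prover that answered any challenge it was handed (including one chosen by an attacker), would lose the replay protection.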


IPSec, SSH, SSL
~IPSec
•Optional in IPv4
•Defines a standard means for handling encrypted data.
•Implemented at the IP layer, so it protects everything above it, in particular TCP and UDP.
•Provides authentication and integrity (AH) and encryption, optionally with integrity (ESP)
~SSH
•Secure remote login (encrypts data sent over the network)
~SSL
•Secure Sockets Layer; encrypts data above the transport layer (on top of TCP).
•SSL interfaces between applications (such as browsers) and the TCP/IP protocols
to provide server authentication, optional client authentication, and an
encrypted communications channel between client and server.


Kerberos
~Supports authentication in distributed systems.
~Kerberos is based on the idea that a central server provides authentication tokens,
called tickets, to requesting applications.
•A ticket is an unforgeable, nonreplayable, authenticated object.
•It is an encrypted data structure naming a user and a service that the user is allowed
to obtain.
•It also contains a time value and some control information.
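To make the three ticket properties on the slide concrete, here is an added, simplified Kerberos-style exchange in Python (my example, not real Kerberos code). A KDC seals a ticket under a long-term key it shares with the service, the client proves it holds the session key by sending an authenticator with a timestamp, and the service checks the ticket's lifetime and rejects a replayed authenticator. The cipher is a toy (HMAC-SHA256 keystream plus an HMAC tag) so the example runs on the standard library only; the real AS/TGS two-step, the client's own key and the principal names are simplified or assumed.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher for this illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (encrypt, then MAC). Stands in for the real
    Kerberos cipher; not for production use."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("tag mismatch: wrong key or tampered data")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """The central server: shares a long-term key with every service and issues tickets."""

    def __init__(self, service_keys: dict):
        self.service_keys = service_keys

    def issue_ticket(self, user: str, service: str, now: int, lifetime: int = 300):
        session_key = os.urandom(32)
        ticket = seal(self.service_keys[service], {           # only the service can open this
            "user": user, "service": service,
            "session_key": session_key.hex(),
            "issued": now, "expires": now + lifetime,          # the time value on the slide
        })
        # Real Kerberos returns the session key encrypted under the client's key; assumed plain here.
        return session_key, ticket


class Service:
    """A server that accepts tickets issued by the KDC."""

    def __init__(self, name: str, key: bytes, max_skew: int = 60):
        self.name, self.key, self.max_skew = name, key, max_skew
        self.seen = set()   # (user, timestamp) authenticators already accepted

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        try:
            t = unseal(self.key, ticket)                        # unforgeable: needs the service key
        except ValueError:
            return "bad ticket"
        if t["service"] != self.name:
            return "wrong service"
        if not t["issued"] <= now <= t["expires"]:
            return "expired"
        try:                                                    # client must know the session key
            a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        except ValueError:
            return "bad authenticator"
        if a["user"] != t["user"]:
            return "user mismatch"
        if abs(now - a["timestamp"]) > self.max_skew:
            return "stale authenticator"
        if (a["user"], a["timestamp"]) in self.seen:            # nonreplayable
            return "replay"
        self.seen.add((a["user"], a["timestamp"]))
        return "ok"


def demo():
    fileserver_key = os.urandom(32)                             # shared by KDC and the service
    kdc = KDC({"fileserver": fileserver_key})
    fileserver = Service("fileserver", fileserver_key)
    now = 1_700_000_000                                         # constructed clock (seconds)

    session_key, ticket = kdc.issue_ticket("alice", "fileserver", now)
    authenticator = seal(session_key, {"user": "alice", "timestamp": now + 5})
    first = fileserver.accept(ticket, authenticator, now + 5)
    replayed = fileserver.accept(ticket, authenticator, now + 6)            # eavesdropper resends it
    late = fileserver.accept(ticket, seal(session_key, {"user": "alice", "timestamp": now + 400}), now + 400)
    forged = fileserver.accept(ticket, seal(os.urandom(32), {"user": "alice", "timestamp": now + 7}), now + 7)
    return first, replayed, late, forged
```

Note that replay detection here depends on the service remembering recent authenticators for at least the clock-skew window, and on the ticket lifetime being short; both are exactly the “time value and control information” the slide mentions.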



Firewall
•What is a firewall?
•A Firewall is a network security device designed to restrict access to resources
(information or services) according to a security policy.
•Firewalls are not a “magic solution” to network security problems, nor are they a
complete solution for remote attacks or unauthorised access to data
•It connects two parts of a network and controls the traffic (data) which
is allowed to flow between them
•Often installed between an entire organisation's network and the Internet
•Can also protect smaller departments
•A Firewall must be the single path of communication between protected and
unprotected networks
•A Firewall can only filter traffic which passes through it
•If traffic can reach a network by other means (a modem, a wireless access point, a
second uplink), the Firewall cannot block it
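Added example (not from the lecture): a small packet filter in Python showing how the “security policy” on the slide is evaluated. Rules are matched in order, the first match wins, and anything not explicitly allowed falls through to the default deny. The addresses, the policy and the sample packets are all constructed for the example; a second, deliberately misordered policy shows the classic mistake of a broad allow placed above a specific deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    dport: Optional[int]   # destination port, None = any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins. Nothing matched => the policy default, which is deny:
    the firewall only lets through what the policy explicitly permits."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return default, None


# Constructed policy (assumed addresses): 10.0.0.0/8 is the organisation's internal
# network, 10.1.1.10 a public web server, 10.2.0.5 the internal database server.
POLICY = [
    Rule("deny",  "tcp", "0.0.0.0/0",    "10.1.1.10/32", 23),    # telnet to the web server: never
    Rule("allow", "tcp", "0.0.0.0/0",    "10.1.1.10/32", 443),   # HTTPS from anywhere
    Rule("allow", "tcp", "10.0.0.0/8",   "10.1.1.10/32", 22),    # SSH only from inside
    Rule("allow", "tcp", "10.1.1.10/32", "10.2.0.5/32",  5432),  # web server to its database
]

# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", "203.0.113.7", "10.1.1.10", 443),   # Internet user browsing
    Packet("tcp", "203.0.113.7", "10.1.1.10", 22),    # Internet host trying SSH
    Packet("tcp", "10.0.0.42",   "10.1.1.10", 22),    # admin from inside
    Packet("tcp", "203.0.113.7", "10.2.0.5",  5432),  # Internet host straight to the DB
    Packet("tcp", "10.0.0.42",   "10.1.1.10", 23),    # telnet, even from inside
]


def evaluate(rules=POLICY, packets=SAMPLE) -> List[str]:
    return [decide(rules, p)[0] for p in packets]


# Pitfall: a broad allow placed above a specific deny silently shadows the deny.
MISORDERED = [Rule("allow", "tcp", "10.0.0.0/8", "10.1.1.10/32", None)] + POLICY


def shadowed_telnet() -> str:
    return decide(MISORDERED, Packet("tcp", "10.0.0.42", "10.1.1.10", 23))[0]
```

`evaluate()` yields allow, deny, allow, deny, deny for the five sample packets: the two denies in the middle come from the default, the last from the explicit telnet rule. With the misordered policy the same telnet packet is allowed, which is why rule order is reviewed as carefully as the rules themselves.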


Intrusion Detection System
~A device, software tool or hardware tool that monitors activity to identify
malicious or suspicious events
~Used to detect unauthorized access to a computer system or network
~IDS components
•Sensor
*generates security events
•Console
*to monitor events and alerts and control the sensors
•Central Engine
*records events logged by the sensors in a database and uses a system of rules to
generate alerts from the security events received
~Types of IDS
•Signature based: matches activity against patterns of known attacks; precise, but
blind to any attack it has no signature for
•Anomaly based: learns a profile of normal behaviour and flags deviations from it; can
catch new attacks, but raises false alarms when legitimate behaviour changes
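Added example (mine, not from the lecture) of the two IDS types run over a few constructed web-server access-log lines. The signature engine looks for known-bad request patterns (a directory traversal and a classic SQL injection string); the anomaly engine first learns a normal request rate per source per minute from a clean window, then flags any source that later exceeds it by a large factor. The log lines, addresses and the factor of 5 are all made up for the example.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format, truncated after the status); not real traffic.
NORMAL = [
    '10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200',
    '10.0.0.6 - - [10/Oct/2023:13:55:03 +0000] "GET /about.html HTTP/1.1" 200',
    '10.0.0.5 - - [10/Oct/2023:13:55:10 +0000] "GET /images/logo.png HTTP/1.1" 200',
    '10.0.0.7 - - [10/Oct/2023:13:55:12 +0000] "GET /login HTTP/1.1" 200',
]
PROBES = [
    '203.0.113.9 - - [10/Oct/2023:13:56:14 +0000] "GET /../../etc/passwd HTTP/1.1" 404',
    '203.0.113.9 - - [10/Oct/2023:13:56:15 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 500',
]
FLOOD = [f'198.51.100.4 - - [10/Oct/2023:13:57:{i:02d} +0000] "GET /search?q={i} HTTP/1.1" 200'
         for i in range(20)]

LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse(lines):
    """Turn raw log lines into events; URL-decode the path so encoded attacks are not missed."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["minute"] = e["ts"][:17]          # "10/Oct/2023:13:55"
            e["path"] = unquote(e["path"])
            events.append(e)
    return events


# Signature engine: a rule base of known-bad patterns.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select|'\s*or\s*'?1'?\s*=\s*'?1"),
}


def signature_alerts(events):
    """Signature based: every request that matches a known attack pattern is an alert."""
    return [(e["src"], name, e["path"])
            for e in events
            for name, pat in SIGNATURES.items() if pat.search(e["path"])]


def learn_baseline(events) -> float:
    """Anomaly based, training step: mean requests per source per minute in a clean window."""
    buckets = Counter((e["src"], e["minute"]) for e in events)
    return statistics.mean(buckets.values())


def anomaly_alerts(events, baseline: float, factor: float = 5):
    """Anomaly based, detection step: sources whose per-minute rate is far above the learned baseline."""
    buckets = Counter((e["src"], e["minute"]) for e in events)
    return [(src, minute, n) for (src, minute), n in buckets.items() if n > factor * baseline]


def run() -> dict:
    baseline = learn_baseline(parse(NORMAL))       # 4 requests over 3 active sources = 1.33/min
    events = parse(NORMAL + PROBES + FLOOD)
    return {
        "baseline": baseline,
        "signature": signature_alerts(events),
        "anomaly": anomaly_alerts(events, baseline),
    }
```

Running `run()` gives two signature alerts, both from 203.0.113.9, and one anomaly alert for 198.51.100.4 with 20 requests in one minute. Note what each engine misses: the signature engine says nothing about the flood, because no single request in it looks malicious, and the anomaly engine says nothing about the two probes, because two requests a minute is perfectly normal. A real deployment runs both.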


Intrusion Prevention System
~network security device that monitors network and/or system activities for
malicious or unwanted behavior and can react, in real-time, to block or prevent
those activities
~Network-based IPS, for example, will operate in-line to monitor all network traffic
for malicious code or attacks
~When an attack is detected, it can drop the offending packets while still allowing
all other traffic to pass
~Intrusion prevention technology is considered by some to be an extension of
intrusion detection (IDS) technology
~In addition, most IPS solutions have the ability to look at (decode) layer 7
protocols like HTTP, FTP, and SMTP which provides greater awareness


Honeypot
~Decoy systems that are designed to lure a potential attacker away from critical
systems
~Designed to
•Divert the attacker from critical systems
•Collect information on the attacker's activity
•Encourage the attacker to stay long enough for the admin. to notice
~Contains fabricated info. that no normal user has a reason to use, so any access to it
is suspect
~Simulated traffic that emulates a real network


Hacking And Prevention
~motivated by the thrill of access and status
•the hacking community is a strong meritocracy
•status is determined by level of competence
~benign intruders might be tolerable
•they still consume resources and may slow performance
•can't know in advance whether an intruder is benign or malign
~IDS / IPS / VPNs can help counter them
~awareness led to the establishment of CERTs
•collect / disseminate vulnerability info / responses
~Hacker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network


Criminal Enterprise
~organized groups of hackers are now a threat
•corporation / government / loosely affiliated gangs
•typically young
•often Eastern European or Russian hackers
~common target: credit cards on e-commerce servers
•criminal hackers usually have specific targets
~once penetrated, act quickly and get out
~IDS / IPS help but are less effective
~sensitive data needs strong protection


Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit perimeter via vulnerable ports
3. use trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes.


Inside Attacker
~among the most difficult to detect and prevent
~employees have access & systems knowledge
~may be motivated by revenge / entitlement
•when employment is terminated
•taking customer data when moving to a competitor
~IDS / IPS may help but also need:
•least privilege, log monitoring, strong authentication
~a termination process to block access & mirror data


Inside Behavior Example
1. create network accounts for themselves and their friends
2. access accounts and applications they wouldn't normally use for their daily jobs
3. e-mail former and prospective employers
4. conduct furtive instant-messaging chats
5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
6. perform large downloads and file copying
7. access the network during off hours.


Hacking And Prevention
~Exploitation of a machine / unauthorized use of machine and network resources
~Hacking involves 5 phases
•Reconnaissance
•Scanning
•Gaining access
•Maintaining access
•Covering tracks


Reconnaissance And Scanning
~Gaining general information on the target host
•Company background
•Number of machines
•Types of machines
•OS
•Domain name
•IP address
•Location


How To?
~Find out initial information
*Google, whois, nslookup
~Find out the address range
*ARIN
*traceroute
~Find active machines
*ping
~Find open ports
*Port scanners
*Nmap
*War dialers
~Figure out the OS
*Nmap
~Map out the network
*VisualRoute
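Added example (mine, not from the lecture): the “find open ports” step as a minimal TCP connect scanner with banner grabbing, which is the simplest thing Nmap does. So that it runs offline, the block first starts a throwaway service on 127.0.0.1 that answers with a constructed SSH-style banner and stands in for the target; the scanner then probes that port and a port known to be closed. The banner text and the service-guessing rules are assumptions for the example.

```python
import socket
import threading

# Constructed banner for the throwaway local service; a real host would send its own.
BANNER = b"SSH-2.0-ConstructedDemoServer\r\n"


def start_banner_listener() -> int:
    """Start a one-shot TCP service on 127.0.0.1 that greets its first client with BANNER.
    It stands in for a real target so the scan can run offline. Returns the port."""
    srv = socket.create_server(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(BANNER)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def pick_closed_port() -> int:
    """Reserve and immediately release an ephemeral port, so we know it is closed right now."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """TCP connect scan: a completed three-way handshake means the port is open.
    If the service speaks first (SSH, SMTP and FTP do), grab its banner as well."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:       # refused or timed out: not open
                results[port] = ("closed", "")
                continue
            try:
                banner = s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                banner = ""                            # open, but the service waits for us to talk
            results[port] = ("open", banner)
    return results


def guess_service(banner: str) -> str:
    """Crude service identification from the banner alone (nmap -sV has thousands of such rules)."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "smtp or ftp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown"


def demo() -> dict:
    open_port = start_banner_listener()
    closed_port = pick_closed_port()
    results = connect_scan("127.0.0.1", [open_port, closed_port])
    state, banner = results[open_port]
    return {"open": (state, guess_service(banner)), "closed": results[closed_port][0]}


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the handshake, so it shows up in the target's logs and in any IDS in the path; that visibility is exactly what the covering-tracks phase later tries to remove, and why defenders watch for one source touching many ports in a short time.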


Gaining And Maintaining Access
~The information gathered in the previous steps helps identify vulnerabilities
~Exploit vulnerabilities to gain access
*An unpatched system is dangerous, as its vulnerabilities have already been published
worldwide
*Milw0rm.com, www.securityfocus.com, insecure.org, etc.
*Vulnerabilities are used to install a backdoor that can be used for future attacks.
~Tools are available online
*BackTrack, Metasploit, etc.


Covering Tracks
~Every activity is logged
~syslog, access log, event log: the attacker's last step is to delete or edit the
entries that record the intrusion


In this lecture the lecturer just went through everything, because he said we are already very used to studying this stuff.. hmm.. true enough.. but.. it's just that we don't really remember it.. he said to just read it ourselves.. so just read it then...


alhamdulillah...



"Live your life in the manner that you would like your kids to live theirs.."
