Active Defense and Prevention

Transcription

1 Active Defense and Prevention Coleman Kane October 15, 2014 Cyber Defense Overview Active Defense 1 / 11

2 Active Defense and Prevention are the strategies employed to prevent, obstruct, or otherwise block unwanted access to the system. This lecture will discuss some preventative systems, an overview of their operation, as well as measures which can be taken at the application configuration level for common services to enforce protections against undesirable access. Cyber Defense Overview Active Defense 2 / 11

3 IP firewalls can be used to parse the contents of packet headers and take action based upon the value of certain packet header fields. In a stateful IP firewall, one action that can be taken is to update global state variables within a table which can then be used elsewhere in the firewall to conditionally apply rules/actions. Cyber Defense Overview Active Defense 3 / 11

4 Some examples using Linux s iptables. iptables uses a firewall appraoch where a list of firewall rules are evaluated against every packet, and the first matching rule is used to determine the action to be taken. Linux supports a "default" action, typically either a permissive "ACCEPT" or restrictive "DROP" action. iptables -A INPUT -s j ACCEPT # Allow one client if default is DROP iptables -A INPUT -s /24 -j ACCEPT # Allow an entire network iptables -A INPUT -p tcp dport j ACCEPT # Allow all hosts on a certain port Examples from CentOS IPTables HowTo[1] Cyber Defense Overview Active Defense 4 / 11

5 A proxy server is an application-level gateway which can be used to control access, hide implementation details from view, and add visibility to application traffic. Some example proxy servers are: Privoxy Squid Apache mod_proxy Cyber Defense Overview Active Defense 5 / 11

6 A few applications for proxy servers: Place an HTTPS proxy server in front of an HTTP server, gaining visibility on the encrypted network traffic without sacrificing confidentiality or authentication Route user traffic through a central device to enable filtering and policies Conceal the underlying organization of a system using URL "rewrite" rules Add authentication in front of an application without exposing the auth system to application vulnerabilities Cyber Defense Overview Active Defense 6 / 11

7 Careful selection and configuration of network applications to provide desirable services (e.g. file sharing, , etc.) is an important security practice. Keeping an inventory of your installed application base is also important to helping manage the patching of your network. A few examples with discussion follow. Cyber Defense Overview Active Defense 7 / 11

8 A common legacy Internet file-sharing protocol is called FTP (File Transfer Protocol). Many FTP servers come pre-configured with authorization for unauthenticated "anonymous" users to write arbitrary into a public folder. The SSH protocol (Secure SHell) now provides a similar encapsualted protocol called SFTP (Secure File Transfer Protocol), and there exist many Windows-compatible applications compatible with it. Replacing FTP with SFTP where it is needed can be an effective mitication. Cyber Defense Overview Active Defense 8 / 11

9 The original SMTP, POP3, and IMAP protocols were originally designed as plain-text protocols with simple authentication methods. Since their publication, a number of new features have been added: STARTTLS supporting secure-sockets with modern encryption Challenge-based authentication Mandatory authentication for non-local SMTP Cyber Defense Overview Active Defense 9 / 11

10 Historically, protocols such as Telnet and RSH (Remote SHell) were used to provide access. These protocols lacked modern authentication and encryption. The SSH (Secure SHell) protocol was designed as a replacement for all the use-cases of these protocols, and to overcome some of the inherent security flaws. Cyber Defense Overview Active Defense 10 / 11

11 [1] Christoph Galuschka. Howtos network iptables. September Cyber Defense Overview Active Defense 11 / 11