Internet Security Specialist Compaq Computer

Transcription

1

2 Internet Security Specialist Compaq Computer

3 Proof of Concept Partners Projects Workshop Seminars Customer Briefings Compaq White Paper Performance White Papers ASE Symposium

4

5 $40-80 billion potential losses in the year % of Fortune 500 networks are hacked 142 new exploits discovered from January 1998 until mid of May % of break-ins are from the internal network

6

7 !"# Security impact E-commerce Inter-networked computing Networked client/server computing Number of installed desktops, workstations, and laptops Time

8 $% & Your data Secrecy: you may not want other people to know it Integrity: you may not want other people to change it Availability: you may certainly want to be able to use (hardware / software / information) it yourself Your resources Your reputation

9 '%# ( ) Corporate Partners Remote User Corporate Backbone Corporate Internet Connection Departmental Internet Connection Leased Lines PC s with Modems Modem Bank VAN Connection

10 !" *+" Identification & Authentication Authorization & Access Control Privacy Integrity Accountability

11 %% % +" Firewalls Packet Filter Stateful Inspection Application Level (Proxies) Virtual Private Networks (VPN) Communicate privately with partners and/or remote/mobile users. Intrusion Detection Log based Network based Vulnerability Assessment Secure your servers and desktops

12 *% %% +" Anti-Virus Single Sign On Centralized Audit Backup/Restore Centralized Security Management Malicious Code Scanning Remote/Biometric/Token Authentication Key Management & Certificate Authority Secure Web and Secure Collaboration Secure Ecommerce Dial-In Authentication Laptop/Desktop Authentication and Encryption

13 ,-

14 $%+" -. & Identification Authentication Authorization Access Control

15 $%" %"& No Security Packet Filters Stateful Inspection Application Level Firewalls (Proxies) Total Security -- No Access

16 ,-' Packet Level Filter Firewall. Application Level Firewall (Gateway Proxies). Stateful Inspection Firewall Internal Networks Router Internet Bastion (WWW, FTP, etc.) Firewall

17 /(",- Internal Host Firewall Server External Host Application Presentation Session Transport Application Presentation Session Transport Application Presentation Session Transport Network Network Network Data Link Physical Data Link Physical Packet Level Data Link Physical

18 0(",- Firewall Server Internal Host Application Application Presentation Presentation Session Session Transport Transport Network Network External Host Application Presentation Session Transport Network Data Link Physical Data Link Physical Application Level Gateway Data Link Physical

19 ,- Firewall Server Internal Host Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Dynamic State Tables Data Link Physical Stateful Inspection External Host Application Presentation Session Transport Network Data Link Physical

20 $%',-)& Control access based on: Source, Destination, Service Time, Day, Date IP Address Hiding Authentication Logging and Notification of events Platform for other security measures VPN/encryption is the first Network security visualization and query tools JAVA/AxtiveX blocking URL grading systems & blockers Virus scanners Security scanners

21 01 2-/0 Address Hiding (Proxy) Internal Host Firewall External Host ftp TCP IP Network Interface Hardware ftpd ftpd gwcontrol TCP IP Network Interface Hardware ftp TCP IP Network Interface Hardware Internal Address Network Address Translation (Packet Filter, Stateful Inspection) Destination Address Data Firewall Address Destination Address Data

22 , 0% Multi use passwords (weak) Same password used every time If guessed or stolen, the system will be compromised Single use passwords (strong) A unique password is generated for each connection Challenge Response Authentication (e.g. CRYPTOCard) Bellcore s S/Key Token Cards Certificates

23 $%,-2* )& Prevent Session Hijacking Wait until a session is established through the firewall Prevent Snooping of network data Data is not encrypted (unless VPN are used) Prevent Modification of network data Data is not check-summed Prevent Re-routing of network data Firewall cannot establish fixed routes Prevent spoofing of network messages Data not signed with a signature

24 3"2-/ 32

25 $%+" -. -%32& Authentication (Packet) Identification Privacy Integrity

26 $%32& Technical Definition: The ability to securely transmit data between two computers systems over an untrusted network. Practical Definition: One or more people sending and receiving , files and transactions over the Internet without fear of that data being viewed or modified by an untrusted or unauthorized person.

27 $%32& Implementation Private connection for Remote Users Company to Remote Office communication Company to other Company (extranet) Types of VPN s VPN Appliance (hardware encryption) Firewall add-on module Software based

28 $%%" 324& Allows for use of the Internet globally There are perceived to be big cost savings in communications versus leased lines Flexible access- easy to turn on and off Allows for monitoring and tracking access attempts and packets

29 $%%" 324& Point to multi-point connections versus point to point Ideal for short term projects Allows for shared fixed cost Security

30 $%% " 324& Internet congestion Encryption of packet data causes performance degradation at gateway Poor Quality Of Service Non-interoperable implementations Export Issues

31 , 32 Privacy Encryption of data Authenticity Identification and verification Integrity Assurance that data is not modified

32 " Encryption Algorithms: Symmetric (Secret Key) - (ex. DES, RC2) Uses the same encryption key for encryption and decryption Asymmetric (Public/Private Key) - (ex. RSA) Different key for encryption and decryption Decryption key cannot be derived from encryption key Signatures Encrypting Secret Keys

33 "5)!''675! Original Message 64-bit blocks Start M1 M2 M3 XOR XOR.. Encryption 56-bit #$ #$ % Encrypted 64-bit Cypher- Block C1 C2 Message

34 ".0! Tom s Public Key Symmetric Key Clear Text Message Kim RSA #$ Message to be Sent

35 ".0 #$ DES Tom s Private Key RSA Symmetric Key Clear Text Message Tom

36 0% 32 Firewalls currently do Authentication Static or traditional passwords One-time Passwords Challenge-Response The future yields standardized Authentication for VPN s Asymmetric Encryption Packet Level Authentication (keyed MD5)

37 32 How to ensure safe delivery of packets? Protocols used in the Virtual Private Network Process. The validity of the data through CRC and Checksums Encapsulation techniques Confidentiality of the packet data (encryption)

38 OSI Model Application Presentation Session Transport Network Data Link Physical Traditional Model Telnet, SMTP, HTTP, FTP TCP,UDP IP, ARP ICMP, IPX Ethernet, Token Ring 10/100Base-T, Coax,etc SSL IPSEC PPTP L2F L2TP Protocols used reside on a layer of the network stack. Popular VPN protocols reside on: Transport Level (Layer 4) Transport - Secure Sockets Layer (SSL) Network Level (Layer 3) Tunneling and Transport - IPSEC Tunneling - PPTP, L2F, L2TP

39 !'51-$/ / Hello, Tom Gateway Internet Gateway Original Packet Hello, Tom To: From: Authentication 128-Bit Checksum To: From: MD-5 Checksum Hello, Tom Checksum: Encryption DES or Encryption Header Key: New IP Header Encryptio n Header To: From:

40 !'51-$/ / Gateway Internet Gateway Hello, Tom Checksum: Hello, Tom Hello, Tom To: From: To: From: MD-5 Checksum Original Packet Re-Checksum Key: Encryptio n Header Encryptio n Header To: From: Decapsulate

41 )

42 $%+" )& Accountability Integrity

43 $% )& Firewalls give barrier protection only. 80% of attacks come from within the internal network Vulnerabilities Intentional Vulnerabilities Human Error Managing Hacker-Related Risk Risk results when an active threat has the ability to exploit a vulnerability & risk equates to business cost (e.g. employee productivity)

44 $%) 8 Intrusion Detection (I.D.) A system can detect an intrusion attempts through various mechanisms. Intelligent sniffers watch for events & looks for possible attack signatures. Regularly run programs check file integrity against known checksums. I.D. systems can either notify, or take actions on their own.

45 ) 9 Attack Detection Attack recognition software detects attacks using either rule based or statistical anomaly approaches Attack Response Attack response software can be configured to react automatically

46 ) Log based Intrusion Detection Large administrative tasks Cannot detect low level network attacks Clients on each machine Centrally managed Network Based Intrusion Detection Network sniffer to look for attack signatures Transparent to users on the internal network Runs on per/network segment basis

47 ( ) Firewall Internet Log Based Intrusion Detection Server Clients Queries clients for logs, usually done in batch mode

48 2-/ ) Firewall Internet Network Based Intrusion Detection Server Clients Sees all network data and attack signatures

49 ), Windows Network Attacks Attacks Web Attacks Probing Attacks Denial of Service Attacks Remote Procedure Attacks Popular Service Attacks FTP Exploits Unauthorized Network Traffic

50 2-/ ) All IP traffic going over the network is scanned Everything can be logged, including username and passwords. The logs should be kept on a secure host

51 30

52 $%+" 30& Accountability Integrity Reliability

53 In order to assess the security of your information, you must first understand the source of RISK

54 )9/ Risk = Threat + Vulnerability Threat Hackers Espionage Unscrupulous employees / contractors Vulnerability Security Holes (OS, modem lines, etc.) Configuration Errors / Human Errors Connection to Public Networks (Internet)

55 30 30 Interrogate computers to find holes/bugs/configuration errors in the Operating System or applications Hackers develop tools to exploit holes/bugs Security Industry develop tools and reports to identify holes/bugs. (Satan, CERT) Identified errors can be easily corrected (Patches, Service Packs)

56 30 % Host Resident Run an application on computer to assess it s host vulnerability Can change host configuration Network Based Server Application Assesses computers on the network Centralized Reporting

57 2-/ 30 Servers Internet Network Based VA Server Firewall R Reports Clients

58 30 '%/ Web Server Security Checks if GET requests returns Directory Checks for vulnerable CGI executables finger, phf, sh, csh, perl, tcsh, etc. Tries to crack Password protected directories Checks for vulnerable servers etc.

59 30 '%/ Firewall Server Security Source Porting Source Routing TCP/IP Spoofing RPC Scans Stealth Scan Denial-of-Service etc.

60 30 '%/ Operation System Security Registry Access File Sharing Brute Force Attacks ping, land, out-of-band, etc. Guest Attacks OS Versions and bugs File Ownership and Permission Tests User Rights and Passwords Hacker Specific Tests etc.

61 ' Objective Firewall VPN Identification Authentication X X X Intrusion Detection Vulnerability Assessment Authorization/ Access Control X Privacy X Integrity X X X Accountability X X X

62 9

63 9 Firewalls and Internet Security - Cheswick & Bellovin Virtual Private Networks - Clip Technologies - RFC s and Drafts- IPSEC (RFC RFC1829); L2TP (draft-ietf-pppext-l2tp-sec-01.txt) ISAKMP/Oakley (draft-ietf-ipsec-isakmp-08.txt) Internet Firewalls and Network Security-- Hare & Siyan Raptor Systems On-line Security Library ( RSA (

64 9 ICSA ( CERT ( CheckPoint ( Microsoft:Virtual Private Networking - Solutions for Virtual Private Networks - Raptor Systems On-line Security Library - Applied Cryptography - Bruce Schneier

65 9 Compaq Security keyword search on security IP Security Vulnerability Information Microsoft Security AltaVista ( Link Sites (points to virtually all ISV s)

66