Securing E-Commerce. Agenda. The Security Problem IC Security: Key Elements Designing and Implementing _06_2000_c1_sec3

Transcription

1 Securing E-Commerce 1 Agenda The Security Problem IC Security: Key Elements Designing and Implementing 2

2 The Security Dilemma Internet Business Value Internet Access Corporate Intranet Internet Presence e-commerce VPN and Extranets Security Considerations 3 Are You Secure? Internet External Exploitation 65+% vulnerable Dial In Exploitation Internal Exploitation 75% vulnerable; 95+% vulnerable externally with secondary exploitation 100% vulnerable Source: Cisco Secure Consulting Engagements,

3 Distributed Denial of Service (DDoS( DDoS) 5 DDoS,, How Does It Work? 1. Scan for Systems to Hack 4. Client Issues Commands to Handlers which Control Agents in a Mass Attack Client System 2. Install Software to Scan for, Compromise and Infect Agents Handler Systems 3. Agents Get Loaded with Remote Control Attack Software Agent Systems 6

4 Smurf Attack ICMP REPLY D= S= ICMP REPLY D= S= ICMP REPLY D= S= ICMP REPLY D= S= ICMP REPLY D= S= Attempt to Overwhelm WAN Link to Destination ICMP REPLY D= S= ICMP REQ D= S= Root Kits 8

5 Application Layer Attacks 9 Network Recon Scorecard: Network Security 0 Hacker 0 Ping sweep Port scan Others Whois DNS Web pages SMTP DNS Internet Attacker HTTP/SSL 10

6 Own a System bash-2.02$ id uid=11117(networkers) gid=1(other) bash-2.02$ cat /etc/shadow cat: cannot open /etc/shadow bash-2.02$ ls -l total 48 -rwxr-xr-x 1 networkersother Nov 10 13:58 ex_lib bash-2.02$./ex_lib Scorecard: jumping address : efffe7b8 Network # id Security 0 Hacker uid=11117(networkers) 01 gid=1(other) euid=0(root) egid=3(sys) # cat /etc/shadow root:07aubkfmbv7o2:11043:::::: toor:r1cjewyewnmdk:10955:::::: daemon:np:6445:::::: SMTP Vulnerability scan CGI-BIN vulnerability Start xterm Buffer overflow vulnerability Get root Result ownership of one host DNS Internet Attacker HTTP/SSL OWNED: HTTP/SSL 11 Exploit Trust Scorecard: Network Security 0 Hacker 1 More recon Log files Processes Config files Password cracking Sniffing Back-end database discovered SMTP Back-End Database DNS Internet Attacker OWNED: HTTP/SSL 12

7 Own the Network Scorecard: Network Security 0 Hacker 752 Past the firewall No more security More recon Vulnerability exploits Hacker has a new playground! DNS SMTP OWNED: Back-End Database Internet Attacker OWNED: HTTP/SSL 13 Security Risks Policy vulnerabilities Configuration vulnerabilities Technology vulnerabilities And People Eager to Take Advantage of Them!! 14

8 Policy The Security Foundation Enterprise-wide security policy Who can see what information? Who can change it? From where? How protected is it? What are the assets? What is the cost? USA UNIVERSAL PASSPORT 15 Network Security: A Physical Analogy Security Camera Security Office Traditional Locks Card Key Guard 16

9 Agenda The Security Problem IC Security: Key Elements Designing and Implementing 17 Elements of IC Security Outside ISP VPN - Intranet/Extranet Internet Access DMZ WWW front-end Inside DB back-end 18

10 Points of Vulnerability Outside Routing Protocol (BGP) IP Services (Ping, ICMP, Trace, Finger) Management of Network Devices De-Militarized Zone O/S and Applications on Web servers Domain Name Services (DNS) Ethernet Broadcast medium Inside Username/Password Port redirection Database communication 19 Access Router ACL (no State Inbound s0) ISP Source Destination Protocol Action Outside DMZ SMTP Permit Outside DMZ SSL,HTTP Permit Outside DMZ DNS Permit Outside Router BGP Permit Outside Outside Any Any Estab. TCP, UDP Replies ICMP Echo/ Reply Permit Permit 20

11 ISP Access Router ISP Ingress to ISP RFC 1918 Address Filtering RFC 2827 Filtering Egress from ISP Rate Limiting (CAR) of: ICMP (ping, ping-reply) TCP SYN, others Return Path Verification ip verify unicast reverse path 21 Private VLANs ISP Promiscuous Port Community A x x Isolated Ports 22

12 Firewall Rules ISP Source Destination Protocol Action Internal Any Any Permit Web Server Back-End Database SQL Permit Pub. SMTP Int. SMTP SMTP Permit Any Any ICMP Echo- Reply Permit 23 Intrusion Detection Systems Host and network both have their place False positives Placement Alarm or enforce? Public Services Internal Users Attacker Internal Services 24

13 Intrusion Detection ISP IDS A IDS A DNS Zone Transfer Requests Trace Route Requests TCP/UDP port scans ping address sweeps Frequent Alarms to be logged IDS B IDS B User/Password sweeps O/S fingerprinting Infrequent but Critical Alarms 25 Agenda The Security Problem IC Security: Key Elements Designing and Implementing 26

14 Implementing Security on E-Commerce te Co-lo Partner ISP-2 1- Route Filter/ACL 2- Wire Rate EX-ACL 3- Per Virtual Port Assignment on SLB 4- Private VLAN on 6K 5- SQLNET, ODBC, JDBC 6- IDS on promiscuous ports of switches 27 Design Considerations High Availability = Uptime = $$$$ Scalability = Return Shopper Manageability = Control Security = Threat Mitigation 28

15 Uptime = $$$$ BGP to two service providers HSRP on the ingress routers Stateful Failover on PIX Firewalls Resiliency built-in to Catalyst Performance = Return Shopper 75xx router with VIP functionality Offload ACL filtering Offload QoS for rate limiting PIX Firewall Supports up to 250,000 sessions and 400 Mbps 30

16 Security Control Implement Good System Administration Implement Proper Trust Model Network Audit and Monitor TACACS+ for administrative login 31 Good System Administration Fundamentals Mailing lists Patches Logging Basics Strong or one-time passwords Encryption Switched infrastructure Tips Firewalls or sysadmins? After you log it, read or analyze it! 32

17 Proper Trust Model Public Host A ok Public Host B x Admin Host C x ok Database Server Host D 33 Network Audit Fundamentals Syslog Least common denominator for most network equipment Nearly all Cisco products support output to a syslog system IP accounting Adds additional visibility into ACL violations Network vulnerability analysis Allows an external perspective of your network 34

18 Optional Network Audit Tools Dedicated log analysis tool Allows drill down into multiple systems for manual event correlation Homegrown scripts Great for specific logging applications Event correlation systems Just beginning to be seen in the market Very promising idea 35 Additional Security Design Options Firewall the Access Router Use the DMZ interface on the firewall Separate E-Commerce links to the Internet DNS hosted by ISP 36

19 Firewall the Access Routers Co-lo Partner ISP-2 PRO No topology impact session vs. packet tracking Multiple perimeters CON Performance impact 37 Separate Internet Links Internet Co-lo Partner ISP-2 ISP-3 ISP-4 VPN Remote Access te-to-te Corporate Internet Access 38

20 Remember One Thing.... OK maybe three: 1. Enforce a Security Policy 2. Embed Security in the Network 3. Monitor the Security Policy 39 Networkers Sessions to go to: Introduction to Security - Securing Electronic Business Deploying Secure Networks Troubleshooting Intrusion Detection Cisco Secure Firewall Product Update Intrusion Detection and Prevention Product Update 40

21 41