Information Security: The Big Picture – Part IV

Information Security: The Big Picture - SANS GIAC © 2000
Part IV, Stephen Fried

Agenda
• General Security Introduction
• Telecommunications Fundamentals
• Network Fundamentals
• Network Security
• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
• Conclusion

Next up is Network Security. This section takes our discussion of network protocols and configuration one step further. In it we will learn about network configuration, network attacks, and various other network security topics.

Firewalls
• Firewalls protect "inside" from "outside"
• Can be a single machine or a series of machines
• Allow for filtering and inspection of packets
• Basic types: Application Gateways, Packet Filters, Stateful Inspectors

You hear a lot of talk about firewalls in relation to network security. The name "firewall" comes from the building industry, where it denotes a wall constructed to stop (or at least slow) the spread of fire from one space to another. In network security, a firewall serves the same purpose, but instead of being built from bricks or steel it is built with computers and routers. The concept is still the same: a network firewall is designed to protect what's "inside" the firewall from what may be "outside." Most often you will hear firewalls mentioned in reference to Internet protection, and most companies that are on the Internet today use a firewall to protect their corporate networks from the evils of the Big Bad Internet.

A firewall can be as simple as a single box; in some cases you can even use a network router to handle basic firewall protection. More often, a firewall is a dedicated computer running specialized software that can track and analyze the traffic passing into and out of the network and act quickly to prevent "dangerous" connections. In some instances the "firewall" is actually a system of several computers combined with specially programmed network equipment to offer more robust protection against a wide variety of attacks.

The firewall is preprogrammed with a series of rules specifying the types of traffic it will allow and the types it will not. It operates by looking at each packet that passes through it. It may examine the source and destination address, the application that sent the packet, or even the packet's relationship to other similar packets. It then matches the packet against the list of rules. If the packet is "permitted" by the rule set, the firewall lets it pass. If the packet is "denied" because of a rule violation, the firewall blocks it before it reaches the inside network.

There are three basic types of firewalls:
• Application gateways use a specialized program for each type of application or service that needs to pass through the firewall. Thus there may be a program for web traffic, a program for file transfers, and a program for terminal sessions. The benefit of an application gateway is that it can do a detailed analysis of the packets and can be customized to the particular needs of the organization using the firewall. The disadvantage is that a customized program must be written for each application that uses the firewall. Application gateways are also slower than other types of firewalls and may not stand up to the performance needs of a large network.
• Packet filters simply look at each packet's source, destination, and application (in practice the protocol and port numbers in the header) and make a determination based on the programmed rule set. The advantage of packet filters is that they work very quickly, a plus on large, fast networks. The disadvantage is that their ability to analyze the packet in greater detail is limited.
• Stateful inspection firewalls do a more detailed analysis than packet filters. They look at the packet's relationship to other packets that have passed through and can also look at traffic over time. This allows for a more sophisticated analysis of the traffic and makes for a better firewall.

Demilitarized Zones (DMZs)
• Used in many e-business situations
• Create a "semi-trusted" zone on the network
• Protect DMZ systems from the Internet
• Protect internal systems from the DMZ
(Diagram: Internet, DMZ, Internal Network)

We have seen that firewalls can be used to protect internal organizational resources from the perils of the Big Bad Internet. But firewalls can also be used in many different configurations for different applications. For example, many organizations are rushing to put e-commerce systems on the Internet. This presents a double problem for the organization. First, there is the problem of protecting your systems from the Internet, a problem we have already covered (and will cover more later on). The second problem is protecting the systems on your internal network from the Internet commerce systems. This may sound strange: if the commerce systems are yours, why do you need protection against them? Look back at your Defense in Depth strategy. You need to present multiple layers to attackers in order to better protect your internal systems. So, in the event your Internet-facing systems are successfully attacked, you need something standing between them and your internal network. One answer is a concept called the Demilitarized Zone, or DMZ.

The term Demilitarized Zone comes from the military. It refers to an area of land between two warring armies that belongs to neither side and in which neither army can launch an attack. In network security, a DMZ refers to a small network that sits between the Internet and your real internal network. In this zone sit your e-commerce systems. On one side of the DMZ is a firewall that protects the DMZ from the Internet. On the other side is a firewall that protects the internal network from the DMZ. (Editor's note: in some cases the term DMZ is used to refer to servers placed outside your firewall which have no protection from the Internet. In those cases the term screened subnet is used for a protected area that sits between an external firewall (protecting the screened subnet from the Internet) and an internal firewall (protecting your internal network from the screened subnet). JEK)

Why the two firewalls? The outside firewall serves several purposes. First, it limits which systems and protocols can actually get inside the DMZ and touch the systems there. It also protects against many types of Internet attacks. Remember our mantra: if you are connected to the Internet you need a firewall. So what is the internal firewall for? It protects against the eventuality (not the possibility, the eventuality) that the outside firewall will be compromised and attackers will break into your DMZ systems. The inside firewall limits the systems that the DMZ machines can access. So, if the DMZ systems are successfully attacked, the attackers will have only a handful of internal systems they can even see. DMZs come in many different configurations, and new designs are as common as the companies that use them. If you are planning to put e-commerce systems on the Internet, you might want to look at setting up your own DMZ.
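The difference between a packet filter and a stateful inspector, and the reason a DMZ wants a firewall on each side, is easier to see in code. The following is an added example written for this page, not code from the SANS notes. It models the two-firewall layout of the DMZ slide with a minimal rule engine: the addresses (RFC 5737 documentation ranges for the Internet and DMZ, 10.0.0.0/8 for the internal network), the port numbers and the rule sets are assumptions chosen to match the diagram.

```python
"""Packet filter vs stateful inspection, applied to the two-firewall DMZ layout
from the slides. Added example; not code from the SANS notes."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str                       # CIDR prefix
    dst: str                       # CIDR prefix
    proto: str
    dport: Optional[int] = None    # None matches any destination port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto == rule.proto
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or pkt.dport == rule.dport))


class PacketFilter:
    """Stateless filter: first matching rule wins, default deny.
    It judges every packet on its own header fields only."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action
        return "deny"


class StatefulFirewall(PacketFilter):
    """Same rules, plus a table of flows it has already permitted, so a packet
    is judged by its relationship to earlier packets: replies to a permitted
    flow pass without a rule of their own, and a TCP packet that belongs to no
    known flow and is not a SYN is dropped as unsolicited."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()   # (src, sport, dst, dport, proto) of permitted flows

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if forward in self.flows or reverse in self.flows:
            return "permit"                       # part of an established flow
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                         # no flow and not a new connection
        action = super().decide(pkt)
        if action == "permit":
            self.flows.add(forward)
        return action


# Assumed addresses (RFC 5737 documentation ranges and a private internal net).
WEB_SERVER = "192.0.2.10"     # e-commerce host in the DMZ
DB_SERVER = "10.1.1.5"        # database on the internal network
FILE_SERVER = "10.1.1.20"     # internal host the DMZ has no business reaching
ANYWHERE = "0.0.0.0/0"

# Outer firewall: the Internet may reach only the web server, only on 80/443.
OUTER_RULES = [
    Rule("permit", ANYWHERE, WEB_SERVER + "/32", "tcp", 80),
    Rule("permit", ANYWHERE, WEB_SERVER + "/32", "tcp", 443),
]
# Inner firewall: the web server may reach only the database, only on 3306.
INNER_RULES = [
    Rule("permit", WEB_SERVER + "/32", DB_SERVER + "/32", "tcp", 3306),
]


def run_scenario() -> dict:
    """Push constructed packets through both firewalls and return the decisions."""
    outer = StatefulFirewall(OUTER_RULES)
    stateless_outer = PacketFilter(OUTER_RULES)
    inner = StatefulFirewall(INNER_RULES)
    client = "203.0.113.7"
    results = {}
    # 1. A customer opens HTTPS to the web server: matches an outer rule.
    results["client_syn"] = outer.decide(Packet(client, WEB_SERVER, "tcp", 40000, 443, syn=True))
    # 2. The web server's reply: no rule permits DMZ -> Internet, but the flow is known.
    results["web_reply"] = outer.decide(Packet(WEB_SERVER, client, "tcp", 443, 40000))
    # 3. SSH from the Internet to the DMZ host: no rule, default deny.
    results["ssh_attempt"] = outer.decide(Packet(client, WEB_SERVER, "tcp", 40001, 22, syn=True))
    # 4. An ACK-only probe to 443 with no handshake behind it: the header alone
    #    matches a permit rule, but the stateful firewall knows no such flow.
    probe = Packet(client, WEB_SERVER, "tcp", 40002, 443, syn=False)
    results["ack_probe_stateless"] = stateless_outer.decide(probe)
    results["ack_probe_stateful"] = outer.decide(probe)
    # 5. The web server queries its database through the inner firewall.
    results["web_to_db"] = inner.decide(Packet(WEB_SERVER, DB_SERVER, "tcp", 50000, 3306, syn=True))
    # 6. A compromised web server tries the file server: the inner firewall is
    #    the second layer of the defense in depth.
    results["web_to_fileserver"] = inner.decide(Packet(WEB_SERVER, FILE_SERVER, "tcp", 50001, 445, syn=True))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

Case 4 is the practical difference between the two firewall types: a stateless filter that permits "anything to the web server on 443" also permits a bare ACK to 443, which is enough for an attacker to map which hosts exist behind it; the stateful version drops it because no SYN ever opened that flow. Case 6 shows why the inner firewall earns its keep even when the outer one is doing its job.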
Proxies
• Centralized traffic control
• More efficient use of network bandwidth
• Hides real IP addresses of machines behind the proxy

Do you own any stock in a company? I do, and several times a year I get a mailing from one company or another telling me about their annual meeting and asking me to vote on whatever important issues will be discussed there. The voting form is called a proxy statement, because by filling it out and mailing it in I am allowing somebody else, my proxy, to cast my vote for me (hopefully following my instructions). Networks can use proxies too, and the effect is much the same. A proxy server sits somewhere on the network, usually close to the firewall. When a computer inside the network wishes to communicate with a computer outside the network, it asks the proxy to make the connection on its behalf. The proxy makes the connection and acts as an intermediary between the inside computer and the outside computer.

Proxies make a lot of sense from a network security standpoint. They concentrate network access on a single machine, making firewall rule sets easier to write. They also hide the actual IP address of the internal machine from the outside machine: all the outside machine ever sees is the IP address of the proxy server. This is an important consideration for security-conscious networks that do not want outsiders knowing what IP addresses their inside machines use. Proxies can also store, or cache, information that is repeatedly requested by inside machines. When a subsequent request is made for that information, the proxy returns it from its cache rather than retrieving it again across the network. This leads to faster response times for the inside computers.

Proxy Configuration
(Diagram: inside machines 98.143.54.78, 98.143.54.79, 98.143.54.80; proxy server 98.143.54.212; Internet machine 207.46.131.137)

The diagram on this slide illustrates how proxies work in practice. On this network we have four machines. There are three computers with IP addresses 98.143.54.78, 98.143.54.79 and 98.143.54.80, and a proxy server with address 98.143.54.212. The proxy server is connected to the Internet. When a program needs to connect to a machine on the Internet, the request goes first to the proxy server. The request will say something like "computer 98.143.54.78 needs to talk with computer 207.46.131.137 on the Internet." The proxy server notes the request and then replaces the original IP address with its own, so the request becomes "computer 98.143.54.212 needs to talk with computer 207.46.131.137 on the Internet." The connection is then made to the Internet machine. Once it is established, all communication between the original machine, 98.143.54.78, and the Internet machine is relayed through the proxy server. From the viewpoint of the Internet machine, however, it is communicating with the proxy server, not the inside machine. So even if all three computers on this network are communicating simultaneously with the Internet machine, the Internet machine just sees three connections from the same proxy server, not three connections from three separate computers. It is the responsibility of the proxy server to keep track of which connections belong to which machines.
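That last responsibility, keeping track of which outside connection belongs to which inside machine once every connection carries the proxy's own address, is the part the diagram cannot show. The following is an added example written for this page, not code from the SANS notes. It uses the IP addresses from the slide; the port numbers, the port-allocation scheme and the method names are assumptions, and a real proxy would of course be moving bytes between two sockets rather than just bookkeeping.

```python
"""Connection bookkeeping for a proxy server that substitutes its own address
for the inside machines. Added example; not from the SANS notes. The IP
addresses are the ones on the slide; the port numbers are assumptions."""
from itertools import count
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]   # (ip, port)


class ProxyTable:
    """Tracks which outside connection belongs to which inside host. Once the
    proxy has put its own address on every outbound connection, this table is
    the only thing that can route a reply back to the right inside machine."""

    def __init__(self, proxy_ip: str, first_port: int = 10000):
        self.proxy_ip = proxy_ip
        self._next_port = count(first_port)   # assumed: one fresh port per connection
        # inside (ip, port) + outside (ip, port) -> port the proxy uses toward outside
        self.outbound: Dict[Tuple[Addr, Addr], int] = {}
        # proxy port + outside (ip, port) -> inside (ip, port)
        self.inbound: Dict[Tuple[int, Addr], Addr] = {}

    def connect(self, inside: Addr, outside: Addr) -> Addr:
        """An inside host asks the proxy to talk to `outside` on its behalf.
        Returns the (ip, port) the outside host will see as its peer."""
        key = (inside, outside)
        if key not in self.outbound:
            proxy_port = next(self._next_port)
            self.outbound[key] = proxy_port
            self.inbound[(proxy_port, outside)] = inside
        return self.proxy_ip, self.outbound[key]

    def route_reply(self, proxy_port: int, outside: Addr) -> Optional[Addr]:
        """Map a packet arriving from `outside` at `proxy_port` back to the inside
        host that asked for it. None means nobody asked: unsolicited traffic
        from the Internet never reaches an inside machine."""
        return self.inbound.get((proxy_port, outside))

    def close(self, inside: Addr, outside: Addr) -> None:
        """Forget a finished connection so its proxy port can no longer be used."""
        proxy_port = self.outbound.pop((inside, outside), None)
        if proxy_port is not None:
            del self.inbound[(proxy_port, outside)]


def run_scenario() -> dict:
    """The three inside machines from the slide reach the same Internet host."""
    proxy = ProxyTable("98.143.54.212")
    internet_host: Addr = ("207.46.131.137", 80)
    inside_hosts = [("98.143.54.78", 33001), ("98.143.54.79", 33002), ("98.143.54.80", 33003)]

    # What the Internet host sees as the source of each of the three connections.
    seen_by_outside = [proxy.connect(h, internet_host) for h in inside_hosts]

    # Replies come back addressed to the proxy; the table routes them inside.
    routed = [proxy.route_reply(port, internet_host) for _, port in seen_by_outside]

    # A packet for a proxy port nobody allocated (a scan, say) goes nowhere.
    unsolicited = proxy.route_reply(20000, internet_host)

    # After .79 closes, its proxy port no longer maps to anything.
    proxy.close(inside_hosts[1], internet_host)
    after_close = proxy.route_reply(seen_by_outside[1][1], internet_host)

    return {
        "source_ips_seen_outside": sorted({ip for ip, _ in seen_by_outside}),
        "proxy_ports": [port for _, port in seen_by_outside],
        "routed_inside": routed,
        "unsolicited": unsolicited,
        "after_close": after_close,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:24s} {value}")
```

The Internet host sees exactly one source address and three ports; the `inbound` map is what turns those ports back into .78, .79 and .80. The side effect worth noticing is that a reply nobody asked for has no entry and is simply dropped, which is the same property the stateful firewall above gets from its flow table.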
Network Attack Methods
• Denial of Service
• Distributed DoS
• Session Hijacking
• IP Spoofing
• TCP Sequence Prediction
• IP Fragmentation
• Ping of Death
• SYN Flooding
• Smurf
• Teardrop
• Land
• Spamming
• Junk Mail/Chain Letters
• Man in the Middle
• Session Replay

In the following few slides we are going to talk about various types of attacks that have occurred over the Internet in the past. Before we begin, I should point out a couple of important facts. First, we will not be going into great technical depth about each of these attacks. Some of them can get quite complicated, but we will stick to the high-level description as much as possible. Second, many of these attacks have many variations that have been used over time, and you may hear them referred to in several different ways in your continuing security education. In the interests of time we will restrict our discussion to the original attack and mention variations only as necessary for clarification. Finally, while each of these attacks can be used by itself, you will very often see them used in combination, or see one attack used as the basis for another. For example, many of the attacks are based on some form of Denial of Service.

Denial of Service
• Keeping the computer or network from doing anything useful
• Can be a system crash, more often just flooding it
• Very hard to prevent
• Distributed DoS the latest wrinkle

Denial of Service, or DoS, is one of the most common attacks in use today. It works just like it sounds: it is used to deny service to a system or network. Denial of Service attacks are aimed at preventing a computer or network from performing its normal duties. This can take the form of crashing a computer, but more often it takes the form of flooding the network or computer with hundreds, or even millions, of information or service requests. The computer quickly gets overwhelmed and can't handle the load. Once this happens, service is denied to legitimate users because they can't get the server's attention.

Denial of Service attacks are appealing to attackers for a number of reasons. First, they are deceptively simple to do. As we shall see shortly when we talk about SYN flooding, the methods for performing a DoS attack are not that difficult to learn or perform. Second, depending on how the DoS is performed, all you are doing is preventing legitimate traffic from getting to the server. You do not necessarily have to crash the machine or ruin any of the server's resources. The attacker mentality will say that this is no more harmful than driving slowly on the highway or taking your time in the drive-through line at the bank. Well, tell that to Yahoo, eBay, or any of the dozen other large Internet sites that got hit with DoS attacks in the spring of 2000. To them, the damage and the losses were very real.

Classic DoS attacks occur when a single system or network floods your network with packets. Such an attack can be stopped by instructing your routers or firewalls not to accept packets from that system. However, a new breed of DoS attack has recently surfaced, the Distributed Denial of Service, or DDoS. We'll look at it on the next slide.

Distributed Denial of Service
(Diagram: Attacker, Handler, four Agents and the Victim, connected across the Internet)

In a DDoS attack, the attacker is not a single system or network; the traffic comes from a wide distribution of computers all over the Internet, sometimes seemingly at random. Distributed Denial of Service attacks are more complicated to set up from the attacker's point of view, but their effects can be much more devastating. In a classic DDoS attack there are a number of roles and components. On the roles side there is the Attacker, the Victim, and a number of "innocent" third parties (called Agents) that play an unwilling role in the attack. The attacker breaks into each Agent's computer and plants a program that can perform a DoS attack against the victim. There can be hundreds or even thousands of Agents involved in an attack. One of the Agents is tagged as the Handler. It is the Handler's responsibility to coordinate the attack on behalf of the Attacker. When the Attacker is ready to launch the attack, he contacts the Handler and tells it who the real Victim is, how long the attack should last, and any other information the Agents will need. The Handler relays that information to the Agents and off they go. What the Victim sees is a DoS attack from many different sites all coming at once.

What makes DDoS attacks so unique and powerful is that they use the diversity of the Internet to strengthen the attack. The attack seems to be coming from everywhere at once, and since nothing in IP authenticates a packet's source address, there is no reliable way to tell the real origin of the attack.

Session Hijacking
• Taking over a connection that has already been established
• Bypasses any identification or authentication required to establish it
• Attacker pretends to be the legitimate user

With many computer services a user is required to identify himself to the service and provide proof of his identity. This process is called authentication. Without proper authentication, a computer cannot be assured of the identity of the user and will not grant that user access to its services. Many attackers wish to use services that they would normally not have authorization to use. And while they can try to connect to the computer to gain access to the service, they will not be able to pass through the authentication process.
The answer to this problem is to take over a session that somebody has already established. This process is called session hijacking. In a session hijacking attack, the attacker monitors the network waiting for a user to establish an authorized connection to a computer or service. Then the attacker sets up his computer to look just like the victim's computer, with the same IP address, name, etc. He then uses a Denial of Service attack, or some other method, to block access to the victim's computer and effectively take it off the network. Once this is done, the attacker appears to be the user and computer that originally authenticated. The attacker's computer looks to the service like a legitimate computer, and the attacker never has to authenticate himself.

The rest of the notes survive on this page only as excerpts; each "[...]" marks text that is missing.

[...] broadcast address then re-directs the ping to all the other hosts on that network, which then act as the agents for the attack. Being good little agents, they want to reply to the request. However, the only information they have is the spoofed IP address of the victim. All the computers on the network then send replies back to the poor victim. The victim then becomes overwhelmed with replies. The result can [...]

IP Fragmentation
[...] than a network can handle, they are fragmented into multiple parts
• Fragmented parts are reassembled at the destination
• Attacks: Tiny fragment, Overlapping fragments, Teardrop

In the IP protocol there are allowances for the fact that there may be many different types of equipment, computers, and networks connected together. For instance, a computer [...]

[...] however, the attacker spoofs the information in the echo request. Instead of using the attacker's machine as the source machine, the attacker uses the address of the target machine as the source address. It also uses a broadcast address as the destination instead of a single IP address. Thus the request will be sent to all the computers on the network, A, B, C and D in the diagram. When A, B, C and D get the [...]

[...] weaknesses or bugs in the implementation of the network protocols within the system. Many of these weaknesses arise from the fact that system designers do not think that users (human or automated) will give or use bad input or bad information as part of their processing. The designers may put in some error checking as part of their processes, but by and large they trust that the information given to a program [...]

[...] all the hosts on that network. There are three parties in a Smurf attack: the attacker, the agent(s), and the victim. Note that the agent can also be a victim. To launch the attack, the attacker sends an ICMP echo request (or Ping) packet to the broadcast address of a local network. In addition, the attacker spoofs the source address of the request to be that of the victim. The broadcast [...]

[...] potential capacity problems.

Man in the Middle
(Diagram: Alice, Bob, Melvin)

Man in the Middle attacks are another way attackers gain information or disrupt communications. The diagram on the slide shows a classic Man in the Middle attack. Alice and Bob establish some sort of communication between them. Melvin then intercepts the communications between Alice [...] between them. The only way to prevent Man in the Middle attacks is to encrypt the communications between Alice and Bob so that Melvin will not be able to see or use any of the information in the transmission. (Encryption on its own is not enough: Alice and Bob must also be able to verify that they are talking to each other's keys, otherwise Melvin can negotiate a separate encrypted session with each side and read everything that passes between them.)

Session Replay
• Record transmissions as they occur
• Start another session with the host
• Send old packets during the new session
• Acting as an authorized user

[...] other unique criteria. By putting this information into the formula you get a unique mathematical value for each file. The values for all the files are then stored for future reference. You also recalculate the values every time you knowingly change the files in the system. After the calculations are completed, you then run the same calculations periodically, for instance every day, week or month. If the [...]

[...] packets from the old session. Depending on the application and the protocol in use, the victim computer may once again perform the funds transfer from the last connection. If the attacker is clever (and smart) he will change the account number in the original transmission to his own to receive the benefits of his labor. Session replay attacks are highly dependent on the circumstances of the connection, [...]

IPSec
[...] security at the IP layer
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Offers security services not available in normal IP transmission: access control, connectionless integrity, data origin authentication, protection against replays, confidentiality

Unlike previous efforts that tried to add security at the user application [...]
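The DoS and DDoS slides above draw one practical distinction: a flood from a single system can be stopped by telling the router or firewall to drop that source, while a distributed flood offers no single address to block. The following is an added example written for this page, not code from the SANS notes. It works over constructed connection records (a SYN flood, the example the notes promise to come back to), counts half-open connections per source, and decides which of the two situations a defender is in. The record format, the thresholds and the address ranges are assumptions.

```python
"""Telling a single-source SYN flood (blockable at the router) from a
distributed one, using constructed connection records. Added example; not
from the SANS notes. Thresholds and address ranges are assumptions."""
from collections import Counter
from typing import Dict, List, Tuple

# (src_ip, src_port, dst_port, tcp_flags) for packets arriving at one server;
# "S" is a SYN, "A" the final ACK of the three-way handshake.
Record = Tuple[str, int, int, str]

SYN_THRESHOLD = 50          # half-open connections before we call it a flood
SINGLE_SOURCE_SHARE = 0.8   # one source owning this share of them = classic DoS


def half_open_by_source(records: List[Record]) -> Counter:
    """Count SYNs per source that were never followed by the handshake's ACK.
    A SYN flood leaves exactly these behind: the victim allocates state for
    each one and waits for a third packet that never comes."""
    pending: Dict[Tuple[str, int], str] = {}
    for src, sport, _dport, flags in records:
        key = (src, sport)
        if flags == "S":
            pending[key] = src
        elif flags == "A":
            pending.pop(key, None)   # handshake completed: no longer half-open
    return Counter(pending.values())


def classify(records: List[Record]) -> dict:
    per_source = half_open_by_source(records)
    total = sum(per_source.values())
    if total < SYN_THRESHOLD:
        return {"verdict": "normal", "half_open": total, "sources": len(per_source), "block": []}
    top_src, top_count = per_source.most_common(1)[0]
    if top_count / total >= SINGLE_SOURCE_SHARE:
        # Classic DoS: tell the router or firewall to drop that one address.
        return {"verdict": "dos", "half_open": total, "sources": len(per_source), "block": [top_src]}
    # Distributed: no single address to block; filtering by source does not help.
    return {"verdict": "ddos", "half_open": total, "sources": len(per_source), "block": []}


# --- constructed traffic samples (not captured data) ------------------------

def legitimate_traffic(n_clients: int = 10) -> List[Record]:
    """Each client completes its handshake: SYN then ACK from the same port."""
    recs: List[Record] = []
    for i in range(n_clients):
        src, sport = f"203.0.113.{i + 1}", 40000 + i
        recs += [(src, sport, 443, "S"), (src, sport, 443, "A")]
    return recs


def single_source_flood(attacker: str = "198.51.100.9", n: int = 200) -> List[Record]:
    """One machine sends SYNs from many ports and never answers."""
    return legitimate_traffic() + [(attacker, 50000 + i, 443, "S") for i in range(n)]


def distributed_flood(n_agents: int = 100, per_agent: int = 3) -> List[Record]:
    """Many agents each send a few SYNs; no single source stands out."""
    recs = legitimate_traffic()
    for a in range(n_agents):
        src = f"10.{a // 256}.{a % 256}.1"   # assumed agent addresses
        recs += [(src, 50000 + j, 443, "S") for j in range(per_agent)]
    return recs


if __name__ == "__main__":
    for name, recs in [("legitimate", legitimate_traffic()),
                       ("single-source flood", single_source_flood()),
                       ("distributed flood", distributed_flood())]:
        print(f"{name:20s} {classify(recs)}")
```

The distributed case is the one the notes call "more devastating": the same 300 half-open connections arrive from a hundred addresses, each of which looks like three slightly slow clients, so the per-source block list stays empty and the defender is left with capacity measures (SYN cookies, upstream rate limiting) rather than a simple filter rule. Since the source addresses are not authenticated, the agents' addresses may not even be real.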
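The IP Fragmentation slide lists three attacks on reassembly, tiny fragments, overlapping fragments and Teardrop, and the surviving notes explain why they work: implementations trust that fragments will arrive well formed. The following is an added example written for this page, not code from the SANS notes. It checks a set of fragments for those malformations before a reassembler would touch them. Offsets are in 8-byte units as in the IP header; the sample fragments are constructed, and the 16-byte minimum for a first fragment is an assumed policy value.

```python
"""Checking reassembly input for the fragment attacks the slide lists: tiny
first fragments, overlapping fragments and the Teardrop overlap. Added
example; not from the SANS notes. Fragment offsets are in 8-byte units as in
the IP header; MIN_FIRST_FRAGMENT is an assumed policy threshold."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP identification; all fragments of one datagram share it
    offset: int    # fragment offset field, in 8-byte units
    length: int    # payload bytes carried by this fragment
    more: bool     # "more fragments" flag


# Assumption: the first fragment must carry at least this much payload so the
# whole transport header (TCP ports and flags live in its first 14 bytes) is
# visible to a filter in one piece.
MIN_FIRST_FRAGMENT = 16


def check_datagram(frags: List[Fragment]) -> List[str]:
    """Return sorted finding tags for the fragments of one datagram."""
    findings = set()
    frags = sorted(frags, key=lambda f: f.offset)
    if frags[0].offset != 0:
        findings.add("missing-first-fragment")
    elif frags[0].more and frags[0].length < MIN_FIRST_FRAGMENT:
        findings.add("tiny-first-fragment")   # header split to evade filters

    assembled_end = 0   # bytes of payload reassembled so far
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + f.length
        if f.more and f.length % 8:
            findings.add("bad-fragment-length")   # only the last may be unaligned
        if f.offset == 1:
            # Would overwrite bytes 8-15 of the transport header, TCP flags included.
            findings.add("transport-header-overwrite")
        if start < assembled_end:
            # Teardrop: the fragment ends inside data already assembled, so a
            # naive reassembler computes a negative length for it.
            findings.add("teardrop" if end < assembled_end else "overlap")
        elif start > assembled_end:
            findings.add("gap")
        assembled_end = max(assembled_end, end)
    if frags[-1].more:
        findings.add("incomplete")
    return sorted(findings)


def check_all(frags: List[Fragment]) -> Dict[int, List[str]]:
    """Group interleaved fragments by datagram and check each one."""
    by_id: Dict[int, List[Fragment]] = defaultdict(list)
    for f in frags:
        by_id[f.ident].append(f)
    return {ident: check_datagram(group) for ident, group in sorted(by_id.items())}


# Constructed sample: four datagrams arriving interleaved.
SAMPLE = [
    Fragment(1, 0, 1480, True), Fragment(1, 185, 500, False),   # well-formed
    Fragment(2, 0, 40, True), Fragment(2, 3, 8, False),         # Teardrop-style
    Fragment(3, 0, 16, True), Fragment(3, 1, 16, False),        # overlapping
    Fragment(4, 0, 8, True), Fragment(4, 1, 24, False),         # tiny first fragment
]

if __name__ == "__main__":
    for ident, tags in check_all(SAMPLE).items():
        print(ident, tags or ["ok"])
```

Datagram 2 is the Teardrop shape: the second fragment starts at byte 24 and ends at byte 32, inside the 40 bytes the first fragment already supplied. A reassembler that sets the next fragment's start to the end of the previous one and then computes `length = end - start` gets -8, which is the bug the original attack crashed on. Datagrams 3 and 4 are the two faces of the tiny-fragment trick: either the first fragment is too short to contain the TCP flags a filter wants to inspect, or a second fragment at offset 1 rewrites them after the filter has already passed the first.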

Posted: 26/10/2013, 23:15
