CHAPTER 4
SECURITY & FIREWALL
CONTENTS
VARIOUS METHODS OF SOCIAL ENGINEERING
SITUATIONS TO WATCH OUT FOR
WAYS THAT INFORMATION CAN BE GLEANED FROM
EMPLOYEES.
VARIOUS WAYS TO SECURE THE USER'S COMPUTER AND
NETWORK ACCESS
ENFORCED POLICIES
ENCRYPTION AND AUTHENTICATION
FIREWALLS.
INCIDENT RESPONSE PLAN
DEAL WITH AN INCIDENT WHEN IT HAPPENS
TEST THE PLAN BEFORE AN ACTUAL INCIDENT OCCURS.
BRBRAITT, Jabalpur
Ch.4/1
CHAPTER 4
SECURITY & FIREWALL
OBJECTIVES
After completing this module, you will be able to:
reduce the number of ways that information can be gleaned from employees.
In a world where security has become an enormous factor and network administration
must cover everything from desktop support to business continuity planning, the scope of
IT duties has widened and budgets have narrowed.
This lesson covers several different aspects of security to help you find ways to keep your
network safe by spotting potential risks in the user environment before an incident
happens and showing you how to handle a security problem, should it occur. The lesson
also helps you evaluate your disaster recovery plan. It guides you through social
engineering, safe telecommuting, and the pitfalls of wireless LAN, and then takes you
through incident response and disaster recovery.
SOCIAL ENGINEERING
You see news articles about network security and vulnerabilities in software and hardware
every day. This visibility has caused security to become a priority in most companies.
Efforts to make sure the network is secure generally focus on how to implement hardware
and software such as intrusion detection, Web filtering, spam elimination, and patch
installation.
One of the biggest threats of which we, as security professionals, are often unaware and
cannot control is social engineering. There's very little attention paid to the person-machine
interaction. This lesson focuses on some of the methods of social engineering that are
commonly used to obtain information that can enable an intruder to penetrate the best
hardware and software network defenses.
Social engineering is a method of obtaining sensitive information about an office through
exploitation of human nature. It's an attempt to influence a person into revealing
information or acting in a manner that would disclose information that normally would
not be provided. It's based on the trusting side of human nature and people's desire to be
Gather intelligence.
In the intelligence-gathering phase, the attacker can find readily available information
through the following:
Dumpster diving
Web pages
Ex-employees
Vendors
Contractors
Strategic partners
This information is the foundation for the next phase, in which the intruder looks for
weaknesses in the organization's personnel. Some of the most common targets are people
who work in the following areas:
Help desk
Tech support
Reception
Administrative support
Ego attacks
Sympathy attacks
Intimidation attacks
These attacks are discussed in further detail a little later in this lesson.
Employee manuals
Training manuals
Hard drives
Floppy disks
CDs
Printed e-mails
TIP
All these items should be disposed of properly. You should formulate a policy on
destruction of data. The safest policy is to physically destroy the media and the
information stored on it. Destruction is the only safe method of completely removing all
traces of information stored on a removable media device. All paper-generated
information should be shredded and/or taken away by a bonded destruction office.
You receive a call from someone saying he's a General Manager. He states that
he's in real trouble. He's attempting to do a presentation for Microsoft and has
forgotten his password; therefore he can't log into the Web site to do the
presentation. He just changed it yesterday and can't remember what it is. He needs
to have it right away because he has a room full of clients waiting and he's
starting to look incompetent. This is an extremely important client that could
mean millions of dollars in revenue for the office.
Someone you have never seen before approaches you as you're entering a secured
building. She has her hands full carrying coffee and doughnuts. She smiles
sweetly and says she has her ID badge in her pocket, but just doesn't seem to have
an extra hand to swipe the card and still carry all she has. She asks that you please
hold the door for her.
You receive a call from the corporate office saying that a new mail server is being
put into place and there's an immediate need to verify current user accounts and
passwords. You are told that it's not safe to send this information via e-mail, and
are asked to please print it off and fax it directly to a number given to you. You're
told that the number is a direct line for the person putting the new server into
place.
Insists there's some urgency to complete some task or obtain some information.
If met with resistance, uses intimidation and threats such as job sanctions or
criminal charges.
WARNING
Employees can exploit social engineering just as well as outsiders. Keep in mind that
more damage is done to a network by disgruntled employees than by outsiders.
You'll learn how to recognize a social engineering situation shortly. Here's a scenario that
actually happened:
A user came to a network administrator with his laptop and requested that it be joined to
the domain. The administrator logged the user off the laptop, logged in as himself, and
joined the laptop to the domain. So, what's wrong with that? The user had keystroke
logging software installed on the laptop. He proceeded to go back to his work area, read
the log file, log in as the administrator, browse to the main server, and copy the SAM
(Security Accounts Manager) to a file. (For those of you unfamiliar with the SAM, it
holds user account information that includes usernames and passwords.) He took the file
home and that evening ran L0phtCrack, which is password-cracking software, on the file.
The next day, he had the logins and passwords for every user in the office. He
periodically logged in as other users and accessed information he should not have. As
time went by, he got bolder, logging in as the administrator and shutting down services,
causing problems on the network. Eventually, his bragging got him into a bind and he
was dismissed for his actions. The best way to avoid this type of situation is to never join
a machine to the domain from a user's machine. The account should be created at the
server console instead.
Learn to recognize a social engineering situation
Well, now that you know about the methods of social engineering, it's time to look at
how to spot a potential situation. To keep from becoming a victim, you should know how
to recognize an intruder. You can be neither suspicious nor trusting of everyone, so where
do you draw the fine line?
All employees should have a security mind-set and be able to question situations
that do not seem right.
Cleaning crews should search the wastebaskets for sensitive information and turn
it over to management.
Policies need to be in place for data destruction, including paper, hard drives,
CDs, disks, and so on.
Require all guests to sign in, wear a guest badge, and be escorted within the
office.
Extra security training in the area of social engineering and office security
policies should be provided for security guards, receptionists, and help desk
employees.
Put policies in place for how to handle situations where an unknown person tries
to slip in with a legitimate employee (called tailgating). Be sure that all employees
know the policy and enforce it.
Instruct employees on what can and cannot be discussed in social settings outside
of work.
Have policies regarding e-mail and voice mail notifications for employees on
vacation or out of the building for a period of time.
This by no means covers everything or all situations. The important factors to remember
are that there must be policies in place and that all employees must be aware of these
policies. Training must start as soon as the job begins. Employees should know they play
a part in the security of the office and that their jobs depend on their vigilance.
You're faced with customer service and courtesy issues every day. Technology cannot
control these situations. We all must rely on each other to use our best judgment when
revealing information about our office and ourselves. Remember, the best defense is a
good set of policies, proper education, and continued awareness training.
Requiring that the machine be either disconnected from the network and the
Internet or turned off completely when the employee finishes working for the day.
Mandating that a boot disk be handy in the event a virus renders the machine
unusable.
Requiring that the operating system and all applications on the machine be kept
up to date.
TIP
Post information about patches and updates, whether the IT department supplies them or
the employee is expected to acquire them on his own. Once posted, there is no excuse for an
employee failing to comply.
Then compare the current responses with the condition in which the machine left the
office. If this is done on a regular basis, you will soon be able to tell who is using the
computer strictly for work purposes and who is not. Often, what you'll find is that
children use the computer to play games and download music files. These require the
installation of additional programs. They also take up disk space and may require better
video cards as well as extra memory.
With policies in place, let's see how machines can be set up to securely connect to the
work environment from home.
Users in an organization can dial a local Internet access number and connect to
the corporate network for the cost of a local phone call.
Administrative overhead is reduced with a VPN because the ISP (Internet Service
Provider) is responsible for maintaining the connectivity once the user is
connected to the Internet.
For users who travel, a local access number usually is available. If possible, you should
provide this information to employees who travel -- it saves phone calls to the help desk
and enables them to test the numbers before they have to give presentations.
Figure 1 shows how a VPN works. Setting up the users' computers (clients) to connect to
the server is a two-step process:
Once the client is set up, it can use the VPN. Here's how a client uses a VPN to access a
corporate LAN through the Internet:
The remote user dials into his local ISP and logs into the ISP's network.
The user initiates a tunnel request to the server on the corporate network. The
server authenticates the user and creates the other end of the tunnel.
The user then sends data through the tunnel, which is encrypted by the VPN
software before being sent over the ISP connection.
The server receives the encrypted data, decrypts it, and forwards it to the
destination on the corporate network. Any information sent back to the remote
user is encrypted before being sent over the Internet.
VPNs provide great opportunities for employee productivity while reducing long-distance
charges, and a good VPN guarantees privacy and encryption. But it is
authentication that ensures the integrity of the data.
We've discussed the situations that home users get themselves into and how easily
passwords can be breached on unsecured machines. In order for a VPN to provide the
level of security that's intended, a solid means of authentication must be established. This
brings us to two-factor authentication.
In two-factor authentication, a user must supply two forms of ID before she can access a
resource: one is something she knows, such as a password, and the other is something she
has or is. For example, you may be required to type a password and place your thumb on a
thumbprint scanner to properly identify yourself. Figure 2 illustrates this type of
authentication.
Voluntary
Compulsory
In voluntary tunneling, the situation is as described earlier and shown in Figure 2-1. The
cable modem dials the ISP, and the user is then connected to the VPN server via the
Internet.
In compulsory tunneling, the tunnel is set up between two VPN servers that act as routers
for network traffic. This type of tunnel is most useful for connecting a remote office with
its own network to a central office. Sometimes as an office is growing, it allows
employees to run offices out of their homes with those employees hiring several people to
work for them, or it may be in the situation where a contractor works out of an office that
is shared by other contractors. Figure 3 shows an example of this type of tunneling.
ZoneAlarm
BlackIce
Hardware firewalls
Hardware firewalls provide an additional outer layer of defense that can more effectively
hide one or more connected PCs. There are inexpensive router appliances that move
traffic between the Internet and one or more machines on home networks, which simply
hide the IP addresses of PCs so that all outgoing traffic seems to come from the same
address. Recently, router manufacturers have been including actual firewalls that block
inappropriate inbound and outbound traffic, making these a much better choice.
In general, the average user will like the nature of hardware solutions because they
operate in the background without generating as many queries and alerts as software
firewalls. In addition, the physical installation is easy, but the normal home user won't
know how to configure the firewall should the default settings not be strong enough.
INTRUSION DETECTION
We will see what actually happens when your network is invaded or damaged. We
develop and deploy hardware and software in such an extremely quick fashion to meet
the demand of business and home consumers that we don't always take the time to be
sure that these technologies are properly tested and secured. This puts our networks at
risk not only from the professional cracker but also from curious or disgruntled
employees.
Let's first look at intrusion detection and intrusion prevention systems that can help spot a
potential intrusion.
Examine intrusion detection systems
One of the best ways to catch an intruder before too much damage is done is through
IDSs (intrusion detection systems), which are designed to analyze data, identify attacks,
and respond to the intrusion. They're different from firewalls in that firewalls control the
information that gets in and out of the network, whereas IDSs can identify unauthorized
activity.
Intrusion-detection systems are also designed to catch attacks in progress within the
network, not just on the boundary between private and public networks. The two basic
types of IDSs are network based and host based. As the names suggest, network-based
IDSs look at the information exchanged between machines, and host-based IDSs look at
information that originates on the individual machines. Here are some specifics:
Network-based IDSs monitor the packet flow and try to locate packets that may
have gotten through the firewall and are not allowed for one reason or another.
These systems have a complete picture of the network segment they are
configured to protect. They see entire network packets, including the header
information, so they're in a better position to distinguish network-borne attacks
than host-based IDS systems are. They are best at detecting DoS (Denial of
Service) attacks and unauthorized user access. Figure 4 details a network-based
IDS monitoring traffic to the network from the firewall.
Host-based IDSs (sometimes called HIDSs) monitor communications on a host-by-host
basis and monitor traffic coming into a specific host for signatures that
might indicate malicious intention. They also monitor logs to find indications that
intrusions or intrusion attempts are going on, and some of the HIDSs also
monitor system calls and intercept them. These types of IDSs are good at
detecting unauthorized file modifications and user activity.
Network-based IDSs try to locate packets not allowed on the network that the firewall
missed. Host-based IDSs collect and analyze data that originates on the local machine or
a computer hosting a service. Network-based IDSs tend to be more distributed.
Host-based and network-based approaches are complementary to each other because they
have different strengths and weaknesses. Many successful intrusion detection systems are
built using mixes of both, and ultimately, this is what network administrators should
consider for their own environments.
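As an added example (my own code, not from the lesson), the following script shows two host-based checks of the kind described above: a file-integrity comparison against a recorded baseline to catch unauthorized file modifications, and a scan of constructed sshd-style log lines for repeated failed logins followed by a success from the same source. The log format, the threshold of three failures and the sample files are assumptions.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 fingerprint of every monitored file (path -> digest)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def file_changes(base: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, str]:
    """Compare the host's files now against the baseline taken earlier."""
    now = baseline(current)
    changes: Dict[str, str] = {}
    for path in sorted(set(base) | set(now)):
        if path not in now:
            changes[path] = "deleted"
        elif path not in base:
            changes[path] = "added"
        elif base[path] != now[path]:
            changes[path] = "modified"
    return changes


# sshd-style messages (assumed format); group 1 is the user, group 2 the source
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")


def login_alerts(lines: List[str], threshold: int = 3) -> List[Tuple[str, str]]:
    """Flag a source once it reaches `threshold` failures, and flag any
    successful login from a source that had already reached it."""
    failures: Dict[str, int] = defaultdict(int)
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(("brute-force", src))
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if failures[src] >= threshold:
                alerts.append(("success-after-failures", f"{user}@{src}"))
    return alerts


# Constructed sample data: a baseline, a later snapshot with an account
# appended to /etc/passwd and a dropped script, and a short auth log.
BASE_FILES = {
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
    "/usr/bin/login": b"\x7fELF-sample-binary-v1",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n",
    "/usr/bin/login": b"\x7fELF-sample-binary-v1",
    "/tmp/.hidden": b"#!/bin/sh\n",
}
SAMPLE_LOG = [
    "Mar 12 02:14:01 host sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2",
    "Mar 12 02:14:03 host sshd[811]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "Mar 12 02:14:04 host sshd[815]: Failed password for alice from 192.0.2.9 port 50200 ssh2",
    "Mar 12 02:14:05 host sshd[811]: Failed password for bob from 198.51.100.7 port 40114 ssh2",
    "Mar 12 02:14:07 host sshd[815]: Accepted password for alice from 192.0.2.9 port 50201 ssh2",
    "Mar 12 02:14:09 host sshd[811]: Accepted password for bob from 198.51.100.7 port 40116 ssh2",
]
```

On the sample data, `file_changes` reports the modified password file and the added script, and `login_alerts` raises one brute-force alert for 198.51.100.7 and one for the subsequent successful login from it, while the single failure from 192.0.2.9 stays below the threshold.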
When an IDS alerts a network administrator of a successful or ongoing attack attempt, it's
important to have documented plans for incident response already in place. There are
several forms of response, including the following:
It actually secures internal resources from attacks based inside the network by
restricting behavior of potentially malicious code, providing a record of attack,
and notifying enterprise security personnel when an attack is repelled.
It defines appropriate behaviors and then enforces those behaviors on every end-user
desktop and network server across an enterprise. By looking at system and
application behavior and defining which actions are legitimate and which are
suspect, an IPS can stop an errant system action when it attempts to do something
that is not in the realm of expected behavior.
Rules can be configured to control which type of actions applications can perform
on files and system resources. Running as intelligent agents, these systems intercept
system actions, check the rules, and then allow or deny the action in
question based on those rules.
Statistical logging data can be used to generate reports that indicate overall
network health. IT staff can monitor how current rule sets are working and adjust
them, if necessary.
For an intruder, the real value of your network lies in key machines such as database
servers and the information they contain. An intruder won't celebrate breaking through
your firewall if all it gets him is access to a couple of printers. The idea of intrusion
prevention is to ensure exactly that. By allowing only certain behaviors on critical hosts,
the technology leaves an intruder with little freedom to do anything malicious.
If you have a personal firewall such as Norton Personal Firewall or ZoneAlarm, you
may've already seen intrusion prevention in its simplest form. Recall from the above that
this type of software relies on rules and scanning to spot inappropriate activity. It uses
predefined attack signatures, and it also learns what behaviors you'll allow every time
you click yes or no when an application wants to do something.
WARNING
Sometimes the data that is collected by these systems is overwhelming. When you start
trying to do something with the intrusion detection data, you realize the magnitude of
deciphering or reading the data is well beyond the resources and time you want to put in
to make it effective.
Often, incidents happen even though you have firewalls and intrusion detection. So,
you've got ten thousand alarms going off, five of them are probably valid, two of them
you really need to do something about, but you don't have the time or the resources to
find what those five are and what the two really are. You end up doing nothing because
you don't know how to respond. Please do not let this happen. Make the time and
resources to use these tools effectively.
Preventing actual damage to your company's business functionality is critical to
protecting today's open networks. Intrusion prevention technology serves as a strategy for
those who desire proactive and preventive security measures in the face of attacks.
No incident response solution is complete without a proper plan, so let's tackle that next.
A war room where the response team can assemble and strategize.
Contact information for the response team, vendors, and third-party providers.
Software listing of the operating systems and applications being used so the scope
of the incident can be properly assessed.
Assign roles
The incident response team is responsible for containing the damage and getting the
systems back up and running properly. These steps include determination of the incident,
formal notification to the appropriate departments, and recovering essential network
resources. With this in mind, the team should comprise the following personnel:
Create rules
Some basic rules should apply to the response team, which could include the following:
The entire team is responsible for the success of the incident handling.
Everyone works from the war room. This is the central command post and
investigation takes place here.
Lastly, procedures need to be put into place. Let's discuss those procedures now.
Plan the procedures
Incidents happen from time to time in most organizations no matter how strict security
policies and procedures are. It's important to realize that proper incident handling is just
as vital as the planning stage, and its presence may make the difference between being
Initial communication: Notify key personnel, such as the security department and
the response team.
Assemble the response team: Converge in the war room for duty assignment.
Decide who will be the lead for the incident.
Initial containment of the incident: Diagnose the problem and identify potential
solutions. Set priorities and follow them closely. The incident response team has
to be clear about what to do, especially if the potential damage is high.
Intrusion evaluation: Escalate the problem to additional teams if necessary. The key
is to understand what actually happened and how severe the attack was.
Collect forensic evidence: Gather all of the information learned about the incident
up to this moment and store it in a secure location on secure media, in case it's
needed for potential legal action.
Other companies: The incident may be reported to IT security companies for help
or notification to other companies.
News media: If the company is large enough, and the event is worthy of a news
story, expect to be contacted by the media. There needs to be one person
authorized to speak to the media. Incident handling personnel must be aware of
this and direct all media queries to the appropriate team member.
Prepare an incident report: Determine and document the incident cause and
solution. This report is an internal document that puts everything in perspective,
from the minute the incident was noticed until the minute the service was
restored.
Calculate damage: The ultimate dollar figure should look beyond actual and
obvious losses associated with service outages and business interruptions to
include all costs resulting from the incident, such as legal fees, loss of proprietary
information, system downtime costs, labor costs, hardware/software costs,
consulting fees, bad reputation, and publicity.
Summary and updates: Gather the entire security response team for a meeting and
review the process and timelines in detail making any modifications that are
necessary to the plan.
This is a brief model and by no means is a complete plan. Every company must evaluate
its needs and plan accordingly. Once a plan is formulated, it must be tested, which brings
us to the last part of this lesson.
Test the plan
You formulate a plan, put it on a shelf, and when an incident happens, you realize there
are huge flaws in the plan. You forgot something or the person that you picked to do
internal communications support did an extremely poor job of handling his
responsibilities and left even though the rules for the team stated otherwise. The security
response team lead needs to be sure that every person onboard did the best they could and
performed the most appropriate action given the circumstances. This person also needs to
look at the situation to see if the overall strategy of the department is useful or where it
needs changing or fixing. The only way to do this before an actual incident is to test the
plan ahead of time.
The approach taken to test the plan depends on the strategies selected by the company.
Many times tests are conducted by what are called Tiger Teams. This can be an outside
group of consultants. The tests are often conducted without notification to the
departments involved in order to see how well the plan functions.
The following are key components of a testing plan:
Define the test purpose and approach: Specify the incident that is to be tested.
How a virus infection is handled will be different from how to handle a Denial of
Service attack or a Web server defacement.
Identify the test team: Specify whether employees or outside consultants will
conduct the test. No response team members should be on the test team because
they will be responsible for handling the incident.
Structure the test: Plan exactly what you want to accomplish and set up the
equipment in a testing environment.
Conduct the test: To be most effective, this should be done without prior
notification to the departments involved, because that is how incidents happen.
Analyze test results: Evaluate how well or poorly everyone responded and how
easily the incident was resolved.
Modify the plan: After a dry run, there are usually some modifications. Be sure
they're implemented.
FIREWALL
CONTENTS
FAQ.
OBJECTIVES
After completing this module, you will be able to:
In its most basic terms, a firewall is a system designed to control access between two
networks.
There are many different kinds of firewalls: packet filters, application gateways, or
proxy servers. These firewalls can be delivered in the form of software that runs on an
operating system, like Windows or Linux. Or, these firewalls could be dedicated
hardware devices that were designed solely as firewalls.
Source IP address
Destination IP address
For example, to allow e-mail to and from an SMTP server, a rule would be inserted into
the firewall that allowed all network traffic with a TCP source and destination port of 25
(SMTP) and the IP address of the mail server as either the source or destination IP
address. If this were the only filter applied, all non-SMTP network traffic originating
outside of the firewall with a destination IP address of the mail server would be blocked
by the firewall.
Many people have asked the question, "Is a router with an access list a firewall?" The
answer is yes, a packet filter firewall can essentially be a router with packet filtering
capabilities. (Almost all routers can do this.) Packet filters are an attractive option where
your budget is limited and where security requirements are deemed rather low.
But there are drawbacks. Basic packet filtering firewalls are susceptible to IP spoofing,
where an intruder tries to gain unauthorized access to computers by sending messages to
a computer with an IP address indicating that the message is coming from a trusted host.
Information security experts believe that packet filtering firewalls offer the least security
because they allow a direct connection between endpoints through the firewall. This
leaves the potential for a vulnerability to be exploited. Another shortcoming is that this
form of firewall rarely provides sufficient logging or reporting capabilities.
STATEFUL PACKET INSPECTION
Within the same generation of static packet filtering firewalls are firewalls known as
stateful packet inspection firewalls. This approach examines the contents of packets
rather than just filtering them; that is, it considers their contents as well as their addresses.
You can compare this to the security screener at an airport. A ticket validates that you
must be traveling from your source to your destination; however, your carry-on contents
must be checked to get to your final destination.
These firewalls are called stateful because they can permit outgoing sessions while
denying incoming sessions. They take into account the state of the connections they
handle so that, for example, a legitimate incoming packet can be matched with the
outbound request for that packet and allowed in. Conversely, an incoming packet
masquerading as a response to a nonexistent outbound request can be blocked. By using
something known as session or intelligent filtering, most stateful inspection firewalls can
effectively track information about the beginning and end of network sessions to
dynamically control filtering decisions. The filter uses smart rules, thus enhancing the
filtering process and controlling the network session rather than controlling the individual
packets.
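To make the two filtering styles concrete, here is an added example (my own code, not part of the lesson) that models the SMTP rule above as a static packet filter, and beside it a stateful filter that admits an inbound packet only when it answers a recorded outbound session. The addresses, the rule syntax, and the reading of the SMTP rule as destination port 25 inbound and source port 25 outbound are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    fin: bool = False     # True when the packet closes a TCP session


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src_ip: str = "any"
    dst_ip: str = "any"
    src_port: Optional[int] = None  # None means any port
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src_ip in ("any", p.src_ip)
                and self.dst_ip in ("any", p.dst_ip)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


MAIL_SERVER = "203.0.113.25"  # constructed address for the SMTP server

# The lesson's SMTP rule, read as: TCP port 25 with the mail server as the
# destination (incoming mail) or as the source (its replies). Anything not
# matched by an allow rule falls through to the default deny.
SMTP_RULES: List[Rule] = [
    Rule("allow", proto="tcp", dst_ip=MAIL_SERVER, dst_port=25),
    Rule("allow", proto="tcp", src_ip=MAIL_SERVER, src_port=25),
]


def static_filter(rules: List[Rule], p: Packet) -> str:
    """Static packet filter: first matching rule wins, default deny.
    It sees only addresses and ports, never whether a session exists."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Stateful inspection: outbound sessions are recorded and an inbound packet
    is admitted only if it answers one. Simplification: a session is forgotten
    on the first FIN seen in either direction."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix  # e.g. "192.168.1."
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def check(self, p: Packet) -> str:
        if self._inside(p.src_ip) and not self._inside(p.dst_ip):
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
            if p.fin:
                self.sessions.discard(key)  # session ending
            else:
                self.sessions.add(key)      # session starting or continuing
            return "allow"
        # Inbound: must mirror a recorded outbound session exactly.
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if key not in self.sessions:
            return "deny"  # a "reply" to a request that was never made
        if p.fin:
            self.sessions.discard(key)
        return "allow"


def demo() -> Dict[str, str]:
    """Run constructed packets through both filters and return the verdicts."""
    outside, inside = "198.51.100.7", "192.168.1.10"
    sf = StatefulFilter("192.168.1.")
    verdicts = {
        "smtp_to_mail": static_filter(SMTP_RULES, Packet(outside, MAIL_SERVER, "tcp", 40000, 25)),
        "http_to_mail": static_filter(SMTP_RULES, Packet(outside, MAIL_SERVER, "tcp", 40000, 80)),
        "web_request": sf.check(Packet(inside, outside, "tcp", 51000, 80)),
        "web_reply": sf.check(Packet(outside, inside, "tcp", 80, 51000)),
        "fake_reply": sf.check(Packet(outside, inside, "tcp", 80, 52000)),
        "web_close": sf.check(Packet(inside, outside, "tcp", 51000, 80, fin=True)),
    }
    verdicts["reply_after_close"] = sf.check(Packet(outside, inside, "tcp", 80, 51000))
    return verdicts
```

The static filter passes SMTP to the mail server and drops the HTTP packet aimed at it, while the stateful filter passes the genuine web reply, drops the reply to a request that was never made, and drops a reply arriving after the session has closed.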