# Information Security: The Big Picture – Part IV


## 1. Information Security: The Big Picture – Part IV

Stephen Fried

Information Security: The Big Picture - SANS GIAC © 2000
## 2. Agenda

- General Security Introduction
- Telecommunications Fundamentals
- Network Fundamentals
- Network Security
- World Wide Web Security
- Information Secrecy & Privacy
- Identification and Access Control
- Programmatic Security
- Conclusion

Next up is Network Security. This section takes our discussion of network protocols and configuration one step further. In it we will learn about network configuration, network attacks, and various other network security topics.
## 3. Firewalls

- Firewalls protect "inside" from "outside"
- Can be a single machine or a series of machines
- Allow for filtering and inspection of packets
- Basic types:
  - Application Gateways
  - Packet Filters
  - Stateful Inspectors

You hear a lot of talk about firewalls in relation to network security. The name "firewall" comes from the building industry, where it denotes a wall constructed to stop (or at least slow) the spread of fire from one space to another. In network security, a firewall serves the same purpose, but instead of being built from bricks or steel it is built from computers and routers. A network firewall is designed to protect what is "inside" the firewall from what may be "outside." Most often you will hear firewalls discussed in reference to Internet protection, and most companies on the Internet today use a firewall to protect their corporate networks from the evils of the Big Bad Internet.

A firewall can be as simple as a single box. In some cases a network router can handle basic firewall protection. More often, a firewall is a dedicated computer running specialized software that tracks and analyzes the traffic passing into and out of the network and acts quickly to prevent "dangerous" connections. In some installations the "firewall" is actually a system of several computers combined with specially programmed network equipment, offering more robust protection against a wider variety of attacks.

The firewall is preprogrammed with a series of rules specifying the types of traffic it will allow and the types it will not. It operates by looking at each packet that passes through it. It may examine the source and destination addresses, the protocol and port numbers (which identify the application or service the packet belongs to), or even the packet's relationship to other packets it has seen. It then matches the packet against the list of rules, normally in order, with the first matching rule deciding. If the packet is "permitted" by the rule set, the firewall lets it pass. If the packet is "denied" because of a rule violation, the firewall blocks it before it reaches the inside network. A sound rule set ends with a rule that denies everything not explicitly permitted, so that an unanticipated kind of traffic fails closed rather than open.

There are three basic types of firewalls:

- **Application gateways** use a specialized program for each type of application or service that needs to pass through the firewall. Thus there may be one program for web traffic, one for file transfer, and one for terminal sessions. The benefit of an application gateway is that it can do a detailed analysis of the traffic at the application level and can be customized to the particular needs of the organization. The disadvantage is that a program must be written for each application that uses the firewall. Application gateways are also slower than other types of firewalls and may not stand up to the performance needs of a large network.
- **Packet filters** look only at each packet's header: source and destination addresses, protocol, and port numbers. They make their determination from those fields and the programmed rule set. The advantage of packet filters is that they work very quickly, a plus on large, fast networks. The disadvantage is that their ability to analyze the packet in greater detail is limited, and because each packet is judged on its own, a rule that lets replies back in must be written broadly enough that it also admits packets merely pretending to be replies.
- **Stateful inspection** firewalls do a more detailed analysis than packet filters. They track connections, so they can look at a packet's relationship to the packets that preceded it and at the traffic over time. A reply from the outside is admitted only when it belongs to a connection that was permitted on the way out, without any standing rule that would also admit an unsolicited packet. This allows for a more sophisticated analysis of the traffic and makes for a better firewall.
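The difference between the second and third types is easiest to see on concrete traffic. The following is an added example, not code from the SANS slides: a toy packet filter and a toy stateful inspector are run over the same three constructed packets (a web request from an inside host, the web server's reply, and a forged packet from an outside host that uses source port 80 to look like a reply). The rule syntax, packet fields, and the inside network 98.143.54.0/24 are assumptions for this example; the outside addresses come from the documentation range.

```python
"""Packet filter versus stateful inspection on the same traffic.

Added illustration, not code from the SANS slides. Rule and packet fields are
simplified assumptions; the inside network reuses the proxy slide's addresses
and the outside hosts use documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: set on a connection request
    ack: bool = False   # TCP ACK flag: set on every packet after the request


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # CIDR prefix; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: Optional[int] = None     # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def packet_filter(rules, p: Packet) -> str:
    """Stateless filter: each packet is judged on its own header; the first
    matching rule decides, and anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulInspector:
    """Consults the rule set only for new connections and remembers the ones
    it permitted, so replies are admitted because of the outbound request
    rather than because of a standing hole in the rule set."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()          # permitted connections as 5-tuples

    def inspect(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table or reverse in self.table:
            return "permit"         # belongs to a connection already allowed
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"           # TCP packet that is not a connection request
        verdict = packet_filter(self.rules, p)
        if verdict == "permit":
            self.table.add(key)
        return verdict


INSIDE = "98.143.54.0/24"   # assumed inside network

# Policy: inside hosts may open web connections to anywhere.
RULES = [Rule("permit", src=INSIDE, proto="tcp", dport=80)]
# A stateless filter needs a second rule to let the replies back in, and that
# rule admits anything that merely claims to come from port 80.
STATELESS_RULES = RULES + [Rule("permit", dst=INSIDE, proto="tcp", sport=80)]

# Constructed packets: a web request, its reply, and a forged packet from an
# outside host (203.0.113.9, documentation range) aimed at an inside service.
OUTBOUND = Packet("98.143.54.78", "207.46.131.137", "tcp", 40000, 80, syn=True)
REPLY = Packet("207.46.131.137", "98.143.54.78", "tcp", 80, 40000, syn=True, ack=True)
FORGED = Packet("203.0.113.9", "98.143.54.79", "tcp", 80, 445, syn=True)


def run_scenario():
    """Returns the verdicts of both firewall types on the three packets."""
    fw = StatefulInspector(RULES)
    traffic = (OUTBOUND, REPLY, FORGED)
    return {
        "stateless": [packet_filter(STATELESS_RULES, p) for p in traffic],
        "stateful": [fw.inspect(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

The stateless filter permits all three packets, because the "let replies in" rule cannot distinguish a genuine reply from the forged one. The stateful inspector permits the request and the reply but denies the forgery, since no inside host ever opened a connection to 203.0.113.9.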
## 6. Proxy Configuration

(Diagram: three inside computers, 98.143.54.78, 98.143.54.79 and 98.143.54.80, behind a proxy server at 98.143.54.212, which is connected to an Internet host at 207.46.131.137.)

The diagram on this slide illustrates how proxies work in practice. On this network we have four machines: three computers with IP addresses 98.143.54.78, 98.143.54.79, and 98.143.54.80, and a proxy server with an address of 98.143.54.212. The proxy server is connected to the Internet. When a program on one of the computers needs to connect to a machine on the Internet, the request goes first to the proxy server. The request says something like "computer 98.143.54.78 needs to talk with computer 207.46.131.137 on the Internet." The proxy server notes the request and then opens its own connection to the Internet machine, using its own address as the source. As far as the Internet machine is concerned, the request is now "computer 98.143.54.212 needs to talk with computer 207.46.131.137." Once the connection is established, all communications between the original machine, 98.143.54.78, and the Internet machine are relayed through the proxy server. From the viewpoint of the Internet machine, however, it is communicating with the proxy server, not with the inside machine. So even if all three computers on this network are communicating simultaneously with the Internet machine, the Internet machine just sees three connections from the same proxy server, not three connections from three separate computers. It is the proxy server's responsibility to keep track of which connection belongs to which inside machine, so that each reply is handed back to the right one. Because the inside addresses never appear on the outside, the proxy also hides the layout of the internal network, and a packet arriving from the Internet that does not correspond to a connection the proxy opened has nowhere to go.
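The bookkeeping the last paragraph describes is the heart of a proxy, so here it is as an added example (not code from the SANS slides, and not a real proxy implementation). The proxy's port allocation, the layout of its connection table and the sample clients are assumptions made for the example; the addresses are the slide's, plus one documentation-range address for a stray packet. All three inside machines are deliberately given the same local port, to show why the proxy cannot simply reuse the client's port on the outside.

```python
"""How a proxy server substitutes its own address and demultiplexes replies.

Added illustration, not code from the SANS slides. The proxy's port
allocation, the connection table layout and the sample clients are
assumptions made for this example; the addresses are the slide's.
"""
from itertools import count

PROXY_IP = "98.143.54.212"
INTERNET_HOST = "207.46.131.137"


class Proxy:
    def __init__(self, ip: str):
        self.ip = ip
        self.ports = count(50000)   # assumed: proxy-side source ports, allocated in order
        # proxy source port -> (client ip, client port, remote ip, remote port)
        self.table = {}

    def outbound(self, client_ip, client_port, remote_ip, remote_port):
        """The client asks to reach remote; the proxy opens its own connection
        and records who asked. Returns the header the Internet host sees."""
        port = next(self.ports)
        self.table[port] = (client_ip, client_port, remote_ip, remote_port)
        return {"src": (self.ip, port), "dst": (remote_ip, remote_port)}

    def inbound(self, remote_ip, remote_port, proxy_port):
        """A reply addressed to one of the proxy's ports: look up which inside
        client it belongs to. Anything not matching an entry is dropped."""
        entry = self.table.get(proxy_port)
        if entry is None or entry[2:] != (remote_ip, remote_port):
            return None
        return entry[:2]


def run_example():
    """Three inside clients reach the same Internet host through the proxy."""
    proxy = Proxy(PROXY_IP)
    remote_sees = set()
    port_to_client = {}
    # Constructed for the example: all three clients pick local port 40000, so
    # the proxy has to allocate its own ports to tell their connections apart.
    for client in ("98.143.54.78", "98.143.54.79", "98.143.54.80"):
        hdr = proxy.outbound(client, 40000, INTERNET_HOST, 80)
        remote_sees.add(hdr["src"][0])
        port_to_client[hdr["src"][1]] = client
    # Replies come back to the proxy's ports; the table routes each to its client.
    delivered = {p: proxy.inbound(INTERNET_HOST, 80, p) for p in port_to_client}
    # A packet from an unrelated host (203.0.113.9, documentation range) aimed at
    # a live proxy port does not match that entry's remote side and is dropped.
    stray = proxy.inbound("203.0.113.9", 80, 50000)
    return remote_sees, port_to_client, delivered, stray


if __name__ == "__main__":
    seen, mapping, delivered, stray = run_example()
    print("Internet host sees source addresses:", seen)
    print("proxy port -> client:", mapping)
    print("replies delivered to:", delivered)
    print("stray packet delivered to:", stray)
```

The Internet host sees exactly one source address, 98.143.54.212, for all three connections; the proxy's table is the only place where the three are told apart, which is why a proxy that loses or corrupts that table misroutes replies.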
## 7. Network Attack Methods

- Denial of Service
- SYN Flooding
- Distributed DoS
- Smurf
- Session Hijacking
- Teardrop
- IP Spoofing
- Land
- Spamming
- TCP Sequence Prediction
- Junk Mail/Chain Letters
- IP Fragmentation
- Man in the Middle
- Ping of Death
- Session Replay

In the following few slides we are going to talk about various types of attacks that have occurred over the Internet in the past. Before we begin, I should point out a couple of important facts. First, we will not be going into very technical depth about each of these attacks. Some of them can get quite complicated, but we will stick to the high-level description as much as possible. Second, many of these attacks have many variations that have been used over time, and you may hear them referred to in several different ways in your continuing security education. In the interests of time we will restrict our discussion to the original attack and mention variations only as necessary for clarification. Finally, while each of these attacks can be used by itself, you will very often see them used in combination, or see one attack used as the basis for another. For example, many of the attacks are based on some form of Denial of Service.
## 8. Denial of Service

- Keeping the computer or network from doing anything useful
- Can be a system crash, more often just flooding it
- Very hard to prevent
- Distributed DoS – the latest wrinkle

Denial of Service, or DoS, is one of the most common attacks in use today. It works just like it sounds: it is used to deny service to a system or network. Denial of Service attacks are aimed at preventing a computer or network from performing its normal duties. This can take the form of crashing a computer, but more often it takes the form of flooding the network or computer with thousands, or even millions, of requests. The computer quickly gets overwhelmed and cannot handle the load. Once this happens, service is denied to legitimate users because they cannot get the server's attention.

Denial of service attacks are appealing to attackers for a number of reasons. First, they are deceptively simple to do. As we shall see shortly when we talk about SYN flooding, the methods for performing a DoS attack are not that difficult to learn or perform. Second, depending on how the DoS is performed, all you are doing is preventing legitimate traffic from getting to the server. You do not necessarily have to crash the machine or ruin any of the server's resources. The attacker mentality will say that this is no more harmful than driving slowly on the highway or taking your time in the drive-in line at the bank. Well, tell that to Yahoo, eBay, or any of the dozen other large Internet sites that were hit with DoS attacks in the spring of 2000. To them, the damage and the losses were very real.

Classic DoS attacks occur when a single system or network floods your network with packets. The attack can be stopped by instructing your routers or firewalls not to accept packets from that system. That works only as long as the source address identifies the attacker: if the attacker forges source addresses (IP spoofing, later in this list), a block on any one address does nothing, and if the flood comes from many machines at once, there is no single address to block. That second case is a new breed of DoS attack that has recently surfaced, the Distributed Denial of Service, or DDoS, which we look at on the next slide.
## 9. Distributed Denial of Service

(Diagram: the Attacker contacts a Handler, which directs several Agents spread across the Internet to flood the Victim.)

In DDoS attacks, the attack does not come from a single system or network; it comes from a wide distribution of computers from all over the Internet, sometimes seemingly at random. Distributed denial of service attacks are more complicated to set up from an attacker's point of view, but their effects can be much more devastating. In a classic DDoS attack there are a number of roles and components. On the roles side there is the Attacker, the Victim, and a number of "innocent" third parties (called Agents) that play an unwilling role in the attack. The attacker breaks into each of the Agents' computers and plants a program that can perform a DoS attack against the victim. There can be hundreds or even thousands of Agents involved in an attack. One (or a few) of the compromised machines is designated as the Handler. It is the Handler's responsibility to coordinate the attack on behalf of the Attacker. When the Attacker is ready to launch the attack, he contacts the Handler and tells it who the real Victim is, how long the attack should last, and any other information the Agents will need. The Handler relays that information to the Agents and off they go. What the Victim sees is a DoS attack from many different sites all arriving at once.

What makes DDoS attacks so unique and powerful is that they use the diversity of the Internet to strengthen the attack. The attack seems to be coming from everywhere at once. No single source sends enough traffic to stand out, so the per-address blocking that stops a classic DoS has nothing to block, while the aggregate load still overwhelms the Victim. And since IP source addresses are not authenticated, and the traffic in any case originates from compromised third parties rather than from the Attacker's own machine, the Victim has no way to trace the attack back to its true origin.
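The contrast drawn on the last two slides, per-source blocking defeating a classic DoS but not a DDoS, can be shown on a constructed connection-attempt log. The following is an added example, not code from the SANS slides. The log lines, the per-source threshold, and the server capacity are all assumptions chosen to make the contrast visible; the attacker, victim-side users and Agents use documentation and private address ranges.

```python
"""Per-source blocking works against a classic DoS and fails against a DDoS.

Added illustration, not code from the SANS slides. The connection-attempt
log is constructed, and the threshold and server capacity are assumptions
chosen to make the contrast visible.
"""
from collections import Counter

PER_SOURCE_LIMIT = 50     # attempts/second from one source before it is blocked (assumed)
SERVER_CAPACITY = 200     # attempts/second the server can absorb (assumed)


def classic_dos_log():
    """Constructed log of (second, source address): one attacker
    (203.0.113.9) sends 500 requests in one second; five legitimate
    users (198.51.100.x) send one each."""
    log = [(0, "203.0.113.9")] * 500
    log += [(0, "198.51.100.%d" % i) for i in range(1, 6)]
    return log


def ddos_log():
    """Constructed log: five hundred Agents (10.0.x.y) send one request each in
    the same second. Same aggregate load, but no single source stands out."""
    log = [(0, "10.0.%d.%d" % (i // 256, i % 256)) for i in range(1, 501)]
    log += [(0, "198.51.100.%d" % i) for i in range(1, 6)]
    return log


def block_list(log, limit=PER_SOURCE_LIMIT):
    """The classic defence from the slide: tell the router to drop any source
    whose attempt rate in some one-second window exceeds the limit."""
    per_window = Counter((second, src) for second, src in log)
    return {src for (_, src), n in per_window.items() if n > limit}


def analyze(log):
    """Applies the block list and reports the peak load that still reaches
    the server and whether that exceeds its capacity."""
    blocked = block_list(log)
    surviving = Counter(second for second, src in log if src not in blocked)
    peak = max(surviving.values(), default=0)
    return {"blocked": blocked, "peak_load": peak, "overwhelmed": peak > SERVER_CAPACITY}


if __name__ == "__main__":
    print("classic DoS:", analyze(classic_dos_log()))
    print("DDoS:       ", analyze(ddos_log()))
```

In the classic case the single attacker crosses the threshold, gets blocked, and only the five legitimate requests reach the server. In the distributed case every Agent sends one request, none crosses the threshold, and all 505 requests arrive, more than the server can absorb. Note that even the classic case assumes the source address is genuine; an attacker forging addresses looks, to this check, like the distributed case.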
## 20. Man in the Middle

(Diagram: Alice and Bob communicating, with Melvin positioned between them.)

Man in the Middle attacks are another way attackers gain information or disrupt communications. The diagram on the slide shows a classic Man in the Middle attack. Alice and Bob establish some sort of communication between them. Melvin then intercepts the communications between Alice and Bob. How does he do this? One way is to spoof his machine to both Alice and Bob: he makes Alice think he is Bob and makes Bob think he is Alice. Another way is to physically tap into the network somewhere between Alice and Bob. Either way, Melvin can see all the traffic, typically without being detected.

In this position, Melvin can do one of two things. First, he can simply listen in on everything Alice and Bob say to each other. Second, if he is feeling particularly mischievous, he can stop direct communications between Alice and Bob and alter the messages going back and forth. For example, if Alice says "I'll buy 10 widgets at $10 each," the attacker can change that to "I'll buy 100 widgets at $100 each." Then, when Bob replies, "that will be a total of $10,000," the attacker can change that to "No problem, you can have them for free!"

Man in the Middle attacks are very difficult to detect unless Alice and Bob authenticate each message sent between them, so that a message Melvin has altered or inserted fails the check. Preventing them requires two things together: encrypting the communications so that Melvin cannot read or use anything in the transmission, and authenticating the endpoints so that Melvin cannot impersonate Bob to Alice or Alice to Bob. Encryption alone is not enough: if Melvin can insert himself while Alice and Bob are setting up their keys, he ends up holding one key with each of them and can decrypt, read, alter and re-encrypt everything that passes between them.
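The per-message authentication the slide calls for is the part Melvin cannot fake without the key, so here it is as an added example (not code from the SANS slides). It assumes Alice and Bob already share a secret key, which in practice comes from an authenticated key exchange (the step a man in the middle has to be kept out of); the framing format and the widget order are made up for the example. The sequence number is there for the Session Replay attack on the list, since a genuine frame captured by Melvin and sent again would otherwise verify.

```python
"""Per-message authentication detects a man in the middle altering or
replaying traffic.

Added illustration, not code from the SANS slides. It assumes Alice and Bob
already share a secret key (in practice established by an authenticated key
exchange); the framing format is made up for this example.
"""
import hashlib
import hmac
import struct

SHARED_KEY = b"alice-and-bob-shared-secret"   # constructed for the example
TAG_LEN = hashlib.sha256().digest_size        # 32 bytes
SEQ_LEN = 8


def seal(key: bytes, seq: int, body: bytes) -> bytes:
    """Frame = sequence number || body || HMAC-SHA256 over both.
    The sequence number is covered by the tag so it cannot be edited either."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def unseal(key: bytes, expected_seq: int, frame: bytes):
    """Returns the body if the tag verifies and the sequence number is the one
    the receiver expects next; otherwise None (altered, forged or replayed)."""
    if len(frame) < SEQ_LEN + TAG_LEN:
        return None
    header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected_tag = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):   # constant-time comparison
        return None
    (seq,) = struct.unpack(">Q", header)
    if seq != expected_seq:
        return None
    return body


def melvin_rewrites(data: bytes, old: bytes, new: bytes) -> bytes:
    """Melvin sits between the parties and edits what he sees. He does not
    know the key, so he cannot produce a matching tag for the edited body."""
    return data.replace(old, new)


def run_exchange():
    """Alice's order as Bob receives it in four situations."""
    order = b"I'll buy 10 widgets at $10 each"
    old, new = b"10 widgets at $10", b"100 widgets at $100"

    # Without authentication Bob receives the edited order and cannot tell.
    unprotected = melvin_rewrites(order, old, new)

    # With a keyed tag on every message the edit is rejected, and so is a
    # replay of the genuine frame after Bob has already consumed it.
    frame = seal(SHARED_KEY, 1, order)
    return {
        "unprotected": unprotected,
        "honest": unseal(SHARED_KEY, 1, frame),
        "tampered": unseal(SHARED_KEY, 1, melvin_rewrites(frame, old, new)),
        "replayed": unseal(SHARED_KEY, 2, frame),
    }


if __name__ == "__main__":
    for case, result in run_exchange().items():
        print(case, result)
```

The tag only proves that whoever sent the frame knew the key; it does not hide the order from Melvin, which is what the encryption the slide mentions is for. Conversely, encryption without a tag still lets Melvin flip bits in the ciphertext undetected, which is why both are needed.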