Host Perimeter Defense

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:36

lượt xem

Host Perimeter Defense

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Most of us have a problem. We are under attack. At this very moment, our internet-connected computer systems are being subjected to a surprising number of probes, penetration attempts, and other malicious attention. In this talk, we will discuss the types of attacks that are being used against our computers, and how to defend against these attacks.

Chủ đề:

Nội dung Text: Host Perimeter Defense

  1. Host Perimeter Defense Security Essentials The SANS Institute Host Perimeter Defense - SANS ©2001 1 Most of us have a problem. We are under attack. At this very moment, our internet-connected computer systems are being subjected to a surprising number of probes, penetration attempts, and other malicious attention. In this talk, we will discuss the types of attacks that are being used against our computers, and how to defend against these attacks. You will learn about both free and commercial software products that will help you improve the security of your systems. These products present a variety of solutions, ranging from easy-to-configure, “hassle-free” products that provide a reasonable level of security, to more complex solutions that provide more stringent measures for high-value assets. 6-1
  2. Agenda • Do we have a problem? • Who is vulnerable? • Threats and types of protection • Features to look for • Summary Host Perimeter Defense - SANS ©2001 2 We will begin this talk by examining the scope of the problem, and you will learn about the types of systems that are vulnerable and that may require protection. The main portion of this talk will focus on the various threats to your host’s security, and the types of protection (including specific tools) that can be used to defend against these threats. Finally, we will discuss some features to look for when choosing a host perimeter solution. A summary of important information will round out the talk. At the end of the webcast, you will be able to recommend and implement utilities and policies for host perimeter defense. 6-2
  3. Host Perimeter Defense • Defends the borders of your computer • Complements network perimeter defense – Additional layer of protection • May also be first line of defense Host Perimeter Defense - SANS ©2001 3 Host perimeter defense is just what it sounds like: Defending the perimeter of the host itself - the borders of your computer. Most security-conscious organizations protect the borders of their network with tools such as firewalls or packet-filtering routers. In this situation, host perimeter defense complements network perimeter defense by adding a second layer of security. Even if an intruder is able to penetrate your network, he or she will then have to penetrate any host-based security to access protected hosts on your network. There are also instances when host perimeter defense may be your first line of defense. This is true, of course, if there is no network protection. This would be the case, for instance, where your network security is bypassed - for example, through a connection to a dial-up server inside your firewall. It is also the case for systems that are not on a standard network - such as home computers- which nevertheless connect to the Internet through an Internet Service Provider (ISP). 6-3
  4. Who is Vulnerable? • Any host that is: – Directly connected to the internet – “Protected” behind a firewall – Networked with any other hosts (even if not connected to the internet) – Connected via modem, cable modem, ISDN, DSL, etc. Host Perimeter Defense - SANS ©2001 4 Any networked host may be a candidate for protection using host perimeter defense solutions, including: • computers directly connected to the Internet. Any host directly connected to the Internet is visible to (and potentially vulnerable to!) any one of the several million other Internet users around the globe. Essentially, anyone from Russia to Brazil to the person next door can “see” your computer - and may be able to compromise it. • computers “protected” by a firewall. A firewall is not a bulletproof solution to your security problems. Dial-up connections may bypass your firewall’s security completely. “Legitimate” traffic allowed through the firewall may contain dangerous code, such as malicious Java applets in HTTP traffic, or Trojan executables in electronic mail (SMTP) traffic. Users may install unauthorized software or modems that create security holes. • hosts on a private network. Even if you are completely disconnected from the Internet, you may need to protect your hosts from each other. A large number of security breaches come from inside an organization. Employees trying to steal information for a competitor, or disgruntled employees who might want to damage or destroy information, present a real threat. The information on threats and defenses in the following slides can be applied to any of the above scenarios. However, for the purpose of this course, we will focus on one scenario in particular that is often overlooked. 6-4
  5. Impact of the Problem • Personal information – Financial records – Account names/passwords • Business information – Home-based business – Telecommuters – Connect to corporate LAN from home Host Perimeter Defense - SANS ©2001 5 This problem can be a serious one for home users. Sensitive information such as financial records and account numbers, usernames and passwords may all be stored on a home PC - all of which provide tempting targets for attackers. However, this problem is no longer limited to private home users. Businesses can be seriously affected as well, as the line between home and business computers has increasingly blurred over the past few years. Businesses are operated out of peoples’ homes; employees work at home and “telecommute;” users take work home, or use home computers to dial-in to corporate networks and electronic mail servers. All of these scenarios mean that, in addition to sensitive personal information, it is highly likely that sensitive business information can be found on “personal” computers. Which is more difficult for an attacker: To break into a corporate network that is protected by firewalls, intrusion detection software, and skilled administrators who regularly review log files? Or to break into the CEO’s unprotected home PC, steal his userid and password, and log straight in to the corporate network using the stolen information? 6-5
  6. Do We Have a Problem? Host Perimeter Defense - SANS ©2001 6 Many SANS instructors use personal firewalls of course, and a number of them use flashing icons to inform you that an attack has occurred. When Stephen Northcutt teaches intrusion detection he will often leave the BlackIce icon flashing yellow until some student comes up and says “I can’t stand it.” This screen shot was taken April 14, 2001. As you can see this computer has been hit with a number of attacks. Please notice that on your screen you see three DNS probes. This was about three weeks after the Lion worm, malicious code that attacks Linux computers and DNS servers. Clearly it is still running at this time. If you are tuning out because you are a Windows user, the Kak and Qaz Windows worms did a lot of damage only six months ago. So, you are going to get hit. 6-6
  7. What are the Threats? • Known vulnerabilities • Malicious code • Unauthorized connections Host Perimeter Defense - SANS ©2001 7 The number and types of vulnerabilities to individual hosts varies greatly. We will examine these vulnerabilities, and the actions you can take to counter them, in the next series of slides. 6-7
  8. Known Vulnerabilities • Operating systems and common software – Inherent weaknesses – Default configuration – Misconfiguration – Sample applications Host Perimeter Defense - SANS ©2001 8 Any host is, of course, susceptible to any vulnerabilities in the operating system and software which the host runs. A computer’s operating system (OS) will affect its inherent level of security. An OS with strong authentication mechanisms, privilege and access control, and auditing or logging capabilities (such as Windows NT, Windows 2000, Unix, or Linux) is more secure than an OS that does not have these features (such as Windows 95/98). As the majority of home users still run Windows 95 or 98, this issue becomes a critical one. Unfortunately, NO operating system is secure “out of the box,” and attackers will take advantage of security holes in default OS or application configurations, or user/administrator misconfigurations. Another vulnerability is sample applications that are often included in web server software or software development kits. These samples are not intended for production systems (read: they are NOT SECURE) and can open up additional security holes in your system. These “holes” are often well-known and well-publicized in the “black hat” community. Worse, for any vulnerability that has been known for a period of time, there is most likely a script that exploits the vulnerability. These scripts are readily available on the Internet - making it simple for even the most inexperienced attacker to launch sophisticated attacks on your systems. 6-8
  9. Known Vulnerability Defense • Choose a secure OS • Build a secure configuration • Install updates and patches • Remove sample applications • Stay informed Host Perimeter Defense - SANS ©2001 9 Your best defense against known vulnerabilities is information and education. • Choose a secure OS and learn to configure it properly. Most vendors and some third-party organizations now provide recommendations on configuring operating systems and applications securely. Obtain these documents and apply them per your organization’s needs. • Keep your software up-to-date with upgrades and patches. Vendors regularly release updates and patches, many of which address security issues. Keep your systems up-to-date with the latest patches. • Remove sample applications. Do not install sample applications, unless they are loaded on a test system. If sample applications must be installed, secure them just as you would any other software component. • Stay informed. New security vulnerabilities are released daily. A quick and easy way to stay up- to-date is to subscribe to security mailing lists. Several excellent public lists are given at the end of this presentation. Most vendors also have their own mailing lists, or at least post security notices on their web sites. 6-9
  10. Malicious Code • Program that performs harmful, unauthorized action – Viruses – Trojans – Java applets and Activex controls • Often easily bypass network security Host Perimeter Defense - SANS ©2001 10 One of the broadest categories of threats to your network hosts is that of malicious code. Malicious code is defined as an executable program that performs an action (often harmful or destructive) without the knowledge of the user. Malicious code includes viruses and Trojan software (malicious software masquerading as a useful program or utility). Recent virus incidents, such as those surrounding the ILOVEYOU virus or the Melissa virus, indicate the seriousness of the threat. The attacker who gained access to Microsoft’s network in October 2000 and viewed source code for a future Microsoft product is suspected to have gained access to internal systems via the QAZ virus, which installs a secret ‘back door’ to allow access to a system. Over 40,000 known viruses exist as of this writing, and the number continues to increase. A newer threat is that presented by Java applets and ActiveX controls. These are bits of code, like mini- programs, that run within a web browser when you access a web page that contains the applet. (Java will run in any browser; ActiveX is specific to Microsoft Internet Explorer.) Both types of code are supposed to be “safe” and execute only within restricted boundaries on the user’s computer. However, a number of security holes have been found in this technology. Malicious applets can perform actions such as reading files (such as a password file) or deleting files. Worse, most applets run within the browser without the user’s knowledge. A particular danger of malicious code is that it can easily bypass security measures such as firewalls. This is because malicious code is often hidden in “legitimate” network traffic. Your firewall probably allows HTTP (Web) traffic into your network, but this traffic can contain hostile Java and ActiveX code. You probably also allow SMTP (electronic mail) traffic, but electronic mail often contains attachments with macro viruses or Trojan software. 6 - 10
  11. Malicious Code Defense • Anti-virus software • Java/Activex protection Host Perimeter Defense - SANS ©2001 11 Probably the most well-known form of host perimeter defense is anti-virus software, which defends your computer from malicious code such as viruses and some common Trojan/backdoor programs (such as NetBus or Back Orifice). Because anti-virus software is covered in its own course, we will only mention it briefly here. However, it is important to note that some anti-virus vendors are now offering additional protection against hostile Java and ActiveX controls. For example, both Norton Anti-Virus and McAfee VirusScan offer some degree of Java/ActiveX protection. Check your product specifications carefully; some vendors’ offerings may only provide protection for specific browsers (i.e. for Netscape Navigator OR Microsoft Internet Explorer, but not both). Another means to defend against malicious Java and ActiveX controls is to tighten your browser’s security. Both Netscape Navigator and Microsoft Internet Explorer offer means to customize browser security to allow, prompt for, or disallow actions such as Java and ActiveX scripting. One catch to tightening security in this way is that you may block safe applets along with hostile ones - some Web sites will not display correctly without scripting enabled, or will pop up an annoying number of warning messages asking if you want to run an applet. 6 - 11
  12. Unauthorized Connections • Default services running on a system • Software that opens additional ports Host Perimeter Defense - SANS ©2001 12 Applications and services used for network or host-to-host communications use a protocol and a port number to communicate. Protocols include Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Common ports include those used for Telnet (23), DNS (53), and POP3 (110). Computers need to use these various protocols and ports to communicate with each other. The default installation of any operating system will open various ports. For example, Unix and Linux systems typically install a Telnet server (port 23). Microsoft Windows systems use the NetBIOS ports (137 - 139) for Windows networking. Applications may open additional ports; Web servers may use FTP (21), HTTP (80), or SSL (443). Trojan software may open still more ports, such as NetBus (12345) or BackOrifice (31337). All of these ports represent a potential “door” through which someone can enter your computer. A computer will typically “listen” on a port until a connection is attempted. Depending on the authorization (if any!) required, the system will then accept or reject the connection attempt. However, it’s a good bet that most users don’t know what a port is, much less which ports may be open on their computers. 6 - 12
  13. Unauthorized Connection Defense • Determine open ports • Block ports that are not needed • Monitor connection attempts Host Perimeter Defense - SANS ©2001 13 The first step in protecting your system from unauthorized connection attempts is to determine which ports are actually open on your system. For example, in Windows 9x or NT, you can type netstat -a at the command prompt to display a list of all open connections to your system. This utility is good for generating a “snapshot” view of system activity, as it will also identify the open ports on your system - including some you may not know you have! However, it does not provide a means to block ports that you don’t want left open, or to monitor port activity on an ongoing basis. That is the purpose of personal firewall and host-based intrusion detection software. 6 - 13
  14. Personal Security Software • Combine various firewall and IDS technologies to successfully defend your station – Application-level connectivity control – Protocol-level data flow control – Intrusion detection system component Host Perimeter Defense - SANS ©2001 14 Personal security software is a key element to defend your home station from the Internet. To successfully defend our station from outside attacks, a combination of firewall and IDS technologies is the best means of defense. Many popular product solutions provide packet-filtering, proxying, or IDS capabilities, or a combination of them all. Application-level connectivity control is generally easier to configure, particularly for the less- technical user. Access is controlled by rules that specify which applications are allowed to perform particular actions. For example, the user may create a rule that says Netscape is allowed to initiate connections to particular Internet sites, or that Outlook Express is allowed to connect to your ISP’s mail server. Packet-filtering/IP-level data flow control requires more technical expertise on the part of the user in order to configure properly. Access is controlled by rules that specify which protocols are allowed or disallowed. For example, a user may create rules that block all traffic except for HTTP, SMTP, and POP3. In the following slides we will explore examples of products that demonstrate the effective application of these technologies to defend our stations from perimeter attacks. 6 - 14
  15. Network ICE BlackICE Defender Host Perimeter Defense - SANS ©2001 15 One example of a packet-filtering personal firewall is Network ICE’s BlackICE Defender. It combines a packet-filtering firewall component with an intrusion detection component that has stateful inspection capabilities, monitoring your network connection for "signatures" of popular attacks. Many host-based security systems like BlackICE Defender will combine multiple technologies to optimize the overall effect on the station's security. BlackICE Defender uses its intrusion detection system in conjunction with its packet-filtering capabilities to provide an enhanced form of stateful inspection. It can actually determine whether the incoming traffic is "malicious" in nature, before allowing the traffic access to the system. Upon discovery of an attacker, BlackICE Defender will not only block them from further access, and log the attack and all packets from the attack, it will go so far as to attempt to collect information about the attacker, including host name and MAC address. Even if the hostile traffic in question is allowed in by the current packet filtering rules, the stateful inspection process will still detect the attack and deny the perpetrator access. For example, say you were running an FTP server on your station and had a configuration allowing incoming FTP traffic. If a known attack was tried on port 21 (the default port for FTP traffic) BlackICE would identify the traffic as hostile in nature and block the attacker from accessing the system. The negative aspect of such an inspection system is that false positives can be registered, and in some cases prevent normal usage between systems. BlackICE circumvents this issue by allowing the editing of the BLACKICE.INI file, to specify issues that should no longer be identified as an attack. The line: trust.issue = would discontinue false positives for the event identified as . A list of issue numbers and their definitions are listed on Network ICE's website. 6 - 15
  16. BlackICE Defender Security Configuration Host Perimeter Defense - SANS ©2001 16 Easy configuration is an important feature of a good personal security system. The common dilemma when designing such a system is how to make the software easily configurable for a novice while allowing the flexibility that an advanced user will need. To configure the default packet- filtering rules for BlackICE Defender, two different systems are used. For the novice, BlackICE Defender provides an easy to use graphical interface that allows you to choose between four pre- configured "levels" of protection, ranging from "trusting" to "paranoid." Each setting blocks a progressively more aggressive range of TCP and UDP ports. “Trusting” doesn’t block any TCP or UDP ports. “Cautious” blocks TCP ports 0-1023. “Nervous” blocks all TCP ports and UDP ports 0- 1023. While “Paranoid” blocks all TCP and UDP ports. (Note: These rules refer to incoming traffic ONLY. All outgoing traffic and TCP return traffic is allowed no matter which security level is selected.) 6 - 16
  17. BlackICE Defender FIREWALL.INI [MANUAL IP ACCEPT] [MANUAL UDP low REJECT] REJECT, 137, NETBIOS Name Service, 1999-07-22 20:26:53, PERPETUAL REJECT, 138, NETBIOS Datagram Service, 1999-07-22 20:26:53, PERPETUAL [MANUAL UDP high ACCEPT] [MANUAL TCP low REJECT] ACCEPT, 113, identd, 1999-07-19 20:50:26, PERPETUAL REJECT, 139, SMB, 1999-07-19 20:50:26, PERPETUAL [MANUAL TCP high ACCEPT] Host Perimeter Defense - SANS ©2001 17 For advanced users, BlackICE provides an editable configuration file, FIREWALL.INI. Manual packet-filtering rules can be applied to allow or disallow various types of protocol level traffic. This is how to custom-tailor BlackICE Defender to suit a more advanced environment. For example, you can set packet-filtering rules to allow a local HTTP or FTP server on your system. An example filter would be as follows: Under the [MANUAL TCP low REJECT] heading of the FIREWALL.INI you would enter a line like: ACCEPT, 80, HTTP, 2000-10-16 20:30:53, PERPETUAL This line is not unlike the packet filters that are applied in various commercial firewalls, including router access control lists. It would allow any HTTP traffic on port 80. In this example, because the BlackICE configuration is set to “paranoid” the default for TCP low traffic (traffic below port 1024) is set to REJECT (hence the name of the section heading). Therefore, the default rule applied to any traffic would be an implicit deny, which means disallow ALL traffic, unless it is otherwise noted. If the security setting was set to “trusting” then the default setting for TCP traffic below port 1024 would be an implicit accept. In that case, rules would be added only if there were particular traffic types that needed to be denied. Either way, a custom configuration can be tailored for almost any need. Under the [PARMS] section of FIREWALL.INI, other advanced settings can be configured. Included among these are how long attackers should be blocked, settings blocking Denial of Service attacks (including attacks using fragmentation), and the enabling of stateful inspection to allow DNS and NetBIOS responses. 6 - 17
  18. Other Packet-filtering Personal Firewalls • Dynamic Solutions, Inc - NukeNabber • Network Associates - PGP Desktop Security • Network Flight Recorder - BackOfficer Friendly ….and for *nix users: • Psionic Software - Portsentry Host Perimeter Defense - SANS ©2001 18 This slide lists some additional Packet-Filtering products available for host-based protection. 6 - 18
  19. Zone Labs ZoneAlarm Host Perimeter Defense - SANS ©2001 19 An application-level firewall, such as a proxy, deals directly with the "programs" that communicate to and from the internet, in contrast to protocol-level firewalls which don't care what application is accessing the network, just the individual packets which are being sent. An example of a personal application-level software program is ZoneAlarm, a "free for personal use" offering by Zone Labs. ZoneAlarm intervenes at an application level when users are accessing the Internet. Whenever an application on your system tries to contact the internet, ZoneAlarm intercepts the traffic. It checks to see if the application that sent the traffic has a rule set up for it in its current rules database. If it does, it either allows or disallows the program access based on that rule. If it doesn't currently have a rule configured, it will ask the user if they want to allow the program to gain access to the Internet. If the user chooses to have ZoneAlarm remember the way they respond, a rule is created for that application and added to the rules list. If the user doesn’t have ZoneAlarm save their response, then every time the program is run, ZoneAlarm will again ask the user whether or not they want to allow the program access. This means rules by application can make the protection of a system less complicated for a novice. Hopefully, most users should be familiar enough with the applications that they use to decide whether or not a given application should be allowed to communicate with the outside world. This feature can also keep Trojans, “spyware”, and viruses from subverting your system’s defenses by warning you when they try to contact the outside world or propagate themselves. ZoneAlarm also integrates an Internet lock which completely disables internet access after a predetermined period of station inactivity. An email-level VBS blocker is also included to screen for this popular email virus type. 6 - 19
  20. Security Configuration Host Perimeter Defense - SANS ©2001 20 ZoneAlarm’s security screen allows configuration of Internet and local security zones, with an easy slide bar setting. Each setting level (High, Medium, or Low) provides a different selection of security features. All three levels enforce the application rules. High and Medium settings block all Internet traffic with the “internet lock” feature, while the Low setting only blocks application traffic. High and Medium settings also block access to Windows services and shares, while the low setting allows such access. Finally, the High setting level enables a “stealth mode” that completely hides all ports that are not in use by an application. Medium level leaves you visible to outsiders on the Internet, and the Low level leaves you and your resources visible and allows traffic to and from the Internet. Setting the Internet level to High is recommended for most environments. Local network settings depend mostly on your particular situation. Medium will serve well for most common configurations. Servers can be blocked from local or Internet access by checking the respective boxes at the bottom of the “settings” screen. At the very bottom, the “Enable MailSafe” check-box is offered, to allow additional protection from VBS email viruses. Since ZoneAlarm is an application-level firewall, it can detect content and can stop a VBS file from being executed… another safety against one of the Internet’s fastest spreading threats. Finally, an Advanced button is offered to allow the adding of station and network addresses to the Local or Internet zone. This can be a way to customize your environment. 6 - 20
Đồng bộ tài khoản