
Network Security Basics

Network Security Fundamentals
Agenda
• Introduction – Firewalls, Routers, IDS
• Types of Networks
• Internetworking = Increased Risk
• Network Security Risks Explained
• Network Security Defined
• Network Connections to Control
• Defense in Depth
• Principles of Network Security
• Effective Controls for Network Security

©2002 SecureIT Consulting Group, Inc. 3


Introduction
• Networks are telecommunication highways over which information travels
• Networks and their associated information technology resources are exposed to potential points of attack (e.g. spoofing, traffic flow analysis, trap doors, Trojan horses, viruses, worms, etc.)
• Centralized network management authority does not exist, so layered security measures are needed to protect data as it traverses the network
• These layered security measures include
  - Firewalls
  - Routers
  - Intrusion Detection Systems
  - Other components (VPNs, encryption, etc.)



Introduction
• Before addressing firewall, router and IDS particulars, however, it is necessary to get a good handle on the context of the networks in which firewalls, routers and IDS operate
• This module provides that context by reviewing the following topics:
  - Networks
  - Risks of connectivity
  - Principles of effective network security controls
• These topics will help provide the “big picture” in which firewalls and the other network security technologies operate



Types of Networks
• Local Area Network (LAN) – a discrete network that is designed to operate in a specific limited area like a floor of a building; usually within a single organization
• Wide Area Network (WAN) – a network of subnetworks that interconnects LANs over wide geographic areas; usually within a single organization
• Intranet – a TCP/IP based logical network within an organization’s internal network
• Extranet – a TCP/IP based private network that is accessed by users outside the organization (such as trading partners, etc.) but that is not publicly accessible
• Internet – a global, public TCP/IP network
• Virtual Private Network (VPN) – a network where packets that are internal to a private network pass across a public network; traffic is encrypted, integrity protected, and encapsulated into new packets that are sent across the Internet



Connecting Networks Together
• Bridges – operate at the Link Layer to forward data to all other connected networks if the destination computer (MAC address) is not on the local network
• Routers – operate at the Network Layer and direct (or route) packets to the appropriate “next hop” based on their routing tables and the destination computer’s IP address
• Switches – operate at the Link Layer (or Network Layer) to deliver data to the specific port where the destination MAC address is located
• Firewalls – devices that sit between networks to control and restrict the network traffic that is allowed to flow between those networks. Firewalls enforce network security policy.
• Modems or Dial-in Lines – a device or program that allows a computer to transmit data over telephone lines. These connections can be just as dangerous as a T1 or T3 line



Business Objectives for Connectivity
• Before the mid-1990s, there was little connectivity between computer systems
  - Networks were primarily used to connect terminals to a mainframe, or to connect workstations to shared resources (e.g., for file sharing, printing, etc.) within an organization’s internal network
  - If an organization’s networks were connected to someone else, usually only a few key business partners were connected, and that was through private lines
• The Internet and the coming of “open” connectivity through TCP/IP changed this
• In today’s environment, ease of connectivity is critical to doing business
  - Efficiency – Only key data is sent across the entire supply chain
  - Speed – Transactions need to be processed “real time”
  - Ease – Customers demand a “universal” solution that will interface with multiple technologies
  - Information sharing – Information leads to competitive edge



Objectives of Network Security Controls
• The purpose of network security is to protect internal networks, network devices, and network messages from unauthorized access, usually by outsiders
  - Objective 1: To provide control at all points along the network perimeter in order to block network traffic that is malicious, unauthorized, or that otherwise presents risk to the internal network
  - Objective 2: To detect and respond to attempted and actual intrusions through the network
  - Objective 3: To prevent network messages that are sent across networks from being intercepted or modified in flight
• Network security controls cannot completely eliminate risk. The goal is to minimize risk as much as possible and to avoid unnecessary or excessive risk
• The goal of network security is really to “enable” network connectivity. Without network security, the risks/costs of network connectivity would be prohibitive



Internetworking Increases Security Risk
• Network connectivity dramatically changes the risk profile for systems security
• Question: Who can exploit security weaknesses (e.g., password weaknesses, backdoors, poor access controls, etc.) on internal systems?
  - Answer without connectivity: Only people who can first access my bricks and mortar
  - Answer with connectivity: Anyone who is connected to my network, and anyone who is connected to them, and anyone who is connected to them, and anyone who is connected to them, etc.



Network Security Risks

[Diagram: (1) Hackers (2) connect through networks (3) to exploit security weaknesses on servers – weak passwords, weak access controls, misconfigurations, access without a password, inherent security vulnerabilities, buffer overflows to get privileged access – (4) to attack business processes and applications, and (5) to damage or steal: reliable processing results, confidentiality, service to customers, business reputation, system processes, business data, fraudulent payments]
Network Security Risks
• Denial of Service – Attacks on the availability of networks or computer systems
  - Network packets that violate protocol compliance or that are malformed can cause some systems to crash
  - Some network attacks flood a network with more packets than the network can handle
  - Other network attacks create half-open connections to utilize system resources until none are left
• Information theft – Attacks on confidential information (e.g., customer private information, credit card information, etc.)
  - Network services can be abused by malicious users to log on to (or otherwise access) hosts and other devices on the network
  - Confidential information may be easily accessible through network services due to misconfigurations, poor access controls, etc.
  - Confidential information/messages are intercepted while packets are being sent across publicly accessible network lines



Network Security Risks Continued
• Intrusion – Unauthorized access (usually with privileged access rights) to a network or computer system that could compromise the integrity and/or availability of critical systems and data
  - Some network services allow access to the host without any password required → results in easy access
  - Some network services allow a user to sign on across the network to access the host → used for attacks on default or easily guessed passwords
  - Some network services use trusted access based on host IP addresses that can be spoofed → used to obtain unauthorized access without a password
  - Some network services and malformed packets can be used for surveillance → helps hackers focus their attacks
  - Some network services have buffer overflow vulnerabilities that provide attackers with privileged access → game over
• Reputation – Confidence of customers, business partners, etc. is lost. This is perhaps the biggest (but often overlooked) risk that eBusinesses face
Network Security Risks
• Every connection to external networks introduces risk

[Diagram: the Internal Network is connected to the Internet, to an Extranet, and to two trading partners, TP 1 and TP 2]

• The internal network could be attacked from the Internet (highly likely), from the Extranet (moderately likely), or from a Trading Partner (less likely)
• An attacker from the Internet could also use our internal network connection as a launching point to initiate an attack against the Extranet or one of the Trading Partners
• The Trading Partners could attack each other through us
• If the Trading Partners are connected to the Internet, an attacker could use them as a launching point to attack us



Causes of Network Security Risk
• The Computer Emergency Response Team Coordination Center (CERT/CC) believes that the answer is “chronic system administration problems” and inherent “flaws” in the protocols and network services due to poor design
• The SANS Institute publishes “The Twenty Most Critical Internet Security Vulnerabilities”
  - Default installations that run extraneous network services
  - Accounts with no passwords or weak (default) passwords
  - Unnecessary network service ports left open
  - Packets with spoofed source addresses (packets from outside networks that masquerade as if they originated from the internal network)
  - No logging or incomplete logging
  - Programming flaws and buffer overflows that cause services to crash or execute arbitrary commands with privileged access
  - Unprotected sharing of files and directories over the network
  - Trust relationships that allow access without a password



Network Security
What is network security?
• Network security consists of the technologies and processes that are deployed to protect internal networks from external threats
• The primary goal of network security is to provide controls at all points along the network perimeter which allow access to the internal network and only let traffic pass if that traffic is authorized, valid, and of acceptable risk
• Network security controls cannot completely eliminate risk. The goal is to minimize risk as much as possible and to avoid unnecessary or excessive risk
• When viewed this way, network security is not an “obstacle”, but rather an enabler to doing business. In other words, without network security, the risks of connectivity would be too high



Network Connections to Control
What do you need to control?
• First, define what constitutes the perimeter or the “outer edges” of your network
• Next, define who is “us” and who is “them”, based on trust. Do you, or should you, trust them?
• It is imperative that ALL external connections be controlled, including Internet, Extranet, direct connections to trading partners, dial-in mechanisms, etc.
• It may also be necessary to control connections to subsidiaries and other divisions/departments within the same company (e.g., if there are different controls in place for each division or department)



Network Security
So, how do firewalls, routers and IDS factor into this equation?
• Firewalls are one of the essential technologies that are used at the perimeter of the network to protect internal networks from external threats.
• However, network security is about more than just firewalls.
  - Other technologies (e.g., intrusion detection systems, VPNs and other uses of encryption) are important to network security.
  - Routers have software that provides security checking.
  - Processes (including monitoring, administration, etc.) are also a critical component of an effective network security solution.



Defense in Depth
• The key to effective network security controls is the concept of defense in depth – multiple, overlapping layers of controls are required to provide reliable protection to networks
  - A mixture of preventive and detective/corrective controls is needed
  - A mixture of controls at the network and host layers is required
  - “Holes” in one layer are compensated for by the other layers

[Diagram: between Hackers (outside) and the Internal Network sit successive layers – Routers, Network Architecture, Logging and Monitoring, Firewall, Host Hardening, Encryption/VPN, Intrusion Detection, Intrusion Response – all framed by the Network Security Policy]
Network Security Principles, Part 1
• Least privilege – Only allow access that is legitimately required for authorized business purposes; only allow connectivity and network traffic (protocols and source/destination addresses and ports) that is required, valid, and of acceptable risk
• Use multiple, overlapping layers of control (Defense in Depth) – Do not rely on single solutions, but instead have multiple mechanisms that provide overlapping security controls to back each other up in the case of failure
• Control the perimeter – Place strong controls at all entry points into the network
• Deny everything that is not explicitly allowed – Be as restrictive as possible to account for incomplete information (e.g., there are bad things that you don’t know about yet)



Network Security Principles, Part 2
• Keep it Simple – You need to be able to understand it if you hope to secure it
• Conceal internal network information – Hide internal network information as much as possible so that hackers cannot target their attacks
• Technology isn’t enough – Good network security consists of much more than the latest products and buzz words; it requires comprehensive practices that involve technology, people, and processes
• Network security is a business problem – Network security controls should be determined by business need; a strategy (that is consistent with business need) should drive the deployment of network security products and tools
• Security policy – Required to define acceptable levels of risk and overall direction for the network security practices and procedures



Network Security Principles, Part 3
• Logging and Monitoring – Early detection and response to intrusion attempts is critical
• Encrypt confidential information that is transmitted over untrusted networks – Sensitive information that is sent in clear text could be intercepted
• Do not establish trust based on IP address – IP addresses can be spoofed with tools that craft network packets
• Weakest Link – The system of network controls is only as strong as its weakest component, or as any backdoor (if one exists); modems on PCs could be the weakest link
• Minimize unnecessary risk – Cannot eliminate risk (unless you disconnect!), but you can reduce unnecessary or excessive risk



Effective Controls for Network Security
• Network Security Policy
• Network Architecture
• Hardening Hosts
• Firewalls
• Routers/Switches
• Logging and Monitoring
• Dial-in/Modems
• Intrusion Detection Systems
• Intrusion Response Planning
• Periodic maintenance and validation of network security controls
• Encryption
• Digital Certificates/Digital Signatures
• Virtual Private Networks

(Note: all topics except Dial-in/Modems are included in this course)



Conclusion
• Connectivity between networks greatly increases risk because it enables outsiders to exploit internal security weaknesses
• Network security is the set of control processes and technologies used to protect internal networks from attacks originating on external networks
• Network security controls are focused primarily on controlling the perimeter or boundaries between networks
• Generally accepted principles should be applied (especially “least privilege” and “defense in depth”)
• A well-defined network security policy is a required first step in achieving adequate network security



Network Security Policy
Agenda
• Why Network Security Policy is Needed
• Effective Network Security Policy
• Acceptable Risk
• Network Security Policy Components
• CERT Security Practices



Network Security Policy
• Networking technologies and the security controls that need to be in place are highly complex
• Network security controls are essentially a mixture of diverse products, technologies, manual processes, etc.
• This raises some questions:
  - How do all of these technologies and products fit together?
  - What functions need to be performed so that the network is protected?
  - What is the goal of all of the network security controls?
  - How much “control” is really needed?
  - How can we know that we are secure enough from outsiders?
  - How should the risks of connectivity be balanced against business benefits?
• The answers to these questions are provided by a network security policy



Network Security Policy
• Organizations can achieve sustainable risk reduction and protect information flowing in and out of the network only if network security controls are founded upon a strong security policy
• A policy provides direction, focus, and guidance for how network security controls are to be implemented
  - With an effective policy, the diverse control components of a “defense in depth” strategy are well-coordinated, cohesive, integrated, complementary, and focused. The result is a solid suite of controls that protect internal networks from external threats
  - Without an effective policy, network security controls tend to be ad hoc, poorly integrated “point solutions” with contradictory goals. The result is a “Swiss cheese” implementation that is full of holes that attackers can exploit



Network Security Policy
• Policy development must focus on
  - Starting with the mission needs and business goals
  - Identification and classification of information assets
  - Identification of threats and vulnerabilities
  - Understanding the technology impacts
  - Making informed decisions about trade-offs
  - Identification of residual risks (can never achieve 100% security)
• Finally, policy must be enforceable – it is of no value if not enforced



Network Security Policy
• An effective policy is shaped by multiple factors
  - Risk analysis and risk tolerance
  - Perceived and real threats
  - Organization’s “visibility”
  - Business and internal stakeholder requirements
  - Technologies used
  - Fiduciary responsibility
  - Legal, statutory, regulatory, contractual requirements that an organization must satisfy



Network Security Policy
• To be effective, the Network Security Policy must be:
  - Developed by consensus
  - Designed with a long-term focus
  - Clear and concise
  - Understandable and supported by all stakeholders
  - Explicit about roles and responsibilities – users and support personnel
  - Explicit about acceptable risk
  - Explicit about requirements
  - Supported by well-established standards, guidelines, and procedures
  - Reviewed annually or as changes occur
  - Implementable and enforceable



Acceptable Risk
• Organizations have differing security postures with differing levels of acceptable risk
  - Different organizations have different inherent security risks based on the businesses they are in
  - Different businesses have different tolerance levels for security risk, and different viewpoints on the trade-offs of security vs. ease of use and performance
• The level of network security risk that a company is willing to accept helps to determine its network security policy
• This policy should be documented to ensure that relevant personnel can understand expectations and effectively implement network security controls and practices to support the policy
• All network security controls should be consistent with the overall network security policy



Acceptable Risk
• Determining the acceptable level of risk involves performing a risk assessment analysis
• Examples of risks to consider:
  - Confidentiality – for information to remain confidential, systems and processes must ensure that unauthorized individuals are unable to access private information
  - Vulnerable Authentication Processes – because authentication mechanisms govern trust between users and systems, they are targets for attack
  - Communication Integrity – for the integrity of information to remain intact, systems and processes must ensure that unauthorized individuals cannot alter or delete information
  - Data Collection over Time – information gathering can be quite dangerous as seemingly insignificant bits of information are collected over time by a skilled attacker



Acceptable Risk
• Threats, vulnerabilities and impacts must also be considered in defining acceptable risk.
  - A threat is defined as the potential to cause harm to the organization – intentional or unintentional
  - A vulnerability is a weakness in, or threat to, the information asset. If there are no vulnerabilities, then a threat cannot put the organization at risk
  - Impact reflects the degree of harm and is concerned with how significant the problem is, or how much effect it will have on the organization



Acceptable Risk
• The risk is lowest when threat and impact are both low. As impact, vulnerability, and threat all increase, the issue becomes one of high risk

[Chart: Threat on the vertical axis and Impact on the horizontal axis; low threat with low impact is Low Risk, a high value on either axis alone is Moderate Risk, and high threat with high impact is High Risk]

• High risk is where the greatest return on security investment is found
Network Security Policy Components
• Policy components communicate to the users, managers and support personnel what they need to know. Ideally, this policy should be documented to ensure that relevant personnel can understand expectations and effectively implement practices to support the policy.
• FIREWALL COMPONENT
  - Address specific aspects of security related to the firewall that are not addressed by other policies
  - Clarify how security objectives apply to the firewall
  - Responsibilities of firewall administrators
  - Firewall configuration: remote access policy, supported services, blocked services, configuration change management, etc.
  - Firewall audit policy: granularity of logging, frequency of review, etc.



Network Security Policy Components
• ROUTER COMPONENT
  - Articulate the required “level” of security controls for routers, and guide decision-making regarding the “costs” of security controls vs. the “benefits” of additional security protection
  - Specify requirements for router configuration
  - Provide a baseline for router configuration decisions
  - Define roles and responsibilities in the following areas: privacy, authorization and access (least privilege), auditing and accountability, identification and authentication, availability, network traffic, and violations reporting and notifications
  - Define the logging and monitoring requirements for security activities (e.g., sign-on to router, use of enable password, etc.) and violations (e.g., denied traffic, failed login attempt, etc.)
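As an added example (not course material, and not any router vendor's code), the Python below shows what a monitoring process built on the router component's logging requirements can do with such logs: it separates security activities (successful sign-on, use of the enable password) from violations (failed logins, denied traffic) and raises an alert when one source accumulates repeated failures or is denied on many distinct ports. The log format, device name and addresses are constructed for the demo; real routers use their own syslog formats, so only the parsing function would change.

```python
"""Review constructed router/firewall log lines for the security activities and
violations that a router policy component names (sign-on, use of enable, denied
traffic, failed logins). Added example, not course material; the
'<timestamp> <device> <EVENT> key=value ...' line format is invented for this demo."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$")

# Constructed sample: one router, routine administration plus two abuse patterns
# (repeated failed logins from one address, one address denied on many ports).
SAMPLE_LOG = """\
2002-03-01T09:00:01 rtr1 LOGIN_OK user=admin src=10.0.0.12
2002-03-01T09:00:05 rtr1 ENABLE_OK user=admin src=10.0.0.12
2002-03-01T09:01:10 rtr1 LOGIN_FAILED user=root src=198.51.100.9
2002-03-01T09:01:12 rtr1 LOGIN_FAILED user=admin src=198.51.100.9
2002-03-01T09:01:15 rtr1 LOGIN_FAILED user=cisco src=198.51.100.9
2002-03-01T09:01:19 rtr1 LOGIN_FAILED user=admin src=198.51.100.9
2002-03-01T09:02:00 rtr1 LOGIN_FAILED user=admin src=10.0.0.12
2002-03-01T09:03:01 rtr1 DENY proto=tcp src=192.0.2.77 dst=10.0.0.20 dport=21
2002-03-01T09:03:01 rtr1 DENY proto=tcp src=192.0.2.77 dst=10.0.0.20 dport=23
2002-03-01T09:03:02 rtr1 DENY proto=tcp src=192.0.2.77 dst=10.0.0.20 dport=25
2002-03-01T09:03:02 rtr1 DENY proto=tcp src=192.0.2.77 dst=10.0.0.20 dport=110
2002-03-01T09:03:03 rtr1 DENY proto=tcp src=192.0.2.77 dst=10.0.0.20 dport=139
2002-03-01T09:03:03 rtr1 DENY proto=udp src=192.0.2.77 dst=10.0.0.20 dport=161
2002-03-01T09:04:30 rtr1 DENY proto=tcp src=192.0.2.5 dst=10.0.0.20 dport=80
2002-03-01T09:04:31 rtr1 DENY proto=tcp src=192.0.2.5 dst=10.0.0.20 dport=443
this line is not in the expected format and is skipped
"""

SECURITY_ACTIVITIES = {"LOGIN_OK", "ENABLE_OK", "CONFIG_CHANGE"}   # privileged use: keep for review
LOGIN_VIOLATIONS = {"LOGIN_FAILED", "ENABLE_FAILED"}


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    rec.update(pair.split("=", 1) for pair in m["kv"].split())
    return rec


def analyze(log_text, fail_threshold=3, port_threshold=5):
    """Separate routine security activity from violations and alert on two patterns:
    repeated login/enable failures from one source, and one source denied on many
    distinct (protocol, port) pairs, which is how a probe shows up in deny logs."""
    activities, fails, denied = [], defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # unknown format: counted nowhere, never silently matched
        src = rec.get("src", "?")
        if rec["event"] in SECURITY_ACTIVITIES:
            activities.append(rec)
        elif rec["event"] in LOGIN_VIOLATIONS:
            fails[src] += 1
        elif rec["event"] == "DENY":
            denied[src].add((rec.get("proto"), rec.get("dport")))
    alerts = [("password-guessing", src, n) for src, n in fails.items() if n >= fail_threshold]
    alerts += [("port-probe", src, len(p)) for src, p in denied.items() if len(p) >= port_threshold]
    return {"activities": activities, "alerts": sorted(alerts)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for a in report["activities"]:
        print("activity:", a["ts"], a["host"], a["event"], a.get("user"))
    for kind, src, count in report["alerts"]:
        print("ALERT:", kind, "from", src, "count", count)
```

The thresholds are parameters because the policy, not the code, decides how many failures or probed ports are tolerable; the single failed login from the administrator's own address stays below the threshold and produces no alert, while the two privileged activities are kept for periodic review rather than alerting.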



Network Security Policy Components
• IDS COMPONENT
  - Define how intrusion monitoring will occur
  - Intrusion detection policy: alerts, notification and escalation procedures, response priorities, etc.
  - Procedures for backups and outages
  - Define roles and responsibilities in the following areas: authorization and access (least privilege), auditing and accountability, and violations reporting and notifications
  - Inform users that network monitoring will be in place
  - Purpose for monitoring
  - Specify the type of unexpected network behaviors that will be monitored
  - Require users to report any suspicious behavior to security personnel and system administrators



CERT Security Practices
• Best practices that address 85% of compromises
• Seven categories of evaluative criteria:
  1. Security Policy
  2. Secure Network Servers
  3. Secure Web Servers
  4. Deploy Firewalls
  5. Setup Intrusion Detection and Response Processes
  6. Detect Signs of Intrusion
  7. Responding to Intrusions
• These criteria can be used as the foundation of a network security audit or self-evaluation of controls



CERT Security Practices
Security Policy
• Has an effective security policy been defined with these characteristics?
  - Designed with a long-term focus and kept up-to-date
  - Clear, concise, understandable, and supported by all stakeholders
  - Role-based and independent of positions and titles
  - Realistic, implementable, and enforceable
  - Specific about areas of responsibility and authority (e.g., enabling system administrators to operate with management authority when needed), as well as separation of duties
  - Well-defined, and supported by well-established standards, guidelines, and procedures
• Can any user (general, administrator, manager, etc.) answer questions about the security policy? (e.g., Where are policies defined? Who establishes them? Who monitors compliance? How often is the policy updated?)
• Do security policies cover all necessary topics?



Conclusion
• The main function of network security is to control access to the network and its shared resources.
• Organizations can only achieve sustainable risk reduction and protect information flowing in and out of the network through development of a strong security policy. The policy is the foundation of all other network security controls.
• Risk assessment is fundamental in determining the acceptable level of risk that will be defined in the security policy.
• The security policy should define roles and responsibilities of users and support personnel.
• The expected behaviors of the users of the network are also defined and enforced.
• Standards and procedures on how the policy is implemented should flow from and add support to the security policy.
Firewall Topologies & Architectures
Agenda
• Definitions and Firewall Components
• Categories of Firewalls
  - Simple Packet Filter
  - Stateful Inspection
  - Application Proxies
  - Firewall Hybrids
  - Personal Firewalls
• Firewall Network Topologies
• CERT Security Practices for Firewalls



Introduction to Firewalls
What is a firewall?
• A network device used to restrict traffic passing between networks
• A firewall can consist of hardware and software, or even several components working together
• Used to implement security policies which govern the flow of traffic between two or more networks
• Three main categories of firewalls: simple packet filters, stateful inspection filters, and application proxies



Firewall Components
Firewalls can consist of several components...
• Software that runs on a standard host operating system (such as Solaris or Win2000). Example: Check Point Firewall-1 running on Solaris or Symantec’s Raptor firewall running on WinNT
• Hardware and software that form an integrated or appliance firewall. Example: Check Point Firewall-1 running on a Nokia IPSO appliance or Cisco PIX firewall
• Router running Internetworking Operating System (IOS). Example: Cisco router
• A combination of firewall hosts, integrated firewalls, and routers



Categories of Firewalls
• Simple packet filter: Specifies packets to filter (e.g., allow or discard) during the routing process
• Stateful inspection filter: Provides additional filtering based on the payload (message content) and the context established by prior packets
• Application proxy: An application program that runs on a firewall system to make all decisions at the application layer about establishing connections and forwarding packets between two networks
• Hybrid Firewalls: Blending of the firewall types mentioned above
• Personal Firewalls: Firewalls designed to protect personal computers and home networks



Simple Packet Filters
What is a simple packet filter?
• Selectively controls the flow of packets in/out of a network or between networks
• Control is based on and enforced through a series of rules. These rules are based on information stored in the IP and TCP/UDP/ICMP headers
• Rule criteria can be based on the following characteristics of the IP packet:
  - Source and/or destination IP address
  - Protocol, including TCP, UDP, ICMP, or all IP
  - TCP or UDP source and/or destination ports
  - ICMP message type
  - TCP flags, especially ACK (to distinguish a new connection from a reply to an established connection)



Simple Packet Filters
• Packet filters validate every single packet based on information contained only within that packet itself
  - There are multiple packets involved in a connection (e.g., initiating packets, reply packets, etc.)
  - Each type of packet requires a rule
  - Many rules could be required for a single type of connection
  - Rules can get very complex
• Possible actions include:
  - Permit the packet to pass
  - Drop the packet (e.g., without notifying the sender)
  - Reject the packet and send an error message to the sender
  - Log information about the packet within audit trails
  - Set off an alarm
• Packet filters can process packets quickly (high performance), but cannot reliably track connection state. Additionally, they cannot handle some protocols (e.g., FTP) that use additional ports beyond the initial connection



Why is State Important?
• A packet arrives on the outside interface. It could be one of two things:
  1. A packet intended to start a new “connection” originating from the outside. This is risky because the packet could be inappropriate or malicious.
  2. A packet that is replying to a request initiated from the inside. This is less likely to present a risk and more likely to be legitimate.
• A brand new packet and a “reply” packet appear very similar
  - Both have source IPs from the outside, destination IPs for the inside, and appear on the external interface.
  - The only difference is in the TCP flag bits:
    - New traffic has SYN; return traffic for existing connections has ACK
    - TCP flags can be crafted or manipulated, so these are not good ways to track state
    - UDP, ICMP, and other protocols do not have the flags; only TCP does



Stateful Inspection Filters
What is a stateful inspection filter?
• Considers both the current packet (including contents) and prior packets
• Should be used whenever there is a need to differentiate between “an incoming return/reply packet for an outgoing connection” and “an incoming packet for an incoming connection”
• Extracts state-related information from the application layer, such as the FTP PORT command that defines the data channel port, and opens that port for the life of the connection



Stateful Inspection Filters
• Stateful inspection filters maintain tables to track the state of each connection
• State tables track: source address, destination address, source port, destination port, connection expiration time limit
• Any packet that matches a connection in the table (based on addresses and ports) is considered part of the same connection
• Packets that don’t match an existing connection in the table are considered new and are added to the table (assuming that the connection passes the filtering rules which have been defined)



Stateful Inspection Filters
³ Stateful inspection rules are very different than simple
packet filter rules
O Packet filter rules are written for each packet – may require
two, four, or even more rules for an outbound service
O Stateful inspection rules are written at the connection level –
requires only a single rule for an outbound service

³ Stateful inspection firewalls have two sources of filtering
information: rules and the connection state table

³ Not every packet needs to be checked against the rules
O Only the first packet of a TCP connection (SYN) needs to be
checked against the filtering rules
O Subsequent TCP packets (ACK) only require checking
against the state table
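The connection-level logic of the preceding stateful inspection slides, as an added Python illustration (not code from the slides): rules are consulted only for connection-opening packets, every other packet must match a state table entry that expires when idle, and a packet with an internal source address arriving on the outside interface is dropped as spoofed. The address ranges, rule format, timeout and sample packets are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed demo topology: 10.0.0.0/8 is the inside; everything else is outside.
INTERNAL = ip_network("10.0.0.0/8")
IDLE_TIMEOUT = 300  # seconds a tracked connection may stay idle before it expires (assumed)


@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrived on: "inside" or "outside"
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP flags; a SYN without ACK is a connection-opening packet
    ack: bool = False


class StatefulFilter:
    """Rules are consulted only for packets that open a connection; all other
    packets must match an entry in the state table (in either direction)."""

    def __init__(self, rules, now=0):
        # rule = (arrival interface, proto, destination network, destination port)
        # that is allowed to OPEN a connection: one rule per service, not per packet
        self.rules = rules
        self.table = {}  # (proto, src, sport, dst, dport) -> expiry time
        self.now = now

    def tick(self, seconds):
        self.now += seconds

    def _opens_connection(self, p):
        # Only TCP carries flags; for UDP the first datagram seen is the opener.
        return p.proto != "tcp" or (p.syn and not p.ack)

    def _rule_allows(self, p):
        return any(iface == p.iface and proto == p.proto and port == p.dport
                   and ip_address(p.dst) in ip_network(net)
                   for iface, proto, net, port in self.rules)

    def process(self, p):
        """Return the decision and its reason: 'allow:rule', 'allow:state',
        'drop:spoofed', 'drop:no-state' or 'drop:rule'."""
        # An internal source address on the external interface can only be spoofed.
        if p.iface == "outside" and ip_address(p.src) in INTERNAL:
            return "drop:spoofed"
        # Expire idle entries before looking anything up.
        self.table = {k: t for k, t in self.table.items() if t > self.now}
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            if key in self.table:
                self.table[key] = self.now + IDLE_TIMEOUT  # refresh on activity
                return "allow:state"
        if not self._opens_connection(p):
            # An ACK with no tracked connection behind it: the flag alone proves nothing.
            return "drop:no-state"
        if self._rule_allows(p):
            self.table[fwd] = self.now + IDLE_TIMEOUT
            return "allow:rule"
        return "drop:rule"


def demo():
    """Walk a small constructed packet sequence through a filter with a single
    outbound rule (inside hosts may open TCP/80 to anywhere)."""
    fw = StatefulFilter(rules=[("inside", "tcp", "0.0.0.0/0", 80)])
    out_syn = Packet("inside", "tcp", "10.1.1.5", 40000, "198.51.100.7", 80, syn=True)
    reply = Packet("outside", "tcp", "198.51.100.7", 80, "10.1.1.5", 40000, ack=True)
    stray_ack = Packet("outside", "tcp", "198.51.100.7", 80, "10.1.1.9", 40001, ack=True)
    inbound_syn = Packet("outside", "tcp", "203.0.113.9", 5555, "10.1.1.5", 22, syn=True)
    spoofed = Packet("outside", "tcp", "10.1.1.9", 123, "10.1.1.5", 80, syn=True)
    decisions = [fw.process(pk) for pk in (out_syn, reply, stray_ack, inbound_syn, spoofed)]
    fw.tick(IDLE_TIMEOUT + 1)            # let the web connection sit idle past its limit
    decisions.append(fw.process(reply))  # the same reply now has no state behind it
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The single outbound rule covers both directions of the web connection, which is the point of connection-level rules; the identical-looking stray ACK and the expired reply are dropped because no state entry vouches for them.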



Application Proxies
What is an application proxy?
³ A firewall that understands and is able to interpret information in the “data” part
of network packets, including commands at the application protocol level.
³ Application proxy firewalls “break” the client-server model. Each connection
between client and server actually requires two connections: one between client
and firewall, and the other between firewall and server.
³ Application-level proxy processes run on the firewall to interpret the application
data contained in the network packets. Proxies can analyze application-level
commands and filter on application-level criteria (e.g., HTTP content types,
viruses in mail messages, etc.).
³ Proxies rewrite packets before sending them along to internal hosts.



Application Proxies
Advantages of proxy firewalls...
³ Enable filtering based on the entire network packet. Application
layer vulnerabilities can be detected (e.g., CGIs or HTTP parms,
viruses, etc.)
³ Provide authentication capability (IDs/passwords, certificates,
etc. that are passed in the “data” part of the packet)
³ Routing between dual-homed interfaces is not possible, so firewall
filtering cannot be bypassed
³ Provide more detailed logging by including application layer
information (e.g., not just IP addresses of web server, but URLs
as well)
³ Prevent direct connections to the inside, since the connection is
broken at the firewall
³ Reconstruct network packets, which prevents malformed packet
attacks



Application Proxies
Disadvantages of proxy firewalls...

³ Poor performance – application proxies are slow because all
packets have to be processed up the full TCP/IP stack

³ Only a limited number of common services have proxy agents
available



Application Proxies
Services that typically have proxy agents...

³ Telnet
³ FTP
³ HTTP, HTTPS
³ SMTP
³ DNS
³ NNTP
³ LDAP
³ Finger



Application Proxies
³ CERT recommends using proxies for monitoring or
restricting outbound web access, and wherever else as
needed

³ Many organizations use stand-alone, dedicated proxy
servers to perform filtering
O Dedicated proxy servers typically sit behind the firewall
O Commonly used to provide authentication, URL filtering,
and logging of outbound WWW traffic
O Can also be used to filter inbound traffic (e.g., strip Java
applets or ActiveX code, filter viruses in emails, etc.)
O Firewall rules need to support/enforce use of the proxy
servers (e.g., only accept outbound WWW traffic if it
originates from the proxy server)



Firewall Hybrids
³ Most firewalls are hybrids and contain features of several
different types of firewalls
O Some simple packet filters contain limited state functions,
and sometimes even more. For example, Cisco routers can
perform limited state tracking for TCP using reflexive ACLs.
In addition, an optional firewall feature set is available.

O Stateful inspection firewalls also provide some limited proxy
support for authentication and basic filtering. For example,
Firewall-1 contains security servers for HTTP, SMTP, and
FTP.

O Proxy firewalls have packet filtering capabilities for
protocols that are not proxiable. For example, Symantec
Raptor firewall offers simple filtering rules on tunnels.



Firewall Selection

³ Selecting the best firewall depends on several factors:
O Because firewalls are often hybrid, the category of the
firewall (e.g., packet filter, stateful inspection, application
proxy) is not as important as the feature-set
O Generally, a stateful inspection firewall is considered
sufficient
O Check Point Firewall-1 (a stateful inspection firewall with
some HTTP, SMTP, and FTP proxy servers) is the market
leader



Personal Firewalls
³ Workers may be connected to corporate networks from
their home PCs
O High-bandwidth mechanisms – DSL, cable modems
O VPNs for remote connections

³ What happens if home PCs are compromised and used as a
launching point for attacks on corporate networks?

³ This is why companies have to consider personal firewalls
as a part of their total security solutions



Personal Firewalls
³ Personal firewalls can be software products that protect a
particular desktop machine, or they can be hardware
appliances that protect a home network

³ They perform a variety of functions:
O Packet filtering based on port and source address
O Logging and alerting of attacks (especially BlackICE
Defender)

³ They sometimes allow for remote management. This
feature enables a company to centrally manage and
administer rule sets



Firewall Topologies

³ There are several types of firewall topologies
(architectures) for placement of firewalls in a network

³ Firewalls can consist of single hosts or routers, or of
several routers and hosts working together (e.g., routers
directing network traffic to the firewall and the firewall
handling most of the filtering)

³ Dual-homed hosts (one host with two network
connections) are often used as firewalls. A dual-homed
host has one inside interface and one outside interface
O For proxy firewalls, host-level routing is turned off
O The only way to pass traffic between networks is through the
firewall, usually at the proxy or application layer



Firewall Topologies
³ Firewall topologies relate to the network architecture
O How are the networks going to be interconnected?
O Is more than one firewall needed?
O Where will the firewall(s) be placed?

³ A sound network architecture and firewall topology is
required to ensure an effective system
O The placement of the firewall can dramatically affect the
effectiveness of filtering
O Traffic must pass through the firewall in order to be filtered.
Routers must route traffic to the firewall, or physical
connections must ensure that the only way into the network
is through the firewall



Firewall Topologies
Border or Screening Router Firewall

³ A screening router or dual-homed host connects and filters traffic
between two networks
O Could screen the internal network by filtering traffic between the
outside and the many hosts on the internal network that send/receive
traffic from/to outside
O Could screen a hardened host by filtering traffic between that single
host on the internal network that sends/receives traffic from/to the
outside, and deny all outside traffic to/from other internal hosts



Firewall Topologies
Untrustworthy host

³ A hardened host exists outside of the border firewall. All traffic is
routed to/from that untrusted host



Firewall Topologies
Perimeter Network or Demilitarized Zone (DMZ)

³ An intermediate network placed between the protected network
and an untrusted network in order to provide an added layer of
security

³ The DMZ serves as a connection point between internal and
external (untrusted) networks. Externally accessible systems are
placed in the DMZ so that outsiders can be blocked from
accessing the internal network

³ The DMZ network (and the hosts that reside on it) should not be
trusted by the internal network

³ The most secure topologies use multiple hosts/routers (e.g.,
defense in depth) with a DMZ in between.

There are two types of DMZ topologies:



Firewall Topologies
Single firewall with a DMZ
³ A single firewall sits between three networks: the internal
network, the external network, and the DMZ network on which
the untrusted host resides



Firewall Topologies
Screened subnet or dual-firewall DMZ
³ Two firewalls exist, one between the internal network and the
DMZ, and the other between the DMZ and the external network



Firewall Topologies
³ The most secure topology uses a DMZ with dual firewalls

O The outside firewall filters inbound traffic that is allowed to pass
from the outside into the DMZ (e.g., HTTP, HTTPS, FTP, etc.)
O The untrustworthy hosts are hardened, bastion systems that provide
single-services (e.g., web servers, ftp servers, mail servers, etc.)
O The internal firewall filters inbound traffic that is allowed to pass
from the DMZ to the internal network (e.g., database SQL calls,
application servers, policy servers, etc.)
O No services are allowed to pass from the outside network, through
both firewalls, and to the internal network
O If multiple firewalls are used, there is an advantage to using
different products/brands so that a weakness in one product does
not introduce a “hole” all the way through the network.
³ Each firewall could consist of a firewall host (or integrated
firewall) bordered by two routers
O Router access lists would supplement or complement the filtering
and logging being performed by the firewall host (or integrated
firewall). Typically, firewalls and their surrounding routers need to
be evaluated together



Criteria for Effective Firewall Controls
Effective firewall controls:
³ All traffic passing between the internal network and external networks should
pass through the firewall (via routing, network topology, and/or other controls)
³ Firewalls should allow inbound network services only if they are required,
authorized, appropriate (per security policy), and considered to be of acceptable
risk
³ Firewalls should restrict network services and source/destination host addresses
as much as possible (e.g., limit to particular hosts instead of an entire network)
³ Firewalls should deny network traffic with internal network source addresses
that is received on the external network interface (i.e., this traffic is spoofed)
³ Firewalls should log all traffic that is denied, and summarize all traffic that is
permitted
³ Firewalls should generate real-time alarms for suspicious activity
³ Firewalls should hide the structure of the internal network
³ Firewalls should keep track of state and (if possible) combine control measures
both at the application and network level



Criteria for Effective Firewall Controls
Key Audit Steps – Topologies and Architectures
³ Ensure that the chosen firewall product was selected based on
the security functionality that it provides
³ Ensure that the firewall provides stateful inspection filtering,
especially if UDP is allowed through the firewall
³ Ensure that application-layer filtering is provided through
proxies as appropriate (e.g., to filter WWW sites, strip HTTP
and SMTP traffic of unneeded MIME file types, block hostile
java applets, etc.)
³ Ensure that the network topology prevents traffic from bypassing
the firewall (e.g., all traffic is routed through the firewall)
³ Ensure that firewalls drop packets without notifying the senders
(e.g., through ICMP unreachable or TCP RST/FIN)
³ Ensure that authentication is used to restrict access to sensitive
network services



Criteria for Effective Firewall Controls
Key Audit Steps – Topologies and Architectures (continued)
³ Ensure that the network topology implements a secured subnet
“DMZ” for all externally accessible hosts
³ Ensure that dual firewalls are used as appropriate, e.g., an
“external” firewall to protect the DMZ from the outside and an
“internal” firewall to protect the internal network from the DMZ
³ Ensure that remote and home-based employees have personal
firewalls installed as appropriate, and ensure that personal
firewalls are managed/monitored by the home office (e.g., to prevent
users from disabling or changing filtering rules)



CERT Security Practices
³ Best practices that address 85% of compromises

³ Seven categories of evaluative criteria:
1. Security Policy
2. Secure Network Servers
3. Secure Web Servers
4. Deploy Firewalls
5. Setup Intrusion Detection and Response Processes
6. Detect Signs of Intrusion
7. Responding to Intrusions

³ These criteria can be used as the foundation of a network
security audit, or self-evaluation of controls



CERT Security Practices
Deploy Firewalls (summary)
³ Do network systems security policies address the following topics:
allowed inbound services, allowed outbound services, requirements that
all network traffic go through the firewall (e.g., no traffic is allowed to
bypass the firewall)?
³ Has a secure network topology been chosen (e.g., dual-firewall DMZ)?
³ Have security policy enforcement mechanisms (e.g., firewalls) been
provided at all network boundaries in order to restrict unauthorized
traffic?
³ Have firewall routing configurations been set-up to properly forward or
discard network packets?
³ Have firewall filtering rules been effectively implemented to restrict
access to protected networks?
³ Have firewall filtering rules been documented and validated?
³ Has logging been configured appropriately?
³ Has the firewall system been set-up to alert in real-time when
significant events occur?
³ Has the firewall configuration (the system itself and the filtering, and
logging capabilities) been tested to ensure that it is appropriately
defined?
³ Is the firewall tested/scanned in production to verify its behavior?



Conclusion
³ Firewalls filter malicious or unauthorized network traffic
at the perimeter of the network

³ Simple packet filters are the fastest firewalls, but they are
not secure. Application-layer proxy firewalls are the most
secure, but are slow

³ Stateful inspection firewalls dominate the market and
provide suitable security controls for most organizations

³ A network topology with a DMZ is the most secure



Encryption
Agenda
³ Cryptography Terms
³ Types of Encryption: Symmetric and Asymmetric
³ Security Requirements for Encryption
O Confidentiality
O Integrity using HMAC
O Authentication
³ How Asymmetric Encryption Provides CIA
³ Encryption Products
O SSL
O SSH
O PGP
³ Key Audit Procedures
³ CERT Security Practices



Cryptography Terms
³ Cryptography is the science of concealing the meaning of
a message from unintended recipients
O Only the intended recipient is able to read and understand the
message
³ An encryption algorithm (or a cipher) is a method of
encryption and decryption.
³ All modern algorithms use a key to control encryption and
decryption; a message can be decrypted only if the key
matches the encryption key
³ Good cryptographic systems should always be designed so
that they are as difficult to break as possible



Symmetric Encryption
³ Two main categories of cryptographic techniques:
Symmetric and Asymmetric
³ Symmetric (or secret) key encryption – uses a single secret
key that is shared by the sender and the recipient to
encrypt and decrypt the message.

[Diagram: Message (Clear) -> Encrypt with Secret Key -> Message (Encrypted) -> Transmit -> Message (Encrypted) -> Decrypt with Secret Key -> Message (Clear); the sender's and recipient's secret keys are equal]

³ The key advantage of Symmetric encryption methods is
performance – encryption/decryption are relatively fast.
³ The difficulty is that the sender and recipient must both have
knowledge of the key. How do both parties learn the
key to use? The keys cannot simply be transmitted, or they will be
compromised.
Symmetric Encryption
³ Examples of symmetric (or secret) key encryption
O DES – Data Encryption Standard uses a 56-bit key
(64-bit block with 8 parity bits)
O 3DES – Triple DES encrypts a message three times using
DES. 3DES can use either 2 or 3 encryption keys (for up to
168-bit key length)
Q EDE2 = Encrypt with K1, decrypt with K2, encrypt with K1
Q EE2 = Encrypt with K1, encrypt with K2, encrypt with K1
Q EE3 = Encrypt with K1, encrypt with K2, encrypt with K3; this
is the strongest form of DES
O AES – Advanced Encryption Standard uses the Rijndael
Block Cipher with keys of 128, 192, or 256 bits. AES has
faster performance than 3DES and is stronger.
O IDEA – International Data Encryption Algorithm uses a 128-
bit key



Asymmetric Encryption
³ Asymmetric (or public key) encryption – uses two keys
(one key is public and the other is private) that are
mathematically related to encrypt and decrypt the message.

[Diagram: Message (Clear) -> Encrypt with Encryption Key -> Message (Encrypted) -> Transmit -> Message (Encrypted) -> Decrypt with Decryption Key -> Message (Clear); the two keys are different but related]

³ The advantage of asymmetric key encryption techniques is
that it simplifies the key distribution problem – by
allowing the encryption key used by “other” parties to be
publicly accessible.
³ However, asymmetric encryption methods are very slow
(e.g., up to 1000 times slower and more processor intensive than
secret key encryption) and inherently easier to crack.



Asymmetric Encryption
³ The two keys involved in asymmetric encryption are called
the private key and the public key
O The private key needs to be kept private – only the entity that
owns the key (e.g., a host, a person, etc.) needs to know the
private key. No one else should have access to it.
O The public key is made available to anyone and everyone
who requests it – there is no need to restrict access to the
public key.
³ Characteristics of the keys
O The public key is different from (but mathematically related
to) the private key
O The private key cannot be derived from the public key
O A message encrypted by the private key can be decrypted
only with the public key (and vice versa)
O A message encrypted by the public key cannot be decrypted
with the public key, but only with the private key



Asymmetric Encryption
³ Examples of asymmetric (or public key) encryption
O RSA – named after the inventors (Rivest, Shamir, and
Adleman); based on the difficulty of factoring the product of
two large prime numbers. RSA can have 768, 1024, 2048,
or 3072 bit key lengths. To be effective, an RSA key should
be at least 1024 bits (and most likely longer).
O Diffie-Hellman – is a method for securely exchanging secret
keys over a non-secure medium without exposing the key.
D-H uses 768 or 1024-bit keys.



Symmetric vs. Asymmetric Encryption
³ The effectiveness of encryption depends on two things:
the strength of the encryption algorithm and the length of
the encryption key
³ Asymmetric algorithms are easier to crack than symmetric
algorithms and therefore require significantly larger (8-16
times larger) key sizes to protect the reliability of
encryption
O A 64 bit key symmetric algorithm is about as strong as a 512
bit key asymmetric algorithm
O A 112 bit key symmetric algorithm is about as strong as a
1792 bit key asymmetric algorithm
O A 128 bit key symmetric algorithm is about as strong as a
2304 bit key asymmetric algorithm (*** This is the
minimum best practice to use for key length ***)



Symmetric vs. Asymmetric Encryption
³ Key management is critical for reliable encryption
O Symmetric key encryption is a challenge because both
parties have to use the same key.
Q Before any communication can occur between parties, they
need to derive a mutual secret key. This adds extra overhead
for each additional user/host that wants to communicate.
Q But the biggest problem is how do they communicate the key
securely? May have to rely on “out of band” communication
(e.g., phone, fax, mail, etc. to share the key between parties).
O Asymmetric key does not have this challenge. Public keys
can be accessed publicly and in many cases are already
universally available. No “secrets” need to be exchanged.
Q Public key encryption has a related challenge. How do you
ensure that the party that has the key is really who you think
they are? More on this later in the presentation.



Symmetric vs. Asymmetric Encryption
³ Many standard encryption methodologies represent a
hybrid of symmetric and asymmetric algorithms to take
advantage of the strengths of each type
O At the front-end of a connection, use an asymmetric (public
key) algorithm to handle the negotiation or exchange of a
shared secret key.
Q This shared secret key may be called a session key since it is
valid for only one session and is re-negotiated whenever a new
connection is initiated
Q Usually, the session key has a session timeout to expire the key
and address the risk of capture and replay
O Then, use a symmetric (shared secret key) algorithm to
encrypt and decrypt the “payload” of messages themselves
Q This takes advantage of the higher performance of symmetric
key methods and allows the use of shorter encryption keys
while still ensuring appropriate encryption strength



Security Requirements for Cryptography
³ Cryptographic techniques can be used to provide
O Message confidentiality – preventing unauthorized recipients
from understanding the meaning of a message.
Cryptography is especially useful if sensitive/confidential
messages must be sent over public or insecure networks
where intruders may be eavesdropping.
O Message origination authentication – detecting whether a message
is valid or has been sent by an impersonator.
Cryptography can be used to indicate whether a message is
authentic and was truly sent by the claimed sender.
O Message integrity – detecting any modification of a message
that has occurred. Cryptography can be used with
“hashing” algorithms to identify changes made to network traffic
in flight, or changes to significant files/messages that are
stored on disk.



Confidentiality
³ Encryption techniques can be used to achieve
confidentiality by obscuring the meaning of messages
before they are sent over public or unsecured networks
³ If cryptographic techniques are applied to all sensitive
communications across the network, intruders may be able
to intercept those messages but will not be able to “read”
them

[Diagram: “The secret formula is ….” is encrypted before crossing the Internet as “M&28^M7hNt!$v30mNk …” and decrypted back by the recipient; an eavesdropping “Bad Guy” asks “Huh? What does this gobbledygook mean?”]



Origination Authentication
³ The recipient of a message can validate the origin
authenticity of the message by verifying that the originator
knew the appropriate encryption key
³ If the message (or a hash of the message) decrypts
properly, then the recipient can have some assurance that
the message originated from the claimed sender
³ However, origin authentication only provides assurance
that someone with knowledge of the appropriate
encryption key sent the message
O This is not necessarily the claimed originator of the message
(e.g., if the encryption keys have been compromised)
O If the encryption keys were kept confidential, then there is
more assurance that a message did in fact originate from the
claimed sender and is a genuine/valid message



Message Integrity
³ Message integrity is provided via Hashed Message
Authentication Code (HMAC)
³ An HMAC is a cryptographic hash algorithm that uses a
key to generate a checksum for a message
O A hash function condenses a variable length message into a
fixed length message digest or checksum
O The message digest (checksum) that is calculated should be
unique to the original message, like a “fingerprint” of the
message
Q No other message should be able to produce the same
checksum
Q Any change (even a single character) in the original message
should produce an entirely different checksum
O Cryptographic hashing algorithms (e.g., those using keys)
provide stronger protection, and therefore should be used



Message Integrity
³ Message integrity is validated by the recipient
O The sender generates a message digest
O The sender transmits the message as well as the message
digest to the recipient
O The recipient generates a new message digest (using the
same algorithm and keys as the sender)
O The recipient compares the new message digest to the
message digest transmitted by the sender. If they match,
then the message has not been modified. If they differ, then
the message was modified in flight.
[Diagram: Sender hashes the Message with the Key to produce a Message Digest, appends the Digest to the Message and sends both; Receiver splits them, hashes the received Message with the same Key, and checks whether the new Digest matches the received one]
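The hybrid pattern from the Symmetric vs. Asymmetric slides (an asymmetric exchange agrees on a session key, then a symmetric algorithm protects the payload) combined with the sender/recipient digest check just described, as an added Python illustration that is not code from the slides: Diffie-Hellman agreement, a session key derived from the shared secret, and HMAC-SHA256 digests that the recipient recomputes and compares. The demo-sized DH group, the derivation label and the sample message are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo group (assumption): p = 2**127 - 1 is a known Mersenne prime, g = 2.
# It is far too small for real use, where standardized 2048-bit-or-larger groups apply.
P = 2**127 - 1
G = 2


def dh_keypair():
    """Return (private, public): private is random, public = g^private mod p.
    The public value can be sent in the clear; only the private value is secret."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub, context=b"demo session key v1"):
    """Derive a fixed-length session key from the DH shared secret.
    Hashing the raw secret with a context label (assumed) avoids using a
    group element directly as a key and yields exactly 32 bytes for HMAC."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(context + shared.to_bytes(16, "big")).digest()


def tag_message(key, message):
    """Sender side: the message digest, keyed with the session key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key, message, tag):
    """Receiver side: recompute the digest with the same key and compare in
    constant time.  True means the message is unmodified AND was produced by
    a holder of the session key (origin authentication by key knowledge)."""
    return hmac.compare_digest(tag_message(key, message), tag)


def demo():
    """Run the exchange between two parties and show what an eavesdropper,
    who sees only the public values, can and cannot do."""
    a_priv, a_pub = dh_keypair()   # client key pair
    b_priv, b_pub = dh_keypair()   # server key pair
    # Each side combines its own private value with the peer's public value.
    k_client = session_key(a_priv, b_pub)
    k_server = session_key(b_priv, a_pub)

    message = b"transfer 100 to account 42"          # constructed sample payload
    tag = tag_message(k_client, message)              # appended by the sender

    # The eavesdropper holds a_pub and b_pub but no private value, so any key
    # it derives comes from its own private value and will not match.
    e_priv, _ = dh_keypair()
    k_eve = session_key(e_priv, a_pub)

    return {
        "keys_match": k_client == k_server,
        "genuine": verify_message(k_server, message, tag),
        "tampered": verify_message(k_server, b"transfer 900 to account 42", tag),
        "forged": verify_message(k_server, message, tag_message(k_eve, message)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```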



Message Integrity Algorithms
³ The following HMAC algorithms are commonly used:
O MD5 – The Message Digest 5 algorithm uses a 128-bit
encryption key and generates a message digest that is 128
bits long. The underlying algorithm (MD5) has some
weaknesses.
O SHA-1 – The Secure Hash Algorithm uses a 160-bit
encryption key and generates a message digest that is 160
bits long
O SHA-1 is cryptographically stronger than MD5, but is more
CPU-intensive and may cause performance problems if used
extensively



Confidentiality, Integrity, and Authentication
³ Both symmetric and asymmetric cryptography could be
used to address security requirements
³ Confidentiality, Origin Authentication, and Integrity can
be provided equally by symmetric and asymmetric
encryption
O How symmetric encryption accomplishes this is easy to
understand, but asymmetric encryption is not as intuitive
O Asymmetric encryption uses 2 of 4 possible keys (sender’s
public key, sender’s private key, recipient’s public key,
recipient’s private key) to achieve confidentiality and
authentication
O These are described on the following slides



Asymmetric Encryption: Authenticity
³ Public Key Encryption can be used to ensure that messages
are authentic and valid
O Origin authentication is achieved and the identity of the
originator of a message can be definitively proven
O Public key encryption can be used to prove that a message
was in fact originated by the expected party and not an
impersonator. In other words, that the message is valid.
O Sender encrypts the message with his private key and sends
the encrypted message/hash to receiver
O Receiver decrypts the message with the Sender’s public key.
O If the message decrypts properly, then Receiver can be
assured that Sender was the source of the message (e.g., that
whoever sent the message had access to Sender’s private
key)



Asymmetric Encryption: Confidentiality
³ Public Key Encryption can be used to obtain
confidentiality
O Confidentiality is achieved when only the intended recipient
of a message is able to read it
O Public key encryption can be used to ensure that messages
are readable only by the intended recipient
O Sender encrypts the message using Receiver’s public key,
and then sends the message over the network
O Receiver is able to read the message by decrypting it with his
private key
O No one else can read the message because they do not have
access to Receiver’s private key



Asymmetric Encryption Keys
[Diagram: Origin authentication – Sender encrypts the Message with Sender’s Private key, Receiver decrypts with Sender’s Public key. Confidentiality – Sender encrypts with Receiver’s Public key, Receiver decrypts with Receiver’s Private key. Origin authentication and confidentiality – Sender encrypts with Sender’s Private key and then with Receiver’s Public key; Receiver decrypts with Receiver’s Private key and then with Sender’s Public key]



Asymmetric Keys: When to Use Which One

Key                      Sender                                   Receiver
--------------------------------------------------------------------------------------------------
Sender’s Public Key      Will never use his own public key.       Use to decrypt messages that have
                                                                  origin authentication.
Sender’s Private Key     Use to encrypt messages that need        Can never use the other party’s
                         origin authentication.                   private key – this is not known.
Receiver’s Public Key    Use to encrypt messages that require     Will never use his own public key.
                         confidentiality.
Receiver’s Private Key   Can never use the other party’s          Use to decrypt messages that
                         private key – this is not known.         require confidentiality.



Asymmetric Encryption: Integrity
³ Public Key Encryption can ensure message integrity
O Message integrity is achieved when any modifications to a
message would be detected
O An HMAC hashing algorithm is used to produce a
“checksum” or integrity check value
O Sender runs the message through a hashing algorithm using
his own private key.
O Sender sends the message and the checksum value to
Receiver
O Receiver re-hashes the message with the sender’s public key
and compares the derived checksum to the checksum
provided by Sender
O If the checksums are identical, then the message was not
modified. If the checksums are different, then Receiver has
detected that the message has been modified.



Encryption Products
³ Common Encryption Products/Technologies in use today
O SSL “Secure Sockets Layer” (or TLS “Transport Layer
Security”) for web
O SSH (or “Secure Shell”) for remote logon and file transfer
O PGP “Pretty Good Privacy” for email and local file system
encryption
O SET “Secure Electronic Transactions” for securing credit
and debit card transactions between customers and
merchants
O S/MIME “Secure Multipurpose Internet Mail Extension”
provides authentication and confidentiality of MIME
formatted email content



SSL – Encryption
³ SSL supports many different encryption algorithms
O For confidentiality, SSL can use DES, 3DES, RC2 or RC4
O For hashing, SSL can use MD5 or SHA
O For authentication (and asymmetric encryption for key
exchange), SSL can use RSA certificates or anonymous
Diffie-Hellman algorithms
O SSL Session keys can be from 40-bits to 168-bits long
³ SSL uses asymmetric encryption to communicate a secret
session key. The web client uses the web server’s public
key (obtained from the server’s digital certificate) to
transmit the session key to the server.
³ SSL uses symmetric encryption to conceal/protect the rest
of the communication session. All additional network
traffic passed between the web server and web client are
encrypted using the session key.



Establishing an SSL Session
1. Client (browser) sends a “hello” message to the server. This
message identifies SSL version, cipher suites, and compression
methods that are supported.
2. Server responds with a message that lists the cipher suite and
data compression method that will be used.
3. Server sends its digital certificate (with its public key) to the
client.
4. The client generates the shared secret session key (using a
random number generator), encrypts the session key with the
server’s public key, and sends it to the server.
5. The client and server send a message to notify that they are
prepared to start communicating with the selected encryption
methods and session key.
6. Both client and server send “finish” messages.
7. All future messages between client and server are encrypted
using the session key.



SSH
³ Secure Shell provides strong authentication and
encryption for remote access and file transfer across a
network
³ An SSH connection occurs as follows:
O The client and server negotiate ciphers, key exchange
methods, and integrity checksums
O The client verifies the server’s identity by encrypting a
message with the server’s public key. Then the server
proves to the client that it has successfully decrypted the
message.
O A key exchange algorithm is used
O The server verifies the client’s identity (using RSA public
key pairs, passwords, etc.), as well as enforcing host address
restrictions
O All data packets are encrypted and include message integrity
checks



PGP
³ PGP stands for “Pretty Good Privacy”
O PGP can be used for encrypting messages and files
O PGP is widely used for storing encrypted information
locally, as well as for email across a network
O PGP uses IDEA (128-bit secret key encryption) to encrypt
files
O To exchange this secret key securely, PGP uses RSA
asymmetric encryption. The sender encrypts the shared
secret key with the recipient’s public key.
O The secret key is not stored in clear-text on the sender’s
computer. Instead the secret key is encrypted using a
user-entered pass-phrase. Using the key requires the
encrypted secret key as well as the pass-phrase
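The hybrid pattern that both the SSL session slides (steps 4 to 7) and this PGP slide describe, worked through in Python as an added example that is not part of the original deck: a fresh session key is wrapped with the recipient’s RSA public key, the message body is protected with a symmetric keystream plus an integrity check, and the private key is stored only under a pass-phrase. The RSA modulus, the SHA-256 keystream cipher and all sample values are constructed stand-ins for the real algorithms (RSA, IDEA, RC4), not a usable implementation.

```python
"""Toy hybrid encryption in the pattern of the SSL session and PGP slides.

Added example, not code from the original deck. Textbook RSA over two fixed
Mersenne primes and a SHA-256 keystream stand in for real RSA/IDEA/RC4; they
show the key-transport pattern only and must not protect real data.
"""
import hashlib
import hmac
import secrets

# Constructed toy RSA parameters: two known primes, far too small for real use
P = 2147483647             # 2**31 - 1
Q = 2305843009213693951    # 2**61 - 1
E = 65537


def make_keypair():
    """Return (public, private) as ((n, e), (n, d))."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)    # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


def rsa_encrypt(public, value):
    n, e = public
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, e, n)


def rsa_decrypt(private, cipher):
    n, d = private
    return pow(cipher, d, n)


def keystream_xor(key, data):
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def mac(key, data):
    """Message integrity check so modification of the body is detected."""
    return hmac.new(key, data, hashlib.sha256).digest()


def sender_encrypt(recipient_public, plaintext):
    """SSL step 4 / PGP send: random session key, wrapped with the recipient's public key."""
    session_key = secrets.token_bytes(8)   # 64-bit key fits under the toy modulus
    wrapped = rsa_encrypt(recipient_public, int.from_bytes(session_key, "big"))
    body = keystream_xor(session_key, plaintext)
    return {"wrapped_key": wrapped, "body": body, "tag": mac(session_key, body)}


def receiver_decrypt(recipient_private, message):
    """Unwrap the session key with the private key, verify integrity, then decrypt."""
    key_int = rsa_decrypt(recipient_private, message["wrapped_key"])
    session_key = key_int.to_bytes(8, "big")
    if not hmac.compare_digest(mac(session_key, message["body"]), message["tag"]):
        raise ValueError("integrity check failed: message was modified")
    return keystream_xor(session_key, message["body"])


def wrap_private_key(private, passphrase, salt):
    """PGP-style storage: the private exponent is kept only under a pass-phrase-derived key."""
    n, d = private
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    return keystream_xor(kek, d.to_bytes(16, "big"))


def unwrap_private_key(n, blob, passphrase, salt):
    """Recover (n, d); a wrong pass-phrase yields a useless exponent, not the key."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    return n, int.from_bytes(keystream_xor(kek, blob), "big")
```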



Encryption
³ Key Audit Steps:
O Ensure that encryption is used for all sensitive or confidential
messages/data that are transmitted across public or untrusted
networks. This includes administrative access to hardened
hosts, confidential file transfers, sensitive business
transactions, etc.
O Ensure that cryptographic hashes/checksums are used to
validate integrity and identify any unauthorized changes.
O Ensure that encryption uses standard, proven, commercial-
grade ciphers and algorithms. (Proprietary algorithms are
not usually secure.)
O Ensure that encryption key lengths are appropriate to prevent
cracking (e.g., minimum of 1028 bit for asymmetric and 128
bit for symmetric encryption, and possibly more for
especially sensitive information)



Encryption
³ Key Audit Steps (Continued):
O If symmetric (secret key) encryption is used, ensure that
appropriate key exchange and management procedures are
used:
Q Ensure that keys are exchanged out of band (e.g., not over the
network)
Q If keys must be exchanged over the network, ensure that keys
are not transmitted in the clear. Instead, ensure that
asymmetric encryption is used to generate (e.g., D-H) and/or
exchange secret keys securely.
Q Ensure that keys are generated with commercial-class random
number generators
Q Ensure that secret keys have reasonable expiration time-limits
(e.g., to limit the exposure time that a hacker would have to
crack the key)



Encryption
³ Key Audit Steps (Continued):
O If asymmetric encryption is used, ensure that appropriate
controls are in place to protect the private key
Q Ensure that the private key is NEVER transferred over the
network
Q Ensure that the private key remains continually and exclusively
in the possession and control of the owner and no one else
O Ensure that encryption security products (like SSL, SSH,
etc.) are configured to use only strong ciphers and key
lengths
O If “weaker” ciphers must be used to enable greater
accessibility by a broader, larger population of users, then
ensure that the risks (vs. benefits) have been considered,
documented, and approved
O Ensure that web clients are configured to check server-side
certificates in an SSL connection for invalid subject name,
expiration, etc.



CERT Security Practices
³ Best practices that address 85% of compromises
³ Seven categories of evaluative criteria:
1. Security Policy
2. Secure Network Servers
3. Secure Web Servers
4. Deploy Firewalls
5. Setup Intrusion Detection and Response Processes
6. Detect Signs of Intrusion
7. Responding to Intrusions
³ These criteria can be used as the foundation of a network
security audit or self-evaluation of controls



CERT Security Practices
³ Is SSL used to protect against network sniffers and unauthorized
alteration of web content during transmission?
³ If passwords are used to authenticate users, is SSL encryption
used to protect against sniffers?
³ If stronger authentication is required, are SSL client certificates
and smart cards used?
³ Is SSL server authentication (with an SSL server certificate from
a trusted CA) used to protect users against bogus web sites?
³ Is confidential information retained on the web server encrypted
(with public key technology)?
³ Are administration commands and data encrypted when they
traverse the network?
³ Is encryption technology (e.g., SSH and SSL) used to ensure that
passwords passed across networks are not in clear-text?
³ Are cryptographic checksums captured for all critical
files/directories and used to identify unauthorized changes?



Conclusion
³ Good cryptographic systems should always be designed so
they are as difficult to break as possible.
³ Symmetric encryption provides relatively fast encryption
and decryption with shorter “secret” keys.
³ Asymmetric encryption (using public and private keys)
simplifies key distribution, but is slow and requires longer
keys to provide security
³ Many standard encryption methodologies represent a
hybrid of symmetric and asymmetric to use the strengths
of both types.
³ Cryptographic techniques provide message confidentiality,
message origination authentication and message integrity.



Introduction to Routers
Agenda
³ Definition of routers
O Routing and Filtering
³ Hardware and software components
O Specialized Memory
O Router Boot Process
O Command Modes
³ Router configurations
O Configuration File Versions
O Configuration Modes



Definition of a Router
³ Most computing environments are made up of a group of
networks that are interconnected
³ Routers are involved whenever packets pass from one
network to another
³ A router is a device that sits between 2 or more networks
and transfers network packets from one network to another
O A router determines the next network
device to which a packet should be
forwarded as it makes its way towards
its destination.
O A router may maintain a table of the
available routes and their conditions.
It uses this information, along with
distance and cost algorithms, to
determine the best route for a given packet



Routing and Filtering
³ Routers perform two basic functions:
O Routing: Occurs when a router makes decisions about where
to send network packets, and then sends those packets
accordingly
Q A router maintains a table of the available routers or paths
through the network
Q This table is used to decide which way to send each network
packet based on its intended destination
Q Routing occurs at the “network layer” of the TCP/IP protocol
stack (the destination of network traffic is derived from the IP
address within the packet’s IP header)
O Filtering: Occurs when a router allows or denies network
packets to pass through the router based on criteria defined
in rules
Q Filtering is important for protecting the router (and hosts that
reside behind the router) from unauthorized or malicious
network traffic
Q Filtering decisions can be based on fields of the packet’s IP
header, as well as the TCP, UDP, and ICMP packet headers



Routing and Filtering
³ Example of routing and filtering:
O A network packet arrives at router interface ‘A’. The router
connects 5 networks, so there are four other interfaces on the
router.
O Which interface should the packet be sent through to reach
its destination? What is the next router the packet should be
sent to? These are routing decisions…
O Should the packet be allowed to pass through the router, or
should it be blocked? This is a filtering decision....



Hardware Components
³ A Cisco router is just a specialized computer
³ Routers have a processor (CPU), memory, and connections
to other devices
O The processor is the component that executes all operating
system instructions and commands
O There are four types of memory (with different degrees of
volatility) that are used to store different parts of the router’s
system, including its operating system and configuration file
O Routers also have input and output ports for connecting two
or more networks. These ports are the physical connections
through which packets enter into and exit the router.
Network interface cards plug into hardware slots and
external cables plug into the cards. These connections can
be of different types (e.g. serial, ethernet, FDDI, token ring)
O Serial terminal ports are available for plugging a console,
and other devices, directly into the router



Hardware Components
³ The router’s specialized memory:
O Random Access Memory (RAM) is highly volatile memory
that is erased when the router is turned off. Usually RAM is
used for holding routing tables, packet queues, a “working
copy” of the router’s configuration file, etc. The router
configuration file contains the installation specific
commands for how the router is supposed to control the flow
of packets (through routing and filtering)
O Nonvolatile RAM (NVRAM) retains its contents even when
the power is turned off. NVRAM stores a copy of the router
configuration that is used when the router boots up
O Flash memory is erasable, reprogrammable ROM (Read
Only Memory) that is used to store the operating system
image
O ROM contains the boot program used to start-up the router
³ Specialized memory means that disk drives are not needed.
No moving parts = fewer hardware problems



Hardware Components
³ Cisco offers a variety of router platforms
O Different platforms have different operational characteristics:
different types of network traffic handled, number of
interfaces, performance/speed, availability, capacity, etc.
O All platforms run the Cisco IOS operating system
O Therefore, the hardware platform isn’t critical for security,
but could be for performance, availability, etc.
³ Hardware platforms:
O 1600, 1700, 2500, and 2600 – for small businesses or branch
office sites
O 3600 and 4000 – for mid range
O 7100 – VPN router
O 7200, 7300, and 7400 – high performance and availability
O 7500 – high end voice, data, and video
O 7600 – optical speeds
O 10000, 10720, 12000 – high-end Internet routers



Software Components
³ The operating system image
O Cisco Internetworking Operating System (IOS)
O Contains instructions for transferring data through the
device, supporting network functions and services, updating
routing tables, executing user commands, etc.
³ The router configuration file
O The configuration file contains the installation specific
commands for how the router is supposed to control the flow
of packets (through routing and filtering)
O The configuration file defines the routing methods, filtering
rules, routing services, etc.
³ The configuration file defines how the router functions
should be performed, while the operating system actually
performs those functions



Router Command Modes
³ Once a user has logged into the router, the system is in
‘user mode’. This is also referred to as ‘EXEC mode’
O In user or ‘EXEC mode’, only a limited set of router
commands can be executed

³ Full access to all router commands (including the ability to
change the router’s configuration) is provided by
‘privileged EXEC mode’
³ Because a user can obtain this level of access only by
entering the “enable” command and password into the
router, this privileged level of access is also known as
‘enable mode’



Router Configuration - Versions
³ At least two versions of the router configuration file are
always stored on the router:
O The current version that is running on the router (which is
stored in RAM)
O The saved version of the configuration that is loaded when
the router starts-up (which is stored in NVRAM)
³ As a general rule, the “running” RAM version of the
configuration and the “start-up” NVRAM version of the
configuration should be almost identical
O If changes made to the running version are not saved to the
start-up NVRAM version, then those changes will be lost
when the router reboots
O The current running version must be saved frequently to
NVRAM to ensure that the correct configuration file will be
retained when the router reboots



Router Configuration - Versions
³ A good practice to address this issue is to periodically
compare the two versions of the router configuration
O The current running version of the router configuration can
be obtained using the “show running” command, and the
saved startup version of the router configuration can be
obtained using the “show startup” command
O If the router configurations are long, it may be useful to save
them to a file and run an automated tool (such as UNIX diff)
to determine if, and how, the two versions differ



Router Configuration Modes
³ There are several configuration modes on routers:
O Many of the router’s settings are defined in the global
configuration mode: router services, logging settings, enable
password settings, security server settings, and others
O In addition to global configuration mode, there are sub-
modes used to configure specific settings for interfaces,
lines, routes, etc. Some of these sub-modes include:
Q Interface (config-if) mode to identify all interfaces, assign IP
addresses, define allowable services per interface, set access-
groups to apply access control lists, etc.
Q Router (config-router) mode for configuring routing protocols
Q Access-lists (config-ext-X for extended access-lists and config-
std-X for standard access-lists) mode to define access control
lists used to filter traffic and enforce addressing constraints
Q Line (config-line) mode to set active terminals, passwords, and
other constraints on the console port, auxiliary port, and virtual
terminal lines used to manage the router



Extract from a Router Configuration
Current configuration
!
version 12.0
!
! Set accurate time-stamping for log and debug messages
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
! Control TCP/IP services
no service udp-small-servers
no service tcp-small-servers
!
hostname Perimeter1
!
logging buffered 4096 debugging
no logging console
enable secret 5 $1$b4X5$7A7IUNmzGm8vOmi9nBkC1/
!
! Control TCP/IP Services
no ip source-route
no ip finger
ip tcp selective-ack
ip tcp path-mtu-discovery
no ip domain-lookup
!
no ip bootp server
!
interface Serial0
ip address 172.16.1.1 255.255.255.252
ip access-group 101 in
! Control TCP/IP Services
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp



Router Configuration File
³ All of the router’s security settings and commands are
contained within the configuration file
³ Essentially, an audit of Cisco router security consists of
reviewing the router’s configuration file
³ For purposes of the audit, the running configuration (the
one stored in RAM) should be reviewed since this is the
version of the configuration that is currently active on the
router
³ The command to display the current version of the
configuration is as follows:
show running
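The configuration review described on this slide and the running/startup comparison from the “Router Configuration - Versions” slide, as an added Python example (not the deck’s or Cisco’s code): it parses a configuration of the form the extract shows, checks for the hardening commands that extract uses, and diffs the running and startup versions the way the slide suggests doing with UNIX diff. The two configurations are constructed for the demo, with interface sub-commands indented by one space as IOS prints them.

```python
"""Audit helpers for a Cisco IOS configuration extract.

Added example, not from the deck. Checks the global and per-interface
hardening commands the slides' sample configuration shows, and diffs a
running configuration against a startup one. Both configurations below are
constructed for the demo.
"""
import difflib

# Global hardening commands taken from the deck's sample configuration
EXPECTED_GLOBAL = [
    "service password-encryption",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "no ip source-route",
    "no ip finger",
    "no ip domain-lookup",
    "no ip bootp server",
    "no logging console",
]
# Per-interface commands from the same extract
EXPECTED_INTERFACE = [
    "no ip redirects",
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip proxy-arp",
]


def parse_config(text):
    """Split an IOS config into global commands and {interface: [sub-commands]}.

    '!' lines and the 'Current configuration' banner are dropped; an
    'interface X' line opens a block of one-space-indented sub-commands.
    """
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Current configuration"):
            continue
        if line.startswith("!"):          # separator also closes an interface block
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text):
    """Return findings (missing hardening commands) for one configuration."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    for cmd in EXPECTED_GLOBAL:
        if cmd not in global_cmds:
            findings.append(f"global: missing '{cmd}'")
    for name, cmds in interfaces.items():
        for cmd in EXPECTED_INTERFACE:
            if cmd not in cmds:
                findings.append(f"{name}: missing '{cmd}'")
        if not any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-group applied")
    return findings


def config_diff(running, startup):
    """Lines that differ between 'show running' and 'show startup' output."""
    def norm(text):
        g, i = parse_config(text)
        return g + [f"{name} {c}" for name, cmds in i.items() for c in cmds]
    diff = difflib.unified_diff(norm(startup), norm(running),
                                "startup", "running", lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


# Constructed running configuration, patterned on the deck's extract
RUNNING = """\
Current configuration
!
version 12.0
service password-encryption
no service udp-small-servers
no service tcp-small-servers
hostname Perimeter1
no logging console
no ip source-route
no ip finger
no ip domain-lookup
no ip bootp server
!
interface Serial0
 ip address 172.16.1.1 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
!
"""
# Constructed startup copy saved before two hardening changes were made
STARTUP = RUNNING.replace("no ip source-route\n", "").replace(
    " ip access-group 101 in\n", "")
```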



Conclusion
³ Routers are devices that deliver packets between networks
³ Routers perform routing and filtering on network packets
³ Routers have specialized memory with different levels of
volatility
³ The operating system image and configuration file are the
two main software components of the router
³ The router boot process is controlled by the Configuration
Register
³ The “running” version of the configuration file should be
periodically saved to the NVRAM “startup” version of the
configuration file
³ An audit of a router primarily consists of reviewing the
current configuration file



Routers & Network Security
Agenda
³ Role of routers in overall network security
³ Necessary context for evaluating router security
O External connections
O Network security policy
O Network topology
O Duplication of control and compensating controls
³ Router specific security risks and attack methods



Role of Routers in Network Security
³ The goal of network security is to ensure that network
traffic is allowed to pass between networks only if that
traffic is authorized, valid, and of acceptable risk
O Routers play an important part in providing overall network
security
O A highly-secured router can significantly enhance the
overall level of network security
³ Routers have four main network security functions:
1. Routers transfer all network traffic through a firewall, or
along a “safe” path into the network
2. Routers filter and block invalid and unauthorized network
traffic
3. Routers protect themselves from attacks by outside parties
4. Routers provide logging which enables timely detection of
intrusion attempts



Role of Routers in Network Security
1. Routers transfer all network traffic through a firewall, or
along a “safe” path into the network
O Transferring packets between networks based on predefined
routes serves a key security purpose
O Routers can force all traffic that passes into the network to
follow a particular path that includes appropriate security
safeguards
O Example: A router sends all inbound network traffic to a
firewall which performs extensive filtering of malicious or
unauthorized services. By forcing inbound traffic to follow
this predefined path, the router ensures that all traffic passes
through the firewall, and thus cannot bypass this control
O Example: A router directs sensitive, confidential information
along a trusted network path, preventing this data from
being intercepted over potentially hostile networks



Role of Routers in Network Security
2. Routers filter and block invalid and unauthorized network
traffic
O Routers can be configured to deny malicious and/or
unauthorized network traffic
O Because routers are at the very edge of the network, they
provide a good mechanism for implementing key network
traffic filters to keep particularly malicious network traffic
from ever passing into an organization’s internal networks
O Routers can provide simple, firewall-like filtering of traffic
based on protocol, source and destination IP address, and
source and destination TCP/UDP port
O In some organizations, a router may be the only firewall that
exists between networks



Role of Routers in Network Security
3. Routers protect themselves from attacks by outside parties
O Routers need to be hardened in order to become impervious
to attack
O For routers on the perimeter of the network (i.e., outside of
the firewall), the router’s internal security is the only
protection against malicious network traffic that may be
sent from the external network
O Routers must protect themselves against attacks in order to
reliably perform their other network security functions
O If a router is compromised, an attacker could modify or
disable the router’s configuration related to other network
security functions
O For instance, an attacker could make unauthorized changes
to routes and filtering rules to compromise network
security. Furthermore, potential intruders could use the
router as a launching point for attacking hosts on the
internal networks



Role of Routers in Network Security
4. Routers provide logging which enables timely detection of
intrusion attempts
O Early detection and timely response to malicious attacks is
the key to keeping intruders from circumventing network
security controls at the perimeter of the network
O Router logging and monitoring controls help ensure that
intrusions and malicious attacks (both attempted and
successful) are detected so that responsive actions can be
taken in a timely manner



Routers – Network Security Context
³ Router security can be properly assessed only in the
context of the overall approach to network security
O The primary role of routers is to secure networks, usually in
conjunction with other network devices such as firewalls
O Routers are one part of a broader system of control for
protecting networks from malicious outsiders
O Although a security audit may focus on routers as individual
components, it is critical that the broader system of controls
be kept in mind
O Every audit of routers must take into consideration the
overall network security context (including the following
factors) for the organization that is being audited
1. The nature of the external connections
2. Security policies
3. Network topology (especially the position of routers
relative to firewalls)



Routers – Network Security Context
1. The nature of the external connections is significant for
determining the level of risk (and consequently, the required
level of security control) for a router
O Some external parties are trusted more than others. This also
means that some networks are more trusted than others.
Q Public networks such as the Internet should not be trusted at all
Q Private networks like Intranets may warrant some level of trust
Q Private dedicated lines to business partners may warrant even more
trust

O However, no connection to any external party should ever be fully
trusted. Some minimum level of control is required regardless of
who is connected to the other end of the line
Q Even if an organization trusts its business partners, those business
partners may be connected to other parties that do not warrant trust
Q If an organization’s business partner also has Internet connectivity,
an attacker from the Internet may be able to compromise the
business partner’s network, and then use that network as a launching
point for attacking the organization.



Routers – Network Security Context – Policy
2. Network security policy is also important to the
router’s context
O Organizations have differing security postures with
differing levels of acceptable risk
Q Different organizations have different inherent security
risks based on the business they are in
Q Different businesses have different tolerance levels for
security risk, and different viewpoints on the trade-offs
of security vs. ease of use and performance
O The level of network security risk that a company is
willing to accept helps to determine its network
security policy



Routers – Network Security Context - Topology
3. The network topology, especially the placement of routers in
relation to firewalls, has a major effect on how a router should be
evaluated
O To fully understand the network topology, obtain and review a
network diagram which shows all external connections, all routers
that are involved, and their positions relative to the firewall, DMZ,
and internal network
O In a typical configuration, a router exists on both sides of a
firewall. The outer router, commonly called a perimeter router or a
border router, resides outside of the firewall and is more risky
O The security requirements for a border router are greater than those
for an inner router, because the border router is on the perimeter
O The required level of security is even greater in situations when
there is no separate firewall; that is, when the router itself serves as
the firewall
O Routers that are within the internal network and are not on the
perimeter of the network generally do not require such restrictive
security and are not typically reviewed in much detail during an
audit. (However, routers that reside between internal network
segments of different levels of trust or sensitivity should be
reviewed because they serve a perimeter-like, screening router
function)
Routers – Network Security Context - Topology

[Diagram: Border Router between the Internet and the DMZ; Inner Router
between the DMZ and the Internal Network; Screening Router (no FW)
between the Internal Network and the Extranet]


Routers – Network Security Context - Topology

³ Border Router
O Definition: Outside FW, edge of network perimeter
O Routing: Extensive routing controls (e.g., to FW)
O Filtering: Special filtering required
O Hardening: Extensive hardening
O Logging: Moderate logging
³ Inner Router
O Definition: Directly inside the firewall on the perimeter
O Routing: Basic routing controls
O Filtering: Moderate filtering
O Hardening: Moderate hardening
O Logging: Basic logging
³ Screening Router
O Definition: Edge of network or perimeter between subnets; the
router is the firewall
O Routing: Extensive routing controls
O Filtering: Extensive filtering
O Hardening: Extensive hardening
O Logging: Extensive logging
³ Internal Router
O Definition: Within the Internal Network – equal trust segments
O Routing: N/A
O Filtering: N/A
O Hardening: N/A (or moderate)
O Logging: N/A



Routers – Network Security Context
³ Different components of the network infrastructure may
duplicate (or compensate) for controls that could, or
should, be performed at other components – Defense in
Depth
³ The security controls of all devices on the network
perimeter, when taken as a whole, may adequately
compensate for deficiencies within an individual device
³ Variability in topology, external parties, and network
security posture and policy make assessing router security
complex and challenging
³ The goal of router security is to limit security risk to the
extent possible, consistent with operational requirements
and reasonable risk-taking by organizational management
³ A security problem occurs when unnecessary,
unreasonable, or excessive security risk exists



Router Security Risks and Attack Methods
³ It is necessary to understand some of the ways that the
router could be attacked over the network.
³ Common router security risks and attack methods are
described below:
O Unauthorized access to the router
O Unauthorized access to the internal network
O IP Spoofing
O Rerouting Attacks
O Denial of Service
O Distributed Denial of Service



Router Security Risks and Attack Methods
³ Unauthorized access to the router
O Routers allow users to connect over the network using network
services like telnet, snmp, etc. Attackers may try to exploit these
services to gain unauthorized access to the router
O With access, the attacker may be able to change the router’s
configuration, or at least to read it. Even reading a router’s
configuration can represent a significant breach of security, since
this would enable an attacker to specifically target an attack to
exploit weaknesses in the configuration
O Examples of these types of attacks include: attempts to telnet to the
router, password guessing attacks, snmp attacks to read or update
the configuration, dial-in attacks to a modem connected to the
router, etc
³ Unauthorized access to the internal network
O Particularly malicious attackers may anticipate the presence of
routers and attempt to circumvent their access filters
O For example, an attacker may use IP packet fragmentation to
attempt to bypass the router’s access-list rules



Router Security Risks and Attack Methods
³ IP spoofing
O Router filters typically allow higher levels of access to internal
network traffic than to traffic from the outside. External attackers
may attempt to exploit this by IP spoofing in order to obtain access
that was intended for internal users only
O In a spoofing attack, the attacker crafts or manipulates the network
packets to change their IP source addresses to match addresses
from within the internal network

³ Rerouting attacks
O In a rerouting attack, the attacker attempts to make an unauthorized
change to the router’s routing table, or attempts simply to bypass
those predefined routes
O Examples of this kind of attack include ICMP redirect attacks, or
routing protocol attacks that attempt to change the routing table to
direct traffic to unauthorized destinations. Also, packets with the
source-route IP option set will attempt to control their own routing,
bypassing the router’s controls
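Added example (not from the deck) showing in Python how the filtering on IP header fields described in the “Routing and Filtering” slides defends against the IP spoofing risk above: a simulated evaluation of Cisco-style extended access-list entries, with IOS wildcard masks and the implicit deny, against constructed packets. The entries and addresses are constructed; access-list 101 is the number the configuration extract applies inbound on Serial0.

```python
"""Simulated router packet filter (added example, not code from the deck).

Evaluates Cisco-style extended access-list entries, using IOS wildcard masks,
against constructed packets. The rule set mirrors the anti-spoofing filtering
the slides describe: traffic arriving on the outside interface that claims an
inside source address is dropped before it can reach the internal network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination TCP/UDP port, 0 when not applicable


def _match_addr(spec, addr):
    """IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    base, wildcard = spec.split()
    # A wildcard bit of 1 means "don't care": compare only where the mask is 0
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(base)) & care) == (int(ipaddress.ip_address(addr)) & care)


def parse_entry(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]

    def take(ts):           # an address spec is 1 token ('any') or 2 ('host X', 'X W')
        n = 1 if ts[0] == "any" else 2
        return " ".join(ts[:n]), ts[n:]

    src, rest = take(rest)
    dst, rest = take(rest)
    port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def evaluate(acl, packet):
    """First matching entry wins; every IOS access-list ends in an implicit deny."""
    for entry in acl:
        if entry["proto"] != "ip" and entry["proto"] != packet.proto:
            continue
        if not (_match_addr(entry["src"], packet.src) and _match_addr(entry["dst"], packet.dst)):
            continue
        if entry["port"] is not None and entry["port"] != packet.dport:
            continue
        return entry["action"]
    return "deny"


# Constructed inbound filter for the border router's outside interface. The first
# three entries drop packets whose source claims to be internal, loopback or
# unspecified; only the listed services are then permitted into the DMZ.
INBOUND_101 = [parse_entry(line) for line in """
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit tcp any host 192.168.1.10 eq 443
access-list 101 permit tcp any host 192.168.1.20 eq 25
""".strip().splitlines()]
```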



Router Security Risks and Attack Methods
³ Denial of Service
O The goal of a Denial of Service (DoS) attack is to crash the router,
or otherwise occupy the router’s system resources so that legitimate
network traffic cannot be processed
O For example, in a TCP SYN attack, the attacker sends many half-
open TCP connections to the router in an attempt to use up all
available connections. Alternatively, an attacker could attempt to
crash a router by sending it malformed packets, or packets that do
not correspond with RFC-defined criteria

³ Distributed Denial of Service
O In a Distributed Denial of Service (DDoS) attack, the attacker
hopes to use the router as a launching point to direct a denial of
service attack against a third party
O Although the attack is aimed at a third party, an organization could
suffer some reputation risk from participating in a distributed denial
of service attack. Also, preventing distributed denial of service
attacks is part of being a “good Internet citizen.”



Conclusion
³ Connectivity between networks greatly increases risk
because it enables outsiders to exploit internal security
weaknesses
³ Routers play an important part in providing network
security through safe routing, filtering, hardening, and
logging
³ Routers are part of an overall system of control which
encompasses many devices. Therefore, routers need to be
evaluated in the context of the whole
³ The external connections, network security policy and
posture, and the network topology have a significant effect
on the required level of security controls over particular
routers
³ Routers are subject to specific network security risks and
attacks



Introduction to Intrusion
Detection Systems
Agenda
³ Intrusion Detection Concepts
³ Intrusion Detection System Components
³ Intrusion Detection Objectives and Goals
³ Intrusion Detection Techniques
³ Types of Intrusion Detection Systems
³ Deployment of Intrusion Detection Systems
³ Strengths and Weaknesses
³ Summary



Intrusion Detection Concepts

³ Intrusion: Any set of actions that attempt to compromise
the integrity, confidentiality or availability of a resource.
³ Intrusion Detection is the art of detecting and responding
to computer misuse.
³ Intrusion Detection Systems (IDS): Systems that collect
information from a variety of system and network sources,
and then analyze the information for signs of intrusion and
misuse.
³ Misuse: Attacks originating from within an organization



Intrusion Detection Concepts
³ Deterrence is to prevent intrusion by increasing the
perceived risk of discovery and punishment.
³ Detection is to detect attacks and other security violations
that are not prevented by other security measures.
³ Anticipation is to detect and proactively deal with
activities that could indicate that an attack is coming
(scans, doorknob rattling, etc.)
³ False positive: an event incorrectly identified by the IDS
as being an intrusion when none has occurred.
³ False negative: actual intrusive action that IDS allows to
pass as non-intrusive behavior
³ Subversion error: when an intruder modifies the
operation of the intrusion detector to force false negatives to
occur.
³ Trending: audit analysis to determine how a user or
process will typically behave.



Concepts and Definitions
Signs of an attack:
O Unexpected changes in network performance such as
variations in traffic load at specific times
O Traffic coming from or going to unexpected locations
O Connections made at unusual times
O Repeated, failed connection attempts
O Unauthorized scans and probes
O Non-standard or malformed packets (protocol
violations)
O More on this later in the presentation …



Intrusion Detection System Components
³ Management Console
O Serves as the command center for controlling the entire
system
O Maintains communications with targets over an encrypted
link
O Serves as the interface for policy creation, alert notification
and reporting
³ Network and Host Agents
O Analyzes network traffic (network agents) or host audit logs (host agents)
O Accepts commands from and reports back to the
management console



Intrusion Detection System Components Continued
³ Alert Notification
O Contacts individuals responsible for handling security
incidents.
O Capabilities include on-screen alerts, audible alerts, paging,
e-mail and SNMP
³ Response Subsystem
O Provides capability to take action on threats to target systems
O Responses can be generated automatically or initiated by the system operator
O Common responses include reconfiguring a firewall, shutting
down a connection, logging a user off, and disabling a user’s
account
³ Database
O Knowledge repository for the IDS
O Reports are generated from the information contained in the
database.



Intrusion Detection Conceptual
[Diagram: Management Console (GUI) and Target Agent (Workstation, Server). Labelled elements: Assessment Reports, Security Profile, Profile, Database, Audit and Collection Policy, Audit Settings, Audit Reduction, Real-Time Detection Policy, Network Detection Policy, Real-Time Event Log, Batch ID Service, Real-Time Network ID Service, Real-Time and Network Alerts, Network Response, Raw Event Log Archive, Network Card]



Intrusion Detection Techniques
Ê IDS are classified according to the method used for
“detecting” intrusions. There are four major techniques
used to detect intruders:
Ê Misuse Detection – commonly called “signature”
detection.
O Information is gathered and compared to a large attack
signatures database. Essentially, the IDS looks for an
already documented specific attack. Like anti-virus
tools, misuse detection is only as good as the database
of attack signatures against which it compares packets.
O Example: a signature is “three failed logins”



Intrusion Detection Techniques
Ê Anomaly Detection – The system administrator defines
the baseline, or normal, state of the network’s traffic load,
breakdown, protocol, and typical packet size. The anomaly
detector monitors network segments to compare their state
to the normal baseline and look for anomalies.
O Relies on trending
O Normally, anything past two standard deviations from the
norm causes concern
O Can also investigate user patterns, such as profiling the
program executed daily.
O Example: Joe logs on and off a machine 20 times a day
instead of the normal 1 or 2
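The two techniques just described, misuse (signature) detection and anomaly detection, as one added example that is not part of the original slides: a constructed authentication log is run through a "three failed logins within five minutes" signature, and a user's daily login count is scored against a constructed baseline with the two-standard-deviation rule. The log lines, user names, the five-minute window and Joe's baseline counts are all assumptions.

```python
"""Misuse (signature) detection versus anomaly detection on constructed data.

Added example, not from the original slides. The log lines, user names, the
five-minute window and Joe's baseline counts are all constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed authentication log: "<ISO timestamp> <user> <event>"
SAMPLE_AUTH_LOG = """\
2002-03-01T09:00:10 alice LOGIN_OK
2002-03-01T09:01:00 mallory LOGIN_FAIL
2002-03-01T09:01:20 mallory LOGIN_FAIL
2002-03-01T09:02:05 mallory LOGIN_FAIL
2002-03-01T09:30:00 bob LOGIN_FAIL
2002-03-01T10:30:00 bob LOGIN_FAIL
2002-03-01T11:30:00 bob LOGIN_FAIL
2002-03-01T12:00:00 bob LOGIN_OK
"""


def parse_auth_log(text):
    """Return a list of (timestamp, user, event) tuples in log order."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def signature_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Misuse detection: alert when one user accumulates `threshold` LOGIN_FAIL
    events inside a sliding `window`. Returns [(user, time_of_alert), ...]."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for ts, user, event in events:
        if event != "LOGIN_FAIL":
            continue
        window_q = recent[user]
        window_q.append(ts)
        while ts - window_q[0] > window:   # drop failures older than the window
            window_q.popleft()
        if len(window_q) >= threshold:
            alerts.append((user, ts))
            window_q.clear()               # one alert per burst
    return alerts


# Constructed baseline: Joe's logins per day over ten ordinary days
JOE_BASELINE = [1, 2, 1, 2, 1, 1, 2, 2, 1, 2]


def anomaly_score(baseline, observed):
    """z-score of `observed` against the baseline mean and population std dev."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:                         # flat baseline: any deviation is anomalous
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sigma


def is_anomalous(baseline, observed, threshold=2.0):
    """Anomaly detection: flag anything beyond `threshold` standard deviations."""
    return abs(anomaly_score(baseline, observed)) > threshold


if __name__ == "__main__":
    for user, when in signature_failed_logins(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"signature hit: {user} at {when}")
    print("joe 20 logins anomalous:", is_anomalous(JOE_BASELINE, 20))
```

mallory's burst trips the signature, while bob's one-failure-per-hour pattern never has three failures inside any five-minute window and passes unnoticed; that is exactly the blind spot of a short-window signature. Joe's 20 logins score 37 standard deviations above his baseline mean of 1.5, far past the two-deviation line.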



Intrusion Detection Techniques
Ê Target Monitoring - This technique looks for the
changing of specified files:
O Relies on system integrity
O More of a corrective control, designed to uncover an
unauthorized action
O Can check for the covert editing of files by computing a
cryptographic hash beforehand and comparing this to new
hashes of the file at regular intervals
O Easiest system to implement as it does not require constant
oversight



Intrusion Detection Techniques
Ê Stealth Probes – attempts to detect any attackers that
choose to slowly carry out an attack over time.
O Combines anomaly detection and misuse detection
O Collects a wide-variety of data throughout the system
O Checks for any methodical attacks over a long period of time
O Takes a wide-area sampling and attempts to discover any
related attacks



Types of Intrusion Detection Systems
Ê Another way to classify IDS is Network based vs. Host
based.
O Network based systems analyze network packets, captured
from network backbones or LAN segments, to find attackers.
O Host based systems analyze information sources generated
by the operating system or application software for signs of
intrusion.
Ê Hybrid systems contain both host and network
components, and are the recommended configuration.



IDS Protected Network



IDS Objectives and Goals
³ Intrusion detection is all about early detection of malicious
attempts by outsiders (or insiders) to obtain unauthorized
access to system resources. “Detection” here includes
automated notification to security personnel so that timely
responsive action can be taken.
³ Intrusion monitoring and detection provide an organization
with the ability to ensure that:
O protected information is not accessed by unauthorized
parties, and if it is, there is a clear audit record
O network traffic can be monitored by “listening” on the
network without impacting the network
O active response to attacks on systems is provided
O the information security organization understands the attacks
being made and, as a result, builds systems and networks to
resist the attacks
O metrics reporting is being provided



IDS Deployment
³ Deployment of an intrusion monitoring and detection
system enables monitoring at specific sites/locations
within the networks.
O Example: monitoring should be deployed at Internet access
points and the extranets that house many critical business
services on the Internet
³ Organizations should identify the information that people
are not allowed to access and, through intrusion
monitoring, review the access attempts to this information
and block the network connections to that information.



IDS Deployment
³ IDS Deployment can be at different areas within the
network.
³ Monitoring at the Secure Gateway. This monitors the
networks on both sides of the firewall. The implementation
is a passive or nonintrusive mode of network data capture.
O As the firewall retransmits packets received on the one
network to the other network, the IDS observes and examines
each packet as it is transmitted on the network.
³ Monitoring at the Remote Access Service Entry. The
intrusion monitoring device is inserted between the remote
access server (RAS) access points and their connections to
the corporate network.
O Since most proprietary and technical information is lost
through authorized inside access, monitoring the remote
access points looks for misuse of corporate and network
services.



IDS Deployment
Ê Monitoring within the Corporate Network. This allows
for additional protection of information on the network
without the requirement for a secure gateway. The IDS is
on the same subnet as the protected servers.
O When a corporate network user attempts to gain access to the
protected servers, the intrusion monitoring server can log and, if
configured, intercept the connection attempt.
O NOTE: It is usually not feasible to monitor all of an extensive
network. A risk assessment will identify the servers
and the connections to these servers that are most at risk and should
be monitored.
³ Monitoring the Extranet. This monitors for attacks
against externally connected machines.
O In this case, two IDSs may be required to offer detection
capabilities for both the extranet and the firewall as the extranet is
not directly on the Internet. This allows additional controls to be in
operation to protect both systems.



Strengths and Weaknesses
³ Strengths of IDS Systems:
O Provides valuable information about malicious network
traffic
O Can be programmed to minimize damage
O Helps identify the source of the incoming probes or attacks
O Similar to having a “burglar alarm” or “camera”
O Can collect information to be used as forensic evidence to
identify an intruder
O Alerts security personnel that someone is rattling the
doorknob
O Alerts security personnel that a network invasion may be in
progress
O Part of a multi-layered “defense-in-depth” security
infrastructure



Strengths and Weaknesses
³ Weaknesses of IDS Systems
O Not a cure-all for security ills
O Produces false positives (false alarms)
O Produces false negatives (failed to alarm)
O High speed networks cannot be properly protected by
network IDS. Requires sampling of network traffic instead
of validating all packets
O Large scale attacks could overwhelm a sensor
O All products have weaknesses
O IDS is not a replacement for other necessary components of
a defense-in-depth security architecture
Q Well managed firewall
Q Regular security audit
Q Strong security policy



Intrusion Detection Myths
³ Network intrusion detection is better than host based. In
reality, there is a place for both in a well-designed system
of “defense in depth” security
³ Network intrusion detection inside the firewall will detect
insider misuse. In reality, insiders may not use (or need to
use) network based attacks to obtain access to resources.
Insiders may already have access assigned.
³ Anomaly detection can automatically distinguish good
users from bad users. In reality, heuristic anomaly
detection is a still-developing technology
³ Automated response can be used effectively to stop
intruders before misuse occurs. In reality, there may be too
many false positives to justify automatic response, unless
the risk of a breach is greater than the risk of denying
access to legitimate system users.



Future Trends in Intrusion Detection
³ Integration with Vulnerability Analysis Tools – IDS will first
determine if a system is vulnerable to an identified attack. If not,
then no alert may be sent. If the system is vulnerable, then a high
priority alert is triggered since responsive action is required
³ Integration of IDS with Firewall and Filtering Devices – The IDS
will identify an attack and instruct the firewall to enforce a policy to
deny the attack from occurring
³ Intrusion Prevention – Diagnostics need to be quicker and more
accurate, and better integration is needed into centralized decision
support systems so that attacks can be proactively prevented
³ Operating System embedded IDS – IDS tools will be contained
within operating systems and other products to provide better
identification of attacks
³ Improved Correlation – Intelligent integration will provide “big
picture” of multiple smaller scale events
³ Merging of IDS technologies – IDS products will merge anomaly
and signature based techniques to provide well-rounded attack
identification



Summary
³ Intrusion monitoring and detection can provide valuable
information that includes metrics describing the state of an
organization's security perimeter.
³ Some intrusion detection systems offer the ability to block
network sessions when they are deemed inappropriate or
undesirable.
³ Organizations should deploy several intrusion detection
techniques, considering both network and host based
intrusion detection devices, to cover multiple areas of
potential attack.
³ IDS does not compensate for weak preventative controls
³ IDS does not automatically investigate attacks without
human intervention and will not defeat new attacks unless
the IDS is kept up to date.



Network Monitoring
Agenda
³ Introduction
³ Leading Indicators and Lagging Indicators
³ Risk Assessment
³ Network Events
³ Host based IDS Events
O Host Events
O System Process Events
O User Events
O Directory and File Events
³ CERT Security Practices for Intrusion Detection



What to Monitor?
³ Determining what events to monitor can be a complex and
difficult decision
³ Deciding on which events and attributes to monitor is a
trade-off decision to help manage risks
O There are limited resources for intrusion monitoring. How
can those resources best be deployed?
O Monitoring “too much” can make the IDS process
cumbersome and unworkable
O Monitoring “too little” can result in failing to discover some
intrusions or attacks
³ Risk Assessment is an important part of deciding what to
monitor
³ But best practices are available as a good baseline



Leading Indicators vs. Lagging Indicators
³ Leading indicators = events that are triggered in the early
stages of an attack. Usually these events are triggered
when an attack is first being attempted.
³ Lagging indicators = events that are triggered in the later
stages of an attack. Usually these events are triggered after
an attack has been (at least partially) successful.
³ Intrusion detection processes should have a balance of
leading indicators and lagging indicators
³ Intrusion detection processes should identify BOTH
attempted intrusions as well as successful intrusions
O Attempted intrusions (through leading indicators) can enable
proactive action to prevent a compromise
O Successful intrusions (through lagging indicators) are
especially urgent. Immediate action is required to contain
the damage and respond to the attack.



Risk Assessment
³ Intrusion detection is needed to keep pace with current
computer threats and vulnerabilities.
³ Determination of what types of events/attacks an IDS will
monitor should be based on the risk level of the data and
systems to be monitored.
³ IDS should be deployed to protect the confidentiality,
integrity and availability of the organization’s data and
systems.
³ Risk assessment helps determine the level of risk associated
with these threats and vulnerabilities.
³ Threats include people/groups that can potentially
compromise an organization’s computer systems.
O Disgruntled employees
O Employees (intentionally or unintentionally)
O Competitors
O Hackers



Event Monitoring
³ Monitoring of network and system events helps to identify
intrusive activity and facilitates investigation of unusual,
unexpected or suspicious activity.
³ Catching suspicious activity early can potentially minimize
and contain any damage.
³ Logs from networks and intrusion detection tools may
contain evidence that indicates that someone has tried to or
actually compromised a system or the network.
³ Regular inspection of log files can also enable the
identification of reconnaissance in advance of an intrusion.



Network Events
³ Monitoring network events is crucial for identifying
intrusive activity at the time it is occurring or soon after;
this is achieved by monitoring messages as they traverse the
network.
³ Network events are “leading indicators” of an intrusion.
That is, they can provide early notification of an attack
from the very beginning of the attack
³ Many network events can be monitored from device logs
and do not necessarily require the use of a network IDS
³ However, some forms of network events do require a
network IDS



Network Events
³ Network events to monitor include:
O Probes, scans and the use of mapping tools. These tools are
used by intruders to perform reconnaissance.
Q Indication of attempt to identify configuration information
including, but not limited to
– Hosts, operating system, network topology
– Externally accessible paths into the network
– Internet service providers used
O Protocol Violations, such as Invalid option bits in a TCP
packet, invalid sequence numbers or flags (ACK before
SYN) in a TCP packet, and invalid fragments.
Q Protocol violations are often a result of an intruder using a
network scanner in an attempt to bypass the firewall
O Excessive number of ICMP unreachable messages from the
same source
Q Indicates a possible scan to identify reachable host addresses



Network Events
³ Network events to monitor (continued):
O Connections to and from unusual locations.
Q This activity may indicate that the server has been compromised by an
intruder who is now trying to launch attacks on another host.
Q Example: Any outbound connection made by a server host dedicated to
serving a public web site should be suspicious.
O Internal source address packets originating from an external
source. This activity can indicate a spoof attack.
O Packets with source and destination addresses external to the
network.
Q Can indicate that an intruder has bypassed the firewall and is
routing their traffic through the network
Q Can also indicate the presence of an inside intruder
O Packets with unusual protocol or port numbers sent to
broadcast addresses
Q Traffic can indicate a denial-of-service attack.



Network Events
Ê Network activities to monitor (continued):
O Unusual port combination in TCP and UDP packets.
Q Could indicate an unexpected service (such as a backdoor
program) running on the network
Q Can also indicate that an intruder has bypassed the firewall
Q Example: Packets with the same source address and a sequence
of destination ports can indicate that an intruder is trying to
discover both the firewall policy and what services are available
on the system
O Connections made at unusual times
O Unexpected loss of connectivity
O Unexpected changes in performance between current and
previously captured statistics
Q Example: Network traffic being unusually high or low when
compared to expected levels for the time of day and day of the
week



Network Events
Ê Network activities to monitor (continued):
O All of the preceding network events can be monitored
through router logs, firewall logs, device logs, etc. and do
NOT require a network IDS (although a network IDS may
make this monitoring easier)
O Packet headers and data contents that match commonly
exploited attacks.
Q This is what Network IDS systems provide
Q The exact nature of the attacks that can be detected depends on
each specific product
Q The number of signatures may be an indicator of the “depth” of
coverage, but some systems count several related signatures
separately even though they are essentially for the same attack
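The slides above state that most of these network events can be pulled from router and firewall logs without a network IDS. As an added example that is not part of the original slides, the following script runs a handful of those checks over a constructed firewall connection log: a sequence of destination ports from one source (counted across the whole log, so a scan spread over hours, as in the stealth-probe technique, is still caught), an internal source address arriving on the external interface, packets with both addresses external, an outbound connection initiated by a dedicated public web server, and an excessive number of ICMP unreachable messages from one source. The log format, all addresses, the internal address range, the web-server list and the thresholds are assumptions.

```python
"""Network-event checks over a constructed firewall connection log.

Added example, not from the original slides. The log format, the addresses,
the internal address range, the "dedicated web server" list and the thresholds
are all constructed assumptions.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed internal space
PUBLIC_WEB_SERVERS = {ipaddress.ip_address("10.0.0.5")}   # assumed dedicated web hosts
SCAN_PORTS = 4            # distinct destination ports per (src, dst) before alerting
ICMP_UNREACH_LIMIT = 5    # ICMP type-3 messages from one source before alerting

# Constructed log, one new connection per line:
# "<timestamp> <ingress iface> <proto> <src> <sport> <dst> <dport>"
# For icmp, the sport column carries the ICMP type and dport the code.
SAMPLE_FW_LOG = """\
2002-03-01T01:00:00 ext tcp 198.51.100.7 40001 10.0.0.5 21
2002-03-01T02:00:00 ext tcp 198.51.100.7 40002 10.0.0.5 22
2002-03-01T03:00:00 ext tcp 198.51.100.7 40003 10.0.0.5 23
2002-03-01T04:00:00 ext tcp 198.51.100.7 40004 10.0.0.5 25
2002-03-01T05:00:00 ext tcp 198.51.100.7 40005 10.0.0.5 80
2002-03-01T05:00:01 ext tcp 10.0.0.9 1025 10.0.0.5 80
2002-03-01T05:00:02 ext tcp 203.0.113.4 1025 192.0.2.8 80
2002-03-01T05:00:03 int tcp 10.0.0.5 1026 203.0.113.9 6667
2002-03-01T05:00:04 ext tcp 203.0.113.50 2000 10.0.0.5 80
2002-03-01T05:01:00 int icmp 10.0.0.1 3 198.51.100.7 3
2002-03-01T05:01:01 int icmp 10.0.0.1 3 198.51.100.7 3
2002-03-01T05:01:02 int icmp 10.0.0.1 3 198.51.100.7 3
2002-03-01T05:01:03 int icmp 10.0.0.1 3 198.51.100.7 3
2002-03-01T05:01:04 int icmp 10.0.0.1 3 198.51.100.7 3
"""


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_fw_log(text):
    """Parse the constructed format into dicts with typed addresses and ports."""
    records = []
    for line in text.splitlines():
        ts, iface, proto, src, sport, dst, dport = line.split()
        records.append({"ts": ts, "iface": iface, "proto": proto,
                        "src": ipaddress.ip_address(src), "sport": int(sport),
                        "dst": ipaddress.ip_address(dst), "dport": int(dport)})
    return records


def analyse_fw_log(records):
    """Return [(rule name, detail), ...] for every suspicious event found."""
    findings = []
    ports_seen = defaultdict(set)   # (src, dst) -> destination ports probed
    unreach = defaultdict(int)      # src -> count of ICMP type-3 messages
    for r in records:
        src, dst = r["src"], r["dst"]
        # Internal address arriving from outside: likely spoofed
        if r["iface"] == "ext" and is_internal(src):
            findings.append(("spoofed-internal-source",
                             f"{src} arrived on external interface"))
        # Neither end is ours: firewall bypass or an inside host relaying traffic
        if not is_internal(src) and not is_internal(dst):
            findings.append(("external-to-external", f"{src} -> {dst}"))
        # A dedicated public web server should never initiate outbound sessions
        if src in PUBLIC_WEB_SERVERS and not is_internal(dst):
            findings.append(("web-server-outbound", f"{src} -> {dst}:{r['dport']}"))
        if r["proto"] == "icmp" and r["sport"] == 3:
            unreach[src] += 1
        elif r["proto"] in ("tcp", "udp"):
            ports_seen[(src, dst)].add(r["dport"])
    # Aggregate checks run over the whole log, not a short window
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORTS:
            findings.append(("port-scan",
                             f"{src} probed {len(ports)} distinct ports on {dst}"))
    for src, n in unreach.items():
        if n >= ICMP_UNREACH_LIMIT:
            findings.append(("icmp-unreachable-flood",
                             f"{n} ICMP type-3 messages from {src}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse_fw_log(parse_fw_log(SAMPLE_FW_LOG)):
        print(f"{rule:25s} {detail}")
```

The ordinary web visit from 203.0.113.50 produces nothing, while each of the other constructed entries trips exactly one rule. The port-scan rule deliberately keeps state for the whole log rather than a few minutes; a per-minute threshold would miss the one-connection-per-hour probe from 198.51.100.7.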



Host level Events
³ All host operating systems have key files that provide
configuration information or otherwise affect the secure
operation of the system
³ Changes to these configuration or system files can enable an
attacker to obtain access, allow the attacker to escalate their
privilege during the attack, or enable the attacker to leave a
secret back-door to re-enter the system on demand
³ Intrusion detection systems must include monitoring of host-
level events indicating a change to critical configuration or
system files
³ Host-level events are a “lagging indicator” of an intrusion.
That is, they are usually triggered later in an attack after the
attacker has obtained a foothold.
³ Most host-level events indicate that an attack has been
successful, which makes them especially urgent. A host level
event warrants immediate investigation.



System Process Events
³ Programs that operate on networked systems include a
variety of operating system and network services, user-
initiated programs, and special purpose applications. Each
program executed represents one or more processes.
³ Each process executes with specific privileges that govern
what system resources, programs and data files can be
accessed.
³ Unexpected or anomalous system performance may
indicate that an intruder is using the system for
unauthorized purposes.
³ A process that exhibits unexpected behavior may indicate
an intrusion.
O Example: An intruder successfully disrupts the access-
control process and gains access to a system that normally
would have prohibited access.



System Process Events
³ System events to monitor:
O Shutdowns, reboots, and restarts
Q Unexpected shutdowns, reboots and restarts can indicate the
presence of a Trojan horse program
O Process run time, processing cycles, resource and time
utilization (including CPU time, memory and disk)
Q Unusual process behaviors (processes running at unexpected
times of day, during unexpected processing cycles and
excessive resources and time utilization) can indicate an
impending denial of service or the presence of a network sniffer
O Extra or missing processes, or the termination of processes
prematurely
O Password cracking, network packet sniffing or other
unauthorized processes
O The privileges with which processes are executed.
Q An unusual process running with sensitive privileges is highly
suspicious.
System Process Events
Ê System events to monitor:
O Processes with unusually formatted output or arguments
Q Example: (UNIX system) process running as “./telnetd” instead
of “/usr/sbin/telnetd”
O Services in operation
Q Look for new, unexpected, or previously disabled processes or
services running. This can indicate that an intruder has turned
on services or installed their own version of a process or service
O Total number of processes running.
Q A large number of processes running concurrently can be a sign
of an attack.
O The intruder detection system software and log files
Q Intruders compromise processes associated with intrusion
detection and other security tools to compromise the tools and
leverage access to information to generate false alerts and
distract system administrators.
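The process checks on the last two slides (the "./telnetd" versus "/usr/sbin/telnetd" example, previously disabled services reappearing, unexpected privileges, and the total process count), as one added example that is not part of the original slides. It runs over a constructed "ps"-style listing; the listing format, the expected-services table, the disabled-service list and every name in it are assumptions.

```python
"""Process-event checks over a constructed process listing.

Added example, not from the original slides. The listing format, the
expected-services table, the disabled-service list and all names are assumptions.
"""
import os

# Assumed allow-list: service name -> (expected executable path, expected user)
EXPECTED_SERVICES = {
    "sshd": ("/usr/sbin/sshd", "root"),
    "httpd": ("/usr/sbin/httpd", "www"),
    "syslogd": ("/sbin/syslogd", "root"),
}
DISABLED_SERVICES = {"telnetd", "rshd"}        # assumed switched off by policy
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MAX_PROCESSES = 50                             # assumed normal ceiling for this host

# Constructed "ps"-style listing: "<pid> <user> <command line>"
SAMPLE_PS = """\
PID USER CMD
1 root /sbin/init
42 root /usr/sbin/sshd
43 www /usr/sbin/httpd
44 root /sbin/syslogd
45 root /usr/sbin/httpd
77 root ./telnetd
90 nobody /tmp/.x/crack wordlist.txt
"""


def parse_ps(text):
    """Return one dict per process row (header row skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        pid, user, cmd = line.split(maxsplit=2)
        rows.append({"pid": int(pid), "user": user, "argv": cmd.split()})
    return rows


def check_processes(rows):
    """Return [(pid, finding), ...]; pid 0 is used for host-wide findings."""
    findings = []
    for r in rows:
        exe = r["argv"][0]
        name = os.path.basename(exe)
        # Relative path: a daemon started from the intruder's working directory
        if not exe.startswith("/"):
            findings.append((r["pid"], f"relative executable path {exe}"))
        # A service policy says is off has been turned back on
        if name in DISABLED_SERVICES:
            findings.append((r["pid"], f"disabled service {name} is running"))
        # Executables living in world-writable scratch space
        if exe.startswith(SUSPECT_DIRS):
            findings.append((r["pid"], f"executable in world-writable location {exe}"))
        # Known services must run from the expected binary as the expected user
        expected = EXPECTED_SERVICES.get(name)
        if expected:
            path, user = expected
            if exe != path:
                findings.append((r["pid"], f"{name} running from {exe}, expected {path}"))
            if r["user"] != user:
                findings.append((r["pid"], f"{name} running as {r['user']}, expected {user}"))
    if len(rows) > MAX_PROCESSES:
        findings.append((0, f"{len(rows)} processes running, above ceiling {MAX_PROCESSES}"))
    return findings


if __name__ == "__main__":
    for pid, msg in check_processes(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {msg}")
```

Only pids 45 (httpd running as root rather than www), 77 (relative path and a disabled service) and 90 (a binary under /tmp) are reported; the four expected daemons are silent. In practice the listing would come from the host agent rather than a string, and the allow-list would be generated from the host's build standard.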



User Events
Ê User behavior events can help identify anomalies and
suspicious patterns that can indicate an attack that is in
process or has been successful
Ê User behavior should be monitored, including login/logout,
authentication and other identification transactions, the
processes they execute and the files they access.
Ê Suspicious, unusual, and unexpected user events can be
either “leading indicators” (e.g., repeated failed logons)
that can identify an attack early or “lagging indicators” (e.g.,
attempts to escalate privilege) that identify an attack that is
well underway



User Events
Ê User activity to monitor:
O Login and logout information
O Repeated failed login attempts, especially privileged accounts
O Logins from unusual locations, at unusual times, including
logins via a remote access server
O Users logged in for an abnormal length of time, whether short
or long
O A user executing an unexpected command
O Users trying to change identities (e.g., su)
O Changes to user privileges
O Unusual processes run by users
O Access to restricted files and unauthorized access attempts
O Logins from unexpected terminals (for that particular user)



Directory and File Events
Ê The file systems on a network contain a variety of
software, data files and applications.
Ê Protection of confidential and mission-critical
information is important as these are common intruder
targets. Unexpected changes in directories and files,
especially those that are normally restricted, can be a “lagging
indicator” of an attack
Ê Intruders can create, substitute, modify and damage files
on systems once access is gained.
Ê The following directories and files should be monitored:
Operating system and configuration files, security-related
files (such as files that contain authorization or access
control rules), security-related applications and tools, etc.
Ê These files should be relatively “static” so an unexpected
change would be highly suspicious



Directory and File Events
Ê Directory and file events to monitor:
O Files and directory sizes, contents, and file attributes,
especially cryptographic checksums
Q Changes may signify that an intruder has replaced a file or
service or installed a Trojan horse or backdoor.
O Unexpected changes to password files, such as accounts with
no passwords and new account creation
O File and directory permissions and access control lists
Q Improper permissions on system tools can indicate that an
intruder has located and executed security tools authorized for
system administrators.
O Changes to system configuration files
O Access to restricted and sensitive information
O Log file consistency
Q Intruders alter file size and/or log records to cover their tracks
O Viruses, backdoors, and Trojan horses
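The file and directory events listed above and the Target Monitoring technique earlier in the module (compute a cryptographic hash beforehand, then compare at intervals) come down to the same check, shown here as one added example that is not part of the original slides. It fingerprints content (SHA-256) together with size, permission bits and owner, records a baseline, simulates three kinds of tampering in a temporary directory, and reports what differs. The file names and contents are constructed.

```python
"""File-integrity (target monitoring) check: record a baseline, then re-verify.

Added example, not from the original slides. It creates its own files in a
temporary directory; the file names and contents are constructed.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def file_fingerprint(path):
    """Content hash plus the attributes the slides list: size, mode bits, owner."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(paths):
    """Fingerprint every monitored file; keep the result off the monitored host."""
    return {p: file_fingerprint(p) for p in paths}


def verify(baseline):
    """Return [(path, what changed), ...] for every deviation from the baseline."""
    findings = []
    for path, ref in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        cur = file_fingerprint(path)
        findings.extend((path, f"{k} changed") for k in ref if cur[k] != ref[k])
    return findings


def demo():
    """Baseline three constructed files, tamper with them, and re-verify."""
    workdir = tempfile.mkdtemp()
    try:
        rules = os.path.join(workdir, "firewall.rules")
        tool = os.path.join(workdir, "ls")
        lib = os.path.join(workdir, "libauth.so")
        with open(rules, "w") as fh:
            fh.write("deny any any\n")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\nexec /bin/ls \"$@\"\n")
        with open(lib, "w") as fh:
            fh.write("original library\n")
        baseline = build_baseline([rules, tool, lib])

        # Simulated tampering: a same-size rule flip (only the hash catches it),
        # a replaced tool (hash and size change) and a deleted library.
        with open(rules, "w") as fh:
            fh.write("pass any any\n")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\nexec /bin/ls \"$@\"\necho tampered\n")
        os.remove(lib)
        return [(os.path.basename(p), what) for p, what in verify(baseline)]
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, what in demo():
        print(f"{name}: {what}")
```

The rule-file flip from "deny" to "pass" keeps the size, mode and owner identical, so size-only monitoring would miss it; only the hash changes. The baseline must be stored where a compromised host cannot rewrite it, otherwise an intruder simply re-baselines after tampering, which is the subversion error defined at the start of the module.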



False Positives
Ê Host, Process, and User events frequently trigger false
positives, but this does not necessarily justify ignoring
these events
O Detecting all root or administrator logins to the host will
trigger an alarm every time an administrator has to make a
change
Q BUT it will also alarm if an intruder compromises the root or
administrator account
Q The “benefit” of knowing if an intruder gets root access
probably justifies the “cost” of the false alarms for routine
administration, which should be relatively infrequent anyway
O Detecting all changes to the firewall ruleset configuration file
will trigger an alarm every time a valid change is made to the
firewall rules
Q BUT it will also alarm if an attacker changes the firewall rules
to allow dangerous traffic to pass into the network. This is
probably worth the inconvenience of the false alarms.



Key Audit Steps
Ê Key Audit Steps
O Ensure that decisions about what to monitor for intrusion
detection purposes are based on a well-thought-out strategy
(based on risk assessment and consultation with best practice
resources)
O Ensure that intrusion-related events that should be monitored
have been documented and approved by management
O Ensure that the intrusion-related events that are monitored
include a balance of “leading” and “lagging” indicators
O Ensure that intrusion-related events that are monitored
include events for attempted but unsuccessful attacks, as well
as for attacks that may be successful
O Ensure that a combination of network, host, process, and
user-level events are included within the scope of intrusion
detection monitoring to identify anomalous or suspicious
activity
O Ensure that file integrity checking is an integral part of the
intrusion detection process
CERT Security Practices
³ Best practices that address 85% of compromises
³ Seven categories of evaluative criteria:
1. Security Policy
2. Secure Network Servers
3. Secure Web Servers
4. Deploy Firewalls
5. Setup Intrusion Detection and Response Processes
6. Detect Signs of Intrusion
7. Responding to Intrusions
³ These criteria can be used as the foundation of a network
security audit or self-evaluation of controls



CERT Security Practices
Detect Signs of Intrusion
Ê Are network messages monitored as they traverse the network,
providing the ability to identify intrusive activity as it is
occurring?
Ê Are network traffic log files reviewed on a regular basis to
identify intruder reconnaissance in advance of an intrusion, or to
identify attempted or successful intrusions soon after they take
place?
Ê Are newly collected log data files reviewed often (at least daily)
and regularly rotated to minimize the amount of information that
has to be analyzed at any given time?
Ê Are all user and external reports of possible intrusion reviewed
daily to look for correlations and patterns among reports?
Ê Are all reports of possible intrusions investigated by examining
system and network logs, examining processes on affected
systems, etc.?
Ê Are the results of investigations formally documented and
tracked?



CERT Security Practices
Ê Are system performance statistics reviewed to identify anomalies
in the following areas?
O Total resource usage over time (CPU, memory, disk) and
performance stats
O Shutdowns and restarts
O File system status (where mounted, free space by partition, open
files, biggest files) over time and at specific times
O File system warnings (low free space, too many open files, files
exceeding allocated size)
Ê Are the activity and behavior of system processes being
monitored?
O Missing processes, extra processes, unusual process behavior and
resource utilization, and processes that have unusual user
identifications associated with them
O Process start-up time, arguments, and file names
O The amount of resources used by specific processes over time
O System and user processes and services executing at any given time
O The means by which each process is normally initiated, with what
authorization and privilege
O Devices used and files currently open by specific processes



CERT Security Practices
Ê Are instances of unexpected, unusual, or suspicious user
behavior being identified and investigated?
O Login/logout information: successful and failed attempts,
repeated failed login attempts (especially those to privileged
accounts), and logins from unusual locations or at unusual
times or for abnormal lengths of time
O Login/logout information on remote access servers
O Changes in user identity or escalation of privileges: unusual
attempts to change user identities or to run unusual processes
or execute unexpected commands
O Failed attempts to access restricted information, such as
password files
O Violations of user quotas



CERT Security Practices
Ê Are files and directories (attributes and contents) compared
to an authoritative reference at least daily to identify
unexpected changes?
O Cryptographic checksums for all system and configuration
files and directories
O Lists of files, directories, and their attributes
O File accesses (open, create, modify, execute, delete) and their
time/date
O Changes to the sizes, contents, access control permissions,
file types, and locations of files and directories
O Additions and deletions of files and directories
O Results of virus scanners
O Unusual or unexpected open files
O Violations of log file consistency (unexpected changes, gaps
in time between log records, etc.)



CERT Security Practices
Ê Is network traffic monitored to identify intrusive activity as it is
occurring and to watch for unexpected network behavior?
O Unexpected changes in network performance or volume for the day
of the week and time of day
O Traffic coming from, or going to, unexpected locations or using
unexpected protocols and ports
O Connections made at unusual times or failed connection attempts
O Unauthorized scans and probes, including packets with the same
source address and a sequence of destination ports
O Suspicious outbound connections from a host, or packets with
external source & destination addresses
O Nonstandard or malformed packets
O Packets with an internal source address that actually originated
from an external source
O Unusual port combinations of TCP and UDP traffic that could
indicate that an unexpected service is running on the network
O Packets with unusual protocol or port numbers sent to broadcast
addresses
O An unusually high number of ICMP port unreachable packets from
a single host
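
Three of the indicators listed above (a source address walking a sequence of destination ports, packets with an internal source address arriving on the external interface, and an unusually high count of ICMP port-unreachable messages from one host), implemented as detection logic over constructed flow records. This is an added example, not code from the deck; the record format, interface names, address ranges and thresholds are assumptions.

```python
"""Flag three of the network indicators above over constructed flow records."""
import ipaddress
from collections import defaultdict

# Constructed sample records, one per line:
# <interface packet arrived on> <src> <dst> <proto> <dst port | icmp type/code>
SAMPLE_LOG = """\
ext 203.0.113.9 192.0.2.10 tcp 21
ext 203.0.113.9 192.0.2.10 tcp 22
ext 203.0.113.9 192.0.2.10 tcp 23
ext 203.0.113.9 192.0.2.10 tcp 24
ext 203.0.113.9 192.0.2.10 tcp 25
ext 192.0.2.44 192.0.2.10 tcp 80
ext 198.51.100.7 192.0.2.10 tcp 443
int 192.0.2.10 198.51.100.7 tcp 443
int 192.0.2.77 203.0.113.200 icmp 3/3
int 192.0.2.77 203.0.113.200 icmp 3/3
int 192.0.2.77 203.0.113.200 icmp 3/3
int 192.0.2.77 203.0.113.200 icmp 3/3
"""


def parse(log):
    """Split the constructed records into dicts; real input would come from
    a firewall, router or sniffer log in its own format."""
    records = []
    for line in log.splitlines():
        if line.strip():
            iface, src, dst, proto, field = line.split()
            records.append({"iface": iface, "src": src, "dst": dst,
                            "proto": proto, "field": field})
    return records


def sequential_port_scans(records, min_run=4):
    """One source address touching a run of consecutive destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] in ("tcp", "udp"):
            ports[(r["src"], r["dst"])].add(int(r["field"]))
    hits = []
    for pair, seen in ports.items():
        ordered, run = sorted(seen), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                hits.append(pair)
                break
    return hits


def spoofed_internal_sources(records, internal_nets, external_iface="ext"):
    """Packets carrying an internal source address but arriving from outside."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return sorted({r["src"] for r in records if r["iface"] == external_iface
                   and any(ipaddress.ip_address(r["src"]) in n for n in nets)})


def icmp_port_unreachable_floods(records, threshold=3):
    """Hosts emitting more ICMP port-unreachable (type 3, code 3) than usual."""
    counts = defaultdict(int)
    for r in records:
        if r["proto"] == "icmp" and r["field"] == "3/3":
            counts[r["src"]] += 1
    return sorted(src for src, n in counts.items() if n > threshold)
```

The thresholds should be tuned against the baseline of normal traffic for the day of the week and time of day, as the slide notes, since a fixed value produces either noise or blind spots.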

Conclusion
³ Collection mechanisms to use to watch for signs of
intrusions or intrusion attempts should:
O Monitor and inspect network traffic and connections
O Monitor and inspect system resource use
O Monitor and inspect system process utilization
O Monitor and inspect user account and file access
O Verify file and data integrity

Intrusion Response Planning
Agenda
³ Introduction
³ Policy and Procedures
³ Responding to Intrusions
³ CSIRTs
³ Documenting Incidents
³ Key Components of Intrusion Response Plan

Introduction
³ Detecting intrusion activity is not sufficient unless
personnel are prepared to respond in a timely manner
³ Hackers can do substantial harm to a network very
quickly, so immediate action is required
³ A prepared intrusion response strategy eliminates potential
delays, errors, and omissions in advance of an actual
intrusion
³ Documented policies and procedures are needed to prepare
key technical staff and management to respond to
intrusions promptly and in a controlled manner
³ Communication, training, and periodic testing are required
to ensure that staff are aware of their roles and
responsibilities and are adequately prepared to respond to
intrusions

Policy and Procedures
³ An organization’s security policy should define the rules
that regulate how the organization will manage and protect
its information.
³ Detecting intrusions should be one of the primary purposes
defined in the network security policy.
³ Procedures should include the actions necessary to observe
systems and networks for signs of unexpected behavior,
including intrusions.
³ From these procedures all concerned parties should be able
to determine the operational steps to be taken to comply
with the security policy.
³ A legal review of the network security policy should be
conducted to ensure that the policy and supporting procedures
are legally defensible and enforceable.

Policy and Procedures
³ Intrusion detection policies and procedures should clearly
identify duties regarding intrusion detection.
O Document all important and critical information assets and
the level of protection each requires
O Document the types of threats or events that indicate possible
signs of intrusion. Threats may include:
Q Attempts (failed or successful) to gain unauthorized
access to a system or its data
Q Unintended and unauthorized disclosure of information
Q Unwanted disruption or denial of service
Q Unauthorized use of a system to process, store, or
transmit data
Q Changes to system hardware, firmware, or software
characteristics without the knowledge or consent of the
asset owner

Policy and Procedures
³ Intrusion detection policy information continued:
O Document responses to detected intrusions
O Document the requirement to establish and maintain secure,
reliable configuration information for all assets that represent
the known, expected state
O Document roles, responsibilities and authority for:
Q System administrators, security personnel, and users in
detecting intrusions
Q Testing of intrusion detection tools

Policy and Procedures
³ Monitoring procedures should be developed and provided
only to personnel responsible for monitoring. Monitoring
procedures should include:
O Data streams to be monitored
O Monitoring locations on systems and networks.
O Time and frequencies that monitoring is to be performed
O Activation of monitoring after the occurrence of what types
of events
O Operational activities necessary to alert appropriate
personnel to act upon the suspected intrusion
O Who performs the procedure activity, when, and under what
conditions.
O Authority of system administrators and monitoring personnel

Policy and Procedures
³ Periodic review of the policy and procedures should occur.
The review should focus on:
O System changes and software upgrades
O Changes in critical assets
O Changes in security requirements
O Changes in key roles and responsibilities
O Public and vendor information sources, including security
vulnerabilities, new methods for detection, new attack
signatures, etc.

Responding to Intrusions
³ Intrusions occur even when sophisticated prevention
measures are in place and effective policies and procedures
have been documented.
³ When an intrusion is detected, many decisions are made in
haste because good response planning has not occurred.
This reduces an organization’s ability to:
O Understand the extent and source of intrusions
O Protect sensitive and mission-critical data
O Continue operations
O Recover from an intrusion
O Collect information to analyze and understand what
happened
O Support legal investigations

Responding to Intrusions
³ The strategy for handling intrusions includes preparation,
detection, and response
O Preparation is the defining of the intrusion response plan
O Detection is the monitoring for intrusion activities
O Response is the rehearsal and eventual action taken once an
intrusion has been detected

Responding to Intrusions
³ The objectives of the intrusion response strategy are to:
O Avoid escalation and further incidents
O Assess the impact and damage of the incident
O Recover from the incident
O Establish a process for avoiding further exploitations of the
same vulnerability
O Determine who is responsible and potentially take legal
action
³ Preparedness for intrusion response is analogous to disaster
readiness for business continuity
O The goals are similar
O The controls are similar (e.g., a defined plan, periodic
“testing” of the plan, etc.)

CSIRTs
³ A CSIRT is a Computer Security Incident Response Team
³ A CSIRT is a team that performs, coordinates, and supports the
response to security incidents that involve sites within a defined
constituency
³ The CSIRT is the group that investigates the reported intrusion,
determines if an intrusion has actually occurred, assesses the
extent of the damage, identifies the “root cause” that allowed the
intrusion, eliminates the intruder’s access, and restores the
system
³ The CSIRT must be staffed by the “right” people (e.g., technical
people, Security, Legal, Corp. Communications, etc.)
³ Responsibilities and roles on the CSIRT must be well-understood
and defined
³ A “call-tree” or similar process should be in place to help get the
CSIRT members together quickly in the event of an intrusion

Severity of Attacks
³ The severity of an attack is based on several
characteristics:
O Criticality of the server/device under attack – Does the host
matter?
O Lethality or significance of the attack – How likely is the
attack to do significant damage to the system?
O Strength of countermeasures – Is the system/network
protected from this type of attack?
³ Example scale of increasing severity, from No Risk to Very High Risk:
O Non-targeted, ineffective, script-based exploit
O Network reconnaissance probe
O Targeted exploit
O Root compromise on a non-critical system
O Root compromise on a critical system

Responding to Intrusions
³ Depending on the seriousness of the attack, not all responses
will be the same.
³ A tiered response and escalation approach allows for
security breaches to be handled according to risk.
³ These tiers should be documented in the intrusion response
plan.
³ Example of tiers:
O Tier 1 – one instance of potentially unfriendly activity
O Tier 2 – one instance of a clear attempt to obtain unauthorized
information or access or a second Tier 1 attack
O Tier 3 – Serious attempt to breach security or a second Tier 2
attack.

Responding to Intrusions
³ Examples of responses to each Tier’s activity:
O Tier 1
Q Record user/IP address/domain of intruder
Q Watch for future activity from the user
O Tier 2
Q Collect and protect information about intrusion
Q Research origin
Q Research potential risks related to intrusion method
Q Inform intruder of knowledge of intruder’s actions and warn of
actions to be taken on future attempts
O Tier 3 – same as Tier 2 plus
Q Contain intrusion
Q Inform client being attacked
Q Eliminate intruder’s means of access and any related
vulnerabilities
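
The tier definitions and escalation rules from the two slides above, turned into a small tracker as an added example (not code from the deck): each event carries a base tier, a second Tier 1 from the same source is handled as Tier 2, a second Tier 2 as Tier 3, and each event is mapped to the responses the plan lists for its tier. The sample events and source addresses are constructed.

```python
"""Tiered escalation tracker for the response tiers described above."""
from collections import defaultdict

# Responses listed on the slides, keyed by tier; Tier 3 is Tier 2 plus more.
RESPONSES = {
    1: ["record user/IP address/domain", "watch for future activity"],
    2: ["collect and protect intrusion information", "research origin",
        "research risks of the intrusion method",
        "inform intruder that actions are known and warn of consequences"],
}
RESPONSES[3] = RESPONSES[2] + ["contain intrusion", "inform affected client",
                               "eliminate means of access and related vulnerabilities"]


def classify(events):
    """events: iterable of (source, base_tier, description), oldest first.
    Escalation follows the slide: a second Tier 1 from the same source is
    handled as Tier 2, and a second Tier 2 as Tier 3. Returns the effective
    tier and the response actions for each event, in order."""
    history = defaultdict(lambda: {1: 0, 2: 0, 3: 0})
    results = []
    for source, base_tier, description in events:
        tier = base_tier
        if tier == 1 and history[source][1] >= 1:
            tier = 2
        if tier == 2 and history[source][2] >= 1:
            tier = 3
        history[source][tier] += 1
        results.append({"source": source, "event": description,
                        "tier": tier, "actions": RESPONSES[tier]})
    return results


# Constructed sample events (documentation address ranges).
SAMPLE_EVENTS = [
    ("203.0.113.9", 1, "single probe of a closed port"),
    ("198.51.100.7", 2, "repeated failed logins to a privileged account"),
    ("203.0.113.9", 1, "second probe from the same address"),
    ("203.0.113.9", 2, "attempt to retrieve the password file"),
    ("192.0.2.200", 3, "root compromise on a critical system"),
]


def tiers_for(events):
    """Effective tier of each event, in order."""
    return [r["tier"] for r in classify(events)]
```

Whether a repeat from the same source should escalate forever or age out after a retention window is a plan decision; the tracker above never forgets, which is the conservative default.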

Intrusion Response Plan
³ Key components of an Intrusion Response Plan:
O Document procedures (as well as assigned roles and
responsibilities) for the following tasks:
Q analyzing available information; assessing the damage and
extent of the intrusion;
Q communicating with relevant parties (e.g., call trees);
Q collecting and protecting information associated with the
intrusion;
Q containing the intrusion;
Q eliminating the intruder’s means of access and any related
vulnerabilities;
Q returning the system to normal operation; and
Q following-up with a postmortem review of events and
procedures
O Document the types of threats or events that indicate possible
signs of intrusion, as well as how you intend to respond to
them if they are detected

Intrusion Response Plan
³ Key components of an Intrusion Response Plan continued:
O Indicate what types of responses to an intrusion require
management approval, and which are pre-approved. It is
especially important to understand up-front who is
authorized to make the decision to disconnect the system.
O Document the roles, responsibilities, and authority of system
administrators, security personnel, and users
O Document the priority and sequence of actions to be taken
when dealing with an intrusion
O Specify the order in which services will be restored, if this is
a consideration (for example, restore your e-mail service
before restoring FTP)
³ Users should be trained on their responsibilities listed in
the plan, including drills/tests/simulations to validate that
individuals understand what is expected of them in the
event of an intrusion

Intrusion Response Plan
Key Audit Steps
³ Ensure that intrusion detection and response policies and procedures are
well-defined, including a documented intrusion response plan
³ Ensure that the intrusion response plan identifies required tasks,
specifies step-by-step instructions for those tasks, and assigns roles and
responsibilities.
³ Ensure that the intrusion response plan establishes a computer security
incident response team (CSIRT) consisting of individuals with the
appropriate knowledge and technical
³ Ensure that the members of the CSIRT are maintained in a “call tree”
that enables rapid notification and assembly of the team to begin
addressing the intrusion.
³ Ensure that the intrusion response plan requires an assessment of the
damage and extent of compromise.
³ Ensure that the intrusion response plan contains a risk assessment
process to assess the criticality of the intrusion
³ Ensure that the intrusion response plan identifies responsive actions that
are focused on intrusions of different criticality levels and scenarios.

Intrusion Response Plan
Key Audit Steps (Continued)
³ Ensure that the intrusion response plan identifies steps that need to be
taken to preserve the evidence trail in the event that criminal
prosecution is warranted. Ensure legal counsel has validated these
procedures against local legal requirements.
³ Ensure that decision-making authority has been assigned for making
key decisions, such as when to “pull the plug” or shut down the system.
³ Ensure that intrusion response plans assign responsibility for containing
the intrusion and removing the attacker’s means of access to on-call
technical personnel with the appropriate skills and experience.
³ Ensure that the intrusion response plan requires an exhaustive review of
devices/servers (including system processes, system configurations,
user files, file integrity, etc.) whenever high criticality intrusions are
suspected to ensure that any logic bombs, back doors, etc. installed by
the attacker have been removed
³ Ensure that the intrusion response plan requires identification of the
attacker’s means of access as well as the root cause of any underlying
security exposure or weakness.
³ Ensure that any identified security exposure or weakness is addressed
and resolved promptly on other devices/servers in the network to prevent a
similar intrusion elsewhere

Intrusion Response Plan
Key Audit Steps (Continued)
³ Ensure that the intrusion response plan requires a thorough assessment
of peer systems (on the same subnet as the intrusion) to ensure that they
have not been compromised as well
³ Ensure that system priorities have been pre-defined so that systems can
be restored in the order that best satisfies business requirements
³ Ensure that all (suspected) intrusions that are detected and/or reported
are documented and tracked through resolution
³ Ensure that all (suspected) intrusions are followed-up on and
incorporated in management reporting and metrics
³ Ensure that the intrusion response plan is accessible to personnel
³ Ensure that training on the intrusion response plan is conducted for all
employees, especially those that will perform key roles in the event of
an attack
³ Ensure that periodic exercises/simulations/tests are conducted to ensure
that key personnel understand their roles and responsibilities and to
validate organizational preparedness for responding to intrusions
³ Ensure that the intrusion response plan is updated periodically (e.g.,
annually) to reflect changes in business environment, technical
environment (e.g., a new platform being introduced into the network) or
risk environment (e.g., a new type of attack has surfaced in the wild)

CERT Security Practices
³ Best practices that address 85% of compromises
³ Seven categories of evaluative criteria:
1. Security Policy
2. Secure Network Servers
3. Secure Web Servers
4. Deploy Firewalls
5. Setup Intrusion Detection and Response Processes
6. Detect Signs of Intrusion
7. Responding to Intrusions
³ These criteria can be used as the foundation of a network
security audit or self-evaluation of controls

CERT Security Practices
Setup Intrusion Detection and Response Processes
• Have the intrusion response roles, responsibilities, and the authority of
system administrators, security personnel, and users been documented?
• Has a legal review of intrusion response policies and procedures been
conducted?
• Are administrators and security personnel trained on the policies and
procedures regarding how to handle an intrusion?
• Is the effectiveness of each employee’s readiness tested by conducting
practice drills to ensure that all staff members are aware of their roles
and responsibilities?
• Has the priority and sequence of actions to be taken when dealing with
an intrusion been documented?
• Do guidelines indicate what types of responses to an intrusion require
management approval and which are pre-approved? Do individuals or
teams responsible for intrusion response have pre-authorization from
management to disconnect from the network and shut down the affected
system(s), if appropriate?
• Have persons been assigned to staff and support the intrusion response
activity, and have roles and responsibilities been clearly assigned?

CERT Security Practices
Responding to Intrusions
• Will administrators determine to what extent their systems and data have been
compromised, and then take corrective action?
• Will information be obtained about what attacks were used to gain access, what
systems and data were accessed by an intruder, and what an intruder did after
obtaining access?
• Do procedures ensure compromised systems are backed up, and that volatile
system information (e.g., current network connections, current processes, open
files, users logged on, etc.) is captured?
• Will local host log files and firewall, router, and network monitoring logs be
reviewed to identify additional information about the intrusion?
• Are cryptographic checksums on files/directories used to identify what the
intruder did, such as installing Trojans or back-door programs?
• Does an intrusion notification call tree (listing the sequence of people to call and
who will call whom) exist for informing people quickly?
• Is information about the compromised system (including system and network
logs, network message traffic, user files, IDS tool results, backups, screen shots,
administrator console logs and notes, etc.) captured and stored securely to
preserve chain of custody?
• Have steps been defined for stopping an intruder’s access to compromised
systems and preventing an intruder from causing further damage? (e.g.,
removing access from file systems, disabling compromised services, disabling
accounts used by intruders, etc.)

CERT Security Practices
Responding to Intrusions - Continued
• Do procedures ensure that the affected systems are protected against the same or
similar types of access and attacks in the future?
• Are all passwords on systems to which an attacker may have had access
changed?
• Are the means by which an intruder gained access eliminated? (e.g., by
installing patches, removing malicious code, reinstalling trusted
configuration/password files, etc.)
• Are cryptographic checksums used to validate that all executable files (including
shell scripts) and binary files (such as libraries) were not compromised?
• Are all system configuration files (user accounts, system services and their
configurations, audit and monitoring facilities, and access control lists)
validated?
• Is a security audit conducted (using SATAN, SAINT, SARA, etc.) to determine
if there are uncorrected system and network vulnerabilities?
• Are firewall configurations reviewed and adjusted appropriately (e.g., new IP
addresses to be denied through the filter, strengthening filtering rules, etc.)?
• Do effective procedures exist for restoring and returning a compromised system
to normal operations?
• Are systems restored from installation media, or from the latest trusted, validated
backup?
• Are systems monitored for signs of the intruder’s return: failed logon attempts,
attempts to access back doors, attempts to exploit the original vulnerability, and
attempts to exploit new vulnerabilities?

Conclusion
³ Being prepared is the key to effectively responding to a security
intrusion or attack
³ Intrusion response policies and procedures should be defined to
establish an overall framework for how intrusions are to be
handled
³ A CSIRT should be appointed from among technical staff to respond
to intrusions
³ A well-defined intrusion response plan should be defined to
specify tasks, priorities, levels of authority, etc.
³ Key personnel should be trained on the intrusion response plan
and “exercises” should periodically be used to verify that
employees are prepared

www.secureitgroup.com
703-464-7010