1 UNIT - I 1 INFORMATION SECURITY OVERVIEW Unit Structure 1.0 Objectives 1.1 Definition 1.2 Introduction 1.3 The Evolution of Information Security 1.3.1 Government perimeter blockade model 1.3.2 Academic world 1.4 Three Ds of security 1.5 How to Build a Security Program ? 1.5.1 Authority 1.5.2 Framework 1.5.3 Assessment 1.5.4 Planning 1.5.5 Action 1.5.6 Maintenance 1.6 The Impossible Job 1.7 The Weakest Link 1.8 Justifying Security Investment 1.9 Strategy and Tactics 1.10 Business Processes vs. Tec hnical Controls 1.11 Summary 1.12 Questions 1.13 Reference s 1.0 OBJECTIVES Security means protecting data and information. Computer security has four objectives: confidentiality, integrity, avail ability, and nonrepudiation . Securing information is ensuring that computers keep your secrets, hold valid information and keep records of all the user’s transactions in a secure manner. 1.1 DEFINITION Information is an important asset. Information can be classified into different categories. munotes.in
Page 2
2 Security in Computing This is typica lly done to control access to the information in different ways, depending on its importance, its sensitivity, and its vulnerability to theft or misuse. For eg : The U.S. government, uses a five -level classification system that progresses from Unclassified information (which everyone can see) to Top Secret information (to which only the most trusted people have access). 1.2 INTRODUCTION Organizations classify information in different ways to differently manage aspects of its handling, such as labeling (wheth er headers, footers, and watermarks specify how it should be handled), distribution (who gets to see it), duplication (how copies are made and handled), release (how it is provided to outsiders), storage (where it is kept), encryption (if required), dispos al (whether it is shredded or strongly wiped), and methods of transmission (such as e -mail, fax, print, and mail). Information intended for internal use only is usually meant to be seen by employees, contractors, and service providers, but not by the gene ral public. Examples include internal memos, correspondence, general e -mail and instant message discussions, company announcements, meeting requests, and general presentation materials. Companies may have confidential information, such as research and development plans, manufacturing processes, strategic corporate information, product roadmaps, process descriptions, customer contact information, financial forecasts, and earnings announce ments that are intended for internal use on a need -to-know basis. Los s or theft of confidential information could violate the privacy of individuals Specialized information or secret information may include trade secrets, such as formulas, production details, and other intellectual property, proprietary methodologies and pr actices that describe how services are provided, research plans, electronic codes, passwords, and encryption keys. If disclosed, this type of information may severely damage the company’s competitive advantage. A Case Study : Egghead Software was a well-known software retailer that discovered in 2000 that Internet attackers might have stolen as many as 3.7 million c redit card numbers from its web site, housed offsite at an e - commerce service provider that lacked good security. This information quickly made the news. The media coverage cleaned out the company’s reputation. Egghead’s stock price dropped dramatically, along with its sales. munotes.in
Page 3
3 Information Security Overview In some business sectors , the protection of information is not just desirable, it’s mandatory. For example, health care or ganizations are heavily regulated. Regulations also required financial institutions to protect customer information, PII, and financial records. 1.3 THE EVOLUTION OF INFORMATION SECURITY 1.3.1 Government perimeter blockade model : The government was mainly concerned with blocking access to computers, restricting internal access to confidential data, and preventing interception of data. This method of protecting assets provided a hard -to-penetrate perimeter, as shown below.
1.3.2 Academic world: The goal was to share information openly, so security controls were limited to accounting functions in order to charge money for the use of computer time. These two models are diametrically opposite —the government model blocks everything, while the academic model allows everything. munotes.in
Page 4
4 Security in Computing Case Study: Dangers of the Academic Open -Access Model: InterNex was an Internet service provider (ISP) headquartered in Palo Alto, California. The only security control was the basic username and password authentication. The ideolog y of InterNex was that the Internet should be open to everyone. Many of its systems were compromised by attackers who were able to guess the passwords of various user accounts. One o f the most famous attackers, Kevin Mitnick, used InterNex’s systems while attacking other networks, including during the 1994 IP spoofing attack against computers in San Diego. Mitnick was eventually captured and served five years in jail. The concepts of intranets and extranets were developed to accommodate internal and extern al customers, respectively, with secured boundaries that resembled miniature versions of the firewall perimeter. Virtual private networks (VPNs) were developed to provide a secure channel (or tunnel) from one network to another. As more companies started doing business on the Internet, concepts such as Software -as-a-Service (SaaS) were developed to provide business services over the Internet. And the threats found on the Internet evolved as well. Basic viruses and worms along with man -in-the-middle attack s found.
Modern information is shared among many consumers, via many channels . Security Methodology : The field of security is concerned with protecting assets in general. munotes.in
Page 5
5 Information Security Overview Information security is concerned with protecting information in all its forms, w hether written, spoken, electronic, graphical, or using other methods of communication. Network security is concerned with protecting data, hardware, and software on a computer network. 1.4 THREE D ’S OF SECURITY Defense, Detection, and Deterrence.
The three D’s of security Defensive : Its controls on the network can include access control devices such as stateful firewalls, network access control, spam and malware filtering, web content filtering, and change control processes. These controls protect from software vulnerabilities, bugs, attack scripts, ethical and policy violations, accidental data damage, and the like. Detective : Its controls include video surveillance cameras in local stores, motion sensors, and house or car alarm systems that alert p assers -by of an attempted violation of a security perimeter. Detective controls on the network include audit trails and log files, system and network intrusion detection and prevention systems , and security information and event management (SIEM) alerts, reports, and dashboards. A security operations center (SOC) can be used to monitor these controls. Without adequate detection, a security breach may go unnoticed for hours, days, or even forever. Deterrence : It is another aspect of security. It is consid ered to be an effective method of reducing the frequency of security compromises, and thereby the total loss due to security incidents. munotes.in
Page 6
6 Security in Computing Many companies implement deterrent controls for their employees, using threats of discipline and termination for violat ions of policy. These deterrent controls include communication programs to employees about acceptable usage and security policies, monitoring of web browsing behavior, training programs to acquaint employees with acceptable usage of company computer syste ms, and employee signatures on agreements indicating that they understand and will comply with security policies. With the use of deterrent controls such as these, attackers may decide not to cause damage. Case Study on the Illusion of Security : Many driv ers of Toyota vehicles in the 1980s were unaware that the door keys for those vehicles had only a small number of variations. They naturally assumed that so many different keys existed, the chance of opening the door of the wrong car was practically impos sible. They were wrong. Toyota had so few key variations that thieves were able to carry a full set to steal the cars. One person who encountered this phenomenon was Betty Vaughn, a retired schoolteacher, Betty returned from a shopping trip to the local mall to find her Toyota’s passenger -side mirror broken off and the garage door opener missing. When her husband arrived home, he noticed the front license plate was also missing. They assumed their car had been vandalized. But the tires were the wrong bra nd! What kind of vandal would switch their tires? It was then that they checked and discovered from the registration that it wasn’t their car. The 1992 Toyota Camry had been parked two cars away from Charles Lester’s 1993 model. The keys to both vehicles were the same. 1.5 HOW TO BUILD A SECURITY PROGRAM? There are many components that go into the building of a security program: Authority: The security program must include the right level of responsibility and authorization to be effective. Framework: A security framework provides a defensible approach to building the program. Assessment: Assessing what needs to be protected, why, and how leads to a strategy for improving the security posture. munotes.in
Page 7
7 Information Security Overview Planning: It produces priorities and timelines for security in itiatives. Action: The actions of the security team produce the desired results based on the plans. Maintenance: The end stage of the parts of the security program that have reached maturity is to maintain them. 1.5.1 Authority: A security program charte r defines the purpose, scope, and responsibilities of the security organization and gives formal authority to the program. Usually, the security organization is responsible for information protection, risk management, monitoring, and response. Other resp onsibilities may incl ude physical security, disaster recovery and business continuity planning, regulatory and internal compliance, and auditing. The set of responsibilities varies by company but should be clearly specified in the security program charter , which should be authorized by the company’s executive staff. 1.5.2 Framework: The security policy provides a framework for the security effort. The policy describes the intent of executive management concerning what must be done to comply with the busi ness requirements. The policy drives all aspects of technical implementations, as well as policies and procedures. Ideally, a security policy should be documented and published before any implementation begins. The security policy represents business deci sions about what to do based on certain assumptions. If the assumptions are not documented, they may be unclear or conflict with other activities. Documenting the se assumptions in a clear, easy -to-read, accessible policy helps communicate expectations to everyone involved. Standards are the appropriate place for product -specific configurations to be detailed. Standards are documented to provide continuity and consistency in the implementation and management of network resources.
munotes.in
Page 8
8 Security in Computing 1.5.3 Assessment: Risk analysis provides a perspective on current risks to the organization’s assets. This analysis is used to prioritize wor k efforts and budget allocation so that the greater risks can receive a greater share of attention and resources. A risk analysis result s in a well -defined set of risks that the organization is concerned about. These risks can be mitigated, transferred, or accepted. A gap analysis compares the desired state of the security program with the actual current state and identifies the differenc es. Those differences, or gaps, form a collection of objectives to be acted on over the course of a remediation effort to improve the organization’s security posture to bring it in line with one or more standards, requirements, or strategies. Remediation planning considers the risks, gaps, and other objectives of the security program, and puts them together into a prioritized set of steps to move the security program from where it is today to where it needs to be at a future point. 1.5.4 Planning : A roadm ap is a plan of action for how to implement the security remediation plans. It describes when, where, and what is planned. The roadmap is useful for managers who need the information to plan activities and to target specific implementation dates and the o rder of actions. It is also useful for implementers who will be responsible for putting everything together. The roadmap is a relatively high -level document that contains information about major activities and milestones coming up in the next defined per iod (often some combination of quarters, one year, three years, five years, or a “rolling” period that advances periodically). A good tool for architecture documents is a block diagram — a diagram that shows the various components of a security architectur e at a relatively high level so the reader can see how the components work together. A block diagram does not show individual network devices, machines, and peripherals, but it does show the primary building blocks of the architecture. munotes.in
Page 9
9 Information Security Overview Block diagrams des cribe how various components interact, but they don’t necessarily specify who made those components, where to buy them, what commands to type in, and so on. 1.5.5 Action : This describes how processes are performed by people on an ongoing basis to produce the desired outcomes of the security program in a repeatable, reliable fashion. Maintenance and support are part of maintaining the ongoing operations of the security program and its associated technologies, as part of a normal lifecycle of planning, upda ting, reviewing, and improving. The actions that should be taken when a security event occurs are defined in the incident response plan. 1.5.6 Maintenance: Policy enforcement is necessary to ensure that the intentions of management are carried out by the various people responsible for the behavior and actions defined in the security policies. Often, this enforcement is a shared effort between security management, company management, and Human Resources. Security awareness programs are used to educate em ployees, business partners, and other stakeholders about what behaviors are expected of them, what actions they should take under various circumstances to comply with security policies, and what consequences may ensue if they don’t follow the rules. 1.6 THE IMPOSSIBLE JOB The job of the attacker is always easier than the job of the defender. The attacker needs only to find one weakness, while the defender must try to cover all possible vulnerabilities. The attacker has no rules —the attacker can follow un usual paths, abuse the trust of the system, or resort to destructive practices. Defender s must try to keep their assets intact, minimize damage, and keep costs down. Eg: Homeowners who want to protect their property must try to anticipate every attack th at is likely to happen, while attackers can simply use, bend, break, or mutilate the house’s defens es. In an extreme example, the attacker can cut through the exterior, break the windows, knock down the walls, or set the house on fire. munotes.in
Page 10
10 Security in Computing Homeowners have th e more difficult job, of trying to protect their assets against all types of attack s. Every defender performs a risk assessment by choosing which threats to defend against, which to insure against, and which to ignore. Mitigation is the process of defense, transference is the process of insurance, and acceptance is deciding that the risk does not require any action.
1.7 THE WEAKEST LINK A security infrastructure will drive an attacker to the weakest link. For example, a potential intruder who is trying to break into a house may start with the front door. If the front door lock is too difficult to pick, the intruder may try side doors, back doors, and other entrances. If the intruder can’t get through any of those, he may try to open a window. If they’re all locked, he may try to break one. If the windows are unbreakable or barred, he may try to find other weaknesses. If the doors, windows, roof, and basement are all impenetrable, a determined intruder may try to cut a hole in the wall with a chainsaw. In what order will the intruder try these attacks? Usually, from the easiest to the hardest. The weakest link will attract the greatest number of attacks. munotes.in
Page 11
11 Information Security Overview For example, securing a credit card number should also include securing the system on which it resid es, the network attached to that system, the other systems on the network, non -computer equipment (such as fax machines and phone switches) attached to that network, and the physical devices for each of these. Securing the data means discovering its path throughout the system and protecting it at every point. If the credit card number is stored on the most secure network but a business process that prints the card numbers and stores them is kept in an unlocked room, the attacker will exploit this weakest link. In a computer network, firewalls are often the strongest point of defense. They encounter their fair share of attacks, but most attackers know that properly configured firewalls are difficult to penetrate, so they will look for easier prey. This ca n take the form of lines in labs or small offices that aren’t firewalled, modems and other remote access systems, Private Branch Exchange (PBX) phone switches, home computers and laptops that are sometimes connected to the company network, unpatched web servers and other Internet -facing servers, e -mail servers, and Domain Name Service (DNS) servers that are accessible from the Internet. All these typically offer less resistance to attackers than firewalls offer. That’s why the security of these objects need s to be equally as strong as the firewall. 1.8 JUSTIFYING SECURITY INVESTMENT Specific benefits of a strong security program are business agility, cost reduction, and portability. a. Business Agility : Every company wants to open up its business operatio ns to its customers, suppliers, and business partners, in order to reach more people and facilitate the expansion of revenue opportunities. For example, manufacturers want to reach individual customers and increase sales through e -commerce web sites. Weak security leaves many companies blind to the daily flow of information to and from their infrastructure . Security allows information to be used more effectively in advancing the goals of the organization because that organization can safely allow more outsi de groups of people to utilize the information when it is secure. The more access you provide; the more people you can reach. munotes.in
Page 12
12 Security in Computing b. Cost Reduction : Modern security practices do reduce some costs, such as those resulting from the loss of data or equipment. D ata loss due to mishandling, misuse, or mistakes can be expensive. An extensive virus outbreak, a website, or a denial of service (DoS) attack can result in service outages during which customers cannot make purchases and the company cannot transact busin ess. An increasing number of attacks are categorized as advanced persistent threats (APTs). These attacks are designed to deploy the malware into a network and remain undetected until triggered for some malicious purpose. Often, the goal of the attacks i s the theft of financial information or intellectual property. Loss of service or leakage of sensitive data can result in fines, increased fees, and an overall decrease in corporate reputation and stock price. Strong security reduces loss of information a nd increases service availability and confidentiality. c. Portability : Portability means that software and data can be used on multiple platforms or can be transferred/transmitted within an or ganization, to a customer, or a business partner. The “consum erization” of information has placed demands on companies to be able to provide meaningful and accurate information at a moment’s notice. Portability also enables business and creates value. For example, Apple’s ability to both host music and allow person al music libraries to be synchronized to a tablet, mobile phone, and MP3 player. 1.9 STRATEGY AND TACTICS A security strategy is the definition of all the architecture and policy components that make up a complete plan for defense, detection, and deterren ce. Security tactics are the day -to-day practices of the individuals and technologies assigned to the protection of assets. Strategies are usually proactive, and tactics are often reactive. Both are equally important, and a successful security program nee ds to be both strategic and tactical in nature. Strategic planning can proceed on a weekly, monthly, quarterly, and yearly basis. munotes.in
Page 13
13 Information Security Overview If a company finds itself focusing only on strategy or only on tactics, it should review its priorities and consider adding a dditional staff to address the shortfall. Figure demonstrates the interplay of strategy and tactics.
1.10 BUSINESS PROCESSES VS. TECHNICAL CONTROLS
1.11 SUMMARY Information is an important asset. Information can be classified into different categori es. This is typically done to control access to the information in different ways, depending on its importance, its sensitivity, and its vulnerability to theft or misuse. The field of security is concerned with protecting assets in general. Information se curity is concerned with protecting information in all munotes.in
Page 14
14 Security in Computing its forms, whether written, spoken, electronic, graphical, or using other methods of communication. Network security is concerned with protecting data, hardware, and software on a computer network. 1.12 QUESTIONS 1. Differentiate data and information. 2. What is security? Why it is needed. 3. Differentiate w.r.t security Government perimeter blockade model & Academic world. 4. What are the three D ’s of security? 5. What are the components needed to build a security p rogram? 6. Justify the statement “An impossible job: The job of the attacker is always easier than the job of the defender”. 7. Brief about the weakest link in security. 8. Explain the benefits of a strong security program: business agility, cost reduction, and por tability. 9. What is meant by Strategy and Tactics? 1.13 REFERENCES “The complete reference: Information Security, Second Edition, By Mark Rhodes -Ousley”. All contents are taken from this book.
***** munotes.in
Page 15
15 2 RISK ANALYSIS, SECURE DESIGN PRINCIPLES Unit Structure 2.0 Objectives 2.1 Definition 2.2 Introduction 2.3 Risk Analysis 2.4 Threat Definition 2.5 Threat Vectors 2.6 Threat sources & target 2.7 Types of Attacks 2.8 Viruses 2.9 Worms 2.10 Troja ns 2.11 Malicious HTML 2.12 Advanced Persistent Threats (APTs) 2.13 Network -Layer Attacks 2.14 Application -Layer Attacks 2.15 Risk Analysis 2.16 The CIA Triad and Other Models 2.17 Defense Models 2.18 Zones of Trust 2.19 Summary 2.20 Ques tions 2.21 Reference s 2.0 OBJECTIVES The objectives are: To study various security breaches & attacks happening in an organization day by day. To prevent, and protect against such attacks with advance d tools & techniques. 2.1 DEFINITION Security profes sionals know that many real -world threats come from inside the organization, which is why building a wall around your munotes.in
Page 16
16 Security in Computing truste d interior is not good enough. Y ou need to make sure your security controls focus on the right threats. 2.2 INTRODUCTION Any compute r that is accessible from the Internet will be attacked. It will constantly be probed by attackers and malicious programs intending to exploit vulnerabilities. 2.3 RISK ANALYSIS The objective of a security program is to mitigate risks. Mitigating risks d oes not mean eliminating them, it means reducing them to an acceptable one to make sure your security controls are effectively controlling the risks in your environment. One need s to anticipate wh at kinds of incidents may occur and also need s to identify w hat you are trying to protect, and from whom. 2.4 THREAT DEFINITION There are important threat s and attacks given as follows: Threat vectors Threat sources and targets Types of attacks Malicious mobile code Advanced Persistent Threats (APTs) Manual attac ks 2.5 THREAT VECTORS A threat vector is a term used to describe where a threat originates and the path it takes to reach a target. An example of a threat vector is an e-mail message sent from outside the organization to an inside employee, containing an i rresistible subject line along with an executable attachment that happens to be a Trojan program, which will compromise the recipient’s computer if opened. Trojan programs are installed pieces of software that perform functions with the privileges of auth orized users but are unknown to those users. Common functions of Trojans include stealing data and passwords, providing remote access and/or monitoring to someone outside the trusted network, or performing specific functions such as spamming. munotes.in
Page 17
17 Risk Analysis, Secure Design Principles Trojans can be exploited over the Internet, through the firewall, or across the internal network by users who are not authorized to have access. Trojans are dangerous because they can hide in authorized communication channels such as web browsing. Viruses typically arrive in documents, executable files, and e -mail. They may include Trojan components that allow direct outside access, or they may automatically send private information, such as IP addresses, personal information, and system configurations, to a receiver on the Internet. These viruses usually capture and send password keystrokes as well. A further example is the girlfriend exploit . It refers to a Trojan program planted by an unsuspecting employee who runs a program provided by a trusted friend from a sto rage device like a disk or USB stick that plants a back door (also known as a trap door) inside the network. Another example is a malicious e -mail attachment that exploits the access rights of the person who opens the attachment to send confidential infor mation out to the Internet. 2.6 THREAT SOURCES AND TARGETS Security controls can be logically grouped into several categories: Preventative : Block security threats before they can exploit a vulnerability Detective : Discover and provide notification of atta cks or misuse when they happen Deterrent : Discourage outsider attacks and insider policy violations Corrective Restore the integrity of data or another asset Recovery Restore the availability of a service Compensative In a layered security strategy, provid e protection even when another control fails. Each category of security control may have a variety of implementations to protect against different threat vectors: Physical : Controls that are physically present in the “real world” Administrative : Controls d efined and enforced by management Logical/technical : Technology controls performed by machines Operational : Controls that are performed in person by people munotes.in
Page 18
18 Security in Computing Virtual : Controls that are triggered dynamically when certain circumstances arise 2.7 TYPES OF ATTAC KS When plain ASCII text was used to attack MS-DOS systems. It was possible because of a default -loaded device driver called ansi.sys , to create a plain -looking text file that was capable of remapping the keyboard. These malicious programs were called ANS I bombs. It was possible that after reading a text message, the next key pressed would format the hard drive —it did happen. Attacks can take the form of automated, malicious, mobile code traveling along networks looking for exploit opportuniti es or they ca n take the form of manual attempts by an attacker. An attacker may even use an automated program to find vulnerable hosts and then manually attack the victims, exploiting a single system vulnerability, which can compromise millions of computers in less than a minute. Malicious Mobile Code : There are three generally recognized variants of malicious mobile code: viruses, worms, and Trojans. In addition, many malware programs have components that act like two or more of these types, which are called hybrid th reats or mixed threats. The lifecycle of malicious mobile code looks like this: 1. Find 2. Exploit 3. Infect 4. Repeat It just goes on every second of every day churning out replication cycles. Automated attacks are often very good at their exploit and only die down over time as patches close holes and technology passes them by. 2.8 COMPUTER VIRUSES A virus is a self -replicating program that uses other host files or code to replicate. Most viruses infect files so that every time the host file is execut ed, the virus is executed too. A virus infection is simply another way of saying the virus made a copy of itself (replicated) and placed its code in the host in such a way that it will always be executed when the host is executed. munotes.in
Page 19
19 Risk Analysis, Secure Design Principles Viruses can infect prog ram files, boot sectors, hard drive partition tables, data files, memory, macro routines, and scripting files. Anatomy of a Virus: The damage routine of a virus (or really of any malw are program) is called the payload. The vast majority of malicious progra m files do not carry a destructive payload beyond the requisite replication. Payloads can be intentionally destructive, deleting files, corrupting data, copying confidential information, formatting hard drives, and removing security settings. Some viruses are devious. Many send out random files from the user’s hard drive to everyone in the user’s e -mail address list. There are even viruses that infect spreadsheets, changing numeric zeros into letter O’s, making the cell’s numeric contents bec ome text and consequently, have a value of zero. The spreadsheet owner may think the spreadsheet is adding up the figures correctly, but the hidden O will make column and row sums add up incorrectly. This slowly corrupts all files on the hard drive. Viruses have been k nown to encrypt hard drive contents in such a way that if you remove the virus, the files become unrecoverable. A virus called Caligula even managed to prove that. A virus could steal private encryption keys. Viruses cannot break hard drive read -write head s, electrocute people, or cause fires. It happens when a virus focuses a single pixel on a computer screen for a very long time and causes the monitor to catch fire. Types of Viruses: If the virus executes, does its damage, and terminates until the next time it is executed, it is known as a non-resident virus . A non -resident virus may, for example, look for and infect five EXE files on the hard disk and then terminate until the next time an infected file is executed. These types of viruses are easier for malicious coders to write. If the virus stays in memory after it is executed, it is called a memory -resident virus. Memory -resident viruses insert themselves as part of the operating system or application and can manipulate any file that is executed, copied , moved, or listed. Memory -resident viruses are also able to manipulate the operating system to hide from administrators and inspection tools. These are called stealth viruses . Other stealth viruses will hide the increase in file size and memory incurred because of the infection, make the infected file invisible to disk tools and virus scanners, and hide file modification attributes. munotes.in
Page 20
20 Security in Computing If the virus overwrites the host code with its own code, effectively destroying much of the original contents, it is called an overwriting virus. If the virus inserts itself into the host code, moving the original code around so the host programming remains and is executed after the virus code, the virus is called a parasitic virus . Viruses that copy themselves to the beginni ng of the file are called prepending viruses , and viruses placing themselves at the end of a file are called appending viruses . Viruses appearing in the middle of a host file are labell ed mid-infecting viruses . The modified host code doesn’t always have to be a file —it can be a disk boot sector or partition table, in which case the virus is called a boot sector or partition table virus , respectively. For a pure boot sector virus to infect a computer, the computer must have b ooted, or attempted to boot, an infected disk.
Some boot sector viruses, like Tequila, are classified as multipartite viruses because they can infect both boot sectors and program files. If activated in their executable file form, they will attempt to infect the hard drive and place the infected boot code without having been transferred from an infected booted disk. Boot sector viruses move the original operating system boot sector to a new location on the disk, and partition table viruses manipulate the disk partition table in order to gain control first. munotes.in
Page 21
21 Risk Analysis, Secure Design Principles Most boot sector virus damage routines run at the beginning of the virus’s execution before Windows is loaded. The virus can damage Windows by preventing it from loading or by formatting the hard drive. Macro viruses infect the data running on top of an application by using the program’s macro or scripting language. 2.9 COMPUTER WORMS A computer worm uses its own coding to replicate, although it may rely on the existence of other related code. The key to a worm is that it does not dir ectly modify other host code s to replicate. A worm may travel the Internet trying one or more exploits to compromise a computer, and if successful, it then writes itself to the computer and begins replicating again. An example of an Internet worm is Bugbea r. Bugbear was released in June 2003, arriving as a file attachment in a bogus e -mail. It adds itself to the Windows start -up group so it gets executed each time Windows starts. Bugbear looks for and attempts to gain access to weakly password -protected net work shares and terminates antivirus programs. E-Mail Worms : E-mail worms are the intersection of social engineering. They appear in people’s inboxes as messages and file attachments from friends, strangers, and companies. They pose as cute games, official patches from Microsoft, or unofficial applications found in the digital marketplace. The worm first modifies the PC in such a way that it makes sure it is always loaded into memory when the machine starts. Then it looks for additional e -mail addresses to send itself to. It might use Microsoft’s Messaging Application Programming Interface (MAPI) or use the registry to find the physical location of the address book file. 2.10 TROJANS Trojan horse programs, or Trojans, work by posing as legitimate programs t hat are activated by an unsuspecting user. After execution, the Trojan may attempt to continue to pose as the other legitimate program (such as a screensaver) while doing its malicious actions in the background. Many people are infected by Trojans for mon ths and years without realizing it. If the Trojan simply starts its malicious actions and doesn’t pretend to be a legitimate program, it’s called a direct -action munotes.in
Page 22
22 Security in Computing Trojan . Direct -action Trojans don’t spread well because the victims notice the compromise and are unlikely, or unable, to spread the program to other unsuspecting users. Remote Access Trojans : A powerful t ype of Trojan program called a Remote A ccess Trojan (RAT) is very popular. Once installed, a RAT becomes a back door and allows the remote attack ers to do virtually anything they want to the compromised PC. RATs can delete and damage files, download data, manipulate the PC’s input and output devices, and record keystroke screenshots and screen -capturing. It allows the attacker to track what the us er is doing, including the entry of passwords and other sensitive information. If the compromis ed user visits their bank’s web site, the attacker can record their login information. RATs have even been known to record video and audio from the host computer’ s web camera and microphone. Imagine malware that is capable of recording every conversation made near the PC. Zombie Trojans and DDoS Attacks : Zombie Trojans infect a host and wait for their originating attacker’s commands telling them to attack other hos ts. The attacker installs a series of zombie Trojans. With one predefined command, the attacker can cause all the zombies to begin to attack another remote system with a distributed denial of service (DDoS) attack. DDoS attacks flood the intended victim ’s computer with so much traffic, legitimate or malformed, that it becomes over utilized or locks up, denying legitimate connections . Zombie Trojan attacks have been responsible for some of the most publicized attacks on the Internet, temporarily paralyzing ta rgets like Yahoo, eBay, Microsoft, Amazon, and the Internet’s DNS root servers. 2.11 MALICIOUS HTML The Internet allows for many different types of attacks, many of which are HTML -based Pure HTML coding can be malicious when it breaks browser security zon es or when it can access local system files. For example, the user may believe the y are visiting a legitimate web site, when in fact an attacker has hijacked their browser session and the user is inputting confidential information into an attacker’s site. Malicious HTML has often been used to access files on local PCs, too. Specially crafted munotes.in
Page 23
23 Risk Analysis, Secure Design Principles HTML links can download files from the user’s workstation, retrieve passwords, and delete data. 2.12 ADVANCED PERSISTENT THREATS (APTS) The use of sophisticated malware for targeted cybercrime is known as advanced persistent threats (APTs). APTs are created and directed by hostile governments and organized criminals for financial or political gain. APTs are intentionally stealthy and difficult to find and remove —they may hide for months on an organi zation’s network doing nothing until they are called upon by their controllers. Once the malware infects the victim’s computer, usually silently and without the user’s knowledge, it “phones home” to download further malware. In this second phase of the attack, the malware reaches out to a command and control server (CnC server) to bring down rootkits, Trojans, RATs, and other sophisticated malware —in effect, complete ly compromise the victim’s computer and usually without any indication that anything is wrong. APTs use the very latest infection techniques against newly discovered vulnerabilities. Finally, in the third phase of the attack, the RATs open up connection s to their CnC servers, to be used by their human controllers at their leisure. When malicious operators take over the victim’s computer, they have full access to everything inside the organization that the user has access to. This can be a targeted attack against a victim within the organization, such as an engineer or researcher with access to confidential material. The attacker may send an infected document, such as a PDF file, to the victim, along with a highly believable e -mail message to trick the victim into opening the file. Alternatively, the attacker may se nd a URL that points to a web server that executes malicious Java or ActiveX code on the victim’s browser —even without the victim’s intervention. This is known as a drive -by download. Manual Attacks : While automated attacks may satisfy virus writers, typic al attackers want to test their own mental wits and toolkits against a foreign computer, changing their attack plan as the host exposes its weaknesses. Physical Attacks : Another means of attack is direct physical access, but if an attacker can physically access a computer, it’s game over. They literally can do munotes.in
Page 24
24 Security in Computing anyth ing, including physically damaging the computer, and stealing passwords and data. In some cases, the attacker may first compromise a leg itimate web site the victim may run across during normal bu siness research, or poison DNS entries to send the victim to their compromised web site. In either case, the malicious code is run by the victim’s web browser without requiring the user to respond “Yes” or “Continue” to any prompts. All of these targeted a ttacks are collectively known as spear -phishing. 2.13 NETWORK -LAYER ATTACKS Many attacker attacks are directed at the lower six layers of the Open Systems Interconnection (OSI) network protocol model. Netwo rk-layer attacks include packet sniffing and proto col-anomaly exploits. Packet Sniffing : Sniffing occurs when an unauthorized third party captures network packets destined for computers other than their own. Packet sniffing allows the attacker to look at transmitted content and may reveal passwords and co nfidential data. Specialized packet driver software, must be connected to the network segment they want to sniff, and must use sniffer software. By default, a network interface card (NIC) in a computer will usually drop any traffic not destined for it. By putting the NIC in promiscuous mode, it will read any packet going by it on the network wire. Packet -sniffing attacks are more common in areas where many computer hosts share the same collision domain. Protocol -Anomaly Attacks : Network -layer attacks usual ly require that the attacker create malformed traffic, which can be created by tools called packet injectors or traffic generators. Packet injectors are used by legitimate sources to test the throughput of network device s or to test the security defenc es of firewalls and IDSs. Attackers can even manually create the malformed traffic as a text file and then send it using a traffic replay tool. 2.14 APPLICATION -LAYER ATTACKS Application -layer attacks include any exploit directed at the applications running on top of the OSI protocol stack. Application -layer attacks include exploits directed at application programs, as well as against operating systems. Application -layer attacks include content attacks, buffer overflows, and password -cracking attempts. munotes.in
Page 25
25 Risk Analysis, Secure Design Principles Buffe r Overflows : Buffer overflows occur when a program expecting input does not do input validation Password Cracking : Password crackers either try to guess passwords or use brute -force tools. Brute -force tools attempt to guess a password by trying all the c haracter combinations listed in an accompanying dictiona ry. The dictionary may start of blindly guessing passwords using a simple incremental algorithm. (example, trying aaaaa, aaaab, aaaac, and so on) or it may use passwords known to be common on the host (such as password, blank, michael, and so on). If the attacked system locks out accounts after a certain number of invalid login attempts, some password attackers will gain enough access to copy down the password database, and then brute -force it offline. P2P Attacks : With the advent of peer -to-peer (P2P) services, malicious programs are spreading from PC to PC without having to jump on e -mail or randomly scan the Internet for vulnerabilities. No matter how the attack occurs, whether automated or manual, m ost exploits are only successful on systems without basic countermeasures installed. Man -in-the-Middle Attacks : Man-in-the-middle (MITM) attacks are a valid and extremely successful threat vector. A MITM attack can take a few different forms. ARP poisonin g is the most common, but DHCP, DNS, and ICMP poisoning are also effective, as well as the use of a malicious wireless access point (AP). Fake APs have become a common threat vector, exploiting the manner in which clients automatically connect to known SS IDs. This enables an attacker to connect and intercept the victim’s network traffic without the victim seeing any indication they are under attack. To hasten a connection, attacks against the legitimate AP can be made to help the malicious AP become the la st AP standing. ARP Poisoning : ARP poisoning works by simply responding to Address Resolution Protocol (ARP) requests with the attacker’s MAC address. The attacker tells the device that wishes to communicate with the victim’s computer that the attacker kn ows how to reach the victim, and then the attacker tells the network that the attacker’s computer is the victim’s computer —effectively masquerading (pretending) as the victim’s computer and responding on its behalf. munotes.in
Page 26
26 Security in Computing The switch then updates its table of MA C addresses with the attacker’s MAC address. The sw itch uses this to route traffic and now believes the attacker’s system is the victim’s system. An ARP poisoning attack can be executed so that it only updates the ARP table of the victim and not the gatewa y (one -way poison). Many organizations protect the network Architecture. MAC Flooding : Technically known as MAC address flooding, is where an application injects a specially crafted layer two and layer three packet onto the network repe atedly. This causes the layer t o switch to fill up its buffers and crash. Since the switch crash behavior is to fail/open, all ports are flooded with all frames, thus causing the denial of service. DHCP Poisoning : This attack allows an attacker to compromise victims with thr ee simple steps: provide the pool of addresses to assign f or the victims, provide the netmask for the victims, and finally provide the DNS IP address. DNS Spoofing Attack : A DNS spoofing attack is just as easy to execute as a DHCP poisoning attack. All tr affic from the victim is forwarded through the attacker’s fake DNS service and redirected so that all requests for Internet or internal sites land at the attacker’s site, from which the attacker can harvest credentials or possibly launch browser -based atta cks, such as Java runtime error, to trick the victim. This can also be done through the local “hosts” file on the computer. The fundamentals of this attack come from “name resolution order” and manipulating that process. DNS is designed so that every DNS q uery first goes to a DNS server, usually a local one on the network or provided by the ISP. That server will have been pre -configured with the IP addresses of the top - level (root) DNS servers on the Internet that are the authoritative “source of truth” fo r all IP addresses and hostnames. The root server that responds would respond with the address of a lower -level DNS server. This process continues until the name and IP address are found, usually at least three levels down. ICMP Poisoning : The attacker wi shing to execute an ICMP attack is that they need to be able to see all traffic; if they are attached to a switch, this attack is not useful becau se this is a layer three attack unless the attacker’s computer is connected to a spanning port, which in turn would forward all traffic to the attacker’s system so they could see it. munotes.in
Page 27
27 Risk Analysis, Secure Design Principles Simple, easy -to-use attack tools are available on the Internet that automate s the attack. An attacker only has to provide the MAC address of the gateway and the IP address of the gate way. The attack tool will do the rest. 2.15 RISK ANALYSIS Risk analysis needs to be a part of every s ecurity effort. It should analyz e and categorize the assets that need to be protected and the risks that need to be avoided, and it should facilitate the i dentification and prioritization of protective elements. It can also provide a means to measure the effectiveness of the overall security architecture, by tracking those risks and their associated mitigation over time to observe trends. Risk = Probability (Threat + Exploit of Vulnerability) * Cost of Asset Damage. One commonly used approach to assigning a cost to risks is annualized loss expectancy (ALE). This is the cost of an undesired event —a single loss expectancy (SLE) —multiplied by the number of time s you expect that event to occur in one year —the annualized rate of occurrence (ARO). Annualized Loss (ALE) = Single Loss (SLE) * Annualized Rate (ARO) 2.16 THE CIA TRIAD AND OTHER MODELS Confidentiality : Confidentiality refers to the restriction of acces s to data only to those who are authorized to use it. This means a single set of data is accessible to one or more authorized people or systems, and nobody else can see it. Confidentiality is distinguishable from privacy in the sense that “confidential” i mplies access to one set of data by many sources, while “private” usually means the data is accessible only to a single source. As an example, a password is considered private because only one person should know it, while a patient record is considered confidential because multiple members of the patient’s medical staff are allowed to see it. Integrity : Integrity, which is particularly relevant to data, refers to the assurance that the data has not been altered in an unauthorized way. munotes.in
Page 28
28 Security in Computing Integrity controls are meant to ensure that a set of data can’t be modified (or deleted entirely) by an unauthorized party. Part of the goal of integrity controls is to block the ability of unauthorized people to make changes to data, and another part is to provide a means of restoring data back to a known good state. Availability : Availability refers to the “uptime” of computer -based services —the assurance that the service will be available when it’s needed. Service availability is usually protected by implementing high -availability (or continuous -service) controls on computers, networks, and storage. High -availability (HA) pairs or clusters of computers, redundant network links, and RAID disks are examples of mechanisms to protect availability. The best -known attributes o f security defined in the preceding mode ls and others like them include Confidentiality , Integrity, Availability, Accountability , Accuracy, Authenticity , Awareness, Completeness, Consistency, Control Democracy, Ethics, Legality, Non -repudiation, Ownership, Physical Poss ession, Reassessment, Relevance , Response, Responsibility, Risk Assessment Security Design and Implementation, Security Management, Timeliness, Utility. 2.17 DEFENSE MODELS Ther e are two approaches to preserving the confidentiality, integrit y, availability, and authenticity of electronic and physical assets such as the data on your network: Build a defensive perimeter around those assets and trust everyone who has access inside. Use many different types and levels of security c ontrols in a l ayered defense -in-depth approach. a. The Lollipop Model : The most common form of defense, known as perimeter security, involves building a virtual (or physical) wall around objects of value. Perimeter security is like a lollipop with a hard, crunchy shell on the outside and a soft, chewy center on the inside. Consider the example of a house —it has walls, doors, and windows to protect what’s inside (a perimeter). But does that make it impenetrable? No, because a determined attacker can find a way in — either b y breaking through the perimeter exploiting some weakness in it, or convincing someone inside to let them in. By comparison, in network security, a firewall is like a house —it is a perimeter that can’t keep out all attackers. munotes.in
Page 29
29 Risk Analysis, Secure Design Principles The firewall is the most com mon choice for controlling outside access to the internal network, creating a virtual perimeter around the internal network.
b. The Onion Model : It is a layered strategy, often referred to as defense in depth. This model addresses the contingency of a p erimeter security breach occurring. It includes the strong wall of the lollipop. A layered security architecture, like an onion, must be peeled away by the attacker, layer by layer, with plenty of crying. The more layers of controls that exist, the better the protection against a failure of any one of those layers. The layered security approach can be applied at any level where security controls are placed, not only to increase the amount of work required for an atta cker to break down the defenses but also to reduce the risk of unintended failure of any single technology. munotes.in
Page 30
30 Security in Computing 2.18 ZONES OF TRUST Different areas of a network trust each other in different ways. Some communications are trusted completely —the services rely on assumptions that the sender and recipient are on the same level as if they were running on a single system. Some are trusted incompletely — they involve less trusted networks and systems, so communications should be filtered. Some networks (like the Internet or wireless hot spots) are untrus ted. The security controls should carefully screen the interfaces between each of these networks. These definitions of trust levels of networks and computer systems are known as zones of trust.
Zones of trust are connected with one another, and business requirements evolve and require communications between various disparate networks, systems, and other entities on the networks. The use of multiple zones allows access between a less and a more trusted zone to be controlled to protect a more trusted reso urce from attack by a less trusted one. The importance of trust models is that they allow a broad, enterprise - wide view of networks, systems, and data communications, and they highlight the interactions among all of these components. Trust can also be vie wed from a transaction perspective. During a particular transaction, several systems may communicate through various zones of trust. In a transaction -level trust model, instead of systems being separated into different trust zones based on their locations on the network (as is done with the Internet, a DMZ, and an internal network), systems can be separated into functional categories based on the types of transactions they process. For example, a credit card transaction may pass through a web server, an ap plication server, a database, and a credit -checking service on the Internet. During the transaction, all of these systems must trust each other equally, even though the transaction may cross several network boundaries. Thus, security controls at the system and network levels munotes.in
Page 31
31 Risk Analysis, Secure Design Principles should allow each of these systems to perform their authorized functions while preventing other systems not involved in the transaction from accessing these resources. Segmenting network data resources based on their access requirement s is a good security practice. Segmentation allows greater refinement of access control based on the audience for each particular system, and it helps confine the communications between systems to the services that have transactional trust relationships. A layered segmentation approach also provides a useful conceptual model for network and system administrators. Several groups of servers can be included in a layer, defined by the types of services they perform, the types of data they handle, and the place s they need to communicate to and from. For example, a public layer may contain systems that accept communication directly from the Internet. An application layer may contain systems that accept communication from the public layer. A data layer may accep t communication from the application layer. Communication between these layers can be managed by a firewall, or by ACLs. Best Practices for Network Defense : There are many countermeasures you can implement to minimize the risk of a successful attack, such as securing the physical environment, hardening the operating systems, keeping patches updated, using an antivirus scanner, using a firewall, securing network share permissions, using encryptions, securing applications, backing up the system, cre ating a c omputer security defense plan, and i mplementing ARP poisoning defens es. Secure the Physical Environment : Regular PCs need physical protection. Depending on the environment, PCs and laptops might need to be physically secured to their desks. There are seve ral diff erent kinds of lockdown devices. If anyone leaves their laptop on their desk overnight, it should be secured. There are also other steps that need to be taken on every PC in your environment. Password Protect Booting : Consider requiring a boot -up p assword before the operating system will load. This can usually be set in the CMOS/BIOS and is called a user or boot password. This is especially important for portable computers, such as laptops and tablets , and smartphones. munotes.in
Page 32
32 Security in Computing Password Protect CMOS : The C MOS/BIOS settings of a computer contain many potential security settings, such as boot order, remote wake -up, and antivirus boot-sector protection. It is important to ensure that unauthorized users do not have access to the CMOS/BIOS settings. Most CMOS/B IOSs allow you to set up a password to prevent unauthorized changes. The password should not be the same as other administrative passwords, but for simplicity’s sake, a common password can be used for all machines. Harden the Operating System : Reduce the a ttack surface of the operating system by removing unnecessary software, disabling unneeded se rvices, and locking down access. Reduce the attack surface of systems by turning off unneeded services. Install secure software. Configure software settings secure ly. Patch systems regularly and quickly. Segment the network into zones of trust and place systems into those zones based on their communication needs and Internet exposure. Strengthen authentication processes. Limit the number (and privileges) of administ rators Keep Patches Updated : A solid patch management plan is essential for protecting any platform, regardless of operating system and regardless of whether or not it is connected directly to the Internet Use an Antivirus Scanner (with Real -Time Scanning) : In today’s world, an antivirus (AV) scanner is essential. It should be deployed on your desktop, with forced, automatic updates, and it should be enabled for real -time protection. By placing the antivirus solution on the desktop, you are ensuring that no matter how it gets there, it will be blocked. E -mail and gateway AV are the only solutions that work most of the time, but they will fail if the malware comes in via any other method or on an unexpected port. The AV solution should be enabled for real -time protection so it scans every file as it comes into the system or enters the computer’s memory, so it can prevent malware from executing. munotes.in
Page 33
33 Risk Analysis, Secure Design Principles Use Firewall Software : Firewalls have come a long way since their days of simple port filtering. Today’s devices ar e stateful insp ection systems capable of analyz ing threats occurring anywhere in layers three through seven with software that runs directly on the computer. Firewalls are able to collate separate events into one threat description and can identify the at tack by name. Every PC should be protected by firewall software. Desktop firewall software can protect a PC against internal and external threats and usually offer the added advantage of blocking unauthorized software applications (such as Trojans) from initiating outbound traffic. Secure Network Share Permissions : Folders and files accessed remotely over the network should have discretionary ACLs (DACLs) applied using the principle of least privilege and should have complex passwords. By default, Windows assigns, and most administrators allow, the E veryone group to have Full Control or Read permissions throughout the operating system and on every newly created share. A better strategy is to assign share and NTFS permissions to the smallest allowable list o f groups and users. That way, if you accidentally se t your NTFS file permissions to open, the share permissions might counteract the mistake. Use Encryption : Encrypting File System (EFS) is one of the most exciting features in Windows. EFS encrypts and dec rypts protected files and folders on the fly. Once turned on by a user, EFS will automatically generate public/private encryption key pairs for the user and the recovery agent. All the encrypt ing and decrypting are done invisibly in the background. If an u nauthorized user tries to access an EFS -protected file, they will be denied access. It won’t prevent malware occurrences while the authorized user is logged on. However, EFS -protected folders and files will be protected when the authorized user is not logg ed on. EFS can h elp provide additional security and is virtually invisible to the end user. Secure Applications : Managing your applications and their sec urity should be a top priority for any administrator. Applications can be managed by configuring applic ation security, installing applications to nonstandard directories and ports, locking down applications, securing P2P services, and making sure your application programmers code securely. munotes.in
Page 34
34 Security in Computing Securely Configure Applications : Applications should be configured with the vendors’ recommended security settings. In end -user PC environments, however, you want to keep the applications and minimize the risk at the same time. You can do this by regularly applying security patches and making sure security settings are se t at the vendor’s recommended settings, if not higher. Outlook and Outlook Express should both have their security zone set to Restricted. Internet Explorer’s Internet zone should be set to Medium -High or High. The o ffice offers administrative templates (called ADM files) that can be configured and deployed using System Policies or Group Policies. Securing E -Mail E-mail worms continue to be the number one threat to computer systems . Most worms arrive as a file attachment or as an embedded script that the e nd user executes. You can significantly decrease your network’s exposure risk by securing e -mail. This can be done by disabling HTML content and blocking potentially malicious file attachments. For that reason, it is important to restrict e -mails to plain text only or, if you must allow it, plain HTML coding only. You should disable scripting languages and active content, such as ActiveX controls, Java, and VBScript objects. Secure P2P Services Peer-to-peer (P2P) applications, like instant messaging (IM) and music sharing, are likely to remain strong attack targets in the future. This is because P2P applications have very limited security, if any, and are often installed in the corporate environment without the administrator’s authorization. And, they are designed to access files on the end user’s computer, which makes the job of stealing those files that much easier. A firewall is configured to explicitly stop P2P traffic. a. Implement Static ARP Tables : From a console, if you execute the command arp –a, it will display the ARP table for your system. This is how the system knows how to route traffic. This is the address for the switch where traffic will pass if the device wants to send information to a device that doesn’t exist in its ARP table. A simple A RP request is sent to ask for the information. The information is then added to the ARP table of the device. The switch follows the same steps to build its ARP table. This is known as dynamic updating munotes.in
Page 35
35 Risk Analysis, Secure Design Principles Static ARP tables, instead of using the basic ARP req uest/reply method, the tables are managed by the organization, and essentially hard coded. This helps to prevent an ARP poisoning attack. b. Configure Port Rate Limiting : In this scenario, the amount of traffic passing over a port during a given length of time is monitored. If the configured threshold is tripped, the port closes itself until either it is enabled manually or a specified length of time passes (usually 15 minutes). In order to establish an effective threshold, an organization will need to mon itor the amount of traffic for a “normal” system. By monitoring traffic correctly, a proper threshold can be set. If the organization does not do its research ahead of time and simply implements what it thinks is a “good” threshold, it may find that its us ers are constantly exceeding the threshold and unable to perform their day -to-day work. In order to establish an effective threshold, an organization will need to monitor the amount of traffic for a “normal” system over the course of a few weeks. By monito ring traffic correctly, a proper threshold can be set. c. Use DHCP Snooping and Dynamic ARP Inspection : The most effective defense against ARP poisoning is to use DHCP snooping with Dynamic ARP inspection (DAI). The basis of this defense is that it drops all ARP reply requests not contained within its table. The organization needs to run DHCP snooping for two to three weeks in order to build a proper table of IP addresses and MAC addresses. After it has built that table, it can implement DAI. 2.19 SUMMAR Y In this cha pter, various topics covered are Network layer attacks, Application level attack s, DNS, DHCP , etc. 2.20 QUESTIONS 1. What is meant by risk analysis? 2. What is a Threat? Define threat vector. 3. What is vir us & Trojans? 4. Name seven categories of differe nt security controls. 5. Explain di fferent types of threat attacks. 6. Explain the following : a. Malicious Mobile Code munotes.in
Page 36
36 Security in Computing b. Computer Viruses c. Computer Worms d. E-Mail Worms e. Trojans f. Remote Access Trojans g. Zombie Trojans h. DDoS Attacks i. Malicious HT ML 7. Write about the Anatomy of a Virus. 8. What are the different types of viruses? 9. Write short notes on Advanced Persistent Threats (APTs) 10. What is meant by packet sniffing? 11. Explain the CIA Triad. 12. Describe the two types of defens e models. 13. What is meant by zone s of trust? 14. What are the Best Practices for Network Defense? 15. Briefly describe risk analysis. 16. Explain the following: a. Protocol -Anomaly Attacks b. Application -Layer Attacks c. Buffer Overflows attacks d. P2P Attacks e. Man-in-the-Middle Attacks f. ARP Poisoning g. MAC Flood ing h. DHCP Poisoning i. DNS Spoofing Attack j. ICMP Poisoning 2.21 REFERENCES The complete reference: Information Security, Second Edition, By Mark Rhodes -Ousley. All contents are taken from this book. ***** munotes.in
Page 37
37 UNIT - II 3 AUTHENTICATION AND AUTHORIZATION, ENCRYPTION Unit Structure 3.0 Objectives 3.1 Introduction 3.2 Authentication 3.2.1 Usernames and Passwords 3.2.2 One-Time Password Systems 3.2.3 Certificate -Based Authentication 3.2.3.1 SSL/TLS 3.2.4 Biometrics 3.3 Authorizat ion 3.3.1 User Rights 3.3.2 Role -Based Authorization (RBAC) 3.3.3 Access Control Lists (ACLs) 3.3.4 Rule -Based Authorization 3.4 Encryption 3.4.1 Symmetric -Key Cryptography 3.4.2 Public Key Cryptography 3.5 Public Key Infrastructure 3.6 Summary 3.7 Questi ons 3.8 References 3.0 OBJECTIVES To understand Authentication To understand Authorization To learn Encryption 3.1 INTRODUCTION One of the most common ways to control access to computer systems is to identify who is at the keyboard (and prove that identity), a nd then decide what they can access. This twin controls authentication and authorizati on respectively, ensuring that only authorized users get ac cess to the computing resources while blocking access to unauthorized users. munotes.in
Page 38
38 Security in Computing Authentication is the means of ve rifying a person (or process) to whom they claim to be , while authorization determines what they’re allowed to do. This should be done in accordance with the principle of least privilege —giving each person only the amount of access they require to be effect ive in their job function, and no more. 3.2 AUTHENTICATION Authentication is the process by which people prove they are what they say they are. It consists of two parts: a public statement of identity (usually a username) combined with a private response to a challenge (such as a password). The secret response to the authentication challenge can be based on one or more factors something you know (a secret word, number, or passphrase for example) something you have (such as a smartcard, ID tag, or code gen erator) or something you are (like a biometric factor like a fingerprint or retinal print). A password is a means of identifying someone through something only they should know, and it is the most common form of challenge -response and is an example of si ngle-factor authentication. Single -factor authentication is the simplest form of authentication method. With SFA, a person matches one credential to verify him or herself online. This is not considered a strong authentication method because a password can be intercepted or stolen in a variety of ways —for example, passwords are frequently written down or shared with others, they can also be captured from the system or the network, and they are often weak and easy to guess. Year after year, studies find that password s such as “123456,” “password” and other poor passwords remain extremely popular. Imagine if you could only identify your friends by being handed a previously agreed secret phrase on a piece of paper instead of by looking at them or hearing their v oices. How reliable would that be? This type of identification is often portrayed in spy movies, where a secret agent uses a password to impersonate someone the victim is supposed to meet but has never seen. This trick works precisely because it is so fall ible—the password is the only means of identifying the individual. Passwords are just not a good way of authenticating someone. Unfortunately, password - based authentication was the easiest type to implement in the early days of computing, and the model has persisted to this day. Other single -factor authentication methods are better than passwords. Tokens and smart cards are better than passwords because they must be in the physical possession of the user. Biometrics, which use a sensor or scanner to identif y unique features such as fingerprints, facial recognition, hand geometry, iris recognition, and retinal identification of individual body parts are better than passwords because they can’t be shared —the munotes.in
Page 39
39 Authentication and Authorization, Encryption user must be present to log in. However, there are w ays to defeat these methods. Tokens and cards can be lost or stolen, and biometrics can be spoofed. Yet, it’ s much more difficult to do that than of stealing or obtaining a password. Passwords are the worst possible method of proving identity, despite bein g the most popular method. Multifactor authentication refers to using two or more methods of checking identity. Multi -factor authentication (or MFA) is a multi -layered protection framework that verifies the login or other transaction identities of users. A few examples of multi -factor authentication are codes created by mobile apps, answers to personal security questions, codes sent to an email address, fingerprints , etc. These methods include (listed in increasing order of strength): Something you know (a password or PIN code) Something you have (such as a card or token) Something you are (a unique physical characteristic)
Figure 3.1 Multifactor Authentication Two -factor authentication is the most common form of multifactor authentication, such as a passw ord-generating token device with an LCD screen that displays a number (either time based or sequential) along with a password, or a smart card along with a password. Again, passwords aren’t very good choices for a second factor, but they are ingrained into our technology and collective consciousness, they are built into all computer systems, and they are convenient and cheap to implement. A token or smart card along with biometrics would be much better —this combination is practically impossible to defeat. H owever, most organizations aren’t equipped with biometric devices. The following sections provide a detailed introduction to these types of authentication systems available today: Systems that use username and password combinations, Systems that use certif icates or tokens Biometrics munotes.in
Page 40
40 Security in Computing 3.2.1 Usernames and Passwords : In the familiar method of password authentication, a challenge is issued by a computer and the user wishing to be identified provides a response. If the response can be validated, the user is said to be authenticated, and the user can access the system. Otherwise, the user is prevented from accessing the system.
Figure 3.2 Username and password -based authentication 3.2.2 One-Time Password Systems : Two problems plague passwords. First, they are (in most cases) created by people. Thus, people n eed to be taught how to create strong passwords, and most people aren’t taught (or don’t care enough to follow what they’re taught). These strong passwords must also be remembered by a person and not written do wn. People do write passwords down and often leave them where others can find them. People commonly share passwords despite all your warnings and threats. Passwords are subject to a number of different attacks. They can be captured and cracked, or used in a replay attack in which the passwords are intercepted and later used to repeat authentication. One solution to this type of attack is to use an algorithm that requires the password to be different every time it is used. In systems other than computers, th is has been accomplished with the use of a one -time pad. When two people need to send encrypted messages, if they each have a copy of the one -time pad, each can use that password or some other method for determining which password to use. The advantage, of course, to such a system , is that even if a key is cracked or deduced, it is only good for the current message. The next message uses a different key. One-Time Password as SMS Message : Originally, most OTP’s were sent as SMS messages. Once the user has begun his login attempt, filling in his/her username and the correct password, a n SMS OTP is sent to the mobile number connected to his/her account. The user then enters the code shown on this phone in the login screen, completing the authentication process. munotes.in
Page 41
41 Authentication and Authorization, Encryption
Figure 3.3 OTP Based authentication 3.2.3 Certificate -Based Authentication : A certificate is a collection of information that binds an identity (user, computer, service, or device) to the public key of a public/private key pair. The typical certificate includes information about the identity and specifies the purposes for which the certificate may be used, a serial number, and a location where more information about the authority that issued the certificate may be found. The certificate is digitally signed by the issuing authority, the certificate authority (CA). The infrastructure used to support certificates in an organization is called the Public Key Infrastructure (PKI) . The certificate, in addition to being stored by th e identity it belongs to, may itself be broadly available. It may be exchanged in e -mail, distributed as part of some application’s initialization, or stored in a central database of some sort where those who need a copy can retrieve one. Each certificate’ s public key has its associated private key, which is kept secret, and usually only stored locally by the identity. (Some implementations provide private key archiving, but often it is the security of the private key that provides the guarantee of identity .) Public/Private key algorithms use two keys: one key is used to encrypt, the other to decrypt. If the public key encrypts, only the related private key can decrypt. If the private key encrypts, only the related public key can decrypt. When certificates a re used for authentication, the private key is used to encrypt or digitally sign some request or challenge. The related public key (available from the certificate) can be used by the server or a central authentication server to decrypt the request. If the result matches what is expected, then proof of identity is obtained. These authentication steps are given as follows: munotes.in
Page 42
42 Security in Computing 1. The client issues an authentication request. 2. A challenge is issued by the server. 3. The workstation uses its private key to encr ypt the challenge. 4. The response is returned to the server. 5. Since the server has a copy of the certificate, it can use the public key to decrypt the response. 6. The received result is compared to the challenge. 7. If there is a match, the client is authenticated.
Figure 3.4 Certificate authentication uses public and private keys It is useful here to understand that the original set of keys is generated by the client, and only the public key is sent to the CA. The CA generates the certificate and signs it using its private key, and then returns a copy of the certificate to the user and to its database. In some systems, another database also receives a copy of the certificate. It is the digital signing of the certificate that enables other systems to evaluate the certificate for its authenticity. If they can obtain a copy of the CA’s certificate, they can verify the signature on the client certificate and thus be assured that the certificate is valid. 3.2.3.1 SSL/TLS : Secure Sockets Layer (SSL) is a digital certificate system that is used to provide authentication of secure web servers & clients and to share encryption keys between servers and clients. SSL is a security protocol that creates an encrypted link between a web server and a web browser. SSL works by ensuring that any data transferred between users and websites, or between two systems, remains impossible to read. It uses encryption algorithms to scramble data in transit, which prevents hackers from reading it as it is sent over the connecti on. This data includes potentially sensitive information such as names, addresses, credit card numbers, or other financial details. munotes.in
Page 43
43 Authentication and Authorization, Encryption The authentication process works like this: 1. The user enters the URL in the browser. 2. The client’s request for the we b page is sent to the server. 3. The server receives the request and sends its server certificate to the client. 4. The client’s browser checks its certificate store for a certificate from the CA that issued the server certificate. 5. If the CA certific ate is found, the browser validates the certificate by checking the signature on the server’s certificate using the public key provided on the CA’s certificate. 6. If this test is successful, the browser accepts the server certificate as valid. 7. A symm etric encryption key is generated and encrypted by the client, using the server’s public key. 8. The encrypted key is returned to the server. 9. The server decrypts the key with the server’s own private key. The two computers now share an encryption key that can be used to secure communications between them.
Figure 3.5 SSL for secure communications between a web server and a client munotes.in
Page 44
44 Security in Computing 3.2.4 Biometrics : In biometric authentication, “something you have” is something that is physically part of you. Biometric systems include the use of facial recognition and identification, retinas, iris scans, fingerprints, hand geometry, voice recognition, lip movement, and keystroke analysis. Biometric devices are used for security identification and authentication. These d evices can recognize a user and then correctly prove whether the identified user holds the identity they claim to have. Biometric security systems use automated techniques, in which human intervention is reduced to the minimum to recognize and then confirm an individual's identity based on disti nctive physiological or behavio ral features, such as fingerprints, face pictures, iris recognition, and voice recognition.
Figure 3.6 Biometric authentication The pr ocess hinges on two things: first, that the body part examined can be said to be unique, and second, that the system can be tuned to require enough information to establish a unique identity and not result in a false rejection, while not requiring so littl e information as to provide false positives. All of the biometrics currently in use ha ve been established because they represent characteristics that are unique to individuals. The relative accuracy of each system is judged by the number of false rejection s and false positives that it generates . In addition to false negatives and false positives, biometrics live under the shadow, popularized by the entertainment industry, of malicious attackers cutting body parts from the real person and using them to authe nticate to systems. Other attacks on fingerprint systems have also been demonstrated —one such is the gummy finger attack . In May 2002, Tsutomu Matsumoto, a graduate student of environment and information science at Yokohama National University, obtained an imprint of an audience member’s finger and prepared a fake finger with the impression. He used about $10 of commonly available items to produce something the texture of the candy gummy worms. He then used the “gummy finger” to defeat ten different commerc ial fingerprint readers. While this attack would require access to munotes.in
Page 45
45 Authentication and Authorization, Encryption the individual’s finger, another similar attack was demonstrated in which Matsumoto used latent fingerprints from various surfaces. This attack was also successful. These attacks not only d efeat systems most people believe to be undefeatable, but after the attack, you can eat the evidence! 3.3 AUTHORIZATION Authentication is an act of validating who the user is; authorization specifies what that user can do. Typically thought of as a way of establishing access to resources, such as files and printers, authorization also addresses the suite of privileges that a user may have on the system or on the network. In its ultimate use, authorization even specifies whether the user can access the syste m at all. Let us take the example of boarding a plane. You have your boarding pass that states you are authorized to fly with that plane. However, it is not enough for the gate agent to let you get on board. You also need your passport stating your identi ty. In this case, the gate agent compares the name on the passport with the name on the boarding pass and let s you go through it if they match. In the authorization context, your name is an attribute of your identity. Other attributes are your age, your language, your credit card, and anything else relevant in a specific case. Your name on the passport is a claim , that is, a declaration stating you've got that attribute. Someone reading the name on your passport can be sure of your name because they trust t he government which issued your passport. The boarding pass along with the proof of identity of consumers represents a kind of ‘access token’ that grants access rights to jump onto the plane. In the scenarios described above, you can see that the act of authorizing enables entities to execute tasks that other entities are not allowed to complete. Computer systems that use authorization work in a similar manner.
Figure 3.7 Authorization There are a variety of types of authorization systems, including user rights, role-based authorization, access control lists, and rule -based authorization. munotes.in
Page 46
46 Security in Computing 3.3.1 User Rights : Privileges or user rights are different from permissions. User rights provide the authorization to do things that affect the entire system. The abilit y to create groups, assign users to groups, log in to a system, and many more user rights can be assigned. Other user rights are implicit and are rights that are granted to default groups —groups that are created by the operating system instead of by admini strators. These rights cannot be removed. 3.3.2 Role -Based Authorization (RBAC) : Each job within a company has a role to play. Each employee requires privileges (the right to do something) and permissions (the right to access particular resources and do sp ecified things with it) to do their job. Early designers of computer systems recognized that the needs of possible users of systems would vary, and not all users should be given the right to administer the system. Two early roles for computer systems were user and administrator. Early systems defined roles for these types of users to play and granted them access based on their membership in one of these two groups. Administrators (superusers, root, admins, and the like) were granted special privileges and a llowed access to a larger array of computer resources than that of ordinary users. Administrators, for example, could add users, assign passwords, access system files and programs and reboot the machine. Ordinary users could log in and perhaps read data, m odify it, and execute programs. This grouping was later extended to include the role of auditor (a user who can read system information and information about the activities of others on the system, but not modify system data or perform other administrator role functions). As systems grew, the roles of users were made more granular. Users might be quantified by their security clearance, for example, and allowed access to specified data or allowed to run certain applications. Other distinctions might be made based on the user’s role in a database or other application system. Commonly, roles are assigned by departments such as Finance, Human Resources, Information Technology , and Sales. 3.3.3 Access Control Lists (ACLs) : Attendance at some social events is limi ted to invitees only. To ensure that only invited guests are welcomed to the party, a list of authorized individuals may be given to those who permit the guests in. If you arrive at the event, the name you provide is checked against this list and then an entry is granted or denied. Authentication, in the form of a photo identification check, may or may not play a part here, but this is a good, simple example of the use of an access control list (ACL). Information systems may also use ACLs to determine wheth er the requested service or resource is authorized. Access to files on a server is often controlled by information that is maintained on each file. Likewise, munotes.in
Page 47
47 Authentication and Authorization, Encryption the ability for different types of communication to pass a network device can be controlled by ACL s. 3.3.4 Rule -Based Authorization : Rule -based authorization requires the development of rules that stipulate what a specific user can do on a system. These rules might provide information such as “User Alice can access resource Z but cannot access resource D.” More complex rules specify combinations, such as “User Bob can read file X only if he is sitting at the console in the data center.” In a small system, rule -based authorization may not be too difficult to maintain, but in larger systems and networks, it is excruciatingly tedious and difficult to administer. 3.4 ENCRYPTION Encryption is a way of scrambling data so that only authorized parties can understand the information is an ancient practice. It evolved into the modern practice of cryptography —the s cience of secret writing, or the study of obscuring data using algorithms and secret keys. History of Encryption : Once upon a time, keeping data secret was not hard. Hundreds of years ago, when few people were literate, the use of written language alone often sufficed to keep information from becoming general knowledge. To keep secrets then, you simply had to write them down, keep them hidden from those few people who could read, and prevent others from learning how to read. Deciphering the meaning of a doc ument is difficult if it is written in a language you do not know. Early Codes : Early code used transposition. They simply rearranged the order of the letters in a given message. This rearrangement had to follow some order, otherwise , the recipient would n ot be able to restore the original message. The use of the scyta le by the Spartans in the fifth -century b.c. is the earliest record of a pattern being used for a transposition code. The scytale was a rod around which a strip of paper was wrapped. The messa ge was written down the side of the rod, and when it was unwound, the message was unreadable. If the messenger was caught, the message was safe. If he arrived safely, the message was wound around an identical rod and read. Other early attempts at cryptogra phy (the science of data protection via encryption) used substitution. A substitution algorithm replaces each character in a message with another character. Caesar’s cipher is an example of a substitution algorithm. I t is a type of substitution algorithm in which each letter in the plaintext is 'shifted' a certain number of places down the alphabet. For example, with a shift of 1, A would be replaced by B, B would become C, and so on. munotes.in
Page 48
48 Security in Computing Example : To pass an encrypted message from one person to another, it is first necessary that both sender and receiver have the 'key' for the cipher, so that the sender may encrypt it and the re ceiver may decrypt it. For the Caesar cipher, the key is the number of characters to shift the cipher alphabet. Here is an example of the encryption and decr yption steps involved with the C aesar cipher. The text we will encrypt is ‘my password is root’, with a shift (key) of 1. plain text: my password is root cipher text: nz qbttxpse jt sppu It is easy to see how each character in the plaintext is shifted up the alphabet. Decryption is just as easy, by using an offset of -1. plain text: abcdefghijklmnopqrstuvwxyz cipher text: bcdefghijklmnopqrstuvwxyza Obviously, if a different key is used, the cipher alphabet will be shifted a differe nt amount. The use of such codes, in which knowledge of the algorithm is all that keeps the message safe, has long been known to be poor practice. Sooner or later, someone will deduce the algorithm, and all is lost. 3.4.1 Symmetric -Key Cryptography : Symmet ric key cryptography is a type of encryption in which a similar key is used to encrypt and decrypt messages. This secret key is known only to the sender and to the receiver. It is also called secret -key cryptography . The message exchange using symmetric ke y cryptography involves the following steps -
Figure 3.8 Symmetric Key Cryptography munotes.in
Page 49
49 Authentication and Authorization, Encryption Before starting the communication, sender and receiver share the secret key. This secret key is shared through some external means. At sender side, sender encrypts the mes sage using his copy of the secret key. The cipher text is then sent to the receiver over the communication channel. At receiver side, receiver decrypts the cipher text using his copy of the secret key. After decryption, the message converts back into reada ble format. Some of the encryption algorithms that use symmetric key are : Advanced Encryption Standard (AES) Data Encryption Standard (DES) For example, suppose we take a plaintext message, "hello," and encrypt it with a key; let's say the key is "2jd8932k d9." Encrypted with this key, our simple "hello" now reads "X5xJCSycg15=", which seems like random garbage data. However, by decrypting it with that same key, we get "hello" back. Plaintext + key = ciphertext: hello + 2jd8932kd9 = X5xJCSycg14= Ciphertext + key = plaintext: X5xJCSycg15= + 2jd8932kd9 = hello (This is an example of symmetric encryption, in which only one key is used.) The advantages of symmetric key algorithms are : They are efficient. They take less time to encrypt and decrypt the message. 3.4.2 Public Key Cryptography : Public key encryption, or public key cryptography, is a method of encrypting data with two different keys and making one of the keys, the public key, available for anyone to use. The other key is known as the private key. Da ta encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key. Public key encryption is also known as asymmetric key cryptography. The message exchange using p ublic key cryptography involves the following steps: munotes.in
Page 50
50 Security in Computing
Figure 3.9 Public Key Cryptography The famous asymmetric encryption algorithms are : 1. RSA Algorithm 2. Diffie -Hellman Key Exchange 3.5 PUBLIC KEY INFRASTRUCTURE Public Key Infrastructure (PKI) has become o ne of the most prevalent forms of encryption in modern electronic transactions. Today, organizations rely on PKI to manage security through encryption. The most common form of encryption used today involves a public key, which anyone can use to encrypt a message, and a private key (also known as a secret key), which only one person should be able to use to decrypt those messages. These keys can be used by people, devices, and applications. An associated key pair is bound to a security principal (user or co mputer) by a certificate. A certificate authorit y (CA) issues, catalogs, renew, and revokes certificates under the management of a policy and administrative control. Common examples of PKI security today are SSL certificates on websites so that site visito rs know they’re sending information to the intended recipient, digital signatures, and authentication for Internet of Things devices. There are three key components: digital certificates, certificate authority , and registration authority. 1. Digital Certi ficates : PKI functions because of digital certificates. A digital certificate is like a driver’s license —it’s a form of electronic identification for websites and organizations. Secure connections between two communicating machines are made available throu gh PKI because the identities of the two parties can be verified by way of certificates. So how do devices get these certificates? You can create your own certificates for internal communications. If you would like certificates for a commercial site or som ething of a larger scale, you can obtain a PKI digital cert ificate through a trusted third -party issuer, called a Certificate Authority.
munotes.in
Page 51
51 Authentication and Authorization, Encryption 2. Certificate Authority : A Certificate Authority (CA) is used to authenticate the digital identities of the users, w hich can range from individuals to computer systems to servers. Certificate Authorities prevent falsified entities and manage the life cycle of any given number of digital certificates within the system. Much like the state government issuing you a license , certificate authorities vet the organizations seeking certificates and issue one based on their findings. Just as someone trusts the validity of your license based on the authority of the government, devices trust digital certificates based on the author ity of the issuing certificate authorities. This process is similar to how code signing works to verify programs and downloads. 3. Registration Authority : Registration Authority (RA), which is authorized by the Certificate Authority to provide digital cert ificates to users on a case -by-case basis. All of the certificates that are requested, received, and revoked by both the Certificate Authority and the Registration Authority are stored in an encrypted certificate database. Certificate history and informati on is also kept on what is called a certificate store, which is usually grounded on a specific computer and acts as a storage space for all memory relevant to the certificate history including issued certificates and private encryption keys. Google Wallet is a great example of this. 3.6 SUMMARY Authentication is the process of proving you are who you say you are. If someone possesses your user credentials, it is possible for that person to say they are you, and to prove it to the satisfaction of the system . While many modern systems are based on hardware, such as tokens and smart cards, and on processes that can be assumed to be more secure, such as one-time passwords, most systems still rely on passwords for authentication. These systems are not well prote cted because passwords are a terrible way to identify people. Other authentication methods are better. You should always evaluate an authentication system based on how easy it would be to defeat its controls. Authorization, on the other hand, determines wh at an authenticated user can do on the system or network. A number of controls exist that can help define these rights of access explicitly. User rights are often provided directly by the operating system, either via permissions granted to the user account directly or through the use of groups. If the user account belongs to a particular group, it is granted rights to do certain things. This method of authorization, while commonly found in most organizations, is not easy to manage and has a high potential f or error. Role -based access controls are similar to group authorization, but they are organized into sets of functions based on some key common characteristic. munotes.in
Page 52
52 Security in Computing In this chapter, we started with a brief history of encryption in order to establish a context r egarding the limited lifespan of cryptographic techniques. Looking at early codes, and the progression to more modern codes, we saw how the encryption methods evolve to stay one step ahead of those who want to break the confidentiality of the protected dat a. Symmetric -key cryptography evolved naturally from early methods of hiding data using mathematical transformations. In these algorithms, key exchange is a key challenge. Whoever possesses the key can decrypt the message —thus, properly secured key exchang e is critical to the continued confidentiality of the data. Public key cryptography is the next evolution of encryption. Using two keys, one public and one private, helps deal with the problem of key exchange that was encountered in symmetric -key encryptio n. Public Key Infrastructure (PKI) uses public key cryptography to create certificates, which are used for a variety of purposes. 3.7 QUESTIONS 1) Explain Authentication. 2) Describe Biometric authentication. 3) Explain Authorization. 4) Write short note on Encryptio n. 5) Explain Symmetric Key Cryptography. 6) Explain Public Key Cryptogr aphy. 7) Explain Certificate Based authentication. 3.8 REFERENCES https://docs.oracle.com/cd/E19424 -01/820 -4811/gdzeq/index.html https://www.cm.com/en -in/glossary/what -is-one-time-password/ https://www.thalesgroup.com/en/markets/digital -identity -and security/government/inspired/biometrics https://web.mit.edu/6.857/OldStuff/Fall03/ref/gummy -slides.pdf https://www.gatevidyalay.com/cryptography -symmetric -key- cryptography/ The Complete Reference: Information Secu rity, Mark Rhodes -Ousley, McGrawHill, Second Edition.
***** munotes.in
Page 53
53 4 STORAGE SECURITY, DATABASE SECURITY Unit Structure 4.0 Objec tives 4.1 Introduction 4.1.1 Evolution of Storage Security 4.2 Modern Storage Security 4.2.1 Storage Infrastructure 4.3 Risks to Data 4.3.1 Confidentiality Risks 4.3.1.1 Data Leakage, Theft, Exposure, Forwa rding 4.3.1.2 Espionage, Packet Sniffing, Packet Replay 4.3.1.3 Inappropriate Administrator Access 4.3.1.4 Storage Persistence 4.3.1.5 Misuse of Data 4.3.1.6 Fraud 4.3.1.7 Hijacking 4.3.1.8 Phishing 4.4 Integrity Risks 4.4.1 Malfunctions 4.4.2 Data Deletion and Data Loss 4.4.3 Data Corruption and Data Tampering 4.4.4 Accidental Modification 4.5 Availability Risks 4.5.1 Denial of Service 4.5.2 Outage 4.5.3 Instability and Application Failure 4.5.4 Slowness 4.5.5 High Availability Failure 4.5.6 Backup Failure 4.6 Database Security and Database Security Layers 4.6.1 Server -Level Security 4.6.2 Network -Level Security 4.6.3 Operating System Security 4.7 Database Backup and Recovery 4.7.1 Determining Backup Constraints 4.7.2 Determin ing Recovery Requirements 4.8 Keeping Your Servers Up to Date munotes.in
Page 54
54 Security in Computing 4.9 Database Auditing and Monitoring 4.10 Summary 4.11 Questions 4.12 Reference s 4.0 OBJECTIVES Learn Modern Storage Security Learn Database Security and Database Security Layers Databas e Backup and Recovery Database Auditing and Monitoring 4.1 INTRODUCTION The primary concern of network security is to protect assets (data) that reside on the network. Data resides in storage, which is either controlled or unmanaged. Storage technologies have evolved over the past de cade in complexity, capability, and capacity . The effectiveness of storage security controls and technologies has advanced accordin gly. Today’s storage technologies can protect data natively in many ways; for example, many modern storage technolo gies have built-in encryption and access control to protect confidentiality, integrity , and redundancy to protect the availability and onboar d protection against malware. In this chapter, we’ll cover the ways in which the built -in security features of modern storage infrastructures ca n be leveraged to protect data. W e’ll review best practices for building storage infrastructures to provide the best protection for data assets. Let’s begin with a look at how storage security has changed in recent years. 4.1.1 Evolution o f Storage Security : Almost ten years ago, 3.5 -inch floppy disk drives were still included on some computers. Being portable stora ge devices, floppy disks were hard t o secure. They were easily lost or the data on them became corrupted. They could be used to propagate malware. The use of floppy disks was largely phased out by the late 2000s. The next generation of storage devices, com pact discs (CDs) and digital video discs (DVDs), posed a unique threat due to their longevity. Unlike other, more volatile storage media, these polycarbonate -encased metal optical data storage devices seem like they will la st forever if handled properly. I f someone place s private, confidential data on a CD or DVD and then misplace s the disc, who knows how long it might stick around and wh o may discover it in the future? For this reason, optical storage devices were banned in many corporate environments, esp ecially those required to comply with privacy regulations. Moreover, once the data is burned to the media, it can’t be changed, so you can’t retroactively apply protection to it. munotes.in
Page 55
55 Storage Security, Database Security Flash drives (USB sticks and the l ike) have become popular over the past few years. These devices have become so cheap and prevalent that they have practically supplanted optical storage devices. Who needs to burn when you can simply copy? Flash drives are a significant source of malware infections in many environments. In addition , they make data theft remarkably easy with their small size, portability, and compatibility with every major computing platform . Portable hard drives, like flash drives , are cheap and plentiful. P ortable USB hard drives have so much storage capacity that they can be used to steal all the data in many organizations. Ev en modern smartphones, cameras , and tablets contain large amounts of flash memory and are accessible via USB, allowing data thieves to copy files unobtrusively. In addition to the previously m entioned dedicated storage devices, the security practitioner now also has to contend with smartphones and mobile devices, which have significant amounts of onboard storage. These devices pose a significant risk to an organization’s data because they are less “obvious” than a hard drive or memory stick and because any stolen data hiding on them can be hard to detect. All of th e storage devices mentioned so far are considered to be unmanaged. The bes t protections for them are encryption and access control. Encrypting confidential data can stop, or discourage, data theft. Information rights ma nagement can protect co nfidential documents such that even if they are stolen, they can’t be opened by unauthorized users. In addition, USB device control software can b lock access to the USB ports on computers where it’s installed, and it can allow or block various activities such as copying to or from USB devices, based on the type of document. Ultimately, unmanaged storage devices are hard to secure and hard to control . That’s why organizations have turned to managed storage, which allows their data to be accessed in secure, controlled ways. With managed storage, organizations can block USB storage devices and drive users toward the managed storage instead . 4.2 MODERN S TORAGE SECURITY Modern storage solutions have moved away from endpoint computers to the network. Network -attached storage (NAS) and storage area networks (SANs) consist of large hard drive arrays with a controller that serves up their contents on the netw ork. NAS can be accessed by most computers and other devices on the network, while a SAN is typically used by servers. These storage systems have many built -in security features to choose from. Based on the security requirements of the environment, these security settings can be configured to meet the obj ectives of the security policy. M odern storage environments can be considered separate IT infrastructures of their own. Many organizations are now dividing their IT organizations along the lines of networks , servers , and, storage — acknowledging that storage merits a place alongside these long -venerated institutions. munotes.in
Page 56
56 Security in Computing 4.2.1 Storage Infrastructure : Storage infrastructure refers to the overall set of hardware and software components needed to facilitate storage f or a system. This is often applied to cloud computing, where cloud storage infrastructure is composed of hardware elements like servers, as well as software elements like operating systems and proprietary delivery applications. Cloud storage infrastructure and other types of storage infrastructure can vary quite a bit, partly because of new and emerging storage technologies. For example, with storage virtualization, the infrastructure is changed to become more software -driven than hardware -driven. In a typi cal storage virtualization environment, a set of physical hard drives are replaced by a set of "logical drives" or "virtual drives" that are partitioned and operated by software. Engineers use different types of strategies like a redundant array of indepen dent disks (RAID) design to create more versatile storage systems that use hardware in more sophisticated ways. 4.3 RISKS TO DATA The first risk involves data that can be accessed via an unauthorized system. The second risk is data access by unauthorized persons . Risk Remediation : In this section , we have categorized the risks associated with data storage according to the classic CIA triad of Confidentialit y, Integrity , and Availability . For each identified risk, where possible, security controls consiste nt with the “three Ds” of se curity —defense, detection , and deterrence —are applied in an effort to mitigate the risk using the principle of layered security (also known as defense -in-depth). What’s left after those controls are applied to mitigate the risks is then identified as residual risks. 4.3.1 Confidentiality Risks : Confidentiality risks are associated with vulnerabilities and threats pertaining to the privacy and control of information, given that we want to make the information available in a contr olled fashion to those who need it without exposing it to unauthorized parties. 4.3.1.1 Data Leakage, Theft, Exposure, Forwarding : A data leak is when sensitive data is accidentally exposed physically, on the Internet , or in any other form including lost hard drives or laptops. This means a cybercriminal can gain unauthorized access to sensitive data without effort . There are four major threat vectors for data leakage: theft by outsiders, malicious sabotage by insiders (including unauthorized data printin g, copying, or forwarding), inadvertent misuse by authorized users, and mistakes created by unclear policies. munotes.in
Page 57
57 Storage Security, Database Security Defense : Employ software controls to block inappropriate data access using a data loss prevention (DLP) solution and/or an information ri ghts ma nagement (IRM) solution. Detection : Use watermarkin g and data classification label ing techniques along with monitoring softw are to track the flow of data . Deterrence : Establish security policies that assign serious consequences to employees who leak da ta, and include clear language in contracts with service providers specifying how data privacy is to be protected and maintained, and what penalties will be there for failure to protect and maintain it. Residual risks : Data persistence within the storage environment can expose data after it is no longer needed, especially if th e storage is hosted on a vendor -provided service that dynamically moves data around in an untraceable manner. Administrative access that allows system administrators full access to a ll files, folders, and directories, as well as the underlying storage infrastructure itself , can expose private data to administrators . 4.3.1.2 Espionage, Packet Sniffing, Packet Replay : Espionage refers to the unauthorized interception of network traffic to gain information intentionally. Packet sniffing is the act of gathering, collecting , and moni toring the data packets that travel through a computer network or the internet. Using tools to reproduce traffic and data that was previously sent on a network is called packet replay. Defense : Encrypt data at rest and in transit th rough the use of modern robust encryption technologies for file encryption, a nd network encryption between servers and over the Internet. Detection : An information rights managemen t (IRM) solution can keep track of data access, which can provide the ability to detect unauthorized access attempts. In addition, an intrusion detection system (IDS) can help identify anomalous behavior on the network that may indicate unauthorized access . Deterrence : In storage environments that are hosted by a third party, employ contract language that makes the service provider liable for damages resulting from unauthorized access. munotes.in
Page 58
58 Security in Computing Residual risk : Data can be stolen from the network through tools that take advantage of network topologies, network weaknesses, compromised servers , network equipment , and direct access to network devices . 4.3.1.3 Inappropriate Administrator Access : If users are given privilege levels usually reserved for system administrat ors which provide full access to a system and all data that the system has access to, they will be able to view data or make changes without being properly restricted through the system’s authorization processes. Administrators have the authority to bypass all security controls , and they can be used to intentionally or mistakenly compromise private data. Defense : Reduce the number of administrators for each function (servers, network , and storage) to as low a number as possible (definitely fewer than ten and preferably fewer than five) and ensure that background checks are used to screen personnel who have administrative access. A vendor security review should be performed to validate these practices before engaging any vendors. Detection : Review the pro vider’s administrative access logs for its internal infrastructure on a monthly or quarterly basis. Review the provider’s list of administrators on a biannual basis. Deterrence : Establish security policies , especially for administrators that assign serio us consequences for inappropriate data access. In hosted environments, select only providers that have good system and network administration practices and make sure t heir practices are reviewed regular ly. Residual risk : Because administrators have full control (all rights) , they can abuse their access privileges either intentionally or accidentally, resulting in the compromise of personal information or service availabilit y. 4.3.1.4 Storage Persistence : Data remains on storage devices long after it is n o longer needed, and even after it is deleted. Data that remains in storage after it is no longer needed, or that is deleted but not strongly overwritten, poses a risk of later discovery by unauthorized individuals. munotes.in
Page 59
59 Storage Security, Database Security Defense : Maintain a U.S. Department of Defense (DoD) level program of disk wiping or file shredding when disks are decommissioned or replaced, and after old data is archived. Detection : There isn’t much that can be done to discover that your data persists on a disk that has been taken offline. Deterrence : Establish data -wiping requirements before selecting a storage product and ensure that contract language establishes these requirements. Residual risk : Data can remain on physical media long after it is thought to have been deleted . Later data can be recovered. 4.3.1.5 Misuse of Data : People who have authorized access to data can misuse the data that they are not supposed to do. Examples are employees who leak information to competitors, developers who perform testing with production data, and employees who take data out of the controlled environment of the organization’s network into their unprotected home environment. Defense : For employees, use security controls similar to those in private data networks, such as DLP, RBAC , and scrambling of test and development data. Block the ability to send e -mail attachments to external e -mail addresses. Detection: Use watermarking and data classification labe ling along with monitoring software to track data flow. IRM can be used to perform these func tions. Deterrence : Employ a strict security policy paired with an awareness program to deter people from extracting data from controlled environments and moving it to uncontrolled environments. Residual risk : People can find ways around controls and tr ansfer data into uncontrolled environments, where it can be stolen or misused . munotes.in
Page 60
60 Security in Computing 4.3.1.6 Fraud : A person who illegally or deceptively gains access to information they are not authorized to access commits fraud. Fraud may be perpetrated by outsiders but is u sually committed by trusted employees. Defense : Use checks and balances along with separation of duties and approvals to reduce the dependence on single individuals for information access, so if somebody does perform a fraudulent action, it will be notic ed. This can also be a deterrent action. Detection : Perform regular audits on computin g system access and data usage giving special attention to unauthorized access. Deterrence : Ensure that security policies include penalties for employees who access data they are not authorized for. In hosted environments, transfer risk to service providers using contractual language that holds the service provider responsible for fraud committed by a service provider employee. Residual risk : Fraudulent data access c an occur despite the controls that are designed to prevent it . 4.3.1.7 Hijacking : Hijacking in the context of computing refers to the exploitation o f a valid computer session also called a session key to gain unauthorized access to information or services in a computer system. In particular, it’s the theft of a magic cookie used to authenticate a user to a remote server. For example, the HTTP cookies used to maintain a session on many websites can be stolen using an intermediary computer or with access to the saved cookies on the victim’s computer. If an attacker can steal the authentication cookie, they can make requests themselves as if they were genuine user s, gaining access to pr ivileged information or they may modify data. If this cookie is a persisten t cookie, then the impersonation can continue for a considerable period . Any protocol in which a state is maintained using a key passed between two parties is vulnerable, especially if it’s not encrypted. Defense : Look for solid identity management solut ions that specifically address this risk using strong, difficult -to-guess session keys with encryption. Use good key management, key escrow , and key recovery practices as a customer so that employee departures do not result in the inability to manage your data. munotes.in
Page 61
61 Storage Security, Database Security Detection : Routinely monitor logs, looking for unexpected behavior. Deterrence : Not much can be done to deter attackers from hijacking sessions, other than an aggressive legal response. Residual risk : Attackers can impersonate valid users or eve n use administrative credentials to lock you out or damage your infrastructure. 4.3.1.8 Phishing : Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. Phishing is an attempt to trick a victim into disclosing personal information. The most common method of phishing is to send potential victims an e -mail message that appears to be from a legitimate organization and directs the recipients to log in and provide a username, pas sword, credit card inf ormation , or other sensitive information. Defense : Employ anti -phishing technologies to block rogue web sites and detect false URLs. Use multifactor authentication for customer -facing systems to ensure that users are aware when they are r edirected to a fake website. Send periodic informational updates and educational materials to customers explaining how the system works and how to avoid phishing attempts. Never send e -mails that include or request personal details, including ID or passwords. Detection : Use an application fir ewall to detect when remote web sites are try ing to copy or emulate your web site. Deterrence : Maintain educational and awareness programs for individuals who use and store personal information of employees or customers. Residual risk : Employees can become victim s of phishing scams despite the best training and awareness programs, especially if those scams are sophisticated. This can result in data loss. 4.4 INTEGRITY RISKS Integrity risks affect both the validity of information and the assurance that the information is correct. Some government regulations are munotes.in
Page 62
62 Security in Computing particularly concerned with ensuring that data is accurate. If information can be changed without warning, authorization, or an audit trail, its integrity cannot be guaranteed. 4.4.1 Malfunctions : Computer and storage failures that corrupt data damage the integrity of that data. Defense : Make sure the storage infrastructure you select has appropriate RAID redundancy built in and that archives of important data are part of the service. Detection : Employ integrity verification software that uses checksums or other means of data verification. Deterrence : Due to the nature of data, because th ere is no human involvement , there isn’t much that can be done. Residual risk : Techno logy failures that damage data may result in operational or compliance risk (especially relating to Sarbanes -Oxley requirements for publicly traded companies to ensure the integrity of their financial data). 4.4.2 Data Deletion and Data Loss : Data can be accidentally or intentionally destroyed due to computer system failures or mishandling. Such data may include financial, organizational, personal, and audit trail information. Defense : Ensure that your critical data is stored and housed in more than one location (back up). Detection : Maintain and review audit logs of data deletion. Deterrence : Maintain educational and awareness programs for individuals who access and manage data. Ensure tha t data owners are assigned authority and control over data and r esponsibility for its loss. Residual risk : If important data is gone, it can’t be restored under any circumstances. munotes.in
Page 63
63 Storage Security, Database Security 4.4.3 Data Corruption and Data Tampering : Changes to data caused by a malfunction ing in computer or storage systems, or by malicious indi viduals or malware, can damage the integrity of that data. Integrity can also be damaged by people who modify data with the intent to defraud. Defense : Utilize version control software to maintain archive copies of important data before it is modified. E nsure that all data is protected by antivirus software. Maintain role -based access control over all data based on least privilege principles, pursuant to job function and need to know. Detection : Use integrity -checking software to monitor and report al terations to key data. Deterrence : Maintain educational and awareness programs for individuals who access and manage data. Ensure tha t data owners are assigned authority and control over data and responsibility for its loss. Residual risk : Corrupted or damaged data can cause significant issues because valid, reliable data is the cornerstone of any computing system. 4.4.4 Accidental Modification : This is the most common cause of data integrity loss, accidental modification occurs either when a user inte ntionally makes changes to data but makes the changes to the wrong data or when a user inputs data incorrectly. Defense : Utilize version control software to maintain archive copies of important data before it is modified. Maintain role -based access contr ol over all data based on least privilege principles, pursuant to job function and need to know. Detection : Use integrity -checking software to monitor and report alterations to key data. Deterrence : Maintain educational and awareness programs for indiv iduals who access and manage data. Ensure that data owners are assigned that have authority and control over data and responsibility for its loss. munotes.in
Page 64
64 Security in Computing Residual risk : Corrupted or damaged data can cause significant issues because valid, reliable data is the c ornerstone of any computing system. 4.5 AVAILABILITY RISKS Availability risks are associated with vulnerabilities and threats pertaining to the reliability of services, given that we want the services that we use to be reliable, to pose a low risk, and to have a low incidence of an outage. 4.5.1 Denial of Service : A denial -of-service (DoS) attack is a type of cyber attack in which a malicious actor aims to render a computer or other device unavailable to its intended users by interrupting the device's normal functioning. This type of attack commonly involves saturating the target machine with too many communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Defense : Select a storage platform that has solid protection against network attacks. Implement firewalls, an IPS, and network filtering at the perimeter of the storage network to block attacks. Detection : Monitor intrusion detection systems 24×7×365. Deterrence : Work with your legal department to ensure that attackers are found and prosecuted. Residual risk : Because most DoS and DDoS attacks make use of compromised systems across the globe, they can be hard to track, and because they flood system and network res ources, they can get through an environment’s defenses. 4.5.2 Outage : An outage is any unexpected downtime or unreachability of a computer system or network. Defense : The primary defense against any service outage is redundancy. Ensure th at individual s ystems, devices , and network links are clustered or set up to use high availability. Outages are expensive —calculate the cost of downtime and use that to justify investment in the additional equipment needed for redundancy. Additionally, employ a solid dis aster recovery plan to ensure that you are ready for extended outag es so that the storage munotes.in
Page 65
65 Storage Security, Database Security environment can be automatically switched to a different location during an outage. Detection : Employ monitoring tools to continuously monitor the availability and response time of the storage environment. Deterrence : Because outages generally occur as a result of software problems, little can be done to stop them from happening. Residual risk : Unforeseen outages can occur even when all devices and network paths are completely redundant, due to malfunctions or human error, so storage infrastructures may be down for as long as it takes to switch over to the disaster recovery environment. 4.5.3 Instability and Application Failure : Problems, such as flaws in software o r firmw are can cause freezing, locking , or crashing of applications making them unresponsive and resulting in loss of functionality or failure of an entire computer or network. Defense : Ensure that all software updates are applied to the infrastructure o n a frequent basis. Detection : Implement service monitoring to detect and alert when an application does not respond correctly. Deterrence : In contracts with storage suppliers, include clear language that specifies penalties and remuneration for instabi lity issues. Residual risk : Because instability in applications and infrastructure generally occurs as a result of software problems, little can be done to stop them from happening . 4.5.4 Slowness : When the response time of a computer or network is cons idered unacceptably slow, its availability is affected. munotes.in
Page 66
66 Security in Computing Defense : Using redundant storage system s and network connections set up the architecture so that application access will automatically switch to the fastest environment. Also , ensure that you have i mplemented high - capacity services with demand -driven expansion of resources. Detection : Monitor the response time of applications on a continuous basis and ensure that alerts have an out -of-band path to support staff so that response problems don’t stop alerts from being delivered. Deterrence : Establish contract language with storage a manufacturer that provides compensation for unacceptable response times. Residual risk : Slowness can persist despite best efforts, resulting in a loss of efficiency and effective downtime. 4.5.5 High Availability Failure : A service that is supposed to fail over in the event of a problem with one device to another, functioning devices may not actually fail over properly. This can happen, for example, when a primary devi ce slows down to the point where it becomes effectively unresponsive, but the HA software doesn’t actually consider it to be “down.” Defense : Monitor the health of secondary systems or all systems in an HA cluster. Detection : Perform periodic failover testing. Deterrence : Not much can be done to guarantee that systems will switch over when they are supposed to. Residual risk : Sometimes, a primary device slows down to the point that it becomes unresponsive for all practical purposes, but because it’s not officially “down” according to its software, the backup system doesn’t take over. 4.5.6 Backup Failure : When you discover that those backups you were relying on aren’t actually any good, either because the media is damaged or the backup data is corru pted or missing, data is lost. munotes.in
Page 67
67 Storage Security, Database Security Defense : Leverage storage elasticity to avoid the use of traditional offl ine (tape or optical) backups. Detection : Frequently perform recovery testing to validate the resilience of data. Deterrence : Establish a data -loss clause in the contract with the storage manufacturer so that they have the incentive to help with unforeseen loss of data. Residual risk : Backups fail, but multiple recovery paths can eliminate most of the risk. The practice of backing up data has been around for a long time and, consequently, is one of the most reliable security practices. As long as data is appropriately replicated, it can live forever, so the majority of residual risk, in this case , would be due to substandard data replication practi ces or lack of attention to this matter. 4.6 DATABASE SECURITY Modern organizations rely heavily on the information stored in their database systems. From sales transactions to human resources records, mission -critical, sensitive data is tracked within the se systems. It is very important that business and systems administrators take the proper precautions to ensure that these systems and applications are as secure as possible. You wouldn’t want a junior -level database administrator to be able to access info rmation that onl y the executive team should see, but you also wouldn’t want to prevent your staff from doing their jobs. As with all security implementations, the key is to find a balance between security and usability. Modern databases must meet differen t goals. The y must be reliable, provide quick access to information and provide advanced features for data storage and analysis. Furthermore, they must be flexible enough to adapt to many different scenarios and types of usage. Many organizations rely on d atabases to serve as the “back end” for purchased applications or custom -developed applications. The “front end” of these systems is generally client applications or web user interfaces. Because of the heavy reliance that modern organizations place on thei r data storage systems, it’s very important to understand, implement, and manage database security. Let’s start by looking at an overview of vario us layers of database security and how they interact. Database Security Layers : Relational databases can supp ort a wide array of different types of applications and usage patents; they generally utilize security at multiple layers. Each layer of security is designed for a specific purpose and can be munotes.in
Page 68
68 Security in Computing used to provide authorization rules. In order to get access to y our most trusted information, users must have appropriate permissions at one or more of these layers. 4.6.1 Server -Level Security : A database application is only as secure as the server it is running on. Therefore, it’s important to start considering sec urity settings at the level of the physical server or servers on which your databa ses will be hosted. In small simple configurations, you might need to secu re only a single machine. Large organizations will likely have to make accommodations for many serve rs. These servers may be geographically distributed and even arranged in complex clustered configurations. One of the first step s you need to take in order to secure a server is to determine which users and applications should have access to it. Modern database platforms are generally accessible over a network, and most database administration t asks can be performed remotely. It’s also very important to physically protect databases in order to prevent unauthorized users from accessing database files and da ta backups. If an unauthorized user can get physical access to your servers, it’s much more difficult to protect against further breaches. 4.6.2 Network -Level Security : As mentioned previously, databases work with their respective operating system platfor ms to serve users with the data they need. Therefore, general operating system and net work -level security also apply to databases. If the underlying platform is not secure, this can create significant vulnerabilities for the database. Since they are design ed as network applications, you must take reasonable steps to ensure that only specific clients can access these machines. Some standard “best practices” for securing databases include limiting the networks and/or network addresses that have direct access to the computer. For example, you might implement routing rules and packet filtering to ensure that only specific users on your internal network will even be able to communicate with a server. As an example, Microsoft’s SQL Server database platform uses a default TCP port of 1433 for communications between clients and the database. If you know for certain that there is no need for users on certain subnets of your network to be able to access this server directly, it would be advisable to block network acce ss to this TCP port. Doing so can also prevent malicious users and code (such as viruses) from attacking this machine over the network. Another security practice involves changing the default port on which the server listens. Of course, few real -world dat abases work alone. Generally, these systems are accessed directly by users, and often by mission -critical applications. munotes.in
Page 69
69 Storage Security, Database Security 4.6.3 Operating System Security : On most platforms, database security goes hand in hand with operating system security. Network configu ration settings, file system permissi ons, authentication mechanisms , and operating system encryption features can all play a role in ensuring that databases remain secure. For example, on Windows -based operating systems, only the NTFS file system offers an y level of file system security (FAT and FAT32 partitions do not provide any file system security at all). In environments that use a centralized directory services infrastructure, it’s important for systems administrators to keep permissions settings up t o date and to ensure that unnecessary accounts are deactivated as soon as possible. Fortunately, many modern relational database platforms can leverage the strengths of the operating systems that they run on. Let’s look at this in more detail. Managing Dat abase Logins : Most database systems require users to enter some authentication details before they can access a database. The first level of database security can be based on a standard username and password combination. Or, for improved manageability and single sign -on purposes, the database systems can be integrated with an organization’s existing authentication system. For example, many relational database products that operate on Microsoft’s Windows operating system platform can utilize the security features of a domain -based security model. Based on an individual’s user account and group membership, he or she can perform a seamless “pass - through authentication” that does not require rekeying a username or password. Among the many benefits of this meth od is the ability to centrally administer user accounts. When a user account is disabled at the level of the organization’s directory service, no further steps need to be taken to prevent the user from accessing database systems. In addition, organizations are increasingly turning to biometric -based authentication (authentication through the use of fingerprint identification, retinal scans, and related methods), as well as smart -card and token -based authentication. Database administrators can take advantage of these mechanisms by relying on the operating system for identifying users. Therefore, integrated security is highly recommended, both for ease of use and for ease of management. Server l ogins can be granted permission directly. For example, a user may be given permission to shut down or restart a database or the ability to create a new database on the server. Login -level permissions generally apply to the server as a whole and can be used to perform tasks related to backup and recovery, performance moni toring, and the creation and deletion of databases. In some cases, users with server login permissions may be able to grant these permissions to other users. Therefore, it’s very important to fully understand the security architecture of the database platform you’re depending on to keep your information safe. Another important consideration to keep in mind is that most relational database platforms allow operating system administrators to have much implicit permission on the database. For example, system administrators munotes.in
Page 70
70 Security in Computing can start and stop the services and can move or delete database files. Additionally, some database platforms automatically grant the system administrator a database login that allows full permissions. Although this is probably desirable in som e cases, it’s something that must be kept in mind when trying to enforce overall security. In some situations, it’ s important that not all system administrators have permission to access sensitive data that is stored on these servers. Configuring systems i n this way can be a challenge, and the exact method of implementation will be based on the operating system and database platform you’re running. Most often, a server login only allows a user to connect to a database. It does not implicitly allow the user to perform any specific actions within databases. In the next section, we’ll take a look at how database -level security can be used to assign granular permissions to database logins. 4.7 DATABASE BACKUP AND RECOVERY An integral part of any overall databas e security strategy should be providing for database backup and recovery. Backups serve many different purposes. Most often, it seems that systems administrators perform backups to protect the information in the ca se of server hardware failures. Data can b e lost due to accidental human errors, flawed application logic, defects in the database or operating system platform, and, of course, malicious users who are able to circumvent secur ity measures. In the event , that data is incorrectly modified or dest royed altogether, the only method to recover data is from backups. Since all relational datab ase systems have some methods for performing database backups while a server is running, there isn’t much of an excuse for not implementing backups. The real challeng e is in determining what backup str ategies apply to your environment. You’ll need to find out what your working limitations are. This won’t be an easy task, even in the best - managed organizations. It involves finding information from many different individ uals and departments within your organization. You’ll have to work hard to find existing data and make the best guesses and estimates for areas in which data isn’t available. So, how do you decide what to protect? One method is to classify the importance of the relative types of information you need to protect. For example, your sales databases might be of “mission critical” importance, whereas a small decision -support system might rank “low priority” on the scale (since the data can relatively easily be r e-created, if necessary). It’s also important to keep in mind that business managers may have a very different idea of the importance of data when compared to other users who actually deal with this information frequently. Keep in mind that determining how to protect information must be a team effort if it is to be accurate and successful. An example of high -level data protection requirements is shown in Table 4. 1. munotes.in
Page 71
71 Storage Security, Database Security
Table 4.1 Sample Categorization of Data Based on Importance 4.7.1 Determining Backup Constr aints : Once you have an idea of what your organization needs to back up, it’s time to think about ways in which you can implement a data protection strategy. It is of critical importance that you define your business requirements before you look at the te chnical requirements for any kind of data protection solution. Table 4.2 provides an example of a requirements worksheet that summarizes data protection needs. In addition to these requirements, you might also have a preliminary budget limit that can serv e as a guideline for evaluating solutions. You should also begin thinking about personnel and the types of expertise you’ll need to have available to implement a solution .
Table 4.2 Sample Data Protection Requirements Worksheet Based on Business Requirem ents 4.7.2 Determining Recovery Requirements : The purpose of data protection is not to create backups. The real purpose is to provide the ability to recover information, in case it is lost. To that end, a good practice is to begin designing a backup solut ion based on your recovery requirements. You should take into account the cost of downtime, the value of the data , and the amount of acceptable data loss in a worst -case scenario. Also, keep in mind the likelihood of certain types of disasters. When plann ers are evaluating business needs, they may forget to factor in the potential time for recovering information. The question they should munotes.in
Page 72
72 Security in Computing ask is the following: “If we lose data due to failure or corruption, how long will it take to get it back?” In some case s, the answer will be based on the technical limitations of the hardware you select. For example, if you back up 13GB of data to tape media and then the database becomes corrupted, the recovery time might be two hours. But what if that’s not fast enough? S uppose your systems must be available within half that time—one hour. In that case, you’ll need to make some important decisions. An obvious choice is to find suitable backup hardware to meet these constraints. If budgetary considerations don’t allow that, however, you’ll need to find another way. 4.8 KEEPING YOUR SERVERS UP TO DATE An important security best practice that also applies to databases is keeping systems up to date. In order to ensure that known vulnerabilities and server problems are repaired , you must apply the latest security and application patches. It’s especially difficult to keep active databases up to date, since downtime, testing, and potential performance degradation can be real concerns. H owever, you should always check for available updates and find out if the servers you manage have problems that are potentially solved by an update. If so, plan to install the updates as soon as you can test and deploy them. Additionally, relevant patches should be applied to the operating system on which the database is running. Most dat abase vendors offer support web sites that offer technical details and updates for their server platforms. 4.9 DATABASE AUDITING AND MONITORING The idea of accountability is an important one when it comes to network and database security. The process of auditing involves keeping a log of data modifications and permissions usage. Often, users that are attempting to overstep their security permissions (or users that are unauthorized altogether) can be detected and dealt with before significant damage is done; or, once data has been tampered with, auditing can provide details about the extent of loss or data cha nges. There’s another benefit of implementing auditing: when users know that certain actions are being tracked, t hey might be less likely to attempt to snoop around your databases. Thus, this technique can serve as a deterrent. Unfortunately, in many environments, auditing is overlooked. Though it won’t necessarily prevent users from modifying information, auditing can be a very powerful security tool. Most relational databases provide you with the ability to track specific actions based on user roles or to track actions on specific database objects. For example, you might want to create an audit log entry whenever i nformation in the EmployeeSalary table is updated, or you might choose to implement auditing of logins and certain actions to deter systems administrators (who might require full permissions on a database) from casually “snooping around” in a database. Perhaps one of the reasons that auditing is not often implemented is that it requires significant planning and management. Unlike some types of “set munotes.in
Page 73
73 Storage Security, Database Security and forget” functions, it’s important to strike a balance between technical requirements and capturing enough information to provide meaningful analysis. In many cases, auditing too much information can decrease system performance. Also, audit logs can take up significant disk space. Finally, a few database administrators would enjoy the task of looking through th ousands of audit log entries just to find a few items that may be of interest. Most relational database systems offer some level of auditing functionality. Even if one or more of the types of database s you support does not include this feature, yo u can al ways implement your own. At a minimum, most database administrators should configure logging of both successful and failed database login attempts. Although this measure, by itself, will provide limited information, it will provide for some level of accoun tability. Of course, capturing data is only one part of overall auditing. 4.10 SUMMARY As the storage of data has evolved from individually carried media to a specialized infrastructure environment, storage now requires specific planning and implementatio n of security in order to protect the data. This chapter has presented several options, techniques, and best practices to equip the storage administrator to make the best choices for the specific environment of the organization. In this chapter, we covered a lot of information that is specific to implementing and maintaining security for relational databases. Although many of the same policies, procedures, tools, and techniques covered in earlier chapters also apply to databases, there are some special considerations that should be kept in mind. We began by looking at the roles that databases can play in a typical organization. Then we examined the various levels of security that are implemented in most relational database platforms. Specifically, we looked at server -level, network -level, and database -level security. The permissions at each of these levels can help narrowly define what users can and cannot do, and can help prevent accidental or malicious data modifications. Next, we looked at how application -level security can be used to maintain strict permissions while simplifying database administration. Another important aspect related to ensuring the security of database systems is implementing a data protection plan. We looked at the reasons for performi ng backups, how backups should be planned, and various backup operations that can be performed in relational databases. Finally, we looked at the importance of auditing and monitoring servers. 4.11 QUESTIONS 1) Write a short note on Storage security evolution . 2) Explain risk remediation for integrity risk. munotes.in
Page 74
74 Security in Computing 3) Explain risk remediation for confidentiality risk. 4) Explain risk remediation for availability risk. 5) Describe various Database Security layers. 6) Explain Database Backup and recovery. 7) What are database auditing an d monitoring? 4.12 REFERENCE S The Complete Reference: Information Security, Mark Rhodes -Ousley, McGrawHill, Second Edition .
***** munotes.in
Page 75
75 UNIT - III 5 SECURE NETWORK DESIGN, NETWORK DEVICE SECURITY Unit Structure 5.0 Objectives 5.1 Introduction to Secure Network Design 5.1.1 Acceptable Risk 5.1.2 Designing Security in a Network 5.1.3 Designing an Appropriate Network 5.1.4 The Cost of Security 5.2 Performance 5.3 Availability 5.4 Security 5.5 Network Device Security 5.5.1 Switch and Router Basics 5.5.2 MAC Addresses, IP Addresses, and ARP 5.5.3 TCP/IP 5.5.4 Brief Overview of the OSI Layer 5.5.5 Hubs 5.5.6 Switches 5.5.7 Routers 5.6 Network H ardening 5.7 Summary 5.8 Questions 5.9 References 5.0 OBJECTIVES Understand Secure Network Design Learn Performance, Availability and Security Understand Network Device Security 5.1 INTRODUCTION TO SECURE NETWORK DESIGN All information systems create risks to an organization, and whether the level of risk introduced is acceptable is ultimately a business decision. Controls such as firewalls, resource isolation, hardened system munotes.in
Page 76
76 Security in Computing configurations, authentication, access control systems , and encryption can be used to help mitigate identified risks to acceptable levels. 5.1.1 Acceptable Risk : What constitutes an acceptable level of risk d epends on the individual organization and its ability to tolerate ris k. A risk-averse organization will ultimately accept lower levels of risk and require more security controls in deployed systems. Management’s risk tolerance is expressed through the policies, procedures , and guidelines issued to the staff. A complete set of policies outlining management’s preferences and its tolerance of information security risks enables employees to make appropriate infrastructure decisions when designing and securing n ew systems and networks. Thus, the design and configuration of the infrastructure become the enforcement of those documents. Many enterprises inadvertently violate certain laws without even knowing that they are doing so (for example, storing credit card n umbers without taking into account Payment Card Industry Data Security Standard [PCI DSS], or storing patient data without factoring in Health Insurance Portability and Accountability Act [HIPAA] provisions). This modifies the level of residual risk produc ed after the controls are applied, since the planned controls may not address risks that are not clearly defined prior to control plan development. 5.1.2 Designing Security into a Network : Security is often an overlooked aspect of network design and attemp ts at retrofitting security on top of an existing network can be expensive and difficult to implement properly. Separating assets of the differing trust and security requirements should be an integral goal during the design phase of any new project. Aggreg ating assets that have similar security requirements in dedicated zones allows an organization to use small numbers of network security devices, such as firewalls and intrusion - detection systems to secure and monitor multiple application systems. Other in fluences on network design include budgets, avai lability requirements, network size and scope, future growth expectations, capacity requirements, and management’s tolerance of risks. For example, dedicated WAN links to remote offices can be more reliable t han virtual private networks (VPNs), but they are costly especially when covering large distances. Fully redundant networks can easily recover from failures, but having duplicate hardware increases costs; and when more routing paths are available, harder i t is to secure and segregate traffic flows. A significant but often missed or under -considered factor in determining an appropriate security design strategy is to identify how the network will be used and what is expected from the business it supports. Thi s design diligence can help avoid expensive and difficult retrofits after the network is implemented. Let’s consider some key network design strategies . munotes.in
Page 77
77 Secure Network Design, Network Device Security Network Design Models : To understand how the overall design impacts security, let’s examine the design s of a shopping mall and an airport. In a shopping mall to make ingress and egress as convenient as possible numerous entrances and exits are provided. However, the large number of entrances and exits makes attempts to control access to the shopping mall e xpensive and difficult. Screening mechanisms would be required at each door to identify and block unwanted visitors. Furthermore, implementing a screening mechanism isn’t the only hurdle; after it is deployed, each mechanism must be kept properly configure d and updated to ensure that an unauthorized person doesn’t slip through. In contrast, an airport is designed to funnel all passengers through a small number of well -controlled checkpoints for inspection. Networks built on the shopping mall model are inhe rently harder to secure than networks designed around the airport model. The design of an airport does much more than just facilitate the passenger screening performed just inside a terminal. Overall, the airport has a highly compartmentalized design that requires an individual to pass through a security check whenever passing between compartments. Not all screening is explicit —some monitoring is passive, involving cameras and undercover police officers stationed throughout the airport. There are explicit checkpoints between the main terminal and the gate areas as well as between the gate area and the plane. There are security checks for internal airport movements as well and staffs need special access keys to move into the internal areas, such as baggage p rocessing and the tarmac. An average big -city airport also maintains multiple terminals to handle the traffic load which reduces the impact of a security breach in a single terminal. These smaller, higher -security terminals can have more stringent security checks, and it allows passengers with different security requirements, such as politicians and federal prisoners to be segregated, lowering the risk that one group could affect the other. All of these elements can be translated into network design such as using firewalls and authentication systems for controlling traffic movement around the network, using the network to segregate traffic of differing sensitivity levels , and using monitoring systems to detect unauthorized activities. 5.1.3 Designing an Appr opriate Network : There are invariably numerous requirements and expectations placed upon a network, such as meeting and exceeding the organization’s availability and performance requirements, providing a platform that is conducive to securing sensitive ne twork assets , and enabling effective and secure links to other networks. On top of that, the overall network design must provide the ability to grow and support future network requirements. As illustrated earlier with the airport and mall analogies, the ov erall design of the network will affect an organization’s ability to provide levels of security commensurate with any risks associated with the resources or on that network. munotes.in
Page 78
78 Security in Computing To design and maintain a network, network architects and engineers must have a so lid understanding of the needs of its users. The best way to do this is to involve those architects and engineers in the application development process. By getting involved early in the development cycle, engineers can suggest more secure designs and topo logies and additionally can assure the project team that they have a clear understanding of the security considerations and capabilities. In addition, they can ensure that new projects are more compatible with the existing corporate infrastructure. Common steps for obtaining such information include meeting with project stakeholders, application and system owners, developers, management , and users. It is important to understand their expectations and needs about performance, security, availability, budget , and the overall importance of the new project. Adequately understanding these elements will ensure that those project goals are met, and appropriate network performance and security controls are included in the design. One of the most common problems encou ntered in a network implementation is unmet expectations resulting from a difference in assumptions. That’s why expectations should be broken down into mutually observable (and measurable) facts as much as possible, so the security designers ensure that th ere is an explicit agreement with any functional proposals clearly understood and agreed. 5.1.4 The Cost of Security : Security control mechanisms have expenses associated with their purchase, deployment, and maintenance , and redundantly implementing these systems can increase costs significantly. When deciding on appropriate redundancy and security controls for a given system or network, it is helpful to create several negative scenarios in which a security breach or an outage occurs, to determine the corp oration’s costs for each occurrence. This risk -model approach should help management determine the value to the corporation of the various security control mechanisms. For example, what costs are incurred to recover from a security breach or when respondin g to a system outage outside of normal business hours? Be sure to include cost estimates for direct items such as lost sales, reduced productivity , and replacement costs as well as for indirect items such as damage to the organization’s reputation and bran d name and the resultant loss of customer confidence. Armed with an approximation of expected loss, corporations can determine appropriate expenditure levels. For example, spending $200,000 to upgrade a trading system to achieve 99.999 percent availability may seem overly expensive on the surface, but it is a trivial expense if system downtime can cost the corporation $250,000 per hour of outage. munotes.in
Page 79
79 Secure Network Design, Network Device Security 5.2 PERFORMANCE The network will play a huge ro le in meeting the performance requirements of an organization. N etworks are getting faster and faster, evolving from 10 megabit s to 100 megabit s to gigabit speeds, with 10GE commonly deployed and 40GE, 100GE , and InfiniBand technologies available today. When determining the appropriate network technology, be sure that it can meet the bandwidth requirements projected for three to five years in the future. Otherwise, expensive replacements or upgrades may be required. Applications and networks that have a low tolerance for latency such as those supporting video and voice streaming will require higher - performance network connections and hardware. What about applications that move data in large chunks (for example, storage snapshots or disk -to- disk offsite replication)? In stead o f an expensive, dedicated, high bandwidth con nection, it may be more economical to implement links that are burstable, meaning that the provider will allow short bursts of traffic above the normal subscribed rate. If applications will share common network infrastructure components, the design team ma y also consider implementing Quality of Service (QoS) technologies to prevent one application from consuming too much band width, or to ensure that higher - priority applications always have sufficient bandwidth available. The legacy Cisco Hierarchical Inter networking model is a common design implemented in large -scale networks today, although many new types of purposed designs have been developed that support emerging technologies like class fabrics, lossless Ethernet, layer two bridging with a trill or IEEE 802.1aq, and other data center –centric technologies. The three -tier hierarchy still applies to campus networks, but no longer to data centers. This is a “legacy” model socialized by Cisco, but even Cisco has newer thinking for data centers. Networks are becoming much more specialized, and the security thinking for different types of networks is significantly different. The Cisco three -tier model is derived from the Public Switched Telephone Network (PSTN) model, which is in use for much of the world’s tel ephone infrastructure. The Cisco Hierarchical Internetworking model, depicted in Figure 5.1, uses three main layers commonly referred to as the core, distribution, and access layers: Core layer : It forms the network backbone and is focused on moving data as fast as possible between distribution layers. As performance is the core layer’s primary focus, it should not be used to perform CPU -intensive operations such as filtering, compressing, encrypting, or translating network addresses for traffic. Distribut ion layer : It sits between the core and the access layer. This layer is used to aggregate access -layer traffic for transmission into and out of the core. munotes.in
Page 80
80 Security in Computing Access layer : It is composed of user networking connections. Filtering, compressing, encrypting, and address -translating operations should be performed at the access and distribution layers. The Cisco model is highly scalable. As the network grows, additional distribution and access layers can be added seamlessly. As the need for faster connections and m ore bandwidth arises, the core and distribution equipment can be upgraded as required. This model also assists corporations in achieving higher levels of availability by allowing for the implementation of redundant hardware at the distribution and core lay ers. And because the network is highly segmented, a single network failure at the access or distribution layers does not affect the entire network. Although the Cisco three -tier model is perhaps the most commonly known and referenced model for designing L AN environments, it has its limitations and is rapidly being supplanted by newer models aimed at addressing the specific needs of highly virtualized data centers, the specific needs of different industry verticals and the specific needs of cloud computing and multitenancy environments.
Figure 5.1 The Cisco Hierarchical Internetworking model 5.3 AVAILABILITY Network availability requires that systems are appropriately resilient and available to users on a timely basis (whenever us ers require them). The opposite of availability is a denial of service, which is when users cannot access the resources they need on a timely basis. Denial of service can be intentional (for example, the act of malicious individuals) or accidental (such as when hardware or software fails). Business availability needs munotes.in
Page 81
81 Secure Network Design, Network Device Security have driven some organizations to construct duplicate data centers that perform real -time mirroring of systems and data to provide failover and reduce the risk of a natural disaster or terroris t attack destroying their only data center. Depending on the specific business and risk factors, redundancy often increases both cost and complexity. Determining the right level of availability and redundancy is an important design element, which is best influenced by a balance between business requirements and resource availability. The best practice for ensuring availability is to avoid single points of failure within the architecture. This can require redundant and/or failover capabilities at the hardw are, network, and application functions. A fully redundant solution can be extremely expensive to deploy and maintain, because as the number of failover mechanisms increases, system complexity increases, which can raise support costs and complicate trouble shooting. Numerous security appliance vendors have failover mechanisms that enable a secondary firewall to take over responsibilities when the primary firewall fails. Beyond firewalls, routers can also be deployed in a high -availability configuration. Implementing a redundant firewall or router solution is only one step in achieving full high -availability network architecture. For example, a high - availability firewall solution provides no value when both firewalls are plugged into the same switch. The swit ch becomes a single point of failure and any interruption in its normal operation would take both firewalls off the network, negating any benefit of the firewall failover mechanism. The same holds f or a router —if there is only a single router between the firewalls and the rest of the network, the failure of that router would also cause an outage. A true high -availability design will incorporate redundant hardware components at the switch, network, firewall, and application levels. When eliminating failure p oints, be sure to consider all possible components. You may want to guarantee reliable power via a battery backup, commonly called an uninterruptible power supply (UPS), or even an emergency generator for potential long -term interruptions. Designers should consider maintaining multiple Internet links to different Internet service providers to insulate an organization from problems at any one provider. 5.4 SECURITY Each element on a network performs different functions and contains data of differing securit y requirements. Some devices contain highly sensitive information that could damage an organization if disseminated to unauthorized individuals such as payroll records, internal memorandums, customer lists , and even internal job -costing documents. Other de vices have more exposure due to their location on the network. For example, munotes.in
Page 82
82 Security in Computing internal file servers will be protected differently than publicly available web servers. When designing and implementing security into network and system architectures, it is nece ssary to identify critical security controls and understand the consequences of a failure in those controls. For example, firewalls protect hosts by limiting what services users can connect to on a given system. Firewalls can allow different sets of users’ selective access to different services, such as allowing system administrators to access administrative services while preventing non -administrative users from accessing those same services. This provides an additional level of control over that provided by the administrative mechanisms themselves. By denying a non -administrative user the ability to connect to the administrative service, that user is prevented from mounting an attack directly on that service without first circumventing the firewall. Howev er, simply restricting users to specific services may be insufficient to achieve the desired level of security. For example, it is necessary to allow traffic through the firewall to connect to various authorized services. For an organization to send and re ceive an e-mail, firewalls must be configured to permit e -mail traffic. Firewalls have limited capability in preventing attacks directed at authorized applications, so overall network security is dependent on the proper and secure operation of those applic ations. Flaws, such as buffer overflows, can allow an attacker to turn a vulnerable server into a conduit through the firewall. Once through the firewall, the attacker can mount attacks against the infrastructure behind the protection of the firewall. If t he server is on the internal network, the entire network could be attacked without the protection provided by the firewall, but if the server is on a separate firewalled segment instead of the internal network, only the hosts on the same subnet could be di rectly attacked. Because all traffic exiting that subnet still must pass back through the firewall, it can still be relied upon to protect any additional communications from this compromised subnet to any other internal subnets. In addition to the best pr actice of segmenting the traffic, using the advanced inspection capabilities and application -layer gateways of current -generation firewalls can help protect segmented networks by ensuring that traffic being sent as a particular service over a particular po rt is well -formed traffic for that service. For example, if a server in a segregated network zone is compromised via an HTTP exploit and the attacker attempts to create a connection to another host within a d ifferent firewall zone using SSH but over port 80, the firewall s hould be able to detect that SSH is not HTTP traffic, and warn or block accordingly (based on how it is configured to behave). Thus, the network design can increase security by segregating servers from each other with firewalls. However, t his is not the only control mechanism that should be used. While it may not be initially obvious, the munotes.in
Page 83
83 Secure Network Design, Network Device Security proper operation of the service itself is a security control , and limiting the privileges and capabilities of that service provides an additional layer of control. For example, it is good practice to run services without administrative privileges wherever possible. 5.5 NETWORK DEVICE SECURITY This chapter is about how to use routers and switches to increase the security of the network. The first half of the chapter is about basics of routers and switches, while the second half provides configuration steps for protecting the devices themselves against attacks. Traditionally, routers and switches have been managed by using a command -line interface (CLI), but i nterfaces have evolved over time toward graphical configuration solutions. CLIs are still available, but web user interfaces (web UIs) have become ubiquitous and are the most used configuration tools these days. 5.5.1 Switch and Router Basics : The dominant internetworking protocol in use today is known as Transmission Control Protocol/Internet Protocol version 4 (TCP/IP or IPv4), although IPv6 is on the horizon and is deployed in some carrier networks today. TCP/IP provides all the necessary components and mechanisms to transmit data between two computers over a network. TCP/IP is actually a suite of protocols and applications that have discrete functions that map to the Open Systems Interconnection (OSI) model. 5.5.2 MAC Address, IP Address, and ARP : Each d evice on a network has two network -related addresses: a layer two address known as the Media Access Control (MAC) address (also known as the hardware address or physical address), and a layer three address known as the IP address. MAC addresses are 48 -bit hexadecimal numbers that are uniquely assigned to each hardware network interface by the manufacturer. Each hardware manufacturer has been assigned a range of MAC addresses to use, and each MAC address that has ever been assigned to a physical network inte rface card (NIC) is globally unique because it allows the underlying communication protocols to select the right system for network communications (although virtual MAC addresses may be used in more th an one place because although the algorithms used to generate them are similar and can start with the same reference values, as long as the same two MACs do not appear on the same network segment, they will work). IPv4 addresses are 32 -bit numbers assigned by your network administrator that allow for the crea tion of logical and ordered addressing on a local network. IPv6 addresses are 128 -bit, but like IPv4, each IP address must be unique on a given network. To send traffic, a device must have the destination device’s IP address as well as a MAC address. Knowi ng the destination device’s host name, the sending device can obtain the destination device’s IP address using protocols such as Domain Name munotes.in
Page 84
84 Security in Computing Service (DNS). To ascertain a MAC address, the host uses the Address Resolution Protocol (ARP), which functions by s ending a broadcast message to the network that basically says, “Who has 192.168.2.10, tell 192.168.2.15.” If a host receives that broadcast and knows the answer, it responds with the MAC address: “ARP 192.168.2.10 is at ab:cd:ef:00:01:02.” Does this sound like an overly trusting protocol? It was designed by people who had no reason to think anybody would ever abuse it. However, note that no authentication or verification is done for any ARP replies that are received. This facilitates an attack known as ARP poisoning. ARP poisoning is one of the most effective and hard -to-defend attack techniques still in widespread use today. 5.5.3 TCP/IP : The fundamental purpose of TCP/IP is to provide computers with a method of transmitting data from one computer to anoth er over a network. The purpose of a firewall is to control the passage of TCP/IP packets between hosts and networks. TCP/IP is a suite of protocols and applications that perform discrete functions corresponding to specific layers of the Open Systems Inter connection (OSI) model. Data transmission using TCP/IP is accomplished by independently transmitting blocks of data across a network in the form of packets, and each layer of the TCP/IP model adds a header to the packet. Depending on the firewall technolog y in use, the firewall will use the information contained in these headers to make access control decisions. If the firewall is application -aware, as application gateways are, access control decisions can also be made on the data portion or payload of the packet.
Figure 5.2 The TCP/IP model and the OSI reference model munotes.in
Page 85
85 Secure Network Design, Network Device Security 5.5.4 Brief Overview of the OSI Layer : The OSI model uses a seven -layer structure to represent the transmission of data from an application residing on one computer to an application residin g on another computer. TCP/IP does not strictly follow the seven - layer OSI model, having integrated the upper OSI layers into a single application layer. Figure 5.2 shows a graphical representation of the OSI reference model and its relationship to the TCP /IP implementation.
Figure 5.3 OSI Model 1. Physical Layer : The physical layer is responsible for the physical cable or wireless connection between network nodes. It defines the connector, the ele ctrical cable, or wireless technology connecting the devic es, and is responsible for the t ransmission of the raw data, which is simply a series of 0s and 1s while taking care of bit rate control. 2. Data Link Layer : The data link layer establishes and terminates a connection between two physically -connected nodes on a network. It breaks up packets into frames and sends them from source to destination. This layer is composed of two parts —Logical Link Control (LLC), which identifies network protocols, performs er ror checking, and synchronizes frames, and Media Acces s Control (MAC) which uses MAC addresses to connect devices and define permissions to transmit and receive data. 3. Network Layer : The network layer has two main functions. One is breaking up segments into network packets and reassembling the packets on th e receiving end. munotes.in
Page 86
86 Security in Computing The other is routing packets by discovering the best path across a physical network. The network layer uses network addresses (typically Internet Protocol addresses) to route packets to a destination node. 4. Transport Layer : The transport layer takes data transferred in the session layer and breaks it into “segments” on the transmitting end. It is responsible for reassembling the segments on the receiving end, and turning them back into data that can be used by the session layer. The trans port layer carries out flow control, sending data at a rate that matches the connection speed of the receiving device, and error control, checking if data was received incorrectly and if not, request it again. 5. Session Layer : The session layer creates co mmunication channels called sessions between devices. It is responsible for opening sessions and ensuring they remain open and functional while data is being transferred and closing them when communication ends. The session layer can also set checkpoints d uring a data transfer —if the session is interrupted, devices can resume data transfer from the last checkpoint. 6. Presentation Layer : The presentation layer prepares data for the application layer. It defines how two devices should encode, encrypt and co mpress data so it is received correctly on the other end. The presentation layer takes any data transmitted by the application layer and prepares it for transmission over the session layer. 7. Application Layer : The application layer is used by end -user s oftware such as web browsers and email clients. It provides protocols that allow the software to send and receive information and present meaningful data to users. A few examples of application layer protocols are the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), and Domain Name System (DNS). 5.5.5 Hubs : Hubs were dumb devices used to solve the most basic connectivity issue: how to connect more than two devices together. They transmitted packets between devices connected to them, and they functioned by retransmitting each and every packet received on one port out through all of its other ports without storing or remembering any information about the hosts connected to them. Th is created scalability problems for legacy half - duplex Ethernet networks, because as the number of connected devices and volume of network communications increased, collisions became more frequent, degrading performance. munotes.in
Page 87
87 Secure Network Design, Network Device Security A collision occurs when two devices transmit a packet onto the network at almost the exact same moment, causing them to overlap and thus mangling them. When this happens, each device must detect the collision and then retransmit its packet in its entirety. As more devices are attached to th e same hub, and more hubs are interconnected, the chance that two nodes transmit at the same time increases, and collisions became more frequent. In addition, as the size of the network increases, the distance and time a packet is in transit over the netwo rk also increase making collisions even more likely. Thus, it is necessary to keep the size of such networks very small to achieve acceptable levels of performance. 5.5.6 Switches : Switches are the evolved descenda nts of the network hub. A network switch c onnects devices within a network (often a local area network, or LAN) and forwards data packets to and from those devices. Switches were developed to overcome the historical performance shortcomings of hubs. Switches are more intelligent devices that lear n the various MAC addresses of connected devices and transmit packets only to the devices they are specifically addressed to. Since each packet is not rebroadcast to every connected device, the likelihood that two packets will collide is significantly redu ced. In addition, switches provide a security benefit by reducing the ability to monitor or “sniff” another workstation’s traffic. With a hub, every workstation would see all traffic on that hub; with a switch, every workstation sees only its own traffic.
Figure 5.4 Switch A local area network (LAN) is a group of connected devices within close physical proximity. Home WiFi networks are one common example of a LAN. When the source wants to send the data packet to the destination, the packet first enters the switch and the switch reads its header and finds the MAC address of the destination to identify the device then it sends the packet out through the appropriate ports that lead to the destination devices. Switch establishes a temp orary connection between the source and destination for communication and terminates the connection once the conversation is done. Also, it offers full bandwidth to network traffic going to and from a device at the same time to reduce collision. munotes.in
Page 88
88 Security in Computing 5.5.7 Rout ers: A router is a device that communicates between the internet and the devices in your home that connect s to the internet. As its name implies, it “routes” traffic between the devices and the internet. A router is a key part of your home’s internet netwo rk. Your laptop, smartphone, smart TV, and other devices can connect to your home Wi -Fi. Routers are primarily used to move traffic between different networks, as well as between different sections of the same network. Routers learn the locations of variou s networks in two different ways: dynamically via routing protocols and manually via administratively defined static routes. Networks usually use a combination of the two to achieve reliable connectivity between all necessary networks.
Figure 5.5 Router 5.6 NETWORK HARDENING There are several configuration steps that you can take to ensure the proper operation of your routers and switches. These steps include applying patches as well as taking the time to configure the device for incre ased security. The more steps and time you take to patch and harden a device, the more secure it will be. You should apply patches and updates released by the product vendor in a timely manner. Quick identification of potential problems and installation o f patches to address newly discovered security vulnerabilities can make the difference between a minor inconvenience and a major security incident. To receive timely notification of such vulnerabilities, subscribe to your vendor’s e - mail notification servi ces, as well as to general security mailing lists. You will want to keep a special eye out for knowledge base (KB) articles and release notes, which describe changes in device behavior and default settings from one code version to another, in addition to s pecific vulnerabilities or code bugs being addressed. Ignoring these details can cause potential security issues on your network by negating previous steps you’ve taken to secure your devices. munotes.in
Page 89
89 Secure Network Design, Network Device Security 5.7 SUMMARY The ultimate goal of network security is to enable authorized communications while mitigating information risk to acceptable levels. Design elements such as segregating and isolating high -risk or other sensitive assets as well as defining and maintaining a strong network perimeter go a long way toward achi eving those goals. As networks become ever more interconnected, a thorough and strongly typed network architecture/design will be required to achieve and maintain a well - secured network. Routers and switches provide a number of mechanisms that, when proper ly implemented, increase the overall security and performance of the local network. 5.8 QUESTIONS 1. Explain different layers of OSI Model. 2. What is IP Address? 3. Define MAC address. 4. Define switch and routers. 5.9 REFERENCES The Complete Reference: Information Security, Mark Rhodes -Ousley, McGrawHill, Second Edition. https://www.imperva.com/learn/application -security/osi -model/
***** munotes.in
Page 90
90 6 FIREWALLS Unit Structure 6.0 Objectives 6.1 Introduction 6.2 Overview 6.2.1 The Evolution of Firewalls 6.2.2 Application Control 6.2.3 When Applications Encrypt 6.3 Must -Have Firewall Features 6.4 Core Firewall Functions 6.5 Additional Firewall Capabilities 6.6 Firewall Design 6.7 Types of Attack 6.8 Firewall Strengths and Weaknesses 6.8.1 Firewall Strengths 6.8.2 Firewall Weaknesses 6.9 Firewall Placement 6.10 Firewall Configuration 6.11 Top three risks of not having a firewall 6.12 Summary 6.13 Questions 6.14 Reference 6.0 OBJECTIVES To learn basics of f irewall Firewall features and functions Firewall Configuration Tops risks of not having a firewall 6.1 INTRODUCTION Firewalls have been the most popular and important tools used to secure networks since the early days of interconnected computers. The basic function of a firewall is to screen network traffic to prevent unauthorized access between computer networks. munotes.in
Page 91
91 Firewalls 6.2 OVERVIEW Firewalls are the first line of defense between the internal network and untrusted networks like the Internet. We should think about firewalls in terms of what you need to protect, so we will achieve the right level of protection for our environment. First introduced conceptually in the late 1980s in a whitepaper from Digital Equipment Corporation, “firewalls” provided a then new and important function to the rapidly growing networks of the day. Befor e dedicated hardware was commercially available, router -based access control lists were used to provide basic protection and segregation for networks. However, they proved to be inadequate as emerging malware and hacking techniques rapidly developed. Conse quently, firewalls evolved over time, so their functionality moved up the OSI stack from layer three to layer seven.
Figure 6.1 Firewall 6.2.1 The Evolution of Firewalls : First -generation firewalls were simply permit ted/deny engines for layer three traff ic, working much like a purposed access control list appliance. Originally, first -generation firewalls were primarily used as header -based packet filters, capable of understanding source and destination information up to OSI layer four (ports). However, th ey could not perform any “intelligent” operations on the traffic other than “allow or deny it from this predefined source IP address to this predefined destination IP address on these predefined TCP and UDP ports.” Second -generation firewalls were able to keep track of active network sessions, putting their functionality effectively at layer four. These were referred to as stateful firewalls or, less commonly, circuit gateways. When an IP address (for example, a desktop computer) is connected to another IP address (say, a web server) on a specific TCP or UDP port, the firewall would enter these identifying characteristics into a table in its memory. This allowed the firewall to keep track of network sessions, which could give it the capability to block man -in-the-middle (MITM) attacks from other IP addresses. In some sophisticated firewalls, a high -availability (HA) pair could swap session tables so that if one firewall failed, a network session could resume through the other firewall. munotes.in
Page 92
92 Security in Computing The third generation of firewalls ventured into the application layer i.e . layer seven. These “application firewalls” were able to decode data inside network traffic streams for certain well -defined, preconfigured applications such as HTTP (the language of the web), DNS (the pro tocol for IP address lookups), and older, person -to-computer protocols such as FTP and Telnet. Generally, they were unable to decrypt traffic, so they were unable to check protocols like HTTPS and SSH. They were designed with the World Wide We b in mind, wh ich made them well -suited to detect and block web site attacks that were generating a great deal of concern at the time, like cross -site scripting and SQL injection. Consider these in comparison to today’s current generation of firewalls (commonly termed th e fourth generation), which have the intelligence and capability to look inside packet payloads and understand how applications function. As silicon has increased in speed, advanced router -based firewalls exist today that can provide IP inspection as a sof tware component of a multipurpose router, although they do not provide the speed or sophistication of today’s industrial -strength firewalling solutions. In addition, unified threat management (UTM) devices have combined sophisticated, application -layer fir ewalling capability with antivirus, intrusion detection and prevention, network content filtering, and other security functions. These are true layer seven devices. Fourth -generation firewalls can run application -layer gateways, which are specifically desi gned to understand how an application should function and how its traffic should be constructed. There are fifth -generation firewalls, which are internal to hosts and protect the operating system kernel, and some sixth -generation firewalls have been descri bed (meta firewalls), but most network appliances you will find today fall into the generally accepted fourth -generation firewall definition. Some manufacturers call their devices “next -generation firewalls” or “zone - based firewalls,” and these essentially function under the same guiding principles of the fourth -generation designs. In this chapter, we primarily focus on fourth -generation firewalls and the key functionality that they enable. 6.2.2 Application Control : Firewalls have been intended to handle a pplication traffic. Some applications are authorized, and some aren’t. For example, web t raffic outbound to Internet web sites is commonly permitted, while some types of peer-to-peer software are not. On those applications that are allowed, certain behavior s are allowed within the application and others aren’t. For instance, web -based meeting and collaboration software might be approved for use on the Internet, but the file -sharing capabilities might be restricted. First and second -generation firewalls could restrict simple applications that functioned on well -known ports. Ba ck then, applications were well - behaved, communicating o n assigned ports that were well -documented, so they were easy to control. But application developers did not always want munotes.in
Page 93
93 Firewalls to be subj ect to control, so they devised a simple but effective way to get through the firewall —use port 80. This is known as “tunneling” or “circumventing.” Since web traffic uses the HTTP protocol over TCP port 80, it had to be allowed to pass through the firewal l unrestricted. There was no practical way to keep track of the millions of IP addresses on the Internet, so applications could freely communicate and their developers were happy. But then application firewalls came along. These devices could observe the c ontents of the HTTP traffic traversing port 80 and determ ine whether it consisted of website -to-browser requests and responses, or something else tunneling through from an application on a local workstation to a remote server. This provided a rudimentary a bility to block applications that were prohibited by security policies, but it didn’t usually help with controlling application behavior such as allowing voice but not video, or transfer of document files but not photos and movies. Security administrators were concerned about different types of software that could violate security policies, such as: Peer -to-peer file sharing: Direct system -to-system communication from an inside workstation to another workstation on the Internet could leak confidential docum ents, or expose the organization to liability from music and movie copyright violations. Browser -based file sharing : Web sites that provide Internet file storage via a web browser, allow trusted people inside an organization’s network to copy files outside the security administrator’s area of control. Web mail : Mail services with the ability to add file a ttachments to messages provide a path to theft and leakage of confidential materials. Internet proxies and circum vents: Service s running on the Internet o r local workstations are explicitly designed to bypass security controls like web filtering. Remote access : Remote administration tools are normally used by system administrators to support internal systems from the Internet, which could be abused by Internet attackers. None of these were easy to control using application -aware firewalls, which could only block broad categories of applications from functioning, or the Internet addresses they needed to connect to, but never with 100 percent effectiveness. T hat’s where fourth -generation firewalls come in. These devices have advanced heuristic application detection and behavior munotes.in
Page 94
94 Security in Computing management capabilities. Circumventing network security controls by using allowed ports isn’t effective anymore. Until application dev elopers come up with a new way to circumvent the firewall, the security administrator is back in control. 6.2.3 When Applications Encrypt: Applications that want to bypass firewalls may encrypt their traffic. This makes the firewall’s job more difficult by rendering most of the communication unreadable. Blocking all encrypted traffic isn’t feasible except in highly restricted environments where security is more important than application functionality, and a “permit by exception” policy blocks all encrypted application traffic except for that on a whitelist of allowed, known applications. However, controlling application communications can still be done even if traffic is encrypted, by some of the more advanced fourth -generation firewalls. Applications are easiest to identify by the unique signatures inside their data streams, but there are other identifying features as well. Most have a “handshake protocol” that governs the start of a session, and these usually have an identifiable pattern. Many also have i dentifiable IP addresses on the Internet they communicate with. Even traffic pattern analysis is possible with advanced heuristic capabilities. A lot of information can be gleaned just from the frequency, size, and timing of communications. Applications th at encrypt their network traffic can be controlled by fourth - generation firewalls, although it’s easier to permit or deny the entire application than it is to control the specific functions within it. Today’s fourth -generation firewalls have extensive list s of known applications based on extensive research and analysis ready to drag and drop into a policy configuration. 6.3 MUST -HAVE FIREWALL FEATURES Today’s firewalls are expected to do much more than simply block traffic based on the outward appearance of the traffic (such as the TCP or UDP port). As applications have become increasingly complex and adaptive, the firewall has become more sophisticated in an attempt to control those applications. You should expect at least the following capabilities from your firewall. Application Awareness : The firewall must be able to process and interpret traffic at least from OSI layers three through seven. At layer three, it should be able to filter by IP address; at layer four by port; at layer five by network sessions ; at layer six by data type, and most significantly, at layer seven to properly manage the communications between applications. munotes.in
Page 95
95 Firewalls Accurate Application Fingerprinting : The firewall should be able to correctly identify applications, not just based on their out ward appearance, but by the internal contents of their network communications as well. Correct application identification is necessary to ensure that all applications are properly covered by the firewall policy configuration. Granular Application Control : In addition to allowing or denying communication among applications, the firewall also needs to be able to identify and characterize the features of applications so they can be managed appropriately. File transfer, desktop sharing, voice and video, and in -application games are examples of potentially unwanted features that the firewall should be able to control. Bandwidth Management (QoS) : The Quality of Service (QoS) of preferred applications, which might include Voice over IP (VoIP) for example, can be ma naged through the firewall based on real -time network bandwidth availability. If a sporting event is broadcast live via s treaming video on a popular web site, your firewall should be able to proactively limit or block access so all those people who want to watch it don’t bring down your network. The firewall should integrate with other network devices to ensure the highest possible availability for the most critical services. 6.4 CORE FIREWALL FUNCTIONS Due to their placement within the network infrastructu re, firewalls are ideally situated for performing certain functions in addition to controlling application communication. These include Network Address Translation (NAT), which is the process of converting one IP address to another, and traffic logging . Network Address Translation (NAT) : The primary version of TCP/IP used on the Internet is version 4 (IPv4). Version 4 of TCP/IP was created with an address space of 32 bits divided into four octets, mathematically providing approximately four billion address es. Strangely enough, this is not sufficient. A newer version of IP, called IPv6, has been developed to overcome this address -space limitation, but it is not yet in widespread deployment. To conserve IPv4 addresses, RFC 1918 specifies blocks of addresses that will never be used on the Internet. These network ranges are referred to as “private” networks and are identified in Table 6.1. This allows organizations to use these blocks for their corporate networks without worrying about conflicting with an Inter net network. However, when these networks are connected to the Internet, they must translate their private IP network addresses into public IP addresses (NAT) to be routable. By munotes.in
Page 96
96 Security in Computing doing this, a large number of hosts behind a firewall can take turns or share a few public addresses when accessing the Internet.
Table 6.1 Private Addresses Specified in RFC 1918
Figure 6.2 Network Address Translation NAT is usually implemented separately from the policy or rule set in a firewall . It is useful to remember that just because a NAT has been defined to translate addresses between one host and another; it does not mean those hosts will be able to communicate. This is controlled by the policy defined in the firewall rule set. When hosts have both public and private IP addresses, the IP information contained within a packet header will change depending on where the packet is viewed. For this discussion, the addresses when viewed on the trusted side of the firewall will be referred to as local addresses. Once the packet crosses the firewall and is translated, the addresses will be called the host’s global addresses. These terms, as depicted in Figure 6.2, will be used in the following sections to describe the various types and nuances of NAT. In this figure and the other figures in this chapter, the abbreviations “DA” and “SA” refer to “destination address” and “source address” respectively. Static NAT : A static NAT configuration always results in the same address translation. The host is defined with one local address an d a corresponding global address in a 1:1 relationship, and they don’t change. The static NAT translation rewrites the source and destination IP addresses as required for each packet as it travels through the firewall. No other part of the packet is affect ed. This is typically used for internal servers that need to be reachable from the Internet reliably on an IP address that doesn’t change. See Figure 6.3 munotes.in
Page 97
97 Firewalls
Figure 6.3 NAT replacing global terms with actual IP addresses Because of this simplistic approach, most protocols will be able to traverse a static NAT without problems. The most common use of static NAT is to provide Internet access to a trusted host inside the firewall perimeter, or inbound access to a specific host, such as a web server that needs to be accessible via a public IP address. Dynamic NAT : Dynamic NAT is used to map a group of inside local addresses to one or more global addresses. The global address set is usually smaller than the number of inside local addresses, and the conservation of addresses intended by RFC 1918 is accomplished by overlapping this address space. Dynamic NAT is usually implemented by simply creating static NATs when an inside host sends a packet through the firewall. The NAT is then maintained in the firewall tables until some event causes it to be terminated. This event is often a timer that expires after a predefined amount of inactivity from the inside host, thus removing the NAT entry. This address can then be reused by a different host. One advantage of dynamic N AT over static NAT is that it provides a constantly changing set of IP addresses from the perspective of an Internet -based attacker, which makes targeting individual systems difficult. The greatest disadvantage of dynamic NAT is the limit on the number of concurrent users on the inside who can access external resources simultaneously. The firewall will simply run out of global addresses and not be able to assign new ones until the idle timers start freeing up global addresses. Port Address Translation : With Port Address Translation (PAT), the entire inside local address space can be mapped to a single global address. This is done by modifying the communication port addresses in addition to the source and destination IP addresses. Thus, the firewall can use a single IP address for multiple communications by tracking which ports are associated with which sessions. In the example depicted in Figure 6.4, the sending host initiates a web connection on source port 1045. When the packet traverses the firewall, in a ddition to replacing the source IP address, the firewall translates the source port to port 5500 and creates an entry in a mapping table for use in translating future packets. When the firewall receives a packet back for destination port 5500, it will know how to translate the munotes.in
Page 98
98 Security in Computing response properly. Using this system, thousands of sessions can be PATed behind a single IP address simultaneously.
Figure 6.4 an example of Port Address Translation PAT provides an increased level of security because it cannot be u sed for incoming connections. However, a downside to PAT is that it limits connection -oriented protocols, such as TCP. Some firewalls will try to map UDP and ICMP connections, allowing DNS, Network Time Protocol (NTP), and ICMP echo replies to return to the proper host on the inside network. However, even those firewalls that do use PAT on UDP cannot handle all cases. With no defined end of the session, they will usually time out the PAT entry after some predetermined time. This timeout period must be set to be relatively short (from seconds to a few minutes) to avoid filling the PAT table (although, on modern firewalls, the tables used for these sessions, commonly called translation tables, can frequently handle tens of thousands or even millions of sessio ns). Connection -oriented protocols have a defined end -of-session built into them that can be picked up by the firewall. The timeout period associated with these protocols can be set to a relatively long period (hours or even days). Auditing and Logging : Firewalls are excellent auditors. Given plenty of disk space or remote logging capabilities, they can record any traffic that passes through them. Attack attempts will leave the evidence in logs, and if administrators are watching systems diligently, attac ks can be detected before they are successful. Therefore, system activity must be logged and monitored. Firewalls should record system events that are both successful and unsuccessful. Verbose logging and timely reviews of those logs can alert administrato rs for any suspicious activity before a serious security breach occurs. Since this can generate a huge volume of log traffic, the logs are best sent to a Security Information and Event Management (SIEM) system that can filter, analyze and perform heuristic behavior detection to help the network and security administrators. munotes.in
Page 99
99 Firewalls 6.5 ADDITIONAL FIREWALL CAPABILITIES Modern firewall s can do more than just manage application communications and behaviors; they can also assist in other areas of network quality and per formance. Features vary by manufacturer and brand, but you will probably find that you can solve other problems in your environment with the same firewall you use to secure network traffic. Application and Website Malware Execution Blocking : In the old day s (just a few years ago), viruses required a user to click on some disguised link or button to execute. If the end users were sophisticated enough to recognize the virus writers’ tricks, these viruses wouldn’t get very far. Modern malware can execute and s pread itself without the intervention of end users. Through automatic, browser -based execution of code (via ActiveX or Java, for example), simply opening a web page can activate a virus. Adobe PDF files can also transmit malware, due to their extensive und erlying application framework. Firewalls with advanced anti -malware capabilities should be able to detect these “invisible” malware vectors and stop them in their tracks. They should also be able to block the communication “back home” to a command and control (CnC) server once malware successfully implants itself on a victim system and tries to reach back to its controller for instructions. Antivirus : Firewalls that are sophisticated enough to detect malware can (and should) block it on the network. Worms t hat try to propagate and spread themselves automatically on the network, and malware that tries to “phone home,” can be stopped by the firewall, confining their reach. Malware control solutions should be layered, and the firewall can form an important comp onent of a network -based malware -blocking capability to complement your organization’s endpoint antivirus software. Intrusion Detection and Intrusion Prevention : Firewalls can provide IDS and IPS capabilities at the network perimeter, which can be a useful addition or substitution for standard purpose -built intrusion detection and prevention systems, especially in a layered strategy. Web Content (URL) Filtering and Caching : The firewall is optimally positioned on the network to filter access to websites (be tween an organization’s internal networks and the Internet). You can choose to implement a separate URL filtering system or service, or you can get a firewall that has the built-in capability. Today’s firewalls are demonstrating web content filtering capab ilities that rival those of purpose -built systems, so you may be able to save money by doing the filtering on the firewall —especially if it doesn’t cost extra. munotes.in
Page 100
100 Security in Computing E-Mail (Spam) Filtering : As with web content filtering, modern firewalls can subtract spam from your e -mail messages before they get delivered to your mail server. You can sign up for an external service or buy a purpose -built spam filter instead, but with a firewall that includes this capability, you have another option. Enhance Network Performance : Firewalls need to run at “wire speed” —fast enough to avoid bottlenecking application traffic. They should be able to perform all the functions that have been enabled without impacting performance. In addition, firewalls should be able to allocate network bandwidth to the most critical applications to ensure QoS, without sacrificing filtering functionality. As firewall features continue to become more sophisticated, the underlying hardware needs to keep up. If your network has a low tolerance for performanc e impact, you’ll want to consider firewall platforms that are built for speed. 6.6 FIREWALL DESIGN Firewalls may be software -based or, more commonly, purpose -built appliances. Sometimes the firewalling functions are provided by a collection of several diff erent devices. The specific features of the firewall platform and the design of the network where the firewall lives are key components of securing a network. To be effective, firewalls must be placed in the right locations on the network and configured ef fectively. Best practices include All communications must pass through the firewall. The effectiveness of the firewall is greatly reduced if an alternative network routing path is available; unauthorized traffic can be sent through a different network pat h, bypassing the control of the firewall. Think of the firewall in terms of a lock on your front door. It can be the best lock in the world, but if the back door is unlocked, intruders don’t have to break the lock on the front door —they can go around it. T he door lock is relied upon to prevent unauthorized access through the door, and a firewall is similarly relied upon to prevent access to your network. The firewall permits only traffic that is authorized. If the firewall cannot be relied upon to different iate between authorized and unauthorized traffic, or if it is configured to permit dangerous or unneeded communications, its usefulness is also diminished. In a failure or overload situation, a firewall must always fail into a “deny” or closed state, under the principle that it is better to interrupt communications than to leave systems unprotected. The firewall must be designed and configured to withstand attacks upon itself. Because the firewall is relied upon to stop attacks, and munotes.in
Page 101
101 Firewalls nothing else is deployed to protect the firewall against such attacks, it must be hardened and capable of withstanding attacks directly upon itself. 6.7 TYPES OF ATTACK Before determining exactly what type of firewall you need, you must first understand the nature of security th reats that exist. The Internet is one large community, and as in any community , it has both good and bad elements. The bad elements range from incompetent outsiders who do damage unintentionally, to proficient, malicious hackers who mount deliberate assaul ts on companies using the Internet as their weapon of choice. Generally, there are three types of attack that could potentially affect your business: Information theft : Stealing a company’s confidential information such as employee records, customer recor ds, or company’s intellectual property. Information sabotage : Changing information to damage an individual or company’s reputation, such as changing employee ’s medical or educational records or uploading derogatory content onto your website. Denial of se rvice (DoS) : Bringing down your company’s network or servers so that legitimate users cannot access service and normal company operations such as production are impeded. 6.8 FIREWALL STRENGTHS AND WEAKNESSES A firewall is just one component of an overall security architecture. Its strengths and weaknesses should be taken into consideration when designing network security. 6.8.1 Firewall Strengths : Consider the f ollowing firewall strengths while designing network security: Firewalls are excellent at enforci ng security policies. They should be configured to restrict communications to what management has determined and agreed with the business to be acceptable. Firewalls are used to restrict access to specific services. Firewalls are transparent on the network —no software is needed on end-user workstations. munotes.in
Page 102
102 Security in Computing Firewalls can provide auditing. Given plenty of disk space or remote logging capabilities, they can log interesting traffic that passes through them. Firewalls can alert appropriate people of specified event s. 6.8.2 Firewall Weaknesses : You must also consider the following firewall weaknesses when designing network security: Firewalls are only as effective as the rules they are configured to enforce. An overly permissive rule set will diminish the effectivene ss of the firewall. Firewalls cannot stop social engineerin g attacks or authorized users intentionally using their access for malicious purposes. Firewalls cannot enforce security policies that are absent or undefined. Firewalls cannot stop attacks if the traffic does not pass through them. 6.9 FIREWALL PLACEMENT A firewall is usually located at the network perimeter, directly between the network and any external connections. However, additional firewall systems can be located inside the network perimeter t o provide more specific protection to particular hosts with higher security requirements. 6.10 FIREWALL CONFIGURATION When building a rule set on a firewall, consider the following practices: Build rules from most to least specific. Most firewalls process t heir rule sets from top to bottom and stop processing once a match is made. Putting more specific rules on top prevents a general rule from hiding a specific rule further down the rule set. Place the most active rules near the top of the rule set. Screenin g packets is a processor -intensive operation, and as mentioned earlier, a firewall will stop processing the packet after matching it to a rule. Placing your popular rules first or second, instead of 30th or 31st, will save the processor from going through over 30 rules for every packet. In situations where millions of packets are being processed and rule sets can be thousands of entries in length, CPU savings could be considerable. Configure all firewalls to drop “impossible” or “unroutable” packets from th e Internet such as those from an outside interface with source addresses matching the internal network, RFC 1918 “private” IP addresses, and broadcast packets. None of these would be expected from the Internet, so if they are seen, they represent unwanted traffic such as that produced by attackers. munotes.in
Page 103
103 Firewalls 6.11 TOP THREE RISKS OF NOT HAVING A FIREWALL While having a firewall won't ensure that your business will be safe from all manner of attacks, the consequences of not having one are exponentially worse. Look belo w at the top three risks of not having a firewall: 1. Unlimited Public Access :
Not having a firewall is practically the same as leaving your front door wide open. It's like you're inviting criminals to hack into your network -- and they will. A business without a firewall is easy pickings, as it means everyone can gain access to their network, and they will have no way of monitoring potential threats and untrustworthy traffic. 2. Unrestricted Data Access :
If anyone can waltz into your IT network, they a re free to access all your data. Now, if you think that your small business doesn't have to worry because the data you generate doesn't have value outside your organization, you should seriously reconsider. Your data is valuable and cybercriminals know it. Without a firewall, you a re giving attackers free rein over your information. With that, they can choose to steal your data, leak it to the public, encrypt it and hold it for ransom, or simply delete it. Failing to protect your network with a firewall is n't just a mistake that can cost you a lot of money; it can cost you your business. munotes.in
Page 104
104 Security in Computing 3. Network Downtime :
One of the worst possible scenarios you can encounter without a firewall is total network collapse. Without adequate protection, malicious criminals can effectively shut your business down. And that can result in catastrophic damage to your business. Not only can you lose data, but it might also take days or even weeks before your systems can be brought back up and running. 6.12 SUMMARY This chapter p rovided an in -depth overview of firewalls, their relevance to applications and OSI layer seven, and their roles in protecting the network. Good security practices dictate that firewalls should be deployed between any two networks of differing security requ irements; this includes perimeter connections, as well as connections between sensitive internal networks. 6.13 QUESTIONS 1. Explain the Firewall in detail. 2. Explain Firewall functions. 3. List Firewall Strength s and Weakness. 6.14 REFERENCE S The Complete Referen ce: Information Security, Mark Rhodes -Ousley, McGrawHill, Second Edition.
*****
munotes.in
Page 105
105 7 WIRELESS NETWORK SECURITY Unit Structure 7.0 Objectives 7.1 Introduction 7.2 Radio Frequency Security Basics 7.2.1 Security Benefits of RF Knowledge 7.2.2 Layer One Security Solutions 7.3 Data -Link Layer Wireless Security Features, Flaws , and Threats 7.3.1 802.11 and 802.15 Data -Link Layer in a Nutshell 7.3.2 802.11 and 802.15 Data -Link Layer Vulnerabilities and Threats 7.3.3 Closed -System SSIDs, MAC Filtering, and Protocol Filtering 7.3.4 Built -in Bluetooth Network Data -Link Security and Threats 7.4 Wireless Vulnerabilities and Mitigations 7.4.1 Wired Side Leakage 7.4.2 Rogue Access Points 7.4.3 Misconfigured Access Points 7.4.4 Wireless Phishing 7.4.5 Client Isolation 7.5 Wireless Network Positioning and Secure Gateways 7.6 Summary 7.7 Questions 7.8 Reference 7.0 OBJECTIVES To learn Radio Frequency Security Basics Data -Link Layer Wireless Security Features, Flaws , and Threats Wireless Vulnerabilities and Mitigations Wireless Network Positioning and Secure Gateways 7.1 INTRODUCTION Wireless network security is the process of designing, implementing , and ensuring security on a wireless computer network. It is a subset of network security that adds protection for a wireless computer network. This ch apter covers how wireless networking works —because securing a wireless network requires understanding how protocols and signals work —along with wireless threats and countermeasures. We focus on the 802.11 family of wireless LAN protocols collectively known as Wi -Fi, munotes.in
Page 106
106 Security in Computing commonly found in many organizations and households. Wireless security has improved significantly over the past several years, through the use of advanced encryption and access control methods, which means the low - security and simple Wi -Fi targe ts from ten years ago, are no longer prevalent. Securing a wireless network today can be done through the features of the Wi -Fi products themselves, to the point that today your wireless network will probably be more secure than your wired LAN. The focus o f this chapter is on protecting wireless local area networks . 7.2 RADIO FREQUENCY SECURITY BASICS In the field of information security, it is an accepted fact that in order to defend against attacks, you have to understand what you’re defending. Unfortun ately, this fact is not well understood in wireless networking in general because many network s and IT security professionals lack essential knowledge about radio technology. At the same time, radio frequency (RF) experts who switch to the IT field may not be familiar with networking protocols, in particular, complex security -related protocols such as IPSec. 7.2.1 Security Benefits of RF Knowledge : The following sections describe the security benefits of understanding RF fundamentals. Proper Network Desig n: Security must be taken into account at the earliest stage of network planning and design. This applies to wireless network design even more than to its wired sibling. Poorly designed wireless networks are unfortunately quite common and easy for attacker s to spot; they possess low resistance to attacks and tend to slow down to a standstill if network traffic overhead is increased by VPN deployment and rich content such as streaming voice and video. The Principle of Least Access : Your wireless LAN (WLAN) should provide coverage where users need it and not anywhere else. The WLAN must be installed and designed in such a way as to encompass your premises’ territory and minimize outside signal leakage as much as possible. This ensures that potential attacker s have less opportunity to discover your network, less traffic to collect and eavesdrop on, and lower bandwidth to abuse, even if they are successful at circumventing y our security measures and managing to associate with the network. It also means the atta cker has to stay close to your offices, which makes triangulating and/or physical and video surveillance (CCTV) detection of wireless attackers more likely to succeed. Distinguishing Security Violations from Malfunctions : Is it radio interference, or has someone launched a DoS attack? Are these SYN TCP packets coming because the sending host cannot receive SYN -munotes.in
Page 107
107 Wireless Network Security ACK properly, or is an attacker trying to flood your servers? Why are there so many fragmented packets on the network? Is an attacker running a scanning tool, or is your wireless LAN’s maximum transmission unit (MTU) value, which limits the size of network packets, causing frequent retransmits when large packets are sent? The answer is not always obvious. Attacks and malfunctions can appear identical. Most problems on wireless networks can be traced to layer one connectivity issues. Some problems can be caused by neighboring wireless LANs. You shouldn’t transmit on the same frequency as your neighbors or one close to it for at least two reasons: interf erence and the risk of your neighbor accidentally tapping into your data. Compliance with FCC Regulations : You don’t want to get in trouble with the Federal Communications Commission (FCC) in the United States or its equivalents abroad. Because wireless L AN devices operate in unlicensed bands, these wireless networks can break regulations only by using inappropriately high transmission power. In addition to creating possible legal problems, very high transmission power may send your data further than it ne eds to go, as discussed in the previous section. 7.2.2 Layer One Security Solutions: Most issues pertaining to wireless network layer one security can be solved by tuning the transmitter’s output power, choosing the right frequency, selecting the correct a ntennas , and positioning those antennas in the most appropriate way to prov ide a quality link wherever needed while limiting your network’s “fuzzy” borders. Proper implementation of these measures requires knowledge of RF behavior, transmitter power estima tion and calculations , and antenna concepts. Most enterprise controller -based systems with lightweight access points (LWAPs —basically dummies that take all instructions from a central controller) have features like auto frequency switching/hopping, which allows access points to choose the ideal radio frequency depending on current conditions, and dynamic power sensing and adjustment, which raises or lowers the power of the signal so that the communication is optimized without being too weak or too strong. S ome systems even have add-on components that can perform real -time frequency management and can use an access point as a “sampler” or air monitor to read the environment around it to provide feedback on how “busy” the air is. Importance of Antenna Choice a nd Positioning: A radio frequency signal is a high -frequency alternating current (AC) passed along the conductor and radiated into the air via an antenna. The emitted waves propagate away from the antenna in a straight line and form RF beams or lobes, whic h are dependent on antenna horizontal and vertical beam -width values. There are three generic types of antennas, which can be further divided into subtypes: munotes.in
Page 108
108 Security in Computing
Antennas are the best friends of wireless network designers, administrators , and consultants . They can also be their worst enemy in the hands of a skillful attacker. They can increase the range of your wireless signal and capture higher volumes of data which the attacker should manage to associate with the target network. Examples of antenna irradiati on patterns are given in Figure 7.1. When choosing necessary antennas, you need to consider antenna irradiation patterns. Get it right, and your coverage is exactly where you need it. Get it wrong, and you’ll have dead areas where no one can connect, or yo u’ll exceed the normal boundaries of your environment and broadcast your network beyond reasonable boundaries. When planning network coverage, remember that irradiation happens in two planes: horizontal and vertical. Try to envision the coverage zone in three dimensions: for example, an omnidirectional beam forms a doughnut -shaped coverage zone with the antenna going vertically through the center of the “doughnut” hole. Sectorized, patch and , panel antennas form a “bubble” typically spreading 60 –120 degrees . Yagi antennas , named after one of their designers, are directional antennas composed of a dipole and reflector. Yagis form a more narrow “extended bubble” with side and back lobes. Highly directional antennas irradiate a narrowing cone beam, which can re ach as far as the visible horizon. Horizon tal and vertical planes of semi and highly -directional antennas are often similar in shape but have different beam widths; consult the manufacturer’s description of the antenna irradiation pattern before selecting an appropriate antenna for your site. As you can see from the patterns shown in Figure 7.1, omnidirectional antennas are typically used in point -to-multipoint (hub -and-spoke) wireless network topologies, often together with a variety of semi - directional an tennas. Multiple -input multiple -output (MIMO) antennas, which use multiple antenna types to improve coverage, have become common in enterprise systems today. Yagis are frequently deployed in medium -range point -to-point bridging links, whereas highly direct ional antennas are used when long -range point - to-point connectivity is required. Highly directional antennas are sometimes used to blast through obstacles such as thick walls. Please note that attackers can also use highly directional dishes to blast throu gh the thick wall of a corporate building, or even through a house that lies in the way of the targeted network. From the top of a hill or a tall building, they can also be used to reach targeted networks 20 to 25 miles away, which makes tracing such attac kers hard. On the other hand, at least three highly directional antennas are necessary to triangulate transmitting attackers in order to find their physical position. munotes.in
Page 109
109 Wireless Network Security Controlling the Range of Your Wireless Devices via Power Output Tuning : One way to contr ol your wireless signal spread is correct antenna positioning. Another method is to adjust the transmitter power output to suit your networking needs and not the attackers’. Understanding th e concept of gain is essential f or doing this.
Figure 7.1 Exampl es of antenna irradiation patterns supplied with quick antenna type –specific beam -width reference values Gain is a fundamental RF term and has already been referred to several times. Gain describes an increase in RF signal amplitude, as shown in Figure 7.2 . munotes.in
Page 110
110 Security in Computing You can achieve a gain in two ways. First, focusing the beam with an antenna increases the signal’s amplitude: a narrower beam width means a higher gain. Contrary to popular belief, omnidirectional antennas can possess significant gain reached by decreas ing the vertical beam width (squeezing the coverage “doughnut” into a coverage “pancake”). Second, using an amplifier to inject external direct current (DC) power fed into the RF cable (so -called “phantom voltage”) can increase gain. Whereas the antenna’s direction and position influence where the signal will spread, gain affects how far it will spread by increasing the transmitting power of your wireless devices.
Figure 7.2 Radio frequency signal gain is an increase in the signal’s amplitude The transmit ting power output is estimated at two points on a wireless system. The first point is the intentional radiator (IR), which includes the transmitter and all cabling and connectors but excludes the antenna. The second point is the power actually irradiated b y the antenna, or equivalent isotropically radiated power (EIRP). Both IR and EIRP output is legally regulated by the U.S. Federal Communications or the European Telecommunications Standards Institute (ETSI). To measure the power of irradiated energy (and the receiving sensitivity of your wireless device), watts (more often milliwatts [mW]) or decibels are used. Power gain and loss (the opposite of gain —a decrease in signal amplitude) are estimated in decibels or, to be more precise, dBm. The m in dBm signi fies the reference to 1 mW: 1 mW = 0 dBm. Decibels have a logarithmic relationship with watts: Pdbm = 10 log pmW. Thus, every 3 dB would double or halve the power, and every 10 dB would increase or decrease the power by an order of magnitude. The receiving sensitivity of your wireless devices would be affected in the same way. Antenna gain is estimated in dBi (i stands for isotropic), which is used in the same manner as dBm in RF power calculations. The best way to find how high your EIRP shou ld be so that it provides a quality link without leaving large areas accessible to attackers is to conduct a site survey with a tool capable of measuring the signal -to-noise ratio (SNR, also estimated in dB as signal strength minus RF noise floor) and pinging remote hos ts. Such a tool could be a wireless -enabled laptop munotes.in
Page 111
111 Wireless Network Security or PDA loaded with the necessary software or a specialized wireless site survey device. You can estimate EIRP and loss mathematically before running the actual site survey, taking into account the events d epicted in Figure 7.3.
Figure 7.3 Wireless link power gain and loss Free space path loss is the biggest cause of energy loss on a wireless network. It ha ppens because of the radio wave front broadening and transmitted signal dispersion (think of a force d ecreasing when it is applied to a larger surface area). Free space path loss is calculated as 36.56 + 20 log 10 (frequency in GHz) +20 log 10 (distance in miles). The Fresnel zone in Figure 7.4 refers to a set of specific areas around the line of sight betwe en two wireless hosts. You can try to imagine it as a set of elliptical spheres surrounding a straight line between two wireless transmitters, building a somewhat rugby ball –shaped zone along this line. The Fresnel zone is essential for wirele ss link integ rity since any objects obstructing this zone by more than 20 percent introduce RF interference and can cause signal degradation or even complete loss. At its widest point, the radius of the Fresnel zone can be estimated as
Free space path loss and Fresne l zone calculators are available online at the web sites already mentioned when referring to RF power output calculations. In the real world, the power loss between hosts on a wireless network is difficult to predict, owing to the likely objects in the Fres nel zone (for example, trees or office walls) and the interaction of radio waves with these objects and other entities in the whole coverage area. Such interactions can include signal reflection, refraction, and scattering (see Figure 7.4). Apart from weak ening the signal, these interactions can leak out your network traffic to unpredicted areas, making network discovery more likely and giving potential attackers the opportunity to eavesdrop on network traffic where no one expects the traffic’s (and the att ackers’) presence. munotes.in
Page 112
112 Security in Computing
Figure 7.4 Electromagnetic wave -object interactions Although you may wonder what the relationship is between legal limitations on acceptable wireless power output and wireless security, you don’t want to be a major source of interferen ce in your area and end up on the same side of the law as the attackers. Besides attackers are not limited by the FCC —if one is going to break the law anyway, why care about FCC rules and regulations? This point is important when reviewing layer one DoS (j amming) and layer one man -in-the-middle attacks on wireless networks. Although a wireless systems administrator cannot “outpower” attackers by exceeding the legal power limits, he or she can implement other measures, such as a wireless IDS capable of detec ting layer one anomalies like sudden RF power surges or signal quality failures on the monitored network, to alleviate the problem. Interference, Jamming , and the Coexistence of Spread Spectrum Wireless Networks : The basic concepts of spread spectrum commu nications are necessary for an understanding of interference, jamming , and the coexistence of wireless networks. Spread spectrum refers to wide -frequency low -power transmission, as opposed to narrowband transmission, which uses just enough spectrum to carr y the signal and has a very large SNR (see Figure 7.5).
Figure 7.5 Spread spectrum versus narrowband transmission All 802.11 and 802.15 IEEE standards –defined wireless networks employ spread spectrum band technology. This technology was originally develo ped during World War II, with security being the primary munotes.in
Page 113
113 Wireless Network Security development aim. Anyone sweeping across the frequency range with a wideband scanner who doesn’t know how the data is carried by the spread spectrum signal and which frequencies are used will perceive such a signal as white noise. Using spread spectrum technology in military communications is a good example of “security through obscurity” that works and is based on very specific equipment compatibility. In everyday commercial and hobbyist wireless nets , however, this obscurity is not possible. The devices used must be highly compatible, interoperable , and standards -compliant (in fact, interoperability is the main aim of the Wireless Ethernet Compatibility Alliance (WECA) “WiFi” certification for wireles s hardware devices, which many confuse with the IEEE 802.11b data -link layer protocol standard). When the link between communicating devices is established, the two devices must agree on a variety of parameters such as communication channels. Such agreemen t is done via unencrypted frames sent by both parties. Anyone running a wireless sniffer can determine the characteristics of a wireless link after capturing a few management frames off the air. Thus, the only security advantage brought to civil wireless n etworks by implementing spread spectrum technology is the heightened resistance of these networks to interference and jamming as compared to narrowband transmission. There are two ways to implement spread spectrum communications: Frequency hopping spread s pectrum (FHSS) Direct sequence spread spectrum (DSSS) In FHSS, a pseudorandom sequence of frequency changes (hops) is followed by all hosts participating in a wireless network (see Figure 7.6). The carrier remains at a given frequency for a dwell time per iod and then hops to a nother frequency (spending a hop time to do it); the sequence is repeated when the list of frequencies to hop through is exhausted. FHSS was the first spread spectrum implementation technology proposed.
Figure 7.6 FHSS frequency hop ping munotes.in
Page 114
114 Security in Computing It is used by legacy 1 –2 Mbps 802.11 FHSS networks and most importantly, 802.15 networks (Bluetooth). Bluetooth hops 1600 times per second (~625 μs dwell time) and must hop through at least 75 MHz of bandwidth in the middle ISM band. As such, Bluetooth is very resistant to radio interference unless the interfering signal covers the whole middle ISM band. At the same time, Bluetooth devices (Class 3 transmitters) introduce wideband interference capable of disrupting 802.11, 802.11b, and 802.11g LANs. Thus, a Bluetooth -enabled phone, PDA, or laptop can be an efficient (unintentional or intentional) wideband DoS/jamming tool against other middle ISM ba nd wireless networks. As for interference issues arising from using multiple Bluetooth networks in the same area, it is theoretically possible to keep 26 Bluetooth networks in the same area owing to the different frequency hopping sequences on these networ ks. In practice, however, exceeding 15 networks per area is not recommended, but the time when widespread Bluetooth use will create such a density of networks is coming —and is closer than it seems — colleges now plan for 7 devices per user for campus -provide d wireless networks. You can imagine that in a dorm room with 4 to 6 tenants in proximity, the number of Bluetooth networks could easily exceed 15 networks. The 802.11 range of network uses DSSS. As compared to FHSS networks (with a maximum 5 MHz –wide carr ier frequency), DSSS networks use wider channels (802.11b/g: 22 MHz, 802.11a: 20 MHz), which allow higher data transmission rates. On the other hand, because the transmission on a DSSS n etwork goes through a single 20 to 22 -MHz channel and not the whole IS M/UNII band range or the 75 MHz defined by the FCC for FHSS networks, DSSS networks are more vulnerable to interference and jamming. An 802.11b or g LAN would suffer from colocation with a Bluetooth network to a greater extent than the network would be neg atively affected by the 802.11b/g LAN.
Figure 7.7 DSSS data “hiding” and transmission UNII band DSSS channels are split by 5 MHz between the channel “margins”; thus, they do not overlap. On the contrary, middle ISM band munotes.in
Page 115
115 Wireless Network Security DSSS channels are split by the 5 -MHz distance between the middle of each channel, which means severe channel overlapping takes place. The 802.11b/g channel width is 22 MHz, so you need at least 5 channels (5×5 MHz = 25 MHz > 22 MHz) between two nonoverlapping channels, or so the theory goe s. In reality, even these channels would interfere with each other for a variety of reasons. In the U.S., you can use 11 802.11b/g channels, so the maximum number of coallocated access points is three, taking channels 1, 6, and 11, as the following illustr ation of the 802.11b/g frequency channels allocation shows.
In Europe, 13 channels are allocated for 802.11b/g use, making access point coallocation more flexible (however, only the channels from 10 to 13 are used in France and 10 to 11 in Spain). All 14 channels can be used in Japan. Channel allocation has high relevance to the much -discussed issue of rogue access points. There are various definitions for a “rogue access point” and, therefore, different ways of dealing with the problem: Access points and bridges that belong to neighboring LANs and interfere with your LAN by operating on the same or overlapping channels : Solution: Be a good neighbor and reach an agreement with other users on the channels used so they do not overlap. Ensure your data is en crypted and an authentication mechanism is in place. Advise your neighbors to do the same if their network appears to be insecure. Note that interference created by access points operating on close channels (such as 6 and 7) is actually higher than interf erence created by two access points operating on the same channel. Nevertheless, two or more access points operating on the same channel do produce significant signal degradation. Unfortunately, many network administrators who do not understand RF basics t end to think that all access points belonging to the same network or organization must use the same channel, which is not true. Access points, bridges, USB adapters , and other wireless devices installed by users without permission from enterprise IT manage ment : Solution: Have a strictly defined ban on unauthorized wireless devices in your corporate security policy and be sure all employees are aware of the policy contents. Detect wireless devices in the area by using wireless munotes.in
Page 116
116 Security in Computing sniffers or specific wireless tools and appliances. Remove discovered unwanted devices and check if the traffic that originated from such devices produced any alerts in logs. Access points or other wireless devices installed by intruders provide a back channel into the corporate LAN, e ffectively bypassing egress filtering on the firewall : Solution: This is a physical security breach and should be treated as such. Apart from finding and removing the device and analyzing logs (as in the preceding point), treat the rogue device as serious evidence. Handle it with care to preserve attackers’ fingerprints, place it in a sealed bag, and label the bag with a note showing the time of discovery as well as the credentials of the person who sealed it. Investigate if someone has seen the potential intruder and check the information provided by CCTV. Outside wireless access points and bridges employed by attackers to launch man -in-the-middle attacks : This is a “red alert” situation and indicates skill and determination on the part of the attacker. T he access point can be installed in the attacker’s car and plugged into the car accumulator battery, or the attacker could be using it from a neighboring apartment or hotel room. Alternatively (and more comfortably for an attacker), a PCMCIA card can be se t to act as an access point. An attacker going after a public hotspot may try to imitate the hotspot user authentication interface in order to capture the login names and passwords of unsuspecting users. Solution: Above all, such attacks indicate that the assaulted network was wide open or data encryption and user authentication mechanisms were bypassed. Deploy your wireless network wisely, implementing security safeguards. If the attack still takes place, consider bringing down the wireless network and ph ysically locating the attacker. To achieve the latter aim, contact a specialized wireless security firm capable of attacker triangulation. 7.3 DATA -LINK LAYER WIRELESS SECURITY FEATURES, FLAWS , AND THREATS The peculiarities of physical layer operations, a s well as the expected wireless network topology and size, determined the design of data -link layer protocols and associated security features for wireless communications. Unfortunately, reality rarely meets the designer’s expectations. Wireless LANs were initially developed for limited -size networks and short -to-medium point -to-point bridging links. 7.3.1 802.11 and 802.15 Data -Link Layer in a Nutshell : Here, we’ll briefly review layer two operations of commonly used wireless networks such as 802.11 LANs and Bluetooth networks. Despite the common use of the terms “wireless Ethernet” and “ethX” as wireless munotes.in
Page 117
117 Wireless Network Security interface designations, the data -link layer on 802.11 networks is quite different from Ethernet frames, as Figure 7.8 demonstrates. A wireless LAN’s mod e of operation is also dissimilar to that of an Ethernet. As a radio transceiver can only transmit or receive at a given time on a given frequency, all 802.11 -compliant networks are half -duplex. Whereas an access point is a translational bridge in relation to the wired network it may be connected to, for wireless network clients, the access point acts as a hub, making packet sniffing an easy task. Because detecting collisions on a wireless network is not possible, the Carrier Sense Media Access/Collision Av oidance (CSMA/CA) algorithm is used on wireless LANs instead of Ethernet’s CSMA/ CD algorithm. CSMA/CA is based on receiving a positive ACK for every successfully transmitted frame and retransmitting data if the ACK frame is not received. On wired networks , by plugging in the cable, you are associated with the network. On wireless networks, you can’t do this, and the exchange of association request and response frames followed by the exchange of authentication request and response frames is required. Before requesting association, wireless hosts have to discover each other. Such discovery is done by means of passive scanning (listening for beacon frames sent by access points or ad hoc wireless hosts on all channels) or active scanning (sending probe request frames and receiving back probe responses). If a wireless host loses connectivity to the network, another exchange of reassociation, request and response frames takes place. Finally, a deauthentication frame can be sent to an undesirable host.
Figure 7.8 Comparison between 802.11 and 802.3 frames MIMO, in the context of Wi -Fi, is still half -duplex, but MIMO allows a fancy way to “hide” or get around the duplex limitation by simultaneously transmitting in both directions (send and receive) on different ant ennas. Bluetooth wireless networks can function in circuit -switching (voice communications) and packet -switching (TCP/IP) modes, which can be used simultaneously. The Bluetooth stack is more complicated than its 802.11 counterparts, spanning all the OSI m odel layers (see Figure 7.9). munotes.in
Page 118
118 Security in Computing
Figure 7.9 Bluetooth protocol stack The Link Manager Protocol (LMP) is responsible for setting up the link between two Bluetooth devices. It decides and controls the packet size, as well as provides security services such as authentication and encryption using link and encryption keys. The Logical Link Control and Adaptation Protocol (L2CAP) is responsible for controlling the upper layer protocols. RFCOMM is a cable replacement protocol that interfaces with the core Bluetooth protocols. The Service Discovery Protocol (SDP) is present so that Bluetooth -enabled devices can gather information about device types, services , and service specifications to set up the connection between devices. Finally, there are a variety of applicat ion-layer protocols such as TCS BINARY and AT Commands; these are telephony control protocols that allow modem and fax services over Bluetooth. 7.3.2 802.11 and 802.15 Data -Link Layer Vulnerabilities and Threats : The main problem with layer two wireless p rotocols is that in both 802.11 and 802.15 standards, the management frames are neither encrypted nor authenticated. Anyone can log, analyze and transmit them without necessarily being associated with the target network. While intercepting management frame s is not the same as intercepting sensitive data on the network, it can still provide a wealth of information, including network SSIDs (basically, the network name), wireless hosts’ MAC addresses, DSSS LAN channels in use, FHCC frequency hop patterns, and so on. Every Bluetooth device has a unique ID transmitted in clear text in the management frames. Thus, eavesdropping on these frames can be helpful in tracking such a device and its user. Preventing this is hard —short of turning off the Bluetooth device e ntirely. Unfortunately, the information presented by management frames is only a tiny fraction of the problem. The attacker can easily knock wireless hosts munotes.in
Page 119
119 Wireless Network Security offline by sending deauthenticate and disassociate d frames. Even worse, the attacker can insert his or her machine as a rogue access point by spoofing the real access point’s MAC and IP addresses, providing a different channel to associate, and then sending a disassociate frame to the target host(s). 7.3.3 Closed -System SSIDs, MAC Filtering, and Protocol Filtering : Common nonstandard wireless LAN safeguards include closed -system SSIDs, MAC address filtering, and protocol filtering. Closed -system SSID is a feature of many higher -end wireless access points and bridges. It refers to the removal of SSID fro m the beacon frames and/or probe response frames, thus requiring the client hosts to have a correct SSID in order to associate. This turns SSID into a form of shared authentication password. Closed -system SSIDs can be found in management frames other than beacons and probe responses, however. Just as in the case of shared key authentication mode, wireless hosts can be forced to disassociate in order to capture the SSID in the management frame’s underlying reassociation process. Attackers can easily circumve nt closed -system SSID security by using deassociation/deauthentication frames. MAC filtering, unlike closed -system SSID, is a common feature that practically every modern access point supports. It does not provide data confidentiality and is easily bypass ed (again, an attacker can force the target host to disassociate without waiting for the host to go offline so its MAC address can be assumed). Nevertheless, MAC filtering may stop script kiddie (unsophisticated) attackers from associating with the network . Finally, protocol filtering is less common than closed systems and MAC address filtering; it is useful only in specific situations and when it is sufficiently selective. For example, when the wireless hosts only need web and mail traffic, you can filter all other protocols and use the built -in encryption capabilities of web and mail servers to provide a sufficient degree of data confidentiality. Alternatively, SSH port forwarding can be used. Protocol filtering combined with secure layer six protocols ca n provide a good security solution for wireless LANs built for handheld users with low -CPU power devices limited to a specific task (barcode scann ing, browsing the corporate web site for updates, and so on) 7.3.4 Built -in Bluetooth Network Data -Link Securit y and Threats : Bluetooth has a well -thought -out security mechanism covering both data authentication and confidentiality. This mechanism relies on four entities: two 128 -bit shared keys (one for encryption and one for authentication), one 128 -bit random n umber generated for every transaction, and one 48 - bit IEEE public address (BD_ADDR) unique to each Bluetooth device. Setting up a secure Bluetooth communication channel involves five steps: munotes.in
Page 120
120 Security in Computing 1. An initialization key is generated by each device using the r andom number, BD_ADDR, and shared PIN. 2. Authentication keys (sometimes called link keys) are generated by both ends. 3. The authentication keys are exchanged using the initialization key, which is then discarded. 4. Mutual authentication via a chal lenge -response scheme takes place. 5. Encryption keys are generated from authentication keys, BD_ADDR, and a 128 -bit random number. Streaming cipher E0 is used to encrypt data on Bluetooth networks. A modification of the SAFER+ cipher is used to generat e the authentication keys. Three Bluetooth security modes are known: insecure mode 1, service -level security mode 2, and link -level enforced security mode 3. Mode 3 is the most secure and should be used where possible. 7.4 WIRELESS VULNERABILITIES AND MITI GATIONS Since Wi -Fi primarily operates at layer two in the OSI stack, most of the attacks against it occur at layer two. But wireless attacks, such as jamming, can also occur at layer one. In this section, we describe five types of wireless attacks. 7.4.1 Wired Side Leakage : Network attacks —whether on the wired or wireless network —typically begin with some form of reconnaissance. On wireless networks, reconnaissance involves promiscuously listening for wireless packets using a wireless sniffer so the att acker can begin to develop a footprint of the wireless network. We will ideally focus on layer two packets, whereby we are not connected (associated) to an access point. If the attacker s were associated with an access point, then he or she could sniff laye r three and above. Broadcast and multicast traffic run rampant on most wired networks, thanks to protocols such as NetBIOS, OSPF , and HSRP, among others that were designed to be chatty about their topology information because they were envisioned to be us ed only on protected internal networks. What many administrators don’t realize is that when they connect wireless networks to their wired networks , this broadcast and multicast traffic can leak into the wireless airspace, as shown in Figure 7 -10, if not pr operly segmented and firewalled. Most access points and wireless switches allow this traffic to leak into the airspace without being blocked. Figure 17 -10 illustrates this concept with a network device that is connected to an AP via a wired network, leakin g internal protocol communications onto the airwaves. Unfortunately, this traffic may reveal network topology, device types, usernames, and even passwords! munotes.in
Page 121
121 Wireless Network Security
Figure 7.10 Network device traffic can leak onto the wireless airspace For instance, Cisco’s Hot S tandby Router Protocol (HSRP), which is used for gateway failover, sends multicast packets. By default, these packets broadcast heartbeat messages back and forth that include the hot standby password for the router in clear text. When these packets leak fr om the wired network to the wireless airspace, they reveal information about the network topology as well as the password, as shown in Figure 7 -11.
Figure 7.11 A password is revealed by an internal routing protocol via wireless . When deploying wireless, you need to ensure that, like a firewall, ingress , as well as egress is considered. Outbound traffic on the wireless switch and access point should be properly filtered of broadcast traffic to prevent this sensitive wired traffic from leaking into the local airspace. A wireless intrusion prevention system (IPS) can help to identify this wired -side leakage by monitoring packets for signs of data leakage, so administrators can block any leaks on their access points, wireless switche s, or firewalls. 7.4.2 Rogue Access Points : The most common type of rogue access point involves a user who brings a consumer -grade access point like a Linksys router into the office. Many organizations attempt to detect rogue APs through wireless assessme nts. It is important to note that although you may detect access points in your vicinity, it is equally important to validate if they are connected to your physical network. The definition of a rogue AP is an unsanctioned wireless access point connected to your physical network. Any other visible AP that’s not yours is simply a neighboring access point. munotes.in
Page 122
122 Security in Computing
Figure 7.11 A password is revealed by an internal routing protocol via wireless Vetting out the potential rogue APs requires some prior knowledge of the legitimate wireless environment and sanctioned access points. This approach for detecting rogue APs involves determining the anomalous access points in the environ ment and, therefore, is really the best -effort approach. As mentioned earlier, this approach d oesn’t necessarily confirm whether the access points are physically connected to your network. That requires assessing the wired side as well and then correlating the wired assessment to the wireless assessment. Otherwise, the only other option is to check each physical access point to determine if the anomalous AP is connected to your network. Doing this can be impractical for a large assessment. For this reason, wireless IPSs are far more effective at detecting rogue APs. A wireless IPS correlates what it sees with its wireless sensors to what it sees on the wired side. Through a variety of algorithms, it determines if the access point is truly a rogue access point, one that is physically connected to the network. Even quarterly spot checks for rogue acces s points still give malicious hackers a huge window of opportunity, leaving days if not months for someone to plug in a rogue access point, perform a compromise, and then remove it without ever being detected. 7.4.3 Misconfigured Access Points : Enterprise wireless LAN deployments can be riddled with misconfigurations. Human error coupled with different administrators installing the access points and switches can lead to a variety of misconfigurations. For example, an unsaved configuration change can allow a device to return to its factory default setting if, say, the device reboots during a power outage. And numerous other misconfigurations can lead to a plethora of vulnerabilities. Therefore, these devices must be monitored for configurations that are in l ine with your policies. Some of this monitoring can be done on the wired side with WLAN management products. Additionally, mature wireless IPS products can also monitor for munotes.in
Page 123
123 Wireless Network Security misconfigured access points if you predefine a policy within the wireless IPS to mo nitor for devices not compliant with policy. Modern systems have different considerations —the controller -based approach largely prevents this issue, but some organizations, especially smaller ones, will still face this type of problem. Human error on the controller side poses a larger and more significant risk —all the access points will have a problem or configuration vulnerability, not just one. 7.4.4 Wireless Phishing : Since organizations are becoming more disciplined with fortifying their wireless netw orks, trends indicate that wireless users have become the low-hanging fruit. Enforcing secure Wi -Fi usage when it concerns human behavior is difficult. The average wireless user is simply not familiar with the threats imposed by connecting to an open Wi -Fi network at a local coffee shop or airport. In addition, users may unknowingly connect to a wireless network that they believe is the legitimate access point but that has, in fact, been set up as a honeypot or open network specifically to attract unsuspect ing victims. For example, they may have a network at home called “Linksys.” As a result, their laptop may automatically connect to any other network known as “Linksys.” This built -in behavior can lead to an accidental association with a malicious wireless network, more commonly referred to as wireless phishing. Once an attacker gains access to the user’s laptop, not only could the attacker pilfer information such as sensitive files, but the attacker could also harvest wireless network credentials for the user’s corporate network. This attack may be far easier to perform than attacking the enterprise network directly. If an attacker can obtain the credentials from a wireless user, he or she can then use those credentials to access the corporate enterpr ise wireless network, bypassing any encryption or safety mechanisms employed to prevent more sophisticated attacks. 7.4.5 Client Isolation : Users are typically the easiest target for attackers, especially when it comes to Wi -Fi. When users are associated with an access point, they can see others attempting to connect to the access point. Ideally, most users connect to the access point to obtain Internet access or access to the corporate network, but they can also fall victim to a malicious user of that same wireless network. In addition to eavesdropping, a malicious user can also directly target other users as long as they’re associated with the same access point. Specifically, once a user authenticates and associates to the access point, he or she obtains an IP address and, therefore, layer three access. Much like a wired network, the malicious wireless user is now on the same network as the other users of that access point, making them direct targets for attack. munotes.in
Page 124
124 Security in Computing Wireless vendors are aware of this vulnerab ility and have released product features to provide client isolation for guest and corporate networks. Essentially, client isolation allows people to access the Internet and other resources provided by the access point, minus the LAN capability. When secur ing a Wi -Fi network, isolation is a necessity. Typically the feature is disabled by default, so ensure that it’s enabled across all access points. 7.5 WIRELESS NETWORK POSITIONING AND SECURE GATEWAYS The final point to be made about wireless network harde ning is related to the position of the wireless network in the overall network design topology. Owing to the peculiarities of wireless networking, described earlier in this chapter in “Radio Frequency Security Basics,” wireless networks should never be dir ectly connected to the wired LAN. Instead, they must be treated as an insecure public net work connection or, in the laxest security approach, as a DMZ. Plugging an access point directly into the LAN switch is asking for trouble (even though 802.1x authenti cation can alleviate the problem). A secure wireless gateway with stateful or proxy firewalling capability must separate the wireless network from the wired LAN. The most common approach today is to have APs that can be connected anywhere on the LAN, but c reate an encrypted tunnel back to the controller and send all traffic through it before it hits the local network. The controller will run firewalling and IDS/IPS capabilities to check this traffic before it is exposed to the internal network. If the wirel ess network includes multiple access points across the area and roaming user access, the access points on the “wired side” must be put on the same VLAN, securely separated from the rest of the wired network. Higher -end specialized wireless gateways combine access point s, firewalling, authentication, VPN concentrator, and user roaming support capabilities. The security of the gateway protecting your wireless network —even the security of the access point itself —should never be overlooked. The majority of secu rity problems with wireless gateways, access points, and bridges stem from insecure device management implementations, including using telnet, TFTP, default SNMP community strings, and default passwords, as well as allowing gateway and access point remote administration from the wireless side of the network. Ensure that each device’s security is properly audited and use wireless -specific IDS features in concert with more traditional intrusion -detection systems working above the data -link layer. 7.6 SUMMARY Wireless security is a multila yered time and resource -consuming process, which is nevertheless essential because wireless networks are a highly prized target for attackers looking for anonymous, free Internet access and backchannel entry into otherwise se curely separated networks. Wireless security encompasses wireless -specific security policy (many tips in this chapter are helpful in constructing one), radio frequency security, layer munotes.in
Page 125
125 Wireless Network Security two–specific wireless protocol security issues and solutions, higher -layer VPN and device management security, and above all, correct wireless network design with security in mind. 7.7 QUESTIONS 1) Write a short note on Wireless Vulnerabilities and Mitigations. 2) Explain Radio Frequency Security. 7.8 REFERENCE The Complete Referenc e: Information Security, Mark Rhodes - Ousley, McGrawHill, Second Edition.
*****
munotes.in
Page 126
126 UNIT - IV 8 INTRUSION DETECTION AND PREVENTION SYSTEMS Unit Structure 8.0 Objectives 8.1 Introduction 8.1.1 IDS Concepts 8.1.2 IDS Types 8.1.3 Detection Models 8.1.4 IDS Features 8.1.5 IDS Deployment Considerations 8.1.6 Security Info rmation and Event Management (SIEM) 8.2 Let us Sum Up 8.3 Questions 8.4 Bibliography 8.5 References 8.0 OBJECTIVES After going through this unit, you will be able to: Understand IDS/IPS concepts Describe the different IDS and IPS types Identify feat ures to help you evaluate different solutions Discuss real -life deployment considerations. Understanding of both systems Prepare to navigate the toughest operational issues. 8.1 INTRODUCTION Intrusion detection systems (IDSs) and intrusion prevention syst ems (IPSs) are important tools in a computer security arsenal. Often thought of as a tertiary extra after antivirus software and firewalls, an IDS is often the best way to detect a security breach. As useful as they can be, however, successfully deployin g an IDS or IPS is one of the biggest challenges a security administrator can face. munotes.in
Page 127
127 Intrusion Detection and Prevention Systems 8.1.1 IDS Concepts : Intrusion detection (ID) is the process of monitoring and identifying specific malicious traffic. Most network administrators do ID all the time withou t realizing it. Security administrators are constantly checking system and security log files for something suspicious. An antivirus scanner is an ID system when it checks files and disks for known malware. Administrators use other security audit tools to look for inappropriate rights, elevated privileges, altered permissions, incorrect group memberships, unauthorized registry changes, malicious file manipulation, inactive user accounts, and unauthorized applications. An IDS is just another tool that ca n mo nitor host system changes (host -based) or sniff network packets of the wire (network -based) looking for signs of malicious intent. An IDS can take the form of a software program installed on an operating system, but today’s commercial network -sniffing IDS/IPS typically takes the form of a hardware appliance because of performance requirements. An IDS uses either a packet -level network interface driver to intercept packet traffic or it “hooks” the operating system to insert inspection subroutines. An IDS is a sort of virtual food taster, deployed primarily for early detection, but increasingly used to prevent attacks. When the IDS notices a possible malicious threat, called an event, it logs the transaction and takes appropriate action. The action may simply be to continue to log, send an alert, redirect the attack, or prevent maliciousness. If the threat is a high risk, the IDS will alert the appropriate people. Alerts can be sent by e -mail, Simple Network Management Protocol (SNMP), pager, SMTP to a mobile device, or console broadcast. An IDS supports the defense -in-depth security principle and can be used to detect a wide range of rogue events, including but not limited to the following: o Impersonation attempts o Password cracking o Protocol attacks munotes.in
Page 128
128 Security in Computing o Buffer overflows o Installation of root kits o Rogue commands o Software vulnerability exploits o Malicious code, like viruses, worms, and Trojans o Illegal data manipulation o Unauthorized file access o Denial of service (DoS) attacks
8.1.2 IDS Types :
Depending on what assets you want to protect, an IDS can protect a host or a network. All IDSs follow one of two intrusion detection models — anomaly (also called profile, behavior, heuristic, or statistical) detection or signature (knowledge -based ) detection - although some systems use parts of both when it’s advantageous. Both anomaly and signature detection work by monitoring a wide population of events and triggering based on predefined behaviors. Intrusion Detection Systems Misuse IDS munotes.in
Page 129
129 Intrusion Detection and Prevention Systems 1. Host -Based IDS 2. Network -Based IDS (NIDS) 1. Host -Based IDS:
A host -based IDS (HIDS) is installed on the host which is intended to monitor. The host can be a server, workstation, or any networked device (such as a printer, router, or gateway). HIDS installs as a service or daemon, or it modifies the underlying operating system’s kernel or application to gain first inspection authority. Although HIDS may include the ability to sniff network traffic intended for the monitored host, it excels at monitoring and reporting direct interactions at the a pplication layer. Application attacks can include memory modifications, maliciously crafted application requ ests, buffer overflows, or file modification attempts. HIDS ca n inspect each incoming command looking for signs of maliciousness, or simply track u nauthorized file changes. A file -integrity HIDS (sometimes called a snapshot or checksum HIDS) takes a cryptographic hash of important files in a known clean state and then checks them again later for comparison. If any changes are noted, the HIDS alerts the administrator that there may be a change in integrity. A behavior -monitoring HIDS performs real -time monitoring and intercepts potentially malicious behavior. For instance, a Windows HIDS reports on attempts to modify the registry, manipulate files, a ccess the system, change passwords, escalate privileges, and otherwise directly modify the host. munotes.in
Page 130
130 Security in Computing On a Unix host, a behavior -monitoring HIDS may monitor attempts to access system binaries, attempts to download password files, and change permissions and sch eduled jobs. A behavior -monitoring HIDS on a web server may monitor incoming requests and report maliciousl y crafted HTML responses, cross -site scripting attacks, or SQL injection code. Early warning and prevention are the greatest advantages of real -time HIDS. Because real -time HIDS is always monitoring system and application calls, it can stop potentially malicious events from happening in the first place. On the downside, real -time monitoring takes up significant CPU cycles, which may not be acceptable on a high -performance asset, like a popular web server or a large database server. Real-time behavior monitoring only screens previously defined threats, and new attack vectors are devised several times a year, meaning that real -time monitors must be upda ted, much like databases for an antivirus scanner. In addition, if an intrusion successfully gets by the real -time behavior blocker, the HIDS won’t be able to provide as much detailed information about what happened thereafter as a snapshot HIDS would. Sn apshot HIDSs are reactive by nature. They can only report maliciousness, not stop it. A snapshot HIDS excels at forensic analysis. With one report, you can capture all the changes between a known good state and the corrupted state. You will not have to p iece together several different progressing states to see all the changes made since the baseline. Damage assessment is significantly easier than w ith a real -time HIDS because a Snapshot HIDS can tell you exactly what has changed. You can use comparative reports to decide whether you have to rebuild the host completely or whether a piecemeal restoration can be done safely. You can also use the before and after snapshots as forensic evidence in an investigation. Snapshot systems are useful outside the real m of computer security, too. You can use a snapshot system for configuration and change management. A snapshot can be valuable when you have to build many different systems with the same configuration settings as a master copy. You can configure the addit ional systems and use snapshot comparison to see if all configurations are identical. You can also run snapshot reports later to see if anyone has made unauthorized changes to a host. munotes.in
Page 131
131 Intrusion Detection and Prevention Systems The obvious disadvantage of a snapshot HIDS is that alerting and report ing are done after the fact. By then, the changes have already occurred, and the damage is done. 2. Network -Based IDS (NIDS) :
Network -based IDS (NIDS) is the most popular IDS , and they work by capturing and analyzing network packets speeding by on the wi re. Unlike HIDS, NIDS is designed to protect more than one host. It can protect a group of computer hosts, like a server farm, or monitor an entire network. Captured traffic is compared against protocol specifications and normal traffic trends or the pac ket’s payload data is examined for malicious content. If a security threat is noted, the event is logged and an alert is generated. With HIDS, you install the software on the host you want to monitor and the software does all the work. Because NIDS works by examining network packet traffic, including traffic not intended for the NIDS host on the network, it has a few extra deployment considerations. It is common for brand -new NIDS users to spend hours wondering why their IDS isn’t generating any alerts. Sometimes it’s because there is no threat traffic to alert on, and other times it’s because the NIDS isn’t set up to capture packets headed to other hosts. A sure sign that the network layer of your NIDS is misconfigured is that it only picks up broadcast traffic and traffic headed for it specifically. munotes.in
Page 132
132 Security in Computing Traffic doesn’t start showing up at the NIDS simply because it was turned on. You must configure your NIDS and the network so the traffic you want to examine is physically passed to NIDS. NIDS must have p romiscuous network cards with packet -level drivers, and they must be installed on each monitored network segment. Network taps, a dedicated appliance used to mirror a port or interface physically, and Switch Port Analysis (SPAN), are the two most common m ethods for setting up monitoring on a switched network. 2.1 Packet -Level Drivers : Network packets are captured using a packet -level software driver bound to a network interface card. Many Unix and Windows systems do not have native packet -level drivers b uilt in, so IDS implem entations commonly rely on open - source packet -level drivers. Most commercial IDSs have their own packet -level drivers and packet -sniffing software. 2.2 Promiscuous Mode : For NIDS to sniff packets, the packets have to be given to the packet - level driver by the network interface card. By default, most network cards are not promiscuous, me aning they only read packets of the wire that are intended for them. This typically includes unicast packets, meant solely for one particular worksta tion, broadcast packets meant for every computer that can listen to them, and multicast traffic meant for two or more previously defined hosts. Most networks contain unicast and broadcast traffic. Multicast traffic isn’t as common, but it is gaining in po pularity for web -streaming applications. By default, a network card in normal mode drops traffic destined for other computers and packets with transmission anomalies (resulting from collisions, bad cabling, and so on). If you are going to set up an IDS, make sure its network interface card has a promiscuous mode and is able to inspect all traffic passing by on the wire. munotes.in
Page 133
133 Intrusion Detection and Prevention Systems Sensors for Network Segments : For the purposes of this chapter, a network segment can be defined as a single logical packet domain. For NIDS, this definition means that all network traffic heading to and from all computers on the same network segment can be physically monitored. You should have at least one NIDS inspection device per network segment to monitor a network effectively. This device can be a fully operational IDS interface or, more commonly, a router or switch interface to which all network traffic is copied, known as a span port, or a traffic repeater device, known as a sensor or tap. One port plugs into the middle of a con nection on the network segment to be monitored, and the other plugs into a cable leading to the central IDS console. Routers are the edge points of network segments, and you must place at least one sensor on each segment you wish to monitor. Most of today ’s networks contain switch devices. With the notable exception of broadcast packets, switches only send packets to a single destination port. On a switched network, an IDS will not see its neighbor’s non - broadcast traffic. Many switches support port mirr oring, also called port spanning or traffic redirection. Port mirroring is accomplished by instructing the switch to copy all traffic to and from a specific port to another port where the IDS sits . 8.1.3 Detection Models : Anomaly -Detection (AD) Model : Anomaly detection (AD) was proposed in 1985 by noted security laureate Dr. Dorothy E. Denning, and it works by establishing accepted baselines and noting exceptional differences. Baselines can be established for a particular computer host or for a particular network segment. Some IDS vendors refer to AD systems as behavior -based since they look for deviating behaviors. If an IDS looks only at network packet headers for differences, it is called protocol anomaly detection. munotes.in
Page 134
134 Security in Computing Several IDSs have anomaly -based de tection engines. Several massively distributed AD systems monitor the overall health of the Internet, and a handful of high -risk Internet threats have been minimized over the last few years because unusual activity was noticed by a large number of correlat ed AD systems. The goal of AD is to be able to detect a wide range of malicious intrusions, including those for which no previous detection signature exists. By learning known good behaviors during a period of “profiling,” in which an AD system identifie s and stores all the normal activities that occur on a system or network, it can alert to everything else that doesn’t fit the normal profile. Anomaly detection is statistical in nature and works on the concept of measuring the number of events happening in a given time interval for a monitored metric. A simple example is someone logging in with the incorrect password too many times, causing an account to be locked out and generating a message to the security log. Anomaly detection IDS expands the same c oncept to cover network traffic patterns, application events, and system utilization. Here are some other events AD systems can monitor and trigger alerts from: Unusual user account activity Excessive file and object access High CPU utilization Inappr opriate protocol use Unusual workstation login location Unusual login frequency A High number of concurrent logins A High number of sessions Any code manipulation Unexpected privileged use or escalation attempts Unusual content munotes.in
Page 135
135 Intrusion Detection and Prevention Systems An accepted baselin e may be that network utilization on a particular segment never rises above 20 percent and routinely only inclu des HTTP, FTP, and SMTP traffic: An AD baseline might be that there are no unicast packets between workstations and only unicasts between server s and workstations. If a DoS attack pegs the network utilization above 20 percent for an extended period of time, or someone tries to telnet to a server on a monitored segment, the IDS would create a security event. Excessive repetition of identical char acters in an HTTP response might be indicative of a buffer overflow attempt. When an AD system is installed, it monitors the host or network and creates a monitoring policy based on the learned baseline. The IDS or installer chooses which events to measur e and how long the AD system should measure to determine a baseline. The installer must make sure that nothing unusual is happening during the sampling period that might skew the baseline. Anomalies are empirically measured as a statistically significant change from the baseline norm. The difference can be measured as a number, a percentage, or as a number of standard deviations. In some cases, like the access of an unused system file or the use of an inactive account, one instance is enough to trigger the AD system. For normal events with ongoing activity, two or more statistical deviations from the baseline measurement create an alert. AD Advantages : AD systems are great at detecting a sudden high value for some metric. For example, when the SQL Slamm er worm ate up all available CPU cycles and bandwidth on affected servers and networks within seconds of infection, you can bet AD systems went off. They did not need to wait until an antivirus vendor released an updated signature. As another example, if your AD system defines a buffer overflow as any traffic with over a thousand repeating characters, it will catch any buffer overflow, known or unknown that exceeds that definition. It doesn’t need to know the character used or how the buffer overflow work s. If your AD system knows your network usually experiences ten FTP sessions in a day, and suddenly it experiences a thousand, it will likely catch the suspicious activity. munotes.in
Page 136
136 Security in Computing AD Disadvantages : Because AD systems base their detection on deviation from what’s normal, they tend to work well in static environments, such as on servers that do the same thing day in and day out, or on networks where traffic patterns are consistent throughout the day. On more dynamic systems and networks that, therefore, have a wid er range of normal behaviors, false positives can occur when the AD triggers something that wasn’t captured during the profiling period. Signature -Detection Model : A Signature -detection or misuse IDS is the most popular type of IDS, and they work by using databases of known bad behaviors and patterns. This is nearly the exact opposite of AD systems. When you think of a signature -detection IDS, think of it as an antivirus scanner for network traffic. Signature -detection engines can query any portion of a network packet or look for a specific series of data bytes. The defined patterns of code are called signatures, and often they are included as part of a governing rule when used within an IDS. Signatures are byte sequences that are unique to a particular malady. A byte signature may contain a sample of virus code, a malicious combination of keystrokes used in a buffer overflow, or text that indicates the attacker is looking for the presence of a particular file in a particular directory. For performance reasons, the signature must be crafted so it is the shortest possible sequence of bytes needed to detect its related threat reliably. It must be highly accurate in detecting the threat and not cause false positives. Signatures and rules can be collected together into larger sets called signature databases or rule sets. Signature -Detection Rules : Rules are the heart of any signature -detection engine. A rule usually contains the following information as a bare minimum: o Unique signature byte sequence o Protocol to examine (such as TCP, UDP, ICMP) munotes.in
Page 137
137 Intrusion Detection and Prevention Systems o IP port requested o IP addresses to inspect (destination and source) o Action to take if a threat is detected (such as allow, deny, alert, log, disconnect) Most IDSs come with hundreds of predefined signatures and ru les. They are either all turned on automatically or you can pick and choose. Each activated rule or signature adds processing time for analyzing each event. If you were to turn on every rule and inspection option of a signature - detection IDS, you would l ikely find it couldn’t keep up with traffic inspection. Administrators should activate the rules and options with an acceptable cost/benefit tradeoff. Most IDSs also allow you to make custom rules and signatures, which is essential for responding immedia tely to new threats or for fine - tuning an IDS. Here are some hints when creating rules and signatures: o Byte signatures should be as short as possible, but reliable, and they should not cause false positives. o Similar rules should be near each other. Organ izing your rules speeds up future maintenance tasks. o Some IDSs and firewalls require rules that block traffic to appear before rules that allow traffic. Check with your vendor to see if rule placement matters. o Create wide -sweeping rules that do the quick est filtering first. For example, if a network packet has a protocol anomaly, it should cause an alert event without the packet ever getting to the more processor -intensive content scanning. o To minimize false positives, rules should be as specific as poss ible, including information that specifically narrows down the population of acceptable packets to be inspected. Some threats, like polymorphic viruses or multiple -vector worms, require multiple signatures to identify the same threat. For instance, many c omputer worms arrive as infected executables, spread over internal drive shares, send themselves out with their own SMTP engines, drop other Trojans and viruses, and use Internet chat channels to spread. Each attack vector would require a different signat ure. munotes.in
Page 138
138 Security in Computing Advantages of Signature Detection : A Signature -detection IDS is proficient at recognizing known threats. Once a good signature is c reated, signature detection IDS is great at finding patterns, and because they are popular, a signature to catch a new popular attack usually exists within hours of it first being reported. This applies to most open -source and commercial vendors . Another advantage of a signature -detection IDS is that it will specifically identify the threat, whereas an AD engine can only point out a generality. An AD IDS might alert you that a new TCP port opened on your file server, but a signature -detection IDS will tell you what exploit was used. Because a signature -detection engine can better identify specific threats, it has a bette r chance of providing the correct countermeasure for intrusion prevention. Disadvantages of Signature Detection : Although signature -detection IDS is the most popular type of IDS, they have several disadvantages as compared to an AD IDS. Cannot Recognize Un known Attacks : Just like antivirus sc anners, signature -detection IDS is not able to recognize previously unknown attacks. Attackers can change one byte in the malware program (creating a variant) to invalidate an entire signature. Hundreds of new malware threats are created ever y year, and signature -based IDS is always playing catch up. To be fair, there hasn’t been a significant threat in the last few years that didn’t have a signature identified by the next day, but your exposure is increased in the so -called zero hour s. Performance Suffers as Signatures or Rules Grow : Because each network packet or event is compared against the signature database or at least a subset of the signature database, performance suffers as rules increase. Most IDS administra tors using signature detection usually end up only using the most common signatures and not the less common rules. The more helpful vendors rank the different rules with threat risks so the administrator can make an informed risk tradeoff decision. munotes.in
Page 139
139 Intrusion Detection and Prevention Systems Altho ugh this is an efficient use of processing cycles, it does decrease detection reliability. Because a signature is a small, unique series of bytes, all a threat coder has to do is change one byte that is identified in the signature to make the threat undet ectable. Threats with small changes like these are called variants. Luckily, most variants share some common portion of code that is still unique to the whole class of threats, so that one appropriate signature, or the use of wildcards, can identify the w hole family. What Type of IDS Should You Use? There are dozens of IDS to choose from. The first thing you need to do is survey the computer assets you want to protect and identify the most valuable computer assets that should get a higher level of securit y assurance. These devices are usually the easiest ones to use when making an ROI case to management. New IDS administrators should start small, learn, fine -tune, and then grow. A HIDS should be used when you want to protect a specific valuable host ass et. 8.1.4 IDS Features : A NIDS should be used for general network awareness and as an early warning detector across multiple hosts. You need to pick an IDS that supports your network topology, operating system platforms, budget, and experience. If you h ave a significant amount of wireless traffic exposed in public areas, consider investing in a wireless IPS. If you have high -speed links that you need to monitor, make sure your IDS has been rated and tested at the same traffic levels. IDS should be base d on a product that does both, anomaly , and signature detection. The best IDS utilize s all techniques, combining the strengths of each type to provide a greater defense strategy. o IDS is more than detection engines. o Detection is their main purpose, but if you can’t configure the system or get the appropriate information out of the IDS, it won’t be much help ful. munotes.in
Page 140
140 Security in Computing IDS End -User Interfaces : IDS end -user interfaces let you configure the product and see ongoing detection activities. You should be able to configu re operational parameters, rules, alert events, actions, log files, and update mechanisms. IDS interfaces come in two flavors: syntactically difficult command prompts or less -functional GUIs. Historically, IDS is a command -line beast with user -configurab le text files. Command line consoles are available on the host computer or can be obtained by a Telnet session or proprietary administrative software. The configuration files control the operation of the IDS detection engine, define and hold the detectio n rules, and contain the log files and alerts. You configure the files, save them, and then run the IDS. If any runtime errors appear, you have to reconfigure and rerun. A few of the command -line IDS programs have spawned GUI consoles that hide the comm and-line complexities. Although text -based user interfaces may be fast and configurable, they aren’t loved by the masses. Hence, more and more IDS are coming up with user -friendly GUIs that make installation a breeze and configuration a matter of point -and- click. With few exceptions, the GUIs tend to be less customizable than their text-based cousins and, if connected to the detection engine in real time can cause slowness. Many of the GUI consoles pres ent a pretty picture to the end user but end up writ ing settings to text files, so you get the benefits of both worlds. Intrusion -Prevention Systems (IPS) : Since the beginning, IDS developers have wanted the IDS to do more than just monitor and report maliciousness. What good is a device that only tells yo u you’ve been maligned when the real value is in preventing the intrusion? That’s like a car alarm telling you that your car has been stolen, after the fact. Like intrusion detection, intrusion prevention has long been practiced by network administrators as a daily part of their routine. munotes.in
Page 141
141 Intrusion Detection and Prevention Systems Setting access controls, requiring passwords, enabling real -time antivirus scanning, updating patches, and installing perimeter firewalls are all examples of common intrusion -prevention controls. Intrusion -prevention con trols, as they apply to IDSs, involve real -time countermeasures taken against a specific, active threat. For example, the IDS might notice a ping flood and deny all future traffic originating from the same IP address. Alternatively, a host -based IDS might stop a malicious program from modifying system files. Going far beyond mere monitoring and alerting, second -generation IDS is being cal led an intrusion -prevention system (IPS ). They either stop the attack or interact with an external system to put down the threat. If the IPS, as shown in Figure A, is a mandatory inspection point with the ability to filter real -time traffic, it is considered inline. Inline IPS can drop packets, reset connections, and route suspicious traffic to quarantined areas for ins pection. If the IPS isn’t in line and is only inspecting the traffic, it still can instruct other network perimeter systems to stop an exploit. It may do this by sending scripted commands to a firewall, instructing it to deny all traffic from the remote attacker’s IP address, calling a virus scanner to clean a malicious file, or simply telling the monitored host to deny the hacker’s intended modification. For an IPS to cooperate with an external device, they must share a common scripting language, API, o r some other communicating mechanism. Another common IPS method is for the IDS device to send reset (RST) packets to both sides of the connection, forcing both source and destination hosts to drop the communication. This method isn’t seen as being very a ccurate, because often the successful exploit has happened by the time a forced reset has occurred, and the sensors themselves can get in the way and drop the RST packets. munotes.in
Page 142
142 Security in Computing
Figure A IPS Disadvantages : A well -known consequence of IPS is its ability to exac erbate the effects of a false positive. With an IDS, a false positive lead s to wasted log space and time, as the administrator researches the threat’s legitimacy. IPS is proactive, and a false positive means a legitimate service or host is being denied. Malicious attackers have even used prevention countermeasures such as DoS attack. IDS Management : Central to the IDS field are the definitions of management console and agent. An IDS agent (which can be a probe, sensor, or t ap) is the software process or device that does the actual data collection and inspection. If you plan to monitor more than two network segments, you can separately manage multiple sensors by connecting them to a central management console. This allows y ou to concentrate your IDS expertise at one location. IDS management consoles usually fulfill two central roles: o Configuration and reporting. If you have multiple agents, a central console can configure and update multiple distributed agents at once. For example, if you discover a new type of attack, you can IDS Database Server IDS Central management Console IDS agent IDS agent IDS agent munotes.in
Page 143
143 Intrusion Detection and Prevention Systems use the central console to update the attack definitions for all sensors at the same time. o A central console also aids in determining agent status —active and online or otherwise. o In environments with more than one IDS agent, reporting captured events to a central console is crucial. o This is known as event aggregation. If the central console attempts to organize seemingly distinct multiple events into a smaller subset of related attacks, it is known as event correlation. o For exa mple, if a remote intruder port scans five different hosts, each running its own sensor, a central console can combine the events into one larger event. o To aid in this type of correlation analysis, most consoles allow you to so rt events by: Destination IP address Source IP address Type of attack Type of protocol Time of attack o You can also customize the policy that determines whether two separate events are related. For example, you can tell the console to link all IP fragmentation attacks in the last five minutes into one event, no matter how many source IP addresses were involved. o Agents are configured to report events to the central console, and then the console handles the job of alerting system administrators. o This centralization of duties helps with setting useful alert thresholds and specifying who should be alerted. o Changes to the alert notification list can be made on one computer instead of on numerous distributed agents. o A management console can also pl ay the role of an expert analyzer. o A lightweight IDS performs the role of agent and analyzer on one machine. o In larger environments with many distributed probes, agents collect data and send it to the central console without determining whether the monit ored event was malicious or not. o The centr al console manages the database warehousing for all the collected event data. munotes.in
Page 144
144 Security in Computing o As shown in Figure B, the database may be maintained on a separate computer connected with a fast link. 8.1.5 IDS Deployment Considerat ions: IDS is a beneficial tool , but it has weaknesses. They need to be fine -tuned if you want to maximize their usefulness, and if you intend to deploy one, you’ll need to come up with a deployment plan to do so successfully. Creating this usually repres ents a substantial amount of work. This section summarizes these deployment issues. IDS Fine -Tuning : Fine-tuning an IDS means doing three things: o Increasing inspection speed o Decreasing false positives o Using efficient logging and alerting. Increasing Insp ection Speed : Most IDS administrators start monitoring all packets and capturing full packet decodes. You can narrow down what packets an IDS inspects by telling it to include or ignore packets based on source and destination addresses. For example, if yo u are most concerned with protectin g your servers, modify the IDS packet inspection engine so it only captures packets with server destination addresses. Another common packet filter is a rule that excludes broadcast packets between routers. Routers are always busy chatting and broadcasting to learn routes and reconstruct routing tables, but if you aren’t worried about internal ARP poisoning, don’t capture ARP packets. The more packets the IDS can safely ignore, the faster it will be. Another strategy is to let other faster perimeter devices do the filtering. Routers and firewa lls are usually faster than IDS, so when possible, configure the packet filters of your routers and firewalls to deny traffic that should not be on your network in the first place. For example, tell your router to deny IP address spoofs, and tell your firewall to drop all NetBIOS traffic originating from the Internet. munotes.in
Page 145
145 Intrusion Detection and Prevention Systems The more traffic that you can block with th e faster device, the higher - performing your IDS will be. That’s the wa y it should be —each security device should be configured to excel at what it does best, at the layer from which it does it best. Decreasing False Positives : Because IDS have so many false positives, the number one job of any IDS administrator is to track d own and troubleshoot false positives. In most instances, false positives will outweigh all other events. Track them all down, rule out maliciousness, and then appropriately modify the source or IDS to prevent them. Often the source of the false positive is a misbehaving program or a chatty router. If you can’t stop the source of the false positive, modify the IDS so it will not track the event. The key is that you want your logs to be as accurate as they can be, and they should only alert you to events that need human intervention. o Don’t get into the habit of ignoring the frequently occurring false positives in your logs as a way of doing business. o This will quickly lead to your missing the real events buried inside all the false positives —or to the l ogs not being read at all. Using Efficient Logging and Alerting : Most vendor products come with their own preset levels of event criticalities, but when setting up the IDS, take the time to customize the criticalities for your environment. For instance, i f you don’t have any Apache web servers, set Apache exploit notices with a low level of prioritization. Better yet, don’t track or log them at all. IPS Deployment Plan : So you want to deploy your first IPS. You’ve mapped your network, surveyed your needs, decided what to protect, and picked an IPS solution. Here are the steps to a successful IPS deployment: o Document your environment’s security policy. o Define human roles. o Decide the physical location of the IPS and sensors. munotes.in
Page 146
146 Security in Computing o Configure the IPS sensors and ma nagement console to support your security policy. o Plan and configure device management (including the update d policy). o Review and customize your detection mechanisms. o Plan and configure any prevention mechanisms. o Plan and configure your logging, alerting, and reporting. o Deploy the sensors and console (do not encrypt communication between sensors and links to lessen troubleshooting). o Test the deployment using IPS testing tools (initially use very broad rules to make sure the sensors are working). o Encrypt com munications between the sensors and console. o Test the IPS setup with actual rules. o Analyze the results and troubleshoot any deficiencies. o Fine-tune the sensors, console, logging, alerting, and reporting. o Implement the IPS system in the live environment in monitor -only mode. o Validate alerts generated from the IPS. o One at a time, set blocking rules for known reliable alerts that are important in your environment. o Continue adding blocking rules over time as your confidence in each rule increases. o Define contin uing education plans for the IPS administrator. o Repeat these steps as necessary over the life of the IPS. Installing and testing an IPS is a lot of work. The key is to take small steps in your deployment and plan and configure all the parts of your IPS be fore just turning it on. The more time you spend on defining reporting and database mechanisms at the beginning, the better the deployment will go. Use a test rule that is sure to trigger the IPS sensor or console on every packet. This ensures that the physical part of the sensor is working and lets you test the logging and alerting mechanisms. munotes.in
Page 147
147 Intrusion Detection and Prevention Systems Once you know the physical layer is working, you can remove that test rule (or comment it out or unselect it, in case you need it later). Do not turn on encrypt ion, digital signing, or any other self -securing components until after you’ve tested the initial physical connections. This reduces troubleshooting time caused by mistyped passphrases or incorrectly configured security settings. Finally, keep on top of your logs, and research all critical events. Quickly rule out false positives, and fine -tune your IPS on a regular basis to minimize false positives and false negatives. Once you get behind in your log duty, catching up again is tough. Successful IPS ad ministrators track and troubleshoot everything as quickly as they can. The extra effort will pay dividends with smaller and more accurate logs. 8.1.6 Security Information and Event Management (SIEM) : Multiple security systems can report to a centralized S ecurity Information and Event Management (SIEM) system, bringing together logs and alerts from several disparate sources. You may find different combinations of references to the acronym SIEM, owing to the evolution of capabilities and the consequent variety of names attached to SIEM products over the years, such as “Security Incident and Event Management” or “Security Incident and Event Monitoring.” These are all the same thing —a technology to collect, analyze, and correlate events and alerts generated b y monitoring systems. SIEM platforms take the log files, find commonalities (such as attack types and threat origination), and summarize the results for a particular time period. For example, a ll logs and alerts from all IDSs , perimeter firewalls, persona l firewalls, antivirus scanners, and operating systems can be tied together. Events from al l logs are then gathered, analyz ed, and reported on from one location. SIEMs offer the ultim ate in -event correlation, giving you one place to get a quick snapshot of your system’s security or to get trend information. SIEMs can also coordinate signature and product updates. munotes.in
Page 148
148 Security in Computing SIEMs have a huge advantage over individual IDS systems because they have the capability to collect and analyze many different sources of inform ation to determine what’s really happening. As a result, the SIEM can significantly reduce false positives by verifying information based on other data. That data comes from many sources, including workstations, servers, computing infrastructure, databas es, applications, network devices, and security systems. Because all those sources generate a vast amount of real -time data, SIEM products need to be fast and effective, with a significant amount of storage and computing power. Today’s network attacks are often complex —slow, multifaceted, and stealthy. Attackers use many techniques to circumvent security controls. Slow attacks can spread malicious network traffic over days, weeks, or even months, hiding inside the massive data streams experienced on any given network. Multifaceted attacks use a variety of techniques in the hope that at least one will succeed, or that the distributed nature of the attacks will distract attention away from the source. Stealthy attacks use obscure or nonstandard aspects o f network technologies and protocols to slip past traditional monitoring capabilities that have been programmed based on the assumption that network traffic will always follow normal standards. An IDS needs SIEM to detect these advanced attacks. SIEM is o ne of the most important tools used by security operations and monitoring staff because it provides a one-stop visibility processing environment and attacks against those areas. Let’s take a look at what SIEM can do: - Data Aggregation : SIEM collect s infor mation from every available source that is relevant to a security event. These sources take the form of alerts, real -time data, logs, and supporting data. Together, these provide the correlation engine of the SIEM with information it can use to make decis ions about what to bring to the security administrator’s attention. munotes.in
Page 149
149 Intrusion Detection and Prevention Systems Consider the following examples of specific data sources consumed by SIEM. Alerts : When is an alert real, and when is it a false positive? This is the key question associated with an IDS and a source of frustration for security adminis trators in charge of tuning IDS . This is where SIEM enters into the picture. The key function of SIEM is to validate security alerts using many different sources of data to reduce false positives, so only t he most reliable alerts get sent on to the security administrator. Thus, the alerts from all IDS sources as well as all other security monitoring systems should be given only to the SIEM, so it can decide which ones to pass along. Real -Time Data : Real-time data such as network flow data (for instance, Cisco’s NetFlow and similar traffic monitoring protocols from other vendors) gives the SIEM additional information to correlate. Streaming this data into the SIEM provides important information about normal and abnormal traffic patterns that can be used in conjunction with alerts to determine whether an attack is in progress. For example, an unusually high amount of SMTP traffic that accompanies several malware alerts may result in a high confidence alert th at an e -mail worm is on the loose. Similarly, an abnormally high amount of inbound Internet traffic, combined with a high number of firewall deny events, can indicate a denial of service attack. Another example is fragmented or truncated network packets, which may indicate a network -based attack. Each of these real -time data elements gives the SIEM important validation data for IDS alerts. Logs : Logs are different from events, in that they are a normal part of system activity and are usually meant for de bugging purposes. Logs can be an important additional data source for a SIEM, however. Logs contain valuable information about what’s happening on a system, and they can give the SIEM a deeper view of what’s happening. munotes.in
Page 150
150 Security in Computing For example, login failures that m ay otherwise go unnoticed by a system administrator because they are buried in a system log might be of great interest to SIEM, especially if there are many login failures for a single account (indicating a possible focused attempt to break into that accou nt) or, similarly, if there are login failures on many different accounts, which may indicate a broad -based attempt to break into accounts using common passwords. System errors that are logged and collected by SIEM are a valuable source of correlating info rmation. In addition to providing the SIEM itself with detailed information, logs can be used to make decisions about the validity of IDS alerts and they are easier for humans to view in SIEM. The system administrator who needs to find a particular log en try may find SIEM is the best option for searching and finding that log entry. Ideal log sources for any SIEM include the following : o End-user computers o Windows and Unix servers o Domain controllers o DNS and DHCP servers o Mail servers o Databases o Web servers o Appl ications o Switches and routers o VPN concentrators o Firewalls o Web filters and proxies o Antivirus Logs can be sent to the SIEM in a couple of different ways: they can be pushed to the SIEM by the individual devices that collect the logs, or they can be pulled in by the SIEM itself. The S yslog protocol , which is widely used by Unix systems as well as network devices, is an example of a push technique. When the IP address of the SIEM is configured in the Syslog service of a server or device, each log entry that the device produces will be sent over the network to the SIEM. munotes.in
Page 151
151 Intrusion Detection and Prevention Systems For systems that don’t support Syslog, such as Windows, third -party software can be used to collect static log information and send it to the SIEM. The third -party software agent can be instal led directly on the reporting server, or on a central server built for log collection, in which case the software periodically connects to the server, grabs the latest log entries, and pushes them to the SIEM. Whether pushed or pulled, log entries need to be parsed. Every vendor has a different format for the fields in their S yslog data. Even though they all use the same protocol, the information contained within the log is not standardized. Modern SIEM products come with dozens of parsers that have been preconfigured to convert the Syslog fields of different manufacturers into a format the SIEM can use. In the rare cases where a built -in parser is not available for a particular vendor’s S yslog format, the SIEM allows the administrator to define a custom mapping. Supporting Data : You can enhance the quality of a SIEM’s correlation even more by providing the SIEM with supporting data that has been previously collected. Data can be imported into the SIEM, and it will use that data to make comparative determ inations. For example, asset management data containing names, IP addresses, operating systems, and software versions gives the SIEM valuable information it can use to determine whether an IDS alert makes sense within the context of the software environmen t. Coupled with risk weighting data, the SIEM can use this information to prioritize and escalate alerts that pertain to high -risk systems. You can also use vulnerability scans to give the SIEM information it can use to compare an alert about an exploit with an associated vulnerability to determine if the exploit is real and whether it was successful. Moreover, geolocation information can be used to prioritize alerts from high -risk countries or even lo cal areas such as the data cent er or public hotspots in which mobile devices might be attacked. munotes.in
Page 152
152 Security in Computing Analysis : A SIEM takes all the data given to it and makes decisions, so the security administrator can focus on the most important alerts. For this reason, event correlation is SIEM’s most important feature. The correlation engine of every SIEM product is its most distinguishing feature. The better the analysis, the cleaner the end result. In effect, a SIEM is a sort of artificial intelligence system, working much like the human brain in putting together differ ent elements that individually may not be important, but taken together form a picture of a critical security situation. A SIEM does this at a much faster rate than any human possibly could, giving the security administrator a time advantage so he or she can react quickly to attacks in progress. Real-time analysis of security events is only made possible with a SIEM. Thousands or even millions of events occur every second across most networks. No human can hope to see, absorb, and understand all of them at once. By comparison, forensic investigations in which the investigator looks at a few different data sources to decide who did what and when often take weeks of intense, focused effort. That’s too long a timeframe for an effective response to an attac k. To stop an attack in progress, real -time analysis is required. Because it collects so much data from across the enterprise, a SIEM can do more than alert. It can provide system administrators and network administrators with advanced search capabilities which they will not find on any other platform. For this reason, the SIEM represents an excellent shared platform that can make every administrator’s job easier and more efficient. Thus, the SIEM is not just a security tool; it’s also a valuable IT mana gement tool. The SIEM can also perform historical and forensic analysis based on the log information it collects. munotes.in
Page 153
153 Intrusion Detection and Prevention Systems Depending on how much storage is allocated to the SIEM, either on - board or over the network, it can retain logs and alerts for a long enough period of time that it can investigate past events. Security investigators can dig into the logs to find out what happened in a prior situation, and system administrators can look at past events to troubleshoot and evaluate functional issues. 8.2 LET US S UM UP We have seen an intrusion detection system should be a part of every network security administrator’s protection plan. An IDS provides the “detection” aspect of the three Ds of security. Along with other ID tools and methods, an IDS can monitor a ho st for system changes or sniff network packets of the wire, looking for malicious intent. NIDS uses the same technology to make decisions about blocking network traffic. An IDS in blocking mode is known as IPS. A HIPS would be appropriate on strategically valuable hosts, an IDS across the network for general early -warning detection, and an IPS for critical networks that need active protection. SIEM systems greatly enhance the accuracy, effectiveness, and completeness of IDS alerts. 8.3 QUESTIONS 1. Explain th e concept of IDS. 2. Explain different IDS types based on the network. 3. What are the different IDS detection methods? Explain. 4. Write a note on SIEM. 5. Explain different considerations of IDS deployment. 6. Explain the different features of IDS. 8.4 BIBLIOGRAPHY Carter, Earl, and Jonathan Hogue. Intrusion Prevention Fundamentals. Cisco Press, 2006. The Complete Reference: Information Security, Mark Rhodes -Ousley munotes.in
155 9 VOICE OVER IP (VOIP) AND PBX SECURITY Unit Structure 9.0 Objectives 9.1 Introduction 9.1.1 Background 9.1.2 VoIP Components 9.1.3 VoIP Vulnerabilities and Countermeasures 9.1.4 PBX 9.1.5 TEM: Telecom Expense Management 9.2 Let us Sum Up 9.3 Question s 9.4 Bibliography 9.5 References 9.0 OBJECTIVES After going through this unit, you will be able to: Understand the security of enterprise voice, telephony, and streaming multimedia systems such as video conferencing, webcast , and multicast systems . Study practical approaches to both VoIP and non -VoIP telephony system security . Understand best practices for protecting voice communications . Focus on the various components of modern telecommunication infrastructure . Understand best practices for securing each of those components . 9.1 INTRODUCTION Attackers have been targeting computing systems for the last 25 years or so using intentionally exploitative behavior such as hacking and denial of service attacks. However, telephony exploits (originally referred to as phone phreaking but now included as part of mainstream hacking) have been used by clever individuals and organizations as far back as the 1960s to do everything from gaining free long distance to secretly passing malicious data right under the senso rial noses of otherwise diligent security systems. munotes.in
Page 156
156 Security in Computing One of the most practical approaches to VoIP and non -VoIP tele phony system security is making yourself the least attractive target. In modern telecommunication infrastructures, many protocols are used, and nearly all of them cross over onto the data communication network. There is no longer a strict delineation between voice and data, and as a result, the risks to both data networks and voice networks consist of a superset of the risks to each. 9.1.1 Backgr ound : When a VoIP system is layered on the top of an IP network, risks are associated with both which are defined as: Many VoIP systems are server -based and rely on common operating systems (mainly Windows and Linux) to run their hardware interface. Theref ore, they are susceptible to a class of problems that from a voice systems perspective were not previously a threat. While providing low -cost, advanced end -user features and reliable transport mechanisms for voice traffic, IP-based voice protocols also give attackers a new method for exploiting voice systems and additional avenues for compromising data networks in general. The f ollowing are the components of a modern enterprise IP -based phone or video system: Call control elements (call agents) : Appliance o r server -based call control —Internet protocol private branch exchange (IPPBX) Soft switches Session border controllers (SBCs) Proxies Gateways and gatekeepers : Dial peers Multi -conference units (MCUs) and specialized conference bridges Hardware endpoints : Phones Video codecs Other devices and specialized endpoints Soft clients and software endpoints : IP phones munotes.in
Page 157
157 Voice Over IP (VOIP) And PBX Security Unified messaging (UM) integrated chat and voice clients Desktop video clients IP-based smartphone clients Contact center components : Automated call distribution (ACD) and interactive voice response (IVR) systems Call center integrations and outbound dialers Call recording systems Call center workflow solutions Voicemail systems : List of protocols commonly used on enterprise networks, the PTN, and the Internet: H.248 (also known as Megaco) Media gateway control protocol (MGCP) Session initiation protocol (SIP) H.323 The Skinny call control protocol (SCCP) and other proprietary protocols Session description protocol (SDP), real -time protocol (RTP), real - time control protocol (RTCP), and real -time streaming protocol (RTSP) Secure real -time transport protocol (SRTP) Inter -Asterisk eXchange protocols (IAX and IAX2) T.38 and T.125 Integrated services digital network (ISDN) Signa ling system number seven (SS7) and SIGTRAN Short message service (SMS) During traditional carrier networks, switches were introduced by a class with five different roles as U.S. -centric standards, these classes are: Class 1 : International gateways handing off and receiving traffic from outside the U.S and Canadian networks munotes.in
Page 158
158 Security in Computing Class 2 : Tandem switches interconnecting whole regions Class 3: Tandem switches connecting major population centers within a region Class 4 : Tandem switches connecting the various areas of a city or town in a region Class 5 : Switches connecting subscribers and end -users Anything below this level was considered a PBX or key system which effectively controls toll center s and long distances, but limited the availability of extended features such as least -cost routing. The portability of IP and flexibility of VoIP have allowed enterprises to provide their own transport across significant geographical distances, as they are no longer relegated to the functions and features of PBX. The main drivers of VoIP technology are the o pportunities for cost savings, from lowering the cost of structured cabling by sharing Ethernet connections to advanced features like VoIP backhaul and global tail -end hop-off. 9.1.2 VoIP Components : The major components of a VoIP network, while different in approach, deliver very similar functionality to that of a PSTN and enable VoIP networks to perform all of the same tasks that the PSTN does. The one additional requirement is that VoIP networks must contain a gateway component that enables VoIP calls to be sent to a PSTN, and vice versa. There are four maj or components to a VoIP network: Call processing Server / IP PBX Voice and Media Gateways and Gatekeepers MCUs Media / VoIP Gateways IP network
munotes.in
Page 159
159 Voice Over IP (VOIP) And PBX Security Call processing Server / IP PBX/ Call Control :
The cal l control element (the “brains” of the operation) of a VoIP system can be either a purposed appliance, a piece of software that runs on a common or specialized server operating system, or a piece of network hardware embedded or integrated into another netw orking component such as a switch blade or software module (soft switch). The enterprise ’s original IP phone systems were traditional digital time-division multiplexing (TDM) systems with an IP -enabled component, designed like digital systems. They eventual ly evolved into full IP -based systems (IPPBX). They have now evolved far beyond the early designs that mimicked the “old thinking” of voice networks by leveraging the tools and resiliency available in IP networking, high -availability server architecture, and virtualization. Primarily responsible for call setup and teardown, signaling, device software serving, and feature configuration, call control is one of the easier pieces of the voice infrastructure to protect. This does not mean that security for thi s component should be taken lightly. Call control is critical to the infrastructure, particularly if any part of your business’s revenue is dependent on phone calls (customer service, call centers, etc.). If your shop runs an IP phone system that you mana ge internally, this hardware sits well within your physical and logical security perimeter and should be relatively straightforward to secure. munotes.in
Page 160
160 Security in Computing Following best practices related to patching, backup, and configuration management is paramount, but as long as this component is not exposed to the outside world, it is a difficult target to all but internal threats. There are special types of call control elements such as session border controllers (SBCs) and voice proxies that are designed to be exposed to or int erface with systems under a different administrative domain. SBCs can also perform functions frequently required by regulations such as emergency call prioritization and lawful intercept. It would be wise to use one of these and to ensure they are hardened , particularly if you allow VoIP -to-PSTN calls. Network access control lists (ACLs) and firewalls can be employed to help and protect these and other elements of the voice infrastructure that must be exposed, and many advanced stateful firewalls now have built-in application -level gateway (ALG) capabilities designed specifically for voice protocols. Voice and Media Gateways and Gatekeepers :
The voice (or media) gateway is the pathway to the outside world. This component is what allows termination to a P STN, transcoding between TDM and IP networks, media termination, and other types of analog/digital / IP interface s required in today’s multimedia -rich IP infrastructures. Gateways are configured to use dial peers (defined as “addressable endpoints”) to or iginate and receive calls. munotes.in
Page 161
161 Voice Over IP (VOIP) And PBX Security Some gateways are directly managed by the call control elements via a control protocol (MGCP or H.248), whereas others operate in a more independent, stand -alone capacity (H.323 or SIP). Voice gateways can also run soft switche s and perform primary (or survivable) call processing or “all -in-one” functions, an approach commonly used in the SMB space. The critical piece to consider about voice gateways is that, in stark contrast to the call control components, the gateways are nea rly always exposed to the outside world in some way. Although not universally true based on the specific application, in an enterprise, voice gateways are the termination points for the PSTN and, as such, need to be carefully protected. Always ensure str ong authentication methods are u sed to access the device itself and pay special attention to disabling unneeded services on a gateway, especially H.323 and SIP if they are not being used. Some systems have these protocols enabled by default, which is a recipe for disaster if they are exposed unprotected to the Internet. For example, even if you are not running SIP on your network, a voice gateway with an Internet connection, a PSTN connection, and SIP. Gatekeepers, not to be confused with gateways, provide intelligence and control certain routing and authentication, authorization, and accounting (AAA) security functions. They can also perform and assist with certa in types of address translation and can consolidate administrative control elements such as cal l detail records (CDR), communication with monitoring and management systems, and bandwidth management for a given zone. MCUs : Conferencing and collaboration are used extensively within and across all enterprises as part of the fundamental communications capability that connects all users to each other. At the heart of this technology is the Conference Bridge , or multi - conference unit (MCU), a multiport bridging system for audio, video, and multimedia collaboration. The trend between internally hosted MCU s and provider -hosted MCUs has been stuck in the yoyo of corporate decision -making, with each specific situation warranting one direction or the other based on the cost to own, cost to operate, features, and security. Special attention should be paid to M CU functionality, whether they are hosted on the premise or externally, in order to make sure they are secure. munotes.in
Page 162
162 Security in Computing Consider the following: The easier it is to use, the more people will use it —even the ones you don’t want to use it. Convenience and ease of use need to be balanced with secure practices. A problem with MCU can affect a lot of users at once. MCUs can connect different types of media; require those facilities to be secured . Hardware Endpoints : Endpoint compromises today are frequently targeted at mo bile devices, and much of the attention in the industry right now is focused on how to secure the mobile environment. The hardware phone or video codec, sitting quietly idle in the office but running 24/7, may, however, become an important tool for advanc ed corporate espionage, eavesdropping, or denial of service attacks. Modern VoIP phones have a fair bit of intelligence built into them and offer a previously unavailable avenue —some phones have a built -in layer two switch and are capable of executing XML scripts or Java code locally. Video codecs run all kinds of custom code required for video conferencing and content sharing and are sometimes directly exposed to the Internet. None of these devices have particularly robust mechanisms for authenticating to their c ontrol components unless a diligent administrator goes out of his or her way to enable them. Generally, these local capabilities are used to make the devices more interactive and functional, but they can be exploited in a variety of ways. Accord ing to the research firm Gartner, XML -based attacks are the next big thing, based on comments released after the disclosure of vulnerabilities related to remote code execution and DoS ability from exploited XML code. Part of what makes this a problem for the enterprise is the sheer number of endpoints connected to the system —a single phone system may manage thousands of endpoint devices, offering a massive exploitable base from which to wreak havoc via DDoS or other types of disruptive attacks. With VoIP in place, it not only disables your ability to make phone calls and causes productivity loss but also can compromise your entire enterprise network from within. munotes.in
Page 163
163 Voice Over IP (VOIP) And PBX Security Specialized endpoints are also employed for a variety of situations. Ensure that the vendors o r OEMs supplying these components or devices have a suitable approach to security and understand their responsibility in the security of the overall infrastructure. It is important to recognize in this context that one phone can be the snowflake that star ts the avalanche. Software Endpoints: Enterprise desktop strategy focuses on c onvergence and extending simple and useful technologies to end users. This focus is intended to increase overall productivity and collaboration. One component of this strategy is the soft phone or voice and video - enabled chat client. This is a piece of software that runs on a PC or mobile device and acts like a hardware endpoint by registering the call control element(s) as a device. Why would you install a soft client on a mob ile device, which already has mobile capability? Two reasons: Cost is, of course, the first one. In many places, data usage on a cell phone is less costly than calling minutes, and by running a soft client, you convert what would otherwise be cellular usa ge minutes into an IP data stream (thank the “unlimited data plan” for this being a viable option). Second, by running the soft client, you can extend your enterprise features to the mobile user, including functionality not typically available on mobile d evices such as consolidated extension -based or URI dialing. Some enterprises are even using direct inward system access (DISA) features or forking in order to make the mobile device itself an augmentation of the desk phone, creating a Single Number Reach (SNR) environment and automatically employing intelligent features like tail -end hop -off without direct user invocation. System administrators need to consider the fact that, although enabling these types of features is great for users and allows the unprecedented ability to control cost, the virtual voice security perimeter now extends well beyond the physical perimeter they are charged with managing, sometimes reaching around the globe and well outside of the traditional realms of control. Additionally, this trend mandates that much more granular attention be paid to the end -user computing environment. munotes.in
Page 164
164 Security in Computing Call and Contact Center Components : Call centers have made a remarkable evolutionary leap, from initially being used as a place to take orders and field c omplaints to, being a strategic asset that most enterprises cannot survive without. Within the last decade, call centers have morphed into “contact centers” and “centers of excellence.” Trusted to sustain 24/7/forever operation and provide all levels of support to customers across every industry imaginable, these highly complex distributed systems, which now support millions of agents worldwide, have taken advantage of VoIP technologies in new and exciting ways —or, for the security administrator, in comple tely frightening ways. Their complexity has increased exponentially as the expectations of agents and customers alike have increased in sophistication. The two core components of any call center are automatic call detection (ACD) and interactive voice res ponse (IVR). Simply put, the ACD moves calls around, and the IVR collects information from the caller and queues those calls in the appropriate places, based on defined variables such as agent skills. Whereas some systems simply queue calls and route the m when an agent is available, others have advanced speech recognition capability and complicated algorithms predicting variables such as wait time for the next agent. Because of the complexity of these systems, it is especially important to ensure that th ey are patched and updated on a regular basis. A compromise of ACD or IVR could spell disaster for the victim, up to and including unrecoverable brand damage. Increasingly, these systems are being integrated with SaaS -based external solutions, especially CRM and other customer experience database systems. Although this offers the ability to drive a valuable and unique customer experience by having a single source of truth for customer data, it also warrants heavy scrutiny from a trained security professio nal. Many call centers employ predictive dialers or low -tech outbound dialers, which are powerful tools in the wrong hands unless best practices are followed to ensure that they are only allowed to call the numbers you want them to dial. Call recording a nd workflow management solutions can be very helpful for the overall productivity of your agent workforce, but they can also present a liability —these systems should have a known, munotes.in
Page 165
165 Voice Over IP (VOIP) And PBX Security published policy for how they are used, how long data is stored, how archive s are maintained, and what practices are used if data must or must not be destroyed. Voicemail Systems : A m ajor component of a VoIP -based telephony system is the voicemail system. Auto attendants, direct inward system access (DISA) features used for manua l call forwarding, automatic call forwarding, and other voicemail features are a “standard” component of enterprise life, which nearly everyone has come to expect and rely on. Unfortunately, they have historically been one of the easiest systems to abuse for three main reasons: o Access to mailboxes is typically numeric -only, and people find long strings of numbers difficult to remember. o Easy (and often default) passwords are commonplace. War dialers can be set up to target these systems and record successf ul logins for attackers to return to later. o Anyone who has ever built a voicemail system knows the practice of initially setting everyone’s default password to their extension, or perhaps the last four digits of their direct inward dialing (DID) phone numb er, or some other easy -to-figure -out formula. o This is a good opportunity to stretch your creative brain muscle and come up with something better. o Since voicemail systems have never really been considered a “key” component of enterprise infrastructure, muc h less attention has been paid to securing these systems than to, say, the enterprise ERP or financial systems. o Keep in mind, access to this type of functionality in the wrong hands can cause permanent damage to an organization in financial (and worse) wa ys. o More often than not system -level access to and from the outside world is not carefully controlled or audited, as some of a voicemail system’s convenience “features” need outside access in order to work properly. o To preserve the sanctity of your voicem ail system, always deactivate and preferably delete unused mailboxes, never leave default passwords in place, consider requiring more than a four - digit access code , and seriously evaluate how these systems will be used within your infrastructure. munotes.in
Page 166
166 Security in Computing 9.1.3 VoIP Vulnerabilities and Countermeasures : Having outlined the components that may fall under your purview in an enterprise VoIP infrastructure, let’s now consider the three main exploitable paths from which you may be attacked: The “low-tech” hacks Attacks on server, appliance, or hardware infrastructure Advanced threats directed against specific systems or protocol o Telephony systems are frequently targeted partly because of the maturity of their services and partly owing to their sheer numbers. o Everyone has a phone system. o Here’s what you can do to ensure that you’ve done your due diligence when it comes to protecting your VoIP and multimedia -rich infrastructure. o The following areas require specific attention from security administrators and these are the areas we’ll focus on in this section: The original hacks —how to protect yourself from the oldest tricks in the book? Adding insult to injury: consider who tries to exploit vo ice services vs. VoIP services. Vulnerabilities and exploits: o The network o The serv ers o The appliances o The “other stuff” The protocols —examining specific areas of concern System integrators, hosted systems, and TEM as part of an enterprise security posture , Putting it all together: process makes perfect. Old Dogs, Old Tricks: The Origi nal Hacks : John Draper discovered (and exploited) a vulnerability in the Dual - tone multi -frequency signaling (DT MF) dialing systems of the time when he found that a toy whistle from a cereal box could be used to produce a 2600 Hz sound to manipulate the co mmunication protocol of public phone systems to obtain free long distance. He was sentenced to two months in prison. You might think that telephone companies would have immediately munotes.in
Page 167
167 Voice Over IP (VOIP) And PBX Security fixed the vulnerability so other people couldn’t repeat the exploit. Low-tech approaches like this worked for many phone systems around the globe well into the 1980s. While most modern IP -based systems are smart enough not to fall for the old DTMF tricks, you want to take precautions against equally simple attacks that will pr obe your defenses on a daily basis. Information on exploits of various systems is so readily available, that taking advantage of open relays is a common recreational and for - profit activity. In addition, the security of a fixed location, such as a land line, is no longer a reliable way to ensure that you know where a call is originating from, an important part of understanding what someone is trying to do. The portability of public IP address space means that spoofing the physical location of a phone is a relatively easy matter, and tracking it down can be quite difficult. The VoIP predator’s basic approach is to sell a VoIP service to end customers and then use compromised systems to route those calls for free from and to virtually anywhere. The predato r charges for service on the front end but gets a free service on the back end. There’s always a phone bill —but it is generally left up to the victim to settle, as the victim’s carrier has to pay their partner provider for the calls regardless. In the ent erprise, the trick is to not become one of those relays. Often, people or businesses think they are subscribing to a legitimate service, as there are hundreds, even thousands, of exploited gateways. Of little help is the fact that hiding voice transit and routing among other IP -based traffic is easy. Assessment Audit : Create a risk profile for low -tech hacks in your organization by doing the following audit. What is your external facing profile? Are there exposed numbers that can reach internal systems and access them? If so, do those internal systems have password or PIN protection? What complexity? If simple access is required for any reason, can you audit access? munotes.in
Page 168
168 Security in Computing Who is responsible for accepting the risk of a breach? Is this person aware of this respo nsibility and what it means to the organization? Have you performed an inventory of all voice protocols enabled on your gateways for use later? If not, do so now. Is DISA enabled? Given that some organizations prefer a “live answer” experience for their internal and external customers, have the operators been trained and given process documentation to follow in the event of a suspected malicious call? War dialers are still out there … do you have the capability to determine if someone is trying to breach your defenses? Then use it. Enlist the phone company’s help in tracking down malicious behavior before the culprit finds an opening. Do you have a Telecom Expense Management (TEM) program that tracks and reports on the costs of phone usage and identifies which phones have the largest bills? Action Steps : 1. Create a scorecard from the information you’ve gathered from your audit in order to identify your most significant risks and areas in nee d of attention; prioritize high -risk items with a standard likeliho od and severity graph or matrix. 2. Know your dial -in numbers; only publish them for those who may need to use them, and ensure the executive team is aware of the risk of offering this service. 3. Enforce password requirements for system access. 4. Delete old and unused mailboxes as soon as possible. 5. Use restrictions to preven t DISA from being used for long -distance and international calling; if not possible or if the feature is needed, ensure that all calls made via DISA are logged and auditable and users with a ccess to the service are educated on the risks. 6. Limit exposure where possible by using fewer external dial -in numbers; enforce a business process that requires security team review and approval prior to enabling new services. 7. Do not offer all user featur es to all users by default, unless your security program can support the ongoing use, auditing, and management of these features for the full user population. 8. Pay attention to call forwarding and who is allowed to use the feature to send calls outside of your perimeter. munotes.in
Page 169
169 Voice Over IP (VOIP) And PBX Security 9. Determine how your TEM program can flag abnormal patterns or utilization in order to give you visibility into when you may have a problem. Vulnerabilities and Exploits : For our purposes in this section, vulnerability means a weakness that h as not yet been used to compromise a perimeter, whereas exploit is a compromised vulnerability. Network: Security administrators need to understand how to strike a balance between functionality and security, particularly when their peers (network and syste ms administrators) have the job of trying to move traffic in an unobstructed fashion across common multiaccess networks. Inspecting packets takes resources and adds transit time, which can lead to an adversarial relationship between the teams working to mo ve packets from place to place seamlessly and the teams trying to ensure that legitimate data is contained within those packets. Sit down with the parties responsible for the network and the voice systems, and use a cooperative approach citing the greater good . Discuss the following topics: What protocols will be allowed and used for VoIP on the network? What protocols should be explicitly blocked? How much bandwidth is “normal” for your call volumes? If you’re using a G.711 codec, you should expect ~80 kb per call. G.729 can vary depending on the compression used and specific subprotocol. Can you create segregated security areas (zones) for your voice components? Subnets for voice control and voice gateways. Subnets for phones (many network switches no w have a voice VLAN command that allows the phone to exist on a different VLAN than the device attached behind the phone). Only allow the protocols in and out that you need; if a system integrator (SI) is implementing the system for you, have them provide this information, or consult your system documentation from the manufacturer. munotes.in
Page 170
170 Security in Computing Servers : As with any server -based system, understand your key weaknesses and most vulnerable areas. As described in the previous section, having updated diagrams and an invento ry of all of the components of your voice platform will help ensure that those assets can be secured in a reasonable way. Documentation is a critical but frequently overlooked part of a security management strategy, which applies to VoIP as well. For any server -based system that runs on a commodity OS (typically Windows or Unix), ensure that your network or server teams are prepared to follow patch management procedures for these resources along with the rest of the environment. With companies like Micro soft enabling features like enterprise voice services and voicemail, system administrators have the added responsibility of ensuring that Windows servers are patched for these in addition to the rest of their KB patches. In addition, many contact center an d workforce productivity solutions, some of which have special versions supported only by the manufacturer, also run -on Windows under the hood. Appliances : Once upon a time, when DTMF ruled the voice world, dialogic boards were the key for interpreting dia led digits, and every voice system had them in either the PBX controller or voicemail system. Back then, nearly all voice systems would have been considered “custom appliances” by today’s standards. The common modern practice for many manufacturers today is to buy OEM hardware from one of the big server suppliers and to run either a proprietary OS or a custom version of a commodity operating system to create their “appliance.” Some voice hardware providers still make their own application - specific integr ated circuit (ASIC) chips and hardware chassis, but this is becoming less common as standardization and virtualization gain adoption in the voice space. The real relevance for security administrators is in the amount of customization the provider does in order to offer their features. In one sense, a certain “security by obscurity” is achieved with highly customized platforms because there are generally fewer of them in the field and they present a less attractive target than something more widely deploye d. munotes.in
Page 171
171 Voice Over IP (VOIP) And PBX Security Inversely, an exploit specific to a unique platform may remain undiscovered for a longer period of time, as you are dependent on the manufacturer or specific product community to identify such vulnerabilities. Everything Else : There’s a lot that falls into the “other stuff” category, from hosted systems to all of the components that are not considered call control. Hosted systems are covered later, as they require special considerations. The two most commonly exploited systems in the “other stuff” category are DISA -enabled voicemail servers and gateways that allow connections from the Internet. No matter what brand of phone system you are running, keep the following information handy: For the voicemail system: Use a least -privilege model in which admi nistrators do not have mailboxes accessible via external means; require a VPN and strong authentication. Delete unused mailboxes. Force complexity requirements for voicemail passwords and access codes Carefully consider the risks of allowing remote call forwarding or other call forwarding features, particularly those that can be enabled remotely; if a feature is not absolutely necessary for your users, do not allow it. Use strong authentication for “remote desti nation” calling or calling - card-type featur es. For the voice gateways: Explicitly disable unused services, especially those with Internet - facing connections. Lock down via ACL or firewall what systems are allowed to communicate with the gateways via IP; use a secondary system (IPS) to watch what th e gateways are doing if you are running SIP or a similar protocol. The Protocols : At the heart of the family of VoIP , technologies are the specific protocols that enable the transit and real -time conversations that IP networks were not originally designed to handle. munotes.in
Page 172
172 Security in Computing Security filtering and analysis for most network -based communications have become quite advanced, but VoIP -specific capability has not kept up with the rest of the industry. While current -generation firewall ALGs can tell you that a VoIP conve rsation is, in fact, a valid protocol (RTP, RTSP) and they cannot: o Tell you what is taking place in that conversation o Guarantee that no one else is listening in o Determine that a voice conversation is the only thing taking place over that communication ch annel Outside of the U.S. Department of Defense or Department of Homeland Security, advanced heuristic electronic listening is not widely employed for security purposes. Realistically and within the reach of ordinary organizations, the following section l ists the mechanics of the protocols you’ll encounter on an enterprise network, some associated risks, and practical suggestions for protecting them. Protocol: SIP : Governing Standard : The Session Initiation Protocol (SIP) standards and extensions are so numerous that an RFC is dedicated to identifying all of the other SIP RFCs, and there are books to help navigate the situation. For the basics, RFC 3261 is the core SIP standard. SIP is a highly complex set of protocols —really a protocol suite with volumes dedicated to implementing, managing, and securing the entire stack based on different use cases . This overview is not a substitute for deeper research on how SIP is being used within an enterprise and the methods required to ensure it has been securely imp lemented and suitably protected. Purpose : Application layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. Sessions include Internet telephone calls, multimedia calls and distribution, and mul timedia conferencing. In plain English: SIP is used for all kinds of voice and multimedia applications and is prolific both on corporate networks and the Internet, sometimes appearing unintentionally in enterprise environments via voice -enable d chat clien ts that are both sponsored (e.g., Lync, Connect, Jabber, etc.) and unauthorized (Yahoo messenger, AIM, etc.). munotes.in
Page 173
173 Voice Over IP (VOIP) And PBX Security Function : SIP is a session -based protocol that uses SIP invitations that are used to create sessions. These carry session descriptions that allow participants to negotiate a set of compatible media types. SIP makes use of proxy servers to route requests to a user’s registered location, authenticate and authorize services, implement provider call - routing policies, and provide features. SIP also pr ovides a registration function that allows users to upload their current locations for use by SIP proxies. SIP runs on top of several different transport protocols and relies on a variety of different mechanisms for security . Known Compromises and Vulnera bilities : Because there are so many SIP -related vulnerabilities that exist based on the different implementations of the protocol and extensions, it is worth classifying them into the following categories: Control system and SIP proxy Device -based (includ ing a mobile device) DoS, DDoS, flooding SPAM over Internet Telephony (SPIT) Vishing (the criminal practice of using social engineering over a telephony system, widely facilitated by VoIP and SIP -based systems) Spoofing, barging, and redirection Replay and interception Recommendations : If you’re going to allow SIP on the network or enable SIP -based enterprise applications, either for voice and video or other converged services or for less specific us es third -party IM clients, etc., seriously consider the minimum level users need in order to function. Discuss this with whoever in your organization is responsible for the services that use SIP and ensure that they understand the risks of this highly dynamic protocol. If SIP is required, and particularly if such a requirement includes SIP services be available via the Internet, ensure you are using a device that has the capability to inspect the traffic and validate that the information in the SIP header is correctly formed and is accurate. munotes.in
Page 174
174 Security in Computing This is the easie st way to tell if there is a spoof attempt or other malicious activity in process. 9.1.4 PBX :
A Private Branch Exchange (PBX) is a computer -based switch that can be thought of as a local phone company. Following are some common PBX features: Multiple ex tensions Voicemail Call forwarding Fax management Remote control (for support) Hacking a PBX : Attackers hack PBXs for several reasons: To gain confidential information (espionage) To place outgoing calls that are charged to the organization’s account (and thus free to the attacker) To cause damages by crashing the PBX Administrative Ports and Remote Access : Administrative ports are needed to control and diagnose the PBX. In addition, vendors often require remote access via a modem to be able to support a nd upgrade the PBX. This port is the number one hacker entry point. An attacker can connect to the PBX via the modem; or if the munotes.in
Page 175
175 Voice Over IP (VOIP) And PBX Security administrative port is shared with a voice port, the attacker can access the port from outside the PBX by calling and manipulat ing the PBX to reach the administrative port. Voicemail : An attacker can gain information from voicemail or even make long - distance phone calls using a “through -dial” service. After a user has been authenticated by the PBX, that user is allowed to make c alls to numbers outside the PBX. An attacker can discover a voicemail password by running an automated process that “guesses” easy passwords such as “1111,” “1234,” and so on. Denial of Service : A PBX can be brought down in a few ways: PBXs store their voi cemail data on a hard drive. An attacker can leave a long message, full of random noises, in order to make compression less effective —whereby a PBX might have to store more data than it anticipated. This can result in a crash. An attacker can embed code s inside a message. Securing a PBX : Here is a checklist for securing a PBX: Connect administrative ports only when necessary. Protect remote access with a third -party device or a dial -back. Review the password strength of your users’ passwords. Allow pas swords to be different lengths, and require the # symbol to indicate the end of a password, rather than revealing the length of the password. Disable all through -dialing features. If you require dial -through, limit it to a set of predefined needed numbers . Block all international calls, or limit the number of users who can initiate them. Block international calls to places such as the Caribbean that fraudsters tend to call. munotes.in
Page 176
176 Security in Computing Train your help desk staff to identify attempted PBX hacks, such as excessive ha ng-ups, wrong number calls, and locked -out mailboxes. Make sure your PBX model is immune to common DoS attacks. 9.1.5 TEM: Telecom Expense Management :
Telecom Expense Management is both a methodolo gy and a software platform that permits an organization t o manage expenses tied to the critical strategic asse ts of its telecom network. It encompasses the technology, processes, policy , and people required to manage and use a business telecommunications system. The technology and services involved include: Mobi le services, Pagers Voice lines, PRI, VoIP Data Circuits, DSL, T1, T3, MPLS Calling cards Conferencing (Audio, Video , and Web) TEM is offered as software as a service (SaaS) where vendors are able to target net savings for clients and supports the followin g practices: Invoice and auditing & processing Procurement (Provisioning and escalation) Inventory validation and asset management Mobile usage policy (Implementation and management) Integration of mobile and landline systems munotes.in
Page 177
177 Voice Over IP (VOIP) And PBX Security Management of multi -currency, multi -vendor system Contract management and compliance Reporting with business intelligence and role -based flow The goals of TEM are to streamline management, validate assets, and provide data on costs and billing for efficient management of accountability , mobile services , and cost savings. Phone bills can be more complex to read than ancient hieroglyphs, and there has been little progress made i n simplifying or decoding them for the average consumer or telecom manager. Understanding what is on your phone bill so you can tell whether your voice providers are doing the right thing is important (there are alarming statistics on the error percentage in consumer and corporate phone bills). But that’s the job of your telecom group —why would a security professi onal care about phone bills? Your phone bill can have some clues to other problems in your environment, and a TEM program can help automate the process of getting to the goodies, the high -quality information you need to tell quickly if you have a security problem related to your phone system. TEM is a relatively new discipline in the telephony space, gaining major adoption within the last decade. There are many firms armed with specialized software ready to help you collect, organize, understand, interpret , and audit your telephone bills, all for a modest gain -share or percentage of savings fee. While effort is involved in the setup and optimization of the billing, once you’ve reached the point where a TEM firm can actually audit bills, you’re likely to hav e a useful tool to spot irregular or suspicious activity that may otherwise be tough to catch. At some point in his or her career, every security professional gets pulled into a conversation about some malicious phone calls or fraudulent billing. Even if the administrator hasn’t had much to do with telecom prior to that, suddenly he or she has to figure out how the telephone fraud happened. With TEM in place, the security administrator has a powerful tool to search for precursors or other suspicious activ ity that could be related to the exploited vector the attacker used and can help identify where it may happen again. If e.g., an unexpected Rs.10,000 phone bill arrives out of nowhere with calls to countries your users have no reason to call, and through munotes.in
Page 178
178 Security in Computing investigation , you determine that it was the result of a gateway compromise, you could use the TEM capability to check the rest of the PRI or voice services globally to determine if any of the same suspicious or exploited numbers were being called and to he lp determine if there are other potentially compromised gateways. You would, of course, also want to do an internal network audit of the services and security on the gateways themselves, as you’ll want to plug the holes you know about at the same time tha t the TEM and audit function is checking for leaks elsewhere for you. Although phone bills are generally not directly related to the security group’s main role, it is the objective of every security group to protect stakeholder interests, and TEM can help a security group detect anomalous behavior and operate more quickly and effectively when they are called in to action for this type of an issue. 9.2 LETS US SUM UP Successful security administrators should keep this mantra in mind in all things that they do: process, process, process. Having solid, repeatable processes to support any efforts on which they embark can not only help to build trust in the security group but also help elevate the level to which security supports and enables the business. Speci fically with voice systems, investing the time to create a process cycle for evaluating new voice initiatives and maintaining updated documentation will pay dividends in the long run. Voice systems warrant special attention from security groups. 9.3 QUESTI ONS 1. Explain the main functionality of VoIP. 2. Explain the different components of VoIP. 3. Explain the features of different protocols of VoIP. 4. What is the role and functionality of PBX? 5. Write a note on TEM. 6. Explain SIP in details. 9.4 BIBLIOGRAPHY Dwivedi, Hi manshu. Hacking VoIP: Protocols, Attacks, and Countermeasures. No Starch Press, 2008 munotes.in
Page 179
179 Voice Over IP (VOIP) And PBX Security The Complete Reference: Information Security – The Complete Reference: Information Security, McGraw Hill 9.5 REFERENCE https://www.researchgate.net/publication/313101329_The_Evaluation _of_Voice -over_Internet_Protocol_VoIP_by_means_of_Trixbox https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=1705876
*****
munotes.in
Page 180
180 10 OPERATING SYSTEM SECURITY MODELS Unit Structure 10.0 Objectives 10.1 Introduction 10.1.1 Operating System Models 10.1.2 Classic Security Models 10.1.3 Reference Monitor 10.1.4 Trustworthy Computing 10.1.5 International standards for operating System Security 10.2 Let us Sum Up 10.3 Questions 10.4 Bibliography 10.5 References 10.0 OBJECTIVES After going through this unit, you will be able to: Understand the security reference monitor and how it manages the security of its related elements Aware of access control —the heart of information security Learn International standards for operating system security, which provide organizations with a level of assurance and integrity. 10.1 INTRODUCTION An operating system security model is the foundation of the operating system’s security functionality. All security functionality is architected, specified, and detailed in advance —before a single line of code is written. Everything built on top of the security model must be mapped back to it, and any action t hat violates the security model should be denied and logged. Protection and security require that computer resources such as CPU, software, memory , etc. are protected. This extends to the operating system as well as the data in the system. This can be don e by ensuring integrity, confidentiality , and availability in the operating system. 10.1.1 Operating System Models : The operating system security model also known as the trusted computing base, or TCB is simply the set of rules, or protocols, for munotes.in
Page 181
181 Operating System Security Models security functionality. Security commences at the network protocol level and maps all the way up to the operations of the operating system. An effective security model protects the entire host and all of the software and hardware that operate off it. Previous sy stems used an older, monolithic design, which proved to be less than effective. Current operating systems are optimized for security, using a compartmentalized approach. The trend in operating systems has been toward a microkernel architecture. In contr ast to the monolithic kernel, microkernels are platform - independent. Although they lack the performance of monolithic systems, they are catching up in terms of speed and optimization. A microkernel approach is built around a small kernel with a common hardware level. The key advantage of a microkernel is that the kernel is small and easy to port to other systems. The Underlying Protocols Are Insecure : Extending the submarine analogy, the security protocol has a direct connection to the communication prot ocol. Today, the protocol is TCP/IP —the language of the Internet and, clearly, the most popular and utilized protocol. If the operating system is an island, then TCP/IP is the sea. Given that fact, any operating system used today must make up for TCP/IP’s shortcomings. Even the best operating system security model can’t operate in a vacuum or as an island, however. If the underlying protocols are insecure, then the operating system is at risk. What’s frightening about this insecurity is that while the language of the Internet is TCP/IP, effective security functionality was not added to TCP/IP until version 6 in the late 1990s. Given that the vast majority of the Internet is still running an insecure version of TCP/IP, version 4, the entire Internet and corporate munotes.in
Page 182
182 Security in Computing computing infrastructure is built on and running on an insecure infrastructure and foundation. The TCP/IP protocol’s main problems are as follows: Vulnerable to spoofing : Spoofing is the term for establishing a connection with a forged sender a ddress. Normally this involves exploiting trust relations between the source address and the destination address. The ability to spoof the source IP address assists those carrying out DoS attacks by making it difficult for victims to block the DoS traffi c, and the predictability of the initial sequence number (ISN), which is a unique number that is supposed to guarantee the authenticity of the sender, contributes more to spoofing attacks by allowing an attacker to impersonate legitimate systems and take o ver a connection (as in a man in the middle attack). Vulnerable to session hijacking: An attacker can take control of a connection by intercepting the session key and using it to insert his own traffic into an established TCP/IP communication session, usua lly in combination with a DoS attack against the legitimate sender so that traffic cannot get through, as in a man in the middle attack. Predictable sequence guessing: The sequence number used in TCP connections is a 32 -bit number, so the odds of guessing the correct ISN would seem to be exceedingly low. If the ISN for a connection is assigned in a predictable way, however, it becomes relatively easy to guess. The truth is that the ISN problem is not a protocol problem but rather an implementation problem. The protocol actually specifies pseudorandom sequence numbers, but many implementations have ignored this recommendation. No authentication or encryption : The lack of authentication and encryption with TCP/IP is a major weakness. Vulnerable to SYN floodi ng: SYN flooding takes advantage of the three -way handshake in establishing a connection. When Host B receives a n SYN request from A, it must keep track of munotes.in
Page 183
183 Operating System Security Models the partially opened connection in a listen queue, enabling successful connections even with long n etwork delays. The problem is that many implementations can keep track of only a limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host but never replying to the SYN and A CK sent by the other hosts. By doing so, the malicious host quickly fills up the other host’s listen queue, and that host stops accepting new connections until a partially opened connection in the queue is completed or times out. The security benefits of TCP/IP version 6 include : IP Sec security Authentication and encryption Resilience against spoofing Data integrity safeguards Confidentiality and privacy An effective security model recognizes and is built around the fact that because security is such a n important design goal for the operating system, every resource that the operating system interfaces with memory, files, hardware, device drivers, and so on must interact from a security perspective. By giving each of these objects an access control list (ACL), the operating system can detail what that object can and can’t do by limiting its privileges. Access Control Lists : Much of the security functionality afforded by an operating system is via the ACL. Access control comes in many forms, but in whatev er form it is implemented, it is the foundation of any security functionality. Access control enables you to protect a server or parts of the server such as directories, files, file types, and so on. When the server receives a request, it determines acce ss by consulting a hierarchy of rules in the ACL. An access control list is defined as a table that tells a computer operating system w hich access rights each user has for a particular system object, such as a file directory or an individual file. Each o bject has a security attribute that identifies its access control list. munotes.in
Page 184
184 Security in Computing The list has an entry for each system user with access privileges. The most common privileges include the ability to read a file or all the files in a directory, to write to the file or files, and to execute the file if it is an executable file or program. Each operating system implements the ACL differently. In Windows, an ACL is associated with each system object. Each ACL has one or more access control entries (ACEs), each consi sting of the name of a user or a group of users. The user can also be a role name, such as a programmer or tester. For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask. Generally, the syst em administrator or the object owner creates the access control list for an object. Each ACE identifies a security principal and specifies a set of access rights that are allowed, denied, or audited for that security principal. An object’s security descri ptor can contain two ACLs: A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access A system access control list (SACL) controls how access is audited . Unix systems also have access control based on user permissions and roles defined by groups. System objects have permissions defined within them, which can be controlled on the basis of read, write, and execute permissions for each user or group defined on the system. MAC vs. DAC : Access control lis ts can be further refined into both required and optional settings. This refinement is carried out more precisely with discretionary access control and is implemented by discretionary access control lists (DACLs). The difference between discretionary acc ess control and its counterpart, mandatory access control, is that DAC provides an entity or object with access privileges it can pass to other entities. Depending on the context in which they are used, these controls are also called rule -based access cont rol (RBAC) and identity -based access control (IBAC). Mandatory access control requires that access control policy decisions be beyond the control of the individual owners of an object. munotes.in
Page 185
185 Operating System Security Models MAC is generally used in systems that require a very high level of security. With MAC, only the administrator and not the owner of the resource may make decisions that bear on or derive from the security policy. Only a security administrator may change a resource’s category, and no one may grant a right of access that is explicitly forbidden in the access control policy. MAC is always prohibitive and not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. All of the major operating s ystems such as Solaris, Windows, NetWare , and so on use DAC. MAC is implemented in more secure, trusted operating systems such as Trusted BSD and Trusted Solaris. Table Below details the difference in functionality between discretionary and mandatory acce ss control: Control Type Functionality Discretionary Individual users may determine the access controls. Works well in the commercial and academic sectors. Not suited for the military. Effective for private websites, etc. Mandatory Allows the system administrator to set up policies and accounts that will allow each user to have full access to the files and resources needed, but no access to other information and resources Not immediately necessary to perform assigned tasks. Site-wide security policy is enforced by the system in addition to the discretionary access controls. Better suited to environments with rigid information. Effective access restrictions. Access permission cannot be passed from one user to another. Requires labeling: sensitivity and integrity labels. Table: The Difference in Functionality Between Discretionary and Mandatory Access Control munotes.in
Page 186
186 Security in Computing 10.1.2 Classic Security Models : The f ollowing three most famous security models in computer security are: Bell-LaPadula Biba Clark -Wilson Those designing operating system security models have the liberty of picking and choosing from the best of what the famous models have, without being encumbered by their myriad details. Bell-LaPadula : While the Bell -LaPadula model was revolutionary when it was published in 1976, descriptions of its functionality today are almost anticlimactic. The Bell -LaPadula model was one of the first attempts to formalize an information security model. The Bell -LaPadula model was designed to prevent users and processe s from reading above their security level. This is used within a data classification system —so a given classification cannot read data associated with a higher classification —as it focuses on the sensitivity of data according to classification levels. In addition, this model prevents objects and processes with any given classification from writing data associated with a lower classification. This aspect of the model caused a lot of consternation in the security space. Most operating systems assumed that the need to write below one’s classification level is a necessary function. But the military influence on which Bell -LaPadula was created mandated that this be taken into consideration. munotes.in
Page 187
187 Operating System Security Models
Biba : Biba is often known as a reversed version of Bell -LaPadula, as it focuses on integrity labels, rather than sensitivity and data classification. Bell-LaPadula was designed to keep secrets, not to protect data integrity. Biba covers integrity levels, which are analogous to sensitivity levels in Bell -LaPadula, and th e integrity levels cover inappropriate modification of data. Biba attempts to preserve the first goal of integrity, namely to prevent unauthorized users from modifying data. munotes.in
Page 188
188 Security in Computing Clark -Wilson : Clark -Wilson attempts to define a security model based on accepte d business practices for transaction processing. Much more real -world -oriented than the other models described, it articulates the concept of well -formed transactions that: o Perform steps in order o Perform exactly the steps listed o Authenticate the individ uals who perform the steps
TCSEC : In the early 1970s, the United States Department of Defense published a series of documents to classify the security of operating systems, known officially as the Trusted Systems Security Evaluation Criteria . The TCSEC was heavily influenced by Bell -LaPadula and classified systems at levels A through D. TCSEC was developed to meet three objectives: To give users a yardstick for assessing how much they can trust computer systems for the secure processing of classified o r other sensitive information To guide manufacturers in what to build into their new, widely available commercial products to satisfy trust requirements for sensitive applications To provide a basis for specifying security requirements for software and har dware acquisitions. munotes.in
Page 189
189 Operating System Security Models Although TCSEC offered a lot of functionality, it was, by and large, not suitable for the era of client/server computing. The client/server computing world was embryonic when the TCSEC was created, although its objectives were admirable . The t able below provides a brief overview of the different classification levels: TCSEC Rating Usage D—Minimal Protection Any system that does not comply with any other category or has failed to receive a higher classification No security requiremen ts Was used as a catch -all category for such operating systems as MS -DOS and Windows 95/98/ME C1—Discretionary Protection DACL/ACL User/Group/World Protection Usually for users who are all on the same security level Protected operating system and system operations mode Periodic integrity checking of TCB Tested security mechanisms with no obvious bypasses Documentation for user security Documentation for systems administration security Documentation for security testing TCB design documentation C2—Controlled Access Protection Everything in C1 plus: Object protection can be on a single-user basis, for example, through an ACL or trustee database Authorization for access may be assigned only by authorized users Object reuse protection Mandatory identification and authorization procedures for users, such as username/password Full auditing of security events Protected system mode of operation Added protection for authorization and audit data Documentation as C1 plus information on examining audit information One of the most common certifications, including VMS, IBM OS/400, Windows NT 3.51, Novell NetWare 4.11, Oracle 7, and DG AOS/VS II munotes.in
Page 190
190 Security in Computing B1—Labeled Security Protection Everything in C2 plus: Mandatory security and access labeling of all objects, for example, files, processes, devices Label integrity checking (for example, maintenance of sensitivity labels when data is exported) Auditing of labeled objects Mandatory access control for all operations Enhanced auditing Enhanced prote ction of operating systems Improved documentation Operating systems: HP -UX BLS, Cray Research Trusted Unicos 8.0, Digital SEVMS, Harris CS/SX, and SGI Trusted IRIX Table: Classifications of Operating Systems Security TCSEC Rating Usage B2—Structured Protection Everything in B1 plus: Notification of security level changes affecting interactive users Hierarchical device labels Mandatory access over all objects and devices Trusted path communications between user and system Tracking down of cove rt storage channels Tighter system operations mode into multilevel independent units Covert channel analysis Improved security testing Formal models of TCB Version, update, and patch analysis and auditing Example systems: Honeywell Multics and Truste d XENIX B3—Security Domains Everything in B2 plus: ACL additionally based on groups and identifiers Trusted path access and authentication Automatic security analysis TCB models more formal Auditing of security auditing events Trusted recovery after the system was down and relevant documentation munotes.in
Page 191
191 Operating System Security Models Zero design flaws in TCB and minimum implementation flaws Only B3-certified OS is Getronics/Wang Federal XTS-300 A1—Verified Design A1 is the highest level of certification and demands a formal s ecurity verification method to ensure that security controls protect classified and other sensitive information. At this level, even the National Security Agency cannot break in. A1 requires everything in B3 plus: Formal methods and proof of the integrity of TCB Label integrity checking (for example, maintenance of sensitivity labels when data is exported) Only A1 -certified systems: Gemini Trusted Network Processor and Honeywell SCOMP Table: Classifications of Operating Systems Security (continued) Labels: TCSEC makes heavy use of the concept of labels. Labels are simply security -related information that has been associated with objects such as files, processes, or devices. The ability to associate security labels with system objects is also under sec urity control. Sensitivity labels, used to define the level of data classification, are composed of a sensitivity level and possibly some number of sensitivity categories. The number of sensitivity levels available is dependent on the specific operating system. In a commercial environment, the label attribute could be used to classify, for example, levels of a management hierarchy. Each file or program has one hierarchical sensitivity level. A user may be allowed to use several different levels, but only one level may be used at any given time. While sensitivity labels identify whether a user is cleared to view certain information, integrity labels identify whether data is reliable enough for a specific user to see. An integrity label is composed of an integrity grade and some number of integrity divisions. The number of hierarchical grades to classify the reliability of information is dependent on the operating system. munotes.in
Page 192
192 Security in Computing While TCSEC requires the use of labels, other regulations and standards such as the Common Criteria also require security labels. There are many other models around, including the Chinese wall, Take -Grant , and more. But in practice, none of these models has found favor in contemporary operating systems (Linux, Unix, Windows) —they are o verly restrictive and reflect the fact that they were designed before the era of client/server computing. Current operating system architects are able to use these references as models, pick and choose the best they have to offer, and design their systems accordingly. 10.1.3 Reference Monitor : The Computer Security Technology Planning Study Panel called together by the United States Air Force developed the reference monitor concept in 1972. They were brought together to combat growing security problems in a shared computer environment. In 1972, they were unable to come up with a fail -safe solution; however, they were responsible for reshaping the direction of information security today. The Reference Monitor Concept : The National Institute of Standards an d Technologies describes the reference monitor concept as an object that maintains the access control policy. It does not actually change the access control information; it only provides information about the policy. The security reference monitor is a se parable module that enforces access control decisions and security processes for the operating system. All security operations are routed through the reference monitor, which decides if the specific operation should be permitted or denied. Perhaps the mai n benefit of a reference model is that it can provide an abstract model of the required properties that the security system and its access control capabilities must enforce. The main elements of an effective reference monitor are that it is: Always on : Sec urity must be implemented consistently and at all times for the entire system and for every file and object. Not subject to preemption : Nothing should be able to preempt the reference monitor. If this were not the case, then it would be possible for an en tity to bypass the mechanism and violate the policy that must be enforced. munotes.in
Page 193
193 Operating System Security Models Tamperproof: It must be impossible for an attacker to attack the access mediation mechanism such that the required access checks are not performed and authorizations are not enforc ed. Lightweight: It must be small enough to be subject to analysis and tests, proving its effectiveness. The reference monitor concept has proved itself to be a useful tool for computer security practitioners. It can also be used as a conceptual tool in computer security education . Windows Security Reference Monitor : The Windows Security Reference Monitor (SRM) is responsible for validating Windows process access permissions against the security descriptor for a given object. The Object Manager then, in t urn, uses the services of the SRM while validating the process’s request to access any object. Windows is clearly not a bulletproof operating system, as is evident from the number of security advisories alone. In fact, it is full of security holes. But the fact that it is the most popular operating system in use in corporate settings and that Microsoft has been, for the most part, open with its security functionality, makes it a good case study for a real - world example of how an operating system security model should operate . 10.1.4 Trustworthy Computing : The four goals of the Trustworthy Computing initiative are: Security : As a customer, you can expect to withstand attack. In addition, you can expect the data is protected to prevent availability problems and corruption. Privacy : You have the ability to control information about yourself and maintain the privacy of data sent across the network. Reliability: When you need your system or data, they are available. Business integrity : The vendor of a produc t acts in a timely and responsible manner, releasing security updates when a vulnerability is found. munotes.in
Page 194
194 Security in Computing To track and assure its progress in complying with the Trustworthy Computing initiative, Microsoft created a framework to explain its objectives: 1. Its prod ucts are secure by design, 2. Secure by default, and 3. Secure in deployment and that it provides communications. Secure by design simply means that all vulnerabilitie s are resolved prior to shipping the product. Secure by design requires three steps: 1. Build a secure architecture. This is imperative. Software needs to be designed with security in mind first and then features. 2. Add security features. Feature sets need to be added to deal with new security vulnerabilities. 3. Reduce the number of vulnerabilities in new and existing code. The internal process at Microsoft was revamped to make developers more conscious of security issues while designing and developing software. Secure deployment means ongoing protection, detection, defense, recovery, and maintenance t hrough good tools and guidance. Communication is the key to the whole project. 10.1.5 International Standards for Operating System Security : Although Microsoft’s Trustworthy Computing initiative has been heralded as a giant step forward for computer secu rity, much of the momentum started years earlier. And one of the prime forces has been the Common Criteria. The need for a common information security standard is obvious. Security means many things to different people and organizations. But this subjecti ve level of security cannot be objectively valuable. Therefore, common criteria were needed to evaluate the security of an information technology product. Common Criteria : The need for a common agreement is clear. When you buy a DVD, put gas in your car, or make a purchase from an online retailer, all of these activities function because they operate in accordance with a common set of standards and guidelines. And that is precisely what the Common Criteria are meant to be, a global security standard ensu ring that there is a common mechanism for evaluating the security of technology products and systems. munotes.in
Page 195
195 Operating System Security Models By providing a common set of requirements for comparing the security functions of software and hardware products, the Common Criteria enable users to hav e an objective yardstick by which to evaluate a product’s security. Common Criteria certification is slowly but increasingly being used as a touchstone for many Requests for Proposals, primarily in the government sector. By offering a consistent, rigorou s, and independently verifiable set of evaluation requirements for hardware and software, Common Criteria certification is intended to be the Good Housekeeping seal of approval for the information security sector. But what is especially historic about the Common Criteria is that this is the first -time governments around the world have united in support of an information security evaluation program. Common Criteria Origins : In the United States, the Common Criteria have their roots in the Trusted Computer S ystem Evaluation Criteria (TCSEC), also known as the Orange Book. But by the early 1990s, it was clear that TCSEC was not viable for the new world of client/server computing. Its main problem was that it was not accommodating to new computing paradigms. And with that, TCSEC as it was known is dead. The very last C2 and B1 Orange Book evaluations performed by the NSA under the Orange Book itself were completed and publicly announced at the NISSC conference in October 2000. The C2 and B1 classes have been converted to protection profiles under the Common Criteria, however, and C2 and B1 evaluations are still being performed by commercial laboratories under the Common Criteria. According to the TPEP web site, NSA is still willing to perform Orange Book eval uations at B2 and above, but most vendors prefer to evaluate against newer standards cast as Common Criteria protection profiles. Another subtle point is that the Orange Book and the Common Criteria are not exactly the same types of documents. Whereas th e Orange Book is a set of requirements that reflect the practice and policies of a specific community, the Common Criteria are policy -independent and can be used by many organizations to articulate their security requirements. munotes.in
Page 196
196 Security in Computing In Europe, the Information T echnology Security Evaluation Criteria (ITSEC), already in development in the early 1990s, were published in 1991 by the European Commission. This was a joint effort with representatives from France, Germany, the Netherlands, and the United Kingdom contri buting. Simultaneously, the Canadian government created the Canadian Trusted Computer Product Evaluation Criteria as an amalgamation of the ITSEC and TCSEC approaches. In the United States, the draft of the Federal Criteria for Information Technology Secu rity was published in 1993, in an attempt to combine the various methods for evaluation criteria. With so many different approaches going on at once, there was a consensus to create a common approach. At that point, the International Organization for Sta ndardization (ISO) began to develop a new set of standard evaluation criteria for general use that could be used internationally. The goal was to unite the various international and diverse standards into new criteria for the evaluation of information tech nology products. This effort ultimately led to the development of the Common Criteria, now an international standard in ISO 15408:1999. The official name of the standard is the International Common Criteria for Information Technology Security. Common Crit eria Sections : Common Criteria is a set of three distinct but related parts. These are the three parts of the Common Criteria: Part 1 : It is the introduction to the Common Criteria. It defines the general concepts and principles of information technolog y security evaluation and presents a general model of evaluation. It also presents the constructs for expressing information technology security objectives, selecting and defining information technology security requirements, and writing high -level specif ications for products and systems. In addition, the usefulness of each part of the Common Criteria is described in terms of each of the target audiences. munotes.in
Page 197
197 Operating System Security Models Part 2 : It details the specific security functional requirements and details a criterion for express ing the security functional requirements for Targets of Evaluation (TOE). Part 3 : It details the security assurance requirements and defines a set of assurance components as a standard way of expressing the assurance requirements for TOE. It lists the s et of assurance components, families, and classes and defines evaluation criteria for protection profiles (PPs). A protection profile is a set of security requirements for a category of TOE and security targets (STs). Security targets are the set of secur ity requirements and specifications to be used as the basis for evaluating an identified TOE. Part 3 also presents evaluation assurance levels that define the predefined Common Criteria scale for rating assurance for a TOE, namely the evaluation assurance levels (EALs) Protection Profiles and Security Targets : Protection profiles (PPs) and security targets (STs) are two building blocks of the Common Criteria. A protection profile defines a standard set of security requirements for a specific type of produc t (for example, operating systems, databases, or firewalls). These profiles form the basis for the Common Criteria evaluation. By listing required security features for product families, the Common Criteria allow products to state conformity to a relevan t protection profile. During Common Criteria evaluation, the product is tested against a specific PP, providing reliable verification of the product’s security capabilities. The overall purpose of Common Criteria product certification is to provide end u sers with a significant level of trust. Before a product can be submitted for certification, the vendor must first specify a security target. The security target description includes an overview of the product, potential security threats, detailed inform ation on the implementation munotes.in
Page 198
198 Security in Computing of all security features included in the product, and any claims of conformity against a PP at a specified EAL. The vendor must submit the ST to an accredited testing laboratory for evaluation. The laboratory then tests the pr oduct to verify the described security features and evaluate the product against the claimed PP. The end result of a successful evaluation includes official certification of the product against a specific protection profile at a specified evaluation assur ance level. Figure: Common criteria modular component hierarchy
Problems with the Common Criteria : Although there are benefits to the Common Criteria, there are also problems with this approach. The point of this section is not to detail those problems, but in a nutshell, to give you a brief summary of the issues: Administrative overhead: The overhead involved with gaining certification takes a huge amount of time and resources. Expense: Gaining certification is extremely expensive. Labor -intensive cert ification : The certification process takes months. munotes.in
Page 199
199 Operating System Security Models Need for skilled and experienced analysts : Availability of information security professionals with the required experience is still lacking. Room for various interpretations : The Common Criteria leave r oom for various interpretations of what the standard is attempting to achieve. A paucity of Common Criteria testing laboratories: There are only seven laboratories in the United States. Length of time to become a Common Criteria testing laboratory : Even for those organizations that are interested in becoming certified, the process in and of itself takes quite a while. 10.2 LET US SUM UP We explored different security models for operating systems, including the classics: Bell-LaPadula Biba Clark -Wilson TCSEC. These classic models ultimately led to today’s operating system security standards. We also saw how the security reference monitor is a critical aspect of the underlying operating system’s security functionality. Because all security functionalit y is architected, specified, and detailed in the operating system, it is the foundation of all security above it. Understanding how this functionality works, and how it is tied specifically to the operating system used within your organization, is crucial to ensuring that information security is maximized. Finally, we discussed the Trustworthy Computing initiative, international standards for operating system security, and the Common Criteria —its origins, sections, protection profiles, security targets, a nd shortcomings. 10.3 QUESTIONS 1. Explain the vulnerabilities of TCP/IP protocol. 2. What is the main functionality of the Access Control List? munotes.in
Page 200
200 Security in Computing 3. Explain the role of MAC and DAC Lists. 4. Explain the different security models. 5. Explain the functionalities of Trusted Computer System Evaluation Criteria. 6. Explain the significance of the Reference Monitor. 7. Explain the significance of Bill gates ’ initiative TWC. 8. Explain the common criteria for Information Technology Security Evaluation of International Standards for Operat ing System Security. 10.4 BIBLIOGRAPHY Bach, Maurice. The Design of the UNIX Operating System. Prentice Hall, 1986. Tanenbaum, Andrew, and Albert Woodhull. Operating Systems Design and Implementation. Prentice Hall, 2006 Principles of Computer Security: C ompTIA Security+ and Beyond, Principles of Computer Security: CompTIA Security+ and Beyond, McGraw Hill, Second Edition, 2010 10.5 REFERENCES https://ww w.researchgate.net/publication/228409741_Issues_of_Oper ating_Systems_Security https://ieeexplore.ieee.org/document/5072066 https://ieeexplore.ieee.org/document/1342833/similar#similar
***** munotes.in
Page 201
201 UNIT - V 11 VIRTUAL MACHINES AND CLOUD COMPUTING Unit Structure 11.0 Objectives 11.1 Virtual Machines 11.1.1 Protecting the Hypervisor 11.1.2 Protecting the Guest OS 11.1.3 Protecting Virtual Storage 11.1.4 Protecting Virtual Networks 11.2 Cloud Comput ing 11.2.1 Types of Cloud Services 11.2.2 Cloud Computing Security Benefits 11.2.3 Security Considerations 11.2.4 Cloud Computing Risks and Remediation 11.2.5 Cloud Computing Security Incidents 11.2.6 Cloud Security Technologies 11.2.7 Vendor Security Revi ew 11.3 Risk a nd Remediation Analysis 11.3.1 Confidentiality Risks 11.4 Integrity Risks 11.5 Availability Risks 11.6 Secure Development Lifecycle 11.7 Application Security Practices 11.7.1 Security Training 11.7.2 Secure Development Infrastructure 11.7.3 Security Requirements 11.7.4 Secure Design 11.7.5 Threat Modeling: 11.7.6 Secure Coding 11.7.7 Security Code Review 11.7.8 Security Testing 11.7.9 Security Documentation 11.7.10 Secure Release Management 11.7.11 Dependency Patch Monitoring 11.7.12 Prod uct Security Incident Response 11.7.13 Decisions to Proceed 11.8 Web Application Security 11.8.1 SQL injection munotes.in
Page 202
202 Security in Computing 11.8.2 Forms and Scripts 11.8.3 Client -Side Scripts 11.8.4 Passing Parameters via URLs 11.8.5 Passing Data via Hidden Fields 11.8.6 Solving Data -Transfer Problems 11.8.7 General Attacks 11.9 Client Application Security 11.10 Remote Administration Security 11.10.1 Need for Remote administration 11.10.2 Remote Administration Using a Web Interface 11.10.3 Authenticating Web -Based Remote Administra tion 11.10.4 Securing Web -Based Remote Administration 11.10.5 Session Security 11.11 Summary 11.12 Question s 11.13 References 11.0 OBJECTIVES Traditionally, applications have run directly on an operating system (OS) on a personal computer (PC) or on a server. Each PC or server would run only one OS at a time. A single application would be written many times so as to run on different OS/platform s, this created a big overhead on the part of the application designer for adding new feature s, testing, and marketing and also co nsumed much time and money . One effective strategy for dealing with this problem is known a s shareware virtualization. Virtualization technology enables a single PC or server to simultaneously run multiple operating systems or multiple sessions of a single OS. A machine running virtualization software can host numerous applications, including those that run on different operating systems, on a single hardware platform. In essence, the host operating system can support a number of virtual machines (VMs), eac h of which has the characteristics of a particular OS and, in some versions of virtualization, the characteristics of a particular hardware platform . 11.1 VIRTUAL MACHINES The solution that enables virtualization is a virtual machine monitor (VMM), or comm only known today as a hypervisor. This software sits between the hardware and the VMs acting as a resource broker. The hypervisor allows multiple VMs to safely coexist on a single physical server host and share that host’s resources. VMs also require the s ame level of security settings as that is applicable to Windows and Unix -based systems, apart from it that the data storage security must also be applied if VMs are utilizing it. munotes.in
Page 203
203 Virtual Machines and Cloud Computing The virtual environment apart from the VMs must also be protected, VMs are vu lnerable to all the security attacks which are faced by physical servers hence they require additional protection . 11.1.1 Protecting the Hypervisor : The hypervisor is responsible for managing all guest OS installations on a VM server, therefore any comprom ise of the hypervisor can cause significant damage. It would effectively allow all security controls on the virtual servers to be bypassed. With respect to protecting the Hypervisor following must be considered: 1) Hypervisor and service console servers need to be properly patched and secured . 2) Hypervisor and service console servers must also be logically separated through the use of isolated networks with strict access controls. 3) The administration interfaces should reside on a network separate from the virtua l machines . 4) Firewalls should be used to block access attempts from the virtual machines to the management consoles. 5) Administrative access to the hypervisor should be strictly controlled else an attacker will gain too much control o ver all the VMs . 6) Supervi sory account s for the hypervisor must get the same level of protection as privileged accounts for server and network administrator use. 7) The administrative account must not only be password protected but must have an additional way of authentication. 8) Physi cal access to the mach ine hardware must be restricted. 9) The number of administrators and their privileges must be limited . 10) Hypervisor administrators should not use the same privileged accounts they also use to manage VMs and other systems. 11) A trusted third p arty must perform a periodic review of administrator activities . 11.1.2 Protecting the Guest OS : The two most commonly implemented techniques for protecting the guest OSs are : 1) Partitioning 2) Introspection munotes.in
Page 204
204 Security in Computing 1) Partitioning: Partitioning is considered an important security measure. The hypervisor manages access to hardware resources and each OS gets a share of its resource such as CPU, memory and storage, no OS can get access to the resources allocated to other guest OSs. This characteristic is known as partitioning, it is designed to protect each guest OS from other guest OS instances, so attacks and malware are unable to cross over. Partitioning also reduces the threat of side -channel attacks that take advantage of hardware usage characteristics to crack encryption algorithms. 2) Introspection: An attack referred to as escape occurs if an attacker attempts to break out of a guest OS to access the hypervisor or neighboring guest O S. If the attacker is successful to escape and access the hypervisor then the attacker would take control ove r all the hypervisor’s guest OS . The hypervisor monitors and tracks the state of its guest OS, which is a function commonly, referred to as introspection. Introspection can be integrated with intrusion detection systems (ID S) or intrusion prevention systems (IPS) and security information and event management (SIEM), to identify and alert when escape attempts occur. 11.1.3 Protecting Virtual Storage : Guest OS systems can util ize virtual or physical network -attached storage (NAS) and storage area networks (SAN) allocated by the hypervisor to meet data storage requirements as if these storage devices were directly attached to the system. Protection in this area is focused on providing secure and controlled access to files on the virtual hard drive. 11.1.4 Protecting Virtual Networks : The hypervisor can present the guest OS with either physical or virtual network interfaces. Hypervisors provide three choices for network configurations: 1) Network bridging: The guest OS has direct acc ess to the actual physical network interface cards (NIC) of the real server hardware. 2) Network Address Translation (NAT) : The guest OS has virtual access to a simulated physical NIC that is connected to a NAT emulator by the hypervisor. 3) Host -only network ing: A guest OS has virtual access to a virtual NIC that does not actually route to any physical NIC. munotes.in
Page 205
205 Virtual Machines and Cloud Computing With respect to security in such situations , security devices, such as IDS or IPS, can monitor and control network traffic using network bridging and NAT and, to a lesser extent, host -only networking. In the case of host -only networking, introspection can be used to compensate for this lack of visibility. Network segmentation is one of the best security practices irrespective of environment . 11.2 CLOUD CO MPUTING There is an increasingly prominent trend in many organizations to move a substantial portion or even all information technology (IT) operations to an Internet -connected infrastructure known as enterprise cloud computing. Also at the same time , individual users of PCs and mobile devices are relying more and more on cloud computing services to backup data, synch devices, and share. Cloud Computing can be defined as "A model for enabling ubiquitous, convenient, on -demand network access to a shared po ol of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 11.2.1 Types of Cloud Services : The fo llowing are the most common types of services with which we find the term cloud associated 1) Software as a Service (SaaS): SaaS cloud provides service to customers in the form of software, specifically application software running on and accessible in th e cloud. 2) Platform as a Service (PaaS): A PaaS cloud provides service to customers in the form of a platform on which the customer’s applications can run. 3) Infrastructure as a Service (IaaS): IaaS offers the customer processing, storage, networks, a nd other fundamental computing resources so that the customer can deploy and run arbitrary software, which can include operating systems and applications 4) Communications as a Service (CaaS): The integration of real -time interaction and collaboration ser vices to optimize business processes. This service provides a unified interface and consistent user experience across multiple devices. munotes.in
Page 206
206 Security in Computing 5) Data Storage as a Service (DSaaS): The provision and use of data storage and related capabilities. DSaaS describes a storage model where the client leases storage space from a thirdparty provider. 6) Network as a Service (NaaS): NaaS involves the optimization of resource allocations by considering network and computing resources as a unified whole. NaaS can include flexible and extended virtual private network (VPN), bandwidth on demand, custom routing, multicast protocols, security firewall, intrusion detection and prevention, wide -area network (WAN), content monitoring and filtering, and antivirus. 7) Database as a Service: Database functionalities are on demand where the installation and maintenance of the databases are performed by the cloud service provider. 8) Desktop as a Service: The ability to build, configure, manage, store, execute, and deliver user deskt op functions remotely. 9) E-mail as a Service: A complete e -mail service, including related support services such as storage, receipt, transmission, backup, and recovery of e -mail. 11.2.2 Cloud Computing Security Benefits : Cloud computing can provide a h igher level of security as compared to traditional computing environments. A properly designed cloud computing infrastructure offers better physical and operational security controls at lower costs. Some of the services are: 1) Centralized data: Data leak age through laptop data loss and backup tape loss could be reduced by cloud computing . 2) Monitoring: Centralized storage is easier to control and monitor. 3) Forensics and incident response: A dedicated forensic server can be built in the same cloud as the corporate servers but placed offline, ready to be used , and brought online as required. munotes.in
Page 207
207 Virtual Machines and Cloud Computing 4) Password assurance testing: For organizations that routinely crack passwords to check for weaknesses, password cracking times can be significantly decreased. 5) Logging: Effectively unlimited storage for logging, with reduced concerns about insufficient disk space being allocated for system logging. 6) Testing security changes: Vendor updates and patches, as well as configuration changes for security purpose s, can be applied using a cloned copy of the production server, with low -cost i mpact testing and reduced start -up time. 7) Security infrastructure: SaaS providers that offer security technologies to customers share the costs of those technologies among th eir customers who use them. 11.2.3 Security Considerations : 1) While considering the security aspects, private data and public data must be separated. 2) Private data requires strict security controls as compared to public data. 3) Organizations must make a slow tr ansition to the cloud rather than do it all at a time . 4) Organizations that are currently leveraging cloud computing to streamline their business processes and systems so they can minimize the amount of integration needed to use cloud platforms are realizing the greatest benefits today. 5) Public clouds are accessed over the Internet and face bandwidth limitations hence scaling to larger Internet bandwidths can significantly increase the overall ownership cost of cloud solutions. 6) Review the potential cost saving s of cloud environments. 7) Knowing and controlling the location of data is important for many reasons . 8) If the data servers are in hostile nations, then it can cause security concerns . 9) For sensitive and private data, colocation is also a concern. The sensitiv e data must be logically separated . 10) Any sensitive or confidential information placed into a cloud environment should be protected beyond the security features of the cloud service itself . munotes.in
Page 208
208 Security in Computing 11.2.4 Cloud Computing Risks and Remediation : Cloud together with d ata center s raises important issues and concerns, which must be addressed . 1) Availability: The availability issue in Cloud services can be managed by using redundant service providers so a failure at one provider will not result in a loss of service. 2) Data persistence: This is concerned with what happens to the data wh en it is deleted from the cloud. 3) Patriot Act ramifications: Some countries like the US impose their right to monitor and capture all traffic from a service provider on demand. 4) Com pliance ramifications: Some government regulations do not allow cloud computing. 5) PCI compliance: Requires that you know and can demonstrate exactly where and on what physical server your data resides . 6) Migration: Physical -to-cloud and cloud -to-phys ical capability may be required to move data into the cloud from the local computing environment, or vice versa. 7) Confidentiality: The responsibility for controlling data in a cloud environment is shared between the cloud provider and the customer. Any data that an organization feels is confidential must be housed in a private network or private cloud, not in a public cloud. 11.2.5 Cloud Computing Security Incidents : The following table shows some of the secu rity incident s recorded by websites run by a security professional . Provider Incident Type Incident Subtype Affected Notes Apple Outage Disaster recovery All Full extended outage Google Outage Change management Many Users unable to use webmail due to issues with loading contacts between munotes.in
Page 209
209 Virtual Machines and Cloud Computing 14:00 and 16:00 PT Nirvanix MediaMax Data loss Closure 20,000 Data claimed to be safe but inaccessible. FlexiScale AWS Outage Design fault All Full outage for eight (weekend) hours. Apple Outage Migration All The Scheduled outage window exceeded during the upgrade to MobileMe 11.2.6 Cloud Security Technologies : Cloud computing providers offer several security services to remediate some of the risks inherent to the cloud environment. Some of them include the following : 1) Communication encryption 2) File-system encr yption 3) Auditing 4) Traditional network firewalls 5) Application firewalls 6) Content filtering 7) Intrusion detection 8) Geographic diversity 11.2.7 Vendor Security Review : A third -party security review must be performed to validate the security practices of cloud provid ers. The following attributes must be reviewed : 1) Physical security 2) Backups and/or data protection 3) Administrator access 4) Firewalls 5) Hypervisor security 6) Customer and instance isolation munotes.in
Page 210
210 Security in Computing 7) Intrusion detection and anomaly monitoring 8) Data transmission security 9) Data storage security 11.3 RISK AND REMEDIATION ANALYSIS The risks associated with cloud computing include the set of risks associated with traditional data centers combined with those of Internet - based services, added to a new set of risks that arise from the convergence of private and public environments. The following categories of risks are divided according to the classic “CIA” triad of Confidentiality, Integrity, and Availability . Within each identified risk, the three Ds of security (Defence, Detection, and Deterrence) are applied accordingly . 11.3.1 Confidentiality Risks : These risks are associated with vulnerabilities and threats concerned with privacy and control of information. It is required to make the information available in a controlled fashion to only those parties that need it, without exposing it to unauthorized parties. Data leakage, theft, exposure, and forwarding : The loss of information such as customer data and other types of intellectual property through intentional or unintentional means . There are four major threat vectors for data leakage: 1. Theft by outsiders 2. Malicious sabotage by insiders 3. Inadvertent misuse by authorized users and 4. Mistakes created by unclear policies. i) Defence : Employ software controls to block inappropriate dat a access through a data loss prevention (DLP) solution. Avoid placing sensitive, confidential, or personally identifiable (PII) information in the cloud. ii) Detection : Use water -marking and data classification label ing along with monitoring software to t rack data flows. munotes.in
Page 211
211 Virtual Machines and Cloud Computing iii) Deterrence : Establish clear and strong language in contractual agreements with service providers that specify how data privacy will be enforced and maintained. iv) Residual risk : Data persistence within the cloud vendor environmen t in relation to multiple untraceable logical disk storage locations and vendor administrative access that exposes private data to administrators. Espionage, packet sniffing, packet replay : The unauthorized interception of network traffic for the purpose of gaining information intentionally, using tools to capture network packets or tools to reproduce traffic and data that was previously sent on a network. i) Defence : Encrypt data at rest as well as data in transit through the use of strong encryption tec hnologies for file encryption (e.g., PGP), as well as network encryption between servers and over the Internet (e.g., TLS, SSL, SFTP). Preference should be given to cloud providers that offer link -layer data encryption. ii) Detection : Not much can be done today to find out when somebody has intercepted your data; however, an IDS capability can hel p to identify anomalous behavio r on the network that may indicate unauthorized access attempts. iii) Deterrence : Transfer the risk of unauthorized access to the service provider using specific contract language. iv) Residual risk : Data can be stolen from the network through tools that take advantage of network topologies, network weaknesses, compromised servers and network equipment, and direct access to network devices. Inappropriate administrator acces s: Using privilege for access privileges levels generally reserved for system administrators that provide full access to a system and all data that system has access to, in order to view data or make changes witho ut going through the system’s authorization processes. Administrators have the capability of bypassing all security controls, and this can be used to intentionally or mistakenly compromise private data. munotes.in
Page 212
212 Security in Computing i) Defense : Minimize the number of service provider administrators for each cloud service function . Perform a vendor security review to validate these practices before engaging or signing with a cloud vendor. ii) Detection: Review the cloud provider’s administrative access logs for their internal infrastr ucture on a monthly or quarterly basis. Review the provider’s list of administrators on a biannual basis. iii) Deterrence: Select only those cloud providers that can demonstrate robust system and network administration practices that are also willing to a gree with customer conditions. iv) Residual risk: Because administrators have full control, there is a possibility that they will intentionally or accidentally abuse their access privileges, resulting in the compromise of personal information or service a vailability. Storage persistence: Data may remain on a hard drive long after it is no longer required and also potentially after it has been deleted. As this data may be deleted but not strongly overwritten, it is at an increased risk of future data recov ery by unauthorized individuals. i) Defence: Insist that vendors maintain a program that includes Department of Defence (DoD) disk wiping when disks are replaced or reallocated. Dead disks should be degaussed or destroyed to prevent data disclosure. ii) Detection: Not much can be done to find out when data persists on a disk that has been taken offline. iii) Deterrence: Establish disk wiping practices before selecting a vendor and ensure that contract language clearly establishes these requirements. iv) Residual risk: Data can remain on physical media long after it has been deleted.
munotes.in
Page 213
213 Virtual Machines and Cloud Computing Storage platform attacks : Direct attacks against a SAN or storage infrastructure, including the use of a storage system’s management control, can provide access to private data, bypassing the controls built into an operating system because the operating system is out of the loop. i) Defence: Ensure that vendors have implemented strong compartmentalization and role-based access control on their storage systems that access t o the management interface of vendor storage systems is not accessible through the customer network. ii) Detection: Implement IDS for the storage network and review storage system access control logs on a quarterly basis. iii) Deterrence: Ensure that the cloud service provider has strong legal representation and a commitment to identifying and prosecuting attackers. iv) Residual risk: Data can be stolen directly from the SAN and you may find out about it after the fact or not at all. Misuse of data: Peop le who are authorized to access data also have the opportunity to do anything with that data, including actions that they are not permitted to perform. Examples include employees who leak information to competitors, developers who perform testing with prod uction data, and people who take data out of the controlled environment of the organization’s private network into their unprotected home environment. i) Defence: For employees, use security controls similar to those in private data networks, such as DLP, role-based access controls, and scrambling of test and development data. Block the ability to send e -mail attachments to external e -mail addresses. ii) Detection: Use water -marking and data classification labelling along with monitoring software to track data flows. munotes.in
Page 214
214 Security in Computing iii) Deterrence: Use a security awareness program along with penalties and sanctions to deter people from transferring data from a controlled environment to an uncontrolled environment . iv) Residual risk: People can find ways around control s to put data into uncontrolled environments where it can be stolen or misused. Fraud : Illegally (or deceptively) gaining access to information that a person is not authorized to access. Fraud can be perpetrated by outsiders but is usually performed by tr usted employees. i) Defence: Use checks and balances along with sufficient separation of duties to reduce the dependence on single individuals. Ensure that business processes include management reviews and approvals. ii) Detection: Perform regular audits on computing system access and data usage with special attention to unauthorized access. iii) Deterrence: For employees, ensure that there is a suitable penalty process. For service providers, transfer risks through the use of contractual language. iv) Residual risk: Fraudulent practices can result in significant reputation and financial damages. Hijacking : The exploitation of a valid session to gain unauthorized access to information or services in a computer system, in particular, the theft of a magic cookie used to authenticate a user to a remote server. Any protocol in which a state is maintained using a key passed between two parties is vulnerable, especially if it’s not encrypted. This also applies to the cloud environment’s management credentials ; if the entire cloud service is managed using session keys, the entire environment can be taken over through the effective use of a session hijacking attack. i) Defence: Look for solid identity management implementations from service providers that speci fically address this risk using strong, non -guessable session keys with encryption. Use good key management processes and munotes.in
Page 215
215 Virtual Machines and Cloud Computing practices and key escrow and key recovery practices as a customer so employee departures do not result in the inability to manage your service. ii) Detection: Routinely monitor logs for access to cloud resources and their management interface to identify unexpected behavior. iii) Deterrence: Not much can be done to deter attackers from hijacking sessions outside of aggressive legal res ponse. iv) Residual risk: Attackers can impersonate valid users of cloud services or even use administrative credentials to lock you out or damage your entire infrastructure. 11.4 INTEGRITY RISKS Any change in the information intentionally or unintentiona lly can c ause integrity risks. These risks affect the validity of information and the assurance that the information is correct. If information can be changed without warning, authorization, or an audit trail, its integrity cannot be guaranteed. Malfunctio ns: Computer and storage failures can cause data corruption. i) Defence: Make sure the service provider you select has appropriate RAID redundancy built into its storage network and that creating archives of important data is part of the service. ii) Detection: Employ integrity verification software that uses checksums or other means of data verification. iii) Deterrence: Owing to the nature of the data and the fact that there is no human interaction, little can be accomplished. iv) Residual risk: Tech nology failures that damage data may result in operational or compliance risks .
munotes.in
Page 216
216 Security in Computing Data deletion and data loss: Accidental or intentional destruction of any data, including financial, company, personal, and audit trail information. Destruction of data due to computer system failures or mishandling. i) Defense : In the cloud environment, ensure that your critical data is redundantly stored and housed with more than one cloud service provider. ii) Detection: Maintain and review audit logs that relate to data deletion. iii) Deterrence: Maintain education and awareness programs for individuals who access and manage data. Ensure that appropriate data owners are assigned who have full authority and control over data. iv) Residual risk: Once critical data is gon e, if it can’t be restored it is gone forever. Data corruption and data tampering: Changes to data are caused by a malfunction in computer or storage systems, or by malicious individuals or malware. Modification of data with intent to defraud. i) Defense : Cloud services offer virtually unlimited data storage, hence we can keep virtually unlimited copies of prior versions. All virtual servers must be protected by antivirus (AV) software. ii) Detection : Use integrity -checking software to monitor and report on any alteration of key data. iii) Deterrence : Maintain education and awareness programs for individuals who access and manage data. Ensure that suitable data owners are assigned who have authority and control over data. iv) Residual risk: Corrupted or damaged data can cause significant issues because valid, reliable data is the cornerstone of any computing system.
munotes.in
Page 217
217 Virtual Machines and Cloud Computing Accidental modification: This is the most common cause of data integrity loss, changes made to data either because the individual thought he or she was mod ifying something else or because of incorrect input. i) Defense : Since cloud services offer virtually unlimited data storage hence we can store and maintain virtually unlimited copies of prior versions. Ensure that all virtual servers are protected by AV sof tware. Maintain role -based access control to all data based on the least privilege principle . ii) Detection: Use integrity -checking software to monitor and report on alterations to key data. iii) Deterrence: Maintain education and awareness programs for individua ls who access and manage data. Ensure that appropriate data owners are assigned who have full authority and control over data. iv) Residual risk: Corrupted or damaged data can cause significant issues because valid, reliable data is the cornerstone of any com puting system. Phishing: Often come through e -mail, the act of tricking a victim into giving out personal information is a common tactic of social engineering. i) Defense : Employ anti -phishing technologies to block rogue web sites and detect false URLs. Use multifactor authentication for customer -facing systems to ensure that users are aware when they are redire cted to fake copies of your websites. Send periodic informational updates and educational materials to customers explaining how the system works and h ow to avoid phishing. Never send e -mails to customers that include or request personal details, including customer IDs or passwords. ii) Detection: Use an application firewall to detect when remote sites are try ing to copy or emulate your web site. iii) Deterrence: Maintain education and awareness programs for individuals who use and store personal information about employees or customers. munotes.in
Page 218
218 Security in Computing iv) Residual risk: Significant reputation risk owing to exposure in the public media or allegations of personal data loss commens urate with the business risks of losing backup tapes or a compromise of a database containing customer information. Bad publicity can lead to both long and short -term loss of corporate reputation. 11.5 AVAILABILITY RISKS These risks are associated with vul nerabilities and threats pertaining to the reliability of services, given the need to use services reliably with low risk and incidence of an outage . Denial of service: A denial of service (DoS) attack or distributed denial of service (DDoS) attack is an attempt to make a computer resource unavailable to its intended users. Cloud services can be especially vulnerable to volumetric DDoS attacks, in which large numbers of computers flood the cloud networks and servers with more data than they can handle, cau sing them to grind to a halt. i) Defense : Select a service provider that has solid protection against network -based attacks. Implement firewalls and network filtering at the network perimeter of the cloud infrastructure (primarily the Internet access point) to block attacks and hostile networks using a network blacklist. In addition, use redundant providers because an attack against one provider’s environment may not affect another. ii) Detection: Select a service provider that performs and monitors intrusion d etection on a 24×7 basis and sign up for any appropriate additional services relating to this capability. iii) Deterrence: Work with the service provider’s legal department to ensure that attackers are found and prosecuted. iv) Residual risk: As most DoS attacks originate from other countries and can be hard to detect and track, there is little that you can do about the ones that get through an environment’s defen ses. Outage : Any unexpected downtime or unreachability of a computer system or network. munotes.in
Page 219
219 Virtual Machines and Cloud Computing i) Defense : The primary defense against any service outage is redundancy. Ensure that environments can be automatically switched to a different provider during an outage. A solid disaster recovery plan must be ready for extended outages. ii) Detection: Employ monitoring too ls to monitor the availability and response time of the cloud environment continuously. iii) Deterrence: Outages are expensive. Calculate the cost of downtime and make sure the contract with the service provider allows compensation for real costs incurred, not just remuneration for the cost of the service itself. iv) Residual risk: Because outages generally occur because of software problems, little can be done to stop them from happening. Instability and application failure: Loss of functionality or failure of a computer or network owing to problems (bugs) in the software or firmware. Freezing, locking, or crashing of a program causing unresponsiveness. i) Defence: Ensure that the vendor applies all software updates for its infrastructure on a frequent basis. Do the same for all customer -owned virtual systems. ii) Detection: Implement service monitoring to detect and alert when an applica tion does not respond correctly. iii) Deterrence: Use legal language to clearly set the expectation that the service provider will maintain a stable environment. iv) Residual risk: As the instability of applications and infrastructure generally occurs as a result of a software problem, little can be done to stop them from occurring. Slowness: Unacceptable response time of a com puter or network. munotes.in
Page 220
220 Security in Computing i) Defence: Using redundant providers and Internet connections set up the architecture so application access will automatically switch to the fastest environment. Also , ensure service providers have implemented high -capacity services with automatic expansion of resources. ii) Detection: Monitor the response time of applications on a continuous basis and ensure that alerts have an out -of-band path to support staff so response problems don’t stop alerts from being delivered. iii) Deterren ce: Establish contract language with service providers that provide penalties in the form of compensation to you for unacceptable response times. HA failure: The discovery is a device that was supposed to fail over doesn’t actually take over when it shou ld. i) Defence: Monitor the health of secondary systems or all systems in an HA cluster. ii) Detection: Perform periodic failover testing. iii) Deterrence: Not much can be done from a service provider perspective to guarantee that customer systems will switch over when they are supposed to. iv) Residual Risk: Sometimes a primary device slows down to the point that it becomes unresponsive for all practical purposes, but because it’s not officially “down” according to the software, the backup system doesn ’t take over. Backup failure: The discovery that those data backups you were relying on aren’t actually any good. i) Defence: Leverage provider elasticity to avoid the use of traditional offline (tape or optical) backups. ii) Detection: Frequently perfo rm recovery testing to validate the resilience of data. munotes.in
Page 221
221 Virtual Machines and Cloud Computing iii) Deterrence: Establish a data -loss clause in the contract with the service provider so they are obligated to assist with unforeseen data loss. iv) Residual risk: Backups fail, but multiple recov ery paths can eliminate most of the risk. Secure Application Design : Applications such as web applications, client applications, and remote administration are designed for some purpose and to run in an environment. These applications after being deployed in their original form could defend themselves from threats, mistakes , or misuse. A malicious user can exploit the vulnerability of the applications and launch an attack. Such attacks would eventually lead to customers who are unhappy with their software v endors, regardless of whether or not the customers were willing to pay for a security before the incident occurred. Therefore, security is becoming more important to organizations that produce software, and buildin g security into the software up front is e asier (and cheaper) than waiting until the software is already out in the field and then providing security updates. While the deployment environment can help protect the application to some extent, every application must be secure enough to protect itself from whatever meaningful attacks the deployment environment cannot prevent, for long enough for the operator to notice and respond to attacks in progress. 11.6 SECURE DEVELOPMENT LIFECYCLE A secure development lifecycle (SDL) is essentially a development process that includes sec urity practices and decision -making inputs. A typical SDL actually affects two to three lifecycles, the specifics of which vary by organization: 1. The application lifecycle: In which an application begins as an idea and then is plan ned, designed, developed, tested, documented, released, sometimes deployed and operated, maintained, and eventually ended. 2. The employee lifecycle: In which an employee is selected, hired, brought on board, changes job responsibilities, and eventually leave s the organization. 3. The project or contract lifecycle: If any development is outsourced, in which a contract is negotiated, results are accepted, and vendors are paid. munotes.in
Page 222
222 Security in Computing The SDL itself is created, operated, measured, and changed over time following a busines s process lifecycle. Typically, an SDL contains three primary elements: 1. Security activities that don’t exist at all in the original lifecycle; for instance, threat modeling . 2. Security modifications to existing activities; for instance, adding security chec ks to existing peer reviews of code . 3. Security criteria that should affect existing decisions; for instance, the number of open high -severity security issues when a decision to ship is made . Adding security is cheapest if it is included from the beginning o f the lifecycle. 11.7 APPLICATION SECURITY PRACTICES Most secure development lifecycles contain the following practices and decisions in various forms. 11.7.1 Security Training : A security training program for development teams includes technical security awareness training for everyone and role -specific training for most individuals. Role -specific training goes into more detail about the security activities a particular individual participates in, and the technologies in use (for developers). 11.7.2 Secure Development Infrastructure : At the beginning of a new project, source code repositories, file shares, and build servers must be configured for team members’ exclusive access, bug tracking software must be configured to disclose security bugs only accordin g to organization policies, project contacts must be registered in case any application security issues occur, and licenses for secure development tools must be acquired. 11.7.3 Security Requirements : Security requirements may include access control matric es, security objectives, abuse cases, references to policies and standards, logging requirements, security bug bars, assignment of a security risk or impact level, and low -level security requirements such as key sizes or how specific error conditions shoul d be handled. 11.7.4 Secure Design Secure design activities usually revolve around secure design principles and patterns. They also frequently include adding information about security properties and responsibilities to design documents. munotes.in
Page 223
223 Virtual Machines and Cloud Computing 11.7.5 Threat Mod eling : Threat modeling is a technique for reviewing the security properties of a design and identifying potential issues and fixes. Architects can perform it as a secure design activity, or independent design reviewers can perform it to verify architects’ work. 11.7.6 Secure Coding : Secure coding includes using safe or approved versions of functions and libraries, eliminating unused code, following policies, handling data safely, managing resources correctly, handling events safely, and using security techn ology correctly. 11.7.7 Security Code Review : To find security issues by inspecting application code, development teams may use static analysis tools, manual code review, or a combination. Static analysis tools are very effective at finding some kinds of mechanical security issues but are usually ineffective at finding algorithmic issues like incorrect enforcement of business logic. Manual code review by someone other than the code author is more effective at finding iss ues that involve code semantics but requires training and experience. Manual code review is also time -consuming and may miss mechanical issues that require tracing large numbers of lines of code or remembering many details. 11.7.8 Security Testing : To find security issues by running applicat ion code, developers and independent testers perform repeatable security testing, such as fuzzing and regression tests for past security issues, and exploratory security testing, such as penetration testing. 11.7.9 Security Documentation : When an applicati on will be operated by someone other than the development team, the operator needs to understand what security the application needs the deployment environment to provide, what settings can affect security, and how to handle any error messages that have a security impact. The operator also needs to know if a release fixes any vulnerabilities in previous releases. 11.7.10 Secure Release Management : When an application will be shipped, it should be built on a limited -access build server and packaged and distr ibuted in such a way that the recipients can verify it is unchanged. Depending on the target platform, this may mean code signing or distributing signed checksums with the binaries. 11.7.11 Dependency Patch Monitoring : Any application that includes third -party code should monitor that external dependency for known security issues and updates, and issue a patch to update the application when any are discovered. munotes.in
Page 224
224 Security in Computing 11.7.12 Product Security Incident Response : Product security incident response includes contacting people who should help respond, verifying and diagnosing the issue, figuring out and implementing a fix, and possibly managing public relations. It does not usually include forensics. 11.7.13 Decisions to Proceed : Any decision to ship an application or co ntinue its development should take security into account. At ship time, the relevant question is whether the application can be reasonably expected to meet its security objectives. It means that security validation activities have occurred and no critical or high-severity security issues remain open. 11.8 WEB APPLICATION SECURITY Web application security includes understanding the vulnerabilities attackers can exploit in insecure web applications and compromi se a web server or deface a web site, and how deve lopers can avoid introducing these vulnerabilities. The several web application security concerns to be considered are as follows: 1. SQL injection 2. Forms and scripts 3. Cookies and session management 4. General attacks 11.8.1 SQL injection : SQL injection is a techn ique to inject crafted SQL into user input fields that are part of web forms —it is mostly used to bypass custom logins to websites. However, SQL injection can also be used to log i n to or even to take over a web site, so it is important to secure against su ch attacks. SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior. Example 1: In some situ ations, an attacker can escalate an SQL injection attack to compromise the underlying server o r other back -end infrastructure or perform a denial -of-service attack. munotes.in
Page 225
225 Virtual Machines and Cloud Computing Consider a shopping application that displays products in different categories. When the us er clicks on the Gifts category, their browser requests the URL: https://insecure -website.com/products?category=Gifts This causes the application to make an SQL query to retrieve details of the relevant products from the database: SELECT * FROM products WH ERE category = 'Gifts' AND released = 1 This SQL query asks the database to return: all details (*) from the products table where the category is Gifts and released is 1. The restriction released = 1 is being used to hide products that are not released. Fo r unreleased products, presumably released = 0. The application doesn't implement any defenses against SQL injection attacks, so an attacker can construct an attack like: https://insecure -website.com/products?category=Gifts' -- This results in the SQL query : SELECT * FROM products WHERE category = 'Gifts' --' AND released = 1 The key thing here is that the double -dash sequence -- is a comment indicator in SQL, and means that the rest of the query is interpreted as a comment. This effectively removes the remai nder of the query, so it no longer includes AND released = 1. This means that all products are displayed, including unreleased products. Going further, an attacker can cause the application to display all the products in any category, including categories that they don't know about: https://insecure -website.com/products?category=Gifts'+OR+1=1 -- This results in the SQL query: SELECT * FROM products WHERE category = 'Gifts' OR 1=1 --' AND released = 1 The modified query will return all items where either the c ategory is Gifts, or 1 is equal to 1. Since 1=1 is always true, the query will return all items. Example 2: Consider an application that lets users log in with a username and password. If a user submits the username wiener and the password munotes.in
Page 226
226 Security in Computing bluecheese, the application checks the credentials by performing the following SQL query: SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese' If the query returns the details of a user, then the login is successful. Otherwise, it is rejected. Here, an attacker can log in as any user without a password simply by using the SQL comment sequence -- to remove the password check from the WHERE clause of the query. For example, submitting the username administrator' -- and a blank password results in the fol lowing query: SELECT * FROM users WHERE username = 'administrator' --' AND password = '' This query returns the user whose username is ‘administrator ’ and successfully logs the attacker in as that user. Solutions for SQL Injection : Developers and administra tors can take a number of different steps in order to solve the SQL injection problem. These are some solutions for developers: 1. Filter all input fields for apostrophes (') to prevent unauthorized logins. 2. Filter all input fields for SQL commands like insert , select, union, delete, and exec to prevent server manipulation. 3. Limit input field length (which will limit attackers’ options), and validate the input length with server -side scripts. 4. Use the option to filter “escape characters” (characters that can be used to inject SQL code, such as apostrophes) if the database offers that function. 5. Place the database on a different computer than the web server. If the database is hacked, it’ll be harder for the attacker to reach the web server. 6. Limit the user privileg es of the server -side script. 7. Delete all unneeded extended stored procedures to limit attackers’ possibilities. 8. Place the database in a separate container (behind a firewall), separated from the web container and application server. munotes.in
Page 227
227 Virtual Machines and Cloud Computing The administrator can mitigate the risks by running some tests and making sure that the code is secure : 1. Make sure the web server returns a custom error page. This way, the server won’t return the SQL error, which will make it harder for the attacker to gain data about the SQL q uery. 2. Deploy only web applications that separate the database from the web server. 3. Hire an outside agency to perform penetration tests on the web server and to look for SQL injection exploits. 4. Use a purpose -built automated scanning device to discover SQL injection exploits that result from programmers’ mistakes. 5. Deploy security solutions that validate user input and that filter SQL injection attempts. 11.8.2 Forms and Scripts : Forms are used to allow a user to enter input, but forms can also be used to manage sessions and to transfer crucial data within the session (such as a user or session identifier). Attackers can exploit the data embedded inside forms and can trick the web application into either exposing information about another user or charge a low er price in e -commerce applications. Three methods of exploiting forms are these: 1. Disabling client -side scripts 2. Passing parameters in the URLs 3. Passing parameters via hidden fields 11.8.3 Client -Side Scripts : Some developers use client -side scripts to vali date input fields in various ways: 1. Limit the size of the input fields 2. Disallow certain characters (such as apostrophes) 3. Perform other types of validation (these can be specific to each site) By disabling client -side scripting (either JavaScript or VBScript ), this validation can be easily bypassed. A develop er should validate all fields on the server side. This may require additional resources on the server. 11.8.4 Passing Parameters via URLs : The Web Parameter Tampering attack is based on the manipulation o f parameters exchanged between client and server in order to modify munotes.in
Page 228
228 Security in Computing application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, a nd is used to increase application functionality and control. This attack can be performed by a malicious user who wants to exploit the application for their own benefit or an attacker who wishes to attack a third person using a Man -in-the-middle attack. I n both cases, tools li ke Webscarab and Paros proxy are mostly used. The attack ’s success depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and pat h disclosure attacks. Example 1 : The parameter modification of form fields can be considered a typical example of a Web Parameter Tampering attack. For example, consider a user who can select form field values (combo box, check box, etc.) on an application page. When these values are submitted by the user, they could be acquired and arbitrarily manipulated by an attacker. Example 2 : When a web application uses hidden fields to store status information, a malicious user can tamper with the values stored on t heir browser and change the referred information. For example, an e -commerce shopping site uses hidden fields to refer to its items, as follows:
In this example, an attacker can modify the “value” i nformation of a specific item, thus lowering its cost. 11.8.5 Passing Data via Hidden Fields : The post method sends the data using the POST HTTP command. Although the data does not travel in the URL, it can be exploited rather easily as well. Consider the following form: ...
... munotes.in
Page 229
229 Virtual Machines and Cloud Computing This form transmits the user identifier using POST. An attacker can save the HTML, modify the UserID field, and modify the checkout.asp path (to link to the original site, like this:
Page 230
230 Security in Computing 1) Session Theft : Whenever a us er logs into a website, the web site t ags the session as authenticated and allows the user to browse to secure areas f or authenticated users. The web site uses cookies in order to save sensitive data, but an attacker can exploit this. Server -side cookies are another alternative, suppose the web site uses e -mail addresses as the identifying data. After the user has logged in, the system will send the browser a cookie containing the user’s e -mail address. For every page this user will visit, the browser will transmit the cookie containing the user’ s e-mail address. The site checks the data in the cookie and allows the user to go where their profile permits. An attacker could modify the data in the cookie, suppose the cookie contains smilemail@site.com . Each time we access the site we can automatica lly access restricted areas. If the attacker changes the e -mail address in his cookie (located on his computer) to some smilemail@site.com, the next time the attacker accesses the site, it will think he is the user somesmilemail and allow him to access tha t user’s data. 2) Managing Sessions without Sending Data to the User: Some users disable cookies, which mean s they also don’t allow session management which requires cookies. Unless the site is using the less secure get or post methods to manage sessions, the only way to keep track of users is by using their IP address as an identifier. However, this method has the following problems: a) Some users surf through Network Address Translation (NAT), such as corporate users, and they will share one or a limited number of IP addresses. b) Some users surf through anonymous proxies, and they w ill share this proxy IP address. c) Some users use dial -up connections and share an IP address pool, which means that when a user disconnects, the next connected user will get that IP address. 3) Web Server Cookie Attacks: a) An attacker can exhaust the resources of a web server using cookie management by opening many connections from dedicated software. b) Each session will consume the system resources such as memory or hard d rive. c) The solution to this problem is to configure a firewall so that it does not allow more than a particular number of connections per second, which will prevent an attacker from initiating an unlimited number of connections. munotes.in
Page 231
231 Virtual Machines and Cloud Computing 4) Securing Session Track ing: Securing the session can be done in the following ways : a) By using a hard -to-guess identifier that is not derived from the user’s data, such as an encrypted string or GUID. b) In case of multiple users, the IP addres s can be tied to the identifier. c) A short timeout can be used to delete an active session after the time limit has elapsed, to ensure that the session is closed by the server if the user does not end the session properly. 11.8.7 General Attacks : These are those attacks that do not come under any category but pose a significant risk, some of which are as follows 1) Vulnerable scripts 2) Attempts to brute -force logins 3) Buffer overflows 1) Vulnerable Scripts: a) Some publicly used scripts contain bugs that allow attackers to view or modify files or even take over the web server’s computer. b) The best way to find out if the web server contains such scripts is t o run a vulnerability scanner. c) If such a script is found, it should be either updated (with a non - vulnerable version) or replaced with a n alternative script . 2) Brute -Forcing Logins: An attacker can try to brute -force the login (trying all the possible ways) using a dictionary. There are a number of ways to combat brute -force attacks: a) Limit the number of connections per second per IP ad dress . b) Force users to choose stro ng passwords that contain upper and lowercase letters and digits . 3) Buffer Overflows: a) Buffer overflows can be used to gain control over the web server. b) The attacker sends a large input that contains assembly code , and if the script is vulnerable, this string is executed and usually runs a Trojan that will allow the attacker to take over the computer. munotes.in
Page 232
232 Security in Computing 11.9 CLIENT APPLICATION SECURITY Application security is mainly controlled by the developer of the application. Wr iting a secure application is difficult, because every aspect of the application, like the GUI, network connectivity, OS interaction, and sensitive data management, requires extensive security knowledge in order to secure it. The following security issues must be kept in mind while designing an application : 1) Running privileges 2) Administration 3) Application updates 4) Integration with OS security 5) Adware and spyware 6) Network access 1) Running Privileges : An administrator must strive to run an application with the le ast privileges possible, it prevents the system from the following attacks a) If the application is exploited by attackers, they will have the privileges of the application. If the privileges are low enough, the attackers won’t be able to take the attack f urther. b) Low privileges protect the computer from an embedded Trojan (in the application) because the Trojan will have fewer options at its disposal. c) When an application has low privileges, the user won’t be able to save data in sensitive areas or eve n access key network resources . d) If an application requires administrative privileges but there is no obvious reason why it needs them, then they can be run within a sandbox . e) Sandboxes can limit access to the registry, OS data directory, and network u sage. This isolates the application from sensitive OS areas and other user -defined locations, such as those containing sensitive data. 2) Application Administration: Most applications offer some type of interface for administration, and each administration method poses security risks that must be add ressed, the interfaces used are. a) INI/Conf file munotes.in
Page 233
233 Virtual Machines and Cloud Computing b) GUI c) Web -based control a) INI/Conf Files: This is the most basic method of administrating an application Application can be secured in the following scenari os: i) Local access: To secure such an application running on the local machine, the administrator needs to limit access to the configuration files by using built-in OS access management. ii) Remote access: To secure application s in this scenario, strong authentication methods must be followed . b) GUIs: Most applications have a GUI for administrating them. Therefore, apart from providing security at the GUI level, the communication between the GUI and the application must also be secured. Two cases arise i) Local access: When GUI and the application are on the same system, the administrator should provide security for the communications between the GUI and the application. The GUI must be given the least privilege and the application can be giv en higher pri vilege if required. ii) Remote access: When the GUI controls the system remotely, the most important issue is how the GUI controls the application . c) Web -Based Control: A popular way to allow application administration is through a web interface, the adva ntage is that it does not require a dedicated client and can be used from multiple platforms. 3) Application Updates : Keeping applications up to date with the latest security patches is one of the m ost important security measures. Some mechanisms for easil y updating applications are : a) Manual updates b) Automatic updates c) Semi -automated updates d) Physical updates munotes.in
Page 234
234 Security in Computing a) Manual Updates: Manual updates require the administrator to physically download a file and install the update on the relevant system. This option is not preferred by the administrator as it consumes too much time . b) Automatic Updates: When an application uses automatic updates, it checks its web site every so often for an update, and if one exists, it downloads it and installs it on the system. There are two problems with this method: i) Bandwidth usage ii) Installing problematic patches c) Semi -Automated Updates: Some applications allow the administrator to decide when to download an update. After the update is downloaded, the application distributes the update to all the connected clients. d) Physical Updates: It’s possible to update the system using an update received physically. In order to thwart an attacker from forging an update, the administrator can check for the size and CRC32 sig nature of the update at the vendor’s site and compare it to the physical copy. 4) Integration with OS Security: When an application is integrated with OS security, it can use the security information of the OS, and also modify it if required. a) Importance of OS Security Integration: OS security integration allows an application to either import or access in real time the OS’s list of users and their privileges. The disadvantage would be if the administrator wants to enter the information of thousands of em ployees along with the information of their privileges, such a method would be time consuming and if the organization has more than one central system that requires manual user entry, this scenario would be even worse. b) Manual Import of Security Informat ion: An application may allow the administrator to import all the user information and use it to manage authentication for the application. Although this method may speed up application deployment, there is still double administration afterward. For exampl e, when an employee leaves the organization, the administrator has to delete the user both from the organization’s user list and from the application list. munotes.in
Page 235
235 Virtual Machines and Cloud Computing c) Automatic Integration of Security Information: Automatic integration of security information allo ws the application t o query the OS in real time for user credentials. This way, both the initial deployment time and the double administrative issues are solved. There are two problems with this option, though: i) If the OS’s user database is deleted or l ost, the application can’t be accessed. ii) The network connection between the application and the OS user database must be secured to prevent attackers from either eavesdropping on the line or using a fake server to gain information about users’ credentia ls. d) Using OS Security for Authorization: An application can use OS security to authorize sessions. In this scenario, the application sets up a special directory or resource that can be accessed only by users who possess certain privileges, and the OS pr otects access to that directory or resource. e) Keeping OS Security Integration Optional: Sometimes it’s necessary to deploy a small application that will be used by only one or two users, and if the application demands integrat ion with the OS security in an organization with thousand users. Then it will only decrease the security and deployment speed . Also the administrator may be reluctant to give an application the ability to modify (and potentially damage) the user directory . 11.10 REMOTE ADMINISTRATION SECURITY Most of today’s applications offer remote administration as part of their features, hence it must be secure, if an attacker manages to penetrate the administration facilities, other security measures can be compromised or bypassed. 11.10.1 Remote administration is needed for various reasons which are as follows : 1) Relocated servers: An administrator needs an interface to administer any relocated web servers . 2) Outsourced services: Managing security products requires knowledge that some organiz ations don’t possess, so they often outsource their entire security management to a firm specializing in that area, the management of such security is done through the internet. munotes.in
Page 236
236 Security in Computing 3) Physical distance: An administrator may need to manage a large number of c omputers in the organization; these computers are physically separated by large distances. In such situations , it would become tedious and time -consuming to manage the system by physically attending, so remote access may make it simple. 11.10.2 Remote Admi nistration Using a Web Interface : Using a web interface to remotely administer an application or a computer has many advantages, but it also has its costs, and some advantages are also disadvantages. Some advantages of remote web administration: 1) Quick d evelopment time: Developing a web interface is faster than developing a GUI client, in terms of development, debugging, and deployment. 2) OS support: A web interface can be accessed from all the major OSs by using a browser . 3) Accessibility: A web in terface can be accessed from any location on the Internet. 4) User learning curve: An administrator knows how to use a browser, so the learning curve for the administrator will be shorter. Remote web administration has some disadvantages, but they are usually not critical, they are as follows : 1) Accessibility: Because web administration is accessible from anywhere on the Internet, it’s also accessible to an attacker who may try to hack it. 2) Browser control: Because a browser controls the interface, an attacke r doesn’t need to deploy a specific product control GUI . 3) Support Web -based applications are typically easier to support and maintain . 11.10.3 Authenticating Web -Based Remote Administration : When connecting to the remote web administration interface, the fi rst step is the authentication process. If the authentication is weak, an attacker can bypass it and take control of the application or computer. munotes.in
Page 237
237 Virtual Machines and Cloud Computing HTTP Authentication Methods : Some of the common methods to authenticate HTTP connections are 1) Basic authentica tion: When a page requires basic authentication, the user sends the encoded username and password using BASE64 encoding and sends it back to the server. If the login is correct, the server returns message number 200, which means everything is OK. If the lo gin fails, it replies with the same 401 error as before. 2) Digest authentication: Digest authentication uses MD5 to hash the username and password, using a challenge supplied by the web server. 3) Secure Sockets Layer (SSL): SSL can be configured to require a client certificate (optional) and authenticate a user only if they have a known certificate. 4) Encrypted basic authentication: Basic authentication can be used in conjunction with regular SSL, thus encrypting the entire session, including the BASE64 encoded u sername and password . 5) CAPTCHA method: This is a popular method of verifying that the person on the other end is a human being, by showing a distorted image of letters and numbers and req uiring the user to type them correctly. 11.10.4 Securing Web -Based Rem ote Administration : The best solution for securely logging in to a web -administered server is to use either SSL, which checks for client certificates, or encrypted basic authentication. Another option is to use secured custom logins (implemented with serv er- side scripts), but they may contain web exploits. Custom Remote Administration : Some applications are controlled remotely through a GUI or through console applications examples of such applications are SQL Server, Exchange Server s, firewalls, and intrus ion detection syst ems (IDS ). Custom remote administration has both advantages and disadvantages. The advantages of custom remote administration are : 1) Complex graphics: Sometimes the console needs to display complex graphics that can’t be shown using a regul ar web administration interface. 2) Authentication and encryption: The application may use either a stronger authentication method or a stronger encryption method to secure the session . munotes.in
Page 238
238 Security in Computing 3) Availability: Since the application can only be controlled from a dedicat ed GUI, the attacker will need to install it on his computer. The disadvantages of custom remote administration are : 1) Specific OS: Some vendors will require a specific OS to run the controlling GUI, and the administrator will have to install it if it isn’t already installed . 2) Unavailability: The application can be administered only from computers on which the GUI is installed, if the administrator is not in the office, it may not be possible to administer it from other computers. 11.10.5 Session Security : It’s important that the session between the client (GUI or console) and the application be secure. Otherwise, attackers may be able to gain information, steal credentials, or even conduct a replay attack. If the session is known to be insecure, the administra tor can easily relay it through a VPN or a secure tunnel (SSH). Authentication : It’s important that authentication take s place and that it should not depend on the IP or MAC address of the computer. The sequence of the authentication process is also critic al. The best way to exchange login information is either after the session is secured, or using a known method like EAP for insecure sessions. Using OS Networking Services : Some applications use OS networking services, such as remote procedure calls (RPC) or Distributed Component Object Model (DCOM), which allows the administrator to add data integrity, encryption, and authentication. If the OS security is non -trustworthy then either SSH or VPN connection can be used. 11.11 SUMMARY Virtual machines present greater risks, because they provide computing environments that are based on software, which has inherent vulnerabilities, and because virtual machines are controlled by a master operating system known as the hypervisor. Attacks against vulnerabilities in the software that runs the guest operating systems or the hypervisor itself can lead to compromises in one, many, or all virtual systems in your infrastructure. For that reason, special consideration must be given to the virtual environment. Securing the hypervisor is of paramount importance —it needs t o be isolated from the guest OS and administrative access to it needs to be strictly controlled. munotes.in
Page 239
239 Virtual Machines and Cloud Computing The guest OS themselves need to be protected with standard security software, as well as secure configurations within the virtual environment. Virtual storage and networks deserve the same consideration. Cloud computing takes many forms, but they all have one thing in common —the Internet. And because cloud services are housed on the Internet, they carry all the ris ks inherent in the Internet as well as additional risks associated with the proximity of other users of the service, especially if any of those other users are malicious. Along with confidentiality risks that come from putting private data in the cloud, an d integrity risks associated with the loss of direct control of data, the cloud also presents availability risks, because the Internet is an inherently unreliable medium. Real incidents that have been tracked by various agencies prove that service outage i s the most commonly experienced security issue with commercial cloud services. Redundancy is the best way to mitigate those availability risks, just as with any other Internet service. Application security needs to be done right from the start because it’s much harder to actively fix security problems in the field than it is to do so in the programmer’s chair. Training, corporate standards, reviews at the design phase, and formal code reviews can all help ensure that security is integrated from the beginni ng in any new application. Every programmer who isn’t focused on security when writing an application, whether web -based or client can leave the application vulnerable to outside attackers. Because application security problems primarily result from human errors and omissions, the best solution is education. To produce an application that is secure enough, define “secure enough” near the beginning of the development process. Keep this definition in mind when you construct each deliverable. As each deliverab le is completed, check it for security issues. At the end of the development process, ship it only if the application meets your definition of secure enough. 11.12 QUESTIONS 1) What are Virtual Machines? What are the security requirements for a VM? 2) What are the ways to protect the hypervisor? 3) How is the guest OS protected in a Virtual environment? 4) What is Cloud computing? Give its types . 5) Elaborate on the benefits of Cloud computing . munotes.in
Page 240
240 Security in Computing 6) Write a note on Risk and Remediation with respect to cloud computing . 7) What ar e the various c loud security technologies? 8) Explain the Confidentiality risks associated with cloud computing . 9) Explain the Integrity risks associated with cloud computing . 10) Explain the Availability risks associated with cloud computing . 11) Explain the secure de velopment life cycle . 12) What are the Application security practices? 13) How is SQL injection performed? 14) What are the solutions to SQL injection attack s? 15) Explain the methods to exploit Forms and scripts . 16) What are the various ways for solving the data transfer pr oblem? 17) Explain the following attacks a) Brute -force login b) Buffer overflows 18) Write a note on client application security 19) How remote administration is performed using a web interface? 20) Explain the HTTP authentication . 11.13 REFERENCES The Complete Refer ence: Information Security by Mark Rhodes - Ousley Essential Cyber security Science by Josiah Dykstra Principles of Computer Security: CompTIA Security+ and Beyond By Wm. Arthur Conklin, Greg White
***** munotes.in
Page 241
241 12 PHYSICAL SECURITY Unit Structure 12.0 Objectives 12.1 Classification of Assets 12.2 Physical Vulnerability Assessment 12.2.1 Building 12.2.2 Computing Devices and Peripherals 12.2.3 Documents 12.2.4 Records and Equipment 12.3 Choosing Site Location for Security 12.3.1 Accessibility 12.3.2 Lighting 12.3.3 Proximity to Other Buildings 12.3.4 Proximity to Law Enforcement and Emergency Response 12.3.5 RF and Wireless Transmission Interception 12.3.6 Utilities Reliability 12.3.7 Construction and Excavation 12.4 Securing Assets: Locks and Entry Controls 12.4.1 Locks 12.4.2 Doors and File Cabinets 12.4.3 Laptops 12.4.4 Data Centers, Wiring Closets, Network Rooms 12.4.5 Entry Controls 12.4.6 Building Access Control Systems 12.4.7 Mantraps 12.4.8 Building and Employee IDs 12.4.9 Biometrics 12.4.10 Security Guards 12.5 Physical Intrusion Detection 12.5.1 Closed -Circuit Television (CCTV) 12.5.2 Alarms 12.6 Summary 12.7 Questions 12.8 References
munotes.in
Page 242
242 Security in Computing 12.0 OBJECTIVES The Objective of the chapter is to make the learner aware of various security breaches with respect to physical security and their solutions, the classification of assets and their security requirements fo r asse ts. 12.1 CLASSIFICATION OF ASSETS Any resource having direct or indirect monetary value can be classified as an asset. An asset can be classified on the basis of criticality and the value each asset carries, based on it we need to develop security procedures and measures to protect them. The classification of corporat e physical assets will generally fall under the following categories: 1) Computer equipment: Servers, network -attached storage (NAS) and storage area networks (SAN ), desktops, laptops, tablets, pads, etc. 2) Communications equipment: Routers, switches, firewalls , modems, private br anch exchanges (PBX ), fax machines, etc. 3) Technical equipment: Power supplies, unin terruptable power supplies (UPS ), power conditioners, air conditioners, etc. 4) Storage media: Magnetic tapes, DAT, CD -ROM , Zip drives, hard drive arrays, s olid-state drives, Secure Digital (SD), microSD, Compact Flash, and Memory Stick , etc. 5) Furniture and fixtures: Racks, enclosures, etc. 6) Assets with direct monetary value: Cash, jewellery, bonds, stocks, credit cards, personal data, cell phones, etc. 12.2 PH YSICAL VULNERABILITY ASSESSMENT After classifying the asset, the physical security must be assessed. There are four main areas that must be part of physical vulnerability assessment . 1) Building 2) Computing devices and Peripherals 3) Documents 4) Records and Equipmen t 12.2.1 Building : Physical Vulnerability assessment in this case can be done in the following ways : 1) Walking around the building to check for unlocked doors and windows . munotes.in
Page 243
243 Physical Security 2) Checking the areas around the building for obstructions such as bushes or shrubs . 3) Check for poor lighting conditions . 4) Also , check whether anyone can ea sily tailgate into the building. 5) Is it possible to walk into the building through an unattended gate? 6) Whether building passes are collected from the visitors once they leave the building? 12.2.2 Computing Devices and Peripherals : Physical Vulnerability assessment in this case can be done in the following ways : 1) The accessibility and lockdown to systems and peripherals must be verified . 2) Unattended systems should be logged off or have their s creens locked. 3) Critical Servers must be placed in a locked room, and access to the room must be through a card reader . (It can be used to audit .) 4) In case of a shortage of space logical isolation must be done. 5) The Physical lock must be used to protect the r ooms and cases housing the resources . 6) BIOS must be password -protected through a complex password . 7) Booting from floppy/CD/DVD/USB drives must be disabled . 8) The monitor and the keyboard must be placed in such a way that they are only visible to the operator . 9) Unused modems and network ports must be removed or disabled . 10) Store tools separately, preferably locked up. 11) Limit the number of people with access to the server room, and document their access. 12) Place a sign -in sheet inside the door, or electronically track access with a card reader or biometric entry control. 12.2.3 Documents : Physical Vulnerability assessment in this case can be done in the following ways : 1) The Documents must be classified as a part of data classification and information policies . munotes.in
Page 244
244 Security in Computing 2) Confiden tial documents must not be lying around, a check must be made for them. 3) All the Post -it notes with passwords and credentials, documents not collected from print jobs and faxes, and documents in the trash or a recycle bin must be shredded . 4) A walk around mu st be carried to check if shoulder -surfing could be possible. 5) Employees must be educated on various espionage techniques . 12.2.4 Records and Equipment : Physical Vulnerability assessment in this case can be done in the following ways : 1) Records generally cont ain employee timesheets, receipts, accounts payable/receivable , etc. 2) Records must be locked up when not in use and only be accessed by an authorized person . 3) Equipment items such as faxes, printers, modems, copiers , and other equipment have their own secur ity recommendations, depending upon their use and location. 4) Devices such as smartphone s or tablet s must not be kept unlocked on the desk . 12.3 CHOOSING SITE LOCATION FOR SECURITY When selec ting a location for a data cent er or office site, survivability should be considered more important than cost. Selecting Low -cost sites may cause some unforeseen damages which could be more than the cost of selecting a high -cost site. If the s elected site is in a flood zone or expecting a tornado or hur ricane every year, or if it is seismic active or has a high crime rate then any one such event could cause a lot of expensive damage. Hence choosing a secure and reliable site location makes sense from a financial perspective as well as from a security point of view. There are many security considerations for choosing a secure site location, some of which are as follows: 1) Accessibility 2) To the site 3) From the site (in the event of evacuation) 4) Lighting 5) Proximity to other buildings 6) Proximity to law enforcement and emergency respon se munotes.in
Page 245
245 Physical Security 7) RF and wireless transmission interception 8) Utility reliability 9) For a data center, the loss of power may be overcome through the use of generators, but if the water supply is cut off, the AC units will be unable to cool the servers . 10) Construction and excav ation (past and present) 12.3.1 Accessibility : 1) Accessibility of the site is typically the first consideration and with a good reason. 2) If a site is remotely located then it would be difficult to commute, utilize and make practical usage. 3) If the site is eas ily accessible then it would be accessible f or others too (may be attackers) . 4) The site should be such that, i n case of any untoward incident such as a bomb threat, fires, or terrorist attack s, the evacuation must be easily carried out. 12.3.2 Lighting : 1) Proper lighting, especially for organizations with 24×7 operations, should be evaluated and taken into consideration. 2) Poor lighting result s in threats to employee safety and is a potential for break -ins. 3) Mirrored windows or windows with highly reflective co atings should face north -south rather than east -west. 4) Lighting should be positioned in such a way that it never blinds those leaving the building at night. 12.3.3 Proximity to Other Buildings : 1) Sharing a building with a branch of law enforcement would be considered less risky than sharing a building with pubs a nd clubs. 2) The closer the proximity to other buildings and companies, the higher the probability is for a physical security incident to occur. 3) Any problems in an adjacent or connected building might ha ve could potentially become our problem as well. 12.3.4 Proximity to Law Enforcement and Emergency Response : 1) The location of organiz ations relative proximity to law enforcement and/or emergency response units can be useful. munotes.in
Page 246
246 Security in Computing 2) In areas having a history of cr ime, delay s to get a response from the agencies could cause significant loss . 3) If an emergency service unit were to be called to respond to an incident and there was a delay in the response, then it would also cause dearly to the organization . 12.3.5 RF and Wireless Transmission Interception : 1) With wireless networking becoming more prevalent, wireless hacking and hijacking become more of a threat. 2) Wireless protocols such as radio frequency devices, cordless phones, cell phones, PIMs, and mobile e -mail devices must be taken into consideration. 3) Scanners must be used to check the vulnerability of the protocols. 4) Frequency ranges that are heavily used must be avoided . 5) Encryption must be used for sensitive traffic . 12.3.6 Utilities Reliability : 1) Problems such as powe r outages, network outages , and disruption in phone services can cause serious damage to the organization. 2) Power outages can be compensated by using UPS systems or generators (both having their own shortcomings). 3) Network issue s and phone service disruption can be taken care by switching to other operator s, but this is not possible always . 4) While replacing old wires with ne w ones can also cause downtime. 5) For data centers loss of power can make a serious impact, as it requires constant cooling . 12.3.7 Construc tion and Excavation : 1) Construction and excavation can take the entire network and communications infrastructure down in one go . 2) Past construction activi ties in the area, must be noted. 3) Town or city records provide information regarding any construction/exca vation/demolition, both past , and present. 4) Information about power/telecom outages must be obtained. munotes.in
Page 247
247 Physical Security 12.4 SECURING ASSETS: LOCKS AND ENTRY CONTROLS Some more methods in securing physical assets. 12.4.1 Locks : 1) Any asset used in the organization must be sec ured in a location with a lock . 2) Devices such as laptops, smartphones, tablets, MP3 players, jewelry, and keys, must be secured using locks . 3) Asset owners must be educated about its importance . 12.4.2 Doors and File Cabinets : 1) Locked doors must be checked . 2) The functioning of the door must be checked properly . 3) Doors must withsta nd sufficient force . 4) File cabinets containing sensitive information or valuable equipment should be kept locked when not in use. 5) The keys to these should also be kept out of common rea ch. 12.4.3 Laptops : 1) Laptops at the office should be physically locked to the desk . 2) Cable locks ensure that the laptop doesn’t fall into the wrong hands. 3) Laptop theft has become most common, so special care must be taken while travelling . 4) While going throu gh a metal detector special care must be taken . 5) Operating system security and software safeguards must also be considered . 12.4.4 Data Ce nters, Wiring Closets, Network Rooms : 1. All of these areas should have common access controls since they all perform a si milar function. 2. Rooms housing thes e resources must be kept locked. 3. If automatic entry -tracking mechanisms are not in use then the access log must be kept . 12.4.5 Entry Controls : 1. Entry controls have their own security considerations which change with the security plan and business needs . munotes.in
Page 248
248 Security in Computing 2. It is first necessary to locate the site where the entry controls need to be deployed . 3. Some of the common scenarios are an existing structure with a single tenant, a suite in a multitenant building, a campus group of buildin gs with specific public entrances, and a high -rise building. 12.4.6 Building Access Control Systems : 1. Many existing structures may already have an access control system, which can be reused. 2. Multitenant buildings typically have access control systems that control entrance into the building or entrance to a special parking area which is common to the entire building . 3. In order to implement an access control system that is not compatible with an existing system, multiple access cards may be necessary. 4. The most important factor when dealing with a multitenant building is to make sure that anyone passing from the unsecured region to the secured region must pass through the security check . 12.4.7 Mantraps : 1. A mantrap is an area designed to allow only one authorized individual entrance at any given time and prevent an unauthorized person from closely following an authorized person through an open door (an anti - tailgating mechanism) . 2. Typical areas of concer n are high -security areas, cash -handling areas, and data cente rs. 12.4.8 Building and Employee IDs : 1. Any organization hiring new employees must provide them with ID badges. 2. Building and/or employee identification should be displayed at all times . 3. Anyone not having a visible ID should be challenged. 12.4.9 Biometrics : 1. A biometric device is classified as any device that uses distinctive personally identifiable characteristics or unique physical traits to positively identify an individual. 2. Some of the most common devices employing biometrics follow the characteristics s uch as fingerprint, voice, face, retina, iris, handwriting, hand geometry, and keystroke dynamics. The most commonly deployed biometric technologies are currently fingerprint and hand geometry devices. munotes.in
Page 249
249 Physical Security 3. The latest fingerprint readers now read the corpuscle s under the skin, so they can be used for nearly everyone, even individuals who do not have strong fingerprint ridges. 4. The recent trend of implementing fingerprint readers in commercial devices such as laptops and time and attendance devices has resulted in this technology becoming more cost effective. 12.4.10 Security Guards : 1. A security guard is not just a person but also a resource . 2. Security Guards are the best deterrent . 3. They also perform the duties such as patrol ling, guard ing, monitor ing, preserving , protect ing, support ing, and maintain ing the security and safety of personnel and property. 4. Security guards deter, detect, and report infractions of organizational rules, policies, and procedures. 5. Security guards help limit or prevent unauthorized activit ies, including but not limited to trespass, forcible entry or intrusion, vandalism, pilferage, theft, arson, abuse, and/or assault. 6. Guard placement, number of guards, and use would be as per the requirement. 7. Background checks should be done for all securit y guards, and appropriate licenses and clearances obtained wherever applicable. 12.5 PHYSICAL INTRUSION DETECTION Physical intrusion detection requires forethought, planning, and tuning to obtain optimal effectiveness. Some security considerations for phys ical intrusion detection are as follows 12.5.1 Closed -Circuit Television (CCTV) : 1. CCTV must be placed considering the financial and operational limitations of the organization . 2. They must be placed to cover high -traffic areas, critical function areas (such a s parking structures, loading d ocks, and research areas), cash - handling areas, and areas of transition. 3. The cabling used for CCTV devices must not be readily accessible, making tapping difficult . 4. Lighting will also play a critical role in the effectiveness of the camera. 5. When installing wireless CCTV, a transmission must be checked for any interception by an attacker . munotes.in
Page 250
250 Security in Computing 12.5.2 Alarms : 1. Alarms should be tested every month and a test log must be maintained . 2. Points of entry and exit should be fitted with intrusio n alarms. 3. A response plan should be ready in a dvance in case of any intrusion. 4. Duress alarms (silent alarms used in the time of distress) should also be taken into consideration for areas that may require them. 12.6 SUMMARY There are many physical securit y considerations that should coincide with your data security goals. Both physical and data security are cente red on the protection of assets, so some concepts apply directly to both worlds. Common se nse, forethought, experience, and clear, and logical thi nking are an essential part of any security plan. 12.7 QUESTIONS 1) What is an asset? Give the classification of Assets . 2) Explain Physical Vulnerability assessment . 3) What factors must be considered while selecting a site location for security? 4) What are the ways to secure assets using physical security devices? 5) What role do security guards play in providing security? 6) What are the ways to detect and alert any physical intrusion? 12.8 REFERENCES The Complete Reference: Information Security by Mark Rhodes – Ousley Essential Cyber security Science by Josiah Dykstra Principles of Computer Security: CompTIA Security+ and Beyond By Wm.Arthur Conklin, Greg White