Network Security

ISOC NTW 2000
NTW 2000 © 2000, Cisco Systems, Inc.

Introduction

Network Security Components

ISP Example

[Diagram: the Internet and a Foreign Site reach a Customer Site over a T1 through the ISP Service Plane, which hosts the public servers Pub1 and Pub2 (WWW, DNS1, DNS2, TFTP); the ISP Management Plane is kept separate.]

Enterprise Example

[Diagram: the Protected Network (Engineering, Finance, Admin) sits behind the Internet connection; the WWW Server and DNS Server, Dial-Up Access and Business Partners attach outside the protected network.]

Current Threats and Attack Methods

Attack Trends

• Exploiting passwords and poor configurations
• Software bugs
• Trojan horses
• Sniffers
• IP address spoofing
• Toolkits
• Distributed attacks

Attack Trends

[Chart, 1988 to 2000: attacker knowledge plotted against attack sophistication, from low to high.]

Vulnerability Exploit Cycle

• Advanced intruders discover a vulnerability
• Crude exploit tools are distributed
• Novice intruders use the crude exploit tools
• Automated scanning/exploit tools are developed
• Widespread use of the automated scanning/exploit tools
• Intruders begin using new types of exploits
Source: CERT Coordination Center

Increasingly Serious Impacts

• $10M transferred out of one banking system
• Loss of intellectual property: $2M in one case, the entire company in another
• Extensive compromise of operational systems: a 15,000-hour recovery operation in one case
• Alteration of medical diagnostic test results
• Extortion demanding payments to avoid operational problems
Evolving Dependence

• Networked appliances/homes
• Wireless stock transactions
• Online banking
• Critical infrastructures
• Business processes

The Community’s Vulnerability

[Diagram: internal exploitation, 100% vulnerable; external exploitation from the Internet, 75% vulnerable. Source: Cisco Security Posture Assessments, 1996–1999]

Unauthorized Use

[Chart: percentage of respondents answering Yes, No or Don’t Know to unauthorized use, 1996 to 2000. Source: 2000 CSI/FBI Computer Crime and Security Survey]

Conclusion

Sophisticated attacks + Dependency + Vulnerability

Classes of Attacks

• Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
• Access: unauthorized data manipulation, system access, or privilege escalation
• Denial of Service: disable or corrupt networks, systems, or services

Reconnaissance Methods

• Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
• Public tools: sniffers, SATAN, SAINT, NMAP, custom scripts

Network Sniffers

[Diagram: a sniffer on the path to Router5 captures the whole telnet login ("Got It"):]

  telnet Router5
  User Access Verification
  Username: squiggie
  password: Sqjkl;T
  Router5> ena
  Password: jhervq5
  Router5#

ISP Example / Enterprise Example

(The two network diagrams from the introduction are shown again here.)
nmap

• network mapper is a utility for port scanning large networks: TCP connect() scanning, TCP SYN (half-open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP FTP proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping sweep), TCP ping scanning, direct (non-portmapper) RPC scanning, remote OS identification by TCP/IP fingerprinting (nearly 500), reverse-ident scanning.

nmap

• nmap [Scan Type(s)] [Options] <host or net list>
• Example, run on myunixhost: nmap -sT myrouter

  Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
  Interesting ports on myrouter.example.com (10.12.192.1):
  (The 1521 ports scanned but not shown below are in state: closed)
  Port       State       Service
  21/tcp     open        ftp
  22/tcp     open        ssh
  23/tcp     open        telnet
  25/tcp     open        smtp
  37/tcp     open        time
  80/tcp     open        http
  110/tcp    open        pop3

Why Do You Care

• The more information you have, the easier it will be to launch a successful attack:
  - Map the network
  - Profile the devices on the network
  - Exploit discovered vulnerabilities
  - Achieve objective

Access Methods

• Exploiting passwords
  - Brute force
  - Cracking tools
• Exploit poorly configured or managed services
  - anonymous ftp, tftp, remote registry access, nis, …
  - Trust relationships: rlogin, rexec, …
  - IP source routing
  - File sharing: NFS, Windows File Sharing

Access Methods cont’d

• Exploit application holes
  - Mishandled input data: access outside the application domain, buffer overflows, race conditions
• Protocol weaknesses: fragmentation, TCP session hijacking
• Trojan horses: programs that plant a backdoor into a host
IP Packet

• Internet Protocol
  - IP = connectionless network layer
  - SAP = 32-bit IP address
  - RFC 791, Sep 1981

IP: Packet Format

Internet Datagram Header (RFC 791):

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|     Fragment Offset     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |        Header Checksum        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Source Address                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Destination Address                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP Spoofing

[Diagram: attacker C sends A a packet that announces "Hi, my name is B".]

IP: Normal Routing

[Diagram: hosts A, B and C behind routers Ra, Rb and Rc. Each node forwards by its routing table: A reaches B and C via Ra; Ra reaches B via Rb and C via Rc; Rb reaches A and C via Ra and B on its Ethernet.]
• Routing based on routing tables

IP: Source Routing

[Diagram: Ra has no route to B ("B unknown", C via Rc), yet a datagram from A carrying the source route "A to B via Ra, Rb" in its IP options is forwarded to Rb and delivered.]
• Routing based on the IP datagram option

IP Unwanted Routing

[Diagram: C on the Internet has no route to A ("A unknown", B via Internet), and neither does R1 ("A unknown", B via DMZ) nor R2 (B via DMZ, "C unknown"); a datagram "C to A via R1, R2" still reaches A on the intranet through the DMZ.]

IP Unwanted Routing (Cont.)

[Diagram: B is a dial-up PPP host acting as a router (A via Ethernet, B and C via PPP); a datagram "C to A via B" reaches the intranet host A through B.]

IP Spoofing Using Source Routing

[Diagram: A’s rule is "B is a friend, allow access". C sends "B to A via C, Rc, Ra" with B’s address as source; A answers "A to B via Ra, Rc, C".]
• Back traffic uses the same source route

Transport Control Protocol

• TCP = connection-oriented transport layer
• RFC 793, Sep 1981
• SAP = 16-bit TCP ports

TCP Packet Format

TCP Header Format (RFC 793):

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     Acknowledgment Number                     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Data |           |U|A|P|R|S|F|                               |
    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             data                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

TCP connection establishment

[Diagram: B opens a connection to A.]
  B to A: flags=SYN, seq=(Sb,)
  A to B: flags=SYN+ACK, seq=(Sa,Sb)
  B to A: flags=ACK, seq=(Sb,Sa)

TCP blind spoofing

[Diagram: C, masquerading as B, opens a connection to A.]
  C (as B) to A: flags=SYN, seq=(Sb,)
  A to B:        flags=SYN+ACK, seq=(Sa,Sb)          (C does not see this)
  C (as B) to A: flags=ACK, seq=(Sb,Sa)              (C guesses Sa)
  A to B:        flags=ACK, seq=(Sb,Sa+8) data="Username:"
  C (as B) to A: flags=ACK, seq=(Sa+8,Sb+7) data="myname"
• C guesses Sa
• A believes the connection comes from B and starts the application (e.g. rlogin)

TCP blind spoofing (Cont.)

• C masquerades as B
• A believes the connection is coming from trusted B
• C does not see the back traffic
• For this to work, the real B must not be up, and C must be able to guess A’s sequence number

TCP session hijacking

[Diagram: B opens a connection to A; C, masquerading as B, injects into it.]
  B to A:        flags=SYN, seq=(Sb,)
  A to B:        flags=SYN+ACK, seq=(Sa,Sb)
  B to A:        flags=ACK, seq=(Sb,Sa)
  A to B:        "Password:", seq=(Sb,Sa+9)
  B to A:        "Xyzzy", seq=(Sa+9,Sb+5)
  C (as B) to A: "delete ", seq=(Sb+5,Sa+18)
• B initiates a connection with A and is authenticated by the application on A
• C guesses Sa, Sb
• C inserts invalid data

It Never Ends

Latest FTP Vulnerability: “Because of user input going directly into a format string for a printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shell code pointed to by the overwritten eip and execute arbitrary commands as root. While exploited in a manner similar to a buffer overflow, it is actually an input validation problem. Anonymous ftp is exploitable making it even more serious as attacks can come anonymously from anywhere on the internet.”
Source: SecurityFocus.Com, 2000

Denial of Service Methods

• Resource overload
  - Disk space, bandwidth, buffers, ...
  - Ping floods, SYN flood, UDP bombs, ...
• Software bugs
  - Out of Band Data Crash: Ping of death, fragmentation…
• Toolkits: TRINOO, Tribal Flood Net and friends
• Distributed attacks for amplification
IP Normal Fragmentation

• IP largest data is 65,535 == 2^16 - 1
• IP fragments a large datagram into smaller datagrams to fit the MTU
• Fragments are identified by the fragment offset field
• The destination host reassembles the original datagram

IP Normal Fragmentation (Cont.)

Before fragmentation (IP header + IP data):
  TL=1300, FO=0,   data length 1280
After fragmentation (MTU = 500):
  TL=500,  FO=0,   data length 480
  TL=500,  FO=480, data length 480
  TL=360,  FO=960, data length 340

IP Normal Reassembly

Received from the network (out of order):
  TL=500,  FO=0,   data length 480
  TL=360,  FO=960, data length 340
  TL=500,  FO=480, data length 480
Each fragment is placed by its offset into the reassembly buffer (65,535 bytes) in kernel memory at the destination host.

IP Reassembly Attack

• Send an invalid IP datagram
• fragment offset + fragment size > 65,535
• Usually containing an ICMP echo request (ping)
• Not limited to the ping of death

IP Reassembly Attack (Cont.)

Received from the network:
  TL=1020, FO=0, data length 1000
  … 64 IP fragments with data length 1000 …
  TL=1020, FO=65000, data length 1000
BUG: buffer exceeded. The last fragment runs past the 65,535-byte reassembly buffer into the surrounding kernel memory at the destination host.

SYN attack

[Diagram: C, masquerading as B, sends A connection requests that are never completed.]
  C (as B) to A: flags=SYN, seq=(Sb,)
  A to B:        flags=SYN+ACK, seq=(Sa,Sb)
• A allocates a kernel resource for handling the starting connection
• No answer from B… 120 sec timeout, then A frees the resource
• Repeated many times over, the kernel resources are exhausted: denial of service
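As an added example (not from the deck): the fragmentation of the slides above, 1,280 data bytes at MTU 500, and a reassembler that applies the offset-plus-size bound the reassembly attack violates. Offsets are kept in bytes as on the slides; for a 1,280-byte payload the last fragment computes to 320 data bytes (total length 340), and the attack set is a constructed copy of the FO=65000 case.

```python
# Added example, not from the NTW 2000 deck: IP fragmentation as on the
# "IP Normal Fragmentation" slides, and reassembly with the bounds check that
# the "IP Reassembly Attack" slide shows vulnerable kernels lacked.
# Offsets are in bytes, as on the slides (the on-wire Fragment Offset field is
# in 8-byte units, so non-final fragments carry a multiple of 8 data bytes).
from dataclasses import dataclass
from typing import List

IP_HEADER_LEN = 20          # header without options
MAX_DATAGRAM = 65535        # 2**16 - 1: largest IP total length


@dataclass(frozen=True)
class Fragment:
    total_length: int       # TL: header plus the data carried in this fragment
    frag_offset: int        # FO: byte offset of this data within the datagram
    more_fragments: bool    # MF flag: False only on the last fragment
    data: bytes


class ReassemblyError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""


def fragment(payload: bytes, mtu: int) -> List[Fragment]:
    """Split a datagram payload into fragments whose total length fits `mtu`."""
    if IP_HEADER_LEN + len(payload) > MAX_DATAGRAM:
        raise ValueError("payload exceeds the 65,535-byte IP datagram limit")
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8      # largest multiple of 8 that fits
    if chunk <= 0:
        raise ValueError("MTU too small to carry any fragment data")
    frags: List[Fragment] = []
    offset = 0
    while offset < len(payload):
        piece = payload[offset:offset + chunk]
        last = offset + len(piece) >= len(payload)
        frags.append(Fragment(IP_HEADER_LEN + len(piece), offset, not last, piece))
        offset += len(piece)
    return frags


def fragment_fits(frag_offset: int, data_len: int) -> bool:
    """The check from the slide: offset + size must not exceed 65,535 bytes.
    Without it, FO=65000 with 1000 data bytes runs past the reassembly buffer."""
    return frag_offset >= 0 and data_len >= 0 and frag_offset + data_len <= MAX_DATAGRAM


def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the payload from fragments received in any order.
    Every fragment is bounds-checked before a single byte is copied."""
    for f in frags:
        data_len = f.total_length - IP_HEADER_LEN
        if data_len != len(f.data):
            raise ReassemblyError("total length disagrees with carried data")
        if not fragment_fits(f.frag_offset, data_len):
            raise ReassemblyError(
                f"fragment FO={f.frag_offset} len={data_len} exceeds {MAX_DATAGRAM}")
    ordered = sorted(frags, key=lambda f: f.frag_offset)
    buf = bytearray()
    for i, f in enumerate(ordered):
        if f.frag_offset != len(buf):
            raise ReassemblyError(f"gap or overlap at offset {f.frag_offset}")
        if f.more_fragments == (i == len(ordered) - 1):
            raise ReassemblyError("MF flag inconsistent with fragment position")
        buf += f.data
    return bytes(buf)


def ping_of_death_fragments() -> List[Fragment]:
    """Constructed: the slide's attack set, 64 fragments of 1000 bytes followed by
    one at FO=65000, which an unchecked kernel would write past its buffer."""
    frags = [Fragment(1020, i * 1000, True, bytes(1000)) for i in range(64)]
    frags.append(Fragment(1020, 65000, False, bytes(1000)))
    return frags
```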
SMURF Attack

• Directed broadcast PING
[Diagram: the attacker sends ICMP REQ D=160.154.5.255 S=172.18.1.2 to the directed broadcast address of the 160.154.5.0 network; every host there answers the spoofed source: ICMP REPLY D=172.18.1.2 from S=160.154.5.10, 160.154.5.11, 160.154.5.12, 160.154.5.13, 160.154.5.14, … in an attempt to overwhelm the WAN link to the destination 172.18.1.2.]

DDoS Step 1: Find Vulnerable Hosts

• The attacker uses reconnaissance tools to locate vulnerable hosts to be used as masters and daemons

DDoS Step 2: Install Software on Masters and Agents

1) Use master and agent programs on all cracked hosts (innocent masters and innocent daemon agents)
2) Create a hierarchical covert control channel using innocent-looking ICMP packets whose payload contains DDoS commands. Some DDoS tools further encrypt the payload...

DDoS Step 3: Launch the attack

[Diagram: the attacker tells the innocent masters "Attack Alice NOW"; the masters relay the command to the innocent daemon agents, which flood the victim.]

Today

• New agent software has been created for Windows hosts…
• No longer a problem for just Unix systems
• The target may be a router
Why Should You Care

• Protect your own operational environment
• Protect your customers’ data
• Protect the services you offer to your customers
• In other words…to protect your business

What Should You Do

• Develop a security policy
  - for your organization
  - for your customers
• Develop your security plan
• Secure your network
• Develop an incident response procedure

Security Policy

Why a Site Security Policy

• To protect assets
• To help prevent security incidents
• To provide guidance when incidents occur

Security Policy Topics

• Access
• Authentication
• Accountability
• Privacy
• Violations handling
• Supporting information
• Others...

Site Security Policy Resources

• http://secinf.net/info/policy/AusCERT.html, written by Rob McMillan
• RFC 2196, Site Security Handbook
• RFC 1281, Guidelines for the Secure Operation of the Internet
• RFC 2504, Users’ Security Handbook

Policies Affecting Your Customers

• Service expectations
• Access policies for customers: what type of access is allowed and under what circumstances
• Authentication policy for customers: what type of authentication must they use when connecting to your site
• Protection of your customers’ traffic
• Incident handling policies
  - inbound incidents
  - outbound incidents
Policies Affecting Your Customers 2

• Notification of vulnerabilities and incidents
  - who is coordinating response to the incident
  - the vulnerability
  - how service was affected
  - what is being done to respond to the incident
  - whether customer data may have been compromised
  - what is being done to eliminate the vulnerability
  - the expected schedule for response, assuming it can be predicted
• Sanctions for policy violations
• See IETF draft-ietf-grip-isp-expectations-03.txt

Security Plan

Your Security Plan

• Describe the assets you want to protect
  - data
  - hardware and software
  - services
• Describe how you will protect the assets
  - access restrictions and authentication
  - redundancy
  - encryption

Your Security Plan 2

• Describe disaster recovery plans
  - physical disasters
  - equipment failures
  - intrusions
  - employee or customer mistakes
• Regularly test your security plan
• Update the plan based on the results of testing

Securing Your Network

• Securing your operational network
• Securing services offered to your customers

Securing Your Operational Network

• Separate your operational networks from your service networks
• Restrict services to your organization’s network/hosts
• Protect services that are allowed to the internal network
Example: Securing the Usenet Server

[Diagram: Local Offices reach the Network Carriage Plane through a Network Access Server and an Access Router; an Upstream Feed Router connects outward. The ISP Service Plane holds the Radius, Mail, DNS, WWW, WWW Cache and Usenet Servers; the ISP Management Plane holds the Network Management and Accounting Servers.]

Access router filter:
  no loose source routing
  no directed broadcast
  permit any source to usenet server TCP port 119
  permit NetOpsCenter source to usenet server
  deny all else

Usenet server host protection:
  TCP logging
  SYN protection
  permit any source connect to TCP port 119
  permit NetOpsCenter source to any port
  deny all else

Source: ISP Survival Guide, 1999

Secure Initial System Setup 1

• Build offline
• Set or disable passwords for all existing accounts
• Review account groups and privileges
• Review CERT Advisories and VIBs
• Install all applicable security patches
• Minimize system and network services
• Remove unnecessary software: compilers, shells, servers, daemons, etc.
• Fix file permissions

Secure Initial System Setup 2

• Configure logging and quota mechanisms
• Install and configure system monitoring tools
• Replace weak access mechanisms with more secure ones (UNIX, e.g., replace telnet and the r-commands with SSH)
• Configure file system integrity tools (UNIX, e.g., Tripwire)
• Make a backup
• Deploy on the network only when prepared for exposure

Domain Name Servers

• Intruders target domain name servers
  - exploit services that trust host names
  - masquerade as another host
• Consider using internal and external servers
  - external servers provide information regarding hosts serving the Internet: email, FTP, WWW...
  - internal servers provide information about internal hosts to internal hosts
• Use the latest version of BIND
Protecting System Password Information

• Unix
  - password aging
  - 16-character passwords
  - freely available shadow password suite
• NT
  - configure to protect the SAM database
  - Registry settings and protections
  - Use the NTFS file system instead of FAT, set permissions

Manage Networks Securely

• Restrict access to routers and servers
• Require strong authentication when accessing any critical system
• Use SSH to tunnel through firewalls to access the network

Configuring Public Servers 1

• Turn on logging of all outside access (using TCP Wrappers or other tools)
• Use Tripwire or other cryptographic checksums to verify the integrity of information and system configuration
• Locate the public servers on a separate network segment
• Keep a copy of the information on another system for fast backup
• Consider CD-ROM for information and system files that rarely change

TFTP

• Disable tftpd if it isn’t absolutely necessary
• Otherwise, restrict tftpd access

Securing the Network

• Router/Switch/Server Self-Protection
  - Use good access controls
  - Limit SNMP access
  - Disable unused services
  - Implement privilege levels
• Resource Protection
• In-band vs Out-of-band Management
• Good network design and management: redundancy, logging
• Audit

Authentication Mechanisms

• Console, Telnet
• Local passwords
  - Username based
• External authentication: TACACS+, RADIUS, Kerberos, SSH
• One-time passwords
Local Passwords

  line console 0
   login
   password one4all
   exec-timeout 1 30

  User Access Verification
  Password: one4all
  router>

• Password in every device
• Viewable in plain text in the configuration

Service Password-Encryption

  service password-encryption
  hostname Router
  enable password 7 15181E020F

• Encrypts the password in the configuration
• Easily reversible

Enable Secret

  hostname Router
  enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1

• Uses an MD5 one-way hash to encrypt the enable password in the configuration

Use Good Passwords

• Don’t use easily guessed passwords ("Hmm, Snoopy is easy to remember")
• Centralize password management: RADIUS, TACACS+

Cisco IOS TACACS+ Login Authentication

  version 12.0
  service password-encryption
  hostname Router
  aaa new-model
  aaa authentication login ruth tacacs+ enable
  aaa authentication login sarah tacacs+ local
  enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
  username john password 7 030E4E050D5C
  username bill password 7 0430F1E060A51
  tacacs-server host 10.1.1.2
  tacacs-server key key
  line con 0
   login authentication ruth
  line aux 0
   login authentication ruth
  line vty 0 4
   login authentication sarah
  end

• service password-encryption encrypts passwords with encryption (7)
• List "Ruth": use TACACS+, then the enable password
• List "Sarah": use TACACS+, then the local user and password
• "Enable Secret" overrides the (7) encryption
• The username lines define local users
• tacacs-server host defines the IP address of the TACACS+ server
• tacacs-server key defines the "encryption" key for communicating with the TACACS+ server
• Lines con 0 and aux 0 use the authentication mechanisms listed in "Ruth": TACACS+, then the enable password
• Lines vty 0 4 use the authentication mechanisms listed in "Sarah": TACACS+, then a local user/password

PIX TACACS+ Login Authentication

  PIX Version 4.3(1)
  enable password BjeuCKspwqCc94Ss encrypted
  passwd nU3DFZzS7jF1jYc5 encrypted
  tacacs-server host 10.1.1.2 key
  aaa authentication any console tacacs+
  no snmp-server location
  no snmp-server contact
  snmp-server community notpublic
  no snmp-server enable traps
  telnet 10.1.1.2 255.255.255.255
  …
  Cryptochecksum:a21af67f58849f078a515b177df4228
  : end
  OK

• enable password: the enable password; passwd: the Telnet password
• tacacs-server host: define the TACACS+ server and encryption key
• aaa authentication any console tacacs+: use TACACS+ for Telnet or console (enable) access
• telnet 10.1.1.2 255.255.255.255: defines the device that can Telnet into the PIX

Catalyst TACACS+ Login Authentication

  set enablepass
  1CBqbj53diREUitkHDGKfAqFpQ
  set authentication login tacacs enable
  set authentication enable tacacs enable
  set tacacs key secretkey
  set tacacs server 144.254.5.9

• set enablepass: the enable password
• set authentication login/enable tacacs enable: use TACACS+ for Telnet or console (enable) access
• set tacacs key and set tacacs server: define the TACACS+ server and encryption key

PassWord of Caution

• Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router
One-Time Passwords

• May be used with TACACS+ or RADIUS
• The same "password" will never be reused by an authorized administrator
• Key cards: CryptoCard token server included with CiscoSecure
• Support for Security Dynamics and Secure Computing token servers in Cisco Secure

Restrict Telnet Access

  access-list 12 permit 172.17.55.0 0.0.0.255
  line vty 0 4
   access-class 12 in

SSH

• SSH can be used for secured command and control sessions to routers
• Full SSH has three components:
  - a terminal session with a secure transport
  - the ability to handle "r-commands" similar to rsh
  - the ability to "forward" other TCP-based protocols

SSH Authentication

• There are two levels of authentication required for an SSH session:
  - Host (or "device") authentication
  - User authentication

Host Authentication

• Each IOS host has its own unique RSA key with a user-selectable key length up to 2048 bytes
• The RSA authentication will transfer the session key
• This authentication will establish the encrypted session

Host Authentication

• IOS will store its own RSA key and will accept all other keys
• In the "full" implementation, keys of other hosts should be kept in permanent storage, and a warning is presented to the user if the hostname/key do not match

User Authentication

• After the encrypted session is established, user authentication is still required
• Since the SSH feature is tied to the vtys, user authentication is associated with some of the authentication mechanisms available to the vtys: RADIUS, TACACS+ and local
• The username and password pass between the workstation and the router inside the encrypted session
User Authentication

• The session will be terminated if authentication fails, or if the authentication mechanism fails (e.g. the router cannot establish a session with a TACACS+ server)
• If authentication succeeds, a session is opened using the encryption algorithm selected

SNMP Access Control

  access-list 13 permit 192.85.55.12
  access-list 13 permit 192.85.55.19
  snmp-server community PassWord RO 13

• RO: read only; RW: read + write

SNMP

• Change your community strings: do not use public, private, secret
• Use different community strings for the RO and RW communities
• Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too

Transaction Records

• How do you tell when someone is attempting to access your router?

  ip accounting
  ip accounting access-violations
  logging 127.0.3.2

• Consider some form of audit trails:
  - using the syslog feature
  - SNMP traps and alarms
  - implementing TACACS+, RADIUS, Kerberos, or third-party solutions like one-time password token cards

Route Update Authentication and Integrity

[Diagram:]
1. Assemble the packet: IP HDR | Key | Route Update Data
2. Hash with the key: the hash function over the key and the route update data produces the signature
3. Reassemble the packet with the signature: IP HDR | Signature | Route Update Data
4. To the wire
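An added example, not Cisco’s code and not from the deck, of the keyed-hash scheme in the figure above: the sender hashes the update with the shared key and sends the signature in place of the key; the receiver recomputes it and rejects anything altered in transit. The update layout and the choice of HMAC-SHA256 are this example’s assumptions, since the slide names neither the hash function nor the packet format.

```python
# Added example, not from the NTW 2000 deck: route update authentication with a
# keyed hash. Wire format and HMAC-SHA256 are assumptions for illustration.
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Optional, Tuple

Route = Tuple[str, int, int]             # (network address, prefix length, metric)
SIG_LEN = hashlib.sha256().digest_size   # 32-byte signature sent in place of the key
ROUTE_LEN = 6                            # 4-byte address + prefix length + metric

# Constructed shared key and routes for the demonstration.
KEY = b"constructed-shared-key"
ROUTES: List[Route] = [("10.0.0.0", 8, 1), ("172.16.0.0", 12, 3)]


def encode_update(routes: List[Route]) -> bytes:
    """Constructed update format: 2-byte route count, then address(4)|plen(1)|metric(1)."""
    body = struct.pack("!H", len(routes))
    for addr, plen, metric in routes:
        body += ipaddress.IPv4Address(addr).packed + struct.pack("!BB", plen, metric)
    return body


def decode_update(body: bytes) -> List[Route]:
    (count,) = struct.unpack("!H", body[:2])
    if len(body) != 2 + count * ROUTE_LEN:
        raise ValueError("route count does not match update length")
    routes: List[Route] = []
    for i in range(count):
        pos = 2 + i * ROUTE_LEN
        addr = str(ipaddress.IPv4Address(body[pos:pos + 4]))
        plen, metric = struct.unpack("!BB", body[pos + 4:pos + 6])
        routes.append((addr, plen, metric))
    return routes


def sign_update(key: bytes, routes: List[Route]) -> bytes:
    """Sender: assemble the update, hash it together with the shared key, and put the
    resulting signature (never the key itself) in front of the data, as in the figure."""
    body = encode_update(routes)
    signature = hmac.new(key, body, hashlib.sha256).digest()
    return signature + body


def verify_update(key: bytes, packet: bytes) -> Optional[List[Route]]:
    """Receiver: recompute the keyed hash over the data; accept the routes only on a match."""
    if len(packet) < SIG_LEN + 2:
        return None
    signature, body = packet[:SIG_LEN], packet[SIG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):   # constant-time comparison
        return None
    try:
        return decode_update(body)
    except ValueError:
        return None


def with_metric_changed(packet: bytes, index: int, metric: int) -> bytes:
    """Constructed in-transit modification, used only to show the signature catches it."""
    pos = SIG_LEN + 2 + index * ROUTE_LEN + 5
    return packet[:pos] + bytes([metric]) + packet[pos + 1:]
```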
Route Filtering

  router rip
   network 10.0.0.0
   distribute-list 1 in
  access-list 1 deny 0.0.0.0
  access-list 1 permit 10.0.0.0 0.255.255.255

  Router# sho ip proto
  Routing Protocol is "rip"
    Sending updates every 30 seconds, next due in 12 seconds
    Invalid after 180 seconds, hold down 180, flushed after 240
    Outgoing update filter list for all interfaces is not set
    Incoming update filter list for all interfaces is 1
    Redistributing: rip

Out-of-band Management

[Diagram: a NAS attached to the routers’ console ports; no management traffic in the primary POP IP network.]
• Use an access server to connect console ports through reverse Telnet

In-band Management

• Use private addresses for backbone routers
• Ingress filter at the edge: SNMP, ICMP, anti-spoofing, your IP as source or destination addresses
• Encryption and integrity

In-band vs Out-of-band

• Console or Aux ports do not allow SNMP
• IOS software upgrade may be easier with the console port
• Out-of-band needs a dedicated connection: cost

Protect Resources

• Spoofing
• Source routes
• Resource consumption

Spoofing

  interface Serial 1
   ip address 172.26.139.2 255.255.255.252
   ip access-group 111 in
   no ip directed-broadcast
  interface ethernet 0/0
   ip address 10.1.1.100 255.255.0.0
   no ip directed-broadcast
  access-list 111 deny ip 127.0.0.0 0.255.255.255 any
  access-list 111 deny ip 10.1.0.0 0.0.255.255 any

[Diagram: a packet IP (D=10.1.1.2 S=10.1.1.1) arriving on Serial 1 from the outside host 172.16.42.84 carries an internal source address and matches the deny entries of access-list 111.]
Slide 102: Preventing IP Spoofing
Cisco routers: disable source routing (on by default)
 no ip source-route
Hosts, disable:
 1) IP forwarding, usually easy
 2) source routing, usually impossible (Windows had to wait until Win NT4 SP5, May 99)
 3) applications check for IP options via getsockopt(…)

Slide 103: Ingress/Egress Route Filtering
Your customers should not be sending any IP packets out to the Internet with a source address other than the address you have allocated to them.

Slide 104: Including Private Addresses
• 10.0.0.0 to 10.255.255.255 (10/8 prefix)
• 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
Source: RFC 1918

Slide 105: Ingress Route Filtering
(Diagram: ISP between the Internet and a customer network 165.21.0.0/16 on Serial 0/1.)
• Allow source address 165.21.0.0/16
• Block source addresses from all other networks
• Ex. IP packets with a source of 10.1.1.1 would be blocked

Slide 106: Egress Route Filtering
(Diagram: the same ISP, customer network 165.21.0.0/16 on Serial 0/1, filter applied toward the customer.)
• Deny source address 165.21.0.0/16
• Allow source addresses from all other networks
• Ex. IP packets with a source of 10.1.1.1 would be blocked

Slide 107: Enterprise Ingress and Egress Filtering
Use topological information with input ACLs to protect your site.
(Diagram: a site connected to the Internet, with internal networks A and B.)
Input ACL on the Internet-facing interface:
 deny source=A
 deny source=B
 deny source=127...
 deny source=10...
 deny source=192.168..
 else permit
Input ACL on the interface facing network A:
 permit source=A
 else deny
Input ACL on the interface facing network B:
 permit source=B
 else deny

Slide 108: Enterprise Ingress and Egress Filtering (Cont.)
Use topological information with an output ACL to protect the other sites...
Output ACL on the Internet-facing interface:
 permit source=A
 permit source=B
 else deny
Source: RFC 2167

Slide 109: Reverse Path Forwarding
• Supported from 11.1(17)CC images
• CEF switching must be enabled
• Source IP addresses are checked to ensure that the route back to the source uses the same interface the packet arrived on
• Care required in multihoming situations

Slide 110: CEF Unicast RPF
Routing Table:
 210.210.0.0 via 172.19.66.7
 172.19.0.0 is directly connected, Fddi 2/0/0
CEF Table:
 210.210.0.0  172.19.66.7  Fddi 2/0/0
 172.19.0.0   attached     Fddi 2/0/0
Adjacency Table:
 Fddi 2/0/0  172.19.66.7  50000603E…AAAA03000800
(Diagram: a unicast packet, Dest Addr x.x.x.x, Src Addr 210.210.1.1, arrives on Fddi 2/0/0. RPF checks whether the source address's reverse path matches the input port. If OK, RPF passes the packet to be forwarded by CEF.)

Slide 111: CEF Unicast RPF
Same routing, CEF and adjacency tables as the previous slide.
(Diagram: a unicast packet, Dest Addr x.x.x.x, Src Addr 144.64.21.1, arrives on Fddi 2/0/0. The reverse path to the source does not match the input port (the tables hold no route back to 144.64.21.1), so RPF drops the packet.)
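Slides 105 to 111 describe two complementary source-address checks: a static filter built from topology (what sources may legitimately arrive on an interface) and unicast RPF, which derives the same answer dynamically from the forwarding table. The Python below is an added example, not the slides' own code, that implements both against constructed packets; the /16 masks on the slide-110 prefixes and the Serial0/1 route used to show the multihoming caveat are assumptions.

```python
"""Added example (not from the NTW 2000 slides): the two source-address
checks the slides describe, run against constructed packets.
 - Topological ingress/egress filtering (slides 105-108).
 - Strict unicast RPF against a FIB (slides 109-111)."""
import ipaddress
from typing import Dict, List, Optional

# Sources that must never appear on an Internet-facing interface: the RFC 1918
# blocks from slide 104 plus the loopback net the slide-107 ACL denies.
BOGON_SOURCES = [ipaddress.IPv4Network(p) for p in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def customer_ingress_filter(src: str, allocated: str) -> str:
    """ISP edge, customer-facing interface (slide 105): permit only the
    block allocated to that customer; every other source is denied."""
    ip = ipaddress.IPv4Address(src)
    return "permit" if ip in ipaddress.IPv4Network(allocated) else "deny"

def enterprise_input_filter(src: str, own_prefixes: List[str]) -> str:
    """Enterprise Internet-facing input ACL (slide 107): deny sources that
    claim to be inside networks (A, B) or RFC 1918 / loopback, else permit."""
    ip = ipaddress.IPv4Address(src)
    inside = [ipaddress.IPv4Network(p) for p in own_prefixes]
    return "deny" if any(ip in p for p in inside + BOGON_SOURCES) else "permit"

class Fib:
    """Minimal forwarding table: longest-prefix match to an egress interface."""
    def __init__(self, routes: Dict[str, str]):
        nets = ((ipaddress.IPv4Network(p), ifc) for p, ifc in routes.items())
        # Most specific prefix first, so the first hit is the best route.
        self.routes = sorted(nets, key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[str]:
        ip = ipaddress.IPv4Address(addr)
        for net, ifc in self.routes:
            if ip in net:
                return ifc
        return None  # no route at all

def urpf_check(fib: Fib, src: str, in_ifc: str) -> bool:
    """Strict uRPF: the route back to the *source* must leave through the
    interface the packet came in on; no route, or another interface, drops."""
    return fib.lookup(src) == in_ifc

# Constructed FIB mirroring slide 110 (masks assumed /16): 210.210.0.0 via
# 172.19.66.7 on Fddi 2/0/0, 172.19.0.0 attached to Fddi 2/0/0.  The Serial0/1
# route is an assumed second uplink showing the multihoming caveat of slide
# 109: a legitimate source whose best route points elsewhere is dropped.
SLIDE_FIB = Fib({"210.210.0.0/16": "Fddi2/0/0",
                 "172.19.0.0/16": "Fddi2/0/0",
                 "198.51.100.0/24": "Serial0/1"})

if __name__ == "__main__":
    for src in ("210.210.1.1", "144.64.21.1", "198.51.100.9"):
        verdict = "pass" if urpf_check(SLIDE_FIB, src, "Fddi2/0/0") else "drop"
        print(f"src {src} in on Fddi2/0/0: RPF {verdict}")
    print("10.1.1.1 from customer 165.21.0.0/16:",
          customer_ingress_filter("10.1.1.1", "165.21.0.0/16"))  # deny
```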
Slide 112: Resource Deprivation Attacks

version 11.2
no service finger
no service udp-small-servers
no service tcp-small-servers

Services disabled by the lines above:
• Echo (7)
• Discard (9)
• Daytime (13)
• Chargen (19)
• Finger (79)

Slide 113: Addressing DoS Attacks
• ISPs can create an AUP that clearly states how they intend to handle the customer's traffic
• ISPs can craft SLAs, and peering/transit agreements, to include who is responsible for ingress filtering

Slide 114: ICMP Filtering
Extended access list:
 access-list 101 permit icmp any any <type> <code>
 no ip unreachables (IOS will not send)
 no ip redirects (IOS will not accept)

Summary of ICMP message types:
 0  Echo Reply
 3  Destination Unreachable
 4  Source Quench
 5  Redirect
 8  Echo
 11 Time Exceeded
 12 Parameter Problem
 13 Timestamp
 14 Timestamp Reply
 15 Information Request
 16 Information Reply
ICMP codes are not shown. Source: RFC 792, Internet Control Message Protocol

Slide 115: ICMP Filtering
• General case:
 access-list 101 permit icmp any any <type> <code>
 no ip unreachables (IOS will not send)
 no ip redirects (IOS will not accept)
• Example: control the direction of a ping (only Echo Reply, type 0, may leave Serial 0):
 access-list 101 permit icmp any any 0
 interface Serial 0
  ip access-group 101 out
(The same summary of ICMP message types as on the previous slide.)

Slide 116: No IP Directed Broadcast

interface Serial 1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
interface ethernet 0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
Slide 117: No Source Routing

interface Serial 1
 ip address 172.16.139.2 255.255.255.252
 ip access-group 111 in
no ip source-route
access-list 111 permit ip 10.16.0.0 0.0.255.255 any

(Diagram: private network 10.16.0.0 behind Serial 1; an outside packet carries a source-route option saying "I'm 10.16.99.99, and here's the route back to me".)
RFC 792: Internet protocol

Slide 118: A Word About Sniffers
• Encrypt sensitive information
• Use one-time authentication or smart cards
• Use switched networks instead of bridges
• Ensure good host security

Slide 119: Audit
• Don't assume everything is OK
• Actively watch the network
• Investigate any unusual event

Slide 120: Other Potholes and Chicken Nests
• Avoid segmentation attacks, and other software bugs, by staying up to date with software versions and patches
• Prevent session hijacking through use of encryption and strong random numbers
• Dampen TCP SYN attacks through use of the "TCP Intercept" feature of IOS 11.2F or the PIX firewall

Slide 121: Intrusion Detection
• To detect individuals attempting attacks against your network, such as the following:
 Reconnaissance
 Access
 Denial of Service

Slide 122: Profile-Based Detection
• Anomaly: behavior departs from a known profile of normal activity
 Requires creation of statistical user profiles

Slide 123: Signature-Based Detection
• Misuse: behavior matches known patterns of malicious activity
 Requires creation of misuse signatures

Slide 124: Host-Based Intrusion Detection
(Diagram: corporate network behind a firewall facing an untrusted network; an agent runs on each internal host and on the WWW and DNS servers.)
Slide 125: Network-Based Intrusion Detection
(Diagram: corporate network behind a firewall facing an untrusted network; sensors on the internal segment and on the WWW/DNS server segment report to a Director.)

Slide 126: Intrusion Detection Signatures
(Diagram: attacker and victim on a test network; input from CERT, Bugtraq and exploit/hacker sites; captured bit patterns feed signature pattern analysis.)

Slide 127: Intrusion Detection
(Diagram: traffic flow from the untrusted network to the protected network, with packet capture at the boundary.)

Slide 128: Firewall For The Internet Access
(Diagram: Internet; router at .1; firewall at .2; DMZ, the demilitarized zone, with WWW server 192.1.1.3, DNS server 192.1.1.4 and Mail server 192.1.1.5; private LAN 192.168.1.0/24; NAT IP pool 192.168.1.32-255.)
• Policy
 All users can access the Internet
 Servers on the DMZ are public

Slide 129: Firewall For The Internet Access
• On the router
 deny all traffic with your own addresses as source
 authorize any traffic to the DNS, Web or Mail servers
 authorize returning traffic to the firewall (NAT pool)
• On the firewall
 statefully allow returning traffic

Slide 130: Access-Group ACL On The Router

access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.1.1.0 0.0.0.255 any
access-list 101 permit tcp any host 192.1.1.3 eq www
access-list 101 permit udp any host 192.1.1.4 eq domain
access-list 101 permit tcp any host 192.1.1.5 eq smtp
access-list 101 permit ip any 192.1.1.32 0.0.0.31
access-list 101 permit ip any 192.1.1.64 0.0.0.63
access-list 101 permit ip any 192.1.1.128 0.0.0.127
interface Serial 0
 ip access-group 101 in

(Corrections to the slide as printed: port matches such as eq www/domain/smtp require tcp or udp rather than ip, and the last pool entry must start at 192.1.1.128 for wildcard 0.0.0.127 to cover .128 to .255.)
Slide 131: Opening Holes Through The Firewall
(Diagram: same topology as slide 128. HTTP reaches the WWW server 192.1.1.3, where the user authenticates; SQL is allowed from 192.1.1.3 only toward the inside host.)
• Policy
 After authentication, an external user may have access to their bank account

Slide 132: Opening Holes Through The Firewall

static (inside,outside) 192.1.1.6 10.0.1.6
access-list acl_outside permit tcp any host 192.1.1.3 eq sql
access-group acl_outside in interface outside

• To hack the inside host you would first need to hack the web server, and then you could use only SQL through the FW

Slide 133: Good Practices
• To limit OS/application weaknesses, dedicate one task per public server
• No unnecessary services
• Use intrusion detection software probes in the DMZ
• Remember that opening holes through a FW means stateless

Slide 134: Tools

Slide 135: SSL
• SSL = Secure Socket Layer
• SSL sits between the HTTP application and TCP and was developed by Netscape to protect web traffic
• SSL is supported by all the major web browsers
• Two components of SSL:
 SSL record layer
 SSL handshake layer

Slide 136: How It Works
• A customer contacts a site, accessing a secured URL (indicated by a URL that begins with "https:" instead of just "http:", or by a message from the browser).
• The server responds, automatically sending the customer the server site's digital certificate, which authenticates the server's site.
• Your customer's web browser generates a unique "session key" to encrypt all communications with the site.

Slide 137: How It Works 2
• The user's browser encrypts the session key itself with the site's public key so only the site can read the session key.
• A secure session is now established. It all takes only seconds and requires no action by the user. Depending on the browser, the user may see a key icon becoming whole or a padlock closing, indicating that the session is secure.
• If your site doesn't have a digital certificate, visitors will see a warning message when they attempt to offer credit card or personal information.
Source: Netscape Communications, Inc.

Slide 138: How It Works 3
(Diagram: browser sends a request to the web server; the server returns its digital certificate; the browser sends the session key encrypted with the server site's public key; secure communication follows.)

Slide 139: SSH 1
• Secure Shell was designed to replace the UNIX r commands: rsh, rlogin, and rcp (ssh, scp, and slogin)
• Added features:
 strong end-to-end encryption
 improved user and host authentication
 TCP and X11 forwarding
• The r commands depend on the IP address, or the name-to-IP address translation and the IP address, being trustworthy. But we know that security based on IP addresses is not very good. SSH uses RSA for host authentication.

Slide 140: SSH 2
• When installed on a host, a public and private key pair is generated for that host and stored on the host. These are used to authenticate the host to another host with whom a connection is being established. The public key of the local host will need to be added to the ssh_known_hosts file on all remote hosts that the current host wants to access. Or, a user can add the remote host's public key to a similar file in her home directory.
 Issue: key management/directory services
• Public key cryptography is used for the host-to-host authentication.

Slide 141: SSH 3
(Diagram: Host A sends a random string encrypted with B's public key; Host B decrypts it and returns the decrypted string encrypted with A's public key.)

Slide 142: SSH 4
• Once the host-to-host authentication has taken place, the user can authenticate.
 The strongest available way: the user can generate a public/private key pair and distribute the public key to the remote hosts to which authentication will be needed.

Slide 143: SSH 5
• SSH also provides for encrypted tunnels by using the public/private key pairs. A symmetric session key is encrypted using the remote host's public key and sent to the remote host. All transmissions, including the user's authentication information, will then be encrypted.
• SSH can also forward TCP ports over the secure connection. For example, email can be configured to go across the encrypted channel.

Slide 144: Responding to Security Incidents: Incident Response

Slide 145: Typical Network Intrusion
• Locate or identify a target host
• Gain regular user-level access to the host
• Obtain elevated privileges on the host
• Conduct unauthorized activity
• Cover tracks
• Jump to another host on the network and continue

Slide 146: Scope and Impact
• Scope of an incident: the number of systems, networks, data, and other resources affected or accessed during the intrusion
• Impact of an incident: the resulting effects of the intrusion on the organization
• The scope and impact of the incident will influence the actions you and your staff will take in response to the intrusion

Slide 147: Why Should You Care
• Avoid extensive damage to data, systems, and networks due to not taking timely action to contain an intrusion
• Minimize the possibility of an intrusion affecting multiple systems both inside and outside an organisation because staff did not know who to notify and what actions to take
• Avoid negative exposure in the news media that can damage an organisation's public image and reputation
• Avoid possible legal liability and prosecution for failure to exercise due care when systems are inadvertently or intentionally used to attack others

Slide 148: Who Should Be Involved
(Diagram: Incident Response at the centre, surrounded by Top management (CTO, CIO), Legal, Public Relations, Network Admin, HR, Users, Security Teams and System Admin.)

Slide 149: Components of Response
• Analyze the event
• Contain the incident
• Eliminate intruder access
• Restore operations
• Update procedures based on lessons learned

Slide 150: Timing
(Timeline diagram from t1 to tn, stacking the phases in order: Analyze the Incident; Contain the Intrusion; Eliminate Intruder Access; Restore System to Operations; Identify and Implement Lessons Learned.)

Slide 151: Analyze Event
• What systems were used to gain access
• What systems were accessed by the intruder
• What information assets were available to those systems
• What did the intruder do after obtaining access
• What is the intruder currently doing

Slide 152: Contain the Intrusion
• Gain control of the systems involved
• Attempt to deny the intruder access in order to prevent further damage
• Monitor systems and networks for subsequent intruder access attempts

Slide 153: Eliminate Intruder Access
• Change all passwords on all systems accessed
• Restore system and application software and data, as needed
• What other systems might be vulnerable

Slide 154: Restore Operations
• Validate the restored system
• Monitor systems and networks
• Notify users and management that systems are again operational
Slide 155: Preparing to Respond
• Create an archive of original media, configuration files, and security-related patches for all router and host operating systems and application software versions
• Ensure that backup tools and procedures are working
• Create a database of contact information
• Select and install tools to use when responding to intrusions

Slide 156: Preparing to Respond (Cont.)
• Develop a plan and process to configure isolated test systems and networks when required
• Keep response plans, procedures and tools up to date
• Consider performing a practice drill to test tools and procedures

Slide 157: Responding to Security Incidents: Forming an Incident Response Team

Slide 158: Incident Response Team
"A Computer Security Incident Response Team (CSIRT) is a team that performs, coordinates, and supports the response to security incidents that involve sites within a defined constituency."
RFC 2350, "Expectations for Computer Security Incident Response"

Slide 159: Purpose
To facilitate efficient and effective handling of security incidents in order to minimize their impact on the organization

Slide 160: Elements of a CSIRT
• Constituency
• Sponsorship or affiliation
• Authority

Slide 161: Elements of a CSIRT (Cont.)
• Types of incidents handled
• Level of service
• Cooperation and disclosure of information
• Protected communications
Slide 162: ISP Issues
• Will you provide incident response service for your subscribers?
• If not, what role will you play in helping your customers with security incidents?
• Alerting customers of security incidents that affect them

Slide 163: ISP Issues (Cont.)
• Alerting customers when the ISP's infrastructure has been breached
• Providing accurate contact information for the reporting of security problems

Slide 164: In Summary
• The question isn't if you'll have to handle a significant security incident…
• It's WHEN and HOW BAD will it be

Slide 165: Are You Ready?

Slide 166: Resources
• Distributed Systems Intruder Tools Workshop Report: http://www.cert.org/reports/dsitworkshop.pdf
• Denial of Service Information Page: http://www.denialinfo.com/
• IOS Essentials: Features Every ISP Should Consider: http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
• CERT Advisories: http://www.cert.org/
• FIRST: http://www.first.org/

Slide 167: More Information
• Improving Security on Cisco Routers: http://www.cisco.com/warp/public/707/21.html
• Cisco Product Security Incident Response (PSIRT): http://www.cisco.com/warp/public/707/secincidentresponse.shtml
• Cisco Security Advisories: http://www.cisco.com/warp/public/707/advisory.html
• Characterizing and Tracing Packet Floods Using Cisco Routers: http://www.cisco.com/warp/public/707/22.html
• Strategies to Protect Against Distributed Denial of Service Attacks: http://www.cisco.com/warp/public/707/newsflash.html