Networking Strategies

Copyright James B. Maginnis 2000-2005

1

Organizational Kinetics
Copyright 2003 - 2009

Network Design, Security Analysis,

Risk Assessment, DR, and BCP

Presentation By Jim Maginnis


2
Today, There are >1 Billion Internet Users!

600
Gartner
500

400 eMarketer
300

200 Nielsen/NetRati
ngs
100
Computer
0 Industry
Internet Users Worldwide Almanac ( CIA)
2001 (in millions)

Source: Projections vs. Reality, January 2002: www.emarketer.com


3
Agenda

• Technologies for PANs, LANs, MANs, WANs
• IT Architecture and Network Design
considerations
• Outsourcing Decisions
• Security Issues and Risk Assessments
• Fault Tolerance Planning
• Disaster Recover Planning
• Business Continuity Planning
• Management Responsibilities


4
Analog Signals

• Sound Waves ~ Electrical Waves in a Wire
• Analog Signal Electrical Wave
• Sound Wave Characteristics
frequency (hertz)
– Frequency (Hz) = cycles per second

amplitude (volts)
– Spectrum
• 100 – 6,000 Hz
• 300 – 3,000 Hz Time
(sec)
– Bandwidth = diff
– Amplitude (dB) 1 cycle
– Phase (alignment)


5
Analog Communications Technology

• Amplitude Modulation (AM), Frequency
Modulation (FM), Phase Modulation (PM)


6
Digital Signaling

• Represented by square waves or pulses
• Bit loss rather than attenuation loss
amplitude (volts)

1 cycle

time
(sec)

frequency (hertz)
= cycles per second


7
Broadband, Baseband, and Narrowband
• Broadband means telecommunications in
which a wide band of frequencies is
available to transmit multiplexed information
– DSL and Cable (with bandwidth expectations)
• Usually analog with modem and/or multiplexer
• At least 256,000 bps – Jupiter Communications
• Over 6 MHz – IBM Dictionary of Computing
• Baseband means one digital channel
– Ethernet (―BASE‖) / Token Ring (―single band‖)
• Narrow means just voice (500 to 64 kbps)
– Mobile, Radio, Paging services (―dual-band‖)


8
Connection Data Rates / Speed / Bandwidth
Technology Max Data Rate Medium Technology Max Data Rate Medium
GSM 9.6 to 14.4 Kbps RF USB 1.0 12 Mbps TP
POTS 56 Kbps TP DS3/T-3 44.736 Mbps Coax
GPRS 56 to 114 Kbps RF OC-1/DC-1 51.84 Mbps Fiber/Coax
BRI ISDN 64-128 Kbps TP 802.11g 54-108 Mbps RF
EDGsmE 384 Kbps RF Fast E-net 100 Mbps TP, Fiber
Satellite 400 Kbps RF FDDI 100 Mbps Fiber
Frame Relay Normal 56 Kbps TP/Coax OC-3/SDH 155.52 Mbps Fiber
Bluetooth 1 Mbps RF IEEE 1394 400 Mbps TP
DS1/T-1 1.544 Mbps Various ATM 155 / 622 Mbps TP / Fiber
UMTS/.16.20 1-3/2-155 Mbps RF OC-12/STM-4 622.08 Mbps Fiber
T-1C 3.152 Mbps Various SSA or SCSI 80 Mbytes/sec TP, Fiber
Token Ring 4 to 16 Mbps Various Gigabit E-net 1 / 10 Gbps TP, Fiber
DSL D:½ to 8 Mbps TP Fiber Channel 1 Gbps Fiber
Cable D:½ to 52 Mbps Coax OC-768 40 Gbps Fiber
Ethernet 10 Mbps Various DWDM 1 Petabit, 1015 Fiber


Advantages of Segmenting – Internetworking
9

• Reduces the number of users per segment
– Increase effective bandwidth and security
• Switch VLANs work at wire speed
• Using Bridges to segment
– Each segment in a different collision domain
– Same broadcast domain for non-routed protocols
• Using Routers (layer-3) to segment
– Reduced broadcast messages
– Improved manageability
• Multiple active paths
• Flow and congestion control, explicit packet controls
– 30% slower connectivity than a bridge


1
0 Switches, Routers, Bridges, and Gateways
• LinkSys G-kit: $183.00
• 3Com NJ200 4-port, SNMP
QoS, VLAN, 1.4‖ Switch
• Modular Systems start with
a chassis (Cisco 6509
sold $1 billion in 1999)
• Forum Phone ―Bridge‖
• Gateways (e.g. Mail)
– A traffic controller from one
network or service to another
– Often a proxy server for
security and caching


Processors – Firewalls
1
1

• A ―real‖ firewall supports ―stateful packet
inspection‖ with the ability to open packets to
ensure that the ones coming from the Internet
were responses to ones that went out.
– SOHOware NBG800 Router/Firewall for $70
– 3COM OfficeConnect Secure Gateway for $250,
NetScreen, WatchGuard, SonicWALL, SnapGear,
and Cisco processors also support IPsec VPNs
• Strongest firewall is Secure Computing’s
SideWinder with a hardened OS, and can be
purchased separately, on servers from Dell,
or embedded in 3COM Ethernet cards


Devices From The OSI Model’s Perspective
1
2

• SSL, S/MIME,
PGP, and SET
• NOS API
• VoIP
• Router/Firewall
• IPsec
• Bridge/Switch
• Hubs/Modems


1
3 What is a Virtual Private Network Connection?
• A VPN (virtual private network) uses a public
infrastructure (Internet) to provide remote
offices or users access to an organization's
network using ―tunneling‖ rather than using
more expensive private or leased lines.
• IPsec (Internet Protocol Security) provides
two choices of security service:
– Authentication Header (AH), which essentially
allows authentication of the sender of data
– Encapsulating Security Payload (ESP), which
supports both authentication of the sender and
encryption of data as well.


1
4 Network Design Process

• Consider Cost, Functionality, Manageability,
Scalability, Adaptability, and Effectiveness
• WAN vs. LAN and
Upfront vs. Support Costs
– Labor as much as 43% of TCO
– Support normally 80% of TCO
– Training, Downtime, DRP/Recovery
– Client/Server, N-tier, Distributed
– HP Openview
– Cisco Netsys
– Modeling tools


1
5 Information Architecture Plan

• Especially critical in today’s multi-vendor,
distributed environment
• Common vision on mandatory standards and
key information & communication interfaces
• Derive IT Architecture from department’s
strategic and business requirements
• A long term process based
on as many IT and business
staff as practicable with
continuous review and update


1
6 What is an Enterprise IT Architecture?
• IT Architecture “A blueprint to guide
how IT elements
Components should work
– Business flows together”
and relationships
– Application
development
– Data descriptions
– Network / Telecom
– Operating System(s)
– Security and privacy
– Risk factors
– Migration Plan


1
7 IAP Models, Protocols, and Standards

• Reference Model (e.g. OSI)
– a generic framework
– logical breakdown of an activity
• Protocol (e.g TCP/IP)
– details of how to accomplish specific task
– required to implement models
• Standard (e.g. IEEE 802.3)
– what a reference model and its protocol become
when approved by an important standard-setting
group (de jure standard), or are adopted by the
marketplace ( de facto standard).
Standards are, in essence, the blueprint for the Information Architecture


1
8 Who Sets Standards?

• Federal government:
– by law can establish regulatory standards
– National Institute for Standards and Technology
• National standards bodies
– ANSI, IEEE, or ISO
• International standards bodies
– ISO (International Organization for
Standardization)
– International Telecommunication Union (CCITT)
• Other vendor groups, professional
associations, trade associations, etc
– IEEE, VESA, ATM Alliance, SQL group, IETF


1
9 Standards Openness Continuum
Closed • proprietary and closed
(unpublished) – Intel chip, MS Windows
– IBM mainframe
• proprietary but licensed (for fee)
– postscript
• proprietary but published (free or token fee)
– IBM’s original ISA bus
– SUN’s NFS (network file system)
– Intel’s PCI (peripheral component
interconnect)
• non-proprietary consortia or similar
– VESA bus
– ATM (asynchronous transfer mode) protocol
– DVD
Open • „official‟ de jure (open) standards products
(published) – Ethernet, ISDN, DSL


―Well-Formed‖ Risk Statement
2
0

Asset Threat Vulnerability Mitigation
What are you What are you How could the What is currently
trying to protect? afraid of threat occur? reducing the
happening? risk?

Impact Probability
What is the impact to the How likely is the threat given
business? the controls?

Well-Formed Risk Statement


2
1 Defining Roles / Responsibilities

Executive
Determine
Sponsor acceptable risk
“What's
important?”

Information
Assess risks Define security Measure security
Security Group requirements solutions
“Prioritize risks”

IT Group Design and build Operate and
“Best control solution” security solutions support security
solutions


2
2 Security Risk Management Process

4 Measuring 1 Assessing
Program Risk
Effectiveness

3 Implementing
Controls
2 Conducting
Decision Support


2
3 Internet Enabled Technology Architectures
Policies and Standards Network Management
Software
Management

Firewalls
Passwords
Encryption Content Software Authoring
Security
and Data Tools Tools

Infrastructure

TCP/IP Hypermedia
Servers Browsers
Network Databases


2
4 Requirement Sets for Two Design Options

Bare
“Cadillac”
Bones

Win- Implementation Win-
UNIX UNIX
dows Environments dows

Off Off
In Out Con- In Out Con-
the the
House Source sult House Source sult
shelf shelf
Sources


2
5 Architecture - Internal vs. External sourcing

• Costs and Knowledge base
– Investment in hardware, software and facilities
– Applications and database technologies
• Reliability, (DRP and BCP)
– Redundancy (no single point of failure)
• Components, systems, multiple sites
• Entire project or just portion (computer room)
• Pull campus network lines or pay carrier
• SSL, certificates, dynamic passwords
– SecureID, CryptoCard, Safeword


2
6 Comparison Criteria
• Feasibility and Cost/Benefit
• Available Resources: What can you do?
• Development Time
• Developmental and Operational Costs
• Efficiency and Ease of Use
• Compatibility
• Security
• Emotional: What do you want to do?
• ―Evaluation_Tools‖…http://mime1.marc.gate
ch.edu/mm_tools/evaluation.html


2
7 Different Sources of Software Components

Source of When to Go to This Internal Staffing
Application Type Organization Requirements
Producers
Software? for Software

Hardware Generally For system software and Varies
Manufacturers not utilities

Packaged Yes When supported Some IS and user
Software task is generic staff to define
Producers requirements and
evaluate packages
Custom Software Yes When task requires Internal staff may
Producers custom support and be needed,
system depending on
can’t be built internally application
In-House Yes When resources and Internal staff
Developers staff are available and necessary though
system must be built staff size may vary
from scratch


Applications – Voice Over IP
2
8

• Transmit voice over • Motivations
IP data networks – Very cost effective
– Voice Signal – Multimedia
• Digitized communication
• Compressed – Integrated voice and
• Converted to IP packets data network
and transmitted over IP
network • Challenges
– Signaling Protocols – Quality of voice
• Set-up and tear down the – Interoperability
calls – Security
• Locate users – Integration with PSTN
• Negotiate capabilities
– Scalability
• Waiting for IPv6


Applications – New IPv6 Functionality
2
9

• 128-bit Addressing
– Then every IP address with a microphone and
speaker will be a phone and vice versa, every
camera will also be searchable in real time
• More Secure – Phone bill vs. credit card
• Quality of Service (QoS) Queuing
– Critical for CIT Voice and Video
• Multicast Services
– The ability to send real time information to
multiple locations – Pay-per-View and per-Play
• Improved Mobile Support
– No wires for a billion devices remotely monitored


Applications – Voice over ISDN and ATM
3
0

• Point-to-point ISDN and ATM networks are
the solution today
• 128kbps ISDN Video Conferencing works
better than sharing a 1.54Mbps T1
• ATM (asynchronous transfer mode) use 53-
byte cell units in a multiplexed dedicated-
connection switching environment
• ATM is the current most common solution for
internetworking a campus or WAN backbone
with real-time analog and data requirements


3
1 5 Top Ways To Lower Costs & Raise Uptime

• Converge multiple WAN/MAN backbones
• Improve Quality of Service (QoS)
• Support Voice Over IP (VOIP)
• Cheap & easy IPsec VPNs to remote users
• Improve network management control
• All with
different
security
issues


3
2 Network Management Goals

• Monitor network, backup, and vendor health
• Automatic restoration options
• Dedicated 7 x 24 hour local support w/DRP
• Demonstrate business continuity plans
• Dynamic reconfigurations
• Bandwidth-on-demand (BoD) pools
alternative to temporary peeking or DRP
• Renewal of insurance policies
• Meeting industry rules


3
3 Need To Consider Current Environments

• Platform alternatives
– Host or mainframe
– Mid-tier (UNIX) platforms
– Mid-tier (Windows NT)
– Client/Server
– Three-tier web-based
– Peer to Peer
– Distributed
• Hardware and software standards
• Support resources’ ability to deploy solutions


3
4 Metropolitan Area Nets (MANs)

• Metropolitan backbones
• SONET rings – solving the
vulnerabilities of last mile
• 25 Mbps Microwave
• Single mode fiber, 10-Gigabit
Ethernet will go 40 kilometers
this year ($24 billion). Expected
to capture 30% of high speed
Internet market by ’05. (Gartner)
• More ASPs, MSPs, SSPs – Trust / Security


3
5 Trends in Telecommunications and Voice

• Convergent system for V&D requirements
• Open access with large bandwidth changes
• Starbucks began with 2,000 802.11 routers
• Virtual Private Networks for Global Model
• Rainbow consortium of Microsoft, IBM, Intel,
AT&T Wireless, and Verizon to create a
single nationwide Wi-Fi company / network
• In the meantime, Cable will be the big winner
for Internet, TV, movies, and phone services
– Satellite’s 25% share of TV will hold
– DOCSIS 1.1 supports tiered services


3
6 Trends in Telecommunications and Voice

• Need to get all this new stuff to work
together = increase in central network
management software
• Need to get it to work harder (60% idle)
– Reselling excess capacity
– Return to MIS Data Center focus
• Increasing security (esp. governmental and
biotechnologies) and ethical concerns
• Thinner margins and continued bankruptcies
• New SPAM laws and New Taxes!


EDI – B2B Legacy Communications
3
7

High Support Needs = Security Issues

Buyer Supplier
RFP

Response to RFP
Purchase Order
P.O. Acknowledgement

Purchase Order Change
P.O. Change Acknowledgement

Functional Acknowledgement
(for each Transaction )

RFP = Request for Proposal P.O. = Purchasing Order


3
8 The Role of Extranets (was called internets)
Adds everyone else‟s security problems

Access Issues

eBusiness
No Firewalls
Insecure VPNs
Viruses
Wireless Access


3
9 Internet Applications = More Security Issues
Businesses are rapidly installing intranets, extranets,
and enterprise information portals throughout their
organizations in order to enhance communication
and collaboration, and to publish and share business
information easily and at lower cost.

E-mail (S/MIME) Telnet (SSH)

Popular
Uses of the File
E-Commerce (SSL) Internet Transfer
Protocol (PGP)

Internet Relay Search Engines
Chat (VPN) (Anonimizer)


4
0 Groupware for Enterprise Collaboration
Enterprise Collaboration Groupware Database
Systems (ECS) support for Access
communication, coordination Enterprise
Security
and collaboration among the Collaboration
Concerns
members of business teams
and workgroups. Often set up with full access

Electronic Electronic Collaborative Work
Communications Conferencing Management
Tools Tools Tools

•E-Mail •Data Conferencing •Calendaring
•Voice Mail, IP Phone •Voice Conferencing •Task and Project Mgt
•Web Publishing •Videoconferencing •Workflow Systems
•Faxing •Discussion Forums •Knowledge Mgt
•Electronic Meetings •Document Sharing


4
1 Electronic Conferencing = Access Issues

• Data Conferencing
– E.g.. MS-Netmeeting
• Voice Conferencing
• Videoconferencing
– Real time need point
to point connections
• Discussion Forums
• P-T-P Chat (IRC)
• Electronic Meetings


4
2 Communications and Collaboration Tools

• Electronic Mail
• Voice Mail
• Faxing
• Web Publishing
• Calendaring/Scheduling
• Task/Project Management
• Workflow Systems
• Knowledge Management
More Access Worries!


Applications – Internal and Off The Shelf
4
3

• Web Pages
– Static vs. dynamic
• Database
– Storage
• Legacy MIS
systems

Access control is
a never-ending
security effort!


Applications – Buffer Overflow Prevention
4
4

#include <stdio.h>
void main(void){
char buffer[50];
// gets( buffer );
fgets( buffer, 49, stdin );
buffer[49] = 0;
printf("Input: %sn", buffer);
}
When using gets(), indeterminate behavior
may result from excessive input length.
Thus, fgets() should be favored over gets().


4
5 Security Must Be Integrated With SDLC
• All security considerations should be
documented in the standard SDLC docs
• Develop Needs Statement
– Access and other Controls
– Audit and Integrity Review
• All test plans will include testing security,
internal controls, and audit trail features and
take place in a secure area
• The CSO will work with the component
sponsor to build and sign off on a Security
Requirements Workplan and Validation Plan


4
6 Security - Overview

Accessibility to
authorized, but
not others
– Permanent - not
alterable (can't
edit, delete)
– Reliable -
(changes
detectable)


Security – Firewalls
4
7

Stateful Inspection
Checking inside packets
One firewall is not
enough!
A DMZ (demilitarized zone)
is a small network
inserted between a
company's private
network and the outside
networks to prevent
external users from
getting direct access to
sensitive company data.


4
8 Processors Internet Web Browsers

• Modems Router

Switch
• Multiplexers Firewall
• Internetwork Processors Load Balancer
SSL Acceleration
– Repeaters
Switch Appli-
– Hubs cation
and
– Switches Web
Servers
– Bridges Switch

– Routers Firewall
LAN Backbone Switch
– Gateways V.92 New and
Modem Legacy Data
• Firewalls Bank Resources


Security – Threats / Responses / Newsletters
4
9

• Hacking, viruses, theft, patches, shredding
• Web related, DOS, spoofing, firewalls
• CERT Coordination Center
– At Carnegie-Mellon (www.us-cert.org)
• SANS Institute
– For-profit with free services (www.sans.org)
• National Infrastructure Protection Center
– Now Homeland Security (www.dhs.gov)
• Microsoft (www.microsoft.com/security)
• Trend Micro Anti-virus Software
– Now Japanese owned (www.trendmicro.com)


5
0 Passive vs. Active Threats

CERT received
53,000 reports
of active attacks
in 2001

Eavesdropping / traffic Packets intended to disrupt
analysis for attack or service, to gain access, or
info “black markets” modify information.


5
1 Model for Network Security


NAT Router ―Firewall‖ Web Service Example
5
2

Web Host
Internet
130.27.8.35
To 24.88.48.47:20 To 130.27.8.35:80
from 130.27.8.35:80 from 24.88.48.47:20

Router 24.88.48.47 with NAT that Masquerades
To 192.168.0.20:x To 130.27.8.35:80
from 130.27.8.35:80 from 192.168.0.20:x

Host Web Client Host Host
192.168.0.10 192.168.0.20 192.168.0.30 192.168.0.40
Web Server FTP Server
port 80 port 23


5
3 PGP (Pretty Good Privacy) Encryption

• See www.pgpi.com and www.pgp.com

Mostly used for
encrypting FTP
files and e-mail;
is international
banking standard


5
4 Example PGP Encrypted eMail

To: “John Doe" <johndoe@hotmail.com>
From: Jim Maginnis <jimmaginnis@email.uophx.edu>
Subject: EBUS400: PGP Endeavor...
Cc:
Bcc:
X-Attachments:

-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 6.5.2 for non-commercial use
<http://www.pgp.com>

qANQR1DBwU4D6cjDU+QAxCwQB/9IZFOIuDSIIQbwa28SQ63DDioFb4bH4bmKfopX
cvdDVQ1X53fSJzyLt12RslfQToje8YxRNidYMNg1zDTT7CR9q7LRFoAwBFVtQhWJ
jFNXn1+aE8oePReMi6vS0DXSSDfgDuUb1R+c8htHoeik6Oebe9R90J3d51yyCojV
/5Io5nlM7T11PDaWqsjLr2ttrSySzARt5fAJ9l1mOH+hSl1YebRjZPaxWw+bsYuqN
a0GYr2UdwgE1u5HQuhZ+bOIbSliShfKiNuDGHe6VJrchROHnC9Po2JWAOD7wMFq6
STZ/MPGzViaCUaaWPLSKleiURUh4Ly5/LaNYkaumO9vh+241FPqtZKqRVmHRg6dY
Ro9edu01qTiXJj25cXHxeNMdA1txLxR3ontbExow+ML5kxs=
=68Hd
-----END PGP MESSAGE-----


PGP: Things to be aware of…
5
5

• Does not encode mail headers
– Subject can give away useful information
– To and From provides traffic analysis
information as well as usernames
• PGP uses original file name and
modification date
• Certificates often verify that the sender is
―John Smith‖ but not which ―John Smith.‖
So, PGP allows pictures in certificates.


5
6 Kerberos For Authentication
(Radius Server also for
centralized passwords)


5
7 Kerberos Issues

• Kerberos transfers username/passwords
in open text from Masters to Slaves
• Cryptographers worry that it might be
breakable through reversing Ksession
• V4 only uses 4 bytes for IP address, so
does not support Novel, Appletalk, IPv6
• V5 allows easier spoofing and delegation
but greatly improves ticket renewal and
allows for public key cryptography


5
8 Breaking DES

• DES released
March 17th, 1975
• Electronic Frontier Foundation concerned with
wide use and exaggerated government claims
of being unbreakable while attempting to bully
companies into only using DES method
• In 1997, RSA offered $10,000 to break; was
claimed 5 months later using the Internet
• Everyone now uses Triple-DES
• NIST has chosen the Rijndael encryption
algorithm to supplant DES starting in 2003


5
9 Breaking RFID (40-48 bit key / 24-bit packets)
• Small, wireless Radio-Frequency ID (RFID) Digital
Signature Transponder (DST) consisting of a small
encapsulated passive microchip and antenna coil.
– Vehicular Immobilizers (automobile keys w/rolling codes)
– Electronic Payment (ExxonMobil SpeedPass )
• Future use by Wal-mart and others of an EPC
(Electronic Product Code) wireless barcode and
may soon be available for as little as 5 cents/unit.
• EPC tags lack sufficient circuitry to implement even
symmetric-key cryptographic primitives, don’t use
128-bit keys, and key case/slots are not shielded


6
0 Private and Public-Key Use


6
1 Future Encryption Keys

Secret value is added by both parties to
message before the ―hash‖ function is used
to get the Message Integrity Check.


6
2 Global Scanning Activities

http://www.incidents.org/


6
3 Examples of Weak Passwords

• Default or empty passwords
• Same as the username
• The word ―password‖
• Short words, 1 to 3 characters long
• Words in an electronic dictionary (60,000)
• User’s hobbies, family names, birthday, etc.
=> most likely last or maiden name
• Phone number, social security number,
street address, license plate number, etc.


6
4 Password Gathering
• Look under keyboard, telephone etc.
• Look in the Rolodex under ―X‖ and ―Z‖
• Call up pretending to from ―micro-support‖ or
a senior merger manager and ask for it
• ―Snoop‖ a network for plaintext passwords.
• Tap a phone line with special modem
• Forward the phone line remotely and fake
login request (and pass to legitimate login)
• Use a ―Trojan Horse‖ program to record key
stokes (e.g.: http://www.winwhatwhere.com/)


6
5 Viruses, Worms, and Trojan Horses
• Virus - code that copies itself into other programs
• Bacteria - replicates until fills disks or CPU cycles
• Worm - uses email / file undocumented features
• Payload - harmful things it does after it has spread
• Trojan Horse - looks good, but does bad things
• Logic Bomb - malicious code activates on an event
• Trap Door (Back Door) - undocumented entry point.

Needs Host Program Independent

Trapdoors Logic Trojan Viruses Bacteria Worms
Bombs Horses


6
6 Types of Viruses
• Boot Sector Virus - infects the boot sector of a
disk, activating on boot up (1st MS-DOS viruses)
• Memory-resident Virus - lodges in main memory
as part of the residual OS
• Parasitic Virus - attaches itself to executable files
as part of their code. Runs when program runs
• Stealth Virus - explicitly designed to hide from
Virus Scanning programs
• Polymorphic Virus - mutates with every new host
to prevent signature detection
• KEEP PATCHES & DEFINITIONS UP TO DATE


6
7 Honey Pots, Tar Pits, and Sink Holes

• A Honey pot is a trap to detect and deflect
attacks with a ―dangle‖ computer or data
– Such as 9/11 ―no plane at the Pentagon‖ hoax
• Tar Pits are a section of a honey pot or DMZ
designed to slow down TCP based attacks
• Sink Holes are the network equivalent with
BGP routers to assist analyzing attacks
– Monitor attack noise, scans, and use of dark IPs
– Ready to advertise routes and accept traffic to
minimize risk while investigating incident


6
8 What To Monitor In A Sink Hole

• Scan ―Dark‖ unused IP space
• Scan for infections of Worms and Bots
• Look for backscatter from attacks & garbage
traffic on networks (RFC-1918 leaks)
• Expand dedicated Sink Hole router with a
variety of tools to pull DOS/DDOS attack
– Arbor Network’s Peakflow checks scan rates
• 2 Router IP addresses: 1 for management
and 1 for Anycast DNS caches to share load


6
9 More Sink Hole Notes

• SQL Slammer Worm doubled infections
every 8.5 sec to spread 100x than Code Red
– at peak, was scanning 55 million hosts / second
• Sink holes have proven their value, with
worm mitigation (after containment)
• Need to work at various security levels
• No IGB on Sinkhole; Sinkhole is a RRc
• Must not loop traffic back out management
interface (remotely controlled: VNC / Telnet)


7
0 The Good, Bad, and Ugly Packets
• The Good - legitimate communications
• The Bad - poorly configured equipment
• The Ugly - intended to do damage
– Speed is too high (storming)
– Host is violating port-usage policy
– UDP packet contains no data
– No data transfer, too many ports or IP
destinations
– Offset + Length > 65,608 bytes for Fragments
– Responses without requests, responses have
different data from requests


7
1 So Many Packets, And So Little Time
• A 50% loaded 100base-t Ethernet carries
about 20,000 pps, or 1.2 million per minute
• Detecting the Ugly is difficult because they
are such a small fraction of the total, and the
Bad often set off false alarms. Among the
techniques that are being used are:
– Single packet signatures
• illegal flags, long fragments
– Timing based techniques
• DOS Floods / automated Telnet
– AI programs that train or learn characteristics
– Flow-based statistical schemes


True Examples of ―Bad‖ and ―Ugly‖
7
2

• A T1 Internet is completely jammed for 45
minutes from 120 hosts downloading 1.2 MB
of files from an CAI FTP server.
• One week-end before Napster was
reportedly going out of business, two hosts
jam the T1 connection by downloading
Gigabytes of data from peer-to-peer servers.
• A host appears to be repeatedly scanning
the network for servers on a half-dozen
different port numbers.
• A rapid rate of short fragmented packets
brings down a top-ten site for half a day.


7
3 Some Techniques to Determine The Ugly

1. Data Flow follows IP Rules, transfers data:
Good unless -
Ugly - Speed is too high
Ugly - Host is violating port-usage policy
Ugly - UDP packet contains no data
2. Host is receiving rejects (TCP or ICMP)
Bad - Web Server or client ending persistent
connections, such as Napster
Ugly - From, or to, too many ports or IP
destinations


7
4 Examples of The Ugly (continued)

3. Host is sending packets, but no replies:
Bad - Web load-balancer is bypassed for
down-stream traffic
Ugly - No data transfer, too many ports or IP
destinations
4. Fragmented IP packets. Bad unless:
Ugly - very short and/or speed is too high
Ugly - Offset + Length > 65,608 bytes


7

5. Pings and Ping Responses
Good - if balanced and reasonable
Ugly - Responses without requests,
responses have different data from requests
(covert channel)
Only a few new types of legitimate network
activity appear each year. It’s much easier to
characterize the new legitimate network
protocols, than it is to keep up with the
hacker community’s latest creations.


7
• Packets that violate Internet Protocols in ways that
have been found to cause computers, firewalls, or
intrusion detection systems (IDS) to crash or
operate improperly.
– Teardrop Attack - IP Fragments that overlap.
– Ping of Death - IP Fragmented Datagram with Offset
plus Length > 65,507
– (one method - # ping -l 65510 192.168.4.5 )
• Short packets, perhaps belonging to A above, that
arrive at such a high rate that they cause damage.
– Rapid TCP ―SYN‖ packets, or Isolated Fragments - tie
up computer memory.


7

• Packets going to various hosts and ports that are
being used to map the network - looking for
vulnerable hosts.
– TCP ―SYN-FIN‖ or other improper TCP Flag
combinations
– UDP Packets with zero data bytes
– TCPs that cause TCP ―Reject‖, or UDPs that causes
ICMP ―Host Unavailable‖
• Hardest to detect, packets that would belong to
"The Good" except that the two hosts should not be
talking to each other, at least not on that service or
port number.
– Detection - Compare to database of allowed Server ports.


7
8 Microsoft Break-in Example

• Employee created file on PC at home and
caught 2-month old virus
• Employee e-mailed virus to self at work
• Was not caught by a Mail Gateway
• Workstation also did not have patches nor
definition files up to date
• Payload was an open tunnel to a Ukrainian
• Who downloaded all development source
(e.g. Windows XP); was not caught = no IDS


7
9 Anomaly-based Intrusion Detection

High statistical variation in
most measurable network
behavior parameters results
in high false-alarm rate


8
0 Distributed Host-based IDS

Highly recommended
for critical servers

Modules must be installed and configured on hosts.


8
1 Signature-based IDS
Data Packets are compared to a growing library
of known attack signatures. These include port
numbers or sequence numbers that are fixed in
the exploit application, and sequences of
characters that appear in the data stream.


Six ―Signatures‖ from the Snort Database
8
2

• alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg: "IDS411
- RealAudio-DoS"; flags: AP; content: "|fff4 fffd 06|";)

• alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS362
- MISC - Shellcode X86 NOPS-UDP"; content: "|90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90|";)

• alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 -
OVERFLOW-NOOP-HP-TCP2";flags:PA; content:"|0b39 0280 0b39
0280 0b39 0280 0b39 0280|";)

• alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 -
OVERFLOW-NOOP-Sparc-TCP";flags:PA; content:"|13c0 1ca6 13c0
1ca6 13c0 1ca6 13c0 1ca6|";)

• alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 -
OVERFLOW-NOOP-Sparc-UDP2"; content:"|a61c c013 a61c c013
a61c c013 a61c c013|";)

• alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS291
- MISC - Shellcode x86 stealth NOP"; content: "|eb 02 eb 02
eb 02|";)


8
3 Signature-based IDS May Miss New Attacks

Back Orifice
Land Attack
Attacks with Names

Win Nuke
Attacks without Names
(not analyzed yet)
IP Blob

Trino
Alarm on Activities
in these areas.


8
4 Flow-based IDS Technology

An approach that recognizes normal traffic
can detect new types of intrusions
Attacks with Names
Back Orifice
Attacks without Names
Land Attack (not analyzed yet)
FTP Web
Win Nuke Normal Network Activities

IP Blob
Alarm on Activities
Trino in this areas.
NetBIOS
Email


8
5 Flow-based Statistical Analysis
A “Flow” is the stream of
packets from one host to
another related to the same
service (e.g., Web, email,
telnet, …). Data in packet
Flow- Flow-
Statistics Statistics headers is used to build up
Counters Counters counts (leads to high
Number of Packets
speed).
Number of Total Bytes After the flow is over,
Number of Data Bytes counters are analyzed and a
Start Time of Flow
value is derived for the
Stop Time of Flow
probability that the flow was
crafted, perhaps for probing
Duration of Flow
the network for
Flag-Bit True-False Combo vulnerabilities or for denial
Fragmentation Bits of service.
ICMP Packet Responses to
UDP Packets

Counters


8
6 IDS Types Should be Combined

Host- Can detect misuse of OS access
Based and file permissions.
Signature Can detect attacks embedded in
-Based network data - if signature is known
Anomaly On host or network: can detect new
-Based types, but high false alarm rate
Flow- Can detect new types of attacks by
Based network activity. Should be used
with Host- and/or Signature-Based


8
7 The Stages of a Network Intrusion

1. Scan the network to: Flow-based "CI" and/or signature-based
• locate which IP addresses are in use,
• what operating system is in use,
• what TCP or UDP ports are ―open‖
(being listened to by Servers).
Signature-based
2. Run ―Exploit‖ scripts against open ports
3. Gain access to ―suid‖ Shell (―root‖ privileges) Host-based
4. Download from Hacker Web site special versions of
systems files that will let Cracker have free access in the
future without CPU or disk usage being noticed by auditing
programs. Signature-based "Port-Locking", Host-based
5. Use IRC (Internet Relay Chat) to invite others to the feast.
Signature-based "Port-Locking", Host-based


8 Web Server Browser
8 One Solution: Segment
Application Application
Layer Bridge-Router-Firewall Layer
(HTTP) can drop packets (HTTP)
Port 80 Port 31337
Transport
based on Transport
Layer source or destination, Layer
(TCP,UDP) IP address, and/or port (TCP,UDP)

Segment No. Segment No.
Network Network
Layer (IP) Layer (IP)
IP Address Network Network IP Address
130.207.22.5 Layer Layer 24.88.15.22

E'net Data Token Ring Token Ring
E'net Data
Link Layer Link Layer Data Link Layer Data-Link Layer

Ethernet Token Ring Token Ring
E'net Phys.
Phys. Layer Layer Phys. Layer Phys. Layer


8
9 Simple Network Man. Protocol v1, v2, and v3

• SNMPv2 makes use of TCP for ―reliable,
connection-oriented‖ server. SNMPv1 is
―connectionless‖ since it utilized UDP (rather
than TCP) as the transport layer protocol.
• Addressed by version 2:
– Lack of support for distributed management
– Functional deficiencies (since v2 can use
TCP/IP and Novel IPX)
• Addressed by version 3:
– V1 used a community name as a password


9
0 Security - Authentication

• Authentication – process to ensure both
the message’s content and sender’s identity
have been verified by an authorized source
and content was not altered.
• Digital Certificate – contains digital identity
information including; name, public key,
operational period, and serial number.
• Certificate Authority – authorized issuer of
digital certificates


9
1 X.509 Authentication Service (e.g. Verisign)
• An International Telecommunications Union
(ITU) recommendation (versus ―standard‖)
for allowing computer host or users to
securely identify themselves over a network.
• An X.509 certificate purchased from a
―Certificate Authority‖ (trusted third party)
allows a merchant to give you his public key
in a way that your Browser can generate a
session key for a transaction, and securely
send that to the merchant for use during the
transaction (padlock icon on screen closes to
indicate transmissions are encrypted).


9
2 X.509 Authentication Service (continued)

• Once a session key is established, no one
can ―high jack‖ the session (after your enter
your credit card information, an intruder can
not change the order and delivery address).
• User only needs a Browser that can
encrypt/decrypt with the appropriate
algorithm, and generate session keys.
• Merchant’s Certificate is available to the
public, only the secret key must be
protected. Certificates can be cancelled if
secret key is compromised.


9
3 VISA SET Steps in a Transaction
1. Customer opens account with card company or bank that supports SET
2. Bank issues X.509 certificate to Customer with RSA Public-Private Keys
3. Merchant has two certificates, one for signing messages and one for key
exchange
----
4. Customer places an order
5. The Merchant sends the customer a copy of his certificate
6. The Customer sends Order Information (OI), and Payment Information
(PI) encrypted so the Merchant can not read it
---
7. Merchant requests payment by sending PI to the ―Payment Gateway‖
(who can decrypt it) and verifies Customer’s credit is good
8. Merchant confirms the order to the Customer
9. Merchant ships goods to Customer
10. Merchant sends request for payment to the Payment Gateway which
handles transfer of funds


9
4 Why Is SET Not Happening? (but PayPal is)

But, Merchant must pay
Issuer gets
greatest benefit


9
5 Covert Channels

• Sending data in a way that network watchers
(sniffer, IDS, ..) will not be aware that data is
being transmitted.
• For IP Networks:
– Data hidden in the IP header
– Data hidden in ICMP Echo Request and
Response Packets
– Data tunneled through an SSH connection
– ―Port 80‖ Tunneling, (or DNS port 53 tunneling)
– In image files.


9
6 Packet Header Hiding: Normal Packet
20-64 bytes 20-64 bytes 0-65,488 bytes

IP Header TCP Header DATA

Dear Friend,
I am having a good
time at the beach.

TCP Source Port

TCP Destination Port

IP Source Address

IP Destination Address


9
7 NOTE: Long IP Packets Are Fragmented
20-64 bytes 20-64 bytes 0-65,488 bytes

IP Header TCP Header DATA

Dear Friend,
watching the waves
I am having a good
roll in.
time at the beach.

TCP Source Port
The
TCP
TCP Destination Port

Header
IP Source Address IP Source Address
is not
IP Destination Address IP Destination Address

IP Ident = x IP Ident = x repeated
More Fragments = True. More Fragments = False.


9
8 Other Convert Channel Tools

• SSH (SCP, FTP Tunneling, Telnet
Tunneling, X-Windows Tunneling, ...) - can
be set to operate on any port (<1024 usually
requires root privilege).
• Loki (ICMP Echo R/R, UDP 53)
• NT - Back Orifice (BO2K) plugin BOSOCK32
• Reverse WWW Shell Server - looks like a
HTTP client (browser). App headers mimic
HTTP GET and response commands.


9
9 Steganography

The hiding of a secret message within an
ordinary message so that no one suspects it
exists. Ideally, anyone scanning the data will
fail to know it contains encrypted data.
see http://www.jjtc.com/Steganography


1
0
0
Detecting Covert Channels
• A network IDS will detect a ―Ping Unbalance‖
- more Ping Responses than Requests
• Block all ICMP packets at firewall
• Signature-based IDS will detect known
rogue programs
• Port 53 Tunneling - Block inbound and
outbound TCP/UDP-53 packets at firewall
except to/from known internal DNS servers
• Port 80 Tunneling - look for long-lasting
flows to outside server, excess client-to-
server data flow


1
0
1
Detecting Covert Channels (continued)
• Port-profile violation
• Steganography - If Zombie, look for Port-
profile violation, or known hacker-site server.
• Monitor for new and unknown processes
• Check for new or unknown ports and
devices
• Know and understand all ―suid root‖ or
administrator programs
• If you don’t need an account - delete it!
• Check System logs


1
0
2
Middleware Security Policies and Software
• No Read Up (Simple Security Property): - a
subject can only read an object of less or
equal security level
• No write down (*-Property): - a subject can
only write to an object of greater or equal
security level (can not lower the security
classification of information by writing to an
object with a lower security level). You can
contribute information to a higher security
level report, but can not read the report
• Reference Monitor: - a way to enforce the
two rules above (security middleware)


Alice’s program has a Trojan Horse inside
1
0
3


Running Alice’s Program Reads Secret file
1
0
4


1
0
5
Reference Monitor Controls Access


1
0
6
Will Not Allow Secret Information Out


1
0
7
www.trustedsystems.com


1
0
8
Other Utilities to Scan for Security Holes

• Saint and Satan run exploits
– Saint - http://www.wwdsi.com/saint/
– Satan - http://www.fish.com/satan/
• www.ethereal.com protocol analyzer
• www.nessus.org/intro.html scanner
• naughty.monkey.org/~dugsong/dsniff/
• www.tripwire.com (has academic version)
• Public snmpwalk or Bay Networks nman
• Only download source format with a PGP (or
GPG) certificate that you can check
• www.iss.net makes popular commercial IDS


1
0
9
Some MS-Windows Considerations
• Standard install NOT Secure! Use few local
Accounts (only Administrator and Guest)
• Many undocumented and unchecked system
variables and functions
• SMB challenge-response and compatibility
system problems, especially ports 135-139
• All powerful Administrator account, and
completely open EVERYONE account
• Uses more secure microkernel technologies
and networking Redirectors
• Trusted Domain architectures similar to NIS,
but has not yet seen the same security


1
1
0
Some UNIX Considerations
• Berkley ―r‖ commands not a good idea,
routinely delete all .rhost files
• Issues with SUID utilities and anonymous
• SunRPC, NFS, YP, NIS designed with few
security mechanisms - naïve client / server
assumptions allows spoofing opportunities
• Open /etc/password file, use shadow file
• More mature OS = fewer system calls with
unchecked parameters and ACL (Access
Control Lists) now similar to NT
• All modern Unix’s enforce resource limits so
that programs can not over inflate its priority


1
1
1
Network Tunnels

• Modems
• VPNs – Virtual Private Networks
• Wireless Hubs – biggest threat today!


1 Anyone can convert their cube or office Ethernet jack into a
1
2 Wireless Hub (and add a public entry point into the Network)

“30 percent of all enterprises risk security breaches
because they've deployed 802.11b wireless local
area networks without proper security.”
- Gartner Inc.

Linksys Wireless
D-Link Wireless
SMC Wireless Cable/DSL Router
Router/Print
Cable/DSL $119
Server & Card
$129 Router $115


A vs. G ―fixed‖ Wireless 802.11 Technologies
1
1
3

• Up to 11Mbps (4- • Up to 54Mbps
5Mbps common)
• Very inexpensive • Only 10% premium
and simple, conflicts for five times the
with cordless bandwidth
phones / microwave
ovens, 100 – 300 ft
range, penetrates • 100-150 ft
most walls
• Growing public • Compatible with
access (2,000 802.11a
Starbucks in 2003)


1
1
4
Freeware WEP Cracking Tools

• Of 120 wireless systems located by the
Atlanta Journal, only 32 had activated the
included encryption protection and no
hardware used ―real‖ random numbers
• Adam Stubblefield was the first to
implement, but AirSnort and WEPCrack
are the first made publicly available
• AirSnort only needs approximately 5-10
million encrypted packets to guess the
encryption password in under a second
(http://airsnort.sourceforge.net)


1
1
5
WPA vs. WEP (vs. 802.1x) on WAP

• Wireless Access Point (WAP) is the bridge
• Weak WEP is the standard way to encrypt
• WPA adds Temporal Key Integrity Protocol
(TKIP); password MUST not be simple ones
• 802.1x is only about port access, usually
using a username/password challenge,
thus, should be used with WEP (or WPA)
• MAC filtering and SSID hiding don’t help
• Most networks unsecured (see USA Today
article and another about FBI presentation)


1
1
6
Network Stumbler Displays 802.11 Networks

―Wardriving‖
web site
maintains
data base of
all user
uploads


1
1
7
AiroPeek Maps Out Users

WEP uses the RC4 encryption algorithm (with 40
or 80 bit key), which is weak and inappropriate
(assumes packets arrive in order) to save CPU


1
1
8
AiroPeek Maps Out Users (continued)

Data sniffed off
the air from
non-WEP
session with
AiroPeek.


1
1
9
WEP Problems

• One start-up, AirDefense,
has catalogued
– 100 types of denial-of-service attacks jamming the
airwaves with noise to shut down wireless LANs
– 27 attacks to take over wireless LAN stations
– 490 probes to scan wireless LANs for weaknesses
– 190 ways to spoof media access control (MAC)
addresses and SSIDs to assume another’s identity
• Wireless LANs are a billion-dollar a year
business and growing fast, but NIST has
recommended against the govt. using them


1
2
0
Wireless Defense Best Efforts

• Enable highest encryption available (up to
256-bit), and upgrade firmware often
• Use WPA with a strong key, change often
• Change the default Admin password
• Turn off router with $5 lamp timer at night
• Often recommended but easy to bypass:
– Using MAC address filtering, also very
cumbersome for large corp. environments
– Changing the default SSID, re-changing
periodically, and turning off broadcasts


1
2
1
WEP Defense Efforts (continued)

• Purchase only 802.11 Hubs and PC
Cards that have flash memory and can
be field upgraded for new standards
• Treat wireless subnets like attachments
to the Web, isolated by Firewalls and
Intrusion Detection Systems (IDS)
• Move the transmitter inside buildings
and away from windows (most common)
• Use higher level security protocols


1
Process
Defense => Add Higher Process
2
2 Level Secure Protocols
Application Application

SSL SSL
Router
Transport Transport
Buffers Packets that Layer
Layer
need to be forwarded (TCP,UDP)
(TCP,UDP) (based on IP address).

Network Network
Layer (IP) Layer (IP)
Network Network
IPsec Layer Layer IPsec
802.11 802.11 Ethernet Ethernet
Link Layer Link Layer Data Link Layer Data-Link Layer

WEP WEP Ethernet Ethernet
802.11 802.11 Phys. Layer Phys. Layer
Phys. Layer Phys. Layer


Privacy – Cookies, Will You Allow Them?
1
2
3

• Piece of information that allows a Web site
to record one’s comings and goings
– Session and Permanent
• Cookies are Bad
– Advertising / Receiving and transmitting of
data (unknown and unencrypted)
– Europe is considering banning cookies
• Cookies are Good
– Passwords and login (encryption)


1
2
4
What is spamming?

• Spamming (from Monty Python reference)
– “the practice of indiscriminate distribution of
messages (for example junk mail) without
permission of the receiver and without
consideration for the messages’
appropriateness”
• Spamming’s negative impacts
– Spam has comprised 30% of all mail sent
on America Online
• slowing the Internet in general
• shutting ISPs down completely


1
2
5
Controlling Spamming

• Disable the relay feature on SMTP (mail)
servers so mail cannot be bounced off the
server
• Tell users not to validate their addresses by
answering spam requests for replies if they
want to be taken off mailing lists. Delete
spam and forget it— it’s a fact of life and not
worth wasting time over
• Software packages, e.g. www.getlost.com
and www.junkbusters.com


10-Minute Break…
1
2
6

Question:
What do you
get what you
cross an
instructor with
a spud?

Answer:
A Facili-Tator


1
2
7
Encryption Policy

• The 128-BIT Encryption Debate
– Export 128-bit encryption is 3X10 to the 26th
power times more difficult to decipher than
the preceding legally exportable technology.

Secure e-commerce Government‟s legal requirements
For the past 20 years Recent legislation
there was a limitation allows 128 bit in
on exported specific circumstances
encryption devices of thus paving the way for
56 bit codes the Compaq permit


Privacy – Legislation Examples
1
2
8

• Electronic Theft (NET) Act
– Imposed criminal liability for individuals who
reproduce or distribute copies of copyrighted work
• Digital Copyright Clarification and Technology
Education Act
– Limits the scope of digital copyright infringement
by allowing distance learning exemptions
• Online Copyright Liability Limitation Act
– Seeks to protect Internet access providers from
liability for direct and vicarious liability under
specific circumstances where they have no control
or knowledge of infringement


Clinton’s Intellectual Property Legacy
1
2
9

• Harassment of Phil Zimmerman (PGP)
• Intelligence Auth Act (IAA) of 1996
– Expands Foreign Intl Surveillance Court (FISC),
circumventing 1st, 4th, 5th, and 6th amendments
• Economic Espionage Act (EEA) of 1996
– Replaces most state and federal copyright laws
– Violates several international treaties
• Digital Millennium Copyright Act of 1998
– Makes anti-copying technology illegal – forbids
even some copying of public domain information
– Threatens free speech and the right of fair use


1
3
0
Now, The PATRIOT Act
• “Provide Appropriate Tools Required to
Intercept and Obstruct Terrorism”
• Anti-Terrorism Act (ATA), formerly known as
the Mobilization Against Terrorism Act
(MATA), was co-sponsored by Jon Kyl
• Stewart Baker (employed by NSA to block
unbreakable cryptography), "Don't look for a
dramatic increase in <new wiretaps>,
because the Bureau was performing such
surveillance years before the bill passed,
without Congress' explicit approval."
• Also frees the CIA to recruit unsavory
infiltrators (other terrorists) without restraint


1
3
1
Copyright Protection Techniques

• Digital Watermarks
– Embedding of invisible marks
– Can be represented by bits in digital content
– Hidden in the source data, becoming
inseparable from such data
• Digital Signatures
– Used to authenticate the identity of the sender of
a message or the signer of a document (not to
be confused with a digital certificate)
– Electronic Signatures in Global and National
Commerce Act (referred as the e-signature bill)


1
3
2
Electronic Contracts and Licenses

• Shrink-wrap agreements (or box top licenses)
– The user is bound to the license by opening the package
– This has been a point of contention for some time
– The court felt that more information would provide more
benefit to the consumer given the limited space available
on the exterior of the package
• Click-wrap contracts
– The software vendor offers to sell or license the use of
the software according to the terms accompanying the
software
– The buyer agrees to be bound by the terms based on
certain conduct


1
3
3
Biometrics Controls

• Photo of face (―Snooper‖ Bowl)
• Fingerprints (Laptops)
• Hand geometry
• Blood vessel pattern in the retina of eye
• Voice Recognition
• Signature
• Keystroke dynamics

All can be easily beaten!


1
3
4
Security Summary

• Segment and use ―real‖ firewalls with DMZ
• Remove databases from Internet
• Control VPN nodes and Fill wireless holes
• Keep IE and application patches and viral
definitions up to date (Update Expert)
• Improve network management (ManageX)
• Build Security Policy and Awareness
• Get involved in software development
• Check system / network logs and alerts


1
3
5
Security Summary (continued)

• Encrypt with 3DES or Rijndael
• Setup Kerberos, Radius, Directory Services,
and Window’s roaming profiles
• Verify good passwords
• Use host, signature, anomaly, and flow IDS
• Consider Monitor Middleware
• Regularly scan for security holes
• Don’t use default installation for Windows
• Review legal issues


1
3
6
Other Security Policy Items

• Use individual customer digital certificates
over SSL for all client data access
• Internet access only with hardware token
• Enforce utilizing ―strong‖ passwords and
every person having own account
• Strict limitation of Java applet functionality
• Applications not in root or nobody accounts
• Track Inventory and licenses (TrackIT)
• Use WebTrends Security Analyzer


Number one security issue still remains…
1
3
7

Use cross or dot (not strip)
shredder with good document
destruction procedures

• Targeted attack will mostly likely come
through your trash
– Everything there is in the ―public domain‖
– All your ―secrets‖ are out in the open


1
3
8
Risk Assessment and Management
• Part of the New Economy is a willingness to
take more risks - many companies, however,
work in a ―risk denial‖ mode: estimating and
planning as if all variables are known
• Get inputs from Software Development
Plans, QA Plans, and/or Technology Plans
• Identify and Prioritize exposed uncertainties
and risk factors
– Identify Risk Indicators (e.g. discussed security
issues or technology and project experience)
– Decide on avoidance, transfer, or acceptance


1
3
9
Risk Assessment Planning (continued)
• Recommend mitigation strategies for minimizing
the top 10 risks => ―Actions taken to reduce or
eliminate the detrimental impact of certain events.‖
– Build Prototypes and do tests modeling the workload
– Management tools, regular reviews, change control
– A project being late is an effect, not a risk
• Don’t forget alternatives and backup plans (do
nothing is always one approach)
• Each with varying risk approaches
– Decisions to Build or Buy Solutions (Can you imagine
this effort/product for sale?)
– Outsourcing and Technology Insurance can share the
risks of doing business


1
4
0
Information Gathering Methods

• Tools and methods to obtain information
about a subject (including the existing
systems) aka Fact Finding
– Interviews
– Questionnaires or surveys
– Workshops, Brainstorming, Storyboarding
– Reviewing Documentation
– Observation
– Measuring
– Prototyping and proofs of concept


1
4
1
Systems Analysis Means a Holistic Approach

Actively
Organizational learning to
Technology
better use the
best people,
Productivity practices, &
technology to
Key positively
People Process Areas of influence
Systems productivity.
Analysis

Present Functional
System Requirements


1
4
2
The Big Picture


1
4
3
The Risk Management Mindset
Identification Mitigation
2. “Java 2. Mitigation by
Project skills not Project avoidance: Use
Finish high Finish Visual Basic
enough.” (or by transfer:
Out source

Risk 2 Risk 2

Risk 1 Risk 1 1. mitigation
by conquest:
1. “May not be
Avoid / Delay, Demonstrate
image super-
possible to Transfer, imposition (or
superimpose by delay or by
images Project Accept, or Project
tolerance)
adequately.” Start Tolerate Start
Adapted from Software Engineering: An Object-Oriented Perspective by Eric J. Braude (Wiley 2001), with permission.


1
4
4
Investigation Includes Feasibility Analysis

Economic Organizational
Feasibility Feasibility
Can we afford it? Is it a good fit?

Technical Operational
Feasibility Feasibility
Does the Will it be accepted?
capability exist?


Accounting – Do benefits outweigh costs?
1
4
5

• Payback Analysis: how long will it take
(usually in years) to pay back
• Return on Investment (ROI): compares the
lifetime profitability of alternative solutions
• Net Present Value: determines the
profitability in terms of today’s dollar values.
This will require an estimated inflation and
discount rate (for industry/company)
• Currency conversion in business context
allows tracking in management’s language


1
4
6
Who is responsible for What?
• Chairman of the Board => To
protect and insure for continuity of
the corporation
• President => To protect and insure
for profitability of the corporation
• Managers => To maintain
information as a strategic asset of the corporation
• IS Security Manager => To insure written security
policies are developed, implemented and followed
• Users => Ultimate responsibility for accidental or
intentional destruction or disclosure


1
4
7
Security Policies
• ―Guidelines‖ if management support is weak
• Less effective if not applied consistently
• Assures proper implementation of controls
• Guides product selection and development
• Demonstrates management support
• Avoids liability and protects trade secrets
• Helps adapt to dynamic communications
• Coordinates the activities of groups
– Only software approved by IT, Passwords will
never be hard coded or written down, Users
must sign Responsibility/Liability documents


1
4
8
Physical Security

• Access to every office, computer room, and
work area must be restricted by need
• And, by an appropriate method: guard or
receptionist, key lock, card lock, etc.
• Use of physical firewalls and fire doors for
physical access security
• All multi-user or communication equipment
must be locked and cable kept in conduit
• Use of ID Badges
• Workers must never allow admittance to
someone not identified


1
4
9
Physical Security (continued)

• Propped open doors require a guard
• Sign-out sheets and bar code stickers for
tracking all equipment
• Fire Resistance materials, self-closing
openings, fire extinguishing for secure areas
• Example physical security systems inspector
guide:http://www.oa.doe.gov/guidedocs/000
9pssig/0009pssig.html


1
5
0
Other Physical Security Issues
• Limited access to letter head, Check Stock,
employee lists, and other forms
• No Smoking, Eating, and Drinking in the
Computer Room, not be an access site
• Access to Software Installation Media
• Three or more officers, or five or more
employees, must not take the same airplane
• Decide areas where electronic monitoring of
workers will and will not be used
• ―Clean Desk‖ Policy and Storage of Laptops
• Positioning and moving computer screens
away from windows and close blinds


1
5
1
Other Physical Security Issues (continued)
• Sensitive data not stored on local drives
• Approved methods for the storage and
destruction of discarded hardcopies
• Can disk drives be returned to
manufacturers under maintenance?
• White boards must be erased after meetings
• No signs indicating computer room location
• Location of facilities will be in-town and away
from natural and man-made hazards
• Background checks or escorts for anyone
being granted physical access


1
5
2
Awareness Raising Methods
• Change the log-on banner or log-in screen
• New Employee packet with security policy
• Ticket warnings reflecting policy violations
• Conduct audits and vulnerability demos
• Adopt an Annual Information Security Day
• Add security questions to reviews
• Purchase Security CBT and log when run
• Regular emails concerning current security
issues, virus warnings, etc
• Post Security Policy on company Intranet
• Survey middle and upper managers


1
5
3
Tiger Team Best Practices (without panic)
• Protection, Detections, and Reaction (PDR)
• Computer Incident Response Team (CIRT)
includes both technicians and management
• Clear procedures for activating the team
– Different incidents may require different people
• What can be done while they’re on their way?
– Do Install Plans have back out plans
(capacity is a security issue)?
– Automated shutdown for containment subnetting
– Heighten automatic monitoring
• Determine nature and scope of incident
– Intrusion-logs, check modifications, monitor
network / systems, coordinate with remote sites


1
5
4
Tiger Team Best Practices (continued)
• Produce, Approve, and Implement an
Emergency Response Plan
– E.G. backup systems, undo modifications
found, and rebuild secure network
• Increase security perimeter defenses,
monitoring, and awareness
• Non-technical issues: Public image, legal
actions, customer relations, and reporting
• Attack and penetration assessments
– Identify Achilles heels and potential costs
– Assess Risk Level of each system/subnet
– Setup Automated and Manual scanning


1
5
5
Vulnerability Report should include:

• Tracking Information
• Identification of the affected products,
vendors, and partners
• Initial impact assessment
• Description of recommended test environment
• Technical description
• Possible exploitation details
• Initial work-around, if possible
• Contact information


1
5
6
Response Team Performance Delay Metrics
a. From discovery to
verification
b. From verification
to reporting
c. From reporting to
acknowledgement
d. From reporting to
patch release
e. From reporting to
advisory release
f. Total = (a+b) +
max (d, e)


1
5
7
Issues to Settle by Launch
• Process to be used
• Security goals
• Manner of tracking security goals
• How team will make decisions
• What to do if security goals not attained
– fallback positions
• What to do if plan not approved
– fallback positions
• Define team roles
• Assign team roles


1
5
8
Distributed versus Centralized Systems

A distributed system is one in which the
DATA, PROCESS, and INTERFACE
components of an information system are
distributed to multiple locations in a computer
network. Accordingly, the processing workload
is distributed across the network.

In centralized systems, a central, multi-user
computer hosts all the DATA, PROCESS, and
INTERFACE components of an information
system. Users interact with the system via
terminals (or terminal emulators).


1
5
9
Flavors of Distributed Computing


Client/Server Architecture – The Clients
1
6
0

A client/server system is a solution in which the
presentation, presentation logic, application logic,
data manipulation, and data layers are distributed
between client PCs and one or more servers.
A thin client is a A fat client is a personal
personal computer that computer or workstation
does not have to be very that is typically more
powerful (or expensive) powerful (and expensive)
in terms of processor in terms of processor
speed and memory speed, memory, and
because it only presents storage capacity. Most
the user interface. PCs are fat clients.


1
6
1
Multi-Tier Architecture = Better Security/Perf
• A database server hosts one or more shared
databases and executes all data manipulation.
• A transaction server hosts services that ultimately
ensure that all database updates for a single
transaction succeed or fail as a whole.
• An application server hosts the application or
business logic and services for an IT system.
• A messaging or groupware server hosts
services for e-mail, calendaring, etc.
• A web server hosts Internet or intranet web sites
and services, communicating through thin-client
interfaces such as web browsers.


1
6
2
On-Line Transaction Processing (OLTP)

• File, Database, Record, Field … Then …
• What is Transaction Processing?
• Audit Trails, Backup and Recovery
• Data entry validation
• Interactive, Real-time, and Batch
• Applications
– Inventory Control
– Payroll
– General Ledger
– Financial, Marketing, Manufacturing, HR, ERP

Networking Strategies

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (7)

Similar a Networking Strategies

Similar a Networking Strategies (20)

Más de Jim Maginnis, MBA

Más de Jim Maginnis, MBA (9)

Último

Último (20)

Networking Strategies