Information security advanced
- 2. Agenda
• Session Hijacking
– Attack
– SYN flood
– Sequence predictability
– Internet Control Message Protocol (ICMP)
• Firewalls
– The Demilitarized Zone (DMZ)
• E-Mail Security
– Email Communication
– Risks and Problems
Report | A. Jamil Alagha ©2013
- 3. Session Hijacking
• Used against services with persistent login sessions, such as Telnet, rlogin, or FTP.
• Can cause a great deal of damage.
- 5. SYN Flood Attack - 1
• Uses a TCP connection request (SYN).
• The SYN is sent to the target computer with the source IP address in the packet "spoofed": either replaced with an address that is not in use on the Internet, or with one that belongs to another computer.
- 6. SYN Flood Attack - 2
• When the target computer receives the connection request:
– It allocates resources (memory plus a wait timer) to handle and track the new connection.
– A SYN_RECEIVED state is stored in a buffer, awaiting the return response (ACK) from the initiating computer that would complete the three-way handshake.
– It then sends out a SYN-ACK.
• If the SYN-ACK is sent to the "spoofed", nonexistent IP address, there will never be a response.
• If the SYN-ACK is sent to a real computer, that computer checks whether it has a SYN in its buffer for that IP address; because it does not, it ignores the request.
• The target computer retransmits the SYN-ACK a number of times.
• After a finite amount of wait time, the original SYN request is purged from the buffer of the target computer.
• This condition is known as a half-open socket.
- 7. SYN Flood Attack - 3
• As an example, the default configuration for a Windows NT 3.5x or 4.0 computer is to retransmit the SYN-ACK five times, doubling the timeout value after each retransmission.
– The initial timeout value is 3 seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds.
– After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response and deallocates the resources that were set aside earlier for the connection.
– The total elapsed time that resources are in use is 189 seconds.
• ASS: what about Linux
- 9. SYN Flood Attack - 4
• An attacker will send many of these TCP SYNs to tie up as many resources as possible on the target computer.
• Because the buffer for the storage of SYNs is of finite size, numerous attempts can overflow that buffer.
• The effect of tying up connection resources varies, depending on the TCP/IP stack and the applications listening on the TCP port.
– For most stacks, there is a limit on the number of connections that can be in the half-open SYN_RECEIVED state.
– Once the limit is reached for a given TCP port, the target computer responds with a reset to all further connection requests until resources are freed.
– Using this method, an attacker can cause a DoS on several ports.
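The timeline on slide 7 and the per-port limit on slide 9 together determine how quickly a SYN buffer fills. The following added example (not from the original slides) generalizes the Windows NT figures to any initial timeout and retry count and applies Little's law to the backlog; the SYN rate and the 128-entry backlog limit in the sample run are constructed placeholders, not documented defaults.

```python
"""Model the SYN-ACK retransmission timeline the slides describe and what it
means for the half-open (SYN_RECEIVED) backlog.

Added example, not from the original slides. It generalizes the Windows NT
figures on slide 7 (initial timeout 3 s, five retransmissions, timeout
doubling) to any initial timeout and retry count; the SYN rate and backlog
limit used in the sample run are constructed values, not documented defaults."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SynAckSchedule:
    intervals: tuple   # seconds waited before each SYN-ACK retransmission
    final_wait: int    # seconds waited after the last retransmission
    hold_time: int     # total seconds the half-open entry occupies the SYN buffer


def synack_schedule(initial_timeout=3, retries=5):
    """Timeline for a stack that doubles the timeout after every retransmission.
    With the slide's defaults: retries after 3, 6, 12, 24 and 48 s, a final wait
    of 96 s, and 189 s in total before the entry is purged."""
    intervals = []
    timeout = initial_timeout
    for _ in range(retries):
        intervals.append(timeout)
        timeout *= 2
    final_wait = timeout                 # one more doubled timeout, then give up
    hold_time = sum(intervals) + final_wait
    return SynAckSchedule(tuple(intervals), final_wait, hold_time)


def steady_state_half_open(syn_rate_per_s, hold_time_s, backlog_limit):
    """Little's law: entries held in the backlog = arrival rate x hold time,
    capped at the per-port limit. Returns (occupied_entries, exhausted)."""
    occupied = min(syn_rate_per_s * hold_time_s, backlog_limit)
    return occupied, occupied >= backlog_limit


if __name__ == "__main__":
    # Constructed scenario: a backlog of 128 entries (placeholder, not a
    # documented default) under a trickle of 1 unanswered SYN per second.
    for retries in (5, 3):
        sched = synack_schedule(3, retries)
        occupied, exhausted = steady_state_half_open(1.0, sched.hold_time, 128)
        print(f"{retries} retries: hold {sched.hold_time}s, "
              f"{occupied:.0f}/128 entries busy, exhausted={exhausted}")
```

The second run in the sample (three retries, 45 s hold time) shows why shortening the retransmission schedule is one of the mitigations: the same SYN rate then occupies about a third of the backlog instead of all of it.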
- 10. SYN Flood Attack - 5
• Finding the source of a SYN flood attack can be very difficult.
• A network analyzer can be used to try to track down the problem, and it may be necessary to contact the ISP for assistance in attempting to trace the source.
• Firewalls should be set up to reject packets from the external network that carry any IP address from the internal network.
- 11. Sequence Predictability
• The ability to guess sequence numbers is very useful to intruders, because they can create a short-lived connection to a host without having to see the reply packets.
• This ability, taken in combination with the fact that many hosts have trust relationships that use IP addresses as authentication, that packets are easily spoofed, and that individuals can mount DoS attacks, means one can impersonate the trusted systems to break into such machines without using source routing.
- 12. Sequence Predictability
• If an intruder wants to spoof a connection between two computers so that the connection seems to come from computer B to computer A, using the intruder's computer C, it works like this:
1. The intruder uses computer C to mount a SYN flood attack on the ports on computer B where the impersonation will take place.
2. Computer C sends a normal SYN to a port on computer A.
3. Computer A returns a SYN-ACK to computer C containing computer A's current Initial Sequence Number (ISN).
- 13. Sequence Predictability
4. Computer A internally increments the ISN.
– This incrementation is done differently in different operating systems (OSs).
» Operating systems such as BSD, HPUX, Irix, SunOS (not Solaris), and others usually increment by $FA00 for each connection and double each second.
– With this information, the intruder can now guess the ISN that computer A will pick for the next connection.
5. Now comes the spoof. Computer C sends a SYN to computer A using the source IP spoofed as computer B.
6. Computer A sends a SYN-ACK back to computer B, containing the ISN.
» The intruder on computer C does not see this, but the intruder has guessed the ISN.
- 14. Sequence Predictability
7. At this point, computer B would respond to computer A with an RST.
– This occurs because computer B does not have a SYN_RECEIVED from computer A.
– Since the intruder used a SYN flood attack on computer B, it will not respond.
8. The intruder on computer C sends an ACK to computer A, using the source IP spoofed as computer B, containing the guessed ISN+1.
– If the guess was correct, computer A now thinks there has been a successful three-way handshake and the TCP connection between computer A and computer B is fully set up.
9. Now the spoof is complete. The intruder on computer C can do anything, but blindly.
10. Computer C sends "echo + + >>/.rhosts" to port 514 on computer A. If root on computer A had computer B in its /.rhosts file, the intruder has root.
- 15. Sequence Predictability
11. Computer C now sends a FIN to computer A.
– It could be brutal and send an RST to computer A just to clean things up.
– It could also send an RST to the SYN-flooded port on B, leaving no traces.
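The attack in slides 11 to 15 only works against a host whose ISNs are guessable, so the useful defender-side check is to record the ISNs a host hands out on successive connections (the SYN-ACK of step 3) and classify them. The added example below is not from the original slides; all ISN samples are constructed (one host stepping by the slide's $FA00, one with small jitter, one drawing random 32-bit values), and the 2^16 threshold for "low-entropy" is an assumption chosen for illustration.

```python
"""Audit a host's TCP Initial Sequence Numbers (ISNs) for predictability.

Added example, not from the original slides. A defender records the ISN the
server puts in its SYN-ACK on a few successive legitimate connections (step 3
on slide 12) and classifies how guessable the next one would be. All ISN
samples below are constructed, not captured from any real host."""
import random
import statistics

SEQ_SPACE = 2 ** 32       # TCP sequence numbers are 32 bits and wrap
SLIDE_STEP = 0xFA00       # the per-connection increment quoted on slide 13


def isn_deltas(isns):
    """Differences between successive ISNs, modulo 2^32."""
    return [(later - earlier) % SEQ_SPACE for earlier, later in zip(isns, isns[1:])]


def classify_isns(isns):
    """'constant-increment': every delta is identical, so the next ISN is the
    last one plus that delta (the slide's BSD/SunOS case).
    'low-entropy': deltas vary, but within a narrow band (standard deviation
    under 2^16, an assumed threshold), so few guesses would cover the next ISN.
    'random': deltas are spread across the sequence space."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    if len(set(deltas)) == 1:
        return "constant-increment"
    if statistics.pstdev(deltas) < 2 ** 16:
        return "low-entropy"
    return "random"


# Constructed samples.
LEGACY_HOST = [(0x1000 + i * SLIDE_STEP) % SEQ_SPACE for i in range(6)]
_JITTER = [0, 137, 42, 900, 311, 5]                      # small fixed perturbations
JITTERED_HOST = [(0x1000 + i * SLIDE_STEP + j) % SEQ_SPACE for i, j in enumerate(_JITTER)]
_rng = random.Random(7)                                   # seeded so the run is repeatable
RANDOM_HOST = [_rng.getrandbits(32) for _ in range(6)]


def audit_all():
    """Classify the three constructed hosts; returns {name: verdict}."""
    return {name: classify_isns(isns) for name, isns in
            [("legacy", LEGACY_HOST), ("jittered", JITTERED_HOST), ("random", RANDOM_HOST)]}


if __name__ == "__main__":
    for host, verdict in audit_all().items():
        print(f"{host:>9}: {verdict}")
```

Any host that comes back as constant-increment or low-entropy is one where the IP-address trust relationships the slides discuss (rhosts, hosts.equiv) cannot be relied on, and those trusts should be removed or replaced before the ISN generator is.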
- 16. SYN flood + sequence predictability
• To prevent such attacks:
– Prevent SYN flood attacks by discarding the first SYN packet (this causes a delay for legitimate users).
– Routers and firewalls should NEVER trust anything from the Internet.
– Routers and firewalls should filter out any packets coming from the external (sometimes known as the red) side of the firewall that have the IP address of a computer on the internal (sometimes known as the blue) side.
» This only stops Internet trust exploits; it will not stop spoofs that build on intranet trusts.
– Companies should avoid using rhosts files wherever possible.
» The /etc/hosts.equiv and .rhosts files provide the "remote authentication" database for rlogin, rsh, and rcp.
» The files specify remote hosts and users that are considered "trusted".
» Trusted users are allowed to access the local system without supplying a password.
» The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories.
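The filtering rule on slides 10 and 16 (drop anything arriving from the red side that claims a blue-side source address) is simple to state as code. The example below is added here and is not from the original slides: the interface names, internal prefixes and sample packets are constructed. It goes one step beyond the slides by also filtering the egress direction (internal packets with a foreign source address), and its last sample packet shows the caveat the slide states, a spoof that stays inside the blue side is not caught.

```python
"""Anti-spoofing packet filter at the firewall: reject packets arriving on
the external (red) side whose source address belongs to the internal (blue)
network, as slides 10 and 16 recommend.

Added example, not from the original slides. The internal prefixes, interface
names and sample packets are constructed. The egress check is an addition
beyond the slides."""
import ipaddress

# Constructed: the address space on the blue (internal) side of the firewall.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.1.0/24")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def filter_packet(iface, src, dst):
    """Decide one packet. iface is 'red' (faces the Internet) or 'blue'
    (faces the intranet). Returns 'accept' or a 'drop: reason' string."""
    if iface == "red" and is_internal(src):
        return "drop: external packet claims an internal source address"
    if iface == "blue" and not is_internal(src):
        return "drop: internal packet with a non-internal source address"
    return "accept"


# Constructed sample packets: (interface, source, destination).
SAMPLE_PACKETS = [
    ("red", "203.0.113.9", "10.0.0.5"),        # ordinary inbound traffic
    ("red", "10.0.0.7", "10.0.0.5"),           # spoof: Internet trust exploit
    ("blue", "10.0.0.5", "203.0.113.9"),       # ordinary outbound traffic
    ("blue", "203.0.113.9", "198.51.100.1"),   # internal host spoofing a foreign address
    ("blue", "10.0.0.7", "10.0.0.5"),          # intranet trust spoof: passes the filter
]


def run_samples(packets=SAMPLE_PACKETS):
    """Verdict for each sample packet, in order."""
    return [filter_packet(*pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(pkt, "->", verdict)
```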
- 17. Internet Control Message Protocol (ICMP)
• ICMP is a major component of the TCP/IP Internet Layer.
• It is used for flow control, detecting unreachable destinations, redirecting routes, and checking remote hosts.
• The function most users are interested in is checking a remote host, which is accomplished by sending an ICMP Echo Message (PING).
- 18. ICMP
• When a system receives an ICMP Echo Message, it places the message in a buffer and then retransmits the message from the buffer back to the source.
– Due to the buffer size, the ICMP Echo Message size cannot exceed 64K.
• UNIX hosts, by default, will send an ICMP Echo Message that is 64 bytes long; they will not allow a message of over 64K.
• On Microsoft Windows NT, longer messages can be sent; the Windows NT hosts do not place an upper limit on these messages.
– Intruders have been sending messages of 1 MB and larger.
– When these messages are received, they cause a buffer overflow on the target host.
• Different operating systems will react differently to this buffer overflow; the reactions range from rebooting to a total system crash.
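An oversized echo only reaches the receiver's buffer as a series of IP fragments, so the place to stop it is the reassembly step: a receiver can compute the size the fragments claim before copying any of them. The example below is added here and is not from the original slides; fragment records are constructed as (offset in 8-byte units, payload bytes, more-fragments flag), the layout of the IPv4 fragmentation fields, and the 64K limit on the slide is taken as the 65535-byte maximum of the IPv4 total-length field.

```python
"""Check whether IP fragments of an ICMP Echo would reassemble into a datagram
larger than the 64K limit slide 18 describes, so the receiver can drop it
instead of overflowing its reassembly buffer.

Added example, not from the original slides. Fragment records are constructed
as (offset in 8-byte units, payload bytes, more-fragments flag)."""
IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535          # IPv4 total length is a 16-bit field


def build_fragments(payload_len, per_fragment=1480):
    """Split an IP payload of payload_len bytes into fragments the way a sender
    on a 1500-byte MTU link would (1480 = 1500 minus the 20-byte header)."""
    if per_fragment % 8:
        raise ValueError("fragment payloads must be multiples of 8 bytes")
    frags, off = [], 0
    while off < payload_len:
        length = min(per_fragment, payload_len - off)
        more = off + length < payload_len
        frags.append((off // 8, length, more))
        off += length
    return frags


def reassembled_total(fragments):
    """Total length (header included) the datagram would have after reassembly."""
    return IP_HEADER_LEN + max(off * 8 + length for off, length, _ in fragments)


def check_fragments(fragments):
    """Return 'accept' or a 'drop: reason' string. Rejects a datagram that would
    exceed 65535 bytes, and one whose final fragment (MF=0) does not end where
    the data ends, a sign of overlapping or forged offsets."""
    total = reassembled_total(fragments)
    if total > MAX_DATAGRAM:
        return (f"drop: reassembled datagram would be {total} bytes, "
                f"over the {MAX_DATAGRAM}-byte limit")
    last = [off * 8 + length for off, length, more in fragments if not more]
    if len(last) != 1 or last[0] != total - IP_HEADER_LEN:
        return "drop: final fragment missing or inconsistent with the data end"
    return "accept"


if __name__ == "__main__":
    # Constructed: a default UNIX ping (8-byte ICMP header + 64 bytes of data)
    # and an oversized echo carrying 65520 bytes of IP payload.
    for payload in (72, 65520):
        frags = build_fragments(payload)
        print(f"{payload:>6}-byte payload in {len(frags):>2} fragments: {check_fragments(frags)}")
```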
- 19. Firewalls
• The first line of defense between the Internet and an intranet.
• A multi-homed host placed in the Internet route, such that it stops and can make decisions about each packet that wants to get through.
• A firewall performs a different function from a router.
– A router can be used to filter out certain packets that meet a specific criterion (e.g., an IP address); it processes the packets up through the IP Layer.
– A firewall stops all packets; all packets are processed up through the Application Layer.
– Routers cannot perform all the functions of a firewall.
- 20. Firewalls
• A firewall should meet at least the following criteria:
– For an internal or external host to connect to the other network, it must log in on the firewall host.
– All electronic mail is sent to the firewall, which in turn distributes it.
– Only required users should have accounts on the firewall host.
• A firewall should not:
– mount file systems via NFS, nor should any of its file systems be mounted.
– run NIS (Network Information Systems).
– trust any other host.
- 21. The Demilitarized Zone - DMZ
• Companies want an Internet presence: FTP and WWW sites.
• They also set up hosts to act as a proxy server for Internet mail and as a Domain Name Server (DNS).
• The host that sponsors these functions cannot be on the inside of the firewall.
• Therefore, create a demilitarized zone (DMZ) or perimeter network: a segment between the router that connects to the Internet and the firewall.
- 22. Proxy Servers – a One Image
• A proxy host is a dual-homed host: it has at least two network interfaces.
- 23. Proxy Servers – a One Image
• A proxy host
– is a dual-homed host: it has at least two network interfaces.
– is dedicated to a particular service or set of services, such as mail.
– All external requests to that service directed toward the internal network are routed to the proxy.
– The proxy host then evaluates the request and either passes the request on to the internal service server or discards it.
– The reverse is also true: internal requests are passed to the proxy from the service server before they are passed on to the Internet.
• One of the functions is to protect the company from advertising its internal network scheme.
– Most proxy software packages contain network address translation (NAT).
– Take, for example, a mail server.
» The mail from Albert_Smith@starwars.abc.com would be translated to smith@proxy.abc.com as it went out to the Internet.
» Mail sent to smith@proxy.abc.com would be sent to the mail proxy.
» There it would be readdressed to Albert_Smith@starwars.abc.com and sent to the internal mail server for final delivery.
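The address translation in the slide's mail example can be shown end to end: outbound headers get the proxy address, inbound headers get mapped back, and an internal address with no table entry is refused rather than leaked. The example below is added here and is not any proxy product's code; the translation table, domain names and messages are constructed from the slide's example.

```python
"""Address translation at a mail proxy, as on slide 23: internal addresses are
rewritten to proxy addresses on the way out and mapped back on the way in,
so the internal host naming scheme is never advertised.

Added example, not any proxy product's code. The address table, domain names
and messages are constructed from the slide's example."""
import re

# Constructed translation table: internal address -> externally visible address.
ADDRESS_MAP = {"Albert_Smith@starwars.abc.com": "smith@proxy.abc.com"}
REVERSE_MAP = {ext: internal for internal, ext in ADDRESS_MAP.items()}
INTERNAL_SUFFIX = ".abc.com"        # any host below this is internal
PROXY_HOST = "proxy.abc.com"
ADDRESS_HEADER = re.compile(r"^(From|To|Cc|Reply-To):\s*(\S+)\s*$", re.I)


def translate(addr, direction):
    """Map one address. Outbound: internal -> proxy; an internal address that
    is not in the table is refused rather than leaked. Inbound: proxy ->
    internal; an external correspondent's address is left untouched."""
    if direction == "outbound":
        if addr in ADDRESS_MAP:
            return ADDRESS_MAP[addr]
        host = addr.rsplit("@", 1)[-1].lower()
        if host.endswith(INTERNAL_SUFFIX) and host != PROXY_HOST:
            raise ValueError(f"would leak internal address {addr}")
        return addr
    if direction == "inbound":
        return REVERSE_MAP.get(addr, addr)
    raise ValueError(f"unknown direction {direction!r}")


def would_leak(addr):
    """True if sending this address out unmodified would expose an internal host."""
    try:
        translate(addr, "outbound")
        return False
    except ValueError:
        return True


def rewrite_message(message, direction):
    """Rewrite the address headers of an RFC 822 message; the body (after the
    first blank line) is passed through unchanged."""
    out, in_headers = [], True
    for line in message.split("\n"):
        m = ADDRESS_HEADER.match(line) if in_headers else None
        if in_headers and line == "":
            in_headers = False
        if m:
            field, addr = m.groups()
            out.append(f"{field}: {translate(addr, direction)}")
        else:
            out.append(line)
    return "\n".join(out)


# Constructed messages.
OUTBOUND = "From: Albert_Smith@starwars.abc.com\nTo: bob@example.org\nSubject: hi\n\nHello Bob"
INBOUND = "From: bob@example.org\nTo: smith@proxy.abc.com\nSubject: re: hi\n\nHello Albert"

if __name__ == "__main__":
    print(rewrite_message(OUTBOUND, "outbound"))
    print("---")
    print(rewrite_message(INBOUND, "inbound"))
```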
- 24. Testing the Perimeter
• Using the Internet means taking risks, and those risks need to be recognized.
• The Internet and intranets change: new protocols, new applications, and new technologies.
• A company's security practices have to adapt to these changes.
– The security process should be viewed as forming a circle.
– The first step is to assess the current state of security within one's intranet and along the perimeter.
– Once one understands where one is, then one can deploy a security solution.
– If you do not monitor that solution by enabling some detection and devising a response plan, the solution is useless.
- 25. Testing the Perimeter
• The assessment process may be repeated:
– the solution is monitored and tested,
– further weaknesses are learned and dealt with,
– continuous improvement ensures protection.
• As part of the process, a company must perform some sort of vulnerability checking on a regular basis.
– This can be done by the company, or it may choose to have an independent group do the testing.
• The company's security policy should state how the firewall and the other hosts in the DMZ are to be configured.
– The configuration is to be validated and then periodically checked to ensure that it has not changed.
– Testing may find additional weaknesses, in which case the policy needs to be changed.
• Security = updated technology + clear policy (outlining the procedures)
- 26. Testing the Perimeter
• DNS records are one source of information.
• Two basic DNS services:
– Lookup activities are used to resolve IP addresses into host names or to do the reverse.
– A zone transfer happens when one DNS server (a secondary server) asks another DNS server (the primary server) for all the information that it knows about a particular part of the DNS tree (a zone).
» Zone transfers should only happen between DNS servers that are supposed to be providing the same information.
» Users can also request a zone transfer.
- 27. Testing the Perimeter
• A good security policy is to disallow zone transfers on external DNS servers.
– A zone transfer is accomplished using the nslookup command in interactive mode.
– It can be used to check for information leaks.
– This procedure can show hosts, their IP addresses, and operating systems.
– This information can be used by an intruder to attack or spoof other hosts.
– If disallowing zone transfers is not operationally possible, as a general rule, DNS servers outside of the firewall (on the red side) should not list hosts within the firewall (on the blue side).
» Listing internal hosts only helps intruders gain network mapping information and gives them an idea of the internal IP addressing scheme.
- 28. Testing the Perimeter
• In addition to trying to do a zone transfer, the DNS records should be checked to ensure that they are correct and that they have not changed.
• Domain Information Groper (DIG) is a flexible command-line tool that is used to gather information from the DNS servers.
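Slides 27 and 28 ask for two checks on the external zone: that it lists no internal hosts, and that its records have not drifted from what the policy approved. Both can be run offline against the zone text that dig or a zone transfer returned. The example below is added here and is not from the original slides nor a wrapper around dig or nslookup; the zone text, the baseline, the domain names and the addresses are constructed sample data in zone-file style.

```python
"""Audit the external (red-side) DNS zone for the two problems slides 27 and
28 raise: records that advertise internal hosts, and records that changed
relative to the approved baseline.

Added example, not from the original slides and not a wrapper around dig or
nslookup: the zone text and the baseline are constructed sample data in
zone-file style, and the domain names and addresses are placeholders."""
import ipaddress

# RFC 1918 space plus loopback, checked explicitly: ipaddress's is_private
# also flags documentation ranges such as 203.0.113.0/24, which are used here
# as stand-ins for public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_zone(text):
    """Parse 'name [ttl] IN type rdata' lines into a set of (name, type, rdata).
    Comments after ';' and blank lines are ignored."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) > 1 and parts[1].isdigit():      # optional TTL column
            del parts[1]
        if len(parts) < 4 or parts[1].upper() != "IN":
            raise ValueError(f"unparseable record: {raw!r}")
        records.add((parts[0].lower(), parts[2].upper(), " ".join(parts[3:])))
    return records


def find_internal_leaks(records):
    """A/AAAA records whose address lies in internal space."""
    return sorted((n, t, r) for n, t, r in records
                  if t in ("A", "AAAA")
                  and any(ipaddress.ip_address(r) in net for net in INTERNAL_NETS))


def find_drift(baseline, current):
    """Records that appeared or disappeared since the baseline was approved."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


# Constructed: the approved baseline and the zone as currently served.
BASELINE_ZONE = """
; approved external view of abc.com
@        3600 IN SOA ns1.abc.com. hostmaster.abc.com. 2013010101 3600 900 604800 300
@        3600 IN NS  ns1.abc.com.
@        3600 IN MX  10 proxy.abc.com.
ns1      3600 IN A   203.0.113.2
www      3600 IN A   203.0.113.11
proxy    3600 IN A   203.0.113.25
"""
CURRENT_ZONE = """
@        3600 IN SOA ns1.abc.com. hostmaster.abc.com. 2013010101 3600 900 604800 300
@        3600 IN NS  ns1.abc.com.
@        3600 IN MX  10 proxy.abc.com.
ns1      3600 IN A   203.0.113.2
www      3600 IN A   203.0.113.10        ; changed without a policy update
proxy    3600 IN A   203.0.113.25
starwars 3600 IN A   10.1.2.3            ; internal mail host published by mistake
"""


def audit():
    """Leaks in the current zone plus drift against the baseline."""
    baseline, current = parse_zone(BASELINE_ZONE), parse_zone(CURRENT_ZONE)
    return {"leaks": find_internal_leaks(current), **find_drift(baseline, current)}


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```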
- 29. Testing the Perimeter
• The ping command has the ability to determine the status of a remote host using the ICMP Echo Message.
– If a host is running and is reachable by the message, the PING program will return an "alive" message.
– If a host is not reachable and the host name can be resolved by DNS, the program returns a "host not responding" message; otherwise, an "unknown host" message is obtained.
• An intruder can use the PING program to set up a "war dialer".
– A war dialer (wardialing) is a program that systematically goes through the IP addresses one after another, looking for "alive" or "not responding" hosts.
• To prevent intruders from mapping internal networks, the firewall should screen out ICMP messages.
– This can be done by not allowing ICMP messages to go through to the internal network or go out from the internal network.
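Where ICMP cannot be blocked outright, the sweep the slide describes is still visible in the firewall log as one external source sending echo requests to many distinct internal addresses in a short time. The following detection logic is an added example, not from the original slides; the log format and every line in it are constructed (a real firewall logs in its own format, so the regular expression would be adapted), and the five-host, 60-second thresholds are assumptions.

```python
"""Detect ICMP echo sweeps (the slide's 'war dialer' over IP addresses) in
firewall log lines: one external source probing many distinct internal
hosts within a short window.

Added example, not from the original slides. The log format and all lines are
constructed; the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+) (ACCEPT|DROP) ICMP (\S+) -> (\S+) type=(\d+)$")


def parse_line(line):
    """One constructed log line -> dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, icmp_type = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst, "type": int(icmp_type)}


def detect_sweeps(lines, min_hosts=5, window_seconds=60):
    """Return [(source, distinct_targets)] for sources whose echo requests
    (ICMP type 8) reached at least min_hosts distinct destinations inside
    any window_seconds-long span."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["type"] == 8:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):          # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_hosts:
            alerts.append((src, best))
    return alerts


# Constructed log: a sweep of 192.168.1.1-8 in 8 seconds, a legitimate ping
# repeated to one host, and a slow source touching 6 hosts over ten minutes.
SAMPLE_LOG = (
    [f"2013-03-01T10:00:{i:02d} DROP ICMP 198.51.100.7 -> 192.168.1.{i} type=8" for i in range(1, 9)]
    + [f"2013-03-01T10:05:{i:02d} ACCEPT ICMP 203.0.113.5 -> 192.168.1.10 type=8" for i in range(3)]
    + [f"2013-03-01T11:{2 * i:02d}:00 DROP ICMP 203.0.113.77 -> 192.168.1.{20 + i} type=8" for i in range(6)]
    + ["2013-03-01T10:00:09 ACCEPT ICMP 192.168.1.10 -> 203.0.113.5 type=0"]   # echo reply, ignored
)

if __name__ == "__main__":
    for src, n in detect_sweeps(SAMPLE_LOG):
        print(f"sweep from {src}: {n} internal hosts probed")
```

With the default 60-second window only the fast sweep is reported; widening the window to fifteen minutes also catches the slow source, which is the usual trade-off between sensitivity and false positives for this kind of rule.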
- 30. Testing the Perimeter
• The traceroute program
– is useful for network debugging.
– can be used to test the corporate perimeter (network components).
– is used to check the "time-to-live" (ttl) parameter and routes.
• Checking the various hops not only shows the routes, but it can show possible problems that may give an intruder information or leads.
• How it works:
– It sends a series of three UDP packets, each with the same ttl; as the ttl expires, the host where it expired sends an ICMP packet back to the originating host carrying its IP address.
– Each successive round uses a longer ttl.
– By continuing to send longer ttls, traceroute pieces together the successive hops.
• This information might show a place where an intruder might successfully launch an attack; these are hops that could be used by intruders to create DoSs.
• Duplicate entries for successive hops are indications of bugs in the kernel of that gateway or of looping within the routing table.
- 31. Testing the Perimeter
• An important aspect of firewall and proxy server testing is checking the open ports and services available.
• Tools:
– the freeware program strobe
– IBM Network Services Auditor (NSA)
– ISS Internet Scanner™
– AXENT Technologies NetRecon™
• These tools can perform a selective probe of the target UNIX or Windows NT network communication services, operating systems and key applications, using a comprehensive set of penetration tests.
• The software searches for weaknesses most often exploited by intruders to gain access to a network, analyzes security risks, and provides a series of highly informative reports and recommended corrective actions.
- 32. Testing the Perimeter
• There have been numerous attacks in the past year that have been directed at specific ports.
– The teardrop, newtear, oob, and land.c are only a few of the recent attacks.
• Firewalls and proxy hosts should have only the minimum number of ports open.
– By default, the following ports are open as shipped by the vendor, and should be closed:
» echo on TCP port 7
» echo on UDP port 7
» discard on TCP port 9
» daytime on TCP port 13
» daytime on UDP port 13
» chargen on TCP port 19
» chargen on UDP port 19
» NetBIOS-NS on UDP port 137
» NetBIOS-ssn on TCP port 139
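The list above is easy to turn into a check that runs on the DMZ host itself: compare what is actually listening with the slide's must-close list and with the short allow-list of services the host exists to provide. The example below is added here and is not from the original slides; the listener table is a constructed "proto local-address" listing rather than real netstat output, and the allow-list is a placeholder for a mail/DNS/web bastion.

```python
"""Compare the listening sockets on a DMZ host against the slide's list of
ports that ship open and should be closed, and against an allow-list of
services the host is meant to offer.

Added example, not from the original slides. The listener listing is a
constructed 'proto local-address' table rather than real netstat output, and
the allow-list is a placeholder for a mail/DNS/web bastion."""
# From slide 32: services open by default on the vendor-shipped hosts it describes.
MUST_CLOSE = {
    ("tcp", 7): "echo", ("udp", 7): "echo", ("tcp", 9): "discard",
    ("tcp", 13): "daytime", ("udp", 13): "daytime",
    ("tcp", 19): "chargen", ("udp", 19): "chargen",
    ("udp", 137): "NetBIOS-NS", ("tcp", 139): "NetBIOS-ssn",
}
# Constructed allow-list for this host.
ALLOWED = {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 80)}


def parse_listeners(text):
    """Lines of 'proto local-address' (e.g. 'tcp 0.0.0.0:25'); returns a set
    of (proto, port). Header lines and blanks are skipped."""
    listeners = set()
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in ("tcp", "udp"):
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        listeners.add((parts[0], port))
    return listeners


def audit_listeners(listeners, allowed=ALLOWED):
    """must_close: listeners on the slide's list; not_in_baseline: anything
    else that the allow-list does not cover."""
    return {
        "must_close": sorted((p, port, MUST_CLOSE[(p, port)])
                             for p, port in listeners if (p, port) in MUST_CLOSE),
        "not_in_baseline": sorted((p, port) for p, port in listeners
                                  if (p, port) not in allowed and (p, port) not in MUST_CLOSE),
    }


# Constructed listing for a host that still has several default services up.
SAMPLE_LISTING = """\
Proto Local-Address
tcp   0.0.0.0:7
tcp   0.0.0.0:23
tcp   0.0.0.0:25
tcp   0.0.0.0:53
udp   0.0.0.0:53
tcp   0.0.0.0:80
udp   0.0.0.0:137
tcp   0.0.0.0:139
"""

if __name__ == "__main__":
    report = audit_listeners(parse_listeners(SAMPLE_LISTING))
    for proto, port, name in report["must_close"]:
        print(f"close {name} on {proto.upper()} port {port}")
    for proto, port in report["not_in_baseline"]:
        print(f"review {proto.upper()} port {port}: not in the approved service list")
```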
- 33. Testing the Perimeter
• Other sources of information leaks: the Telnet, FTP, and Sendmail programs.
– They all, by default, advertise the operating system or service type and version.
– They also may advertise the host name.
– This feature can be turned off, and a more appropriate warning message should be put in its place.
• Sendmail has a feature that will allow the administrator to expand or verify users. This feature should not be turned on on any host in the DMZ.
– An intruder would only have to Telnet to the Sendmail port to obtain user account names.
– There are a number of well-known user accounts that an intruder would test.
– This method works even if the finger command is disabled.
- 34. Testing the Perimeter
• VRFY and EXPN
– VRFY asks the server to verify an address. Its parameter may be an encoded address or a user name in a server-defined format.
– EXPN asks the server for the membership of a mailing list. Its parameter may be an encoded address or a list name in a server-defined format.
– Both allow an intruder to determine if an account exists on a system and can provide a significant aid to a brute-force attack on user accounts.
• If you are running Sendmail, add the lines Opnovrfy and Opnoexpn to your Sendmail configuration file, usually located in /etc/sendmail.cf.
• With other mail servers, contact the vendor for information on how to disable the verify command.
- 35. Testing the Perimeter
• Another important check that needs to be run on the hosts in the DMZ is a validation that the system and important application files are valid and not hacked.
– This is done by running a checksum or a cyclic redundancy check (CRC) on the files.
– Because these values are not stored anywhere on the host, external applications need to be used for this function.
• Some suggested security products:
– freeware applications such as COPS and Tripwire, or
– third-party commercial products like AXENT Technologies Enterprise Security Manager™ (ESM), ISS RealSecure™ or Kane Security Analyst™.
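The check the slide describes has two halves: compute the digests once and keep them somewhere the host cannot alter, then compare the live files against that stored copy. The example below is added here and is not Tripwire's or COPS's code; it uses SHA-256 rather than a checksum or CRC because a CRC is not collision resistant, and it demonstrates itself on a constructed temporary directory tree rather than a real /bin.

```python
"""Off-host file-integrity baseline of the kind slide 35 describes: hash the
system and application files once, store the digests away from the host,
and later compare the live files to the stored digests.

Added example, not Tripwire's or COPS's code. It uses SHA-256 instead of a
checksum/CRC because a CRC is not collision resistant, and it demonstrates
itself on a constructed temporary directory tree rather than a real /bin."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path relative to root to its SHA-256, returned as JSON
    so it can be written to media or a host the monitored machine cannot reach."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return json.dumps(digests, sort_keys=True)


def verify(root, baseline_json):
    """Compare live files with the stored baseline."""
    baseline = json.loads(baseline_json)
    current = json.loads(build_baseline(root))
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def _write(root, relpath, data):
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small tree, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"original login binary")
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "etc/hosts.equiv", b"")
        baseline = build_baseline(root)
        _write(root, "bin/login", b"replaced login binary")   # tampered
        _write(root, "bin/extra", b"unexpected new file")
        os.remove(os.path.join(root, "etc/hosts.equiv"))
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline string is what has to leave the host; if it stays on the same file system, an intruder who replaces a binary can just as easily replace the digest beside it, which is the point the slide makes about using external applications.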
- 38. Current E-mail Standards
• Four primary areas:
– SMTP (Simple Mail Transfer Protocol)
– "Standard for the Format of ARPA Internet Text Messages"
– DNS (Domain Name System)
– S/MIME (Secure/MIME), PEM (Privacy Enhancement for Internet Electronic Mail)
Figure: user agent → SMTP → sender's mail server → SMTP → receiver's mail server → access protocols (POP3, IMAP, HTTP) → user agent
- 39. SMTP Simple Mail Transfer Protocol
• Specifies the format of e-mail messages:
– Header: readable text, divided into lines of the form <keyword>: <value>. Keywords are either required, optional, or uninterpreted.
– Body: separated from the header by a blank line; no restrictions on format or contents.
• Specifies the details of e-mail exchange between two computers.
- 40. SMTP: protocol for exchanging email messages
• RFC 822: standard for the text message format:
– header lines, e.g. To:, From:, Subject: (different from the SMTP commands!)
– a blank line
– body: the "message", ASCII characters only
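The message rules on slides 39 and 40 (keyword-colon-value header lines, a blank line, an ASCII body) are simple enough to check mechanically before a relay accepts a message. The example below is added here and is not from the original slides; it treats Date and From plus one destination field (To, cc or Bcc) as required, which is RFC 822's required-field list, and the sample messages are constructed.

```python
"""Split an RFC 822 message into its header and body and check the
structural rules slides 39 and 40 state: 'Keyword: value' header lines, a
blank line before the body, and an ASCII-only body.

Added example, not from the original slides. Date, From and one destination
field are treated as required (RFC 822's list); the sample messages are
constructed."""


def parse_message(raw):
    """Return (headers, body); headers is a list of (keyword, value). A line
    starting with whitespace continues the previous header (folding)."""
    headers, body_lines, in_body = [], [], False
    for line in raw.split("\n"):
        if in_body:
            body_lines.append(line)
        elif line == "":
            in_body = True
        elif line[0] in " \t" and headers:
            keyword, value = headers[-1]
            headers[-1] = (keyword, value + " " + line.strip())
        elif ":" in line:
            keyword, value = line.split(":", 1)
            headers.append((keyword.strip(), value.strip()))
        else:
            raise ValueError(f"malformed header line: {line!r}")
    return headers, "\n".join(body_lines)


def check_message(raw):
    """List the problems found, empty if the message is well formed."""
    headers, body = parse_message(raw)
    names = {keyword.lower() for keyword, _ in headers}
    problems = []
    for required in ("date", "from"):
        if required not in names:
            problems.append(f"missing required header {required}")
    if not names & {"to", "cc", "bcc"}:
        problems.append("no destination header (To, cc or Bcc)")
    if not body.isascii():
        problems.append("body contains non-ASCII characters")
    return problems


# Constructed messages.
GOOD = ("Date: Fri, 1 Mar 2013 10:00:00 +0000\n"
        "From: alice@crepes.fr\n"
        "To: bob@hamburger.edu\n"
        "Subject: lunch\n"
        " tomorrow?\n"          # folded continuation of Subject
        "\n"
        "Do you like ketchup?\n"
        "How about pickles?\n")
NO_DATE_NON_ASCII = "From: alice@crepes.fr\nTo: bob@hamburger.edu\n\ncrème fraîche?\n"

if __name__ == "__main__":
    print(parse_message(GOOD)[0])
    print(check_message(GOOD), check_message(NO_DATE_NON_ASCII))
```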
- 41. SMTP
• Send email without using an email client: try "telnet servername 25", see the 220 reply from the server, then enter the HELO, MAIL FROM, RCPT TO, DATA, QUIT commands.
• How a client on one machine transfers e-mail to a server on another machine:
– The client establishes a connection to the server (typically using TCP) and waits for the server to send a 220 READY FOR MAIL message.
– The client sends a HELO message.
– The server replies: 250 <server>, hello <client>, pleased to meet you
– The client sends a MAIL FROM: <sender> message.
- 42. Sample SMTP interaction
S: 220 hamburger.edu
C: HELO crepes.fr
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: alice@crepes.fr
S: 250 alice@crepes.fr... Sender ok
C: RCPT TO: bob@hamburger.edu
S: 250 bob@hamburger.edu ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: Do you like ketchup?
C: How about pickles?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 hamburger.edu closing connection
Required command set:
• HELO - Initial State Identification
• MAIL - Mail Sender Reverse Path
• RCPT - One Recipient’s Forward Path
• DATA - Mail Message Text State
• RSET - Abort Transaction and Reset all buffers
• NOOP - No Operation
• QUIT - Commit Message and Close Channel
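The server side of the interaction above is a small state machine over the required command set, and it is also the natural place to show the VRFY/EXPN hardening from slide 34: the server simply refuses both commands. The example below is added here and is not Sendmail's or any other MTA's code; the host name hamburger.edu and the message text are the slide's, everything else (state names, reply wording for error cases, the probing VRFY line) is constructed.

```python
"""A minimal SMTP server-side state machine that reproduces the sample
interaction on slide 42 and refuses the VRFY and EXPN commands that slide 34
says should be disabled on DMZ hosts.

Added example, not Sendmail's or any other MTA's code; the host name and the
message are the slide's, everything else is constructed."""


class SmtpSession:
    def __init__(self, hostname="hamburger.edu"):
        self.host = hostname
        self.state = "connect"          # connect -> greeted -> mail -> rcpt -> data
        self.delivered = []             # (sender, recipients, text) accepted so far
        self._reset_transaction()

    def _reset_transaction(self):
        self.sender, self.recipients, self.lines = None, [], []

    def greeting(self):
        return f"220 {self.host}"

    def handle(self, line):
        """Process one client line; returns the reply, or None while
        collecting message text."""
        if self.state == "data":
            if line == ".":
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.lines)))
                self._reset_transaction()
                self.state = "greeted"
                return "250 Message accepted for delivery"
            self.lines.append(line[1:] if line.startswith("..") else line)   # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            self.state = "greeted"
            self._reset_transaction()
            return f"250 Hello {arg}, pleased to meet you"
        if verb == "QUIT":
            self.state = "closed"
            return f"221 {self.host} closing connection"
        if verb == "NOOP":
            return "250 OK"
        if verb in ("VRFY", "EXPN"):
            # Disabled deliberately: these would confirm which accounts exist.
            return "502 Command not implemented"
        if self.state == "connect":
            return "503 Please say HELO first"
        if verb == "RSET":
            self._reset_transaction()
            self.state = "greeted"
            return "250 Reset state"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            if self.state != "greeted":
                return "503 Sender already specified"
            self.sender = arg[5:].strip()
            self.state = "mail"
            return f"250 {self.sender}... Sender ok"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.state not in ("mail", "rcpt"):
                return "503 Need MAIL command"
            rcpt = arg[3:].strip()
            self.recipients.append(rcpt)
            self.state = "rcpt"
            return f"250 {rcpt} ... Recipient ok"
        if verb == "DATA":
            if self.state != "rcpt":
                return "503 Need RCPT (recipient)"
            self.state = "data"
            return '354 Enter mail, end with "." on a line by itself'
        return "500 Command unrecognized"


def run_transcript(client_lines):
    """Feed the client side of a dialogue to a fresh session; returns the
    session and the server lines in order (greeting first)."""
    session = SmtpSession()
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return session, replies


# The client half of the slide's transcript, plus one probe the server refuses.
CLIENT_LINES = ["HELO crepes.fr", "VRFY root", "MAIL FROM: alice@crepes.fr",
                "RCPT TO: bob@hamburger.edu", "DATA", "Do you like ketchup?",
                "How about pickles?", ".", "QUIT"]

if __name__ == "__main__":
    _, replies = run_transcript(CLIENT_LINES)
    print("\n".join(replies))
```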
- 43. SMTP
Figure: user agent (1) → mail server (2) → (3, 4) → mail server (5) → user agent (6)
• Mail servers: always on and always accessible; transfer e-mail to and from other servers.
• User agents: sometimes on and sometimes accessible; intuitive interface for the user.
1) Alice uses her UA to compose a message "to" bob@someschool.edu
2) Alice's UA sends the message to her mail server; the message is placed in the message queue
3) The client side of SMTP opens a TCP connection with Bob's mail server
4) The SMTP client sends Alice's message over the TCP connection
5) Bob's mail server places the message in Bob's mailbox
6) Bob invokes his user agent to read the message
- 44. SMTP Security
• SMTP does not provide any protection of e-mail messages.
– Intermediate hosts (MTAs, Message Transfer Agents) can read, modify, delay, or destroy them.
• Sender authentication limitation:
– E-mail forgery: it is easy to create phony (fraudulent) e-mail messages that appear to have come from an arbitrary source.
– E-mail spamming is still a major problem.
– SMTP-AUTH
- 45. Standard for the Format of ARPA Internet Text Messages
• Defines the format of the messages to be exchanged.
• Important: MIME (Multipurpose Internet Mail Extensions), which specifies a standard method to encode multi-part message bodies, including nontextual information.
- 46. DNS
• DNS (Domain Name System).
• Purpose: to relate Internet IP addresses with computer names.
• Extended to aid SMTP e-mail routing.
• Currently: MX (Mail eXchanger) records.
– Used over the Internet; replaced the routing originally defined in SMTP.
- 47. S/MIME, PEM
• PEM (Privacy Enhancement for Internet Electronic Mail) and S/MIME (Secure/MIME) allow for a variety of security features, including:
– encryption and decryption of e-mail content
– message integrity protection
– nonrepudiation of origin
- 48. Access Protocols: Standards to Retrieve Messages from Servers
• IMAP (Interactive Mail Access Protocol).
• POP (Post Office Protocol).
Figure: user agent → SMTP → sender's mail server → SMTP → receiver's mail server → POP3 or IMAP → user agent
- 49. IMAP
• IMAP (Interactive Mail Access Protocol) defines a standard for client/server interaction between e-mail clients and servers.
• It is currently the de facto standard for open-standards e-mail systems, but is also available as an alternate access method for many proprietary e-mail server systems.
• Designed to allow clients extensive control over the message store:
– retrieval
– deletion
– server-based searches
– refiling messages between folders
– message status
– shared public (multiuser) folders
– etc.
- 50. POP
• POP (Post Office Protocol) defines a standard for how e-mail clients can retrieve headers or messages from a server and request messages to be deleted from the server.
• While still in widespread use, it is currently relegated to minimal client and server implementations, and is being overtaken in robust systems by IMAP.
- 51. GOALS AND NON-GOALS
• Basic design goals of an effective e-mail system: communication, ease of use, reliability.
• Security policies, plans, techniques, and devices must NOT unduly limit the functionality or prevent ease of use of the application.
- 52. GOALS AND NON-GOALS
• Basic elements of an email application:
– Standard format: a message format that allows users to exchange messages.
– Organization: all messages include fields for the originator (from), recipients (to, and possibly cc, bcc), submission date, and subject.
– Security: users can only read their own mail, and messages they create are identified as originating from their accounts.
- 53. GOALS AND NON-GOALS
• Improving the elements:
– Interoperability (to be solved), often in direct conflict with security: the ability to exchange messages between networks of individual computer systems.
– Transport of contextual information: the capability to include or attach computer data types such as audio, video, static images, databases, spreadsheets, executable files or scripts, etc.
- 54. Elements with Security Areas
• Control access: only legitimate users can access systems and services.
• Prevent:
– loss of or damage to data.
– theft of data or services.
– inappropriate dissemination of data.
• Monitor for compliance with law and organizational policies.
- 55. Email Communication: Risks and Problems
• Limiting network connectivity from the Internet to e-mail servers.
• Communication: e-mail allows users in different organizations to communicate (over the Internet), but it does not require direct network connectivity between those e-mail servers and the Internet.
• To limit network connectivity from the Internet to an organization's e-mail servers, one will have:
– a standard bastion network between the Internet (insecure) and the organization's internal network, and
– a mail relay device installed on the bastion network.
- 57. Email Communication: Risks and Problems
• The exterior firewall provides some protection to the e-mail relay system, but it must allow some communications between the e-mail relay and external servers.
• Hackers therefore have the opportunity to attempt attacks through the e-mail channels provided.
• The protections gained by implementing the relay system in the bastion network include the following:
– Intrusion detection (ID): the relay is the only system that can be directly attacked from the Internet.
– Transient messages (TM): if compromised, the relay system contains only transient messages.
– Denial-of-service attacks (DoS) launched against the relay may not prevent intra-organizational traffic from functioning normally.
- 58. Email Communication: Risks and Problems
• A hacker will only be able to do limited damage and disrupt service between internal users and external users.
• To go further, the hacker will need to have the ability to fully compromise the relay server, and spend the time and effort to do so, before being able to use it as a platform to directly attack the internal mail servers.
- 59. Email Communication: Risks and Problems
• Some firewall vendors provide a similar functionality within a single firewall: the firewall itself assumes the role of the e-mail relay.
• This is not as robust a solution as a functionally separate relay, but it is preferable to allowing direct network communications between the insecure network and the internal mail servers.
- 60. Email Communication: Risks and Problems
• Problem: sensitive information. The content of e-mail messages traveling over the Internet needs to be protected from third-party monitoring.
• Solution: encryption.
– There are multiple standards for e-mail encryption, but none is currently widely deployed.
– It is achieved by utilizing encryption that occurs within each user's e-mail client software.
- 62. Encryption
• The message is encrypted within the sender's system.
• Problems:
– Encryption only occurs when the sender remembers to activate the feature.
– The two sides must agree on utilizing the same encryption schemes (S/MIME, PGP, etc.).
– Key(s) must be exchanged.
- 63. Solution: Encrypted VPN
• For network connectivity between geographically separate offices of the same or related organizations.
- 64. Encrypting Appliance ??
• An encrypting appliance can be installed between the internal mail servers and the insecure networks.
• For communications between two business partners' systems (≠ VPN).
• It is configured to encrypt/decrypt traffic exchanged with specific configured sites, while allowing traffic to nonconfigured sites to pass through nonencrypted.
- 66. Encryption Standards
• For message passing between the servers and the users' workstations.
• Most e-mail application software systems have the ability to encrypt the communications channel between the client and server software.
– Using encryption increases the load on the server, so it is generally disabled by default.
– Some systems utilize encryption schemes such as SSL/TLS.
- 67. Access Methods
• Special attention is needed for users accessing e-mail remotely, from home or while traveling.
• Economically, they are increasingly utilizing the Internet for connectivity.
• The access methods (SMTP, POP, IMAP, etc.) need to be considered when planning this encryption.
• Alternative: encryption-capable remote access servers.
- 68. Encryption-capable remote access servers
• Used to form encrypted tunnels (VPN tunnels) directly to software installed on the user's workstation.
• Provide more than e-mail connectivity.