Number of slides: 17
ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035
Office: Centegy Building 5138. Email or call for an office visit, or call Kathy Cheek, 404 894-5696.
Network Security Utilities and Organizations
Network Security Utilities

It's difficult for a network manager to physically visit every workstation on a regular basis and check all the configuration files. A number of network security utilities have been developed to let a network manager scan a network for security holes. Surprisingly, many of these are free. The most versatile for port scanning is "nmap." Others actually run known exploits against your systems to detect weaknesses ("SAINT" and "SATAN"). Some should be studied so that you know what crackers can easily do (e.g., dsniff). For intrusion detection, there are some expensive commercial services that come with 24-hour-a-day, 7-day-a-week monitoring ("ISS").

Only download "free" utilities in source form, and read the C code before you compile and use them. Some, like software from Red Hat, come with a PGP (or GPG) signature that you should verify, using a key obtained from somewhere other than the download site. Many developers now provide at least a CRC checksum or a secure hash for their original (unaltered) binaries. The two are not equivalent: a CRC only detects accidental corruption and can be matched deliberately by whoever altered the file, and any checksum or hash published on the same server as the download is only as trustworthy as that server. A cryptographic hash obtained out of band, or a signature you have verified, is what actually tells you the file is unaltered.
Tripwire - compares hashes of system files against a stored baseline

Tripwire HQ Connector Bundle
The HQ Connector bundle is comprised of Tripwire's award-winning file integrity software, Tripwire version 2.2.1, and a communications agent that allows the software engine to "talk" to the Tripwire HQ Manager. Tripwire provides support for multiple platforms, including Windows NT, Solaris, Linux, HP-UX, IBM AIX and others. With the Tripwire HQ Connector bundle, you can unequivocally answer the question: is my data the same today as it was yesterday? This information will help you keep your system in optimal working order and manage any changes - malicious or inadvertent - giving you complete control over data integrity.

Tripwire HQ Manager is a software console with a graphical user interface that allows you to control hundreds of installations of HQ Connector. Named HQ Manager because it's designed to operate as your information integrity headquarters, this product provides you with the very best way to manage data integrity across an enterprise network from a single, centralized location.

Tripwire 2.2.1 for Linux
With all the same great features as Tripwire 2.2.1 for other operating systems, Tripwire for Linux is available as a free download (without the agent that communicates with HQ Manager). In support of the open source community, Tripwire plans to release an open source version of this product this fall. For more information and future announcements about the open source release, check out www.tripwire.org.

Tripwire Academic Source Release 1.3.1
With only slight changes, the Tripwire Academic Source Release (ASR) version 1.3.1 is the same as the original Tripwire software that was developed in 1992 by Dr. Eugene Spafford and Tripwire CTO Gene Kim. Tripwire offers this version as a free download, but does not provide product support for it.

www.tripwire.com
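What "is my data the same today as it was yesterday?" comes down to is a baseline of digests and inode metadata and a later diff against it. The following is an added example written for this page, not Tripwire's own code; it builds a small directory tree as a constructed scenario and assumes a POSIX filesystem.

```python
"""A minimal Tripwire-style file-integrity baseline.

Added example, not Tripwire's own code: record a SHA-256 digest plus the
inode metadata of every regular file under a directory, store that as the
baseline, and diff a later snapshot against it to list files that were
added, removed or modified.  Assumes a POSIX filesystem.
"""
import hashlib
import json
import os
import stat
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (relative path) to its digest and metadata."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            entries[os.path.relpath(full, root)] = {
                "sha256": _sha256_file(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),  # includes setuid/setgid bits
                "uid": st.st_uid,
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return entries


def compare(baseline, current):
    """Report added/removed paths and, for surviving paths, which fields changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k, v in baseline[path].items() if current[path][k] != v]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, body, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(body)
    os.chmod(full, mode)
    return full


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        login = _write(root, "bin/login", b"#!/bin/sh\nexec real_login\n")
        passwd = _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")

        baseline = snapshot(root)
        stored = json.dumps(baseline, sort_keys=True)  # keep this off-host or on read-only media

        # 1. Trojan bin/login with a same-length body and put the mtime back,
        #    the way a careful intruder would; only the digest will differ.
        st = os.stat(login)
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec evil_login\n")
        os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2. Content untouched, but the file is made world-writable.
        os.chmod(passwd, 0o666)
        # 3. A new file appears and one disappears.
        _write(root, "bin/rootkit", b"\x7fELF")
        os.remove(os.path.join(root, "etc/hosts"))

        return compare(json.loads(stored), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the tool itself cannot fix: the baseline and the checker binary have to live somewhere the intruder cannot rewrite (read-only media or another host), and a root-level intruder can still hide from a checker that runs on the compromised kernel, which is why a check from a clean boot is more trustworthy than one run on the live system.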
Saint (and Satan)

"Indispensable for checking system vulnerabilities" (Information Security, February 2000). The Security Administrator's Integrated Network Tool (SAINT), an updated and enhanced version of SATAN, is designed to assess the security of computer networks.

New with this release:
Check for vulnerability in wu-ftpd 2.6.0
Check for innd control-cancel vulnerability
Check for possible vulnerabilities in HP OpenView Network Node Manager and OmniBack server
Check for two vulnerabilities in HP JetAdmin
Check for vulnerability in CMail server
Several bug fixes in NetBIOS checks
Improvements in sadmind, tooltalk, and Calendar Manager checks to reduce false alarms
Fixed compilation problems in dds.c affecting SunOS 4, thanks to Jim Houser

Saint - http://www.wwdsi.com/saint/ [gone commercial] http://www.saintcorporation.com/products/saint_engine.html
Nessus

The "Nessus" Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is software that remotely audits a given network and determines whether bad guys (aka 'crackers') may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not assume that a given service is running on a fixed port: if you run your web server on port 1234, Nessus will detect it and test its security. It does not base its security tests on the version number of the remote service, but actually attempts to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.

Because the tests really fire exploits, fragile services can crash under a scan: run it only against systems you are authorized to test, and schedule it outside production hours.

Test the security of your network: http://www.nessus.org/
dsniff

Overview
I wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of cleartext network protocols. Please do not abuse this software.

Description
arpredirect: intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch. Kernel IP forwarding (or a userland program which accomplishes the same, e.g. fragrouter :-) must be turned on ahead of time.
macof: flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program.
tcpkill: kill specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-way handshake for TCB creation).
tcpnice: slow down specified in-progress TCP connections via "active" traffic shaping (useful for sniffing fast networks). Forges tiny TCP window advertisements, and optionally ICMP source quench replies.
dsniff: password sniffer. Handles FTP, Telnet, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS, YP, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL auth info.
(more)
dsniff - 2

dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. Full TCP/IP reassembly is provided by libnids(3) (likewise for the following tools as well).
filesnarf: saves selected files sniffed from network file system traffic in the current working directory.
mailsnarf: a fast and easy way to violate the Electronic Communications Privacy Act of 1986 (18 USC 2701-2711), be careful. Outputs selected messages sniffed from SMTP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail -f, pine, etc.).
urlsnarf: output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, etc.).
webspy: sends URLs sniffed from a client to your local Netscape browser for display, updated in realtime (as the target surfs, your browser surfs along with them, automagically). A fun party trick. :-)
(more)

http://naughty.monkey.org/~dugsong/dsniff/faq.html
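The two switched-LAN tricks on the previous slide, arpredirect's forged ARP replies and macof's flood of random source MACs, both leave a detectable trace on the wire. The following is an added example written for this page, not dsniff's code and not a real capture: it frames the kind of unsolicited ARP reply arpredirect sends, parses frames back, and flags an IP whose claimed MAC changes (what arpwatch-style monitors alert on) as well as an abnormal count of distinct source MACs. All addresses and frames are constructed.

```python
"""Spotting dsniff-style ARP poisoning and MAC flooding in captured frames.

Added example, not dsniff's code and not a real capture: it frames the
unsolicited ARP replies arpredirect sends, parses them back, and flags an
IP whose claimed MAC changes (what arpwatch-style monitors alert on), plus
an abnormal number of distinct source MACs, which is what macof produces.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet/ARP reply frame; an unsolicited one is how a cache is poisoned."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None for non-ARP frames."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return op, mac_text(sha), ip_text(spa), mac_text(tha), ip_text(tpa)


def detect_arp_spoof(frames):
    """Remember the first MAC seen for each sender IP; alert whenever it changes."""
    bindings = {}
    alerts = []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, _tha, tpa = parsed
        known = bindings.setdefault(spa, sha)
        if known != sha:
            alerts.append({"frame": n, "ip": spa, "was": known, "now": sha,
                           "op": op, "target": tpa})
    return alerts


def mac_flood(frames, threshold=64):
    """Count distinct source MACs; macof pushes thousands through a switch's CAM table."""
    sources = {ETH_HDR.unpack_from(f)[1] for f in frames if len(f) >= ETH_HDR.size}
    return len(sources) > threshold, len(sources)


# Constructed frames: a gateway and a victim exchange replies, then an attacker
# tells each side that the other's IP lives at the attacker's MAC.
GATEWAY, VICTIM, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:01"
FRAMES = [
    arp_reply(GATEWAY, "10.0.0.1", VICTIM, "10.0.0.5"),
    arp_reply(VICTIM, "10.0.0.5", GATEWAY, "10.0.0.1"),
    arp_reply(ATTACKER, "10.0.0.1", VICTIM, "10.0.0.5"),   # arpredirect: "10.0.0.1 is at de:ad:..."
    arp_reply(ATTACKER, "10.0.0.5", GATEWAY, "10.0.0.1"),  # and the reverse, so both directions transit the attacker
]
# Constructed macof-style noise: 200 frames from 200 different source MACs.
FLOOD = [ETH_HDR.pack(b"\xff" * 6, struct.pack("!IH", i, 0xBEEF), 0x0800) + b"\x00" * 46
         for i in range(200)]

if __name__ == "__main__":
    for a in detect_arp_spoof(FRAMES):
        print(f"frame {a['frame']}: {a['ip']} moved from {a['was']} to {a['now']}")
    print("MAC flood:", mac_flood(FRAMES + FLOOD))
```

On a real network the frames would come from a libpcap capture on a mirror port; the binding table is the same idea arpwatch keeps, and a static ARP entry for the gateway on critical hosts is the cheap preventive counterpart.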
Ethereal - A Network Protocol Analyzer (Sniffer)

Ethereal is a free network protocol analyzer. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

March 30, 2002: Ethereal 0.9.3 has been released. This version fixes problems revealed by the PROTOS test suite that were uncovered after the 0.9.2 release. This release addresses all of the security advisories listed on the Ethereal web site. All users are encouraged to upgrade. Error checking while reading various trace files was enhanced. Other improvements were made to the VMS TCPIPTRACE and libpcap/tcpdump file reading code. The pkt-from-core.py utility also received improvements. Support for SCCP and XDMCP has been added. Updated protocols include 802.11, CGMP, COPS, DCE RPC, DEC spanning tree, DIAMETER, EAPOL, IEEE spanning tree, L2TP, LDP, M2PA, M3UA, NETLOGON, NFS, Q.931, RADIUS, RARP, RSVP, SCCP, SCSI, SIP, Skinny, SAMR, SMB, SMPP, SNMP, SOCKS, SPOOLSS, SSL, TPKT, UCP, and VRRP. Please note that this is a source code release. Binary packages for various operating systems, including Microsoft Windows and Red Hat Linux, should be released in a few days.

The point for a defender: the analyzer's protocol dissectors parse hostile input, so a crafted packet on the wire can crash, or compromise, the host doing the sniffing. Keep it patched, and capture with a minimal privileged tool (tcpdump writing to a file) rather than running the full analyzer as root.

www.ethereal.com
Knoppix-STD

Knoppix-STD is a Security Tool. Actually it is a collection of hundreds if not thousands of open source security tools. It's a Live Linux distro (i.e. it runs from a bootable CD in memory without changing the native operating system of your PC). Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can. It's NOT a replacement for your Windows box, server, firewall or router. It is not n00b friendly. It is ABSOLUTELY NOT an alternative to Knoppix. STD is NOT about Linux, it is about security tools (i.e. STD uses Linux as a means to an end).

www.knoppix.org and http://www.knoppix-std.org/
Internet Security Systems, Inc - Atlanta

The backbone of Internet Security Systems' (ISS) total solution, the SAFEsuite family of products offers customers award-winning Security Assessment, Intrusion Detection and Security Management solutions: an integrated set of standards-based, best-of-breed security solutions. SAFEsuite applications help customers develop sound security strategies that effectively monitor and protect critical online assets, providing continuous status updates and necessary automated security improvements with minimal impact on your network performance and business operations.

Electronic commerce, remote computing, and other components of today's online economy require networks to be open and accessible, and network security to be as transparent to partners, vendors, customers, and internal users as possible. To meet these conditions, Internet Security Systems (ISS) provides RealSecure, the industry's first completely integrated host- and network-based intrusion detection platform. By combining host- and network-based intrusion detection into a single platform, RealSecure provides a comprehensive intrusion detection solution. RealSecure uses a standards-based approach, comparing network traffic and host log entries to the known and likely methods of attackers. Suspicious activities trigger administrator alarms and other configurable responses. RealSecure is specifically designed to lessen the workload of security administration and easily integrates with leading network and systems management applications. RealSecure's monitoring parameters easily adjust to different network situations and feature components, and are readily configured from a central console.

www.iss.net
Network Security Organizations

There are a number of organizations that provide good advice about network security programs. The CERT Coordination Center (CERT/CC) encourages reports about cracking activities and releases an annual summary of cracking incidents. CERT/CC is operated by Carnegie Mellon University's Software Engineering Institute, a federally funded center, at www.cert.org; the U.S. government's own US-CERT is at www.us-cert.gov. SANS, which appears to be for-profit, offers a number of free services. Reports on newly discovered exploits (without implementation code) and patches are available by email. The Global Incident Analysis Center is available on the Web (www.sans.org). The National Infrastructure Protection Center (NIPC), run by the FBI, has begun to offer a comprehensive set of information about cracking activities (www.nipc.gov).
CERT®/CC Contact Information

Email: cert@cert.org
Encrypting sensitive information: when sending sensitive information by email, please encrypt it. You can find details about our PGP key in "Sending Sensitive Information".
Phone - CERT Hotline: +1 412-268-7090 (24-hour hotline). CERT/CC personnel answer 8:00 a.m. - 8:00 p.m. EST (GMT-5) / EDT (GMT-4) on working days; they are on call for emergencies during other hours and on weekends and holidays.
FAX: +1 412-268-6989
CERT® Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890
Subscribing to the CERT mailing list: subscribe to our mailing list if you want to receive our advisories and summaries in email.

www.cert.org
CERT - 2 (www.cert.org)
SANS Global Incident Analysis Center

Welcome to GIAC. Our mission is to provide up-to-date reports of malicious activity on the net submitted by your international community of system administrators and intrusion detection analysts. We welcome detects of intrusions, odd log file entries, encryption failures, or other security related information. Three gifts SANS gives to the community are the weekly digest of patches and summaries of traces, the monthly Windows NT Digest of new security holes, patches, and other administrative imperatives, and the weekly digest of the 25 top news stories in security. We'd be happy to send you any or all; just send an email to info@sans.org with one or more of the following in the subject: Network Security Digest, NT Digest, or Newsbites.

GIAC has posted a guide to defensive steps against DDOS attacks in a document based on the Consensus Roadmap developed by the Partnership for Critical Infrastructure Security. Since the DDOS threat will be with us for the long haul, we need to take appropriate countermeasures to reduce the impact of the threat. GIAC is committed to training and assisting security professionals, and with your help we can get control of this problem. Thank you!

http://www.sans.org/giac.htm
National Infrastructure Protection Center (NIPC)

Located in the FBI's headquarters building in Washington, D.C., the NIPC brings together representatives from the FBI, other U.S. government agencies, state and local governments, and the private sector in a partnership to protect our nation's critical infrastructures. Established in February 1998, the NIPC's mission is to serve as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against our critical infrastructures. These infrastructures, which include telecommunications, energy, banking and finance, water systems, government operations, and emergency services, are the foundation upon which our industrialized society is based.

Our society is increasingly relying on new information technologies and the Internet to conduct business, manage industrial activities, engage in personal communications, and perform scientific research. While these technologies allow for enormous gains in efficiency, productivity, and communications, they also create new vulnerabilities to those who would do us harm. The same interconnectivity that allows us to transmit information around the globe at the click of a mouse or push of a button also creates unprecedented opportunities for criminals, terrorists, and hostile foreign nation-states who might seek to steal money or proprietary data, invade private records, conduct industrial espionage, cause a vital infrastructure to cease operations, or engage in Information Warfare.

Protecting our critical infrastructures in the Information Age raises new challenges for all of us. Above all, it requires a partnership between the government and private industry to reduce our vulnerability to attack and increase our capabilities to respond to new threats. The NIPC provides an important vehicle for carrying that partnership forward.

http://www.nipc.gov/
WASHINGTON, D.C. -- The Department of Justice, in conjunction with the FBI, the Air Force Office of Special Investigation, the National Aeronautic and Space Administration and the Naval Criminal Investigative Service, announced today that the Israeli National Police arrested Ehud Tenebaum, an Israeli citizen, for illegally accessing computers belonging to the Israeli and United States governments, as well as hundreds of other commercial and educational systems in the United States and elsewhere.

The arrest of Tenebaum culminates several weeks of investigation into a series of computer intrusions into United States military systems that occurred in February 1998. As part of this investigation, the Department of Justice formally requested legal assistance from the Israeli Ministry of Justice, and U.S. law enforcement agents traveled to Israel to present Israeli law enforcement officials with evidence of the magnitude and the source of the intrusions into United States computers.

Attorney General Janet Reno said that the prompt arrest of the Israeli hacker demonstrates the effectiveness of international cooperation in cases involving transnational criminal conduct. She added that the U.S. government's efforts to investigate and prosecute computer crime are on the right track: "This arrest should send a message to would-be computer hackers all over the world that the United States will treat computer intrusions as serious crimes. We will work around the world and in the depths of cyberspace to investigate and prosecute those who attack computer networks," she said.
What to Do if a System is Compromised

Regain control

1. Disconnect compromised system(s) from the network. To regain control, you will need to disconnect all compromised machines from your network, including dial-in connections. After that you may wish to operate in single-user mode in UNIX or as the local administrator in NT to ensure that you have complete control of the machine; however, by rebooting or changing to single-user/local-administrator mode, you may lose some useful information because all processes executing at the time of discovery will be killed. Therefore, you may wish to work through the steps in section C.5, "Look for signs of a network sniffer", to determine whether the compromised system is currently running a network sniffer. Operating in single-user mode on UNIX systems will prevent users, intruders, and intruder processes from accessing or changing state on the compromised machine while you are going through the recovery process. If you do not disconnect the compromised machine from the network, you run the risk that the intruder may still be connected to your machine and may be undoing your steps as you try to recover it.

2. Copy an image of the compromised system(s). . . .

Excerpt from http://www.cert.org/tech_tips/win-UNIX-system_compromise.html