Download presentation: Lesson Six Safeguards Countermeasures Copyright Center


• Number of slides: 40

Lesson Six Safeguards & Countermeasures
Copyright © Center for Systems Security and Information Assurance

Lesson Objectives
• Identify common terms associated with information security countermeasures.
• Define and identify the various types of firewalls.
• Discuss the approaches to dial-up access and protection.
• Identify and describe the two categories of intrusion detection systems and discuss the two strategies behind intrusion detection systems.
• Discuss scanning, analysis tools, and content filters.
• Understand trap and trace technologies.
• Discuss various approaches to biometric access control.

IT Security Countermeasures
• Countermeasures come in a variety of sizes, shapes, and levels of complexity.
• Countermeasures must begin with a thorough organizational security policy and include technologies, education and enforcement.

Demilitarized Zone (DMZ)
• Sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet
• Contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers

Bastion Host
• A gateway between an inside network and an outside network
• A security measure to defend against attacks aimed at the inside network

Network Address Translation (NAT)
• Located where the LAN meets the Internet
• Provides a type of firewall by hiding internal IP addresses from external or untrusted users
• Expands the number of internal IP addresses available to an organization
• No possibility of conflict with IP addresses used by other companies and organizations

NAT
• Reserved NAT addresses: 10.x.x.x, 172.16.x.x, 192.168.x.x

Firewalls
• Any device that prevents a specific type of information from moving between an untrusted network and a trusted network
• Made up of both software and hardware:
Ø May reside on a separate and dedicated computer system
Ø May reside on an existing computer or network device (router or switch)
Ø May reside on a dedicated appliance specifically designed for greater performance

First Generation Firewalls
• Called packet filtering firewalls.
• Examined every incoming packet header and selectively filtered packets based on:
Ø addresses
Ø packet types
Ø port requests
Ø other factors
• Implemented restrictions based on:
Ø IP source and destination address
Ø Direction (inbound or outbound)
Ø TCP/UDP source and destination port requests

First Generation Firewalls (diagram slide)

Second Generation Firewalls
• Called application-level firewalls or proxy servers
• A dedicated computer separate from the filtering router (filtering routers can still be implemented behind the proxy server)
• Exposed to the outside world in the DMZ
• Traffic passes through the proxy, which translates the IP address.
• Designed for a specific protocol and cannot easily be reconfigured to protect against attacks on protocols for which they are not designed (primary disadvantage)

Second Generation Firewalls (diagram slide)

Third Generation Firewalls
• Called stateful inspection firewalls
• Tracks each network connection established between trusted and untrusted networks
• If it receives an incoming packet that it cannot match in its state table, it falls back to its access control list to determine whether to allow the packet to pass
• Requires additional processing to manage and verify packets against the state table (primary disadvantage)

Third Generation Firewalls (diagram slide)

Fourth Generation Firewalls
• Called a context-based access control (CBAC) firewall
• Intelligently filters packets based on application-layer protocol session information and can be used for intranets, extranets and internets
• Configured to permit specified traffic through the firewall only when the connection is initiated from within the network you want to protect
• Without CBAC, traffic filtering is limited to access-list implementations that examine packets at the network layer or, at most, the transport layer

Fourth Generation Firewalls
• Allows support of protocols that involve multiple channels created as a result of negotiations in the control channel.
• Provides the following benefits:
Ø Java blocking
Ø Denial-of-service prevention and detection
Ø Real-time alerts and audit trails
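As an added example that is not part of the original slides, the filtering behaviour of the first-, third- and fourth-generation slides above in Python: rules match on direction, protocol, destination address and port (first generation); the state table is consulted before the access control list (third generation); and, as with CBAC, a session initiated from inside opens the return path while unsolicited inbound traffic is denied. The Packet, Rule and StatefulFirewall names, the exact-address match, and the sample policy and addresses are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    direction: str  # "in" = untrusted -> trusted, "out" = trusted -> untrusted

@dataclass(frozen=True)
class Rule:  # first-generation criteria: direction, protocol, destination address and port
    action: str                  # "allow" or "deny"
    direction: str
    proto: Optional[str] = None  # None matches any value
    dst: Optional[str] = None
    dport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto in (None, p.proto)
                and self.dst in (None, p.dst) and self.dport in (None, p.dport))

def conn_key(p: Packet) -> Tuple:
    # Direction-independent key: (proto, inside addr, inside port, outside addr, outside port)
    if p.direction == "out":
        return (p.proto, p.src, p.sport, p.dst, p.dport)
    return (p.proto, p.dst, p.dport, p.src, p.sport)
class StatefulFirewall:  # third-generation behaviour: state table first, ACL as the fallback
    def __init__(self, acl: List[Rule]) -> None:
        self.acl = acl
        self.state: Set[Tuple] = set()   # tracked connections
    def decide(self, p: Packet) -> str:
        key = conn_key(p)
        if key in self.state:
            return "allow"               # reply or continuation of a tracked session
        for rule in self.acl:            # unknown to the state table: first matching rule wins
            if rule.matches(p):
                if rule.action == "allow":
                    self.state.add(key)  # the admitted session now has a return path
                return rule.action
        return "deny"                    # implicit default deny
def sample_decisions() -> List[str]:
    # Constructed policy: inside may initiate anything; outside may only reach the DMZ web server
    fw = StatefulFirewall([Rule("allow", "out"), Rule("allow", "in", "tcp", "192.0.2.10", 80)])
    packets = [Packet("10.0.0.5", "203.0.113.7", "tcp", 51000, 443, "out"),  # inside-initiated HTTPS
               Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 51000, "in"),   # its reply: state table hit
               Packet("198.51.100.9", "10.0.0.5", "tcp", 4444, 22, "in"),    # unsolicited inbound SSH
               Packet("198.51.100.9", "192.0.2.10", "tcp", 40000, 80, "in")]  # inbound HTTP to the DMZ
    return [fw.decide(p) for p in packets]
```

Replies to the inside-initiated session pass through the state table without any inbound rule, which is exactly the distinction between the stateless first-generation filter and the stateful one.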

Fourth Generation Firewalls (diagram slide)

Fifth Generation Firewalls
• Called the kernel proxy, a specialized form that works under the Windows NT Executive (the kernel of Windows NT)
• Evaluates packets at multiple layers of the protocol stack
• More secure because the operating system under a conventional firewall is itself another source of vulnerability
• More secure and performs additional security inspections because the OS kernel was specifically designed for the firewall

Fifth Generation Firewalls (diagram slide)

RADIUS
• Most common access server for authenticating and authorizing dial-up users of an organization's network
• Comprises three components:
Ø An authentication protocol
Ø A server (points to the RADIUS authentication database)
Ø A client
• Supports a variety of methods to authenticate a user:
Ø PPP
Ø PAP
Ø CHAP

RADIUS Authentication (diagram slide)

TACACS Authentication
• Short for Terminal Access Controller Access Control System
• Commonly used in UNIX networks
• Allows a remote access server to communicate with an authentication server in order to determine whether the user has access to the network

TACACS Services (diagram slide)

Intrusion Detection System (IDS)
• Identifies and tracks packets entering and leaving a monitored network
• Acts as an alarm system, notifying you of unusual events or traffic patterns
• Monitors your network and takes automatic predefined action
• Available options when implementing an IDS:
Ø Host-based IDS
Ø Network-based IDS

Host-based Intrusion Detection System (HIDS)
• Installed locally on host machines
• Installed on many different types of machines (servers, workstations and notebook computers)
• Traffic sent to the host is analyzed and passed on to the host if the transmission contains no potentially malicious packets
• Host-based installations focus on anomalies on the local machine
• Platform specific
• Both host-based and network-based IDS are required

Host-Based Intrusion Detection System HIDS (diagram slide)

Network-based Intrusion Detection Systems
• Operates differently from host-based IDS
• Scans network packets, auditing packet information, and logs any suspicious packets into a special log file with extended information.
• Checks its own database of known network attack signatures and assigns a severity level to each suspicious packet
• If severity levels are high enough, a warning e-mail or pager call is placed to security team members, who investigate the nature of the anomaly

Network-Based Intrusion Detection Systems
• Known malicious network activity:
Ø IP spoofing
Ø Denial-of-service attacks
Ø ARP cache poisoning
Ø DNS name corruption
Ø Man-in-the-middle attacks
• Require that the host system's network device be set to promiscuous mode, which allows the device to capture every packet passed on the network
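An added example, not part of the original slides: a small network-based IDS in Python in the style the two slides above describe. It works from constructed packet records (standing in for frames captured in promiscuous mode), matches each against signatures for three of the listed activities (IP spoofing, ARP cache poisoning and a SYN-flood denial of service), logs every suspicious packet with a severity level, and escalates those at or above a threshold. The monitored prefix, the known gateway MAC, the thresholds and all addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_PREFIX = "10.0.0."                                    # assumed monitored network
KNOWN_ARP: Dict[str, str] = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}  # assumed gateway IP -> MAC
ALERT_THRESHOLD = 7    # severity at or above this is escalated to the security team
SYN_FLOOD_LIMIT = 50   # SYNs from one source to one host before it counts as a flood
@dataclass
class Pkt:  # constructed packet record standing in for a frame captured in promiscuous mode
    iface: str          # "ext" = arrived from the untrusted side, "int" = from inside
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "arp"
    flags: str = ""     # "S" marks a TCP SYN
    arp_mac: str = ""   # sender MAC carried in an ARP reply

class SimpleNIDS:
    def __init__(self) -> None:
        self.syn_counts: Counter = Counter()
        self.log: List[Tuple[str, int, Pkt]] = []  # (signature, severity, packet) per suspicious packet
    def signatures(self, p: Pkt) -> List[Tuple[str, int]]:
        hits = []
        if p.iface == "ext" and p.src.startswith(INTERNAL_PREFIX):   # IP spoofing
            hits.append(("ip-spoofing", 9))
        if p.proto == "arp" and KNOWN_ARP.get(p.src, p.arp_mac) != p.arp_mac:  # ARP cache poisoning
            hits.append(("arp-cache-poisoning", 8))
        if p.proto == "tcp" and "S" in p.flags:                      # denial of service: SYN flood
            self.syn_counts[(p.src, p.dst)] += 1
            if self.syn_counts[(p.src, p.dst)] == SYN_FLOOD_LIMIT:
                hits.append(("syn-flood", 6))
        return hits

    def inspect(self, p: Pkt) -> List[str]:
        escalated = []   # log every hit; return the names of those severe enough to escalate
        for name, sev in self.signatures(p):
            self.log.append((name, sev, p))
            if sev >= ALERT_THRESHOLD:
                escalated.append(name)
        return escalated

def run_sample() -> Tuple[int, List[str]]:
    nids = SimpleNIDS()
    packets = [Pkt("ext", "10.0.0.7", "10.0.0.20", "tcp", "S"),        # outside packet, inside source
               Pkt("int", "10.0.0.1", "10.0.0.20", "arp", arp_mac="de:ad:be:ef:00:01"),  # wrong MAC
               Pkt("int", "10.0.0.9", "10.0.0.20", "tcp", "S")]       # benign SYN
    packets += [Pkt("ext", "203.0.113.5", "10.0.0.20", "tcp", "S")] * 60   # repeated SYNs: flood
    escalated = [name for p in packets for name in nids.inspect(p)]
    return len(nids.log), escalated
```

The SYN flood is logged but, at severity 6, is not escalated, which shows why the threshold and the per-signature severities deserve tuning for the network being monitored.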

Network-Based Intrusion Detection Systems (diagram slide)

Port Scanners
• All machines connected to a Local Area Network (LAN) or the Internet run many services that listen at well-known and not-so-well-known ports
• By port scanning, the attacker finds which ports are available (i.e., what service might be listening on a port)
• A port scan consists of sending a message to each port, one at a time
• The kind of response received indicates whether the port is used and can therefore be probed further for weakness

Port Scanners (diagram slide)

Port Numbers
• Port numbers are not tightly controlled, but over the decades certain ports have become standard for certain services
• Port numbers are unique only within a computer system
• Port numbers are 16-bit unsigned numbers
• Port numbers are divided into three ranges:
Ø Well Known Ports (0 - 1023)
Ø Registered Ports (1024 - 49151)
Ø Dynamic and/or Private Ports (49152 - 65535)

Port Numbers (diagram slide)

Well-Known Ports
• Ports numbered 0 to 1023 are assigned to services by the Internet Assigned Numbers Authority (IANA)
• Sample ports:
Ø Echo 7/tcp
Ø FTP-data 20/udp
Ø FTP-control 21/tcp
Ø SSH 22/tcp
Ø Telnet 23/tcp
Ø DNS 53/udp
Ø WWW-HTTP 80/tcp

Vulnerability Scanners
• Capable of scanning networks for very detailed information
• Identify exposed usernames and groups
• Show open network shares
• Expose configuration problems and other vulnerabilities in servers

Packet Sniffers
• Collects copies of packets from the network and analyzes them
• Eavesdrops on the network traffic
• Legal uses include:
Ø Being on a network that the organization owns
Ø Being under direct authorization of the owners of the network
Ø Having knowledge and consent of the content creators (users)

Content Filters
• Allows administrators to restrict accessible content from within a network
• Restricts Web sites with inappropriate content

Honey Pots
• Detect encrypted attacks in IPv6 networks and capture the latest in on-line credit card fraud
• Designed to distract the attacker while notifying the administrator of a possible attack or break-in
• Provide two major security features:
Ø Slow down the attacker
Ø Provide detection and tracking

Biometrics
• Automatically recognizing a person using distinguishing traits.
• Defined as automated methods of identifying or verifying the identity of a living person based on physiological or behavioral characteristics (http://www.idsysgroup.com/ftp/biometrics_101_ISG.pdf)

Types of Biometrics
• Iris Recognition
• Finger Scan
• Hand Geometry
• Facial Recognition
• Signature Dynamics
• Voice Dynamics
• Retinal Scan
• Vascular Patterns