
- Number of slides: 40
Lesson Six: Safeguards & Countermeasures
Copyright © Center for Systems Security and Information Assurance
Lesson Objectives
• Identify common terms associated with information security countermeasures.
• Define and identify the various types of firewalls.
• Discuss the approaches to dial-up access and protection.
• Identify and describe the two categories of intrusion detection systems and discuss the two strategies behind intrusion detection systems.
• Discuss scanning, analysis tools, and content filters.
• Understand trap and trace technologies.
• Discuss various approaches to biometric access control.
IT Security Countermeasures
• Countermeasures come in a variety of sizes, shapes, and levels of complexity.
• Countermeasures must begin with a thorough organizational security policy and include technologies, education and enforcement.
Demilitarized Zone (DMZ)
• Sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet
• Contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers
Bastion Host
• A gateway between an inside network and an outside network
• A security measure to defend against attacks aimed at the inside network
Network Address Translation (NAT)
• Located where the LAN meets the Internet
• Provides a type of firewall by hiding internal IP addresses from external or untrusted users
• Expands the number of internal IP addresses available to an organization
• No possibility of conflict with IP addresses used by other companies and organizations
NAT
Reserved NAT addresses: 10.x.x.x, 172.16.x.x, 192.168.x.x
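The two NAT slides above describe a gateway that hides internal addresses behind one public address and uses the reserved private ranges inside. The following is an added example, not code from the course material: a minimal port-address translator that rewrites outbound packets, records the mapping, and drops inbound packets that match no mapping (which is what "hiding internal IP addresses" means in practice). The public and external addresses are constructed documentation addresses, and the 172.16 range is written as the /12 block that RFC 1918 reserves.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Reserved private ranges from the slide (RFC 1918). The slide writes the
# second one as 172.16.x.x; the RFC reserves the whole 172.16.0.0/12 block.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the reserved private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


# A packet is a dict with keys src, sport, dst, dport (constructed format).
Packet = Dict[str, object]


class NatGateway:
    """Port-address translation: many internal hosts share one public IP.

    Outbound packets get the public source address and a fresh public port;
    the mapping is kept so replies can be routed back to the originating host.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.outbound: Dict[Tuple, int] = {}
        # (public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.inbound: Dict[Tuple, Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {"src": self.public_ip, "sport": self.outbound[key],
                "dst": pkt["dst"], "dport": pkt["dport"]}

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Returns the rewritten packet, or None for unsolicited traffic.

        An external host can only reach an internal host through a mapping
        that the internal host created, so unsolicited inbound packets are
        dropped: this is the firewall-like property the slide refers to.
        """
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.inbound:
            return None
        internal_ip, internal_port = self.inbound[key]
        return {"src": pkt["src"], "sport": pkt["sport"],
                "dst": internal_ip, "dport": internal_port}


if __name__ == "__main__":
    gw = NatGateway("203.0.113.5")  # constructed public address
    out = gw.translate_outbound({"src": "192.168.1.10", "sport": 51000,
                                 "dst": "198.51.100.7", "dport": 80})
    print("outbound rewritten to", out)
    back = gw.translate_inbound({"src": "198.51.100.7", "sport": 80,
                                 "dst": "203.0.113.5", "dport": out["sport"]})
    print("reply delivered to", back)
```

The inbound table is keyed on the remote endpoint as well as the public port, so a different external host cannot reuse an existing mapping; a real NAT device would also expire idle entries, which is omitted here.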
Firewalls
• Any device that prevents a specific type of information from moving between an untrusted network and a trusted network
• Made up of both software and hardware:
  – May reside on a separate and dedicated computer system
  – May reside on an existing computer or network device (router or switch)
  – May reside on a dedicated appliance specifically designed for greater performance
First Generation Firewalls
• Called packet filtering firewalls.
• Examined every incoming packet header and selectively filtered packets based on:
  – addresses
  – packet types
  – port requests
  – and other factors
• Implemented restrictions based on:
  – IP source and destination address
  – Direction (inbound or outbound)
  – TCP/UDP source and destination port requests
[Figure: First Generation Firewalls]
Second Generation Firewalls
• Called an application-level firewall or proxy server
• A dedicated computer separate from the filtering router (filtering routers can still be implemented behind the proxy server)
• Exposed to the outside world in the DMZ
• Traffic passes through the proxy, which translates the IP address.
• Designed for a specific protocol and cannot easily be reconfigured to protect against attacks on protocols for which they are not designed (primary disadvantage)
[Figure: Second Generation Firewalls]
Third Generation Firewalls
• Called a stateful inspection firewall
• Tracks each network connection established between trusted and untrusted networks
• If it receives an incoming packet that it cannot match in its state table, it defaults to its access control list to determine whether to allow the packet to pass
• Requires additional processing to manage and verify packets against the state table (primary disadvantage)
[Figure: Third Generation Firewalls]
Fourth Generation Firewalls
• Called a context-based access control (CBAC) firewall
• Intelligently filters packets based on application-layer protocol session information and can be used for intranets, extranets and internets
• Configured to permit specified traffic through a firewall only when the connection is initiated from within the network you want to protect
• Without CBAC, traffic filtering is limited to access-list implementations that examine packets at the network layer or, at most, the transport layer
Fourth Generation Firewalls
• Allows support of protocols that involve multiple channels created as a result of negotiations in the control channel.
• Provides the following benefits:
  – Java blocking
  – Denial-of-Service prevention and detection
  – Real-time alerts and audit trails
[Figure: Fourth Generation Firewalls]
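The first-, third- and fourth-generation slides describe three behaviours that build on each other: a stateless access list matched against packet headers, a state table consulted before the access list, and a policy that only admits connections initiated from inside. The following is an added example written for this lesson, not code from the course or from any firewall product. It models all three in one small simulator; the packet fields, rule format, addresses and policy are constructed for illustration, and the same reply packet is run through the stateless filter and the stateful one to show where they differ.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = untrusted -> trusted, "out" = trusted -> untrusted
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "*"
    proto: str = "*"
    src: str = "*"               # "*" or a CIDR block
    dst: str = "*"
    dport: Optional[int] = None  # None = any destination port


def addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("*", pkt.direction)
            and rule.proto in ("*", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def packet_filter(acl: List[Rule], pkt: Packet) -> str:
    """First-generation behaviour: first matching rule wins, default deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Third-generation behaviour: a state table of known connections; the
    ACL is consulted only for packets that match no table entry."""

    def __init__(self, acl: List[Rule]):
        self.acl = acl
        self.state: Set[Tuple] = set()  # 5-tuples of connections already allowed

    def process(self, pkt: Packet) -> Tuple[str, str]:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.state or reply in self.state:
            return "allow", "state table"
        verdict = packet_filter(self.acl, pkt)
        if verdict == "allow":
            # A permitted new connection is recorded so that its reply packets
            # pass without needing an ACL entry of their own. Combined with an
            # ACL that only allows outbound initiation, this is the CBAC rule:
            # return traffic is admitted only for inside-initiated connections.
            self.state.add(flow)
        return verdict, "acl"


# Constructed policy: inside hosts may initiate anything outbound; from the
# outside only HTTP to the DMZ web server is accepted. Documentation addresses.
INSIDE = "192.168.1.0/24"
DMZ_WEB = "203.0.113.10"
ACL = [
    Rule("allow", direction="out", src=INSIDE),
    Rule("allow", direction="in", proto="tcp", dst=DMZ_WEB, dport=80),
]


def demo() -> dict:
    fw = StatefulFirewall(ACL)
    reply = Packet("in", "tcp", "198.51.100.7", 443, "192.168.1.10", 51000)
    return {
        "rdp_from_outside": fw.process(Packet("in", "tcp", "198.51.100.7", 4444, "192.168.1.10", 3389)),
        "http_to_dmz": fw.process(Packet("in", "tcp", "198.51.100.7", 50001, DMZ_WEB, 80)),
        "https_out": fw.process(Packet("out", "tcp", "192.168.1.10", 51000, "198.51.100.7", 443)),
        "https_reply": fw.process(reply),
        # The same reply through a stateless filter: no rule admits it.
        "https_reply_stateless": packet_filter(ACL, reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The stateless filter has no way to admit the HTTPS reply short of a permanent rule allowing inbound packets from port 443 to every inside host, which is exactly the kind of hole the state table removes; the price is the per-packet table lookup the third-generation slide lists as the disadvantage.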
Fifth Generation Firewalls
• Called the kernel proxy, a specialized form that works under the Windows NT Executive (the kernel of Windows NT)
• Evaluates packets at multiple layers of the protocol stack
• Addresses the fact that the general-purpose operating system beneath a conventional firewall is itself another source of vulnerability
• More secure and performs additional security inspections because the OS kernel was specifically designed for the firewall
[Figure: Fifth Generation Firewalls]
RADIUS
• Most common access server for authenticating and authorizing dial-up users of an organization's network
• Comprises three components:
  – An authentication protocol
  – A server (points to the RADIUS authentication database)
  – A client
• Supports a variety of methods to authenticate a user:
  – PPP
  – PAP
  – CHAP
[Figure: RADIUS Authentication]
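The RADIUS slide names the three components (protocol, server, client) and the PAP and CHAP methods without showing what crosses the wire. The following is an added example, not code from the course or from any RADIUS implementation: a client builds an Access-Request, a server checks it against a constructed user database and answers with Access-Accept or Access-Reject, and the client verifies the Response Authenticator. The User-Password hiding and the Response Authenticator follow RFC 2865, and the CHAP response follows RFC 1994; the shared secret, user names and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 2, 3, 60

SHARED_SECRET = b"example-shared-secret"     # constructed client/server secret
USER_DB = {b"alice": b"correct horse"}       # constructed authentication database


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. Reversible by anyone holding the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(Identifier || secret || challenge). The password
    itself never travels; the server recomputes the response to verify it."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(body: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        attrs[t] = body[i + 2:i + l]
        i += l
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body


def response_authenticator(code: int, ident: int, request_auth: bytes, body: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the
    reply came from a party holding the shared secret and binds it to the request."""
    length = (20 + len(body)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + body + SHARED_SECRET).digest()


def pap_request(ident: int, user: bytes, password: bytes) -> bytes:
    ra = os.urandom(16)  # Request Authenticator: random per request
    body = encode_attrs([(ATTR_USER_NAME, user),
                         (ATTR_USER_PASSWORD, hide_password(SHARED_SECRET, ra, password))])
    return build_packet(ACCESS_REQUEST, ident, ra, body)


def chap_request(ident: int, user: bytes, password: bytes, challenge: bytes, chap_id: int = 1) -> bytes:
    body = encode_attrs([(ATTR_USER_NAME, user),
                         (ATTR_CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)),
                         (ATTR_CHAP_CHALLENGE, challenge)])
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), body)


def server_handle(packet: bytes) -> bytes:
    """Minimal server: authenticate by PAP or CHAP, reply Accept or Reject."""
    code, ident, request_auth, attrs = packet[0], packet[1], packet[4:20], decode_attrs(packet[20:])
    ok = False
    user = attrs.get(ATTR_USER_NAME)
    if code == ACCESS_REQUEST and user in USER_DB:
        if ATTR_USER_PASSWORD in attrs:
            ok = hmac.compare_digest(reveal_password(SHARED_SECRET, request_auth, attrs[ATTR_USER_PASSWORD]), USER_DB[user])
        elif ATTR_CHAP_PASSWORD in attrs and ATTR_CHAP_CHALLENGE in attrs:
            chap_id, resp = attrs[ATTR_CHAP_PASSWORD][0], attrs[ATTR_CHAP_PASSWORD][1:]
            ok = hmac.compare_digest(resp, chap_response(chap_id, USER_DB[user], attrs[ATTR_CHAP_CHALLENGE]))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply_code, ident, response_authenticator(reply_code, ident, request_auth, b""), b"")


def client_verify_reply(request: bytes, reply: bytes) -> bool:
    """Reject replies whose identifier or Response Authenticator do not match."""
    expected = response_authenticator(reply[0], reply[1], request[4:20], reply[20:])
    return reply[1] == request[1] and hmac.compare_digest(reply[4:20], expected)
```

Two things the code makes visible that the slide does not: the PAP password is only obscured with a keystream derived from the shared secret, so that secret and the path between client and server carry the whole protection; and the CHAP verification requires the server to hold the cleartext password, which is why a RADIUS database supporting CHAP cannot store only password hashes.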
TACACS Authentication
• Short for Terminal Access Controller Access Control System
• Commonly used in UNIX networks
• Allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network
[Figure: TACACS Services]
Intrusion Detection System (IDS)
• Identifies and tracks packets entering and leaving a monitored network
• Acts as an alarm system notifying you of unusual events or traffic patterns
• Monitors your network and takes automatic predefined action
• Available options when implementing IDS:
  – Host-based IDS
  – Network-based IDS
Host-based Intrusion Detection System (HIDS)
• Installed locally on host machines
• Installed on many different types of machines (servers, workstations and notebook computers)
• Traffic sent to the host is analyzed and passed on to the host only if no potentially malicious packets are found in the transmission
• Host-based installations focus on anomalies on the local machine
• Platform specific
• Both host-based and network-based IDS are required
[Figure: Host-Based Intrusion Detection System (HIDS)]
Network-based Intrusion Detection Systems
• Operates differently from host-based
• Scans network packets, auditing packet information, and logs any suspicious packets into a special log file with extended information
• Scans its own database for known network attack signatures and assigns a severity level to each suspicious packet
• If the severity level is high enough, a warning e-mail or pager call is placed to security team members, who investigate the nature of the anomaly
Network-Based Intrusion Detection Systems
• Known malicious network activity:
  – IP spoofing
  – Denial-of-service attacks
  – ARP cache poisoning
  – DNS name corruption
  – Man-in-the-middle attacks
• Require that the host system's network device be set to promiscuous mode, which allows the device to capture every packet passed on the network
[Figure: Network-Based Intrusion Detection Systems]
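The two NIDS slides above describe the pipeline (match packets against a signature database, assign a severity, log, and alert above a threshold) and list IP spoofing and ARP cache poisoning among the activity to detect. The following is an added example, not code from the course or from any IDS product, that implements that pipeline over constructed packet records: three payload signatures, a spoofing check (an internal source address arriving on the external interface) and an ARP binding check (a sender IP whose MAC differs from the one first learned). Packet fields, signatures, severities, addresses and the alert threshold are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "arp"
    src: str                        # IP source (for ARP: the sender IP)
    dst: str
    payload: bytes = b""
    src_mac: Optional[str] = None   # only populated for ARP


# Constructed signature database: (name, protocol, byte pattern, severity 1-10).
SIGNATURES: List[Tuple[str, str, bytes, int]] = [
    ("HTTP directory traversal", "tcp", b"../../", 6),
    ("SQL tautology in request", "tcp", b"' OR '1'='1", 8),
    ("Long NOP run in payload", "tcp", b"\x90" * 16, 9),
]


class NetworkIDS:
    def __init__(self, internal_net: str, alert_threshold: int = 7):
        self.internal = ipaddress.ip_network(internal_net)
        self.threshold = alert_threshold
        self.arp_table: Dict[str, str] = {}   # sender IP -> first MAC seen
        self.log: List[dict] = []             # every suspicious packet
        self.alerts: List[dict] = []          # those at or above the threshold

    def inspect(self, pkt: Packet, iface: str) -> int:
        """Examine one packet; returns the highest severity found (0 = clean)."""
        findings: List[Tuple[str, int]] = []

        # 1. Signature database.
        for name, proto, pattern, sev in SIGNATURES:
            if pkt.proto == proto and pattern in pkt.payload:
                findings.append((name, sev))

        # 2. IP spoofing: an internal source address cannot legitimately
        #    arrive from the external interface.
        if iface == "external" and ipaddress.ip_address(pkt.src) in self.internal:
            findings.append(("IP spoofing: internal source address from outside", 7))

        # 3. ARP cache poisoning: the IP-to-MAC binding changed after being learned.
        if pkt.proto == "arp" and pkt.src_mac:
            known = self.arp_table.setdefault(pkt.src, pkt.src_mac)
            if known != pkt.src_mac:
                findings.append((f"ARP cache poisoning: {pkt.src} now claims {pkt.src_mac}", 9))

        for name, sev in findings:
            entry = {"packet": pkt, "finding": name, "severity": sev, "iface": iface}
            self.log.append(entry)
            if sev >= self.threshold:
                self.alerts.append(entry)
                self.notify(entry)
        return max((sev for _, sev in findings), default=0)

    def notify(self, entry: dict) -> None:
        # Stand-in for the e-mail or pager call on the slide.
        p = entry["packet"]
        print(f"ALERT severity={entry['severity']} {entry['finding']} {p.src}->{p.dst}")


def demo() -> NetworkIDS:
    """Run a constructed packet sequence through the IDS."""
    ids = NetworkIDS("192.168.1.0/24")
    web = "203.0.113.10"
    ids.inspect(Packet("tcp", "198.51.100.7", web, b"GET /../../etc/passwd HTTP/1.0"), "external")
    ids.inspect(Packet("tcp", "192.168.1.50", web, b"SYN"), "external")
    ids.inspect(Packet("arp", "192.168.1.1", "192.168.1.50", src_mac="aa:bb:cc:00:00:01"), "internal")
    ids.inspect(Packet("arp", "192.168.1.1", "192.168.1.50", src_mac="aa:bb:cc:00:00:01"), "internal")
    ids.inspect(Packet("arp", "192.168.1.1", "192.168.1.50", src_mac="de:ad:be:ef:00:01"), "internal")
    ids.inspect(Packet("tcp", "198.51.100.9", web, b"id=1' OR '1'='1"), "external")
    ids.inspect(Packet("tcp", "198.51.100.9", web, b"GET /index.html HTTP/1.0"), "external")
    return ids


if __name__ == "__main__":
    result = demo()
    print(len(result.log), "suspicious packets logged,", len(result.alerts), "alerts raised")
```

The traversal hit is logged but does not page anyone, the spoofed source and the SQL tautology do, and the ARP check only fires on the third ARP packet, once a binding it previously learned changes. The sensor sees all of this only because, as the slide notes, its interface is in promiscuous mode; everything it does not see it cannot log.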
Port Scanners
• All machines connected to a Local Area Network (LAN) or the Internet run many services that listen at well-known and not-so-well-known ports
• By port scanning, the attacker finds which ports are available (i.e., what service might be listening on a port)
• A port scan consists of sending a message to each port, one at a time
• The kind of response received indicates whether the port is used and can therefore be probed further for weakness
[Figure: Port Scanners]
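The slide defines a port scan as one message per port, one at a time, which gives the defender its signature: one source touching many distinct ports on one host in a short time. The following is an added example, not code from the course or from any scanner or IDS, that detects that pattern in a connection log. The log line format, the sample lines, the one-minute window and the threshold of ten distinct ports are all constructed; a slow scan spread over minutes stays below the window on purpose, to show the detector's limit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed lines are skipped, not fatal
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"]}


class PortScanDetector:
    """Flags a (source, destination) pair once it has contacted at least
    `distinct_port_threshold` different ports within a sliding time window."""

    def __init__(self, window_seconds: int = 60, distinct_port_threshold: int = 10):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = distinct_port_threshold
        self.events: Dict[Tuple[str, str], Deque[Tuple[datetime, int]]] = defaultdict(deque)
        self.flagged: set = set()

    def observe(self, rec: dict) -> Optional[dict]:
        key = (rec["src"], rec["dst"])
        q = self.events[key]
        q.append((rec["ts"], rec["dport"]))
        # Drop events that have aged out of the window (log assumed in time order per pair).
        while q and rec["ts"] - q[0][0] > self.window:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= self.threshold and key not in self.flagged:
            self.flagged.add(key)  # alert once per pair, not once per further probe
            return {"src": rec["src"], "dst": rec["dst"], "at": rec["ts"], "ports": sorted(distinct)}
        return None


def scan_log(lines: List[str]) -> List[dict]:
    det = PortScanDetector()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = det.observe(rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: a fast sweep of 12 ports in 12 seconds, normal
# repeated HTTPS use by an inside host, and a slow sweep at one port every
# five minutes. Addresses are documentation ranges.
SAMPLE_LOG = (
    [f"2024-03-01T10:00:{i:02d}Z src=198.51.100.7 dst=203.0.113.10 dport={21 + i} proto=tcp" for i in range(12)]
    + ["2024-03-01T10:00:05Z src=192.168.1.10 dst=203.0.113.10 dport=443 proto=tcp"] * 3
    + [f"2024-03-01T10:{5 * i:02d}:00Z src=198.51.100.9 dst=203.0.113.10 dport={80 + i} proto=tcp" for i in range(11)]
    + ["this line is not in the expected format"]
)

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"port scan from {a['src']} against {a['dst']} at {a['at']}: ports {a['ports']}")
```

Only the fast sweep is reported, and it is reported once, at the tenth distinct port; the slow sweep never has ten ports inside any one-minute window. Lengthening the window catches slower scans at the cost of more state and more false positives from legitimate multi-port clients, which is the trade-off to tune against real traffic.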
Port Numbers
• Port numbers are not strictly controlled, but over the decades certain ports have become standard for certain services
• Port numbers are unique only within a computer system
• Port numbers are 16-bit unsigned numbers
• Port numbers are divided into three ranges:
  – Well-Known Ports (0 - 1023)
  – Registered Ports (1024 - 49151)
  – Dynamic and/or Private Ports (49152 - 65535)
[Figure: Port Numbers]
Well-Known Ports
• Ports numbered 0 to 1023 are assigned to services by the Internet Assigned Numbers Authority (IANA)
• Sample ports:
  – Echo 7/tcp
  – FTP-data 20/udp
  – FTP-control 21/tcp
  – SSH 22/tcp
  – Telnet 23/tcp
  – DNS 53/udp
  – WWW-HTTP 80/tcp
Vulnerability Scanners
• Capable of scanning networks for very detailed information
• Identify exposed usernames and groups
• Show open network shares
• Expose configuration problems and other vulnerabilities in servers
Packet Sniffers
• Collect copies of packets from the network and analyze them
• Eavesdrop on the network traffic
• Legal uses include:
  – Being on a network that the organization owns
  – Being under direct authorization of the owners of the network
  – Having the knowledge and consent of the content creators (users)
Content Filters
• Allow administrators to restrict accessible content from within a network
• Restrict Web sites with inappropriate content
Honey Pots
• Detect encrypted attacks in IPv6 networks and capture the latest in on-line credit card fraud
• Designed to distract the attacker while notifying the administrator of a possible attack or break-in
• Provide two major security features:
  – Slow down the attacker
  – Provide detection and tracking
Biometrics
• Automatically recognizing a person using distinguishing traits.
• Defined as automated methods of identifying or verifying the identity of a living person based on physiological or behavioral characteristics (http://www.idsysgroup.com/ftp/biometrics_101_ISG.pdf)
Types of Biometrics
• Iris Recognition
• Finger Scan
• Hand Geometry
• Facial Recognition
• Signature Dynamics
• Voice Dynamics
• Retinal Scan
• Vascular Patterns