I. Security Fundamentals

a. Why Needed?

i. A closed network allows no connection to a public network; although security is still an issue due to a majority of attacks coming from inside networks today

ii. Open networks - these are very common and feature multiple connections to public networks - now two major threats - inside and outside

iii. The sophistication of tools for compromising security have increased and the knowledge required to use them has decreased

iv. E-business and more open networks increase the challenges

v. New laws require security - growing levels of terrorist and criminal activities

vi. Information Assurance - availability and protection of information - organizations can classify information and decide on access levels and levels of protection; a typical diagram would show what types of information are going to be accessible to the public, versus what types of information will be available to all employees versus what types of information will be available to specific groups

vii. Organizations should define threats in three terms:

1. Adversaries - terrorists, disgruntled employees, competitors

2. Motivations - DOS, theft, challenges , etc

3. Classes of attacks

a. Passive - these attacks include monitoring of communications and passwords

b. Active - these attacks attempt to steal or modify information, or introduce malicious code

c. Close-in - regular individuals gaining close physical proximity to networks or systems for the purpose of gaining information

d. Insider - attacks from internal employees can be malicious or non-malicious in nature

e. Distribution - the malicious modification of hardware or software at the factory or during distribution

viii. Defense-in-depth strategy to information assurance requires a balanced focus on People, Technology, and Operations

1. People - Training and awareness, physical security, personnel security, policies and procedures

2. Technology - use of evaluated products and solutions, use of a layered defense strategy

3. Operations - enforcement of security policies, quick response and restoration of critical service disruptions

ix. Defense-in-Depth recommends:

1. Defense in multiple areas

2. Layered defenses

3. Use of robust equipment

4. Robust key management

5. Deployment of IDS and IPS

x. Corporations should consider the Security Wheel - a continuous process of:

1. Secure - authentication, encryption, firewalls, vulnerability patching

2. Monitor - detect violations, auditing

3. Test - vulnerability scanning, auditing

4. Improve - adjust the policy as issues are found

xi. Companies should consider the use of:

1. Security policy

2. Security architecture

3. Security technologies

b. Network Attack Mitigation Techniques

i. Before you begin - recognize the low risk devices from the high risk devices

ii. Physical Installation Threats

1. Hardware Threat Mitigation - lock up equipment and prevent physical access; monitor entry with logs; use security cameras

2. Environmental Threat Mitigation - temperature and humidity controls; positive air flow; remove electrostatic and magnetic issues; remotely monitor and alarm

3. Electrical Threat Mitigation - UPS; backup generator; test UPS/generator regularly; redundant power supplies; monitors and alarms

4. Maintenance-related Threat Mitigation - cable labels; neat cable runs; electrostatic discharge procedures; replacement stock; disconnect console ports; do not rely on locked room alone

iii. Reconnaissance Attacks and Mitigation

1. Packet sniffers

a. Authentication

b. Switched Infrastructure

c. Antisniffer tools

d. Cryptography - the best method

2. Port Scans and Ping Sweeps

a. IPS at the network and host levels

3. Internet Information Queries

iv. Access Attacks

1. Password Attacks

a. No same password across systems

b. Disable accounts after incorrect guesses

c. No plain text passwords

d. Strong passwords

2. Trust Exploitation

a. Systems inside the firewall should never assume absolute trust of systems outside the firewall

3. Port Redirection

a. Attacker uses host to get traffic through a firewall that would normally be dropped

b. Host based intrusion prevention and proper trust models

4. Buffer Overflow

a. IPS and IDS

b. Stack smashing protection

c. Executable space protection

d. Safe libraries

v. Spoofing Attacks

1. IP Spoofing

a. Blind - calculates sequence numbers

b. Nonblind - sniffs information

c. Mitigate - ACLS, Encryption, Authentication

2. Man-in-the-Middle

a. Encryption

vi. DoS

1. SYN Flooding

2. ACLS, Antivirus, Anti-DoS features, traffic rate limiting

vii. Worm, Virus, Trojan Horse

1. Containment, Inoculation, Quarantine, Treatment

2. Antivirus, Keep up to Date

viii. Application Layer

1. Log files, mailing lists, latest patches, IDS/IPS

ix. Management Protocols

1. Do not use Telnet

a. SSH

b. ACLs for Telnet

c. RFC 3704 filtering

2. SNMP

a. Version 3

b. ACLs

c. Read only

3. Logging

a. Encrypt

b. RFC 3704 filtering

c. Access control

4. TFTP

a. Encrypt

5. NTP

a. Private master clock

b. NTP v 3

c. ACLs and authentication

x. Determining Vulnerabilities

1. GNU Netcat

2. Blues Port Scan

3. Ethereal

4. MBSA