presentation
Transcription
presentation
Why Security? • • • • • • • • Protect Investment Maintain Service Protect Reputation Protect against Unauthorized Disclosure Insurance Requirement Required by Regulations Lawsuits Regulatory Sanctions Logical Steps of Security • Prevention • Detection • Response Policy • Acceptable use policy 3) No expectation of privacy A requirement for successfully prosecuting those unauthorized users who improperly use a computer is that the computer must have a warning banner displayed at all access points. That banner must warn authorized and unauthorized users: • – – – about what is considered the proper use of the system, that the system is being monitored to detect improper use and other illicit activity, that there is no expectation of privacy while using this system. • If no policy is in place, defaults to Personal Privacy Act (PPA) and 4th Amendment* • Intrusion Response Policy *Always consult your legal staff as regulations differ from state to state Sample Warning Banner This system is for the use of authorized users only. These systems and equipment are subject to monitoring to ensure proper functioning, to protect against improper or unauthorized use or access, and to verify the presence or performance of applicable security features or procedures, and for other like purposes. Such monitoring may result in the acquisition, recording, and analysis of all data being communicated, transmitted, processed or stored in this system by a user. If monitoring reveals evidence of possible criminal activity, such evidence may be provided to law enforcement personnel. Use of this system constitutes consent to such monitoring. Security Provided by IDS • Detect Attacks • More cost-effective to deal with attacks using intrusion detection than other methods • Provide “Forensic Readiness” – Maximizing an environment’s ability to collect credible digital evidence – Minimizing the cost of forensics in an incident response Internet Typical NIDS Deployment Router External subnet Attack Database Stealth Attack Sensor Internet DMZ Internet Firewall Internet DMZ IDS Internal subnet Stealth Internal Subnet IDS Protected DMZ Internal Firewall or Choke Router IDS Database Protected DMZ IDS Configuration Issues • Creating your own signature rules • Signature rule for CodeRed v2: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attemptedadmin; sid: 1257; rev: 1;) • Sample rule for mail about “Project X”: alert tcp $EXTERNAL_NET 25 -> $MAIL_SERVERS 25 (msg: “Project X correspondence"; content:“Project X"; nocase;) • Local rules Sample Local Rules SQL Server 192.168.0.100 TCP 1433 Web Server 192.168.0.200 TCP 80 TCP 443 Ethernet Router Stealth IDS alert alert alert alert alert alert alert tcp tcp udp tcp tcp tcp udp any any any any any any any any any any any any any any <> <> <> <> <> <> <> 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.200 192.168.0.200 192.168.0.200 192.168.0.200 1:1432 1434:65535 any 1:79 81:442 444:65535 any (msg:"UNAUTHORIZED (msg:"UNAUTHORIZED (msg:"UNAUTHORIZED (msg:"UNAUTHORIZED (msg:"UNAUTHORIZED (msg:"UNAUTHORIZED (msg:"UNAUTHORIZED CONNECTION CONNECTION CONNECTION CONNECTION CONNECTION CONNECTION CONNECTION ATTEMPT; flags: ATTEMPT; flags: ATTEMPT;) ATTEMPT; flags: ATTEMPT; flags: ATTEMPT; flags: ATTEMPT;) S;) S;) S;) S;) S;) Host-based IDS (HIDS) • Log Parsers – Windows event log – Unix syslog – Novell logs – Flat files • File Integrity Checkers – MD5 signature – Checks for changes Common Sources of Logs • • • Router (and many network elements) Firewall Host • operating system • application • file: hashing or digital signature • Intrusion detection system (IDS) Output from a Log Parser Sat 02/15/2003 11:55p == == [192.168.36.1] -- 'router.gjf-law.com' (1 entries) == 2/15/2003, 5:54:16 AM, [192.168.36.1] 'router.gjf-law.com' , LOCAL1, INFO, GJFrouter IKE: no matching ph1 profile: sg 192.168.36.140 == == [192.168.36.140] -- 's2.gjf-law.com' (2 entries) == 2/15/2003, 4:15:56 PM, [192.168.36.140] 's2.gjf-law.com' , USER, INFO, Feb 15 16:14:58 bigbrotherclient[info] 0 Stopped Big Brother SNM Client 1.08b 2/15/2003, 4:15:56 PM, [192.168.36.140] 's2.gjf-law.com' , USER, INFO, Feb 15 16:15:04 bigbrotherclient[info] 0 Started Big Brother SNM Client 1.08b == == [192.168.36.145] -- 'm15.gjf-law.com' (3 entries) == 2/15/2003, 8:00:59 PM, [192.168.36.145] 'm15.gjf-law.com' , DAEMON, WARNING, Feb 15 20:00:48 w3svc[warning] 100 The server was unable to logon the Windows NT account 'snort' due to the following error: Logon failure: unknown user name or bad password. The data is the error code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp. 2/15/2003, 8:01:06 PM, [192.168.36.145] 'm15.gjf-law.com' , AUTH/SEC, ALERT, Feb 15 20:00:48 security[failure] 681 The logon to account: snort by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: M15 failed. The error code was: 3221225578 == == [192.168.36.130] -- 's1.gjf-law.com' (7 entries) == 2/15/2003, 11:17:14 AM, [192.168.36.130] 's1.gjf-law.com' , USER, INFO, Feb 15 11:16:34 msexchangeimc[info] 4123 A message passing through the Internet Mail Service has been intentionally dropped. This is most likely an admin notification (message describing mail failure) and out of office notification (OOF), or an automatic reply from a user's mailbox. Dropping of OOF messages and automatic replies is configurable in the admin pages. The gateway must always drop notifications to the administrator, since they often cause mail loops. 2/15/2003, 11:17:14 AM, [192.168.36.130] 's1.gjf-law.com' , USER, ERROR, Feb 15 11:16:35 msexchangeimc[error] 4031 The following message could not be delivered to < updates@madblast.com>. The destination server reported: 550 No such local user From: <> Subject: Undeliverable: Osama In On The Run Again <-- Dubya Is After Him - LOL 2/15/2003, 11:17:14 AM, [192.168.36.130] 's1.gjf-law.com' , USER, WARNING, Feb 15 11:16:35 msexchangeimc[warning] 3004 An NDR could not be sent. This is most likely because the original message had a blank originating address. In most cases this is normal behavior, although it can sometimes indicate a local or remote server configuration problem. If archiving was enabled at the time of failure, you should be able to find the failed message in the file: ..\IMCDATA\IN\ARCHIVE\1XQ5VZNG. 2/15/2003, 11:17:14 AM, [192.168.36.130] 's1.gjf-law.com' , USER, INFO, Feb 15 11:16:37 msexchangeimc[info] 4123 A message passing through the Internet Mail Service has been intentionally dropped. This is most likely an admin notification (message describing mail failure) and out of office notification (OOF), or an automatic reply from a user's mailbox. Dropping of OOF messages and automatic replies is configurable in the admin pages. The gateway must always drop notifications to the administrator, since they often cause mail loops. 2/15/2003, 6:42:24 PM, [192.168.36.130] 's1.gjf-law.com' , USER, INFO, Feb 15 18:41:25 pcanywhere[info] 124 Host Abnormal End Of Session Device Type: TCP/IP Description: Connection lost 2/15/2003, 7:18:06 PM, [192.168.36.130] 's1.gjf-law.com' , USER, ERROR, Feb 15 19:17:09 msexchangeimc[error] 4188 Refused to relay <av2003@mail2000.com.tw> for 211.162.100.144 (211.162.100.144). 2/15/2003, 10:33:48 PM, [192.168.36.130] 's1.gjf-law.com' , USER, INFO, Feb 15 22:33:15 msexchangeimc[info] 4123 A message passing through the Internet Mail Service has been intentionally dropped. This is most likely an admin notification (message describing mail failure) and out of office notification (OOF), or an automatic reply from a user's mailbox. Dropping of OOF messages and automatic replies is configurable in the admin pages. The gateway must always drop notifications to the administrator, since they often cause mail loops. Creating an MD5 Hash C:\md5>md5sum grep.exe 1e7e12b0acdcf85665edebb1f58b6eec *GREP.EXE Output from a File Baseliner S1 Sat 02/01/2003 1:56a iuctl.dll: FAILED iuengine.dll: FAILED wuaueng.dll: FAILED LOCATOR.EXE: FAILED wuauclt.exe: FAILED ========================== S2 Sat 02/01/2003 1:57a iuctl.dll: FAILED iuengine.dll: FAILED wuaueng.dll: FAILED LOCATOR.EXE: FAILED wuauclt.exe: FAILED ========================== M1 Sat 02/01/2003 1:57a iuctl.dll: FAILED iuengine.dll: FAILED wuaueng.dll: FAILED LOCATOR.EXE: FAILED wuauclt.exe: FAILED ========================== M4 Sat 02/01/2003 1:57a iuctl.dll: FAILED iuengine.dll: FAILED wuaueng.dll: FAILED LOCATOR.EXE: FAILED wuauclt.exe: FAILED Time Synchronization War Dialer - Toneloc War Dialer - ToneLoc Toneloc – FOUND.LOG 09-Mar-100 00:34:03 3707 C: CONNECT 9600/ARQ/V32/LAPM/V42BIS 08-Mar-100 20:22:40 3206 C: CONNECT 33600/ARQ/V34/LAPM/V42BIS Welcome to QNX 4.23 Copyright (c) QNX Software Systems Ltd. 1982,1996 login: 08-Mar-100 18:42:32 5244 C: CONNECT 31200/ARQ/V34/LAPM/V42BIS AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996. login: 08-Mar-100 18:48:44 5244 C: CONNECT 2400/ARQ/LAPM/V42BIS UNPUBLISHED WORK. COPYRIGHT GPT LIMITED. ALL RIGHTS RESERVED. iSDX BPFIN6556 40063.01 01.019 5.2.001 0001000 UK 09 26/08/97 B R 175 22/04/98 01:57:04 (CONFIG FAULT) OSL, PLEASE. ? ? ? ? 08-Mar-100 18:50:31 5244 C: CONNECT 14400/ARQ/V32/LAPM/V42BIS . Please press <Enter>... : Wireless Scanner – Net Stumbler Port Scanner - NMAP Interesting ports on (192.168.55.13): (The 65505 ports scanned but not shown below are in state: closed) Port State Service 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 37/tcp open time 79/tcp open finger 111/tcp open sunrpc 512/tcp open exec 513/tcp open login 514/tcp open shell 515/tcp open printer 540/tcp open uucp 1103/tcp open xaudio 4045/tcp open lockd 6000/tcp open X11 6112/tcp open dtspc 7100/tcp open font-service 32771/tcp open sometimes-rpc5 32772/tcp open sometimes-rpc7 32773/tcp open sometimes-rpc9 32774/tcp open sometimes-rpc11 32775/tcp open sometimes-rpc13 32776/tcp open sometimes-rpc15 32777/tcp open sometimes-rpc17 32778/tcp open sometimes-rpc19 32836/tcp open unknown 32859/tcp open unknown TCP Sequence Prediction: Class=random positive increments Difficulty=31131 (Worthy challenge) Sequence numbers: D10BA81D D10C8444 D10E15CE D10E402C D10F49BC D11095F4 Remote OS guesses: Solaris 2.6 - 2.7, Solaris 7 Nmap run completed -- 1 IP address (1 host up) scanned in 77 seconds Port Mapper - FPort FPort v1.33 - TCP/IP Process to Port Mapper Copyright 2000 by Foundstone, Inc. http://www.foundstone.com Pid 1364 956 868 436 8 8 868 1148 1364 1300 8 1896 1856 1748 8 2348 8 1748 1340 1340 1340 544 956 868 956 436 8 8 1252 8 260 1168 868 248 1364 544 Process inetinfo NeTmSvNT named svchost System System named MSTask inetinfo vsmon System hpscnsvr navapw32 trillian System msimn System trillian svchost svchost svchost awhost32 NeTmSvNT named NeTmSvNT svchost System System snmp System lsass SL4NT named services inetinfo awhost32 -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> -> Port 21 37 53 135 139 445 953 1037 1054 1055 1059 1078 1079 1120 1439 1563 1590 3558 4319 4321 4322 5631 37 53 123 135 137 138 161 445 500 514 1027 1056 3456 5632 Proto TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP TCP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP UDP Path C:\WINNT\System32\inetsrv\inetinfo.exe C:\Program Files\NetTime\NeTmSvNT.exe C:\WINNT\System32\dns\bin\named.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\dns\bin\named.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\inetsrv\inetinfo.exe C:\WINNT\system32\ZoneLabs\vsmon.exe C:\SCANJET\PrecisionScanPro\hpscnsvr.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Trillian\trillian.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Trillian\trillian.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\svchost.exe C:\Program Files\Symantec\pcAnywhere\awhost32.exe C:\Program Files\NetTime\NeTmSvNT.exe C:\WINNT\System32\dns\bin\named.exe C:\Program Files\NetTime\NeTmSvNT.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\snmp.exe C:\WINNT\system32\lsass.exe C:\WINNT\SL4NT.EXE C:\WINNT\System32\dns\bin\named.exe C:\WINNT\system32\services.exe C:\WINNT\System32\inetsrv\inetinfo.exe C:\Program Files\Symantec\pcAnywhere\awhost32.exe Port Scanner - Nessus Port Scanner - Nessus Port Scanner - Nessus Protocol Analyzer - Ethereal Protocol Analyzer - Ethereal Personal Firewall – Zone Alarm E-mail Security Software • • • • • • www.spews.org MX RBLS blocker spam filter cloudmark matador PGP (free for non-commercial) Encryption • • • • Router-to-router stunnel Windows IPSec VPN Windows IP Security Policies Clear text = bad / Encryption = good Vendor Tools • • • • HP JetAdmin Compaq Insite Manager APC PowerChute Orinoco AP Manager Security Extras… • Malware – PestPatrol (commercial) • E-mail Automation – Blat194 – Kiwi Syslog Daemon Security Checklists www.nsa.gov Performance Monitoring • Gray area of security • Can be used to detect DoS attacks • Availability as part of AAA Costs • • • • • Hardware purchase Software purchase Software maintenance fees Maintenance costs Training Good Security Books • To be completed Web Links • To be completed ( . 4, . 7 69 + 38 2 38 7 0 05 4 36 4 /1 05 - ., 3 03 2 /1 /0 . - +, ) ' * ' ! " % & " $#