presentation

Transcription

presentation
Why Security?
•
•
•
•
•
•
•
•
Protect Investment
Maintain Service
Protect Reputation
Protect against Unauthorized Disclosure
Insurance Requirement
Required by Regulations
Lawsuits
Regulatory Sanctions
Logical Steps of Security
• Prevention
• Detection
• Response
Policy
•
Acceptable use policy
3)
No expectation of privacy
A requirement for successfully prosecuting those unauthorized users who
improperly use a computer is that the computer must have a warning banner
displayed at all access points. That banner must warn authorized and
unauthorized users:
•
–
–
–
about what is considered the proper use of the system,
that the system is being monitored to detect improper use and other illicit activity,
that there is no expectation of privacy while using this system.
•
If no policy is in place, defaults to Personal Privacy Act (PPA) and 4th
Amendment*
•
Intrusion Response Policy
*Always consult your legal staff as regulations differ from state to state
Sample Warning Banner
This system is for the use of authorized users only. These systems and equipment are
subject to monitoring to ensure proper functioning, to protect against improper or
unauthorized use or access, and to verify the presence or performance of applicable
security features or procedures, and for other like purposes. Such monitoring may
result in the acquisition, recording, and analysis of all data being communicated,
transmitted, processed or stored in this system by a user. If monitoring reveals
evidence of possible criminal activity, such evidence may be provided to law
enforcement personnel. Use of this system constitutes consent to such monitoring.
Security Provided by IDS
• Detect Attacks
• More cost-effective to deal with attacks using
intrusion detection than other methods
• Provide “Forensic Readiness”
– Maximizing an environment’s ability to collect credible
digital evidence
– Minimizing the cost of forensics in an incident
response
Internet
Typical NIDS
Deployment
Router
External subnet
Attack Database
Stealth
Attack Sensor
Internet DMZ
Internet Firewall
Internet DMZ
IDS
Internal subnet
Stealth
Internal Subnet
IDS
Protected DMZ
Internal Firewall
or
Choke Router
IDS Database
Protected DMZ
IDS
Configuration Issues
• Creating your own signature rules
•
Signature rule for CodeRed v2:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe
access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attemptedadmin; sid: 1257; rev: 1;)
•
Sample rule for mail about “Project X”:
alert tcp $EXTERNAL_NET 25 -> $MAIL_SERVERS 25 (msg: “Project X correspondence";
content:“Project X"; nocase;)
• Local rules
Sample Local Rules
SQL Server
192.168.0.100
TCP 1433
Web Server
192.168.0.200
TCP 80
TCP 443
Ethernet
Router
Stealth
IDS
alert
alert
alert
alert
alert
alert
alert
tcp
tcp
udp
tcp
tcp
tcp
udp
any
any
any
any
any
any
any
any
any
any
any
any
any
any
<>
<>
<>
<>
<>
<>
<>
192.168.0.100
192.168.0.100
192.168.0.100
192.168.0.200
192.168.0.200
192.168.0.200
192.168.0.200
1:1432
1434:65535
any
1:79
81:442
444:65535
any
(msg:"UNAUTHORIZED
(msg:"UNAUTHORIZED
(msg:"UNAUTHORIZED
(msg:"UNAUTHORIZED
(msg:"UNAUTHORIZED
(msg:"UNAUTHORIZED
(msg:"UNAUTHORIZED
CONNECTION
CONNECTION
CONNECTION
CONNECTION
CONNECTION
CONNECTION
CONNECTION
ATTEMPT; flags:
ATTEMPT; flags:
ATTEMPT;)
ATTEMPT; flags:
ATTEMPT; flags:
ATTEMPT; flags:
ATTEMPT;)
S;)
S;)
S;)
S;)
S;)
Host-based IDS (HIDS)
• Log Parsers
– Windows event log
– Unix syslog
– Novell logs
– Flat files
• File Integrity Checkers
– MD5 signature
– Checks for changes
Common Sources of Logs
•
•
•
Router (and many network elements)
Firewall
Host
• operating system
• application
• file: hashing or digital signature
•
Intrusion detection system (IDS)
Output from a Log Parser
Sat 02/15/2003
11:55p
==
== [192.168.36.1] -- 'router.gjf-law.com' (1 entries)
==
2/15/2003, 5:54:16 AM, [192.168.36.1] 'router.gjf-law.com' , LOCAL1, INFO, GJFrouter IKE: no matching ph1 profile: sg 192.168.36.140
==
== [192.168.36.140] -- 's2.gjf-law.com' (2 entries)
==
2/15/2003, 4:15:56 PM, [192.168.36.140] 's2.gjf-law.com' , USER, INFO, Feb 15 16:14:58 bigbrotherclient[info] 0 Stopped Big Brother SNM Client 1.08b
2/15/2003, 4:15:56 PM, [192.168.36.140] 's2.gjf-law.com' , USER, INFO, Feb 15 16:15:04 bigbrotherclient[info] 0 Started Big Brother SNM Client 1.08b
==
== [192.168.36.145] -- 'm15.gjf-law.com' (3 entries)
==
2/15/2003, 8:00:59 PM, [192.168.36.145] 'm15.gjf-law.com' , DAEMON, WARNING, Feb 15 20:00:48 w3svc[warning] 100 The server was unable to logon the Windows NT account 'snort' due
to the following error: Logon failure: unknown user name or bad password. The data is the error code. For additional information specific to this message please visit the Microsoft Online
Support site located at: http://www.microsoft.com/contentredirect.asp.
2/15/2003, 8:01:06 PM, [192.168.36.145] 'm15.gjf-law.com' , AUTH/SEC, ALERT, Feb 15 20:00:48 security[failure] 681 The logon to account: snort by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: M15 failed. The error code was: 3221225578
==
== [192.168.36.130] -- 's1.gjf-law.com' (7 entries)
==
2/15/2003, 11:17:14 AM, [192.168.36.130] 's1.gjf-law.com' , USER, INFO, Feb 15 11:16:34 msexchangeimc[info] 4123 A message passing through the Internet Mail Service has been
intentionally dropped. This is most likely an admin notification (message describing mail failure) and out of office notification (OOF), or an automatic reply from a user's mailbox. Dropping of
OOF messages and automatic replies is configurable in the admin pages. The gateway must always drop notifications to the administrator, since they often cause mail loops.
2/15/2003, 11:17:14 AM, [192.168.36.130] 's1.gjf-law.com' , USER, ERROR, Feb 15 11:16:35 msexchangeimc[error] 4031 The following message could not be delivered to <
updates@madblast.com>. The destination server reported: 550 No such local user From: <> Subject: Undeliverable: Osama In On The Run Again <-- Dubya Is After Him - LOL
2/15/2003, 11:17:14 AM, [192.168.36.130] 's1.gjf-law.com' , USER, WARNING, Feb 15 11:16:35 msexchangeimc[warning] 3004 An NDR could not be sent. This is most likely because the
original message had a blank originating address. In most cases this is normal behavior, although it can sometimes indicate a local or remote server configuration problem. If archiving was
enabled at the time of failure, you should be able to find the failed message in the file: ..\IMCDATA\IN\ARCHIVE\1XQ5VZNG.
2/15/2003, 11:17:14 AM, [192.168.36.130] 's1.gjf-law.com' , USER, INFO, Feb 15 11:16:37 msexchangeimc[info] 4123 A message passing through the Internet Mail Service has been
intentionally dropped. This is most likely an admin notification (message describing mail failure) and out of office notification (OOF), or an automatic reply from a user's mailbox. Dropping of
OOF messages and automatic replies is configurable in the admin pages. The gateway must always drop notifications to the administrator, since they often cause mail loops.
2/15/2003, 6:42:24 PM, [192.168.36.130] 's1.gjf-law.com' , USER, INFO, Feb 15 18:41:25 pcanywhere[info] 124 Host Abnormal End Of Session Device Type: TCP/IP Description: Connection
lost
2/15/2003, 7:18:06 PM, [192.168.36.130] 's1.gjf-law.com' , USER, ERROR, Feb 15 19:17:09 msexchangeimc[error] 4188 Refused to relay <av2003@mail2000.com.tw> for 211.162.100.144
(211.162.100.144).
2/15/2003, 10:33:48 PM, [192.168.36.130] 's1.gjf-law.com' , USER, INFO, Feb 15 22:33:15 msexchangeimc[info] 4123 A message passing through the Internet Mail Service has been
intentionally dropped. This is most likely an admin notification (message describing mail failure) and out of office notification (OOF), or an automatic reply from a user's mailbox. Dropping of
OOF messages and automatic replies is configurable in the admin pages. The gateway must always drop notifications to the administrator, since they often cause mail loops.
Creating an MD5 Hash
C:\md5>md5sum grep.exe
1e7e12b0acdcf85665edebb1f58b6eec *GREP.EXE
Output from a File Baseliner
S1
Sat 02/01/2003
1:56a
iuctl.dll: FAILED
iuengine.dll: FAILED
wuaueng.dll: FAILED
LOCATOR.EXE: FAILED
wuauclt.exe: FAILED
==========================
S2
Sat 02/01/2003
1:57a
iuctl.dll: FAILED
iuengine.dll: FAILED
wuaueng.dll: FAILED
LOCATOR.EXE: FAILED
wuauclt.exe: FAILED
==========================
M1
Sat 02/01/2003
1:57a
iuctl.dll: FAILED
iuengine.dll: FAILED
wuaueng.dll: FAILED
LOCATOR.EXE: FAILED
wuauclt.exe: FAILED
==========================
M4
Sat 02/01/2003
1:57a
iuctl.dll: FAILED
iuengine.dll: FAILED
wuaueng.dll: FAILED
LOCATOR.EXE: FAILED
wuauclt.exe: FAILED
Time Synchronization
War Dialer - Toneloc
War Dialer - ToneLoc
Toneloc – FOUND.LOG
09-Mar-100 00:34:03 3707 C: CONNECT 9600/ARQ/V32/LAPM/V42BIS
08-Mar-100 20:22:40 3206 C: CONNECT 33600/ARQ/V34/LAPM/V42BIS
Welcome to QNX 4.23
Copyright (c) QNX Software Systems Ltd. 1982,1996
login:
08-Mar-100 18:42:32 5244 C: CONNECT 31200/ARQ/V34/LAPM/V42BIS
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996.
login:
08-Mar-100 18:48:44 5244 C: CONNECT 2400/ARQ/LAPM/V42BIS
UNPUBLISHED WORK. COPYRIGHT GPT LIMITED.
ALL RIGHTS RESERVED.
iSDX BPFIN6556
40063.01 01.019
5.2.001 0001000 UK 09 26/08/97 B R 175
22/04/98 01:57:04
(CONFIG FAULT)
OSL, PLEASE.
?
?
?
?
08-Mar-100 18:50:31 5244 C: CONNECT 14400/ARQ/V32/LAPM/V42BIS
. Please press <Enter>...
:
Wireless Scanner – Net Stumbler
Port Scanner - NMAP
Interesting ports on (192.168.55.13):
(The 65505 ports scanned but not shown below are in state: closed)
Port
State
Service
7/tcp
open
echo
9/tcp
open
discard
13/tcp
open
daytime
19/tcp
open
chargen
21/tcp
open
ftp
23/tcp
open
telnet
25/tcp
open
smtp
37/tcp
open
time
79/tcp
open
finger
111/tcp
open
sunrpc
512/tcp
open
exec
513/tcp
open
login
514/tcp
open
shell
515/tcp
open
printer
540/tcp
open
uucp
1103/tcp
open
xaudio
4045/tcp
open
lockd
6000/tcp
open
X11
6112/tcp
open
dtspc
7100/tcp
open
font-service
32771/tcp open
sometimes-rpc5
32772/tcp open
sometimes-rpc7
32773/tcp open
sometimes-rpc9
32774/tcp open
sometimes-rpc11
32775/tcp open
sometimes-rpc13
32776/tcp open
sometimes-rpc15
32777/tcp open
sometimes-rpc17
32778/tcp open
sometimes-rpc19
32836/tcp open
unknown
32859/tcp open
unknown
TCP Sequence Prediction: Class=random positive increments
Difficulty=31131 (Worthy challenge)
Sequence numbers: D10BA81D D10C8444 D10E15CE D10E402C D10F49BC D11095F4
Remote OS guesses: Solaris 2.6 - 2.7, Solaris 7
Nmap run completed -- 1 IP address (1 host up) scanned in 77 seconds
Port Mapper - FPort
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid
1364
956
868
436
8
8
868
1148
1364
1300
8
1896
1856
1748
8
2348
8
1748
1340
1340
1340
544
956
868
956
436
8
8
1252
8
260
1168
868
248
1364
544
Process
inetinfo
NeTmSvNT
named
svchost
System
System
named
MSTask
inetinfo
vsmon
System
hpscnsvr
navapw32
trillian
System
msimn
System
trillian
svchost
svchost
svchost
awhost32
NeTmSvNT
named
NeTmSvNT
svchost
System
System
snmp
System
lsass
SL4NT
named
services
inetinfo
awhost32
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
Port
21
37
53
135
139
445
953
1037
1054
1055
1059
1078
1079
1120
1439
1563
1590
3558
4319
4321
4322
5631
37
53
123
135
137
138
161
445
500
514
1027
1056
3456
5632
Proto
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
UDP
Path
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\dns\bin\named.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns\bin\named.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\SCANJET\PrecisionScanPro\hpscnsvr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trillian\trillian.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\dns\bin\named.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\SL4NT.EXE
C:\WINNT\System32\dns\bin\named.exe
C:\WINNT\system32\services.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
Port Scanner - Nessus
Port Scanner - Nessus
Port Scanner - Nessus
Protocol Analyzer - Ethereal
Protocol Analyzer - Ethereal
Personal Firewall – Zone Alarm
E-mail Security Software
•
•
•
•
•
•
www.spews.org
MX RBLS blocker
spam filter
cloudmark
matador
PGP (free for non-commercial)
Encryption
•
•
•
•
Router-to-router
stunnel
Windows IPSec VPN
Windows IP Security Policies
Clear text = bad / Encryption = good
Vendor Tools
•
•
•
•
HP JetAdmin
Compaq Insite Manager
APC PowerChute
Orinoco AP Manager
Security Extras…
• Malware
– PestPatrol (commercial)
• E-mail Automation
– Blat194
– Kiwi Syslog Daemon
Security Checklists
www.nsa.gov
Performance Monitoring
• Gray area of security
• Can be used to detect DoS attacks
• Availability as part of AAA
Costs
•
•
•
•
•
Hardware purchase
Software purchase
Software maintenance fees
Maintenance costs
Training
Good Security Books
• To be completed
Web Links
• To be completed
(
.
4,
.
7
69
+
38
2
38
7
0
05 4
36 4
/1
05
- .,
3
03 2
/1
/0 .
- +,
) '
*
'
!
"
%
&
"
$#