TCP/IP Networks Management
and Security
Presented by:
David M. Litton, CPA, CISA, CGFM
Deputy Director, Audit and Management Services, Virginia Commonwealth University
May 7, 2001
5/7/2001 TCP/IP Networks Management and Security 2
Course Objectives:
• What is a TCP/IP Network?
• Common components of a TCP/IP network
• Network environment: TCP/IP protocol and associated devices functionality
• General network risks
• Specific risks and compensating controls for TCP/IP network devices
• Areas of a TCP/IP Infrastructure Audit
5/7/2001 TCP/IP Networks Management and Security 4
What is a TCP/IP Network?
• Envelope and post office concept
• Ethernet Frames
• Internet Protocol (IP) – Connectionless datagram; tries to send but not sure if it gets there
• Transmission Control Protocol (TCP)
• Alternatives to TCP: UDP and ICMP
• Ports
• Socket (Combination of port# & IP address)
• Connection (pair of sockets for a session)
[Figure: Telnet (also HTTP, SMTP, POP3...) uses a single control and data circuit. The client (ex. Win 98/2000, IP 128.172.2.30) connects from a high random port (ex. port #3003) to port 23 on the host (ex. Unix/Win NT server, IP 128.172.161.139).]
[Figure: FTP uses separate control and data circuits. The client (ex. Win98/2000, IP 128.172.22.9) connects from a high random port (ex. port #2987) to host port 21 for control; a second circuit runs between host port 20 and another high random client port (ex. port #2986) for data.]
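The Telnet and FTP circuits in the figure, as an added example that is not part of the original slides: a Python script parses a constructed netstat-style listing (addresses and ports taken from the figure) into socket pairs, labels each connection by its well-known service port, and pairs the FTP data circuit with its control circuit. The fourth sample line, in TIME_WAIT state, is constructed to show that only established connections count.

```python
# Added example (not from the slides): parse a constructed netstat-style
# listing into socket pairs, label each by its well-known service port,
# and pair an FTP data circuit with its control circuit.
from collections import namedtuple

Conn = namedtuple("Conn", "proto client client_port host host_port service")

# Server ports named on the slide; logins on these travel in clear text.
SERVICES = {23: "telnet", 21: "ftp-control", 20: "ftp-data",
            80: "http", 25: "smtp", 110: "pop3"}

# Constructed sample in "netstat -n" layout: proto, local, foreign, state.
SAMPLE = """\
tcp 128.172.2.30:3003 128.172.161.139:23 ESTABLISHED
tcp 128.172.22.9:2987 128.172.161.139:21 ESTABLISHED
tcp 128.172.22.9:2986 128.172.161.139:20 ESTABLISHED
tcp 128.172.22.9:1055 128.172.161.139:80 TIME_WAIT
"""

def split_socket(text):
    """'ip:port' -> (ip, port): a socket is an IP address plus a port number."""
    ip, _, port = text.rpartition(":")
    return ip, int(port)

def parse_connections(listing):
    """One Conn per ESTABLISHED line, oriented client -> host: the host end is
    the socket on a well-known port, the client end a high random port."""
    conns = []
    for line in listing.splitlines():
        proto, local, foreign, state = line.split()
        if state != "ESTABLISHED":
            continue
        (ip_a, port_a), (ip_b, port_b) = split_socket(local), split_socket(foreign)
        if port_a in SERVICES:  # listing taken on the server side: swap ends
            ip_a, port_a, ip_b, port_b = ip_b, port_b, ip_a, port_a
        conns.append(Conn(proto, ip_a, port_a, ip_b, port_b,
                          SERVICES.get(port_b, "other")))
    return conns

def ftp_sessions(conns):
    """Map each FTP control circuit (client socket) to the client ports of the
    data circuits between host port 20 and the same client (two circuits)."""
    sessions = {}
    for c in conns:
        if c.service == "ftp-control":
            sessions[(c.client, c.client_port)] = [
                d.client_port for d in conns
                if d.service == "ftp-data" and (d.client, d.host) == (c.client, c.host)]
    return sessions
```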
OSI Model and TCP/IP Compared

OSI Reference Model              Examples                        TCP/IP Protocol Stack
(7) Application Layer            FTP, Telnet, HTTP               (4) Application Layer
(6) Presentation Layer
(5) Session Layer
(4) Transport Layer              TCP, UDP                        (3) Transport Layer
(3) Network Layer                IP                              (2) Internet Layer
(2) Data Link Layer              Ethernet, Frame Relay,          (1) Network Interface Layer
    (Logical Link; Media           Token Ring
    Access Control (MAC))
(1) Physical Layer               Twisted Pair, Fiber
Common components of a TCP/IP network
• Cat 5 UTP wiring & fiber optics – layer 1
• Hubs – emphasis layer 1
• Bridges – layer 1 or lower part of layer 2 (MAC)
• Switches – some layer 1 & emphasis layer 2
• Routers – emphasis layer 3 & some layer 4
• Applications/network utilities – layers 5-7: FTP, HTTP, NFS, X-Windows, Telnet…
• Protocol stacks – part of the server/workstation O/S
• Servers – physical and logical contrasted
• Specialized IP servers: DHCP, BOOTP, DNS…
Network Environment: TCP/IP Protocol and Associated Devices Functionality
[Figure: LAN/WAN Protocol Example – workstations, laptops and laser printers on Ethernet (hub) and Token-Ring (MAU) segments connect through routers and firewalls to a WAN (ATM, T-1, ISDN, Frame Relay, SMDS). The same TCP segment is carried as Enet[IP[TCP[Data]]] on Ethernet, TRing[IP[TCP[Data]]] on Token-Ring, and ATM[IP[TCP[Data]]] across the WAN.]
General network risks
• Inconsistently applied back-up procedures for network equipment and servers
• Lack of a test lab and change control procedures
• Intercepting clear text log-on identifiers and passwords
• Staff turn-over
• Use of unauthenticated services on network hosts and pass-through routers
• Lack of spoofing prevention measures
• Use of default passwords on network equipment
• Lack of password change procedures for network equipment
• Poor O/S controls on network devices
General network risks
• Improper access to restricted systems (patient information, financial records, payroll, etc.)
• Release of sensitive information
• Prolonged outages and inconsistent availability
• Lack of documentation
• Non-compartmentalized traffic
• Trojan Horses
• Lack of expertise, training, and cross-training
• Lack of restoration plans or spare parts
• Ineffective procedures
• Masquerading as another individual
• Spying, Sabotage
• Risk from easy-to-use freeware utilities
• Stolen Passwords
Specific risks and compensating controls for TCP/IP network devices
Router Risks and Controls
Risk: Inappropriate addresses or dangerous protocols accessing hosts/servers
Control: Access Control Lists – filter through the router
Risk: Inappropriate addresses conducting router maintenance
Control: ACLs to restrict which IP addresses may reach the router
Risk: Unauthenticated or trusted services used for maintenance
Control: Turn off these services in the router configuration; use services with stronger authentication
Router Risks and Controls
Risk: Damaged router/network device configuration
Control: Create backups of the configuration file; store on the network, in hard copy, and as a “secret” backup
Risk: Failed upgrades or changes
Control: Development and maintenance controls & “back-out” plans
Risk: Not capturing network events
Control: Turn on logging and secure the host that the logs are streaming to
Router Risks and Controls
Risk: Default passwords and clear text passwords transmitted over the network
Control: Change passwords periodically, with timeouts
Risk: No console passwords
Control: Add passwords with timeouts
Risk: Community strings = PUBLIC, PRIVATE, and passed over the network in clear text
Control: Change community strings and use encrypted SNMP
Router Risks and Controls: Methods of Accessing Routers
• Console
• TFTP
• Telnet
• TACACS
• MOP (Maintenance Operation Protocol by DEC, for Cisco routers)
• SNMP
• R-Shell
• R-Copy
• FTP
• HTTP
• More being added; check manufacturer documentation
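Several of the router controls on the slides above (logging to a host, no default or clear text enable password, changed community strings, unauthenticated maintenance services turned off, console and vty passwords with timeouts, ACLs on who may reach the router) can be checked against a saved configuration. The following Python script is an added example, not from the presentation: it reads a constructed Cisco IOS-style configuration (the IOS command names are real; the configuration text and the check names are assumptions of this example) and reports each weak setting.

```python
# Added example (not from the slides): audit a constructed Cisco IOS-style
# router configuration for the risks on the router slides. The IOS command
# names are real; the config below is constructed and the checks are ours.
import re

SAMPLE_CONFIG = """\
enable password cisco
ip http server
snmp-server community public RO
line con 0
line vty 0 4
 password letmein
 login
 exec-timeout 10 0
"""

def parse_config(text):  # global commands + 'line ...' blocks (indented)
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, blocks

def audit_router(text):  # one finding per weak setting; [] means clean
    g, blocks = parse_config(text)
    has = lambda prefix: any(l.startswith(prefix) for l in g)
    findings = []
    if not any(re.match(r"logging (host )?\d", l) for l in g):
        findings.append("no logging host: network events are not captured")
    if has("enable password") and not has("enable secret"):
        findings.append("enable password is reversible; use enable secret")
    for l in g:
        m = re.match(r"snmp-server community (\S+)", l)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community string '{m.group(1)}'")
    for svc in ("ip http server", "ip rcmd rsh-enable", "tftp-server"):
        if has(svc):
            findings.append(f"unauthenticated maintenance service on: {svc}")
    for name, cmds in blocks.items():  # console and virtual terminal lines
        need = ["password", "exec-timeout"] + (["access-class"] if "vty" in name else [])
        for req in need:
            if not any(c.startswith(req) for c in cmds):
                findings.append(f"{name}: missing {req}")
    return findings
```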
Domain Name Service: Risks and Controls
Risk: Allowing zone file transfers to unauthorized clients provides MX and HINFO records
Control: Use router filters for TCP port 53 (DNS) or control which servers receive DNS zone files
Risk: Updates require time to propagate, usually 24 hours
Control: Use strong change control procedures – management review
Risk: Providing information about internal devices one at a time
Control: Configure external name servers to provide information on Internet-connected machines
Risk: Whois command – Whois returns the DNS IP addresses plus sensitive information
Network Address Translation
Risk: Static translation does not hide the device from the Internet
Control: Port translation is needed to get the full security benefit
Risk: Reduced router performance; can interfere with authentication schemes that verify the integrity of the entire packet
Control: Must weigh these costs when reviewing NAT
[Figure: TCP/IP Environment Example – internal hosts 10.xxx.xxx.001 through 10.xxx.xxx.004 on a hub behind a NAT router and a DHCP server, connected to the Internet; primary and secondary DNS servers are also shown.]
Wiring/Hubs: Risks and Controls
Risk: Inability to track wiring problems
Control: Diagrams, labeling
Risk: Sniffing equipment, theft, inappropriate access to equipment
Control: Secure wiring concentrations (closets)
Risk: No redundant paths for backbone/WAN connections
Control: Redundant layer 1 path
Risk: Power surges
Control: Surge protectors or UPSs
Risk: Heat and water damage
Control: Design of locations that house equipment
Additional Server Risks and Controls
Risk: Legitimate network access can cause security problems. Examples: Sun Telnet hack, Microsoft IIS hacks
Control: Install up-to-date patches; back up OS, applications & database; password controls, file permissions, restricted privileges, logging; disable unnecessary services
Risk: Differences in server configurations
Control: Use consistent setup checklists and/or scripts for servers and user profiles
Dangerous Services to be Restricted

Service                    Protocol/Port
Zone transfers             UDP & TCP 53
Link                       TCP 87
LPD                        TCP 515
BOOTP                      UDP 67
RPC                        TCP & UDP 111
NFS                        UDP 2049
TFTP                       UDP 69
SNMP                       UDP 161, 162
X-Windows                  TCP 6000+
Finger                     UDP 79
Berkeley R-Commands        TCP 512-514
Windows Sharing            TCP 135-139, 445
Chargen, Discard, Echo     TCP/UDP 19, 9, 7

Block ICMP redirects from outside the network
* Block internal addresses arriving from outside the network
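The service table above, as an added example not from the slides: a Python policy evaluator that encodes the restricted services and the two filter rules (ICMP redirects, internal addresses from outside) and returns a permit/deny verdict for a packet arriving from outside. The internal address range, the primary DNS server, the authorized zone-transfer peer and the X-Windows port range (64 displays for "6000+") are assumptions of this example.

```python
# Added example (not from the slides): evaluate packets arriving from the
# outside against the slide's list of services to restrict. The addresses,
# the zone-transfer peer and the X-Windows port range are assumptions.
import ipaddress

# Service table from the slide: name -> (protocols, destination ports)
RESTRICTED = {
    "zone transfers": ({"tcp", "udp"}, {53}),
    "link": ({"tcp"}, {87}),
    "lpd": ({"tcp"}, {515}),
    "bootp": ({"udp"}, {67}),
    "rpc": ({"tcp", "udp"}, {111}),
    "nfs": ({"udp"}, {2049}),
    "tftp": ({"udp"}, {69}),
    "snmp": ({"udp"}, {161, 162}),
    "x-windows": ({"tcp"}, set(range(6000, 6064))),  # "6000+": 64 displays assumed
    "finger": ({"udp"}, {79}),
    "berkeley r-commands": ({"tcp"}, {512, 513, 514}),
    "windows sharing": ({"tcp"}, set(range(135, 140)) | {445}),
    "chargen/discard/echo": ({"tcp", "udp"}, {19, 9, 7}),
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")            # range used in the NAT diagram
PRIMARY_DNS = ipaddress.ip_address("10.0.0.53")          # assumed internal name server
ZONE_TRANSFER_PEER = ipaddress.ip_address("192.0.2.53")  # assumed authorized secondary

def evaluate(proto, src, dst, dport=None, icmp_type=None):
    """Verdict for one packet arriving from outside: ('permit'|'deny', reason)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in INTERNAL:  # spoofing: an internal address cannot arrive from outside
        return "deny", "internal source address arriving from outside the network"
    if proto == "icmp":
        if icmp_type == 5:  # ICMP redirect
            return "deny", "ICMP redirect from outside the network"
        return "permit", "icmp"
    for name, (protos, ports) in RESTRICTED.items():
        if proto in protos and dport in ports:
            if (name == "zone transfers" and proto == "tcp"
                    and src_ip == ZONE_TRANSFER_PEER and dst_ip == PRIMARY_DNS):
                return "permit", "zone transfer from the authorized secondary"
            return "deny", f"restricted service: {name} ({proto}/{dport})"
    return "permit", "not on the restricted list"
```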
Workstation Risks and Controls
Risk: Trojan Horses: key capture, sniffers, remote control
Control: BOClean, up-to-date virus software (for detection)
Risk: Viruses
Control: Virus software up to date
Risk: Modem line exposures
Control: Policy, inventory, standardization, dial-in servers, unique IDs & complex passwords, wardial company numbers
Encryption
• Examine encryption practices
• Determine where the traffic is the most exposed – going out on the Internet, between business partners…
• Look for controls like compartmentalization & VLANs to reduce internal exposure
• Use encrypted methods like SNMP V.2 and CHAP V.2 to communicate with network devices
• Consider testing encryption controls with a sniffer
Sniffed PPP Connection in Clear Text
[Figure: sniffer capture of a PPP connection in clear text]
Areas of a TCP/IP Infrastructure Audit: Why Examine Network Infrastructure
• Rarely examined
• Large investment
• Basis for most technology - the “common denominator”
• Connects to the World
• Lost Revenue on E-Commerce
• Susceptible to Denial of Service Attacks
Areas of a TCP/IP Infrastructure Audit: Recommended Objectives
• Continuity (consistent reliability and availability of the system – back-up and ability to recover)
• Management and Maintenance (additions, change procedures, upgrades, and documentation)
• Security (appropriate physical and logical access to network devices and hosts)
Auditing TCP/IP Infrastructure
• Review network policies and procedures
• Review network diagrams (layer 1 & 2), design, and walk-through; list of network equipment and IP address list
• Verify diagrams with Ping and Trace Route
• Review utilization, trouble reports & helpdesk procedures
• Probe systems (Netscan tools and Portscanner)
• Interview network vendors, users, and network technicians
• Review software settings on network equipment
• Inspect computer room and network locations
• Evaluate back-up and operational procedures
Conclusion
• Identify the paths and equipment used to navigate the network
• Identify TCP/IP infrastructure areas of concern
• Break into manageable pieces
• Every network is different and the components and risks must be fully understood
• Identify risks and prioritize
• Dedicate more upfront planning
• RELAX !! It’s not that bad !
Additional Information
• Presentation located online at URL:
http://www.vcu.edu/iaweb/iam_welc.html
• Contact information:
(804) 828-9248