Security and Privacy in a Networked World/Technology: A mighty knight with no pants

Source: KakuWiki

Mitnick: Technology, training, procedures

Introduction

The metaphor used in the title is unfortunately valid for many places - some (more visible) parts could be well-protected, while others that are not so visible are in deep neglect.

...

Tools

Firewalls

The Firewall FAQ defines a firewall as "a system or group of systems that enforces an access control policy between two or more networks". Essentially, it has two main methods of access control:

  • blocking - stopping traffic that is deemed unwanted - e.g. coming from suspicious addresses (an example: some admins block everything coming from Nigeria).
  • permitting - guaranteeing safe passage for known good traffic - e.g. local servers or universally-used services.

Both methods are typically defined as rules. An example of two rules from the Linux iptables firewall: the first one allows traffic to port 22 (SSH), the second one forbids all traffic.

iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP

Note: iptables evaluates the rules of a chain in order and the first matching rule decides, so using both rules in this order means that only SSH is allowed (i.e. the latter "forbid all" rule does not invalidate the preceding "allow this" rule). Placing the "forbid all" rule first would block SSH as well.

While early packet filter firewalls just inspected single packets (without considering their "neighbours"), newer ones also analyze series of packets and keep track of connections (stateful firewalls). Recent application layer firewalls are also able to recognize certain applications and protocols and judge the behaviour of packets accordingly.
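The rule-ordering note and the stateless/stateful distinction above can be made concrete with a toy packet filter. The following is an added illustration written for this page, not code from the KakuWiki article and not iptables itself; the INPUT chain is evaluated with first-match semantics, a direction-agnostic connection table supplies the NEW/ESTABLISHED state, the OUTPUT chain is assumed to be permissive, and all addresses, ports and packets are constructed.

```python
"""Toy stateful packet filter: an ordered INPUT chain with first-match
semantics plus a connection table for the ESTABLISHED state.  Added
illustration, not iptables; every packet, rule and address is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "ACCEPT" or "DROP"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    state: Optional[str] = None    # None, "NEW" or "ESTABLISHED"

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.state is None or self.state == state))


FlowKey = Tuple[str, frozenset]


def flow_key(pkt: Packet) -> FlowKey:
    # Direction-agnostic key, so a reply belongs to the same flow as its request.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class Firewall:
    def __init__(self, input_chain: List[Rule], policy: str = "DROP"):
        self.input_chain = list(input_chain)
        self.policy = policy               # verdict when no rule matches
        self.conntrack: Set[FlowKey] = set()

    def outbound(self, pkt: Packet) -> str:
        # Assumption: the OUTPUT chain is permissive and only records the flow.
        self.conntrack.add(flow_key(pkt))
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        state = "ESTABLISHED" if flow_key(pkt) in self.conntrack else "NEW"
        for rule in self.input_chain:      # first match wins, as in an iptables chain
            if rule.matches(pkt, state):
                verdict = rule.action
                break
        else:
            verdict = self.policy
        if verdict == "ACCEPT":
            self.conntrack.add(flow_key(pkt))
        return verdict


# The two rules from the page, in the order given: allow SSH, then drop the rest.
ALLOW_SSH_THEN_DROP = [Rule("ACCEPT", proto="tcp", dport=22), Rule("DROP")]
# The same rules reversed: the DROP matches everything first, so SSH never gets through.
DROP_THEN_ALLOW_SSH = [Rule("DROP"), Rule("ACCEPT", proto="tcp", dport=22)]
# Stateful variant: accept replies to connections this host opened, then SSH, then drop.
STATEFUL = [Rule("ACCEPT", state="ESTABLISHED")] + ALLOW_SSH_THEN_DROP


def demo() -> dict:
    """Run constructed packets through each chain and return the verdicts."""
    ssh_syn = Packet("203.0.113.5", 40000, "192.0.2.10", 22)
    http_probe = Packet("203.0.113.5", 40001, "192.0.2.10", 80)
    # Our host fetches a web page; the server's reply arrives on an ephemeral port.
    our_request = Packet("192.0.2.10", 51000, "198.51.100.7", 443)
    reply = Packet("198.51.100.7", 443, "192.0.2.10", 51000)

    results = {}
    fw = Firewall(ALLOW_SSH_THEN_DROP)
    results["ordered/ssh"] = fw.inbound(ssh_syn)        # ACCEPT
    results["ordered/http"] = fw.inbound(http_probe)    # DROP
    fw.outbound(our_request)
    results["ordered/reply"] = fw.inbound(reply)        # DROP: stateless chain has no rule for it

    fw = Firewall(DROP_THEN_ALLOW_SSH)
    results["reversed/ssh"] = fw.inbound(ssh_syn)       # DROP: order matters

    fw = Firewall(STATEFUL)
    fw.outbound(our_request)
    results["stateful/reply"] = fw.inbound(reply)       # ACCEPT via the ESTABLISHED rule
    results["stateful/http"] = fw.inbound(http_probe)   # DROP: unsolicited
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The "ordered/reply" case is the practical reason stateful filtering exists: with only the page's two rules, a reply to a connection the protected host itself opened is dropped, because nothing in the chain matches its ephemeral destination port; the ESTABLISHED rule lets such replies through while still dropping unsolicited packets.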

A firewall is similar to a container in the sense that the content (not the vessel) is what matters. Properly configured firewalls are very effective; misconfigured ones are ineffective or sometimes even inhibiting. Effective use of firewalls also requires a general policy about what kind of traffic is acceptable and what is not, which makes them a good illustration of Mitnick's maxim "technology, training, policies". In an ideal case, the access control rules in a firewall are a concentrated version of the overall access policy.

Firewalls are effective tools for regulating traffic and providing single 'gates' with checkpoints (that are easier to supervise and log) into computer systems. However, they cannot protect against various security risks which bypass them, e.g.

  • removal/theft of data on physical media (e.g. by stealing a USB stick)
  • attacks from inside - whether involving espionage, sabotage or plain stupidity
  • illegal activities using legal channels - e.g. stolen credit card business on IRC
  • faulty or Trojan horse applications - e.g. a critical hole in Microsoft Internet Explorer
  • poor policies which render them ineffective
  • ... and, of course, PIBKAC

They also tend to be ineffective against many kinds of malware, partly because their rule sets are too complex to react quickly to rapidly-changing and constantly emerging new malware. Also, most malware tends to use legal channels to propagate (e.g. e-mail attachments).


Vulnerability scanners

Often seen as ambiguous tools used by both attackers and defenders, vulnerability scanners first appeared in the 1990s. One of them, aptly named SATAN (Security Administrator Tool for Analyzing Networks), caused one of the biggest scare campaigns in the media (the name was possibly the culprit).

The tools include

  • port scanners - probe servers for open ports
  • network enumerators - retrieve usernames and information on groups, shares and services
  • web application testers - find vulnerabilities by anomalies in the web apps' behaviour
  • database security scanners - discover weak passwords, misconfigurations, outdated software etc.
  • ...

Well-known examples:

  • Intrusion detection systems
  • Logging and auditing
  • Password checkers
  • Sniffers

---

Additional reading and links

...