Security and Privacy in a Networked World/Technology: A mighty knight with no pants

Source: KakuWiki

Mitnick: Technology, training, procedures

Introduction

The metaphor used in the title is unfortunately valid for many places - some (more visible) parts could be well-protected, while others that are not so visible are in deep neglect.

...

Tools

Firewalls

The Firewall FAQ defines a firewall as "a system or group of systems that enforces an access control policy between two or more networks". Essentially, it has two main methods of access control:

  • blocking - stopping traffic that is deemed unwanted - e.g. coming from suspicious addresses (an example: some admins block everything coming from Nigeria).
  • permitting - guaranteeing safe passage for known good traffic - e.g. local servers or universally-used services.

Both methods are typically defined as rules. An example of two rules from the Linux iptables firewall: the first one allows incoming TCP traffic to port 22 (SSH), the second one drops all traffic that reaches it.

iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP

Note: with both rules in place, only SSH is allowed. iptables evaluates the rules of a chain in order and the first matching rule decides, so the later "forbid all" rule does not invalidate the earlier "allow this" rule.
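To make the ordering point concrete, here is an added example (not from the original page) that models how iptables walks an INPUT chain: the first matching rule decides, and the chain policy applies only if nothing matches. The rule parser understands only the handful of options used in the two rules above; the port names and sample packets are constructed.

```python
"""Added example: first-match evaluation of a small iptables-style INPUT chain."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    target: str                   # ACCEPT or DROP
    proto: Optional[str] = None   # e.g. "tcp"; None matches any protocol
    dport: Optional[int] = None   # destination port; None matches any port

# Constructed name-to-port table (iptables itself consults /etc/services)
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}

def parse_rule(cmd: str) -> Rule:
    """Parse an 'iptables -A INPUT ...' command (subset: -p, --dport, -j)."""
    toks = cmd.split()
    target, proto, dport = None, None, None
    for i, tok in enumerate(toks):
        if tok == "-j":
            target = toks[i + 1]
        elif tok == "-p":
            proto = toks[i + 1]
        elif tok == "--dport":
            val = toks[i + 1]
            dport = SERVICE_PORTS.get(val, None)
            dport = int(val) if dport is None else dport
    if target not in ("ACCEPT", "DROP"):
        raise ValueError("unsupported target in: " + cmd)
    return Rule(target, proto, dport)

def verdict(chain: List[Rule], proto: str, dport: int, policy: str = "ACCEPT") -> str:
    """Walk the chain in order; the first rule matching the packet decides.
    If no rule matches, the chain's default policy applies."""
    for rule in chain:
        proto_ok = rule.proto is None or rule.proto == proto
        port_ok = rule.dport is None or rule.dport == dport
        if proto_ok and port_ok:
            return rule.target
    return policy

# The two rules from the text, in the order given
CHAIN = [parse_rule("iptables -A INPUT -p tcp --dport ssh -j ACCEPT"),
         parse_rule("iptables -A INPUT -j DROP")]

if __name__ == "__main__":
    print(verdict(CHAIN, "tcp", 22))                   # ACCEPT: SSH matched first
    print(verdict(CHAIN, "tcp", 80))                   # DROP: falls through to rule 2
    print(verdict(list(reversed(CHAIN)), "tcp", 22))   # DROP: reversed order blocks SSH too
```

Reversing the two rules shows why order matters: with DROP first, the SSH rule is never reached.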

While early packet filter firewalls just inspected single packets (without considering their "neighbours"), newer ones also analyze series of packets (stateful firewalls). Recent application layer firewalls are also able to recognize certain applications and protocols and judge the behaviour of packets accordingly.

A firewall is similar to a container - in the sense that the content (not the vessel) is what matters. Properly configured firewalls are very effective; misconfigured ones are ineffective or sometimes actively inhibiting. Effective use of firewalls also requires a general policy about what kind of traffic is acceptable and what is not - which makes them a good illustration of Mitnick's maxim "technology, training, policies". In an ideal case, the access control rules in a firewall are a concentrated version of the overall access policy.

Firewalls are effective tools for regulating traffic and providing single 'gates' with checkpoints (that are easier to supervise and log) into computer systems. However, they cannot protect against various security risks which bypass them, e.g.

  • removal/theft of data on physical media (e.g. by stealing a USB stick)
  • attacks from inside - whether involving espionage, sabotage or plain stupidity
  • illegal activities using legal channels - e.g. stolen credit card business on IRC
  • faulty or Trojan horse applications - e.g. a critical hole in Microsoft Internet Explorer
  • poor policies which render them ineffective
  • ... and, of course, PIBKAC

They also tend to be ineffective against many kinds of malware - partly because they are too complex to be adjusted quickly enough to react to rapidly changing and constantly emerging new malware. Also, most malware tends to use legal channels to propagate (e.g. e-mail attachments).


Vulnerability scanners

Often seen as ambiguous tools used by both attackers and defenders, vulnerability scanners first appeared in the 1990s. One of them, aptly named SATAN for Security Administrator Tool for Analyzing Networks, caused one of the biggest scare campaigns in the media at that time (the name was possibly the culprit).

Most scanners search for known vulnerabilities in certain systems and software, but also for open ports (some of them may point towards a specific problem, e.g. a rootkit), default or very common passwords, outdated or misconfigured software (e.g. an open relay mail server) etc.

The tools include

  • port scanners - probe servers for open ports
  • network enumerators - retrieve usernames and information on groups, shares and services
  • web application testers - find vulnerabilities by anomalies in the web apps' behaviour
  • database security scanners - discover weak passwords, misconfigurations, outdated software etc
  • ...

Well-known examples:

A word of caution - although some scanners can discover problems by overall symptoms, they mostly rely on their database of known vulnerabilities (similarly to most antivirus software). This means that unpublished weak spots (zero-day vulnerabilities) will likely go unnoticed. Likewise, creative ignorance of users (whether on their own or fueled and directed by a social engineering attack) may render these systems surprisingly inadequate. On the other hand, latent human errors can and should be minimized.


Intrusion detection and prevention systems

These utilities monitor systems for suspicious activity and report it to those in charge; some of them also contain mechanisms to interrupt or stop the activity (prevention: e.g. the system can change firewall settings, reset connections etc). The former are known as passive (IDS) and the latter as active (IDPS) systems.

The main types by location are

  • host-based - analyse in- and outbound traffic at just one computer; usually keep periodic snapshots of important data (e.g. system files) and compare the current situation to them.
  • network-based - analyzes traffic in an entire subnet by checking compliance with protocols.
  • wireless - analyzes wireless traffic.
  • network traffic analysis - analyzes network traffic flows to find threats (e.g. a DDoS attack).

Three main methods of detection are

  • statistical anomalies - the system "knows" what behaviour is "normal" and alerts on substantial changes (e.g. sudden surges of traffic). Its strength is customizability (different "normal" levels can be set for specific situations) and chances to intercept new, unpublished attacks. The weakness is a level of false positive alarms, which may be substantial if the system is (even slightly) misconfigured.
  • signatures - similarly to antiviruses and some vulnerability scanners, these systems check the signatures of "good" packets and report any deviance. While they do not typically generate false positive alarms, their ability to detect intrusions depends on (and is limited to) the database, which may be out of date - and even with rapid updates, there will always be a lag between an attack appearing "in the wild" and its signature being registered in the database.
  • stateful protocol analysis - a somewhat hybrid approach which (akin to the stateful firewalls described above) analyses a series of packets and their compliance with the expected protocol.
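As an added example (not part of the original page), the first two detection methods above run over constructed data: the anomaly detector learns a baseline from "normal" per-minute connection counts and alerts on large deviations, while the signature detector matches request lines against a small database of known patterns. The counts, log lines and signature patterns are all constructed for illustration.

```python
"""Added example: statistical-anomaly versus signature-based detection on sample data."""
import re
import statistics
from typing import List, Tuple

# Constructed baseline: connections per minute during a quiet, known-good hour
NORMAL_COUNTS = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46]
# Constructed observations: minute 3 is a sudden surge (e.g. a flood); the rest are ordinary
OBSERVED = [41, 44, 39, 380, 42, 47]

def anomaly_alerts(baseline: List[int], observed: List[int], k: float = 3.0) -> List[int]:
    """Return indices whose count exceeds the baseline mean by more than k standard deviations.
    A smaller k catches subtler surges but, as the text warns, raises more false positives."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    threshold = mean + k * sd
    return [i for i, count in enumerate(observed) if count > threshold]

# Constructed signature database: names mapped to patterns of known-bad request lines
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "known-scanner-ua": re.compile(r"BadBot/\d"),
}

# Constructed log lines in "client request [user-agent]" form
LOG = [
    "10.0.0.5 GET /index.html",
    "10.0.0.9 GET /../../etc/passwd",
    "10.0.0.7 GET /search?q=book",
    "10.0.0.8 GET /login UA=BadBot/1.0",
    "10.0.0.6 GET /something-not-yet-in-the-database",  # unknown: goes unnoticed
]

def signature_alerts(lines: List[str], sigs=SIGNATURES) -> List[Tuple[int, str]]:
    """Return (line index, signature name) for every line matching a known pattern.
    Anything absent from the database, however suspicious, produces no alert."""
    return [(i, name) for i, line in enumerate(lines)
            for name, pattern in sigs.items() if pattern.search(line)]

if __name__ == "__main__":
    print(anomaly_alerts(NORMAL_COUNTS, OBSERVED))          # [3]   only the surge
    print(anomaly_alerts(NORMAL_COUNTS, OBSERVED, k=1.0))   # [3, 5] minute 5 is a false positive
    print(signature_alerts(LOG))                           # lines 1 and 3; line 4 is missed
```

Lowering k from 3 to 1 flags an ordinary minute of 47 connections, which is the configuration-sensitivity the text describes; the last log line is missed because no signature exists for it yet.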

READ MORE: https://en.wikipedia.org/wiki/Intrusion_detection_system (especially the limitations and evasion sections) and https://en.wikipedia.org/wiki/Intrusion-prevention_system


Well-known examples:



  • Logging and auditing
  • Password checkers
  • Sniffers
  • Honeypots


---

Additional reading and links

...