Network Security
Intro to Network Security
Politeknik Elektronika Negeri Surabaya
2007
PENS-ITS
Introduction
Grading
Assignments (Tugas): 25%
Final exam (UAS): 40%
Midterm exam (UTS): 30%
Attendance: 5%
Maximum lateness is 15 minutes after class begins
Anyone more than 15 minutes late is given an assignment to complete and present
Overview
Network Services
[Network diagram; its labels and annotations are listed below]
INTERNET
ROUTER / GTW (CISCO Router): using ACL, block malware from outside
FIREWALL-IDS: Linux bridge, iptables, shorewall, snort, portsentry, acidlab
DMZ: all servers in DMZ; manage using SSH, Secure Webmin
PROXY (Squid): all access to the Internet must go through the proxy
SQL Database (MySQL): access only from localhost ([Link])
DOMAIN, E-MAIL, WWW
E-Mail server: HTTPS, SPAM (Spamassassin), Virus Scanner (ClamAV)
MULTILAYER SWITCH (L3 Switch): block malware on physical port from inside network
Manageable switches: block unwanted user from port, manage from WEB
NOC: traffic monitoring, CACTI, http://noc.[Link]
EEPISHOTSPOT: access from wifi, signal only in EEPIS campus; authentication from proxy
EIS (EEPIS-INFORMATION SYSTEM), internal server: http://[Link]-[Link]
FILESERVER: http://fileserver.eepis-its.edu
Users: LECTURER, EMPLOYEE, STUDENTS
Why Secure a Network?
[Figure: corporate assets threatened by an internal attacker, an external attacker, a virus, and incorrect permissions]
A network security design protects assets from threats and vulnerabilities in an organized manner
To design security, analyze risks to your assets and create responses
Computer Security Principles
Confidentiality: Protecting information from exposure and disclosure
Integrity: Decrease possible problems caused by corruption of data
Availability: Make information always available
Exploits (1)
What is an Exploit?
Crackers break into a computer network by exploiting weaknesses in operating system services.
Types of attacks
Local
Remote
SANS Security Threats
SANS/FBI top 20 security threats
[Link]
Goals attackers try to achieve
Gain unauthorized access
Obtain administrative or root level
Destroy vital data
Deny legitimate users service
Individual selfish goals
Criminal intent
Security Statistics: Attack Trends
Computer Security Institute ([Link])
Growing Incident Frequency
Incidents reported to the Computer Emergency Response Team/Coordination Center
1997: 2,134
1998: 3,474 (75% growth from previous year)
1999: 9,859 (164% growth)
2000: 21,756 (121% growth)
2001: 52,658 (142% growth)
Tomorrow?
Attack Targets
SecurityFocus
31 million Windows-specific attacks
22 million UNIX/LINUX attacks
7 million Cisco IOS attacks
All operating systems are attacked!
Hackers Vs Crackers
Ethical Hackers vs. Crackers
A hacker is usually a programmer who constantly seeks further knowledge, freely shares what they have discovered, and never intentionally damages data.
A cracker breaks into or otherwise violates system integrity with malicious intent. They destroy vital data or cause problems for their targets.
Attack Classification
Attacks
Physical Access Attacks: Wiretapping (tapping), Server Hacking, Vandalism (destruction)
Dialog Attacks: Eavesdropping (listening to what one is not permitted to hear), Impersonation (imitating), Message Alteration (changing the message)
Social Engineering: Opening Attachments, Password Theft, Information Theft
Penetration Attacks (attempts to break through): Scanning (Probing), Break-in, Denial of Service, Malware (Viruses, Worms)
Social Engineering
Definitions of social engineering
The art and science of making people comply with your wishes (Bernz).
An outside hacker's use of psychological tricks on a legitimate user of a computer system (Palumbo).
Obtaining needed information (for example, a password) from a person rather than breaking into a system (Berg).
The basic goals of social engineering are the same as those of hacking in general: gaining unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.
Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals.
Forms of Social Engineering
Social engineering by telephone
A hacker calls and impersonates someone in a position of authority or relevance and gradually draws information out of the user.
Dumpster diving
A very large amount of information can be collected from a company's dumpster.
Online social engineering
The Internet is fertile ground for social engineers who want to obtain passwords
Posing as a network administrator, sending e-mail over the network and asking for a user's password.
Persuasion
The main aim is to convince people to give out sensitive information
Reverse social engineering
Sabotage, advertising, and assisting
Penetration Attacks Steps
Port scanner
Network enumeration
Gaining & keeping root / administrator access
Using access and/or information gained
Leaving backdoor
Attack
Denial of Services (DoS): Network flooding
Buffer overflows: Software error
Malware: Virus, worm, trojan horse
Brute force
Covering his tracks
Scanning (Probing) Attacks
[Figure: an attacker on the Internet sends probe packets to [Link], [Link], etc. in the corporate network. The host at [Link] replies; there is no host at [Link], so no reply comes back. Results: [Link] is reachable, [Link] is not reachable.]
Network Scanning
Denial-of-Service (DoS) Flooding Attack
[Figure: the attacker sends a message flood and the server is overloaded by the message flood]
DoS By Example
Dialog Attack
Eavesdropping, commonly referred to as spoofing, is handled with encryption
Impersonation and message alteration are handled with a combination of encryption and authentication
Eavesdropping on a Dialog
[Figure: Client PC (Bob) and Server (Alice) exchange "Hello" in a dialog; the attacker (Eve) intercepts and reads messages]
Password Attack By Example
Sniffing By Example
KeyLogger
Message Alteration
[Figure: a dialog between Client PC (Bob) and Server (Alice). The attacker (Eve) intercepts and alters messages; the message labels read "Balance = $1" and "Balance = $1,000,000".]
Security from Attack
Network Penetration Attacks and Firewalls
[Figure: a firewall sits between the Internet and the internal corporate network (hardened client PC, hardened server). A passed packet from the Internet goes through; an attack packet from the attacker becomes a dropped packet and is recorded in the log file.]
Intrusion Detection System
[Figure: an intrusion detection system in the corporate network, in front of a hardened server; the steps are numbered as on the slide]
1. Suspicious Packet (from the attacker, via the Internet)
2. Suspicious Packet Passed
3. Log Packet (Log File)
4. Alarm (Network Administrator)
Encryption for Confidentiality
[Figure: between Client PC (Bob) and Server (Alice), the original message "Hello" travels as the encrypted message 100100110001 and is recovered as the decrypted message "Hello". The attacker (Eve) intercepts but cannot read.]
Impersonation and Authentication
[Figure: the attacker (Eve) tells Server (Alice) "I'm Bob"; the server answers "Prove it! (Authenticate Yourself)". The real Bob is at the Client PC.]
Secure Dialog System
Secure dialog between Client PC (Bob) and Server (Alice)
Automatically handles:
Negotiation of security options
Authentication
Encryption
Integrity
Attacker cannot read messages, alter messages, or impersonate
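How the integrity and authentication options of such a secure dialog catch the tampering shown on the Message Alteration slide, as an added example that is not from the original slides. It covers integrity and authentication only (no encryption); the frame layout, the names `protect` and `Receiver`, the shared key, and the direction of the change ($1 to $1,000,000) are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def protect(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender: frame = 8-byte sequence number + message + HMAC tag."""
    header = seq.to_bytes(8, "big")
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    """Receiver: returns the message, or None if the frame is rejected."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < 8 + TAG_LEN:
            return None  # too short to be a valid frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # altered in transit, or sender lacks the key
        seq = int.from_bytes(body[:8], "big")
        if seq <= self.last_seq:
            return None  # replay of an earlier genuine frame
        self.last_seq = seq
        return body[8:]


def demo() -> dict:
    key = secrets.token_bytes(32)  # assumed shared by Bob and Alice only
    alice = Receiver(key)
    frame = protect(key, 1, b"Balance = $1")  # constructed message
    altered = frame.replace(b"$1", b"$1,000,000", 1)  # Eve edits the amount
    forged = protect(secrets.token_bytes(32), 2, b"I'm Bob")  # Eve's own key
    return {
        "altered": alice.accept(altered),
        "forged": alice.accept(forged),
        "genuine": alice.accept(frame),
        "replayed": alice.accept(frame),
    }
```

Calling `demo()` shows that only the untouched frame is accepted, and only once.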
Hardening Host Computers
The Problem
Computers installed out of the box have known vulnerabilities
Not just Windows computers
Hackers can take them over easily
They must be hardened, a complex process that involves many actions
Hardening Host Computers
Elements of Hardening
Physical security
Secure installation and configuration
Fix known vulnerabilities
Turn off unnecessary services (applications)
Harden all remaining applications (Chapter 9)
Hardening Host Computers
Elements of Hardening (continued)
Manage users and groups
Manage access permissions
For individual files and directories, assign access permissions to specific users and groups
Back up the server regularly
Advanced protections
Hardening Host Computers
Security Baselines Guide the Hardening Effort
Specifications for how hardening should be done
Different for different operating systems
Different for different types of servers (webservers, mail servers, etc.)
Needed because it is easy to forget a step
Needed because it is easy to forget a step
Installation and Patching
Installation Offers Many Options, Some of Which Affect Security
For example, in Windows, the NTFS file system is better for security than FAT32
Need a security baseline to guide option choices during installation
Installation and Patching
Known Vulnerabilities
Most programs have known vulnerabilities
Exploits are programs that take advantage of known vulnerabilities
Installation and Patching
Known Vulnerabilities
Vulnerability reporters send vulnerability reports to vendors
Vulnerability reporters often say that vendors take too long to fix vulnerabilities
Vendors say that vulnerability reporters do not give them enough time, report too much detail to the press
Installation and Patching
Fixes
Work-around: A series of actions to be taken; no new software
Patches: New software to be added to the operating system
Upgrades: Newer versions of programs usually fix older vulnerabilities.
Installation and Patching
Upgrades
Often, security vulnerabilities are fixed in new versions
If a version is too old, the vendor might stop offering fixes
It might be good to wait to upgrade until after the first round of bug and security fixes
Turning Off Unnecessary Services
Unnecessary Services
Operating system vendors used to install many services by default
This made them easier to use. When use changes, services do not have to be turned on.
Attackers have found flaws in many of these rare services
Turning Off Unnecessary Services
Unnecessary Services
Vendors now install fewer services by default (lock-down mode)
Turn to security baseline to see what services to turn on and off
Easier to install too few and add than to install too many and remove unwanted services
Managing Users and Groups
Introduction
Every user must have an account
There can also be groups
Can assign security measures to groups
These measures apply to the individual group members automatically
Faster and easier than assigning security measures to individuals
Managing Permissions
Principle of Least Permissions: Give Users the Minimum Permissions Needed for Their Job
More feasible to add permissions selectively than to start with many, reduce for security
Advanced Server Hardening Techniques
Reading Event Logs
The importance of logging to diagnose problems
Failed logins, changing permissions, starting programs, kernel messages, etc.
Backup
File Encryption
File Integrity Checker
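One way to read an event log for the failed logins mentioned above, as an added example that is not part of the original slides. The log lines are constructed samples in OpenSSH's syslog message style; the host name, addresses, user names, the `analyze` function and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's syslog message style (not real data).
SAMPLE_LOG = """\
Mar  3 02:11:01 www sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 02:11:03 www sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 02:11:05 www sshd[811]: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
Mar  3 02:11:08 www sshd[811]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 02:11:12 www sshd[815]: Accepted password for root from 203.0.113.7 port 40131 ssh2
Mar  3 08:00:41 www sshd[990]: Failed password for budi from 10.10.1.25 port 51500 ssh2
Mar  3 08:00:49 www sshd[990]: Accepted password for budi from 10.10.1.25 port 51500 ssh2
Mar  3 08:05:00 www CRON[1002]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def analyze(log_text, threshold=3):
    """Return (noisy, breached).

    noisy:    source address -> sorted user names it failed to log in as,
              for sources with at least `threshold` failed logins.
    breached: (source, user) pairs where a login was accepted after the
              source had already reached the threshold.
    """
    failures = Counter()
    tried = defaultdict(set)
    breached = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an sshd password event
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            tried[src].add(user)
        elif failures[src] >= threshold:
            breached.append((src, user))  # success right after many failures
    noisy = {s: sorted(tried[s]) for s, n in failures.items() if n >= threshold}
    return noisy, breached


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A single mistyped password followed by a success (the `budi` lines) stays below the threshold and is not reported.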