Host Perimeter Defense (pptx)

Document information

Host Perimeter Defense – SANS GIAC LevelOne © 2000, 2001

1 Host Perimeter Defense
Jennifer Kolde, Scott Winters

Most of us have a problem. We are under attack. At this very moment, our Internet-connected computer systems are being subjected to a surprising number of probes, penetration attempts, and other malicious attention. In this talk, we will discuss the types of attacks that are being used against our computers, and how to defend against these attacks. You will learn about both free and commercial software products that will help you improve the security of your systems. These products present a variety of solutions, ranging from easy-to-configure, “hassle-free” products that provide a reasonable level of security, to more complex solutions that provide more stringent measures for high-value assets.

2 Agenda
• Do we have a problem?
• Who is vulnerable?
• Threats and types of protection
• Features to look for
• Summary

We will begin this talk by examining the scope of the problem, and you will learn about the types of systems that are vulnerable and that may require protection. The main portion of this talk will focus on the various threats to your host’s security, and the types of protection (including specific tools) that can be used to defend against these threats. Finally, we will discuss some features to look for when choosing a host perimeter solution. A summary of important information will round out the talk. At the end of the webcast, you will be able to recommend and implement utilities and policies for host perimeter defense.

3 Host Perimeter Defense
• Defends the borders of your computer
• Complements network perimeter defense
  – Additional layer of protection
• May also be first line of defense

Host perimeter defense is just what it sounds like: defending the perimeter of the host itself - the borders of your computer. Most security-conscious organizations protect the borders of their network with tools such as firewalls or packet-filtering routers. In this situation, host perimeter defense complements network perimeter defense by adding a second layer of security. Even if an intruder is able to penetrate your network, he or she will then have to penetrate any host-based security to access protected hosts on your network. There are also instances when host perimeter defense may be your first line of defense. This is true, of course, if there is no network protection. It is also the case where your network security is bypassed - for example, through a connection to a dial-up server inside your firewall. And it is the case for systems that are not on a standard network - such as home computers - which nevertheless connect to the Internet through an Internet Service Provider (ISP).

4 The Hole in Security Policies
• Does your organization have a security policy?
• Does it cover the use of modems, or other connections that don’t go through the main firewall?
• Does it cover employees doing work at home? Are their systems protected? Are you sure?
• Is it enforced? Are you sure?

If your organization has a written security policy, you are already a step ahead of many. BUT - security policies typically address internal systems, Intranets, and external (Internet) connectivity. A number of potential “holes” are often overlooked, including modems, laptops, and particularly home computers used for business purposes. Another potential hole in any organization’s security policy lies in enforcement. A policy is merely ink on paper without means to track its application and enforce its guidelines. If your security policy does in fact cover remote access or home systems, how are those standards checked or maintained? How do you know that your users have not installed unauthorized software? How do you know that employees using home computers for business are informed about threats and adequately protected?

5 Who Is Vulnerable?
• Any host that is:
  – Directly connected to the Internet
  – “Protected” behind a firewall
  – Networked with any other hosts (even if not connected to the Internet)
  – Connected via modem, cable modem, ISDN, DSL, etc.

Any networked host may be a candidate for protection using host perimeter defense solutions, including:
• Computers directly connected to the Internet. Any host directly connected to the Internet is visible to (and potentially vulnerable to!) any one of the several million other Internet users around the globe. Essentially, anyone from Russia to Brazil to the person next door can “see” your computer - and may be able to compromise it.
• Computers “protected” by a firewall. A firewall is not a bulletproof solution to your security problems. Dial-up connections may bypass your firewall’s security completely. “Legitimate” traffic allowed through the firewall may contain dangerous code, such as malicious Java applets in HTTP traffic, or Trojan executables in electronic mail (SMTP) traffic. Users may install unauthorized software or modems that create security holes.
• Hosts on a private network. Even if you are completely disconnected from the Internet, you may need to protect your hosts from each other! A large number of security breaches come from inside an organization. Employees trying to steal information for a competitor, or disgruntled employees who might want to damage or destroy information, present a real threat.

The information on threats and defenses in the following slides can be applied to any of the above scenarios. However, for the purpose of this course, we will focus on one scenario in particular that is often overlooked.

6 Personal Systems With Internet Access
• “Personal” computers Internet-connected through ISP
• Little or no protection
• Increased “always on” access
  – Cable modems
  – Digital subscriber line (DSL)
• Availability of automated attacks

Perhaps the most underrated security vulnerability today is the threat to “personal” computers. Home computers are generally thought to be “personal” or “private” - in the security of your home, they are not vulnerable to attack. However, the reality is that every home user who accesses the Internet via an Internet Service Provider (ISP) is placing their computer on the Internet, at least for the duration of their connection. Because few home users think about security for their “personal” computer, the majority of people who connect to the Internet have “wide open” systems, easily accessible to a halfway decent attacker. The danger to “personal” computers has increased in recent years for two reasons. First, high-speed, always-on Internet connections such as cable modems and Digital Subscriber Lines (DSL) have become increasingly available and affordable. This means more home computers are connected to - and exposed on - the Internet all the time. Second, the number and types of vulnerabilities and attacks have increased, making it simple for even unsophisticated attackers to download automated scripts and launch attacks against home users as well as corporate networks.

7 Impact of the Problem
• Personal information
  – Financial records
  – Account names/passwords
• Business information
  – Home-based business
  – Telecommuters
  – Connect to corporate LAN from home

This problem can be a serious one for home users. Sensitive information such as financial records and account numbers, usernames and passwords may all be stored on a home PC - all of which provide tempting targets for attackers. However, this problem is no longer limited to private home users. Businesses can be seriously affected as well, as the line between home and business computers has increasingly blurred over the past few years. Businesses are operated out of people’s homes; employees work at home and “telecommute”; users take work home, or use home computers to dial in to corporate networks and electronic mail servers. All of these scenarios mean that, in addition to sensitive personal information, it is highly likely that sensitive business information can be found on “personal” computers. Which is more difficult for an attacker: to break into a corporate network that is protected by firewalls, intrusion detection software, and skilled administrators who regularly review log files? Or to break into the CEO’s unprotected home PC, steal his userid and password, and log straight in to the corporate network using the stolen information?

8 Do We Have a Problem?

If you’re still not convinced of the threat to home computers, consider this spreadsheet showing the number and types of attempted attacks on my computer, located on the outskirts of a major ISP’s network. The above attacks, which occurred over a two-week period, are representative of typical activity on “personal” Internet-connected computers.

9 What Are the Threats?
• Social engineering
• Known vulnerabilities
• Malicious code
• Unauthorized connections

The number and types of vulnerabilities to individual hosts vary greatly. We will examine these vulnerabilities, and the actions you can take to counter them, in the next series of slides.
10 Social Engineering
• Attempt to manipulate or trick a person into providing information or access
• Bypass network security by exploiting human vulnerabilities

“Social engineering” is the term used to describe an attempt to manipulate or trick a person into providing valuable information or access to that information. It is the process of attacking a network or system by exploiting the people who interact with that system. People are often the weakest link in an organization’s security. All of the technology in the world cannot protect your network from a user who willingly gives out his or her password, or innocently installs malicious software. Social engineering often preys on qualities of human nature, such as the desire to be helpful, the fear of getting in trouble, or the tendency to trust the people - and computers - with which we interact.

[...] this traffic can contain hostile Java and ActiveX code. You probably also allow SMTP (electronic mail) traffic, but electronic mail often contains attachments with macro viruses or Trojan software.

16 Malicious Code Defense
• Anti-virus software
• Java/ActiveX protection

Probably the most well-known form of host perimeter defense is anti-virus [...]

[...] Security Network Flight Recorder - BackOfficer Friendly
….and for *nix users:
• Psionic Software - Portsentry

This slide lists some additional packet-filtering products available for host-based protection. (slide 34)

35 Zone Labs ZoneAlarm

An application level firewall, such as a proxy, deals directly [...]

[...] with hostile ones. Some Web sites will not display correctly without scripting enabled, or will pop up an annoying number of warning messages asking if you want to run an applet.

17 Unauthorized Connections
• Default services running on system
• Software that opens additional ports

Applications and services used for network or host-to-host communications [...]

[...] most inexperienced attacker to launch sophisticated attacks on your systems.

14 Known Vulnerability Defense
• Choose a secure OS
• Build a secure configuration
• Install updates and patches
• Remove sample applications
• Stay informed

Your best defense against known vulnerabilities is information and education:
• Choose a secure OS and learn [...]

[...] activity on an ongoing basis. That is the purpose of personal firewall and host-based intrusion detection software.

19 Firewalls
(diagram labels: Internet, Attack)

A firewall is a device that blocks access to one computer or network from another computer or network. It is the primary means of defense used to protect networks and stations from Internet attacks. The [...]

[...] (slide 13)
• Operating systems and common software
  – Inherent weaknesses
  – Default configuration
  – Misconfiguration
  – Sample applications

Any host is, of course, susceptible to any vulnerabilities in the operating system and software which the host runs. A computer’s operating system (OS) will affect its inherent level of security. An OS with strong authentication [...]

[...] attacks against which to defend. The weakness is a human one; there is no hardware to lock up or software to configure. While host perimeter defense products can provide some protection (for example, anti-virus software to guard against users who run viruses or Trojan software), your best defense is to establish clear security policies - and enforce them.
• Security policies should establish such things as: [...]

[...] However, it’s a good bet that most users don’t know what a port is, much less which ports may be open on their computers.

18 Unauthorized Connection Defense
• Determine open ports
• Block ports that are not needed
• Monitor connection attempts

The first step in protecting your system from unauthorized connection attempts is to determine which [...]

[...] (slide 15)
• Program that performs harmful, unauthorized action
  – Viruses
  – Trojans
  – Java applets and ActiveX controls
• Often easily bypass network security

One of the broadest categories of threats to your network hosts is that of malicious code. Malicious code is defined as an executable program that performs an action (often harmful or destructive) without [...]

[...] that it is possible to spoof, they can’t afford the same level of protection as an application-based system.

22 What Is a Firewall?
(diagram label: Return Traffic)

A common application of a firewall is as a means of defense between a private network and the Internet. Such a firewall would allow users on the private network to have full access to the Internet, [...]
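Slide 18's three steps (determine open ports, block those that are not needed, monitor connection attempts) and the two-week tally of attempts on slide 8, as an added example that is not from the SANS deck: it checks a constructed netstat-style listing against an assumed allowlist of permitted listeners, then tallies blocked inbound attempts from a constructed personal-firewall log whose line format is an assumption, not any product's real format.

```python
import re
from collections import Counter, defaultdict

# Assumed allowlist: the only ports this host is meant to expose.
ALLOWED_LISTENERS = {22, 443}

# Constructed netstat-style listing (not real output from any host).
NETSTAT_SAMPLE = """\
Proto Local Address      Foreign Address     State
tcp   0.0.0.0:22         0.0.0.0:*           LISTEN
tcp   0.0.0.0:139        0.0.0.0:*           LISTEN
tcp   127.0.0.1:443      0.0.0.0:*           LISTEN
tcp   0.0.0.0:12345      0.0.0.0:*           LISTEN
tcp   192.0.2.10:22      198.51.100.7:51514  ESTABLISHED
"""
LISTEN_RE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+\S+\s+LISTEN", re.M)

def unauthorized_listeners(netstat_text, allowed=ALLOWED_LISTENERS):
    """Steps 1-2: listening (proto, port) pairs the allowlist does not permit."""
    found = {(proto, int(port)) for proto, port in LISTEN_RE.findall(netstat_text)
             if int(port) not in allowed}
    return sorted(found)

# Constructed firewall log of blocked inbound attempts (format is an assumption).
FW_LOG_SAMPLE = """\
2001-03-01 10:02:11 BLOCK IN TCP 203.0.113.5:4021 -> 192.0.2.10:21
2001-03-01 10:02:12 BLOCK IN TCP 203.0.113.5:4022 -> 192.0.2.10:23
2001-03-01 10:02:13 BLOCK IN TCP 203.0.113.5:4023 -> 192.0.2.10:139
2001-03-01 10:02:14 BLOCK IN TCP 203.0.113.5:4024 -> 192.0.2.10:12345
2001-03-01 11:15:40 BLOCK IN UDP 198.51.100.9:137 -> 192.0.2.10:137
"""
LOG_RE = re.compile(r"BLOCK IN (TCP|UDP) (\d+(?:\.\d+){3}):\d+ -> \S+:(\d+)")

def summarize_blocked(log_text, sweep_threshold=3):
    """Step 3: tally blocked attempts per (proto, target port), like the
    slide 8 spreadsheet, and flag sources that probed at least
    `sweep_threshold` distinct ports (a crude port-sweep indicator)."""
    per_port = Counter()
    ports_by_src = defaultdict(set)
    for proto, src, dport in LOG_RE.findall(log_text):
        per_port[(proto.lower(), int(dport))] += 1
        ports_by_src[src].add(int(dport))
    sweepers = sorted(s for s, p in ports_by_src.items() if len(p) >= sweep_threshold)
    return per_port, sweepers

if __name__ == "__main__":
    print("unauthorized listeners:", unauthorized_listeners(NETSTAT_SAMPLE))
    counts, sweepers = summarize_blocked(FW_LOG_SAMPLE)
    print("blocked per port:", dict(counts), "possible sweeps from:", sweepers)
```

On a real host, feed the output of netstat (or an equivalent) and the firewall's own log into the two functions in place of the constructed samples.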

Posted: 21/12/2013, 05:17
