Host Perimeter Defense - SANS ©2001

Host Perimeter Defense
Security Essentials
The SANS Institute

Most of us have a problem. We are under attack. At this very moment, our Internet-connected computer systems are being subjected to a surprising number of probes, penetration attempts, and other malicious attention. In this talk, we will discuss the types of attacks that are being used against our computers, and how to defend against these attacks. You will learn about both free and commercial software products that will help you improve the security of your systems. These products present a variety of solutions, ranging from easy-to-configure, “hassle-free” products that provide a reasonable level of security, to more complex solutions that provide more stringent measures for high-value assets.

Agenda
• Do we have a problem?
• Who is vulnerable?
• Threats and types of protection
• Features to look for
• Summary

We will begin this talk by examining the scope of the problem, and you will learn about the types of systems that are vulnerable and that may require protection. The main portion of this talk will focus on the various threats to your host’s security, and the types of protection (including specific tools) that can be used to defend against these threats. Finally, we will discuss some features to look for when choosing a host perimeter solution. A summary of important information will round out the talk. At the end of the webcast, you will be able to recommend and implement utilities and policies for host perimeter defense.

Host Perimeter Defense
• Defends the borders of your computer
• Complements network perimeter defense
  – Additional layer of protection
• May also be first line of defense

Host perimeter defense is just what it sounds like: defending the perimeter of the host itself - the borders of your computer.
Most security-conscious organizations protect the borders of their network with tools such as firewalls or packet-filtering routers. In this situation, host perimeter defense complements network perimeter defense by adding a second layer of security. Even if an intruder is able to penetrate your network, he or she will then have to penetrate any host-based security to access protected hosts on your network.

There are also instances when host perimeter defense may be your first line of defense. This is true, of course, if there is no network protection. It is also the case where your network security is bypassed - for example, through a connection to a dial-up server inside your firewall. And it is the case for systems that are not on a standard network - such as home computers - which nevertheless connect to the Internet through an Internet Service Provider (ISP).

Who is Vulnerable?
• Any host that is:
  – Directly connected to the Internet
  – “Protected” behind a firewall
  – Networked with any other hosts (even if not connected to the Internet)
  – Connected via modem, cable modem, ISDN, DSL, etc.

Any networked host may be a candidate for protection using host perimeter defense solutions, including:

• Computers directly connected to the Internet. Any host directly connected to the Internet is visible to (and potentially vulnerable to!) any one of the several million other Internet users around the globe. Essentially, anyone from Russia to Brazil to the person next door can “see” your computer - and may be able to compromise it.

• Computers “protected” by a firewall. A firewall is not a bulletproof solution to your security problems. Dial-up connections may bypass your firewall’s security completely. “Legitimate” traffic allowed through the firewall may contain dangerous code, such as malicious Java applets in HTTP traffic, or Trojan executables in electronic mail (SMTP) traffic.
Users may install unauthorized software or modems that create security holes.

• Hosts on a private network. Even if you are completely disconnected from the Internet, you may need to protect your hosts from each other. A large number of security breaches come from inside an organization. Employees trying to steal information for a competitor, or disgruntled employees who might want to damage or destroy information, present a real threat.

The information on threats and defenses in the following slides can be applied to any of the above scenarios. However, for the purpose of this course, we will focus on one scenario in particular that is often overlooked.

Impact of the Problem
• Personal information
  – Financial records
  – Account names/passwords
• Business information
  – Home-based business
  – Telecommuters
  – Connect to corporate LAN from home

This problem can be a serious one for home users. Sensitive information such as financial records, account numbers, usernames and passwords may all be stored on a home PC - all of which provide tempting targets for attackers. However, this problem is no longer limited to private home users. Businesses can be seriously affected as well, as the line between home and business computers has increasingly blurred over the past few years. Businesses are operated out of people’s homes; employees work at home and “telecommute”; users take work home, or use home computers to dial in to corporate networks and electronic mail servers. All of these scenarios mean that, in addition to sensitive personal information, it is highly likely that sensitive business information can be found on “personal” computers.

Which is more difficult for an attacker: to break into a corporate network that is protected by firewalls, intrusion detection software, and skilled administrators who regularly review log files?
Or to break into the CEO’s unprotected home PC, steal his userid and password, and log straight in to the corporate network using the stolen information?

Do We Have a Problem?

Many SANS instructors use personal firewalls, of course, and a number of them use flashing icons to inform you that an attack has occurred. When Stephen Northcutt teaches intrusion detection he will often leave the BlackIce icon flashing yellow until some student comes up and says “I can’t stand it.” This screen shot was taken April 14, 2001. As you can see, this computer has been hit with a number of attacks. Please notice that on your screen you see three DNS probes. This was about three weeks after the Lion worm, malicious code that attacks Linux computers and DNS servers. Clearly it is still running at this time. If you are tuning out because you are a Windows user, the Kak and Qaz Windows worms did a lot of damage only six months ago. So, you are going to get hit.

What are the Threats?
• Known vulnerabilities
• Malicious code
• Unauthorized connections

The number and types of vulnerabilities to individual hosts vary greatly. We will examine these vulnerabilities, and the actions you can take to counter them, in the next series of slides.

Known Vulnerabilities
• Operating systems and common software
  – Inherent weaknesses
  – Default configuration
  – Misconfiguration
  – Sample applications

Any host is, of course, susceptible to any vulnerabilities in the operating system and software which the host runs. A computer’s operating system (OS) will affect its inherent level of security. An OS with strong authentication mechanisms, privilege and access control, and auditing or logging capabilities (such as Windows NT, Windows 2000, Unix, or Linux) is more secure than an OS that does not have these features (such as Windows 95/98).
As the majority of home users still run Windows 95 or 98, this issue becomes a critical one.

Unfortunately, NO operating system is secure “out of the box,” and attackers will take advantage of security holes in default OS or application configurations, or user/administrator misconfigurations.

Another vulnerability is sample applications that are often included in web server software or software development kits. These samples are not intended for production systems (read: they are NOT SECURE) and can open up additional security holes in your system.

These “holes” are often well-known and well-publicized in the “black hat” community. Worse, for any vulnerability that has been known for a period of time, there is most likely a script that exploits the vulnerability. These scripts are readily available on the Internet - making it simple for even the most inexperienced attacker to launch sophisticated attacks on your systems.

Known Vulnerability Defense
• Choose a secure OS
• Build a secure configuration
• Install updates and patches
• Remove sample applications
• Stay informed

Your best defense against known vulnerabilities is information and education.

• Choose a secure OS and learn to configure it properly. Most vendors and some third-party organizations now provide recommendations on configuring operating systems and applications securely. Obtain these documents and apply them per your organization’s needs.

• Keep your software up-to-date with upgrades and patches. Vendors regularly release updates and patches, many of which address security issues. Keep your systems up-to-date with the latest patches.

• Remove sample applications. Do not install sample applications, unless they are loaded on a test system. If sample applications must be installed, secure them just as you would any other software component.

• Stay informed. New security vulnerabilities are released daily.
A quick and easy way to stay up-to-date is to subscribe to security mailing lists. Several excellent public lists are given at the end of this presentation. Most vendors also have their own mailing lists, or at least post security notices on their web sites.

Malicious Code
• Program that performs harmful, unauthorized action
  – Viruses
  – Trojans
  – Java applets and ActiveX controls
• Often easily bypass network security

One of the broadest categories of threats to your network hosts is that of malicious code. Malicious code is defined as an executable program that performs an action (often harmful or destructive) without the knowledge of the user. Malicious code includes viruses and Trojan software (malicious software masquerading as a useful program or utility). Recent virus incidents, such as those surrounding the ILOVEYOU virus or the Melissa virus, indicate the seriousness of the threat. The attacker who gained access to Microsoft’s network in October 2000 and viewed source code for a future Microsoft product is suspected to have gained access to internal systems via the QAZ virus, which installs a secret ‘back door’ to allow access to a system. Over 40,000 known viruses exist as of this writing, and the number continues to increase.

A newer threat is that presented by Java applets and ActiveX controls. These are bits of code, like mini-programs, that run within a web browser when you access a web page that contains the applet. (Java will run in any browser; ActiveX is specific to Microsoft Internet Explorer.) Both types of code are supposed to be “safe” and execute only within restricted boundaries on the user’s computer. However, a number of security holes have been found in this technology. Malicious applets can perform actions such as reading files (such as a password file) or deleting files. Worse, most applets run within the browser without the user’s knowledge.
A particular danger of malicious code is that it can easily bypass security measures such as firewalls. This is because malicious code is often hidden in “legitimate” network traffic. Your firewall probably allows HTTP (Web) traffic into your network, but this traffic can contain hostile Java and ActiveX code. You probably also allow SMTP (electronic mail) traffic, but electronic mail often contains attachments with macro viruses or Trojan software.

[...]

... Test
Leak Test is a combination download and remote sensor. The download file tries to contact the remote sensor.

Houston, We Have A Problem
If your personal firewall is able to block unwanted outbound connections, you should get an alert such as the one generated above by ZoneAlarm.

No, Actually We Are Fine
[...]

... organizational security framework
Deployment of perimeter defense utilities and procedures minimizes risk and supplements the organizational security framework. Thank you for your time and attention!

Resources
• Security mailing lists:
  – Bugtraq
  – Computer Emergency Response Team (CERT)
  – NTBugtraq
  – The SANS Institute

The ...

Malicious Code Defense
• Anti-virus software
• Java/ActiveX protection

Probably the most well-known form of host perimeter defense is anti-virus software, which defends your computer from malicious code such as viruses and some common Trojan/backdoor ...
... Security
• Network Flight Recorder - BackOfficer Friendly
... and for *nix users:
• Psionic Software - Portsentry

This slide lists some additional packet-filtering products available for host-based protection.

Zone Labs ZoneAlarm
An application-level firewall, such as a proxy, deals directly with the "programs" that communicate ...

Configuring ZoneAlarm For Alerts
Open ZoneAlarm by right-clicking on the ZA icon in the system tray and choosing “Restore ZoneAlarm Control Console”. Click on the “Configure” button to display the above screen. Verify that both alert boxes are checked.

A Little Help From Steve Gibson
Steve Gibson of Gibson ...

... applets along with hostile ones. Some Web sites will not display correctly without scripting enabled, or will pop up an annoying number of warning messages asking if you want to run an applet.

Unauthorized Connections
• Default services running on a system
• Software that opens additional ports

Applications and services used for network or host-to-host communications ...

... trying to tell you.

Features to Look for
• Configurable
• Logging options
• Triggers
• Investigative capabilities
• Responsiveness of vendor
• Minimal “leakiness”

The variety of host perimeter defense products available can make choosing a solution confusing. Which product suits your needs depends on a number of factors, including your environment, your budget, ...
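As an added example tied to the Unauthorized Connections slide above (it is not part of the SANS course material), the following Python script parses the Linux /proc/net/tcp socket table, lists every TCP socket in LISTEN state, and flags any port that is not on an allowlist of expected services; the socket table is a constructed sample and the EXPECTED_PORTS allowlist is an assumption.

```python
"""Find listening TCP services on a Linux host and flag ports that are not on
an expected-services allowlist. Added example, not from the SANS course;
EXPECTED_PORTS and the socket table below are assumptions/constructed data."""

# Constructed /proc/net/tcp excerpt. local_address is little-endian hex IP:port
# and st 0A means LISTEN; on a live host use open("/proc/net/tcp").read().
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:9D3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""

# Assumption: the only services this host is supposed to expose (sshd, DNS).
EXPECTED_PORTS = {22, 53}


def hex_addr_to_ip_port(field):
    """'0100007F:0035' -> ('127.0.0.1', 53); the IPv4 address is stored little-endian."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
    return ".".join(map(str, octets)), int(port_hex, 16)


def listening_sockets(table):
    """Return (ip, port, uid) for every socket in LISTEN state (st == '0A')."""
    result = []
    for line in table.splitlines()[1:]:  # skip the column header line
        fields = line.split()
        if len(fields) < 8 or fields[3] != "0A":
            continue
        ip, port = hex_addr_to_ip_port(fields[1])
        result.append((ip, port, int(fields[7])))  # fields[7] is the owning uid
    return result


def unexpected_listeners(table, expected=EXPECTED_PORTS):
    """Listeners whose port is not on the allowlist: candidates for the
    'software that opens additional ports' the slide warns about."""
    return [s for s in listening_sockets(table) if s[1] not in expected]


if __name__ == "__main__":
    for ip, port, uid in unexpected_listeners(SAMPLE_PROC_NET_TCP):
        print(f"unexpected listener {ip}:{port} owned by uid {uid}")
```

Run it periodically and compare against the previous result; a new entry is the host-level signal that something opened a port you did not plan for.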
... procedural advice
• Checks OS for configuration errors
• Combines application-level and datagram-level control
• Has a vendor who is extremely responsive to new threats

The “ideal” host perimeter defense product would address all of the potential security issues we have discussed.
• It would make recommendations for secure policies and procedures
• It would check ...

Personal Firewalls Like ZoneAlarm
This page is intentionally left blank.

ZoneAlarm Features
• Out-of-the-box security
• Always-on protection
• Real-time alerts
• Protects against unwanted outbound connections from Trojans or software that “phones home”
• Instantaneous full Internet lock blocks all traffic

This page is ...

... www.nfr.net
Network ICE: www.networkice.com
Psionic Software: www.psionic.com
Symantec (Norton): www.symantec.com
Zone Labs: www.zonelabs.com

This slide intentionally left blank.

Course Revision History
V1.0 Grefer/Kolde November 1999
V1.1 - edited by K Rosenthal - 3 Feb 2000
V1.2 - edited by J Kolde - 19 Sept 2000
V2.0 ...