Chapter 5 & 6

This chapter discusses host and network security. It covers topics like security planning, standards and levels, password security, access control, firewalls, and introduces concepts around balancing network access and security. The document emphasizes that a well-thought-out security plan is needed to decide what needs protection, who is responsible, and how much to invest. It also provides guidance on assessing threats, assigning responsibilities, and writing security policies.

Uploaded by Abdurezak Ahmed

Chapter 5

Host & Network Security

Topics

- Security Planning
- Security Standards and Levels (ISO 15408 standard)
- Password Security
- Access Control and Monitoring: Wrappers
- Firewalls
Introduction

- A network is a data highway designed to increase access to computer systems, while security is designed to control access.
- Providing network security is a balancing act between open access and security.
- The network provides equal access for all - welcome visitors as well as unwelcome intruders.
- At home, you provide security for your possessions by locking your house, not by blocking the streets.
- Likewise, network security generally means providing adequate security on the individual host computers and network devices.
- Hosts attached to a network - particularly the worldwide Internet - are exposed to a wider range of security threats than are unconnected hosts.
- What resources are we trying to protect?
  - Secrets: Some sites have secrets they wish to protect. They might be government or trade secrets or the solutions to a college exam.
  - Personnel data: In your country there are probably rules about what you must do to safeguard sensitive personal information. This goes for any information about employees, patients, customers or anyone else we deal with. Information about people is private.
Introduction

- For much of this problem, computer people want a technical solution. We want to find a program that "fixes" the network security problem.
- However, a well-thought-out security plan will help you to decide:
  - What needs to be protected
  - Who will be responsible for carrying out the steps to protect it
  - How much money you or your organization are willing to invest in protecting it
Security planning

- Security planning is the basic building block of network security, but a plan must be implemented before it can have any effect.
- Planning involves:
  - assessing the threat,
  - assigning security responsibilities, and
  - writing a security policy
Assessing the Threat

- The first step toward developing an effective network security plan is to assess the threat that connection presents to your systems.
- RFC 1244 (Requests for Comments) identifies three distinct types of security threats usually associated with network connectivity:
  - Unauthorized access: a break-in by an unauthorized person.
  - Disclosure of information: any problem that causes the disclosure of valuable or sensitive information to people who should not have access to the information.
  - Denial of service: any problem that makes it difficult or impossible for the system to continue to perform productive work.
- Assess these threats in relation to the number of users who would be affected, as well as to the sensitivity of the information that might be compromised.
- For some organizations, break-ins are an embarrassment: if they allow unauthorized access, the confidence that others have in the organization may be reduced.
Writing a Security Policy

- Security is largely a "people problem."
- People, not computers, are responsible for implementing security procedures, and people are responsible when security is breached.
- Therefore, network security is ineffective unless people know their responsibilities.
- It is important to write a security policy that clearly states what is expected and who it is expected from.
A network security policy should define:

- The network user's security responsibilities
  - The policy may require users:
    - to change their passwords at certain intervals,
    - to use passwords that meet certain guidelines, or
    - to perform certain checks to see if their accounts have been accessed by someone else.
  - Whatever is expected from users, it is important that it be clearly defined.
- The system administrator's security responsibilities
  - The policy may require that every host use specific security measures, login banner messages, and monitoring and accounting procedures.
  - It might list applications that should not be run on any host attached to the network.
- The proper use of network resources
  - Define who can use network resources, what things they can do, and what things they should not do.
  - If your organization takes the position that email, files, and histories of computer activity are subject to security monitoring, tell the users very clearly that this is the policy.
- The actions taken when a security problem is detected
  - What should be done when a security problem is detected? Who should be notified?
  - It is easy to overlook things during a crisis, so you should have a detailed list of the exact steps that a system administrator, or user, should take when a security breach has been detected.
  - This could be as simple as telling the users to "touch nothing, and call the network security officer." But even these simple actions should be in the policy so that they are readily available.
- In general, RFC 1244 (Requests for Comments) is a very good guide for developing a security plan.
Internet Security Policy

- Connecting to the Internet brings with it certain security responsibilities.
- RFC 1281, A Guideline for the Secure Operation of the Internet, provides guidance for users and network administrators on how to use the Internet in a secure and responsible manner.
- Reading this RFC will provide insight into the information that should be in your security policy.
Security Standards and Levels

e.g.: University of Florida's Network Security Standard

- Nodes, services and individuals shall not have network exposure and visibility beyond that which is necessary for their intended functions.
- Similar IT resources should be logically aggregated to facilitate network security zone management.
- In cases where network firewalls are used, they must be documented and coordinated with Network Services.
ISO 15408 standard

- ISO (International Organization for Standardization) is an independent, non-governmental membership organization and the world's largest developer of voluntary International Standards.
- ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by the various parts of ISO/IEC 15408, which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.

ISO 15408 standard Abstract

- It provides an overview of all parts of ISO/IEC 15408.
- It defines the terms and abbreviations to be used in all parts of ISO/IEC 15408.
- It establishes the core concept of a Target of Evaluation (TOE); the evaluation context; and describes the audience to which the evaluation criteria are addressed.
- An introduction to the basic security concepts necessary for evaluation of IT products is given.
- ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model.
- It defines the various operations by which the functional and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations.
- The key concepts of protection profiles (PP), packages of security requirements and the topic of conformance are specified, and the consequences of evaluation and evaluation results are described.
RFC

- A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society, the principal technical development and standards-setting bodies for the Internet.
- Memos in the Requests for Comments (RFC) document series contain technical and organizational notes about the Internet.
- They cover many aspects of computer networking, including protocols, procedures, programs, and concepts, as well as meeting notes, opinions, and sometimes humor.
Password

Choosing a Password

- A good password is an essential part of security.
- We usually think of the password used for login; however, one-time passwords and encryption keys are needed as well.
- For all of these purposes you want to choose a good password.
- Choosing a good password boils down to this: don't choose a password that can be guessed using the techniques described above.
- Some guidelines for choosing a good password are:
  - Don't use your login name.
  - Don't use the name of anyone or anything.
  - Don't use any English, or foreign language, word or abbreviation.
  - Don't use any personal information associated with the owner of the account. For example, don't use initials, phone number, social security number, job title, organizational unit, etc.
  - Don't use keyboard sequences, e.g., qwerty.
  - Don't use any of the above spelled backwards, or in caps, or otherwise disguised.
  - Don't use an all-numeric password.
  - Don't use a sample password, no matter how good, that you've gotten from a book that discusses computer security.

Do's

- Do use a mixture of numbers, special characters, and mixed-case letters.
- Do use at least six characters.
- Do use a seemingly random selection of letters and numbers.
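The guidelines above, turned into a password checker. This is an added example, not code from the slides; the word list and the keyboard rows are small constructed stand-ins (a real check would load a full dictionary), and the "sample password from a book" rule is not machine-checkable, so it is left out.

```python
import string

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Constructed stand-in for a dictionary; a real check loads a full word list.
SAMPLE_WORDS = {"password", "secret", "welcome", "admin", "letmein", "bonjour"}


def _disguised_forms(text):
    """The forms the 'don't' rules forbid: the text itself or spelled backwards.
    Everything is compared in lower case, so capitalised variants are caught too."""
    t = text.lower()
    return {t, t[::-1]}


def _has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keyboard-row keys in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def check_password(pw, login, personal=(), words=SAMPLE_WORDS):
    """Return the guidelines `pw` violates; an empty list means it passes.
    `personal` holds strings tied to the account owner (initials, phone, title)."""
    problems = []
    low = pw.lower()
    if len(pw) < 6:
        problems.append("fewer than six characters")
    if pw.isdigit():
        problems.append("all-numeric")
    if low in _disguised_forms(login):
        problems.append("is the login name (possibly reversed or in caps)")
    for item in filter(None, personal):
        if any(form in low for form in _disguised_forms(item)):
            problems.append("contains personal information: " + item)
    if any(form in words for form in _disguised_forms(low)):
        problems.append("is a dictionary word (possibly reversed or in caps)")
    if _has_keyboard_run(pw):
        problems.append("contains a keyboard sequence")
    mixed = (any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)
             and any(c.islower() for c in pw) and any(c.isupper() for c in pw))
    if not mixed:
        problems.append("needs digits, special characters and mixed-case letters")
    return problems
```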
One-Time Passwords

- Sometimes good passwords are not enough.
- Passwords are transmitted across the network as clear text.
- Intruders use protocol-analyzer software to spy on network traffic and steal passwords.
- If a thief steals your password, it does not matter how good the password was.
- The thief can be on any network that handles your TCP/IP packets.
- If you log in through your local network you have to worry only about local snoops.
- If you log in over the Internet you must worry about unseen listeners from any number of unknown networks.

One-time pad

- The most significant point here is that once an input cipher text for transposition is used, it is never used again for any other message (hence the name one-time pad).
- The rlogin command is not vulnerable to this type of attack.
- rlogin does not send the password over the network, because user authentication is done only on the local host.
- The remote host accepts the user because it trusts the local host.
- However, trust should be extended only to UNIX hosts on your local network that you really do trust.
- Never extend trust to remote systems.
- It is too easy for an intruder to pretend that he is logged into a trusted system by stealing the trusted system's IP address, or by corrupting DNS so that it gives his system's address in response to the trusted system's name.
- rlogin does not help when you log in from a remote site or an untrusted system.
- Use one-time passwords for remote logins.
- Because a one-time password can be used only once, a thief who steals the password cannot use it.
- One-time Passwords In Everything (OPIE) is free software from the U.S. Naval Research Laboratory (NRL) that modifies a UNIX system to use one-time passwords.
- OPIE is directly derived from S/Key, which is a one-time password system created by Bell Communications Research (Bellcore).
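How a one-time password survives being sniffed: an added example of the hash-chain scheme S/Key and OPIE are built on, not their actual code. Real S/Key folds an MD4/MD5 digest to 64 bits and prints it as six short words; here SHA-256 is used and the raw digest is passed around, which is an assumption made to keep the example short.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def otp(secret: bytes, seed: str, k: int) -> bytes:
    """Hash the pass-phrase with the seed, then rehash k more times (hash chain)."""
    x = _h(secret + seed.encode())
    for _ in range(k):
        x = _h(x)
    return x


class OtpServer:
    """The server keeps the seed, a sequence number and the last accepted hash.
    It never stores the secret and cannot derive the next password from what it holds."""

    def __init__(self, seed: str, sequence: int, last_hash: bytes):
        self.seed, self.sequence, self.last_hash = seed, sequence, last_hash

    def challenge(self):
        """Sent in the clear at login: the sequence number and seed the client must use."""
        return self.sequence - 1, self.seed

    def verify(self, response: bytes) -> bool:
        # One more hash of the response must equal the stored value. On success the
        # response becomes the stored value, so the same response can never pass again.
        if self.sequence <= 0 or _h(response) != self.last_hash:
            return False
        self.last_hash, self.sequence = response, self.sequence - 1
        return True


def enrol(secret: bytes, seed: str, n: int = 100) -> OtpServer:
    """Initialisation: compute otp(secret, seed, n) once and hand only that to the server."""
    return OtpServer(seed, n, otp(secret, seed, n))


def demo():
    """Two logins with fresh passwords succeed; replaying a sniffed one fails."""
    secret = b"correct horse battery staple"       # constructed client pass-phrase
    srv = enrol(secret, "ex12345", n=5)
    results = []
    k, seed = srv.challenge()
    first = otp(secret, seed, k)                  # what the client sends, in the clear
    results.append(srv.verify(first))
    k, seed = srv.challenge()
    results.append(srv.verify(otp(secret, seed, k)))
    results.append(srv.verify(first))             # sniffed value reused: rejected
    return results
```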
Access control and monitoring

- Access control is a technique for limiting access.
- Routers and hosts that use access control check the address of a host requesting a service against an access control list.
- If the list says that the remote host is permitted to use the requested service, the access is granted.
- If the list says that the remote host is not permitted to access the service, the access is denied.
- Access control does not bypass any normal security checks.
- Cisco routers have an access control facility.
- Access control software is also available for UNIX hosts.
- Two such packages are xinetd and the TCP wrappers program.
- Clearly, there are a variety of ways to implement access controls.
- In this section we use TCP wrappers ("wrapper").

wrapper

The wrapper package performs two basic functions:

- It logs requests for Internet services, and provides an access control mechanism for UNIX systems.
- Logging requests for specific network services is a useful monitoring function, especially if you are looking for possible intruders.
- If this were all it did, wrapper would be a useful package.
- But the real power of wrapper is its ability to control access to network services.
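The access-list check described in both sections above, as an added example rather than tcpd's own code: it evaluates a request against hosts.allow and hosts.deny in the order TCP wrappers uses (allow first, then deny, default grant) and logs each decision. The two files are constructed samples, and the log line format is an assumption, not tcpd's exact syslog text.

```python
import ipaddress

# Constructed sample access files in the hosts_access(5) format.
HOSTS_ALLOW = """
# local hosts and the 192.168.1 LAN get everything; ssh from the campus domain
ALL: LOCAL 192.168.1.
sshd: .example.edu EXCEPT lab7.example.edu
in.ftpd: 10.1.0.0/255.255.0.0
"""
HOSTS_DENY = """
ALL: ALL
"""


def _match_client(pattern, host, ip):
    """Match one client pattern (a subset of the forms tcpd understands)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # a host name without a dot
        return "." not in host
    if "/" in pattern:                        # net/mask, e.g. 10.1.0.0/255.255.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):               # domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                 # address prefix
        return ip.startswith(pattern)
    return pattern in (host, ip)              # exact name or address


def _match_list(spec, matcher):
    """'a b EXCEPT c d' matches when a or b matches and the part after EXCEPT does not."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(matcher(p) for p in head.split())
    return hit and not (tail and _match_list(tail, matcher))


def _rule_matches(rule, daemon, host, ip):
    daemons, clients = [f.strip() for f in rule.split(":")[:2]]
    return (_match_list(daemons, lambda p: p in ("ALL", daemon))
            and _match_list(clients, lambda p: _match_client(p, host, ip)))


def _rules(text):
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def hosts_access(allow_text, deny_text, daemon, host, ip, log):
    """Decide one request the way tcpd does: a hosts.allow match grants, otherwise a
    hosts.deny match refuses, otherwise the request is granted. Every decision is
    appended to `log`, which is the monitoring half of the package."""
    for verdict, text in (("granted", allow_text), ("refused", deny_text)):
        for rule in _rules(text):
            if _rule_matches(rule, daemon, host, ip):
                log.append(f"{daemon}: {verdict} connect from {host} [{ip}] by rule '{rule}'")
                return verdict == "granted"
    log.append(f"{daemon}: granted connect from {host} [{ip}] (no matching rule)")
    return True
```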
Security monitoring

- A key element of effective network security is security monitoring.
- We also monitor the systems to detect unauthorized user activity, and to locate and close security holes.
- Over time a system will change: active accounts become inactive; file permissions are changed.
- You need to detect and fix these problems as they arise.
Know Your System

- Network security is monitored by examining the files and logs of individual systems on the network.
- To detect unusual activity on a system, you must know what activity is normal.
  - What processes are normally running?
  - Who is usually logged in?
  - Who commonly logs in after hours?
- Some common UNIX commands - ps and who - can help you learn what normal activity is for your system.
- The ps command displays the status of currently running processes.
- Run ps regularly to gain a clear picture of what processes run on the system at different times of the day, and who runs them.
- Looking for trouble: Intruders often leave behind files or shell scripts to help them re-enter the system or gain root access.
- Executable files: Check all executable files, binaries, and shell files to make sure they have not been modified by the intruder.
- Checking files: The find command is a powerful tool for detecting potential file system security problems because it can search the entire file system for files based on file permissions.
- Checking login activity: Strange login activity, at odd times of the day or from unfamiliar locations, can indicate attempts by intruders to gain access to your system.
- We have already used the who command to check who is currently logged into the system.
- To check who has logged into the system in the past, use the last command.
- The last command displays the contents of the wtmp file.
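The "know what is normal" check above applied to last output: an added example (not from the slides) that parses constructed lines in the layout last prints from wtmp, builds a per-user host baseline, and flags after-hours logins, unfamiliar hosts and direct root logins. The business-hours window and the known-host set are assumptions an administrator would tune.

```python
import re
from collections import Counter

# Constructed lines in the layout the last(1) command prints from wtmp.
LAST_OUTPUT = """\
alice    pts/0        ws12.corp.example   Mon Mar  4 09:12 - 17:40  (08:28)
bob      pts/1        ws07.corp.example   Mon Mar  4 10:05 - 12:30  (02:25)
alice    pts/2        ws12.corp.example   Tue Mar  5 08:55 - 18:02  (09:07)
root     pts/3        203.0.113.77        Tue Mar  5 03:17 - 03:29  (00:12)
bob      pts/1        ws07.corp.example   Wed Mar  6 09:40 - 16:55  (07:15)
alice    pts/4        198.51.100.9        Wed Mar  6 23:48   still logged in
"""

# user, tty, host, then "Day Mon DD HH:MM"; only the login hour is kept.
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\w{3} \w{3}\s+\d+ (\d\d):(\d\d)")


def parse_last(text):
    """Yield (user, tty, host, login_hour) for each session line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def host_baseline(text):
    """Count logins per (user, host): this is what 'normal' looks like on the system."""
    return Counter((u, h) for u, _, h, _ in parse_last(text))


def find_odd_logins(text, known_hosts, work_hours=range(7, 20)):
    """Return one alert string per login outside normal hours, from a host not in
    the baseline, or made directly as root."""
    alerts = []
    for user, tty, host, hour in parse_last(text):
        reasons = []
        if hour not in work_hours:
            reasons.append(f"after hours ({hour:02d}h)")
        if host not in known_hosts:
            reasons.append(f"unfamiliar host {host}")
        if user == "root":
            reasons.append("direct root login")
        if reasons:
            alerts.append(f"{user} on {tty}: " + ", ".join(reasons))
    return alerts
```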
Firewalls

- A firewall is one of the most effective security tools available for protecting internal network users from external threats.
- A firewall resides between two or more networks and controls the traffic between them as well as helps to prevent unauthorized access.
- Firewall products use various techniques for determining what is permitted or denied access to a network.
- In addition to protecting individual computers and servers attached to the network, it is important to control traffic traveling to and from the network.

Additional functions of a firewall

- Firewall products may support one or more of these filtering capabilities.
- Additionally, firewalls often perform Network Address Translation (NAT).
- Some firewalls provide:
  - DNS name service for the outside world
  - Email forwarding
  - Proxy services

Types of firewall

- Packet Filtering - Prevents or allows access based on IP or MAC addresses.
- Application / Web Site Filtering - Prevents or allows access based on the application. Websites can be blocked by specifying a website URL address or keywords.
- Stateful Packet Inspection (SPI) - Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically.
- SPI can also include the capability to recognize and filter out specific types of attacks such as DoS.
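The SPI rule in the last two bullets, as an added example that is not from the slides or any firewall product: outbound requests create connection state, an inbound packet passes only if it answers one of those requests or matches an explicit inbound permit, and a crude per-source SYN counter stands in for the DoS filtering some SPI firewalls add. The internal address prefix, the permitted mail server and the flood threshold are constructed assumptions.

```python
from collections import defaultdict

INTERNAL_PREFIX = "10.0.0."      # constructed: addresses of the protected network


class SpiFirewall:
    """Stateful packet inspection: an inbound packet passes only if it answers a
    request an internal host sent earlier, or hits an explicit inbound permit."""

    def __init__(self, permit_inbound=(), syn_limit=5):
        self.state = set()                          # (int_ip, int_port, ext_ip, ext_port)
        self.permit_inbound = set(permit_inbound)   # (internal ip, port) pairs
        self.syn_limit = syn_limit                  # inbound SYNs tolerated per source
        self.syn_count = defaultdict(int)
        self.log = []

    @staticmethod
    def _internal(ip):
        return ip.startswith(INTERNAL_PREFIX)

    def _decide(self, verdict, src, sport, dst, dport):
        self.log.append(f"{verdict} {src}:{sport} -> {dst}:{dport}")
        return verdict.startswith("ALLOW")

    def handle(self, src, sport, dst, dport, syn=False):
        """Return True if the packet is forwarded, False if it is dropped."""
        if self._internal(src) and not self._internal(dst):
            self.state.add((src, sport, dst, dport))      # remember the request
            return self._decide("ALLOW outbound", src, sport, dst, dport)
        if (dst, dport, src, sport) in self.state:        # reply to a known request
            return self._decide("ALLOW reply", src, sport, dst, dport)
        if (dst, dport) in self.permit_inbound:           # e.g. the public mail server
            if syn:
                self.syn_count[src] += 1
            if self.syn_count[src] > self.syn_limit:      # crude SYN-flood (DoS) guard
                return self._decide("DROP flood", src, sport, dst, dport)
            return self._decide("ALLOW permitted", src, sport, dst, dport)
        return self._decide("DROP unsolicited", src, sport, dst, dport)


def demo():
    """A web request and its reply pass; a 'reply' to a port nobody asked from is
    dropped; mail to the permitted server passes; an unsolicited packet to a
    workstation is dropped. Addresses are constructed."""
    fw = SpiFirewall(permit_inbound={("10.0.0.25", 25)})
    return [
        fw.handle("10.0.0.7", 40001, "93.184.216.34", 443, syn=True),
        fw.handle("93.184.216.34", 443, "10.0.0.7", 40001),
        fw.handle("93.184.216.34", 443, "10.0.0.7", 40002),
        fw.handle("198.51.100.3", 5555, "10.0.0.25", 25, syn=True),
        fw.handle("198.51.100.3", 5556, "10.0.0.7", 22, syn=True),
    ]
```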
Firewall products come packaged in various forms:

- Appliance-based firewalls - An appliance-based firewall is a firewall that is built in to a dedicated hardware device known as a security appliance.
- Server-based firewalls - A server-based firewall consists of a firewall application that runs on a network operating system (NOS) such as UNIX, Windows or Novell.
- Integrated firewalls - An integrated firewall is implemented by adding firewall functionality to an existing device, such as a router.
- Personal firewalls - Personal firewalls reside on host computers and are not designed for LAN implementations. They may be available by default from the OS or may be installed from an outside vendor.

(Figure: Using a firewall)

End of Chapter 5
Chapter 6

Automated System Administration

Tools for Automation

- Most system administration tools developed and sold today are based either on the idea of control interfaces (interaction between administrator and machine to make manual changes)
- Many ideas for automating system administration have been reported.
- The main focus of commercial system administration solutions has been the development of man-machine interfaces for system management.
- Tivoli provides a variety of ways for activating scripts, rather like cfengine:
  - Execute by hand when required.
  - Schedule tasks with a cron-like feature.
  - Execute an action (run a task on a set of hosts, copy a package out) in response to an event.
Automated Monitoring

- Manually monitoring your system is time-consuming and prone to errors and omissions.
- Fortunately, several automated monitoring tools are available:
  - COPS
  - SATAN

COPS (Computer Oracle Password and Security)

- COPS is a collection of programs that automate many of the computer monitoring procedures.
- As with any monitoring system, COPS detects potential problems; it does not correct them.
- COPS does not replace personal monitoring by the system administrator, but it does provide additional tools to help the administrator perform monitoring tasks.
- The tools in the COPS package check:
  - Permissions for files, directories, and devices
  - Contents of /etc/passwd and /etc/group files
  - Contents of /etc/hosts.equiv and ~/.rhosts files
  - Changes in SUID status
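Three of the checks in the list above (passwd contents, hosts.equiv trust, SUID changes), written as an added example rather than COPS's own code; the hosts.equiv check also applies the earlier rlogin advice that trust should never be extended to remote systems. File contents, the local domain and the SUID baseline are constructed samples; a real run would read the live files and a baseline saved by a previous run.

```python
# Constructed sample contents standing in for the live files.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh
bkup:x:0:0:second superuser:/:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
"""
HOSTS_EQUIV = """\
ws12.corp.example
+
mirror.example.net
"""
LOCAL_DOMAIN = ".corp.example"
SUID_BASELINE = {"/usr/bin/passwd", "/usr/bin/su", "/bin/ping"}
SUID_NOW = {"/usr/bin/passwd", "/usr/bin/su", "/bin/ping", "/tmp/.hidden/sh"}


def check_passwd(text):
    """Flag empty password fields and extra UID 0 accounts in passwd-format text."""
    findings, uid0 = [], []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"passwd line {n}: malformed entry")
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"passwd line {n}: {user} has an empty password field")
        if uid == "0":
            uid0.append(user)
    findings += [f"passwd: {u} has UID 0 (extra superuser)" for u in uid0 if u != "root"]
    return findings


def check_hosts_equiv(text, local_domain):
    """Flag the '+' wildcard and any trust extended beyond the local domain."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if entry == "+":
            findings.append(f"hosts.equiv line {n}: '+' trusts every host")
        elif "." in entry and not entry.endswith(local_domain):
            findings.append(f"hosts.equiv line {n}: trust extended to remote host {entry}")
    return findings


def check_suid(baseline, current):
    """Report SUID files that were not present when the baseline was recorded."""
    return [f"new SUID file: {p}" for p in sorted(current - baseline)]


def run_all():
    """Run the three checks over the sample data; findings are reported, not fixed."""
    return (check_passwd(PASSWD) + check_hosts_equiv(HOSTS_EQUIV, LOCAL_DOMAIN)
            + check_suid(SUID_BASELINE, SUID_NOW))
```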
SATAN

- Another tool for testing the security of your system is the Security Administrator's Tool for Analyzing Networks (SATAN).
- SATAN's introduction was met by near hysteria in the popular press, largely because of the tool's name. Despite its name, SATAN is just another security tool.
- SATAN does have some unique features.
- While COPS is intended for use on an individual system, SATAN is designed to test entire networks of systems.
- This is both a feature and a problem.
- If you are the administrator of your network, running SATAN allows you to check all of the systems on the network from one central system.
- If, however, you are responsible for only one system and you use SATAN to probe the other systems on your network, you will irritate all of the other system administrators on the network, who will view the SATAN probes as attempted break-ins.
- Use SATAN only to test systems on your own network that you have officially recognized authority over.
- Another feature of SATAN is that it uses your system's Web browser as the interface for viewing the security reports it generates.
- This is helpful if you have a large network of systems.
- The browser's ability to link together related documents allows SATAN to organize various hierarchies of security information.
- Use the browser to search for the most critical errors, the most troublesome subnets, or the most vulnerable hosts.

End of the Course

Thanks
