Contents at a Glance

Transcription

1 Contents at a Glance Introduction 1 I The Essentials of Network Perimeter Security 1 Perimeter Security Fundamentals 7 2 Packet Filtering 23 3 Stateful Firewalls 55 4 Proxy Firewalls 87 5 Security Policy 105 II Fortifying the Security Perimeter 6 The Role of a Router Virtual Private Networks Network Intrusion Detection Host Hardening Host Defense Components Intrusion Prevention Systems 273 III Designing a Secure Network Perimeter 12 Fundamentals of Secure Perimeter Design Separating Resources Wireless Network Security Software Architecture VPN Integration Tuning the Design for Performance Sample Designs 447

2 Contents at a Glance Introduction 1 I The Essentials of Network Perimeter Security 1 Perimeter Security Fundamentals 7 2 Packet Filtering 23 3 Stateful Firewalls 55 4 Proxy Firewalls 87 5 Security Policy 105 II Fortifying the Security Perimeter 6 The Roleofa Router Virtual Private Networks Network Intrusion Detection Host Hardening Host Defense Components Intrusion Prevention Systems 273 III Desigmng a Secure Network Perimeter 12 Fundamentals of Secure Perimeter Design Separating Resources Wireless Network Security Software Architecture VPN Integration Tuning the Design for Performance Sample Designs 447

3 IV Maintaining and Monitoring Perimeter Security 19 Maintaining a Security Perimeter Network Log Analysis Troubleshooting Defense Components Assessment Techniques Design Under Fire A Unified Security Perimeter: The Importance of Defense in Depth 619 V Appendixes A Cisco Access List Sample Configurations 641 B Crypto Index 663

4 Table of Contents Introduction 1 Who Should Read This Book 1 Why We Created This Book's Second Edition 1 Overview of the Book's Contents 2 Conventions 3 I The Essentials of Network Perimeter Security 1 Perimeter Security Fundamentals 7 Terms of the Trade 8 The Perimeter 8 Border Routers 8 Firewalls 8 Intrusion Detection Systems 9 Intrusion Prevention Systems 9 Virtual Private Networks 9 Software Architecture 10 De-Militarized Zones and Screened Subnets 10 Defense in Depth 11 Components of Defense in Depth 12 Case Study: Defense in Depth in Action 21 Summary 22 2 Packet Filtering 23 TCP/IP Primer: How Packet Filtering Works 23 TCP and UDP Ports 24 TCPsThree-way Handshake 25 The Cisco Router as a Packet Filter 26 An Alternative Packet Filter: IPChains 26 The Cisco ACL 27 Rule Order 28 Cisco IOS Basics 28

5 Contents Effective Uses of Packet-Filtering Devices 29 Filtering Based on Source Address: The Cisco Standard ACL 29 Egress Filtering 36 TrackingRejectedTraffic 37 Filtering by Port and Destination Address: The Cisco Extended ACL 37 The Cisco Extended ACL 37 Problems with Packet Filters 40 Spoofing and Source Routing 41 Fragments 41 Opening a "Hole" in a Static Packet Filter 42 Two-way Traffic and the established Keyword 43 Protocol Problems: Extended Access Lists and FTP 45 Dynamic Packet Filtering and the Reflexive Access List 47 FTP Problems Revisited with the Reflexive Access List 49 Reflexive ACLs with UDP and ICMP Traffic: Clearing Up DNS Issues 50 Trouble in Paradise: Problems with Reflexive Access Lists 50 Cisco IPv6 Access Lists 52 Summary 53 References 53 3 Stateful Firewalls 55 How a Stateful Firewall Works 55 The Concept of State 56 Transport and Network Protocols and State 57 Application-Level Traffic and State 62 Stateful Filtering and Stateful Inspection 69 Stateful Firewall Product Examples 70 Summary 86 References 86

6 Proxy Firewalls 87 Fundamentals of Proxying 88 Pros and Cons of Proxy Firewalls 92 Advantages of Proxy Firewalls 92 Disadvantages of Proxy Firewalls 94 Types of Proxies 95 Web Proxies 95 Reverse Proxies 97 Anonymizing Proxies 98 Tools for Proxying 100 Firewall Toolkit (FWTK) 100 SOCKS 101 Squid 102 Summary 103 Security Policy 105 Firewalls Are Policy 105 Active Policy Enforcement 106 Unenforceable Policy 107 How to Develop Policy 113 Identify Risks 113 CommunicateYour Findings 114 Create or Update the Security Policy as Needed 114 Determine Policy Compliance 115 Sound Out the Organization's Rules and Culture 115 Elements of Policy 117 Hallmarks of Good Policy 118 Perimeter Considerations 119 Real-world Operations and Policy 119 Rules of the Road 122 Summary 122 References 122

7 x Contents II Fortifying the Security Perimeter 6 The Role of a Router 125 The Router as a Perimeter Device 125 Routing 126 Secure Dynamic Routing 128 The Router as a Security Device 130 The Router as a Part of Defense in Depth 130 The Router as a Lone Perimeter Security Solution 135 Router Hardening 140 Operating System 140 Locking Down Administration Points 140 SSH 142 The Console Port 144 TFTP and FTP 144 Configuration Management Tricks withtftp and Scripts 145 Simple Network Management Protocol 145 Disable Unneeded Services 149 Configure NTP and NTP Authentication 151 Cisco TCP Keepalives Services 152 Unicast Reverse Path Forwarding 153 Internet Control Message Protocol Blocking 153 Spoofing and Source Routing 155 Router Logging 155 Automatic Securing and Auditing of Cisco Routers 157 Summary Virtual Private Networks 161 VPN Basics 161 Basic VPN Methodology 162 Advantages and Disadvantages ofvpns 165 BenefitsofaVPN 166 Disadvantages ofvpn 168

8 IPSec Basics 170 IPSec Protocol Suite 171 IKE 173 IPSec Security Protocols AH and ESP 177 IPSec Configuration Examples 183 OtherVPN Protocols: PPTP and L2TP 193 PPTP 193 L2TP 194 Comparison of PPTP, L2TP, and IPSec 195 PPTP and L2TP Examples 195 Summary 198 References 199 Network Intrusion Detection 201 Network Intrusion Detection Basics 201 The Need for Intrusion Detection 202 Anomaly Detection 203 Signature Detection 204 False Positives and False Negatives 205 Alerting, Logging, and Reporting 207 Intrusion Detection Software 208 Intrusion-Related Services 209 The Roles of Network IDS in a Perimeter Defense 210 Identifying Weaknesses 210 Detecting Attacks from Your Own Hosts 211 Incident Handling and Forensics 211 Complementing Other Defense Components 212 IDS Sensor Placement 213 Deploying Multiple Network Sensors 213 Placing Sensors Near Filtering Devices 213 Placing IDS Sensors on the Internal Network 214 Working with Encryption 215 Processing in High-traffic Situations 215 Configuring Switches 215

9 Using an IDS Management Network 216 Maintaining Sensor Security 216 Case Studies 217 Case Study 1: Simple Network Infrastructure 217 Case Study 2: Multiple External Access Points 218 Case Study 3: Unrestricted Environment 220 Summary 222 Host Hardening 223 The Need for Host Hardening 223 Removing or Disablmg of Unnecessary Programs 225 Controlling Network Services 225 Removing Extraneous Software Components 230 Limiting Access to Data and Configuration Files 232 Controlling User and Privileges 233 Managing Unattended Accounts 233 Protecting Administrative Accounts 234 Enforcing Strong Passwords 235 Controlling Group Membership 237 Maintaining Host Security Logs 238 Windows Logging and Auditing 238 UNIX Logging and Auditing 238 Applying Patches 240 Additional Hardening Guidelines 241 Automating Host-Hardening Steps 241 Common Security Vulnerabilities 242 Hardening Checklists 242 Summary Host Defense Components 245 Hosts and the Perimeter 245 Workstation Considerations 246 Server Considerations 248

10 Contents xiii Antivirus Software 249 Strengths of Antivirus Software 249 Limitations of Antivirus Software 250 Host-Based Firewalls 252 Firewalls for Workstations 253 Firewalls for Servers 256 Host-Based Intrusion Detection 261 The Role of Host-Based IDS 261 Host-Based IDS Categories 262 Challenges of Host Defense Components 268 Defense Components on Compromised Hosts 269 Controlling Distributed Host Defense Components 269 Summary 271 References Intrusion Prevention Systems 273 Rapid Changes in the Marketplace 273 What Is IPS? 274 An IPS Must Be Fast 276 An IPS Must Keep State 276 An IPS Must Be Accurate and Up to Date 276 An IPS Must Have the Ability to Nullify an Attack 277 IPS Limitations 277 NIPS 279 An Excuse to Ignore Sound Practice 278 An IPS Simply Buys You Time 278 How Chokepoint NIPSWork 280 Switch-Type NIPS 285 Switch NIPS Deployment Recommendations 291 Host-Based Intrusion Prevention Systems 293 Real-world Defense Scenarios 293 Dynamic Rule Creation for Custom Applications 294

11 xiv Contents Monitoring File Integrity 294 Monitoring Application Behavior 295 HIPS Advantages 295 HIPS Challenges 296 More HIPS Challenges 296 HIPS Recommendations 297 Summary 298 III Designing a Secure Network Perimeter 12 Fundamentals of Secure Perimeter Design 301 Gathering Design Requirements 302 DeterminingWhich Resources to Protect 302 DeterminingWho the Potential Attackers Are 306 DefiningYour Business Requirements 309 Design Elements for Perimeter Security 315 Firewall and Router 315 Firewall andvpn 318 Multiple Firewalls 320 Summary 323 References Separating Resources 325 Security Zones 325 A Single Subnet 326 Multiple Subnets 329 Common Design Elements 334 Mail Relay 334 Split DNS 338 Client Separation 343 VLAN-Based Separation 346 VLAN Boundaries 346 JumpingAcrossVLANs 347 Firewalls andvlans 348 Private VLANs 349

12 Contents Summary 350 References Wireless Network Security Fundamentals 353 Securing Wireless Networks 354 Network Design 355 Wireless Encryption 359 Hardening Access Points 363 Defense in Depth for Wireless Networks 366 Auditing Wireless Security 367 Auditing the Wireless Network Design 367 Auditing Encryption 368 Case Study: Effective Wireless Architecture 369 Summary 373 References Software Architecture 375 Software Architecture and Network Defense 375 The Importance of Software Architecture 376 The Need to Evaluate Application Security 377 How Software Architecture Affects Network Defense 377 Firewall and Packet-Filtering Changes 378 Web Services and Interapplication Communications 378 Conflicts with Network Configuration 380 Encrypting Connections 381 Performance and Reliability 382 Atypical Operating System 382 Software Component Placement 382 Single-System Applications 383 Multitier Applications 383 Administrator Access to Systems 383 Applications for Internal Users Only 384

13 xvi Contents Identifying Potential Software Architecture Issues 385 Software Evaluation Checklist 385 Sources of Application Information 386 How to Handle an Unsecurable Application 387 Software Testing 387 Host Security 387 Network Configuration and Security 388 Network Defense Design Recommendations 389 Case Study: Customer Feedback System 389 Deployment Locations 390 Architecture Recommendation 391 Case Study: Web-Based Online Billing Application 391 Deployment Locations 393 Architecture Recommendation 394 Summary 394 References VPN Integration 395 Secure Shell 395 Standard SSH Connections 396 SSH Tunnels 398 Secure Sockets Layer 400 SSL Standard Connections 400 SSL Tunnels 403 SSL Proxy Servers 405 Remote Desktop Solutions 405 IPSec 409 Single Session 406 Multiple Session 408 IPSec Client Integration 410 IPSec Server Integration 411 IPSec Perimeter Defense Adjustments 412 IPSec Architectures 413

14 OtherVPN Considerations 413 ProprietaryVPN Implementations 413 Compromised or MaliciousVPN Clients 414 VPN Design Case Study 414 Gase Study: Home Users and Multiple Applications 414 Summary 418 References 418 Tuning the Design for Performance 419 Performance and Security 419 Defining Performance 419 Understanding the Importance of Performance in Security 421 Network Security Design Elements That Impact Performance 422 The Performance Impacts of Network Filters 422 Network Architecture 425 Case Studies to luustrate the Performance Impact of Network Security Design Elements 430 Impact of Encryption 432 Cryptographic Services 433 Understanding Encryption at the Network and Transport Layers 433 Using Hardware Accelerators to Improve Performance 436 Case Studies to luustrate the Performance Impact of Encryption 437 Using Load Balancing to Improve Performance 439 Problems with Load Balancing 440 Layer 4 Dispatchers 440 Layer 7 Dispatchers 441 Mitigating the Effects of DoS Attacks 441 ICMP Flooding 442 SYN Flooding 444 Summary 445 References 445

15 18 Sample Designs 447 Review of Security Design Criteria 447 Case Studies 449 Case Study 1: Telecommuter Who Is Using a Broadband Connection 450 Case Study 2: A Small Business That Has a Basic Internet Presence 452 Case Study 3: A Small E-Commerce Site 456 Case Study 4: A Complex E-Commerce Site 462 Summary 468 IV Maintaining and Monitoring Perimeter Security 19 Maintaining a Security Perimeter 471 System and Network Monitoring 471 Big Brother Fundamentals 472 Establishing Monitoring Procedures 475 Security Considerations for Remote Monitoring 483 Incident Response 486 Notification Options 486 General Response Guidelines 487 Responding to Malicious Incidents 488 Automating Event Responses 489 Accommodating Change 490 Fundamentals of Change Management 490 Implementing Change-Management Controls 492 Summary 495 References Network Log Analysis 497 The Importance of Network Log Files 497 Characteristics of Log Files 498 Purposes of Log Files 500

16 Contents xix Log Analysis Basics 502 Getting Started with Log Analysis 502 Automating Log Analysis 504 Timestamps 507 Analyzing Router Logs 508 Cisco Router Logs 508 Other Router Logs 509 Analyzing Network Firewall Logs 509 Cisco PIX Logs 509 Check Point FireWall-1 Logs 510 IPTables Logs 511 Analyzing Host-Based Firewall and IDS Logs 512 ZoneAlarm 512 Norton Personal Firewall 513 Summary Troubleshooting Defense Components 517 The Process of Troubleshooting 517 Collecting Symptoms 518 Reviewing Recent Changes 518 Forming a Hypothesis 519 Testing the Hypothesis 519 Analyzing the Results 519 Repeating If Necessary 519 Troubleshooting Rules of Thumb 520 Make Only One Change at a Time 520 Keep an Open Mind 520 Get a Second Opinion 520 Stay Focused on Fixing the Problem 521 Don't Implement a FixThat Further CompromisesYour Security 521 The Obvious Problems Are Often Overlooked 521 Document, Document, Document! 521 The Troubleshooter's Toolbox 522 Application Layer Troubleshooting 523 Other Useful Utilities 525

17 Contents Transport Layer Troubleshooting 527 Network Layer Troubleshooting 540 Link Layer Troubleshooting 545 Summary 548 References Assessment Techniques 551 Roadmap for Assessing the Security ofyour Network 551 Planning 553 Reconnaissance 555 Network Service Discovery 560 System Enumeration 560 Service Discovery 563 Vulnerability Discovery 566 Nessus 567 ISS Internet Scanner 568 Retina 569 LANguard 570 Vulnerability Research 572 Verification of Perimeter Components 573 Preparing for the Firewall Validation 573 Verifying Access Controls 575 Remote Access 577 Wardialing 577 Wardriving 579 VPNs and Reverse Proxies 582 Exploitation 585 Results Analysis and Documentation 586 Summary Design Under Fire 589 The Hacker Approach to Attacking Networks 589 Adversarial Review 590 GIAC GCFW Student Practical Designs 592 Practical Design Practical Design Summary 616 References 617

18 24 A Unified Security Perimeter: The Importance of Defense in Depth 619 Castles: An Example of Defense-in-Depth Architecture 620 Hard Walls and Härder Cannonballs 621 Secret Passages 621 Hiding in the Mist 626 Defense on the Inside 628 Absorbent Perimeters 632 Honeypots 632 Rate Limiting 633 Failover 635 Defense in Depth with Information 635 The Problem of Diffusion 636 Cryptography and Defense in Depth 637 Summary 638 V A Appendixes Cisco Access List Sample Configurations 641 Complete Access List for a Private-Only Network 641 Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access 645 Example of a Router Configuration as Generated by the Cisco Auto Secure Feature 650 B Crypto Encryption Algorithms 657 Shared Key: Symmetrie 658 Public-Private Key: Asymmetrie 659 Digital Signatures and Hash Algorithms 660 References 661 Index 663