
INFORMATION SECURITY





DNSSEC  security extensions for the Domain Name System (zone data is digitally signed, so a
               resolver can detect forged answers)

Every site should have a security plan.

Running a secure web site with HTTPS and SSL/TLS

Analysis of a compromised "hacked" server.

Testing your network's exposure with tools such as:
   PHLAK  Professional Hacker's Linux Assault Kit (a bootable Linux distribution of security tools)
   netstat  lists the listening sockets and open connections on the host itself
   lsof  shows which process owns each open file and socket
   nmap  scans the host from outside, showing what a remote attacker can actually reach

You can determine information about a computer from its MAC Address: the first three octets (the OUI)
identify the interface vendor, and two flag bits in the first octet tell you whether the address is a
multicast address or was set by software rather than burned into the hardware.
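An added example (not from the page) of what can be read out of a MAC address: the vendor prefix and the two flag bits in the first octet. The OUI table is a constructed three-entry excerpt of well-known vendors, not the IEEE registry, which a real tool should load instead.

```python
"""What a MAC address tells you about a host: the vendor prefix (OUI) and two
flag bits in the first octet.  Added example (not from the page); the OUI
table is a constructed three-entry excerpt of well-known vendors, not the
IEEE registry, which a real tool should load instead."""
import re

# Constructed excerpt of the IEEE OUI registry: first three octets -> vendor.
OUI_TABLE = {
    "00:0C:29": "VMware, Inc.",
    "00:50:56": "VMware, Inc.",
    "08:00:27": "PCS Systemtechnik GmbH (VirtualBox)",
}

def normalize(mac: str) -> str:
    """Canonical form AA:BB:CC:DD:EE:FF, accepting colon, dash, Cisco dotted
    (aabb.ccdd.eeff) and bare hex input."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()

def describe(mac: str) -> dict:
    """Decode the address.  The first octet carries two flag bits:
    bit 0 (I/G)  1 = group (multicast/broadcast) address, never a real NIC
    bit 1 (U/L)  1 = locally administered, i.e. set by software (a VM, privacy
                 randomisation, or someone spoofing), so the OUI says nothing
                 about the hardware."""
    norm = normalize(mac)
    first_octet = int(norm[:2], 16)
    multicast = bool(first_octet & 0x01)
    local = bool(first_octet & 0x02)
    oui = norm[:8]
    return {
        "mac": norm,
        "oui": oui,
        "multicast": multicast,
        "broadcast": norm == "FF:FF:FF:FF:FF:FF",
        "locally_administered": local,
        # a vendor lookup is meaningless for a locally administered address
        "vendor": None if local else OUI_TABLE.get(oui),
    }

if __name__ == "__main__":
    # constructed sample addresses
    for sample in ("00:0c:29:ab:cd:ef", "0800.27aa.bbcc", "02:42:ac:11:00:02", "01:00:5e:00:00:fb"):
        print(describe(sample))
```

The U/L check matters in practice: a vendor match on an address whose U/L bit is set is not evidence of anything, since the address was chosen by software.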

 

the ENIGMA and the Turing BOMBE




Encryption


Steganography

Steganography is the art of hiding the existence of a message by concealing it
within another message, a photograph, an audio file, etc. (as opposed to encryption,
which hides only the content of a message, not the fact that one was sent).


 

FIREWALLS
Historically, there are two different engineering approaches to designing firewalls:

Stateful Packet Filtering
         operates at OSI layer 4 - the transport layer (plus the layer 3 addresses)
         the firewall maintains a table of every connection and its session state ("stateful"),
         so a packet is allowed in only if it belongs to a connection the table already knows about

         pros:  high performance
                    support for new protocols (any TCP/UDP service can be permitted by port number
                    without the firewall having to understand the protocol)

         cons:  does not inspect the application-layer payload, so it cannot detect a virus or an
                    application attack carried inside an otherwise permitted connection

Check Point, Cisco, and Juniper Networks' firewall offerings employ this design approach



Application Proxy
         operates at OSI layer 7 - the application layer
         uses application-aware forwarding modules: a per-protocol proxy terminates the client's
         connection, validates the protocol exchange, and opens a separate connection to the server

         pros:  offers a higher level of protection/security, since malformed or malicious
                   application data can be rejected before it reaches the server

         cons:  lower throughput, which can affect network performance
                     lack of support for new protocols (each protocol needs its own proxy module)
                     inability to perform stateful failover, since the proxy's terminated
                     connections cannot easily be handed to a standby firewall

 

OSI Model






Intrusion Detection Systems    an IDS identifies attempted attacks, typically by matching traffic
                                           against signatures of known attacks (anomaly-based systems flag
                                           deviations from a traffic baseline instead); it alerts but does not block

Intrusion Prevention Systems    an active IDS: it sits inline and drops or resets the offending traffic

Virtual Private Networks    a VPN provides authentication and encryption for each connection
                                              typically VPNs use ciphers such as AES


Firewalls    use ACLs (Access Control Lists) to determine what is allowed in or out

Multifunction Gateways

Deep Packet Inspection    conventional Layer 4 stateful packet filtering that has additional
                                            Layer 7 application-aware inspection capabilities
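The difference between the stateful filter described under FIREWALLS above and the Layer 7 inspection described here is easiest to see in code. This is an added example, not from the page or any vendor: a minimal stateful filter with a connection table, a stateless filter for comparison, and an optional application-layer signature hook. Packets are plain dicts, the policy (inside hosts may open outbound HTTP only) and the two signatures are assumptions, and the packet sequence is constructed.

```python
"""A minimal stateful packet filter with an optional layer-7 inspection hook.
Added example, not from the page: models the stateful-filter and deep-packet-
inspection designs described above on constructed packets, so it runs without
a network.  'flags' follows TCP (a SYN opens a flow); 'payload' is the
application data that a pure layer-4 filter never examines."""
import re

INSIDE_PREFIX = "10.0.0."                       # assumption: the protected network

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

# Constructed layer-7 signatures an application-aware inspector would flag
# inside an otherwise permitted HTTP connection.
L7_SIGNATURES = {
    "path traversal": re.compile(rb"\.\./"),
    "shell metacharacters in query": re.compile(rb"[?&][^ ]*[;|`]"),
}

class StatefulFilter:
    def __init__(self, inspect_l7: bool = False):
        self.flows = set()                      # connection table: (src, sport, dst, dport)
        self.inspect_l7 = inspect_l7

    def _policy_allows_new(self, pkt) -> bool:
        # Layer-4 policy: only inside -> outside TCP/80 may start a flow.
        return (pkt["proto"] == "tcp" and pkt["dport"] == 80
                and is_inside(pkt["src"]) and not is_inside(pkt["dst"]))

    def handle(self, pkt) -> str:
        """Return 'ACCEPT', 'DROP' or 'ALERT:<signature>' for one packet."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.flows or reverse in self.flows:
            pass                                # established flow: replies ride on the table entry
        elif "SYN" in pkt.get("flags", ()) and self._policy_allows_new(pkt):
            self.flows.add(key)                 # new flow: consult policy once, then remember it
        else:
            return "DROP"                       # unsolicited inbound, or policy denies
        if self.inspect_l7 and pkt.get("payload"):
            for name, sig in L7_SIGNATURES.items():
                if sig.search(pkt["payload"]):
                    return "ALERT:" + name      # the L4 filter alone would have accepted this
        return "ACCEPT"

def stateless_accepts(pkt) -> bool:
    """What a stateless filter must do to let web replies in: trust the source port."""
    return pkt["proto"] == "tcp" and pkt["sport"] == 80 and is_inside(pkt["dst"])

# Constructed packet sequence.
PACKETS = [
    {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "flags": ("SYN",)},
    {"src": "203.0.113.10", "sport": 80, "dst": "10.0.0.5", "dport": 40000, "proto": "tcp", "flags": ("SYN", "ACK")},
    {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "flags": ("ACK",),
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "flags": ("ACK",),
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    # spoofed 'reply' nobody asked for: source port 80 is enough to fool a stateless filter
    {"src": "198.51.100.7", "sport": 80, "dst": "10.0.0.5", "dport": 40001, "proto": "tcp", "flags": ("ACK",)},
    # unsolicited inbound SSH connection attempt
    {"src": "198.51.100.7", "sport": 5555, "dst": "10.0.0.5", "dport": 22, "proto": "tcp", "flags": ("SYN",)},
]

def run_scenario(inspect_l7: bool) -> list:
    fw = StatefulFilter(inspect_l7)
    return [fw.handle(p) for p in PACKETS]

if __name__ == "__main__":
    print("L4 only :", run_scenario(False))
    print("L4 + L7 :", run_scenario(True))
    print("stateless accepts spoofed packet:", stateless_accepts(PACKETS[4]))
```

The fourth packet is the point of the DPI entry: the stateful filter accepts it because it belongs to a permitted flow, and only the Layer 7 inspection sees the traversal attempt in the payload. The fifth packet shows why the connection table matters: a stateless port-based rule has to accept it.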




 

 

Computer Security "best practices":
• run the minimum - disable all unused services
• install the minimum - remove all unnecessary applications
• disable TELNET - use SSH for remote access
• disable SSH login for ROOT
• log in as an unprivileged user and use su (or sudo) to become root only when needed
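An added example (not from the page) that puts the "run the minimum" and SSH items above, together with the netstat check listed under testing your network's exposure, into a host audit: it parses netstat -tuln output for listeners that are reachable from the network and not on an allowlist, and reads the sshd_config directives that control root and password login. The netstat output, the sshd_config text and the allowlist are constructed samples and assumptions you would tune per host.

```python
"""Audit a host against the 'run the minimum' checklist: find network-reachable
listeners that are not on an allowlist (telnet in particular) and check the
sshd_config directives for root and password login.  Added example, not from
the page; NETSTAT_SAMPLE, SSHD_CONFIG_SAMPLE and ALLOWED_PORTS are constructed."""

# Constructed sample of `netstat -tuln` output (same columns as the real tool).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Constructed sshd_config; commented lines show defaults, as in a stock file.
SSHD_CONFIG_SAMPLE = """\
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
"""

# Assumed allowlist: the only services this host is supposed to expose.
ALLOWED_PORTS = {("tcp", 22)}
LOOPBACK = ("127.0.0.1", "::1")

def parse_listeners(netstat_output: str):
    """Yield (proto, address, port) for every listening socket in the output."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = fields[0].rstrip("6")
        addr, _, port = fields[3].rpartition(":")     # rpartition copes with IPv6 ':::22'
        yield proto, addr, int(port)

def unexpected_listeners(netstat_output: str, allowed=ALLOWED_PORTS) -> list:
    """Listeners reachable from the network that are not on the allowlist."""
    return [(proto, addr, port)
            for proto, addr, port in parse_listeners(netstat_output)
            if addr not in LOOPBACK and (proto, port) not in allowed]

def sshd_setting(config_text: str, keyword: str, default: str) -> str:
    """Effective value of an sshd_config keyword.  sshd uses the first
    uncommented occurrence of each keyword, so later duplicates are ignored."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return default

def audit(netstat_output: str, sshd_config: str) -> list:
    """Run all checks and return human-readable findings (empty list = clean)."""
    listeners = unexpected_listeners(netstat_output)
    findings = [f"unexpected listener: {p}/{port} on {addr}" for p, addr, port in listeners]
    if any(p == "tcp" and port == 23 for p, _, port in listeners):
        findings.append("telnet is listening: disable it and use SSH")
    if sshd_setting(sshd_config, "PermitRootLogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: set it to 'no' and use su/sudo from an unprivileged account")
    if sshd_setting(sshd_config, "PasswordAuthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: prefer key-based authentication")
    return findings

if __name__ == "__main__":
    for finding in audit(NETSTAT_SAMPLE, SSHD_CONFIG_SAMPLE):
        print(finding)
```

On a live host you would feed it the real output (netstat -tuln, or ss -tuln on newer systems) and /etc/ssh/sshd_config; lsof -i then tells you which process owns each listener the audit flags.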

 

 


How To Eliminate The Ten Most Critical Internet Security Threats
http://www.sans.org/top20/top10.php

01.   BIND weakness
        a. disable BIND on systems that are not DNS servers
        b. update BIND if still running v8.x
        c. run BIND as a non-privileged user
        d. run BIND in a 'chroot' environment / directory

02.   Vulnerable CGI programs and application extensions installed on web server
        a. do not run web servers as root
        b. remove script interpreters (perl, shells, etc.) from cgi-bin directories
        c. remove unsafe CGI scripts
        d. don't configure CGI support on web servers that don't need it
        e.  run web server in a 'chroot' environment / directory

03.   RPC weakness

04.   RDS security hole in Microsoft IIS

05.   Sendmail root attack

06.   mountd and sadmind (Solaris)

07.   NetBIOS, NFS, AppleShare

08.   accounts with a null password, or a default password left unchanged

09.   IMAP and POP buffer overflows

10.   SNMP defaults






 


Common firewall configuration errors

In "A Quantitative Study of Firewall Configuration Errors" (IEEE Computer, June 2004), author
Avishai Wool lists 12 common firewall configuration errors, found by auditing real Check Point rule bases.
Wool received a PhD in computer science from the Weizmann Institute of Science, Israel.
He is CTO at Algorithmic Security, a network security company he co-founded,
and is a senior member of the IEEE.

01.   no stealth rule
        the stealth rule protects the firewall itself from unauthorized access:
        a rule of the form "from anywhere, to the firewall, any service, drop", placed after the
        (narrow) rules that permit management access and before everything else

02.   DNS-TCP
        DNS is one of the most attacked services; allowing DNS over TCP from any source to any
        destination (often through a vendor's default or implicit rule) is an error
        a narrow, explicit rule is needed

03.   DNS-UDP
        the same for DNS over UDP
        a narrow, explicit rule is needed

04.   all ICMP
        with any-to-any ICMP, attackers can scan the internal network and propagate worms
        a narrow, explicit rule is needed (e.g. permit only the ICMP types you rely on, such as
        "fragmentation needed" for path-MTU discovery)

05.   insecure access
        access to the firewall over unencrypted or poorly authenticated protocols such as telnet, ftp, x11
        deny access to the firewall except from authenticated, encrypted sources

06.   >5 GUI clients
        too many management machines - this is a subjective threshold
        firewalls should be managed from a small number of machines

07.   external management
        machines outside the network perimeter should not be able to manage the firewall
        if remote administration is required, manage the firewall from "inside" via a VPN

08.   NetBIOS
        Microsoft Windows operating systems use NetBIOS to support file and print sharing
        NetBIOS services are frequently attacked and very insecure, and should be blocked in both directions.

09.   Sun - RPC
        NFS and the portmapper daemon have a long history of being insecure
        TCP and UDP traffic to port 111 should be denied (along with the RPC services the
        portmapper brokers, which listen on other, dynamically assigned ports).

10.   zone-spanning objects
        a defined network object (a set of IP addresses) which includes addresses that reside on more than one
        side / interface of the firewall (i.e. both internal and external addresses) is a zone-spanning object.
        any use of zone-spanning objects in firewall rule sets can cause unintended consequences.

11.   inbound services
        Allowing "any" service to enter the network is a gross mistake, since "any" includes numerous high-risk
        services such as NetBIOS and RPC

12.   outbound destinations
        Allowing "any" outbound destination could open up a hole between your trusted network and the servers
        in the DMZ (demilitarized zone).  The DMZ servers should not have access to the internal network, and
        using a predefined "any" is inherently "zone-spanning".
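The twelve errors above are mechanical enough to check automatically, which is how Wool found them. The following is an added example, not from the paper or from any vendor tool: a linter over a simplified, ordered Check Point-style rule base (src, dst, service, action). The zone layout, the network objects and the rule base are constructed so that the run trips most of the errors; errors 2 and 3 (any-to-any DNS) use the same check as error 4 (any-to-any ICMP).

```python
"""Lint a firewall rule base for the configuration errors in Wool's list.
Added example, not from the paper: ZONES, OBJECTS and RULES are constructed,
and the rule syntax is a simplified ordered list of (src, dst, service, action)."""
import ipaddress

# Constructed zones: which side of the firewall an address lives on; anything
# not listed is 'external'.
ZONES = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz":      [ipaddress.ip_network("192.0.2.0/24")],
}
FIREWALL = "fw"                                   # the firewall's own object name
INSECURE_MGMT = {"telnet", "ftp", "x11"}          # error 5
ANY_TO_ANY_ERRORS = {"dns-tcp": 2, "dns-udp": 3, "icmp": 4}

# Constructed network objects: name -> addresses/CIDRs ('any' is the wildcard).
OBJECTS = {
    "fw":       ["10.0.0.1"],
    "lan":      ["10.0.0.0/8"],
    "dmz-web":  ["192.0.2.10"],
    "admins":   ["10.0.5.%d" % i for i in range(1, 8)],   # seven management hosts (>5)
    "partners": ["10.1.0.0/16", "198.51.100.0/24"],       # internal + external: zone-spanning
}

# Constructed rule base, first match wins.
RULES = [
    {"src": "any",      "dst": "any",     "service": "icmp",    "action": "accept"},
    {"src": "admins",   "dst": "fw",      "service": "telnet",  "action": "accept"},
    {"src": "partners", "dst": "fw",      "service": "https",   "action": "accept"},
    {"src": "any",      "dst": "dmz-web", "service": "any",     "action": "accept"},
    {"src": "any",      "dst": "lan",     "service": "netbios", "action": "accept"},
    {"src": "any",      "dst": "lan",     "service": "sunrpc",  "action": "accept"},
    {"src": "lan",      "dst": "any",     "service": "http",    "action": "accept"},
    {"src": "any",      "dst": "any",     "service": "any",     "action": "drop"},
]

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"

def object_zones(name: str) -> set:
    """Zones an object touches; 'any' touches all of them."""
    if name == "any":
        return {"internal", "dmz", "external"}
    return {zone_of(ipaddress.ip_network(a, strict=False).network_address) for a in OBJECTS[name]}

def host_count(name: str) -> int:
    if name == "any":
        return 2 ** 32
    return sum(ipaddress.ip_network(a, strict=False).num_addresses for a in OBJECTS[name])

def lint(rules) -> list:
    """Return findings as '<error number>: <description>' strings."""
    findings = []
    if not any(r["dst"] == FIREWALL and r["service"] == "any" and r["action"] == "drop" for r in rules):
        findings.append("1: no stealth rule ('any -> firewall, any service, drop')")
    for i, r in enumerate(rules, 1):
        if r["action"] != "accept":
            continue
        src_zones = object_zones(r["src"])
        if r["src"] == "any" and r["dst"] == "any" and r["service"] in ANY_TO_ANY_ERRORS:
            findings.append(f"{ANY_TO_ANY_ERRORS[r['service']]}: rule {i} allows {r['service']} any-to-any")
        if r["dst"] == FIREWALL:
            if r["service"] in INSECURE_MGMT:
                findings.append(f"5: rule {i} manages the firewall over {r['service']}")
            if host_count(r["src"]) > 5:
                findings.append(f"6: rule {i} lets {host_count(r['src'])} hosts manage the firewall")
            if "external" in src_zones:
                findings.append(f"7: rule {i} allows firewall management from outside")
        if r["service"] == "netbios":
            findings.append(f"8: rule {i} allows NetBIOS")
        if r["service"] == "sunrpc":
            findings.append(f"9: rule {i} allows the portmapper (port 111)")
        for name in (r["src"], r["dst"]):
            if name != "any" and len(object_zones(name)) > 1:
                findings.append(f"10: rule {i} uses zone-spanning object '{name}'")
        if r["service"] == "any" and r["dst"] != "any" and "external" in src_zones:
            findings.append(f"11: rule {i} allows 'any' service inbound to {r['dst']}")
        if r["dst"] == "any" and r["src"] != "any" and "internal" in src_zones:
            findings.append(f"12: rule {i} allows 'any' destination outbound from {r['src']} (DMZ included)")
    return findings

if __name__ == "__main__":
    for finding in lint(RULES):
        print(finding)
```

Note that rule 3 trips three errors at once (6, 7 and 10): a single zone-spanning object used as a management source silently grants external management access, which is the "unintended consequences" warned about under error 10.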


Errata

 

advanced computer security
http://www.intenseschool.com/

 

Tripwire   (file integrity checker)
(Swarthmore uses Tripwire [licensed, commercial version] on its servers)

http://www.eccouncil.org/312-50.htm

http://www.eff.org/Privacy/printers/list.php

 

PGP KEYS

# gpg --list-keys abcd1234        (list the public key whose ID is abcd1234)

# gpg --list-sigs 1234abcd        (list the signatures other keys have made on key 1234abcd)

# gpg --check-sigs                (list the keys in the keyring and verify the signatures on them)


PGP fingerprint and signatures
A key's fingerprint is a hash of the public key; compare it out of band (by phone or in person)
before trusting a key you downloaded.
There are 2 kinds of PGP signatures used in email:
1. inline armor / clearsigned (older)
     plain text email only
     text file attachments
     not blocked by servers which block all attachments
     does not alarm recipient with the attachment
     fragile: a mail server that rewraps or re-encodes the body breaks the signature
2. PGP/MIME attachments
     separate detached signature part, signature.asc (.asc = ASCII-armored, a text file)
     the signature is computed over a hash of the signed MIME part (body and its headers) using the
     sender's private key (1024-bit keys were typical when this was written; 2048-bit or larger RSA,
     or elliptic-curve keys, are the current minimum)
    

 

 

 

 

 

Government Security Specifications

DoD 5220.22-M (the National Industrial Security Program Operating Manual) is the source of the widely
quoted "3-pass" overwrite for sanitizing magnetic disks: write a character, then its complement, then
random data, and verify the result.  Current editions no longer specify overwrite patterns (NIST SP 800-88
is the usual reference now), and overwriting does not reliably sanitize flash/SSD media, where the drive's
own secure-erase command is needed.  Note also that this is about sanitizing media, not individual
"deleted" files: deleting a file only removes its directory entry and leaves the data blocks in place
until they happen to be reused.
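An added example (not from the standard's text) of the three-pass overwrite described above, applied to a single file: a fixed byte, its complement, then random data, each pass flushed to disk and the last one read back and compared. It works on a temporary file it creates itself; the helper names are assumptions.

```python
"""Three-pass overwrite of a file in the pattern popularly attributed to DoD
5220.22-M: a byte, its complement, then random data, with the final pass
verified by reading it back.  Added example, not from the standard.
Caveat: this only reaches the blocks the filesystem maps to the file right
now.  Journal copies, snapshots, remapped sectors and SSD/flash wear-levelled
blocks are untouched, and the read-back may be served from the page cache
rather than the platter, so treat this as a demonstration of the pattern, not
as media sanitization (for that, use the drive's secure erase / NIST SP 800-88)."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024

def _overwrite_pass(fd: int, size: int, pattern) -> str:
    """One pass over the whole file with `pattern` (a single byte, repeated) or,
    if pattern is None, fresh random data.  fsync pushes the data out of the
    page cache.  Returns a SHA-256 of exactly what was written."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        block = os.urandom(n) if pattern is None else pattern * n
        digest.update(block)
        while block:                                # os.write may write less than asked
            block = block[os.write(fd, block):]
        remaining -= n
    os.fsync(fd)
    return digest.hexdigest()

def _readback_digest(fd: int, size: int) -> str:
    """Verification step: hash the file contents as read back."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        block = os.read(fd, min(CHUNK, remaining))
        if not block:
            raise IOError("short read during verification")
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()

def wipe_file(path: str, first_byte: int = 0x00) -> dict:
    """Overwrite `path` in place (pattern, complement, random), verify the last
    pass, then unlink the now-meaningless file.  Returns a summary for logging."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for pattern in (bytes([first_byte]), bytes([first_byte ^ 0xFF]), None):
            written = _overwrite_pass(fd, size, pattern)
        if _readback_digest(fd, size) != written:
            raise IOError("verification failed: data read back differs from the final pass")
    finally:
        os.close(fd)
    os.remove(path)           # only after the contents are gone; the name itself is not secret-bearing here
    return {"size": size, "passes": 3, "verified": True}

def demo_wipe(content: bytes) -> dict:
    """Write `content` to a temporary file, wipe it, and report what happened."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        path = tmp.name
    result = wipe_file(path)
    result["exists_after"] = os.path.exists(path)
    return result

if __name__ == "__main__":
    print(demo_wipe(b"top secret " * 1000))
```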














Corporate Computer Security
44% of corporations monitor employees' internet usage
40% of companies review employee phone logs
33% monitor instant messaging
33% monitor the opening of email attachments
30% track employees' time in the office
25% screen the content of outbound email
20% review fax transmissions
15% track printing and photocopying
10% monitor productivity of home workers
2% monitor keystrokes per hour


-InformationWeek, 2005.10.17

 

 

 


Copyright © billhance.com.  All rights reserved.