- Host Perimeter Defense
Security Essentials
The SANS Institute
Host Perimeter Defense - SANS ©2001 1
Most of us have a problem. We are under attack. At this very moment, our internet-connected
computer systems are being subjected to a surprising number of probes, penetration attempts, and
other malicious attention.
In this talk, we will discuss the types of attacks that are being used against our computers, and how to
defend against these attacks. You will learn about both free and commercial software products that
will help you improve the security of your systems. These products present a variety of solutions,
ranging from easy-to-configure, “hassle-free” products that provide a reasonable level of security, to
more complex solutions that provide more stringent measures for high-value assets.
6-1
- Agenda
• Do we have a problem?
• Who is vulnerable?
• Threats and types of protection
• Features to look for
• Summary
We will begin this talk by examining the scope of the problem, and you will learn about the types of
systems that are vulnerable and that may require protection.
The main portion of this talk will focus on the various threats to your host’s security, and the types of
protection (including specific tools) that can be used to defend against these threats.
Finally, we will discuss some features to look for when choosing a host perimeter solution. A
summary of important information will round out the talk. At the end of the webcast, you will be
able to recommend and implement utilities and policies for host perimeter defense.
- Host Perimeter Defense
• Defends the borders of your
computer
• Complements network perimeter
defense
– Additional layer of protection
• May also be first line of defense
Host perimeter defense is just what it sounds like: Defending the perimeter of the host itself - the
borders of your computer.
Most security-conscious organizations protect the borders of their network with tools such as
firewalls or packet-filtering routers. In this situation, host perimeter defense complements network
perimeter defense by adding a second layer of security. Even if an intruder is able to penetrate your
network, he or she will then have to penetrate any host-based security to access protected hosts on
your network.
There are also cases where host perimeter defense is your first line of defense: when there is no
network protection at all; when the network perimeter is bypassed, for example through a connection
to a dial-up server inside your firewall; and for systems that are not on a protected network at all,
such as home computers that connect to the Internet through an Internet Service Provider (ISP).
- Who is Vulnerable?
• Any host that is:
– Directly connected to the internet
– “Protected” behind a firewall
– Networked with any other hosts
(even if not connected to the
internet)
– Connected via modem, cable modem,
ISDN, DSL, etc.
Any networked host may be a candidate for protection using host perimeter defense solutions,
including:
• computers directly connected to the Internet. Any host directly connected to the Internet is visible
to (and potentially vulnerable to!) any one of the several million other Internet users around the
globe. Essentially, anyone from Russia to Brazil to the person next door can “see” your computer -
and may be able to compromise it.
• computers “protected” by a firewall. A firewall is not a bulletproof solution to your security
problems. Dial-up connections may bypass your firewall’s security completely. “Legitimate” traffic
allowed through the firewall may contain dangerous code, such as malicious Java applets in HTTP
traffic, or Trojan executables in electronic mail (SMTP) traffic. Users may install unauthorized
software or modems that create security holes.
• hosts on a private network. Even if you are completely disconnected from the Internet, you may
need to protect your hosts from each other. A large number of security breaches come from inside an
organization. Employees trying to steal information for a competitor, or disgruntled employees who
might want to damage or destroy information, present a real threat.
The information on threats and defenses in the following slides can be applied to any of the above
scenarios. However, for the purpose of this course, we will focus on one scenario in particular that is
often overlooked.
- Impact of the Problem
• Personal information
– Financial records
– Account names/passwords
• Business information
– Home-based business
– Telecommuters
– Connect to corporate LAN from home
This problem can be a serious one for home users. Sensitive information such as financial records
and account numbers, usernames and passwords may all be stored on a home PC - all of which
provide tempting targets for attackers.
However, this problem is no longer limited to private home users. Businesses can be seriously
affected as well, as the line between home and business computers has increasingly blurred over the
past few years. Businesses are operated out of peoples’ homes; employees work at home and
“telecommute;” users take work home, or use home computers to dial-in to corporate networks and
electronic mail servers. All of these scenarios mean that, in addition to sensitive personal
information, it is highly likely that sensitive business information can be found on “personal”
computers.
Which is more difficult for an attacker: To break into a corporate network that is protected by
firewalls, intrusion detection software, and skilled administrators who regularly review log files? Or
to break into the CEO’s unprotected home PC, steal his userid and password, and log straight in to
the corporate network using the stolen information?
- Do We Have a Problem?
Many SANS instructors use personal firewalls, of course, and a number of them use flashing icons to
inform you that an attack has occurred. When Stephen Northcutt teaches intrusion detection he will
often leave the BlackICE icon flashing yellow until some student comes up and says “I can’t stand it.”
This screen shot (the BlackICE event list; the image itself is not reproduced here) was taken April 14,
2001. As you can see, this computer has been hit with a number of attacks. Notice the three DNS
probes. This was about three weeks after the Lion worm, malicious code that attacked Linux
computers running vulnerable BIND DNS servers, and it was clearly still active at the time. If you are
tuning out because you are a Windows user, the Kak and Qaz Windows worms did a lot of damage
only six months earlier. So, you are going to get hit.
- What are the Threats?
• Known vulnerabilities
• Malicious code
• Unauthorized connections
The number and types of vulnerabilities to individual hosts varies greatly. We will examine these
vulnerabilities, and the actions you can take to counter them, in the next series of slides.
- Known Vulnerabilities
• Operating systems and common
software
– Inherent weaknesses
– Default configuration
– Misconfiguration
– Sample applications
Any host is, of course, susceptible to any vulnerabilities in the operating system and software which
the host runs.
A computer’s operating system (OS) will affect its inherent level of security. An OS with strong
authentication mechanisms, privilege and access control, and auditing or logging capabilities (such
as Windows NT, Windows 2000, Unix, or Linux) is more secure than an OS that does not have these
features (such as Windows 95/98). As the majority of home users still run Windows 95 or 98, this
issue becomes a critical one.
Unfortunately, NO operating system is secure “out of the box,” and attackers will take advantage of
security holes in default OS or application configurations, or user/administrator misconfigurations.
Another vulnerability is sample applications that are often included in web server software or
software development kits. These samples are not intended for production systems (read: they are
NOT SECURE) and can open up additional security holes in your system.
These “holes” are often well-known and well-publicized in the “black hat” community. Worse, for
any vulnerability that has been known for a period of time, there is most likely a script that exploits
the vulnerability. These scripts are readily available on the Internet - making it simple for even the
most inexperienced attacker to launch sophisticated attacks on your systems.
- Known Vulnerability Defense
• Choose a secure OS
• Build a secure configuration
• Install updates and patches
• Remove sample applications
• Stay informed
Your best defense against known vulnerabilities is information and education.
• Choose a secure OS and learn to configure it properly. Most vendors and some third-party
organizations now provide recommendations on configuring operating systems and applications
securely. Obtain these documents and apply them per your organization’s needs.
• Keep your software up-to-date with upgrades and patches. Vendors regularly release updates
and patches, many of which address security issues. Keep your systems up-to-date with the latest
patches.
• Remove sample applications. Do not install sample applications, unless they are loaded on a test
system. If sample applications must be installed, secure them just as you would any other software
component.
• Stay informed. New security vulnerabilities are released daily. A quick and easy way to stay up-
to-date is to subscribe to security mailing lists. Several excellent public lists are given at the end of
this presentation. Most vendors also have their own mailing lists, or at least post security notices on
their web sites.
- Malicious Code
• Program that performs harmful,
unauthorized action
– Viruses
– Trojans
– Java applets and ActiveX controls
• Often easily bypass network
security
One of the broadest categories of threats to your network hosts is that of malicious code. Malicious code
is defined as an executable program that performs an action (often harmful or destructive) without the
knowledge of the user.
Malicious code includes viruses and Trojan software (malicious software masquerading as a useful
program or utility). Recent virus incidents, such as those surrounding the ILOVEYOU virus or the
Melissa virus, indicate the seriousness of the threat. The attacker who gained access to Microsoft’s
network in October 2000 and viewed source code for a future Microsoft product is suspected to have
gained access to internal systems via the QAZ worm, which installs a hidden ‘back door’ that allows
remote access to a system. Over 40,000 known viruses exist as of this writing, and the number continues
to increase.
A newer threat is that presented by Java applets and ActiveX controls. These are bits of code, like mini-
programs, that run within a web browser when you access a web page that contains them. (Java applets
run in any browser that has a Java runtime; ActiveX is specific to Microsoft Internet Explorer.) Both are
supposed to be “safe”: Java applets are confined to a sandbox that restricts what they may do on the
user’s computer, while ActiveX relies on the user accepting a digitally signed control, after which the
control runs with the full privileges of the user. A number of security holes have been found in these
technologies, and a malicious applet or control can perform actions such as reading files (including a
password file) or deleting files. Worse, most of this code runs within the browser without the user’s
knowledge.
A particular danger of malicious code is that it can easily bypass security measures such as firewalls. This
is because malicious code is often hidden in “legitimate” network traffic. Your firewall probably allows
HTTP (Web) traffic into your network, but this traffic can contain hostile Java and ActiveX code. You
probably also allow SMTP (electronic mail) traffic, but electronic mail often contains attachments with
macro viruses or Trojan software.
- Malicious Code Defense
• Anti-virus software
• Java/ActiveX protection
Probably the most well-known form of host perimeter defense is anti-virus software, which defends
your computer from malicious code such as viruses and some common Trojan/backdoor programs
(such as NetBus or Back Orifice). Because anti-virus software is covered in its own course, we will
only mention it briefly here.
However, it is important to note that some anti-virus vendors are now offering additional protection
against hostile Java applets and ActiveX controls. For example, both Norton AntiVirus and McAfee
VirusScan offer some degree of Java/ActiveX protection. Check your product specifications
carefully; some vendors’ offerings may only provide protection for specific browsers (for example,
for Netscape Navigator or Microsoft Internet Explorer, but not both).
Another means to defend against malicious Java and ActiveX code is to tighten your browser’s
security settings. Both Netscape Navigator and Microsoft Internet Explorer let you allow, prompt
for, or disallow Java applets, ActiveX controls, and scripting. One catch to tightening security in
this way is that you may block safe applets along with hostile ones: some Web sites will not display
correctly without scripting enabled, or will pop up an annoying number of warning messages asking
whether you want to run an applet.
- Unauthorized Connections
• Default services running on a
system
• Software that opens additional
ports
Applications and services used for network or host-to-host communications use a protocol and a port
number to communicate. Protocols include Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP). Common ports include those used for Telnet (23), DNS (53), and POP3
(110).
Computers need these protocols and ports to communicate with each other, and the default
installation of any operating system will open various ports. For example, Unix and Linux systems
typically install a Telnet server (port 23). Microsoft Windows systems use the NetBIOS ports
(137-139) for Windows networking. Applications may open additional ports; Web servers may use
FTP (21), HTTP (80), or HTTPS (443, HTTP over SSL). Trojan software may open still more ports,
such as the defaults used by NetBus (12345) or Back Orifice (31337).
All of these ports represent a potential “door” through which someone can enter your computer. A
computer will typically “listen” on a port until a connection is attempted. Depending on the
authorization (if any!) required, the system will then accept or reject the connection attempt.
However, it’s a good bet that most users don’t know what a port is, much less which ports may be
open on their computers.
- Unauthorized Connection
Defense
• Determine open ports
• Block ports that are not needed
• Monitor connection attempts
The first step in protecting your system from unauthorized connection attempts is to determine which
ports are actually open on your system. For example, in Windows 9x or NT (and likewise on Unix and
Linux), you can type netstat -a at the command prompt to display a list of all listening ports and
open connections on your system; netstat -an shows addresses and ports numerically, so that name
lookups neither delay nor obscure the output.
This utility is good for generating a “snapshot” view of system activity, as it will also identify the
open ports on your system - including some you may not know you have!
However, it does not provide a means to block ports that you don’t want left open, or to monitor port
activity on an ongoing basis. That is the purpose of personal firewall and host-based intrusion
detection software.
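As an added example (not part of the SANS course material), here is a small Python script that takes the text of netstat -an, picks out the sockets that will accept unsolicited traffic (TCP sockets in LISTENING state and every bound UDP socket), and compares them against an allowlist of the ports you expect on the host. The netstat output, the allowlist and the function names are constructed for this illustration; the two Trojan ports it names are the NetBus and Back Orifice defaults given in these notes.

```python
"""Snapshot the listening ports from `netstat -an` output and flag the unexpected ones."""
from __future__ import annotations

import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str  # "TCP" or "UDP"
    addr: str   # local address the socket is bound to
    port: int


# Constructed sample in the layout of Windows `netstat -an`; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1033      64.12.24.5:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Default ports of the two Trojans named in the notes.
TROJAN_PORTS = {12345: "NetBus", 31337: "Back Orifice"}

# proto, local addr:port, foreign addr:port, optional state (UDP lines carry no state column)
_SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return the sockets that accept unsolicited traffic: TCP sockets in LISTENING
    state and every bound UDP socket (UDP has no connection state to filter on)."""
    listeners: list[Listener] = []
    for line in netstat_output.splitlines():
        match = _SOCKET_LINE.match(line)
        if not match:
            continue  # banner, column headers, blank lines
        proto, addr, port, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit_listeners(listeners: list[Listener], allowed: set[tuple[str, int]]) -> list[str]:
    """One finding per listener that is not on the allowlist of (proto, port) pairs you
    expect on this host; a port matching a known Trojan default is named as such."""
    findings: list[str] = []
    for sock in listeners:
        if (sock.proto, sock.port) in allowed:
            continue
        label = TROJAN_PORTS.get(sock.port, "not on allowlist")
        findings.append(f"{sock.proto}/{sock.port} bound on {sock.addr}: {label}")
    return findings


if __name__ == "__main__":
    # Assumed allowlist for a home Windows PC that only needs NetBIOS on the LAN.
    expected = {("TCP", 139), ("UDP", 137)}
    for finding in audit_listeners(parse_listeners(SAMPLE_NETSTAT), expected):
        print(finding)
```

To run it against a live host, replace SAMPLE_NETSTAT with sys.stdin.read() and pipe netstat -an into the script. Every port it reports is one you either account for or block with the personal firewall and intrusion detection software discussed next; the snapshot only tells you what is open at that instant, so repeat it after installing software.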
- Personal Security Software
• Combine various firewall and IDS
technologies to successfully defend
your station
– Application-level connectivity control
– Protocol-level data flow control
– Intrusion detection system
component
Personal security software is a key element to defend your home station from the Internet. To
successfully defend our station from outside attacks, a combination of firewall and IDS technologies
is the best means of defense. Many popular product solutions provide packet-filtering, proxying, or
IDS capabilities, or a combination of them all.
Application-level connectivity control is generally easier to configure, particularly for the less-
technical user. Access is controlled by rules that specify which applications are allowed to perform
particular actions. For example, the user may create a rule that says Netscape is allowed to initiate
connections to particular Internet sites, or that Outlook Express is allowed to connect to your ISP’s
mail server.
Packet-filtering/IP-level data flow control requires more technical expertise on the part of the user in
order to configure properly. Access is controlled by rules that specify which protocols are allowed
or disallowed. For example, a user may create rules that block all traffic except for HTTP, SMTP,
and POP3.
In the following slides we will explore examples of products that demonstrate the effective
application of these technologies to defend our stations from perimeter attacks.
- Network ICE BlackICE Defender
One example of a packet-filtering personal firewall is Network ICE’s BlackICE Defender. It combines a
packet-filtering firewall component with an intrusion detection component that has stateful inspection
capabilities, monitoring your network connection for "signatures" of popular attacks.
Many host-based security systems like BlackICE Defender will combine multiple technologies to optimize
the overall effect on the station's security. BlackICE Defender uses its intrusion detection system in
conjunction with its packet-filtering capabilities to provide an enhanced form of stateful inspection. It can
determine whether the incoming traffic is "malicious" in nature before allowing the traffic access to the
system. Upon discovery of an attacker, BlackICE Defender will not only block them from further access and
log the attack and all packets from the attack, it will go so far as to attempt to collect information about
the attacker, including host name and MAC address. (A MAC address is only meaningful when the attacker
is on your local network segment; from across the Internet you will see the MAC address of your own
router or ISP equipment instead, and a host name is only as trustworthy as the DNS server that answers the
lookup.)
Even if the hostile traffic in question is allowed in by the current packet filtering rules, the stateful inspection
process will still detect the attack and deny the perpetrator access. For example, say you were running an FTP
server on your station and had a configuration allowing incoming FTP traffic. If a known attack was tried on
port 21 (the default port for FTP traffic) BlackICE would identify the traffic as hostile in nature and block the
attacker from accessing the system.
The negative aspect of such an inspection system is that false positives can be registered, and in some cases
prevent normal usage between systems. BlackICE addresses this issue by allowing the editing of the
BLACKICE.INI file, to specify issues (event types) that should no longer be identified as an attack. A line of
the form:
trust.issue = <issue number>
stops the event with that issue number from being reported as an attack. A list of issue numbers and
their definitions is available on Network ICE's website.
- BlackICE Defender
Security Configuration
Easy configuration is an important feature of a good personal security system. The common
dilemma when designing such a system is how to make the software easily configurable for a novice
while allowing the flexibility that an advanced user will need. To configure the default packet-
filtering rules for BlackICE Defender, two different systems are used. For the novice, BlackICE
Defender provides an easy to use graphical interface that allows you to choose between four pre-
configured "levels" of protection, ranging from "trusting" to "paranoid." Each setting blocks a
progressively more aggressive range of TCP and UDP ports. “Trusting” doesn’t block any TCP or
UDP ports. “Cautious” blocks TCP ports 0-1023. “Nervous” blocks all TCP ports and UDP ports 0-
1023. While “Paranoid” blocks all TCP and UDP ports. (Note: These rules refer to incoming traffic
ONLY. All outgoing traffic and TCP return traffic is allowed no matter which security level is
selected.)
- BlackICE Defender
FIREWALL.INI
[MANUAL IP ACCEPT]
[MANUAL UDP low REJECT]
REJECT, 137, NETBIOS Name Service, 1999-07-22 20:26:53, PERPETUAL
REJECT, 138, NETBIOS Datagram Service, 1999-07-22 20:26:53, PERPETUAL
[MANUAL UDP high ACCEPT]
[MANUAL TCP low REJECT]
ACCEPT, 113, identd, 1999-07-19 20:50:26, PERPETUAL
REJECT, 139, SMB, 1999-07-19 20:50:26, PERPETUAL
[MANUAL TCP high ACCEPT]
For advanced users, BlackICE provides an editable configuration file, FIREWALL.INI. Manual
packet-filtering rules can be applied to allow or disallow various types of protocol level traffic. This
is how to custom-tailor BlackICE Defender to suit a more advanced environment. For example, you
can set packet-filtering rules to allow a local HTTP or FTP server on your system. An example filter
would be as follows:
Under the [MANUAL TCP low REJECT] heading of the FIREWALL.INI you would enter a line
like:
ACCEPT, 80, HTTP, 2000-10-16 20:30:53, PERPETUAL
This line is not unlike the packet filters that are applied in various commercial firewalls, including
router access control lists. It would allow any inbound HTTP traffic on port 80. In this example, because
the BlackICE configuration is set to “paranoid”, the default for TCP low traffic (ports below 1024) is
REJECT (hence the name of the section heading). The default rule applied to any traffic is therefore an
implicit deny: all traffic is disallowed unless a rule says otherwise. If the security setting were
“trusting”, the default for TCP traffic below port 1024 would be an implicit accept, and rules would be
added only for the particular traffic types that needed to be denied. Either way, a custom configuration
can be tailored for almost any need.
Under the [PARMS] section of FIREWALL.INI, other advanced settings can be configured.
Included among these are how long attackers should be blocked, settings blocking Denial of Service
attacks (including attacks using fragmentation), and the enabling of stateful inspection to allow DNS
and NetBIOS responses.
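As an added example (not BlackICE code and not from the original notes), the following Python evaluates an unsolicited inbound packet against a FIREWALL.INI in the layout shown on the previous slide: an explicit ACCEPT or REJECT line for the port wins, otherwise the section's default action applies, which gives the implicit deny described above whenever the section default is REJECT. It also encodes the four protection levels from the security configuration slide as section defaults, so you can see what each level implies for a given port. The INI text is a constructed fragment (the slide's entries plus the HTTP rule from these notes); the function names and the fail-closed behaviour for a missing section are this example's own choices.

```python
"""Evaluate unsolicited inbound packets against a BlackICE-style FIREWALL.INI."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed fragment in the layout shown on the slide, plus the HTTP rule from the notes.
SAMPLE_FIREWALL_INI = """\
[MANUAL IP ACCEPT]
[MANUAL UDP low REJECT]
REJECT, 137, NETBIOS Name Service, 1999-07-22 20:26:53, PERPETUAL
REJECT, 138, NETBIOS Datagram Service, 1999-07-22 20:26:53, PERPETUAL
[MANUAL UDP high ACCEPT]
[MANUAL TCP low REJECT]
ACCEPT, 113, identd, 1999-07-19 20:50:26, PERPETUAL
REJECT, 139, SMB, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 80, HTTP, 2000-10-16 20:30:53, PERPETUAL
[MANUAL TCP high ACCEPT]
"""

# "[MANUAL TCP low REJECT]" -> protocol, port range ("low" = 0-1023, "high" = 1024-65535), default.
# "[MANUAL IP ACCEPT]" has no range and is used here for protocols other than TCP and UDP.
_SECTION = re.compile(r"^\[MANUAL (IP|TCP|UDP)(?: (low|high))? (ACCEPT|REJECT)\]$")
# "ACCEPT, 80, HTTP, 2000-10-16 20:30:53, PERPETUAL" -> action, port, name, created, expiry
_RULE = re.compile(r"^(ACCEPT|REJECT)\s*,\s*(\d+)\s*,\s*([^,]*?)\s*,\s*([^,]*?)\s*,\s*(\S+)\s*$")


@dataclass
class Section:
    default: str                                                      # action when no rule names the port
    rules: dict[int, tuple[str, str]] = field(default_factory=dict)  # port -> (action, rule name)


def parse_firewall_ini(text: str) -> dict[str, Section]:
    """Map section keys ("TCP low", "TCP high", "UDP low", "UDP high", "IP") to their
    default action and the explicit per-port rules listed beneath them."""
    sections: dict[str, Section] = {}
    current: Section | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _SECTION.match(line)
        if header:
            proto, port_range, default = header.groups()
            key = proto if port_range is None else f"{proto} {port_range}"
            current = sections.setdefault(key, Section(default))
            continue
        rule = _RULE.match(line)
        if rule and current is not None:
            action, port, name = rule.group(1), int(rule.group(2)), rule.group(3)
            current.rules[port] = (action, name)
    return sections


def decide_inbound(sections: dict[str, Section], proto: str, port: int) -> tuple[str, str]:
    """Return (ACCEPT|REJECT, reason) for an unsolicited inbound packet. An explicit rule
    for the port wins; otherwise the section default applies, which is the implicit deny
    when that default is REJECT. Outbound and TCP return traffic are always allowed by
    BlackICE whatever the level, so they are not modelled here."""
    proto = proto.upper()
    if proto in ("TCP", "UDP"):
        key = f"{proto} {'low' if port < 1024 else 'high'}"
    else:
        key = "IP"
    section = sections.get(key)
    if section is None:
        return "REJECT", f"no section for {key} (this example fails closed)"
    if port in section.rules:
        action, name = section.rules[port]
        return action, f"rule {name}"
    return section.default, f"default for {key}"


def level_defaults(level: str) -> dict[str, str]:
    """Section defaults that each pre-configured protection level sets for inbound traffic,
    as listed in the notes: trusting blocks nothing, cautious blocks TCP 0-1023, nervous
    blocks all TCP plus UDP 0-1023, paranoid blocks all TCP and UDP."""
    blocked = {
        "trusting": set(),
        "cautious": {"TCP low"},
        "nervous": {"TCP low", "TCP high", "UDP low"},
        "paranoid": {"TCP low", "TCP high", "UDP low", "UDP high"},
    }[level]
    return {key: ("REJECT" if key in blocked else "ACCEPT")
            for key in ("TCP low", "TCP high", "UDP low", "UDP high")}


if __name__ == "__main__":
    secs = parse_firewall_ini(SAMPLE_FIREWALL_INI)
    for proto, port in [("TCP", 80), ("TCP", 139), ("TCP", 22), ("TCP", 8080), ("UDP", 53), ("ICMP", 0)]:
        print(proto, port, *decide_inbound(secs, proto, port))
```

Comparing the section defaults in a real FIREWALL.INI with level_defaults("paranoid") is a quick way to confirm that the file really reflects the level you selected in the graphical interface before you start adding ACCEPT lines; the sample above, for instance, leaves TCP ports above 1023 accepted by default, which is what the "cautious" and "nervous" levels differ on.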
- Other Packet-filtering Personal
Firewalls
• Dynamic Solutions, Inc - NukeNabber
• Network Associates - PGP Desktop Security
• Network Flight Recorder - BackOfficer Friendly
….and for *nix users:
• Psionic Software - Portsentry
This slide lists some additional packet-filtering products available for host-based protection.
- Zone Labs ZoneAlarm
An application-level firewall, such as a proxy, deals directly with the "programs" that communicate
to and from the internet, in contrast to protocol-level firewalls which don't care what application is
accessing the network, just the individual packets which are being sent.
An example of a personal application-level software program is ZoneAlarm, a "free for personal use"
offering by Zone Labs. ZoneAlarm intervenes at an application level when users are accessing the
Internet. Whenever an application on your system tries to contact the internet, ZoneAlarm
intercepts the traffic. It checks to see if the application that sent the traffic has a rule set up for it in
its current rules database. If it does, it either allows or disallows the program access based on that
rule. If it doesn't currently have a rule configured, it will ask the user if they want to allow the
program to gain access to the Internet. If the user chooses to have ZoneAlarm remember the way
they respond, a rule is created for that application and added to the rules list. If the user doesn’t have
ZoneAlarm save their response, then every time the program is run, ZoneAlarm will again ask the
user whether or not they want to allow the program access.
Rules per application can make the protection of a system less complicated for a novice.
Hopefully, most users should be familiar enough with the applications they use to decide whether
or not a given application should be allowed to communicate with the outside world. This feature
can also keep Trojans, “spyware”, and viruses from subverting your system’s defenses by warning you
when they try to contact the outside world or propagate themselves. Note that a rule is tied to the
program as the firewall identifies it, so malicious code that hides inside, replaces, or runs under the
name of a program you have already trusted may inherit that program’s permission; a prompt you do
not expect from a familiar application therefore deserves a “no”. ZoneAlarm also includes an Internet
Lock, which completely disables Internet access after a predetermined period of station inactivity, and
an e-mail-level VBS blocker to screen for this popular e-mail virus type.
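As an added example (not Zone Labs code and not from the original notes), the following Python models the decision flow just described: a connection attempt by a program is allowed or denied by an existing rule if one exists, otherwise the user is prompted, and the answer becomes a rule only if the user asks for it to be remembered. One assumption of the example is that a program is identified by a hash of its executable rather than by its file name alone, chosen so that a Trojan dropped under a trusted program's name does not inherit that program's rule; the application names, byte strings and prompt callbacks are constructed for the illustration.

```python
"""Per-application connection control in the ZoneAlarm style (added example, not Zone Labs code)."""
from __future__ import annotations

import hashlib
from typing import Callable, Tuple

# Stands in for the dialog the firewall shows the user: prompt(app_name) -> (allow, remember)
Prompt = Callable[[str], Tuple[bool, bool]]


class AppConnectionPolicy:
    """Decide whether a program may open an outbound connection.

    Assumption of this example: a program is identified by a hash of its executable,
    not by its file name, so a Trojan dropped under a trusted program's name does not
    inherit that program's rule.
    """

    def __init__(self) -> None:
        self._rules: dict[str, bool] = {}  # executable fingerprint -> allowed?
        self.prompts: list[str] = []        # names shown to the user, kept for the demo

    @staticmethod
    def fingerprint(exe_bytes: bytes) -> str:
        return hashlib.sha256(exe_bytes).hexdigest()

    def decide(self, app_name: str, exe_bytes: bytes, prompt: Prompt) -> bool:
        key = self.fingerprint(exe_bytes)
        if key in self._rules:
            return self._rules[key]        # a rule exists: apply it without asking
        self.prompts.append(app_name)
        allow, remember = prompt(app_name)
        if remember:                       # "remember this answer" becomes a persistent rule
            self._rules[key] = allow
        return allow


def demo() -> dict[str, object]:
    """Constructed scenario: Netscape is allowed and remembered, then a different binary
    that has been renamed to netscape.exe asks to connect."""
    netscape = b"constructed bytes standing in for the real netscape.exe"
    impostor = b"constructed bytes standing in for a Trojan renamed to netscape.exe"
    policy = AppConnectionPolicy()

    def allow_and_remember(app_name: str) -> Tuple[bool, bool]:
        return True, True

    def deny_once(app_name: str) -> Tuple[bool, bool]:
        return False, False

    first = policy.decide("netscape.exe", netscape, allow_and_remember)  # prompted, allowed
    second = policy.decide("netscape.exe", netscape, deny_once)          # rule applies, no prompt
    third = policy.decide("netscape.exe", impostor, deny_once)           # new fingerprint: prompted
    return {"first": first, "second": second, "third": third, "prompts": len(policy.prompts)}


if __name__ == "__main__":
    print(demo())
```

The second call shows why "remember this answer" matters for usability (no prompt), and the third shows why the identity of the program, not its name, has to anchor the rule: the impostor gets a fresh prompt instead of Netscape's permission, and a user who answers "no" without remembering will be asked again on its next attempt.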
- Security Configuration
ZoneAlarm’s security screen allows configuration of Internet and local security zones, with an easy
slide bar setting. Each setting level (High, Medium, or Low) provides a different selection of
security features. All three levels enforce the application rules. When the Internet Lock engages,
the High and Medium settings block all Internet traffic, while the Low setting only blocks
application traffic. High and Medium settings also block access to Windows services and shares,
while Low allows such access. Finally, the High setting enables a “stealth mode” that hides all ports
not in use by an application, so that probes receive no response at all. Medium leaves you visible to
outsiders on the Internet, and Low leaves you and your resources visible and allows traffic to and
from the Internet. Setting the Internet level to High is recommended for most environments.
Local network settings depend mostly on your particular situation. Medium will serve well for most
common configurations. Servers can be blocked from local or Internet access by checking the
respective boxes at the bottom of the “settings” screen. At the very bottom, the “Enable MailSafe”
check-box is offered, to allow additional protection from VBS email viruses. Since ZoneAlarm is an
application-level firewall, it can detect content and can stop a VBS file from being executed…
another safety against one of the Internet’s fastest spreading threats.
Finally, an Advanced button is offered to allow the adding of station and network addresses to the
Local or Internet zone. This can be a way to customize your environment.