Date posted: 17-Dec-2015
ISP Network Challenges: Network Security, Spam & Virus Controls
By Carter Manucy, FMPA
Outline
Securing Your Networks
Windows vs. Unix Security
Protecting Your Customers
Controlling Spam
Securing Your Networks
What is a secure computer?
Any computer that is buried in concrete, with the power shut off and the network cable cut.
Anything less is a compromise.
Securing Your Networks
What protects computers and networks?
Passwords
Firewalls
Virus protection
Passwords
Security guidelines for passwords
All passwords must be at least 20 characters
All passwords must not be in the dictionary
Must contain tissue samples from at least 3 vital organs
They must be different from all other passwords on the internet
They must be changed prior to every use
Binary representation of passwords must not contain any of the following sequences, as they are known about by hackers: 00, 01, 10, 11
May not contain ASCII characters
Color passwords must use a 32-bit palette
Passwords
Demand that your edge devices (anything that answers requests on the internet) have secure passwords on ALL accounts, not just the administrator accounts!
Passwords do need to be 8 or more characters that include numbers, letters and special characters.
Passwords
Control root/administrator accounts. DO NOT use these accounts for casual use! Only use them when you are required to.
Firewalls
Firewalls selectively isolate two or more networks
Firewalls permit and deny traffic based on rules
Organizations need written policies about what these firewall rules are
Firewalls are not just to protect your internet presence from your networks
Firewalls need to be on all DMZ servers
Firewalls
Enable local firewalls on all DMZ servers, such as IPTABLES on Linux, or TCP/IP filtering in Windows
Unfortunately, you have to allow some traffic in or out – otherwise you wouldn’t need an internet connection!
By allowing traffic, you open yourself up to attack. No firewall can protect you 100% of the time!
Firewalls
Widgets Inc uses a firewall in “Ultra-Paranoid” mode
Only HTTP (port 80) traffic allowed
No JavaScript, Java or ActiveX allowed
Only allow .gif and .jpg files along with web pages (HTML)
Only allow access to 50 approved sites
Firewalls
Joe Blow Hacker wants in! But Widgets Inc is safe… right?
Joe Blow uses some crafty social engineering on Widgets, Inc
Joe Blow turns his attention to the new “Top 50”
Joe Blow uploads his new program
Joe Blow renames his program
Joe Blow resumes his attack
Firewalls
Joe Blow’s new friend runs his program
Joe’s new program is now giving Joe an invisible shell on the secretary’s computer
Joe uses his hacked server as a stepping point…
Game over!
Virus Scanning
Having an up-to-date virus scanner is especially important around inexperienced users
Make as sure as possible that users update their anti-virus software automatically
Offer links to free anti-virus sites such as AVG or WinClam
Know Your Network
Create network baselines
Use MRTG (Multi Router Traffic Grapher) to help you identify problems before they escalate
MRTG can identify Spam attacks
MRTG can identify hacked servers
MRTG can identify problem users
MRTG – Normal Traffic
MRTG shows patterns – these patterns can show problems
MRTG – Abnormal Traffic
Abnormal traffic patterns can show network abuse
MRTG – Other Uses
MRTG can monitor any device that sends out SNMP data – including IIS servers, routers, even printers
By monitoring items such as HTTP errors, a high number could indicate attempts to hack at the server
Excessive 404’s on an HTTP server could help track down missing links on a webserver
Know Your Resources
National White Collar Crime Center: www.cybercrime.org
High Tech Criminal Investigation Association: www.htcia.org
Computer Security Institute: www.gocsi.com
Carnegie Mellon CERT: www.cert.org
SANS Institute: www.sans.org
National Security Institute: www.nsi.org
Know Your Resources
DOD Office of Cyber Security: www.ciac.org/ciac/
SANS Reading Room: www.sans.org/rr/
Security Focus: www.securityfocus.com
National Security Agency: www.nsa.gov
Protocol Analysis Institute: www.packet-level.com
Sentinix all-inclusive network monitoring install: www.sentinix.org
CAIDA (Cooperative Association for Internet Data Analysis): www.caida.org
Know Your Resources
Security Dashboard display: www.securitywizardry.com/radar.htm
Hacker Toolbox
Ethereal: ethereal.com
Snort: snort.org
Nmap: www.insecure.org/nmap
LC4 (L0phtCrack): atstake.com/research
LANguard: gfi.com/languard
EtherPeek: wildpackets.com
Hacker Toolbox
NetStumbler: netstumbler.com
Hacker Toolbox
Sam Spade: spamspade.org
Hacker Toolbox
Ping Plotter: pingplotter.com
Hacker Toolbox
HexWorkshop: bpsoft.com
Sniffer: sniffer.com
Cain & Abel: www.oxid.it/cain.html
Observer: networkinstruments.com
Chkrootkit: chkrootkit.org
Netcat: netcat.sourceforge.net
Example – NMAP Scan
Host ###.com (xxx.xx.xx.xx) appears to be up ... good.
Initiating SYN half-open stealth scan against ###.com (xxx.xx.xx.xx)
Adding TCP port 88 (state open).
Adding TCP port 17 (state open).
Adding TCP port 389 (state open).
Adding TCP port 9 (state open).
Adding TCP port 19 (state open).
Adding TCP port 1068 (state open).
Adding TCP port 636 (state open).
Adding TCP port 593 (state open).
Adding TCP port 1067 (state open).
Adding TCP port 53 (state open).
Adding TCP port 13 (state open).
Adding TCP port 464 (state open).
Adding TCP port 445 (state open).
Adding TCP port 135 (state open).
Adding TCP port 5000 (state open).
Adding TCP port 7 (state open).
Adding TCP port 1026 (state open).
Adding TCP port 3389 (state open).
The SYN scan took 0 seconds to scan 1523 ports.
For OSScan assuming that port 7 is open and port 1 is closed and neither are firewalled
Example – NMAP Scan
Interesting ports on ###.com (xxx.xx.xx.xx):
(The 1505 ports scanned but not shown below are in state: closed)
Port     State  Service
7/tcp    open   echo
9/tcp    open   discard
13/tcp   open   daytime
17/tcp   open   qotd
19/tcp   open   chargen
53/tcp   open   domain
88/tcp   open   kerberos-sec
135/tcp  open   loc-srv
389/tcp  open   ldap
445/tcp  open   microsoft-ds
464/tcp  open   kpasswd5
593/tcp  open   http-rpc-epmap
636/tcp  open   ldapssl
1026/tcp open   nterm
1067/tcp open   instl_boots
1068/tcp open   instl_bootc
3389/tcp open   msrdp
5000/tcp open   fics
TCP Sequence Prediction: Class=random positive increments
Difficulty=14410 (Worthy challenge)
Sequence numbers: 3AD7953F 3AD8570E 3AD97977 3ADA2100 3ADB1400 3ADB9658
Remote operating system guess: Windows 2000 RC1 through final release
Logging – Your Only Hope
Logs are often the only way you have of determining if and when there is a problem with your machines
Always simultaneously send log files off of the machine to a remote syslog box!
Log files WILL be doctored and/or wiped by a hacker
Use NTsyslog for Windows machines
Logfile Actions/Countermeasures
Attacker Action | Defensive Countermeasure
Logfiles erased | Highly visible – at least some part might be unerased using raw access to the file system, unerase tools (where available) or simple forensic tools
Logfiles wiped | Highly visible – traces might still be found in the swap file
Logfiles edited and saved | Not very visible unless long periods of time are missing. Parts might be recoverable using raw access to the file system, unerase or forensic tools
Logfiles edited and appropriate parts zeroed on disk | Not very visible unless long periods of time are missing. Likely cannot be unerased
Windows vs. *nix Security
No computer is 100% safe on the Internet
Windows has more problems than *nix (UNIX/Linux) based systems due to its design
If you use Windows servers, you need to be more careful where you deploy them, and protect them as much as possible
Windows vs. *nix Security
Unix started its life as a multi-user OS
Unix grew up on the internet
In 1998, the Morris worm taught Unix mail servers a valuable lesson – e-mail is insecure
In 1999, the Melissa virus duplicated the scenario, but this time for Windows
Windows vs. *nix Security
Windows started life as a standalone, single-user system
“The security kernel of the Windows NT server software was written before the Internet, and the Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks” (David Aucsmith, Microsoft, February 2004).
Windows vs. *nix Security
Unix (and all Unix-like OSes such as Linux, BSD, and MacOS X) were designed as piecemeal systems
Windows is a bunch of large integrated components
Windows components feature lots of redundancy – some are not optional
Piecemeal makes patching easier – integration makes patching a nightmare
Windows vs. *nix Security
The multiuser part of *nix is what makes it both the most and least secure when compared to Windows
Programs have no access to the system by default
*nix does not differentiate between remote and local users
This feature can be controlled and disabled, as most do by default
No root or administrator access by default
Windows vs. *nix Security
Windows has the worst of both worlds
Many Windows programs need full control over the system to run
Some Windows programs require administrator privileges to run
Windows XP and 2003 are the least secure kernel ever designed
Windows vs. *nix Security
Counting bug reports between *nix and Windows is a ridiculous practice
“Root Exploits” are standard operating procedure in Windows!
As such, they are not tracked for Windows
Windows vs. *nix Security
Another problem with counting bug reports for OSes is that many Linux holes are counted multiple times for different vendors
Linux distributions ship with the equivalent of dozens of Microsoft products in one Linux product – to be fair these products must be added to Windows as well.
Windows vs. *nix Security
Integration is where Microsoft continues to have issues
Patches for *nix programs or services can be applied without a reboot
Worst-case scenario for *nix is that the program stops working
Windows patches can affect completely unrelated components
Reboots are often required with Windows patches
Windows vs. *nix Security
*nix systems are patched quickly and with little effort
Windows requires extensive configuration management for patches
Even that isn’t enough sometimes – as the SQL Slammer taught us
Most recent patches removed the protection for the SQL Slammer worm!
Windows vs. *nix Security
Windows recognizes that integration is the problem now
There is no way out without breaking compatibility
Win16 was abandoned in the transition to Win32 with Windows NT
Microsoft can’t do that with a Win32 to .NET transition – Win32 is still the foundation of Longhorn
Windows vs. *nix Security
Microsoft has given up on trying to address the problem due to customer base
They will lose this customer base if they break compatibility
If customers tolerated compatibility changes, *nix becomes just as appealing as Windows
Windows Win32 applications don’t port well
Windows vs. *nix Security
Probably 98% of Windows viruses come through e-mail
The root issue with e-mail worms on Windows goes back to the heart of how Windows works
If Microsoft “fixed” Windows, the majority of Windows software would break overnight
Windows vs. *nix Security
Microsoft does recognize the problems
The Ten Immutable Laws of Computing: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
Ten Immutable Laws of Computing
Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don't keep up with security fixes, your network won't be yours for long
Ten Immutable Laws of Computing
Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Ten Immutable Laws of Computing
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn't about risk avoidance; it's about risk management
Law #10: Technology is not a panacea
Protecting Your Customers
Why should you protect your customers?
Bandwidth = money
Wasted bandwidth from viruses is a problem
Hacking is a problem
Your customers could unknowingly be used for DDoS, spam or other kinds of ‘jump points’
Protecting Your Customers
Have your customers:
Turn off file/print sharing
Install and USE a firewall
Install, USE and UPDATE anti-virus software
Delete e-mails from people you don’t know without reading them!
Never accept unsolicited downloads
Use anti-spyware software regularly
Protecting Your Customers
Many places offer up free firewalls for protection
Windows XP Service Pack 2 has a decent built-in firewall now
Stand-alone firewalls are the best bet – products such as IPCop (ipcop.org) and SmoothWall (smoothwall.org) can turn old useless computers into stateful packet inspecting firewalls.
Protecting Your Customers
Protecting your customers also means controlling content
There is a fine line between content control and censorship
Generally speaking, there are some specific ports and addresses that can be turned off at your edge devices that have no business on the internet
Protecting Your Customers
Cisco ACL tip #1: A sample inbound ACL – block spoofed IPs appearing to be from non-routable IPs:
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
Protecting Your Customers
Cisco ACL tip #2: A sample inbound ACL – block Microsoft NetBIOS and file sharing traffic:
access-list 101 deny tcp any any range 135 139
access-list 101 deny udp any any range 135 netbios-ss
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny udp any any eq 445 log-input
Protecting Your Customers
Cisco ACL tip #3: A sample inbound ACL – block known Trojan Horse ports:
access-list 101 deny tcp any any eq 4444 log-input
access-list 101 deny tcp any any eq 27374 log-input
access-list 101 deny udp any any eq 1432 log-input
access-list 101 deny udp any any eq 1433 log-input
access-list 101 deny udp any any eq 1434 log-input
access-list 101 deny tcp any any eq 12345 log-input
access-list 101 deny tcp any any eq 31337 log-input
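An added example, not from the slides or any Cisco tool: a Python evaluator for a subset of the ACL lines above, showing what a wildcard mask actually matches (a 1 bit is "don't care") and that the first matching line wins, with an implicit deny when nothing matches. The trailing permit line is an assumption; the slides show only deny lines.

```python
import ipaddress

# Added example (not from the slides): evaluate IOS ACL lines the way the
# router does, showing what a wildcard mask matches and that the first matching
# line wins, with an implicit deny if nothing matches. A subset of the page's
# lines is embedded; the trailing permit is an assumption, not on the slides.
ACL_TEXT = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny tcp any any range 135 139
access-list 101 deny udp any any range 135 netbios-ss
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny tcp any any eq 31337 log-input
access-list 101 permit ip any any
"""
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}  # IOS keywords

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr_spec(tokens):
    """Consume 'any' or 'ADDRESS WILDCARD'; return (base, wildcard, remaining)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return base, wild, tokens[2:]

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()                       # access-list N action proto ...
        action, proto = t[2], t[3]
        src, swild, rest = _addr_spec(t[4:])
        dst, dwild, rest = _addr_spec(rest)
        lo = hi = None                         # no port clause: any port
        if rest[:1] == ["eq"]:
            lo = hi = _port(rest[1])
        elif rest[:1] == ["range"]:
            lo, hi = _port(rest[1]), _port(rest[2])
        rules.append((action, proto, src, swild, dst, dwild, lo, hi, line))
    return rules

def _wild_match(ip, base, wild):
    # In a wildcard mask a 1 bit means "don't care", a 0 bit means "must equal".
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (base & ~wild)

def evaluate(rules, proto, src, dst, dport):
    """Return (action, matching line); an unmatched packet hits the implicit deny."""
    for action, rproto, bs, ws, bd, wd, lo, hi, line in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_wild_match(src, bs, ws) and _wild_match(bd and dst or dst, bd, wd)):
            continue
        if lo is not None and not lo <= dport <= hi:
            continue
        return action, line
    return "deny", "implicit deny"
```

Dropping the final permit line (as on the slides) makes every unlisted packet fall through to the implicit deny, which is why an ISP edge list must end with an explicit permit.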
Protecting Your Customers Wireless routers are a problem
Wireless Networks
WEP vs. Non-WEP stats
Protecting Yourself
Have someone who is well-versed in security in charge of it. A little knowledge is a dangerous thing!
Be mindful that not everyone in the world runs Windows, so you have to be aware of other OSes as well
Subscribe to an advisory system such as SANS
Always keep your networks separate!
Protecting Yourself
Read your firewall and IDS logs! If you’re not reading your logs, the only time you’ll use them is after it’s too late
Try migrating away from Internet Explorer whenever possible
Spam and E-mail
Estimates show that between 75-85% of all e-mail is Spam
After the recent hurricanes in Florida, the spam percentage dropped by 10% - I guess they cleaned out more than just the tourists…
Ways To Stop Spam
DNSBL sites
SPF (Sender Policy Framework)
Bayesian filtering
User education
Whitelists
Greylists
Linux-based proxies
Commercial appliances
DNSBL sites
DNSBL = DNS Black Lists
There are currently hundreds of DNSBL sites – some private, some public
FMPA uses six DNSBLs to deny mail from even connecting:
bl.spamcop.net
dnsbl.njabl.org
relays.ordb.org
sbl-xbl.spamhaus.org
list.dsbl.org
korea.services.net
DNSBL Sites
FMPA also checks against those sites and two additional ones a second time – this second scan looks at every header in the e-mail for black-listed sites. If it finds a match, it just tags the e-mail – it doesn’t actually refuse to accept it
An example of a session might go something like this:
DNSBL Session
For this session, I’ll take an actual e-mail I just got
1. A mail server connects to FMPA. In this case, the IP address is 203.211.205.181 – but the server ‘claims’ it is AOL.COM – which is a lie
2. Our qmail server looks at the connecting IP against the first list of DNSBLs. None of them come up positive so it allows the connection.
3. The spammer dumps off the message.
4. qmail then looks at all of the other headers in the e-mail to see what other servers have handled the message
DNSBL Session
5. There are other servers that handled this message – before it got to 203.211.205.181 it went through 80.0.16.8 – a server in Amsterdam!
6. Both IPs are listed in different DNSBLs – one is Spamcop, the other is NJABL’s Dynamic IP list. Since NJABL was found first, qmail injects a header into the e-mail marking it as spam
7. My Notes e-mail client picks up on the injected header, and automatically moves the message into my ‘junk mail’ folder
8. Apparently my application was approved for a $400,000 loan at 2.1%...
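The session above as an added example, not code from the slides or from FMPA's qmail setup: it builds the reversed-octet DNSBL query name, runs the connect-time check against the six lists, then scans every Received: hop against those lists plus the extra ones and only tags. DNS answers are a constructed stub, a placeholder zone stands in for the two extra lists the slides do not name, and the message is made up to mirror the one described.

```python
import re
import ipaddress
from email import message_from_string

# Added example (not from the slides): the two-stage DNSBL check described
# above: the connecting IP against the six connect-time lists, then every
# Received: hop against those plus the extra lists, tagging rather than
# rejecting. DNS is a stub; a placeholder stands in for the unnamed extra lists.
CONNECT_LISTS = ["bl.spamcop.net", "dnsbl.njabl.org", "relays.ordb.org",
                 "sbl-xbl.spamhaus.org", "list.dsbl.org", "korea.services.net"]
EXTRA_LISTS = ["dynamic-ips.dnsbl.example"]      # placeholder zone

def dnsbl_name(ip, zone):
    """A list is queried for ip by reversing its octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

STUB_DNS = {   # constructed answers; a listed IP resolves inside 127.0.0.0/8
    dnsbl_name("203.211.205.181", "dynamic-ips.dnsbl.example"): "127.0.0.3",
    dnsbl_name("80.0.16.8", "bl.spamcop.net"): "127.0.0.2",
}

def lookup(ip, zones, resolve=STUB_DNS.get):
    """Return the first zone (in list order) that lists ip, else None."""
    for zone in zones:
        if resolve(dnsbl_name(ip, zone)):
            return zone
    return None

def accept_connection(client_ip, resolve=STUB_DNS.get):
    """Stage 1: refuse the SMTP session if the peer is on a connect-time list."""
    return lookup(client_ip, CONNECT_LISTS, resolve) is None

def received_ips(raw_message):
    """Public IPv4 addresses from the Received: headers, newest hop first."""
    ips = []
    for hop in message_from_string(raw_message).get_all("Received", []):
        for m in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", hop):
            try:
                ip = ipaddress.IPv4Address(m)
            except ValueError:
                continue
            if ip.is_global and m not in ips:
                ips.append(m)
    return ips

def tag_message(raw_message, resolve=STUB_DNS.get):
    """Stage 2: scan every hop; on the first hit prepend a header, never reject."""
    for ip in received_ips(raw_message):
        zone = lookup(ip, CONNECT_LISTS + EXTRA_LISTS, resolve)
        if zone:
            return "X-DNSBL-Listed: %s in %s\n%s" % (ip, zone, raw_message)
    return raw_message

# Constructed message mirroring the session above (newest hop first).
SAMPLE = """Received: from aol.com (unknown [203.211.205.181]) by mail.fmpa.com with SMTP
Received: from [80.0.16.8] by 203.211.205.181 with SMTP
Subject: Your application is approved

Your $400,000 loan at 2.1% has been approved.
"""
```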
SPF (Sender Policy Framework)
Allows for verification that your server is authorized to send e-mail
Publishing your authorized servers is a simple DNS TXT entry
SPF In Action
SPF records are TXT records in DNS
At FMPA, we accept mail from two servers, which are listed in our MX records:
fmpa.com mail exchanger = 10 mail.fmpa.com.
fmpa.com mail exchanger = 20 tally.fmpa.com.
FMPA’s SPF record is a TXT entry:
fmpa.com text = "v=spf1 mx ip4:66.192.231.225"
The above servers are the only servers that are authorized to send mail from fmpa.com
SPF In Action
Joe Blow Spammer is sending mail from [email protected]
Joe’s mail server connects to AOL’s mail server
Joe’s MTA tells AOL’s mail server who he is and who he’s sending to
AOL’s mail server checks fmpa.com’s SPF record, finds out that Joe’s server isn’t authorized to send mail from fmpa.com!
SPF In Action
AOL drops the session before the body of the message is delivered
AOL saves its customer from the Spam
AOL saves its bandwidth
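An added example, not from the slides: a minimal SPF evaluator covering the mechanisms in the fmpa.com record above (mx and ip4) plus all, and the accept/reject decision a receiver like AOL's makes at MAIL FROM. DNS is a constructed stub: the MX hosts are from the slides, their A records and Joe's server address are assumed.

```python
import ipaddress

# Added example (not from the slides): a minimal SPF evaluator for the
# mechanisms in the fmpa.com record shown above (mx, ip4) plus "all".
# DNS is a constructed stub: MX hosts from the slides, A records assumed.
STUB_DNS = {
    ("fmpa.com", "TXT"): ["v=spf1 mx ip4:66.192.231.225"],
    ("fmpa.com", "MX"): [(10, "mail.fmpa.com"), (20, "tally.fmpa.com")],
    ("mail.fmpa.com", "A"): ["192.0.2.10"],     # assumed address
    ("tally.fmpa.com", "A"): ["192.0.2.20"],    # assumed address
}

def resolve(name, rtype):
    return STUB_DNS.get((name, rtype), [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _in(ip, network):
    # A bare address such as ip4:66.192.231.225 is treated as a /32.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)

def check_spf(domain, client_ip, record=None):
    """Evaluate client_ip against domain's SPF record (RFC 7208 subset)."""
    if record is None:
        txts = [t for t in resolve(domain, "TXT") if t.startswith("v=spf1 ")]
        if not txts:
            return "none"
        record = txts[0]
    for term in record.split()[1:]:
        qual = "+"                                   # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = _in(client_ip, arg)
        elif mech == "a":
            matched = any(_in(client_ip, a) for a in resolve(target, "A"))
        elif mech == "mx":
            hosts = [h for _, h in sorted(resolve(target, "MX"))]
            matched = any(_in(client_ip, a) for h in hosts for a in resolve(h, "A"))
        else:
            return "permerror"                       # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                                 # nothing matched and no "all"

def mail_from_decision(envelope_from, client_ip, record=None):
    """What an SPF-checking MTA decides at MAIL FROM, before any DATA arrives."""
    domain = envelope_from.rpartition("@")[2]
    result = check_spf(domain, client_ip, record)
    return ("reject" if result == "fail" else "accept"), result
```

With the record exactly as published (no all term), an unlisted sender such as Joe's evaluates to neutral rather than fail; appending -all is what lets a receiver drop the session at MAIL FROM as the slides describe.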
Bayesian Filtering
Bayesian Filtering “reads” the e-mail for content, and normally scores the message accordingly
Too high of a score = spam
Needs more processing time than other methods
Needs to be updated regularly to keep up with trends
User Education
Don’t opt-out of spam
Don’t give your e-mail address to questionable sites – especially for “free” software and adult-content sites!
Don’t put e-mail address on websites
Don’t use the TO: or CC: field in an e-mail to send copies – use the BCC:
Whitelists
Whitelists are a simple way to guarantee delivery of messages
Whitelists are normally maintained on a per-user basis
Individual whitelists don’t do other users any good
Greylists
Greylists temporarily delay e-mail
Works against spammers, but not normally against legitimate e-mail
After the second successful attempt, delays are no longer incurred
Eventually this too will become a passé way of blocking spam
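An added example, not from the slides: a greylist keyed on the (client IP, envelope sender, envelope recipient) triplet, which defers a first sighting, keeps deferring a retry that comes too soon, accepts a proper retry and then never delays that triplet again. The delay values and the addresses in the replay are assumed.

```python
import time

# Added example (not from the slides): a greylist keyed on the
# (client IP, envelope sender, envelope recipient) triplet. The first sight
# gets a temporary failure; a retry after the minimum delay is accepted and
# the triplet is remembered so later mail from it is never delayed again.
# Timings are assumed values; the clock is injectable so the flow can be
# replayed without waiting.
class Greylist:
    def __init__(self, min_delay=300, max_wait=4 * 3600, now=time.time):
        self.min_delay = min_delay   # seconds a sender must wait before retrying
        self.max_wait = max_wait     # forget a triplet nobody retried in this long
        self.now = now
        self.pending = {}            # triplet -> time first seen
        self.passed = set()          # triplets that completed a proper retry

    def check(self, client_ip, sender, recipient):
        """Return the SMTP reply code to give at RCPT TO: 451 (retry later) or 250."""
        key = (client_ip, sender.lower(), recipient.lower())
        now = self.now()
        if key in self.passed:
            return 250                         # known-good triplet: no delay
        first = self.pending.get(key)
        if first is None or now - first > self.max_wait:
            self.pending[key] = now            # first sight (or stale entry): defer
            return 451
        if now - first < self.min_delay:
            return 451                         # retried too soon: keep deferring
        del self.pending[key]
        self.passed.add(key)                   # a real MTA queued and retried
        return 250

def replay():
    """Constructed exchange: a fire-and-forget spammer versus a queuing MTA."""
    clock = [1000000.0]
    gl = Greylist(now=lambda: clock[0])
    spam = ("203.0.113.9", "offers@spam.example", "user@fmpa.com")
    real = ("192.0.2.25", "friend@example.org", "user@fmpa.com")
    codes = [gl.check(*spam), gl.check(*real)]   # both deferred on first sight
    clock[0] += 60
    codes.append(gl.check(*real))                # retried after 1 minute: still 451
    clock[0] += 600
    codes.append(gl.check(*real))                # retried after the delay: accepted
    codes.append(gl.check(*real))                # later mail from the triplet: no delay
    return codes                                 # the spammer never retries at all
```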
Linux-based Proxies
Linux-based, secure MTAs such as qmail receive and scan e-mail
Can employ SPF, Bayesian filtering, Virus-Scanning, DNSBL, blacklists, greylists or whitelists
Can work with ANY other MTA – Exchange, Notes, mDaemon – whatever you already have
Aside from the hardware costs (not demanding) – it’s FREE!
Commercial Appliances
Commercial Anti-Spam Appliances and software – very effective tools
Not always appropriate in an ISP environment due to cost
ISPs cannot afford false positives in spam filtering
Summary
The internet is a hostile place, and must be treated as such – it is a global network, and in some places hacking is not only legal, but encouraged
Stay on top of security by keeping in mind that you will never know it all
Use tools available to you to help make the job easier
Use secure MTA’s and scan e-mail to put Spam where it belongs – off your network!