Information Security Management CSE3502: Dr. Parimala M, Associate Professor, SITE
Module – 1: Information Security Devices
• DHCP server logging - use the DHCP lease information to improve the asset inventory and
help detect unknown systems joining the network
Asset Inventory Tool (contd.)
• All equipment acquisitions should automatically update the inventory system
• Maintain an asset inventory of all systems connected to the network and the network
devices themselves
• The inventory should include every system that has an Internet Protocol (IP) address on
the network
• The asset inventory created must also include data on whether the device is a portable
and/or personal device
• Make sure that the asset inventory database is properly protected and that a copy is stored
in a secure location.
– Create separate VLANs for BYOD (bring your own device) systems or
other untrusted devices.
• Use tools to pull information from network assets such as switches and routers
regarding the machines connected to the network.
• Other asset identification tools passively listen on network interfaces for devices that
announce their presence by sending traffic.
• The asset inventory database and alerting system must be able to identify the location,
department, and other details of where authorized and unauthorized devices are
plugged into the network.
• To evaluate the implementation of Control 1 on a periodic basis, the
evaluation team
– will connect hardened test systems to at least 10 locations on the network,
including a selection of subnets associated with demilitarized zones (DMZs),
workstations, and servers. Two of the systems must be included in the asset
inventory database, while the other systems are not.
– must verify that the systems generate an alert or e-mail notice regarding the
newly connected systems within 24 hours of the test machines being connected
to the network.
– must verify that the system provides details of the location of all the test
machines connected to the network.
– must verify that the system provides information about the asset owner.
– must verify that the test systems are automatically isolated from the production
network within one hour of initial notification and that an e-mail or alert
indicating the isolation has been sent.
– must verify that the connected test systems are isolated from production
systems.
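As an added illustration (not part of the slides) of using DHCP server logs to find systems the inventory does not know, the Python below reconciles constructed ISC-dhcpd-style log lines against a constructed asset inventory keyed by MAC address and produces the alert candidates; the log format, inventory fields and alert text are assumptions.

```python
import re

# Constructed DHCP server log lines in ISC dhcpd style (sample data, not from a real server).
DHCP_LOG = """\
Mar 03 09:12:01 dhcpd: DHCPACK on 10.20.5.17 to 3c:52:82:aa:01:10 (finance-ws-07) via eth1
Mar 03 09:15:44 dhcpd: DHCPACK on 10.20.5.31 to f0:9f:c2:11:22:33 via eth1
Mar 03 09:20:09 dhcpd: DHCPACK on 10.20.9.8 to 00:1b:21:de:ad:01 (lab-box) via eth2
Mar 03 09:21:30 dhcpd: DHCPDISCOVER from 52:54:00:be:ef:99 via eth2
"""

# Constructed asset inventory keyed by MAC address, carrying the owner, location
# and portable/personal flag that the control asks for.
INVENTORY = {
    "3c:52:82:aa:01:10": {"owner": "finance", "location": "Bldg A / 2F", "portable": False},
    "00:1b:21:de:ad:01": {"owner": "research", "location": "Lab 3", "portable": True},
}

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)

def parse_leases(log_text):
    """Return one dict per DHCPACK line; DISCOVER lines carry no address yet and are skipped."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            leases.append(m.groupdict())
    return leases

def reconcile(leases, inventory):
    """Split leases into inventoried devices and unknown ones (the alert candidates)."""
    known, unknown = [], []
    for lease in leases:
        asset = inventory.get(lease["mac"].lower())
        (known if asset else unknown).append({**lease, **(asset or {})})
    return known, unknown

def build_alerts(unknown):
    """One alert line per unknown device, naming the interface (segment) it was seen on."""
    return [f"ALERT unknown device {u['mac']} got {u['ip']} via {u['iface']} at {u['ts']}"
            for u in unknown]
```

Known devices come back merged with their inventory record, which is what an alerting system needs to report owner and location as the evaluation steps above require.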
1.2. Testing the Traffic Filtering Devices
• Traffic filtering - to reduce security threats, organisations use various devices,
technologies and techniques
• To improve the efficiency of filtering and increase the level of security in its
network, an institution/organisation should apply the following recommendations:
– Define traffic-filtering rules
– Select a traffic-filtering technology
– Implement defined rules
– Maintain all the components of the solution
Packet-filtering functionality (stateless firewall)
• A packet filter enables the implementation of control of access to resources by
deciding whether a packet should be allowed to pass, based on the information
contained in the IP packet header.
• Does not analyse the content of the packet (unlike a content filter), nor does it
attempt to determine the sessions to which individual packets belong based on the
information contained in the TCP or UDP header, and therefore it makes no further
decisions in that regard. For this reason, the process is also known as stateless
packet inspection.
• Stateless firewall devices analyse each packet individually and filter them based
on the information contained in Layers 3 and 4 of the OSI reference model
Packet Filters
Filtering Decision is made based on the following information:
• source IP address
• destination IP address
• protocol
• source port number
• destination port number
The advantages of applying packet filters:
• simple implementation
• supported by most routers, so there is no need to invest in new equipment and software
• rarely cause bottlenecks in the area of their application, even at high speeds in Gigabit
networks.
The disadvantages of applying packet filters:
• vulnerability to IP spoofing attacks
• vulnerability to attacks that exploit problems within the TCP/IP specification and the protocol
stack
• problems with filtering fragmented packets (causing interoperability problems and
non-functioning VPN connections)
• no support for the dynamic filtering of some services (services that dynamically
negotiate the ports used in the communication, e.g., passive FTP)
Stateful packet inspection
• Improves the packet filtering process by monitoring the state of each connection established through a
firewall device.
• The TCP protocol allows two-way communication, and TCP traffic is characterized by three phases:
– establishing the connection - the device records each new connection in the state table
– data transfer - the device monitors the parameters in the header of the L3 packet and L4 segment and
makes a filtering decision depending on their values and the content of the state table
– terminating the connection
• The state table contains all currently active connections. As a result, a potential attacker trying to
spoof a packet with a header indicating that the packet is part of an established connection can only
be detected by a stateful inspection firewall device, which verifies whether the connection is
recorded in the state table.
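The stateless/stateful contrast described above, as an added example that is not from the slides: the same three constructed packets are run through a header-only packet filter and through a filter that keeps a state table, so the reader can see which one rejects a segment that merely looks like part of an established connection. The rule set, packet fields and addresses are assumed for illustration.

```python
from collections import namedtuple

# Constructed L3/L4 header summaries: the only fields a packet filter gets to see.
Packet = namedtuple("Packet", "src dst proto sport dport flags")

# Constructed stateless rule set: let clients open TCP/443 outbound, and let TCP
# segments from port 443 back in, since replies must get through somehow.
RULES = [
    ("out", "tcp", None, 443, "allow"),   # (direction, proto, sport, dport, action)
    ("in", "tcp", 443, None, "allow"),
]

def stateless_decide(pkt, direction):
    """Judge each packet on its own header fields; no memory of earlier packets."""
    for rdir, proto, sport, dport, action in RULES:
        if rdir != direction or proto != pkt.proto:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # default deny when no rule matches

class StatefulFilter:
    """Adds a state table: inbound segments pass only if they belong to a recorded connection."""
    def __init__(self):
        self.state = set()  # entries: (client_ip, client_port, server_ip, server_port)

    def decide(self, pkt, direction):
        if direction == "out":
            verdict = stateless_decide(pkt, "out")
            if verdict == "allow" and "SYN" in pkt.flags:  # establishment phase: record it
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # inbound (data-transfer phase): the segment must match an entry in the state table
        return "allow" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state else "deny"

def run_demo():
    """Run the same three packets through both filters and return the verdict lists."""
    client, server, other = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    syn = Packet(client, server, "tcp", 50000, 443, "SYN")
    reply = Packet(server, client, "tcp", 443, 50000, "SYN-ACK")
    # Source port 443 and ACK set, but it matches no connection the client ever opened.
    unsolicited = Packet(other, client, "tcp", 443, 50001, "ACK")
    sf = StatefulFilter()
    order = [(syn, "out"), (reply, "in"), (unsolicited, "in")]
    return {"stateless": [stateless_decide(p, d) for p, d in order],
            "stateful": [sf.decide(p, d) for p, d in order]}
```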
• Based on the filtering rules defined on the APG (application proxy gateway) device, proxy
agents decide whether network traffic will be allowed or not.
• Traffic-filtering decisions can also be made based on the information contained in the
header of an application-layer message or even based on the content conveyed by that
message.
• There are also APG devices with the capability of packet decryption, analysis and
re-encryption before a packet is forwarded to the destination host.
APG Devices: Deficiencies
• APG devices require significantly greater resources, i.e., more memory and more
processor time for analysing and interpreting each packet passing through the device.
• As a result, APG devices are not suitable for filtering real-time applications.
• Another deficiency of these devices is the limitation in the number of
services that can be filtered through them.
• APG devices do not always support the filtering of new applications or
protocols.
• Due to their price, APG devices are commonly used for protecting data
centres or other networks containing publicly available servers that are of
high importance to an organisation.
• In order to reduce the load on APG devices and achieve greater efficiency,
modern networks more frequently use dedicated proxy servers.
Dedicated Proxy (DP) Server
• Dedicated Proxy (DP) servers also have a role as “intermediaries” in the
communication between two hosts, although their traffic-filtering
capabilities are significantly lower.
• They are intended for the analysis of the operation of specific services and
protocols (e.g., HTTP or SMTP).
• Due to their limited traffic-filtering capabilities, DP devices are deployed
behind firewall devices in the network architecture.
• Their main function is to perform specialised filtering of a specific type of
traffic (based on a limited set of parameters) and carry out the logging
operation.
• The execution of these specific activities significantly reduces the load on
the firewall device itself, which is located in front of the DP server.
• The most widely used devices of this type are Web Proxy servers.
Solutions Combining Traffic Filtering with Other Technologies
1. NAT (Network Address Translation)
NAT is a technology that enables devices that use private IP addresses to
communicate with devices on the Internet.
• This technology translates private IP addresses, which can be used by
devices within a Local Area Network (LAN), into publicly available
Internet addresses.
• There are three types of NAT translations:
– Dynamic NAT - private addresses are dynamically mapped to addresses from a
pool of publicly available IP addresses
– Static NAT - each private address is translated into a separate, fixed public
IP address
– Port Address Translation (PAT) - each client on the LAN that establishes a
connection with a device on the Internet is assigned a different port
number of the shared public IP address
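As an added example (not the slides' own material) of the PAT type only, the Python below keeps a translation table so that several LAN clients share one constructed public IP address, with replies mapped back to the right private host by the translated port; the class and field names are assumptions.

```python
import itertools

class PortAddressTranslator:
    """PAT: many private (ip, port) pairs share one public IP, told apart by the port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)   # pool of translated ports
        self.outbound = {}  # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # (public_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source; a new session gets the next free public port."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub_port = next(self.next_port)
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_port):
        """Map a reply arriving at the public IP back to the private host; None if no session."""
        inner = self.inbound.get((dst_port, src_ip, src_port))
        if inner is None:
            return None   # no matching session: the translator has nowhere to deliver it
        return (src_ip, src_port, inner[0], inner[1])

def run_demo():
    """Two LAN clients using the same local port reach the same web server via one public IP."""
    pat = PortAddressTranslator("203.0.113.1")   # constructed public address
    a = pat.translate_out("192.168.1.10", 50000, "198.51.100.20", 80)
    b = pat.translate_out("192.168.1.11", 50000, "198.51.100.20", 80)
    reply_to_b = pat.translate_in("198.51.100.20", 80, b[1])
    stray = pat.translate_in("198.51.100.20", 80, 40999)
    return a, b, reply_to_b, stray
```

The `stray` case shows a side effect of PAT that matters for security: an inbound packet with no session in the table cannot be delivered to any internal host.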
2. VPN (Virtual Private Network)
• VPN (Virtual Private Network) technology is used to increase the security of data
transfer through a network infrastructure that does not provide a sufficient degree
of data security.
• It enables the encryption and decryption of network traffic between external
networks and an internal, protected network.
• VPN functionality - available on firewall devices or implemented on VPN
servers that are placed behind firewall devices in the network architecture.
• Because the VPN traffic is encrypted, the firewall device cannot perform inspection,
access control or logging of that network traffic, and therefore cannot scan it for
certain security threats.
• VPN service requires the application of certain filtering rules of the firewall
device in order to enable its uninterrupted operation.
• Special attention should always be paid to making sure that the appropriate
protocols and the TCP/UDP services necessary for the functioning of the chosen
VPN solution are supported.
3. IDP (Intrusion Detection and Prevention)
• Network Intrusion Detection (ID)
– based on monitoring the operation of computer systems or networks and
analysing the processes they perform, which can point to certain incidents.
• Network Intrusion Prevention (IP)
– the process of detecting network intrusion events, which also includes
preventing and blocking detected or potential network incidents.
• Network Intrusion Detection and Prevention systems (IDP)
– based on identifying potential incidents
– logging information about them
– attempting to prevent them
– alerting the administrators responsible for security
– also used to identify problems concerning the adopted security policies
– to document existing security threats and
– to discourage individuals from violating security rules
– IDP systems use various incident detection methods
Primary Classes of Detection Methodology
– 1. Signature-based detection
• process of comparing observed activity with the known forms in which a
threat has appeared in the network
• cannot identify new threats or complex forms of communication
– 2. Anomaly-based detection
• based on the normal behaviour of users, hosts or applications
• can detect even previously unknown threats
– 3. Detection based on stateful protocol analysis
• the expected protocol behaviour is defined by the manufacturers of IDP devices
Intrusion Detection System
Configuring Secure Content Management
Content Management
• The advent of Web 2.0 technologies and the proliferation of file-sharing protocols,
data-sharing portals, media streaming, etc. among users expand the attack
surface of an organization. They create enormous opportunities for external
threats to exploit weaknesses.
• Allowing inbound and outbound connections — as access given to the
employees to initiate or receive traffic — creates issues of employee
productivity. It also contributes to bandwidth issues, as connections to public or
media-streaming sites consume an organization’s network bandwidth.
• While allowing legitimate traffic, organizations may not like their employees
to indulge in the different forms of entertainment and attractions available
online, which can lead to security threats, data leakage and productivity
issues.
• Security has been evolving to address these challenges through a set of
practices and technical solutions under a category which can broadly be
classified as ‘Secure Content Management’ (SCM).
The Importance of Secure Content Management
Unrestricted Access - The Risks include:
• Impacted employee productivity
– Prevent non-productive web surfing
– Preserves network bandwidth
• Liability Exposure
– Peer-to-peer networking
– File sharing
• Hacker Attacks and Privacy Violations
– Vulnerable to backdoor attacks
How Secure Content Management Works
• Securing content starts with controlling access to
certain Web sites based on predetermined criteria.
– At a basic level, user access to Internet content is controlled
using the URL address or the URL content category (such as
nudity or gambling).
– Basic content management solutions can also examine the
way the content is delivered, such as through Java applets or
ActiveX scripts, and determine access permissions
accordingly.
• More advanced content management solutions also
provide the ability to block applications such as instant
messaging and peer-to-peer services.
Site Blocking Versus Content Monitoring
Site Blocking
• Uses list-based or URL-based filters to identify and block certain Web sites.
• Some solutions rely on white lists that allow access to only those sites that
appear on the list.
– Ex: a retail store might create a white list containing only the company’s Web site,
shipping Web sites and supplier Web sites.
• Other solutions use black lists, which permit access to all sites except those on
the black list. The black list approach is preferable for businesses whose
employees need less restrictive Internet access.
– With a black list approach, the database of Web sites is organized into
categories, such as “violence” or “drugs,” and network administrators can
selectively block categories.
Content Monitoring
• Uses a keyword-blocking approach that compares the keyboard data to a user-
defined library of words and phrases.
• When a match to one of the blocked words or phrases is detected, the solution
filters or blocks the data, or in some cases even closes the application.
• The problem with this approach is that it can inadvertently block legitimate pages
based on the fact that they contain one or more targeted keywords.
– For example, a Web site about cancer research could be blocked because it
contains the word “breast.”
• More advanced content monitoring solutions not only examine the individual
words on the page, but also evaluate context and other data such as HTML tags.
Site Blocking
• Effectiveness and manageability of site blocking
depends on a number of factors:
– Database size
– Update frequency
– Category organization
• A general limitation of site blocking is that it
focuses exclusively on HTTP-based Web traffic.
• It does not block instant messaging, e-mail
attachments, peer-to-peer applications and other
applications that could contain security threats.
Solution Architecture
• A CMS can be embedded on a network device such as a proxy server, on a
firewall or on a dedicated server.
• The three deployment methods include:
– Client solutions
– Standalone solutions
– Integrated solutions