How To Learn The Network Security
The following slides contain the fundamentals for understanding the concept of computer network security, from the side of infrastructure, technology and the paradigm for users.
The material was prepared by an expert who is a CEH trainer and is competent in the field of network security.
I obtained these slides from him while attending his Certified Computer Security Officer (CCSO) and Certified Computer Security Analyst (CCSA) training.
Hopefully it is useful as a reference for us to learn about computer network security.
Thank you
1. Programs:
Certified Computer Security Officer (CCSO)
Certified Computer Security Analyst (CCSA)
LSP Telematika
Created By: Semi Yulianto
Shared By: Linuxer@kaskus.co.id
2. Semi Yulianto
MCT, MCP, MCSA, MCSE, MCSA & MCSE: Security, MCTS, MCITP, CCNA, CCNP, CNI, CNA, CNE, CCA,
CIW-CI, CIW-SA, CEI, CEH, ECSA, CHFI, EDRP, ECSP, etc
Independent Trainer and Consultant
EC-Council Indonesia & Asia Pacific (Jakarta, Indonesia)
Current Roles:
ITS2 (Riyadh, Saudi Arabia)
Senior Technical Trainer/Security Consultant
IshanTech (M) Sdn Bhd (Kuala Lumpur, Malaysia)
Security Consultant (Web Application Pen-Tester)
Security Consultant (ESET Anti-Virus & Smart Security)
Contacts:
semi.yulianto@flexi-learn.com and semi.yulianto2009@gmail.com
+62 852 1325 6600 and +60 14 9377 462
3. Part I
1. Network Security
2. Threats to Network Security
3. Security and People
4. Secure Network Infrastructure
5. Virtual Private Networks (I)
6. Identity Services
7. Anti-Virus
8. Access Controls
9. Firewalls (II)
10. Intrusion Detection System (IDS) + Intrusion Prevention System (IPS) (III)
11. Bastion Host
12. Honey pot (IV)
4. Part II
1. Policy Management
2. Vulnerability Assessment
3. Encryption (V + VI)
4. Patch Management
5. OS Hardening (VII)
6. Incident Handling
7. Client-Side Attacks
8. Ethical Hacking and Pen-Test
9. Penetration Testing
10. IT Infra Threat Modeling
11. Do and Don'ts
12. Best Practices
5. Network security involves all activities that
organizations, enterprises, and institutions
undertake to protect the value and ongoing usability
of assets and the integrity and continuity of
operations.
An effective network security strategy requires
identifying threats and then choosing the most
effective set of tools to combat them.
6. Today's system/network administration should include security-related activities such as patch management; OS, host and device hardening; and network vulnerability assessment.
System/Network Administrators should be ready to perform those activities to protect against malicious hackers and against external and internal attacks.
The responsibilities of System/Network Administrators should not be limited to managing and administering the existing system/network; security should be added, since it is vital to protect the organization's assets (data, information and IP).
7. Viruses - Computer programs written by devious programmers and designed to replicate themselves and infect computers when triggered by a specific event.
Trojan Horse Programs - Delivery vehicles for destructive code, which appear to be harmless or useful software programs such as games.
Vandals - Software applications or applets that cause destruction.
8. Attacks
◦ Reconnaissance attacks - Information-gathering activities to collect data that is later used to compromise networks.
◦ Access attacks - Exploit network vulnerabilities in order to gain entry to e-mail, databases, or the corporate network.
◦ Denial-of-service (DoS) attacks - Prevent access to part or all of a computer system.
9. Data Interception - Involves eavesdropping on communications or altering data packets being transmitted.
Social Engineering - Obtaining confidential network security information through nontechnical means, such as posing as a technical support person and asking for people's passwords.
14. None of the approaches alone will be sufficient to
protect a network, but when they are layered
together, they can be highly effective in keeping a
network safe from attacks and other threats to
security.
Well-thought-out corporate policies are critical to
determine and control access to various parts of the
network.
15. Security is not only about the technology; it is about people, processes and other related components linked together. Do not depend on technology alone, since it changes very fast and we may not be able to keep up.
Humans are the weakest link in the security chain.
Educate people to reduce the threats and attacks (fact: 40% of the attacks are coming from the insider).
16. Switches and routers have hardware and software
features that support secure connectivity, perimeter
security, intrusion protection, identity services, and
security management.
Dedicated network security hardware and software tools such as firewalls and intrusion detection systems provide protection for all areas of the network and enable secure connections.
17. Virtual Private Networks (VPN) provide access
control and data encryption between two different
computers on a network.
VPN allows remote workers to connect to the
network without the risk of a hacker or thief
intercepting data.
19. Identity management or ID management is a broad
administrative area that deals with identifying
individuals in a system (such as a country, a network or
an organization) and controlling the access to the
resources in that system by placing restrictions on the
established identities.
Identity management or IDM is a term related to how
humans are identified and authorized across computer
networks. It covers issues such as how users are given
an identity, the protection of that identity and the
technologies supporting that protection such as network
protocols, digital certificates, passwords and so on.
22. Anti-virus software is a necessary part of a good security program.
If properly implemented and configured, it can reduce an
organization’s exposure to malicious programs.
Anti-virus software only protects an organization from malicious
programs (and not all of them—remember Melissa?).
Anti-virus software will not protect an organization from an
intruder who misuses a legitimate program to gain access to a
system.
Nor will anti-virus software protect an organization from a
legitimate user who attempts to gain access to files that he should
not have access to.
25. Each and every computer system within an
organization should have the capability to restrict
access to files based on the ID of the user attempting
the access.
If systems are properly configured and the file
permissions set appropriately, file access controls
can restrict legitimate users from accessing files
they should not have access to.
26. File access controls will not prevent someone from using a system vulnerability to gain access to the system as an administrator and thus see files on the system.
Even access control systems that allow the configuration of access controls on systems across the organization cannot do this: to the access control system, such an attack will look like a legitimate administrator attempting to access files to which the account is allowed access.
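The two slides above, as an added example (not from the original deck): a minimal discretionary file-access check keyed on the requesting user's identity and group membership, together with the caveat from slide 26. A caller that already holds the administrator role is granted regardless of the per-file entries, so the audit trail cannot distinguish a real administrator from an account that gained that role through a vulnerability. Users, groups, the `administrators` group name and the payroll file ACL are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

@dataclass
class FileAcl:
    owner: str
    # principal -> set of permissions; principals look like "user:alice" or "group:finance"
    entries: dict

def is_admin(user):
    # Constructed convention: membership of "administrators" bypasses per-file entries,
    # which is how an attacker who escalated privileges becomes invisible to this check.
    return "administrators" in user.groups

def check_access(acl, user, perm, audit):
    """Return True if `user` may perform `perm` on the file guarded by `acl`.
    Every decision is appended to `audit` so the 'looks legitimate' case is visible."""
    if is_admin(user):
        audit.append((user.name, perm, "granted", "administrator"))
        return True
    granted = set(acl.entries.get("user:" + user.name, set()))
    for g in user.groups:
        granted |= acl.entries.get("group:" + g, set())
    ok = perm in granted
    audit.append((user.name, perm, "granted" if ok else "denied", "acl"))
    return ok

# Constructed ACL: HR lead owns the payroll file, finance may read it, nobody else.
PAYROLL_ACL = FileAcl(owner="hr-lead", entries={
    "user:hr-lead": {"read", "write"},
    "group:finance": {"read"},
})

def demo():
    audit = []
    alice = User("alice", {"finance"})
    bob = User("bob", {"engineering"})
    # An account that has obtained the administrator role: to the ACL it is simply an admin.
    mallory = User("mallory", {"administrators"})
    results = {
        "alice-read": check_access(PAYROLL_ACL, alice, "read", audit),
        "alice-write": check_access(PAYROLL_ACL, alice, "write", audit),
        "bob-read": check_access(PAYROLL_ACL, bob, "read", audit),
        "mallory-read": check_access(PAYROLL_ACL, mallory, "read", audit),
    }
    return results, audit

if __name__ == "__main__":
    results, audit = demo()
    for entry in audit:
        print(entry)
```

The last audit entry is the important one: the access control system records a granted administrator read, which is exactly what a legitimate administrator's access would look like. Detecting that case needs something outside the ACL itself (privilege-change auditing or host intrusion detection).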
28. Firewalls are access control devices for the network
and can assist in protecting an organization’s
internal network from external attacks.
By their nature, firewalls are border security
products, meaning that they exist on the border
between the internal network and the external
network.
Properly configured, firewalls have become a
necessary security device.
29. Firewalls can be implemented in either hardware or
software, or a combination of both.
Firewalls are frequently used to prevent unauthorized
Internet users from accessing private networks
connected to the Internet, especially intranets.
All messages entering or leaving the intranet pass
through the firewall, which examines each message and
blocks those that do not meet the specified security
criteria.
30. A firewall will not prevent an attacker from using an
allowed connection to attack a system.
◦ For example: if a Web server is allowed to be accessed
from the outside and is vulnerable to an attack against the
Web server software, a firewall will likely allow this attack
since the Web server should receive Web connections.
Firewalls will also not protect an organization from
an internal user since that internal user is already
on the internal network.
31. Firewall techniques:
Packet filter - Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.
Application gateway - Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
Circuit-level gateway - Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server - Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
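The packet-filter technique, as an added example that is not part of the original slides: an ordered rule list evaluated first-match-wins with a default of reject, plus one anti-spoofing rule that drops packets arriving on the outside interface while claiming an inside source address (the IP spoofing weakness the slide mentions). The interface names, address ranges and sample packets are constructed. Note that the filter only looks at headers, which is why, as slide 30 says, an allowed web connection passes regardless of what the request contains.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "accept" or "reject"
    in_iface: Optional[str] = None   # interface the packet arrived on, or None for any
    proto: Optional[str] = None      # "tcp", "udp", "icmp" or None for any
    src: Optional[str] = None        # CIDR the source must fall in, or None for any
    dst: Optional[str] = None        # CIDR the destination must fall in, or None for any
    dport: Optional[int] = None      # destination port, or None for any

    def matches(self, pkt: dict) -> bool:
        if self.in_iface and pkt["in_iface"] != self.in_iface:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

def filter_packet(rules, pkt) -> str:
    """Return the action of the first matching rule; unmatched packets are rejected."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "reject"

# Constructed rule set for a border filter in front of a DMZ web server.
RULES = [
    # Anti-spoofing: nothing arriving from the outside may claim an internal address.
    Rule("reject", in_iface="outside", src="192.168.0.0/16"),
    # Public web server in the DMZ, HTTP and HTTPS only.
    Rule("accept", in_iface="outside", proto="tcp", dst="203.0.113.10/32", dport=80),
    Rule("accept", in_iface="outside", proto="tcp", dst="203.0.113.10/32", dport=443),
    # Everything else falls through to the default reject.
]

# Constructed sample packets (documentation address ranges).
PACKETS = [
    {"in_iface": "outside", "proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
    {"in_iface": "outside", "proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22},
    {"in_iface": "outside", "proto": "tcp", "src": "192.168.1.5", "dst": "203.0.113.10", "dport": 80},
    {"in_iface": "outside", "proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 53},
]

def decide_all(rules, packets):
    return [filter_packet(rules, p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, decide_all(RULES, PACKETS)):
        print(verdict, pkt)
```

Rule order matters: the third packet would be accepted by the web rule on its own, and only the anti-spoofing rule placed ahead of it turns that into a reject.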
35. In computer security, a DMZ, or demilitarized zone is a
physical or logical subnetwork that contains and
exposes an organization's external services to a larger
untrusted network, usually the Internet.
The term is normally referred to as a DMZ by IT
professionals. It is sometimes referred to as a Perimeter
Network.
The purpose of a DMZ is to add an additional layer of
security to an organization's Local Area Network (LAN);
an external attacker only has access to equipment in the
DMZ, rather than any other part of the network.
36. Generally, any service that is being provided to users
from an external network could be placed in the
DMZ.
The most common of these services are web servers,
mail servers, FTP servers, VoIP servers and DNS
servers.
In some situations, additional steps need to be taken
to be able to provide secure services.
39. Intrusion detection systems were once touted as the solution
to the entire security problem.
No longer would we need to protect our files and systems, we
could just identify when someone was doing something
wrong and stop them.
Some of the intrusion detection systems were marketed with
the ability to stop attacks before they were successful.
No intrusion detection system is foolproof and thus they
cannot replace a good security program or good security
practice. They will also not detect legitimate users who may
have incorrect access to information.
40. Types of Intrusion Detection Systems:
Network Intrusion Detection System (NIDS) - It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, network switch configured for port mirroring, or network tap. An example of a NIDS is Snort.
Host-based Intrusion Detection System (HIDS) - It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state. An example of a HIDS is OSSEC (open source free host-based intrusion detection system).
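The file-system-modification side of a HIDS, as an added example (not OSSEC's or Snort's code): hash every file under a directory to form a baseline, then compare a later snapshot and report what was added, removed or modified. The directory layout, file contents and the tampering performed in `demo()` are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each regular file under `root` (path relative to root, '/' separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def compare(baseline, current):
    """Return the differences between two snapshots as sorted lists of paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def write(root, rel, data, mode="wb"):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Build a constructed 'host' in a temp dir, take a baseline, tamper, and compare."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write(root, "etc/motd", b"Authorised use only\n")
        write(root, "bin/ls", b"\x7fELF original binary bytes")
        baseline = snapshot(root)
        # Simulated changes an agent should flag: an extra account line, a replaced
        # binary, a dropped-in file and a deleted file.
        write(root, "etc/passwd", b"extra:x:1001:1001::/home/extra:/bin/sh\n", mode="ab")
        write(root, "bin/ls", b"\x7fELF replaced binary bytes")
        write(root, "bin/newtool", b"\x7fELF unexpected file")
        os.remove(os.path.join(root, "etc", "motd"))
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A real agent stores the baseline somewhere the monitored host cannot silently rewrite it and re-runs the comparison on a schedule; the comparison logic itself is the part shown here.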
43. A bastion host is a special purpose computer on a
network specifically designed and configured to
withstand attacks.
The computer generally hosts a single application, for
example a proxy server, and all other services are
removed or limited to reduce the threat to the computer.
It is hardened in this manner primarily due to its
location and purpose, which is either on the outside of
the firewall or in the DMZ and usually involves access
from untrusted networks or computers.
44. There are two common network configurations that include bastion hosts and their placement.
◦ The first requires two firewalls, with bastion hosts sitting between the first "outside world" firewall and an inside firewall, in a demilitarized zone (DMZ).
◦ Often smaller networks do not have multiple firewalls, so if only one firewall exists in a network, bastion hosts are commonly placed outside the firewall.
Bastion hosts are related to multi-homed hosts and screened hosts. While a dual-homed host often contains a firewall, it is also used to host other services. A screened host is a dual-homed host that is dedicated to running the firewall.
45. Examples of bastion host systems/services:
1. Web server
2. DNS (Domain Name System) server
3. Email server
4. FTP (File Transfer Protocol) server
5. Proxy server
6. Honeypot
7. VPN (Virtual Private Network) server
47. Honeypot is a trap set to detect, deflect, or in some
manner counteract attempts at unauthorized use of
information systems.
Generally it consists of a computer, data, or a network
site that appears to be part of a network, but is actually
isolated, (un)protected, and monitored, and which
seems to contain information or a resource of value to
attackers.
A honeypot is valuable as a surveillance and early-warning tool.
48. While it is often a computer, a honeypot can take
other forms, such as files or data records, or even
unused IP address space.
A honeypot that masquerades as an open proxy to
monitor and record those using the system is a
sugarcane.
Honeypots should have no production value, and
hence should not see any legitimate traffic or
activity.
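The "no production value, so no legitimate traffic" principle from the two slides above, as an added example that is not part of the original deck: a block of unused address space is reserved as a honeynet, connection records are parsed, and every source that touches the honeynet is reported, because no service lives there and nothing legitimate should be talking to it. The log format, the address ranges and the sample lines are constructed.

```python
import ipaddress
import re

# Constructed: an unused block reserved as the honeynet. Nothing real is hosted there.
HONEYNET = ipaddress.ip_network("10.9.0.0/24")

# Constructed flow-log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

SAMPLE_FLOWS = """\
2024-01-10T08:00:01 10.1.5.20:51000 -> 10.1.0.10:443 tcp
2024-01-10T08:00:02 10.1.5.20:51001 -> 10.1.0.11:53 udp
2024-01-10T08:00:03 10.1.7.44:40200 -> 10.9.0.15:22 tcp
2024-01-10T08:00:03 10.1.7.44:40201 -> 10.9.0.16:22 tcp
2024-01-10T08:00:04 10.1.7.44:40202 -> 10.9.0.17:445 tcp
2024-01-10T08:00:05 10.1.5.20:51002 -> 10.1.0.10:443 tcp
this line is malformed and must be skipped
""".splitlines()

def parse_flow(line):
    """Return the flow as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow

def honeynet_alerts(lines, honeynet=HONEYNET):
    """Group every flow whose destination lies in the honeynet by source address.
    Returns {src: [(dst, dport), ...]}; any source listed deserves investigation."""
    alerts = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if ipaddress.ip_address(flow["dst"]) in honeynet:
            alerts.setdefault(flow["src"], []).append((flow["dst"], flow["dport"]))
    return alerts

if __name__ == "__main__":
    for src, hits in honeynet_alerts(SAMPLE_FLOWS).items():
        print(src, "touched the honeynet:", hits)
```

Because the honeynet has no legitimate users, the alert logic needs no threshold or signature: a single flow is already a finding, which is what makes this kind of monitoring such a low-noise early-warning signal.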
51. Policies and procedures are important components of a good
security program and the management of policies across
computer systems is equally important.
With a policy management system, an organization can be
made aware of any system that does not conform to policy.
Policy management may not take into account vulnerabilities
in systems or misconfigurations in application software,
either of these may lead to a successful penetration.
Policy management on computer systems also does not
guarantee that users will not write down their passwords or
give their passwords to unauthorized individuals.
52. Assessing computer systems for vulnerabilities is an
important part of a good security program. Such
assessment will help an organization to identify
potential entry points for intruders.
Vulnerability assessment will not protect your computer
systems.
Each vulnerability must be fixed after it is identified.
Vulnerability assessment will not detect legitimate users
who may have inappropriate access nor will it detect an
intruder who is already in your systems.
55. Encryption is the primary mechanism for communications
security. It will certainly protect information in transit.
Encryption might even protect information that is in storage
by encrypting files. However, legitimate users must have
access to these files.
The encryption system will not differentiate between
legitimate and illegitimate users if both present the same
keys to the encryption algorithm. Therefore, encryption by
itself will not provide security.
There must also be controls on the encryption keys and the
system as a whole.
58. Patch management is an area of systems
management that involves: acquiring, testing, and
installing multiple patches (code changes) to an
administered computer system.
Effective patch management is the first line of
defense for networks of any size.
Patch management is an important part of every IT
administrator's responsibility.
59. To maintain a secure network, one must ensure that
the latest security patches and operating system
service packs are installed network-wide.
Patch management software also plays a part in
adhering to the most recent compliance regulations
such as the Sarbanes-Oxley Act and HIPAA, which
require enterprises to maintain control of their
information assets.
60. Effective patch management involves not only the
discovery of software vulnerabilities but also the
subsequent patch deployment to the multiple computers
on the network.
IT administrators understand the effects that unpatched computers can have on a network.
Because they also fully recognize the challenge of ensuring network-wide protection, an easy-to-administer patch management solution has quickly become the tool of choice for IT administrators.
61. A number of products are available to automate
patch management tasks.
Like its real-world counterpart, a patch is a "make-do" fix rather than an elegant solution. Patches are sometimes ineffective, and can sometimes cause more problems than they fix.
62. System administrators take simple steps to avoid
problems, such as performing backups and testing
patches on non-critical systems prior to
installations.
Security patch management is patch management
with a focus on reducing security vulnerabilities. It
should not be a defensive procedure in reaction to
critical incidents.
64. Patch Deployment Cycle:
Detect - Use patch management software to scan for missing security patches.
Detection should be automated and should trigger the patch management process.
Acquire - If the vulnerability is not addressed by the security measures already in
place, download the patch for testing.
Test - Install the patch on a realistic operational environment to ensure that the
security fixes are suitable and do not compromise your system.
Deploy - Allow patch deployment to the other computers on the network. Review
this deployment to ensure its success with minimum impact on system users.
Maintain - Subscribe to notifications that alert you to vulnerabilities as they are
reported. Once a new security patch is available, the process is started again.
65. Patch Management tasks include:
1. Maintaining current knowledge of available patches.
2. Deciding what patches are appropriate for particular systems.
3. Ensuring that patches are installed properly, testing systems after installation.
4. Documenting all associated procedures, such as specific configurations required.
70. OS Hardening is the process of addressing security weaknesses in operating systems by implementing the latest OS patches, hotfixes and updates and following procedures and policies to reduce attacks and system downtime.
The idea of OS hardening is to minimize a
computer's exposure to current and future threats
by fully configuring the operating system and
removing unnecessary applications.
71. Incident handling is a generalized term that refers to
the response by a person or organization to an
attack.
An organized and careful reaction to an incident can
mean the difference between complete recovery and
total disaster.
72. Incident Handling Steps:
Preparation - Comprehensively addressing the issue of security includes methods
to prevent attack as well as how to respond to a successful one.
Identification of Attack - The first post-attack step in Incident handling is the
identification of an incident. Identification of an incident becomes more difficult as
the complexity of the attack grows.
Containment of Attack - Once an attack has been identified, steps must be taken to
minimize the effects of the attack. Containment allows the user or administrator to
protect other systems and networks from the attack and limit damage.
Recovery and Analysis - The recovery phase allows users to assess what damage
has been incurred, what information has been lost and what the post-attack status
of the system is. Once the user can be assured that the attack has been contained, it
is helpful to conduct an analysis of the attack.
73. Case Study (Discussion)
Virus Outbreak:
1. Preparation
2. Identification of the attack
3. Containment of the attack
4. Recovery & Analysis
System Compromise:
1. Preparation
2. Identification of the attack
3. Containment of the attack
4. Recovery & Analysis
74. Traditionally, attackers went for hacking servers, but there has been a shift to the client side: server-side applications have been targets for attackers since 2001, and these applications have matured.
Attackers are going after weaknesses in desktop applications such
as browsers, media players, common office applications and e-mail
clients.
The remedy is to maintain the most current application patch
levels, keep antivirus software updated and seek and remove
unauthorized applications.
Keeping authorized software to a minimum also decreases
exposure.
75. Application vulnerabilities exceed OS vulnerabilities
76. Web Application Attacks
Two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks.
Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified.
SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites.
Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.
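The SQL Injection technique named above, as an added example that is not from the original slides: the same user lookup written two ways against an in-memory SQLite database, string concatenation (the vulnerable pattern) beside a parameterised query (the fix). The table, the accounts and the crafted input are constructed; the point is that a value containing quote characters changes the meaning of the concatenated query but is inert as a bound parameter.

```python
import sqlite3

def make_db():
    """Constructed user table with two accounts; password hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable: the value is pasted into the SQL text, so quote characters in it
    # become part of the query's syntax instead of part of the compared string.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Hardened: the value travels as a bound parameter and is never parsed as SQL,
    # so whatever it contains is only ever compared against the column.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]

def demo():
    conn = make_db()
    normal = "alice"
    crafted = "x' OR '1'='1"   # constructed input carrying quote characters
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_normal": lookup_safe(conn, normal),
        "safe_crafted": lookup_safe(conn, crafted),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Both functions behave identically for ordinary input; only the crafted value separates them, which is why testing with well-formed data alone never reveals this defect. Parameter binding is the fix; input filtering on its own is not a substitute for it.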
77. Windows: Conficker/Downadup
Attacks on Microsoft Windows operating systems were dominated by Conficker/Downadup worm variants.
For the past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-067.
Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.
78. Attacks on critical Microsoft vulnerabilities
84. Step 2: Established reverse shell backdoor using HTTPS
85. Step 3: Dump hashes and use pass-the-hash attack to pivot
86. Step 4: Pass the hash to compromise Domain Controller
87. Ethical Hacking - A penetration test of which the goal is to discover trophies throughout the network within the predetermined project time limit.
Penetration Testing - A goal-oriented project of which the goal is the trophy and includes gaining privileged access by pre-conditional means.
88. A penetration test is a method of evaluating the
security of a computer system or network by
simulating an attack from a malicious source, known
as a Black Hat Hacker, or Cracker.
The process involves an active analysis of the system
for any potential vulnerabilities that may result from
poor or improper system configuration, known
and/or unknown hardware or software flaws, or
operational weaknesses in process or technical
countermeasures.
89. Analysis is carried out from the position of a potential
attacker, and can involve active exploitation of security
vulnerabilities.
Any security issues that are found will be presented to the
system owner together with an assessment of their impact
and often with a proposal for mitigation or a technical
solution.
The intent of a penetration test is to determine feasibility of
an attack and the amount of business impact of a successful
exploit, if discovered.
It is a component of a full security audit.
90. The IT Infrastructure Threat Modeling Guide
provides an easy-to-understand method for
developing threat models that can help prioritize
investments in IT infrastructure security.
This guide describes and considers the extensive
methodology that exists for Security Development
Lifecycle (SDL) threat modeling and uses it to
establish a threat modeling process for IT
infrastructure.
91. Primary steps of the Threat Modeling Process:
92. Threat Modeling Guide is designed to help IT professionals accomplish the following:
1. Identify threats that could affect their organizations' IT infrastructures.
2. Discover and mitigate design and implementation issues that could put IT infrastructures at risk.
3. Prioritize budget and planning efforts to address the most significant threats.
4. Conduct security efforts for both new and existing IT infrastructure components in a more proactive and cost-effective manner.
93. Dos:
1. Do choose your passwords carefully.
2. Do learn about network security.
3. Do save your work-related data on the network.
4. Do encrypt data.
5. Do utilize network virus protection software.
6. Do report any unauthorized use of your computer.
7. Do lock your workstation when you step away from your computer.
8. Do inform administrators of employee departures.
94. Don'ts:
1. Don't leave passwords around your workplace.
2. Don't save personal or sensitive information on shared network resources.
3. Don't open suspect e-mails.
4. Don't leave sensitive data on your hard drive.
5. Don't use automatic login features.
6. Network security should always be taken seriously.
95. Assess Your Environment - In order to effectively secure your network environment, you must first become familiar with all of its components.
Protect Your Network - Being part of the connected world brings many benefits as well as challenges. Any computer within your network that is connected to the Internet, directly or indirectly, is a potential risk for an attack from viruses or external attackers.
Protect Your Servers and Clients - You should be sure to take sufficient steps to harden your core operating systems and major applications from common attacks.
Monitor Your Environment - Monitoring and auditing are central to an organization's security efforts. We often think of monitoring as watching and waiting for an event to occur so that we can react to the situation.
96. 1. Selecting a Good Anti-Virus Software
2. Testing and Evaluating Anti-Virus Software
3. Analyzing and Implementing File & Folder Permissions
4. Analyzing and Implementing Database Security
5. Analyzing Local Security Policy
6. Analyzing and Implementing Security Templates
7. Implementing Group Policy
8. Implementing Encrypted File System (EFS)
9. Implementing Disk Encryption
10. Selecting Patch Management solutions
11. Implementing Patch Management
12. Configuring IDS and Firewall
13. Analyzing IDS and Firewall Rules
14. Testing IDS and Firewall