Security Mgt. Tools and Subsystems

Academic year: 2021


ICS

©2002-14 P. Veríssimo – All rights reserved. Reproduction only by permission

Security Mgt. Tools and Subsystems

some attack and defense security tools at work

Classes of tools (network-bound)

• Reconnaissance
  – Passive
  – Active
• Penetration


Passive Reconnaissance

• Passively listen to and analyze the traffic on the network, or log and analyze events on hosts
• Do not change the state of the entity in question
• Can be used for attack or defensive purposes
• Examples
  – Network sniffer
  – Intrusion Detection System


Active Reconnaissance

• Gathers information by doing something in a potentially detectable way (often by sending network traffic) and waiting for responses
• Examples
  – WHOIS
  – Traceroute
  – Port scanner


Methodology for Reconnaissance

• Intelligence Gathering
• Footprinting
• Verification
• Vitality

Penetration Testing

• Penetration tools
  – Aid the user in breaking into and gaining unauthorized access to a network entity and/or its hosts
  – Often work by exploiting a specific vulnerability in software, or unintended interactions between entities
• Penetration Testing Tools
  – Similar to attack tools, but may have damage control mechanisms to minimize negative impact
  – Example tools:
    » nmap
    » wireshark
    » nessus
    » metasploit


Penetration Testing

• nmap
  – Port scanning
  – OS fingerprinting
  – Service version detection


Penetration Testing

• Wireshark
  – Previously known as “Ethereal”; a multi-platform open-source network protocol analyzer
  – Allows one to examine data from a live network or from a capture file on disk (previously recorded by tcpdump, for instance)
  – Understands hundreds of protocols
  – Rich display filter language


Penetration Testing

• Metasploit Framework
  – The attack tool par excellence (at least for real hackers)
  – An advanced open-source platform for developing, testing, and using exploit code
  – Currently used for just about all cutting-edge exploitation research
  – Already ships with hundreds of exploits and shellcode

Penetration Testing

• Other specific tools exist for:
  – Databases
  – Web Applications
  – Wireless
  – ...
• Extended open source security tools


Fighting back ....


Defense and Countermeasures: methodology and tools

• Systematic measures to defend systems and networks from intrusion
• Defensive security management


Security management and defensive functions

• security enhancement
• fault (attack, vulnerability) diagnosis
• attack prevention
• intrusion detection
• auditing



Security management functions

• security enhancement tools
  – in this class we have tools that render machines and software more robust, by preventing/removing vulnerabilities;
  – for example cryptographic software, filtering and wrapping software, or packages that encrypt, sign or checksum critical software, to detect modifications;
  – e.g., Crypto libraries, Wrappers or Integrity Checkers
  – examples of such software are Tripwire, Xinetd, Tcpwrapper, Portmapper, and Cracklib


Wrappers and Integrity Checkers

• Wrappers and Integrity Checkers can significantly improve the resilience of otherwise vulnerable software, by:
  – neutralising vulnerabilities
  – detecting modifications


Tripwire

• Defensive tool (more specifically an integrity checker)
• Configuration control
• Monitors ‘important’ file and registry values and properties (like access times, flags, owner, etc.)
• Enables admins to detect files that are added, modified or deleted
• Provides a history of what changes during patching
• Two components
  – Tripwire for Servers (command line)
  – Tripwire Manager (GUI front end)
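An added example, not from the original slides, of what an integrity checker like Tripwire does at its core: it stores a baseline of content hashes and inode properties for each file and later reports files that were added, deleted or modified, naming which property changed. The field set, function names and layout are this example's own assumptions, not Tripwire's.

```python
import hashlib
import os
import stat
from typing import Dict, List, Tuple

# Properties recorded per file (chosen for this example): content hash, size,
# permission bits, owner uid and modification time.
FIELDS = ("sha256", "size", "mode", "uid", "mtime")
Record = Tuple[str, int, int, int, int]

def digest(data: bytes) -> str:
    """SHA-256 of the file contents: one changed byte changes it, even if size does not."""
    return hashlib.sha256(data).hexdigest()

def record_file(path: str) -> Record:
    """Snapshot one regular file's content hash and the inode properties we watch."""
    with open(path, "rb") as f:
        h = digest(f.read())
    st = os.lstat(path)
    return (h, st.st_size, stat.S_IMODE(st.st_mode), st.st_uid, int(st.st_mtime))

def build_baseline(root: str) -> Dict[str, Record]:
    """Walk a tree and record every regular file, keyed by its path relative to root."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = record_file(full)
    return baseline

def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List]:
    """Report files added, deleted or modified since the baseline was stored.
    A modified entry names the properties that differ, so a content change can be
    told apart from a metadata-only change such as a chmod or chown."""
    report: Dict[str, List] = {"added": [], "deleted": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["deleted"].append(rel)
        elif baseline[rel] != current[rel]:
            changed = [f for f, a, b in zip(FIELDS, baseline[rel], current[rel]) if a != b]
            report["modified"].append((rel, changed))
    return report

def check_tree(root: str, baseline: Dict[str, Record]) -> Dict[str, List]:
    """Re-scan the tree and diff it against the stored baseline."""
    return compare(baseline, build_baseline(root))
```

The stored baseline should itself live on read-only or off-host storage; otherwise an intruder can simply re-baseline after tampering.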



Security management functions

• fault (attack, vulnerability) diagnosis tools
  – in this class we have for example packages that scan the facility looking for design or configuration vulnerabilities;
• Vulnerability Scanners
  – e.g., test systems to activate vulnerabilities, discover them and correct them (removal) or filter them (neutralisation)
  – examples of such software used over the past few years are Crack, COPS, Tiger, ISS, Satan, Saint, Nessus, Merlin, Trojan


On Vulnerability Scanners

• vulnerability scanners are useful but have limitations:
  » they exercise the system in order to activate vulnerabilities: they often find only those they look for, and only those reachable by the interface method
  » they do not detect attacks


Bringing it all together

• there have been, over the past few years, releases of powerful packages integrating several tools of the classes seen above
  – Hiren's BootCD: system diagnosis & management
  – Metasploit: penetration testing
  – BackTrack: penetration testing



Security management functions

• attack prevention
  – in this class we have all types of tools that attempt to block attacks on internal, perhaps vulnerable, components
• Firewall Systems
  – e.g., restrict access to systems, to prevent attacks from reaching the vulnerabilities
  – examples of such software are Firewall-1, IPtables, Gauntlet, Raptor


Limitations of Firewalls

• firewalls are an excellent tool, but not perfect:
  – not transparent (except for bridge-level)
  – slow networks down
  – do not block all attacks
  – block legitimate interactions
• something more proactive is needed in the way of:
  – taking care of residual vulnerabilities (the most subtle ones)
  – taking care of on-going or successful attacks



Security management functions

• intrusion detection tools
  – in this class we have for example packages that perform real-time supervision, looking for anomalous behavior or state of the system, or abnormal patterns of usage, in order to detect intrusions;
  – they act as a last resort, when a successful attack/vulnerability match has occurred
• Intrusion Detection Systems
  – e.g., detect symptoms derived from ongoing or successful attacks
  – examples of such software are Scandetector, CPM, AID, AAID, NID,


Intrusion Detection Systems

• complement the protection offered by scanners and firewalls
• IDS are based on sensors
• sensors are programs, sometimes in dedicated boxes, which detect intrusions in parts of systems and generate reports to consoles
• consoles interpret the reports and/or generate appropriate responses
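An added example, not from the slides, of the sensor/console split described above: a sensor that reads connection records and flags a source probing many distinct ports within a short window (the symptom a port scan like the one on the earlier nmap slide leaves behind), and a console that turns each report into an operator action. The record format, addresses, window and threshold are all constructed for this example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed sample records, one per line: "<epoch> <src> -> <dst>:<port> <flags>".
SAMPLE_LOG = """\
1700000000 198.51.100.5 -> 192.0.2.10:443 SYN
1700000001 203.0.113.7 -> 192.0.2.10:21 SYN
1700000001 203.0.113.7 -> 192.0.2.10:22 SYN
1700000002 203.0.113.7 -> 192.0.2.10:23 SYN
1700000002 203.0.113.7 -> 192.0.2.10:25 SYN
1700000003 203.0.113.7 -> 192.0.2.10:80 SYN
1700000003 198.51.100.5 -> 192.0.2.10:443 SYN
1700000004 203.0.113.7 -> 192.0.2.10:110 SYN
1700000004 203.0.113.7 -> 192.0.2.10:143 SYN
1700000005 203.0.113.7 -> 192.0.2.10:443 SYN
1700000005 203.0.113.7 -> 192.0.2.10:445 SYN
1700000006 203.0.113.7 -> 192.0.2.10:3389 SYN
1700000007 203.0.113.7 -> 192.0.2.10:8080 SYN
"""

def parse_line(line: str) -> Tuple[int, str, str, int]:
    ts, src, _arrow, dst, _flags = line.split()
    host, port = dst.rsplit(":", 1)
    return int(ts), src, host, int(port)

def detect_port_scans(lines, window: int = 60, threshold: int = 10) -> List[Dict]:
    """Sensor: raise one alert per source that touches >= threshold distinct
    destination ports within a sliding window of `window` seconds."""
    recent: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)
    alerted, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        q = recent[src]
        q.append((ts, port))
        while q and q[0][0] < ts - window:  # drop events that fell out of the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "dst": dst, "ports": sorted(ports), "at": ts})
    return alerts

def console_response(alerts: List[Dict]) -> List[str]:
    """Console: turn each sensor report into an operator-facing action line."""
    return [f"block {a['src']} at the firewall: {len(a['ports'])} ports probed on {a['dst']} at {a['at']}"
            for a in alerts]
```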




Security management functions

• auditing tools
  – in this class we have for example packages that perform logging and build audit trails of the system, so that the administrator can analyze events a posteriori, e.g., correlate attacks to detect intrusion campaigns;
  – audits should be secure, in the sense of indelible
• e.g., Secure logging and auditing tools and Protocol Analyzers
  – examples of such software are Tcpdump, Analyzer, Swatch, Logdaemon, Netlog, Netman
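An added example, not from the slides, of what "indelible" audit logging means in practice: each entry carries a MAC that also covers the previous entry's MAC, and the logging key evolves one-way after every write, so an intruder who later takes over the host cannot silently rewrite or drop earlier entries. The key-evolution scheme, class and function names and the sample messages are assumptions made for this example, not any of the listed tools.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry

def _mac(key: bytes, seq: int, msg: str, prev: str) -> str:
    """MAC over the entry and the previous entry's MAC, which links the chain."""
    payload = json.dumps({"seq": seq, "msg": msg, "prev": prev}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def _evolve(key: bytes) -> bytes:
    """One-way key update; the logger keeps only the new key, so an intruder who
    later takes the host cannot re-MAC entries written before the compromise."""
    return hashlib.sha256(b"evolve|" + key).digest()

class SecureLogger:
    """Host-side writer. The auditor keeps a copy of initial_key off-host."""
    def __init__(self, initial_key: bytes):
        self._key, self._prev = initial_key, GENESIS
        self.entries: List[dict] = []

    def append(self, msg: str) -> dict:
        seq = len(self.entries)
        entry = {"seq": seq, "msg": msg, "prev": self._prev,
                 "mac": _mac(self._key, seq, msg, self._prev)}
        self.entries.append(entry)
        self._prev, self._key = entry["mac"], _evolve(self._key)  # old key discarded
        return entry

def verify_log(entries: List[dict], initial_key: bytes,
               expected_tail: Optional[str] = None) -> Tuple[bool, int]:
    """Auditor-side check. Returns (ok, index of the first bad entry, or -1).
    Edits, reordering and deletions break the chain; truncation at the end is
    only caught if the last MAC was recorded off-host and passed as expected_tail."""
    key, prev = initial_key, GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        if not hmac.compare_digest(e["mac"], _mac(key, i, e["msg"], prev)):
            return False, i
        prev, key = e["mac"], _evolve(key)
    if expected_tail is not None and prev != expected_tail:
        return False, len(entries)
    return True, -1
```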

Protocol Analyzers (e.g., Wireshark)
