COMPUTER NETWORK SECURITY PART 3
Back again with the network security article; we continue with part 3.
III. EVALUATION OF INFORMATION SECURITY SYSTEM
The Importance of Evaluation
- Security holes are found almost daily.
- Configuration errors may occur.
- A newly added device may change the existing configuration.
Sources of Security Holes
- Poor design
  - TCP/IP sequence numbering, IP spoofing
  - Weak encryption algorithms
- Poor implementation
  - Implementation done in a hurry
  - Bad programming, e.g. out-of-bounds array access
  - Sloppy programming
- Configuration errors
  - An essential file becomes writable by everyone. Examples: password files, aliases, logs.
  - Default accounts are still active
  - A false sense of security
- Errors in using a program
  - rm -rf /
  - del *.*
System Security Testers
- Automated tools built on information about known security holes:
  - Crack: cracks (tests) passwords
  - Tripwire: file and directory integrity
  - SATAN / SAINT: tests system security over the Web
  - COPS
Probing Services
- Look at the services provided by a server.
- A service is provided over TCP or UDP on a particular port:
  - telnet, port 23
  - SMTP, port 25
  - HTTP / WWW, port 80
  - POP, port 110
- Test manually via telnet. Testing SMTP: telnet localhost 25
Detecting Probing
To detect probing of an information system, a program that monitors for it can be installed. Probing usually leaves a trace in the system's log files, and by observing the entries in the log file the presence of probing can be recognised. Example:

    root# tail /var/log/syslog
    May 16 15:40:42 epson tcplogd: "Syn probe" notebook [192.168.1.4]:[8422] - epson [192.168.1.2]:[635]

From the example above it is known that the host with IP 192.168.1.4 is doing the probing. Other probe-detection programs: courtney, portsentry and tcplogd.
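The log line above can be turned into a detector. The following Python script is an added example, not part of the original article or of tcplogd: it parses syslog lines in the tcplogd format shown, groups the probed destination ports by source address, and reports sources that touched several different ports, which is the signature of a port scan. The log lines it reads are constructed samples in that format, not real traffic.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt in the tcplogd format shown in the article.
# Host 192.168.1.4 hits four different ports in two seconds (a scan);
# 192.168.1.7 touches only the web port; the sshd line is unrelated noise.
SAMPLE_SYSLOG = """\
May 16 15:40:42 epson tcplogd: "Syn probe" notebook [192.168.1.4]:[8422] - epson [192.168.1.2]:[635]
May 16 15:40:43 epson tcplogd: "Syn probe" notebook [192.168.1.4]:[8423] - epson [192.168.1.2]:[25]
May 16 15:40:43 epson tcplogd: "Syn probe" notebook [192.168.1.4]:[8424] - epson [192.168.1.2]:[80]
May 16 15:40:44 epson tcplogd: "Syn probe" notebook [192.168.1.4]:[8425] - epson [192.168.1.2]:[110]
May 16 15:41:10 epson tcplogd: "Syn probe" pc2 [192.168.1.7]:[40001] - epson [192.168.1.2]:[80]
May 16 15:41:12 epson sshd[412]: Accepted password for budi from 192.168.1.9 port 51022
"""

# One tcplogd record: timestamp, logging host, probe kind, source name/IP/port,
# destination name/IP/port. Optional whitespace around ":" absorbs the way the
# line was wrapped in the article.
TCPLOGD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<logger>\S+) tcplogd: '
    r'"(?P<kind>[^"]+)" (?P<src>\S+)\s*\[(?P<sip>[\d.]+)\]:\s*\[(?P<sport>\d+)\]'
    r' - (?P<dst>\S+)\s*\[(?P<dip>[\d.]+)\]:\s*\[(?P<dport>\d+)\]'
)


def parse_probe(line):
    """Return a dict for a tcplogd probe line, or None for any other syslog line."""
    m = TCPLOGD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def probing_sources(lines, min_ports=3):
    """Map source IP -> sorted list of distinct destination ports it probed,
    keeping only sources that touched at least `min_ports` different ports."""
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_probe(line)
        if rec:
            ports_by_src[rec["sip"]].add(rec["dport"])
    return {ip: sorted(p) for ip, p in ports_by_src.items() if len(p) >= min_ports}


def report(text, min_ports=3):
    """Human-readable summary, one line per suspected scanner."""
    found = probing_sources(text.splitlines(), min_ports)
    return [f"{ip} probed {len(ports)} ports: {ports}" for ip, ports in sorted(found.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_SYSLOG):
        print(line)
```

Feeding it `tail -f /var/log/syslog` line by line gives a live version of the manual check the article describes; the `min_ports` threshold is what separates one stray connection from a scan.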
OS Fingerprinting
Knowing the operating system (OS) of the target is one of the first things a cracker does. Once the OS is known, the cracker can look up the known weaknesses of that system in a vulnerability database. Fingerprinting is the term commonly used for analysing the OS of a target system. Conventional ways include telnet, ftp, netcat, etc.

If the server happens to provide a service, there is often a banner that shows the name of the OS and its version. This can be done with telnet to a particular port, or with a dedicated program.

A more sophisticated way of fingerprinting is to analyse the system's response to a particular request. For example, analysing the sequence numbers of the TCP/IP packets sent by the server narrows down the range of possible OS types.

There are several tools for detecting the OS, among others nmap and queso.
Use of Attacker Programs
One way to find out the weaknesses of your information system is to attack yourself with the attacker programs (packages) that can be obtained on the Internet. Internet Security Scanner (ISS) or Security Analysis Tool for Auditing (SATAN): these programs report the weaknesses of the target system and can scan an entire domain or subnetwork. Others:
- TCP Wrapper, to monitor the computer network
- Crack, to test password security
- IP Scanner, IP Sniper, Network Analyzer DLL
Besides aggressive attacker programs that disable the target system, there are also attacker programs whose nature is theft or data tapping. A data-tapping program is usually known as a "sniffer". Examples of sniffer programs include:
- pcapture (Unix)
- sniffit (Unix)
- tcpdump (Unix)
- WebXRay (Windows)
Use of a Network Monitoring System
A network monitoring system can be used to detect the presence of a security hole. For example, if you have a server that should only be accessible to people from inside, a network monitor can show that someone is trying to access it from another location. Network monitoring can also reveal attempts to paralyse the system through a denial of service (DoS) attack, in which an excessive number of packets is sent. Network monitoring is usually done using the SNMP protocol (Simple Network Management Protocol).
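Two of the checks just described, a server that should only be reached from inside being contacted from elsewhere, and a flood of packets that points to a DoS attempt, can be expressed over a stream of packet records. The Python below is an added example, not from the article or from any of the tools listed: it works on constructed records of (timestamp, source address, destination port) such as a monitor or sniffer would produce, flags sources outside the permitted network, and counts packets per source in a sliding one-second window.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed packet records for an internal server: (timestamp_seconds, source_ip, dst_port).
# 10.0.0.5 is a normal internal client; 198.51.100.2 is an outsider knocking on SSH;
# 203.0.113.9 sends 150 packets in under half a second (a flood).
SAMPLE_PACKETS = (
    [(100.0 + i * 0.2, "10.0.0.5", 80) for i in range(5)]
    + [(100.5, "198.51.100.2", 22), (100.9, "198.51.100.2", 22)]
    + [(100.0 + i * 0.003, "203.0.113.9", 80) for i in range(150)]
)


def unexpected_sources(packets, allowed_net):
    """Source addresses that talked to the server but lie outside `allowed_net`
    (the 'should only be accessible from inside' check)."""
    net = ipaddress.ip_network(allowed_net)
    return sorted({src for _ts, src, _port in packets if ipaddress.ip_address(src) not in net})


def detect_floods(packets, window=1.0, threshold=100):
    """Sliding-window rate check per source. Returns {src: (first_alert_ts, count)}
    for sources that sent more than `threshold` packets within any `window` seconds."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alerts = {}
    for ts, src, _port in sorted(packets):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:    # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = (ts, len(q))
    return alerts


def monitor_report(packets, allowed_net, window=1.0, threshold=100):
    """Plain-text findings, outsiders first, then floods."""
    lines = [f"outside {allowed_net}: {ip}" for ip in unexpected_sources(packets, allowed_net)]
    for src, (ts, n) in sorted(detect_floods(packets, window, threshold).items()):
        lines.append(f"flood from {src}: {n} packets within {window}s at t={ts:.3f}")
    return lines


if __name__ == "__main__":
    for line in monitor_report(SAMPLE_PACKETS, "10.0.0.0/8"):
        print(line)
```

The threshold and window are deliberately parameters: what counts as a flood for a busy web server is normal traffic for a DNS resolver, so the numbers have to come from a baseline of the monitored host.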
Network monitoring / management programs:
- Etherboy (Windows), Etherman (Unix)
- HP OpenView (Windows)
- Packetboy (Windows), Packetman (Unix)
- SNMP Collector (Windows)
- Webboy (Windows)
Network monitoring programs that do not use SNMP:
- iplog, icmplog, udplog, part of the iplog package, for monitoring IP, ICMP and UDP packets
- iptraf, already included in the Debian Linux netdiag package
- netwatch, already included in the Debian Linux netdiag package
- ntop, monitors the network the way the top program monitors processes on Unix systems
- trafshow, shows traffic between hosts in text mode
Detecting Attacks
A monitoring system is used to recognise an uninvited guest (intruder) or an attack. Another name for such a system is an "intrusion detection system" (IDS). The system can notify administrators via e-mail or through other mechanisms such as a pager.
Examples of IDS software include:
- Autobuse, detects probing by monitoring log files.
- Courtney and portsentry, detect probing (port scanning) by monitoring passing packets. Portsentry can even put the attacker's IP into the tcpwrapper filter (inserted directly into the /etc/hosts.deny file).
- Shadow, from SANS
- Snort, detects patterns in passing packets and sends an alert if a pattern is detected.
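The last two items, Snort's pattern matching and portsentry's writing of the offender into /etc/hosts.deny, are simple enough to show end to end. The Python below is an added example and not code from Snort, portsentry or the article: it applies a handful of constructed content signatures to constructed packet records, emits Snort-style alert lines, and produces the tcp_wrappers `ALL: address` lines a tool like portsentry appends to /etc/hosts.deny. It only returns those lines; it does not touch the real file.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """A minimal content signature: protocol, destination port (None = any), byte pattern."""
    sid: int
    msg: str
    proto: str
    dport: Optional[int]
    content: bytes


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


# Constructed signatures; the SIDs are made up for this example.
RULES = [
    Rule(1000001, "WEB directory traversal attempt", "tcp", 80, b"/../"),
    Rule(1000002, "SMTP VRFY user enumeration", "tcp", 25, b"VRFY "),
    Rule(1000003, "Shell reference in payload", "tcp", None, b"/bin/sh"),
]

# Constructed traffic: two hostile packets, one benign request, and one UDP packet
# whose payload matches a tcp-only rule and therefore must not fire.
SAMPLE_PACKETS = [
    Packet("192.0.2.5", "10.0.0.2", 80, "tcp", b"GET /../../secret.txt HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.2", 80, "tcp", b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.9", "10.0.0.2", 25, "tcp", b"VRFY root\r\n"),
    Packet("10.0.0.8", "10.0.0.2", 53, "udp", b"/../"),
]


def matches(rule, pkt):
    """Protocol, port (if the rule fixes one) and byte pattern must all agree."""
    return (rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport)
            and rule.content in pkt.payload)


def inspect(packets, rules=RULES):
    """Return (alert_lines, offending_sources). The alert format mimics Snort's
    '[**] [gid:sid:rev] msg [**] {PROTO} src -> dst:port' console output."""
    alerts, offenders = [], set()
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                alerts.append(f"[**] [1:{rule.sid}:1] {rule.msg} [**] "
                              f"{{{pkt.proto.upper()}}} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                offenders.add(pkt.src)
    return alerts, offenders


def hosts_deny_lines(offenders):
    """tcp_wrappers entries in the 'daemon_list : client_list' form that portsentry
    appends to /etc/hosts.deny; returned as strings, nothing is written."""
    return [f"ALL: {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    alerts, offenders = inspect(SAMPLE_PACKETS)
    print("\n".join(alerts))
    print("\n".join(hosts_deny_lines(offenders)))
```

Note the fourth sample packet: a bare byte pattern is not enough on its own, and tying a signature to protocol and port is what keeps the false-positive rate usable.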
Honeypot
A honeypot is an open (deliberately exposed) information system that focuses on gathering information about the illegal activities of an attacker who tries to infiltrate a computer system (server) and explore its authorisation. With a honeypot we can learn the attacker's behaviour, such as the tools used and other kinds of activity that can be recorded. The honeypot protects our real server, because we set up a fake server and the attacker, without realising it, attacks a system that is not the real one and is trapped.

What is the purpose of a honeypot?
- Early Detection. This method tells and reminds us of attacks on the server system by unauthorised people.
- New Threat Detection. This method is used to recognise new threats and new attack techniques used by the attacker in an attempt to obtain "privilege escalation".
- Recognising the Attacker (Know Your Enemy). This method is used to find out who the real attacker is, what the attacker does, and the methods and techniques used.
- Saving the System (Save the System). This method is used to trick the attacker into continuing to act only on the honeypot system, so that the real server remains safe (although not 100% secure).
- Disrupting Attacker Patterns. A method that confuses the attacker's way of thinking when faced with a network pattern that is not real.
- Building Defence. The honeypot we build provides a better defence, because the attacker does not attack the real server directly.
- Preventing the Hacking Process (Hacking Process Prevention). The defence system we plant and build reduces attacks from the hacking process.

The things contained in a honeypot:
- Network Devices (Hardware): establishing a honeypot means we also need computer network equipment.
- Monitoring or Logging Tools: the honeypot we set up can directly monitor the attacker's activity.
- Alerting Mechanism: the honeypot can provide a messaging service for administrators when attacks occur.
- Keystroke Logger: the honeypot can provide information about what the attacker does, including the keys typed on the attacker's keyboard.
- Packet Analyzer: the honeypot can provide information about the data packets sent by the attacker to the honeypot server.
- Forensic Tools: the honeypot can provide forensic information about what the attacker did to the system.

Where is the honeypot placed?
- Direct placement, where the honeypot faces the internet without a firewall.
- Indirect placement, where the honeypot sits between the firewall and the internet connection; placement of the honeypot in a DMZ.
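The components listed above (a listener, logging, alerting, keystroke capture) fit in a very small program. The Python below is an added example and not software from the article: a decoy TCP service on the loopback address that greets with an invented banner, records everything each connecting client sends, and calls an alert callback when a session ends. It is a low-interaction honeypot meant to show the mechanism; the decoy banner and the sample client session are constructed, and the `Honeypot` and `Session` names are this example's own.

```python
import socket
import threading
import time
from dataclasses import dataclass

# Constructed banner; the product name is invented so the decoy impersonates no real software.
DECOY_BANNER = b"220 decoy.example.test ESMTP DecoyMTA 0.1 ready\r\n"


@dataclass
class Session:
    """Everything captured from one client connection."""
    peer: str
    started: float
    data: bytes = b""

    def commands(self):
        """Client input split into lines: the 'keystrokes' the text mentions."""
        raw = self.data.replace(b"\r\n", b"\n").split(b"\n")
        return [ln.decode("ascii", "replace") for ln in raw if ln]


class Honeypot:
    def __init__(self, banner=DECOY_BANNER, alert=None, idle_timeout=2.0):
        self.banner = banner
        self.alert = alert            # callback(Session), e.g. send the administrator an e-mail
        self.idle_timeout = idle_timeout
        self.sessions = []            # the log: one Session per connection
        self._lock = threading.Lock()
        self._srv = None

    def start(self, host="127.0.0.1", port=0):
        """Bind the decoy and serve in the background; returns the bound port."""
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(5)
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self._srv.getsockname()[1]

    def stop(self):
        if self._srv:
            self._srv.close()

    def _accept_loop(self):
        while True:
            try:
                conn, addr = self._srv.accept()
            except OSError:              # listening socket closed
                return
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        sess = Session(peer=f"{addr[0]}:{addr[1]}", started=time.time())
        with conn:
            conn.settimeout(self.idle_timeout)
            conn.sendall(self.banner)
            try:
                while True:
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    sess.data += chunk
                    if b"QUIT" in chunk.upper():      # end the fake dialogue politely
                        conn.sendall(b"221 bye\r\n")
                        break
            except socket.timeout:
                pass                                   # idle client: keep what we have
        if self.alert:                                 # alerting mechanism
            self.alert(sess)
        with self._lock:
            self.sessions.append(sess)                 # logging


def sample_client(port, commands=(b"EHLO probe\r\n", b"VRFY root\r\n", b"QUIT\r\n")):
    """Constructed client standing in for an intruder: reads the banner, sends
    commands, drains the reply, and returns the server's reply text."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        reply = s.recv(1024)
        for cmd in commands:
            s.sendall(cmd)
        while True:
            chunk = s.recv(1024)
            if not chunk:
                break
            reply += chunk
    return reply.decode("ascii", "replace")


def wait_for_sessions(hp, n, timeout=5.0):
    """Block until the honeypot has recorded `n` sessions (or give up)."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with hp._lock:
            if len(hp.sessions) >= n:
                return True
        time.sleep(0.01)
    return False


if __name__ == "__main__":
    hp = Honeypot(alert=lambda s: print(f"ALERT: {s.peer} sent {s.commands()}"))
    port = hp.start()
    print(sample_client(port))
    wait_for_sessions(hp, 1)
    hp.stop()
```

Nothing on the decoy is real, so any connection at all is worth an alert; that is what gives a honeypot its low false-positive rate compared with an IDS on a production server.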