TCP/IP Networks Management
and Security
Presented by:
David M. Litton, CPA, CISA, CGFM
Deputy Director, Audit and Management Services
Virginia Commonwealth University
May 7, 2001
5/7/2001 TCP/IP Networks Management and Security 2
Course Objectives:
• What is a TCP/IP Network?
• Common components of a TCP/IP network
• Network environment: TCP/IP protocol and associated devices functionality
• General network risks
• Specific risks and compensating controls for TCP/IP network devices
• Areas of a TCP/IP Infrastructure Audit
What is a TCP/IP Network?
• Envelope and post office concept
• Ethernet Frames
• Internet Protocol (IP) – connectionless datagram; tries to send but is not sure if it gets there
• Transmission Control Protocol (TCP)
• Alternatives to TCP: UDP and ICMP
• Ports
• Socket (combination of port # & IP address)
• Connection (pair of sockets for a session)
[Figure: two connection examples between a host (ex. Unix/Win NT server) and a client (ex. Win 98/2000)]
Telnet (also HTTP, SMTP, POP3...): single control and data circuit
  Host IP 128.172.161.139, port 23
  Client IP 128.172.2.30, high random port (ex. port #3003)
FTP: separate control and data circuits
  Host IP 128.172.161.139, port 21 and port 20
  Client IP 128.172.22.9, high random ports (ex. port #2987 and port #2986)
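The socket and connection concepts above (a socket is an IP address plus a port; a connection is a pair of sockets), as an added example that is not part of the original presentation. The script opens one TCP connection over loopback and reports how each end sees it: the listener plays the slide's host on a port the OS assigns, and the client connects from a high random port, as ports 3003 and 2987 in the figure illustrate. Nothing here touches a real host or the addresses shown on the slide.

```python
import socket
import threading

# Constructed, local-only demonstration: a listener plays the "host" role
# and a client connects to it, both on 127.0.0.1.

def run_connection_demo():
    """Open one TCP connection over loopback and return both endpoint views.

    The result holds the server-side and client-side (local, remote) socket
    addresses, so the caller can see that one connection is identified by a
    pair of sockets, each an (IP, port) tuple."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    host_addr = listener.getsockname()   # the host's socket: (IP, port)

    accepted = {}

    def serve():
        conn, peer = listener.accept()
        accepted["local"] = conn.getsockname()   # host side of the pair
        accepted["remote"] = peer                # client side of the pair
        data = conn.recv(64)
        conn.sendall(data.upper())               # stand-in for Telnet chatter
        conn.close()

    t = threading.Thread(target=serve)
    t.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(host_addr)
    client_view = {
        "local": client.getsockname(),   # high random port chosen by the OS
        "remote": client.getpeername(),  # the host socket
    }
    client.sendall(b"hello")
    reply = client.recv(64)
    client.close()
    t.join()
    listener.close()

    return {"server": accepted, "client": client_view, "reply": reply}

def is_connection_consistent(views):
    """Both ends must describe the same socket pair, mirrored."""
    return (views["server"]["local"] == views["client"]["remote"]
            and views["server"]["remote"] == views["client"]["local"])

def uses_ephemeral_client_port(views):
    """Clients bind a high port, as in the slide's ports 3003 and 2987."""
    return views["client"]["local"][1] >= 1024

if __name__ == "__main__":
    v = run_connection_demo()
    print("host socket   :", v["server"]["local"])
    print("client socket :", v["client"]["local"])
    print("consistent    :", is_connection_consistent(v))
```

The host port is fixed for the life of the listener while the client port changes on every connection, which is why router filters key on the well-known server port rather than on the client side.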
OSI Model and TCP/IP Compared

OSI Reference Model                          Examples                            TCP/IP Protocol Stack
(7) Application Layer                        FTP, Telnet, HTTP                   (4) Application Layer
(6) Presentation Layer                       FTP, Telnet, HTTP                   (4) Application Layer
(5) Session Layer                            FTP, Telnet, HTTP                   (4) Application Layer
(4) Transport Layer                          TCP, UDP                            (3) Transport Layer
(3) Network Layer                            IP                                  (2) Internet Layer
(2) Data Link Layer                          Ethernet, Frame Relay, Token Ring   (1) Network Interface Layer
    (Logical Link; Media Access Control, MAC)
(1) Physical Layer                           Twisted Pair, Fiber                 (1) Network Interface Layer
Common components of a TCP/IP network
• Cat 5 UTP wiring & fiber optics: lower layer 1
• Hubs: emphasis layer 1
• Bridges: layer 1 or lower part of layer 2 (MAC)
• Switches: some layer 1 & emphasis layer 2
• Routers: emphasis layer 3 & some layer 4
• Applications/network utilities: layers 5-7; FTP, HTTP, NFS, X-Windows, Telnet…
• Protocol stacks: part of server/workstation O/S
• Servers: physical and logical contrasted
• Specialized IP servers: DHCP, BOOTP, DNS…
Network Environment: TCP/IP Protocol and Associated Devices Functionality

[Figure: LAN/WAN Protocol Example. Two Ethernet LANs (workstations, laptops and laser printers on hubs) and a Token-Ring LAN (MAU) connect through routers and firewalls to a WAN (ATM, T-1, ISDN, Frame Relay, SMDS). The same IP/TCP payload is carried in a different layer-2 frame on each segment:]
Enet[IP[TCP[Data]]]
TRing[IP[TCP[Data]]]
ATM[IP[TCP[Data]]]
General network risks
• Inconsistently applied back-up procedures for network equipment and servers
• Lack of a test lab and change control procedures
• Intercepting clear text, log-on identifiers and passwords
• Staff turn-over
• Use of unauthenticated services on network hosts and pass-through routers
• Lack of spoofing prevention measures
• Use of default passwords on network equipment
• Lack of password change procedures for network equipment
• Poor O/S controls on network devices
General network risks
• Improper access to restricted systems (patient information, financial records, payroll, etc.)
• Release of sensitive information
• Prolonged outages and inconsistent availability
• Lack of documentation
• Non-compartmentalized traffic
• Trojan horses
• Lack of expertise, training, and cross-training
• Lack of restoration plans or spare parts
• Ineffective procedures
• Masquerading as another individual
• Spying, sabotage
• Risk from easy-to-use freeware utilities
• Stolen passwords
Specific risks and compensating controls for TCP/IP network devices
Router Risks and Controls
Risk: Inappropriate addresses or dangerous protocols accessing hosts/servers
Control: Access Control Lists – filter through the router
Risk: Inappropriate addresses conducting router maintenance
Control: ACLs to restrict which IP addresses may reach the router
Risk: Unauthenticated or trusted services used for maintenance
Control: Turn off these services in the router configuration; use services with stronger authentication
Router Risks and Controls
Risk: Damaged router/network device configuration
Control: Create backups of the configuration file; store on the network, as hard copy, and as a “secret” backup
Risk: Failed upgrades or changes
Control: Development and maintenance controls & “back-out” plans
Risk: Not capturing network events
Control: Turn on logging; secure the host that the logs are streaming to
Router Risks and Controls
Risk: Default passwords and clear text passwords transmitted over the network
Control: Change passwords periodically, with timeouts
Risk: No console passwords
Control: Add passwords with timeouts
Risk: Community strings = PUBLIC, PRIVATE, passed over the network in clear text
Control: Change community strings and use encrypted SNMP
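The controls on the three router slides above (turn off unauthenticated maintenance services, passwords with timeouts on the console and terminal lines, non-default community strings, logging to a secured host) can be checked mechanically against a saved configuration. The script below is an added example, not from the presentation or from any vendor: it parses a constructed IOS-style configuration, flags the weak settings, and shows a second constructed configuration in which they are corrected. The command forms it looks for (`snmp-server community`, `ip http server`, `ip rcmd rsh-enable`, `ip rcmd rcp-enable`, `mop enabled`, `tftp-server`, `exec-timeout`, `logging`) are assumed Cisco IOS syntax; the device name, addresses and passwords are invented.

```python
import re

# Constructed sample configuration (IOS-style syntax; every value is invented).
WEAK_CONFIG = """\
hostname border-rtr
!
snmp-server community public RO
snmp-server community private RW
!
ip http server
ip rcmd rsh-enable
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 mop enabled
!
line con 0
line vty 0 4
 password vty-example
 login
!
end
"""

# The same device with the slide's controls applied (also constructed).
HARDENED_CONFIG = """\
hostname border-rtr
!
snmp-server community N0t-Default-Str1ng RO 10
logging 192.0.2.50
!
no ip http server
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
line con 0
 password con-example
 exec-timeout 5 0
 login
line vty 0 4
 password vty-example
 exec-timeout 5 0
 login
!
end
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# Maintenance services the slides list as unauthenticated or "trusted",
# keyed by the (assumed IOS) command fragment that enables them.
UNAUTHENTICATED_SERVICES = {
    "ip http server": "HTTP management interface",
    "ip rcmd rsh-enable": "Berkeley r-shell",
    "ip rcmd rcp-enable": "Berkeley r-copy",
    "mop enabled": "DEC MOP",
    "tftp-server": "TFTP server",
}

def parse_blocks(config_text):
    """Split a config into (header, [child lines]); indented lines belong to
    the most recent unindented header, comment lines ('!') are skipped."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_router_config(config_text):
    """Return a list of findings; an empty list means no slide control is missing."""
    findings = []
    has_logging_host = False
    for header, children in parse_blocks(config_text):
        m = re.match(r"snmp-server community (\S+)", header)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string '{m.group(1)}'")
        for cmd, desc in UNAUTHENTICATED_SERVICES.items():
            if header.startswith(cmd) or any(c.startswith(cmd) for c in children):
                findings.append(f"{desc} enabled ({cmd})")
        if re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", header):
            has_logging_host = True
        if header.startswith("line "):   # console and vty lines
            if not any(c.startswith("password") for c in children):
                findings.append(f"no password on '{header}'")
            if not any(c.startswith("exec-timeout") for c in children):
                findings.append(f"no exec-timeout on '{header}'")
    if not has_logging_host:
        findings.append("no logging host configured (events not captured)")
    return findings

if __name__ == "__main__":
    for f in audit_router_config(WEAK_CONFIG):
        print("FINDING:", f)
    print("hardened config findings:", audit_router_config(HARDENED_CONFIG))
```

Run it against a real saved configuration by reading the file into `audit_router_config`; the check is deliberately text-based so it can be applied to configuration backups during an audit without logging on to the device.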
Router Risks and Controls: Methods of Accessing Routers
• Console
• TFTP
• Telnet
• TACACS
• MOP (Maintenance Operation Protocol, by DEC, for Cisco routers)
• SNMP
• R-Shell
• R-Copy
• FTP
• HTTP
• More being added; check manufacturer documentation
Domain Name Service: Risks and Controls
Risk: Allowing zone file transfers to unauthorized clients provides MX and HINFO records
Control: Use router filters for TCP port 53 (DNS), or control which servers receive DNS zone files
Risk: Updates require time to propagate, usually 24 hours
Control: Use strong change control procedures – management review
Risk: Providing information about internal devices one at a time
Control: Configure external name servers to provide info on Internet-connected machines
Risk: Whois command
Note: Whois returns the DNS IP addresses + sensitive info.
Network Address Translation
• Static translation does not hide the device from the Internet; port translation is needed to get the full benefit for security.
• Reduced router performance, and can interfere with authentication schemes that verify the integrity of the entire packet.
• Must weigh these costs when reviewing NAT.

[Figure: TCP/IP Environment Example. Internet – NAT router – hub, with a DHCP server and hosts 10.xxx.xxx.001 through 10.xxx.xxx.004 behind it; a primary DNS and a secondary DNS are also shown.]
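The two NAT points above, as an added example that is not part of the original presentation: a toy NAT router is run in static (one-to-one) mode and in port-translation mode, and the same unsolicited probe from the Internet is sent to each. Static translation forwards it to the inside host; port translation drops it because no inside flow created a mapping. The last check shows why the slide warns about authentication schemes that cover the entire packet: a digest computed over the header before translation no longer matches after it. All addresses are constructed from the documentation ranges, with the inside host named after the slide's 10.xxx.xxx.002.

```python
import hashlib
from dataclasses import dataclass

# Constructed addresses (not real devices).
INTERNAL_HOST = "10.0.0.2"
STATIC_PUBLIC_IP = "203.0.113.2"   # 1:1 mapped to INTERNAL_HOST in static mode
SHARED_PUBLIC_IP = "203.0.113.1"   # single outside address in port-translation mode
OUTSIDE_HOST = "198.51.100.10"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Toy NAT box with two modes.
    'static': permanent one-to-one mapping public_ip <-> private_ip.
    'pat'   : port translation; mappings exist only for flows the inside
              started, keyed by the public port the router chose."""

    def __init__(self, mode, public_ip, static_map=None):
        self.mode = mode
        self.public_ip = public_ip
        self.static_map = static_map or {}   # public_ip -> private_ip
        self.sessions = {}                   # public_port -> (priv_ip, priv_port)
        self.next_public_port = 40000

    def outbound(self, pkt):
        """Translate a packet leaving the private network."""
        if self.mode == "static":
            public = next(pub for pub, priv in self.static_map.items()
                          if priv == pkt.src_ip)
            return Packet(public, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.next_public_port
        self.next_public_port += 1
        self.sessions[port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means dropped."""
        if self.mode == "static":
            private = self.static_map.get(pkt.dst_ip)
            if private is None:
                return None
            return Packet(pkt.src_ip, pkt.src_port, private, pkt.dst_port)
        entry = self.sessions.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None   # no inside flow asked for this: unsolicited, dropped
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])

def header_digest(pkt):
    """Stand-in for an authentication scheme that covers the whole packet
    header (the slide's 'verify integrity of the entire packet')."""
    fields = f"{pkt.src_ip}:{pkt.src_port}>{pkt.dst_ip}:{pkt.dst_port}"
    return hashlib.sha256(fields.encode()).hexdigest()

def static_nat_unsolicited():
    """With static NAT an outsider's probe reaches the inside host directly."""
    nat = NatRouter("static", STATIC_PUBLIC_IP, {STATIC_PUBLIC_IP: INTERNAL_HOST})
    probe = Packet(OUTSIDE_HOST, 4444, STATIC_PUBLIC_IP, 23)
    return nat.inbound(probe)

def pat_scenario():
    """With port translation only replies to inside-initiated flows get in."""
    nat = NatRouter("pat", SHARED_PUBLIC_IP)
    probe = Packet(OUTSIDE_HOST, 4444, SHARED_PUBLIC_IP, 23)
    dropped = nat.inbound(probe)
    original = Packet(INTERNAL_HOST, 3003, OUTSIDE_HOST, 80)
    translated = nat.outbound(original)
    reply = nat.inbound(Packet(OUTSIDE_HOST, 80, translated.src_ip, translated.src_port))
    integrity_ok = header_digest(original) == header_digest(translated)
    return dropped, translated, reply, integrity_ok

if __name__ == "__main__":
    print("static NAT delivers probe to:", static_nat_unsolicited())
    d, t, r, ok = pat_scenario()
    print("PAT drops probe:", d is None, "| reply reaches:", r,
          "| whole-packet integrity survives translation:", ok)
```

The model leaves out timers and the protocol/port tuple a real translation table keys on, but the property the slide cares about is visible: a static entry is reachable whether or not anyone inside asked for the traffic.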
Wiring/Hubs: Risks and Controls
Risk: Inability to track wiring problems
Control: Diagrams, labeling
Risk: Sniffing equipment, theft, inappropriate access to equipment
Control: Secure wiring concentrations (closets)
Risk: No redundant paths for backbone/WAN connections
Control: Redundant layer 1 path
Risk: Power surges
Control: Surge protectors or UPSs
Risk: Heat and water damage
Control: Design of locations that house equipment
Additional Server Risks and Controls
Risk: Legitimate network access can cause security problems. Example: Sun Telnet hack, Microsoft IIS hacks
Control: Install up-to-date patches; backup (OS, applications & database); password controls; file permissions; restrict privileges; logging; disable unnecessary services
Risk: Differences in server configurations
Control: Use consistent setup checklists and/or scripts for servers and user profiles
Dangerous Services to be Restricted
Zone Transfers           UDP & TCP 53
Link                     TCP 87
LPD                      TCP 515
BOOTP                    UDP 67
RPC                      TCP & UDP 111
NFS                      UDP 2049
TFTP                     UDP 69
SNMP                     UDP 161, 162
X-Windows                TCP 6000+
Finger                   UDP 79
Berkeley R-Commands      TCP 512-514
Windows Sharing          TCP 135-139, 445
Chargen, Discard, Echo   TCP/UDP 9, 19, 7
Block ICMP redirects
* Block internal addresses arriving from outside the network
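The service table above, together with the "Access Control Lists – filter through router" control and the TCP port 53 zone-transfer filter from the DNS slide, is what a border router's inbound filter enforces. The script below is an added example, not from the presentation: it encodes those ports as a filter, adds the two footnoted rules (drop ICMP redirects; drop packets that arrive from outside with an internal source address), and runs constructed sample traffic through it, producing the kind of log lines the earlier slide says should be streamed to a secured host. The internal address space (10.0.0.0/8) and the X-Windows range 6000-6063 are assumptions; the slide only says "TCP 6000+".

```python
import ipaddress
from dataclasses import dataclass

# Constructed internal address space (the slide's diagram shows 10.x.x.x hosts).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Ports transcribed from the slide's "Dangerous Services to be Restricted" list.
RESTRICTED_PORTS = {
    "tcp": {53, 87, 515, 111, 512, 513, 514, 135, 136, 137, 138, 139, 445, 9, 19, 7},
    "udp": {53, 67, 111, 2049, 69, 161, 162, 79, 9, 19, 7},
}
# The slide says "TCP 6000+" for X-Windows; this example assumes the usual
# display range 6000-6063.
X_DISPLAY_PORTS = range(6000, 6064)
ICMP_REDIRECT = 5  # ICMP type number for Redirect

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0             # destination port (tcp/udp)
    icmp_type: int = 0         # icmp only
    from_outside: bool = True  # arrived on the Internet-facing interface

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def filter_decision(pkt):
    """Apply the slide's filtering controls to one packet.
    Returns ("deny", reason) or ("permit", "")."""
    # Anti-spoofing: an internal source address cannot legitimately arrive
    # on the outside interface.
    if pkt.from_outside and is_internal(pkt.src):
        return "deny", "internal source address from outside (spoofing)"
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_REDIRECT:
        return "deny", "ICMP redirect"
    if pkt.from_outside and pkt.proto in RESTRICTED_PORTS:
        if pkt.dport in RESTRICTED_PORTS[pkt.proto]:
            return "deny", f"restricted service {pkt.proto}/{pkt.dport}"
        if pkt.proto == "tcp" and pkt.dport in X_DISPLAY_PORTS:
            return "deny", f"X-Windows display port tcp/{pkt.dport}"
    return "permit", ""

# Constructed traffic sample: an outside host probing an inside server, one
# legitimate web request, and one X session that stays inside the network.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "10.0.0.3", dport=53),       # zone transfer attempt
    Packet("udp", "198.51.100.7", "10.0.0.3", dport=161),      # SNMP from outside
    Packet("icmp", "198.51.100.7", "10.0.0.3", icmp_type=5),   # ICMP redirect
    Packet("tcp", "10.0.0.9", "10.0.0.3", dport=80),           # spoofed internal source
    Packet("tcp", "198.51.100.7", "10.0.0.3", dport=6001),     # X display port
    Packet("tcp", "198.51.100.7", "10.0.0.3", dport=80),       # ordinary web request
    Packet("tcp", "10.0.0.9", "10.0.0.3", dport=6001, from_outside=False),
]

def run_filter(packets):
    """Return one log line per packet, as a router would stream to a log host."""
    lines = []
    for p in packets:
        decision, reason = filter_decision(p)
        what = f"icmp type {p.icmp_type}" if p.proto == "icmp" else f"{p.proto}/{p.dport}"
        lines.append(f"{decision.upper():6} {p.src} -> {p.dst} {what}"
                     + (f" ({reason})" if reason else ""))
    return lines

def deny_count(packets):
    return sum(1 for p in packets if filter_decision(p)[0] == "deny")

if __name__ == "__main__":
    for line in run_filter(SAMPLE_PACKETS):
        print(line)
```

Rule order matters: the spoofing check runs first so that a forged internal source is logged as spoofing rather than as a port hit, and the port rules apply only to traffic from the outside interface, which is why the internal X session in the sample is permitted.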
Workstation Risks and Controls
Risk: Trojan horses: key capture, sniffers, remote control
Control: BOClean, up-to-date virus software (for detection)
Risk: Viruses
Control: Virus software up to date
Risk: Modem line exposures
Control: Policy, inventory, standardization, dial-in servers, unique id & complex passwords, wardial company #s
Encryption
• Examine encryption practices
• Determine where the traffic is the most exposed – going out on the Internet, between business partners…
• Look for controls like compartmentalization & VLANs to reduce internal exposure
• Use encrypted methods like SNMP v.2 and CHAP v.2 to communicate with network devices
• Consider testing encryption controls with a sniffer
Sniffed PPP Connection in Clear Text
[Figure: screen capture of a sniffed PPP connection; image not reproduced in this text]
Areas of a TCP/IP Infrastructure Audit: Why Examine Network Infrastructure
• Rarely examined
• Large investment
• Basis for most technology – the “common denominator”
• Connects to the world
• Lost revenue on e-commerce
• Susceptible to denial of service attacks
Areas of a TCP/IP Infrastructure Audit: Recommended Objectives
• Continuity (consistent reliability and availability of the system: back-up and ability to recover)
• Management and maintenance (additions, change procedures, upgrades, and documentation)
• Security (appropriate physical and logical access to network devices and hosts)
Auditing TCP/IP Infrastructure
• Review network policies and procedures
• Review network diagrams (layer 1 & 2), design, and walk-through, list of network equipment and IP address list
• Verify diagrams with Ping and Trace Route
• Review utilization, trouble reports & helpdesk procedures
• Probe systems (Netscan tools and Portscanner)
• Interview network vendors, users, and network technicians
• Review software settings on network equipment
• Inspect computer room and network locations
• Evaluate back-up and operational procedures
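The "verify diagrams with Ping and Trace Route" step above, as an added example that is not part of the presentation: the auditor already holds the IP address list and diagram from the previous step, so the check is to reconcile them with what the tools report. The script parses a constructed ping-sweep result and a constructed traceroute listing (Unix traceroute output format), then reports hosts that answer but are not on the list, listed hosts that do not answer, hops that are not on the documented path, and hops that stayed silent. The documented inventory, the path and all addresses are invented from the documentation ranges; the hypothetical "<ip> is alive" sweep format is an assumption of this example.

```python
import re

# Constructed audit inputs: what the diagram and IP address list say.
DOCUMENTED_HOSTS = {
    "192.0.2.1": "core router, LAN side",
    "192.0.2.10": "file server",
    "192.0.2.20": "print server",
}
DOCUMENTED_PATH_TO_ISP = ["192.0.2.1", "203.0.113.9", "198.51.100.10"]

# Constructed ping-sweep output, one "<ip> is alive" line per responding host.
PING_SWEEP_OUTPUT = """\
192.0.2.1 is alive
192.0.2.10 is alive
192.0.2.77 is alive
192.0.2.254 is alive
"""

# Constructed traceroute output in the usual Unix format.
TRACEROUTE_OUTPUT = """\
traceroute to 198.51.100.10 (198.51.100.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.412 ms  0.380 ms  0.351 ms
 2  192.0.2.254 (192.0.2.254)  1.204 ms  1.133 ms  1.090 ms
 3  203.0.113.9 (203.0.113.9)  8.512 ms  8.701 ms  8.377 ms
 4  * * *
 5  198.51.100.10 (198.51.100.10)  20.110 ms  19.902 ms  20.331 ms
"""

ALIVE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) is alive$")
# hop number, then either "name (ip)" or a bare "*" for a silent hop
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\((\d+\.\d+\.\d+\.\d+)\)|\*)")

def parse_ping_sweep(text):
    """Set of addresses that answered the sweep."""
    return {m.group(1) for m in map(ALIVE_RE.match, text.splitlines()) if m}

def parse_traceroute(text):
    """Return [(hop_number, ip_or_None)]; None marks a hop that did not answer."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops

def reconcile(documented_hosts, alive, documented_path, hops):
    """Compare discovery results with the documented inventory and path."""
    seen_path = [ip for _, ip in hops if ip]
    return {
        "undocumented_hosts": sorted(alive - set(documented_hosts)),
        "missing_hosts": sorted(set(documented_hosts) - alive),
        "undocumented_hops": [ip for ip in seen_path if ip not in documented_path],
        "silent_hops": [n for n, ip in hops if ip is None],
        "path_matches_diagram": seen_path == documented_path,
    }

def audit_discovery():
    return reconcile(DOCUMENTED_HOSTS, parse_ping_sweep(PING_SWEEP_OUTPUT),
                     DOCUMENTED_PATH_TO_ISP, parse_traceroute(TRACEROUTE_OUTPUT))

if __name__ == "__main__":
    for key, value in audit_discovery().items():
        print(f"{key:22}: {value}")
```

In the sample, 192.0.2.254 both answers the sweep and appears as a hop on the way out, so an undocumented device is forwarding traffic; that is exactly the kind of finding that sends the auditor back to the diagram and the equipment list.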
Conclusion
• Identify the paths and equipment used to navigate the network
• Identify TCP/IP infrastructure areas of concern
• Break into manageable pieces
• Every network is different, and the components and risks must be fully understood
• Identify risks and prioritize
• Dedicate more upfront planning
• RELAX !! It’s not that bad !
Additional Information
• Presentation located online at URL: http://www.vcu.edu/iaweb/iam_welc.html
• Contact information: dmlitton@vcu.edu, (804) 828-9248
