Security: Defense In Depth

Prepared by: Intesar G Ali - IT Department, Palestinian Land Authority


Page 1: Security: Defense In Depth

Page 2: The layers of defense in depth are

Data. An attacker's ultimate target, including your databases, Active Directory service information, documents, and so on.

Application. The software that manipulates the data that is the ultimate target of attack.

Host. The computers that are running the applications.

Internal Network. The network in the corporate IT infrastructure.

Perimeter (DMZ). The network that connects the corporate IT infrastructure to another network, such as to external users, partners, or the Internet.

Physical. The tangible aspects in computing: the server computers, hard disks, network switches, power, and so on.

Policies, Procedures, Awareness. The overall governing principles of the security strategy of any organization. Without this layer, the entire strategy fails.

Page 3: Layer 1: Data Defenses

Business data is one of the most valuable resources in many organizations. If data were to be damaged, lost, or exposed to competitors, many organizations would be adversely affected.

Data is an attacker's ultimate target, including your databases, Active Directory service information, documents, ...

Data can be protected through the use of:

• Access control lists (ACLs) on files and folders.
• Encryption.
• An effective backup and restore strategy.

Page 4: Layer 2: Application Defenses

The application security layer controls access to sensitive information and represents your company's digital presence in the world. It includes your web servers, email, e-commerce, internet services and voice.

Applications can be protected through the use of:

• Authentication
• Authorization
• Password Policy

You should restrict access to each application so that only authorized users can browse them.

You should configure permissions on the files and folders where the content exists as restrictively as possible.

All of the hard work that your IT team undertakes to protect your information systems at the perimeter, network, and host layers could be easily bypassed if your organization's internally developed applications are easily compromised by malicious users.

Page 5: Layer 2: Application Defenses

Server applications have the potential to be compromised by several different methods, including:

Denial-of-service attacks: an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer.

Directory traversal attacks: an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

Buffer overflow attacks: a buffer overflow occurs when a program or process tries to store more data in a buffer than it was intended to hold; the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer.

SQL injection: an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Always validate user input by testing type, length, format, and range.

SELECT * FROM OrdersTable WHERE ShipCity = 'Nablus';drop table OrdersTable--'

Poorly configured network applications that expose data to unauthorized users.

Password guessing attacks.
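The ShipCity example above, worked in code (an added example, not from the original deck): the concatenated query the slide shows beside a parameterized query with the type/length/format/range validation the slide recommends. It assumes an in-memory SQLite database standing in for SQL Server; the OrdersTable schema and its rows are constructed here.

```python
"""Concatenated vs. parameterized SQL for the ShipCity lookup on the slide.

Added example, not from the original deck. SQLite stands in for the SQL
Server instance the slide mentions; the OrdersTable schema and rows below
are constructed for illustration.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a minimal OrdersTable with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (OrderId INTEGER, ShipCity TEXT)")
    conn.executemany(
        "INSERT INTO OrdersTable VALUES (?, ?)",
        [(1, "Nablus"), (2, "Ramallah")],
    )
    conn.commit()
    return conn


def build_query_unsafe(ship_city: str) -> str:
    """String concatenation: the user's text becomes part of the SQL.

    With the slide's input  Nablus';drop table OrdersTable--  the result is
    the two-statement string shown on the slide. It is only built here,
    never executed.
    """
    return f"SELECT * FROM OrdersTable WHERE ShipCity = '{ship_city}';"


# Format rule for a city name: letters, spaces, apostrophes and hyphens.
# An apostrophe is allowed on purpose (real place names contain them); with
# parameter binding it is harmless.
CITY_RE = re.compile(r"^[A-Za-z][A-Za-z' \-]{0,49}$")


def validate_city(value: object) -> bool:
    """Validate by type, length/range and format, as the slide recommends."""
    if not isinstance(value, str):              # type
        return False
    if not 1 <= len(value) <= 50:               # length / range
        return False
    return CITY_RE.fullmatch(value) is not None  # format


def orders_by_city(conn: sqlite3.Connection, ship_city: str) -> list:
    """Validated input plus a parameterized query: the value is bound as data."""
    if not validate_city(ship_city):
        raise ValueError("invalid ShipCity")
    cur = conn.execute(
        "SELECT OrderId, ShipCity FROM OrdersTable WHERE ShipCity = ?",
        (ship_city,),
    )
    return cur.fetchall()


def lookup_bound_only(conn: sqlite3.Connection, value: str) -> list:
    """Binding without validation: still no injection, the payload just matches no row."""
    cur = conn.execute(
        "SELECT OrderId, ShipCity FROM OrdersTable WHERE ShipCity = ?", (value,)
    )
    return cur.fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Used to confirm the injection payload did not drop the table."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None
```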

Page 6: Layer 3 - Host Defenses

Host. The computers that are running the applications: clients and servers.

Hosts can be protected through the use of:

• Operating system hardening
• Antivirus: antivirus software is installed and up-to-date
• Distributed firewall: a distributed firewall is installed
• Patch management: patches are kept up-to-date
• Effective auditing

Operating system hardening

Most current operating systems, such as Windows 2000, Windows XP, and Windows Server 2003, include security features at their core, including:

• unique names and passwords for each user,
• access control lists,
• auditing.

Legacy Microsoft operating systems, such as Windows 95, 98, and ME, were designed for use on small networks and for home users; they should not be present on your organization's network. Replace them with computers running Windows XP.

Page 7: Layer 3 - Host Defenses

Antivirus. Antivirus software protects computer systems from hostile code such as computer viruses, Trojans, and worms.

• Symantec
• McAfee Security

Distributed Firewall. A distributed firewall can help prevent attackers and network worms from compromising your client and server systems, and protects computers from spyware and Trojan horses.

Distributed firewalls are software firewalls installed on each individual system.

Page 8: Layer 3 - Host Defenses

Patch Management. Patch management consists of the tools, utilities, and processes for keeping computers current with new software updates that are developed after a software product is released.

As part of maintaining a secure environment, organizations should apply software updates; there are technologies that help to automate the process, such as:

• Microsoft Systems Management Server,
• Windows Software Update Services,
• Microsoft Software Update Services.

Ensure that patches are kept up-to-date.

Page 9: Layer 3 - Host Defenses

Microsoft strongly recommends the use of group policy as a way to distribute security settings to clients and servers.

Settings that can be managed through group policies include: account lockout policies, password policies, security options, Internet Explorer security settings, and Office macro security settings.

Microsoft also recommends that organizations give their users the minimum privileges that they need to perform their job functions.

Users with administrative rights may be able to bypass many of the security countermeasures you put in place.

Page 10: Layer 4 - Network Defenses

A network segment consists of two or more devices that communicate with each other on the same physical or logical section of the network.

If the segments are logical, they are referred to as virtual local area networks (VLANs).

LANs are created by connecting either multiple network hosts or multiple network segments using the appropriate network devices.

Database servers and domain controllers should be on a private network that is invisible from the outside.

Domain users should not be assigned local administrator access, to avoid any unwanted software deletion or installation.

An edge firewall, such as ISA, between the internal and external (Internet) networks is the best possible security measure to detect and eliminate possible security breaches in the network.

Page 11: Layer 4 - Network Defenses: How to secure the network

Access to the Internet must be restricted.

An SMTP protection filter must be applied as well.

Sites containing malware and spyware must be blocked.

There must be a SUS (Software Update Server) implemented in the network, which will ensure the smooth installation of automatic security updates across the network.

To protect from external threats, firewall software must be installed on each network node to filter malicious code attacks on each node.

A high performance router or a PC with a software firewall can detect these breaches and resolve them.

Page 12: Layer 4 - Network Defenses

Organizations can take a number of steps to protect their internal network by:

• securing wireless LANs,
• Internet Protocol Security (IPSec),
• network segmentation.

Securing Wireless LANs

Many organizations have tested the use of wireless LANs (WLANs), but their poor security record has kept a large number of organizations from deploying WLANs.

Securing a WLAN requires a RADIUS (Remote Authentication Dial-In User Service) infrastructure and a Public Key Infrastructure (PKI).

Page 13: Layer 4 - Network Defenses

IPSec: Internet Protocol Security

IPSec protects networks from active and passive attacks by securing IP packets through the use of:

• Packet filtering.
• Encryption.
• Enforcement of trusted communication.

IPSec is useful in host-to-host, VPN, site-to-site and secure server scenarios.

IPSec can be managed by using Group Policy or scripted by using command-line tools.

By using IPSec we can ensure that only specific machines, all using the same encryption key, can talk to one another. We can also ensure that machines without this key are not allowed to talk to machines with it.

This allows us to isolate trusted domain member computers from untrusted devices at the network level. It also allows trusted domain members to restrict inbound network access to a specific group of domain member computers.

Page 14: IPSec: Internet Protocol Security

One way to secure the network is by restricting who can talk to whom.

IPSec is simply a mechanism that allows operating systems to talk securely through an encrypted channel.

IPsec is a protocol for securing IP communications by authenticating and encrypting each IP packet of a communication session.

IPSec has essentially two modes:

• Transport Mode, which is used for host-to-host communications: only the payload (the data you transfer) of the IP packet is usually encrypted and/or authenticated.
• Tunnel Mode, which is used for portal-to-portal connections: the entire IP packet is encrypted and/or authenticated.

Tunnel mode is used to create virtual private networks for network-to-network communications, host-to-network communications (e.g. remote user access), and host-to-host communications (e.g. private chat).

Page 15: IPSec protocols

There are two IPSec protocols:

1. Authentication Header (AH)
2. Encapsulating Security Payload (ESP)

Authentication Header (AH). AH uses digital signatures to accomplish two goals:

• It ensures that data is not altered while in transit.
• It ensures that systems only communicate with other authorized systems.

The data is readable and it is protected from modification. AH usually has a minimal effect on overall system performance.

Encapsulating Security Payload (ESP). ESP also uses digital signatures to ensure data integrity and authentication, and it also provides confidentiality by encrypting the data portion of each network packet.

By itself, ESP does not ensure the integrity of the IP header. To protect the entire packet, you have to combine ESP with AH.

ESP can have a noticeable impact on system performance, especially on systems that use the network extensively. Organizations should select AH, ESP, or both based on their particular requirements.
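The AH/ESP difference above, modelled in code (an added example, not from the original deck): a simplified packet where AH's integrity check covers the IP header (with the mutable TTL zeroed) plus the payload, while ESP's covers only its own header and the encrypted payload, so a destination address changed in transit is caught by AH but not by ESP alone. The packet layout, the HMAC-SHA256 integrity check and the toy SHA-256 keystream standing in for ESP's encryption are assumptions for illustration, not real IPSec wire formats.

```python
"""AH vs. ESP coverage, modelled on the protocol split described on the slide.

Added example, not from the original deck. A deliberately simplified model:
the "packet" is a dict, the cipher is a toy SHA-256 keystream standing in
for ESP's real encryption, and the integrity check value (ICV) is
HMAC-SHA256. It exists to show one point from the slide: ESP's integrity
check does not cover the IP header, AH's does.
"""
import hashlib
import hmac
from typing import Optional

KEY_AUTH = b"constructed-auth-key"   # constructed demo keys, not real SA material
KEY_ENC = b"constructed-enc-key"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||nonce||counter. Not real ESP crypto."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _header_bytes(pkt: dict, zero_mutable: bool) -> bytes:
    """Serialise the IP header; AH zeroes mutable fields (TTL) before hashing."""
    ttl = 0 if zero_mutable else pkt["ttl"]
    return f'{pkt["src"]}|{pkt["dst"]}|{ttl}'.encode()


# Authentication Header: ICV over the immutable IP header fields and the payload.
def ah_protect(pkt: dict) -> dict:
    covered = _header_bytes(pkt, zero_mutable=True) + pkt["payload"]
    icv = hmac.new(KEY_AUTH, covered, hashlib.sha256).digest()
    return {**pkt, "ah_icv": icv}


def ah_verify(pkt: dict) -> bool:
    covered = _header_bytes(pkt, zero_mutable=True) + pkt["payload"]
    expected = hmac.new(KEY_AUTH, covered, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["ah_icv"])


# Encapsulating Security Payload: encrypt the payload; ICV over the ESP header
# (here just the nonce) and the ciphertext. The IP header is NOT covered.
def esp_protect(pkt: dict, nonce: bytes) -> dict:
    ct = _xor(pkt["payload"], _keystream(KEY_ENC, nonce, len(pkt["payload"])))
    icv = hmac.new(KEY_AUTH, nonce + ct, hashlib.sha256).digest()
    return {"src": pkt["src"], "dst": pkt["dst"], "ttl": pkt["ttl"],
            "esp_nonce": nonce, "esp_ct": ct, "esp_icv": icv}


def esp_verify_and_decrypt(pkt: dict) -> Optional[bytes]:
    """Return the plaintext payload, or None if the ESP ICV does not match."""
    expected = hmac.new(KEY_AUTH, pkt["esp_nonce"] + pkt["esp_ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt["esp_icv"]):
        return None
    return _xor(pkt["esp_ct"], _keystream(KEY_ENC, pkt["esp_nonce"], len(pkt["esp_ct"])))


def demo() -> dict:
    """Change the destination address in transit and see which protocol notices."""
    original = {"src": "10.0.0.5", "dst": "10.0.0.9", "ttl": 64, "payload": b"GET /deeds"}
    ah_pkt = ah_protect(original)
    esp_pkt = esp_protect(original, nonce=b"\x00" * 8)

    ah_redirected = {**ah_pkt, "dst": "10.0.0.66"}   # header rewritten on the path
    esp_redirected = {**esp_pkt, "dst": "10.0.0.66"}
    ah_ttl_changed = {**ah_pkt, "ttl": 63}           # a router decremented the TTL
    last = esp_pkt["esp_ct"][-1] ^ 0xFF               # flip bits in the ciphertext
    esp_tampered = {**esp_pkt, "esp_ct": esp_pkt["esp_ct"][:-1] + bytes([last])}

    return {
        "ah_ok": ah_verify(ah_pkt),
        "ah_ttl_hop_ok": ah_verify(ah_ttl_changed),
        "ah_detects_header_change": not ah_verify(ah_redirected),
        "esp_ok": esp_verify_and_decrypt(esp_pkt) == b"GET /deeds",
        "esp_misses_header_change": esp_verify_and_decrypt(esp_redirected) == b"GET /deeds",
        "esp_detects_payload_change": esp_verify_and_decrypt(esp_tampered) is None,
    }
```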

Page 16: Layer 5 - Perimeter (DMZ) Defenses

DMZ stands for DeMilitarized Zone.

DMZ: "A network added between a protected network and an external network in order to provide an additional layer of security."

Any service that is being provided to users on the external network can be placed in the network perimeter:

• Web servers
• E-mail servers
• DNS servers

If you are running a Web server on your LAN, put it on a DMZ. If your router doesn't have a DMZ, get a new router.

Properly configured firewalls and border routers are the cornerstone of perimeter security.

Network Access Quarantine Control, a new feature in the Microsoft Windows Server 2003 family, helps reduce the risk of infection from mobile systems by delaying normal remote access to a private network until the configuration of the remote access client has been examined and validated by an administrator-provided script.

Personal Firewalls for Remote Laptops

Traditional packet-filtering firewalls are great at blocking network ports and computer addresses.

Page 17: Single firewall

A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ.

The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface.

The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network.

Page 18: Dual firewalls

A more secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network.

Some recommend that the two firewalls be provided by two different vendors. If an attacker manages to break through the first firewall, it will take more time to break through the second one if it is made by a different vendor. (This architecture is, of course, more costly.)

Page 19: Network Security Password Policy

Passwords should include non-alphanumeric characters, such as - @ # $.

Passwords should not be dictionary words.

They should be completely random in their composition. Family names, pet names and so on are definitely out.

Automatic password generators can be implemented to avoid staff thinking up easy-to-hack passwords.

Passwords should expire; the shorter the expiry time the better.

Users should not be allowed to use the same password twice within a given period of time.

A minimum acceptable length of a password should also be set. The longer the password, the harder it is to crack.
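The password rules above as a checker (an added example, not from the original deck): minimum length, at least one non-alphanumeric character, no dictionary or family/pet names, expiry, and no reuse within a window, plus a generator for the "automatic password generator" point. The policy numbers, the tiny dictionary and the PBKDF2-hashed history are assumptions chosen for illustration.

```python
"""Password-policy checks implementing the rules listed on the slide.

Added example, not from the original deck. The policy numbers (minimum
length, expiry, reuse window), the tiny dictionary and the sample history
are constructed for illustration; the history stores PBKDF2 hashes from the
standard library, never plaintext passwords.
"""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

SYMBOLS = "-@#$%&*!?"   # the slide's "non alphanumeric characters, such as - @#$"


@dataclass
class Policy:
    min_length: int = 12          # "a minimum acceptable length ... should be set"
    max_age_days: int = 90        # "passwords should expire"
    reuse_window_days: int = 365  # "not ... the same password twice within a given period"
    # Constructed stand-in for a real dictionary wordlist.
    dictionary: frozenset = frozenset({"password", "welcome", "nablus", "summer", "admin"})


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    set_at: datetime


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def _matches(pw: str, entry: HistoryEntry) -> bool:
    return hmac.compare_digest(_hash(pw, entry.salt), entry.digest)


def violations(pw: str, policy: Policy, history: list, now: datetime,
               personal_names: frozenset = frozenset()) -> list:
    """Return every rule the candidate password breaks (empty list = accepted)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too short")
    if not any(ch in SYMBOLS for ch in pw):
        problems.append("no non-alphanumeric character")
    # Dictionary check on the alphabetic core, so "summer2011#" still fails.
    # (A fuller checker would also undo l33t substitutions; kept simple here.)
    core = "".join(ch for ch in pw.lower() if ch.isalpha())
    if core in policy.dictionary:
        problems.append("dictionary word")
    if any(name in pw.lower() for name in personal_names):
        problems.append("contains a family or pet name")
    for entry in history:
        in_window = now - entry.set_at <= timedelta(days=policy.reuse_window_days)
        if in_window and _matches(pw, entry):
            problems.append("reused within the reuse window")
            break
    return problems


def is_expired(entry: HistoryEntry, policy: Policy, now: datetime) -> bool:
    """Expiry rule: the current password must be changed after max_age_days."""
    return now - entry.set_at > timedelta(days=policy.max_age_days)


def record(pw: str, now: datetime) -> HistoryEntry:
    """Store a salted hash of an accepted password for later reuse checks."""
    salt = os.urandom(16)
    return HistoryEntry(salt, _hash(pw, salt), now)


def generate(length: int = 16) -> str:
    """Automatic generator: random letters, digits and symbols, at least one symbol."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(ch in SYMBOLS for ch in pw):
            return pw
```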

Page 20: Layer 6: Physical Security

Is the alarm system adequate? Is there enough control over who comes or goes from the building? Is the server room secure?

Physical access to the computer will give a data thief the opportunity to disable passwords. Servers should be kept in a secure environment where only certain personnel have access. A solid brick room with a "strong room" type door is recommended.

Are there gates, guards, video, guns?

Page 21: Layer 7: Policies, Procedures, and Awareness

Policies, Procedures, Awareness. The overall governing principles of the security strategy of any organization. Without this layer, the entire strategy fails.

Good written security policies and practices. Most important of all, it's about actually enforcing the policies you create. Train all employees.

Page 22: Thank You

Date: 27-4-2011