
Security: Defense In Depth
Prepared by: Intesar G Ali - IT Department Palestinian Land Authority


1 Security: Defense In Depth

2 The layers of defense in depth are:
- Data. An attacker's ultimate target, including your databases, Active Directory service information, documents, and so on.
- Application. The software that manipulates the data that is the ultimate target of attack.
- Host. The computers that are running the applications.
- Internal Network. The network in the corporate IT infrastructure.
- Perimeter (DMZ). The network that connects the corporate IT infrastructure to another network, such as to external users, partners, or the Internet.
- Physical. The tangible aspects in computing: the server computers, hard disks, network switches, power, and so on.
- Policies, Procedures, Awareness. The overall governing principles of the security strategy of any organization. Without this layer, the entire strategy fails.

3 Layer 1: Data Defenses
Business data is one of the most valuable resources in many organizations. If data were to be
- damaged,
- lost,
- exposed to competitors,
many organizations would be adversely affected.
Data is an attacker's ultimate target, including your databases, Active Directory service information, documents, ...
Data can be protected through the use of:
- Access control lists (ACLs) on files and folders.
- Encryption.
- An effective backup and restore strategy.

4 Layer 2: Application Defenses
The application security layer controls access to sensitive information and represents your company's digital presence in the world. It includes your web servers, , e-commerce, internet services and voice.
Applications can be protected through the use of:
- Authentication
- Authorization
- Password policy
You should restrict access to each application so that only authorized users can browse them.
You should configure permissions on the files and folders where the content exists as restrictively as possible.
All of the hard work that your IT team undertakes to protect your information systems at the perimeter, network, and host layers could be easily bypassed if your organization's internally developed applications are easily compromised by malicious users.

5 Layer 2: Application Defenses
Server applications have the potential to be compromised by several different methods, including:
- Denial-of-service attacks: an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing , websites, online accounts (banking, etc.), or other services that rely on the affected computer.
- Directory traversal attacks: an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
- Buffer overflow attacks: a buffer overflow occurs when a program or process tries to store more data in a buffer than it was intended to hold. The extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer.
- SQL injection: an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Always validate user input by testing type, length, format, and range.
  SELECT * FROM OrdersTable WHERE ShipCity = 'Nablus';drop table OrdersTable--'
- Poorly configured network applications that expose data to unauthorized users.
- Password guessing attacks.
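
The SQL injection case on this slide, as an added example that is not part of the original presentation: the concatenated query next to input validation plus a bound parameter. Python's sqlite3 stands in for SQL Server, executescript() models a driver that runs batched statements, and the sample rows and the validate_city() rules are assumptions.

```python
import re
import sqlite3

# The user input that produces the query shown on the slide.
PAYLOAD = "Nablus';drop table OrdersTable--"

def make_db():
    """In-memory database; table and column names follow the slide, rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (OrderId INTEGER, ShipCity TEXT)")
    conn.executemany("INSERT INTO OrdersTable VALUES (?, ?)",
                     [(1, "Nablus"), (2, "Ramallah")])
    conn.commit()
    return conn

def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'OrdersTable'"
    ).fetchone()
    return row is not None

def build_unsafe_query(ship_city):
    # Vulnerable pattern: user input becomes part of the SQL text.
    return "SELECT * FROM OrdersTable WHERE ShipCity = '" + ship_city + "'"

def run_unsafe(conn, ship_city):
    # executescript() runs every statement in the string, like a batch
    # sent to SQL Server; the trailing "--" comments out the last quote.
    conn.executescript(build_unsafe_query(ship_city))

MAX_CITY_LEN = 40                                   # assumed limit
CITY_FORMAT = re.compile(r"[A-Za-z][A-Za-z .-]*")   # assumed format

def validate_city(value):
    """Type, length and format checks (a free-text city has no numeric range)."""
    if not isinstance(value, str):
        raise ValueError("ShipCity must be a string")
    if not 1 <= len(value) <= MAX_CITY_LEN:
        raise ValueError("ShipCity length out of bounds")
    if not CITY_FORMAT.fullmatch(value):
        raise ValueError("ShipCity contains unexpected characters")
    return value

def query_parameterized(conn, ship_city):
    # The value is bound as data and never parsed as SQL.
    return conn.execute(
        "SELECT OrderId, ShipCity FROM OrdersTable WHERE ShipCity = ?",
        (ship_city,),
    ).fetchall()

def query_safe(conn, ship_city):
    # Validation first, bound parameter second: two independent layers.
    return query_parameterized(conn, validate_city(ship_city))

if __name__ == "__main__":
    db = make_db()
    run_unsafe(db, PAYLOAD)
    print("table survives concatenated query:", table_exists(db))
    db = make_db()
    print("rows for bound payload:", query_parameterized(db, PAYLOAD))
    print("table survives bound parameter:", table_exists(db))
```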

6 Layer 3 - Host Defenses
Host. The computers that are running the applications: clients and servers.
Hosts can be protected through the use of:
- Operating system hardening.
- Antivirus: antivirus software is installed and up to date.
- Distributed firewall: a distributed firewall is installed.
- Patch management: patches are kept up to date.
- Effective auditing.
Operating system hardening
Most current operating systems, such as Windows 2000, Windows XP, and Windows Server 2003, include security features at their core, including
- unique names and passwords for each user,
- access control lists,
- auditing.
Legacy Microsoft operating systems, such as Windows 95, 98, and ME, were designed for use on small networks and for home users; they should not be present on your organization's network. Replace them with computers running Windows XP.

7 Layer 3 - Host Defenses
Antivirus
Antivirus software protects computer systems from hostile code such as computer viruses, Trojans, and worms.
- Symantec
- McAfee Security
Distributed Firewall
- Can help prevent attackers and network worms from compromising your client and server systems, and protects computers from spyware and Trojan horses.
- Distributed firewalls are software firewalls installed on each individual system.

8 Layer 3 - Host Defenses
Patch Management
Patch management consists of the tools, utilities, and processes for keeping computers current with new software updates that are developed after a software product is released.
As part of maintaining a secure environment, organizations should be applying software updates; there are technologies that help to automate the processes, such as:
- Microsoft Systems Management Server,
- Windows Software Update Services,
- Microsoft Software Update Services.
Ensure that patches are kept up to date.

9 Layer 3 - Host Defenses
Microsoft strongly recommends the use of group policy as a way to distribute security settings to clients and servers.
Settings that can be managed through group policies include:
- account lockout policies,
- password policies,
- security options,
- Internet Explorer security settings,
- Office macro security settings.
Microsoft also recommends that organizations give their users the minimum privileges that they need to perform their job functions.
Users with administrative rights may be able to bypass many of the security countermeasures you put in place.

10 Layer 4 - Network Defenses
- A network segment consists of two or more devices that communicate with each other on the same physical or logical section of the network.
- If the segments are logical, they are referred to as virtual local area networks (VLANs).
- LANs are created by connecting either multiple network hosts or multiple network segments using the appropriate network devices.
- Database servers and domain controllers should be on a private network that is invisible from the outside.
- Domain users should not be assigned local administrator access, to avoid any unwanted software deletion or installation.
- An edge firewall (ISA) between the internal and external (Internet) networks is a best possible security measure to detect and eliminate possible security breaches in the network.

11 Layer 4 - Network Defenses
HOW TO SECURE NETWORK
- Access to the Internet must be restricted.
- An SMTP protection filter must be applied as well.
- Sites containing malware and spyware must be blocked.
- There must be a SUS (Software Update Server) implemented in the network, which will ensure the smooth installation of automatic security updates across the network.
- To protect from external threats, firewall software must be installed on each network node to filter malicious code attacks on each node.
- A high-performance router or a PC with a software firewall can detect these breaches and resolve them.

12 Layer 4 - Network Defenses
Organizations can take a number of steps to protect their internal network by:
- securing wireless LANs,
- Internet Protocol Security (IPSec),
- network segmentation.
Securing Wireless LANs
- Many organizations have tested the use of wireless LANs (WLANs), but their poor security record has kept a large number of organizations from deploying WLANs.
- Requires a RADIUS (Remote Authentication Dial-In User Service) infrastructure and a Public Key Infrastructure (PKI).

13 Layer 4 - Network Defenses
IPSec: Internet Protocol Security
IPSec protects networks from active and passive attacks by securing IP packets through the use of:
- Packet filtering.
- Encryption.
- Enforcement of trusted communication.
IPSec is useful in host-to-host, VPN, site-to-site and secure server scenarios.
IPSec can be managed by using Group Policy or scripted by using command-line tools.
By using IPSec we can ensure that only specific machines, all using the same encryption key, can talk to one another. We can also ensure that machines without this key are not allowed to talk to machines with it. This allows us to isolate trusted domain member computers from untrusted devices at the network level. It also allows trusted domain members to restrict inbound network access to a specific group of domain member computers.

14 IPSec: Internet Protocol Security
A way to secure the network is by restricting who can talk to whom.
IPSec is simply a mechanism that allows operating systems to talk securely through an encrypted channel. IPsec is a protocol for securing IP communications by authenticating and encrypting each IP packet of a communication session.
IPSec has essentially two modes:
- Transport Mode, which is used for host-to-host communications. Only the payload (the data you transfer) of the IP packet is usually encrypted and/or authenticated.
- Tunnel Mode, which is used for portal-to-portal connections. The entire IP packet is encrypted and/or authenticated.
Tunnel mode is used to create virtual private networks for:
- network-to-network communications,
- host-to-network communications (e.g. remote user access),
- host-to-host communications (e.g. private chat).

15 IPSec protocols
There are two IPSec protocols:
1. Authentication Header (AH)
2. Encapsulating Security Payload (ESP)
Authentication Header (AH)
AH uses digital signatures to accomplish two goals:
- It ensures that data is not altered while in transit.
- It ensures that systems only communicate with other authorized systems.
The data is readable and it is protected from modification.
AH usually has a minimal effect on overall system performance.
Encapsulating Security Payload (ESP)
ESP also uses digital signatures to ensure data integrity and authentication, and it also provides confidentiality by encrypting the data portion of each network packet.
By itself, ESP does not ensure the integrity of the IP header.
To protect the entire packet, you have to combine ESP with AH.
ESP can have a noticeable impact on system performance, especially on systems that use the network extensively. Organizations should select AH, ESP, or both based on their particular requirements.
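
The difference in integrity coverage between AH and ESP described on this slide, as an added example that is not part of the original presentation. It is a simplified model: HMAC-SHA256 stands in for the integrity check, ESP encryption is left out, and the packet fields, addresses and key are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-shared-key-for-demo"  # constructed; not a real key

@dataclass(frozen=True)
class Packet:
    src: str          # IP header: source address
    dst: str          # IP header: destination address
    ttl: int          # IP header: changes at every router hop
    payload: bytes    # the data portion of the packet
    icv: bytes = b""  # integrity check value added by AH or ESP

def _mac(*fields: bytes) -> bytes:
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for field in fields:
        # Length-prefix each field so boundaries cannot be shifted.
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()

def compute_icv(pkt: Packet, protocol: str) -> bytes:
    if protocol == "AH":
        # AH covers the header fields that do not change in transit
        # plus the payload; TTL is excluded because routers modify it.
        return _mac(pkt.src.encode(), pkt.dst.encode(), pkt.payload)
    if protocol == "ESP":
        # ESP covers only what it carries, not the IP header in front of it.
        return _mac(pkt.payload)
    raise ValueError("protocol must be 'AH' or 'ESP'")

def protect(pkt: Packet, protocol: str) -> Packet:
    return replace(pkt, icv=compute_icv(pkt, protocol))

def verify(pkt: Packet, protocol: str) -> bool:
    return hmac.compare_digest(compute_icv(pkt, protocol), pkt.icv)

def tamper_results(protocol: str) -> dict:
    """Apply three in-transit changes and report which ones pass verification."""
    sent = protect(Packet("10.0.0.5", "10.0.0.9", 64, b"order 1: ship to Nablus"), protocol)
    return {
        "unchanged": verify(sent, protocol),
        "ttl_decremented": verify(replace(sent, ttl=63), protocol),
        "source_rewritten": verify(replace(sent, src="10.0.0.66"), protocol),
        "payload_altered": verify(replace(sent, payload=b"order 1: ship to Jenin"), protocol),
    }

if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(proto, tamper_results(proto))
```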

16 Layer 5 - Perimeter (DMZ) Defenses
DMZ stands for DeMilitarized Zone.
DMZ: a network added between a protected network and an external network in order to provide an additional layer of security.
Any service that is being provided to users on the external network can be placed in the network perimeter:
- Web Servers
- Servers
- DNS Servers
If you are running a Web server on your LAN, put it on a DMZ. If your router doesn't have a DMZ, get a new router.
Properly configured firewalls and border routers are the cornerstone for perimeter security.
Network Access Quarantine Control, a new feature in the Microsoft Windows Server 2003 family, helps reduce the risk of infection from mobile systems by delaying normal remote access to a private network until the configuration of the remote access client has been examined and validated by an administrator-provided script.
Personal Firewalls for Remote Laptops
Traditional packet-filtering firewalls are great at blocking network ports and computer addresses.

17 Single firewall
- A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ.
- The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface.
- The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network.

18 Dual firewalls
- A more secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network.
- Some recommend that the two firewalls be provided by two different vendors. If an attacker manages to break through the first firewall, it will take more time to break through the second one if it is made by a different vendor. (This architecture is, of course, more costly.)

19 Network Security Password Policy
- Passwords should include non-alphanumeric characters, such as
- Passwords should not be dictionary words.
- They should be completely random in their composition. Family names, pet names and so on, are definitely out.
- Automatic password generators can be implemented to avoid staff thinking up easy-to-hack passwords.
- Passwords should expire; the shorter the expiry time the better.
- Users should not be allowed to use the same password twice within a given period of time.
- A minimum acceptable length of a password should also be set. The longer the password the harder it is to crack.
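
One way to enforce the rules on this slide in code, as an added example that is not part of the original presentation: a random password generator and a policy check covering length, non-alphanumeric characters, dictionary words, reuse and expiry. The thresholds, the symbol set and the small word list are assumptions; previous passwords are kept only as salted PBKDF2 hashes.

```python
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta

MIN_LENGTH = 12                       # assumed minimum length
MAX_AGE = timedelta(days=60)          # assumed expiry period
REUSE_WINDOW = timedelta(days=365)    # assumed "given period of time"
SYMBOLS = "!@#$%^&*()-_=+"            # assumed non-alphanumeric set
DICTIONARY = {"password", "welcome", "football", "nablus"}  # constructed word list

def hash_password(password, salt=None):
    """Return (salt, digest); history entries store these, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def policy_violations(password, history, now):
    """history is a list of (salt, digest, set_at) for earlier passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if all(ch.isalnum() for ch in password):
        problems.append("no non-alphanumeric character")
    # Strip digits and symbols so "Password1!" is still caught as a word.
    letters_only = "".join(ch for ch in password.lower() if ch.isalpha())
    if letters_only in DICTIONARY:
        problems.append("dictionary word")
    for salt, digest, set_at in history:
        if now - set_at > REUSE_WINDOW:
            continue  # old enough to be reused under this policy
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reused within window")
            break
    return problems

def is_expired(set_at, now):
    return now - set_at > MAX_AGE

def generate_password(length=16):
    """Draw from a CSPRNG until the result satisfies the composition rules."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, [], datetime.now()):
            return candidate

if __name__ == "__main__":
    now = datetime.now()
    print(generate_password())
    print(policy_violations("Password1!", [], now))
```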

20 Layer 6: Physical Security
- Is the alarm system adequate?
- Is there enough control over who comes or goes from the building?
- Is the server room secure?
- Physical access to the computer will give a data thief the opportunity to disable passwords.
- Servers should be kept in a secure environment where only certain personnel have access.
- A solid brick room with a strong-room-type door is recommended.
Are there:
- Gates
- Guards
- Video
- Guns

21 Layer 7: Policies, Procedures, and Awareness
- Policies, Procedures, Awareness. The overall governing principles of the security strategy of any organization. Without this layer, the entire strategy fails.
- Good written security policies and practices.
- Most important of all, it's about actually enforcing the policies you create.
- Train all employees.

22 Thank You
Date:

