Server and Domain Isolation Using IPsec and Group Policy

Appendix D: IT Threat Categories

Published: March 17, 2005 | Updated: July 24, 2006

This appendix provides a list of potential threats and attacks that can affect an organization and explains how a server and domain isolation solution can help mitigate them.

Threats Identified by STRIDE

This section describes a number of network security threats identified by the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) model and how the security measures implemented as part of this solution can be used to help mitigate them.

Spoofing Identity Threats

Spoofing identity threats include anything done to illegally obtain or access and use another person's authentication information, such as a user name or password. This category of threat includes man-in-the-middle attacks and trusted host communications with untrusted hosts.

Man-in-the-Middle Attacks

One common technique used by hackers is the man-in-the-middle attack. This technique places a computer between two communicating computers in a network connection, and the in-between computer then impersonates one or both of the original computers. This technique provides the "man in the middle" with a live connection to the original computers and the ability to read and/or modify messages as they pass between them while the two computers' users think they are communicating only with each other.

Some Internet service providers (ISPs) have developed filtering practices that attempt to combat both man-in-the-middle attacks and spoofing of e-mail. For example, many ISPs only authorize users to send e-mail through the ISP's servers, and they justify this restriction by the need to fight junk e-mail. However, the restriction also prevents authorized users from using a legitimate e-mail service provided by a third party, which many advanced users resent. Some cable ISPs try to block audio or video traffic in an attempt to force users to use their own voice-over-IP or video-streaming services. Other examples include attempts to ban some forms of virtual private networking (VPN) traffic, reasoning that VPN is a business service that requires a higher fee subscription, and attempts to prevent users from running servers in their homes.

ISP filters are typically implemented by using hardware functions of routers that operate on specific protocol types (User Datagram Protocol [UDP] or Transmission Control Protocol [TCP]), port numbers, or TCP flags (initial connection packet, and not data or acknowledgement). The use of IPsec effectively disables this kind of filtering, leaving the ISP with only two very extreme options: ban all IPsec traffic, or ban traffic with certain identified peers. If IPsec is widely used, both of these options could generate serious consumer backlash.

Trusted Hosts Communicating with Untrusted Hosts

This threat is actually a superset of several smaller threats and includes the issues of general spoofing of identity, modification of data between endpoints in a transmission, and eavesdropping. However, the greatest threat is spoofing, because the intent is to deceive a trusted host into thinking it is communicating with another trusted host. Not every host that will be isolated requires communication with untrusted hosts. Because IPsec uses a policy-based mechanism to determine the level of security required between two hosts when negotiations begin, most of these issues are addressed by careful consideration of the tradeoffs between security and communication, followed by thoughtful design and implementation of an IPsec policy that reflects the preferred outcome. Chapter 5, "Creating IPsec Policies for Isolation Groups," depicts the communication requirements for the Woodgrove Bank scenario and also the methodology that was used to create IPsec policies that govern how communications occur.

Tampering with Data

Tampering with data threats involve the malicious modification of data. Examples include unauthorized changes made to persistent data (such as defacement of a Web site), information held in a database, or data as it flows between two computers on an open network. One specific threat in this category is session hijacking.

Session Hijacking

Properly designed authentication mechanisms and long random passwords will resist network sniffing and dictionary attacks, respectively. However, attackers may use session hijacking to capture a session after the regular user has been authenticated and authorized. Session hijacking could enable an attacker to use a regular user’s privileges to access or modify a database, or possibly to install software for further penetration, even without obtaining the regular user’s credentials. The simplest way to perform session hijacking is to first attempt to place the attacker’s computer somewhere in the connection path by using a specialized hacking tool. The attacker will observe the exchange and at some point take over. Because the attacker is in the middle of the exchange, they can terminate one side of the TCP connection and maintain the other side by using the correct TCP/IP parameters and sequence numbers. The use of IPsec for either encryption or authentication protects endpoints from session hijacking.

Repudiation

Repudiation threats involve users who deny that they performed an action, and other parties have no way to prove otherwise. An example of this type of threat would be a user performing a prohibited operation in a system that lacks the ability to trace the prohibited operation. Nonrepudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item from a Web-based vendor might have to sign for the item when they receive it. The vendor can then use the signed receipt as evidence that the user received the package.

Information Disclosure

Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it. Examples include the ability of users to read files to which they were not granted access and the ability of an intruder to read data that is in transit between two computers. Threats in this category include unauthorized connections and network sniffing.

Unauthorized Connections

Many network configurations have a very trusting security posture and grant access to vast amounts of information from computers inside the perimeter. This access is sometimes explicit (as in the case of intranet Web servers) and sometimes implicit because of the poor security protection of some applications. Some policies rely on simple address tests, but attackers can bypass these tests by forging addresses.

IPsec can be used to implement an additional connection check. It is possible to set up policy rules that require a set of applications to be accessible only after a successful IPsec negotiation.

Network Sniffing

Attackers attempt to capture network traffic for two reasons: to obtain copies of important files during their transmission, and to obtain passwords so that the attackers can extend their penetration. On a broadcast network, hackers use network sniffing tools to log TCP connections and obtain a copy of the communicated information. Although these tools do not work very well on switched networks, it is possible even on switched networks to attack the Address Resolution Protocol (ARP) by using other specialized tools, which redirect IP traffic through the attacker’s computer and make it easy to log all connections.

A few protocols (Post Office Protocol 3 [POP3] and File Transfer Protocol [FTP], for example) still send plaintext passwords over the network, and an attacker who sniffs the network will find this information easy to obtain. Many applications use a challenge-response mechanism, which avoids the problem of sending a plaintext password but is only slightly more challenging. The attacker will not be able to read the password directly, but dictionary attacks can often deduce it from a copy of the challenge and response. Using IPsec to encrypt such exchanges effectively protects against network sniffing.

Denial of Service

Denial of service attacks are directed attacks against a specific host or network. These attacks usually send more traffic to a host or router than it can handle within a given time, which results in an inability of the network to handle the traffic and thereby disrupts the legitimate flow of traffic. Denial of service attacks can be distributed across many attackers to focus the effort on a particular target. Target computers are usually compromised somehow, and a malware script or program is installed on them that allows the attacker to use the computers to direct a coordinated flood of network traffic to another computer or group of computers. The compromised computers are referred to as zombies, and such attacks are called distributed denial of service attacks.

IPsec requires authentication before establishing communications, and therefore helps mitigate most distributed denial of service attacks (except those that use a trusted attacker scenario). In other words, Internet-based distributed denial of service attacks will be rendered harmless, but a denial of service attack launched from within an organization's network would still succeed if the attacking host or hosts can authenticate and communicate using IPsec.

Discriminating Between Standard and Attack Traffic

Shortly after the Slammer worm struck in January 2003, it was observed that networks would not have been flooded with the worm's traffic if they had had simple rules in place that limited UDP traffic to at most 50 percent of available bandwidth. The infected hosts would have quickly filled up 50 percent of the bandwidth with UDP traffic, but the rest of the bandwidth would have remained available for operational traffic. Automatic teller machines (ATMs) would have continued working, and administrators would have been able to use TCP to apply patches and propagate policies. Although the policy of limiting UDP traffic is simplistic, such simple policies that can be left in place permanently can provide a reliable safety net.

By using IPsec for important traffic, administrators can apply a slightly more sophisticated version of the UDP policy. In typical conditions, network administrators can monitor the mix of traffic on the network and determine how much of it is UDP traffic, TCP traffic, Internet Control Message Protocol (ICMP) traffic, and so on. Under stress, a weighted fair queuing algorithm can engage to ensure that the resource is shared according to a standard pattern. In fact, it is usually possible to program such a policy by default in routers, collect long term trends and statistics during periods of standard network activity, and apply these collected statistics as fair queuing weights during periods of heavy congestion.
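A numeric illustration of the weighted-sharing policy described above, added here as an example and not part of the original guide: the traffic figures, class names and link size are constructed, and the allocation routine is a simple work-conserving weighted share rather than any specific router's queuing implementation.

```python
# Weighted fair sharing of link capacity by traffic class: weights come from
# the mix observed during normal operation, and under congestion each class
# is guaranteed its weighted share. Constructed sample figures throughout.

# Constructed baseline mix (Mbps) observed during a normal period.
BASELINE_MBPS = {"TCP": 70.0, "UDP": 25.0, "ICMP": 5.0}
# Constructed offered load (Mbps) during a UDP worm flood on a 100 Mbps link.
FLOOD_MBPS = {"TCP": 60.0, "UDP": 500.0, "ICMP": 2.0}
LINK_MBPS = 100.0


def baseline_weights(observed):
    """Convert an observed per-class traffic mix into fractional weights."""
    total = sum(observed.values())
    return {cls: mbps / total for cls, mbps in observed.items()}


def fifo_share(capacity, offered):
    """No policy: a saturated FIFO link serves classes by offered load."""
    total = sum(offered.values())
    return {cls: capacity * mbps / total for cls, mbps in offered.items()}


def weighted_share(capacity, offered, weights):
    """Work-conserving weighted sharing: each class gets up to its weighted
    share; capacity a class leaves unused is re-offered, by weight, to
    classes that still have unmet demand."""
    remaining = dict(offered)
    alloc = {cls: 0.0 for cls in offered}
    spare = capacity
    active = {cls for cls, demand in remaining.items() if demand > 0}
    while spare > 1e-9 and active:
        wsum = sum(weights.get(cls, 0.0) for cls in active)
        if wsum == 0:
            break
        satisfied = set()
        for cls in active:
            grant = spare * weights.get(cls, 0.0) / wsum
            give = min(grant, remaining[cls])
            alloc[cls] += give
            remaining[cls] -= give
            if remaining[cls] <= 1e-9:
                satisfied.add(cls)
        spare = capacity - sum(alloc.values())
        active -= satisfied
    return alloc


if __name__ == "__main__":
    w = baseline_weights(BASELINE_MBPS)
    print("FIFO    ", fifo_share(LINK_MBPS, FLOOD_MBPS))
    print("weighted", weighted_share(LINK_MBPS, FLOOD_MBPS, w))
```

With these figures, FIFO leaves TCP under 11 Mbps of the 100 Mbps link, whereas the weighted policy still delivers all 60 Mbps of TCP and the 2 Mbps of ICMP, with only the leftover 38 Mbps going to the UDP flood.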

Worms and Denial of Service Attacks

The recent past has shown that networks are vulnerable to denial of service attacks, which operate by sending excess traffic to saturate either a specific server or a specific portion of a network. One form of denial of service attack operates in a distributed fashion, directing a number of computers to send attack traffic simultaneously to a selected target; these can be especially difficult to defend against. The CodeRed worm first tried to penetrate a number of Web servers, which were all supposed to send crippling traffic to whitehouse.gov (the domain of the White House in Washington, DC, USA). In fact, the propagation mechanisms of the CodeRed, Nimda, and Slammer worms were denial of service attacks against the Internet. Each infected computer performed hundreds of thousands of infection attempts on indiscriminate targets, and the resulting traffic crippled many local and regional networks.

IPsec protects against denial of service attacks in several ways, and provides an added level of protection to potential victims of the attack. It slows down attackers by forcing expensive computations, and it allows network operators to distinguish between different types of traffic.

Elevation of Privilege

This type of threat allows an unprivileged user to gain privileged access that enables them to compromise or possibly destroy an entire system environment. Elevation of privilege threats include situations in which an attacker has effectively penetrated all system defenses to exploit and damage the system.

Other Threats

Not all threats fit cleanly into the STRIDE model. The following items depict other threats and describe their potential impact on a server and domain isolation solution.

Physical Security

Physical security involves providing physical access to a system or resource to only the minimum number of users who need it. Physical security is the lowest layer of defense for most IT security threats. However, in most network-level attacks, physical security is completely bypassed. Physical security still provides significant value as part of a defense-in-depth approach. For example, physical security in the form of security guards, cameras in data centers, access controls to sensitive locations, and keycards or keys on doors all help prevent a trusted device from becoming compromised. Using multiple methods of physical security is important and can help prevent some of the more serious data center security breaches.

It should be very clear that compromised physical security always means that all security layers have been compromised. All security discussed in this solution is based on the assumption that physical security has been addressed. Without physical security, no other security measures can be considered effective.

Network Security

A network is a system of interconnected computers. Most of the protocols and services designed for networks were not created with the potential for malicious intent in mind. The advent of high-speed computing, easy network access, and the wide availability of the Internet caused many malicious users to focus their efforts on systems and services for exploitative purposes or to cause disruption. A number of network threats were described in some detail earlier in this appendix. Additional information about how IPsec protects against some of these network attacks can be found in the “Configuring TCP/IP Name Resolution” section of the “Configuring IP Addressing and Name Resolution” chapter within the Windows® XP Professional Resource Kit.

Application Security

Most attacks that are directed at applications attempt to exploit vulnerabilities that exist in those applications or the operating system. Because IPsec is implemented at the network layer of the Open Systems Interconnection (OSI) model, it determines whether a packet is permitted or discarded before that packet ever reaches the application. This behavior means that IPsec cannot make application-level determinations but can be used to provide security for application traffic at a lower level.

Social Engineering

Social engineering is the act of exploiting weaknesses in human behavior to gain access to or learn more about a system. For example, a would-be attacker could use the telephone to call the target company and then ask for the name of the supervisor in charge of a particular project. This project is one in which the company is developing a new product or service, which is what the attacker wants to know more about. If the operator provides the attacker with the name of the supervisor and perhaps even the location or contact information for that person, the attacker has more information that they can use to focus their efforts.

Because this type of attack targets the user of the computer, IPsec cannot protect against it. Similarly, a malicious user who has access to isolated systems and abuses that access (often referred to as a trusted attacker) will need to be prevented using other security technologies.

Summary

Clearly, using server and domain isolation will not resolve all of the threats that organizations face. Only a thorough understanding of available options and a detailed knowledge of the technical challenges will allow organizations to adequately protect their IT environments.
