1
Information Security: The Big Picture - SANS GIAC
© 2000
1
Information Security:
The Big Picture – Part IV
Stephen Fried
2
Information Security: The Big Picture - SANS GIAC
© 2000
2
Agenda
• General Security Introduction
• Telecommunications Fundamentals
•Network Fundamentals
•
Network Security
• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
•Conclusion
Next up is Network Security. This section will take our discussion of network protocols and
configuration one step further. In this section we will learn about network configuration, network
attacks, and various other network security topics.
3
Information Security: The Big Picture - SANS GIAC
© 2000
3
Firewalls
• Firewalls protect “inside” from “outside”

• Can be a single machine or a series of
machines
• Allow for filtering and inspection of
packets
• Basic Types
– Application Gateways
– Packet Filters
– Stateful Inspectors
You hear a lot of talk about firewalls in relation to network security. The name “firewall” comes from the building industry and it
denotes a wall constructed to stop (or at least slow) the spread of fire from one space to another. In network security, a firewall
serves the same purpose. But instead of being built from bricks or steel it is built with computers and routers. But the conceptis
still the same. A network firewall is designed to protect what’s “inside” the firewall from what may be “outside.” Most often, you
will hear firewalls used in reference to Internet protection, and most companies that are on the Internet today use a firewall to
protect their corporate networks from the evils of the Big Bad Internet.
A firewall can be as simple as a single box. In some cases you can even use a network router to handle basic firewall protection.
More often, a firewall is a dedicated computer running specialized software that can track and analyze the traffic passing into and
out of the network and act quickly to prevent “dangerous” connections. However, in some instances the “firewall” is actually a
system of several computers combined with specially programmed network equipment to offer more robust protection against a
wide variety of attacks.
The firewall will be preprogrammed with a series of rules specifying the types of traffic that it will allow and the types of traffic it
will not allow. The firewall operates by looking at each packet that passes through it. It may examine the source and destination
address, the application that sent the packet, or even the packet’s relationship to other similar packets. It then matches the packet
against that list of rules. If the packet is “permitted” based on the rule set, the firewall allows it to pass through. If the packet is
“denied” because of a rule violation, the firewall will block it before it passes through to the inside network.
There are three basic types of firewalls:
• Application gateways use a specialized program for each type of application or service that needs to pass through the firewall.
Thus, there may be a program for web traffic, a program for file transfer programs, and a program for terminal sessions. The
benefit of an application gateway is that it can do a detailed analysis of the packets and can be customized to the particular needs
of the organization using the firewall. The disadvantage is that a customized program must be written for each application that
uses the firewall. Application gateways are also slower than other types of firewalls and may not stand up to the performance

needs of a large network.
• Packet filters simply look at each packet’s source, destination, and application name and make a determination based on the
programmed rule set. The advantage to packet filters is that they can work very quickly, a plus on large, fast networks. The
disadvantage is that their ability to analyze the packet in greater detail is limited.
• Stateful Inspection firewalls do a more detailed analysis than packet filters. They look at the packet’s relationship to other
packets that have passed through and can also look at traffic over time. This allows for a more sophisticated analysis of the traffic
and makes for a better firewall.
4
Information Security: The Big Picture - SANS GIAC
© 2000
4
Demilitarized Zones (DMZs)
• Used in many e-business situations
• Create a “semi-trusted” zone on the
network
• Protect DMZ systems from the Internet
• Protect internal systems from the DMZ
Internet
DMZ
Internal
Network
We have seen that firewalls can be used to protect internal organizational resources form the perils of the Big Bad Internet. But
firewalls can also be used in many different configurations for different applications. For example, many organizations are
rushing to put e-commerce systems on the Internet. However, this presents a double problem for the organization. First, there
is the problem of protecting your systems from the Internet – a problem we have already covered (and will cover more later
on). The second problem is the one of protecting the systems on your internal network from the Internet commerce systems.
This may sound kind of strange. After all, if the commerce systems are yours, why do you need protection against them? Well,
look back at your Defense in Depth strategy. You need to present multiple layers to attackers in order to better protect your
internal systems. So, in the event your Internet systems get successfully attacked, you need something standing between them
and your internal network.

One answer is the use of a concept called the Demilitarized Zone, or DMZ. The concept of a Demilitarized Zone comes from
the military. It refers to an area of land between two warring armies that belongs to neither side and in which neither army can
launch an attack. In the network security field, a DMZ refers to a small network that sits between the Internet and your real
internal network. In this zone sits your e-commerce systems. On one side of the DMZ is a firewall that protects the DMZ from
the Internet. On the other side of the DMZ is a firewall that protects the internal network from the DMZ. (Editor’s note: in
some cases, the term DMZ is used to referred to servers placed outside your firewall which have no protection from the
Internet. In these cases, the term screened subnet is used to refer to a protected area that sits between an external firewall
(protecting the screened subnet from the Internet) and an internal firewall (protecting your internal network from the screened
subnet). – JEK)
Why the two firewalls? Well, the outside firewall serves several purposes. First, it limits what systems and protocols can
actually get inside the DMZ and touch the systems inside. It also protects against many types of Internet attacks. Remember
our mantra – if you are connected to the Internet you need a firewall. OK, so what’s the internal firewall for? This is to protect
against the eventuality (no, not the possibility but the eventuality) that the outside firewall will be compromised and attackers
will break into your DMZ systems. The inside firewall limits the systems that the DMZ machines can access. So, if the DMZ
systems are successfully attacked, the attackers will have only a handful of systems on the inside they can even see on the
internal network.
DMZs come in many different configurations, and new designs are as common as the number of
companies that use them. If you are planning to put e-commerce systems on the Internet, you might want to look at setting up
your own DMZ.
5
Information Security: The Big Picture - SANS GIAC
© 2000
5
Proxies
• Centralized traffic control
• More efficient use of network
bandwidth
• Hides real IP addresses of
machines behind the proxy
Do you own any stock in a company? I do, and several times a year I get a mailing from one

company or another telling me about their annual meeting and asking me to vote on whatever
important issues will be discussed at the meeting. The voting form is called a proxy statement,
because by filling it out and mailing it in I am allowing somebody else, my proxy, to cast my vote
for me (hopefully following my instructions).
Well, networks can use proxies too, and the effect is quite the same. A proxy server sits somewhere
on the network, usually close to the firewall. When a computer inside the network wishes to
communicate with a computer outside the network it asks the proxy to make the connection on its
behalf. The proxy makes the connection and acts as an intermediary between the inside computer and
the outside computer.
Proxies make a lot of sense from a network security standpoint. They concentrate network access to
a single machine, making firewall rule sets easier to program. They also hide the actual IP address of
the internal machine from the outside machine. All the outside machine ever sees is the IP address of
the proxy server. This is an important consideration for security-conscious networks that do not want
outside people knowing what IP addresses their inside machines use.
Proxies can also store, or cache, information that is repeatedly requested by inside machines. In this
way, when a subsequent request is made for that information, the proxy server returns the
information from memory rather than having to retrieve it from across the network. This leads to
faster response times for the inside computers.
6
Information Security: The Big Picture - SANS GIAC
© 2000
6
Proxy Configuration
98.143.54.78 98.143.54.79 98.143.54.80
98.143.54.212
Internet
Proxy
Server
207.46.131.137
The diagram on this slide illustrates how proxies work in practice. On this network we have four

machines. There are three computers with IP addresses 98.143.54.78, 98.143.54.79, and
98.143.54.80. We also have a proxy server with an address of 98.143.54.212. The proxy server is
connected to the Internet.
When a computer program needs to connect to a machine on the Internet, the request goes first to the
proxy server. The request will say something like “computer 98.143.54.78 needs to talk with
computer 207.46.131.137 on the Internet.” The proxy server notes the request and then replaces the
original IP address with its own. The request will then be “computer 98.143.54.212 needs to talk with
computer 207.46.131.137 on the Internet.” The connection is then made to the Internet machine.
Once the connection is established, all communications between the original machine, 98.143.54.78
and the Internet machine will be relayed through the proxy server.
From the viewpoint of the Internet machine, however, it believes it is communicating with the proxy
server, not the original inside machine. So, even if all three computers on this network are
communicating simultaneously with the Internet machine, the Internet machine just thinks it has
three connections to the same proxy server, not three connections to three separate computers. It is
the responsibility of the proxy server to keep track of what connections belong to which machines.
7
Information Security: The Big Picture - SANS GIAC
© 2000
7
Network Attack Methods
• Denial of Service
•Distributed DoS
• Session Hijacking
•IP Spoofing
•TCP Sequence
Prediction
•IP Fragmentation
•Ping of Death
•SYN Flooding
•Smurf

• Teardrop
•Land
• Spamming
• Junk Mail/Chain
Letters
• Main in the Middle
• Session Replay
In the following few slides we are going to talk about various types of attacks that have occurred
over the Internet in the past. But before we begin, I should point out a couple of important facts.
First, we will not be going into very technical depth about each of these attacks. Some of them can
get quite complicated, but we will stick to the high-level description as much as possible.
Second, many of these attacks have many variations that have been used over time. You may hear of
them referred to in several different ways in your continuing security education. In the interests of
time we will restrict our discussion to the original attack, and mention any variations only as
necessary for clarification.
Finally, while each of these attacks can be used by itself, you will very often see them used in
combination, or see one attack used as the basis for another. For example, many of the attacks are
based on some form of Denial of Service.
8
Information Security: The Big Picture - SANS GIAC
© 2000
8
Denial of Service
• Keeping the computer or network
from doing anything useful
• Can be a system crash, more often
just flooding it
• Very hard to prevent
• Distributed DoS – the latest wrinkle
Denial of Service, or DoS, is one of the most common attacks in use today. It works just like it

sounds: it is used to deny service to a system or network. Denial of Service attacks are aimed at
preventing a computer or network from performing its normal duties. This can take the form of
crashing a computer, but more often it takes the form of flooding the network or computer with
hundreds, or even millions, of information or service requests. The computer quickly gets
overwhelmed and can’t handle the load. Once this happens, service is denied to legitimate users of
the service because they can’t seem to get the server’s attention.
Denial of service attacks are appealing to attackers for a number of reasons. First, they are
deceptively simple to do. As we shall see shortly when we talk about SYN flooding, the methods for
performing a DoS attack are not that difficult to learn or perform. Second, depending on how the
DoS is performed, all you are doing is preventing legitimate traffic from getting to the server. You do
not necessarily have to crash the machine or ruin any of the server’s resources. The attacker
mentality will say that this is no more harmful than driving slowly on the highway or taking your
time at the drive-in line at the bank. Well, tell that to Yahoo, eBay, or any one of the dozen other
large Internet sites that got hit with DoS attacks in the spring of 2000. To them, the damage and the
losses were very real.
Classic DoS attacks occur when a single system or network floods your network with packets. The
attack can be stopped by instructing your routers or firewalls not to accept packets from that system.
However, a new breed of DoS attacks has recently surfaced, the Distributed Denial of Service, or
DDoS. We’ll look at Distributed Denial of Service on the next slide.
9
Information Security: The Big Picture - SANS GIAC
© 2000
9
Distributed Denial of
Service
Internet
Attacker
Victim
Agent
Agent

Agent
Agent
Handler
In DDoS attacks, the attacker is not a single system or network, it comes from a wide distribution of
computers from all over the Internet, sometimes seemingly at random. Distributed denial of service
attacks are more complicated to set up from an attacker’s point of view, but their effects can be much
more devastating.
In a classic DDoS attack, there are a number of roles and components. On the roles side, there is the
Attacker, the Victim, and a number of “innocent” third parties (called Agents) that play an
unwilling role in the attack. The attacker will break into each of the Agent’s computers and plant a
program that can perform a DoS attack against the victim. There can be hundreds or even thousands
of Agents involved in an attack. One of the Agents is tagged as the Handler. It is the Handler’s
responsibility to coordinate the attack on behalf of the Attacker.
When the Attacker is ready to launch the attack, he contacts the Handler and tells it who the real
Victim is, how long the attack should last, and any other information the Agents will need. The
Handler then relays that information to the Agents and off they go. What the Victim sees is a DoS
attack from many different sites all coming at once.
What makes DDoS attacks so unique and powerful is that it uses the diversity of the Internet to
strengthen the attack. The attack seems to be coming from everywhere at once, and since there is no
authentication on TCP/IP connections, there is no way to tell the real origin of the attack.
10
Information Security: The Big Picture - SANS GIAC
© 2000
10
Session Hijacking
• Taking over a connection that has
already been established
• Bypasses any identification or
authentication required to establish
• Attacker pretends to be legitimate

user
With many computer services a user is required to identify himself to the service and provide proof
of his identity. This process is called authentication. Without proper authentication, a computer can
not be assured of the identity of the user and will not grant that user access to its services.
Many attackers wish to use services that they would normally not have authorization to use. And
while they can try to connect to the computer to gain access to the service, they will not be able to
pass through the authentication process. The answer to this problem is to take over a session that
somebody has already established. This process is called session hijacking.
In a Session Hijacking attack, the attacker monitors the network waiting for a user to establish an
authorized connection to a computer or service. Then, the attacker sets up his computer to look just
like the victim’s computer, with the same IP address, name, etc. He then uses a Denial of Service
attack, or some other method, to block access to the victim’s computer and effectively take it off the
network.
Once this is done, the attacker then appears to be the original user and computer that originally
authenticated. The attacker’s computer looks to the service like a legitimate computer and the
attacker never has to authenticate himself.
11
Information Security: The Big Picture - SANS GIAC
© 2000
11
• If packets are larger than a network can
handle, they are fragmented in multiple parts
• Fragmented parts are reassembled at
destination
• Attacks
–Tiny fragment
–Overlapping fragments
– Teardrop
IP Fragmentation
In the IP protocol, there are allowances for the fact that there may be many different types of equipment,

computers, and networks connected together. For instance, a computer may want to transmit packets of 1
kilobyte (1024 bytes) in size, but the routers between the computer and the destination may only be able to
handle packets of 512 bytes in size. If this is the case, IP will automatically split the original packet into
smaller pieces that will be able to make it all the way across the network. This process is called
fragmentation. Once the fragments reach their destination they are reassembled to recreate the original
packet. Fragmentation is good because it ensures the accurate transmission of information in a way that is
transparent to the user or application.
However, like all good things, packet fragmentation has also been used for evil purposes as a way of attacking
computers and slipping past firewalls. There have been three basic types of IP fragmentation attacks. The first
is the “Tiny Fragment” attack. In the Tiny Fragment attack, the attacker creates a packet and then fragments
the packet into very small pieces. The fragment is so small, in fact, that some of the header information gets
forced into more than one packet. The tiny fragments take advantage of the fact that many filtering firewalls
can not handle incomplete header information and allow such fragments through, even if the re-assembled
packet would not be allowed through the same firewall.
The overlapping fragment attack works by the attacker again splitting the packet into fragments. However,
instead of the fragments being reassembled sequentially, the fragments are reassembled so that subsequent
packets actually overwrite sections of the first fragment.
Finally, an attack called the teardrop attack was launched by creating fragments so that a second fragment
was placed entirely inside the first fragment. Many fragment reassemblers couldn’t handle the offsets involved
and crashed the machine.
Packet fragmentation may seem a bit esoteric for ordinary folks to worry about, but it is a classic example of
the technical lengths and the in-depth knowledge attackers will seek in order to work their evil.
12
Information Security: The Big Picture - SANS GIAC
© 2000
12
Ping of Death
• Maximum PING packet size 64K
• Microsoft allows larger packets
• Send a PING packet greater than

64K …
POOF!
A popular attack for a while was the so-called Ping of Death. The Ping of Death worked by
exploiting a problem known as a Buffer Overflow. We will cover buffer overflows later in the
course. For now all you need to know is that normal TCP/IP packets have a maximum allowable size
of 64K, or roughly 65,000 bytes.
Almost all TCP/IP-based computers come with a utility package called PING – the Packet InterNet
Groper. Ping is an application level implementation of the ICMP protocol. It is generally used to
see if a host computer is running and available on a network. It works by sending a number of
characters to the remote host and waiting for the host to send them back to the originating computer.
In most implementations, the amount of data ping will send is less that 100 bytes.
However, a programming error in the Microsoft TCP/IP stack allowed ping to use packets of any
size, including larger than the 64K TCP/IP packet limit. All an attacker has to do is to use the ping
utility with one of these huge packets against a machine susceptible to this attack. Once the packet
hits the victim machine it will instantly crash.