Host Perimeter Defense – SANS GIAC LevelOne
© 2000, 2001

Slide 1: Host Perimeter Defense
Jennifer Kolde
Scott Winters
Most of us have a problem. We are under attack. At this very moment, our Internet-connected
computer systems are being subjected to a surprising number of probes, penetration attempts, and
other malicious attention.
In this talk, we will discuss the types of attacks that are being used against our computers, and how
to defend against these attacks. You will learn about both free and commercial software products
that will help you improve the security of your systems. These products present a variety of
solutions, ranging from easy-to-configure, “hassle-free” products that provide a reasonable level of
security, to more complex solutions that provide more stringent measures for high-value assets.
Slide 2: Agenda
• Do we have a problem?
• Who is vulnerable?
• Threats and types of protection
• Features to look for
• Summary
We will begin this talk by examining the scope of the problem, and you will learn about the types of
systems that are vulnerable and that may require protection.
The main portion of this talk will focus on the various threats to your host’s security, and the types of
protection (including specific tools) that can be used to defend against these threats.
Finally, we will discuss some features to look for when choosing a host perimeter solution. A
summary of important information will round out the talk. At the end of the webcast, you will be
able to recommend and implement utilities and policies for host perimeter defense.
Slide 3: Host Perimeter Defense
• Defends the borders of your
computer
• Complements network perimeter
defense
–Additional layer of protection
• May also be first line of defense
Host perimeter defense is just what it sounds like: defending the perimeter of the host itself - the
borders of your computer.
Most security-conscious organizations protect the borders of their network with tools such as
firewalls or packet-filtering routers. In this situation, host perimeter defense complements network
perimeter defense by adding a second layer of security. Even if an intruder is able to penetrate your
network, he or she will then have to penetrate any host-based security to access protected hosts on
your network.
There are also instances when host perimeter defense may be your first line of defense. This is true,
of course, if there is no network protection. This would be the case, for instance, where your
network security is bypassed - for example, through a connection to a dial-up server inside your
firewall. It is also the case for systems that are not on a standard network - such as home computers
- which nevertheless connect to the Internet through an Internet Service Provider (ISP).
Slide 4: The Hole in Security Policies
• Does your organization have a security policy?
• Does it cover the use of modems, or other
connections that don’t go through the main firewall?
• Does it cover employees doing work at home? Are
their systems protected? Are you sure?
• Is it enforced? Are you sure?
If your organization has a written security policy, you are already a step ahead of many. BUT -
security policies typically address internal systems, Intranets, and external (Internet) connectivity. A
number of potential “holes” are often overlooked, including modems, laptops, and particularly home
computers used for business purposes.
Another potential hole in any organization’s security policy lies in enforcement. A policy is merely
ink on paper without means to track its application and enforce its guidelines. If your security policy
does in fact cover remote access or home systems, how are those standards checked or maintained?
How do you know that your users have not installed unauthorized software? How do you know that
employees using home computers for business are informed about threats and adequately protected?
Slide 5: Who Is Vulnerable?
• Any host that is:
–Directly connected to the internet
–“Protected” behind a firewall
–Networked with any other hosts
(even if not connected to the
internet)
–Connected via modem, cable modem,
ISDN, DSL, etc.
Any networked host may be a candidate for protection using host perimeter defense solutions,
including:
• computers directly connected to the Internet. Any host directly connected to the Internet is visible
to (and potentially vulnerable to!) any one of the several million other Internet users around the
globe. Essentially, anyone from Russia to Brazil to the person next door can “see” your computer -
and may be able to compromise it.
• computers “protected” by a firewall. A firewall is not a bulletproof solution to your security
problems. Dial-up connections may bypass your firewall’s security completely. “Legitimate” traffic
allowed through the firewall may contain dangerous code, such as malicious Java applets in HTTP
traffic, or Trojan executables in electronic mail (SMTP) traffic. Users may install unauthorized
software or modems that create security holes.
• hosts on a private network. Even if you are completely disconnected from the Internet, you may
need to protect your hosts from each other! A large number of security breaches come from inside
an organization. Employees trying to steal information for a competitor, or disgruntled employees
who might want to damage or destroy information present a real threat.
The information on threats and defenses in the following slides can be applied to any of the above
scenarios. However, for the purpose of this course, we will focus on one scenario in particular that is
often overlooked.
Slide 6: Personal Systems With Internet Access
• “Personal” computers internet-
connected through ISP
• Little or no protection
• Increased “always on” access
–Cable modems
–Digital subscriber line (DSL)
• Availability of automated attacks
Perhaps the most underrated security vulnerability today is the threat to “personal” computers.
Home computers are generally thought to be “personal” or “private” - in the security of your home,
they are not vulnerable to attack. However, the reality is that every home user who accesses the
Internet via an Internet Service Provider (ISP) is placing their computer on the Internet, at least for
the duration of their connection.
Because few home users think about security for their “personal” computer, the majority of people
who connect to the Internet have “wide open” systems, easily accessible to a halfway decent
attacker.
The danger to “personal” computers has increased in recent years for two reasons. First, high-speed,
always-on Internet connections such as cable modems and Digital Subscriber Lines (DSL) have
become increasingly available and affordable. This means more home computers are connected to -
and exposed on - the Internet all the time.
Second, the number and types of vulnerabilities and attacks have increased, making it simple for
even unsophisticated attackers to download automated scripts and launch attacks against home users
as well as corporate networks.
Slide 7: Impact of the Problem
• Personal information
–Financial records
–Account names/passwords
• Business information
–Home-based business
–Telecommuters
–Connect to corporate LAN from home
This problem can be a serious one for home users. Sensitive information such as financial records
and account numbers, usernames and passwords may all be stored on a home PC - all of which
provide tempting targets for attackers.
However, this problem is no longer limited to private home users. Businesses can be seriously
affected as well, as the line between home and business computers has increasingly blurred over the
past few years. Businesses are operated out of peoples’ homes; employees work at home and
“telecommute”; users take work home, or use home computers to dial in to corporate networks and
electronic mail servers. All of these scenarios mean that, in addition to sensitive personal
information, it is highly likely that sensitive business information can be found on “personal”
computers.
Which is more difficult for an attacker: to break into a corporate network that is protected by
firewalls, intrusion detection software, and skilled administrators who regularly review log files? Or
to break into the CEO’s unprotected home PC, steal his userid and password, and log straight in to
the corporate network using the stolen information?
Slide 8: Do We Have a Problem?
If you’re still not convinced of the threat to home computers, consider this spreadsheet showing the
number and types of attempted attacks on my computer, located on the outskirts of a major ISP’s
network. The above attacks, which occurred over a two-week period, are representative of typical
activity on “personal” Internet-connected computers.
Slide 9: What Are the Threats?
• Social engineering
• Known vulnerabilities
• Malicious code
• Unauthorized connections
The number and types of vulnerabilities to individual hosts varies greatly. We will examine these
vulnerabilities, and the actions you can take to counter them, in the next series of slides.
Slide 10: Social Engineering
• Attempt to manipulate or trick a
person into providing information
or access
• Bypass network security by
exploiting human vulnerabilities
“Social engineering” is the term used to describe an attempt to manipulate or trick a person into
providing valuable information or access to that information. It is the process of attacking a network
or system by exploiting the people who interact with that system.
People are often the weakest link in an organization’s security. All of the technology in the world
cannot protect your network from a user who willingly gives out his or her password, or innocently
installs malicious software.
Social engineering often preys on qualities of human nature, such as the desire to be helpful, the fear
of getting in trouble, or the tendency to trust the people - and computers - with which we interact.
Slide 11: Social Engineering (2)
• Human-based
–Impersonation
–Third-person authorization
• Computer-based
–Popup windows
–Mail attachments
Most social engineering is “human based”: it involves one person trying to get valuable information
from another person. Consider this example: A man calls the help desk: “Hello, this is Bob Smith,
the Vice-President of Big Corporation. I’m on travel and I’ve forgotten my password. Can you reset
it so I can retrieve an important email for a meeting in 15 minutes?” Would your help desk question
this request? Most people would give out the information without thinking, either because they
want to be helpful or because they are afraid of refusing the “vice-president’s” request.
Social engineering can also be computer-based. Consider this example: A user is browsing the Web
when he sees a pop-up window telling him that his Internet connection has timed out and he needs to
re-enter his user name and password to re-authenticate. Would the average user question this
activity? This is a common means to steal password information.
These examples show that “human nature” can make it trivially easy for an attacker to walk right in
to your network. Why hack through someone’s security system when you can get a user to open the
door for you?
Slide 12: Social Engineering Defense
• Develop appropriate security policies
• Establish procedures for granting
access, etc., and reporting violations
• Educate users about vulnerabilities
and how to report suspicious activity
Social engineering is one of the hardest attacks against which to defend. The weakness is a human
one; there is no hardware to lock up or software to configure. While host perimeter defense products
can provide some protection (for example, anti-virus software to guard against users who run viruses
or Trojan software), your best defense is to establish clear security policies - and enforce them.
• Security policies should establish such things as: the types of access allowed; the people
authorized to grant such access; and the circumstances under which exceptions may be granted.
• In addition to policy, you should define procedures for things like activating and deactivating
accounts; changing or resetting passwords; and granting additional rights or privileges.
• Finally, educate your users about these types of threats. In most cases, users do not maliciously
create security problems - they generally do so out of ignorance. If users are aware of the threats,
they can properly guard against them.
Slide 13: Known Vulnerabilities
• Operating systems and common
software
–Inherent weaknesses
–Default configuration
–Misconfiguration
–Sample applications
Any host is, of course, susceptible to any vulnerabilities in the operating system and software which
the host runs.
A computer’s operating system (OS) will affect its inherent level of security. An OS with strong
authentication mechanisms, privilege and access control, and auditing or logging capabilities (such
as Windows NT, Windows 2000, Unix, or Linux) is more secure than an OS that does not have these
features (such as Windows 95/98). As the majority of home users still run Windows 95 or 98, this
issue becomes a critical one.
Unfortunately, NO operating system is secure “out of the box”, and attackers will take advantage of
security holes in default OS or application configurations, or user/administrator misconfigurations.
Another vulnerability is sample applications that are often included in Web server software or
software development kits. These samples are not intended for production systems (read: they are
NOT SECURE) and can open up additional security holes in your system.
These “holes” are often well-known and well-publicized in the “black hat” community. Worse, for
any vulnerability that has been known for a period of time, there is most likely a script that exploits
the vulnerability. These scripts are readily available on the Internet - making it simple for even the
most inexperienced attacker to launch sophisticated attacks on your systems.
Slide 14: Known Vulnerability Defense
• Choose a secure OS
• Build a secure configuration
• Install updates and patches
• Remove sample applications
• Stay informed
Your best defense against known vulnerabilities is information and education:
• Choose a secure OS and learn to configure it properly. Most vendors and some third-party
organizations now provide recommendations on configuring operating systems and applications
securely. Obtain these documents and apply them per your organization’s needs.
• Keep your software up to date with upgrades and patches. Vendors regularly release updates
and patches, many of which address security issues. Keep your systems up to date with the latest
patches.
• Remove sample applications. Do not install sample applications, unless they are loaded on a test
system. If sample applications must be installed, secure them just as you would any other software
component.
• Stay informed. New security vulnerabilities are released daily. A quick and easy way to stay up
to date is to subscribe to security mailing lists. Several excellent public lists are given at the end of
this presentation. Most vendors also have their own mailing lists, or at least post security notices on
their Web sites.
Slide 15: Malicious Code
• Program that performs harmful,
unauthorized action
–Viruses
–Trojans
–Java applets and ActiveX controls
• Often easily bypass network
security
One of the broadest categories of threats to your network hosts is that of malicious code. Malicious code
is defined as an executable program that performs an action (often harmful or destructive) without the
knowledge of the user.
Malicious code includes viruses and Trojan software (malicious software masquerading as a useful
program or utility). Recent virus incidents such as those surrounding the ILOVEYOU virus or the Melissa
virus indicate the seriousness of the threat. The attacker who gained access to Microsoft’s network in
October 2000 and viewed source code for a future Microsoft product is suspected to have gained access to
internal systems via the QAZ virus, which installs a secret ‘back door’ to allow access to a system. Over
40,000 known viruses exist as of this writing, and the number continues to increase.
A newer threat is that presented by Java applets and ActiveX controls. These are bits of code, like mini-
programs, that run within a Web browser when you access a Web page that contains the applet. (Java will
run in any browser; ActiveX is specific to Microsoft Internet Explorer.) Both types of code are supposed
to be “safe” and execute only within restricted boundaries on the user’s computer. However, a number of
security holes have been found in this technology. Malicious applets can perform actions such as reading
files (such as a password file) or deleting files. Worse, most applets run within the browser without the
user’s knowledge.
A particular danger of malicious code is that it can easily bypass security measures such as firewalls. This
is because malicious code is often hidden in “legitimate” network traffic. Your firewall probably allows
HTTP (Web) traffic into your network, but this traffic can contain hostile Java and ActiveX code. You
probably also allow SMTP (electronic mail) traffic, but electronic mail often contains attachments with
macro viruses or Trojan software.
Slide 16: Malicious Code Defense
• Anti-virus software
• Java/ActiveX protection
Probably the most well-known form of host perimeter defense is anti-virus software, which defends
your computer from malicious code such as viruses and some common Trojan/backdoor programs
(such as NetBus or Back Orifice). Because anti-virus software is covered in its own course, we will
only mention it briefly here.
However, it is important to note that some anti-virus vendors now offer additional protection
against hostile Java and ActiveX controls. For example, both Norton Anti-Virus and McAfee
VirusScan offer some degree of Java/ActiveX protection. Check your product specifications
carefully; some vendors’ offerings may only provide protection for specific browsers (i.e., for
Netscape Navigator OR Microsoft Internet Explorer, but not both).
Another means to defend against malicious Java and ActiveX controls is to tighten your browser’s
security. Both Netscape Navigator and Microsoft Internet Explorer offer means to customize
browser security to allow, prompt for, or disallow actions such as Java and ActiveX scripting. One
catch to tightening security in this way is that you may block safe applets along with hostile ones -
some Web sites will not display correctly without scripting enabled, or will pop up an annoying
number of warning messages asking if you want to run an applet.
Slide 17: Unauthorized Connections
• Default services running on system
• Software that opens additional
ports
Applications and services used for network or host-to-host communications use a protocol and a port
number to communicate. Protocols include Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP). Common ports include those used for Telnet (23), DNS (53), and POP3
(110).
Computers need to use these various protocols and ports to communicate with each other. The
default installation of any operating system will open various ports. For example, Unix and Linux
systems typically install a Telnet server (port 23). Microsoft Windows systems use the NetBIOS
ports (137 - 139) for Windows networking. Applications may open additional ports; Web servers
may use FTP (21), HTTP (80), or SSL (443). Trojan software may open still more ports, such as
NetBus (12345) or Back Orifice (31337).
All of these ports represent a potential “door” through which someone can enter your computer. A
computer will typically “listen” on a port until a connection is attempted. Depending on the
authorization (if any!) required, the system will then accept or reject the connection attempt.
However, it’s a good bet that most users don’t know what a port is, much less which ports may be
open on their computers.
Slide 18: Unauthorized Connection Defense
• Determine open ports
• Block ports that are not needed
• Monitor connection attempts
The first step in protecting your system from unauthorized connection attempts is to determine which
ports are actually open on your system. For example, in Windows 9x or NT, you can type netstat -a
at the command prompt to display a list of all open connections to your system.
This utility is good for generating a “snapshot” view of system activity, as it will also identify the
open ports on your system - including some you may not know you have!
However, it does not provide a means to block ports that you don’t want left open, or to monitor port
activity on an ongoing basis. That is the purpose of personal firewall and host-based intrusion
detection software.
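As an added example (not part of the SANS course material), this Python script does the first two steps the previous two slides describe: it parses a constructed `netstat -a` snapshot in the Windows column layout, keeps only the ports that are actually bound (TCP sockets in LISTENING state, every UDP socket), labels them with the service and Trojan ports the slides name, and reports anything outside an operator-maintained allowlist. The sample output and the allowlist are assumptions; on a real host you would feed it the output of `netstat -a` instead.

```python
"""Triage a `netstat -a` snapshot against a port allowlist (added example)."""
import re
from typing import NamedTuple

# Ports the slides name: common service ports and two well-known Trojan ports.
SERVICE_PORTS = {
    21: "FTP", 23: "Telnet", 53: "DNS", 80: "HTTP", 110: "POP3",
    137: "NetBIOS-NS", 138: "NetBIOS-DGM", 139: "NetBIOS-SSN", 443: "SSL",
}
TROJAN_PORTS = {12345: "NetBus", 31337: "Back Orifice"}

# Constructed sample in the column layout Windows `netstat -a` prints.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

class Listener(NamedTuple):
    proto: str
    port: int
    label: str   # service name, Trojan name, or "unknown"
    trojan: bool

# Proto, local addr:port, foreign addr, optional state (UDP lines have none).
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return the bound ports: TCP only in LISTENING state, every UDP socket.
    An ESTABLISHED TCP socket is a live connection, not a waiting door."""
    found = []
    for line in netstat_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, _local, port, _foreign, state = m.groups()
        port = int(port)
        if proto == "TCP" and state != "LISTENING":
            continue
        label = TROJAN_PORTS.get(port) or SERVICE_PORTS.get(port, "unknown")
        found.append(Listener(proto, port, label, port in TROJAN_PORTS))
    return found

def unexpected_ports(listeners: list[Listener],
                     allowed: set[tuple[str, int]]) -> list[Listener]:
    """Bound ports the operator did not allow. A known Trojan port is always
    reported, even if someone added it to the allowlist."""
    return [l for l in listeners if l.trojan or (l.proto, l.port) not in allowed]

if __name__ == "__main__":
    # Assumed policy for this host: Windows networking (NetBIOS) only.
    allowed = {("TCP", 139), ("UDP", 137), ("UDP", 138)}
    for l in unexpected_ports(parse_listeners(SAMPLE_NETSTAT), allowed):
        flag = " <-- known Trojan port" if l.trojan else ""
        print(f"{l.proto} {l.port} ({l.label}){flag}")
```

The third step on the slide, monitoring connection attempts over time, is what a personal firewall adds on top of a snapshot like this.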
