Network Security Basics (2)

zhaozj  2021-02-11

Network Security Basics (2)

Network intruders

Attacks and attack signals

Main attack methods

Intrusion level analysis

Password security

Qualifications of a network security administrator

Review

Network intruders

Attacks and attack signals

What is an attack? The narrow (legal) definition holds that an attack has taken place only once an intrusion is complete and the intruder is already inside the target network. A more proactive view, and the one a network security administrator should take, is that any behaviour that could cause damage is an attack: the attack begins the moment an intruder starts working on the target machine.

Typically the attacker probes the target before the formal attack, with the goal of gathering useful information about the system: ping sweeps, port scans, account scans, DNS zone transfers, a maliciously planted IP sniffer (which captures IP packets by technical means to obtain important system information and further the attack; sniffers are discussed below), Trojan horse programs, and so on. A network under attack often shows signals and features such as the following:

· Log entries showing someone probing an old sendmail are a fairly clear sign of attack: someone issuing two or three commands on port 25 is quite likely trying to trick the server into mailing a copy of /etc/passwd to the intruder, and additional showmount commands may mean someone is collecting information about the machine.

· A large number of scans: root should immediately recognise that this signals the onset of a security attack.

· Congestion on a service port of a host: the type of service bound to that port should be checked. Such congestion is usually a denial-of-service attack, and a denial-of-service attack is in turn often the prelude to (or part of) a spoofing attack.

· and so on.

Careful, thorough logging and meticulous log analysis are powerful weapons for predicting and locating attacks, and for tracing an attacker afterwards. Once the network is under attack, the network security administrator should immediately record the event according to the operating procedure, report to the responsible management, and take the appropriate security measures.
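The three signals listed above can be picked out of a log mechanically. The following is an added example, not code from the original article: it assumes a simple space-separated "TIME SRC DST PORT MSG" record (an assumption made for the demo, not a real sendmail or inetd log format) and flags old-sendmail probe commands on port 25, showmount requests, and one source touching many ports on one host. The log lines are constructed, not captured from a real system.

```python
"""Flag the attack signals described above in a few constructed log lines.

Added example; not code from the original article. The log format
(a space-separated "TIME SRC DST PORT MSG" record) is an assumption made
for this demo, not a real sendmail or inetd log format.
"""
from collections import defaultdict

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
10:00:01 10.1.1.5 10.0.0.2 25 VRFY root
10:00:02 10.1.1.5 10.0.0.2 25 EXPN decode
10:00:03 10.1.1.5 10.0.0.2 25 MAIL FROM: |/bin/mail attacker@evil
10:00:09 10.1.1.5 10.0.0.2 111 showmount -e
10:01:00 192.0.2.9 10.0.0.2 21 connect
10:01:00 192.0.2.9 10.0.0.2 22 connect
10:01:00 192.0.2.9 10.0.0.2 23 connect
10:01:01 192.0.2.9 10.0.0.2 25 connect
10:01:01 192.0.2.9 10.0.0.2 79 connect
10:01:01 192.0.2.9 10.0.0.2 80 connect
10:01:02 192.0.2.9 10.0.0.2 110 connect
10:01:02 192.0.2.9 10.0.0.2 111 connect
10:01:02 192.0.2.9 10.0.0.2 143 connect
10:01:03 192.0.2.9 10.0.0.2 513 connect
10:05:00 10.1.1.7 10.0.0.2 80 GET /index.html
"""

SMTP_PROBE_VERBS = ("VRFY", "EXPN", "DEBUG", "WIZ")
SCAN_PORT_THRESHOLD = 8  # distinct ports from one source => treat as a scan


def parse(log_text):
    """Split each record into its five fields; port becomes an int."""
    records = []
    for line in log_text.splitlines():
        time, src, dst, port, msg = line.split(" ", 4)
        records.append({"time": time, "src": src, "dst": dst,
                        "port": int(port), "msg": msg})
    return records


def smtp_probes(records):
    """Return (src, msg) for commands on port 25 that look like an old
    sendmail probe: VRFY/EXPN/DEBUG/WIZ, or a pipe in the envelope sender."""
    hits = []
    for r in records:
        if r["port"] != 25:
            continue
        verb = r["msg"].split(" ", 1)[0].upper()
        if verb in SMTP_PROBE_VERBS or "|" in r["msg"]:
            hits.append((r["src"], r["msg"]))
    return hits


def showmount_probes(records):
    """Sources that issued showmount (NFS export enumeration)."""
    return sorted({r["src"] for r in records if "showmount" in r["msg"]})


def port_scanners(records, threshold=SCAN_PORT_THRESHOLD):
    """Sources that touched at least `threshold` distinct ports on one host."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"])].add(r["port"])
    return sorted(src for (src, _), p in ports.items() if len(p) >= threshold)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("SMTP probes:", smtp_probes(recs))
    print("showmount from:", showmount_probes(recs))
    print("port scans from:", port_scanners(recs))
```

The scan threshold is deliberately a parameter: a busy web proxy legitimately touches a handful of ports on one host, so tune it to the network rather than trusting the value used here.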

Main attack methods

The methods of attacking computer networks fall into several major types, which differ in their harmfulness and in how they are detected and defended against:

1 Information-gathering attacks:

Tools commonly used include NSS, STROBE, NETSCAN, SATAN (Security Administrator Tool for Analyzing Networks), Jakal, IdentTCPscan, FTPSCAN, and so on. Information gathering is often the prelude to other attack methods. For simple port scans, an alert security administrator can often discover the attacker's attempt from anomalous log entries; detecting a covert sniffer or Trojan program, however, is a more advanced and difficult task.

1.1 Sniffers

A sniffer can intercept passwords and other very secret or private information, and can even be used to attack adjacent networks, so the presence of a sniffer on the network is a serious threat. This does not include the sniffer a security administrator installs to monitor for intruders: sniffers were originally designed to diagnose network connectivity, and may be an ordinary network analyser with strong debugging features or a combination of software and hardware. Sniffers now exist for many platforms, for example:

· Gobbler (MS-DOS)

· Ethload (MS-DOS)

· Netman (UNIX)

· Esniff.c (SunOS)

· Sunsniff (SunOS)

· Linux-Sniffer.c (Linux)

· Nitwit.c (SunOS)

· etc.

Detecting the presence of a sniffer is a very difficult task, because a sniffer itself is completely passive: it only receives data and sends nothing. The sniffer programs listed above can be downloaded from the Internet, and some are published as source code (those with the .c extension).

In general, what a sniffer is after is a few key pieces of data such as user names and passwords. With IP-packet-level encryption, even if the sniffer captures the packets it is hard to recover the real data. Such tools include Secure Shell (SSH) and F-SSH; the latter in particular provides strong, multi-level encryption for ordinary TCP/IP communication. SSH has both free and commercial versions and runs on UNIX and on Windows 3.1, Windows 95 and Windows NT.

In addition, network segmentation, which confines trust relationships to a smaller range, also makes it easier to find the owner of a sniffer.
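The following added example, not code from the original article or from any of the sniffers it lists, shows concretely what a passive sniffer gets from cleartext protocols and why packet-level encryption defeats it. It builds raw IPv4/TCP packets with struct (constructed traffic, not a real capture), decodes them the way a minimal sniffer would, and pulls out FTP/POP3/telnet-style credential tokens; the "SSH" segment carries only opaque bytes standing in for ciphertext (real SSH framing is not reproduced), so the same parser recovers nothing from it.

```python
"""Why a passive sniffer is dangerous on cleartext protocols, and why
packet-level encryption defeats it.

Added example, not code from the original article. The packets are
constructed here with struct, not captured; the "encrypted" payload is a
fixed byte string standing in for SSH ciphertext.
"""
import struct

CREDENTIAL_PREFIXES = (b"USER ", b"PASS ", b"login: ", b"Password: ")


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Return an IPv4 header + TCP header (no options) + payload.
    Checksums are left at zero; a sniffer does not need them to read the data."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 20 + 20 + len(payload), 0, 0, 64, 6, 0,
                            bytes(map(int, src_ip.split("."))),
                            bytes(map(int, dst_ip.split("."))))
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                             8192, 0, 0)
    return ip_header + tcp_header + payload


def parse_tcp_packet(raw):
    """Decode the IP/TCP headers and return (src, dst, sport, dport, payload)."""
    ihl = (raw[0] & 0x0F) * 4
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_offset = (raw[ihl + 12] >> 4) * 4
    return src, dst, sport, dport, raw[ihl + data_offset:]


def harvest_credentials(packets):
    """What a passive sniffer would log: credential tokens in cleartext payloads."""
    found = []
    for raw in packets:
        src, dst, sport, dport, payload = parse_tcp_packet(raw)
        for line in payload.splitlines():
            if line.startswith(CREDENTIAL_PREFIXES):
                found.append((src, dst, dport, line.decode("ascii", "replace")))
    return found


# Stand-in for SSH ciphertext: high bytes, deterministic, no ASCII structure.
CIPHERTEXT = bytes(range(0x80, 0xB0))

# Constructed traffic: a cleartext FTP login followed by an SSH session.
CAPTURE = [
    build_tcp_packet("10.0.0.5", "10.0.0.2", 40001, 21, b"USER alice\r\n"),
    build_tcp_packet("10.0.0.5", "10.0.0.2", 40001, 21, b"PASS s3cret\r\n"),
    build_tcp_packet("10.0.0.5", "10.0.0.2", 40002, 22, CIPHERTEXT),
]

if __name__ == "__main__":
    for hit in harvest_credentials(CAPTURE):
        print("sniffed:", hit)
```

Note that nothing in the sniffer side is protocol-specific beyond the prefix list: the same loop that reads the FTP login reads telnet, POP3 and the R services, which is the reason the article recommends SSH rather than per-protocol fixes.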

1.2 Trojans

This is a technically sophisticated attack method. The classic definition of a Trojan horse is given in RFC 1244: a Trojan horse is a program that provides some useful, or merely interesting, function, but also does something you did not expect, such as copying files, stealing your password, transmitting your important information elsewhere, or damaging the system. Trojans are highly dangerous because they are hard to find: in most cases a Trojan is delivered as binary code that cannot be read directly, it can act on many systems, and it spreads in much the same way as a virus. Software downloaded from the Internet, especially freeware and shareware, and programs obtained from anonymous FTP servers or Usenet newsgroups are the usual carriers, so users on critical networks have an obligation to understand their responsibility and to avoid installing software of uncertain origin.

Detecting a Trojan program requires some in-depth knowledge of the operating system. You can check whether a file has been tampered with by comparing its length, checksum and so on against known-good values. Cryptographically signing files is another way to check for Trojans. Tools that can be used include:

· Tripwire is a widely used system integrity tool. It reads its environment from a configuration file that lists all the files to be monitored; the user can specify which files are to be checked, which are to be reported, and so on. The digital signatures are saved in a database. The hash functions that can be used for the signatures include MD5, MD4, CRC32, MD2, Snefru, SHA, etc.

· The TAMU package (from Texas A&M University) checks many items, including those defined in CERT advisories and items found in recent intrusion incidents, all modified system binaries, and key paths that require confidentiality.

· Hobgoblin

· ATP (The Anti-Tampering Program)

The latter two tools are not as widely used as the first two, but each has its own characteristics.
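A Tripwire-style integrity check reduces to three steps: take a baseline of digests, store it somewhere the attacker cannot rewrite, and diff the current tree against it. The following is an added example, not Tripwire's code or its database format: the baseline is a plain JSON map of path to (size, sha256), and the monitored "binaries" live in a temporary directory created by the demo itself, so it runs stand-alone. It also shows why the article lists length and checksum together: the simulated Trojan keeps the file length unchanged and is caught only by the digest.

```python
"""A minimal Tripwire-style integrity check: build a baseline of file digests,
then report files that were added, removed, or changed.

Added example; not Tripwire's code or its database format. The baseline is a
plain JSON mapping path -> (size, sha256) and the monitored files live in a
temporary directory created here, so it runs stand-alone.
"""
import hashlib
import json
import os
import tempfile


def digest_file(path):
    """Return (size, sha256 hex) of a file; a Trojaned binary changes at least one."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root):
    """Walk `root` and record every regular file's size and digest."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = digest_file(path)
    return baseline


def save_baseline(baseline, path):
    # In real use the database must live on read-only media or another host;
    # a Trojan that can rewrite it can also hide from it.
    with open(path, "w") as f:
        json.dump(baseline, f)


def load_baseline(path):
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Create a fake bin tree, baseline it, then 'Trojan' one binary."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    for name, body in (("ls", b"#!/bin/sh\nexec /real/ls \"$@\"\n"),
                       ("login", b"#!/bin/sh\nexec /real/login \"$@\"\n")):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(body)
    dbpath = os.path.join(root, "tripwire.db")  # outside the monitored tree
    save_baseline(build_baseline(bindir), dbpath)

    # Simulated Trojan: same length as the original, so a length check misses it.
    with open(os.path.join(bindir, "login"), "wb") as f:
        f.write(b"#!/bin/sh\nexec /evil/login \"$@\"\n")
    # And a dropped sniffer binary that was never in the baseline.
    with open(os.path.join(bindir, "sniffer"), "wb") as f:
        f.write(b"ELF...")

    return compare(load_baseline(dbpath), build_baseline(bindir))


if __name__ == "__main__":
    print("added/removed/modified:", demo())
```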

2 Denial of service:

This is a class of attacks in which one or more individuals exploit some aspect of the Internet protocol suite to hinder legitimate access to systems and information. It is characterised by a flood of connection requests that drives the system into a state it should not be in. For large networks such attacks have only limited impact, but they can knock a smaller network off the air and hit it hard.

This is the most annoying kind of attack, because it leaves no traces and a security manager finds it hard to determine the source. Since it can bring down a whole system and is easy to carry out, it is very dangerous. From the defender's point of view, however, it is relatively easy to cope with: the attacker does not destroy system data or gain unauthorised privileges, but only creates chaos and disruption, for example by overfilling a user's mailbox so that it cannot be used normally. Typical attacks include e-mail bombs and mailing-list attacks.

2.1 E-mail bomb

This is a simple and effective intrusion tool. It repeatedly sends the same message to the target recipient, clogging the target's personal mailbox with junk. Tools such as Bomb02.zip (Mail Bomber), which runs on Windows, are very simple to use. On UNIX an e-mail bomb is even easier: a few lines of shell script suffice to fill the target mailbox with junk.

Its defence is also relatively simple. Most mail transfer agents provide filtering; after such an attack, put the source address on the rejection list.

2.2 Mailing-list subscription

Its effect is basically the same as a mail bomb: the target address is subscribed to dozens (even tens of thousands) of mailing lists, and since each list generates a lot of mail every day the cumulative effect is considerable. The subscriptions can be made by hand or automatically from a database of mailing lists. There is no quick fix: the victim must send an "unsubscribe" message to every list.

Many programs can carry out both attacks, including Up Yours (Windows), Kaboom (Windows), Avalanche (Windows), Extreme Mail (Windows), Homicide, Bombtrack (Macintosh), Flamethrower (Macintosh), etc.

2.3 Others

There are also attacks on other services, such as SYN flooders, Ping of Death (an oversized ICMP echo request that crashes the receiving IP stack when it is reassembled), DNSKiller (runs on Linux and attacks DNS servers on Windows NT), etc.

At the router level, filtering traffic with an appropriate configuration reduces the likelihood of such attacks. Cisco Systems provides routing solutions of this kind.
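Both attacks named above have a cheap indicator a filter or monitor can check. The following is an added example, not code from the original article or from any router vendor. For Ping of Death it rejects any IP fragment whose offset plus payload would land past the 65535-byte IPv4 maximum, before reassembly is even attempted; for a SYN flood it counts, per destination, SYNs from clients that never sent the final ACK of the handshake. The packet records are constructed tuples, not captures, and the threshold of 50 half-open connections is an assumption for the demo.

```python
"""Two detection checks for the denial-of-service attacks named above.

Added example, not code from the original article or from any router vendor.
(1) Ping of Death: reject a fragment whose reassembled end would exceed the
    65535-byte IPv4 maximum datagram size.
(2) SYN flood: count per destination the SYNs never followed by the client's
    final ACK. The packet records below are constructed, not captured.
"""
from collections import Counter

IPV4_MAX_PACKET = 65535


def fragment_overruns(frag_offset_units, ip_total_length, ihl=5):
    """True if this fragment would land past the end of a maximum-size datagram.
    frag_offset_units is the 13-bit IP fragment offset (units of 8 bytes);
    ip_total_length is the header's total length field; ihl is the header
    length in 32-bit words."""
    payload_len = ip_total_length - ihl * 4
    end = frag_offset_units * 8 + payload_len
    return end > IPV4_MAX_PACKET


def half_open_syns(packets):
    """packets: (src, dst, flags) with flags 'S', 'SA' or 'A'.
    Returns {dst: count} of SYNs whose client never completed the handshake."""
    syn_seen = {}
    completed = set()
    for src, dst, flags in packets:
        if flags == "S":
            syn_seen[(src, dst)] = syn_seen.get((src, dst), 0) + 1
        elif flags == "A" and (src, dst) in syn_seen:
            completed.add((src, dst))
    counts = Counter()
    for (src, dst), n in syn_seen.items():
        if (src, dst) not in completed:
            counts[dst] += n
    return dict(counts)


def syn_flood_targets(packets, threshold=50):
    """Destinations with at least `threshold` half-open connections."""
    return sorted(dst for dst, n in half_open_syns(packets).items()
                  if n >= threshold)


# Constructed samples.
# Last fragment at offset 8184*8 = 65472 carrying 1480 bytes -> ends at 66952.
POD_FRAGMENT = (8184, 20 + 1480)
NORMAL_FRAGMENT = (0, 20 + 1480)

# 100 SYNs from forged sources that never answer, plus one legitimate handshake.
FLOOD = [(f"203.0.113.{i % 250 + 1}", "10.0.0.2", "S") for i in range(100)]
LEGIT = [("10.0.0.5", "10.0.0.2", "S"), ("10.0.0.2", "10.0.0.5", "SA"),
         ("10.0.0.5", "10.0.0.2", "A")]

if __name__ == "__main__":
    print("ping of death fragment:", fragment_overruns(*POD_FRAGMENT))
    print("SYN flood targets:", syn_flood_targets(FLOOD + LEGIT))
```

The half-open count is what a SYN flood actually exhausts on the victim (its listen backlog), which is why counting SYNs alone, without subtracting completed handshakes, would also flag a legitimately busy server.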

3 Spoofing attacks:

By attacking protocols such as HTTP, FTP and DNS, an attacker can steal the privileges of ordinary users and even the superuser, and modify information at will, causing enormous harm. IP spoofing means forging someone else's source IP address: in essence one machine impersonates another in order to be trusted. The following services are particularly susceptible to such attacks:

· Any configuration that uses Sun RPC calls; RPC is Sun's remote procedure call standard, a set of system calls that operate over the network.

· Any network service that uses IP-address-based authentication

· MIT's X Window System

· The various R services: in UNIX, the R services include rlogin and rsh, where R stands for remote. These two applications were intended to give users remote access to a host's services, and they are extremely vulnerable to IP spoofing.

Almost all spoofing attacks rely on trust relationships within the target network (mutual trust between computers, which on UNIX is set up through the .rhosts and hosts.equiv files). Intruders can use scanning programs to determine the trust relationships between remote machines. This kind of spoofing has been seen in relatively few cases, since it requires special tools and techniques on the intruder's part (although that is now gradually changing). Besides IP spoofing there is also DNS spoofing.

The solution is to set up host trust relationships carefully, especially trust between hosts on different networks. If trust relationships exist only within the local area network, the router can be configured to drop any packet arriving from the external network whose claimed source address is an internal network address, which defeats IP spoofing. Companies that provide this feature include:

· Cisco Systems

· ISS.NET's SAFEsuite can test a network for IP spoofing vulnerabilities.

· etc.
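The router rule just described is simple enough to state as a function. The following is an added example, not a vendor configuration: it models the ingress rule "drop packets arriving on the external interface that claim an internal source address", the symmetric egress rule (drop packets leaving with a non-internal source, so this site cannot be used to spoof others), and a small bogon list. The interface names, prefixes and sample packets are constructed for the demo; the trust-relationship bookkeeping of .rhosts and hosts.equiv is not modelled.

```python
"""Anti-spoofing packet filter for a border router, as described above.

Added example, not a vendor configuration. The interface names, prefixes and
sample packets are constructed for the demo.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]
# Addresses that must never appear as a source on any interface.
BOGON_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("0.0.0.0/8"),
              ipaddress.ip_network("224.0.0.0/4")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def filter_packet(iface, src, dst):
    """Return 'permit' or a 'drop: <reason>' string for a packet seen on iface.
    iface is 'external' (Internet-facing) or 'internal' (LAN-facing)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if any(src in net for net in BOGON_NETS):
        return "drop: bogon source"
    if iface == "external" and is_internal(src):
        # The IP spoofing case: an outside packet pretending to be a trusted
        # internal host (e.g. to pass an .rhosts check).
        return "drop: spoofed internal source from outside"
    if iface == "internal" and not is_internal(src):
        # Egress filtering: an insider forging a third party's address.
        return "drop: outbound packet with non-internal source"
    return "permit"


def apply_policy(packets):
    """packets: (iface, src, dst). Returns one verdict per packet, in order."""
    return [filter_packet(*p) for p in packets]


# Constructed traffic at the border.
SAMPLE = [
    ("external", "10.0.0.7", "10.0.0.2"),         # classic rsh spoof attempt
    ("external", "203.0.113.9", "10.0.0.2"),      # normal inbound
    ("internal", "10.0.0.5", "203.0.113.9"),      # normal outbound
    ("internal", "198.51.100.1", "203.0.113.9"),  # insider spoofing a third party
    ("external", "127.0.0.1", "10.0.0.2"),        # loopback source from the wire
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, apply_policy(SAMPLE)):
        print(pkt, "->", verdict)
```

This rule only protects trust relationships that stay inside the filtered perimeter, which is exactly the condition the article attaches to it: a host that trusts an address on the far side of the router is still exposed.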

International hackers have entered a phase of organised network attacks, and the US government deliberately tolerates hacker organisations so as to keep their attacks under some degree of control and, through that channel, to gain practical experience in defending against attacks. International hackers have developed many tricks for evading detection, which makes attack detection and defence ever harder.

Intrusion level analysis

1 Division into sensitivity levels

The concept of sensitivity levels is used to classify the risk of attack techniques.

1 Mail bomb attack (Layer 1)

2 Simple denial-of-service attack (Layer 1)

3 Local user gains unauthorised read access (Layer 2)

4 Local user gains unauthorised write access to files (Layer 3)

5 Remote user gains an unauthorised account (Layer 3)

6 Remote user gains read access to privileged files (Layer 4)

7 Remote user gains write access to privileged files (Layer 5)

8 Remote user gains root privileges (the hacker has fully compromised the system) (Layer 6)

These levels are much the same across all networks and can basically serve as assessment indicators for network security work.

"Local user" is a relative concept: it refers to anyone who can log in to a host on the network, has an account on a host on the network, and has a directory on its disk. In a sense, insiders are technically harder to guard against. According to statistics, attacks on information systems come mainly from the inside, accounting for 85%, because insiders understand the network better, have more time and opportunity to probe for security vulnerabilities, and can easily evade system logging.

2 Countermeasures by level

Different countermeasures should be taken according to the level of the attack.

Level one:

Level-one attacks should basically be impossible to hide. They include denial-of-service and e-mail bomb attacks; the latter also include the subscription attack (subscribing the target to thousands or more mailing lists at once, so that it may be buried under a huge volume of list mail). The best way to deal with such attacks is to analyse the source address and add the host (or network) used by the attacker to the deny list in inetd.sec. Apart from making the attacker's hosts unable to reach your own network, there is no other effective way to prevent this attack.

This type of attack causes relatively little damage. What gives headaches is that, although it is not very harmful, it may occur frequently, because only limited experience and expertise are needed to carry it out.

Levels two and three:

The severity of attacks at these two levels depends on which files are illegally read or written. For an ISP, the safest approach is to concentrate all shell accounts on one (or a few) hosts that alone accept logins; this makes log management, access control, protocol configuration and the implementation of related security measures simpler. In addition, the machines that store user-written CGI programs should be isolated from the other machines in the system.

The causes of such attacks may be configuration errors or software vulnerabilities. For the former, administrators should use security tools such as SATAN to check frequently for common misconfigurations. The latter requires spending a lot of time tracking the latest software vulnerability reports, downloading patches or contacting the vendor. Security is really a never-ending learning process. Security administrators can subscribe to security mailing lists and learn to use scripting languages (such as Perl) to automatically search and process messages and find the latest information they need. Once a user who launched an attack has been identified, their access should be stopped and their account frozen immediately.

Level four:

Attacks at this level involve remote users gaining access to internal files. Most are caused by misconfiguration, CGI program vulnerabilities and buffer overflow problems.

Levels five and six:

These fatal attacks can only succeed by exploiting vulnerabilities that should not exist in the first place.

Attacks at levels three, four and five indicate that the network is already in an unsafe state, and the security administrator should take effective measures to protect important data, keep logs and reports, and try to locate the attack:

· Isolate the attacked network segment to confine the attack to a small range

· Record the current time, back up the system logs, and check the scope and extent of the damage

· Consider whether the network connection needs to be cut

· Let the attack continue, so that it can be observed and traced

· If possible, make a level-0 (full) backup of the system

· Report the details of the intrusion to the responsible management and the relevant authorities; if the system is seriously damaged and network business functions are affected, bring in spare parts and restore the system immediately

· Log the attack behaviour thoroughly

· (From another network segment) do your best to trace the source of the attack

In short, do not take the service offline unless there is absolutely no alternative. The most important tasks are logging and locating the intruder, then finding the intruder and forcing them to stop through legal means.

Password security

Authentication by password is one of the main means of implementing computer security. If a user's password becomes known to an unauthorised person, that person obtains all of the user's privileges; if the leaked password belongs to a highly privileged user, the host and the network have lost their security. When hackers attack a target they often start with an ordinary user's password, using a dictionary attack. The principle is this: users on the network often use an English word, their own name or their birthday as a password. A program takes a word from a computer dictionary, automatically submits it as the user's password to the remote host and requests entry; if the password is wrong it takes the next word in order and tries again, looping until the correct password is found or the dictionary is exhausted. Since the process is automated, all the words in the dictionary can be tried in a few hours. Such attempts easily leave obvious attack signatures in the host logs, so more attackers use other means to obtain the /etc/passwd or even /etc/shadow file from the host, and then run the dictionary attack or brute-force cracking locally. The attacker does not need everyone's password: a few user passwords are enough to gain control of the system, so even an ordinary user choosing too simple a password is a major threat to system security. System administrators and all other users should take a responsible attitude to passwords and abandon wishful and lazy thinking.

However, many users have no real security awareness about their passwords. They choose ones that are easy to guess: the account name itself, with the first letter capitalised, or all upper case, or with a digit appended; even plain digits such as 0, 1, 123, 888, 6666, 168; the name of the system or host; or common nouns such as system, manager, admin. In fact, given the algorithms and capabilities of current cracking programs, it is also quite simple to protect your password from dictionary attack: make sure it is not in the dictionary of the cracking program. A good password should be at least 7 characters long, should not use personal information (birthday, name, etc.), should contain some non-letters (digits, punctuation, control characters), and should be memorable so that it need not be written on paper or stored in a file on the computer. A good way to choose a password is to join two unrelated words (preferably in mixed case) with a digit or control character and truncate to 8 characters. For example, ME2.HK97 is a very good password from a security perspective. Some points for keeping passwords secure:

· The password should be no shorter than 6 characters and should include letters and digits, as well as punctuation and control characters

· Do not use common words (to avoid dictionary attacks), English abbreviations, personal information (birthday, name, name spelt backwards, things visible in the room), years, or command names on the machine

· Do not write the password down.

· Do not save the password in a file on the computer.

· Do not let others know it.

· Do not use the same password on different systems, especially for users of different privilege levels.

· To prevent shoulder surfing, make sure no one is watching when the password is entered.

· Change the password regularly, at least every 6 months.

· The system should hide the password file or protect it with restrictive permissions (e.g. the Shadow Suite for Linux).

· The system should be configured to check the strength of user passwords and to force users to change them regularly; the weakness of any one user's password affects the security of the whole system (e.g. passwd, Crack, etc.).

Finally, and very importantly: never be overconfident about your password; it may be disclosed inadvertently. Changing the password regularly reduces the risk of hacker attack to some extent. If you discover that your password has been leaked, do not log in to the system; report to the system administrator immediately and let them check.

The system administrator should also regularly run these password crackers against the shadow file; if a user's password is cracked, it is too simple or too regular, and the user should be notified as soon as possible to change it, so as to forestall hacker intrusion.
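The offline dictionary attack described above, and the selection rules meant to defeat it, are shown together in the following added example (not Crack, not crypt(3), and not code from the original article). The hash is a salted SHA-256 standing in for the real password hash, since the attack has the same shape for any hash the cracker can compute; the shadow entries and word list are constructed for the demo, and the mutations are the classic cracker ones the article warns about: capitalised, upper-cased, reversed, and a digit appended. Running it shows three weak choices falling and ME2.HK97 surviving.

```python
"""The dictionary attack described above, run offline against a shadow-style
file, beside the password-selection rules it is meant to defeat.

Added example; not Crack, not crypt(3). The hash is a salted SHA-256 standing
in for the real password hash, and the shadow entries and word list are
constructed for the demo.
"""
import hashlib

WORDLIST = ["secret", "manager", "admin", "system", "alice", "summer"]


def hash_password(salt, password):
    """Stand-in for the system hash; per-user salt, like crypt(3)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mutations(word):
    """Yield the guesses a cracker derives from one dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for d in "0123456789":
        yield word + d


def crack_shadow(entries, wordlist):
    """entries: list of (user, salt, hash). Returns {user: recovered_password}.
    Nothing touches the network or the host logs: this is the offline attack."""
    cracked = {}
    for user, salt, h in entries:
        # The user name itself is always the first guess.
        candidates = list(mutations(user)) + [g for w in wordlist for g in mutations(w)]
        for guess in candidates:
            if hash_password(salt, guess) == h:
                cracked[user] = guess
                break
    return cracked


def password_problems(user, password, wordlist=WORDLIST):
    """Apply the article's rules; an empty list means the password passes."""
    problems = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("no digit or punctuation")
    lowered = password.lower()
    if any(lowered in mutations(w.lower()) for w in [user] + wordlist):
        problems.append("derived from the account name or a dictionary word")
    return problems


# Constructed shadow entries: three weak choices and the article's ME2.HK97.
SHADOW = [
    ("alice", "aX", hash_password("aX", "Alice")),      # account name, capitalised
    ("bob", "Q7", hash_password("Q7", "manager1")),     # common noun + digit
    ("carol", "mZ", hash_password("mZ", "terces")),     # 'secret' reversed
    ("dave", "p9", hash_password("p9", "ME2.HK97")),    # the article's example
]

if __name__ == "__main__":
    print("cracked:", crack_shadow(SHADOW, WORDLIST))
    for user, pw in (("alice", "Alice"), ("dave", "ME2.HK97")):
        print(user, pw, password_problems(user, pw) or "ok")
```

The point of running the same mutation list inside password_problems is that the check and the attack share one definition of "in the dictionary", which is what the article means by making sure a password is not in the cracker's dictionary.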

Qualifications of a network security administrator

· Thoroughly understand at least two operating systems, one of which should be UNIX. Be proficient in configuring the security options and settings of hosts, keep up with published security vulnerabilities, and be able to download the corresponding patches promptly. In special emergencies, be able to develop suitable security tools or patches independently to improve system security.

· Have a thorough understanding of the TCP/IP protocol family; this is an essential qualification for any competent security administrator. This knowledge must go beyond the basics of how the Internet is built: the administrator must be able to analyse captured network data accurately, so as to give early warning, stop attacks effectively and find the attackers.

· Be proficient in programming in languages such as C, C++ and Perl. This is a basic requirement because many basic security tools are written in these languages; at a minimum, a security administrator should be able to interpret, compile and execute such programs correctly. A higher requirement is the ability to port tools developed for another platform to one's own, and to develop tools that extend the security of one's own system and network, such as extensions and upgrades of SATAN and SAFEsuite (both allow users to attach their own tools).

· Maintain regular and effective contact with the Internet community. Not only must you understand your own machines and local network, you must also understand what is going on across the Internet. Experience is irreplaceable.

· Be proficient in reading and writing English, and keep in regular contact with the security forums on the Internet.

· Routinely keep track of all information about the network, including hardware (the construction, manufacturer, working mode and model of each workstation, router, hub, network card, etc.), all network software and its version numbers, the protocols in use, network planning (number of workstations, network segments, network extensions, etc.), an overview of the network's security strategy, and a history of the incidents it has suffered.

Review

Nowadays, reports of incidents involving computers and computer networks, and public attention to them, have increased markedly. On the one hand, computer penetration has risen greatly in recent years and the number of computers on the Internet has grown rapidly, providing a mass base and the material conditions for computer intrusion and similar crimes. On the other hand, society's understanding of the importance and seriousness of computer security is still insufficient. Motives for intrusion include resentment against the organisation, the challenge of network security technology, monetary interests such as network access accounts and credit card numbers, simple misuse of the attacked site, and curiosity about the network (this is mainly the behaviour of minors), as well as political purposes; of course, any other reason can also lead to deliberate attacks. Yet in the computer crime cases reported so far, most perpetrators said they did not know it was a crime. Most system administrators and engineering staff are indifferent to security issues: hosts are connected to the Internet during or after construction without further thought, which opens the door to computer crime and lets some adolescents use simple intrusion methods learnt online to pass unhindered, satisfying their curiosity while breaking the law. For this reason computer security education must be strengthened: raising network administrators' understanding of network management, publicising the seriousness of computer network intrusion, and in particular building the legal awareness of adolescents with Internet access.

Specific measures might include publicising the seriousness and legal implications of computer network security through public service advertisements and on the home pages of the telecommunications sector and government departments, and naming the perpetrators of intrusion incidents; ISPs signing a security agreement with each registered user, with a guardian's guarantee required for minors' access; identifying unknown users when they are found and warning them in advance to stop network crime; and major ISPs and network operators employing dedicated network security managers to inspect the network regularly and deploying equivalent security detection tools in the network.

From the perspective of telecom operators and Internet access providers, effectively strengthening the security configuration and management of the network can reduce the frequency and losses of computer network crime, while the improvement in security will also increase users' confidence in the network, which favours the introduction and development of e-commerce and increases business revenue.

Please cite the original URL when reprinting: https://www.9cbs.com/read-3529.html
