Post on 25-Dec-2015


Computer Security Fundamentals

by Chuck Easttom

Chapter 9: Computer Security Software

© 2012 Pearson, Inc. Chapter 9 Computer Security Software 2

Chapter 9 Objectives

- Evaluate the effectiveness of a scanner based on how it works
- Choose the best type of firewall for a given organization
- Understand antispyware
- Employ intrusion-detection systems to detect problems on your system


Introduction

Preceding chapters have described computer crime and computer security.

Now, look at the technical details: various security devices and software.


Virus Scanners

- Purpose: to prevent a virus from infecting the system
- Searches for the signature of a known virus
- Scanners work in two ways:
  - Signature matching
  - Behavior matching


Virus Scanners (cont.)

- Signature matching
  - List of all known virus definitions
  - Kept in a small .dat file
  - Updating consists of replacing this file
  - AV scans host, network, and incoming e-mails for a match


Virus Scanners (cont.)

- Behavior matching:
  - Attempts to write to the boot sector
  - Change system files
  - Automate e-mail software
  - Self-multiply
- These are typical virus behaviors.


Virus Scanners (cont.)

- Ongoing virus scanners: run constantly in the background
- On-demand virus scanners: run only when you launch them
- Modern AV scanners offer both options.


Virus-Scanning Techniques

- E-mail and attachment scanning
  - Examine e-mail on the server, OR
  - Scan the host computer before passing to the e-mail program.
- Download scanning
  - Scan downloaded files.


Virus-Scanning Techniques (cont.)

- File scanning
  - Files on the host computer are checked periodically.
- Heuristic scanning
  - Most advanced form of virus scanning
  - Uses rules to determine if behavior is virus-like
  - Best way to find an unknown virus
  - Some false positives
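The two scanning approaches the slides contrast, signature matching against a definitions file and heuristic scoring of observed behavior, can be shown side by side in a small scanner. This is an added example, not code from the book or from any AV product: the definitions table (standing in for the .dat file), the rule weights, the threshold and the sample files and behaviors are all constructed for the illustration, and a real engine would feed the heuristic rules from an emulator or on-access monitor rather than from a hand-written list.

```python
# Added example (not from Easttom's slides): a toy scanner that combines
# signature matching (hash lookup in a definitions table) with heuristic
# scoring of observed behaviors. Every signature, rule weight, threshold and
# sample below is constructed for this illustration.
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

# Constructed definitions table: name -> SHA-256 of the known sample.
# A real .dat file holds far more entries and is replaced wholesale on update.
SIGNATURE_DB = {
    "Example.Dropper.A": hashlib.sha256(b"MZ\x90\x00EXAMPLE-DROPPER-A").hexdigest(),
    "Example.Macro.B": hashlib.sha256(b"MACRO-B AutoOpen Shell").hexdigest(),
}

# Constructed heuristic rules: behavior tag -> weight (the slides' "virus-like"
# behaviors get high weights; a behavior common in benign software gets a low one).
HEURISTIC_RULES = {
    "writes_boot_sector": 5,
    "modifies_system_files": 4,
    "automates_email_client": 3,
    "self_replicates": 5,
    "writes_temp_file": 1,
}
HEURISTIC_THRESHOLD = 6   # score at or above this is reported as virus-like


@dataclass
class ScanResult:
    path: str
    signature_match: str | None = None
    heuristic_score: int = 0
    triggered_rules: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.signature_match:
            return f"infected ({self.signature_match})"
        if self.heuristic_score >= HEURISTIC_THRESHOLD:
            return "suspicious (heuristic)"
        return "clean"


def signature_scan(content: bytes) -> str | None:
    """Return the definition name whose hash matches the file, else None."""
    digest = hashlib.sha256(content).hexdigest()
    for name, known in SIGNATURE_DB.items():
        if digest == known:
            return name
    return None


def heuristic_scan(behaviours: list[str]) -> tuple[int, list[str]]:
    """Score a list of observed behaviors against the rule set."""
    triggered = [b for b in behaviours if b in HEURISTIC_RULES]
    return sum(HEURISTIC_RULES[b] for b in triggered), triggered


def scan_file(path: str, content: bytes, behaviours: list[str]) -> ScanResult:
    result = ScanResult(path)
    result.signature_match = signature_scan(content)
    result.heuristic_score, result.triggered_rules = heuristic_scan(behaviours)
    return result


# Constructed sample "files" with the behaviors a monitor might report for them.
SAMPLES = [
    ("known.exe", b"MZ\x90\x00EXAMPLE-DROPPER-A", ["writes_temp_file"]),
    ("unknown.exe", b"MZ\x90\x00NEW-VARIANT", ["modifies_system_files", "self_replicates"]),
    ("installer.exe", b"MZ\x90\x00BENIGN", ["writes_temp_file", "modifies_system_files"]),
]


def scan_all(samples=SAMPLES) -> dict[str, str]:
    """Scan every sample and return path -> verdict."""
    return {path: scan_file(path, content, beh).verdict for path, content, beh in samples}


if __name__ == "__main__":
    for path, verdict in scan_all().items():
        print(f"{path}: {verdict}")
```

Note how the three samples land: the known dropper is caught by its signature alone, the never-seen variant is caught only because the heuristic rules score its behavior, and the installer, which also touches system files, stays below the threshold. That last case is where the slide's "some false positives" warning lives: lower the threshold and the installer is flagged too.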


Virus-Scanning Techniques (cont.)

- Active code scanning
  - Java applets and ActiveX
  - Visual effects
  - Can be vehicles for malicious code
  - Must be scanned


Commercial Antivirus Software

- www.grisoft.com
  - Commercial product
  - Also freeware for home use
- McAfee and Norton
  - Popular commercial products


Firewalls

- A barrier between your network and the outside world
- Filters packets based on
  - Size
  - Source IP
  - Protocol
  - Destination port


Firewalls (cont.)

- Need a dedicated firewall between the trusted network and the untrusted network.
- Cisco is well known for its routers and firewalls.
- Firewalls can be hardware or software.


Firewall Types and Components

- There are several types of firewalls:
  - Screening firewalls
  - Application gateway
  - Circuit-level gateway


Firewall Types and Components (cont.)

- Screening firewalls
  - Most basic type
  - Packet filters
  - Examines packets and will either permit or deny based on a set of rules
  - Cannot examine for state
  - May be a bastion host, with limited services


Firewall Types and Components (cont.)

- Application gateway or proxy
  - When a client requests a service outside the local network, it negotiates a connection first with the proxy.
  - The proxy then negotiates the connection with the outside server.
  - The server thinks it is delivering to the client, when the proxy is actually masquerading as the client to protect the client.


Firewall Types and Components (cont.)

- Circuit-level gateway
  - Similar to a proxy, but more secure.
  - No processing or filtering of protocols.
  - The virtual “circuit” exists after user authentication takes place.
  - Not appropriate for e-commerce.
  - No URL filtering.
  - Limited auditing.


How Firewalls Examine Packets

- Stateful packet inspection (SPI)
  - Will not only permit or deny based on the current packet under inspection, but looks at previous packets for data.
  - It will be aware of the context in which a packet is sent.
  - SPI can tell whether a packet is part of an existing connection or a bogus packet trying to intrude.


How Firewalls Examine Packets (cont.)

- Stateless packet inspection
  - Does not examine the contents
  - Does not use data from other packets to determine legitimacy of packet
  - Vulnerable to various types of attacks
    - Ping floods
    - Syn floods
    - DoS attacks
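The screening-firewall rules (size, source IP, protocol, destination port) and the SPI-versus-stateless distinction from the preceding slides can be made concrete with a small packet filter run in both modes. This is an added example, not code from the book or from any firewall vendor: the rule fields, the packet layout, the addresses and the traffic sequence are all constructed here, and the rule syntax is an assumption rather than any product's. The point it shows is the one the slides make: a stateless filter can only let replies back in with a rule that trusts the ACK flag, so a packet that merely claims to be part of a connection passes it, while the stateful filter admits only replies to connections it actually saw leave.

```python
# Added example (not from Easttom's slides): a toy packet filter run as a
# stateless screening firewall and as a stateful (SPI) firewall over the same
# constructed traffic. Rule fields, packets and addresses are all made up here.
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    size: int           # bytes
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str | None = None
    src_net: str | None = None    # CIDR the source address must fall in
    dport: int | None = None
    size_over: int | None = None  # match packets larger than this many bytes
    established: bool = False     # match only TCP packets carrying ACK

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.size_over is not None and p.size <= self.size_over:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


class StatelessFilter:
    """Screening firewall: each inbound packet is judged on its own against an
    ordered rule list; first match wins, default deny. Outbound is permitted."""
    def __init__(self, rules: list[Rule]):
        self.rules = rules

    def decide(self, p: Packet, inbound: bool) -> str:
        if not inbound:
            return "permit"
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """SPI: records flows opened from inside and admits inbound packets that
    answer one of them; everything else falls through to the static rules."""
    def __init__(self, rules: list[Rule]):
        super().__init__(rules)
        self.flows: set[tuple] = set()

    def decide(self, p: Packet, inbound: bool) -> str:
        if not inbound:
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "permit"
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "permit"            # reply to a connection we saw leave
        return super().decide(p, inbound)


# Constructed rule sets. The stateless list needs an "established" rule so that
# replies can come back in; that rule is what a forged ACK packet slips through.
STATELESS_RULES = [
    Rule("deny", proto="icmp", size_over=1024),      # drop oversized pings
    Rule("deny", src_net="10.0.0.0/8"),              # inside addresses never arrive from outside
    Rule("permit", proto="tcp", dport=80),           # public web server
    Rule("permit", proto="tcp", established=True),
]
STATEFUL_RULES = STATELESS_RULES[:3]                 # SPI has real state; no "established" rule

# Constructed traffic: (label, packet, arrived on the outside interface?)
TRAFFIC = [
    ("out_https", Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443, 80, syn=True), False),
    ("reply_https", Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000, 80, syn=True, ack=True), True),
    ("web_request", Packet("198.51.100.7", "10.0.0.3", "tcp", 5555, 80, 60, syn=True), True),
    ("forged_ack", Packet("198.51.100.7", "10.0.0.9", "tcp", 1234, 3389, 60, ack=True), True),
    ("big_ping", Packet("198.51.100.7", "10.0.0.3", "icmp", 0, 0, 65000), True),
    ("spoofed_src", Packet("10.0.0.77", "10.0.0.3", "tcp", 1, 80, 60, syn=True), True),
]


def compare(traffic=TRAFFIC) -> dict[str, tuple[str, str]]:
    """Run the same traffic, in order, through both filters; return (stateless, stateful) verdicts."""
    stateless, stateful = StatelessFilter(STATELESS_RULES), StatefulFilter(STATEFUL_RULES)
    return {label: (stateless.decide(p, inbound), stateful.decide(p, inbound))
            for label, p, inbound in traffic}


if __name__ == "__main__":
    for label, (sl, sf) in compare().items():
        print(f"{label:12} stateless={sl:6} stateful={sf}")
```

Both filters agree on the oversized ping, the spoofed internal source and the legitimate web request; they differ only on the forged ACK to port 3389, which the stateless filter permits because its "established" rule trusts the flag, and the stateful filter denies because no matching flow was ever recorded.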


Firewall Configurations

- The type of firewall tells you how it will evaluate traffic.
- The configuration of the firewall tells you how the firewall is set up relative to the network it is protecting:
  - Network host-based
  - Dual-homed host
  - Router-based firewall
  - Screened host


Firewall Configurations (cont.)

- Network host-based: software solution installed on an existing operating system.
  - Weakness: it relies on the OS.
  - Must harden the existing operating system.


Firewall Configurations (cont.)

- Dual-homed host: installed on a server with at least two network interfaces.
  - Systems inside and outside the firewall can communicate with the dual-homed host, not with each other.


Firewall Configurations (cont.)

- Router-based firewall
  - Commonly the first layer of protection
  - Usually a packet filter
- Screened host
  - Combination firewall
  - A bastion host and a packet filter


Commercial and Free Firewall Products

- Zone Labs
  - www.zonelabs.com
  - Also freeware version
- Cisco
- Outpost Firewall
  - www.agnitum.com/products/outpost/
  - Also freeware version


Commercial and Free Firewall Products (cont.)

- www.free-firewall.org
- www.homenethelp.com/web/howto/free-firewall.asp
- www.firewall.com/freeware.htm


Firewall Logs

- All firewalls log activity.
- Logs can provide valuable information.
  - Can locate source of an attack.
  - Can prevent a future attack.
- Network administrators regularly check for data.
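"Locate the source of an attack" and "prevent a future attack" are the two uses the slide gives for firewall logs; a short log parser shows what that looks like in practice. This is an added example, not from the book: the log line format and every line in it are constructed for this illustration and do not match any vendor's real output, so the regular expression would have to be adapted to whatever your firewall actually writes.

```python
# Added example (not from Easttom's slides): summarize a firewall's deny log to
# find the source of a probe and derive a block rule from it. The log format and
# all lines below are constructed and match no particular vendor.
from __future__ import annotations
from collections import Counter, defaultdict
import re

LOG_LINES = """\
2012-03-04 10:15:01 DENY tcp 198.51.100.23:40112 -> 10.0.0.3:22
2012-03-04 10:15:01 DENY tcp 198.51.100.23:40113 -> 10.0.0.3:23
2012-03-04 10:15:02 DENY tcp 198.51.100.23:40114 -> 10.0.0.3:135
2012-03-04 10:15:02 PERMIT tcp 203.0.113.8:51000 -> 10.0.0.3:80
2012-03-04 10:15:02 DENY tcp 198.51.100.23:40115 -> 10.0.0.3:445
2012-03-04 10:15:03 DENY tcp 198.51.100.23:40116 -> 10.0.0.3:3389
2012-03-04 10:15:03 DENY udp 203.0.113.8:5353 -> 10.0.0.3:5353
2012-03-04 10:15:04 DENY tcp 198.51.100.23:40117 -> 10.0.0.4:22
2012-03-04 10:15:04 PERMIT tcp 192.0.2.9:44000 -> 10.0.0.3:443
this line is deliberately malformed and must be skipped
""".splitlines()

# One regex for the constructed "<timestamp> <ACTION> <proto> <src>:<port> -> <dst>:<port>" layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>PERMIT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are dropped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def deny_summary(lines=LOG_LINES, min_ports: int = 3) -> dict:
    """Count denies per source and flag sources that touched many distinct ports.

    One source hitting several different ports in a short span is the pattern
    that points at a probe rather than a misconfigured client.
    """
    denied = [e for e in parse(lines) if e["action"] == "DENY"]
    by_src = Counter(e["src"] for e in denied)
    ports_by_src: dict[str, set[int]] = defaultdict(set)
    for e in denied:
        ports_by_src[e["src"]].add(int(e["dport"]))
    scanners = sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)
    return {
        "denies_by_src": dict(by_src),
        "scanners": scanners,
        "ports": {s: sorted(ports_by_src[s]) for s in scanners},
    }


def suggested_block_rules(summary: dict) -> list[str]:
    """Turn flagged sources into rule text (constructed syntax, not a vendor's)."""
    return [f"deny ip from {src} to any" for src in summary["scanners"]]


if __name__ == "__main__":
    s = deny_summary()
    for src, n in sorted(s["denies_by_src"].items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n} denies")
    for rule in suggested_block_rules(s):
        print("suggest:", rule)
```

The single denied UDP packet from 203.0.113.8 is not flagged, because one deny from a source that also makes permitted web requests is not evidence of anything; the threshold on distinct ports is what separates the probe from the noise, and it is the knob to tune when the summary produces too many or too few candidates for a block rule.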


Antispyware

- Scans for spyware.
- Checks for known spyware files, just as AV software scans for known virus files.
- Maintain a subscription service to keep spyware file definitions up to date, or use auto-update.
- Be cautious about attachments and downloads.


Intrusion-Detection Software

- Intrusion-detection software (IDS)
  - Inspects all inbound and outbound port activity
  - Scans for patterns that might indicate an attempted break-in


Intrusion-Detection Software (cont.)

- IDS categorization
  - Misuse detection versus anomaly detection
  - Passive systems versus reactive systems
  - Network-based systems versus host-based systems


Intrusion-Detection Software (cont.)

- Misuse detection versus anomaly detection
  - Misuse detection
    - Analyzes information it gathers and compares it to known attack signatures
  - Anomaly detection
    - Looks for unusual behaviors
    - Behaviors that do not match pattern of normal user access


Intrusion-Detection Software (cont.)

- Passive systems versus reactive systems
  - Passive systems
    - Upon detection, logs the information and sends a signal
  - Reactive systems
    - Upon detection, logs off a suspicious user or reprograms the firewall to block the suspicious network traffic


Intrusion-Detection Software (cont.)

- Network-based systems versus host-based systems
  - Network-based systems
    - Analyze network traffic
  - Host-based systems
    - Analyze activity of each individual host


Intrusion-Detection Software (cont.)

- IDS approaches
  - Preemptive blocking
  - Infiltration
  - Intrusion deflection
  - Intrusion deterrence


Intrusion-Detection Software (cont.)

- Preemptive blocking
  - Called banishment vigilance
  - Seeks to prevent intrusions before they occur
  - Notes any sign of impending threats and blocks the user or IP
  - Risk of blocking legitimate users
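The IDS categories from the earlier slides (misuse versus anomaly detection, passive versus reactive response) and the preemptive-blocking risk just stated can be shown together in one small host-based detector. This is an added example, not code from the book or from any IDS product: the event stream, the baseline history, the two misuse signatures, the anomaly rule and the allow-list are all constructed for the illustration. The allow-list in the responder is the one mitigation the example adds for the slide's "risk of blocking legitimate users": a reactive block is never issued against an address inside the trusted network, so a false positive there costs an alert to review rather than a locked-out user.

```python
# Added example (not from Easttom's slides): a toy host-based IDS with a misuse
# detector (signatures), an anomaly detector (baseline of normal logins) and a
# responder that runs either passively (log + signal) or reactively (block).
# All events, signatures, thresholds and addresses are constructed here.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    kind: str        # "login_ok", "login_fail" or "cmd"
    detail: str = ""


def ev(ts: str, src: str, user: str, kind: str, detail: str = "") -> Event:
    return Event(datetime.fromisoformat(ts), src, user, kind, detail)


@dataclass
class Alert:
    detector: str    # "misuse" or "anomaly"
    name: str
    src: str
    user: str


# Constructed history of normal activity: alice logs in from her workstation
# at 09:00, 13:00 and 17:00 on two earlier days.
HISTORY = [ev(f"2012-03-0{d} {h:02d}:00:00", "10.0.0.5", "alice", "login_ok")
           for d in (1, 2) for h in (9, 13, 17)]

# Constructed activity for the day under analysis.
TODAY = [
    ev("2012-03-03 09:02:00", "10.0.0.5", "alice", "login_ok"),
    ev("2012-03-03 02:14:00", "198.51.100.23", "alice", "login_ok"),   # odd hour, odd address
    ev("2012-03-03 02:15:00", "198.51.100.23", "alice", "cmd", "read /etc/shadow"),
    ev("2012-03-03 11:00:00", "203.0.113.8", "bob", "login_fail"),
    ev("2012-03-03 11:00:01", "203.0.113.8", "bob", "login_fail"),
    ev("2012-03-03 11:00:02", "203.0.113.8", "bob", "login_fail"),
    ev("2012-03-03 11:00:03", "203.0.113.8", "bob", "login_fail"),
    ev("2012-03-03 11:00:04", "203.0.113.8", "bob", "login_fail"),
    ev("2012-03-03 11:00:05", "203.0.113.8", "bob", "login_fail"),
    ev("2012-03-03 12:00:00", "10.0.0.6", "bob", "login_fail"),       # one typo, not an attack
]


def misuse_detect(events: list[Event], fail_limit: int = 5, window_s: int = 60) -> list[Alert]:
    """Compare activity against two constructed signatures: a burst of failed
    logins from one source, and a read of the password hash file."""
    alerts, fails, fired = [], defaultdict(list), set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "login_fail":
            q = fails[e.src]
            q.append(e.ts)
            while (e.ts - q[0]).total_seconds() > window_s:   # slide the window
                q.pop(0)
            if len(q) >= fail_limit and e.src not in fired:
                fired.add(e.src)
                alerts.append(Alert("misuse", "login brute force", e.src, e.user))
        elif e.kind == "cmd" and "/etc/shadow" in e.detail:
            alerts.append(Alert("misuse", "password hash file read", e.src, e.user))
    return alerts


def build_baseline(history: list[Event]) -> dict:
    """Per user: the hours and source addresses seen for successful logins."""
    base = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for e in history:
        if e.kind == "login_ok":
            base[e.user]["hours"].add(e.ts.hour)
            base[e.user]["srcs"].add(e.src)
    return base


def anomaly_detect(events: list[Event], baseline: dict) -> list[Alert]:
    """Flag successful logins that do not match the user's normal pattern."""
    alerts = []
    for e in events:
        if e.kind != "login_ok" or e.user not in baseline:
            continue
        reasons = []
        if e.ts.hour not in baseline[e.user]["hours"]:
            reasons.append("unusual hour")
        if e.src not in baseline[e.user]["srcs"]:
            reasons.append("unusual source")
        if reasons:
            alerts.append(Alert("anomaly", ", ".join(reasons), e.src, e.user))
    return alerts


def respond(alerts: list[Alert], reactive: bool, allowlist=("10.0.0.0/8",)) -> tuple[list[str], list[str]]:
    """Passive mode returns only log lines; reactive mode also returns block
    actions, skipping allow-listed (internal) sources so a false positive
    cannot lock out a legitimate inside user."""
    log = [f"ALERT {a.detector}: {a.name} src={a.src} user={a.user}" for a in alerts]
    blocks: list[str] = []
    if reactive:
        nets = [ipaddress.ip_network(n) for n in allowlist]
        for a in alerts:
            ip = ipaddress.ip_address(a.src)
            if any(ip in n for n in nets) or a.src in blocks:
                continue
            blocks.append(a.src)
    return log, blocks


def run(history=HISTORY, today=TODAY, reactive: bool = True) -> dict:
    alerts = misuse_detect(today) + anomaly_detect(today, build_baseline(history))
    log, blocks = respond(alerts, reactive)
    return {"alerts": [(a.detector, a.name, a.src) for a in alerts], "log": log, "blocks": blocks}


if __name__ == "__main__":
    result = run()
    print("\n".join(result["log"]))
    print("block:", result["blocks"])
```

Bob's single mistyped password from 10.0.0.6 never reaches the fail threshold, so it produces nothing; even if it did, the allow-list would turn it into an alert rather than a block. The night-time login from 198.51.100.23 is caught twice, by the anomaly rule on its own and by the misuse signature on what was done afterwards, which is the usual argument for running both detectors rather than choosing one.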


Intrusion-Detection Software (cont.)

- Infiltration
  - Not a software program.
  - The process of infiltrating hacker/cracker online groups by security administrator.
  - Unusual.
  - Most administrators depend on security bulletins.


Intrusion-Detection Software (cont.)

- Intrusion deflection
  - Honeypot: set up an attractive, but fake, system.
  - Lure the attacker into the system and monitor the attacker’s activity.


Intrusion-Detection Software (cont.)

- Intrusion deterrence
  - An attempt to make the system a less palatable target.
  - First, attempt to make the system seem less attractive—hide the valuable assets.
  - Then, make the system seem more secure than it is—have warnings of monitoring and so on.
  - Make any potential reward seem more difficult to attain than it actually is.


Commercial IDS Providers

- Many IDS vendors
- You must determine which is best for your business environment.
- Snort: www.snort.org
  - Open source


Summary

- Any network needs a firewall and proxy server between the trusted and untrusted networks.
- Also consider IDS and antispyware.