Computer Security Fundamentals by Chuck Easttom, Chapter 9: Computer Security Software
TRANSCRIPT
© 2012 Pearson, Inc. Chapter 9 Computer Security Software 2
Chapter 9 Objectives
Evaluate the effectiveness of a scanner based on how it works
Choose the best type of firewall for a given organization
Understand antispyware
Employ intrusion-detection systems to detect problems on your system
Introduction
Preceding chapters have described computer crime and computer security.
Now we look at the technical details: the various security devices and software.
Virus Scanners
Purpose: to prevent a virus from infecting the system
Searches for the signature of a known virus
Scanners work in two ways:
Signature matching
Behavior matching
Virus Scanners (cont.)
Signature matching
List of all known virus definitions
Kept in a definitions file (often a small .dat file)
Updating consists of replacing this file
AV scans the host, the network, and incoming e-mails for a match
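Added example (not from the book): a small signature scanner that loads a constructed definitions file in the form the slide describes, matches files by whole-file hash and by byte pattern, and shows why replacing the definitions file is the update. A variant that the hash signature misses is caught once a byte-pattern signature is added. The file contents, the `name:kind:value` line format and the signature names are constructed for this demo and are not real malware or a vendor's format.

```python
"""Signature matching as the slide describes it: a definitions file of known
signatures, matched against files. Added example; all files and signatures
below are constructed for the demo and are not real malware."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files". The malicious stub is an arbitrary byte string
# chosen for this demo, not a real virus body.
STUB = b"\x90\x90\xeb\x10DEMO_PAYLOAD"
CLEAN_FILE = b"MZ\x90\x00 hello from a harmless program\x00"
INFECTED_FILE = b"MZ\x90\x00 padding " + STUB + b" more code\x00"
VARIANT_FILE = b"MZ\x90\x00 other bytes " + STUB + b"\x00"  # same stub, different padding

# Constructed definitions text, in the spirit of the small .dat file:
# one signature per line in the form  name:kind:value  (format is an assumption).
DEFINITIONS_V1 = "\n".join([
    "# demo definitions, version 1",
    f"Demo.Dropper.A:sha256:{sha256_hex(INFECTED_FILE)}",
])

# "Updating the scanner" means replacing this file. Version 2 adds a
# byte-pattern signature for the same family.
DEFINITIONS_V2 = "\n".join([
    DEFINITIONS_V1.replace("version 1", "version 2"),
    f"Demo.Dropper.A:bytes:{STUB.hex()}",
])


def load_definitions(text: str) -> list[tuple[str, str, str]]:
    """Parse the definitions file into (name, kind, value) triples."""
    signatures = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, kind, value = line.split(":", 2)
        signatures.append((name, kind.strip(), value.strip()))
    return signatures


def scan(data: bytes, signatures: list[tuple[str, str, str]]) -> list[str]:
    """Return the names of every signature the file matches."""
    digest = sha256_hex(data)
    hits = set()
    for name, kind, value in signatures:
        if kind == "sha256" and value == digest:
            hits.add(name)
        elif kind == "bytes" and bytes.fromhex(value) in data:
            hits.add(name)
    return sorted(hits)


def demo() -> dict[str, list[str]]:
    v1 = load_definitions(DEFINITIONS_V1)
    v2 = load_definitions(DEFINITIONS_V2)
    return {
        "clean_v1": scan(CLEAN_FILE, v1),        # no match
        "infected_v1": scan(INFECTED_FILE, v1),  # whole-file hash matches
        "variant_v1": scan(VARIANT_FILE, v1),    # hash signature misses the variant
        "variant_v2": scan(VARIANT_FILE, v2),    # byte pattern catches it after the update
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'clean'}")
```

The whole-file hash is exact and cheap but breaks on a one-byte change; the byte-pattern signature survives repacking of the surrounding file, which is why real definitions mix both kinds and why a scanner is only as current as the last definitions file it loaded.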
Virus Scanners (cont.)
Behavior matching looks for typical virus behaviors:
Attempts to write to the boot sector
Changes to system files
Automating the e-mail software
Self-replication (the program copies itself)
Virus Scanners (cont.)
Ongoing virus scanners: Run constantly in the background
On-demand virus scanners: Run only when you launch them
Modern AV scanners offer both options.
Virus-Scanning Techniques
E-mail and attachment scanning
Examine e-mail on the server, or scan it on the host computer before passing it to the e-mail program.
Download scanning
Scan downloaded files.
Virus-Scanning Techniques (cont.)
File scanning
Files on the host computer are checked periodically.
Heuristic scanning
Most advanced form of virus scanning
Uses rules to determine if behavior is virus-like
Best way to find an unknown virus
Produces some false positives
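Added example illustrating both the behavior-matching list earlier in this chapter and the heuristic scanning bullet above: a rule-based scorer run over constructed per-program event traces. The rules, weights and thresholds are assumptions for this demo, not the book's or any vendor's; the trace for `boot_repair.exe` shows the false positive that heuristics produce when a legitimate tool behaves like a boot-sector virus.

```python
"""Behavior-based (heuristic) scanning: score a program's observed actions
against rules for the virus-like behaviors the slides list. Added example;
the weights, thresholds and event traces are constructed for the demo."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Event:
    """One observed action: what the program did and to what."""
    action: str   # "write", "raw_write", "copy_self", "com_call"
    target: str


def is_boot_sector_write(e: Event) -> bool:
    # Raw writes to the first physical disk reach the MBR / boot sector.
    return e.action == "raw_write" and e.target.startswith("\\\\.\\PhysicalDrive0")


def is_system_file_change(e: Event) -> bool:
    return e.action == "write" and e.target.lower().startswith("c:\\windows\\system32\\")


def is_mail_automation(e: Event) -> bool:
    return e.action == "com_call" and e.target.startswith("Outlook.Application")


def is_self_replication(e: Event) -> bool:
    return e.action == "copy_self"


# (description, weight, predicate). Weights are assumptions for the demo.
RULES: list[tuple[str, int, Callable[[Event], bool]]] = [
    ("writes to the boot sector", 50, is_boot_sector_write),
    ("changes system files", 30, is_system_file_change),
    ("automates the e-mail software", 25, is_mail_automation),
    ("copies its own executable", 40, is_self_replication),
]
MALICIOUS_THRESHOLD = 60   # assumed cut-offs
SUSPICIOUS_THRESHOLD = 30


def score(events: list[Event]) -> tuple[int, list[str]]:
    """Sum the weight of every rule that fires at least once."""
    total, reasons = 0, []
    for description, weight, predicate in RULES:
        if any(predicate(e) for e in events):
            total += weight
            reasons.append(description)
    return total, reasons


def verdict(events: list[Event]) -> tuple[str, int, list[str]]:
    total, reasons = score(events)
    if total >= MALICIOUS_THRESHOLD:
        label = "malicious"
    elif total >= SUSPICIOUS_THRESHOLD:
        label = "suspicious"
    else:
        label = "clean"
    return label, total, reasons


# Constructed traces. The worm-like program fires three rules; boot_repair.exe
# is a legitimate utility that behaves like a boot-sector virus, which is the
# kind of false positive the slide warns about.
TRACES = {
    "notepad.exe": [Event("write", "C:\\Users\\alice\\notes.txt")],
    "demo_worm.exe": [
        Event("copy_self", "C:\\Windows\\System32\\svch0st.exe"),
        Event("write", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
        Event("com_call", "Outlook.Application.Items.Send"),
    ],
    "boot_repair.exe": [
        Event("raw_write", "\\\\.\\PhysicalDrive0"),
        Event("write", "C:\\Windows\\System32\\winload.exe"),
    ],
}


def demo() -> dict[str, str]:
    return {name: verdict(events)[0] for name, events in TRACES.items()}


if __name__ == "__main__":
    for name, events in TRACES.items():
        label, total, reasons = verdict(events)
        print(f"{name}: {label} (score {total}) {', '.join(reasons)}")
```

Raising the thresholds would clear `boot_repair.exe` but also let a quieter worm through; that trade-off between missed detections and false positives is the tuning problem every heuristic engine carries, and it is why vendors pair heuristics with whitelists of known-good tools.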
Virus-Scanning Techniques (cont.)
Active code scanning
Java applets and ActiveX controls
Used for visual effects, but can be vehicles for malicious code
Must be scanned
Commercial Antivirus Software
AVG (www.grisoft.com)
Commercial product; also freeware for home use
McAfee
Norton
Popular commercial products
Firewalls
A barrier between your network and the outside world
Filters packets based on:
Size
Source IP
Protocol
Destination port
Firewalls (cont.)
Need dedicated firewall between trusted network and untrusted network.
Cisco is well known for its routers and firewalls.
Firewalls can be hardware or software.
Firewall Types and Components
There are several types of firewalls:
Screening firewalls
Application gateway
Circuit-level gateway
Firewall Types and Components (cont.)
Screening firewalls
Most basic type: packet filters
Examines each packet and either permits or denies it based on a set of rules
Cannot examine for state
May be a bastion host with limited services
Firewall Types and Components (cont.)
Application gateway or proxy
When a client requests a service outside the local network, it first negotiates a connection with the proxy.
The proxy then negotiates the connection with the outside server.
The server thinks it is delivering to the client, when the proxy is actually masquerading as the client to protect it.
Firewall Types and Components (cont.)
Circuit-level gateway
Similar to a proxy, but works at the session (TCP) layer: it relays the connection without processing or filtering application protocols.
The virtual "circuit" exists after user authentication takes place.
Not appropriate for e-commerce.
No URL filtering.
Limited auditing.
How Firewalls Examine Packets
Stateful packet inspection (SPI)
Permits or denies based not only on the current packet under inspection, but also on previous packets in the same connection.
It is aware of the context in which a packet is sent.
SPI can tell whether a packet is part of an existing connection or a bogus packet trying to intrude.
How Firewalls Examine Packets (cont.)
Stateless packet inspection
Does not examine the contents
Does not use data from other packets to determine the legitimacy of a packet
Vulnerable to various types of attacks:
Ping floods
SYN floods
DoS attacks
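Added example (not from the book) covering both the packet-filter criteria listed under Screening firewalls and the stateless-versus-stateful comparison above: the same constructed packets are run through a stateless rule set and through a stateful connection tracker. Addresses come from the documentation ranges; the rule set and the stateless "ACK set means established" heuristic are assumptions chosen to show what state tracking adds, namely that a forged ACK-only segment to an unpublished port passes the stateless filter and is stopped by the stateful one.

```python
"""Stateless vs stateful packet inspection over the same packets. Added
example; addresses, rules and packets are constructed for the demo
(192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for outside hosts)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flags such as {"SYN"} or {"ACK"}
    length: int = 60                 # bytes

    @property
    def inbound(self) -> bool:
        return ipaddress.ip_address(self.dst) in INTERNAL


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule: matches on the attributes the slide lists
    (size, source IP, protocol, destination port) plus TCP flags."""
    action: str                      # "permit" or "deny"
    proto: str = "any"
    src: str = "any"                 # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None
    flags: frozenset = frozenset()   # all of these flags must be set
    min_length: int = 0

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return self.flags <= p.flags and p.length >= self.min_length


# Rules for unsolicited inbound traffic; first match wins, default deny.
SERVICE_RULES = [
    Rule("deny", proto="icmp", min_length=1025),             # oversized pings
    Rule("deny", src="203.0.113.0/24"),                      # a blocked source network
    Rule("permit", proto="tcp", dst="10.0.0.5", dport=80),   # the published web server
]
# A stateless filter has no memory of outbound connections, so to let replies
# back in it must rely on a flag heuristic: "ACK set means it belongs to a
# connection we opened". That is the rule an ACK scan abuses.
STATELESS_RULES = SERVICE_RULES + [Rule("permit", proto="tcp", flags=frozenset({"ACK"}))]


def stateless_filter(p: Packet) -> str:
    if not p.inbound:
        return "permit"
    for rule in STATELESS_RULES:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Tracks connections opened from inside; an inbound packet is permitted
    when it belongs to a tracked connection, otherwise only if a service rule
    allows it."""

    def __init__(self) -> None:
        self.connections: set[tuple] = set()

    def filter(self, p: Packet) -> str:
        if not p.inbound:
            if p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags:
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return "permit"
        # Reverse 4-tuple: is this a reply to something an inside host started?
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "permit"
        for rule in SERVICE_RULES:
            if rule.matches(p):
                return rule.action
        return "deny"


def demo() -> dict[str, tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each constructed packet."""
    fw = StatefulFirewall()
    fw.filter(Packet("10.0.0.7", 51000, "192.0.2.10", 443, flags=frozenset({"SYN"})))
    packets = {
        "legit_reply": Packet("192.0.2.10", 443, "10.0.0.7", 51000, flags=frozenset({"SYN", "ACK"})),
        "forged_ack": Packet("198.51.100.9", 40000, "10.0.0.7", 3389, flags=frozenset({"ACK"})),  # ACK scan
        "web_syn": Packet("198.51.100.9", 40001, "10.0.0.5", 80, flags=frozenset({"SYN"})),
        "ssh_syn": Packet("198.51.100.9", 40002, "10.0.0.7", 22, flags=frozenset({"SYN"})),
        "big_ping": Packet("198.51.100.9", 0, "10.0.0.7", 0, proto="icmp", length=65000),
    }
    return {name: (stateless_filter(p), fw.filter(p)) for name, p in packets.items()}
```

Only `forged_ack` separates the two: the stateless filter must trust the ACK bit to admit return traffic, while the stateful filter admits only replies to connections it saw leave. The connection table is also the stateful firewall's weak point under a SYN flood, since each half-open entry consumes memory, which is why real implementations add timeouts and per-source limits.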
Firewall Configurations
The type of firewall tells you how it will evaluate traffic.
The configuration of the firewall tells you how it is set up relative to the network it is protecting:
Network host-based
Dual-homed host
Router-based firewall
Screened host
Firewall Configurations (cont.)
Network host-based: a software solution installed on an existing operating system.
Weakness: it relies on the OS, so the existing operating system must be hardened.
Firewall Configurations (cont.)
Dual-homed host: installed on a server with at least two network interfaces.
Systems inside and outside the firewall can communicate with the dual-homed host, not with each other.
Firewall Configurations (cont.)
Router-based firewall
Commonly the first layer of protection
Usually a packet filter
Screened host
Combination firewall: a bastion host and a packet filter
Commercial and Free Firewall Products
Zone Labs
www.zonelabs.com
Also freeware version
Cisco
Outpost Firewall
www.agnitum.com/products/outpost/
Also freeware version
Commercial and Free Firewall Products (cont.)
www.free-firewall.org
www.homenethelp.com/web/howto/free-firewall.asp
www.firewall.com/freeware.htm
Firewall Logs
All firewalls log activity.
Logs can provide valuable information.
Can locate the source of an attack.
Can help prevent a future attack.
Network administrators should review the logs regularly.
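Added example (not from the book) of how firewall logs locate the source of an attack: a parser for constructed netfilter-style drop records, aggregation per source address, and a simple labelling of port scans versus repeated probes of one port. The log format, the thresholds and the generated iptables block rule are assumptions for the demo; the iptables syntax itself is standard.

```python
"""Mining firewall logs to locate the source of an attack. Added example; the
log lines are constructed in a netfilter-style key=value format and do not
come from a real system."""
from collections import defaultdict

# Constructed drop records, one per line.
LOG_LINES = """
Mar 12 10:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 12 10:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 12 10:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 12 10:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 12 10:01:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40005 DPT=443 SYN
Mar 12 10:01:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40006 DPT=3389 SYN
Mar 12 10:01:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40007 DPT=8080 SYN
Mar 12 10:02:10 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.0.7 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar 12 10:02:40 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.0.7 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar 12 10:03:10 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=10.0.0.7 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN
Mar 12 10:03:11 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=60000 DPT=8443 SYN
""".strip().splitlines()


def parse_line(line: str):
    """Turn one drop record into a dict, or None for lines that are not drops."""
    if "FW-DROP" not in line:
        return None
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def summarize(lines):
    """Per source address: number of drops, ports probed and hosts targeted."""
    summary = defaultdict(lambda: {"drops": 0, "ports": set(), "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] is None:
            continue
        entry = summary[rec["src"]]
        entry["drops"] += 1
        entry["ports"].add(rec["dpt"])
        entry["targets"].add(rec["dst"])
    return dict(summary)


def classify(summary, scan_ports: int = 5, repeat_drops: int = 3) -> dict[str, str]:
    """Label each source. Thresholds are assumptions for the demo."""
    labels = {}
    for src, e in summary.items():
        if len(e["ports"]) >= scan_ports:
            labels[src] = "port scan"
        elif e["drops"] >= repeat_drops:
            labels[src] = "repeated probe"
        else:
            labels[src] = "isolated drop"
    return labels


def block_rule(src: str) -> str:
    """An iptables rule an administrator might add to shut out a source before a
    follow-up attack. Generating it is the easy part; apply only after review."""
    return f"iptables -I INPUT -s {src} -j DROP"


def demo() -> dict:
    summary = summarize(LOG_LINES)
    labels = classify(summary)
    attackers = sorted(src for src, label in labels.items() if label != "isolated drop")
    return {"labels": labels, "block_rules": [block_rule(s) for s in attackers]}


if __name__ == "__main__":
    for src, label in demo()["labels"].items():
        print(f"{src}: {label}")
    print("\n".join(demo()["block_rules"]))
```

The single drop from 192.0.2.44 is left alone on purpose: a one-off denied connection is usually a misconfigured client, and blocking on one log line is how administrators lock out their own users.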
Antispyware
Scans for spyware.
Checks for known spyware files, much as AV software scans for known virus files.
Maintain a subscription service to keep spyware definitions up to date, or use auto-update.
Be cautious about attachments and downloads.
Intrusion-Detection Software
Intrusion-detection system (IDS)
Inspects all inbound and outbound port activity
Scans for patterns that might indicate an attempted break-in
Intrusion-Detection Software (cont.)
IDS categorization
Misuse detection versus anomaly detection
Passive systems versus reactive systems
Network-based systems versus host-based systems
Intrusion-Detection Software (cont.)
Misuse detection versus anomaly detection
Misuse detection
Analyzes the information it gathers and compares it to known attack signatures
Anomaly detection
Looks for unusual behaviors: behaviors that do not match the pattern of normal user access
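Added example (not from the book) of misuse detection beside anomaly detection over the same constructed web-server access log. Signatures catch two low-volume requests carrying known attack patterns; a per-client request-rate baseline catches a client whose volume is unusual but whose requests match no signature. The signatures, the mean-plus-three-standard-deviations threshold and the log lines are all constructed for this demo.

```python
"""Misuse detection (known attack signatures) beside anomaly detection
(deviation from a baseline of normal use) over one web-server access log.
Added example; the log lines are constructed for the demo."""
import re
import statistics
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def make_lines(ip: str, user: str, paths: list[str], minute: int) -> list[str]:
    """Build constructed common-log-format lines, one request per second."""
    return [
        f'{ip} - {user} [12/Mar/2012:10:{minute:02d}:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
        for sec, path in enumerate(paths)
    ]


NORMAL_PAGES = ["/index.html", "/about.html", "/products.html", "/contact.html", "/news.html"]

# Baseline window: ordinary browsing by three internal users.
BASELINE_LOG = (
    make_lines("10.0.0.21", "alice", NORMAL_PAGES[:4], 0)
    + make_lines("10.0.0.22", "bob", NORMAL_PAGES[:3], 0)
    + make_lines("10.0.0.23", "carol", NORMAL_PAGES, 0)
)

# Observation window: the same users, one client sending two requests that
# carry known attack patterns, and one client enumerating product ids.
OBSERVED_LOG = (
    make_lines("10.0.0.21", "alice", NORMAL_PAGES[:4], 5)
    + make_lines("10.0.0.22", "bob", NORMAL_PAGES[:3], 5)
    + make_lines("198.51.100.9", "-", ["/../../etc/passwd", "/login.php?user=admin'%20OR%20'1'='1"], 5)
    + make_lines("10.0.0.30", "-", [f"/products.php?id={i}" for i in range(1, 13)], 5)
)

# Misuse detection: signatures of known attack techniques (constructed, minimal).
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
    ("sql injection", re.compile(r"('|%27)(%20|\s)*(or|and)(%20|\s)", re.I)),
]


def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def misuse_detect(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client ip, signature name, request path) for every signature hit."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name, rec["path"]))
    return alerts


def requests_per_client(lines: list[str]) -> Counter:
    return Counter(rec["ip"] for rec in map(parse, lines) if rec)


def anomaly_detect(baseline: list[str], observed: list[str], k: float = 3.0) -> dict[str, int]:
    """Flag clients whose request count exceeds mean + k standard deviations of
    the baseline per-client counts (k is an assumed tuning parameter)."""
    counts = list(requests_per_client(baseline).values())
    threshold = statistics.mean(counts) + k * statistics.pstdev(counts)
    return {ip: n for ip, n in requests_per_client(observed).items() if n > threshold}


def demo() -> dict[str, list[str]]:
    return {
        "misuse": sorted({ip for ip, _, _ in misuse_detect(OBSERVED_LOG)}),
        "anomaly": sorted(anomaly_detect(BASELINE_LOG, OBSERVED_LOG)),
    }


if __name__ == "__main__":
    for ip, name, path in misuse_detect(OBSERVED_LOG):
        print(f"misuse  {ip}: {name} in {path}")
    for ip, n in anomaly_detect(BASELINE_LOG, OBSERVED_LOG).items():
        print(f"anomaly {ip}: {n} requests in the window")
```

Each detector misses what the other finds: the two attack requests from 198.51.100.9 are far below the volume threshold, and the enumeration from 10.0.0.30 matches no signature. Misuse detection needs a signature written in advance; anomaly detection needs a trustworthy baseline, and an attacker who stays inside the baseline's envelope is invisible to it.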
Intrusion-Detection Software (cont.)
Passive systems versus reactive systems
Passive systems
Upon detection, log the information and send an alert
Reactive systems
Upon detection, log off the suspicious user or reprogram the firewall to block the suspicious network traffic
Intrusion-Detection Software (cont.)
Network-based systems versus host-based systems
Network-based systems
Analyze network traffic
Host-based systems
Analyze the activity of each individual host
Intrusion-Detection Software (cont.)
IDS approaches
Preemptive blocking
Infiltration
Intrusion deflection
Intrusion deterrence
Intrusion-Detection Software (cont.)
Preemptive blocking
Also called banishment vigilance
Seeks to prevent intrusions before they occur
Notes any sign of impending threats and blocks the user or IP
Risk of blocking legitimate users
Intrusion-Detection Software (cont.)
Infiltration
Not a software program.
The process of a security administrator infiltrating hacker/cracker online groups.
Unusual. Most administrators depend on security bulletins.
Intrusion-Detection Software (cont.)
Intrusion deflection
Honeypot: set up an attractive, but fake, system.
Lure the attacker into the system and monitor the attacker's activity.
Intrusion-Detection Software (cont.)
Intrusion deterrence
An attempt to make the system a less palatable target.
First, make the system seem less attractive: hide the valuable assets.
Then, make the system seem more secure than it is: post warnings of monitoring and so on.
Make any potential reward seem more difficult to attain than it actually is.
Commercial IDS Providers
Many IDS vendors
You must determine which is best for your business environment.
Snort:
www.snort.org
Open source