
KING SAUD UNIVERSITY

COLLEGE OF COMPUTER AND INFORMATION SCIENCES


COMPUTER ENGINEERING DEPARTMENT

Study and Analysis of KSU Computer Network Security

Submitted in partial fulfillment of the requirements for the Master's degree in the Department of Computer Engineering at the College of Computer and Information Sciences, King Saud University

By
Mohammed Abdullah Alfadli

Supervised by
Dr. Abdulaziz Almazyad
and
Dr. Saad Alkasabi

Thul-Qedah 1429H
November 2008G
Abstract

The security of computer networks is becoming a critical factor in network design and administration, especially when the network is large and provides a variety of services for users. King Saud University has a network that serves many branches and thousands of users. Reviewing the KSU network security structure has become a must because of new developments in computer network security technology. In addition, the deployment of new applications and services for KSU network users, the degradation of performance due to virus spread and attacks, and the growing sophistication of attacks on networks all impose more security measures.

In this thesis, we study and analyze the current KSU network security architecture, recommend a general design review, and propose recommendations for solving the problems analyzed.
Abstract (Arabic)

[The Arabic abstract on this page is not recoverable from the extracted text; only its English title, "Study and Analysis of KSU Computer Network Security", is legible.]
Table of Contents

ABSTRACT 2
ABSTRACT (ARABIC) 3
TABLE OF CONTENTS 4
LIST OF FIGURES 6
LIST OF TABLES 7
LIST OF ABBREVIATIONS 8
CHAPTER 1: INTRODUCTION TO NETWORK SECURITY 10
1.1 SECURITY DEFINITION: 10
1.2 NETWORK SECURITY DEFINITION 11
1.3 NETWORK SECURITY HISTORICAL BACKGROUND 12
1.4 THE (C.I.A.) SECURITY CONCEPT 14
1.4.1 Confidentiality 14
1.4.2 Integrity 14
1.4.3 Availability 15
1.5 SECURITY ASSESSMENT: 16
1.6 RESEARCH GOALS 18
1.7 PROPOSED CHAPTERS 19
CHAPTER 2: LITERATURE REVIEW 20
2.1 SECURITY IN ACADEMIC INSTITUTIONS 20
2.2 SECURITY DESIGN 22
2.3 MONITORING IN SECURITY 24
2.4 NEW SECURITY APPROACHES 26
2.5 GENERAL NETWORK SECURITY 27
CHAPTER 3: KSU NETWORK SECURITY 29
CHAPTER 4: STUDY AND ANALYSIS 52
4.1 METHODOLOGY OF THE NETWORK SECURITY ASSESSMENT 52
4.2 GATHERING INFORMATION 56
4.3 RISK ASSESSMENT 58
4.3.1 Asset Identification 58
4.3.2 Threat Assessment 59
4.3.3 Vulnerability Assessment 63
4.3.4 Risk Value 71
4.4 PENETRATION TESTING 73
4.5 GAP ANALYSIS 75
4.6 ANALYSIS OF RESULTS 82
CHAPTER 5: PROPOSED SECURITY SOLUTION 86
CHAPTER 6: CONCLUSION AND FUTURE WORK 91
6.1 CONCLUSION 91
6.2 FUTURE WORK 92
APPENDIX A: MORE DETAILS FOR EACH THREAT 93
APPENDIX B: TOOLS USED 107
REFERENCES 108

List of Figures

Figure 3.1: Buildings in KSU Deriah
Figure 3.2: ATM Backbone in KSU Deriah
Figure 3.3: Main and backup ATM Backbone links
Figure 3.4: Ethernet to ATM Connectivity (ELANs)
Figure 3.5: ELANs structure in KSU Deriah
Figure 3.6: Remote access server Zone (RAS)
Figure 3.7: DMZ Zones and Internet Firewall
Figure 3.8: Relationships between the VLANs
Figure 3.9: Current KSU Network Architecture
Figure 4.1: Latest KSU Network Architecture
Figure 4.2: Percentage of source of threat PCs
Figure 4.3: Percentage of Threat Sources
Figure 4.4: The Risk Value for Asset categories
Figure 4.5: Bandwidth Management problem
Figure 4.6: Gap Analysis Results 75
Figure 5.1: Suggested KSU Network Architecture 90

List of Tables

Table 3.1: VLANs in KSU Deriah 49
Table 4.1: Asset Identification 58
Table 4.2: Identified Threats 60
Table 4.3: Identified Vulnerabilities for asset zones 63
Table 4.4: Average number of Vulnerabilities per asset and the final value 64
Table 4.5: Some Important Vulnerabilities 65
Table 4.6: Risk Value for each Asset 71
Table 4.7: Results of Internal Penetration Testing 73
Table 4.8: Results of Gap analysis 76

List of Abbreviations

LAN : Local Area Network
VLAN : Virtual Local Area Network
WAN : Wide Area Network
IETF : Internet Engineering Task Force
IP : Internet Protocol
VoIP : Voice over IP
C.I.A : Confidentiality, Integrity, and Availability
DoS : Denial of Service
DDOS : Distributed Denial of Service
IDS : Intrusion Detection System
PKI : Public Key Infrastructure
NMS : Network Management System
VPN : Virtual Private Network
NI : Network Interface
NIC : Network Interface Card
NAS : Network-Attached Storage
ARP : Address Resolution Protocol
DNS : Domain Name System
LDAP : Lightweight Directory Access Protocol
ATM : Asynchronous Transfer Mode
VLSP : Virtual Link State Protocol
OSPF : Open Shortest Path First
LANE : LAN Emulation
ELAN : Emulated LAN
DDN : Data network lines
RAS : Remote Access Server
DMZ : Demilitarized Zone
GRPG : Gather information, Risk Assessment, Penetration testing, and Gap analysis
NIST : National Institute of Standards and Technology
SOC : Security Operations Center
NAC : Network Admission Control
SSH : Secure Shell
CVE : Common Vulnerabilities and Exposures
CVSS : Common Vulnerability Scoring System
SMB : Server Message Block
ADS : Anomaly Detection System
TCP/IP : Transmission Control Protocol / Internet Protocol
HEBCA : Higher Education Bridge Certificate Authority
Multi-PaSS : Multi-Party Security System
RADIUS : Remote Authentication Dial-In User Service
OSI model : Open Systems Interconnection model

Chapter 1

Introduction to Network Security

1.1 Security Definition:

According to Dieter Gollmann, security is mainly defined by confidentiality, integrity and availability, while Scott Mann thinks of security as confidentiality, integrity and reliability. Black et al. define it as confidentiality, authentication, integrity, access control and non-repudiation [5].

Security is a process. We can apply the process again and again to our network and to the organization that maintains it, and by doing so the security of the system can be improved. If we stop applying the process, or never start it, our security worsens as new threats and techniques emerge [2].

As stated above, a simple definition of information security can be stated as follows:

Information security = Confidentiality + Integrity + Availability + Authentication.

There can be no information security without confidentiality; this ensures that unauthorized users do not intercept, copy, or replicate information. At the same time, integrity is necessary so that organizations have enough confidence in the accuracy of the information to act upon it. Moreover, information security requires organizations to be able to retrieve data; security measures are worthless if organizations cannot gain access to the vital information they need to operate when they need it. Finally, information is not secure without authentication, that is, determining whether the end user is authorized to have access [1].

1.2 Network Security Definition

Network security is a constant task of evaluating new threats, maintaining the present organizational security, and incorporating new techniques where needed [17].

It is important to remember that network security is not absolute. All security is relative. Network security should be thought of as a spectrum that runs from very insecure to very secure. The level of security of a system or network depends on where it lands along that spectrum relative to other systems: it is either more secure or less secure than other systems relative to that point. There is no such thing as an absolutely secure network or system [1].

Network security is a balancing act that requires the deployment of "proportionate defenses". The defenses that are deployed or implemented should be proportionate to the threat. Organizations determine what is appropriate in several ways, described as follows [1]:

• Balancing the cost of security against the value of the assets they are protecting.

• Balancing the probable against the possible.

• Balancing business needs against security needs.

1.3 Network Security Historical Background

As stated by John Canavan [1], the need for network security is a relatively new requirement. Prior to the 1980s most computers were not networked. This was not due to a lack of desire to network them; it was more a result of the lack of technology. Most systems were mainframes or midrange systems that were centrally controlled and administered. Users interfaced with the mainframe through "dumb" terminals, which had limited capabilities. Terminals actually had a physical connection on a dedicated port. The ports were often serial connections that used the RS-232 protocol, and usually one port was required per terminal. IBM, Digital Equipment, and other computer manufacturers developed variations on this architecture using terminal servers, but the basic concept was the same. There was nothing equivalent to what we experience today, where hundreds if not thousands of connections can reach a system over a single network circuit.

In the 1980s, the combination of the development of the personal computer (PC), the development of network protocol standards, the decrease in the cost of hardware, and the development of new applications made networking a much more accepted practice. As a result, Local Area Networks (LANs), Wide Area Networks (WANs), and distributed computing experienced tremendous growth during that period.

When first deployed in the late 1980s, LANs were relatively secure, mainly because they were physically isolated. They were not usually connected to WANs, so their standalone nature protected the network resources.

The development of packet-switched protocols such as X.25 and Transmission Control Protocol/Internet Protocol (TCP/IP) reduced the cost of deploying WANs, making them more attractive to implement. These protocols allowed many systems to share communication circuits, so many people and organizations could be interconnected over the shared network, and it was no longer necessary to connect systems in a point-to-point configuration. Vulnerabilities were introduced with the deployment of this distributed environment, which used shared, packet-switched networks employing protocols such as TCP/IP together with the concept of trusted systems: systems on the network "trusted" each other. The situation was frequently made worse by connecting relatively secure LANs to an unsecured WAN, where the organization's network connections enter the cloud of the packet-switched network. Other organizations share that cloud, and on the packet-switched network one company's packets are intermixed with another organization's packets.

In such a distributed environment the emphasis was on providing ease of access and connectivity. Security was an afterthought, if it was considered at all. As a result, many systems were wide open and vulnerable to threats that previously had not existed [1].

Traditional approaches to system security have focused on high-level, application-dependent solutions. Network-layer security has since been accepted as a necessary element in a multi-layer security architecture. In November 1992, various members of the IETF (Internet Engineering Task Force) decided to design and deploy a protocol suitable for the large-scale Internet environment, which uses IP as the network protocol. The first such experimental protocol was swIPe [SWIPE], and although it never quite caught on, it proved that the concept was sound and the goal achievable. A few years later, the IETF IPSEC Working Group developed a set of specifications, and in December 1995 the first interoperating session was held between several vendors and individuals who had implementations of the proposed standard [3].

The Internet is the largest and best-known packet-switched network. It uses TCP/IP and was primarily designed to connect computers, regardless of their operating systems, in an easy and efficient manner. Security was not part of the early design of TCP/IP, and there have been a number of widely publicized attacks that have exploited inherent weaknesses in its design. One well-known event was the Internet Worm of 1986, which brought the Internet to its knees.

1.4 The (C.I.A.) Security Concept

One of the main concepts in security is C.I.A., which stands for Confidentiality, Integrity, and Availability. In what follows, we explore each of these terms.

1.4.1 Confidentiality
When information flows over the network, it can be eavesdropped on. If the information is not encrypted, someone else can sniff the network and read it. If one just browses the web this might not be a problem; maybe he does not care if someone knows that he has visited CNN's web site to read the news. But if he is using his bank's website and making transactions, he probably does not want anyone else to be able to sniff his secret code to the bank account. One way to secure such transactions and prevent someone from obtaining the code is to encrypt it [5].

Confidentiality can also be defined as privacy or secrecy, and refers to the protection of information from unauthorized disclosure. This is usually achieved either by restricting access to the information or by encrypting it so that it is not meaningful to unauthorized individuals or entities [1].

1.4.2 Integrity
Integrity can be defined as the prevention of unauthorized modification of information. Even for data that is not confidential, IT professionals must still take measures to ensure data integrity. For example, they may not care if anyone sees their monthly orders, but they would certainly care if the numbers were modified. Data integrity ensures that transactions are not modified [5].

Data integrity can also be thought of as accuracy, and refers to the ability to protect information, data, or transmissions from unauthorized, uncontrolled, or accidental alterations [1].

1.4.3 Availability
Availability can be defined as ensuring that network elements, services, and applications are available to authorized users [17].

If an organization connects its LAN to the Internet, it will probably require the Internet to always be available. A LAN usually has a firewall as its only entry point, which is a critical point of failure for availability: if the firewall is not functioning as it should, the users will not be able to reach the Internet. Denial of Service (DoS) is the most common attack used to make a service unavailable. A DoS attack can, for example, consist of someone sending a huge number of Internet packets to a certain host. The receiving computer gets so many packets to process that it cannot manage them all and starts to drop them. It will also drop packets coming from legitimate users, and so cannot serve those users as it is supposed to. Even if the computer can manage all these packets, the connection might become saturated so that no other packets can be sent. If availability is very important to a LAN, then DoS can be disastrous. But DoS attacks of this kind are mostly harmless and only affect availability during the attack. Authentication is the best method to prevent abuse of resources, as only authorized users should be able to use them. Having secondary services (redundant services on other servers offering exactly the same functionality and holding the same data) and building a distributed system is a good way to preserve availability: if a service fails for some reason, another can take over without any loss of functionality [5].
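The queue behaviour described above (a flooded host dropping legitimate users' packets along with the flood) is easy to see in a small model. The following Python is an added example, not code from the thesis: it simulates one tick of traffic from a flooding source and two ordinary users arriving at a host that can process only CAPACITY packets, compares a plain drop-tail queue with a per-source quota, and reports what fraction of the legitimate packets each policy served. The traffic mix, the capacity and the quota are constructed for illustration.

```python
"""Toy model of the availability problem in section 1.4.3.

Added example, not from the thesis. One flooding source and two ordinary
users send packets to a host that can process only CAPACITY packets per
tick. A plain drop-tail queue drops the legitimate users' packets along
with the flood; a per-source quota keeps serving them. The traffic mix is
constructed for illustration.
"""
from collections import Counter

CAPACITY = 10          # packets the host can process per tick
PER_SOURCE_QUOTA = 5   # at most this many packets per source per tick
LEGIT_USERS = ("alice", "bob")


def constructed_arrivals():
    """One tick of traffic: the flooder's packets with the two user packets
    interleaved part-way through, as they would arrive on a shared link."""
    return ["flooder"] * 12 + ["alice"] + ["flooder"] * 2 + ["bob"] + ["flooder"] * 6


def serve_droptail(arrivals, capacity=CAPACITY):
    """Drop-tail queue: the first `capacity` arrivals are processed, the
    rest are dropped regardless of who sent them."""
    served = Counter(arrivals[:capacity])
    dropped = Counter(arrivals[capacity:])
    return served, dropped


def serve_with_quota(arrivals, capacity=CAPACITY, quota=PER_SOURCE_QUOTA):
    """Per-source quota: a packet is processed only while total capacity
    remains and its source has not yet used up its quota this tick."""
    served, dropped = Counter(), Counter()
    for src in arrivals:
        if sum(served.values()) < capacity and served[src] < quota:
            served[src] += 1
        else:
            dropped[src] += 1
    return served, dropped


def legit_availability(served, dropped, users=LEGIT_USERS):
    """Fraction of the legitimate users' packets that were actually processed."""
    sent = sum(served[u] + dropped[u] for u in users)
    return sum(served[u] for u in users) / sent if sent else 1.0


if __name__ == "__main__":
    arrivals = constructed_arrivals()
    for name, policy in (("drop-tail", serve_droptail), ("per-source quota", serve_with_quota)):
        served, dropped = policy(arrivals)
        print(f"{name:17} served={dict(served)} dropped={dict(dropped)} "
              f"legit availability={legit_availability(served, dropped):.0%}")
```

With the constructed mix, drop-tail serves ten flood packets and none of the users' packets (0% legitimate availability), while the quota serves five flood packets plus both users' packets (100%). The quota does not make the flood harmless, it only keeps the host's remaining capacity from being monopolised by one source, which is the same reason the text recommends redundant, distributed services.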

1.5 Security Assessment:

A security assessment is performed with two goals in mind: to identify existing security vulnerabilities and to make recommendations for improving security practices or infrastructure. Various areas of a network can fall under the scope of a security assessment, but most commonly at least one of the following areas is examined:

• External environment – Using hacking techniques and sophisticated tools, security specialists try to "penetrate" a network from the outside, usually from the Internet or remote sites. They try to determine how well the perimeter (routers, firewalls, hosts and other devices that connect the internal network to non-corporate networks) is protected from external attacks.

• Internal environment – An organization's security policies and procedures are compared with industry best practices and government regulations, and various audits are conducted of the overall internal network, including all devices and network applications. Internal hosts are also assessed for security vulnerabilities. Some assessments also include audits of the physical environment (e.g., are IT facilities kept secure?) and of security training and awareness programs.

More often, the minimum security assessment requested by organizations or companies consists of an external assessment. Many of them focus on the threats posed by outside hackers but fail to recognize the potential threats within their confines: disgruntled employees who may sabotage the network or perpetrate fraud, instigated by lax security awareness among IT personnel and general staff, and bad security practices. The FBI estimates that 71% of security breaches are incurred by authorized users. Targeting only external hackers does not offer an adequate picture of an organization's security status, so both external and internal assessments must be performed.

Since an organization's security status could have a significant impact on its business, management should view the security assessment as a tool to benchmark progress and evaluate the effectiveness of new security policies and practices. As networks and regulations change, the organization should revisit its security status with regular assessments to update security practices and ensure compliance with new regulations [16].

1.6 Research Goals

Network security is an essential requirement for the IT infrastructure of educational institutions in general, and of universities in particular. It has been proven by practice that the current problems in the KSU network have a great impact on network performance and on the availability of services.

The main goal of this research is to analyze the current security architecture of the KSU network and propose recommendations to solve the main problems that KSU is facing in its network security. The scope of this research covers the main network in the Deriah campus (LAN). The research covers the following:

- Review the international standards in network security and what has been written in this field.

- Study and analyze the current KSU network architecture in general, and network security in particular. This includes the network security assessment, for which we use the GRPG methodology (see chapter 4).

- Propose network security recommendations to solve the problems analyzed.

1.7 Proposed Chapters

1- Introduction: presents an overview of the thesis topic and states the research problem.

2- Literature review: reviews what has been written in the literature regarding network security in general, and the techniques we use to improve KSU network security in particular, including the international security standard (ISO 17799).

3- KSU Network security: reviews the current KSU network architecture, including the technical aspects in general and the security aspects in particular.

4- Study and Analysis: studies and analyzes the current KSU network security architecture in detail, with a focus on the security concepts Confidentiality, Integrity, and Availability (C.I.A.).

5- Proposed Security Solution: recommends improvements to the KSU network design and explores solutions to the problems analyzed in the previous chapter.

6- Conclusion and Future work: discusses our conclusions and future work related to the research topic.

Chapter 2

Literature Review

Much research has been done in recent years in the field of network security. In what follows, we review work related to network security in educational institutions. The review is organized to cover the following issues:

2.1 Security in Academic institutions

2.1.1) Issue: Security Incidents in Academic institutions.

Cui [18] analyzes attacks and probes directed against the East Tennessee State University (ETSU) network. ETSU has more than 11,000 students and its network has around 1,000 servers. The paper reports that most of the attacks detected were ICMP-based; protocols such as ping, traceroute, and whois accounted for 81% of all attacks. In general, ICMP-based attacks are less dangerous than TCP-based and UDP-based attacks. Some of the attacks discovered targeted specific ports such as 137, 21, and 111. Because of the varied security requirements of academic institutions, the paper suggested a multi-level firewall system as a better solution for satisfying different users' needs. It also suggests installing an intrusion detection system (IDS) that can detect attacks in real time, and performing a risk assessment periodically.
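The protocol breakdown that Cui [18] reports (the share of ICMP-based probes, and probes aimed at ports 137, 21 and 111) is the kind of figure a campus security team derives from its own firewall or IDS logs. The following Python is an added example, not code from the thesis or from the cited paper: it parses a small log, computes the per-protocol percentages and the hits on the ports the text names, and flags sources whose ICMP probes reached many distinct hosts. The one-line log format, the log lines and the `WATCHED_PORTS` table are constructed for this example.

```python
"""Classify constructed probe/attack log lines by protocol and port.

Added example, not from the thesis or from Cui [18]. The one-line log
format below is constructed for this example and is not a real product's.
"""
from collections import Counter, defaultdict

# Constructed sample: "<time> <src_ip> -> <dst_ip> <PROTO>[/<dst_port>]"
SAMPLE_LOG = """\
2008-11-01T10:00:01 203.0.113.5 -> 198.51.100.10 ICMP
2008-11-01T10:00:02 203.0.113.5 -> 198.51.100.11 ICMP
2008-11-01T10:00:03 203.0.113.5 -> 198.51.100.12 ICMP
2008-11-01T10:00:04 203.0.113.7 -> 198.51.100.10 TCP/137
2008-11-01T10:00:05 203.0.113.7 -> 198.51.100.10 TCP/21
2008-11-01T10:00:06 203.0.113.9 -> 198.51.100.20 UDP/111
2008-11-01T10:00:07 203.0.113.5 -> 198.51.100.13 ICMP
2008-11-01T10:00:08 203.0.113.9 -> 198.51.100.21 TCP/80
2008-11-01T10:00:09 203.0.113.5 -> 198.51.100.14 ICMP
2008-11-01T10:00:10 203.0.113.7 -> 198.51.100.10 TCP/137
"""

# Ports the thesis singles out: NetBIOS name service, FTP and the RPC portmapper.
WATCHED_PORTS = {137: "netbios-ns", 21: "ftp", 111: "sunrpc"}


def parse_line(line):
    """Return (src, dst, proto, port); port is None for ICMP.
    A malformed line raises ValueError rather than being silently counted."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        raise ValueError(f"malformed log line: {line!r}")
    _time, src, _arrow, dst, service = parts
    proto, _, port = service.partition("/")
    if proto == "ICMP" and not port:
        return src, dst, proto, None
    if proto in ("TCP", "UDP") and port.isdigit():
        return src, dst, proto, int(port)
    raise ValueError(f"unsupported service field: {service!r}")


def summarize(log_text):
    """Count events by protocol, watched port and source, with a percentage per protocol."""
    by_proto, by_port, by_src = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _dst, proto, port = parse_line(line)
        by_proto[proto] += 1
        by_src[src] += 1
        if port in WATCHED_PORTS:
            by_port[WATCHED_PORTS[port]] += 1
    total = sum(by_proto.values())
    pct = {p: round(100.0 * n / total, 1) for p, n in by_proto.items()} if total else {}
    return {
        "total": total,
        "by_proto": dict(by_proto),
        "pct_by_proto": pct,
        "watched_ports": dict(by_port),
        "top_sources": by_src.most_common(3),
    }


def ping_sweeps(log_text, min_targets=3):
    """Sources whose ICMP probes reached at least `min_targets` distinct hosts,
    which is how a host-discovery sweep shows up in the log."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, _port = parse_line(line)
        if proto == "ICMP":
            targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for proto, share in sorted(report["pct_by_proto"].items()):
        print(f"{proto:4} {report['by_proto'][proto]:3} events ({share}%)")
    print("watched ports:", report["watched_ports"])
    print("possible ping sweeps from:", ping_sweeps(SAMPLE_LOG))
```

On the constructed log the ICMP share is 50%, two of the TCP events hit port 137, and 203.0.113.5 is reported as a sweep because its ICMP probes touched five distinct hosts. Rejecting malformed lines with an exception rather than skipping them matters for this kind of reporting: a silently dropped line changes every percentage that follows.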

2.1.2) Issue: Challenges of Network Security Remediation at Universities.

Simons [19] describes the challenges encountered during a year-long effort to improve the security of the 3,300-node administrative computer network at East Tennessee State University. The key remediation strategies used included employing the vulnerability scanner Nessus to profile the network, analyzing the scan results, and attempting to remove the most critical vulnerabilities found. The effort succeeded in decreasing known "high" criticality vulnerabilities on campus by 26.1%. The paper summarized its observations about the challenges of implementing network security in universities, such as the increasing proliferation of networked hosts and the ever-growing queue of vulnerabilities to search for and repair.

2.1.3) Issue: Vulnerability Assessment of University Computer Networks.

Ashe [20] uses security audits to assess the vulnerability of university computer systems and networks. A security audit examines systems on a local area network to detect "holes" that may be exploited by malicious people. Such holes include physical intrusion, abuse of privilege by legitimate users, and software vulnerabilities. The audit was carried out in three phases during the Fall 2001, Spring 2002 and Spring 2004 semesters. A full network audit was conducted during the initial two phases using the Nmap and Nessus security auditing tools. The third phase was a partial network scan in Spring 2004 to gauge the degree to which earlier observations had changed. Unpatched Windows operating system vulnerabilities were the top security threat, accounting for over 80% of all critical vulnerabilities. The paper suggested a patch management and deployment system that can guarantee the patching of all Windows systems connected to the network.

2.1.4) Issue: PKI in Universities.

Educause [14] and Franklin [15] discuss the deployment of Public Key Infrastructure (PKI) in the university environment. PKI enables users of a basically insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and private cryptographic key pair that is obtained and shared through a trusted authority. These papers begin the discussion with the benefits of implementing PKI in universities and colleges. PKI enables user authentication that is stronger than traditional authentication (passwords with servers), digital signing of email and other documents to prove the originator's identity, and encryption to protect critical email and data in a user-focused manner. The authors then discuss the successful deployment of PKI at Dartmouth College. They claim to have implemented PKI easily and to have made their PKI users self-enrolled. They also report the problems, and their fixes, faced throughout the initial implementation of PKI. Finally, the authors close their papers by discussing future developments in PKI, including the Higher Education Bridge Certificate Authority (HEBCA), which allows campuses to trust users' digital credentials issued by each other's PKI authorities.

2.2 Security Design

2.2.1) Issue: Network Management System Security.

Terlegard [5] proposes a design for a flexible and secure network management system (NMS) that is distributed (which increases scalability and reliability) and includes most of the features a good network management system should have. The system should fit both small companies and enterprises, and it should be divided into separate packages or modules so that one can choose which services to use. The network management systems that exist today are often expensive, proprietary, complex, and lacking in important features (such as security). During this work mostly internal use in companies was kept in mind, i.e. companies that want a network management system to manage their networks and lighten the burden on their network engineers. The paper suggested a new design for a complete management system.

2.2.2) Issue: Security Architecture.

Zoysa [7] describes a new model of security architecture for secure simultaneous transactions between multiple participants. The model comprises a set of new theoretical concepts, new security protocols, and secure multi-party applications, and has been called the Multi-Party Security System (Multi-PaSS). Most of the current secure electronic transaction protocols provide security only between two participants. However, modern electronic transaction concepts have tended to go beyond those between individual Web sites or personal computers connected to the Internet, to constellations of computers, devices and servers that work together in order to deliver broader and richer transaction services. In this scenario, in order to complete a transaction, the users/servers must interact with more than two parties in real time. Therefore, a model of security for such transactions must also simultaneously support multiple participants, which requires a completely new model of network security architecture. Multi-PaSS is such a model. It provides authenticity, integrity, confidentiality, and non-repudiation security services to users and applications, and supports multi-application smart cards, cooperation of different cross-certified public key infrastructures, a single sign-on authentication protocol with multiple verifiers, and secure multi-party transactions with various combinations of multiple originators (signers) and recipients (verifiers).

2.2.3) Issue: Security Design Architecture.

Ingham and Forrest [9] summarize what has been written about firewalls and suggest a firewall architecture to solve the problems of current architectures. Firewalls are network devices that enforce an organization's security policy. Since their development, various methods have been used to implement firewalls. These methods filter network traffic at one or more of the seven layers of the ISO network model, most commonly at the application, transport, network, and data-link layers. In addition, researchers have developed some newer methods, such as protocol normalization and distributed firewalls. Firewalls involve more than the technology to implement them. Specifying a set of filtering rules, known as a policy, is typically complicated and error-prone. High-level languages have been developed to simplify the task of correctly defining a firewall's policy. Once a policy has been specified, the firewall needs to be tested to determine whether it actually implements the policy correctly. Because some data must be able to pass in and out of a firewall for the protected network to be useful, not all attacks can be stopped by firewalls. Some emerging technologies, such as Virtual Private Networks (VPNs) and peer-to-peer networking, pose new challenges for firewalls.
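Two of the points above, that rule sets are error-prone and that a firewall must be tested against the policy it is meant to implement, can be illustrated with a miniature first-match rule evaluator. The following Python is an added example, not code from the thesis or from Ingham and Forrest [9]: it evaluates test packets against an ordered rule list and reports where the result differs from the intended policy, and it detects rules that are completely shadowed by an earlier rule and therefore can never fire. The `Rule` syntax, the rule set and the test packets are constructed; addresses come from private and documentation ranges.

```python
"""Check an ordered firewall rule list against the policy it is meant to implement.

Added example, not from the thesis or from Ingham and Forrest [9]. The
rule syntax, the rule set and the test packets are constructed; addresses
come from private and documentation ranges.
"""
import ipaddress


class Rule:
    """One first-match filtering rule. `dport` is an inclusive (low, high)
    range or None for any port; ICMP packets are given port 0."""

    def __init__(self, action, proto, src, dst, dport=None):
        self.action = action                     # "allow" or "deny"
        self.proto = proto                       # "tcp", "udp", "icmp" or "any"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport

    def matches(self, pkt):
        proto, src, dst, dport = pkt
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport[0] <= dport <= self.dport[1]))

    def covers(self, other):
        """True if every packet `other` could match is also matched by self."""
        if self.proto != "any" and self.proto != other.proto:
            return False
        if not (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)):
            return False
        if self.dport is None:
            return True
        return (other.dport is not None
                and self.dport[0] <= other.dport[0]
                and other.dport[1] <= self.dport[1])


def decide(rules, pkt, default="deny"):
    """First matching rule decides; `default` applies when none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed_rules(rules):
    """Indices of rules completely covered by an earlier rule. Such a rule can
    never fire, which usually means the author's intent is not being enforced."""
    return [i for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


def check_policy(rules, expectations):
    """Run packets through the rules and return (packet, expected, actual)
    for every case where the rule set disagrees with the intended policy."""
    mismatches = []
    for pkt, expected in expectations:
        actual = decide(rules, pkt)
        if actual != expected:
            mismatches.append((pkt, expected, actual))
    return mismatches


# Constructed rule set: a DMZ web server at 10.0.1.10, an internal /8, and
# an SSH rule the author believed restricted management access to 10.0.2.0/24.
RULES = [
    Rule("deny",  "any", "0.0.0.0/0",   "10.0.0.0/8",   (137, 139)),  # block NetBIOS
    Rule("allow", "tcp", "0.0.0.0/0",   "10.0.1.10/32", (80, 80)),
    Rule("allow", "tcp", "0.0.0.0/0",   "10.0.1.10/32", (443, 443)),
    Rule("allow", "tcp", "10.0.0.0/8",  "10.0.0.0/8"),                # internal TCP, any port
    Rule("allow", "tcp", "10.0.2.0/24", "10.0.1.10/32", (22, 22)),    # management SSH
    Rule("deny",  "any", "0.0.0.0/0",   "0.0.0.0/0"),
]

# Packets are (proto, src, dst, dport); the expected action is the intended policy.
EXPECTATIONS = [
    (("tcp", "203.0.113.5", "10.0.1.10", 80),  "allow"),
    (("tcp", "203.0.113.5", "10.0.1.10", 139), "deny"),
    (("udp", "203.0.113.5", "10.0.1.10", 53),  "deny"),
    (("tcp", "10.0.2.7",    "10.0.1.10", 22),  "allow"),
    (("tcp", "10.0.3.5",    "10.0.1.10", 22),  "deny"),   # only 10.0.2.0/24 may use SSH
]

if __name__ == "__main__":
    print("shadowed rule indices:", shadowed_rules(RULES))
    for pkt, expected, actual in check_policy(RULES, EXPECTATIONS):
        print(f"policy violation: {pkt} expected {expected}, rule set gives {actual}")
```

Both checks point at the same defect in the constructed rule set: the "internal TCP, any port" rule at index 3 completely covers the SSH rule at index 4, so the SSH rule is shadowed and any internal host can reach the server on port 22, which the policy test exposes as a mismatch. The shadowing check finds the problem without any test packets; the policy test finds it only if someone wrote the right expectation, which is why both are worth running.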

2.3 Monitoring in security

2.3.1) Issue: DoS and Monitoring in Security.

Habib [10] investigated several methods of detecting DoS (Denial of Service) attacks and showed that there is no single method that fits all possible scenarios. Specifically, in ICMP traceback and probabilistic packet marking mechanisms, the attacker may be able to confuse the victim by sending false ICMP traceback packets and by randomly marking attacking packets. Ingress filters need global deployment to be effective, whereas route-based filters struggle with the dynamic change of routing information. The paper showed that monitoring techniques have the potential to detect DoS attacks at an early stage, before they severely harm the victim. Its argument is based on the fact that a DoS attack injects a huge amount of traffic into the network, which may alter the internal characteristics (e.g., delay and loss ratio) of the network. The monitoring techniques watch for these changes and identify the congested links, which helps in locating the attacker and alerting the victim. The comparative study presented showed several things. First, while marking imposes less overhead than filtering, it is only a forensic method; filtering, on the other hand, is a preventive method that tries to stop attacks before they harm the system. Second, the core-based monitoring scheme has a high deployment cost because it needs to update all edge as well as core routers; however, it has less processing overhead than the stripe-based scheme because it aggregates flow information when it reports to the monitor. Third, the stripe-based monitoring scheme has lower communication overhead than the core-based scheme for relatively small domains; for large domains, however, the core-based scheme may impose less communication overhead, depending on the attack intensity. Fourth, the distributed scheme outperforms the other monitoring schemes in terms of deployment cost and overhead in many of the cases.
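The monitoring idea in the paragraph above, watching each link's delay and loss ratio for the change a flood produces and naming the congested links, can be shown with a small baseline-and-threshold detector. The following Python is an added example, not code from the thesis or from Habib [10]: it learns each link's normal delay and loss during a warm-up window, flags later measurements that exceed mean plus three standard deviations (with a floor so a perfectly steady baseline does not give a zero-width threshold), and reports links flagged on both metrics as congested. The link names, the samples, the warm-up length and the `FLOOR` values are constructed assumptions.

```python
"""Flag congested links from per-link delay and loss samples.

Added example, not from the thesis or from Habib [10]. Learns each link's
normal delay and loss ratio during a warm-up window, then flags ticks where
a link drifts well above that baseline. Link names and measurements are
constructed.
"""
from statistics import mean, pstdev

WARMUP_TICKS = 10
# Minimum spread added to the baseline so a perfectly steady warm-up does not
# produce a zero-width threshold (assumed values).
FLOOR = {"delay_ms": 2.0, "loss": 0.01}


def baselines(samples, warmup=WARMUP_TICKS):
    """Per-link, per-metric alert thresholds: mean + max(3 * stddev, floor)
    over the warm-up ticks."""
    thresholds = {}
    for link in samples[0]:
        thresholds[link] = {}
        for metric in ("delay_ms", "loss"):
            values = [tick[link][metric] for tick in samples[:warmup]]
            thresholds[link][metric] = mean(values) + max(3 * pstdev(values), FLOOR[metric])
    return thresholds


def detect(samples, warmup=WARMUP_TICKS):
    """Return (tick, link, metric, value) for every post-warm-up measurement
    that exceeds its link's threshold."""
    thresholds = baselines(samples, warmup)
    alerts = []
    for t, tick in enumerate(samples[warmup:], start=warmup):
        for link, metrics in tick.items():
            for metric, value in metrics.items():
                if value > thresholds[link][metric]:
                    alerts.append((t, link, metric, value))
    return alerts


def congested_links(alerts):
    """Links flagged on both delay and loss, the combined signature the
    paper associates with a flood passing through a link."""
    flagged = {}
    for _t, link, metric, _value in alerts:
        flagged.setdefault(link, set()).add(metric)
    return sorted(link for link, metrics in flagged.items()
                  if metrics == {"delay_ms", "loss"})


def constructed_samples():
    """13 ticks for two links: both quiet for 10 ticks, then core-edge1
    shows a delay and loss surge while core-edge2 stays normal."""
    quiet_edge1 = [5.0, 5.2, 4.9, 5.1, 5.0, 5.3, 4.8, 5.0, 5.1, 4.9]
    samples = []
    for d in quiet_edge1:
        samples.append({"core-edge1": {"delay_ms": d, "loss": 0.001},
                        "core-edge2": {"delay_ms": 6.0, "loss": 0.002}})
    for d, loss in ((40.0, 0.12), (55.0, 0.20), (48.0, 0.15)):
        samples.append({"core-edge1": {"delay_ms": d, "loss": loss},
                        "core-edge2": {"delay_ms": 6.1, "loss": 0.002}})
    return samples


if __name__ == "__main__":
    alerts = detect(constructed_samples())
    for alert in alerts:
        print("alert: tick %d link %s %s=%s" % alert)
    print("congested links:", congested_links(alerts))
```

On the constructed data only core-edge1 is flagged, on both metrics, for the three ticks of the surge; core-edge2's small 6.0 to 6.1 ms change stays under its threshold. Requiring both delay and loss to rise before naming a link congested is a deliberate choice: a delay rise alone can come from a routing change, while the two together are the signature the text describes.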

2.3.2) Issue: Intrusion Detection.


Stajano and Isozaki [11] have focused primarily on the problems
caused by malicious mobile code such as viruses and worms. They propose
the Cyclical Suicide architecture model to prevent such malicious
software from infecting the machine permanently during a firmware
upgrade. They also show that remotely managed intrusion detection
systems may constitute an effective solution for appliances, much more
so than for PCs. As a note, at the design stage, manufacturers ought to
attempt to limit the maximum damage that the appliance can do if it goes
wrong. At the same time, the debate is open on the issue of liability,
which software vendors have so far skillfully dodged: if an appliance is
attacked and cracked, perhaps all too easily, how much of the blame
should be borne by the manufacturer? Also, if an Internet appliance is
built like a PC, even using the same commodity software components, we
should expect the standard PC security problems to resurface. The issues
discussed in this paper include secure firmware upgrades, intrusion
detection, remote administration and manufacturer liability.

2.4 New Security Approaches

2.4.1) Issue: New Security Approaches.


Ganger [8] describes self-securing network interfaces (NIs), their
features, and examples of how these features allow administrators to more
effectively spot and contain malicious network activity. It presents a
software architecture for self-securing NIs that separates scanning software
into applications (called scanners) running on an NI kernel. The resulting
scanner API simplifies the construction of scanning software and allows its
powers to be contained even if it is subverted. It illustrates the potential via
a prototype self-securing NI and two example scanners: one that identifies
and blocks known e-mail viruses and one that identifies and inhibits
rapidly-propagating worms like Blaster.

2.4.2) Issue: New Security Concepts.


Nagle [13] proposes a new approach to network security in which each
individual device erects its own security perimeter and defends its own
critical resources. Together with conventional border defenses (e.g.,
firewalls), such self-securing devices could provide a flexible
infrastructure for dynamic prevention, detection, diagnosis, isolation, and
repair of successful breaches in borders and device security perimeters.
Managing network security is difficult in current systems, because a small
number of border protections are used to protect a large number of
resources. The paper plans to explore the fundamental principles and
practical costs/benefits of embedding security functionality into
infrastructural devices, such as network interface cards (NICs),
network-attached storage (NAS) devices, video surveillance equipment, and
network switches and routers. It offers several examples of how different
devices might be extended with embedded security functionality and
outlines some of the challenges of designing and managing self-securing
devices.

2.5 General Network Security

2.5.1) Issue: Taxonomy of Network Security Assessment Techniques.


Shostack and Blake [21] present a taxonomy of methods for testing if a
target is vulnerable to a particular attack. Network security testing tools
have existed for several years, and are coming into wider use as an
expected component of a penetration test or security audit. However, the
capabilities and limitations of these tools are poorly understood outside of
the tiny, separated groups working on the tools. The paper attempts to
bring order to the methods for algorithmically determining vulnerability to
known problems. It uses vulnerability in a loose sense which includes not
only software design errors and implementation flaws, but also
misconfigurations and questionable user decisions (such as using weak
passwords).

2.5.2) Issue: Extension to current Network Protocols.


Urtubia [22] proposes an extension to ARP (Address Resolution
Protocol) that adds cryptographically strong authentication. The ARP
protocol has a major flaw in the dynamic updating of the ARP cache: it
lacks an authentication mechanism that works. This flaw has been
recognized for a long time, and has been heavily exploited. The use of this
vulnerability is called ARP poisoning, and its widespread use is an
important issue that needs to be addressed. Current solutions provide only
partial protection, while compromising other aspects of the original ARP
protocol. In this paper, the extension to the ARP protocol has been
designed so that it retains most of the protocol's flexibility while
focusing on providing not only authentication, but also flexibility,
backward compatibility and security.
2.5.3) Issue: Electronic Mail Security.
Josefsson [6] compares the Domain Name System (DNS) and the
Lightweight Directory Access Protocol (LDAP) for use as a certificate
lookup service. In particular, it focuses on the application of secure
electronic mail, used to send messages between persons using the Internet.
It demonstrates that the idea of storing certificates in DNS is practical by
building a prototype. It also discusses and proposes solutions to a
perceived privacy threat, introduced by recent additions to the Domain
Name System protocol. The major problem for a distributed security
system is the management of cryptographic keys. Public key techniques
are often used to overcome many of the problems. However, successful
use of public key techniques in large systems such as the Internet requires
a certificate directory, that is, a mechanism to locate and retrieve the public
keys.

2.5.4) Issue: Internetworking.


Wolthusen [12] discusses the enhancement of security in general
purpose operating systems, especially related to threats caused by
internetworking, using extensions to operating systems. Such mechanisms
have a significantly larger basis for reaching security policy decisions than
older host-level security mechanisms and firewalls. By layering defensive
mechanisms yet enforcing a consistent security policy across the security
layers, goals such as workload distribution, vulnerability
compartmentalization, and hierarchical refinement of security policies can
be achieved.

Chapter 3

KSU NETWORK SECURITY

Before year 1420H, buildings were connected to each other using FDDI
technology as a backbone and Ethernet 10Base2 (thin coaxial cables) for
edge device connectivity. This means that the maximum speed between
buildings was 100 Mbps shared at the same time by all buildings, and the
end-user speed was 10 Mbps shared at the same time by all users, i.e. no
segmentation at all. The topology used was a bus topology.

In 1420H, the KSU network was migrated from FDDI to an ATM
(Asynchronous Transfer Mode) network at the core level, with Ethernet
10Base-T (UTP cables) for the users, except Building 19 and the computer
centers in the Engineering College (Building 3) and the Computer College
(Building 4), where users have Fast Ethernet 100Base-T. There were
about 3000 network nodes for the end users in Deriah, covering 16
buildings (see Figure 3.1).

The KSU network can be divided into the following:

1- Backbone Network: Core switches (ATM).


The KSU network has 14 ATM switches in 14 buildings in Deriah. Each
ATM switch acts as the core switch that connects its building to the
core network and also as the distribution switch that connects the edge
switches in that building (see Figures 3.2 and 3.3). The topology used
in the backbone is a star topology.

All ATM switches are from the Marconi company (formerly FORE
SYSTEMS). They consist of 3 ASX 1000 switches and 11 ASX 200BX
switches.

The switch in the Building 18 main computer center is an ASX 1000 of
10 Gig capacity (4 switching fabrics x 2.5 Gig); the switches in Buildings
3 and 4 are ASX 1000 of 5 Gig capacity (2 switching fabrics x 2.5 Gig).
All other buildings each have a 200BX switch of 2.5 Gig capacity.

All switches in all buildings are connected to Building 18 except
Building 20, which goes directly to Building 3. All these links are OC-12
(622 Mbps) on single mode fiber cable of 12 cores.
Figure 3.1: Buildings in KSU Deriah

Figure 3.2: ATM Backbone in KSU Deriah

Figure 3.3: Main and backup ATM Backbone links

There are also backup links between pairs of buildings. These links are
OC-3 (155 Mbps) on single mode fiber cable. These backup links help in
case a problem occurs in the main link between a building and the main
computer center in B.18, but if the ATM switch in that building goes
down, the whole building is disconnected.

2- New Core switches (Ethernet-6513):

In 1427H, two new core switches were installed: one in the main
computer center (B.18) and the other in the TV broadcasting center (B.8).
The two switches are Gigabit Ethernet switches from Cisco (6500 series).
In the main computer center, the new switch was installed beside the main
ATM switch to facilitate the connectivity of the new projects and the new
equipment, since the common technology now is Gigabit Ethernet. In the
TV broadcasting center (B.8), the new switch replaced the ATM switch
(ASX 200BX) and is connected to the new switch in the main computer
center.

3- LANs in buildings:
As mentioned earlier, the ATM switches act as the core switches of the
backbone network and also as the distribution switches that connect the
edge switches inside the buildings. All the links between the ATM switch
and the edge switches are OC-3 (155 Mbps), and the cables are multimode
fiber optics. The topology used in the buildings is a star topology.

All the edge switches (access switches) are from the Enterasys
company (formerly Cabletron). There are 133 switches from Cabletron in
KSU buildings in Deriah; this includes the main computer center in B.18.
There are some other switches in Deriah from different companies (Cisco,
3Com), but they are considered attached networks to the Cabletron
switches. The major part of the Cabletron switches are 10Base-T switches
(Ethernet) of the model Cabletron SmartSwitch 2200 (2E42-27). The
second part are 10/100Base-T switches (Fast Ethernet) of the model
Cabletron SmartSwitch 2200 (2H252-25R).

The Cabletron switches use a special switching mode called
"SecureFast". It uses the Virtual Link State Protocol (VLSP), which is a
modification of the Open Shortest Path First (OSPF) protocol (RFC 1247)
that allows SecureFast switches to support more features, such as full
active mesh topologies, best end-to-end path determination, call
distribution over equal cost paths and automatic call re-routing upon
network link or switch failure.

In the Cabletron switches, Ethernet frames are converted into ATM
cells and vice versa. These switches are equipped with an ATM up-link, so
two Ethernet users on different switches can talk to each other over ATM
transparently, or an Ethernet user can access a mainframe or a main server
over ATM. To make this happen, LAN Emulation (LANE) is used.

LANE is a way to connect legacy LAN networks to ATM, so users get
most of the benefits of IP networks together with ATM features. The ATM
cloud is transparent to IP networks and users. IP is carried in a
connection-oriented technique, so the LANE layer acts as the carrying
medium for the links between the Cabletron switches.

Emulated LANs (ELANs) are used to connect the Ethernet segments in
Deriah over the ATM backbone. There are four categories of ELANs
implemented (see Figures 3.4 and 3.5):

i. ELANs for backbone connectivity, called Backbone Discovery ELANs.
There are 3 backbone discovery ELANs:

SFBACKBONE1
SFBACKBONE2
SFBACKBONE3

ii. ELANs for building connectivity, called Building Discovery ELANs.
There are 13 ELANs:

BLD2, BLD3, BLD4, BLD5, BLD8, BLD14, BLD15, BLD16, BLD19, BLD20,
BLD23, BLD27, BLD34

iii. ATM attached devices ELANs. There is an IBM390 ELAN to connect the
Mainframe.

iv. Management ELAN, which is mainly used to access the ATM switches for
managing them and to connect the WAN Router.

4- Structured Cabling:
A structured cabling system means, according to the standard, a clear
star topology with a specified type of cable for each area, more
termination points for flexible cable management and easy fault
isolation, and scalability as well. The cabling system is based on the
LUCENT SYSTIMAX structured cabling system.

The work area wiring subsystem consists of the outlets (wall boxes and
face plates), wiring, connectors and patch cords that connect work area
equipment (PCs) via the cable system to the utility rooms
(telecommunication closets on each floor).

The cabling used to connect PCs to the utility rooms is UTP CAT5 from
LUCENT, which supports rates up to 155 Mbps. The maximum run distance is
90 meters plus 10 meters for patch cords and drop cables.
Figure 3.4: Ethernet to ATM Connectivity (ELANs)

Figure 3.5: ELANs structure in KSU Deriah

Utility rooms contain UTP patch panels, UTP cables and patch cords, all
of which connect PCs to switches. These utility rooms also hold the edge
switches (Cabletron switches). There is one main utility room in each
building that holds the ATM backbone switch. All the fiber links (called
vertical risers) going from this ATM switch to the edge switches in a
building are indoor 4-core multimode cable between each switch in the
utility room and the main utility room (allowed maximum distance is 2000
meters).
Across the campus, outdoor 12-core single mode fiber cable runs between
the main utility rooms and the main computer center, as well as between
adjacent buildings for the backup links.
The outlets are labeled with an agreed format in all the buildings; in
this way, the professionals can solve problems remotely, since they can
trace any outlet in any building through its label.

5- WAN Router (7507):

There is one WAN router, a Cisco model 7507. This router connects the
KSU networks in branches such as the community colleges in Aflaj and
Majma'ah, and other branches. It uses the Saudi Telecom Company's network
to connect to the branch networks. This includes analog lines
(traditional leased lines), Digital Data Network lines (DDN), and MPLS
(Akeed service).

It is important to mention that the Ulaishah and Malaz networks are
connected to the KSU Deriah network through the new Gigabit Ethernet
switch in the TV broadcasting center (B.8). The Ulaishah network is
connected through single mode fiber optics from Deriah (B.8) to Ulaishah
(B.4) at a speed of 1 Gbps. The Malaz network is connected by a microwave
link with a speed of 8 E1's (16 Mbps).
6- Internet Router (7206):

There is one Internet router (Cisco 7206), which is used to connect the
KSU network to the Internet provider. Currently, KSU is connected to the
Internet Service Unit (ISU) of King Abdulaziz City for Technology and
Sciences (KACST). It is connected at a speed of 34 Mbps through an ATM
link provided by STC.

7- NO wireless network:

There is NO official Wireless network in KSU Deriah.


8- IBM Old network:

There is an old network related to the old Mainframe that still exists
and is used by KSU employees. The Mainframe network consists of control
units, which are connected to the Mainframe directly, and terminals,
which are connected to the control units with coaxial cables. The protocol
used is SNA. It is important to mention that there is Windows software
that emulates the terminal screen on a normal PC and connects to the
Mainframe over the TCP/IP network. This software is widely used in KSU as
a replacement for the old terminals.

9- Remote Access Server (RAS):

There are two official Remote Access Servers in the main computer
center. Both are from Lucent and are called Ascend MAX TNT. One of them
uses the traditional analog lines, while the other uses digital lines
(E1's). There is a special zone for the RAS services that holds the two
mentioned RAS's, their authentication servers (RADIUS), and a Linux
firewall (see Figure 3.6).

10- Network Management System (NMS):

The network management system has two parts: the VLAN Manager and
SPECTRUM. The VLAN Manager is a tool to manage all the VLANs implemented
in KSU Deriah, and only on the SecureFast switches. SPECTRUM is an
enterprise management tool that monitors and manages the network
equipment used in the KSU network. Currently, SPECTRUM is not used.
11- The Old and the new IBM Mainframes:

In 1428H, a new Mainframe, an IBM 890z, was installed in KSU. This
mainframe is connected to the new Gigabit Ethernet core switch in the
main computer center (B.18). The connection type is Fast Ethernet (UTP
cable). All the end users are using this new mainframe. The old Mainframe
(OS 390) is still connected through the ATM and is still used by the
Mainframe Department in the main computer center.

12- Email Server:

There is a centralized email server for KSU employees (except the
Computer College). This server is connected to the SecureFast switches
with a Fast Ethernet link. It is from SUN and has the model Ultra 5000.
Figure 3.6: Remote access server Zone (RAS)
13- Internet Proxy:

There is a proxy appliance in the demilitarized zone (DMZ1). It is
from Bluecoat (8000-1) and is used as a proxy server for all the
HTTP/HTTPS traffic (browsing the Internet) from all users.

14- Bandwidth management:

In 1427H, KSU purchased a bandwidth management appliance to manage
the bandwidth of the network users who are accessing the Internet. It is
from Packeteer and has the model Packeteer 10K. It is claimed that it can
specify the maximum bandwidth for each user (say 10 kbps), and in this
way browsing will be enhanced for all the users.

• The Security aspects of KSU Computer Network:

We can summarize the security aspects of the KSU computer network in
the following:

1- Internet Firewall:

There is a main firewall located before the Internet router (Cisco
7206). It has four interfaces: one for the Internet, the second for the
KSU LAN, the third for DMZ1, and the fourth for DMZ2. DMZ1 is used for
the common services like the proxy and the email relay, while DMZ2 is for
the colleges' web servers (see Figure 3.7).
2- RAS Firewall:

There is a firewall in the RAS zone (see Figure 3.6). It is software
installed on a Linux server.

3- AntiVirus System:

There is a centralized antivirus server located in the main computer
center, and its clients are installed on the PCs. The enterprise
antivirus server updates itself by accessing the Internet, and then it
updates all the PCs. The antivirus server is from TrendMicro, and it
supports about 5000 PCs including branches. This server is connected to
the SecureFast switches with a Fast Ethernet link.
Figure 3.7: DMZ Zones and Internet Firewall

4- Patch management server:

There has been a patch management server installed in the network since
1426H. It can patch the registered clients with the new patches released
by Microsoft. This server does not have all the PCs registered; only a
small part of KSU's PCs are registered.

5- No Active Directory:

There are NO domain controllers or Active Directory in the KSU Deriah
network except in the Computer College and the Engineering College.
Anyone from outside the University can come and connect his/her laptop
to KSU's network; it will get an IP address from DHCP, and then he/she
can access the network services.

6- Email Relay:

There is an email relay located in DMZ1, and it has antivirus and
anti-spam software that checks all the emails for viruses and spam.

7- VLANs:

A VLAN (Virtual LAN) is a logical grouping of switch ports or
endpoints which defines a layer 2 broadcast domain. A VLAN is
independent of any particular physical or geographical location. In other
words, endpoints that share a virtual LAN appear to be on a single LAN
segment, regardless of their actual location. VLANs extend direct
communication between users beyond the constraints of a physical LAN
segment by allowing users on multiple physical LAN segments to be
administratively grouped. In a traditional routed network, direct
communication between these endpoints would not be possible, because
the users are not all physically located on the same LAN segment. In a
VLAN environment, the physical boundaries imposed by traditional
solutions are removed and direct communication is possible.

There is heavy use of VLANs in KSU Deriah's network. There is a VLAN
created for each building, and there is a VLAN created for the main
services. There is also a VLAN created for DMZ2 to make it easy to
connect the college web servers to the Internet. In addition to these
VLANs, there is a VLAN created to stop anyone violating the network
usage rules. Table 3.1 below shows all the VLANs in Deriah's network.
See also Figure 3.8 for the relationships between the VLANs.

In Figure 3.9, the current KSU network architecture is shown.

VLAN Name   | Buildings                                   | Notes
------------|---------------------------------------------|------------------------------
BASE        | All buildings                               | Network devices
SERVERS     | All buildings                               |
DMZ2        | --                                          | For connecting college web servers
Penalty_Box | --                                          | For stopping anyone violating network usage rules
DHCP        | All buildings except CCIS and Medical college |
CCIS        | Computer college                            |
B.2         | Agriculture college                         |
B.3         | Engineering college                         |
B.4+5       | Science college                             |
B.8         | TV broadcasting center                      |
B.14        | Administrative sciences college             |
B.15        | Education college                           |
B.16        | Arts college                                |
B.17        | Building 17                                 |
B.18        | Main computer center                        |
B.19        | Building 19                                 |
B.20        | Maintenance Department                      |
B.23        | Pharmacy college                            |
B.27        | Library                                     |
B.34        | Medical college                             |

Table 3.1: VLANs in KSU Deriah



Figure 3.8: Relationships between the VLANs (the SERVERS and DHCP VLANs
linked to the building VLANs B.2, B.3, B.4, B.5, B.8, B.14, B.15, B.16,
B.17, B.18, B.19, B.20, B.23, B.27, B.34, CCIS, DMZ2 and Penalty_BOX)


Figure 3.9: Current KSU Network Architecture

Chapter 4

Study and Analysis

To study and analyze the KSU network security architecture, we
should use an assessment methodology. We have called this assessment
"network security assessment". Let us start by explaining our methodology
for doing this assessment.

4.1 Methodology of the network security assessment

The scope of the network security assessment will cover the KSU Deriah
network, focusing on the network architecture of the main services. We
should note that a network security assessment is not an information
security assessment: it covers up to layer 3 of the Open Systems
Interconnection model (OSI model).

Usually, there are some tasks that should be done within the network
security assessment but they are not mentioned explicitly in the methodology.
For example, reporting the results after doing the penetration testing.

The methodology of the network security assessment will follow GRPG
(in order), which stands for: Gather information, Risk assessment,
Penetration testing, and Gap analysis. Risk assessment consists of asset
identification, threat assessment, vulnerability assessment, and risk
value. Penetration testing contains two parts: internal penetration
testing and external penetration testing. Tools will be used throughout
the whole assessment, such as network scanning tools, vulnerability
assessment tools, and network analyzers.

• The Methodology in more details (GRPG):

G: Gather information
Gather information about current network security. This includes network/
security drawings, IP addresses, and any related and available information.

R: Risk Assessment
To understand the risk assessment process, it is essential to define the term
risk. National Institute of Standards and Technology (NIST) defines risk as “a
function of the likelihood of a given threat source’s exercising a particular
potential vulnerability, and the resulting impact of that adverse event on the
organization.” In other words, where a threat intersects with vulnerability, risk
is present. Risk assessment consists of:

1- Asset Identification:
This stage will identify the network assets according to their
criticality to KSU.

2- Threat Assessment:
This stage will identify the current attacks and threats within the
network. A lot of information must be analyzed to discover those attacks
and threats, since there are thousands of PCs connected to KSU's network.
We should find the average threat value for the related assets, to be
used in finding the final risk value for each asset. As in Stoneburner
[33], and since we have three levels for each threat (High, Medium, and
Low), we have used the values 0.1, 0.5, and 1 for the Low, Medium, and
High levels respectively, so that the severity of each threat is
reflected in the final value for each asset.

3- Vulnerability assessment:
A network vulnerability assessment is designed to report on network
configuration flaws and security holes that an intruder can take advantage
of. We will find the average vulnerability value for each asset by dividing
the number of vulnerabilities by the number of assets in each zone. Then,
as in the threat assessment, we will find one vulnerability value for
each asset by using:
Final value = 0.1 x (Low) + 0.5 x (Medium) + High

4- Risk value:
The value of the risk will be estimated according to Asset
identification, threat assessment, and vulnerability assessment. Risk value
will be calculated by multiplying average of Asset value, threat value, and
vulnerability value for each category of assets as in Yazar [32]. That is:

Risk Value = Asset Value x Threat Value x Vulnerability Value
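The four risk assessment steps above, carried through in code as an added example (not from the thesis): asset criticality from C, I, A; the 0.1/0.5/1 threat and vulnerability weights; the per-asset averages; and the final product. The PC zone uses the page's own C/I/A and vulnerability counts; the asset counts, the threat-level list per zone and the second zone's values are constructed assumptions.

```python
"""Risk value computation for the GRPG risk assessment.

Added illustration, not code from the thesis. Asset counts per zone and
the list of threat levels per zone are constructed sample inputs.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Weights for Low / Medium / High used in both the threat and the
# vulnerability assessment (Stoneburner [33]); level 1, 2, 3 as in Table 4.2.
LEVEL_WEIGHT: Dict[int, float] = {1: 0.1, 2: 0.5, 3: 1.0}


def criticality(c: int, i: int, a: int) -> int:
    """Asset value: (C + I + A) / 3 rounded, on the 3:High, 2:Medium, 1:Low scale."""
    for v in (c, i, a):
        if v not in LEVEL_WEIGHT:
            raise ValueError("C, I and A must each be 1, 2 or 3")
    # Three integers divided by 3 never give an exact .5, so round() has no tie.
    return round((c + i + a) / 3)


def threat_value(levels: List[int]) -> float:
    """Average threat value: mean of the weights of the threats observed for a zone.
    A zone with no observed threats gets 0."""
    if not levels:
        return 0.0
    return sum(LEVEL_WEIGHT[lvl] for lvl in levels) / len(levels)


def average_per_asset(high: int, medium: int, low: int, n_assets: int) -> Dict[str, float]:
    """Turn raw vulnerability counts (Table 4.3) into per-asset averages (Table 4.4)."""
    if n_assets <= 0:
        raise ValueError("a zone must contain at least one assessed asset")
    return {"high": high / n_assets, "medium": medium / n_assets, "low": low / n_assets}


def vulnerability_value(high: float, medium: float, low: float) -> float:
    """Final value = 0.1 x Low + 0.5 x Medium + High."""
    return LEVEL_WEIGHT[1] * low + LEVEL_WEIGHT[2] * medium + LEVEL_WEIGHT[3] * high


def risk_value(asset_value: float, threat: float, vulnerability: float) -> float:
    """Risk Value = Asset Value x Threat Value x Vulnerability Value (Yazar [32])."""
    return asset_value * threat * vulnerability


@dataclass
class Zone:
    name: str
    cia: tuple            # (C, I, A) on the 1..3 scale
    vulns: tuple          # raw (High, Medium, Low) vulnerability counts
    n_assets: int         # number of assets assessed in the zone (assumption)
    threat_levels: List[int] = field(default_factory=list)  # 3/2/1 per observed threat

    def assess(self) -> Dict[str, float]:
        """All four values for the zone, rounded to two decimals where fractional."""
        avg = average_per_asset(*self.vulns, self.n_assets)
        asset = criticality(*self.cia)
        threat = threat_value(self.threat_levels)
        vuln = vulnerability_value(avg["high"], avg["medium"], avg["low"])
        return {"asset": asset, "threat": round(threat, 2),
                "vulnerability": round(vuln, 2),
                "risk": round(risk_value(asset, threat, vuln), 2)}


def rank_zones(zones: List[Zone]) -> List[str]:
    """Zone names from highest to lowest risk value, for prioritising remediation."""
    return [z.name for z in sorted(zones, key=lambda z: z.assess()["risk"], reverse=True)]


# Constructed sample. The PC zone uses the page's C/I/A (1, 2, 1) and the
# Table 4.3 counts over the 15 sampled PCs (one per building); the threat levels
# (the 14 values of Table 4.2, assigned here to the PC zone) and the
# internal-server asset count are assumptions for illustration only.
SAMPLE_ZONES = [
    Zone("PC's", (1, 2, 1), (105, 60, 375), 15,
         [3, 3, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1]),
    Zone("Internal servers", (3, 3, 3), (93, 102, 23), 45, [2, 2, 1]),
]

if __name__ == "__main__":
    for z in SAMPLE_ZONES:
        print(z.name, z.assess())
    print("remediation priority:", rank_zones(SAMPLE_ZONES))
```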



P: Penetration testing
Penetration testing can be overt or covert. The overt involves performing a
penetration test with the knowledge and consent of the organization's IT staff.
The covert involves performing a penetration test without the knowledge of
the organization's IT staff but with knowledge of the management. We will
use the covert approach. There are two types of penetration testing:

1- Internal Penetration Testing:

Internal penetration testing usually comes after the external penetration
testing, since testers like to simulate hackers who do not know much
information about the internal network. In my methodology, I started with
the internal penetration testing to make the external penetration testing
more effective, so that the recommendations later on will be stronger from
a security point of view.

2- External Penetration Testing:

External penetration testing will try to penetrate the network security
to get access to the main KSU services.

G: Gap analysis:
Gap analysis will be started after getting the reports from the threat
assessment, the internal penetration testing, and the external penetration
testing; these will be analyzed against the network security related
aspects of the BS ISO/IEC 17799:2005 international standard.

We will follow this methodology (the GRPG) within this chapter.

4.2 Gathering information

We have gathered the information about current network security in
KSU as described in Chapter 3. This includes network drawings, IP
addresses, and the related and available information. Unfortunately, after
completing the review of the KSU network and documenting the information,
a sudden and major change was decided and executed quickly. The decision
was to remove all the equipment of the KSU network in Deriah and replace
it with newer equipment. This included changing all the IP addresses and
the configuration of the network. We faced a major challenge, since no
documentation was available at KSU for the new network, and we started to
find the information using some tools in order to obtain what was needed
to complete our network security assessment. The new network has 4 core
switches in the Deriah campus: 2 in Building 18, one in Building 3, and
the fourth in Building 8. It also has 30 distribution switches, 2 in each
building, and 250 access switches to connect the users in all buildings.
We have updated the KSU network architecture as depicted in Figure 4.1.
In this stage, and since there was no documentation for the new network,
we used a tool called "SuperScan" to discover the new IP scheme. We used
it to scan the whole 10.0.0.0 subnet, which means 16 million IP addresses,
and the software took 6 days to complete the scan. The number of live
hosts found by the scan was 2127 computers connected to the network.

Figure 4.1: Latest KSU Network Architecture

4.3 Risk Assessment

After we have got the needed information about the current KSU
network security, we have started Risk Assessment following our
methodology mentioned earlier. Risk Assessment consists of Asset
Identification, threat assessment, vulnerability assessment, and Risk value.

4.3.1 Asset Identification


We have divided the network into 5 different zones from the assets
point of view: core and distribution switches, access switches, Internet
servers, internal servers, and PCs (as shown in Figure 4.1). Each asset
zone has a value according to its criticality to KSU. It can be
calculated by understanding the Confidentiality, Integrity, and
Availability factors for each asset (the CIA concept). We have calculated
the asset identification as shown in Table 4.1. The values for C, I, A
and Criticality were approved by the IT manager in KSU.

Scale: 3: High, 2: Medium, 1: Low

Asset zone                     | C | I | A | Criticality ((C+I+A)/3, rounded)
-------------------------------|---|---|---|---------------------------------
Core and Distribution Switches | 3 | 3 | 3 | 3
Access switches (Edge)         | 2 | 3 | 2 | 2
Internet Servers               | 2 | 3 | 3 | 3
Internal servers               | 3 | 3 | 3 | 3
PC's                           | 1 | 2 | 1 | 1

Table 4.1: Asset Identification



4.3.2 Threat Assessment

In this stage, we identify the current threats within the network. Since
the network is big and has thousands of PCs, it is very difficult to
identify every threat for every device connected to the network. It also
needs a professional tool that can deal with such a situation. We have
chosen an excellent and expensive tool called "IBM ISS Anomaly Detection
System (ADS)"; more information about this tool is in Appendix B. This
tool is an appliance that receives the network traffic and analyzes it to
find the threats. It is very important to choose the best location in the
network, so we obtained the approval of the IT computer center in KSU to
mirror all KSU traffic going to the main gateway in Deriah to our ADS
appliance. The appliance should receive the traffic for at least one
month to give good results. The identified threats are listed in Table 4.2
(for more details about each threat, kindly see Appendix A).
From Table 4.2, the number of PCs (clients) that are considered a source
of threat is huge. According to the information gathering stage, this
means that at least 26% of the PCs are considered to be a source of
threat. See Figure 4.2. Also, from the table, we can see that many threats
are considered "ongoing", which means that there is no monitoring at KSU
for security threats.

Figure 4.2: Percentage of source-of-threat PC's (source of threat PC's:
26%; remaining PC's: 74%)


NO. | THREAT | VALUE (3:HIGH, 2:MEDIUM, 1:LOW) | BEHAVIOR* | TRAFFIC ON LAST 24H (AVG/MAX) | TRAFFIC ALERTS | FIRST ALERT | LAST ALERT
----|--------|--------------------------------|-----------|-------------------------------|----------------|-------------|-----------
1  | Phishing Hosting Server Traffic Identification | 3 | - | 0 bps / 0 bps | 2 clients | 18:34 10/02/07 | 4 days 8h15m
2  | Korgo Worm | 3 |  | 406.60 bps / 15.71 kbps | 9 clients | 13:36 10/02/07 | 2h10m
3  | FreeVideo Player Trojan | 2 |  | 28.46 bps / 450.27 bps | 11 clients | 12:52 10/02/07 | 1h39m
4  | Host Scans | 2 |  | 112.22 kbps / 220.43 kbps | 104 clients | 12:39 10/02/07 | Ongoing
5  | Dark IP Traffic | 2 |  | 111.70 kbps / 220.25 kbps | 137 clients | 12:39 10/02/07 | 1h47m
6  | The Onion Routing (TOR) Traffic Identification | 2 |  | 37.99 bps / 49.92 bps | 6 clients | 12:40 10/02/07 | Ongoing
7  | Nebuler Trojan Variants | 2 |  | 3.93 bps / 6.40 bps | 2 clients | 16:09 10/03/07 | Ongoing
8  | Port Scans | 2 |  | 0.16 bps / 5.97 bps | 28 clients | 13:33 10/02/07 | 2h03m
9  | Virut Variants | 2 | - | 0 bps / 0 bps | 1 client | 05:19 10/25/07 | 6 days 8h45m
10 | Microsoft Well Known Service Scans | 2 |  | 111.70 kbps / 220.24 kbps | 97 clients | 12:39 10/02/07 | Ongoing
11 | Worm on TCP/445 | 2 |  | 101.50 kbps / 188.30 kbps | 80 clients | 12:35 10/02/07 | Ongoing
12 | Voice over IP (VoIP) Traffic Identification: Skype | 2 |  | 2.11 bps / 56.32 bps | 65 clients | 12:40 10/02/07 | Ongoing
13 | Worm on TCP/135 | 1 |  | 11.20 kbps / 40.46 kbps | 25 clients | 12:35 10/02/07 | 4h54m
14 | Remote Access Application(s) Traffic Identification: Famatech Radmin | 1 | - | 0 bps / 0 bps | 2 clients | 13:22 10/06/07 | 3 weeks 1 day 4h10m

Behavior*: for more details about each threat, kindly see Appendix A

Table 4.2: Identified Threats


We have looked at all the identified threats to find the Assets that create
these threats. We have found that 98.6% of the threats sources are from PC’s,
0.5% from KSU servers, and 0.9% from Global IP’s. See Figure 4.3.

Figure 4.3: Percentage of Threat Sources (bar chart, number of assets: PC's 561 (98.60%), Servers 3 (0.50%), Global IP's 5 (0.90%))



4.3.3 Vulnerability Assessment

The vulnerability assessment output was huge: 1300 pages. We have revised it
to produce Table 4.3, shown below. For the PC's, we selected one PC in each
building in Deriah and then found the average number of vulnerabilities per
PC. To compare the vulnerability assessment results between the asset zones,
we need the average number of vulnerabilities per asset. We found this
average by dividing the number of vulnerabilities by the number of assets in
each zone, as shown in Table 4.4. Also, in this table, we have derived one
value for the vulnerabilities of each asset, since we have Low, Medium, and
High counts. We used the weights 0.1, 0.5, and 1 for the Low, Medium, and
High levels respectively, so that the final value for each asset reflects
the severity of its vulnerabilities. We can see from Table 4.4 that PC's are
the most vulnerable assets among the others. For more details about the
vulnerabilities, see Table 4.5.

Asset zone | Identified Vulnerabilities: High | Medium | Low | Notes
Core and Distribution Switches | 23 | 19 | 0 |
Access switches (Edge) | 68 | 45 | 0 |
Internet Servers | 14 | 16 | 5 |
Internal servers | 93 | 102 | 23 |
PC's | 105 | 60 | 375 |

Table 4.3: Identified Vulnerabilities for asset zones



Asset zone | Average number of vulnerabilities per asset: High | Medium | Low | Final value (0.1 Low + 0.5 Medium + High)
Core and Distribution Switches | 1 | 0.83 | 0 | 1.42
Access switches (Edge) | 1 | 0.65 | 0 | 1.33
Internet Servers | 1 | 1.14 | 0.36 | 1.61
Internal servers | 2.1 | 2.27 | 0.51 | 3.29
PC's | 7 | 4 | 25 | 11.5

Table 4.4: Average number of Vulnerabilities per asset and the final value

Asset zone: some important vulnerabilities

Core and Distribution Switches

1- Description: The remote host is running a telnet server. Using telnet is not recommended as logins, passwords and commands are transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials of other users.
   Solution: Disable this service and use SSH instead.
   Risk Factor: Medium / Common Vulnerability Scoring System (CVSS) Base Score: 4

2- Description: The remote /bin/login seems to crash when it receives too many environment variables. An attacker may use this flaw to gain a root shell on this system.
   See Also: http://www.cert.org/advisories/CA-2001-34.html
   Solution: Contact your vendor for a patch.
   Risk Factor: High
   Common Vulnerabilities and Exposures (CVE): CVE-2001-0797

3- Description: It was possible to make the remote Axent raptor freeze by sending it a IP packet containing special options (of length equals to 0). An attacker may use this flaw to make your firewall crash continuously, preventing your network from working properly.
   Solution: Filter the incoming IP traffic containing IP options, and contact Axent for a patch.
   Risk Factor: High
   CVE: CVE-1999-0905

Access switches (Edge)

1- Description: The remote host is running a telnet server. Using telnet is not recommended as logins, passwords and commands are transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials of other users.
   Solution: Disable this service and use SSH instead.
   Risk Factor: Medium / CVSS Base Score: 4

2- Description: It was possible to make the remote Axent raptor freeze by sending it a IP packet containing special options (of length equals to 0). An attacker may use this flaw to make your firewall crash continuously, preventing your network from working properly.
   Solution: Filter the incoming IP traffic containing IP options, and contact Axent for a patch.
   Risk Factor: High
   CVE: CVE-1999-0905

Internet Servers

1- Description: It was possible to crash the remote system using the 'oshare' attack. An attacker may use this problem to prevent your site from working properly.
   Solution: Contact your vendor for a patch.
   Risk Factor: High
   CVE: CVE-1999-0357

2- Description: It was possible to crash the remote host by sending a specially crafted IP packet with a null length for IP option #0xE4. An attacker may use this flaw to prevent the remote host from accomplishing its job properly.
   Risk Factor: High
   CVE: CVE-2005-2577

3- Description: The remote host appears to be running a version of Apache which is older than 1.3.29. There are several flaws in this version, which may allow an attacker to possibly execute arbitrary code through mod_alias and mod_rewrite.
   Solution: Upgrade to version 1.3.29.
   See Also: http://www.apache.org/dist/httpd/Announcement.html
   Risk Factor: High
   CVE: CVE-2003-0542

Internal servers

1- Description: It was possible to make the remote Axent raptor freeze by sending it a IP packet containing special options (of length equals to 0). An attacker may use this flaw to make your firewall crash continuously, preventing your network from working properly.
   Solution: Filter the incoming IP traffic containing IP options, and contact Axent for a patch.
   Risk Factor: High
   CVE: CVE-1999-0905

2- Description: It is possible to obtain the default community names of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system (if the default community allows such modifications).
   Solution: Disable the SNMP service on the remote host if you do not use it, filter incoming UDP packets going to this port, or change the default community string.
   Risk Factor: High / CVSS Base Score: 7.5

3- Description: The Telnet server does not return an expected number of replies when it receives a long sequence of 'Are You There' commands. This probably means it overflows one of its internal buffers and crashes. It is likely an attacker could abuse this bug to gain control over the remote host's superuser.
   See Also: http://www.team-teso.net/advisories/teso-advisory-011.tar.gz
   Solution: Disable the telnet service by, for example, commenting out the 'telnet' line in /etc/inetd.conf.
   Risk Factor: High / CVSS Base Score: 10.0

PC's

1- Description: The remote host is vulnerable to heap overflow in the 'Server' service which may allow an attacker to execute arbitrary code on the remote host with the 'System' privileges. In addition to this, the remote host is also vulnerable to an information disclosure vulnerability in SMB which may allow an attacker to obtain portions of the memory of the remote host.
   Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003: http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
   Risk factor: High / CVSS Base Score: 7.5
   CVE: CVE-2006-1314, CVE-2006-1315

2- Description: The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation which may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be authenticated to exploit this flaw.
   Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003: http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx
   Risk factor: High / CVSS Base Score: 10.0
   CVE: CVE-2005-1206

3- Description: The remote host contains a version of the Print Spooler service which is vulnerable to a security flaw which may allow an attacker to execute code on the remote host or crash the spooler service.
   Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003:
   Risk factor: High / CVSS Base Score: 10
   CVE: CVE-2005-1984

Table 4.5: Some Important Vulnerabilities

4.3.4 Risk Value

After obtaining the asset identification values, threat values, and
vulnerability values, we can calculate the risk value from them. The risk
value is calculated by multiplying the asset value, threat value, and
vulnerability value for each category of assets, as in Yazar [32]. That is:

Risk Value = Asset Value x Threat Value x Vulnerability Value

The Risk Value for each asset is shown in Table 4.6. As we can see, the
PC's have the highest Risk Value, and the Internal Servers have the second
highest value. The Internet Servers are third, followed by the core and
distribution switches, and the access switches are last. The differences are
shown in Figure 4.4.

Asset zone | Asset Value | Average Threat Value | Average Vulnerability Value | Risk value (related to assets)
Core and Distribution Switches | 3 | 2 | 1.42 | 8.52
Access switches (Edge) | 2 | 2 | 1.33 | 5.32
Internet Servers | 3 | 16.2 | 1.61 | 78.3
Internal servers | 3 | 16.2 | 3.29 | 160
PC's | 1 | 16.2 | 11.5 | 186.3

Table 4.6: Risk Value for each Asset

Figure 4.4: The Risk Value for Asset categories (bar chart of the Table 4.6 risk values for Core and Distribution Switches, Access switches (Edge), Internet Servers, Internal servers and PC's; vertical axis: Risk Value, 0 to 200)

4.4 Penetration Testing

We took two rules into account before starting the penetration testing.
First, we are doing a network security penetration test, which means it
covers up to layer three of the OSI model. Second, we will not try any test
that may affect the availability of KSU services, such as crashing systems.
The results of the internal penetration testing are shown in Table 4.7.

# | Asset Zone | Details | Yes/No (success) | Notes
1 | Core and distribution switches | Eavesdrop on a telnet session and obtain the passwords of other users. | Yes | Using Man-in-the-middle attack
2 | Access switches | Eavesdrop on a telnet session and obtain the password of other users. | Yes | Using Man-in-the-middle attack
3 | Internet Servers | Accessing the Internet servers from Public Internet Labs | Yes | Internet Lab at Library
4 | Internet Servers | Spying on sessions going to Proxy and getting passwords | Yes | Using Man-in-the-middle attack
5 | Internal servers | Accessing the Internal servers from Public Internet Labs | Yes | Internet Lab at Library
6 | Internal servers | Spying on sessions and reconstructing them to get information | Yes | Using Man-in-the-middle attack
7 | PC's | Accessing a PC in building A from building B | Yes | We can access many PC's in multiple buildings

Table 4.7: Results of Internal Penetration Testing

The Man-in-the-Middle attack is a kind of attack in which the attacker
places himself in the middle of the communication between two
network-connected systems. In this way, all the traffic going back and forth
between the two systems passes through the attacker's computer, which means
he can spy on all of it using the right tools. There are many tools that can
perform this kind of attack (see Appendix C). For the external penetration
testing, we could not access the internal services (i.e. the Internal
Servers zone).
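The defender's counterpart to the man-in-the-middle test described above is to watch the ARP traffic for the replies that redirect it. The following is an added example, not a tool from this thesis or its Appendix C, of the check that binding the IP and MAC addresses of important equipment (the Chapter 5 recommendation) makes possible: it replays a constructed ARP reply log, flags any reply whose sender MAC contradicts a static or learned binding, and flags a MAC that claims several IP addresses. The addresses, the log entries and the function names are all constructed for the example.

```python
"""ARP-poisoning detector: the defender's side of the Man-in-the-Middle test.

Added example, not a tool from this thesis or its Appendix C. It replays a
constructed ARP reply log through an IP-to-MAC binding check of the kind that
static IP/MAC matching for important equipment makes possible. Addresses,
log entries and function names are all constructed.
"""
from collections import defaultdict

# Static bindings for important equipment (assumed values): gateway and proxy.
STATIC_BINDINGS = {
    "10.0.5.1": "00:11:22:33:44:01",   # default gateway
    "10.0.5.10": "00:11:22:33:44:10",  # proxy server
}

# Constructed ARP replies: (seconds, sender IP, sender MAC, receiver IP).
# After normal traffic, a third MAC answers for the gateway, the proxy and
# a workstation: the gratuitous replies an ARP-poisoning tool would send.
ARP_LOG = [
    (0.0, "10.0.5.1", "00:11:22:33:44:01", "10.0.5.20"),
    (0.5, "10.0.5.1", "00:11:22:33:44:01", "10.0.5.21"),
    (1.0, "10.0.5.10", "00:11:22:33:44:10", "10.0.5.20"),
    (30.0, "10.0.5.1", "00:aa:bb:cc:dd:ee", "10.0.5.20"),
    (30.1, "10.0.5.10", "00:aa:bb:cc:dd:ee", "10.0.5.20"),
    (30.2, "10.0.5.20", "00:aa:bb:cc:dd:ee", "10.0.5.1"),
    (60.0, "10.0.5.21", "00:11:22:33:44:21", "10.0.5.1"),
]


def inspect_arp(log, static=STATIC_BINDINGS):
    """Return a list of alert dicts: one per reply that contradicts a binding,
    and one each time a MAC grows its set of claimed IP addresses past one."""
    bindings = dict(static)      # IP -> MAC: static entries plus learned ones
    claims = defaultdict(set)    # MAC -> IPs it has claimed so far
    alerts = []
    for ts, ip, mac, _receiver in log:
        expected = bindings.get(ip)
        if expected is None:
            bindings[ip] = mac   # first sighting of this IP: learn it
        elif expected != mac:
            alerts.append({
                "time": ts,
                "kind": "static-binding-violation" if ip in static else "binding-changed",
                "ip": ip, "expected": expected, "seen": mac,
            })
        before = len(claims[mac])
        claims[mac].add(ip)
        if len(claims[mac]) > max(before, 1):
            alerts.append({"time": ts, "kind": "one-mac-many-ips",
                           "mac": mac, "ips": sorted(claims[mac])})
    return alerts


def suspect_macs(alerts):
    """MACs named in any alert: the candidates for a port shutdown or follow-up."""
    return {a.get("seen") or a.get("mac") for a in alerts}


if __name__ == "__main__":
    found = inspect_arp(ARP_LOG)
    for alert in found:
        print(alert)
    print("suspects:", suspect_macs(found))
```

Note the limitation the constructed log shows: the workstation 10.0.5.20 is first seen from the poisoned MAC, so a purely learned table accepts that entry. This is why the static bindings for gateways and servers matter; a learned binding only protects hosts the monitor saw before the poisoning started.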

As a note, there is no bandwidth management in KSU. This means that one PC
in Deriah may download files from the Internet at very high speed using some
tools (see Appendix C), and the other users in KSU will of course experience
slow Internet browsing even though KSU has a high-speed link to the Internet
(currently 100 Mbps). We have tested a tool that uses multithreading to
speed up downloading from the Internet, and we succeeded in consuming more
than 50% (6.567 x 8 = 52.51 Mbps) of the whole KSU Internet link; see
Figure 4.5.

Figure 4.5: Bandwidth Management problem



4.5 Gap Analysis

The Gap Analysis compares the current KSU network security with the
related aspects of the BS ISO IEC 17799 2005 international standard, which
is the most well-known standard in the information security field.
Thiagarajan [23] has written a paper that covers all the parts of ISO 17799.
We have revised his paper and prepared a table of the network-security-related
aspects of the standard. According to what we have seen in the previous
stages (gathering information, risk assessment, and penetration testing) and
to our visits to the KSU computer center, we then filled in the table to find
the gap, as can be seen in Table 4.8. The result is that 68% of the network
security aspects of the standard do not exist (Gap at maximum) in the
current KSU network security, while 28% are partially compliant, and only 4%
are compliant (No Gap). This shows the huge gap in the current KSU network
security.

Figure 4.6: Gap Analysis Results (pie chart: Not exist (Gap at Maximum) 68%, Partial 28%, No Gap 4%)


Columns of Table 4.8: our checklist number, ISO 17799 section, standard area and objective (details), findings, and compliance (No Gap / Partially / Not existing).

6.2 External Parties

1. 6.2.1 Identification of risks related to external parties
   Details: Whether risks to the organization's information and information processing facility, from a process involving external party access, is identified and appropriate control measures implemented before granting access.
   Findings: Any visitor can access the network without authentication.
   Compliance: Not existing

2. 6.2.2 Addressing security when dealing with customers
   Details: Whether all identified security requirements are fulfilled before granting customer access to the organization's information or assets.
   Findings: Any visitor can access the network without authentication.
   Compliance: Not existing

7.1 Responsibility for assets

3. 7.1.1 Inventory of assets
   Details: Whether all assets are identified and an inventory or register is maintained with all the important assets.
   Findings: Portable devices like visitor laptops are not identified.
   Compliance: Partially

4. 7.1.2 Ownership of assets
   Details: Whether each asset identified has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed.
   Findings: No classification.
   Compliance: Not existing

5. 7.1.3 Acceptable use of assets
   Details: Whether regulations for acceptable use of information and assets associated with an information processing facility were identified, documented and implemented.
   Findings: Does not exist.
   Compliance: Not existing

7.2 Information classification

6. 7.2.1 Classification guidelines
   Details: Whether the information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization.
   Findings: No classification.
   Compliance: Not existing

7. 7.2.2 Information labelling and handling
   Details: Whether an appropriate set of procedures are defined for information labelling and handling, in accordance with the classification scheme adopted by the organization.
   Findings: No classification.
   Compliance: Not existing

9.1 Secure Areas

8. 9.1.1 Physical Security Perimeter
   Details: Whether a physical border security facility has been implemented to protect the information processing service. Some examples of such security facilities are card control entry gates, walls, manned reception, etc.
   Findings: There are control entry gates, but usually they are kept open in official hours, and there are no guards on the night shift. I have visited the computer center more than 70 times, almost always on the night shift, and I saw the guard about 7 times.
   Compliance: Partially

9. 9.1.2 Physical entry Controls
   Details: Whether entry controls are in place to allow only authorized personnel into various areas within the organization.
   Findings: Kept open all the time.
   Compliance: Not existing

10. 9.1.3 Securing Offices, rooms and facilities
   Details: Whether the rooms, which have the information processing service, are locked or have lockable cabinets or safes.
   Findings: Rooms have locks, but are almost always kept open. Cabinets have lockable doors but are not locked.
   Compliance: Partially

11. 9.1.4 Protecting against external and environmental threats
   Details: Whether the physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster should be designed and applied.
   Findings: Cabinets in buildings are located in secure rooms.
   Compliance: No Gap

12. 9.1.5 Working in Secure Areas
   Details: Whether physical protection and guidelines for working in secure areas is designed and implemented.
   Findings: Any visitor can go inside the computer center within official hours since the main door is kept open.
   Compliance: Not existing

13. 9.1.6 Public access, delivery and loading areas
   Details: Whether the delivery, loading, and other areas where unauthorized persons may enter the premises are controlled, and information processing facilities are isolated, to avoid unauthorized access.
   Findings: The network assets room has lockable doors but is sometimes kept open.
   Compliance: Partially

9.2 Equipment Security

14. 9.2.1 Equipment siting and protection
   Details: Whether the equipment is protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
   Findings: The network assets room has a lockable door but is sometimes kept open.
   Compliance: Partially

15. 9.2.2 Supporting utilities
   Details: Whether the equipment is protected from power failures and other disruptions caused by failures in supporting utilities. Whether permanence of power supplies, such as a multiple feed, an Uninterruptible Power Supply (UPS), a backup generator, etc. are being utilized.
   Findings: There is no UPS for the utility rooms in buildings.
   Compliance: Not existing

16. 9.2.3 Cabling Security
   Details: Whether the power and telecommunications cable, carrying data or supporting information services, is protected from interception or damage.
   Findings: The fiber cables are running in the main tunnel where labor can access them.
   Compliance: Partially

10.1 Operational Procedures and responsibilities

17. 10.4.1 Controls against malicious code
   Details: Whether detection, prevention and recovery controls, to protect against malicious code and appropriate user awareness procedures, were developed and implemented.
   Findings: I could scan millions of IP addresses over many days and no one noticed that.
   Compliance: Not existing

18. 10.4.2 Controls against mobile code
   Details: Whether only authorized mobile code is used. Whether the configuration ensures that authorized mobile code operates according to security policy. Whether execution of unauthorized mobile code is prevented. (Mobile code is software code that transfers from one computer to another computer and then executes automatically. It performs a specific function with little or no user intervention. Mobile code is associated with a number of middleware services.)
   Findings: Different worms exist according to our threat assessment.
   Compliance: Not existing

19. 10.6.1 Network Controls
   Details: Whether the network is adequately managed and controlled, to protect from threats, and to maintain security for the systems and applications using the network, including the information in transit.
   Findings: Clear text transactions can be seen with the ARP poisoning technique; also, threats exist according to our threat assessment.
   Compliance: Not existing

20. 10.6.2 Security of network services
   Details: Whether security features, service levels and management requirements, of all network services, are identified and included in any network services agreement. Whether the ability of the network service provider, to manage agreed services in a secure way, is determined and regularly monitored, and the right to audit is agreed upon.
   Findings: Users can access the network services that are intended for employees.
   Compliance: Not existing

10.7 Media handling

21. 10.7.4 Security of system documentation
   Details: Whether the system documentation is protected against unauthorized access.
   Findings: I could get documentation for the KSU Mainframe.
   Compliance: Not existing

22. 10.9.2 On-Line Transactions
   Details: Whether information involved in online transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
   Findings: Clear text transactions can be seen with the ARP poisoning technique.
   Compliance: Not existing

23. 11.4.1 Policy on use of network services
   Details: Whether users are provided with access only to the services that they have been specifically authorized to use. Whether there exists a policy that does address concerns relating to networks and network services.
   Findings: Users can access the network services that are intended for employees.
   Compliance: Not existing

24. 11.4.5 Segregation in networks
   Details: Whether groups of information services, users and information systems are segregated on networks. Whether the network (where business partner's and/or third parties need access to information system) is segregated using perimeter security mechanisms such as firewalls.
   Findings: Segregation exists for some of the services and users.
   Compliance: Partially

11.5 Operating system access control

25. 11.5.2 User identification and authentication
   Details: Whether unique identifier (user ID) is provided to every user such as operators, system administrators and all other staff including technical. Whether suitable authentication technique is chosen to substantiate the claimed identity of user.
   Findings: A visitor can access the network without authentication.
   Compliance: Not existing

Table 4.8: Results of Gap analysis


4.6 Analysis of Results

The GRPG methodology was built carefully to cover many aspects of
network security: the value of assets, which represents their importance to
the organization (based on the CIA concept); a practical assessment, which
evaluates and shows the current network security threats and vulnerabilities
in the organization; penetration testing, to prove the weaknesses (if any);
and checking the compliance of the organization's network security against
an international security standard, to know what level the network security
has reached. All these aspects have given our results more power to reflect
the actual network security level of the organization, and hence to propose
appropriate solutions to the problems discovered.

The information gathering phase is essential for any assessment. In KSU,
since the network had just been launched, it was easy to collect information
about the new network, although it took a number of days to complete. This
task can be very difficult if the KSU network has strong security at the
network level, which in turn minimizes the risk from hackers.

In the threat assessment phase, the location of the tool is not the only
possible location in the network, but it was chosen to show the behavior of
most of the traffic. For example, if a PC is infected with a worm and that
worm is targeting the PC's in the same building, then our tool will not
discover that worm. Because of this, all the numbers mentioned in Table 4.2
are considered minimums that may increase if more tools are installed in all
buildings. Some of the newer switches on the market can help in such
assessments since they have a built-in Intrusion Detection System (IDS).

We have found 14 threats, as listed in Table 4.2. Actually, some of the
threats can exist because of other threats. For example, the source of the
fourth threat, "Host Scans", can be one of the worms, such as the eleventh
threat, "Worm on TCP/445". It is known that a worm propagates itself on the
network; this can be done by performing "Host Scans" to discover the
available hosts on the network. Then it checks for vulnerable hosts by
performing "Port Scans", which is the eighth threat in the table. Worms can
also create the threat "Dark IP Traffic", which means that the hosts infected
by the worm scan random or unallocated IP addresses on the network. In many
cases, this is a sign of a worm's existence or of a hacker who is using
scanning tools. Some of the discovered threats can initiate Distributed
Denial of Service (DDOS) attacks, that is, sending huge traffic to stop the
service on a specific server, usually one available on the Internet. For
example, the ninth threat in the table, "Virut Variants", will launch a DDOS
attack against Estonian websites on the Internet.
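An added example, not the monitoring tool used in this thesis, of how the host-scan and dark-IP signs of worm propagation described above can be picked out of flow records: for each source host it counts the distinct destinations, the destinations that fall in unallocated (dark) campus address space, and whether every flow went to TCP/445, the port of the eleventh threat. The address plan, the thresholds, the flow records and the function names are constructed assumptions.

```python
"""Host-scan and dark-IP detection over flow records.

Added example, not the monitoring tool used in the thesis. The address plan,
thresholds, flow records and function names are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed address plan: the campus block and the subnets actually in use.
# Campus addresses outside the allocated subnets are "dark": nothing should
# talk to them, so traffic toward them is the Dark IP Traffic sign.
CAMPUS = ipaddress.ip_network("10.0.0.0/16")
ALLOCATED = [ipaddress.ip_network(n) for n in ("10.0.5.0/24", "10.0.6.0/24")]


def is_dark(ip_str):
    """True for a campus address that lies in no allocated subnet."""
    ip = ipaddress.ip_address(ip_str)
    return ip in CAMPUS and not any(ip in net for net in ALLOCATED)


# Constructed flows: (source IP, destination IP, destination TCP port).
# 10.0.5.20 sweeps four /24s on TCP/445, two of them unallocated; the other
# two hosts show ordinary proxy and file-share traffic.
FLOWS = (
    [("10.0.5.20", f"10.0.{third}.{host}", 445)
     for third in (5, 6, 77, 78) for host in range(1, 11)]
    + [("10.0.5.21", "10.0.5.10", 8080)] * 3
    + [("10.0.5.22", "10.0.6.3", 445)]
)


def detect_scanners(flows, scan_threshold=20, dark_threshold=5):
    """Per source host, count distinct destinations and dark destinations;
    tag sources above the thresholds, noting a single-port TCP/445 sweep."""
    per_src = defaultdict(lambda: {"dsts": set(), "dark": set(), "ports": set()})
    for src, dst, port in flows:
        entry = per_src[src]
        entry["dsts"].add(dst)
        entry["ports"].add(port)
        if is_dark(dst):
            entry["dark"].add(dst)

    findings = {}
    for src, entry in per_src.items():
        tags = []
        if len(entry["dsts"]) >= scan_threshold:
            tags.append("host-scan")
        if len(entry["dark"]) >= dark_threshold:
            tags.append("dark-ip")
        if tags and entry["ports"] == {445}:
            tags.append("worm-on-tcp/445-pattern")
        if tags:
            findings[src] = {"distinct_dsts": len(entry["dsts"]),
                             "dark_dsts": len(entry["dark"]), "tags": tags}
    return findings


if __name__ == "__main__":
    for src, info in detect_scanners(FLOWS).items():
        print(src, info)
```

The dark-IP count is the more reliable of the two signs: a legitimate host rarely has a reason to touch addresses that were never allocated, so even a low threshold produces few false positives, while the distinct-destination count needs a threshold tuned to what the building's file servers and printers normally generate.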

We should note that there are threats mentioned in Table 4.2 that could be a
good service, on the condition that there is monitoring and control of the
network security. For example, the fourteenth threat, "Remote access
application", can be very helpful to administrators or supervisors, but if a
hacker could use this tool, he would get the administrator's power on the
servers. Unfortunately, since about 50% of the threats mentioned in the table
are considered "Ongoing", this proves that monitoring is very weak at KSU or
may not exist. This means that the mentioned numbers of infected clients may
grow large and even stop some services in KSU.

As depicted in Figure 4.2, we have found that at least 26% of the PC's are
considered a source of threat. In general, we have found that 98.6% of the
threat sources are PC's, 0.5% KSU servers, and 0.9% Global IP's. The risk
from this high percentage (98.6%) can be minimized by applying security
controls at the network level, as we will see in the proposed security
solution.

In the vulnerability assessment, we have seen that the average number of
vulnerabilities per asset (Table 4.4) changes from one asset zone to
another. Usually, a smaller number in this table means less risk for KSU and
more control over the asset. For example, the access switches have a smaller
number than the PC's, so KSU has more control over the access switches and
therefore less risk, but the PC's are totally different, since KSU has less
control over them and hence the risk that may come from PC's is high.

In Table 4.6, we have found the risk value for each asset. This includes
finding the average threat value for each asset from Table 4.2, and we should
note that only related threats should be included in the Risk Value formula.
As an example, we have found that only two threats out of the 14 are related
to the "core and distribution switches" and "access switches", while all
fourteen threats are related to the remaining assets in Table 4.6. Also, to
calculate the average threat value in this table, we have used the same
formula mentioned before for the vulnerability value calculation, that is:

Average threat value = (0.1) Low + (0.5) Medium + High

Applying this formula to all threats in Table 4.2 results in 16.2 (the
number shown in Table 4.6).
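The following is an added worked example, not code from the thesis, that re-computes the GRPG numbers of Tables 4.4 and 4.6 from the figures transcribed from Tables 4.2 and 4.4, applying the weighting formula of this paragraph and the Risk Value product of section 4.3.4. To reproduce the 16.2 of Table 4.6, the Table 4.2 threat values of the related threats are summed per severity level and those three sums are then weighted with 0.1, 0.5 and 1; which two threats apply to the switch zones is an assumption (the thesis names the count but not the threats), as are the function names.

```python
"""Re-computation of the GRPG risk numbers from Tables 4.2, 4.4 and 4.6.

Added worked example (not code from the thesis). The figures below are
transcribed from those tables; the function names and the choice of which
two threats apply to the switch zones are assumptions.
"""
from decimal import Decimal, ROUND_HALF_UP

# Severity weights the thesis uses for both vulnerability and threat values.
WEIGHTS = {"high": Decimal("1"), "medium": Decimal("0.5"), "low": Decimal("0.1")}

# Threat values from Table 4.2 (3 = High, 2 = Medium, 1 = Low), keyed by No.
THREAT_VALUES = {
    1: 3, 2: 3, 3: 2, 4: 2, 5: 2, 6: 2, 7: 2,
    8: 2, 9: 2, 10: 2, 11: 2, 12: 2, 13: 1, 14: 1,
}
LEVEL_OF_VALUE = {3: "high", 2: "medium", 1: "low"}

# Per-asset average vulnerabilities (Table 4.4) and asset values (Table 4.6).
# Assumption: the two threats related to the switch zones are Host Scans (4)
# and Port Scans (8); the thesis says "two out of 14" but does not name them.
ZONES = {
    "Core and Distribution Switches": {"asset": 3, "vuln": (1, 0.83, 0), "threats": [4, 8]},
    "Access switches (Edge)": {"asset": 2, "vuln": (1, 0.65, 0), "threats": [4, 8]},
    "Internet Servers": {"asset": 3, "vuln": (1, 1.14, 0.36), "threats": range(1, 15)},
    "Internal servers": {"asset": 3, "vuln": (2.1, 2.27, 0.51), "threats": range(1, 15)},
    "PC's": {"asset": 1, "vuln": (7, 4, 25), "threats": range(1, 15)},
}


def _d(x) -> Decimal:
    """Decimal via str() so that 0.83 stays 0.83 and rounding is reproducible."""
    return Decimal(str(x))


def table_round(value, places: int) -> float:
    """Round half up, the way the printed tables are rounded."""
    return float(_d(value).quantize(Decimal(10) ** -places, rounding=ROUND_HALF_UP))


def weighted_score(high, medium, low) -> Decimal:
    """The thesis formula: 0.1 * Low + 0.5 * Medium + 1 * High."""
    return WEIGHTS["high"] * _d(high) + WEIGHTS["medium"] * _d(medium) + WEIGHTS["low"] * _d(low)


def vulnerability_value(avg_high, avg_medium, avg_low) -> float:
    """Final vulnerability value of Table 4.4 from the per-asset averages."""
    return table_round(weighted_score(avg_high, avg_medium, avg_low), 2)


def threat_value(threat_ids) -> float:
    """Average threat value of Table 4.6: the Table 4.2 values of the related
    threats are summed per level, then weighted with the same formula."""
    totals = {"high": 0, "medium": 0, "low": 0}
    for tid in threat_ids:
        value = THREAT_VALUES[tid]
        totals[LEVEL_OF_VALUE[value]] += value
    return table_round(weighted_score(totals["high"], totals["medium"], totals["low"]), 2)


def risk_value(asset_value, threat, vulnerability) -> float:
    """Risk Value = Asset Value x Threat Value x Vulnerability Value (Yazar [32])."""
    return float(_d(asset_value) * _d(threat) * _d(vulnerability))


def risk_table() -> dict:
    """Rebuild Table 4.6: (asset value, threat value, vulnerability value, risk) per zone."""
    rows = {}
    for zone, spec in ZONES.items():
        vuln = vulnerability_value(*spec["vuln"])
        threat = threat_value(spec["threats"])
        rows[zone] = (spec["asset"], threat, vuln, risk_value(spec["asset"], threat, vuln))
    return rows


if __name__ == "__main__":
    for zone, (asset, threat, vuln, risk) in risk_table().items():
        print(f"{zone:32s} A={asset} T={threat:5} V={vuln:5} Risk={risk:.2f}")
```

The vulnerability values come out exactly as printed in Table 4.4 (1.42, 1.33, 1.61, 3.29 and 11.5), and the threat values as 2.0 for the switch zones and 16.2 for the rest. The exact products for the Internet and Internal servers are 78.246 and 159.894, which Table 4.6 lists as 78.3 and 160; the ordering of the zones by risk is the same as in the thesis, with the PC's highest.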

In the penetration testing phase, more tests could be done if we were
working in a test environment, because some of the tests may crash the
systems and stop the service. But we avoided such tests to maintain the
availability of KSU services. Actually, penetration testing is the proof of
a vulnerability's existence: if there is no vulnerability, then we cannot
penetrate the asset. And as we mentioned in the vulnerability assessment
phase, we have about 1300 pages of vulnerability details for all asset
zones.

In the Gap analysis phase, we have chosen 25 controls out of the 139
controls that exist in the ISO 17799 international standard. The selection
was made by checking each of the 139 controls against our scope (up to layer
three in the OSI model). From this phase, we have found that 68% of the
network security aspects of the standard do not exist (Gap at maximum) in
the current KSU network security. This number can be reduced by simple
actions. Going back to Table 4.8, the physical security (the twelfth item in
the table) can be applied by a decision from the IT management.

Chapter 5

Proposed Security Solution

1- Introducing the Service Oriented network concept. That is, building and
configuring the network according to the target services planned to be
offered to end users. As an example, the goal of establishing the Internet
Lab in the KSU library is to access the Internet, so from the network point
of view it should be restricted to accessing only the Internet, not all KSU
services, as we have seen in the penetration testing. This idea can be
applied to all locations and according to the official services that will
be offered by KSU.

2- We recommend establishing a Security Operations Center (SOC). A SOC
monitors and manages all aspects of enterprise security in real time, from
a single, centralized location. It discovers and prioritizes events and
threats, determines the risk level and which assets are affected, and
recommends and/or executes the appropriate remediation. It delivers detailed
reports at the local and network levels, meeting both real-time management
and audit requirements.

3- Creating a centralized authentication mechanism at the network level
which forces authentication on every computer once it is connected to the
KSU network. If the computer is authorized, it will be connected to the
production network; otherwise it will be disconnected at the switch port
level, which in turn stops the threat at its source. This can be done by
using domain controllers such as Active Directory, and can be enhanced using
a network admission control (NAC) mechanism, which uses the port security
standard IEEE 802.1X together with the domain controller concept to control
not only whether access to the network is given, but also to find and
remediate the main security problems of the PC's. For example, if a PC asks
to connect to the network and it does not have the latest antivirus update,
it will be given a temporary IP address and joined to the remediation VLAN
until the antivirus is updated; then it will be joined automatically to the
authorized services for that user according to KSU policy.

4- Since the PC’s are the largest source of threats in KSU, our
recommendation in point 3 above (Domain authentication and NAC) can
be utilized successfully to prevent users from accessing their PC’s with
administrative privileges, install patches for the security vulnerabilities
regularly, and apply the new policies quickly for all the clients.

5- Preventing the use of clear text sessions for all KSU systems. This
includes changing the way network switches are accessed by using encrypted
SSH (Secure Shell) sessions instead of Telnet. Also, the sessions to the
Internet servers like the proxy and the internal servers like the Mainframe
should all be encrypted to minimize the risk of passwords being captured by
hackers. More restrictions can be applied by creating an access list of IP
addresses, at the network level or on the servers, to allow only the
authorized users to access those services.

6- Preventing the PC's in different buildings from accessing each other
directly, to minimize the risk of attacks and also the risk of worm spread.
KSU should allow the users to communicate with each other by other secure
ways according to its policy, like e-mail, Network Attached Storage (NAS),
and others.

7- The risk of Man-in-the-Middle attacks can be minimized by utilizing
VLAN's and using the security features available in the new switches, like
controlling the number of MAC addresses at the switch port level and binding
the IP and MAC addresses together for important equipment like servers; this
will reject attempts to steal the identity of others.

8- Availability in the network design is not fully considered (data center
and core switches). We recommend connecting the data center to at least two
core switches in different buildings, and also connecting each building to
two different core switches, each one in a different building (for example
B.18 and B.8), to increase availability. See Figure 5.1.

9- There should be a way to control the bandwidth for KSU users. Some
products are available, and they can be installed before the Internet
firewalls. Also, some control can be done at the network switch level. This
will minimize the risk of disrupting the Internet service for internal and
external users.

10- Internet bandwidth has increased to 100 Mbps; this can be seen as extra
power for attackers, even from outside Saudi Arabia, as the threats observed in
Chapter 4 and Appendix A show. The KSU network could be used to originate
distributed denial of service (DDoS) attacks against any network connected to
the Internet. This risk can be minimized by establishing the SOC as mentioned
above.

11- Since the gap between the current KSU network security and the related
aspects of the BS ISO/IEC 17799:2005 international standard was huge, as we
have seen before, we recommend revising all aspects of the standard and
fulfilling its parts to minimize the gap. As an example, a security guard
should be available at night to fulfill the physical security requirement.
Figure 5.1: Suggested KSU Network Architecture
Chapter 6

Conclusion and Future work

6.1 Conclusion

We have used our methodology (the GRPG) in the thesis to propose solutions to
the current problems in KSU network security. We have used professional tools
to cover all stages of the thesis; these tools are listed in Appendix C.

In the threat assessment, we found that at least 26% of the PCs are considered
a source of threat. Many threats are considered "ongoing", which means that
there is no monitoring of security threats at KSU. We also found that 98.6% of
the threat sources are PCs, 0.5% are KSU servers, and 0.9% are global IPs.

In the vulnerability assessment, we have seen that PCs are the most vulnerable
assets among the asset zones, and PCs also have the highest risk value. In the
penetration testing phase, we could eavesdrop on telnet sessions and obtain the
passwords of users who access the network switches, using a man-in-the-middle
attack. We could also obtain users' proxy server passwords with the same
technique. Any clear-text session can be reconstructed with the same technique
if the right tools are available.

In the gap analysis phase, we found that 68% of the network security aspects
of the standard do not exist (maximum gap) in the current KSU network security,
while 28% are partially compliant and only 4% are compliant (no gap).

According to the problems we found, we have recommended solutions and an
architecture for them, as described in Chapter 5.

6.2 Future work

Our study and analysis does not cover everything related to information
security at KSU, so we suggest the following for future work:

1- A full security assessment (an information security assessment that
covers all 7 OSI layers).

2- Covering the KSU branches in the assessment.

3- Studying attacks on encrypted sessions and attempts to decrypt them
(for example HTTPS/SSL sessions).

4- Study and analysis of the gap between KSU information security and the
international standard ISO 17799.
Appendix A: More Details for Each Threat
1- Phishing Hosting Server Traffic Identification
Summary
ID: ATF-2005-34-8275
Published: 2005-07-01 12:19 GMT
Updated: 2007-02-14 12:05 GMT
Type: Phishing Traffic Identification
Revision: 8275 - Updated ruleset
Severity: high

Description

Phishing hosting servers host content that is designed to socially engineer unsuspecting users into surrendering private
information that will be used for identity theft.

Phishing Web sites mimic legitimate Web sites, often of a financial institution, in order to steal logins, passwords, and personal
information. Attackers trick users into using the fake Web site by claiming to be a legitimate institution requesting the information
for valid reasons, such as account verification. They may then use the stolen credentials to withdraw large amounts of money from
the victim's account or commit other fraudulent acts.

Analysis

While the initial incentive for phishing attacks was the ease with which unsuspecting users would provide sensitive
personal financial information, there has been an evolution in attackers' motivations for such attacks. For example, attackers could
use malformed Web sites that mimic legitimate financial institutions in order to have a user click on a link that would then
download and install malware. In another example, attackers could potentially gain sensitive corporate information if the mimicked
site represented content from the unsuspecting user's employer. It is important to note that simply because a user visited a
phishing site does not necessarily mean that the user actually sent his or her personal information.

Trigger

This policy triggers when the system identifies TCP traffic to vetted phishing hosting servers via TCP ports. Customers should
note that the phishing servers typically have a short "shelf life," and, as such, servers that exist today may not exist tomorrow.
However, this particular ATF policy is regularly updated to refresh the list of active servers, with inactive servers being retired, i.e.,
removed.

Affected Platforms and Versions

Any host upon which a Web browser can be installed is potentially susceptible.

Remediation

If possible, remove infected hosts from the network, scan for any installed malware, and ensure that all the latest and most
relevant patchsets are installed. In addition, identified hosts should be contacted in order to determine if sensitive information was
disclosed to untrusted third parties and, if so, what the nature of that information was. Any violating hosts should also be scanned
with up-to-date virus tools to determine if a Trojan or other malware was installed on the system.

If possible, instruct users on e-mail best practices, including not sending any personal information as a response to an e-mail that
requests it. Legitimate institutions will most likely never request such information in the form of an e-mail.

Workaround

N/A

2- Korgo Worm

Summary
ID: ATF-2005-11-13
Published: 2005-11-30 18:01 EST
Updated: 2006-07-12 16:19 EDT
Type: Malicious Code
Revision: 13 - Update trigger description.
Severity: low

Description

Korgo is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in
Microsoft Security Bulletin MS04-011) on TCP port 445. Infected hosts will scan for new victims on TCP port 445, launch attacks
against this service, and, once infected, will contact additional sites for updated information and commands from attackers. Many
variants of the worm also create services which listen on TCP ports 113, 2041, 3067, 5111, and other random ports.

Analysis

The Korgo worm is another worm which utilizes a well characterized vulnerability and popular exploit methodology to build a large
botnet. These hosts can cause significant damage to the networks that host them and infected hosts should be remedied quickly.

Trigger

This policy looks for hosts scanning on TCP port 445 followed by connections to the update sites and control servers. The
subjects of the alerts are active Korgo worm hosts.

Affected Platforms and Versions

This malware affects the following versions of Microsoft Windows:

• Windows 2000
• Windows XP

Remediation

Local hosts found violating this policy should be cleaned with standard antivirus removal tools.

Workaround

There are several variants of the worm which alter infected hosts in different ways. It is best to use antivirus techniques to repair
damaged hosts. Blocking inbound TCP traffic to ports 113, 2041, 5111, and 3067 can help prevent the abuse of infected
machines. To prevent the worm from spreading, apply the patch listed in the Microsoft Security Bulletin MS04-011.

3- FreeVideo Player Trojan

Summary
ID: ATF-2006-142-4
Published: 2006-11-16 16:55 EST
Updated: 2006-11-28 15:01 EST
Type: Malicious Code
Revision: 4 - Enforce normal Windows ephemeral port ranges for DNS traffic, which should prevent alerts on backscatter.
Severity: high

Description

The "FreeVideo Player" Trojan horse is a set of software that disguises itself as a multimedia codec but is used to redirect website
traffic to malicious webservers. Usually found when users are looking at pornographic websites, they are prompted to install what
appears to be a multimedia codec used to play pornographic movies. The malware has a proper looking installer and even a
license agreement that gives the source of the malware great latitude over the user's machine. The installer will proceed to alter
the user's DNS settings, overriding any DHCP or manually set preferences, and will redirect web traffic to a bank of malicious web
servers. Furthermore, the installed software may install additional software and malware on the user's machine.

Analysis

The "FreeVideo Player" Trojan has several hundred variants, all of which contain minor differences and have altered MD5 values.
All files have names ranging from "dvdaccess1000.exe" to "dvdaccess3000.exe". However, they all appear to perform the same
actions, namely changing the DNS settings in the network connection TCP/IP preferences to use two different servers in the
85.255.112.0/20 netblock. The consequence of this is to redirect the user to their websites, which contain pornographic and
possibly malicious content, if a URL is mistyped. Legitimate, valid hostnames, URLs, and domain names do not appear to be
altered by their DNS servers.

The malware sets the following registry key to ensure that the malware is always running:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "System"="kdfle.exe". This file will be
hidden by a userland rootkit, but it is located at %SYSTEM32%\kdyda.exe.

Trigger

This policy looks for DNS and corresponding HTTP traffic to the netblock used by the malware, 85.255.112.0/20. This should
detect the rogue DNS traffic to an offsite, malicious DNS server and the web server used to additionally infect machines.

Affected Platforms and Versions

The FreeVideo Player malware family affects Win32 systems:

• Windows 2003
• Windows XP
• Windows 2000
• Windows NT

Remediation

Scan suspect machines with updated antivirus tools to examine for signs of known malware infections.

Workaround

This malware is currently poorly detected by antivirus companies. Blocking network level access to the malicious subnet,
85.255.112.0/20 (AS27595, Intercage), appears to be the best means to block the malware's effects.

4- Host Scans

Summary

Host scanning is a process whereby automated network sweeps are initiated in search of hosts running any particular service.

Description

Host scanning is a process whereby automated network sweeps are initiated in search of hosts running any particular service.
This may be indicative of either legitimate host scanners (including network management systems and authorized vulnerability
scanners) or an attacker (or automated malicious code, such as a worm) trying to enumerate potential hosts for subsequent
compromise.

Analysis

While host scanning might be innocuous (often an unpleasant byproduct of being Internet-connected) it could be indicative of
suspicious and/or malicious activity. If the identified hosts are not conducting authorized network security auditing, administrators
should immediately inspect them to ensure they are not infected with malicious code and are not controlled by an attacker
attempting to compromise other hosts and/or servers.

Affected

Any computer connected to the network.

Remediation

Hosts infected with malware or compromised by an attacker should be isolated from the network immediately, scanned with up-to-
date antivirus tools, and patched for any security vulnerabilities.

Workaround

N/A

5- Dark IP Traffic
Summary
ID: ATF-2005-17-16
Published: 2005-07-06 09:06 EDT
Updated: 2007-01-19 08:25 EST
Type: Other
Revision: 16 - Overdue updates due to allocation changes.
Severity: Medium

Description

Dark IP addresses are globally routable IP addresses that do not have any responding hosts configured. As such, no well-
configured, non-compromised host should be sending packets to such IP addresses.

Packets sent to "Dark IP" addresses can likely be categorized into one of four categories:

• Host/Port scanning: Host/Port scanning is a technique used to learn about open hosts/ports within an arbitrary network. Both
legitimate security engineers and malicious attackers can employ scanning applications that generate such packets. However,
malicious code, such as worms, also can employ scanning routines in an attempt to propagate to other infectible hosts.
• Distributed Denial of Service (DDoS) Backscatter: Backscatter follows the spread of information requests across the Internet
generated by DDoS attacks. The source IP address(es) of many DDoS attacks is spoofed. As such, when requests for service are
answered by the server under attack, the data is sent across the Internet rather than to the host where the attack originated. This
spread of information is considered backscatter.
• Mis-configured devices: A flow that lives for a very short time, and that cannot be categorized into one of the above categories,
is labeled as a configuration mistake of one of the computers in the Internet.
• Other: A long flow that could not be categorized into any of the above groupings.

Analysis

Though transmitting packets to unallocated IP address space can occur due to misconfiguration, it is often a clear sign of
suspicious activity, such as vulnerability scanning or flooding, since very few legitimate applications indiscriminately scan
addresses in this fashion. Hosts that trigger alerts under this policy should be examined closely.

Trigger

This policy triggers when the system identifies traffic destined to any Internet Assigned Numbers Authority (IANA) address on
reserved or unallocated networks. RFC 1918, link-local, and multicast ranges have been omitted, as they are often in legitimate
use internally on an enterprise network.

Affected Platforms and Versions

Any TCP/IP enabled device is potentially affected.

Remediation

Scan hosts using up-to-date anti-virus tools and check for misconfiguration.

Workaround

Block network traffic to and from the destination network blocks (like 0.0.0.0/8, 1.0.0.0/8, 100.0.0.0/8, 101.0.0.0/8)
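The triggers of item 3 (traffic to the FreeVideo Player netblock 85.255.112.0/20) and item 5 (traffic to unallocated "dark" address space) are both address-block lookups over flow records, so one added example serves both. This is example code written for this appendix, not part of the thesis or of the ATF policies it quotes. The watched blocks are taken from the text above (the rogue DNS netblock and the four /8 blocks named in the Dark IP workaround); the flow records are constructed sample data. Note that 1.0.0.0/8, 100.0.0.0/8 and 101.0.0.0/8 have since been allocated by IANA, which is exactly why the policy text speaks of "allocation changes": such a list has to be refreshed from the current IANA registry before use.

```python
"""Classify outbound flow records against address blocks that no well-configured,
non-compromised host should be sending packets to.

Added example, not part of the thesis or of the ATF policies. Watched blocks come
from the appendix text; the flow records are constructed sample data.
"""
import ipaddress
from typing import List, Optional, Tuple

# (network, label): the FreeVideo rogue DNS/web netblock and the unallocated
# blocks named in the Dark IP workaround. Assumed to be refreshed from IANA.
WATCHED_BLOCKS = [
    (ipaddress.ip_network("85.255.112.0/20"), "rogue-dns-netblock"),
    (ipaddress.ip_network("0.0.0.0/8"), "dark-ip"),
    (ipaddress.ip_network("1.0.0.0/8"), "dark-ip"),
    (ipaddress.ip_network("100.0.0.0/8"), "dark-ip"),
    (ipaddress.ip_network("101.0.0.0/8"), "dark-ip"),
]

# Ranges the Dark IP policy deliberately omits: RFC 1918, link-local, multicast.
IGNORED_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
]

Flow = Tuple[str, str, str, int]   # (src_ip, dst_ip, proto, dst_port)


def classify_destination(dst: str) -> Optional[str]:
    """Return the watch label for a destination address, or None if it is
    either legitimately used internally or not in any watched block."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in IGNORED_BLOCKS):
        return None
    for net, label in WATCHED_BLOCKS:
        if addr in net:
            return label
    return None


def classify_flows(flows: List[Flow]) -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, label, note) for every flow into a watched block.
    The note distinguishes the two FreeVideo behaviours the policy describes:
    DNS resolution via the rogue server and HTTP to the malware's web server."""
    alerts = []
    for src, dst, proto, dport in flows:
        label = classify_destination(dst)
        if label is None:
            continue
        note = ""
        if label == "rogue-dns-netblock" and proto == "udp" and dport == 53:
            note = "host is resolving names via the malware's DNS server"
        elif label == "rogue-dns-netblock" and proto == "tcp" and dport == 80:
            note = "host fetching content from the malware's web server"
        alerts.append((src, dst, label, note))
    return alerts


# Constructed sample flows (internal 10.0.0.0/8 sources; external addresses are
# illustrative only, 198.51.100.0/24 is the TEST-NET-2 documentation range).
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.5.23", "85.255.112.45", "udp", 53),   # DNS query to the rogue resolver
    ("10.0.5.23", "85.255.120.9", "tcp", 80),    # HTTP to the malware's web server
    ("10.0.5.40", "1.2.3.4", "tcp", 445),        # SMB probe into a "dark" /8
    ("10.0.5.41", "10.0.1.10", "tcp", 80),       # internal web traffic, ignored
    ("10.0.5.42", "198.51.100.53", "udp", 53),   # ordinary DNS, not watched
    ("10.0.5.43", "224.0.0.251", "udp", 5353),   # multicast, deliberately omitted
]

if __name__ == "__main__":
    for src, dst, label, note in classify_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {label} {note}")
```

The ignore list is applied before the watch list, mirroring the trigger text: RFC 1918, link-local and multicast ranges are legitimately used inside an enterprise, so a host talking to them is not evidence of anything. The remaining hits are the ones the remediation text says to scan and check for misconfiguration.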

6- The Onion Routing (TOR) Traffic Identification

Summary
ID: ATF-2005-21-122
Published: 2005-07-15 06:22 GMT
Updated: 2007-02-13 20:15 GMT
Type: Other
Revision: 122 - Updated ruleset based on advertised Tor routers.
Severity: high

TOR implementations exist for Microsoft Windows, Apple Mac OS X, Linux, and other Unix variants.

Description

TOR is an anonymizing Internet proxy service designed to circumvent traffic analysis by proxying TCP traffic within chained,
encrypted tunnels. Using this service, a client can disguise what resources (s)he is accessing on the Internet, thereby obfuscating
any Internet activities, malicious or not.

Analysis

Many people believe there are legitimate usages for TOR, especially in cases where privacy is of concern. However, there are just
as many, if not more, illegitimate uses as well. For example, attackers may use this service to hide the true source or destination
of their connections, or an employee could bypass a corporate security policy in order to view prohibited web sites or use
prohibited services like instant messaging without detection. What is even more concerning is the fact that various malicious
codes can, once installed on an exploited host, establish hidden services on the host, such as web/file/FTP servers, to allow for the
creation of continuous malware distribution sites should others be cleaned.

Trigger

This policy triggers when the system identifies outbound TCP-related traffic transmitted to known TOR servers.

Affected Platforms and Versions

Any Internet-connected host running Windows, Linux, and/or Unix could potentially be affected. Malicious bots usually propagate
automatically, scanning for unpatched vulnerabilities in popular network software and exploiting them to install malicious code on
a host without the owner's knowledge. Alternatively, bots can propagate like a traditional Trojan horse or virus, tricking users into
running malicious code (e.g., an e-mail that contains a deceivingly-named attachment).

Remediation

N/A

Workaround

Blocking TOR simply by TCP port is difficult because a significant number of servers employ HTTPS (TCP port 443) for their TOR
port, which is the primary port for connection forwarding. In addition, many servers employ TCP ports 9001, 9030, and 9050.
Thus, blocking these ports can significantly hinder TOR operation. Blocking IP traffic to all known TOR servers is a more effective
defense mechanism; however, the list of operational TOR servers changes periodically. As such, any firewall blacklist
enumerating said servers will need to be updated accordingly.

7- Nebuler Trojan Variants

Summary
ID: ATF-2006-123-3
Published: 2006-07-12 17:42 EDT
Updated: 2006-07-14 15:09 EDT
Type: Malicious Code
Revision: 3 - Publish.
Severity: medium

The Nebuler Trojan family downloads and launches malware from remote sites. This can then be used to further infect a host.

Description

The Nebuler Trojan family downloads and launches malware from remote sites. This can then be used to further infect a host.
Once a host is infected, the infection state is sent to the attacker via a remote website and additional files are downloaded and
executed.

Analysis

Nebuler is a minor family of malware that can arrive via email, peer-to-peer, or hostile websites. It acts as a bootstrap mechanism
for additional malware. It is not a major threat to most networks at this time.

Trigger

This policy looks for a host contacting at least two of the notification and download websites (here4search.biz, content.jdial.biz
and smart-security.biz) used by the malware.

Affected Platforms and Versions

The following Windows platforms are affected by this malware:

• Windows 2003
• Windows 2000
• Windows 95
• Windows 98
• Windows Me
• Windows NT
• Windows XP

Remediation

Scan suspicious clients with up-to-date antivirus software for signs of malicious code.

Workaround

Block access to the following websites: here4search.biz, content.jdial.biz and smart-security.biz.



8- Port Scans

Summary

Port scanning is a process whereby targeted network sweeps are initiated in search of hosts running any number of services with
vulnerabilities that can potentially be exploited for further compromise.

Affected

The host(s) listed below are suspected of initiating port scanning routines against other internal/external hosts and/or servers.

Description

Port scanning is a process whereby targeted network sweeps are initiated in search of hosts running any number of services with
vulnerabilities that can potentially be exploited for further compromise. This may be indicative of either legitimate port scanners,
including network management systems and authorized vulnerability scanners, or an attacker (or automated malicious code, such
as a worm) trying to enumerate potential services for subsequent compromise.

Analysis

While port scanning may be innocuous (often an unpleasant byproduct of being Internet-connected), it could be indicative of
suspicious and/or malicious activity. If the identified hosts are not conducting authorized network security auditing, administrators
should immediately inspect them to ensure they are not infected with malicious code and are not currently controlled by an
attacker attempting to compromise other hosts and/or servers.

Remediation

Hosts initiating port scans should be isolated from the network immediately and scanned with up-to-date antivirus tool(s) and
vulnerability scanner(s). Assuming the host is not authorized to initiate port scans, it is likely that the host is infected with malicious
code that exploited a software vulnerability to gain initial access.

Workaround

N/A

9- Virut Variants

Summary
ID: ATF-2006-152-4
Published: 2006-12-13 17:02 EST
Updated: 2006-12-15 13:54 EST
Type: Malicious Code
Revision: 4 - Fix some typos.
Severity: medium

Description

The Virut family of malware is a polymorphic worm with backdoor capabilities that also launches a DDoS against several Estonian
websites. Because the worm is polymorphic, the payload changes its hash with every instance, as well as filenames. The binary is
usually 57856 bytes in size, however.

Virut propagates by scanning for vulnerabilities and open Windows file shares using weak passwords and common account
names. Virut hosts are typically very obvious with their ICMP scanning to discover hosts to attack. Once launched, it will modify
the registry to ensure that the malware is started at system boot. The registry modifications are:

• Creates key "HKCR\CLSID\{EDFE42DB-520D-3376-A5C0-CF95929CCC70}" and sets value "default"="lvehvjlxtstjsjst" in
that key.
• Creates key "HKCR\CLSID\{EDFE42DB-520D-3376-A5C0-CF95929CCC70}\LocalServer32".

These specific registry keys may change. The malware can use various filenames, usually 8 random letters (e.g., eognqmolw.exe).
The malware also opens connections to three Estonian websites: "www.starman.ee" and "www.if.ee" on port 80, and
"www.online.if.ee" on port 443.

The malware may also contact IRC servers dhl4.irc-sgo.org or Proxima.ircgalaxy.pl on TCP port 65520.

Analysis

The Virut family has been quietly loose on the Internet for several months, first gaining a foothold in late summer, 2006. Because it
is polymorphic, some AV tools may fail to detect all variants. A combination of AV tools should be used to examine any suspicious
host.

Trigger

This policy looks for hosts connecting to the Estonian websites "www.starman.ee" and "www.if.ee" on port 80, and
"www.online.if.ee" on port 443, or contacting the IRC servers dhl4.irc-sgo.org or Proxima.ircgalaxy.pl on TCP port 65520. This
policy will generate alerts when these suspicious hosts begin ICMP scanning. This traffic indicates a Virut-infected host.

Affected Platforms and Versions

The Virut family of malware affects the following Windows systems:

• Windows NT4.0
• Windows 2000
• Windows XP
• Windows 2003

Remediation

Scan hosts that show signs of infection with updated AV tools for signs of infection and scan the registry for suspicious keys that
may indicate an infected host.

Workaround

Block access to the websites "www.starman.ee" and "www.if.ee" on port 80, and "www.online.if.ee" on port 443. To prevent the
bot from accepting commands from the attacker, block access to the IRC servers dhl4.irc-sgo.org or Proxima.ircgalaxy.pl on TCP
port 65520.

10- Microsoft Well Known Service Scans

Summary
ID: ATF-2005-60-20
Published: 2005-10-24 10:43 EDT
Updated: 2006-11-14 14:21 EST
Type: Vulnerability/Exploit Scanning
Revision: 20 - Update for November, 2006, security bulletins from Microsoft (add two references, three CVE references).
Severity: medium

Scans for the most common well-known services in Microsoft Windows.

Description

This policy detects scanning activity on the most common well known services in Microsoft Windows. Attackers look for these
ports to identify Microsoft Windows systems and to launch attacks against well characterized vulnerabilities in these services.
These ports and services are:

• 135/TCP - Distributed Computing Environment (DCE) RPC Endpoint Resolution
• 137/UDP - NetBIOS Name Service
• 138/UDP - NetBIOS Datagram
• 139/TCP - NetBIOS Session Service
• 445/TCP - Direct-Hosted SMB
• 593/TCP - DCE RPC Endpoint Resolution over HTTP
• 3372/TCP - MSDTC, MS Distributed Transaction Coordinator

The vulnerabilities listed in the references have been identified by Microsoft in the past year and are accessible via these services.
The vendor's patches should be installed to mitigate these vulnerabilities.

Analysis

Attackers have been using Microsoft Windows' well known services for several years to launch attacks. The sources of these
scans may be malicious software or attackers actively looking for hosts to attack. Several vulnerabilities are present in any one
service, making it important to evaluate all of the patches applied to hosts to ensure that they are up to date.

Trigger

This policy looks for host scans against well known Microsoft services on TCP ports 135, 139, 445, 593, 3372 and UDP ports 137,
138.

Affected Platforms and Versions

These vulnerabilities affect the following Windows platforms:

• Windows 2000
• Windows 95
• Windows 98
• Windows Me
• Windows NT
• Windows Server 2003
• Windows XP

Remediation

To prevent exploitation of the vulnerabilities by attackers, apply the patches in the advisories listed in the references.

Workaround

Block access to the services from untrusted networks and hosts.



11- Worm on TCP/445

Summary

Traffic indicative of a potential worm has been identified emanating from the hosts listed below.

Affected

The hosts listed are suspected of being worm-infected hosts that are now attempting to propagate to other hosts and/or servers.

Description

Traffic indicative of a potential worm has been identified emanating from the hosts listed below.

A worm is a class of malicious code that propagates by identifying other potentially exploitable hosts and/or servers and then
exploiting ubiquitous software vulnerabilities. The infected hosts initiate a propagation routine and start scanning for other
susceptible hosts. This activity causes worms to spread exponentially, often infecting every potential vulnerable host on a large
network within minutes. Worms frequently contain a "payload," i.e., logic that will perform some additional function exclusive of the
worm propagating. Often, this is used to open a "backdoor" for future remote (and unauthorized) system access -- maybe to have
the host join a "botnet" that can conduct denial of service (DoS) attacks, send spam e-mail, or delete crucial system files. Worms
sometimes install "rootkits" that modify the host's OS (operating system) functionality to disguise infection, thereby concealing the
worm's activities.

Analysis

Worms can be very destructive, and worm propagation in a corporate network is a severe danger. A worm's payload can allow
attackers to enter the internal network and expose potentially sensitive information. Also, it can cause potential liability if infected
hosts are employed to attack other external hosts and/or servers. Further, the simple act of exponential propagation and scanning
can place a tremendous load on network bandwidth, causing severe service degradation or failure on many a network.

Remediation

Hosts that are initiating worm scanning routines should be isolated from the network immediately and scanned with up-to-date
antivirus tools and an up-to-date vulnerability scanner. It is likely that the host is infected with malicious code that exploited a
software vulnerability to gain initial access.

Workaround

N/A

12- Voice over IP (VoIP) Traffic Identification: Skype

Summary
ID: ATF-2006-97-118
Published: 2006-01-30 11:25 GMT
Updated: 2007-02-13 20:15 GMT
Type: Voice over IP (VoIP) Traffic Identification
Revision: 118 - Updated ruleset
Severity: medium

Description

Skype is a Voice over IP (VoIP) application that allows for IP-based telephone communication with other users throughout the
world. Users can make high quality voice calls to other users and, optionally, place calls directly to standard telephone numbers.

Much like a file sharing network or a text-based chat network such as AIM or IRC, Skype users can make point-to-point two-party
calls or even set up chat rooms and conference calls. Skype also allows for users to send text messages to each other as well as
files, much like a typical instant messaging network.

Skype employs a hybrid network architecture. Authentication is centralized, and calls are placed directly between peers. The
traffic can pass over a variety of TCP ports, but typically uses TCP 33033 (the default port) or TCP ports 80 or 443 (when behind a
proxy).

Analysis

The Skype protocol is designed to circumvent firewalls, maximizing the size of the network and the availability of the service. To
that end, it works with proxies to forward traffic and announce the ports available for direct P2P connections. Skype itself has few
public security issues associated with it. Third-party code audits have demonstrated that it's well designed and resilient to many
known attacks. Additionally, the protocol uses encryption to protect all login credentials and conversations.

In addition to the possibly unauthorized communications channel that Skype introduces, the biggest threat to a network from
Skype appears to be its bandwidth consumption. Like any P2P application, this can place a strain on bandwidth and also on
infrastructure materials.

VoIP protocols often employ a large amount of bandwidth, and, consequently, can place a strain on bandwidth and infrastructure
materials. In addition, by permitting VoIP activity at work, employee productivity could be affected. Therefore, monitoring for time
and bandwidth use on those applications during work hours might be warranted.

Trigger

This policy will trigger when individual clients initiate outbound TCP traffic (using TCP ports 33033 or 443) to any of the
aforementioned central Skype login servers.

Affected Platforms and Versions

Skype can be installed on the following operating systems:

• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Pocket PC Windows Mobile 5.0
• Microsoft Pocket PC Windows Mobile 2003
• Apple Mac OS X
• Linux x86

Remediation

N/A

Workaround

Block TCP traffic to the following central Skype login servers: 212.72.49.141, 195.215.8.141, 193.163.158.230, 195.41.46.86,
and 80.160.91.11. A number of bandwidth-shaping devices can also detect and rate limit Skype traffic.

13- Worm on TCP/135

Summary

Traffic indicative of a potential worm has been identified emanating from the hosts listed below.

Affected

The hosts listed are suspected of being worm-infected hosts that are now attempting to propagate to other hosts and/or servers.

Description

Traffic indicative of a potential worm has been identified emanating from the hosts listed below.

A worm is a class of malicious code that propagates by identifying other potentially exploitable hosts and/or servers and then
exploiting ubiquitous software vulnerabilities. The infected hosts initiate a propagation routine and start scanning for other
susceptible hosts. This activity causes worms to spread exponentially, often infecting every potential vulnerable host on a large
network within minutes. Worms frequently contain a "payload," i.e., logic that will perform some additional function exclusive of the
worm propagating. Often, this is used to open a "backdoor" for future remote (and unauthorized) system access -- maybe to have
the host join a "botnet" that can conduct denial of service (DoS) attacks, send spam e-mail, or delete crucial system files. Worms
sometimes install "rootkits" that modify the host's OS (operating system) functionality to disguise infection, thereby concealing the
worm's activities.

Analysis

Worms can be very destructive, and worm propagation in a corporate network is a severe danger. A worm's payload can allow
attackers to enter the internal network and expose potentially sensitive information. Also, it can cause potential liability if infected
hosts are employed to attack other external hosts and/or servers. Further, the simple act of exponential propagation and scanning
can place a tremendous load on network bandwidth, causing severe service degradation or failure on many a network.

Remediation

Hosts that are initiating worm scanning routines should be isolated from the network immediately and scanned with up-to-date
antivirus tools and an up-to-date vulnerability scanner. It is likely that the host is infected with malicious code that exploited a
software vulnerability to gain initial access.

Workaround

N/A
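The triggers of items 4 (Host Scans), 8 (Port Scans), 10 (Microsoft Well Known Service Scans), 11 (Worm on TCP/445) and 13 (Worm on TCP/135), as well as the scanning half of the Korgo trigger in item 2, all come down to the same observation: one source contacting an unusually large number of distinct destinations on one service port within a short time. The following added example (written for this appendix; not the thesis's code and not the ATF implementation) applies that fan-out rule to flow records using the port list from item 10. The threshold of 20 destinations in 60 seconds is an assumed tuning value, and the flow records are constructed sample data that include a worm-like sweep on TCP/445, a normal client and an inventory system below the threshold.

```python
"""Detect host scans of Microsoft well-known services from flow records by
counting distinct destinations per source, service port and time window.

Added example, not part of the thesis or the ATF policies. Ports come from
item 10 of the appendix; threshold, window and flow records are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (proto, port) -> service, as listed in item 10.
MS_SERVICE_PORTS = {
    ("tcp", 135): "DCE RPC endpoint resolution",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "direct-hosted SMB",
    ("tcp", 593): "DCE RPC endpoint resolution over HTTP",
    ("tcp", 3372): "MSDTC",
}

FANOUT_THRESHOLD = 20   # assumed: distinct destinations that count as a scan
WINDOW_SECONDS = 60.0   # assumed: sliding window length

Flow = Tuple[float, str, str, str, int]   # (timestamp, src, dst, proto, dport)


def detect_service_scans(flows: List[Flow],
                         threshold: int = FANOUT_THRESHOLD,
                         window: float = WINDOW_SECONDS) -> Dict[str, Tuple[str, int, int]]:
    """Return {src: (proto, port, max_distinct_destinations)} for every source
    that contacted at least `threshold` distinct hosts on one watched port
    within any `window`-second span."""
    events = defaultdict(list)   # (src, proto, dport) -> [(ts, dst), ...]
    for ts, src, dst, proto, dport in flows:
        if (proto, dport) in MS_SERVICE_PORTS:
            events[(src, proto, dport)].append((ts, dst))

    alerts: Dict[str, Tuple[str, int, int]] = {}
    for (src, proto, dport), seen in events.items():
        seen.sort()
        start = 0
        in_window = defaultdict(int)   # dst -> number of flows inside the window
        for end in range(len(seen)):
            in_window[seen[end][1]] += 1
            # slide the window start forward until it fits within `window` seconds
            while seen[end][0] - seen[start][0] > window:
                old_dst = seen[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            distinct = len(in_window)
            if distinct >= threshold:
                best = alerts.get(src)
                if best is None or distinct > best[2]:
                    alerts[src] = (proto, dport, distinct)
    return alerts


def build_sample_flows() -> List[Flow]:
    """Constructed sample traffic: a worm-like sweep, a normal client and an
    inventory system that stays below the threshold."""
    flows: List[Flow] = []
    # infected host sweeping forty addresses on TCP/445, one per second
    for i in range(1, 41):
        flows.append((float(i), "10.0.7.77", f"10.0.8.{i}", "tcp", 445))
    # ordinary client talking repeatedly to two file servers on TCP/445
    for i in range(30):
        server = "10.0.1.10" if i % 2 else "10.0.1.11"
        flows.append((float(i * 2), "10.0.7.5", server, "tcp", 445))
    # inventory system polling ten hosts on TCP/139 (below threshold)
    for i in range(1, 11):
        flows.append((float(i * 5), "10.0.9.2", f"10.0.8.{i}", "tcp", 139))
    # unrelated web traffic on a port the policy does not watch
    flows.append((3.0, "10.0.7.5", "10.0.1.11", "tcp", 80))
    return sorted(flows)


if __name__ == "__main__":
    for src, (proto, port, count) in detect_service_scans(build_sample_flows()).items():
        print(f"{src}: {count} hosts on {proto}/{port} ({MS_SERVICE_PORTS[(proto, port)]})")
```

Counting distinct destinations rather than raw connections is what separates the sweep from the busy client: the client in the sample opens more connections on port 445 than the inventory system does, yet reaches only two hosts. Authorized scanners (the "legitimate host scanners" the text mentions) will trip the same rule and should be whitelisted by source address rather than by lowering the threshold.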

14- Remote Access Application(s) Traffic Identification: Famatech Radmin

Summary
ID: ATF-2006-143-2
Published: 2006-11-22 10:22 EST
Updated: 2006-11-27 11:58 EST
Type: Remote Access Application(s)
Revision: 2 - Publish.
Severity: low

Description

Radmin provides a way to access the windowing system interface of a workstation or server over the Internet. Users can access
the system as though they were physically present, even though they are in fact accessing the system from another location. The
graphical user interface (GUI) of an operating system is intended for a user with physical access to the computer. Remote access
applications alleviate this requirement and allow users to interact with an operating system's GUI over a remote network,
frequently the Internet. Radmin uses encryption to protect the data sent over the network.

Analysis

Radmin was created for the legitimate purpose of allowing authorized users to remotely access systems. However, since it
essentially operates as a server on the internal network, it creates a tunnel through the firewall to the corporate Intranet that is
(most likely) not monitored or administered. Remote access applications such as this often have lax security mechanisms that
may be appropriate for home users but not for enterprise environments. Radmin requires that each client and server system have
the correct software installed.

Users may be enticed to install the Radmin software application on their systems due to heavy advertising, particularly on
computer-related programs. The potential risks to corporate networks and liability in potentially violating corporate security policies
are not part of the radio campaign.

Attackers use remote access applications, including Radmin, to compromise internal networks by first compromising the accessed
host and then installing a remote access application to run in the background. This essentially provides a graphical backdoor that
allows for easy access to compromised systems on the internal network at any time.

At this time (November, 2006), no security issues specific to Radmin are publicly known.

Trigger

This policy will trigger when clients connect to Radmin-enabled systems on the default TCP port 4899.

Affected Platforms and Versions

Radmin 2.x supports the following versions of Windows:

• Windows 95
• Windows 98
• Windows ME
• Windows NT4.0
• Windows 2000
• Windows XP
• Windows 2003

Remediation

If remote access is a necessity for corporate employees, an enterprise-level application with higher security requirements
and more stringent access control should be used, and all other remote access applications should be prohibited. Radmin has
built-in firewalling for each workstation or server, so that only connections from authorized network addresses are accepted.

Workaround

Block access to the default Radmin services, TCP port 4899. Application layer firewalls and IPS devices may also be able to
identify Radmin traffic and block it selectively.
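The two policies above (worm-style scanning hosts, and the Radmin trigger and workaround on TCP port 4899) can be checked offline against connection logs. The following is an added example, not code from the thesis or the ISS product: it parses constructed flow-log lines, flags sources whose distinct-destination fan-out on one port looks like worm scanning, and lists clients connecting to the default Radmin port. The log line format, the fan-out threshold and the sample addresses are assumptions.

```python
from collections import defaultdict

RADMIN_PORT = 4899   # default Radmin TCP port named in the policy text
SCAN_FANOUT = 20     # hypothetical threshold: distinct destinations one source hits on one port

# Constructed sample flow log, one "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>" per line.
SAMPLE_LOG = (
    "2008-11-01T10:00:01 10.1.1.5 10.1.2.7 tcp 4899\n"   # client connecting to a Radmin server
    "2008-11-01T10:00:02 10.1.1.6 10.1.2.8 tcp 80\n"     # ordinary web traffic
    "2008-11-01T10:00:03 10.1.1.5 10.1.2.9 udp 4899\n"   # same port over UDP: not the Radmin policy
    # one host sweeping 30 neighbours on TCP/445: the worm-style scanning pattern
    + "".join(f"2008-11-01T10:00:{i:02d} 10.1.1.9 10.1.3.{i} tcp 445\n" for i in range(10, 40))
)


def parse_flows(log_text):
    """Parse log lines into (src, dst, proto, dst_port) tuples; malformed lines are skipped."""
    flows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        _ts, src, dst, proto, port = parts
        flows.append((src, dst, proto.lower(), int(port)))
    return flows


def radmin_connections(flows):
    """Return sorted (src, dst) pairs that connect to the default Radmin TCP port."""
    return sorted({(s, d) for s, d, proto, port in flows
                   if proto == "tcp" and port == RADMIN_PORT})


def scanning_hosts(flows, fanout=SCAN_FANOUT):
    """Map each source that reached >= fanout distinct hosts on one port to (port, count).

    A single source contacting many distinct destinations on the same service port is the
    propagation pattern described for worms; such hosts are candidates for isolation.
    """
    targets = defaultdict(set)
    for src, dst, _proto, port in flows:
        targets[(src, port)].add(dst)
    return {src: (port, len(dsts)) for (src, port), dsts in targets.items()
            if len(dsts) >= fanout}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("Radmin clients:", radmin_connections(flows))
    print("Scanning hosts:", scanning_hosts(flows))
```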

Appendix B: Tools used


Many professional tools were used throughout this thesis; they are summarized
below:

#  Name                                    Description                                         Used for                  Notes
1  IBM ISS Anomaly Detection System (ADS)  An appliance to find threats in networks            Threat Assessment         Costs more than SR 220,000; see [24]
2  Superscan                               IP scanner in networks                              Gathering information     See [25]
3  Nessus 3                                Vulnerability scanner                               Vulnerability Assessment  See [26]
4  Ethereal                                Network analyzer (sniffer)                          Penetration Testing       See [27]
5  Commview                                Network analyzer (sniffer)                          Penetration Testing       See [28]
6  Cain & Abel                             ARP poisoning tool to do man-in-the-middle attacks  Penetration Testing       See [29]
7  Ettercap                                ARP poisoning tool to do man-in-the-middle attacks  Penetration Testing       See [30]
8  IDM                                     Internet Download Manager                           Penetration Testing       See [31]

We should mention that we used two PCs, one server, and one laptop as hardware for
the practical part of our thesis. Some other tools were used in the thesis, though
less frequently, such as NetSpy (Network Analyzer) and GFI LanGuard (Security
Scanner).

References

[1] John Canavan; Fundamentals of Network Security, Book published by Artech
House Publishers (USA), 2001.

[2] Thomas Wadlow; The Process of Network Security, Book published by Addison
Wesley Longman Inc (USA), 2000.

[3] Angelos D. Keromytis, John Ioannidis and Jonathan M. Smith; "Implementing
IPsec", University of Pennsylvania (USA), August 1997.
http://www1.cs.columbia.edu/~angelos/Papers/ipsec.pdf

[4] Ajaya Chitturi; "Implementing Mandatory Network Security in a Policy-Flexible
System", Master Thesis, The University of Utah (USA), June 1998.
http://www.cs.utah.edu/flux/papers/ajay-thesis.ps.gz

[5] Tim Terlegard; "Design of a Secure Network Management System", Master
Thesis, Linkopings University (Sweden), 2002.
http://www.diva-portal.org/diva/getDocument?urn_nbn_se_liu_diva-1133-1__fulltext.pdf

[6] Simon Josefsson; "Network Application Security Using The Domain Name
System", Master Thesis, Royal Institute of Technology (Sweden), 2001.
http://josefsson.org/exjobb/josefsson_simon_master_thesis.pdf

[7] T. Nandika Kasun De Zoysa; "A Model of Security Architecture for Multi-Party
Transactions", PhD Thesis, Stockholm University (Sweden), March 2003.
http://dsv.su.se/en/seclab/pages/pdf-files/03-005.pdf

[8] Gregory R. Ganger, Gregg Economou, Stanley M. Bielski; "Self-Securing
Network Interfaces: What, Why and How", Carnegie Mellon University, Pittsburgh
(USA), May 2002.
http://www.ece.cmu.edu/~bielski/CMU-CS-02-144.pdf

[9] Kenneth Ingham and Stephanie Forrest; "A History and Survey of Network
Firewalls", University of New Mexico (USA), 2002.
http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf

[10] Ahsan Habib, Mohamed M. Hefeeda, and Bharat K. Bhargava; "Detecting
Service Violations and DoS Attacks", Purdue University (USA), 2003.
http://www.isoc.org/isoc/conferences/ndss/03/proceedings/papers/12.pdf

[11] Frank Stajano and Hiroshi Isozaki; "Security Issues for Internet Appliances",
Toshiba Corporate R&D Center (JAPAN), 2001.
http://citeseer.ist.psu.edu/update/613831

[12] Stephen D. Wolthusen; "Layered multipoint network defense and security policy
enforcement", Fraunhofer-IGD (GERMANY), 2001.
http://www.itoc.usma.edu/Workshop/2001/Authors/Submitted_Abstracts/paperT2B1(04).pdf

[13] Gregory R. Ganger and David F. Nagle; "Enabling Dynamic Security
Management of Networked Systems via Device-Embedded Security", Carnegie
Mellon University, Pittsburgh (USA), 2000.
http://www.pdl.cmu.edu/PDL-FTP/Storage/CMU-CS-00-174.pdf

[14] Educause Org; "PKI and Security for Higher Education", (USA), 1999.
http://www.educause.edu/Elements/Attachments/netatedu/pki/report.pdf

[15] Mark Franklin; "PKI: A Technology whose time has come in Higher Education",
Dartmouth College, Educause review Magazine, March/April issue (USA), 2004,
Pages 52-53.
http://www.educause.edu/ir/library/pdf/erm0427.pdf

[16] NEC Business Network Solutions; "Security Assessment: The First Step in
Managing Network Risk", (USA), 2001.
http://www.necunified.com/Downloads/WhitePapers/NEC_SecurityAssessment_WhPpr.pdf

[17] Andrew R. McGee, S. Rao Vasireddy, Chen Xie, David D. Picklesimer, Uma
Chandrashekhar, and Steven H. Richman; "A Framework for Ensuring Network
Security", Bell Labs Technical Journal, Volume 8, Issue 4, pp. 7-27 (USA), 2004.

[18] Zhiqiang Cui; "Security Incidents in an academic setting: A case study", Master
Thesis, East Tennessee State University, (USA), 2002.

[19] William R. Simons; "The Challenges of Network Security Remediation at a
Regional University", Master Thesis, East Tennessee State University, (USA),
2005.

[20] James P. Ashe; "A Vulnerability Assessment of the East Tennessee State
University Administrative Computer Network", Master Thesis, East Tennessee
State University, (USA), 2004.

[21] Adam Shostack and Scott Blake; "Towards a Taxonomy of Network Security
Assessment Techniques", (USA), 1999.
http://www.blackhat.com/presentations/bh-usa-99/AdamS/shostack-blackhat.pdf

[22] Hector Urtubia; "Local Area Network Security: Authenticating The ARP
Protocol", Master Thesis, University of Nevada, (USA), 2003.

[23] Val Thiagarajan; "Information Security Management", SANS, (USA), 2006.
http://www.sans.org/score/checklists/ISO_17799_checklist.pdf

[24] IBM ISS Anomaly Detection System (ADS);
http://www-935.ibm.com/services/us/index.wss/offering/iss/a1026942

[25] Superscan Tool;
http://www.snapfiles.com/get/superscan.html

[26] Nessus 3 Tool;
http://www.nessus.org

[27] Ethereal Tool;
http://www.etherealsoft.com

[28] Commview Tool;
http://www.tamos.com/products/commview/

[29] Cain & Abel Tool;
http://www.oxid.it/cain.html

[30] Ettercap Tool;
http://ettercap.sourceforge.net

[31] Internet Download Manager Tool;
http://www.internetdownloadmanager.com/

[32] Zeki Yazar; "A qualitative risk analysis and management tool - CRAMM",
SANS, (USA), 2002.
https://www2.sans.org/reading_room/whitepapers/auditing/83.php

[33] Gary Stoneburner, Alice Goguen, and Alexis Feringa; "Risk Management Guide
for Information Technology Systems", NIST, (USA), 2002.
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf