By
Mohammed Abdullah Alfadli
Supervised by
Dr.Abdulaziz Almazyad
and
Dr.Saad Alkasabi
Thul-Qedah 1429H
November 2008G
Abstract
Table of Contents
ABSTRACT 2
TABLE OF CONTENTS 4
LIST OF FIGURES 6
LIST OF TABLES 7
LIST OF ABBREVIATIONS 8
CHAPTER 1: INTRODUCTION TO NETWORK SECURITY 10
1.1 SECURITY DEFINITION: 10
1.2 NETWORK SECURITY DEFINITION 11
1.3 NETWORK SECURITY HISTORICAL BACKGROUND 12
1.4 THE (C.I.A.) SECURITY CONCEPT 14
1.4.1 Confidentiality 14
1.4.2 Integrity 14
1.4.3 Availability 15
1.5 SECURITY ASSESSMENT: 16
1.6 RESEARCH GOALS 18
1.7 PROPOSED CHAPTERS 19
CHAPTER 2: LITERATURE REVIEW 20
2.1 SECURITY IN ACADEMIC INSTITUTIONS 20
2.2 SECURITY DESIGN 22
2.3 MONITORING IN SECURITY 24
2.4 NEW SECURITY APPROACHES 26
2.5 GENERAL NETWORK SECURITY 27
CHAPTER 3: KSU NETWORK SECURITY 29
CHAPTER 4: STUDY AND ANALYSIS 52
4.1 METHODOLOGY OF THE NETWORK SECURITY ASSESSMENT 52
4.2 GATHERING INFORMATION 56
4.3 RISK ASSESSMENT 58
4.3.1 Asset Identification 58
4.3.2 Threat Assessment 59
4.3.3 Vulnerability Assessment 63
4.3.4 Risk Value 71
4.4 PENETRATION TESTING 73
4.5 GAP ANALYSIS 75
4.6 ANALYSIS OF RESULTS 82
CHAPTER 5: PROPOSED SECURITY SOLUTION 86
CHAPTER 6: CONCLUSION AND FUTURE WORK 91
6.1 CONCLUSION 91
6.2 FUTURE WORK 92
APPENDIX A: MORE DETAILS FOR EACH THREAT 93
APPENDIX B: TOOLS USED 107
REFERENCES 108
List of Figures
Figure 3.1: Buildings in KSU Deriah
Figure 3.2: ATM Backbone in KSU Deriah
Figure 3.3: Main and backup ATM Backbone links
Figure 3.4: Ethernet to ATM Connectivity (ELANs)
List of Tables
Table 3.1: VLANs in KSU Deriah 49
Table 4.4: Average number of Vulnerabilities per asset and the final value 64
List of Abbreviations
Chapter 1
Security is a process. We can apply the process again and again to our
network and to the organization that maintains it, and by doing so the system's
security can be improved. If we stop applying the process, or have not yet started,
our security gets worse as new threats and techniques emerge [2].
• Balancing the cost of security against the value of the assets they are
protecting.
1.4.1 Confidentiality
When information flows on the network, it can be eavesdropped on. If the
information is not encrypted, someone else can sniff the network and read it. If
one just browses the web this might not be a problem; maybe he does not care
if someone knows that he has visited CNN's web site to read the news. But if
he is using his bank's website to make transactions, he probably does not
want anyone else to be able to sniff his secret code to the bank account. One
way to secure such transactions and prevent someone from getting the code
is to encrypt it [5].
1.4.2 Integrity
Integrity can be defined as prevention of unauthorized modification of
information. Even for data that is not confidential, IT professionals must still
take measures to ensure data integrity. For example, they may not care if
anyone sees their monthly orderings, but they would certainly care if the
numbers were modified. Data integrity ensures that transactions are not
modified [5].
Also data integrity can be thought of as accuracy, and refers to the ability
to protect information, data, or transmissions from unauthorized, uncontrolled,
or accidental alterations [1].
1.4.3 Availability
Availability can be defined as ensuring that network elements, services,
and applications are available to authorized users [17].
If an organization connects its LAN to the Internet, it will probably require
the Internet to always be available. A LAN usually has a firewall as its only
entry point. This is a critical point of failure for availability. If the firewall is
not functioning as it should, the users will not be able to reach the Internet.
Denial of Service (DoS) is the most common attack used to make a service
unavailable. A DoS can, for example, be someone sending a very large number of
Internet packets to a certain host. The receiving computer gets so many
packets to process that it cannot manage them all and starts to drop
them. It will also drop packets coming from friendly users, and the computer
cannot serve the users as it is supposed to. Even if the computer can manage all
these packets, the connection might get saturated and it would not be possible
to send any other packets. If availability is very important to a LAN, then DoS
can be disastrous. But DoS attacks of this kind are mostly harmless and only
affect the availability during the attack. Authentication is the best method to
prevent abuse of resources, as only authorized users should be able to use
them. Having secondary services (redundant services on other servers offering
the exact same functionality and holding the same data) and building a
distributed system is a good way to preserve availability. Then, if a service
fails for some reason, another can take over without any loss of functionality
[5].
2- Literature review: where we review what has been written in the
literature regarding network security in general, and the techniques we
will be using to improve KSU network security in particular, including the
international security standard (ISO 17799).
3- KSU Network security: where we review the current KSU network
architecture, including the technical aspects in general and the security
aspects in particular.
4- Study and Analysis: where we study and analyze the current KSU
network security architecture in detail, with focus on the security
concepts Confidentiality, Integrity, and Availability (C.I.A.).
6- Conclusion and Future work: where we discuss our conclusions and
future work related to the research topic.
Chapter 2
Literature Review
Much research has been done in recent years in the field of
network security. In what follows, we review a number of studies related to
network security in educational institutions. The review is organized to cover the
following issues:
Cui [18] analyzes attacks and probes directed against the East Tennessee
State University (ETSU) network. ETSU has more than 11,000 students,
and its network has around 1,000 servers. The paper reports that most of the attacks
detected were ICMP-based. Protocols such as ping, traceroute, and whois
accounted for 81% of all attacks. In general, ICMP-based attacks are less
dangerous than TCP-based and UDP-based attacks. Some of the attacks
discovered were targeting specific ports like 137, 21, and 111. The paper
suggested a multi-level firewall system, due to the various requirements for
security in academic institutes, as a better solution to satisfy
different users' needs. It also suggests installing an intrusion detection
system (IDS) that can detect attacks in real time, and performing a risk assessment
periodically.
Chapter 3
3- LANs in buildings:
As mentioned earlier, the ATM switches act as the core
switches of the backbone network, and also as the
distribution switches that connect the edge switches inside the buildings.
All the links between the ATM switch and the edge switches are OC-3
(155 Mbps), and the cables are multimode fiber optics. The topology used
in the buildings is a star topology.
Emulated LANs (ELANs) are used to connect the Ethernet
segments in Diriah over the ATM backbone. There are four categories of
ELANs implemented (see figures 3.4 and 3.5):
SFBACKBONE1
SFBACKBONE2
SFBACKBONE3
ii. ELANs for building connectivity, called Building Discovery ELANs.
There are 13 ELANs: BLD2, BLD3, BLD4, BLD5, BLD8, BLD14, BLD15,
BLD16, BLD19, BLD20, BLD23, BLD27, and BLD34.
4- Structured Cabling:
A structured cabling system means, according to the standard, a clear star
topology with a specific type of cable for each area, more termination
points for flexible management of the cabling and easy fault isolation, and
scalability as well. The cabling system is based on the LUCENT
SYSTIMAX structured cabling system.
The work area wiring subsystem consists of the outlets (wall boxes and
face plates), wiring, connectors, and patch cords that connect work area
equipment (PCs) via the cable system to the utility rooms (telecommunication
closets on each floor).
The cabling used to connect PCs to the utility rooms is UTP CAT5 from
LUCENT, which supports rates up to 155 Mbps. The maximum run distance is 90 meters
plus 10 meters for patch cords and drop cables.
Figure 3.4: Ethernet to ATM Connectivity (ELANs)
Figure 3.5: ELANs structure in KSU Deriah
Utility rooms contain the UTP patch panels, UTP cables, and patch cords,
all used to connect PCs to switches. These utility rooms also house the edge
switches (Cabletron switches). There is one main utility room in
each building, which holds the ATM backbone switch. All the fiber links
(called the vertical riser) going from this ATM switch to the edge switches in
a building are indoor 4-core multimode cables between each switch in
the utility room and the main utility room (the maximum allowed distance is 2000 meters).
Across the campus, outdoor 12-core single-mode fiber cable is used
between the main utility rooms and the main Computer Center, as well as
between adjacent buildings for backup links.
Labeling was applied to the outlets in an agreed format in all the
buildings; in this way the professionals can solve problems
remotely, since they can trace any outlet in any building through its label.
There is one WAN router, a Cisco model 7507. This router connects the
KSU networks in branches such as the community colleges in Aflaj,
Majma'ah, and other branches. It uses the Saudi Telecom Company's
network to connect to the branch networks. This includes analog lines
(traditional leased lines), Digital Data Network lines (DDN), and MPLS
(Akeed service).
There is one Internet router (Cisco 7206), which is used to connect the KSU
network with the Internet provider. Currently, KSU is connected to the
Internet Service Unit (ISU) of King Abdulaziz City for Technology and
Sciences (KACST). It is connected at a speed of 34 Mbps through an
ATM link provided by STC.
7- NO wireless network:
There is an old network related to the old mainframe that still exists
and is used by KSU employees. The mainframe network consists of control
units that are connected directly to the mainframe, and terminals that are
connected to the control units with coaxial cables. The protocol used is
SNA. It is important to mention that there is Windows software that
emulates the terminal screen on a normal PC and connects to the
mainframe over the TCP/IP network. This software is widely used in KSU as a
replacement for the old terminals.
There are two official Remote Access Servers used in the main
computer center, both from Lucent and called Ascend MAX TNT. One of
them uses the traditional analog lines while the other uses digital
lines (E1s). There is a special zone for the RAS services that contains the two
RASs mentioned, their authentication servers (RADIUS), and a
Linux firewall (see figure 3.6).
There are two parts of the network management system: the VLAN
Manager and SPECTRUM. The VLAN Manager is a tool to manage all
the VLANs implemented in KSU Deriah, and on the SecureFast switches
only. SPECTRUM is an enterprise management tool that monitors and
manages the network equipment used in the KSU network. Currently,
SPECTRUM is not used.
11- The Old and the new IBM Mainframes:
1- Internet Firewall:
3- AntiVirus System:
5- No Active Directory:
6- Email Relay:
7- VLANs:
The scope of the network security assessment covers the KSU Deriah
network, focusing on the network architecture of the main services. We
should note that network security assessment is not information security
assessment: it covers up to layer 3 of the Open Systems
Interconnection model (OSI model).
Usually, there are some tasks that should be done within the network
security assessment but are not mentioned explicitly in the methodology,
for example reporting the results after doing the penetration testing.
G: Gather information
Gather information about current network security. This includes network/
security drawings, IP addresses, and any related and available information.
R: Risk Assessment
To understand the risk assessment process, it is essential to define the term
risk. National Institute of Standards and Technology (NIST) defines risk as “a
function of the likelihood of a given threat source’s exercising a particular
potential vulnerability, and the resulting impact of that adverse event on the
organization.” In other words, where a threat intersects with vulnerability, risk
is present. Risk assessment consists of:
1- Asset Identification:
This stage will identify the network assets according to its criticality to
KSU.
2- Threat Assessment:
This stage identifies the current attacks and threats within the network. A lot
of information must be analyzed to discover those attacks and threats,
since there are thousands of PCs connected to KSU's network. We
find the average threat value for the related assets, to be used in finding the
final risk value for each asset. As in Stoneburner [33], and since we have
three levels for each threat (High, Medium, and Low), we have used the
values 0.1, 0.5, and 1 for the Low, Medium, and High levels respectively, to
reflect severity in the final value for each asset.
3- Vulnerability assessment:
Network vulnerability assessment reports on network
configuration flaws and security holes that an intruder can take advantage
of. We find the average vulnerability value for each asset by dividing
the number of vulnerabilities by the number of assets in each zone. Then,
as in the threat assessment, we find one vulnerability
value for each asset by using:
Final value = 0.1 x (Low) + 0.5 x (Medium) + High
4- Risk value:
The value of the risk will be estimated according to Asset
identification, threat assessment, and vulnerability assessment. Risk value
will be calculated by multiplying average of Asset value, threat value, and
vulnerability value for each category of assets as in Yazar [32]. That is:
P: Penetration testing
Penetration testing can be overt or covert. The overt involves performing a
penetration test with the knowledge and consent of the organization's IT staff.
The covert involves performing a penetration test without the knowledge of
the organization's IT staff but with knowledge of the management. We will
use the covert approach. There are two types of penetration testing:
G: Gap analysis:
Gap analysis will be started after getting the reports from threat
assessment, internal penetration testing, and external penetration testing and it
will be analyzed against the network security related aspects of BS ISO IEC
17799 2005 international standard.
After we have got the needed information about the current KSU
network security, we have started Risk Assessment following our
methodology mentioned earlier. Risk Assessment consists of Asset
Identification, threat assessment, vulnerability assessment, and Risk value.
In this stage, we identify the current threats within the network. Since
the network is big and has thousands of PCs, it is very difficult to identify
every threat for every device connected to the network. It also needs a
professional tool that can deal with such a situation. We have chosen an
excellent and expensive tool called "IBM ISS Anomaly Detection System
(ADS)"; more information about this tool is in Appendix B. This tool is an
appliance that receives the network traffic and analyzes it to find the threats. It
is very important to choose the best location in the network, so we obtained
approval from the IT computer center in KSU to mirror all KSU traffic going to
the main gateway in Deriah to our ADS appliance. The appliance should receive
the traffic for at least one month to give good results. The identified threats
are listed in Table 4.2 (for more details about each threat, kindly see Appendix
A).
From Table 4.2, the number of PCs (clients) that are considered a source
of threat is huge. Combined with the gathering information stage, this means that
at least 26% of the PCs are considered to be a source of threat. See Figure 4.2.
Also, from the table, we can see that many threats are considered "ongoing",
which means that there is no monitoring at KSU for the security threats.
Figure 4.2: Source-of-threat PCs 26%, remaining PCs 74%.
Table 4.2 (fragment; only three rows survived extraction):
7. Nebuler Trojan, 2 variants, 3.93 bps / 6.40 bps, 2 clients, 10/03/07 16:09, Ongoing
8. Port Scans, 0.16 bps / 5.97 bps, 28 clients, 10/02/07 13:33, 2h03m
14. Remote Access Application(s) Traffic - Identification: Famatech Radmin, 0 bps / 0 bps, 2 clients, 10/06/07 13:22, 3 weeks 1 day 4h10m
Behavior*: for more details about each threat, kindly see appendix A
[Chart: No. of assets that are threat sources: PC's 561 (98.60%), Servers 3 (0.50%), Global IP's 5 (0.90%)]
The vulnerability assessment result was huge: it was 1300 pages. We have
revised it to derive Table 4.3 as shown below. For the PCs, we
selected one PC in each building in Deriah and then found the
average number of vulnerabilities for a PC. To compare the results of the
vulnerability assessment between the assets, we should find the average
number of vulnerabilities per asset. We found the average by dividing
the number of vulnerabilities by the number of assets in each zone, as shown in
Table 4.4. Also, in this table, we derived one value for the vulnerabilities
of each asset from the Low, Medium, and High counts. We used
the values 0.1, 0.5, and 1 for the Low, Medium, and High levels respectively, to
reflect severity in the final value for each asset. We can see from Table 4.4
that PCs are the most vulnerable assets among all the others. For more details
about the vulnerabilities, see Table 4.5.
Table 4.3 (fragment): Identified Vulnerabilities
Asset zone          High   Medium   Low   Notes
Internet Servers    14     16       5
Table 4.4: Average number of vulnerabilities per asset and the final value
Asset zone                        High   Medium   Low    Final value (0.1 Low + 0.5 Medium + High)
Core and Distribution Switches    1      0.83     0      1.42
Access switches (Edge)            1      0.65     0      1.33
Internet Servers                  1      1.14     0.36   1.61
Internal servers                  2.1    2.27     0.51   3.29
PC's                              7      4        25     11.5
An attacker may use this flaw to gain a root shell on this system.
An attacker may use this flaw to prevent the remote host from
accomplishing its job properly.
See Also:
http://www.apache.org/dist/httpd/Announcement.html
See Also:
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
After obtaining the asset identification values, threat values, and
vulnerability values, we can calculate the risk value based on them.
The risk value is calculated by multiplying the asset value, threat value,
and vulnerability value for each category of assets, as in Yazar [32]. That is:
The risk value for each asset is shown in Table 4.5. As we can see, the
PCs have the highest risk value, and the internal servers have the second highest
value. The Internet servers are third, followed by the core and distribution switches,
and the last are the access switches. The differences are shown in Figure
4.4.
Table 4.5: Risk value for each asset zone
Asset zone                        Asset Value   Average Threat Value (related to assets)   Average Vulnerability Value   Risk value
Core and Distribution Switches    3             2                                           1.42                          8.52
Access switches (Edge)            2             2                                           1.33                          5.32
Internet Servers                  3             16.2                                        1.61                          78.3
Internal servers                  3             16.2                                        3.29                          160
PC's                              1             16.2                                        11.5                          186.3
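The scoring behind Tables 4.4 and 4.5 carried through in code, as an added example that is not part of the thesis. It assumes the average threat values (2 and 16.2) as given in Table 4.5, and it infers an Internet-server asset count of 14 from the Table 4.3 and 4.4 figures; rounding is half-up, as the tables do.

```python
"""Risk scoring used in Chapter 4 of the KSU assessment (added example).

  final value = 0.1 x Low + 0.5 x Medium + 1 x High          (Stoneburner weights)
  risk value  = asset value x avg threat value x avg vulnerability value  (Yazar)
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Severity weights from the thesis: Low 0.1, Medium 0.5, High 1.
WEIGHTS = {"high": Decimal("1"), "medium": Decimal("0.5"), "low": Decimal("0.1")}


def round_half_up(value, places="0.01"):
    """Round as the thesis tables do (1.415 -> 1.42), not banker's rounding."""
    return Decimal(value).quantize(Decimal(places), rounding=ROUND_HALF_UP)


def weighted_value(high, medium, low):
    """Collapse High/Medium/Low figures into the single 'final value' of Table 4.4."""
    return (WEIGHTS["high"] * Decimal(str(high))
            + WEIGHTS["medium"] * Decimal(str(medium))
            + WEIGHTS["low"] * Decimal(str(low)))


def per_asset_average(counts, asset_count):
    """Table 4.3 -> Table 4.4: findings per severity divided by the assets in the zone."""
    return {sev: round_half_up(Decimal(n) / Decimal(asset_count)) for sev, n in counts.items()}


@dataclass(frozen=True)
class Zone:
    name: str
    asset_value: int            # criticality from asset identification (Table 4.5)
    avg_threat_value: Decimal   # weighted average of the threats related to the zone
    vuln_high: Decimal          # average vulnerabilities per asset (Table 4.4)
    vuln_medium: Decimal
    vuln_low: Decimal

    def vulnerability_value(self) -> Decimal:
        return round_half_up(weighted_value(self.vuln_high, self.vuln_medium, self.vuln_low))

    def risk_value(self) -> Decimal:
        # Multiplies the rounded vulnerability value, as the thesis table does.
        return self.asset_value * self.avg_threat_value * self.vulnerability_value()


# Inputs as printed in Tables 4.4 and 4.5. The threat values (2 for the switch
# zones, 16.2 for the rest) are taken as given; Table 4.2 is not reproduced here.
ZONES = [
    Zone("Core and Distribution Switches", 3, Decimal("2"), Decimal("1"), Decimal("0.83"), Decimal("0")),
    Zone("Access switches (Edge)", 2, Decimal("2"), Decimal("1"), Decimal("0.65"), Decimal("0")),
    Zone("Internet Servers", 3, Decimal("16.2"), Decimal("1"), Decimal("1.14"), Decimal("0.36")),
    Zone("Internal servers", 3, Decimal("16.2"), Decimal("2.1"), Decimal("2.27"), Decimal("0.51")),
    Zone("PC's", 1, Decimal("16.2"), Decimal("7"), Decimal("4"), Decimal("25")),
]


def rank_by_risk(zones):
    """Return (name, vulnerability value, risk value) rows from highest to lowest risk."""
    return sorted(((z.name, z.vulnerability_value(), z.risk_value()) for z in zones),
                  key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    # Internet Servers row of Table 4.3 (14 High, 16 Medium, 5 Low); the asset
    # count of 14 is an assumption inferred from the per-asset averages in Table 4.4.
    print(per_asset_average({"high": 14, "medium": 16, "low": 5}, 14))
    for name, vuln, risk in rank_by_risk(ZONES):
        print(f"{name:32s} vulnerability {vuln}  risk {risk:.1f}")
```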
Figure 4.4: Risk value per asset zone (Core and Distribution Switches, Access switches (Edge), Internet Servers, Internal servers, PC's; scale 0 to 200).
We have taken two rules into account before starting the penetration
testing: first, we are doing a network security penetration test, which means it
covers up to layer three of the OSI model. Second, we will not try any
test that may affect the availability of KSU services, such as crashing systems.
We have done the internal penetration testing as shown in Table 4.6.
The gap analysis is between the current KSU network security and
the related aspects of the BS ISO IEC 17799 2005 international standard, which is
the best known standard in the information security field. Thiagarajan [23]
has written a paper that covers all the parts of ISO 17799. We have revised
his paper and prepared a table of the network security related aspects of the
standard. According to what we have seen in the previous stages (gathering
information, risk assessment, and penetration testing) and in our visits to the
KSU computer center, we then filled in the table to find the gap, as can be
seen in Table 4.4. The result is that 68% of the network security
aspects of the standard do not exist (gap at maximum) in the current KSU
network security, while 28% are partially compliant, and only 4% are compliant
(no gap). This shows the huge gap in the current KSU network security.
[Chart: gap analysis result: No Gap 4%, Partial 28%, Not exist (Gap at Maximum) 68%]
In the threat assessment phase, the location of the tool is not the only
possible location in the network, but it was chosen to show the behavior
of most of the traffic. For example, if a PC is infected with a worm and that
worm is targeting the PCs in the same building, then our tool will not discover that
worm. Because of this, all the numbers mentioned in Table 4.2 are
considered minimums that may increase if more tools are installed in
all buildings. Some of the newer switches on the market can help in
such assessments, since they have a built-in Intrusion Detection System (IDS).
on TCP/445". It is known that a worm propagates itself on the network; this can
be done by doing "Host Scans" to discover the available hosts on the
network. Then it checks for vulnerable hosts by doing "Port Scans", which
is the eighth threat in the table. Worms can create the threat "Dark IP traffic",
which means that the hosts infected by the worm scan for random or
unallocated IP addresses on the network. In many cases, this is a sign of a worm's
existence or of a hacker who is using scanning tools. Some of the discovered
threats can initiate Distributed Denial of Service (DDOS) attacks, that is,
sending a huge amount of traffic to stop the service on a specific server, usually available
on the Internet. For example, the ninth threat in the table, "Virut
Variants", will launch a DDOS attack against Estonian websites on the
Internet.
We should note that there are threats mentioned in Table 4.2 that could be a
good service, on the condition that there is monitoring and control of the
network security. For example, the fourteenth threat, "Remote access
application", can be very helpful to administrators or supervisors, but if a
hacker could use this tool, he would have the administrator's power on the
servers. Unfortunately, since about 50% of the threats mentioned in the table
are considered "Ongoing", this proves that monitoring is very weak at
KSU, or may not exist. This means that the mentioned number of infected
clients may increase to large numbers and even stop some services in KSU.
As depicted in Figure 4.2, we found that at least 26% of the PCs are
considered sources of threat. In general, we found that 98.6% of the threat
sources are PCs, 0.5% are KSU servers, and 0.9% are global IPs.
The risk of this high percentage (98.6%) can be minimized by applying
security controls at the network level, as we will see in the proposed security
solution.
In Table 4.5, we found the risk value for each asset. This includes
finding the average threat value for each asset from Table 4.2, and we should
note that only related threats should be counted in the risk value formula. As
an example, we found that only two threats out of the 14 are related
to "core and distribution switches" and "access switches", while all
fourteen threats are related to the remaining assets in Table 4.5. Also, to
calculate the average threat value in this table, we used the same formula
mentioned before for the vulnerability value calculation, that is,
Average threat value = (0.1) low + (0.5) medium + High
Applying this formula to all threats in Table 4.2 results in 16.2 (the
number mentioned in Table 4.5).
In the gap analysis phase, we chose 25 controls out of the 139 controls
that exist in the ISO 17799 international standard. The selection was made by checking
every one of the 139 controls against our scope (up to layer three in the
OSI model). From this phase, we found that 68% of the network security
aspects of the standard do not exist (gap at maximum) in the current KSU
network security. This number can be reduced by simple actions.
Going back to Table 4.7, physical security (the twelfth item in the table)
can be applied by a decision from IT management.
Chapter 5
4- Since PCs are the largest source of threats in KSU, our
recommendation in point 3 above (domain authentication and NAC) can
be used successfully to prevent users from accessing their PCs with
administrative privileges, to install patches for security vulnerabilities
regularly, and to apply new policies quickly to all the clients.
5- Prevent the use of clear text sessions for all KSU systems. This
includes changing the way network switches are accessed by using
encrypted sessions, namely SSH (Secure Shell), instead of Telnet.
Also, the sessions to the Internet servers, like the proxy, and to the internal
servers, like the mainframe, should all be encrypted to minimize the risk of
passwords being captured by hackers. More restrictions can be applied by
creating an access list of IP addresses, either on the network or on
the servers, to allow only authorized users to access those services.
9- There should be a way to control the bandwidth of KSU users. Some
products are available and can be installed in front of the Internet firewalls.
Also, some control can be done at the network switch level. This will
minimize the risk of disrupting the Internet service for internal and
external users.
10- The Internet bandwidth has increased to 100 Mbps; this can be seen as
extra power for hackers, even from outside Saudi Arabia. It is
evidenced by the existence of the threats we have seen in Chapter 4 and
Appendix A. The KSU network can be used to originate distributed denial of
service (DDOS) attacks against any connected network on the Internet.
This risk can be minimized by establishing the SOC, as mentioned above.
11- Since the gap between the current KSU network security and the related
aspects of the BS ISO IEC 17799 2005 international standard was huge, as we
have seen, we recommend revising all the aspects of the standard
and fulfilling its parts to minimize the gap. As an example, a security guard
should be available at night to fulfill the requirement for physical
security.
Figure 5.1: Suggested KSU Network Architecture
Chapter 6
6.1 Conclusion
In the threat assessment, we found that at least 26% of the PCs are
considered sources of threat. Many threats are considered "ongoing", which
means that there is no monitoring at KSU for the security threats. Also, we
found that 98.6% of the threat sources are PCs, 0.5% are KSU
servers, and 0.9% are global IPs.
the man-in-the-middle attack. We could also get the users' passwords for the proxy
server with the same technique. Any clear text session can be reconstructed with
the same technique if the right tools are available.
In the gap analysis phase, we found that 68% of the network security
aspects of the standard do not exist (gap at maximum) in the current KSU
network security, while 28% are partially compliant, and only 4% are compliant
(no gap).
Our study and analysis does not cover everything related to information
security in KSU, so we suggest for the future work the following:
Description
Phishing hosting servers host content that is designed to socially engineer unsuspecting users into surrendering private
information that will be used for identity theft.
Phishing Web sites mimic legitimate Web sites, often of a financial institution, in order to steal logins, passwords, and personal
information. Attackers trick users into using the fake Web site by claiming to be a legitimate institution requesting the information
for valid reasons, such as account verification. They may then use the stolen credentials to withdraw large amounts of money from
the victim's account or commit other fraudulent acts.
Analysis
While the initial incentive for phishing attacks was because of the ease with which unsuspecting users would provide sensitive
personal financial information, there has been an evolution in attackers' motivations for such attacks. For example, attackers could
use malformed Web sites that mimic legitimate financial institutions in order to have a user click on a link that would then
download and install malware. In another example, attackers could potentially gain sensitive corporate information if the mimicked
site represented content from the unsuspecting user's employer. It is important to note that simply because a user visited a
phishing site does not necessarily mean that the user actually sent his or her personal information.
Trigger
This policy triggers when the system identifies TCP traffic to vetted phishing hosting servers via TCP ports. Customers should
note that the phishing servers typically have a short "shelf life," and, as such, servers that exist today may not exist tomorrow.
However, this particular ATF policy is regularly updated to refresh the list of active servers, with inactive servers being retired, i.e.,
removed.
Any host upon which a Web browser can be installed is potentially susceptible.
Remediation
If possible, remove infected hosts from the network, scan for any installed malware, and ensure that all the latest and most
relevant patchsets are installed. In addition, identified hosts should be contacted in order to determine if sensitive information was
disclosed to untrusted third parties and, if so, what the nature of that information was. Any violating hosts should also be scanned
with up-to-date virus tools to determine if a Trojan or other malware was installed on the system.
If possible, instruct users on e-mail best practices, including not sending any personal information as a response to an e-mail that
requests it. Legitimate institutions will most likely never request such information in the form of an e-mail.
Workaround
N/A
2- Korgo Worm
Summary
ID: ATF-2005-11-13
Published: 2005-11-30 18:01 EST
Updated: 2006-07-12 16:19 EDT
Type: Malicious Code
Revision: 13 - Update trigger description.
Severity: low
Description
Korgo is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in
Microsoft Security Bulletin MS04-011) on TCP port 445. Infected hosts will scan for new victims on TCP port 445, launch attacks
against this service, and, once infected, will contact additional sites for updated information and commands from attackers. Many
variants of the worm also create services which listen on TCP ports 113, 2041, 3067, 5111, and other random ports.
Analysis
The Korgo worm is another worm which utilizes a well characterized vulnerability and popular exploit methodology to build a large
botnet. These hosts can cause significant damage to the networks that host them and infected hosts should be remedied quickly.
Trigger
This policy looks for hosts scanning on TCP port 445 followed by connections to the update sites and control servers. The
subjects of the alerts are active Korgo worm hosts.
Remediation
Local hosts found violating this policy should be cleaned with standard antivirus removal tools.
Workaround
There are several variants of the worm which alter infected hosts in different ways. It is best to use antivirus techniques to repair
damaged hosts. Blocking inbound TCP traffic to ports 113, 2041, 5111, and 3067 can help prevent the abuse of infected
machines. To prevent the worm from spreading, apply the patch listed in the Microsoft Security Bulletin MS04-011.
Summary
ID: ATF-2006-142-4
Published: 2006-11-16 16:55 EST
Updated: 2006-11-28 15:01 EST
Type: Malicious Code
Revision: 4 - Enforce normal Windows ephemeral port ranges for DNS traffic, which should prevent alerts on backscatter.
Severity: high
Description
The "FreeVideo Player" Trojan horse is a set of software that disguises itself as a multimedia codec but is used to redirect website
traffic to malicious webservers. Usually found when users are looking at pornographic websites, they are prompted to install what
appears to be a multimedia codec used to play pornographic movies. The malware has a proper looking installer and even a
license agreement that gives the source of the malware great latitude over the user's machine. The installer will proceed to alter
the user's DNS settings, overriding any DHCP or manually set preferences, and will redirect web traffic to a bank of malicious web
servers. Furthermore, the installed software may install additional software and malware on the user's machine.
Analysis
The "FreeVideo Player" Trojan has several hundred variants, all of which contain minor differences and have altered MD5 values.
All files have names ranging from "dvdaccess1000.exe" to "dvdaccess3000.exe". However, they all appear to perform the same
actions, namely changing the DNS settings in the network connection TCP/IP preferences to use two different servers in the
85.255.112.0/20 netblock. The consequence of this is to redirect the user to their websites, which contain pornographic and
possibly malicious content, if a URL is mistyped. Legitimate, valid hostnames, URLs, and domain names do not appear to be
altered by their DNS servers.
The malware sets the following registry key to ensure that the malware is always running:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "System"="kdfle.exe". This file will be
hidden by a userland rootkit, but it is located at %SYSTEM32%\kdyda.exe.
Trigger
This policy looks for DNS and corresponding HTTP traffic to the netblock used by the malware, 85.255.112.0/20. This should
detect the rogue DNS traffic to an offsite, malicious DNS server and the web server used to additionally infect machines.
• Windows 2003
• Windows XP
• Windows 2000
• Windows NT
Remediation
Scan suspect machines with updated antivirus tools to examine for signs of known malware infections.
Workaround
This malware is currently poorly detected by antivirus companies. Blocking network level access to the malicious subnet,
85.255.112.0/20 (AS27595, Intercage), appears to be the best means to block the malware's effects.
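The trigger above (DNS and HTTP traffic into 85.255.112.0/20, restricted to Windows ephemeral source ports so that backscatter does not raise alerts) can be reproduced from flow records. The following is an added example written for this thesis appendix; it is not the vendor's detection logic nor code from the thesis. The netblock and watched ports come from the advisory; the ephemeral port range 1025-5000, the `classify_flow`/`suspect_hosts` names and the sample flows are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Netblock named in the advisory (85.255.112.0/20, AS27595).
MALICIOUS_NET = ipaddress.ip_network("85.255.112.0/20")

# Assumed Windows 2000/XP/2003 default client (ephemeral) source-port range.
# The advisory only says "normal Windows ephemeral port ranges"; 1025-5000 is
# the classic default and is an assumption of this example.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1025, 5000

# Services the trigger watches: the rogue DNS lookups and the follow-on HTTP
# fetch from the same netblock.
WATCHED = {("udp", 53): "dns", ("tcp", 53): "dns", ("tcp", 80): "http"}


def classify_flow(src_ip, src_port, dst_ip, dst_port, proto):
    """Return 'dns' or 'http' if the flow matches the trigger, else None."""
    if ipaddress.ip_address(dst_ip) not in MALICIOUS_NET:
        return None
    kind = WATCHED.get((proto, dst_port))
    if kind is None:
        return None
    # Revision 4 of the policy: a DNS flow only counts when its source port
    # looks like a Windows client socket.  A reply our own resolver sends from
    # port 53 to a spoofed address in the netblock (backscatter) is dropped.
    if kind == "dns" and not (EPHEMERAL_LOW <= src_port <= EPHEMERAL_HIGH):
        return None
    return kind


def suspect_hosts(flows):
    """Count matching flows per internal source host.

    flows: iterable of (src_ip, src_port, dst_ip, dst_port, proto).
    Returns {src_ip: {"dns": n, "http": m}} for hosts that hit the netblock.
    """
    hits = defaultdict(lambda: {"dns": 0, "http": 0})
    for src_ip, src_port, dst_ip, dst_port, proto in flows:
        kind = classify_flow(src_ip, src_port, dst_ip, dst_port, proto)
        if kind:
            hits[src_ip][kind] += 1
    return dict(hits)


# Constructed sample flows (src_ip, src_port, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.1.2.3", 1043, "85.255.115.20", 53, "udp"),     # rogue DNS query
    ("10.1.2.3", 1044, "85.255.115.20", 53, "udp"),     # second query
    ("10.1.2.3", 1045, "85.255.116.7", 80, "tcp"),      # follow-on HTTP fetch
    ("10.1.2.9", 53, "85.255.112.5", 53, "udp"),        # our resolver replying: backscatter, ignored
    ("10.1.2.9", 1100, "85.255.127.255", 443, "tcp"),   # port not watched, ignored
    ("10.1.2.9", 1100, "85.255.128.1", 53, "udp"),      # just outside the /20, ignored
    ("10.1.2.10", 40000, "85.255.113.1", 53, "udp"),    # outside the assumed ephemeral range, ignored
]

if __name__ == "__main__":
    for host, counts in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {counts['dns']} DNS and {counts['http']} HTTP flows to {MALICIOUS_NET}")
```

Only 10.1.2.3 is reported: it issued two DNS queries and one HTTP request into the netblock from client-looking ports. The resolver reply from port 53 is the case the policy's revision 4 was written to suppress, and a host whose DNS settings were changed by the installer would show exactly the first pattern, so the host list this produces is the one to hand to the remediation step (antivirus scan and a check of the TCP/IP DNS settings and the Winlogon registry value named in the analysis).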
4- Host Scans
Summary
Host scanning is a process whereby automated network sweeps are initiated in search of hosts running any particular service.
Description
Host scanning is a process whereby automated network sweeps are initiated in search of hosts running any particular service.
This may be indicative of either legitimate host scanners (including network management systems and authorized vulnerability
scanners) or an attacker (or automated malicious code, such as a worm) trying to enumerate potential hosts for subsequent
compromise.
Analysis
While host scanning might be innocuous (often an unpleasant byproduct of being Internet-connected) it could be indicative of
suspicious and/or malicious activity. If the identified hosts are not conducting authorized network security auditing, administrators
should immediately inspect them to ensure they are not infected with malicious code and are not controlled by an attacker
attempting to compromise other hosts and/or servers.
Affected
Remediation
Hosts infected with malware or compromised by an attacker should be isolated from the network immediately, scanned with up-to-
date antivirus tools, and patched for any security vulnerabilities.
Workaround
N/A
5- Dark IP Traffic
Summary
ID: ATF-2005-17-16
Published: 2005-07-06 09:06 EDT
Updated: 2007-01-19 08:25 EST
Type: Other
Revision: 16 - Overdue updates due to allocation changes.
Severity: Medium
Description
Dark IP addresses are globally routable IP addresses that do not have any responding hosts configured. As such, no well-
configured, non-compromised host should be sending packets to such IP addresses.
Packets sent to "Dark IP" addresses can likely be categorized into one of four categories:
Host/Port scanning: Host/Port scanning is a technique used to learn about open hosts/ports within an arbitrary network. Both
legitimate security engineers and malicious attackers can employ scanning applications that generate such packets. However,
malicious code, such as worms, also can employ scanning routines in an attempt to propagate to other infectible hosts.
Distributed Denial of Service (DDoS) Backscatter: Backscatter follows the spread of information requests across the Internet
generated by DDoS attacks. The source IP address(es) of many DDoS attacks is spoofed. As such, when requests for service are
answered by the server under attack, the data is sent across the Internet rather than to the host where the attack originated. This
spread of information is considered backscatter.
Mis-configured devices: A flow that lives for a very short time, and that cannot be categorized into one of the above categories,
is labeled as a configuration mistake of one of the computers in the Internet.
Other: A long flow that could not be categorized into any of the above groupings.
Analysis
Though transmitting packets to unallocated IP address space can occur due to misconfiguration, it is often a clear sign of
suspicious activity, such as vulnerability scanning or flooding, since very few legitimate applications indiscriminately scan
addresses in this fashion. Hosts that trigger alerts under this policy should be examined closely.
Trigger
This policy triggers when the system identifies traffic destined to any Internet Assigned Numbers Authority (IANA) address on
reserved or unallocated networks. RFC 1918, link-local, and multicast ranges have been omitted, as they are often in legitimate
use internally on an enterprise network.
Remediation
Scan hosts using up-to-date anti-virus tools and check for misconfiguration.
Workaround
Block network traffic to and from the destination network blocks (like 0.0.0.0/8, 1.0.0.0/8, 100.0.0.0/8, 101.0.0.0/8)
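The trigger and the four-way categorization described for this policy can be implemented over flow records as follows. This is an added example written for the appendix, not the vendor's policy logic and not code from the thesis. The four dark blocks are exactly the ones the workaround names and are only a snapshot: as the revision note says, the list changes with IANA allocations and must be refreshed from the current IANA IPv4 registry before use. The exclusion list (RFC 1918, link-local, multicast) follows the trigger text; the thresholds, the flag-based backscatter heuristic and the `is_dark`/`categorize` names are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

# The four blocks the advisory gives as examples.  Constructed snapshot for the
# example; IANA allocates space over time, so refresh this before real use.
DARK_BLOCKS = [ipaddress.ip_network(n) for n in
               ("0.0.0.0/8", "1.0.0.0/8", "100.0.0.0/8", "101.0.0.0/8")]

# Ranges the policy leaves out because enterprises use them legitimately:
# RFC 1918 private space, link-local, and multicast.
EXCLUDED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "169.254.0.0/16", "224.0.0.0/4")]


def is_dark(dst_ip):
    """True if dst_ip lies in a dark block and not in an excluded range."""
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in EXCLUDED):
        return False
    return any(addr in net for net in DARK_BLOCKS)


def categorize(flows, short_flow_seconds=2.0, scan_threshold=5):
    """Bucket each source's dark-IP traffic into the advisory's four classes.

    flows: iterable of (src_ip, dst_ip, dst_port, tcp_flags, duration_s).
    Heuristics (assumptions of this example, not the vendor's logic):
      - many distinct dark destinations from one source -> "scan"
      - only SYN/ACK or RST sent into dark space         -> "backscatter"
        (our host answering a spoofed source address)
      - a single short-lived flow                         -> "misconfigured"
      - a longer flow that fits none of the above         -> "other"
    """
    per_src = defaultdict(list)
    for src, dst, dport, flags, dur in flows:
        if is_dark(dst):
            per_src[src].append((dst, dport, flags, dur))

    verdict = {}
    for src, hits in per_src.items():
        distinct_dsts = {h[0] for h in hits}
        if len(distinct_dsts) >= scan_threshold:
            verdict[src] = "scan"
        elif all(h[2] in ("SA", "R") for h in hits):
            verdict[src] = "backscatter"
        elif len(hits) == 1 and hits[0][3] < short_flow_seconds:
            verdict[src] = "misconfigured"
        else:
            verdict[src] = "other"
    return verdict


# Constructed sample flows (src_ip, dst_ip, dst_port, tcp_flags, duration_s).
SAMPLE_FLOWS = [
    # 10.0.0.5 sweeps six dark addresses on TCP 445: a scan
    *[("10.0.0.5", f"1.2.3.{i}", 445, "S", 0.1) for i in range(1, 7)],
    # 10.0.0.7 sends only SYN/ACK and RST into dark space: replies to spoofed sources
    ("10.0.0.7", "100.1.1.1", 1234, "SA", 0.0),
    ("10.0.0.7", "101.9.9.9", 1235, "R", 0.0),
    # 10.0.0.8 makes one short attempt to a dark address: a likely configuration mistake
    ("10.0.0.8", "1.1.1.1", 80, "S", 0.5),
    # 10.0.0.9 holds a long flow to a dark address; its other traffic is excluded or not dark
    ("10.0.0.9", "101.1.1.1", 6667, "S", 300.0),
    ("10.0.0.9", "10.5.5.5", 445, "S", 0.1),
    ("10.0.0.9", "224.0.0.251", 5353, "", 0.1),
    ("10.0.0.9", "8.8.8.8", 53, "", 0.1),
]

if __name__ == "__main__":
    for src, kind in sorted(categorize(SAMPLE_FLOWS).items()):
        print(f"{src}: {kind}")
```

The "scan" and "other" verdicts are the ones that warrant the remediation step (antivirus scan, configuration check); "backscatter" points at a host being used as a reflector for someone else's spoofed attack rather than at an infection, and "misconfigured" is usually a typo in an address or route. Traffic to 10.5.5.5 and 224.0.0.251 is never counted, which is the exclusion the trigger text describes.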
TOR implementations exist for Microsoft Windows, Apple Mac OS X, Linux, and other Unix variants.
Description
TOR is an anonymizing Internet proxy service designed to circumvent traffic analysis by proxying TCP traffic within chained,
encrypted tunnels. Using this service, a client can disguise what resources (s)he is accessing on the Internet, thereby obfuscating
any Internet activities, malicious or not.
Analysis
Many people believe there are legitimate usages for TOR, especially in cases where privacy is of concern. However, there are just
as many, if not more, illegitimate uses as well. For example, attackers may use this service to hide the true source or destination
of their connections, or an employee could bypass a corporate security policy in order to view prohibited web sites or use
prohibited services like instant messaging without detection. What is even more concerning is the fact that various malicious
codes can, once installed on an exploited host, establish hidden services on the host, such as web/file/FTP servers to allow for the
creation of persistent malware distribution sites should others be cleaned.
Trigger
This policy triggers when the system identifies outbound TCP-related traffic transmitted to known TOR servers.
Any Internet-connected host running Windows, Linux, and/or Unix could potentially be affected. Malicious bots usually propagate
automatically, scanning for unpatched vulnerabilities in popular network software and exploiting them to install malicious code on
a host without the owner's knowledge. Alternatively, bots can propagate like a traditional Trojan horse or virus, tricking users into
running malicious code (e.g., an e-mail that contains a deceivingly-named attachment).
Remediation
N/A
Workaround
Blocking TOR simply by TCP port is difficult because a significant number of servers employ HTTPS (TCP port 443) for their TOR
port, which is the primary port for connection forwarding. In addition, many servers employ TCP ports 9001, 9030, and 9050.
Thus, blocking these ports can significantly hinder TOR operation. Blocking IP traffic to all known TOR servers is a more effective
defense mechanism; however, the list of operational TOR servers changes periodically. As such, any firewall blacklist
enumerating said servers will need to be updated accordingly.
Summary
ID: ATF-2006-123-3
Published: 2006-07-12 17:42 EDT
Updated: 2006-07-14 15:09 EDT
Type: Malicious Code
Revision: 3 - Publish.
Severity: medium
The Nebuler Trojan family downloads and launches malware from remote sites. This can then be used to further infect a host.
Description
The Nebuler Trojan family downloads and launches malware from remote sites. This can then be used to further infect a host.
Once a host is infected, the infection state is sent to the attacker via a remote website and additional files are downloaded and
executed.
Analysis
Nebuler is a minor family of malware that can arrive via email, peer-to-peer, or hostile websites. It acts as a bootstrap mechanism
for additional malware. It is not a major threat to most networks at this time.
Trigger
This policy looks for a host contacting at least two of the notification and download websites (here4search.biz, content.jdial.biz
and smart-security.biz) used by the malware.
• Windows 2003
• Windows 2000
• Windows 95
• Windows 98
• Windows Me
• Windows NT
• Windows XP
Remediation
Scan suspicious clients with up-to-date antivirus software for signs of malicious code.
Workaround
8- Port Scans
Summary
Port scanning is a process whereby targeted network sweeps are initiated in search of hosts running any number of services with
vulnerabilities that can potentially be exploited for further compromise.
Affected
The host(s) listed below are suspected of initiating port scanning routines against other internal/external hosts and/or servers.
Description
Port scanning is a process whereby targeted network sweeps are initiated in search of hosts running any number of services with
vulnerabilities that can potentially be exploited for further compromise. This may be indicative of either legitimate port scanners,
including network management systems and authorized vulnerability scanners, or an attacker (or automated malicious code, such
as a worm) trying to enumerate potential services for subsequent compromise.
Analysis
While port scanning may be innocuous (often an unpleasant byproduct of being Internet-connected), it could be indicative of
suspicious and/or malicious activity. If the identified hosts are not conducting authorized network security auditing, administrators
should immediately inspect them to ensure they are not infected with malicious code and are not currently controlled by an
attacker attempting to compromise other hosts and/or servers.
Remediation
Hosts initiating port scans should be isolated from the network immediately and scanned with up-to-date antivirus tool(s) and
vulnerability scanner(s). Assuming the host is not authorized to initiate port scans, it is likely that the host is infected with malicious
code that exploited a software vulnerability to gain initial access.
Workaround
N/A
9- Virut Variants
Summary
ID: ATF-2006-152-4
Published: 2006-12-13 17:02 EST
Updated: 2006-12-15 13:54 EST
Type: Malicious Code
Revision: 4 - Fix some typos.
Severity: medium
Description
The Virut family of malware is a polymorphic worm with backdoor capabilities that also launches a DDoS against several Estonian
websites. Because the worm is polymorphic, the payload changes its hash with every instance, as well as filenames. The binary is
usually 57856 bytes in size, however.
Virut propagates by scanning for vulnerabilities and open Windows file shares using weak passwords and common account
names. Virut hosts are typically very obvious with their ICMP scanning to discover hosts to attack. Once launched, it will modify
the registry to ensure that the malware is started at system boot. The registry modifications are:
The malware may also contact IRC servers dhl4.irc-sgo.org or Proxima.ircgalaxy.pl on TCP port 65520.
Analysis
The Virut family has been quietly loose on the Internet for several months, first gaining a foothold in late summer, 2006. Because it
is polymorphic, some AV tools may fail to detect all variants. A combination of AV tools should be used to examine any suspicious
host.
Trigger
This policy looks for hosts connecting to the Estonian websites "www.starman.ee" and "www.if.ee" on port 80, and
"www.online.if.ee" on port 443, or contacting the IRC servers dhl4.irc-sgo.org or Proxima.ircgalaxy.pl on TCP port 65520. This
policy will generate alerts when these suspicious hosts begin ICMP scanning. This traffic indicates a Virut-infected host.
• Windows NT4.0
• Windows 2000
• Windows XP
• Windows 2003
Remediation
Scan hosts that show signs of infection with updated AV tools for signs of infection and scan the registry for suspicious keys that
may indicate an infected host.
Workaround
Block access to the websites "www.starman.ee" and "www.if.ee" on port 80, and "www.online.if.ee" on port 443. To prevent the
bot from accepting commands from the attacker, block access to the IRC servers dhl4.irc-sgo.org or Proxima.ircgalaxy.pl on TCP
port 65520.
Summary
ID: ATF-2005-60-20
Published: 2005-10-24 10:43 EDT
Updated: 2006-11-14 14:21 EST
Type: Vulnerability/Exploit Scanning
Revision: 20 - Update for November, 2006, security bulletins from Microsoft (add two references, three CVE references).
Severity: medium
Description
This policy detects scanning activity on the most common well known services in Microsoft Windows. Attackers look for these
ports to identify Microsoft Windows systems and to launch attacks against well characterized vulnerabilities in these services.
These ports and services are:
The vulnerabilities listed in the references have been identified by Microsoft in the past year and are accessible via these services.
The vendor's patches should be installed to mitigate these vulnerabilities.
Analysis
Attackers have been using Microsoft Windows' well known services for several years to launch attacks. The sources of these
scans may be malicious software or attackers actively looking for hosts to attack. Several vulnerabilities are present in any one
service, making it important to evaluate all of the patches applied to hosts to ensure that they are up to date.
Trigger
This policy looks for host scans against well known Microsoft services on TCP ports 135, 139, 445, 593, 3372 and UDP ports 137,
138.
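The host-scan, port-scan and Windows well-known-services policies above all rest on the same counting idea: one source touching one port on many destinations (a host scan), or many ports on one destination (a port scan), with the Windows policy being a host scan whose port is one of TCP 135/139/445/593/3372 or UDP 137/138. The following detector over connection records is an added example for this appendix, not the vendor's implementation and not code from the thesis; the port sets are those listed in the trigger, while the thresholds, the `detect_scans`/`build_sample_flows` names and the sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict

# Ports the Windows well-known services policy watches (from the advisory).
WINDOWS_TCP_PORTS = {135, 139, 445, 593, 3372}
WINDOWS_UDP_PORTS = {137, 138}

# Thresholds are assumptions chosen for the example, not the vendor's tuning.
HOST_SCAN_MIN_DSTS = 8     # one port probed on at least this many hosts
PORT_SCAN_MIN_PORTS = 8    # at least this many ports probed on one host


def detect_scans(flows):
    """Summarise scanning behaviour per source address.

    flows: iterable of (src_ip, dst_ip, dst_port, proto) connection attempts.
    Returns {src_ip: {"host_scan_ports": {(proto, port), ...},
                      "port_scan_targets": {dst_ip, ...},
                      "windows_services": bool}}
    containing only sources that crossed a threshold.
    """
    by_port = defaultdict(set)   # (src, proto, port) -> destination hosts
    by_dst = defaultdict(set)    # (src, dst) -> (proto, port) pairs
    for src, dst, port, proto in flows:
        by_port[(src, proto, port)].add(dst)
        by_dst[(src, dst)].add((proto, port))

    report = defaultdict(lambda: {"host_scan_ports": set(),
                                  "port_scan_targets": set(),
                                  "windows_services": False})
    # Host scan: the same service probed across many hosts.
    for (src, proto, port), dsts in by_port.items():
        if len(dsts) >= HOST_SCAN_MIN_DSTS:
            entry = report[src]
            entry["host_scan_ports"].add((proto, port))
            if (proto == "tcp" and port in WINDOWS_TCP_PORTS) or \
               (proto == "udp" and port in WINDOWS_UDP_PORTS):
                entry["windows_services"] = True
    # Port scan: many services probed on the same host.
    for (src, dst), ports in by_dst.items():
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            report[src]["port_scan_targets"].add(dst)
    return dict(report)


def build_sample_flows():
    """Constructed connection attempts from three internal hosts."""
    flows = []
    # 10.0.1.5: a Korgo-style sweep of TCP 445 across twenty neighbours
    for i in range(1, 21):
        flows.append(("10.0.1.5", f"10.0.2.{i}", 445, "tcp"))
    # 10.0.1.6: ten different ports on a single server
    for port in (21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080):
        flows.append(("10.0.1.6", "10.0.3.1", port, "tcp"))
    # 10.0.1.7: ordinary traffic, two web fetches and a DNS lookup
    flows.append(("10.0.1.7", "10.0.3.1", 80, "tcp"))
    flows.append(("10.0.1.7", "10.0.3.2", 443, "tcp"))
    flows.append(("10.0.1.7", "10.0.3.53", 53, "udp"))
    return flows


if __name__ == "__main__":
    for src, entry in sorted(detect_scans(build_sample_flows()).items()):
        print(src, entry)
```

10.0.1.5 is reported as a host scan on TCP 445 and flagged as a Windows-services scan, which is the pattern the Korgo trigger describes; 10.0.1.6 is a port scan against one server; 10.0.1.7 never crosses a threshold and is absent. The thresholds are the tuning knob the advisories leave implicit: set too low, authorized vulnerability scanners and network management systems will alert constantly, and those hosts are better handled with an explicit allow-list than by raising the threshold for everyone.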
Remediation
To prevent exploitation of the vulnerabilities by attackers, apply the patches in the advisories listed in the references.
Workaround
Summary
Traffic indicative of a potential worm has been identified emanating from the hosts listed below.
Affected
The hosts listed are suspected of being worm-infected hosts that are now attempting to propagate to other hosts and/or servers.
Description
Traffic indicative of a potential worm has been identified emanating from the hosts listed below.
A worm is a class of malicious code that propagates by identifying other potentially exploitable hosts and/or servers and then
exploiting ubiquitous software vulnerabilities. The infected hosts initiate a propagation routine and start scanning for other
susceptible hosts. This activity causes worms to spread exponentially, often infecting every potential vulnerable host on a large
network within minutes. Worms frequently contain a "payload," i.e., logic that will perform some additional function exclusive of the
worm propagating. Often, this is used to open a "backdoor" for future remote (and unauthorized) system access -- maybe to have
the host join a "botnet" that can conduct denial of service (DoS) attacks, send spam e-mail, or delete crucial system files. Worms
sometimes install "rootkits" that modify the host's OS (operating system) functionality to disguise infection, thereby concealing the
worm's activities.
Analysis
Worms can be very destructive, and worm propagation in a corporate network is a severe danger. A worm's payload can allow
attackers to enter the internal network and expose potentially sensitive information. Also, it can cause potential liability if infected
hosts are employed to attack other external hosts and/or servers. Further, the simple act of exponential propagation and scanning
can place a tremendous load on network bandwidth, causing severe service degradation or failure on many a network.
Remediation
Hosts that are initiating worm scanning routines should be isolated from the network immediately and scanned with up-to-date
antivirus tools and an up-to-date vulnerability scanner. It is likely that the host is infected with malicious code that exploited a
software vulnerability to gain initial access.
Workaround
N/A
Summary
ID: ATF-2006-97-118
Published: 2006-01-30 11:25 GMT
Updated: 2007-02-13 20:15 GMT
Type: Voice over IP (VoIP) Traffic Identification
Revision: 118 - Updated ruleset
Severity: medium
Description
Skype is a Voice over IP (VoIP) application that allows for IP-based telephone communication with other users throughout the
world. Users can make high quality voice calls to other users and, optionally, place calls directly to standard telephone numbers.
Much like a file sharing network or a text-based chat network such as AIM or IRC, Skype users can make point-to-point two-party
calls or even set up chat rooms and conference calls. Skype also allows users to send text messages to each other as well as
files, much like a typical instant messaging network.
Skype employs a hybrid network architecture. Authentication is centralized, and calls are placed directly between peers. The
traffic can pass over a variety of TCP ports, but typically uses TCP 33033 (the default port) or TCP ports 80 or 443 (when behind a
proxy).
Analysis
The Skype protocol is designed to circumvent firewalls, maximizing the size of the network and the availability of the service. To
that end, it works with proxies to forward traffic and announce the ports available for direct P2P connections. Skype itself has few
public security issues associated with it. Third-party code audits have demonstrated that it's well designed and resilient to many
known attacks. Additionally, the protocol uses encryption to protect all login credentials and conversations.
In addition to the possibly unauthorized communications channel that Skype introduces, the biggest threat to a network from
Skype appears to be its bandwidth consumption. Like any P2P application, this can place a strain on bandwidth and also on
infrastructure materials.
VoIP protocols often employ a large amount of bandwidth, and, consequently, can place a strain on bandwidth and infrastructure
materials. In addition, by permitting VoIP activity at work, employee productivity could be affected. Therefore, monitoring for time
and bandwidth use on those applications during work hours might be warranted.
Trigger
This policy will trigger when individual clients initiate outbound TCP traffic (using TCP ports 33033 or 443) to any of the
aforementioned central Skype login servers.
N/A
Workaround
Block TCP traffic to the following central Skype login servers: 212.72.49.141, 195.215.8.141, 193.163.158.230, 195.41.46.86,
and 80.160.91.11. A number of bandwidth-shaping devices can also detect and rate limit Skype traffic.
Summary
Traffic indicative of a potential worm has been identified emanating from the hosts listed below.
Affected
The hosts listed are suspected of being worm-infected hosts that are now attempting to propagate to other hosts and/or servers.
Description
Traffic indicative of a potential worm has been identified emanating from the hosts listed below.
A worm is a class of malicious code that propagates by identifying other potentially exploitable hosts and/or servers and then
exploiting ubiquitous software vulnerabilities. The infected hosts initiate a propagation routine and start scanning for other
susceptible hosts. This activity causes worms to spread exponentially, often infecting every potential vulnerable host on a large
network within minutes. Worms frequently contain a "payload," i.e., logic that will perform some additional function exclusive of the
worm propagating. Often, this is used to open a "backdoor" for future remote (and unauthorized) system access -- maybe to have
the host join a "botnet" that can conduct denial of service (DoS) attacks, send spam e-mail, or delete crucial system files. Worms
sometimes install "rootkits" that modify the host's OS (operating system) functionality to disguise infection, thereby concealing the
worm's activities.
Analysis
Worms can be very destructive, and worm propagation in a corporate network is a severe danger. A worm's payload can allow
attackers to enter the internal network and expose potentially sensitive information. Also, it can cause potential liability if infected
hosts are employed to attack other external hosts and/or servers. Further, the simple act of exponential propagation and scanning
can place a tremendous load on network bandwidth, causing severe service degradation or failure on many a network.
Remediation
Hosts that are initiating worm scanning routines should be isolated from the network immediately and scanned with up-to-date
antivirus tools and an up-to-date vulnerability scanner. It is likely that the host is infected with malicious code that exploited a
software vulnerability to gain initial access.
Workaround
N/A
Summary
ID: ATF-2006-143-2
Published: 2006-11-22 10:22 EST
Updated: 2006-11-27 11:58 EST
Type: Remote Access Application(s)
Revision: 2 - Publish.
Severity: low
Description
Radmin provides a way to access the windowing system interface of a workstation or server over the Internet. Users can access
the system as though they were physically present, even though they are in fact accessing the system from another location. The
graphical user interface (GUI) of an operating system is intended for a user with physical access to the computer. Remote access
applications alleviate this requirement and allow users to interact with an operating system's GUI over a remote network,
frequently the Internet. Radmin uses encryption to protect the data sent over the network.
Analysis
Radmin was created for the legitimate purpose of allowing authorized users to remotely access systems. However, since it
essentially operates as a server on the internal network, it creates a tunnel through the firewall to the corporate Intranet that is
(most likely) not monitored or administered. Remote access applications such as this often have lax security mechanisms that
may be appropriate for home users but not for enterprise environments. Radmin requires that each client and server system have
the correct software installed.
Users may be enticed to install the Radmin software application on their systems due to heavy advertising, particularly on
computer-related radio programs. The potential risks to corporate networks and the liability of potentially violating corporate
security policies are not part of the radio campaign.
Attackers use remote access applications, including Radmin, to compromise internal networks by first compromising the accessed
host and then installing a remote access application to run in the background. This essentially provides a graphical backdoor that
allows for easy access to compromised systems on the internal network at any time.
At this time (November, 2006), no security issues specific to Radmin are publicly known.
Trigger
This policy will trigger when clients connect to Radmin-enabled systems on the default TCP port 4899.
• Windows 95
• Windows 98
• Windows ME
• Windows NT4.0
• Windows 2000
• Windows XP
• Windows 2003
Remediation
If remote access is a necessity for corporate employees, an enterprise-level application with higher security requirements and
more stringent access control should be used, and all other remote access applications should be prohibited. Radmin has built-in
firewalling for each workstation or server that can restrict connections to authorized network addresses.
Workaround
Block access to the default Radmin services, TCP port 4899. Application layer firewalls and IPS devices may also be able to
identify Radmin traffic and block it selectively.
We should mention that we used two PCs, one server, and one laptop as the hardware for the practical part of this thesis.
Some additional tools were used less frequently, such as NetSpy (Network Analyzer) and GFI LanGuard (Security Scanner).