WINSEM2023-24_BCSE354E_ETH_VL2023240501654_2024-01-11_Reference-Material-I.pptx

saurav1153e 4 views 86 slides Mar 07, 2025

Slide Content

BCSE354E - Information Security Management
Dr. S K Somasundaram, Assistant Professor Senior Grade 2, School of Computer Science and Engineering, Vellore Institute of Technology, Vellore – 632014
Phone No: +91 9843665115
Location: PRP Block – 218D
Module 1: Storage Devices and Servers, Infrastructure Devices, Computer Assets, Content Management

Access Management

Identifying Unauthorized Devices
Most organizations today use some form of asset management. These systems work well for managing assets that are known and permitted within the environment, but offer little visibility or control over rogue machines that may be connecting to the network.
The challenge with rogue devices is that they sit outside the management framework: they are not covered by any standards, policies, security controls or patch updates, so they pose a unique threat to the environment.

Identifying Unauthorized Devices – cont …
The greater the number of unmanaged systems, the greater the risk to the network.
When administrators audit the network, they typically find that between 1 percent and 10 percent of the assets discovered were previously unknown to them.
Once detected, local system administrators can manage modest numbers of such assets. If the volume or location of rogue assets is excessive or dangerous, however, these results justify and motivate automated, proactive enforcement through network access control (NAC).

Identify Assets
There are two general approaches to identifying assets on the network, very similar in nature to the approaches used for finding viruses:
- On-access or real-time detection
- On-demand or scheduled detection

Identify Assets – cont …
On-access or real-time detection: relies on detecting the traffic generated by the endpoint devices themselves.
Benefit: detection is immediate, so action can be taken very quickly.
Disadvantage: because detection is based on traffic generated by the endpoint, a sensor must be located near that traffic (on the same segment or on a mirror port). This may not be practical for every network topology.

Identify Assets – cont …
Scheduled (on-demand) detection: the system queries network addresses for a response according to a schedule.
This model overcomes the proximity limitation of the first approach: scans can be run from a limited number of locations, or from a single location, on the network.
Disadvantage: detection is not immediate; it is limited to the detection interval set by the schedule. For example, with off-hours scanning, rogue systems that are only active on the network between scans escape identification.

Identify Assets – cont …
A further step in identifying unauthorized devices is an asset inventory tool. Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of the systems connected to the organization's public and private network(s). Both active tools, which scan through network address ranges, and passive tools, which identify hosts by analysing their traffic, should be employed.

Identify Assets – cont …
Deploy DHCP server logging, and use a system that improves the asset inventory and helps detect unknown systems from the DHCP lease information.
All equipment acquisitions should automatically update the inventory system as new, approved devices are connected to the network.
Maintain an asset inventory of all systems connected to the network, and of the network devices themselves, recording at least: the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device.
The inventory should include every system that has an Internet Protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice over IP telephones, multi-homed addresses, virtual addresses, etc.

Identify Assets – cont …
The asset inventory must also record whether a device is portable and/or personally owned. Devices such as mobile phones, tablets, laptops and other portable electronic devices that store or process organizational data must be identified, regardless of whether they are attached to the organization's network.
Make sure the asset inventory database is properly protected (it is itself a valuable target, since it tells an attacker what exists and who owns it) and that a copy is stored in a secure location.
In addition to the hardware inventory, organizations should develop an inventory of information assets that identifies their critical information.

Identify Assets – cont …
Beyond the asset inventory tool, the organization needs to:
- Deploy network-level authentication via IEEE 802.1X to limit and control which devices can connect to the network.
- Deploy Network Access Control (NAC) to monitor authorized systems, so that if an attack occurs the impact can be contained by moving the untrusted system to a virtual local area network (VLAN) with minimal access (a quarantine VLAN).
- Create separate VLANs for BYOD (bring your own device) systems and other untrusted devices.
- Use client certificates (for example, EAP-TLS under 802.1X) to validate and authenticate systems before they connect to the private network.

Identify Assets – cont …
Organizations must first establish information/asset owners, deciding and documenting which organizational units and individuals are responsible for each component of a business process, including its information, software and hardware.
In particular, when organizations acquire new systems, they record the owner and features of each new asset, including the Media Access Control (MAC) address of its network interface and its location.

Identify Assets – cont …
This mapping of asset attributes and owner to MAC address can be stored in a free or commercial database management system.
Use tools to pull information from network devices such as switches and routers about the machines connected to the network (for example, switch MAC address tables and router ARP tables, typically read over SNMP or the device CLI). Note that a MAC address is an identifier, not an authenticator: it is trivially changed, so it serves to correlate observations with the inventory, not to prove a device's identity.
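As an added example (not part of the course slides), the following script does what the preceding slides recommend: it reconciles DHCP lease records and a switch MAC address table against an owner-to-MAC inventory and reports every device seen on the network that the inventory does not know about. The log and table formats, the inventory fields and the sample data are constructed for illustration; real DHCP servers and switches each have their own output formats, so the two regular expressions would need adjusting.

```python
"""Reconcile DHCP lease records and a switch MAC table against an asset
inventory to flag unmanaged (rogue) devices.

Added example, not from the course slides. The log format, inventory fields
and sample data below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Asset:
    mac: str
    hostname: str
    owner: str
    department: str
    purpose: str


# Constructed inventory: the owner-to-MAC mapping the slides recommend keeping.
INVENTORY = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "fs01", "J. Rao", "IT", "file server"),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "ws-fin-07", "A. Kumar", "Finance", "workstation"),
    "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "prn-2f", "Facilities", "Facilities", "printer"),
}

# Constructed lines in the style of ISC dhcpd syslog output.
DHCP_LOG = """\
Jan 11 09:01:12 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to aa:bb:cc:00:00:02 (ws-fin-07) via eth0
Jan 11 09:03:40 dhcp1 dhcpd: DHCPACK on 10.20.1.77 to de:ad:be:ef:12:34 (android-7f3a) via eth0
Jan 11 09:05:02 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to aa:bb:cc:00:00:02 (ws-fin-07) via eth0
Jan 11 09:07:55 dhcp1 dhcpd: DHCPACK on 10.20.1.90 to 00:11:22:33:44:55 via eth0
"""

# Constructed "show mac address-table" style output: vlan, mac, type, port.
SWITCH_MAC_TABLE = """\
   10    aa:bb:cc:00:00:01    DYNAMIC     Gi1/0/1
   10    aa:bb:cc:00:00:03    DYNAMIC     Gi1/0/2
   10    de:ad:be:ef:12:34    DYNAMIC     Gi1/0/17
   20    ca:fe:00:00:00:99    DYNAMIC     Gi1/0/23
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]+)\))?", re.I)

MAC_TABLE_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+(?P<port>\S+)", re.I)


def parse_dhcp_leases(log_text):
    """Return {mac: {"ip", "hostname"}}, keeping the latest DHCPACK per MAC."""
    leases = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = {"ip": m["ip"], "hostname": m["host"] or ""}
    return leases


def parse_mac_table(table_text):
    """Return {mac: {"vlan", "port"}} from switch MAC-table output."""
    seen = {}
    for line in table_text.splitlines():
        m = MAC_TABLE_RE.match(line)
        if m:
            seen[m["mac"].lower()] = {"vlan": int(m["vlan"]), "port": m["port"]}
    return seen


def find_unmanaged(inventory, leases, mac_table):
    """Every MAC observed on the network but absent from the inventory is a
    candidate rogue device; report where it was seen so an admin can act."""
    findings = []
    for mac in sorted(set(leases) | set(mac_table)):
        if mac in inventory:
            continue
        findings.append({
            "mac": mac,
            "ip": leases.get(mac, {}).get("ip"),
            "hostname": leases.get(mac, {}).get("hostname"),
            "vlan": mac_table.get(mac, {}).get("vlan"),
            "port": mac_table.get(mac, {}).get("port"),
        })
    return findings


def report():
    """Run both parsers over the constructed data and return the findings."""
    return find_unmanaged(INVENTORY, parse_dhcp_leases(DHCP_LOG), parse_mac_table(SWITCH_MAC_TABLE))


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

On the constructed data the report lists three unknown MACs: one seen only by DHCP, one seen only on a switch port (a statically addressed device that never asked DHCP, which is why the slides ask for both sources), and one seen by both, for which the switch port tells the administrator exactly where to go.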

Testing the Traffic Filtering Devices
There are four basic recommendations for traffic filtering in order to reduce security threats:
- Define traffic-filtering rules: the incoming and outgoing traffic flows in the network are regulated by a set of rules, adopted either as an independent packet-filtering policy or as part of the information security policy.
- Select a traffic-filtering technology, implemented depending on the requirements and needs.
- Implement the defined rules on the selected technology, and optimize the performance of the devices accordingly.
- Maintain all components of the solution, including not only the devices but also the policy.

Testing the Traffic Filtering Devices – cont …
Traffic-filtering technologies are commonly divided into:
- Packet filtering (stateless firewall)
- Stateful packet inspection

1. Packet-filtering functionality [Stateless Firewall]
Packet filtering is built into the majority of operating systems and of devices with a traffic-routing feature. In most cases it is a router on which Access Control Lists (ACLs) are applied. Packet filtering is the basic feature of all firewall devices.
A packet filter enforces access control to resources by deciding whether a packet should be allowed to pass, based on the information contained in the IP (and TCP/UDP) packet headers.

Packet-filtering functionality [Stateless Firewall] – cont …
The packet filter does not analyse the content of the packet (unlike a content filter), nor does it attempt to determine the session to which an individual packet belongs from the information in the TCP or UDP header; it makes no further decisions in that regard.

Packet-filtering functionality [Stateless Firewall] – cont …
Stateless firewall devices analyse each packet individually and filter it based on the information contained in layers 3 and 4 of the OSI reference model. A filtering decision is made on the following fields:
- Source IP address
- Destination IP address
- Protocol
- Source port number
- Destination port number
(Many implementations can also match on TCP flags, e.g. permitting inbound packets with the ACK bit set as "established" traffic; since no state is kept, this is a heuristic, not a check.)

Packet-filtering functionality [Stateless Firewall] – cont …
They are commonly implemented as part of the functionality of routers (ACLs, firewall filters, etc.), but can also be implemented on servers as host-based packet filters.

The advantages of applying packet filters:
- Simple implementation;
- Supported by most routers, so there is no need to invest in new equipment or software;
- Rarely cause bottlenecks where they are applied, even at high speeds in gigabit networks.

The disadvantages of applying packet filters:
- Vulnerability to IP spoofing attacks (the filter trusts the source address in the header);
- Vulnerability to attacks that exploit problems within the TCP/IP specification and the protocol stack;
- Problems with filtering fragmented packets (causing interoperability issues and non-functioning VPN connections);
- No support for dynamic filtering of some services, i.e. services that negotiate dynamically the ports to be used in the communication (e.g. the FTP data connection in passive mode, whose port is agreed over the control channel).

2. Stateful Packet Inspection
Stateful packet inspection improves on packet filtering by monitoring the state of each connection established through the firewall device.
The TCP protocol provides two-way communication, and TCP traffic is characterized by three phases:
- Establishing the connection
- Data transfer
- Terminating the connection

Stateful Packet Inspection – cont …
In the connection establishment phase, stateful packet inspection records each connection in the state table.
In the data transfer phase, the device monitors certain parameters in the header of the layer-3 packet and the layer-4 segment and makes a filtering decision depending on their values and on the content of the state table.

Stateful Packet Inspection – cont …
The state table contains all currently active connections. As a result, an attacker who spoofs a packet whose header indicates that it belongs to an established connection (for example, with only the ACK flag set) gets past a stateless filter that permits "established" traffic, but is detected by a stateful inspection firewall, which verifies whether the connection is actually recorded in the state table.

Stateful Packet Inspection – cont …
The state table contains the following information:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- TCP sequence numbers
- TCP flag values

Stateful Packet Inspection – cont …
The state of the synchronize (SYN), reset (RST), acknowledgment (ACK) and finish (FIN) flags is monitored in the TCP header, and a conclusion is reached about the state of the specific connection.
The UDP protocol has no formal procedure for establishing and terminating a connection.

Stateful Packet Inspection – cont …
However, devices with stateful inspection can still track the state of individual UDP flows and match flows that logically correspond to each other (e.g. a DNS response from an external server is allowed to pass only if the corresponding DNS query from the internal source to that server has previously been recorded). Such pseudo-connections are removed from the table after an idle timeout, since there is no FIN or RST to signal their end.

The advantages of applying stateful firewall devices:
- A higher level of protection compared to stateless firewall devices (greater efficiency and more detailed traffic analysis);
- Detection of IP spoofing and DoS attacks (e.g. SYN floods, by tracking half-open connections);
- More log information compared to packet filters.

The disadvantages of applying stateful firewall devices:
- No protection against application-layer attacks;
- Performance degradation of the router on which they are deployed (depending on the size of the network and the other services the router runs);
- Not all of them support the UDP, GRE and IPsec protocols, treating them in the same way a stateless firewall would;
- No support for user authentication.
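The difference between the two technologies described above is easiest to see side by side. The following is an added example (not from the slides, and not any vendor's rule syntax): a stateless ACL that, like a real router ACL, admits inbound TCP with the ACK bit set as "established" traffic, next to a stateful firewall keyed on the 5-tuple that only forwards packets belonging to a flow it recorded. The packets, addresses and rule set are constructed; the state machine is deliberately minimal (no sequence-number checking, no timeouts).

```python
"""Stateless ACL versus stateful inspection, as an added example (not from
the slides). Packets are plain objects; the rule table and the state table
are simplified illustrations, not any product's format.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                # "tcp" or "udp"
    sport: int
    dport: int
    flags: set = field(default_factory=set)   # TCP flags: SYN, ACK, FIN, RST


def is_internal(ip):
    return ip.startswith("10.0.0.")           # constructed internal prefix


# --- 1. Stateless packet filter: every packet judged on its own header -----
STATELESS_RULES = [
    # (direction, proto, sport, dport, required flag, action)
    ("out", None,  None, None, None,  "permit"),  # internal hosts may initiate anything
    ("in",  "tcp", None, None, "ACK", "permit"),  # "established" heuristic: ACK bit set
    ("in",  "tcp", None, 25,   None,  "permit"),  # inbound mail to the MX
    ("in",  "udp", 53,   None, None,  "permit"),  # DNS replies, matched by source port only
    ("in",  None,  None, None, None,  "deny"),    # default deny
]


def stateless_decide(pkt):
    direction = "out" if is_internal(pkt.src) else "in"
    for d, proto, sport, dport, flag, action in STATELESS_RULES:
        if d != direction or (proto and proto != pkt.proto):
            continue
        if (sport and sport != pkt.sport) or (dport and dport != pkt.dport):
            continue
        if flag and flag not in pkt.flags:
            continue
        return action
    return "deny"


# --- 2. Stateful inspection: a state table keyed by the 5-tuple ------------
class StatefulFirewall:
    def __init__(self):
        self.table = {}   # 5-tuple -> "SYN_SENT" | "ESTABLISHED" | "UDP"

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        entry = fwd if fwd in self.table else rev if rev in self.table else None
        if entry is not None:                 # packet belongs to a tracked flow
            if pkt.proto == "tcp":
                if "RST" in pkt.flags or "FIN" in pkt.flags:
                    self.table.pop(entry)     # connection torn down
                elif self.table[entry] == "SYN_SENT" and entry == rev and {"SYN", "ACK"} <= pkt.flags:
                    self.table[entry] = "ESTABLISHED"
            return "permit"
        # Untracked packet: internal hosts may open new flows (TCP only with a
        # bare SYN, the first step of the handshake); externals only to the MX.
        if is_internal(pkt.src):
            if pkt.proto == "tcp" and pkt.flags != {"SYN"}:
                return "deny"
            self.table[fwd] = "SYN_SENT" if pkt.proto == "tcp" else "UDP"
            return "permit"
        if pkt.proto == "tcp" and pkt.dport == 25 and pkt.flags == {"SYN"}:
            self.table[fwd] = "SYN_SENT"
            return "permit"
        return "deny"


def demo():
    """Run constructed packets through both filters; returns {name: (stateless, stateful)}."""
    fw = StatefulFirewall()
    cases = [
        ("syn",         Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 443, {"SYN"})),
        ("synack",      Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40000, {"SYN", "ACK"})),
        # Spoofed packet with ACK set: the stateless "established" rule lets it
        # in; the stateful firewall finds no matching entry and drops it.
        ("spoofed_ack", Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40000, {"ACK"})),
        # UDP has no handshake, but the reply is still matched to its query
        # while an unrelated datagram from port 53 is rejected.
        ("dns_query",   Packet("10.0.0.5", "203.0.113.53", "udp", 50000, 53)),
        ("dns_reply",   Packet("203.0.113.53", "10.0.0.5", "udp", 53, 50000)),
        ("stray_udp",   Packet("203.0.113.53", "10.0.0.5", "udp", 53, 50001)),
    ]
    return {name: (stateless_decide(p), fw.decide(p)) for name, p in cases}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:12s} stateless={stateless:7s} stateful={stateful}")
```

The two filters agree on the legitimate handshake and the DNS exchange; they disagree exactly on the two cases the slides call out, the spoofed "established" segment and the unsolicited UDP datagram, which the stateless filter cannot distinguish from replies because it never saw the request.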

Application Firewalls

1. Application Firewall
Application Firewall (AF) devices perform a stateful protocol analysis of the application layer. They support numerous common protocols, such as HTTP, SQL, e-mail services (SMTP, POP3 and IMAP), VoIP and XML.
Stateful protocol analysis relies on predefined profiles of acceptable operating modes for the selected protocol, enabling the identification of deviations and irregularities in the flow of protocol messages through the device.
Problems may arise if there is a conflict between the operating mode of a protocol as defined on the AF device and the way the protocol is implemented in the specific version of the application or operating system used in the network.

1. Application Firewall – cont …
Stateful protocol analysis can:
- Determine whether an e-mail message contains a type of attachment that is not allowed (e.g. executable files);
- Determine whether instant messaging is being tunnelled over an HTTP port;
- Block the connection through which an unwanted command is executed (e.g. an FTP put/STOR command to the FTP server);
- Block access to a page with unwanted active content (e.g. Java applets);
- Identify an irregular sequence of commands exchanged between two hosts (e.g. an unusually large number of repetitions of the same command, or the use of a command before the command it depends on);

1. Application Firewall – cont …
- Verify individual commands and the minimum and maximum length of their arguments (e.g. the number of characters in a username).
An AF device cannot detect attacks that conform to the generally accepted operating procedure of a protocol, such as DoS (Denial of Service) attacks caused by the repetition of a large number of acceptable message sequences in a short time interval.
Disadvantage: because of the complexity of the analysis and the large number of concurrent sessions monitored, the main drawback of stateful protocol analysis is its heavy consumption of processing and memory resources on the AF device.
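As an added illustration of the checks listed above (not code from the slides or from any product), here is a miniature stateful protocol analyser for an FTP control channel. The "profile of acceptable operation" is constructed: it whitelists commands, blocks uploads (the put/STOR case), bounds argument lengths, requires USER before PASS and PASS before data commands, and limits consecutive repetitions of one command. The command streams it is run over are constructed too; server replies are omitted.

```python
"""Stateful protocol analysis of an FTP control channel, as an added example
(not from the slides). The profile and the sample sessions are constructed;
real application firewalls ship far richer, vendor-maintained profiles.
"""
import re

# Constructed profile of "acceptable operation" for the FTP control channel.
PROFILE = {
    "allowed": {"USER", "PASS", "PWD", "CWD", "LIST", "RETR", "TYPE", "PASV", "QUIT"},
    "blocked": {"STOR", "STOU", "APPE", "DELE", "RMD", "SITE"},   # uploads and changes
    "max_arg_len": {"USER": 32, "PASS": 64, "CWD": 255, "RETR": 255},
    "requires": {"PASS": "USER", "RETR": "PASS", "LIST": "PASS", "CWD": "PASS"},
    "max_repeats": 5,   # the same command more often than this in a row is suspicious
}

LINE_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")


def analyse_session(lines, profile=PROFILE):
    """Return a list of (line, verdict, reason). The first blocking verdict
    ends the session, as an AF device would close the connection."""
    seen = set()              # commands already accepted in this session
    last, repeats = None, 0
    out = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            out.append((raw, "block", "malformed command line"))
            break
        cmd, arg = m.group(1).upper(), m.group(2) or ""
        if cmd in profile["blocked"]:
            out.append((raw, "block", f"{cmd} not permitted"))
            break
        if cmd not in profile["allowed"]:
            out.append((raw, "block", f"unknown command {cmd}"))
            break
        limit = profile["max_arg_len"].get(cmd)
        if limit is not None and len(arg) > limit:
            out.append((raw, "block", f"{cmd} argument exceeds {limit} bytes"))
            break
        dep = profile["requires"].get(cmd)
        if dep and dep not in seen:
            out.append((raw, "block", f"{cmd} before {dep}"))
            break
        repeats = repeats + 1 if cmd == last else 1
        last = cmd
        if repeats > profile["max_repeats"]:
            out.append((raw, "block", f"{cmd} repeated {repeats} times"))
            break
        seen.add(cmd)
        out.append((raw, "allow", ""))
    return out


# Constructed client command streams.
NORMAL = ["USER alice", "PASS s3cret", "PWD", "CWD /pub", "PASV", "LIST", "RETR readme.txt", "QUIT"]
OUT_OF_ORDER = ["RETR /etc/passwd"]                  # data command before any login
OVERLONG_USER = ["USER " + "A" * 400]                # shape of a buffer-overflow attempt
UPLOAD = ["USER alice", "PASS s3cret", "STOR shell.php"]
BRUTE = ["USER alice"] + ["PASS guess%d" % i for i in range(7)]


def verdict(lines):
    """Overall result for a session: 'allow' or the reason for the first block."""
    last = analyse_session(lines)[-1]
    return "allow" if last[1] == "allow" else last[2]


if __name__ == "__main__":
    for name, session in [("normal", NORMAL), ("out_of_order", OUT_OF_ORDER),
                          ("overlong", OVERLONG_USER), ("upload", UPLOAD), ("brute", BRUTE)]:
        print(f"{name:13s} -> {verdict(session)}")
```

Note the limit of the method, as the slide says: a session that logs in correctly and then issues a large number of well-formed, allowed LIST and RETR commands below the repetition threshold is indistinguishable from a busy but honest client.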

2. Application Proxy Gateway
Application Proxy Gateway (APG) devices also analyse the traffic flow at the application layer. Compared to AF devices, APG devices provide a higher level of security for individual applications, since they never allow a direct connection between two hosts, and they can inspect the content of application-layer messages.
APG devices contain so-called proxy agents, "intermediaries" in the communication between two end hosts. Each successful connection between the end hosts consists of two connections: one between the client and the proxy server, and the other between the proxy server and the destination device.

2. Application Proxy Gateway – cont …
Based on the filtering rules defined on the APG device, proxy agents decide whether network traffic is allowed or not. Traffic-filtering decisions can also be made on the information in the header of an application-layer message, or even on the content conveyed by that message. In addition, proxy agents can require user authentication.
There are also APG devices capable of decrypting, analysing and re-encrypting traffic before it is forwarded to the destination host (TLS interception, which requires the clients to trust the proxy's certificate authority).

2. Application Proxy Gateway – cont …
Disadvantage: the limited number of services that can be filtered through them. Each type of traffic passing through the device requires a specific proxy agent to act as intermediary in the communication; consequently, APG devices do not always support the filtering of new applications or protocols.
Because of their price, APG devices are commonly used to protect data centres or other networks containing publicly available servers of high importance to an organisation. To reduce the load on APG devices and achieve greater efficiency, modern networks increasingly use dedicated proxy servers for specific services that are not so sensitive to time delays (e.g. e-mail or web proxy servers).

3. Dedicated Proxy Server
Like APG devices, Dedicated Proxy (DP) servers act as "intermediaries" in the communication between two hosts, although their traffic-filtering capabilities are significantly lower. This type of device is intended to analyse the operation of specific services and protocols (e.g. HTTP or SMTP).
Because of their limited traffic-filtering capabilities, DP devices are deployed behind firewall devices in the network architecture. They perform specialized filtering of one type of traffic (based on a limited set of parameters) and carry out logging. Offloading these activities significantly reduces the load on the firewall device in front of the DP server.

3. Dedicated Proxy Server – cont …
The most widely used devices of this type are web proxy servers. A common example is an HTTP proxy server (placed behind the firewall device or router) to which users must connect when they wish to access external web servers. If an institution's outgoing connection (uplink) has limited bandwidth, the use of the caching function is recommended to reduce traffic and improve response time.

3. Dedicated Proxy Server – cont …
With the growth in the number of web applications and in the threats carried over HTTP, web proxy servers are growing in significance. Consequently, many equipment manufacturers now add the functionality of various firewall technologies to standard web proxy servers, increasing their traffic-filtering capabilities.

4. Web Application Firewall (WAF)
A WAF protects web applications by applying a set of rules to an HTTP conversation. Because the applications are online, certain ports must be kept open to the Internet. Whereas proxy firewalls generally protect clients, WAFs protect servers.
Many WAFs also apply rate limiting and can detect application-layer (HTTP) denial-of-service attacks in their early stages and identify their source; absorbing the volume of a large Distributed Denial of Service (DDoS) attack, however, is normally the job of upstream CDN or traffic-scrubbing capacity rather than of the WAF rule engine itself.

Firewalls: Combining Traffic Filtering with other Technologies
In addition to their basic purpose of blocking unwanted traffic, firewall devices often combine their filtering functionality with other technologies, primarily routing. As a result, NAT (Network Address Translation) is sometimes considered a firewall technology, although it is essentially a routing technology. Other related functions, such as VPN and IDP (intrusion detection and prevention), are also often available on firewall devices.

1. NAT (Network Address Translation)
NAT enables devices that use private IP addresses to communicate with devices on the Internet. It translates the private IP addresses used by devices within a Local Area Network (LAN) into publicly routable Internet addresses.
The application of NAT may limit (intentionally or unintentionally) the number of available services, i.e. it may break services that require direct, end-to-end connectivity (e.g. VoIP), because an external host cannot initiate a connection to a private address for which no translation currently exists.
There are three types of NAT translation:
- Dynamic
- Static
- PAT

a. Dynamic NAT
Dynamic NAT uses a pool of public IP addresses, assigning them successively to hosts with private IP addresses. When a host with a private IP address needs to communicate with a device on the Internet, dynamic NAT translates its private IP address into a public IP address by taking the first available address from the defined pool of public addresses. Dynamic NAT is suitable for client computers.

b. Static NAT
Static NAT provides a one-to-one mapping between the private IP address of a host and the public IP address assigned to it. The host with a private IP address always appears on the Internet with the same public IP address. Static NAT is suitable for servers.
To support a sufficient number of simultaneous user sessions, an organisation using dynamic and/or static NAT needs a sufficient number of public IP addresses.

c. Port Address Translation (PAT)
PAT maps several private IP addresses to one or more public IP addresses. Each private address (and source port) is mapped by way of a port number on the public IP address: PAT ensures that each client on the LAN that establishes a connection with a device on the Internet is assigned a different port number on the public IP address. The response from the Internet is sent to that port and, from there, forwarded to the private address and port from which the request originated.
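The following is an added example (not from the slides) that models PAT in code: two LAN clients that happen to use the same local source port share one public address, replies are routed back through the translation table, and an unsolicited inbound connection has no entry and is dropped, which is the mechanism behind the slide's remark that NAT breaks end-to-end services such as VoIP. Addresses, ports and the sequential port-allocation policy are constructed; real NAT devices also age out entries and handle ICMP, fragments and application helpers, which this model omits.

```python
"""Port Address Translation simulated in code, as an added example (not from
the slides). Addresses, ports and the port-allocation policy are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PAT:
    """Many private addresses behind one public address, told apart by the
    translated source port."""

    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.next_port, self.port_max = port_range
        self.outbound = {}   # (priv ip, priv port, dst ip, dst port, proto) -> public port
        self.inbound = {}    # (public port, remote ip, remote port, proto) -> (priv ip, priv port)

    def _allocate_port(self):
        if self.next_port > self.port_max:
            raise RuntimeError("PAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_out(self, flow):
        """LAN -> Internet: rewrite the source to the public IP and a unique port."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
        if key not in self.outbound:
            pub_port = self._allocate_port()
            self.outbound[key] = pub_port
            self.inbound[(pub_port, flow.dst_ip, flow.dst_port, flow.proto)] = (flow.src_ip, flow.src_port)
        return Flow(self.public_ip, self.outbound[key], flow.dst_ip, flow.dst_port, flow.proto)

    def translate_in(self, flow):
        """Internet -> LAN: forwarded only if it matches a mapping created by
        an earlier outbound packet; anything else has nowhere to go."""
        key = (flow.dst_port, flow.src_ip, flow.src_port, flow.proto)
        if key not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[key]
        return Flow(flow.src_ip, flow.src_port, priv_ip, priv_port, flow.proto)


def demo():
    nat = PAT("203.0.113.1")
    # Two LAN clients using the same local source port to the same web server.
    a = nat.translate_out(Flow("192.168.1.10", 50000, "198.51.100.80", 443))
    b = nat.translate_out(Flow("192.168.1.11", 50000, "198.51.100.80", 443))
    # The server's reply to client A arrives at the public IP and A's PAT port.
    reply_a = nat.translate_in(Flow("198.51.100.80", 443, "203.0.113.1", a.src_port))
    # An external host tries to initiate a session (e.g. a SIP call) to the public IP.
    unsolicited = nat.translate_in(Flow("198.51.100.7", 5060, "203.0.113.1", 5060, "udp"))
    return a, b, reply_a, unsolicited


if __name__ == "__main__":
    a, b, reply_a, unsolicited = demo()
    print("client A appears as", a)
    print("client B appears as", b)
    print("reply for A delivered to", reply_a)
    print("unsolicited inbound:", unsolicited)
```

The reverse table is keyed on the remote address and port as well as the public port, so a reply is only accepted from the host the client actually talked to; this is the "endpoint-dependent" behaviour that makes the model a useful (if limited) security control as well as an address-sharing one.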

2. Proxy server
Proxy servers act as intermediaries for requests from client software seeking resources from other servers. A client connects to the proxy server and requests some service (e.g. a website); the proxy server evaluates the request and then allows or denies it. Most proxy servers act as forward proxies and are used to retrieve data on behalf of the clients they serve.
In organizations, proxy servers are usually used for:
- Traffic filtering (web filters)
- Performance improvement (load balancers)

2. Proxy server – cont … Web filter
Web filters prevent users' browsers from loading certain pages of particular websites. URL filtering blocks websites (or sections of websites) based solely on the URL, restricting access to specified websites and certain web-based applications.

2. Proxy server – cont … Web filter - Example
Microsoft, for example, implemented a Phishing Filter, which acted as a URL filter for its browser, and later replaced it with the SmartScreen filter. SmartScreen runs in the background and sends the address of the website being visited to the SmartScreen service, where it is compared against a maintained list of phishing and malware sites. If a match is found, a blocking page appears and encourages the user not to continue.

2. Proxy server – cont … Web filter
Web filter appliances have additional technologies to block malicious websites. They ship with a database of malware sites, but you can also create your own list or policy of blocked websites. You can apply site whitelisting or blacklisting, see every user's full website history, inspect cached pages, and even measure the amount of downloaded traffic. Analysing this information helps you understand how your users work on the Internet and what their interests are, which can be a great advantage in insider threat prevention (subject to the organization's privacy policy and applicable law).

Proxy server – cont … Network load balancer (NLB)
Load balancers are devices (physical or virtual) that direct client requests to individual servers in a pool based on factors such as server processor utilization, the number of connections to a server, or overall server performance. Organizations use load balancers to minimize the chance that any particular server becomes overwhelmed and to make the best use of the capacity available across the pool.
A load balancer can be implemented as a software or hardware solution, and the function is often combined with another device, such as a router, a firewall or a network address translation (NAT) appliance.

Proxy server – cont … Network load balancer (NLB)
A load balancer splits the traffic intended for a website into individual requests, which are then distributed among redundant servers as they become available. A key issue with load balancers is scheduling: determining how to split up the work and distribute it across servers. There are several load balancing methods:
- Round-robin
- Affinity
- Least connection
- Agent-based adaptive load balancing
- Chained failover
- Weighted response time
- Software-defined networking

2. Proxy server – cont … Load balancing methods
Round-robin: the first client request is sent to the first server (or group of servers), the second to the second, and so on. When the last server in the list is reached, the load balancer starts over with the first.

2. Proxy server – cont … Load balancing methods
Affinity minimizes response time to clients by using different methods of distributing client requests. It has three types:
- No affinity: NLB does not associate clients with a particular server; every client request can be load balanced to any server.
- Single affinity: NLB associates clients with a particular server using the client's IP address, so requests coming from the same client IP address always reach the same server.
- Class C affinity: NLB associates clients with a particular server using the Class C portion of the client's IP address (the first three octets, i.e. the /24 network), so clients coming from the same Class C address range always reach the same server.

2. Proxy server – cont … Load balancing methods
Least connection: takes the current server load into consideration. The current request goes to the server that is servicing the smallest number of active sessions at that moment.
Agent-based adaptive load balancing: each server in the pool runs an agent that reports its current load to the load balancer. This real-time information is used to decide which server is best placed to handle a request.
Chained failover: the order of servers is configured (predefined) in a chain; requests go to the first server until it reaches capacity or fails, then to the next in the chain.

2. Proxy server – cont … Load balancing methods
Weighted response time: response information from a server health check is used to determine which server is responding fastest at a particular time.
Software-defined networking: combines information about the upper and lower networking layers, allowing the status of the servers, the status of the applications running on them, the health of the network infrastructure and the level of congestion on the network all to play a part in the load-balancing decision.
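As an added example covering the scheduling methods described above (not code from the slides or from any load-balancer product), the following implements round-robin, least connection, weighted response time and the three NLB affinity modes as small interchangeable schedulers. Server names, connection counts, health-check response times and client addresses are constructed; the hash used for affinity (address modulo pool size) is a deliberately simple stand-in for whatever a real product uses.

```python
"""Load-balancer scheduling methods as an added example (not from the slides
or any product). Server names, loads, response times and client addresses
are constructed for illustration.
"""
import itertools
from ipaddress import ip_address, ip_network

SERVERS = ["web1", "web2", "web3"]


class RoundRobin:
    """Each request goes to the next server in the list, wrapping around."""
    def __init__(self, servers):
        self._cycle = itertools.cycle(servers)

    def pick(self, client_ip=None):
        return next(self._cycle)


class LeastConnection:
    """Chooses the server with the fewest active sessions; ties go to list order."""
    def __init__(self, servers):
        self.order = list(servers)
        self.active = {s: 0 for s in servers}

    def pick(self, client_ip=None):
        server = min(self.order, key=lambda s: (self.active[s], self.order.index(s)))
        self.active[server] += 1
        return server

    def release(self, server):
        self.active[server] -= 1


class WeightedResponseTime:
    """Uses the latest health-check response times: the fastest server wins."""
    def __init__(self, servers):
        self.order = list(servers)
        self.rtt_ms = {s: 0.0 for s in servers}

    def update_health(self, server, rtt_ms):
        self.rtt_ms[server] = rtt_ms

    def pick(self, client_ip=None):
        return min(self.order, key=lambda s: (self.rtt_ms[s], self.order.index(s)))


class Affinity:
    """NLB-style affinity. 'none' balances every request independently (here
    with round-robin); 'single' pins each client IP to one server; 'classc'
    pins each /24 (the first three octets) to one server."""
    def __init__(self, servers, mode="single"):
        self.servers, self.mode = list(servers), mode
        self._rr = RoundRobin(servers)

    def pick(self, client_ip):
        if self.mode == "none":
            return self._rr.pick()
        if self.mode == "single":
            key = int(ip_address(client_ip))
        elif self.mode == "classc":
            key = int(ip_network(client_ip + "/24", strict=False).network_address)
        else:
            raise ValueError(f"unknown affinity mode {self.mode!r}")
        return self.servers[key % len(self.servers)]   # constructed hash: address mod pool size


def demo():
    """Exercise each scheduler on constructed input; returns {method: result}."""
    out = {}
    rr = RoundRobin(SERVERS)
    out["round_robin"] = [rr.pick() for _ in range(5)]

    lc = LeastConnection(SERVERS)
    first = [lc.pick() for _ in range(3)]      # one session lands on each server
    lc.release("web2")                         # web2's session ends
    out["least_conn"] = first + [lc.pick()]    # so the next request goes to web2

    wrt = WeightedResponseTime(SERVERS)
    for server, rtt in (("web1", 40.0), ("web2", 12.5), ("web3", 90.0)):
        wrt.update_health(server, rtt)
    out["weighted_rtt"] = wrt.pick()

    single = Affinity(SERVERS, "single")
    out["single_same_client"] = len({single.pick("10.1.2.3") for _ in range(4)}) == 1
    classc = Affinity(SERVERS, "classc")
    out["classc_same_subnet"] = classc.pick("10.1.2.3") == classc.pick("10.1.2.250")
    out["classc_other_subnet"] = classc.pick("10.1.2.3") == classc.pick("10.1.3.3")
    return out


if __name__ == "__main__":
    for method, result in demo().items():
        print(f"{method:20s} -> {result}")
```

Affinity is what keeps a session's requests on the server holding its state, which matters for security-relevant state such as login sessions when the application does not share it across the pool; the trade-off is that a single busy client (or, with Class C affinity, a whole office behind one /24) cannot be spread across servers.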

3. Spam filter
A mail gateway can be used not only to route mail but also to perform other functions, such as encryption or, to a more limited extent, DLP (data loss prevention). More commonly, spam filters detect unwanted e-mail and prevent it from reaching a user's mailbox. Spam filters judge e-mails against policies or patterns designed by the organization or the vendor. More sophisticated filters use a heuristic approach that attempts to identify spam through suspicious word patterns or word frequency.

3. Spam filter – cont …
Filtering is done on established rules, such as blocking e-mail coming from certain IP addresses, e-mail containing particular words in the subject line, and the like. Although spam filters are usually used to scan incoming messages, they can also scan outgoing messages to help identify internal PCs that may have been infected with malware and are sending spam.

4. VPN (Virtual Private Network)
A VPN is used to increase the security of data transfer through a network infrastructure that does not itself provide a sufficient degree of data security. It enables the encryption and decryption of network traffic between external networks and an internal, protected network.
VPN functionality can be available on firewall devices or implemented on VPN servers placed behind the firewall devices in the network architecture. In many cases, implementing the VPN service on the firewall device itself is the best solution.

4. VPN (Virtual Private Network) – cont …
Placing a VPN server behind the firewall device requires the VPN traffic to pass through the firewall in encrypted form. As a result, the firewall cannot inspect, access-control or log that traffic, and therefore cannot scan it for security threats.
Regardless of where it is implemented, the VPN service requires certain filtering rules on the firewall device to allow its uninterrupted operation. Special attention should therefore be paid to making sure that the protocols and TCP/UDP services necessary for the chosen VPN solution are permitted (e.g. UDP 500 and 4500 plus IP protocol 50 (ESP) for IPsec, or the configured port for OpenVPN or WireGuard), and nothing more.


Content Management

Secure Content Management - Overview
Organizations are increasingly moving toward collaboration: encouraging use of the Internet for knowledge access and productivity enhancement, advocating widespread adoption of e-mail as a means of communication, and promoting instant messaging for better coordination. The global nature of business transactions, involving service providers and third-party solutions, relies on communication protocols such as SMTP, HTTP, HTTPS, FTP, IPsec VPN, etc. for the exchange of information and the execution of transactions. This has increased an organization's dependence on the inbound and outbound traffic flowing across its boundaries.

The Importance of Secure Content Management – Unrestricted Access
The use of the Internet is on the rise, as are the risks of uncontrolled access. When employees and staff inadvertently or deliberately access sites containing inappropriate, illegal or dangerous content, businesses suffer losses of productivity, expose themselves to legal liability, and can experience degraded network performance that negatively affects mission-critical tasks. There is also a growing number of security risks, including trojans and worms, that can seriously impact operations.

Unrestricted Access – cont …
The risks include:
- Impacted employee productivity
- Liability exposure
- Hacker attacks and privacy violations

Unrestricted Access – cont …
Impacted employee productivity: restricting access to inappropriate websites helps companies prevent excessive non-productive web surfing and preserves network bandwidth.
Liability exposure: employees who visit pornographic or racist/hate sites represent a major legal liability concern. Businesses need to shield themselves from the liability that can arise if an employee is repeatedly exposed to offensive material on a co-worker's computer or anywhere in the workplace. Other sources of liability exposure include peer-to-peer networking and file sharing, which have opened the door to charges of copyright violation and high-profile litigation; corporations can be held liable for breaking copyright law if employees use company networks to download music or movies illegally.

Unrestricted Access – cont …
Hacker attacks and privacy violations: instant messaging, peer-to-peer file sharing and multimedia downloads make businesses vulnerable to backdoor attacks, since these channels bypass the controls applied to e-mail and ordinary web traffic.

How Secure Content Management Works
Securing content starts with controlling access to certain websites based on predetermined criteria. At a basic level, user access to Internet content is controlled using the URL or the URL's content category (such as nudity or gambling). Basic content management solutions can also examine the way content is delivered, such as through Java applets or ActiveX controls, and set access permissions accordingly. More advanced content management solutions also provide the ability to block applications such as instant messaging and peer-to-peer services.

Site Blocking Versus Content Monitoring
Secure content management solutions employ one of two basic approaches: site blocking or content monitoring. While there are considerable differences between the two, both are based on pass-through filtering technology, i.e. all requests for web pages pass through an Internet control point such as a firewall, proxy server or caching device. The device then evaluates each request to determine whether it should be allowed or denied according to company policy.

a. Site blocking The site blocking approach to content management typically uses list-based or URL-based filters to identify and block certain web sites. Some solutions rely on white lists that allow access only to sites that appear on the list; e.g., a retail store might create a white list containing only the company’s web site, shipping web sites and supplier web sites. Other solutions use black lists, which permit access to all sites except those on the list. The black list approach is preferable for businesses whose employees need less restrictive internet access. With a black list approach, the database of web sites is organized into categories, such as “violence” or “drugs,” and network administrators can selectively block categories.

a. Site blocking – cont … The effectiveness and manageability of site blocking depend on a number of factors. Database size: a larger database allows more sites to be added to the restricted list. Update frequency: new sites continually emerge, and many existing sites are relocated; most site blocking solutions update their databases daily, often automatically downloading new URLs every night. Category organization: categories must be defined with enough granularity to accomplish effective restrictions while still allowing access when appropriate. A general limitation of site blocking is that it focuses exclusively on HTTP-based web traffic. It does not block instant messaging, e-mail attachments, peer-to-peer applications and other applications that could carry security threats. For HTTPS traffic the gateway normally sees only the destination host name (from the TLS handshake), not the full URL, so path- or page-level blocking of encrypted sites requires TLS inspection at the gateway.
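Added example (not from the original slides): a minimal implementation of the two site-blocking modes described above, white list and category black list. The category database, the retail allowlist and the set of blocked categories are constructed for illustration; a real product's database holds millions of entries and is refreshed daily. The host normalisation shows two checks a practitioner wants from such a filter: a userinfo trick such as `http://allowed.example@evil.test/` resolves to the host the client really connects to, and a sub-domain inherits the category of its parent domain instead of slipping through as an unknown name.

```python
"""URL-based site blocking of the kind a filtering proxy performs on each request.

Added example, not from the original slides. The category database, the
allowlist and the policy below are all constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed category database: domain -> category. Commercial products
# ship millions of entries and refresh them daily; this is just enough to run.
CATEGORY_DB = {
    "example-casino.test": "gambling",
    "adult-example.test": "nudity",
    "tracker.example.net": "malware",
}

# Constructed policies.
BLOCKED_CATEGORIES = {"gambling", "nudity", "malware"}      # black-list mode
RETAIL_ALLOWLIST = {                                        # white-list mode
    "shop.example.com", "shipper.example.org", "supplier.example.net",
}


def normalize_host(url: str) -> str:
    """Reduce a URL to the host the client will actually connect to.

    urlsplit().hostname is already lower-cased and excludes userinfo and port,
    so 'http://shop.example.com@news.example.org/' yields news.example.org,
    not the allowlisted name an attacker put in front of the '@'.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")   # drop a trailing root dot
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host


def lookup_category(host: str):
    """Category of host or of its nearest categorised parent domain, else None.

    Walking up the labels makes www.example-casino.test inherit the rating of
    example-casino.test instead of slipping through as an unknown name.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None


def allowlist_decision(url: str, allowlist: set) -> str:
    """White-list mode: only exact hosts on the list are reachable."""
    return "ALLOW" if normalize_host(url) in allowlist else "DENY"


def blocklist_decision(url: str, blocked_categories: set) -> str:
    """Black-list mode: everything passes unless its category is blocked."""
    host = normalize_host(url)
    # A raw IP literal has no name to look up; a cautious policy denies it
    # rather than letting it bypass the category database.
    try:
        ipaddress.ip_address(host)
        return "DENY"
    except ValueError:
        pass
    return "DENY" if lookup_category(host) in blocked_categories else "ALLOW"


if __name__ == "__main__":
    for u in ("https://WWW.Example-Casino.test/lobby", "https://news.example.org/",
              "http://203.0.113.5/", "https://tracker.example.net:8443/px"):
        print(f"{u:45} -> {blocklist_decision(u, BLOCKED_CATEGORIES)}")
    for u in ("https://shop.example.com/cart", "https://shop.example.com.evil.test/",
              "http://shop.example.com@news.example.org/"):
        print(f"{u:45} -> {allowlist_decision(u, RETAIL_ALLOWLIST)}")
```

The white-list check compares whole host names, so `shop.example.com.evil.test` is denied; the black-list check denies bare IP literals because they have no name to categorise, which is the usual way users try to step around a category list.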

b. Content monitoring The most basic level of content monitoring uses a keyword-blocking approach. Instead of blocking URLs, it compares the page content to a user-defined library of words and phrases. When a match to one of the blocked words or phrases is detected, the solution filters or blocks the data, or in some cases even closes the application. The problem with this approach is that it can inadvertently block legitimate pages simply because they contain one or more targeted keywords: a web site about cancer research could be blocked because it contains the word “breast.” More advanced content monitoring solutions not only examine the individual words on the page but also evaluate context and other data such as HTML tags.
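Added example (not from the original slides) contrasting plain keyword blocking with a context-aware rating of the kind described here and, later, under the standalone appliance's dynamic rating engine. The blocked-term list, the medical-context list, the weights, the threshold and both sample pages are constructed for illustration and are not any vendor's. The medical page trips the keyword filter, but the context scorer rates it benign because every hit sits next to words such as "cancer" and "screening"; the adult page is rated adult because its title and image alt text, the page's own description of itself, repeat the blocked terms with no mitigating context.

```python
"""Keyword blocking versus context-aware content rating.

Added example, not from the original slides. The term lists, the weights
and the two sample pages are constructed for illustration.
"""
import re
from html.parser import HTMLParser

BLOCKED_TERMS = {"breast", "nude", "xxx"}
# Neighbouring words that mark a medical or educational context (constructed).
MEDICAL_CONTEXT = {"cancer", "mammogram", "oncology", "screening", "tumour", "research"}


def tokenize(text: str) -> list:
    return re.findall(r"[a-z]+", text.lower())


def keyword_block(raw_page: str) -> bool:
    """The basic approach: a hit on any blocked term anywhere in the raw page blocks it."""
    return any(tok in BLOCKED_TERMS for tok in tokenize(raw_page))


class _PageExtractor(HTMLParser):
    """Split a page into body text and self-description (title, meta, alt text)."""

    def __init__(self):
        super().__init__()
        self.body, self.meta, self._in_title = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name") in ("keywords", "description"):
            self.meta.append(a.get("content") or "")
        elif tag == "img" and a.get("alt"):
            self.meta.append(a["alt"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        (self.meta if self._in_title else self.body).append(data)


def _score(tokens: list, weight: float, window: int) -> float:
    """Score each blocked term by its neighbours: a medical word within
    `window` tokens shrinks the hit to a fifth of its weight."""
    total = 0.0
    for i, tok in enumerate(tokens):
        if tok not in BLOCKED_TERMS:
            continue
        neighbours = set(tokens[max(0, i - window):i] + tokens[i + 1:i + 1 + window])
        total += weight * (0.2 if neighbours & MEDICAL_CONTEXT else 1.0)
    return total


def rate_page(html: str, window: int = 5) -> tuple:
    """Context-aware rating. Returns (category, score).

    Metadata hits weigh double because they are how the site describes itself;
    body hits weigh one; a score of 2.0 or more is rated 'adult'.
    """
    p = _PageExtractor()
    p.feed(html)
    score = _score(tokenize(" ".join(p.body)), 1.0, window)
    score += _score(tokenize(" ".join(p.meta)), 2.0, window)
    if score >= 2.0:
        return ("adult", score)
    if score > 0:
        return ("flagged-benign", score)
    return ("clean", score)


# Constructed sample pages.
MEDICAL_PAGE = """<html><head><title>Breast cancer research</title>
<meta name="description" content="Screening and mammogram research"></head>
<body><p>Our research on breast cancer screening uses mammogram data.</p></body></html>"""

ADULT_PAGE = """<html><head><title>XXX nude pics</title></head>
<body><p>Free nude pics, xxx videos, hot nude models.</p><img src="a.jpg" alt="nude"></body></html>"""

if __name__ == "__main__":
    for name, page in (("medical", MEDICAL_PAGE), ("adult", ADULT_PAGE)):
        print(name, "keyword_block:", keyword_block(page), "rate_page:", rate_page(page))
```

The point of the two-stage design is that the keyword library stays small and crude while the context rules absorb the false positives; in a real rating engine the context lists and weights are trained or tuned per category rather than hand-written as here.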

Solution Architectures Content management software can be embedded on a networked device such as a proxy server, caching appliance or firewall, or it can reside on a dedicated server running Microsoft Windows, Linux or UNIX. The three common deployment methods, client, standalone and integrated solutions, vary in effectiveness, cost and manageability; two product forms, content management integrated on a firewall and standalone appliances, are then described in more detail. Client Solutions; Standalone Solutions; Integrated Solutions; Integrated Content Management and Firewalls; Standalone Appliances

Solution Architectures – cont … Client Solutions Installed on the desktop, client solutions are best suited to home environments where parental control is the primary application. Client software solutions include a management interface and a database of blocked web sites; the parent downloads database updates via the internet. Leading providers of client solutions include Zone Labs, Net Nanny® and internet service providers (ISPs) such as Microsoft® MSN and AOL®.

Solution Architectures – cont … Standalone Solutions Standalone solutions consist of a dedicated database server for defining policies and a separate gateway or firewall that enforces the content management policies. These solutions are more manageable than client-based solutions because an administrator can create a policy once on the gateway and then apply it across all desktops. However, most standalone solutions require organizations to purchase and manage two separate hardware devices in addition to the content management software. They also require additional storage to be purchased as the policy database grows beyond the storage available. Key vendors of standalone solutions include SonicWALL®, Websense and SurfControl®.

Solution Architectures – cont … Integrated Solutions Integrated solutions consolidate management and processing in a single gateway or firewall, thereby reducing capital and operational expenses. However, when the gateway or firewall also provides services such as anti-virus and intrusion prevention, performance can suffer. Key vendors of integrated content filtering solutions include SonicWALL®, Symantec™ and WatchGuard®.

Solution Architectures – cont … Integrated content management and firewalls Content filtering integrated on a firewall is a cost-effective content management solution that is well suited to small and mid-sized networks. It integrates with the existing firewall, or is installed together with a new firewall. A typical service provides a continuously updated database of millions of web sites, domains and IP addresses. Minimal administrative overhead means that businesses can either manage the solution themselves or outsource the task to their IT service provider.

Solution Architectures – cont … Standalone Appliances Beyond basic web site access controls, a standalone appliance offers the following advantages: seamless integration; a dynamic rating engine; protection from attacks; advanced security for bandwidth protection and reduced legal liability.

Solution Architectures – cont … Standalone Appliances – cont … For larger businesses and enterprise environments that need more comprehensive content control, a standalone content filtering appliance provides the broadest protection against current internet threats. Although it requires the purchase of additional hardware, ease of installation and use make it an attractive option: the appliance can be dropped into the existing network without reconfiguring existing hardware or software. Appliances are also an affordable way to add new functionality alongside an existing firewall without upgrading the firewall itself. A standalone appliance can combine internet content management with real-time gateway anti-virus and anti-spyware capabilities in a single device.

Solution Architectures: Standalone Appliances Seamless integration: appliances can be installed in virtually any network and combined with any existing firewall. Plug-and-play designs speed installation, making them drop-in solutions that eliminate the need for additional servers or hardware. Dynamic rating engine: built-in capabilities can dynamically evaluate new URLs. Real-time analysis of page content, the context of flagged words, HTML tags and other data produces a rating and category for immediate access or blocking according to the organization’s predetermined policies. New ratings can be added automatically to a master ratings database for subsequent requests.

Solution Architectures: Standalone Appliances Protection from attacks: deep packet inspection can block viruses, worms, Trojans, spyware, phishing, malicious code and other attacks before they infect the network. Appliances can scan and clean traffic over a multitude of ports and protocols including HTTP, SMTP, POP3, FTP and NetBIOS.

Solution Architectures: Standalone Appliances Advanced security for bandwidth protection and reduced legal liability: appliances can provide controls for managing instant messaging, peer-to-peer and multimedia applications. Management and reporting: integrated support lets network administrators manage all users through a single interface, while the option to create custom categories and URL rating lists provides more granular control over filtering policies. Advanced reporting and analysis tools provide granular insight into network usage through custom reports.

Why are CMS platforms so vulnerable? When the different factors in play are considered, it becomes clear why attackers regard CMSes as appealing targets. It is easy to assume that, because WordPress, Joomla and Drupal are such recognizable names, they must come with some built-in protection. In practice the picture is different. The major CMSes are open source: their code, and the code of every plugin, is readable by attackers as well as defenders, and a shared development model with no single party answerable for the finished product means that flaws can go unaddressed. Because the top CMSes are so popular, those flaws are actively sought after, both by security researchers and by the hacker community, and any one of them applies to millions of installations at once.

Why are CMS platforms so vulnerable? Once identified, these flaws become a gold mine for attackers, giving them a far more efficient way to run automated, mass-scale attacks. Adding to the problem are site operators who use weak passwords, leaving their admin accounts exposed to automated brute-force attacks. Such weak passwords have in the past been used to inject sites with malware and turn them into DDoS zombies. With administrative access, attackers can also do other kinds of damage, from defacing the site (for fun) to using it for malware distribution, which eventually gets it blacklisted by Google and other search engines.
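Added example (not from the original slides): detection logic for the automated password guessing described above, run over constructed web-server access-log lines. It assumes WordPress's login behaviour, a failed login re-renders wp-login.php with HTTP 200 while a successful one answers with a 302 redirect, and a combined-format access log as written by Apache or nginx; the attempt threshold and the time window are assumptions to be tuned per site. Because a successful guess after a burst of failures is the case that matters most, the report records whether the guessing ever got in rather than silently excluding such sources.

```python
"""Spotting automated password guessing against a CMS login from web server logs.

Added example, not from the original slides. The log lines are constructed;
the format is the Apache/nginx 'combined' access log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# WordPress login endpoints: the form, and XML-RPC, which also accepts credentials.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold: int = 5, window=timedelta(minutes=1)) -> dict:
    """Flag source IPs that POST to a login endpoint more than `threshold` times
    inside any `window`. A 302 on wp-login.php is how WordPress answers a
    successful login (a failure re-renders the form with 200), so the report
    also says whether the guessing ever succeeded.

    Returns {ip: {"attempts": n, "succeeded": bool}}.
    """
    posts = defaultdict(list)
    succeeded = set()
    for raw in lines:
        rec = parse_line(raw)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] not in LOGIN_PATHS:   # ignore ?action=... variants
            continue
        posts[rec["ip"]].append(rec["ts"])
        if rec["status"] == 302:
            succeeded.add(rec["ip"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged[ip] = {"attempts": len(times), "succeeded": ip in succeeded}
                break
    return flagged


# Constructed sample: 203.0.113.7 guesses six times and gets in on the seventh;
# 198.51.100.4 is a normal login; 192.0.2.9 fails twice, minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [11/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [11/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [11/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [11/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [11/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [11/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [11/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Jan/2024:10:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jan/2024:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A flagged source with `"succeeded": True` means the account it was guessing is compromised and must be reset, not just that the IP should be blocked; attackers that rotate source addresses will not trip a per-IP window, so a per-account view of the same data is the natural complement.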

Why are CMS platforms so vulnerable? Finally, there is the issue of CMS plugins and themes, which are also exposed to attack. Each is written by a different developer and may introduce its own set of vulnerabilities. A recent study found that over 20% of the fifty most popular WordPress plugins were vulnerable, and that eight million copies of vulnerable plugins had been downloaded from WordPress alone. Given that most sites run at least three or four plugins, it is clear how they further expose a site to new security risks.

Why are CMS platforms so vulnerable? What users can do to protect themselves from CMS vulnerabilities There are a number of things users can do to protect themselves: Create a regular schedule to update or patch the CMS and all installed plugins and themes, so that every component stays up to date. CMS platforms usually display a dashboard message whenever a new update is available; users should install it promptly even if it falls outside the update schedule. Regularly back up the CMS and its underlying database, weekly at a minimum, and test that the backups can actually be restored. Subscribe to a regularly updated list of vulnerabilities for the specific CMS being used (e.g., WordPress).

Why are CMS platforms so vulnerable? What users can do to protect themselves from CMS vulnerabilities Delete default admin usernames (e.g., ‘Admin’) and use strong passwords (at least eight characters, and preferably much longer, mixing upper- and lower-case letters with numerals). Use a plugin for strong authentication, or two-factor authentication (2FA), for an additional layer of protection.
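Added example (not from the original slides) for the patching and vulnerability-list items above: an inventory of installed WordPress plugins matched against an advisory feed, the check that turns "subscribe to a vulnerability list" into something that runs. It relies on the `Plugin Name:` and `Version:` header lines that WordPress itself reads from a plugin's main PHP file and on the wp-content/plugins layout (a directory with a top-level PHP file, or a single PHP file). The plugin tree, the advisory entries and their `DEMO-ADV-*` identifiers are constructed placeholders, not real plugins or advisories.

```python
"""Inventory installed WordPress plugins and match them against advisories.

Added example, not from the original slides. It reads the 'Plugin Name:' and
'Version:' lines of the header comment that WordPress itself uses to identify
a plugin. The demo plugin tree and the advisory list are constructed; the
advisory identifiers are placeholders, not real CVE or vendor IDs.
"""
import re
import tempfile
from pathlib import Path

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def read_plugin_header(php_file: Path) -> dict:
    """Header fields from the first 8 KB of a plugin file (WordPress reads the same region)."""
    head = php_file.read_text(errors="replace")[:8192]
    return dict(HEADER_RE.findall(head))


def version_tuple(v: str) -> tuple:
    """'4.0.1' -> (4, 0, 1); non-numeric parts (e.g. 'beta') compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def inventory(plugins_dir: Path) -> dict:
    """slug -> installed version.

    Mirrors WordPress's layout: a plugin is either a single PHP file in
    wp-content/plugins/ or a directory whose top-level PHP file carries the header.
    """
    found = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        candidates = [entry] if entry.suffix == ".php" else list(entry.glob("*.php"))
        for php in candidates:
            hdr = read_plugin_header(php)
            if "Plugin Name" in hdr and "Version" in hdr:
                found[entry.stem] = hdr["Version"]
                break
    return found


def find_vulnerable(plugins_dir: Path, advisories: list) -> list:
    """Return (slug, installed, fixed_in, advisory_id) for every advisory whose
    fixed version is newer than what is installed."""
    installed = inventory(plugins_dir)
    hits = []
    for adv in advisories:
        ver = installed.get(adv["slug"])
        if ver is not None and version_tuple(ver) < version_tuple(adv["fixed_in"]):
            hits.append((adv["slug"], ver, adv["fixed_in"], adv["id"]))
    return hits


# Constructed advisory feed (placeholder IDs, not real advisories).
DEMO_ADVISORIES = [
    {"id": "DEMO-ADV-1", "slug": "contact-form", "fixed_in": "4.1.0"},
    {"id": "DEMO-ADV-2", "slug": "hello", "fixed_in": "1.5"},
    {"id": "DEMO-ADV-3", "slug": "not-installed", "fixed_in": "9.9"},
]


def build_demo_plugins_dir() -> Path:
    """Create a throwaway wp-content/plugins tree with two constructed plugins."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    (root / "contact-form").mkdir()
    (root / "contact-form" / "contact-form.php").write_text(
        "<?php\n/*\nPlugin Name: Contact Form (demo)\nVersion: 4.0.1\n*/\n"
    )
    (root / "hello.php").write_text(
        "<?php\n/**\n * Plugin Name: Hello (demo)\n * Version: 1.7\n */\n"
    )
    return root


if __name__ == "__main__":
    plugins = build_demo_plugins_dir()
    print("installed:", inventory(plugins))
    for slug, installed, fixed, adv_id in find_vulnerable(plugins, DEMO_ADVISORIES):
        print(f"{slug} {installed} is below fixed version {fixed} ({adv_id})")
```

Run against a real `wp-content/plugins` directory with an advisory list pulled from the feed you subscribe to, the same function gives a daily list of plugins that need updating; a plugin that is installed but no longer maintained will never appear in a `fixed_in` entry, so absence from this report is not evidence of safety.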