Information Security: The Big Picture - SANS GIAC
© 2000
Information Security:
The Big Picture – Part IV
Stephen Fried
Agenda
• General Security Introduction
• Telecommunications Fundamentals
• Network Fundamentals
• Network Security
• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
• Conclusion
Next up is Network Security. This section will take our discussion of network protocols and
configuration one step further. In this section we will learn about network configuration, network
attacks, and various other network security topics.
Firewalls
• Firewalls protect “inside” from “outside”
needs of a large network.
• Packet filters simply look at each packet’s source, destination, and application name and make a determination based on the
programmed rule set. The advantage of packet filters is that they work very quickly, a plus on large, fast networks. The
disadvantage is that their ability to analyze a packet in any greater detail is limited.
• Stateful Inspection firewalls do a more detailed analysis than packet filters. They look at each packet’s relationship to other
packets that have already passed through, and can also look at traffic over time. This allows for a more sophisticated analysis of
the traffic and makes for a better firewall.
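The contrast between the two firewall types, as an added example that is not part of the course notes: a stateless packet filter must admit any inbound packet whose source port looks like a reply, while a stateful filter admits only packets belonging to a connection it saw an inside host open. The 10.0.0.0/24 inside network, the port-80-only rule and the constructed packets are assumptions for the demonstration.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumption: the protected network is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    sport: int    # source port
    dport: int    # destination port
    syn: bool     # True if this TCP packet opens a new connection


def direction(pkt):
    """'out' for packets leaving the inside network, 'in' for packets entering it."""
    return "out" if pkt.src.startswith(INSIDE_PREFIX) else "in"


def packet_filter_allow(pkt):
    """Stateless packet filter: decides on this packet's own header alone.
    Rule 1: inside hosts may talk to web servers (port 80) outside.
    Rule 2: to let the replies back in, it must also accept any inbound
    packet whose source port is 80; it cannot know whether that packet
    answers a request an inside host actually made."""
    d = direction(pkt)
    if d == "out" and pkt.dport == 80:
        return True
    if d == "in" and pkt.sport == 80:
        return True
    return False


class StatefulFilter:
    """Stateful inspection: records each connection an inside host opens
    and admits an inbound packet only if it belongs to one of them."""

    def __init__(self):
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if direction(pkt) == "out":
            if pkt.dport != 80:
                return False
            if pkt.syn:                 # new connection: remember it
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: the reversed tuple must match a connection we saw opened
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
```

Run both filters over a genuine reply and over an unsolicited inbound packet that merely carries source port 80: the packet filter accepts both, the stateful filter accepts only the reply.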
Demilitarized Zones (DMZs)
• Used in many e-business situations
• Create a “semi-trusted” zone on the network
• Protect DMZ systems from the Internet
• Protect internal systems from the DMZ
[Diagram: Internet / DMZ / Internal Network]
We have seen that firewalls can be used to protect internal organizational resources from the perils of the Big Bad Internet. But
firewalls can also be used in many different configurations for different applications. For example, many organizations are
rushing to put e-commerce systems on the Internet. However, this presents a double problem for the organization. First, there
is the problem of protecting your systems from the Internet – a problem we have already covered (and will cover more later
on). The second problem is that of protecting the systems on your internal network from the Internet commerce systems.
This may sound kind of strange. After all, if the commerce systems are yours, why do you need protection against them? Well,
look back at your Defense in Depth strategy. You need to present multiple layers to attackers in order to better protect your
internal systems. So, in the event your Internet systems get successfully attacked, you need something standing between them
and your internal network.
company or another telling me about their annual meeting and asking me to vote on whatever
important issues will be discussed at the meeting. The voting form is called a proxy statement,
because by filling it out and mailing it in I am allowing somebody else, my proxy, to cast my vote
for me (hopefully following my instructions).
Well, networks can use proxies too, and the effect is quite the same. A proxy server sits somewhere
on the network, usually close to the firewall. When a computer inside the network wishes to
communicate with a computer outside the network it asks the proxy to make the connection on its
behalf. The proxy makes the connection and acts as an intermediary between the inside computer and
the outside computer.
Proxies make a lot of sense from a network security standpoint. They concentrate network access to
a single machine, making firewall rule sets easier to program. They also hide the actual IP address of
the internal machine from the outside machine. All the outside machine ever sees is the IP address of
the proxy server. This is an important consideration for security-conscious networks that do not want
outside people knowing what IP addresses their inside machines use.
Proxies can also store, or cache, information that is repeatedly requested by inside machines. In this
way, when a subsequent request is made for that information, the proxy server returns the
information from memory rather than having to retrieve it from across the network. This leads to
faster response times for the inside computers.
Proxy Configuration
[Diagram: hosts 98.143.54.78, 98.143.54.79, 98.143.54.80 and 98.143.54.212; a Proxy Server; the Internet; 207.46.131.137]
The diagram on this slide illustrates how proxies work in practice. On this network we have four
• Teardrop
• Land
• Spamming
• Junk Mail/Chain Letters
• Man in the Middle
• Session Replay
In the following few slides we are going to talk about various types of attacks that have occurred
over the Internet in the past. But before we begin, I should point out a couple of important facts.
First, we will not be going into very technical depth about each of these attacks. Some of them can
get quite complicated, but we will stick to the high-level description as much as possible.
Second, many of these attacks have many variations that have been used over time. You may hear of
them referred to in several different ways in your continuing security education. In the interests of
time we will restrict our discussion to the original attack, and mention any variations only as
necessary for clarification.
Finally, while each of these attacks can be used by itself, you will very often see them used in
combination, or see one attack used as the basis for another. For example, many of the attacks are
based on some form of Denial of Service.
Denial of Service
• Keeping the computer or network from doing anything useful
• Can be a system crash, more often just flooding it
• Very hard to prevent
• Distributed DoS – the latest wrinkle
Denial of Service, or DoS, is one of the most common attacks in use today. It works just like it
[Diagram: Agent, Agent, Handler]
In DDoS attacks, the attack does not come from a single system or network; it comes from a wide distribution of
computers from all over the Internet, sometimes seemingly at random. Distributed denial of service
attacks are more complicated to set up from an attacker’s point of view, but their effects can be much
more devastating.
In a classic DDoS attack, there are a number of roles and components. On the roles side, there is the
Attacker, the Victim, and a number of “innocent” third parties (called Agents) that play an
unwilling role in the attack. The attacker will break into each of the Agents’ computers and plant a
program that can perform a DoS attack against the victim. There can be hundreds or even thousands
of Agents involved in an attack. One of the Agents is tagged as the Handler. It is the Handler’s
responsibility to coordinate the attack on behalf of the Attacker.
When the Attacker is ready to launch the attack, he contacts the Handler and tells it who the real
Victim is, how long the attack should last, and any other information the Agents will need. The
Handler then relays that information to the Agents and off they go. What the Victim sees is a DoS
attack from many different sites all coming at once.
What makes DDoS attacks so unique and powerful is that they use the diversity of the Internet to
strengthen the attack. The attack seems to be coming from everywhere at once, and since there is no
authentication on TCP/IP connections, there is no way to tell the real origin of the attack.
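What the Victim side can still measure, as an added example that is not part of the course notes: bucketing a connection log into time windows and counting distinct source addresses separates a flood from many Agents at once from a burst out of one host. The log format, the addresses and the thresholds are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample connection log, one line per inbound connection
# attempt to the victim: "<epoch_second> <source_ip> <dest_port>".
SAMPLE_LOG = """\
1000 198.51.100.10 80
1001 198.51.100.11 80
1002 203.0.113.5 80
1003 203.0.113.77 80
1004 192.0.2.30 80
1012 198.51.100.99 80
1013 198.51.100.99 80
1014 198.51.100.99 80
1015 198.51.100.99 80
1016 198.51.100.99 80
1021 192.0.2.8 80
1025 203.0.113.5 80
"""

def parse_log(text):
    """Turn log lines into (timestamp, source_ip, port) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, port = line.split()
            events.append((int(ts), src, int(port)))
    return events

def classify_windows(events, window=10, min_rate=5, min_sources=3):
    """Bucket events into fixed windows of `window` seconds and label each.
    A window holding at least min_rate events is a flood; a flood fed by at
    least min_sources distinct addresses is labelled distributed (thresholds
    are constructed for this sample). Caveat: the source addresses are whatever
    the senders wrote into the packets; at best they name Agents, never the Attacker."""
    buckets = defaultdict(list)
    for ts, src, _ in events:
        buckets[ts - ts % window].append(src)
    labelled = {}
    for start in sorted(buckets):
        sources = buckets[start]
        count, distinct = len(sources), len(set(sources))
        if count < min_rate:
            label = "normal"
        elif distinct >= min_sources:
            label = "distributed flood"
        else:
            label = "single-source flood"
        labelled[start] = (count, distinct, label)
    return labelled
```

`classify_windows(parse_log(SAMPLE_LOG))` labels the first window a distributed flood, the second a single-source flood and the third normal.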
Session Hijacking
• Taking over a connection that has already been established
• Bypasses any identification or authentication required to establish
• Attacker pretends to be legitimate
computers, and networks connected together. For instance, a computer may want to transmit packets of 1
kilobyte (1024 bytes) in size, but the routers between the computer and the destination may only be able to
handle packets of 512 bytes in size. If this is the case, IP will automatically split the original packet into
smaller pieces that will be able to make it all the way across the network. This process is called
fragmentation. Once the fragments reach their destination they are reassembled to recreate the original
packet. Fragmentation is good because it ensures the accurate transmission of information in a way that is
transparent to the user or application.
However, like all good things, packet fragmentation has also been used for evil purposes as a way of attacking
computers and slipping past firewalls. There have been three basic types of IP fragmentation attacks. The first
is the “Tiny Fragment” attack. In the Tiny Fragment attack, the attacker creates a packet and then fragments
the packet into very small pieces. The fragments are so small, in fact, that some of the header information gets
forced into more than one packet. The tiny fragments take advantage of the fact that many filtering firewalls
cannot handle incomplete header information and allow such fragments through, even if the reassembled
packet would not be allowed through the same firewall.
The overlapping fragment attack works by the attacker again splitting the packet into fragments. However,
instead of the fragments being reassembled sequentially, the fragments are reassembled so that subsequent
packets actually overwrite sections of the first fragment.
Finally, an attack called the teardrop attack was launched by creating fragments so that a second fragment
was placed entirely inside the first fragment. Many fragment reassemblers couldn’t handle the offsets involved
and crashed the machine.
Packet fragmentation may seem a bit esoteric for ordinary folks to worry about, but it is a classic example of
the technical lengths and the in-depth knowledge attackers will seek in order to work their evil.
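The checks a firewall or reassembler can apply to the fragments of one datagram, as an added example that is not part of the course notes: it flags the three cases described above (a first fragment too short to carry the transport header, a later fragment that overwrites part of an earlier one, and a later fragment lying entirely inside an earlier one). Fragments are given as constructed (offset, length) pairs in bytes, and the 20-byte minimum for the first fragment is an assumption.

```python
# Each fragment is an (offset, length) pair in bytes for one IP datagram.
# A real reassembler would read these from the IP header (where the offset
# field counts in 8-byte units); here they are constructed inputs.

MIN_FIRST_FRAGMENT = 20   # assumption: the first fragment must carry at least
                          # a minimal 20-byte TCP header so a filter can read it


def check_fragments(fragments):
    """Return the problems found among the fragments of one datagram:
    "tiny"     - the first fragment is too short to hold the transport
                 header, so a filter cannot see the port numbers;
    "overlap"  - a later fragment starts inside an earlier one and would
                 overwrite part of it on reassembly;
    "teardrop" - a later fragment lies entirely inside an earlier one.
    An empty list means the fragments reassemble cleanly."""
    # Sort by offset, longest first, so a containing fragment comes before
    # any fragment nested inside it, whatever order they arrived in.
    frags = sorted(fragments, key=lambda f: (f[0], -f[1]))
    if not frags:
        return []
    problems = []
    first_off, first_len = frags[0]
    if len(frags) > 1 and first_off == 0 and first_len < MIN_FIRST_FRAGMENT:
        problems.append("tiny")
    for i, (off, length) in enumerate(frags):
        end = off + length
        for prev_off, prev_len in frags[:i]:
            prev_end = prev_off + prev_len
            if off < prev_end:                  # starts inside an earlier fragment
                problems.append("teardrop" if end <= prev_end else "overlap")
                break                           # one finding per fragment is enough
    return problems


def should_drop(fragments):
    """A filter's decision: drop the whole datagram if any check fails."""
    return bool(check_fragments(fragments))
```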
Ping of Death
• Maximum PING packet size 64K
• Microsoft allows larger packets
• Send a PING packet greater than