Saturday, March 30, 2013

(Book) Carrier-Scale IP Networks: Designing and Operating Internet Networks


This book is pretty old: written in 2001, it talks about the state of things more than 10 years ago! However, I find there has been no change in the requirements for network security for an IP carrier.

(1.2.4) Network Security

  • Making the components of the network secure from attack --- this is done by ensuring that only identified management systems have access to the management interfaces of network components; equipment vendors may build capabilities into certain items of network equipment to make them easier to manage in a secure enterprise environment, but these are not suitable for an insecure public Internet environment -- such capabilities must therefore be turned off. (now so-called management-plane hardening: locking down management access and removing vendor back doors)

  • Detecting an attack --- heuristic methods can be used to tell the difference between legitimate attempts by network management staff to access equipment and attempts by attackers; similarly, heuristic methods can be used to determine whether equipment is being attacked, by scrutiny of the appropriate logs of the equipment's activities. (now so-called threat detection, e.g. anomaly detection and anti-DDoS)
 
  • Knowing your own vulnerabilities --- network equipment can be checked by security-scanning software to test for vulnerabilities; network operators should also ensure that their equipment vendors notify them of bugs that might affect security. (we now call this vulnerability assessment, backed by vendor security advisories)
 
  • Controlling management access rights carefully --- as a network might be attacked by an insider, it is important not to grant access rights to everybody in network operations, but only sufficient rights to each individual to enable that person to perform their identified role; it is also important that, as individuals change jobs or leave network operations, their management rights are changed or revoked in a timely manner. (now so-called least privilege and role-based access control, with segregation of duties)
 
  • Shutting off attackers --- have plans to deal with attackers, e.g. by ensuring that an attacker can be cut off to prevent them from doing any more damage; this may require coordination with other networks or agencies. (now so-called incident containment, of which the anti-DDoS "clean pipe" service is one form)

  • Undoing an attacker's damage --- configuration management systems are required that can restore the network configuration in the event that the attacker has managed to change it. (now so-called configuration management, with known-good backups)
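The second bullet (detecting an attack by scrutinising the equipment's logs against the set of identified management systems) is the one that is easiest to show in code. The following is an added example, not from the book or the original post: it parses constructed login records in the style of Cisco IOS %SEC_LOGIN messages and raises an alert when a login succeeds from a host that is not one of the identified management systems, or when one source racks up repeated failures. The management host addresses, the threshold and the log lines are all assumptions made up for the demo.

```python
import re
from collections import Counter

# Assumption: these are the only identified management systems; nothing else
# should ever log in to a management interface.
MANAGEMENT_HOSTS = {"10.10.0.5", "10.10.0.6"}
FAILURE_THRESHOLD = 3  # failures from one outside source before we alert

# Constructed sample log lines in Cisco IOS %SEC_LOGIN style; not captured
# from a real device.
SAMPLE_LOG = """\
Mar 30 10:01:02 core-rtr-1 12: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22]
Mar 30 10:02:15 core-rtr-1 13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 22] [Reason: Login Authentication Failed]
Mar 30 10:02:17 core-rtr-1 14: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 22] [Reason: Login Authentication Failed]
Mar 30 10:02:19 core-rtr-1 15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.77] [localport: 22] [Reason: Login Authentication Failed]
Mar 30 10:05:40 core-rtr-1 16: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 198.51.100.9] [localport: 22]
Mar 30 10:06:01 core-rtr-1 17: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.10.0.6] [localport: 22] [Reason: Login Authentication Failed]
"""

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<outcome>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\]"
)


def parse_logins(log_text):
    """Return a list of (outcome, user, source_ip) for every login event found."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append((m.group("outcome"), m.group("user"), m.group("src")))
    return events


def find_suspicious_logins(events, management_hosts=MANAGEMENT_HOSTS,
                           threshold=FAILURE_THRESHOLD):
    """Apply the two heuristics.

    1. A successful login from anywhere other than an identified management
       host is the strongest signal: either the access control in front of the
       management interface is broken or credentials have leaked.
    2. Repeated failures from one outside source look like a guessing attack.
    A single failure from a management host (a typo by an operator) is ignored.
    """
    alerts = []
    failures = Counter()
    for outcome, user, src in events:
        if outcome == "LOGIN_SUCCESS" and src not in management_hosts:
            alerts.append(("success-from-unidentified-host", src, user))
        elif outcome == "LOGIN_FAILED":
            failures[src] += 1
    for src, count in failures.items():
        if src not in management_hosts and count >= threshold:
            alerts.append(("repeated-failures", src, count))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_logins(SAMPLE_LOG)):
        print(*alert)
```

On the sample above the script reports the successful login from 198.51.100.9 and the three failures from 203.0.113.77; the one failed attempt from 10.10.0.6 is left alone. In a real deployment the same logic would run over the equipment's syslog feed rather than an embedded string, and the allowlist would come from the inventory of management hosts rather than a constant.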

Find this book on Google: http://books.google.com.hk/books?id=5BbTeaFGOIIC&hl=zh-TW

Sunday, March 24, 2013

(Demo) Ethical Hacking - Web Parameter Tampering

It can be fun and effective to show a simple but interesting hacking demo while discussing application security with clients, to show how easy it is and how serious the results can be.

One recommended "simple demo" is Web Parameter Tampering on an online payment page.

Scenario:
- When someone is about to pay for an item online, it is not difficult to change the price (the so-called "web parameter") with the help of a tampering tool: the price is just a form field sent back from the browser, and a careless server trusts it as-is.
- There are easy tools for Web Parameter Tampering; I take TamperIE as an example.

Tool: TamperIE (Download: http://www.bayden.com/tamperie/)

Demo site for a "successful" tampering:

I would suggest you go through the demo site above first.

Here I "test" this with an online shop... Let's see if I succeed.


Important note: I do not engage in hacking as a habit, but to share with the public how a bad guy would perform hacking. Through this exercise, the good guy understands how bad guys act and can try a different way to give the bad guy a hard time.


#1 - I (a bad guy) would like to purchase a blouse online; however, I think $45 is too expensive for me.




#2 Once I click "pay now", my pre-installed parameter tampering tool pops up and shows me the parameters on this web page. The price is one of them, as highlighted.




#3 $49 + $30 shipping, total $79. Too expensive for me! So I change the price to $9 with the tool.
 


#4 However... the website is smart enough to detect the change of a parameter (the price).




#5 How does Taobao detect this? We can see a parameter "SecStrNoCCode", which is believed to be a hash of the page and is used to check for changes of web parameters from page to page. Any change of a parameter would produce a different hash. My best guess at the full meaning of this name is "Security String No Change of Code".
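The post only guesses at what "SecStrNoCCode" is. The following is an added example, not Taobao's code and not from the original post, of how a server can implement that kind of check: when it renders the checkout form it attaches a keyed hash (HMAC-SHA256) over the fields it emitted, and when the form comes back it recomputes the tag, so a price edited in TamperIE no longer matches. It also shows the stronger fix, which is to ignore the client-supplied price entirely and recompute the total from the server's own catalogue. The secret key, the catalogue, the item name and the function names are all assumptions made up for the demo.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Assumption: a secret that never leaves the server. Constructed for the demo;
# a real deployment loads a random key from secure storage.
SERVER_SECRET = b"constructed-demo-key-do-not-reuse"

# Constructed sample catalogue: the server's own record of prices.
CATALOGUE = {"blouse-1234": 49.00}
SHIPPING = 30.00


def sign_params(params, secret=SERVER_SECRET):
    """HMAC-SHA256 over the canonical (sorted, URL-encoded) form of the fields.

    Every field is covered, so changing any one of them changes the tag, and
    the key means the client cannot recompute the tag for its edited values.
    """
    canonical = urlencode(sorted(params.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def render_checkout(item, qty):
    """Server builds the checkout form and attaches a tag over what it emitted."""
    params = {
        "item": item,
        "qty": str(qty),
        "price": f"{CATALOGUE[item]:.2f}",
        "shipping": f"{SHIPPING:.2f}",
    }
    params["sig"] = sign_params(params)
    return params


def verify_submission(submitted, secret=SERVER_SECRET):
    """Recompute the tag over the submitted fields (minus the tag itself) and
    compare in constant time; any tampered or missing field fails."""
    fields = {k: v for k, v in submitted.items() if k != "sig"}
    expected = sign_params(fields, secret)
    return hmac.compare_digest(expected, submitted.get("sig", ""))


def server_total(submitted):
    """The stronger fix: never read the price from the form at all, recompute
    the total from the server-side catalogue for the chosen item."""
    return CATALOGUE[submitted["item"]] * int(submitted["qty"]) + SHIPPING


if __name__ == "__main__":
    form = render_checkout("blouse-1234", 1)          # what the browser receives
    tampered = dict(form, price="9.00")               # what TamperIE would send
    print("genuine form passes:", verify_submission(form))
    print("tampered form passes:", verify_submission(tampered))
    print("total the server actually charges:", server_total(tampered))
```

The HMAC check is what stops the demo in step #4: the client can change the price but cannot produce a valid tag for the new value. It is still a patch over a design flaw, though; the price should not be a client-supplied field in the first place, which is what `server_total` demonstrates.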
 


Sunday, March 17, 2013

(My Note) Security Solutions Catalog

10 years ago, security used to be = firewall (gateway) and anti-virus (endpoint).

Then, a few years later, some enterprises thought about IPS.

If your company had a website providing corporate information only, then you did not have to worry about the data / server side... except for website defacement prevention (maybe).

And for a security salesperson who wanted to sell more? There were anti-spam solutions for email services.

But today's enterprise...
- More companies understand the business benefit that the Internet brings, for example:
- "Cloud" provides an instant service without a huge first-time investment, but brings security and data privacy concerns
- BYOD allows a company to leverage staff mobility, but it also means a rapidly growing number of insecure "doors" (mobile devices) that make a hacker's life easier
- More security devices in a company means more difficult operation and monitoring
- etc.

Security is getting more complicated, not only for my clients but for me as well. :P

I always keep a so-called "security solution catalog" in my mind, as below. This helps my security discussions (selling) with clients. More than that, it helps me classify and position the different solutions in my security solution portfolio. So far this is the easiest way for my poor memory.