Computer & Network Security

blackstart, Networks and Communications
26 Oct 2013 (3 years and 11 months ago)
205 views

Networks 1

Computer & Network Security

Introduction to Network Security

Text: The Complete Reference: Network Security, Bragg, Rhodes-Ousley, Strassberg, Chapter 9

Objectives:

The student should be able to:
- Define and describe the purpose of a Demilitarized Zone (DMZ), zone, bastion host, honeypot, war dialer.
- Interpret output for ARP, IP, TCP, UDP, ICMP on a sniffer: Windump and Ethereal.

Class Time:

Lecture - Protocols: 1.5 hour
Lab: 1 hour
Lecture - Networks: 0.5 hour
Total: 3 hours


Summary of Networks & Protocols

Protocol Layers of the Internet Stack:

Application:
- SMTP: Simple Mail Transfer Protocol (Email): 25
- HTTP: HyperText Transfer Protocol (Web): 80
- FTP: File Transfer Protocol: 20/21
- SNMP: Simple Network Management Protocol: 161
- DNS: Domain Name Server: 53
- SSL: Secure Socket Layer: 443

Transport:
- TCP: Transport Control Protocol (End-to-End Error control: Retransmission)
- UDP: User Datagram Protocol (Only Port Addressing)

Network:
- IP: Internet Protocol (Routing)
- ICMP: Internet Control Message Protocol (Reports errors, performs tests for IP)

Data Link Layer:
- PPP: Point-to-Point Protocol (WAN)

Medium Access Control (MAC):
- Ethernet Protocol
- ARP: Address Resolution Protocol (Translates IP to MAC addresses)

Physical Layer

Network Topologies

Bus Topology: Nodes attach to a single cable.
- Operates in promiscuous mode: Everyone sees everyone else's transmissions

Star Topology: All nodes are connected to a central device which forwards packets
- Hub: Packets are forwarded in promiscuous mode
- Switch: Packets are routed only to the destination node by Layer 2 (MAC) address.
- Router: Packets are routed to the destination node by Layer 3 (IP) address

Mesh Topology: Every computer is connected to every other computer

Tree Topology: Cables split into branches of cables (e.g. cable TV)

Ring Topology: Every computer connects to a ring.
- All packets travel unidirectionally around the ring

Discussion: Which topologies are more secure than other topologies, and what kinds of security problems can arise from the various topologies?


High-Level Review of Protocols

Transport Control Protocol (TCP)

TCP is responsible for end-to-end retransmission, and reordering of packets received out-of-order.
- Addresses applications via 16-bit Port number
- Performs error control on an end-to-end basis:
  - Reorders out-of-sequence segments
  - Retransmits segments when acknowledgements are not received
- Performs flow control on an end-to-end basis (using the window)
- Performs congestion control to ensure network is not overwhelmed

Protocol:

TCP is connection-oriented, which means that it must explicitly establish and break down a connection before transmission occurs.
- Establishes a connection
- Sends data
- Each side gracefully disconnects

Windump TCP Data Format:

14:54:55.100898 IP 192.168.0.5.23 > 192.168.0.4.1226: F 1330:1330(0) ack 312 win 17209 (DF)

time prot sourceIP.port > destIP.port: flag begSeq:endSeq(length) ackNr windowSize DF

Where:
Time: Time packet sent/received
Prot: protocol (IP)
SourceIP: Source IP address
DestIP: Destination IP address
Flag: S=SYN, F=FIN, P=PUSH, R=RESET
BegSeq: Beginning Sequence number (byte #)
EndSeq: Ending sequence number (byte #)
Length: Number of bytes
AckNr: Acknowledgment sequence number (=next expected seq #)
WindowSize: Size of empty space in receive buffer (in bytes)
DF: Don't Fragment

The flags within segments that TCP uses include:
- S=SYN: Request to establish a connection
- P=PUSH: Request from application to flush (or force) transmission.
- F=FIN: Request to close a transmission - graceful
- R=RESET: Notification of aborting of a connection
- ack: Contains an ack for previous data

Segments with data in them have a byte count > 0.

Initiate a connection (three-way handshake):

  SYN      -->
           <--  SYN,ACK
  ACK      -->

Windump of establish connection:

14:54:50.191132 IP 192.168.0.4.1226 > 192.168.0.5.23: S 262694098:262694098(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
14:54:50.192200 IP 192.168.0.5.23 > 192.168.0.4.1226: S 116356462:116356462(0) ack 262694099 win 17520 <mss 1460,nop,nop,sackOK> (DF)
14:54:50.192249 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1 win 17520 (DF)

Send data:
- Each byte of TCP data has a sequence number associated with it.
- The acknowledgment indicates the sequence number of the byte of data expected next

  (PUSH)   -->
           <--  ACK

Windump of data transmission:

14:54:54.898690 IP 192.168.0.5.23 > 192.168.0.4.1226: P 1300:1315(15) ack 309 win 17212 (DF)
14:54:54.929536 IP 192.168.0.4.1226 > 192.168.0.5.23: P 309:310(1) ack 1315 win 16206 (DF)

Terminate connection:
- Graceful Disconnect: Both sides must disconnect

  FIN      -->
           <--  ACK
           <--  FIN
  ACK      -->

- Session Abort: Uses Reset

  RST      -->

Windump of close connection:

14:54:55.100898 IP 192.168.0.5.23 > 192.168.0.4.1226: F 1330:1330(0) ack 312 win 17209 (DF)
14:54:55.100964 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1331 win 16191 (DF)
14:54:55.101465 IP 192.168.0.4.1226 > 192.168.0.5.23: F 312:312(0) ack 1331 win 16191 (DF)
14:54:55.102295 IP 192.168.0.5.23 > 192.168.0.4.1226: . ack 313 win 17209 (DF)
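The three listings above can be decoded mechanically. The following Python is an added example (not part of the handout, Windump or tcpdump): it parses the windump TCP line format described in the "Windump TCP Data Format" section, names the phase each segment belongs to, and checks the sequence/ack arithmetic of the handshake and the close. The sample capture is the handout's own listing, reassembled as a constructed string.

```python
import re

# Constructed sample: the handout's handshake, data and close listings of one telnet session.
CAPTURE = """\
14:54:50.191132 IP 192.168.0.4.1226 > 192.168.0.5.23: S 262694098:262694098(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
14:54:50.192200 IP 192.168.0.5.23 > 192.168.0.4.1226: S 116356462:116356462(0) ack 262694099 win 17520 <mss 1460,nop,nop,sackOK> (DF)
14:54:50.192249 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1 win 17520 (DF)
14:54:54.898690 IP 192.168.0.5.23 > 192.168.0.4.1226: P 1300:1315(15) ack 309 win 17212 (DF)
14:54:54.929536 IP 192.168.0.4.1226 > 192.168.0.5.23: P 309:310(1) ack 1315 win 16206 (DF)
14:54:55.100898 IP 192.168.0.5.23 > 192.168.0.4.1226: F 1330:1330(0) ack 312 win 17209 (DF)
14:54:55.100964 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1331 win 16191 (DF)
14:54:55.101465 IP 192.168.0.4.1226 > 192.168.0.5.23: F 312:312(0) ack 1331 win 16191 (DF)
14:54:55.102295 IP 192.168.0.5.23 > 192.168.0.4.1226: . ack 313 win 17209 (DF)
"""

# time prot sourceIP.port > destIP.port: flag begSeq:endSeq(length) ackNr windowSize <opts> DF
LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPR.]+)"                                # S=SYN F=FIN P=PUSH R=RST .=none
    r"(?: (?P<beg>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"    # absent on pure acks
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?(?: \((?P<df>DF)\))?$"
)

def parse(line):
    """Split one windump TCP line into a dict; numeric fields become ints."""
    m = LINE.match(line)
    if not m:
        raise ValueError("not a windump TCP line: " + line)
    seg = m.groupdict()
    for key in ("sport", "dport", "beg", "end", "len", "ack", "win"):
        seg[key] = None if seg[key] is None else int(seg[key])
    mss = re.search(r"mss (\d+)", seg["opts"] or "")
    seg["mss"] = int(mss.group(1)) if mss else None
    return seg

def classify(seg):
    """Phase in the handout's walk-through: SYN, SYN,ACK, ACK, DATA, FIN or RST."""
    f = seg["flags"]
    if "S" in f:
        return "SYN" if seg["ack"] is None else "SYN,ACK"
    return "RST" if "R" in f else "FIN" if "F" in f else "DATA" if seg["len"] else "ACK"

def analyze(text):
    """Parse a capture and check the seq/ack arithmetic of the handshake and the close."""
    segs = [parse(line) for line in text.splitlines()]
    syn, synack, ack = segs[:3]
    # A SYN consumes one sequence number; after the SYNs windump prints relative numbers.
    handshake_ok = synack["ack"] == syn["beg"] + 1 and ack["ack"] == 1
    fin_acks = []  # a FIN also consumes one number: the peer's next ack must be endSeq + 1
    for i, s in enumerate(segs):
        if "F" in s["flags"]:
            reply = next((r for r in segs[i + 1:] if r["src"] == s["dst"] and r["ack"]), None)
            fin_acks.append(reply is not None and reply["ack"] == s["end"] + 1)
    return {"phases": [classify(s) for s in segs], "handshake_ok": handshake_ok,
            "fin_acks": fin_acks, "mss": syn["mss"]}
```

`analyze(CAPTURE)` reports the nine phases in order, a valid handshake (ack 262694099 = ISN + 1), both FINs acknowledged at endSeq + 1, and the MSS of 1460 from the SYN options.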




User Datagram Protocol (UDP)

UDP can be used instead of TCP to address an application
- Does NOT support end-to-end retransmission, reorder out-of-order packets, or perform flow control or congestion control.
- Addresses applications via 16-bit Port number

Protocol:

UDP is connectionless, which means it sends packets without establishing a connection first. If packets cannot be successfully sent, there may be no indication of failure.
- Sends data

Windump UDP Data Format:

14:54:55.100898 IP 192.168.0.5.138 > 192.168.0.4.138: UDP, length: 174

Internet Protocol (IP)
- Performs routing
- Addresses hosts
- Performs fragmentation/reassembly
- Security problem: Spoofed fragments replace or confuse real data
- Security problem: Fragmented attacks may not be noticed by firewalls, IDS (depending on their sophistication)

IP Header

Nibbles (bit positions within each 32-bit word):

First 8 nibbles:
  0-3: IP Version
  4-7: Header length (in 32-bit words)
  8-15: Type of service
  16-31: Total length
Second 8 nibbles:
  0-15: Identification (used with fragmentation)
  16-18: Flags: More bit, Don't Fragment
  19-31: Fragment offset
Third 8 nibbles:
  0-7: Time to live
  8-15: Protocol (e.g. TCP, ICMP)
  16-31: Header Checksum
Fourth 8 nibbles: Source Address
Fifth 8 nibbles: Destination Address


Windump (-x) of a fragmented ping, header and data in hex:

15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168 (frag 924:1480@0+)
    4500 05dc 039c 2000 8001 902b c0a8 0004
    c0a8 0005 0800 2859 0200 1c00 6162 6364
    6566 6768 696a 6b6c 6d6e 6f70 7172 7374
    7576 7761 6263 6465 6667 6869 6a6b 6c6d
    6e6f 7071 7273 7475 7677 6162 6364 6566
    6768

Performs fragmentation:

(frag 924:1480@0+): Datagram ID=924 : Length=1480 @ Offset=0, +=More_Fragments

15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168 (frag 924:1480@0+)
15:19:42.744570 IP 192.168.0.4 > 192.168.0.5: icmp (frag 924:576@1480)
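As an added example (not from the handout), the Python below decodes the hex dump above with the nibble layout given in the IP Header section, verifies the header checksum, renders windump's frag annotation, and computes how the sender's IP layer splits the payload of the 2048-byte ping (2048 data bytes plus the 8-byte ICMP echo header = 2056 bytes, which is the 1480 + 576 split in the two fragment lines). The hex string is constructed from the first two lines of the dump.

```python
import struct

# Constructed from the handout's hex dump of the first fragment of the large ping;
# only the first 20 bytes (the IP header) are decoded, the rest is ICMP data.
HEXDUMP = "4500 05dc 039c 2000 8001 902b c0a8 0004 c0a8 0005 0800 2859 0200 1c00 6162 6364"

def ip_checksum(header):
    """RFC 791 ones-complement sum; a header with a valid checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ip_header(hexdump):
    """Decode the five 32-bit words of the header using the nibble layout above."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    v_ihl, tos, tlen, ident, ff, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (v_ihl & 0x0F) * 4                 # word 1 bits 4-7: header length in 32-bit words
    return {
        "version": v_ihl >> 4,               # word 1 bits 0-3
        "header_len": ihl, "tos": tos, "total_len": tlen,
        "id": ident,                         # word 2 bits 0-15: identification
        "df": bool(ff & 0x4000),             # word 2 flags: Don't Fragment
        "mf": bool(ff & 0x2000),             # More Fragments (windump prints "+")
        "frag_offset": (ff & 0x1FFF) * 8,    # word 2 bits 19-31, in 8-byte units
        "ttl": ttl,                          # word 3 bits 0-7
        "protocol": {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto)),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": ip_checksum(raw[:ihl]) == 0,
        "payload_len": tlen - ihl,           # what windump prints as "icmp 1480"
    }

def frag_summary(hdr):
    """Render the fragment info the way windump does: frag id:len@offset, '+' = more."""
    if not hdr["mf"] and hdr["frag_offset"] == 0:
        return ""                            # unfragmented datagram: no annotation
    return "frag %d:%d@%d%s" % (hdr["id"], hdr["payload_len"], hdr["frag_offset"],
                                 "+" if hdr["mf"] else "")

def fragment_plan(payload_len, mtu=1500, header_len=20):
    """How the sender's IP layer splits a payload: every fragment but the last carries
    a multiple of 8 bytes and has MF set. Returns a list of (offset, length, mf)."""
    per_frag = (mtu - header_len) // 8 * 8
    plan, offset = [], 0
    while offset < payload_len:
        length = min(per_frag, payload_len - offset)
        plan.append((offset, length, offset + length < payload_len))
        offset += length
    return plan
```

For the dump above, `parse_ip_header` yields ID 924, MF set, offset 0, TTL 128, protocol icmp and a valid checksum, so `frag_summary` reproduces "frag 924:1480@0+"; `fragment_plan(2056)` gives the (0, 1480, more) and (1480, 576, last) pair seen in the capture.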

Internet Control Message Protocol (ICMP)
- Reports errors (e.g. Destination not reachable)
- Replies to requests (routing info)
- Test connectivity (ping)

Windump of Ping command:

15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168
15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: icmp 1480: echo reply seq 7168

Note: 1480 is the length

15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: 131.210.42.3 udp port 53 unreachable

Address Resolution Protocol (ARP)
- Converts an IP Address (192.164.53.25) to a MAC Address (e.g. 0:90:27:1c:50:d0)

Protocol:
- Requester broadcasts to all nodes on subnet: ARP Request (IP_Address)
- Replier (Me) sends: ARP Response (IP_Address, MAC Address)

Windump:

14:54:50.190823 arp who-has 192.168.0.5 tell 192.168.0.4
14:54:50.191108 arp reply 192.168.0.5 is-at 0:90:27:1c:50:d0



Securing a Network: Introduction

Perimeter: What is the entrance into our network?
- Devices which interface with perimeter: Firewall, Border/Internal Router, Wireless Access Point, (Dial up) Modems, (Floppy/CD drives)
- A business's private network is divided into zones

Zones of Trust
- Each zone has separate security/protection needs
- Allows networks to scale
- Allows outside users access to specific locations and prohibits access to other areas
- Can have multiple zones: Factory, Administration, External Interface, Development, ...

Zones:

Most-Secure Zone: Internal network
- Little or no access from the public
- Private file systems, servers

De-Militarized Zone (DMZ): Access to the public in a controlled way.
- Web pages, Business-2-Business (B2B)
- Segregated from internal network
- Less stringent security compared to most-secure zone

Example: CISCO PIX firewall allows up to 8 zones to be created.
- Low-security zones cannot access high-security zones unless configured to do so.

Bastion Host: Host that is strengthened to face network attacks
- Must be kept current with security patches
- Most tools and configuration utilities are removed from host
- Extensive logging is used
- Assume host may become compromised
- Does not share authentication system with private network

To combat physical attack:
- Redundancy: network links, devices, power supply
- Backups: at physically separate locations
- Restricted Access
- Monitoring cameras
- Physical security audits



For the following configurations,
- Which are cheaper?
- Which make the DMZ more secure?
- Which make the private network more secure?

[Diagrams of DMZ configurations; only their labels survive extraction:
 - 3-Legged Firewall: Internet, FW, DMZ, Private Network
 - Dirty DMZ: Edge Router rejects requests from DMZ to FW (Internet, FW, DMZ, Private Network)
 - Further diagrams labelled with Internet, FW, FW, FW, DMZ, DMZ, Router, Private Network]


Fault Tolerance

Single Point of Failure: When one part fails, functionality is lost
- Redundancy: If one path fails, routers reconfigure to find an alternative path
- Fully meshed network is fully redundant but expensive

Fault Tolerance: A redundant device takes over when one device fails
- Hot Standby Router Protocol (HSRP)
- Virtual Router Redundancy Protocol (VRRP)
- Failover: Pass control to hot standby

Hot Standby Router Protocol (HSRP):
- Virtual router: When active router fails, a standby owner assumes ownership of the IP address & MAC address
- Hosts can continue sending with no disruption
- Standby group: Group of routers ready to become active
- Procedure:
  - Active and Standby routers send HELLO packets to multicast address 224.0.0.2 containing their priority
  - The highest priority router always becomes active

War Dialers
- What telephone numbers allow login into the network?
- Does the answering modem provide info via banner of the type of modem?
- Auditing Tools: THC Scan, Phone Tag, Modem Scan, Phone Sweep, Sandtrap, Procomm Plus
- Be careful: do a test run on 2-3 phones (yours +). Do not include known emergency numbers
- Some PBXs and phone networks will recognize sequential war dialing, so beware!
- Best-practices exist for dialup modem use. Look them up!


WinDump Lab

Before starting the lab:
- Open up the Windows XP VMware according to separate directions.
- Open up my web page notes within Windows XP, at www.cs.uwp.edu/Classes/Cs490. These will help you to interpret the packets you see.
- We will be working with Telnet. Enable Telnet as follows:
    Start -> Control Panel -> Switch to Classic View -> Administrative Tools -> Services
  Scroll down and double click on the Telnet option, Set to Automatic, Press Start, Apply, OK
- Set the password for the CyberSecStudent to “TelnetMe”
    Start -> Control Panel -> User Accounts -> CyberSecStudent -> Create a Password
  Set password to “TelnetMe”
- Try having a neighbor telnet into your machine. If it doesn’t work, turn off your firewall.

1) Using IPCONFIG to learn your IP address

Learn your IP address using ipconfig:
    Start -> Accessories -> Command Prompt
    > ipconfig

1B) Your IP address is:

2) Getting Familiar with Windump

Windump is a MS Windows tool to monitor what is being transmitted on the LAN. TCPdump is an equivalent UNIX tool. To start windump execute:
    Start -> Accessories -> Command Prompt
    > windump -i2 -n

You are now monitoring all transmissions on Interface 2. You may occasionally see messages being sent. Your instructor has a translation list of port numbers and services.

2A) Copy down the IP addresses and port numbers/services you see transmissions for.













WINDUMP OPTIONS

To monitor interface 2 without IP address translation (prevents packet loss):
    windump -i2 -n

To monitor transmissions sent or received only from your IP address:
    windump -i2 -n host 10.1.1.20n

To monitor transmissions except to specific ports and except for arp:
    windump -i2 -n tcp port !80 and !443 and !21 and !arp

To monitor only icmp messages:
    windump -i2 -n icmp

To monitor headers and data for a particular IP address:
    windump -i2 -n -x host 10.1.1.20n

To save what you monitor in readable form to a file:
    windump -i2 > savefile.txt

To save output to a file in binary, then reread it:
    windump -i2 -w binfile
    windump -r binfile

Start up Windump to monitor transmissions to your own host:
    > windump -i2 -n host 10.1.1.20m

Or to see data:
    > windump -i2 -n -x host 10.1.1.20n

3) Monitoring ARP and ICMP

Next learn which IP addresses are in your ARP cache. The ARP protocol is responsible for translating IP addresses to MAC addresses. Perform the following command to see your ARP cache:
    > arp -a

Find a machine that is NOT in your arp cache. Open another cmd window and try doing a PING to the IP address that is not in your arp cache. This will force the ARP protocol to run. Ping uses ICMP. ICMP is a protocol that provides error messages and implements network tools for IP. Ping sends an echo request packet to a remote destination and expects an echo reply packet back.

Open a second window to run ping, while the first window runs windump. Select another machine to ping:
    > ping 10.1.1.20q

3A) You should now see both arp and icmp messages. The arp messages provide the MAC address for the ping messages to use. Copy down the arp sequence. Circle the MAC address.

3B) Now copy down the ping exchange (one request-response sequence) seen in windump.







4) Ethereal

To open Ethereal, click on the Ethereal icon in Windows XP or select as follows:
    All programs -> Ethereal

Then open the capture screen, which will allow you to configure capturing:
    Capture -> Interfaces

We will try each one of the options provided there.

Select “Capture”

4a) What kinds of protocols are being observed?

Now we will try another mode where we can actually see the packets. Select ‘Exit’.

Select “Prepare”
(If asked, select “Continue without saving”)

We need to select a number of options to collect packets and exclude translations, since they take time and will cause loss of packets:
- Select Update list of packets in real time
- Clear all Name Resolution boxes (e.g., MAC name resolution, etc.)

We want to see only those packets that are for our host, not part of the regular network noise.

Here are some example Capture Filters that can be used:
    tcp port 23 and host 10.0.0.5
    tcp src port 42 and not host 10.0.0.5

Enter a filter that monitors only your own IP address (i.e., no broadcast messages).

Once you begin monitoring, connect via the SSH icon and log in to: 10.1.1.128 as ‘Student’ with password ‘badpass’

4b) What filter did you enter?

4c) Fill in what you see:
Application protocol used (SSH1/SSH2):
Transport protocol used (TCP/UDP):

                 Source        Destination
IP Address
Port Numbers


5) IP & Fragmentation

This section is optional. Return to this section after learning the Ethereal tool.

IP is responsible for routing. IP version 4 is also responsible for fragmentation and reassembly. Below we will do a ping message that is so large it requires fragmentation. Windump shows the IP (and TCP) headers in formatted form. You may also see the headers in unformatted form when using the -x option with windump. Start windump to show data and do a ping command with a length of 2048 bytes. Monitor transmissions to/from your IP addresses using Ethereal:
    > ping 10.1.1.20q -l 2048

5a) Number of fragments:
5b) Size of each fragment:
5c) Fragment number:
5d) Next fragment number (Are fragment numbers sequential)?

6) TCP

Next we look at TCP. To see a TCP connection via Windump, start up windump with one window and start up telnet on another.
    Start -> Accessories -> Command Prompt
    telnet 10.1.1.20q

You should see the telnet application use TCP.

6A) What port numbers do the client and server use?

                 Source        Destination
IP Address
Port Number
Starting Sequence #

6B) On each SYN a Maximum Segment Size (MSS) - or TCP packet length - is specified. What is the MSS used?

6C) What happens with the connection, both from the user perspective and from the TCP protocol perspective?

6D) Disable or reenable the firewall by performing the following sequence:
    Start -> Control Panel -> Security Center -> Windows Firewall -> Select ‘Off’

Attempt to telnet into your neighbor machine (after they have disabled their firewall). What happens now?

6E) Using the following windump command to monitor telnet, what text can you see being sent through telnet? To monitor headers and data for your IP address:
    windump -i2 -n -x host 10.1.1.20m