network devices - KingscliffDipIT - home

droppercause: Networks and Communications

28 Oct 2013 (3 years and 9 months ago)


droppercause_3b5427fd-90da-46e7-a8f4-a3a362eed6b0.doc


NETWORK DEVICES

Can “private” networks be made more private?

while steps can be taken to encrypt user data sent over a network, it is usually inconvenient for the users and costly to do so for LANs

it is generally assumed that a greater security threat lies with intruders outside the private LAN

if a strong perimeter defence can be constructed, this threat will be minimised while simplifying LAN traffic

various types of network device are naturally found at network perimeters and so these have the potential for security defence and attack

due to the possibility of a compromised perimeter and of local attacks, the use of network devices is only a part of a security strategy, not all of it

the security of the network media itself has been largely overlooked in the commercial arena

it is assumed that intruders do not want to risk being physically present to tap into cables

optical cable is more difficult to tap than copper cable

UTP (Unshielded Twisted Pair) radiates signals

these could be picked up and sent to an intruder by a radio transmitter in the roof cavity where the UTP is lying

with only a few seconds of downtime, a router in bridging mode can be inserted in a wiring closet as a man-in-the-middle attack



wireless LANs are becoming more popular, and are currently a security concern

wireless technology that uses SS (Spread Spectrum), such as standard 802.11, randomly chooses different frequencies to carry data

each network is described by a Broadcast SSID (Service Set IDentifier)

but a laptop with a wireless card, high-performance antenna (www.hyperlinktech.com) and software like OmniPeek (www.wildpackets.com) can be parked outside the building and analyse packets

add a GPS (Global Positioning System) and software like Kismet (www.kismetwireless.net) and “war-driving” allows the hacker to drive around town logging the location of wireless networks within range

WEP (Wired Equivalent Privacy) uses relatively weak encryption designed to simply stop unwitting eavesdropping, not determined hacking

AirSnort (airsnort.shmoo.com) is a Linux tool for cracking WEP

consider using a VPN on top of WEP

WPA (Wi-Fi Protected Access) uses Extensible Authentication Protocol (EAP)

can use a centralised RADIUS server, or WPA-PSK (Pre-Shared Key) where a matching password is entered into each WLAN node

uses Temporal Key Integrity Protocol (TKIP) to make decryption harder

uses Message Integrity Check (MIC) to make spoofing harder

WPA2 improves wireless security to 802.11i standard


wiring hubs and repeaters make decisions based on the Physical layer

packets are only forwarded to working links

it’s up to the machines to determine if a packet is for them

there is no provision for security

bridges and switching hubs (layer 2 “switches”) make decisions based on the Data Link layer

packets are only forwarded to machines that match the destination MAC address

possible to provide security by grouping machines into VLANs (Virtual LANs) so that a MAC broadcast is only sent to one group and not all machines

routers make decisions based on the Network layer

packets are only forwarded to a router with information on how to get to the matching network address

possible to provide security by filtering packets according to their network and node addresses

gateways make decisions based on the Transport and higher layers

eg firewalls, proxy-servers

packets are only forwarded to the client or server application with matching application-specific data

possible to provide security by filtering packets according to this data

as you go down the above list:

the slower the packet forward/filter decision process

the greater the potential degree of security control

the greater the potential for misconfiguration


coaxial cable or non-switching UTP hub connected Ethernet allows all network packets to appear at a NIC (Network Interface Card)

if the NIC was configured for “promiscuous” mode, all network traffic can be monitored and potentially “sniffed” by an intruder controlling that machine

using a “switch” can prevent all network traffic appearing at the NIC since only machine specific or MAC broadcast packets should appear on that link, but

IP addresses describe both network and node, however for a MAC sub-layer packet to reach the intended destination, its MAC address must also be known

ARP (Address Resolution Protocol) is used to dynamically map IP addresses to MAC addresses

if a machine wants to send a packet to a new machine (including routers) on the same IP network, it will first send an ARP broadcast to discover and cache the MAC address that matches the IP address

ARP is vulnerable to “man-in-the-middle” attacks

eg running arpredirect (part of dsniff, www.monkey.org/~dugsong/dsniff) and fragrouter (packetstormsecurity.nl) on an “owned” machine on the LAN

arpredirect can forge the router’s IP address in ARP broadcast replies, so the other machines cache the intruder machine’s MAC address

fragrouter can then forward packets onto the real router, after sniffing their contents

arpwatch (www.securityfocus.com) can notify the administrator of any dynamic ARP changes

also it is possible to configure static/permanent ARP mappings, eg see > arp /? and the -s option
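An arpwatch-style monitor, added as an example (it is neither arpwatch's code nor part of the notes): it replays a constructed trace of ARP replies, keeps an IP-to-MAC cache, raises the same events arpwatch reports (“new station”, “changed ethernet address”, “flip flop”), and additionally checks each reply against a table of pinned mappings of the kind `arp -s` creates. The addresses, the log line format and the timestamps are constructed.

```python
"""arpwatch-style monitor run over a constructed trace of ARP replies (added example)."""
from collections import defaultdict

# Mappings the administrator has pinned (cf. `arp -s`): here the default gateway (constructed).
STATIC_ARP = {"192.168.1.1": "00:11:22:33:44:01"}


def parse_arp_reply(line):
    """Parse a constructed record '<epoch> reply <ip> is-at <mac>' into (time, ip, mac)."""
    ts, kind, ip, keyword, mac = line.split()
    if kind != "reply" or keyword != "is-at":
        raise ValueError(f"not an ARP reply record: {line!r}")
    return int(ts), ip, mac.lower()


def monitor(lines, static=STATIC_ARP):
    """Return (time, ip, event, old_mac, new_mac) alerts for a sequence of ARP replies.

    'changed ethernet address': the IP now answers from a MAC never seen for it before.
    'flip flop': the IP alternates between MACs already seen, the classic sign of two
    stations (one possibly an intruder) both claiming the same address.
    'static mapping violated': the reply contradicts a pinned entry.
    """
    cache = {}                    # ip -> MAC currently believed
    history = defaultdict(set)    # ip -> every MAC ever seen for it
    alerts = []
    for line in lines:
        ts, ip, mac = parse_arp_reply(line)
        if ip in static and mac != static[ip]:
            alerts.append((ts, ip, "static mapping violated", static[ip], mac))
        if ip not in cache:
            alerts.append((ts, ip, "new station", None, mac))
        elif cache[ip] != mac:
            event = "flip flop" if mac in history[ip] else "changed ethernet address"
            alerts.append((ts, ip, event, cache[ip], mac))
        cache[ip] = mac
        history[ip].add(mac)
    return alerts


def suspicious_hosts(alerts):
    """IPs with any alert other than a first sighting: these need an administrator's eye."""
    return sorted({ip for _, ip, event, _, _ in alerts if event != "new station"})


# Constructed trace: the gateway answers normally, then a second station starts
# answering for the gateway's IP and the two alternate.
TRACE = [
    "1000 reply 192.168.1.1 is-at 00:11:22:33:44:01",
    "1001 reply 192.168.1.20 is-at 00:11:22:33:44:20",
    "1060 reply 192.168.1.1 is-at 00:11:22:33:44:99",
    "1061 reply 192.168.1.1 is-at 00:11:22:33:44:01",
    "1062 reply 192.168.1.1 is-at 00:11:22:33:44:99",
]

if __name__ == "__main__":
    for ts, ip, event, old, new in monitor(TRACE):
        print(f"{ts} {ip:15} {event:26} {old} -> {new}")
    print("check:", suspicious_hosts(monitor(TRACE)))
```

The static table turns the third reply into an immediate alert even before any flip-flop pattern is visible, which is why pinning the gateway's mapping on critical hosts complements a monitor like this rather than replacing it.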


simple routers can have static routes configured that describe the desired destination network, the interface and “gateway” or router (if using a LAN interface) to forward its packets to, and the “distance” or “metric” used to compare this path with any other possibilities

static routes offer greater security than dynamic routes and are quite manageable for small internetworks

eg Windows 9x, see > route /?

eg Linux, netcfg in X Windows

eg Windows 2000+, RRAS/IP Routing/Static Routes

note Windows NT/2k+ support “multi-homed” NICs, ie multiple IP addresses per LAN interface

often a “default route”, indicated by a destination network address of 0.0.0.0, is defined to send otherwise unknown destination packets to the “default gateway” (typically the ISP’s router), hoping it will know where to send them next

purpose-built routers, eg Cisco, dynamically discover routes from other routers via a routing protocol

eg RIP (Routing Information Protocol), IGRP (Internal Gateway Routing Protocol), OSPF (Open Shortest Path First)

RIP is an open standard, uses a distance vector algorithm

every router “hop” adds 1 to the distance

every router periodically advertises its routing table to neighbouring routers which recalculate their own

IGRP is a Cisco standard, that modifies distance with bandwidth, delay and reliability, a more accurate metric

OSPF is an open standard, creates a total topology database based on each router’s broadcasted LSAs (Link State Advertisements) that contain the router’s ID, its attached networks and the “cost” of the attachment links
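To make the static route, default route and RIP distance-vector points concrete, here is a routing table in Python, added as an example (not the notes' own material and not any router's code). It does longest-prefix lookup with a 0.0.0.0 default route, and one distance-vector update step that adds a hop to each advertised metric, treats 16 as unreachable, and refuses to let a neighbour's advertisement displace a static route. The 192.168.2.0/24 via 192.168.1.10 route is the one in the notes' IOS example; every other address, the interface names and the neighbour's advertisement are constructed.

```python
"""Routing table with static routes, a default route and RIP-style distance-vector learning
(added example; all values are constructed except the static route taken from the notes)."""
import ipaddress
from dataclasses import dataclass

RIP_INFINITY = 16   # RIP: a hop count of 16 means unreachable


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str         # next-hop router, or "direct" for an attached network
    interface: str
    metric: int          # hop count / distance used to compare paths
    source: str          # "static" or "rip"


class RoutingTable:
    def __init__(self):
        self.routes = {}   # IPv4Network -> best Route known for that prefix

    def add_static(self, network, gateway, interface, metric=1):
        net = ipaddress.ip_network(network)
        self.routes[net] = Route(net, gateway, interface, metric, "static")

    def lookup(self, dst):
        """Longest-prefix match; the 0.0.0.0/0 default route only wins when nothing
        more specific matches. Ties on prefix length go to the lower metric."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes.values() if addr in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))

    def learn_from_rip(self, neighbour, interface, advertised):
        """One distance-vector update: each (network, metric) heard from `neighbour` costs
        one more hop. Unreachable routes are dropped, a worse path never replaces a better
        one, and static routes are kept, as routers do by default (static routes have the
        better administrative distance), so an advertisement cannot displace what the
        administrator configured. Returns the routes that were installed."""
        installed = []
        for network, metric in advertised:
            new_metric = min(metric + 1, RIP_INFINITY)
            if new_metric >= RIP_INFINITY:
                continue
            net = ipaddress.ip_network(network)
            current = self.routes.get(net)
            if current is not None and (current.source == "static" or current.metric <= new_metric):
                continue
            route = Route(net, neighbour, interface, new_metric, "rip")
            self.routes[net] = route
            installed.append(route)
        return installed


def build_example_table():
    rt = RoutingTable()
    rt.add_static("192.168.0.0/24", "direct", "eth0", 0)
    rt.add_static("192.168.1.0/24", "direct", "eth1", 0)
    rt.add_static("192.168.2.0/24", "192.168.1.10", "eth1", 1)   # the notes' IOS example
    rt.add_static("0.0.0.0/0", "203.0.113.1", "eth2", 1)         # default gateway (constructed)
    return rt


# Constructed RIP advertisement from a neighbour on eth1: its (network, hop count) view.
RIP_ADVERT = [("10.0.0.0/8", 1), ("192.168.2.0/24", 1), ("172.16.0.0/16", 15)]

if __name__ == "__main__":
    rt = build_example_table()
    print("192.168.2.19 ->", rt.lookup("192.168.2.19"))
    print("8.8.8.8      ->", rt.lookup("8.8.8.8"))
    for learned in rt.learn_from_rip("192.168.1.20", "eth1", RIP_ADVERT):
        print("learned", learned)
```

Of the three advertised prefixes only 10.0.0.0/8 is installed: 192.168.2.0/24 is already a static route, and 172.16.0.0/16 arrives at 15 hops, so one more takes it to RIP's unreachable value.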


configuration usually via Telnet with logon and password

eg Cisco has two levels of access: user and privileged (or “Enable mode”), each level requiring a password

strong passwords recommended, as is the “enable secret” to strongly encrypt the enable password

disable any web services used for configuration

where possible use SSH for configuration

monitor logs for interface outages and neighbour changes

increase physical security

each interface is given a different IP network address

eg Cisco (config-int)# ip address node netmask

(config-int)# ip address 192.168.0.9 255.255.255.0

static routes can be optionally configured

eg Cisco (config)# ip route network netmask router metric

(config)# ip route 192.168.2.0 255.255.255.0 192.168.1.10 1

routing protocol is chosen

eg Cisco (config)# router rip

network addresses to be advertised to other routers are given

eg Cisco (config)# network network

(config)# network 192.168.0.0

OSPF is the better routing protocol in terms of security since LSAs include router ID, password and message digest

RIP vulnerable to spoofing: srip (packetstorm.linuxsecurity.com/groups/horizon/ripar.txt)


like PCs, router operating systems can be identified by an intruder and known vulnerabilities exploited

Cisco routers have an operating system called IOS

recommend a secure IOS template (www.cymru.com/Documents/secure-ios-template.html)

IRPAS (www.phenoelit.de) contains a Unix command-line tool called cdp which can flood a Cisco’s IOS with overly long device IDs

install the latest patches and upgrades

Windows 2000+ Server RRAS (Routing and Remote Access Service) includes the ability to have both static and dynamic routes

considerably slower than a purpose-built router


SNMP (Simple Network Management Protocol) can be used with network devices to monitor and control them

SNMP “community names” are passwords

version 1 (still most common) does not encrypt these and they can be seen with snmpsniff (www.antionline.com)

either turn SNMP off or use versions 2 or 3 with strong community names

TFTP (Trivial File Transfer Protocol) is used by routers to backup and restore configuration files

these filenames typically end in .cfg

either disable unneeded tftp or filter at the firewall

“source” routing is where the sending computer supplies extra information in the Network layer header to specify the path to be taken (even if the routers involved know a better path)

this should be turned off to prevent an intruder from accessing a back door via, say, a trusted but less secure partner organisation’s routers

eg Cisco (config)# no ip source-route

ICMP (Internet Control Message Protocol) Redirect tells a router to send packets to another destination, possibly the intruder’s machine

potential security problem which should be turned off

eg Cisco (config-int)# no ip redirects
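The hardening points from the router configuration section (enable secret, web configuration disabled, SSH rather than Telnet) and from this section (strong SNMP community names, no ip source-route, no ip redirects on every interface) can be checked mechanically against a saved running-config. The audit script below is an added example, not from the notes or from Cisco: both configuration texts are constructed, the enable secret hash and the community string are placeholders, and the minimum community-name length is an assumed local policy rather than an IOS rule.

```python
"""Audit an IOS-style running configuration for the hardening points in these notes
(added example; the configuration texts are constructed, not from any real device)."""
import re

WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}
MIN_COMMUNITY_LEN = 12    # assumed local policy, not an IOS limit


def interface_blocks(config):
    """Yield (interface_name, [indented lines]) for each 'interface ...' stanza."""
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name is not None and line.startswith(" "):
            body.append(line.strip())
        elif name is not None:          # '!' or any other top-level line ends the stanza
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def vty_block(config):
    """Return the text of the 'line vty ...' stanza, or '' if there is none."""
    m = re.search(r"^line vty.*?(?=^\S|\Z)", config, re.M | re.S)
    return m.group(0) if m else ""


def audit(config):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if not any(ln.startswith("enable secret") for ln in lines):
        findings.append("enable password not protected with 'enable secret'")
    if "no ip http server" not in lines:
        findings.append("web configuration service not disabled ('no ip http server')")
    if "no ip source-route" not in lines:
        findings.append("source routing enabled (add 'no ip source-route')")
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        name = m.group(1)
        if name.lower() in WEAK_COMMUNITIES or len(name) < MIN_COMMUNITY_LEN:
            findings.append(f"weak SNMP community name {name!r}")
    for name, body in interface_blocks(config):
        if "no ip redirects" not in body:
            findings.append(f"{name}: ICMP redirects enabled (add 'no ip redirects')")
    if "transport input ssh" not in vty_block(config):
        findings.append("vty lines accept Telnet (set 'transport input ssh')")
    return findings


# Constructed "before" configuration showing the weaknesses discussed above.
WEAK_CONFIG = """\
hostname border-rtr
enable password letmein
snmp-server community public RO
ip http server
interface FastEthernet0/0
 ip address 192.168.0.9 255.255.255.0
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
!
line vty 0 4
 password letmein
 login
 transport input telnet ssh
!
end
"""

# Constructed "after" configuration; the secret hash and community string are placeholders.
HARDENED_CONFIG = """\
hostname border-rtr
enable secret 5 $1$PLACEHOLDER$HASHxxxxxxxxxxxxxxxxx
no ip source-route
no ip http server
snmp-server community Zq8#vT2mLw9!pK RO
interface FastEthernet0/0
 ip address 192.168.0.9 255.255.255.0
 no ip redirects
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
!
line vty 0 4
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run against the weak configuration the audit reports six findings, one per missing control, and notes that only FastEthernet0/0 still has redirects enabled; against the hardened text it reports none.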


a router can act as a firewall to selectively filter packets

“access lists” are used to define the filtering rules

Cisco “standard” access lists filter on source IP

eg (config)# access-list list permit/deny source mask

where list is 1 to 99

where mask is the inverse of a netmask

(config)# access-list 1 permit 192.168.0.0 0.0.0.255

Cisco “extended” access lists filter on destination IP, Transport protocol, port, and established connection

eg (config)# access-list list permit/deny protocol source mask destination mask operator port est

where list is 100-199

where protocol can be “ip”, “tcp”, “udp”, “icmp”, “gre”, “igrp”

where source+mask or destination+mask can optionally be “any”

where operator can be “eq”, “neq”, “lt”, “gt”

(config)# access-list 101 permit tcp any 192.168.2.19 0.0.0.0 eq 80

multiple entries can be added to an access list and the rules are applied in that order with an assumed deny everything as the last rule

enter permit rules before deny rules

access list can be cleared with

eg (config)# no access-list list

once access lists are defined they are applied to one or more router interfaces

eg (config-int)# ip access-group list in/out

where “in” means inbound, “out” means outbound

(config-int)# ip access-group 101 in
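The access-list semantics above (inverse wildcard masks, first match wins, implicit deny at the end, clearing with no access-list, binding with ip access-group) as a runnable evaluator, added as an example rather than taken from the notes or from IOS. It parses the two access-list lines from the notes plus a constructed “established” entry; the interface name, the sample packets and their addresses are constructed. The test cases also show why permit entries must come before deny entries.

```python
"""Evaluate Cisco-style standard (1-99) and extended (100-199) access lists as described
in the notes (added example; packets, interface and the 'established' entry are constructed)."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")      # 'any' = every bit ignored
PORT_OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
            "lt": lambda p, n: p < n, "gt": lambda p, n: p > n}


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"        # ip, tcp, udp, icmp, ...
    dport: int = 0
    established: bool = False   # TCP reply segment (ACK or RST set)


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _take_addr(tok, i):
    """Consume 'any' or '<address> <wildcard>' (a missing wildcard means an exact host)."""
    if tok[i] == "any":
        return ANY, i + 1
    mask = tok[i + 1] if i + 1 < len(tok) else "0.0.0.0"
    return (tok[i], mask), i + 2


def parse_access_lists(lines):
    """Parse 'access-list ...' and 'no access-list <n>' lines into {number: [rules]}."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[:2] == ["no", "access-list"]:
            acls.pop(int(tok[2]), None)         # clears the whole list
            continue
        number, action = int(tok[1]), tok[2]
        rule = {"action": action, "proto": "ip", "dst": None, "op": None, "port": None, "est": False}
        if 1 <= number <= 99:                   # standard: source only
            rule["src"], _ = _take_addr(tok, 3)
        elif 100 <= number <= 199:              # extended
            rule["proto"] = tok[3]
            rule["src"], i = _take_addr(tok, 4)
            rule["dst"], i = _take_addr(tok, i)
            if i < len(tok) and tok[i] in PORT_OPS:
                rule["op"], rule["port"], i = tok[i], int(tok[i + 1]), i + 2
            rule["est"] = i < len(tok) and tok[i] == "established"
        else:
            raise ValueError(f"unsupported list number {number}")
        acls.setdefault(number, []).append(rule)
    return acls


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, *rule["src"]):
        return False
    if rule["dst"] is not None and not wildcard_match(pkt.dst, *rule["dst"]):
        return False
    if rule["op"] is not None and not PORT_OPS[rule["op"]](pkt.dport, rule["port"]):
        return False
    return not rule["est"] or pkt.established


def evaluate(rules, pkt):
    """First matching entry decides; anything unmatched hits the implicit 'deny any'."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


def filter_on_interface(acls, groups, interface, direction, pkt):
    """Apply the list bound with 'ip access-group <n> in|out' on `interface`; with no list
    bound, or a bound number that has no entries, IOS forwards everything."""
    number = groups.get((interface, direction))
    if number is None or number not in acls:
        return "permit"
    return evaluate(acls[number], pkt)


# Constructed configuration: the two lists from the notes plus an 'established' entry so
# replies to inside-initiated TCP sessions get through.
CONFIG = [
    "access-list 1 permit 192.168.0.0 0.0.0.255",
    "access-list 101 permit tcp any 192.168.2.19 0.0.0.0 eq 80",
    "access-list 101 permit tcp any any established",
]
ACLS = parse_access_lists(CONFIG)
GROUPS = {("Serial0", "in"): 101}            # (config-int)# ip access-group 101 in
```

For example, `filter_on_interface(ACLS, GROUPS, "Serial0", "in", Packet("203.0.113.5", "192.168.2.19", "tcp", 80))` returns "permit", the same packet to port 443 or over UDP falls through to the implicit deny, and an unsolicited TCP segment to any other inside host is denied unless its ACK/RST bit marks it as a reply.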