Network Security

homuskrat, Networking and Communications

Nov 20, 2013

Network Security

A General Introduction


Outline

- Network gatekeepers
- Identifying network threats and countermeasures
- Using secure router, firewall, and switch configurations


Network Gatekeepers

The network is the entry point to the application and controls access to the various servers in the enterprise environment.

The basic components of a network, which act as the front-line gatekeepers, are the:
- router,
- firewall, and
- switch.


Threats and Countermeasures

An attacker looks for poorly configured network devices to exploit. The following are high-level network threats:
- Information gathering
- Sniffing
- Spoofing
- Session hijacking
- Denial of service


Information Gathering

Information gathering can reveal detailed information about network topology, system configuration, and network devices.

Attacks:
- Using Tracert (Traceroute) to detect network topology
- Using Telnet to connect to open ports for banner grabbing
- Using port scans to detect open ports
- Using broadcast requests to enumerate hosts on a subnet


Countermeasures - Information Gathering

- Use generic service banners that do not give away configuration information such as software versions or names.
- Use firewalls to mask services that should not be publicly exposed.


Sniffing

Sniffing, also called eavesdropping, is the act of monitoring network traffic for data, such as clear-text passwords or configuration information.

Vulnerabilities:
- Weak physical security
- Lack of encryption when sending sensitive data

With a simple packet sniffer, all plaintext traffic can be read easily.
Countermeasures - Sniffing

Some of the countermeasures:
- Strong physical security that prevents rogue devices from being placed on the network
- Encrypted credentials and application traffic over the network


Spoofing

Spoofing is a means to hide one's true identity on the network. A fake source address is used that does not represent the actual packet originator's address.

Vulnerabilities:
- Lack of ingress and egress filtering.

Ingress filtering is the filtering of any IP packets with untrusted source addresses before they have a chance to enter and affect your system or network.

Egress filtering is the process of filtering outbound traffic from your network.



Countermeasures - Spoofing

- Use ingress and egress filtering on perimeter routers using Access Control Lists (ACLs).



Denial of Service

Network-layer denial of service attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources.

Vulnerabilities:
- Weak router and switch configuration
- Unencrypted communication

Countermeasures - Denial of Service:
- Filtering broadcast requests
- Filtering Internet Control Message Protocol (ICMP) requests
- Patching and updating of service software



Router Considerations

The router is the very first line of defense.
- It provides packet routing.
- It can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP.


Router Considerations - Protocols

Denial of service attacks take advantage of protocol-level vulnerabilities, for example, by flooding the network.

Prevent attack:
- Use ingress and egress filtering.
  Incoming packets with an internal address can indicate an intrusion attempt or probe and should be denied entry to the perimeter network.
  Set up the router to route outgoing packets only if they have a valid internal IP address.
- Screen ICMP traffic from the internal network.
  Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods.
  ICMP can be used for troubleshooting, but it can also be used for network discovery and mapping.
  Enable ICMP in echo-reply mode only.



Router Considerations - Protocols (continued)

Do not receive or forward directed broadcast traffic.
Directed broadcast traffic can be used as a vehicle for a denial of service attack.
Example:
- 10.0.0.0/8
- 127.0.0.0/8
- 169.254.0.0/16 (link local network)

Prevent Traceroute packets.
Trace routing is a means to collect network topology information. By blocking packets of this type, you prevent an attacker from learning details about your network from trace routes.
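The spoofing countermeasures slide and the two Protocols slides above (ingress/egress filtering, denying directed broadcasts, allowing only ICMP echo-reply inbound) modelled as a single packet-filter decision, as an added example that is not part of the original slides: the internal prefix 192.0.2.0/24, the interface names and the Packet class are constructed assumptions, while the reserved prefixes are the slide's own example list.

```python
# Added example, not from the original slides: the perimeter-router policy the
# slides recommend, modelled as one filter function (real routers use ACLs).
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: our prefix
# Source prefixes that must never arrive from the Internet (the slide's examples).
BOGON_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]
ICMP_ECHO_REPLY = 0  # ICMP type 0; echo-request is type 8

@dataclass
class Packet:                       # constructed stand-in for a parsed IP header
    iface: str                      # "outside" (Internet-facing) or "inside"
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None

def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def _is_directed_broadcast(dst: str) -> bool:
    ip = ipaddress.ip_address(dst)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)

def filter_packet(pkt: Packet) -> tuple:
    """Return (verdict, reason) for a packet crossing the perimeter router."""
    if pkt.iface == "outside":
        # Ingress filtering: a packet from the Internet claiming an internal or
        # reserved source address is spoofed (or a probe) and is denied entry.
        if _in_any(pkt.src, INTERNAL_NETS):
            return "deny", "ingress: spoofed internal source"
        if _in_any(pkt.src, BOGON_NETS):
            return "deny", "ingress: reserved/private source"
        # Do not receive or forward directed broadcasts into internal subnets.
        if _is_directed_broadcast(pkt.dst):
            return "deny", "directed broadcast"
        # Screen ICMP: only echo-reply (answers to our own pings) is let in.
        if pkt.proto == "icmp" and pkt.icmp_type != ICMP_ECHO_REPLY:
            return "deny", "icmp: only echo-reply permitted inbound"
        return "permit", "ingress ok"
    # Egress filtering: route outbound packets only from valid internal sources.
    if not _in_any(pkt.src, INTERNAL_NETS):
        return "deny", "egress: source is not a valid internal address"
    return "permit", "egress ok"
```

Feed it the packets a perimeter router would see (internal-sourced packets arriving from outside, echo-requests, a packet aimed at 192.0.2.255) and each verdict maps back to one bullet on the slides.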





Router Considerations

- Patches and updates: stay current with both security issues and service patches.
- Disable unused interfaces.
- Apply strong password policies.
- Use static routing. An attacker might try to change routes to cause denial of service or to forward requests to a rogue server.
- Audit Web-facing administration interfaces.



Router Considerations - Services

To reduce the attack surface area, default services that are not required should be shut down. Examples include bootps and Finger, which are rarely required. You should also scan your router to detect which ports are open.




Firewall - 1

- The role of the firewall is to block all unnecessary ports and to allow traffic only from known ports.
- A firewall should exist anywhere you interact with an untrusted network, especially the Internet.
- Separate your Web servers from downstream application and database servers with an internal firewall.
- The firewall should be configured to monitor and prevent attacks and to detect intrusion attempts.
- A firewall may run on an operating system, be hosted by a router, or run on specialist hardware.


Firewall - 2

The configuration categories for the firewall include:
- Patches and updates
- Filters
- Auditing and logging
- Perimeter networks
- Intrusion detection


Switch

Switches are designed to improve network performance and to ease administration.

Traffic is not shared between switched segments. This is a preventive measure against packet sniffing between networks.

An attacker can circumvent this security by:
- reconfiguring switching rules
- using easily accessed administrative interfaces
- using known account names and passwords


Considerations - Secure Switching

- Install the latest patches and updates.
- Virtual Local Area Networks (VLANs): virtual LANs separate network segments and allow application of access control lists based on security rules.
- Insecure defaults: change all factory default passwords to prevent network enumeration or total control of the switch.
- Services: all unused services are disabled.


Configure router passwords and banners.

Complete the task given in the lab sheet.