Introduction to Network Security
Presented by: Ted Simpson
1/2014
Security Threats
• Malware
  • Virus
  • Spyware
• Information Theft
• Unauthorized Access
• Eavesdropping
• Denial of Service Attacks
The Target Story
• Just a few days before Christmas, Target confirmed that the scenario had unfolded: thieves stole account information by installing malicious software on the retailer’s checkout terminals.
• Security experts said the timing of the breach corresponds with a recent surge of stolen credentials being offered for sale on underground cybercrime forums. "We started to detect that something was afoot on December 11th when [we] detected a massive increase – 10-20x – in availability of high-value stolen cards on black-market sites."
• Hord Tipton, executive director of (ISC)2, said in an emailed statement that attackers likely infected massive numbers of POS terminals with malware. "It's one thing to compromise or affect one machine, but to get all of them begs the question of how this was plotted out in the first place," Tipton said. "How were the hackers so efficient? From what I can tell, it looks like an insider threat – someone on the inside probably helped."
Security Session Overview
• Security Threats and TCP/IP
  • Protocols and Addressing
• Security Protocols and Devices
  • Routers, Firewalls, and WAPs
• Break
• Software Security Measures
  • Anti-virus options, Wireless security, Windows, Email security
• Security Policies and User Procedures
Introducing TCP/IP
• Designed in the 1960s by DOD, NASA and research centers.
• Originally called ARPANET.
• Provided a reliable and flexible communication system.
• In today’s Internet world, TCP/IP is not a secure protocol.
• The TCP/IP model consists of 4 layers:
  • Application
  • Transport
  • Internet
  • Network Interface
• Each layer presents certain security risks.
Application Layer
• Consists of client and server software
  • Clients make requests – Internet browsers
  • Servers process requests – web server, FTP server
• Each service and client is assigned a port number
  • Web servers – Port 80; Telnet – Port 22
  • Email servers – Port 25; FTP – Ports 20-21
• The underlying Transport layer uses either a TCP or UDP port number to deliver packets to the correct application.
• Many application services send data and authentication information in clear text – no encryption.
Application Layer Threats
• Hackers using packet sniffer software can read packets.
• Spoofing – fake sites
  • Links embedded in web sites or emails
  • DNS poisoning
• Malware
  • A virus may infect the browser or email client
  • DNS modification may lead to a spoofed site
  • Worms may spread themselves using open ports and software security flaws
  • Spyware may send data to hacker sites
Transport or Host-to-Host Layer
• UDP
  • Connectionless
  • Used in streaming audio and video
  • Can be used by hackers to create a Denial of Service attack that floods and overloads a service by focusing large streams of UDP packets at the server
• TCP
  • Connection oriented (no encryption)
  • Used by HTTP, FTP, and email
  • Acknowledges packet delivery using sequence numbers and acknowledgment packets (more overhead)
Transport Layer Security Risks
• Denial of Service attacks
  • Flood attacks: the hacker continuously sends ACK packets without actually opening a session, bringing down the host through overloading.
  • Hijacking attack: the hacker intercepts packets and then responds to the host using the sequence number of the original client, taking over the session.
• Best defense is firewalls and recognizing the symptoms of the attack.
Common Port Numbers
• One way to help secure the network is to use a firewall to block insecure or unneeded port numbers – called packet filtering.
• Port 3389 is used by Remote Desktop on Windows.
Network Layer – Internet
• Routers use IP addresses to route packets between networks
• Uses the ICMP protocol to exchange messages
• Security threats
  • IP Spoofing – the IP address of a packet is changed by the hacker to a valid or different address
  • ICMP Tunneling – uses ICMP packets to encapsulate transmission between hosts
  • Smurf Attack – uses ICMP to send packets and overload the network
  • Ping of Death – uses ICMP to send extra-large packets
• Best defense is to use firewalls to block ICMP traffic
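The transport-layer and network-layer threats on the last two slides (UDP floods, ACK floods against hosts with no open session, oversized ICMP "ping of death" datagrams, and Smurf-style echo requests aimed at a broadcast address) all leave a recognizable signature in a packet log, which is what the slides mean by "recognizing the symptoms of the attack". The following Python sketch of a tiny detection sensor is an added example, not part of the presentation: the `Packet` record, the thresholds and the sample capture are all constructed for illustration, and a real IDS would read these fields from a capture file rather than from a list.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet record; the fields are the minimum a sensor would log (constructed)."""
    ts: float          # capture time in seconds
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0     # destination port (tcp/udp only)
    flags: str = ""    # TCP flags as letters, e.g. "S" (SYN), "A" (ACK), "SA"
    length: int = 64   # total IP length after reassembly, in bytes


# Thresholds are assumptions chosen for this toy sensor, not measured values.
UDP_FLOOD_PPS = 100        # UDP packets/second from one source to one service
ACK_FLOOD_COUNT = 50       # ACKs from a source that never started a handshake
MAX_IP_LEN = 65535         # largest legal IP datagram; anything bigger is a "ping of death"


def detect(packets):
    """Return a list of (alert, src, dst) tuples for the threats named on the slides."""
    alerts = []
    udp_rate = Counter()       # (src, dst, dport, second) -> packet count
    syn_seen = set()           # (src, dst, dport) for which a SYN was observed
    orphan_acks = Counter()    # (src, dst) -> ACKs with no preceding SYN
    for p in packets:
        if p.proto == "udp":
            udp_rate[(p.src, p.dst, p.dport, int(p.ts))] += 1
        elif p.proto == "tcp":
            if "S" in p.flags and "A" not in p.flags:
                syn_seen.add((p.src, p.dst, p.dport))          # session being opened
            elif "A" in p.flags and (p.src, p.dst, p.dport) not in syn_seen:
                orphan_acks[(p.src, p.dst)] += 1               # flood-style ACK
        elif p.proto == "icmp":
            if p.length > MAX_IP_LEN:
                alerts.append(("ping_of_death", p.src, p.dst))
            if p.dst.endswith(".255"):
                # Smurf amplification sends echo requests to a broadcast address
                alerts.append(("smurf_broadcast_echo", p.src, p.dst))
    for (src, dst, dport, _sec), n in udp_rate.items():
        if n >= UDP_FLOOD_PPS:
            alerts.append(("udp_flood", src, f"{dst}:{dport}"))
    for (src, dst), n in orphan_acks.items():
        if n >= ACK_FLOOD_COUNT:
            alerts.append(("ack_flood", src, dst))
    return alerts


def sample_traffic():
    """Constructed capture: one normal web session followed by the four attack patterns."""
    pkts = [Packet(1.0, "tcp", "10.0.0.5", "10.0.0.1", 80, "S"),
            Packet(1.1, "tcp", "10.0.0.5", "10.0.0.1", 80, "A")]
    pkts += [Packet(5.0 + i / 1000, "udp", "203.0.113.9", "10.0.0.1", 53) for i in range(150)]
    pkts += [Packet(6.0 + i / 1000, "tcp", "198.51.100.7", "10.0.0.1", 80, "A") for i in range(60)]
    pkts.append(Packet(7.0, "icmp", "198.51.100.8", "10.0.0.1", length=70000))
    pkts.append(Packet(7.5, "icmp", "198.51.100.8", "10.0.0.255"))
    return pkts


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)
```

The normal session (SYN, then ACK) produces no alert, which is the point of tracking SYNs: an ACK is only suspicious when no handshake preceded it. The UDP counter is keyed per second so a long, slow stream is not mistaken for a flood.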
Public and Private Addresses
• Private addresses are not directly routable on the Internet
• They require some sort of Network Address Translation (NAT) to connect private network devices to the Internet
  • SNAT
  • PAT
• Used on private networks.
Network Address Translation
• Helps prevent hackers from gaining access to machines on the internal network.
• Machines are still vulnerable if they are infected with some type of spyware or zombie software.
Subnetting
• Subnet mask: 255.255.255.0
• Packet destination: 172.16.2.5
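To make the subnetting slide and the private-address slides before it concrete, here is an added Python example (not from the presentation) that applies the slide's mask 255.255.255.0 to the destination 172.16.2.5, decides whether a sending host delivers directly or via its router, and checks whether the packet needs NAT to leave the private network. The sending host 172.16.1.10 and its gateway 172.16.1.1 are constructed for the demonstration.

```python
import ipaddress


def network_of(addr, mask):
    """Apply the subnet mask: the network address is the bitwise AND of address and mask."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def prefix_length(mask):
    """255.255.255.0 -> 24: the prefix length is the number of one-bits in the mask."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def same_subnet(local, dest, mask):
    return network_of(local, mask) == network_of(dest, mask)


def next_hop(local, dest, mask, gateway):
    """A host delivers directly when the destination shares its subnet;
    otherwise it hands the packet to its default gateway (the router)."""
    return dest if same_subnet(local, dest, mask) else gateway


def is_private(addr):
    """RFC 1918 space (10/8, 172.16/12, 192.168/16) is not routable on the Internet.
    (Python's is_private also covers loopback and other reserved blocks.)"""
    return ipaddress.IPv4Address(addr).is_private


def nat_required(src, dst):
    """A private source reaching a public destination must be translated by NAT."""
    return is_private(src) and not is_private(dst)


if __name__ == "__main__":
    MASK = "255.255.255.0"                          # from the slide
    DEST = "172.16.2.5"                             # from the slide
    LOCAL, GATEWAY = "172.16.1.10", "172.16.1.1"    # constructed sender and its router
    print("network:", network_of(DEST, MASK), "/", prefix_length(MASK))
    print("next hop from", LOCAL, "->", next_hop(LOCAL, DEST, MASK, GATEWAY))
    print("NAT needed for", DEST, "to reach 8.8.8.8:", nat_required(DEST, "8.8.8.8"))
```

With a /24 mask the host 172.16.1.10 and the destination 172.16.2.5 fall into different networks (172.16.1.0 versus 172.16.2.0), so the packet goes to the gateway; and because 172.16.2.5 is in the 172.16.0.0/12 private block, any conversation it has with a public address has to pass through NAT.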
IPv6
• New Internet layer
• Creates a parallel network independent of IPv4
• Supports existing Transport and Application protocols
• Advantages:
  • Better network security
  • Includes IPSec encryption
  • Improved prioritization
  • Unlimited address range
IPv6 Address Format
• Not compatible with IPv4
• 128-bit address
• 8 16-bit fields, each written as 4 hex digits (0 – F), separated by colons.
• Leading zeros are unnecessary
• :: may be used to specify a number of zero-value fields.
  • FF22:00FF:002D:0000:0000:0000:3012:CCE3 =
  • FF22:FF:2D::3012:CCE3
• The substitution of :: for multiple zero-value fields can only be used once.
IPv6 Address Scopes
• Unicast address
  • FE80: … (link-local – packet not routable)
  • FEC0: … (site-local – not routable on the public Internet)
  • 01xx: … through 03xx: … (global Internet)
• Multicast
  • Send to all computers in a multicast group
  • FF0x: … (x represents the multicast group)
• Anycast address
  • Standard unicast address assigned to multiple machines
  • Used with routers to allow the nearest router to accept the packet
  • Packet can be accepted by the first available device
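The two address-format rules (drop leading zeros in each field; replace one run of zero-value fields with `::`, and only once) and the prefix-based scopes from the last two slides can be checked in code. The following Python is an added example, not part of the presentation: it implements the compression rules by hand, cross-checks the result against the standard library's `ipaddress` module, and classifies an address by the same leading prefixes the slide lists (FE80, FEC0, FF0x). Everything that is not one of those prefixes is simply reported as "global" here.

```python
import ipaddress


def expand(addr):
    """Expand to eight zero-padded 4-hex-digit fields (the reverse of compression)."""
    return ipaddress.IPv6Address(addr).exploded.upper()


def compress(addr):
    """Apply the slide's two rules: strip leading zeros per field, then replace the
    single longest run of two or more all-zero fields with '::' (used once only)."""
    fields = [f.lstrip("0") or "0" for f in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < len(fields):
        if fields[i] == "0":
            j = i
            while j < len(fields) and fields[j] == "0":
                j += 1
            if j - i > best_len:          # '>' keeps the first run on a tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:                       # a single zero field is written as "0"
        return ":".join(fields)
    left = ":".join(fields[:best_start])
    right = ":".join(fields[best_start + best_len:])
    return f"{left}::{right}"


def matches_stdlib(addr):
    """True when our compression agrees with ipaddress (which follows RFC 5952)."""
    return compress(addr).lower() == ipaddress.IPv6Address(addr).compressed


def scope(addr):
    """Classify by the leading 16-bit field, matching the prefixes on the slide."""
    first = int(expand(addr).split(":")[0], 16)
    if first >> 8 == 0xFF:              # FF0x:... multicast (FF00::/8)
        return "multicast"
    if first & 0xFFC0 == 0xFE80:        # FE80::/10 link-local, never routed
        return "link-local"
    if first & 0xFFC0 == 0xFEC0:        # FEC0::/10 site-local, not routed on the public Internet
        return "site-local"
    return "global"                     # anything else, e.g. global unicast


if __name__ == "__main__":
    slide_addr = "FF22:00FF:002D:0000:0000:0000:3012:CCE3"    # from the slide
    print(compress(slide_addr), matches_stdlib(slide_addr), scope(slide_addr))
    for a in ("fe80::1", "fec0::5", "ff02::1", "2001:db8::1"):   # constructed samples
        print(a, "->", scope(a))
```

Note that the slide's example address begins with FF22, so by the prefix rule it is a multicast address, and the function reports it as such.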
Summary
• TCP/IP consists of 4 major protocol layers.
• TCP/IP protocols were not designed to deal with today’s security needs.
• IPv4 addresses consist of four dotted decimal numbers divided into public and private address classes.
• IPv6 supports better security and much larger address ranges.
• Additional software and hardware are necessary to secure Internet connections:
  • Firewalls and encryption
Network Technology
• Network layer hardware
  • Hubs, Switches and WAPs
• Firewalls
• Proxy Servers
Switches vs Hubs
• Switches are more secure than older hubs.
  • Hubs send packets to all ports.
  • Switches direct packets based on the destination MAC address.
• This reduces access to network packets by sniffers.
Packet Sniffers and Port Scanners
• A packet sniffer connects to a wired or wireless network and captures data packets as they traverse the network.
  • Packet sniffers are most effective on wireless networks and simple hubs.
  • Best defense is using switches, VLANs, and encryption.
• Port scanners send packets to specific network addresses in an attempt to communicate with an application that is listening on an open port.
  • Best defense:
    • Keep the applications and Windows up-to-date with the latest patches.
    • Use firewalls to restrict access to known secure ports.
VLANs
• VLANs allow individual switch ports to be configured independently.
• Ports on a single switch can belong to different networks based on security and performance rather than physical equipment.
• Increase security by separating network traffic into different broadcast zones.
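The three preceding slides make one argument: a hub repeats every frame to every port, a switch learns which port each MAC address lives on and forwards only there, and VLANs confine even the flooded frames (broadcasts and unknown destinations) to one group of ports. The Python model below is an added example, not from the presentation; the port layout, MAC addresses and frame sequence are constructed so that a sniffer on port 3 can be compared on both devices.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return sorted(self.ports - {in_port})


class Switch:
    """A learning switch whose ports are access ports in a single VLAN each."""
    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port -> VLAN id
        self.mac_table = {}                  # (vlan, mac) -> port, learned from source addresses

    def forward(self, in_port, src_mac, dst_mac):
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src_mac)] = in_port     # learn where the sender lives
        known = self.mac_table.get((vlan, dst_mac))
        if dst_mac == BROADCAST or known is None:
            # Broadcast or unknown unicast: flood, but only to ports in the same VLAN
            return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)
        return [known]


def sniffer_sees(device, frames, sniffer_port):
    """Count how many of the frames reach a sniffer plugged into sniffer_port."""
    return sum(sniffer_port in device.forward(*f) for f in frames)


# Constructed scenario: hosts A and B on VLAN 10 (ports 1, 2); the sniffer and host C
# sit on VLAN 20 (ports 3, 4).
MAC_A, MAC_B = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
FRAMES = [(1, MAC_A, MAC_B),       # A -> B: B not learned yet, flooded within VLAN 10
          (2, MAC_B, MAC_A),       # B -> A: A already learned, sent to port 1 only
          (1, MAC_A, MAC_B),       # A -> B: now switched to port 2 only
          (1, MAC_A, BROADCAST)]   # A broadcasts (e.g. an ARP request)


def demo():
    """Frames seen by the sniffer on port 3 for (hub, switch with VLANs)."""
    hub = Hub([1, 2, 3, 4])
    sw = Switch({1: 10, 2: 10, 3: 20, 4: 20})
    return sniffer_sees(hub, FRAMES, 3), sniffer_sees(sw, FRAMES, 3)


if __name__ == "__main__":
    print("frames reaching the sniffer on port 3 (hub, switch+VLAN):", demo())
```

On the hub the sniffer receives all four frames; on the VLAN-aware switch it receives none, not even the broadcast, because port 3 is outside VLAN 10. Without the VLAN split the sniffer would still have received the first frame and the broadcast, which is why the slides pair switches with VLANs and encryption rather than relying on switching alone.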
Wireless Access Points
• Function as switch, router, and firewall
• Wireless transmissions are easily intercepted and must be encrypted
• Encryption methods
  • WEP
    • Provides a password to prevent unauthorized access
    • Encryption is easily broken
  • WPA and WPA2
    • Improved encryption
    • WPA2 is the best if supported by the wireless devices
Wireless Configuration
• Set the administrative password
• Set a unique SSID
• Pick an unused channel range
• Consider WAP location to reduce outside access
• Set the security encryption type to WPA2 when possible
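The checklist on this slide and the encryption comparison on the previous one can be turned into a small configuration audit. The Python below is an added example, not from the presentation: `audit_wap` takes a dictionary representing a WAP's settings and reports each item that fails the slides' advice. The lists of factory default passwords and SSIDs, the two sample configurations, and the field names are all constructed for illustration; the channel check uses the fact that 2.4 GHz channels are 5 MHz apart but about 20 MHz wide, so channels fewer than five apart overlap.

```python
# Constructed lists of factory-style values; a real audit would use the vendor's known defaults.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}


def audit_wap(cfg):
    """Return the list of findings for a WAP configuration dict; an empty list passes."""
    findings = []
    if cfg.get("admin_password", "").lower() in DEFAULT_PASSWORDS:
        findings.append("administrative password is blank or a factory default")
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default")
    enc = cfg.get("encryption", "none").upper()
    if enc == "NONE":
        findings.append("wireless traffic is not encrypted")
    elif enc == "WEP":
        findings.append("WEP encryption is easily broken; use WPA2")
    elif enc == "WPA":
        findings.append("WPA in use; prefer WPA2 if the devices support it")
    # 2.4 GHz channels sit 5 MHz apart but are ~20 MHz wide, so channels closer
    # than 5 apart overlap; the classic non-overlapping set is 1, 6 and 11.
    ch = cfg.get("channel")
    neighbours = cfg.get("neighbour_channels", [])
    if ch is not None and any(abs(ch - n) < 5 for n in neighbours):
        findings.append("channel overlaps with a neighbouring network")
    return findings


# Constructed sample configurations: one out-of-the-box, one following the slide.
WEAK = {"admin_password": "admin", "ssid": "linksys", "encryption": "WEP",
        "channel": 6, "neighbour_channels": [1, 6, 11]}
HARDENED = {"admin_password": "Example-Str0ng-Passphrase!", "ssid": "ts-office-5f",
            "encryption": "WPA2", "channel": 1, "neighbour_channels": [6, 11]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", audit_wap(cfg) or "OK")
```

The weak configuration trips all four checks; the hardened one, which changes the password and SSID, selects WPA2 and moves to channel 1 while the neighbours occupy 6 and 11, produces no findings.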
Firewalls
• Device or software that sits between the application and the Internet.
• Firewalls can block traffic by port number or identify potentially malicious network activity.
• Can block traffic by protocol, such as ICMP.
• A Wireless Access Point can serve as a firewall.
Types of Firewalls
• Packet-filtering firewall (screening firewall)
  • Simplest firewall
  • Blocks traffic into the LAN
    • Checks for IP address, port number, IP header flags
  • Blocks traffic attempting to exit the LAN
    • Stops spread of worms
    • Stops zombie programs/spyware
  • Based on TCP or UDP port numbers
    • Prevents connection to and transmission completion through ports
  • Built into Wireless Access Points and Windows
Advanced Firewall Functions
• Stateless firewall – blocks individual packets
  • Access Control Lists (ACL) permit or deny traffic according to variables:
    • Network layer protocol (IP, ICMP)
    • Transport layer protocol (TCP, UDP)
    • Source or destination IP address
    • TCP or UDP port number
• Stateful – monitors the data stream from end to end
• IDS (Intrusion Detection System)
  • Software monitoring traffic – sends alerts for suspicious traffic
• IPS (Intrusion Prevention System)
  • Blocks suspicious traffic
• Requires port mirroring
  • A port configured to send a copy of all traffic to another port for monitoring purposes
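The packet-filtering slides (common port numbers, the screening firewall, and the stateless ACL variables listed just above) describe one mechanism: a list of rules over protocol, source and destination address, and port, evaluated top to bottom with the first match deciding and an implicit deny at the end. The following Python is an added example, not from the presentation, of that evaluation. The ACL, the LAN 192.168.1.0/24 with a web server at .10 and a mail server at .20, and the test packets are all constructed; the port numbers used are the standard assignments (80 HTTP, 25 SMTP, 53 DNS, 3389 Remote Desktop).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "icmp", "tcp" or "udp"
    src: str                      # CIDR; "0.0.0.0/0" means any address
    dst: str
    dport: Optional[int] = None   # TCP/UDP destination port; None means any


def matches(rule, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    return True


def filter_packet(acl, pkt):
    """First matching rule wins; a packet that matches no rule is dropped."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"                 # implicit deny at the end of every ACL


# Constructed perimeter ACL for a LAN 192.168.1.0/24 (web server .10, mail server .20).
# LAN-to-LAN traffic never crosses the firewall, so the rules only see inbound/outbound flows.
LAN, ANY = "192.168.1.0/24", "0.0.0.0/0"
ACL = [
    Rule("permit", "tcp", ANY, "192.168.1.10/32", 80),   # public web server
    Rule("deny", "icmp", ANY, LAN),                      # block inbound ICMP (slide advice)
    Rule("deny", "tcp", ANY, LAN, 3389),                 # no Remote Desktop from outside
    Rule("permit", "tcp", "192.168.1.20/32", ANY, 25),   # only the mail server may send mail...
    Rule("deny", "tcp", LAN, ANY, 25),                   # ...so spam zombies on the LAN cannot
    Rule("permit", "tcp", LAN, ANY, 80),                 # outbound web browsing
    Rule("permit", "udp", LAN, ANY, 53),                 # outbound DNS lookups
]


def evaluate(acl, packets):
    """Apply the ACL to a list of packet dicts, returning one verdict per packet."""
    return [filter_packet(acl, p) for p in packets]


if __name__ == "__main__":
    samples = [  # constructed packets: (description, packet)
        ("inbound web to server", {"proto": "tcp", "src": "8.8.8.8", "dst": "192.168.1.10", "dport": 80}),
        ("inbound RDP to server", {"proto": "tcp", "src": "8.8.8.8", "dst": "192.168.1.10", "dport": 3389}),
        ("outbound mail from PC", {"proto": "tcp", "src": "192.168.1.30", "dst": "8.8.8.8", "dport": 25}),
    ]
    for desc, pkt in samples:
        print(f"{desc:24s} -> {filter_packet(ACL, pkt)}")
```

Rule order matters: the permit for the mail server has to sit above the LAN-wide deny on port 25, or the deny would match first. Since the filter is stateless, it cannot tell a reply from an unsolicited packet; that is what the stateful and IDS/IPS functions on the slide add.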
Proxy Servers
• Proxy service
  • Network host software application
  • Intermediary between external and internal networks
  • Screens all incoming and outgoing traffic
• Proxy server
  • Network host running the proxy service
  • Also called application layer gateway, application gateway, or proxy
  • Manages security at the Application layer
  • Provides caching
Creating a Demilitarized Zone
• The network’s protective perimeter is created by the firewall/router.
• IDS sensors are installed at the network edges.
• WAP port forwarding can be used to create a SOHO (Small Office Home Office) DMZ.
• More later on WAP configurations