Chapter 13 Network Protection Systems
Hands-On Ethical Hacking and Network Defense, Second Edition
Objectives
• After reading this chapter and completing the exercises, you will be able to:
  • Explain how routers are used as network protection systems
  • Describe firewall technology and tools for configuring firewalls and routers
  • Describe intrusion detection and prevention systems and Web-filtering technology
  • Explain the purpose of honeypots
Hands-On Ethical Hacking and Network Defense, Second Edition
Understanding Routers
• Network protection systems
  • Routers
  • Firewalls
  • Intrusion detection and prevention systems
  • Web filtering
  • Honeypots
• Security appliance
  • Single device combining two or more protection functions
Understanding Routing Protocols
• Routers are hardware devices
  • Used to forward packets between different network segments
  • Operate at the network layer of the OSI model
• Routing protocols
  • Link-state routing protocol
    • Each router advertises the state of its own links to every other router, so each router can build a map of the whole topology (OSPF is the common example)
  • Distance-vector routing protocol
    • Each router passes its routing table to its neighboring routers (RIP is the common example)
  • Path-vector routing protocol
    • Each router advertises the full path (sequence of autonomous systems) to a destination, and those paths are updated dynamically (BGP is the common example)
• Security note: a router that accepts unauthenticated routing updates can be fed bogus routes, so enable neighbor authentication where the protocol supports it
Understanding Basic Hardware Routers
• Cisco routers
  • Widely used in the networking community
  • Millions are used by companies around the world
  • Cisco IOS has vulnerabilities, as any OS does
• Security professionals must identify the router type and software version when conducting a security test
Cisco Router Components
• Random access memory (RAM)
  • Holds the router's running configuration, routing tables, and buffers
  • Contents are erased when the router is powered off
• Nonvolatile RAM (NVRAM)
  • Holds the router's startup configuration file
  • Contents are not lost when the router is powered off
• Flash memory
  • Holds the IOS image the router is running
  • Rewritable, so the IOS can be upgraded
Cisco Router Components (cont'd.)
• Read-only memory (ROM)
  • Contains a minimal version of IOS
  • Used to boot the router if flash memory becomes corrupted
• Interfaces
  • Hardware connection points; the components of most concern in a security test, because they are where traffic enters and leaves the router
  • An Ethernet port is an interface that connects to a LAN
Cisco Router Configuration
• Configuration modes
  • User mode
    • Administrator can perform basic troubleshooting tests and list information stored on the router
    • Indicated by the router name followed by >
    • Default mode after logging in
  • Privileged mode
    • Entered from user mode with the enable command (and the enable password or secret)
    • Administrator can perform full router configuration tasks
    • Indicated by the router name followed by #
Cisco Router Configuration (cont'd.)
• Modes used to configure the router (entered from privileged mode)
  • Global configuration mode (configure terminal)
    • Configure settings that affect the operation of the router as a whole
  • Interface configuration mode (interface <name>, entered from global configuration mode)
    • Administrator can configure a single interface on the router
Table 13-1 Cisco commands
Understanding Access Control Lists
• Several types of access control lists exist
• This section focuses on IP access lists
  • List the IP addresses, subnets, or networks allowed or denied access through a router's interface
• Cisco router access lists
  • Standard IP access lists
  • Extended IP access lists
Standard IP Access Lists
• Can restrict IP traffic entering or leaving a router's interface based on the source IP address only
• To stop traffic from Network 3 (173.110.0.0/16) from entering Network 1, the access list looks like this:
    access-list 1 deny 173.110.0.0 0.0.255.255
    access-list 1 permit any
• How to read it
  • 0.0.255.255 is a wildcard mask (the inverse of a subnet mask): 0 bits must match, 1 bits are ignored
  • Entries are evaluated top down and the first match wins; every access list ends with an implicit deny any, so the permit any line is required or all other traffic is dropped too
  • A list does nothing until it is applied to an interface, for example with ip access-group 1 in (or out) in interface configuration mode
Figure 13-1 Applying access lists to router interfaces
Extended IP Access Lists
• Restrict IP traffic entering or leaving an interface based on:
  • Source IP address
  • Destination IP address
  • Protocol type (IP, TCP, UDP, ICMP, and so on)
  • Application port number
• Configuration
  • Similar to configuring a standard IP access list, but each entry names the protocol, source, destination, and optionally a port
  • Numbered 100 to 199 (standard lists use 1 to 99)
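The following evaluator shows how a router actually applies the two kinds of list described above: wildcard-mask matching, top-down first-match evaluation, and the implicit deny at the end. It is an added example written for this page, not code from the textbook or from Cisco; it handles only the numbered-list syntax shown in the chapter (any, host, network plus wildcard, and an optional eq port on extended entries), and the access-list text it parses is constructed for the demonstration.

```python
"""Evaluate Cisco-style numbered IP access lists against sample packets.
Added example (not from the textbook): supports 'any', 'host A.B.C.D',
'A.B.C.D wildcard' and an optional 'eq <port>' on extended entries."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "ssh": 22, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")   # network + wildcard that matches every address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "tcp", "udp", "icmp" or "ip"
    dport: Optional[int] = None


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask must match; a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (spec, tokens used)."""
    if tokens[0] == "any":
        return ANY, 1
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), 2
    return (tokens[0], tokens[1]), 2


def parse_acl(config_lines, number):
    """Collect the entries of one numbered list, in the order they appear."""
    rules = []
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or int(t[1]) != number:
            continue
        action, rest = t[2], t[3:]
        if number <= 99:                     # standard list: source address only
            src, _ = _parse_addr(rest)
            rules.append({"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None})
        else:                                # extended list: proto src dst [eq port]
            proto = rest[0]
            src, n = _parse_addr(rest[1:])
            dst, m = _parse_addr(rest[1 + n:])
            tail = rest[1 + n + m:]
            dport = None
            if len(tail) >= 2 and tail[0] == "eq":
                dport = int(tail[1]) if tail[1].isdigit() else PORT_NAMES[tail[1]]
            rules.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return rules


def _matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    return wildcard_match(pkt.src, *rule["src"]) and wildcard_match(pkt.dst, *rule["dst"])


def evaluate(rules, pkt):
    """Return 'permit' or 'deny'. First matching entry wins; no match means deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"]
    return "deny"   # the implicit 'deny any' at the end of every access list


# Constructed sample configuration: the chapter's standard list plus an
# extended list that exposes only HTTP and HTTPS on one Web server.
CONFIG = """\
access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any
access-list 101 permit tcp any host 10.1.1.5 eq 80
access-list 101 permit tcp any host 10.1.1.5 eq 443
access-list 101 deny ip any any
""".splitlines()

ACL_1 = parse_acl(CONFIG, 1)
ACL_101 = parse_acl(CONFIG, 101)

if __name__ == "__main__":
    for pkt in (Packet("173.110.5.9", "10.1.1.5", "tcp", 80),
                Packet("192.0.2.4", "10.1.1.5", "tcp", 80)):
        print("ACL 1  ", pkt, "->", evaluate(ACL_1, pkt))
    for pkt in (Packet("192.0.2.4", "10.1.1.5", "tcp", 80),
                Packet("192.0.2.4", "10.1.1.5", "tcp", 22),
                Packet("192.0.2.4", "10.1.1.6", "tcp", 80)):
        print("ACL 101", pkt, "->", evaluate(ACL_101, pkt))
```

Two things worth noticing when you run it: the standard list never looks at the destination or port, so it can only block a whole source range; and removing the permit any line from list 1 drops everything, because the evaluator (like IOS) falls through to the implicit deny.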
Understanding Firewalls
• Hardware firewalls
  • Dedicated devices with embedded OSs
  • Control all traffic entering the internal network
  • Control traffic leaving the internal network
• Hardware firewall advantages
  • Usually faster than software firewalls
  • Can handle larger throughput than software firewalls
• Hardware firewall disadvantage
  • You are locked into the firewall's hardware
Understanding Firewalls (cont'd.)
• Software firewall advantage
  • NICs are easily added to the server running the firewall software
• Software firewall disadvantages
  • Configuration problems
  • Rely on the underlying OS, so that OS must be hardened and patched as well
• Astaro is one example of a software firewall product
Understanding Firewall Technology
• Technologies include:
  • Network address translation
  • Access lists
  • Packet filtering
  • Stateful packet inspection
  • Application layer inspection
Network Address Translation
• Often described as the most basic security feature of a firewall
  • Internal private IP addresses are mapped to public external IP addresses
  • Hides the internal addressing scheme from outsiders
  • Caveat: NAT hides addresses but does not filter traffic; it is not a substitute for access lists or stateful inspection
• Port Address Translation (PAT)
  • Derived from NAT
  • Allows thousands of internal IP addresses to share one external IP address by rewriting the source port of each connection
Access Lists
• Used to filter traffic based on:
  • Source IP address
  • Destination IP address
  • Ports or services
• Firewalls also use this technology
• Creating access lists in a firewall
  • Similar to creating them in a router
Packet Filtering
• Packet filters
  • Screen packets based on information contained in the packet header
    • Protocol type
    • IP address
    • TCP/UDP port
Stateful Packet Inspection
• Records session-specific information about each network connection in a state table
• Packets that do not belong to a connection in the state table are dropped
  • Port scans that rely on spoofed packets, or on sending packets that pretend a three-way handshake has already completed (such as ACK scans), are made ineffective
• Stateful packet filters
  • Recognize anomalies that most routers ignore
• Stateless packet filters, by contrast
  • Handle each packet on an individual basis, with no memory of earlier packets
  • So they are not resistant to spoofing or DoS attacks
Table 13-2 State table example
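To make the difference between the two filter types concrete, here is a small state-table model, written for this page as an added example (it is not the textbook's code and it does not model any particular vendor's implementation). It tracks a single outbound TCP handshake the way the state table above does, then feeds both a stateless "established" rule and the stateful filter an ACK-scan probe that no inside host ever asked for. The addresses and the 10.0.0.0 inside prefix are constructed for the demonstration.

```python
"""Stateless vs stateful filtering of an ACK-scan probe.
Added example (not from the textbook). Assumes the inside network is 10.0.0.0/24."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed: addresses starting with this are inside hosts


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # e.g. frozenset({"SYN"}), frozenset({"SYN", "ACK"})


def from_inside(p: Pkt) -> bool:
    return p.src.startswith(INTERNAL_PREFIX)


def stateless_filter(p: Pkt) -> str:
    """Classic stateless rule set: anything outbound is allowed, and an inbound
    packet is allowed if it *claims* to belong to an established session (ACK set).
    The filter has no memory, so it cannot tell a reply from a forged ACK probe."""
    if from_inside(p):
        return "permit"
    return "permit" if "ACK" in p.flags else "deny"


class StatefulFilter:
    """Keeps a state table keyed by (inside ip, inside port, outside ip, outside port).
    Only inside hosts may open sessions; inbound packets must match an existing entry."""

    def __init__(self):
        self.table = {}

    def _key(self, p: Pkt):
        if from_inside(p):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p: Pkt) -> str:
        key = self._key(p)
        state = self.table.get(key)
        if from_inside(p):
            if state is None and p.flags == {"SYN"}:          # new outbound session
                self.table[key] = "SYN_SENT"
                return "permit"
            if state == "SYN_ACK_SEEN" and "ACK" in p.flags:  # handshake completes
                self.table[key] = "ESTABLISHED"
                return "permit"
            if state == "ESTABLISHED":
                if "FIN" in p.flags or "RST" in p.flags:
                    del self.table[key]
                return "permit"
            return "deny"
        # Inbound: without a matching state entry the packet is unsolicited
        # (ACK-scan probe, spoofed reply, stray SYN-ACK) and is dropped.
        if state is None:
            return "deny"
        if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_ACK_SEEN"
            return "permit"
        if state == "ESTABLISHED":
            if "FIN" in p.flags or "RST" in p.flags:
                del self.table[key]
            return "permit"
        return "deny"


def run_scenario() -> dict:
    """Constructed traffic: one legitimate outbound Web session, then an ACK-scan
    probe and an unsolicited SYN-ACK from an outside scanner."""
    fw = StatefulFilter()
    F = lambda *fl: frozenset(fl)
    syn = Pkt("10.0.0.5", 40000, "198.51.100.7", 80, F("SYN"))
    synack = Pkt("198.51.100.7", 80, "10.0.0.5", 40000, F("SYN", "ACK"))
    ack = Pkt("10.0.0.5", 40000, "198.51.100.7", 80, F("ACK"))
    probe = Pkt("203.0.113.9", 55555, "10.0.0.5", 22, F("ACK"))          # ACK-scan probe
    bogus = Pkt("203.0.113.9", 80, "10.0.0.5", 40001, F("SYN", "ACK"))   # nobody asked for this
    results = {
        "handshake": [fw.process(syn), fw.process(synack), fw.process(ack)],
        "ack_scan_stateless": stateless_filter(probe),
        "ack_scan_stateful": fw.process(probe),
        "unsolicited_synack": fw.process(bogus),
        "sessions_in_table": len(fw.table),
    }
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The stateless rule lets the probe through, so the inside host answers it with a RST and the scanner learns which ports are unfiltered; the stateful filter drops it because no entry in the state table matches, which is exactly why the slide says such scans become ineffective.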
Application Layer Inspection
• Inspects network traffic at a higher level of the OSI model
• Verifies that the traffic on a port really is the application protocol a rule allows (for example, that traffic on TCP port 80 is HTTP)
• Some application-aware firewalls act as a proxy for all connections
  • Provides a safety net for servers or clients (or both)
  • Which one depends on the firewall
Implementing a Firewall
• Relying on a single firewall between a company's internal network and the Internet, with public-facing servers on the internal side, is dangerous
  • Leaves the company open to attack if a hacker compromises the firewall or one of those servers
• Use a demilitarized zone instead
  • Adds a layer of defense
Demilitarized Zone
• Small network
  • Contains resources a company wants available to Internet users
  • Helps maintain security on the internal network
  • Sits between the Internet and the internal network
• Sometimes referred to as a "perimeter network"
Figure 13-2 A DMZ protecting an internal network
Figure 13-3 An additional firewall used to protect the DMZ
Understanding the Cisco Adaptive Security Appliance Firewall
• Cisco Adaptive Security Appliance (ASA) firewall
  • One of the most widely used firewalls
  • Replaced the PIX firewall
  • Added advanced modular features
    • Intrusion detection and prevention
    • More sophisticated application layer inspection
Configuring the ASA Firewall
• Logon prompt is similar to a Cisco router's
• Prompt:
    If you are not authorized to be in this XYZ Hawaii network device, log out immediately!
    Username: admin
    Password: ********
  • The warning banner serves a legal purpose
• Prompt after a successful logon (user mode, shown by the > character):
    Type help or '?' for a list of available commands.
    ciscoasa>
Configuring the ASA Firewall (cont'd.)
• Enter enable and the enable password to move from user mode to privileged mode
  • The prompt changes from ciscoasa> to ciscoasa#
• To enter configuration mode, use the same command as on a Cisco router:
    configure terminal (or configure t)
• Access lists
  • Used to filter traffic, as on a router
Using Configuration and Risk Analysis Tools for Firewalls and Routers
• Center for Internet Security (CIS)
  • One of the best Web sites for finding configuration benchmarks and configuration assessment tools
• Benchmark
  • Industry consensus on best configuration practices
  • Cisco routers: CIS Cisco IOS Benchmark
  • Cisco ASA firewalls: CIS Benchmark for Cisco Firewall Devices
• Router Audit Tool (RAT)
  • Checks a router configuration against the benchmark
  • Faster and easier to use than reviewing the configuration by hand
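The kind of check a benchmark tool automates is easy to reproduce for a handful of well-known IOS hardening items. The script below is an added example written for this page (it is not RAT, not a CIS tool, and not the textbook's code): it parses a running-config into top-level commands and indented line blocks, then flags the weak settings. The two configurations it audits are constructed, and the fake enable secret hash is a placeholder.

```python
"""Audit a Cisco IOS running-config for a few common hardening items.
Added example (not RAT or any CIS tool). The configs below are constructed."""
import re


def parse_ios_config(text):
    """Return (top-level commands, {block header: [child commands]}).
    Child commands are the indented lines under 'line ...' or 'interface ...'."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if line.startswith(("line ", "interface ")) else None
        if current is not None:
            blocks[current] = []
    return top, blocks


def audit(text):
    """Return a list of finding identifiers; an empty list means every check passed."""
    top, blocks = parse_ios_config(text)
    findings = []

    def has(cmd):
        return any(l == cmd or l.startswith(cmd + " ") for l in top)

    if not has("enable secret"):                 # privileged-mode password must be hashed
        findings.append("enable-secret-missing")
    if has("enable password"):                   # reversible (or clear-text) enable password
        findings.append("enable-password-in-use")
    if not has("service password-encryption"):   # line passwords stored in clear text
        findings.append("password-encryption-off")
    if has("ip http server"):                    # clear-text management interface
        findings.append("http-server-enabled")
    if not has("no ip source-route"):            # source-routed packets can bypass ACL intent
        findings.append("source-routing-allowed")
    if not any(re.match(r"logging (host )?\d+\.", l) for l in top):
        findings.append("no-syslog-host")
    for l in top:
        m = re.match(r"snmp-server community (\S+)", l)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append("snmp-default-community")

    for name, children in blocks.items():        # remote-access (vty) line checks
        if not name.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append(f"{name}: telnet-or-all-transport")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{name}: no-access-class")
        if not any(c == "login" or c.startswith("login ") for c in children):
            findings.append(f"{name}: login-not-required")
    return findings


# Constructed: a typical out-of-the-box style configuration
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
ip http server
snmp-server community public RO
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed: the same router after the items above are fixed
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$fake$placeholderhashvalue
no ip source-route
no ip http server
logging 10.0.0.50
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg) or ["no findings"])
```

The checks are deliberately presence-based, which is how benchmark tools work too: they can only reason about what the configuration says, so a setting that is secure by default (and therefore absent from the config) needs its own rule, and the tool cannot tell you whether the IOS image itself is patched.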
Using Configuration and Risk Analysis Tools for Firewalls and Routers (cont'd.)
• RedSeal
  • Unique network risk analysis and mapping tool
  • Identifies configuration vulnerabilities in routers or firewalls
  • Generates professional-looking reports
  • Analyzes IPS and OS vulnerability scans
  • Shows a graphical representation of the vulnerabilities discovered
Figure 13-4 The RedSeal network risk map
Understanding Intrusion Detection and Prevention Systems
• Monitor network devices and traffic
  • Security administrators can identify attacks in progress and stop them
• Intrusion detection system (IDS)
  • Examines traffic and compares it with known exploits
  • Similar to antivirus software using a signature file to identify viruses
• Intrusion prevention system (IPS)
  • Similar to an IDS
  • Also performs an action to prevent the intrusion
Network-Based and Host-Based IDSs and IPSs
• Network-based IDSs/IPSs
  • Monitor activity on network segments
  • Sniff traffic and alert if something suspicious occurs
• Host-based IDSs/IPSs
  • Used to protect a critical network server or database server
  • Software is installed on the server you are attempting to protect
Network-Based and Host-Based IDSs and IPSs (cont'd.)
• IDSs are also categorized by how they react when they detect suspicious behavior
  • Passive systems
    • Don't take preventative action
    • Send out an alert and log the activity
  • Active systems
    • Log events and send out alerts
    • Can also interoperate with routers and firewalls (for example, to block the offending source)
Network-Based and Host-Based IDSs and IPSs (cont'd.)
• Vendors have started focusing on IPSs
  • A true network-based IPS is installed inline with the network infrastructure
    • Traffic has to pass through the IPS before going into or out of the network
    • More capable of stopping malicious traffic, but an inline device that fails or is overloaded also affects availability
  • Host-based IPSs operate at the OS (or kernel) level
    • Intercept traffic and actions not allowed by the host policy
Network-Based and Host-Based IDSs and IPSs (cont'd.)
• Network-based IDSs and IPSs are further categorized by the way they detect attacks
  • Signature detectors
    • Detect malicious activity by using a database of known attack signatures
    • Miss attacks that have no signature yet
  • Anomaly detectors
    • Use a baseline of normal activity and send an alert if activity deviates significantly from it
    • Can catch unknown attacks but produce false positives when legitimate activity changes
Table 13-3 Intrusion detection and prevention systems
Web Filtering
• Statistically, firewalls and IPSs do a good job of protecting a network from inbound Internet attacks
• Attackers know this
  • So they use the least restricted pathway through the firewall: outbound connections
  • Target the devices that are automatically allowed out of the network: user workstations
  • Get an internal user to visit a bogus Web site or install malicious code from an e-mail attachment
  • No need to break through the firewall; the victim's workstation connects out to the attacker
• Firewall application layer inspection might not detect this kind of attack, because the traffic looks like ordinary outbound Web browsing
Web Filtering (cont'd.)
• Web filtering is used to detect users' attempts to access malicious Web sites and block them
• Some Web filters also block malicious code
  • Before it gets to a user's workstation
  • Before it connects to an attacker's control system outside the network
• Mass compromises of legitimate Web sites are used to stage drive-by downloads
  • Web site visitors download malicious code without their knowledge
Security Incident Response Teams
• Large organizations with sensitive or critical data
  • Normal administrative expertise isn't enough to do:
    • Follow-up and damage assessment
    • Risk remediation and legal consultation
• Security incident response team (SIRT)
  • Permanent team
    • Responsible solely for security-response functions
  • Ad hoc team
    • Members normally have other roles
    • Called in response to a specific incident
Understanding Honeypots
• Honeypot
  • Computer placed on the network perimeter
  • Contains information to lure and trap hackers
  • Deliberately configured to have vulnerabilities
  • Keeps hackers connected long enough that they can be traced back
  • Serves as an excellent data collector and early warning system: no legitimate user has a reason to touch it, so any connection is suspect
• Honeyd (honeyd.org) is a well-known open-source example
How Honeypots Work
• A honeypot appears to have important data or sensitive information stored on it
  • Could store fake financial data
• Hackers spend time attacking the honeypot
  • Stop looking for real vulnerabilities
  • Enables security staff to collect data on the attackers and their tools
• Available honeypots
  • Commercial and open-source
• Virtual honeypots
  • Created in software rather than on dedicated hardware, either written in a programming language or emulated by a tool such as Honeyd
Table 13-4 Commercial honeypots
Table 13-5 Open-source honeypots
Summary
• Network protection systems
  • Routers, firewalls, IDSs, IPSs, Web filters, and so on
• Routers
  • Use access lists to accept or deny traffic
• Firewalls
  • Can be hardware devices or software installed on computer systems
  • Use NAT, packet filtering, access control lists, stateful packet inspection, and application layer inspection
Summary (cont'd.)
• DMZ
  • Small network containing resources that sits between the Internet and the internal network
• Intrusion detection systems
  • Monitor network traffic
  • Network-based IDSs
    • Monitor activity on network segments
  • Host-based IDSs
    • Protect a critical network server or database server
Summary (cont'd.)
• Passive IDSs
  • Don't take any action or prevent an activity from continuing
• Active IDSs
  • Log, send alerts, and interoperate with routers and firewalls
• Intrusion prevention systems (IPSs)
  • Detect malicious activity
  • Can block or prevent malicious activity
Summary (cont'd.)
• Anomaly detectors
  • Detect activity varying from a set baseline
• Configuring routers and firewalls securely
  • Easier with benchmark tools
• Web filtering
  • Can block Web sites containing malicious code
• Large organizations
  • Might need a security incident response team
• Honeypots
  • Lure hackers away from legitimate resources