1 / 51

EE579T Network Security 3: Vulnerability Assessment

EE579T Network Security 3: Vulnerability Assessment. Prof. Richard A. Stanley. Overview of Today’s Class. Projects Review last week’s lesson Logistics for next class Look at network security in the news Vulnerability assessment. Project Definitions. Who? What? Problems, issues?.

gaille
Download Presentation

EE579T Network Security 3: Vulnerability Assessment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EE579TNetwork Security3: Vulnerability Assessment Prof. Richard A. Stanley WPI

  2. Overview of Today’s Class • Projects • Review last week’s lesson • Logistics for next class • Look at network security in the news • Vulnerability assessment WPI

  3. Project Definitions • Who? • What? • Problems, issues? WPI

  4. Last Time... • IPSec is a complex security protocol, originally developed for roll-out with IP v6 • Provides authentication, integrity, and confidentiality services to IP transmission • Improves on basic protocols like D-H • Many implementations available for IP v4, so it is usable today • Authentication and encapsulation services provide a basis for VPNs WPI

  5. Next time... • Next class topic is SSL and SET • I must be away next Monday. How do we proceed? • The class is available on videotape • The slides will be sent to you • Please meet as normally scheduled, watch the lecture and discuss the slides, and we’ll go over any questions on July 28th WPI

  6. Network Security Checklist(searchSecurity.com) • Check systems for zombie agent software • Minimize external exposure by minimizing Internet access and connectivity [do not leave non-mission critical Internet connections open continuously and deny Internet access to employees who do not need it.] • Review security policies and ensure that they are current, implemented and enforced. WPI

  7. Security checklist - 2 • Ensure all current service-level and security patches have been installed on operating systems and software, including antivirus updates • Enhance the review and monitoring of all critical system logs for suspect activity, and consider implementing an intrusion-detection system • Revisit firewall configurations and rules to ensure that unnecessary ports and services are turned off and that access control is tightly managed WPI

  8. Security checklist - 3 • Consider curtailing remote access by employees, business partners, customers and consultants to essential business. • Consider changing passwords for all super-user or power IDs such as Root, dbadmin, application manager IDs, etc., especially if that information has become widely shared. (emphasis added) • Revisit access control lists to ensure that access to critical functions and resources is limited. WPI

  9. Security checklist - 4 • Discuss with your ISP what measures they are taking to ensure the security and reliability of the services they are providing you. • Regularly back up all critical systems and test actual systems recovery procedures . • Consider an incident response plan for addressing actions to be taken should a debilitating cyber-incident/event occur, affecting your business. WPI

  10. Security checklist - 5 • Ensure all users of your corporate computer systems (including employees, consultants, contractors and temporary workers) understand the importance of protecting the business and their role in the overall program. • Users working from home via high-speed, broadband connections should be required to have a firewall installed on their system. In addition, they should only be allowed to connect to the corporate network through a VPN tunnel. WPI

  11. What do all these security issues have in common? WPI

  12. Thought for the Day “The network is the computer.” Scott McNeely CEOSun Microsystems WPI

  13. Is this quote for real or is it for marketing? • What is typical PC bus speed? • What sort of network data transfer rates can be attained? • What does this mean for the future of networked computing? WPI

  14. How To Rob a Bank • Just walk in and demand the money • Where is the bank? • How do you know there is any money? • Where to park the getaway car? • Are there any guards or surveillance devices? • Will you need a disguise? • What kinds of things might go wrong? • What if they say “NO?” WPI

  15. Success Requires Planning • Whether robbing a bank or breaching network security, you need to plan ahead • Planning ahead is known as vulnerability assessment • Acquire the target (case the joint) • Scan for vulnerabilities (find the entry points) • Identify poorly protected data (shake the doors) WPI

  16. Information in Plain Sight • Lots of valuable information is just lying around waiting to be used • telephone directories • company organization charts • business meeting attendee lists • promotional material • The Internet has made having a company web page the measure of being “with it” WPI

  17. Target: FBI WPI

  18. WPI

  19. WPI

  20. WPI

  21. WPI

  22. WPI

  23. WPI

  24. WPI

  25. WPI

  26. ? WPI

  27. WPI

  28. WPI

  29. You get the idea • There is a lot of information out there, and it is readily available to anyone • Good intelligence usually consists of open source material properly collated • Law enforcement used to have special access to this sort of information--now it’s out on the ‘net • Network access speeds up the rate at which good intelligence can be collected WPI

  30. Determine Your Scope • Check out the target’s web page • physical locations • related companies or entities • merger/acquisition news • phone numbers, contact information • privacy or security policies • links to other related web servers • check the HTML source code WPI

  31. Refine Your Search • Run down leads from the news, etc. • Search engines are a good way • FerretSoft • Dogpile • Check USENET postings • Use advance search capabilities to find links back to target • Search on wpi + security gives ~ 2900 hits WPI

  32. WPI

  33. Use the Government • EDGAR • SEC site (www.sec.gov/edgarhp.htm) • Search for 10-Q and 10-K reports • Try to find subsidiary organizations with different names • Think about what your organization has on databases available to the public WPI

  34. WPI

  35. Zero In On The Networks • InterNIC • Organization • Domain • Network • Point of contact • www.networksolutions.com • www.arin.net WPI

  36. Search for wpi.edu WPI

  37. Other Sources • InterNIC has 50-record limit, so… • ftp://rs.internic.net/domain • http://samspade.org/ssw/ • freeware • www.nwpsw.com • Netscan tools • Single copy price = $32.00 • www.ipswitch.com • WS_Ping ProPack = $37.50 WPI

  38. Example: Sam Spade WPI

  39. Query on Found Data • POC • May be (often is) POC for other domains • Query for email addresses -- here are a few from @wpi.edu Amiji, Murtaza (MA3608) murti@WPI.EDU (508) 831-5395 Baboval, John (JBJ116) jbaboval@WPI.EDU XXX-XXXX Ballard, Richard (RBS722) rick@WPI.EDU 508-831-6731 Barnett, Glenn S (GSB14) rhythm@WPI.EDU (315)475-5920 Bartelson, Jon (JB12891) jonb@WPI.EDU (508) 831-5725 (FAX) (508) 831-5483 Berard, Keith (KB2414) keithb@WPI.EDU (508)754-4502 Blank, Karin (KBJ257) blankk@WPI.EDU 203-762-0532 Blomberg, Adam (AB5417) scarpa@WPI.EDU 508-755-7699 WPI

  40. Query the DNS • Insecure DNS configuration can reveal information that should be kept confidential • Zone transfers are popular attack methodologies • nslookup often used • pipe output to a text file • review the text file at your leisure • select potential “good targets” based on data WPI

  41. Map the Network • traceroute • Unix and Win/NT • tracert in NT for file name legacy reasons • Shows hops from router to destination • Graphical tools exist, too • VisualRoute • www.visualroute.com WPI

  42. WPI

  43. Detailed Scanning • Network ping sweeps • Who is active? • Automated capabilities with some tools • ICMP queries • Reveal lots of information on systems • System time • Network mask WPI

  44. Port Scanning • Identify running services • Identify OS • Identify specific applications of a service • Very popular • Very simple • Very dangerous WPI

  45. Port Scan Types • Connect Scan--completes 3-way handshake • SYN--should receive SYN/ACK • FIN--should receive RST on closed ports • Xmas tree--sends FIN, URG, PSH; should receive RST for closed ports • Null--turns off all flags; target should send back RST for closed ports • UDP--port probably open if no “ICMP port unreachable” message received WPI

  46. Identify Running Services • Strobe • Udp_scan (from SATAN) • netcat • PortPro & Portscan • nmap • Using SYN scan is usually stealthy • Beware of DoS results WPI

  47. OS Detection, etc. • Stack fingerprinting • Different vendors interpret RFCs differently • Example: • RFC 793 states correct response to FIN probe is none • Win/NT responds with FIN/ACK • Based on responses to specific probes, possible to make very educated guesses as to what OS running • Automated tools to make this easy! • Nmap www.insecure.org/nmap/ • Retina www.eeye.com/html/Products/Retina/ WPI

  48. Enumeration • Try to identify valid user accounts on poorly protected resource shares • Windows NT • net view • lists domains on network • can also list shared resources • nltest -- identifies PDC & BDC • SNMP • open a telnet connection WPI

  49. Automated, Graphical Tools • Can trace network topology very accurately • ID machines by IP, OS, etc. • Makes attack much easier • Cheops • www.marko.net/cheops/ • Tkined • wwwhome.cs.utwente.nl/~schoenw/scotty/ WPI

  50. Summary • Attacking a network is no different from robbing a bank; you have to plan if you expect to be successful • There are three basic steps to planning, which is called vulnerability assessment: • Acquire the target (case the joint) • Scan for vulnerabilities (find the entry points) • Identify poorly protected data (enumeration) • This applies if you are inside or outside the protected perimeter! WPI

More Related