
ECE579S: Computer and Network Security 4: Network Security Issues

ECE579S: Computer and Network Security 4: Network Security Issues. Professor Richard A. Stanley, PE. Last time: system design should be based on simplicity and restriction; developing secure systems is hard, but security needs to be designed in, not bolted on later.


Presentation Transcript


  1. ECE579S: Computer and Network Security 4: Network Security Issues. Professor Richard A. Stanley, PE

  2. Last time... • System design should be based on simplicity and restriction • Developing secure systems is hard, but security needs to be designed in, not bolted on later • Covert channels are a serious problem, and steganography is the current method of choice

  3. Thought for the Day “When computers (people) are networked, their power multiplies geometrically. Not only can people share all that information inside their machines, but they can reach out and instantly tap the power of other machines (people), essentially making the entire network their computer.” Scott McNealy, CEO, Sun Microsystems

  4. Threats and Vulnerabilities • Threats are “just there” • Vulnerabilities occur due to design choices we make along the way • They are not the same thing! • Risks occur at the intersection of threats and vulnerabilities with the assets we are trying to protect

  5. Vulnerability Assessment • What is it? • Why do we care? • Whose job is it? • How good a job do we have to do? • How can we describe vulnerabilities? • OVAL

  6. Warning! • In this lecture, we will discuss techniques for enumerating and attacking networks. This discussion is intended to help you understand how to protect networks, and is not a recommendation for or approval of this sort of activity. • Under no circumstances should you scan or otherwise probe a network without the explicit authorization of its management. Doing so could violate U. S. Federal law (18 USC § 1030).

  7. How To Rob a Bank • Just walk in and demand the money • Where is the bank? • How do you know there is any money? • Where to park the getaway car? • Are there any guards or surveillance devices? • Will you need a disguise? • What kinds of things might go wrong? • What if they say “NO?”

  8. Success Requires Planning • Whether robbing a bank or breaching network security, you need to plan ahead • Planning ahead is known as vulnerability assessment • Acquire the target (case the joint) • Scan for vulnerabilities (find the entry points) • Identify poorly protected data (shake the doors)

  9. Information in Plain Sight • Lots of valuable information is just lying around waiting to be used • telephone directories • company organization charts • business meeting attendee lists • promotional material • The Internet has made having a company web page the measure of being “with it”

  10. Target: FBI


  12. You get the idea • There is a lot of information out there, and it is readily available to anyone • Good intelligence usually consists of open source material properly collated • Law enforcement used to have special access to this sort of information--now it’s out on the ‘net • Network access speeds up the rate at which good intelligence can be collected

  13. Determine Your Scope • Check out the target’s web page • physical locations • related companies or entities • merger/acquisition news • phone numbers, contact information • privacy or security policies • links to other related web servers • check the HTML source code

  14. Refine Your Search • Run down leads from the news, etc. • Search engines are a good way • Check USENET postings • Use advanced search capabilities to find links back to target • Search on “worcester polytechnic security” gives ~ 32,400 hits

  15. Use the Government • EDGAR • SEC site (www.sec.gov/edgarhp.htm) • Search for 10-Q and 10-K reports • Try to find subsidiary organizations with different names • Think about what your organization has on databases available to the public

  16. Zero In On The Networks • InterNIC • http://www.internic.net/ • Organization • Domain • Network • Point of contact • www.networksolutions.com • www.arin.net

  17. Query on Found Data • POC • May be (often is) POC for other domains • Query for email addresses • Search for @wpi.edu (harder to do than earlier) • Scan found items for addresses and try them out

  18. Query the DNS • Insecure DNS configuration can reveal information that should be kept confidential • Zone transfers are popular attack methodologies • nslookup often used • pipe output to a text file • review the text file at your leisure • select potential “good targets” based on data

  19. Map Network Connectivity • traceroute • Unix and Win/NT • tracert in NT for file name legacy reasons • Shows hops from router to destination • Graphical tools exist, too • VisualRoute • www.visualroute.com

  20. Detailed Scanning • Network ping sweeps • Who is active? • Automated capabilities with some tools • ICMP queries • Reveal lots of information on systems • System time • Network mask

  21. Port Scanning • Identify running services • Identify OS • Identify specific applications of a service • Very popular • Very simple • Very dangerous

  22. Some Port Scan Types • Connect Scan--completes 3-way handshake • SYN--should receive SYN/ACK • FIN--should receive RST on closed ports • Xmas tree--sends FIN, URG, PSH; should receive RST for closed ports • Null--turns off all flags; target should send back RST for closed ports • UDP--port probably open if no “ICMP port unreachable” message received

  23. Identify Running Services • nmap • netcat • Udp_scan (and others from SATAN) • Using SYN scan is usually stealthy • Beware of DoS results

  24. OS Detection • Stack fingerprinting • Vendors interpret RFCs differently • Example: • RFC 793 states correct response to FIN probe is none • Win/NT responds with FIN/ACK • Based on responses to specific probes, possible to make very educated guesses as to what OS is running • Nmap database so accurate, it is used in commercial products (e.g. eEye Retina scanner) • Automated tools to make this easy! • Nmap (www.insecure.org/nmap/)

  25. Enumeration • Try to identify valid user accounts on poorly protected resource shares, e.g. on Windows-based systems • net view • lists domains on network • can also list shared resources • nltest -- identifies primary & backup domain controllers • SNMP • open a telnet connection

  26. Automated, Graphical Tools • Can trace network topology very accurately • ID machines by IP, OS, etc. • Makes attack much easier • No shortage of possible tools • Frequent additions to list • One source: http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

  27. Many Other Scanners • eEye Retina Scanner • http://www.eeye.com/html/resources/tours/retina/index.html • Nessus • Unix-based system and network scanner • NeWT • Windows port of Nessus with graphical front-end • http://www.tenablesecurity.com/products/newt.shtml • …and lots more. Google is your friend.

  28. Network Based Attacks Oldies and Goodies--It Isn’t Magic

  29. Word of Warning • Some of the attacks about to be described are as old as network attacks themselves • This doesn’t make studying them a waste of time • There is nothing new under the sun -- old attacks keep popping up in new clothes “Those who do not study history are condemned to repeat it.” George Santayana

  30. Getting Fingered

  31. Do You Know Who?

  32. TCP Review

  33. TCP Actions • Assumes IP addresses are valid and correct • If sequence number received ≠ sequence number expected, packet is refused (discarded), system waits for correctly numbered packet

  34. Sequence Number Prediction • Determine server’s IP address • Sniffing packets • Trying host numbers in order • Connect w/browser, observe address in status • Try addresses in the server’s address space • Monitor packet sequence numbers • Predict and spoof the next sequence number • Hacker now appears to be a legitimate user
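The attack on slide 34 only works when the increments between a host's initial sequence numbers are easy to guess, so a defender's first check is to audit their own stack. The audit below is an added example, not code from the lecture; the ISN samples and the two thresholds are constructed assumptions.

```python
"""Audit how predictable a host's TCP initial sequence numbers (ISNs) are.
Added example, not from the lecture. The ISN samples are constructed; a
real audit would record the ISN of each SYN/ACK from successive connections
to the host being checked. The thresholds are assumptions for illustration."""
import statistics

MOD = 1 << 32   # sequence numbers wrap at 2^32

# Constructed: a stack that adds a fixed 64000 per connection (the classic
# predictable case) and a stack that draws each ISN randomly from 32 bits.
PREDICTABLE_ISNS = [1_000_000 + 64_000 * i for i in range(8)]
RANDOM_ISNS = [0x8A3F12C1, 0x13B7E0A9, 0xD2049F33, 0x5E7A1B08,
               0x9F0C44DE, 0x2AB8F671, 0xE6D13A50, 0x7C5E9B1F]

def isn_deltas(isns):
    """Increments between consecutive ISNs, taken modulo 2^32 (wrap-safe)."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def predictability(isns):
    """Return (spread, verdict). spread is the population standard deviation of
    the increments: the smaller it is, the easier the next ISN is to guess,
    which is exactly what the spoofing attack on slide 34 relies on."""
    spread = statistics.pstdev(isn_deltas(isns))
    if spread < 1_000:
        verdict = "predictable: constant or near-constant increment"
    elif spread < 1 << 20:
        verdict = "weak: increments vary only within a small window"
    else:
        verdict = "acceptable: increments spread across the 32-bit space"
    return spread, verdict
```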

  35. Purpose, Detection & Defense • Once on net as an internal user, hacker can use net as a base for other attacks, or to access information on the net just spoofed • Detection: look for sequential “Access denied” entries in the audit log • Prevention: if available, enable real-time notification of large number of sequential access denial entries
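Slide 35's detection advice, a run of sequential "Access denied" entries, can be turned into a simple audit-log check. This is an added example rather than anything from the lecture; the log format is constructed, and tracking runs per source address with a threshold and time window are assumptions.

```python
"""Alert on runs of consecutive "Access denied" audit entries (slide 35).
Added example, not from the lecture. The audit log format is constructed:
"<unix_seconds> <source> <result>", one entry per line. Tracking the run per
source address, and the threshold and time window, are assumptions."""

# Constructed sample: 10.0.0.9 is denied five times in a row with no success
# in between; 10.0.0.7 has one denial followed by a success (a typo, not an attack).
SAMPLE_AUDIT = """\
1000 10.0.0.7 Access denied
1001 10.0.0.9 Access denied
1002 10.0.0.9 Access denied
1003 10.0.0.7 Access granted
1004 10.0.0.9 Access denied
1005 10.0.0.9 Access denied
1006 10.0.0.9 Access denied
1007 10.0.0.9 Access granted
"""

def denial_runs(log, threshold=3, window=60):
    """Return one (source, run_start, alert_time) tuple for each run of
    consecutive denials from one source that reaches `threshold` entries
    within `window` seconds. A success from that source ends its run."""
    runs = {}       # source -> [time of first denial in the run, count]
    alerts = []
    for line in log.splitlines():
        ts, src, result = line.split(" ", 2)
        ts = int(ts)
        if result != "Access denied":
            runs.pop(src, None)          # success breaks the run
            continue
        start, count = runs.get(src, [ts, 0])
        if ts - start > window:          # stale run: start counting afresh
            start, count = ts, 0
        count += 1
        runs[src] = [start, count]
        if count == threshold:           # fire once, when the run reaches the limit
            alerts.append((src, start, ts))
    return alerts
```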

  36. SYN Flood • Send a normal SYN packet to a server, as if to open a TCP connection • When the server returns a SYN/ACK packet, ignore it • Send another SYN packet to the server • Repeat as necessary • ...until server cannot handle any more
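The probe types on slide 22 and the SYN flood on slide 36 both leave a signature a monitor can pick out of client-sent segments: flag combinations no real client uses, and SYNs that are never followed by the client's ACK. The detector below is an added example, not code from the lecture; its one-line-per-segment log format and the sample traffic are constructed.

```python
"""Detect flag-based port probes and half-open SYN bursts in a packet log.
Added example, not from the lecture. The log format is constructed: one line
per client-sent TCP segment, "src dst:port flags", where flags is a string of
letters from S A F R P U (SYN ACK FIN RST PSH URG) or "-" for no flags."""
from collections import Counter, defaultdict
# Constructed sample: 10.0.0.9 probes ports with Xmas, Null and FIN segments
# (slide 22); 10.0.0.7 completes one normal handshake; 10.0.0.5 keeps sending
# SYNs and never answers the server's SYN/ACK (slide 36).
SAMPLE_LOG = """\
10.0.0.9 192.168.1.20:22 FPU
10.0.0.9 192.168.1.20:25 FPU
10.0.0.9 192.168.1.20:80 -
10.0.0.9 192.168.1.20:443 F
10.0.0.7 192.168.1.20:80 S
10.0.0.7 192.168.1.20:80 A
10.0.0.5 192.168.1.20:80 S
10.0.0.5 192.168.1.20:80 S
10.0.0.5 192.168.1.20:80 S
"""

def flag_set(flags):
    return set() if flags == "-" else set(flags)   # "-" means no flags at all

def probe_type(flags):
    """Name the scan type a client segment's flags imply, or None if normal."""
    f = flag_set(flags)
    if f == {"F", "P", "U"}:
        return "xmas"        # FIN+URG+PSH, never sent by a real client
    if not f:
        return "null"        # no flags set at all
    if f == {"F"}:
        return "fin"         # FIN with no connection established first
    return None              # ordinary SYN / ACK / data segment

def analyze(log, syn_threshold=3):
    """Return ({src: {probe_type: count}}, [sources at/over the half-open SYN limit])."""
    probes = defaultdict(Counter)
    half_open = Counter()
    for line in log.splitlines():
        src, _dst, flags = line.split()
        kind = probe_type(flags)
        if kind:
            probes[src][kind] += 1
        f = flag_set(flags)
        if f == {"S"}:
            half_open[src] += 1      # new SYN: one more pending handshake
        elif "A" in f and half_open[src] > 0:
            half_open[src] -= 1      # client's ACK completes a handshake
    floods = sorted(s for s, n in half_open.items() if n >= syn_threshold)
    return {s: dict(c) for s, c in probes.items()}, floods
```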

  37. FINish, But Don’t Start • Attacker sends FIN packet to server, but has not previously established a TCP connection • Server replies with RST packet • Attacker now knows that port on that server is alive and functioning

  38. Passive Sniffing • Hacker obtains access to network segment; observes and analyzes traffic • Unauthorized access to legitimate computer (packet monitors standard Windows fixture) • Unauthorized added NIC on segment • Purpose: gather intelligence, read traffic • Defense: • Secure authentication schemes (Kerberos) • Data encryption
