
Network Security

Network Security. Attacks Technical Solutions. The Problem of Network Security. The Internet allows an attacker to attack from anywhere in the world from their home desk. They just need to find one vulnerability: a security analyst needs to close every vulnerability. Physical Break-In

jessie

Presentation Transcript


  1. Network Security Attacks Technical Solutions

  2. The Problem of Network Security: The Internet allows an attacker to attack from anywhere in the world from their home desk. They just need to find one vulnerability; a security analyst needs to close every vulnerability.

  3. Hacking Networks Phase 1: Reconnaissance
     • Physical Break-In
     • Dumpster Diving
     • Google, Newsgroups, Web sites
     • Social Engineering
       Phishing: fake email
       Pharming: fake web pages
     • WhoIs Database & arin.net
     • Domain Name Server Interrogations

     Sample WhoIs record:

       Registrant: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052 US
       Domain name: MICROSOFT.COM
       Administrative Contact: Administrator, Domain domains@microsoft.com, One Microsoft Way, Redmond, WA 98052 US, +1.4258828080
       Technical Contact: Hostmaster, MSN msnhst@microsoft.com, One Microsoft Way, Redmond, WA 98052 US, +1.4258828080
       Registration Service Provider: DBMS VeriSign, dbms-support@verisign.com, 800-579-2848 x4
         Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions.
       Registrar of Record: TUCOWS, INC.
       Record last updated on 27-Aug-2006.
       Record expires on 03-May-2014.
       Record created on 02-May-1991.
       Domain servers in listed order:
         NS3.MSFT.NET 213.199.144.151
         NS1.MSFT.NET 207.68.160.190
         NS4.MSFT.NET 207.46.66.126
         NS2.MSFT.NET 65.54.240.126
         NS5.MSFT.NET 65.55.238.126

  4. Hacking Networks Phase 2: Scanning
     • War Driving: Can I find a wireless network?
     • War Dialing: Can I find a modem to connect to?
     • Network Mapping: What IP addresses exist, and what ports are open on them?
     • Vulnerability-Scanning Tools: What versions of software are implemented on devices?

  5. Passive Attacks
     • Eavesdropping: Listen to packets from other parties = Sniffing
     • Traffic Analysis: Learn about network from observing traffic patterns
     • Footprinting: Test to determine software installed on system = Network Mapping
     (Diagram labels: Carl, Jennie, Bob; Packet; A, B, C)

  6. Hacking Networks: Phase 3: Gaining Access
     Network Attacks:
     • Sniffing (Eavesdropping)
     • IP Address Spoofing
     • Session Hijacking
     System Attacks:
     • Buffer Overflow
     • Password Cracking
     • SQL Injection
     • Web Protocol Abuse
     • Denial of Service
     • Trap Door
     • Virus, Worm, Trojan horse
     (Figure: login prompt showing Login: Ginger, Password: Snap)

  7. Some Active Attacks
     • Denial of Service: Message did not make it; or service could not run
     • Masquerading or Spoofing: The actual sender is not the claimed sender
     • Message Modification: The message was modified in transmission
     • Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage
     (Diagrams: Denial of Service, Spoofing, Message Modification and Packet Replay among Bill, Joe and Ann; in Spoofing the sender is labelled "Joe (Actually Bill)")

  8. Man-in-the-Middle Attack
     (Diagram: hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3; messages in order: (1) Login, (2) Login, (3) Password, (4) Password)

  9. SQL Injection
     • Java Original: "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";
     • Inserted Password: Aa' OR ''='
     • Java Result: "SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ''='';"
     • Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%
     • Java Result: "SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'"
     • Inserted entry: '|shell("cmd /c echo " & char(124) & "format c:")|'
     (Figure: login form with Login and Password fields, followed by "Welcome to My System")
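The effect of the first inserted password on slide 9, and the parameterized form that neutralizes it, shown as an added example that is not part of the original presentation. It uses Python's built-in sqlite3 instead of the slide's Java; the stored account and the function names are constructed for illustration.

```python
import sqlite3

# Inserted passwords copied from slide 9.
OR_PASSWORD = "Aa' OR ''='"
DELETE_PASSWORD = "foo';DELETE FROM users_table WHERE username LIKE '%"

def make_db():
    # Constructed sample data: one account in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    db.execute("INSERT INTO users_table VALUES ('ginger', 'snap')")
    return db

def login_concatenated(db, username, password):
    # Same construction as the slide: input is pasted into the SQL text,
    # so a quote in the input ends the string literal and the rest is SQL.
    query = ("SELECT * FROM users_table WHERE username='" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchall()

def login_parameterized(db, username, password):
    # Placeholders send the input as data; quotes in it are never parsed.
    query = "SELECT * FROM users_table WHERE username=? AND password = ?"
    return db.execute(query, (username, password)).fetchall()

def count_users(db):
    return db.execute("SELECT COUNT(*) FROM users_table").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    # AND binds tighter than OR, so the trailing ''='' makes every row match.
    print("concatenated :", login_concatenated(db, "anyname", OR_PASSWORD))
    print("parameterized:", login_parameterized(db, "anyname", OR_PASSWORD))
    # The DELETE payload is compared as a literal password and nothing is deleted.
    print("parameterized:", login_parameterized(db, "anyname", DELETE_PASSWORD))
    print("rows left    :", count_users(db))
```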

  10. Password Cracking: Dictionary Attack & Brute Force. NIST SP 800-118 Draft

  11. Hacking Networks: Phase 4: Exploit/Maintain Access
     • Backdoor: Control system: system commands, log keystrokes, pswd
     • Trojan Horse: Useful utility actually creates a backdoor.
     • User-Level Rootkit: Replaces system executables: e.g. Login, ls, du
     • Kernel-Level Rootkit: Replaces OS kernel: e.g. process or file control to hide
     • Bots: Slave forwards/performs commands; spreads, list email addrs, DOS attacks
     • Spyware/Adware: Spyware: Collect info: keystroke logger, collect credit card #s. AdWare: insert ads, filter search results

  12. Botnets
     • Bots: Host illegal movies, music, pornography, criminal web sites, …
     • Forward Spam for financial gain
     (Diagram: Attacker, Handler, Bots/Zombies; locations labelled China and Hungary)

  13. Distributed Denial of Service
     Can barrage a victim server with requests, causing the network to fail to respond to anyone
     (Diagram: Attacker, Handler, Zombies, Victim; locations labelled Russia, Bulgaria and United States)

  14. Question An attack where multiple computers send connection packets to a server simultaneously to slow the firewall is known as: • Spoofing • DDOS • Worm • Rootkit

  15. Question A man in the middle attack is implementing which additional type of attack(s): • Spoofing • DoS • Phishing • Pharming

  16. Network Security Network Defense Encryption

  17. Security: Defense in Depth
     • Border Router
     • Perimeter firewall
     • Internal firewall
     • Intrusion Detection System
     • Policies & Procedures & Audits
     • Authentication
     • Access Controls

  18. Bastion Host Computer fortified against attackers • Applications turned off • Operating system patched • Security configuration tightened

  19. Attacking the Network: What ways do you see of getting in?
     (Diagram labels: The Internet, Border Router/Firewall, De-Militarized Zone, Commercial Network, WLAN, Private Network, Private Network)

  20. Filters
     (Diagram: "The good, the bad & the ugly…" enter the Filter; "The Good" passes, "The bad & the ugly" are discarded)
     • Route Filter: Verifies sources and destination of IP addresses
     • Packet Filter: Scans headers of packets and discards if ruleset failed (e.g., Firewall or router)
     • Content Filter: Scans contents of packets and discards if ruleset failed (e.g., Intrusion Prevention System or firewall)

  21. Packet Filter Firewall
     (Diagram: traffic arriving at the firewall, labelled: Web Response, Illegal Dest IP Address, Web Request, Email Response, SSH Connect Request, DNS Request, Web Response, Ping Request, Illegal Source IP Address, Email Response, FTP request, Microsoft NetBIOS Name Service, Email Connect Request, Telnet Request)

  22. Firewall Configurations
     Router Packet Filtering:
     • Packet header is inspected
     • Single packet attacks caught
     • Very little overhead in firewall: very quick
     • High volume filter
     Stateful Inspection:
     • State retained in firewall memory
     • Most multi-packet attacks caught
     • More fields in packet header inspected
     • Little overhead in firewall: quick
     (Diagrams: terminal, firewall, host; packet A passes through the firewall)
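The difference between the two configurations on slide 22, as an added example that is not part of the original presentation: a stateless packet filter judges each header alone, while stateful inspection also remembers sessions opened from inside. The rule set, addresses, ports and class names are constructed for illustration.

```python
from dataclasses import dataclass

INSIDE = "10.1.1."  # constructed internal address prefix

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when arriving from the Internet side

def packet_filter(pkt: Packet) -> bool:
    """Stateless rule set: only this packet's header is inspected."""
    if pkt.inbound and pkt.src.startswith(INSIDE):
        return False                      # illegal source IP address
    if pkt.inbound:
        return pkt.sport in (80, 53)      # looks like a web or DNS response
    return pkt.dport in (80, 53)          # outbound web or DNS request

class StatefulFirewall:
    """Same header rules, plus a table of sessions opened from inside."""
    def __init__(self):
        self.sessions = set()

    def check(self, pkt: Packet) -> bool:
        if not packet_filter(pkt):
            return False
        if not pkt.inbound:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet must be the reverse of a remembered request.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

# Constructed traffic, in arrival order.
TRAFFIC = [
    Packet("10.1.1.5", 40000, "203.0.113.10", 80, inbound=False),  # web request
    Packet("203.0.113.10", 80, "10.1.1.5", 40000, inbound=True),   # its response
    Packet("198.51.100.7", 80, "10.1.1.5", 40001, inbound=True),   # unsolicited
    Packet("10.1.1.9", 80, "10.1.1.5", 40000, inbound=True),       # illegal source
]

def compare(traffic):
    """Return (packet filter verdict, stateful verdict) for each packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.check(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, verdicts in zip(TRAFFIC, compare(TRAFFIC)):
        print(pkt, verdicts)
```

The third packet is the case that separates the two: its header alone looks like a web response, so only the session table shows that nobody inside asked for it.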

  23. Firewall Configurations
     Circuit-Level Firewall:
     • Packet session terminated and recreated via a Proxy Server
     • All multi-packet attacks caught
     • Packet header completely inspected
     • High overhead in firewall: slow
     Application-Level Firewall:
     • Packet session terminated and recreated via a Proxy Server
     • Packet header completely inspected
     • Most or all of application inspected
     • Highest overhead: slow & low volume
     (Diagrams: terminal, firewall, host; session A on one side of the firewall is recreated as session B on the other)

  24. Multi-Homed Firewall: Separate Zones
     The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall.
     (Diagram labels: Internet; Screening Device: Router; IDS; Screened Host: Firewall With Proxy Interface; Demilitarized Zone: External DNS, VPN Server, IDS, Web Server, E-Commerce; Protected Internal Network Zone: IDS, Database/File Servers)

  25. Writing Rules
     (Diagram labels: Policies, Network Filter Capabilities, Write Rules, Corrections, Audit Failures, Protected Network)

  26. Services and Servers: Workbook

  27. Path of Logical Access: How would access control be improved?
     (Diagram labels: The Internet, Border Router/Firewall, De-Militarized Zone, Router/Firewall, WLAN, Private Network)

  28. Protecting the Network
     (Diagram labels: The Internet; Border Router: Packet Filter; De-Militarized Zone: Bastion Hosts; Proxy server firewall; WLAN; Private Network)

  29. Serviced Applications: Workbook

  30. Network Diagram: Workbook
     (Diagram labels: Internet; Router; Demilitarized Zone: External DNS, Public Web Server, E-Commerce, Email; Firewall; Zone 1: Student Labs & Files; Zone 2: Faculty Labs & Files; Zone 3: Student Data: Student Scholastic, Student Billing, Student History; Student Records, Student Billing, Transcripts)

  31. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS)
     Network IDS = NIDS
     • Examines packets for attacks
     • Can find worms, viruses, org-defined attacks
     • Warns administrator of attack
     • IPS = Packets are routed through IPS
     Host IDS = HIDS
     • Examines actions or resources for attacks
     • Recognize unusual or inappropriate behavior
     • E.g., Detect modification or deletion of special files
     (Diagram labels: Router, IDS, Firewall)

  32. IDS Intelligence Systems
     • Signature-Based: Specific patterns are recognized as attacks
     • Statistical-Based: The expected behavior of the system is understood. If variations occur, they may be attacks (or maybe not)
     • Neural Networks: Statistical-Based with self-learning (or artificial intelligence). Recognizes patterns
     (Diagram: NIDS raising "ALARM!!! NastyVirus"; Attacks: NastyVirus, BlasterWorm; Normal)

  33. Honeypot & Honeynet
     Honeypot: A system with a special software application which appears easy to break into
     Honeynet: A network which appears easy to break into
     • Purpose: Catch attackers
     • All traffic going to honeypot/net is suspicious
     • If successfully penetrated, can launch further attacks
     • Must be carefully monitored
     (Diagram labels: Firewall, Honey Pot, External DNS, VPN Server, IDS, Web Server, E-Commerce)

  34. Data Privacy
     • Confidentiality: Unauthorized parties cannot access information. (->Secret Key Encryption)
     • Authenticity: Ensuring that the actual sender is the claimed sender. (->Public Key Encryption)
     • Integrity: Ensuring that the message was not modified in transmission. (->Hashing)
     • Nonrepudiation: Ensuring that sender cannot deny sending a message at a later time. (->Digital Signature)
     (Diagrams: Confidentiality, Authenticity, Integrity and Non-Repudiation among Bill, Joe and Ann; in Authenticity the sender is labelled "Joe (Actually Bill)")

  35. Encryption: Secret Key. Examples: DES, AES
     (Diagram: plaintext -> Encrypt with Ksecret -> ciphertext -> Decrypt with Ksecret -> plaintext)
     P = D(Ksecret, E(Ksecret, P))
     NIST Recommended: 3DES w. CBC, AES 128 Bit

  36. Public Key Encryption. Examples: RSA, ECC, Quantum
     • Encryption (e.g., RCS): Joe encrypts with Kpublic; the key owner decrypts with Kprivate. (Message, private key)
       P = D(kPRIV, E(kPUB, P))
     • Digital Signature: the key owner encrypts with Kprivate; Joe decrypts with Kpublic. (Authentication, Non-repudiation)
       P = D(kPUB, E(kPRIV, P))
     NIST Recommended: RSA 1024 bit. 2011: RSA 2048 bit

  37. Remote Access Security
     Virtual Private Network (VPN), often implemented with IPSec
     • Can authenticate and encrypt data through Internet (red line)
     • Easy to use and inexpensive
     • Difficult to troubleshoot, less reliable than dedicated lines
     • Susceptible to malicious software and unauthorized actions
     • Often router or firewall is the VPN endpoint
     (Diagram labels: Firewall, VPN Concentrator, The Internet)

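  38. Secure Hash Functions. Examples: SHA1, SHA2, MD2, MD4, MD5
     Ensures the message was not modified during transmission
     (Diagram, Message Authentication Code: the sender computes H over the Message with key K and sends Message plus H; the receiver recomputes H with K and compares)
     (Diagram, One Way Hash: the sender computes H over the Message, encrypts it (E) and sends Message plus H; the receiver decrypts (D), recomputes H and compares)
     NIST Recommended: SHA-1, SHA-2. 2011: SHA-2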
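Why slide 38 adds the key K to the hash, as an added example that is not part of the original presentation: a bare hash sent with the message can be recomputed by whoever modifies the message, while a keyed MAC cannot. HMAC-SHA-256 is used here as one standard MAC construction; the key, message and function names are constructed for illustration.

```python
import hashlib
import hmac

K = b"constructed shared key"      # known to sender and receiver only
MESSAGE = b"pay Ann 100"           # constructed sample message

def one_way_hash(message: bytes) -> bytes:
    """H(message): anyone can compute it, no key involved."""
    return hashlib.sha256(message).digest()

def mac(key: bytes, message: bytes) -> bytes:
    """Keyed hash over the message; only holders of the key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def receiver_accepts_hash(message: bytes, tag: bytes) -> bool:
    # "Compare" step from the slide, done in constant time.
    return hmac.compare_digest(one_way_hash(message), tag)

def receiver_accepts_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)

def modify_in_transit(message: bytes, retag):
    """Model message modification: change the message, then re-tag it
    using only what a party without K is able to compute."""
    changed = message.replace(b"100", b"900")
    return changed, retag(changed)

def demo() -> dict:
    results = {}
    # A changed message with the original hash is detected.
    results["hash_detects_change"] = not receiver_accepts_hash(
        b"pay Ann 900", one_way_hash(MESSAGE))
    # If the hash travels unprotected, it is simply recomputed and accepted.
    changed, tag = modify_in_transit(MESSAGE, one_way_hash)
    results["hash_accepts_retagged_change"] = receiver_accepts_hash(changed, tag)
    # Without K the re-tagged message fails the MAC comparison.
    changed, tag = modify_in_transit(MESSAGE, lambda m: mac(b"wrong key", m))
    results["mac_rejects_retagged_change"] = not receiver_accepts_mac(K, changed, tag)
    results["mac_accepts_original"] = receiver_accepts_mac(K, MESSAGE, mac(K, MESSAGE))
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```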

  39. Digital Signature
     • Electronic Signature
     • Uses public key algorithm
     • Verifies integrity of data
     • Verifies identity of sender: non-repudiation
     (Diagram: Message plus Msg Digest, with the digest Encrypted by K(Sender's Private))

  40. Public Key Infrastructure (PKI)
     1. Sue registers with CA through RA: Register(Owner, Public Key)
     2. Registration Authority (RA) verifies owners
     3. Send approved Digital Certificates
     4. Sue sends Tom message signed with Digital Signature
     5. Tom requests Sue's DC
     6. CA sends Sue's DC
     7. Tom confirms Sue's DS
     (Diagram labels: Sue, Tom, Certificate Authority (CA); Digital Certificate: User: Sue, Public Key: 2456)

  41. Network Access Server
     1. Dial up and authenticate
     2. Call back
     3. Connect
     RADIUS or TACACS
     • NAS: Network Access Server
     • Handles user authentication, access control and accounting
     • Calls back to pre-stored number based on user ID
     • Prone to hackers, DOS, misconfigured or insecure devices
     RADIUS: Remote Access Dial-in User Service
     TACACS: Terminal Access Control Access

  42. Web Page Security
     • SQL Filtering: Filtering of web input for SQL Injection
     • Encryption/Authentication: Ensuring Confidentiality, Integrity, Authenticity, Non-repudiation
     • Web Protocol Protection: Protection of State

  43. Vulnerability Assessment • Scan servers, work stations, and control devices for vulnerabilities • Open services, patching, configuration weaknesses • Testing controls for effectiveness • Adherence to policy & standards • Penetration testing

  44. Serviced Applications: Workbook

  45. Summary of Network Controls
     Network Security Techniques
     • Encryption: Public and Private key, Wireless WPA2
     • Virtual Private Network (VPN): Secure communications tunnel
     • Secure Hashing
     • Digital Signature
     • Bastion Host Configuration
     • Certificate Authority: PKI
     Network Protection Devices
     • Firewall: Packet, Stateful, Circuit, Application-Level
     • Proxy server
     • Demilitarized Zone (DMZ)
     • Intrusion Detection System
     • Intrusion Prevention System
     • Network access server (RADIUS or TACACS)
     • Honeypot, honeynet
     Secure Protocols
     • SSL: Secure web
     • SSH: Secure telnet/rlogin or file transfer
     • S/MIME: Secure email
     • Secure Information Mgmt: Log mgmt

  46. Question The filter with the most extensive filtering capability is the • Packet filter • Application-level firewall • Circuit-level firewall • State Inspection

  47. Question The technique which implements non-repudiation is: • Hash • Secret Key Encryption • Digital Signature • IDS

  48. Question Anti-virus software typically implements which type of defensive software: • Neural Network • Statistical-based • Signature-based • Packet filter

  49. Question MD5 is an example of what type of software: • Public Key Encryption • Secret Key Encryption • Message Authentication • PKI
