Chapter 7: Telecommunications and Networking Security (Part B) • LAN Networking • Routing • Networking Devices
LAN Networking (1) • The brief history of networking • Network topology • What is topology? • Physical topology vs. logical topology • Features of each topology (bus, ring, star, mesh) • Summary on P446
LAN Networking (2) • LAN vs. WAN vs. internetworking • LAN media access technologies • Ethernet: IEEE 802.3 • Token Ring: IEEE 802.5 • Fiber Distributed Data Interface (FDDI): an ANSI standard (X3T9.5), not an IEEE 802 standard; IEEE 802.8 was only IEEE's fiber-optic advisory group (comparison table 7-4 on P453)
LAN Networking (3) Ethernet: • Cabling schemes: 10Base2, 10Base5 (coaxial); 10Base-T, 100Base-TX, 1000Base-T (twisted pair) • CSMA/CD (detail in the media access section below)
LAN Networking (4) Token Ring: • What is a token? (details under token passing later) • MAU (Multistation Access Unit): the hub-like device that wires the stations into the logical ring
LAN Networking (5) FDDI: token passing over dual counter-rotating fiber rings at 100 Mbps; the second ring carries traffic if the primary ring or a station fails
LAN Networking (6) • Cabling types • Coaxial cable • Twisted-Pair cable: UTP, STP • Fiber-Optic cable • Security features • Cabling problems: • Noise (interference) • Attenuation • Crosstalk • Fire rating
LAN Networking (7) Transmission Methods • unicast vs. multicast vs. broadcast • Broadcast IP: 255.255.255.255 is the limited broadcast, which routers never forward; 129.252.226.255 is the directed broadcast of the 129.252.226.0/24 subnet (assuming a /24 mask), which border routers should be configured not to forward from outside • IGMP is the protocol hosts use to join and leave multicast groups
LAN Networking (8) Media Access Technologies: • Token passing • Carrier sense multiple access with collision detection (CSMA/CD): wired Ethernet • Carrier sense multiple access with collision avoidance (CSMA/CA): used in wireless LANs, where a radio cannot transmit and listen for collisions at the same time • Polling
LAN Networking (9) Token passing • Used by Token Ring and FDDI • Only the station holding the token may transmit, so there are no collisions
LAN Networking (10) CSMA / CD • Back-off algorithm • Collision • Broadcast domain • Collision domain • Benefits of restricting broadcast and collision domains
LAN Networking (11) Polling • Primary station and secondary stations: the primary asks each secondary in turn whether it has data to send • No collisions • Mainly used in mainframe environments; also the point coordination function (PCF) of the IEEE 802.11 WLAN standard
LAN Protocols (1) ARP • IP address vs. MAC address. Why does a host have two addresses? The IP address is the logical, routable address; the MAC address is the physical address that frames are delivered to on the local segment • MAC and IP addresses must be properly mapped. How? The Address Resolution Protocol: a host broadcasts a request for the IP address it needs, the owner replies with its MAC address, and the answer is cached in the host's ARP table
LAN Protocols (2) • ARP cache poisoning • ARP has no authentication: a host caches whatever reply it receives, so the ability to associate any IP address with any MAC address gives an attacker many attacks • Denial of Service (DoS): map the gateway's IP address to a non-existent MAC address • Man in the Middle: map the gateway's IP address to the attacker's MAC address (and the victim's IP address to it as well, so both directions pass through the attacker) • MAC Flooding: overwhelm a switch's MAC address table so that it floods traffic out of every port
LAN Protocols (3) ARP cache poisoning. Solutions? • Only attackers on the local segment (the same broadcast domain) can exploit ARP's insecurities, because ARP is not routed. • For small networks: static IP addresses and static ARP tables. "ipconfig /all" in Windows or "ifconfig" in UNIX shows a host's own IP and MAC address, and "arp -a" shows the mappings it has learned. With that inventory, the "arp -s" command adds a static ARP entry for each known device, which a spoofed reply cannot overwrite. This does not scale and has to be redone whenever a network card is replaced. • For large networks: the "port security" feature of a switch limits each physical port to one (or a configured number of) MAC addresses. This stops an attacker from presenting more than one MAC address on a port, defeats MAC flooding, and can help prevent ARP-based man-in-the-middle attacks. By itself it does not stop a host from sending spoofed ARP replies from its single permitted MAC address; Dynamic ARP Inspection on switches (validating ARP packets against the DHCP snooping binding table) addresses that case. • The best defense is monitoring for it: an ARP monitoring tool such as "arpwatch" records IP-to-MAC pairings and alerts when a pairing changes, which is exactly what poisoning looks like on the wire.
LAN Protocols (4) • RARP • How does a host get an IP address? • RARP, BOOTP, DHCP (each generation replacing the previous one) • Internet Control Message Protocol (ICMP) • ICMP is IP's "messenger boy." • Ping utility: sends an ICMP ECHO REQUEST packet and expects an ICMP ECHO REPLY packet • Routers use ICMP to send messages in response to datagrams that could not be delivered (e.g. destination unreachable, time exceeded). • Other connectionless protocols may use ICMP to send error messages back to the sending system to indicate networking problems.
LAN Protocols (5) Loki Attack • Many routers and firewalls are configured to let ICMP traffic in and out of the network, on the assumption that this is safe because ICMP was not designed to carry application data; in fact the echo request and echo reply messages have a data field that is normally just filler. • Loki puts arbitrary data inside that field and uses it to communicate with an already compromised system. • Loki is a client/server program used by attackers to set up back doors on systems. • The attacker compromises a computer and installs the server portion of the Loki software. The server does not listen on a TCP or UDP port; it watches for ICMP echo packets, so a port scan shows nothing unusual. • To gain access and open a remote shell on this computer, the attacker sends commands inside ICMP echo packets and receives the output inside ICMP echo replies. • Countermeasure: do not allow unrestricted ICMP through the perimeter, and inspect echo payloads rather than only the ICMP type.
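An arpwatch-style monitor as an added worked example (this is not arpwatch's code or anything from the textbook): it parses raw Ethernet/ARP frames, keeps the IP-to-MAC table, and alerts when a pairing changes, treating an administrator-pinned static entry the way "arp -s" would. The addresses, the constructed frames and the static gateway entry are assumptions for the example.

```python
"""ARPwatch-style monitor for ARP cache poisoning (added illustration).

Parses raw Ethernet/ARP frames, keeps an IP -> MAC table and raises an alert
whenever an IP address is suddenly claimed by a different MAC, which is what
a poisoning attack looks like on the wire.  All frames below are constructed
by hand and every address is made up for the example.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header followed by a 28-byte Ethernet/IPv4 ARP body (RFC 826)."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


class ArpMonitor:
    """Learns IP->MAC bindings from the sender fields of requests and replies
    alike (both reveal the sender's binding) and alerts on any change."""

    def __init__(self, static: Optional[Dict[str, str]] = None) -> None:
        self.table: Dict[str, str] = dict(static or {})   # ip -> mac
        self.static = set(static or {})                   # pinned by the admin, as with arp -s
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, mac, ip = parsed
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                           # arpwatch: "new station"
        elif known != mac:
            kind = "static entry contradicted" if ip in self.static else "changed ethernet address"
            self.alerts.append(f"{kind}: {ip} was {known}, now claimed by {mac} (op={op})")
            if ip not in self.static:
                self.table[ip] = mac                       # follow the flip, but it was logged


def run_demo() -> ArpMonitor:
    gateway, pc = "192.168.1.1", "192.168.1.20"
    gw_mac, pc_mac, evil_mac = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:20", "cc:cc:cc:cc:cc:66"
    mon = ArpMonitor(static={gateway: gw_mac})
    # Normal traffic: the PC asks for the gateway, the gateway answers.
    mon.observe(build_arp(ARP_REQUEST, pc_mac, pc, "00:00:00:00:00:00", gateway))
    mon.observe(build_arp(ARP_REPLY, gw_mac, gateway, pc_mac, pc))
    # Poisoning: the attacker tells the PC it is the gateway and tells the
    # gateway it is the PC, so both directions of traffic pass through it.
    mon.observe(build_arp(ARP_REPLY, evil_mac, gateway, pc_mac, pc))
    mon.observe(build_arp(ARP_REPLY, evil_mac, pc, gw_mac, gateway))
    return mon


if __name__ == "__main__":
    for line in run_demo().alerts:
        print("ALERT", line)
```

Both poisoning replies are flagged; the static gateway entry is reported but never overwritten, while the learned PC entry follows the change so that later flips are also seen. A real deployment feeds `observe` from a capture on the segment being protected.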
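An added example of the detection side of a Loki-style tunnel (this is not Loki's code; the packets and payloads are constructed for the illustration): it builds IPv4/ICMP echo packets with a correct checksum, verifies them, and classifies the echo data field against the filler patterns an ordinary ping uses. The source and destination addresses and the sample payloads are assumptions.

```python
"""Detecting a Loki-style ICMP tunnel (added illustration, not Loki's own code).

Builds IPv4/ICMP echo packets with a correct checksum, then classifies the
echo data field: a normal ping carries a fixed filler pattern, a tunnel
carries commands or ciphertext.  All packets below are constructed inline.
"""
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
                    ident: int = 0x1234, seq: int = 1) -> bytes:
    """IPv4 header (no options) + ICMP echo header + data field. Addresses are made up."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp_echo(packet: bytes):
    """Return (type, ident, seq, data) for an ICMP echo packet with a valid checksum, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:   # IPv4, protocol 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:     # a correct checksum sums to zero
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    return icmp_type, ident, seq, icmp[8:]


def linux_ping_filler(n: int, ts_len: int = 8) -> bytes:
    """Linux ping: a timestamp (zeroed here), then bytes 0x10, 0x11, ... to the requested size."""
    return bytes(ts_len) + bytes((0x10 + i) & 0xFF for i in range(n - ts_len))


WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


def classify_echo_data(data: bytes) -> str:
    """'normal' if the data field matches a known ping filler, otherwise why it is suspicious."""
    if not data or data == WINDOWS_FILLER:
        return "normal"
    for ts_len in (8, 16):                  # timeval is 8 or 16 bytes depending on platform
        if len(data) > ts_len and data[ts_len:] == linux_ping_filler(len(data), ts_len)[ts_len:]:
            return "normal"
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in data) / len(data)
    if printable > 0.9:
        return "suspicious: readable text in echo data (possible command channel)"
    return "suspicious: echo data does not match any ping filler (possible encrypted tunnel)"


def audit(packets):
    """Classify every well-formed echo packet; malformed ones are reported as such."""
    results = []
    for pkt in packets:
        parsed = parse_icmp_echo(pkt)
        results.append("malformed or not an ICMP echo" if parsed is None
                       else classify_echo_data(parsed[3]))
    return results


def run_demo():
    # Constructed sample traffic: two ordinary pings, then Loki-style packets.
    normal_linux = build_icmp_echo(linux_ping_filler(56))
    normal_win = build_icmp_echo(WINDOWS_FILLER, ICMP_ECHO_REPLY)
    command = build_icmp_echo(b"cat /etc/shadow\n")        # command to the back door
    ciphertext = build_icmp_echo(bytes(range(200, 256)))    # stand-in for an encrypted reply
    corrupted = bytearray(normal_linux)
    corrupted[-1] ^= 0xFF                                   # damaged in transit: bad checksum
    return audit([normal_linux, normal_win, command, ciphertext, bytes(corrupted)])
```

The filler check is a heuristic: a tunnel that pads its data to look like ping filler would pass it, which is why the slide's first countermeasure (not allowing unrestricted ICMP through the perimeter) matters more than any single signature.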
Index • LAN Networking • Routing • Networking Devices
Routing (1) • Autonomous system (AS): a set of networks under one administrative control • Router & routing table • A routing table contains a list of known routers, the address prefixes they can reach, and a cost metric associated with each path so that the best available route is chosen. • Interior Gateway Protocols (IGP), used within an AS • Routing Information Protocol (RIP): distance vector, hop-count metric • Open Shortest Path First (OSPF): link state • IGRP: Cisco proprietary distance vector • Exterior Gateway Protocols (EGP), used between ASes • Border Gateway Protocol (BGP)
Routing (4) Attacks on routing systems • Disrupting peering: SYN flooding the router's peering session • Denies the use of network resources to authorized users • Not very effective • Most routing protocols will rebuild the peering session • Redundant routing paths can defeat this attack • Falsifying routing information: e.g. spoofed ICMP redirect messages that inject false entries into a routing table • Misdirecting traffic to form a routing loop • Misdirecting traffic to a monitoring point: wormhole attack • Misdirecting traffic to a black hole (a router that silently drops it)
Routing (6) Wormhole attack • Recording traffic from one region of the network and replaying it in a different region. • It is difficult to detect, and is effective even in a network where confidentiality, integrity, authentication, and non-repudiation (via encryption, hashing, and digital signatures) are preserved, because the attacker never has to read or modify the packets, only relay them. • On a distance vector routing protocol, wormholes are very likely to be chosen as routes because they appear to provide a shorter path.
Routing (7) • An intruder node X is located within transmission range of legitimate nodes A and B, where A and B are not themselves within transmission range of each other. • Intruder node X merely tunnels control traffic between A and B (and vice versa), without the modification the routing protocol presumes, e.g. without stating its own address as the source in the packet header, so that X is virtually invisible. • This results in an extraneous, non-existent A - B link which is in fact controlled by X. Node X can afterwards drop tunneled packets or break this link at will. • Two intruder nodes X and X′, connected by a wireless or wired private medium, can also collude to create a longer (and more harmful) wormhole.
Routing (8) • A false route is established that shortens the apparent hop distance between two normal nodes. • Wormhole attacks can cause • DoS through data traffic: the malicious node(s) can insinuate themselves into a route and then drop data packets • DoS through routing disruptions: the attack can prevent discovery of legitimate routes • Unauthorized access: the attack defeats wireless access controls that are based on physical proximity, by making a distant node appear to be a neighbor
Routing (9) Countermeasure for the wormhole attack: packet leashes • A leash is data put into the header of each packet that restricts the packet's maximum allowed transmission distance. • Geographical leash: the sender includes its location and the send time; the receiver bounds the sender-to-receiver distance and rejects packets that could not have come from within radio range. • Temporal leash: the sender includes the send time or an expiry time; the receiver rejects packets that took longer than one radio hop at the speed of light, which requires tightly synchronized clocks. • Leashes must be authenticated, or the wormhole could simply rewrite them. • Like the idea of invisible fences used on animals.
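The leash checks as an added worked example (not code from the page or from the authors of the technique): it follows the geographic and temporal leashes of Hu, Perrig and Johnson's "Packet Leashes" paper (INFOCOM 2003) and authenticates the leash with an HMAC under a pre-shared key, a stand-in for the paper's TIK scheme. The node positions, timings, radio range, error bounds and key are all assumed values.

```python
"""Packet leashes against wormholes (added illustration, not code from the page).

Each packet carries the sender's position, send time and expiry time, signed
with an HMAC under a pre-shared key (the original scheme uses TIK/TESLA; the
key here is a stand-in).  Positions, timings and bounds are made up.
"""
import hashlib
import hmac
import math
import struct
from dataclasses import dataclass

C = 299_792_458.0          # speed of light, m/s
RANGE = 250.0              # maximum radio range L in metres (assumed)
V_MAX = 20.0               # maximum node speed in m/s (assumed)
DELTA_T = 1e-7             # clock synchronization error bound in seconds (assumed)
DELTA_P = 5.0              # position error bound in metres (assumed)
KEY = b"example-pre-shared-key"   # stand-in for the authenticated broadcast scheme


@dataclass(frozen=True)
class LeashedPacket:
    x: float
    y: float
    t_s: float      # send time
    t_e: float      # expiry time for the temporal leash
    payload: bytes
    tag: bytes      # HMAC over everything above


def _fields(x: float, y: float, t_s: float, t_e: float, payload: bytes) -> bytes:
    return struct.pack("!dddd", x, y, t_s, t_e) + payload


def send(x: float, y: float, t_s: float, payload: bytes) -> LeashedPacket:
    """Sender: attach position, send time and expiry t_e = t_s + L/c - Δ, then sign."""
    t_e = t_s + RANGE / C - DELTA_T
    tag = hmac.new(KEY, _fields(x, y, t_s, t_e, payload), hashlib.sha256).digest()
    return LeashedPacket(x, y, t_s, t_e, payload, tag)


def receive(pkt: LeashedPacket, rx: float, ry: float, t_r: float):
    """Receiver: verify the tag, then both leashes. Returns (accepted, reason)."""
    expected = hmac.new(KEY, _fields(pkt.x, pkt.y, pkt.t_s, pkt.t_e, pkt.payload),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt.tag):
        return False, "leash not authentic"
    # Temporal leash: the packet must arrive before its expiry time.
    if t_r > pkt.t_e:
        return False, "temporal leash: packet travelled too far (expired)"
    # Geographic leash: upper bound on the sender-receiver distance, allowing for
    # clock error, position error and movement of both nodes at V_MAX.
    distance = math.hypot(pkt.x - rx, pkt.y - ry)
    bound = distance + 2 * V_MAX * (t_r - pkt.t_s + DELTA_T) + 2 * DELTA_P
    if bound > RANGE:
        return False, f"geographic leash: bound {bound:.1f} m exceeds range {RANGE:.0f} m"
    return True, "ok"


def run_demo():
    a = (0.0, 0.0)
    b_near = (200.0, 0.0)       # a genuine neighbour of A
    b_far = (2000.0, 0.0)       # reachable only through a wormhole X -> X'
    pkt = send(a[0], a[1], 0.0, b"RREQ from A")
    legit = receive(pkt, *b_near, t_r=200.0 / C)
    # The wormhole relays the packet 2000 m; even at light speed it arrives after
    # the expiry time, and the positions would give it away as well.
    tunneled = receive(pkt, *b_far, t_r=2000.0 / C)
    # A wormhole that rewrites the leash to look local fails authentication.
    forged = LeashedPacket(1900.0, 0.0, 1900.0 / C, 2000.0 / C, pkt.payload, pkt.tag)
    forged_result = receive(forged, *b_far, t_r=2000.0 / C)
    return legit, tunneled, forged_result
```

The temporal leash alone needs clocks synchronized to a fraction of a microsecond (250 m of light travel is about 0.8 µs), which is why the geographic leash, with its looser clock requirement but need for positioning, is the more practical of the two in many deployments.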
Index • LAN Networking • Routing • Networking Devices
Networking Devices (1) Several types of devices are used in LANs, MANs, and WANs to provide intercommunication between computers and networks. • Repeaters • Bridges • Routers • Switches
Networking Devices (2) • A repeater provides the simplest type of connectivity • repeats and amplifies electrical signals between cable segments, which enables it to extend a network • works at the physical layer • A hub is a multiport repeater: the signal is broadcast to all ports • is often referred to as a concentrator • does not understand or work with IP or MAC addresses, so every attached host sees every frame
Networking Devices (3) • A bridge is a LAN device used to connect LAN segments. • Works at the data link layer (MAC addresses) • When a frame arrives at a bridge, the bridge determines whether the destination MAC address is on the local network segment. If it is not, the bridge forwards the frame to the necessary network segment. • Divides networks into smaller segments to ensure better use of bandwidth and traffic control.
Networking Devices (4) • The purposes of a bridge: • Isolates networks (collision domains) by MAC addresses • Manages network traffic by filtering frames • Translates from one link-layer protocol to another (translation bridge)
Networking Devices (6) Three main types of bridges are used: • Local bridge: connects two or more LAN segments within a local area • Remote bridge: connects two or more LAN segments over a MAN by using telecommunications links • Translation bridge: used if the two LANs being connected are different types and use different standards and protocols • E.g. a connection between a Token Ring network and an Ethernet network.
Networking Devices (7) • A bridge must know to which port a frame must be sent, i.e. where the destination host is located. • In transparent bridging, the bridge builds its forwarding table by itself, by recording the source MAC address and ingress port of every frame it receives; frames for unknown destinations are flooded out of all other ports. The Spanning Tree Algorithm (STA) is used alongside this to block redundant paths so that bridged loops do not form. • Source routing can be used instead of transparent bridging • Source routing moves a frame through a network on a predetermined path: the frame contains the information that tells each bridge where it should go • What is an explorer packet? A frame the source sends to discover a path; each bridge it traverses appends its own identifier, and the destination returns the recorded routes to the sender. • External devices and border routers should not accept packets with source routing information in their headers. Why? Because the sender, not the network, then chooses the path, which lets an attacker steer packets around firewalls and filters, or make spoofed packets return to the attacker instead of the address they claim to come from.
Networking Devices (8) Router is a device that has two or more interfaces and a routing table so that it knows how to get packets to their destinations. • Works at the network layer • Can filter traffic based on access control lists (ACLs) • Fragments packets when necessary • Discovers information about routes and changes that take place in a network through routing protocols (RIP, BGP, OSPF …)
Networking Devices (9) • Switches combine the functionality of a repeater and the functionality of a bridge. • On Ethernet networks, computers have to compete for the same shared network medium. This contention and the resulting collisions cause traffic delays and use up bandwidth. • Switches reduce or remove the sharing of the network medium
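A learning switch as an added example (not vendor code), covering the transparent bridging of slide (7), the MAC flooding listed under the ARP attacks, and the port-security countermeasure from the ARP slides: it learns source MACs per port, floods unknown destinations, and shows what happens when an attacker fills the MAC table. The table size, the MAC addresses and the evict-the-oldest behaviour when the table is full are assumptions of the model.

```python
"""A transparent (learning) bridge / switch, MAC flooding, and port security
(added illustration; nothing here is vendor code).

The switch learns source MACs per port, forwards known unicast to one port,
and floods unknown unicast and broadcast.  Filling the MAC (CAM) table with
bogus source MACs evicts the real hosts, so their traffic is flooded to every
port, including the attacker's.  Port security caps the MACs a port may present.
Evicting the oldest entry when the table is full is a simplification of real
CAM aging and hash-collision behaviour.
"""
from collections import OrderedDict, defaultdict
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports: List[int], cam_capacity: int,
                 max_macs_per_port: Optional[int] = None) -> None:
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam: "OrderedDict[str, int]" = OrderedDict()    # mac -> port, oldest first
        self.port_macs: Dict[int, Set[str]] = defaultdict(set)
        self.violations: List[str] = []

    def receive(self, in_port: int, src: str, dst: str) -> List[int]:
        """Process one frame; return the egress ports (empty = dropped or filtered)."""
        # Port security: a new source MAC beyond the per-port limit is a violation
        # and the frame is dropped (a real switch may also err-disable the port).
        if (self.max_macs_per_port is not None
                and src not in self.port_macs[in_port]
                and len(self.port_macs[in_port]) >= self.max_macs_per_port):
            self.violations.append(f"port {in_port}: extra MAC {src} rejected")
            return []
        # Learning: bind the source MAC to the ingress port (a refresh makes it newest).
        if src in self.cam:
            self.cam.move_to_end(src)
        elif len(self.cam) >= self.cam_capacity:
            old_mac, old_port = self.cam.popitem(last=False)   # simplified aging
            self.port_macs[old_port].discard(old_mac)
        self.cam[src] = in_port
        self.port_macs[in_port].add(src)
        # Forwarding decision.
        out_port = self.cam.get(dst)
        if dst == BROADCAST or out_port is None:
            return [p for p in self.ports if p != in_port]      # flood
        if out_port == in_port:
            return []                                           # filter: same segment
        return [out_port]


def mac_flood_demo(port_security: bool) -> Dict[str, object]:
    sw = LearningSwitch(ports=[1, 2, 3], cam_capacity=8,
                        max_macs_per_port=1 if port_security else None)
    alice, bob = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.receive(1, alice, bob)         # Alice (port 1) -> Bob: unknown yet, flooded
    sw.receive(2, bob, alice)         # Bob (port 2) replies: now both are learned
    before = sw.receive(1, alice, bob)
    # Attacker on port 3 blasts frames with 50 different fake source MACs.
    for i in range(50):
        sw.receive(3, f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    after = sw.receive(1, alice, bob)
    return {"before": before, "after": after,
            "attacker_sees_alice_to_bob": 3 in after,
            "cam_entries": len(sw.cam), "violations": len(sw.violations)}


if __name__ == "__main__":
    print("no port security:", mac_flood_demo(False))
    print("port security:   ", mac_flood_demo(True))
```

Without port security the Alice-to-Bob frame that was unicast before the attack is flooded to port 3 afterwards, which is the whole point of MAC flooding as a sniffing technique; with a one-MAC limit on port 3 the attacker's second and later source addresses are rejected and the table keeps the legitimate entries.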
Networking Devices (10) • Multilayered switches combine data link layer, network layer, and other layer functionalities. • have more enhanced functionalities • Can use tags (labels), which are assigned to each destination network or subnet • The use of these tags, referred to as Multiprotocol Label Switching (MPLS), not only allows for faster forwarding, but also addresses service requirements for the different packet types.
Networking Devices (11) • Switching makes it harder for intruders to sniff and monitor network traffic • because a switch delivers a unicast frame only to the port where it learned the destination MAC address, so a passive sniffer on another port sees only broadcast, multicast and flooded traffic rather than everything on the segment • Harder, not impossible: MAC flooding and ARP cache poisoning (see the ARP slides) are precisely the techniques used to make a switch deliver other hosts' traffic to the attacker • Virtual LANs (VLANs) are also an important part of switched networks • Enable administrators to have more control over their environment • Can isolate users and groups into logical and manageable entities
Networking Devices (12) • VLANs enable administrators to separate and group computers logically based on resource requirements, security, or business needs instead of the standard physical location of the systems. • Enable an administrator to apply particular security policies to respective logical groups. • A VLAN exists on top of the physical network
Networking Devices (13) • Gateway is a general term for software running on a device that connects two different environments • Acts as a translator for them or restricts their interactions. • E.g. a gateway can translate Internetwork Packet Exchange (IPX) protocol packets to IP packets • E.g. a gateway can connect FDDI to Ethernet • Gateways perform more complex tasks than routers and bridges. However, some people refer to routers as gateways when they connect two unlike networks (the "default gateway" of a host is simply its router).
Networking Devices (14) The types of firewalls we will review are • Packet filtering • Stateful • Proxy • Dynamic packet filtering • Kernel proxy
Networking Devices (15) Firewalls are used to restrict access to one network from another network. • A "choke point" in the network that monitors packets coming into and out of the network • Enforces which IP addresses and ranges are restricted, and which ports can be accessed • Firewalls are used to construct a demilitarized zone (DMZ), • A network segment that is located between the protected and the unprotected networks.
Networking Devices (16) • The DMZ usually contains web, mail, and DNS servers, • Many DMZs also have an IDS sensor that listens for malicious and suspicious behavior.
Networking Devices (17) Packet filtering is a security method of controlling what data can flow into and out of a network. • The first-generation firewall • Packet filtering takes place by using ACLs • ACLs are lines of text, called rules, that the device applies to each packet that it receives, in order, with the first matching rule deciding and an implicit deny at the end • E.g. any packets coming from the IP range 172.168.0.0 must be denied; no packets using the Telnet service are allowed to enter • This filtering is based on network- and transport-layer header information (addresses, protocol, ports, TCP flags) • Does not keep track of the state of a connection, so it cannot tell a genuine reply from a forged packet that merely looks like one
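A stateless packet filter as an added example (not any product's ACL engine): first-match rules with an implicit deny, encoding the two rules the slide gives plus a typical "established" rule, and one packet that shows why the absence of connection state lets a forged reply through. The addresses (taken from the documentation ranges) and the rule set are constructed for the example.

```python
"""A first-generation (stateless) packet filter (added illustration).

Rules are evaluated top-down, first match wins, with an implicit deny at the
end, the way router ACLs work.  The rule set encodes the slide's two examples
(deny the 172.168.0.0/16 range, deny Telnet) plus a typical "established"
rule, and the last packet shows why a stateless filter cannot tell a real
reply from a forged one.  Addresses come from the documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flags present, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None         # None matches any protocol
    dport: Optional[int] = None         # None matches any destination port
    established: bool = False           # match only TCP segments with ACK or RST set

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """The first matching rule decides: (action, rule index). No match: implicit deny."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


INBOUND_ACL = [
    Rule("deny", src="172.168.0.0/16"),                                # slide example 1
    Rule("deny", proto="tcp", dport=23),                               # slide example 2: no Telnet
    Rule("permit", proto="tcp", dst="203.0.113.10/32", dport=80),      # DMZ web server (assumed)
    Rule("permit", proto="tcp", dst="10.0.0.0/8", established=True),   # "replies" to inside hosts
]


def run_demo():
    web_request = Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 80, frozenset({"SYN"}))
    telnet = Packet("198.51.100.7", "203.0.113.10", "tcp", 51001, 23, frozenset({"SYN"}))
    blocked_range = Packet("172.168.5.5", "203.0.113.10", "tcp", 51002, 80, frozenset({"SYN"}))
    # Forged "reply": ACK set, but no inside host ever opened this connection.
    # A stateless filter has no table of open connections, so it lets it through.
    ack_probe = Packet("198.51.100.9", "10.1.2.3", "tcp", 80, 445, frozenset({"ACK"}))
    samples = [("web", web_request), ("telnet", telnet),
               ("blocked_range", blocked_range), ("ack_probe", ack_probe)]
    return {name: evaluate(INBOUND_ACL, p) for name, p in samples}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} -> {verdict}")
```

The `ack_probe` result is the limitation the next generations of firewall fix: a stateful filter would consult its connection table, find no outbound SYN from 10.1.2.3 to 198.51.100.9, and drop the segment regardless of its ACK flag.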
Networking Devices (18) A proxy firewall intercepts and inspects messages before delivering them to the intended recipients. • The second-generation firewall • a proxy firewall breaks the communication channel: there is no direct connection to internal computers. • makes a copy of each accepted packet before transmitting it. It repackages the packet to hide the packet’s true origin. • If an attacker attempts to scan or probe a company’s network, he will receive only information that has been intercepted and repackaged by the proxy server.