Design and Implement of Common Network Security Scanning System
By Abhishek Kamalayagari

OUTLINE
• What the paper is about
• Introduction
• Scanning methods
• Common network security scanning system
• Conclusion
• References
WHAT THE PAPER IS ABOUT?
• Emphasizes the role of a network security scanning system in providing network security, and its positive and negative sides.
• Describes some popular scanning methods.
• To achieve high performance, a network security scanning system based on libnet and libpcap is presented.
INTRODUCTION
• Network security is an important issue today.
• Tools such as IDS, firewalls and network security scanning systems take care of security.
• Network security scanning has two sides:
  +ve side: protecting systems (administrators, auditors...)
  -ve side: attacking systems (intruders)
• Weaknesses may be introduced by misconfiguration or bad programming.
• An intruder wants to learn as much as possible about the target host before attacking it.
• Simplest security scan: ping scan (which hosts answer at all).

Introduction: scanning methods
• Port scanning: the most popular method; tells which machines are up, which ports are open on each machine, which services run on each host, and gives some information about the OS.
• Vulnerability scanning: tells which machines are vulnerable to known vulnerabilities.
• Remote OS detection: the weaknesses and vulnerabilities of a system are tied to the underlying OS, especially in a networked environment, so identifying the OS is a step in its own right.
Scanning methods: software examples
• Nmap: port scanning, remote OS detection.
• Uses raw IP packets to determine:
  hosts available on the network
  services offered (application name, version)
  the OS they run
  firewalls/packet filters in use
  dozens of other characteristics
• Designed to rapidly scan large networks, and works fine against single hosts.
• Portable.
• Has both command-line and GUI versions.
• Supports a wide range of protocols: TCP, UDP, ICMP, etc.

Cont...
• Nessus: vulnerability scanning, remote OS detection; plug-in based.
• Goal: determine potential vulnerabilities on the tested systems.
• Has two parts:
  a) server: performs the scanning (nessusd, the Nessus daemon)
  b) client: manages the server and presents the results to the user (nessus)
• Its vulnerability data is CVE-compatible.
• Plug-ins are written in NASL (Nessus Attack Scripting Language).

Known vulnerabilities
• CVE: Common Vulnerabilities and Exposures, managed by the MITRE Corporation.
• A list (dictionary) of publicly known information security vulnerabilities and exposures; each entry has a unique CVE identifier.
• The common identifiers enable data exchange between security products and provide a baseline index point for evaluating the coverage of tools and services.
Scanning in detail
• Port scanning: the aim is to find open ports on the remote host.
• TCP and UDP are the transport protocols of the TCP/IP suite; each has 65,535 ports (1-65535) shared by applications and protocols.
• Send a protocol packet to the remote host and receive the response packet; the response identifies the status of the remote port.

Cont... TCP probe/response and the inferred port state:

  Sent    Received        Port state
  SYN     SYN+ACK         open
  SYN     RST             closed
  FIN     RST             closed
  FIN     (no response)   open (or filtered: a firewall dropping the probe looks the same)

Cont... Port scanning has three ways:
  a) open scanning: completes the whole TCP connection (full connect)
  b) half-open scanning: does not finish the connection, e.g. SYN scan
  c) stealth scanning: uses techniques such as FIN probes or slowing the scan down to evade detection
• Open scanning is fast and reliable, but produces more log entries and is easily detected; stealth scanning can avoid IDS and firewall logging but sometimes gives wrong results (e.g. a silently dropped FIN probe is reported as an open port).
Cont... Remote OS detection
• Important because different operating systems have different kernels and implementation styles, so their TCP/IP stacks answer probes slightly differently.
• Even once a vulnerability is known, knowing the OS helps in exploiting it; an intruder can pick OS-specific hacking tools to attack the target.
• Example tools: RING (Remote Identification Next Generation), designed to identify the remote OS with minimal disturbance of the target; Xprobe, which uses a matrix-based fingerprinting approach.

Cont... Vulnerability scanning
• Scans a specified set of ports on the remote host and tries to detect the service offered at each port and its known vulnerabilities, which can expose the system to threats.
• The result is a security assessment of the whole system and of the attacks possible against it.
• Vulnerabilities are of two types: introduced by the programmer, introduced by the administrator.
• Scanners are of two types: host scanners and network scanners.
COMMON NETWORK SECURITY SCANNING SYSTEM
• System architecture: 9 modules, 3 of which are security scanning modules; more scanning modules can be added if needed.
• Needs two essential functions: a) send packet, b) get (capture) packet, realized with libnet and libpcap.
• A scanning system needs a strong log analysis module.
• The system can be placed in front of or behind the firewall.

Libnet
• Written by Mike D. Schiffman, libnet is a C library for constructing and injecting packets for many protocols, assembled from protocol blocks.
• It can create two types of packet:
  a) link layer: the caller builds the link-layer (e.g. Ethernet) header itself
  b) raw socket: the caller builds from the IP layer up and the kernel adds the link layer
• Three steps:
  libnet_init()
  build the protocol blocks (innermost first, e.g. libnet_build_tcp() then libnet_build_ipv4())
  libnet_write()
Packet construction...

    /* SYN probe: the TCP block is built first, the IPv4 block is then built around it */
    tcp = libnet_build_tcp(
        src_prt,                  /* source port */
        dst_prt,                  /* destination port */
        0x01010101,               /* sequence number */
        0x02020202,               /* acknowledgement number */
        TH_SYN,                   /* control flags: SYN only */
        32767,                    /* window size */
        0,                        /* checksum: 0 lets libnet compute it */
        0,                        /* urgent pointer */
        LIBNET_TCP_H + payload_s, /* TCP packet size: header plus payload */
        payload,                  /* payload */
        payload_s,                /* payload size */
        l,                        /* libnet context from libnet_init() */
        0);                       /* ptag: 0 builds a new block */
    if (tcp == -1)
        fprintf(stderr, "libnet_build_tcp: %s\n", libnet_geterror(l));
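To show what the call above actually puts on the wire, here is the same SYN probe built by hand in pure Python. This is an added example, not code from the paper or from libnet; it follows the field order of libnet_build_tcp() and fills in the checksum that the slide passes as 0, computed over the TCP pseudo-header the way libnet does when it autocomputes. The addresses and ports are constructed sample values.

```python
"""Hand-built IPv4/TCP SYN probe, the packet libnet_build_tcp() above produces.

Added example, not code from the paper or from libnet; standard library only.
Field order mirrors the libnet call on the slide, and the checksum that the
slide passes as 0 is computed here over the TCP pseudo-header, which is what
libnet does when it autocomputes. Addresses and ports are constructed samples.
"""
import socket
import struct

TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp(src_ip, dst_ip, src_prt, dst_prt, seq, ack, flags,
              window=32767, payload=b"") -> bytes:
    """20-byte TCP header (+payload) with checksum over the IPv4 pseudo-header."""
    offset_flags = (5 << 12) | flags  # data offset 5 words (no options), flag bits
    hdr = struct.pack("!HHIIHHHH", src_prt, dst_prt, seq, ack,
                      offset_flags, window, 0, 0)  # checksum placeholder, urgent ptr
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ipv4(src_ip, dst_ip, payload, ttl=64, ident=0x1234) -> bytes:
    """20-byte IPv4 header carrying a TCP payload, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_syn_probe(src_ip, dst_ip, src_prt, dst_prt) -> bytes:
    """Same constants as the slide: seq 0x01010101, ack 0x02020202, SYN, window 32767."""
    tcp = build_tcp(src_ip, dst_ip, src_prt, dst_prt, 0x01010101, 0x02020202, TH_SYN)
    return build_ipv4(src_ip, dst_ip, tcp)


def verify_checksums(packet: bytes) -> bool:
    """Recompute both checksums over the finished packet; each must fold to zero."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0,
                         socket.IPPROTO_TCP, len(tcp))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    pkt = build_syn_probe("192.0.2.1", "192.0.2.80", 40000, 80)
    print(len(pkt), "bytes, checksums valid:", verify_checksums(pkt))
    print(pkt.hex())
```

Injecting the result needs a raw socket with IP_HDRINCL set and root privileges, which is exactly what a LIBNET_RAW4 context wraps; the point of the example is that a wrong pseudo-header (for instance using the wrong TCP length) gives a packet the target stack silently discards, so a scanner that builds its own probes should verify them the way verify_checksums() does.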
Libpcap
• libpcap is the packet capture library (not libcap, the Linux capabilities library), designed by Van Jacobson, Craig Leres and Steven McCanne.
• It uses the BPF (Berkeley Packet Filter) mechanism so that only the wanted packets are copied out of the kernel, which makes capture fast.
• BPF has two components: a) the filter, which decides per packet whether to keep it, and b) the kernel part, which taps the interface and buffers the accepted packets.
• The kernel buffer is double-buffered: a store buffer being filled and a hold buffer ready to be read by the application.

Cont... A filter expression is made of primitives with three kinds of qualifiers:
  a) type: what the following id names: host, net or port
  b) direction: which end of the path: src or dst
  c) protocol: the protocol the packet must carry: ip, arp, rarp, tcp, udp, icmp...
• Complex filter rules are built with and, or and not, e.g. tcp and src host 192.0.2.80 and dst port 40000 (addresses here are illustrative).

Cont... Capture sequence:
  pcap_findalldevs(): list the capture devices
  pcap_open_live(): open an interface for live capture
  pcap_compile(): compile the filter expression into a BPF program
  pcap_setfilter(): install the program on the capture handle
  pcap_loop(): hand each captured packet to a callback, where the system analyses it for the information it needs (e.g. port state)
  pcap_close(): release the handle
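The callback handed to pcap_loop() is where the scanning system turns captured bytes into a port-state verdict, applying the probe/response table from the port-scanning slides. The following is an added example, not code from the paper or from libpcap: it dissects Ethernet/IPv4/TCP frames as pcap_open_live() delivers them on an Ethernet device, applies a host/port/protocol match equivalent to the BPF qualifiers above (evaluated in Python instead of compiled by pcap_compile()), and classifies each probed port. The frames and addresses are constructed sample data with zero checksums, since only the header fields are read.

```python
"""Dissect captured replies and read off the port state from the TCP flags.

Added example, not code from the paper or from libpcap. It plays the role of
the callback that pcap_loop() invokes per packet, assuming an Ethernet capture
(14-byte link header). The filter mirrors the BPF qualifiers on the slide
(type: host/port, direction: src/dst, protocol: tcp) but is evaluated here in
Python. Frames and addresses are constructed samples; checksums are left zero
because only the fields are parsed.
"""
import socket
import struct

TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10
ETH_P_IP = 0x0800


def parse_frame(frame: bytes):
    """Ethernet -> IPv4 -> TCP; return the fields a scanner needs, or None."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None  # not IPv4 (ARP, IPv6, ...)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes, options included
    if ip[9] != socket.IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    src_prt, dst_prt, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": src_prt, "dst_port": dst_prt,
        "seq": seq, "ack": ack,
        "flags": off_flags & 0x01FF,  # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    }


def matches(pkt, src_host=None, src_port=None, dst_host=None, dst_port=None) -> bool:
    """'tcp and src host A and src port B and dst host C and dst port D' in Python."""
    wanted = ((src_host, pkt["src_ip"]), (src_port, pkt["src_port"]),
              (dst_host, pkt["dst_ip"]), (dst_port, pkt["dst_port"]))
    return all(want is None or want == got for want, got in wanted)


def classify_reply(sent_flags, reply) -> str:
    """Port state per the probe/response table; reply is None on timeout."""
    if reply is None:
        # SYN with no answer: something dropped it. FIN with no answer: RFC 793
        # says an open port stays silent, but a dropping firewall looks the same.
        return "open|filtered" if sent_flags & TH_FIN else "filtered"
    flags = reply["flags"]
    if flags & TH_RST:
        return "closed"
    if sent_flags & TH_SYN and flags & TH_SYN and flags & TH_ACK:
        return "open"
    return "unknown"


def _frame(src_ip, dst_ip, sport, dport, flags) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the sample capture below."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)  # MACs zeroed, type IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, socket.IPPROTO_TCP,
                     0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0x11111111, 0x01010102,
                      (5 << 12) | flags, 65535, 0, 0)
    return eth + ip + tcp


# Sample capture: scanner 192.0.2.1:40000 sent SYNs to 192.0.2.80 ports 80, 81, 22.
SAMPLE_CAPTURE = [
    _frame("192.0.2.80", "192.0.2.1", 80, 40000, TH_SYN | TH_ACK),     # 80 answers: open
    _frame("192.0.2.80", "192.0.2.1", 81, 40000, TH_RST | TH_ACK),     # 81 refuses: closed
    _frame("198.51.100.9", "192.0.2.1", 443, 40000, TH_SYN | TH_ACK),  # other host: filtered out
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                          # ARP frame: ignored
]


def scan_results(capture, scanner="192.0.2.1", target="192.0.2.80",
                 probe_port=40000, probed=(80, 81, 22)) -> dict:
    """Correlate replies to the probed ports; a port with no reply is filtered."""
    replies = {}
    for frame in capture:
        pkt = parse_frame(frame)
        if pkt and matches(pkt, src_host=target, dst_host=scanner, dst_port=probe_port):
            replies[pkt["src_port"]] = pkt
    return {port: classify_reply(TH_SYN, replies.get(port)) for port in probed}


if __name__ == "__main__":
    for port, state in scan_results(SAMPLE_CAPTURE).items():
        print(f"192.0.2.80:{port} {state}")
```

In the real system the equivalent filter string would be compiled once with pcap_compile() and installed with pcap_setfilter(), so the kernel discards the unrelated host and the ARP frame before they reach user space; the correlation by source port and the timeout-as-filtered rule stay in the callback either way.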
CONCLUSION
• A common network scanning system is designed and implemented, which helps administrators assess security weaknesses, identify risks and refine the security policy.
• It can find vulnerabilities before an intruder exploits them through attacks such as trojans, DoS or buffer overflows.
• It is based on libnet and libpcap, which makes it more transparent.
REFERENCES
1. Wentao Liu, "Design and Implement of Common Network Security Scanning System", IEEE Xplore, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5223272&isnumber=5222865
2. Nmap, http://www.nmap.org
3. http://netsecurity.about.com/cs/hackertools/a/aa030404.htm