Security in Network
CNC LAB
2013/10/04
Speaker notes
• Global Server Load Balancing (GSLB); Local Domain Name Server (LDNS); Domain name server security (DNSSEC)
• Global Server Load Balancing (GSLB); Local Domain Name Server (LDNS); Domain name server security (DNSSEC); BIG-IP Global Traffic Manager product
• Invalid BGP route announcement. Traffic diverting by BGP route hijacking, unreachable... Detection is not so easy... Recovery is very hard... Not frequent, but it occurs. Easy outbreak, but big impact. Not only global, but localized outbreak.
• http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-3/securing_bgp_s-bgp.html
  IPsec to secure point-to-point communication of BGP control traffic; Public Key Infrastructure to provide an authorization framework representing prefix holders and owners of AS numbers; Attestations (digitally-signed data) to represent authorization information. S-BGP is an architectural solution to the BGP security problems described earlier by Cisco. S-BGP represents an extension of BGP. It uses a standard BGP facility to carry additional data about paths in UPDATE messages. It adds an additional set of checks to the BGP route selection algorithm. S-BGP avoids the pitfalls of transitive trust that are common in today's routing infrastructure. S-BGP mechanisms exhibit the same dynamics as BGP, and they scale commensurately with BGP.
Slide 2: Security level in network
• Host level (Application Hacking)
• Network level (VPN, BGP)
• Application level (Firewall, IDS/IPS, Anti-virus)
• Transmission level (ARP, RIP, OSPF, DNS Hiding, HTTPS, TLS/SSL, IPsec)
Slide 3: ARP (Address Resolution Protocol)
• Required TCP/IP standard defined in RFC 826.
• Resolves IP addresses used by TCP/IP-based software to Media Access Control (MAC) addresses used by LAN hardware.
• MAC addresses are obtained by using a network broadcast request
  ◦ "What is the MAC address for the device that is configured with the enclosed IP address?"
• When an ARP request is answered, both the sender of the ARP reply and the original ARP requester record each other's IP address and MAC address as an entry in a local table called the ARP cache, for future reference.
Slide 4: ARP spoofing
• An attacker sends fake ARP messages onto a LAN.
• The aim is to associate the attacker's MAC address with the IP address of another host, so that any traffic meant for that IP address is sent to the attacker instead.
• ARP spoofing allows the attacker to intercept data frames on a LAN. It can only be used on the local network segment.
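A detection-side companion to the slide, added here and not part of the original deck: an ARP cache monitor that flags the two symptoms of the attack just described, an IP address whose MAC binding changes and one MAC address that claims several IP addresses. The reply list, the optional `static_bindings` table of known-good entries and the alert format are constructed for the example.

```python
"""ARP cache monitor: flags IP-to-MAC binding changes and one MAC claiming many IPs.

Added example, not from the slides. Input is a constructed list of ARP replies
(timestamp, sender IP, sender MAC) such as a sniffer or a periodic
'ip neigh' dump would yield; the static_bindings table is an assumed
operator-maintained list of known-good entries.
"""
from collections import defaultdict

# Constructed sample of ARP replies observed on one LAN segment.
SAMPLE_REPLIES = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # default gateway
    (2, "10.0.0.5", "aa:aa:aa:aa:aa:05"),   # workstation
    (3, "10.0.0.7", "aa:aa:aa:aa:aa:07"),   # printer
    (9, "10.0.0.1", "bb:bb:bb:bb:bb:99"),   # gateway IP now claimed by a different MAC
    (10, "10.0.0.5", "bb:bb:bb:bb:bb:99"),  # the same MAC also claims a second IP
]


def monitor_arp(replies, static_bindings=None):
    """Return alert strings for the replies, in order of detection.

    static_bindings: optional {ip: mac} of known-good entries; a reply that
    contradicts it is flagged even if it is the first one seen for that IP.
    """
    static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    learned = {}                      # ip -> first MAC seen for it
    ips_per_mac = defaultdict(set)    # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static and static[ip] != mac:
            alerts.append(f"t={ts} STATIC-MISMATCH {ip} claimed by {mac}, expected {static[ip]}")
        if ip in learned and learned[ip] != mac:
            alerts.append(f"t={ts} BINDING-CHANGE {ip}: {learned[ip]} -> {mac}")
        learned.setdefault(ip, mac)
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"t={ts} MULTI-IP {mac} claims {sorted(ips_per_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for line in monitor_arp(SAMPLE_REPLIES, {"10.0.0.1": "aa:aa:aa:aa:aa:01"}):
        print(line)
```

The learned table deliberately keeps the first binding rather than the newest one, so every later reply from the impostor keeps raising an alert; a static entry for the gateway turns the first bogus reply into an immediate mismatch instead of a mere change.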
Slide 5: RIP attacks
• Forging RIP messages
• Spoofing the source address and sending invalid routes, altering traffic flow
  ◦ Traffic hijacking
  ◦ Traffic monitoring
  ◦ Redirecting traffic from trusted to untrusted
• Obtaining the clear-text RIPv2 "password" when it is sent across the network
  ◦ Using the retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with the consequences listed above
Slide 6: RIP safeguards
• Disabling RIPv1 and using RIPv2 with MD5 authentication
• Enabling MD5-based authentication for RIPv2
• Disabling RIP completely and using OSPF with MD5 authentication as the interior gateway protocol; OSPF is the suggested IGP
Slide 7: OSPF attacks
• Forging OSPF messages
  ◦ Can be somewhat difficult but theoretically possible if no authentication is required or a clear-text password is obtained
• Four identified OSPF attacks
  ◦ Max Age attack
  ◦ Sequence++ attack
  ◦ Max Sequence attack
  ◦ Bogus LSA attack
Fig: Sequence number attack
Slide 8: OSPF safeguards
• Do not use dynamic routing on hosts wherever it is not required
• Implement MD5 authentication
  ◦ You need to deal with key expiration, changeover and coordination across routers
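The MD5 safeguard from slides 6 and 8 in working form, as an added example that is not part of the deck: a RIPv2 response carrying the RFC 2082 keyed-MD5 trailer, a verifier that rejects altered, replayed, unknown-key and expired-key updates, and a small key chain with overlapping validity windows to cover the key changeover caveat on slide 8. The packet layout follows RFC 2082; the key-chain format, the `KEY_CHAIN` contents and the route list are constructed for the example.

```python
"""RIPv2 keyed-MD5 authentication with a key chain (RFC 2082 style).

Added example, not from the slides. It models the safeguard of slides 6-8:
an MD5 trailer over the RIP message so forged or altered updates are
rejected, plus a key chain with validity windows so keys can be rotated
across routers. Packet layout per RFC 2082; the key chain is an assumption.
"""
import hashlib
import ipaddress
import struct

# Constructed key chain: key_id -> (secret, valid_from, valid_to) in seconds.
KEY_CHAIN = {
    1: (b"old-shared-secret", 0, 1000),
    2: (b"new-shared-secret", 900, 10**9),   # overlaps key 1 during changeover
}


def _rip_header():
    return struct.pack("!BBH", 2, 2, 0)      # command=2 (response), version=2


def _route_entry(prefix, next_hop, metric):
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def _digest(body, secret):
    # Trailer = AFI 0xFFFF, auth type 1, 16-byte slot. While hashing, the slot
    # holds the key (zero-padded/truncated to 16 bytes); on the wire it holds the digest.
    key_slot = secret[:16].ljust(16, b"\x00")
    return hashlib.md5(body + struct.pack("!HH", 0xFFFF, 1) + key_slot).digest()


def select_key(key_chain, now):
    """Send side: newest key id that is valid at time `now`."""
    valid = [(kid, secret) for kid, (secret, lo, hi) in key_chain.items() if lo <= now <= hi]
    if not valid:
        raise ValueError("no valid key in chain")
    return max(valid)


def build_update(routes, key_chain, seq, now):
    key_id, secret = select_key(key_chain, now)
    entries = b"".join(_route_entry(*r) for r in routes)
    body_len = 4 + 20 + len(entries)          # RIP-2 packet length excluding the trailer
    auth_hdr = struct.pack("!HHHBBI8s", 0xFFFF, 3, body_len, key_id, 16, seq, b"\x00" * 8)
    body = _rip_header() + auth_hdr + entries
    return body + struct.pack("!HH", 0xFFFF, 1) + _digest(body, secret)


def verify_update(packet, key_chain, now, last_seq=-1):
    """Return (ok, reason): checks key validity, sequence number and the MD5 trailer."""
    if len(packet) < 44 or packet[:4] != _rip_header():
        return False, "malformed"
    afi, atype, body_len, key_id, dlen, seq, _ = struct.unpack("!HHHBBI8s", packet[4:24])
    if (afi, atype, dlen) != (0xFFFF, 3, 16):
        return False, "no MD5 authentication entry"
    if key_id not in key_chain:
        return False, f"unknown key id {key_id}"
    secret, lo, hi = key_chain[key_id]
    if not lo <= now <= hi:
        return False, f"key {key_id} expired"
    if seq <= last_seq:
        return False, "replayed sequence number"
    body, trailer = packet[:body_len], packet[body_len:]
    if len(trailer) != 20 or _digest(body, secret) != trailer[4:]:
        return False, "bad digest"
    return True, "ok"
```

The receiver looks the key up by the key id carried in the packet, so both sides can hold the old and the new key at once and the sender simply starts using the newer one; the same keyed-digest idea is what BGP's TCP MD5 option on slide 30 applies to the TCP segment.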
Slide 9: DNS hiding
• Hiding DNS does not improve security
  ◦ It is easy to learn about a network once you have penetrated it
  ◦ There are many other ways for host/address information to leak out
• Hiding DNS may be necessary if you do not have valid IP addresses
  ◦ Or if you have many unreachable nodes/networks
Slide 10: Typical DNS Environment (figure)
Slide 11: Hidden DNS Environment (figure)
Slide 12: Firewall -> Internal Queries (figure: internal queries, firewall, internal queries)
Slide 13: Firewall -> External Queries (figure: firewall, external queries, external queries)
Slide 14: DNS infrastructure is vulnerable
Figure: Example.com app servers behind a GSLB; the LDNS asks "www.example.com?" and the legitimate answer is 123.123.123.123, while a hacker spoofing with the first response (cache poisoning) answers 012.012.012.012.
Problem: the DNS infrastructure needs to be secured
• Cache poisoning and spoofing can hijack DNS records
• A method for trusted responses is needed
• The US Government mandate for DNSSEC compliance must be met
Spoofing and cache poisoning allow hijacking of domains.
Slide 15: Securing the DNS infrastructure (dynamic and secure DNS with Global Traffic Manager)
Figure: Example.com app servers behind BIG-IP GTM; the LDNS asks "www.example.com?" and receives 123.123.123.123 together with a public key, so the client gets a signed, trusted response even with a hacker on the path.
Solution: secure and dynamic DNS
• Ensure users get trusted DNS responses, signed
• Reduce management costs: simple to implement and maintain
• Meet mandates with a DNSSEC-compliant solution
BIG-IP Global Traffic Manager with DNSSEC
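The "spoofing with the first response" problem from slide 14, modelled from the resolver's side as an added example that is not part of the deck: a naive resolver caches whatever reply arrives first, while the hardened one matches transaction ID, port and question and only caches records inside the bailiwick of the zone it asked. Messages are constructed dicts rather than DNS wire format, the off-by-one txid/port of the spoofed reply stands in for a wrong guess, and DNSSEC signature validation (the slide 15 answer) is not modelled here.

```python
"""Resolver-side checks against a spoofed 'first response' (slide 14).

Added example, not from the slides. A naive resolver caches whatever reply
arrives first for a name it asked about; the hardened one accepts a reply
only if its transaction ID and destination port match the outstanding query
and the question matches, and it caches only records inside the bailiwick
of the zone it queried. Messages are constructed dicts, not DNS wire format.
"""
import random


class Resolver:
    def __init__(self, hardened, rng=None):
        self.hardened = hardened
        self.rng = rng or random.SystemRandom()
        self.pending = {}   # qname -> {"txid", "port", "zone"}
        self.cache = {}     # name -> ip

    def send_query(self, qname, zone):
        """Record an outstanding query with a random transaction ID and source port."""
        query = {"txid": self.rng.randrange(1 << 16),
                 "port": self.rng.randrange(1024, 1 << 16),
                 "zone": zone}
        self.pending[qname] = query
        return query

    def receive(self, reply):
        """reply: {"txid", "port", "qname", "answers": [(name, ip), ...]}; True if cached."""
        qname = reply["qname"]
        query = self.pending.get(qname)
        if query is None:
            return False                      # nothing outstanding: late or unsolicited
        answers = reply["answers"]
        if self.hardened:
            if reply["txid"] != query["txid"] or reply["port"] != query["port"]:
                return False                  # wrong txid/port: drop it, keep waiting

            def in_bailiwick(name):
                return name == query["zone"] or name.endswith("." + query["zone"])

            if not in_bailiwick(qname):
                return False
            answers = [(n, ip) for n, ip in answers if in_bailiwick(n)]
        self.cache.update(answers)
        del self.pending[qname]
        return True


def simulate(hardened, seed=7):
    """A spoofed reply lands before the real one; return the resulting cache."""
    resolver = Resolver(hardened, random.Random(seed))
    query = resolver.send_query("www.example.com", "example.com")
    # Constructed spoofed reply: txid and port do not match (modelled as off by
    # one) and it carries an extra record for a name outside example.com.
    spoof = {"txid": (query["txid"] + 1) & 0xFFFF, "port": query["port"] ^ 1,
             "qname": "www.example.com",
             "answers": [("www.example.com", "012.012.012.012"),
                         ("www.bank.example", "012.012.012.012")]}
    legit = {"txid": query["txid"], "port": query["port"],
             "qname": "www.example.com",
             "answers": [("www.example.com", "123.123.123.123")]}
    resolver.receive(spoof)
    resolver.receive(legit)
    return resolver.cache
```

With the naive resolver the forged answer wins and the real one is discarded as unsolicited; with the checks in place the forged answer is dropped and the real one is cached. The bailiwick filter is what stops a reply about `www.example.com` from planting a record for an unrelated name.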
Slide 16: TLS/SSL
• Transport Layer Security / Secure Sockets Layer
• Provide communication security over the Internet
• Use X.509 certificates, and hence asymmetric cryptography, to assure the counterparty whom they are talking with and to exchange a symmetric key. The session key is then used to encrypt the data flowing between the parties. This allows for data/message confidentiality and message integrity.
• TLS/SSL is initialized at layer 5 (session layer) and then works at layer 6 (presentation layer). It works on behalf of the underlying transport layer.
Slide 17: HTTPS
• A communication protocol for secure communication over a computer network.
• The result of simply layering HTTP on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.
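The certificate check that slides 16 and 17 rely on is only as good as the client configuration, so here is an added example (not from the deck) that builds a weak and a hardened client-side `ssl.SSLContext` with the Python standard library and reports the settings that decide whether the counterparty's certificate and hostname are actually verified. No connection is opened, so it runs offline; the `describe()` helper and its keys are constructed for the example.

```python
"""Client-side TLS context: a weak configuration beside a hardened one (slides 16-17).

Added example, not from the slides. Two ssl.SSLContext objects are built with
the standard library; describe() reports the settings that decide whether the
X.509 certificate (and hence the counterparty's identity) is checked at all.
"""
import ssl


def weak_context():
    # Disables the very check that X.509 certificates exist for: any
    # certificate, self-signed or for another name, is accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    # create_default_context() loads the system CA store, requires a
    # certificate and checks that it matches the hostname being connected to.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL/TLS 1.0/1.1
    return ctx


def describe(ctx):
    """Constructed summary of the settings that matter for the slide's claims."""
    return {"verify_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
            "check_hostname": ctx.check_hostname,
            "min_version": ctx.minimum_version.name}


if __name__ == "__main__":
    print("weak    :", describe(weak_context()))
    print("hardened:", describe(hardened_context()))
```

Use the hardened context for `ssl.SSLContext.wrap_socket()` or as the `context=` argument of `urllib`/`http.client`; the weak one is what many "fix the certificate error" snippets quietly install, and with it the symmetric session key is exchanged with whoever answered.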
Slide 18: Internet Protocol Security (IPsec)
• IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
• IPsec uses the following protocols to perform its various functions:
  ◦ Authentication Headers (AH) provide connectionless integrity and data-origin authentication for IP datagrams and provide protection against replay attacks.
  ◦ Encapsulating Security Payloads (ESP) provide confidentiality, data-origin authentication, connection integrity, an anti-replay service and limited traffic-flow confidentiality.
  ◦ Security Associations (SA) provide the bundle of algorithms and data that supply the parameters necessary for AH and/or ESP operations.
Slide 19: Internet Protocol Security (IPsec), modes of operation
• There are two modes of operation in IPsec.
• Transport mode: only the payload of the IP packet is usually encrypted and/or authenticated. With the Authentication Header the IP header cannot be translated, as this would invalidate the hash value. The transport and application layers are always secured by the hash, so they cannot be modified in any way.
• Tunnel mode: the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network, host-to-network and host-to-host communications.
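An added example, not from the deck, that makes the slide's "the IP header cannot be translated" point concrete: simplified AH and ESP integrity checks over dict-shaped packets, a one-hop forwarder that decrements the TTL and can act as a NAT, and an ESP tunnel-mode wrapper. The ICV algorithm (HMAC-SHA256), the SA key, the packet fields and the `forward()` helper are all constructed for the example; encryption is not modelled.

```python
"""What AH and ESP integrity-protect, and why AH breaks behind NAT (slides 18-19).

Added example, not from the slides. Packets are simplified dicts and the
integrity check value (ICV) is HMAC-SHA256 under a constructed SA key (real
IPsec negotiates the algorithm per Security Association). AH covers the IP
header (mutable fields such as TTL zeroed) plus the AH header and payload;
ESP covers only its own header and the payload. Encryption is not modelled.
"""
import hashlib
import hmac
import json

SA_KEY = b"constructed-sa-key"


def _icv(key, *parts):
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(json.dumps(part, sort_keys=True).encode())
    return mac.hexdigest()


def ah_protect(pkt, key=SA_KEY, spi=1, seq=1):
    """Transport-mode AH: ICV over immutable IP header fields, AH header and payload."""
    header_for_icv = dict(pkt["ip"], ttl=0)     # TTL changes per hop, so it is zeroed
    ah = {"spi": spi, "seq": seq}
    ah["icv"] = _icv(key, header_for_icv, {"spi": spi, "seq": seq}, pkt["payload"])
    return {"ip": dict(pkt["ip"]), "ah": ah, "payload": pkt["payload"]}


def ah_verify(pkt, key=SA_KEY):
    header_for_icv = dict(pkt["ip"], ttl=0)
    ah = {k: v for k, v in pkt["ah"].items() if k != "icv"}
    return hmac.compare_digest(pkt["ah"]["icv"], _icv(key, header_for_icv, ah, pkt["payload"]))


def esp_protect(pkt, key=SA_KEY, spi=2, seq=1):
    """Transport-mode ESP (integrity only): ICV over ESP header and payload, not the IP header."""
    esp = {"spi": spi, "seq": seq}
    esp["icv"] = _icv(key, {"spi": spi, "seq": seq}, pkt["payload"])
    return {"ip": dict(pkt["ip"]), "esp": esp, "payload": pkt["payload"]}


def esp_verify(pkt, key=SA_KEY):
    esp = {k: v for k, v in pkt["esp"].items() if k != "icv"}
    return hmac.compare_digest(pkt["esp"]["icv"], _icv(key, esp, pkt["payload"]))


def esp_tunnel(pkt, outer_src, outer_dst, key=SA_KEY, spi=3, seq=1):
    """Tunnel mode: the whole original packet becomes the payload of a new IP packet."""
    inner = {"ip": dict(pkt["ip"]), "payload": pkt["payload"]}
    outer = {"ip": {"src": outer_src, "dst": outer_dst, "ttl": 64}, "payload": inner}
    return esp_protect(outer, key, spi, seq)


def forward(pkt, nat_src=None):
    """One router hop: decrement TTL and, if nat_src is given, rewrite the source (NAT)."""
    out = dict(pkt, ip=dict(pkt["ip"]))
    out["ip"]["ttl"] -= 1
    if nat_src:
        out["ip"]["src"] = nat_src
    return out


ORIGINAL = {"ip": {"src": "10.0.0.5", "dst": "203.0.113.9", "ttl": 64},
            "payload": "GET / HTTP/1.1"}   # constructed packet
```

A plain hop (TTL decrement) passes AH because the mutable field is excluded from the ICV, a NAT hop fails AH because the source address is covered, and the same NAT hop passes ESP because the outer IP header is outside ESP's scope; that difference is why ESP, not AH, is what gets run through address-translating networks, and why tunnel mode's inner header survives untouched.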
Slide 20: Firewall
• A firewall is a hardware or software device which is configured to permit, deny or proxy data through a computer network that has different levels of trust.
• A hardware firewall is a device located between the Internet and the end terminals.
• It applies "ruleset" filters in the control plane and the data plane to prevent some attacks that enter on one or more interfaces.
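To show what a "ruleset" filter actually evaluates, here is an added example that is not part of the deck: a first-match packet filter with a default-deny policy, driven by a constructed border ruleset in which an anti-spoofing deny (internal source address arriving on the outside interface) is placed ahead of the permits. The `Rule`/`Packet` shapes and the ruleset are constructed for the example.

```python
"""First-match packet filter with a default-deny policy (slide 20).

Added example, not from the slides. Rules and packets are constructed;
matching is by ingress interface, protocol, source/destination CIDR and
destination port range, evaluated top to bottom with the first hit winning.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    iface: str = "any"                   # ingress interface
    proto: str = "any"                   # tcp / udp / icmp / any
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[Tuple[int, int]] = None   # inclusive range, None = any port


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int = 0


def matches(rule, pkt):
    return ((rule.iface == "any" or rule.iface == pkt.iface)
            and (rule.proto == "any" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport[0] <= pkt.dport <= rule.dport[1]))


def evaluate(rules, pkt):
    """Return (action, index of the matching rule); index is None for the default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Constructed ruleset for a border firewall: "outside" faces the Internet,
# "inside" faces the 10.0.0.0/8 corporate network.
RULES = [
    Rule("deny", iface="outside", src="10.0.0.0/8"),                                  # anti-spoofing
    Rule("permit", iface="outside", proto="tcp", dst="10.0.1.10/32", dport=(443, 443)),  # public web server
    Rule("permit", iface="outside", proto="tcp", dst="10.0.1.20/32", dport=(25, 25)),    # mail exchanger
    Rule("permit", iface="inside", src="10.0.0.0/8"),                                  # internal hosts may go out
]


if __name__ == "__main__":
    for pkt in (Packet("outside", "tcp", "203.0.113.5", "10.0.1.10", 443),
                Packet("outside", "tcp", "203.0.113.5", "10.0.1.10", 22),
                Packet("outside", "tcp", "10.0.0.9", "10.0.1.10", 443)):
        print(pkt, "->", evaluate(RULES, pkt))
```

Order is part of the policy: move the anti-spoofing rule below the web-server permit and a packet claiming an internal source address would be allowed through to the server, which is the kind of mistake a ruleset review looks for.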
Slide 21: Firewall types (figure)
Slide 22: Intrusion Detection System (IDS/IPS)
• An IDS is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
• It focuses on identifying possible incidents, logging information about them, and reporting attempts.
Slide 23: Intrusion Detection System (IDS/IPS), continued
• It differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening, whereas an IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
• A statistical anomaly-based IDS is used to detect anomalous traffic, and a signature-based IDS to monitor packets in the network and compare them with pre-configured, pre-determined attack patterns.
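Both detection styles from slide 23 side by side, as an added example that is not part of the deck: signature matching with two regexes over request lines, and a statistical anomaly detector that flags a source whose request count in the current window exceeds the mean plus three standard deviations of its earlier windows. The log events, the signatures and the window model are constructed for the example.

```python
"""Signature-based and statistical anomaly-based detection over sample logs (slides 22-23).

Added example, not from the slides. Events are constructed (window, source,
request) tuples such as a web access log would give after bucketing by time.
Signatures are regexes over the request; the anomaly detector compares each
source's request count in the current window with a baseline mean and
standard deviation learned from that source's earlier windows.
"""
import re
import statistics
from collections import Counter

# Constructed sample: five quiet windows, then window 5 with a burst and two probes.
SAMPLE = (
    [(w, "198.51.100.4", "GET /index.html") for w in range(5) for _ in range(3)]
    + [(w, "203.0.113.7", "GET /about") for w in range(5) for _ in range(4)]
    + [(5, "198.51.100.4", "GET /index.html")] * 3
    + [(5, "203.0.113.7", "GET /about")] * 40                        # ten-fold burst
    + [(5, "192.0.2.9", "GET /cgi-bin/../../etc/passwd"),             # traversal pattern
       (5, "192.0.2.9", "GET /search?q=' OR '1'='1")]                 # injection pattern
)

SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
}


def signature_alerts(events):
    """Every (window, source, signature name) hit, in log order."""
    return [(w, src, name) for w, src, req in events
            for name, rx in SIGNATURES.items() if rx.search(req)]


def anomaly_alerts(events, current_window, k=3.0):
    """Sources whose count in current_window exceeds mean + k*stdev of their past windows."""
    counts = Counter((w, src) for w, src, _ in events)
    past_windows = sorted({w for w, _, _ in events if w < current_window})
    alerts = []
    for src in {s for _, s, _ in events}:
        history = [counts[(w, src)] for w in past_windows]
        if len(history) < 2:
            continue                                  # no baseline yet: cannot judge
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        now = counts[(current_window, src)]
        if now > mean + k * max(sd, 1.0):             # floor on sd so a flat baseline is not hair-trigger
            alerts.append((src, now, round(mean, 2)))
    return sorted(alerts)


if __name__ == "__main__":
    print("signature:", signature_alerts(SAMPLE))
    print("anomaly  :", anomaly_alerts(SAMPLE, current_window=5))
```

The two probes are invisible to the rate detector (two requests is well within any baseline) and the burst is invisible to the signatures (every request is a legitimate `GET /about`), which is the practical reason the slide pairs the two methods.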
Slide 24: Anti-virus protection
• There are two types of anti-virus protection: host-based antivirus (HAV) and network-based antivirus (NAV).
• Host-based antivirus solutions
  ◦ Deployed in the form of software programs that run on standard host computer platforms; used to provide protection solely for the host on which they are installed
  ◦ HAV products are file-based; they always work in conjunction with the file system installed on the host
  ◦ HAV products operate in an uncontrolled environment, require significant administration, and only operate on files that have been written to the host's disk file system
  ◦ HAV products typically reduce the overall performance of the host on which they run, and are rarely used to scan real-time applications
Slide 25: Anti-virus protection, continued
• Network-based AV solutions are installed on a network gateway between two networks.
• NAV systems typically employ dedicated platforms.
• NAV systems provide a single barrier behind which all hosts are protected.
• NAV systems stop viruses at the network edge.
• NAV systems reduce the load on servers by eliminating infected data before it reaches the servers.
• NAV systems are well positioned in the network to scan Web and other traffic that tends to bypass conventional HAV systems.
Slide 26: Virtual Private Network (VPN)
• A virtual private network allows the provisioning of private network services for an organization or organizations over a public or shared infrastructure such as the Internet or a service provider backbone network.
• A VPN is a combination of software and hardware that allows employees, telecommuters, business partners and remote sites to use a public or "unsecured" medium such as the Internet to establish a secure, private connection with a host network.
• A VPN connection is a point-to-point connection between the user's computer and the company's server.
Slide 27: Virtual Private Network (VPN), continued
• A key component of a VPN solution is providing data privacy, user authentication and access control.
• Protocols and technologies used to enable site-to-site VPNs include IP security (IPsec), Generic Routing Encapsulation (GRE), the Layer 2 Tunneling Protocol, IEEE 802.1Q and MPLS.
• Protocols used to enable remote-access VPNs include the Layer 2 Forwarding protocol, the Point-to-Point Tunneling Protocol, the Layer 2 Tunneling Protocol, IP security and the Secure Sockets Layer.
Slide 28: BGP hijacking
• AS100 is advertising its own route (10.0.0.0/8): victim AS
• AS400 is advertising an invalid route (10.0.0.0/8): hijacking AS
• AS300 is infected by the hijacking: infected AS
• AS200 is influenced, but not infected, by the hijacking: influenced AS
Figure: AS100, AS200, AS300 and AS400 all carrying 10.0.0.0/8, with two route tables in which ">" marks the best path: one holds "> 10.0.0.0/8 100" and "10.0.0.0/8 300 400", the other holds "10.0.0.0/8 200 100" and "> 10.0.0.0/8 400".
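The slide's scenario replayed in code as an added example that is not part of the deck: the two route tables from the figure are fed to a shortest-AS-path selector, which reproduces "AS300 infected, AS200 influenced", and then to the same selector with route-origin validation in front of it, which rejects AS400's announcement before it can be chosen. The ROA table is constructed and RPKI-style (RFC 6811 valid/invalid/not-found), a different mechanism from the S-BGP attestations on slide 29; the `classify()` labels and `RECEIVED` contents are assumptions drawn from the figure.

```python
"""Route-origin validation against the slide-28 hijack scenario.

Added example, not from the slides. Each AS's received routes are modelled as
(prefix, as_path) tuples, origin last, taken from the route tables in the
slide figure; best path is the shortest AS path (the only BGP tie-breaker
modelled). The ROA table is constructed and RPKI-style (RFC 6811 states),
which is a different mechanism from the S-BGP attestations on slide 29.
"""
import ipaddress

PREFIX = "10.0.0.0/8"
RECEIVED = {
    200: [(PREFIX, (100,)), (PREFIX, (300, 400))],   # AS200: direct from the victim, and via AS300
    300: [(PREFIX, (200, 100)), (PREFIX, (400,))],   # AS300: via AS200, and direct from the hijacker
}
ROAS = [("10.0.0.0/8", 100, 8)]   # (prefix, authorised origin AS, maxLength)


def rov_state(prefix, origin, roas):
    """RFC 6811 origin validation state for one announcement."""
    net = ipaddress.ip_network(prefix)
    covering = [(asn, maxlen) for p, asn, maxlen in roas
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "not-found"
    if any(asn == origin and net.prefixlen <= maxlen for asn, maxlen in covering):
        return "valid"
    return "invalid"


def select(routes, roas=None):
    """Return (best, accepted, rejected); with roas, 'invalid' announcements are rejected first."""
    accepted, rejected = [], []
    for prefix, path in routes:
        if roas is not None and rov_state(prefix, path[-1], roas) == "invalid":
            rejected.append((prefix, path))
        else:
            accepted.append((prefix, path))
    best = min(accepted, key=lambda r: (len(r[1]), r[1])) if accepted else None
    return best, accepted, rejected


def classify(asn, roas=None, hijacker=400):
    """Label an AS the way the slide does, from what it accepted and chose."""
    best, accepted, _ = select(RECEIVED[asn], roas)
    if best is None:
        return "no route"
    if best[1][-1] == hijacker:
        return "infected"        # forwards traffic for the prefix toward the hijacker
    if any(path[-1] == hijacker for _, path in accepted):
        return "influenced"      # holds the bogus route as a backup path only
    return "clean"


if __name__ == "__main__":
    for asn in (200, 300):
        print(asn, "without ROV:", classify(asn), "| with ROV:", classify(asn, ROAS))
```

AS200 is "influenced" rather than "infected" only because its own one-hop path to AS100 happens to be shorter; if AS100 withdrew, or if AS400 prepended nothing while AS100's path grew, AS200 would flip to the hijacker too, which is why the origin check belongs in front of path selection rather than behind it.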
Slide 29: Securing the Border Gateway Protocol
Fig: S-BGP Element Interactions
• S-BGP is an architectural solution to the BGP security problems.
• Developed by Cisco
• S-BGP makes use of: IPsec, Public Key Infrastructure, Attestations
Slide 30: BGP threat mitigations
• MD5 carried in the TCP header
Fig: BGP MD5 Neighbor Authentication
Slide 31: Application hacking
Security flaws at the application level:
• Un-validated input
• Broken access control
• Broken authentication and session management
• Cross-site scripting
• Buffer overflows
• Injection flaws
• Improper error handling
• Insecure storage
• Denial of service
• Insecure configuration management
Slide 32: Application hacking, continued
• Application shield: referred to as an application-level firewall. It ensures that incoming and outgoing requests are permissible for the given application. It is commonly installed on Web servers, email servers, database servers and similar machines. It is transparent to the user but highly integrated with the device on the back end.
• Access control/authentication: only authorized users are able to access the application.
• Input validation: verify that application input travelling across your network is safe to process.
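The "un-validated input" and "injection flaws" items from slide 31, with the input-validation control from slide 32 applied, as an added example that is not part of the deck: a lookup that concatenates user input into SQL beside one that allow-list-validates the username and binds it as a parameter, plus output encoding for the cross-site-scripting item. The in-memory SQLite table, its rows, the `USERNAME_RE` policy and the sample inputs are constructed for the example.

```python
"""Input validation and parameterised queries beside the unsafe version (slides 31-32).

Added example, not from the slides. An in-memory SQLite table stands in for
the application's database. lookup_unsafe() builds SQL by string formatting
(the un-validated input / injection flaw from the slide's list);
lookup_safe() validates the username against an allow-list pattern and binds
it as a parameter. render_safe() shows output encoding against cross-site scripting.
"""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # constructed allow-list policy


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "admin"),     # constructed rows
        ("bob", "bob@example.com", "user"),
    ])
    return db


def lookup_unsafe(db, username):
    # Vulnerable: the input becomes part of the statement text, so a quote in
    # it changes the query's structure instead of being compared as data.
    return db.execute(f"SELECT name, email FROM users WHERE name = '{username}'").fetchall()


def lookup_safe(db, username):
    """Allow-list validation first, then a bound parameter; returns [] on bad input."""
    if not USERNAME_RE.match(username):
        return []
    return db.execute("SELECT name, email FROM users WHERE name = ?", (username,)).fetchall()


def render_safe(username):
    """Encode before embedding in HTML so markup in the value is displayed, not executed."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))
    print("safe  :", lookup_safe(db, probe))
    print(render_safe("<script>alert(1)</script>"))
```

The two controls are independent: the bound parameter alone already stops the injection, and the allow-list alone already rejects the probe, so a defect in one still leaves the other standing.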
