Network security

  • Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Incoming packets are compared to a set of predefined and/or user-created rules that determine whether each packet is to be forwarded or dropped. Consider this scenario: what would happen if you received an e-mail message or visited a website that contained a concealed program? Let's say this program was designed to install itself on your machine and then surreptitiously communicate with someone via the Internet: a distributed denial of service (DDoS) attack zombie or a keystroke logger, for example. And trust me, this is by no means an unlikely scenario. http://www.smallbusinesscomputing.com/webmaster/article.php/3103431
  • Discovery
      • Network sniffer: documents the discovery of the target IP address and any other useful information, such as the protocols in use on the target network
      • Traceroute: attempts to locate the target device and all intermediate routers, switches, and systems
  • Penetration
      • Synflood attack: used to see whether the firewall can withstand repeated open-connection requests and also log the attack
      • Garbage attack: used to see whether the firewall can withstand random data packets sent to random ports
      • UDP ping: used to see whether the firewall can withstand a large UDP ping packet sent to it
      • TCP ping: used to see whether the firewall can withstand a large TCP ping packet sent to it
      • Ping of death: used to see whether the firewall can withstand a single oversized packet sent to it
  • Set of rules that have filters
  • Transcript

    • 1. Trish Miller: Network Security
    • 2. Objectives
        • Types of Attacks
        • Attacks on the OSI & TCP/IP Model
        • Attack Methods
        • Prevention
        • Switch Vulnerabilities and Hacking
        • Cisco Routers
        • Interesting links
    • 3. Types of Attacks
        • Physical Access Attacks
            • Wiretapping
            • Server Hacking
            • Vandalism
        • Dialog Attacks
            • Eavesdropping
            • Impersonation
            • Message Alteration
    • 4. Types of Attacks (Cont.)
        • Social Engineering
            • Opening Attachments
            • Password Theft
            • Information Theft
        • Penetration Attacks
            • Scanning (Probing)
            • Break-in
            • Denial of Service
            • Malware
                • Viruses
                • Worms
    • 5. Risk Analysis of the Attack
        • What is the cost if the attack succeeds?
        • What is the probability of occurrence?
        • What is the severity of the threat?
        • What is the countermeasure cost?
        • What is the value of protecting the system?
        • Determine whether the countermeasure should be implemented.
        • Finally, determine its priority.
    • 6. OSI & TCP/IP Related Attacks
    • 7. OSI Model Related Attacks
        • Application layer:
            • Attacks on the web
            • Attacks are typically viruses
        • Presentation:
            • Cracking of encrypted transmissions that use a short encryption key
        • Session:
            • Password theft
            • Unauthorized access with root permission
        • Transport & Network:
            • Forged TCP/IP addresses
            • DoS attacks
    • 8. OSI Model Related Attacks
        • Data Link & Physical
            • Network sniffers
            • Wire taps
            • Trojan horses
            • Malicious code
    • 9. Attacks Related to TCP Packet
        • Port Number
            • Applications are identified by their port numbers
            • Well-known ports (0-1023)
                • HTTP=80, Telnet=23, FTP=21 for supervision (control) and 20 for data transfer, SMTP=25
            • Applications on these ports must be run by the root user
    • 10. Attacks Related to TCP Packet
        • IP address spoofing
            • Change the source IP address
            • To conceal the identity of the attacker
            • To have the victim think the packet comes from a trusted host
            • LAND attack
    • 11. Attacks Related to TCP Packet
        • Port Number
            • Registered ports (1024-49152) for any application
            • Not all operating systems use these port ranges, although all use the well-known ports
    • 12. Attack Methods
    • 13. Attack Methods
        • Host Scanning
        • Network Scanning
        • Port Scanning
        • Fingerprinting
    • 14. Attack Methods (Cont.)
        • Host Scanning
            • Ping a range of IP addresses or use alternative scanning messages
            • Identifies victims
            • Types of host scanning
                • Ping scanning
                • TCP SYN/ACK attacks
    • 15. Attack Methods (Cont.)
        • Network Scanning
            • Discovery of the network infrastructure (switches, routers, subnets, etc.)
            • Tracert and similar applications identify all routers along the route to a destination host
    • 16. Attack Methods (Cont.)
        • Port Scanning
            • Once a host is identified, scan all its ports to find out whether it is a server and of what type
            • Two types:
                • Server port scanning
                    • TCP
                    • UDP
                • Client port scanning
                    • NetBIOS
                    • Ports 135-139 are used by NetBIOS for file and print services
                    • GRC.com is a free website that scans your PC for open ports
    • 17. Attack Methods (Cont.)
        • Fingerprinting
            • Discovers the host operating system and applications, as well as their versions
                • Active (sends)
                • Passive (listens)
            • Nmap does all major scanning methods
    • 18. Attack Methods (Cont.)
        • Denial-of-Service (DoS) Attacks
            • Attacks on availability
            • SYN flooding attacks overload a host or network with connection attempts
            • Stopping DoS attacks is very hard
    • 19. Attack Methods (Cont.)
        • The Break-In
            • Password guessing
            • Taking advantage of unpatched vulnerabilities
            • Session hijacking
    • 20. After the Compromise
        • Download a rootkit via TFTP
        • Delete audit log files
        • Create a backdoor account or Trojan backdoor programs
    • 21. After the Compromise (Cont.)
        • Weaken security
        • Use the access to steal information or do damage
        • Install malicious software (RAT, DoS zombie, spam relay, etc.)
    • 22. Prevention
    • 23. Preventions
        • Stealth Scanning
        • Access Control
        • Firewalls
        • Proxy Servers
        • IPsec
        • Security Policies
        • DMZ
        • Host Security
    • 24. Stealth Scanning
        • Noisiness of attacks
        • Exposure of the attacker's IP address
        • Reduce the rate of attack below the IDS threshold
        • Scan selective ports
    • 25. Access Control
        • The goal of access control is to prevent attackers from gaining access, and to stop them if they do.
        • The best way to accomplish this is to:
            • Determine who needs access to the resources located on the server.
            • Decide the access permissions for each resource.
            • Implement specific access control policies for each resource.
            • Record mission-critical resources.
            • Harden the server against attacks.
            • Disable invalid accounts and establish policies.
    • 26. Firewalls
        • Firewalls are designed to protect you from outside attempts to access your computer, whether for the purpose of eavesdropping on your activities, stealing data, sabotage, or using your machine as a means to launch an attack on a third party.
    • 27. Firewalls (Cont.)
        • Hardware
            • Provides a strong degree of protection from the outside world.
            • Can be effective with little or no setup.
            • Can protect multiple systems.
        • Software
            • Better suited to protecting against Trojans and worms.
            • Allows you to configure the ports you wish to monitor, giving you finer control.
            • Protects a single system.
    • 28. Firewalls
        • Can Prevent
            • Discovery
                • Network
                • Traceroute
            • Penetration
                • Synflood
                • Garbage
                • UDP Ping
                • TCP Ping
                • Ping of Death
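The rule set behind the firewall slides (28) and the LAND attack on slide 10, as an added example that is not part of the presentation: a first-match, default-deny packet filter that drops LAND packets, oversized pings, traceroute probes, random-port garbage and per-source SYN bursts. The thresholds, the exposed service ports and the sample packets are all constructed assumptions.

```python
from collections import defaultdict

MAX_IP_LEN = 65535      # IP total-length maximum; a datagram reassembling above it is a ping of death
MAX_ICMP_LEN = 1024     # assumed ceiling for a legitimate echo request ("large ping")
SYN_LIMIT = 20          # assumed number of half-open SYNs tolerated per source address
TRACEROUTE_UDP = range(33434, 33534)   # UDP ports that classic traceroute probes with


class PacketFilter:
    """First matching rule decides; anything unmatched falls through to default deny."""

    def __init__(self, tcp_services, udp_services):
        self.tcp_services = set(tcp_services)   # ports the firewall is meant to expose
        self.udp_services = set(udp_services)
        self.syn_seen = defaultdict(int)        # half-open SYN count per source address

    def verdict(self, pkt):
        """Return (action, rule) for one packet; pkt is a dict of decoded header fields."""
        if pkt["src"] == pkt["dst"]:                    # LAND (slide 10): forged source equals destination
            return "DROP", "land"
        if pkt["len"] > MAX_IP_LEN:                     # ping of death
            return "DROP", "ping-of-death"
        if pkt["proto"] == "icmp":
            if pkt["len"] > MAX_ICMP_LEN:               # large ping
                return "DROP", "oversized-ping"
            return "ACCEPT", "icmp"
        if pkt["proto"] == "udp":
            if pkt["dport"] in TRACEROUTE_UDP:          # network discovery (traceroute)
                return "DROP", "traceroute"
            if pkt["dport"] not in self.udp_services:   # random data on random ports (garbage)
                return "DROP", "garbage-udp"
            return "ACCEPT", "udp"
        if pkt["proto"] == "tcp":
            if pkt["dport"] not in self.tcp_services:
                return "DROP", "garbage-tcp"
            if pkt.get("flags") == "S":                 # a new connection request
                self.syn_seen[pkt["src"]] += 1
                if self.syn_seen[pkt["src"]] > SYN_LIMIT:   # synflood
                    return "DROP", "synflood"
            return "ACCEPT", "tcp"
        return "DROP", "default-deny"


def run_sample():
    """Constructed traffic that exercises each rule; returns the list of (action, rule)."""
    fw = PacketFilter(tcp_services=[80, 25], udp_services=[53])
    host = "10.0.0.5"
    trace = [
        {"src": host, "dst": host, "proto": "tcp", "dport": 80, "flags": "S", "len": 60},
        {"src": "198.51.100.7", "dst": host, "proto": "icmp", "dport": 0, "len": 70000},
        {"src": "198.51.100.7", "dst": host, "proto": "udp", "dport": 33440, "len": 60},
        {"src": "198.51.100.7", "dst": host, "proto": "udp", "dport": 4444, "len": 60},
        {"src": "198.51.100.7", "dst": host, "proto": "tcp", "dport": 80, "flags": "S", "len": 60},
    ]
    results = [fw.verdict(p) for p in trace]
    # the same source keeps opening connections; the 21st SYN and every later one is dropped
    flood = [fw.verdict(dict(trace[-1])) for _ in range(25)]
    results.append(flood[-1])
    return results


if __name__ == "__main__":
    for action, rule in run_sample():
        print(action, rule)
```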
    • 29. Proxy
        • A proxy server is a buffer between your network and the outside world.
        • Use an anonymous proxy to prevent attacks.
    • 30. IPSec
        • Provides various security services for traffic at the IP layer
        • These security services include
            • Authentication
            • Integrity
            • Confidentiality
    • 31. IPsec overview: how IPsec helps
        Problem | How IPsec helps | Details
        Unauthorized system access | Authentication, tamperproofing | Defense in depth by isolating trusted from untrusted systems
        Targeted attacks on high-value servers | Authentication, tamperproofing | Locking down servers with IPsec. Examples: HR servers, Outlook® Web Access (OWA), DC replication
        Eavesdropping | Authentication, confidentiality | Defense in depth against password or information gathering by untrusted systems
        Government guideline compliance | Authentication, confidentiality | Example: "All communications between financial servers must be encrypted."
    • 32. DMZ (image; the diagram is not included in the transcript)
    • 33. Host Security
        • Hardening Servers
        • Cisco IOS
        • Upgrades and Patches
        • Unnecessary Services
        • Network Monitoring tools
    • 34. Switch Vulnerabilities and Hacking
    • 35. CDP Protocol
        • Used to locate the IP address, version, and model.
        • Mass amounts of packets being sent can fake a crash.
        • Used to troubleshoot the network, but should be disabled.
    • 36. ARP Poisoning
        • Gives users data by poisoning the ARP cache of an end node.
        • The MAC address is used to determine the destination; the device driver does not check it.
        • A user can forge an ARP datagram for a man-in-the-middle attack.
    • 37. SNMP
        • SNMP manages the network.
        • Authentication is weak: the public and private community strings are sent in clear text.
        • Uses the UDP protocol, which is prone to spoofing.
        • Enable SNMPv3 without backwards compatibility.
    • 38. Spanning Tree Attacks
        • Standard STP takes 30-45 seconds to deal with a failure or a root bridge change.
        • Purpose: a Spanning Tree attack reviews the traffic on the backbone.
    • 39. Spanning Tree Attacks
        • Only devices affected by the failure notice the change.
        • The attacker can create a DoS condition on the network by sending BPDUs.
    • 40. Spanning Tree Attacks (Cont.)
        • STEP 1: MAC flood the access switch.
        • STEP 2: Advertise as a priority-zero bridge.
    • 41. Spanning Tree Attacks (Cont.)
        • STEP 3: The attacker becomes the root bridge!
            • Spanning Tree recalculates.
            • The backbone of the original network now runs from the attacking host to the other switches on the network.
    • 42. STP Attack Prevention
        • Disabling STP can introduce another attack.
        • BPDU Guard
            • Disables ports using portfast upon detection of a BPDU message on the port.
            • Enabled on any ports running portfast.
    • 43. STP Attack Prevention
        • Root Guard
            • Prevents a device on a protected port from becoming the root bridge through the BPDUs it sends.
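BPDU Guard and Root Guard from slides 42 and 43 as port-level policy, an added example that is neither the presentation's nor Cisco's code: it decodes an IEEE 802.1D configuration BPDU and applies both guards to the port it arrived on, so the priority-zero root claim from slide 40 errdisables an edge port and puts a guarded uplink into the root-inconsistent state. The bridge IDs, port names and BPDU bytes are constructed test input.

```python
import struct
from dataclasses import dataclass

BPDU_FMT = "!HBBB8sI8sHHHHH"          # 802.1D configuration BPDU; bridge ids are 2-byte priority + 6-byte MAC
BPDU_LEN = struct.calcsize(BPDU_FMT)   # 35 bytes


@dataclass(frozen=True)
class BridgeId:
    priority: int   # lower priority wins the root election
    mac: bytes      # 6-byte bridge MAC breaks ties

    def __lt__(self, other):
        return (self.priority, self.mac) < (other.priority, other.mac)

    def to_bytes(self):
        return self.priority.to_bytes(2, "big") + self.mac


def parse_config_bpdu(payload: bytes) -> dict:
    """Decode the STP payload that follows the LLC header into its fields."""
    if len(payload) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    proto, version, btype, flags, root, cost, bridge, port, *timers = struct.unpack(BPDU_FMT, payload[:BPDU_LEN])
    if proto != 0 or btype != 0x00:
        raise ValueError("not a configuration BPDU")
    return {"root": BridgeId(int.from_bytes(root[:2], "big"), root[2:]), "cost": cost,
            "bridge": BridgeId(int.from_bytes(bridge[:2], "big"), bridge[2:]), "port": port}


def build_config_bpdu(root: BridgeId, cost: int, bridge: BridgeId, port: int) -> bytes:
    """Constructed test input: a well-formed configuration BPDU carrying the default STP timers."""
    return struct.pack(BPDU_FMT, 0, 0, 0x00, 0, root.to_bytes(), cost, bridge.to_bytes(),
                       port, 0, 20 * 256, 2 * 256, 15 * 256)   # timers are in 1/256 s units


@dataclass
class Port:
    name: str
    portfast: bool = False     # edge port toward a host: BPDU Guard applies (slide 42)
    root_guard: bool = False   # designated port toward the real root: Root Guard applies (slide 43)
    state: str = "forwarding"


def receive_bpdu(port: Port, payload: bytes, current_root: BridgeId) -> str:
    """Apply BPDU Guard, then Root Guard, to a BPDU arriving on port; returns the new port state."""
    bpdu = parse_config_bpdu(payload)
    if port.portfast:
        port.state = "errdisable"           # no bridge belongs behind an edge port: shut it down
    elif port.root_guard and bpdu["root"] < current_root:
        port.state = "root-inconsistent"    # a superior root claim is ignored and the port blocks
    else:
        port.state = "forwarding"           # ordinary BPDU: normal STP processing continues
    return port.state
```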
    • 44. CSM and CSM-S
        • Cisco Content Switching Module
        • Cisco Content Switching Module with SSL
    • 45. Cisco Secure Desktop (CSD)
        • 3 major vulnerabilities
            • Maintains information after an Internet browsing session; this occurs after an SSL VPN session ends.
            • Evades the system policies preventing logoff, which allows a VPN connection to be activated.
            • Allows local users to elevate their privileges.
    • 46. Prevention
        • Cisco has software to address the vulnerabilities.
        • There are workarounds available to mitigate the effects of some of these vulnerabilities.
    • 47. Cisco Routers
    • 48. Cisco Routers
        • Two potential issues with Cisco routers
            • Problems with certain IOS software
            • SNMP
    • 49. Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4
        • Problem with the software
        • Confidential information can be leaked out
        • Software updates on the Cisco site can fix this problem
    • 50. Virtual Private Networks (diagram: Virtual connection 1, Virtual connection 2)
    • 51. Virtual Private Networks (diagram: Information leak, Error, Connection)
    • 52. Cisco uBR10012 series devices automatically enable SNMP read/write access
        • Since there are no access restrictions on this community string, attackers can exploit this to gain complete control of the device
    • 53. (diagram: Cisco router, attacking computer) By sending an SNMP set request with a spoofed source IP address, the attacker will be able to get the victim router to send him its configuration file.
    • 54. (diagram: Cisco router, attacking computer) With this information, the remote computer will have complete control over this router.
    • 55. Fixes: software updates available on the Cisco site will fix the read/write problem
    • 56. Links
        • http://sectools.org/tools2.html
        • http://insecure.org/sploits/l0phtcrack.lanman.problems.html
        • http://www.grc.com/intro.htm
        • http://www.riskythinking.com
        • http://www.hidemyass.com/
    • 57. References
        • http://www.bmighty.com/network/showArticle.jhtml;jsessionid=2YYDWJHHX3FL2QSNDLPSKHSCJUNN2JVN?articleID=202401432&pgno=2
        • http://www.juniper.net/security/auto/vulnerabilities/vuln19998.html
        • http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
        • http://www.askapache.com/security/hacking-vlan-switched-networks.html
        • http://marc.info/?l=bugtraq&m=116300682804339&w=2
        • http://www.secureroot.com/security/advisories/9809702147.html
    • 58. Trish Miller
