Network security

  • Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Each arriving packet is compared to a set of predefined and/or user-created rules that determine whether the packet is to be forwarded or dropped. Consider this scenario: what would happen if you received an e-mail message or visited a website that contained a concealed program? Let's say this program was designed to install itself on your machine and then surreptitiously communicate with someone via the Internet, as a distributed denial of service (DDoS) attack zombie or a keystroke logger, for example. And trust me, this is by no means an unlikely scenario. Source: http://www.smallbusinesscomputing.com/webmaster/article.php/3103431
  • Notes on the firewall "Can Prevent" slide:
    • Discovery
      • Network sniffer: documents the discovery of the target IP address and any other useful information, such as the protocols in use on the target network
      • Traceroute: attempts to locate the target device and all intermediate routers, switches, and systems
    • Penetration
      • SYN flood attack: used to see whether the firewall can withstand repeated open-connection requests and also log the attack
      • Garbage attack: used to see whether the firewall can withstand random data packets on random ports
      • UDP ping: used to see whether the firewall can withstand a large UDP ping packet sent to it
      • TCP ping: used to see whether the firewall can withstand a large TCP ping packet sent to it
      • Ping of death: used to see whether the firewall can withstand a single over-sized packet sent to it
  • A firewall is a set of rules that act as filters.

Presentation Transcript

  • Network Security (Trish Miller)
  • Objectives
    • Types of Attacks
    • Attacks on the OSI & TCP/IP Model
    • Attack Methods
    • Prevention
    • Switch Vulnerabilities and Hacking
    • Cisco Routers
    • Interesting links
  • Types of Attacks
    • Physical Access Attacks
      • Wiretapping
      • Server Hacking
      • Vandalism
    • Dialog Attacks
      • Eavesdropping
      • Impersonation
      • Message Alteration
  • Types of Attacks (Cont.)
    • Social Engineering
      • Opening Attachments
      • Password Theft
      • Information Theft
    • Penetration Attacks
      • Scanning (Probing)
      • Break-in
      • Denial of Service
      • Malware
        • Viruses
        • Worms
  • Risk Analysis of the Attack
    • What is the cost if the attack succeeds?
    • What is the probability of occurrence?
    • What is the severity of the threat?
    • What is the countermeasure cost?
    • What is the value of the system being protected?
    • Determine whether the countermeasure should be implemented.
    • Finally, determine its priority.
  • OSI & TCP/IP Related Attacks
  • OSI Model Related Attacks
    • Application layer:
      • Attacks on web applications
      • Attacks are typically viruses and other malware
    • Presentation:
      • Cracking of encrypted transmissions that use a short encryption key
    • Session:
      • Password theft
      • Unauthorized access with root permission
    • Transport & Network:
      • Forged (spoofed) TCP/IP addresses
      • DoS attacks
  • OSI Model Related Attacks (Cont.)
    • Data Link & Physical:
      • Network sniffers
      • Wiretaps
      • Trojan horses
      • Malicious code
  • Attacks Related to TCP Packet
    • Port Number
      • Applications are identified by their port numbers
      • Well-known ports (0-1023)
        • HTTP=80, Telnet=23, FTP=21 for the control connection and 20 for data transfer, SMTP=25
      • On Unix-like systems only the root user may bind a service to a well-known port
      • Registered ports (1024-49151) for any application; 49152-65535 are the dynamic/private range
      • Not all operating systems use these port ranges, although all use the well-known ports
  • Attacks Related to TCP Packet (Cont.)
    • IP address spoofing
      • Change the source IP address
      • To conceal the identity of the attacker
      • To have the victim think the packet comes from a trusted host
      • LAND attack: a SYN whose source address and port equal its destination address and port, which caused some older TCP stacks to lock up
  • Attack Methods
    • Host Scanning
    • Network Scanning
    • Port Scanning
    • Fingerprinting
  • Attack Methods (Cont.)
    • Host Scanning
      • Ping a range of IP addresses or use alternative scanning messages
      • Identifies victims
      • Types of host scanning
        • Ping scanning
        • TCP SYN/ACK probes
  • Attack Methods (Cont.)
    • Network Scanning
      • Discovery of the network infrastructure (switches, routers, subnets, etc.)
      • Tracert and similar applications identify all routers along the route to a destination host
  • Attack Methods (Cont.)
    • Port Scanning
      • Once a host is identified, scan all ports to find out whether it is a server and what type it is
      • Two types:
        • Server port scanning
          • TCP
          • UDP
        • Client port scanning
          • NetBIOS
          • Ports 135-139 (RPC endpoint mapper and NetBIOS) are used for Windows file and print services.
          • GRC.com offers a free website that scans your PC for open ports.
  • Attack Methods (Cont.)
    • Fingerprinting
      • Discovers the host operating system and applications, as well as their versions
        • Active (sends probes)
        • Passive (listens)
      • Nmap implements all major scanning methods
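The host scanning, port scanning and fingerprinting steps above are one procedure: confirm a host is up, find its open ports, then learn what is listening. The following Python is an added example for this deck, not code from the slides or from Nmap: a TCP connect scan with a banner grab, run against a constructed local listener (the banner string, port range and timeouts are assumptions made here so the scan works offline).

```python
"""TCP connect scan with banner-grab fingerprinting against a constructed local
target. Added example for this deck; the listener, banner and port range are
assumptions made here so the scan runs offline."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Optional


def start_fake_service(banner: bytes) -> int:
    """Constructed target: listens on an ephemeral 127.0.0.1 port and sends one banner per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """Full TCP handshake to one port (the 'connect scan'); None = closed or filtered,
    otherwise whatever the service volunteered in its first bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except (ConnectionRefusedError, socket.timeout, OSError):
            return None
        try:
            return s.recv(256)
        except socket.timeout:
            return b""          # open, but the service waits for the client to speak first
        except OSError:
            return b""


def fingerprint(banner: bytes) -> str:
    """Active fingerprinting from the greeting: guess the service and version."""
    first = banner.split(b"\r\n")[0].split(b"\n")[0]
    if first.startswith(b"SSH-"):
        return "ssh " + first[4:].decode("ascii", "replace")
    if first.startswith(b"220 "):
        return "smtp/ftp " + first[4:].decode("ascii", "replace")
    if first.startswith(b"HTTP/"):
        return "http"
    if banner == b"":
        return "open (silent service)"
    return "unknown " + first[:32].decode("ascii", "replace")


def scan(host: str, ports: Iterable[int], workers: int = 32) -> Dict[int, str]:
    """Return {open_port: fingerprint}; closed/filtered ports are left out."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        banners = pool.map(lambda p: probe(host, p), ports)
        return {p: fingerprint(b) for p, b in zip(ports, banners) if b is not None}


if __name__ == "__main__":
    target = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner
    for port, fp in sorted(scan("127.0.0.1", range(target - 5, target + 6)).items()):
        print(f"127.0.0.1:{port} -> {fp}")
```

A connect scan completes the three-way handshake, so every probe shows up in the target's logs; that is the "noisiness" the stealth scanning slide later tries to reduce.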
  • Attack Methods (Cont.)
    • Denial-of-Service (DoS) Attacks
      • Attacks on availability
      • SYN flooding attacks overload a host or network with connection attempts
      • Stopping DoS attacks is very hard.
  • Attack Methods (Cont.)
    • The Break-In
      • Password guessing
      • Take advantage of unpatched vulnerabilities
      • Session hijacking
  • After the Compromise
    • Download rootkit via TFTP
    • Delete audit log files
    • Create backdoor account or Trojan backdoor programs
  • After the Compromise (Cont.)
    • Weaken security
    • Access to steal information, do damage
    • Install malicious software (RAT, DoS zombie, spam relay, etc.)
  • Prevention
    • Stealth Scanning
    • Access Control
    • Firewalls
    • Proxy Servers
    • IPsec
    • Security Policies
    • DMZ
    • Host Security
  • Stealth Scanning
    • Noisiness of attacks
    • Exposure of the attacker's IP address
    • Reduce the rate of attack below the IDS threshold
    • Scan selective ports
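The SYN flood slide and the "reduce the rate below the IDS threshold" point above are two sides of the same detector. The Python below is an added example for this deck, not code from the slides: a sliding-window SYN monitor that raises a flood alert when too many SYNs hit one destination and a scan alert when one source touches too many ports, then replays three constructed traces to show that the same 50-port scan is caught at speed and missed when slowed down. The window size and thresholds are assumptions made here.

```python
"""Sliding-window SYN monitor: flags SYN floods (many SYNs to one destination)
and port scans (one source touching many ports), then shows why a scanner that
stays under the IDS threshold goes unnoticed. Added example for this deck; the
thresholds and sample traffic are constructed here."""
from collections import deque
from typing import Deque, List, Set, Tuple

Event = Tuple[float, str, str, int]   # (timestamp, src, dst, dport)


class SynMonitor:
    def __init__(self, window: float = 10.0, flood_threshold: int = 100, scan_threshold: int = 20):
        self.window = window
        self.flood_threshold = flood_threshold
        self.scan_threshold = scan_threshold
        self.events: Deque[Event] = deque()

    def observe(self, ts: float, src: str, dst: str, dport: int, flags: str) -> List[Tuple[str, str]]:
        """Feed one TCP segment; returns the alerts it raises (empty list if none)."""
        if flags != "S":                      # only bare SYNs (no ACK) count as connection attempts
            return []
        self.events.append((ts, src, dst, dport))
        while self.events and self.events[0][0] < ts - self.window:   # expire events outside the window
            self.events.popleft()
        alerts: List[Tuple[str, str]] = []
        syns_to_dst = sum(1 for e in self.events if e[2] == dst)
        if syns_to_dst >= self.flood_threshold:
            alerts.append(("syn_flood", dst))
        ports_from_src = {e[3] for e in self.events if e[1] == src and e[2] == dst}
        if len(ports_from_src) >= self.scan_threshold:
            alerts.append(("port_scan", src))
        return alerts


def replay(segments: List[Tuple[float, str, str, int, str]]) -> Set[str]:
    """Run a constructed trace through a fresh monitor and collect the kinds of alert raised."""
    mon = SynMonitor()
    kinds: Set[str] = set()
    for ts, src, dst, dport, flags in segments:
        kinds.update(kind for kind, _ in mon.observe(ts, src, dst, dport, flags))
    return kinds


TARGET = "203.0.113.10"     # constructed addresses
SCANNER = "198.51.100.7"


def fast_scan() -> Set[str]:
    # 50 ports in two seconds: noisy, trips the scan threshold.
    return replay([(i * 0.04, SCANNER, TARGET, 1 + i, "S") for i in range(50)])


def slow_scan() -> Set[str]:
    # Same 50 ports, one per second: never more than 11 in any 10-second window.
    return replay([(float(i), SCANNER, TARGET, 1 + i, "S") for i in range(50)])


def syn_flood() -> Set[str]:
    # 200 SYNs with spoofed sources to port 80 within one second.
    return replay([(i * 0.005, f"198.51.100.{i % 50}", TARGET, 80, "S") for i in range(200)])


if __name__ == "__main__":
    print("fast scan :", fast_scan() or "no alert")
    print("slow scan :", slow_scan() or "no alert")
    print("syn flood :", syn_flood() or "no alert")
```

The flood rule keys on the destination because flood sources are spoofed; the scan rule keys on the source because a scanner needs real replies. Lowering the thresholds catches the slow scan at the price of more false positives from busy legitimate clients.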
  • Access Control
    • The goal of access control is to prevent attackers from gaining access, and to stop them if they do.
    • The best way to accomplish this is to:
      • Determine who needs access to the resources located on the server.
      • Decide the access permissions for each resource.
      • Implement specific access control policies for each resource.
      • Record mission-critical resources.
      • Harden the server against attacks.
      • Disable invalid accounts and establish policies.
  • Firewalls
    • Firewalls are designed to protect you from outside attempts to access your computer, whether for the purpose of eavesdropping on your activities, stealing data, sabotage, or using your machine as a means to launch an attack on a third party.
  • Firewalls (Cont.)
    • Hardware
      • Provides a strong degree of protection from the outside world.
      • Can be effective with little or no setup.
      • Can protect multiple systems.
    • Software
      • Better suited to protecting against Trojans and worms.
      • Lets you configure the ports you wish to monitor, giving you finer control.
      • Protects a single system.
  • Firewalls (Cont.)
    • Can prevent
      • Discovery
        • Network sniffing
        • Traceroute
      • Penetration
        • SYN flood
        • Garbage
        • UDP ping
        • TCP ping
        • Ping of Death
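The speaker notes describe a firewall as a set of rules against which each packet is compared before being forwarded or dropped. The Python below is an added example for this deck, not code from the slides: a stateless first-match rule table with default deny, preceded by two checks for packets the slides list under "Penetration" (a LAND packet and a Ping of Death fragment). The ruleset, addresses and sample packets are constructed here.

```python
"""Stateless packet filter: first-match rule table plus two malformed-packet
checks (LAND and Ping of Death). Added example for this deck; rules, fields and
sample traffic are constructed here, not taken from the slides."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""            # TCP flags, "S" = bare SYN
    frag_offset: int = 0       # IP fragment offset, in 8-byte units
    payload_len: int = 0       # bytes after the IP header in this fragment


@dataclass(frozen=True)
class Rule:
    action: str                # "forward" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None  # CIDR, None = any
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


IP_HEADER_LEN = 20
MAX_IP_DATAGRAM = 65535


def sanity_check(p: Packet) -> Optional[str]:
    """Reject packets no legitimate host sends, before the rule table is consulted."""
    # LAND: a SYN whose source and destination (address and port) are identical.
    if p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport:
        return "LAND packet"
    # Ping of Death: a fragment whose offset plus payload would reassemble past 65535 bytes.
    if IP_HEADER_LEN + p.frag_offset * 8 + p.payload_len > MAX_IP_DATAGRAM:
        return "oversized reassembled datagram"
    return None


# Constructed ruleset for a perimeter firewall in front of 203.0.113.0/24.
# Order matters: the first matching rule decides; no match means drop.
RULESET: List[Rule] = [
    Rule("drop", src="10.0.0.0/8"),                   # anti-spoofing: internal range must not arrive from outside
    Rule("forward", proto="tcp", dst="203.0.113.10/32", dport=80),
    Rule("forward", proto="tcp", dst="203.0.113.10/32", dport=443),
    Rule("forward", proto="udp", dst="203.0.113.53/32", dport=53),
]


def filter_packet(p: Packet, rules: List[Rule] = RULESET) -> Tuple[str, str]:
    """Return (action, reason) for one packet."""
    reason = sanity_check(p)
    if reason:
        return "drop", reason
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, f"rule {i}"
    return "drop", "default deny"


# Constructed sample traffic arriving from outside the perimeter.
SAMPLES: Dict[str, Packet] = {
    "web":    Packet("tcp", "198.51.100.7", "203.0.113.10", 51000, 80, "S"),
    "telnet": Packet("tcp", "198.51.100.7", "203.0.113.10", 51001, 23, "S"),
    "spoof":  Packet("tcp", "10.1.2.3", "203.0.113.10", 51002, 80, "S"),
    "land":   Packet("tcp", "203.0.113.10", "203.0.113.10", 80, 80, "S"),
    "pod":    Packet("icmp", "198.51.100.7", "203.0.113.10", frag_offset=8100, payload_len=1480),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    return {name: filter_packet(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_samples().items():
        print(f"{name:7s} -> {action:8s} ({reason})")
```

Default deny is what blocks the discovery traffic (traceroute probes, random-port "garbage"): nothing has to be written for it. The SYN flood on the slide is not handled by a stateless table at all; that needs connection-rate tracking, which is what the SYN monitor example under Stealth Scanning does.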
  • Proxy
    • A proxy server is a buffer between your network and the outside world.
    • Use an anonymizing proxy so that the sites you visit, and attackers watching them, do not learn your address.
  • IPsec
    • Provides various security services for traffic at the IP layer
    • These security services include
      • Authentication
      • Integrity
      • Confidentiality
  • IPsec overview - how IPsec helps
    Problem                                | How IPsec helps                 | Details
    Unauthorized system access             | Authentication, tamperproofing  | Defense in depth by isolating trusted from untrusted systems
    Targeted attacks on high-value servers | Authentication, tamperproofing  | Locking down servers with IPsec. Examples: HR servers, Outlook Web Access (OWA), DC replication
    Eavesdropping                          | Authentication, confidentiality | Defense in depth against password or information gathering by untrusted systems
    Government guideline compliance        | Authentication, confidentiality | Example: "All communications between financial servers must be encrypted."
  • DMZ (image)
  • Host Security
    • Hardening servers
    • Cisco IOS
    • Upgrades and patches
    • Unnecessary services
    • Network monitoring tools
  • Switch Vulnerabilities and Hacking
  • CDP Protocol
    • Can be used to learn a device's IP address, IOS version, and model.
    • Flooding a switch with large numbers of CDP packets can crash it.
    • Useful for troubleshooting the network, but should be disabled where it is not needed.
  • ARP Poisoning
    • The attacker feeds an end node forged address data, poisoning its ARP cache.
    • The MAC address is used to determine the destination; the receiving stack does not verify unsolicited ARP replies.
    • A user can therefore forge ARP datagrams to set up a man-in-the-middle attack.
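Because end nodes accept ARP replies without verification, the practical defence is to watch for them. The Python below is an added example for this deck, not code from the slides: it parses raw Ethernet/ARP frames and alerts when an IP address that was already learned suddenly maps to a different MAC, or when the ARP sender-hardware field contradicts the Ethernet source address. The LAN addresses and frames are constructed here.

```python
"""ARP cache poisoning detector: parses raw Ethernet/ARP frames and alerts when an
IP address suddenly maps to a new MAC or the ARP sender field contradicts the
Ethernet source. Added example for this deck; the frames below are constructed."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(oper: int, sha: bytes, spa: str, tha: bytes, tpa: str, eth_src: Optional[bytes] = None) -> bytes:
    """Ethernet II frame carrying one ARP packet (eth_src lets a forger lie in only one header)."""
    eth = tha + (eth_src or sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    if len(frame) < 42:
        return None
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None               # not Ethernet/IPv4 ARP
    return {"oper": oper, "sha": sha, "spa": str(IPv4Address(spa)), "tha": tha,
            "tpa": str(IPv4Address(tpa)), "eth_src": eth_src}


class ArpWatch:
    """Passive monitor: remembers the first MAC seen for each IP and flags changes."""
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> List[str]:
        p = parse_arp(frame)
        alerts: List[str] = []
        if p is None:
            return alerts
        ip, sender = p["spa"], fmt_mac(p["sha"])
        if p["sha"] != p["eth_src"]:
            alerts.append(f"{ip}: ARP sender {sender} differs from Ethernet source {fmt_mac(p['eth_src'])}")
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = sender
        elif known != sender:
            alerts.append(f"{ip}: MAC changed {known} -> {sender} (possible ARP poisoning)")
        return alerts


# Constructed LAN: gateway .1, victim .20, attacker .66 (all MAC addresses made up).
GATEWAY_MAC = mac("00:11:22:33:44:01")
VICTIM_MAC = mac("00:11:22:33:44:20")
ATTACKER_MAC = mac("de:ad:be:ef:00:66")


def demo() -> List[str]:
    watch = ArpWatch()
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.20")
    poison = build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.20")
    return watch.observe(legit) + watch.observe(poison)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first reply is trusted because the monitor has no prior binding for 192.168.1.1; a monitor started after the attack would learn the attacker's MAC as legitimate. In practice the table is seeded from a known-good list or from DHCP snooping rather than from the first frame seen.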
  • SNMP
    • SNMP manages the network.
    • Authentication is weak: the "public" and "private" community strings travel in clear text.
    • Uses UDP, which is prone to spoofing.
    • Enable SNMPv3 without backwards compatibility to v1/v2c.
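To make the "community strings are clear text" point concrete, the Python below is an added example for this deck, not code from the slides: it builds SNMPv1 GetRequest and SetRequest messages the way an agent receives them, then shows that a passive observer needs only a few lines of BER decoding to read the version, the community string and the operation straight out of the UDP payload. The request id, OIDs and community strings are constructed here; SNMPv3 with authentication and privacy is what removes this exposure.

```python
"""SNMPv1 in the clear: builds a GetRequest/SetRequest the way an agent receives it,
then shows that a passive observer can pull the version and community string
straight out of the UDP payload with a few lines of BER decoding. Added example
for this deck; the request id, OIDs and community strings are constructed."""
from typing import List, Tuple

SNMP_V1 = 0
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_NEXT: "GetNextRequest",
             GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest"}


def ber(tag: int, content: bytes) -> bytes:
    """Tag-length-value with definite length (short form, or long form up to 65535)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def ber_int(value: int) -> bytes:
    size = (value.bit_length() + 8) // 8           # room for the sign bit
    return ber(0x02, value.to_bytes(size, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                            # base-128, high bit = more bytes follow
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return ber(0x06, bytes(out))


def build_snmp(pdu_type: int, community: str, oid: str, request_id: int = 0x1234) -> bytes:
    """SNMPv1 message; the community string is the only 'authentication' and is not protected."""
    varbind = ber(0x30, ber_oid(oid) + ber(0x05, b""))                        # OID + NULL value
    pdu = ber(pdu_type, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    return ber(0x30, ber_int(SNMP_V1) + ber(0x04, community.encode()) + pdu)


def tlv_iter(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a BER byte string into its top-level (tag, content) pairs."""
    items, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                  # long form: low bits = number of length bytes
            count = n & 0x7F
            n = int.from_bytes(buf[i:i + count], "big")
            i += count
        items.append((tag, buf[i:i + n]))
        i += n
    return items


def sniff_community(payload: bytes) -> Tuple[int, str, str]:
    """What a sniffer on the path learns from one SNMPv1/v2c datagram."""
    (outer_tag, body), = tlv_iter(payload)
    if outer_tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, _) = tlv_iter(body)
    return int.from_bytes(version, "big", signed=True), community.decode(), PDU_NAMES.get(pdu_tag, hex(pdu_tag))


if __name__ == "__main__":
    pkt = build_snmp(SET_REQUEST, "private", "1.3.6.1.2.1.1.5.0")   # constructed write to sysName.0
    print(pkt.hex())
    print(sniff_community(pkt))   # the write community string, readable by anyone on the path
```

The same decoder works on SNMPv2c (version 1 in the header); only SNMPv3 replaces the community string with a user name plus a message authentication code, which is why the slide says to enable it without v1/v2c fallback.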
  • Spanning Tree Attacks
    • Standard STP takes 30-50 seconds to deal with a failure or a root bridge change.
    • Purpose of a spanning tree attack: pull the backbone traffic through the attacker so it can be reviewed.
    • Only devices affected by the failure notice the change.
    • The attacker can also create a DoS condition on the network by sending BPDUs.
  • Spanning Tree Attacks (Cont.)
    • STEP 1: MAC flood the access switch
    • STEP 2: Advertise as a priority-zero bridge
    • STEP 3: The attacker becomes the root bridge!
      • Spanning Tree recalculates.
      • The backbone of the original network now runs from the attacking host to the other switches on the network.
  • STP Attack Prevention
    • Disabling STP can introduce another attack (bridging loops).
    • BPDU Guard
      • Error-disables a PortFast port as soon as a BPDU is received on it.
      • Enable it on every port running PortFast (access ports facing end hosts).
    • Root Guard
      • Prevents a port from becoming the root port: if a superior BPDU arrives, the port goes root-inconsistent until the BPDUs stop.
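The three-step takeover above and the two guards that stop it fit in one model. The Python below is an added example for this deck, not code from the slides or from Cisco: it builds an 802.1D configuration BPDU that advertises a priority-zero root, parses it, and runs it into a switch model where the same frame takes over the root role on an unprotected access port, error-disables a BPDU Guard port, and puts a Root Guard port into the root-inconsistent state. Frames, bridge IDs and port names are constructed.

```python
"""BPDU parsing with BPDU Guard and Root Guard behaviour: a priority-zero
configuration BPDU arriving on an unprotected access port takes over the root
role, while a guarded port shuts down or goes root-inconsistent instead. Added
example for this deck; frames, bridge IDs and port names are constructed."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Tuple

STP_MULTICAST = bytes.fromhex("0180c2000000")
LLC_STP = b"\x42\x42\x03"                      # DSAP/SSAP 0x42, UI control field
BPDU_FMT = "!HBBB8sI8sHHHHH"                   # 35-byte 802.1D configuration BPDU
BridgeId = Tuple[int, bytes]                   # (priority, MAC); lower wins the root election


def bridge_id(priority: int, mac_str: str) -> BridgeId:
    return priority, bytes.fromhex(mac_str.replace(":", ""))


def build_config_bpdu(root: BridgeId, sender: BridgeId, root_cost: int = 0, port_id: int = 0x8001) -> bytes:
    """802.3 frame + LLC + configuration BPDU, as a rogue switch (or a host tool) would emit it."""
    root_raw = struct.pack("!H6s", *root)
    sender_raw = struct.pack("!H6s", *sender)
    # timers are in 1/256 s units: message age 0, max age 20 s, hello 2 s, forward delay 15 s
    bpdu = struct.pack(BPDU_FMT, 0x0000, 0x00, 0x00, 0x00, root_raw, root_cost, sender_raw,
                       port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    payload = LLC_STP + bpdu
    return STP_MULTICAST + sender[1] + struct.pack("!H", len(payload)) + payload


def parse_bpdu(frame: bytes) -> Dict[str, object]:
    if frame[:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        raise ValueError("not a spanning-tree BPDU")
    fields = struct.unpack(BPDU_FMT, frame[17:17 + struct.calcsize(BPDU_FMT)])
    _proto, _version, bpdu_type, _flags, root_raw, cost, sender_raw, port_id = fields[:8]
    return {"type": bpdu_type, "root": struct.unpack("!H6s", root_raw), "cost": cost,
            "sender": struct.unpack("!H6s", sender_raw), "port_id": port_id}


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"


@dataclass
class Switch:
    root: BridgeId
    ports: Dict[str, Port] = field(default_factory=dict)

    def receive(self, port_name: str, frame: bytes) -> str:
        """Decide what one incoming BPDU does to this port and to the switch's idea of the root."""
        port = self.ports[port_name]
        bpdu = parse_bpdu(frame)
        if port.portfast and port.bpdu_guard:
            port.state = "err-disabled"              # BPDU Guard: hosts never send BPDUs, so shut the port
            return f"{port.name}: BPDU Guard -> err-disabled"
        superior = bpdu["root"] < self.root
        if superior and port.root_guard:
            port.state = "root-inconsistent"         # Root Guard: refuse a root on this side of the tree
            return f"{port.name}: Root Guard -> root-inconsistent"
        if superior:
            self.root = bpdu["root"]                 # unprotected port: the attacker wins the election
            return f"{port.name}: accepted new root {self.root[0]}/{self.root[1].hex(':')}"
        return f"{port.name}: BPDU ignored (current root is better)"


def demo() -> Dict[str, str]:
    legit_root = bridge_id(32768, "00:11:22:33:44:55")
    attacker = bridge_id(0, "de:ad:be:ef:00:66")      # constructed rogue bridge, priority zero
    rogue_bpdu = build_config_bpdu(root=attacker, sender=attacker)
    results: Dict[str, str] = {}
    for port in (Port("Gi1/0/1", portfast=True),                    # access port with no guard
                 Port("Gi1/0/2", portfast=True, bpdu_guard=True),
                 Port("Gi1/0/3", root_guard=True)):
        sw = Switch(root=legit_root, ports={port.name: port})       # fresh switch per case
        results[port.name] = sw.receive(port.name, rogue_bpdu)
    return results


if __name__ == "__main__":
    for line in demo().values():
        print(line)
```

Two simplifications to keep in mind: the model treats the whole 16-bit field as priority (switches with extended system IDs fold the VLAN into its low 12 bits), and it evaluates root superiority only, where real STP also compares path cost, sender ID and port ID when roots tie.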
  • CSM and CSM-S
    • Cisco Content Switching Module
    • Cisco Content Switching Module with SSL
  • Cisco Secure Desktop (CSD)
    • 3 major vulnerabilities
      • Maintains information after an Internet browsing session. This occurs after an SSL VPN session ends.
      • System policies intended to prevent logoff can be evaded, which allows a VPN connection to be activated.
      • Allows local users to elevate their privileges.
    • Prevention
      • Cisco has software updates to address the vulnerabilities.
      • Workarounds are available to mitigate the effects of some of these vulnerabilities.
  • Cisco Routers
    • Two potential issues with Cisco routers
      • Problems with certain IOS software
      • SNMP
  • Cisco Routers (Cont.)
    • Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4
      • Problem with the software
      • Confidential information can be leaked
      • Software updates on the Cisco site fix this problem
  • Virtual Private Networks (figure: virtual connection 1, virtual connection 2)
  • Virtual Private Networks (figure: information leak, connection error)
  • Cisco uBR10012
    • Cisco uBR10012 series devices automatically enable SNMP read/write access
    • Since there are no access restrictions on this community string, attackers can exploit this to gain complete control of the device
  • Cisco router and attacking computer (figure): by sending an SNMP set request with a spoofed source IP address, the attacker can get the victim router to send him its configuration file.
  • Cisco router and attacking computer (figure): with this information, the remote computer can take complete control of the router.
    • Fix: software updates available on the Cisco site that fix the read/write problem
  • Links
    • http://sectools.org/tools2.html
    • http://insecure.org/sploits/l0phtcrack.lanman.problems.html
    • http://www.grc.com/intro.htm
    • http://www.riskythinking.com
    • http://www.hidemyass.com/
  • References
    • http://www.bmighty.com/network/showArticle.jhtml;jsessionid=2YYDWJHHX3FL2QSNDLPSKHSCJUNN2JVN?articleID=202401432&pgno=2
    • http://www.juniper.net/security/auto/vulnerabilities/vuln19998.html
    • http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
    • http://www.askapache.com/security/hacking-vlan-switched-networks.html
    • http://marc.info/?l=bugtraq&m=116300682804339&w=2
    • http://www.secureroot.com/security/advisories/9809702147.html