3. OUTLINE:
• Project Overview
• Project Task
• Security and Threats
• How can you achieve Network Security?
• Network Security Elements
• LAB
12 April 2014
Menofia University- Faculty of Electronic Engineering
Prepared By E/ Yasser Rabie
3
4. A. Project Overview
Project Aim
• Create an integrated computer network that satisfies the most important requirements needed for any network.
• The most important requirements of the Integrated Network:
Network Administration
System Administration
Network VoIP
Network Security
Virtualization and Cloud Computing
5. B. Project Task
6. What is Network Security?
National Security Telecommunications and
Information Systems Security Committee (NSTISSC)
Network security is the protection of information and
systems and hardware that use, store, and transmit that
information.
Network security encompasses those steps that are taken
to ensure the confidentiality, integrity, and availability of
data or resources.
C. Security and Threats
7. Rationale for Network Security
Network security initiatives and network security specialists can
be found in private and public, large and small companies and
organizations.
The need for network security and its growth are driven by many
factors:
1. Internet connectivity is 24/7 and is worldwide
2. Increase in cybercrime
3. Impact on business and individuals
4. Legislation & liabilities
5. Proliferation of threats
6. Sophistication of threats
8. Goals of an Information Security Program
• Confidentiality
• Prevent the disclosure of sensitive information from unauthorized
people, resources, and processes
• Integrity
• The protection of system information or processes from intentional or
accidental modification
• Availability
• The assurance that systems and data are
accessible by authorized users when needed
9. Types of Attacks
Structured attack
Comes from hackers who are more highly motivated and technically competent.
Unstructured attack
Consists of mostly inexperienced individuals using easily
available hacking tools such as shell scripts and password
crackers.
External attacks
Initiated by individuals or groups working outside of a company.
They do not have authorized access to the computer systems
or network.
Internal attacks
More common and dangerous. Internal attacks are initiated by
someone who has authorized access to the network.
10. Types of Attacks
• Passive Attack
• Listen to system passwords
• Release of message content
• Traffic analysis
• Data capturing
• Active Attack
• Attempt to log into someone else’s account
• Wire taps
• Denial of services
• Message modifications
11. Types of Attacks
1- Network Attack
• Packet Sniffing
• Internet traffic consists of data “packets”, and these can be “sniffed”
• Leads to other attacks such as password sniffing, cookie stealing, session hijacking and information stealing
• Man in the Middle attack
• Insert a router in the path between client and server, and change the packets as they pass through
• DNS hijacking
• Insert malicious routes into DNS tables to send traffic for genuine sites to malicious sites
• Denial-of-Service attacks
• DoS doesn’t result in information theft or any kind of information loss, but it can cost the target a large amount of time and money, as it makes the service inoperable (e.g. via a buffer overflow)
12. 2- Web Attacks
• Phishing
• An evil website pretends to be a trusted website
• Example:
• You type, by mistake, “mibank.com” instead of “mybank.com”
• mibank.com designs the site to look like mybank.com so the user types in their info as usual
• BAD! Now an evil person has your info!
• SQL Injection
• Interesting video showing an example
• Cross Site Scripting
• Writing a complex JavaScript program that steals data left by other sites that you have visited in the same browsing session
13. 3- OS, applications and software attacks
• Virus: Piece of code that automatically reproduces itself. It is attached to other programs or files, but requires user intervention to propagate. It targets executable files and boot sectors.
• Worm: Piece of code that automatically reproduces itself over the network. It doesn’t need user intervention to propagate (autonomous). It spreads via buffer overflows, file sharing, configuration errors and other vulnerabilities.
• Backdoor: A backdoor is a program placed by a black-hat hacker that allows him to access a system. A backdoor may have many functionalities such as a keyboard sniffer, display spying, etc.
• Trojan: A Trojan is software that seems useful or benign, but is actually hiding a malicious functionality
14. D. How can you achieve security?
• Many techniques exist for ensuring computer and network security
• Antivirus software
• Secure networks
• Firewalls
• Cryptography
• In addition, users have to practice “safe computing”
• Not downloading from unsafe websites
• Not opening attachments
• Not trusting what you see on websites
• Avoiding Scams
15. Securing the Network
Network Foundation Protection (NFP)
NFP is a framework that breaks the infrastructure down into smaller components and then systematically focuses on how to secure each of those components.
NFP is broken down into three basic planes (also called sections/areas): the management plane, the control plane and the data plane.
16. 1- Management Plane
• Router Security
• Physical Security
• Place router in a secured, locked room
• Install an uninterruptible power supply
• Operating System Security
• Use the latest stable version that meets network requirements
• Keep a copy of the O/S and configuration file as a backup
• Router Hardening
• Secure administrative control
• Disable unused ports and interfaces
• Disable unnecessary services
17. Methods of Securing the Router
• Configuring the router to use SSH instead of Telnet.
• Configuring Privilege Levels
By default:
User EXEC mode (privilege level 1)
Privileged EXEC mode (privilege level 15)
Sixteen privilege levels are available
Methods of providing privileged access to the infrastructure:
• Privilege Levels
• Role-Based CLI Access
• Using Syslog
Syslog servers: Known as log hosts, these systems accept and process log messages from syslog clients.
• Auto Secure Command.
18. • AAA Access Security
Authentication
Who are you?
Authorization
Which resources is the user allowed to access, and which operations is the user allowed to perform?
Accounting
What did you spend it on?
19. Authentication – Password-Only
• Uses a login and password combination on access lines
• Easiest to implement, but the least secure method
• Vulnerable to brute-force attacks
• Provides no accountability
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
[Figure: Password-Only Method; a user on the Internet attempts to log in]
User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords
20. Authentication – Local Database
• Creates individual user account/password on each device
• Provides accountability
• User accounts must be configured locally on each device
R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local
[Figure: Local Database Method; a user on the Internet attempts to log in]
User Access Verification
Username: Admin
Password: cisco1
% Login invalid
Username: Admin
Password: cisco12
% Login invalid
21. Server-Based AAA Authentication
[Figure: a remote client authenticates through the router (AAA client) against a Cisco Secure ACS server, steps 1 to 4]
22. 2- Control Plane
23. 3- Data Plane
24. Layer 2 Security
MAC Address Spoofing Attack
[Figure: switch with MAC address AABBcc learned on port 1 and 12AbDd on port 2; the attacker claims MAC address AABBcc]
Switch: “I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly.”
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
25. MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table already contains the port-to-MAC-address mappings for these PCs.
26. STP Manipulation Attack
[Figure: root bridge with priority 8192, switch ports in forwarding (F) and blocking (B) state, and an attacking host sending BPDUs]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
Solution: Use BPDU Guard
27. VLAN Hopping Attack
[Figure: attacker in VLAN 10 negotiates an 802.1Q trunk with the switch and sees traffic destined for servers in VLAN 20]
A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.
Solution: Use Port Security
28. Layer 3 Security
• Access Control List (ACL)
Applied as filters on interfaces, ACLs control which traffic is allowed and which is denied on the data plane.
Divided into:
• Standard ACL
1- Numbered IP ACL
2- Named IP ACL
• Extended ACL
1- Numbered IP ACL
2- Named IP ACL
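To show the difference between the two ACL types in practice, an added example in Python (not from the slides or from Cisco IOS): a small evaluator that applies standard and extended entries top-down with the implicit deny, using the Cisco wildcard-mask convention. The addresses, rules and sample packets are constructed.

```python
# Added example (not from the slides): a small evaluator for Cisco-style IP
# access lists. Standard entries look only at the source; extended entries
# also test protocol, destination and port. Entries are tried top-down and a
# packet matching none of them hits the implicit deny. All values constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means that bit of the address is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Entry:
    action: str                         # "permit" or "deny"
    src: str                            # source address ...
    src_wc: str                         # ... and its wildcard mask
    proto: str = "ip"                   # extended only: ip / tcp / udp / icmp
    dst: str = "0.0.0.0"                # extended only: destination address
    dst_wc: str = "255.255.255.255"     # (defaults mean "any", as in a standard ACL)
    dport: int = 0                      # extended only: destination port (0 = any)

    def matches(self, pkt):
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.proto != "ip" and self.proto != pkt.get("proto"):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport == 0 or self.dport == pkt.get("dport")


def evaluate(acl, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Standard ACL: permits by source network only (10.0.0.0/24), so it cannot
# tell Telnet from SSH.
STANDARD = [Entry("permit", "10.0.0.0", "0.0.0.255")]

# Extended ACL: deny Telnet (tcp/23) to router 192.168.1.1 from anywhere,
# permit SSH (tcp/22) to it from 10.0.0.0/24, implicit deny for the rest.
EXTENDED = [
    Entry("deny", "0.0.0.0", "255.255.255.255", "tcp", "192.168.1.1", "0.0.0.0", 23),
    Entry("permit", "10.0.0.0", "0.0.0.255", "tcp", "192.168.1.1", "0.0.0.0", 22),
]
```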
29. E. Network Security Elements
• Intrusion Prevention Systems (IPSs)
1. An attack is launched on a network that has a sensor deployed in IPS mode (inline mode).
2. The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately.
3. The IPS sensor can also send an alarm to a management console for logging and other management purposes.
4. Traffic in violation of policy can be dropped by an IPS sensor.
[Figure: inline sensor between the attacker and the target, with a management console; dropped traffic goes to the bit bucket (steps 1 to 4)]
30. • Intrusion Detection Systems (IDSs)
1. An attack is launched on a network that has a sensor deployed in promiscuous IDS mode; therefore copies of all packets are sent to the IDS sensor for packet analysis. However, the target machine will experience the malicious attack.
2. The IDS sensor matches the malicious traffic to a signature and sends the switch a command to deny access to the source of the malicious traffic.
3. The IDS can also send an alarm to a management console for logging and other management purposes.
[Figure: switch copying traffic to an out-of-band sensor, with a management console and the target (steps 1 to 3)]
31. • Firewalls
• A firewall is a system that enforces an access control policy between networks.
May be
1- Software.
2- Hardware
• Common properties of firewalls:
• Resistant to attacks
• Is the only transit point between networks
• Enforces the access control policy
[Figure: firewall between the Internet (visible IP address) and the internal network of PCs, servers and hosts]
32. Types of Filtering Firewalls
• Packet-filtering firewall—is typically a router that has the capability to filter on some of the
contents of packets (examines Layer 3 and sometimes Layer 4 information)
• Stateful firewall—keeps track of the state of a connection: whether the connection is in an
initiation, data transfer, or termination state
• Application gateway firewall (proxy firewall) —filters information at Layers 3, 4, 5, and 7. Firewall
control and filtering done in software.
• Address-translation firewall—expands the number of IP addresses available and hides network
addressing design.
• Host-based (server and personal) firewall—a PC or server with firewall software running on it.
• Transparent firewall—filters IP traffic between a pair of bridged interfaces.
• Hybrid firewalls—some combination of the above firewalls. For example, an application
inspection firewall combines a stateful firewall with an application gateway firewall.
33. Design with DMZ
[Figure: firewall with untrusted (Internet), DMZ and trusted (private) zones, and the Private-Public, Public-DMZ, DMZ-Private and Private-DMZ policies between them]
• A demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.
Actions
Pass – This action is analogous to permit in an ACL
Drop – This action is analogous to deny in an ACL
Inspect – This action configures Cisco IOS stateful packet inspection
34. • VPN
• Virtual: Information within a private network is transported over a public network.
• Private: The traffic is encrypted to keep the data confidential.
[Figure: VPN tunnels over the Internet/WAN to the corporate network firewall (CSA) from a regional branch with a VPN-enabled Cisco ISR router, a SOHO with a Cisco DSL router, a mobile worker with a Cisco VPN client and a business partner with a Cisco router]
35. What is Cisco ASA?
• ASA in Cisco ASA stands for Adaptive Security Appliance.
• Cisco ASA is a security device that combines firewall, intrusion prevention, and virtual private network (VPN) capabilities.
• ASA is valuable and flexible in that it can be used as a security solution for both small and large networks.
• Cisco ASA can do the following and more:
• Antivirus
• Anti-spam
• IDS/IPS engine
• VPN device
• SSL device
• Content inspection
36. • Cryptographic Systems
• Simply – secret codes
• Encryption
• Converting data to unreadable codes to prevent anyone from accessing this information
• Need a “key” to find the original data.
Cryptographic Protocols: Symmetric Encryption, Asymmetric Encryption
37. Hashing Basics
• Hashes are used for integrity assurance.
• Hashes are based on one-way functions.
• The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint.
[Figure: data of arbitrary length → hash function → fixed-length hash value, e.g. e883aa0b24c09f]
38. Hashing in Action
• Vulnerable to man-in-the-middle attacks
• Hashing does not provide security to transmission.
• Well-known hash functions
• MD5 with 128-bit hashes
• SHA-1 with 160-bit hashes
[Figure: a check “Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars” (hash 4ehIDx67NMop9) is sent over the Internet with the request “I would like to cash this check” and arrives altered as “Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars” (hash 12ehqPx67NMoX); match = no changes, no match = alterations]
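The check scenario in the figure, worked through as an added example in Python (not from the slides): a plain hash detects the alteration only until the man in the middle recomputes the digest, whereas a keyed hash (HMAC) over the same data cannot be forged without the key, which is why hashing alone does not secure a transmission. SHA-256 is used in place of the MD5/SHA-1 listed above; the check texts and the shared key are constructed.

```python
# Added example (not from the slides): the altered-check scenario in Python.
# A plain hash detects accidental change, but whoever alters the check in
# transit can simply recompute the digest. A keyed hash (HMAC) over the same
# data gives an integrity tag the man in the middle cannot forge without the
# key. The check texts and the shared key are constructed.
import hashlib
import hmac

ORIGINAL = b"Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars"
ALTERED = b"Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # known to payer and bank only


def digest(message: bytes) -> str:
    """Fixed-length fingerprint (SHA-256, 256 bits) of arbitrary-length data."""
    return hashlib.sha256(message).hexdigest()


def tag(message: bytes, key: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256); computing or checking it needs the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def bank_accepts_hash(message: bytes, received_digest: str) -> bool:
    """Bank's check with a plain hash: match = no changes, no match = altered."""
    return hmac.compare_digest(digest(message), received_digest)


def bank_accepts_hmac(message: bytes, received_tag: str, key: bytes) -> bool:
    """Bank's check with HMAC: same comparison, but over the keyed tag."""
    return hmac.compare_digest(tag(message, key), received_tag)


def man_in_the_middle(received_proof: str, keyed: bool):
    """Attacker swaps the check. With a plain hash the digest is recomputed
    to match; with HMAC the key is missing, so the old tag is all they have."""
    if keyed:
        return ALTERED, received_proof
    return ALTERED, digest(ALTERED)


def scenario(keyed: bool) -> bool:
    """Send ORIGINAL with its proof through the attacker; return whether the
    bank accepts what arrives (True = the alteration went undetected)."""
    sent = tag(ORIGINAL, SHARED_KEY) if keyed else digest(ORIGINAL)
    message, proof = man_in_the_middle(sent, keyed)
    if keyed:
        return bank_accepts_hmac(message, proof, SHARED_KEY)
    return bank_accepts_hash(message, proof)
```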
39. F. LAB
Used Tools:
VMware (Virtualization Program)
GNS3 (Emulation Program)
Cisco Configuration Professional (CCP-GUI Software)
ASA Firewall Simulation
40. Zone-Based Firewall
41. Emulate ASA on GNS3
42. Security related URLs
• http://www.robertgraham.com/pubs/network-intrusion-detection.html
• http://online.securityfocus.com/infocus/1527
• http://www.snort.org/
• http://www.cert.org/
• http://www.nmap.org/
• http://grc.com/dos/grcdos.htm
• http://lcamtuf.coredump.cx/newtcp/