
Assessing network security


Assessing Network Security and Vulnerability assessment of a Network Scanning using Ethical Hacking tools.

  1. Assessing Network Security. Abhinit Kr Sharma, Ravi Ranjan. Appin
  2. Hands-on experience with Windows 7 or Linux; working knowledge of networking, including the basics of security and “Ethical Hacking”; basic knowledge of network security-assessment strategies.
  3. Planning Security Assessments; Gathering Information About the Target; Vulnerability Assessment and Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for the Target.
  4. Planning Security Assessments; Gathering Information About the Target; Vulnerability Assessment and Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for the Target.
  5. Network security fails in several common areas, including: human awareness; policy factors; hardware or software misconfigurations; poor assumptions; ignorance; failure to stay up to date.
  6. Defense in depth increases an attacker’s risk of detection and reduces an attacker’s chance of success. Layers and their controls:
     - Policies, procedures, and awareness: security policies, procedures, and education
     - Physical security: guards, locks, tracking devices
     - Perimeter: firewalls, border routers, VPNs with quarantine procedures
     - Internal network: network segments
     - Host: OS hardening, authentication, security update management, antivirus updates, auditing
     - Application: application hardening
     - Data: strong passwords, backup and restore strategy
  7. Security assessments can: answer the questions “Is our network secure?” and “How do we know that our network is secure?”; provide a baseline to help improve security; find configuration mistakes or missing security updates; reveal unexpected weaknesses in your organization’s security; ensure regulatory compliance.
  8. Project phases and their planning elements:
     - Pre-assessment: scope, goals, timelines, ground rules
     - Assessment: choose technologies, perform assessment, organize results
     - Preparing results: estimate the risk presented by discovered weaknesses, create a plan for the target, identify vulnerabilities that have not been remediated, determine improvement in network security over time
     - Reporting your findings: create the final report, present your findings
  9. Scope components with examples:
     - Target: all servers running Windows 2005 Server or Windows Server 2008
     - Target area: all servers on the subnets:
     - Timeline: scanning will take place from Jan 31st to Jan 3rd during non-critical business hours
     - Vulnerabilities to scan for: anonymous SAM enumeration; Guest account enabled; more than 10 accounts in the local Administrators group
  10. Vulnerability scanning focuses on known weaknesses, can be automated, and does not necessarily require expertise. Penetration testing focuses on known and unknown weaknesses, requires highly skilled testers, and carries a tremendous legal burden in certain countries and organizations. IT security auditing focuses on security policies and procedures and is used to provide evidence for industry regulations.
  11. Develop a process for vulnerability scanning that will do the following: detect vulnerabilities; assign risk levels to discovered vulnerabilities; identify vulnerabilities that have not been remediated; determine improvement in network security over time. FACT!!!! 99.9% secure = 100% vulnerable!
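The four requirements on slide 11 (detect, assign risk, find what was not remediated, measure improvement over time) are mostly bookkeeping over scanner output, so here is an added example of that bookkeeping in Python. It is not code from the slides or from any of the tools named later; the findings, host names and check identifiers are constructed, and the risk-scoring rule (severity score, raised by one level for an internet-exposed host) is an assumption chosen for illustration.

```python
"""Track vulnerability-scan findings across two assessment rounds.

Added example; the findings below are constructed, not real scanner output.
Each finding is flattened to (host, port, check_id, severity), which is the
minimum most scanners let you export.
"""
from dataclasses import dataclass

# Severity ladder used for weighting; "info" findings carry no risk weight.
RISK_LEVELS = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # hypothetical scanner check identifier, e.g. "CHECK-SMB-NULL"
    severity: str   # one of the keys in RISK_LEVELS

    def key(self):
        # Identity of a finding across rounds: same host, port and check.
        return (self.host, self.port, self.check_id)


def assign_risk(finding, exposed_hosts):
    """Assumed rule: severity score, raised one level if the host is exposed."""
    score = RISK_LEVELS[finding.severity]
    if finding.host in exposed_hosts and score < RISK_LEVELS["critical"]:
        score += 1
    return score


def compare_rounds(previous, current):
    """Split the current round into unremediated, new and fixed findings."""
    prev_keys = {f.key() for f in previous}
    cur_keys = {f.key() for f in current}
    return {
        "unremediated": [f for f in current if f.key() in prev_keys],
        "new": [f for f in current if f.key() not in prev_keys],
        "fixed": [f for f in previous if f.key() not in cur_keys],
    }


def improvement(previous, current, exposed_hosts):
    """Percentage drop in total weighted risk between rounds (positive = better)."""
    before = sum(assign_risk(f, exposed_hosts) for f in previous)
    after = sum(assign_risk(f, exposed_hosts) for f in current)
    if before == 0:
        return 0.0
    return round(100.0 * (before - after) / before, 1)


# Constructed sample: a January round and a February round of the same scope.
JAN = [
    Finding("srv1", 445, "CHECK-SMB-NULL", "high"),
    Finding("srv1", 3389, "CHECK-RDP-OLD", "medium"),
    Finding("web1", 80, "CHECK-BANNER", "low"),
]
FEB = [
    Finding("srv1", 445, "CHECK-SMB-NULL", "high"),     # still open
    Finding("web1", 443, "CHECK-TLS-WEAK", "medium"),   # new this round
]
EXPOSED = {"web1"}   # constructed: web1 is reachable from the internet

if __name__ == "__main__":
    delta = compare_rounds(JAN, FEB)
    for bucket, items in delta.items():
        print(bucket, [f.key() for f in items])
    print("risk reduction: %.1f%%" % improvement(JAN, FEB, EXPOSED))
```

The `key()` tuple is what makes "not remediated" a mechanical question: a finding that reappears under the same host, port and check id is unremediated regardless of how the scanner renames or re-scores it. The weighted total is the number to track over time on slide 8's "determine improvement" line; a raw finding count would reward closing ten low findings over one high one.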
  12. Steps to a successful penetration test include:
     1. Determine how the attacker is most likely to go about attacking a network or an application
     2. Locate areas of weakness in network or application defenses
     3. Determine how an attacker could exploit weaknesses
     4. Locate assets that could be accessed, altered, or destroyed
     5. Determine whether the attack was detected
     6. Determine what the attack footprint looks like
     7. Make recommendations
  13. Black box (zero-knowledge testing): the tester needs to acquire the knowledge and then penetrate, acquiring that knowledge using tools or social-engineering techniques; publicly available information may be given to the penetration tester. Benefits: black box testing is intended to closely replicate the attack made by an outsider without any information about the system. This kind of testing gives an insight into the robustness of the security when under attack by script kiddies.
  14. White box (complete-knowledge testing): testers are given full information about the target system they are supposed to attack. Information includes technology overviews, data flow diagrams, code snippets, and more. Benefits: reveals more vulnerabilities and may be faster, compared to replicating an attack from a criminal hacker who knows the company infrastructure very well. This hacker may be an employee of the company itself, performing an internal attack.
  15. Gray-box or crystal-box test: the tester simulates an inside employee. The tester is given an account on the internal network and standard access to the network. This test assesses internal threats from employees within the company.
  16. There are NO formal methods of penetration testing!!!!!!!! It typically has seven stages: scope/goal definition; information gathering; vulnerability detection; information analysis and planning; attack and penetration/privilege escalation; result analysis and reporting; cleanup.
  17. Security policy model: start with policy, build process, apply technology. Policy, process, and technology are realized through implementation, documentation, and operations.
  18. Compare each area to standards and best practices: security policy (what you must do); documented procedures (what you say you do); operations (what you really do).
  19. Organize information into the following reporting framework: define the vulnerability; document mitigation plans; identify where changes should occur; assign responsibility for implementing approved recommendations; recommend a time for the next security assessment.
  20. Planning Security Assessments; Gathering Information About the Target; Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for the Target.
  21. Nonintrusive attack: the intent is to gain information about an organization’s network in preparation for a more intrusive attack at a later time. Examples of nonintrusive attacks include: information reconnaissance; port scanning; obtaining host information using fingerprinting techniques; network and host discovery.
  22. Common types of information sought by attackers include: system configuration; valid user accounts; contact information; extranet and remote access servers. Information about your network may be obtained by: querying registrar information; determining IP address assignments; organization web pages; search engines; public discussion forums.
  23. Port scanning tips include: start by scanning slowly, a few ports at a time; to avoid detection, try the same port across several hosts; run scans from a number of different systems, optimally from different networks. Typical results of a port scan include: discovery of ports that are listening or open; determination of which ports refuse connections; determination of connections that time out.
  24. Port scanning countermeasures include: implement defense in depth to use multiple layers of filtering; plan for misconfigurations or failures; run only the required services; implement an intrusion-detection system; expose services through a reverse proxy.
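Slide 24 lists an intrusion-detection system as a port-scanning countermeasure, and slide 23 describes the two shapes a scan takes (many ports on one host, or the same port across several hosts). The following added example shows the detection side of that: a small Python routine that reads firewall log lines and raises an alert for either shape within a time window. It is not code from the slides or from any IDS product; the log format, the addresses and the thresholds are constructed for the example.

```python
"""Detect vertical and horizontal port scans in firewall log lines.

Added example; the log format below is constructed for illustration and is
not the format of any particular firewall. A real deployment would adapt
LOG_RE to its own logs and tune the window and thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <ACCEPT|DROP> src=.. dst=.. dport=.. proto=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(lines):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect_scans(events, window=timedelta(minutes=5),
                 vertical_threshold=10, horizontal_threshold=5):
    """Return sorted alerts.

    vertical   = one source touching >= vertical_threshold distinct ports on one host
    horizontal = one source touching the same port on >= horizontal_threshold hosts
    Both are evaluated over every sliding window of the given length per source.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = set()
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                ports_per_dst[e["dst"]].add(e["dport"])
                dsts_per_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= vertical_threshold:
                    alerts.add(("vertical", src, dst))
            for port, dsts in dsts_per_port.items():
                if len(dsts) >= horizontal_threshold:
                    alerts.add(("horizontal", src, port))
    return sorted(alerts)


# Constructed sample log: one vertical scan, one horizontal scan, one benign hit.
SAMPLE_LOG = (
    [f"2024-01-31T09:00:{i:02d} DROP src=10.0.0.5 dst=192.168.1.10 dport={20 + i} proto=tcp"
     for i in range(12)]
    + [f"2024-01-31T09:10:{i * 10:02d} DROP src=10.0.0.7 dst=192.168.1.{20 + i} dport=445 proto=tcp"
       for i in range(6)]
    + ["2024-01-31T09:12:00 ACCEPT src=10.0.0.9 dst=192.168.1.10 dport=443 proto=tcp"]
)

if __name__ == "__main__":
    for alert in detect_scans(parse(SAMPLE_LOG)):
        print(alert)
```

The window and thresholds are the whole trade-off: slide 23's "scan slowly" tip is exactly an attempt to stay under them, so a longer window catches slower scans at the cost of more state per source and more false positives from chatty but legitimate hosts such as monitoring systems. Counting distinct ports and hosts rather than raw packets keeps a single retransmitting client from tripping the rule.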
  25. Types of information that can be collected using fingerprinting techniques include: IP and ICMP implementation; TCP responses; listening ports; banners; service behavior; remote operating system queries.
  26. Fingerprinting sources and countermeasures:
     - IP, ICMP, and TCP: be conservative with the packets that you allow to reach your system; use a firewall or inline IDS device to normalize traffic; assume that your attacker knows what version of the operating system is running, and make sure it is secure
     - Port scanning, service behavior, and remote queries: disable unnecessary services; filter incoming traffic to isolate specific ports on the host; implement IPSec on all systems in the managed network
  27. "… a firewall is a piece of hardware or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction." Types of firewalls: packet filtering gateways; stateful inspection firewalls; application proxies; guards; personal firewalls.
  28. The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer of our old friend the ISO/OSI Reference Model, hence the name. Clients behind the firewall must be proxy-aware (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure, because they don't allow anything to pass by default, but need to have the programs written and turned on in order to begin passing traffic.
  29. Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa. There is less overhead in packet filtering than with an application gateway, because the access control is performed at a lower ISO/OSI layer (typically the transport or session layer). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than its application layer cousins.
  30. IDS and IPS work together to provide a network security solution. An IDS captures packets in real time, processes them, and can respond to threats, but works on copies of the data traffic to detect suspicious activity using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. An IDS analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious traffic from single-packet attacks from reaching the target system before the IDS can apply a response to stop the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.
  31. An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 and Layer 4 to ensure that packet headers, states, and so on are those specified in the protocol suite. However, the IPS sensor also analyzes the payload of the packets at Layer 2 to Layer 7 for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. An IPS builds upon previous IDS technology; Cisco IPS platforms use a blend of detection technologies, including profile-based intrusion detection, signature-based intrusion detection, and protocol analysis intrusion detection. The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.
  32. IDS and IPS technologies share several characteristics:
     - IDS: analyzes copies of the traffic stream; does not slow network traffic; allows some malicious traffic into the network
     - IPS: works inline in real time to monitor Layer 2 through Layer 7 traffic and content; needs to be able to handle network traffic; prevents malicious traffic from entering the network
  33. "… a honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers.” The term "honeypot" is often understood to refer to the British children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey. Uses of honeypots: preventing attacks; detecting attacks; responding to attacks; research honeypots.
  34. Firewalls are a prevention technology; they are network or host solutions that keep attackers out. IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity. Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more. [Diagram: external DNS, IDS, web server, e-commerce, VPN server, firewall, honeypot]
  35. Planning Security Assessments; Gathering Information About the Target; Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for the Target.
  36. Intrusive attack: performing specific tasks that result in a compromise of system information, stability, or availability. Examples of penetration testing for intrusive attack methods include: automated vulnerability scanning; network attacks; denial-of-service attacks; password attacks; network sniffing.
  37. Automated vulnerability scanning makes use of scanning tools to automate the following tasks: banner grabbing and fingerprinting; exploiting the vulnerability; inference testing; security update detection.
  38. Throughout the document, each vulnerability or risk identified has been labeled as a Finding and categorized as High-Risk, Medium-Risk, or Low-Risk. In addition, each supplemental testing note.
  39. Denial-of-Service (DoS) attack: any attempt by an attacker to deny the victim’s access to a resource. DoS attacks can be divided into three categories: flooding attacks; resource starvation attacks; disruption of service. Note: denial-of-service attacks should not be launched against your own live production network.
  40. DoS attack countermeasures:
     - Flooding attacks: ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts; set rate limits on devices to mitigate flooding attacks; consider blocking ICMP packets
     - Disruption of service: make sure that the latest update has been applied to the operating system and applications; test updates before applying them to production systems; disable unneeded services
  41. Network sniffing: the ability of an attacker to eavesdrop on communications between network hosts. An attacker can perform network sniffing by performing the following tasks:
     1. Compromising the host
     2. Installing a network sniffer
     3. Using the network sniffer to capture sensitive data such as network credentials
     4. Using the network credentials to compromise additional hosts
  42. To reduce the threat of network sniffing attacks on your network, consider the following: use encryption to protect data; use switches instead of hubs; secure core network devices; use crossover cables; develop policy; conduct regular scans.
  43. Common ways that attackers avoid detection include: flooding log files; using logging mechanisms; attacking detection mechanisms; using canonicalization attacks; using decoys.
  44. Common ways that attackers avoid detection after an attack include: installing rootkits; tampering with log files.
  45. Avoidance techniques and countermeasures:
     - Flooding log files: back up log files before they are overwritten
     - Using logging mechanisms: ensure that your logging mechanism is running the most recent version of the software with all updates applied
     - Using canonicalization attacks: ensure that applications normalize data to its canonical form
     - Using decoys: secure the end systems and networks being attacked
     - Using rootkits: implement defense-in-depth strategies
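Slide 45's countermeasure for canonicalization attacks is "normalize data to its canonical form"; the point of that advice is that a policy check applied to the raw request can be sidestepped by any encoding of the same value that the check does not anticipate. The added example below, which is not code from the slides, shows a request-path canonicalizer in Python beside the naive prefix check it replaces: the naive check compares the raw string, the hardened one decodes, Unicode-normalizes, resolves `..` segments and case-folds first. The `/admin` prefix, the decode-round limit and the fail-closed choice are assumptions made for the example.

```python
"""Canonicalize a request path before applying an access rule.

Added example; PROTECTED_PREFIX and the decode-round limit are assumptions.
The lesson is that the policy check runs on the canonical form only, so
every encoding of the same path is judged the same way.
"""
import posixpath
import unicodedata
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"   # assumed protected area for the example


def canonicalize_path(raw, max_decode_rounds=3):
    """Bring a path to one canonical form; raises if it will not settle."""
    path = raw
    # Percent-decode repeatedly so that double-encoded input (%2561 -> %61 -> a)
    # reaches its plain form; stop once a round changes nothing.
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path still changing after max decode rounds")
    # Fold compatibility characters (e.g. fullwidth letters) to their ASCII forms.
    path = unicodedata.normalize("NFKC", path)
    # Treat backslashes as separators and anchor the path before resolving it.
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    # normpath collapses ".", "..", and repeated slashes; it cannot climb above "/".
    path = posixpath.normpath(path)
    return path.lower()


def naive_is_protected(raw):
    """The check the slide warns about: applied to the raw, un-normalized input."""
    return raw.startswith(PROTECTED_PREFIX)


def is_protected(raw):
    """Hardened check: decide on the canonical form, and fail closed."""
    try:
        return canonicalize_path(raw).startswith(PROTECTED_PREFIX)
    except ValueError:
        return True   # input that never settles is treated as protected


if __name__ == "__main__":
    # Constructed inputs: plain, case variant, traversal, encoded, double-encoded, fullwidth.
    for sample in ["/admin/users", "/Admin/users", "/public/../admin/users",
                   "/%61dmin/users", "/%2561dmin/users", "/\uff41dmin/users", "/public/page"]:
        print(f"{sample!r:28} naive={naive_is_protected(sample)!s:5} "
              f"canonical={is_protected(sample)}")
```

Two design choices matter here. Decoding is bounded and the function fails closed when the limit is hit, so an input built to keep changing cannot turn the limit into a bypass. And the canonical form is computed once and used for every downstream decision; normalizing in the policy check but serving the raw path (or the reverse) recreates the mismatch the slide is warning about.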
  46. Planning Security Assessments; Gathering Information About the Target; Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for the Target.
  47. Project goal: LON-SRV1 will be scanned for the following vulnerabilities and they will be remediated as stated. Vulnerability and remediation:
     - Network scan: require developers to fix network-based applications
     - Guest account enabled: disable the Guest account
     - RPC-over-DCOM vulnerability: network vulnerability scan
  48. The tools that will be used for the target security assessment include the following: Nmap, GFI LANguard, Nessus, Wireshark, Netcut, Metasploit, Hydra, Ettercap-NG, etc.
  49. Significant, timely, and relevant vulnerability checks are available. It’s easy to write your own checks for what is not available. The engine requires a Linux server; the client can be Linux or Microsoft Windows based. Intelligent: assumes little, but uses what it learns as it scans. Vendor neutral, so nothing is “sugar coated” and recommended fixes don’t point you towards their products.
  50. Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection. Nmap has the benefit of scanning a large number of machines in a single session. It’s supported by many operating systems, including Unix, Windows, and Linux. The state of a port as determined by an Nmap scan can be open, filtered, or unfiltered. Open means that the target machine accepts incoming requests on that port. Filtered means a firewall or network filter is screening the port and preventing Nmap from discovering whether it’s open. Unfiltered means the port is determined to be closed, and no firewall or filter is interfering with the Nmap requests. Nmap supports several types of scans. Table 3.2 details some of the common scan methods.
  51. Simple Netcat connection between a Linux and a Microsoft Windows machine.
  52. Similar to dsniff, Ettercap seems to be a little more versatile and up to date.
  53. Perform port scanning using Nmap; use Nmap and Nessus to perform a vulnerability scan; determine buffer overflow vulnerabilities; use the Microsoft Baseline Security Analyzer to perform a vulnerability scan; Hydra can perform a rapid dictionary attack against more than 30 protocols, including telnet, FTP, HTTP, HTTPS, and many more.
  54. Answer the following questions to complete the report: What risk does the vulnerability present? What is the source of the vulnerability? What is the potential impact of the vulnerability? What is the likelihood of the vulnerability being exploited? What should be done to mitigate the vulnerability? Where should the mitigation be done? Who should be responsible for implementing the mitigations?
  55. Plan your security assessment to determine scope and goals. Educate users to use strong passwords or pass-phrases. Assume that the attacker already knows the exact operating system and version, and take as many steps as possible to secure those systems. Keep systems up to date on security updates and service packs.
  56. Find additional security training events; sign up for security communications: efault.mspx; find additional e-learning clinics; refer to Assessing Network Security.
  57. Abhinit Kumar Sharma