This document discusses key concepts related to network defense in depth. It defines common terms like firewalls, DMZs, IDS, and VPNs. It also covers techniques for packet filtering, application inspection, network address translation, and virtual private networks. The goal of defense in depth is to implement multiple layers of security and not rely on any single mechanism.
A talk given by Joseph Lorenzo Hall at the UCB TRUST Privacy workshop on 10/05/2006 that describes the tensions between institutional requirements and technical abilities of the TOR network, which severly limits TOR research on the UCB campus.
The TCP/IP protocol suite has a number of vulnerability and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DOS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems:
TCP SYN attacks (or SYN Flooding) ¡§CThe TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out. This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing.
IP Spoofing - IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet could get unauthorized privileges. There are few variations of IP Spoofing such as Blind and Non-blind spoofing, man-in-the-middle- attack (connection hijacking), etc. For details, please read the IP Spoofing section.
Routing attacks ¡§C This attack takes advantage of Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. Like TCP/IP, RIP has no built in authentication, and the information provided
in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine
Praktické postupy ochrany před DDoS útoky - Přednáška se bude zabývat postupy jak se chránit před DoS/DDoS útoky a to od nejnižší po nejvyšší vrstvu, od malých webů po korporátní sítě.
www.security-session.cz
This slideshow shows the threat ARP poisoning poses by allowing Packet sniffing attacks using Wireshark on a college network and provides possible mitigation action for the vulnerability
A talk given by Joseph Lorenzo Hall at the UCB TRUST Privacy workshop on 10/05/2006 that describes the tensions between institutional requirements and technical abilities of the TOR network, which severly limits TOR research on the UCB campus.
The TCP/IP protocol suite has a number of vulnerability and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DOS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems:
TCP SYN attacks (or SYN Flooding) ¡§CThe TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out. This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing.
IP Spoofing - IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet could get unauthorized privileges. There are few variations of IP Spoofing such as Blind and Non-blind spoofing, man-in-the-middle- attack (connection hijacking), etc. For details, please read the IP Spoofing section.
Routing attacks ¡§C This attack takes advantage of Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. Like TCP/IP, RIP has no built in authentication, and the information provided
in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine
Praktické postupy ochrany před DDoS útoky - Přednáška se bude zabývat postupy jak se chránit před DoS/DDoS útoky a to od nejnižší po nejvyšší vrstvu, od malých webů po korporátní sítě.
www.security-session.cz
This slideshow shows the threat ARP poisoning poses by allowing Packet sniffing attacks using Wireshark on a college network and provides possible mitigation action for the vulnerability
Presentation given at the Brucon security conference in Ghent, Belgium. Two new attacks are described. The first is a Denial of Service attack capable of halting all traffic for one minute by injecting only two frames. The second attack allows the injection of arbitrary many packets towards a client. It is shown that this can be used to perform a portscan on any TKIP-secured client.
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
This presentation will give you a basic understanding of what ping is, how it works, DoS attack, traceroute, bandwidth speed, upload and download speed, how to use ping in cmd etc.
This gives an overall idea about wireshark design and how to capture packets using wireshark, tcpdump and tshark. It also covers basics behind measuring network performance and tools to use such as bmon and iperf.
Three new attacks are described. The first is a Denial of Service attack capable of halting all traffic for one minute by injecting only two frames. The second attack allows the injection of arbitrary many packets towards a client. It is shown that this can be used to perform a portscan on any TKIP-secured client. The third attack reset the internal state of the Michael algorithm, allowing an attack to append any (encrypted) TKIP packet with invalidating the MIC. This can be used to decrypt arbitrary packets sent towards the client.
Explains the basics of IPsec: why IPsec, main IPsec protocols (Authentication Header or AH/Encapsulating Security Payload or ESP), modes (tunnel/transport) and ciphers (MD5/AES).
Explains how IPv4 packets are being transformed with IPsec protocols, what are the issues with NAT and what is NAT traversal.
At the very end of the presentation there is a real life example for secure communication between two Linux hosts (using ip xfrm).
Presentation given at the Brucon security conference in Ghent, Belgium. Two new attacks are described. The first is a Denial of Service attack capable of halting all traffic for one minute by injecting only two frames. The second attack allows the injection of arbitrary many packets towards a client. It is shown that this can be used to perform a portscan on any TKIP-secured client.
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
This presentation will give you a basic understanding of what ping is, how it works, DoS attack, traceroute, bandwidth speed, upload and download speed, how to use ping in cmd etc.
This gives an overall idea about wireshark design and how to capture packets using wireshark, tcpdump and tshark. It also covers basics behind measuring network performance and tools to use such as bmon and iperf.
Three new attacks are described. The first is a Denial of Service attack capable of halting all traffic for one minute by injecting only two frames. The second attack allows the injection of arbitrary many packets towards a client. It is shown that this can be used to perform a portscan on any TKIP-secured client. The third attack reset the internal state of the Michael algorithm, allowing an attack to append any (encrypted) TKIP packet with invalidating the MIC. This can be used to decrypt arbitrary packets sent towards the client.
Explains the basics of IPsec: why IPsec, main IPsec protocols (Authentication Header or AH/Encapsulating Security Payload or ESP), modes (tunnel/transport) and ciphers (MD5/AES).
Explains how IPv4 packets are being transformed with IPsec protocols, what are the issues with NAT and what is NAT traversal.
At the very end of the presentation there is a real life example for secure communication between two Linux hosts (using ip xfrm).
Learning spark ch01 - Introduction to Data Analysis with Sparkphanleson
Learning spark ch01 - Introduction to Data Analysis with Spark
References to Spark Course
Course : Introduction to Big Data with Apache Spark : http://ouo.io/Mqc8L5
Course : Spark Fundamentals I : http://ouo.io/eiuoV
Course : Functional Programming Principles in Scala : http://ouo.io/rh4vv
Defense in Depth: Implementing a Layered Privileged Password Security Strategy BeyondTrust
Tune in to the full webinar recording here: https://www.beyondtrust.com/resources/webinar/defense-depth-implementing-layered-privileged-password-security-strategy/?access_code=eb6de71b465f16507cadfb2347a9d98f
In this presentation from the live webinar of security expert and TechVangelist Founder/Chief, Nick Cavalancia explores how to apply the defense-in-depth, layered security approach to enterprise password management. Also included in this webinar is an overview of BeyondTrust's PowerBroker Password Safe, the leading solution for enterprise password management.
HBase In Action - Chapter 10 - Operationsphanleson
HBase In Action - Chapter 10: Operations
Learning HBase, Real-time Access to Your Big Data, Data Manipulation at Scale, Big Data, Text Mining, HBase, Deploying HBase
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Firewalls have been the first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.
A firewall can be hardware, software, or both.
In this PPT you can learn a firewall and types which help you a lot and you can able to understand. So, that you must read at once I sure that you are understand
Thank you!!!
I
THREATS are possible attacks.
It includes
The spread of computer viruses
Infiltration and theft of data from external hackers
Engineered network overloads triggered by malicious mass e-mailing
Misuse of computer resources and confidential information by employees
Unauthorized financial transactions and other kinds of computer fraud conducted in the company's name
Electronic inspection of corporate computer data by outside parties
Damage from failure, fire, or natural disasters
HBase In Action - Chapter 04: HBase table designphanleson
HBase In Action - Chapter 04: HBase table design
Learning HBase, Real-time Access to Your Big Data, Data Manipulation at Scale, Big Data, Text Mining, HBase, Deploying HBase
Hbase in action - Chapter 09: Deploying HBasephanleson
Hbase in action - Chapter 09: Deploying HBase
Learning HBase, Real-time Access to Your Big Data, Data Manipulation at Scale, Big Data, Text Mining, HBase, Deploying HBase
Learning spark ch04 - Working with Key/Value Pairsphanleson
Learning spark ch04 - Working with Key/Value Pairs
Course : Introduction to Big Data with Apache Spark : http://ouo.io/Mqc8L5
Course : Spark Fundamentals I : http://ouo.io/eiuoV
Course : Functional Programming Principles in Scala : http://ouo.io/rh4vv
Learning spark ch01 - Introduction to Data Analysis with Sparkphanleson
Learning spark ch01 - Introduction to Data Analysis with Spark
References to Spark Course
Course : Introduction to Big Data with Apache Spark : http://ouo.io/Mqc8L5
Course : Spark Fundamentals I : http://ouo.io/eiuoV
Course : Functional Programming Principles in Scala : http://ouo.io/rh4vv
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
2. Terms of the Trade
Border Router
First / last router under control of
system administration.
DMZ
Demilitarized zone.
Security is low, since not protected
by firewall. Locate webservers and
other services there that generate
potentially unsafe traffic.
Firewall
Filters packages based on a
variety of rules.
3. Terms of the Trade
IDS
Intrusion Detection System.
NIDS: glean intrusion signatures
from traffic.
HIDS: monitor activity at a host on
which they are located.
VPN
Virtual private network
Screened subnet
Area protected by an internal
firewall.
5. Terms of the Trade
Configuration Management
Known vulnerabilities account for
most of actually perpetrated
exploits.
For most of them, patches were
available, but not installed.
CM tries to enforce uniform
security policies.
Backdoors
An entrance into the system that
avoids perimeter defenses.
6. Defense in Depth
Rule 1: Multitude of security measures.
Do not relay on one security mechanism.
Rule 2: Do not make security so
expensive / burdensome that you give
legitimate users an incentive to
circumvent security.
7. Defense in Depth
Example: External tcp packet passes:
Internet Perimeter Router
Internet perimeter firewall
DMZ firewall
Network IPS
NetFlow
Analyzes connections on network
Antivirus on host
Host IPS
9. Filtering
Signature
Any distinctive characteristic that identifies
something (with a high degree of
probability)
Signature Types
Atomic Signatures
Single packet, single event, single activity is
examined.
Stateful Signatures
State: Needed when analyzing multiple pieces of
information that are not available at the same time.
10. Filtering
Atomic vs. Stateful Signatures
LAND attack
Attacker sends TCP-SYN packet with same source and
destination address.
Caused TCP stacks to crash.
Can be discovered looking at a single packet.
Search for string “etc/password” in a URL
Attacker fragments the packet so that the string is not in
either fragment.
State is needed in order to recognize the attack.
11. Filtering
Signature Triggers
Pattern Detection
Simple string search
Search for string “etc/passwords” ARP
Protocol decoders search for string only in protocol
fields.
ARP request with source address FF:FF:FF:FF:FF:FF
Anomaly Detection
Traffic going to an unusual port.
Protocol compliance for http traffic
Behavior Detection
Abnormally large / small fragmented packets
Search for RPC requests that do not initially utilize the
PortMapper
12. Filtering
Signature Actions
Generating an alert
Dropping / preventing an activity
Logging the activity
Resetting a TCP connection
Blocking future activity
Allow activity
13. Packet Filtering
Static Packet Filtering
Allow or deny access to packets based on
internal characteristics.
access list 111 deny ip host 205.205.205.205.1 any
access list 111 permit tcp host 205.205.205.205.1 any
access list 111 deny icmp any any echo-request
access list 111 permit icmp any any packet-to-big
access list 111 deny icmp any any
Cisco extended ACL
14. Static Packet Filtering
Difficult to design efficient rules.
Easy to get the rules tables wrong and allow bad
traffic.
Security risks
People can piggy-back bad messages in harmless
ones.
http traffic is known to be used as a backdoor.
Loki uses unused fields in normal TCP packets.
Fragmentation allows the filter to look only at a
fragment
Most only look at the first fragment
15. Static Packet Filtering
Configuring a packet filter:
Security Policy: what is allowed, what is
not allowed.
Allowable types of packets must be
specified logically, in terms of logical
expression on packet fields.
Expressions need to be rewritten in the
firewall vendor’s language.
16. Static Packet Filtering
Example
Security Policy:
Allow inbound mail messages (SMTP, port 25), but only
to gateway.
Block host faucet.
action Our host port Their host port comment
block * * faucet * We don’t trust
these people.
allow OUR-
GW
25 * * Connection to our
SMTP server
17. Static Packet Filtering
Example
If no rule applies, then the packet is dropped.
Without additional rules, our rule set would drop all non-mail
packets. There would also be no replies.
Beware of a rule like this (intended to allow acks)
Based solely on outside host’s port number.
Port 25 is usually the mail port.
But there is no guarantee.
action Our host port Their host port comment
allow * * * 25 Connection to
their SMTP port
18. Static Packet Filtering
Example
Expand rule set to allow connection with the
outside:
action Our host port Their host port Flag comment
block * * faucet *
allow OUR-GW 25 * *
allow (our host) * * 25 Our packets to their port
allow * 25 * * ACK Their replies
Specify the names of all machines allowed to send mail to the outside here.
19. Static Packet Filtering
Combating Address Spoofing
At a minimum:
Don’t allow inside source addresses coming in.
Don’t allow outside source addresses going
out.
Block source routing at the border routers.
20. Static Packet Filtering
Routing Information
If a node is unreachable from the outside then the node is
almost (but not quite) as safe as a node disconnected from
the net.
Internal routers should not advertise paths to such nodes to
the outside.
Filter routes learned from the outside:
Protects against subversion by route confusion.
Route squatting:
Use internal addresses that belong to a different domain.
The nodes are de facto unreachable from the outside.
Use non-announced addresses. (e.g. 10.x.x.x)
But beware, when companies merge, these addresses tend
to be incompatible.
So pick addresses in unpopular address ranges.
21. Static Packet Filtering
Performance
Packet filtering is done at the border.
No degradation for the internal network.
Typically, connection to ISP is the
bottleneck.
However:
Degradation depends on the number of rules
applied.
Can be mitigated by careful ordering of rules.
22. Application Level Filtering
Packet filters only look at
The source address
The destination address
TCP / UDP port numbers
TCP / UDP flags.
Application filters deals with the details of the
service they are checking.
E.g. a mail application filter looks at
RFC 822 headers.
MIME attachments.
Might identify virus infected attachments.
23. Application Level Filtering
Snort:
Allows to set up rules that pass a packet
on to another service.
Commercial firewalls
Include application level filters for many
products.
Use non-disclosure agreement to obtain
proprietary protocols
24. Dynamic Packet Filtering
Stateful Firewall
Still look at each packet.
Maintains a state of each connection.
Implements connection filtering.
Dynamically adjust a filtering table of current
connections.
Implementation
Adjust the filtering rules dynamically.
E.g.: We started an HTTP connection to a given host.
Now HTTP packages from that host are allowed.
OR: Terminate the connection at the firewall and then
have the firewall call the ultimate destination (proxying).
25. Proxy Firewalls
Proxies act on behalf of a client.
Proxy firewall
Reverse Proxy
Receives packages on one card.
Processes requests.
Translates them into internal requests on other card.
Receives answers from inside and translates to the outside.
26. Proxy Firewalls
Proxy firewall
Forward Proxy
Receives requests from the inside.
Processes requests.
Translates them into requests to
the outside on other card.
Receives answers from outside
and translates to the inside.
Acts on behalf of inside machine
that is protected from the vagaries
of the internet.
27. Proxy Firewalls
Application level proxies work at the
level of application.
Circuit-level proxies
does not understand the application
makes filtering decisions by validating and
monitoring sessions.
29. Application Inspection
DNS example (Cisco ASA DNS
inspection)
Guarantees that the ID of the DNS
machine matches the ID of the DNS query
Allows translation of DNS packets using
NAT
Reassembles DNS packets to verify its
length.
30. Application Inspection
SMTP (Cisco ASA protection)
Protects against SMTP-based attacks by
restricting the types of SMTP commands.
Illegal command is modified and forwarded.
Typically, receiver replies with an SMTP error
500 (command not recognized)
Checks size, …
31. Network Address Translation
Originally designed to address the IPv4
address shortage:
Use internal IP addresses
192.168.x.x
172.16.x.x, 172.32.x.x
10.x.x.x
NAT box is dual hosted:
One connection to interior network
Other connection to exterior network
with “overloaded” or “public” address
32. Network Address Translation
Internal host initiates TCP connection to the
outside.
NAT box takes TCP package, replaces
source IP with its public IP, port with a port
chosen for that connection
When reply return to NAT box, forwards
package to internal host.
NAT uses stored connection data to
determine the interior address
34. Network Address Translation
Full Cone NAT (one to one NAT)
all requests from same internal IP address
and port are mapped to the same external
IP address and port.
Allows external host to send package to
the host by using the mapped external
address.
35. Network Address Translation
Restricted Cone NAT
All requests from same internal IP address
and port are mapped to the same external
IP address and port.
External host can only send package to
internal host if the connection has already
been established
36. Network Address Translation
Port Restricted Cone NAT
Like restricted cone NAT,
but only for certain port numbers
Symmetric NAT
All request from the same internal IP address and port to a
specific destination IP and port are mapped to a unique
external source IP address and port.
If the same hosts sends to the same port, but another IP
address, then a different mapping is used.
External host needs to receive a packet before sending a
UDP packet back to the internal host.
In practice:
combinations between these behaviors.
38. Virtual Private Networks
VPN uses connections over an existing
public network
Connection secured with encryption
Host to Host
Host to Gateway
Gateway to Gateway
40. Virtual Private Networks
Encryption can be done at
Application level.
Transport level.
Network level.
Data link level.
41. Virtual Private Networks
VPN Technologies
Application Level
Pretty Good Privacy
Secure Shell (SSH)
Transport Level
Secure Socket Layer
Does not protect the package, but its content.
Typically runs at the application level of the OS, so OS does not need to be
changed.
Network Level
IPSec
Encrypts package itself.
Encrypted package receives a new package header.
IPSec protects port address, but not destination address.
OS need to be changed (but only once: Win2000, WinXP)
Data Link
Layer 2 Tunneling Protocol addition to Point-to-Point protocol (PPP)
Encrypts packets on the data layer.
L2TP (Layer 2 Tunneling)
43. Virtual Private Networks
Alternatives are dedicated point-to-point
connections such as a private T1 line.
Most secure.
Most expensive.
Takes time to set-up.