Isys20261 lecture 06


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Isys20261 lecture 06

  1. 1. Computer Security Management(ISYS20261)Lecture 6 - Network-based Attacks (1) Module Leader: Dr Xiaoqi Ma School of Science and Technology
  2. 2. Last week …• Host-based attacks: – Malicious Code – Malicious Software• Malicious Code – Backdoors – Computer Viruses• Malicious Software (Malware) – Computer Worms – Trojan Horses (Trojans) – Rootkits – SpywareComputer Security ManagementPage 2
  3. 3. Today ...• Computer networking• Network-based attacksComputer Security ManagementPage 3
  4. 4. Computer networking• Need for communication between computer systems or devices• Systems are connected via physical networks and talk to each other using standard protocols• Networking, routers, routing protocols, etc., are specified by the Internet Engineering Task Force (IETF)• Published in Requests for Comments (RFCs)• ISO standard for worldwide communication: Open Systems Interconnect (OSI) reference modelComputer Security ManagementPage 4
  5. 5. The OSI Reference Model (1)• abstract description for layered communications and computer network protocol design• it divides network architecture into seven layers – Application – Presentation – Session – Transport – Network – Data-Link – Physical Layer• Layer: collection of conceptually similar functions that provide services to the layer above it and receives service from the layer below itComputer Security ManagementPage 5
  6. 6. The OSI Reference Model (2)• Application Layer – interacts with software applications that implement a communicating component – Examples: File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), etc.• Presentation Layer – establishes a context between Application Layer entities• Session Layer – controls the dialogues/connections (sessions) between computers – establishes, manages and terminates the connections between the local and remote application• Transport Layer – provides transparent transfer of data between end users – provides reliable data transfer services to the upper layersComputer Security ManagementPage 6
  7. 7. The OSI Reference Model (3)• Network Layer – provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks – Maintains the quality of service requested by the Transport Layer• Data Link Layer – provides the functional and procedural means to transfer data between network entities – detects and possibly corrects errors that may occur in the Physical layer• Physical Layer – defines the electrical and physical specifications for devices – includes the layout of pins, voltages, cable specifications, Hubs, repeaters, network adapters, Host Bus Adapters, etcComputer Security ManagementPage 7
  8. 8. The OSI Reference Model (4) Layer Data Unit Function Application 7 Network process to application Presentation 6 Data Data representation and encryption Session 5 Inter-host communication End-to-end connections and Transport 4 Segment reliability Path determination and logical Network 3 Packet addressing Data link 2 Frame Physical addressing (MAC & LLC) Physical 1 Bit Media, signal and binary transmissionComputer Security ManagementPage 8
  9. 9. OSI Reference Model vs. TCP/IP Layer OSI Reference Model TCP/IP 7 Application 6 Presentation Application 5 Session 4 Transport Transport 3 Network Internet 2 Data link Network access 1 PhysicalComputer Security ManagementPage 9
  10. 10. Network devices (1)• Network Interface Card (NIC) – computer hardware – designed to allow computers to communicate over a computer network – provides physical access to a networking media and often provides a low-level addressing system through the use of Media Access Control (MAC) addresses• Repeater – electronic device that receives a signal and retransmits it at a higher power level so that the signal can cover longer distances without degradation – Example: in most twisted pair Ethernet configurations, repeaters are required for cable runs longer than 100 meters away from the computerComputer Security ManagementPage 10
  11. 11. Network devices (2)• Hub – contains multiple ports – when a packet arrives at one port, it is copied to all the ports of the hub for transmission• Example: Workstation Network Hub Workstation WorkstationComputer Security ManagementPage 11
  12. 12. Network devices (3)• Router – networking device that forwards data packets between networks using headers and forwarding tables to determine the best path to forward the packets – work at the network layer of the TCP/IP model or layer 3 of the OSI model – Embedded computer system running dedicated OS, e.g. IOS (Cisco) or JUNOS (Juniper Networks)• Example: LAN LAN Internet Router RouterComputer Security ManagementPage 12
  13. 13. Network devices (4)• Switch – Hardware that allow traffic to be sent only where it is needed – Ethernet switch: operates at the data-link layer to create a different collision domains (segments) per switch port• Example: Workstation A Workstation B Network Switch Workstation D Workstation CComputer Security ManagementPage 13
  14. 14. Network-based attacks• Primary attempt to – forge or steal data – gain unauthorised access to a system• Means – Sniffing data – Redirecting data• Take advantage of vulnerabilities of OS and by exploiting inherent weaknesses of the Internet, Transport, and/or Application layer of TCP/IP• Usually involves a sequence of preceding steps to identify a potential vulnerability that can be exploited – Reconnaissance – ScanningComputer Security ManagementPage 14
  15. 15. Reconnaissance phase• Information gathering step• intruder ties to gather as much information about the network and the target computer(s) as possible• avoids to raise alarms about his/her activities• collects data regarding network settings, subnet ids, router configurations, host names, DNS server information, security level settings, etc.• Application servers are often targets of attacks – web servers – DNS servers – SMTP mail servers – Etc.Computer Security ManagementPage 15
  16. 16. Scanning phase• Network scanning – Sending probing packets to the identified network-specific devices to gain information about their configuration settings – Example: get IP address from DNS server etc.• Host scanning – Connect to target host – probe target machine to check if any known vulnerabilities specific to the OS are present – Example: using port scanning to identify services running on the host systemComputer Security ManagementPage 16
  17. 17. Attacks (1)• Sniffing• IP address spoofing• Man-in-the-middle attack• Denial-of-service attack (DoS) – SYN flooding – Smurf attack – Distributed Denial of Service attack (DDoS)Computer Security ManagementPage 17
  18. 18. Attacks (2)• OS-based attacks – Stack smashing – Buffer overflows – Password attacks• Web application attacks – Phishing – Pharming – Session Hijacking – Cross-site scripting (XSS)Computer Security ManagementPage 18
  19. 19. Sniffing (1)• computer software or computer hardware (sniffer) intercepts and logs traffic passing over a digital network (eavesdropping)• Works on data link layer of TCP/IP• as data streams flow across the network, the sniffer captures each packet and eventually decodes and analyses its content according to the appropriate specifications, e.g. RFC• Not only done by criminals: legally used by network administrator, e.g. for fault detection• In the UK: it is legal to monitor network traffic only if you get official permission from the dedicated network administratorComputer Security ManagementPage 19
  20. 20. Sniffing (2)• sniffer needs to be placed inside the network• When nodes are connected to a hub: easy to monitor traffic• When nodes are connected to a switch port rather than a hub the sniffer will be unable to read the data due to the intrinsic nature of switched networks• Exception: when a network switch with a so-called monitoring port is in use it is easy to monitor all data packets in a LANComputer Security ManagementPage 20
  21. 21. Sniffing (3)• Legally used for: – Analyse network problems – Detect network intrusion attempts – Gain information for affecting a network intrusion – Monitor network usage – Gather and report network statistics – Filter suspect content from network traffic – Debug client/server communications – Debug network protocol implementations• Criminal use: – Spy on other network users and collect sensitive information, e.g. passwords – Reverse engineer protocols used over the networkComputer Security ManagementPage 21
  22. 22. Sniffing (4)• Sniffers usually software based• tcpdump – common packet sniffer used on UNIX machines – runs under the command line – allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached• Wireshark: – Free tool – Available for a wide range of OSs, including Linux, Mac OS, MS Windows, etc. – similar to tcpdump but offers a graphical user interface – More information:• Commercial tools – E.g. Microsoft Network Monitor, NetScout, etc.Computer Security ManagementPage 22
  23. 23. Sniffing (5)• Hardware network sniffers: Network Taps• Network Tap – hardware device for monitoring the network traffic between two points in the network – has at least three ports: A port, a B port, and a monitor port – To place the Tap between points A and B, the network cable between point A and point B is replaced with a pair of cables, one going to the Taps A port, one going to the Taps B port – The Tap passes through all traffic between A and B, so A and B still think they are connected to each other, but the Tap also copies the traffic between A and B to its monitor port, enabling a third party to listen• Problem: expensive to monitor all data in a 10Gbit network• Solution: use of filterable Tap, parse off the data, applications, VLAN...etc to a 1 Gig port for deep analysis and monitoringComputer Security ManagementPage 23
  24. 24. Next week …… we will continue looking at network-based attacksComputer Security ManagementPage 24