TRANSCRIPT
Assessing Network Security
Abhinit Kr Sharma, Ravi Ranjan
Appin
1 http://www.microsoft.com/technetTNTx-xx
Session Prerequisites
Hands-on experience with Windows 7 or Linux
Working knowledge of networking, including basics of security and Ethical Hacking
Basic knowledge of network security-assessment strategies
Session Overview
Planning Security Assessments
Gathering Information About the Target
Vulnerability Assessment and Penetration Testing for Intrusive Attacks
Case Study: Assessing Network Security for that Target
Planning Security Assessments
Why Does Network Security Fail?
Network security fails in several common areas, including:
Human awareness
Policy factors
Hardware or software misconfigurations
Poor assumptions
Ignorance
Failure to stay up-to-date
Understanding Defense in Depth
Layered defenses increase an attacker's risk of detection and reduce an attacker's chance of success.
Layer: Defenses
Policies, procedures, and awareness: security policies, procedures, and education
Physical security: guards, locks, tracking devices
Perimeter: firewalls, border routers, VPNs with quarantine procedures
Internal network: network segments
Host: OS hardening, authentication, security update management, antivirus updates, auditing
Application: application hardening
Data: strong passwords, backup and restore strategy
Why Perform Security Assessments?
Security assessments can:
Answer the questions "Is our network secure?" and "How do we know that our network is secure?"
Provide a baseline to help improve security
Find configuration mistakes or missing security updates
Reveal unexpected weaknesses in your organization's security
Ensure regulatory compliance
Planning a Security Assessment
Project phase: Planning elements
Pre-assessment: Scope; Goals; Timelines; Ground rules
Assessment: Choose technologies; Perform assessment; Organize results
Preparing results: Estimate risk presented by discovered weaknesses; Create a plan for target; Identify vulnerabilities that have not been remediated; Determine improvement in network security over time
Reporting your findings: Create final report; Present your findings
Understanding the Security Assessment Scope
Component: Example
Target: All servers running Windows 2005 Server or Windows Server 2008
Target area: All servers on the subnets 192.168.0.0/24 and 192.168.1.0/24
Timeline: Scanning will take place from Jan 31st to Jan 3rd during non-critical business hours
Vulnerabilities to scan for: Anonymous SAM enumeration; Guest account enabled; Greater than 10 accounts in the local Administrator group
Types of Security Assessments
Vulnerability scanning:
Focuses on known weaknesses
Can be automated
Does not necessarily require expertise
Penetration testing:
Focuses on known and unknown weaknesses
Requires highly skilled testers
Carries tremendous legal burden in certain countries/organizations
IT security auditing:
Focuses on security policies and procedures
Used to provide evidence for industry regulations
Using Vulnerability Scanning to Assess Network Security
Develop a process for vulnerability scanning that will do the following:
Detect vulnerabilities
Assign risk levels to discovered vulnerabilities
Identify vulnerabilities that have not been remediated
Determine improvement in network security over time
FACT! 99.9% secure = 100% vulnerable!
Using Penetration Testing to Assess Network Security
Steps to a successful penetration test include:
1. Determine how the attacker is most likely to go about attacking a network or an application
2. Locate areas of weakness in network or application defenses
3. Determine how an attacker could exploit weaknesses
4. Locate assets that could be accessed, altered, or destroyed
5. Determine whether the attack was detected
6. Determine what the attack footprint looks like
7. Make recommendations
Methods and Techniques of Pen Test: Black Box
Zero-knowledge testing: the tester needs to acquire the knowledge and penetrate.
Acquire knowledge using tools or social engineering techniques.
Publicly available information may be given to the penetration tester.
Benefits: Black box testing is intended to closely replicate the attack made by an outsider without any information about the system. This kind of testing gives an insight into the robustness of the security when under attack by script kiddies.
Methods and Techniques of Pen Test: White Box
Complete-knowledge testing: testers are given full information about the target system they are supposed to attack. Information includes technology overviews, data flow diagrams, code snippets and more.
Benefits: Reveals more vulnerabilities and may be faster. It is comparable to replicating an attack from a criminal hacker who knows the company infrastructure very well. This hacker may be an employee of the company itself, performing an internal attack.
Methods and Techniques of Pen Test: Gray-box or crystal-box test
The tester simulates an inside employee. The tester is given an account on the internal network and standard access to the network. This test assesses internal threats from employees within the company.
Methodology of Penetration Testing
There are NO formal methods of penetration testing! It typically has seven stages:
Scope/Goal Definition
Information Gathering
Vulnerability Detection
Information Analysis and Planning
Attack & Penetration / Privilege Escalation
Result Analysis & Reporting
Cleanup
Understanding Components of an IT Security Audit
Components: Policy, Process, Technology, Implementation, Documentation, Operations
Security Policy Model: Start with policy, build process, apply technology
Implementing an IT Security Audit
Compare each area to standards and best practices:
Security policy: what you must do
Documented procedures: what you say you do
Operations: what you really do
Reporting Security Assessment Findings
Organize information into the following reporting framework:
Define the vulnerability
Document mitigation plans
Identify where changes should occur
Assign responsibility for implementing approved recommendations
Recommend a time for the next security assessment
Gathering Information About the Organization
What Is a Nonintrusive Attack?
Nonintrusive attack: the intent to gain information about an organization's network in preparation for a more intrusive attack at a later time.
Examples of nonintrusive attacks include:
Information reconnaissance
Port scanning
Obtaining host information using fingerprinting techniques
Network and host discovery
Information Reconnaissance Techniques
Common types of information sought by attackers include:
System configuration
Valid user accounts
Contact information
Extranet and remote access servers
Information about your network may be obtained by:
Querying registrar information
Determining IP address assignments
Organization Web pages
Search engines
Public discussion forums
What Information Can Be Obtained by Port Scanning?
Port scanning tips include:
Start by scanning slowly, a few ports at a time
To avoid detection, try the same port across several hosts
Run scans from a number of different systems, optimally from different networks
Typical results of a port scan include:
Discovery of ports that are listening or open
Determination of which ports refuse connections
Determination of connections that time out
Port-Scanning Countermeasures
Port scanning countermeasures include:
Implement defense-in-depth to use multiple layers of filtering
Plan for misconfigurations or failures
Run only the required services
Implement an intrusion-detection system
Expose services through a reverse proxy
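The slow and "same port across several hosts" scanning patterns listed in the port-scanning tips above are exactly what an intrusion-detection rule has to account for. As an added example that is not part of the original slides, the Python below flags both a vertical scan (many ports on one host) and a slow horizontal scan (one port across many hosts) in constructed firewall deny-log lines; the log format, addresses, window and thresholds are assumptions.

```python
"""Port-scan detection over firewall deny logs (added example, not from the
slides). The log format, addresses and thresholds are constructed; adapt
parse_line() to the real firewall's syslog format before use."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> DENY <src_ip> -> <dst_ip>:<dst_port>".
# 203.0.113.9 probes several ports on one host a few seconds apart (vertical
# scan); 198.51.100.7 probes one port across several hosts 30 s apart (slow
# horizontal scan); 192.168.1.50 is ordinary noise.
SAMPLE_LOG = """\
2024-01-31T22:00:01 DENY 203.0.113.9 -> 192.168.0.10:21
2024-01-31T22:00:05 DENY 203.0.113.9 -> 192.168.0.10:22
2024-01-31T22:00:09 DENY 203.0.113.9 -> 192.168.0.10:23
2024-01-31T22:00:14 DENY 203.0.113.9 -> 192.168.0.10:25
2024-01-31T22:00:20 DENY 203.0.113.9 -> 192.168.0.10:80
2024-01-31T22:00:27 DENY 203.0.113.9 -> 192.168.0.10:135
2024-01-31T22:01:00 DENY 198.51.100.7 -> 192.168.0.11:445
2024-01-31T22:01:30 DENY 198.51.100.7 -> 192.168.0.12:445
2024-01-31T22:02:00 DENY 198.51.100.7 -> 192.168.0.13:445
2024-01-31T22:02:30 DENY 198.51.100.7 -> 192.168.0.14:445
2024-01-31T22:03:00 DENY 198.51.100.7 -> 192.168.0.15:445
2024-01-31T22:05:00 DENY 192.168.1.50 -> 192.168.0.10:80
"""

WINDOW_SECONDS = 600  # wide enough to catch slow, spread-out probes
PORT_THRESHOLD = 5    # distinct ports on one host -> vertical scan
HOST_THRESHOLD = 5    # distinct hosts on one port -> horizontal scan

def parse_line(line):
    """Return (timestamp, action, src_ip, dst_ip, dst_port) for one log line."""
    ts, action, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src, dst_ip, int(dst_port)

def detect_scans(log_text, window_seconds=WINDOW_SECONDS):
    """Return sorted (src_ip, kind, target, count) findings; kind is
    "vertical" (host probed on many ports) or "horizontal" (port probed on
    many hosts). A window opens at every deny, so slow scans still count."""
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, action, src, dst_ip, port = parse_line(line)
            if action == "DENY":
                per_src[src].append((ts, dst_ip, port))

    best = {}  # (src, kind, target) -> highest count seen in any window
    for src, events in per_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            for ts, host, port in events[i:]:
                if ts - start > window:
                    break
                ports_by_host[host].add(port)
                hosts_by_port[port].add(host)
            for host, ports in ports_by_host.items():
                if len(ports) >= PORT_THRESHOLD:
                    key = (src, "vertical", host)
                    best[key] = max(best.get(key, 0), len(ports))
            for port, hosts in hosts_by_port.items():
                if len(hosts) >= HOST_THRESHOLD:
                    key = (src, "horizontal", str(port))
                    best[key] = max(best.get(key, 0), len(hosts))
    return sorted((s, k, t, n) for (s, k, t), n in best.items())
```

With a 60-second window the slow horizontal scan drops out of the findings while the fast vertical scan remains, which is why the window has to be sized for the slow-scan tips above and not only for fast scans.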
What Information Can Be Collected About Network Hosts?
Types of information that can be collected using fingerprinting techniques include:
IP and ICMP implementation
TCP responses
Listening ports
Banners
Service behavior
Remote operating system queries
Countermeasures to Protect Network Host Information
Fingerprinting source: Countermeasures
IP, ICMP, and TCP: Be conservative with the packets that you allow to reach your system; Use a firewall or inline IDS device to normalize traffic; Assume that your attacker knows what version of operating system is running, and make sure it is secure
Port scanning, service behavior, and remote queries: Disable unnecessary services; Filter incoming traffic to isolate specific ports on the host; Implement IPSec on all systems in the managed network
Firewall
"A firewall is a piece of hardware or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction."
Types of Firewalls:
Packet filtering gateways
Stateful inspection firewalls
Application proxies
Guards
Personal firewalls
Application Gateways
The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer of our old friend the ISO/OSI Reference Model, hence the name.
Clients behind the firewall must be proxy-aware (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure, because they don't allow anything to pass by default, but need to have the programs written and turned on in order to begin passing traffic.
Packet Filtering
Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa. There is less overhead in packet filtering than with an application gateway, because the feature of access control is performed at a lower ISO/OSI layer (typically, the transport or session layer). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than its application layer cousins.
Introducing IDS and IPS
IDS and IPS work together to provide a network security solution. An IDS captures packets in real time, processes them, and can respond to threats, but works on copies of data traffic to detect suspicious activity by using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. An IDS analyzes a copy of the monitored traffic rather than the actual forwarded packet.
The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious traffic from single-packet attacks from reaching the target system before the IDS can apply a response to stop the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.
IDS and IPS
An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 and Layer 4 to ensure that their headers, states, and so on are those specified in the protocol suite. However, the IPS sensor analyzes at Layer 2 to Layer 7 the payload of the packets for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. An IPS builds upon previous IDS technology; Cisco IPS platforms use a blend of detection technologies, including profile-based intrusion detection, signature-based intrusion detection, and protocol analysis intrusion detection. The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.
IDS and IPS
IDS:
Analyzes copies of the traffic stream
Does not slow network traffic
Allows some malicious traffic into the network
IPS:
Works inline in real time to monitor Layer 2 through Layer 7 traffic and content
Needs to be able to handle network traffic
Prevents malicious traffic from entering the network
IDS and IPS technologies share several characteristics:
Honeypot
"A honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers."
The term "honeypot" is often understood to refer to the British children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey.
Uses of Honeypots:
Preventing attacks
Detecting attacks
Responding to attacks
Research
Firewalls, IDS and Honeypots
Firewalls are a prevention technology; they are network or host solutions that keep attackers out.
IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity.
Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more.
[Diagram: external DNS, IDS, Web server, e-commerce server, VPN server, firewall and honeypot]
Penetration Testing for Intrusive Attacks
What Is Penetration Testing for Intrusive Attacks?
Intrusive attack: performing specific tasks that result in a compromise of system information, stability, or availability.
Examples of penetration testing for intrusive attack methods include:
Automated vulnerability scanning
Network attacks
Denial-of-service attacks
Password attacks
Network sniffing
What Is Automated Vulnerability Scanning?
Automated vulnerability scanning makes use of scanning tools to automate the following tasks:
Banner grabbing and fingerprinting
Exploiting the vulnerability
Inference testing
Security update detection
Overall Vulnerability Risk Classification
Throughout the document, each vulnerability or risk identified has been labeled as a Finding and categorized as High-Risk, Medium-Risk, or Low-Risk. In addition, each supplemental testing note.
What Is a Denial-of-Service Attack?
Denial-of-Service (DoS) attack: any attempt by an attacker to deny his victims access to a resource.
DoS attacks can be divided into three categories:
Flooding attacks
Resource starvation attacks
Disruption of service
Note: Denial-of-service attacks should not be launched against your own live production network.
Countermeasures for Denial-of-Service Attacks
DoS attack: Countermeasures
Flooding attacks: Ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts; Set rate limitations on devices to mitigate flooding attacks; Consider blocking ICMP packets
Disruption of service: Make sure that the latest update has been applied to the operating system and applications; Test updates before applying to production systems; Disable unneeded services
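The router ACLs described under packet filtering and the anti-spoofing and directed-broadcast rules listed above can be tried out in the Python below, which models a first-match, deny-by-default filter. This is an added example, not the slides' or any vendor's code: the interface names, the published web-server address and the rule order are assumptions, while the two subnets are the ones from the assessment scope.

```python
"""First-match packet-filter ACL with anti-spoofing and directed-broadcast
rules (added example, not from the slides). Interface names, the web server
address and the rule order are constructed; subnets follow the slides."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = [ipaddress.ip_network("192.168.0.0/24"),
            ipaddress.ip_network("192.168.1.0/24")]
WEB_SERVER = ipaddress.ip_network("192.168.0.10/32")  # assumed published host

def build_rules(internal=INTERNAL):
    """Ordered entries (action, ingress_iface, src_net, dst_net, proto, dport).
    proto/dport of None match anything. First match wins; no match is a deny."""
    rules = []
    # Anti-spoofing: a packet arriving on the outside interface may not carry
    # an internal source address.
    for net in internal:
        rules.append(("deny", "outside", net, ANY, None, None))
    # Directed broadcasts to internal subnets are a flooding amplifier: drop.
    for net in internal:
        bcast = ipaddress.ip_network(f"{net.broadcast_address}/32")
        rules.append(("deny", "outside", ANY, bcast, None, None))
    # Only the published service is reachable from outside.
    rules.append(("permit", "outside", ANY, WEB_SERVER, "tcp", 80))
    # Internal hosts may initiate outbound traffic.
    for net in internal:
        rules.append(("permit", "inside", net, ANY, None, None))
    return rules

def evaluate(rules, iface, src, dst, proto, dport=None):
    """Return (action, index of the matching rule); -1 is the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, r_iface, r_src, r_dst, r_proto, r_port) in enumerate(rules):
        if r_iface != iface or src_ip not in r_src or dst_ip not in r_dst:
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, idx
    return "deny", -1

RULES = build_rules()
```

Note that the anti-spoofing entries must sit above any permit, otherwise a spoofed internal source bound for the web server would match the HTTP permit first.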
What Is Network Sniffing?
Network sniffing: the ability of an attacker to eavesdrop on communications between network hosts.
An attacker can perform network sniffing by performing the following tasks:
1. Compromising the host
2. Installing a network sniffer
3. Using a network sniffer to capture sensitive data such as network credentials
4. Using network credentials to compromise additional hosts
Countermeasures for Network Sniffing Attacks
To reduce the threat of network sniffing attacks on your network, consider the following:
Use encryption to protect data
Use switches instead of hubs
Secure core network devices
Use crossover cables
Develop policy
Conduct regular scans
How Attackers Avoid Detection During an Attack
Common ways that attackers avoid detection include:
Flooding log files
Using logging mechanisms
Attacking detection mechanisms
Using canonicalization attacks
Using decoys
How Attackers Avoid Detection After an Attack
Common ways that attackers avoid detection after an attack include:
Installing rootkits
Tampering with log files
Countermeasures to Detection-Avoidance Techniques
Avoidance technique: Countermeasures
Flooding log files: Back up log files before they are overwritten
Using logging mechanisms: Ensure that your logging mechanism is using the most updated version of software and all updates
Using canonicalization attacks: Ensure that applications normalize data to its canonical form
Using decoys: Secure the end systems and networks being attacked
Using rootkits: Implement defense-in-depth strategies
Case Study: Assessing Network Security
Defining the Security Assessment Goals
Project goal: LON-SRV1 will be scanned for the following vulnerabilities and will be remediated as stated.
Vulnerability: Remediation
Network scan: Require developers to fix network-based applications
Guest account enabled: Disable guest account
RPC-over-DCOM vulnerability: Network vulnerability scan
Choosing Tools for the Security Assessment
The tools that will be used for the Target security assessment include the following:
Nmap
GFI LanGuard
Nessus
Wireshark
Netcut
Metasploit
Hydra
Ettercap-NG, etc.
Nessus, The Champ
Significant, timely, and relevant vulnerability checks available.
It is easy to write your own checks that are not available.
The engine requires a Linux server; the client can be Linux or Microsoft Windows based.
Intelligent: assumes little, but uses what it learns as it scans.
Vendor neutral, so nothing is sugar-coated and recommended fixes don't point you towards their products.
Nmap for Windows and Linux
Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection. Nmap has the benefit of scanning a large number of machines in a single session. It is supported by many operating systems, including Unix, Windows, and Linux. The state of a port as determined by an Nmap scan can be open, filtered, or unfiltered. Open means that the target machine accepts incoming requests on that port. Filtered means a firewall or network filter is screening the port and preventing Nmap from discovering whether it is open. Unfiltered means the port is determined to be closed, and no firewall or filter is interfering with the Nmap requests. Nmap supports several types of scans. Table 3.2 details some of the common scan methods.
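A scan of the whole target area produces one grepable-output line per host, and the assessment report needs those port states tallied per host and any host outside the agreed subnets set aside. The Python below parses Nmap's grepable (-oG) format and does both; it is an added example, not code from the slides or from Nmap, and the scan text, hostnames and addresses are constructed (the two subnets are the ones from the assessment scope).

```python
"""Parse Nmap grepable (-oG) output and summarise port states per host,
checking each host against the assessment's target area (added example,
not from the slides). SAMPLE_OG is constructed, not a real scan."""
import ipaddress
from collections import Counter

# Target area from the assessment scope in the slides.
SCOPE = [ipaddress.ip_network("192.168.0.0/24"),
         ipaddress.ip_network("192.168.1.0/24")]

# Constructed -oG text. Nmap separates fields with tabs and writes each port
# entry as port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.0.10 (lon-srv1)\tStatus: Up
Host: 192.168.0.10 (lon-srv1)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, \
80/open/tcp//http//Apache httpd/, 135/filtered/tcp//msrpc///, \
445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0/, \
23/unfiltered/tcp//telnet///\tIgnored State: closed (998)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip, _, name = fields["Host"].partition(" ")
        entry = hosts.setdefault(ip, {"hostname": name.strip("()"), "ports": []})
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue  # Status-only lines carry no Ports field
            port, state, proto, _owner, service = item.split("/")[:5]
            entry["ports"].append((int(port), state, proto, service))
    return hosts

def summarise(hosts, scope=SCOPE):
    """Per host: in-scope flag, count of each port state, open service names."""
    report = {}
    for ip, entry in hosts.items():
        addr = ipaddress.ip_address(ip)
        report[ip] = {
            "in_scope": any(addr in net for net in scope),
            "states": dict(Counter(state for _, state, _, _ in entry["ports"])),
            "open_services": sorted(s for _, st, _, s in entry["ports"] if st == "open"),
        }
    return report

def out_of_scope(report):
    """Hosts that answered but lie outside the agreed target area; these are
    excluded from findings and raised with the client as a scope question."""
    return sorted(ip for ip, r in report.items() if not r["in_scope"])
```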
The Tools: Netcat Session
Simple Netcat connection between a Linux and a Microsoft Windows machine.
Ettercap
Similar to dsniff, Ettercap seems to be a little bit more versatile and up to date.
Demonstration: Performing the Security Assessment
Perform port scanning using Nmap
Use Nmap and Nessus to perform a vulnerability scan
Determine buffer overflow vulnerabilities
Use the Microsoft Baseline Security Analyzer to perform a vulnerability scan
Hydra can perform rapid dictionary attacks against more than 30 protocols, including telnet, FTP, HTTP, HTTPS and much more
Reporting the Security Assessment Findings
Answer the following questions to complete the report:
What risk does the vulnerability present?
What is the source of the vulnerability?
What is the potential impact of the vulnerability?
What is the likelihood of the vulnerability being exploited?
What should be done to mitigate the vulnerability?
Where should the mitigation be done?
Who should be responsible for implementing the mitigations?
Session Summary
Plan your security assessment to determine scope and goals
Educate users to use strong passwords or pass-phrases
Assume that the attacker already knows the exact operating system and version, and take as many steps as possible to secure those systems
Keep systems up-to-date on security updates and service packs
Next Steps
Find additional security training events: http://www.microsoft.com/ireland/events/default.asp
Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
Find additional e-learning clinics: https://www.microsoftelearning.com/security/
Refer to Assessing Network Security
Network Security Project Presentation
Abhinit Kumar Sharma
Appin