Assessing Network Security

Upload: abhinit-kumar-sharma

Post on 18-Jan-2017

Assessing Network Security

Abhinit Kr Sharma, Ravi Ranjan

Appin

1 http://www.microsoft.com/technetTNTx-xx

Session Prerequisites

Hands-on experience with Windows 7 or Linux

Working knowledge of networking, including basics of security and ethical hacking

Basic knowledge of network security-assessment strategies

Session Overview

Planning Security Assessments

Gathering Information About the Target

Vulnerability Assessment and Penetration Testing for Intrusive Attacks

Case Study: Assessing Network Security for that Target

Planning Security Assessments

Why Does Network Security Fail?

Network security fails in several common areas, including:

Human awareness

Policy factors

Hardware or software misconfigurations

Poor assumptions

Ignorance

Failure to stay up-to-date

Understanding Defense in Depth

Defense in depth increases an attacker's risk of detection and reduces an attacker's chance of success. Each layer, with the controls the slide places at it:

Policies, procedures, and awareness: security policies, procedures, and education

Physical security: guards, locks, tracking devices

Perimeter: firewalls, border routers, VPNs with quarantine procedures

Internal network: network segments

Host: OS hardening, authentication, security update management, antivirus updates, auditing

Application: application hardening

Data: strong passwords, backup and restore strategy

Why Perform Security Assessments?

Security assessments can:

Answer the questions "Is our network secure?" and "How do we know that our network is secure?"

Provide a baseline to help improve security

Find configuration mistakes or missing security updates

Reveal unexpected weaknesses in your organization's security

Ensure regulatory compliance

Planning a Security Assessment

Project phase: Planning elements

Pre-assessment: scope; goals; timelines; ground rules

Assessment: choose technologies; perform assessment; organize results

Preparing results: estimate risk presented by discovered weaknesses; create a plan for target; identify vulnerabilities that have not been remediated; determine improvement in network security over time

Reporting your findings: create final report; present your findings

Understanding the Security Assessment Scope

Component: Example

Target: all servers running Windows 2005 Server or Windows Server 2008

Target area: all servers on the subnets 192.168.0.0/24 and 192.168.1.0/24

Timeline: scanning will take place from Jan 31st to Jan 3rd during non-critical business hours

Vulnerabilities to scan for: anonymous SAM enumeration; Guest account enabled; greater than 10 accounts in the local Administrators group

Types of Security Assessments

Vulnerability scanning: focuses on known weaknesses; can be automated; does not necessarily require expertise

Penetration testing: focuses on known and unknown weaknesses; requires highly skilled testers; carries a tremendous legal burden in certain countries/organizations

IT security auditing: focuses on security policies and procedures; used to provide evidence for industry regulations

Using Vulnerability Scanning to Assess Network Security

Develop a process for vulnerability scanning that will do the following:

Detect vulnerabilities

Assign risk levels to discovered vulnerabilities

Identify vulnerabilities that have not been remediated

Determine improvement in network security over time

FACT: 99.9% secure = 100% vulnerable!
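The four-step scanning process above, as an added example that is not part of the slides: two constructed scan result sets (a baseline and a follow-up) for the hosts in the scope slide are turned into findings, given the deck's High/Medium/Low labels, compared for unremediated items, and summarised to show improvement over time. The risk table, check names and scan results are all constructed for the example.

```python
"""Added example (not from the slides): detect -> assign risk -> find
unremediated -> measure improvement, over two constructed scan results."""
from dataclasses import dataclass

# Constructed severity table using the High/Medium/Low labels the deck
# applies to findings; unknown checks fall back to Low.
RISK_LEVELS = {
    "anonymous-sam-enumeration": "High",
    "guest-account-enabled": "Medium",
    "local-admins-over-10": "Medium",
    "missing-security-update": "High",
}

@dataclass(frozen=True)
class Finding:
    host: str
    check: str

    @property
    def risk(self) -> str:
        # Step 2: assign a risk level to the discovered vulnerability.
        return RISK_LEVELS.get(self.check, "Low")

def detect(scan_output: dict) -> set:
    """Step 1: turn raw scan output ({host: [failed checks]}) into Findings."""
    return {Finding(host, check)
            for host, checks in scan_output.items() for check in checks}

def unremediated(baseline: set, followup: set) -> set:
    """Step 3: findings present in both scans have not been remediated."""
    return baseline & followup

def improvement(baseline: set, followup: set) -> dict:
    """Step 4: compare the two scans, overall and per risk level."""
    def by_risk(findings):
        counts = {"High": 0, "Medium": 0, "Low": 0}
        for f in findings:
            counts[f.risk] += 1
        return counts
    return {
        "fixed": len(baseline - followup),
        "new": len(followup - baseline),
        "open": len(baseline & followup),
        "by_risk_before": by_risk(baseline),
        "by_risk_after": by_risk(followup),
    }

# Constructed sample scan results (not real scanner output).
BASELINE_SCAN = {
    "192.168.0.10": ["anonymous-sam-enumeration", "guest-account-enabled"],
    "192.168.1.20": ["local-admins-over-10", "missing-security-update"],
}
FOLLOWUP_SCAN = {
    "192.168.0.10": ["guest-account-enabled"],
    "192.168.1.20": ["local-admins-over-10", "weak-smb-signing"],
}

if __name__ == "__main__":
    before, after = detect(BASELINE_SCAN), detect(FOLLOWUP_SCAN)
    for f in sorted(unremediated(before, after), key=lambda x: (x.host, x.check)):
        print(f"still open: {f.host} {f.check} [{f.risk}]")
    print(improvement(before, after))
```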

Using Penetration Testing to Assess Network Security

Steps to a successful penetration test include:

1. Determine how the attacker is most likely to go about attacking a network or an application
2. Locate areas of weakness in network or application defenses
3. Determine how an attacker could exploit weaknesses
4. Locate assets that could be accessed, altered, or destroyed
5. Determine whether the attack was detected
6. Determine what the attack footprint looks like
7. Make recommendations

Methods and Techniques of Pen Test: Black Box

Zero-knowledge testing: the tester needs to acquire the knowledge and penetrate.

Knowledge is acquired using tools or social engineering techniques; publicly available information may be given to the penetration tester.

Benefits: black box testing is intended to closely replicate the attack made by an outsider without any information about the system. This kind of testing gives an insight into the robustness of the security when under attack by script kiddies.

Methods and Techniques of Pen Test: White Box

Complete-knowledge testing: testers are given full information about the target system they are supposed to attack. Information includes technology overviews, data flow diagrams, code snippets, and more.

Benefits: reveals more vulnerabilities and may be faster. It replicates an attack from a criminal hacker that knows the company infrastructure very well; this hacker may be an employee of the company itself, doing an internal attack.

Methods and Techniques of Pen Test: Gray-Box or Crystal-Box Test

The tester simulates an inside employee. The tester is given an account on the internal network and standard access to the network. This test assesses internal threats from employees within the company.

Methodology of Penetration Testing

There are NO formal methods of penetration testing! A test typically has seven stages:

1. Scope/goal definition
2. Information gathering
3. Vulnerability detection
4. Information analysis and planning
5. Attack and penetration / privilege escalation
6. Result analysis and reporting
7. Cleanup

Understanding Components of an IT Security Audit

Components: policy; process; technology; implementation; documentation; operations

Security policy model: start with policy; build process; apply technology

Implementing an IT Security Audit

Compare each area to standards and best practices:

Security policy: what you must do

Documented procedures: what you say you do

Operations: what you really do

Reporting Security Assessment Findings

Organize information into the following reporting framework:

Define the vulnerability

Document mitigation plans

Identify where changes should occur

Assign responsibility for implementing approved recommendations

Recommend a time for the next security assessment

Gathering Information About the Target

What Is a Nonintrusive Attack?

Nonintrusive attack: the intent to gain information about an organization's network in preparation for a more intrusive attack at a later time.

Examples of nonintrusive attacks include:

Information reconnaissance

Port scanning

Obtaining host information using fingerprinting techniques

Network and host discovery

Information Reconnaissance Techniques

Common types of information sought by attackers include: system configuration; valid user accounts; contact information; extranet and remote access servers.

Information about your network may be obtained by: querying registrar information; determining IP address assignments; organization Web pages; search engines; public discussion forums.

What Information Can Be Obtained by Port Scanning?

Port scanning tips include:

Start by scanning slowly, a few ports at a time

To avoid detection, try the same port across several hosts

Run scans from a number of different systems, optimally from different networks

Typical results of a port scan include:

Discovery of ports that are listening or open

Determination of which ports refuse connections

Determination of connections that time out

Port-Scanning Countermeasures

Port scanning countermeasures include:

Implement defense-in-depth to use multiple layers of filtering

Plan for misconfigurations or failures

Run only the required services

Implement an intrusion-detection system

Expose services through a reverse proxy

What Information Can Be Collected About Network Hosts?

Types of information that can be collected using fingerprinting techniques include: IP and ICMP implementation; TCP responses; listening ports; banners; service behavior; remote operating system queries.

Countermeasures to Protect Network Host Information

Fingerprinting source: Countermeasures

IP, ICMP, and TCP: be conservative with the packets that you allow to reach your system; use a firewall or inline IDS device to normalize traffic; assume that your attacker knows what version of operating system is running, and make sure it is secure

Port scanning, service behavior, and remote queries: disable unnecessary services; filter incoming traffic to isolate specific ports on the host; implement IPSec on all systems in the managed network

Firewall

"A firewall is a piece of hardware or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction."

Types of firewalls:

Packet filtering gateways

Stateful inspection firewalls

Application proxies

Guards

Personal firewalls

Application Gateways

The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer of our old friend the ISO/OSI Reference Model, hence the name.

Clients behind the firewall must be proxy-aware (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure, because they don't allow anything to pass by default, but need to have the programs written and turned on in order to begin passing traffic.

Packet Filtering

Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa. There is less overhead in packet filtering than with an application gateway, because access control is performed at a lower ISO/OSI layer (typically, the transport or session layer). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than its application layer cousins.

Introducing IDS and IPS

IDS and IPS work together to provide a network security solution. An IDS captures packets in real time, processes them, and can respond to threats, but works on copies of data traffic to detect suspicious activity by using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. An IDS analyzes a copy of the monitored traffic rather than the actual forwarded packet.

The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious traffic from single-packet attacks from reaching the target system before the IDS can apply a response to stop the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.

An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 and Layer 4 to ensure that the headers, states, and so on are those specified in the protocol suite. However, the IPS sensor analyzes at Layer 2 to Layer 7 the payload of the packets for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. An IPS builds upon previous IDS technology; Cisco IPS platforms use a blend of detection technologies, including profile-based intrusion detection, signature-based intrusion detection, and protocol analysis intrusion detection. The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.

IDS and IPS technologies share several characteristics:

IDS: analyzes copies of the traffic stream; does not slow network traffic; allows some malicious traffic into the network

IPS: works inline in real time to monitor Layer 2 through Layer 7 traffic and content; needs to be able to handle network traffic; prevents malicious traffic from entering the network

Honeypot

"A honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers."

The term "honeypot" is often understood to refer to the British children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey.

Uses of honeypots: preventing attacks; detecting attacks; responding to attacks; research

Firewalls, IDS and Honeypots

Firewalls are a prevention technology; they are network or host solutions that keep attackers out.

IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity.

Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more.

[Diagram: placement of external DNS, IDS, web server, e-commerce server, VPN server, firewall and honeypot]

Penetration Testing for Intrusive Attacks

What Is Penetration Testing for Intrusive Attacks?

Intrusive attack: performing specific tasks that result in a compromise of system information, stability, or availability.

Examples of penetration testing for intrusive attack methods include:

Automated vulnerability scanning

Network attacks

Denial-of-service attacks

Password attacks

Network sniffing

What Is Automated Vulnerability Scanning?

Automated vulnerability scanning makes use of scanning tools to automate the following tasks:

Banner grabbing and fingerprinting

Exploiting the vulnerability

Inference testing

Security update detection

Overall Vulnerability Risk Classification

Throughout the document, each vulnerability or risk identified has been labeled as a Finding and categorized as High-Risk, Medium-Risk, or Low-Risk. In addition, each supplemental testing note.

What Is a Denial-of-Service Attack?

Denial-of-Service (DoS) attack: any attempt by an attacker to deny his victims access to a resource.

DoS attacks can be divided into three categories:

Flooding attacks

Resource starvation attacks

Disruption of service

Note: denial-of-service attacks should not be launched against your own live production network.

Countermeasures for Denial-of-Service Attacks

DoS attack: Countermeasures

Flooding attacks: ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts; set rate limitations on devices to mitigate flooding attacks; consider blocking ICMP packets

Disruption of service: make sure that the latest update has been applied to the operating system and applications; test updates before applying to production systems; disable unneeded services

What Is Network Sniffing?

Network sniffing: the ability of an attacker to eavesdrop on communications between network hosts.

An attacker can perform network sniffing by performing the following tasks:

1. Compromising the host
2. Installing a network sniffer
3. Using a network sniffer to capture sensitive data such as network credentials
4. Using network credentials to compromise additional hosts

Countermeasures for Network Sniffing Attacks

To reduce the threat of network sniffing attacks on your network, consider the following:

Use encryption to protect data

Use switches instead of hubs

Secure core network devices

Use crossover cables

Develop policy

Conduct regular scans

How Attackers Avoid Detection During an Attack

Common ways that attackers avoid detection include: flooding log files; using logging mechanisms; attacking detection mechanisms; using canonicalization attacks; using decoys.

How Attackers Avoid Detection After an Attack

Common ways that attackers avoid detection after an attack include: installing rootkits; tampering with log files.

Countermeasures to Detection-Avoidance Techniques

Avoidance technique: Countermeasures

Flooding log files: back up log files before they are overwritten

Using logging mechanisms: ensure that your logging mechanism is using the most updated version of software and all updates

Using canonicalization attacks: ensure that applications normalize data to its canonical form

Using decoys: secure the end systems and networks being attacked

Using rootkits: implement defense-in-depth strategies
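The "normalize data to its canonical form" countermeasure, as an added example that is not from the slides: a client-supplied file path is fully percent-decoded and resolved to one canonical absolute path before the access check runs, so differently encoded spellings of the same path are all judged by that single form rather than by how they were written. WEB_ROOT and the sample paths are constructed for the example.

```python
"""Added example (not from the slides): canonicalize before you check.
Decode and normalize a requested path, then decide access on the result."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"  # assumed document root for the example

def canonical_path(web_root: str, requested: str) -> str:
    """Return the canonical absolute path that `requested` resolves to under web_root."""
    decoded = requested
    # Percent-decode until the value stops changing, so a double-encoded
    # request ends up in the same form as a plainly written one.
    for _ in range(5):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # Treat backslashes as separators, then collapse "." and ".." segments.
    decoded = decoded.replace("\\", "/")
    return posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))

def is_allowed(web_root: str, requested: str) -> bool:
    """Access check on the canonical form only: the path must stay inside web_root."""
    root = posixpath.normpath(web_root)
    target = canonical_path(web_root, requested)
    return target == root or target.startswith(root + "/")

if __name__ == "__main__":
    for req in ("/images/logo.png", "images/../images/logo.png", "%252e%252e/config"):
        print(f"{req!r:32} -> {canonical_path(WEB_ROOT, req)}  allowed={is_allowed(WEB_ROOT, req)}")
```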

Case Study: Assessing Network Security for Target

Defining the Security Assessment Goals

Project goal: LON-SRV1 will be scanned for the following vulnerabilities and will be remediated as stated.

Vulnerability: Remediation

Network scan: require developers to fix network-based applications

Guest account enabled: disable Guest account

RPC-over-DCOM vulnerability: network vulnerability scan

Choosing Tools for the Security Assessment

The tools that will be used for the Target security assessment include the following: Nmap, GFI LanGuard, Nessus, Wireshark, Netcut, Metasploit, Hydra, Ettercap-NG, etc.

Nessus, The Champ

Significant, timely, and relevant vulnerability checks available.

It's easy to write your own checks that are not available.

Engine requires a Linux server; the client can be Linux or Microsoft Windows based.

Intelligent: assumes little, but uses what it learns as it scans.

Vendor neutral, so nothing is sugar coated and recommended fixes don't point you towards their products.

Nmap for Windows and Linux

Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection. Nmap has the benefit of scanning a large number of machines in a single session. It's supported by many operating systems, including Unix, Windows, and Linux. The state of a port as determined by an Nmap scan can be open, filtered, or unfiltered. Open means that the target machine accepts incoming requests on that port. Filtered means a firewall or network filter is screening the port and preventing Nmap from discovering whether it's open. Unfiltered means the port is determined to be closed, and no firewall or filter is interfering with the Nmap requests. Nmap supports several types of scans. Table 3.2 details some of the common scan methods.
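Reading the port states described above out of a finished scan, as an added example that is not from the slides and not part of Nmap: the parser below reads Nmap's grepable output format (-oG), tallies the open/filtered/closed states per host, and flags listening ports that are not on a per-host baseline of required services, which is the "run only the required services" countermeasure turned into a check. The scan lines and the baseline are constructed, not real scan output.

```python
"""Added example (not from the slides or from Nmap): parse -oG output,
summarise port states per host and flag services outside a baseline."""
import re
from collections import Counter, defaultdict

# Constructed -oG lines in the layout Nmap writes (tab-separated fields,
# one "Ports:" line per host); not a real scan.
SAMPLE_GNMAP = """\
# Nmap scan (constructed sample)
Host: 192.168.0.10 ()\tStatus: Up
Host: 192.168.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 5900/open/tcp//vnc///\tIgnored State: filtered (998)
"""

# Assumed baseline of services each host is supposed to expose.
REQUIRED_SERVICES = {"192.168.0.10": {22, 80}, "192.168.1.20": {3389}}

# Each entry in the Ports: field is port/state/protocol/owner/service/...
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/")

def parse_gnmap(text: str) -> dict:
    """Return {host: {port: (state, service)}} for TCP ports in grepable output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for port, state, proto, _owner, service in PORT_RE.findall(ports_field):
            if proto == "tcp":
                hosts[host][int(port)] = (state, service)
    return dict(hosts)

def state_summary(scan: dict) -> dict:
    """Count ports per state (open / filtered / closed as Nmap reports them) per host."""
    return {host: dict(Counter(state for state, _ in ports.values()))
            for host, ports in scan.items()}

def unexpected_open_ports(scan: dict, baseline: dict) -> dict:
    """Open TCP ports that are not in the host's required-service baseline."""
    out = {}
    for host, ports in scan.items():
        listening = {p for p, (state, _) in ports.items() if state == "open"}
        extra = listening - baseline.get(host, set())
        if extra:
            out[host] = sorted(extra)
    return out

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print(state_summary(scan))
    print(unexpected_open_ports(scan, REQUIRED_SERVICES))
```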

The Tools: Netcat Session

Simple Netcat connection between a Linux and a Microsoft Windows machine.

Ettercap

Similar to dsniff, Ettercap seems to be a little bit more versatile and up to date.

Demonstration: Performing the Security Assessment

Perform port scanning using Nmap

Use Nmap and Nessus to perform a vulnerability scan

Determine buffer overflow vulnerabilities

Use the Microsoft Baseline Security Analyzer to perform a vulnerability scan

Hydra can perform rapid dictionary attacks against more than 30 protocols, including Telnet, FTP, HTTP, HTTPS and much more

Reporting the Security Assessment Findings

Answer the following questions to complete the report:

What risk does the vulnerability present?

What is the source of the vulnerability?

What is the potential impact of the vulnerability?

What is the likelihood of the vulnerability being exploited?

What should be done to mitigate the vulnerability?

Where should the mitigation be done?

Who should be responsible for implementing the mitigations?

Session Summary

Plan your security assessment to determine scope and goals

Educate users to use strong passwords or pass-phrases

Assume that the attacker already knows the exact operating system and version, and take as many steps as possible to secure those systems

Keep systems up-to-date on security updates and service packs

Next Steps

Find additional security training events: http://www.microsoft.com/ireland/events/default.asp

Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx

Find additional e-learning clinics: https://www.microsoftelearning.com/security/

Refer to Assessing Network Security

Network Security Project Presentation

Abhinit Kumar Sharma

Appin