i c 3-2: network security
DESCRIPTION
I C 3-2: Network security. Part 1 - A general overview of network security. Outline. Network Topologies Network Addressing LANs MANs WANs. Ethernet. IEEE 802.3, technology originated from Xerox Corp. Data packaged into frames Network Interface Card (NIC) CSMA/CD Carrier Sense - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/1.jpg)
IC3-2: Network security
Part 1 - A general overview of network security
![Page 2: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/2.jpg)
Outline>Network Topologies>Network Addressing>LANs>MANs>WANs
![Page 3: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/3.jpg)
Ethernet>IEEE 802.3, technology originated from
Xerox Corp.>Data packaged into frames>Network Interface Card (NIC)>CSMA/CD
>Carrier Sense>Multiple Access>Collision Detection
![Page 4: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/4.jpg)
Network Cabling>Cabling
>Thick Ethernet – 10BASE-5>Thin Ethernet – 10BASE-2>Shielded & Unshielded Twisted Pair (STP,
UTP) – 10BASE-T (Cat 3) 100BASE-T (Cat 5)>Fibre Optic – Gigabit Ethernet>Wireless LAN
>TCP/IP Layer 1
![Page 5: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/5.jpg)
1 Physical2 DataLink3 Network
4 Transport5 Session
6 Presentation7 Application
Cabling in OSI Protocol Stack
Cabling
![Page 6: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/6.jpg)
Cabling Issues> Physical Environment
> Trunking> Network Closets> Risers
> Physical Environment - Issues> Single or multi-occupancy> Access Control to floor building> Network passes through public areas> Network infrastructure easily accessible > Network infrastructure shares facilities> Electromagnetic environment
![Page 7: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/7.jpg)
Thin Ethernet> Short overall cable runs.> Vulnerability: information broadcast to all
devices.> Threat: Information Leakage, Illegitimate Use
> Vulnerability: One cable fault disables network> Threat: Denial of Service
> Easy to install & attach additional devices> Vulnerability: Anyone can plug into hub.
> Threat: Illegitimate Use.> Rarely seen now.
Thin Ethernet
![Page 8: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/8.jpg)
UTP and Hub> Cable between hub and device is a single
entity> Only connectors are at the cable ends> Additional devices can only be added at the
hub> Disconnection/cable break rarely affects other
devices> Easy to install
hub
10/100BASE-T
UTP
![Page 9: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/9.jpg)
Other Layer 1 options> Fibre Optic
> Cable between hub and device is a single entity> Tapping or altering the cable is difficult> Installation is more difficult> Much higher speeds
> Wireless LAN> Popular where building restrictions apply.> Several disadvantages
> Radio signals are subject to interference, interception, and alteration.
> Difficult to restrict to building perimeter.> Security must be built in from initial network design.
![Page 10: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/10.jpg)
Hubs> Data is broadcast to everyone on the hub
> Vulnerability: information broadcast to all devices.> Threat: Information Leakage, Illegitimate Use
> Vulnerability: Anyone can plug into hub.> Threat: Illegitimate Use.
> TCP/IP Layer 1> Intelligent Hubs
> Signal regeneration.> Traffic monitoring.> Can be configured remotely.
![Page 11: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/11.jpg)
1 Physical2 DataLink3 Network
4 Transport5 Session
6 Presentation7 Application
Hubs in OSI Protocol Stack
Cabling, Hubs
![Page 12: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/12.jpg)
Ethernet Addressing >Address of Network Interface Card>Unique 48 bit value
>first 24 bits indicate vendor .>For example, 00:E0:81:10:19:FC
>00:E0:81 indicates Tyan Corporation>10:19:FC indicates 1,055,228th NIC
>Media Access Control (MAC) address
![Page 13: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/13.jpg)
IP Addressing> IP address is 32 bits long > Usually expressed as 4 octets separated by
dots> 62.49.67.170
> RFC 1918 specifies reserved addresses for use on private networks.
> 10.0.0.0 to 10.255.255.255> 172.16.0.0 to 172.31.255.255> 192.168.0.0 to 192.168.255.255
> Many large ranges assigned> 13.x.x.x Xerox, 18.x.x.x MIT, 54.x.x.x Merck
![Page 14: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/14.jpg)
IP address to Ethernet address>Address Resolution Protocol (ARP)
>Layer 3 protocol>Maps IP address to MAC address
>ARP Query>Who has 192.168.0.40? Tell 192.168.0.20
>ARP Reply>192.168.0.40 is at 00:0e:81:10:19:FC
>ARP caches for speed>Records previous ARP replies>Entries are aged and eventually discarded
![Page 15: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/15.jpg)
ARP Query & ARP Reply
Web BrowserIP 192.168.0.20
MAC 00:0e:81:10:17:D1Web Server
IP 192.168.0.40MAC 00:0e:81:10:19:FC
(1) ARP QueryWho has
192.168.0.40?
(2) ARP Reply192.168.0.40 is at 00:0e:81:10:19:FC
hub
10/100BASE-T
![Page 16: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/16.jpg)
Switches>Switches only send data to the intended
receiver.>Builds an index of which device has
which MAC address.
switch
10/100BASE-T
00:0e:81:10:19:FCMAC address
2 00:0e:81:32:96:af
Device 1
3 00:0e:81:31:2f:d74 00:0e:81:97:03:058 00:0e:81:10:17:d1
![Page 17: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/17.jpg)
Switch Operation>When a frame arrives at switch
>Switch looks up destination MAC address in index.
>Sends the frame to the device in the index that owns that MAC address.
>Switches are often intelligent:>Traffic monitoring, remotely configurable.
>Switches operate at Layer 2.
![Page 18: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/18.jpg)
1 Physical2 DataLink3 Network
4 Transport5 Session
6 Presentation7 Application
Switches in OSI Protocol Stack
Cabling,HubsSwitches
![Page 19: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/19.jpg)
ARP Vulnerability>ARP spoofing
>Masquerade threat>Gratuitous ARP>ARP replies have no proof of origin>A malicious device can claim any MAC
address>Enables all fundamental threats
![Page 20: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/20.jpg)
Before ARP spoofingIP 192.168.0.20
MAC 00:0e:81:10:17:d1
IP 192.168.0.40MAC 00:0e:81:10:19:FC
AttackerIP 192.168.0.1
MAC 00:1f:42:12:04:72
switch
MAC addressIP address 00:0e:81:10:19:FC192.168.0.40
192.168.0.1 00:1f:42:12:04:72
MAC addressIP address 00:0e:81:10:17:d1192.168.0.20
192.168.0.1 00:1f:42:12:04:72
![Page 21: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/21.jpg)
After ARP spoofingIP 192.168.0.20
MAC 00:0e:81:10:17:d1
IP 192.168.0.40MAC 00:0e:81:10:19:FC
AttackerIP 192.168.0.1
MAC 00:1f:42:12:04:72
switch
MAC addressIP address 192.168.0.40192.168.0.1 00:1f:42:12:04:72
MAC addressIP address 192.168.0.20192.168.0.1 00:1f:42:12:04:72
(2) Gratuitious ARP192.168.0.20 is at00:1f:42:12:04:72
(1) Gratuitious ARP192.168.0.40 is at00:1f:42:12:04:72
00:1f:42:12:04:72
00:1f:42:12:04:72
![Page 22: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/22.jpg)
Effect of ARP spoofingIP 192.168.0.20
MAC 00:0e:81:10:17:d1
IP 192.168.0.40MAC 00:0e:81:10:19:FC
AttackerIP 192.168.0.1
MAC 00:1f:42:12:04:72
switch
MAC addressIP address 192.168.0.40192.168.0.1 00:1f:42:12:04:72
MAC addressIP address 192.168.0.20192.168.0.1 00:1f:42:12:04:72
IP datagramDest: 192.168.0.40
MAC: 00:1f:42:12:04:72
00:1f:42:12:04:72
00:1f:42:12:04:72
MAC addressIP address Attackers relay index
00:0e:81:10:19:FC192.168.0.40192.168.0.20 00:0e:81:10:17:d1
![Page 23: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/23.jpg)
Switch Vulnerability>MAC Flooding
>Malicious device connected to switch>Sends multiple Gratuitous ARPs>Each ARP claims a different MAC address>When index fills, some switches revert to
hub behaviour
switch
00:0e:81:10:19:FCMAC address
4 00:0e:81:32:96:af
Device 1
4 00:0e:81:32:96:b1… …4 00:0e:81:32:97:a4
12
4
9999
44 00:0e:81:32:96:b03 4
![Page 24: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/24.jpg)
Safeguards?>Physically secure the switch>Switches should failsafe when flooded
>Threat: Denial of Service>Arpwatch: monitors MAC to IP address
mappings>Switch port locking of MAC addresses
>Prevents ARP spoofing>Reduces flexibility
![Page 25: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/25.jpg)
IP Routers>Routers support indirect delivery of ip
datagrams.>Employing routing tables.
>Information about possible destinations and how to reach them.
>Three possible actions for a datagram>Sent directly to destination host.>Sent to next router on way to known
destination.>Sent to default router.
>IP Routers operate at Layer 3.
![Page 26: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/26.jpg)
Routers in OSI Protocol Stack
1 Physical2 DataLink3 Network
4 Transport5 Session
6 Presentation7 Application
Cabling,HubsSwitchesRouters
![Page 27: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/27.jpg)
InternetRouters
switch
Router
switch
Router
192.168.1.10
192.168.1.11192.168.0.40192.168.0.254
62.49.147.170
62.49.147.169IP address 192.168.0.20
Subnet 255.255.255.0Default router 192.168.0.254
![Page 28: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/28.jpg)
InternetRouters
switch
Router
switch
Router
192.168.1.10
192.168.1.11192.168.0.40192.168.0.254
62.49.147.170
62.49.147.169
IP datagramDest: 192.168.0.40
IP address 192.168.0.20
Subnet 255.255.255.0Default router 192.168.0.254
192.168.1.254
![Page 29: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/29.jpg)
InternetRouters
switch
Router
switch
Router
192.168.1.10
192.168.1.11192.168.0.40192.168.0.254
62.49.147.170
62.49.147.169
IP datagramDest: 192.168.1.11
IP address 192.168.0.20
Subnet 255.255.255.0Default router 192.168.0.254
192.168.1.254
![Page 30: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/30.jpg)
InternetRouters
switch
Router
switch
Router
192.168.1.10
192.168.1.11192.168.0.40192.168.0.254
62.49.147.170
62.49.147.169
IP datagramDest: 134.219.200.69
IP address 192.168.0.20
Subnet 255.255.255.0Default router 192.168.0.254
192.168.1.254
![Page 31: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/31.jpg)
VLANs>VLAN is a virtual LAN.>Switch is configured to divide up
devices into VLANs.
>Device on one VLAN can’t send to deviceson another VLAN. switch
![Page 32: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/32.jpg)
VLANs & Routers>How to get from one VLAN to another?
>Connect them with a router.
switch
Router
![Page 33: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/33.jpg)
Secure?
D
CLayer 3…
192.168.0.2
Network 192.168.0.0
Network 192.168.1.0
192.168.1.1
192.168.1.2
A192.168.0.1
B
![Page 34: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/34.jpg)
Secure?
switch
DC
Layer 2…
At Layer 3, the switch is “invisible”At Layer 2, the switch becomes “visible”
AB
![Page 35: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/35.jpg)
TCP handshaking>Each TCP connection begins with three
packets:>A SYN packet from sender to receiver.
>“Can we talk?”>An SYN/ACK packet from receiver to sender.
>“Fine – ready to start?”>An ACK packet from sender to receiver.
>“OK, start”
![Page 36: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/36.jpg)
TCP HandshakingTCP Packet
SYN flag
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40TCP Packet
SYN & ACK flag
IP datagramSrc: 192.168.0.40
Dest: 192.168.0.20TCP Packet
ACK flag
IP datagramSrc: 192.168.0.20
Dest: 192.168.0.40
192.168.0.20192.168.0.40
“Can we talk?”
“Fine, ready to start?”
“OK, start”
![Page 37: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/37.jpg)
Tracking TCP handshakes>The destination machine has to track
which machines it has sent a “SYN+ACK” to
>Keeps a list of TCP SYN packets that have had a SYN+ACK returned.
>When ACK is received, packet removed from list as connection is open.
![Page 38: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/38.jpg)
TCP Denial Of Service> What if the sender doesn’t answer with an
ACK?> A SYN packet from sender to receiver.
> “Can we talk?”> An SYN/ACK packet from receiver to sender.
> “Fine – ready to start?”> ………………..nothing…………..……
> If the sender sends 100 SYN packets per second> Eventually receiver runs out of room to track the
SYN+ACK replies> SYN flooding.
![Page 39: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/39.jpg)
IP Spoofing>A machine can place any IP address in
the source address of an IP datagram.>Disadvantage: Any reply packet will
return to the wrong place.>Advantage (to an attacker): No-one
knows who sent the packet.>If the sender sends 100 SYN packets per
second with spoofed source addresses….
![Page 40: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/40.jpg)
TCP Denial of Service
TCP PacketSYN flag
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
TCP PacketSYN & ACK flag
IP datagramSrc: 192.168.0.20Dest: 62.49.10.1
192.168.0.20192.168.0.40
“Can we talk?”
“Fine, ready to start?”
TCP PacketSYN flag
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
TCP PacketSYN flag
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
TCP PacketSYN flag
IP datagramSrc: 62.49.10.1
Dest: 192.168.0.40
TCP PacketSYN & ACK flag
IP datagramSrc: 192.168.0.20Dest: 62.49.10.1
TCP PacketSYN & ACK flag
IP datagramSrc: 192.168.0.20Dest: 62.49.10.1
TCP PacketSYN & ACK flag
IP datagramSrc: 192.168.0.20Dest: 62.49.10.1
![Page 41: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/41.jpg)
TCP/IP Ports> Many processes on a single machine may be
waiting for network traffic.> When a packet arrives, how does the transport
layer know which process it is for?> The port allows the transport layer to deliver
the packet to the application layer.> Packets have source and destination port.
> Source port is used by receiver as destination of replies.
![Page 42: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/42.jpg)
Port Assignments>Well known ports from 0 to 1023
>http=port 80>smtp=port 25>syslog=port 514>telnet=23>ssh=22>ftp=21 + more…
>Registered ports from 1024 to 49151>Dynamic or private ports from 49152 to
65535
![Page 43: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/43.jpg)
Port Multiplexing
putty
Transport Layer
Internet Layer
Network Layer
Physical Network
telnet
Transport Layer
Internet Layer
Network Layer
Message
Packet
Datagram
Frame
Host A Host Bie net
scape apachePort 80Port 23Port
2077Port 2076 Port
2078
![Page 44: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/44.jpg)
Ports in Action
switch
HTTP messageGET index.html
www.localserver.orgTCP Packet
Src Port: 2076Dest Port: 80IP datagram
Src: 192.168.0.20Dest: 192.168.0.40
HTTP messageContents of index.htmlTCP PacketSrc Port: 80
Dest Port: 2076IP datagram
Src: 192.168.0.40Dest: 192.168.0.20
192.168.0.20 192.168.0.40
TELNET message
TCP PacketSrc Port: 2077Dest Port: 23IP datagram
Src: 192.168.0.20Dest: 192.168.0.40
TELNET message
TCP PacketSrc Port: 23
Dest Port: 2077IP datagram
Src: 192.168.0.40Dest: 192.168.0.20
![Page 45: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/45.jpg)
Network Sniffers> Network Interface Cards normally operating in
non-promiscuous mode.> Only listen for frames with their MAC address
> A sniffer changes a NIC into promiscuous mode.> Reads frames regardless of MAC address.
> Many different sniffers> tcpdump> ethereal> Snort
![Page 46: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/46.jpg)
![Page 47: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/47.jpg)
Sniffing legitimately>Do they have legitimate uses?
>Yes … when used in an authorised and controlled manner.
>Network analyzers or protocol analyzers.>With complex networks, they are used for
fault investigation and performance measurement.
>Useful when understanding how a COTS product uses the network.
![Page 48: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/48.jpg)
Detecting Sniffers>Detecting an sniffing attack>Very difficult, but sometimes possible
>Tough to check remotely whether a device is sniffing. Approaches include:
> Sending large volumes of data, then sending ICMP ping requests.
> Sending data to unused IP addresses and watching for DNS requests for those IP addresses.
> Exploiting operating system quirks.>AntiSniff, Security Software Technologies
![Page 49: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/49.jpg)
Sniffer Safeguards>Preventing attacks or limiting their
effects>Basically a matter of network and system
design security>Examples of safeguards are:
>Use of non-promiscuous interfaces.>Encryption of network traffic.>One-time passwords e.g. SecurId, skey.>Lock MAC addresses to switch ports – not
effective.
![Page 50: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/50.jpg)
Networks at the building level>New Threats
>Backbone which connects LANs>Interconnections between the LAN and the
backbone>Control of information flow within a larger
network>Network Management itself
![Page 51: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/51.jpg)
Backbone
HumanResources
Finance
Sales
Development
![Page 52: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/52.jpg)
Network Backbone Threats 1>Backbone carries all inter-LAN traffic>Confidentiality
>All data could be eavesdropped>Integrity
>Any errors could affect all the network traffic
>Availability>Loss of backbone means that workgroups
would be unable to communicate with each other
![Page 53: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/53.jpg)
Network Backbone Threats 2>Overview of Threats
>Point of interconnection between workgroup and backbone is a sensitive area
>From security viewpoint it:>Provides a point of access to the backbone>Provides a point of access to all the data
associated with a workgroup>Damage at this point could affect both the
workgroup and the backbone
![Page 54: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/54.jpg)
Network Management>An overview
>Management of complex networks is a difficult task
>Specialised tools are available (including HP OpenView, IBM Netview, Cabletron Spectrum, Sun NetManager)
![Page 55: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/55.jpg)
Fault Handling> Without network management, faults will:
> Disrupt network operation> Require substantial effort to identify> Require a long time to repair
> Network Management facilities combined with intelligent devices allows:> Faults to be handled / identified locally> Alert messages to be raised and gathered centrally> Appropriate actions to be taken
![Page 56: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/56.jpg)
Further Integration>Physical Network
>Cable Management Systems>Actual device locations
>Servers and Workstations>Servers disk space monitoring>Printer status
![Page 57: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/57.jpg)
LAN Safeguards - 1> Partitioning
> With a building network there will be different types of information being processed
> Some types of data will require extra protection e.g.> Finance> Personnel / Human Resources> Internal Audit> Divisional heads
> Two situations where extra controls are needed> Physically separate group or team> Widely distributed group of staff
![Page 58: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/58.jpg)
LAN Safeguards - 2>Partitioning
>Network configured so that:>Group workstations cabled to their own switch>Switches programmed to restrict data flow onto
the backbone>Add a Firewall
>Control use of any network services>Control systems that can be contacted
![Page 59: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/59.jpg)
LAN Safeguards – 3> Other Considerations
> If workgroup users are not located in a single area, different measures must be adopted
> In most cases, addressing is used to control traffic flow but does not prevent traffic being read in transit
> Higher level of security can be provided by encryption, but:
> Does encryption mechanism understand the network protocol?
> What is the performance impact of encryption?> How are encryption keys generated, distributed, and
stored?> Will a workstation on the encrypted workgroup be able
to communicate with an unencrypted server?
![Page 60: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/60.jpg)
MAN>Metropolitan Area Network>New Environment
>A network which encompasses several closely located buildings (sometimes also called a campus network)
>Such expanded network environments bring additional security concerns:
>Network exposed to outside world>Problems of scale
![Page 61: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/61.jpg)
MAN example
Building A
Building B
Building C
![Page 62: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/62.jpg)
MAN - 2>Exposure to outside world
>Network has left the security of the building>Small scale may rule out encryption>New risks must be assessed
>Private or public areas>Investigate constraints on solution
>e.g. buried or elevated links>May need non-physical links
>e.g. Laser, infra-red, microwave
![Page 63: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/63.jpg)
MAN - 3>Problem of scale
>Information flow must be controlled, and faulty network components (in one building) must not affect other buildings, so:
>Filters / bridges / firewalls will be needed>Network Information Centre (NIC) is
required>Normally a second level backbone is used
![Page 64: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/64.jpg)
WAN - 1>Wide Area Network
>National or International network>Threats Become More Significant:
>Sensitive data (including passwords) much more widely transmitted
>Switched network rather than point-to-point>Change management errors >Dark-room equipment sites>Unauthorised access to network links>Traffic flow monitoring (is this an issue?)
![Page 66: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/66.jpg)
WAN - 2>Impact of different media
>Fibre>Minimal external radiation>Special equipment required for tapping>Normally a tap causes disruption of service
>Satellite, radio, or microwave>Extensive external radiation>Special (but easily available) equipment needed
for tapping>Tapping does not disrupt services>Carrier MIGHT provide some encryption
![Page 67: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/67.jpg)
WAN - 3>Partitioning Networks - Physical
Separation>Provides good separation>Conceptually easy to understand>Legacy approach - in the days when
adequate logical separation was not possible
>Still done in very secure networks>Sharing data is difficult and uncontrolled>Costly
![Page 68: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/68.jpg)
WAN - 4>Partitioning Networks - Logical
Separation>Closed User Groups
>Multiple virtual networks on one physical one>Based on network addresses>Managed by the Network Management Centre
(NMC)>PVCs (Permanent Virtual Circuits)>Cryptography
![Page 69: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/69.jpg)
WAN - 5>Data Confidentiality
>Choice of physical media>Network Partitioning>Link Encryption (Layer 2)>End-to-end Encryption (Layer 4)>Key and equipment management issues
![Page 70: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/70.jpg)
WAN - 6>Link Encryption
>For individual links>Protocol Independent>Throughput is not normally an issue>Moderate cost (£700-£1000 per unit)
>But Link Encryption for Larger Networks>Is expensive>Is a management burden>Data is not protected inside switches
![Page 71: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/71.jpg)
WAN – 7>Conditions of Connection (COC)
>Very powerful tool for Network Services Dept. when it does not have direct authority
>Details users’ responsibilities>Responsible for security of their end systems>Comply with COC’s standards>Control access to end-systems and equipment>Protect user-ids, passwords etc.>Become security aware>Support tests investigations etc .
>User management signs up to it before getting the network service
![Page 72: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/72.jpg)
Internet> Internet connection prerequisite for most
corporations> Web browsing, email, file transfer> Increasingly used for business critical applications> Possible to replace expensive WAN link with
Internet VPN link> Threats Become Critical
> Route of sensitive data not guaranteed> Availability not guaranteed
> Denial of service attacks are real risk> Any Internet host can probe any other host > Plenty of malicious content (viruses, trojans,
pornography)
![Page 73: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/73.jpg)
Internet Safeguards>Firewalls to filter IP traffic>DeMilitarized Zones to isolate Internet-
facing machines from internal networks>Content filters to filter email & web
traffic content>VPNs to protect critical applications>Vital to understand how applications
communicate, to understand whether risk exists.
![Page 74: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/74.jpg)
IS3-2: Network security
Part 2 - Network management security
![Page 75: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/75.jpg)
Outline>The subject is divided into the following:
> Introduction> SNMP overview> SNMP security
![Page 76: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/76.jpg)
1 Introduction>Network management protocols enable
on-line management of computers & networks.
>They support:>configuration management,>accounting,>event logging,>help with problem diagnosis.
>They are application layer protocols.
![Page 77: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/77.jpg)
Management security>Two aspects of network management
security (as defined in ISO 7498-2):>management of security - support provided
by network management protocols for provision of security services, and
>security of management - means for protecting network management communications.
![Page 78: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/78.jpg)
Internet SNMP overview>The Simple Network Management
Protocol (SNMP) is part of the Internet network management system.>Version 1 (1990/91) is specified in RFCs
1155-1157, and 1212/1213.>Version 2 (1993), with some security
features , is specified in RFCs 1441-1448.>Version 3 (1999), with more complete
security features in RFCs 2570-2576
![Page 79: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/79.jpg)
SNMP V1 Architecture
UDP
Physical Network
Manager
IP
SNMP
Network
Central MIB
UDP
Agent
IP
SNMP
Network
Agent MIB
![Page 80: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/80.jpg)
Architectural model>Model based on
>a network management station (a host system running SNMP, with management s/ware)
>many network elements (hosts, routers, gateways, servers).
>Management agent at a network device implements SNMP>provides access to the Management
Information Base (MIB).
![Page 81: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/81.jpg)
SNMP managementManagement Station
NetworkElements
![Page 82: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/82.jpg)
Connectionless Protocol>Because V1 uses UDP, SNMP is a
connectionless protocol >No guarantee that the management traffic
is received at the other entity >Advantages :
>reduced overhead >protocol simplicity
>Drawbacks : >connection-oriented operations must be built into
upper-layer applications, if reliability and accountability are needed
>V2 & V3 can use TCP.
![Page 83: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/83.jpg)
SNMP Operations> SNMP provides three simple operations :
> GET : Enables the management station to retrieve object values from a managed station
> SET : Enables the management station to set object values in a managed station
> TRAP : Enables a managed station to notify the management station of significant events
> SNMP allows multiple accesses with a single operation
![Page 84: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/84.jpg)
SNMP Protocol Data Units> Get Request : Used to obtain object values from
an agent > Get-Next Request : Similar to the Get Request,
except it permits the retrieving of the next object instance (in lexicographical order) in the MIB tree
> Set Request : Used to change object values at an agent
> Response : Responds to the Get Request, Get-Next Request and Set Request PDUs
> Trap : Enables an agent to report an event to the management station (no response from the manager entity)
![Page 85: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/85.jpg)
SNMP Port Numbers>The UDP port numbers used for SNMP
are : 161 (Requests) and 162 (Traps)
>Manager behaviour : >listens for agent traps on local port 162 >sends requests to port 161 of remote agent
>Agent behaviour : >listens for manager requests on local port
161 >sends traps to port 162 of remote manager
![Page 86: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/86.jpg)
SNMP messages
SNMP messageGET-REQUEST
UDP datagramSrc Port: 3042Dest Port: 161IP datagram
Src: 192.168.0.20Dest: 192.168.0.254
192.168.0.40
192.168.0.254
192.168.1.254
192.168.2.254
192.168.254.254
SNMP messageGET-REQUEST reply
UDP datagramSrc Port: 161
Dest Port: 3042IP datagram
Src: 192.168.0.254Dest: 192.168.0.20
![Page 87: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/87.jpg)
SNMP Message Format> All V1 SNMP PDUs are built in the same way :
> Community - local concept, defined at each device
> SNMP community = set of SNMP managers allowed to access to this device
> Each community is defined using a unique (within the device) name
> Each manager must indicate the name of the community it belongs in all get and set operations.
Version Community SNMP PDU
![Page 88: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/88.jpg)
Trap Examples> Cisco router traps
> authentication> device is the addressee of an SNMP protocol message that is not
properly authenticated. (SNMPv1 - incorrect community string)> linkup
> device recognizes that one of the communication links represented in the agent's configuration has come up.
> linkdown> device recognizes a failure in one of the communication links
represented in the agent's configuration.> coldstart
> device is reinitializing itself so that the configuration may be altered.
> warmstart> device is reinitializing itself, but the configuration will not be
altered.
![Page 89: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/89.jpg)
Base SNMP Security Mechanisms>The basic SNMP Version 1 standard
provides only trivial security mechanisms, based on: >Authentication Mechanism >Access mode Mechanism
![Page 90: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/90.jpg)
Authentication Mechanism> Authentication Service: assure the destination
that the SNMP message comes from the source from which it claims to be
> Based on community name, included in every SNMP message from a management station to a device
> This name functions as a password : the message is assumed to be authentic if the sender knows the password
> No encryption of the community name
![Page 91: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/91.jpg)
SNMP V1 Key Vulnerability>If an attacker can view the community
string>They can masquerade as a member of the
community by including the community string in SNMP messages.
>The attacker may be able to manage any agent that shares that community string.
![Page 92: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/92.jpg)
Access Mode Mechanism>Based on community profiles >A community profile consists of the
combination of : >a defined subset of MIB objects (MIB view) >an access mode for those objects (READ-
ONLY or READ-WRITE) >A community profile is associated to
each community defined by an agent
![Page 93: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/93.jpg)
Security threats>Two primary threats:
>data modification - to an SNMP message,>masquerade - impersonator might send
false SNMP messages.>Two secondary threats:
>message stream modification - reordering, replay and/or delay of SNMP messages,
>eavesdropping - on SNMP messages.
![Page 94: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/94.jpg)
Security services>Identified security services to meet
threats:> data origin authentication,> data integrity,> message sequence integrity,> data confidentiality,> message timeliness & limited replay
protection
![Page 95: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/95.jpg)
User-based Security Model>A User, identified by UserName holds:
>Secret keys>Other security information such as
cryptographic algorithms to be used.>SNMP V3 entities are identified by
snmpEngineID.>Each managed device or management
station has an snmpEngineID
![Page 96: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/96.jpg)
Authoritative SNMP entities>Whenever a message is sent, one entity
is authoritative.>For get or set, receiver is authoritative.>For trap, response or report, sender is
authoritative.>Authoritative entity has:
>Localised keys>Timeliness indicators
![Page 97: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/97.jpg)
Timeliness Indicators>Prevent replay of messages.>Each authoritative entity maintains a
clock.>A non-authoritative entity has to
retrieve the time from the authoritative entity, confirm the received value, then maintain a synchronised clock.
>Messages can arrive within 150 seconds of their generated time.
![Page 98: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/98.jpg)
Keys>Keys generated from user password.>User provides password to all entities.>Each entity generates a key from the
password and generates two further keys using the entities snmpEngineID.>One for authentication>One for confidentiality
![Page 99: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/99.jpg)
Data Integrity and Authenticity> Generate a cryptographic “fingerprint” of any
message to be protected. > Send the “fingerprint” with the message.
> Derive two temporary keys K2, K3 from localized user key K1.
> Compute T = Hash(K3 | SNMP Msg)> Compute M = Hash(K2 | T)> First 96 bits of M are the MAC (Message
Authentication Code)> Must support HMAC-MD5-96, may support
HMAC-SHA-96
![Page 100: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/100.jpg)
Data Confidentiality>DES in Cipher Block Chaining mode.>Second localised key.>Has to be used together with Data
Integrity and Authenticity.
![Page 101: I C 3-2: Network security](https://reader035.vdocument.in/reader035/viewer/2022081507/56816337550346895dd3c5b0/html5/thumbnails/101.jpg)
Management of SNMP security>Following data needs to be managed:
>secret (authentication and privacy) keys,>clock synchronisation (for replay detection),>SNMP party information.
>SNMP can be used to provide key management and clock synchronisation.
>After manually setting up some SNMP parties, rest can be managed using SNMP.