Network Security

Post on 29-Jan-2022

Network Security Overview

•  A campus network is vulnerable to many types of network attacks.

•  While network attacks can’t be prevented, there are some steps that can be taken to minimize the impact an attack has on the network.


http://www.youtube.com/watch?v=dFsgggsxw6Q&feature=relmfu


Introduction

• There are many techniques used by a hacker to gain control of a network. The network administrator needs to be aware of the different ways an intruder can use to gain access or even control of a network.

• The information presented here is an example of what the hacker already knows and what the network administrator needs to know to protect the network.


Content

•  Intrusions (How an attacker gains control of a network)
–  Social Engineering Issues
–  Password Cracking
–  Packet Sniffing
–  Vulnerable Software
–  Viruses (email)
–  Wireless

•  Denial of Service
–  Denial of Service Attacks
–  Smurf
–  Distributed Denial of Service Attacks

•  Firewalls

•  Intrusion Detection

Intrusion (How an Attacker Gains Control of a Network)

Social Engineering

•  Social engineering is a way for an intruder (unauthorized user) to gain enough information to get access to the network.

http://www.youtube.com/watch?v=9uFZ5jzBTYk

•  Examples:
–  Attacker calls or emails
–  Looking at discarded trash

•  Solutions?
–  The problem is not completely solvable.
–  As the number of users increases, the number of possible ways to attack increases too.

•  The solution is educating the user:
–  Not to share passwords and log-in names
–  To require identification from support staff.


http://www.youtube.com/watch?v=K8lWLwuiDwk&feature=relmfu


Password Cracking

•  If the attacker can’t get the password from the user, the attacker can use password cracking.

•  Guessing the user’s password

•  Checking for “weak” passwords. You should use strong passwords.

•  Dictionary attack: using known passwords (a list) and many variations (upper and lower case and combinations) to try to log in.

•  Brute force attack: the attacker uses every possible combination of characters for the password.

Preventing Password Cracking

•  Don’t use passwords that are dictionary words

•  Don’t use your user name

•  Don’t use your user name backwards

•  Limit the number of log in attempts

•  Make your password sufficiently long (6 or more characters) with an alphanumeric combination (e.g. A b 1 & G 2 5 h).

•  Change passwords often
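As an added example (not part of the slides), this Python check applies the rules above to a candidate password, works out how many candidates the slide’s brute force attack would have to try for it, and caps failed log-in attempts. The wordlist, account name and passwords are constructed.

```python
import hmac
import string

# Constructed stand-in for a cracking wordlist; a real check would load a large list.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey"}

def check_password(password, username, min_len=6):
    """Return the rules from the slide that the password violates (empty = passes)."""
    problems = []
    lowered = password.lower()
    # Rule: don't use dictionary words (changing case does not help).
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    # Rule: don't use your user name, forwards or backwards.
    if lowered in (username.lower(), username.lower()[::-1]):
        problems.append("user name (forwards or backwards)")
    # Rule: sufficiently long; the slide says 6, current guidance is far longer.
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Rule: an alphanumeric combination, i.e. letters and digits together.
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both letters and digits")
    return problems

def brute_force_keyspace(password):
    """Candidates a brute force attack must enumerate: alphabet_size ** length,
    where the alphabet is the union of character classes the password uses."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    alphabet = sum(size for used, size in classes if any(used(c) for c in password))
    return alphabet ** len(password)

class LoginLimiter:
    """Locks an account after max_failures consecutive failed attempts, which caps
    the number of guesses an online dictionary or brute force attack gets."""
    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, username, password, real_password):
        """Return "locked", "ok" or "denied"."""
        if self.failures.get(username, 0) >= self.max_failures:
            return "locked"
        if hmac.compare_digest(password.encode(), real_password.encode()):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"
```

Compare brute_force_keyspace("abc") with brute_force_keyspace("Ab1&G25h") to see why the length and mixed-class rules matter.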


Packet Sniffing

•  Another way attackers can obtain a password is by sniffing the network’s data packets. This assumes that the attacker can see the network data packets.

•  Easy in a network that uses hubs but not in a network that uses switches.

•  The attacker will have to insert a device on the network that allows them to see the data packets.

•  The attacker will watch the data packets until a packet from an application such as telnet or FTP passes.

•  Many of these applications pass the user name and password over the network in plain text (unencrypted logins).


•  The way to prevent this is by encrypting the user name and password.
–  An encrypted alternative to telnet is SSH (Secure Shell).

•  SSL (Secure Socket Layer) is an encryption used by web servers.
–  For example, the packet transmission is encrypted when a credit card number is entered.

•  There is also a secured version of FTP.

•  Think about it. In these examples, in what OSI layer is the security implemented?
–  The application layer.
–  Security can also be implemented at layer three using IPSec (IP Security).
–  In IPSec each packet is encrypted prior to transmission across the network link.
–  IPSec is also a method used to encrypt VPN tunnels.

•  Do you know any method implemented in another OSI layer?

Vulnerable Software

•  In the process of writing large amounts of code, errors happen that can open access to the code and to a network.

http://www.youtube.com/watch?v=J0QXD2ts4Qc&feature=relmfu


Preventing vulnerable software attacks

•  Keep the software patches and service packs for the operating system current.

•  Turn off all services and ports that are not needed on a machine.
–  For example, if your machine does not use the web service, then turn this service off. Leaving these services on is like leaving the windows and doors of your house open. You are just inviting an attacker to come in. If you aren’t using a service, shut off the access.

•  The command netstat -a can be used to display the ports currently open on the Windows operating system. This command shows who is connected to your machine and the port number.

netstat -a

c:\> netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    pc-salsa2:1087         PC-SALSA2:0            LISTENING
  TCP    pc-salsa2:1088         PC-SALSA2:0            LISTENING
  TCP    pc-salsa2:135          PC-SALSA2:0            LISTENING
  TCP    pc-salsa2:137          PC-SALSA2:0            LISTENING
  TCP    pc-salsa2:138          PC-SALSA2:0            LISTENING
  UDP    pc-salsa2:nbname       *:*
  UDP    pc-salsa2:nbdatagram   *:*

The ports that are listening are just waiting for a connection. Every port that shows LISTENING is open and can accept a connection. For example, ports 135 and 137 are the NetBIOS and file sharing ports for Microsoft.

22

netstat -a c: netstat -a

Active Connections

Proto Local Address Foreign Address State

TCP pc-salsa2:1087 PC-SALSA2:0 LISTENING

TCP pc- salsa2:1088 PC-SALSA2:0 LISTENING

TCP pc- salsa2:135 PC-SALSA2:0 LISTENING

TCP pc- salsa2:137 PC- SALSA2:0 LISTENING

TCP pc- salsa2:138 PC- SALSA2:0 LISTENING

UDP pc- salsa2:nbname *:*

UDP pc- salsa2:nbdatagram *:*

•  For example, if your application is vulnerable and it is listening, then the machine is vulnerable to an attack.

•  It is a good idea to check to see what applications are running on your machine.

•  It is also a good idea to turn off ports that are not needed (how to turn them off depends on the application).

•  For example, if port 80 is open (WEB – IIS), then go to the Windows services and turn off the web application.
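The check the slide recommends, as an added example that is not part of the deck: parse a netstat -a listing, pick out the sockets that are waiting for a connection, and report the ones a machine’s allow list does not account for. The listing is constructed in the format shown above, extended with a web server on port 80 and one established connection.

```python
# Constructed listing in the format of the slide's Windows "netstat -a" output,
# extended with a web server (port 80) and one established connection.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    pc-salsa2:1087         PC-SALSA2:0            LISTENING
  TCP    pc-salsa2:135          PC-SALSA2:0            LISTENING
  TCP    pc-salsa2:137          PC-SALSA2:0            LISTENING
  TCP    pc-salsa2:138          PC-SALSA2:0            LISTENING
  TCP    pc-salsa2:80           PC-SALSA2:0            LISTENING
  TCP    pc-salsa2:1090         10.10.1.25:4455        ESTABLISHED
  UDP    pc-salsa2:nbname       *:*
  UDP    pc-salsa2:nbdatagram   *:*
"""

# Services named on the slides, so an unexpected listener can be labelled.
KNOWN_PORTS = {
    "80": "HTTP (IIS web server)",
    "135": "Microsoft RPC endpoint mapper",
    "137": "NetBIOS name service",
    "138": "NetBIOS datagram service",
    "nbname": "NetBIOS name service",
    "nbdatagram": "NetBIOS datagram service",
}

def parse_netstat(text):
    """Return (proto, local_port, foreign_address, state) for each socket row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                  # header or blank line
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""    # UDP rows have no State column
        rows.append((proto, local.rsplit(":", 1)[1], foreign, state))
    return rows

def listening_ports(text):
    """Sockets waiting for a connection: TCP rows in LISTENING plus every UDP socket."""
    return sorted({(p, port) for p, port, _, state in parse_netstat(text)
                   if state == "LISTENING" or p == "UDP"})

def unexpected_listeners(text, allowed):
    """Listeners not on the machine's allow list: candidates to shut off."""
    return [(p, port, KNOWN_PORTS.get(port, "unknown"))
            for p, port in listening_ports(text) if port not in allowed]
```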


http://www.youtube.com/watch?v=_4sFZgUWhB4&feature=relmfu


Viruses

•  What is virus?

•  What are the problems a virus can cause?

•  What is a worm?

•  How do viruses spread?

•  How can you prevent acquiring viruses?


Viruses

A virus is a malicious piece of code that, when run on your machine, will open a backdoor to the machine or might start a program that attacks other applications. Problems caused by viruses include:

–  annoyance

–  clogging up the mail server

–  denial of service

–  data loss

–  open holes for others to access your machine

–  attacks on other machines or networks on demand

Worms are a type of computer virus that typically proliferate by themselves.

Viruses

•  Today, most viruses are exchanged as email attachments.

•  For example, a user receives an email that says “Look at this!” trying to coax the user into opening the attachment. If the attachment is opened, the user’s computer could possibly become infected.

Do you want to see a virus in action?

http://www.youtube.com/watch?v=KbV-U_amx4M


Steps for preventing viruses

•  Only open attachments that come from known sources.
–  Even this can be a problem, because email addresses can be spoofed or the message can come from a known person whose computer has been infected.

•  Always run virus check software on the client machines. The virus checker will catch most viruses.

•  Include e-mail server filters.

•  Keep the virus software up to date.

Wireless vulnerabilities

•  WEP – Wired Equivalent Privacy: the goal is to provide the same security for a wireless connection that a wired connection provides.

•  The problem with WEP is the encryption is not very strong and an attacker can gain access through decrypting the data packets. This relates to 802.11b Wi-Fi (Wireless Fidelity).

•  Are there better methods?

•  An improvement with wireless security is provided with WPA and WPA2.

•  WPA stands for WiFi Protected Access, and it supports user authentication and replaces WEP as the primary way for securing wireless transfers.

•  WPA2 is an improved version of WPA that enhances wireless security by incorporating authentication of the user.


Key Terms

•  Social Engineering – A way for an intruder to obtain enough information from people to gain access to the network

•  Password Cracking – The attacker tries to guess the user’s password

•  Dictionary Attack – Uses known passwords and many variations (upper and lowercase and combinations) to try to log in to your account

•  Brute Force Attack – Attacker uses every possible combination of characters for the password

•  Packet Sniffing – A technique where the contents of data packets are watched

•  IPSec – (IP Security), in IPSec each packet is encrypted prior to transmission across the network link

•  Buffer Overflow – Happens when a program tries to put more data into a buffer than it was configured to hold

Key Terms

•  netstat -a – Command used to display the ports currently open on a Windows operating system; netstat -b displays the executable involved in creating the connection or listening port

•  Virus – A piece of malicious computer code that, when opened, can damage your hardware, software, or other files

•  Worm – A type of virus that attacks computers, typically proliferates by itself and can deny service to networks

•  WEP (Wired Equivalent Privacy) – The goal is to provide the same security for a wireless connection that a wired connection provides

Denial of Service

http://www.youtube.com/watch?v=jc-S4fa5BxQ


Denial of Service

•  Denial of Service (DoS) means that a service is being denied to a computer, network, or network server.

•  Denial of Service attacks can be on individual machines, on the network that connects the machines, or on both.

•  You can have denial of service attacks by exploiting software vulnerabilities. For example, a vulnerability in the software can permit a buffer overflow, causing the machine to crash. This affects all applications, even secure applications.

•  The vulnerable-software denial of service attack works by making the system reboot repeatedly.

•  Denial of service attacks can also be on routers, via the software options that are available for connecting to a router.

Spoof

•  Spoof means the attacker doesn’t use his IP address but will insert an IP address from the victim’s network as the source IP.

•  There is a lot of software on the Internet that enables someone to spoof an IP address.

Smurf Attack

•  The attacker hacks into an intermediate site.

•  The attacker sends a packet to 10.10.1.255, which is a broadcast address for the 10.10.1.0 subnet.

•  All of the machines on the 10.10.1.0 subnet will send a reply back to the source address.

•  If this attack was increased to all of the subnets in the 10.0.0.0 network, then an enormous number of data packets would be sent to the victim’s network.

•  This enables the attacker to generate a lot of data traffic on the victim’s network without requiring the attacker to have many resources.

Preventing Smurf-type attacks

Cisco routers have an interface command:

no ip directed-broadcast

This blocks directed broadcast packets to that subnet and prevents the network from becoming an intermediate site for a network attack such as this. Make sure this command or a similar command is the default or has been enabled on the router’s interface.

The no ip directed-broadcast command enables only the router to reply.

Prevention

•  To prevent your network from becoming a host for an attacker, use access lists to only allow specific sources for the network on each of the router’s interfaces.

•  For example, network B connects to a router. Only packets from Network B are allowed to pass through the router.

•  The downside of this is that it does become a maintenance problem, keeping track of the access lists, and processing access lists is processor intensive and can slow down the throughput of the packets.
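The two interface controls from the last two slides (no ip directed-broadcast, and an inbound access list on each interface) can be audited in a saved running-config. The following Python is an added example, not Cisco’s or the deck’s; the config excerpt is constructed, and the interface names, ACL number and addresses in it are invented.

```python
# Constructed excerpt in Cisco IOS running-config style (not from a real device).
RUNNING_CONFIG = """\
interface FastEthernet0/0
 description Link to Network B
 ip address 10.10.1.1 255.255.255.0
 no ip directed-broadcast
 ip access-group 101 in
!
interface FastEthernet0/1
 description Link to Network C
 ip address 10.10.2.1 255.255.255.0
 ip directed-broadcast
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
!
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 deny ip any any
"""

def parse_interfaces(config):
    """Map each interface name to its indented configuration lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None            # "!" or a global command ends the stanza
    return interfaces

def audit_interfaces(config, directed_broadcast_default_off=True):
    """Return {interface: [findings]} for the two controls on the slides.

    Since IOS 12.0 directed broadcasts are off by default and the running config
    shows only an explicit "ip directed-broadcast" that re-enables them; pass
    directed_broadcast_default_off=False for older images, where the "no" form
    must appear explicitly on every interface."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        enabled = "ip directed-broadcast" in lines
        disabled = "no ip directed-broadcast" in lines
        if enabled or (not disabled and not directed_broadcast_default_off):
            issues.append("directed broadcasts allowed: can serve as a Smurf intermediate")
        if not any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines):
            issues.append("no inbound access list restricting source networks")
        if issues:
            findings[name] = issues
    return findings
```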


Distributed Denial of Service

•  Attackers now use worms to distribute an attack. The attacker will do a port scan and look for an open port that is vulnerable to an attack.

•  The machine is attacked and the malicious software is distributed from the hacked machine. The attacker will repeat this for many victim machines.

•  Once the software is on the victim machines, the attacker can issue a command or instruction that starts the attack on a specific site.

•  The attack will come from a potentially massive number of machines that the worm has infected.

•  To stop DDoS attacks, stop intrusions to the network. The bottom line is PREVENT INTRUSIONS.

Key Terms

•  Denial of Service (DoS) – A service is being denied to a computer, network, or server

•  Directed Broadcast – The broadcast is sent to a specific subnet

•  Spoof – Inserting a different IP address in place of an IP packet’s source address to make it appear that the packet came from another network

Firewalls

Introduction

•  Firewalls are used in computer networks for protection against “network elements” (e.g. intrusions, denial of service attacks, etc.).

•  Access lists (ACLs) are the basic form of firewall protection, although an access list is not by itself a firewall. Access lists can be configured on a router, on a true dedicated firewall, or on the host computer.

Firewalls

•  Firewalls allow traffic from inside the network to exit but don’t allow general traffic from the outside to enter the network.

•  The firewall monitors the data traffic and recognizes where packets are coming from. The firewall will allow packets from the outside to enter the network if they match a request from within the network.

•  Firewalls are based on three technologies:
–  Packet filtering
–  Proxy server
–  Stateful packet filtering
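The difference between plain packet filtering and the stateful behaviour the slide describes (admit an outside packet only if it answers a request from inside), as an added Python example that is not part of the deck. The addresses, ports and traffic are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out": inside -> Internet, "in": Internet -> inside
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatelessFilter:
    """Plain packet filter (an ACL): judges each packet on its own. To let web
    replies back in it has to permit inbound traffic to every ephemeral port."""
    def __init__(self, inbound_permit_ports):
        self.permit = inbound_permit_ports

    def decide(self, pkt):
        if pkt.direction == "out":
            return "allow"
        return "allow" if pkt.dport in self.permit else "drop"

class StatefulFilter:
    """Records each outbound flow and admits an inbound packet only when it is the
    mirror image (the reply) of a recorded flow, as the slide describes."""
    def __init__(self):
        self.sessions = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reply_of in self.sessions else "drop"

# Constructed traffic: one legitimate web session and two unsolicited inbound packets.
TRAFFIC = [
    Packet("out", "TCP", "10.10.1.5", 1087, "198.51.100.7", 80),  # inside host browses
    Packet("in", "TCP", "198.51.100.7", 80, "10.10.1.5", 1087),   # the server's reply
    Packet("in", "TCP", "203.0.113.9", 80, "10.10.1.5", 1087),    # forged "reply" from elsewhere
    Packet("in", "TCP", "203.0.113.4", 4444, "10.10.1.5", 135),   # probe of the RPC/NetBIOS port
]

def run(filt, packets):
    """Apply a filter to packets in order and return the per-packet decisions."""
    return [filt.decide(p) for p in packets]
```

The stateless filter must hold the whole ephemeral port range open and so lets the forged reply through; the stateful filter drops everything that was not asked for.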


Access-lists

•  Access lists provide very basic protection for the network. The access list compares the source and destination IP address, the source and destination port numbers, and sometimes the access list might examine the packet contents above layer 4 (transport).

•  However, the access lists primarily focus on the network (layer 3) and transport (layer 4) layers. A router is often placed on the edge of a network to handle data traffic entering and exiting the network and it is common practice to block some data traffic.


Access-Lists

•  Access-lists (ACLs) are classified as follows:


Applying access-lists

The first two steps for applying access-lists on a router are to:

1) identify the problem

2) decide where to place the access list.

Intrusion Detection

The intrusion detection box will sit on the edge of your network so that data packets entering the network from the Internet can be monitored. The following are examples of what an intrusion box looks for:

•  Signatures – indicators of known attacks, for example, patterns of probes.

•  Probing – indicators of repeated attempts to make connections to certain machines and/or ports.
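The “Probing” indicator above, as an added Python example (not part of the deck): count how many distinct machine/port targets a single source touches within a time window, which catches both a port scan of one machine and a sweep of one port across many machines. The log format and every line in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed connection-attempt log in the form: time src:port -> dst:port flags.
LOG = """\
2022-01-29T10:00:01 203.0.113.4:51000 -> 10.10.1.5:21 SYN
2022-01-29T10:00:02 203.0.113.4:51001 -> 10.10.1.5:22 SYN
2022-01-29T10:00:02 203.0.113.4:51002 -> 10.10.1.5:23 SYN
2022-01-29T10:00:03 203.0.113.4:51003 -> 10.10.1.5:25 SYN
2022-01-29T10:00:04 203.0.113.4:51004 -> 10.10.1.5:80 SYN
2022-01-29T10:00:10 10.10.1.20:1087 -> 198.51.100.7:80 SYN
2022-01-29T10:00:20 10.10.1.20:1088 -> 198.51.100.7:80 SYN
2022-01-29T10:00:00 203.0.113.9:40000 -> 10.10.1.1:445 SYN
2022-01-29T10:02:00 203.0.113.9:40001 -> 10.10.1.2:445 SYN
2022-01-29T10:04:00 203.0.113.9:40002 -> 10.10.1.3:445 SYN
2022-01-29T10:06:00 203.0.113.9:40003 -> 10.10.1.4:445 SYN
2022-01-29T10:08:00 203.0.113.9:40004 -> 10.10.1.5:445 SYN
"""
LINE = re.compile(r"^(\S+) (\S+):\d+ -> (\S+):(\d+) \S+$")

def parse_events(log):
    """Yield (timestamp, source, (target_host, target_port)) for each attempt line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), (m.group(3), int(m.group(4)))

def detect_probes(log, threshold=5, window_s=60):
    """Return {source: most distinct (host, port) targets it touched inside any
    window_s-second window} for sources that reach threshold distinct targets."""
    by_src = defaultdict(list)
    for ts, src, target in parse_events(log):
        by_src[src].append((ts, target))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0                                  # sliding window over this source's attempts
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {target for _, target in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts
```

The slow sweep of port 445 only shows up with a longer window, which is the tuning trade-off between catching patient probing and alerting on normal repeat connections like the inside host’s web requests.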