
Network Security

Trish Miller

Objectives

Types of Attacks
Attacks on the OSI & TCP/IP Model
Attack Methods
Prevention
Switch Vulnerabilities and Hacking
Cisco Routers
Interesting links


Types of Attacks

Physical Access Attacks
Wiretapping
Server Hacking
Vandalism

Dialog Attacks
Eavesdropping
Impersonation
Message Alteration

Types of Attacks (Cont.)

Penetration Attacks
Scanning (Probing)
Break-in
Denial of Service
Malware
Viruses
Worms

Social Engineering
Opening Attachments
Password Theft
Information Theft

Risk Analysis of the Attack

What is the cost if the attack succeeds?
What is the probability of occurrence?
What is the severity of the threat?
What is the countermeasure cost?
What is the value of protecting the system?
Determine whether the countermeasure should be implemented.
Finally, determine its priority.

OSI & TCP/IP Related Attacks

OSI Model Related Attacks

Application layer:
Attacks on the web; attacks are typically viruses

Presentation:
Cracking of encrypted transmissions that use a short encryption key

Session:
Password theft
Unauthorized access with root permission

Transport & Network:
Forged TCP/IP addresses
DoS attacks

Data Link & Physical:
Network sniffers
Wire taps
Trojan horses
Malicious code

Attacks Related to TCP Packet

Port Number
Applications are identified by their port numbers.
Well-known ports (0-1023)
HTTP=80, Telnet=23, FTP=21 for the control connection and 20 for data transfer, SMTP=25
Allows applications to be accessed by the root user

Attacks Related to TCP Packet

IP address spoofing
Change the source IP address
To conceal the identity of the attacker
To have the victim think the packet comes from a trusted host
LAND attack

Attacks Related to TCP Packet

Port Number
Registered ports (1024-49152) for any application
Not all operating systems use these port ranges, although all use the well-known ports.

Attack Methods

Host Scanning
Network Scanning
Port Scanning
Fingerprinting

Attack Methods (Cont.)

Host Scanning
Ping a range of IP addresses or use alternative scanning messages.
Identifies victims.
Types of host scanning:
Ping scanning
TCP SYN/ACK attacks

Attack Methods (Cont.)

Network Scanning
Discovery of the network infrastructure (switches, routers, subnets, etc.).
Tracert and similar applications identify all routers along the route to a destination host.

Attack Methods (Cont.)

Port Scanning
Once a host is identified, scan all ports to find out if it is a server and what type it is.
Two types:
Server port scanning (TCP, UDP)
Client port scanning

NetBIOS
Ports 135-139 are the NetBIOS ports, used for file and print services.
GRC.com is a free website that scans your PC for open ports.

Attack Methods (Cont.)

Fingerprinting
Discovers the host operating system and applications, as well as their versions.
Active (sends)
Passive (listens)
Nmap does all major scanning methods.

Attack Methods (Cont.)

Denial-of-Service (DoS) Attacks
Attacks on availability.
SYN flooding attacks overload a host or network with connection attempts.
Stopping DoS attacks is very hard.

Attack Methods (Cont.)

The Break-In
Password guessing
Taking advantage of unpatched vulnerabilities
Session hijacking

After the Compromise

Download rootkit via TFTP
Delete audit log files
Create backdoor account or Trojan backdoor programs

After the Compromise (Cont.)

Weaken security
Access to steal information or do damage
Install malicious software (RAT, DoS zombie, spam relay, etc.)

Prevention

Prevention
Stealth Scanning
Access Control
Firewalls
Proxy Servers
IPsec
Security Policies
DMZ
Host Security

Stealth Scanning
Noisiness of attacks
Exposure of the attacker's IP address
Reduce the rate of attack below the IDS threshold
Scan selective ports
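The IDS-threshold point above can be made concrete with a small detector. This is an added example, not code from the slides: it parses constructed firewall-style SYN log lines and flags sources that touch many distinct ports within a sliding window, which shows that a scan slowed below a short window's threshold is only caught when the window is widened. The log format and all addresses are assumed, constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumed, not from any real product):
# "<ISO timestamp> SRC=<ip> DST=<ip> DPT=<port> SYN"
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=\S+ DPT=(\d+) SYN$")

def parse(lines):
    """Yield (timestamp, source_ip, destination_port) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))

def scanning_sources(lines, threshold, window_seconds):
    """Sliding-window detector: flag a source once it has touched at least
    `threshold` distinct ports within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)                     # src -> [(ts, port), ...]
    for ts, src, port in parse(lines):
        events[src].append((ts, port))
    flagged = set()
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                         # slide the window forward
            if len({port for _, port in hits[start:end + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged

def make_log():
    """Constructed sample: a fast scanner, a slow scanner that spaces its
    probes two minutes apart, and a normal client reconnecting to port 443."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    fmt = "{} SRC={} DST=192.0.2.10 DPT={} SYN"
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445]):
        lines.append(fmt.format((base + timedelta(seconds=i)).isoformat(), "203.0.113.7", port))
        lines.append(fmt.format((base + timedelta(minutes=2 * i)).isoformat(), "198.51.100.9", port))
    for i in range(3):
        lines.append(fmt.format((base + timedelta(seconds=30 * i)).isoformat(), "192.0.2.55", 443))
    return lines

if __name__ == "__main__":
    log = make_log()
    print("60 s window:", scanning_sources(log, 5, 60))      # fast scanner only
    print("1 h window :", scanning_sources(log, 5, 3600))    # slow scanner as well
```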

Access Control
The goal of access control is to prevent attackers from gaining access, and to stop them if they do.
The best way to accomplish this is to:
Determine who needs access to the resources located on the server.
Decide the access permissions for each resource.
Implement specific access control policies for each resource.
Record mission-critical resources.
Harden the server against attacks.
Disable invalid accounts and establish policies.

Firewalls
Firewalls are designed to protect you from outside attempts to access your computer, whether for the purpose of eavesdropping on your activities, stealing data, sabotage, or using your machine as a means to launch an attack on a third party.

Firewalls (Cont.)
Hardware
Provides a strong degree of protection from the outside world.
Can be effective with little or no setup.
Can protect multiple systems.

Software
Better suited to protect against Trojans and worms.
Allows you to configure the ports you wish to monitor, giving you finer control.
Protects a single system.

Firewalls Can Prevent
Discovery
Network
Traceroute
Penetration
Synflood
Garbage
UDP Ping
TCP Ping
Ping of Death

Proxy
A proxy server is a buffer between your network and the outside world.
Use an anonymous proxy to prevent attacks.

IPsec
Provides various security services for traffic at the IP layer.
These security services include:
Authentication
Integrity
Confidentiality

IPsec overview - how IPsec helps

Problem: Unauthorized system access
How IPsec helps: Authentication, tamperproofing
Details: Defense in depth by isolating trusted from untrusted systems

Problem: Targeted attacks on high-value servers
How IPsec helps: Authentication, tamperproofing
Details: Locking down servers with IPsec. Examples: HR servers, Outlook Web Access (OWA), DC replication

Problem: Eavesdropping
How IPsec helps: Authentication, confidentiality
Details: Defense in depth against password or information gathering by untrusted systems

Problem: Government guideline compliance
How IPsec helps: Authentication, confidentiality
Details: Example: all communications between financial servers must be encrypted.

DMZ (diagram)

Host Security

Hardening Servers
Cisco IOS
Upgrades and Patches
Unnecessary Services
Network Monitoring tools

Switch Vulnerabilities and Hacking

CDP Protocol
Used to locate IP address, version, and model.
Mass amounts of CDP packets can be sent to cause a crash.
Used to troubleshoot the network, but should be disabled.

ARP Poisoning
Intercepts user data by poisoning the ARP cache of an end node.
The MAC address is used to determine the destination; the device driver does not check it.
A user can forge an ARP datagram for a man-in-the-middle attack.
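Because the driver does not check ARP replies, the practical defence is to watch the bindings they announce. This is an added example, not from the slides: it parses raw 28-byte ARP payloads and keeps an IP-to-MAC table, alerting when an address rebinds to a different MAC, especially one that already owns another IP. The packet builder, MACs and IPs are constructed for the demo.

```python
import struct

# Ethernet/IPv4 ARP payload: htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload (1 = request, 2 = reply) for the demo."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse_arp(pkt):
    """Return (opcode, sender_mac, sender_ip) from a raw ARP payload."""
    _, ptype, hlen, plen, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, pkt[:28])
    if ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return oper, sha.hex(":"), ".".join(str(b) for b in spa)

class ArpWatch:
    """Passive monitor: remembers the IP->MAC binding announced in each ARP
    reply and reports when a binding changes (the symptom of cache poisoning)."""
    def __init__(self):
        self.table = {}                            # ip -> mac seen in replies

    def observe(self, pkt):
        oper, mac, ip = parse_arp(pkt)
        if oper != 2:                              # requests do not rebind caches
            return None
        old = self.table.setdefault(ip, mac)
        if old == mac:
            return None
        self.table[ip] = mac
        # one MAC now claiming a second IP (e.g. the gateway) is the classic MITM sign
        shared = [other for other, m in self.table.items() if m == mac and other != ip]
        extra = f" (MAC already announced for {', '.join(shared)})" if shared else ""
        return f"ALERT: {ip} moved from {old} to {mac}{extra}"

if __name__ == "__main__":
    watch, zero = ArpWatch(), "00:00:00:00:00:00"
    gateway, rogue = "00:11:22:33:44:01", "00:11:22:33:44:66"   # constructed MACs
    for reply in (build_arp(2, gateway, "192.0.2.1", zero, "192.0.2.10"),
                  build_arp(2, rogue, "192.0.2.66", zero, "192.0.2.10"),
                  build_arp(2, rogue, "192.0.2.1", zero, "192.0.2.10")):
        alert = watch.observe(reply)
        if alert:
            print(alert)
```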

SNMP
SNMP manages the network.
Authentication is weak: the public and private community strings are sent in clear text.
Uses the UDP protocol, which is prone to spoofing.
Enable SNMPv3 without backwards compatibility.

Spanning Tree Attacks

Standard STP takes 30-45 seconds to deal with a failure or root bridge change.
Purpose: a Spanning Tree attack lets the attacker view the traffic on the backbone.
Only devices affected by the failure notice the change.
The attacker can create a DoS condition on the network by sending BPDUs from the attacking host.

Spanning Tree Attacks (Cont.)

STEP 1: MAC flood the access switch.
STEP 2: Advertise as a priority zero bridge.
STEP 3: The attacker becomes the root bridge!
Spanning Tree recalculates.
The original network backbone is now the path from the attacking host to the other switches on the network.

STP Attack Prevention

Disabling STP can introduce another attack.
BPDU Guard
Disables a port running portfast upon detection of a BPDU message on that port.
Enabled on any ports running portfast.
Root Guard
Prevents a device behind a port from becoming the root bridge through the BPDUs it sends.
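To show what BPDU Guard and Root Guard react to, here is an added example, not Cisco code and not from the slides: it builds and parses 802.1D configuration BPDUs and models a port with either guard, so a priority-zero root claim like STEP 2 above is err-disabled on an edge port and refused on a root-guarded uplink. The port names, MACs and the priority-only comparison are assumptions of the demo.

```python
import struct

# IEEE 802.1D configuration BPDU (35 bytes): protocol id, version, type, flags,
# root id, root path cost, bridge id, port id, message age, max age, hello, fwd delay
BPDU_FMT = "!HBBB8sI8sHHHHH"

def bridge_id(priority, mac):
    return struct.pack("!H6s", priority, bytes.fromhex(mac.replace(":", "")))

def build_config_bpdu(root_priority, root_mac, bridge_priority, bridge_mac, cost=0):
    """Constructed configuration BPDU used to drive the demo."""
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, bridge_id(root_priority, root_mac), cost,
                       bridge_id(bridge_priority, bridge_mac), 0x8001, 0, 20 << 8, 2 << 8, 15 << 8)

def parse_bpdu(frame):
    """Return (root_priority, root_mac, root_path_cost) from a config BPDU."""
    proto, _, btype, _, rid, cost, *_ = struct.unpack(BPDU_FMT, frame[:35])
    if proto != 0 or btype != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    priority, mac = struct.unpack("!H6s", rid)
    return priority, mac.hex(":"), cost

class SwitchPort:
    """Assumed model of the two guards: BPDU Guard on a portfast (edge) port
    err-disables it on any BPDU; Root Guard refuses a BPDU that claims a root
    with a better (lower) priority than the root the switch already knows."""
    def __init__(self, name, portfast=False, root_guard=False):
        self.name, self.portfast, self.root_guard = name, portfast, root_guard
        self.state = "forwarding"

    def receive_bpdu(self, frame, current_root_priority):
        root_priority, root_mac, _ = parse_bpdu(frame)
        if self.portfast:
            self.state = "err-disabled"
            return f"{self.name}: BPDU Guard err-disabled port (root claim {root_priority}/{root_mac})"
        # priority only; a full bridge-ID comparison also breaks ties on the MAC
        if self.root_guard and root_priority < current_root_priority:
            self.state = "root-inconsistent"
            return f"{self.name}: Root Guard blocked superior BPDU (priority {root_priority})"
        return None

if __name__ == "__main__":
    rogue = build_config_bpdu(0, "00:11:22:33:44:66", 0, "00:11:22:33:44:66")   # priority-zero claim
    normal = build_config_bpdu(32768, "00:11:22:33:44:01", 32768, "00:11:22:33:44:02")
    for port in (SwitchPort("Gi0/1", portfast=True), SwitchPort("Gi0/24", root_guard=True)):
        for bpdu in (normal, rogue):
            print(port.receive_bpdu(bpdu, current_root_priority=32768), port.state)
```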

CSM and CSM-S

Cisco Content Switching Module
Cisco Content Switching Module with SSL

CSD
Cisco Secure Desktop
3 major vulnerabilities:
Maintains information after an Internet browsing session; this occurs after an SSL VPN session ends.
Evades the system policies that prevent logoff, which allows a VPN connection to be activated.
Allows local users to elevate their privileges.

Prevention
Cisco has software to address the vulnerabilities.
There are workarounds available to mitigate the effects of some of these vulnerabilities.

Cisco Routers

Two potential issues with Cisco routers:
Problems with certain IOS software
SNMP

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4
Problem with the software: confidential information can be leaked out.
Software updates on the Cisco site can fix this problem.

Virtual Private Networks (diagram: virtual connection 1 and virtual connection 2; a connection error leads to an information leak)

Cisco uBR10012 series devices automatically enable SNMP read/write access.
Since there are no access restrictions on this community string, attackers can exploit this to gain complete control of the device.

(Diagram: Cisco router and attacking computer)
By sending an SNMP set request with a spoofed source IP address, the attacker can get the victim router to send him its configuration file.
With this information, the remote computer will have complete control over this router.

Fixes: software updates available on the Cisco site fix the read/write problem.
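The SNMP slide earlier (community strings in clear text) and the uBR10012 set-request problem above rest on the same wire format, so one added example serves both. This is not code from the slides or from Cisco: a minimal BER decoder that pulls version, community and PDU type out of an SNMPv1/v2c datagram, plus a monitoring rule that alerts on any SetRequest or default community seen on the network. The encoder and the community strings are constructed for the demo.

```python
# BER helpers (short-form lengths are enough for these small constructed messages)
def tlv(tag, body):
    if len(body) > 127:
        raise ValueError("long-form BER lengths not handled by the demo encoder")
    return bytes([tag, len(body)]) + body

def ber_int(value):                     # non-negative small integers only
    return tlv(0x02, bytes([value]) if value < 128 else value.to_bytes(2, "big"))

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos); the decoder handles short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def build_snmp(version, community, pdu_tag):
    """Constructed SNMPv1 (0) / v2c (1) datagram with one sysName.0 varbind."""
    sysname0 = bytes.fromhex("2b06010201010500")          # OID 1.3.6.1.2.1.1.5.0
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, sysname0) + tlv(0x05, b"")))
    pdu = tlv(pdu_tag, ber_int(1) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

def inspect_snmp(datagram):
    """Return (version, community, pdu_name); none of it is encrypted on the wire."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg)
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):
        raise ValueError("only v1/v2c carry a clear-text community string")
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, _, _ = read_tlv(msg, pos)
    return version, community.decode(errors="replace"), PDU_NAMES.get(pdu_tag, hex(pdu_tag))

def alerts(datagrams):
    """Monitoring rule: any SetRequest, or any default community, is worth an alert."""
    out = []
    for d in datagrams:
        version, community, pdu = inspect_snmp(d)
        if pdu == "SetRequest" or community in ("public", "private"):
            out.append(f"SNMPv{'1' if version == 0 else '2c'} {pdu} community={community!r}")
    return out
```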

Links
http://sectools.org/tools2.html
http://insecure.org/sploits/l0phtcrack.lanman.problems.html
http://www.grc.com/intro.htm
http://www.riskythinking.com
http://www.hidemyass.com/
