Transcript Security Fundamentals

Security fundamentals
Topic 6
Securing the network infrastructure
Agenda
• Security at the TCP/IP layers
• Security at the physical layer
• Securing network devices
Network layer attacks
• MAC address spoofing
– Attackers can create packets with the MAC address of a different
computer and impersonate that computer
• Denial of Service (DoS)
– Overloads a single system so that it cannot provide the service it is
configured to provide
– Sends frames designed to use up all the resources of the target device
• ARP cache poisoning
– Incorrect or spoofed entries are added to the ARP cache – messages
are sent to incorrect destinations
Internet layer attacks
• IP address spoofing
– Source addresses of IP packets are spoofed to impersonate another computer
• Man-in-the-middle attack
– Attacker intercepts and reads or modifies packet contents without the knowledge of the
source or destination computers
• Denial of Service
– Attacker overloads the TCP/IP stack with a large number of invalid packets which
prevents processing of legitimate packets
– Attacker changes entries in routing tables to prevent delivery of packets
• Incorrect reassembly of fragmented datagrams
– Offset field used to reassemble fragments is changed so that they can’t be reassembled
correctly – datagram could pass through a firewall when it shouldn’t
• Avoiding detection by fragmenting datagrams
– An attacker might fragment a packet to hide patterns (such as virus signatures) to avoid
detection
• Corrupting packets
– Information in IP header fields is modified
Transport layer attacks
• Manipulation of UDP or TCP ports
– Attacker can format packets so they appear to come from a port
allowed by the firewall
• Denial of service
– SYN flood attack to leave sessions half open until router cannot accept
anymore connections
• Session hijacking
– After the connection is established, attacker predicts TCP sequence
numbers and takes over the connection with his own segments
Application layer attacks
• Specific to the application layer protocol
• Common attacks exploit:
– Email protocols
– Web protocols
– DNS
Network cabling security
• Coaxial cables
– Cutting or destroying cables
– Noise from EMI or RFI
– Removing a terminator
• Eavesdropping traffic by tapping into coaxial cable at any
point on network
• Mitigation
–
–
–
–
–
Protect the Cable: bury it, inside walls, tamperproof containers
Document the cable infrastructure
Investigate all outages
Inspect your cables regularly
Investigate undocumented hosts and connections
Network cabling security
• Twisted pair
– Cutting or destroying cables
– Noise from EMI or RFI, STP mitigates the impact of EMI and RFI
• Mitigation
–
–
–
–
–
–
Protect the cables
Protect the switches and patch panels
Document the cable infrastructure
Investigate all outages
Inspect your cables and infrastructure regularly
Investigate undocumented hosts and connections
• Eavesdropping
– Using a protocol analyser or packet sniffer (requires physical connection)
– Splicing into a cable
– Listening to electromagnetic signals from the signals passing through the
wire
Network cabling security
• Fiber optic cables
– Bend or snap the cable
– Any damage will disrupt the signal
• Eavesdropping
– Virtually impossible – requires cutting cable and polishing ends and
connecting a device
• Mitigation
–
–
–
–
–
–
Protect the cables
Protect the switches and patch panels
Document the cable infrastructure
Investigate all outages
Inspect your cables and infrastructure regularly
Investigate undocumented hosts and connections
Device security
• Compromising switches and bridges
– If an attacker has physical access, he can disable a switch
– Attach a computer to a span port which receives all switch traffic
– Transmit frames with spoofed MAC address to corrupt the MAC
address table
– Flood the switch with frames to disrupt operations
• Gaining administrative access
– Port mirroring: map the input and output of one or more ports to a
single port to eavesdrop on communications
– Change the MAC address table to redirect traffic
• ARP cache poisoning
– Attacker can overwrite entries in the ARP cache allowing attacker to
eavesdrop or hijack a session
Securing switches and bridges
• Physical security
– Limit physical access, use security personnel and monitoring (cameras)
• Protecting admin functions with passwords
– Set complex passwords and change routinely
– Restrict access to few staff
– Manually enter ARP mappings on critical devices: servers, switches
and bridges
– Keep up to date with patches
– Document configurations so you know what is normal and authorised
• Monitoring for security breaches
– Monitor devices for unauthorised connections
– ARPWATCH to monitor traffic and keep MAC-to-IP address mappings
Securing routers
• Compromising routers
– Susceptible to ARP cache poisoning
– Routing tables can be changed either administratively or with
incorrect routing updates
– RIP spoofing – updating routing tables with bogus updates
– ACLs can be changed if admin access is compromised
– Insecure protocols, services could be enabled
Securing routers
• Keep routers in secure locations: locked server rooms and
wiring closets
• Secure all physical connections to network segments
• Use security personnel and monitoring (cameras)
• Set complex passwords and change regularly
• Keep up to date with latest patches
• Restrict staff with access and locations access can come from
• Set ACLs to prevent inappropriate connections
• Set passwords for routing updates
• Disable insecure protocols and services
• Document and regularly review the network
Securing telecommunications
• Compromised by
– Free long distance calls by changing billing records
– Compromise or shut down the organisation’s
voice mail system
– Reroute incoming, transferred or outgoing calls
– Gain access to voice mail boxes of employees
Securing PBX systems
• Vulnerabilities
–
–
–
–
–
Insecure or default passwords are used
Older PBX systems don’t implement latest security technology
Lack of knowledge and security procedures: social engineering
Remote management connections could be compromised
Unused floors and offices may have active connections
• Protecting PBX
–
–
–
–
–
–
–
–
–
–
Physically securing PBX equipment
Control access to PBX wiring room and switching equipment
Document
Routinely check unauthorised connections
Secure offsite transfers with passwords (for updates)
System exclusion lists to limit long distance calling
Shut down services not required during off days and hours
Educate users
Enforce PBX password change and audit policy
Secure maintenance ports, limit entry ports, log all system access
Securing modems
Compromising modems
• Can be used to circumvent firewall security
• Can be used to provide direct access to internal computers
• War dialling to discover computers with modems attached
Mitigation
• Remove all unnecessary modems
• If modem is required for outgoing calls make sure it is configured
not to accept incoming calls
• Software/security updates for computers with modems
• Monitor security bulletins
• Isolate computers with modems to limit the damage
• Monitor computers with modems to ensure they have not been
compromised
Lesson summary
• What some TCP/IP layer attacks are, and
security practices
• What some physical layer attacks are, and
security practices
• Practices for securing network cabling and
network devices and threats associated