Network Security - University of Northampton

Download Report

Transcript Network Security - University of Northampton

Network Security
A General Introduction
Outline
Network Gatekeepers
 Identifying network threats
and countermeasures
 Using secure router, firewall,
and switch configurations

Network Gatekeepers


Network is the entry
point to application and
control access to the
various servers in the
enterprise environment
The basic components of
a network, which act as
the front-line gatekeepers,
are the:
◦ router,
◦ firewall, and
◦ switch.
Threats and Countermeasures
An attacker looks for poorly configured
network devices to exploit.
The following are high-level network
threats:
 Information gathering
 Sniffing
 Spoofing
 Session hijacking
 Denial of service

Information Gathering
Information gathering can reveal detailed
information about network topology, system
configuration, and network devices.
Attacks
 Using Tracert (Traceroute) to detect
network topology
 Using Telnet to open ports for banner
grabbing
 Using port scans to detect open ports
 Using broadcast requests to enumerate
hosts on a subnet

Countermeasures- Information
gathering
Use generic service banners that do not
give away configuration information such
as software versions or names.
 Use firewalls to mask services that should
not be publicly exposed

Sniffing
Sniffing, also called eavesdropping, is the act
of monitoring network traffic for data,
such as clear-text passwords or
configuration information.
Vulnerabilities
 Weak physical security
 Lack of encryption when sending sensitive
data
◦ With a simple packet sniffer, all plaintext
traffic can be read easily
Countermeasures
Some of the countermeasures:
 Strong physical security that prevents
rogue devices from being placed on the
network
 Encrypted credentials and application
traffic over the network
Spoofing

Spoofing, is a means to hide one's true
identity on the network.
◦ A fake source address is used that does not
represent the actual packet originator's address

Vulnerabilities
Lack of ingress and egress filtering.
◦ Ingress filtering is the filtering of any IP packets
with un-trusted source addresses before they
have a chance to enter and affect your system or
network.
◦ Egress filtering is the process of filtering
outbound traffic from your network.
Countermeasures
Countermeasures
 Use of ingress and egress filtering on
perimeter routers using Access Control
Lists (ACLs)
Denial of Service
Network-layer denial of service attacks
usually try to deny service by flooding the
network with traffic, which consumes the
available bandwidth and resources.
 Vulnerabilities
 Weak router and switch configuration
 Unencrypted communication

Countermeasures – denial of
service
Filtering broadcast requests
 Filtering Internet Control
Message Protocol (ICMP)
requests
 Patching and updating of service
software

Router Considerations
The router is the very first line
of defense.
 It provides packet routing,
 It can also be configured to block
or filter the forwarding of packet
types that are known to be
vulnerable or used maliciously,
such as ICMP

Router Considerations - Protocol

Protocols
◦ Denial of service attacks take advantage of protocol-level
vulnerabilities, for example, by flooding the network
Prevent attack
◦ Use ingress and egress filtering.
 Incoming packets with an internal address can indicate an intrusion
attempt or probe and should be denied entry to the perimeter
network
 set up router to route outgoing packets only if they have a valid
internal IP address
◦ Screen ICMP traffic from the internal network
 Blocking ICMP traffic at the outer perimeter router protects you
from attacks such as cascading ping floods
 ICMP can be used for troubleshooting, it can also be used for
network discovery and mapping
 Enable ICMP in echo-reply mode only
Router Considerations - Protocol


Protocols
◦ Do Not Receive or Forward Directed Broadcast Traffic
 Directed broadcast traffic can be used as a vehicle for a denial
of service attack
 Example:
 10.0.0.0/8
 127.0.0.0/8
 169.254.0.0/16 – link local network
Prevent Traceroute packets
Trace routing is a means to collect network topology
information. By blocking packets of this type, you prevent an
attacker from learning details about your network from trace
routes.
Router Considerations

Patches and updates
◦ stay current with both security issues and service
patch



Disable unused interfaces.
Apply strong password policies.
Use static routing.
◦ An attacker might try to change routes to cause
denial of service or to forward requests to a
rogue server

Audit Web facing administration interfaces
Router Considerations- Services
Services
 To reduce the attack surface area, default
services that are not required should be
shut down.

◦ Examples include bootps and Finger, which
are rarely required.You should also scan your
router to detect which ports are open.
Firewall - 1





The role of the firewall is to block all unnecessary
ports and to allow traffic only from known ports.
A firewall should exist anywhere you interact
with an untrusted network, especially the
Internet.
Separate your Web servers from downstream
application and database servers with an internal
firewall
The firewall should be configured to monitor and
prevent attacks and detecting intrusion attempts.
Firewall may runs on an operating system , hosted
by a router or on a specialist hardware.
Firewall -2
The configuration categories for the
firewall include:
 Patches and updates
 Filters
 Auditing and logging
 Perimeter networks
 Intrusion detection

Switch


Switches are designed to improve network
performance to ease administration
Traffic is not shared between switched
segments. T
◦ This is a preventive measure against packet
sniffing between networks.

An attacker can circumvent this security by
◦ reconfiguring switching rules
 using easily accessed administrative interfaces, I
 known account names and passwords
Considerations - Secure switching


Install latest patches and updates
Virtual Local Area Networks (VLANs)
◦ Virtual LANs separate network segments and
allow application of access control lists based on
security rules.

Insecure defaults
◦ change all factory default passwords and to
prevent network enumeration or total control of
the switch

Services
◦ all unused services are disabled.
Configure router passwords and
banners

Complete the task given in the lab sheet