Hands-On Ethical Hacking and Network Security


Hands-On Ethical Hacking and Network Defense
Chapter 13
Protecting Networks with Security Devices
Objectives
• Describe network security devices
• Describe firewall technology
• Describe intrusion detection systems
• Describe honeypots
Hands-On Ethical Hacking and Network Defense
2
Understanding Network Security Devices
• Network security devices
  • Routers
  • Firewalls
  • Intrusion detection systems
  • Honeypots
Understanding Routers
• Routers are hardware devices used on a network to send packets to different network segments
• Operate at the network layer of the OSI model
• Routing protocols used by routers
  • Link-state routing protocol
    • Router advertises link-state to identify network topology and any changes on paths
  • Distance-vector routing protocol
    • Router passes its routing table to all routers participating on the network
Understanding Basic Hardware Routers
• Cisco routers are widely used in the networking community
  • More than one million Cisco 2500 series routers are currently being used by companies around the world
• Vulnerabilities exist in Cisco as they do in any operating system
  • Security professionals must consider these vulnerabilities when conducting a security test
Cisco Router Components
• A Cisco router uses the Cisco Internetwork Operating System (IOS) to function
• Components
  • Random access memory (RAM)
    • Holds the router’s running configuration, routing tables, and buffers
    • If you turn off the router, the contents stored in RAM are wiped out
  • Nonvolatile RAM (NVRAM)
    • Holds the router’s configuration file, but the information is not lost if the router is turned off
Cisco Router Components (continued)
• Components (continued)
  • Flash memory
    • Holds the IOS the router is using
    • Is rewritable memory, so you can upgrade the IOS
  • Read-only memory (ROM)
    • Contains a minimal version of the IOS used to boot the router if flash memory gets corrupted
  • Interfaces
    • Hardware connectivity points
    • Example: an Ethernet port is an interface that connects to a LAN
Cisco Router Configuration
• Configuration modes:
  • User mode
    • Administrator can perform basic troubleshooting tests and list information stored on the router
    • The Router-name> prompt indicates that you are in user mode
  • Privileged mode
    • Administrator can perform full router configuration tasks
    • The Router-name# prompt indicates that you are in privileged mode
• By default, you are in user mode
Cisco Router Configuration (continued)
• Once in privileged mode, you can change to two more configuration modes
  • Global configuration mode
    • Administrator can configure router settings that affect overall router operation
    • To use this mode, you enter the command config t at the Router-name# prompt
    • The Router-name(config)# prompt tells the user she is in global configuration mode
Cisco Router Configuration (continued)
• Once in privileged mode, you can change to two more configuration modes (continued)
  • Interface configuration mode
    • Administrator can configure an interface on the router
    • To use this mode, you enter global configuration mode first
    • Next, you enter the command for interface configuration mode and the interface name you want to configure
    • The Router-name(config-if)# prompt indicates you are in interface configuration mode
Understanding Access Control Lists
• There are several types of access control lists
  • We will focus on IP access lists
• IP access lists
  • Lists of IP addresses, subnets, or networks that are allowed or denied access through a router’s interface
• Two different types of access lists on a Cisco router
  • Standard IP access lists
  • Extended IP access lists
Standard IP Access Lists
• Can restrict IP traffic entering or leaving a router’s interface based on source IP address
• The syntax of a standard access list is as follows:
access-list [list #] [permit|deny] [source address] [source wildcard mask]
  • [list #] is a number in the range of 1 to 99
  • [permit|deny] are keywords to permit or deny traffic
  • [source address] specifies the IP address of the source host
  • [source wildcard mask] signifies which bits of the source address are significant
Standard IP Access Lists (continued)
• Example:
access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any
• A wildcard mask is similar to a subnet mask
  • Example: access-list 1 deny 10.10.1.112 0.0.0.0
  • The 0s used after the IP address signify that every octet in the IP address must match the IP address being filtered
• Another example:
access-list 1 deny 192.168.10.0 0.0.0.255
access-list 1 permit any
Standard IP Access Lists (continued)
• Cisco allows a shortcut for the mask 0.0.0.0
access-list 1 deny host 192.168.10.112
• Access lists always end with an implicit deny rule
  • To avoid this, you must add the “permit any” statement
access-list 1 deny host 192.168.10.112
access-list 1 permit any
• Steps for applying the access list to an interface
  • Enter global configuration mode
  • Create the access list
  • Enter interface configuration mode
  • Use the ip access-group command
Standard IP Access Lists (continued)
• Example
Router> en
Password ******
Router# config t
Router(config)# access-list 1 deny 172.16.5.0 0.0.0.255
Router(config)# access-list 1 permit any
Router(config)# int e0
Router(config-if)# ip access-group 1 out
Router(config-if)# Ctrl+z [to save and exit global configuration mode]
Router#
Extended IP Access Lists
• Allow packet filtering based on
  • Source IP address
  • Destination IP address
  • Protocol type
  • Application port number
• Syntax for extended IP access lists
access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [destination IP address] [destination wildcard mask] [operator] [port] [log]
  • [list #] is a number in the range of 100 to 199
  • [permit|deny] are keywords to permit or deny traffic
Extended IP Access Lists (continued)
• Syntax for extended IP access lists (continued)
  • [protocol] can be IP, TCP, UDP, ICMP, and so on
  • [source IP address] is the IP address of the source
  • [source wildcard mask] determines significant bits of the source IP address
  • [destination IP address] is the IP address of the destination
  • [destination wildcard mask] determines significant bits of the destination IP address
  • [operator] can be lt, gt, eq, or neq
Extended IP Access Lists (continued)
• Syntax for extended IP access lists (continued)
  • [port] is the port number of the protocol to be filtered
  • [log] logs all activity of the access list for the administrator
• Example:
access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100 eq www
Extended IP Access Lists (continued)
• Applying an access list to an interface (an extended list’s permit entry must name a protocol and a destination, so the final entry is permit ip any any)
Router> en
Password ******
Router# config t
Router(config)# access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100
Router(config)# access-list 100 permit ip any any
Router(config)# int e0
Router(config-if)# ip access-group 100 in
Router(config-if)# Ctrl+z
Router#
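To make the matching rules of both the standard and the extended access lists above concrete, here is an added example (not from the book or from Cisco) that evaluates a packet against access-list entries written in the syntax shown: Cisco wildcard-mask semantics, the host and any shortcuts, the eq/neq/lt/gt port operators, first-match-wins ordering, and the implicit deny at the end of every list. The Packet class, the small PORTS name table and the evaluate function are this example’s own constructs.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"      # ip, tcp, udp or icmp
    dport: int = 0         # destination port for tcp/udp

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}  # constructed subset
OPS = {"eq": int.__eq__, "neq": int.__ne__, "lt": int.__lt__, "gt": int.__gt__}

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":            # shortcut for wildcard 0.0.0.0
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_ace(line):
    """Parse one access-list entry; list numbers 1-99 are standard, 100-199 extended."""
    tokens = line.split()
    num, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if num <= 99:              # standard list: source address only
        return {"action": action, "src": parse_addr(rest)}
    ace = {"action": action, "proto": rest.pop(0),
           "src": parse_addr(rest), "dst": parse_addr(rest), "port": None}
    if rest and rest[0] in OPS:
        op, port = rest.pop(0), rest.pop(0)
        ace["port"] = (op, PORTS.get(port) or int(port))
    return ace

def evaluate(acl_lines, pkt):
    """First matching entry wins; with no match the implicit deny applies."""
    for ace in map(parse_ace, acl_lines):
        if not wildcard_match(pkt.src, *ace["src"]):
            continue
        if "dst" in ace:       # extended list: also check protocol, destination, port
            if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
                continue
            if not wildcard_match(pkt.dst, *ace["dst"]):
                continue
            if ace["port"] and not OPS[ace["port"][0]](pkt.dport, ace["port"][1]):
                continue
        return ace["action"]
    return "deny"   # every Cisco access list ends with an implicit deny
```

Running the book’s lists through evaluate shows why the trailing permit entry matters: a list consisting only of a deny statement denies every packet, including those it was never meant to filter.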
Understanding Firewalls
• Firewalls are hardware devices or software installed on a system and have two purposes
  • Controlling access to all traffic that enters an internal network
  • Controlling all traffic that leaves an internal network
• Advantages of hardware firewalls
  • They are usually faster than software firewalls
  • They can handle a larger throughput than software firewalls
Understanding Firewalls (continued)
• Disadvantage of hardware firewalls
  • You are locked into the firewall’s hardware
• Advantage of software firewalls
  • You can easily add NICs to the server running the firewall software
• Disadvantage of software firewalls
  • You might have to worry about configuration problems
  • They rely on the OS on which they are running
Understanding Firewall Technology
• Firewall technologies
  • Network address translation (NAT)
  • Access control lists
  • Packet filtering
  • Stateful packet inspection (SPI)
Network Address Translation (NAT)
• The most basic security feature of a firewall
• With NAT, internal private IP addresses are mapped to public external IP addresses
  • Hiding the internal infrastructure
• Port Address Translation (PAT)
  • Technology derived from NAT
  • This allows thousands of internal IP addresses to be mapped to one external IP address
Access Control Lists
• Access lists are used to filter traffic based on source IP address, destination IP address, and ports or services
• Firewalls also use this technology
• Creating access control lists in a firewall is a similar process to creating them in a router
Packet Filtering
• Packet filters screen packets based on information contained in the packet header
  • Protocol type
  • IP address
  • TCP/UDP port
Stateful Packet Inspection (SPI)
• Stateful packet filters record session-specific information about a network connection
  • Create a state table
  • Can help reduce port scans that rely on spoofing or sending packets after a three-way handshake
• Stateful packet filters recognize types of anomalies that most routers ignore
• Stateless packet filters handle each packet on an individual basis
  • Spoofing or DoS attacks are more prevalent
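The difference between the two filter types is easiest to see in code. This added example (not from the book or any vendor) places a minimal stateless filter beside a stateful one that keeps a TCP state table keyed by the inside host and port; the Segment class, the constructed 10.0.0.0/24 “inside” prefix and the state names are this example’s own assumptions. The stateless filter admits any inbound segment carrying ACK, so an unsolicited ACK with no session behind it passes; the stateful filter only admits packets that advance or belong to a handshake the inside host started.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # any subset of {"SYN", "ACK", "FIN", "RST"}

INSIDE = "10.0.0."     # constructed: addresses with this prefix are the internal network

def is_inside(ip):
    return ip.startswith(INSIDE)

def stateless_filter(seg):
    """Stateless rule: judge every packet alone. Inbound traffic carrying ACK is
    assumed to belong to a session the inside started, so a crafted bare ACK passes."""
    if is_inside(seg.src):
        return "permit"
    return "permit" if "ACK" in seg.flags else "deny"

class StatefulFilter:
    """State table keyed by the inside host/port and outside host/port of a connection."""
    def __init__(self):
        self.table = {}  # key -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"

    def filter(self, seg):
        if is_inside(seg.src):                       # outbound packet
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.flags == {"SYN"}:                 # step 1 of the handshake
                self.table[key] = "SYN_SENT"
                return "permit"
            state = self.table.get(key)
            if state is None:
                return "deny"                        # no session: nothing to belong to
            if state == "SYN_RECEIVED" and "ACK" in seg.flags:
                self.table[key] = "ESTABLISHED"      # step 3 completes the handshake
            if "RST" in seg.flags:
                del self.table[key]
            return "permit"
        key = (seg.dst, seg.dport, seg.src, seg.sport)   # inbound: look up by inside end
        state = self.table.get(key)
        if state == "SYN_SENT" and {"SYN", "ACK"} <= seg.flags:
            self.table[key] = "SYN_RECEIVED"         # step 2 of the handshake
            return "permit"
        if state == "ESTABLISHED":
            if "RST" in seg.flags:
                del self.table[key]
            return "permit"
        return "deny"   # unsolicited or out-of-order packet: no state entry, dropped
```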
Implementing a Firewall
• Placing a firewall between a company’s internal network and the Internet is dangerous
  • It leaves the company open to attack if a hacker compromises the firewall
• Use a demilitarized zone instead
Demilitarized Zone (DMZ)
• DMZ is a small network containing resources available to Internet users
  • Helps maintain security on the company’s internal network
• Sits between the Internet and the internal network
  • It is sometimes referred to as a “perimeter network”
Understanding the Private Internet Exchange (PIX) Firewall
• Cisco PIX firewall
  • One of the most popular firewalls on the market
Configuration of the PIX Firewall
• Working with a PIX firewall is similar to working with any other Cisco router
• Login prompt
If you are not authorized to be in this XYZ Hawaii network device,
log out immediately!
User Access Verification
Password:
  • This banner serves a legal purpose
• General prompt example:
Type help or '?' for a list of available commands.
xyz>
Configuration of the PIX Firewall (continued)
• You should enter privileged mode to configure the PIX firewall
• To enter configuration mode in PIX, you use the same command as on a Cisco router
xyz# configure terminal
xyz(config)# ?
• Nameif is a PIX command to name an interface
  • PIX allows the administrator to assign values to an interface that designate its security level
  • Values can be from 0 to 100
Configuration of the PIX Firewall (continued)
• Access lists
  • PIX enables an administrator to use descriptive names for the access list instead of numbers
  • PIX also uses the implicit deny rule
Understanding Microsoft ISA
• Microsoft’s software approach to firewalls
  • Microsoft Internet Security and Acceleration (ISA) Server
  • Functions as a software router, firewall, and IDS
• ISA has the same functionality as any hardware router
  • Packet filtering to control incoming traffic
  • Application filtering through the examination of protocols
  • Intrusion detection filters
  • Access policies to control outgoing traffic
IP Packet Filters
• ISA enables administrators to filter IP traffic based on the following:
  • Source and destination IP address
  • Network protocol, such as HTTP
  • Source port or destination port
• ISA provides a GUI for these configurations
  • A network segment can be denied or allowed HTTP access in the Remote Computer tab
Application Filters
• Can accept or deny data from specific applications or data containing specific content
• SMTP filter can restrict
  • E-mail with specific attachments
  • E-mail from a specific user or domain
  • E-mail containing specific keywords
  • SMTP commands
• SMTP Filter Properties dialog box
  • Administrator can filter a specific e-mail attachment based on a rule he or she configures
Application Filters (continued)
• Users/Domains tab in the SMTP Filter Properties dialog box
  • Administrator can filter e-mail messages sent from a user or from specific domains
• As a security professional, you might be asked to restrict e-mails containing certain keywords
• SMTP Commands tab
  • Administrator can prevent a user from running SMTP commands
Intrusion Detection Filters
• Analyze all traffic for possible known intrusions
  • DNS intrusion detection filter
  • POP intrusion detection filter
  • FTP Access filter
  • H.323 filter
  • HTTP Redirector filter
  • RPC filter
  • SMTP filter
  • SOCKSV4 filter
  • Streaming Media filter
Access Policies
• Allow administrators to control outgoing traffic
• An access policy consists of the following
  • Policy rules
  • Site and content rules
  • IP filter rules
Understanding Intrusion Detection Systems (IDSs)
• Monitor network devices so that security administrators can identify attacks in progress and stop them
• An IDS looks at the traffic and compares it with known exploits
  • Similar to antivirus software using a signature file to identify viruses
• Types
  • Network-based IDSs
  • Host-based IDSs
Network-Based and Host-Based IDSs
• Network-based IDSs
  • Monitor activity on network segments
  • They sniff traffic and alert a security administrator when something suspicious occurs
• Host-based IDSs
  • Used to protect a critical network server or database server
  • The software is installed on the server you’re attempting to protect
Network-Based and Host-Based IDSs (continued)
• IDSs are categorized by how they react when they detect suspicious behavior
  • Passive systems
    • Send out an alert and log the activity
  • Active systems
    • Log events and send out alerts
    • Can also interoperate with routers and firewalls
Understanding Honeypots
• Honeypot
  • Computer placed on the perimeter of a network
  • Contains information intended to lure and then trap hackers
  • Computer is configured to have vulnerabilities
• Goal
  • Keep hackers connected long enough so they can be traced back
How They Work
• A honeypot appears to have important data or sensitive information stored on it
  • Could store fake financial data that tempts hackers to attempt browsing through the data
• Hackers will spend time attacking the honeypot
  • And stop looking for real vulnerabilities in the company’s network
• Honeypots also enable security professionals to collect data on attackers
• Honeypots are available commercially and through open-source avenues
How They Work (continued)
• Virtual honeypots
  • Honeypots created using software solutions instead of hardware devices
  • Example: Honeyd
Summary
• Security devices
  • Routers
  • Firewalls
  • IDSs
• Routers use access lists to accept or deny traffic through their interfaces
• Firewalls can be hardware devices or software installed on computer systems
• Firewalls use NAT, IP filtering, and access control lists to filter incoming and outgoing network traffic
Summary (continued)
• Firewall examples
  • Cisco PIX (hardware)
  • Microsoft ISA (software)
• Stateful packet filters vs. stateless packet filters
• PGP is a free public key encryption program to encrypt e-mail messages
• Demilitarized zones (DMZs)
  • Add a layer of defense between the Internet and a company’s internal network
Summary (continued)
• Intrusion detection systems (IDSs)
  • Network-based IDSs
  • Host-based IDSs
  • Passive IDSs vs. active IDSs
• Honeypots