Transcript Chapter 4 - Security Your Network

Slides copyright 2010
by Paladin Group, LLC
used with permission by
UMBC Training Centers, LLC
Security+
Chapter 4 – Securing Your Network
Brian E. Brzezicki
Intrusion Detection Systems
No… the other kind
Intrusion Detection Systems (192)
IDS are a tool in a layered security model. The
purpose of an IDS is to
• identify suspicious activity
• log activity
• Respond (alert people)
IDS vs. Firewall (191)
How are they similar?
How are they different?
IDS vs. Anti-Virus (192)
How are they similar?
How are they different?
IDS Components (n/b)
Both type of IDS have several components that make up
the product
• Sensor – Data Collector
– On network segments (NIDS)
– Or on Hosts (HIDS)
• Analysis Engine – Analyzes data collected by the
sensor, determines if there is suspicious activity
• Signature Database – Used by the AE, defines
signatures of previously known attacks
• User Interface and Reporting – the way the system
interacts with users
(visualization next)
IDS Components (general)
HIDS (193)
Hosts Based Intrusion Detection Systems – Examine the operation of
a SINGLE system independently to determine of anything “of
note” is going on.
Some things a HIDS will looks at
• Logins
• System or Application Log files / audit files
• Changes to software or configuration files
• Processes being launched or stopped
• Use of certain programs
• CPU usage
• Network Traffic to/from Computer
HIDS Pros and Cons (193)
Advantages
• Can be operating system and application specific – might
understand the latest attack against a certain service on a
host (example, web server)
• They can look at data after it’s been decrypted (network
traffic is often encrypted)
Disadvantages
• must be loaded on every machine you want to protect /
scalability
• Use local system resources (CPU/memory)
• They don’t see what’s going on other machines
• The HIDS could be disabled if machine is hacked
Network Based IDS (194)
A concept focused on watching an entire network and all
associated machines. Focuses specifically on network traffic, in
this case the “sensor” is sometimes called a “traffic collector”
• Looks at
• SRC IP
• DEST IP
• Protocol (TCP, UDP, ICMP etc)
• Port Numbers
• Data Content
(more)
Network Based IDS (194)
A NIDS system will often look for
• DoS Attacks
• Ping Scans
• Port Scans
• Malicious content
• Vulnerability tests
• Tunneling
• Brute Force Attacks
(more)
NIDS Pros
Advantages
• A single NIDS sensor can cover a whole network.
• Deployment is usually easier
• A NIDS can see things that are happening on
multiple machine, it gets a bigger picture and may
see distributed attacks that a HIDS would miss
NIDS Cons
Disadvantages
• Data must be UNENCRYPTED for a NIDS to analyze. So
many protocols are now encrypted, it’s hard for the
NIDS to see what’s going on.
• Switches cause problems for NIDS. Why? How do we
fix this?
• If only on the perimeter, it can miss things on the
inside.
• It must be able to handle LOTS of data to be effective!
(should be able to handle wire speed+)
• It doesn’t see what’s going on a server directly
IDS Detection Methods
Signature Based IDS (195)
Most network attacks have distinct “signatures” that is data
that is passed between attacker and victim (like the line
“/bin/sh”). A Signature Based NIDS has a database of
known attack signatures, and compares network traffic
against this database.
• Pay for a signature subscription from vendor
• Keep signatures updated
• Does not protect against 0day attacks!
(more)
Example Snort Signature
alert tcp any any -> 192.168.1.14/32 80 (content:
"cgi-bin/phf"; msg: "CGI-PHF attack";)
Send an alert with the message “CGI-PHF attack”, if
the packet is a
• TCP packet coming from anywhere, any port
• To the IP 192.168.1.14 port 80
• And the content contains the string “cgi-bin/phf”
Anomaly based IDS (196)
Example. You have a 15 year old son. Everyday he
normally comes home at 3:30 does his homework
watches TV. All of a sudden he starts “hanging out
at school” till 5PM, comes home, does homework,
then disappears into his room and talks on the
phone till 9:30PM
(more)
Anomaly (196)
Anomaly based system, look for changes in “normal”
behavior. To do this generally you let a anomaly
based system learn what normal behavior is over a
few days or weeks, creating a baseline. The anomaly
based system will then look for traffic types and
volume that is outside of the normal behavior.
(more)
Anomaly (196)
Advantages
• Can possibly detect 0days
• Can detect behavioral changes that might not be
technical attacks (like employees preparing to commit
fraud)
Disadvantages
• Lots of false positives
• Often ignored due to reason above
• Requires a much more skilled analyst
• Do not detect predefined attacks
IDS vs. IPS (198-199)
IDS systems are PASSIVE. They only warn you of a
possible event. A modification of this idea is an
ACTIVE IDS, which is called an IPS.
IPS are IDS but try to respond and stop an attack.
• How can they do this?
• Disadvantages of this behavior?
Honey Pot (200)
Honey Pot (200)
A “sandbox” where hackers can be contained and
observed without putting real systems at risk.
• Put up to lure an attacker to attack this “sacrificial
system” rather than a real system.
• Learn where the attacker is coming from
• Learn what techniques and exploits they are using.
• Try to catch them
(more)
Problems with Honey Pots (200)
• Takes time and resources to run and maintain
• If you DON’T watch over it, can be used to launch
attacks against a real system!
• Money is often better spent preventing attackers
unless your motivation is research.
Honey Net (200)
Simply multiple honey pots.
Remote Access
Dial Up (203)
Often companies used to have modems for remote
dial up access. If you knew the modems phone
number you could dial up and access computing
resources. This lead to War dialing (next)
War Dialing
Would you like to play a game… NO!
War dialing (n/b)
Countermeasures
• Require authentication
• Require caller id verification
– Problems - spoof able
• Call backs
– Problems - Call forwarding
VPN
VPN (204)
Virtual Private Network – Generic term for building a secure
“virtual” network over a normal network (such as the
Internet)
• Can simply encrypt traffic between two points
• Can actually “tunnel” one type of network traffic over
another Network type
• Can encrypt tunneled data
• Can provide authentication of data endpoints
• Often used for remote access for users
• Often used to tie organizations remote offices together
Tunneling
Tunneling
Encapsulating a network protocol within another
network protocol. (like an envelope within an
envelope)
Tunnels can be encrypted or in the clear
Transport
In Transport layer VPNs, a network protocol is not
encapsulated within another network protocol,
however the “data” in encrypted.
Transport vs. Tunnel
VPN protocols
• PPTP
–
–
–
–
Microsoft tunneling protocol
Can encrypt
Uses TCP / 1723
Uses RC4 encryption with 40 or 128 key
• L2TP
– Cisco Protocol
– No encryption by itself can be used with IPSec
– Uses UDP / 1701
• IPSec
–
–
–
–
IP standard
Encryption (ESP) protocol 50
Authentication (AH) protocol 51
Require TCP port 500 for SA and key agreement
IP SEC SA
From Cisco:
The concept of a security association (SA) is fundamental to IPSec. An
SA is a relationship between two or more entities that describes
how the entities will use security services to communicate
securely. IPSec provides many options for performing network
encryption and authentication. Each IPSec connection can provide
encryption, integrity, authenticity, or all three. When the security
service is determined, the two IPSec peers must determine exactly
which algorithms to use (for example, DES or 3DES for encryption,
MD5 or SHA for integrity). After deciding on the algorithms, the
two devices must share session keys. As you can see, there is quite
a bit of information to manage. The security association is the
method that IPSec uses to track all the particulars concerning a
given IPSec communication session
(more)
IP Sec SA (262)
• Unidirectional, need two for bi-directional
communication
• SAs are identified by an SPI (Security Parameter
Index )
Network Access Control
Network Access Control (208)
Users and end user devices are the weak link in your
infrastructure. You spend lots of time and money
securing your network and servers. But having
uncontrolled computers on the network provides
an avenue for attackers to easily bypass firewalls
and network defenses and compromise your
network. Compromised computers can directly
attack servers, steal network credentials and
perform other nefarious activities.
Network Access Control (208)
Just like normal access control network access
control requires
• Authentication
• Authorization (Remote access polices)
Furthermore NAC can query computers (like
workstations and laptops) for their compliance to
corporate security policies and baselines and
provide or restrict access based on the findings.
Wireless Networking
Look No Wires!
Wireless
Attempt at communication using non-physical links.
Examples
• Radio Waves
• Light Pulses
Often used for networking, but can be used simply
to eliminate wires for device to device
communication.
802.11 (211)
Wireless LAN protocols are defined by the 802.11
series of standards.
•
•
•
•
802.11a 54Mbs 5Ghz
802.11b 11Mbs 2.4 Ghz
802.11g 54Mbs 2.4 Ghz
802.11n 600Mbs 2.4 and 5Ghz
Wireless Problems
Easy to get access to airwaves, hard to restrict!
• Eavesdrop on communication
• Internal Access to organizations networks
How do we solve this problem?
Wireless Security (212 – 216)
In the next couple slides we will talk about the
different attempts to secure wireless
• WEP
• WPA-PSK, WPA-Enterprise
• WPA2-PSK, WPA2-Enterprise
Wireless Security (212 – 216)
WEP
– Shared passwords (why is this bad?)
– 64/40 or 128/104 bit key
– Uses RC4
– Easily crack able (due to key reuse)
– Only option for 802.11b
(more)
Wireless Security (212-216)
• WPA PSK
– Shared password
– Uses TKIP normally
• 104 bit RC4 with changing keys
– Can use AES (not certified)
• 256 bit key
• WPA2 PSK
– Uses AES (normally)
• 256 bit key
– Can use TKIP
• RC4 with changing keys
(more)
Wireless Security (212-216)
• WPA or WPA2 in Enterprise Mode
– Uses 802.1X authentication to have individual
passwords for individual users
– RADIUS
• 802.11i – the official IEEE wireless security spec,
officially supports WPA2
Other Wireless Security Steps (216)
• Change Default AP Password
• Change Default SSID
– Why bother?
• Disable SSID Broadcasting
– Why doesn’t this work?
• Enable MAC filtering
– Why doesn’t this work either?
Attacks Against Wireless
Networks
War Driving (218)
Driving around looking for open wireless networks
• Uses tools like NetStumbler or Kismit or hardware
wireless detectors
NetStumbler (218)
War chalking
Wireless Cracking
Tools like aircrack, and airsnort (deprecated) as well
as modern versions such as aircrack-ng
WEP – can be cracked in a few minutes
WPA-PSK and WPA2-PSK are susceptible to brute
force password attacks if passwords are weak
WPA enterprise and WPA2 enterprise are not
currently susceptible
Man in the Middle / Air snarfing / Rogue
Access Points
Put up a fake access point get people to connect
with you.
Bluetooth (220)
Bluetooth (220)
• What is Bluetooth
• What is the purpose of Bluetooth, is it
networking?
• Bluetooth Modes
– Discovery Mode
– Automatic Pairing
Bluetooth Attacks (221)
• Bluejacking
– Sending forged message to nearby bluetooth devices
– Need to be close
• Bluesnarfing
– Copies information off of remote devices
• Bluebugging
–
–
–
–
More serious
Allows full use of phone
Allows one to make calls
Can eavesdrop on calls
Bluetooth Countermeasures (221)
• Disable it if your not using it
• Disable auto-discovery
• Disable auto-pairing
WAP
WAP (n/b)
Wireless Application Protocol – a protocol developed
mainly to allow wireless devices (cell phones) access
to the Internet.
• Requires a Gateway to translate WAP <-> HTML (see
visual)
• Uses WTLS to encrypt data (modified version of TLS)
• Uses HMAC for message authentication
• WAP GAP problem (see visual and explain)
• A lot of wireless devices don’t need WAP anymore…
why?
WAP (n/b)
WAP GAP (n/b)
As the gateway decrypts from WTLS and encrypts as
SSL/TLS, the data is plaintext. If someone could
access the gateway, they could capture the
communications