Finding Network Vulnerabilities

Objectives
• Define vulnerabilities
• Name the common categories of vulnerabilities
• Discuss common system and network vulnerabilities
• Locate and access sources of information about emerging vulnerabilities
• Identify the names and functions of the widely available scanning and analysis tools
Firewalls & Network Security, 2nd ed. - Chapter 4
Introduction
• To maintain secure networks, information security professionals must be prepared to identify system vulnerabilities, whether by hiring system assessment experts or by conducting self-assessments using scanning and penetration-testing tools
• A network security vulnerability is a defect in a product, process, or procedure that, if exploited, may result in a violation of security policy, which in turn might lead to loss of revenue, loss of information, or loss of value to the organization
Common Vulnerabilities
Common vulnerabilities fall into two broad classes:
• Defects in software or firmware
• Weaknesses in processes and procedures
Defects in Software or Firmware
• Buffer overruns (or buffer overflows) arise when the quantity of input data exceeds the size of the data area (buffer) set aside for it and the program does not check the bound, so the excess overwrites whatever sits next to the buffer in memory
• Injection attacks can occur when a program does not validate user input and builds a command or query by pasting that input into it, so an attacker can supply input that is interpreted as part of the command rather than as data; when the command is passed to a database, the result is a SQL injection vulnerability
• Network traffic is vulnerable to eavesdropping because the network medium is essentially an open channel: anything sent in cleartext can be read by whoever can reach that channel, so data that matters must be encrypted in transit
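The injection defect in the second bullet, shown beside its fix, as an added example that is not from the textbook. It uses Python's built-in sqlite3 module; the users table, its rows and the attacker's input are constructed for the demonstration.

```python
"""SQL injection: the defect the slide describes, beside the fix.

Added example, not code from the textbook. The users table, the rows in it
and the attacker string are constructed for this demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The defect: untrusted input is pasted into the query text.

    The database cannot tell where the programmer's SQL ends and the
    attacker's begins, so a quote in the input changes the query's logic.
    """
    query = (
        "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str):
    """The fix: a parameterized query.

    The SQL text is fixed; the driver ships the values separately, so input
    is only ever treated as data and is never parsed as part of the statement.
    """
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Classic tautology payload: closes the string literal, adds a condition that
# is always true, and comments out the rest of the WHERE clause (the password
# check), so the vulnerable query returns every row.
PAYLOAD = "alice' OR '1'='1' --"


def demo():
    """Return (rows from the vulnerable login, rows from the safe login)."""
    conn = make_db()
    return login_vulnerable(conn, PAYLOAD, "wrong"), login_safe(conn, PAYLOAD, "wrong")
```

Input validation, which the slide names as the missing control, is a useful second layer, but the structural fix is parameterization: the query text never changes, so the database never has to guess where the attacker's data ends.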
Defects in Software or Firmware (continued)
• How can security professionals remain abreast of all the vulnerabilities?
• First and perhaps foremost, they must know:
– The organization's security policies
– The software and hardware the organization uses (an accurate inventory, including versions, is what turns a vulnerability announcement into a list of affected systems)
• Information security professionals should regularly consult these public disclosure lists:
– Vendor announcements
– Full-disclosure mailing lists
– CVE: the Common Vulnerabilities and Exposures database, http://cve.mitre.org/cve/index.html
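Knowing the organization's software and versions is what makes the disclosure lists actionable. The following added example (not from the textbook) matches a constructed advisory feed against a constructed asset inventory; the products, version ranges and EXAMPLE-* identifiers are invented placeholders for the shape of real CVE or vendor data, and the point is the version comparison, which must be numeric rather than lexical.

```python
"""Turning disclosure lists into a list of affected systems.

Added example, not code from the textbook. The inventory and the advisory
records are constructed (the EXAMPLE-* ids and product names are placeholders
for the shape of real CVE or vendor data); only the matching logic is real.
"""
import operator
import re

INVENTORY = [  # constructed: (host, product, installed version)
    ("web01", "examplehttpd", "2.4.9"),
    ("web02", "examplehttpd", "2.4.12"),
    ("bastion", "examplessh", "7.4p1"),
    ("db01", "exampledb", "10.2"),
]

ADVISORIES = [  # constructed, not real CVE entries
    {"id": "EXAMPLE-0001", "product": "examplehttpd", "affected": ">=2.4.0,<2.4.10", "fixed": "2.4.10"},
    {"id": "EXAMPLE-0002", "product": "examplessh", "affected": "<7.5", "fixed": "7.5"},
    {"id": "EXAMPLE-0003", "product": "exampledb", "affected": ">=11.0,<11.3", "fixed": "11.3"},
]

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq}


def version_key(version):
    """Numeric tuple for comparison: '2.4.10' -> (2, 4, 10), '7.4p1' -> (7, 4, 1).

    Comparing version strings lexically gets this wrong ('2.4.9' > '2.4.10'),
    which is a classic source of both missed and spurious matches.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def affected(version, spec):
    """True if version satisfies every comma-separated clause in spec."""
    key = version_key(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*([\w.]+)", clause.strip())
        if not m:
            raise ValueError(f"bad version clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](key, version_key(bound)):
            return False
    return True


def match(inventory, advisories):
    """Return (host, advisory id, installed version, fixed version) for each hit."""
    hits = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv["product"] == product and affected(version, adv["affected"]):
                hits.append((host, adv["id"], version, adv["fixed"]))
    return hits
```

Distribution packages that backport a fix without changing the upstream version string will still appear as hits here; that is exactly the kind of false positive the Vulnerability Validation slide later on this page is about.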
Vendor Announcements
BugTraq: http://www.securityfocus.com/archive/1/description
Weaknesses in Processes and Procedures
• Just as hazardous as software vulnerabilities
• More difficult to detect and fix because they typically involve the human element
• Often arise when policy is violated or when the processes and procedures that implement policy are inadequate or fail
• To ensure security policy is implemented, organizations should hold regular security awareness training and regularly review policies and their implementation
Scanning and Analysis Tools
• To truly assess risk within a computing environment, technical controls must be deployed using a strategy of defense in depth, and then examined the way an attacker would examine them
• Scanners and analysis tools can find vulnerabilities in systems, holes in security components, and unsecured aspects of the network
• Scanners, sniffers, and other such vulnerability analysis tools are invaluable because they let administrators see what attackers see
Scanning and Analysis Tools (continued)
• Scanning tools are typically used as part of an attack protocol
• An attack protocol is a series of steps or processes used by an attacker, in logical sequence, to launch an attack against a target system or network
• This may begin with the collection of publicly available information about a potential target, a process known as footprinting
• The attacker uses public Internet data sources (DNS, WHOIS registration records, search engines, the organization's own Web site) to identify the network addresses of the organization
Footprinting
• The most important information for footprinting purposes is the IP address range
• Another piece of useful information is the name, phone number, and e-mail address of the technical contact
• This research is augmented by browsing the organization's Web pages, since Web pages usually contain information about internal systems, the individuals who develop the Web pages, and other tidbits that can be used for social engineering attacks
Footprinting (continued)
• To assist in the footprint intelligence collection process, an enhanced Web scanner can be used that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses
• Sam Spade
– http://www.samspade.org/
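An added example, not the textbook's code and not Sam Spade, of the site walk described above: a same-host crawler that records e-mail addresses, host names, developer comments and server software. It runs against a constructed in-memory copy of a hypothetical example.com (the SITE dict) so it needs no network; replacing fetch() with a real HTTP client is the only change needed to run it for real.

```python
"""Footprinting a Web site for names, addresses and hosts.

Added example, not code from the textbook and not Sam Spade. It walks a
constructed in-memory copy of a site (SITE) instead of fetching over the
network; swap fetch() for a real HTTP client to run it against a live host.
"""
import re
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed pages for the hypothetical example.com, with the kinds of leakage
# the slide mentions: staff e-mail, internal host names, a developer comment,
# and server software disclosed by an error page.
SITE = {
    "http://www.example.com/": """
        <html><!-- TODO: ask j.doe before moving to intranet.corp.example.com -->
        <a href="/about.html">About</a> <a href="/contact.html">Contact</a>
        <a href="http://partner.example.org/">Partner</a>
        <img src="http://media.example.com/logo.png"></html>""",
    "http://www.example.com/about.html": """
        <html>Site built by <a href="mailto:webdev@example.com">webdev</a>.
        Data served from db01.example.com.</html>""",
    "http://www.example.com/contact.html": """
        <html>Technical contact: j.doe@example.com, +1 555 0100<br>
        <a href="/about.html">About</a> <a href="/missing.html">Old</a></html>""",
    "http://www.example.com/missing.html": """
        <html><h1>404 Not Found</h1><address>Apache/2.2.3 (CentOS) Server at
        www.example.com Port 80</address></html>""",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+(?:com|org|net)\b", re.IGNORECASE)
HREF_RE = re.compile(r'(?:href|src)="([^"]+)"', re.IGNORECASE)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
SERVER_RE = re.compile(r"\b(?:Apache|nginx|Microsoft-IIS)/[\d.]+(?: \([^)]*\))?")


def fetch(url):
    """Stand-in for an HTTP GET: returns the constructed page body or None."""
    return SITE.get(url)


def footprint(start_url, max_pages=50):
    """Crawl pages on the start host, collecting what an attacker would note."""
    host = urlparse(start_url).netloc
    seen, queue = set(), deque([start_url])
    found = {"emails": set(), "hosts": set(), "comments": [], "software": set()}
    while queue and len(seen) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        found["emails"].update(m.lower() for m in EMAIL_RE.findall(body))
        found["hosts"].update(h.lower() for h in HOST_RE.findall(body))
        found["comments"].extend(c.strip() for c in COMMENT_RE.findall(body))
        found["software"].update(m.group(0) for m in SERVER_RE.finditer(body))
        for link in HREF_RE.findall(body):
            target = urljoin(url, link)
            if target.startswith("mailto:"):
                continue
            # Off-site hosts are recorded but only the target's own site is crawled.
            found["hosts"].add(urlparse(target).netloc.lower())
            if urlparse(target).netloc == host:
                queue.append(target)
    # Bare e-mail domains also match HOST_RE; they are not hosts, so drop them.
    found["hosts"] -= {e.split("@")[1] for e in found["emails"]}
    return found
```

Each host name the crawl turns up (intranet.corp.example.com, db01.example.com, media.example.com) widens the address range the next phase will scan, and the developer comment and contact address are the raw material of a social engineering pretext.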
Fingerprinting
• The next phase of the attack protocol is a data-gathering process called fingerprinting: a systematic survey of all of the target organization's Internet addresses, conducted to identify the network services offered by the hosts in that range
• Fingerprinting reveals useful information about the internal structure and operational nature of the target system or network
• Note that outside this text the term is usually used more narrowly, for identifying an operating system or service version from the way it responds to probes; the survey of an address range for live hosts and services is more often called scanning or enumeration
Port Scanners
• Nmap (http://insecure.org/), the most popular port scanner
• Port scanning utilities (port scanners) are tools used by both attackers and defenders to identify computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information
• The more specific the scanner is, the better and more useful the information it provides, but a generic, broad-based scanner can help locate and identify rogue nodes on the network
Port Scanners (continued)
• A port is a network channel or connection point in a data communications system
• Within TCP/IP, TCP and UDP port numbers differentiate the multiple communication channels used to connect to the network services offered on the same device
• In all, there are 65,536 port numbers (0 through 65535) for TCP and another 65,536 for UDP
• Ports 0 through 1023 are the well-known ports, which on Unix-like systems require privilege to bind; 1024 through 49151 are registered ports assigned to specific applications; the remainder (49152 through 65535 in the IANA scheme, though Linux uses 32768 through 60999 by default) is the dynamic or ephemeral range from which the operating system picks a client's source port for each outgoing connection, so a high-numbered port is not in itself a sign that a service is unimportant, nor that a port seen in traffic is a listening service
Port Scanners (continued)
• Why secure open ports?
• An open port is an open door: it can be used by an attacker to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device
• The general policy statement is to remove from service, or secure, any port not absolutely necessary to conducting business; in practice that means periodically scanning your own address space and comparing the result against the list of services that are supposed to be there
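The following added example (not from the textbook and not Nmap) is a TCP connect scan with banner grabbing, the simplest form of what the slides above describe. It starts a constructed listener on 127.0.0.1 so the scan runs offline, and the banner that listener sends is invented.

```python
"""TCP connect scan with banner grabbing, against a local test listener.

Added example, not code from the textbook and not Nmap. It uses a plain
connect() scan (a full three-way handshake, so it needs no privileges and
is visible in the target's logs). The listener on 127.0.0.1 and the banner
it sends are constructed here so the scan runs offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

BANNER = b"SSH-2.0-Example_Testd_1.0\r\n"  # constructed, not a real product


def start_test_listener(banner=BANNER):
    """Bind an ephemeral port on loopback and send a banner to each client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listener closed: stop the thread
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """Return (port, state, banner); state is 'open' or 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                 # refused, timed out, unreachable
            return port, "closed", b""
        # Many services (SSH, SMTP, FTP) speak first; read whatever they send.
        try:
            banner = s.recv(256)
        except OSError:
            banner = b""
        return port, "open", banner.strip()


def scan(host, ports, workers=32):
    """Probe the given ports in parallel; return {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {port: (state, banner)
                for port, state, banner in pool.map(lambda p: probe(host, p), ports)}


def open_ports(results):
    """Sorted list of the ports that accepted a connection."""
    return sorted(p for p, (state, _) in results.items() if state == "open")


def demo():
    """Start the test listener, scan a window of ports around it, return both."""
    srv, port = start_test_listener()
    try:
        # Most of the window is closed ports, which is what a real scan sees.
        return port, scan("127.0.0.1", range(port - 5, port + 6))
    finally:
        srv.close()
```

A connect() scan completes the handshake, so it needs no raw-socket privileges but every probe shows up in the target's logs; Nmap's default SYN scan stops short of the final ACK for that reason. The banner is what an active vulnerability scanner, discussed later on this page, uses to decide which version of a service is running, and a missing banner on an open port (HTTP, for example, waits for the client to speak first) is the cue to send a protocol-specific request instead.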
Firewall Analysis Tools
• Understanding exactly where the organization's firewall is located and what the existing rule sets do are very important steps for any security administrator
• Several tools automate the remote discovery of firewall rules and assist the administrator (or attacker) in analyzing those rules to determine exactly what they allow and what they reject
– Firewalk: http://packetstormsecurity.org/UNIX/audit/firewalk/ (sends probes whose TTL expires one hop past the firewall, so an ICMP time-exceeded reply from beyond it shows that the port is allowed through)
– hping: http://www.hping.org/ (a command-line packet crafter for building arbitrary TCP, UDP and ICMP probes)
Firewall Analysis Tools (continued)
• Administrators wary of using the same tools attackers use should remember:
– Regardless of the nature of the tool used to validate or analyze a firewall's configuration, it is the intent of the user that dictates how the information gathered will be used
– To defend a computer or network, it is necessary to understand the ways it can be attacked; thus, a tool that can help close up an open or poorly configured firewall helps the network defender minimize risk from attack
Operating System Detection Tools
• Identifying the target computer's operating system is very valuable to the attacker
• Once the operating system (and ideally its version) is known, the attacker can narrow the search to the vulnerabilities to which that system is known to be susceptible instead of trying everything
• Xprobe: http://sourceforge.net/projects/xprobe (active OS fingerprinting, based mainly on the details of how a host answers ICMP probes)
Vulnerability Scanners
• A passive vulnerability scanner listens in on the network and identifies vulnerable versions of both server and client software from the traffic it sees, without sending probes of its own
– NeVO: http://windowsitpro.com/article/articleid/40422/passive-vulnerability-scanning.html
– RNA: http://blog.tenablesecurity.com/2006/07/network_world_r.html
Vulnerability Scanners (continued)
• Active vulnerability scanners scan networks for highly detailed information by initiating network traffic in order to identify security holes
– These scanners identify exposed usernames and groups, show open network shares, and expose configuration problems and other vulnerabilities in servers
– GFI LANguard: http://www.gfi.com/lannetscan/
– SPIKE: http://www.darknet.org.uk/2006/08/spikesource-spike-phpsecurity-audit-tool/
– SPIKE Proxy: http://www.immunitysec.com/
– Nessus: http://www.nessus.org/nessus/
Vulnerability Validation
• Often, an organization requires proof that a system is actually vulnerable to certain attacks
• It may require such proof to avoid having system administrators attempt to repair systems that are not broken (a scanner's version-based finding can be a false positive, for example where a fix was backported without changing the version string), or because the administrators have not yet built a satisfactory relationship with the vulnerability assessment team
• A class of tools (exploitation frameworks) exists that exploit the remote machine and allow the vulnerability analyst (penetration tester) to create accounts, modify Web pages, or view data, which proves the finding beyond argument
Packet Sniffers
• Wireshark: http://www.wireshark.org/news/20060607.html
• A network tool that collects copies of packets from the network and analyzes them
• Sometimes called a network protocol analyzer
• Can provide the network administrator with valuable information for diagnosing and resolving networking issues
• In the wrong hands, a sniffer can be used to eavesdrop on network traffic
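An added example, not from the textbook and not Wireshark, NeVO or RNA, that covers this section together with the passive vulnerability scanner and operating system detection sections above: a minimal parser for the classic pcap capture format, followed by the passive analysis of the decoded frames (an OS guess from the IP TTL, a match of service banners against a vulnerable-version table, and detection of cleartext logins). The capture, the product names and versions, and the "vulnerable" table are all constructed for the demonstration.

```python
"""Reading captured traffic offline: a minimal pcap parser plus the passive
analysis the slides describe (OS guess from the IP TTL, vulnerable-version
match from service banners, cleartext credentials on the wire).

Added example; not code from the textbook, Wireshark, NeVO or RNA. The
capture is constructed in memory by sample_capture(), and the products,
versions and "vulnerable" entries are invented for the demonstration.
"""
import struct

# Constructed "known vulnerable" (product, version) pairs; a real tool would
# load these from vendor advisories or the CVE database.
VULNERABLE = {("SSH-2.0-ExampleSSH", "3.1"), ("ExampleHTTPd", "1.9")}


def ipv4_tcp_frame(src, dst, sport, dport, ttl, payload):
    """Build an Ethernet+IPv4+TCP frame; checksums are left zero (we only parse)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     ttl, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_capture(frames):
    """Wrap frames in a classic pcap file: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, ttl, payload) for each TCP-over-IPv4 frame."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"             # byte order of the record headers
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ttl, proto = frame[22], frame[23]
        if proto != 6:
            continue                                       # not TCP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        doff = (frame[tcp + 12] >> 4) * 4
        yield src, dst, sport, dport, ttl, frame[tcp + doff:]


def guess_os(ttl):
    """Observed TTL = initial TTL minus hops, so round up to the nearest common
    initial value (64 Unix-like, 128 Windows, 255 network gear). A guess only."""
    for initial, name in ((64, "Linux/Unix/macOS"), (128, "Windows"), (255, "network device")):
        if ttl <= initial:
            return name
    return "unknown"


def banner_version(text):
    """(product, version) from an SSH identification string or HTTP Server header."""
    lines = text.splitlines()
    if lines and lines[0].startswith("SSH-2.0-"):
        product, _, version = lines[0].rpartition("_")
        return product, version
    for line in lines:
        if line.startswith("Server: "):
            product, _, version = line[8:].partition("/")
            return product, version
    return None


def analyze(capture):
    """Per source host: OS guess, banners seen, vulnerable versions, leaked logins."""
    hosts = {}
    for src, dst, sport, dport, ttl, payload in parse_pcap(capture):
        h = hosts.setdefault(src, {"os": None, "banners": [], "vulnerable": [], "leaked": []})
        h["os"] = guess_os(ttl)
        text = payload.decode("ascii", "replace")
        found = banner_version(text)
        if found:
            h["banners"].append(found)
            if found in VULNERABLE:
                h["vulnerable"].append(found)
        for line in text.splitlines():                     # FTP/POP3-style cleartext logins
            if line.startswith(("USER ", "PASS ")):
                h["leaked"].append(f"{line.strip()} -> {dst}:{dport}")
    return hosts


def sample_capture():
    """Constructed four-frame capture: an SSH banner, an HTTP reply, an FTP login."""
    return build_capture([
        ipv4_tcp_frame("10.0.0.5", "10.0.0.9", 22, 51000, 64, b"SSH-2.0-ExampleSSH_3.1\r\n"),
        ipv4_tcp_frame("10.0.0.7", "10.0.0.9", 80, 51001, 117,
                       b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.0\r\n\r\n"),
        ipv4_tcp_frame("10.0.0.9", "10.0.0.8", 51002, 21, 63, b"USER bob\r\n"),
        ipv4_tcp_frame("10.0.0.9", "10.0.0.8", 51002, 21, 63, b"PASS hunter2\r\n"),
    ])
```

The TTL heuristic is the cheapest form of OS fingerprinting and only a guess: a host can set its initial TTL to anything, and a path of more than 64 hops would push a Unix host into the Windows bucket. Tools such as p0f refine it with the TCP window size and option ordering; Xprobe, listed above, takes the active approach and sends probes of its own. The FTP login in the sample is the eavesdropping case from the Defects slide: nothing about the capture was clever, the protocol simply put the password on the wire in the clear.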
Wireless Security Tools
• NetStumbler: http://www.netstumbler.org/
• A wireless connection, while convenient, has many potential security holes
• The security professional must assess the risk of wireless networks
• A wireless security toolkit should include the ability to sniff wireless traffic, scan for wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network
Penetration Testing
• A penetration test involves using all the techniques and tools available to an attacker in order to attempt to compromise or penetrate an organization's defenses
• Penetration testing can be performed by an internal group (a so-called "red team") or outsourced to an external organization
• One variable of the penetration test, whether performed internally or outsourced, is the amount of information provided to the red team
Penetration Testing (continued)
• Three categories of testing:
– Black box: the red team is given no information whatsoever about the organization and approaches it as an external attacker would
– Gray box: the red team is given some general information about the organization, such as its general structure, network address ranges, and software and versions
– White box: the red team has full information on the organization and its structure
Chapter Summary
• To maintain secure networks, information security professionals must be prepared to systematically identify system vulnerabilities
• This is often done by performing a self-assessment using scanning and penetration-testing tools
• Common vulnerabilities fall into two classes:
– Defects in software or firmware
– Weaknesses in processes and procedures
Chapter Summary (continued)
• Information security professionals should regularly consult vendor announcements, full-disclosure mailing lists, and the Common Vulnerabilities and Exposures (CVE) database
• To assess risk within a computing environment, network professionals must use tools such as intrusion detection and prevention systems (IDPS), active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers (sniffers)
Chapter Summary (continued)
• Many organizations use a penetration test to assess their security posture on a regular basis
• The penetration test team (red team) uses all the techniques and tools available to attackers in order to attempt to compromise or penetrate an organization's defenses