Transcript Session 19

Raval • Fichadia
John Wiley & Sons, Inc. 2007
Network Security
Chapter Eleven
Prepared by: Raval, Fichadia
Chapter Eleven Objectives

Learn the basic concepts of networks and associated
terminology.

Understand the risks that impact networks and the
controls to mitigate them.

Gain the skills to assess the security posture of a
network and make management recommendations.

Apply security principles and best practices to a
network.
The Big Picture
Elements of a network.
Some risks that impact
networks.
Network primer
Networks: A series of interconnected nodes that can
communicate with each other.

Networks allow computers to talk to each other for
functionality (e-mails, B2B), sharing work load (client-server), and for specialization (printers print).

Communication occurs via agreed-upon protocols such
as TCP/IP, SNA, etc.

The Internet is THE network – interconnecting millions of
computers. Internal company networks are often called
Intranets.
Network primer
Networks: OSI model defines the conceptual framework for
putting together a network.

Open Systems Interconnection (OSI) proposes a network
stack with seven layers.

The layers are: application, presentation, session,
transport, network, data link, and physical.

Layers are numbered in descending order – i.e., the application
layer is layer 7 and the physical layer is layer 1.

Each layer performs a specific task and is independent of
the others.
Network primer
Networks: Seven layers of OSI model.

Application layer: Provides different network services to
user applications.

Presentation layer: Deals with the syntax and
semantics of transmitted data. It converts presentation
format for incoming and outgoing data.

Session layer: Sets up, manages, and terminates
conversations between the applications. Deals with
session and connection coordination.

Transport layer: Manages complete data transfer by
providing end-to-end communication control and error
checking.
Network primer
Networks: Seven layers of OSI model contd.

Network layer: Deals with addressing and routing data
on the network.

Data link layer: Deals with proper framing of data bits
on the physical media and ensures error control
between adjacent nodes.

Physical layer: Deals with transmission of bits over the
physical media. Provides connectivity of the node to
the transmission media.

Useful mnemonic: All People Seem To Need Data
Processing.
Network primer
Networks: Encapsulation/decapsulation of data.

Data has to be passed from application layer to
application layer on a network.

Each layer adds a header and passes the data to the
lower layer. This process is called encapsulation.

The physical layer, the lowermost layer, sends the data
over the physical medium to the destination.

Upon reaching the destination's physical layer, data is
passed up the stack.

Each destination layer strips off the header its peer layer added and
passes the data on to the layer above. This process is called
decapsulation.
Network primer
Networks: Encapsulation/decapsulation of data.

The headers contain information for the corresponding layer
on the receiving end.
Network primer
Networks: TCP/IP model defines specifications of network
layers.

TCP/IP model is similar to the OSI model – however
has only four layers.

The layers are: application, transport, internetwork, and
network access.

Layers are numbered in descending order – i.e., the application
layer is layer 4 and the network access layer is layer 1.

Each layer performs a specific task and is independent of
the others.
Network primer
Networks: TCP/IP model defines specifications of network
layers.

Model provides actual specifications via various
protocol definitions (unlike OSI model).

Model specifies several dozen protocols, but is named
after two of its most famous protocols – TCP and IP.

Similar to OSI model, TCP/IP model goes through the
process of encapsulation and decapsulation.
Network primer
Networks: Four layers of TCP/IP model.

Application layer: Corresponds to the top three layers
of the OSI model. Protocols at this layer include SMTP
(e-mails), HTTP (web), and FTP (file transfers).

Transport layer: Corresponds to layer 4 (Transport) of
the OSI model. Protocols include TCP and UDP.

Internetwork layer: Corresponds to layer 3 (network) of
the OSI model. Protocols include IP and ICMP.

Network access layer: Corresponds to layers 1 and 2
(physical and data link) of the OSI model. Works with
Ethernet/token ring type of technologies.
(Some refer to the Internetwork layer as the Network layer and to the Network access
layer as the Data link layer.)
Network primer
Networks: Role of four layers of TCP/IP model.

Application layer: End user applications use protocols
at this layer to communicate. For example, web
browser uses the HTTP protocol.

Transport layer: Uses protocols like TCP to open a
connection with the destination and to ensure that data sent is
indeed received.

Internetwork layer: Uses protocols like IP to route the
data packets across the Internet to its destination IP
address.

Network access layer: Deals with getting data from
destination router to the appropriate computer on the
network.
Network primer
Networks: Encapsulation/decapsulation of data on TCP/IP
network.

Data has to be passed from application layer to
application layer on a network.

Each layer adds a header and passes the data to the
lower layer. This process is called encapsulation.

The physical layer, the lowermost layer, sends the data
over the physical medium to the destination.

Upon reaching the destination's physical layer, data is
passed up the stack.

Each destination layer strips off the header its peer layer added and
passes the data on to the layer above. This process is called
decapsulation.
Network primer
Networks: Encapsulation/decapsulation of data on TCP/IP
network.

The headers contain information for the corresponding layer
on the receiving end.
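The encapsulation and decapsulation described on the preceding slides, as an added worked example that is not part of the original slides: each layer prepends its own header on the way down (TCP, then IP, then Ethernet) and each layer strips the header its peer added on the way up. Header layouts follow RFC 791, RFC 793 and Ethernet II; the addresses, MACs and payload are constructed, and checksums are left at zero for brevity.

```python
# Added example (not from the Raval/Fichadia slides): a simplified model of
# encapsulation and decapsulation on a TCP/IP stack. Header layouts follow
# RFC 791 (IPv4), RFC 793 (TCP) and Ethernet II; checksums are left at zero
# (a real stack computes them) and sequence numbers are fixed at zero.
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, src_port: int,
                dst_port: int, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Pass data down the stack: each layer prepends its own header."""
    # Transport layer (TCP): 20-byte header, data offset 5 words, SYN flag set.
    offset_and_flags = (5 << 12) | 0x02
    tcp_header = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                             offset_and_flags, 65535, 0, 0)
    segment = tcp_header + payload
    # Internetwork layer (IP): 20-byte header; total length covers the segment.
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment),
                            0, 0, 64, PROTO_TCP, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    packet = ip_header + segment
    # Network access layer (Ethernet II): 14-byte header in front of the packet.
    eth_header = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4)
    return eth_header + packet


def decapsulate(frame: bytes) -> dict:
    """Pass data up the stack: each layer reads and strips its own header."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]                       # Ethernet header stripped
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4              # IP header length in bytes
    total_len, ttl, proto = fields[2], fields[5], fields[6]
    if proto != PROTO_TCP:
        raise ValueError("not a TCP packet")
    segment = packet[ihl:total_len]           # IP header stripped
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4       # TCP header length in bytes
    payload = segment[data_offset:]           # TCP header stripped
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(fields[8]), "dst_ip": socket.inet_ntoa(fields[9]),
        "ttl": ttl, "src_port": sport, "dst_port": dport,
        "syn": bool(off_flags & 0x02), "payload": payload,
    }


def header_overhead(frame: bytes) -> int:
    """Bytes added by the three headers: frame size minus application data."""
    return len(frame) - len(decapsulate(frame)["payload"])


if __name__ == "__main__":
    # Constructed sample: a browser on 69.58.201.25 asking a web server for "/".
    frame = encapsulate(b"GET / HTTP/1.0\r\n\r\n", "69.58.201.25", "198.51.100.8",
                        40000, 80, bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455"))
    print(len(frame), "bytes on the wire,", header_overhead(frame), "of them headers")
    print(decapsulate(frame))
```

The dictionary returned by decapsulate is exactly the information each receiving layer reads from "its" header before discarding it: the Ethernet layer looks at the MACs and EtherType, the IP layer at the addresses and protocol number, and the TCP layer at the ports and flags, and only the payload reaches the application.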
Network primer
Networks: End to end journey of data across TCP/IP
network.
The Internetwork layer needs IP addresses to route data to the
destination network (not the destination computer).

IP addresses contain a network address and a host (computer)
address.

Routers use the network address portion for getting data
packets to the destination network.

Once data reaches the destination network, delivery to the
right computer is typically done via the ARP protocol.

Port numbers are used to get the data to the right
application on the destination computer.

The Transport layer ensures data reaches the destination – else it
retransmits it.
Network primer
Networks: IP address scheme.

Current version of IP addresses is IP version 4.

IPv4 defines IP address with 32 bits organized in four
octets (8 bits in each). IP version 6 has 128 bits.

Decimal values of the bits in each octet are separated
by dots while writing an IP address.

E.g. 69.58.201.25

Certain bits from the left correspond to the network
address (69.58.201) and the remaining bits identify
the computer (host) on the network (25).

The subnet mask defines the boundary between the network
portion and the host portion of the IP address.
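The network/host split above, worked through in code as an added example (not from the slides): the subnet mask is ANDed with the address to keep the network bits, its complement keeps the host bits, and routers forward on the network part alone. The example goes beyond the slide's /24 case to any contiguous mask, and it rejects masks whose 1 bits are not contiguous. The addresses used are the slide's 69.58.201.25 plus constructed ones.

```python
# Added example (not from the slides): splitting an IPv4 address into its
# network and host portions with a subnet mask, using integer bit operations.
# The ipaddress module is used only to convert between dotted-decimal and int.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def is_valid_mask(mask: str) -> bool:
    """A subnet mask must be a run of 1 bits followed by a run of 0 bits."""
    inverted = _to_int(mask) ^ ALL_ONES          # host bits become 1s
    plus_one = inverted + 1
    return plus_one & (plus_one - 1) == 0         # a power of two means contiguous


def split_address(ip: str, mask: str) -> dict:
    """Return the network address, host number and prefix length for ip/mask."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    ip_int, mask_int = _to_int(ip), _to_int(mask)
    network = ip_int & mask_int                   # keep the leftmost (network) bits
    host = ip_int & (mask_int ^ ALL_ONES)         # keep the rightmost (host) bits
    prefix = bin(mask_int).count("1")
    return {
        "network": _to_dotted(network),
        "host": host,
        "prefix": prefix,
        "broadcast": _to_dotted(network | (mask_int ^ ALL_ONES)),
        "usable_hosts": max((1 << (32 - prefix)) - 2, 0),
    }


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """Routers only look at the network part; two hosts share a segment iff it matches."""
    mask_int = _to_int(mask)
    return (_to_int(ip_a) & mask_int) == (_to_int(ip_b) & mask_int)


if __name__ == "__main__":
    print(split_address("69.58.201.25", "255.255.255.0"))   # the slide's example
    print(split_address("10.1.19.7", "255.255.240.0"))      # constructed /20 case
    print(same_network("69.58.201.25", "69.58.202.1", "255.255.255.0"))
```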
Network primer
Networks: Ports.
Ports define the unique application/service on a
computer that sends or receives the data.

E.g. Port 80 is used by Web Server software to receive requests
from browsers.

Port numbers can range from 0 through 65,535.

IANA designates “well-known” ports (0-1023) for
specific purposes.

E.g. port 80 is for web traffic, port 25 is for e-mail traffic.
Management concerns
Concerns about network security typically include
the following:

Ensuring the availability of the networks for web traffic,
e-commerce/EDI transactions, and e-mails.

Maintaining the confidentiality & integrity of data flowing
over the networks (from home and within company).

Building networks with business partners to aid with
B2B transactions without compromising security.

Having an effective backup, recovery, business
resumption and a disaster recovery plan.
Risks and controls
Clear-text transmissions: Data that goes over the network
in an unencrypted fashion.

Networks are shared by multiple computers.

These computers play nice and read only those
packets on the network that are addressed to them.
They ignore data packets that aren’t meant for them.

A “sniffer” computer can read packets that aren’t meant
for it by putting its network card into “promiscuous”
mode – thereby accessing unauthorized data.

Intruders often use sniffers to capture user IDs,
passwords, and other sensitive data.
Risks and controls
Clear-text transmissions: Data that goes over the
network in an unencrypted fashion.

Sniffers can capture data belonging to others.
Risks and controls
Clear-text transmission risks:

Disclosure of sensitive information.
Controls:

Employ encryption for sensitive data.

Limit access to physical networks.
Risks and controls
Modems: Devices that allow users to connect to the
Internet.

Modems can be dial-up modems or cable modems.

Dial-up modems installed in computers communicate
via analog phone lines to modems within company
networks or with the Internet Service Providers (ISP).

Cable-modems are highly popular now and connect
over cable lines with the cable companies that provide
Internet connectivity.

Cable-modems offer much faster speeds than dial-up
modems.
Risks and controls
Modems: Devices that allow users to connect to the
Internet.

Cable modems are a lot more popular than dial-up
modems.
Risks and controls
Dial-up modem risks:

Intruders use war-dialers to identify company modems
and crack the passwords to get in. A single insecure
modem can undo the security offered by a million-dollar
firewall.
Controls:

Company should war-dial itself to identify unauthorized
modems and disable them.

Authorized modems should offer no login banners or
information that helps intruders fingerprint the modem.

Employ intruder lockouts and strong user ID and
password management routines.
Risks and controls
Controls contd.

Consider using modems with two-factor authentication
(something you know and something you have).

Consider using callback modems that return calls to
prespecified numbers upon a connection request.
Risks and controls
Cable modem risks:

Cable modems provide a static target to attackers often
with the same IP address.

Cable modems may allow users to sniff neighbor’s data.
Controls:

Turn off cable-modems when not required.

Employ personal firewalls on machines behind a cable
modem.

Secure the machines via operating system security
practices.
Risks and controls
Virtual Private Networks: Allows for securing traffic sent via
the Internet to company networks.

Remote users often dialed into company modems via
toll-free numbers to connect to company networks.

Dedicated modem lines and toll-free numbers were
expensive for companies.

VPNs solved the problem by encrypting and sending
data over the public network (Internet).

Remote users just needed a connection to their ISP and
a VPN client that connected to a VPN server on the
company end.
Risks and controls
Virtual Private Networks: Devices that allow users to
connect to the Internet.

Modem banks and dedicated toll-free lines were
required for remote connectivity before VPNs.
Risks and controls
Virtual Private Networks: Devices that allow users to
connect to the Internet.

VPNs allowed companies to lower cost by securely
tunneling data to company network via the Internet.
Risks and controls
Virtual Private Networks: There are three popular tunneling
protocols used for VPNs.

Point-to-Point Tunneling Protocol (PPTP) by Microsoft
works at layer 2 of the OSI model and is natively supported
by Windows.

Layer 2 Tunneling Protocol (L2TP) by Cisco also works
at layer 2 of the OSI model and combines features of L2F
and PPTP.

IPSec protocol by IETF works at layer 3 of the OSI
model and generally provides for stronger encryption
and data integrity via digital certificates.
Risks and controls
VPN risks:

VPN may employ weak authentication mechanisms
(when compared against the risk of sending traffic over
the Internet).

Insecure end user machine may allow intruders to
bridge into the company network.

Encryption protocols may be weak.
Controls:

Use stronger authentication means such as digital
certificates or two-factor authentication.
Risks and controls
Controls contd:

Ensure VPN solution uses strong encryption means.

Employ personal firewalls on machines behind a cable
modem.

Secure the machines via operating system security
practices.
Risks and controls
Firewalls (FWs): Devices that control traffic entering and
exiting a company network.

Firewalls act as perimeter sentries for a network.

All incoming & outgoing traffic goes through the firewall.

Firewalls have rulesets (policies) that decide what type of
traffic passes and what doesn’t. For example:

Outsiders can access company web pages and can send e-mails, but can’t connect to other company servers.

Inside employees can connect to external servers, but can’t connect to
peer-to-peer networks.

In addition to filtering, some firewalls can provide
additional functionality like authentication, virus
scanning, intrusion detection, spam filtering etc.
Risks and controls
Firewalls: There are three main types of firewalls.

Packet filter (PF) FWs filter based on source &
destination IP addresses and/or source & destination port
numbers.
Risks and controls
Firewalls: There are three main types of firewalls.

Stateful packet inspection (SPI) FWs build on packet-filtering FWs by looking at the content of the packet.

In addition, SPI FWs look at the state of the packet. This
ensures that an incoming packet that isn’t a
response to a previous outgoing request is dropped.
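The packet-filter and stateful-inspection firewalls just described, as an added example that is not part of the original slides: a first-match packet filter whose rules encode the policy from the earlier firewall slide (outsiders may reach web and mail, insiders may reach external servers but not peer-to-peer), and a stateful variant that additionally remembers connections opened from the inside so that their replies are admitted while unsolicited inbound packets are still dropped. The company network 10.0.0.0/24, the outside addresses and the peer-to-peer port range 6881-6889 are all assumptions made for the example.

```python
# Added example (not from the slides): a first-match packet filter and a
# stateful variant that also tracks outbound connections. Addresses and ports
# are constructed for illustration; the ruleset encodes the slide's policy:
# outsiders may reach the web server (80) and mail server (25) but nothing
# else; insiders may reach external servers but not peer-to-peer ports
# (6881-6889 is assumed here as the P2P range).
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE = ipaddress.ip_network("10.0.0.0/24")       # constructed company network
P2P_PORTS = range(6881, 6890)


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = from the Internet, "out" = from the company network
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "deny"
    direction: Optional[str] = None              # None matches either direction
    dst_ports: Optional[range] = None            # None matches any destination port
    dst_net: Optional[ipaddress.IPv4Network] = None

    def matches(self, pkt: Packet) -> bool:
        if self.direction and pkt.direction != self.direction:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst_ip) not in self.dst_net:
            return False
        return True


class PacketFilter:
    """Stateless: every packet is judged against the rules alone, first match wins."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


class StatefulFilter(PacketFilter):
    """Stateful: inbound packets that answer a tracked outbound connection pass."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            if key in self.connections:
                return "allow"          # reply to a connection the inside opened
        verdict = super().decide(pkt)
        if verdict == "allow" and pkt.direction == "out" and pkt.syn:
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return verdict


POLICY = [
    Rule("allow", direction="in", dst_ports=range(80, 81), dst_net=INSIDE),   # web
    Rule("allow", direction="in", dst_ports=range(25, 26), dst_net=INSIDE),   # mail
    Rule("deny", direction="out", dst_ports=P2P_PORTS),                       # no P2P
    Rule("allow", direction="out"),                                           # everything else out
]
```

The difference between the two shows on the reply to an outbound connection: the stateless filter has no rule admitting a packet from an outside port 443 to a high port inside, so it must either deny the reply or carry a broad "allow established" rule, while the stateful filter admits it only because it saw the matching outbound SYN first.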
Risks and controls
Firewalls: There are three main types of firewalls.

Application-level/proxy FWs are conceptually different in
that they broker all transactions between the sender and
receiver by providing a proxy service to both sides.

No other traffic can pass since proxy software for that
traffic isn’t present on the FW.
Risks and controls
Firewalls: Firewall placement in network has security
ramifications. Some sample placements include:

Screening router setup wherein packet filter/SPI firewalls
separate trusted networks from the untrusted networks
(Internet).
Risks and controls
Firewalls: Firewall placement in network has security
ramifications. Some sample placements include:

Dual-homed host setup wherein a “bastion” host with
proxy FW separates trusted networks from the untrusted
networks (Internet).
Risks and controls
Firewalls: Firewall placement in network has security
ramifications. Some sample placements include:

Screened host setup is a combination of a screening
router setup (with packet filter/SPI FW) and a “bastion”
host inside the trusted network with a proxy FW.
Risks and controls
Firewalls: Firewall placement in network has security
ramifications. Some sample placements include:

Screened subnet setup wherein an extra screening router
(with packet filter/SPI FW) is added and a “bastion” host
(with proxy FW) is moved outside the company network in
the DeMilitarized Zone (DMZ).
Risks and controls
Firewall risks:

A properly configured FW has no risk. However, the
rulesets can get complicated fast.

Firewalls don’t protect against malicious internal users.

Firewalls can be undone by rogue modems/wireless APs.
Controls:

Audit FW rulesets to ensure policies are correctly
implemented.

Use anti-virus, intrusion detection, etc. in addition to
firewalls.

Prevent rogue modems and/or wireless APs.
Risks and controls
Denial of Service (DoS): Attacks on a network aimed at
disrupting service to users of a network.

The attack is not aimed at stealing data or compromising security,
but rather at denying legitimate users access to a resource.

Occurs mostly at the network level, although DoS against
operating systems and applications is also possible.

There are several types of DoS/DDoS attacks.
Risks and controls
Denial of Service (DoS): Types of DoS attacks on networks.
Network connectivity resource consumption attack

Attacker consumes network connectivity resources, denying users
the ability to connect to the network.

Example includes the SYN flood attack, which exploits the TCP handshake
for establishing a connection as shown below.
Risks and controls
Denial of Service (DoS): Types of DoS attacks on networks.
Network connectivity resource consumption attack contd.

Attacker sends spoofed SYN packets asking for a connection;
however, the victim never receives ACK packets back and keeps
waiting. As spoofed SYN packets increase, the victim runs out of
resources for valid users to connect.
Risks and controls
Denial of Service (DoS): Types of DoS attacks on networks.
Bandwidth consumption attack

Attacker consumes all network bandwidth, denying users a place
on the network. Attackers magnify their traffic multiple-fold to flood
the victim’s network via “magnification attacks.”

Example includes the smurf attack, which exploits the ICMP broadcast
feature to generate loads of traffic.

Attacker finds susceptible routers on the web that allow broadcast
pings (one ping to the router causes ping responses from all
computers on the network). These are the “amplifier” sites.

Attacker sends spoofed ICMP pings purporting to be from the
victim to these amplifier sites, which all respond back to the victim,
flooding the victim’s network.
Risks and controls
Denial of Service (DoS): Types of DoS attacks on networks.
Bandwidth consumption attack contd.


Attacker thus leverages unsuspecting routers on the Internet to
attack a victim.
Risks and controls
Denial of Service (DoS): Types of DoS attacks on networks.
Distributed DoS attack.

A single attack source can often be filtered out. Hence
attackers leverage several compromised machines – “zombies” –
to generate a distributed attack. These “zombies” come alive at a
single command from the attacker and attack the victim.
Risks and controls
DoS risks:
Risks include loss of revenue and a decline in customer faith.

Controls:

Increase the number of connections & decrease ACK time-outs to
mitigate network resource consumption attacks.

Disable ICMP broadcasts on routers.

DDoS attacks are difficult to prevent.

Receiving routers can’t easily identify spoofed packets coming in.
Plus, they are bogged down under attack.

However, sending routers can detect spoofed packets being
generated. Also, they may not be bogged down.

Hence, it is easier to prevent a DDoS attack closer to the source than
at the victim’s site.
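The SYN flood mechanism from the earlier slide and the two controls above (more connections, shorter time-outs), worked through as an added example that is not part of the original slides. It models the victim's half-open connection table: spoofed SYNs that are never acknowledged occupy entries until they time out, and when the table is full a real client's SYN is rejected. Replaying one constructed trace with different backlog sizes and time-outs shows why each control helps, and the summary carries two values a defender can alarm on. The event trace and addresses are constructed; nothing is sent on a network.

```python
# Added example (not from the slides): a model of a server's half-open
# connection table under a SYN flood, used to show why the slide's controls
# (a larger backlog, shorter time-outs) help and how the condition can be
# detected. All events are constructed; no packets are sent anywhere.
from collections import Counter


class HalfOpenTable:
    """Tracks connections that received a SYN but no final ACK yet."""

    def __init__(self, backlog: int, timeout: float):
        self.backlog, self.timeout = backlog, timeout
        self.pending = {}            # (src_ip, src_port) -> time the SYN arrived
        self.rejected = 0            # SYNs dropped because the table was full
        self.completed = 0           # handshakes finished by a real ACK
        self.peak = 0                # highest number of half-open entries seen

    def _expire(self, now: float) -> None:
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]

    def on_syn(self, now: float, src) -> bool:
        self._expire(now)
        if len(self.pending) >= self.backlog:
            self.rejected += 1
            return False
        self.pending[src] = now
        self.peak = max(self.peak, len(self.pending))
        return True

    def on_ack(self, now: float, src) -> bool:
        if src in self.pending:
            del self.pending[src]
            self.completed += 1
            return True
        return False                 # ACK for an unknown or expired handshake


def replay(events, backlog: int, timeout: float) -> dict:
    """Feed (time, kind, src_ip, src_port) events through a table and summarise."""
    table = HalfOpenTable(backlog, timeout)
    syns_per_ip = Counter()
    for now, kind, ip, port in sorted(events):
        if kind == "SYN":
            syns_per_ip[ip] += 1
            table.on_syn(now, (ip, port))
        elif kind == "ACK":
            table.on_ack(now, (ip, port))
    total_syns = sum(syns_per_ip.values())
    return {
        "rejected": table.rejected,
        "completed": table.completed,
        "peak_half_open": table.peak,
        # Detection heuristics a defender can alarm on: the table nearly
        # filling up, or far more SYNs than completed handshakes.
        "backlog_alert": table.peak >= 0.8 * backlog,
        "completion_ratio": table.completed / total_syns if total_syns else 1.0,
    }


def make_flood_events(count: int = 150):
    """Constructed trace: spoofed SYNs that are never acknowledged, then a real client."""
    events = [(i / 100, "SYN", f"198.51.100.{i % 250}", 10000 + i) for i in range(count)]
    events.append((30.0, "SYN", "192.0.2.10", 40000))   # legitimate client connects
    events.append((30.1, "ACK", "192.0.2.10", 40000))   # and completes the handshake
    return events


if __name__ == "__main__":
    for backlog, timeout in ((128, 75.0), (256, 75.0), (128, 10.0)):
        print(backlog, timeout, replay(make_flood_events(), backlog, timeout))
```

With a 128-entry backlog and a 75-second time-out the flood still occupies the whole table when the real client arrives at t=30, so it is rejected; doubling the backlog lets it in, and so does cutting the time-out to 10 seconds, because the spoofed entries have expired by then. A completion ratio near zero (many SYNs, almost no finished handshakes) is the signature of spoofed sources that never answer.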
Risks and controls
Wireless networks: Popular networking wherein data is
passed over the air instead of a physical (wired) media.

Bluetooth/IEEE 802.11 networks are being rapidly
adopted because of the convenience they offer.

Bluetooth works over small distances (a few feet) whereas 802.11 networks work over several hundred feet.

This chapter focuses on 802.11-based wireless networks.

While 802.11(b) is the most widely adopted Wireless
LAN (WLAN) standard, 802.11(a) and (g) are gaining
popularity because of higher transmission speeds.
Risks and controls
Wireless networks: Popular networking wherein data is
passed over the air instead of a physical (wired) media.

Access points (AP) and wireless cards are required.
Risks and controls
Wireless networks: Security mechanisms for wireless
networks include the following.

Shared secret: Devices need to know the AP’s Service
Set Identifier (SSID) to join the network.

Address-based restrictions: APs can be
configured to accept transmissions only from network
cards with predefined MAC addresses.

Encryption: 802.11b networks allow the option of
encrypting all transmissions using the Wired Equivalent
Privacy (WEP) encryption scheme.
Risks and controls
Wireless network risks:

Transmissions can’t be limited to company premises.

Security mechanisms aren’t strong enough:

SSID is often broadcast in the clear for anyone to read.

MAC addresses can be changed/spoofed.

WEP encryption scheme is flawed and hence can be cracked.

Default password may not be changed.

SNMP services may be enabled.

Unauthorized APs can undo firewall security and
compromise a company network.
Risks and controls
Controls:

Don’t use wireless networks if not required.

Change default passwords, disable SNMP.

Disable SSID broadcast.

Adopt newer APs that support the 802.11i security standard
(marketed as WiFi Protected Access – WPA) instead
of WEP if possible. If not, use 128-bit WEP encryption.

Consider using digital-certificate-based authentication.

Scan the internal network to identify unauthorized APs.

Don’t consider wireless clients trusted. Force them to
use techniques like VPN to join the company network.
Risks and controls
Intrusion Detection System (IDS): System that provides
warning and/or takes actions against intrusion attempts
on networks and/or computers.

Two key types of IDS: Network and Host-based.

Network IDS:

Sniffs data on network segments via special sensors.

Sends it to a centralized console for identifying attacks.

Host-based IDS:

Resides on individual computers (hosts).

Monitors files and process activity to identify attacks (similar to
anti-virus solutions on PCs).

Responses can be active (e.g. close ports, stop service)
or passive (send alerts via pagers, e-mails).
Risks and controls
Intrusion Detection System (IDS): Network IDS
Advantages:

Can monitor vast expanses of networks.

Has a global view of attacks (alerts on “doorknob rattling”).

Doesn’t need any changes to individual computers.

NIDS devices can be made extremely secure.

Disadvantages:

Can’t work in encrypted environments.

May not work in a switched network topology.

May not be able to handle all traffic on a busy network.
Risks and controls
Intrusion Detection System (IDS): Host IDS
Advantages:

Fewer false positives in assessment.

May work in encrypted environments.

Works in all network topologies.

Better at impact assessment.

Disadvantages:

More intrusive to the computer.

Has only a local view of attacks.

More administrative overhead since installed on all machines.
Risks and controls
Intrusion Detection System (IDS): Analysis methods.

Two key methods are used for analyzing data: attack
signature-based analysis and baseline-based analysis.

Attack-signature-based analysis:

Analysis involves matching network data against a bank of
known attack patterns (signatures) (similar to the virus definition
signatures used by anti-virus software).

Provides a fairly reliable means of attack identification.

Can’t assess new, unknown attacks.

Baseline-based analysis (anomaly detection):

Compares network data against established baselines.

May detect newer attacks, but with a higher degree of false positives.
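The two analysis methods side by side, as an added example that is not part of the original slides, run over constructed web-server log lines rather than raw network data. Signature analysis matches each request path against a small bank of known patterns; baseline analysis learns the normal per-source request count from a baseline window and flags sources that exceed mean plus three standard deviations. The log lines, the signature bank and the threshold rule are all constructed for the example, and they reproduce the slide's point: the signature method catches only what it already knows, the baseline method catches the unknown high-rate source but would flag any unusually busy legitimate client too.

```python
# Added example (not from the slides): the two IDS analysis methods run over
# constructed web-server log lines. Signature analysis matches each request
# against known attack patterns; baseline (anomaly) analysis learns a normal
# request rate per source from a baseline window and flags outliers.
import re
import statistics
from collections import Counter

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# A minimal, constructed signature bank in the spirit of an IDS rule set.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "passwd file access": re.compile(r"/etc/passwd"),
    "sql injection": re.compile(r"(?i)union\s+select"),
}


def parse(line: str):
    """Parse one common-log-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, size = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def signature_analysis(lines):
    """Return {ip: [signature names]} for requests matching a known pattern."""
    hits = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                hits.setdefault(rec["ip"], []).append(name)
    return hits


def requests_per_ip(lines) -> Counter:
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[rec["ip"]] += 1
    return counts


def baseline_analysis(baseline_lines, window_lines, sigma: float = 3.0):
    """Flag sources whose request count in the window exceeds mean + sigma*stdev
    of the per-source counts seen during the baseline period."""
    base = list(requests_per_ip(baseline_lines).values())
    threshold = statistics.mean(base) + sigma * statistics.pstdev(base)
    counts = requests_per_ip(window_lines)
    return {ip: n for ip, n in counts.items() if n > threshold}, threshold


def _line(ip, path, status=200):
    """Build one constructed log line in common log format."""
    return f'{ip} - - [10/Oct/2007:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed baseline: three ordinary clients browsing a few pages each.
BASELINE = ([_line("192.0.2.10", p) for p in ("/", "/about", "/contact")]
            + [_line("192.0.2.11", p) for p in ("/", "/news", "/contact")]
            + [_line("192.0.2.12", p) for p in ("/", "/about")])

# Constructed window: ordinary browsing, one request that matches a signature,
# and one source issuing forty requests that match no signature at all.
WINDOW = ([_line("192.0.2.10", p) for p in ("/", "/news", "/about")]
          + [_line("198.51.100.7", "/cgi-bin/../../etc/passwd", 404)]
          + [_line("203.0.113.9", f"/page{i}", 404) for i in range(40)])


if __name__ == "__main__":
    print("signature hits:", signature_analysis(WINDOW))
    flagged, threshold = baseline_analysis(BASELINE, WINDOW)
    print(f"anomaly hits (threshold {threshold:.2f}):", flagged)
```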
Risks and controls
Simple Network Management Protocol (SNMP): Allows
reading or altering of configuration of network devices.

Popular protocol that is very lightweight and versatile.

Allows users to remotely administer network devices
(routers, printers, computers) by reading and/or
modifying their configurations. Can poll devices too.

Client-server architecture. SNMP software on devices
reports to a (typically centralized) SNMP manager.

Clients and managers exchange messages called
Protocol Data Units (PDUs).
Risks and controls
Simple Network Management Protocol (SNMP): Allows
reading or altering of configuration of network devices.

PDU exchange requires authentication via “community
strings” – which essentially act as passphrases.

Two types of community strings exist – a read-only
string and one that allows reads and writes.

Four types of PDUs exist:

get request

get-next request

set request

trap message
Risks and controls
Simple Network Management Protocol (SNMP): Allows
reading or altering of configuration of network devices.

“get request” PDU for getting a specific value from a
device’s information table (called MIB – management
information base).

“get next request” PDU for getting the value of the next MIB
variable subsequent to the previous get/get next request.

“set request” PDU to set a particular MIB variable.
Allows for changing of device configuration.

“trap message” PDU to send messages/alerts (“traps”)
to SNMP managers.
Risks and controls
Simple Network Management Protocol (SNMP): Allows
reading or altering of configuration of network devices.

Four types of PDUs are used to exchange messages.
Risks and controls
SNMP risks:

SNMP version 1 (most common) sends community
strings in clear-text and hence can be sniffed.

Default community names (“public” and “private”) are
often unchanged.

Often installed, but ignored by administrators.

Preferred tool of intruders to footprint an environment.
Reveals OS, patches, administrator names, etc.

Can be used by intruders to cause DoS attacks.
Controls:

Disable SNMP if not required.
Risks and controls
Controls contd.:

Filter incoming SNMP traffic via firewalls.

Change default community names to stronger values.
Periodically change the values.

Use SNMP version 2, if possible, since it allows for some
encryption.

Define only the trusted hosts that can receive SNMP
messages.

Apply SNMP patches.
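The SNMPv1 PDU exchange and the clear-text community string risk from the preceding slides, as an added example that is not part of the original slides: a minimal encoder and decoder for the SNMPv1 message layout (ASN.1 BER as laid out in RFC 1157) builds a get request and a set request, decodes them the way a sniffer would, and shows that the community string is readable directly in the raw bytes. A check for the default community names the slides warn about is included. The decoder also recognises the get-response PDU tag, which the slides' list of four PDU types omits. The community strings, request IDs and OIDs are constructed; the messages are built in memory and not sent.

```python
# Added example (not from the slides): a minimal SNMPv1 message encoder and
# decoder (ASN.1 BER, RFC 1157 layout) used to show that the community string
# travels in clear text, plus a check for the default community names the
# slides warn about. The message bytes are constructed here, not captured.
PDU_TYPES = {0xA0: "get request", 0xA1: "get-next request",
             0xA2: "get response", 0xA3: "set request", 0xA4: "trap message"}
DEFAULT_COMMUNITIES = {"public", "private"}


def _length(n: int) -> bytes:
    """BER length: one byte if < 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def enc_int(v: int) -> bytes:
    """Non-negative INTEGER; the extra leading zero keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def enc_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs merge into one byte, the rest are base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # assumes the merged value is < 128
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_request(community: str, request_id: int, oids, pdu_tag: int = 0xA0) -> bytes:
    """SNMPv1 Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }."""
    varbinds = b"".join(tlv(0x30, enc_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value bytes, next position)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_children(value: bytes):
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        items.append((tag, v))
    return items


def dec_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_message(msg: bytes) -> dict:
    """Decode what a sniffer on the wire sees: version, community, PDU type, OIDs."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = read_children(body)
    fields = read_children(pdu)
    varbinds = read_children(fields[3][1])
    return {
        "version": int.from_bytes(version, "big"),      # 0 on the wire means SNMPv1
        "community": community.decode(),
        "pdu_type": PDU_TYPES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})"),
        "request_id": int.from_bytes(fields[0][1], "big"),
        "oids": [dec_oid(read_children(vb)[0][1]) for _, vb in varbinds],
    }


def community_weak(community: str) -> bool:
    """True for the defaults the slides warn about, or anything very short."""
    return community.lower() in DEFAULT_COMMUNITIES or len(community) < 8
```

Decoding needs no key or secret of any kind, which is the whole point of the slide's risk: anyone positioned on the path with a sniffer learns the read-only or read-write passphrase from the first PDU that passes, and a read-write string in a set request is what lets a device's configuration be changed.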
Assurance considerations
An audit to assess network security should include the
following:

Ensure the company’s network perimeter is well-defined
and documented.

Determine the legitimacy and the business need for
trust relationships among networks.

Review the use of firewalls to segregate networks and
to protect the computers within a network.

Audit the firewall rules for filtering traffic and the use of
layered topology for protecting the network.

Ensure that the network security is not undone by use
of unauthorized modems and/or wireless access points.
Assurance considerations

Evaluate the use of encryption to protect data in transit.

Determine if controls like personal firewalls are used to
protect remote users’ machines.

Determine if an intrusion detection system is in place.

Ensure insecure network services such as SNMP, tftp,
telnet, etc. are either not used or have been secured.

Determine if network devices and software are patched.

Evaluate the security of wireless networks.

Ensure that functional plans for backup and recovery,
business resumption, and disaster recovery are in place.
Recap