Transcript ch13
Hands-On Ethical Hacking
and Network Defense
Second Edition
Chapter 13
Network Protection Systems
Objectives
• After reading this chapter and completing the
exercises, you will be able to:
– Explain how routers are used as network protection
systems
– Describe firewall technology and tools for configuring
firewalls and routers
– Describe intrusion detection and prevention systems
and Web-filtering technology
– Explain the purpose of honeypots
Hands-On Ethical Hacking and Network Defense, Second Edition
2
Understanding Routers
• Network protection systems
–
–
–
–
–
Routers
Firewalls
Intrusion detection and prevention systems
Web filtering
Honeypots
• Security appliance
– Single device combining two or more protection
functions
Hands-On Ethical Hacking and Network Defense, Second Edition
3
Understanding Routing Protocols
• Routers are hardware devices
– Used to send packets to different network segments
• Operate at network layer of OSI model
• Routing protocols
– Link-state routing protocol
• Router advertises link-state
– Distance-vector routing protocol
• Router passes routing table to all participating routers
– Path-vector routing protocol
• Uses dynamically updated paths or routing tables to
transmit packets
Hands-On Ethical Hacking and Network Defense, Second Edition
4
Understanding Basic Hardware
Routers
• Cisco routers
– Widely used in networking community
• Millions used by companies around the world
• Vulnerabilities exist
– As they do in any OS
– Security professionals must consider the router type
when conducting a security test
Hands-On Ethical Hacking and Network Defense, Second Edition
5
Cisco Router Components
• Random access memory (RAM)
– Holds router’s running configuration, routing tables,
and buffers
• If turned off, contents stored in RAM are erased
• Nonvolatile RAM (NVRAM)
– Holds router’s configuration file
• Information is not lost if the router is turned off
• Flash memory
– Holds IOS the router is using
– Rewritable memory, so IOS can be upgraded
Hands-On Ethical Hacking and Network Defense, Second Edition
6
Cisco Router Components (cont’d.)
• Read-only memory (ROM)
– Contains a minimal version of IOS
• Used to boot router if flash memory gets corrupted
• Interfaces
– Hardware connectivity points for components of
most concern
• Ethernet port is an interface that connects to a LAN
Hands-On Ethical Hacking and Network Defense, Second Edition
7
Cisco Router Configuration
• Configuration modes:
– User mode
• Administrator can perform basic troubleshooting tests
and list information stored on router
• Indicated by router name followed by >
• Default mode
– Privileged mode
• Administrator can perform full router configuration
tasks
• Indicated by router name followed by #
Hands-On Ethical Hacking and Network Defense, Second Edition
8
Cisco Router Configuration (cont’d.)
• Modes to configure the router (in privileged mode)
– Global configuration mode
• Configure router settings affecting router operation
– Interface configuration mode
• Administrator can configure an interface on the router
Hands-On Ethical Hacking and Network Defense, Second Edition
9
Table 13-1 Cisco commands
Hands-On Ethical Hacking and Network Defense, Second Edition
10
Understanding Access Control Lists
• Several types of access control lists
– This section focuses on IP access lists
• Lists IP addresses, subnets, or networks allowed or
denied access through a router’s interface
• Cisco router access lists
– Standard IP access lists
– Extended IP access lists
Hands-On Ethical Hacking and Network Defense, Second Edition
11
Standard IP Access Lists
• Can restrict IP traffic entering or leaving a router’s
interface based on source IP address
– To restrict traffic from Network 3 from entering
Network 1, access list looks like:
access-list 1 deny 173.110.0.0 0.0.255.255
access-list permit any
Figure 13-1
Applying access
lists to router
interfaces
Hands-On Ethical Hacking and Network Defense, Second Edition
12
Extended IP Access Lists
• Restricts IP traffic entering or leaving based on:
–
–
–
–
Source IP address
Destination IP address
Protocol type
Application port number
• Configuration
– Similar to configuring a standard IP access list
Hands-On Ethical Hacking and Network Defense, Second Edition
13
Understanding Firewalls
• Hardware devices with embedded OSs
– Controls access to all traffic entering internal
network
– Controls traffic leaving internal network
• Hardware firewall advantages:
– Usually faster than software firewalls
– Can handle larger throughput than software firewalls
• Hardware firewall disadvantage:
– Locked into firewall’s hardware
Hands-On Ethical Hacking and Network Defense, Second Edition
14
Understanding Firewalls (cont’d.)
• Software firewalls advantage:
– NICs are easily added to server running firewall
software
• Software firewalls disadvantage:
– Configuration problems
– Rely on running OS
Hands-On Ethical Hacking and Network Defense, Second Edition
15
Understanding Firewall Technology
• Technologies include:
–
–
–
–
–
Network address translation
Access lists
Packet filtering
Stateful packet inspection
Application layer inspection
Hands-On Ethical Hacking and Network Defense, Second Edition
16
Network Address Translation
• Most basic security feature
– Internal private IP addresses are mapped to public
external IP addresses
• Hiding internal infrastructure
• Port Address Translation
– Derived from NAT
– Allows thousands of internal IP addresses to be
mapped to one external IP address
Hands-On Ethical Hacking and Network Defense, Second Edition
17
Access Lists
• Used to filter traffic based on:
– Source IP address
– Destination IP address
– Ports or services
• Firewalls also use this technology
• Creating access lists in a firewall
– Similar to creating them in a router
Hands-On Ethical Hacking and Network Defense, Second Edition
18
Packet Filtering
• Packet filters
– Screen packets based on information contained in
packet header
• Protocol type
• IP address
• TCP/UDP port
Hands-On Ethical Hacking and Network Defense, Second Edition
19
Stateful Packet Inspection
• Record session-specific information about a
network connection
– Including state table
• Port scans relying on spoofing or sending packets
after a three-way handshake are made ineffective
• Stateful packet filters
– Recognize anomalies most routers ignore
– Handle each packet on an individual basis
• Not resistant to spoofing or DoS attacks
Hands-On Ethical Hacking and Network Defense, Second Edition
20
Table 13-2 State table example
Hands-On Ethical Hacking and Network Defense, Second Edition
21
Application Layer Inspection
• Inspects network traffic at a higher level in OSI
model
– Makes sure network traffic’s application protocol is
the type allowed by a rule
• Some application-aware firewalls act as a proxy for
all connections
– Safety net for servers or clients (or both)
• Depends on firewall
Hands-On Ethical Hacking and Network Defense, Second Edition
22
Implementing a Firewall
• Placing a firewall between a company’s internal
network and the Internet is dangerous
– Leaves company open to attack if a hacker
compromises the firewall
• Use a demilitarized zone instead
– Adds a layer of defense
Hands-On Ethical Hacking and Network Defense, Second Edition
23
Demilitarized Zone
• Small network
– Contains resources a company wants available to
Internet users
• Helps maintain security on internal network
• Sits between Internet and internal network
– Sometimes referred to as a “perimeter network”
Hands-On Ethical Hacking and Network Defense, Second Edition
24
Figure 13-2 A DMZ protecting an internal network
Hands-On Ethical Hacking and Network Defense, Second Edition
25
Figure 13-3 An additional firewall used to protect the DMZ
Hands-On Ethical Hacking and Network Defense, Second Edition
26
Understanding the Cisco Adaptive
Security Appliance Firewall
• Cisco Adaptive Security Appliance (ASA) firewall
– One of the most widely used firewalls
– Replaced PIX firewall
– Added advanced modular features
• Intrusion detection and prevention
• More sophisticated application layer inspection
Hands-On Ethical Hacking and Network Defense, Second Edition
27
Configuring the ASA Firewall
• Similar logon prompt as Cisco router
– Prompt:
If you are not authorized to be in this XYZ Hawaii
network device, log out immediately!
Username: admin
Password: ********
• Serves a legal purpose
– Prompt after successful log on:
Type help or '?' for a list of available commands.
ciscoasa>
Hands-On Ethical Hacking and Network Defense, Second Edition
28
Configuring the ASA Firewall (cont’d.)
• After entering correct password
– You are in privileged mode
• To enter configuration mode
– Use same command as on a Cisco router
configure terminal or configure t
• Access lists
– Used to filter traffic
Hands-On Ethical Hacking and Network Defense, Second Edition
29
Using Configuration and Risk Analysis
Tools for Firewalls and Routers
• Center for Internet Security
– One of the best Web sites for finding configuration
benchmarks and configuration assessment tools
• Benchmark
– Industry consensus of best configuration practices
• Cisco routers use CIS Cisco IOS Benchmark
• Cisco ASA firewalls use CIS Benchmark for Cisco
Firewall Devices
• Router Audit Tool (RAT)
– Faster and easier to use
Hands-On Ethical Hacking and Network Defense, Second Edition
30
Using Configuration and Risk Analysis
Tools for Firewalls and Routers (cont’d.)
• RedSeal
– Unique network risk analysis and mapping tool
– Identifies configuration vulnerabilities in routers or
firewalls
– Generates professional-looking reports
– Analyzes IPSs and OS vulnerability scans
– Shows a graphical representation of vulnerabilities
discovered
Hands-On Ethical Hacking and Network Defense, Second Edition
31
Figure 13-4 The RedSeal network risk map
Hands-On Ethical Hacking and Network Defense, Second Edition
32
Understanding Intrusion Detection and
Prevention Systems
• Monitor network devices
– Security administrators can identify attacks in
progress and stop them
• Intrusion detection system (IDS)
– Examines traffic and compares it with known exploits
• Similar to virus software using a signature file to
identify viruses
• Intrusion prevention systems (IPSs)
– Similar to IDSs
– Also performs an action to prevent the intrusion
Hands-On Ethical Hacking and Network Defense, Second Edition
33
Network-Based and Host-Based IDSs
and IPSs
• Network-based IDSs/IPSs
– Monitor activity on network segments
– Sniff traffic and alerts if something suspicious occurs
• Host-based IDSs/IPSs
– Used to protect a critical network server or database
server
– Software is installed on server you’re attempting to
protect
Hands-On Ethical Hacking and Network Defense, Second Edition
34
Network-Based and Host-Based IDSs
and IPSs (cont’d.)
• IDSs are also categorized by how they react when
they detect suspicious behavior
– Passive systems
• Don’t take preventative action
• Send out an alert and log the activity
– Active systems
• Log events and send out alerts
• Can also interoperate with routers and firewalls
Hands-On Ethical Hacking and Network Defense, Second Edition
35
Network-Based and Host-Based IDSs
and IPSs (cont’d.)
• Vendors have started focusing on IPSs
– True network-based IPS are installed inline to
network infrastructure
• Traffic has to pass through IPS before going into or
out of the network
– More capable of stopping malicious traffic
– Host-based IPSs operate at the OS (or kernel) level
• Intercept traffic not allowed by host policy
Hands-On Ethical Hacking and Network Defense, Second Edition
36
Network-Based and Host-Based IDSs
and IPSs (cont’d.)
• Network-based IDSs and IPSs are further
categorized by the way they detect attacks
– Signature detectors
• Detect malicious activity by using a database of
known attack signatures
– Anomaly detectors
• Use a baseline of normal activity and send an alert if
activity deviates significantly
Hands-On Ethical Hacking and Network Defense, Second Edition
37
Table 13-3 Intrusion detection and prevention systems
Hands-On Ethical Hacking and Network Defense, Second Edition
38
Web Filtering
• Statistically, firewalls and IPSs do a good job of
protecting a network from Internet attacks
– Hackers know statistics
• Now using least restricted pathway through a firewall
– Target devices allowed access out of the network
automatically: user workstations
• Get internal user to visit a bogus Web site or install
malicious code from an e-mail attachment
• Don’t need to break through the firewall
• Firewall application layer inspection might not detect
this kind of attack
Hands-On Ethical Hacking and Network Defense, Second Edition
39
Web Filtering (cont’d.)
• Web filtering is used to detect users’ attempts to
access malicious Web sites and block tem
– Some block malicious code
• Before it gets to a user’s workstation
• Before it connects to an attacker’s control system
outside the network
• Mass compromises are used to initiate drive-by
downloads
– Web site visitors download malicious code without
their knowledge
Hands-On Ethical Hacking and Network Defense, Second Edition
40
Security Incident Response Teams
• Large organizations with sensitive or critical data
– Normal administrative expertise isn’t enough to do:
• Follow up and damage assessment
• Risk remediation and legal consultation
• Security incident response team (SIRT)
– Permanent team
– Responsible solely for security-response functions
• Ad hoc team
– Members normally have other roles
– Called in response to a specific incident
Hands-On Ethical Hacking and Network Defense, Second Edition
41
Understanding Honeypots
• Honeypot
– Computer placed on network perimeter
• Contains information to lure and trap hackers
• Configured to have vulnerabilities
– Keeps hackers connected long enough so they can
be traced back
– Serves as an excellent data collector and early
warning system
Hands-On Ethical Hacking and Network Defense, Second Edition
42
How Honeypots Work
• Honeypot appears to have important data or
sensitive information stored on it
– Could store fake financial data
– Hackers will spend time attacking the honeypot
• Stop looking for real vulnerabilities
• Enables security to collect data on attackers
• Available honeypots
– Commercial and open-source
• Virtual honeypots
– Created using programming language
Hands-On Ethical Hacking and Network Defense, Second Edition
43
Table 13-4 Commercial honeypots
Hands-On Ethical Hacking and Network Defense, Second Edition
44
Table 13-5 Open-source honeypots
Hands-On Ethical Hacking and Network Defense, Second Edition
45
Summary
• Network protection systems
– Routers, firewalls, IDSs, IPSs, Web filters, etc.
• Routers
– Use access lists to accept or deny traffic
• Firewalls
– Can be hardware devices or software installed on
computer systems
– Use NAT, packet filtering, access control lists,
stateful packet inspection, and application layer
inspection
Hands-On Ethical Hacking and Network Defense, Second Edition
46
Summary (cont’d.)
• DMZ
– Small network containing resources that sits
between the Internet and internal network
• Intrusion detection systems
– Monitor network traffic
• Network-based IDSs
– Monitor activity on network segments
• Host-based IDSs
– Protect a critical network server or database server
Hands-On Ethical Hacking and Network Defense, Second Edition
47
Summary (cont’d.)
• Passive IDSs
– Don’t take any action or prevent an activity from
continuing to occur
• Active IDSs
– Log, send alerts, and interoperate with routers and
firewalls
• Intrusion prevention systems (IPSs)
– Detect malicious activity
– Can block or prevent malicious activity
Hands-On Ethical Hacking and Network Defense, Second Edition
48
Summary (cont’d.)
• Anomaly detectors
– Detect activity varying from a set baseline
• Configuring routers and firewalls securely
– Easier with benchmark tools
• Web filtering
– Can block Web sites containing malicious code
• Large organizations
– Might need a security incident response team
• Honeypots
– Lure hackers away from legitimate resources
Hands-On Ethical Hacking and Network Defense, Second Edition
49