lecture9 - network security

Upload: prasad-kularatne

Post on 05-Apr-2018


  • 8/2/2019 Lecture9 - Network Security

    1/37

    Prasad Kularatne


    Objectives

    Apply the knowledge of the TCP/IP stack to understand basic network security architectures

    We will start by understanding the types of basic network security vulnerabilities that exist at each layer of the TCP/IP stack

    We will discuss common defences available for those vulnerabilities

    We will end with a discussion of how defence mechanisms are typically deployed in a network


    Motivation

    Networked systems have a higher degree of exposure and threat than non-networked systems.

    Risk = [Threat * Exposure * Vulnerability ] * [Cost of consequence]

    Exposure: Probability a vulnerability is exposed to an attack

    Threat: Probability of an attack

    Vulnerability: Probability of an exploitable vulnerability

    Consequence: Cost of a successful attack


    Some terms

    Spoofing: act of impersonating a trusted user

    Flooding: act of continuously sending packets to a target with the objective of bringing down one or more of its critical services

    Masquerading: act of concealing network addresses where they do not need to be known

    Sniffing: act of passively intercepting network traffic that is not intended for you

    Snooping: unauthorized access to another person's or company's data


    Layered approach

    As we learnt, the OSI layered architecture is the cornerstone of understanding networked systems

    In the same way, securing networked systems can be better understood in relation to the OSI model

    We will examine the vulnerabilities posed at each layer and how to defend against them


    Physical Layer

    Physical theft or damage of data and Hardware

    Hijacking of video surveillance systems

    Undetectable interception of data

    Detection of typing patterns

    Social engineering: use of psychological weaknesses of human beings to get at the credentials

    Signal disruption for wireless networks through deliberate EM interference, e.g. a microwave oven and a wireless LAN both operate at 2.4 GHz


    Defending the Physical Layer

    Electronic lock mechanisms for logging & detailed authorization

    PIN & password secured locks

    Biometric authentication schemes

    Video & audio surveillance, with the necessary intrusion prevention

    Electromagnetic shielding: prevent interference and prevent the use of EM radiation for intrusion

    Analysis of the wireless environment for possible interceptions


    Data Link Layer

    ARP vulnerabilities (MAC based vulnerabilities): ARP spoofing (ARP cache poisoning)

    MAC flooding

    VLAN attacks: VLAN hopping, where the attacker spoofs a legitimate switch (switch spoofing) or uses double tagging

    Spanning Tree attacks: the attacker becomes the root bridge by announcing a lower Bridge ID


    ARP Spoofing

    Source: Cisco Presentation Network attacks and mitigation by Krzysztof Zygis

    What is gratuitous ARP? An unsolicited request sent by a network node that causes other nodes to update the corresponding ARP cache entry in their table
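A detector for the cache poisoning described on this slide, written as an added example (not part of the lecture or the cited Cisco material). It replays constructed ARP replies, alerts when a frame tries to rebind an IP that is already mapped to another MAC, and models the lecture's "static ARP cache" defence as a set of pinned bindings that learned traffic may never overwrite.

```python
"""Passive ARP cache poisoning detector (added example, not part of the lecture)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # IP the sender claims to own (ARP sender protocol address)
    sender_mac: str   # MAC it wants cached for that IP
    gratuitous: bool  # unsolicited announcement, no matching request was seen

# Constructed traffic: a gateway and a workstation answer requests, then a third
# station announces both of their IPs with its own MAC (cache poisoning).
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01", False),
    ArpReply("10.0.0.23", "aa:aa:aa:aa:aa:23", False),
    ArpReply("10.0.0.1", "de:ad:be:ef:00:99", True),
    ArpReply("10.0.0.23", "de:ad:be:ef:00:99", True),
]

def detect_arp_poisoning(replies: List[ArpReply],
                         static_bindings: Optional[Dict[str, str]] = None) -> List[str]:
    """Return one alert per reply that conflicts with the known IP -> MAC table.

    `static_bindings` plays the role of the static ARP cache defence: entries are
    trusted up front, and no learned frame overwrites an existing binding
    (first sighting wins; every later conflict is reported instead of applied).
    """
    table: Dict[str, str] = dict(static_bindings or {})
    alerts: List[str] = []
    for r in replies:
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = r.sender_mac      # first sighting: learn it
        elif known != r.sender_mac:
            kind = "gratuitous ARP" if r.gratuitous else "ARP reply"
            alerts.append(f"{kind} rebinds {r.sender_ip}: {known} -> {r.sender_mac}")
    return alerts

def macs_claiming_multiple_ips(replies: List[ArpReply]) -> Dict[str, List[str]]:
    """Second signal: one MAC announcing several IPs, typical of a station
    poisoning both ends of a conversation."""
    claims: Dict[str, set] = {}
    for r in replies:
        claims.setdefault(r.sender_mac, set()).add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
```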


    MAC Flooding attacks

    What is a CAM table? A table maintained by an L2 Ethernet switch that holds the MAC addresses and VLAN parameters learnt for each switch port

    Source: Cisco Presentation Network attacks and mitigation by Krzysztof Zygis


    VLAN Hopping attacks

    Hacker spoofs himself as a switch by emulating a trunk port

    Hacker then becomes a member of all VLANs

    A trunk port carries traffic belonging to all VLANs

    Hacker can access devices in any VLAN!

    Source: Cisco Presentation Hacking the L-2: Fun with Ethernet switches by Sean Convery


    STP attacks

    Hacker takes control of the spanning tree by becoming the root bridge


    Defending the Data Link Layer

    Countering ARP attacks: use static ARP caches

    Bind MAC addresses to the port of the switch

    VLANs are not ideal for enforcing security boundaries

    Different security segments should be protected using firewalls or at least switch- or router-level access lists

    Disable the feature that allows a switch to automatically trunk itself with another without any security control

    Enable Spanning-Tree Protocol attack mitigation

    BPDU Guard, Root Guard


    Network Layer

    Most IP routers have only elementary security: two peers may exchange routing information securely, but there is no means to validate routes that may have propagated from untrusted parts of the network.

    Attacks on routers: password attacks, buffer overflow & denial of service

    IP spoofing attacks: the attacker forwards packets to a computer with the source address of a trusted system

    Many network services use IP address based authentication; if the IP address is spoofed, the services are vulnerable


    IP Spoofing

    Attacker generates packets with the source address of Victim X

    Victim V will send responses, and they will reach the actual source address as seen by the network, which is Victim X

    Victim X, knowing that it did not initiate such a connection, will discard the packets

    By continuously doing this the attacker can keep both Victim X and Victim V busy, which may lead to denial of service

    Diagram Source: TCP/IP Security attacks by Raj Jain, 2007


    IP Spoofing + Guessing SN

    Spoofing the IP and successfully guessing the TCP sequence number of an ongoing communication may allow the attacker to communicate with a secure host unauthenticated

    Acquire a target

    Acquire an IP address of a trusted machine

    Disable communication of the trusted machine (e.g. SYN flooding)

    Sample a communication between the target and trusted hosts

    Guess the sequence numbers of the trusted machine

    Modify the packet headers so that it appears that the packets are coming from the trusted host with an acceptable sequence number

    Establish the connection to the target.


    Defending Network Layer

    Route policy filters: use strict anti-spoofing and route filters at network edges

    Firewalls with strong filters (we will discuss this in detail later)

    Good password policy on routers

    Install the latest security fixes

    Shut down unused services on routers

    Restrict access to routers

    Authenticity and confidentiality at the network layer: IPSec protocol


    Transport Layer: Attacks

    Mostly try to exploit the known behaviour of transport layer protocols: TCP connection establishment and sequence numbering, TCP connection reset

    TCP options and their behaviour

    TCP port scanning: almost always done by a hacker as preparation for an attack ("What services can I exploit on my attack target?")

    OS fingerprinting: there are slight variations between the TCP implementations of different OSs; detect these variations through TCP interactions and deduce the OS


    TCP Port Scanning


    Transport Layer: Attacks

    TCP session hijacking (connection spoofing)

    First spoof a trusted IP (the victim): IP spoofing

    Determine the TCP sequence number of the ongoing interaction (victim and attack target)

    Flood the victim

    Enjoy a TCP session with your attack target

    DoS Attacks : Syn Flood, ACK Flood, RST attacks etc.


    TCP Session Hijacking

    Diagram Source: Introduction to Network Security, Dr. Doug Jacobson, 2009

    The attacker may include malicious commands in the DATA sent to the server, possibly causing it to crash or to send out sensitive information


    SYN Flood

    For each SYN received by Victim V from the attacker (V thinks it comes from trusted Victim X), V will allocate buffer space and an entry in the connection table

    Continuously sending these bogus SYN packets may exhaust Victim V

    Diagram Source: TCP/IP Security attacks by Raj Jain, 2007
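The connection-table exhaustion on this slide can be watched for on the server side. The monitor below is an added example (not from the lecture or the cited diagram): it replays a constructed sequence of handshake segments, keeps the half-open entries that never receive the client's ACK, and distinguishes a spoofed flood (many sources, one stale entry each) from a single misbehaving client. The backlog size is a constructed assumption.

```python
"""Half-open (SYN_RECV) connection monitor (added example, not from the lecture)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    flags: str   # "SYN" opens a handshake, "ACK" is the client's third step

BACKLOG = 8  # constructed: the server's listen backlog for this demonstration

def legitimate_handshake(ip: str, port: int) -> List[Segment]:
    """A client that completes the three-way handshake."""
    return [Segment(ip, port, "SYN"), Segment(ip, port, "ACK")]

# Constructed traffic: two real clients, then SYNs from many different sources
# that never answer the SYN/ACK, which is what a spoofed flood looks like.
SAMPLE_SEGMENTS: List[Segment] = (
    legitimate_handshake("192.0.2.10", 40001)
    + legitimate_handshake("192.0.2.11", 40002)
    + [Segment(f"198.51.100.{i}", 50000 + i, "SYN") for i in range(1, 13)]
)

def half_open_report(segments: List[Segment], backlog: int = BACKLOG) -> Dict:
    """Summarise the half-open table after replaying `segments`.

    The table exceeding the backlog while nearly every entry comes from a
    distinct source that never finished its handshake points to a SYN flood
    with spoofed sources rather than one noisy client."""
    half_open: Set[Tuple[str, int]] = set()
    for s in segments:
        key = (s.src_ip, s.src_port)
        if s.flags == "SYN":
            half_open.add(key)        # server allocated a connection entry
        elif s.flags == "ACK":
            half_open.discard(key)    # handshake completed, entry freed
    per_source = Counter(ip for ip, _ in half_open)
    exhausted = len(half_open) >= backlog
    return {
        "half_open": len(half_open),
        "backlog_exhausted": exhausted,
        "distinct_sources": len(per_source),
        "spoofing_suspected": exhausted and len(per_source) == len(half_open),
    }
```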


    RST Attack

    Source: Introduction to Network Security, Dr. Doug Jacobson, 2009


    Defending Transport Layer

    SYN Flood attacks

    Using a SYN proxy: before committing resources for the received SYN, let a proxy decide whether the connection will actually be established

    Clean-up of half-open connections: most OSs support this today, and it can be enabled as a network option

    TCP session hijacking: generate the TCP Initial Sequence Number (ISN) in an unpredictable way

    Confidentiality at transport layer

    SSL and TLS
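The "unpredictable ISN" defence above, as an added example (not from the lecture): a naive clock-counter ISN, which the sampling step of the hijack on the earlier slide defeats, next to an RFC 6528-style ISN that adds a keyed hash of the connection 4-tuple. SHA-256, the secret and the addresses are constructed choices for the demonstration.

```python
"""Predictable vs. RFC 6528-style TCP ISN generation (added example, not from the lecture)."""
import hashlib
import struct

SECRET = b"constructed-demo-secret-replace-with-per-boot-random"  # random per boot in a real stack
MASK32 = 0xFFFFFFFF

def isn_counter(last_isn: int, elapsed_4us_ticks: int) -> int:
    """Classic scheme: one global clock shared by every connection. Anyone who
    learns a single ISN can compute the next one for any peer."""
    return (last_isn + elapsed_4us_ticks) & MASK32

def isn_rfc6528(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
                clock_4us: int, secret: bytes = SECRET) -> int:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret) mod 2^32,
    where M is the 4-microsecond clock and F a keyed hash (SHA-256 here)."""
    msg = struct.pack("!HH", local_port, remote_port) + local_ip.encode() + remote_ip.encode()
    f = int.from_bytes(hashlib.sha256(secret + msg).digest()[:4], "big")
    return (clock_4us + f) & MASK32

def sampled_guess_matches(sampled_isn: int, ticks_between: int, actual_isn: int) -> bool:
    """The 'sample a communication, then guess' step: assume the target's ISN
    advanced like a counter since the sampled connection. True means the guess
    would have been accepted."""
    return isn_counter(sampled_isn, ticks_between) == actual_isn

if __name__ == "__main__":
    a = isn_rfc6528("10.0.0.5", 51000, "203.0.113.7", 443, 1_000_000)
    b = isn_rfc6528("10.0.0.5", 51001, "198.51.100.9", 443, 1_000_500)
    print("counter scheme predictable:", sampled_guess_matches(0x11223344, 500, isn_counter(0x11223344, 500)))
    print("hashed scheme predictable: ", sampled_guess_matches(a, 500, b))
```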


    Defending Transport Layer (contd.)

    Strict firewall rules: limit access to specific transport protocols and sub-protocol information (TCP/UDP port number or ICMP type)

    Stateful inspection at the firewall layer, preventing out-of-state packets and illegal flag combinations from entering the perimeter.


    What is a Firewall?

    A wall that stops or slows the progress of fire, providing protection at the boundary

    A security boundary between networks of differing trust and security levels, enforcing a network-level access control policy

    Un-bypassable, tamperproof, analyzable

    Makes decisions to allow or disallow passage of packets according to a specified firewall policy

    Control point where security/audit can be imposed

    Limit exposure

    Partition the network (security domains)

    Minimize damage


    Firewall policies

    The firewall policy is defined in line with your security policy

    How should I control

    Specify a set of rules the firewall should apply toincoming and outgoing traffic


    Types of firewalls

    Packet Filters

    Packet-by-packet inspection (Stateless)

    Source/Dest. IP, Protocol, if TCP/UDP Source/Dest. Port

    Stateful inspection firewalls

    Inspect TCP flags to determine the connection state

    Application proxies

    Terminate and re-establish the connection

    Examines beyond TCP and IP header information

    Filters the content sent in the payload

    Personal Firewalls

    Protection for end points
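To make the difference between the first two firewall types concrete, here is an added example (not from the lecture) of a minimal filter that applies the stateless checks from the "Packet Filters" slide and then tracks connection state, so that unsolicited or out-of-state inbound packets and illegal TCP flag combinations are dropped at the perimeter. The internal prefix, the permitted port and the addresses are constructed.

```python
"""Minimal stateful packet filter (added example, not from the lecture)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Packet:
    inbound: bool            # True: Internet -> internal; False: internal -> Internet
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]    # subset of {"SYN", "ACK", "FIN", "RST"}

INTERNAL_PREFIX = "10.0.0."          # constructed internal network
ALLOWED_OUTBOUND_PORTS = {443}       # constructed policy: clients may only open HTTPS
SYN, SYN_ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
ILLEGAL_FLAGS = [frozenset(s) for s in ({"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "RST"})]

class StatefulFilter:
    """Connection table keyed by (internal ip, internal port, external ip, external port)."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def filter(self, p: Packet) -> str:
        """Return 'ACCEPT' or 'DROP: <reason>' for one packet and update the table."""
        if not p.flags or any(bad <= p.flags for bad in ILLEGAL_FLAGS):
            return "DROP: illegal flag combination"
        if p.inbound:
            if p.src.startswith(INTERNAL_PREFIX):       # anti-spoofing at the edge
                return "DROP: internal source address arriving from outside"
            key = (p.dst, p.dport, p.src, p.sport)
            state = self.table.get(key)
            if state is None:                           # nobody inside asked for this
                return "DROP: unsolicited inbound"
            if state == "SYN_SENT" and p.flags != SYN_ACK and "RST" not in p.flags:
                return "DROP: out-of-state inbound (expected SYN/ACK)"
            self.table[key] = "ESTABLISHED"
        else:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == SYN:                          # new connection attempt
                if p.dport not in ALLOWED_OUTBOUND_PORTS:
                    return f"DROP: outbound port {p.dport} not in policy"
                self.table[key] = "SYN_SENT"
            elif key not in self.table:
                return "DROP: out-of-state outbound"
        if p.flags & {"FIN", "RST"}:
            self.table.pop(key, None)                   # connection torn down
        return "ACCEPT"
```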


    Firewall configuration

    Determine trust zones

    Determine ports that need opening

    Determine packet type (tcp/udp)

    Determine the direction of packet flow

    Determine any limitations you can set on src/dst


    Advanced Firewall capabilities

    Authentication & Access Control

    Deep Packet Inspection

    Network Address Translation

    Load balancing (among Internet servers), redundancy and fail-over

    Virtual Private Networks

    Use traffic encryption to obtain a service equivalent to a dedicated link over the Internet

    Require high levels of confidentiality, integrity, and authentication of the communicating parties

    May use IPSec, PPTP, L2TP or other methods


    Firewall Challenges

    Firewalls are not the ultimate solution

    Attacks/Intrusions through legitimate traffic

    Software bugs and misconfiguration

    Insider threats: phishing attacks, browser exploits

    Threats from compromised Mobile devices (laptops)

    Social engineering

    Exploit ignorance, insecurity and fear of people

    Increasingly common psychological technique


    Network Security design practices

    Segmenting the Network

    Different network segments/zones for different apps

    Threats may not grow to unmanageable proportions

    Good defence at the perimeter, and powerful defence at the entrance to each segment

    HIPS

    Intrusion Prevention at each desktop and Server

    Network containment

    Keep the network simple and within known extents

    Wireless environments


    Network Segmentation example

    Source: Practical Network Security, Linkoping University, 2007


    Network Containment

    Source: Practical Network Security, Linkoping University, 2007
