Network Security Intrusion (How an Attacker Gains Control of a Network)

Upload: amy-obrien

Post on 14-Jan-2016


TRANSCRIPT

Page 1: Network Security Intrusion (How an Attacker Gains Control of a Network)


Page 2

Introduction

There are many techniques an attacker can use to gain control of a network. The network administrator needs to be aware of the different methods an intruder can use to gain access to, or even control of, a network.

The information presented in this chapter is an example of what the attacker already knows and what the network administrator needs to know to protect the network.

Page 3

Social Engineering

The first intrusion technique is social engineering.

This is a way for an intruder to gather enough information to let an unauthorized user gain access to the network.

Page 4

Social Engineering

An attacker tells a user that they are having trouble with their account and then asks for the user's name and password.

Often a user will blindly provide the information, not realizing that the caller is not associated with the network and is in fact an attacker.

Page 5

Social Engineering

This gives the attacker an account (username and password) with which to attack the network. This is just one example of social engineering.

This problem is not completely solvable, because as the number of users increases, so does the number of possible ways to attack the network.

Page 6

Social Engineering

The solution is educating users not to share information about how they access the network and to always require identification from support staff. Legitimate support staff never need a user's password: a help desk that can reset a password has no reason to ask for the old one, so the request itself is the warning sign users should be taught to recognize.

Page 7

Password Cracking

If the attacker can't get the password from the user, the attacker can use password cracking. This can be done by brute force or by checking for "weak" passwords. Most networks require users to use strong passwords.

In password cracking, the attacker tries to guess the user's password. One way to do this is a dictionary attack. The dictionary attack uses known passwords and many variations (upper and lower case, common substitutions, and digit or year suffixes) to try to log in to the account. In practice the guessing is usually run offline against a stolen copy of the password hashes rather than against the live login, which is why the hash function used to store passwords matters as much as the passwords themselves.

A brute force attack means the attacker tries every possible combination of characters for the password.

Page 8

Preventing Password Cracking

Don't use passwords that are dictionary words
Don't use your user name
Don't use your user name backwards
Limit the number of log-in attempts
Make your password sufficiently long (6 or more characters) with an alphanumeric combination (e.g. Ab1&G25h)
Change passwords often

The 6-character minimum dates this slide: a 6-character alphanumeric password falls to an offline brute-force attack in seconds on current hardware. Current guidance (NIST SP 800-63B) is a minimum of 8 characters with longer passphrases encouraged, screening new passwords against lists of known-breached passwords, and changing passwords when there is evidence of compromise rather than on a fixed schedule.
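The following is an added example, not part of the original slides: a dictionary attack with the variations described on page 7, run against a constructed, made-up credential store, plus the prevention checks from page 8 as a policy function. The user names, wordlist and SHA-256 storage are assumptions made for the example; a real system should store passwords with a slow, salted hash (bcrypt, scrypt or Argon2) precisely to make this attack expensive.

```python
"""Dictionary attack with variations, brute-force keyspace, and the page-8 policy
checks. Constructed example: the users, salts, wordlist and hashes are made up
here and do not come from any real system."""
import hashlib
import itertools
import string


def _h(salt: str, pw: str) -> str:
    # SHA-256 keeps the example self-contained; real stores should use a slow hash.
    return hashlib.sha256((salt + pw).encode()).hexdigest()


# Constructed "stolen" credential store: username -> (salt, hash).
USERS = {
    "alice": ("s1", _h("s1", "Summer2023")),  # dictionary word + year suffix
    "bob":   ("s2", _h("s2", "bob")),         # password equals the user name
    "carol": ("s3", _h("s3", "lorac")),       # user name reversed
    "dave":  ("s4", _h("s4", "Ab1&G25h")),    # the slide's example of a strong password
}

WORDLIST = ["password", "summer", "welcome", "letmein", "dragon"]


def variations(word: str):
    """Yield what a dictionary attack tries for one base word: case changes,
    the common '@' / '0' substitutions, and digit, symbol or year suffixes."""
    for base in {word, word.lower(), word.upper(), word.capitalize()}:
        yield base
        yield base.replace("a", "@").replace("o", "0")
        for suffix in ("1", "123", "!", "2023", "2024"):
            yield base + suffix


def dictionary_attack(users, wordlist):
    """Return {username: password} for each account whose password is the user
    name, the user name reversed, or a variation of a wordlist entry."""
    cracked = {}
    for user, (salt, digest) in users.items():
        candidates = itertools.chain([user, user[::-1]],
                                     *(variations(w) for w in wordlist))
        for cand in candidates:
            if _h(salt, cand) == digest:
                cracked[user] = cand
                break
    return cracked


def brute_force_keyspace(length: int,
                         alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> int:
    """Guesses an exhaustive search needs for `length` characters from `alphabet`."""
    return len(alphabet) ** length


def policy_violations(username: str, password: str, wordlist, min_length: int = 12):
    """Apply the page-8 prevention list. min_length defaults to 12, not the slide's 6."""
    problems = []
    lower = password.lower()
    words = {w.lower() for w in wordlist}
    if len(password) < min_length:
        problems.append("too short")
    # Strip trailing digits/punctuation so "Summer2023" still counts as "summer".
    if lower.rstrip(string.digits + string.punctuation) in words:
        problems.append("dictionary word")
    if lower == username.lower():
        problems.append("equals username")
    if lower == username.lower()[::-1]:
        problems.append("username reversed")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    print(dictionary_attack(USERS, WORDLIST))
    print(f"6-char keyspace: {brute_force_keyspace(6):,}   12-char: {brute_force_keyspace(12):,}")
    for u, pw in [("bob", "bob"), ("alice", "Summer2023"), ("dave", "Ab1&G25h")]:
        print(u, policy_violations(u, pw, WORDLIST))
```

Three of the four constructed accounts fall to the dictionary pass; the fourth survives only because it is not in the list, and the keyspace numbers show why length, not character mix, is what makes exhaustive search impractical.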

Page 9

Packet Sniffing

Another way attackers can obtain a password is by sniffing the network's data packets.

This is easy in a network that uses hubs, because a hub repeats every frame to every port. A switch forwards a frame only to the port that owns its destination MAC address, so by default a sniffer on a switched network sees only its own traffic and broadcasts. That is not a protection to rely on: an attacker on a switched LAN can still capture other hosts' traffic by ARP spoofing, by flooding the switch's MAC table until it falls back to repeating frames, or by getting a mirror (SPAN) port configured. Otherwise the attacker has to insert a device on the network (a tap or a compromised host) that lets them see the data packets.

Page 10

Packet Sniffing

The attacker watches the data packets until a Telnet or FTP packet passes, or a packet from any of the many other applications that have unencrypted logins (HTTP Basic authentication, POP3 and IMAP without TLS, SNMPv1/v2c community strings).

Many of these applications pass the user name and password over the network in plain text.

Page 11

Packet Sniffing

Plain text means that the information is in human-readable form.

If the attacker captures all data packets from a user's computer, the chances are good that the attacker can obtain the user's login name and password for one of the network's computers.
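The following is an added example, not part of the original slides: the extraction step a sniffer performs on captured traffic. The packets are constructed for this example (the hosts 10.10.1.x, the account names and the passwords are made up). It reassembles each client-to-server stream before matching, because Telnet sends one keystroke per segment and no single packet ever contains the password.

```python
"""Pull plain-text credentials out of captured TCP payloads. Constructed capture:
FTP, HTTP Basic auth, a keystroke-per-segment Telnet login, and an SSH session
that is opaque on the wire. None of this is a real capture."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


CAPTURE = [
    # FTP: the USER and PASS commands travel as readable text
    Packet("10.10.1.5", "10.10.1.20", 21, b"USER alice\r\n"),
    Packet("10.10.1.5", "10.10.1.20", 21, b"PASS Summer2023\r\n"),
    # HTTP Basic authentication: base64 is an encoding, not encryption
    Packet("10.10.1.5", "10.10.1.30", 80,
           b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
           + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    # Telnet: one keystroke per segment; only the reassembled stream is readable
    *[Packet("10.10.1.5", "10.10.1.40", 23, bytes([c])) for c in b"carol\r\nlorac\r\n"],
    # SSH: only the version banner is clear; the login happens inside the encrypted channel
    Packet("10.10.1.5", "10.10.1.50", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Packet("10.10.1.5", "10.10.1.50", 22, bytes.fromhex("000003fc0814a8c6")),
]

FTP_USER = re.compile(rb"^USER (\S+)", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)", re.M)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M | re.I)


def reassemble(capture):
    """Concatenate client->server payloads per (src, dst, dport) into one stream."""
    streams = {}
    for p in capture:
        streams.setdefault((p.src, p.dst, p.dport), bytearray()).extend(p.payload)
    return {k: bytes(v) for k, v in streams.items()}


def extract_credentials(capture):
    """Return (protocol, server, username, password) tuples found in the clear."""
    found = []
    for (src, dst, dport), data in reassemble(capture).items():
        if dport == 21:
            u, pw = FTP_USER.search(data), FTP_PASS.search(data)
            if u and pw:
                found.append(("ftp", dst, u.group(1).decode(), pw.group(1).decode()))
        elif dport == 80:
            for m in HTTP_BASIC.finditer(data):
                user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
                found.append(("http-basic", dst, user, pw))
        elif dport == 23:
            # After reassembly the login is simply the first two lines the client typed.
            lines = data.split(b"\r\n")
            if len(lines) >= 2 and lines[0] and lines[1]:
                found.append(("telnet", dst, lines[0].decode(), lines[1].decode()))
        # Port 22 (SSH) and 443 (HTTPS): encrypted, nothing to extract.
    return found


if __name__ == "__main__":
    for proto, server, user, pw in extract_credentials(CAPTURE):
        print(f"{proto:10} {server:12} {user}:{pw}")
```

The same logic, pointed at a real capture (for example via scapy or a pcap reader), is what tools such as dsniff automate; the SSH stream in the capture is there to show that the fix on page 12 removes the problem at the source rather than hiding it.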

Page 12

Packet Sniffing

The way to prevent this is by encrypting the session that carries the user name and password. An encrypted alternative to Telnet is SSH (Secure Shell).

The packets that pass across an SSH connection are encrypted.

SSL (Secure Sockets Layer), and its successor TLS, is the encryption used by web servers for HTTPS. For example, the transmission is encrypted when a credit card number is entered on an HTTPS page. SSL itself is obsolete: every SSL version has known weaknesses, and current servers should offer only TLS 1.2 or 1.3.

Page 13

Packet Sniffing

There are also secured versions of FTP: FTPS (FTP over TLS) and SFTP (file transfer over SSH). In these examples the security is implemented at the application layer. Security can also be implemented at layer 3 using IPsec (IP Security).

With IPsec (in ESP mode; the AH header alone only authenticates), each packet is encrypted prior to transmission across the network link, so every application on the link is protected whether or not it encrypts for itself. IPsec is also a method used to encrypt VPN tunnels.

Page 14

Vulnerable Software

In the process of writing large amounts of code, errors happen that can open access to the code and to a network. The basic attack that capitalizes on these errors is the buffer overflow.

A buffer overflow happens when a program puts more data into a buffer than the buffer was sized to hold. The program's stack holds data (local variables such as buffers) right next to control information (saved return addresses) that determines which instructions run next, so data written past the end of a buffer can overwrite that control information.

Page 15

Vulnerable Software

For example, a web application could have a vulnerability in how long URLs are copied into a fixed-size variable (buffer) within the application.

If the attacker makes the URL long enough, the buffer overflow can place the attacker's code on the stack and overwrite the saved return address with its location. When the function returns, the program counter jumps to the inserted code, the code runs, and the attacker has remote access to the machine. On current systems this is harder than the slide makes it sound: non-executable stacks (NX/DEP), address space layout randomization and stack canaries all have to be defeated, which is why modern exploits usually reuse code already in the process (return-oriented programming) rather than running code placed on the stack.
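The following is an added example, not part of the original slides: a model of the stack frame described on pages 14 and 15, with the unchecked copy beside its bounds-checked fix. Memory is simulated with a bytearray rather than real process memory, and the buffer size, frame layout and addresses are assumptions chosen for the illustration; the point is to show exactly which bytes of a long URL land on the saved return address, and that an even longer input produces the "just crashes" outcome from page 16.

```python
"""Model of a stack frame: a fixed-size buffer with the saved frame pointer and
return address just above it. Constructed example for this page; the layout and
addresses are made up and memory is a bytearray, not real process memory."""
import struct

BUF_SIZE = 16                # the fixed-size variable the URL is copied into
RET_OFFSET = BUF_SIZE + 8    # buffer, 8 bytes of saved frame pointer, then the return address
STACK_SIZE = 64              # mapped stack bytes from the buffer up; writes past this 'fault'
ORIGINAL_RET = 0x401234      # assumed address the function legitimately returns to


def new_stack() -> bytearray:
    """Fresh frame: zeroed buffer and frame pointer, legitimate return address in place."""
    stack = bytearray(STACK_SIZE)
    stack[RET_OFFSET:RET_OFFSET + 8] = struct.pack("<Q", ORIGINAL_RET)
    return stack


def saved_return_address(stack: bytearray) -> int:
    return struct.unpack("<Q", stack[RET_OFFSET:RET_OFFSET + 8])[0]


def strcpy_unchecked(stack: bytearray, src: bytes) -> None:
    """The bug: like C strcpy, copies every byte of src plus a NUL with no regard
    for BUF_SIZE, so bytes 16..23 overwrite the saved frame pointer and bytes
    24..31 overwrite the return address."""
    data = src + b"\x00"
    if len(data) > STACK_SIZE:
        # Past the mapped stack: the crash-instead-of-code-execution outcome.
        raise MemoryError("write past mapped stack (SIGSEGV)")
    stack[0:len(data)] = data


def strncpy_checked(stack: bytearray, src: bytes) -> None:
    """The fix: copy at most BUF_SIZE - 1 bytes and always NUL-terminate."""
    data = src[:BUF_SIZE - 1] + b"\x00"
    stack[0:len(data)] = data


def build_long_url(jump_target: int) -> bytes:
    """Attacker input shaped like the slide's long URL: filler up to the return
    address slot, then the address to jump to (in a real exploit, where the
    attacker's code sits)."""
    return b"/" + b"A" * (RET_OFFSET - 1) + struct.pack("<Q", jump_target)


def handle_request(url: bytes, copy=strcpy_unchecked) -> int:
    """Copy the URL into the frame, then 'return': report where control goes."""
    stack = new_stack()
    copy(stack, url)
    return saved_return_address(stack)


def crashes(url: bytes, copy=strcpy_unchecked) -> bool:
    """True if the request takes the process down instead of hijacking control."""
    try:
        handle_request(url, copy)
    except MemoryError:
        return True
    return False


if __name__ == "__main__":
    evil = build_long_url(0x4141414141414141)
    print(hex(handle_request(b"/index.html")))              # legitimate return
    print(hex(handle_request(evil)))                        # return address hijacked
    print(hex(handle_request(evil, copy=strncpy_checked)))  # fix holds
    print(crashes(b"A" * 200))                              # overflow that only crashes
```

A 32-byte request is enough to redirect the return, while a 200-byte one runs off the mapped stack and crashes; the checked copy returns to the original address in both cases, which is the whole content of the fix.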

Page 16

Vulnerable Software

Sometimes buffer overflows don't allow instructions to be run; instead the application crashes. A common technique once an overflow does give code execution is setting up a backdoor to gain entry into the computer.

What the attacker is doing is starting a program that listens on a port; the attacker can then connect to that port. The attacker can also use this foothold to place viruses or other malware on the computer.

For example, the attacker finds a vulnerability in server or operating-system software, e.g. the SSL code on a web server. The attacker downloads malicious code onto the web server, connects to the machine, and instructs the code to begin attacking other machines.

Page 17

Preventing Vulnerable Software Attacks

Keep the software patches and service packs for the operating system current.

Turn off all services and ports that are not needed on a machine. For example, if your machine does not use the web service, turn it off. Leaving these services on is like leaving the windows and doors of your house open; you are just inviting an attacker in. If you aren't using a service, shut off the access.

The command netstat -a displays the ports currently open on the Windows operating system, together with the remote addresses connected to your machine and the port numbers in use. Adding -o (netstat -ano) shows the owning process ID for each entry, and -b, from an elevated prompt, shows the executable name, which is what you need to decide whether a listener belongs there.

Page 18

c:\> netstat -a

Active Connections

  Proto  Local Address         Foreign Address   State
  TCP    pc-salsa2:1087        PC-SALSA2:0       LISTENING
  TCP    pc-salsa2:1088        PC-SALSA2:0       LISTENING
  TCP    pc-salsa2:135         PC-SALSA2:0       LISTENING
  TCP    pc-salsa2:137         PC-SALSA2:0       LISTENING
  TCP    pc-salsa2:138         PC-SALSA2:0       LISTENING
  UDP    pc-salsa2:nbname      *:*
  UDP    pc-salsa2:nbdatagram  *:*

The ports in the LISTENING state are waiting for a connection. For example, port 135 is the Microsoft RPC endpoint mapper, and 137 and 138 (nbname, nbdatagram) are the NetBIOS name and datagram services that support Windows file sharing; the file sharing itself runs on 139 and 445. A port shown as LISTENING can accept a connection; an entry shown as ESTABLISHED is a connection already in progress. If an application is vulnerable and it is listening, the machine is vulnerable to attack. It is a good idea to check what applications are running on your machine, and to turn off ports that are not needed. The steps for turning off a port depend on the application. For example, if port 80 is open (web, IIS), go to Windows services and stop the web server service.

Page 19

Viruses

A virus is a piece of malicious code that, when run on your machine, will open a backdoor to the machine or might start a program that attacks other applications. Problems caused by viruses include:

annoyance
clogging up the mail server
denial of service
data loss
opening holes for others to access your machine
attacking other machines or networks on demand

Worms are a type of malicious code that typically proliferate by themselves, spreading from machine to machine over the network without needing a user to run an infected file.

Page 20

Viruses

Today, most viruses are exchanged via attachments to email.

For example, a user receives an email that says "Look at this!" to coax the user into opening the attachment. If the attachment is opened, the user's computer could become infected.

Page 21

Steps for Preventing Viruses

Only open attachments that come from known sources. Even this can be a problem, because email addresses can be spoofed or the message can come from a known person whose computer has been infected.

Always run virus-checking software on the client machines. The virus checker will catch most known viruses.

Include e-mail server filters.

Keep the virus software up to date.

Page 22

Malware

Nowadays, malware is the term used to encompass all malicious programs intended to harm, disrupt, deny, or gain unauthorized access to a computing system.

Malware is short for malicious software. Viruses and worms are considered types of infectious malware.

Page 23

Malware

It is important to understand that an intruder can gain network access or even control of your network.

Remember, the information presented in this chapter is an example of what the attacker already knows and what the network administrator needs to know to protect the network.

Page 24

DENIAL OF SERVICE

Page 25

Denial of Service

Denial of Service (DoS) means that a service is being denied to a computer, network, or network server.

Denial of Service attacks can target individual machines, the network that connects the machines, or both.

Denial of service attacks can be carried out by exploiting software vulnerabilities. For example, a vulnerability in the software can permit a buffer overflow that crashes the machine. This affects all applications on it, even secure applications.

Page 26

Denial of Service

A vulnerable-software denial of service attack takes a system down by making it crash or reboot repeatedly.

Denial of service attacks can also target routers, via the management software and protocols available for connecting to a router.

For example, SNMP management software is marketed by many companies and is supported by many computer platforms. Many of the SNMP packages use similar core code that could contain the same vulnerability, so a single flaw can affect equipment from many vendors at once.

Page 27

SYN Attack

Another denial of service attack is a SYN attack (SYN flood). This refers to the TCP SYN (synchronize) packet (introduced in Chapter 6).

An attacker sends many TCP SYN packets to a host, opening many half-finished TCP sessions: the host answers each SYN with a SYN-ACK and waits for the final ACK, which the attacker, usually sending from spoofed source addresses, never sends.

The host machine has a limited amount of memory set aside for these half-open connections (the listen backlog).

Page 28

SYN Attack

If all the TCP connection slots are filled by the SYN attack, other users are kept from accessing services on the computer because the connection buffer is full. Most current operating systems can employ countermeasures against the SYN attack, the best known being SYN cookies: the server encodes the connection details into its initial sequence number instead of allocating backlog state, and only creates the connection when a client's final ACK comes back carrying a matching value.

Denial of Service attacks can affect the network bandwidth and the endpoints on the network.
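The following is an added example, not part of the original slides, covering pages 27 and 28: detecting a SYN flood from a table of connection events, and the SYN-cookie countermeasure. The event log is constructed (addresses from the documentation ranges, a 500-SYN burst from rotating spoofed sources), and the cookie is a simplified model of what kernels do (real implementations also encode the MSS in it). The backlog size and timeout are assumptions.

```python
"""SYN flood detection from connection events, and a simplified SYN cookie.
Constructed events; the backlog size and timeout are assumed values."""
import hashlib
import hmac
from collections import Counter

BACKLOG = 128       # half-open connections the host will hold (the slide's limited memory)
SYN_TIMEOUT = 3.0   # seconds a half-open entry lives before the host gives up on it

# Constructed events as a host or firewall might log them:
# (time_s, src_ip, src_port, flag) with 'S' = client SYN, 'A' = client's final ACK.
NORMAL_EVENTS = [
    (0.0, "198.51.100.7", 40001, "S"), (0.1, "198.51.100.7", 40001, "A"),
    (0.2, "198.51.100.8", 40002, "S"), (0.3, "198.51.100.8", 40002, "A"),
]
# 500 SYNs in half a second from rotating (spoofed) sources that never complete the
# handshake: a per-source rate limit would miss this, backlog occupancy does not.
FLOOD_EVENTS = [(1.0 + i / 1000, f"203.0.113.{i % 250 + 1}", 1024 + i, "S")
                for i in range(500)]
EVENTS = NORMAL_EVENTS + FLOOD_EVENTS


def half_open_connections(events, now):
    """(src_ip, src_port) pairs that sent a SYN within SYN_TIMEOUT of `now` and
    never sent the ACK that completes the three-way handshake."""
    pending = {}
    for t, src, sport, flag in events:
        if flag == "S":
            pending[(src, sport)] = t
        elif flag == "A":
            pending.pop((src, sport), None)
    return {k for k, t in pending.items() if 0 <= now - t <= SYN_TIMEOUT}


def backlog_status(events, now):
    """How full the backlog is and whether new, legitimate clients are being refused."""
    n = len(half_open_connections(events, now))
    return {"half_open": n, "backlog": BACKLOG, "exhausted": n >= BACKLOG}


def top_sources(events, now, n=3):
    """Sources with the most half-open entries: useful for blocking, useless when spoofed."""
    return Counter(src for src, _ in half_open_connections(events, now)).most_common(n)


def syn_cookie(src, sport, dst, dport, secret, minute):
    """SYN cookie: the server's initial sequence number is a keyed hash of the
    connection 4-tuple and a coarse clock, so the SYN can be answered and then
    forgotten without consuming a backlog slot."""
    msg = f"{src}:{sport}->{dst}:{dport}@{minute}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def ack_completes_handshake(ack_seq, src, sport, dst, dport, secret, minute):
    """The client's final ACK acknowledges ISN + 1. Accept it if it matches the cookie
    for this minute or the previous one; anything else was not a reply to our SYN-ACK."""
    return any(ack_seq - 1 == syn_cookie(src, sport, dst, dport, secret, m)
               for m in (minute, minute - 1))


if __name__ == "__main__":
    print(backlog_status(NORMAL_EVENTS, now=0.5))
    print(backlog_status(EVENTS, now=1.6), top_sources(EVENTS, now=1.6))
    isn = syn_cookie("198.51.100.7", 40001, "10.10.1.20", 80, b"secret", 7)
    print(ack_completes_handshake(isn + 1, "198.51.100.7", 40001, "10.10.1.20", 80, b"secret", 7))
```

Because the flood rotates through 250 source addresses, no single source holds more than two backlog slots, which is why a detector has to look at total half-open occupancy rather than per-source counts; the cookie shows how the server side avoids holding any state at all until a handshake actually completes.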

Page 29

Smurf Attack

The attacker uses an intermediate site as an amplifier. The intermediate network does not have to be compromised; all that is needed is a router that forwards directed broadcasts onto its LAN.

The attacker sends an ICMP echo request (ping) to 10.10.1.255, which is the broadcast address for the 10.10.1.0/24 subnet, with the source address forged to be the victim's.

All of the machines on the 10.10.1.0 subnet send a reply back to the forged source address, that is, to the victim.

Page 30

Smurf Attack

If this attack is extended to all of the subnets in the 10.0.0.0 network, an enormous number of data packets will be sent to the victim's network.

This lets the attacker generate a lot of traffic on the victim's network without needing many resources: one spoofed packet produces up to one reply per host on the amplifying subnet.

Page 31

Stopping Layer 3 Broadcasts

But aren't layer 3 devices supposed to stop broadcasts?

This is true for the limited broadcast (all 32 bits set to 1, FFFFFFFF in hex, or 255.255.255.255). Routers never forward it. The type of broadcast used in this attack is a "directed broadcast", a packet addressed to the broadcast address of a specific subnet such as 10.10.1.255. Routers along the path forward it like any other unicast destination; only the last router, the one attached to that subnet, turns it into a layer 2 broadcast, unless it has been told not to.

Page 32

Preventing Smurf-type attacks

Cisco routers have an interface command:

no ip directed-broadcast

This makes the router drop, rather than broadcast onto the LAN, any packet addressed to that interface's subnet broadcast address. It prevents a network from being used as an intermediate (amplifier) site for an attack such as this. Make sure this command, or its equivalent on other vendors' equipment, is the default or has been enabled on every router interface. It has been the Cisco IOS default since release 12.0, and RFC 2644 made dropping directed broadcasts the standard default for routers, but older or non-Cisco equipment should be checked.

With no ip directed-broadcast in effect, the directed broadcast stops at the router: the hosts on the subnet never see it, so none of them reply to the victim.

Page 33

Prevention

To prevent your network from becoming a source of attack traffic, use access lists that allow only the source addresses legitimately present on each network in through each of the router's interfaces (ingress filtering, RFC 2827 / BCP 38).

For example, Network B connects to a router interface. Only packets whose source address is in Network B are allowed in through that interface.

The downside of this is that it becomes a maintenance problem, keeping track of the access lists, and processing access lists is processor intensive and can slow down packet throughput. Unicast reverse path forwarding (uRPF), available on most routers, performs the same check automatically from the routing table and removes most of the maintenance.

Page 34

Prevention

This helps eliminate spoofed packets. To spoof means the attacker doesn't use his own IP address but inserts another address, in the Smurf case the victim's, as the source IP. There is a lot of software on the Internet that enables someone to spoof an IP address, and raw sockets on any modern operating system allow it in a few lines of code.

To prevent yourself from becoming a victim of such a flood, well ... there isn't a complete way unless you aren't connected to any network or any other users. What you can do is make sure your own networks cannot be used as amplifiers or as sources of spoofed traffic, and arrange upstream filtering or scrubbing capacity with your provider.
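The following is an added example, not part of the original slides, covering pages 29 to 34: the two router-side checks as a forwarding decision. One is the effect of no ip directed-broadcast (drop packets addressed to a served subnet's broadcast address), the other is per-interface source filtering (only sources belonging to the interface's network may enter; on the uplink, internal sources are rejected as spoofed). The interface names Gi0/0, Gi0/1, Gi0/2 and the 192.0.2.x / 198.51.100.x addresses are assumptions for the illustration; 10.10.1.0/24 is the slide's own subnet.

```python
"""Router forwarding decision modelling `no ip directed-broadcast` and BCP 38
ingress filtering. Constructed example: interface names and outside addresses
are made up; 10.10.1.0/24 is the subnet used on the slides."""
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_directed_broadcast(dst: str, local_nets) -> bool:
    """True if dst is the subnet broadcast address of a network this router serves,
    i.e. the layer 3 address that would become a layer 2 broadcast on that LAN."""
    ip = ipaddress.ip_address(dst)
    return any(ip == net.broadcast_address for net in local_nets)


def amplification_factor(net: ipaddress.IPv4Network) -> int:
    """Worst-case replies one spoofed ping to the directed broadcast can trigger
    (every usable host address on the subnet)."""
    return net.num_addresses - 2


class RouterFilter:
    """One packet at a time: return 'forward' or the reason the packet was dropped."""

    def __init__(self, interfaces, uplink, forward_directed_broadcast=False):
        # interfaces: {"Gi0/1": "10.10.1.0/24", ...}; uplink: interface facing the Internet
        self.interfaces = {name: ipaddress.ip_network(cidr) for name, cidr in interfaces.items()}
        self.uplink = uplink
        self.forward_directed_broadcast = forward_directed_broadcast  # legacy behaviour if True

    def decide(self, ingress_if: str, src: str, dst: str) -> str:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        internal = list(self.interfaces.values())
        if dst_ip == LIMITED_BROADCAST:
            return "drop: limited broadcast is never routed"
        # Anti-spoofing access list, one per interface (RFC 2827 / BCP 38)
        if ingress_if == self.uplink:
            if any(src_ip in net for net in internal):
                return "drop: spoofed source (internal address arriving from uplink)"
        elif src_ip not in self.interfaces[ingress_if]:
            return "drop: source not in ingress interface network"
        # `no ip directed-broadcast`: do not turn the packet into a LAN broadcast
        if is_directed_broadcast(dst, internal) and not self.forward_directed_broadcast:
            return "drop: directed broadcast (no ip directed-broadcast)"
        return "forward"


if __name__ == "__main__":
    router = RouterFilter({"Gi0/1": "10.10.1.0/24", "Gi0/2": "10.10.2.0/24"}, uplink="Gi0/0")
    # Smurf attempt from the Internet, victim's address forged as source
    print(router.decide("Gi0/0", "192.0.2.9", "10.10.1.255"))
    # Same packet on a router still forwarding directed broadcasts
    legacy = RouterFilter({"Gi0/1": "10.10.1.0/24"}, uplink="Gi0/0", forward_directed_broadcast=True)
    print(legacy.decide("Gi0/0", "192.0.2.9", "10.10.1.255"),
          "x", amplification_factor(ipaddress.ip_network("10.10.1.0/24")), "replies")
    # Inside host trying to send with a forged outside source
    print(router.decide("Gi0/1", "192.0.2.9", "198.51.100.1"))
```

The legacy router forwards the spoofed ping and the 254 hosts behind it answer the victim; the hardened one drops it at the last hop, and the per-interface source check stops the same network's own hosts from launching spoofed traffic outward.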

Page 35

Distributed Denial of Service

Attackers now use worms to distribute an attack. The attacker does a port scan and looks for an open port whose service is vulnerable to attack.

The machine is attacked, and the malicious software is then distributed from the hacked machine. The attacker repeats this for many victim machines.

Once the software is on the victim machines, the attacker can issue a command or instruction that starts the attack on a specific site.

Page 36

Distributed Denial of Service

The attack will come from a potentially massive number of machines that the worm has infected (a botnet).

To stop DDoS attacks at their source, stop intrusions into the network. The bottom line is PREVENT INTRUSIONS.

Page 37

Security Software and Hardware

Page 38

Introduction

A healthy network starts from within, and the most basic component of the network is an individual computer.

An individual computer should have protection similar to that of the larger network. Remember, the fundamental of DDoS is to take control of vulnerable machines and launch the attack from them.

Page 39

Introduction

It is not cost effective to guard each computer with dedicated hardware, but there are many security software packages that can help.

Page 40

Antivirus Software

The first line of defense against viruses and worms is antivirus software.

It is always recommended that every computer have antivirus installed. Even though antivirus software cannot give 100% protection, it will protect against most of the viruses out there.

Page 41

Antivirus Software

Antivirus software uses so-called signatures or definitions to match against known viruses and worms.

Each virus or worm has its own traits, and these traits are defined in a signature or definition. Signatures only catch samples that have already been analysed; packed, polymorphic or brand-new malware evades them, which is why current products add behavioural and heuristic detection on top.

Page 42: Network Security Intrusion (How an Attacker Gains Control of a Network)

Antivirus Software

This is why it is important to keep the antivirus software up-to-date.

Most antivirus software is launched at the start up of the operating system, and it will try to update its signatures or definitions at that time.

When a virus is found on the computer, the virus program is usually quarantined or removed.
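The signature matching and quarantine step described on these slides, as an added example that is not part of the original deck: a toy scanner whose definitions hold hex byte patterns (with `??` wildcard bytes, as real definition files allow) and file hashes, and which moves a matching file into a quarantine directory with a JSON note. The definitions, version string and sample file contents are constructed for the demo.

```python
import hashlib
import json
import shutil
from pathlib import Path

# Constructed toy definitions, not a real vendor database. Each signature is
# either a hex byte pattern ("??" matches any single byte) or the SHA-256 of
# a known bad file. The version string is a placeholder.
DEFINITIONS = {
    "version": "demo-definitions-1",
    "patterns": {
        "Test.Pattern.A": "4d5a9000??????ff",   # MZ header, three wildcards, 0xff
        "Test.Pattern.B": "deadbeef",
    },
    "hashes": {
        "Test.Hash.C": hashlib.sha256(b"EVIL-SAMPLE-FILE").hexdigest(),
    },
}


def _pattern_to_bytes(hex_pattern):
    """Turn 'de??ef' into [0xde, None, 0xef]; None matches any byte."""
    return [None if hex_pattern[i:i + 2] == "??" else int(hex_pattern[i:i + 2], 16)
            for i in range(0, len(hex_pattern), 2)]


def _matches_at(data, pattern, offset):
    return all(b is None or data[offset + i] == b for i, b in enumerate(pattern))


def scan_bytes(data, definitions=DEFINITIONS):
    """Return the names of every signature that matches the given file contents."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    for name, known in definitions["hashes"].items():
        if digest == known:
            hits.append(name)
    for name, hex_pattern in definitions["patterns"].items():
        pattern = _pattern_to_bytes(hex_pattern)
        # slide the pattern over the file; a wildcard byte never fails a compare
        for off in range(0, len(data) - len(pattern) + 1):
            if _matches_at(data, pattern, off):
                hits.append(name)
                break
    return hits


def scan_and_quarantine(path, quarantine_dir, definitions=DEFINITIONS):
    """Scan one file; on a hit, move it into quarantine_dir and record why."""
    path = Path(path)
    hits = scan_bytes(path.read_bytes(), definitions)
    if not hits:
        return {"path": str(path), "action": "clean", "hits": []}
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (path.name + ".quarantined")
    shutil.move(str(path), str(dest))          # file is no longer executable in place
    (qdir / (path.name + ".json")).write_text(json.dumps(
        {"original": str(path), "hits": hits, "definitions": definitions["version"]}))
    return {"path": str(path), "action": "quarantine", "hits": hits}


def demo():
    """Self-contained run: write a constructed sample into a temp dir and scan it."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    sample = root / "sample.bin"
    sample.write_bytes(b"xx\xde\xad\xbe\xefyy")   # constructed, contains Test.Pattern.B
    return scan_and_quarantine(sample, root / "quarantine")
```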

Page 43: Network Security Intrusion (How an Attacker Gains Control of a Network)

Personal Firewall

Another software protection that is readily available for a computer is a personal firewall.

Most of the operating systems (Windows, Mac OS, Linux) today are equipped with a personal firewall.

Some of them might not be enabled by default. The personal firewall software is typically based on basic packet filtering inspections, where the firewall accepts or denies incoming network traffic based on information contained in the packets’ TCP or IP headers.

Page 44: Network Security Intrusion (How an Attacker Gains Control of a Network)

Personal Firewall

The Windows 7 firewall allows for both packet filtering and an application-based firewall. It also gives the firewall software both inbound and outbound control.

In the Linux world, iptables has been the de facto firewall program for a long time. iptables is a network packet filtering firewall program.

Mac OS X uses ipfw, a BSD-based firewall. Starting in version 10.5, Mac OS X turned to an application-based firewall instead.

Page 45: Network Security Intrusion (How an Attacker Gains Control of a Network)

Firewalls

Firewalls are used in computer networks for protection against the “network elements” (for example, intrusions, denial of service attacks, etc.).

Access control lists (ACLs) are the basic form of firewall protection, although an access list is not stateful and is not by itself a firewall.

ACLs can be configured on a router, on a true dedicated firewall, or on the host computer.

Page 46: Network Security Intrusion (How an Attacker Gains Control of a Network)

Firewalls

Firewalls allow traffic from inside the network to exit but don’t allow general traffic from the outside to enter the network.

The firewall monitors the data traffic and recognizes where packets are coming from. The firewall will allow packets from the outside to enter the network if they match a request from within the network.

Firewalls are based on three technologies:

• Packet filtering

• Proxy server

• Stateful packet filtering

Page 47: Network Security Intrusion (How an Attacker Gains Control of a Network)

Packet Filtering

In packet filtering, a limit is placed on the packets that can enter the network.

Packet filtering can also limit information moving from one segment to another. ACLs are used to enable the firewall to accept or deny data packets.

The disadvantages of packet filtering are:

• Packets can still enter the network by fragmenting the data packets.

• It is difficult to implement complex ACLs.

• Not all network services can be filtered.

Page 48: Network Security Intrusion (How an Attacker Gains Control of a Network)

Proxy Server

A proxy server is used by clients to communicate with secure systems using a proxy. The client gets access to the network via the proxy server.

This step is used to authenticate the user, establish the session, and set policies. The client must connect to the proxy server to connect to resources outside the network.

The disadvantages of the proxy server are:

• The proxy server can run very slowly.

• Adding services can be difficult.

• There can be a potential problem with network failure if the proxy server fails or is corrupted.

Page 49: Network Security Intrusion (How an Attacker Gains Control of a Network)

Stateful Firewall

In a stateful firewall, the inbound and outbound data packets are compared to determine if a connection should be allowed.

This technique is used to protect the inside of the network from the outside world but still allow traffic to go from the inside to the outside and back.

The firewall needs to be stateful to accomplish this.
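The difference between the stateless ACL of the Packet Filtering slide and the stateful firewall of this slide, as an added example that is not part of the original deck: a per-packet ACL either blocks the reply to an internal request or has to open a hole that also admits unsolicited traffic, while a connection table admits only the reverse of a flow that an inside host started. Addresses, ports and the "10." internal prefix are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(ip):
    """Constructed convention for the demo: the trusted network is 10.0.0.0/8."""
    return ip.startswith("10.")


# ---- Stateless packet filter: an ACL evaluated per packet, first match wins ----
# Rule = (action, direction, source port, destination port); None matches anything.
STRICT_ACL = [
    ("permit", "out", None, None),   # anything from inside may leave
    ("deny", "in", None, None),      # ...but then replies from outside are dropped too
]
LOOSE_ACL = [
    ("permit", "out", None, None),
    ("permit", "in", 443, None),     # let HTTPS replies back in: admits ANY packet from port 443
    ("deny", "in", None, None),
]


def stateless_filter(pkt, acl):
    direction = "out" if is_internal(pkt.src) else "in"
    for action, rule_dir, sport, dport in acl:
        if rule_dir == direction and sport in (None, pkt.sport) and dport in (None, pkt.dport):
            return action
    return "deny"


# ---- Stateful filter: remembers flows initiated from the inside ----
class StatefulFirewall:
    def __init__(self):
        self.table = set()   # 5-tuples of flows started by internal hosts

    def filter(self, pkt):
        if is_internal(pkt.src):
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        # inbound is permitted only if it is the reverse of a known outbound flow
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.table else "deny"


def run_scenario():
    """Three packets: an internal request, its reply, and an unsolicited inbound packet."""
    outbound = Packet("10.0.0.5", 51000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 3389)   # nobody inside asked for this
    fw = StatefulFirewall()
    pkts = (outbound, reply, unsolicited)
    return {
        "stateless_strict": [stateless_filter(p, STRICT_ACL) for p in pkts],
        "stateless_loose": [stateless_filter(p, LOOSE_ACL) for p in pkts],
        "stateful": [fw.filter(p) for p in pkts],
    }
```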

Page 50: Network Security Intrusion (How an Attacker Gains Control of a Network)

Perimeter Firewall Deployment

A firewall is usually placed in-line between a trusted (internal) network and an untrusted (external) network.

Its primary function is to protect its trusted network.

An example of how a perimeter firewall is often deployed is provided

Page 51: Network Security Intrusion (How an Attacker Gains Control of a Network)

Firewalls

A big problem with firewalls is that users assume a firewall catches all possible problems.

This is a wrong assumption. The user may be slow to update the patches and fixes to the software.

A firewall is not the end-to-end solution.

Page 52: Network Security Intrusion (How an Attacker Gains Control of a Network)

Other Security Appliances

There are more security appliances in the market today that help protect the network.

An IPS (Intrusion Prevention System) monitors and analyzes the network traffic. In real time, it identifies misuse and anomalies on the network.

The IPS detects a misuse intrusion by matching the network packets with its IPS signatures for known attacks or activities that are classified as bad.

The IPS has the ability to stop or prevent malicious attacks that it detects by interacting with the firewall.

Page 53: Network Security Intrusion (How an Attacker Gains Control of a Network)

Other Security Appliances

Another appliance that is widely deployed is a Web filter appliance. Lots of places have very strict policies of how their users can use the network.

Web traffic is usually one of the first to be monitored and filtered, and a web filter appliance is designed to do just that.

In the K-12 environment, web filtering is critical. K-12 school districts are required by law to implement filtering to block adult, illegal or offensive content from minors.

Page 54: Network Security Intrusion (How an Attacker Gains Control of a Network)

Other Security Appliances

A web filter appliance has a database containing inappropriate web sites.

A web filter appliance monitors the web traffic both via http and https and matches it against the database.

If an inappropriate web site is detected, the request is either discarded or the user will be redirected to a security web page for further action.

The web filter appliance constantly gets its database updated.

Page 55: Network Security Intrusion (How an Attacker Gains Control of a Network)

Introduction to Virtual Private Network (VPN)

Page 56: Network Security Intrusion (How an Attacker Gains Control of a Network)

Introduction

When a network is protected behind the firewall, it is sometimes referred to as a private network. Only computers on the same private network are considered to be trusted.

Access to a private network requires special permission to be granted on the firewall.

Imagine a sales company that has its sales workforce throughout the country. The sales people need to access the company’s servers and databases at its headquarters, which is protected behind a firewall.

Page 57: Network Security Intrusion (How an Attacker Gains Control of a Network)

Introduction

It would be a network administrator’s nightmare to grant individual access through the company’s firewall.

Virtual Private Network (VPN) offers a solution to this problem. As the name implies, VPN is a concept of extending a private or a trusted network over public infrastructure like the Internet.

A VPN accomplishes this by establishing a secure connection between the remote end and the private network, therefore enabling the remote clients to become part of the trusted network.

Page 58: Network Security Intrusion (How an Attacker Gains Control of a Network)

VPN Tunnel

A secure VPN connection between two endpoints is known as a tunnel.

A tunnel is created by an encapsulation technique, which encapsulates the data inside a known protocol that is agreed upon by the two endpoints.

There are two types of VPNs that are commonly used today. One is a remote access VPN and the other is a site-to-site VPN.

Page 59: Network Security Intrusion (How an Attacker Gains Control of a Network)

VPN Tunnel

A remote access VPN is used to facilitate network access for users in remote office networks or for remote users that travel a lot and need access to the network.

The client usually initiates this type of VPN connection. A site-to-site VPN is used to create a virtual link from one site to the other.

It essentially replaces the traditional WAN type connection used in connecting typical sites. This type of VPN requires network hardware like a router or a firewall to create and maintain the connection.

Page 60: Network Security Intrusion (How an Attacker Gains Control of a Network)

VPN Tunneling Protocols

One of the original tunneling protocols is the Generic Routing Encapsulation (GRE).

GRE is commonly used as a site-to-site VPN solution because of its simplicity and versatility.

It is the only tunneling protocol that can encapsulate up to 20 different types of protocols.
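The encapsulation that the VPN Tunnel and GRE slides describe, as an added example that is not part of the original deck: a GRE header per RFC 2784 (version 0, optional checksum) is built around an inner packet whose type is carried in the Protocol Type field, and the receiver strips it again after checking the reserved bits and the checksum. The inner payloads are constructed byte strings, not real IP packets; the two ethertype constants are the IANA values.

```python
import struct

# IANA ethertypes as carried in the GRE Protocol Type field.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD

GRE_FLAG_C = 0x8000        # bit 0: Checksum Present
GRE_MASK_VER = 0x0007      # bits 13-15: Version, must be 0 for RFC 2784
GRE_MASK_RES0_STRICT = 0x7C00   # bits 1-5 of Reserved0: receiver MUST discard if set


def inet_checksum(data):
    """RFC 1071 Internet checksum (one's complement sum), odd length padded with 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload, protocol_type, with_checksum=True):
    """Wrap payload in a GRE header: flags/version, protocol type, optional checksum."""
    flags = GRE_FLAG_C if with_checksum else 0      # Reserved0 = 0, Ver = 0
    header = struct.pack("!HH", flags, protocol_type)
    if with_checksum:
        # checksum covers the GRE header (checksum field zero) plus the payload
        csum = inet_checksum(header + struct.pack("!HH", 0, 0) + payload)
        header += struct.pack("!HH", csum, 0)       # Checksum, Reserved1
    return header + payload


def gre_decapsulate(packet):
    """Parse a GRE packet and return (protocol_type, payload); raise ValueError on bad input."""
    if len(packet) < 4:
        raise ValueError("GRE header truncated")
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    if flags & GRE_MASK_VER:
        raise ValueError("unsupported GRE version")
    # PPTP's enhanced GRE (RFC 2637) sets K and S bits here; a strict RFC 2784
    # receiver discards such packets, which is why PPTP needs its modified GRE.
    if flags & GRE_MASK_RES0_STRICT:
        raise ValueError("reserved bits set")
    offset = 4
    if flags & GRE_FLAG_C:
        if len(packet) < 8:
            raise ValueError("GRE checksum field truncated")
        # with the checksum field filled in, the checksum of the whole packet is zero
        if inet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        offset = 8
    return protocol_type, packet[offset:]


def demo():
    """Round-trip a constructed 28-byte inner packet through GRE."""
    inner = b"\x45\x00\x00\x1c" + b"\x00" * 24    # constructed, merely IPv4-shaped
    return gre_decapsulate(gre_encapsulate(inner, ETHERTYPE_IPV4)) == (ETHERTYPE_IPV4, inner)
```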

Page 61: Network Security Intrusion (How an Attacker Gains Control of a Network)

Point-to-Point Protocol

To better understand remote access VPN, one should at least understand the importance of PPP or Point to Point Protocol.

PPP was the key to the remote access solution for dialup networking.

In those days, people would make a dialup connection to their ISP and establish a PPP session to the Internet.

Page 62: Network Security Intrusion (How an Attacker Gains Control of a Network)

Point-to-Point Protocol

Even though authentication is optional for PPP, most implementations of PPP provide user authentication using protocols like PAP or CHAP.

PAP (Password Authentication Protocol) is a simple, clear-text (unencrypted) authentication method.

CHAP (Challenge Handshake Authentication Protocol) is a challenge-response authentication method that never sends the password in the clear; it uses the MD5 hashing algorithm.
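The PAP and CHAP exchanges just described, as an added example that is not part of the original deck: PAP's Authenticate-Request carries the password itself, while CHAP's three-way handshake (RFC 1994: Challenge, Response, Success/Failure) sends only MD5 over Identifier, secret and Challenge Value, so the authenticator recomputes it from its own copy of the secret. The user database and credentials are constructed; messages are modelled as dictionaries rather than encoded PPP frames.

```python
import hashlib
import hmac
import os

# Constructed credential store for the demo (in practice this lives on the
# authentication server, e.g. a RADIUS server).
USER_DB = {"alice": b"correct horse battery staple"}


# ---- PAP (RFC 1334): the password travels in the clear ----
def pap_authenticate_request(peer_id, password):
    """What the client puts on the wire: Peer-ID and the password itself."""
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def pap_server(request, db=USER_DB):
    return db.get(request["peer_id"]) == request["password"]


# ---- CHAP (RFC 1994): secret never transmitted ----
def chap_challenge(identifier, value_size=16):
    """Authenticator -> peer: Code 1, Identifier, a fresh random Challenge Value."""
    return {"code": 1, "id": identifier, "value": os.urandom(value_size)}


def chap_response_value(identifier, secret, challenge_value):
    """RFC 1994 section 2: MD5( Identifier (1 octet) || secret || Challenge Value )."""
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def chap_response(challenge, name, secret):
    """Peer -> authenticator: Code 2, same Identifier, 16-octet Value, Name."""
    return {"code": 2, "id": challenge["id"], "name": name,
            "value": chap_response_value(challenge["id"], secret, challenge["value"])}


def chap_server(challenge, response, db=USER_DB):
    """Authenticator recomputes the expected Value; returns Code 3 (Success) or 4 (Failure)."""
    secret = db.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return 4
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    # constant-time compare so the check itself leaks nothing about the digest
    return 3 if hmac.compare_digest(expected, response["value"]) else 4


def run_exchange(name, secret, identifier=1):
    """Full CHAP handshake for one peer; returns the final CHAP code."""
    chal = chap_challenge(identifier)
    resp = chap_response(chal, name, secret)
    return chap_server(chal, resp)


def wire_reveals_password(messages, password):
    """Passive-observer check: does any field of the captured messages equal the password?"""
    return any(password in m.values() for m in messages)
```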

Page 63: Network Security Intrusion (How an Attacker Gains Control of a Network)

Point-to-Point Protocol

Later on, EAP (Extensible Authentication Protocol) was introduced as another PPP authentication method.

During the PPP authentication phase, the ISP dialup server collects the user authentication data and validates it against an authentication server like a RADIUS server.

RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is an IETF standard protocol.

The RADIUS server supports many different methods of user authentication including PAP, CHAP, and EAP.

Page 64: Network Security Intrusion (How an Attacker Gains Control of a Network)

VPN Tunneling Protocols

Point-to-Point Tunneling Protocol (PPTP) was developed jointly by Microsoft, 3Com, and Alcatel-Lucent in 1996. It has never been ratified as a standard.

Microsoft was a big advocate of PPTP and made PPTP available as part of Microsoft Windows Dialup Networking.

PPTP was widely used as a remote access solution. PPTP was designed to work in conjunction with a standard Point to Point Protocol (PPP).

Page 65: Network Security Intrusion (How an Attacker Gains Control of a Network)

VPN Tunneling Protocols

PPTP client software would establish a PPP connection to an ISP. Once the connection is established, it will then make the PPTP tunnel over the Internet to the PPTP server.

The PPTP tunnel uses a modified GRE tunnel to carry its encapsulated packets for IP transmission.

PPTP does not have any authentication mechanism of its own, therefore it relies heavily on the underlying PPP authentication.

Page 66: Network Security Intrusion (How an Attacker Gains Control of a Network)

Layer 2 Forwarding Protocol

L2F was developed by Cisco. L2F was not used widely in the consumer market due to its requirement of L2F hardware.

Unlike PPTP, where the VPN client software is installed and initiated from the client, L2F does not require any VPN client software. An L2F connection is intended to be established by the L2F hardware.

This requires coordination between the ISP and the corporate network. L2F relies on the PPP authentication to be passed on to the corporate authentication server.

Page 67: Network Security Intrusion (How an Attacker Gains Control of a Network)

Layer 2 Tunneling Protocol

L2TP was created with the intention of merging two incompatible proprietary tunneling protocols, PPTP and L2F.

L2TP is considered to be an enhancement of the two previous protocols.

L2TP does not require specific hardware. It can be initiated directly from the client. L2TP tunnel encapsulation is done on UDP port 1701.

If L2TP is used over an IP network where PPP is not used, the tunnel can be created with its own authentication mechanism.

Page 68: Network Security Intrusion (How an Attacker Gains Control of a Network)

IPsec

All of the previously discussed tunneling protocols are lacking one important security feature, encryption.

Encryption can guarantee data confidentiality in the tunnel. IPsec or IP Security offers encryption features that the others lack.

IPsec was designed for the purpose of providing a secure end-to-end connection. The VPN can take advantage of IPsec to provide network layer encryption as well as authentication techniques.

IPsec is versatile in that it can be implemented easily as a remote access VPN or as a site-to-site VPN.

Page 69: Network Security Intrusion (How an Attacker Gains Control of a Network)

IPsec and IPv6

For IPv6, IPsec becomes an even more integral part, as it is embedded within the IPv6 packets. There are 2 primary security protocols used by IPsec:

• AH (Authentication Header)

• ESP (Encapsulating Security Payload)

AH guarantees the authenticity of the IP packets.

ESP provides confidentiality to the data messages (payloads) by way of encryption.

Page 70: Network Security Intrusion (How an Attacker Gains Control of a Network)

IPsec Tunnel

Before an IPsec tunnel can be established, there are quite a few security parameters that have to be negotiated and agreed upon by both ends. IPsec uses the Internet Key Exchange (IKE) protocol to manage such a process.

IKE is a hybrid protocol that encompasses several key management protocols, most notably ISAKMP (Internet Security Association and Key Management Protocol).

There are 2 negotiation phases that the two network nodes must perform before the IPsec tunnel is complete.

Page 71: Network Security Intrusion (How an Attacker Gains Control of a Network)

IPsec Tunnel

In IKE Phase 1, both network nodes authenticate each other and set up an IKE SA (Security Association).

IKE Phase 2 uses the secure channel established in phase 1 to negotiate the unidirectional IPsec SAs, inbound and outbound, to set up the IPsec tunnel.

This is where the parameters for AH and ESP would be negotiated.