DOCSLIB.ORG

Securing 7 Layers of Insecurity

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Securing 7 Layers of Insecurity Chapter 21 Fingerprinting Module Network Reconnaissance: Curiosity killed the Cat D 7 eep L ay “Fingerprint identification Se occurs when an expert er s c determines that two impressions o V originated from the same finger f I i e n or palm.” nn sec a 2007 (Wikipedia.org) urity Copyright Information Some rights reserved / Einige Rechte vorbehalten Michael Kafka, René Pfeiffer, Sebastian Mayer C.a.T. Consulting and Trainings, Vienna, Austria You may freely use, distribute and modify this work under following D agreement: 7 eep Diese Arbeit darf frei genutzt, verbreitet und bearbeitet werden unter L folgenden Bedingungen: ay Se Authors must be referenced (also for modification) er s Autoren müssen genannt werden (auch bei Bearbeitung) c o V Only for non commercial use f I i Nur für nichtkommerzielle Nutzung e n nn Derivative work under same licence sec Derivative Arbeit unter selber Lizenz a 2007 urity http://www.creativecommons.com © November 2007 21 - Fingerprinting 2 Chapter 21 Fingerprinting Agenda Fingerprinting Basics Passive Fingerprinting D 7 eep Protocol Headers L ay Se Active Fingerprinting er s c Identify Individuals o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 3 Fingerprinting Basics How to Find Valuable Hints? What to look for, what to ignore? What is it good for? D 7 eep L ay Se er s c o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 4 Fingerprinting Basics Systems may have unique signatures Network stack responses DCE RPC signatures D 7 eep Versions and protocols are crucial L ay Se for matching against weaknesses er s c for capability assessment o V f I i Tools exist for automating scans e n nn Fingerprinting may be active or passive sec a 2007 urity © November 2007 21 - Fingerprinting 5 Fingerprinting Basics Why find out Details? Versions unveil state of maintenance Look for “forgotten systems” Identify “abandoned applications” D 7 eep Gather information for attack approach L ay Se Determine dependencies er s c Important for indirect attacks o V f I i Proper chaining of exploits e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 6 Fingerprinting Information Collect everything Scan and get all you can get Useful to get the “big picture” D 7 eep Information can be used in social engineering L ay Se Facts improve credibility er s c Phone calls can confirm/reject results o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 7 Passive Fingerprinting Just Watch or Listen! D 7 eep L ay Se er s c o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 8 p0f Passive method Identifies systems that connect to you (SYN) D 7 eep systems you connect to (SYN+ACK) L ay Se systems you cannot connect to (RST) er s c Additionally detects network devices o V f I i NAT e n nn load balancers sec a 2007 urity © November 2007 21 - Fingerprinting 9 Protocol Headers A Wealth of “Hidden” Information. D 7 eep L ay Se er s c o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 10 Protocol Header Information Network distances Round trip time, TTL Analyse hop count, intermediate devices D 7 eep Hops that change information L ay Se Missing IP options, normalisation er s c NAT devices o V f I i Risk: medium Impact: medium e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 11 Active Fingerprinting “Shout, shout, let it all out. …” D 7 eep L ay Se er s c o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 12 Banner Grabbing Layer 2 is full of announcements Layer 7 is full of banners Most Internet protocols are based on text D 7 eep Attackers look for L ay Se version strings er s c capabilities o V f I i host / domain names e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 13 Popular banners CDP/LLDP strings FTP servers SMTP dialogues D 7 eep SNMP communities L ay Se HTTP responses er s c SSH version information o V f I i IMAP/POP3 servers e n nn DNS (with suitable tools) sec a 2007 Risk: high Impact: medium urity © November 2007 21 - Fingerprinting 14 DNS Digging DNS zones are very important Public records disclose starting points Avoid secret.fileserver.example.net D 7 eep Attackers will use dictionaries L ay Se Attackers will try to er s c zone transfer all data o V f I i identify DNS infrastructure e n nn Monitoring DNS queries can reveal attacks sec a 2007 Risk: medium Impact: high urity © November 2007 21 - Fingerprinting 15 Firewalking Mapping packet filters by response Attackers investigate IP TTL D 7 eep ICMP responses L ay Se IP/TCP options er s c responses to invalid packets o V f I i Name stems from tool “firewalk” e n nn Risk: medium Impact: medium sec a 2007 urity © November 2007 21 - Fingerprinting 16 SNMP Walking SNMP offers rich informations Many network devices are SNMP-capable Attackers look for unprotected access D 7 eep Port scanners on port 161/162 (UDP/TCP) L ay Se Default information very useful er s c Risk: medium Impact: high o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 17 Tools for Reconnaissance What to Use? D 7 eep L ay Se er s c o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 18 Tools of the trade Times change, tools adapt telnet, ping, traceroute telnet, hping2, tcptraceroute D 7 eep Any packet generator will do L ay Se Any tool capable of TCP will do likewise er s c telnet is still common o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 19 nmap nmap is around since 1997 Host discovery OS detection D 7 eep Port scanning L ay Se Support for scripting er s c nmap offers parallel scanning o V f I i TCP, UDP, ICMP capability e n nn Protocol scan sec a 2007 Idle scan urity Banner grabbing (version strings) © November 2007 21 - Fingerprinting 20 Idle Scan D 7 eep L ay Se er s c o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 21 xprobe2 Active scanning tool, around since 2001 Early focus on ICMP footprints Key features include fuzzy fingerprinting D 7 eep Multiple signatures used L ay Se TCP, UDP, ICMP er s c SNMP V2 o V f I i SMB e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 22 hping2/hping3 “ping on steroids” Sends crafted UDP, ICMP, TCP packets Collects TCP ISN, pioneered Idle Scan D 7 eep Has API for automated tests L ay Se Useful for firewall/IDS/IPS testing er s c More capable than standard tools o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 23 Large networks Attackers map large networks Automated scans for popular ports “Auto-r00ter” attached D 7 eep Parallel scans may appear on monitoring L ay Se Large scans reduce number of ports er s c Bulk scanners look for specifics o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 24 Port Scanning Risks Risk: medium Impact: medium Mitigation Drop malformed/useless/unwanted packets D 7 eep Detect port sweeps, packet rates L ay Se Limit ICMP error rate er s c Reassemble fragments at border o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 25 Identify Individuals Matching Addresses to People. D 7 eep L ay Se er s c o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 26 Personal Information Look out for anything like E-mail addresses Telephone numbers, FAX numbers D 7 eep “Personalised” network addresses L ay Se Personal namespaces (in DNS) er s c Personal information improves credibility o V f I i Important for social engineering e n nn Useful for faking other information sec a 2007 Risk: medium Impact: high urity © November 2007 21 - Fingerprinting 27 Chapter 21 Fingerprinting Summary Reconnaissance is about information. Any protocol is affected. D 7 eep Carefully design access to network(s). L ay Se Monitor incoming traffic. er s c Limit access wherever you can. o V f I i Know where your data is and what to do e n nn with it. sec a 2007 urity © November 2007 21 - Fingerprinting 28 Thank you for your attention! Questions? D 7 eep L ay Se er s c o V f I i e n nn sec a 2007 urity © November 2007 21 - Fingerprinting 29 DeepSec Conference Vienna © November 2007 Chapter 21 Fingerprinting Module Network Reconnaissance: Curiosity killed the Cat D 7 eep L ayers o “Fingerprint identification occurs when an expert Sec determines that two impressions Vien originated from the same finger f I or palm.” n secu n a 2007 (Wikipedia.org) rity © November 2007 21 - Fingerprinting 1 Fingerprinting is a reconnaissance technique which allows to identify systems, versions of operating systems, patch levels, services packs etc. by observing a target for individual responses or actions. This chapter presents the latest developments in different techniques and discusses methods how risks can be mitigated.
Load more

Recommended publications
  • Inferring TCP/IP-Based Trust Relationships Completely Off-Path
    ONIS: Inferring TCP/IP-based Trust Relationships Completely Off-Path Xu Zhang Jeffrey Knockel Jedidiah R. Crandall Department of Computer Science Department of Computer Science Department of Computer Science University of New Mexico University of New Mexico University of New Mexico [email protected] [email protected] [email protected] Abstract—We present ONIS, a new scanning technique that researcher in country X who wants to learn if network traffic can perform network measurements such as: inferring TCP/IP- from a host in country Y can connect to a Tor server in country based trust relationships off-path, stealthily port scanning a Z. Performing this measurement off-path is necessary when target without using the scanner’s IP address, detecting off- path packet drops between two international hosts. These tasks vantage points (VPNs, Planet Lab nodes, etc.) are limited or typically rely on a core technique called the idle scan, which is unavailable in some countries. Ensafi et al. detail this off- a special kind of port scan that appears to come from a third path trust relationship testing by using the idle scan in [2]. machine called a zombie. The scanner learns the target’s status Specifically, they measured packet drops from clients to Tor from the zombie by using its TCP/IP side channels. directory servers by using machines with global incrementing Unfortunately, the idle scan assumes that the zombie has IP identifiers (IPIDs) which exhibit the now-discouraged behavior IPIDs as vantage points without those machines being under of being globally incrementing. The use of this kind of IPID their control.
    [Show full text]
  • Hacking Techniques & Intrusion Detection
    Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons “Share Alike” license. • http://creativecommons.org/licenses/by-sa/3.0/ 2 # whoami • Ali Al-Shemery • Ph.D., MS.c., and BS.c., Jordan • More than 14 years of Technical Background (mainly Linux/Unix and Infosec) • Technical Instructor for more than 10 years (Infosec, and Linux Courses) • Hold more than 15 well known Technical Certificates • Infosec & Linux are my main Interests 3 Scanning and Fingerprinting Outline • Diving into Important Network Protocols (TCP, UDP, ICMP, ARP, etc) • Nmap – Intro. • Host Discovery • Tracing the Route • Port Scanning • OS and Service Fingerprinting • Learning Python in 4 Slides • Packet Crafting 5 Diving into Important Network Protocols • Diving into Important Network Protocols: – TCP – UDP – ICMP – ARP – HTTP – etc 6 Nmap • "Network Mapper” is a free and open source utility for network discovery and security auditing. - Fyodor • IMO: #1 tool in your security arsenal! Important Note: A huge difference between running Nmap as a privileged/unprivileged user! 7 Host Discovery • Identifying Live Systems • Also called “Network Sweep” • Nmap ping sweeps: – Ping Only (-sP) – ARP Ping (-PR) – ICMP Echo Request Ping (-PE) – TCP SYN Ping (-PS) – TCP ACK Ping (-PA) – UDP Ping (-PU) DEMO 8 Assignment #1 • Why do host discovery or network sweeping if we already have the target list of IP(s)? 9 Tracing the Route • Nmap --traceroute option • DEMO DEMO 10 Port Scanning • The act of testing a remote
    [Show full text]
  • How to Scan a Network with Hping3
    How To Scan a Network With Hping3 Hping3 Hping3 is a command-line oriented TCP/IP packet assembler and analyser and works like Nmap. The application is able to send customizes TCP/IP packets and display the reply as ICMP echo packets, even more Hping3 supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features like DDOS flooding attacks. Hping3 can be used to perform: OS fingerprinting ICMP pings Traceroute Port scanning Firewall testing Test IDSes Network testing and auditing MTU discovery Exploit and vulnerabilities discovery DDOS and ICMP flooding Hping3 comes pre-installed with Kali Linux but and can also be installed on most Linux distros, also you need to run the commands with sudo privileges. Visit the official documentation at to learn more on how you can use Hping3 http://www.hping.org/documentation.php Useful Options -h Show this help -v Show version -c Packet count -i –interval –flood -V Verbose mode -D Debugging -f Fragment packets -Q Display sequence number -0 RAW IP mode -1 ICMP mode -2 UDP mode -8 SCAN mode -9 listen mode -F Set the FIN flag -S Set the SYN flag -P Set the PUSH flag -A Set the ACK flag -U Set the URG flag Commands Send a ACK packet to a target hping3 –A 192.168.100.11 HPING 192.168.100.11 (eth0 192.168.100.11): A set, 40 headers + 0 data bytes len=46 ip=192.168.100.11 ttl=128 id=29627 sport=0 flags=R seq=0 win=32767 rtt=4.0 ms len=46 ip=192.168.100.11 ttl=128 id=29628 sport=0 flags=R seq=1 win=32767 rtt=2.0 ms len=46 ip=192.168.100.11
    [Show full text]
  • Nmap Tutorial 1/10 2004-10-10 Lätt Redigerad Av Jan-Erik Jonsson
    NMap tutorial 1/10 2004-10-10 Lätt redigerad av Jan-Erik Jonsson Basic Scan Types [-sT, -sS] TCP connect() Scans [-sT] SYN Stealth Scanning [-sS] FIN, Null and Xmas Tree Scans [- sF, -sN, -sX] Ping Scanning [-sP] UDP Scans [-sU] IP Protocol Scans [-sO] Idle Scanning [-sI] ACK Scan [-sA] Window Scan, RPC Scan, List Scan [-sW, -sR, -sL] Timing And Hiding Scans Timing Decoys FTP Bounce Turning Pings Off Fragmenting Idle Scanning http://www.security-forums.com/forum/viewtopic.php?t=7872 NMAP - A Stealth Port Scanner by Andrew J. Bennieston 1 INTRODUCTION ................................................................................................................................................. 2 2 DISCLAIMER...................................................................................................................................................... 2 3 BASIC SCAN TYPES [-ST, -SS] ........................................................................................................................... 2 3.1 TCP connect() Scans [-sT]........................................................................................................................ 2 3.2 SYN Stealth Scanning [-sS]....................................................................................................................... 2 4 FIN, NULL AND XMAS TREE SCANS [-SF, -SN, -SX] ......................................................................................... 3 5 PING SCANNING [-SP] ......................................................................................................................................
    [Show full text]
  • Censored Planet: Global Censorship Observatory
    Censored Planet: Global Censorship Observatory Roya Ensafi University of Michigan Dec 27,2018 In my research lab, we ... develop frameworks to detect network interference, apply these frameworks to understand the behavior of network intermediaries, and use this understanding to defend against interference by building tools that safeguard users. Reports suggest Internet censorship practices are at rise! Network Interference Can Happen on Any Layer 1 A user types www.cnn.com into the browser 2 OS sends a DNS query to learn the IP address 3 Browser fetches the website Authoritative 4 Browser loads third-party resources DNS resolver DNS resolver www.cnn.com Server CDN PoP Home ISP User gateway router ISP router Server Transit Client Side Network Server Side Network Interference Can Happen on Any Layer 1 A user types www.cnn.com into the browser 2 OS sends a DNS query to learn the IP address 3 Browser fetches the website 4 Browser loads third-party resources DNS resolver www.cnn.com Server CDN PoP Home ISP User gateway router ISP router Server Transit Client Side Network Server Side Measuring Censorship is a Complex Problem! Internet censorship practices are diverse in their methods, targets, timing, differing by regions, as well as across time. Why Measure Censorship? NETWORK CENSORSHIP IS ON THE RISE ● Information controls harm citizens ● Spreading beyond the large powers ● Frequently opaque in topic & technique WE NEED DATA TO: ● Support transparency & accountability ● Improve technological defenses ● Inform users & public policy Why Measure
    [Show full text]
  • NMAP - a Stealth Port Scanner
    NMAP - A Stealth Port Scanner Andrew J. Bennieston http://www.nmap-tutorial.com Contents 1 Introduction 4 2 Disclaimer 4 3 Basic Scan Types [-sT, -sS] 4 3.1 TCP connect() Scan [-sT] . 4 3.2 SYN Stealth Scan [-sS] . 5 4 FIN, Null and Xmas Tree Scans [-sF, -sN, -sX] 6 5 Ping Scan [-sP] 7 6 UDP Scan [-sU] 8 7 IP Protocol Scans [-sO] 8 8 Idle Scanning [-sI] 9 9 Version Detection [-sV] 10 10 ACK Scan [-sA] 10 11 Window Scan, RPC Scan, List Scan [-sW, -sR, -sL] 11 12 Timing and Hiding Scans 11 12.1 Timing . 11 12.2 Decoys . 11 12.3 FTP Bounce . 12 12.4 Turning Off Ping . 12 12.5 Fragmenting . 12 12.6 Idle Scanning . 13 13 OS Fingerprinting 13 14 Outputting Logs 13 15 Other Nmap Options 13 15.1 IPv6 . 13 15.2 Verbose Mode . 13 15.3 Resuming . 13 15.4 Reading Targets From A File . 14 15.5 Fast Scan . 14 15.6 Time-To-Live . 14 2 16 Typical Scanning Session 14 17 Frequently Asked Questions 18 17.1 I tried a scan and it appeared in firewall logs or alerts. What else can I do to help hide my scan? . 18 17.2 NMAP seems to have stopped, or my scan is taking a very long while. Why is this? . 19 17.3 Will -sN -sX and -sF work against any host, or just Windows hosts? 20 17.4 How do I find a dummy host for the Idle Scan (-sI)? . 20 17.5 What does ”Host seems down.
    [Show full text]
  • CEH Study Guide
    CEH Study Guide Exam Code 312-50v8 Version 8 Study Guide Provided by TrainACE© The Certified Ethical Hacker Certification covers the fundamentals of hacking, footprinting and scanning. A CEH certification indicates than an individual possess the skills, knowledge and ability to effectively exploit and defend their own systems. This study guide focuses on Trojans, Linux, Servers, Networks and other forms of hacking to equip future Ethical Hackers with the tools to pass the CEHv8 exam and succeed in their field. Study Guide Provided by TrainACE© Q: Robert hopes to start a career in computer security. As a new college-level student, he has just learned the term ethical hacking, which is a key part of secure information systems. Of the below options, choose which will be key areas of expertise for Robert’s future career. Answer is complete. Select more than one answer if applicable. a. Robert needs to gain a large body of knowledge about how computers function, with special regard to networking and programming. b. Operating systems are very important to Robert’s career. Because companies utilize varying operating systems, including Windows (multiple versions), Mac (multiple versions), UNIX, and Linux, he must develop an advanced understanding of each of the major operating systems. c. Robert should gain familiarity with computing and hardware platforms, which are key to software development. d. Robert should be able to write reports related to his field and have great expertise in communication relating to computer security. Solution: All of the above are correct. Breakdown: Each of the above areas is important for Robert’s future career.
    [Show full text]
  • Openbsd DNS Cache Poisoning and Multiple OS Predictable IP ID
    OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability Amit Klein October-November 2007 OpenBSD DNS Cache Poisoning for OpenBSD and Multiple O/S Predictable IP ID Vulnerability Abstract The paper describes a weakness in the pseudo random number generator (PRNG) in use by OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD to produce random DNS transaction IDs (OpenBSD) and random IP fragmentation IDs (OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD – the latter three only if the kernel flag net.inet.ip.random_id is 1). A technique is disclosed that allows an attacker to detect the algorithm used and predict its next values. This technique can be used to conduct DNS cache poisoning attack on OpenBSD DNS server (which is a modified BIND 9 server) in caching mode. A predictability algorithm is described that typically provides 8-10 possible guesses for the next transaction ID value, thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against the OpenBSD DNS server. The net effect is that pharming attacks are feasible against OpenBSD caching DNS servers, without the need to directly attack neither DNS servers nor clients (PCs). A similar technique is disclosed to detect the algorithm used for the IP fragmentation ID generation (thereby enabling fingerprinting, traffic analysis and host alias detection for OpenBSD, Mac OS X, Mac OS X Server and Darwin (and NetBSD, FreeBSD, DragonFlyBSD, if the kernel flag net.inet.ip.random_id is 1), as well as detecting “missing” IDs, which can be used in nmap’s IdleScan method (as the “zombie” machine whose IP is used to scan the actual target host).
    [Show full text]
  • Network Sniffers and Tools in Cyber Security
    © 2018 JETIR November 2018, Volume 5, Issue 11 www.jetir.org (ISSN-2349-5162) NETWORK SNIFFERS AND TOOLS IN CYBER SECURITY 1Rachana R. Buch, 2Sachi N. Shah 1Assistant Professor, 2Assistant Professor 1Department of Computer Engineering 1Atmiya University, Rajkot, India Abstract:In the cyber world, there are numerous kinds of programmers which is utilized to hack username, passwords and personal details, account subtle elements, and touchy data about the client through their gadget or network. A procedure of catching, interpreting, and investigating network activity is called network sniffing. Network sniffers are same as a programmer which is gathered or assemble data from the Network i.e. IP address, MAC address, Hostname and so forth through which they can keep an eye on the network movement or they watch or gather a log of packets by packet sniffing. Network sniffers have utilized a few tools like Wireshark, Kismet, hping, TCPdump, and Windump for checking packets which are traverses the network. Index Terms: Cyber Security, Network sniffers, Packet Sniffers, Tools, Wireshark, hping, Kismet, TCPdump, and Windump. I. Introduction to Network Sniffers: fig.1 how network sniffer works 1.1 Network Sniffing: The procedure of catching, decoding, and analyzing network movement is called network sniffing. [2] Network Sniffing is a technique of observing each packet that crosses the network. Network sniffing is a tool that can enable you to find network issues by enabling you to catch and view packet level data on your network it likewise screens or sniffs out the data flowing over computer network links in real time. [2] A few sniffers work with TCP/IP packets yet more sophisticated tools can work with numerous other network protocols and at lower levels including Ethernet frames.[14] JETIR1811392 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 685 © 2018 JETIR November 2018, Volume 5, Issue 11 www.jetir.org (ISSN-2349-5162) 1.2 Network Sniffer types: fig.
    [Show full text]
  • Measuring and Circumventing Internet Censorship | 2014:65
    Philipp Winter | Measuring and circumventing Internet censorship | | Measuring Philipp Winter Measuring and circumventing Internet censorship Measuring and An ever increasing amount of governments, organisations, and companies employ Internet censorship in order to filter the free flow of information. These efforts are supported by an equally increasing number of companies focusing on circumventing the development of filtering equipment. Only what these entities consider right can pass the filters. This practice Internet censorship constitutes a violation of the Universal Declaration of Human Rights and hampers progress. This thesis contributes novel techniques to measure and 2014:65 to circumvent Internet censorship. In particular, we 1) analyse how the Great Firewall of China is blocking the Tor network by using active probing techniques Philipp Winter as well as side channel measurements, we 2) propose a concept to involve users in the process of censorship analysis, we 3) discuss the aptitude of a globally- deployed network measurement platform for censorship analysis, and we 4) propose a novel circumvention protocol. We attach particular importance to practicality and usability. Most of the techniques proposed in this thesis were implemented and some of them are deployed and used on a daily basis. ISBN 978-91-7063-605-9 Faculty of Health, Science and Technology ISSN 1403-8099 Computer Science DISSERTATION | Karlstad University Studies | 2014:65 DISSERTATION | Karlstad University Studies | 2014:65 Measuring and circumventing Internet
    [Show full text]
  • A Survey of Ethernet LAN Security Timo Kiravuo, Mikko S¨Arel¨A, and Jukka Manner
    IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013 1477 A Survey of Ethernet LAN Security Timo Kiravuo, Mikko S¨arel¨a, and Jukka Manner Abstract—Ethernet is the survivor of the LAN wars. It is switched, full-duplex, collision free Ethernet is considered the hard to find an IP packet that has not passed over an Ethernet standard low cost LAN solution for workstations and laptops, segment. One important reason for this is Ethernet’s simplicity and 10 Gbps is commonly available for servers and high and ease of configuration. However, Ethernet has always been known to be an insecure technology. Recent successful malware throughput hosts. attacks and the move towards cloud computing in data centers Ethernet segments are also being expanded, both in distance demand that attention be paid to the security aspects of Ethernet. and capacity, using various techniques [4]. Network operators In this paper, we present known Ethernet related threats and are starting to design edge to edge Ethernets, using the layer 2 discuss existing solutions from business, hacker, and academic communities. Major issues, like insecurities related to Address Ethernet internally to replace higher layer activities like IP Resolution Protocol and to self-configurability, are discussed. The routing and addressing, leaving them to be considered only solutions fall roughly into three categories: accepting Ethernet’s at the edges of the network. The motivation for having larger insecurity and circling it with firewalls; creating a logical Ethernet segments is to handle traffic at a layer lower than the separation between the switches and end hosts; and centralized IP layer.
    [Show full text]
  • 1587053527.Pdf
    ii Network Security Auditing Network Security Auditing Chris Jackson, CCIE No. 6256 Copyright © 2010 Cisco Systems, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. ISBN-13: 978-1-58705-352-8 ISBN-10: 1-58705-352-7 Printed in the United States of America First Printing June 2010 Library of Congress Cataloging-in-Publication Data: Library of Congress Cataloging-in-Publication data is on file. Warning and Disclaimer This book is designed to provide information about Cisco network security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompa- ny it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc. xxi Introduction Mention the word audit to IT professionals and you will probably see their eyes glaze over as they imagine frightening visions of auditors with pointy tails, pitchforks, and checklists run- ning around and pointing out all of the things they have done wrong to their manager.
    [Show full text]