Network Security

Network Security
ISOC NTW 2000
NTW 2000 © 2000, Cisco Systems, Inc.

Introduction

Network Security Components

ISP Example
[Diagram: Internet, foreign site, customer site (T1), ISP service plane (WWW, DNS1, DNS2, TFTP, Pub1, Pub 2), ISP management plane]

Enterprise Example
[Diagram: protected network (Engineering, Finance, Admin), Internet, WWW server, DNS server, dial-up access, business partners]

Current Threats and Attack Methods

Attack Trends
• Exploiting passwords and poor configurations
• Software bugs
• Trojan horses
• Sniffers
• IP address spoofing
• Toolkits
• Distributed attacks

Attack Trends
[Chart: attacker knowledge and attack sophistication, low to high, 1988 to 2000]

Vulnerability Exploit Cycle
• Advanced intruders discover vulnerability
• Crude exploit tools distributed
• Novice intruders use crude exploit tools
• Automated scanning/exploit tools developed
• Widespread use of automated scanning/exploit tools
• Intruders begin using new types of exploits
Source: CERT Coordination Center

Increasingly Serious Impacts
• $10M transferred out of one banking system
• Loss of intellectual property - $2M in one case, the entire company in another
• Extensive compromise of operational systems - 15,000 hour recovery operation in one case
• Alteration of medical diagnostic test results
• Extortion - demanding payments to avoid operational problems

Evolving Dependence
• Networked appliances/homes
• Wireless stock transactions
• On-line banking
• Critical infrastructures
• Business processes

The Community's Vulnerability
• Internal exploitation: 100% vulnerable
• External exploitation (Internet): 75% vulnerable
Source: Cisco Security Posture Assessments 1996-1999

Unauthorized Use
[Chart: percentage of respondents answering Yes / No / Don't Know, 1996 to 2000]
Source: 2000 CSI/FBI Computer Crime and Security Survey

Conclusion
Sophisticated attacks + Dependency + Vulnerability

Classes of Attacks
• Reconnaissance
  Unauthorized discovery and mapping of systems, services, or vulnerabilities
• Access
  Unauthorized data manipulation, system access, or privilege escalation
• Denial of Service
  Disable or corrupt networks, systems, or services

Reconnaissance Methods
• Common commands and administrative utilities
  nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
• Public tools
  Sniffers, SATAN, SAINT, NMAP, custom scripts

Network Sniffers
[Diagram: a user runs "telnet Router5"; the sniffer captures the session ("Got It !!")]

    User Access Verification
    Username: squiggie
    password: Sq%*jkl[;T
    Router5>ena
    Password: jhervq5
    Router5#

ISP Example
[Diagram: Internet, foreign site, customer site (T1), ISP service plane (WWW, DNS1, DNS2, TFTP, Pub1, Pub 2), ISP management plane]

Enterprise Example
[Diagram: protected network (Engineering, Finance, Admin), Internet, WWW server, DNS server, dial-up access, business partners]

nmap
• network mapper is a utility for port scanning large networks:
  - TCP connect() scanning
  - TCP SYN (half open) scanning
  - TCP FIN, Xmas, or NULL (stealth) scanning
  - TCP ftp proxy (bounce attack) scanning
  - SYN/FIN scanning using IP fragments (bypasses some packet filters)
  - TCP ACK and Window scanning
  - UDP raw ICMP port unreachable scanning
  - ICMP scanning (ping-sweep)
  - TCP Ping scanning
  - Direct (non portmapper) RPC scanning
  - Remote OS Identification by TCP/IP Fingerprinting (nearly 500)
  - Reverse-ident scanning

nmap
• nmap {Scan Type(s)} [Options] <host or net list>
• Example:

    my-unix-host% nmap -sT my-router
    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Interesting ports on my-router.example.com (10.12.192.1)
    (The 1521 ports scanned but not shown below are in state closed)
    Port       State       Service
    21/tcp     open        ftp
    22/tcp     open        ssh
    23/tcp     open        telnet
    25/tcp     open        smtp
    37/tcp     open        time
    80/tcp     open        http
    110/tcp    open        pop-3

Why Do You Care?
• The more information you have, the easier it will be to launch a successful attack:
  - Map the network
  - Profile the devices on the network
  - Exploit discovered vulnerabilities
  - Achieve objective

Access Methods
• Exploiting passwords
  - Brute force
  - Cracking tools
• Exploit poorly configured or managed services
  - anonymous ftp, tftp, remote registry access, nis, …
  - Trust relationships: rlogin, rexec, …
  - IP source routing
  - File sharing: NFS, Windows File Sharing

Access Methods cont'd
• Exploit application holes
  - Mishandled input data: access outside application domain, buffer overflows, race conditions
• Protocol weaknesses: fragmentation, TCP session hijacking
• Trojan horses: programs that plant a backdoor into a host

IP Packet
• Internet Protocol
  - IP = connectionless network layer
  - SAP = 32 bits IP address
  - RFC 791, Sep 1981

IP: Packet Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        Internet Datagram Header

IP Spoofing
[Diagram: hosts A, B and C; the attacker (C) tells A "Hi, my name is B"]

IP: Normal Routing
[Diagram: hosts A, B, C and routers Ra, Rb, Rc with their routing tables; packet A -> B]
Routing based on routing tables

IP: Source Routing
[Diagram: hosts A, B, C and routers Ra, Rb, Rc; B is unknown in the routing table; packet A -> B via Ra, Rb]
Routing based on IP datagram option

IP Unwanted Routing
[Diagram: Internet, DMZ and intranet joined by routers R1 and R2; hosts A (intranet), B (DMZ) and C; A is unknown in the Internet and R1 routing tables; packet C->A via R1, R2]

IP Unwanted Routing (Cont.)
[Diagram: Internet, dial-up PPP link, intranet; hosts A (intranet), B (acting as router) and C; A is unknown in the Internet routing table; packet C->A via B]

IP Spoofing Using Source Routing
[Diagram: hosts A, B, C and routers Ra, Rb, Rc]
• A's policy: B is a friend, allow access
• B->A via C, Rc, Ra
• A->B via Ra, Rc, C
Back traffic uses the same source route

Transport Control Protocol
• TCP = connection oriented transport layer
• RFC 793, Sep 1981
• SAP = 16 bits TCP ports

TCP Packet Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Acknowledgment Number                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Data |           |U|A|P|R|S|F|                               |
    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             data                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            TCP Header Format

TCP connection establishment
[Diagram: segments exchanged between B and A, in order]
• flags=SYN, seq=(Sb,?)
• flags=SYN+ACK, seq=(Sa,Sb)
• flags=ACK, seq=(Sb,Sa)
• flags=ACK, seq=(Sb,Sa+8), data="Username:"

TCP blind spoofing
[Diagram: hosts B and A, with C masquerading as B; segments in order]
• flags=SYN, seq=(Sb,?)
• flags=SYN+ACK, seq=(Sa,Sb)
• flags=ACK, seq=(Sb,Sa)
• flags=ACK, seq=(Sb,Sa+8), data="Username:"
C guesses Sa
A believes the connection comes
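
The source-routing slides above depend on the Options field of the IP header shown in the packet-format slide. As an added example (not part of the original deck), the following Python code walks the options of an IPv4 header and reports loose and strict source-route options (types 131 and 137 in RFC 791) so that such packets can be flagged or dropped; the helper names, the sample packets and their 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are constructed for illustration.

```python
import struct

# IPv4 option types (RFC 791): end of list, no-op, loose/strict source route
EOL, NOP, LSRR, SSRR = 0, 1, 131, 137
NAMES = {LSRR: "LSRR", SSRR: "SSRR"}

def ip(text):
    return bytes(int(part) for part in text.split("."))

def build_header(src, dst, options=b""):
    """Constructed IPv4 header for the demo (checksum left at 0)."""
    options += bytes(-len(options) % 4)           # pad options with EOL
    ihl = 5 + len(options) // 4                    # header length in 32-bit words
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4,
                        0, 0, 64, 6, 0, ip(src), ip(dst))
    return fixed + options

def source_route_options(packet):
    """Return [(name, [hop, ...])] for each source-route option in the header."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    opts, found, i = packet[20:ihl * 4], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        if kind in NAMES:
            # layout: type, length, pointer, then 4-byte route addresses
            hops = [".".join(map(str, opts[j:j + 4]))
                    for j in range(i + 3, i + length - 3, 4)]
            found.append((NAMES[kind], hops))
        i += length
    return found

# Constructed sample: one plain header, one with a loose source route (two hops)
LSRR_OPT = bytes([LSRR, 11, 4]) + ip("192.0.2.1") + ip("192.0.2.2")
PLAIN = build_header("198.51.100.10", "203.0.113.20")
ROUTED = build_header("198.51.100.10", "203.0.113.20", LSRR_OPT)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("routed", ROUTED)):
        print(name, source_route_options(pkt) or "no source-route option")
```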
