NetworkNetwork SecuritySecurity ISOCISOC NTWNTW 20002000 NTW 2000 © 2000, Cisco Systems, Inc. 1 IntroductionIntroduction NTW 2000 ©2000, 2000, Cisco Cisco Systems, Systems, Inc. Inc. 2 NetworkNetwork SecuritySecurity ComponentsComponents NTW 2000 © 2000, Cisco Systems, Inc. 3 ISPISP ExampleExample Internet Foreign Site . ISP Service Plane Customer Site T1 WWW DNS1 Pub 2 DNS2 TFTP Pub1 ISP Management Plane . NTW 2000 © 2000, Cisco Systems, Inc. 4 EnterpriseEnterprise ExampleExample Protected Network Engineering Finance Internet Admin WWW Server DNS Server Dial-Up Business Access Partners NTW 2000 © 2000, Cisco Systems, Inc. 5 CurrentCurrent ThreatsThreats andand AttackAttack MethodsMethods NTW 2000 ©2000, 2000, Cisco Cisco Systems, Systems, Inc. Inc. 6 AttackAttack TrendsTrends • Exploiting passwords and poor configurations • Software bugs • Trojan horses • Sniffers • IP address spoofing • Toolkits • Distributed attacks NTW 2000 © 2000, Cisco Systems, Inc. 7 AttackAttack TrendsTrends High Attacker Knowledge Attack Sophistication Low 1988 2000 NTW 2000 © 2000, Cisco Systems, Inc. 8 Vulnerability Exploit Cycle Novice Intruders Automated Use Crude Scanning/Exploit Exploit Tools Tools Developed Crude Exploit Widespread Use Intruders Begin Tools Distributed of Automated Using New Types Scanning/Exploit of Exploits Tools Advanced Intruders Discover Vulnerability Source: CERT Coordination Center NTW 2000 © 2000, Cisco Systems, Inc. 9 IncreasinglyIncreasingly SeriousSerious ImpactsImpacts • $10M transferred out of one banking system • Loss of intellectual property - $2M in one case, the entire company in another • Extensive compromise of operational systems - 15,000 hour recovery operation in one case • Alteration of medical diagnostic test results • Extortion - demanding payments to avoid operational problems NTW 2000 © 2000, Cisco Systems, Inc. 10 EvolvingEvolving DependenceDependence • Networked appliances/homes • Wireless stock transactions • On-line banking • Critical infrastructures • Business processes NTW 2000 © 2000, Cisco Systems, Inc. 11 TheThe Community’sCommunity’s VulnerabilityVulnerability Internal Exploitation Internet External Exploitation 100% vulnerable 75% vulnerable Source: Cisco Security Posture Assessments 1996-1999 NTW 2000 © 2000, Cisco Systems, Inc. 12 UnauthorizedUnauthorized UseUse 70 Yes 60 Percentage No of 50 Respondents Don't 40 Know 30 20 10 0 1996 1997 1998 1999 2000 Source: 2000 CSI/FBI Computer Crime and Security Survey NTW 2000 © 2000, Cisco Systems, Inc. 13 ConclusionConclusion Sophisticated attacks + Dependency + Vulnerability NTW 2000 © 2000, Cisco Systems, Inc. 14 ClassesClasses ofof AttacksAttacks • Reconnaisance Unauthorized discovery and mapping of systems, services, or vulnerabilities • Access Unauthorized data manipulation, system access, or privilege escalation • Denial of Service Disable or corrupt networks, systems, or services NTW 2000 © 2000, Cisco Systems, Inc. 15 ReconnaissanceReconnaissance MethodsMethods • Common commands and administrative utilities nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl • Public tools Sniffers, SATAN, SAINT, NMAP, custom scripts NTW 2000 © 2000, Cisco Systems, Inc. 16 NetworkNetwork SniffersSniffers Router5 … telnet Router5 Got It !! User Access Verification Username: squiggie password: Sq%*jkl[;T Router5>ena Password: jhervq5 Router5# NTW 2000 © 2000, Cisco Systems, Inc. 17 ISPISP ExampleExample Internet Foreign Site . ISP Service Plane Customer Site T1 WWW DNS1 Pub 2 DNS2 TFTP Pub1 ISP Management Plane. NTW 2000 © 2000, Cisco Systems, Inc. 18 EnterpriseEnterprise ExampleExample Engineering Finance Internet Admin WWW Server DNS Protected Server Network Dial-Up Business Access Partners NTW 2000 © 2000, Cisco Systems, Inc. 19 nmapnmap • network mapper is a utility for port scanning large networks: TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep) TCP Ping scanning Direct (non portmapper) RPC scanning Remote OS Identification by TCP/IP Fingerprinting (nearly 500) Reverse-ident scanning. NTW 2000 © 2000, Cisco Systems, Inc. 20 nmapnmap • nmap {Scan Type(s)} [Options] <host or net list> • Example: my-unix-host% nmap -sT my-router Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ ) Interesting ports on my-router.example.com (10.12.192.1) (The 1521 ports scanned but not shown below are in state closed) Port State Service 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 37/tcp open time 80/tcp open http 110/tcp open pop-3 NTW 2000 © 2000, Cisco Systems, Inc. 21 WhyWhy DoDo YouYou Care?Care? • The more information you have, the easier it will be to launch a successful attack: Map the network Profile the devices on the network Exploit discovered vulnerabilities Achieve objective NTW 2000 © 2000, Cisco Systems, Inc. 22 AccessAccess MethodsMethods • Exploiting passwords Brute force Cracking tools • Exploit poorly configured or managed services anonymous ftp, tftp, remote registry access, nis, … Trust relationships: rlogin, rexec, … IP source routing File sharing: NFS, Windows File Sharing NTW 2000 © 2000, Cisco Systems, Inc. 23 AccessAccess MethodsMethods cont’dcont’d • Exploit application holes Mishandled input data: access outside application domain, buffer overflows, race conditions • Protocol weaknesses: fragmentation, TCP session hijacking • Trojan horses: Programs that plant a backdoor into a host NTW 2000 © 2000, Cisco Systems, Inc. 24 IPIP PacketPacket • Internet Protocol IP = connectionless network layer SAP = 32 bits IP address RFC 791, Sep 1981 NTW 2000 © 2000, Cisco Systems, Inc. 25 IP:IP: PacketPacket FormatFormat 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| IHL |Type of Service| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Internet Datagram Header NTW 2000 © 2000, Cisco Systems, Inc. 26 IP Spoofing A Hi, my name is B C Attacker NTW 2000 © 2000, Cisco Systems, Inc. B 27 IP:IP: NormalNormal RoutingRouting A, C via Ra B via Ethernet Rb B B -> B,C via Ra B via Rb A C via Rc A -> B A Ra A -> B Rc C Routing based on routing tables NTW 2000 © 2000, Cisco Systems, Inc. 28 IP:IP: SourceSource RoutingRouting b R a, R Rb B ia v B unknown B -> C via Rc A A -> B via Ra, Rb A Ra A -> B via Ra, Rb Rc C Routing based on IP datagram option NTW 2000 © 2000, Cisco Systems, Inc. 29 IPIP UnwantedUnwanted RoutingRouting , R2 ia R1 C ->A v C A unknown B via Internet Internet C-> A unknown A v ia R B via R1 1, R2 A unknown B via DMZ R1 B C->A via R1, R2 DMZ A via Intranet A intranet R2 B via DMZ C unknown C->A via R1,R2 NTW 2000 © 2000, Cisco Systems, Inc. 30 IPIP UnwantedUnwanted RoutingRouting ((ContCont.).) C-> A v C ia B A unknown B via Internet Internet P PP -up A unknown A via Ethernet dial ia B B via PPP C via PPP A v C-> A intranet B (acting as router) C->A via B NTW 2000 © 2000, Cisco Systems, Inc. 31 IPIP SpoofingSpoofing UsingUsing SourceSource RoutingRouting B is a friend allow access Rb B B-> A v ia C A Ra A ,Rc ->B Ra via Ra , Rc B->A via C,Rc,Ra ,C Rc C A->B via Ra,Rc,C B->A via C, Rc,Ra A->B via Ra, Rc,C Back traffic uses the same source route NTW 2000 © 2000, Cisco Systems, Inc. 32 TransportTransport ControlControl ProtocolProtocol • TCP = connection oriented transport layer • RFC 793, Sep 1981 • SAP= 16 bits TCP ports NTW 2000 © 2000, Cisco Systems, Inc. 33 TCPTCP PacketPacket FormatFormat 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data | |U|A|P|R|S|F| | | Offset| Reserved |R|C|S|S|Y|I| Window | | | |G|K|H|T|N|N| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ TCP Header Format NTW 2000 © 2000, Cisco Systems, Inc. 34 TCPTCP connectionconnection establishmentestablishment B A flags= SYN, seq=( Sb,?) flags=SYN+ACK, seq=(Sa,Sb) fl ags=A CK, s eq=(S b,Sa) flags=ACK, seq=(Sb,Sa+8) data=“Username:” NTW 2000 © 2000, Cisco Systems, Inc. 35 TCPTCP blindblind spoofingspoofing BA C masquerading as B flags=SYN, seq=(Sb,?) flags=SYN+ACK, seq=(Sa,Sb) flags=ACK, seq=(Sb,Sa) flags=ACK, seq=(Sb,Sa+8) data=“Username:” CC guessesguesses SaSa AA believesbelieves thethe connectionconnection comescomes
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages169 Page
-
File Size-