Module 10: Network Infrastructure Security

Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: ahmad4_2_69@hotmail.com

Network Security, Philadelphia University, Ahmad Al-Ghoul, 2010-2011

Module Objectives

- Describe exploitation and choose appropriate security measures for hubs, bridges or switches, and routers
- Document ways in which a firewall could be compromised and select related security solutions
- List the potential for private branch exchange (PBX) exploitations and choose appropriate methods for securing a PBX
- Describe modem exploitations and select appropriate security measures

On a computer network, the network infrastructure includes the cables, connectivity devices, hosts, and connection points of the network. In this chapter you learn ways in which network infrastructure equipment might be exploited or attacked. This chapter also presents strategies and devices that can increase the security of your network.

Infrastructure Security Overview

You must control access to critical resources, protocols, and network access points. This includes protecting the physical security of equipment and the configuration of devices. Attacks against your network infrastructure can include physical attacks, such as destruction or theft of equipment, and the physical modification of equipment configurations. Attacks can also involve the logical modification of network infrastructure device configurations, such as changing a routing or switching table. You can protect your physical network infrastructure with security personnel, closed-circuit TV, alarms, access cards, locks, tamper-proof seals, backup electrical power, and similar measures.
Restrict remote administration of network infrastructure equipment whenever possible. When you must allow remote administration, be sure to use the most secure authentication and encryption possible.

Securing Network Cabling

Network cabling is a vulnerable part of your network infrastructure. However, an attacker or spy must have physical access to your cable (or at least be able to get close to the cable) to exploit or attack your network cable infrastructure. Sabotage is a simple matter for a saboteur who is able to gain physical access to your network cable infrastructure. The saboteur could cut a coaxial or twisted-pair cable to disrupt network communications. Also, coaxial and twisted-pair cable are susceptible to electromagnetic interference (EMI) and radio-frequency interference (RFI), so a source of EMI/RFI placed near a cable or wire bundle could be enough to disrupt communications. Fiber optic cable is impervious to EMI and RFI, but is easily broken.

Use the following techniques to protect your cable infrastructure:

- Document your entire cable infrastructure. Keep that documentation current. Investigate all hosts and connectivity devices that are not documented.
- Protect your network cable as much as possible by burying it underground, placing it inside walls, and protecting it with tamper-proof containers.
- Check the physical integrity of your network infrastructure cabling on a regular basis. Verify your network infrastructure after power outages.
- Enable managed devices to alert you of the presence of disconnected cables or unauthorized connections. Investigate all alerts and outages.

Securing Hubs

Because hubs are physical devices, they should be physically protected. Try to lock hubs in wiring closets. If the hub cannot be locked in a room or closet, try to secure it in some other type of protective encasement.
At a minimum, you should periodically check hubs to be sure that all cables are connected properly and that no rogue connections exist. Managed hubs can be used to detect physical configuration changes. Managed hubs report hub statistics and connection information to management software. You can configure a managed hub to send an alert when a configuration is modified. Of course, because a managed hub has a (software) configuration, an attacker could compromise the hub's configuration to disrupt network communication or mask evidence of another attack.

Switches and Bridges

Switches and bridges maintain a table that maps MAC addresses to each of their connection points. The table allows the switch or bridge to direct Layer 2 communications to the correct network segment or port, making it a potential target for attack. A central switch could also be the target of a saboteur. Destroying a central switch, disconnecting power, or disconnecting all of the network cables would disrupt all communications passing through the device.

If an attacker can gain administrative access to the switch or bridge, he or she can reroute network communications. These communications can be redirected to a host on the network under the control of the attacker, which could be the attacker's system or a system the attacker was able to gain control over using some other technique. If the attacker decides to sabotage communications on the network, he or she can do so at any time once administrative access is obtained. Of course, the attacker must gain administrative access to the bridge or switch first.
A skilled attacker can do this by trying default administrative passwords or running a password attack against the device.

ARP Cache Poisoning

Although switches and bridges segment the network, it might be possible for an attacker to use Address Resolution Protocol (ARP) cache poisoning (also known as ARP spoofing) to propagate traffic through a switch. ARP cache poisoning is a method for placing incorrect information in computers' ARP caches to misroute packets. The ARP cache is used to store Internet Protocol (IP) to MAC address mappings. For an attacker to conduct ARP cache poisoning, he or she must typically gain physical connectivity to the local segment. The attacker must then compromise the ARP caches of the hosts on that segment. ARP cache poisoning involves overwriting entries in the ARP cache to cause a computer to send all network traffic directly to the attacker's computer. If an attacker is able to do this to all the computers on the segment, he or she could effectively listen to (and forward) data packets without network users realizing it. The attacker would then be able to listen to the network traffic sent on that network, most likely to steal trade secrets or obtain unencrypted passwords.

Securing Switches and Bridges

There are several measures you can take to prevent attacks against your switches and bridges. As with other network devices, you should physically secure them so they cannot be tampered with or destroyed. Here are other suggestions that can help to secure your switches and bridges:

- Secure all physical connections on your network segments. Be sure that no unauthorized connections can be made. Also, limit physical access to your switch locations and use security personnel and monitoring devices to ensure connectivity devices are secure.
- Set complex passwords for administrative consoles.
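The ARP cache poisoning described above is what a MAC-to-IP address database is meant to catch. The following monitor is an added example written for this page (not from the slides or from any particular tool): it records the mapping seen in each ARP reply, alerts when an existing mapping changes, and checks critical hosts against manually entered mappings; all addresses and replies are constructed.

```python
# ARP monitor in the spirit of the MAC-to-IP address database approach
# (added example, not from the slides). It records the IP-to-MAC mapping
# seen in each ARP reply, alerts when an existing mapping changes (the
# symptom of ARP cache poisoning) and checks critical hosts against
# manually entered mappings. All addresses and records are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Manually entered mappings for critical devices (constructed values).
STATIC_MAPPINGS: Dict[str, str] = {
    "192.0.2.1": "00:11:22:33:44:01",    # default gateway
    "192.0.2.10": "00:11:22:33:44:10",   # central server
}

@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: the sender claims to own sender_ip."""
    timestamp: int
    sender_ip: str
    sender_mac: str

@dataclass
class ArpMonitor:
    static: Dict[str, str] = field(default_factory=dict)
    learned: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> Optional[str]:
        """Update the database with one reply; return an alert text or None."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        expected = self.static.get(ip)
        if expected is not None and expected.lower() != mac:
            # A critical host must match the manually entered mapping exactly.
            return self._alert(f"t={reply.timestamp} STATIC MISMATCH {ip}: "
                               f"expected {expected}, saw {mac}")
        known = self.learned.get(ip)
        if known is None:
            self.learned[ip] = mac      # first sighting: record, no alert
            return None
        if known != mac:
            # Same IP now answered by a different MAC: a NIC change or poisoning.
            self.learned[ip] = mac
            return self._alert(f"t={reply.timestamp} CHANGED {ip}: {known} -> {mac}")
        return None

    def _alert(self, msg: str) -> str:
        self.alerts.append(msg)
        return msg

def run(replies: List[ArpReply], static: Dict[str, str] = STATIC_MAPPINGS) -> List[str]:
    """Feed all replies through a fresh monitor and return the alerts raised."""
    mon = ArpMonitor(static=dict(static))
    for r in replies:
        mon.observe(r)
    return mon.alerts

# Constructed sample traffic: normal learning, then one station starting
# to answer ARP for both the gateway and a workstation (poisoning pattern).
SAMPLE = [
    ArpReply(1, "192.0.2.1", "00:11:22:33:44:01"),
    ArpReply(2, "192.0.2.20", "00:11:22:33:44:20"),
    ArpReply(3, "192.0.2.1", "00:aa:bb:cc:dd:ee"),    # gateway impersonated
    ArpReply(4, "192.0.2.20", "00:aa:bb:cc:dd:ee"),   # workstation impersonated
]
```

Calling run(SAMPLE) returns two alerts, one for the gateway (static mismatch) and one for the workstation (changed mapping); a single MAC answering for several IP addresses is the pattern to look for in the alert list.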
- Restrict device administration to as few people as possible from as few locations as possible. Also, be sure to change administrative passwords routinely and whenever an administrator leaves the company.
- Manually enter ARP mappings on critical devices, such as central servers, switches, bridges, and so on. If you manually enter all necessary MAC addresses, prevent the switch or bridge from learning new addresses.
- Keep your switches and bridges current with the latest vendor security patches.
- Document your device configurations so you know for sure what is normal and authorized.
- Monitor your network with management tools that alert you to unauthorized connections. Tools such as ARPWATCH can monitor activity on your network and keep a database of MAC-to-IP address mappings. The tool can also alert you to changes in these ARP mappings.

Securing Routers

A central router could also be the target of a saboteur. Destroying a central router, disconnecting power, or disconnecting all of the network cables would disrupt all communications passing through the device. To increase the security of your routers, consider the following suggestions:

- Ensure the routers are kept in locked rooms or containers.
- Check the security of all incoming and outgoing connections. Limit physical access to your network cable infrastructure, wiring closets, and server rooms. Use security personnel and monitoring equipment to protect connection points and devices.
- Utilize complex passwords for administrative consoles. Be sure to change administrative passwords routinely and whenever an administrator leaves your organization.
- Set access list entries to prevent inappropriate connections and routing of traffic.
  For example, packets with the IP address of your internal network should not be coming from the external interface on the router. If this happens, it is usually an indication that someone is trying to perform IP address spoofing.
- Keep your routers current with the latest vendor security patches.
- Be sure to document and regularly review your network configuration.
- Disable RIPv1 and utilize only RIPv2 or other routing protocols that allow you to secure router updates with passwords.

Firewalls

The term firewall is used generically to describe any device that protects an internal network (or host) from malicious hackers or software on an external network (or network to which the host is connected). Firewalls perform a variety of tasks to filter out potentially harmful incoming or outgoing traffic or connections. They are often implemented between an organization's internal network and the Internet. However, this is not always the case. Some firewalls are used to subdivide internal networks or even to protect individual computers. The five main services that firewalls provide are packet filtering, application filtering, proxy server, circuit-level, and stateful inspection. These services are described in more detail in the following sections.

Packet Filtering

A packet filtering firewall or gateway checks each packet traversing the device. The firewall inspects the packet headers of all network packets going through the firewall. Packets are passed or rejected based on a set of predefined or administrator-defined rules. Packet filter rules can accept or reject network packets based on whether they are inbound or outbound, or based on the information contained in any of the following network data packet fields:

- Source IP Address. This field is used to identify the host that is sending the packet.
  Attackers could modify this field in an attempt to conduct IP spoofing. Firewalls are typically configured to reject packets that arrive at the external interface bearing a source address of the internal network, because that is either an erroneous host configuration or an attempt at IP spoofing.
- Destination IP Address. This is the IP address that the packet is trying to reach.
- IP Protocol ID. Each IP header carries a protocol ID that identifies the protocol in the payload that follows. For example, Transmission Control Protocol (TCP) is ID 6, User Datagram Protocol (UDP) is ID 17, and Internet Control Message Protocol (ICMP) is ID 1.
- TCP or UDP Port Number. The port number that indicates the service this packet is destined for, such as TCP port 80 for Web services.
- ICMP Message Type. ICMP supports several different functions that help to control and manage IP traffic. Some of these messages can be used to attack networks, so they are frequently blocked at the firewall. For example, ICMP echo requests can be exploited to cause a broadcast storm. You can read more about ICMP message types in Request for Comments (RFC) 793.
- Fragmentation Flags. Firewalls can examine and forward or reject fragmented packets. Some flawed implementations of TCP/IP allow for the reassembly of fragmented packets as whole packets (without receipt of the first packet, which contains the full header information). A successful fragmentation attack can allow an attacker to send packets that could compromise an internal host.
- IP Options Setting. This field is used for diagnostics. The firewall should be configured to drop network packets that use this field. Attackers could potentially use this field in conjunction with IP spoofing to redirect network packets to their systems.

Application Filtering

An application filtering firewall intercepts connections and performs security inspections.
The firewall must be equipped with the appropriate applications to perform this task. In this way, the firewall acts as a proxy for connections between the internal and external network. The firewall can check and enforce access control rules specific to the application. Application filtering firewalls are used to check incoming e-mails for virus attachments; these firewalls are often called e-mail gateways.

Proxy Server

Like an application filtering firewall, a proxy server takes on responsibility for providing services between the internal and external network. However, the proxy server can actually be the server providing the services, or it can create a separate connection to the requested server. In this way, a proxy server can be used to hide the addressing scheme of the internal network. Proxy servers can also be used to filter requests based on the protocol and address requested. For example, the proxy server could be configured to reject incoming connections to http://www.internal.local or outgoing connections to http://www.external.net.

Circuit-Level

A circuit-level firewall controls TCP and UDP ports, but doesn't watch the data transferred over them. Therefore, once a connection is established, the traffic is transferred without any further checking.

Stateful Inspection

A stateful inspection firewall works at the Network layer. The firewall evaluates the IP header information and monitors the state of each connection. Connections are rejected if they attempt any actions that are not standard for the given protocol.

Any of these listed firewall features can be implemented in combination by a given firewall implementation. Placing multiple firewalls in series is a common practice to increase security at the network perimeter.
If an attacker is able to breach the first firewall, the second offers additional protection. Using multiple firewalls in series (back-to-back) is one example of creating defense-in-depth, as shown in Figure 4-1, which means that you are using multiple layers of protection to keep your network secure.

Exploiting Firewalls

Poorly implemented firewall configuration is a common reason firewalls are compromised. For example, firewalls can be configured with a default-allow rule or a default-deny rule. The default-allow rule (also known as allow-all) means that a firewall permits all inbound network packets except those that are specifically prohibited. Network administrators and security personnel usually view this setting as too permissive. The other option is the default-deny rule, which rejects all inbound packets except those that are specifically permitted. This is the standard configuration of a secure firewall. Flaws in firewall software are another reason firewalls are compromised. Usually, vendors release software patches or temporary solutions quickly after the flaws are made publicly known. The following list describes other ways in which firewalls might be compromised:

Securing Firewalls

As described in the previous section, there are several ways an attacker might attempt to neutralize your firewall, so protecting it requires vigilance. To protect your firewall, follow this advice:

- Keep track of security bulletins concerning your firewall product. Apply all software patches as they are made available.
- Update virus definition files routinely.
- Physically protect the firewall.
- Document the firewall configuration and review that configuration regularly.
- Limit the methods for managing the firewall.
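The following added example (written for this page, not from the slides) evaluates constructed packets against a first-match rule list over the header fields described under Packet Filtering, including the anti-spoofing rule for internal source addresses arriving on the external interface, and lets you compare the default-deny and default-allow policies contrasted above; the address ranges, rules and packets are all constructed.

```python
# Default-deny packet filter over the header fields the slides list
# (direction, source/destination IP, protocol ID, port, ICMP type,
# fragments, IP options), with the anti-spoofing rule for packets that
# arrive on the external interface with an internal source address.
# Added example, not from the slides; all addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed internal range
TCP, ICMP = 6, 1                                      # IP protocol IDs from the slides
ICMP_ECHO_REQUEST = 8

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = arrives on the external interface
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    fragment: bool = False          # non-initial fragment without the full header
    ip_options: bool = False

def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET

# Rules are (name, predicate, verdict); the first match decides.
RULES: List[Tuple[str, Callable[[Packet], bool], str]] = [
    ("anti-spoof: internal source on external interface",
     lambda p: p.direction == "in" and is_internal(p.src), "deny"),
    ("drop packets carrying IP options", lambda p: p.ip_options, "deny"),
    ("drop non-initial fragments", lambda p: p.fragment, "deny"),
    ("block inbound ICMP echo requests",
     lambda p: p.direction == "in" and p.proto == ICMP
     and p.icmp_type == ICMP_ECHO_REQUEST, "deny"),
    ("allow inbound web traffic to the web server",
     lambda p: p.direction == "in" and p.proto == TCP
     and p.dst == "192.0.2.80" and p.dport == 80, "allow"),
    ("allow outbound traffic from the internal network",
     lambda p: p.direction == "out" and is_internal(p.src), "allow"),
]

def filter_packet(p: Packet, default: str = "deny") -> Tuple[str, str]:
    """Return (verdict, matched rule). `default` applies when nothing matches:
    "deny" is the secure default-deny policy, "allow" the permissive default-allow."""
    for name, match, verdict in RULES:
        if match(p):
            return verdict, name
    return default, f"default-{default}"

# Constructed test traffic; only the first two should pass a sound policy.
SAMPLE = [
    Packet("in", "198.51.100.7", "192.0.2.80", TCP, dport=80),
    Packet("out", "192.0.2.20", "198.51.100.7", TCP, dport=443),
    Packet("in", "192.0.2.20", "192.0.2.10", TCP, dport=22),       # spoofed source
    Packet("in", "198.51.100.7", "192.0.2.255", ICMP, icmp_type=ICMP_ECHO_REQUEST),
    Packet("in", "198.51.100.7", "192.0.2.10", TCP, dport=3389),   # unlisted service
]

def count_allowed(default: str) -> int:
    """Number of SAMPLE packets that get through under the given default policy."""
    return sum(filter_packet(p, default)[0] == "allow" for p in SAMPLE)
```

Under default-deny the unlisted inbound service in the last sample packet is rejected; switching the same rule list to default-allow lets it through, which is the gap the slides warn about.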
- If remote management is allowed, use the most secure authentication available.
- Use complex passwords. Be sure to change administrative passwords routinely, and always change them when an administrator leaves your organization.
- Know and test the firewall rules by trying to make connections to unauthorized ports or services from outside the firewall.
- Ensure that there are no network paths or connections that can be used to circumvent the firewall.

Telecommunications Hacking

Telecommunications systems provide internal phone services for many organizations. These private telecommunications systems are known as PBX systems. They usually offer a variety of features such as voice mail, multiple-party calling, long-distance access restrictions, and call tracking. PBX systems are potential targets for attackers. Attackers who gain unauthorized access to the PBX system could potentially use it to do the following:

- Make free long-distance calls by changing billing records.
- Compromise or shut down the organization's voice mail system.
- Reroute incoming, transferred, or outgoing calls.
- Compromise the rest of your organization's network, as PBX systems are part of your network infrastructure. For example, locate a modem-equipped PC. Use that PC to create an analog connection to the internal network, and then use the analog connection to access the internal network.

Hacking PBX Systems

PBX systems are frequently an organization's most valuable communication asset. If the PBX system is compromised, the organization could lose business. There are relatively few brands of PBX systems available, so an attacker could use knowledge of a few select systems to compromise a wide variety of businesses. Although PBX systems are complex, a skilled attacker could use the system to compromise your network infrastructure.
There are a variety of methods that an attacker might use to compromise the PBX system:

- PBX systems come with default passwords for system maintenance. Attackers could run password attacks to guess these PBX maintenance passwords. Once an attacker acquires a management password, he or she can reconfigure the PBX system.
- PBX systems are often expensive and upgrades are difficult. Therefore, many businesses use older PBX systems that might have unencrypted databases with obvious data structures that could be manipulated.
- PBX security is not as popular a topic as computer security. Many businesses don't think to protect their PBX systems or know how to do so. Users might be tricked into giving up passwords for the telephone system because awareness of exploitation is not as high as it is with computer systems.
- Remote management and upgrades of PBX systems are commonplace. Remote connections could be used to install malicious software or reconfigure the PBX system.
- Many people use and have access to the PBX-connected telephones. These terminals could be used to attack or reconfigure the PBX system.
- Telecommunications infrastructure might extend into unused floors and offices, making it easier for someone to hide an unauthorized connection (or conceal hacking attempts).

Modems

Modems connect computers to the Internet and to private networks, but those connections could be susceptible to compromise or attack. As explained earlier, modems can be used to circumvent the security provided by your organization's firewall and other security devices. Modems can provide direct access to a system on a network and potentially be used to access other systems on that network. Exploited modem dialing software can be used to erase hard drives or cause the modem to dial emergency services, for example.
To protect your network from modem exploits, follow these procedures:

- Remove all unnecessary modems from computers on your network.
- Check for software updates for all computers that must have modems. Monitor security bulletins from modem vendors for newly discovered security gaps and apply software patches as soon as they are available.
- Isolate computers configured with modems to limit the damage that can be caused by those systems should the modem be compromised.
- Monitor computers with modems regularly to ensure they have not been compromised.