Network Devices - Attacks
Network Security Fundamentals
• Once information security and network security were virtually synonymous
• The network was viewed as the protecting wall around which client computers could be kept safe
• But this approach is untenable: too many entry points circumvent the network and allow malware to enter, for example:
• Infected USB flash drives
• Malware that rides on common network protocols (HTTP) and so cannot always be detected or blocked by network security devices
Network Security Posture
• Yet a secure network is essential to a comprehensive information security posture:
• Not all applications are designed and written with security and reliability in mind, so it falls to the network to provide protection
• Network-delivered services scale better for larger environments and can complement server and application functionality
• An attacker who successfully penetrates the computer network may gain access to thousands of desktop systems, servers, and storage devices
Network Security Strategy
• Secure network defense remains a critical element in any organization’s security plan
• Organizations should make network defenses one of their first priorities in protecting information
• Network security strategy:
• Network devices
• Network technologies
• Design of the network
Security Through Network Devices
• Not all applications are designed and written with security in mind
• The network must provide the protection those applications lack
• Networks with weak security invite attackers
Standard Network Devices
• Aspects of building a secure network
• Network devices
• Network technologies
• Design of the network itself
• Security features found in network hardware only provide a
basic level of security
Standard Network Devices
• Open Systems Interconnection (OSI) reference model
• Network devices are classified by the layer at which they function
• Standards released in 1978, revised in 1983, still used today
• Illustrates:
• How a network device prepares data for delivery
• How data is handled once received
Standard Network Devices (cont’d.)
• OSI model breaks networking steps into seven layers
• Each layer has a different networking function
• Each layer cooperates with the adjacent layers
Table 6-1 OSI reference model
Security+ Guide to Network Security Fundamentals, Fourth Edition
Standard Network Devices (cont’d.)
• Hubs
• Connect multiple Ethernet devices together to function as a single network segment
• Use coaxial, twisted-pair copper, or fiber-optic cabling
• Operate at Layer 1 of the OSI model
• Do not read the data passing through them
• Ignorant of data source and destination: every frame is repeated out every port
• Rarely used today because of this inherent security weakness (any attached device can capture all traffic on the segment)
Standard Network Devices (cont’d.)
• Switches
• A network switch connects network devices
• Operate at the Data Link Layer (Layer 2)
• Learn which device is connected to each port from the source MAC address of incoming frames
• Forward frames only to the port of the specific destination device
• Or flood to all ports when the destination MAC address is unknown or is a broadcast
• Use MAC addresses to identify devices
• Provide better security than hubs, but the learning process itself can be attacked (see MAC flooding and spoofing below)
Standard Network Devices (cont’d.)
• A network administrator should be able to monitor network traffic
• Helps identify and troubleshoot network problems
• Traffic monitoring methods
• Use a switch with port mirroring (SPAN on Cisco switches)
• Copies all traffic to a designated monitoring port on the switch
• Security issue: whoever controls the mirror port sees every frame crossing the switch, so the port must be physically secured and mirroring left disabled when not in use
Standard Network Devices (cont’d.)
• Traffic monitoring methods (cont’d)
• Install a network tap (test access point)
• A device installed between two network devices, such as a switch, router, or firewall, to monitor traffic
Network Attacks
Spoofing attacks (Discussed in CCNP)
• DHCP starvation and DHCP spoofing
• An attacking device can exhaust the address space available to the DHCP servers for a period of time (starvation), or establish itself as a DHCP server (spoofing) and hand out its own address as default gateway or DNS server, enabling man-in-the-middle attacks
• Solution
• DHCP snooping: DHCP server replies are accepted only on ports marked as trusted, and the MAC/IP/port bindings learned from legitimate leases feed the other Layer 2 checks below
Spoofing attacks (Discussed in CCNP)
• Spanning tree compromises
• Attacking device spoofs the root bridge in the STP topology.
• If successful, the network attacker can see a variety of frames.
• Solution
• Proactively configure the primary and backup root devices.
• Enable root guard.
Spoofing attacks (Discussed in CCNP)
• MAC spoofing
• Attacking device spoofs the MAC address of a valid host currently in the CAM table
• Switch then forwards frames destined for the valid host to the attacking device
• Solution
• DHCP snooping
• Port security
Spoofing attacks (Discussed in CCNP)
• Address Resolution Protocol (ARP) spoofing
• Attacking device crafts ARP replies intended for valid hosts.
• The attacking device’s MAC address then becomes the destination address
found in the Layer 2 frames sent by the valid network device.
• Solution
• Dynamic ARP Inspection
• DHCP snooping
• Port security
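The three defences named above (DHCP snooping, Dynamic ARP Inspection, port binding) work together: snooping builds a table of which MAC/IP pair lives on which port, and DAI refuses ARP replies on untrusted ports that contradict it. The following is an added example, not code from the slides or from any switch vendor: a small Python model of that check run over constructed DHCP leases and hand-built ARP reply frames. Port names, MAC and IP addresses, and the trusted-port set are assumptions for the demo.

```python
"""Added example (not from the slides): DHCP snooping feeding Dynamic ARP
Inspection (DAI).  Port names, MAC and IP addresses are constructed."""
import struct
from dataclasses import dataclass

TRUSTED_PORTS = {"Gi0/24"}  # uplink to the real DHCP server; all other ports untrusted


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str


class DhcpSnooping:
    """Accepts DHCP server replies only from trusted ports and records the
    MAC/IP/port binding of every lease it sees."""

    def __init__(self):
        self.bindings: dict[str, Binding] = {}

    def observe_dhcp_ack(self, server_port, client_port, client_mac, leased_ip):
        if server_port not in TRUSTED_PORTS:
            return "drop: DHCP server reply from untrusted port (rogue server)"
        self.bindings[client_mac] = Binding(client_mac, leased_ip, client_port)
        return "accept: binding recorded"


def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + RFC 826 ARP reply (opcode 2), 42 bytes in total."""
    eth = mac_bytes(target_mac) + mac_bytes(eth_src) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    oper = struct.unpack("!HHBBH", frame[14:22])[4]
    return {"eth_src": fmt_mac(frame[6:12]), "oper": oper,
            "sha": fmt_mac(frame[22:28]), "spa": fmt_ip(frame[28:32]),
            "tha": fmt_mac(frame[32:38]), "tpa": fmt_ip(frame[38:42])}


class DynamicArpInspection:
    """Validates ARP seen on untrusted ports against the snooping binding table."""

    def __init__(self, snooping: DhcpSnooping):
        self.snooping = snooping

    def inspect(self, in_port, frame):
        arp = parse_arp(frame)
        if arp is None:
            return "forward: not an ARP packet"
        if in_port in TRUSTED_PORTS:
            return "forward: trusted port"
        if arp["eth_src"] != arp["sha"]:  # same check as IOS 'ip arp inspection validate src-mac'
            return "drop: Ethernet source MAC differs from ARP sender MAC"
        binding = self.snooping.bindings.get(arp["sha"])
        if binding is None or binding.ip != arp["spa"] or binding.port != in_port:
            return "drop: sender MAC/IP not bound to this port"
        return "forward: matches DHCP snooping binding"


def demo():
    snoop = DhcpSnooping()
    dai = DynamicArpInspection(snoop)
    host, attacker, gateway_ip = "00:11:22:33:44:01", "00:11:22:33:44:99", "192.168.1.1"
    results = {}
    # Legitimate lease: server reply arrives on the trusted uplink, client sits on Gi0/1.
    results["lease"] = snoop.observe_dhcp_ack("Gi0/24", "Gi0/1", host, "192.168.1.10")
    # Rogue DHCP server plugged into an access port: its replies are dropped.
    results["rogue_dhcp"] = snoop.observe_dhcp_ack("Gi0/7", "Gi0/2", "00:11:22:33:44:02", "192.168.1.50")
    # Host answers an ARP request for its own address: consistent with the binding.
    legit = build_arp_reply(host, host, "192.168.1.10", "00:11:22:33:44:fe", gateway_ip)
    results["legit_arp"] = dai.inspect("Gi0/1", legit)
    # Attacker on Gi0/7 claims to be the gateway (ARP spoofing): no such binding.
    spoof = build_arp_reply(attacker, attacker, gateway_ip, host, "192.168.1.10")
    results["spoofed_arp"] = dai.inspect("Gi0/7", spoof)
    # Attacker copies the host's MAC into the ARP body but not into the frame header.
    mismatch = build_arp_reply(attacker, host, "192.168.1.10", host, gateway_ip)
    results["mac_mismatch"] = dai.inspect("Gi0/7", mismatch)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

Static hosts that never use DHCP have no binding and would be dropped by this model; on a real switch they need a static binding or an ARP ACL, and the uplink to the DHCP server must be the only trusted port.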
Attacks on switch devices
• Cisco Discovery Protocol (CDP) manipulation
• Information sent through CDP is transmitted in clear text and
unauthenticated, allowing it to be captured and divulge network
topology information.
• Solution
• Disable CDP on all ports where it is not intentionally used.
Attacks on switch devices
• Secure Shell Protocol (SSH) and Telnet attacks
• Telnet packets can be read in clear text.
• SSH is an option but has security issues in version 1.
• Solution
• SSH version 2, with Telnet disabled on the VTY lines.
• If Telnet must remain, restrict it with virtual type terminal (VTY) ACLs; the ACL limits who can reach the line but does not protect the credentials in transit.
MAC layer attacks
• MAC address flooding
• Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space, disallowing new entries from valid hosts.
• Traffic to valid hosts is subsequently flooded out all ports.
• Solution
• Port security (lock MAC addresses to specific ports, or limit the number of MAC addresses a port may learn)
• MAC address VLAN access maps
MAC Layer Attacks
• Common Layer 2 or switch attack (“as of this writing”)
• Launched for the malicious purpose of:
• Collecting a broad sample of traffic
• Denial of Service (DoS) attack.
MAC Layer Attacks
• Many switches’ CAM tables are limited in size (1,024 to over 16,000 entries).
• Tools such as dsniff can flood the CAM table in just over 1 minute.
dsniff: http://www.monkey.org/~dugsong/dsniff/
• “dsniff is a collection of tools for network auditing and penetration testing.
dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor
a network for interesting data (passwords, e-mail, files, etc.).”
• “arpspoof, dnsspoof, and macof facilitate the interception of network traffic
normally unavailable to an attacker (e.g, due to layer-2 switching).”
• “sshmitm and webmitm implement active monkey-in-the-middle attacks
against redirected SSH and HTTPS sessions by exploiting weak bindings in
ad-hoc PKI.”
• “I wrote these tools with honest intentions - to audit my own network, and
to demonstrate the insecurity of most network application protocols. Please
do not abuse this software.”
MAC Flooding switches with dsniff
(each line below is one generated frame; macof randomizes the source MAC address, IP addresses and TCP ports)
[root@sconvery-lnx dsniff-2.3]# ./macof
TCP D=55934 S=322 Syn Seq=1210303300 Len=0 Win=512
TCP D=44686 S=42409 Syn Seq=1106243396 Len=0 Win=52
TCP D=59038 S=21289 Syn Seq=2039821840 Len=0 Win2
TCP D=7519 S=34044 Syn Seq=310542747 Len=0 Win2
TCP D=62807 S=53618 Syn Seq=2084851907 Len=0 Win2
TCP D=23929 S=51034 Syn Seq=1263121444 Len=0 Wi2
TCP D=1478 S=56820 Syn Seq=609596358 Len=0 Win=512
TCP D=38433 S=31784 Syn Seq=410116516 Len=0 Win2
TCP D=42232 S=31424 Syn Seq=1070019027 Len=0 Win=52
TCP D=56224 S=34492 Syn Seq=937536798 Len=0 Win=52
TCP D=23840 S=45783 Syn Seq=1072699351 Len=0 2
TCP D=3453 S=4112 Syn Seq=1964543236 Len=0 Win=512
TCP D=12959 S=42911 Syn Seq=1028677526 Len=0 W2
TCP D=33377 S=31735 Syn Seq=1395858847 Len=0 Win=2
TCP D=26975 S=57485 Syn Seq=1783586857 Len=0 Wi2
TCP D=23135 S=55908 Syn Seq=852982595 Len=0 Wi2
TCP D=54512 S=25534 Syn Seq=1571701185 Len=0 Win=2
TCP D=61311 S=43891 Syn Seq=1443011876 Len=0 Win2
TCP D=25959 S=956 Syn Seq=6153014 Len=0 Win=512
TCP D=33931 S=1893 Syn Seq=116924142 Len=0 Win=52
TCP D=43954 S=49355 Syn Seq=1263650806 Len=0 Win2
TCP D=61408 S=26921 Syn Seq=464123137 Len=0 Win=512
TCP D=61968 S=53055 Syn Seq=682544782 Len=0 Win=512
MAC Flooding
• dsniff can generate 150,000+ MAC entries on a switch per minute
• It takes about 60 seconds to fill the CAM table
• Once the table is full, traffic without a CAM entry floods on the VLAN.
MAC Flooding
• Once the CAM table is full, new valid entries will not be accepted.
• The switch must flood frames to any such address out all ports.
• This has two adverse effects:
• Switch traffic forwarding becomes inefficient and voluminous.
• An intruding device connected to any switch port can capture traffic not normally seen on that port.
• If the attack is launched before the beginning of the day, the CAM table is already full as the majority of devices are powered on.
• Legitimate devices are unable to create CAM table entries as they power on.
• The volume of flooded frames from a large number of devices will be high.
• If the initial, malicious flood of invalid CAM table entries is a one-time event:
• Eventually the switch will age out the older, invalid CAM table entries
• New, legitimate devices will be able to create an entry in the CAM table
• Traffic flooding will cease
• The intruder may never be detected (the network seems normal again), which is why tools such as macof keep sending continuously rather than flooding once.
Suggested Mitigation for MAC Flood Attacks
Port Security
• Port security restricts port access by MAC address: a port learns or is configured with a limited set of addresses, and a frame from any other address is a violation (the frame is dropped, the event is logged, or the port is shut down).
Rick Graziani graziani@cabrillo.edu
Table 6-2 Protecting the switch
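The effects listed above (table full, newcomers never learned, their traffic flooded to the attacker's port) and the port-security fix are easiest to see on a model. The following is an added example, not code from the slides or from any switch vendor: a Python switch with a fixed-size CAM table, run once under a macof-style flood of random source MACs and once with port security limiting each port to one MAC address. The capacity, port names and MAC addresses are constructed for the demo, and aging is deliberately left out so the one-time flood keeps its effect.

```python
"""Added example (not from the slides): a switch CAM table under a macof-style
flood, unprotected and then with port security (max 1 MAC per port).
Capacity, port names and MAC addresses are constructed for the demo."""
import random


class Switch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity       # real switches: ~1k to >16k entries
        self.cam = {}                          # mac -> port (no aging in this model)
        self.max_macs_per_port = max_macs_per_port
        self.secure_macs = {p: set() for p in ports}
        self.err_disabled = set()              # ports shut down by a violation

    def _port_security_ok(self, port, src_mac):
        if self.max_macs_per_port is None:
            return True
        learned = self.secure_macs[port]
        if src_mac in learned:
            return True
        if len(learned) >= self.max_macs_per_port:
            return False                       # violation: shut the port (err-disable)
        learned.add(src_mac)
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Returns the set of egress ports for one frame."""
        if in_port in self.err_disabled:
            return set()
        if not self._port_security_ok(in_port, src_mac):
            self.err_disabled.add(in_port)
            return set()
        if src_mac not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port        # learning silently fails once the table is full
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            return self.ports - {in_port}      # unknown unicast or broadcast: flood
        return {out}


def run_scenario(max_macs_per_port=None, cam_capacity=1024, flood_frames=2000, seed=7):
    rng = random.Random(seed)
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"], cam_capacity, max_macs_per_port)
    host_a, host_b, newcomer = "00:aa:00:00:00:01", "00:aa:00:00:00:02", "00:aa:00:00:00:04"
    attacker_port = "Gi0/3"
    # Hosts A and B are already talking, so their CAM entries exist before the attack.
    sw.forward("Gi0/1", host_a, host_b)
    sw.forward("Gi0/2", host_b, host_a)
    # Attacker on Gi0/3 sends frames with random source MACs (what macof does).
    for _ in range(flood_frames):
        fake = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.forward(attacker_port, fake, "ff:ff:ff:ff:ff:ff")
    # A new host powers on behind Gi0/4 and talks to host A; A replies.
    sw.forward("Gi0/4", newcomer, host_a)
    egress_for_reply = sorted(sw.forward("Gi0/1", host_a, newcomer))
    return {
        "cam_entries": len(sw.cam),
        "cam_full": len(sw.cam) >= cam_capacity,
        "attacker_port_shutdown": attacker_port in sw.err_disabled,
        "newcomer_learned": newcomer in sw.cam,
        "egress_for_reply": egress_for_reply,
        "attacker_sees_reply": attacker_port in egress_for_reply,
    }


if __name__ == "__main__":
    print("no port security   :", run_scenario())
    print("port security max 1:", run_scenario(max_macs_per_port=1))
```

In the unprotected run the table fills, the newcomer is never learned, and A's reply to it is flooded out Gi0/3 where the attacker is listening. With the limit in place the second fake address on Gi0/3 is a violation, the port is err-disabled and the table holds only the four real hosts. The IOS equivalent of the protected run, on the access port, is `switchport port-security`, `switchport port-security maximum 1` and `switchport port-security violation shutdown`.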
Standard Network Devices (cont’d.)
• Routers
• Forward packets across computer networks
• Operate at Network Layer (Layer 3)
• Can be set to filter out specific types of network traffic
Network Security Hardware
• Specifically designed security hardware devices
• Greater protection than standard networking devices
Standard Network Devices (cont’d.)
• Load balancers
• Help evenly distribute work across a network
• Allocate requests among multiple devices
Standard Network Devices (cont’d.)
• Load balancers
• Advantages of load-balancing technology
• Reduces probability of overloading a single server
• Optimizes bandwidth of network computers
• Reduces network downtime
• Load balancing is achieved through software or
hardware device (load balancer)
Standard Network Devices (cont’d.)
• Security advantages of load balancing
• Because load balancers generally sit between the routers and the servers, they can detect and stop attacks directed at a server or application
• A load balancer can detect and prevent denial-of-service (DoS) and protocol attacks that could cripple a single server
• Some can deny attackers information about the network
• Hide HTTP error pages
• Remove server identification headers from HTTP responses
Network Security Hardware
• Firewalls
• A firewall can be software-based or hardware-based
• Typically used to inspect and filter packets; sometimes called a packet filter
• Can either accept or deny packet entry
• Designed to prevent malicious packets from entering the network
• Hardware firewalls are usually located outside the network security perimeter, as the first line of defense
Example Firewall Network Diagram
Firewall (continued)
• The basis of a firewall is a rule base
• Establishes what action the firewall should take when it
receives a packet (allow, block, and prompt)
• Stateless packet filtering
• Looks at the incoming packet and permits or denies it based
strictly on the rule base
• Stateful packet filtering
• Keeps a record of the state of a connection between an
internal computer and an external server
• Then makes decisions based on the connection as well as
the rule base
Stateless Firewall Rules
Table 6-3 Rule for Web page transmission
Stateful Firewall Rules
• Same rule with State = Established: an inbound packet is accepted only when it belongs to a connection the internal host already opened
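The difference between the two rule tables is best seen by feeding the same packets through both. The following is an added example, not code from the slides: a Python stateless rule base in the spirit of Table 6-3 (the table itself is not reproduced on this page, so the rule contents are an assumption), beside a stateful filter that records outbound connections and admits inbound packets only as their reverse. Addresses and ports are constructed for the demo.

```python
"""Added example (not from the slides): stateless vs. stateful packet filtering
for Web traffic.  Addresses, ports and rule contents are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": inside -> Internet, "in": Internet -> inside
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def in_range(value, bounds):
    return bounds is None or bounds[0] <= value <= bounds[1]


# Stateless rule base: each packet is judged on its own header fields.
# The second rule is the classic 'return traffic' rule: it has to open every
# high port to anything claiming to come from port 80, because the filter
# cannot know whether a reply was ever requested.
STATELESS_RULES = [
    {"direction": "out", "proto": "tcp", "sport": (1024, 65535), "dport": (80, 80), "action": "allow"},
    {"direction": "in",  "proto": "tcp", "sport": (80, 80), "dport": (1024, 65535), "action": "allow"},
]
DEFAULT_ACTION = "deny"


def stateless_decide(pkt: Packet) -> str:
    for rule in STATELESS_RULES:
        if (rule["direction"] == pkt.direction and rule["proto"] == pkt.proto
                and in_range(pkt.sport, rule["sport"]) and in_range(pkt.dport, rule["dport"])):
            return rule["action"]
    return DEFAULT_ACTION


class StatefulFirewall:
    """Same outbound rule, but inbound traffic must match a tracked connection."""

    def __init__(self):
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            verdict = stateless_decide(pkt)
            if verdict == "allow":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # Inbound: allowed only as the reverse of a connection we saw leave.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.connections else "deny"


def demo():
    """Returns {name: (stateless verdict, stateful verdict)} in arrival order."""
    fw = StatefulFirewall()
    inside, web, scanner = "192.168.1.20", "203.0.113.10", "198.51.100.7"
    traffic = {
        "request":     Packet("out", inside, 40000, web, 80),
        "reply":       Packet("in", web, 80, inside, 40000),
        "unsolicited": Packet("in", scanner, 80, inside, 3389),  # source port 80 picked to slip past rule 2
        "other_reply": Packet("in", web, 80, inside, 40001),     # right server, wrong client port
    }
    return {name: (stateless_decide(p), fw.decide(p)) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:12s} stateless={stateless:5s} stateful={stateful}")
```

The "unsolicited" packet is the point: a scanner that sets its source port to 80 walks through the stateless rule base and reaches RDP on the inside host, while the stateful filter has no matching connection and drops it.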
Inbound and Outbound Traffic Filtering
• Most personal software firewalls today filter outbound traffic as well as inbound traffic
• Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading
• But it annoys them with frequent alerts asking whether a program may connect
Application-Aware Firewalls
• Application-aware firewall (next-generation firewall or NGFW)
• More “intelligent” firewall that operates at a higher level
• Identifies the applications that send packets through the firewall and then makes decisions about the application (vs. granular rule settings like destination port or protocol)
Application-Aware Firewalls
• Web application firewall (WAF)
• Special type of application-aware firewall that looks at application traffic such as HTTP
• Can block specific sites or specific known attacks
• Can block XSS and SQL injection attacks, typically by matching request patterns; this reduces exposure but does not replace fixing the vulnerable application, since encoded or novel payloads can evade the patterns
Network Security Hardware (cont’d.)
• Proxies
• Devices that substitute for primary devices
• Proxy server
• Computer or application that intercepts and processes user requests
• If a previous request has been fulfilled, a copy of the Web page may reside in the proxy server’s cache
• If not, the proxy server requests the item from the external Web server using its own IP address
Network Security Hardware (cont’d.)
• Application-aware proxy
• Special proxy server that “knows” the application protocols that it supports
• Example: an FTP proxy server implements the FTP protocol
Proxy Server
Figure: the client asks the proxy for a page (“I want to see …”); the proxy either answers from its cache (“Here is my copy”) or fetches yahoo.com and saves a copy
Proxy Server
• Clients never directly connect to the Internet
• This saves bandwidth, because one copy of a popular Web page can be served many times
• Allows a company to block forbidden Web sites
• It also prevents many attacks in the same way NAT does: only the proxy’s address is exposed, and unsolicited inbound connections have nowhere to go
• Can also be used to hide a user’s location and IP address, which is exactly what an attacker wants when routing traffic through a third-party proxy
• Reverse proxy
• Does not serve clients but instead routes incoming requests to the correct server
Configuring access to proxy servers
Web Based Proxies
Network Security Hardware (cont’d.)
• Proxy server advantages
• Increased speed (requests served from the cache)
• Reduced costs (cache reduces bandwidth required)
• Improved management
• Block specific Web pages or sites
• Stronger security
• Intercept malware
• Hide client system’s IP address from the open Internet
Network Security Hardware (cont’d.)
• Reverse proxy
• Does not serve clients
• Routes incoming requests to correct server
• Reverse proxy’s IP address is visible to outside users
• Internal server’s IP address hidden
Reverse Proxy
Figure: an outside client connects to the reverse proxy’s public address; the proxy forwards the request to Web server 1 behind it
Network Security Hardware (cont’d.)
• Spam filters
• Enterprise-wide spam filters block spam before it
reaches the host
• Email systems use three main protocols
• Simple Mail Transfer Protocol (SMTP)
• Handles transferring outgoing mail
• Post Office Protocol (POP)
• Handles incoming mail
• Internet Message Access Protocol (IMAP)
• Handles incoming mail
Network Security Hardware (cont’d.)
• Spam filters installed with the SMTP server
• Filter configured to listen on port 25
• Pass non-spam e-mail to SMTP server listening on another port
• Method prevents SMTP server from notifying spammer of failed
message delivery
Network Security Hardware (cont’d.)
• Spam filters installed on the Email servers
• All spam must first pass through SMTP server and be delivered to
user’s mailbox
• Can result in increased costs
• Storage, transmission, backup, deletion
Network Security Hardware (cont’d.)
• Third-party entity contracted to filter spam
• All email directed to third-party’s remote spam filter
• E-mail cleansed before being redirected to organization
Internet Content Filters
• Internet content filters
• Monitor Internet traffic and block access to preselected Web sites and files
• A requested Web page is only displayed if it complies with the specified filters
• Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL filtering) or by matching keywords in the page content (content inspection)
• Inspect traffic for malware (malware inspection)
Table 6-4 Internet content filter features
Network Security Hardware (cont’d.)
• Web security gateways
• Can block malicious content in real time
• Block content through application level filtering
• Examples of blocked Web traffic
ActiveX objects
Adware, spyware
Peer to peer file sharing
Script exploits
TCP/IP malicious code attacks
Network Security Hardware (cont’d.)
• Passive and active security can be used in a network
• Active measures provide a higher level of security
• Passive measures
• Firewall
• Internet content filter
• Active measures
• Can detect and block attacks as they occur
Network Security Hardware (cont’d.)
• Monitoring methodologies
• Anomaly-based monitoring
• Compares current detected behavior with baseline
• Signature-based monitoring
• Looks for well-known attack signature patterns
• Behavior-based monitoring
• Detects abnormal actions by processes or programs
• Alerts user who decides whether to allow or block activity
• Heuristic monitoring
• Uses experience-based techniques
Table 6-5 Methodology comparisons to trap port-scanning application
Network Security Hardware (cont’d.)
• Intrusion detection system (IDS)
• Active security measure
• Can detect attack as it occurs
Network Security Hardware (cont’d.)
• Host intrusion detection system (HIDS)
• Software-based application that can detect attacks as they occur
• Installed on each system needing protection
• Monitors
System calls
File system access and modifications
Registry settings and modifications
Host input and output communications
Anomalous activity
Network Security Hardware (cont’d.)
• Disadvantages of HIDS
• Cannot monitor network traffic that does not reach local system
• All log data is stored locally
• Resource-intensive and can slow system
Network Security Hardware (cont’d.)
• Network intrusion detection system (NIDS)
• Watches for attacks on the network
• NIDS sensors installed on firewalls and routers:
• Gather information and report back to central device
• Passive NIDS will sound an alarm
• Active NIDS will sound alarm and take action
• Actions may include filtering out intruder’s IP address or terminating TCP session
Table 6-6 NIDS evaluation techniques
Host Intrusion Prevention
Systems (HIPS)
• Installed on each system that needs to be protected
• Rely on agents installed directly on the system being protected
• Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks
Network Security Hardware (cont’d.)
• Network intrusion prevention system (NIPS)
• Similar to an active NIDS
• Monitors network traffic to immediately block a malicious attack
• NIPS sensors are located in line, on the firewall itself
• A typical IPS response may be to block all incoming traffic on a specific port
• Major difference between a NIDS and a NIPS is location:
• NIDS has sensors that monitor traffic entering and leaving the firewall and report back to a central device for analysis
• NIPS is located “in line” on the firewall itself, allowing it to act more quickly to block an attack
• Application-aware IPS: knows information such as the applications and operating systems in use so that it can provide a higher degree of accuracy
Unified Threat Management (UTM)
Security Appliances
• Because different types of network security hardware each
provide a different defense, network may require multiple
devices for comprehensive protection
• Makes cumbersome to manage multiple devices
• Unified Threat Management (UTM) - Security product that
combines several security functions
UTM Functions
• UTM functions:
Antispam and antiphishing
Antivirus and antispyware
Bandwidth optimization
Content filtering
Instant messaging control
Intrusion protection
Web filtering
Security Through Network Technologies
• Network technologies can also help to secure network
• Two technologies:
• Network address translation
• Network access control
Network Address Translation (NAT)
• Hides the IP addresses of network devices from attackers
• Private addresses
• IP addresses not assigned to any specific user or organization
• Function as regular IP addresses on an internal network
• Non-routable addresses: traffic addressed to private addresses is discarded by Internet routers
Table 6-7 Private IP addresses (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)
Network Address Translation (NAT)
• NAT removes the private IP address from the sender’s packet
• And replaces it with an alias (public) IP address
• When a packet is returned to the NAT device, the process is reversed
• An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender
Network Address Translation (NAT) cont’d
• Network address translation (NAT)
• Allows devices with private IP addresses to communicate over the public Internet
• Replaces the private IP address with a public address
• Port address translation (PAT)
• Variation of NAT
• Outgoing packets are given the same public IP address but a different TCP or UDP port number, so the port identifies the internal sender on the way back
Network Address Translation
Figure: private IP addresses 192.168.1.x on the inside are translated to the one public IP address on the outside
NAT with PAT
Figure: 192.168.1.1 Port 1100 -> Port 2100, Port 1102 -> Port 2101; a second Web browser on Port 1100 -> Port 2102
Network Address Translation (NAT) cont’d
Figure 6-9 Network address translation (NAT)
© Cengage Learning 2012
Network Address Translation (NAT) cont’d
• Advantages of NAT
• Masks the IP addresses of internal devices
• Allows multiple devices to share a smaller number of public IP addresses
• NAT by itself is not a firewall: it drops inbound packets only because no translation entry exists for them, so a stateful rule base is still needed
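The NAT-with-PAT figure shows two inside ports mapped to two public ports; the interesting case is two different inside hosts that both use the same source port. The following is an added example, not code from the slides: a Python PAT gateway that allocates public ports starting at 2100 as in the figure, reverses the mapping for replies, and drops inbound packets with no entry. The public and outside addresses are constructed for the demo.

```python
"""Added example (not from the slides): a port address translation (PAT) table
mapping many inside hosts onto one public address.  Addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    def __init__(self, public_ip, first_public_port=2100):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            # Two inside hosts may both use port 1100; each gets its own public port.
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Reverse the mapping; None means no entry exists and the packet is dropped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound:
            return None
        inside_ip, inside_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    gw = PatGateway("203.0.113.5")
    web = "198.51.100.20"
    out1 = gw.translate_outbound(Packet("192.168.1.1", 1100, web, 80))
    out2 = gw.translate_outbound(Packet("192.168.1.1", 1102, web, 80))
    out3 = gw.translate_outbound(Packet("192.168.1.2", 1100, web, 80))  # same source port as host .1
    reply3 = gw.translate_inbound(Packet(web, 80, gw.public_ip, out3.src_port))
    unsolicited = gw.translate_inbound(Packet("192.0.2.66", 4444, gw.public_ip, 4444))
    return {
        "public_ports": [out1.src_port, out2.src_port, out3.src_port],
        "seen_on_internet": {out1.src_ip, out2.src_ip, out3.src_ip},  # only the public IP is visible
        "reply_to_host2": (reply3.dst_ip, reply3.dst_port),
        "unsolicited_dropped": unsolicited is None,
    }


if __name__ == "__main__":
    print(demo())
```

The unsolicited packet is dropped only because port 4444 has no mapping; a packet aimed at 2100 while that entry is live would be delivered to the inside host, which is why the NAT-is-not-a-firewall caveat above matters.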
Network Access Control (NAC)
• Examines a computer before it is allowed to
connect to the network
• Each computer must meet security policy first,
such as
Windows patches up to date
Antivirus software
Antispyware software
• Any device that does not meet the policy is only
allowed to connect to a “quarantine” network
where the security deficiencies are corrected
Figure 6-10 Network access
control framework
© Cengage Learning 2012
NAC Environment
Security Through Network Design
• Elements of a secure network design
Demilitarized zones
Virtual LANs
Remote access
Demilitarized Zone (DMZ)
• Separate network located outside the secure network perimeter
• Untrusted outside users can access the DMZ but not the secure internal network
Figure 6-11 DMZ with one firewall
© Cengage Learning 2012
Figure 6-12 DMZ with two firewalls
© Cengage Learning 2012
• Subnetting or subnet addressing - Splits a large block of IP
addresses into smaller groups
• IP address may be split anywhere within its 32 bits
• Network can be divided into three parts
• Network
• Subnet
• Host
• Each network can contain several subnets
• Each subnet can contain multiple hosts
Subnetting (cont’d.)
• Improves network security by isolating groups of hosts
• Allows administrators to hide the internal network layout
Subnetting Example (image from Cisco CCNA class 1, modified)
• Whole company: /16
• Remote site: /24
• Main office: /24
Figure 6-13 Subnets
© Cengage Learning 2012
Table 6-8 Advantages of subnetting
Subnets Improve Security
• Each subnet can be isolated from the rest of the network
• Traffic between subnets can be monitored and restricted at the routers
• Subnets also allow network administrators to hide the internal network layout
• Outsiders only see your public servers, not your private hosts
Virtual LANs (VLAN)
• VLANs segment a network with switches, not routers
• Allow scattered users to be logically grouped together even if attached to different switches
• VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN
Image from Cisco CCNA Switching class
VLAN Security
• VLAN communication can take place in two ways
• All devices are connected to the same switch
• Traffic is handled by the switch itself
• Devices are connected to different switches
• A special “tagging” protocol must be used, such as the IEEE
802.1q (aka dot1q)
• A VLAN is heavily dependent upon the switch for correctly directing frames
• Attackers could take control of the switch itself if it has a default or weak password
• Specially crafted traffic can also "hop" from one VLAN to another
Separation of machines into their own unique VLAN
with trunks
VLAN attacks (Discussed in CCNP)
• VLAN hopping
• By altering the VLAN ID on packets encapsulated for trunking (negotiating a trunk with DTP, or double-tagging a frame with the native VLAN as the outer tag), an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures.
• Solution
• Tighten up trunk configurations and the negotiation state of unused ports (disable DTP negotiation on access ports).
• Limit the VLANs allowed across trunk ports, and use a dedicated, otherwise unused native VLAN.
• Place unused ports in a common, unused VLAN and shut them down.
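The double-tagging variant works because the first switch strips the outer tag when it equals the trunk's native VLAN and the next switch forwards on the inner tag. The following is an added example, not code from the slides: a Python parser for the 802.1Q tag stack of an Ethernet frame and a classifier that applies the hardened-port rules above (no tagged frames on access ports, no stacked tags on trunks). Frames, VLAN numbers and port roles are constructed for the demo.

```python
"""Added example (not from the slides): parsing stacked IEEE 802.1Q tags and
flagging the double-tagged frames used for VLAN hopping.  Frames, VLAN numbers
and port roles are constructed for the demo."""
import struct

TPID_8021Q = 0x8100


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Ethernet II frame with zero or more stacked 802.1Q tags (outer tag first)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TCI with PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Returns (list of VLAN IDs, outer to inner; payload ethertype)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vids = 14, []
    while ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids, ethertype


def classify(frame, port_mode, native_vlan):
    """port_mode is 'access' or 'trunk'; mirrors what a hardened switch port does."""
    vids, _ = parse_tags(frame)
    if port_mode == "access":
        return "drop: tagged frame on access port" if vids else "forward: untagged on access port"
    if len(vids) >= 2 and vids[0] == native_vlan:
        # Switch 1 would strip the outer (native) tag and switch 2 would then
        # forward on the inner VID, delivering the frame into a VLAN the sender
        # is not a member of.
        return f"drop: double-tagged, outer tag is native VLAN {native_vlan}, inner VID {vids[1]}"
    if len(vids) >= 2:
        return "drop: stacked tags not expected on this trunk"
    return "forward: single tag" if vids else "forward: untagged (native VLAN)"


def demo():
    a, b = "00:0c:29:aa:bb:01", "00:0c:29:aa:bb:02"
    native = 1
    hopping = build_frame(b, a, [native, 20])        # attacker's double tag: native outer, victim VLAN inner
    return {
        "normal_trunk": classify(build_frame(b, a, [10]), "trunk", native),
        "untagged_trunk": classify(build_frame(b, a, []), "trunk", native),
        "hopping": classify(hopping, "trunk", native),
        "access_tagged": classify(build_frame(b, a, [20]), "access", native),
        "tags_seen": parse_tags(hopping)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

Moving the native VLAN to a dedicated unused number does not change this classifier's verdict, but it does defeat the attack on switches that do forward stacked tags: the outer tag no longer matches the native VLAN, so it is never stripped and the frame stays where it was sent.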
VLAN attacks (Discussed in CCNP)
• Attacks between devices on a common VLAN
• Devices may need protection from one another, even though they are on a
common VLAN.
• This is especially true on service provider segments supporting devices from
multiple customers.
• Solution
• Private VLANs (PVLANs).
Remote Workers
• Working away from the office is commonplace today:
• Telecommuters
• Traveling sales representatives
• Traveling workers
• Strong security for remote workers must be maintained
• Transmissions are routed through networks not managed by the organization
Remote Access
• Remote access - Any combination of hardware and software
that enables remote users to access local internal network
• Remote access provides remote users with same access and
functionality as local users through VPN or dial-up connection
• Service includes support for remote connection and logon and
then displays the same network interface as the normal network
• Virtual private network (VPN)
• Uses unsecured network as if it were secure
• All data transmitted between remote device and network is encrypted
• Types of VPNs
• Remote-access
• User to LAN connection
• Site-to-site
• Multiple sites can connect to other sites over the Internet
VPN cont’d
• Endpoints – devices used in communicating VPN transmissions
• software on local computer
• VPN concentrator (hardware device)
• Integrated into another networking device
• VPNs can be software-based or hardware-based
• Hardware-based generally have better security
• Software-based have more flexibility in managing network traffic
Summary
• Standard network security devices provide a degree of security
• Hubs, switches, router, load balancer
• Hardware devices specifically designed for security give higher
protection level
• Hardware-based firewall, Web application firewall
• Proxy server intercepts and processes user requests
• Virtual private network uses unsecured public network and
encryption to provide security
Summary (cont’d.)
• Intrusion detection system designed to detect attack as it occurs
• Network technologies can help secure a network
• Network address translation
• Network access control
• Methods for designing a secure network
• Demilitarized zones
• Virtual LANs