Network Devices - Attacks

Network Security Fundamentals
• Once, information security and network security were virtually synonymous
• The network was viewed as a protecting wall behind which client computers could be kept safe
• But this approach is untenable: there are too many entry points that circumvent the network and let malware in:
  • Infected USB flash drives
  • Malware that rides on common network protocols (HTTP) and cannot always be detected or blocked by network security devices

Network Security Posture
• Yet a secure network is essential to a comprehensive information security posture:
  • Not all applications are designed and written with security and reliability in mind, so it falls to the network to provide protection
  • Network-delivered services can scale better for larger environments and can complement server and application functionality
  • An attacker who successfully penetrates a computer network may gain access to thousands of desktop systems, servers, and storage devices

Network Security Strategy
• Secure network defense remains a critical element of any organization's security plan
• Organizations should make network defenses one of their first priorities in protecting information
• Network security strategy:
  • Network devices
  • Network technologies
  • Design of the network

Security Through Network Devices
• Not all applications are designed and written with security in mind
• The network must provide protection
• Networks with weak security invite attackers

Standard Network Devices
• Aspects of building a secure network
  • Network devices
  • Network technologies
  • Design of the network itself
• Security features found in network hardware only provide a basic level of security

Standard Network Devices
• Open Systems Interconnection (OSI) reference model
  • Network devices are classified based on function
  • Standard released in 1978, revised in 1983, still used today
  • Illustrates:
    • How a network device prepares data for delivery
    • How data is handled once
received

Standard Network Devices (cont'd.)
• The OSI model breaks networking steps into seven layers
• Each layer has different networking tasks
• Each layer cooperates with the adjacent layers

Table 6-1 OSI reference model
Security+ Guide to Network Security Fundamentals, Fourth Edition

Standard Network Devices (cont'd.)
• Hubs
  • Connect multiple Ethernet devices together to function as a single network segment
  • Use coaxial, twisted-pair copper or fiber-optic cables
  • Operate at Layer 1 (Physical) of the OSI model
  • Do not read the data passing through them; ignorant of source and destination, so every frame is repeated out every port
  • Rarely used today because of this inherent security weakness: any attached host can sniff all traffic on the segment

Standard Network Devices (cont'd.)
• Switches
  • A network switch connects network segments
  • Operates at the Data Link Layer (Layer 2)
  • Learns which device is connected to each port from the source MAC address of incoming frames
  • Forwards a frame only to the port of its destination device, or floods it to all ports when the destination is unknown
  • Uses MAC addresses to identify devices
  • Provides better security than a hub, but only as long as the switch knows where every destination is

Standard Network Devices (cont'd.)
• A network administrator should be able to monitor network traffic
  • Helps identify and troubleshoot network problems
• Traffic monitoring methods
  • Use a switch with port mirroring
    • Copies all traffic to a designated monitoring port on the switch
    • Security issue: whoever plugs into the mirror port receives a copy of everything on the mirrored ports

Standard Network Devices (cont'd.)
• Traffic monitoring methods (cont'd)
  • Install a network tap (test access point)
    • A device installed between two network devices, such as a switch, router, or firewall, to monitor traffic

Network Attacks

Spoofing attacks (Discussed in CCNP)
• DHCP starvation and DHCP spoofing
  • An attacking device can exhaust the address space available to the DHCP servers for a period of time, or establish itself as a DHCP server (handing out its own address as default gateway or DNS server) for man-in-the-middle attacks
  • Solution
    • DHCP snooping: only trusted ports may carry DHCP server replies; DHCP requests on untrusted ports can be rate-limited

Spoofing attacks (Discussed in CCNP)
• Spanning tree compromises
  • The attacking device spoofs the root bridge in the STP topology
  • If successful, the network attacker can see a variety of frames, because traffic between switches is now forwarded through the attacker's "root"
  • Solution
    • Proactively configure the primary and backup root devices (set their bridge priorities)
    • Enable root guard on ports that should never lead to the root (and BPDU guard on access ports, which should never receive BPDUs at all)

Spoofing attacks (Discussed in CCNP)
• MAC spoofing
  • The attacking device spoofs the MAC address of a valid host currently in the CAM table
  • The switch then forwards frames destined for the valid host to the attacking device
  • Solution
    • Port security (bind the permitted MAC addresses to the port)
    • DHCP snooping (its binding table is what IP Source Guard uses to tie an IP and MAC to a port)

Spoofing attacks (Discussed in CCNP)
• Address Resolution Protocol (ARP) spoofing
  • The attacking device crafts ARP replies intended for valid hosts (unsolicited, so-called gratuitous replies that the victims cache)
  • The attacking device's MAC address then becomes the destination MAC in the Layer 2 frames sent by the valid host, so its traffic passes through the attacker
  • Solution
    • Dynamic ARP Inspection (validates ARP packets against the DHCP snooping binding table)
    • DHCP snooping
    • Port security

Attacks on switch devices
• Cisco Discovery Protocol (CDP) manipulation
  • Information sent through CDP is transmitted in clear text and unauthenticated, so it can be captured and divulges network topology information (device model, software version, VLANs, addresses)
  • Solution
    • Disable CDP on all ports where it is not intentionally used (the same applies to LLDP)

Attacks on switch devices
• Secure Shell (SSH) and Telnet attacks
  • Telnet packets, including the login credentials, can be read in clear text
  • SSH is an option, but version 1 has known protocol weaknesses
  • Solution
    • SSH version 2
    • If Telnet cannot be avoided, restrict it with access lists on the virtual terminal (VTY) lines

MAC layer attacks
• MAC address flooding
  • Frames with unique, invalid source MAC addresses flood the switch, exhausting the content addressable memory (CAM) table and preventing new entries for valid hosts
  • Traffic to valid hosts is subsequently flooded out all ports
  • Solution
    • Port security (lock MAC addresses to specific ports; limit the number of MACs learned per port)
    • MAC address VLAN access maps

MAC Layer Attacks
• A common Layer 2 or switch attack ("as of this writing")
• Launched for the malicious purpose of:
  • Collecting a broad sample of traffic, or
  • Denial of Service (DoS)

MAC Layer Attacks
• Many switches' CAM tables are limited in size (1,024 to over 16,000 entries)
• Tools such as dsniff (macof) can fill the CAM table in just over 1 minute

dsniff: http://www.monkey.org/~dugsong/dsniff/
• "dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.)."
• "arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching)."
• "sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI."
• "I wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of most network application protocols. Please do not abuse this software."

MAC Flooding switches with dsniff
(macof output; each line is one forged frame with a random source and destination, lines truncated in the original capture)
[root@sconvery-lnx dsniff-2.3]# ./macof
101.59.29.36 -> 60.171.137.91 TCP D=55934 S=322 Syn Seq=1210303300 Len=0 Win=512
145.123.46.9 -> 57.11.96.103 TCP D=44686 S=42409 Syn Seq=1106243396 Len=0 Win=52
109.40.136.24 -> 51.158.227.98 TCP D=59038 S=21289 Syn Seq=2039821840 Len=0 Win2
126.121.183.80 -> 151.241.231.59 TCP D=7519 S=34044 Syn Seq=310542747 Len=0 Win2
211.28.168.72 -> 91.247.223.23 TCP D=62807 S=53618 Syn Seq=2084851907 Len=0 Win2
183.159.196.56 -> 133.10.138.87 TCP D=23929 S=51034 Syn Seq=1263121444 Len=0 Wi2
19.113.88.77 -> 16.189.146.61 TCP D=1478 S=56820 Syn Seq=609596358 Len=0 Win=512
237.162.172.114 -> 51.32.8.36 TCP D=38433 S=31784 Syn Seq=410116516 Len=0 Win2
118.34.90.6 -> 61.169.58.50 TCP D=42232 S=31424 Syn Seq=1070019027 Len=0 Win=52
46.205.246.13 -> 72.165.185.7 TCP D=56224 S=34492 Syn Seq=937536798 Len=0 Win=52
105.109.246.116 -> 252.233.209.72 TCP D=23840 S=45783 Syn Seq=1072699351 Len=0 2
60.244.56.84 -> 142.93.179.59 TCP D=3453 S=4112 Syn Seq=1964543236 Len=0 Win=512
151.126.212.86 -> 106.205.161.66 TCP D=12959 S=42911 Syn Seq=1028677526 Len=0 W2
9.121.248.84 -> 199.35.30.115 TCP
D=33377 S=31735 Syn Seq=1395858847 Len=0 Win=2
226.216.132.20 -> 189.89.89.110 TCP D=26975 S=57485 Syn Seq=1783586857 Len=0 Wi2
124.54.134.104 -> 235.83.143.109 TCP D=23135 S=55908 Syn Seq=852982595 Len=0 Wi2
27.54.72.62 -> 207.73.65.108 TCP D=54512 S=25534 Syn Seq=1571701185 Len=0 Win=2
246.109.199.72 -> 1.131.122.89 TCP D=61311 S=43891 Syn Seq=1443011876 Len=0 Win2
251.49.6.89 -> 18.168.34.97 TCP D=25959 S=956 Syn Seq=6153014 Len=0 Win=512
51.105.154.55 -> 225.89.20.119 TCP D=33931 S=1893 Syn Seq=116924142 Len=0 Win=52
82.2.236.125 -> 210.40.246.122 TCP D=43954 S=49355 Syn Seq=1263650806 Len=0 Win2
21.221.14.15 -> 9.240.58.59 TCP D=61408 S=26921 Syn Seq=464123137 Len=0 Win=512
70.63.102.43 -> 69.88.108.26 TCP D=61968 S=53055 Syn Seq=682544782 Len=0 Win=512

MAC Flooding switches with dsniff
• dsniff's macof can generate 150,000+ MAC entries on a switch per minute
• It takes about 60 seconds to fill the CAM table
• Once the table is full, traffic to any destination without a CAM entry floods on the VLAN

MAC Flooding
• Once the CAM table is full, new valid entries will not be accepted
• The switch must flood frames to those addresses out all ports in the VLAN
• This has two adverse effects:
  • Switch forwarding becomes inefficient and voluminous
  • An intruding device connected to any switch port can capture traffic not normally seen on that port; the switch has effectively become a hub

MAC Flooding Attack Example
• If the attack is launched before the beginning of the day, the CAM table is already full as the majority of devices are powered on
• Legitimate devices are unable to create CAM table entries as they power on
• The volume of flooded frames from a large number of devices will be high
• If the initial, malicious flood of invalid CAM table entries is a one-time event:
  • Eventually the switch will age out the older, invalid CAM table entries
  • New, legitimate devices will then be able to create entries in the CAM table
  • Traffic flooding will cease
  • The intruder may never be detected (the network seems normal again)
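The slides above describe the attack and the port-security mitigation that follows in prose only. The model below is an added example, not code from the slides, from Cisco or from dsniff: a toy learning switch with a bounded CAM table, a macof-style flood from one port, two legitimate hosts that power on after the flood, and the same run again with a one-MAC-per-port limit. The CAM size, the aging model, the violation action and the host MACs (reserved documentation addresses) are assumptions made for the demonstration.

```python
"""Toy learning switch: CAM exhaustion (macof-style) versus port security.

Added example, not from the slides, Cisco or dsniff. The CAM size, aging
model and port-security policy are simplified assumptions."""
import random
from collections import OrderedDict

rng = random.Random()


def random_mac():
    """A random locally administered unicast MAC, like the sources macof forges."""
    b = bytearray(rng.getrandbits(8) for _ in range(6))
    b[0] = (b[0] | 0x02) & 0xFE          # set the local bit, clear the group (multicast) bit
    return ":".join(f"{x:02x}" for x in b)


class Switch:
    """Learning switch with a bounded CAM table and an optional per-port MAC limit."""

    def __init__(self, ports, cam_size=1024, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam_size = cam_size
        self.cam = OrderedDict()          # mac -> port; insertion order doubles as age order
        self.max_macs_per_port = max_macs_per_port
        self.err_disabled = set()         # ports shut down by a port-security violation
        self.delivered = []               # (egress_port, src, dst) for every frame that left the switch

    def _learn(self, src, in_port):
        if src in self.cam:
            self.cam.move_to_end(src)     # refreshed entry becomes the youngest
            return
        if self.max_macs_per_port is not None:
            seen_on_port = sum(1 for p in self.cam.values() if p == in_port)
            if seen_on_port >= self.max_macs_per_port:
                self.err_disabled.add(in_port)   # violation mode "shutdown"
                return
        if len(self.cam) < self.cam_size:        # a full table simply cannot learn
            self.cam[src] = in_port

    def age_out(self, n):
        """Expire the n oldest entries (the aging timer running down)."""
        for _ in range(min(n, len(self.cam))):
            self.cam.popitem(last=False)

    def send(self, src, dst, in_port):
        """Switch one unicast frame; return the set of egress ports."""
        if in_port in self.err_disabled:
            return set()
        self._learn(src, in_port)
        if in_port in self.err_disabled:  # this very frame triggered the violation
            return set()
        out_port = self.cam.get(dst)
        if out_port is None:              # unknown destination: flood the VLAN
            egress = self.ports - {in_port} - self.err_disabled
        elif out_port == in_port:
            egress = set()
        else:
            egress = {out_port}
        for p in egress:
            self.delivered.append((p, src, dst))
        return egress


ALICE, BOB = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # assumed hosts (documentation MACs)
ALICE_PORT, BOB_PORT, ATTACKER_PORT = 1, 2, 24


def macof_like_flood(switch, frames=2000):
    """Frames with random source and destination MACs from the attacker's port."""
    for _ in range(frames):
        switch.send(random_mac(), random_mac(), ATTACKER_PORT)


def run(port_security):
    """Flood first, then let two hosts that powered on later talk; report what leaks."""
    rng.seed(2024)                        # reproducible MACs for every run
    sw = Switch(ports=range(1, 25), cam_size=1024,
                max_macs_per_port=1 if port_security else None)
    macof_like_flood(sw)
    sw.send(ALICE, BOB, ALICE_PORT)       # Alice -> Bob: both unknown, flooded
    sw.send(BOB, ALICE, BOB_PORT)         # Bob -> Alice: should be unicast, but Alice was never learned
    leaked = [f for f in sw.delivered if f[0] == ATTACKER_PORT and f[1] in (ALICE, BOB)]
    entries = len(sw.cam)
    sw.age_out(sw.cam_size)               # one-time flood: bogus entries eventually age out
    sw.send(ALICE, BOB, ALICE_PORT)       # ...and the network quietly looks normal again
    return {"cam_entries": entries, "leaked_to_attacker": len(leaked),
            "attacker_port_down": ATTACKER_PORT in sw.err_disabled,
            "alice_learned_after_aging": ALICE in sw.cam}


if __name__ == "__main__":
    print("no port security :", run(False))
    print("port security    :", run(True))
```

Without port security the attacker's 2000 forged sources fill all 1024 entries, Alice and Bob cannot be learned, and both of their frames are flooded out port 24. With a limit of one MAC per port the second forged source err-disables port 24 before the table is touched, nothing reaches the attacker, and the two hosts are learned normally. The aging step reproduces the last slide: once the bogus entries expire the switch recovers and leaves no trace of the flood.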
Suggested Mitigation for MAC Flood Attacks: Port Security
• Port security restricts port access by MAC address: it limits how many MACs a port may learn (or which ones) and shuts down or restricts the port when the limit is exceeded
Rick Graziani graziani@cabrillo.edu

Table 6-2 Protecting the switch

Standard Network Devices (cont'd.)
• Routers
  • Forward packets across computer networks
  • Operate at the Network Layer (Layer 3)
  • Can be configured to filter out specific types of network traffic (access control lists)

Network Security Hardware
• Hardware devices specifically designed for security
• Provide greater protection than standard networking devices

Standard Network Devices (cont'd.)
• Load balancers
  • Help evenly distribute work across a network
  • Allocate requests among multiple devices

Standard Network Devices (cont'd.)
• Load balancers
  • Advantages of load-balancing technology
    • Reduces the probability of overloading a single server
    • Optimizes the bandwidth of network computers
    • Reduces network downtime
  • Load balancing is achieved through software or a hardware device (a load balancer)

Standard Network Devices (cont'd.)
• Security advantages of load balancing
  • Because load balancers are generally located between the routers and the servers, they can detect and stop attacks directed at a server or application
  • Can detect and prevent denial-of-service (DoS) and protocol attacks that could cripple a single server
  • Some can deny attackers information about the network
    • Hide HTTP error pages
    • Remove server identification headers from HTTP responses

Network Security Hardware
• Firewalls
  • A hardware-based network firewall inspects packets
  • Can either accept or deny packet entry
  • Usually located outside the network security perimeter

Firewall
• Typically used to inspect and filter packets
• Sometimes called a packet filter
• Designed to prevent malicious packets from entering the network
• A firewall can be software-based or hardware-based
• Hardware firewalls usually are located outside the
network security perimeter
• As the first line of defense

Example Firewall Network Diagram

Firewall (continued)
• The basis of a firewall is a rule base
  • Establishes what action the firewall should take when it receives a packet (allow, block, or prompt)
• Stateless packet filtering
  • Looks at each incoming packet in isolation and permits or denies it based strictly on the rule base
• Stateful packet filtering
  • Keeps a record of the state of each connection between an internal computer and an external server
  • Then makes decisions based on the connection state as well as the rule base
  • A packet claiming to belong to a connection the firewall never saw opened is dropped even if a rule would otherwise match it

Stateless Firewall Rules
Table 6-3 Rule for Web page transmission

Stateful Firewall Rules
State = Established

Inbound and Outbound Traffic Filtering
• Most personal software firewalls today filter outbound traffic as well as inbound traffic
• Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading
• But the resulting alerts annoy users

Application-Aware Firewalls
• Application-aware firewall (next-generation firewall, NGFW)
  • A more "intelligent" firewall that operates at a higher level
  • Identifies the applications that send packets through the firewall and then makes decisions about the application (vs. granular rule settings like destination port or protocol)

Application-Aware Firewalls
• Web application firewall (WAF)
  • A special type of application-aware firewall that looks at application traffic such as HTTP
  • Can block specific sites or specific known attacks
  • Can block cross-site scripting (XSS) and SQL injection attacks; a WAF matches known attack patterns, so it mitigates but does not replace fixing the application

Network Security Hardware (cont'd.)
• Proxies
  • Devices that substitute for primary devices
  • Proxy server: a computer or application that intercepts and processes user requests
  • If a previous request has been fulfilled, a copy of the Web page may reside in the proxy server's cache
  • If not, the proxy server requests the item from the external Web server using its own IP address
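The stateless and stateful rule slides above state the difference in one sentence each. The following is an added example, not code from the textbook: a toy packet filter that implements the Web-page rule base in the spirit of Table 6-3 twice, once statelessly and once with a connection table, and runs both over a real Web session and over a constructed inbound packet that merely looks like a reply from a Web server. The internal address range, the addresses and ports, and the exact rule wording are assumptions.

```python
"""Stateless versus stateful packet filtering (added example, not from the textbook).
The internal prefix, the rule base and the sample packets are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."     # assumed internal network


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Rule base for Web page transmission in the spirit of Table 6-3: allow outbound
    to port 80, allow inbound from port 80 to a high port if ACK is set, block the rest.
    Each packet is judged on its own; the ACK bit is the only 'state' the rule can see."""
    if pkt.direction == "out" and is_internal(pkt.src) and pkt.dport == 80:
        return "allow"
    if (pkt.direction == "in" and is_internal(pkt.dst) and pkt.sport == 80
            and pkt.dport >= 1024 and pkt.ack):
        return "allow"
    return "block"


class StatefulFilter:
    """Same policy, but an inbound packet is only allowed when it belongs to a
    connection that an internal host opened through this firewall (state = established)."""

    def __init__(self):
        self.connections = set()   # (client_ip, client_port, server_ip, server_port)

    def check(self, pkt):
        if pkt.direction == "out" and is_internal(pkt.src) and pkt.dport == 80:
            if pkt.syn and not pkt.ack:                       # new connection attempt
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow"
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.connections:
                return "allow"
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"                                    # reply on a known connection
        return "block"


def run_scenarios():
    """Decisions of both filters for a genuine Web session and for an attacker's
    unsolicited ACK packet that pretends to be a reply from port 80."""
    client, server, attacker = "10.0.0.5", "198.51.100.10", "203.0.113.9"
    session = [
        Packet("out", client, 49152, server, 80, syn=True),             # SYN
        Packet("in", server, 80, client, 49152, syn=True, ack=True),    # SYN-ACK
        Packet("out", client, 49152, server, 80, ack=True),             # ACK
        Packet("in", server, 80, client, 49152, ack=True),              # data
    ]
    # Constructed probe: source port 80 and ACK set, but nobody inside asked for it.
    probe = Packet("in", attacker, 80, client, 3389, ack=True)

    stateful = StatefulFilter()
    return {
        "session_stateless": [stateless_filter(p) for p in session],
        "session_stateful": [stateful.check(p) for p in session],
        "probe_stateless": stateless_filter(probe),
        "probe_stateful": stateful.check(probe),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18}: {decision}")
```

Both filters pass the legitimate session. The probe is the point: a stateless rule that trusts "source port 80 plus ACK" as proof of an established connection lets an attacker reach any high port on an internal host simply by setting those two fields, while the stateful filter blocks it because no internal host ever opened that connection.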
• Application-aware proxy
  • A special proxy server that "knows" the application protocols it supports
  • Example: an FTP proxy server implements the FTP protocol

Proxy Server
(Figure: client "I want to see yahoo.com"; proxy "Here is my copy of yahoo.com" on a cache hit, or "I will get yahoo.com and save a copy" and fetches it from the Internet)
• Clients never directly connect to the Internet
• This saves bandwidth, because one copy of a popular Web page can be used many times
• Allows a company to block forbidden Web sites
• It also prevents many attacks in the same way NAT does: outside hosts only ever see the proxy
• Can also be used to hide your location and IP address - BAD?
• Reverse proxy
  • Does not serve clients but instead routes incoming requests to the correct server

Configuring access to proxy servers

Web Based Proxies

Network Security Hardware (cont'd.)
• Proxy server advantages
  • Increased speed (requests served from the cache)
  • Reduced costs (the cache reduces the bandwidth required)
  • Improved management
    • Block specific Web pages or sites
  • Stronger security
    • Intercept malware
    • Hide the client system's IP address from the open Internet

Network Security Hardware (cont'd.)
• Reverse proxy
  • Does not serve clients
  • Routes incoming requests to the correct server
  • The reverse proxy's IP address is visible to outside users
  • The internal server's IP address is hidden

Reverse Proxy
(Figure: outside client connects to the reverse proxy, which forwards the request to Web server 1)

Network Security Hardware (cont'd.)
• Spam filters
  • Enterprise-wide spam filters block spam before it reaches the host
  • E-mail systems use three main protocols
    • Simple Mail Transfer Protocol (SMTP): handles transferring outgoing mail (and mail between servers)
    • Post Office Protocol (POP): handles incoming mail (the client downloads it)
    • Internet Message Access Protocol (IMAP): handles incoming mail (messages stay on the server)

Network Security Hardware (cont'd.)
• Spam filters installed with the SMTP server
  • The filter is configured to listen on port 25
  • Passes non-spam e-mail to the SMTP server listening on another port
  • This method prevents the SMTP server from notifying the spammer of failed message delivery (a bounce would confirm a live address)

Network Security Hardware (cont'd.)
• Spam filters installed on the e-mail servers
  • All spam must first pass through the SMTP server and be delivered to the user's mailbox
  • Can result in increased costs
    • Storage, transmission, backup, deletion

Network Security Hardware (cont'd.)
• Third-party entity contracted to filter spam
  • All e-mail is directed to the third party's remote spam filter
  • E-mail is cleansed before being redirected to the organization

Internet Content Filters
• Internet content filters
  • Monitor Internet traffic and block access to preselected Web sites and files
  • A requested Web page is only displayed if it complies with the specified filters
  • Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL filtering) or by matching keywords
  • Inspect traffic for malware (malware inspection)

Table 6-4 Internet content filter features

Network Security Hardware (cont'd.)
• Web security gateways
  • Can block malicious content in real time
  • Block content through application-level filtering
  • Examples of blocked Web traffic
    • ActiveX objects
    • Adware, spyware
    • Peer-to-peer file sharing
    • Script exploits
    • TCP/IP malicious code attacks

Network Security Hardware (cont'd.)
• Passive and active security can be used in a network
  • Active measures provide a higher level of security
  • Passive measures (apply fixed rules, do not react to an attack in progress)
    • Firewall
    • Internet content filter
  • Active measures
    • Can detect and block attacks as they occur

Network Security Hardware (cont'd.)
• Monitoring methodologies
  • Anomaly-based monitoring
    • Compares currently detected behavior with a baseline
  • Signature-based monitoring
    • Looks for well-known attack signature patterns
  • Behavior-based monitoring
    • Detects abnormal actions by processes or programs
    • Alerts the user, who decides whether to allow or block the activity
  • Heuristic monitoring
    • Uses experience-based techniques

Table 6-5 Methodology comparisons to trap port-scanning application

Network Security Hardware (cont'd.)
• Intrusion detection system (IDS)
  • Active security measure
  • Can detect an attack as it occurs

Network Security Hardware (cont'd.)
• Host intrusion detection system (HIDS)
  • Software-based application that can detect attacks as they occur
  • Installed on each system needing protection
  • Monitors
    • System calls
    • File system access and modifications
    • Registry settings and modifications
    • Host input and output communications
    • Anomalous activity

Network Security Hardware (cont'd.)
• Disadvantages of HIDS
  • Cannot monitor network traffic that does not reach the local system
  • All log data is stored locally (an attacker who compromises the host can tamper with it)
  • Resource-intensive and can slow the system

Network Security Hardware (cont'd.)
• Network intrusion detection system (NIDS)
  • Watches for attacks on the network
  • NIDS sensors installed on firewalls and routers gather information and report back to a central device
  • A passive NIDS will sound an alarm
  • An active NIDS will sound an alarm and take action
    • Actions may include filtering out the intruder's IP address or terminating the TCP session

Table 6-6 NIDS evaluation techniques

Host Intrusion Prevention Systems (HIPS)
• Installed on each system that needs to be protected
• Rely on agents installed directly on the system being protected
• Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks

Network Security Hardware (cont'd.)
• Network intrusion prevention system (NIPS)
  • Similar to an active NIDS
  • Monitors network traffic to immediately block a malicious attack
  • NIPS sensors are located in line, on the firewall itself
  • A typical IPS response may be to block all incoming traffic on a specific port

NIDS vs. NIPS
• The major difference between a NIDS and a NIPS is location:
  • A NIDS has sensors that monitor traffic entering and leaving the firewall and report back to a central device for analysis
  • A NIPS is located "in line" on the firewall itself, which lets it act more quickly to block an attack (and means a NIPS false positive blocks legitimate traffic, not just an alert)
• Application-aware IPS: knows information such as applications and operating systems so that it can provide a higher degree of accuracy

Unified Threat Management (UTM) Security Appliances
• Because different types of network security hardware each provide a different defense, a network may require multiple devices for comprehensive protection
• Managing multiple devices is cumbersome
• Unified Threat Management (UTM): a security product that combines several security functions

UTM Functions
• Antispam and antiphishing
• Antivirus and antispyware
• Bandwidth optimization
• Content filtering
• Encryption
• Firewall
• Instant messaging control
• Intrusion protection
• Web filtering

Security Through Network Technologies
• Network technologies can also help to secure a network
• Two technologies:
  • Network address translation
  • Network access control

Network Address Translation (NAT)
• Hides the IP addresses of network devices from attackers
• Private addresses
  • IP addresses not assigned to any specific user or organization
  • Function as regular IP addresses on an internal network
  • Non-routable addresses: traffic addressed to private addresses is discarded by Internet routers

Table 6-7 Private IP addresses

Network Address Translation (NAT)
• NAT removes the private IP address from the sender's packet
  • And replaces it with an alias (public) IP address
• When a packet is returned to NAT, the
process is reversed
• An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender

Network Address Translation (NAT) cont'd
• Network address translation (NAT)
  • Allows hosts with private IP addresses to communicate over the public Internet
  • Replaces the private IP address with a public address
• Port address translation (PAT)
  • A variation of NAT
  • Outgoing packets are given the same public IP address but different TCP (or UDP) port numbers, so one public address serves many internal hosts

Network Address Translation (NAT)
(Figure: internal hosts 192.168.1.1, 192.168.1.51, 192.168.1.101, 192.168.1.102, 192.168.1.103 behind the NAT device; one public address per internal host)
  Address translation
    192.168.1.101 -> 147.144.1.101
    192.168.1.102 -> 147.144.1.102
    192.168.1.103 -> 147.144.1.103
    192.168.1.51  -> 147.144.1.104

NAT with PAT
(Figure: the same internal hosts share the single public address 147.144.1.1; each flow is distinguished by its translated port)
  Address translation
    192.168.1.101 port 1100 (Web browser) -> 147.144.1.1 port 2100
    192.168.1.101 port 1102 (E-mail)      -> 147.144.1.1 port 2101
    192.168.1.103 port 1100 (Web browser) -> 147.144.1.1 port 2102

Network Address Translation (NAT) cont'd
Figure 6-9 Network address translation (NAT) © Cengage Learning 2012

Network Address Translation (NAT) cont'd
• Advantages of NAT
  • Masks the IP addresses of internal devices
  • Allows multiple devices to share a smaller number of public IP addresses

Network Access Control (NAC)
• Examines a computer before it is allowed to connect to the network
• Each computer must first meet the security policy, such as:
  • Windows patches up to date
  • Antivirus software
  • Antispyware software
  • Etc.
• Any device that does not meet the policy is only allowed to connect to a "quarantine" network where the security deficiencies are corrected

Figure 6-10 Network access control framework © Cengage Learning 2012

NAC Environment

Security Through Network Design Elements
• Elements of a secure network design
  • Demilitarized zones
  • Subnetting
  • Virtual LANs
  • Remote access

Demilitarized Zone (DMZ)
• A separate network located outside the secure network perimeter
• Untrusted outside users can access the DMZ but not the secure network

Figure 6-11 DMZ with one firewall © Cengage Learning 2012

Figure 6-12 DMZ with two firewalls © Cengage Learning 2012

Subnetting
• Subnetting or subnet addressing splits a large block of IP addresses into smaller groups
• The IP address may be split anywhere within its 32 bits
• The address can be divided into three parts
  • Network
  • Subnet
  • Host
• Each network can contain several subnets
• Each subnet can contain multiple hosts

Subnetting (cont'd.)
• Improves network security by isolating groups of hosts
• Allows administrators to hide the internal network layout
• Image from Cisco CCNA Class 1

Subnetting Example
• Whole company: 157.154.0.0/16 (157.154.0.1 through 157.154.255.254)
• Remote site: 157.154.20.0/24 (157.154.20.1 through 157.154.20.254)
• Main office: 157.154.51.0/24 (157.154.51.1 through 157.154.51.254)
• Image from Cisco CCNA class 1, modified

Figure 6-13 Subnets © Cengage Learning 2012

Table 6-8 Advantages of subnetting

Subnets Improve Security
• Each subnet can be isolated from the rest of the network
• Traffic between subnets can be monitored and restricted at the routers
• Subnets also allow network administrators to hide the internal network layout
• Outsiders only see your public servers, not your private subnets

Virtual LANs (VLAN)
• VLANs segment a network with switches, not routers
• Allow scattered users to be logically grouped together even if attached to different switches
• VLANs can be isolated so that sensitive data
is transmitted only to members of the VLAN
• Image from Cisco CCNA Switching class

VLAN Security
• VLAN communication can take place in two ways
  • All devices are connected to the same switch
    • Traffic is handled by the switch itself
  • Devices are connected to different switches
    • A special "tagging" protocol must be used on the link between the switches, such as IEEE 802.1Q (aka dot1q)
• A VLAN is heavily dependent upon the switch for correctly directing frames
  • Attackers could take control of the switch itself if it has a default or weak password
  • Specially crafted traffic can also "hop" from one VLAN to another

Separation of machines into their own unique VLAN with trunks

VLAN attacks (Discussed in CCNP)
• VLAN hopping
  • By altering the VLAN ID on frames encapsulated for trunking, an attacking device can send or receive frames on various VLANs, bypassing Layer 3 security measures
  • Solution
    • Tighten up trunk configurations and the negotiation state of unused ports (no trunk auto-negotiation on ports that face hosts)
    • Limit the VLANs allowed across trunk ports
    • Place unused ports in a common, otherwise unused VLAN
    • Use an unused VLAN as the native VLAN on trunks, or tag the native VLAN, so that a double-tagged frame cannot shed its outer tag

VLAN attacks (Discussed in CCNP)
• Attacks between devices on a common VLAN
  • Devices may need protection from one another even though they are on a common VLAN
  • This is especially true on service provider segments supporting devices from multiple customers
  • Solution
    • Private VLANs (PVLANs)
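The VLAN hopping slide above names the attack and its mitigations without showing the frame. What follows is an added example, not code from the slides or from Cisco: it builds and parses 802.1Q-tagged Ethernet frames from raw bytes, models the one trunk behaviour the double-tagging attack depends on (a frame in the native VLAN leaves the trunk untagged), and shows the frame landing in another VLAN on the far switch, then the same frame going nowhere once the native VLAN is an unused one or is tagged. The switch model is deliberately minimal (it assumes switch A accepts the attacker's tagged frame on its port) and the MAC addresses are reserved documentation addresses.

```python
"""802.1Q tagging and the double-tag VLAN hop (added example, not from the slides).
The trunk behaviour is a simplified model; MACs are documentation addresses."""
import struct

TPID_8021Q = 0x8100


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, vids, ethertype=0x0800, payload=b""):
    """Ethernet II frame with zero or more 802.1Q tags, outermost first (PCP=0, DEI=0)."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for vid in vids:
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN ID {vid}")
        frame += struct.pack("!HH", TPID_8021Q, vid)   # TCI carrying only the 12-bit VID
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, the VLAN IDs (outermost first), the EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    vids, off = [], 12
    while off + 4 <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "vids": vids, "ethertype": ethertype, "payload": frame[off + 2:]}


def trunk_egress(frame, native_vid, tag_native=False):
    """What a switch puts on an 802.1Q trunk: a frame belonging to the native VLAN
    goes out untagged (outer tag stripped) unless native-VLAN tagging is enabled."""
    vids = parse_frame(frame)["vids"]
    if vids and vids[0] == native_vid and not tag_native:
        return frame[:12] + frame[16:]        # drop the 4-byte outer tag
    return frame


def trunk_ingress_vlan(frame, native_vid):
    """VLAN the receiving switch assigns to a frame arriving on the trunk."""
    vids = parse_frame(frame)["vids"]
    return vids[0] if vids else native_vid


def double_tag_hop(outer_vid, inner_vid, native_vid, tag_native=False):
    """Attacker sends a frame tagged [outer_vid, inner_vid] into switch A, which
    forwards it over a trunk to switch B; return the VLAN switch B delivers it to."""
    frame = build_frame("00:00:5e:00:53:ff", "00:00:5e:00:53:01",
                        [outer_vid, inner_vid], payload=b"constructed payload")
    on_wire = trunk_egress(frame, native_vid, tag_native)
    return trunk_ingress_vlan(on_wire, native_vid)


if __name__ == "__main__":
    print("native VLAN 1, untagged:", double_tag_hop(1, 20, native_vid=1))
    print("native VLAN 999        :", double_tag_hop(1, 20, native_vid=999))
    print("native VLAN 1, tagged  :", double_tag_hop(1, 20, native_vid=1, tag_native=True))
```

With the default native VLAN 1 the attacker's outer tag matches it, switch A strips that tag on the trunk, and switch B reads the inner tag and delivers the frame into VLAN 20 without any Layer 3 device in the path. Moving the native VLAN to an unused ID, or tagging the native VLAN, leaves the outer tag in place, so the frame stays in the attacker's own VLAN. Note the attack is one-way: the attacker can inject into VLAN 20 but replies do not come back the same route.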
Remote Workers
• Working away from the office is commonplace today:
  • Telecommuters
  • Traveling sales representatives
  • Traveling workers
• Strong security for remote workers must be maintained
  • Transmissions are routed through networks not managed by the organization

Remote Access
• Remote access: any combination of hardware and software that enables remote users to access the local internal network
• Provides remote users with the same access and functionality as local users through a VPN or dial-up connection
• The service includes support for remote connection and logon, and then presents the same network interface as the normal network

VPN
• Virtual private network (VPN)
  • Uses an unsecured network as if it were secure
  • All data transmitted between the remote device and the network is encrypted
• Types of VPNs
  • Remote-access
    • User-to-LAN connection
  • Site-to-site
    • Multiple sites can connect to other sites over the Internet

VPN cont'd
• Endpoints: the devices that terminate VPN transmissions
  • Software on the local computer
  • VPN concentrator (hardware device)
  • Integrated into another networking device
• VPNs can be software-based or hardware-based
  • Hardware-based generally have better security
  • Software-based have more flexibility in managing network traffic

Summary
• Standard network devices provide a degree of security
  • Hubs, switches, routers, load balancers
• Hardware devices specifically designed for security give a higher level of protection
  • Hardware-based firewall, Web application firewall
• A proxy server intercepts and processes user requests
• A virtual private network uses an unsecured public network and encryption to provide security

Summary (cont'd.)
• An intrusion detection system is designed to detect an attack as it occurs
• Network technologies can help secure a network
  • Network address translation
  • Network access control
• Methods for designing a secure network
  • Demilitarized zones
  • Virtual LANs