Security fundamentals
Topic 6: Securing the network infrastructure

Agenda
• Security at the TCP/IP layers
• Security at the physical layer
• Securing network devices

Network layer attacks
• MAC address spoofing
  – Attackers can create packets with the MAC address of a different computer and impersonate that computer
• Denial of Service (DoS)
  – Overloads a single system so that it cannot provide the service it is configured to provide
  – Sends frames designed to use up all the resources of the target device
• ARP cache poisoning
  – Incorrect or spoofed entries are added to the ARP cache
  – Messages are sent to incorrect destinations

Internet layer attacks
• IP address spoofing
  – Source addresses of IP packets are spoofed to impersonate another computer
• Man-in-the-middle attack
  – Attacker intercepts and reads or modifies packet contents without the knowledge of the source or destination computers
• Denial of Service
  – Attacker overloads the TCP/IP stack with a large number of invalid packets, which prevents processing of legitimate packets
  – Attacker changes entries in routing tables to prevent delivery of packets
• Incorrect reassembly of fragmented datagrams
  – The offset field used to reassemble fragments is changed so that they can't be reassembled correctly
  – A datagram could pass through a firewall when it shouldn't
• Avoiding detection by fragmenting datagrams
  – An attacker might fragment a packet to hide patterns (such as virus signatures) and avoid detection
• Corrupting packets
  – Information in IP header fields is modified

Transport layer attacks
• Manipulation of UDP or TCP ports
  – Attacker can format packets so they appear to come from a port allowed by the firewall
• Denial of service
  – SYN flood attack leaves sessions half open until the router cannot accept any more connections
• Session hijacking
  – After the connection is established, the attacker predicts TCP sequence numbers and takes over the connection with his own segments

Application layer attacks
• Specific to the application layer protocol
• Common attacks exploit:
  – Email protocols
  – Web protocols
  – DNS

Network cabling security
• Coaxial cables
  – Cutting or destroying cables
  – Noise from EMI or RFI
  – Removing a terminator
• Eavesdropping: traffic can be captured by tapping into a coaxial cable at any point on the network
• Mitigation
  – Protect the cable: bury it, run it inside walls, use tamperproof containers
  – Document the cable infrastructure
  – Investigate all outages
  – Inspect your cables regularly
  – Investigate undocumented hosts and connections

Network cabling security
• Twisted pair
  – Cutting or destroying cables
  – Noise from EMI or RFI; STP mitigates the impact of EMI and RFI
• Mitigation
  – Protect the cables
  – Protect the switches and patch panels
  – Document the cable infrastructure
  – Investigate all outages
  – Inspect your cables and infrastructure regularly
  – Investigate undocumented hosts and connections
• Eavesdropping
  – Using a protocol analyser or packet sniffer (requires a physical connection)
  – Splicing into a cable
  – Listening to electromagnetic emissions from the signals passing through the wire

Network cabling security
• Fiber optic cables
  – Bend or snap the cable
  – Any damage will disrupt the signal
• Eavesdropping
  – Virtually impossible: requires cutting the cable, polishing the ends and connecting a device
• Mitigation
  – Protect the cables
  – Protect the switches and patch panels
  – Document the cable infrastructure
  – Investigate all outages
  – Inspect your cables and infrastructure regularly
  – Investigate undocumented hosts and connections

Device security
• Compromising switches and bridges
  – If an attacker has physical access, he can disable a switch
  – Attach a computer to a span port, which receives all switch traffic
  – Transmit frames with a spoofed MAC address to corrupt the MAC address table
  – Flood the switch with frames to disrupt operations
• Gaining administrative access
  – Port mirroring: map the input and output of one or more ports to a single port to eavesdrop on communications
  – Change the MAC address table to redirect traffic
• ARP cache poisoning
  – Attacker can overwrite entries in the ARP cache, allowing the attacker to eavesdrop on or hijack a session

Securing switches and bridges
• Physical security
  – Limit physical access; use security personnel and monitoring (cameras)
• Protecting admin functions with passwords
  – Set complex passwords and change them routinely
  – Restrict access to a few staff
  – Manually enter ARP mappings on critical devices: servers, switches and bridges
  – Keep up to date with patches
  – Document configurations so you know what is normal and authorised
• Monitoring for security breaches
  – Monitor devices for unauthorised connections
  – Use ARPWATCH to monitor traffic and keep a record of MAC-to-IP address mappings

Securing routers
• Compromising routers
  – Susceptible to ARP cache poisoning
  – Routing tables can be changed either administratively or with incorrect routing updates
  – RIP spoofing: updating routing tables with bogus updates
  – ACLs can be changed if admin access is compromised
  – Insecure protocols and services could be enabled

Securing routers
• Keep routers in secure locations: locked server rooms and wiring closets
• Secure all physical connections to network segments
• Use security personnel and monitoring (cameras)
• Set complex passwords and change them regularly
• Keep up to date with the latest patches
• Restrict which staff have access and the locations access can come from
• Set ACLs to prevent inappropriate connections
• Set passwords for routing updates
• Disable insecure protocols and services
• Document and regularly review the network

Securing telecommunications
• Compromised by
  – Free long distance calls by changing billing records
  – Compromising or shutting down the organisation's voice mail system
  – Rerouting incoming, transferred or outgoing calls
  – Gaining access to voice mail boxes of employees

Securing PBX systems
• Vulnerabilities
  – Insecure or default passwords are used
  – Older PBX systems don't implement the latest security technology
  – Lack of knowledge and security procedures: social engineering
  – Remote management connections could be compromised
  – Unused floors and offices may have active connections
• Protecting PBX
  – Physically secure PBX equipment
  – Control access to the PBX wiring room and switching equipment
  – Document
  – Routinely check for unauthorised connections
  – Secure offsite transfers with passwords (for updates)
  – System exclusion lists to limit long distance calling
  – Shut down services not required during off days and hours
  – Educate users
  – Enforce a PBX password change and audit policy
  – Secure maintenance ports, limit entry ports, log all system access

Securing modems
Compromising modems
• Can be used to circumvent firewall security
• Can be used to provide direct access to internal computers
• War dialling to discover computers with modems attached
Mitigation
• Remove all unnecessary modems
• If a modem is required for outgoing calls, make sure it is configured not to accept incoming calls
• Software/security updates for computers with modems
• Monitor security bulletins
• Isolate computers with modems to limit the damage
• Monitor computers with modems to ensure they have not been compromised

Lesson summary
• What some TCP/IP layer attacks are, and security practices
• What some physical layer attacks are, and security practices
• Practices for securing network cabling and network devices, and the threats associated with them
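The "Securing switches and bridges" slide recommends manually entered ARP mappings on critical devices and an ARPWATCH-style monitor of MAC-to-IP mappings. This added example (not part of the slides or of the arpwatch project) shows the core of such a monitor: pinned entries for critical hosts are never overwritten, learned entries are reported when they first appear or change. The ARP replies are constructed sample data.

```python
# Added example: arpwatch-style MAC-to-IP monitor. Pinned (static) entries
# model the manually entered ARP mappings the slide recommends for critical
# devices; everything else is learned and reported on change.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ArpMonitor:
    static: Dict[str, str] = field(default_factory=dict)   # ip -> expected mac
    learned: Dict[str, str] = field(default_factory=dict)  # ip -> last seen mac

    def observe(self, ip: str, mac: str) -> Optional[str]:
        """Record one ARP reply; return an alert string if it is suspicious."""
        mac = mac.lower()
        pinned = self.static.get(ip)
        if pinned is not None:
            # A reply claiming a pinned IP with a different MAC is the classic
            # sign of ARP cache poisoning against a gateway or server.
            if mac != pinned:
                return f"STATIC MISMATCH {ip}: expected {pinned}, saw {mac}"
            return None
        previous = self.learned.get(ip)
        if previous is None:
            self.learned[ip] = mac
            return f"NEW STATION {ip} is-at {mac}"
        if previous != mac:
            self.learned[ip] = mac
            return f"CHANGED {ip}: {previous} -> {mac}"
        return None


# Constructed sample of ARP replies (ip, mac) seen on one segment.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway, pinned below: fine
    ("10.0.0.20", "00:11:22:33:44:20"),  # first sighting of a host
    ("10.0.0.20", "00:11:22:33:44:20"),  # repeat, no alert
    ("10.0.0.1", "de:ad:be:ef:00:01"),   # someone else claims the gateway IP
    ("10.0.0.20", "de:ad:be:ef:00:20"),  # learned host changed MAC
]


def run_sample() -> List[str]:
    mon = ArpMonitor(static={"10.0.0.1": "00:11:22:33:44:01"})
    return [a for ip, mac in SAMPLE_REPLIES if (a := mon.observe(ip, mac))]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```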
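The "Internet layer attacks" slide notes that a manipulated fragment offset field can make a datagram reassemble incorrectly or slip past a firewall. This added example (not from the slides) is a reassembly sanity check a firewall or IDS can apply before accepting a fragment set: it reports overlaps, gaps and a missing or misplaced final fragment. The fragment sets are constructed; offsets are in 8-byte units as in the IPv4 header.

```python
# Added example: sanity-check a set of IPv4 fragments before reassembly.
# A fragment is (offset_in_8_byte_units, payload_length_bytes, more_fragments).
from typing import List, Tuple

Fragment = Tuple[int, int, bool]


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return a list of problems; an empty list means the set reassembles cleanly."""
    problems: List[str] = []
    ordered = sorted(frags, key=lambda f: f[0])
    expected_start = 0  # next byte we expect to see filled in
    for idx, (off_units, length, more) in enumerate(ordered):
        start, end = off_units * 8, off_units * 8 + length
        if more and length % 8 != 0:
            problems.append(f"fragment {idx}: non-final length {length} not a multiple of 8")
        if start < expected_start:
            # Later data rewriting earlier bytes: the offset manipulation the
            # slide describes, which can hide a header the firewall already checked.
            problems.append(f"fragment {idx}: overlaps previous data ({start} < {expected_start})")
        elif start > expected_start:
            problems.append(f"fragment {idx}: gap before offset {start}")
        if not more and idx != len(ordered) - 1:
            problems.append(f"fragment {idx}: MF=0 but later fragments exist")
        expected_start = max(expected_start, end)
    if ordered and ordered[-1][2]:
        problems.append("last fragment has MF=1; final fragment missing")
    return problems


# Constructed fragment sets for a 58-byte datagram payload.
CLEAN = [(0, 24, True), (3, 24, True), (6, 10, False)]
# Second fragment's offset pulled back so it rewrites bytes 8..47 of the first.
OVERLAP = [(0, 24, True), (1, 40, True), (6, 10, False)]
# Middle fragment never arrives (or was filtered), leaving a hole.
MISSING = [(0, 24, True), (6, 10, False)]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP), ("missing", MISSING)):
        print(name, check_fragments(frags) or "ok")
```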