Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition Chapter 4 Network Traffic Signatures

Objectives
- Describe the concepts of signature analysis
- Detect normal and suspicious traffic signatures
- Identify suspicious events
- Explain the Common Vulnerabilities and Exposures (CVE) standard
Guide to Network Defense and Countermeasures, Second Edition

Understanding Signature Analysis
- Signature: a set of characteristics used to define a type of network activity
- Intrusion detection devices take one of two approaches
  - Anomaly-based devices assemble a database of "normal" traffic signatures; deviations from that baseline trigger an alarm
  - Signature-based devices refer to a database of well-known attack signatures; traffic that matches a stored signature triggers an alarm
- Both approaches produce false positives (benign traffic flagged) and false negatives (attacks missed); tuning is the trade-off between the two

Understanding Signature Analysis (continued)
- Signature analysis examines TCP/IP communications and determines whether they are legitimate or suspicious
- Bad header information is a common way in which packets are altered
- Suspicious signatures can include malformed values in
  - Source and destination IP address
  - Source and destination port number
  - IP options, protocol number, and checksums
  - IP fragmentation flags, offset, or identification

Understanding Signature Analysis (continued)
- Bad header information: checksum
  - A simple error-checking value computed with a fixed formula over the header
  - Lets the receiver determine whether a message was damaged in transit; because anyone can recompute it, it catches accidental corruption, not deliberate tampering
  - A working stack never emits a header whose checksum disagrees with its contents, so a mismatch is itself a signature
- Suspicious data payload
  - Payload: the actual data sent from an application on one computer to an application on another
  - Some IDSs check for specific strings in the payload
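The header checks above, as an added example that is not part of the book's slides: the code parses a raw IPv4 header, verifies the Internet checksum, and reports values a legitimate sender never produces (bad checksum, source equal to destination, a loopback source arriving from the network, DF set on a fragment). The sample headers are constructed inline with a small builder; the addresses, IDs and TTLs are arbitrary assumptions, not captured traffic.

```python
import struct

# Added example (not from the book): parse an IPv4 header, verify its checksum,
# and report header values a working TCP/IP stack would never produce.
# All packets here are constructed inline; nothing is captured from a network.

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (the Internet checksum).
    Run over a header whose checksum field is already filled in, it returns 0
    when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int,
                      ident: int = 0x1234, flags: int = 0b010, frag_off: int = 0,
                      ttl: int = 64) -> bytes:
    """Assemble a 20-byte header (no options) with a correct checksum.
    flags is the 3-bit field reserved/DF/MF (0b010 = DF set)."""
    def ip(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident,
                      (flags << 13) | frag_off, ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = ver_ihl & 0x0F
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,                              # header length in 32-bit words
        "total_len": total_len,
        "id": ident,
        "reserved_flag": bool(flags_frag & 0x8000),
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_off": flags_frag & 0x1FFF,         # in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "csum": csum,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "csum_ok": ihl >= 5 and ipv4_checksum(packet[:ihl * 4]) == 0,
    }


def ipv4_findings(h: dict) -> list:
    """Header-level signatures: each is something no legitimate sender emits."""
    out = []
    if h["version"] != 4:
        out.append("version is not 4")
    if h["ihl"] < 5:
        out.append("header length below 20 bytes")
    if not h["csum_ok"]:
        out.append("header checksum mismatch")
    if h["src"] == h["dst"]:
        out.append("source equals destination (Land attack)")
    if h["src"].startswith("127."):
        out.append("loopback source address from the network")
    if h["reserved_flag"]:
        out.append("reserved fragmentation flag set")
    if h["df"] and (h["mf"] or h["frag_off"]):
        out.append("DF set on a fragment")
    return out


# Constructed samples (assumed addresses, not real traffic)
GOOD = build_ipv4_header("10.0.0.1", "10.0.0.2", 6, 40)
CORRUPT = GOOD[:8] + bytes([GOOD[8] - 1]) + GOOD[9:]   # TTL changed, checksum not
LAND = build_ipv4_header("10.0.0.2", "10.0.0.2", 6, 40)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("corrupt", CORRUPT), ("land", LAND)):
        print(name, ipv4_findings(parse_ipv4(pkt)) or "no findings")
```

The checksum verifier deliberately recomputes over the header with its checksum field still in place: a correct header folds to all ones and complements to zero, so a single `== 0` test covers both the "damaged in transit" and the "deliberately malformed" cases without storing the expected value separately.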

Understanding Signature Analysis (continued)
- Suspicious data payload: known attacks
  - Hack'a'Tack Trojan program
  - Flaw in the UNIX Sendmail program
- Single-packet attacks
  - Also called "atomic attacks"
  - Completed by sending a single network packet from client to host
  - Does not need a connection to be established, so the source address can be spoofed freely
  - Changes to IP option settings can cause a server to freeze up


Understanding Signature Analysis (continued)
- Multiple-packet attacks
  - Also called "composite attacks"
  - Require a series of packets to be received and processed for the attack to be completed
  - Especially difficult to detect: the sensor must keep state across packets instead of judging each one alone
  - Denial-of-service (DoS) attacks are obvious examples, such as an ICMP flood

Capturing Packets
- Packet sniffer: software or hardware that monitors traffic going into or out of a network device
  - Captures information about each TCP/IP packet it sees
- Capturing packets and studying them can help you better understand what makes up a signature


Capturing Packets (continued)
- Packet sniffer examples
  - Snort (an IDS that can also run as a plain sniffer and packet logger)
  - Ethereal (since renamed Wireshark)
  - Tcpdump


Detecting Traffic Signatures
- You need to be able to decide whether observed traffic is normal or suspicious
- Network baselining: the process of determining what is normal for your network; you must do this before you can identify anomalies

Normal Traffic Signatures
- TCP flags and their bit values in the flags byte
  - FIN (0x01)
  - SYN (0x02)
  - RST (0x04)
  - PSH (0x08)
  - ACK (0x10)
  - URG (0x20)
- The placement and use of these flags in a normal connection are well defined (a connection opens with SYN, then SYN/ACK, then ACK)
- Deviations from normal use mean that the communication is suspicious

Normal Traffic Signatures (continued)
- Ping signatures: the sequence of packets (an ICMP echo request answered by an ICMP echo reply) is shown in the next slides


Normal Traffic Signatures (continued)
- FTP signatures: the sequence of packets is shown in the next slides
  - A normal connection signature begins with the three-way handshake


Normal Traffic Signatures (continued)
- Web signatures
  - Most of the signatures in log files are Web related
  - Normal communication consists of a sequence of packets distinguished by their TCP flags


Suspicious traffic signatures
- Categories
  - Informational: traffic that might not be malicious on its own
  - Reconnaissance: an attacker's attempt to gain information about the network
  - Unauthorized access: traffic caused by someone who has gained unauthorized access
  - Denial of service: traffic that might itself be part of a more complex attack

Suspicious traffic signatures (continued)
- Ping sweeps
  - Also called an ICMP sweep
  - Used by attackers to determine which hosts in an address range are live
  - Attacker sends a series of ICMP echo request packets, one to each address in the range
  - A ping sweep alone does no harm, but it is usually the first step before a port scan


Suspicious traffic signatures (continued)
- Port scans
  - Attempt to connect to a computer's ports to see whether any are active and listening
  - Signature typically includes a SYN packet sent to each port from one source in a short time; the reply (SYN/ACK for open, RST for closed, nothing for filtered) tells the scanner the port's state


Suspicious traffic signatures (continued)
- Random back door scan
  - Probes a computer to see whether any ports used by well-known Trojan programs are open and listening
- Trojan programs: applications that seem to be harmless but can cause harm to a computer or its files


Suspicious traffic signatures (continued)
- Specific Trojan scans
  - Port scans can be performed in several ways
    - Vanilla scan: probes all 65,536 ports, from 0 to 65,535
    - Strobe scan: probes only the ports commonly used by specific programs
  - Can be used to detect whether a Trojan program is already installed and running


Suspicious traffic signatures (continued)
- Nmap scans
  - Network Mapper (Nmap) is a popular software tool for scanning networks
  - Some Nmap scan types are built to slip past IDS and firewall rules that only watch for SYN packets
  - Examples of Nmap scans
    - SYN scan (half-open; the handshake is never completed)
    - FIN scan
    - ACK scan (maps firewall rules rather than open ports)
    - Null scan (no flags set)
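The ping sweep, port scan and Nmap stealth-scan signatures from the slides above, as an added detector that is not part of the book: it keeps a sliding window per source, raises one alert when a source pings enough distinct hosts or SYN-probes enough distinct ports on one host, and flags flagless or FIN/Xmas segments immediately because no real stack sends those as connection openers. ACK scans are not covered, since telling a bare ACK probe from a real connection requires tracking connection state. The packet summaries, thresholds and window are constructed assumptions; tune the thresholds against your own baseline.

```python
from collections import defaultdict

# Added example (not from the book): a small stateful detector for the
# reconnaissance signatures described above, run over constructed packet
# summaries rather than a capture. Thresholds and window are assumptions.

WINDOW = 5.0            # seconds of history kept per source
SWEEP_HOSTS = 5         # distinct hosts pinged by one source inside WINDOW
SCAN_PORTS = 10         # distinct ports SYN-probed on one host inside WINDOW
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def detect(events: list) -> list:
    """events: dicts with t, src, dst, proto ('icmp' or 'tcp'); icmp events carry
    'type', tcp events carry 'dport' and 'flags' (a set of flag names).
    Returns the alert strings in time order."""
    alerts = []
    echo = defaultdict(list)    # src -> [(t, dst)] echo requests
    syn = defaultdict(list)     # (src, dst) -> [(t, dport)] bare SYNs
    fired = set()               # one alert per (kind, key) to avoid alert floods
    for ev in sorted(events, key=lambda e: e["t"]):
        t, src, dst = ev["t"], ev["src"], ev["dst"]
        if ev["proto"] == "icmp" and ev.get("type") == 8:        # echo request
            echo[src].append((t, dst))
            hosts = {d for ts, d in echo[src] if t - ts <= WINDOW}
            if len(hosts) >= SWEEP_HOSTS and ("sweep", src) not in fired:
                fired.add(("sweep", src))
                alerts.append(f"ping sweep from {src}: {len(hosts)} hosts within {WINDOW}s")
        elif ev["proto"] == "tcp":
            flags = set(ev["flags"])
            if not flags & TCP_FLAGS:
                # a flagless segment never occurs in real traffic (Nmap -sN)
                alerts.append(f"null scan from {src} to {dst}:{ev['dport']}")
            elif flags <= {"FIN", "PSH", "URG"}:
                # FIN/PSH/URG without ACK never occurs in a real connection (Nmap -sF/-sX)
                alerts.append(f"FIN/Xmas scan from {src} to {dst}:{ev['dport']}")
            elif flags == {"SYN"}:
                syn[(src, dst)].append((t, ev["dport"]))
                ports = {p for ts, p in syn[(src, dst)] if t - ts <= WINDOW}
                if len(ports) >= SCAN_PORTS and ("scan", (src, dst)) not in fired:
                    fired.add(("scan", (src, dst)))
                    alerts.append(f"SYN port scan from {src} to {dst}: "
                                  f"{len(ports)} ports within {WINDOW}s")
    return alerts


def sample_events() -> list:
    """Constructed traffic: one scanner (10.0.0.99) and one ordinary client (10.0.0.20)."""
    ev = []
    # ping sweep of 10.0.0.1 through 10.0.0.8, one echo request every 100 ms
    for i in range(8):
        ev.append({"t": 0.1 * i, "src": "10.0.0.99", "dst": f"10.0.0.{i + 1}",
                   "proto": "icmp", "type": 8})
    # an echo reply (type 0) from a live host must not count toward the sweep
    ev.append({"t": 0.15, "src": "10.0.0.1", "dst": "10.0.0.99", "proto": "icmp", "type": 0})
    # SYN scan of common ports on 10.0.0.5
    for j, port in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445]):
        ev.append({"t": 1.0 + 0.05 * j, "src": "10.0.0.99", "dst": "10.0.0.5",
                   "proto": "tcp", "dport": port, "flags": {"SYN"}})
    # stealth probes against one port
    ev.append({"t": 3.0, "src": "10.0.0.99", "dst": "10.0.0.5", "proto": "tcp",
               "dport": 22, "flags": set()})
    ev.append({"t": 3.1, "src": "10.0.0.99", "dst": "10.0.0.5", "proto": "tcp",
               "dport": 22, "flags": {"FIN", "PSH", "URG"}})
    # ordinary client: two connections and a normal ACK, well under threshold
    ev.append({"t": 2.0, "src": "10.0.0.20", "dst": "10.0.0.5", "proto": "tcp",
               "dport": 443, "flags": {"SYN"}})
    ev.append({"t": 2.2, "src": "10.0.0.20", "dst": "10.0.0.5", "proto": "tcp",
               "dport": 80, "flags": {"SYN"}})
    ev.append({"t": 2.3, "src": "10.0.0.20", "dst": "10.0.0.5", "proto": "tcp",
               "dport": 80, "flags": {"ACK"}})
    return ev


def run_sample() -> list:
    return detect(sample_events())


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The `fired` set is what keeps a sweep of a /16 from producing thousands of alerts; a real sensor would also expire entries older than the window instead of recomputing the set on every packet.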


Identifying Suspicious Events
- Attackers avoid launching well-known attacks and use waiting intervals between packets to fool detection systems
- Reviewing log files manually can be overwhelming, but you must check them and identify potential attacks
- You can use IDSs to help you with this task; IDSs depend on extensive databases of attack signatures

Packet Header Discrepancies
- Falsified IP address
  - Attacker can insert a false source address into the IP header to make the packet more difficult to trace back
  - Also known as IP spoofing
- Falsified port number or protocol
  - Protocol numbers can also be altered
- Illegal TCP flags
  - Look at the TCP flags for violations of normal usage
  - Examples of SYN and FIN flag misuse: SYN/FIN, SYN/FIN/PSH, SYN/FIN/RST, SYN/FIN/RST/PSH

Packet Header Discrepancies (continued)
- TCP or IP options
  - TCP options can alert you to an attack
  - Only one MSS option should appear in a segment
  - MSS and SackOK are negotiated at connection setup, so they belong only in segments with the SYN flag set (SYN or SYN/ACK); NOP is padding and may appear in any segment
  - The TCP header has reserved bits that should be zero (RFC 793 reserved six; RFC 3168 later assigned two of them to ECN, so those two can legitimately be set)
- IP options
  - Originally intended as a way to insert special handling instructions into packets (source routing, for example)
  - Rarely needed by legitimate traffic today; attackers mostly use IP options for attack attempts
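The TCP flag table, the illegal flag combinations and the option rules from the last three slides, as one added example that is not the book's code: it parses a TCP header from raw bytes, walks the option list defensively, and reports SYN/FIN, null, FIN/Xmas, reserved bits, duplicate MSS, and setup-only options appearing outside a SYN. Segments are constructed inline with a helper; the TCP checksum field is left at zero because computing it needs the IP pseudo-header, which this example does not cover. Window scale (kind 3) is included with MSS and SackOK as a setup-only option; that goes one step beyond the slide.

```python
import struct

# Added example (not from the book): parse a TCP header and apply the flag and
# option rules above. Segments are constructed inline; their checksum is zero.

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
CORE_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
SYN_ONLY_OPTIONS = {2: "MSS", 3: "WScale", 4: "SackOK"}   # negotiated only at setup
EOL, NOP = 0, 1


def decode_flags(byte: int) -> set:
    return {name for name, bit in FLAG_BITS.items() if byte & bit}


def parse_tcp_options(raw: bytes) -> list:
    """Return [(kind, value_bytes)], stopping at EOL. A bad length byte is
    reported as ('malformed', rest) instead of being trusted."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            break
        if kind == NOP:
            opts.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            opts.append(("malformed", raw[i:]))
            break
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    data_off = off_res >> 4                       # header length in 32-bit words
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "data_off": data_off,
        "reserved": off_res & 0x0F,               # low nibble: reserved bits
        "flags": decode_flags(flags),
        "options": parse_tcp_options(segment[20:data_off * 4]) if data_off > 5 else [],
    }


def tcp_findings(t: dict) -> list:
    f = t["flags"]
    out = []
    if t["data_off"] < 5:
        out.append("data offset below 5 words")
    if {"SYN", "FIN"} <= f:
        out.append("SYN and FIN set together")
    if {"SYN", "RST"} <= f:
        out.append("SYN and RST set together")
    if not f & CORE_FLAGS:
        out.append("no flags set (null scan)")
    if f & {"FIN", "PSH", "URG"} and not f & {"ACK", "SYN", "RST"}:
        out.append("FIN/PSH/URG without ACK (FIN or Xmas scan)")
    if t["reserved"]:
        out.append("reserved header bits set")
    kinds = [k for k, _ in t["options"]]
    if "malformed" in kinds:
        out.append("malformed option list")
    if kinds.count(2) > 1:
        out.append("more than one MSS option")
    if "SYN" not in f:
        for k in kinds:
            if k in SYN_ONLY_OPTIONS:
                out.append(f"{SYN_ONLY_OPTIONS[k]} option in non-SYN segment")
    return out


def build_tcp(sport: int, dport: int, flags: int, options: bytes = b"",
              reserved: int = 0) -> bytes:
    """Constructed segment with the given flags byte and raw option bytes."""
    opts = options + b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    data_off = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0x11223344, 0,
                       (data_off << 4) | reserved, flags, 65535, 0, 0) + opts


MSS_1460, SACK_OK = b"\x02\x04\x05\xb4", b"\x04\x02"
SAMPLES = {
    "normal SYN": build_tcp(40000, 80, FLAG_BITS["SYN"], MSS_1460 + SACK_OK + b"\x01\x01"),
    "SYN/FIN": build_tcp(40000, 80, FLAG_BITS["SYN"] | FLAG_BITS["FIN"]),
    "null": build_tcp(40000, 80, 0),
    "Xmas": build_tcp(40000, 80, FLAG_BITS["FIN"] | FLAG_BITS["PSH"] | FLAG_BITS["URG"]),
    "ACK with MSS": build_tcp(40000, 80, FLAG_BITS["ACK"], MSS_1460),
    "SYN, two MSS": build_tcp(40000, 80, FLAG_BITS["SYN"], MSS_1460 + MSS_1460),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:14} {tcp_findings(parse_tcp(seg)) or 'no findings'}")
```

The option walker is the part worth copying: a length byte of 0 or 1, or one that runs past the header, is exactly the kind of malformed value the slide warns about, and a naive loop that trusts it either spins forever or reads past the buffer.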

Packet Header Discrepancies (continued)
- Fragmentation abuses
  - Maximum transmission unit (MTU): the maximum packet size that can be transmitted over a network link
  - Packets larger than the MTU must be fragmented: broken into multiple fragments small enough for the link to handle, each carrying the same IP identification and its own offset
  - Overlapping fragments
  - Fragments that are too long (reassembling to more than 65,535 bytes) or too small (a first fragment too short to hold the transport header)
  - Fragments overwriting data already received
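The fragmentation abuses just listed, as an added checker that is not part of the book: given the fragments of one datagram (same source, destination, protocol and ID) as offset, more-fragments flag and payload length, it reports oversize reassembly, non-final fragments whose length is not a multiple of 8, a first fragment too small to carry a full TCP header (the tiny-fragment trick of RFC 1858), and any fragment whose byte range overlaps one already seen. The fragment sets are constructed; a real sensor would first group captured fragments by that four-tuple.

```python
# Added example (not from the book): anomaly checks over the fragments of one
# IP datagram. Inputs are constructed lists, not captured traffic.

MAX_DATAGRAM = 65535      # largest value the 16-bit total-length field allows
MIN_FIRST_FRAGMENT = 20   # a full TCP header; assumption for the tiny-fragment rule


def fragment_findings(frags: list) -> list:
    """frags: dicts {"offset": <8-byte units>, "mf": <bool>, "length": <payload bytes>}
    belonging to one datagram. Returns a list of finding strings (empty = normal)."""
    out = []
    seen = []                                   # (start, end) byte ranges already covered
    for fr in sorted(frags, key=lambda f: f["offset"]):
        start = fr["offset"] * 8
        end = start + fr["length"]
        if end > MAX_DATAGRAM:
            out.append(f"fragment at {start} extends datagram to {end} bytes (> {MAX_DATAGRAM})")
        if fr["mf"] and fr["length"] % 8:
            out.append(f"non-final fragment at {start} has length {fr['length']} (not a multiple of 8)")
        if start == 0 and fr["mf"] and fr["length"] < MIN_FIRST_FRAGMENT:
            out.append(f"tiny first fragment ({fr['length']} bytes) cannot hold a full TCP header")
        for s, e in seen:
            if start < e and s < end:           # half-open interval overlap
                out.append(f"fragment {start}-{end} overlaps earlier fragment {s}-{e}")
                break
        seen.append((start, end))
    if not any(not f["mf"] for f in frags):
        out.append("no final fragment seen (incomplete datagram)")
    return out


# Constructed fragment sets
NORMAL = [{"offset": 0, "mf": True, "length": 1480},
          {"offset": 185, "mf": False, "length": 520}]          # 185*8 = 1480: contiguous
OVERLAP = [{"offset": 0, "mf": True, "length": 1480},
           {"offset": 100, "mf": False, "length": 1000}]        # starts at 800, inside the first
OVERSIZE = [{"offset": 0, "mf": True, "length": 1480},
            {"offset": 8190, "mf": False, "length": 100}]       # 65520 + 100 > 65535
TINY = [{"offset": 0, "mf": True, "length": 8},
        {"offset": 1, "mf": False, "length": 1472}]             # TCP flags land in fragment 2

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("overlap", OVERLAP),
                        ("oversize", OVERSIZE), ("tiny", TINY)):
        print(name, fragment_findings(frags) or "no findings")
```

Overlap is reported rather than resolved on purpose: which bytes win when fragments overlap depends on the receiving stack, which is exactly why an IDS that reassembles differently from the target can be evaded.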

Advanced Attacks
- Advanced IDS evasion techniques
  - Polymorphic buffer overflow attack
    - Uses a tool called ADMutate
    - Encodes an attack's shellcode so the bytes on the wire differ from the known signature many IDSs use
    - On the target, a decoder stub restores the original shellcode in memory before it runs
  - Path obfuscation
    - Directory path in the payload is obfuscated by using multiple forward slashes
    - Alternatively, it can use an overlong UTF-8 encoding of the forward slash, %c0%af, which a lax decoder accepts as "/"
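The path-obfuscation evasion above, as an added example that is not the book's code: a naive substring signature misses "/cgi-bin///Count.cgi" or "/cgi-bin/%c0%afCount.cgi", so the sensor must normalize the request path the way a lax server would (percent-decode, accept overlong UTF-8, collapse repeated slashes, resolve dot segments) and match the signature against the result. The signature string reuses the Count.cgi name from the next slide; the request paths are constructed, and the decision to treat an encoded %2F as a path separator is an assumption made so that the signature sees what a permissive server would.

```python
from urllib.parse import unquote_to_bytes

# Added example (not from the book): normalize an obfuscated URL path before
# matching it against a content signature. Paths below are constructed.

def decode_percent_with_overlong(raw: str):
    """Percent-decode and then decode UTF-8 by hand so that overlong forms a
    strict decoder rejects (e.g. %c0%af for '/') are accepted and reported.
    Returns (text, notes)."""
    data = unquote_to_bytes(raw)
    out, notes, i = [], [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                                           # plain ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:                                      # fits in 1 byte: overlong
                notes.append(f"overlong 2-byte encoding of {chr(cp)!r}")
            out.append(chr(cp))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < len(data)
              and all(data[i + k] & 0xC0 == 0x80 for k in (1, 2))):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            if cp < 0x800:                                     # fits in 2 bytes: overlong
                notes.append(f"overlong 3-byte encoding of {chr(cp)!r}")
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")
            notes.append(f"undecodable byte 0x{b:02x}")
            i += 1
    return "".join(out), notes


def normalize_path(raw: str):
    """Canonical form of a request path: query stripped, percent-decoded
    (encoded slashes treated as separators, an assumption), repeated slashes
    collapsed, '.' and '..' segments resolved. Returns (path, notes)."""
    text, notes = decode_percent_with_overlong(raw.split("?", 1)[0])
    text = text.replace("\\", "/")
    if "//" in text:
        notes.append("repeated slashes collapsed")
    parts = []
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            notes.append("dot-dot segment resolved")
            continue
        parts.append(seg)
    return "/" + "/".join(parts), notes


def match_signature(raw: str, signature: str = "/cgi-bin/Count.cgi") -> dict:
    """Compare a naive substring check with a check over the normalized path."""
    path, notes = normalize_path(raw)
    return {"raw_match": signature in raw, "normalized": path,
            "normalized_match": path == signature, "notes": notes}


OBFUSCATED = [                                                # constructed requests
    "/cgi-bin/Count.cgi",
    "/cgi-bin///Count.cgi",
    "/cgi-bin/%c0%afCount.cgi",
    "/cgi-bin/./tmp/../Count.cgi",
    "%2Fcgi-bin%2FCount.cgi?page=1",
]

if __name__ == "__main__":
    for req in OBFUSCATED:
        r = match_signature(req)
        print(f"{req:32} raw={r['raw_match']!s:5} normalized={r['normalized_match']!s:5} {r['notes']}")
```

Note what the decoder does not do: it runs a single decoding pass, so a double-encoded "%252f" still reads as the literal text "%2f" afterwards. Whether to decode again is a policy decision that should mirror the servers being protected, because normalizing more aggressively than the target is its own source of false positives.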

Advanced Attacks (continued)
- Advanced IDS evasion techniques: Common Gateway Interface (CGI) scripts
  - Scripts used to process data submitted over the Internet
  - Examples
    - Count.cgi
    - FormMail
    - AnyForm
    - Php.cgi
    - TextCounter
    - GuestBook

Remote Procedure Calls
- Remote Procedure Call (RPC): a standard set of communication rules that allows one computer to request a service from another computer on a network
- Portmapper (rpcbind, listening on port 111)
  - Maintains a record of each remotely accessible RPC program and the port it uses
  - Converts RPC program numbers into TCP/IP port numbers for clients that ask

Remote Procedure Calls (continued)
- RPC-related security events
  - RPC dump: targeted host receives an RPC dump request (a query for the complete list of registered programs and their ports)
  - RPC set spoof: targeted host receives an RPC set request from a source IP address of 127.x.x.x (a loopback address that should never arrive from the network)
  - RPC NFS sweep: targeted host receives a series of requests for the Network File System (NFS) on different ports

Using the Common Vulnerabilities and Exposures (CVE) Standard
- Make sure your security devices share information and coordinate with one another
- Each device uses its own "language" for naming vulnerabilities
- Common Vulnerabilities and Exposures (CVE) gives each publicly known vulnerability one standard identifier, so devices and tools can share information using the same names

How the CVE Works
- CVE lets hardware and software from different vendors refer to the same list of vulnerabilities
- Benefits
  - Stronger security: an alert from one product can be matched to a scan result or a patch in another
  - Better performance


Scanning CVE Vulnerability Descriptions
- You can view current CVE vulnerabilities online and even download the list
- The CVE list is not a vulnerability database that can be loaded into an IDS; it is a dictionary of names and short descriptions
- Information in a CVE entry
  - Name (identifier) of the vulnerability
  - Short description
  - References to the same issue in other databases, such as BUGTRAQ


Summary
- Interpreting network traffic signatures can help prevent network intrusions
- Analysis of traffic signatures is an integral aspect of intrusion prevention; possible intrusions are marked by invalid settings in the packet headers
- Packet sniffers capture packets, let you learn what normal traffic signatures look like, and help identify signatures of suspicious connection attempts

Summary (continued)
- Suspicious network events
  - "Orphaned" packets (packets that belong to no established connection)
  - Land attacks (source and destination address are the same)
  - Localhost source spoof (source address in 127.x.x.x)
  - Falsified protocol numbers
  - Illegal combinations of TCP flags
- Advanced attacks are difficult to detect without a database of intrusion signatures or user behaviors

Summary (continued)
- Advanced attack methods include exploiting CGI vulnerabilities and misusing Remote Procedure Calls
- Common Vulnerabilities and Exposures (CVE) enables security devices to share attack signatures and information about network vulnerabilities under common names