Chapter 6 Network Security

Chapter 6 Network Security
Modified 9/11/2015-jw

Objectives List the different types of network security devices and explain how they can be used Define network address translation and network access control Explain how to enhance security through network design

Network Security Fundamentals
Once information security and network security were virtually synonymous The network was viewed as the protecting wall around which client computers could be kept safe But this approach is untenable: too many entry points that circumvent the network and allow malware to enter: Infected USB flash drive Malware take advantage of common network protocols (HTTP), and could not always be detected or blocked by network security devices Network Security Fundamentals Once information security and network security were virtually synonymous The network was viewed as the protecting wall around which client computers could be kept safe But this approach is untenable: too many entry points that circumvent the network and allow malware to enter: Infected USB flash drive Malware take advantage of common network protocols (HTTP), and could not always be detected or blocked by network security devices

Network Security Posture
Yet having secure network is essential to comprehensive information security posture: Not all applications are designed and written with security and reliability in mind, so falls to network to provide protection Network-delivered services can scale better for larger environments and can complement server and application functionality Attacker who can successfully penetrate computer network may have access to thousands of desktop systems, servers, and storage devices Network Security Posture Yet having secure network is essential to comprehensive information security posture: Not all applications are designed and written with security and reliability in mind, so falls to network to provide protection Network-delivered services can scale better for larger environments and can complement server and application functionality Attacker who can successfully penetrate computer network may have access to thousands of desktop systems, servers, and storage devices

Network Security Strategy
Secure network defense still remains critical element in any organization’s security plan Organizations should make network defenses one of first priorities in protecting information Network security strategy: Network devices Network technologies Design of the network Network Security Strategy Secure network defense still remains critical element in any organization’s security plan Organizations should make network defenses one of first priorities in protecting information Network security strategy: Network devices Network technologies Design of the network

Security Through Network Devices
Not all applications designed, written with security in mind Network must provide protection Networks with weak security invite attackers

Standard Network Devices
Aspects of building a secure network Network devices Network technologies Design of the network itself Security features found in network hardware only provide a basic level of security

Standard Network Devices
Open systems interconnection (OSI) reference model Network devices classified based on function Standards released in 1978, revised in 1983, still used today Illustrates: How network device prepares data for delivery How data is handled once received

Standard Network Devices (cont’d.)
OSI model breaks networking steps into seven layers Each layer has different networking tasks Each layer cooperates with adjacent layers

Security+ Guide to Network Security Fundamentals, Forth Edition
Table 6-1 OSI reference model Security+ Guide to Network Security Fundamentals, Forth Edition

Hubs Connect multiple Ethernet devices together: To function as a single network segment Use coaxial, twisted-pair copper or fiber-optic cables Operate at Layer 1 of the OSI model Do not read data passing through them Ignorant of data source and destination Rarely used today because of inherent security vulnerability

Switches Network switch connects network segments Operate at Data Link Layer (Layer 2) Determine which device is connected to each port Can forward frames sent to that specific device Or broadcast to all devices Use MAC address to identify devices Provide better security than hubs

Network administrator should be able to monitor network traffic Helps identify and troubleshoot network problems Traffic monitoring methods Use a switch with port mirroring Copies all traffic to a designated monitoring port on the switch Security Issue!

Traffic monitoring methods (cont’d) Install a network tap (test access point) A device that installed between two network devices, such as a switch, router, or firewall, to monitor traffic

Build your own for $14.99!

Network Attacks

Spoofing attacks (Discussed in CCNP)
DHCP starvation and DHCP spoofing An attacking device can exhaust the address space available to the DHCP servers for a period of time or establish itself as a DHCP server in man-in-the-middle attacks Solution DHCP snooping

Spanning tree compromises Attacking device spoofs the root bridge in the STP topology. If successful, the network attacker can see a variety of frames. Solution Proactively configure the primary and backup root devices. Enable root guard.

MAC spoofing Attacking device spoofs the MAC address of a valid host currently in the CAM table. Switch then forwards frames destined for the valid host to the attacking device. Solution DHCP snooping Port security

Address Resolution Protocol (ARP) spoofing Attacking device crafts ARP replies intended for valid hosts. The attacking device’s MAC address then becomes the destination address found in the Layer 2 frames sent by the valid network device. Solution Dynamic ARP Inspection DHCP snooping Port security

Attacks on switch devices
Cisco Discovery Protocol (CDP) manipulation Information sent through CDP is transmitted in clear text and unauthenticated, allowing it to be captured and divulge network topology information. Solution Disable CDP on all ports where it is not intentionally used.

Attacks on switch devices
Secure Shell Protocol (SSH) and Telnet attacks Telnet packets can be read in clear text. SSH is an option but has security issues in version 1. Solution SSH version 2. Telnet with virtual type terminal (VTY) ACLs.

MAC layer attacks MAC address flooding Solution
Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space, disallowing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports. Solution Port security (lock MAC Addresses to specific MAC address VLAN access maps

MAC Layer Attacks Common Layer 2 or switch attack (“as of this writing”) Launched for the malicious purpose of: Collecting a broad sample of traffic or Denial of Service (DoS) attack.

MAC Layer Attacks Many Switch’s CAM tables are limited in size (1,024 to over 16,000 entries). Tools such as dsniff can flood the CAM table in just over 1 minute.

dniff: http://www.monkey.org/~dugsong/dsniff/
“dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, , files, etc.).” “arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching).” “sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.” “I wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of most network application protocols. Please do not abuse this software.”

MAC Flooding switches with dsniff
dsniff-2.3]# ./macof > TCP D=55934 S=322 Syn Seq= Len=0 Win=512 > TCP D=44686 S=42409 Syn Seq= Len=0 Win=52 > TCP D=59038 S=21289 Syn Seq= Len=0 Win2 > TCP D=7519 S=34044 Syn Seq= Len=0 Win2 > TCP D=62807 S=53618 Syn Seq= Len=0 Win2 > TCP D=23929 S=51034 Syn Seq= Len=0 Wi2 > TCP D=1478 S=56820 Syn Seq= Len=0 Win=512 > TCP D=38433 S=31784 Syn Seq= Len=0 Win2 > TCP D=42232 S=31424 Syn Seq= Len=0 Win=52 > TCP D=56224 S=34492 Syn Seq= Len=0 Win=52 > TCP D=23840 S=45783 Syn Seq= Len=0 2 > TCP D=3453 S=4112 Syn Seq= Len=0 Win=512 > TCP D=12959 S=42911 Syn Seq= Len=0 W2 > TCP D=33377 S=31735 Syn Seq= Len=0 Win=2 > TCP D=26975 S=57485 Syn Seq= Len=0 Wi2 > TCP D=23135 S=55908 Syn Seq= Len=0 Wi2 > TCP D=54512 S=25534 Syn Seq= Len=0 Win=2 > TCP D=61311 S=43891 Syn Seq= Len=0 Win2 > TCP D=25959 S=956 Syn Seq= Len=0 Win=512 > TCP D=33931 S=1893 Syn Seq= Len=0 Win=52 > TCP D=43954 S=49355 Syn Seq= Len=0 Win2 > TCP D=61408 S=26921 Syn Seq= Len=0 Win=512 > TCP D=61968 S=53055 Syn Seq= Len=0 Win=512

MAC Flooding switches with dsniff
Dsniff can generate 150,000+ MAC entries on a switch per minute It takes about 60 seconds to fill the cam table Once table is full, traffic without a CAM entry floods on the VLAN.

MAC Flooding Once the CAM table is full, new valid entries will not be accepted. Switch must flood frames to that address out all ports. This has two adverse effects: The switch traffic forwarding is inefficient and voluminous. An intruding device can be connected to any switch port and capture traffic not normally seen on that port.

MAC Flooding Attack Example
If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on. Legitimate devices are unable to create CAM table entries as they power on. Large number of frames from a large number of devices will be high. If the initial, malicious flood of invalid CAM table entries is a one-time event; Eventually, the switch will age out older, invalid CAM table entries New, legitimate devices will be able to create an entry in the CAM Traffic flooding will cease Intruder may never be detected (network seems normal).

Suggested Mitigation for MAC Flood Attacks
Port Security Port security restricts port access by MAC address. Rick Graziani

Table 6-2 Protecting the switch

Routers Forward packets across computer networks Operate at Network Layer (Layer 3) Can be set to filter out specific types of network traffic

Network Security Hardware
Specifically designed security hardware devices Greater protection than standard networking devices

Load balancers Help evenly distribute work across a network Allocate requests among multiple devices

Load balancers Advantages of load-balancing technology Reduces probability of overloading a single server Optimizes bandwidth of network computers Reduces network downtime Load balancing is achieved through software or hardware device (load balancer)

Security advantages of load balancing Can stop attacks directed at a server or application Because load balancers generally are located between routers and servers, can detect and stop attacks directed at a server or application Load balancer can be used detect and prevent denial-of-service (DoS) and protocol attacks that could cripple a single server Can detect and prevent denial-of-service attacks Some can deny attackers information about the network Hide HTTP error pages Remove server identification headers from HTTP responses

Network Security Hardware
Firewalls Hardware-based network firewall inspects packets Can either accept or deny packet entry Usually located outside network security perimeter

Firewall Typically used to inspect and filter packets Sometimes called a packet filter Designed to prevent malicious packets from entering the network A firewall can be software-based or hardware-based Hardware firewalls usually are located outside the network security perimeter As the first line of defense

Example Firewall Network Diagram

Firewall (continued) The basis of a firewall is a rule base
Establishes what action the firewall should take when it receives a packet (allow, block, and prompt) Stateless packet filtering Looks at the incoming packet and permits or denies it based strictly on the rule base Stateful packet filtering Keeps a record of the state of a connection between an internal computer and an external server Then makes decisions based on the connection as well as the rule base

Stateless Firewall Rules
Table 6-3 Rule for Web page transmission

Stateful Firewall Rules
State = Established

Inbound and Outbound Traffic Filtering
Most personal software firewalls today also filter outbound traffic as well as inbound traffic Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading But it annoys them with these alerts

Application-Aware Firewalls
Application-aware firewall (next-generation firewall or NGFW) More “intelligent” firewall operates at higher level Identifies applications that send packets through firewall and then make decisions about application (vs. granular rule settings like destination port or protocol) Application-Aware Firewalls Application-aware firewall (next-generation firewall or NGFW) - More “intelligent” firewall operates at higher level Identifies applications that send packets through firewall and then make decisions about application (vs. granular rule settings like destination port or protocol) Web application firewall - Special type of application-aware that looks at applications using HTTP

Application-Aware Firewalls
Web application firewall Special type of application-aware that looks at applications traffic such as HTTP Can block specific sites or specific known attacks Can block XSS and SQL injection attacks Application-Aware Firewalls Application-aware firewall (next-generation firewall or NGFW) - More “intelligent” firewall operates at higher level Identifies applications that send packets through firewall and then make decisions about application (vs. granular rule settings like destination port or protocol) Web application firewall - Special type of application-aware that looks at applications using HTTP

Network Security Hardware (cont’d.)
Proxies Devices that substitute for primary devices Proxy server Computer or application that intercepts and processes user requests If a previous request has been fulfilled: Copy of the Web page may reside in proxy server’s cache If not, proxy server requests item from external Web server using its own IP address

Application-aware proxy Special proxy server that “knows” the application protocols that it supports Example - FTP proxy server implements the protocol FTP

Proxy Server I will get yahoo.com and save a copy
I want to see yahoo.com Internet Here is my copy of yahoo.com

Proxy Server Clients never directly connect to the Internet
This saves bandwidth, because one copy of a popular Web page can be used many times Allows a company to block forbidden Web sites It also prevents many attacks the same way NAT does Can also be used to hide your location and IP address – BAD?????? Reverse proxy Does not serve clients but instead routes incoming requests to the correct server

Configuring access to proxy servers

Web Based Proxies

Proxy server advantages Increased speed (requests served from the cache) Reduced costs (cache reduces bandwidth required) Improved management Block specific Web pages or sites Stronger security Intercept malware Hide client system’s IP address from the open Internet

Reverse proxy Does not serve clients Routes incoming requests to correct server Reverse proxy’s IP address is visible to outside users Internal server’s IP address hidden

Reverse Proxy Connect to Web server 1

Spam filters Enterprise-wide spam filters block spam before it reaches the host systems use three main protocols Simple Mail Transfer Protocol (SMTP) Handles transferring outgoing mail Post Office Protocol (POP) Handles incoming mail Internet Messaging Access Protocol (IMAP)

Spam filters installed with the SMTP server Filter configured to listen on port 25 Pass non-spam to SMTP server listening on another port Method prevents SMTP server from notifying spammer of failed message delivery

Spam filters installed on the servers All spam must first pass through SMTP server and be delivered to user’s mailbox Can result in increased costs Storage, transmission, backup, deletion

Third-party entity contracted to filter spam All directed to third-party’s remote spam filter cleansed before being redirected to organization

Internet Content Filters
Monitor Internet traffic and block access to preselected Web sites and files A requested Web page is only displayed if it complies with the specified filters Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL Filtering) or by matching keywords Inspect traffic for malware (malware inspection)

Table 6-4 Internet content filter features

Web security gateways Can block malicious content in real time Block content through application level filtering Examples of blocked Web traffic ActiveX objects Adware, spyware Peer to peer file sharing Script exploits TCP/IP malicious code attacks

Passive and active security can be used in a network Active measures provide higher level of security Passive measures Firewall Internet content filter Active measures Can detect and block attack as they occur

Monitoring methodologies Anomaly-based monitoring Compares current detected behavior with baseline Signature-based monitoring Looks for well-known attack signature patterns Behavior-based monitoring Detects abnormal actions by processes or programs Alerts user who decides whether to allow or block activity Heuristic monitoring Uses experience-based techniques

Table 6-5 Methodology comparisons to trap port-scanning application

Intrusion detection system (IDS) Active security measure Can detect attack as it occurs

Host intrusion detection system (HIDS) Software-based application that can detect attacks as they occurs Installed on each system needing protection Monitors System calls File system access and modifications Registry settings and modifications Host input and output communications Anomalous activity

Disadvantages of HIDS Cannot monitor network traffic that does not reach local system All log data is stored locally Resource-intensive and can slow system

Network intrusion detection system (NIDS) Watches for attacks on the network NIDS sensors installed on firewalls and routers: Gather information and report back to central device Passive NIDS will sound an alarm Active NIDS will sound alarm and take action Actions may include filtering out intruder’s IP address or terminating TCP session

Table 6-6 NIDS evaluation techniques

Host Intrusion Prevention Systems (HIPS)
Installed on each system that needs to be protected Rely on agents installed directly on the system being protected Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks

Network intrusion prevention system (NIPS) Similar to active NIDS Monitors network traffic to immediately block a malicious attack NIPS sensors located in line on firewall itself A typical IPS response may be to block all incoming traffic on a specific port

NIDS vs. NIPS Major differences between a NIDS and a NIPS is location:
NIDS has sensors that monitor traffic entering and leaving firewall, and reports back to central device for analysis NIPS would be located “in line” on firewall itself to allow NIPS to more quickly take action to block attack Application-aware IPS - Knows information like applications and operating systems so that can provide higher degree of accuracy NIDS vs. NIPS Major differences between a NIDS and a NIPS is location: NIDS has sensors that monitor traffic entering and leaving firewall, and reports back to central device for analysis NIPS would be located “in line” on firewall itself to allow NIPS to more quickly take action to block attack Application-aware IPS - Knows information like applications and operating systems so that can provide higher degree of accuracy

Unified Threat Management (UTM) Security Appliances
Because different types of network security hardware each provide a different defense, network may require multiple devices for comprehensive protection Makes cumbersome to manage multiple devices Unified Threat Management (UTM) - Security product that combines several security functions Unified Threat Management (UTM) Security Appliances Because different types of network security hardware each provide a different defense, network may require multiple devices for comprehensive protection Makes cumbersome to manage multiple devices Unified Threat Management (UTM) - Security product that combines several security functions

UTM Functions UTM functions: Antispam and antiphishing
Antivirus and antispyware Bandwidth optimization Content filtering Encryption Firewall Instant messaging control Intrusion protection Web filtering UTM Functions UTM functions: Antispam and antiphishing Antivirus and antispyware Bandwidth optimization Content filtering Encryption Firewall Instant messaging control Intrusion protection Web filtering

Security Through Network Technologies
Network technologies can also help to secure network Two technologies: Network address translation Network access control Security Through Network Technologies Network technologies can also help to secure network Two technologies: Network address translation Network access control

Network Address Translation (NAT)
Hides the IP addresses of network devices from attackers Private addresses IP addresses not assigned to any specific user or organization Function as regular IP addresses on an internal network Non-routable addresses--traffic addressed to private addresses is discarded by Internet routers Table 6-7 Private IP addresses

NAT removes the private IP address from the sender’s packet And replaces it with an alias IP address When a packet is returned to NAT, the process is reversed An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender

Network Address Translation (NAT) cont’d
Allows private IP addresses to be used on the public Internet Replaces private IP address with public address Port address translation (PAT) Variation of NAT Outgoing packets given same IP address but different TCP port number

Private IP Addresses Public IP Addresses Address Translation > > > >

NAT with PAT Web browser: 192.168.1.101 Port 1100
Port 1102 Address Translation Port > Port 2100 Port > Port 2101 Port > Port 2102 Web browser: Port 1100

Advantages of NAT Masks IP addresses of internal devices Allows multiple devices to share smaller number of public IP addresses

Network Access Control (NAC)
Examines a computer before it is allowed to connect to the network Each computer must meet security policy first, such as Windows patches up to date Antivirus software Antispyware software Etc. Any device that does not meet the policy is only allowed to connect to a “quarantine” network where the security deficiencies are corrected

NAC Environment

Security Through Network Design Elements
Elements of a secure network design Demilitarized zones Subnetting Virtual LANs Remote access

Demilitarized Zone (DMZ)
Separate network located outside secure network perimeter Untrusted outside users can access DMZ but not secure network

Figure 6-11 DMZ with one firewall

Figure 6-12 DMZ with two firewalls

Subnetting Subnetting or subnet addressing - Splits a large block of IP addresses into smaller groups IP address may be split anywhere within its 32 bits Network can be divided into three parts Network Subnet Host Each network can contain several subnets Each subnet can contain multiple hosts

Subnetting (cont’d.) Improves network security by isolating groups of hosts Allows administrators to hide internal network layout

Image from Cisco CCNA Class 1

Subnetting Example Image from Cisco CCNA class 1, modified
Whole Company: /16 through Main Office /24 through Remote Site: /24 through Image from Cisco CCNA class 1, modified

Table 6-8 Advantages of subnetting

Subnets Improve Security
Each subnet can be isolated from the rest of the network Traffic between subnets can be monitored and restricted at the routers Subnets also allow network administrators to hide the internal network layout Outsiders only see your public servers, not your private subnets

Virtual LANs (VLAN) VLANs segment a network with switches, not routers
Allow scattered users to be logically grouped together even if attached to different switches VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN Image from Cisco CCNA Switching class

VLAN Security VLAN communication can take place in two ways
All devices are connected to the same switch Traffic is handled by the switch itself Devices are connected to different switches A special “tagging” protocol must be used, such as the IEEE 802.1q (aka dot1q) A VLAN is heavily dependent upon the switch for correctly directing packets Attackers could take control of the switch itself, if it has a default or weak password Specially crafted traffic can also "hop" from one VLAN to another

Separation of machines into their own unique VLAN with trunks

VLAN attacks (Discussed in CCNP)
VLAN hopping By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. Solution Tighten up trunk configurations and the negotiation state of unused ports. Limit VLANs across trunk ports Place unused ports in a common VLAN.

VLAN attacks (Discussed in CCNP)
Attacks between devices on a common VLAN Devices may need protection from one another, even though they are on a common VLAN. This is especially true on service provider segments supporting devices from multiple customers. Solution Private VLANs (PVLANs).

Remote Workers Working away from the office commonplace today:
Telecommuters Traveling sales representatives Traveling workers Strong security for remote workers must be maintained Transmissions are routed through networks not managed by the organization Remote Workers Working away from the office commonplace today: Telecommuters Traveling sales representatives Traveling workers Strong security for remote workers must be maintained Transmissions are routed through networks not managed by the organization

Remote Access Remote access - Any combination of hardware and software that enables remote users to access local internal network Remote access provides remote users with same access and functionality as local users through VPN or dial-up connection Service includes support for remote connection and logon and then displays the same network interface as the normal network

VPN Virtual private network (VPN) Types of VPNs
Uses unsecured network as if it were secure All data transmitted between remote device and network is encrypted Types of VPNs Remote-access User to LAN connection Site-to-site Multiple sites can connect to other sites over the Internet

VPN cont’d Endpoints – devices used in communicating VPN transmissions
software on local computer VPN concentrator (hardware device) Integrated into another networking device VPNs can be software-based or hardware-based Hardware-based generally have better security Software-based have more flexibility in managing network traffic

VPN cont’d

Summary Standard network security devices provide a degree of security
Hubs, switches, router, load balancer Hardware devices specifically designed for security give higher protection level Hardware-based firewall, Web application firewall Proxy server intercepts and processes user requests Virtual private network uses unsecured public network and encryption to provide security

Summary (cont’d.) Intrusion detection system designed to detect attack as it occurs Network technologies can help secure a network Network address translation Network access control Methods for designing a secure network Demilitarized zones Virtual LANs

Chapter 6 Network Security

Similar presentations

Presentation on theme: "Chapter 6 Network Security"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Chapter 6 Network Security

Similar presentations

Presentation on theme: "Chapter 6 Network Security"— Presentation transcript:

Similar presentations

About project

Feedback