Network Security
and Hacking Techniques
DAY-4
Network Security and Hacking Techniques – Day 4
Firewalls
[Diagram: network topology showing the visible IP address, the internal network with PC servers (Linux and Windows) and host application servers like IDS and sniffers, and a "We are here" marker]
What this paper covers
Why do you need a firewall?
What is a firewall?
How does a network firewall interact with OSI and TCP/IP Network models?
Different types of firewall.
Different firewall architectures.
What kind of firewall is best for what infrastructure.
Introduction
Benefits of the Internet
Better communication
Remote access
Immense source of information
Boosting the efficiency of businesses
Network security is a major concern.
Why do you need a firewall?
What happens when you connect to the Internet?
Your network becomes part of Internet.
Possibility of attack by thieves and vandals.
How do you protect confidential information from those who do not explicitly need to access it?
How do you protect your network and its resources from malicious users and accidents that originate outside of your network?
Types of Attacks
Network Packet sniffers
IP Spoofing
Password Attacks
Distribution of sensitive information to external resources.
Man-in-the-middle attacks
Denial of Service Attacks
Application layer attacks
What is a Firewall?
[Diagram: computer with firewall software]
Basic Purpose of a Firewall
It blocks incoming data that might contain a hacker attack.
It hides information about the network by making it seem that all outgoing traffic originates from the firewall rather than the network. This is called Network Address Translation (NAT).
It screens outgoing traffic to limit Internet use and/or access to remote sites.
Other Features of Firewall
Content Filtering
Virtual Private Networks
Antivirus Protection
Demilitarized Zone Firewalls
What can't a firewall do?
Firewalls cannot provide complete security.
They can do nothing to guard against insider threats.
Employee misconduct or carelessness cannot be controlled by firewalls.
Policies involving the use and misuse of passwords and user accounts must be strictly enforced.
How does a network firewall interact with OSI and TCP/IP Network models?
Network Firewalls operate at different layers to use different criteria to restrict traffic.
The lowest layer at which a firewall can work is layer three.
The higher up in the stack layer at which an architecture examines packets, the greater the level of protection the architecture provides, since more information is available upon which to base decisions.
Types of Firewall
Static Packet Filter
Dynamic (stateful) packet filter
Circuit level Gateway
Application level Gateway
Stateful Multilayer Inspection Firewall
Static Packet Filter
Advantages
Low cost – now included with many operating systems.
Disadvantages
Filters are difficult to configure.
Static packet filter is not state aware.
Static packet filter does not examine the complete packet.
Dynamic (stateful) packet filter
State awareness
Aware of the difference between a new and an established connection.
Advantage:
State awareness provides a measurable performance benefit.
Disadvantage:
Susceptible to IP spoofing.
Only provides for a low level of protection.
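The difference between the static filter above ("not state aware") and the dynamic filter is easiest to see side by side. The following is an added example, not part of the original slides: both filters enforce the same policy (inside hosts may browse the web), the internal prefix and the addresses are constructed, and the probe packet shows the hole a stateless rule set must leave open.

```python
# Constructed example (not from the slides): a static (stateless) packet filter
# beside a stateful one, both enforcing "inside hosts may browse the web (TCP/80)".
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed internal network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN flag
    ack: bool = False       # TCP ACK flag

def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def static_filter(p: Packet) -> bool:
    """Judges each packet alone.  To let web replies back in, it must admit
    ANY inbound packet with source port 80, whether or not it was solicited."""
    if inside(p.src) and not inside(p.dst) and p.dport == 80:
        return True                          # outbound web request
    return not inside(p.src) and inside(p.dst) and p.sport == 80

class StatefulFilter:
    """Records connections opened from inside; an inbound packet is admitted
    only when it is the reverse of a recorded connection."""

    def __init__(self) -> None:
        self.table = set()                   # (src, sport, dst, dport)

    def allow(self, p: Packet) -> bool:
        if inside(p.src) and not inside(p.dst) and p.dport == 80:
            if p.syn and not p.ack:          # new connection: record it
                self.table.add((p.src, p.sport, p.dst, p.dport))
                return True
            return (p.src, p.sport, p.dst, p.dport) in self.table
        return (p.dst, p.dport, p.src, p.sport) in self.table  # reply to ours?

def compare() -> dict:
    """Run the same three constructed packets through both filters."""
    req = Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True)
    probe = Packet("198.51.100.7", 80, "10.0.0.9", 22)  # unsolicited, sport 80
    sf = StatefulFilter()
    return {"static": [static_filter(p) for p in (req, reply, probe)],
            "stateful": [sf.allow(p) for p in (req, reply, probe)]}
```

The static filter admits all three packets, including the unsolicited probe; the stateful filter admits only the request and the reply that matches its connection table.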
Circuit Level Gateway
Advantages: Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks.
Higher level of security than a static or dynamic (stateful) packet filter.
Disadvantage: A circuit level gateway cannot examine the data content of the packets it relays between a trusted network and an untrusted network. The potential exists to slip harmful packets through a circuit level gateway to a server behind the firewall.
Application Level Gateway
Advantages:
Filter application-specific commands such as HTTP POST and GET.
Inspect the complete packet.
Highest level of security.
Disadvantages:
Vendors must keep up with new protocols. A common complaint of application level gateway users is lack of timely vendor support for new protocols.
Must be written securely.
Stateful Multilayer Inspection Firewall
Advantages: Does not break the client-server model.
Offers a high level of security.
Disadvantages: The failure to break the client-server model creates an unacceptable security risk, as the hacker has a direct connection to the protected server.
They are expensive.
Due to their complexity, they are potentially less secure than simpler types of firewalls if not administered by highly competent personnel.
Dual-Homed Host Architecture [diagram]
Screened Host Architecture [diagram]
Screened Subnet Architecture [diagram]
Conclusion
Keeping your software patched and running updated antivirus software are very important pieces, but having a firewall block incoming connections in the first place is definitely a wise idea as well.
No one security solution will solve everything.
The more lines of defense you have in place, the harder it is for hackers to get in and the safer you will be.
Firewalls: Questions
What is Intrusion Detection?
Intrusion detection systems (IDSs) are designed for detecting, blocking and reporting unauthorized activity in computer networks.
“The life expectancy of a default installation of Linux Red Hat 6.2 server is estimated to be less than 72 hours.”
“The fastest compromise happened in 15 minutes (including scanning, probing and attacking)”
“Netbios scans affecting Windows computers were executed with the average of 17 per day”
(source: Honeynet Project)
Motivation for Intrusion Detection
[Chart: Unauthorized Use of Computer Systems Within Last 12 Months; percentage of respondents answering Yes / No / Don't Know, by year 1996 to 2002 (source: Indian ISP's Study)]
Definitions
Intrusion
A set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource.
Intrusion detection
The process of identifying and responding to intrusion activities.
Why Is Intrusion Detection Necessary?
Prevent, Detect, React/Survive
Security principles: layered mechanisms
Different Types of IDSs
Application based
Host based
Network based
Application IDS
Watch application logs
Watch user actions
Stop attacks targeted against an application
Advantages: Encrypted data can be read.
Problems: Positioned too high in the attack chain (the attacks reach the application).
Host IDS
Watch kernel operations
Watch network interface
Stop illegal system operations
Drop attack packets at network driver
Advantages: Encrypted data can be read. Each host contributes to the detection process.
Problems: Positioned too high in the attack chain (the attacks reach the network driver).
Network IDS
Watch network traffic
Watch active services and servers
Report and possibly stop network level attacks
Advantages: Attacks can be stopped early enough (before they reach the hosts or applications). Attack information from different subnets can be correlated.
Problems: Encrypted data cannot be read. Annoyance to normal traffic if for some reason normal traffic is dropped.
An Adaptive IDS Architecture
[Diagram: FW (quick and dirty); Real-time IDS (best-effort in real time); Backend IDS (thorough and slow, scenario/trend); Dynamic cost-sensitive decision making; Detection models]
Different Ways to Put an IDS on the Network
HUB [diagram]
TAP [diagram]
Circuit Diagram of Tapping a 100Mb Ethernet Switch
[Diagram: 100Mb Ethernet switch carrying full-duplex 100Mb traffic; 100Mb copper tap with ports A and B and outputs Tap A and Tap B; IDS sensor with a sniffing interface and an alerting interface to the IDS console. Drawing by Jeff Nathan <jeff@wwti.com> and Brian Caswell.]
Port A and Port B TX traffic goes out on pins 1,2. Transmit data from both directions is blended together on a single VLAN to enable capturing of full-duplex traffic for the IDS.
Span port combines transmit traffic from both directions and provides buffering of data. Combined transmit data resembles a full-duplex Ethernet connection with traffic flowing in both directions.
Tap provides passive insertion into the data stream. Tap ports carry transmit data from their respective port.
Passive sniffing interface has no IP address and inspects incoming traffic for intrusion events.
Reporting interface has a real IP address. It transmits IDS alerts to the IDS console for processing and aggregation.
Circuit Diagram of Tapping a 1Gb Ethernet Switch
[Diagram: 100Mb Ethernet switch with one 1Gb port, full-duplex 100Mb traffic, 100Mb copper tap (ports A, B, Tap A, Tap B), IDS sensor with sniffing and alerting interfaces; same layout as the previous slide, with the span port moved to the 1Gb port. Drawing by Jeff Nathan and Brian Caswell.]
When operating at full-duplex, a 100Mb Ethernet connection can have an aggregate throughput of 200Mb to be spanned. Using a 1Gb port as a span port can prevent oversubscription.
Circuit Diagram of Tapping a 1Gb Ethernet Switch (contd.)
[Diagram: full-duplex 1Gb traffic through a gig fiber tap (A, B, Tap(A+B)) into an IDS load balancer with 1Gb inputs and 100Mb outputs, each feeding an IDS sensor with sniffing interfaces and reporting interfaces to the IDS console(s). Drawing by Jeff Nathan and Brian Caswell.]
Passive sniffing interfaces have no IP address and inspect incoming traffic for intrusion events. Reporting interfaces have real IP addresses and transmit IDS alerts to the IDS console for processing and aggregation.
Analyzer "Y" cable allows the analyzer port to be connected to two switch ports. Rx connection is simulated.
IDS load balancer distributes high-speed (1Gb) network traffic over 100Mb links to IDS sensors. End-to-end connection states and TCP streams are maintained for the duration of the connection/stream to only one sensor, such that stateful intrusion detection and TCP stream reassembly are still possible.
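The load balancer property described above, keeping both directions of a connection on one sensor, comes down to hashing a direction-independent flow key. This added example (not from the slides or from any real load balancer product) shows that key and contrasts it with naive direction-dependent hashing; the addresses, ports and the sensor count of 12 are constructed.

```python
# Constructed example (not from the slides): the flow-affinity rule an IDS load
# balancer needs so both directions of a TCP connection reach the same sensor.
import hashlib
import socket
import struct
from collections import defaultdict

def flow_key(src: str, sport: int, dst: str, dport: int, proto: int = 6) -> bytes:
    """Canonical key: the two endpoints are sorted, so A->B and B->A agree."""
    lo, hi = sorted([(socket.inet_aton(src), sport),
                     (socket.inet_aton(dst), dport)])
    return (lo[0] + struct.pack("!H", lo[1]) +
            hi[0] + struct.pack("!H", hi[1]) + bytes([proto]))

def pick_sensor(src, sport, dst, dport, n_sensors, proto=6) -> int:
    """Hash the canonical key and map it onto one of n_sensors sensors."""
    digest = hashlib.sha256(flow_key(src, sport, dst, dport, proto)).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors

def naive_sensor(src, sport, dst, dport, n_sensors) -> int:
    """Direction-dependent hashing: the reply can land on a different sensor,
    which breaks stateful detection and TCP stream reassembly."""
    digest = hashlib.sha256(f"{src}:{sport}>{dst}:{dport}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sensors

def sensors_per_connection(packets, n_sensors, chooser=pick_sensor) -> dict:
    """Map each connection (canonical key) to the set of sensors that saw it.
    Stateful inspection needs every set to have exactly one member."""
    seen = defaultdict(set)
    for src, sport, dst, dport in packets:
        seen[flow_key(src, sport, dst, dport)].add(
            chooser(src, sport, dst, dport, n_sensors))
    return dict(seen)

# Constructed traffic: two web connections, each with packets in both directions.
PACKETS = [
    ("10.0.0.5", 40000, "203.0.113.10", 80),   # SYN
    ("203.0.113.10", 80, "10.0.0.5", 40000),   # SYN/ACK
    ("10.0.0.5", 40000, "203.0.113.10", 80),   # ACK + request
    ("203.0.113.10", 80, "10.0.0.5", 40000),   # response
    ("10.0.0.6", 40001, "203.0.113.10", 80),
    ("203.0.113.10", 80, "10.0.0.6", 40001),
]

def balanced_ok(n_sensors: int = 12) -> bool:
    """True when every connection lands on exactly one sensor."""
    return all(len(s) == 1
               for s in sensors_per_connection(PACKETS, n_sensors).values())
```

Running `sensors_per_connection(PACKETS, 12, naive_sensor)` shows the contrast: the same two connections may spread across several sensors, since the naive key changes with packet direction.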
SNORT
Open Source
Just about any platform (including Windows)
Many plugins and external modules.
Frequent rule updates.
Snort Plugins
Databases
MySQL
Oracle
PostgreSQL
unixODBC
Spade (Statistical Packet Anomaly Detection engine)
FlexResp (Session response/closing)
XML output
TCP streams (stream single-byte reassembly)
Snort Add-ons
Acid (Analysis Console for Intrusion Detection) – PHP
Guardian – IPCHAINS rules modifier (Girr – remover)
SnortSnarf – HTML
Snortlog – syslog
“Ruleset retrieve” – automatic rules updater.
Snorticus – central multi-sensor manager – shell
LogSnorter – syslog to Snort SQL database information adder.
+ a few win32 bits and pieces.
Acid + Snort
ACID is a CERT project.
Pretty simple PHP3 to MySQL.
Quite customizable.
Simple GUI for casual browsing.
Snort Web Access - ACID [screenshots]
• Main console
• Securityfocus
• Whitehats
• CVE
• Rule details
• Incident details
END