Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security.
Network Security
Transcript of Network Security
April 8, 2023 Menofia University- Faculty of Electronic Engineering Prepared By E/ Yasser Rabie
1
Graduation Project
Integrated Computer Network
UNIFIED
Supervisor: Dr. Mohammed Abd-Elnaby
Prepared by: Yasser Rabie Mohammed
OUTLINE:
• Project Overview
• Project Task
• Security and Threats
• How can you achieve Network Security?
• Network Security Elements
• LAB
A. Project Overview
Project Aim
• Create an Integrated Computer Network that satisfies the most important requirements needed for any network.
• The most important requirements of the Integrated Network:
  • Network Administration
  • System Administration
  • Network VoIP
  • Network Security
  • Virtualization and Cloud Computing
B. Project Task
Network Security
What is Network Security?
National Security Telecommunications and Information Systems Security Committee (NSTISSC):
Network security is the protection of information and systems and hardware that use, store, and transmit that information.
Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.
C. Security and Threats
Rationale for Network Security
Network security initiatives and network security specialists can be found in private and public, large and small companies and organizations.
The need for network security and its growth are driven by many factors:
1. Internet connectivity is 24/7 and is worldwide
2. Increase in cyber crime
3. Impact on business and individuals
4. Legislation & liabilities
5. Proliferation of threats
6. Sophistication of threats
Goals of an Information Security Program
• Confidentiality
  • Prevent the disclosure of sensitive information to unauthorized people, resources, and processes
• Integrity
  • The protection of system information or processes from intentional or accidental modification
• Availability
  • The assurance that systems and data are accessible by authorized users when needed
Types of Attacks
• Structured attack: Comes from hackers who are more highly motivated and technically competent.
• Unstructured attack: Consists of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers.
• External attacks: Initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network.
• Internal attacks: More common and dangerous. Internal attacks are initiated by someone who has authorized access to the network.
Types of Attacks
• Passive Attack
  • Listen to system passwords
  • Release of message content
  • Traffic analysis
  • Data capturing
• Active Attack
  • Attempt to log into someone else’s account
  • Wire taps
  • Denial of services
  • Message modifications
Types of Attacks
1- Network Attacks
• Packet Sniffing
  • Internet traffic consists of data “packets”, and these can be “sniffed”
  • Leads to other attacks such as password sniffing, cookie stealing, session hijacking and information stealing
• Man in the Middle attack
  • Insert a router in the path between client and server, and change the packets as they pass through
• DNS hijacking
  • Insert malicious routes into DNS tables to send traffic for genuine sites to malicious sites
• Denial-of-Service attacks
  • DoS does not result in information theft or any other kind of information loss, but it can cost the target a large amount of time and money, since it makes the service inoperable (for example, through a buffer overflow)
2- Web Attacks
• Phishing
  • An evil website pretends to be a trusted website
  • Example:
    • You type, by mistake, “mibank.com” instead of “mybank.com”
    • mibank.com designs the site to look like mybank.com, so the user types in their info as usual
    • BAD! Now an evil person has your info!
• SQL Injection
  • Interesting video showing an example
• Cross Site Scripting
  • Writing a complex JavaScript program that steals data left by other sites that you have visited in the same browsing session
3- OS, applications and software attacks
• Virus: A piece of code that automatically reproduces itself. It is attached to other programs or files, but requires user intervention to propagate. Its targets are executable files and boot sectors.
• Worm: A piece of code that automatically reproduces itself over the network. It does not need user intervention to propagate (autonomous). It spreads via buffer overflows, file sharing, configuration errors and other vulnerabilities.
• Backdoor: A backdoor is a program placed by a black-hat hacker that allows them to access a system. A backdoor may have many functionalities, such as a keyboard sniffer, display spying, etc.
• Trojan: A Trojan is software that seems useful or benign, but is actually hiding malicious functionality.
D. How can you achieve security?
• Many techniques exist for ensuring computer and network security
  • Antivirus software
  • Secure networks
  • Firewalls
  • Cryptography
• In addition, users have to practice “safe computing”
  • Not downloading from unsafe websites
  • Not opening attachments
  • Not trusting what you see on websites
  • Avoiding scams
Securing the Network
Network Foundation Protection (NFP)
NFP is a framework used to break the infrastructure down into smaller components and then systematically focus on how to secure each of those components.
NFP is broken down into three basic planes (also called sections/areas): the management plane, the control plane and the data plane.
1- Management Plane
• Router Security
  • Physical Security
    • Place the router in a secured, locked room
    • Install an uninterruptible power supply
  • Operating System Security
    • Use the latest stable version that meets network requirements
    • Keep a copy of the O/S and configuration file as a backup
  • Router Hardening
    • Secure administrative control
    • Disable unused ports and interfaces
    • Disable unnecessary services
Methods of Securing the Router
• Configuring the router to use SSH instead of Telnet.
• Configuring privilege levels. By default:
  • User EXEC mode (privilege level 1)
  • Privileged EXEC mode (privilege level 15)
  • Sixteen privilege levels are available
  Methods of providing privileged access to the infrastructure:
  • Privilege Levels
  • Role-Based CLI Access
• Using Syslog. Syslog servers: known as log hosts, these systems accept and process log messages from syslog clients.
• Auto Secure command.
• AAA Access Security
  • Authentication: Who are you?
  • Authorization: Which resources is the user allowed to access, and which operations is the user allowed to perform?
  • Accounting: What did you spend it on?
Authentication – Password-Only
• Uses a login and password combination on access lines
• Easiest to implement, but least secure method
• Vulnerable to brute-force attacks
• Provides no accountability
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
Password-Only Method (terminal session from the figure, reached over the Internet):
User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords
Authentication – Local Database
• Creates an individual user account/password on each device
• Provides accountability
• User accounts must be configured locally on each device
R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local
Local Database Method (terminal session from the figure, reached over the Internet):
User Access Verification
Username: Admin
Password: cisco1
% Login invalid
Username: Admin
Password: cisco12
% Login invalid
Server-Based AAA Authentication
[Figure: a Remote Client connects to a Router acting as the AAA Client, which authenticates the user against a Cisco Secure ACS Server; the exchange is shown in numbered steps 1 to 4.]
2- Control Plane
3- Data Plane
• Layer 2 Security
MAC Address Spoofing Attack
[Figure: a switch with Port 1 and Port 2. The legitimate host on Port 1 has MAC address AABBcc; the attacker's device on Port 2 has MAC address 12AbDd and then claims MAC address AABBcc. Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."]
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
STP Manipulation Attack
[Figure: the legitimate Root Bridge has Priority = 8192. The attacker sends STP BPDUs advertising Priority = 0 to the switches it is connected to; switch ports are marked F (forwarding) and B (blocking).]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
Solution: Use BPDU Guard
VLAN Hopping Attack
[Figure: 802.1Q trunks between the switches carry VLAN 10 and VLAN 20; the attacker sees traffic destined for the servers.]
A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.
Solution: Use Port Security
Layer 3 Security
• Access Control List (ACL): applied as a filter on an interface, an ACL controls which traffic is allowed and which is denied on the data plane. ACLs are divided into:
  • Standard ACL: 1- Numbered IP ACL, 2- Named IP ACL
  • Extended ACL: 1- Numbered IP ACL, 2- Named IP ACL
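The following Python is an added example, not part of the slides or of Cisco IOS: it models how an interface ACL evaluates a packet, with a standard ACL matching only the source address and an extended ACL also matching protocol, destination and port, entries tested top-down with first match deciding and an implicit deny at the end. Addresses and rules are constructed sample data, and matching follows Cisco's wildcard-mask convention.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'
    (the bitwise inverse of a subnet mask, so 0.0.0.255 covers a /24)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

@dataclass
class Ace:
    """One access control entry. A standard ACL uses only the source fields;
    an extended ACL also matches protocol, destination and destination port."""
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    proto: Optional[str] = None       # "ip" matches any protocol
    dst: Optional[str] = None
    dst_wc: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.proto not in (None, "ip") and pkt["proto"] != self.proto:
            return False
        if self.dst is not None and not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

def evaluate(acl: list, pkt: dict) -> str:
    """Entries are tested top-down; the first match decides. A packet that
    matches no entry hits the implicit 'deny any' at the end of every ACL."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed sample ACLs (hypothetical addresses, not from the slides).
# Standard ACL: permit one internal /24; everything else falls to the implicit deny.
STANDARD_ACL = [Ace("permit", "192.168.1.0", "0.0.0.255")]
# Extended ACL: HTTPS from the LAN to a server, no Telnet to that server, other IP permitted.
EXTENDED_ACL = [
    Ace("permit", "192.168.1.0", "0.0.0.255", "tcp", "10.0.0.10", "0.0.0.0", 443),
    Ace("deny", "0.0.0.0", "255.255.255.255", "tcp", "10.0.0.10", "0.0.0.0", 23),
    Ace("permit", "0.0.0.0", "255.255.255.255", "ip"),
]

if __name__ == "__main__":
    pkt = {"src": "192.168.1.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 23}
    print(evaluate(STANDARD_ACL, pkt), evaluate(EXTENDED_ACL, pkt))  # permit deny
```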
• Intrusion Prevention Systems (IPSs)
1. An attack is launched on a network that has a sensor deployed in IPS mode (inline mode).
2. The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately.
3. The IPS sensor can also send an alarm to a management console for logging and other management purposes.
4. Traffic in violation of policy can be dropped by an IPS sensor.
[Figure: the inline sensor sits between the attacker and the target, reports to a management console, and discards violating traffic to the bit bucket; steps 1 to 4 are marked on the figure.]
E. Network Security Elements
• Intrusion Detection Systems (IDSs)
1. An attack is launched on a network that has a sensor deployed in promiscuous IDS mode; therefore copies of all packets are sent to the IDS sensor for packet analysis. However, the target machine will experience the malicious attack.
2. The IDS sensor matches the malicious traffic to a signature and sends the switch a command to deny access to the source of the malicious traffic.
3. The IDS can also send an alarm to a management console for logging and other management purposes.
[Figure: the switch copies traffic to the IDS sensor, which reports to the management console; the target still receives the traffic; steps 1 to 3 are marked on the figure.]
• Firewalls
  • A firewall is a system that enforces an access control policy between networks. It may be 1- software or 2- hardware.
  • Common properties of firewalls:
    • Resistant to attacks
    • Is the only transit point between networks
    • Enforces the access control policy
[Figure: a firewall separating the Internet-visible IP address from the internal network of PCs, servers and hosts.]
Types of Filtering Firewalls
• Packet-filtering firewall—is typically a router that has the capability to filter on some of the contents of packets (examines Layer 3 and sometimes Layer 4 information)
• Stateful firewall—keeps track of the state of a connection: whether the connection is in an initiation, data transfer, or termination state
• Application gateway firewall (proxy firewall) —filters information at Layers 3, 4, 5, and 7. Firewall control and filtering done in software.
• Address-translation firewall—expands the number of IP addresses available and hides network addressing design.
• Host-based (server and personal) firewall—a PC or server with firewall software running on it.
• Transparent firewall—filters IP traffic between a pair of bridged interfaces.
• Hybrid firewalls—some combination of the above firewalls. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.
Design with DMZ
[Figure: Internet (untrusted), DMZ, and private network (trusted), with policies between the zones: Private-Public, Public-DMZ, DMZ-Private, Private-DMZ.]
• A demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.
Actions:
• Pass: this action is analogous to permit in an ACL
• Drop: this action is analogous to deny in an ACL
• Inspect: this action configures Cisco IOS stateful packet inspection
• VPN
  • Virtual: Information within a private network is transported over a public network.
  • Private: The traffic is encrypted to keep the data confidential.
[Figure: VPN tunnels across the Internet connect the Corporate Network WAN (behind a Firewall, with CSA) to a Regional branch with a VPN-enabled Cisco ISR router, a SOHO with a Cisco DSL Router, a Mobile Worker with a Cisco VPN Client, and a Business Partner with a Cisco Router.]
What is Cisco ASA?
• ASA in Cisco ASA stands for Adaptive Security Appliance.
• Cisco ASA is a security device that combines firewall, intrusion prevention, and virtual private network (VPN) capabilities.
• ASA is valuable and flexible in that it can be used as a security solution for both small and large networks.
• Cisco ASA can do the following and more:
  • Antivirus
  • Antispam
  • IDS/IPS engine
  • VPN device
  • SSL device
  • Content inspection
• Cryptographic Systems
  • Simply – secret codes
  • Encryption
    • Converting data to unreadable codes to prevent anyone from accessing this information
    • Need a “key” to find the original data.
Cryptographic Protocols
• Symmetric Encryption
• Asymmetric Encryption
Hashing Basics
• Hashes are used for integrity assurance.
• Hashes are based on one-way functions.
• The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint.
[Figure: Data of Arbitrary Length is hashed into a Fixed-Length Hash Value, e.g. e883aa0b24c09f.]
Hashing in Action
• Vulnerable to man-in-the-middle attacks
• Hashing does not provide security to transmission.
• Well-known hash functions
  • MD5 with 128-bit hashes
  • SHA-1 with 160-bit hashes
[Figure: a check reading "Pay to Terry Smith $100.00, One Hundred and xx/100 Dollars" with hash 4ehIDx67NMop9 is sent over the Internet and arrives as "Pay to Alex Jones $1000.00, One Thousand and xx/100 Dollars" with hash 12ehqPx67NMoX, presented with "I would like to cash this check." Match = no changes; no match = alterations.]
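The following Python is an added example, not from the slides: it reproduces the check scenario above with a real hash function, shows that a bare digest detects the alteration only while the digest itself is intact, and then shows the keyed alternative (HMAC) that closes the man-in-the-middle gap the slide points out. The two check texts and the shared key are constructed; SHA-256 is used instead of the slides' MD5/SHA-1.

```python
import hashlib
import hmac
import secrets

# Constructed sample messages mirroring the check in the slide.
ORIGINAL = b"Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars"
ALTERED = b"Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars"

def digest(msg: bytes) -> str:
    """Fixed-length fingerprint of arbitrary-length data. SHA-256 is used here;
    the slides' MD5 and SHA-1 are no longer considered collision resistant."""
    return hashlib.sha256(msg).hexdigest()

def verify_plain_hash(msg: bytes, received_digest: str) -> bool:
    """The slide's check: match = no changes, no match = alterations."""
    return hmac.compare_digest(digest(msg), received_digest)

def tag(msg: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): recomputing it requires the shared key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_hmac(msg: bytes, received_tag: str, key: bytes) -> bool:
    return hmac.compare_digest(tag(msg, key), received_tag)

def demo() -> dict:
    """Walk through the slide's scenario; every value returned should be True."""
    key = secrets.token_bytes(32)   # shared in advance by payer and bank (constructed)
    r = {}
    # Arbitrary input length, fixed-length output (64 hex chars for SHA-256).
    r["fixed_length"] = len(digest(b"x")) == len(digest(b"x" * 100_000)) == 64
    # A plain hash does detect an alteration while the original digest is intact.
    r["plain_detects_alteration"] = not verify_plain_hash(ALTERED, digest(ORIGINAL))
    # But it gives no protection in transit: whoever can rewrite the message
    # can recompute the digest, and the receiver sees a 'match'.
    r["plain_fooled_by_recomputed_hash"] = verify_plain_hash(ALTERED, digest(ALTERED))
    # With HMAC the receiver verifies with the shared key, so a digest computed
    # without that key (or with a guessed one) does not verify.
    r["hmac_accepts_genuine"] = verify_hmac(ORIGINAL, tag(ORIGINAL, key), key)
    r["hmac_rejects_unkeyed_digest"] = not verify_hmac(ALTERED, digest(ALTERED), key)
    r["hmac_rejects_wrong_key"] = not verify_hmac(ALTERED, tag(ALTERED, b"guess"), key)
    return r

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```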
F. LAB
Used Tools:
• VMware (Virtualization Program)
• GNS3 (Emulation Program)
• Cisco Configuration Professional (CCP-GUI Software)
• ASA Firewall Simulation
Zone- Based Firewall
Emulate ASA on GNS3
Security related URLs
• http://www.robertgraham.com/pubs/network-intrusion-detection.html
• http://online.securityfocus.com/infocus/1527
• http://www.snort.org/
• http://www.cert.org/
• http://www.nmap.org/
• http://grc.com/dos/grcdos.htm
• http://lcamtuf.coredump.cx/newtcp/