Network Security

Saturday, July 2, 2022 Menofia University- Faculty of Electronic Engineering Prepared By E/ Yasser Rabie 1


Graduation Project prepared by E/ Yasser Rabie

Transcript of Network Security

Page 1: Network Security

April 8, 2023 Menofia University- Faculty of Electronic Engineering Prepared By E/ Yasser Rabie


Page 2: Network Security

Graduation Project

Integrated Computer Network

UNIFIED

Supervisor: Dr. Mohammed Abd- Elnaby

Prepared by: Yasser Rabie Mohammed

Page 3: Network Security


OUTLINE:

• Project Overview
• Project Task
• Security and Threats
• How can you achieve Network Security?
• Network Security Elements
• LAB

Page 4: Network Security


A. Project Overview

Project Aim

• Create an Integrated Computer Network that satisfies the most important requirements needed for any network.

• The most important requirements of the Integrated Network:

  • Network Administration
  • System Administration
  • Network VoIP
  • Network Security
  • Virtualization and Cloud Computing

Page 5: Network Security


Network Security

B. Project Task

Page 6: Network Security


What is Network Security?

National Security Telecommunications and Information Systems Security Committee (NSTISSC):

Network security is the protection of information and systems and hardware that use, store, and transmit that information.

Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.

C. Security and Threats

Page 7: Network Security


Rationale for Network Security

Network security initiatives and network security specialists can be found in private and public, large and small companies and organizations.

The need for network security and its growth are driven by many factors:

1. Internet connectivity is 24/7 and is worldwide
2. Increase in cyber crime
3. Impact on business and individuals
4. Legislation & liabilities
5. Proliferation of threats
6. Sophistication of threats

Page 8: Network Security


Goals of an Information Security Program

• Confidentiality
  • Prevent the disclosure of sensitive information to unauthorized people, resources, and processes

• Integrity
  • The protection of system information or processes from intentional or accidental modification

• Availability
  • The assurance that systems and data are accessible by authorized users when needed

Page 9: Network Security


Types of Attacks

Structured attack: comes from hackers who are more highly motivated and technically competent.

Unstructured attack: consists of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers.

External attacks: initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network.

Internal attacks: more common and dangerous. Internal attacks are initiated by someone who has authorized access to the network.

Page 10: Network Security


Types of Attacks

• Passive Attack
  • Listen to system passwords
  • Release of message content
  • Traffic analysis
  • Data capturing

• Active Attack
  • Attempt to log into someone else's account
  • Wire taps
  • Denial of service
  • Message modifications

Page 11: Network Security


Types of Attacks

1- Network Attacks

• Packet Sniffing
  • Internet traffic consists of data "packets", and these can be "sniffed"
  • Leads to other attacks such as password sniffing, cookie stealing, session hijacking and information stealing

• Man in the Middle attack
  • Insert a router in the path between client and server, and change the packets as they pass through

• DNS hijacking
  • Insert malicious routes into DNS tables to send traffic for genuine sites to malicious sites

• Denial-of-Service attacks
  • DoS doesn't result in information theft or any kind of information loss, but it can cost the target a large amount of time and money, as it makes the service inoperable (buffer overflow)

Page 12: Network Security


2- Web Attacks

• Phishing
  • An evil website pretends to be a trusted website
  • Example:
    • You type, by mistake, "mibank.com" instead of "mybank.com"
    • mibank.com designs the site to look like mybank.com so the user types in their info as usual
    • BAD! Now an evil person has your info!

• SQL Injection
  • Interesting video showing an example

• Cross Site Scripting
  • Writing a complex JavaScript program that steals data left by other sites that you have visited in the same browsing session

Page 13: Network Security


3- OS, applications and software attacks

• Virus: Piece of code that automatically reproduces itself. It is attached to other programs or files, but requires user intervention to propagate. It targets executable files and boot sectors.

• Worm: Piece of code that automatically reproduces itself over the network. It doesn't need user intervention to propagate (autonomous). It spreads via buffer overflows, file sharing, configuration errors and other vulnerabilities.

• Backdoor: A backdoor is a program placed by a black-hat hacker that allows him to access a system. A backdoor has many functionalities such as a keyboard sniffer, display spying, etc.

• Trojan: A Trojan is software that seems useful or benign, but is actually hiding malicious functionality.

Page 14: Network Security


D. How can you achieve security?

• Many techniques exist for ensuring computer and network security
  • Antivirus software
  • Secure networks
  • Firewalls
  • Cryptography

• In addition, users have to practice "safe computing"
  • Not downloading from unsafe websites
  • Not opening attachments
  • Not trusting what you see on websites
  • Avoiding scams

Page 15: Network Security


Securing Network

Network Foundation Protection (NFP)

NFP is a framework used to break the infrastructure down into smaller components and then systematically focus on how to secure each of those components.

NFP is broken down into three basic planes (also called sections/areas): the management plane, the control plane and the data plane.

Page 16: Network Security


1- Management Plane

• Router Security

  • Physical Security
    • Place router in a secured, locked room
    • Install an uninterruptible power supply

  • Operating System Security
    • Use the latest stable version that meets network requirements
    • Keep a copy of the O/S and configuration file as a backup

  • Router Hardening
    • Secure administrative control
    • Disable unused ports and interfaces
    • Disable unnecessary services

Page 17: Network Security


Methods of Securing the Router

• Configuring the router to use SSH instead of Telnet.

• Configuring privilege levels. By default:
  • User EXEC mode (privilege level 1)
  • Privileged EXEC mode (privilege level 15)
  • Sixteen privilege levels are available

  Methods of providing privileged access to the infrastructure:
  • Privilege Levels
  • Role-Based CLI Access

• Using Syslog. Syslog servers: known as log hosts, these systems accept and process log messages from syslog clients.

• Auto Secure command.

Page 18: Network Security


• AAA Access Security

  • Authentication: Who are you?
  • Authorization: Which resources is the user allowed to access and which operations is the user allowed to perform?
  • Accounting: What did you spend it on?

Page 19: Network Security

Authentication – Password-Only

• Uses a login and password combination on access lines
• Easiest to implement, but most insecure method
• Vulnerable to brute-force attacks
• Provides no accountability

    R1(config)# line vty 0 4
    R1(config-line)# password cisco
    R1(config-line)# login

Password-Only Method (figure: a user on the Internet connects to R1)

    User Access Verification

    Password: cisco
    Password: cisco1
    Password: cisco12
    % Bad passwords

Page 20: Network Security

Authentication – Local Database

• Creates individual user account/password on each device
• Provides accountability
• User accounts must be configured locally on each device

    R1(config)# username Admin secret Str0ng5rPa55w0rd
    R1(config)# line vty 0 4
    R1(config-line)# login local

Local Database Method (figure: a user on the Internet connects to R1)

    User Access Verification

    Username: Admin
    Password: cisco1
    % Login invalid

    Username: Admin
    Password: cisco12
    % Login invalid

Page 21: Network Security


Server-Based AAA Authentication

[Figure: a remote client, the router acting as AAA client, and a Cisco Secure ACS server; the numbered steps 1 to 4 mark the authentication exchange between them.]

Page 22: Network Security


2- Control Plane

Page 23: Network Security


3- Data Plane

Page 24: Network Security


• Layer 2 Security

MAC Address Spoofing Attack

[Figure: a switch with two ports. Port 1: a host with MAC address AABBcc. Port 2: the attacker, whose own MAC address is 12AbDd but who presents MAC address AABBcc.]

Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."

The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.

Page 25: Network Security

MAC Address Table Overflow Attack

The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.

Page 26: Network Security


STP Manipulation Attack

[Figure: two switches, with the legitimate root bridge at priority 8192; the attacker sends STP BPDUs advertising priority 0. Port states are marked F (forwarding) and B (blocking).]

The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

Solution: Use BPDU Guard

Page 27: Network Security

VLAN Hopping Attack

[Figure: an attacker host and servers connected to switches over 802.1Q trunks carrying VLAN 10 and VLAN 20; the attacker sees traffic destined for the servers.]

A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.

Solution: Use Port Security

Page 28: Network Security


Layer 3 Security

• Access Control List (ACL): applied as a filter on interfaces, an ACL controls which traffic is allowed and which is denied on the data plane. ACLs are divided into:

  • Standard ACL
    1- Numbered IP ACL
    2- Named IP ACL
  • Extended ACL
    1- Numbered IP ACL
    2- Named IP ACL
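As an added example (not part of the original slides), the following Python model shows how the two ACL types above are evaluated on the data plane: a standard ACL matches on source address only, an extended ACL on protocol, source, destination and destination port, entries are tested top-down with first match winning, and an unmatched packet hits the implicit deny at the end of every list. The list names, prefixes and packets are constructed for illustration.

```python
"""Model of Cisco-style IP ACL evaluation (added example, constructed data)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # source prefix; /0 means "any"
    proto: str = "ip"                # extended ACLs only: "ip" matches any protocol
    dst: str = "0.0.0.0/0"           # extended ACLs only
    dport: Optional[int] = None      # extended ACLs only; None means any port


@dataclass
class ACL:
    name: str                        # numbered ("10") or named ("INSIDE-IN")
    kind: str                        # "standard" or "extended"
    entries: list = field(default_factory=list)

    def matches(self, e: Entry, pkt: dict) -> bool:
        if ip_address(pkt["src"]) not in ip_network(e.src):
            return False
        if self.kind == "standard":  # a standard ACL looks at the source only
            return True
        if e.proto != "ip" and e.proto != pkt["proto"]:
            return False
        if ip_address(pkt["dst"]) not in ip_network(e.dst):
            return False
        return e.dport is None or e.dport == pkt.get("dport")

    def evaluate(self, pkt: dict) -> str:
        """Return the action applied to one packet: first matching entry wins."""
        for e in self.entries:
            if self.matches(e, pkt):
                return e.action
        return "deny"                # implicit deny at the end of every ACL


# Constructed sample lists, one of each type on the slide.
STANDARD_10 = ACL("10", "standard", [
    Entry("deny", "192.168.10.50/32"),          # block one misbehaving host
    Entry("permit", "192.168.10.0/24"),         # allow the rest of the LAN
])
EXTENDED_IN = ACL("INSIDE-IN", "extended", [
    Entry("permit", "192.168.10.0/24", "tcp", "10.0.0.5/32", 443),  # HTTPS to one server
    Entry("deny", "192.168.10.0/24", "tcp", "10.0.0.0/8", 23),      # no Telnet inside
    Entry("permit", "192.168.10.0/24", "ip", "10.0.0.0/8"),         # anything else inside
])

if __name__ == "__main__":
    pkt = {"src": "192.168.10.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 23}
    print(STANDARD_10.evaluate(pkt), EXTENDED_IN.evaluate(pkt))   # permit deny
```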

Page 29: Network Security

E. Network Security Elements

• Intrusion Prevention Systems (IPSs)

1. An attack is launched on a network that has a sensor deployed in IPS mode (inline mode).

2. The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature and the attack is stopped immediately.

3. The IPS sensor can also send an alarm to a management console for logging and other management purposes.

4. Traffic in violation of policy can be dropped by an IPS sensor.

[Figure: an inline sensor between the attacker and the target, with a management console; steps 1 to 4 mark the attack, the sensor's analysis, the alarm to the console and the dropped traffic going to the "bit bucket".]

Page 30: Network Security

• Intrusion Detection Systems (IDSs)

1. An attack is launched on a network that has a sensor deployed in promiscuous IDS mode; therefore copies of all packets are sent to the IDS sensor for packet analysis. However, the target machine will experience the malicious attack.

2. The IDS sensor matches the malicious traffic to a signature and sends the switch a command to deny access to the source of the malicious traffic.

3. The IDS can also send an alarm to a management console for logging and other management purposes.

[Figure: a switch copying traffic to an out-of-band sensor, with the target and a management console; steps 1 to 3 mark the attack, the sensor's command to the switch and the alarm to the console.]

Page 31: Network Security


• Firewalls

  • A firewall is a system that enforces an access control policy between networks. It may be 1- software or 2- hardware.

  • Common properties of firewalls:
    • Resistant to attacks
    • Is the only transit point between networks
    • Enforces the access control policy

[Figure: a firewall between the internal network (PCs, servers, hosts) and the outside, exposing a single visible IP address.]

Page 32: Network Security


Types of Filtering Firewalls

• Packet-filtering firewall: typically a router that has the capability to filter on some of the contents of packets (examines Layer 3 and sometimes Layer 4 information)

• Stateful firewall: keeps track of the state of a connection, that is, whether the connection is in an initiation, data transfer, or termination state

• Application gateway firewall (proxy firewall): filters information at Layers 3, 4, 5, and 7. Firewall control and filtering are done in software.

• Address-translation firewall: expands the number of IP addresses available and hides the network addressing design.

• Host-based (server and personal) firewall: a PC or server with firewall software running on it.

• Transparent firewall: filters IP traffic between a pair of bridged interfaces.

• Hybrid firewalls: some combination of the above firewalls. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.
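As an added example (not part of the original slides), this Python model contrasts the first two firewall types above: a packet filter that sees only Layer 3/4 header fields, and a stateful firewall that tracks each TCP connection through the initiation, data transfer and termination states named on the slide. It assumes the trusted side may open connections outbound, that an untrusted-side packet is passed only if it belongs to a tracked connection, and that the addresses and ports are constructed.

```python
"""Packet filter versus stateful connection tracking (added example)."""


def stateless_allows(pkt: dict) -> bool:
    """Packet filter matching only on Layer 3/4 fields: permit outbound HTTPS
    and any inbound packet whose source port is 443. It cannot tell a reply
    from unsolicited traffic that merely uses port 443 as its source."""
    if pkt["dir"] == "out" and pkt["dport"] == 443:
        return True
    return pkt["dir"] == "in" and pkt["sport"] == 443


class StatefulFirewall:
    def __init__(self):
        # (src, sport, dst, dport) -> "initiation" | "data_transfer" | "termination"
        self.table = {}

    def process(self, pkt: dict) -> str:
        """pkt has src, sport, dst, dport, dir ('in' or 'out') and flags, a set
        of TCP flag names. Returns 'pass' or 'drop'."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        k = key if key in self.table else rev if rev in self.table else None
        flags = pkt["flags"]
        if k is None:
            # No tracked connection: only a bare SYN from the trusted side opens one.
            if pkt["dir"] == "out" and flags == {"SYN"}:
                self.table[key] = "initiation"
                return "pass"
            return "drop"
        if "RST" in flags:
            del self.table[k]               # aborted: forget the connection
        elif "FIN" in flags:
            if self.table[k] == "termination":
                del self.table[k]           # second FIN: connection is closed
            else:
                self.table[k] = "termination"
        elif self.table[k] == "initiation" and "ACK" in flags:
            self.table[k] = "data_transfer"  # handshake completed
        return "pass"

    def state(self, src, sport, dst, dport):
        """Current state of a tracked connection, or None if not tracked."""
        return self.table.get((src, sport, dst, dport))
```

Once the connection has been closed, replies that the packet filter would still accept on port number alone are dropped because no table entry exists for them.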

Page 33: Network Security


Design with DMZ

• A demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.

[Figure: a firewall joining three zones, untrusted (Internet), DMZ and trusted (private), with four policies between them: Private-Public, Public-DMZ, DMZ-Private and Private-DMZ.]

Actions:
• Pass: this action is analogous to permit in an ACL
• Drop: this action is analogous to deny in an ACL
• Inspect: this action configures Cisco IOS stateful packet inspection

Page 34: Network Security


• VPN

  • Virtual: information within a private network is transported over a public network.
  • Private: the traffic is encrypted to keep the data confidential.

[Figure: VPN tunnels over the Internet from the corporate network (firewall, CSA, WAN) to a regional branch with a VPN-enabled Cisco ISR router, a SOHO with a Cisco DSL router, a mobile worker with a Cisco VPN client, and a business partner with a Cisco router.]

Page 35: Network Security

What is Cisco ASA?

• ASA in Cisco ASA stands for Adaptive Security Appliance.

• Cisco ASA is a security device that combines firewall, intrusion prevention, and virtual private network (VPN) capabilities.

• ASA is valuable and flexible in that it can be used as a security solution for both small and large networks.

• Cisco ASA can do the following and more:
  • Anti-virus
  • Anti-spam
  • IDS/IPS engine
  • VPN device
  • SSL device
  • Content inspection

Page 36: Network Security


• Cryptographic Systems
  • Simply: secret codes
  • Encryption
    • Converting data to unreadable codes to prevent anyone from accessing this information
    • Need a "key" to find the original data.

Cryptographic Protocols
  • Symmetric Encryption
  • Asymmetric Encryption

Page 37: Network Security


Hashing Basics

• Hashes are used for integrity assurance.

• Hashes are based on one-way functions.

• The hash function hashes arbitrary data into a fixed-length digest known as the hash value, message digest, digest, or fingerprint.

[Figure: data of arbitrary length passes through the hash function and yields a fixed-length hash value, shown as e883aa0b24c09f.]

Page 38: Network Security

Hashing in Action

• Vulnerable to man-in-the-middle attacks
• Hashing does not provide security to transmission.
• Well-known hash functions
  • MD5 with 128-bit hashes
  • SHA-1 with 160-bit hashes

[Figure: a cheque "Pay to Terry Smith $100.00, One Hundred and xx/100 Dollars" with hash 4ehIDx67NMop9 is sent across the Internet and arrives as "Pay to Alex Jones $1000.00, One Thousand and xx/100 Dollars" with hash 12ehqPx67NMoX; the recipient says "I would like to cash this check." Match = no changes, no match = alterations.]
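As an added example (not part of the original slides), the cheque scenario above worked with real digests in Python: a plain hash detects alteration only if the attacker cannot recompute it, which a man in the middle who rewrites the message can always do, so hashing alone does not secure transmission; a keyed digest (HMAC) with a key shared by sender and bank cannot be recomputed without the key. It assumes SHA-256 as the hash (the slide names MD5 and SHA-1) and a constructed shared key.

```python
"""Hash-only integrity check versus HMAC on the slide's cheque (added example)."""
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Fixed-length fingerprint of arbitrary-length data (SHA-256, 256 bits)."""
    return hashlib.sha256(message).hexdigest()


def verify_hash(message: bytes, received_digest: str) -> bool:
    """Match = no changes, no match = alterations."""
    return hmac.compare_digest(digest(message), received_digest)


def tag(key: bytes, message: bytes) -> str:
    """Keyed digest: only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(tag(key, message), received_tag)


# Cheque texts taken from the slide's figure (constructed byte strings).
ORIGINAL = b"Pay to Terry Smith $100.00"
ALTERED = b"Pay to Alex Jones $1000.00"


def mitm_with_plain_hash() -> bool:
    """Sender ships (message, hash). Someone in the middle replaces the cheque
    and simply recomputes the hash; the bank's check still reports a match."""
    tampered_message, tampered_digest = ALTERED, digest(ALTERED)
    return verify_hash(tampered_message, tampered_digest)


def mitm_with_hmac(shared_key: bytes) -> tuple:
    """Sender ships (message, HMAC). Without the key the best that can be done
    is to forward the old tag or to substitute an unkeyed hash; both fail."""
    original_tag = tag(shared_key, ORIGINAL)
    forward_old_tag = verify_tag(shared_key, ALTERED, original_tag)
    substitute_hash = verify_tag(shared_key, ALTERED, digest(ALTERED))
    return forward_old_tag, substitute_hash
```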

Page 39: Network Security


F. LAB

Used Tools:
• VMware (Virtualization Program)
• GNS3 (Emulation Program)
• Cisco Configuration Professional (CCP GUI Software)
• ASA Firewall Simulation

Page 40: Network Security


Zone- Based Firewall

Page 41: Network Security


Emulate ASA on GNS3

Page 42: Network Security


Security related URLs

• http://www.robertgraham.com/pubs/network-intrusion-detection.html
• http://online.securityfocus.com/infocus/1527
• http://www.snort.org/
• http://www.cert.org/
• http://www.nmap.org/
• http://grc.com/dos/grcdos.htm
• http://lcamtuf.coredump.cx/newtcp/

Page 43: Network Security


Page 44: Network Security
