Network Security

Chapter Eleven

Prepared by: Raval, Fichadia

John Wiley & Sons, Inc. 2007


Chapter Eleven Objectives

Learn the basic concepts of networks and associated terminology.

Understand the risks that impact networks and the controls to mitigate them.

Gain the skills to assess the security posture of a network and make management recommendations.

Apply security principles and best practices to a network.


The Big Picture

Elements of a network.

Some risks that impact networks.


Network primer

Networks: A series of interconnected nodes that can communicate with each other.

Networks allow computers to talk to each other for functionality (e-mail, B2B), for sharing workload (client-server), and for specialization (printers print).

Communication occurs via agreed-upon protocols such as TCP/IP, SNA, etc.

Internet is THE network – interconnecting millions of computers. Internal company networks are often called Intranets.


Network primer

Networks: OSI model defines the conceptual framework for putting together a network.

Open Systems Interconnect (OSI) proposes a network stack with seven layers.

The layers are: application, presentation, session, transport, network, datalink, and physical.

Layers are numbered in descending order, i.e., the application layer is layer 7 and the physical layer is layer 1.

Each layer performs a specific task and is independent of the others.


Network primer

Networks: Seven layers of the OSI model.

Application layer: Provides different network services to user applications.

Presentation layer: Deals with the syntax and semantics of transmitted data. It converts the presentation format for incoming and outgoing data.

Session layer: Sets up, manages, and terminates conversations between the applications. Deals with session and connection coordination.

Transport layer: Manages complete data transfer by providing end-to-end communication control and error checking.


Network primer

Networks: Seven layers of the OSI model (contd.)

Network layer: Deals with addressing and routing data on the network.

Data link layer: Deals with proper framing of data bits on the physical media and ensures error control between adjacent nodes.

Physical layer: Deals with transmission of bits over the physical media. Provides connectivity of the node to the transmission media.

Useful mnemonic: All People Seem To Need Data Processing.


Network primer

Networks: Encapsulation/decapsulation of data.

Data has to be passed from application layer to application layer across a network.

Each layer adds a header and passes the data to the layer below. This process is called encapsulation.

The physical layer, the lowermost layer, sends the data over the physical medium to the destination.

Upon reaching the destination’s physical layer, the data is passed up the stack.

Each destination layer strips off its header and passes the rest to the layer above. This process is called decapsulation.


Network primer

Networks: Encapsulation/decapsulation of data.

The headers contain information for the corresponding layer on the receiving end.


Network primer

Networks: The TCP/IP model defines specifications of network layers.

The TCP/IP model is similar to the OSI model but has only four layers.

The layers are: application, transport, internetwork, and network access.

Layers are numbered in descending order, i.e., the application layer is layer 4 and the network access layer is layer 1.

Each layer performs a specific task and is independent of the others.


Network primer

Networks: TCP/IP model defines specifications of network layers.

The model provides actual specifications via various protocol definitions (unlike the OSI model).

The model specifies several dozen protocols but is named after two of its most famous protocols, TCP and IP.

Like the OSI model, the TCP/IP model goes through the process of encapsulation and decapsulation.


Network primer

Networks: Four layers of the TCP/IP model.

Application layer: Corresponds to the top three layers of the OSI model. Protocols at this layer include SMTP (e-mail), HTTP (web), and FTP (file transfers).

Transport layer: Corresponds to layer 4 (transport) of the OSI model. Protocols include TCP and UDP.

Internetwork layer: Corresponds to layer 3 (network) of the OSI model. Protocols include IP and ICMP.

Network access layer: Corresponds to layers 1 and 2 (physical and data link) of the OSI model. Works with Ethernet/token ring types of technologies. (Some refer to the internetwork layer as the network layer and to the network access layer as the data link layer.)


Network primer

Networks: Role of the four layers of the TCP/IP model.

Application layer: End-user applications use protocols at this layer to communicate. For example, a web browser uses the HTTP protocol.

Transport layer: Uses protocols like TCP to open a connection with the destination and to ensure that data sent is indeed received.

Internetwork layer: Uses protocols like IP to route the data packets across the Internet to the destination IP address.

Network access layer: Deals with getting data from the destination router to the appropriate computer on the network.


Network primer

Networks: Encapsulation/decapsulation of data on a TCP/IP network.

Data has to be passed from application layer to application layer across a network.

Each layer adds a header and passes the data to the layer below. This process is called encapsulation.

The physical layer, the lowermost layer, sends the data over the physical medium to the destination.

Upon reaching the destination’s physical layer, the data is passed up the stack.

Each destination layer strips off its header and passes the rest to the layer above. This process is called decapsulation.


Network primer

Networks: Encapsulation/decapsulation of data on TCP/IP network.

The headers contain information for the corresponding layer on the receiving end.


Network primer

Networks: End-to-end journey of data across a TCP/IP network.

The internetwork layer needs IP addresses to route data to the destination network (not the destination computer).

IP addresses contain a network address and a host (computer) address.

Routers use the network address portion for getting data packets to the destination network.

Getting the data to the right computer once it reaches the destination network is typically done via the ARP protocol.

Port numbers are used to get the data to the right application on the destination computer.

The transport layer ensures that data reaches the destination, and retransmits it otherwise.


Network primer

Networks: IP address scheme.

The current version of IP addresses is IP version 4. IPv4 defines an IP address with 32 bits organized in four octets (8 bits each). IP version 6 has 128 bits.

The decimal values of the bits in each octet are separated by dots when writing an IP address, e.g. 69.58.201.25.

A certain number of bits from the left correspond to the network address (69.58.201) and the remaining bits identify the computer (host) on the network (25).

The subnet mask defines the boundary between the network portion and the host portion of the IP address.
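As an added illustration (not from the slides), the Python below splits an IPv4 address into its network and host portions with a subnet mask, as the slide describes for 69.58.201.25; the 255.255.255.0 mask and the second address used for comparison are assumptions chosen to match that example.

```python
# Added example (not from the slides): applying a subnet mask to an IPv4 address.
# The addresses and masks used below are constructed for illustration.

def parse_ipv4(addr):
    """Parse dotted-decimal text into a 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % addr)
    value = 0
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError("octet out of range in %r" % addr)
        value = (value << 8) | int(octet)
    return value


def format_ipv4(value):
    """Inverse of parse_ipv4: 32-bit integer back to dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix_len):
    """Build the mask whose leftmost prefix_len bits are 1 (e.g. 24 -> 255.255.255.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def prefix_from_mask(mask):
    """Dotted mask -> prefix length; a mask whose 1-bits are not contiguous is rejected,
    since such a mask defines no single network/host boundary."""
    m = parse_ipv4(mask)
    ones = bin(m).count("1")
    if m != mask_from_prefix(ones):
        raise ValueError("non-contiguous subnet mask %r" % mask)
    return ones


def split_address(addr, mask):
    """Network portion, host number and broadcast address of addr under mask."""
    ip = parse_ipv4(addr)
    m = parse_ipv4(mask)
    prefix = prefix_from_mask(mask)
    network = ip & m                       # bits left of the boundary
    host = ip & ~m & 0xFFFFFFFF            # bits right of the boundary
    return {
        "network": format_ipv4(network),
        "prefix": prefix,
        "host": host,
        "broadcast": format_ipv4(network | (~m & 0xFFFFFFFF)),
    }


def same_network(a, b, mask):
    """True when a router would treat both addresses as being on the same network."""
    m = parse_ipv4(mask)
    return (parse_ipv4(a) & m) == (parse_ipv4(b) & m)


if __name__ == "__main__":
    print(split_address("69.58.201.25", "255.255.255.0"))
    print(same_network("69.58.201.25", "69.58.201.200", "255.255.255.0"))
    print(same_network("69.58.201.25", "69.58.202.1", "255.255.255.0"))
```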


Network primer

Networks: Ports.

Ports identify the unique application/service on a computer that sends or receives the data. E.g. port 80 is used by web server software to receive requests from browsers.

Port numbers can range from 0 through 65,535. IANA designates “well-known” ports (0-1023) for specific purposes, e.g. port 80 is for web traffic and port 25 is for e-mail traffic.


Management concerns

Concerns about network security typically include the following:

Ensuring the availability of the networks for web traffic, e-commerce/EDI transactions, and e-mail.

Maintaining the confidentiality and integrity of data flowing over the networks (from home and within the company).

Building networks with business partners to aid with B2B transactions without compromising security.

Having an effective backup, recovery, business resumption and a disaster recovery plan.


Risks and controls

Clear-text transmissions: Data that goes over the network in an unencrypted fashion.

Networks are shared by multiple computers.

These computers play nice and read only those packets on the network that are addressed to them. They ignore data packets that aren’t meant for them.

A “sniffer” computer can read packets that aren’t meant for it by putting its network card into “promiscuous” mode, thereby accessing unauthorized data.

Intruders often use sniffers to capture user IDs, passwords, and other sensitive data.


Risks and controls

Clear-text transmissions: Data that goes over the network in an unencrypted fashion.

Sniffers can capture data belonging to others.


Risks and controls

Clear-text transmission risks:

Disclosure of sensitive information.

Controls:

Employ encryption for sensitive data.

Limit access to physical networks.


Risks and controls

Modems: Devices that allow users to connect to the Internet.

Modems can be dial-up modems or cable modems.

Dial-up modems installed in computers communicate via analog phone lines with modems within company networks or at Internet Service Providers (ISPs).

Cable modems are highly popular now and connect over cable lines to the cable companies that provide Internet connectivity.

Cable modems offer much faster speeds than dial-up modems.


Risks and controls

Modems: Devices that allow users to connect to the Internet.

Cable modems are a lot more popular than dial-up modems.


Risks and controls

Dial-up modem risks: Intruders use war-dialers to identify company modems and crack the passwords to get in. A single insecure modem can undo the security offered by a million-dollar firewall.

Controls: The company should war-dial itself to identify unauthorized modems and disable them.

Authorized modems should offer no login banners or information that helps intruders fingerprint the modem.

Employ intruder lockouts and strong user ID and password management routines.


Risks and controls

Controls contd.

Consider using modems with two-factor authentication (something you know and something you have).

Consider using callback modems that return calls to prespecified numbers upon a connection request.


Risks and controls

Cable modem risks:

Cable modems provide a static target to attackers often with the same IP address.

Cable modems may allow users to sniff neighbor’s data.

Controls:

Turn off cable-modems when not required.

Employ personal firewalls on machines behind a cable modem.

Secure the machines via operating system security practices.


Risks and controls

Virtual Private Networks: Allows for securing traffic sent via the Internet to company networks.

Remote users often dialed into company modems via toll-free numbers to connect to company networks.

Dedicated modem lines and toll-free numbers were expensive for companies.

VPNs solved the problem by encrypting and sending data over the public network (Internet).

Remote users just needed a connection to their ISP and a VPN client that connected to a VPN server on the company end.


Risks and controls

Virtual Private Networks: Allows for securing traffic sent via the Internet to company networks.

Modem banks and dedicated toll-free lines were required for remote connectivity before VPNs.


Risks and controls

Virtual Private Networks: Allows for securing traffic sent via the Internet to company networks.

VPNs allowed companies to lower cost by securely tunneling data to company network via the Internet.


Risks and controls

Virtual Private Networks: There are three popular tunneling protocols used for VPNs.

Point-to-Point Tunneling Protocol (PPTP) by Microsoft works at layer 2 of the OSI model and is natively supported by Windows.

Layer 2 Tunneling Protocol (L2TP) by Cisco also works at layer 2 of the OSI model and combines features of L2F and PPTP.

The IPSec protocol by the IETF works at layer 3 of the OSI model and generally provides stronger encryption and data integrity via digital certificates.


Risks and controls

VPN risks:

VPNs may employ weak authentication mechanisms (weak when compared against the risk of sending traffic over the Internet).

An insecure end-user machine may allow intruders to bridge into the company network.

Encryption protocols may be weak.

Controls:

Use stronger authentication means such as digital certificates or two-factor authentication.


Risks and controls

Controls contd:

Ensure the VPN solution uses strong encryption.

Employ personal firewalls on machines behind a cable modem.

Secure the machines via operating system security practices.


Risks and controls

Firewalls (FWs): Devices that control traffic entering and exiting a company network.

Firewalls act as perimeter sentries for a network. All incoming and outgoing traffic goes through the firewall.

Firewalls have rulesets (policies) that decide what type of traffic passes and what doesn’t. For example:

Outsiders can access company web pages and can send e-mails, but can’t connect to other company servers.

Inside employees can connect to external servers, but can’t connect to peer-to-peer networks.

In addition to filtering, some firewalls can provide additional functionality like authentication, virus scanning, intrusion detection, spam filtering, etc.


Risks and controls

Firewalls: There are three main types of firewalls.

Packet filter (PF) FWs filter based on source & destination IP addresses and/or source & destination port numbers.


Risks and controls

Firewalls: There are three main types of firewalls.

Stateful packet inspection (SPI) FWs build on packet-filtering FWs by looking at the content of the packet.

In addition, SPI FWs look at the state of the packet. This ensures that an incoming packet that wasn’t a response to a previous outgoing request is dropped.
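An added example (not code from the slides) that models the difference between the two firewall types just described: the stateless packet filter judges each packet against its rules alone, while the stateful one remembers connections opened from inside and admits only their replies. The addresses, the rule order and the use of port 6881 as a stand-in for peer-to-peer traffic are assumptions.

```python
# Added example (not from the slides): a stateless packet filter beside a stateful
# packet-inspection filter, applied to the slide's sample policy. All packets and
# addresses are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the Internet, "out" = leaving the trusted network
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for a TCP connection request (first packet of a new flow)


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    direction: str
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range; None matches any port

    def matches(self, p):
        if self.direction != p.direction:
            return False
        return self.dst_ports is None or self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]


class PacketFilter:
    """Stateless filter: first matching rule wins, default deny, every packet judged alone."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p):
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFilter(PacketFilter):
    """SPI: remembers connections opened from inside and admits inbound packets only when
    they belong to one of them or match an explicit inbound rule."""

    def __init__(self, rules):
        super().__init__(rules)
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p):
        if p.direction == "in" and (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
            return "allow"         # reply to a flow we watched leave
        verdict = super().decide(p)
        if verdict == "allow" and p.direction == "out" and p.syn:
            self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return verdict


# Policy from the slide: outsiders reach the web (80) and mail (25) servers only; insiders
# reach external servers but not peer-to-peer networks (6881-6889 is a constructed stand-in).
COMMON = [
    Rule("allow", "in", (80, 80)),
    Rule("allow", "in", (25, 25)),
    Rule("deny", "out", (6881, 6889)),
    Rule("allow", "out"),
]
# A stateless filter cannot recognise replies, so it has to open every high port inbound,
# which is exactly the hole the stateful filter closes.
STATELESS_RULES = COMMON[:2] + [Rule("allow", "in", (1024, 65535))] + COMMON[2:]


def run_scenario():
    """Return {packet name: (stateless verdict, stateful verdict)} for five sample packets."""
    pf = PacketFilter(STATELESS_RULES)
    spi = StatefulFilter(COMMON)
    samples = [
        ("outbound_request", Packet("out", "10.0.0.5", 40000, "203.0.113.9", 80, syn=True)),
        ("reply", Packet("in", "203.0.113.9", 80, "10.0.0.5", 40000)),
        ("unsolicited", Packet("in", "198.51.100.7", 4444, "10.0.0.5", 40000)),  # nobody asked
        ("web_visitor", Packet("in", "198.51.100.7", 50000, "10.0.0.80", 80, syn=True)),
        ("p2p", Packet("out", "10.0.0.5", 40001, "203.0.113.50", 6881, syn=True)),
    ]
    return {name: (pf.decide(pkt), spi.decide(pkt)) for name, pkt in samples}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print("%-17s stateless=%-5s stateful=%s" % (name, stateless, stateful))
```

The unsolicited packet to an inside high port is the case that separates the two: the stateless filter passes it, the stateful one drops it because no matching connection left the network.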


Risks and controls

Firewalls: There are three main types of firewalls.

Application-level/proxy FWs are conceptually different in that they broker all transactions between the sender and receiver by providing a proxy service to both sides.

No other traffic can pass since proxy software for that traffic isn’t present on the FW.


Risks and controls

Firewalls: Firewall placement in network has security ramifications. Some sample placements include:

Screening router setup wherein packet filter/SPI firewalls separate trusted networks from the untrusted networks (Internet).


Risks and controls

Firewalls: Firewall placement in network has security ramifications. Some sample placements include:

Dual-homed host setup wherein a “bastion” host with proxy FW separates trusted networks from the untrusted networks (Internet).


Risks and controls

Firewalls: Firewall placement in network has security ramifications. Some sample placements include:

Screened host setup is a combination of a screening router setup (with packet filter/SPI FW) and a “bastion” host inside the trusted network with a proxy FW.


Risks and controls

Firewalls: Firewall placement in network has security ramifications. Some sample placements include:

Screened subnet setup wherein an extra screening router (with packet filter/SPI FW) is added and a “bastion” host (with proxy FW) is moved outside the company network in the DeMilitarized Zone (DMZ).


Risks and controls

Firewall risks:

A properly configured FW has no risk. However, the rulesets can get complicated fast.

Firewalls don’t protect against malicious internal users.

Firewalls can be undone by rogue modems/wireless APs.

Controls:

Audit FW rulesets to ensure policies are correctly implemented.

Use anti-virus, intrusion detection, etc. in addition to firewalls.

Prevent rogue modems and/or wireless APs.


Risks and controls

Denial of Service (DoS): Attacks on a network aimed at disrupting service to users of a network.

The attack is not aimed at stealing data or compromising security, but rather at denying legitimate users access to a resource.

Occurs mostly at the network level, although DoS against operating systems and applications is also possible.

There are several types of DoS/DDoS attacks.


Risks and controls

Denial of Service (DoS): Types of DoS attacks on networks.

Network connectivity resource consumption attack: The attacker consumes network connectivity resources, denying users the ability to connect to the network.

An example is the SYN flood attack, which exploits the TCP handshake used for establishing a connection.


Risks and controls

Denial of Service (DoS): Types of DoS attacks on networks.

Network connectivity resource consumption attack (contd.): The attacker sends spoofed SYN packets asking for a connection; however, the victim never receives the ACK packets back and keeps waiting. As the spoofed SYN packets increase, the victim runs out of resources for valid users to connect.


Risks and controls

Denial of Service (DoS): Types of DoS attacks on networks.

Bandwidth consumption attack: The attacker consumes all network bandwidth, denying users a place on the network. Attackers magnify their traffic multiple-fold to flood the victim’s network via “magnification attacks.”

An example is the smurf attack, which exploits the ICMP broadcast feature to generate loads of traffic.

The attacker finds susceptible routers on the web that allow broadcast pings (one ping to the router causes ping responses from all computers on the network). These are the “amplifier” sites.

The attacker sends spoofed ICMP pings purporting to come from the victim to these amplifier sites, which all respond back to the victim, flooding the victim’s network.


Risks and controls

Denial of Service (DoS): Types of DoS attacks on networks.

Bandwidth consumption attack (contd.): The attacker thus leverages unsuspecting routers on the Internet to attack a victim.


Risks and controls

Denial of Service (DoS): Types of DoS attacks on networks.

Distributed DoS attack: A single source of attack can often be filtered out. Hence attackers leverage several compromised machines (“zombies”) to generate a distributed attack on the victim. These “zombies” come alive on a single command from the attacker and attack the victim.


Risks and controls

DoS risks: Risks include loss of revenue and decline in customer faith.

Controls: Increase the number of connections and decrease ACK time-outs to mitigate network resource consumption attacks.

Disable ICMP broadcasts on routers.

DDoS attacks are difficult to prevent.

Receiving routers can’t easily identify spoofed packets coming in. Plus, they are bogged down under attack.

However, sending routers can detect spoofed packets being generated. Also, they may not be bogged down.

Hence, it is easier to prevent a DDoS attack closer to the source than at the victim’s site.
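An added example (not from the slides) that ties the SYN flood described earlier to the time-out control on this slide: it replays a constructed edge log, keeps a table of half-open connections per destination, ages entries out after a configurable ACK time-out, and raises an alert when the peak half-open count crosses a threshold. The log format, addresses and thresholds are assumptions.

```python
# Added example (not from the slides): half-open connection accounting over a
# constructed log, showing what a SYN flood looks like from the victim's side and
# how a shorter ACK time-out frees the backlog.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one TCP control packet per line, "timestamp FLAG src:port -> dst:port".
# The 10.0.0.x clients complete the handshake; the 198.51.100.x sources send SYNs that are
# never acknowledged, which is how spoofed-source SYNs appear to the victim.
SAMPLE_LOG = """\
2007-03-01T10:00:00 SYN 10.0.0.5:51000 -> 192.0.2.10:80
2007-03-01T10:00:00 ACK 10.0.0.5:51000 -> 192.0.2.10:80
2007-03-01T10:00:01 SYN 198.51.100.7:40001 -> 192.0.2.10:80
2007-03-01T10:00:01 SYN 198.51.100.8:40002 -> 192.0.2.10:80
2007-03-01T10:00:01 SYN 198.51.100.9:40003 -> 192.0.2.10:80
2007-03-01T10:00:02 SYN 198.51.100.10:40004 -> 192.0.2.10:80
2007-03-01T10:00:02 SYN 198.51.100.11:40005 -> 192.0.2.10:80
2007-03-01T10:00:02 SYN 198.51.100.12:40006 -> 192.0.2.10:80
2007-03-01T10:00:20 SYN 10.0.0.6:51001 -> 192.0.2.10:80
2007-03-01T10:00:20 ACK 10.0.0.6:51001 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(\S+) (SYN|ACK) (\S+):(\d+) -> (\S+):(\d+)$")


def analyze(log_text, half_open_timeout_s=10.0, threshold=5):
    """Replay the log and report, per destination, the half-open connection picture."""
    pending = {}                     # (src, sport, dst, dport) -> time the SYN arrived
    peak = defaultdict(int)          # highest simultaneous half-open count per destination
    completed = defaultdict(int)
    expired = defaultdict(int)
    unacked_sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not a TCP control packet line
        ts = datetime.fromisoformat(m.group(1))
        flag, src, sport, dst, dport = m.group(2), m.group(3), int(m.group(4)), m.group(5), int(m.group(6))
        # Age out half-open entries older than the time-out. This models the slide's
        # "decrease ACK time-outs" control: the slot is freed for valid users.
        for key, t0 in list(pending.items()):
            if (ts - t0).total_seconds() > half_open_timeout_s:
                del pending[key]
                expired[key[2]] += 1
                unacked_sources[key[2]].add(key[0])
        key = (src, sport, dst, dport)
        if flag == "SYN":
            pending[key] = ts
            current = sum(1 for k in pending if k[2] == dst)
            peak[dst] = max(peak[dst], current)
        elif flag == "ACK" and key in pending:
            del pending[key]         # handshake completed, no longer half-open
            completed[dst] += 1
    for src, _sport, dst, _dport in pending:   # still waiting when the log ends
        unacked_sources[dst].add(src)
    report = {}
    for dst in set(peak) | set(completed):
        report[dst] = {
            "peak_half_open": peak[dst],
            "completed": completed[dst],
            "expired": expired[dst],
            "still_pending": sum(1 for k in pending if k[2] == dst),
            "distinct_unacked_sources": len(unacked_sources[dst]),
            "alert": peak[dst] >= threshold,
        }
    return report


if __name__ == "__main__":
    for dst, stats in analyze(SAMPLE_LOG).items():
        print(dst, stats)
```

Many distinct sources that never complete the handshake, against a handful of completed connections, is the signature to look for; compare the run with a 60-second time-out to see the peak grow because nothing is released.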


Risks and controls

Wireless networks: Popular networking wherein data is passed over the air instead of over a physical (wired) medium.

Bluetooth/IEEE 802.11 networks are being rapidly adopted because of the convenience they offer.

Bluetooth works over small distances (a few feet), whereas 802.11 networks work over several hundred feet.

This chapter focuses on 802.11-based wireless networks.

While 802.11(b) is the most widely adopted Wireless LAN (WLAN) standard, 802.11(a) and (g) are gaining popularity because of higher transmission speeds.


Risks and controls

Wireless networks: Popular networking wherein data is passed over the air instead of over a physical (wired) medium.

Access points (AP) and wireless cards are required.


Risks and controls

Wireless networks: Security mechanisms for wireless networks include the following.

Shared secret: Devices need to know the AP’s Service Set Identifier (SSID) to join the network.

Address-based restrictions: APs can be configured to accept transmissions only from network cards with predefined MAC addresses.

Encryption: 802.11b networks allow the option of encrypting all transmissions using the wired equivalent privacy (WEP) encryption scheme.


Risks and controls

Wireless network risks:

Transmissions can’t be limited to company premises.

Security mechanisms aren’t strong enough:

The SSID is often broadcast in the clear for anyone to read.

MAC addresses can be changed/spoofed.

WEP encryption scheme is flawed and hence can be cracked.

Default password may not be changed.

SNMP services may be enabled.

Unauthorized APs can undo firewall security and compromise a company network.


Risks and controls

Controls:

Don’t use wireless networks if not required.

Change default passwords, disable SNMP.

Disable SSID broadcast.

Adopt newer APs that support the 802.11i security standard (marketed as WiFi Protected Access, WPA) instead of WEP if possible. If not, use 128-bit WEP encryption.

Consider using digital-certificate-based authentication.

Scan internal network to identify unauthorized APs.

Don’t consider wireless clients trusted. Force them to use techniques like VPN to join company network.


Risks and controls

Intrusion Detection System (IDS): System that provides warning and/or takes action against intrusion attempts on networks and/or computers.

Two key types of IDS: network-based and host-based.

Network IDS: Sniffs data on network segments via special sensors and sends it to a centralized console for identifying attacks.

Host-based IDS: Resides on individual computers (hosts). Monitors file and process activity to identify attacks (similar to anti-virus solutions on PCs).

Responses can be active (e.g. close ports, stop service) or passive (send alerts via pagers, e-mails).


Risks and controls

Intrusion Detection System (IDS): Network IDS

Advantages: Can monitor vast expanses of networks

Has global view of attacks (alerts on “doorknob rattling”)

Don’t need any changes to individual computers

NIDS devices can be made extremely secure

Disadvantages: Can’t work in encrypted environments

May not work in a switched network topology

May not be able to handle all traffic on a busy network


Risks and controls

Intrusion Detection System (IDS): Host IDS

Advantages: Fewer false positives in assessment

May work in encrypted environments

Works in all network topologies

Better at impact assessment

Disadvantages: More intrusive to the computer

Has only local view of attacks

More administrative overhead since installed on all machines


Risks and controls

Intrusion Detection System (IDS): Analysis methods.

Two key methods are used for analyzing data: attack signature-based analysis and baseline-based analysis.

Attack-signature-based analysis: Analysis involves matching network data against a bank of known attack patterns (signatures), similar to the virus definition signatures used by anti-virus software.

Provides a fairly reliable means of attack identification.

Can’t assess new, unknown attacks.

Baseline-based analysis (anomaly detection): Compares network data against established baselines.

May detect newer attacks, but higher degree of false positives.


Risks and controls

Simple Network Management Protocol (SNMP): Allows reading or altering of configuration of network devices.

Popular protocol that is very lightweight and versatile.

Allows users to remotely administer network devices (routers, printers, computers) by reading and/or modifying their configurations. Devices can be polled too.

Client-server architecture: SNMP software on devices reports to a (typically centralized) SNMP manager.

Clients and managers exchange messages called Protocol Data Units (PDUs).


Risks and controls

Simple Network Management Protocol (SNMP): Allows reading or altering of configuration of network devices.

PDU exchange requires authentication via “community strings” – which essentially act as passphrases.

Two types of community strings exist – a read-only string and one that allows reads and writes.

Four types of PDUs exist: get request

get-next request

set request

trap message


Risks and controls

Simple Network Management Protocol (SNMP): Allows reading or altering of configuration of network devices.

“get request” PDU for getting a specific value from the device’s information table (called the MIB, management information base).

“get next request” PDU for getting the value of the next MIB variable after the one named in the previous get/get-next request.

“set request” PDU to set a particular MIB variable. Allows for changing of device configuration.

“trap message” PDU to send messages/alerts (“traps”) to SNMP managers.


Risks and controls

Simple Network Management Protocol (SNMP): Allows reading or altering of configuration of network devices.

Four types of PDUs are used to exchange messages.


Risks and controls

SNMP risks:

SNMP version 1 (most common) sends community strings in clear-text and hence can be sniffed.

Default community names (“public” and “private”) are often unchanged.

Often installed, but ignored by administrators.

Preferred tool of intruders to footprint an environment. Reveals OS, patches, administrator names, etc.

Can be used by intruders to cause DoS attacks.

Controls:

Disable SNMP if not required.
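An added example (not from the slides) for the clear-text community string risk above and the four PDU types listed earlier: it decodes the outer layer of a community-based SNMP message (v1/v2c), as a sniffer on the wire could, reports the community string that travelled in the clear, names the PDU type, and flags the default “public”/“private” names. The sample messages are constructed here with a small encoder; no real device traffic is involved.

```python
# Added example (not from the slides): passive audit of community-based SNMP
# messages. read_tlv()/parse_snmp_community() decode; tlv()/build_v1_message()
# exist only to construct the sample packets used below.

DEFAULT_COMMUNITIES = {"public", "private"}
# Tags for the four PDU types named on the slide, plus the get-response that answers them.
PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "get-response",
             0xA3: "set-request", 0xA4: "trap"}


def read_tlv(buf, pos):
    """Decode one BER tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_community(packet):
    """Version, community and PDU type of a v1/v2c message; raises on anything else."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):               # 0 = SNMPv1, 1 = SNMPv2c; v3 carries no community here
        raise ValueError("not a community-based SNMP version: %d" % version)
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": "v1" if version == 0 else "v2c",
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag)}


def assess(packet):
    """Findings an auditor would record for one captured message."""
    info = parse_snmp_community(packet)
    findings = ["SNMP%s %s carried community %r in clear text"
                % (info["version"], info["pdu"], info["community"])]
    if info["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string in use")
    if info["pdu"] == "set-request":
        findings.append("write access (set-request) exercised with this community")
    return findings


# --- constructed sample messages ---------------------------------------------
def tlv(tag, value):
    if len(value) >= 128:
        raise ValueError("samples use short-form lengths only")
    return bytes([tag, len(value)]) + value


def build_v1_message(community, pdu_tag, oid):
    """Minimal SNMPv1 message: one varbind (OID, NULL), request-id 1, no error."""
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
              + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)


SYSDESCR_0 = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])   # OID 1.3.6.1.2.1.1.1.0
SAMPLE_GET = build_v1_message(b"public", 0xA0, SYSDESCR_0)

if __name__ == "__main__":
    for finding in assess(SAMPLE_GET):
        print(finding)
```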


Risks and controls

Controls contd.:

Filter incoming SNMP traffic via firewalls.

Change default community names to stronger values. Periodically change the values.

Use SNMP version 2 if possible, since it allows for some encryption.

Define which trusted hosts alone may receive SNMP messages.

Apply SNMP patches.


Assurance considerations

An audit to assess network security should include the following:

Ensure the company’s network perimeter is well-defined and documented.

Determine the legitimacy and the business needs for trust relationships among networks.

Review the use of firewalls to segregate networks and to protect the computers within a network.

Audit the firewall rules for filtering traffic and the use of layered topology for protecting the network.

Ensure that the network security is not undone by use of unauthorized modems and/or wireless access points.


Assurance considerations

Evaluate the use of encryption to protect data in transit.

Determine if controls like personal firewalls are used to protect remote users’ machines.

Determine if an intrusion detection system is in place.

Ensure insecure network services such as SNMP, tftp, telnet, etc. are either not used or have been secured.

Determine if network devices and software are patched.

Evaluate the security of wireless networks.

Ensure that functional plans for backup and recovery, business resumption, disaster recovery are in place.


Recap