ROSEdu Tech Talks Presentation 05: Network Security
Transcript of ROSEdu Tech Talks Presentation 05: Network Security
-
8/14/2019 ROSEdu Tech Talks Presentation 05: Network Security
1/29
2007 Cisco Systems, Inc. All rights reserved. Cisco Public New CCNA 307 1
Network Security
Bogdan Doinea
-
Agenda
Network attacks
  DoS
  MiTM
  new attacks
Network equipment
  routers as security devices
  dedicated firewalls
  IPS/IDS
-
Network attacks
Old (classic)
  DoS
    at the operating-system level
    at the network level
  Sniffing
  MiTM
  Brute force
  Physical
New
-
Denial of Service
What kind of service? any
At the network level
  ping, complex ping - smurf attack
At the operating-system level
  Teardrop attack
  TCP SYN flood
  directly from the shell: opening named pipes, f(){ f|f& };f etc.
  buffer overflow
  teardrop
-
Ping
  the Hello World equivalent of DoS attacks
Ping of death
  > 65536 bytes -> buffer overflow
Ping flood
  1. DoS: computer 2 computer
  2. DDoS: exploit
  3. DDoS: no exploit
-
Smurf attack
Techniques used and their countermeasures:
  spoofing -> DHCP snooping on the switch
  ip directed-broadcast -> disabled on the router
[figure: Attacker and Victim; networks 192.168.1.0/24 and 192.168.2.1/24; spoofed packet with source 192.168.2.1 and destination 192.168.1.255]
-
Teardrop attack
What is fragmentation?
  Transmitting a packet from a medium with a large MTU onto a medium with a smaller MTU
    Wireless
    MPLS
  Fields in the IP header are used: Don't Fragment (DF), More Fragments (MF), Fragment Offset.
Teardrop = wrong pointers in Fragment Offset -> kernel panic
  Windows 95
  Linux 2.1.63
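The defensive side of the slide, as an added example that is not part of the original deck: a reassembly pre-check that walks a datagram's fragments in offset order and refuses the set when one fragment's Fragment Offset points back inside data already received (the teardrop case, where naive code computes a negative length), and also reports plain overlaps, gaps, oversize datagrams and non-final fragments whose length is not a multiple of 8. The Fragment type and both fragment sets are constructed for this example; the field semantics (offset in 8-byte units, MF flag, 65535-byte limit) are those of IPv4.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IPv4 datagram; fragments cannot reassemble beyond it


@dataclass(frozen=True)
class Fragment:
    """One IP fragment as the reassembly code sees it (constructed sample, not a capture)."""
    ident: int    # IP Identification: every fragment of one datagram carries the same value
    offset: int   # Fragment Offset field, counted in 8-byte units
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments (MF) flag


def check_fragments(frags):
    """Validate the fragments of one datagram before reassembling it.

    Returns a list of problem descriptions; an empty list means the set is
    consistent and safe to copy into the reassembly buffer."""
    problems = []
    idents = {f.ident for f in frags}
    if len(idents) != 1:
        return ["expected fragments of exactly one datagram, got identifications %s" % sorted(idents)]
    ordered = sorted(frags, key=lambda f: f.offset)
    expected_start = 0  # first byte not yet covered by earlier fragments
    for f in ordered:
        start = f.offset * 8
        end = start + f.length
        if end > MAX_DATAGRAM:
            problems.append("fragment %d-%d exceeds the %d-byte datagram limit" % (start, end, MAX_DATAGRAM))
        if start < expected_start and end <= expected_start:
            # The fragment lies entirely inside data already received. Code that
            # trusts the offsets and computes (end - expected_start) gets a negative
            # length here: the teardrop condition.
            problems.append("fragment %d-%d lies inside already reassembled data (teardrop)" % (start, end))
        elif start < expected_start:
            problems.append("fragment %d-%d overlaps earlier data ending at %d" % (start, end, expected_start))
        elif start > expected_start:
            problems.append("gap between byte %d and byte %d" % (expected_start, start))
        if f.more and f.length % 8:
            problems.append("non-final fragment at %d has length %d, not a multiple of 8" % (start, f.length))
        expected_start = max(expected_start, end)
    if ordered[-1].more:
        problems.append("last fragment still has MF set: datagram incomplete")
    return problems


# Constructed fragment sets: a 2000-byte datagram split for a 1500-byte MTU,
# and a teardrop-style pair whose second offset points back inside the first.
WELL_FORMED = [Fragment(1, 0, 1480, True), Fragment(1, 185, 520, False)]
TEARDROP = [Fragment(7, 0, 32, True), Fragment(7, 3, 4, False)]

if __name__ == "__main__":
    for name, frags in (("well-formed", WELL_FORMED), ("teardrop", TEARDROP)):
        print(name, check_fragments(frags) or "OK")
```

The check is deliberately conservative: any overlap is reported, not only the negative-length case, because a reassembler that silently prefers one overlapping copy over the other is exactly what fragmentation-based IDS evasion relies on.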
-
.. actually Vista, but also 7
SMB 2.0
Full Disclosure mailing list -> 8 September 2009
"SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. No user action is required"
Windows Teardrop Attack Detection Software via MS, or a firewall?
-
TCP SYN flood
Denial of service at the OS + network level
[figure: Attacker -> Server: TCP SYN (IP x; port x), TCP SYN (IP y; port x), TCP SYN (IP x; port x), TCP SYN (IP x; port y); Server replies SYN + ACK, SYN + ACK, then "No more open ports please", "enough already"]
Techniques used and their countermeasures:
  spoofing -> DHCP snooping on the switch
-
Preventing TCP SYN flood
TCP Intercept
  Used on the router
  Establishes a TCP connection on the server's behalf towards the client
  Establishes a TCP connection on the client's behalf towards the server
  Establishes the end-to-end session only if it receives the ACK
[figure: client <-> firewall: 1 SYN, 2 SYN + ACK, 3 ACK; firewall <-> server: 4 SYN, 5 SYN + ACK, 6 ACK]
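The two slides above, the flood and the TCP Intercept response, played out in a small simulation; this is an added example, not code from the deck or from Cisco's implementation. A toy Server keeps a bounded half-open table, and a toy TcpIntercept answers each SYN itself (steps 1-3) and only performs the server-side handshake (steps 4-6) when the client's ACK arrives, ageing out entries that never complete. The spoofed source range, backlog size, timeout and server address are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN+ACK" or "ACK"


class Server:
    """Toy TCP listener: a bounded table of half-open connections (SYN seen, ACK not yet)."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}
        self.established = set()

    def receive(self, seg):
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                return "dropped: backlog full"      # the SYN flood's goal
            self.half_open[key] = "SYN_RCVD"
            return "SYN+ACK"
        if seg.flags == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.established.add(key)
            return "ESTABLISHED"
        return "ignored"


class TcpIntercept:
    """Router in front of the server, modelled on the slide's six steps: it answers the
    client's SYN itself (1-3) and only runs the handshake with the server (4-6) once
    the client's ACK has arrived. Spoofed sources never ACK, so they never reach the server."""

    def __init__(self, server, timeout=30.0):
        self.server = server
        self.timeout = timeout
        self.pending = {}   # (src, sport) -> time at which we sent SYN+ACK on the server's behalf

    def expire(self, now):
        """Drop embryonic entries older than the timeout; returns how many were removed."""
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def receive(self, seg, now):
        self.expire(now)
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            self.pending[key] = now
            return "SYN+ACK"                       # step 2, sent by the router, not the server
        if seg.flags == "ACK" and key in self.pending:
            del self.pending[key]
            syn = Segment(seg.src, seg.sport, seg.dst, seg.dport, "SYN")
            if self.server.receive(syn) != "SYN+ACK":   # steps 4-5
                return "dropped: server busy"
            return self.server.receive(seg)            # step 6: "ESTABLISHED"
        return "ignored"


def run_scenario(use_intercept, backlog=128, spoofed=500, legit=5):
    """Constructed flood: `spoofed` SYNs from addresses that never answer, followed by
    `legit` clients that complete the handshake. Returns what the server ended up with."""
    server = Server(backlog)
    front = TcpIntercept(server) if use_intercept else None
    clock = [0.0]

    def deliver(seg):
        clock[0] += 0.001
        return front.receive(seg, clock[0]) if front else server.receive(seg)

    for i in range(spoofed):
        deliver(Segment("10.0.%d.%d" % (i >> 8, i & 255), 40000, "192.0.2.10", 80, "SYN"))
    served = 0
    for i in range(legit):
        syn = Segment("198.51.100.%d" % (i + 1), 50000 + i, "192.0.2.10", 80, "SYN")
        if deliver(syn) == "SYN+ACK":
            ack = Segment(syn.src, syn.sport, syn.dst, syn.dport, "ACK")
            served += deliver(ack) == "ESTABLISHED"
    result = {"server_half_open": len(server.half_open), "served": served}
    if front:
        result["intercept_pending"] = len(front.pending)
        front.expire(clock[0] + front.timeout + 1)     # what the router's ageing does later
        result["intercept_pending_after_timeout"] = len(front.pending)
    return result


if __name__ == "__main__":
    print("without intercept:", run_scenario(False))
    print("with intercept:   ", run_scenario(True))
```

Without the intercept the 500 spoofed SYNs fill the 128-entry backlog and every legitimate client is refused; with it the server never sees a half-open connection and all five clients are served, while the flood's entries sit in the router's table until its timeout clears them. That table is the trade-off: the router must size and age it, since it now absorbs the resource pressure the server used to.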
-
Buffer overflow
The stack grows downward
[figure: top of stack; malicious code; return address; local variables; buffer; strings grow upward]
Prevention and detection
  PaX patch for the Linux kernel
    data memory marked non-executable
    code memory marked non-writable
  Stack Guard, Stack Smashing Protection, canary value
-
Physical attacks?
-
Physical attacks?
Disaster recovery and backups (GLB)
  Cold site
  Warm site
  Hot site
-
Sniffing
!= capture
The act of capturing traffic that is not destined to you
Is it legal? yes / no
How can it be done? yes / no
In the glorious days -> hubs!! :-x
In the almost_as_glorious days? -> MiTM
-
Man in the Middle
Valid ARP request (made by Bob, looking for Alice):
  MAC dest        MAC src   Type    Opcode  MAC src   IP src      MAC dest        IP dest
  FFFF:FFFF:FFFF  MAC Bob   0x0806  1       MAC Bob   IP Bob      0000:0000:0000  IP Alice
ARP request made by AJ:
  MAC dest        MAC src   Type    Opcode  MAC src   IP src      MAC dest        IP dest
  FFFF:FFFF:FFFF  MAC AJ    0x0806  1       MAC AJ    IP Gateway  0000:0000:0000  nonexistent IP
Unknown
-
Detecting/preventing MiTM
How can we detect MiTM?
  easy: the ARP packet reaches everyone
  ARP Watch
How can we prevent MiTM?
  hard
  encrypting the traffic (in a local network??)
  DHCP snooping + ARP Guard
[figure: "DHCPlease"; MiTM ARP Request; the switch creates MAC-IP bindings using the CAM table and DHCP sniffing; the source MAC - source IP binding IS NOT VALID]
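Both halves of this slide, detection and prevention, as an added example that is not code from the deck or from any switch vendor: an ARP Watch style observer that alerts when a known IP suddenly appears with a different sender MAC, and a switch-side guard that only forwards an ARP frame from an untrusted port if its sender MAC/IP pair is one that DHCP snooping recorded for that port. The frames replay the slide's table (Bob's valid request, then AJ's request carrying the gateway's IP); all MAC and IP addresses, port names and the trusted-uplink assumption are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    """The fields from the slide's ARP table, plus the switch port the frame came in on."""
    ingress_port: str
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpWatch:
    """Detection (ARP Watch style): record the MAC first seen for each IP and
    alert when a later frame claims that IP with a different MAC."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, pkt):
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = pkt.sender_mac
            return True
        if known != pkt.sender_mac:
            self.alerts.append((pkt.sender_ip, known, pkt.sender_mac))
            return False
        return True


class ArpGuard:
    """Prevention on the switch: DHCP snooping records (port, MAC, IP) for each lease
    it sees; an ARP frame on an untrusted port whose sender MAC/IP pair is not bound
    to that port is dropped (the slide's 'source MAC - source IP binding IS NOT VALID')."""

    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)   # uplinks towards the DHCP server / gateway
        self.bindings = {}                  # port -> {(mac, ip), ...}

    def dhcp_lease(self, port, mac, ip):
        self.bindings.setdefault(port, set()).add((mac, ip))

    def inspect(self, pkt):
        if pkt.ingress_port in self.trusted:
            return "forward"
        if (pkt.sender_mac, pkt.sender_ip) in self.bindings.get(pkt.ingress_port, ()):
            return "forward"
        return "drop"


# Constructed addresses for the three hosts on the slide plus the gateway.
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "192.168.1.1"
BOB_MAC, BOB_IP = "00:11:22:33:44:0b", "192.168.1.20"
ALICE_IP = "192.168.1.21"
AJ_MAC, AJ_IP = "00:11:22:33:44:aa", "192.168.1.30"
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # the gateway answering an earlier request: the real binding gets learned
    ArpPacket("Gi0/1", 2, GATEWAY_MAC, GATEWAY_IP, BOB_MAC, BOB_IP),
    # Bob's valid request for Alice (first row of the slide's table)
    ArpPacket("Fa0/2", 1, BOB_MAC, BOB_IP, ZERO_MAC, ALICE_IP),
    # AJ's request: his own MAC paired with the gateway's IP, aimed at an unused IP
    ArpPacket("Fa0/3", 1, AJ_MAC, GATEWAY_IP, ZERO_MAC, "192.168.1.250"),
]


def run_demo(frames=SAMPLE_FRAMES):
    """Run both mechanisms over the frames; returns the guard's per-frame decisions
    and the watcher's alerts as (ip, mac_first_seen, mac_now_claimed)."""
    guard = ArpGuard(trusted_ports=["Gi0/1"])
    guard.dhcp_lease("Fa0/2", BOB_MAC, BOB_IP)   # bindings DHCP snooping would have recorded
    guard.dhcp_lease("Fa0/3", AJ_MAC, AJ_IP)
    watch = ArpWatch()
    decisions = []
    for frame in frames:
        decisions.append(guard.inspect(frame))
        watch.observe(frame)
    return decisions, watch.alerts


if __name__ == "__main__":
    print(run_demo())
```

The watcher trusts whichever binding it sees first, so it must be started (or seeded) on a clean network; the guard does not have that weakness because its bindings come from the DHCP exchange on a trusted port, which is why the slide pairs DHCP snooping with ARP inspection for prevention rather than detection alone.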
-
New attacks
Social engineering
  Kevin Mitnick
Side-channel attacks
  timing attacks -> how long an operation takes to compute
  TEMPEST attacks -> based on electromagnetic waves
    Transmitted Electro-Magnetic Pulse
    Transient ElectroMagnetic Pulse Emanation Standard
    Tiny ElectroMagnetic Particles Emitting Secret Things
  acoustic attacks -> used since the 80s
  observation attacks -> tracking a user's eye movements through a telescope
-
Agenda
Network attacks
  DoS
  MiTM
  new attacks
Network equipment
  routers as security devices
  dedicated firewalls
  IPS/IDS
-
A router -> what can it do?
  Can a router modify layer 4 in the IP header?
  Can a router do layer 3 filtering in hardware?
  Can a router do encryption in hardware?
  Can a router act as a firewall?
  Can a router do layer 7 packet inspection?
    Better than Chuck Norris, right :D ?
  Can a router do intrusion prevention/detection?
-
What is a firewall?
Key word: connections
3 important functions
  traffic initiated from the Internet into the DMZ is allowed
  traffic initiated from the Internet into the LAN is not allowed
  traffic initiated from the DMZ into the LAN is not allowed
[figure: Internet (Untrusted) - firewall - Trusted; DMZ; policies: Private-Public, Public-DMZ, DMZ-Private, Private-DMZ]
-
Stateless firewall
ACLs: a stateless packet firewall
  permanently opens holes in the firewall
  Ex: access-list 101 permit tcp host 192.168.1.2 any eq www
-
Stateful firewall
  keeps track of the state of all its connections
  by default no connection from the outside to the inside is allowed, but return traffic is allowed
Disadvantages:
  FTP
[figure: Internet]
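The stateless and stateful slides side by side, as an added example that is neither the deck's code nor Cisco's IOS: a parser for the "access-list N permit|deny proto src [eq port] dst [eq port]" subset of IOS ACL syntax used on the slide (any, host, and wildcard-mask addresses), a stateless filter that applies it to every packet, and a stateful filter that applies it only to connections started from the inside and admits everything else only as return traffic of a known connection. The sample packets, the inside prefix, the second FTP rule and the "reverse hole" rule are constructed for the example; the FTP packet from server port 20 is the active-mode data connection the slide lists as the stateful disadvantage.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}   # the IOS port keywords used here


def _ip(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D wildcard-mask."""
    t = tokens.pop(0)
    if t == "any":
        return lambda ip: True
    if t == "host":
        h = tokens.pop(0)
        return lambda ip: ip == h
    net, wc = _ip(t), _ip(tokens.pop(0))
    return lambda ip: (_ip(ip) | wc) == (net | wc)   # wildcard bits set = don't care


def _port(tokens):
    """Consume an optional 'eq <port>' clause; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


@dataclass
class Rule:
    action: str
    proto: str
    src: object
    sport: int
    dst: object
    dport: int

    def matches(self, pkt):
        return (self.proto in ("ip", pkt.proto) and self.src(pkt.src) and self.dst(pkt.dst)
                and self.sport in (None, pkt.sport) and self.dport in (None, pkt.dport))


def parse_acl(lines):
    """Parse the 'access-list N permit|deny proto src [eq p] dst [eq p]' subset of IOS syntax."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue   # blank lines, comments, unrelated config
        action, proto, rest = t[2], t[3], t[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        rules.append(Rule(action, proto, src, sport, dst, dport))
    return rules


class StatelessFilter:
    """Every packet is judged on its own: first matching rule wins, implicit deny at the end."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt):
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "deny"


class StatefulFilter:
    """The ACL is consulted only for connections started from the inside; everything
    else passes only if it belongs to a connection already in the state table."""

    def __init__(self, rules, inside_prefix):
        self.policy = StatelessFilter(rules)
        self.inside = inside_prefix
        self.table = set()   # 5-tuples of permitted outbound connections

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "permit"                       # return traffic of a known connection
        if pkt.src.startswith(self.inside) and self.policy.decide(pkt) == "permit":
            self.table.add(fwd)                   # new outbound connection: remember it
            return "permit"
        return "deny"                             # unsolicited, whichever direction


# The slide's ACL line plus an FTP rule, and the reverse "hole" a stateless box needs for replies.
ACL = ["access-list 101 permit tcp host 192.168.1.2 any eq www",
       "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq ftp"]
REVERSE_HOLE = ["access-list 101 permit tcp any eq www host 192.168.1.2"]

# Constructed packets: web request and its reply, an unsolicited probe from source port 80,
# an FTP control connection, and the server-initiated active-mode data connection.
SAMPLE = [Packet("tcp", "192.168.1.2", 51000, "203.0.113.5", 80),
          Packet("tcp", "203.0.113.5", 80, "192.168.1.2", 51000),
          Packet("tcp", "203.0.113.5", 80, "192.168.1.2", 3389),
          Packet("tcp", "192.168.1.7", 52000, "203.0.113.9", 21),
          Packet("tcp", "203.0.113.9", 20, "192.168.1.7", 52001)]


def compare(packets=SAMPLE):
    """Decisions per packet for the three configurations, in the order of `packets`."""
    stateless = StatelessFilter(parse_acl(ACL))
    with_hole = StatelessFilter(parse_acl(ACL + REVERSE_HOLE))
    stateful = StatefulFilter(parse_acl(ACL), "192.168.1.")
    return {"stateless": [stateless.decide(p) for p in packets],
            "stateless_with_hole": [with_hole.decide(p) for p in packets],
            "stateful": [stateful.decide(p) for p in packets]}


if __name__ == "__main__":
    for name, decisions in compare().items():
        print("%-20s %s" % (name, decisions))
```

The plain ACL blocks the web reply; the only stateless fix is the reverse rule, which is the "permanent hole": it also lets in the unsolicited probe, because anything with source port 80 now matches. The stateful filter admits the reply without that rule and still drops the probe, but it also drops the active-mode FTP data connection, since the server opened it and no table entry matches, which is why the next slide brings in protocol-aware inspection.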
-
Cisco stateful firewall implementations
CBAC (Cisco)
  Context-based access control
  programmed to do layer 7 inspection of the control messages of certain protocols
  allows FTP
ZBF (Cisco)
  Zone based firewall
  Can do NBAR (Network Based Application Recognition)
    msn, bittorrent
-
Intrusion Detection/Prevention
IDS/IPS vs firewall?
  a firewall handles connections
  an IDS/IPS can:
    stop access to a URL that leads to malicious code
    stop the download of an infected resource
    ping scan/port scan
    stop the download of a resource containing the string "i can haz cheeseburger"
  in general: uses a database + adaptive learning to recognize various network attacks
-
Placing an IDS/IPS in the network
[figure, IDS: Switch, Sensor, Management Console, Target, steps 1-3 / IPS: Sensor, Management Console, Target, steps 1-4, Bit Bucket]
-
IDS-initiated shunning
  Only attacks built from a single packet will work
  The IDS sends the shun command to the firewall
    shun ip_source ip_destination
[figure: Switch, Management Console, Target; sensing interface, control interface]
-
Overview
DoS attacks
  ping flood
  smurf
  teardrop, TCP SYN flood (TCP Intercept)
side-channel & social engineering
Sniffing & MiTM
the router as a security device
firewall
IDS/IPS
-
References
www.infosyssec.com
www.sans.org
www.cisecurity.org
www.cert.org
www.isc2.org
www.first.org
www.infragard.net
www.mitre.org
www.cnss.gov