ROSEdu Tech Talks Prezentarea 05: Network Security


Transcript of ROSEdu Tech Talks Prezentarea 05: Network Security

  • 8/14/2019 ROSEdu Tech Talks Prezentarea 05: Network Security

    1/29

    2007 Cisco Systems, Inc. All rights reserved. Cisco PublicNew CCNA 307 1

    Network Security

    Bogdan Doinea

    [email protected]

  • Slide 2

    Agenda

    Network attacks
      DoS
      MiTM
      new attacks

    Network equipment
      routers as security devices
      dedicated firewalls
      IPS/IDS

  • Slide 3

    Network attacks

    Old (classic)
      DoS
        at operating-system level
        at network level
      Sniffing
      MiTM
      Brute force
      Physical

    New

  • Slide 4

    Denial of Service

    What kind of service? Any.

    At network level
      ping; complex ping: smurf attack

    At operating-system level
      Teardrop attack
      TCP SYN flood
      directly from the shell: opening named pipes, f(){ f|f& };f etc.
      buffer overflow
      teardrop

  • Slide 5

    Ping

    the Hello World of DoS attacks

    Ping of death
      packet > 65536 -> buffer overflow

    Ping flood
      1. DoS: computer to computer
      2. DDoS: exploit
      3. DDoS: no exploit

  • Slide 6

    Smurf attack

    Techniques used:
      spoofing -> DHCP snooping on the switch
      ip directed-broadcast -> disabled on the router

    Diagram: Attacker | Victim
      192.168.1.0 /24
      192.168.2.1 /24
      spoofed packet: source 192.168.2.1 | destination 192.168.1.255
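The two countermeasures this slide names, written as per-packet ingress checks, as an added example that is not from the talk and not Cisco IOS code. The networks 192.168.1.0/24 and the victim 192.168.2.1 are the slide's; the upstream network 203.0.113.0/24, the `Packet` record and the sample packets are constructed for the example.

```python
# Added example, not from the talk: the slide's two smurf countermeasures as ingress checks
# a router (or layer-3 switch) applies to every packet before forwarding it.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str   # connected network the packet arrived from, e.g. "203.0.113.0/24"
    src: str       # IP source address as written in the packet
    dst: str       # IP destination address


def ingress_verdict(pkt, connected, directed_broadcast=False):
    """Return [] if the packet may be forwarded, otherwise the list of drop reasons.

    connected: CIDR strings of the networks directly attached to this router.
    directed_broadcast: True models a router that still has 'ip directed-broadcast'
    enabled, False models the slide's recommendation (disabled).
    """
    reasons = []
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    ingress = ipaddress.ip_network(pkt.ingress)

    # 1. Source validation. The slide pairs 'spoofing' with DHCP snooping on the switch
    #    (IP Source Guard uses the snooping bindings); the same idea per router interface
    #    is: a packet entering from 'ingress' must carry a source address from it.
    if src not in ingress:
        reasons.append("spoofed-source")

    # 2. 'no ip directed-broadcast': never turn a routed unicast packet into a broadcast
    #    on a connected network (the slide's victim is hit through 192.168.1.255).
    if not directed_broadcast:
        for cidr in connected:
            net = ipaddress.ip_network(cidr)
            if dst == net.broadcast_address and dst not in ingress:
                reasons.append("directed-broadcast")
                break
    return reasons


CONNECTED = ["192.168.1.0/24", "192.168.2.0/24", "203.0.113.0/24"]

# Constructed packets: the smurf trigger (spoofed victim source, amplifier broadcast
# destination) and two ordinary packets for comparison.
SMURF = Packet("203.0.113.0/24", "192.168.2.1", "192.168.1.255")
NORMAL = Packet("203.0.113.0/24", "203.0.113.5", "192.168.1.10")
LOCAL_BCAST = Packet("192.168.1.0/24", "192.168.1.10", "192.168.1.255")  # stays on its own LAN

if __name__ == "__main__":
    for name, p in [("smurf", SMURF), ("normal", NORMAL), ("local-bcast", LOCAL_BCAST)]:
        print(name, ingress_verdict(p, CONNECTED) or "forward")
```

Without the second check every host on 192.168.1.0/24 answers the echo request, and every reply goes to the spoofed source, which is why the victim receives one reply per amplifier host for each packet the attacker sends.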

  • Slide 7

    Teardrop attack

    What is fragmentation?
      Sending a packet from a medium with a large MTU onto a medium with a smaller MTU
      Wireless
      MPLS

    Fields in the IP header are used: Don't Fragment (DF), More Fragments (MF), Fragment Offset.

    Teardrop = wrong pointers in Fragment Offset -> kernel panic
      Windows 95
      Linux 2.1.63

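An IPv4 fragment sanity check of the kind a reassembly buffer or an IDS runs before reassembling a datagram, as an added example that is not from the talk. It flags the two patterns the slides describe: a Fragment Offset pointing back inside data already received (the teardrop of slide 7) and a reassembled size above the IPv4 maximum (the ping of death of slide 5). The `Fragment` record and the sample datagrams are constructed for the example.

```python
# Added example, not from the talk: pre-reassembly checks on one datagram's fragments.
from dataclasses import dataclass

MAX_IPV4_DATAGRAM = 65535   # IPv4 Total Length is a 16-bit field


@dataclass(frozen=True)
class Fragment:
    ident: int        # Identification field, shared by all fragments of one datagram
    offset: int       # Fragment Offset field, in units of 8 bytes
    more: bool        # More Fragments (MF) flag
    payload_len: int  # bytes of data carried after the IP header


def check_fragments(frags):
    """Return the sorted list of problems in one datagram's fragments (empty = clean).

    'overlap'  - a fragment starts inside bytes already covered (teardrop pattern)
    'oversize' - the reassembled datagram would exceed 65535 bytes (ping-of-death pattern)
    'gap'      - bytes missing between fragments (incomplete, not necessarily hostile)
    'bad_mf'   - MF clear on a non-final fragment, or set on the final one
    """
    if not frags:
        return []
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments of different datagrams mixed together")
    findings = set()
    ordered = sorted(frags, key=lambda f: f.offset)
    covered_to = 0                        # first byte not yet covered by earlier fragments
    for i, f in enumerate(ordered):
        start = f.offset * 8
        end = start + f.payload_len
        if start < covered_to:
            findings.add("overlap")
        elif start > covered_to:
            findings.add("gap")
        covered_to = max(covered_to, end)
        if end > MAX_IPV4_DATAGRAM:
            findings.add("oversize")
        is_last = i == len(ordered) - 1
        if f.more == is_last:             # MF must be set on every fragment except the last
            findings.add("bad_mf")
    return sorted(findings)


# Constructed sample datagrams, not captures.
NORMAL = [Fragment(1, 0, True, 1480), Fragment(1, 185, False, 20)]     # 1500 bytes, clean
TEARDROP = [Fragment(2, 0, True, 36), Fragment(2, 3, False, 4)]        # 2nd lies inside the 1st
PING_OF_DEATH = [Fragment(3, i * 185, True, 1480) for i in range(44)] \
    + [Fragment(3, 44 * 185, False, 500)]                              # reassembles to 65620

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP), ("ping-of-death", PING_OF_DEATH)]:
        print(name, check_fragments(frags) or "clean")
```

The teardrop case is the one the slide's "wrong pointers in Fragment Offset" refers to: the second fragment's offset (3 x 8 = 24) lands inside the 36 bytes the first fragment already delivered, and a reassembly routine that subtracts the two without checking the sign ends up with a negative length.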

  • Slide 9

    ... actually Vista, but also 7

    SMB 2.0

    Full Disclosure mailing list -> 8 September 2009

    "SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. No user action is required."

    Windows Teardrop Attack Detection Software: via MS or a firewall?

  • Slide 10

    TCP SYN flood

    Denial of service at OS + network level

    Diagram: Attacker -> Server
      TCP SYN (IP x; port x)
      TCP SYN (IP y; port x)
      TCP SYN (IP x; port x)
      TCP SYN (IP x; port y)
      Server: SYN + ACK, SYN + ACK ... "No more open ports please", "enough already"

    Techniques used:
      spoofing -> DHCP snooping on the switch

  • Slide 11

    Preventing TCP SYN flood

    TCP Intercept
      Used on the router
      Establishes a TCP connection on behalf of the server towards the client
      Establishes a TCP connection on behalf of the client towards the server
      Establishes the end-to-end session only if it receives the ACK

    Diagram (client <-> firewall <-> server):
      1. SYN   2. SYN + ACK   3. ACK   (client and firewall)
      4. SYN   5. SYN + ACK   6. ACK   (firewall and server)
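A model of the six-step exchange on this slide, as an added example that is not from the talk and not Cisco's TCP Intercept implementation. The router answers the client's SYN itself (steps 1-3) and opens the server-side connection (steps 4-6) only after the client's ACK has proved the source address is real, so the spoofed SYNs of the previous slide never create half-open state on the server. The `max_pending` limit (shed the oldest half-open entry when the table is full), the `TcpIntercept` class and the addresses are assumptions made for the example.

```python
# Added example, not from the talk: a minimal model of TCP Intercept on a router.
from collections import OrderedDict


class TcpIntercept:
    def __init__(self, max_pending=1000):
        self.max_pending = max_pending
        self.pending = OrderedDict()  # (client_ip, port) answered with SYN+ACK, awaiting ACK
        self.to_server = set()        # sessions for which the router has sent a SYN to the server
        self.established = set()      # end-to-end sessions after step 6
        self.sent = []                # (direction, session, flags) the router emitted

    def from_client(self, ip, port, flags):
        key = (ip, port)
        if flags == "SYN":                                   # step 1
            if key not in self.pending and len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)             # shed the oldest half-open entry
            self.pending[key] = True
            self.sent.append(("to-client", key, "SYN+ACK"))  # step 2, on the server's behalf
        elif flags == "ACK" and key in self.pending:         # step 3: the client is reachable
            del self.pending[key]
            self.to_server.add(key)
            self.sent.append(("to-server", key, "SYN"))      # step 4, on the client's behalf

    def from_server(self, key, flags):
        if flags == "SYN+ACK" and key in self.to_server:     # step 5
            self.to_server.discard(key)
            self.sent.append(("to-server", key, "ACK"))      # step 6
            self.established.add(key)                        # end-to-end session now exists

    def server_syns_sent(self):
        """How many half-open connections the server was ever asked to hold."""
        return sum(1 for d, _, f in self.sent if d == "to-server" and f == "SYN")


def flood_scenario(n_spoofed=5000):
    """Constructed scenario: spoofed SYNs that never ACK, then one genuine client."""
    router = TcpIntercept(max_pending=1000)
    for i in range(n_spoofed):                               # sources that never answer
        router.from_client(f"10.0.{(i >> 8) & 255}.{i & 255}", 40000, "SYN")
    client = ("192.0.2.10", 51234)
    router.from_client(*client, "SYN")
    router.from_client(*client, "ACK")
    router.from_server(client, "SYN+ACK")
    return router


if __name__ == "__main__":
    r = flood_scenario()
    print("SYNs the server saw:", r.server_syns_sent())
    print("half-open entries held by the router:", len(r.pending))
    print("established:", r.established)
```

The cost of the flood moves from the server to the router's bounded `pending` table, which is the point of the slide: the server only ever sees a SYN for a client that completed step 3.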

  • Slide 12

    Buffer overflow

    Diagram of the stack (the stack grows downward; strings grow upward):
      top of the stack
      malicious code
      return address
      local variables
      buffer

    Prevention and detection
      PaX patch for the Linux kernel
        data memory marked non-executable
        code memory marked non-writable
      Stack Guard, Stack Smashing Protection, canary value

  • Slide 13

    Physical attacks?

  • Slide 14

    Physical attacks?

    Disaster recovery and backups (GLB)
      Cold site
      Warm site
      Hot site

  • Slide 15

    Sniffing

    != capture

    The act of capturing traffic that is not destined for you

    Is it legal? yes / no
    How can it be done? yes / no

    In the glorious days -> hubs!! :-x
    In the almost_as_glorious days ?-> MiTM

  • Slide 16

    Man in the Middle

    Hosts: Bob, Alice, AJ

    Valid ARP request (Bob asks for Alice):

      MAC dest       | MAC src | Type   | Op code | MAC src | IP src | MAC dest       | IP dest
      FFFF:FFFF:FFFF | MAC Bob | 0x0806 | 1       | MAC Bob | IP Bob | 0000:0000:0000 | IP Alice

    ARP request made by AJ:

      MAC dest       | MAC src | Type   | Op code | MAC src | IP src     | MAC dest       | IP dest
      FFFF:FFFF:FFFF | MAC AJ  | 0x0806 | 1       | MAC AJ  | IP Gateway | 0000:0000:0000 | nonexistent IP

    Target MAC: Unknown

  • Slide 17

    MiTM detection/prevention

    How can we detect MiTM?
      easy: the ARP packet reaches everybody
      ARP Watch

    How can we prevent MiTM?
      hard
      encrypting the traffic (on a local network??)
      DHCP snooping + ARP Guard
        DHCPlease
        MiTM ARP Request
        creates MAC-IP bindings using the CAM table and DHCP sniffing
        the source MAC - source IP binding IS NOT VALID
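The two defences this slide names, run over constructed ARP frames, as an added example that is not from the talk and not any vendor's implementation. `ArpWatch` does what the slide's "ARP Watch" detection does (learn IP-to-MAC from every broadcast ARP and report a change); `arp_inspect` does what "DHCP snooping + ARP Guard" does (drop an ARP frame whose sender MAC-IP pair is not in the DHCP snooping binding table). Bob, Alice, AJ and "IP Gateway" are the slide's names; the MAC addresses (documentation range 00:00:5e:00:53:xx), the IPs and the binding table are constructed.

```python
# Added example, not from the talk: arpwatch-style change detection and Dynamic ARP
# Inspection against a DHCP snooping binding table, over constructed frames.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str      # Ethernet source MAC
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_ip: str    # ARP target protocol address


# DHCP snooping binding table (constructed): IP -> MAC that actually leased it. The gateway
# entry is a static binding an administrator enters, since the gateway never uses DHCP.
BINDINGS = {
    "192.168.1.1": "00:00:5e:00:53:01",   # gateway
    "192.168.1.10": "00:00:5e:00:53:0b",  # Bob
    "192.168.1.11": "00:00:5e:00:53:0a",  # Alice
    "192.168.1.66": "00:00:5e:00:53:aa",  # AJ
}


def arp_inspect(frame, bindings):
    """Dynamic ARP Inspection verdict for one frame: 'permit' or a drop reason."""
    if frame.eth_src != frame.sender_mac:
        return "drop: Ethernet source differs from ARP sender MAC"
    expected = bindings.get(frame.sender_ip)
    if expected is None:
        return "drop: sender IP has no DHCP snooping binding"
    if expected != frame.sender_mac:
        return "drop: sender MAC-IP binding is not valid"
    return "permit"


class ArpWatch:
    """Learns IP->MAC from every ARP frame on the segment and reports when a mapping changes."""
    def __init__(self):
        self.table = {}
        self.alerts = []   # (ip, old_mac, new_mac)

    def observe(self, frame):
        known = self.table.get(frame.sender_ip)
        if known is not None and known != frame.sender_mac:
            self.alerts.append((frame.sender_ip, known, frame.sender_mac))
        self.table[frame.sender_ip] = frame.sender_mac


# Constructed frames: Bob's valid request for Alice (the slide's first table), the gateway
# answering normally, then AJ's request claiming the gateway's IP (the slide's second table).
BOB_REQUEST = ArpFrame("00:00:5e:00:53:0b", 1, "00:00:5e:00:53:0b", "192.168.1.10", "192.168.1.11")
GATEWAY_REPLY = ArpFrame("00:00:5e:00:53:01", 2, "00:00:5e:00:53:01", "192.168.1.1", "192.168.1.10")
AJ_POISON = ArpFrame("00:00:5e:00:53:aa", 1, "00:00:5e:00:53:aa", "192.168.1.1", "192.168.1.250")


def run_sample():
    """Return (DAI verdict per frame, arpwatch alerts) for the constructed frames."""
    watch = ArpWatch()
    verdicts = []
    for frame in (BOB_REQUEST, GATEWAY_REPLY, AJ_POISON):
        watch.observe(frame)                     # a passive watcher sees every broadcast ARP
        verdicts.append(arp_inspect(frame, BINDINGS))
    return verdicts, watch.alerts


if __name__ == "__main__":
    verdicts, alerts = run_sample()
    print(verdicts)
    print(alerts)
```

The two tools differ in where they sit: `ArpWatch` only observes and alerts after the poisoned request has already reached every host, while `arp_inspect` runs on the access switch and drops the frame before it is flooded, which is why the slide lists the first under detection and the second under prevention.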

  • Slide 18

    New attacks

    Social engineering
      Kevin Mitnick

    Side-channel attacks
      timing attacks -> how long an operation takes to compute
      TEMPEST attacks -> based on electromagnetic waves
        Transmitted Electro-Magnetic Pulse
        Transient ElectroMagnetic Pulse Emanation Standard
        Tiny ElectroMagnetic Particles Emitting Secret Things
      acoustic attacks -> used since the 80s
      observation attacks -> tracking a user's eye movements through a telescope

  • Slide 19

    Agenda

    Network attacks
      DoS
      MiTM
      new attacks

    Network equipment
      routers as security devices
      dedicated firewalls
      IPS/IDS

  • Slide 20

    A router -> what can it do?

    Can a router modify layer 4 in the IP header?
    Can a router do layer-3 filtering in hardware?
    Can a router do encryption in hardware?
    Can a router act as a firewall?
    Can a router do layer-7 packet inspection?
      Better than Chuck Norris, right :D ?
    Can a router do intrusion prevention/detection?

  • Slide 21

    What is a firewall?

    The key word: connections

    3 important functions
      traffic initiated from the Internet into the DMZ is allowed
      traffic initiated from the Internet into the LAN is not allowed
      traffic initiated from the DMZ into the LAN is not allowed

    Diagram: Internet (Untrusted) | firewall | Trusted (Private), with a DMZ off the firewall
      policies: Private-Public, Public-DMZ, DMZ-Private, Private-DMZ

  • Slide 22

    Stateless firewall

    ACLs: stateless packet firewall
      permanently opening holes in the firewall
      Ex: access-list 101 permit tcp host 192.168.1.2 any eq www

  • Slide 23

    Stateful firewall

    keeps the state of all its connections
    by default no connection from outside to inside is allowed, but return traffic is allowed

    Disadvantages:
      FTP

    Diagram: Internet
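A model that puts the previous slide's stateless ACL next to a stateful filter, as an added example that is not from the talk and not Cisco IOS code. `parse_acl` accepts the one-line syntax of the slide's `access-list 101 permit tcp host 192.168.1.2 any eq www` (only `host`/`any` addresses and an optional `eq <port>` after either address); `StatefulFirewall` admits inside-initiated TCP sessions plus their return traffic and nothing else, which also reproduces the FTP disadvantage this slide lists. The inside network 192.168.1.0/24, the server 203.0.113.7 and the traffic are constructed.

```python
# Added example, not from the talk: stateless ACL matching versus connection tracking.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Seg:
    """Summary of one TCP segment."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first segment of a connection


def parse_acl(line):
    """Parse 'access-list N permit|deny tcp <src> [eq P] <dst> [eq P]' (host/any only)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError("only 'access-list N action tcp ...' is modelled")
    pos = 4

    def address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None                      # None = wildcard
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError("only 'host A.B.C.D' and 'any' are modelled")

    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return PORT_NAMES.get(tok[pos - 1]) or int(tok[pos - 1])
        return None

    src, sport = address(), port()
    dst, dport = address(), port()
    return {"action": tok[2], "src": src, "sport": sport, "dst": dst, "dport": dport}


def stateless_permit(rules, seg):
    """First matching ACL entry decides; an unmatched segment hits the implicit deny."""
    for r in rules:
        if (r["src"] in (None, seg.src) and r["sport"] in (None, seg.sport)
                and r["dst"] in (None, seg.dst) and r["dport"] in (None, seg.dport)):
            return r["action"] == "permit"
    return False


class StatefulFirewall:
    def __init__(self, inside_cidr):
        self.inside = ipaddress.ip_network(inside_cidr)
        self.conns = set()   # (src, sport, dst, dport) of sessions initiated from inside

    def permit(self, seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if ipaddress.ip_address(seg.src) in self.inside:
            if seg.syn:
                self.conns.add(fwd)          # inside may open anything outward
            return seg.syn or fwd in self.conns
        return rev in self.conns             # outside traffic only as a reply to a tracked session


def compare():
    """Constructed traffic through both models; returns {name: (stateless, stateful)}."""
    rules = [parse_acl("access-list 101 permit tcp host 192.168.1.2 any eq www"),
             # the permanent hole a stateless design needs so that web replies get back in
             parse_acl("access-list 101 permit tcp any eq www any")]
    fw = StatefulFirewall("192.168.1.0/24")
    traffic = [
        ("web-request", Seg("192.168.1.2", 50000, "203.0.113.7", 80, syn=True)),
        ("web-reply", Seg("203.0.113.7", 80, "192.168.1.2", 50000)),
        ("probe-from-port-80", Seg("203.0.113.7", 80, "192.168.1.3", 50000, syn=True)),
        ("ftp-control", Seg("192.168.1.2", 50001, "203.0.113.7", 21, syn=True)),
        ("ftp-active-data", Seg("203.0.113.7", 20, "192.168.1.2", 50002, syn=True)),
    ]
    return {name: (stateless_permit(rules, s), fw.permit(s)) for name, s in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:20} stateless={stateless!s:5} stateful={stateful}")
```

The `probe-from-port-80` row is the slide's "permanently open hole": the stateless ACL has to let any segment with source port 80 in, so an outsider who sets that source port gets through, while the stateful filter rejects it because no inside host initiated that session. The `ftp-active-data` row is the disadvantage this slide lists: the server opens the data connection from port 20, nothing inside initiated it, so plain connection tracking blocks it, which is what the layer-7 inspection on the next slide addresses.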

  • Slide 24

    Cisco stateful firewall implementations

    CBAC (Cisco)
      Context-based access control
      programmed to do layer-7 inspection in the control messages of some protocols
      allows FTP

    ZBF (Cisco)
      Zone based firewall
      can do NBAR (Network Based Application Recognition)
        msn, bittorrent

  • Slide 25

    Intrusion Detection/Prevention

    IDS/IPS vs firewall?
      a firewall deals with connections
      an IDS/IPS can:
        stop access to a URL that leads to malicious code
        stop the download of an infected resource
        ping scan/port scan
        stop the download of a resource containing the string "i can haz cheeseburger"

    In general: uses a database + adaptive learning to recognise different network attacks

  • Slide 26

    Placing an IDS/IPS in the network

    Diagram (IDS vs IPS):
      IDS: Switch, Sensor (off the switch), Management Console; steps 1, 2, 3; Target
      IPS: Sensor (inline), Management Console; steps 1, 2, 3; Target; step 4: Bit Bucket

  • Slide 27

    IDS-initiated shunning

    Only attacks built from a single packet will still work

    The IDS sends the shun command to the firewall:
      shun ip_source ip_destination

    Diagram: Switch, Management Console, Target; sensing interface, control interface
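Two of the detections the IDS/IPS slide (slide 25) lists, run over constructed events, followed by the `shun ip_source ip_destination` command that this slide shows the IDS sending to the firewall, as an added example that is not from the talk and not a Cisco sensor. Content inspection finds a payload containing the slide's string; port-scan detection counts distinct destination ports per source and destination in a time window. The `Sensor` class, the scan threshold and the window are assumptions made for the example.

```python
# Added example, not from the talk: signature and port-scan detection with IDS-initiated
# shunning, over constructed events.
from collections import defaultdict
from dataclasses import dataclass

SIGNATURES = {"cheeseburger-string": b"i can haz cheeseburger"}   # the slide's string


@dataclass(frozen=True)
class Event:
    ts: float        # seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""


class Sensor:
    def __init__(self, scan_ports=10, window=5.0):
        self.scan_ports = scan_ports          # distinct ports per (src, dst) that count as a scan
        self.window = window                  # seconds over which ports are remembered
        self.ports_seen = defaultdict(dict)   # (src, dst) -> {dport: last_ts}
        self.alerts = []                      # (signature name, src, dst), deduplicated
        self.shun_commands = []               # what the IDS would send to the firewall

    def inspect(self, ev):
        # Content inspection: the slide's "stop the download of a resource containing the string".
        body = ev.payload.lower()
        for name, pattern in SIGNATURES.items():
            if pattern in body:
                self._alert(name, ev)
        # Port-scan detection: many distinct destination ports from one source in a short window.
        seen = self.ports_seen[(ev.src, ev.dst)]
        seen[ev.dport] = ev.ts
        for port, ts in list(seen.items()):
            if ev.ts - ts > self.window:
                del seen[port]
        if len(seen) >= self.scan_ports:
            self._alert("port-scan", ev)

    def _alert(self, name, ev):
        key = (name, ev.src, ev.dst)
        if key in self.alerts:
            return
        self.alerts.append(key)
        cmd = f"shun {ev.src} {ev.dst}"       # the slide's: shun ip_source ip_destination
        if cmd not in self.shun_commands:
            self.shun_commands.append(cmd)


def run_sample():
    """Constructed events: a scan of 12 ports, one ordinary request, one signature hit."""
    sensor = Sensor()
    events = [Event(0.1 * p, "198.51.100.9", "192.168.1.20", p) for p in range(1, 13)]
    events.append(Event(2.0, "203.0.113.5", "192.168.1.20", 80, b"GET /index.html HTTP/1.1"))
    events.append(Event(3.0, "198.51.100.7", "192.168.1.21", 80,
                        b"HTTP/1.1 200 OK\r\n\r\nI CAN HAZ CHEESEBURGER"))
    for ev in events:
        sensor.inspect(ev)
    return sensor


if __name__ == "__main__":
    s = run_sample()
    print(s.alerts)
    print(s.shun_commands)
```

The shun is only installed after the sensor has classified a packet that the firewall has already forwarded, which is why the slide notes that an attack carried in a single packet still gets through; the scan above is stopped from its tenth probe onward, not from the first.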

  • Slide 28

    Overview

    DoS attacks
      ping flood
      smurf
      teardrop, TCP SYN flood (TCP Intercept)
    side-channel & social engineering
    Sniffing & MiTM
    the router as a security device
    firewall
    IDS/IPS
