TNW 2023 COMPUTER NETWORK CHAPTER 14 NETWORK SECURITY Aidid Ya’kob Syahrizan Syakir Nurul Huda

Chapter 14 Network Security - Computer Network

Apr 05, 2015

Chapter 14 Network Security - Computer Network Presentation [DCSN] KPTMAS
Transcript
Page 1: Chapter 14 Network Security - Computer Network

TNW 2023 COMPUTER NETWORK

CHAPTER 14 NETWORK SECURITY

Aidid Ya’kob, Syahrizan Syakir, Nurul Huda

Page 2

NETWORK SECURITY

Introduction

Security Threats
• Structured Threats
• Unstructured Threats
• Internal Threats
• External Threats

Examples of Attacks
• Network Reconnaissance
• Packet Sniffing
• Man-in-the-Middle Attacks
• IP Spoofing
• DoS

Network Security Methodology

Page 3

INTRODUCTION TO THREATS

“Possibility or potential to cause harm”

Page 4

TECHNIQUES FOR DETECTING ATTACKS
• Device logs
• Intrusion Detection System (IDS)
• Human diligence

Page 5

Device logs

This figure shows a log from a MikroTik router, viewed in the WinBox application. The router had been subjected to repeated access attempts (failed logins).

Page 6

Device logs

By analyzing device logs we can learn the attacker's method of operation and identify the early signs of an attack.

The entries shown are repeated login failures for many different usernames, all from one source address and all against the SSH service. That pattern identifies the attack as a dictionary attack on SSH.
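The analysis described above can be automated. The following is an added example, not code from the original slides: it parses router log lines and flags a source that produces a burst of login failures against one service. The log lines are constructed for the example in the style of a RouterOS system log as seen in WinBox (time, topics, message); the message wording "login failure for user ... via ssh" is assumed, so adjust the regular expression to your router's exact format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from the slides), RouterOS-style:
# "<time> <topics> <message>"
SAMPLE_LOG = """\
13:02:01 system,error,critical login failure for user root from 203.0.113.7 via ssh
13:02:03 system,error,critical login failure for user admin from 203.0.113.7 via ssh
13:02:04 system,error,critical login failure for user test from 203.0.113.7 via ssh
13:02:06 system,error,critical login failure for user oracle from 203.0.113.7 via ssh
13:02:07 system,error,critical login failure for user ubuntu from 203.0.113.7 via ssh
13:02:09 system,error,critical login failure for user pi from 203.0.113.7 via ssh
13:05:30 system,error,critical login failure for user admin from 192.168.88.10 via winbox
13:05:45 system,info,account user admin logged in from 192.168.88.10 via winbox
"""

# Assumed message format; the field names are ours, not RouterOS's.
LOGIN_FAILURE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \S+ login failure for user (?P<user>\S+) "
    r"from (?P<src>[\d.]+) via (?P<service>\w+)$"
)


def parse_failures(text):
    """Return (time, source_ip, username, service) for every login-failure line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILURE.match(line)
        if m:
            t = datetime.strptime(m["time"], "%H:%M:%S")
            events.append((t, m["src"], m["user"], m["service"]))
    return events


def detect_dictionary_attacks(events, window=timedelta(seconds=60), threshold=5):
    """Group failures by (source, service) and flag a source that produces at
    least `threshold` failures inside a sliding time window. Many distinct
    usernames from one source in a short burst is the dictionary-attack signature;
    a single user mistyping a password a couple of times should not trip it."""
    by_src = defaultdict(list)
    for t, src, user, svc in sorted(events):
        by_src[(src, svc)].append((t, user))

    alerts = {}
    for (src, svc), attempts in by_src.items():
        for i in range(len(attempts)):
            start = attempts[i][0]
            burst = [a for a in attempts[i:] if a[0] - start <= window]
            if len(burst) >= threshold:
                alerts[(src, svc)] = {
                    "attempts": len(burst),
                    "usernames": {u for _, u in burst},
                }
                break
    return alerts


if __name__ == "__main__":
    for (src, svc), info in detect_dictionary_attacks(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT dictionary attack on {svc} from {src}: "
              f"{info['attempts']} failures, users {sorted(info['usernames'])}")
```

The single WinBox failure from 192.168.88.10 followed by a successful login is not flagged; only the SSH source that cycles through six usernames in eight seconds is. In practice the alert would feed a firewall address list so that the source is blocked automatically.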

Page 7

IDS

An IDS recognizes patterns of activity (signatures) that match known attacks. Because signature-based detection only matches attacks it already has signatures for, the signature set must be kept up to date, and new or modified attacks can slip past it.

Two types of IDS:
• NIDS (network-based)
• HIDS (host-based)

Page 8

IDS

NIDS (Network-Based Intrusion Detection System): a sensor placed on the network that inspects the traffic passing between hosts.

HIDS (Host-Based Intrusion Detection System): unlike a NIDS, a host-based intrusion detection system resides on the machine itself and inspects that host's own logs and activity.

Page 9

SYSTEM LOGS

Reviewing operating system logs by hand is daunting; it may take you the whole day to analyze them manually.

Page 10

NIDS

Example of a NIDS application; viewing the logs through a summarized report is much easier than reading the raw log.

Page 11

HIDS

This is an example of a subscription service that supplies preprogrammed patterns (rules) to the OSSEC HIDS, so that logs are reviewed against current attack patterns.

Page 12

COMBINATION OF IDS

Log-based intrusion detection (LIDS), host-based intrusion detection (HIDS) and network-based intrusion detection (NIDS), combined with a Security Information Management (SIM) tool (today more often called a SIEM), bring all of this security information into one place and greatly ease security monitoring work.

Page 13

EXAMPLE OF HIDS ALARM

Page 14

HUMAN DILIGENCE

Human diligence is also necessary to thwart new attacks, alongside the technological effort of IDSs. Subscribing to mailing lists and checking security sites must be a daily routine. Common sources of security information are: Bugtraq (http://www.securityfocus.com), CERT (http://www.cert.org) and SANS (http://www.sans.org).

Page 15

SECURITY THREATS

Networks are subject to a wide variety of attacks, including privilege escalation, access attempts and many others. All of these attacks are network threats and can be categorized along two axes: Structured vs. Unstructured, and Internal vs. External.

Using these classifications helps to better understand the threats themselves and how to deal with them.

Page 16

STRUCTURED THREATS

• Attackers who mount structured threats are highly motivated and technically competent.
• They act alone or in small groups to understand, develop and use sophisticated hacking techniques to bypass security measures and penetrate unsuspecting enterprises.
• They are involved in the major fraud and theft cases reported to law enforcement agencies.
• They may be hired by organized crime, industry competitors or state-sponsored intelligence-collection organizations.
• Some structured attackers are hacktivists: hackers motivated by seeking a venue to express their political point of view.
• Structured threats represent the greatest danger to an organization or enterprise.

Page 17

UNSTRUCTURED THREATS

• Unstructured threats consist primarily of random individuals using common tools such as malicious shell scripts, password crackers, credit card number generators and dialer daemons.
• If the security of the network is too strong for them to gain access, they may fall back on DoS as a last resort to save face.
• Rarely are the individuals in this category anything more than what is commonly termed a script kiddie.
• These attempts represent the bulk of Internet-based attacks.

Page 18

INTERNAL THREATS

• Internal threats typically come from disgruntled former or current employees.
• They can be structured or unstructured.
• Structured internal threats represent an extreme danger to the enterprise network because the attacker already has access to the network.
• Although internal threats may seem more ominous than threats from external sources, security measures are available for mitigating them and for responding when an attack occurs.

Page 19

EXTERNAL THREATS

• Consist of structured and unstructured threats originating from external sources.
• Can have malicious and destructive intent, such as denial of service (DoS), distributed denial of service (DDoS) or data theft.
• Can also simply be errors that generate unexpected network behaviour, such as a misconfiguration of the enterprise's Domain Name System (DNS) that results in e-mail being delayed or returned to sender.

Page 20

EXAMPLES OF NETWORK ATTACKS

• Network Reconnaissance
• Packet Sniffing
• Man-in-the-Middle Attacks
• IP Spoofing
• DoS (Denial of Service)

Page 21

NETWORK RECONNAISSANCE

• Refers to learning information about a target network using publicly available information and applications such as Domain Name System (DNS) queries, ping sweeps and port scans.
• IDSs at the network and host levels can usually notify an administrator when a reconnaissance attack is under way.
• This allows the administrator to better prepare for the coming attack, or to notify the ISP hosting the system that is launching the reconnaissance.
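The two reconnaissance techniques named above, ping sweeps and port scans, leave a distinctive footprint in a firewall's connection log: one source touching many hosts, or one source touching many ports on one host. The following is an added example, not code from the original slides, showing the detection logic an IDS applies to such a log. The log lines and the "time src dst proto dport" format are constructed for the example; the thresholds are tuning assumptions.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed firewall 'new connection' log for the example (not from the
    slides). One line per flow: "time src dst proto dport"."""
    lines = []
    scanner = "198.51.100.9"
    # Ping sweep: ICMP echo requests to 12 consecutive hosts in the target subnet.
    for i in range(10, 22):
        lines.append(f"09:00:{i - 10:02d} {scanner} 192.168.1.{i} icmp 0")
    # Port scan: TCP SYN to 12 well-known ports on one of those hosts.
    for n, port in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389)):
        lines.append(f"09:01:{n:02d} {scanner} 192.168.1.10 tcp {port}")
    # Legitimate traffic: a workstation talking to the web server.
    lines.append("09:10:00 192.168.1.50 192.168.1.10 tcp 443")
    lines.append("09:10:01 192.168.1.50 192.168.1.10 tcp 443")
    return "\n".join(lines)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append((ts, src, dst, proto, int(dport)))
    return flows


def detect_recon(flows, host_threshold=8, port_threshold=10):
    """Flag a source that touches many distinct hosts (sweep) or many distinct
    TCP/UDP ports on one host (port scan). Thresholds are assumptions: set them
    too low and backup servers or monitoring hosts become false positives."""
    hosts_per_src = defaultdict(set)
    ports_per_pair = defaultdict(set)
    for _, src, dst, proto, dport in flows:
        hosts_per_src[src].add(dst)
        if proto in ("tcp", "udp"):
            ports_per_pair[(src, dst)].add(dport)

    findings = []
    for src, dsts in hosts_per_src.items():
        if len(dsts) >= host_threshold:
            findings.append({"type": "sweep", "src": src, "hosts": len(dsts)})
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            findings.append({"type": "portscan", "src": src, "dst": dst, "ports": len(ports)})
    return findings


if __name__ == "__main__":
    for f in detect_recon(parse_flows(build_sample_flows())):
        print("ALERT", f)
```

Counting distinct hosts and distinct ports, rather than raw packet counts, is what separates a scan from a busy but legitimate client: the workstation above sends two connections to one port and is not reported.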

Page 22

PACKET SNIFFING

• Useful network tools can become threats in the hands of an attacker.
• Packet sniffing is an example of how someone can exploit a tool that captures all packets on the physical wire (promiscuous mode).
• A packet sniffer is a common tool for traffic analysis and troubleshooting; it captures and decodes packets.
• Packet sniffers can be used to capture and inspect all unencrypted data (clear text), including passwords sent by protocols such as Telnet, FTP and POP3.
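To make concrete what "capture and decode" means, here is an added example, not code from the original slides, that does what a sniffer does once it has a frame in hand: walk the Ethernet, IPv4 and TCP headers and pull out the clear-text payload. The frames are constructed in the block itself (checksums left at zero, since nothing validates them here); the FTP login inside them is invented for the example.

```python
import struct


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame carrying `payload`.
    Constructed for the example; checksums are left as zero."""
    eth = (b"\x00\x0c\x29\xaa\xbb\xcc"          # destination MAC (made up)
           + b"\x00\x50\x56\x11\x22\x33"        # source MAC (made up)
           + struct.pack("!H", 0x0800))         # EtherType IPv4
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode_frame(frame):
    """What a sniffer in promiscuous mode does with every frame on the wire:
    parse the headers and hand back the TCP payload. Returns None for non-IPv4
    or non-TCP frames."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ip[9] != 6:                        # protocol field: 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4         # TCP header length in bytes
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport,
        "payload": tcp[data_off:],
    }


def extract_credentials(frames):
    """Scan decoded payloads for FTP/POP3-style login commands sent in clear text."""
    creds = []
    for frame in frames:
        d = decode_frame(frame)
        if d is None:
            continue
        for line in d["payload"].decode("ascii", "replace").splitlines():
            if line.startswith(("USER ", "PASS ")):
                creds.append((d["src"], d["dst"], d["dport"], line))
    return creds


def sample_capture():
    """Three constructed frames: an FTP login in clear text, then a TLS record."""
    return [
        build_frame("192.168.1.20", "192.168.1.5", 51000, 21, b"USER alice\r\n"),
        build_frame("192.168.1.20", "192.168.1.5", 51000, 21, b"PASS hunter2\r\n"),
        build_frame("192.168.1.20", "192.168.1.5", 51001, 443, b"\x16\x03\x01\x00\x05hello"),
    ]


if __name__ == "__main__":
    for src, dst, port, line in extract_credentials(sample_capture()):
        print(f"{src} -> {dst}:{port}  {line}")
```

The TLS frame on port 443 yields nothing useful to the attacker even though it is captured just the same, which is the point of the "Cryptography" countermeasure on the next slide.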

Page 23

PACKET SNIFFING (CONTINUED)

Some ways to prevent packet-sniffing attacks:

• Authentication: methods such as two-factor authentication, used together with one-time passwords, so that a captured password cannot be reused.
• Cryptography: the most common and effective method of securing data against a sniffer, because it scrambles the clear text.
• Segmenting: segmenting the network using switches can help to localize sniffer activity, since a switch forwards a frame only to the port of its destination; note that ARP spoofing on the same segment can defeat this.

Page 24

MAN-IN-THE-MIDDLE ATTACK

• By using packet sniffers or similar products, it is possible to capture information as it is transferred from one network to another.
• Requires access to the network media or to devices between the source and destination.
• Wireless LANs are especially susceptible to this kind of attack.
• The attacker uses the captured information to launch further attacks, for example denying service or corrupting stored data.
• Use strong encryption so that if packets are sniffed, they are useless to the attacker.
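On a LAN the usual way an attacker gets "between the source and destination" without touching cabling is to poison the ARP caches of the victims so that the gateway's IP address resolves to the attacker's MAC. The following is an added example, not code from the original slides, of the check a host-based tool can run over its own ARP cache to spot that. The ARP table and all MAC addresses are constructed for the example, and the gateway address is an assumption.

```python
from collections import defaultdict

# Constructed ARP cache of a workstation on 192.168.1.0/24 (not from the slides),
# reduced to "ip mac" per line. 192.168.1.1 is assumed to be the default gateway.
# Here 192.168.1.66 has poisoned the cache: the gateway entry shows its MAC.
SAMPLE_ARP_TABLE = """\
192.168.1.1   08:00:27:de:ad:01
192.168.1.10  00:0c:29:aa:bb:cc
192.168.1.50  3c:52:82:12:34:56
192.168.1.66  08:00:27:de:ad:01
"""


def parse_arp_table(text):
    """Return {ip: mac} from "ip mac ..." lines; extra columns are ignored."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[parts[0]] = parts[1].lower()
    return table


def detect_arp_spoofing(table, gateway_ip, known_gateway_mac=None):
    """Two indicators of ARP-cache poisoning used for a man-in-the-middle:
    (1) the gateway IP resolves to a MAC that also claims another IP on the LAN;
    (2) the gateway MAC differs from a baseline recorded on a known-good day.
    Returns a list of human-readable alerts (empty when nothing is suspicious)."""
    alerts = []
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)

    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return alerts                       # gateway not in cache yet; nothing to judge
    others = [ip for ip in ips_by_mac[gw_mac] if ip != gateway_ip]
    if others:
        alerts.append(f"gateway {gateway_ip} shares MAC {gw_mac} with {', '.join(others)}")
    if known_gateway_mac and gw_mac != known_gateway_mac.lower():
        alerts.append(f"gateway {gateway_ip} MAC changed from "
                      f"{known_gateway_mac.lower()} to {gw_mac}")
    return alerts


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for alert in detect_arp_spoofing(table, "192.168.1.1", "00:1a:2b:3c:4d:5e"):
        print("ALERT", alert)
```

Indicator (1) has legitimate exceptions (a host that owns several addresses, or a redundancy protocol such as VRRP), so the baseline check in (2) is the stronger signal; either way the fix named on the slide still applies, since a poisoned path only yields useful data if the traffic over it is unencrypted.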

Page 25

Page 26

IP SPOOFING

• A technique in which the attacker sends packets whose source IP address has been modified to match that of a trusted host.
• Also used to disguise the source of packets launched as part of a DoS attack.
• There are two ways to prevent IP spoofing:
  • Authentication: do not grant access to systems based solely on IP address.
  • Filtering: prevent any outbound traffic on your network that does not have a source address in your IP range, and, symmetrically, drop inbound traffic from outside that claims a source address in your range.
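The filtering rule above is the logic of an anti-spoofing (BCP 38 style) filter at the border. The following is an added example, not code from the original slides, expressing that decision as a function so that both directions can be tested; the enterprise prefix 203.0.113.0/24 is an assumption made for the example, and the list of private and reserved prefixes is the standard set that should never appear as a source from the Internet.

```python
import ipaddress

# Assumption for the example: the enterprise's own address range.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that must never arrive from the Internet (private, loopback,
# link-local, multicast, "this network").
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def filter_packet(direction, src):
    """Anti-spoofing verdict at the border router.
    direction: "out" = leaving our network toward the ISP (egress filter),
               "in"  = arriving from the ISP (ingress filter).
    Returns (verdict, reason) where verdict is "accept" or "drop"."""
    addr = ipaddress.ip_address(src)
    if direction == "out":
        if not in_any(addr, OUR_PREFIXES):
            return ("drop", "egress: source address not in our range (spoofed)")
        return ("accept", "egress: source address is ours")
    if direction == "in":
        if in_any(addr, OUR_PREFIXES):
            return ("drop", "ingress: our own address arriving from outside (spoofed)")
        if in_any(addr, BOGON_PREFIXES):
            return ("drop", "ingress: private or reserved source address")
        return ("accept", "ingress: plausible external source")
    raise ValueError(f"unknown direction {direction!r}")


if __name__ == "__main__":
    for direction, src in [("out", "203.0.113.10"), ("out", "198.51.100.5"),
                           ("in", "203.0.113.10"), ("in", "10.1.1.1"), ("in", "198.51.100.5")]:
        print(direction, src, *filter_packet(direction, src))
```

The egress half is the one the slide describes; it stops your own hosts from taking part in a spoofed DoS. The ingress half protects you from the classic "trusted host" spoof, where an outside packet pretends to come from one of your own addresses.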

Page 27

DOS (DENIAL OF SERVICE)

DoS attacks deny legitimate users access to services.

DoS attacks can be characterized by:
• Disrupting connectivity between devices
• Preventing access to specific services
• Halting processes on devices by sending malformed packets
• Flooding networks

How to prevent DoS attacks?
• Configure the firewall
• Prevent spoofing
• Prevent traffic rates from getting out of control (rate limiting)
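"Preventing traffic rates from getting out of control" is usually implemented as a per-source token bucket in the firewall. The following is an added example, not code from the original slides, of that mechanism applied to a constructed packet stream in which one source floods at 500 packets per second while a normal client sends one packet per second. The rate and burst values are tuning assumptions.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens per second, holds at most
    `burst` tokens. Each packet spends one token; no token means drop."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit(packets, rate=10.0, burst=20):
    """packets: iterable of (timestamp_seconds, src_ip) in time order.
    One bucket per source, so a flooder exhausts only its own budget.
    Returns {src_ip: {"accepted": n, "dropped": m}}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts, src in packets:
        key = "accepted" if buckets[src].allow(ts) else "dropped"
        stats[src][key] += 1
    return dict(stats)


def sample_traffic():
    """Constructed traffic for the example: a flood of 500 packets in one second
    from 198.51.100.99, interleaved with five packets over five seconds from a
    normal client at 192.0.2.10."""
    flood = [(i / 500.0, "198.51.100.99") for i in range(500)]
    normal = [(float(s), "192.0.2.10") for s in range(5)]
    return sorted(flood + normal)


if __name__ == "__main__":
    for src, counts in rate_limit(sample_traffic()).items():
        print(src, counts)
```

With a 20-packet burst and a 10 packet/second refill, the flooder gets its initial burst plus roughly ten more packets during the second it floods, and the rest are dropped, while the normal client never loses a packet. Per-source buckets are what keep a flood from consuming a shared budget; against a distributed flood from many sources the per-source limit must be backed by an aggregate limit upstream.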

Page 28

Page 29

NETWORK SECURITY METHODOLOGY

SAFE BLUEPRINT OVERVIEW

• Cisco developed a security methodology called SAFE.
• SAFE is used as a guide to design and implement network security.
• Cisco describes SAFE as a defense-in-depth approach.
• Defense in depth means that a system has multiple security measures in place, so that a single failure does not expose the whole network.
• The SAFE blueprint discourages having only one device performing a security function.
• Security capabilities can be hosted on dedicated appliances, such as a firewall.
• The blueprint guidelines encourage you to make security decisions based on the dangers to be avoided.