Hands-On Ethical Hacking and Network Defense Chapter 13 Protecting Networks with Security Devices.

Hands-On Ethical Hacking and Network Defense

Chapter 13Protecting Networks with Security Devices

Hands-On Ethical Hacking and Network Defense 2

Objectives

• Describe network security devices

• Describe firewall technology

• Describe intrusion detection systems

• Describe honeypots


Understanding Network Security Devices

• Network security devices• Routers• Firewalls• Intrusion detection systems• Honeypots


Understanding Routers

• Routers are hardware devices used on a network to send packets to different network segments• Operate at the network layer of the OSI model

• Routing protocols used by routers• Link-state routing protocol

• Router advertises link-state to identify network topology and any changes on paths

• Distance-vector routing protocol• Router passes its routing table to all routers

participating on the network


Understanding Basic Hardware Routers• Cisco routers are widely used in the

networking community• More than one million Cisco 2500 series

routers are currently being used by companies around the world

• Vulnerabilities exist in Cisco as they do in any operating system• Security professionals must consider these

vulnerabilities when conducting a security test


Cisco Router Components• A Cisco router uses the Cisco Internetwork

Operating System (IOS) to function• Components• Random access memory (RAM)

• Holds the router’s running configuration, routing tables, and buffers

• If you turn off the router, the contents stored in RAM are wiped out

• Nonvolatile RAM (NVRAM)• Holds the router’s configuration file, but the information

is not lost if the router is turned off


Cisco Router Components (continued)• Components (continued)• Flash memory

• Holds the IOS the router is using• Is rewritable memory, so you can upgrade the IOS

• Read-only memory (ROM)• Contains a minimal version of the IOS used to boot

the router if flash memory gets corrupted

• Interfaces• Hardware connectivity points• Example: an Ethernet port is an interface that

connects to a LAN



Cisco Router Configuration

• Configuration modes:• User mode

• Administrator can perform basic troubleshooting tests and list information stored on the router

• Router-name>, indicates that you are in user mode

• Privileged mode• Administrator can perform full router configuration tasks• Router-name#, indicates that you are in privileged mode

• By default, you are in user mode• Type “enable” or “en” to change to privileged mode


Cisco Router Configuration (continued)

• Once in privileged mode, you can change to two more configuration modes• Global configuration mode• Administrator can configure router settings that

affect overall router operation• To use this mode, you enter the command config t

at the Router-name# prompt• Router-name (config)# tells the user she is in global

configuration mode


Cisco Router Configuration (continued)

• Once in privileged mode, you can change to two more configuration modes (continued)• Interface configuration mode

• Administrator can configure an interface on the router

• To use this mode, you enter global configuration mode first

• Next, you enter the command for interface configuration mode and the interface name you want to configure

• Router-name(config-if)# indicates you are in interface configuration mode



Understanding Access Control Lists• There are several types of access control lists• We will focus on IP access lists

• IP access lists• Lists of IP addresses, subnets, or networks that

are allowed or denied access through a router’s interface

• Two different types of access lists on Cisco router• Standard IP access lists• Extended IP access lists


Standard IP Access Lists

• Can restrict IP traffic entering or leaving a router’s interface based on source IP address

• The syntax of a standard access list is as follows:access-list [list #] [permit|deny] [source address][source wildcard mask]

• [list #] is a number in the range of 1 to 99• permit | deny] are keywords to permit or deny traffic• [source address] specifies the IP address of the

source host• [source wildcard mask] signifies which bits of the

source address are significant



Standard IP Access Lists (continued)• Example:

access-list 1 deny 173.110.0.0 0.0.255.255access-list permit any

• A wildcard mask is similar to a subnet mask• Example: access-list 1 deny 10.10.1.112 0.0.0.0• The 0s used after the IP address signify that every

octet in the IP address must match the IP address being filtered

• Another example:access-list 1 deny 192.168.10.0 0.0.0.255access-list 1 permit any


Standard IP Access Lists (continued)• Cisco allows a shortcut for the mask 0.0.0.0

access-list 1 deny host 192.168.10.112

• Access lists always end with an implicit deny rule• To avoid this, you must add the “permit any” statementaccess-list 1 deny host 192.168.10.112access-list 1 permit any

• Steps for applying the access list to an interface• Enter global configuration mode• Create the access list• Enter interface configuration mode• Use the ip access-group command


Standard IP Access Lists (continued)• Example

Router> en

Password ******

Router# config t

Router(config)# access-list 1 deny 172.16.5.0 0.0.0.255

Router(config)# access-list 1 permit any

Router(config)# int e0

Router(config-if)# ip access-group 1 out

Router(config-if) Ctrl+z [to save and exit global configuration mode]

Router#


Extended IP Access Lists

• Allow packet filtering based on• Source IP address• Destination IP address• Protocol type• Application port number

• Syntax for extended IP access listsaccess-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [destination IP address] [destination wildcard mask] [operator] [port] [log]

• [list #] is a number in the range of 100 to 199• [permit | deny] are keywords to permit or deny

traffic


Extended IP Access Lists (continued)• Syntax for extended IP access lists (continued)• [protocol] can be IP, TCP, UDP, ICMP, and so on• [source IP address] is the IP address of the source• [source wildcard mask] determines significant bits of

source IP address• [destination IP address] is the IP address of the

destination• [destination wildcard mask] determines significant bits

of destination IP address• [operator] can be lt, gt, eq, or neq


Extended IP Access Lists (continued)

• Syntax for extended IP access lists (continued)• [port] port number of the protocol to be filtered• [log] logs all activity of the access list for the

administrator

• Example:access-list 100 deny tcp host 172.16.1.112 host

172.30.1.100 eq www


Extended IP Access Lists (continued)

• Applying an access list to an interfaceRouter> en

Password ******

Router# config t

Router(config)# access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100

Router(config)# access-list 100 permit any

Router(config)# int e0

Router(config-if)# ip access-group 100 in

Router(config-if) Ctrl+z

Router#


Understanding Firewalls

• Firewalls are hardware devices or software installed on a system and have two purposes• Controlling access to all traffic that enters an

internal network• Controlling all traffic that leaves an internal

network

• Advantages of hardware firewalls• They are usually faster than software firewalls• They can handle a larger throughput than

software firewalls


Understanding Firewalls (continued)

• Disadvantage of hardware firewalls• You are locked into the firewall’s hardware

• Advantage of software firewalls• You can easily add NICs to the server running

the firewall software

• Disadvantage of software firewalls• You might have to worry about configuration

problems• They rely on the OS on which they are running


Understanding Firewall Technology

• Firewall technologies• Network address translation (NAT)• Access control lists• Packet filtering• Stateful packet inspection (SPI)


Network Address Translation (NAT)• The most basic security feature of a firewall

• With NAT, internal private IP addresses are mapped to public external IP addresses• Hiding the internal infrastructure

• Port Address Translation (PAT)• Technology derived from NAT• This allows thousands of internal IP addresses to

be mapped to one external IP address


Access Control Lists• Access lists are used to filter traffic based on

source IP address, destination IP address, and ports or services

• Firewalls also use this technology

• Creating access control lists in a firewall is a similar process to creating them in a router


Packet Filtering

• Packet filters screen packets based on information contained in the packet header• Protocol type• IP address• TCP/UDP port


Stateful Packet Inspection (SPI)• Stateful packet filters record session-specific

information about a network connection• Create a state table

• Can help reduce port scans that rely on spoofing or sending packets after a three-way handshake

• Stateful packet filters recognize types of anomalies that most routers ignore

• Stateless packet filters handle each packet on an individual basis• Spoofing or DoS attacks are more prevalent



Implementing a Firewall• Placing a firewall between a company’s internal

network and the Internet is dangerous• It leaves the company open to attack if a hacker

compromises the firewall

• Use a demilitarized zone instead


Demilitarized Zone (DMZ)• DMZ is a small network containing resources

available to Internet users• Helps maintain security on the company’s internal

network

• Sits between the Internet and the internal network

• It is sometimes referred to as a “perimeter network”




Understanding the Private Internet Exchange (PIX) Firewall

• Cisco PIX firewall• One of the most popular firewalls on the market


Configuration of the PIX Firewall• Working with a PIX firewall is similar to working

with any other Cisco router

• Login promptIf you are not authorized to be in this XYZ Hawaii network

device,

log out immediately!

User Access Verification

Password:

• This banner serves a legal purpose

• General prompt example:Type help or '?' for a list of available commands.

xyz>


Configuration of the PIX Firewall (continued)• You should enter privileged mode to configure

the PIX firewall

• To enter configuration mode in PIX, you use the same command as on a Cisco routerxyz# configure terminal

xyz(config)# ?

• Nameif is a PIX command to name an interface• PIX allows the administrator to assign values to an

interface that designate its security level• Values can be from 0 to 100


Configuration of the PIX Firewall (continued)

• Access lists• PIX enables an administrator to use descriptive

names for the access list instead of numbers

• PIX also uses the implicit deny rule


Understanding Microsoft ISA

• Microsoft’s software approach to firewalls• Microsoft Internet Security and Acceleration

(ISA) Server• Functions as a software router, firewall, and IDS

• ISA has the same functionality as any hardware router• Packet filtering to control incoming traffic• Application filtering through the examination of

protocols• Intrusion detection filters• Access policies to control outgoing traffic


IP Packet Filters• ISA enables administrators to filter IP

traffic based on the following:• Source and destination IP address• Network protocol, such as HTTP• Source port or destination port

• ISA provides a GUI for these configurations• A network segment can be denied or allowed

HTTP access in the Remote Computer tab




Application Filters• Can accept or deny data from specific

applications or data containing specific content

• SMTP filter can restrict• E-mail with specific attachments• E-mail from a specific user or domain• E-mail containing specific keywords• SMTP commands

• SMTP Filter Properties dialog box• Administrator can filter a specific e-mail attachment

based on a rule he or she configures





Application Filters (continued)• Users/Domains tab in the SMTP Filter

Properties dialog box• Administrator can filter e-mail messages sent from a

user or from specific domains

• As a security professional, you might be asked to restrict e-mails containing certain keywords

• SMTP Commands tab• Administrator can prevent a user from running

SMTP commands





Intrusion Detection Filters• Analyze all traffic for possible known intrusions• DNS intrusion detection filter• POP intrusion detection filter• FTP Access filter• H.323 filter• HTTP Redirector filter• RPC filter• SMTP filter• SOCKSV4 filter• Streaming Media filter




Access Policies• Allow administrators to control outgoing traffic

• An access policy consists of the following• Policy rules• Site and content rules• IP filter rules



Understanding Intrusion Detection Systems (IDSs)• Monitor network devices so that security

administrators can identify attacks in progress and stop them

• An IDS look at the traffic and compare it with known exploits• Similar to virus software using a signature file to

identify viruses

• Types• Network-based IDSs• Host-based IDSs


Network-Based and Host-Based IDSs• Network-based IDSs• Monitor activity on network segments• They sniff traffic and alert a security administrator

when something suspicious occurs

• Host-based IDSs• Used to protect a critical network server or

database server• The software is installed on the server you’re

attempting to protect


Network-Based and Host-Based IDSs (continued)• IDSs are categorized by how they react when

they detect suspicious behavior• Passive systems• Send out an alert and log the activity

• Active systems• Log events and send out alerts• Can also interoperate with routers and firewalls



Understanding Honeypots• Honeypot• Computer placed on the perimeter of a network• Contains information intended to lure and then trap

hackers

• Computer is configured to have vulnerabilities

• Goal• Keep hackers connected long enough so they can

be traced back


How They Work• A honeypot appears to have important data

or sensitive information stored on it• Could store fake financial data that tempts

hackers to attempt browsing through the data

• Hackers will spend time attacking the honeypot• And stop looking for real vulnerabilities in the

company’s network

• Honeypots also enable security professionals to collect data on attackers

• Honeypots are available commercially and through open-source avenues




How They Work (continued)• Virtual honeypots• Honeypots created using software solutions instead

of hardware devices• Example: Honeyd


Summary• Security devices• Routers• Firewalls• IDSs

• Routers use access lists to accept or deny traffic through their interfaces

• Firewalls can be hardware devices or software installed on computer systems• Firewalls use NAT, IP filtering, and access

control lists to filter incoming and outgoing network traffic


Summary (continued)• Firewall examples• Cisco PIX (hardware)• Microsoft ISA (software)

• Stateful packet filters vs. stateless packet filters

• PGP is a free public key encryption program to encrypt e-mail messages

• Demilitarized zones (DMZs)• Add a layer of defense between the Internet

and a company’s internal network


Summary (continued)

• Intrusion detection systems (IDSs)• Network-based IDSs• Host-based IDSs• Passive IDSs vs. active IDSs

• Honeypots

Hands-On Ethical Hacking and Network Defense Chapter 13 Protecting Networks with Security Devices.

Documents

router router

network slide

router settings

prompt router

handson ethical hacking

routers routers

network defense8 slide

network defense5