Objectives

Module 03: 1

•Introduction to Computer Securityand Information Assurance

Objectives• Recognize voice and

data systems use the same communications networks

• Describe the components of a typical network

• Describe countermeasures for network-related threats

Module 03: 2


Objectives• Describe the concept of “defense-in-depth”• Identify technologies used to apply

countermeasures for network-related threats• Identify components that comprise wireless

networks• Identify threats related to wireless

technologies• Identify countermeasures for wireless related

threats

Module 03: 3


Communication Networks• History

– Moving ideas– Electric communication– Circuit switching

Module 03: 4


Voice Communications• Public Switched Telephone Network (PSTN)

• Private Branch Exchange (PBX)– Acts as organization’s internal phone company– Cost savings

Module 03: 5


Voice Networks• History

– Introduction of packet-switched networks in 1960s

– Computers used for switching instead of relays

– Now voice communication is treated as data

Module 03: 6


The News

Module 03: 7


PBX Threats• Toll fraud

• Disclosure of information

• Unauthorized access

• Traffic analysis

• Denial of Service (DoS)

Module 03: 8


PBX ThreatCountermeasures

• Implement physical security

• Inhibit maintenance port access

• Enable alarm and audit trails

• Remove all default passwords

• Review the configuration of your PBX against known hacking techniques

Module 03: 9


Data Networks• International voice network already existed

– For computers to communicate, less expensive to use same network

– Modems designed to leverage this asset

Module 03: 10


Modem Threats

• Unauthorized and misconfigured modems

• Authorized but misconfigured modems

Module 03: 11


Wardialing Experiment

• Dialed 5.7 million phone numbers

• Area codes: 408, 415, 510, 650

• Carriers found: 46,192

• Experiment and results presented at DEFCON

Peter Shipley conducted a wardialing exercise in the San Francisco Bay area from April 1997 to January 2000, looking for unsecured modems.

Module 03: 12


Common Wardialers

• ToneLoc (DOS, Windows NT, 2000)

• ShokDial (UNIX/Linux)

• PhoneSweep (Commercial – Windows)

Module 03: 13


Modem Threat Countermeasures

• Policy

• Scanning

• Administrative action

• Passwords

• Elimination of modem connections

• Use a device to protect from telephony-based attacks and abuses

Module 03: 14


Voice Over Internet Protocol (VoIP)

• Transmission of voice conversations using traditional “data network” transmission methods

• Taking calls off the regular phone lines and sending them on a data network

Module 03: 15


VoIP Benefits• Less expensive

• Increased functionality

• Flexibility

• Mobility

Module 03: 16


VoIP Threats• Service theft• Eavesdropping• Spam/SPIT (SPam over Internet Telephony)• Denial of Service (DoS)• Vishing (VoIP Phishing)• Call tampering

Module 03: 17


VoIP Threat Countermeasures

• Physical control

• Authentication and encryption

• Develop appropriate network architecture

• Employ VoIP firewall and security devices

Module 03: 18


Data Networks: History Refresher• Modems put on voice network to carry

data– No need to build new, separate network– Early on most data networks used modems

over voice network

• 1960s, data networks include introduction of satellites and radios – Also packet switching

Module 03: 19


Data Networks• Computers linked together

• Components found in most networks– Hosts (computers)

• Workstations (desktops, laptops, etc.)• Servers (e-mail, web, database, etc.)

– Switches and hubs– Routers

Module 03: 20


Common Network Terms

• Local Area Network (LAN)

• Wide Area Network (WAN)

• Wireless LAN (WLAN)

Module 03: 21


Data Network Protocols• Common protocols

– Transmission Control Protocol (TCP)– User Datagram Protocol (UDP)– Internet Control Message Protocol (ICMP)– Hypertext Transfer Protocol (HTTP)

Module 03: 22


Common Protocols• TCP

– Moves data across networks with a connection- oriented approach

• UDP– Moves information across networks with a

connectionless-oriented approach

• ICMP– Often used by operating systems to send error

messages across networks

• HTTP– Transfers web pages, hypermedia, and other query

response communications

Module 03: 23


Data Network Threats• Information gathering: assessing targets to plan

attacks• Denial of Service (DoS): degrading or preventing

communication through or across specific network(s)

• Other exploitation/interception: – Disinformation: fooling users or network

components/services – Man-in-the-middle: getting between communicators– Session hijacking: illicitly assuming control of a

legitimate connection

Module 03: 24


Information Gathering Threats• Attackers want to determine nature of

targets– Reduce wasted effort– Formulate attack plans

• Pick specific tools• Select tactics

Module 03: 25


Network Scanning Finding Active Machines

• An organization has a range of IP addresses assigned to it– May not use them all

• Ping sweep finds IP addresses in use– Ping utility designed to determine whether

remote system is active

Module 03: 26


Ping Sweep• Using ping, attacker sends ICMP echo

request to range of addresses– Every functional system responds with echo

reply• Provides a list of potential targets

Module 03: 27


Ping Sweep

Echo Request

Unused Address10.1.1.9

Attacker

Target List

Echo Request

Echo Request

Unused Address10.1.1.11

10.1.1.10

10.1.1.910.1.1.1010.1.1.11

Echo Reply

Module 03: 28


Ping

Module 03: 29


Activity 03.1: Perform Ping Sweep Using nmap

• Purpose:– In this activity, you will perform a scan in the

form of a ping sweep. This will familiarize you with one of the most common techniques to gather information about a target environment.

• Estimated completion time: – 10 – 15 minutes

Module 03: 30


Activity 03.1: Perform Ping Sweep Using nmap

What did we detect?

Is this a useful tool?– From an attacker’s perspective– From an administrator’s perspective

Module 03: 31


Port Scanning• Checks a computer for open ports

– 65,535 possible ports• 1-1,023 are considered “well-known”• 1,024-49,151 are called “registered ports”• 49,152-65,535 are dynamic or private ports

Module 03: 32


Some Well-Known PortsPort # Network Service 20 File Transfer Protocol (FTP) Data21 File Transfer Protocol (FTP) Control23 Telnet25 Simple Mail Transfer Protocol (SMTP)53 Domain Name Server (DNS)79 Finger80 World Wide Web (HTTP)110 Post Office Protocol – Version 3443 HTTPS

Module 03: 33


How Port Scanning Works

Attacker

Web server

80

79

82

81

80

Services List

HTTP

Module 03: 34


Activity 03.2: Perform Port Scanning Using Different Tools

• Purposes:– In this activity, you will perform port scans

using different scanning tools. This will familiarize you with one of the most common techniques to gather information about a target environment, and learn the efficacy of various tools.

• Estimated completion time: – 50 – 55 minutes

Module 03: 35


Activity 03.2: Perform Port Scanning Using Different Tools

What were the results of our port scanning tests?

– What did they mean?

Would this be helpful for an attacker?

Would this be helpful for an administrator?

Module 03: 36


Sniffing• Monitoring traffic flow across a network

– Pull all packets– Be selective

• Only grab packets to and from certain addresses • Only grab packets carrying a certain type of traffic

• Needs to view all traffic on the network– On internal network – On main connection into/out of a network

Module 03: 37


Denial of Service (DoS)

• Degrade and prevent operations/functionality

• Distributed denial of service (DDoS) attack uses multiple attack machines simultaneously

Module 03: 38


Ping Flood / Ping Of Death • Ping flood

– Too much ping traffic drowns out all other communication

• Ping of Death– Oversized or malformed ICMP packets cause

target to reboot or crash• Hosts can’t handle packets over maximum 65,535

bytes• Causes a type of buffer overflow

Module 03: 39


Smurf Attack• Large stream of spoofed Ping packets sent to a

broadcast address• Source address listed as the target’s IP address

(spoofed)• Broadcast host relays request to all hosts on

network• Hosts reply to victim with Ping responses• If multiple requests sent to broadcast host,

target gets overloaded with replies

Module 03: 40


Smurf Attack (ICMP Flooding)

Attacker Ping Broadcast Request (Actual)

Multiple Ping Requests

Multiple Ping Replies

System or NetworkOverloaded

Ping Broadcast Request

(Spoofed)

Module 03: 41


SYN Flooding• Exploits synchronization protocol used to initiate

connections • Subverts the normal process

– In the customary “three-way handshake”:• Initiator sends synchronization (SYN) packet• Target replies with a SYN/ACK (acknowledgement)• Initiator sends ACK• Machines are now ready to communicate

– In SYN flooding, attacker sends SYN packets, but no ACK• Target replies with SYN/ACK• Target waits for ACK, eventually gives up• If enough SYNs are received, communication capacity will deplete

Module 03: 42


SYN FloodingHandshake

(Normal)Handshake(SYN Flood)

1. SYN

3. ACK

2. SYN-ACK

1. SYN

2. SYN-ACK

1. SYN

2. SYN-ACK

2. SYN-ACK

1. SYN

Module 03: 43


DDOS With Zombies/Botnet

Module 03: 44


Man-In-The-Middle Attacks• Instead of shutting down target networks,

attackers may want access

• Types of attacks– Eavesdropping– Session hijacking

Module 03: 45


Network Attack Countermeasures• Discussion: countering the threats

– Scans/Sniffing/Ping sweeps– DoS/DDoS

• Ping of Death• SYN flood• Smurf attack

– Others• Session hijacking• Eavesdropping

Module 03: 46


Ways To Recognize Scanning• System log file analysis

• Network traffic

• Firewall and router logs

• Intrusion Detection Systems (IDSs)

Module 03: 47


Defending Against Scanning• Block ports at routers and firewalls• Block ICMP, including echo• Segment your network properly• Hide private, internal IP addresses• Change default account settings and

remove or disable unnecessary services• Restrict permissions• Keep applications and operating systems

patched

Module 03: 48


Sniffing Countermeasures

• Strong physical security

• Proper network segmentation

• Communication encryption

Module 03: 49


DoS And DDoS Countermeasures

• Stop the attack before it happens

• Block “marching orders”

• Patch systems

• Implement IDS

• Harden TCP/IP

• Avoid putting “all eggs in one basket”

• Adjust state limits

Module 03: 50


Other Countermeasures

• All countermeasures already mentioned

• Encrypted session negotiation

• Repeating credential verification during session

• User training

Module 03: 51


Defense-In-Depth

Module 03: 52


• Router• “Demilitarized” Zone (DMZ)• Bastion host• Firewalls• Intrusion Detection Systems (IDSs)• Intrusion Prevention Systems (IPSs)• Virtual Private Network (VPN)

Perimeter Defense Countermeasures

Module 03: 53


Routers• First line of perimeter defense

– Connects external environment to internal network

• Securely configured

• Audit regularly

• Keep patched and updated

Module 03: 54


Demilitarized Zone (DMZ)• Machine or machines accessible by the

Internet, but not located on the internal network or the Internet– Web server– E-mail server

• Should not contain much valuable data

Module 03: 55


Network With DMZ

Web MailFirewall Firewall

DNS

Internet

Router

Internal Network

Module 03: 56


Bastion Host• Highly exposed to attacks

– Web server– E-mail server

• Locked down/hardened system– Unnecessary services disabled– No unnecessary applications– Fully patched– Unnecessary ports closed– Unnecessary accounts disabled

Module 03: 57


Firewalls• Control connections from one network (or

portion of a network) to another – Usually between an organization’s network

and Internet

• Enforce security policy

• Hardware or software

Module 03: 58


A Firewall Will Not

• Monitor connections not passing directly through it

• Prevent physical access to the network

Module 03: 59


Common Types Of Firewalls• Packet filtering

• Proxies

• Stateful inspection

Module 03: 60


Common Firewall Configurations• Dual-homed

• Multi-homed

Module 03: 61


Intrusion Detection System (IDS)• Detects suspicious activity

• Alerts upon discovery of possible compromise attempts

• Comprised of several components– Sensors– Analyzers– Administrator interfaces

Module 03: 62


Common Types Of IDS• Host-based (HIDS): monitors activity within

a particular computer system• Network-based (NIDS): monitors network

communications– Usually works with a central console/database– To function correctly, must see ALL monitored

network traffic– Reactive NIDS also known as Network Intrusion

Prevention Systems (NIPS)

Module 03: 63


Virtual Private Network (VPN)• A secure, private data connection through

a non-secure public network– Often, through the Internet

• Uses encryption and tunneling protocols – PPTP, L2TP, IPSec

Module 03: 64


Router

Firewall

Users

IntrusionDetection

Internet

WebServer

PBX

PSTN

Dial-in Servers

Attacker

X

Rogue Modem Threats

Module 03: 65


DefendedAny other ways to attack your information without coming through the Internet?

Module 03: 66


Wireless Technology• Allows communications between multiple

systems/devices without physical connection• Complexity ranges from simple devices to

enterprise networks• Much less expensive than wired solutions• Wireless LAN (WLAN)

– Wireless client: system with wireless capability– Access point (AP): device that connects different

wireless stations

Module 03: 67


Wireless Threats And Countermeasures

• Access point mapping

• Service Set Identifier (SSID) broadcasting

• Default SSID

• Radio frequency management

• Default settings

• Authentication

• Bluetooth security

Module 03: 68


Access Point (AP) Mapping • WLAN version of wardialing

– Wardriving/warwalking/warflying/warchalking– Software

• Net Stumbler• Air Snort• Void11

Module 03: 69


Service Set Identifier (SSID) Broadcasting

SS

ID SSID

Module 03: 70


Default SSID

SSID

SSID = tsunami

SSID = tsunami

SS

ID

Default SSIDCisco = tsunami

3COM = 101Agere = WaveLANLinksys = Linksys

Dlink = default

Module 03: 71


Radio Frequency Management

Building I

Parking Lot

Module 03: 72


Default SettingsMany access points arrive with no security mechanisms in place.

Module 03: 73


Authentication IssuesOpen System Authentication• SSID• Negotiation in clear text• Subject to sniffing

Shared Key Authentication• SSID and WEP Encrypted key

required• Subject to man-in-the-middle

attack

Request (SSID)

Accepted (SSID)

Challenge Text (WEP)

Challenge Response (WEP)

Accepted (SSID)

Request SSID

Module 03: 74


Authentication Issues• WEP standard proven insufficient

– Mathematical weakness entailed relatively fast repeat of key transmission

• Automated exploits followed identification of flaw• Used in massive criminal activity

– Replaced with Wi-Fi Protected Access (WPA)– WPA demonstrates its own weaknesses– Replaced by WPA2, which is viewed as more

secure

Module 03: 75


Bluetooth Security• Popular short-range technology

– Used for many personal electronic devices, such as phones, music players, etc.

• Threats– Bluejacking– Bluesnarfing– Bluebugging

Module 03: 76


Networking / Internet• History of communication• PBX security threats and countermeasures• Modem security threats and countermeasures• VoIP security threats and countermeasures• Network components• Common protocols• Network security threats and countermeasures

– Scanning / sniffing / DoS / DDoS

• Wireless security threats and countermeasures– WLAN / Bluetooth

Objectives

Documents