THE NETWORK PROTOCOL STACK REVISITED Network Security Spyridon Dosis
Aug 08, 2015
RECAP
Ethernet, TCP/IP
Message Confidentiality: Symmetric, Asymmetric
Message Integrity
Digital Certificates – PKI
User/Host Authentication: Kerberos, SSL
NETWORK SECURITY ⊃ CRYPTOGRAPHY
Protocol Attacks, Device Implementation Attacks, Access Control, Network Security Monitoring
Placement of security services
At Higher Layers: application-oriented protection, granular security services
At Lower Layers: transparent to users and applications, interoperability / automation
L2 SECURITY
Problem : MAC Spoofing / CAM Flooding
Port Security: dynamically or statically learn MAC – switch port mappings
switchport port-security mac-address 685D.4356.C61A
Maximum number of MACs per port
Protect / Restrict / Shutdown (violation modes)
Port Security Aging
Sticky Ports
Port Unicast/Multicast Blocking
L2 SECURITY
Problem : Large Broadcast Domains / Network Isolation
Virtual LANs (VLANs): logical grouping of ports regardless of physical location
Static / Dynamic VLAN (VMPS)
VLAN Trunking / Tagging: 802.1q / ISL protocols
VLAN Hopping: Switch Spoofing (DTP), Double Tagging
Explicit configuration
Images taken from B.Hartpence – Packet Guide to Switching and Routing
L2 SECURITY
Problem : ARP Spoofing
Static IP-MAC mappings
ArpWatch
ARP ACLs
Dynamic ARP Inspection: DHCP snooping, rate limiting of incoming ARP packets, trusted and untrusted ports, dropping and logging
L2 SECURITY
Port-based Network Access Control: IEEE 802.1X
802.1X Port Access Entity, (Un-)Authorized Port State, EAP -> RADIUS
RADIUS is a UDP-based network protocol providing AAA
RADIUS clients can be VPN servers, 802.1X switches, Network Access Servers etc.
Support for authentication schemes such as CHAP and EAP, and integration with AD, Kerberos, RDBMS
Attribute-Value pairs (VSAs also)
Images taken from http://en.wikipedia.org/wiki/IEEE_802.1X
L3 SECURITY
Problem : IP Spoofing
IP Spoofing is not used to hide your IP
IP Spoofing is “mostly” a “blind” attack
MitM attacks, DoS attacks, Email Spam, IP address authentication (rlogin, rsh etc.), Source routing
RFC 2827 – Defeating DoS Attacks which employ IP Source Address Spoofing (Egress Filtering)
Blackhole Filtering
Network Scanning with Decoys
DHCP Snooping
TCP has an implicit defense mechanism
L3 SECURITY
Problem : Predictable IP ID value
The IP header contains a “fragment identification” number, used to reassemble the fragments of a packet.
Many OSes increment it sequentially; the difference of the IP ID between two probes reveals the number of packets sent in between
Idlescan, Traffic Analysis, OS Detection
Countermeasures: peer-specific IP IDs, zero IP ID when DF is set
Images taken from http://en.wikipedia.org/wiki/Idle_scan
L3 SECURITY
Problem : IP Fragmentation Handling
Fragmentation reassembly timeout
Overlapping fragments (duplicate fragments)
Overlapping fragments (malformed offsets): Teardrop Attack
Image taken from http://jdecool.free.fr/modules.php?name=News&file=read_article&sid=34&mode=thread&order=0&thold=0
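The checks a reassembly engine (or an IDS preprocessor) applies to the cases listed above, as an added example that is not from the slides; the fragment tuples are constructed, with offsets already in bytes.

```python
MAX_DATAGRAM = 65535  # the IP total-length field is 16 bits

def check_fragments(frags):
    """frags: iterable of (offset, length, more_fragments), offset in bytes
    (the 13-bit header field already multiplied by 8). Returns a sorted list
    of findings; an empty list means the set reassembles cleanly."""
    findings = set()
    accepted = []          # (start, end) of fragments kept so far
    total = None           # datagram length learned from the MF=0 fragment
    for off, length, mf in sorted(frags):
        end = off + length
        if end > MAX_DATAGRAM:
            findings.add("malformed offset: fragment runs past the 64 KiB datagram limit")
        for start, prev_end in accepted:
            if off < prev_end and end > start:            # byte ranges intersect
                if (off, end) == (start, prev_end):
                    findings.add("duplicate fragment")
                elif end <= prev_end:
                    findings.add("fragment lies inside an earlier one (Teardrop-style)")
                else:
                    findings.add("partial overlap with an earlier fragment")
        if not mf:
            if total is not None:
                findings.add("two fragments claim to be the last one")
            total = end
        accepted.append((off, end))
    if total is None:
        findings.add("last fragment missing: held until the reassembly timeout")
    else:
        covered = 0
        for start, end in sorted(accepted):
            if start > covered:
                findings.add("gap in the data: held until the reassembly timeout")
                break
            covered = max(covered, end)
    return sorted(findings)

# Constructed fragment sets: a clean 3-fragment datagram and the classic
# Teardrop pair, whose second fragment ends inside the first.
CLEAN = [(0, 1480, 1), (1480, 1480, 1), (2960, 500, 0)]
TEARDROP = [(0, 36, 1), (24, 4, 0)]

if __name__ == "__main__":
    print(check_fragments(CLEAN))     # []
    print(check_fragments(TEARDROP))
```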
L3 SECURITY
Problem : IP TTL Handling
Knowledge of the topology (“traceroute”)
Snort’s min_ttl configuration option
Image taken from http://jdecool.free.fr/modules.php?name=News&file=read_article&sid=34&mode=thread&order=0&thold=0
L3 SECURITY
Problem : ICMP Protocol Misuse
ICMP Sweep, ICMP Tunneling (Loki), OS Fingerprinting, ICMP Redirect Attacks, Ping of Death, Ping Flood, Smurf Attack, ICMP Nuke Attack
L3 SECURITY
Problem : Traffic Flow Control
Standard Access Control Lists: filtering based on source IP address
Extended Access Control Lists: filtering based on source and destination IP addresses, port numbers, upper-layer protocols
Implied deny for traffic that is not explicitly permitted
Time-based Access Control Lists
Reflexive Access Control Lists
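A model of standard and extended ACL evaluation with first-match semantics and the implied deny, plus a check for entries shadowed by an earlier broader one; added example, not from the slides, and the ACL entries are constructed.

```python
import ipaddress

# Extended ACL entries, tested top-down: (action, protocol, source, destination,
# destination port). Constructed for this example; "ip" matches any protocol
# and a port of None matches any port. Entry 3 is deliberately shadowed.
EXTENDED_ACL = [
    ("permit", "tcp", "10.0.0.0/8", "192.168.10.5/32",  22),
    ("permit", "tcp", "0.0.0.0/0",  "192.168.10.0/24",  80),
    ("deny",   "udp", "0.0.0.0/0",  "192.168.10.0/24",  None),
    ("permit", "udp", "10.0.0.0/8", "192.168.10.50/32", 53),   # never reached
    ("permit", "udp", "10.0.0.0/8", "0.0.0.0/0",        53),
]

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins, as on Cisco IOS; if nothing matches, the
    implied deny at the end of every ACL applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s_net, d_net, port in acl:
        if p not in ("ip", proto):
            continue
        if src_ip not in ipaddress.ip_network(s_net):
            continue
        if dst_ip not in ipaddress.ip_network(d_net):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny (implied)"

def standard_acl(permitted_sources):
    """A standard ACL filters on source address only: model it as an extended
    ACL whose other fields match anything."""
    return [("permit", "ip", net, "0.0.0.0/0", None) for net in permitted_sources]

def shadowed_entries(acl):
    """Indices of entries that can never match because an earlier, broader
    entry always fires first: the usual way a permit gets hidden behind a deny."""
    out = []
    for j, (_, pj, sj, dj, portj) in enumerate(acl):
        for _, pi, si, di, porti in acl[:j]:
            if (pi in ("ip", pj)
                    and ipaddress.ip_network(sj).subnet_of(ipaddress.ip_network(si))
                    and ipaddress.ip_network(dj).subnet_of(ipaddress.ip_network(di))
                    and porti in (None, portj)):
                out.append(j)
                break
    return out
```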
L3 SECURITY
Problem : IP Address Conservation, Private Networks
Private IP Address Spaces (e.g. 192.168.0.0/16)
Network Address Translation translates the private addresses of the internal network into legal addresses when forwarding to other networks
Static / Dynamic NAT; 1:1, n:1, n:m (PAT)
Image taken from http://www.blindhog.net/cisco-how-to-configure-nat-overload-pat/
L3 SECURITY
NAT Port Forwarding / Mapping: packets received at a specific port on the external link of the NAT gateway are forwarded to a particular port of a specific machine on the internal network
Image taken from http://www.simongoodier.com/home/smtp/smtp-firewall-ports-and-nat/
L4 SECURITY
Problem : TCP Handshake Misuse
SYN Flood
SYN Scan and other variations: Connect Scan, FIN Scan, XMAS Scan, ACK Scan, Window Scan, Maimon Scan
L4 SECURITY
Problem : TCP Session Hijacking
Sequence Number Prediction / Initial Sequence Number Prediction
TCP Reset
Randomness of ISNs, ISN rate of change
Image taken from http://www.techrust.info/2012/01/simple-tcp-spoofing-attack.html
L7 SECURITY
Problem : DHCP Protocol Misuse
DHCP Starvation Attack
Port Security
DHCP Rogue Server
Untrusted Switch Ports
Client Hardware Address (CHADDR)
DHCP Snooping
DNS PROTOCOL
Distributed, hierarchical: TLDs – ccTLDs
Recursive queries, iterative queries
Record types: A, NS, CNAME, SRV, MX …
Question ID, Bailiwick Checking
Image taken from http://davidwills.net/cmit265/tcpip.html
L7 SECURITY
Problem : DNS Protocol Misuse
DNS Blocking (DNS-based Blackhole List / Wikipedia against PIPA)
DNS Spoofing / DNS Pharming
DNS ID Hacking: random guessing, sequential values
DNS Kaminsky Cache Poisoning: spoof the NS entry of the target domain to the attacker’s IP
Query : www.example.com (Attacker)
Answer :
example.com. 86400 IN NS www.example.com.
www.example.com. 604800 IN A 10.10.10.20
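The resolver-side checks named on the DNS PROTOCOL slide (question ID match and bailiwick checking), applied to the spoofed answer above; added example, not from the slides. The transaction ID, the server zone and the extra out-of-bailiwick record are constructed.

```python
def in_bailiwick(name, zone):
    """True if name equals the zone or lies beneath it (DNS names are
    case-insensitive and the trailing dot is optional)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_response(query, response, server_zone):
    """The checks a resolver makes before caching anything from a reply:
    the transaction ID and question must echo the outstanding query, and each
    record must be within the bailiwick of the server that was asked.
    Returns None for a reply that is not for our query, else the split."""
    if response["id"] != query["id"] or response["question"] != query["question"]:
        return None
    cached, rejected = [], []
    for rec in response["records"]:
        (cached if in_bailiwick(rec[0], server_zone) else rejected).append(rec)
    return {"cached": cached, "rejected": rejected}

# Constructed: the resolver asked a server responsible for example.com about
# www.example.com with transaction ID 0x1234. The spoofed reply carries the two
# records from the slide plus a record for an unrelated domain.
QUERY = {"id": 0x1234, "question": ("www.example.com", "A")}
SPOOFED = {"id": 0x1234, "question": ("www.example.com", "A"), "records": [
    ("example.com.", "NS", "www.example.com."),
    ("www.example.com.", "A", "10.10.10.20"),
    ("www.bank.example.", "A", "10.10.10.20"),
]}
WRONG_ID = dict(SPOOFED, id=0x1235)

if __name__ == "__main__":
    # The bailiwick check drops only the unrelated record: the slide's NS/A
    # pair is in bailiwick, which is why Kaminsky-style poisoning has to be
    # stopped by making the ID (and source port) unguessable instead.
    print(accept_response(QUERY, SPOOFED, "example.com"))
    print(accept_response(QUERY, WRONG_ID, "example.com"))  # None
```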
L7 SECURITY
DNS Amplification Attack
Image taken from http://securitytnt.com/dns-amplification-attack/
L7 SECURITY
Problem : Exploiting the DNS TTL value
Fast Flux Networks: round-robin IP addresses + short TTL values + proxy redirection = hard to detect
Image taken from http://www.honeynet.org/papers/ff/
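A detection heuristic that combines the three fast-flux signals from the slide over repeated lookups of one name, with a short-TTL CDN name as the benign counter-case; added example, not from the slides, with constructed lookups and thresholds.

```python
import ipaddress

def fast_flux_indicators(responses, ttl_limit=300, min_ips=8, min_nets=3):
    """responses: list of (ttl_seconds, [ip, ...]) from repeated lookups of one
    name over time. Combines the signals from the slide: short TTLs, a large
    pool of addresses, and addresses scattered across many /24 networks.
    A short TTL alone is not enough: CDNs use them too."""
    pool = {ip for _, addrs in responses for ip in addrs}
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in pool}
    short_ttl = bool(responses) and max(ttl for ttl, _ in responses) <= ttl_limit
    return {
        "short_ttl": short_ttl,
        "distinct_ips": len(pool),
        "distinct_nets": len(nets),
        "fast_flux": short_ttl and len(pool) >= min_ips and len(nets) >= min_nets,
    }

# Constructed lookups: a suspected flux name rotates through a fresh set of
# hosts on every query, while a CDN name also has a short TTL but stays within
# one small address block.
FLUX_LOOKUPS = [
    (180, ["203.0.113.10", "203.0.113.77", "198.51.100.3", "192.0.2.44", "203.0.113.9"]),
    (180, ["198.51.100.8", "192.0.2.120", "203.0.113.201", "198.51.100.55", "192.0.2.7"]),
]
CDN_LOOKUPS = [
    (20, ["198.51.100.10", "198.51.100.11"]),
    (20, ["198.51.100.11", "198.51.100.12"]),
]

if __name__ == "__main__":
    print(fast_flux_indicators(FLUX_LOOKUPS))
    print(fast_flux_indicators(CDN_LOOKUPS))
```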
L7 SECURITY
Problem : Secure Email Communication
SMTP / POP / IMAP: no inherent support for confidentiality / integrity / authentication / non-repudiation
First proposal – Privacy Enhanced Mail (PEM): MIC-CLEAR, MIC-ONLY, ENCRYPTED
Assumed a single-root PKI that never really happened.
L7 SECURITY
S/MIME (Secure Multipurpose Internet Mail Extensions)
Uses the Cryptographic Message Syntax (similar to PKCS#7)
Combines MIME support for non-text data (e.g. binary) and multipart e-mails with encrypted/signed message formatting
Separate keys for encryption and signing (key escrow and non-repudiation)
S/MIME and Web-mail clients
L7 SECURITY
PGP – Pretty Good Privacy
OpenPGP (RFC 4880), GnuPG (and various graphical clients or plugins)
Web of Trust: key trust levels Complete / Marginal / Untrusted, trust signatures
Image taken from http://support.gpgtools.org
L7 SECURITY
STARTTLS: extension to plain-text protocols; support for IMAP / POP3 / SMTP / XMPP / LDAP / NNTP
FTPS: explicit – implicit mode
SSH – Secure Shell: public-key cryptography; more secure option than telnet, rlogin, rsh; SFTP / SCP
PROTOCOL TUNNELING
A delivery protocol encapsulates a payload protocol that operates at the same or higher layer.
Can be used to bypass access lists on network traffic, authentication mechanisms and sniffing
PROTOCOL TUNNELING - SSH
Encrypted tunnel between two hosts: HTTP/SMTP/FTP etc. over SSH
Local Port Forwarding:
ssh [email protected] -L 25000:www.google.com:80
http://localhost:25000
PROTOCOL TUNNELING - SSH
Remote Port Forwarding:
ssh [email protected] -R 10000:192.168.1.10:25
Dynamic Port Forwarding: send data to one or multiple destination server(s) via the SSH server; the SSH server acts as a SOCKS proxy server
ssh -D 10000 [email protected]
In the case of HTTP use, DNS requests are still submitted in the clear. Solution: forward DNS requests to the SSH server as well.
PROTOCOL TUNNELING – HTTP(S)
Network security policies commonly permit outgoing TCP 80 (HTTP) and 443 (HTTPS)
HTTP proxies (Squid) may use ACLs disallowing specific sites
Public HTTP Proxy (Apache mod_proxy)
PROTOCOL TUNNELING – DNS
Captive Portals: a transparent proxy forces an HTTP client to authenticate first (payment, acceptable use policy)
The DNS server must nevertheless be accessible to unauthenticated users and may allow unrestricted DNS resolution
DNS tunnel server acting as authoritative for a sub-domain
PROTOCOL TUNNELING - DNS
Query similar to zi05aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ.home.inbroker.ax.lt
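Monitoring heuristics that pick out query names shaped like the tunnel query above (long, high-entropy leftmost label) and base domains that receive an unusual number of distinct names; added example, not from the slides. The query log and the thresholds are constructed, and the base domain is approximated as the last two labels.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded payload scores far higher than a hostname."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def tunnel_reasons(qname, max_label=30, max_entropy=4.0):
    """Per-query shape checks: a tunnel packs its data into a long,
    high-entropy leftmost label. Returns the reasons the name looks suspicious."""
    leftmost = qname.rstrip(".").split(".")[0]
    reasons = []
    if len(leftmost) > max_label:
        reasons.append(f"leftmost label is {len(leftmost)} characters long")
    if len(leftmost) >= 8 and shannon_entropy(leftmost) > max_entropy:
        reasons.append(f"leftmost label entropy is {shannon_entropy(leftmost):.2f} bits/char")
    return reasons

def chatty_domains(qnames, min_unique=20):
    """Volume check across a log: every tunnel message needs a fresh name, so
    one base domain collects an unusual number of distinct leftmost labels.
    The base domain is approximated here as the last two labels."""
    seen = defaultdict(set)
    for q in qnames:
        labels = q.rstrip(".").lower().split(".")
        seen[".".join(labels[-2:])].add(labels[0])
    return {dom for dom, labs in seen.items() if len(labs) >= min_unique}

# Constructed query log: the name from the slide, a burst of tunnel-style
# names under the same domain, and ordinary lookups for comparison.
SLIDE_QUERY = "zi05aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ.home.inbroker.ax.lt"
QUERY_LOG = ([SLIDE_QUERY]
             + [f"msg{i:04d}x7Kp2Qz9.home.inbroker.ax.lt" for i in range(24)]
             + ["www.example.com", "mail.example.com"] * 10)

if __name__ == "__main__":
    print(tunnel_reasons(SLIDE_QUERY))
    print(tunnel_reasons("www.example.com"))   # []
    print(chatty_domains(QUERY_LOG))           # {'ax.lt'}
```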
BOTNETS
A large set of compromised systems controlled by a Bot-Master
System compromise via malware distribution channels
Part of large-scale DDoS attacks or Spam distribution
IRC-based, HTTP(S)-based, P2P-based
HONEYPOTS
A computing resource whose purpose is to be probed, attacked or accessed in any possible unauthorized manner.
Attack monitoring and analysis purposes
Server-side and client-side honeypots
High-interaction and low-interaction honeypots
Physical and virtual honeypots
Web application / SSH / VoIP / USB / Bluetooth / Generic honeypots