Network Security - PowerPoint PPT Presentation

Provided by: acuk
1
Network Security
  • A General Introduction

2
Outline
  • Network Gatekeepers
  • Identifying network threats and countermeasures
  • Using secure router, firewall, and switch
    configurations

3
Network Gatekeepers
  • The network is the entry point to applications
    and controls access to the various servers in
    the enterprise environment
  • The basic components of a network, which act as
    the front-line gatekeepers, are the
  • router,
  • firewall, and
  • switch.

4
Threats and Countermeasures
  • An attacker looks for poorly configured network
    devices to exploit.
  • The following are high-level network threats
  • Information gathering
  • Sniffing
  • Spoofing
  • Session hijacking
  • Denial of service

5
Information Gathering
  • Information gathering can reveal detailed
    information about network topology, system
    configuration, and network devices.
  • Attacks
  • Using Tracert (Traceroute) to detect network
    topology
  • Using Telnet to open ports for banner grabbing
  • Using port scans to detect open ports
  • Using broadcast requests to enumerate hosts on a
    subnet

6
Countermeasures - Information gathering
  • Use generic service banners that do not give
    away configuration information such as software
    versions or names.
  • Use firewalls to mask services that should not be
    publicly exposed

7
Sniffing
  • Sniffing, also called eavesdropping, is the act
    of monitoring network traffic for data, such as
    clear-text passwords or configuration
    information.
  • Vulnerabilities
  • Weak physical security
  • Lack of encryption when sending sensitive data
  • With a simple packet sniffer, all plaintext
    traffic can be read easily

8
Countermeasures
  • Some of the countermeasures
  • Strong physical security that prevents rogue
    devices from being placed on the network
  • Encrypted credentials and application traffic
    over the network

9
Spoofing
  • Spoofing is a means to hide one's true identity
    on the network.
  • A fake source address is used that does not
    represent the actual packet originator's address
  • Vulnerabilities
  • Lack of ingress and egress filtering.
  • Ingress filtering is the filtering of any IP
    packets with untrusted source addresses before
    they have a chance to enter and affect your
    system or network.
  • Egress filtering is the process of filtering
    outbound traffic from your network.

10
Countermeasures
  • Countermeasures
  • Use of ingress and egress filtering on perimeter
    routers using Access Control Lists (ACLs)

11
Denial of Service
  • Network-layer denial of service attacks usually
    try to deny service by flooding the network with
    traffic, which consumes the available bandwidth
    and resources.
  • Vulnerabilities
  • Weak router and switch configuration
  • Unencrypted communication

12
Countermeasures - Denial of service
  • Filtering broadcast requests
  • Filtering Internet Control Message Protocol
    (ICMP) requests
  • Patching and updating of service software

13
Router Considerations
  • The router is the very first line of defense.
  • It provides packet routing,
  • It can also be configured to block or filter the
    forwarding of packet types that are known to be
    vulnerable or used maliciously, such as ICMP

14
Router Considerations - Protocol
  • Protocols
  • Denial of service attacks take advantage of
    protocol-level vulnerabilities, for example, by
    flooding the network
  • Prevent attack
  • Use ingress and egress filtering.
  • Incoming packets with an internal address can
    indicate an intrusion attempt or probe and should
    be denied entry to the perimeter network
  • Set up the router to route outgoing packets only
    if they have a valid internal IP address
  • Screen ICMP traffic from the internal network
  • Blocking ICMP traffic at the outer perimeter
    router protects you from attacks such as
    cascading ping floods
  • ICMP can be used for troubleshooting, but it can
    also be used for network discovery and mapping
  • Enable ICMP in echo-reply mode only

15
Router Considerations - Protocol
  • Protocols
  • Do Not Receive or Forward Directed Broadcast
    Traffic
  • Directed broadcast traffic can be used as a
    vehicle for a denial of service attack
  • Example
  • 10.0.0.0/8
  • 127.0.0.0/8
  • 169.254.0.0/16 link local network
  • Prevent Traceroute packets
  • Trace routing is a means to collect network
    topology information. By blocking packets of this
    type, you prevent an attacker from learning
    details about your network from trace routes.
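
Added example (not part of the original slides): a small Python model of the perimeter-router checks from the two "Router Considerations - Protocol" slides, covering ingress and egress filtering, directed broadcasts and ICMP screening. Assumptions: 192.0.2.0/24 stands in for the internal network, the three ranges listed on the slide are treated as source ranges that must never arrive from outside, and "echo-reply mode only" is read as accepting only inbound ICMP echo-reply.

```python
import ipaddress

# Assumption: 192.0.2.0/24 (a documentation range) stands in for the internal network.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
# Ranges listed on the slide, treated here as sources that must never arrive from outside.
NON_ROUTABLE = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]
ICMP_ECHO_REPLY = 0  # ICMP type 0


def filter_packet(direction, src, dst, proto="tcp", icmp_type=None):
    """Decide one packet at the perimeter router; returns (action, reason).

    direction "in"  = arriving on the external interface,
    direction "out" = leaving the internal network.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "out":
        # Egress: forward only packets with a valid internal source address.
        if src_ip not in INTERNAL_NET:
            return "deny", "egress: source is not an internal address"
        return "permit", "egress: valid internal source"
    if direction != "in":
        raise ValueError("direction must be 'in' or 'out'")
    # Ingress: an internal source address arriving from outside is spoofed.
    if src_ip in INTERNAL_NET:
        return "deny", "ingress: internal source address from outside"
    if any(src_ip in net for net in NON_ROUTABLE):
        return "deny", "ingress: private, loopback or link-local source"
    if dst_ip == INTERNAL_NET.broadcast_address:
        return "deny", "ingress: directed broadcast"
    if proto == "icmp" and icmp_type != ICMP_ECHO_REPLY:
        return "deny", "ingress: ICMP other than echo-reply"
    return "permit", "ingress: passed all checks"


# Constructed sample packets: (direction, src, dst, proto, icmp_type)
SAMPLES = [
    ("in", "192.0.2.10", "192.0.2.20", "tcp", None),    # spoofed internal source
    ("in", "198.51.100.7", "192.0.2.255", "udp", None), # directed broadcast
    ("in", "198.51.100.7", "192.0.2.20", "icmp", 8),    # inbound echo request
    ("in", "198.51.100.7", "192.0.2.20", "icmp", 0),    # inbound echo-reply
    ("out", "203.0.113.5", "198.51.100.7", "tcp", None) # non-internal source leaving
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", *filter_packet(*pkt))
```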

16
Router Considerations
  • Patches and updates
  • Stay current with both security issues and
    service patches
  • Disable unused interfaces.
  • Apply strong password policies.
  • Use static routing.
  • An attacker might try to change routes to cause
    denial of service or to forward requests to a
    rogue server
  • Audit Web-facing administration interfaces

17
Router Considerations - Services
  • Services
  • To reduce the attack surface area, default
    services that are not required should be shut
    down.
  • Examples include bootps and Finger, which are
    rarely required. You should also scan your router
    to detect which ports are open.

18
Firewall - 1
  • The role of the firewall is to block all
    unnecessary ports and to allow traffic only from
    known ports.
  • A firewall should exist anywhere you interact
    with an untrusted network, especially the
    Internet.
  • Separate your Web servers from downstream
    application and database servers with an internal
    firewall
  • The firewall should be configured to monitor for
    and prevent attacks and to detect intrusion
    attempts.
  • A firewall may run on an operating system, be
    hosted by a router, or run on specialist hardware.

19
Firewall - 2
  • The configuration categories for the firewall
    include
  • Patches and updates
  • Filters
  • Auditing and logging
  • Perimeter networks
  • Intrusion detection

20
Switch
  • Switches are designed to improve network
    performance and ease administration
  • Traffic is not shared between switched segments.
  • This is a preventive measure against packet
    sniffing between networks.
  • An attacker can circumvent this security by
  • reconfiguring switching rules
  • using easily accessed administrative interfaces
  • known account names and passwords

21
Considerations - Secure switching
  • Install latest patches and updates
  • Virtual Local Area Networks (VLANs)
  • Virtual LANs separate network segments and allow
    application of access control lists based on
    security rules.
  • Insecure defaults
  • Change all factory default passwords to prevent
    network enumeration or total control of the
    switch
  • Services
  • Ensure all unused services are disabled.

22
Configure router passwords and banners
  • Complete the task given in the lab sheet