Network Security - PowerPoint PPT Presentation

Slides: 28
Provided by: eece5
Transcript and Presenter's Notes

1
Network Security
  • EECE 542
  • Fall 2003

2
Basics
  • Apply security patches (Automated, Managed, or
    Otherwise)
  • Vulnerability assessment tools (remote or client
    based). Ex.: Saint, Nessus, Bindview, LANguard,
    Nmap, TCPView. Find out what you're running!
  • Use antivirus on Clients, Servers, Email (update
    definitions AT LEAST daily)
  • Turn off unnecessary services that listen on a
    network port
  • Backups are your friend!

3
Password Issues
  • Use/require good passwords
  • Expire old passwords
  • Change default passwords
  • Set passwords for screen savers, BIOS, boot
    loaders, etc...
  • Never send passwords (or any sensitive info) in
    clear text
  • Beyond passwords: biometrics, one-time passwords,
    etc. (pluses and minuses to these)

4
Email Issues
  • Email system similar in many ways to postal
    system
  • Headers can be forged
  • Open mail relays
  • Spam and Security
  • Use encrypted forms of the services where
    possible (imaps, pops, etc...)
  • Verify attachments before opening them (scan
    them, call/email sender)
  • Hoaxes

5
Web (http) security
  • Keep browsers patched
  • Make sure sensitive info is sent over SSL
  • Basic http auth
  • SSL and certificates
  • Make sure you have real time antivirus running
    (and updated)
  • Spyware

6
Encryption
  • Symmetric vs. Asymmetric (public key
    cryptography)
  • Authentication or Encryption
  • Digital Signatures
  • What is encrypted (payload or payload + headers,
    authentication or entire session)? VNC...
  • How strong?
  • Algorithms (DES, 3-DES, Blowfish, etc)

7
SNMP
  • SNMP (Read, Read/Write, Defaults)
  • Some uses for SNMP
    • Monitoring network traffic
    • Changing port operations on network equipment
    • Finding a MAC address in a switch
  • Problems with SNMP
    • Default community names and passwords
    • May allow more access to the equipment than you
      want
    • Some implementations require updates to fix
      security holes

8
Wireless Networks
  • Packet sniffing a real problem: shared medium
  • WEP Keys and sniffing
  • Service Hijacking
  • MAC restrictions
  • ALWAYS use encrypted services when doing anything
    remotely sensitive on a wireless network!
  • VPNs can be used if encrypted services are not
    available

9
VPN
  • Virtual Private Network
  • Create encrypted tunnels to connect stations at
    remote sites over the Internet
  • Several protocols exist: PPTP, L2TP, IPSec
  • Simple VPN with SSH (Tunneling)
  • Get IP address from same subnet as VPN server
  • Host to VPN gateway (example)
  • VPN gateway to VPN gateway (example)
  • Where is the traffic actually encrypted?

10
PPTP
  • PPP (layer 2) over IP (RFC 2637)
  • PAP: Password Authentication Protocol
    • Stored encrypted, sent in clear text
  • CHAP: NT Challenge response
    • Stored in clear text (or hash), but not sent out
      that way
  • CHAPv2: More secure version of CHAP
  • Easy to configure under Windows (Win9x/ME only
    support clear text passwords)
  • RFC 1334 (PPP) defines auth. mechanisms

11
PAP
  • Password Authentication Protocol
  • 2 way handshake
  • After link is established, LoginID/Password pair
    is repeatedly sent by the client until the
    authentication is acknowledged or the connection
    is dropped.

12
CHAP
  • CHAP: Challenge Handshake Authentication Protocol
  • Periodically checks the identity of the remote
    client (3-way handshake)
  • Server issues a challenge; the client responds
    with a value obtained from a hash
  • Server compares the response to its own
    calculated value
  • If they match, the authentication is acknowledged
  • Periodic checks reduce risk of connection
    hijacking
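
The challenge/response described on this slide, as an added example that is not part of the original presentation. It uses the RFC 1994 MD5 form (hash of identifier, shared secret and challenge); the peer name and secret are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> shared secret (never sent)
        self.next_id = 0
        self.pending = {}           # peer name -> (identifier, challenge)

    def issue_challenge(self, name: str):
        """Step 1 of the 3-way handshake: fresh identifier and random challenge."""
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)
        self.pending[name] = (self.next_id, challenge)
        return self.next_id, challenge

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3: compare the response to the server's own calculated value."""
        outstanding = self.pending.pop(name, None)   # one attempt per challenge
        if outstanding is None or outstanding[0] != identifier:
            return False
        if name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], outstanding[1])
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed-shared-secret"            # constructed sample value
    server = ChapServer({"branch-gw": secret})
    ident, chal = server.issue_challenge("branch-gw")
    captured = chap_response(ident, secret, chal)    # step 2, seen on the wire
    first = server.verify("branch-gw", ident, captured)
    # Periodic re-check: a new challenge makes the captured response useless.
    ident2, _ = server.issue_challenge("branch-gw")
    replay = server.verify("branch-gw", ident2, captured)
    ident3, chal3 = server.issue_challenge("branch-gw")
    wrong = server.verify("branch-gw", ident3, chap_response(ident3, b"guess", chal3))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```
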

13
L2TP
  • Similar to PPTP
  • Uses PPP with PAP/CHAP
  • Vendor driven, but IETF standard (RFC 2661)
  • Gateway to Gateway or Client to Gateway
  • Voluntary (mobile users) or Compulsory Modes (ISP
    must support it, no Internet access)
  • No Encryption

14
IPSec
  • IP security
  • Set of protocols (part of IPv6)
  • Internet Key Exchange Protocol (IKE)
  • SKIP and ISAKMP (more key management)
  • Authentication Header (AH) (no encryption)
  • Encapsulating Security Payload (ESP)
  • IP Compression (IPCOMP)
  • AH, ESP, and IPCOMP can be combined

15
IPSec (Cont.)
  • Authentication
  • Data Integrity
  • Replay Protection
  • Privacy
  • Can be used to secure L2TP (works with NAT)

16
Firewalls
  • Client/Host based Software Firewalls
    • Iptables, ZoneAlarm, etc...
  • Routers
    • Typically block on IP addr or port
  • Dedicated Firewall
    • Appliance or PC configured with routing rules

17
NAT
  • Network Address Translation
  • External Interface has public IP address
  • Internal interface can have private IP address
  • Entire network masquerades as the single public
    address
  • May allow port redirection
  • May not work with all services
  • Decent protection against automated attacks
  • Sequence #'s can be used to determine # of
    internal hosts

18
Stateful Inspection
  • Keeps track of sessions/connections
  • Allows you to establish outbound connections
    without allowing inbound ones
  • May operate at various levels of the OSI model
  • Application level firewalls may even inspect
    payload (application aware) -- May be affected
    by encryption

19
Bridging Firewall
  • Hardware firewalls typically act as routers
    • Breaks up broadcast domains, requires subnetting,
      must be able to route all layer 3 protocols in
      use, may require configuration changes on the
      client (set gateway)
  • Linux and BSD (and others) support bridging with
    firewall support
    • Transparent (doesn't even require an IP), no
      subnetting, may just bridge frames containing
      unsupported layer 3 protocols, does not break up
      broadcast domains

20
Bastion Host
  • A host and/or firewall that is exposed to the
    Internet
  • Provides public services
  • May act as a firewall

21
Router/Routing Firewall Config
  • Can have multiple interfaces
  • Each interface will need an IP
  • IP for each interface must be on separate subnets
    (routing based on network/subnetwork number)
  • May have more than 2 interfaces

22
Firewall Rules
  • Default policies
  • Typically rules applied in order
  • Last rule may be catch all default policy
  • Traffic Shaping (not really firewall function)

23
What can we filter on?
  • Src, Dst IP
  • Src, Dst port
  • Src, Dst MAC
  • Protocol (tcp, udp, icmp, etc)
  • Time of day

24
Honey Pots
  • Victim host
  • Watch what kind of attacks take place
  • May not run real services
  • Draw attention away from other systems
  • May alert when attacks take place so that other
    systems can be monitored or traffic blocks put in
    place

25
IDS
  • Intrusion Detection Systems
  • File based (Tripwire)
  • Network based (Snort)
  • Signature based vs. anomaly based
  • Could be used to create dynamic firewall rules
  • Use with caution, may make DOS attacks possible!

26
Attack Types
  • Scans
  • DOS
  • DDOS
  • Buffer Overflows
  • Default passwords
  • Brute Force
  • Sniffing
  • Social Engineering

27
Legal and Ethical Issues
  • Should not allow your network to be a liability
    to others
  • Honeypots may pose legal problems
  • Temptation to return fire
  • Notifying sites of abusive behavior from their
    network
  • Log and record retention