A1258607829VWyhQ - PowerPoint PPT Presentation

1 / 58

About This Presentation

Title:

A1258607829VWyhQ

Description:

What is the value to protect the system. Determine if the countermeasure should be implemented. ... Used to locate IP address, version, and model. ... – PowerPoint PPT presentation

Number of Views:51

Avg rating:3.0/5.0

Slides: 59

Provided by: Tri8186

Category:

more less

Transcript and Presenter's Notes

Title: A1258607829VWyhQ

1
Network Security
2
Objectives

Types of Attacks
Attacks on the OSI TCP/IP Model
Attack Methods
Prevention
Switch Vulnerabilities and Hacking
Cisco Routers
Interesting links

3
Types of Attacks

Dialog Attacks
Eavesdropping
Impersonation
Message Alteration

Physical Access Attacks
Wiretapping
Server Hacking
Vandalism

4
Types of Attacks (Cont.)

Social Engineering
Opening Attachments
Password Theft
Information Theft

Penetration Attacks
Scanning (Probing)
Break-in
Denial of Service
Malware
Viruses
Worms

5
Risk Analysis of the Attack

What is the cost if the attack succeeds?
What is the probability of occurrence?
What is the severity of the threat?
What is the countermeasure cost?
What is the value to protect the system
Determine if the countermeasure should be
implemented.
Finally determine its priority.

OSI TCP/IP Related Attacks

7
OSI Model Related Attacks

Session
Password theft
Unauthorized Access with Root permission
Transport Network
Forged TCP/IP addresses
DoS Attacks

Application layer
Attacks on web
Attacks are typically virus
Presentation
Cracking of encrypted transmissions by short
encryption key

8
OSI Model Related Attacks

Data Link Physical
Network Sniffers
Wire Taps
Trojan Horses
Malicious code

9
Attacks Related to TCP Packet

Port Number
Applications are identified by their Port numbers
Well-known ports (0-1023)
HTTP80, Telnet23, FTP21 for supervision, 20
for data transfer, SMTP25
Allows applications to be accessed by the root
user

10
Attacks Related to TCP Packet

IP address spoofing
Change the source IP address
To conceal identity of the attacker
To have the victim think the packet comes from a
trusted host
LAND attack

11
Attacks Related to TCP Packet

Port Number
Registered ports (1024-49152) for any application
Not all operating systems uses these port ranges,
although all use well-known ports

Attack Methods

13
Attack Methods

Host Scanning
Network Scanning
Port Scanning
Fingerprinting

14
Attack Methods (Cont.)

Host Scanning
Ping range of IP addresses or use alternative
scanning messages
Identifies victims
Types of Host scanning
Ping Scanning
TCP SYN/ACK attacks

15
Attack Methods (Cont.)

Network Scanning
Discovery of the network infrastructure
(switches, routers, subnets, etc.)
Tracert and applications similar identifies all
routers along the route to a destination host

16
Attack Methods (Cont.)

Port Scanning
Once a host is identified, scan all ports to find
out if it is a server and what type it is
Two types
Server Port Scanning
TCP
UDP
Client Port Scanning
NetBIOS
Ports 135 139 used for NetBIOS ports used for
file and print services.
GRC.com a free website that scan your pc for open
ports.

17
Attack Methods (Cont.)

Fingerprinting
Discovers the host operating system and
applications as well as the version
Active (sends)
Passive (listen)
Nmap does all major scanning methods

18
Attack Methods (Cont.)

Denial-of-Service (DoS) Attacks
Attacks on availability
SYN flooding attacks overload a host or network
with connection attempts
Stopping DoS attacks is very hard.

19
Attack Methods (Cont.)

The Break-In
Password guessing
Take advantage of unpatched vulnerabilities
Session hijacking

20
After the Compromise

Download rootkit via TFTP
Delete audit log files
Create backdoor account or Trojan backdoor
programs

21
After the Compromise (Cont.)

Weaken security
Access to steal information, do damage
Install malicious software (RAT, DoS zombie, spam
relay, etc.)

Prevention

23
Preventions

Stealth Scanning
Access Control
Firewalls
Proxy Servers

IPsec
Security Policies
DMZ
Host Security

24
Stealth Scanning

Noisiness of Attacks
Exposure of the Attackers IP Address
Reduce the rate of Attack below the IDS Threshold
Scan Selective Ports

25
Access Control

The goal of access control is to prevent
attackers from gaining access, and stops them if
they do.
The best way to accomplish this is by
Determine who needs access to the resources
located on the server.
Decide the access permissions for each resource.
Implement specific access control policies for
each resource.
Record mission critical resources.
Harden the server against attacks.
Disable invalid accounts and establish policies

26
Firewalls

Firewalls are designed to protect you from
outside attempts to access your computer, either
for the purpose of eavesdropping on your
activities, stealing data, sabotage, or using
your machine as a means to launch an attack on a
third party.

27
Firewalls (Cont.)

Hardware
Provides a strong degree of protection from the
outside world.
Can be effective with little or no setup
Can protect multiple systems

Software
Better suite to protect against Trojans and
worms.
Allows you to configure the ports you wish to
monitor. It gives you more fine control.
Protects a single system.

28
Firewalls

Can Prevent
Discovery
Network
Traceroute
Penetration
Synflood
Garbage
UDP Ping
TCP Ping
Ping of Death

29
Proxy

A proxy server is a buffer between your network
and the outside world.
Use an anonymous Proxy to prevent attacks.

30
IPSec

Provides various security services for traffic at
the IP layer
These security services include
Authentication
Integrity
Confidentiality

31
IPsec overview - how IPsec helps
Problem How IPsec helps Details
Unauthorized system access Authentication, tamperproofing Defense in depth by isolating trusted from untrusted systems
Targeted attacks of high-value servers Authentication, tamperproofing Locking down servers with IPsec. Examples HR servers, Outlook Web Access (OWA), DC replication
Eavesdropping Authentication, confidentiality Defense in depth against password or information gathering by untrusted systems
Government guideline compliance Authentication, confidentiality Example All communications between financial servers must be encrypted.
32
DMZ Image
33
Host Security

Hardening Servers
Cisco IOS
Upgrades and Patches
Unnecessary Services
Network Monitoring tools

Switch Vulnerabilities and Hacking

35
CDP Protocol

Used to locate IP address, version, and model.
Mass amounts of packets being sent can fake a
crash
Used to troubleshoot network, but should be
disabled.

36
ARP Poisoning

Give users data by poisoning ARP cache of end
node.
MAC address used to determine destination. Device
driver does not check.
User can forge ARP datagram for man in the middle
attack.

37
SNMP

SNMP manages the network.
Authentication is weak. Public and Private
community keys are clear text.
Uses UDP protocol which is prone to spoofing.
Enable SNMPv3 without backwards compatibility.

38
Spanning Tree Attacks

Standard STP takes 30-45 seconds to deal with a
failure or Root bridge change.
Purpose Spanning Tree Attack reviews the
traffic on the backbone.

39
Spanning Tree Attacks

Only devices affected by the failure notice the
change
The attacker can create DoS condition on the
network by sending BPDUs from the attacker.

40
Spanning Tree Attacks (Cont.)

STEP 1 MAC flood the access switch
STEP 2 Advertise as a priority zero bridge.

41
Spanning Tree Attacks (Cont.)
Spanning Tree Attacks (Cont.)

STEP 3 The attacker becomes the Root bridge!
Spanning Tree recalculates.
The backbone from the original network is now the
backbone from the attacking host to the other
switches on the network.

42
STP Attack Prevention

Disabling STP can introduce another attack.
BPDU Guard
Disables ports using portfast upon detection of a
BPDU message on the port.
Enabled on any ports running portfast

43
STP Attack Prevention

Root Guard
Prevents any ports that can become the root
bridge due to their BPDU

44
CSM and CSM-S

Cisco Content Switching Modules
Cisco Content Switching Module with SSL

45
CDM

Cisco Secure Desktop
3 major vulnerabilities
Maintains information after an Internet browsing
session. This occurs after an SSL VPN session
ends.
Evades the system via the system policies
preventing logoff, this will allow a VPN
connection to be activated.
Allow local users to elevate their privileges.

Prevention
Cisco has software to address the
vulnerabilities.
There are workarounds available to mitigate the
effects of some of these vulnerabilities.

Cisco Routers

48
Cisco Routers

Two potential issues with Cisco Routers
Problems with certain IOS software
SNMP

Devices running Cisco IOS versions 12.0S, 12.2,
12.3 or 12.4
Problem with the software
Confidential information can be leaked out
Software updates on the CISCO site can fix this
problem

Virtual Private Networks

Virtual connection 1
Virtual Connection 2
51

Virtual Private Networks

Error Connection
Information leak
52

Cisco uBR10012 series devices automatically
enable SNMP read/write access
Since there are no access restrictions on this
community string , attackers can exploit this to
gain complete control of the device

53
Attacking Computer
CISCO Router
By sending an SNMP set request with a spoofed
source IP address the attacker will be able to
get the Victim router to send him its
configuration file.
54
Attacking Computer
CISCO Router
With this information, the remote computer will
be able to have complete control over this router
55

Fixes- Software updates available on the CICSO
site that will fix the Read/Write problem

56
Links

http//sectools.org/tools2.html
http//insecure.org/sploits/l0phtcrack.lanman.prob
lems.html
http//www.grc.com/intro.htm
http//www.riskythinking.com
http//www.hidemyass.com/

57
References

http//www.bmighty.com/network/showArticle.jhtmlj
sessionid2YYDWJHHX3FL2QSNDLPSKHSCJUNN2JVN?article
ID202401432pgno2
http//www.juniper.net/security/auto/vulnerabiliti
es/vuln19998.html
http//www.blackhat.com/presentations/bh-usa-02/bh
-us-02-convery-switches.pdf
http//www.askapache.com/security/hacking-vlan-swi
tched-networks.html
http//marc.info/?lbugtraqm116300682804339w2
http//www.secureroot.com/security/advisories/9809
702147.html