Network Security and Forensics - PowerPoint PPT Presentation

1 / 59
About This Presentation
Title:

Network Security and Forensics

Description:

Network Security and Forensics Professor James L. Antonakos Computer Science Department Broome Community College Scenario #5: Watch the Traffic Here we have ICMP ... – PowerPoint PPT presentation

Number of Views:639
Avg rating:3.0/5.0
Slides: 60
Provided by: ReidJi
Category:

less

Transcript and Presenter's Notes

Title: Network Security and Forensics


1
Network Securityand Forensics
  • Professor James L. Antonakos
  • Computer Science Department
  • Broome Community College

2
Topics
  • My Teaching Goals
  • The Networking Lab We Use
  • Why Bother?
  • Scenario 1 Switched LANs
  • Scenario 2 DHCP Not Working
  • Scenario 3 Baselining Your Network
  • Scenario 4 Logs, Logs, Logs
  • Scenario 5 Watch the Traffic
  • Scenario 6 Wireless Freedom?
  • Scenario 7 Mystery Traffic
  • Scenario 8 Telnet DoS Attack
  • Scenario 9 Exploring Steganography
  • Final Comments

3
My Teaching Goals
  • Get students interested, excited, and curious
    about security and forensics.
  • Show students how to use different hardware and
    software tools.
  • Reinforce knowledge from other courses.
  • Show students how to learn.
  • Increase my own knowledge by learning from
    students.

4
The Networking Lab We Use
5
Networking Lab Details
  • Lab is fed from a Cisco ASA firewall in network
    closet.
  • Managed Asante switch is fed from Linksys router.
  • Thirteen desktop PCs running Windows XP (with
    Linux and Windows Server partitions also).
  • Networked Axis video camera.
  • Linksys wireless access point.
  • Local file server.
  • HP network printer.
  • Additional Linksys router feeds small test
    network.

6
Network Lab Details, Part 2
  • Internet connection for lab is through Time
    Warner RoadRunner.
  • This allows us to do things that are not possible
    on the campus network
  • Capture traffic
  • Add devices
  • Use Administrator privileges on the lab
    computers
  • Install / remove / test software

7
Why Bother?
  • What are we looking for?
  • Network policy violations
  • Compliance violations
  • Access violations
  • Security violations
  • Performance issues
  • Why Bother?
  • Justify IT existence and budget
  • Keep network running smoothly and in compliance
  • Better informed future planning

8
Scenario 1 Switched LANs
9
Scenario 1 Switched LANs
  • What has the SwitchSniffer application found?
  • IP and MAC addresses
  • Machine names
  • Operating systems
  • Network vendors
  • Questions to students
  • How did SwitchSniffer do all this?
  • Are we safe on a switched LAN?

10
Scenario 1 Switched LANs
11
Scenario 1 Switched LANs
  • Wireshark ran on the machine whose IP address was
    192.168.1.104.
  • SwitchSniffer was run on the same machine so that
    Wireshark could capture all traffic associated
    with the program.
  • Questions to students
  • Why is SwitchSniffer using ARP?
  • Where is the ARP for 192.168.1.1?

12
Scenario 1 Switched LANs
13
Scenario 1 Switched LANs
  • An ARP reply shows that an IP address is active
    and also returns the MAC address of the device.
  • Question to students
  • Does the time difference between the ARP request
    and ARP reply tell us something about the device
    (fast response means dedicated hardware, slow
    means operating system)?

14
Scenario 1 Switched LANs
15
Scenario 1 Switched LANs
16
Scenario 1 Switched LANs
  • SwitchSniffer has used SMBs with some discovered
    devices to learn more about them.
  • The Follow TCP Stream feature of Wireshark
    shows what SwitchSniffer learns via the SMB
    session.
  • Question to students
  • Why does SwitchSniffer use SMBs with some
    devices but not all?

17
Scenario 1 Switched LANs
18
Scenario 1 Switched LANs
  • We examined the SwitchSniffer program using the
    Strings utility.
  • We found a large list of NIC Vendor names and
    their associated 24-bit MAC address ID.
  • SwitchSniffer used the MAC address from the ARP
    reply to search its internal database. Flagged
    vendor IDs caused a SMB session to follow.

19
Scenario 1 Switched LANs
  • What did the students learn?
  • Not really safe even on a switched LAN.
  • How to use Wireshark.
  • The power of the ARP protocol.
  • How to use the Strings utility.
  • Overall, one way to investigate the operation of
    a network-based program.

20
Scenario 2 DHCP Not Working
  • A student in the lab indicated he could not get
    to the Internet.
  • I used IPCONFIG to examine the IP address of the
    students computer. It was 169.12.75.4.
  • Seeing the 169, I assumed there was a connection
    problem and checked the network cable, and
    restarted the laboratory switch and router. No
    luck.

21
Scenario 2 DHCP Not Working
  • Then the student told me something interesting.
  • He said We did a router lab in Advanced
    Networking today.
  • Being familiar with the router lab experiment, I
    immediately checked the TCP/IP Properties of the
    network connection.

22
Scenario 2 DHCP Not Working
23
Scenario 2 DHCP Not Working
  • The router lab instructor used a static IP
    address similar to the auto-IP address assigned
    when DHCP is not working.
  • The student forgot to re-enable DHCP at the end
    of the lab experiment.
  • What the students learned
  • Users will make changes to their system if they
    are able.
  • Do not make assumptions about system properties.
    Check settings whenever possible.

24
Scenario 3 Baselining Your Network
  • A baseline provides a picture of your network
    under normal conditions.
  • Depending on your network, the baseline may need
    to be established over a long period of time.
  • Deviations from the baseline indicate incidents
    that may require further attention.

25
Scenario 3 Baselining Your Network
26
Scenario 3 Baselining Your Network
27
Scenario 3 Baselining Your Network
28
Scenario 3 Baselining Your Network
29
Scenario 4 Logs, Logs, Logs
  • Logging should be enabled on firewalls, routers,
    computers, and other loggable network devices.
  • Logs must also be examined or reviewed on a
    timely basis.
  • Depending on the log, it may not be easy to
    locate suspicious information.

30
Scenario 4 Logs, Logs, Logs
31
Scenario 4 Logs, Logs, Logs
32
Scenario 4 Logs, Logs, Logs
  • What the students learned
  • The right software makes log analysis easier.
  • Even with the right software, reviewing the log
    results requires time and patience.

33
Scenario 5 Watch the Traffic
  • Here is captured Skype traffic even with no phone
    conversation taking place.
  • Once the conversation begins, there will be 25
    messages/second in each direction carrying 320
    bytes of digital voice information.
  • Adding Skype video to the call increases the
    required bandwidth.
  • Multiple users engaging in Skype can quickly eat
    up a significant portion of available network
    bandwidth.

34
Scenario 5 Watch the Traffic
  • Here we have ICMP messages flooding the network
    from a computer infected with Nachi.

35
Scenario 5 Watch the Traffic
  • Here we have ARP traffic using some interesting
    Destination addresses.

36
Scenario 5 Watch the Traffic
  • These strange Destination MAC addresses are
    designed to locate computers whose network
    adapters are running in Promiscuous mode (ie
    they are sniffing traffic).

37
Scenario 5 Watch the Traffic
  • What the students learned
  • Network traffic needs to be examined.
  • Even legal traffic can cause problems on the
    network.
  • ARP traffic can be used for malicious purposes.
  • Malicious code may use simple messages (ICMP,
    ARP) to locate victims.
  • It is possible to discover network adapters
    running in Promiscuous mode.

38
Scenario 6 Wireless Freedom?
  • There are plenty of tools available that will
    locate and identify wireless networks.

39
Scenario 6 Wireless Freedom?
  • Finding wireless networks is now a built-in tool.

40
Scenario 6 Wireless Freedom?
  • I take my students on a war driving exercise each
    year. We take note of the number of wireless
    networks discovered and how many are secured.
  • We compare the results with the previous years
    results to gain appreciation for the yearly
    growth.
  • We also war-walk around campus, looking for
    rouge access points to report to the Computer
    Center.

41
Scenario 6 Wireless Freedom?
  • At the same time, we take note of the signal
    strength as we move from room to room and
    building to building to gain an understanding of
    how the buildings construction affects signal
    strength.
  • Our campus provides unsecured wireless access in
    all buildings.
  • All wireless traffic is pushed onto VLAN-10
    where it is connected directly to the Internet
    with no access to college servers or other
    networked devices or services.

42
Scenario 7 Mystery Traffic
43
Scenario 7 Mystery Traffic
  • Things the students picked up on
  • The source port number keeps increasing by 1.
  • The destination port number bounces around
    seemingly at random, but all in the 7000 range.
  • The data area of the UDP datagrams contain an
    increasing integer sequence (100, 101, 102,
    etc).
  • Why all the ICMP messages?

44
Scenario 7 Mystery Traffic
7099
7100
7032
7047
7117
7115
7114
7047
7098
7105
7110
7013
  • Taking a closer look at the destination port
    numbers, we have

45
Scenario 7 Mystery Traffic
  • First we remove the 7000 bias on the port
    numbers.
  • The Value numbers are actually decimal values for
    ASCII codes.
  • The network traffic represents the command cd
    /usr/bin

Port Value ASCII
7099 99 c
7100 100 d
7032 32
7047 47 /
7117 117 u
7115 115 s
7114 114 r
7047 47 /
7098 98 b
7105 105 i
7110 110 n
7013 13 ltcrgt
46
Scenario 7 Mystery Traffic
  • I explain to the students that this is one way to
    hide commands sent from one computer to another.
  • Question to students
  • What is required on the destination computer in
    order to be able to receive commands in this way?

47
Scenario 8 Telnet DoS Attack
  • During registration week, faculty were not able
    to Telnet to the registration server, or were
    disconnected during a session, or experienced
    slow response from the server.
  • The cause of the trouble was an external DoS
    attack against the Telnet server.
  • The short term solution involved turning off
    access to the Telnet port from the outside.
  • The long term solution involved switching to
    secure Telnet and FTP from off campus.

48
Scenario 9 Exploring Steganography
  • Steganography is a way of hiding one form of
    information inside another.
  • In Greek, the word stegos means covered
    writing.
  • It is not obvious that anything is hidden.

49
Scenario 9 Exploring Steganography
  • What can you hide?
  • Practically any type of digital file can be
    hidden inside another digital file.
  • Example 1 A Word document can be hidden inside
    a JPG image. The image looks normal to the naked
    eye.
  • Example 2 A text file is hidden inside a WAV
    file. The WAV file sounds fine when it is played.

50
Scenario 9 Exploring Steganography
  • Do you see anything?

51
Scenario 9 Exploring Steganography
  • Where is the information?

52
Scenario 9 Exploring Steganography
  • Here are the results after adjusting the pixel
    color.
  • This is not a very difficult process to crack.

53
Scenario 9 Exploring Steganography
  • Do you see any differences? The JPG image on the
    right contains a hidden file which was put there
    using a program called JPHS (JPG Hide and Seek).

54
Scenario 9 Exploring Steganography
  • If every pixel was the same the result of
    subtracting the images would be an all-black
    image.

55
Scenario 9 Exploring Steganography
  • The second image actually contains a 1400-line C
    program for a video game.

56
Scenario 9 Exploring Steganography
  • What the students have seen
  • You must know where to look in a file to find
    hidden information.
  • You must know the process used to hide the
    information.
  • You must know some strange math to understand
    how some steganography techniques work.
  • You need to know a lot about computers and file
    types to be able to investigate steganography
    techniques.

57
Final Comments
  • To perform true incident response and network
    forensics, it may be necessary to have access to
    all network traffic, or at least all traffic
    concentrated in the problem area.
  • The amount of traffic exchanged on a business or
    educational network may be difficult to store due
    to lack of resources (ie several TB each day).

58
Final Comments
  • Some intrusions are not discovered until days,
    weeks, or even months after they have taken
    place.
  • Some questions to answer
  • Where do you tap into the network to capture
    traffic?
  • How long do you store the captured traffic?
  • How often do you review the captured traffic?
  • What changes should be made to prevent future
    problems?

59
Thank you!
  • Professor James L. Antonakos
  • antonakos_j_at_sunybroome.edu
  • (607) 778-5122
Write a Comment
User Comments (0)
About PowerShow.com