Page 1

Hands-On Ethical Hacking and Network Defense, 2nd Edition
Chapter 13: Protecting Networks with Security Devices
Last modified 5-2-15

Page 2

Objectives

Explain how routers are used to protect networks

Describe firewall technology

Describe intrusion detection systems

Describe honeypots

Page 3

Understanding Routers

Page 4

Routers

Routers are like intersections; switches are like streets

– Image from Wikipedia (link Ch 13a)

Page 5

Understanding Routers

Routers are hardware devices used on a network to send packets to different network segments

– Operate at the network layer of the OSI model

Page 6

Routing Protocols

Routers tell one another what paths are available with routing protocols

– Link-state routing protocol

Each router has complete information about every network link

Example: Open Shortest Path First (OSPF)

– Distance-vector routing protocol

Routers only know which direction to send packets, and how far

Example: Routing Information Protocol (RIP)

Page 7

Routing Protocols

– Path-vector routing protocol

Used on the Internet backbone

Example: Border Gateway Protocol (BGP)

Page 8

China's BGP Hijacking

Link Ch 13v

Page 10

IP hijacking via BGP

– Simply advertise routes to IP addresses assigned to other companies, but unused

– Like pirate radio

– Link Ch 13z4

Page 12

Cisco Routers

Image from cisco.com (link Ch 13b)

Page 13

Understanding Basic Hardware Routers

Cisco routers are widely used in the networking community

– More than one million Cisco 2500 series routers are currently being used by companies around the world

Vulnerabilities exist in Cisco as they do in any operating system

– See link Ch 13c

Page 14

Cisco Router Components

Internetwork Operating System (IOS)

Random access memory (RAM)

– Holds the router's running configuration, routing tables, and buffers

– If you turn off the router, the contents stored in RAM are wiped out

Nonvolatile RAM (NVRAM)

– Holds the router's configuration file, but the information is not lost if the router is turned off

Page 15

Cisco Router Components

Flash memory

– Holds the IOS the router is using

– Is rewritable memory, so you can upgrade the IOS

Read-only memory (ROM)

– Contains a minimal version of the IOS used to boot the router if flash memory gets corrupted

Page 16

Cisco Router Components

Interfaces

– Hardware connectivity points

– Example: an Ethernet port is an interface that connects to a LAN

Page 17

Cisco IOS is controlled from the command line

The details are not included in this class

Skip pages 376-378

Page 18

Standard IP Access Lists

Can restrict IP traffic entering or leaving a router's interface based on source IP address

– To restrict traffic from Network 3 from entering Network 1, the access list looks like:

access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any

Page 19

Extended IP Access Lists

Restricts IP traffic entering or leaving based on:

– Source IP address

– Destination IP address

– Protocol type

– Application port number
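As an added example (not from the textbook or these slides), the following Python evaluates Cisco-style standard and extended access lists the way the router does: wildcard-mask matching, first match wins, and the implicit deny at the end of every list. The standard list is the slide's list 1; the extended list 101, the test addresses and all function names are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AddrSpec = Tuple[int, int]          # (address, wildcard mask) as 32-bit integers
ANY: AddrSpec = (0, 0xFFFFFFFF)     # every bit is "don't care"


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches everything; "tcp"/"udp"/"icmp" only that protocol
    src: AddrSpec
    dst: AddrSpec                   # ANY for a standard list, which only looks at the source
    dport: Optional[int] = None     # "eq <port>" on an extended list


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse one address spec ('any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W')
    starting at tok[i]; return the spec and the index of the next token."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_to_int(tok[i + 1]), 0), i + 2
    # Cisco wildcard mask: a 1 bit means "ignore this bit", the inverse of a subnet mask
    return (_to_int(tok[i]), _to_int(tok[i + 1])), i + 2


def parse_acl(text: str) -> Dict[str, List[Rule]]:
    """Turn 'access-list ...' lines into ordered rule lists keyed by list number."""
    acls: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                                  # blank line or something else
        list_id, action = tok[1], tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in line: {line}")
        if tok[3] in ("ip", "tcp", "udp", "icmp"):    # extended list: proto src dst [eq port]
            src, i = parse_addr(tok, 4)
            dst, i = parse_addr(tok, i)
            dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acls.setdefault(list_id, []).append(Rule(action, tok[3], src, dst, dport))
        else:                                         # standard list: source address only
            src, _ = parse_addr(tok, 3)
            acls.setdefault(list_id, []).append(Rule(action, "ip", src, ANY))
    return acls


def addr_matches(spec: AddrSpec, dotted: str) -> bool:
    pattern, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF                     # bits the rule actually compares
    return (_to_int(dotted) ^ pattern) & care == 0


def evaluate(rules: List[Rule], src: str, dst: str = "0.0.0.0",
             proto: str = "ip", dport: Optional[int] = None) -> str:
    """Apply the list top-down: the first matching rule decides. A packet that
    matches nothing hits the implicit 'deny any' at the end of every Cisco ACL."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not addr_matches(r.src, src) or not addr_matches(r.dst, dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Constructed configuration: the slide's standard list 1 plus a constructed
# extended list 101 that only lets TCP port 80 reach one host.
ACL_TEXT = """\
access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any
access-list 101 permit tcp any host 10.13.61.18 eq 80
access-list 101 deny ip any any
"""
ACLS = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    print("list 1, source 173.110.5.7 ->", evaluate(ACLS["1"], "173.110.5.7"))
    print("list 1, source 173.111.0.1 ->", evaluate(ACLS["1"], "173.111.0.1"))
    print("list 101, tcp/80 to 10.13.61.18 ->",
          evaluate(ACLS["101"], "8.8.8.8", "10.13.61.18", "tcp", 80))
```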

Page 20

Michael Lynn

He presented a major Cisco security vulnerability at the Black Hat security conference in 2005

He lost his job, was sued, conference materials were confiscated, etc.

– See links Ch 13 d, e, f, g

Page 21

Understanding Firewalls

Page 22

Understanding Firewalls

Firewalls are hardware devices or software installed on a system and have two purposes

– Controlling access to all traffic that enters an internal network

– Controlling all traffic that leaves an internal network

Page 23

Hardware Firewalls

Advantage of hardware firewalls

– Faster than software firewalls (more throughput)

Disadvantages of hardware firewalls

– You are limited by the firewall's hardware

Number of interfaces, etc.

– Usually filter incoming traffic only (link Ch 13i)

Page 24

Software Firewalls

Advantages of software firewalls

– Customizable: can interact with the user to provide more protection

– You can easily add NICs to the server running the firewall software

Page 25

Software Firewalls

Disadvantages of software firewalls

– You might have to worry about configuration problems

– They rely on the OS on which they are running

Page 26

Firewall Technologies

Network address translation (NAT)

Access lists

Packet filtering

Stateful packet inspection (SPI)

Application layer inspection

Page 27

Network Address Translation (NAT)

Internal private IP addresses are mapped to public external IP addresses

– Hides the internal infrastructure

Port Address Translation (PAT)

– This allows thousands of internal IP addresses to be mapped to one external IP address

– Each connection from the private network is mapped to a different public port

Page 28

Diagram: Router providing NAT and PAT

Private addresses: 192.168.1.101:1100, 192.168.1.102:1100, 192.168.1.102:1103

Public addresses: 147.144.20.1:1201, 147.144.20.1:1202, 147.144.20.1:1203
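As an added example (not from the textbook or these slides), this Python models the PAT table behind the diagram: the two private hosts and the public address 147.144.20.1 come from the slide, while the outside web server 203.0.113.10, the stray sender 198.51.100.7 and the class and function names are constructed. It shows how one public address carries several connections and why a packet that matches no entry is dropped.

```python
from itertools import count
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]     # (private ip, private port, remote ip, remote port)
Addr4 = Tuple[str, int, str, int]    # (src ip, src port, dst ip, dst port) of a packet


class PatTable:
    """Port Address Translation on a router with a single public address.

    Every outbound connection gets its own public source port, so two private
    hosts may both use source port 1100 (as in the slide) and still be told
    apart by the port the router chose. An inbound packet is only translated
    back when it matches a flow an inside host opened; anything else is dropped,
    which is how PAT hides the internal infrastructure."""

    def __init__(self, public_ip: str, first_port: int = 1201):
        self.public_ip = public_ip
        self._ports = count(first_port)          # next unused public port
        self.by_flow: Dict[Flow, int] = {}       # private flow -> public port
        self.by_port: Dict[int, Flow] = {}       # public port -> private flow

    def outbound(self, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Addr4:
        """Rewrite an inside->outside packet; allocate a public port on first use."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            port = next(self._ports)
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Addr4]:
        """Rewrite an outside->inside packet, or return None if it must be dropped."""
        if dst_ip != self.public_ip:
            return None                          # not addressed to this router
        flow = self.by_port.get(dst_port)
        if flow is None:
            return None                          # no inside host opened this public port
        priv_ip, priv_port, remote_ip, remote_port = flow
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                          # right port, wrong peer: unsolicited
        return (src_ip, src_port, priv_ip, priv_port)


def demo() -> Tuple[list, Optional[Addr4], Optional[Addr4]]:
    """Constructed traffic matching the slide's diagram: private hosts
    192.168.1.101 and 192.168.1.102 behind public address 147.144.20.1,
    all talking to one constructed web server 203.0.113.10:80."""
    pat = PatTable("147.144.20.1")
    web = ("203.0.113.10", 80)
    translated = [
        pat.outbound("192.168.1.101", 1100, *web),   # -> 147.144.20.1:1201
        pat.outbound("192.168.1.102", 1100, *web),   # -> 147.144.20.1:1202
        pat.outbound("192.168.1.102", 1103, *web),   # -> 147.144.20.1:1203
    ]
    # The server's reply to public port 1202 goes back to 192.168.1.102:1100 ...
    reply = pat.inbound(web[0], web[1], "147.144.20.1", 1202)
    # ... while a packet from some other host to the same port has no flow and is dropped.
    stray = pat.inbound("198.51.100.7", 4444, "147.144.20.1", 1202)
    return translated, reply, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```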

Page 29

Access Lists

A series of rules to control traffic

Criteria

– Source IP address

– Destination IP address

– Ports or services

– Protocol (usually UDP or TCP)

Page 30

Packet Filtering

Packet filters screen traffic based on information in the header, such as

– Protocol type

– IP address

– TCP/UDP port

– More possibilities

Page 31

Stateful Packet Inspection (SPI)

Stateful packet filters examine the current state of the network

– If you have sent a request to a server, packets from that server may be allowed in

– Packets from the same server might be blocked if no request was sent first

Page 32

State Table

Stateful firewalls maintain a state table showing the current connections

Page 33

ACK Port Scan

Used to get information about a firewall

Stateful firewalls track connections and block unsolicited ACK packets

Stateless firewalls only block incoming SYN packets, so you get a RST response

We covered this in Chapter 5

Page 34

Stateful Packet Inspection (SPI)

Stateful packet filters recognize types of anomalies that most routers ignore

Stateless packet filters handle each packet on an individual basis

– This makes them less effective against some attacks, such as the "reverse shell"
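As an added example (not from the textbook or these slides), this Python runs the same three packets through a stateless filter that only blocks inbound SYNs and through a stateful filter that keeps the state table described on the previous slides. The 192.168.1.0/24 LAN, the outside addresses, the flag sets and all class and function names are constructed; the point is to see why the unsolicited ACK from page 33 is dropped by one and answered with a RST behind the other.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN behind the firewall
ConnKey = Tuple[str, int, str, int]                     # (inside ip, inside port, outside ip, outside port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]          # subset of {"SYN", "ACK", "FIN", "RST"}


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def stateless_filter(pkt: Packet) -> str:
    """Stateless rule from the slide: block inbound SYNs (new connections from
    outside) and judge every other packet on its own. Returns what the outside
    sender observes: 'blocked', 'forwarded', or 'RST' when an unsolicited ACK
    reaches the host, which answers with a reset because it has no such connection."""
    if not is_internal(pkt.src):
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return "blocked"
        if "ACK" in pkt.flags and "SYN" not in pkt.flags:
            return "RST"
    return "forwarded"


class StatefulFilter:
    """Keeps a state table of connections opened from inside; an inbound packet
    is forwarded only when it belongs to one of them."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    def handle(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            key: ConnKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table[key] = "SYN_SENT"                # inside host starts a connection
            elif pkt.flags & {"FIN", "RST"}:
                self.table.pop(key, None)                   # connection torn down
            return "forwarded"                              # outbound traffic is allowed
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)      # look up from the inside host's view
        state = self.table.get(key)
        if state is None:
            return "dropped"         # unsolicited: no request was sent first (ACK-scan probes land here)
        if state == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
            self.table[key] = "ESTABLISHED"                 # the server's SYN/ACK completes the entry
        return "forwarded"


def demo() -> Tuple[List[str], List[str], Dict[ConnKey, str]]:
    """Constructed packets: an inside host opens a web connection, the server
    replies, then an outside host sends an unsolicited ACK to port 22 on the
    same inside host."""
    fw = StatefulFilter()
    request = Packet("192.168.1.10", 40000, "203.0.113.5", 80, frozenset({"SYN"}))
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 40000, frozenset({"SYN", "ACK"}))
    probe = Packet("198.51.100.9", 5555, "192.168.1.10", 22, frozenset({"ACK"}))
    stateful = [fw.handle(p) for p in (request, reply, probe)]
    stateless = [stateless_filter(p) for p in (request, reply, probe)]
    return stateful, stateless, dict(fw.table)


if __name__ == "__main__":
    stateful, stateless, table = demo()
    print("stateful :", stateful)
    print("stateless:", stateless)
    print("state table:", table)
```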

Page 35

Application Layer Inspection

An application-layer firewall can detect Telnet or SSH traffic masquerading as HTTP traffic on port 80
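As an added example (not from the textbook or these slides), this Python compares a port-based packet filter with an application-layer check on three constructed connections to TCP port 80. It identifies the protocol from the first bytes a client sends: an HTTP/1.x request line, the "SSH-" identification string every SSH peer sends first (RFC 4253), or the Telnet IAC byte 0xFF that opens option negotiation (RFC 854). The sample bytes and all function names are constructed.

```python
import re
from typing import Tuple

# An HTTP/1.x request starts with a request line: method, target, version, CRLF.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n")
SSH_BANNER_PREFIX = b"SSH-"   # identification string every SSH peer sends first (RFC 4253)
TELNET_IAC = 0xFF             # "Interpret As Command" byte that opens Telnet option negotiation (RFC 854)


def classify_stream(first_bytes: bytes) -> str:
    """Name the application protocol from the first bytes on a TCP stream,
    ignoring the port number entirely."""
    if first_bytes.startswith(SSH_BANNER_PREFIX):
        return "ssh"
    if first_bytes[:1] == bytes([TELNET_IAC]):
        return "telnet"
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    return "unknown"


def packet_filter_decision(port: int) -> str:
    """What a port-based packet filter does: it only sees the port."""
    return "allow" if port in (80, 443) else "block"


def app_layer_decision(port: int, first_bytes: bytes) -> str:
    """What an application-layer firewall does for port 80: forward only streams
    that actually carry HTTP, and name what else was found so it can be logged."""
    proto = classify_stream(first_bytes)
    if port == 80 and proto != "http":
        return f"block: {proto} masquerading as HTTP on port 80"
    return f"allow: {proto}"


# Constructed client-side openings of three connections, all to TCP port 80.
SAMPLES = {
    "web": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",                        # constructed banner
    "telnet": bytes([0xFF, 0xFB, 0x18, 0xFF, 0xFB, 0x20]),    # IAC WILL TERMINAL-TYPE, IAC WILL TSPEED
}


def demo() -> Tuple[dict, dict]:
    """Compare both firewalls on the same three streams."""
    port_based = {name: packet_filter_decision(80) for name in SAMPLES}
    app_based = {name: app_layer_decision(80, data) for name, data in SAMPLES.items()}
    return port_based, app_based


if __name__ == "__main__":
    port_based, app_based = demo()
    for name in SAMPLES:
        print(f"{name:7s} packet filter: {port_based[name]:6s} app-layer: {app_based[name]}")
```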

Page 36

Implementing a Firewall

Using only one firewall between a company's internal network and the Internet is dangerous

– It leaves the company open to attack if a hacker compromises the firewall

Use a demilitarized zone instead

Page 37

Demilitarized Zone (DMZ)

A DMZ is a small network containing resources available to Internet users

– Helps maintain security on the company's internal network

Sits between the Internet and the internal network

It is sometimes referred to as a "perimeter network"

Page 40

Understanding the Cisco ASA (Adaptive Security Appliance) Firewall

Replaced the Cisco PIX firewall

– One of the most popular firewalls on the market

Page 41

Configuration of the ASA Firewall

Working with a PIX firewall is similar to working with any other Cisco router

Login prompt:

If you are not authorized to be in this XYZ Hawaii network device, log out immediately!

Username: admin
Password: ********

– This banner serves a legal purpose

– A banner that says "welcome" may prevent prosecution of hackers who enter

Page 42

Access List

ciscoasa(config)# show run access-list
access-list PERMITTED_TRAFFIC remark VPN-CONC1 TO TERMINAL CLOSET1B
access-list PERMITTED_TRAFFIC extended permit ip host 10.13.61.98 host 10.13.61.18
access-list NONE extended deny ip any any log
access-list CAP-ACL extended permit ip any any

Page 43

ASA Features

Can group objects, such as terminals and servers, and filter traffic to and from them

High throughput, and many more features

– See link Ch 13w

Page 44

Using Configuration and Risk Analysis Tools for Firewalls and Routers

Center for Internet Security

– cisecurity.org

Configuration benchmarks and risk assessment tools

Free "Router Audit Tool" and many other tools

– Link Ch 13x

Page 45

RedSeal

Commercial tool to assess network security and compliance

Diagram shows traffic flow between devices

Link Ch 13y

Page 46

Understanding Intrusion Detection and Prevention Systems

Page 47

Intrusion Detection Systems (IDSs)

Monitor network devices so that security administrators can identify attacks in progress and stop them

An IDS looks at the traffic and compares it with known exploits

– Similar to antivirus software using a signature file to identify viruses

Types

– Network-based IDSs

– Host-based IDSs

Page 48

Network-Based and Host-Based IDSs

Network-based IDSs

– Monitor activity on network segments

– They sniff traffic and alert a security administrator when something suspicious occurs

See link Ch 13o

Page 49

Network-Based and Host-Based IDSs

Host-based IDSs

– The software is installed on the server you're attempting to protect, like antivirus software

– Used to protect a critical network server or database server

Page 50

Passive and Active IDSs

IDSs are categorized by how they react when they detect suspicious behavior

– Passive systems

Send out an alert and log the activity

Don't try to stop it

– Active systems

Log events and send out alerts

Can also interoperate with routers and firewalls to block the activity automatically

Page 51

Intrusion Detection and Prevention Systems

Page 52

Aurora Attack

December 2009

(not in textbook)

Page 53

"Aurora" Attack on Google

In December 2009, Google discovered that confidential materials were being sent out of their network to China

Google hacked into the Chinese server and stole data back, discovering that dozens of other companies had also been exploited, including Adobe and Intel

Page 54

Aurora Attack Sequence

Attacks were customized for each target based on vulnerable software and antivirus protection

1. A user is tricked into visiting a malicious website

2. Browser exploited to load malware on the target PC

3. Malware calls home to a control server

4. Local privilege escalation

Page 55

Aurora Attack Sequence

5. Active Directory password database stolen and cracked

6. Cracked credentials used to gain VPN access

7. Valuable data is sent to China

Page 56

New Recommendations

Links Ch 13z1, 13z2

Page 57

Understanding Honeypots

Page 58

Understanding Honeypots

Honeypot

– Computer placed on the perimeter of a network

– Contains information intended to lure and then trap hackers

Computer is configured to have vulnerabilities

Goal

– Keep hackers connected long enough so they can be traced back

Page 59

How They Work

A honeypot appears to have important data or sensitive information stored on it

– Could store fake financial data that tempts hackers to attempt browsing through the data

Hackers will spend time attacking the honeypot

– And stop looking for real vulnerabilities in the company's network

Honeypots also enable security professionals to collect data on attackers

Page 60

Commercial Honeypots

Page 61

Open-Source Honeypots

Page 62

How They Work (continued)

Virtual honeypots

– Honeypots created using software solutions instead of hardware devices

– Example: Honeyd

Page 63

Project Honey Pot

Web masters install software on their websites

When spammers harvest email addresses from sites, HoneyNet's servers record the IP of the harvester

– Can help prosecute the spammers and block the spam

Link Ch 13p

Page 64

Uses a Capture Server and one or more Capture Clients

– The clients run in virtual machines

– Clients connect to suspect Web servers

– If the client detects an infection, it alerts the Capture Server and restores itself to a clean state

– The server gathers data about malicious websites

See link Ch 13q

Page 65

Web Application Firewalls

(not in textbook)

Page 66

Web Application Attacks

A normal firewall must allow Web traffic

Doesn't stop attacks like SQL injection

Figure from Imperva, link Ch 13u

Page 67

Web Application Firewalls

There are many WAFs available

See link Ch 13t

Page 68

How a WAF Works

Constantly-updated list of attack signatures

Protects a vulnerable application

Page 69

CloudFlare

(not in textbook)

Page 70

Reverse Proxies

Cloudflare protects Web servers by intercepting requests and caching content

Makes a Website faster and much more secure

Used in real combat: LulzSec hid their site behind CloudFlare in Summer 2011 and th3j35t3r could not find them