Hands-On Ethical Hacking and Network Defense Chapter 13 Protecting Networks with Security Devices.
Hands-On Ethical Hacking and Network Defense, 2nd Edition
Chapter 13: Protecting Networks with Security Devices
Last modified 5-2-15
Objectives
Explain how routers are used to protect networks
Describe firewall technology
Describe intrusion detection systems
Describe honeypots
Understanding Routers
Routers are like intersections; switches are like streets
– Image from Wikipedia (link Ch 13a)
Understanding Routers
Routers are hardware devices used on a network to send packets to different network segments
– Operate at the network layer of the OSI model
Routing Protocols
Routers tell one another what paths are available with routing protocols
– Link-state routing protocol
  Each router has complete information about every network link
  Example: Open Shortest Path First (OSPF)
– Distance-vector routing protocol
  Routers only know which direction to send packets, and how far
  Example: Routing Information Protocol (RIP)
Routing Protocols
– Path-vector routing protocol
  Used on the Internet backbone
  Example: Border Gateway Protocol (BGP)
China's BGP Hijacking
Link Ch 13v
IP hijacking via BGP
– Simply advertise routes to IP addresses assigned to other companies, but unused
– Like pirate radio
– Link Ch 13z4
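The hijack described above works because BGP itself does not check whether the AS announcing a prefix is allowed to. The usual defence is origin validation: compare each announcement's origin AS against a table of Route Origin Authorizations. The script below is an added illustration, not from the slides or the textbook; the prefixes, AS numbers and the ROA table are constructed from documentation ranges (RFC 5737 addresses, RFC 5398 AS numbers).

```python
import ipaddress
from dataclasses import dataclass

# Constructed ROA-style table: which AS may originate each prefix, and the
# longest prefix length (maxLength) it may announce. Documentation ranges only.
ROAS = [
    # (prefix, max_length, authorised origin AS)
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("203.0.113.0/24", 24, 64498),
]


@dataclass
class Announcement:
    prefix: str
    as_path: list  # rightmost entry is the origin AS


def validate(ann):
    """Classify an announcement as 'valid', 'invalid' or 'not_found'.

    not_found: no ROA covers the prefix, so nothing can be said about it
    valid:     a covering ROA names this origin AS and the announced prefix is
               no more specific than that ROA's maxLength
    invalid:   covering ROA(s) exist but none matches; this is the signature of
               both a foreign-origin hijack and a more-specific hijack
    """
    net = ipaddress.ip_network(ann.prefix, strict=False)
    origin = ann.as_path[-1]
    covered = False
    for roa_prefix, max_len, roa_as in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not_found"


def suspicious(announcements):
    """Return the announcements a route-monitoring system should alert on."""
    return [a for a in announcements if validate(a) == "invalid"]


if __name__ == "__main__":
    feed = [
        Announcement("192.0.2.0/24", [64500, 64496]),    # legitimate
        Announcement("192.0.2.0/25", [64500, 64496]),    # more specific than allowed
        Announcement("198.51.100.0/24", [64511, 64499]), # wrong origin AS
        Announcement("10.0.0.0/8", [64511]),             # no ROA: unknown
    ]
    for a in feed:
        print(a.prefix, a.as_path[-1], validate(a))
```

A monitoring system would run `validate` over a live route feed and page an operator on every `invalid` result; `not_found` results are common for prefixes whose owners have not published ROAs and are not by themselves evidence of a hijack.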
Cisco Routers
Image from cisco.com (link Ch 13b)
Understanding Basic Hardware Routers
Cisco routers are widely used in the networking community
– More than one million Cisco 2500 series routers are currently being used by companies around the world
Vulnerabilities exist in Cisco IOS as they do in any operating system
– See link Ch 13c
Cisco Router Components
Internetwork Operating System (IOS)
Random access memory (RAM)
– Holds the router's running configuration, routing tables, and buffers
– If you turn off the router, the contents stored in RAM are wiped out
Nonvolatile RAM (NVRAM)
– Holds the router's configuration file, but the information is not lost if the router is turned off
Cisco Router Components
Flash memory
– Holds the IOS the router is using
– Is rewritable memory, so you can upgrade the IOS
Read-only memory (ROM)
– Contains a minimal version of the IOS used to boot the router if flash memory gets corrupted
Cisco Router Components
Interfaces
– Hardware connectivity points
– Example: an Ethernet port is an interface that connects to a LAN
Cisco IOS is controlled from the command line
The details are not included in this class
Skip pages 376-378
Standard IP Access Lists
Can restrict IP traffic entering or leaving a router's interface based on source IP address
– To restrict traffic from Network 3 from entering Network 1, the access list looks like:
access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any
Extended IP Access Lists
Restricts IP traffic entering or leaving based on:
– Source IP address
– Destination IP address
– Protocol type
– Application port number
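To see how the standard list on the previous slide and an extended list are actually evaluated, here is an added example (not from the textbook or from Cisco) that parses both kinds of `access-list` line and applies the three rules a router follows: wildcard masks (a 0 bit means "must match"), first match wins, and an implicit deny at the end. The standard list is the one from the slide; the extended list and the packets are constructed. The parser understands `any`, `host A.B.C.D`, `network wildcard`, and an optional `eq <port>` after the destination; other Cisco keywords are deliberately left out.

```python
import ipaddress

# The standard list from the slide, and a constructed extended list
STANDARD_ACL = """
access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any
"""
EXTENDED_ACL = """
access-list 101 permit tcp any host 10.13.61.18 eq 80
access-list 101 deny ip any any
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask match: a 0 bit in the wildcard means that bit must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((network, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list <n> permit|deny ...' lines into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            raise ValueError("bad ACL line: " + line)
        number, action = int(t[1]), t[2]
        if action not in ("permit", "deny"):
            raise ValueError("bad action in: " + line)
        if number <= 99 or 1300 <= number <= 1999:  # standard list: source only
            src, _ = _parse_addr(t, 3)
            rules.append({"action": action, "proto": "ip", "src": src,
                          "dst": None, "dport": None})
        else:  # extended list: protocol, source, destination, optional 'eq <port>'
            proto = t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            rules.append({"action": action, "proto": proto, "src": src,
                          "dst": dst, "dport": dport})
    return rules


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """First matching rule wins; a packet matching no rule hits the implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not wildcard_match(src, *r["src"]):
            continue
        if r["dst"] is not None and not wildcard_match(dst, *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"  # implicit deny at the end of every Cisco access list


if __name__ == "__main__":
    std = parse_acl(STANDARD_ACL)
    print(evaluate(std, "173.110.5.9", "10.1.1.1"))   # deny: Network 3 source
    print(evaluate(std, "173.111.0.1", "10.1.1.1"))   # permit
    ext = parse_acl(EXTENDED_ACL)
    print(evaluate(ext, "198.51.100.7", "10.13.61.18", "tcp", 80))  # permit
    print(evaluate(ext, "198.51.100.7", "10.13.61.18", "tcp", 22))  # deny
```

The implicit deny is the line most often forgotten in practice: an extended list that only contains `permit` entries still drops everything else, so a list with no `permit any` entry at the end is a whitelist.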
Michael Lynn
He presented a major Cisco security vulnerability at the Black Hat security conference in 2005
He lost his job, was sued, conference materials were confiscated, etc.
– See links Ch 13 d, e, f, g
Understanding Firewalls
Firewalls are hardware devices or software installed on a system and have two purposes
– Controlling access to all traffic that enters an internal network
– Controlling all traffic that leaves an internal network
Hardware Firewalls
Advantage of hardware firewalls
– Faster than software firewalls (more throughput)
Disadvantages of hardware firewalls
– You are limited by the firewall's hardware (number of interfaces, etc.)
– Usually filter incoming traffic only (link Ch 13i)
Software Firewalls
Advantages of software firewalls
– Customizable: can interact with the user to provide more protection
– You can easily add NICs to the server running the firewall software
Disadvantages of software firewalls
– You might have to worry about configuration problems
– They rely on the OS on which they are running
Firewall Technologies
Network address translation (NAT)
Access lists
Packet filtering
Stateful packet inspection (SPI)
Application layer inspection
Network Address Translation (NAT)
Internal private IP addresses are mapped to public external IP addresses
– Hides the internal infrastructure
Port Address Translation (PAT)
– This allows thousands of internal IP addresses to be mapped to one external IP address
– Each connection from the private network is mapped to a different public port
Router providing NAT and PAT (diagram):
Private addresses          Public addresses
192.168.1.101:1100   ->    147.144.20.1:1201
192.168.1.102:1100   ->    147.144.20.1:1202
192.168.1.102:1103   ->    147.144.20.1:1203
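The translation table behind that diagram can be simulated in a few dozen lines. This is an added example, not code from the textbook or from any router vendor: it allocates a fresh public port for every new outbound connection, remembers the mapping so replies can be translated back, and drops inbound packets that no inside host asked for. The addresses are the ones on the slide plus a constructed destination server.

```python
class PatTranslator:
    """Port Address Translation: many private (ip, port) pairs share one public IP.

    Each new outbound connection gets its own public source port; the mapping is
    kept so replies from that peer can be sent back to the right private host.
    """

    def __init__(self, public_ip, first_port=1201, last_port=65535):
        self.public_ip = public_ip
        self.ports = iter(range(first_port, last_port + 1))
        self.out_table = {}  # (priv_ip, priv_port, peer) -> public port
        self.in_table = {}   # public port -> (priv_ip, priv_port, peer)

    def outbound(self, priv_ip, priv_port, peer):
        """Translate an outgoing packet; return the (public_ip, public_port) it leaves with.

        `peer` is the destination 'ip:port' string; it is part of the key so that
        two connections from one private socket to different servers stay distinct.
        """
        key = (priv_ip, priv_port, peer)
        if key not in self.out_table:  # new connection: allocate a port
            try:
                pub_port = next(self.ports)
            except StopIteration:
                raise RuntimeError("PAT port pool exhausted")
            self.out_table[key] = pub_port
            self.in_table[pub_port] = key
        return self.public_ip, self.out_table[key]

    def inbound(self, peer, public_port):
        """Translate a reply; return (priv_ip, priv_port), or None to drop it.

        Unsolicited inbound packets have no table entry, which is why PAT alone
        already hides the internal hosts from the Internet.
        """
        entry = self.in_table.get(public_port)
        if entry is None or entry[2] != peer:
            return None
        return entry[0], entry[1]

    def state_table(self):
        """Rows of the translation table, in the layout of the slide's diagram."""
        return [(f"{p_ip}:{p_port}", f"{self.public_ip}:{pub}")
                for (p_ip, p_port, _peer), pub in self.out_table.items()]


def demo():
    """Constructed traffic mirroring the slide: three private sockets, one public IP."""
    nat = PatTranslator("147.144.20.1")
    server = "203.0.113.10:80"  # constructed destination
    nat.outbound("192.168.1.101", 1100, server)
    nat.outbound("192.168.1.102", 1100, server)
    nat.outbound("192.168.1.102", 1103, server)
    return nat


if __name__ == "__main__":
    nat = demo()
    for private, public in nat.state_table():
        print(f"{private:22} -> {public}")
    print(nat.inbound("203.0.113.10:80", 1202))  # reply reaches 192.168.1.102:1100
    print(nat.inbound("203.0.113.10:80", 1500))  # nobody asked: None (dropped)
```

Two private hosts using the same source port (1100) do not collide because the router, not the host, picks the public port; a real PAT device also ages entries out of the table, which this simulation omits.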
Access Lists
A series of rules to control traffic
Criteria
– Source IP address
– Destination IP address
– Ports or services
– Protocol (usually UDP or TCP)
Packet Filtering
Packet filters screen traffic based on information in the header, such as
– Protocol type
– IP address
– TCP/UDP port
– More possibilities
Stateful Packet Inspection (SPI)
Stateful packet filters examine the current state of the network
– If you have sent a request to a server, packets from that server may be allowed in
– Packets from the same server might be blocked if no request was sent first
State Table
Stateful firewalls maintain a state table showing the current connections
ACK Port Scan
Used to get information about a firewall
Stateful firewalls track connections and block unsolicited ACK packets
Stateless firewalls only block incoming SYN packets, so you get a RST response
We covered this in chapter 5
Stateful Packet Inspection (SPI)
Stateful packet filters recognize types of anomalies that most routers ignore
Stateless packet filters handle each packet on an individual basis
– This makes them less effective against some attacks, such as the "reverse shell"
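The difference between the two filter types on the last few slides comes down to whether a table of open connections exists. The simulation below is an added example (not from the textbook): a stateless filter that only drops inbound SYNs, beside a stateful one that admits inbound packets only when an inside host opened the connection. The traffic is constructed and includes the unsolicited ACK the ACK-scan slide describes, so you can see which filter lets it reach the host.

```python
from collections import namedtuple

# direction is 'out' (inside -> Internet) or 'in' (Internet -> inside)
Packet = namedtuple("Packet", "src sport dst dport flags direction")


class StatelessFilter:
    """Judges each packet alone: blocks inbound connection attempts (SYN without
    ACK) and lets everything else through, unsolicited ACKs included."""

    def decide(self, pkt):
        if pkt.direction == "in" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return "drop"
        return "allow"


class StatefulFilter:
    """Keeps a state table of connections opened from the inside and admits only
    inbound packets that belong to one of them."""

    def __init__(self):
        # entries: (inside_ip, inside_port, outside_ip, outside_port)
        self.state_table = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            if "SYN" in pkt.flags:  # inside host starts a connection
                self.state_table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # inbound: swap the endpoints and look for the matching entry
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state_table:
            if "RST" in pkt.flags:  # simplified teardown: forget the connection
                self.state_table.discard(key)
            return "allow"
        return "drop"  # no matching state: unsolicited SYN, ACK, or anything else


def run(filter_, packets):
    """Apply a filter to a packet list in order; return the decisions."""
    return [filter_.decide(p) for p in packets]


# Constructed traffic: one legitimate request/reply, then packets nobody asked for
TRAFFIC = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, {"SYN"}, "out"),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, {"SYN", "ACK"}, "in"),
    Packet("203.0.113.5", 443, "192.168.1.10", 40000, {"SYN", "ACK"}, "in"),  # same server, no request
    Packet("198.51.100.77", 31337, "192.168.1.10", 22, {"ACK"}, "in"),       # unsolicited ACK
    Packet("198.51.100.77", 31337, "192.168.1.10", 22, {"SYN"}, "in"),       # unsolicited SYN
]

if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), TRAFFIC))
    print("stateful: ", run(StatefulFilter(), TRAFFIC))
```

The stateless filter passes the unsolicited ACK, so the inside host answers it with a RST, which is exactly the response the ACK scan on the earlier slide relies on; the stateful filter has no table entry for it and drops it silently.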
Application Layer Inspection
An application-layer firewall can detect Telnet or SSH traffic masquerading as HTTP traffic on port 80
Implementing a Firewall
Using only one firewall between a company's internal network and the Internet is dangerous
– It leaves the company open to attack if a hacker compromises the firewall
Use a demilitarized zone instead
Demilitarized Zone (DMZ)
A DMZ is a small network containing resources available to Internet users
– Helps maintain security on the company's internal network
Sits between the Internet and the internal network
It is sometimes referred to as a "perimeter network"
Understanding the Cisco ASA (Adaptive Security Appliance) Firewall
Replaced the Cisco PIX firewall
– One of the most popular firewalls on the market
Configuration of the ASA Firewall
Working with a PIX firewall is similar to working with any other Cisco router
Login prompt
If you are not authorized to be in this XYZ Hawaii network device, log out immediately!
Username: admin
Password: ********
– This banner serves a legal purpose
– A banner that says "welcome" may prevent prosecution of hackers who enter
Access List
ciscoasa(config)# show run access-list
access-list PERMITTED_TRAFFIC remark VPN-CONC1 TO TERMINAL CLOSET1B
access-list PERMITTED_TRAFFIC extended permit ip host 10.13.61.98 host 10.13.61.18
access-list NONE extended deny ip any any log
access-list CAP-ACL extended permit ip any any
ASA Features
Can group objects, such as terminals and servers, and filter traffic to and from them
High throughput, and many more features
– See link Ch 13w
Using Configuration and Risk Analysis Tools for Firewalls and Routers
Center for Internet Security
– cisecurity.org
Configuration benchmarks and risk assessment tools
Free "Router Audit Tool" and many other tools
– Link Ch 13x
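A configuration benchmark tool of the kind just mentioned is, at its core, a list of checks run over a device's running configuration. The script below is an added illustration, not the CIS Router Audit Tool or any of its benchmark rules: it applies five constructed checks to a constructed IOS-style configuration and reports which ones fail. The IOS commands it looks for (`service password-encryption`, `enable secret`, `no ip http server`, `banner login`, `transport input ssh`) are real, but the check list, the sample configs and the placeholder secret hash are made up for this example.

```python
# Constructed sample running-config with several weak settings (not a real device)
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco
service timestamps log datetime msec
ip http server
banner login ^C Unauthorized access is prohibited ^C
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""

# The same device after remediation; the enable secret hash is a placeholder
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $PLACEHOLDER_HASH$
no ip http server
banner login ^C Unauthorized access is prohibited ^C
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""


def _lines(config):
    return [ln.rstrip() for ln in config.splitlines()]


def vty_blocks(config):
    """Return (header, [sub-commands]) for each 'line vty' section; sub-commands are indented."""
    blocks, current = [], None
    for ln in _lines(config):
        if ln.startswith("line vty"):
            current = (ln, [])
            blocks.append(current)
        elif ln.startswith(" ") and current is not None:
            current[1].append(ln.strip())
        else:
            current = None
    return blocks


# Each check: (id, description, predicate(config) -> True when the check passes)
CHECKS = [
    ("pwd-enc", "service password-encryption is enabled",
     lambda c: "service password-encryption" in _lines(c)),
    ("enable-secret", "enable secret is used instead of enable password",
     lambda c: any(l.startswith("enable secret") for l in _lines(c))
     and not any(l.startswith("enable password") for l in _lines(c))),
    ("no-http", "plaintext HTTP management server is disabled",
     lambda c: "no ip http server" in _lines(c) and "ip http server" not in _lines(c)),
    ("banner", "a login banner is configured",
     lambda c: any(l.startswith("banner login") for l in _lines(c))),
    ("vty-ssh", "every vty line accepts SSH only",
     lambda c: bool(vty_blocks(c))
     and all("transport input ssh" in body for _, body in vty_blocks(c))),
]


def audit(config):
    """Run every check; return {check id: passed}."""
    return {cid: bool(fn(config)) for cid, _desc, fn in CHECKS}


def failed(config):
    """Human-readable findings for the checks that did not pass."""
    results = audit(config)
    return [desc for cid, desc, _fn in CHECKS if not results[cid]]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "findings:", failed(cfg) or "none")
```

Note the `vty-ssh` check: `transport input telnet ssh` still allows Telnet, so it fails even though the word `ssh` appears, which is why the check compares whole sub-commands rather than searching for substrings.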
Red Seal
Commercial tool to assess network security and compliance
Diagram shows traffic flow between devices
Link Ch 13y
Understanding Intrusion Detection and Prevention Systems
Intrusion Detection Systems (IDSs)
Monitor network devices so that security administrators can identify attacks in progress and stop them
An IDS looks at the traffic and compares it with known exploits
– Similar to antivirus software using a signature file to identify viruses
Types
– Network-based IDSs
– Host-based IDSs
Network-Based and Host-Based IDSs
Network-based IDSs
– Monitor activity on network segments
– They sniff traffic and alert a security administrator when something suspicious occurs
See link Ch 13o
Host-based IDSs
– The software is installed on the server you're attempting to protect, like antivirus software
– Used to protect a critical network server or database server
Passive and Active IDSs
IDSs are categorized by how they react when they detect suspicious behavior
– Passive systems
  Send out an alert and log the activity
  Don't try to stop it
– Active systems
  Log events and send out alerts
  Can also interoperate with routers and firewalls to block the activity automatically
Intrusion Detection and Prevention Systems
Aurora Attack, December 2009
(not in textbook)
"Aurora" Attack on Google
In December 2009, Google discovered that confidential materials were being sent out of their network to China
Google hacked into the Chinese server and stole data back, discovering that dozens of other companies had also been exploited, including Adobe and Intel
Aurora Attack Sequence
Attacks were customized for each target based on vulnerable software and antivirus protection
1. A user is tricked into visiting a malicious website
2. Browser exploited to load malware on target PC
3. Malware calls home to a control server
4. Local privilege escalation
5. Active Directory password database stolen and cracked
6. Cracked credentials used to gain VPN access
7. Valuable data is sent to China
New Recommendations
Links Ch 13z1, 13z2
Understanding Honeypots
Honeypot
– Computer placed on the perimeter of a network
– Contains information intended to lure and then trap hackers
Computer is configured to have vulnerabilities
Goal
– Keep hackers connected long enough so they can be traced back
How They Work
A honeypot appears to have important data or sensitive information stored on it
– Could store fake financial data that tempts hackers to attempt browsing through the data
Hackers will spend time attacking the honeypot
– And stop looking for real vulnerabilities in the company's network
Honeypots also enable security professionals to collect data on attackers
Commercial HoneypotsCommercial Honeypots
Open-Source HoneypotsOpen-Source Honeypots
How They Work (continued)
Virtual honeypots
– Honeypots created using software solutions instead of hardware devices
– Example: Honeyd
Project Honey Pot
Web masters install software on their websites
When spammers harvest email addresses from sites, HoneyNet's servers record the IP of the harvester
– Can help prosecute the spammers and block the spam
Link Ch 13p
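The mechanism behind that slide is a trap address that is unique to each visitor: the page embeds an address nobody would legitimately write to, records which visitor IP was shown it, and when spam later arrives at that address the recipient identifies the harvester. The code below is an added example of that idea, not Project Honey Pot's own software or data; the secret key, the trap domain and the visitor records are constructed placeholders.

```python
import hashlib
import hmac
import time
from collections import Counter

SECRET = b"constructed-secret-do-not-use"  # hypothetical per-site key
TRAP_DOMAIN = "trap.example.net"           # hypothetical domain that only trap addresses use


class TrapRegistry:
    """Issues a unique trap e-mail address per visitor and attributes spam sent to it."""

    def __init__(self, secret=SECRET, domain=TRAP_DOMAIN):
        self.secret, self.domain = secret, domain
        self.issued = {}  # local part -> (visitor ip, user agent, issue time)

    def trap_address(self, visitor_ip, user_agent, now=None):
        """Return the address to embed in the page served to this visitor.

        The local part is an HMAC tag, so addresses are unguessable: a spammer
        cannot enumerate them, and one cannot be forged to frame an innocent IP.
        """
        now = int(time.time()) if now is None else now
        msg = f"{visitor_ip}|{now}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]
        local = f"contact-{tag}"
        self.issued[local] = (visitor_ip, user_agent, now)
        return f"{local}@{self.domain}"

    def attribute(self, recipient):
        """Given the To: address of an incoming spam, return who harvested it, or None."""
        local, _, domain = recipient.partition("@")
        if domain != self.domain:
            return None
        return self.issued.get(local)

    def harvest_report(self, spam_recipients):
        """Count spam messages per harvester IP; unknown addresses are ignored."""
        counts = Counter()
        for addr in spam_recipients:
            entry = self.attribute(addr)
            if entry is not None:
                counts[entry[0]] += 1
        return dict(counts)


if __name__ == "__main__":
    reg = TrapRegistry()
    # Constructed visitors: one harvester bot and one ordinary browser
    bot = reg.trap_address("198.51.100.23", "harvester-bot/1.0", now=1700000000)
    human = reg.trap_address("203.0.113.8", "Mozilla/5.0", now=1700000060)
    print("served:", bot, human)
    # Later, spam arrives at the bot's trap address twice
    print(reg.harvest_report([bot, bot, "sales@example.org"]))
```

Because the issue time is part of the HMAC input, every page load yields a distinct address, so the report can also tell when the harvesting visit happened, which is the evidence the slide says is used to prosecute spammers and block their mail.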
Uses a Capture Server and one or more Capture Clients
– The clients run in virtual machines
– Clients connect to suspect Web servers
– If the client detects an infection, it alerts the Capture Server and restores itself to a clean state
– The server gathers data about malicious websites
See link Ch 13q
Web Application Firewalls
(not in textbook)
Web Application Attacks
A normal firewall must allow Web traffic
It doesn't stop attacks like SQL injection
Figure from Imperva, link Ch 13u
Web Application Firewalls
There are many WAFs available
See link Ch 13t
How a WAF Works
Constantly updated list of attack signatures
Protects a vulnerable application
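Both the application-layer inspection slide earlier (SSH or Telnet hiding on port 80) and the WAF slides above describe the same kind of device: one that understands the protocol instead of just the ports. The example below is added here and is not code from the textbook, Imperva or any WAF product. It first checks that bytes arriving on the web port really are an HTTP request, then parses the request's query and form parameters and runs a small, constructed signature list over each value. The signatures and the sample requests are made up for the example; a real WAF ships thousands of signatures and updates them continuously.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed signature list: (id, compiled pattern run against each decoded parameter value)
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("sqli-union", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("sqli-comment", re.compile(r"(--|#|/\*)\s*$")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(payload):
    """Application-layer check: data on the web port must start with an HTTP request line."""
    first_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(HTTP_METHODS) and b" HTTP/" in first_line


def protocol_mismatch(payload):
    """Name the protocol actually found on the port, or None if it really is HTTP."""
    if looks_like_http(payload):
        return None
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:1] == b"\xff":  # Telnet option negotiation begins with IAC (0xFF)
        return "telnet"
    return "unknown"


def inspect_request(payload):
    """Parse the request line, query string and (for POST) form body, decode every
    parameter value and run each signature over it. Returns [(signature id, parameter)]."""
    if not looks_like_http(payload):
        return []
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    # parse_qsl already percent-decodes and turns '+' into spaces, so encoded
    # payloads are matched in their decoded form
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    hits = []
    for name, value in params:
        for sig_id, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((sig_id, name))
    return hits


def waf_decision(payload):
    """'block' on a protocol mismatch or any signature hit, otherwise 'allow'."""
    if protocol_mismatch(payload) is not None:
        return "block"
    return "block" if inspect_request(payload) else "allow"


# Constructed sample traffic as it would arrive on port 80
SAMPLES = {
    "normal": b"GET /search?q=shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "tautology": b"GET /login?user=admin'+OR+'1'='1&pw=x HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "union-post": (b"POST /item HTTP/1.1\r\nHost: shop.example\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   b"id=5+UNION+SELECT+1,2"),
    "ssh-on-80": b"SSH-2.0-OpenSSH_8.9\r\n",
    "telnet-on-80": b"\xff\xfb\x18",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:12} {waf_decision(payload):5} "
              f"{protocol_mismatch(payload) or inspect_request(payload)}")
```

Decoding before matching matters: the tautology in the second sample only becomes visible after `+` is turned back into a space, which is why a WAF inspects parameters rather than raw bytes. The same design also shows the limit of a signature list: anything not on the list passes, so a WAF is a compensating control in front of a vulnerable application, not a replacement for fixing it.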
CloudFlare
(not in textbook)
Reverse Proxies
Cloudflare protects Web servers by intercepting requests and caching content
Makes a Website faster and much more secure
Used in real combat: LulzSec hid their site behind CloudFlare in Summer 2011 and th3j35t3r could not find them