Network Security
Dr. Ihsan Ullah
Department of Computer Science & IT, University of Balochistan, Quetta
Pakistan
June 18, 2015
ARP (Address resolution protocol) poisoning
ARP is used to resolve 32-bit IPv4 addresses (e.g., 55.91.56.21) into the 48-bit MAC addresses (e.g., 01-1C-23-0E-1D-41) used on the local link
Hosts on the same LAN must know each other's MAC addresses before they can exchange IP packets, because the frame that carries each packet is addressed by MAC, not by IP
Hosts build ARP tables (ARP caches) from the ARP requests and replies they exchange with each other
Normal ARP operation
Every host on a network builds its own ARP table
Entry of 10.0.0.1 into ARP table at gateway router
Normal ARP operation
Suppose the gateway (router) receives a packet addressed to an internal host (10.0.0.1)
It broadcasts an ARP request to every host on the LAN asking which of them has that IP address
Only the host that has the requested IP address responds; all other hosts ignore the request
Here, Host A responds with an ARP reply that contains its physical (MAC) address (A1-A1-A1-A1-A1-A1)
The switch records the MAC addresses of the gateway and Host A, taken from the source addresses of their frames, together with the port each arrived on
The gateway receives the ARP reply and records Host A's IP address and corresponding MAC address in its ARP table
Normal ARP operation
After adding the MAC address entry for Host A to its ARP table, the gateway can forward all packets addressed to 10.0.0.1
The switch looks only at the destination MAC address as the frame is passed from the gateway to Host A
Other hosts on the LAN cannot see packets addressed to Host A, since the switch delivers them to Host A's port only
ARP Spoofing
ARP requests and replies carry no authentication and are not verified in any way
All hosts trust all ARP replies, including replies they never asked for
ARP spoofing uses forged ARP replies to map any IP address to any MAC address the attacker chooses
Spoofed ARP replies can be sent to every host on the LAN, by broadcast or one host at a time
This allows an attacker to manipulate the ARP tables on all LAN hosts
ARP poisoning
ARP poisoning can be used to reroute traffic for a MITM (Man-in-the-Middle) attack
The attacker begins the attack by sending a continuous stream of unsolicited ARP replies to all hosts on the LAN except the gateway
The replies tell the other hosts that the gateway (10.0.0.4) is now at C3-C3-C3-C3-C3-C3
Hosts on the LAN record the false ARP reply in their ARP tables
Any packet they wish to send to the gateway will now be addressed to 10.0.0.4 at C3-C3-C3-C3-C3-C3, which is the attacker's MAC address
Since the switch only looks at MAC addresses, it cannot detect the incorrect ARP resolution being pushed out to all other hosts; it faithfully delivers the frames to the attacker's port
After intercepting the traffic, the attacker forwards it on to the real gateway so the victims notice nothing
ARP poisoning (diagram slide, no text)
ARP poisoning
To poison the gateway, the attacker sends a continuous stream of spoofed ARP replies to the gateway telling it that all other internal hosts are at C3-C3-C3-C3-C3-C3
The gateway records all internal IP addresses (10.0.0.1, 10.0.0.2, and 10.0.0.3) with the same MAC address (C3-C3-C3-C3-C3-C3) in its ARP table
Any packet the gateway receives for an internal host will be forwarded to the attacker
The attacker redirects the traffic it intercepts to the real destination, so both directions of every conversation pass through it
To launch this attack, the attacker must have access to the local network and must keep sending spoofed ARP replies: ARP cache entries time out, and a genuine reply from the real host would otherwise overwrite the false mapping and let the other hosts' ARP tables self-correct
ARP DoS attack
A minor modification of the attack stops all traffic through the gateway, cutting the LAN off from every other network
The attacker sends all internal hosts a continuous stream of unsolicited spoofed ARP replies saying the gateway (10.0.0.4) is at E5-E5-E5-E5-E5-E5
Hosts record the gateway's IP address with a MAC address that no host on the LAN owns
Frames addressed to E5-E5-E5-E5-E5-E5 never reach the gateway: no host claims that MAC address, so the switch has no port to deliver them to and the traffic is lost
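The normal ARP resolution, the two-sided MITM poisoning and the DoS variant described on the preceding slides, as an added simulation that is not part of the lecture. It builds real RFC 826 ARP frames, models a switch that learns source MACs and forwards on destination MAC only, and hosts whose ARP tables accept every reply, solicited or not. The host names, the payloads and the gateway MAC B4-B4-B4-B4-B4-B4 (the slides do not give one) are constructed for the example.

```python
import struct

ETH_P_ARP, ETH_P_IP = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_bytes(m): return bytes(int(x, 16) for x in m.replace("-", ":").split(":"))
def ip_bytes(a):  return bytes(int(x) for x in a.split("."))
def mac_str(b):   return ":".join(f"{x:02x}" for x in b)
def ip_str(b):    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Ethernet II frame carrying an RFC 826 ARP packet (htype 1 = Ethernet, ptype = IPv4)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        raise ValueError("unsupported ARP encoding")
    p = frame[22:42]
    return {"op": op, "sender_mac": mac_str(p[0:6]), "sender_ip": ip_str(p[6:10]),
            "target_mac": mac_str(p[10:16]), "target_ip": ip_str(p[16:20])}

class Switch:
    """Layer-2 switch: learns source MAC per port, forwards on destination MAC only."""
    def __init__(self):
        self.ports, self.cam = {}, {}
    def attach(self, host):
        self.ports[host.port] = host
    def send(self, in_port, frame):
        dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
        self.cam[src] = in_port
        # known unicast goes out one port; broadcast or unknown destination is flooded
        out = [self.cam[dst]] if dst in self.cam else [p for p in self.ports if p != in_port]
        for p in out:
            self.ports[p].receive(frame, self)

class Host:
    def __init__(self, name, ip, mac, port):
        self.name, self.ip, self.mac, self.port = name, ip, mac, port
        self.arp_table = {}      # ip -> mac, overwritten by ANY reply (no verification, as on the slides)
        self.delivered = []      # (src_mac, payload) of IP frames this NIC accepted
    def receive(self, frame, sw):
        if mac_str(frame[0:6]) not in (self.mac, BROADCAST):
            return                                       # NIC ignores frames for other MACs
        if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
            self.delivered.append((mac_str(frame[6:12]), frame[14:]))
            return
        a = parse_arp(frame)
        if a["op"] == ARP_REQUEST and a["target_ip"] == self.ip:
            self.arp_table[a["sender_ip"]] = a["sender_mac"]
            sw.send(self.port, build_arp(ARP_REPLY, self.mac, self.ip, a["sender_mac"], a["sender_ip"]))
        elif a["op"] == ARP_REPLY:
            self.arp_table[a["sender_ip"]] = a["sender_mac"]
    def send_ip(self, sw, dst_ip, payload):
        if dst_ip not in self.arp_table:                 # resolve first, as a real stack would
            sw.send(self.port, build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, dst_ip))
        dst_mac = self.arp_table[dst_ip]
        sw.send(self.port, mac_bytes(dst_mac) + mac_bytes(self.mac) + struct.pack("!H", ETH_P_IP) + payload)
        return dst_mac

def simulate():
    sw = Switch()
    gw = Host("gateway", "10.0.0.4", "b4:b4:b4:b4:b4:b4", 1)   # gateway MAC is assumed
    a = Host("A", "10.0.0.1", "a1:a1:a1:a1:a1:a1", 2)
    evil = Host("attacker", "10.0.0.3", "c3:c3:c3:c3:c3:c3", 3)
    for h in (gw, a, evil):
        sw.attach(h)
    out = {}
    # 1. normal operation: A resolves the gateway; the frame lands on the gateway only
    out["normal_dst"] = a.send_ip(sw, gw.ip, b"hello")
    out["normal_seen_by"] = [h.name for h in (gw, a, evil) if h.delivered]
    # 2. MITM poisoning: one unsolicited reply to A, one to the gateway
    sw.send(evil.port, build_arp(ARP_REPLY, evil.mac, gw.ip, a.mac, a.ip))   # "10.0.0.4 is at C3..."
    sw.send(evil.port, build_arp(ARP_REPLY, evil.mac, a.ip, gw.mac, gw.ip))  # "10.0.0.1 is at C3..."
    out["a_thinks_gw_is"], out["gw_thinks_a_is"] = a.arp_table[gw.ip], gw.arp_table[a.ip]
    a.send_ip(sw, gw.ip, b"secret")
    out["intercepted"] = evil.delivered[-1][1]
    evil.send_ip(sw, gw.ip, out["intercepted"])         # relay to the real gateway
    out["gw_got_from"] = gw.delivered[-1]
    # 3. DoS variant: gateway mapped to a MAC nobody owns (frame still leaves the attacker's NIC)
    sw.send(evil.port, build_arp(ARP_REPLY, "e5:e5:e5:e5:e5:e5", gw.ip, a.mac, a.ip, eth_src=evil.mac))
    before = sum(len(h.delivered) for h in (gw, a, evil))
    out["dos_dst"] = a.send_ip(sw, gw.ip, b"lost")
    out["dos_delivered"] = sum(len(h.delivered) for h in (gw, a, evil)) - before
    return out

if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

In step 2 the relayed frame reaches the gateway with the attacker's MAC as its source, which is the one trace the gateway could notice; in step 3 the switch floods the unknown-unicast frame to every other port and no NIC accepts it, so the traffic is lost even though nothing was "dropped" in the filtering sense.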
ARP DoS attack (diagram slide, no text)
Preventing ARP poisoning
Static tables
ARP poisoning can be prevented by using static IP address assignments together with static ARP tables
Static ARP entries are set manually and are not updated by ARP replies, so a spoofed reply has nothing to overwrite
Difficult to manage on anything but the smallest networks, since every host and every address change must be edited by hand
Limit local access
Another way of preventing ARP poisoning is to limit who can get onto the local network at all, since the attacker must be on the LAN to send ARP replies
Controlling network access
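A small added example, not from the lecture, of the static-table defence on this slide together with a passive check that would catch the attack from the earlier slides: an ARP cache with manually pinned entries that ARP replies cannot overwrite, and a monitor that flags the three signatures visible in the described traffic (an unsolicited reply, an IP whose MAC changes, one MAC answering for several IPs). The observed reply stream and all addresses are constructed; the one-IP-per-MAC threshold is an assumption that a real deployment would tune.

```python
from collections import defaultdict

class ArpCache:
    """Host ARP table with optional static (pinned) entries.

    Dynamic entries are overwritten by any reply, as the slides describe;
    static entries are set by hand and are never changed by ARP traffic.
    """
    def __init__(self, static=None):
        self.static = dict(static or {})
        self.dynamic = {}

    def update(self, ip, mac):
        """Apply an ARP reply. Returns True if the table actually changed."""
        if ip in self.static:
            return False                       # pinned entry: the reply is ignored
        changed = self.dynamic.get(ip) != mac
        self.dynamic[ip] = mac
        return changed

    def lookup(self, ip):
        return self.static.get(ip) or self.dynamic.get(ip)


class ArpMonitor:
    """Passive detector for the poisoning signatures described in the slides."""
    def __init__(self, max_ips_per_mac=1):     # assumed threshold; routers with several addresses need more
        self.first_seen = {}                   # ip -> mac from the first reply observed
        self.claims = defaultdict(set)         # mac -> set of ips it has claimed to own
        self.max_ips = max_ips_per_mac
        self.alerts = []

    def observe(self, ip, mac, solicited):
        """Feed one ARP reply: sender IP, sender MAC, and whether we had sent a request for it."""
        if not solicited:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        if ip in self.first_seen and self.first_seen[ip] != mac:
            self.alerts.append(f"mapping changed: {ip} {self.first_seen[ip]} -> {mac}")
        self.first_seen.setdefault(ip, mac)
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > self.max_ips:
            self.alerts.append(f"{mac} claims {len(self.claims[mac])} addresses: {sorted(self.claims[mac])}")
        return self.alerts


GATEWAY_IP, GATEWAY_MAC = "10.0.0.4", "b4:b4:b4:b4:b4:b4"   # gateway MAC is assumed
ATTACKER_MAC = "c3:c3:c3:c3:c3:c3"

# Constructed stream of ARP replies as the gateway would see them: three normal,
# solicited replies, then the attacker's unsolicited flood from the poisoning slides.
OBSERVED = [
    ("10.0.0.4", GATEWAY_MAC, True),
    ("10.0.0.1", "a1:a1:a1:a1:a1:a1", True),
    ("10.0.0.2", "a2:a2:a2:a2:a2:a2", True),
    ("10.0.0.4", ATTACKER_MAC, False),
    ("10.0.0.1", ATTACKER_MAC, False),
    ("10.0.0.2", ATTACKER_MAC, False),
]

def run(static=None):
    """Replay OBSERVED into a cache (optionally with pinned entries) and a monitor.

    Returns (what the cache now says the gateway's MAC is, list of alerts).
    """
    cache, monitor = ArpCache(static), ArpMonitor()
    for ip, mac, solicited in OBSERVED:
        cache.update(ip, mac)
        monitor.observe(ip, mac, solicited)
    return cache.lookup(GATEWAY_IP), monitor.alerts

if __name__ == "__main__":
    print("dynamic cache, gateway ->", run()[0])
    print("pinned cache,  gateway ->", run({GATEWAY_IP: GATEWAY_MAC})[0])
    for alert in run()[1]:
        print("ALERT", alert)
```

Two caveats a practitioner would add: gratuitous ARP sent by hosts at boot and by failover clusters is unsolicited and legitimate, so the unsolicited-reply alert is a signal to correlate rather than block on; and the pinned cache only protects the host it is configured on, which is exactly why the slide calls the static approach hard to manage.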
Network access control
A LAN can be wired or wireless, and most often wireless LANs are connected into wired LANs
The wireless client communicates by radio with a wireless access point, which in turn connects via 4-pair UTP to an Ethernet switch
Network access control (diagram slide, no text)
Access control threats
Traditionally, Ethernet LANs offered no access control security at all
Any intruder who entered a corporate building could walk up to any wall jack and plug in a notebook computer
The intruder would then have unrestricted access to the LAN's computers, bypassing the site's border firewall, which only inspects traffic crossing the perimeter
A complete breakdown in access control
Wireless LANs pose even deeper access threats, since the radio signal reaches beyond the building and no physical entry is needed
Once intruders gain access, they can use a packet sniffer to intercept and read legitimate traffic
Ethernet security
802.1X security
802.1X makes the Ethernet workgroup switch the gateway to the network
The user's computer connects to a specific port on the workgroup switch
That port is the real point of access control
The full name of the 802.1X standard is Port-Based Network Access Control
802.1X security (diagram slide, no text)
802.1X security
When the computer first connects, the port is in an unauthorized state
In that state the port will not let the user communicate over the network; only authentication traffic is allowed through
The port remains unauthorized until the computer authenticates itself
After successful authentication, the port changes to the authorized state and the computer gets access to the network
So as not to burden the switch, switches rely on a central authentication server
This server holds the credential-checking data and has the processing power to do the checking on behalf of every switch
RADIUS and EAP
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service
802.1X relies on the Extensible Authentication Protocol (EAP) to govern the specifics of the authentication exchange; the switch carries EAP over the LAN to the client (EAPOL) and relays the same EAP messages to the RADIUS server, so the switch never has to understand the credentials itself
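The port state machine from the previous slide and the EAP exchange from this one, as an added example that is not part of the lecture. The EAPOL and EAP headers are encoded as in IEEE 802.1X and RFC 3748 (without the surrounding Ethernet header), the authentication method is EAP-MD5 because it fits in a few lines, and the RADIUS server is a stand-in object called directly rather than over the RADIUS wire format; the credential store, user name and password are constructed for the example.

```python
import hashlib
import os
import struct

EAPOL_VERSION = 1
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2                        # EAPOL packet types (802.1X)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4      # EAP codes (RFC 3748)
EAP_IDENTITY, EAP_MD5 = 1, 4                                          # EAP types used here

def eap_pkt(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body     # Code, Identifier, Length

def eapol_frame(ptype, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body  # Version, Type, Body length

def parse_eapol(frame):
    _ver, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length mismatch")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def md5_response(ident, password, challenge):
    """EAP-MD5 is CHAP: MD5(Identifier || secret || challenge) (RFC 3748 section 5.4, RFC 1994)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class AuthServer:
    """Stand-in for the RADIUS server: holds the credentials and does the checking."""
    def __init__(self, users):
        self.users = users
    def challenge(self):
        return os.urandom(16)
    def verify(self, identity, ident, challenge, response):
        pw = self.users.get(identity)
        return pw is not None and response == md5_response(ident, pw, challenge)

class AuthenticatorPort:
    """One switch port. Starts unauthorized; only EAPOL is processed until EAP-Success."""
    def __init__(self, server):
        self.server, self.authorized = server, False
        self.ident, self.identity, self.challenge = 0, None, None
        self.log = []
    def data_frame(self, payload):
        """Ordinary (non-EAPOL) traffic is forwarded only when the port is authorized."""
        return payload if self.authorized else None
    def eapol(self, frame):
        """Consume one EAPOL frame from the supplicant; return the frame to send back, or None."""
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_LOGOFF:
            self.authorized = False
            return None
        if ptype == EAPOL_START:
            self.ident += 1
            self.log.append("Request/Identity")
            return eapol_frame(EAPOL_EAP, eap_pkt(EAP_REQUEST, self.ident, EAP_IDENTITY))
        code, ident, etype, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.ident:
            return None                                   # stale or out-of-order response: ignore
        self.ident += 1
        if etype == EAP_IDENTITY:
            self.identity, self.challenge = data.decode(), self.server.challenge()
            self.log.append("Request/MD5-Challenge")
            return eapol_frame(EAPOL_EAP, eap_pkt(EAP_REQUEST, self.ident, EAP_MD5, bytes([16]) + self.challenge))
        if etype == EAP_MD5:
            resp = data[1:1 + data[0]]                    # Value-Size byte, then the digest
            ok = self.server.verify(self.identity, ident, self.challenge, resp)
            self.authorized = ok                          # the port state change is the whole point
            self.log.append("Success" if ok else "Failure")
            return eapol_frame(EAPOL_EAP, eap_pkt(EAP_SUCCESS if ok else EAP_FAILURE, self.ident))
        return None

def supplicant_reply(frame, identity, password):
    """The client's side: answer Identity and MD5-Challenge requests; None once EAP has finished."""
    ptype, body = parse_eapol(frame)
    code, ident, etype, data = parse_eap(body)
    if code != EAP_REQUEST:
        return None
    if etype == EAP_IDENTITY:
        return eapol_frame(EAPOL_EAP, eap_pkt(EAP_RESPONSE, ident, EAP_IDENTITY, identity.encode()))
    if etype == EAP_MD5:
        digest = md5_response(ident, password, data[1:1 + data[0]])
        return eapol_frame(EAPOL_EAP, eap_pkt(EAP_RESPONSE, ident, EAP_MD5, bytes([len(digest)]) + digest))
    return None

def run_8021x(identity, password):
    """Drive one supplicant through a port and report what the port let through."""
    port = AuthenticatorPort(AuthServer({"alice": b"correct horse"}))   # constructed credential store
    dropped_before = port.data_frame(b"IP traffic") is None
    frame = port.eapol(eapol_frame(EAPOL_START))
    while frame is not None:
        reply = supplicant_reply(frame, identity, password)
        frame = port.eapol(reply) if reply is not None else None
    return {"dropped_before": dropped_before, "exchange": port.log,
            "authorized": port.authorized, "data_after": port.data_frame(b"IP traffic")}

if __name__ == "__main__":
    print(run_8021x("alice", b"correct horse"))
    print(run_8021x("alice", b"wrong password"))
```

EAP-MD5 is used here only because it is short: it offers no mutual authentication and the challenge/response pair can be attacked offline, so real deployments use a TLS-based method (EAP-TLS, PEAP). The structure is the same either way: the switch port opens only on EAP-Success, and it never sees the password, only the EAP messages it relays to the server.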