Security fundamentals

Transcript of Security fundamentals

Page 1: Security fundamentals

Security fundamentals

Topic 6: Securing the network infrastructure

Page 2: Security fundamentals

Agenda

• Security at the TCP/IP layers
• Security at the physical layer
• Securing network devices

Page 3: Security fundamentals

Network layer attacks

• MAC address spoofing
– Attackers can create packets with the MAC address of a different computer and impersonate that computer
• Denial of Service (DoS)
– Overloads a single system so that it cannot provide the service it is configured to provide
– Sends frames designed to use up all the resources of the target device
• ARP cache poisoning
– Incorrect or spoofed entries are added to the ARP cache, so messages are sent to incorrect destinations

Page 4: Security fundamentals

Internet layer attacks

• IP address spoofing
– Source addresses of IP packets are spoofed to impersonate another computer
• Man-in-the-middle attack
– Attacker intercepts and reads or modifies packet contents without the knowledge of the source or destination computers
• Denial of Service
– Attacker overloads the TCP/IP stack with a large number of invalid packets, which prevents processing of legitimate packets
– Attacker changes entries in routing tables to prevent delivery of packets
• Incorrect reassembly of fragmented datagrams
– The offset field used to reassemble fragments is changed so that they can’t be reassembled correctly; the datagram could pass through a firewall when it shouldn’t
• Avoiding detection by fragmenting datagrams
– An attacker might fragment a packet to hide patterns (such as virus signatures) and avoid detection
• Corrupting packets
– Information in IP header fields is modified
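To make the reassembly problem concrete, here is an added example (not from the original slides) of the sanity check a firewall or host can run over a datagram's fragments before reassembling them: it flags offsets that overlap data already received, gaps, and sets whose reassembled size would exceed the IPv4 limit. All fragment values are constructed.

```python
"""Sanity-check IP fragments before reassembly: flag overlaps, gaps and oversize datagrams.

Added example (not from the original slides). Fragment values below are constructed.
"""
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IPv4 datagram (the total length field is 16 bits)


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP identification field, shared by every fragment of one datagram
    offset: int    # fragment offset as carried in the header, in 8-byte units
    length: int    # payload bytes in this fragment
    more: bool     # More Fragments (MF) flag


def check_fragments(frags):
    """Return a list of problems; an empty list means the set reassembles cleanly."""
    if not frags:
        return ["no fragments supplied"]
    if len({f.ident for f in frags}) != 1:
        return ["fragments carry different identification values"]
    problems = []
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0  # byte offset where the next fragment should begin
    for f in ordered:
        start, end = f.offset * 8, f.offset * 8 + f.length
        if f.more and f.length % 8:
            problems.append(f"fragment at {start}: MF set but length not a multiple of 8")
        if start < expected:
            problems.append(f"fragment at {start} overlaps data already covered up to {expected}")
        elif start > expected:
            problems.append(f"gap between byte {expected} and fragment at {start}")
        expected = max(expected, end)
    if ordered[-1].more:
        problems.append("final fragment still has MF set: datagram incomplete")
    if expected > MAX_DATAGRAM:
        problems.append(f"reassembled size {expected} exceeds {MAX_DATAGRAM} bytes")
    return problems


# Constructed sample sets: a clean three-fragment datagram, one whose second offset was
# rewritten so it overlaps the first fragment, and one that would reassemble past 65535 bytes.
CLEAN = [Fragment(1, 0, 1480, True), Fragment(1, 185, 1480, True), Fragment(1, 370, 100, False)]
OVERLAP = [Fragment(2, 0, 1480, True), Fragment(2, 100, 1480, False)]
OVERSIZE = [Fragment(3, 0, 1480, True), Fragment(3, 185, 65000, False)]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP), ("oversize", OVERSIZE)):
        print(name, check_fragments(frags) or "ok")
```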

Page 5: Security fundamentals

Transport layer attacks

• Manipulation of UDP or TCP ports
– Attacker can format packets so they appear to come from a port allowed by the firewall
• Denial of service
– SYN flood attack leaves sessions half open until the router cannot accept any more connections
• Session hijacking
– After the connection is established, the attacker predicts TCP sequence numbers and takes over the connection with his own segments
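The SYN flood bullet is about exhausting the half-open connection table. As an added example (not part of the original slides), the following replays a constructed log of handshake events and reports the peak number of half-open connections, which sources are still holding slots, and when the modelled backlog was exceeded; the backlog size and timeout are assumed values.

```python
"""Replay TCP handshake events and measure half-open connections, the resource a SYN flood exhausts.

Added example (not from the original slides). Events and thresholds are constructed.
"""
from collections import Counter

# Constructed event log: (time_s, client_ip, event) where event is
# "SYN" (client opened), "ACK" (client completed the handshake) or "RST" (aborted).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "SYN"), (0.1, "10.0.0.5", "ACK"),        # normal handshake
    (1.0, "203.0.113.7", "SYN"), (1.0, "203.0.113.7", "SYN"),
    (1.1, "203.0.113.7", "SYN"), (1.2, "203.0.113.7", "SYN"),
    (1.3, "203.0.113.7", "SYN"), (1.4, "203.0.113.7", "SYN"),  # never completed
    (2.0, "10.0.0.6", "SYN"), (2.5, "10.0.0.6", "RST"),        # aborted, frees its slot
]


def half_open_stats(events, backlog=5, timeout_s=3.0):
    """Return (peak half-open count, half-open count per source at the end, times backlog was exceeded)."""
    pending = []          # (time_opened, client_ip) for SYNs awaiting the final ACK
    peak, exceeded = 0, []
    for t, src, kind in sorted(events, key=lambda e: e[0]):
        # A real stack drops half-open entries after a timeout; model that here.
        pending = [(t0, s) for t0, s in pending if t - t0 < timeout_s]
        if kind == "SYN":
            pending.append((t, src))
        elif kind in ("ACK", "RST"):
            for i, (_, s) in enumerate(pending):   # release the oldest slot held by this client
                if s == src:
                    del pending[i]
                    break
        peak = max(peak, len(pending))
        if len(pending) > backlog:
            exceeded.append(t)
    return peak, Counter(s for _, s in pending), exceeded


if __name__ == "__main__":
    peak, per_source, exceeded = half_open_stats(SAMPLE_EVENTS)
    print("peak half-open:", peak)
    print("still half-open per source:", dict(per_source))
    print("backlog exceeded at t =", exceeded)
```

Per-source counts only help when the flood is not spoofing its source addresses; the total against the backlog is the figure that matters either way.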

Page 6: Security fundamentals

Application layer attacks

• Specific to the application layer protocol
• Common attacks exploit:
– Email protocols
– Web protocols
– DNS

Page 7: Security fundamentals

Network cabling security

• Coaxial cables
– Cutting or destroying cables
– Noise from EMI or RFI
– Removing a terminator
• Eavesdropping
– Traffic can be intercepted by tapping into the coaxial cable at any point on the network
• Mitigation
– Protect the cable: bury it, run it inside walls, use tamperproof containers
– Document the cable infrastructure
– Investigate all outages
– Inspect your cables regularly
– Investigate undocumented hosts and connections

Page 8: Security fundamentals

Network cabling security

• Twisted pair
– Cutting or destroying cables
– Noise from EMI or RFI (shielded twisted pair, STP, mitigates the impact of EMI and RFI)
• Mitigation
– Protect the cables
– Protect the switches and patch panels
– Document the cable infrastructure
– Investigate all outages
– Inspect your cables and infrastructure regularly
– Investigate undocumented hosts and connections
• Eavesdropping
– Using a protocol analyser or packet sniffer (requires a physical connection)
– Splicing into a cable
– Listening to the electromagnetic emissions from the signals passing through the wire

Page 9: Security fundamentals

Network cabling security

• Fiber optic cables
– Bending or snapping the cable
– Any damage will disrupt the signal
• Eavesdropping
– Virtually impossible: requires cutting the cable, polishing the ends and connecting a device
• Mitigation
– Protect the cables
– Protect the switches and patch panels
– Document the cable infrastructure
– Investigate all outages
– Inspect your cables and infrastructure regularly
– Investigate undocumented hosts and connections

Page 10: Security fundamentals

Device security

• Compromising switches and bridges
– If an attacker has physical access, he can disable a switch
– Attach a computer to a span port, which receives all switch traffic
– Transmit frames with a spoofed MAC address to corrupt the MAC address table
– Flood the switch with frames to disrupt operations
• Gaining administrative access
– Port mirroring: map the input and output of one or more ports to a single port to eavesdrop on communications
– Change the MAC address table to redirect traffic
• ARP cache poisoning
– Attacker can overwrite entries in the ARP cache, allowing the attacker to eavesdrop or hijack a session

Page 11: Security fundamentals

Securing switches and bridges

• Physical security
– Limit physical access; use security personnel and monitoring (cameras)
• Protecting admin functions with passwords
– Set complex passwords and change them routinely
– Restrict access to a few staff
– Manually enter ARP mappings on critical devices: servers, switches and bridges
– Keep up to date with patches
– Document configurations so you know what is normal and authorised
• Monitoring for security breaches
– Monitor devices for unauthorised connections
– Use arpwatch to monitor traffic and keep a record of MAC-to-IP address mappings
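The ARP cache poisoning bullets on slides 3 and 10 and the arpwatch and static-mapping advice on this slide come together in the following added example (not from the original slides, and not arpwatch's own code): it learns IP-to-MAC bindings from a constructed sequence of ARP replies, refuses to overwrite manually pinned entries for critical devices, and raises an alert when a binding changes or one MAC starts answering for several addresses.

```python
"""arpwatch-style monitor: learn IP-to-MAC bindings from ARP replies and flag suspicious changes.

Added example (not from the original slides, and not arpwatch itself). Replies and bindings are constructed.
"""
from collections import defaultdict

# Constructed ARP replies in the order observed: (sender_ip, sender_mac).
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),    # gateway
    ("192.168.1.10", "00:11:22:33:44:10"),   # workstation
    ("192.168.1.1", "00:11:22:33:44:01"),    # repeat of a known binding: silent
    ("192.168.1.1", "DE:AD:BE:EF:00:01"),    # gateway IP now claimed by another MAC
    ("192.168.1.20", "de:ad:be:ef:00:01"),   # same MAC also claims a second IP
]

# Manually entered mappings for critical devices (as the slide advises); never overwritten.
STATIC_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def monitor(replies, static=STATIC_BINDINGS):
    """Return (learned table, alerts). Static entries win over anything seen on the wire."""
    table = {ip: mac.lower() for ip, mac in static.items()}
    ips_by_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()                  # normalise case so the same MAC compares equal
        ips_by_mac[mac].add(ip)
        if ip in static and table[ip] != mac:
            alerts.append(f"static conflict: {ip} claimed by {mac}, expected {table[ip]}")
            continue                       # do not learn the conflicting entry
        if ip in table and table[ip] != mac:
            alerts.append(f"changed binding: {ip} moved from {table[ip]} to {mac}")
        table[ip] = mac
    # Heuristic: one MAC answering for several IPs deserves a look (a router may do so legitimately).
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for multiple IPs: {sorted(ips)}")
    return table, alerts


if __name__ == "__main__":
    table, alerts = monitor(SAMPLE_REPLIES)
    for a in alerts:
        print("ALERT:", a)
```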

Page 12: Security fundamentals

Securing routers

• Compromising routers
– Susceptible to ARP cache poisoning
– Routing tables can be changed either administratively or with incorrect routing updates
– RIP spoofing: updating routing tables with bogus updates
– ACLs can be changed if admin access is compromised
– Insecure protocols and services could be enabled

Page 13: Security fundamentals

Securing routers

• Keep routers in secure locations: locked server rooms and wiring closets
• Secure all physical connections to network segments
• Use security personnel and monitoring (cameras)
• Set complex passwords and change them regularly
• Keep up to date with the latest patches
• Restrict which staff have access and the locations access can come from
• Set ACLs to prevent inappropriate connections
• Set passwords for routing updates
• Disable insecure protocols and services
• Document and regularly review the network

Page 14: Security fundamentals

Securing telecommunications

• Compromised by
– Free long distance calls by changing billing records
– Compromising or shutting down the organisation’s voice mail system
– Rerouting incoming, transferred or outgoing calls
– Gaining access to the voice mail boxes of employees

Page 15: Security fundamentals

Securing PBX systems

• Vulnerabilities
– Insecure or default passwords are used
– Older PBX systems don’t implement the latest security technology
– Lack of knowledge and security procedures: social engineering
– Remote management connections could be compromised
– Unused floors and offices may have active connections
• Protecting the PBX
– Physically secure PBX equipment
– Control access to the PBX wiring room and switching equipment
– Document the PBX configuration and connections
– Routinely check for unauthorised connections
– Secure offsite transfers (for updates) with passwords
– Use system exclusion lists to limit long distance calling
– Shut down services not required during off days and hours
– Educate users
– Enforce a PBX password change and audit policy
– Secure maintenance ports, limit entry ports, log all system access

Page 16: Security fundamentals

Securing modems

Compromising modems
• Can be used to circumvent firewall security
• Can be used to provide direct access to internal computers
• War dialling to discover computers with modems attached

Mitigation
• Remove all unnecessary modems
• If a modem is required for outgoing calls, make sure it is configured not to accept incoming calls
• Apply software and security updates to computers with modems
• Monitor security bulletins
• Isolate computers with modems to limit the damage
• Monitor computers with modems to ensure they have not been compromised

Page 17: Security fundamentals

Lesson summary

• What some TCP/IP layer attacks are, and the security practices that address them
• What some physical layer attacks are, and the security practices that address them
• The threats to network cabling and network devices, and practices for securing them