8/2/2019 Lecture9 - Network Security
Prasad Kularatne
Objectives
Apply the knowledge of the TCP/IP stack to understand basic network security architectures
We will start by understanding the types of basic network security vulnerabilities that exist at each layer of the TCP/IP stack
We will discuss common defences available for those vulnerabilities
We will end with a discussion of how defence mechanisms are typically deployed in a network
Motivation
Networked systems have a higher degree of exposure and threat than non-networked systems.
Risk = [Threat * Exposure * Vulnerability] * [Cost of consequence]
Threat: probability of an attack
Exposure: probability that a vulnerability is exposed to an attack
Vulnerability: probability of an exploitable vulnerability
Consequence: cost of a successful attack
Some terms
Spoofing: act of impersonating a trusted user or system (e.g. forging a source address)
Flooding: act of continuously sending packets to a target with the objective of bringing down one or more of its critical services
Masquerading: act of concealing network addresses from parties that have no need to know them
Sniffing: act of passively intercepting network traffic that is not intended for you
Snooping: unauthorized access to another person's or company's data
Layered approach
As we learnt, the OSI layered architecture is the cornerstone of understanding networked systems
In the same way, securing networked systems can be better understood in relation to the OSI model
We will examine the vulnerabilities posed at each layer and how to defend against them
Physical Layer
Physical theft or damage of data and hardware
Hijacking of video surveillance systems
Undetectable interception of data (e.g. tapping a cable or fibre)
Detection of typing patterns (from acoustic or electromagnetic emanations)
Social engineering
Use of the psychological weaknesses of human beings to get at the credentials
Signal disruption for wireless networks
Through deliberate EM interference, e.g. a microwave oven and a wireless LAN both operate at 2.4 GHz
Defending the Physical Layer
Electronic lock mechanisms with logging and detailed authorization
PIN- and password-secured locks
Biometric authentication schemes
Video and audio surveillance
With the necessary intrusion prevention
Electromagnetic shielding
Prevents interference
Prevents the use of EM radiation (emanations) for intrusion
Analysis of the wireless environment for possible interception points
Data Link Layer
ARP vulnerabilities (MAC-based vulnerabilities)
ARP spoofing (ARP cache poisoning)
MAC flooding
VLAN attacks: VLAN hopping
Attacker spoofs a legitimate switch (switch spoofing) or nests two 802.1Q tags (double tagging)
Spanning Tree attacks
Attacker becomes the root bridge by advertising a lower Bridge ID
ARP Spoofing
Source: Cisco Presentation Network attacks and mitigation by Krzysztof Zygis
What is Gratuitous ARP? An ARP message that a node sends for its own IP address (sender and target IP are the same), which causes other nodes to update the ARP cache entry for that address in their tables. Because ARP carries no authentication, an attacker can send gratuitous ARPs claiming a victim's IP (typically the default gateway's), so that the victims' traffic is redirected through the attacker.
MAC Flooding attacks
What is a CAM table? A table maintained by an L2 Ethernet switch that maps MAC addresses (with their VLAN) to switch ports. When an attacker floods frames with thousands of random source MACs, the table fills up; for destinations it can no longer look up, the switch floods frames out of every port, so the attacker can sniff traffic that would normally be switched only to the owner's port.
Source: Cisco Presentation Network attacks and mitigation by Krzysztof Zygis
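The two ARP/MAC attacks above leave a footprint that a passive monitor on a SPAN port can see: an IP address suddenly claimed by a different MAC (often via gratuitous ARP), and one switch port sourcing far more MAC addresses than a host ever would. The following is an added example, not code from the lecture or from the cited Cisco material: it parses raw Ethernet/ARP frames with the standard library and flags both conditions. All frames, MAC addresses and port names are constructed for the demo; the `mac_limit` threshold mirrors a port-security "maximum" and is an assumed value.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp(src_mac, sender_ip, target_ip, op=ARP_REPLY, dst_mac=BROADCAST):
    """Construct a raw Ethernet + ARP frame (constructed test input, not captured traffic).
    A gratuitous ARP is simply one where sender_ip == target_ip."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)                 # Ethernet, IPv4, hlen 6, plen 4
    arp += _mac_bytes(src_mac) + _ip_bytes(sender_ip)                  # sender hardware / protocol address
    arp += _mac_bytes("00:00:00:00:00:00") + _ip_bytes(target_ip)      # target hardware / protocol address
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(str(x) for x in frame[28:32])
    target_ip = ".".join(str(x) for x in frame[38:42])
    return op, _mac_str(frame[22:28]), sender_ip, target_ip


class L2Monitor:
    """Passive monitor fed with (switch port, frame) pairs, e.g. from a SPAN session."""

    def __init__(self, mac_limit=8):
        self.bindings = {}                  # IP -> first MAC seen claiming it
        self.port_macs = defaultdict(set)   # port -> distinct source MACs seen
        self.mac_limit = mac_limit          # like port-security 'maximum' on a switch (assumed value)

    def observe(self, port, frame):
        alerts = []
        src_mac = _mac_str(frame[6:12])
        self.port_macs[port].add(src_mac)
        seen = len(self.port_macs[port])
        if seen > self.mac_limit:
            alerts.append(f"MAC flooding suspected on {port}: {seen} source MACs")
        arp = parse_arp(frame)
        if arp is None:
            return alerts
        op, sender_mac, sender_ip, target_ip = arp
        if sender_mac != src_mac:                      # ARP body disagrees with the Ethernet header
            alerts.append(f"ARP sender {sender_mac} != frame source {src_mac} on {port}")
        known = self.bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            kind = "gratuitous ARP" if sender_ip == target_ip else f"ARP op {op}"
            alerts.append(f"ARP poisoning suspected: {sender_ip} was {known}, "
                          f"now claimed by {sender_mac} ({kind}, {port})")
        return alerts


def run_demo():
    """Replay a constructed sequence: the real gateway announces itself, then an attacker
    on another port poisons the gateway IP and floods random source MACs."""
    mon = L2Monitor(mac_limit=3)
    alerts = mon.observe("Gi0/1", build_arp("00:11:22:33:44:01", "10.0.0.1", "10.0.0.1"))
    alerts += mon.observe("Gi0/5", build_arp("de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.1"))
    for i in range(5):   # flooding: each frame carries a fresh source MAC
        alerts += mon.observe("Gi0/5", build_arp(f"02:00:00:00:00:{i:02x}", f"10.0.0.{100 + i}", "10.0.0.254"))
    return alerts
```

`run_demo()` produces one poisoning alert (the gateway IP moves from the real MAC to the attacker's) and three flooding alerts (the fourth, fifth and sixth MACs on Gi0/5 exceed the limit). A real deployment would age the bindings and learn the initial IP-to-MAC table from DHCP snooping rather than from the first ARP it happens to see.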
VLAN Hopping attacks
The attacker spoofs a switch by emulating a trunk port (negotiating a trunk with the real switch)
The attacker then becomes a member of all VLANs
A trunk port carries traffic belonging to all VLANs
The attacker can access devices in any VLAN!
Source: Cisco Presentation Hacking the L-2: Fun with Ethernet switches by Sean Convery
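The double-tagging variant named on the Data Link Layer slide needs no trunk negotiation at all: it abuses the rule that frames in a trunk's native VLAN travel untagged. The model below is an added example, not code from the lecture or the cited presentation; it builds an 802.1Q frame with two tags and pushes it through a simplified two-switch path so the effect of tagging the native VLAN (or moving it to an unused VLAN) can be checked. The switch behaviour is a deliberately reduced model, and the MAC addresses and VLAN numbers are assumed.

```python
import struct

TPID = 0x8100   # 802.1Q tag protocol identifier


def build_frame(dst, src, vlans, ethertype=0x0800, payload=b"payload"):
    """Ethernet frame carrying zero or more 802.1Q tags, outermost first (constructed input)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        hdr += struct.pack("!HH", TPID, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def outer_vlan(frame):
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Attacker's access port: a tag for the port's own VLAN is accepted and removed;
    everything after it is forwarded unchanged as a member of access_vlan."""
    if outer_vlan(frame) == access_vlan:
        frame = pop_tag(frame)
    return access_vlan, frame


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """Switch 1 forwards a frame of `vlan` onto the trunk. Classic behaviour:
    the native VLAN leaves untagged, which is exactly what double tagging abuses."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2 classifies a frame arriving on the trunk: untagged means native VLAN."""
    vid = outer_vlan(frame)
    if vid is None:
        return native_vlan, frame
    return vid, pop_tag(frame)


def deliver(frame, access_vlan, native_vlan, tag_native=False):
    """Return (VLAN in which switch 2 delivers the frame, any tag still left inside it)."""
    vlan, f = access_ingress(frame, access_vlan)
    f = trunk_egress(f, vlan, native_vlan, tag_native)
    vlan, f = trunk_ingress(f, native_vlan)
    return vlan, outer_vlan(f)


# Attacker sits on an access port in VLAN 1 and aims at a host in VLAN 20.
ATTACK = build_frame("00:00:5e:00:53:20", "02:00:00:00:00:aa", vlans=[1, 20])


def demo():
    return {
        "native=1, native untagged (vulnerable)": deliver(ATTACK, 1, 1),
        "native=1, native VLAN tagged": deliver(ATTACK, 1, 1, tag_native=True),
        "native moved to unused VLAN 999": deliver(ATTACK, 1, 999),
    }
```

In the vulnerable configuration the frame is delivered in VLAN 20 with no tag left, i.e. the hop succeeded. With the native VLAN tagged, or with the access VLAN no longer the trunk's native VLAN, switch 2 classifies the frame into VLAN 1 and the inner tag 20 is just stray bytes inside a VLAN 1 frame. Note the attack is one-way: replies from VLAN 20 are not routed back to the attacker, which is why it is mostly used for injection and denial of service.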
STP attacks
Hacker will take control of the spanning tree by becoming theroot bridge
Defending the Data Link Layer
Countering ARP attacks
Use static ARP caches
Bind MAC addresses to the port of the switch (port security)
VLANs are not ideal for enforcing security boundaries
Different security segments should be protected using firewalls, or at least switch- or router-level access lists
Disable the feature that allows a switch to automatically trunk itself with another without any security control (dynamic trunk negotiation)
Enable Spanning-Tree Protocol attack mitigation
BPDU Guard, Root Guard
Network Layer
Most IP routers have only elementary-level security
Two peers may exchange routing information securely, but there is no means to validate routes that may have propagated from untrusted parts of the network
Attacks on routers
Password attacks
Buffer overflows and denial of service
IP spoofing attacks
The attacker sends packets to a computer with the source address of a trusted system
Many network services use IP-address-based authentication (e.g. access lists keyed on the source address)
If the IP address is spoofed, such services are vulnerable
IP Spoofing
The attacker generates packets with the source address of Victim X
Victim V sends its responses to that source address, so they reach the real owner, Victim X
Victim X, knowing that it did not initiate such a connection, discards the packets (for TCP, it answers with a RST)
By doing this continuously, the attacker can keep both Victim X and Victim V busy, which may lead to denial of service
Diagram Source: TCP/IP Security attacks by Raj Jain, 2007
IP Spoofing + Guessing SN
Spoofing the IP and successfully guessing the TCP sequence number of an ongoing communication may allow the attacker to communicate with a secure host unauthenticated
Acquire a target
Acquire the IP address of a machine the target trusts
Disable communication of the trusted machine (e.g. by SYN flooding it), so that it cannot reset the spoofed connection
Sample communication between the target and trusted hosts
Guess the sequence numbers the target will use for the trusted machine
Modify the packet headers so that the packets appear to come from the trusted host with an acceptable sequence number
Establish the connection to the target
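Why the "guess the sequence number" step works at all comes down to how the target generates its Initial Sequence Number. The following is an added example (not from the lecture) that runs the slide's procedure against two hypothetical generators: one that advances by a fixed step per connection, as early BSD stacks did, and one built the way RFC 6528 recommends, clock plus a keyed hash of the connection 4-tuple. The attacker samples two ISNs from its own connections, extrapolates, and then needs the exact ISN the target sends to the silenced trusted host in order to ACK it. Addresses, ports and the step size are assumed values.

```python
import hashlib
import hmac
import os
import time

MASK32 = 0xFFFFFFFF


class PredictableISN:
    """Hypothetical old-style generator: the ISN advances by a fixed step per
    connection, regardless of who is connecting."""

    def __init__(self, seed=None, step=64000):
        self.value = seed if seed is not None else int.from_bytes(os.urandom(4), "big")
        self.step = step

    def next(self, src, sport, dst, dport):      # the 4-tuple is ignored
        self.value = (self.value + self.step) & MASK32
        return self.value


class RandomisedISN:
    """RFC 6528-style generator: ISN = M + F(4-tuple, secret), where M is a
    clock value and F a keyed hash, so ISNs for different peers are unrelated."""

    def __init__(self, secret=None, clock=time.monotonic):
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = clock

    def next(self, src, sport, dst, dport):
        m = int(self.clock() * 250_000) & MASK32   # 4 microsecond tick, as in the RFC
        tag = hmac.new(self.secret, f"{src}:{sport}>{dst}:{dport}".encode(), hashlib.sha256).digest()
        return (m + int.from_bytes(tag[:4], "big")) & MASK32


def predict_next(samples):
    """Attacker's model after sampling: extrapolate the last observed increment."""
    delta = (samples[-1] - samples[-2]) & MASK32
    return (samples[-1] + delta) & MASK32


def spoof_attempt(gen, target="10.0.0.5", trusted="10.0.0.9", attacker="203.0.113.7"):
    """One run of the slide's procedure. The attacker opens two real connections
    from its own address to sample ISNs, then must hit the exact ISN the target
    will send to the trusted host, because the spoofed ACK has to carry ISN+1."""
    samples = [gen.next(target, 513, attacker, 40000 + i) for i in range(2)]
    guess = predict_next(samples)
    actual = gen.next(target, 513, trusted, 1023)    # the SYN-ACK the attacker never sees
    return guess == actual


def success_rate(make_gen, trials=200):
    """Fraction of spoofed handshakes that would complete, each against a fresh generator."""
    return sum(spoof_attempt(make_gen()) for _ in range(trials)) / trials
```

Against `PredictableISN` every attempt succeeds; against `RandomisedISN` the per-attempt chance is 2^-32, and sampling from the attacker's own address reveals nothing about the value chosen for the trusted host's 4-tuple. Real generators in between these extremes (time-based with a small random component) are why the classic attack also needed a sampling step and a burst of guesses.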
Defending the Network Layer
Route policy filters: use strict anti-spoofing and route filters at network edges (drop packets arriving from outside with an internal source address, and packets leaving with a source address that is not yours)
Firewalls with strong filters
We will discuss this in detail later
Good password policy on routers
Install the latest security fixes
Shut down unused services on routers
Restrict access to routers (management interfaces)
Authenticity and confidentiality at the network layer
IPsec protocol
Transport Layer: Attacks
Mostly try to exploit the known behaviour of transport layer protocols
TCP connection establishment and sequence numbering
TCP connection reset
TCP options and their behaviour
TCP port scanning
Almost always done by an attacker as preparation for an attack: what services can I exploit on my attack target?
OS fingerprinting
There are slight variations in TCP implementations between OSs (e.g. initial window size, default TTL, option ordering); detect these variations through TCP interactions and deduce the OS
TCP Port Scanning
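The slide's figure is not reproduced here, so as an added example (not code from the lecture) here is the simplest scan type in working form: a TCP connect scan, which infers each port's state from how the handshake ends. To keep it self-contained it brings up two throwaway listeners on loopback as stand-in services and scans the ports around them; the host, port range and timeout are assumed values.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def start_listener(host="127.0.0.1", port=0):
    """Stand-in for a real service: a TCP listener on loopback. Returns (socket, bound port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))          # port 0: let the OS pick a free one
    s.listen(8)
    return s, s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Connect scan of one port. The state is inferred from how the handshake ends:
    completed -> open; RST (ECONNREFUSED) -> closed, host is up but nothing listens;
    no answer before the timeout -> filtered, something is silently dropping the SYN."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return port, "open"
        except ConnectionRefusedError:
            return port, "closed"
        except (socket.timeout, OSError):
            return port, "filtered"


def scan(host, ports, workers=32):
    """Scan the given ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: probe(host, p), ports))


def demo():
    """Bring up two listeners, scan the surrounding port range, and return
    (scan result, set of ports that were really open)."""
    listeners = [start_listener() for _ in range(2)]
    expected_open = {p for _, p in listeners}
    lo, hi = min(expected_open) - 3, max(expected_open) + 3
    try:
        result = scan("127.0.0.1", range(lo, hi + 1))
    finally:
        for s, _ in listeners:
            s.close()
    return result, expected_open
```

A connect scan completes the three-way handshake, so every open port's application sees an accepted connection and the scan is easy to log; the SYN ("half-open") scan that tools such as nmap default to sends a raw SYN and classifies the reply (SYN-ACK versus RST versus silence) without ever completing the handshake, which needs raw-socket privileges. On loopback nothing filters, so `demo()` only ever reports open or closed.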
Transport Layer: Attacks
TCP session hijacking (connection spoofing)
First spoof a trusted IP (the victim): IP spoofing
Determine the TCP sequence number of the ongoing interaction (victim and attack target)
Flood the victim so that it cannot respond
Enjoy a TCP session with your attack target
DoS attacks: SYN flood, ACK flood, RST attacks etc.
TCP Session Hijacking
Diagram Source: Introduction to Network Security, Dr. Doug Jacobson, 2009
The attacker may include malicious commands in the DATA sent to the server, possibly causing it to crash or to send out sensitive information
SYN Flood
For each SYN received by Victim V from the attacker (V thinks it comes from the trusted Victim X, or from any other spoofed source)
It allocates buffer space and an entry in the connection table (a half-open connection) and retransmits its SYN-ACK while waiting for the final ACK, which never arrives
Continuously sending these bogus SYN packets can exhaust Victim V's connection table, so that legitimate connections are refused
Diagram Source: TCP/IP Security attacks by Raj Jain, 2007
RST Attack
Source: Introduction to Network Security, Dr. Doug Jacobson, 2009
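The RST attack in the figure depends on a detail of the receiver: under RFC 793 any RST whose sequence number falls inside the receive window tears the connection down, so an off-path attacker who knows the 4-tuple only has to sweep the 32-bit space one window at a time. RFC 5961 narrowed this to an exact match on RCV.NXT, answering other in-window RSTs with a challenge ACK that only the genuine peer can respond to. As an added example (not the lecture's or Jacobson's code), the model below implements both receiver variants and runs the same blind sweep against each; the sequence number and window size are assumed values.

```python
WRAP = 1 << 32


class TcpReceiver:
    """Receive side of one established TCP connection, modelling only the RST check.
    strict=False: RFC 793 behaviour, any in-window RST is honoured.
    strict=True:  RFC 5961 behaviour, only an RST at exactly RCV.NXT resets;
                  an in-window RST elsewhere triggers a challenge ACK instead."""

    def __init__(self, rcv_nxt, rcv_wnd, strict=False):
        self.rcv_nxt, self.rcv_wnd, self.strict = rcv_nxt, rcv_wnd, strict
        self.state = "ESTABLISHED"
        self.challenge_acks = 0

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % WRAP < self.rcv_wnd

    def on_rst(self, seq):
        if not self.in_window(seq):
            return "dropped"
        if self.strict and seq != self.rcv_nxt:
            self.challenge_acks += 1      # the real peer would answer with an RST at the right seq; a spoofer cannot
            return "challenge-ack"
        self.state = "CLOSED"
        return "reset"


def blind_reset(receiver, step):
    """Off-path attacker who knows the 4-tuple but not the sequence number sweeps the
    32-bit space `step` bytes at a time (step = the victim's window is the optimal
    stride). Returns the number of RSTs sent before the connection died, or None."""
    for k in range(WRAP // step + 1):
        if receiver.on_rst((k * step) % WRAP) == "reset":
            return k + 1
    return None


def demo(rcv_nxt=0x12345678, rcv_wnd=65535):
    old = TcpReceiver(rcv_nxt, rcv_wnd, strict=False)
    new = TcpReceiver(rcv_nxt, rcv_wnd, strict=True)
    return {
        "rfc793_rsts_until_reset": blind_reset(old, rcv_wnd),
        "rfc793_state": old.state,
        "rfc5961_rsts_until_reset": blind_reset(new, rcv_wnd),
        "rfc5961_state": new.state,
        "rfc5961_challenge_acks": new.challenge_acks,
        "worst_case_guesses_rfc793": WRAP // rcv_wnd + 1,
        "worst_case_guesses_rfc5961": WRAP,
    }
```

With a 64 KiB window the RFC 793 receiver dies after a few thousand spoofed RSTs (at most about 65,537), which is feasible on long-lived sessions such as BGP peerings; the strict receiver survives the whole sweep and emits exactly one challenge ACK. Real stacks additionally rate-limit challenge ACKs, and the attacker still has to know or guess the client's source port.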
Defending the Transport Layer
SYN flood attacks
Using a SYN proxy
Before committing resources for the received SYN, let a proxy (or SYN cookies in the host's own stack) decide whether the connection will actually be established
Clean-up of half-open connections (shorter timeouts, limited backlog per source)
Most OSs support this today and it can be enabled as a network option (e.g. net.ipv4.tcp_syncookies on Linux)
TCP session hijacking
Generate the TCP Initial Sequence Number (ISN) in an unpredictable way (RFC 6528)
Confidentiality at the transport layer
SSL and TLS
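SYN cookies are the host-side form of "decide before committing resources": the server encodes everything it needs into the SYN-ACK's sequence number, keeps no half-open entry, and allocates connection state only when an ACK returns with a valid cookie. The following is an added example, not code from the lecture or from any operating system; it follows the usual layout (5-bit timestamp, 3-bit MSS index, 24-bit keyed hash), with the MSS table, epoch length, secret and addresses all being assumed values.

```python
import hashlib
import hmac
import os
import time

MASK32 = 0xFFFFFFFF
MSS_TABLE = (536, 1220, 1440, 1460)   # 3-bit index into common MSS values (this example's own table)
EPOCH = 64                            # seconds per cookie timestamp tick


class SynCookieListener:
    """Server side of a SYN-cookie handshake: nothing is stored per SYN; the
    SYN-ACK's sequence number *is* the cookie, and a connection entry is created
    only when a valid ACK proves the client really received that SYN-ACK."""

    def __init__(self, secret=None, clock=time.time):
        self.secret = secret if secret is not None else os.urandom(32)
        self.clock = clock
        self.established = {}      # 4-tuple -> negotiated MSS

    def _tick(self):
        return int(self.clock() // EPOCH) & 0x1F            # 5-bit timestamp

    def _mac(self, src, sport, dst, dport, client_isn, tick, mss_idx):
        msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{tick}|{mss_idx}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]   # 24-bit tag

    def on_syn(self, src, sport, dst, dport, client_isn, mss):
        """Return the sequence number to put in the SYN-ACK. No state is kept."""
        tick = self._tick()
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        mac = self._mac(src, sport, dst, dport, client_isn, tick, mss_idx)
        return (tick << 27) | (mss_idx << 24) | int.from_bytes(mac, "big")

    def on_ack(self, src, sport, dst, dport, client_isn, ack):
        """Validate the final ACK (client_isn is the ACK's own seq minus one);
        only a valid cookie allocates connection state."""
        cookie = (ack - 1) & MASK32
        tick, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
        if (self._tick() - tick) & 0x1F > 1:                  # older than two ticks: stale or forged
            return False
        expected = self._mac(src, sport, dst, dport, client_isn, tick, mss_idx)
        if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return False
        self.established[(src, sport, dst, dport)] = MSS_TABLE[mss_idx]
        return True


def demo(clock=lambda: 1_000_000.0):
    """Constructed scenario: a spoofed-source SYN flood, then one honest client, then a forged ACK."""
    srv = SynCookieListener(secret=b"example-secret", clock=clock)
    for i in range(10_000):                                   # flood: 10k SYNs, nothing allocated
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, "10.0.0.5", 80, client_isn=i * 7919, mss=1460)
    flood_state = len(srv.established)
    cookie = srv.on_syn("192.0.2.10", 40001, "10.0.0.5", 80, client_isn=0xABCDEF, mss=1440)
    ok = srv.on_ack("192.0.2.10", 40001, "10.0.0.5", 80, client_isn=0xABCDEF, ack=(cookie + 1) & MASK32)
    forged = srv.on_ack("192.0.2.10", 40002, "10.0.0.5", 80, client_isn=1, ack=(cookie + 1) & MASK32)
    return flood_state, ok, forged, srv.established.get(("192.0.2.10", 40001, "10.0.0.5", 80))
```

The flood leaves the connection table empty, the honest client is admitted with its MSS recovered from the cookie, and an ACK replayed under a different source port fails the keyed hash. The price of this design is that TCP options other than MSS (window scaling, SACK, timestamps) are forgotten with the SYN, which is why Linux only switches to cookies once the backlog is full.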
Defending the Transport Layer Cntd
Strict firewall rules
Limit access to specific transport protocols and sub-protocol information: TCP/UDP port number or ICMP type
Stateful inspection at the firewall layer, preventing out-of-state packets and illegal flag combinations from entering the perimeter
What is a Firewall?
Literally, a wall that stops or slows the progress of a fire, providing protection at a boundary
In networking, a security boundary between networks of differing trust and security levels, enforcing a network-level access control policy
Must be un-bypassable, tamperproof and analyzable (the reference monitor properties)
Makes decisions to allow or disallow passage of packets according to a specified firewall policy
Control point where security and audit can be imposed
Limits exposure
Partitions the network (security domains)
Minimizes damage
Firewall policies
The firewall policy is defined in line with your security policy
How should I control traffic?
Specify a set of rules the firewall should apply to incoming and outgoing traffic (typically evaluated first match wins, with a default deny)
Types of firewalls
Packet filters
Packet-by-packet inspection (stateless)
Source/destination IP, protocol, and if TCP/UDP the source/destination port
Stateful inspection firewalls
Inspect TCP flags to determine the connection state and track each connection, so return traffic is admitted only for connections that were legitimately opened
Application proxies
Terminate and re-establish the connection
Examine beyond the TCP and IP header information
Filter the content sent in the payload
Personal firewalls
Protection for endpoints
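The practical difference between the first two types, and the anti-spoofing filter from the network-layer slide, is easiest to see by running the same packets through both. The following is an added example, not the lecture's or any vendor's code: a tiny rule engine in which the stateless filter must keep a standing hole for "replies from a web server's port", while the stateful variant admits return traffic only from its connection table, rejects out-of-state packets and drops illegal flag combinations. Addresses, the internal prefix, the interface names and the policy are all assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE_NET = ip_network("10.0.0.0/8")        # hypothetical internal address space
ILLEGAL_TCP_FLAGS = (frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"}), frozenset())   # SYN/FIN, SYN/RST, NULL


@dataclass(frozen=True)
class Packet:
    iface: str                        # interface it arrived on: "inside" or "outside"
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags; empty for other protocols


@dataclass(frozen=True)
class Rule:
    action: str
    iface: str
    proto: str                        # "any" matches every protocol
    src: str                          # CIDR
    sport: Optional[int]              # None = any port
    dst: str
    dport: Optional[int]


def rule_matches(rule, pkt):
    return (rule.iface == pkt.iface and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))


def anti_spoof_ok(pkt):
    """Edge anti-spoofing (BCP 38 style): inside addresses never arrive from outside,
    and only inside addresses enter through the inside interface."""
    return (ip_address(pkt.src) in INSIDE_NET) == (pkt.iface == "inside")


def stateless_filter(rules, pkt):
    """Packet filter: first matching rule wins, default drop."""
    if not anti_spoof_ok(pkt):
        return "drop"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"


class StatefulFirewall:
    """Same policy language, but return traffic is admitted from a connection table."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()     # (proto, src, sport, dst, dport) of accepted connection openers

    def filter(self, pkt):
        if not anti_spoof_ok(pkt):
            return "drop"
        if pkt.proto == "tcp" and pkt.flags in ILLEGAL_TCP_FLAGS:
            return "drop"                                  # illegal flag combination
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns or reverse in self.conns:
            return "accept"                                # belongs to a known connection
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "drop"                                  # out of state: no connection and not an opener
        verdict = stateless_filter(self.rules, pkt)
        if verdict == "accept":
            self.conns.add(key)
        return verdict


POLICY = [
    Rule("accept", "inside", "any", "10.0.0.0/8", None, "0.0.0.0/0", None),     # clients may go out
    Rule("accept", "outside", "tcp", "0.0.0.0/0", None, "10.0.0.80/32", 443),    # published web server
]
# A stateless filter cannot tell replies from fresh packets, so it needs a standing
# hole for "anything from a web server's port", which any attacker can satisfy.
STATELESS_POLICY = POLICY + [
    Rule("accept", "outside", "tcp", "0.0.0.0/0", 80, "10.0.0.0/8", None),
    Rule("accept", "outside", "tcp", "0.0.0.0/0", 443, "10.0.0.0/8", None),
]


def flags(*names):
    return frozenset(names)


def demo():
    """Replay a constructed packet sequence through both designs; returns {case: (stateless, stateful)}."""
    fw = StatefulFirewall(POLICY)
    cases = [
        ("client opens to web", Packet("inside", "tcp", "10.0.1.5", 51000, "203.0.113.9", 80, flags("SYN"))),
        ("web server replies", Packet("outside", "tcp", "203.0.113.9", 80, "10.0.1.5", 51000, flags("SYN", "ACK"))),
        ("attacker, sport 80 -> ssh", Packet("outside", "tcp", "198.51.100.7", 80, "10.0.1.5", 22, flags("ACK"))),
        ("spoofed inside source", Packet("outside", "tcp", "10.0.1.5", 4444, "10.0.0.80", 443, flags("SYN"))),
        ("SYN/FIN to web server", Packet("outside", "tcp", "198.51.100.7", 5555, "10.0.0.80", 443, flags("SYN", "FIN"))),
        ("normal SYN to web server", Packet("outside", "tcp", "198.51.100.7", 5556, "10.0.0.80", 443, flags("SYN"))),
    ]
    return {name: (stateless_filter(STATELESS_POLICY, p), fw.filter(p)) for name, p in cases}
```

Both designs pass the client's outbound SYN and the server's reply, and both drop the packet with a spoofed inside source. They part ways on the attacker's ACK from source port 80 aimed at an internal SSH port (the stateless hole lets it in, the stateful engine has no matching connection) and on the SYN/FIN probe (only the stateful engine checks flag legality). A production engine would also expire entries on FIN/RST and on timeout, and track UDP and ICMP pseudo-connections.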
Firewall configuration
Determine trust zones
Determine the ports that need opening
Determine the packet type (TCP/UDP)
Determine the direction of packet flow
Determine any limitations you can set on source/destination addresses
Advanced Firewall capabilities
Authentication and access control
Deep packet inspection
Network Address Translation
Load balancing (among Internet servers), redundancy and fail-over
Virtual Private Networks
Use traffic encryption to obtain a service equivalent to a dedicated link over the Internet
Require high levels of confidentiality, integrity and authentication of the communicating parties
May use IPsec, PPTP, L2TP or other methods (PPTP's MS-CHAPv2 authentication is broken and it should not be used today; L2TP provides no encryption by itself and is normally run over IPsec)
Firewall Challenges
Firewalls are not the ultimate solution
Attacks/intrusions through legitimate traffic (e.g. an exploit carried in an allowed HTTP request)
Software bugs and misconfiguration
Insider threats
Phishing attacks, browser exploits
Threats from compromised mobile devices (laptops) carried inside the perimeter
Social engineering
Exploits the ignorance, insecurity and fear of people
An increasingly common psychological technique
Network Security design practices
Segmenting the network
Different network segments/zones for different applications
Threats cannot grow to unmanageable proportions, because a compromise stays contained in its segment
Good defence at the perimeter
Powerful defence at the entrance to each segment
HIPS
Intrusion prevention on each desktop and server
Network containment
Keep the network simple and within known extents
Wireless environments (treat them as an untrusted segment)
Wireless environments
Network Segmentation example
Source: Practical Network Security, Linkoping University, 2007
Network Containment
Source: Practical Network Security, Linkoping University, 2007