Isit328 2019 PPT 05 Secure Networks


Chapter 4

© 2015 Pearson Education Ltd.


} Creating secure networks – the complexities
} LAN access controls keep foreign hosts out of the internal network
} LAN access controls: why are they important for organisations?
◦ ARP poisoning; ARP DoS attack
} How do you secure Ethernet networks?
} Describe wireless (WLAN) security standards.
} What potential attacks can be staged against wireless networks?
} Denial-of-service (DoS) attacks – how do they work?
4.1 Introduction
4.3 ARP Poisoning
4.4 Access Control for Networks
4.5 Ethernet Security
4.6 Wireless Security
4.2 Denial-of-Service (DoS) Attacks *(next week)



} Cryptography provides confidentiality, authenticity, and message integrity
} Modern networks have additional vulnerabilities
◦ The means of delivering the messages could be stopped, slowed, or altered
◦ The route the messages took could be altered
◦ Messages could be redirected to false recipients
◦ Attackers could gain access to communication channels that were previously considered closed and confidential



Goals of Creating Secure Networks
1. Availability—users have access to information
services and network resources
2. Confidentiality—prevent unauthorized users from
gaining information about the network
3. Functionality—preventing attackers from altering
the capabilities or normal operation of the network
4. Access control—keep attackers or unauthorized
employees from accessing internal resources



} The “castle” model
◦ Good guys on the inside, attackers on the outside, and a well-guarded point of entry

} Death of the Perimeter
◦ It is impractical, if not impossible, to force all information in an organization through a single point in the network
◦ New means of attacking networks (e.g., smart phones) are constantly emerging
– BYOD – bring your own device
◦ Line between “good guys” and “bad guys” has become blurred
} The “city” model
◦ No distinct perimeter, and there are multiple ways
of entering the network
◦ Like a real city, who you are will determine which
buildings you will be able to access
◦ Greater need for:
– Internal intrusion detection
– Virtual LANs
– Central authentication servers
– Encrypted internal traffic



} ARP Poisoning
◦ Network attack that manipulates host ARP tables
to reroute local-area network (LAN) traffic
◦ Possible man-in-the-middle attack
◦ Requires an attacker to have a computer on the
local network
◦ An attack on both the functionality and
confidentiality of a network



} Address Resolution Protocol (ARP)
◦ Used to resolve 32-bit IP addresses (e.g.,
55.91.56.21) into 48-bit local MAC addresses (e.g.,
01-1C-23-0E-1D-41)
◦ ARP tables store resolved addresses (below)

} The problem: ARP requests and replies do NOT require authentication or verification
◦ All hosts trust all ARP replies
◦ ARP spoofing uses false ARP replies to map any IP address to any MAC address
◦ An attacker can manipulate ARP tables on all LAN hosts
◦ The attacker must send a continuous stream of unsolicited ARP replies
◦ Leads to man-in-the-middle (MITM) attacks

} ARP DoS Attack
◦ Attacker sends all internal hosts a continuous
stream of unsolicited spoofed ARP replies saying
the gateway (10.0.0.4) is at E5-E5-E5-E5-E5-E5
(Step 1)
◦ Hosts record the gateway’s IP address and
nonexistent MAC address (Step 2)
◦ The switch receives packets from internal hosts
addressed to E5-E5-E5-E5-E5-E5 but cannot
deliver them because the host does not exist
◦ Packets addressed to E5-E5-E5-E5-E5-E5 are
dropped
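The two symptoms the slides describe (an IP's MAC binding changing, and a continuous stream of replies nobody requested) are exactly what a defender can watch for. The detector below is an added example, not part of the slides; the gateway IP 10.0.0.4 and the bogus MAC E5-E5-E5-E5-E5-E5 come from the ARP DoS slide, while all other addresses, timestamps and thresholds are constructed.

```python
"""Flag ARP-poisoning symptoms in a stream of ARP frames.

Added example, not part of the slides. The gateway IP 10.0.0.4 and the
bogus MAC E5-E5-E5-E5-E5-E5 are the slide's values; every other address
and all timestamps are constructed.
"""
from collections import defaultdict

GATEWAY_IP = "10.0.0.4"
GATEWAY_MAC = "00-1A-2B-3C-4D-5E"          # constructed: the real gateway NIC
BOGUS_MAC = "E5-E5-E5-E5-E5-E5"            # slide: MAC that no host owns


def arp(t_ms, op, spa, sha, tpa):
    """One ARP frame: time in ms, 'request' or 'reply', sender IP, sender MAC, target IP."""
    return {"t": t_ms, "op": op, "spa": spa, "sha": sha, "tpa": tpa}


def analyze(frames, trusted, window_ms=10_000, flood_threshold=20):
    """Return alerts. 'mac-change': a reply binds an IP to a MAC other than
    the one we trust or first saw. 'unsolicited-flood': one (IP, MAC) sends
    flood_threshold replies nobody asked for within window_ms, which is the
    continuous stream of unsolicited replies the slides describe."""
    known = dict(trusted)                  # IP -> MAC we believe (static seed)
    pending = {}                           # (asker IP, asked IP) -> request time
    unsolicited = defaultdict(list)        # (IP, MAC) -> recent reply times
    reported, alerts = set(), []
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["op"] == "request":
            pending[(f["spa"], f["tpa"])] = f["t"]
            continue
        asked = pending.pop((f["tpa"], f["spa"]), None)
        solicited = asked is not None and f["t"] - asked <= window_ms
        old = known.setdefault(f["spa"], f["sha"])   # never overwrite a binding
        if old != f["sha"] and (f["spa"], f["sha"]) not in reported:
            reported.add((f["spa"], f["sha"]))
            alerts.append(("mac-change", f["spa"], old, f["sha"], f["t"]))
        if not solicited:
            times = unsolicited[(f["spa"], f["sha"])]
            times.append(f["t"])
            while f["t"] - times[0] > window_ms:         # keep only the window
                times.pop(0)
            if len(times) == flood_threshold:            # alert once per window fill
                alerts.append(("unsolicited-flood", f["spa"], f["sha"], f["t"]))
    return alerts


# Constructed traffic: a normal request/reply pair for the gateway, then the
# ARP DoS stream from the slide: 30 unsolicited replies in 0.3 s claiming the
# gateway is at a MAC that does not exist.
SAMPLE = [
    arp(0, "request", "10.0.0.7", "00-AA-BB-CC-DD-07", GATEWAY_IP),
    arp(100, "reply", GATEWAY_IP, GATEWAY_MAC, "10.0.0.7"),
] + [arp(5000 + 10 * i, "reply", GATEWAY_IP, BOGUS_MAC, "10.0.0.7") for i in range(30)]

TRUSTED = {GATEWAY_IP: GATEWAY_MAC}        # e.g. from a static ARP entry


if __name__ == "__main__":
    for alert in analyze(SAMPLE, TRUSTED):
        print(alert)
```

Run on the constructed sample it raises one mac-change alert (the gateway moving to the nonexistent MAC) and one unsolicited-flood alert once the 20th unrequested reply arrives; the legitimate request/reply pair alone raises nothing.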

} The process whereby a switch broadcasts an ARP request to all connected devices (except the port on which the ARP request was received) is at the heart of MAC address flooding

[Figure: a switch with ports FE0/1 to FE0/8, an incoming ARP request, and the switch's MAC address table]


} MAC address flooding exploits the limited size of the MAC address table
} False MAC addresses are sent via ARP requests by a rogue machine to a switch
} At some point the MAC address table overflows
} When this occurs the switch acts like a hub, forwarding all traffic out of all ports.
} As long as the attacker continues to flood the network with false MAC addresses, network performance is compromised



} Preventing ARP Poisoning
◦ Static ARP tables are manually set
– Most organizations are too large, change too
quickly, and lack the experience to effectively
manage static IP and ARP tables

} It is possible to control the way people connect to
your infrastructure.
} It is possible to apply security and management
measures to individual ports



} Access to the LAN can be controlled by configuring each switch interface.
} It is also good practice to shut down all switch interfaces that are not used
} Specified ports can also be configured as trusted sources, say for DHCP responses (i.e. DHCP responses arriving on non-designated ports close the port down)



} It is possible to control the way people connect to your infrastructure.
} It's possible to apply security measures to individual ports
} After setting ports to access mode you are able to apply the following commands:



S1(config-if)#interface fa0/18
} This command specifies port f0/18 as the port that you want to

S1(config-if)#switchport mode access
} This command sets this interface as an access port.

S1(config-if)#switchport port-security
} This command enables port security

S1(config-if)#switchport port-security maximum 1
} To configure the port to learn only one MAC address, set the maximum to 1

S1(config-if)#switchport port-security mac-address sticky
} The MAC address learned on the port can be added to ("stuck" to) the running configuration for that port.
} What would you like the port to do when sensing a security violation? You have these choices:

Violation   Forwards   Sends SNMP   Sends SysLog   Displays Error   Increases Violation   Shuts Down
Mode        traffic    Trap         Message        Message          Counter               Port
Protect     No         No           No             No               No                    No
Restrict    No         Yes          Yes            No               Yes                   No
Shutdown    No         Yes          Yes            No               Yes                   Yes


S1(config-if)#switchport port-security violation shutdown
} If you do not configure this command, S1 only logs the violation in syslog but does not shut down the port.
} (syslog is a standard for computer message logging for the purpose of network management)


Security Management
NW Management

Violation   Forwards   Sends SNMP   Sends SysLog   Displays Error   Increases Violation   Shuts Down
Mode        traffic    Trap         Message        Message          Counter               Port
Protect     No         No           No             No               No                    No
Restrict    No         Yes          Yes            No               Yes                   No
Shutdown    No         Yes          Yes            No               Yes                   Yes
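The MAC flooding slides and the port-security commands above describe two sides of one mechanism: a switch table of bounded size that a rogue host can fill, and a per-port limit that stops it. The model below is an added example, not the slides' or any vendor's code; the table size of 8 entries, the port names and every MAC address are constructed, and the violation-mode behaviour follows the table above.

```python
"""Bounded switch MAC table: MAC flooding with and without port security.

Added example, not the slides' code. Table size (8), port names and MAC
addresses are constructed; violation modes follow the slides' table.
"""


class PortSecurity:
    """switchport port-security maximum N ... violation MODE, on one port."""

    def __init__(self, maximum=1, violation="shutdown"):
        self.maximum, self.violation = maximum, violation
        self.learned, self.violations, self.shutdown = set(), 0, False

    def admit(self, mac):
        """Return True if a frame from `mac` may enter this port."""
        if self.shutdown:
            return False                         # err-disabled: nothing enters
        if mac in self.learned or len(self.learned) < self.maximum:
            self.learned.add(mac)                # "sticky" learned address
            return True
        if self.violation in ("restrict", "shutdown"):
            self.violations += 1                 # restrict/shutdown count + log
        if self.violation == "shutdown":
            self.shutdown = True                 # shutdown also disables port
        return False                             # all three modes drop it


class Switch:
    def __init__(self, table_size, security=None):
        self.table_size, self.table = table_size, {}   # MAC -> port
        self.security = security or {}                 # port -> PortSecurity

    def forward(self, src, dst, in_port):
        """Learn `src` on in_port; return the egress port, 'ALL' or 'DROP'."""
        ps = self.security.get(in_port)
        if ps is not None and not ps.admit(src):
            return "DROP"
        if src not in self.table and len(self.table) < self.table_size:
            self.table[src] = in_port
        return self.table.get(dst, "ALL")      # unknown dst: flood like a hub


def demo(with_port_security, flood_frames=100):
    """Rogue host on Fa0/5 floods bogus source MACs, then two honest hosts
    appear. Reports whether host A -> host B is still switched to one port."""
    sec = {"Fa0/5": PortSecurity(1, "shutdown")} if with_port_security else None
    sw = Switch(table_size=8, security=sec)
    for i in range(flood_frames):
        sw.forward(f"DE-AD-BE-EF-{i >> 8:02X}-{i & 0xFF:02X}", "FF-FF-FF-FF-FF-FF", "Fa0/5")
    a, b = "00-AA-00-00-00-01", "00-AA-00-00-00-02"
    sw.forward(a, b, "Fa0/1")                    # A talks first, B unknown yet
    sw.forward(b, a, "Fa0/2")                    # B answers
    return {
        "a_to_b": sw.forward(a, b, "Fa0/1"),    # 'Fa0/2' if B could be learned
        "table_entries": len(sw.table),
        "port5_shutdown": bool(sec and sec["Fa0/5"].shutdown),
        "violations": sec["Fa0/5"].violations if sec else 0,
    }


if __name__ == "__main__":
    print("no port security:", demo(False))
    print("port security:   ", demo(True))
```

Without port security the 100 bogus addresses fill the table, the honest hosts can never be learned and their traffic is flooded out of every port; with maximum 1 and violation shutdown the second bogus address err-disables Fa0/5 and the honest hosts are switched normally.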

RADIUS Functionality
Authentication: uses EAP
Authorizations: uses RADIUS authorization functionality
Auditing: uses RADIUS auditing functionality

} Open networks can be legally accessed by anyone
◦ Found in public places like cafés, coffee shops, universities, etc.
} Private networks do not allow access unless specifically authorized
} Secured networks have security protocols enabled
◦ Users are authenticated and wireless traffic is encrypted

} Origin of WEP
◦ Original core security standard 802.11, created in 1997
} Uses a Shared Key
◦ Each station using the access point uses the same (shared) key
◦ The key is supposed to be secret, so knowing it “authenticates” the user
◦ All encryption uses this key



} Problem with Shared Keys
◦ If the shared key is learned, an attacker near an
access point can read all traffic
◦ Shared keys should be changed frequently
– WEP had no way to do automatic rekeying
– Manual rekeying is expensive if there are many
users
– Manual rekeying is operationally next to
impossible if many or all stations use the same
shared key, because of the work involved in
rekeying many or all corporate clients



} Problem with Shared Keys
◦ Because “everybody knows” the key, employees
often give it out to strangers
◦ If a dangerous employee is fired, the necessary
rekeying may be impossible or close to it



} RC4 Initialization Vectors (IV)
◦ WEP uses RC4 for fast and therefore cheap encryption
◦ If two frames encrypted with the same RC4 key are
compared, the attacker can learn the key
◦ To solve this, WEP encrypts with a per-frame key, which
is the shared WEP key plus an initialization vector (IV)
◦ However, many frames “leak” a few bits of the key
◦ With high traffic, an attacker using readily available
software can crack a shared key in two or three minutes
◦ (WPA uses RC4 but with a 48-bit IV that makes key bit
leakage negligible)



} Conclusion
◦ Corporations should never use WEP for security



} WPA
◦ WPA extends the security of RC4 primarily by
increasing the IV from 24 bits to 48 bits
◦ This extension vastly reduces leakage and so
makes RC4 much harder to crack

} WPA2 (802.11i)
◦ 802.11 Working Group completed the 802.11i
standard (WPA2) in 2002
◦ Uses stronger security methods



Cryptographic Characteristic: WEP / WPA / 802.11i (WPA2)
Cipher for Confidentiality: WEP: RC4 with a flawed implementation; WPA: RC4 with 48-bit initialization vector (IV); 802.11i (WPA2): AES with 128-bit keys
Automatic Rekeying: WEP: None; WPA: Temporal Key Integrity Protocol (TKIP), which has been partially cracked; 802.11i (WPA2): AES-CCMP Mode
Overall Cryptographic Strength: WEP: Negligible; WPA: Weaker, but no complete crack to date; 802.11i (WPA2): Extremely strong



Cryptographic Characteristic: WEP / WPA / 802.11i (WPA2)
Operates in 802.1X (Enterprise) Mode? WEP: No; WPA: Yes; 802.11i (WPA2): Yes
Operates in Pre-Shared Key (Personal) Mode? WEP: No; WPA: Yes; 802.11i (WPA2): Yes

} Spread Spectrum Operation and Security
◦ Signal is spread over a wide range of frequencies
◦ NOT done for security, as in military spread
spectrum transmission



} Turning Off SSID Broadcasting
◦ Service set identifier (SSID) is an identifier for an
access point
◦ Users must know the SSID to use the access point
◦ Drive-by hacker needs to know the SSID to break in
◦ Access points frequently broadcast their SSIDs



} Turning off SSID Broadcasting
◦ Some writers favor turning off this broadcasting
◦ Turning off SSID broadcasting can make access more difficult for ordinary users
◦ Will not deter the attacker because he or she can read the SSID
– Transmitted in the clear in each transmitted frame



} MAC Access Control Lists
◦ Access points can be configured with MAC access control lists
◦ Only permit access by stations with NICs having MAC addresses on the list
◦ However, MAC addresses are sent in the clear in frames, so attackers can learn them
◦ Attacker can then spoof one of these addresses



} Perspective
◦ These “false” methods, however, may be sufficient
to keep out nosy neighbors
◦ Drive-by hackers hit even residential users
◦ Simply applying WPA or 802.11i provides much
stronger security and is easier to do



} What is a DoS attack?
◦ An attempt to make a server or network unavailable to legitimate users by flooding it with attack packets
} What is NOT a DoS attack?
◦ Faulty coding that causes a system to fail
◦ Referrals from large websites that overwhelm smaller websites



} Ultimate goal of DoS attacks is to cause harm
◦ Harm includes: losses related to online sales, industry reputation, employee productivity, customer loyalty, etc.
} The two primary means of causing harm via DoS attacks include:
1. Stopping critical services
2. Slowly degrading services



} Direct DoS Attack
◦ An attacker tries to flood a victim with a stream of packets directly from the attacker’s computer
} Indirect DoS Attack
◦ The attacker’s IP address is spoofed (i.e., faked) and the attack appears to come from another computer



} Three-way handshaking: each party must initialise communication and get approval from the other party before any segments are transferred.
} A client application program wants to make a connection with the server application program:
Step 1 (SYN): the client host sends a TCP SYN segment to the server
• set S=1
• specifies initial seq #
• no data
Step 2 (SYN+ACK): the server host receives the SYN and replies with a SYN+ACK segment
• set S=1; ack = client seq + 1
• server allocates buffers
• specifies server initial seq. #
• no data
Step 3 (ACK): the client receives the SYN+ACK and replies with an ACK segment
• S=0; ack = server seq + 1
• client allocates buffers
• may contain data

When a segment is lost (or never sent!)..
RTO: Retransmission timeout (see Forouzan, pp. 769-770)
} Bots
◦ Updatable attack programs
◦ Botmaster can update the software to change the type of attack the bot can perform
– May sell or lease the botnet to other criminals
◦ Botmaster can update the bot to fix bugs
} Botmaster can control bots via a handler
◦ Handlers are an additional layer of compromised hosts who are used to manage large groups of bots

} Types of packets sent:

} Peer-to-peer (P2P) redirect DoS attack
◦ Uses many hosts to overwhelm a victim using
normal P2P traffic
◦ Attacker doesn’t have to control the hosts, just
redirect their legitimate P2P traffic

} Reflected DoS attack
◦ Responses from legitimate services flood a victim
◦ The attacker sends spoofed requests to existing
legitimate servers (Step 1)
◦ Servers then send all responses to the victim (Step 2)
◦ There is no redirection of traffic

} Smurf Flood
◦ The attacker sends a spoofed ICMP echo request to
an incorrectly configured network device (router)
◦ Broadcasting enabled to all internal hosts
◦ The network device forwards the echo request to all
internal hosts (multiplier effect)

} Black holing
◦ Drop all IP packets from an attacker
◦ Not a good long-term strategy because attackers
can quickly change source IP addresses
◦ An attacker may knowingly try to get a trusted
corporate partner black holed



} Validating the handshake
◦ Whenever a SYN segment arrives, the firewall itself
sends back a SYN/ACK segment, without passing the
SYN segment on to the target server (false opening)
◦ When the firewall gets a legitimate ACK back, the
firewall sends the original SYN segment on to the
intended server

} Rate limiting
◦ Used to reduce a certain type of traffic to a
reasonable amount
◦ Can frustrate attackers and legitimate users
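The "validating the handshake" defence ties back to the three-way handshake slide: the server's queue of half-open connections is what a SYN flood fills, and a firewall that completes the handshake itself keeps that queue empty. The simulation below is an added example, not the slides' or any product's code; the addresses, sequence numbers, the backlog size of 5 and the cookie secret are constructed, and the HMAC-based SYN/ACK sequence number (a SYN-cookie style trick) is an assumption about how a stateless firewall would do it.

```python
"""Handshake validation (SYN proxy) at a firewall versus a SYN flood.

Added example, not from the slides. Addresses, sequence numbers, the
server's backlog size and the cookie secret are constructed.
"""
import hashlib
import hmac


class Server:
    """TCP listener with a bounded queue of half-open (SYN received) entries."""

    def __init__(self, backlog):
        self.backlog, self.half_open, self.established = backlog, {}, set()

    def receive(self, seg):
        if seg["flags"] == "SYN":
            if len(self.half_open) >= self.backlog:
                return None                      # queue full: flood succeeded
            self.half_open[seg["src"]] = seg["seq"]
            return {"flags": "SYN+ACK", "seq": 7000, "ack": seg["seq"] + 1}
        if seg["flags"] == "ACK" and seg["src"] in self.half_open:
            del self.half_open[seg["src"]]
            self.established.add(seg["src"])
        return None


class SynProxy:
    """Firewall that answers every SYN itself ("false opening") and forwards
    the SYN to the server only after a correct ACK comes back. The SYN/ACK
    sequence number is an HMAC cookie, so the flood costs no state here."""

    def __init__(self, server, secret=b"constructed-secret"):
        self.server, self.secret = server, secret

    def cookie(self, client, client_seq):
        msg = f"{client}|{client_seq}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def receive(self, seg):
        client = seg["src"]
        if seg["flags"] == "SYN":
            return {"flags": "SYN+ACK", "seq": self.cookie(client, seg["seq"]),
                    "ack": seg["seq"] + 1}
        if seg["flags"] == "ACK":
            client_seq = seg["seq"] - 1          # client's ISN was one less
            if seg["ack"] == self.cookie(client, client_seq) + 1:
                self.server.receive({"src": client, "flags": "SYN", "seq": client_seq})
                self.server.receive({"src": client, "flags": "ACK", "seq": seg["seq"]})
        return None


def run(with_proxy, flood=50, backlog=5):
    """Spoofed SYNs (never ACKed) hit the front end, then one honest client
    tries a full handshake. Reports whether it got through."""
    server = Server(backlog)
    front = SynProxy(server) if with_proxy else server
    for i in range(flood):                       # spoofed sources never answer
        front.receive({"src": f"198.51.100.{i}", "flags": "SYN", "seq": 1000 + i})
    client = "203.0.113.9"
    synack = front.receive({"src": client, "flags": "SYN", "seq": 42})
    if synack is not None:
        front.receive({"src": client, "flags": "ACK", "seq": 43, "ack": synack["seq"] + 1})
    return {"established": client in server.established,
            "server_half_open": len(server.half_open)}
```

Against the server directly, five spoofed SYNs exhaust the backlog and the honest client's SYN is dropped; behind the proxy the server never sees a spoofed SYN and the honest client connects.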
