640-554 braindumps

Network Security

• Types of Attacks• Attacks on the OSI & TCP/IP Model• Attack Methods• Prevention• Switch Vulnerabilities and Hacking• Cisco Routers• Interesting links

Objectives

https://www.pass4sureexam.com/640-554.html



Trish Miller

• Physical Access Attacks– Wiretapping– Server Hacking– Vandalism

• Dialog Attacks– Eavesdropping– Impersonation– Message

Alteration

Types of Attacks




Trish Miller

• Social Engineering– Opening

Attachments– Password Theft– Information Theft

Types of Attacks (Cont.)

• Penetration Attacks– Scanning (Probing)– Break-in– Denial of Service– Malware

• Viruses• Worms




Risk Analysis of the Attack

• What is the cost if the attack succeeds?• What is the probability of occurrence?• What is the severity of the threat?• What is the countermeasure cost?• What is the value to protect the system• Determine if the countermeasure should be

implemented.• Finally determine its priority.

OSI & TCP/IP Related Attacks




• Session– Password theft– Unauthorized

Access with Root permission

• Transport & Network:– Forged TCP/IP

addresses– DoS Attacks

OSI Model Related Attacks

• Application layer:– Attacks on web– Attacks are

typically virus• Presentation:

– Cracking of encrypted transmissions by short encryption key

• Data Link & Physical– Network Sniffers– Wire Taps– Trojan Horses– Malicious code

OSI Model Related Attacks




Attacks Related to TCP Packet

• Port Number

– Applications are identified by their Port numbers

– Well-known ports (0-1023)

• HTTP=80, Telnet=23, FTP=21 for supervision, 20 for data transfer, SMTP=25

– Allows applications to be accessed by the root user

• IP address spoofing

– Change the source IP address

– To conceal identity of the attacker

– To have the victim think the packet comes from a trusted host

– LAND attack



• Port Number

– Registered ports (1024-49152) for any application

– Not all operating systems uses these port ranges, although all use well-known ports

Attack Methods




• Host Scanning• Network Scanning• Port Scanning• Fingerprinting

Attack Methods

• Host Scanning– Ping range of IP addresses or use

alternative scanning messages– Identifies victims– Types of Host scanning

• Ping Scanning• TCP SYN/ACK attacks

Attack Methods (Cont.)

• Network Scanning– Discovery of the network infrastructure

(switches, routers, subnets, etc.)

– Tracert and applications similar identifies all routers along the route to a destination host


• Port Scanning– Once a host is identified, scan all ports to find

out if it is a server and what type it is– Two types:

• Server Port Scanning– TCP– UDP

• Client Port Scanning– NetBIOS– Ports 135 – 139 used for NetBIOS ports used for file

and print services.– GRC.com a free website that scan your pc for open

ports.


• Fingerprinting– Discovers the host operating system and

applications as well as the version• Active (sends)• Passive (listen)

– Nmap does all major scanning methods


• Denial-of-Service (DoS) Attacks– Attacks on availability

– SYN flooding attacks overload a host or network with connection attempts

– Stopping DoS attacks is very hard.


• The Break-In

– Password guessing

– Take advantage of unpatched vulnerabilities

– Session hijacking


• Download rootkit via TFTP

• Delete audit log files

• Create backdoor account or Trojan backdoor programs

After the Compromise

• Weaken security

• Access to steal information, do damage

• Install malicious software (RAT, DoS zombie, spam relay, etc.)

After the Compromise (Cont.)

Prevention




Preventions

• Stealth Scanning• Access Control• Firewalls• Proxy Servers

• IPsec• Security Policies• DMZ• Host Security

• Noisiness of Attacks• Exposure of the Attacker’s IP Address• Reduce the rate of Attack below the IDS

Threshold• Scan Selective Ports

Stealth Scanning

• The goal of access control is to prevent attackers from gaining access, and stops them if they do.

• The best way to accomplish this is by: – Determine who needs access to the resources

located on the server.– Decide the access permissions for each resource. – Implement specific access control policies for each

resource. – Record mission critical resources.– Harden the server against attacks.– Disable invalid accounts and establish policies

Access Control

Firewalls

• Firewalls are designed to protect you from outside attempts to access your computer, either for the purpose of eavesdropping on your activities, stealing data, sabotage, or using your machine as a means to launch an attack on a third party.

Firewalls (Cont.)

• Hardware– Provides a strong degree of protection from the outside world.– Can be effective with little or no setup– Can protect multiple systems

• Software– Better suite to protect against Trojans and worms.– Allows you to configure the ports you wish to monitor. It gives

you more fine control.– Protects a single system.

Firewalls

• Can Prevent– Discovery

• Network • Traceroute

– Penetration• Synflood • Garbage • UDP Ping• TCP Ping• Ping of Death

Proxy

• A proxy server is a buffer between your network and the outside world.

• Use an anonymous Proxy to prevent attacks.




IPSec

• Provides various security services for traffic at the IP layer

• These security services include– Authentication – Integrity– Confidentiality




IPsec overview - how IPsec helpsProblem How IPsec

helpsDetails

Unauthorized system access

Authentication, tamperproofing

Defense in depth by isolating trusted from untrusted systems

Targeted attacks of high-value servers

Authentication, tamperproofing

Locking down servers with IPsec. Examples: HR servers, Outlook® Web Access (OWA), DC replication

Eavesdropping Authentication, confidentiality

Defense in depth against password or information gathering by untrusted systems

Government guideline compliance

Authentication, confidentiality

Example: “All communications between financial servers must be encrypted.”

DMZ Image




• Hardening Servers• Cisco IOS• Upgrades and Patches• Unnecessary Services• Network Monitoring tools

Host Security

Switch Vulnerabilities and Hacking




• Used to locate IP address, version, and model.

• Mass amounts of packets being sent can fake a crash

• Used to troubleshoot network, but should be disabled.

CDP Protocol

• Give users data by poisoning ARP cache of end node.

• MAC address used to determine destination. Device driver does not check.

• User can forge ARP datagram for man in the middle attack.

ARP Poisoning

• SNMP manages the network.• Authentication is weak. Public and

Private community keys are clear text.• Uses UDP protocol which is prone to

spoofing.• Enable SNMPv3 without backwards

compatibility.

SNMP

• Standard STP takes 30-45 seconds to deal with a failure or Root bridge change.

• Purpose: Spanning Tree Attack reviews the traffic on the backbone.

Spanning Tree Attacks

Trish Miller

• Only devices affected by the failure notice the change

• The attacker can create DoS condition on the network by sending BPDUs from the attacker.

Spanning Tree Attacks

• STEP 1: MAC flood the access switch• STEP 2: Advertise as a priority zero

bridge.

Spanning Tree Attacks (Cont.)


• STEP 3: The attacker becomes the Root bridge!– Spanning Tree recalculates.– The backbone from the original network is

now the backbone from the attacking host to the other switches on the network.


• Disabling STP can introduce another attack.

• BPDU Guard– Disables ports using portfast upon

detection of a BPDU message on the port.

– Enabled on any ports running portfast

STP Attack Prevention

• Root Guard– Prevents any ports that can become the

root bridge due to their BPDU

STP Attack Prevention

• Cisco Content Switching Modules• Cisco Content Switching Module with

SSL

CSM and CSM-S




• Cisco Secure Desktop– 3 major vulnerabilities

• Maintains information after an Internet browsing session. This occurs after an SSL VPN session ends.

• Evades the system via the system policies preventing logoff, this will allow a VPN connection to be activated.

• Allow local users to elevate their privileges.

CDM

Trish Miller

• Prevention– Cisco has software to address the

vulnerabilities.– There are workarounds available to mitigate

the effects of some of these vulnerabilities.

Cisco Routers




• Two potential issues with Cisco Routers– Problems with certain IOS software– SNMP

Cisco Routers




• Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4– Problem with the software – Confidential information can be leaked out – Software updates on the CISCO site can fix

this problem

• Virtual Private Networks

Virtual connection 1

Virtual Connection 2

Trish Miller

• Virtual Private Networks

Information leak

ErrorConnection

• Cisco uBR10012 series devices automatically enable SNMP read/write access

• Since there are no access restrictions on this community string , attackers can exploit this to gain complete control of the device




CISCO Router

AttackingComputer

By sending an SNMP set request with a spoofed source IP address the attacker will be able to get the Victim router to send him its configuration file.

CISCO Router

AttackingComputer

With this information, the remote computer will be able to have complete control over this router

• Fixes- Software updates available on the CICSO site that will fix the Read/Write problem




Links• http://sectools.org/tools2.html• http://insecure.org/sploits/l0phtcrack.lanman.problems.html• http://www.testbells.com/• http://www.examcollectionvce.com/• http://www.hidemyass.com/

http://sectools.org/tools2.html

http://insecure.org/sploits/l0phtcrack.lanman.problems.html

http://www.testbells.com/

http://www.examcollectionvce.com/

http://www.hidemyass.com/

References• http://www.bmighty.com/network/showArticle.jhtml;jsessionid=2YYDWJHHX3

FL2QSNDLPSKHSCJUNN2JVN?articleID=202401432&pgno=2

• http://www.juniper.net/security/auto/vulnerabilities/vuln19998.html

• http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf

• http://www.askapache.com/security/hacking-vlan-switched-networks.html

• http://marc.info/?l=bugtraq&m=116300682804339&w=2

• http://www.secureroot.com/security/advisories/9809702147.html

http://www.bmighty.com/network/showArticle.jhtml;jsessionid=2YYDWJHHX3FL2QSNDLPSKHSCJUNN2JVN?articleID=202401432&pgno=2

http://www.bmighty.com/network/showArticle.jhtml;jsessionid=2YYDWJHHX3FL2QSNDLPSKHSCJUNN2JVN?articleID=202401432&pgno=2

http://www.juniper.net/security/auto/vulnerabilities/vuln19998.html

http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf

http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf

http://www.askapache.com/security/hacking-vlan-switched-networks.html

http://marc.info/?l=bugtraq&m=116300682804339&w=2

http://www.secureroot.com/security/advisories/9809702147.html

640-554 braindumps

Documents