cybersecurity cyberlab2

Network Security Slides by Raymond Borges

Upload: rayborg

Post on 18-Nov-2014

Category: Technology

DESCRIPTION

Intro to computer hacker and attacks and network security.

TRANSCRIPT

Page 1: Cybersecurity cyberlab2

Network Security
Slides by Raymond Borges

Page 2: Cybersecurity cyberlab2

Outline

• In the NEWS (LOIC) DDoS attacks
• Passive Network Attacks
• Active Network Attacks
• Designing a “Secure” Network
• Web 2.0
• Summary

Page 3: Cybersecurity cyberlab2

IN THE NEWS

Page 4: Cybersecurity cyberlab2

Low Orbit Ion Cannon (LOIC)

• Primary tool being used by the script kiddies
• Low Orbit Ion Cannon (LOIC) is a web application performance tool
• Denial of Service/testing tool
• DoS operation using HTTP/TCP/UDP requests
• DDoS by voluntarily joining the “Hive Mind” botnet

Page 5: Cybersecurity cyberlab2

How does LOIC work?

    While IsFlooding is True {
        1. Create/Connect a TCP socket to the web server
        2. Send a standard GET request to the server
        3. Read the first 64 bytes returned
        4. Sleep for the configured Delay
    }

Page 6: Cybersecurity cyberlab2

Low Orbit Ion Cannon Hive

Page 7: Cybersecurity cyberlab2

Low Orbit Ion Cannon New

Page 8: Cybersecurity cyberlab2

Hive Mind

• The automatic mode, or Hive Mind, is an option to voluntarily join a botnet

• In this mode, all parameters of the attack are set up remotely via IRC, including the target

• IRC is a network protocol designed to provide real-time group chat, often (mis)used to control botnets

Page 9: Cybersecurity cyberlab2

LOIC trail

• If an anonymization network (TOR) is not used, a traceable IP address record can be logged by the recipient
• Logs kept by the ISP are used to identify users
• Many users have been arrested for using LOIC
• LOIC is not anonymous

Page 10: Cybersecurity cyberlab2

LOIC/ Wireshark Demo

1. Turn on VMware WinXP machine
2. Turn on Wireshark
3. Turn on LOIC
4. Start packet capture in Wireshark
5. Start LOIC

Page 11: Cybersecurity cyberlab2

LOIC Mitigation

• Attack vector as old as the HTTP protocol
• Best approach is a good rule-based firewall that allows rules on connection limits per IP per second

Legitimate uses for this tool:
• Performance baselines
• Measuring server performance
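The per-IP connection-limit rule recommended above, as an added example that is not part of the original slides: it buckets new connections per source IP per second over a constructed sample of SYN events (the kind of list a Wireshark filter would produce), flags any source above the limit, and emits the equivalent iptables hashlimit rule. The sample addresses and the limit of 20 are assumptions.

```python
# Added example, not from the slides: flag source IPs that open more new TCP
# connections per second than a limit, which is the per-IP connection-limit
# rule the slide recommends against LOIC-style HTTP floods.
from collections import defaultdict

# Constructed sample: (timestamp in seconds, source IP) for each new TCP
# connection to the web server, as Wireshark would list under the filter
# "tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==80".
SAMPLE_SYNS = (
    [(100.0 + i * 0.02, "203.0.113.7") for i in range(40)]    # 40 SYN in 1 s
    + [(100.1, "198.51.100.20"), (100.9, "198.51.100.20")]    # normal browsing
    + [(101.0 + i * 0.05, "203.0.113.7") for i in range(15)]  # flood slows down
    + [(101.3, "192.0.2.44")]
)

def syns_per_second(events):
    """Bucket connection attempts into {src_ip: {whole_second: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src in events:
        counts[src][int(ts)] += 1
    return counts

def flag_flooders(events, limit):
    """Return sorted (src_ip, second, count) for each 1-second bucket above limit."""
    hits = []
    for src, buckets in syns_per_second(events).items():
        for sec, n in buckets.items():
            if n > limit:
                hits.append((src, sec, n))
    return sorted(hits)

def hashlimit_rule(limit, port=80):
    """iptables rule that enforces the same per-source-IP limit (hashlimit module)."""
    return (f"iptables -A INPUT -p tcp --dport {port} --syn -m hashlimit "
            f"--hashlimit-above {limit}/sec --hashlimit-mode srcip "
            f"--hashlimit-name http-syn -j DROP")

if __name__ == "__main__":
    for src, sec, n in flag_flooders(SAMPLE_SYNS, limit=20):
        print(f"{src}: {n} new connections in second {sec} (limit 20)")
    print(hashlimit_rule(20))
```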

Page 12: Cybersecurity cyberlab2

PASSIVE NETWORK ATTACKS

Page 13: Cybersecurity cyberlab2

FTP Password Attack Setup

1. Install a virtual machine or connect to the network
2. Install Internet Information Services (IIS) on Windows and File Transfer Protocol (FTP)
3. Set up FTP with a password
4. Run Wireshark while attempting FTP

Page 14: Cybersecurity cyberlab2

FTP Password Attack

1. Run Wireshark on the LAN in promiscuous mode
2. Wait till someone connects to the host with FTP

Page 15: Cybersecurity cyberlab2

Passive online attack

0. http://www.httprecipes.com/1/2/forms.php
1. Run Wireshark
2. Filter http
3. Find the POST method
4. Follow TCP stream
5. You have the username and password in the clear if the server isn’t using HTTPS (SSL) or other encryption
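An audit check for the exposure shown on pages 13 to 15, as an added example that is not part of the original slides: it takes captured TCP streams (constructed here to look like Wireshark “Follow TCP Stream” output), reports an FTP USER/PASS login or an HTTP form POST that carried a password in the clear, and shows that a TLS stream yields nothing. Passwords are redacted in the finding so the output locates services that still need TLS or SFTP; the stream contents, field names and user names are constructed.

```python
# Added example, not from the slides: an audit check over captured TCP streams
# that reports when a login crosses the wire in the clear, for both cases the
# slides walk through (FTP USER/PASS on port 21, an HTTP form POST on port 80).
# Secrets are redacted in the finding: the goal is to locate services that still
# need TLS or SFTP, not to collect passwords.
import re
from urllib.parse import parse_qs

# Constructed sample streams shaped like Wireshark "Follow TCP Stream" output.
FTP_STREAM = (21, "220 Microsoft FTP Service\r\nUSER alice\r\n331 Password required\r\n"
                  "PASS hunter2\r\n230 User logged in.\r\n")
HTTP_STREAM = (80, "POST /1/2/forms.php HTTP/1.1\r\nHost: www.httprecipes.com\r\n"
                   "Content-Type: application/x-www-form-urlencoded\r\n"
                   "Content-Length: 26\r\n\r\nuid=alice&pwd=s3cret&act=1")
HTTPS_STREAM = (443, "\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03")  # TLS bytes, opaque

SECRET_FIELDS = ("pwd", "pass", "password", "passwd")
USER_FIELDS = ("uid", "user", "username")

def cleartext_logins(port, payload):
    """Return findings as (protocol, username, redacted_secret) tuples."""
    findings = []
    if port == 21:
        user = re.search(r"^USER (\S+)", payload, re.M)
        pw = re.search(r"^PASS (\S+)", payload, re.M)
        if user and pw:
            findings.append(("FTP", user.group(1), "*" * len(pw.group(1))))
    elif port == 80 and payload.startswith("POST ") and "\r\n\r\n" in payload:
        form = parse_qs(payload.split("\r\n\r\n", 1)[1])
        secret = next((f for f in SECRET_FIELDS if f in form), None)
        if secret:
            user = next((form[f][0] for f in USER_FIELDS if f in form), "?")
            findings.append(("HTTP-form", user, "*" * len(form[secret][0])))
    # Port 443 carries TLS: the application data is encrypted, nothing to flag.
    return findings

def audit(streams):
    """Run the check over every (port, payload) stream and collect findings."""
    return [f for port, data in streams for f in cleartext_logins(port, data)]

if __name__ == "__main__":
    for proto, user, redacted in audit([FTP_STREAM, HTTP_STREAM, HTTPS_STREAM]):
        print(f"cleartext {proto} login for {user!r}, password {redacted}")
```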

Page 16: Cybersecurity cyberlab2

ACTIVE NETWORK ATTACKS

Page 17: Cybersecurity cyberlab2

Replay and Man-in-the-middle

• When passwords can’t be caught in plaintext:
• Man-in-the-middle, e.g. ARP poisoning
• Replay attack
• Session hijacking

Page 18: Cybersecurity cyberlab2

Cain and Abel (ARP poisoning)

1. Install Cain and Abel
2. Connect to a network
3. Select the sniffer tab
4. Start the sniffer and select the network interface
5. Select hosts on the bottom and press then OK
6. Select the bottom APR tab and click the top window
7. Press and select the target IP, then hit OK
8. Hit then select the passwords tab (http)
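A detector for the ARP poisoning that the Cain and Abel walkthrough performs, as an added example that is not part of the original slides: it remembers the first MAC seen for each IP and alerts when an IP (typically the gateway) is later claimed by a different MAC, or when one MAC claims several IPs at once. The reply sequence, IPs and MACs are constructed.

```python
# Added example, not from the slides: a detector for the ARP poisoning that the
# Cain & Abel walkthrough performs. It keeps the first MAC seen for each IP and
# alerts when an IP (typically the gateway) is later claimed by a different MAC,
# or when one MAC claims several IPs at once. Input is (ip, mac) pairs, e.g.
# exported from Wireshark with the "arp.opcode == 2" filter.
from collections import defaultdict

# Constructed ARP reply sequence (sender IP, sender MAC) on one LAN segment.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),  # real gateway
    ("192.168.1.10", "00:11:22:33:44:0a"),  # victim workstation
    ("192.168.1.50", "00:11:22:33:44:99"),  # attacker host announces itself
    ("192.168.1.1",  "00:11:22:33:44:99"),  # attacker now claims the gateway IP
    ("192.168.1.10", "00:11:22:33:44:99"),  # and the victim IP: full MITM
]

class ArpWatch:
    """Track first-seen IP->MAC bindings and flag later contradictions."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, ip, mac):
        """Process one ARP reply; return alert strings (empty if consistent)."""
        alerts = []
        known = self.ip_to_mac.setdefault(ip, mac)   # keep the first binding
        if known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # A router legitimately owns several IPs; tune or whitelist as needed.
            alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")
        return alerts

def scan(replies):
    """Feed a reply sequence through one watcher and collect all alerts."""
    watch = ArpWatch()
    return [a for ip, mac in replies for a in watch.observe(ip, mac)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_ARP_REPLIES):
        print("ARP alert:", alert)
```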

Page 19: Cybersecurity cyberlab2

NETWORK INFRASTRUCTURE

Page 20: Cybersecurity cyberlab2

Policy

• Network security
• Company goals lead to security policy
• Network infrastructure design policy
• Network design meets requirements

Page 21: Cybersecurity cyberlab2

POLICY

So how do we go from here to here?

Page 22: Cybersecurity cyberlab2

Data Classification

• Policy develops from information flow
• Who can access what?

Common classifications:
• Public
• Secret
• Confidential
• Group based

Page 23: Cybersecurity cyberlab2

User Classifications

• Serves the same purpose as data classification
• Who can access what?

Common classifications:
• Outsiders
• Employees
• Executives
• Owners

Page 24: Cybersecurity cyberlab2

Access Control Matrix (ACM)

Page 25: Cybersecurity cyberlab2

Network Organization

• Network infrastructure design using ACM
• Layered security measures
• Separation of information
• Fairly standard corporate network

Page 26: Cybersecurity cyberlab2

Network Organization

Diagram: Public or External Network, Public network firewall, Demilitarized Zone (DMZ), Internal network firewall, Internal Network

Page 27: Cybersecurity cyberlab2

Firewalls

Firewalls filter based on:
• IP addresses, destination
• Ports

Filtering firewalls are based on:
• Packet headers
• Source addresses

Proxy or application level firewalls are based on message content:
• Virus scanner
• Key terms?

Page 28: Cybersecurity cyberlab2

Firewall Operation

Page 29: Cybersecurity cyberlab2

Outer Firewall

Can be used to:
1. Restrict outside access to the internal network
2. Restrict internal access to the Internet while allowing access to the DMZ based on Access Control Lists (ACLs)
3. ACLs bind source address/port and destination address/ports to access rights

Page 30: Cybersecurity cyberlab2

Outer Firewall

• The public needs Web server and mail server access, no other services

• The firewall interface allows connections to WWW services (HTTP and HTTPS) and electronic mail (SMTP)

• The Internet sees the addresses of the Web and mail servers as equal to that of the firewall (NAT)

Page 31: Cybersecurity cyberlab2

Internal Firewall

• Sensitive data resides in the internal network

• Block all traffic except authorized traffic (fail-safe defaults principle)

• Information comes only from the DMZ, never directly from the Internet
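The outer and inner firewall rules of pages 29 to 31 as an ACL evaluator, an added example that is not part of the original slides: a first-match packet filter with fail-safe defaults (no matching rule means deny), loaded with an outer ACL that lets the public reach only HTTP/HTTPS on the web server and SMTP on the mail server, and an inner ACL that admits traffic into the internal network only from the DMZ. All address ranges are constructed, and the filter judges connection-initiating packets only, assuming the firewall’s state table admits the replies.

```python
# Added example, not from the slides: a first-match packet filter with fail-safe
# defaults (no matching rule means deny), loaded with ACLs that follow the
# outer/inner firewall rules on these slides. Every address range below is
# constructed; the ACL evaluates connection-initiating packets only and assumes
# the firewall's state table admits the replies.
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src dst dport action")   # dport None = any port
Packet = namedtuple("Packet", "src dst dport")

INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")            # constructed DMZ range
INTERNAL = ipaddress.ip_network("10.0.0.0/8")         # constructed internal range
WEB = ipaddress.ip_network("192.0.2.10/32")           # DMZ web server
MAIL = ipaddress.ip_network("192.0.2.25/32")          # DMZ mail server

# Outer firewall: the public reaches only HTTP/HTTPS on the web server and
# SMTP on the mail server; internal hosts reach the DMZ but not the Internet.
OUTER_ACL = [
    Rule(INTERNET, WEB, 80, "allow"),
    Rule(INTERNET, WEB, 443, "allow"),
    Rule(INTERNET, MAIL, 25, "allow"),
    Rule(INTERNAL, DMZ, None, "allow"),
]
# Inner firewall: traffic into the internal network comes only from the DMZ.
INNER_ACL = [
    Rule(INTERNAL, DMZ, None, "allow"),
    Rule(MAIL, INTERNAL, 25, "allow"),   # DMZ mail server relays mail inward
]

def evaluate(acl, pkt):
    """Return the action of the first matching rule, or 'deny' if none match."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if src in rule.src and dst in rule.dst and rule.dport in (None, pkt.dport):
            return rule.action
    return "deny"

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.9", "192.0.2.10", 443),   # public -> web: allow
                Packet("198.51.100.9", "192.0.2.10", 22),    # public -> web SSH: deny
                Packet("198.51.100.9", "10.1.2.3", 80),      # public -> internal: deny
                Packet("10.1.2.3", "198.51.100.9", 80)):     # internal -> Internet: deny
        print(f"outer {pkt.src} -> {pkt.dst}:{pkt.dport}: {evaluate(OUTER_ACL, pkt)}")
```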

Page 32: Cybersecurity cyberlab2

Ports/Services

20-21   FTP
22      SSH/SCP
23      Telnet
25      SMTP
53      DNS
67-68   DHCP/BOOTP
80      HTTP
443     HTTP over SSL
465     SMTP over SSL

Page 33: Cybersecurity cyberlab2

Proxies

Proxies - hosts that relay data
• Hide identity and protect privacy
• Can be used as firewalls

The Onion Routing network (TOR)
• Proxy network made of volunteer hosts

Page 34: Cybersecurity cyberlab2

DMZ and Servers

Demilitarized Zone or DMZ - area outside the internal firewall, with some ports unblocked for inbound Internet access to servers

Servers – hosts which serve webpages or store and process electronic mail for users

The Web server and mail server are contained in the DMZ

Page 35: Cybersecurity cyberlab2

Domain Name System (DNS) Server

Knows directory name service information for:
• DMZ mail, Web, and log hosts
• Internal trusted administrative host
• Outer firewall
• Inner firewall

Page 36: Cybersecurity cyberlab2

DMZ Log Server

• All other servers log messages by writing them to a local file and then to the log server
• The log server also writes them to a file and then to write-once media
• Confined to the DMZ
• Does not initiate transfers to the inner network

Page 37: Cybersecurity cyberlab2

Internal Network

• Subnets may have firewalls and servers, and may filter traffic as the inner firewall does
• Subnets may share servers
• Arrangement follows information flow constraints
• Firewalls impose confinement at interfaces

Page 38: Cybersecurity cyberlab2

Firewall Attacks

Attackers have 3 methods of firewall entry:
• Web server ports (HTTP): the port proxy checks for invalid or illegal HTTP requests and rejects them
• SMTP port: the mail proxy will detect and reject such attempts
• Bypass the low-level firewall checks by exploiting firewall vulnerabilities

Page 39: Cybersecurity cyberlab2

Defense Practices

• Economy of mechanism (simple mechanisms): making hosts or devices do only their job
• Separation of privilege (divided jobs): more than one host does a certain job
• Defense in depth (layered security defense): multiple defenses to bypass

Page 40: Cybersecurity cyberlab2

Internet Attacks

Distributed Denial of Service (DDoS), SYN flood:
• Consumes bandwidth
• Consumes memory resources

Remedies:
• TCP intercept mode
• Synkill software

Page 41: Cybersecurity cyberlab2

Attacks

Focus on what we are most concerned about:
• Successful attacks
• Failed attacks in areas where attacks ought not to be launched, e.g. the DMZ

Put efforts into where we can obtain useful results

Page 42: Cybersecurity cyberlab2

Summary

• Security requirements shape the network infrastructure
• Security goals lead to security policy, which leads to network form
• Internal firewall limits traffic to public servers
• Outer firewall blocks external traffic from reaching the internal network
• Public servers only provide one service
• Application level firewalls check contents

Page 43: Cybersecurity cyberlab2

RECENT RESEARCH

Page 44: Cybersecurity cyberlab2

Quantification of Attackers Activities on Servers running Web 2.0 Applications

• Attackers use search-based strategies (Google)

• The easiest ways to attack servers dominate

• Password cracking attacks on SSH

Page 45: Cybersecurity cyberlab2

Quantification of Attackers Activities on Servers running Web 2.0 Applications

• Blog user accounts and vulnerability scans

• Spam attacks dominate Web 2.0 applications such as Blogs and Wikis

• Less activity uses known vulnerabilities

Page 46: Cybersecurity cyberlab2

Possible Questions

1. Why is privilege separation so important?
2. What is normally closed security?
3. What security model do you think Facebook uses?
4. How can DNS be used to censor websites?
5. Is there another means of reaching a website other than by URL?
6. What makes the internet impossible to bring down completely? (Discussion erupts…)

Page 47: Cybersecurity cyberlab2

References

• Introduction to Computer Security, Matt Bishop
• Attacks by “Anonymous” WikiLeaks Proponents not Anonymous, Pras et al., Design and Analysis of Communication Systems Group, University of Twente, Enschede, The Netherlands
• Quantification of Attackers Activities on Servers running Web 2.0 Applications, Katerina Goseva-Popstojanova, Risto Pantev, Ana Dimitrijevikj, and Brandon Miller, Lane Department of CS and EE, WVU
• https://github.com/NewEraCracker/LOIC
• http://wasntnate.com/2012/01/analysis-of-low-orbit-ion-cannon-loic-web-stress-tool/
• http://www.youtube.com/watch?v=F6_9i-aGAa0&feature=related

Page 48: Cybersecurity cyberlab2

Questions?