lesson 4 network security and attacks
![Page 1: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/1.jpg)
Lesson 4: Network Security and Attacks
![Page 2: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/2.jpg)
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
• Prevention: Access Controls, Encryption, Firewalls
• Detection + Response: Intrusion Detection, Incident Handling
![Page 3: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/3.jpg)
Security Operational Model
• Intrusion detection
• Firewalls
• Encryption
• Authentication
• Security Design Review
• Security Integration Services
• 24 Hr Monitoring Services
• Remote Firewall Monitoring
• Vulnerability Assessment Services
• Vulnerability Scanners
The model is a continuous cycle: Evaluate, Secure, Monitor, Improve.
![Page 4: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/4.jpg)
Protocols
• A protocol is an agreed-upon format for exchanging information.
• A protocol will define a number of parameters:
– Type of error checking
– Data compression method
– Mechanisms to signal reception of a transmission
• There are a number of protocols that have been established in the networking world.
![Page 5: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/5.jpg)
OSI Reference Model
• ISO standard describing 7 layers of protocols
– Application: program-level communication
– Presentation: data conversion functions, data format, data encryption
– Session: coordinates communication between endpoints; session state maintained for security
– Transport: end-to-end transmission, controls data flow
– Network: routes data from one system to the next
– Data Link: handles passing of data between nodes
– Physical: manages the transmission media/hardware connections
• You only have to communicate with the layer directly above and below.
![Page 6: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/6.jpg)
The OSI Model
[Figure: the seven layers stacked from Application (top) through Presentation, Session, Transport, Network and Data-Link to Physical (bottom). The Physical layer is implemented by hardware; the layers above it are implemented by software such as an operating system.]
Each layer serves only its adjacent layers. Thus the software which implements the Transport Layer receives input from the Session Layer or the Network Layer.
![Page 7: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/7.jpg)
TCP/IP Protocol Suite
• TCP/IP refers to two network protocols used on the Internet:
– Transmission Control Protocol (TCP)
– Internet Protocol (IP)
• TCP and IP are only two of a large group of protocols that make up the entire “suite”.
• A “real-world” application of the layered concept.
• There is not a one-to-one relationship between the layers in the TCP/IP suite and the OSI Model.
![Page 8: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/8.jpg)
OSI and TCP/IP comparison
OSI Model layer → TCP/IP Protocol Suite
• Application / Presentation: NFS, FTP, Telnet, SSH, SMTP, SMB, HTTP, NNTP (application-level protocols)
• Session: RPC
• Transport: TCP, UDP (network-level protocols)
• Network: IP, ICMP, ARP
• Data-link / Physical: Physical
![Page 9: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/9.jpg)
Communication Between Two Networks Via the Protocol Stack
[Figure: a Windows machine on an Ethernet sends an email to a Linux machine on an FDDI network. Each layer on the sending side prepends a header (H) to the data; the packet is transmitted via the network media (Ethernet, then FDDI); each layer on the receiving side strips its header.]
1. The Windows machine adds headers as the packet traverses down the TCP/IP stack from the sending application.
2. The Linux machine removes headers as the packet traverses up the TCP/IP stack to the receiving application.
![Page 10: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/10.jpg)
TCP/IP Protocol Suite
[Figure: user processes sit above TCP and UDP; TCP and UDP run over IP, alongside ICMP and IGMP; IP runs over the hardware interface, alongside ARP and RARP; the hardware interface drives the media.]
![Page 11: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/11.jpg)
TCP/IP Encapsulation
[Figure: an email passes down the stack, each layer adding its own header.]
1. Application layer: user data (the email).
2. Application: application header + user data.
3. Transport layer (TCP or UDP): TCP header + application header + user data.
4. Network layer (IP): IP header + TCP header + application header + user data.
5. Data link layer (Ethernet driver): Ethernet header + IP header + TCP header + application header + user data + Ethernet trailer.
![Page 12: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/12.jpg)
IPv4 Header Layout
Each row is 4 bytes (32 bits); the fixed header is 20 bytes (160 bits), followed by options and data. Field boundaries fall at bits 0, 4, 8, 16, 19 and 32.
| Version (4) | Header Length (4) | Type of Service (8) | Total Length (16) |
| Identification (16) | Flags (3) | Fragment Offset (13) |
| Time to Live (8) | Protocol (8) | Header Checksum (16) |
| Source IP Address (32) |
| Destination IP Address (32) |
| Options |
| Data |
![Page 14: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/14.jpg)
TCP Header Layout
Each row is 4 bytes (32 bits); the fixed header is 20 bytes (160 bits), followed by options/padding and data. Field boundaries fall at bits 0, 4, 8, 16 and 32.
| Source Port (16) | Destination Port (16) |
| Sequence Number (32) |
| Acknowledgement Number (32) |
| Data Offset (4) | Unused (6) | Flags: URG ACK PSH RST SYN FIN (6) | Window (16) |
| Checksum (16) | Urgent Pointer (16) |
| Options | Padding |
| Data |
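The encapsulation and header layouts above, as an added example that is not part of the lecture slides: it builds an Ethernet/IPv4/TCP frame layer by layer with the struct module, computes the IPv4 and TCP checksums, then strips the headers again the way a receiving stack does. The addresses, MACs and ports are constructed sample values.

```python
import socket
import struct

# TCP flag bits, least significant first (the slide lists them URG ... FIN)
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIHHHH"      # 20-byte TCP header without options


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); verifying yields 0 when valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Transport layer: TCP header + data; the checksum also covers the IP pseudo-header."""
    hdr = struct.pack(TCP_FMT, sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, 6, len(hdr) + len(payload))
    csum = inet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ipv4(src_ip, dst_ip, payload, proto=6, ttl=64):
    """Network layer: IPv4 header (version 4, IHL 5, DF set) + payload."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = inet_checksum(struct.pack(IP_FMT, *fields))  # fill in header checksum
    return struct.pack(IP_FMT, *fields) + payload


def build_ethernet(src_mac, dst_mac, payload, ethertype=0x0800):
    """Data link layer: 14-byte Ethernet header (the FCS trailer is omitted here)."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Strip the headers layer by layer, as the receiving stack does."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, ip[:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "ethertype": ethertype,
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl, "proto": proto,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if off_flags & (1 << i)],
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
        "payload": tcp[(off_flags >> 12) * 4:],
    }


def example_syn_frame() -> bytes:
    """Constructed sample: packet one from the Ports slide, a SYN from port 1033 to port 80."""
    tcp = build_tcp("192.0.2.10", "198.51.100.7", 1033, 80, seq=1000, ack=0, flags=0x02)
    ip = build_ipv4("192.0.2.10", "198.51.100.7", tcp)
    return build_ethernet("001122334455", "66778899aabb", ip)
```

Corrupting any header byte makes the corresponding checksum check fail, which is how a receiver discards damaged frames before the data reaches the application.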
![Page 16: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/16.jpg)
Establishment of a TCP connection (“3-way Handshake”)
1. Client → Server: SYN. Client sends connection request, specifying a port to connect to on the server.
2. Server → Client: SYN/ACK. Server responds with both an acknowledgement and a queue for the connection.
3. Client → Server: ACK. Client returns an acknowledgement and the circuit is opened.
![Page 17: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/17.jpg)
Ports
Packet One: Source Port 1033, Destination Port 80, Data
Packet Two: Source Port 80, Destination Port 1033, Data
![Page 18: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/18.jpg)
UDP Header Layout
Each row is 4 bytes (32 bits); the header is 8 bytes (64 bits), followed by data.
| Source Port (16) | Destination Port (16) |
| Length (16) | Checksum (16) |
| Data |
![Page 19: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/19.jpg)
[Figure: “IP Centric Network” diagram mapping protocols to OSI layers. Layer 6/7 Applications: Telnet, FTP, SNMP, SMTP, NFS, DNS, TFTP, NTP. Layer 4 Transport: TCP, UDP. Layer 3 Network: IP, with ICMP, IGMP and the routing protocols RIP and BGP (IGP/EGP); IPX and AppleTalk shown alongside. Layers 2 & 1 Data Link & Physical: Ethernet, IEEE 802.3/802.4/802.5/802.6, X.25, Frame Relay, SMDS, SLIP, PPP, ATM, Arcnet. Business sectors shown above the stack: retail, banking, B2B, medical, wholesale.]
![Page 20: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/20.jpg)
“Twenty-six years after the Defense Department created the INTERNET as a means of maintaining vital communications needs in the event of nuclear war, that system has instead become the weak link in the nation's defense.” USA Today, 5 Jun 1996

“True hackers don't give up. They explore every possible way into a network, not just the well known ones.” The hacker Jericho.

“By failing to prepare, you are preparing to fail.” Benjamin Franklin
![Page 21: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/21.jpg)
Typical Net-based Attacks -- Web
• “Popular” and receive a great deal of media attention.
• Attempt to exploit vulnerabilities in order to:
– Access sensitive data (e.g. credit card #’s)
– Deface the web page
– Disrupt, delay, or crash the server
– Redirect users to a different site
![Page 22: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/22.jpg)
Typical Net-based attacks -- Sniffing
• Essentially eavesdropping on the network
• Takes advantage of the shared nature of the transmission media.
• Passive in nature (i.e. just listening, not broadcasting)
• The increased use of switching has made sniffing more difficult (less productive) but has not eliminated it (e.g. DNS poisoning can convince target hosts to send traffic intended for other systems to the sniffing host instead).
![Page 23: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/23.jpg)
Defeating Sniffer Attacks
• Detecting and eliminating sniffers
– Possible on a single box if you have control of the system
– Difficult (depending on OS) to impossible (if somebody splices the network and adds hardware) from the network perspective
• Safer topologies
– Sniffers capture data from the network segment they are attached to, so create segments
• Encryption
– If you sniff encrypted packets, who cares? (outside of traffic analysis, of course)
![Page 24: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/24.jpg)
Typical Net-Based Attacks – Spoofing, Hijacking, Replay
• Spoofing attacks involve the attacker pretending to be someone else.
• Hijacking involves the assumption of another system's role in a “conversation” already taking place.
• Replay occurs when the attacker retransmits a series of packets previously sent to a target host.
![Page 25: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/25.jpg)
Typical Net-Based Attacks – Denial of Service
• DoS and Distributed DoS (DDoS) attacks have received much attention in the media in the last year due to some high-profile attacks. Types:
– Flooding – sending more data than the target can process
– Crashing – sending data, often malformed, designed to disable the system or service
– Distributed – using multiple hosts in a coordinated attack effort against a target system.
![Page 26: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/26.jpg)
A Distributed DoS in Action
[Figure: Registration Phase. The client (hacker) controls master hosts running master control programs; broadcast hosts running broadcast agents announce themselves to the masters (“Hello”) across the Internet, and the masters verify registration with ping/pong exchanges.]
![Page 27: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/27.jpg)
The Attack Phase
[Figure: the client (hacker) signals the broadcast agents, which launch UDP flood attacks across the Internet against the attack target.]
![Page 28: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/28.jpg)
How CODE RED Works
- The first infected system sends 100 system probes, scanning to find new victims.
- Each new victim scans the same “random” address space.
- Each new victim starts the scanning process over again.
- From the 20th to the end of the month, the primary target is www.whitehouse.gov.
![Page 32: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/32.jpg)
How NIMDA Works
- The first infected system becomes the attacking system; the victim fetches Admin.dll via tftp from the attacking system (it contains the NIMDA payload).
- The infected system sends infected email attachments.
- NIMDA attaches to web pages on the infected server.
- The infected system scans the network for vulnerable IIS web servers.
- NIMDA propagates via open file shares.
- NIMDA prefers to target its neighbors.
- Very rapid propagation.
![Page 36: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/36.jpg)
Common Attacks
• IP Spoofing
• Session Hijacking
• WWW Cracking
• DNS Cache Poisoning
![Page 37: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/37.jpg)
The TCP connection (“3-way Handshake”)
1. Client → Server: SYN. Client sends connection request, specifying a port to connect to on the server.
2. Server → Client: SYN/ACK. Server responds with both an acknowledgement and a queue for the connection.
3. Client → Server: ACK. Client returns an acknowledgement and the circuit is opened.
![Page 38: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/38.jpg)
The TCP Connection in Depth
1. Client → Server: SYN (Client, ISNclient)
2. Server → Client: SYN (Server, ISNserver), ACK (Client, ISNclient+1)
3. Client → Server: ACK (Server, ISNserver+1)
ISN -- Initial Sequence Number
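The handshake above as a small state machine, added here as an example and not taken from the lecture: each endpoint picks its own ISN, and a segment is only accepted when its acknowledgement number equals that endpoint's ISN + 1, which is why the reset and spoofing slides that follow hinge on knowing ISNserver. The `Endpoint` and `Segment` names are this example's own.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to the fields the handshake needs."""
    src: str
    dst: str
    flags: frozenset   # subset of {"SYN", "ACK"}
    seq: int
    ack: int = 0


def random_isn() -> int:
    """Unpredictable 32-bit ISN; a guessable ISN is what the spoofing slide relies on."""
    return secrets.randbits(32)


class Endpoint:
    def __init__(self, name: str, isn=None):
        self.name = name
        self.isn = random_isn() if isn is None else isn
        self.peer_isn = None
        self.state = "CLOSED"

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer: str) -> Segment:
        """Step 1: SYN (Client, ISNclient)."""
        self.state = "SYN_SENT"
        return Segment(self.name, peer, frozenset({"SYN"}), self.isn)

    def receive(self, seg: Segment):
        """Handle one segment; return the reply or None. Wrong ack numbers are dropped."""
        if seg.dst != self.name:
            return None
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: SYN (Server, ISNserver), ACK (Client, ISNclient+1)
            self.peer_isn, self.state = seg.seq, "SYN_RCVD"
            return Segment(self.name, seg.src, frozenset({"SYN", "ACK"}), self.isn, seg.seq + 1)
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"} and seg.ack == self.isn + 1:
            # Step 3: ACK (Server, ISNserver+1); the circuit is open on the client side
            self.peer_isn, self.state = seg.seq, "ESTABLISHED"
            return Segment(self.name, seg.src, frozenset({"ACK"}), self.isn + 1, seg.seq + 1)
        if (self.state == "SYN_RCVD" and seg.flags == {"ACK"}
                and seg.ack == self.isn + 1 and seg.seq == self.peer_isn + 1):
            self.state = "ESTABLISHED"   # only a peer that saw ISNserver gets here
        return None


def handshake(client: Endpoint, server: Endpoint) -> tuple:
    """Run the three segments and return both end states."""
    syn = client.connect(server.name)
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return client.state, server.state


def wrong_ack_is_dropped() -> bool:
    """A final ACK that does not carry ISNserver+1 leaves the server in SYN_RCVD."""
    server = Endpoint("server", isn=5000)     # constructed, fixed ISN for the check
    server.listen()
    server.receive(Segment("student", "server", frozenset({"SYN"}), 100))
    server.receive(Segment("student", "server", frozenset({"ACK"}), 101, ack=4242))
    still_waiting = server.state == "SYN_RCVD"
    server.receive(Segment("student", "server", frozenset({"ACK"}), 101, ack=5001))
    return still_waiting and server.state == "ESTABLISHED"
```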
![Page 39: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/39.jpg)
The TCP Reset
[Figure: the student sends SYN (Student, ISNstudent); the server answers SYN (Server, ISNserver), ACK (Student, ISNstudent+1); the evil hacker then injects a RESET into the connection.]
![Page 40: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/40.jpg)
IP Address Spoofing
[Figure: the evil hacker sends SYN (Student, ISNstudent) using the student's address; the server answers SYN (Server, ISNserver), ACK (Student, ISNstudent+1) to the student, so the hacker must guess the server ISN to send ACK (Server, ISNserver+1). The real student is kept quiet by a DoS (ping of death).]
![Page 41: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/41.jpg)
IP Address Spoofing (continued)
[Figure: the same SYN, SYN/ACK, ACK exchange, with the student taken out by a DoS so it cannot respond to the server's SYN/ACK.]
![Page 42: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/42.jpg)
Session Hijacking
[Figure: a TCP connection is established between the student and the server; the evil hacker sends a TCP RESET to the student and tells the server “Hey, I am the Student”.]
![Page 43: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/43.jpg)
SMB
• Server Message Block (SMB) -- an application layer protocol that allows system resources to be shared across networks
• An old technology developed by MS and Intel
• Several versions of authentication over the network:
– Plaintext: easy to sniff
– LanMan: stronger than plaintext, uses a password hash
– NTLM: password hash plus ciphertext
![Page 44: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/44.jpg)
SMB Relay Man-in-the-Middle Attack
[Figure: the evil hacker sits between client and server and relays each message.]
Client → Evil hacker → Server: Session Request
Server → Evil hacker → Client: Name OK
Client → Evil hacker: Dialect; Evil hacker → Server: Dialect w/o NT4 security
Server → Evil hacker → Client: Dialect Selection, Challenge
Client → Evil hacker → Server: Reply
Server → Evil hacker → Client: Session OK
Attacker forces weaker LANMAN authentication!
![Page 45: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/45.jpg)
Windows Authentication: LANMAN vs NTLMv2
1. Client → Server: Session Request
2. Server → Client: Session Response -- NETBIOS name OK
3. Client → Server: Negotiate Dialect
4. Server → Client: Challenge, Dialect Selection
5. Client → Server: Username and Response
6. Server → Client: All OK -- Connected
![Page 46: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/46.jpg)
WEB CRACKING
[Figure: student, server and evil hacker; the two slides carry no further text.]
![Page 48: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/48.jpg)
SSL in Action
1. Client → Server: ClientHello
2. Server → Client: ServerHello
3. Server → Client: ServerKeyExchange
4. Server → Client: ServerHelloDone
5. Client → Server: ClientKeyExchange
6. Client → Server: ChangeCipherSpec
7. Client → Server: Finished
8. Server → Client: ChangeCipherSpec
9. Server → Client: Finished
![Page 50: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/50.jpg)
SSL WEB CRACKING
[Figure: student, server and evil hacker; the slide carries no further text.]
![Page 51: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/51.jpg)
DNS Cache Poisoning
Ref: Check Point Diagram of the Hack (Check Point Security Software)
![Page 52: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/52.jpg)
DNS Cache Poisoning - Step 1
[Figure: Dr. Evil (with Evil DNS), the GOOD DNS, the Rich Student, and the Bank (with Bank DNS).]
A query “Where is Evil?” reaches the GOOD DNS and is forwarded to the Evil DNS; Dr. Evil stores the query ID.
![Page 53: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/53.jpg)
DNS Cache Poisoning - Step 2
The Rich Student asks the GOOD DNS “Where is Bank?”; the GOOD DNS asks the Bank DNS “Are you Bank?”. Dr. Evil uses the stored query ID to predict the next query ID and answers “I am Bank” first.
![Page 54: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/54.jpg)
DNS Cache Poisoning - Step 3
The Rich Student asks “Where is Bank?” and the GOOD DNS, now holding the poisoned entry, answers “Dr. Evil is Bank”.
![Page 55: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/55.jpg)
DNS Cache Poisoning - Step 4
The Rich Student connects to Dr. Evil instead of the Bank: “Can I Bank With You?”
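The four steps above as a resolver model, added here as an example and not part of the lecture: the resolver accepts a reply only when its transaction ID, source port and question match a query it actually sent, and the scenario is replayed against a resolver with sequential IDs on a fixed port (the weakness the slides exploit) and against one with random IDs and random source ports (the usual mitigation). `Resolver`, `SequentialIds`, `RandomIds` and the `.example` names are constructed for this example.

```python
import secrets
from itertools import count


class SequentialIds:
    """Predictable transaction IDs: each one is the previous one plus one."""
    def __init__(self, start=1):
        self._counter = count(start)

    def next_id(self) -> int:
        return next(self._counter) & 0xFFFF


class RandomIds:
    """Unpredictable 16-bit transaction IDs."""
    def next_id(self) -> int:
        return secrets.randbits(16)


class Resolver:
    """Caching resolver that only accepts replies matching an outstanding query."""
    def __init__(self, ids, random_port=True):
        self.ids = ids
        self.random_port = random_port
        self.pending = {}   # (txid, source port) -> question name
        self.cache = {}
        self.dropped = 0

    def send_query(self, qname: str):
        """Record the query; return the (ID, port) an on-path observer would see."""
        txid = self.ids.next_id()
        port = 1024 + secrets.randbelow(64512) if self.random_port else 53
        self.pending[(txid, port)] = qname
        return txid, port

    def receive_reply(self, txid: int, port: int, qname: str, answer: str) -> bool:
        """Cache the answer only if ID, port and question all match a query we sent."""
        if self.pending.get((txid, port)) != qname:
            self.dropped += 1          # unsolicited or mismatched: ignore it
            return False
        del self.pending[(txid, port)]
        self.cache[qname] = answer
        return True


def forged_reply_accepted(resolver: Resolver) -> bool:
    """Replay the slides' scenario: Step 1 leaks a query ID via a lookup of the
    attacker's own name; Step 2 answers the bank lookup with the next ID on the
    well-known port before the real reply arrives. True means the cache was poisoned."""
    observed_id, _ = resolver.send_query("evil.example")    # Step 1: ID is observed
    resolver.send_query("bank.example")                      # Step 2: the query to poison
    predicted_id = (observed_id + 1) & 0xFFFF
    return resolver.receive_reply(predicted_id, 53, "bank.example", "192.0.2.66")


def compare_resolvers() -> tuple:
    """(weak resolver poisoned?, hardened resolver poisoned?)"""
    weak = Resolver(SequentialIds(), random_port=False)
    hardened = Resolver(RandomIds(), random_port=True)
    return forged_reply_accepted(weak), forged_reply_accepted(hardened)
```

Randomising only the ID leaves 16 bits to guess; adding a random source port is what makes a blind guess impractical, which is why the hardened resolver here does both.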
![Page 56: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/56.jpg)
Recent Attacks
• Conficker
• Stuxnet
• Flame
What makes each one unique... a real threat?
![Page 57: Lesson 4 Network Security and Attacks](https://reader036.vdocuments.mx/reader036/viewer/2022062422/56813248550346895d98bca4/html5/thumbnails/57.jpg)
Summary
• The threat is real
• Hard to detect
• A little understanding and situational awareness can go a long way toward preventing... and detecting