
Implementing Secure Converged Wide Area Networks (ISCW)



  1. Implementing Secure Converged Wide Area Networks (ISCW)

  2. Thinking Like a Hacker – Lesson 1 – Module 5 – ‘Cisco Device Hardening’

  3. Module Introduction (1)
  • The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data and that the data does not end up being accessed by the wrong people.
  • Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
  • Unauthorised network access can also harm relationships with customers and business partners, who may question the ability of companies to protect their confidential information, and can lead to potentially damaging and expensive legal actions.

  4. Module Introduction (2)
  • "If you know yourself but not your enemy, for every victory gained you will also suffer a defeat." Sun Tzu – The Art of War
  • Before learning how to defend against attack, you need to know how a potential attacker operates. The theme of the first few lessons in this module is therefore “know thine enemy”.
  • This module will help you to understand how hackers operate and what attack strategies they can employ. Once you know the nature of the threat, you will be better able to implement the full set of security features contained in Cisco IOS software to provide security for your network.

  5. Module Introduction (3)
  • The module describes the best practices for securing router administrative access using mechanisms such as:
    • password security features,
    • failed login attempt handling, and
    • role-based command-line interface (CLI).
  • You will learn how to:
    • mitigate attacks using access lists;
    • design and implement a secure management system, including secure protocols such as Secure Shell (SSH), Simple Network Management Protocol version 3 (SNMPv3), and authenticated Network Time Protocol (NTP).
  • Also discussed are the most ubiquitous authentication, authorisation, and accounting (AAA) protocols, RADIUS and TACACS+, and the differences between them.

  6. Objectives
  • At the completion of this first lesson, you will be able to:
    • Describe the steps taken by a potential network hacker to gain unauthorised access
    • Explain the detailed information that a hacker is looking to learn, and how this may be used to compromise network security
    • Describe the basic steps that need to be taken to mitigate network attacks

  7. Seven Steps to Hacking a Network
  • Seven steps for compromising targets and applications:
    • Step 1 — Perform footprint analysis (reconnaissance)
    • Step 2 — Detail the information
    • Step 3 — Manipulate users to gain access
    • Step 4 — Escalate privileges
    • Step 5 — Gather additional passwords and secrets
    • Step 6 — Install back doors
    • Step 7 — Leverage the compromised system

  8. Hacking a Network
  • The goal of any hacker is to compromise the intended target or application
  • Hackers begin with little or no information about the intended target, but by the end of their analysis they will have accessed the network and will have begun to compromise their target
  • Their approach is always careful and methodical—never rushed and never reckless
  • The seven-step process outlined in the previous slide is a good representation of the method that hackers use, and a starting point for an analysis of how to defeat it

  9. Footprint Analysis (Reconnaissance)
  • Web pages, phone books, company brochures, subsidiaries, etc.
  • Knowledge of acquisitions
  • nslookup command to reconcile domain names against IP addresses of the company’s servers and devices
  • Port scanning to find open ports and operating systems installed on hosts
  • traceroute command to help build topology
  • WHOIS queries

  10. How to Defeat Footprinting
  • Keep all sensitive data off-line (business plans, formulas, and proprietary documents)
  • Minimise the amount of information on your public website
  • Examine your own website for insecurities
  • Run a ping sweep on your network
  • Familiarise yourself with one or more of the five Regional Internet Registries – such as ARIN for North America – to determine network blocks

  11. Detail the Information
  • Find your server applications and versions:
    • What are your web, FTP, and mail server versions?
  • Listen to TCP and UDP ports and send random data to each
  • Cross-reference information to vulnerability databases to look for potential exploits
  • Exploit selected TCP ports, for example:
    • Windows NT, 2000, and XP file sharing using the SMB protocol, which uses TCP port 445.
    • In Windows NT, SMB runs on top of NetBT using ports 137 and 138 (UDP) and 139 (TCP).

  12. Software Tools
  • Hackers can use some of the tools listed here. All of these tools are readily available to download, and security staff should know how these tools work.
  • Netcat: Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol.
  • Microsoft EPDump and Remote Procedure Call (RPC) Dump: These tools provide information about Microsoft RPC services on a server:
    • The Microsoft EPDump application shows what is running and waiting on dynamically assigned ports.
    • The RPC Dump (rpcdump.exe) application is a command-line tool that queries RPC endpoints for status and other information on RPC.
  • GetMAC: This application provides a quick way to find the MAC (Ethernet) layer address and binding order for a computer running Microsoft Windows 2000, locally or across a network.
  • Software development kits (SDKs): SDKs provide hackers with the basic tools that they need to learn more about systems.

  13. Manipulate Users to Gain Access
  • Social engineering is a way to manipulate people inside the network to provide the information needed to access the network. A computer is not required!
  • Social engineering by telephone
  • Dumpster diving
  • Reverse social engineering
  • Recommended reading: “The Art of Deception: Controlling the Human Element of Security”, Mitnick, KD and Simon, WL; Wiley; New Ed edition (17 Oct 2003)
  • There is a great deal of anecdotal evidence that this is one of the most successful techniques…

  14. Password Cracking
  • Hackers use many tools and techniques to crack passwords:
    • Word lists
    • Brute force
    • Hybrids
    • The yellow Post-It stuck on the side of the monitor, or in the top desk drawer…
  • Password cracking attacks any application or service that accepts user authentication, including those listed here:
    • NetBIOS over TCP (TCP 139)
    • Direct host (TCP 445)
    • FTP (TCP 21)
    • Telnet (TCP 23)
    • SNMP (UDP 161)
    • PPTP (TCP 1723)
    • Terminal services (TCP 3389)

  15. Escalate Privileges
  • After securing a password for a user account and user-level privileges to a host, hackers attempt to escalate their privileges.
  • The hacker will review all the information he or she can see on the host:
    • Files containing user names and passwords
    • Registry keys containing application or user passwords
    • Any available documentation (for example, e-mail)
  • If the host cannot be seen by the hacker, the hacker may launch a Trojan application such as W32/QAZ to provide that visibility.

  16. Gather Additional Passwords and Secrets
  • Hackers target:
    • The local Security Accounts Manager database
    • The Active Directory of a domain controller
  • Hackers can use legitimate tools, including the pwdump and lsadump applications.
  • Hackers gain administrative access to all computers by cross-referencing user name and password combinations

  17. Install Back Doors and Port Redirectors
  • Back doors:
    • Back doors provide:
      • A way back into the system if the front door is locked
      • A way into the system that is not likely to be detected
    • Back doors may use reverse trafficking:
      • Example: Code Red
  • Port redirectors:
    • Port redirectors can help bypass port filters, routers, and firewalls and may even be encrypted over an SSL tunnel to evade intrusion detection devices.

  18. Leverage the Compromised System
  • Back doors and port redirectors let hackers attack other systems in the network
  • Reverse trafficking lets hackers bypass security mechanisms
  • Trojans let hackers execute commands undetected
  • Scanning and exploiting the network can be automated
  • The hacker remains behind the cover of a valid administrator account
  • The whole seven-step process is repeated as the hacker continues to penetrate the network

  19. Best Practices to Defeat Hackers
  • Keep patches up to date
  • Shut down unnecessary services and ports
  • Use strong passwords and change them often
  • Control physical access to systems
  • Curtail unexpected and unnecessary input
  • Perform system backups and test them on a regular basis
  • Warn everybody about social engineering
  • Encrypt and password-protect sensitive data
  • Use appropriate security hardware and software
  • Develop a written security policy for the company

  20. Implementing Secure Converged Wide Area Networks (ISCW)

  21. Mitigating Network Attacks – Lesson 2 – Module 5 – ‘Cisco Device Hardening’

  22. Module Introduction
  • The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data and that the data does not end up being accessed by the wrong people.
  • Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
  • Unauthorised network access can also harm relationships with customers and business partners, who may question the ability of companies to protect their confidential information, and can lead to potentially damaging and expensive legal actions.

  23. Objectives
  • At the completion of this second lesson, you will be able to:
    • Describe some of the more common network attacks, and explain what effect they have on the network
    • Explain how to mitigate the effects of these common attacks

  24. Reconnaissance
  • Reconnaissance is the unauthorised discovery and mapping of systems, services, or vulnerabilities.
  • Reconnaissance is also known as information gathering and, in most cases, precedes an access or Denial of Service (DoS) attack.
  • The malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive and then determines which services or ports are active on the live IP addresses.
  • The intruder then queries the ports to determine the type and version of the application and operating system that is running on the target host.
  • Reconnaissance attacks can consist of the following:
    • Packet sniffers
    • Port scans
    • Ping sweeps
    • Internet information queries

  25. Attacks Based on Minimal Intelligence
  • Attacks that require little intelligence about the target network:
    • Reconnaissance
    • Access attacks
    • DoS and Distributed DoS (DDoS)

  26. Attacks Based on Intelligence or Insider Information
  • Attacks that typically require more intelligence or insider access:
    • Worms, viruses, and Trojan horses
    • Application layer attacks
    • Threats to management protocols

  27. Packet Sniffing
  • A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN
  • Packet sniffers can only work in the same collision domain as the network being attacked
  • Promiscuous mode is a mode in which the network adapter card sends all packets that are received on the physical network wire to an application for processing
  • Some network applications distribute network packets in plaintext. Because the network packets are not encrypted, they can be processed and understood by any application that can pick them off the network and process them
  • Because the specifications for network protocols such as TCP/IP are widely published, a third party can easily interpret the network packets and develop a packet sniffer. Numerous freeware and shareware packet sniffers are available that do not require the user to understand anything about the underlying protocols

  28. Packet Sniffers
  • A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets.
  • Packet sniffers:
    • Exploit information passed in plaintext. Protocols that pass information in plaintext are Telnet, FTP, SNMP, POP, and HTTP.
    • Must be on the same collision domain.
    • Can be used legitimately or can be designed specifically for attack.

  29. Packet Sniffer Mitigation
  • The techniques and tools that can be used to mitigate packet sniffer attacks include:
    • Authentication
      • Using strong authentication is a first option for defence against packet sniffers.
    • Cryptography
      • If a communication channel is cryptographically secure, the only data a packet sniffer detects is ciphertext (a seemingly random string of bits) and not the original message
    • Anti-sniffer tools
      • Anti-sniffer tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate.
    • Switched infrastructure
      • A switched infrastructure obviously does not eliminate the threat of packet sniffers but can greatly reduce the sniffers’ effectiveness.

  30. Port Scans and Ping Sweeps
  • As legitimate tools, port scan and ping sweep applications run a series of tests against hosts and devices to identify vulnerable services
  • The information is gathered by examining IP addressing and port or banner data from both TCP and UDP ports
  • Essentially, a port scan consists of sending a message to each port, one port at a time. The kind of response that the sender receives indicates whether the port is used and can therefore be probed for weakness
  • A ping sweep, or ICMP sweep, is a basic network scanning technique that determines which range of IP addresses map to live hosts

  31. Port Scans and Ping Sweeps
  • Port scans and ping sweeps attempt to identify:
    • All services
    • All hosts and devices
    • The operating systems
    • Vulnerabilities

  32. Port Scan and Ping Sweep Mitigation
  • Port scanning and ping sweeping are not crimes, and there is no way to stop these scans and sweeps when a computer is connected to the Internet
  • There are, however, ways to prevent damage to the system
  • Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers
    • When these services are turned off, network diagnostic data is lost
  • Network-based IPS and host-based IPS (HIPS) can usually notify when a reconnaissance attack is under way
  • ISPs compare incoming traffic to the intrusion detection system (IDS) or IPS signatures in the IPS database.
  • Signatures are characteristics of particular traffic patterns. A signature such as “several packets to different destination ports from the same source address within a short period of time” can be used to detect port scans
  • A stealth scan is more difficult to detect, and many intrusion detection and prevention systems will not notice this scan taking place. Discovering stealth scans requires kernel-level work
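The port-scan signature quoted on this slide, implemented as an added example (not part of the course material): a sliding-window detector run over constructed connection records. The 10-second window and the five-port threshold are assumed tuning values, and the third source in the sample shows why a slow scan slips past a short window.

```python
"""Port-scan signature: several distinct destination ports from one source in a short window.

Added example, not course material. Flags a source that reaches at least MIN_PORTS
distinct destination ports within WINDOW; both values are assumed tuning parameters.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # "short period of time" (assumed)
MIN_PORTS = 5                    # "several" distinct destination ports (assumed)

# Constructed sample records (not real traffic): "<ISO timestamp> <src> <dst> <dport>".
# 203.0.113.5 probes seven ports in three seconds; 198.51.100.7 is ordinary web
# traffic; 192.0.2.77 touches six ports but spread over hours (a slow scan).
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 192.0.2.10 22
2024-01-01T10:00:01 203.0.113.5 192.0.2.10 23
2024-01-01T10:00:01 203.0.113.5 192.0.2.10 25
2024-01-01T10:00:02 203.0.113.5 192.0.2.10 80
2024-01-01T10:00:02 203.0.113.5 192.0.2.10 110
2024-01-01T10:00:03 203.0.113.5 192.0.2.10 139
2024-01-01T10:00:03 203.0.113.5 192.0.2.10 445
2024-01-01T10:00:00 198.51.100.7 192.0.2.10 80
2024-01-01T10:00:30 198.51.100.7 192.0.2.10 80
2024-01-01T10:01:00 198.51.100.7 192.0.2.10 443
2024-01-01T09:00:00 192.0.2.77 192.0.2.10 22
2024-01-01T09:30:00 192.0.2.77 192.0.2.10 25
2024-01-01T10:00:00 192.0.2.77 192.0.2.10 80
2024-01-01T10:30:00 192.0.2.77 192.0.2.10 443
2024-01-01T11:00:00 192.0.2.77 192.0.2.10 445
2024-01-01T11:30:00 192.0.2.77 192.0.2.10 3389
"""


def parse_log(text):
    """Return (timestamp, src, dport) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, int(dport)))
    events.sort(key=lambda e: e[0])
    return events


def detect_port_scans(events, window=WINDOW, min_ports=MIN_PORTS):
    """Return {src: (first_alert_time, ports_in_window)} for every source that
    hit at least `min_ports` distinct destination ports within `window`."""
    recent = defaultdict(deque)   # src -> deque of (ts, dport), oldest first
    alerts = {}
    for ts, src, dport in events:
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:   # expire events that fell out of the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and src not in alerts:
            alerts[src] = (ts, frozenset(ports))
    return alerts


if __name__ == "__main__":
    for src, (when, ports) in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {when.isoformat()} {src}: {len(ports)} distinct ports {sorted(ports)}")
```

Widening the window catches the slow scanner too, at the cost of more false positives from busy legitimate hosts; that trade-off is the "kernel-level work" the slide alludes to for stealth scans.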

  33. Port Scan and Ping Sweep Mitigation
  • Port scans and ping sweeps cannot be prevented without compromising network capabilities.
  • However, damage can be mitigated using intrusion prevention systems at network and host levels.

  34. Internet Information Queries
  • DNS queries can reveal information such as who owns a particular domain and what addresses have been assigned to that domain
  • Ping sweeps of addresses revealed by DNS queries can present a picture of the live hosts in a particular environment
  • After such a list is generated, port scanning tools can cycle through all well-known ports to provide a complete list of all services that are running on the hosts that the ping sweep discovered. Hackers can examine the characteristics of the applications that are running on the hosts, which can lead to specific information that is useful when the hacker attempts to compromise that service
  • IP address queries can reveal information such as who owns a particular IP address or range of addresses and which domain is associated with the addresses

  35. Internet Information Queries – Sample IP Address Query
  • Attackers can use Internet tools such as “WHOIS” as weapons.

  36. Access Attacks and Mitigation
  • Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information in order to:
    • Retrieve data
    • Gain access
    • Escalate their access privileges
  • Access attacks can be performed in a number of different ways:
    • Password attacks
    • Trust exploitation
    • Port redirection
    • Man-in-the-middle attacks
    • Buffer overflow

  37. Password Attacks
  • Hackers implement password attacks using the following:
    • Brute-force attacks
    • Trojan horse programs
    • IP spoofing
    • Packet sniffers

  38. Password Attacks
  • Password attacks can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers.
  • One security risk is the fact that passwords can be stored as plaintext. To overcome this risk, passwords should be encrypted. On most systems, passwords are run through an algorithm that generates a one-way hash.
  • In granting authorisation, the hashes are calculated and compared rather than using the plain password.
  • To use this method, you supply an account and password during the login process, and the algorithm generates a one-way hash. This hash is compared to the hash stored on the system. If they are the same, the system assumes that the proper password was supplied.

  39. Password Attack Example
  • L0phtCrack takes the hashes of passwords and generates the plaintext passwords from them
  • Passwords are compromised using one of two methods:
    • Dictionary cracking
    • Brute-force computation

  40. Password Attack Mitigation
  • Password attack mitigation techniques:
    • Do not allow users to use the same password on multiple systems
    • Disable accounts after a certain number of unsuccessful login attempts
    • Do not use plaintext passwords
    • Use “strong” passwords (for example, “mY8!Rthd8y” rather than “mybirthday”)
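As an added example (not course material), the one-way-hash login check described on slide 38 combined with the lockout and strength rules from slide 40. The PBKDF2 work factor, the five-attempt limit and the three-character-class strength rule are assumed policy values, not ones the course specifies.

```python
"""Salted one-way password hashes with failed-attempt lockout (added example)."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5      # assumed policy: lock after this many consecutive failures
PBKDF2_ITERATIONS = 100_000  # assumed work factor; slows dictionary and brute-force cracking
SALT_BYTES = 16              # per-account random salt defeats precomputed hash tables


def is_strong_password(password: str) -> bool:
    """Assumed policy: at least 8 characters from at least three character classes.
    "mybirthday" fails (lowercase only); "mY8!Rthd8y" passes (all four classes)."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 8 and sum(classes) >= 3


class AccountStore:
    """Keeps only salt + one-way hash per account; the plaintext is never stored."""

    def __init__(self):
        self._accounts = {}  # username -> {"salt", "hash", "failed", "locked"}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def add_user(self, username: str, password: str) -> None:
        if not is_strong_password(password):
            raise ValueError("password does not meet the strength policy")
        salt = os.urandom(SALT_BYTES)
        self._accounts[username] = {
            "salt": salt, "hash": self._hash(password, salt), "failed": 0, "locked": False,
        }

    def is_locked(self, username: str) -> bool:
        return self._accounts[username]["locked"]

    def login(self, username: str, password: str) -> bool:
        """Hash the supplied password and compare it with the stored hash (slide 38)."""
        acct = self._accounts.get(username)
        if acct is None:
            self._hash(password, bytes(SALT_BYTES))  # same cost for unknown users
            return False
        if acct["locked"]:
            return False  # disabled after too many unsuccessful attempts (slide 40)
        if hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            acct["failed"] = 0
            return True
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
        return False
```

A production deployment would add an unlock path (administrator reset or a timed expiry) so that the lockout cannot itself be turned into a denial of service against legitimate users.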

  41. Trust Exploitation
  • Trust exploitation refers to an individual taking advantage of a trust relationship within a network.
  • An example of when trust exploitation takes place is when a perimeter network is connected to a corporate network.
  • These network segments often contain DNS, SMTP, and HTTP servers. Because these servers all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems also trust systems that are attached to the same network.
  • Another example of trust exploitation is a Demilitarised Zone (DMZ) host that has a trust relationship with an inside host that is connected to the inside firewall interface. The inside host trusts the DMZ host. When the DMZ host is compromised, the attacker can leverage that trust relationship to attack the inside host.

  42. Trust Exploitation
  • A hacker leverages existing trust relationships.
  • Several trust models exist:
    • Windows:
      • Domains
      • Active Directory
    • Linux and UNIX:
      • NIS
      • NIS+

  43. Trust Exploitation
  • Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network
  • Systems that are inside a firewall should never absolutely trust systems that are outside a firewall. Absolute trust should be limited to specific protocols and, where possible, should be validated by something other than an IP address
  • In the DMZ example, the hacker connected to the Internet has already exploited some vulnerability of the DMZ host connected to the DMZ interface of the firewall
  • The hacker’s next goal is to compromise the inside host that is connected to the inside (trusted) interface of the firewall
  • To attack the inside host from the DMZ host, the hacker needs to find the protocols that are permitted from the DMZ to the inside interface. Once the protocols are known, the attacker searches for vulnerabilities on the inside host. This attack can be stopped if the firewall allows only minimum or no connectivity from the DMZ to the inside interface

  44. Trust Exploitation Attack Mitigation
  • Trust levels within a network are tightly constrained by ensuring that systems inside a firewall never absolutely trust systems outside the firewall.

  45. Port Redirection
  • A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise have been dropped.
  • Port redirection bypasses the firewall rule sets by changing the normal source port for a type of network traffic.
  • You can mitigate port redirection by using proper trust models that are network-specific. Assuming a system is under attack, an IPS can help detect a hacker and prevent installation of such utilities on a host.

  46. Port Redirection

  47. “Man-in-the-Middle” Attacks
  • Man-in-the-middle attacks have these purposes:
    • Theft of information
    • Hijacking of an ongoing session to gain access to your internal network resources
    • Traffic analysis to obtain information about your network and network users
    • DoS
    • Corruption of transmitted data
    • Introduction of new information into network sessions
  • An example of a man-in-the-middle attack is when someone working for your ISP gains access to all network packets that transfer between your network and any other network
  • Man-in-the-middle attacks can be mitigated by encrypting traffic in a VPN tunnel. Encryption allows the hacker to see only ciphertext

  48. Man-in-the-Middle Attacks and their Mitigation
  • A man-in-the-middle attack requires that the hacker has access to network packets that come across a network
  • A man-in-the-middle attack is implemented using the following:
    • Network packet sniffers
    • Routing and transport protocols
  • Man-in-the-middle attacks can be effectively mitigated only through the use of encryption

  49. DoS and DDoS Attacks and Mitigation
  • A DDoS attack, and the simpler DoS attack, on a server send extremely large numbers of requests over a network or the Internet
  • These many requests cause the target server to run well below optimum speed. Consequently, the attacked server becomes unavailable for legitimate access and use
  • By overloading system resources, DoS and DDoS attacks crash applications and processes by executing exploits or a combination of exploits
  • DoS and DDoS attacks are the most publicised form of attack and are among the most difficult to completely eliminate
  • The hacker community regards DoS attacks as trivial and considers them unsophisticated because the attack requires so little effort to execute

  50. DoS and DDoS Attack Characteristics
  • A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services
  • The distributed DoS technique performs simultaneous attacks from many distributed sources
  • DoS and DDoS attacks have these characteristics:
    • Generally not targeted to gain access or information
    • Require very little effort to execute
    • Difficult to eliminate, but their damage can be minimised
  • DoS and DDoS attacks can use IP spoofing
