1 / 101

I C 3-2: Network security

I C 3-2: Network security. Part 1 - A general overview of network security. Outline. Network Topologies Network Addressing LANs MANs WANs. Ethernet. IEEE 802.3, technology originated from Xerox Corp. Data packaged into frames Network Interface Card (NIC) CSMA/CD Carrier Sense

necia
Download Presentation

I C 3-2: Network security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IC3-2: Network security Part 1 - A general overview of network security

  2. Outline • Network Topologies • Network Addressing • LANs • MANs • WANs

  3. Ethernet • IEEE 802.3, technology originated from Xerox Corp. • Data packaged into frames • Network Interface Card (NIC) • CSMA/CD • Carrier Sense • Multiple Access • Collision Detection

  4. Network Cabling • Cabling • Thick Ethernet – 10BASE-5 • Thin Ethernet – 10BASE-2 • Shielded & Unshielded Twisted Pair (STP, UTP) – 10BASE-T (Cat 3) 100BASE-T (Cat 5) • Fibre Optic – Gigabit Ethernet • Wireless LAN • TCP/IP Layer 1

  5. Cabling in OSI Protocol Stack 7 Application 6 Presentation 5 Session 4 Transport 3 Network 2 DataLink Cabling 1 Physical

  6. Cabling Issues • Physical Environment • Trunking • Network Closets • Risers • Physical Environment - Issues • Single or multi-occupancy • Access Control to floor building • Network passes through public areas • Network infrastructure easily accessible • Network infrastructure shares facilities • Electromagnetic environment

  7. Thin Ethernet • Short overall cable runs. • Vulnerability: information broadcast to all devices. • Threat: Information Leakage, Illegitimate Use • Vulnerability: One cable fault disables network • Threat: Denial of Service • Easy to install & attach additional devices • Vulnerability: Anyone can plug into hub. • Threat: Illegitimate Use. • Rarely seen now. Thin Ethernet

  8. UTP and Hub • Cable between hub and device is a single entity • Only connectors are at the cable ends • Additional devices can only be added at the hub • Disconnection/cable break rarely affects other devices • Easy to install UTP hub 10/100BASE-T

  9. Other Layer 1 options • Fibre Optic • Cable between hub and device is a single entity • Tapping or altering the cable is difficult • Installation is more difficult • Much higher speeds • Wireless LAN • Popular where building restrictions apply. • Several disadvantages • Radio signals are subject to interference, interception, and alteration. • Difficult to restrict to building perimeter. • Security must be built in from initial network design.

  10. Hubs • Data is broadcast to everyone on the hub • Vulnerability: information broadcast to all devices. • Threat: Information Leakage, Illegitimate Use • Vulnerability: Anyone can plug into hub. • Threat: Illegitimate Use. • TCP/IP Layer 1 • Intelligent Hubs • Signal regeneration. • Traffic monitoring. • Can be configured remotely.

  11. Hubs in OSI Protocol Stack 7 Application 6 Presentation 5 Session 4 Transport 3 Network 2 DataLink Cabling, Hubs 1 Physical

  12. Ethernet Addressing • Address of Network Interface Card • Unique 48 bit value • first 24 bits indicate vendor . • For example, 00:E0:81:10:19:FC • 00:E0:81 indicates Tyan Corporation • 10:19:FC indicates 1,055,228th NIC • Media Access Control (MAC) address

  13. IP Addressing • IP address is 32 bits long • Usually expressed as 4 octets separated by dots • 62.49.67.170 • RFC 1918 specifies reserved addresses for use on private networks. • 10.0.0.0 to 10.255.255.255 • 172.16.0.0 to 172.31.255.255 • 192.168.0.0 to 192.168.255.255 • Many large ranges assigned • 13.x.x.x Xerox, 18.x.x.x MIT, 54.x.x.x Merck

  14. IP address to Ethernet address • Address Resolution Protocol (ARP) • Layer 3 protocol • Maps IP address to MAC address • ARP Query • Who has 192.168.0.40? Tell 192.168.0.20 • ARP Reply • 192.168.0.40 is at 00:0e:81:10:19:FC • ARP caches for speed • Records previous ARP replies • Entries are aged and eventually discarded

  15. ARP Query & ARP Reply Web Browser IP 192.168.0.20 MAC 00:0e:81:10:17:D1 Web Server IP 192.168.0.40 MAC 00:0e:81:10:19:FC (2) ARP Reply 192.168.0.40 is at 00:0e:81:10:19:FC (1) ARP Query Who has 192.168.0.40? hub 10/100BASE-T

  16. Switches • Switches only send data to the intended receiver. • Builds an index of which device has which MAC address. Device MAC address 1 00:0e:81:10:19:FC 2 00:0e:81:32:96:af 3 00:0e:81:31:2f:d7 switch 4 00:0e:81:97:03:05 10/100BASE-T 8 00:0e:81:10:17:d1

  17. Switch Operation • When a frame arrives at switch • Switch looks up destination MAC address in index. • Sends the frame to the device in the index that owns that MAC address. • Switches are often intelligent: • Traffic monitoring, remotely configurable. • Switches operate at Layer 2.

  18. Switches in OSI Protocol Stack 7 Application 6 Presentation 5 Session 4 Transport 3 Network Switches 2 DataLink Cabling,Hubs 1 Physical

  19. ARP Vulnerability • ARP spoofing • Masquerade threat • Gratuitous ARP • ARP replies have no proof of origin • A malicious device can claim any MAC address • Enables all fundamental threats

  20. Before ARP spoofing IP 192.168.0.20 MAC 00:0e:81:10:17:d1 IP address MAC address Attacker IP 192.168.0.1 MAC 00:1f:42:12:04:72 192.168.0.40 00:0e:81:10:19:FC 192.168.0.1 00:1f:42:12:04:72 IP 192.168.0.40 MAC 00:0e:81:10:19:FC switch IP address MAC address 192.168.0.20 00:0e:81:10:17:d1 192.168.0.1 00:1f:42:12:04:72

  21. After ARP spoofing IP 192.168.0.20 MAC 00:0e:81:10:17:d1 IP address MAC address Attacker IP 192.168.0.1 MAC 00:1f:42:12:04:72 192.168.0.40 00:1f:42:12:04:72 192.168.0.1 00:1f:42:12:04:72 IP 192.168.0.40 MAC 00:0e:81:10:19:FC switch (1) Gratuitious ARP 192.168.0.40 is at 00:1f:42:12:04:72 IP address MAC address (2) Gratuitious ARP 192.168.0.20 is at 00:1f:42:12:04:72 192.168.0.20 00:1f:42:12:04:72 192.168.0.1 00:1f:42:12:04:72

  22. Effect of ARP spoofing IP datagram Dest: 192.168.0.40 MAC: 00:1f:42:12:04:72 IP 192.168.0.20 MAC 00:0e:81:10:17:d1 IP address MAC address Attacker IP 192.168.0.1 MAC 00:1f:42:12:04:72 192.168.0.40 00:1f:42:12:04:72 192.168.0.1 00:1f:42:12:04:72 IP 192.168.0.40 MAC 00:0e:81:10:19:FC switch Attackers relay index IP address MAC address IP address MAC address 192.168.0.20 00:1f:42:12:04:72 192.168.0.40 00:0e:81:10:19:FC 192.168.0.1 00:1f:42:12:04:72 192.168.0.20 00:0e:81:10:17:d1

  23. Switch Vulnerability • MAC Flooding • Malicious device connected to switch • Sends multiple Gratuitous ARPs • Each ARP claims a different MAC address • When index fills, some switches revert to hub behaviour Device MAC address 1 1 00:0e:81:10:19:FC 2 4 00:0e:81:32:96:af 3 4 4 00:0e:81:32:96:b0 4 4 4 00:0e:81:32:96:b1 … … 9999 4 00:0e:81:32:97:a4 switch

  24. Safeguards? • Physically secure the switch • Switches should failsafe when flooded • Threat: Denial of Service • Arpwatch: monitors MAC to IP address mappings • Switch port locking of MAC addresses • Prevents ARP spoofing • Reduces flexibility

  25. IP Routers • Routers support indirect delivery of ip datagrams. • Employing routing tables. • Information about possible destinations and how to reach them. • Three possible actions for a datagram • Sent directly to destination host. • Sent to next router on way to known destination. • Sent to default router. • IP Routers operate at Layer 3.

  26. Routers in OSI Protocol Stack 7 Application 6 Presentation 5 Session 4 Transport Routers 3 Network Switches 2 DataLink Cabling,Hubs 1 Physical

  27. Internet Routers Router IP address 192.168.0.20 Subnet 255.255.255.0 Default router 192.168.0.254 62.49.147.169 192.168.1.10 62.49.147.170 Router 192.168.0.254 192.168.1.11 192.168.0.40 switch switch

  28. Internet Routers IP datagram Dest: 192.168.0.40 Router IP address 192.168.0.20 Subnet 255.255.255.0 Default router 192.168.0.254 62.49.147.169 192.168.1.10 62.49.147.170 Router 192.168.0.254 192.168.1.254 192.168.1.11 192.168.0.40 switch switch

  29. Internet Routers IP datagram Dest: 192.168.1.11 Router IP address 192.168.0.20 Subnet 255.255.255.0 Default router 192.168.0.254 62.49.147.169 192.168.1.10 62.49.147.170 Router 192.168.0.254 192.168.1.254 192.168.1.11 192.168.0.40 switch switch

  30. Internet Routers IP datagram Dest: 134.219.200.69 Router IP address 192.168.0.20 Subnet 255.255.255.0 Default router 192.168.0.254 62.49.147.169 192.168.1.10 62.49.147.170 Router 192.168.0.254 192.168.1.254 192.168.1.11 192.168.0.40 switch switch

  31. VLANs • VLAN is a virtual LAN. • Switch is configured to divide up devices into VLANs. • Device on one VLAN can’t send to deviceson another VLAN. switch

  32. VLANs & Routers • How to get from one VLAN to another? • Connect them with a router. Router switch

  33. Secure? 192.168.1.1 C Layer 3… Network 192.168.1.0 192.168.0.1 D A 192.168.1.2 Network 192.168.0.0 B 192.168.0.2

  34. Secure? Layer 2… C D A B switch At Layer 3, the switch is “invisible” At Layer 2, the switch becomes “visible”

  35. TCP handshaking • Each TCP connection begins with three packets: • A SYN packet from sender to receiver. • “Can we talk?” • An SYN/ACK packet from receiver to sender. • “Fine – ready to start?” • An ACK packet from sender to receiver. • “OK, start”

  36. TCP Handshaking TCP Packet SYN flag “Can we talk?” IP datagram Src: 192.168.0.20 Dest: 192.168.0.40 192.168.0.40 192.168.0.20 TCP Packet SYN & ACK flag “Fine, ready to start?” IP datagram Src: 192.168.0.40 Dest: 192.168.0.20 TCP Packet ACK flag “OK, start” IP datagram Src: 192.168.0.20 Dest: 192.168.0.40

  37. Tracking TCP handshakes • The destination machine has to track which machines it has sent a “SYN+ACK” to • Keeps a list of TCP SYN packets that have had a SYN+ACK returned. • When ACK is received, packet removed from list as connection is open.

  38. TCP Denial Of Service • What if the sender doesn’t answer with an ACK? • A SYN packet from sender to receiver. • “Can we talk?” • An SYN/ACK packet from receiver to sender. • “Fine – ready to start?” • ………………..nothing…………..…… • If the sender sends 100 SYN packets per second • Eventually receiver runs out of room to track the SYN+ACK replies • SYN flooding.

  39. IP Spoofing • A machine can place any IP address in the source address of an IP datagram. • Disadvantage: Any reply packet will return to the wrong place. • Advantage (to an attacker): No-one knows who sent the packet. • If the sender sends 100 SYN packets per second with spoofed source addresses….

  40. TCP Denial of Service TCP Packet SYN flag TCP Packet SYN flag TCP Packet SYN flag “Can we talk?” TCP Packet SYN flag IP datagram Src: 62.49.10.1 Dest: 192.168.0.40 IP datagram Src: 62.49.10.1 Dest: 192.168.0.40 192.168.0.40 IP datagram Src: 62.49.10.1 Dest: 192.168.0.40 192.168.0.20 IP datagram Src: 62.49.10.1 Dest: 192.168.0.40 TCP Packet SYN & ACK flag TCP Packet SYN & ACK flag TCP Packet SYN & ACK flag TCP Packet SYN & ACK flag IP datagram Src: 192.168.0.20 Dest: 62.49.10.1 IP datagram Src: 192.168.0.20 Dest: 62.49.10.1 “Fine, ready to start?” IP datagram Src: 192.168.0.20 Dest: 62.49.10.1 IP datagram Src: 192.168.0.20 Dest: 62.49.10.1

  41. TCP/IP Ports • Many processes on a single machine may be waiting for network traffic. • When a packet arrives, how does the transport layer know which process it is for? • The port allows the transport layer to deliver the packet to the application layer. • Packets have source and destination port. • Source port is used by receiver as destination of replies.

  42. Port Assignments • Well known ports from 0 to 1023 • http=port 80 • smtp=port 25 • syslog=port 514 • telnet=23 • ssh=22 • ftp=21 + more… • Registered ports from 1024 to 49151 • Dynamic or private ports from 49152 to 65535

  43. Port Multiplexing Host A Host B putty ie net scape telnet apache Message Port 2077 Port 2076 Port 2078 Port 23 Port 80 Transport Layer Transport Layer Packet Internet Layer Internet Layer Datagram Network Layer Network Layer Frame Physical Network

  44. Ports in Action HTTP message GET index.html www.localserver.org HTTP message Contents of index.html 192.168.0.20 192.168.0.40 TCP Packet Src Port: 2076 Dest Port: 80 TCP Packet Src Port: 80 Dest Port: 2076 IP datagram Src: 192.168.0.20 Dest: 192.168.0.40 IP datagram Src: 192.168.0.40 Dest: 192.168.0.20 TELNET message TELNET message TCP Packet Src Port: 2077 Dest Port: 23 TCP Packet Src Port: 23 Dest Port: 2077 IP datagram Src: 192.168.0.20 Dest: 192.168.0.40 IP datagram Src: 192.168.0.40 Dest: 192.168.0.20 switch

  45. Network Sniffers • Network Interface Cards normally operating in non-promiscuous mode. • Only listen for frames with their MAC address • A sniffer changes a NIC into promiscuous mode. • Reads frames regardless of MAC address. • Many different sniffers • tcpdump • ethereal • Snort

  46. Sniffing legitimately • Do they have legitimate uses? • Yes … when used in an authorised and controlled manner. • Network analyzers or protocol analyzers. • With complex networks, they are used for fault investigation and performance measurement. • Useful when understanding how a COTS product uses the network.

  47. Detecting Sniffers • Detecting an sniffing attack • Very difficult, but sometimes possible • Tough to check remotely whether a device is sniffing. Approaches include: • Sending large volumes of data, then sending ICMP ping requests. • Sending data to unused IP addresses and watching for DNS requests for those IP addresses. • Exploiting operating system quirks. • AntiSniff, Security Software Technologies

  48. Sniffer Safeguards • Preventing attacks or limiting their effects • Basically a matter of network and system design security • Examples of safeguards are: • Use of non-promiscuous interfaces. • Encryption of network traffic. • One-time passwords e.g. SecurId, skey. • Lock MAC addresses to switch ports – not effective.

  49. Networks at the building level • New Threats • Backbone which connects LANs • Interconnections between the LAN and the backbone • Control of information flow within a larger network • Network Management itself

More Related