
Ch 4: Securing Your Network






Presentation Transcript


  1. Ch 4: Securing Your Network CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide DarrilGibson Updated 2-23-16

  2. Understanding IDSs and IPSs

  3. IDS v. IPS • IDS detects attacks but does not stop them • Detective technical control • Passive IDS merely logs attacks, and/or sends alerts • Active IDS may send alerts and change environment • IPS stops attacks in progress • Preventive technical control • Similar to Active IDS

  4. HIDS v. NIDS • HIDS (Host-based IDS) • Installed on a server or workstation • NIDS (Network-based IDS) • Installed on a network device, such as a router or switch

  5. Packet Sniffing • Wireshark and other tools show packets one-by-one • Useful for debugging • Can steal passwords off the wire • Especially if they are sent without encryption

  6. Wall of Sheep • Displays passwords captured at Defcon

  7. Signatures v. Anomalies • Signature-based monitoring recognizes known attack patterns • Also called definition-based • Anomaly-based monitoring detects abnormal behavior based on a baseline • Also called behavior-based or heuristics-based

  8. Active IDS v. IPS • Both react to an attack in some manner • IPS must be placed in line with the traffic to prevent the attack

  9. HIDS • Additional software on a workstation or server • Can detect attacks on the local system • Can monitor changes to operating system files • Protects only one host

  10. SYN Flood Demo Notes • On Mac OS X: • Preferences, click Sharing, turn on Printer Sharing • watch "netstat -anp tcp | grep 631" • On Kali Linux: • iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP • scapy • send(IP(dst="192.168.1.213")/TCP(dport=631, sport=(1000,1100)))

  11. SYN Flood

  12. NIDS • Can only see network traffic, not OS files • Unable to decrypt encrypted traffic • Unless your network performs a man-in-the-middle SSL attack • Commonly done in modern corporations

  13. NIDS Configuration

  14. Detection Methods • Signature-based • Uses a database of predefined traffic patterns • Database requires frequent updates • Anomaly-based • Needs to measure a performance baseline • Baseline must be updated if network is changed
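The two detection methods from slides 7 and 14 side by side, as an added worked example that is not part of the slide deck. The signature detector only matches patterns in its database (so it misses anything until a definition update), while the anomaly detector flags values far from a measured baseline and has to be re-baselined when the network changes. All patterns, request counts and payloads are constructed for the example.

```python
"""Signature-based versus anomaly-based detection on constructed data.

Added example for the detection-methods slides; not from the slide deck.
Attack patterns, payloads and requests-per-minute samples are constructed
and do not describe any real signature database or network.
"""
from statistics import mean, pstdev


class SignatureDetector:
    """Matches traffic against a database of known byte patterns."""

    def __init__(self, patterns):
        self.patterns = set(patterns)

    def update(self, new_patterns):
        """Definition update; until it happens a new pattern is never matched."""
        self.patterns.update(new_patterns)

    def inspect(self, payload: bytes):
        """Return the names of every known pattern found in the payload."""
        return sorted(p.decode() for p in self.patterns if p in payload)


class AnomalyDetector:
    """Flags samples far from a learned mean; the baseline, not a pattern list, defines 'bad'."""

    def __init__(self, sigmas=3.0):
        self.sigmas = sigmas
        self.mu = None
        self.sd = None

    def learn_baseline(self, samples):
        """Measure the performance baseline (mean and population std-dev) from normal traffic."""
        self.mu, self.sd = mean(samples), pstdev(samples)

    def is_anomalous(self, value):
        """True when the value lies more than `sigmas` standard deviations from the baseline."""
        if self.mu is None:
            raise RuntimeError("baseline has not been measured yet")
        return abs(value - self.mu) > self.sigmas * max(self.sd, 1e-9)


# Constructed requests-per-minute samples from a quiet week, and from the same
# network after a second office was added (roughly double the load).
QUIET_WEEK = [100, 110, 95, 105, 90, 100, 108, 97]
AFTER_EXPANSION = [200, 210, 195, 205, 190, 200, 208, 197]


def baseline_drift_demo():
    """Show that a normal post-change value looks like an attack under the stale baseline."""
    old = AnomalyDetector()
    old.learn_baseline(QUIET_WEEK)
    new = AnomalyDetector()
    new.learn_baseline(AFTER_EXPANSION)
    normal_after_change = 205
    return old.is_anomalous(normal_after_change), new.is_anomalous(normal_after_change)


if __name__ == "__main__":
    sig = SignatureDetector([b"../../", b"UNION SELECT"])
    print(sig.inspect(b"GET /../../secret HTTP/1.1"))   # matched: directory traversal pattern
    print(sig.inspect(b"GET /?q=<script> HTTP/1.1"))    # [] until the database is updated
    sig.update([b"<script>"])
    print(sig.inspect(b"GET /?q=<script> HTTP/1.1"))
    print(baseline_drift_demo())                         # (True, False)
```

The drift demo is the point of the "baseline must be updated" bullet: the same 205 requests per minute is a three-sigma outlier against the old baseline and unremarkable against the new one.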

  15. Data Sources and Trends • IDS collects data from various sources • Firewall logs • System logs • Application logs • May monitor logs in real time

  16. Reporting • Alarms • Also called Alerts • Indicates that an interesting event was detected • Does not always indicate a real attack • Goal • Set threshold low enough to detect all real attacks, but • High enough to avoid too many false positives

  17. False Positives v. False Negatives • False positive • Alert on nonthreatening events • False negative • Real attack, but no alert

  18. IDS Threshold • Number of events required to cause an alert • Example: 50 incomplete TCP handshakes per minute from the same IP • There are no established rules for thresholds • Must be "tuned" by administrators • Untuned security devices tend to produce many false positives
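The threshold rule from slide 18 ("50 incomplete TCP handshakes per minute from the same IP") implemented over a constructed connection log, as an added example that is not part of the slide deck. It also grades three thresholds against known ground truth so the false-positive and false-negative cases from slides 16 and 17 are visible: too low flags a busy legitimate client, too high misses the flood. The log line format, addresses and traffic are all constructed for the example.

```python
"""Half-open TCP handshake counter with a tunable alert threshold.

Added example for the IDS threshold and false-positive slides; not part of the
slide deck. The log format is an assumption for the example:
"<HH:MM:SS> <src_ip>:<sport> > <dst_ip>:<dport> <flag>". A SYN never followed
by an ACK from the same socket pair counts as one incomplete handshake
against its source address for the minute in which the SYN was seen.
"""
from collections import defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed traffic: one flooding source and one busy legitimate client."""
    lines = []
    # 60 SYNs from 10.0.0.99, each from a new source port, none ever completed.
    for i in range(60):
        lines.append(f"10:00:{i:02d} 10.0.0.99:{1000 + i} > 192.168.1.213:631 SYN")
    # 8 attempts from 10.0.0.5; 5 complete the handshake, 3 are abandoned.
    for i in range(8):
        lines.append(f"10:00:{i * 5:02d} 10.0.0.5:{40000 + i} > 192.168.1.213:631 SYN")
        if i < 5:
            lines.append(f"10:00:{i * 5 + 1:02d} 10.0.0.5:{40000 + i} > 192.168.1.213:631 ACK")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, flag)."""
    ts, src, _arrow, dst, flag = line.split()
    return datetime.strptime(ts, "%H:%M:%S"), src, dst, flag


def half_open_per_minute(lines):
    """Return {(src_ip, "HH:MM"): number of SYNs never answered by an ACK}."""
    pending = {}  # (src socket, dst socket) -> (src_ip, minute of the SYN)
    for line in lines:
        ts, src, dst, flag = parse_line(line)
        if flag == "SYN":
            pending[(src, dst)] = (src.rsplit(":", 1)[0], ts.strftime("%H:%M"))
        elif flag == "ACK":
            pending.pop((src, dst), None)  # handshake completed, no longer half-open
    counts = defaultdict(int)
    for src_ip, minute in pending.values():
        counts[(src_ip, minute)] += 1
    return dict(counts)


def alerts(counts, threshold):
    """Fire one alert per (source, minute) whose count reaches the threshold."""
    return sorted((ip, minute, n) for (ip, minute), n in counts.items() if n >= threshold)


def classify(counts, threshold, attacker_ips):
    """Grade a threshold against ground truth: true/false positives and false negatives."""
    fired = {ip for ip, _minute, _n in alerts(counts, threshold)}
    return {
        "true_positive": sorted(fired & attacker_ips),
        "false_positive": sorted(fired - attacker_ips),
        "false_negative": sorted(attacker_ips - fired),
    }


if __name__ == "__main__":
    counts = half_open_per_minute(build_sample_log())
    for threshold in (2, 50, 100):
        print(threshold, classify(counts, threshold, {"10.0.0.99"}))
```

Running it shows the tuning trade-off from the slides directly: at 2 the legitimate client 10.0.0.5 is a false positive, at 100 the flood from 10.0.0.99 is a false negative, and at 50 only the flood alerts.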

  19. IDS Responses • Passive (Alerts personnel) • Pop-up window • Central monitor • E-mail • Page or text message • Active • Alerts personnel • Modify ACL on Firewall • Divert attack to a honeypot or other safe environment

  20. Honeypot • Appears to be a server worth hacking into • Has no valuable data • Often used to collect knowledge about attackers

  21. Link Ch 4a

  22. Link Ch 4b

  23. Link Ch 4c

  24. Microsoft Proposes Personal Honeypots

  25. Honeynet • A group of virtual servers appearing to be a live network

  26. Counterattacks • Some active IDS systems attack the attacker back • Legal problems • Likely that you are attacking another innocent victim

  27. Securing Wireless Networks

  28. Wireless Standards From Wikipedia

  29. Wireless Footprint • High power makes a large footprint • Easier for users to connect • Easier for attackers to snoop on • Careful antenna placement • Metal in walls • Directional antennas such as a Yagi increase range of reception

  30. Site Surveys and Antenna Placement • Site Survey • Examine wireless environment to identify potential problems • Set up a WAP and measure signal strength from various locations • Also performed to detect • Rogue access points • Jamming • Evil twins • Interference

  31. Security Protocols • WEP – Broken and unsafe to use • WPA – Much safer, stronger with AES than TKIP • WPA2 – Best security currently available, especially in Enterprise mode with 802.1x or RADIUS server

  32. WEP (Wired Equivalent Privacy) • Mathematically insecure • Can be broken with no knowledge of the key 100% of the time • Attacker needs 50,000 packets or so

  33. WPA (Wi-Fi Protected Access) • Designed to run on hardware designed for WEP with only a software upgrade • Weakest form of WPA uses TKIP (Temporal Key Integrity Protocol) and RC4 encryption • Stronger form of WPA uses AES encryption

  34. WPA-2 • Stronger cryptography than WEP or WPA • Uses CCMP mode of AES

  35. Personal and Enterprise Modes • Both WPA and WPA-2 have Personal and Enterprise modes • Personal • Pre-Shared Key (PSK) must be entered in each device • Key is the same for all users

  36. Personal and Enterprise Modes • Enterprise mode • Each user has individual credentials • Username and password • Extensible protocols like LEAP and PEAP which can use certificates • Credentials stored on a RADIUS server
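Why "the key is the same for all users" in Personal mode, as an added worked example that is not part of the slide deck. WPA and WPA2-Personal map the passphrase and SSID to the Pairwise Master Key with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes); every device that knows the passphrase derives the identical PMK, so there is no per-user credential to revoke, which is the gap Enterprise mode with a RADIUS server closes. The passphrases and SSIDs are constructed, and the 64-hex-digit raw-key shortcut follows the wpa_supplicant "psk=" convention.

```python
"""WPA/WPA2-Personal PMK derivation.

Added example for the Personal vs. Enterprise mode slides; not from the
slide deck. Passphrases and SSIDs below are constructed for illustration.
"""
import hashlib
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK mapping: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The passphrase must be 8 to 63 printable ASCII characters (0x20-0x7E).
    """
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def pmk_from_config(psk_value: str, ssid: str) -> bytes:
    """Mirror the wpa_supplicant 'psk=' rule: 64 hex digits are the raw PMK, anything else is a passphrase."""
    if len(psk_value) == 64 and all(c in string.hexdigits for c in psk_value):
        return bytes.fromhex(psk_value)
    return derive_pmk(psk_value, ssid)


def pmk_per_device(passphrase: str, ssid: str, devices):
    """Map each device on a Personal-mode network to the PMK it will derive."""
    return {device: derive_pmk(passphrase, ssid).hex() for device in devices}


def shares_one_key(passphrase: str, ssid: str, devices) -> bool:
    """True when every device ends up with the same PMK (always, for Personal mode)."""
    return len(set(pmk_per_device(passphrase, ssid, devices).values())) == 1


if __name__ == "__main__":
    # Constructed network: three devices, one passphrase, one SSID.
    devices = ["alice-laptop", "bob-phone", "printer"]
    for device, key in pmk_per_device("correct horse battery", "ExampleNet", devices).items():
        print(f"{device:12s} {key}")
    print("single shared key:", shares_one_key("correct horse battery", "ExampleNet", devices))
```

Because the SSID is the salt, the same passphrase on two differently named networks yields two different PMKs, but within one network the PMK is a per-network secret, not a per-user one; rotating it after one person leaves means re-entering the new passphrase on every device.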

  37. Attacking WPS (Wi-Fi Protected Setup) • Link Ch 4g

  38. EAP, PEAP, and LEAP • EAP (Extensible Authentication Protocol) • A framework that provides general guidance for authentication • PEAP (Protected EAP) • Encapsulates EAP conversation in a TLS tunnel • Requires a digital certificate for the server, but not the clients

  39. EAP-TTLS and EAP-TLS • EAP-Tunneled TLS (EAP-TTLS) • An extension of PEAP • Allows some older authentication methods, such as PAP within a TLS tunnel • Requires a certificate on the 802.1x server but not on the clients • EAP-TLS • Most secure, widely implemented • Requires a certificate on both the server and the clients (link Ch 4o)

  40. LEAP (Lightweight EAP) • Cisco's attempt to improve WEP • Uses CHAP • Not secure, subject to offline dictionary attack • Cisco recommends using PEAP instead

  41. ASLEAP • Lightweight Extensible Authentication Protocol (LEAP) • A Cisco product • Vulnerable, but Cisco didn’t care • Joshua Wright wrote the ASLEAP hacking tool to crack LEAP, and forced Cisco to develop a better protocol • See link Ch 4f

  42. Reaction to ASLEAP • “Within months, some "helpful" person invested their time into generating a cracker tool. Publicizing the threat was a service to everyone, but I leave it as an exercise for readers to determine what satisfaction is obtained by the authors of tools that turn threat into reality and lay waste to millions of dollars of investments.” • --"Real 802.11 Security", William Arbaugh and Jon Edney, as quoted in link Ch 4f

  43. WTLS and ECC • WTLS (Wireless Transport Layer Security) • Used by many smaller wireless devices • ECC (Elliptic Curve Cryptography) • A more efficient cryptography method than the RSA algorithm used on the Internet • Used on small wireless devices to save power

  44. Free SSL for Everyone • Cloudflare uses ECC • This made certificates so cheap that they offer them free to everyone • Link Ch 4p

  45. Captive Portal • Users connect to the wireless network, but then must log in to a Web page to get to the Internet

  46. Common Captive Portals • Free Internet access • Users agree to Terms of Service • Paid Internet access • Users must enter a credit card number or log in to a prepaid account • Alternative to 802.1x • Require users to authenticate • Can be simpler than configuring 802.1x

  47. Hot Spots and Isolation Mode • Each client is on a separate VLAN, in effect • Isolates clients better • Protects clients from each other • Done at Starbucks • Does not protect against • Evil twin • Sniffing unencrypted wireless traffic directly in Monitor mode

  48. Other Security Concerns • Change default administrator password • MAC filtering • Allows only approved MAC addresses to connect • Easily sniffed & spoofed

  49. CCSF Wardriving • Sat., April 25, 2015, 9 am, SCIE 200
