Objectives - PowerPoint PPT Presentation

Presentation Transcript

  1. Objectives • Recognize that voice and data systems use the same communications networks • Describe the components of a typical network • Describe countermeasures for network-related threats: Telecommunications and Network; Physical and Personnel; System, Application and Individual; Planning, Policies, and Procedures

  2. Objectives • Describe the concept of “defense-in-depth” • Identify technologies used to apply countermeasures for network-related threats • Identify components that comprise wireless networks • Identify threats related to wireless technologies • Identify countermeasures for wireless related threats

  3. Communication Networks • History • Moving ideas • Electric communication • Circuit switching

  4. Voice Communications • Public Switched Telephone Network (PSTN) • Private Branch Exchange (PBX) • Acts as organization’s internal phone company • Cost savings

  5. Voice Networks • History • Introduction of packet-switched networks in 1960s • Computers used for switching instead of relays • Now voice communication is treated as data

  6. The News

  7. PBX Threats • Toll fraud • Disclosure of information • Unauthorized access • Traffic analysis • Denial of Service (DoS)

  8. PBX Threat Countermeasures • Implement physical security • Restrict access to the maintenance port • Enable alarms and audit trails • Remove all default passwords • Review the configuration of your PBX against known hacking techniques

  9. Data Networks • International voice network already existed • For computers to communicate, less expensive to use same network • Modems designed to leverage this asset

  10. Modem Threats • Unauthorized and misconfigured modems • Authorized but misconfigured modems

  11. Wardialing Experiment Peter Shipley conducted a wardialing exercise in the San Francisco Bay area from April 1997 to January 2000, looking for unsecured modems. • Dialed 5.7 million phone numbers • Area codes: 408, 415, 510, 650 • Carriers found: 46,192 • Experiment and results presented at DEFCON

  12. Common Wardialers • ToneLoc (DOS, Windows NT, 2000) • ShokDial (UNIX/Linux) • PhoneSweep (Commercial – Windows)

  13. Modem Threat Countermeasures • Policy • Scanning • Administrative action • Passwords • Elimination of modem connections • Use a device to protect from telephony-based attacks and abuses

  14. Voice Over Internet Protocol (VoIP) • Transmission of voice conversations using traditional “data network” transmission methods • Taking calls off the regular phone lines and sending them on a data network

  15. VoIP Benefits • Less expensive • Increased functionality • Flexibility • Mobility

  16. VoIP Threats • Service theft • Eavesdropping • Spam/SPIT (SPam over Internet Telephony) • Denial of Service (DoS) • Vishing (VoIP phishing) • Call tampering

  17. VoIP Threat Countermeasures • Physical control • Authentication and encryption • Develop appropriate network architecture • Employ VoIP firewall and security devices

  18. Data Networks: History Refresher • Modems put on voice network to carry data • No need to build new, separate network • Early on most data networks used modems over voice network • 1960s, data networks include introduction of satellites and radios • Also packet switching

  19. Data Networks • Computers linked together • Components found in most networks: • Hosts (computers) • Workstations (desktops, laptops, etc.) • Servers (e-mail, web, database, etc.) • Switches and hubs • Routers

  20. Common Network Terms • Local Area Network (LAN) • Wide Area Network (WAN) • Wireless LAN (WLAN)

  21. Data Network Protocols • Common protocols • Transmission Control Protocol (TCP) • User Datagram Protocol (UDP) • Internet Control Message Protocol (ICMP) • Hypertext Transfer Protocol (HTTP)

  22. Common Protocols • TCP • Moves data across networks with a connection-oriented approach (handshake, sequencing, retransmission) • UDP • Moves data across networks with a connectionless approach (no handshake, no delivery guarantee) • ICMP • Used by operating systems and routers to send error and diagnostic messages across networks • HTTP • Transfers web pages, hypermedia, and other request/response communications

  23. Data Network Threats • Information gathering: assessing targets to plan attacks • Denial of Service (DoS): degrading or preventing communication through or across specific network(s) • Other exploitation/interception: • Disinformation: fooling users or network components/services • Man-in-the-middle: getting between communicators • Session hijacking: illicitly assuming control of a legitimate connection

  24. Information Gathering Threats • Attackers want to determine nature of targets • Reduce wasted effort • Formulate attack plans • Pick specific tools • Select tactics

  25. Network Scanning: Finding Active Machines • An organization has a range of IP addresses assigned to it • It may not use them all • A ping sweep finds the IP addresses in use • The ping utility is designed to determine whether a remote system is active

  26. Ping Sweep • Using ping, the attacker sends an ICMP echo request to each address in a range • Every reachable system that is not filtering ICMP responds with an echo reply • The replies provide a list of potential targets

  27. Ping Sweep (diagram): the attacker sends echo requests to the target list 10.1.1.9, 10.1.1.10 and 10.1.1.11; only 10.1.1.10 returns an echo reply, while 10.1.1.9 and 10.1.1.11 are unused addresses and stay silent
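The sweep in slides 25-27 reduced to code, as an added example that is not part of the original deck: it builds the ICMP echo request that ping sends (type 8, RFC 1071 checksum, identifier and sequence number), validates whatever comes back, and counts a host as live only for a well-formed echo reply that matches the probe. Sending real ICMP needs a raw socket and root, so the transport here is a constructed stand-in (`simulated_network`) in which the hosts you name answer and the rest stay silent, exactly as a host that is down or filtering echo would; swap in a raw-socket send/receive to use it against real addresses.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"abcdefgh") -> bytes:
    """ICMP header is type, code, checksum, identifier, sequence (8 bytes), then payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)    # computed with the checksum field zeroed
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Validate and decode an ICMP message; raises ValueError on a damaged packet."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:            # a valid packet sums to all ones, complement 0
        raise ValueError("bad ICMP checksum")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": packet[8:]}


def build_echo_reply(request: bytes) -> bytes:
    """What a live host sends back: same id, seq and payload, type changed to echo reply."""
    req = parse_icmp(request)
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, req["id"], req["seq"])
    csum = icmp_checksum(header + req["payload"])
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, req["id"], req["seq"]) + req["payload"]


def ping_sweep(targets, send_recv, ident: int = 0x1234) -> list:
    """Probe each address; send_recv(ip, packet) returns the reply bytes or None.
    Only a well-formed echo reply carrying our id and sequence counts as a live host."""
    live = []
    for seq, ip in enumerate(targets, start=1):
        reply = send_recv(ip, build_echo_request(ident, seq))
        if reply is None:
            continue
        try:
            parsed = parse_icmp(reply)
        except ValueError:
            continue                          # truncated or corrupted reply: ignore it
        if parsed["type"] == ICMP_ECHO_REPLY and parsed["id"] == ident and parsed["seq"] == seq:
            live.append(ip)
    return live


def simulated_network(live_hosts):
    """Constructed stand-in for a raw socket: hosts in live_hosts answer, the others stay
    silent (as a host that is down, or one that filters ICMP echo, would)."""
    def send_recv(ip, packet):
        return build_echo_reply(packet) if ip in live_hosts else None
    return send_recv


if __name__ == "__main__":
    net = simulated_network({"10.1.1.10"})
    print(ping_sweep(["10.1.1.9", "10.1.1.10", "10.1.1.11"], net))
```

Against real hosts the same sweep is what `nmap -sn 10.1.1.0/24` does, with the extra trick that nmap falls back to TCP probes when echo requests are filtered, which is why the next activity uses it.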

  28. Ping

  29. Activity 03.1: Perform Ping Sweep Using nmap • Purpose: • In this activity, you will perform a scan in the form of a ping sweep. This will familiarize you with one of the most common techniques to gather information about a target environment. • Estimated completion time: • 10 – 15 minutes

  30. Activity 03.1: Perform Ping Sweep Using nmap What did we detect? Is this a useful tool? • From an attacker’s perspective • From an administrator’s perspective

  31. Port Scanning • Checks a computer for open ports • Port numbers run from 0 to 65,535 • 0-1,023 are the "well-known" ports • 1,024-49,151 are the "registered" ports • 49,152-65,535 are dynamic or private ports

  32. Some Well-Known Ports
      Port #   Network Service
      20       File Transfer Protocol (FTP) Data
      21       File Transfer Protocol (FTP) Control
      23       Telnet
      25       Simple Mail Transfer Protocol (SMTP)
      53       Domain Name System (DNS)
      79       Finger
      80       World Wide Web (HTTP)
      110      Post Office Protocol - Version 3 (POP3)
      443      HTTPS

  33. How Port Scanning Works (diagram): the attacker probes ports 79, 80, 81 and 82 on a web server; only port 80 answers, so the attacker's services list records HTTP on port 80
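The probe in slide 33 done for real, as an added example that is not from the original deck: a TCP connect scan, the simplest scan type, completes the full three-way handshake on each port and classifies the answer. It runs entirely against the loopback interface: `start_listener` opens a throwaway service so one port is genuinely open, `free_port` picks a port nothing listens on so the scan also sees a closed port (both helpers are this example's own, not standard tooling). The three outcomes are the ones every scanner reports: open (handshake completed), closed (the host sent RST, which the OS surfaces as connection refused), and filtered (nothing came back before the timeout, usually a firewall silently dropping the probe).

```python
import socket


def start_listener(host: str = "127.0.0.1") -> tuple:
    """Open a throwaway TCP listener on an ephemeral port so the scan has a known open port.
    Returns (socket, port); the caller closes the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing is listening on, so the scan also sees a closed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan: attempt the full three-way handshake on each port.
    open     - handshake completed, a service is listening
    closed   - the host answered with RST (connection refused)
    filtered - no answer before the timeout, typically a firewall dropping the probe"""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except socket.timeout:
            results[port] = "filtered"
        except OSError:
            results[port] = "error"          # no route, host unreachable, etc.
        finally:
            s.close()
    return results


def demo() -> tuple:
    """Scan one listening port and one closed port on the loopback interface."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port in sorted(results):
        print(f"{port:5d}/tcp  {results[port]}")
```

Because the handshake completes, a connect scan shows up in the target's application logs as a real connection, which is why attackers prefer half-open (SYN) scans and why, for an administrator, logged connections with no request body are themselves a scan indicator.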

  34. Activity 03.2: Perform Port Scanning Using Different Tools • Purposes: • In this activity, you will perform port scans using different scanning tools. This will familiarize you with one of the most common techniques to gather information about a target environment, and learn the efficacy of various tools. • Estimated completion time: • 50 – 55 minutes

  35. Activity 03.2: Perform Port Scanning Using Different Tools What were the results of our port scanning tests? • What did they mean? Would this be helpful for an attacker? Would this be helpful for an administrator?

  36. Sniffing • Monitoring traffic flow across a network • Pull all packets • Be selective • Only grab packets to and from certain addresses • Only grab packets carrying a certain type of traffic • Needs to view all traffic on the network • On internal network • On main connection into/out of a network

  37. Denial of Service (DoS) • Degrade and prevent operations/functionality • Distributed denial of service (DDoS) attack uses multiple attack machines simultaneously

  38. Ping Flood / Ping of Death • Ping flood • Too much ping traffic drowns out all other communication • Ping of Death • Oversized or malformed ICMP packets cause the target to reboot or crash • An IP datagram can be at most 65,535 bytes; the attacker sends fragments that reassemble to more than that • Reassembling them overruns the fixed-size buffer (a buffer overflow)
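The Ping of Death mechanism from slide 38 as an added example (not from the original deck), with the vulnerable reassembly pattern next to the hardened one. `fragment` splits an ICMP message into IP fragments the way a 1,500-byte MTU would, carrying the offset in 8-byte units as the real header field does. `naive_reassemble` copies each fragment into a buffer sized to the IP maximum without checking where the fragment ends; Python just grows the bytearray, but the equivalent C `memcpy` writes past the allocation, which is the crash the slide describes. `safe_reassemble` rejects any fragment that would end beyond 65,535 bytes before copying a byte, and also insists the fragments tile the datagram with no gaps. The inputs are constructed here.

```python
MAX_DATAGRAM = 65535                     # largest IP datagram the 16-bit total-length field allows
IP_HEADER = 20
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER   # 65515 bytes of ICMP (header + data) after reassembly


def fragment(payload: bytes, mtu_payload: int = 1480) -> list:
    """Split an ICMP message as IP fragmentation does on a 1500-byte MTU:
    (offset in 8-byte units, more-fragments flag, chunk). No size check here,
    just like a sender that deliberately builds an oversized datagram."""
    frags = []
    for start in range(0, len(payload), mtu_payload):
        chunk = payload[start:start + mtu_payload]
        more = start + mtu_payload < len(payload)
        frags.append((start // 8, more, chunk))
    return frags


def naive_reassemble(fragments) -> bytes:
    """Vulnerable pattern: fixed buffer sized to the IP maximum, fragments copied at
    offset*8 with no check on where they end. The bytearray silently grows past
    MAX_PAYLOAD; in C this is a write past the end of the allocation."""
    buf = bytearray(MAX_PAYLOAD)
    for offset_units, _more, chunk in sorted(fragments, key=lambda f: f[0]):
        start = offset_units * 8
        buf[start:start + len(chunk)] = chunk
    return bytes(buf)


def safe_reassemble(fragments) -> bytes:
    """Hardened reassembly: refuse any fragment ending beyond the 65,535-byte limit
    before copying, and require the fragments to tile the datagram without gaps."""
    buf = bytearray()
    expected = 0
    for offset_units, more, chunk in sorted(fragments, key=lambda f: f[0]):
        start = offset_units * 8
        end = start + len(chunk)
        if end > MAX_PAYLOAD:
            raise ValueError(f"fragment ends at byte {end}, beyond the {MAX_PAYLOAD}-byte maximum")
        if start != expected:
            raise ValueError(f"gap or overlap at offset {start}")
        buf += chunk
        expected = end
        if not more:
            return bytes(buf)
    raise ValueError("final fragment (more-fragments = 0) never arrived")


# Constructed inputs: a normal 3,000-byte ping and a 66,000-byte Ping of Death.
NORMAL_PAYLOAD = bytes(range(256)) * 11 + b"\x00" * 184
NORMAL_PING = fragment(NORMAL_PAYLOAD)
PING_OF_DEATH = fragment(b"\x41" * 66000)

if __name__ == "__main__":
    print(len(safe_reassemble(NORMAL_PING)), "bytes reassembled normally")
    print(len(naive_reassemble(PING_OF_DEATH)), "bytes written into a", MAX_PAYLOAD, "byte buffer")
    try:
        safe_reassemble(PING_OF_DEATH)
    except ValueError as e:
        print("rejected:", e)
```

The check is one comparison, which is why the fix shipped quickly once the bug was understood; the lesson that outlives it is that a length derived from attacker-controlled header fields (offset plus fragment length) must be bounded before it is used as a copy destination.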

  39. Smurf Attack • A large stream of spoofed ping packets is sent to a network's broadcast address • The source address is forged (spoofed) to be the target's IP address • The router for that broadcast address delivers the request to every host on the network • Every host sends its ping reply to the victim • With many requests to the broadcast address, the target is overloaded with replies

  40. Smurf Attack (ICMP Flooding) (diagram): the attacker sends ping broadcast requests with the victim's address spoofed as the source; each broadcast fans out into multiple ping requests to the hosts on that network, and their multiple ping replies all go to the victim, whose system or network is overloaded

  41. SYN Flooding • Exploits the synchronization handshake TCP uses to initiate connections • Subverts the normal process • In the customary "three-way handshake": • Initiator sends a synchronization (SYN) packet • Target replies with a SYN/ACK (acknowledgement) • Initiator sends an ACK • The machines are now ready to communicate • In SYN flooding, the attacker sends SYN packets (usually from spoofed addresses) but never the ACK • The target replies with SYN/ACK • The target holds a half-open connection while it waits for the ACK, and eventually gives up • If enough SYNs arrive, the table of half-open connections fills and legitimate connection attempts are dropped

  42. SYN Flooding (diagram): in the normal handshake the exchange is 1. SYN, 2. SYN-ACK, 3. ACK; in a SYN flood the attacker sends SYN after SYN, the target answers each with a SYN-ACK, and the final ACK never comes
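The two handshakes in slides 41-42 as a state-machine simulation, added here and not part of the original deck. `StatefulListener` is the classic design: each SYN/ACK it sends is remembered as a half-open entry in a finite table until the ACK arrives or the entry times out, so a flood of un-ACKed SYNs from spoofed sources fills the table and a legitimate client gets no SYN/ACK at all. `SynCookieListener` is the standard countermeasure: it stores nothing per SYN, because the initial sequence number it sends is a keyed hash of the client address and a 64-second time slot, and a client that returns that number plus one proves it saw the SYN/ACK. The cookie layout is simplified (the MSS bits of the real encoding are omitted) and the flood sources, client address and timing are constructed; both listeners are this example's own classes, not a real TCP stack.

```python
import hashlib
import hmac
import os
from collections import OrderedDict


class StatefulListener:
    """Classic listener: every SYN/ACK it sends is remembered as a half-open entry
    until the final ACK arrives or the entry times out. The table is finite."""

    def __init__(self, backlog: int = 128, syn_timeout: int = 60):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = OrderedDict()      # (client_ip, client_port) -> (isn, expiry)
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now: int) -> None:
        for client, (_isn, expiry) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[client]

    def on_syn(self, client: tuple, now: int):
        """Return the ISN carried in our SYN/ACK, or None when the backlog is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[client] = (isn, now + self.syn_timeout)
        return isn

    def on_ack(self, client: tuple, ack: int, now: int) -> bool:
        self._expire(now)
        entry = self.half_open.get(client)
        if entry is None or ack != (entry[0] + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class SynCookieListener:
    """SYN cookies: no state per SYN. The ISN is an HMAC of the client address and a
    64-second time slot (top 5 bits of the ISN carry the slot); returning ISN+1 proves
    the client completed the handshake. Simplified: the MSS bits are left out."""

    def __init__(self, secret: bytes = None):
        self.secret = secret or os.urandom(16)
        self.established = set()

    def _cookie(self, client: tuple, slot: int) -> int:
        msg = f"{client[0]}:{client[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (slot << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, client: tuple, now: int) -> int:
        return self._cookie(client, (now // 64) % 32)        # nothing stored

    def on_ack(self, client: tuple, ack: int, now: int) -> bool:
        isn = (ack - 1) & 0xFFFFFFFF
        slot = isn >> 27
        if ((now // 64) % 32 - slot) % 32 > 1:                # accept this slot and the previous one
            return False
        if isn != self._cookie(client, slot):                 # forged or replayed cookie
            return False
        self.established.add(client)
        return True


def simulate_flood(listener, flood_syns: int = 10_000, now: int = 1000) -> bool:
    """Attacker sends SYNs from spoofed sources and never ACKs; then one legitimate
    client tries a full handshake. Returns whether the legitimate client got through."""
    for i in range(flood_syns):
        listener.on_syn((f"198.51.100.{i % 250}", 1024 + i), now)
    client = ("192.0.2.10", 50000)
    isn = listener.on_syn(client, now + 1)
    if isn is None:                                           # no SYN/ACK ever came back
        return False
    return listener.on_ack(client, (isn + 1) & 0xFFFFFFFF, now + 2)


if __name__ == "__main__":
    s = StatefulListener()
    print("stateful: legitimate client connected:", simulate_flood(s), "| SYNs dropped:", s.dropped_syns)
    print("SYN cookies: legitimate client connected:", simulate_flood(SynCookieListener()))
```

The cost of cookies is that anything negotiated in the SYN (window scaling, SACK) is lost unless it is squeezed into the cookie, which is why real stacks only switch them on once the backlog fills; the "adjust state limits" countermeasure later in the deck is the backlog size and SYN timeout that `StatefulListener` models.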

  43. DDOS With Zombies/Botnet

  44. Man-In-The-Middle Attacks • Instead of shutting down target networks, attackers may want access • Types of attacks • Eavesdropping • Session hijacking

  45. Network Attack Countermeasures • Discussion: countering the threats • Scans/Sniffing/Ping sweeps • DoS/DDoS • Ping of Death • SYN flood • Smurf attack • Others • Session hijacking • Eavesdropping

  46. Ways To Recognize Scanning • System log file analysis • Network traffic • Firewall and router logs • Intrusion Detection Systems (IDSs)
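The "firewall and router logs" item from slide 46 made concrete, as an added example that is not part of the original deck: the logic an IDS or log-analysis rule applies to spot the ping sweep and port scan from slides 26 and 31. It parses a simple, constructed log format (not any particular vendor's), groups events by source address, and slides a 60-second window over each source's events, raising "port scan" when one source touches ten or more distinct host/port pairs in the window and "ping sweep" when it sends ICMP to ten or more distinct hosts. The sample lines, thresholds and addresses (documentation ranges) are all constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any vendor's):
#   <ISO timestamp> <ACCEPT|DROP> <TCP|UDP|ICMP> <src>[:<sport>] -> <dst>[:<dport>]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_line(line: str):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"]) if e["dport"] else None     # ICMP has no ports
    return e


def detect_scans(lines, window_s: int = 60, port_threshold: int = 10, host_threshold: int = 10) -> set:
    """Flag a source as a port scanner if it touches >= port_threshold distinct (host, port)
    pairs within window_s seconds, and as a ping sweeper if it sends ICMP to >= host_threshold
    distinct hosts in that window. Returns a set of (source, alert) pairs."""
    by_src = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_src[e["src"]].append(e)
    alerts = set()
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(events):                 # window ending at each event
            recent = [e for e in events[:i + 1]
                      if (cur["ts"] - e["ts"]).total_seconds() <= window_s]
            ports = {(e["dst"], e["dport"]) for e in recent if e["dport"] is not None}
            hosts = {e["dst"] for e in recent if e["proto"] == "ICMP"}
            if len(ports) >= port_threshold:
                alerts.add((src, "port scan"))
            if len(hosts) >= host_threshold:
                alerts.add((src, "ping sweep"))
    return alerts


def constructed_log() -> list:
    """Sample lines made up for this example: one port scanner, one ping sweeper,
    and an ordinary client, all in documentation address ranges."""
    base = datetime(2024, 5, 1, 12, 0, 0)
    lines = []
    for i in range(26):                                  # 26 ports on one host in 26 seconds
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} DROP TCP 203.0.113.5:41000 -> 10.1.1.10:{20 + i}")
    for i in range(12):                                  # echo requests to 12 addresses
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} DROP ICMP 203.0.113.9 -> 10.1.1.{1 + i}")
    for i in range(3):                                   # normal HTTPS use, one port, minutes apart
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} ACCEPT TCP 192.0.2.7:{50000 + i} -> 10.1.1.20:443")
    return lines


if __name__ == "__main__":
    for src, alert in sorted(detect_scans(constructed_log())):
        print(f"{src:15s} {alert}")
```

Two practical notes: a slow scanner that spreads probes over hours stays under any short window, so production rules also keep a per-source count over a day; and since the ordinary client here connects to one port three times, distinct destinations rather than raw event count is what separates a scan from a busy but legitimate host.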

  47. Defending Against Scanning • Block unneeded ports at routers and firewalls • Block ICMP echo at the perimeter (filter ICMP selectively; blocking all of it also breaks path MTU discovery) • Segment your network properly • Hide private, internal IP addresses • Change default account settings and remove or disable unnecessary services • Restrict permissions • Keep applications and operating systems patched

  48. Sniffing Countermeasures • Strong physical security • Proper network segmentation • Communication encryption

  49. DoS and DDoS Countermeasures • Stop the attack before it happens • Block "marching orders" (the command-and-control traffic that directs the attacking machines) • Patch systems • Implement IDS • Harden the TCP/IP stack • Avoid putting "all eggs in one basket" • Adjust state limits (connection backlog and half-open timeouts)

  50. Other Countermeasures • All countermeasures already mentioned • Encrypted session negotiation • Repeating credential verification during session • User training