Date post: | 20-Dec-2015 |
Category: |
Documents |
View: | 217 times |
Download: | 1 times |
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 1
Implementing Secure Converged Wide Area Networks (ISCW)
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 2
Lesson 2 – Module 5 – ‘Cisco Device Hardening’
Mitigating Network Attacks
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 3
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.
Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 4
Objectives
At the completion of this second lesson, you will be able to:
Describe some of the more common network attacks, and explain what effect they have on the network
Explain how to mitigate the effects of these common attacks
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 5
Reconnaissance
Reconnaissance is the unauthorised discovery and mapping of systems, services, or vulnerabilities.
Reconnaissance is also known as information gathering, and in most cases, precedes an access or Denial of Service (DoS) attack.
The malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive and then determines which services or ports are active on the live IP addresses.
The intruder then queries the ports to determine the type and version of the application and operating system that is running on the target host.
Reconnaissance attacks can consist of the following:Packet sniffers
Port scans
Ping sweeps
Internet information queries
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 6
Attacks Based on Minimal Intelligence
Attacks that require little intelligence about the target network:
Reconnaissance
Access attacks
DoS and Distributed DoS (DDoS)
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 7
Attacks Based on Intelligence or Insider Information
Attacks that typically require more intelligence or insider access:
Worms, viruses, and Trojan horses
Application layer attacks
Threats to management protocols
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 8
Packet Sniffing
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN
Packet sniffers can only work in the same collision domain as the network being attacked
Promiscuous mode is a mode in which the network adapter card sends all packets that are received on the physical network wire to an application for processing
Some network applications distribute network packets in plaintext. Because the network packets are not encrypted, the packets can be processed and understood by any application that can pick them off the network and process them
Because the specifications for network protocols, such as TCP/IP, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. Numerous freeware and shareware packet sniffers are available that do not require the user to understand anything about the underlying protocols
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 9
Packet Sniffers
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets.
Packet sniffers:
Exploit information passed in plaintext. Protocols that pass information in plaintext are Telnet, FTP, SNMP, POP, and HTTP.
Must be on the same collision domain.
Can be used legitimately or can be designed specifically for attack.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 10
Packet Sniffer Mitigation The techniques and tools that can be used to mitigate packet sniffer
attacks include:
Authentication
Using strong authentication is a first option for defense against packet sniffers.
Cryptography
If a communication channel is cryptographically secure, the only data a packet sniffer detects is cipher text (a seemingly random string of bits) and not the original message
Anti-sniffer tools
Antisniffer tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate.
Switched infrastructure
A switched infrastructure obviously does not eliminate the threat of packet sniffers but can greatly reduce the sniffers’ effectiveness.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 11
Port Scans and Ping Sweeps
As legitimate tools, port scan and ping sweep applications run a series of tests against hosts and devices to identify vulnerable services
The information is gathered by examining IP addressing and port or banner data from both TCP and UDP ports
Essentially, a port scan consists of sending a message to each port, one port at a time. The kind of response that the sender receives indicates whether the port is used and can therefore be probed for weakness
A ping sweep, or ICMP sweep, is a basic network scanning technique that determines which range of IP addresses map to live hosts
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 12
Port Scans and Ping Sweeps
Port scans and ping sweeps attempt to identify:
All services
All hosts and devices
The operating systems
Vulnerabilities
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 13
Port Scan and Ping Sweep Mitigation Port scanning and ping sweeping is not a crime and there is no way to
stop these scans and sweeps when a computer is connected to the Internet
There are ways to prevent damage to the system
Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers
When these services are turned off, network diagnostic data is lost
Network-based IPS and host-based IPS (HIPS) can usually notify when a reconnaissance attack is under way
ISPs compare incoming traffic to the intrusion detection system (IDS) or the IPS signatures in the IPS database.
Signatures are characteristics of particular traffic patterns. A signature, such as “several packets to different destination ports from the same source address within a short period of time,” can be used to detect port scans
A stealth scan is more difficult to detect, and many intrusion detection and prevention systems will not notice this scan taking place. Discovering stealth scans requires kernel-level work
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 14
Port Scan and Ping Sweep Mitigation
Port scans and ping sweeps cannot be prevented without compromising network capabilities.
However, damage can be mitigated using intrusion prevention systems at network and host levels.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 15
Internet Information queries
DNS queries can reveal information such as who owns a particular domain and what addresses have been assigned to that domain
Ping sweeps of addresses revealed by DNS queries can present a picture of the live hosts in a particular environment
After such a list is generated, port scanning tools can cycle through all well-known ports to provide a complete list of all services that are running on the hosts that the ping sweep discovered. Hackers can examine the characteristics of the applications that are running on the hosts, which can lead to specific information that is useful when the hacker attempts to compromise that service
IP address queries can reveal information such as who owns a particular IP address or range of addresses and which domain is associated with the addresses
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 16
Internet Information queries
Sample IP address query
• Attackers can use Internet tools such as “WHOIS” as weapons.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 17
Access Attacks and Mitigation
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information for these reasons:
Retrieve data
Gain access
Escalate their access privileges
Access attacks can be performed in a number of different ways
Password attacks
Trust exploitation
Port redirection
Man-in-the-middle attacks
Buffer overflow
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 18
Password Attacks
Hackers implement password attacks using the following:
Brute-force attacks
Trojan horse programs
IP spoofing
Packet sniffers
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 19
Password Attacks
Password attacks can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers.
One security risk is the fact that passwords can be stored as plaintext. To overcome this risk, passwords should be encrypted. On most systems, passwords are run through an encryption algorithm to generate a one-way hash.
In granting authorisation, the hashes are calculated and compared rather than using the plain password.
To use this encryption method, you supply an account and password during the login process, and the algorithm generates a one-way hash. This hash is compared to the hash stored on the system. If they are the same, the system assumes that the proper password was supplied.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 20
Password Attack Example
L0phtCrack takes the hashes of passwords and generates the plaintext passwords from them
Passwords are compromised using one of two methods:
1. Dictionary cracking
2. Brute-force computation
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 21
Password Attack Mitigation
Password attack mitigation techniques:
Do not allow users to use the same password on multiple systems
Disable accounts after a certain number of unsuccessful login attempts
Do not use plaintext passwords
For example “strong” passwords. (Use “mY8!Rthd8y” rather than “mybirthday”)
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 22
Trust Exploitation
Trust exploitation refers to an individual taking advantage of a trust relationship within a network.
An example of when trust exploitation takes place is when a perimeter network is connected to a corporate network.
These network segments often contain DNS, SMTP, and HTTP servers. Because these servers all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems also trust systems that are attached to the same network.
Another example of trust exploitation is a Demilitarised Zone (DMZ) host that has a trust relationship with an inside host that is connected to the inside firewall interface. The inside host trusts the DMZ host. When the DMZ host is compromised, the attacker can leverage that trust relationship to attack the inside host.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 23
Trust Exploitation
A hacker leverages existing trust relationships.
Several trust models exist:
Windows:
Domains
Active directory
Linux and UNIX:
NIS
NIS+
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 24
Trust Exploitation
Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network
Systems that are inside a firewall should never absolutely trust systems that are outside a firewall. Absolute trust should be limited to specific protocols and, where possible, should be validated by something other than an IP address
In the DMZ example, the hacker connected to the Internet has already exploited some vulnerability of the DMZ host connected to the DMZ interface of the firewall
The hacker’s next goal is to compromise the inside host that is connected to the inside (trusted) interface of the firewall
To attack the inside host from the DMZ host, the hacker needs to find the protocols that are permitted from the DMZ to the inside interface. Once the protocols are known, the attacker searches for vulnerabilities on the inside host. This attack can be stopped if the firewall allows only minimum or no connectivity from the DMZ to the inside interface
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 25
Trust Exploitation Attack Mitigation
Trust levels within a network are tightly restrained by ensuring that systems inside a firewall never absolutely trust systems outside the firewall.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 26
Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise have been dropped.
Port redirection bypasses the firewall rule sets by changing the normal source port for a type of network traffic.
You can mitigate port redirection by using proper trust models that are network-specific. Assuming a system is under attack, an IPS can help detect a hacker and prevent installation of such utilities on a host.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 27
Port Redirection
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 28
“Man-in-the-Middle” Attacks
Man-in-the-middle attacks have these purposes:
Theft of information
Hijacking of an ongoing session to gain access to your internal network resources
Traffic analysis to obtain information about your network and network users
DoS
Corruption of transmitted data
Introduction of new information into network sessions
An example of a man-in-the-middle attack is when someone working for your ISP gains access to all network packets that transfer between your network and any other network
Man-in-the-middle attacks can be mitigated by encrypting traffic in a VPN tunnel. Encryption allows the hacker to see only cipher text
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 29
Man-in-the-Middle Attacks and their Mitigation
A man-in-the-middle attack requires that the hacker has access to network packets that come across a network
A man-in-the-middle attack is implemented using the following:
Network packet sniffers
Routing and transport protocols
Man-in-the-middle attacks can be effectively mitigated only through the use of cryptographic encryption
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 30
DoS and DDoS Attacks and Mitigation
A DDoS attack and the simpler version of a DoS attack on a server, send extremely large numbers of requests over a network or the Internet
These many requests cause the target server to run well below optimum speeds. Consequently, the attacked server becomes unavailable for legitimate access and use
By overloading system resources, DoS and DDoS attacks crash applications and processes by executing exploits or a combination of exploits
DoS and DDoS attacks are the most publicised form of attack and are among the most difficult to completely eliminate
The hacker community regards DoS attacks as trivial and considers them unsophisticated because the attack requires so little effort to execute
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 31
DoS and DDoS Attack Characteristics
A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services
Distributed DoS technique performs simultanous attacks from many distributed sources
DoS and DDoS attacks have these characteristics:Generally not targeted to gain access or information
Require very little effort to execute
Difficult to eliminate, but their damage can be minimised
DoS and DDoS attacks can use IP spoofing
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 32
DDoS Attack Risks
DDoS attack risks include:Downtime and productivity loss
Revenue loss from sales and support services
Lost customer loyalty
Theft of information
Extortion
Stock price manipulation
Malicious competition
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 33
DDoS Attack Example
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 34
DoS and DDoS Attack Mitigation
The threat of DoS and DDoS attacks can be reduced using:
Anti-spoof features on routers and firewalls
Proper configuration of anti-spoof features on your routers and firewalls can reduce your risk of attack. These features include an appropriate filtering with access lists, unicast reverse path forwarding that looks up the routing table to identify spoofed packets, disabling of source route options, and others.
Anti-DoS features on routers and firewalls
Proper configuration of anti-DoS features on routers and firewalls can help limit the effectiveness of an attack. These features often involve limits on the amount of half-open TCP connections that a system allows at any given time.
Traffic rate limiting at the ISP level
An organization can implement traffic rate limiting with the organization’s ISP
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 35
IP Spoofing in DoS and DDoS
IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
IP spoofing can use either a trusted IP address in the network or a trusted external IP address.
Uses for IP spoofing include:
Injecting malicious data or commands into an existing data stream
Diverting all network packets to the hacker who can then reply as a trusted user by changing the routing tables
IP spoofing may only be one step in a larger attack.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 36
IP Spoofing Attack Mitigation
The threat of IP spoofing can be reduced, but not eliminated, using these measures:
Access control configuration
Encryption
RFC 3704 filtering
Additional authentication requirement that does not use IP address-based authentication; examples are:
Cryptographic (recommended)
Strong, two-factor, one-time passwords
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L2 37