1 Modern Network Security Threats Source: CCNA Security Cisco Networking Academy.

Date post: 12-Jan-2016
Page 1: 1 Modern Network Security Threats Source: CCNA Security Cisco Networking Academy.

Modern Network Security Threats

Source: CCNA Security, Cisco Networking Academy

Page 2

Modern Network Security Threats

1.1 Fundamental Principles of a Secure Network

1.2 Viruses, Worms, and Trojan Horses

1.3 Attack Methodologies

Page 3

1.1 Fundamental Principles of a Secure Network

1.1.1 Evolution of Network Security

1.1.2 Drivers for Network Security

1.1.3 Network Security Organizations

Page 4

1.1.1 Evolution of Network Security

In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts.

Security of the network is ultimately the responsibility of everyone that uses it.

Page 5

Evolution of Network Security

"Necessity is the mother of invention."

Page 6

Evolution of Network Security

Page 7

Evolution of Network Security

Internal threats can cause even greater damage than external threats.

Page 8

Evolution of Network Security

Confidentiality, Integrity, Availability

Page 9

Evolution of Network Security

Confidentiality: Prevent the disclosure of sensitive information to unauthorized people, resources, and processes.

Integrity: The protection of system information or processes from intentional or accidental modification.

Availability: The assurance that systems and data are accessible by authorized users when needed.

Page 10

1.1.2 Drivers for Network Security

Hackers: negative and positive

Hacking is a driving force in network security.

Page 11

Drivers for Network Security

Hacker:

1960s: Phreaking, John Draper

1980s: Wardialing

1990s: Wardriving ……

Page 12

Drivers for Network Security

Page 13

Drivers for Network Security

Network security professionals

Page 14

1.1.3 Network Security Organizations

www.infosyssec.com

www.sans.org

www.cisecurity.org

www.cert.org

www.isc2.org

www.first.org

www.infragard.net

www.mitre.org

www.cnss.gov

Page 15

1.2 Viruses, Worms, and Trojan Horses

1.2.1 Virus: Malicious software which attaches to another program to execute a specific unwanted function on a computer.

1.2.2 Worm: Executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.

1.2.3 Trojan Horse: An application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.

1.2.4 Mitigating Viruses, Worms, and Trojan Horses

Page 16

1.2.1 Viruses

Page 17

1.2.2 Worms

Page 18

Worms

Three major components to most worm attacks:

Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.

Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.

Payload - Any malicious code that results in some action. Most often this is used to create a backdoor on the infected host.

Page 19

Worms

Five basic phases of a worm or virus attack:

Page 20

1.2.3 Trojan Horses

The term Trojan Horse originated from Greek mythology. A Trojan Horse in the world of computing is malware. It has to be spread via social engineering or by manually emailing it. It does not replicate itself, and it does not infect other files.

Page 21

Trojan Horses

Classification of Trojan horses:

Remote-access Trojan Horse (enables unauthorized remote access)

Data-sending Trojan Horse (provides the attacker with sensitive data such as passwords)

Destructive Trojan Horse (corrupts or deletes files)

Proxy Trojan Horse (user's computer functions as a proxy server)

FTP Trojan Horse (opens port 21)

Security software disabler Trojan Horse (stops anti-virus programs or firewalls from functioning)

Denial of Service Trojan Horse (slows or halts network activity)

Page 22

1.2.4 Mitigating Viruses, Worms, and Trojan Horses

Viruses and Trojan Horses tend to take advantage of local root buffer overflows. A root buffer overflow is a buffer overflow intended to attain root privileges on a system.

Worms such as SQL Slammer and Code Red exploit remote root buffer overflows.

The primary means of mitigating virus and Trojan horse attacks is anti-virus software. Anti-virus products are host-based and do not prevent viruses from entering the network.

Network security professionals need to be aware of the major viruses and keep track of security updates regarding emerging viruses.

Page 23

Mitigating Viruses, Worms, and Trojan Horses

Worms are more network-based than viruses. The response to a worm infection can be broken down into four phases: containment, inoculation, quarantine, and treatment.

Page 24

Mitigating Viruses, Worms, and Trojan Horses

Containment: Limiting the spread of a worm infection to areas of the network that are already affected. Requires compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems.

Requires using both outgoing and incoming ACLs on routers and firewalls at control points within the network.

Inoculation: All uninfected systems are patched with the appropriate vendor patch for the vulnerability. This further deprives the worm of any available targets.

A network scanner can help identify potentially vulnerable hosts.

Page 25

Mitigating Viruses, Worms, and Trojan Horses

Quarantine: Involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase.

Treatment: Actively infected systems are disinfected of the worm. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system.

In more severe cases, treatment can require completely reinstalling the system to ensure that the worm and its byproducts are removed.

Page 26

Mitigating Viruses, Worms, and Trojan Horses

Example (SQL Slammer worm): Malicious traffic was detected on UDP port 1434. To prevent the spreading:

Block this port on all devices throughout the internal network.

In some cases, the port on which the worm is spreading might be critical to business operation: access to the SQL Server is required for legitimate business transactions. In such a situation, alternatives must be considered. If the network devices using the service on the affected port are known, permitting selective access is an option.
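The two containment choices on this slide, a blanket block of UDP/1434 versus selective access for known SQL clients, as an added example that is not part of the original slides: a small first-match ACL evaluator with the semantics of a Cisco IOS extended ACL (first match wins, implicit deny at the end), plus a renderer that prints the same rule list in IOS syntax. The prefixes (10.1.20.0/24 for application servers, 10.1.10.5 for the SQL Server), the sample packets and the ACL names are constructed for illustration.

```python
"""Added example, not from the CCNA Security slides: first-match ACL evaluation
for containing a worm spreading on UDP/1434 (the SQL Slammer case). All
prefixes, hosts and ACL names are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "any"
    src: str              # CIDR prefix, or "any"
    dst: str              # CIDR prefix, or "any"
    dport: Optional[int]  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _prefix_match(prefix: str, addr: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; like Cisco IOS, an ACL ends with an implicit deny."""
    for rule in acl:
        if rule.proto not in ("any", pkt.proto):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if _prefix_match(rule.src, pkt.src) and _prefix_match(rule.dst, pkt.dst):
            return rule.action
    return "deny"


def to_ios(name: str, acl: List[Rule]) -> str:
    """Render the rule list as a Cisco IOS extended named ACL (wildcard-mask form)."""
    def addr(prefix: str) -> str:
        if prefix == "any":
            return "any"
        net = ip_network(prefix, strict=False)
        if net.num_addresses == 1:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.hostmask}"

    lines = [f"ip access-list extended {name}"]
    for r in acl:
        proto = "ip" if r.proto == "any" else r.proto
        port = "" if r.dport is None else f" eq {r.dport}"
        lines.append(f" {r.action} {proto} {addr(r.src)} {addr(r.dst)}{port}")
    return "\n".join(lines)


# Option 1 from the slide: block the worm port everywhere, let other traffic flow.
BLANKET_BLOCK = [
    Rule("deny", "udp", "any", "any", 1434),
    Rule("permit", "any", "any", "any", None),
]

# Option 2: selective access. Known application servers (constructed prefix)
# keep reaching the SQL Server; every other source is cut off from UDP/1434.
SELECTIVE_ACCESS = [
    Rule("permit", "udp", "10.1.20.0/24", "10.1.10.5/32", 1434),
    Rule("deny", "udp", "any", "any", 1434),
    Rule("permit", "any", "any", "any", None),
]

# Constructed sample traffic.
APP_SERVER_TO_SQL = Packet("udp", "10.1.20.7", "10.1.10.5", 1434)
INFECTED_HOST_TO_SQL = Packet("udp", "10.1.30.44", "10.1.10.5", 1434)
WEB_TRAFFIC = Packet("tcp", "10.1.30.44", "10.1.10.8", 80)

if __name__ == "__main__":
    for label, acl in (("blanket", BLANKET_BLOCK), ("selective", SELECTIVE_ACCESS)):
        print(to_ios(f"SLAMMER-{label.upper()}", acl))
        for pkt in (APP_SERVER_TO_SQL, INFECTED_HOST_TO_SQL, WEB_TRAFFIC):
            print(f"  {pkt.src} -> {pkt.dst}/{pkt.proto}/{pkt.dport}: {evaluate(acl, pkt)}")
```

Rule order is the whole point: in the selective list the permit for known clients must come before the port-wide deny, because the first match ends evaluation. Applying such an ACL at the control points between segments is what the containment phase on the earlier slide calls for.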

Page 27

1.3 Attack Methodologies

Reconnaissance Attacks: Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities. Also known as information gathering, reconnaissance in most cases precedes an access or DoS attack.

Access Attacks: Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services.

Denial of Service Attacks: Denial of service attacks send extremely large numbers of requests over a network or the Internet. These excessive requests cause the target device to run suboptimally. Consequently, the attacked device becomes unavailable for legitimate access and use.

Social Engineering Attacks: A class of attacks that uses trickery on people instead of computers.

Page 28

1.3.1 Reconnaissance Attacks

Reconnaissance attacks use various tools to gain access to a network:

Packet sniffers

Ping sweeps

Port scans

Internet information queries

Page 29

Reconnaissance Attacks

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.

Some network applications distribute network packets in unencrypted plaintext.

Numerous freeware and shareware packet sniffers exist.

Page 30

Reconnaissance Attack

Page 31

Reconnaissance Attacks

Keep in mind that reconnaissance attacks are typically the precursor to further attacks. A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as ICMP requests per second.

Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring.

Cisco IOS security images running on ISRs
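The threshold alarm described on this slide, together with the ping sweeps and port scans listed on slide 28, as an added example that is not part of the original slides: three detectors run over a constructed packet record (timestamp, protocol, source, destination, port). The ICMP-per-second alarm is the slide's own parameter; the sweep and scan detectors count distinct destinations and distinct ports per source. The addresses, thresholds and traffic mix are constructed for illustration, and the input format is an assumption (a real deployment would read NetFlow or IDS events).

```python
"""Added example, not from the CCNA Security slides: simple reconnaissance
detectors (ICMP rate alarm, ping sweep, port scan) over a constructed packet
record. Addresses and thresholds are illustrative."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Pkt(NamedTuple):
    ts: float     # seconds
    proto: str    # "icmp-echo" or "tcp-syn"
    src: str
    dst: str
    dport: int    # 0 for ICMP


def icmp_rate_alarms(pkts: List[Pkt], per_second: int) -> List[str]:
    """Sources that exceed `per_second` ICMP echo requests in any one-second bucket,
    the 'ICMP requests per second' alarm the slide mentions."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for p in pkts:
        if p.proto == "icmp-echo":
            counts[(p.src, int(p.ts))] += 1
    return sorted({src for (src, _), n in counts.items() if n > per_second})


def ping_sweep_sources(pkts: List[Pkt], min_hosts: int) -> List[str]:
    """Sources that sent echo requests to at least `min_hosts` distinct hosts."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for p in pkts:
        if p.proto == "icmp-echo":
            targets[p.src].add(p.dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_hosts)


def port_scan_pairs(pkts: List[Pkt], min_ports: int) -> List[Tuple[str, str]]:
    """(source, destination) pairs where one source probed at least `min_ports`
    distinct TCP ports on one host."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for p in pkts:
        if p.proto == "tcp-syn":
            ports[(p.src, p.dst)].add(p.dport)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)


def build_sample() -> List[Pkt]:
    """Constructed traffic: one normal host, one ping sweep, one port scan."""
    pkts: List[Pkt] = []
    # a normal host pinging its gateway a few times, spread over seconds
    for i in range(3):
        pkts.append(Pkt(10.0 + i, "icmp-echo", "10.0.0.5", "10.0.1.1", 0))
    # a ping sweep: one source, 30 hosts of 10.0.1.0/24, within a single second
    for h in range(1, 31):
        pkts.append(Pkt(20.0 + h * 0.02, "icmp-echo", "10.0.0.99", f"10.0.1.{h}", 0))
    # a port scan: SYNs to 26 consecutive ports on one server
    for port in range(20, 46):
        pkts.append(Pkt(30.0 + (port - 20) * 0.01, "tcp-syn", "10.0.0.77", "10.0.1.10", port))
    return pkts


SAMPLE = build_sample()

if __name__ == "__main__":
    print("ICMP rate alarms (>10/s):", icmp_rate_alarms(SAMPLE, 10))
    print("ping sweep sources (>=16 hosts):", ping_sweep_sources(SAMPLE, 16))
    print("port scan pairs (>=20 ports):", port_scan_pairs(SAMPLE, 20))
```

The normal host never trips any detector because it touches one destination at a low rate; the thresholds are what separate it from the sweep and the scan, so they need tuning against the baseline of the network being monitored.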

Page 32

1.3.2 Access Attacks

Hackers use access attacks on networks or systems for three reasons: to retrieve data, gain access, and escalate access privileges.

There are five types of access attacks:

Password attack

Trust exploitation

Port redirection

Man-in-the-middle attack

Buffer overflow

Page 33

Access Attacks: Password attack

An attacker attempts to guess system passwords. Most password attacks are brute-force attacks, which involve repeated attempts based on a built-in dictionary to identify a user account or password.

Page 34

Access Attacks: Password attack

Example: A user can run the L0phtCrack, or LC5, application to perform a brute-force attack to obtain a Windows server password.

When the password is obtained, the attacker can install a keylogger, which sends a copy of all keystrokes to a desired destination.

Or, a Trojan Horse can be installed to send a copy of all packets sent and received by the target to a particular destination, thus enabling the monitoring of all the traffic to and from that server.

Page 35

Access Attacks: Trust exploitation

An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromising the target.

Page 36

Access Attacks: Port redirection

A compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection.

Page 37

Access Attacks: Man-in-the-middle attack

An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.

A popular man-in-the-middle attack involves a laptop acting as a rogue access point to capture and copy all network traffic from a targeted user. Often the user is in a public location on a wireless hotspot.

Page 38

Access Attacks: Man-in-the-middle attack

Page 39

Access Attacks: Buffer overflow

A program writes data beyond the allocated buffer memory, with the result that valid data is overwritten, or the overflow is exploited to enable the execution of malicious code.

Page 40

Access Attacks: Detecting access attacks

Reviewing logs: Check the number of failed login attempts.

Bandwidth utilization: Detects man-in-the-middle attacks. Man-in-the-middle attacks often involve replicating data. An indication of such an attack is an unusual amount of network activity and bandwidth utilization.

Process loads: Detects buffer overflow attacks. A compromised system would likely be revealed by sluggish activity due to ongoing buffer overflow attacks, as indicated by active process loads viewable on a Windows or UNIX system.
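The first detection method on this slide, reviewing logs for failed login attempts, as an added example that is not part of the original slides: a parser for sshd-style syslog lines that counts failures per source address, lists the accounts each source tried, and raises an alert when a source reaches a threshold. The log lines, hostnames, addresses and the threshold are constructed for illustration; the line format follows OpenSSH's "Failed password for ... from ... port ..." messages, which is an assumption about the log source.

```python
"""Added example, not from the CCNA Security slides: counting failed logins in
an sshd-style auth log to spot a password (brute-force) attack. The log
excerpt below is constructed, not taken from a real system."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class AuthEvent(NamedTuple):
    host: str
    account: str
    src: str
    outcome: str   # "failed" or "accepted"


# Constructed sample log: one normal user and one source hammering several accounts.
SAMPLE_LOG = """\
Jan 12 10:01:02 srv1 sshd[1201]: Accepted password for bob from 10.0.0.5 port 50211 ssh2
Jan 12 10:01:40 srv1 sshd[1207]: Failed password for admin from 203.0.113.9 port 51022 ssh2
Jan 12 10:01:41 srv1 sshd[1207]: Failed password for admin from 203.0.113.9 port 51022 ssh2
Jan 12 10:01:42 srv1 sshd[1207]: Failed password for admin from 203.0.113.9 port 51022 ssh2
Jan 12 10:01:43 srv1 sshd[1211]: Failed password for root from 203.0.113.9 port 51030 ssh2
Jan 12 10:01:44 srv1 sshd[1211]: Failed password for root from 203.0.113.9 port 51030 ssh2
Jan 12 10:01:45 srv1 sshd[1215]: Failed password for invalid user oracle from 203.0.113.9 port 51041 ssh2
Jan 12 10:05:10 srv1 sshd[1302]: Failed password for bob from 10.0.0.5 port 50290 ssh2
Jan 12 10:05:15 srv1 sshd[1302]: Accepted password for bob from 10.0.0.5 port 50290 ssh2
Jan 12 10:06:00 srv1 cron[1400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches OpenSSH's password-authentication result lines; other syslog lines are skipped.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<account>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text: str) -> List[AuthEvent]:
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(m["host"], m["account"], m["src"], m["outcome"].lower()))
    return events


def failed_logins_by_source(events: List[AuthEvent]) -> Dict[str, int]:
    return dict(Counter(e.src for e in events if e.outcome == "failed"))


def accounts_targeted(events: List[AuthEvent], src: str) -> List[str]:
    return sorted({e.account for e in events if e.src == src and e.outcome == "failed"})


def brute_force_alerts(events: List[AuthEvent], threshold: int) -> List[Tuple[str, int, List[str]]]:
    """Sources whose failed-login count reaches `threshold`, with the accounts they tried.
    A single source cycling through several accounts is the dictionary-attack pattern."""
    counts = failed_logins_by_source(events)
    return [(src, n, accounts_targeted(events, src))
            for src, n in sorted(counts.items()) if n >= threshold]


EVENTS = parse_auth_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("failed logins by source:", failed_logins_by_source(EVENTS))
    for src, n, accounts in brute_force_alerts(EVENTS, threshold=5):
        print(f"ALERT: {src} failed {n} times against {accounts}")
```

The one mistyped password from 10.0.0.5 stays under the threshold and is not reported, which is the distinction the review is meant to draw: a burst of failures against several accounts from one source, not an occasional typo.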

Page 41

1.3.3 Denial of Service Attacks

A DoS attack is a network attack. DoS attacks attempt to compromise the availability of a network, host, or application. There are two major reasons a DoS attack occurs:

A host or application fails to handle an unexpected condition.

A network, host, or application is unable to handle an enormous quantity of data.

Page 42

Denial of Service Attacks: DDoS (Distributed DoS)

A Distributed Denial of Service Attack (DDoS) is similar in intent to a DoS attack, except that a DDoS attack originates from multiple coordinated sources.

In addition to increasing the amount of network traffic from multiple distributed attackers, a DDoS attack also presents the challenge of requiring the network defense to identify and stop each distributed attacker.

Page 43

Denial of Service Attacks: DDoS (Distributed DoS)

Example: A hacker scans for systems that are accessible. After the hacker accesses several "handler" systems, the hacker installs zombie software on them.

Zombies then scan and infect agent systems. When the hacker accesses the agent systems, the hacker loads remote-control attack software to carry out the DDoS attack.

Source: Security+ Guide to Network Security Fundamentals, Thomson

Page 44

Denial of Service Attacks

Three common DoS attacks:

Ping of Death

Smurf Attack

TCP SYN Flood

Page 45

Denial of Service Attacks: Ping of Death

A hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.

Sending a ping of this size can crash the target computer.

A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target.

ping -t -l 65550 192.168.1.1

Page 46

Denial of Service Attacks: Smurf Attack

In a smurf attack, a perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses.

If the routing device delivering traffic to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks send ICMP replies, multiplying the traffic by the number of hosts on the networks.

On a multi-access broadcast network, hundreds of machines might reply to each packet.

Page 47

Denial of Service Attacks: Smurf Attack

Page 48

Denial of Service Attacks: TCP SYN Flood

A flood of TCP SYN packets is sent, often with a forged sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK packet and waiting for a packet in response from the sender address.

However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.

The three-way handshake is correctly performed

Source: http://en.wikipedia.org/wiki/SYN_flood
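The three DoS attacks on slides 45, 46 and 48, seen from the monitoring side, as one added example that is not part of the original slides: over a constructed packet record it (a) flags ICMP echo requests aimed at a directed-broadcast address of a local subnet, the traffic that `no ip directed-broadcast` on the router would refuse to forward; (b) tracks half-open TCP connections per server by pairing each client SYN with the client's final ACK, so a backlog filling with SYNs that never complete shows up as a SYN flood; and (c) computes the highest byte offset an ICMP fragment would write, so a datagram that would reassemble beyond 65,535 bytes is caught before reassembly. Addresses, the backlog size and the packet layout are constructed assumptions.

```python
"""Added example, not from the CCNA Security slides: detection-side checks for
the ping of death, smurf and TCP SYN flood over a constructed packet record."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple


class IPPkt(NamedTuple):
    proto: str            # "icmp-echo" or "tcp"
    src: str
    dst: str
    flags: str = ""       # TCP flags as letters: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    frag_offset: int = 0  # IP fragment offset in 8-byte units, as in the IP header
    length: int = 0       # bytes of data carried by this fragment


def smurf_candidates(pkts: List[IPPkt], local_nets: List[str]) -> List[Tuple[str, str]]:
    """Echo requests sent to the directed-broadcast address of one of our subnets.
    Every host on that subnet would answer, and the (spoofed) source receives it all."""
    nets = [ip_network(n) for n in local_nets]
    hits = []
    for p in pkts:
        if p.proto == "icmp-echo" and any(ip_address(p.dst) == n.broadcast_address for n in nets):
            hits.append((p.src, p.dst))
    return hits


def half_open_by_server(pkts: List[IPPkt]) -> Dict[str, int]:
    """Embryonic connections per server: a client SYN opens one, the client's final
    ACK of the three-way handshake closes it. Server SYN-ACKs are not counted."""
    pending: Set[Tuple[str, str]] = set()
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            pending.add((p.src, p.dst))
        elif p.flags == "A":
            pending.discard((p.src, p.dst))
    counts: Dict[str, int] = defaultdict(int)
    for _, server in pending:
        counts[server] += 1
    return dict(counts)


def syn_flood_servers(pkts: List[IPPkt], backlog: int) -> List[str]:
    """Servers whose half-open count exceeds their listen backlog (constructed size)."""
    return sorted(s for s, n in half_open_by_server(pkts).items() if n > backlog)


def reassembled_lengths(pkts: List[IPPkt]) -> Dict[Tuple[str, str], int]:
    """Highest byte each (src, dst) ICMP datagram would occupy after reassembly."""
    ends: Dict[Tuple[str, str], int] = defaultdict(int)
    for p in pkts:
        if p.proto == "icmp-echo":
            ends[(p.src, p.dst)] = max(ends[(p.src, p.dst)], p.frag_offset * 8 + p.length)
    return dict(ends)


def oversized_datagrams(pkts: List[IPPkt]) -> List[Tuple[str, str]]:
    """Datagrams that would exceed the 65,535-byte IP maximum: the ping-of-death pattern."""
    return sorted(k for k, end in reassembled_lengths(pkts).items() if end > 65535)


def build_sample() -> List[IPPkt]:
    pkts: List[IPPkt] = []
    # a legitimate client completing the three-way handshake with the server
    pkts += [IPPkt("tcp", "10.0.0.5", "10.0.1.10", "S"),
             IPPkt("tcp", "10.0.1.10", "10.0.0.5", "SA"),
             IPPkt("tcp", "10.0.0.5", "10.0.1.10", "A")]
    # SYN flood: 200 SYNs from forged sources; the final ACK never arrives
    pkts += [IPPkt("tcp", f"198.51.100.{i}", "10.0.1.10", "S") for i in range(1, 201)]
    # a normal echo to one host, then a smurf probe to the subnet's directed broadcast
    pkts += [IPPkt("icmp-echo", "10.0.0.5", "10.0.1.1", length=56),
             IPPkt("icmp-echo", "192.0.2.50", "10.0.1.255", length=56)]
    # ping of death: a final fragment placed so the datagram would end past 65,535 bytes
    pkts += [IPPkt("icmp-echo", "192.0.2.60", "10.0.1.1", frag_offset=0, length=1480),
             IPPkt("icmp-echo", "192.0.2.60", "10.0.1.1", frag_offset=8189, length=100)]
    return pkts


SAMPLE = build_sample()
LOCAL_NETS = ["10.0.1.0/24"]

if __name__ == "__main__":
    print("smurf candidates:", smurf_candidates(SAMPLE, LOCAL_NETS))
    print("half-open per server:", half_open_by_server(SAMPLE))
    print("SYN flood (backlog 128):", syn_flood_servers(SAMPLE, 128))
    print("oversized datagrams:", oversized_datagrams(SAMPLE))
```

The legitimate client is opened and closed by its own SYN and ACK and so never counts against the server; only the forged sources, which by construction never answer the SYN-ACK, remain in the half-open set, which is exactly the resource the slide says a SYN flood exhausts.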

Page 49

Denial of Service Attacks: TCP SYN Flood

Page 50

Denial of Service Attacks

To date, hundreds of DoS attacks have been documented. There are five basic ways that DoS attacks can do harm:

Consumption of computational resources, such as bandwidth, disk space, or processor time

Disruption of configuration information, such as routing information

Disruption of state information, such as unsolicited resetting of TCP sessions

Disruption of physical network components

Obstruction of communication between the victim and others

Page 51

1.3.4 Social Engineering Attacks

Tricking a person into revealing some confidential information. An attack based on deceiving users or administrators at the target site. Done to gain illicit access to systems or useful information.

The goals of social engineering are fraud, network intrusion, industrial espionage, identity theft, etc.

Page 52

1.3.5 Mitigating Network Attacks

Reconnaissance attacks can be mitigated in several ways:

Using strong authentication, such as a One-Time Password (OTP).

Encryption, which makes captured data unreadable.

Antisniffer tools, to determine whether hosts are processing more traffic than their own traffic loads would indicate.

A switched infrastructure, which makes it difficult to capture any data except that on your immediate collision domain, which probably contains only one host.

Network-based IPS and host-based IPS can usually notify an administrator when a reconnaissance attack is under way.

Page 53

Mitigating Network Attacks

Page 54

Mitigating Network Attacks

Techniques are available for mitigating access attacks:

Strong password policy:

Disabling accounts after a specific number of unsuccessful logins. This practice helps to prevent continuous password attempts.

Not using plaintext passwords. Use either a one-time password (OTP) or encrypted password.

Using strong passwords. Strong passwords are at least eight characters and contain uppercase letters, lowercase letters, numbers, and special characters.
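The three elements of the password policy on this slide (lockout after repeated failures, no plaintext passwords, a strength rule of at least eight characters with upper case, lower case, digits and special characters) as an added example that is not part of the original slides. Passwords are stored as salted PBKDF2-HMAC-SHA256 digests rather than in plaintext, the strength rule is checked at enrolment, and an account is disabled once it reaches the failure limit. The limit of five failures, the iteration count, and the sample accounts are constructed values; the slide gives no specific number.

```python
"""Added example, not from the CCNA Security slides: enforcing the strong
password policy on slide 54 (strength rule, no plaintext storage, lockout
after repeated failures). Thresholds and sample accounts are constructed."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MIN_LENGTH = 8          # the slide's "at least eight characters"
MAX_FAILURES = 5        # constructed lockout threshold; the slide names no number
PBKDF2_ROUNDS = 100_000

Record = Tuple[bytes, bytes]   # (salt, digest)


def password_problems(pw: str) -> List[str]:
    """Every rule from the slide the candidate password fails; empty means strong."""
    checks = [
        (len(pw) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.isupper() for c in pw), "no uppercase letter"),
        (any(c.islower() for c in pw), "no lowercase letter"),
        (any(c.isdigit() for c in pw), "no digit"),
        (any(c in string.punctuation for c in pw), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]


def is_strong_password(pw: str) -> bool:
    return not password_problems(pw)


def hash_password(pw: str, salt: Optional[bytes] = None) -> Record:
    """Salted, iterated digest: what gets stored instead of the plaintext password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_password(record: Record, pw: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class AccountStore:
    max_failures: int = MAX_FAILURES
    records: Dict[str, Record] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)
    disabled: Set[str] = field(default_factory=set)
    # Verified against when the account does not exist, so unknown and known
    # accounts take the same time to reject (no account enumeration by timing).
    _dummy: Record = field(default_factory=lambda: hash_password("no-such-account"))

    def enroll(self, user: str, pw: str) -> None:
        problems = password_problems(pw)
        if problems:
            raise ValueError(f"weak password: {', '.join(problems)}")
        self.records[user] = hash_password(pw)

    def login(self, user: str, pw: str) -> str:
        """Returns "ok", "failed", or "disabled" (account locked after too many failures)."""
        if user in self.disabled:
            return "disabled"
        record = self.records.get(user)
        valid = verify_password(record or self._dummy, pw) and record is not None
        if valid:
            self.failures[user] = 0
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            self.disabled.add(user)
            return "disabled"
        return "failed"


if __name__ == "__main__":
    store = AccountStore(max_failures=3)
    store.enroll("alice", "Corr3ct-Horse")
    for attempt in ("wrong1", "wrong2", "wrong3", "Corr3ct-Horse"):
        print(f"alice / {attempt!r}: {store.login('alice', attempt)}")
    print("problems with 'Password1':", password_problems("Password1"))
```

Once an account is disabled, even the correct password is refused until an administrator re-enables it, which is the trade-off the slide's lockout rule accepts: it ends continuous guessing at the cost of a denial-of-service lever against any account whose name is known.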

Page 55

Mitigating Network Attacks

Techniques are available for mitigating access attacks:

Principle of minimum trust: The principle of minimum trust should also be designed into the network structure. This means that systems should not use one another unnecessarily.

For example, if an organization has a server that is used by untrusted devices, such as web servers, the trusted device (server) should not trust the untrusted devices (web servers) unconditionally.

Cryptography: Using encryption for remote access to a network is recommended.

Page 56

Mitigating Network Attacks

Page 57

Mitigating Network Attacks

Mitigating DDoS attacks requires careful diagnostics, planning, and cooperation from ISPs. The most important elements for mitigating DoS attacks are firewalls and IPSs.

Page 58

Mitigating Network Attacks: Social Engineering Countermeasures

Take proper care of trash and discarded items.

Ensure that all system users have periodic training about network security.

Source: Security+ Guide to Network Security Fundamentals, Thomson

Page 59

Mitigating Network Attacks

There are 10 best practices for your network:

1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.

2. Shut down unnecessary services and ports.

3. Use strong passwords and change them often.

4. Control physical access to systems.

5. Avoid unnecessary web page inputs.

6. Perform backups and test the backed up files on a regular basis.

7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.

8. Encrypt and password-protect sensitive data.

9. Implement security hardware and software firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.

10. Develop a written security policy for the company.

Page 60

Mitigating Network Attacks