Source: people.ysu.edu/~mawelton/CSIS3755/CSIS 3755 - Chapter 4.pdf

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.

Chapter 4 Finding Network Vulnerabilities

Learning Objectives

Name the common categories of vulnerabilities

Discuss common system and network vulnerabilities

Locate and access sources of information about emerging vulnerabilities

Identify the names and functions of the widely available scanning and analysis tools

Firewalls & Network Security, 2nd ed. - Chapter 4 Slide 2

Introduction

To maintain secure networks, information security professionals must be prepared to identify system vulnerabilities, whether by hiring system assessment experts or by conducting self-assessments using scanning and penetration tools

A network security vulnerability is a defect in a product, process, or procedure that, if exploited, may result in a violation of security policy, which in turn might lead to loss of revenue, loss of information, or loss of value to the organization


Common Vulnerabilities

Common vulnerabilities fall into two broad classes:
– Defects in software or firmware
– Weaknesses in processes and procedures


Defects in Software or Firmware

Buffer overruns (or buffer overflows) arise when the quantity of input data exceeds the size of the available data area (buffer)

Injection attacks can occur when a programmer does not properly validate user input and allows an attacker to include input that, when passed to a database, can give rise to SQL injection vulnerabilities

Network traffic is vulnerable to eavesdropping because a network medium is essentially an open channel

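The SQL injection defect on this slide is easiest to see with the vulnerable query beside its fixed form. The following is an added example written for this transcript, not code from the textbook: it uses an in-memory SQLite database with constructed rows, shows a lookup that concatenates user input into the SQL text, the same lookup with a bound parameter, and a username validation check as the second layer the slide asks for. The table, the users and the `' OR '1'='1` payload are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for this demonstration; nothing here comes from the slides.
USERS = [("alice", "a-secret"), ("bob", "b-secret"), ("carol", "c-secret")]


def make_db():
    """Create an in-memory database with a small users table filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The defect the slide describes: user input is concatenated into the SQL text,
    so a quote character in the input changes the structure of the query."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """The fix: the input travels as a bound parameter and is only ever treated as data."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def valid_username(name):
    """Input validation as a second layer: accept only the characters and length a username may have."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None


def demo():
    conn = make_db()
    honest = "alice"
    # Textbook tautology payload: it closes the quote and appends a condition that is always true.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # every row leaks
        "safe_honest": lookup_safe(conn, honest),
        "safe_hostile": lookup_safe(conn, hostile),              # no user has that literal name
        "hostile_passes_validation": valid_username(hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With concatenation the hostile input turns the query into `WHERE name = '' OR '1'='1'` and returns the whole table; with the bound parameter the same string is compared literally and matches nothing. Parameterization is the primary control; the character-set check rejects the input before it reaches the database and also catches values that are simply malformed.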

Defects in Software or Firmware (continued)

How can security professionals remain abreast of all the vulnerabilities?

First and perhaps foremost, they must know:
– Organization’s security policies
– Software and hardware the organization uses

Information security professionals should regularly consult these public disclosure lists:
– Vendor announcements
– Full disclosure mailing lists
– CVE: the Common Vulnerabilities and Exposures database

Vendor Announcements


BugTraq


Weaknesses in Processes and Procedures

Just as hazardous as software vulnerabilities

More difficult to detect and fix because they typically involve the human element

Often arise when policy is violated or processes and procedures that implement policy are inadequate or fail

To ensure security policy is implemented, organizations should hold regular security awareness training and regularly review policies and their implementation


Scanning and Analysis Tools

To truly assess risk within a computing environment, technical controls must be deployed using a strategy of defense in depth

Scanners and analysis tools can find vulnerabilities in systems, holes in security components, and unsecured aspects of the network

Scanners, sniffers, and other such vulnerability analysis tools are invaluable because they enable administrators to see what attackers see


Scanning and Analysis Tools (continued)

Scanning tools are typically used as part of an attack protocol

An attack protocol is a series of steps or processes used by an attacker, in logical sequence, to launch an attack against a target system or network

This may begin with a collection of publicly available information about a potential target, a process known as footprinting

The attacker uses public Internet data sources to perform searches to identify the network addresses of the organization

Footprinting

The most important information for footprinting purposes is the IP address range

Another piece of useful information is the name, phone number, and e-mail address of the technical contact

This research is augmented by browsing the organization’s Web pages, since Web pages usually contain information about internal systems, individuals developing Web pages, and other tidbits, which can be used for social engineering attacks


Footprinting (continued)

To assist in the footprint intelligence collection process, an enhanced Web scanner can be used that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses


Sam Spade


Fingerprinting

The next phase of the attack protocol is a data-gathering process called fingerprinting, a systematic survey of all of the target organization’s Internet addresses that is conducted to identify the network services offered by hosts in that range

Fingerprinting reveals useful information about the internal structure and operational nature of the target system or network


Port Scanners

Port scanning utilities (port scanners) are tools used by both attackers and defenders to identify computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information

The more specific the scanner is, the better and more useful the information it provides is, but a generic, broad-based scanner can help locate and identify rogue nodes on the network


Port Scanners (continued)

A port is a network channel or connection point in a data communications system

Within TCP/IP, TCP and UDP port numbers differentiate the multiple communication channels used to connect to network services being offered on the same device

In all, there are 65,536 port numbers in use for TCP and another 65,536 port numbers for UDP

Ports greater than 1023 are typically referred to as ephemeral ports and may be randomly allocated to server and client processes

Port Scanners (continued)

Why secure open ports?

An open port is an open door and can be used by an attacker to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device

The general policy statement is to remove from service or secure any port not absolutely necessary to conducting business

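The three Port Scanners slides describe what a scanner does and why open ports matter; the following added example (written for this transcript, not part of the textbook) shows the defender's use of one: a TCP connect scan of a host, followed by a comparison of what is listening against an approved baseline, which is how the "remove from service or secure any port not absolutely necessary" policy gets checked in practice. To stay self-contained it scans the loopback interface only, opening one listening socket on an OS-chosen ephemeral port and one bound-but-not-listening socket as the closed control; the allowlist `{22, 443}` is a constructed baseline.

```python
import socket


def start_local_listener():
    """Open a listening TCP socket on an OS-chosen (ephemeral) loopback port.
    Returns the socket and its port; the caller is responsible for closing it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Bind a port without calling listen(): the kernel refuses connections to it,
    so the scanner must report it closed. Binding keeps it from being reused meanwhile."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    return sock, sock.getsockname()[1]


def scan_ports(host, ports, timeout=0.2):
    """TCP connect scan: a completed three-way handshake means the port is open.
    connect_ex() returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def unexpected_ports(open_ports, allowed):
    """Defender's check: anything listening that is not on the approved list is a
    candidate for removal from service or for hardening."""
    return sorted(set(open_ports) - set(allowed))


def demo():
    srv, open_port = start_local_listener()
    closed_sock, closed_port = reserve_closed_port()
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
        allowed = {22, 443}  # constructed baseline: the ports the business actually needs
        return {
            "open_port": open_port,
            "closed_port": closed_port,
            "found": found,
            "unexpected": unexpected_ports(found, allowed),
        }
    finally:
        srv.close()
        closed_sock.close()


if __name__ == "__main__":
    report = demo()
    print(f"open: {sorted(report['found'])}  not on baseline: {report['unexpected']}")
```

A connect scan completes a full handshake and therefore shows up in the target's connection logs, which is acceptable, and even desirable, when auditing your own hosts. The baseline comparison is the part that turns a list of ports into a finding: the listener this demo opens on a random ephemeral port is exactly the kind of unexpected service the slide says to hunt for.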

Firewall Analysis Tools

Understanding exactly where the organization’s firewall is located and what the existing rule sets do are very important steps for any security administrator

Several tools automate remote discovery of firewall rules and assist the administrator (or attacker) in analyzing rules to determine exactly what they allow and what they reject

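Working out "exactly what they allow and what they reject" is a matter of applying first-match semantics to the rule set. The following added example (not from the textbook, and not modelled on any particular firewall product) evaluates a constructed rule set the way most packet filters do and also reports shadowed rules, the classic analysis finding where an earlier rule makes a later one unreachable. The `Rule` class, the rule set and the addresses (RFC 5737 documentation ranges) are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source network in CIDR notation
    dst: str       # destination network in CIDR notation
    dport: object  # destination port: int, (low, high) tuple, or "any"

    def port_range(self):
        """Normalize the port specification to an inclusive (low, high) pair."""
        if self.dport == "any":
            return (0, 65535)
        if isinstance(self.dport, tuple):
            return self.dport
        return (self.dport, self.dport)

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto not in ("any", proto):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        low, high = self.port_range()
        return low <= dport <= high


def evaluate(rules, proto, src_ip, dst_ip, dport, default="deny"):
    """First-match evaluation, the order most packet filters use.
    Returns (action, index of the deciding rule); the index is None for the implicit default."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, index
    return default, None


def shadowed_rules(rules):
    """Rules that can never fire because one earlier rule already covers everything they match.
    A coarse containment check on protocol, both networks and the port range; returns (later, earlier) pairs."""
    result = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if earlier.proto not in ("any", later.proto):
                continue
            if not ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src)):
                continue
            if not ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst)):
                continue
            e_low, e_high = earlier.port_range()
            l_low, l_high = later.port_range()
            if e_low <= l_low and l_high <= e_high:
                result.append((j, i))
                break
    return result


# Constructed rule set for a DMZ web server at 203.0.113.10 (documentation addresses, not real hosts).
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),   # HTTPS from anywhere
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22),   # SSH from the internal network only
    Rule("deny", "any", "0.0.0.0/0", "203.0.113.0/24", "any"),   # everything else to the DMZ is dropped
    Rule("allow", "any", "10.0.0.0/8", "0.0.0.0/0", "any"),      # internal hosts may go anywhere else
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),    # meant to open HTTP, but never reached
]


if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "198.51.100.7", "203.0.113.10", 80))  # ('deny', 2): HTTP is not open
    print(shadowed_rules(RULES))                                        # [(4, 2)]: rule 4 is dead
```

The last rule is the kind of thing an administrator believes is in effect until an analysis tool says otherwise: HTTP to the web server is denied by rule 2 before rule 4 is ever consulted. Running the evaluator over the traffic you expect to be allowed and the traffic you expect to be blocked, and listing shadowed rules, answers the slide's question without sending a single probe.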

Firewall Analysis Tools (continued)

Administrators wary of using the same tools attackers use should remember:
– Regardless of the nature of the tool used to validate or analyze a firewall’s configuration, it is the intent of the user that dictates how the information gathered will be used
– To defend a computer or network, it is necessary to understand the ways it can be attacked; thus, a tool that can help close up an open or poorly configured firewall helps the network defender minimize risk from attack


Operating System Detection Tools

Identifying the target computer’s operating system is very valuable to an attacker

Once the operating system is known, it is easy to determine all vulnerabilities to which it might be susceptible


Vulnerability Scanners

A passive vulnerability scanner listens in on the network and identifies vulnerable versions of both server and client software

Active vulnerability scanners scan networks for highly detailed information by initiating network traffic in order to identify security holes
– These scanners identify exposed usernames and groups, show open network shares, and expose configuration problems and other vulnerabilities in servers

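The core of a passive scanner is version identification from traffic it merely observes. The following added example (written for this transcript, not code from the textbook or from any scanner product) parses two common banner formats, an SSH identification string and an HTTP `Server` header, and compares the version found against a table of "first fixed" versions. The banners, the hosts and the advisory table are all constructed: the thresholds and the `EXAMPLE-ADVISORY-*` identifiers are placeholders, not real vulnerabilities, and a real deployment would load the table from CVE or vendor data.

```python
import re

# Constructed advisory table for the demonstration only: product -> (first fixed version, placeholder id).
# These are NOT real advisories; the thresholds and identifiers are placeholders.
FIXED_IN = {
    "openssh": ("8.0", "EXAMPLE-ADVISORY-SSH"),
    "apache": ("2.4.50", "EXAMPLE-ADVISORY-HTTPD"),
}

BANNER_PATTERNS = [
    # SSH identification string, e.g. "SSH-2.0-OpenSSH_7.4" (a "p1" portable suffix is ignored)
    (re.compile(r"^SSH-\d\.\d-OpenSSH_(\d+(?:\.\d+)*)"), "openssh"),
    # HTTP response header, e.g. "Server: Apache/2.4.29 (Ubuntu)"
    (re.compile(r"^Server:\s*Apache/(\d+(?:\.\d+)*)", re.IGNORECASE), "apache"),
]


def parse_version(text):
    """Turn "2.4.29" into (2, 4, 29) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def identify(banner):
    """Return (product, version string) for a recognized banner, or None."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.match(banner)
        if match:
            return product, match.group(1)
    return None


def assess(observed):
    """observed: list of (host, banner) seen on the wire.
    Returns one finding per host whose reported version is below the first fixed version."""
    findings = []
    for host, banner in observed:
        ident = identify(banner)
        if ident is None:
            continue  # unknown product: nothing to compare against
        product, version = ident
        fixed, advisory = FIXED_IN[product]
        if parse_version(version) < parse_version(fixed):
            findings.append({"host": host, "product": product, "version": version,
                             "fixed_in": fixed, "advisory": advisory})
    return findings


# Constructed observations, as a passive scanner would have captured them.
OBSERVED = [
    ("192.0.2.10", "SSH-2.0-OpenSSH_7.4"),
    ("192.0.2.11", "SSH-2.0-OpenSSH_9.6p1"),
    ("192.0.2.20", "Server: Apache/2.4.29 (Ubuntu)"),
    ("192.0.2.21", "Server: nginx"),
]


if __name__ == "__main__":
    for finding in assess(OBSERVED):
        print(f"{finding['host']}: {finding['product']} {finding['version']} "
              f"< {finding['fixed_in']} ({finding['advisory']})")
```

Two caveats follow directly from the method. A banner is self-reported and can be altered, and distributions often backport fixes without changing the version string, so a passive match is a lead rather than proof; that is exactly the gap the Vulnerability Validation slides address. And the tuple comparison matters: comparing `"2.4.29"` and `"2.4.50"` as strings happens to work, but `"2.4.9"` versus `"2.4.50"` does not.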

Vulnerability Scanners (continued)


Vulnerability Validation

Often, an organization requires proof that a system is actually vulnerable to certain attacks

It may require such proof to avoid having system administrators attempt to repair systems that are not broken, or because they have not yet built a satisfactory relationship with the vulnerability assessment team

A class of scanners exists that exploit the remote machine and allow the vulnerability analyst (penetration tester) to create accounts, modify Web pages, or view data


Vulnerability Validation (continued)


Packet Sniffers

A network tool that collects copies of packets from the network and analyzes them

Sometimes called a network protocol analyzer

Can provide the network administrator with valuable information for diagnosing and resolving networking issues

In the wrong hands, a sniffer can be used to eavesdrop on network traffic

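What a protocol analyzer actually does with a captured packet is walk the headers layer by layer. The following added example (written for this transcript, not code from the textbook or from any sniffer) decodes an Ethernet II / IPv4 / TCP frame into the fields an analyst looks at and exposes the payload, which also illustrates the earlier point that an unencrypted network medium is an open channel: a cleartext HTTP request is readable by anyone holding a copy of the frame. The frame is constructed in the block itself rather than captured, so the example runs without raw-socket privileges; the MAC addresses, RFC 5737 IP addresses and the request are all made up for the demonstration.

```python
import socket
import struct

TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload):
    """Assemble a minimal Ethernet II / IPv4 / TCP frame as constructed sample input.
    Checksums are left at zero; a decoder does not need them to read the headers."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800)  # EtherType 0x0800 = IPv4
    # TCP: ports, seq, ack, data offset (5 words) in the high nibble, flags, window, checksum, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL, TOS, total length, id, flags/fragment, TTL, protocol 6 = TCP, checksum, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Walk the headers the way a protocol analyzer does and return what an analyst would look at."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"dst_mac": fmt_mac(frame[:6]), "src_mac": fmt_mac(frame[6:12]), "ethertype": ethertype}
    if ethertype != 0x0800:
        return result  # not IPv4: stop at layer 2
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]    # lets us drop any Ethernet padding
    result.update(src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]), proto=ip[9])
    if ip[9] != 6:
        return result  # only TCP is decoded further
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, offset_byte, flag_bits = struct.unpack("!HHIIBB", tcp[:14])
    data_offset = (offset_byte >> 4) * 4          # TCP header length in bytes
    result.update(sport=sport, dport=dport, seq=seq, ack=ack,
                  flags=[name for name, bit in TCP_FLAGS if flag_bits & bit],
                  payload=tcp[data_offset:])
    return result


# Constructed frame: a cleartext HTTP request, the kind of traffic the eavesdropping slide warns about.
SAMPLE_FRAME = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                           "192.0.2.10", "198.51.100.5", 51234, 80, 0x18,  # 0x18 = PSH|ACK
                           b"GET /login?user=alice HTTP/1.1\r\nHost: www.example.com\r\n\r\n")


if __name__ == "__main__":
    decoded = decode_frame(SAMPLE_FRAME)
    print(f"{decoded['src_ip']}:{decoded['sport']} -> {decoded['dst_ip']}:{decoded['dport']} "
          f"[{','.join(decoded['flags'])}]")
    print(decoded["payload"].decode("ascii", errors="replace"))
```

The same decode that lets an administrator see which host is talking to which service, and with what flags, also hands an eavesdropper the query string with the user name in it. The defensive conclusion is the one the chapter draws elsewhere: treat the medium as open, and move anything sensitive onto an encrypted protocol so that a sniffer sees headers but not content.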

Packet Sniffers (continued)


Wireless Security Tools

A wireless connection, while convenient, has many potential security holes

The security professional must assess the risk of wireless networks

A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network


Wireless Security Tools (continued)


Penetration Testing

A penetration test involves using all techniques and tools available to an attacker in order to attempt to compromise or penetrate an organization’s defenses

Penetration testing can be performed by an internal group (so-called “red teams”) or outsourced to an external organization

A variable of the penetration test, whether performed internally or outsourced, is the amount of information provided to the red team


Penetration Testing (continued)

Three categories of testing:
– Black box: the red team is given no information whatsoever about the organization and approaches the organization as an external attacker
– Gray box: the red team is given some general information about the organization, such as general structure, network address ranges, software and versions
– White box: the red team has full information on the organization and its structure


Chapter Summary

To maintain secure networks, information security professionals must be prepared to systematically identify system vulnerabilities

This is often done by performing self-assessment using scanning tools and penetration testing

Common vulnerabilities fall into two classes:
– Defects in software or firmware
– Weaknesses in processes and procedures


Chapter Summary (continued)

Information security professionals should regularly consult vendor announcements, full disclosure mailing lists, and the Common Vulnerabilities and Exposures (CVE) database

To assess risk within a computing environment, network professionals must use tools such as intrusion detection and prevention systems (IDPS), active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers (sniffers)


Chapter Summary (continued)

Many organizations use penetration tests to assess their security posture on a regular basis

The penetration test team (red team) uses all techniques and tools available to attackers in order to attempt to compromise or penetrate an organization’s defenses
