Chapter 13Network Protection Systems
Objectives
After reading this chapter and completing the exercises, you will be able to: Explain how routers are used as network
protection systems Describe firewall technology and tools for
configuring firewalls and routers Describe intrusion detection and prevention
systems and Web-filtering technology Explain the purpose of honeypots
Hands-On Ethical Hacking and Network Defense, Second Edition 2
Understanding Routers
Network protection systems Routers Firewalls Intrusion detection and prevention systems Web filtering Honeypots
Security appliance Single device combining two or more
protection functions
Hands-On Ethical Hacking and Network Defense, Second Edition 3
Understanding Routing Protocols Routers are hardware devices
Used to send packets to different network segments Operate at network layer of OSI model
Routing protocols Link-state routing protocol
Router advertises link-state Distance-vector routing protocol
Router passes routing table to all participating routers
Path-vector routing protocol Uses dynamically updated paths or routing tables to
transmit packetsHands-On Ethical Hacking and Network Defense, Second Edition 4
Understanding Basic Hardware Routers Cisco routers
Widely used in networking community Millions used by companies around the
world Vulnerabilities exist
As they do in any OS Security professionals must consider the
router type when conducting a security test
Hands-On Ethical Hacking and Network Defense, Second Edition 5
Cisco Router Components
Random access memory (RAM) Holds router’s running configuration, routing
tables, and buffers If turned off, contents stored in RAM are erased
Nonvolatile RAM (NVRAM) Holds router’s configuration file
Information is not lost if the router is turned off Flash memory
Holds IOS the router is using Rewritable memory, so IOS can be upgraded
Hands-On Ethical Hacking and Network Defense, Second Edition 6
Cisco Router Components (cont’d.) Read-only memory (ROM)
Contains a minimal version of IOS Used to boot router if flash memory gets
corrupted Interfaces
Hardware connectivity points for components of most concern Ethernet port is an interface that connects
to a LAN
Hands-On Ethical Hacking and Network Defense, Second Edition 7
Cisco Router Configuration Configuration modes:
User mode Administrator can perform basic
troubleshooting tests and list information stored on router
Indicated by router name followed by > Default mode
Privileged mode Administrator can perform full router
configuration tasks Indicated by router name followed by #
Hands-On Ethical Hacking and Network Defense, Second Edition 8
Cisco Router Configuration (cont’d.) Modes to configure the router (in
privileged mode) Global configuration mode
Configure router settings affecting router operation
Interface configuration mode Administrator can configure an interface
on the router
Hands-On Ethical Hacking and Network Defense, Second Edition 9
Hands-On Ethical Hacking and Network Defense, Second Edition 10
Table 13-1 Cisco commands
Understanding Access Control Lists Several types of access control lists
This section focuses on IP access lists Lists IP addresses, subnets, or networks
allowed or denied access through a router’s interface
Cisco router access lists Standard IP access lists Extended IP access lists
Hands-On Ethical Hacking and Network Defense, Second Edition 11
Standard IP Access Lists
Can restrict IP traffic entering or leaving a router’s interface based on source IP address To restrict traffic from Network 3 from entering
Network 1, access list looks like:access-list 1 deny 173.110.0.0 0.0.255.255access-list permit any
Hands-On Ethical Hacking and Network Defense, Second Edition 12
Figure 13-1 Applying access lists to router interfaces
Extended IP Access Lists
Restricts IP traffic entering or leaving based on: Source IP address Destination IP address Protocol type Application port number
Configuration Similar to configuring a standard IP
access listHands-On Ethical Hacking and Network Defense, Second Edition 13
Understanding Firewalls
Hardware devices with embedded OSs Controls access to all traffic entering
internal network Controls traffic leaving internal network
Hardware firewall advantages: Usually faster than software firewalls Can handle larger throughput than
software firewalls Hardware firewall disadvantage:
Locked into firewall’s hardware
Hands-On Ethical Hacking and Network Defense, Second Edition 14
Understanding Firewalls (cont’d.) Software firewalls advantage:
NICs are easily added to server running firewall software
Software firewalls disadvantage: Configuration problems Rely on running OS
Astaro
Hands-On Ethical Hacking and Network Defense, Second Edition 15
Understanding Firewall Technology Technologies include:
Network address translation Access lists Packet filtering Stateful packet inspection Application layer inspection
Hands-On Ethical Hacking and Network Defense, Second Edition 16
Network Address Translation Most basic security feature
Internal private IP addresses are mapped to public external IP addresses Hiding internal infrastructure
Port Address Translation Derived from NAT Allows thousands of internal IP
addresses to be mapped to one external IP address
Hands-On Ethical Hacking and Network Defense, Second Edition 17
Access Lists
Used to filter traffic based on: Source IP address Destination IP address Ports or services
Firewalls also use this technology Creating access lists in a firewall
Similar to creating them in a router
Hands-On Ethical Hacking and Network Defense, Second Edition 18
Packet Filtering
Packet filters Screen packets based on information
contained in packet header Protocol type IP address TCP/UDP port
Hands-On Ethical Hacking and Network Defense, Second Edition 19
Stateful Packet Inspection Record session-specific information
about a network connection Including state table
Port scans relying on spoofing or sending packets after a three-way handshake are made ineffective
Stateful packet filters Recognize anomalies most routers ignore Handle each packet on an individual basis
Not resistant to spoofing or DoS attacksHands-On Ethical Hacking and Network Defense, Second Edition 20
Hands-On Ethical Hacking and Network Defense, Second Edition 21
Table 13-2 State table example
Application Layer Inspection Inspects network traffic at a higher
level in OSI model Makes sure network traffic’s application
protocol is the type allowed by a rule Some application-aware firewalls act
as a proxy for all connections Safety net for servers or clients (or both)
Depends on firewall
Hands-On Ethical Hacking and Network Defense, Second Edition 22
Implementing a Firewall
Placing a firewall between a company’s internal network and the Internet is dangerous Leaves company open to attack if a
hacker compromises the firewall Use a demilitarized zone instead
Adds a layer of defense
Hands-On Ethical Hacking and Network Defense, Second Edition 23
Demilitarized Zone
Small network Contains resources a company wants
available to Internet users Helps maintain security on internal
network Sits between Internet and internal
network Sometimes referred to as a “perimeter
network”
Hands-On Ethical Hacking and Network Defense, Second Edition 24
Hands-On Ethical Hacking and Network Defense, Second Edition 25
Figure 13-2 A DMZ protecting an internal network
Hands-On Ethical Hacking and Network Defense, Second Edition 26
Figure 13-3 An additional firewall used to protect the DMZ
Understanding the Cisco Adaptive Security Appliance Firewall Cisco Adaptive Security Appliance
(ASA) firewall One of the most widely used firewalls Replaced PIX firewall Added advanced modular features
Intrusion detection and prevention More sophisticated application layer
inspection
Hands-On Ethical Hacking and Network Defense, Second Edition 27
Configuring the ASA Firewall Similar logon prompt as Cisco router
Prompt:If you are not authorized to be in this XYZ Hawaii network device, log out immediately!Username: adminPassword: ********
Serves a legal purpose Prompt after successful log on:
Type help or '?' for a list of available commands.ciscoasa>
Hands-On Ethical Hacking and Network Defense, Second Edition 28
Configuring the ASA Firewall (cont’d.) After entering correct password
You are in privileged mode To enter configuration mode
Use same command as on a Cisco routerconfigure terminal or configure t
Access lists Used to filter traffic
Hands-On Ethical Hacking and Network Defense, Second Edition 29
Using Configuration and Risk Analysis Tools for Firewalls and Routers Center for Internet Security
One of the best Web sites for finding configuration benchmarks and configuration assessment tools
Benchmark Industry consensus of best configuration
practices Cisco routers use CIS Cisco IOS Benchmark Cisco ASA firewalls use CIS Benchmark for Cisco
Firewall Devices Router Audit Tool (RAT)
Faster and easier to useHands-On Ethical Hacking and Network Defense, Second Edition 30
Using Configuration and Risk Analysis Tools for Firewalls and Routers (cont’d.) RedSeal
Unique network risk analysis and mapping tool
Identifies configuration vulnerabilities in routers or firewalls
Generates professional-looking reports Analyzes IPSs and OS vulnerability scans Shows a graphical representation of
vulnerabilities discovered
Hands-On Ethical Hacking and Network Defense, Second Edition 31
Hands-On Ethical Hacking and Network Defense, Second Edition 32
Figure 13-4 The RedSeal network risk map
Understanding Intrusion Detection and Prevention Systems Monitor network devices
Security administrators can identify attacks in progress and stop them
Intrusion detection system (IDS) Examines traffic and compares it with known
exploits Similar to virus software using a signature file to
identify viruses Intrusion prevention systems (IPSs)
Similar to IDSs Also performs an action to prevent the intrusion
Hands-On Ethical Hacking and Network Defense, Second Edition 33
Network-Based and Host-Based IDSs and IPSs
Network-based IDSs/IPSs Monitor activity on network segments Sniff traffic and alerts if something
suspicious occurs Host-based IDSs/IPSs
Used to protect a critical network server or database server
Software is installed on server you’re attempting to protect
Hands-On Ethical Hacking and Network Defense, Second Edition 34
Network-Based and Host-Based IDSs and IPSs (cont’d.) IDSs are also categorized by how
they react when they detect suspicious behavior Passive systems
Don’t take preventative action Send out an alert and log the activity
Active systems Log events and send out alerts Can also interoperate with routers and
firewallsHands-On Ethical Hacking and Network Defense, Second Edition 35
Network-Based and Host-Based IDSs and IPSs (cont’d.) Vendors have started focusing on IPSs
True network-based IPS are installed inline to network infrastructure Traffic has to pass through IPS before going
into or out of the network More capable of stopping malicious traffic Host-based IPSs operate at the OS (or
kernel) level Intercept traffic not allowed by host policy
Hands-On Ethical Hacking and Network Defense, Second Edition 36
Network-Based and Host-Based IDSs and IPSs (cont’d.) Network-based IDSs and IPSs are
further categorized by the way they detect attacks Signature detectors
Detect malicious activity by using a database of known attack signatures
Anomaly detectors Use a baseline of normal activity and send
an alert if activity deviates significantly
Hands-On Ethical Hacking and Network Defense, Second Edition 37
Hands-On Ethical Hacking and Network Defense, Second Edition 38
Table 13-3 Intrusion detection and prevention systems
Web Filtering
Statistically, firewalls and IPSs do a good job of protecting a network from Internet attacks Hackers know statistics
Now using least restricted pathway through a firewall Target devices allowed access out of the network
automatically: user workstations Get internal user to visit a bogus Web site or install
malicious code from an e-mail attachment Don’t need to break through the firewall Firewall application layer inspection might not detect
this kind of attack
Hands-On Ethical Hacking and Network Defense, Second Edition 39
Web Filtering (cont’d.)
Web filtering is used to detect users’ attempts to access malicious Web sites and block tem Some block malicious code
Before it gets to a user’s workstation Before it connects to an attacker’s control
system outside the network Mass compromises are used to
initiate drive-by downloads Web site visitors download malicious
code without their knowledgeHands-On Ethical Hacking and Network Defense, Second Edition 40
Security Incident Response Teams Large organizations with sensitive or critical
data Normal administrative expertise isn’t enough to do:
Follow up and damage assessment Risk remediation and legal consultation
Security incident response team (SIRT) Permanent team Responsible solely for security-response functions
Ad hoc team Members normally have other roles Called in response to a specific incident
Hands-On Ethical Hacking and Network Defense, Second Edition 41
Understanding Honeypots
Honeypot Computer placed on network perimeter
Contains information to lure and trap hackers
Configured to have vulnerabilities Keeps hackers connected long enough
so they can be traced back Serves as an excellent data collector and
early warning system Honeyd.org
Hands-On Ethical Hacking and Network Defense, Second Edition 42
How Honeypots Work
Honeypot appears to have important data or sensitive information stored on it Could store fake financial data Hackers will spend time attacking the
honeypot Stop looking for real vulnerabilities Enables security to collect data on attackers
Available honeypots Commercial and open-source
Virtual honeypots Created using programming language
Hands-On Ethical Hacking and Network Defense, Second Edition 43
Hands-On Ethical Hacking and Network Defense, Second Edition 44
Table 13-4 Commercial honeypots
Hands-On Ethical Hacking and Network Defense, Second Edition 45
Table 13-5 Open-source honeypots
Summary
Network protection systems Routers, firewalls, IDSs, IPSs, Web filters,
etc. Routers
Use access lists to accept or deny traffic Firewalls
Can be hardware devices or software installed on computer systems
Use NAT, packet filtering, access control lists, stateful packet inspection, and application layer inspection
Hands-On Ethical Hacking and Network Defense, Second Edition 46
Summary (cont’d.)
DMZ Small network containing resources that
sits between the Internet and internal network
Intrusion detection systems Monitor network traffic
Network-based IDSs Monitor activity on network segments
Host-based IDSs Protect a critical network server or
database serverHands-On Ethical Hacking and Network Defense, Second Edition 47
Summary (cont’d.)
Passive IDSs Don’t take any action or prevent an
activity from continuing to occur Active IDSs
Log, send alerts, and interoperate with routers and firewalls
Intrusion prevention systems (IPSs) Detect malicious activity Can block or prevent malicious activity
Hands-On Ethical Hacking and Network Defense, Second Edition 48
Summary (cont’d.)
Anomaly detectors Detect activity varying from a set baseline
Configuring routers and firewalls securely Easier with benchmark tools
Web filtering Can block Web sites containing malicious code
Large organizations Might need a security incident response team
Honeypots Lure hackers away from legitimate resources
Hands-On Ethical Hacking and Network Defense, Second Edition 49