Hands-On Ethical Hacking and Network Defense, Second Edition

Date post: 19-Mar-2016
Page 1: Hands-On Ethical Hacking and Network Defense Second Edition

Chapter 13: Network Protection Systems

Page 2: Objectives

After reading this chapter and completing the exercises, you will be able to:
- Explain how routers are used as network protection systems
- Describe firewall technology and tools for configuring firewalls and routers
- Describe intrusion detection and prevention systems and Web-filtering technology
- Explain the purpose of honeypots

Hands-On Ethical Hacking and Network Defense, Second Edition 2

Page 3: Understanding Routers

- Network protection systems
  - Routers
  - Firewalls
  - Intrusion detection and prevention systems
  - Web filtering
  - Honeypots
- Security appliance
  - Single device combining two or more protection functions

Page 4: Understanding Routing Protocols

- Routers are hardware devices
  - Used to forward packets between different network segments
  - Operate at the network layer (Layer 3) of the OSI model
- Routing protocols
  - Link-state routing protocol
    - Each router advertises the state of its own links to every other router; each router then computes the topology and the best paths itself (OSPF, for example)
  - Distance-vector routing protocol
    - Each router passes its routing table to its directly connected neighbors, which keep the route with the shortest distance to each destination (RIP, for example)
  - Path-vector routing protocol
    - Advertises the full path to each destination (the sequence of autonomous systems) together with the route, so a router can detect and reject loops; BGP, which carries routes between autonomous systems on the Internet, is the path-vector protocol in use today

Page 5: Understanding Basic Hardware Routers

- Cisco routers
  - Widely used in the networking community
  - Millions used by companies around the world
  - Vulnerabilities exist, as they do in any OS
  - Security professionals must consider the router type (vendor, model, and OS version) when conducting a security test

Page 6: Cisco Router Components

- Random access memory (RAM)
  - Holds the router's running configuration, routing tables, and buffers
  - Contents are erased when the router is powered off
- Nonvolatile RAM (NVRAM)
  - Holds the router's startup configuration file
  - Information is not lost if the router is turned off
- Flash memory
  - Holds the IOS image the router is running
  - Rewritable, so the IOS can be upgraded

Page 7: Cisco Router Components (cont'd.)

- Read-only memory (ROM)
  - Contains a minimal version of IOS
  - Used to boot the router if flash memory gets corrupted
- Interfaces
  - Hardware connection points; the components of most concern to a security tester, because all traffic enters and leaves the router through them
  - An Ethernet port is an interface that connects to a LAN

Page 8: Cisco Router Configuration

- Configuration modes:
  - User mode
    - Administrator can perform basic troubleshooting tests and list information stored on the router
    - Indicated by the router name followed by >
    - Default mode after logging on
  - Privileged mode
    - Administrator can perform full router configuration tasks
    - Entered with the enable command, which should be protected by an enable secret
    - Indicated by the router name followed by #

Page 9: Cisco Router Configuration (cont'd.)

- Modes for configuring the router (entered from privileged mode)
  - Global configuration mode
    - Configure settings that affect the operation of the router as a whole
  - Interface configuration mode
    - Configure a single interface on the router

Page 10: Table 13-1 Cisco commands

Page 11: Understanding Access Control Lists

- Several types of access control lists exist; this section focuses on IP access lists
  - List the IP addresses, subnets, or networks allowed or denied access through a router's interface
- Cisco router access lists
  - Standard IP access lists
  - Extended IP access lists

Page 12: Standard IP Access Lists

- Can restrict IP traffic entering or leaving a router's interface based on the source IP address only
- To block traffic from Network 3 (173.110.0.0/16) from entering Network 1, the access list looks like this (both entries carry the list number, 1; a line without it is rejected by the router):

access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any

- 0.0.255.255 is a wildcard mask, the inverse of a subnet mask: 0 bits must match, 1 bits are ignored
- Entries are evaluated in order and the first match wins; every access list ends with an implicit deny any, so the permit any entry is required or all other traffic is dropped too
- The list takes effect only after it is applied to an interface with ip access-group 1 in (or out)

Figure 13-1 Applying access lists to router interfaces

Page 13: Extended IP Access Lists

- Restrict IP traffic entering or leaving based on:
  - Source IP address
  - Destination IP address
  - Protocol type
  - Application port number
- Configuration is similar to configuring a standard IP access list
  - Extended lists are numbered 100-199 (and 2000-2699); standard lists are numbered 1-99 (and 1300-1999)
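The following is an added example, not code from the book: a small evaluator that parses standard and extended access-list lines in the wildcard-mask syntax shown on the two slides above and applies them the way a router interface does (first match wins, implicit deny any at the end). The Packet and Entry types, the function names (parse_acl, evaluate), and the two sample lists are constructed for the demonstration; STANDARD is the slide's list with the missing list number restored, and EXTENDED is an assumed list protecting a web server at 192.168.1.10.

```python
"""Cisco-style IP access list evaluator (added example, not from the book).

Parses standard and extended ``access-list`` lines in wildcard-mask syntax
and applies them as a router interface would: first match wins, and a
packet matching no entry hits the implicit ``deny any`` that ends every list.
The Packet type and the sample lists are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" (any), "tcp", "udp", "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Entry:
    number: int
    action: str                  # "permit" or "deny"
    proto: str                   # always "ip" for standard lists
    src: Tuple[int, int]         # (address, wildcard) as integers
    dst: Tuple[int, int]         # ANY for standard lists
    dport: Optional[int]         # set by "eq <port>" in extended lists


def _addr_spec(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | 'A.B.C.D' (= host).
    A Cisco wildcard mask is an inverted subnet mask: 1 bits are ignored."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        return (addr, int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]
    return (addr, 0), tokens[1:]


def _matches(spec, ip):
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)


def parse_acl(text):
    """Parse one numbered list; raises ValueError on lines IOS would reject."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or not tok[1].isdigit():
            raise ValueError("invalid access-list line: " + line)
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if action not in ("permit", "deny"):
            raise ValueError("expected permit/deny: " + line)
        if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard list
            src, rest = _addr_spec(rest)
            entries.append(Entry(number, action, "ip", src, ANY, None))
        else:                                                # extended list
            proto, rest = rest[0], rest[1:]
            src, rest = _addr_spec(rest)
            dst, rest = _addr_spec(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append(Entry(number, action, proto, src, dst, dport))
    return entries


def evaluate(entries, pkt):
    """Return 'permit' or 'deny' for pkt; the first matching entry decides."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _matches(e.src, pkt.src) or not _matches(e.dst, pkt.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"   # the implicit deny any that ends every Cisco access list


# Constructed sample lists.  STANDARD is the slide's list with the list
# number restored on the second line; EXTENDED protects an assumed web server.
STANDARD = """
access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any
"""
EXTENDED = """
access-list 101 permit tcp any host 192.168.1.10 eq 80
access-list 101 permit tcp any host 192.168.1.10 eq 443
access-list 101 deny ip 173.110.0.0 0.0.255.255 any
"""

if __name__ == "__main__":
    std, ext = parse_acl(STANDARD), parse_acl(EXTENDED)
    print(evaluate(std, Packet("173.110.5.9", "10.0.0.1")))                 # deny
    print(evaluate(ext, Packet("173.110.5.9", "192.168.1.10", "tcp", 80)))  # permit: first match wins
    print(evaluate(ext, Packet("8.8.8.8", "192.168.1.10", "tcp", 22)))      # deny: implicit deny
```

Two things the run makes visible that the slides only state: ordering matters (the EXTENDED list still lets 173.110.0.0/16 reach port 80 because the permit precedes the deny), and traffic that matches nothing is dropped by the implicit deny rather than passed. Feeding the slide's original second line, access-list permit any, to parse_acl raises ValueError, as the router would reject it.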

Page 14: Understanding Firewalls

- Hardware firewalls: dedicated devices with embedded OSs
  - Control access for all traffic entering the internal network
  - Control traffic leaving the internal network
- Hardware firewall advantages:
  - Usually faster than software firewalls
  - Can handle larger throughput than software firewalls
- Hardware firewall disadvantage:
  - Locked into the firewall's hardware; capacity and interfaces cannot grow beyond what the appliance offers

Page 15: Understanding Firewalls (cont'd.)

- Software firewall advantage:
  - NICs are easily added to the server running the firewall software
- Software firewall disadvantages:
  - Configuration problems
  - Rely on the underlying OS, so a flaw in that OS is a flaw in the firewall
- Example: Astaro

Page 16: Understanding Firewall Technology

- Technologies include:
  - Network address translation
  - Access lists
  - Packet filtering
  - Stateful packet inspection
  - Application layer inspection

Page 17: Network Address Translation

- Often described as the most basic security feature
  - Internal private IP addresses are mapped to public external IP addresses, hiding the internal infrastructure
  - Hides addressing only; it is not a substitute for filtering rules, because anything the firewall forwards inbound still reaches internal hosts
- Port Address Translation
  - Derived from NAT
  - Allows thousands of internal IP addresses to be mapped to one external IP address by giving each connection its own source port number

Page 18: Access Lists

- Used to filter traffic based on:
  - Source IP address
  - Destination IP address
  - Ports or services
- Firewalls also use this technology
  - Creating access lists in a firewall is similar to creating them in a router

Page 19: Packet Filtering

- Packet filters screen packets based on information contained in the packet header:
  - Protocol type
  - IP address
  - TCP/UDP port
- A plain packet filter is stateless: each packet is judged on its own header, with no memory of the packets before it

Page 20: Stateful Packet Inspection

- Records session-specific information about each network connection in a state table
  - Including the addresses, ports, and connection state of each session
- Port scans that rely on spoofed packets, or that send packets as though a three-way handshake had already taken place (ACK, FIN and similar scans), are made ineffective, because the firewall has no matching state-table entry for them
- Stateful packet filters
  - Recognize anomalies that most routers ignore
- Stateless packet filters
  - Handle each packet on an individual basis
  - Not resistant to spoofing or DoS attacks

Page 21: Table 13-2 State table example
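The following is an added example, not code from the book or Table 13-2 itself: a stateless filter and a stateful filter modelled side by side, with a state table like the one the table illustrates. The inside network (192.168.1.0/24), the Seg type, the StatefulFilter and stateless_filter names, and all addresses are assumptions made for the example. It shows why an ACK probe, a packet sent as if a handshake had already happened, passes a stateless "permit established" rule but is dropped by a filter that keeps state.

```python
"""Stateless packet filter vs stateful packet inspection (added example,
not code from the book).  One firewall, one assumed inside network, and a
state table keyed by connection.  Shows that an ACK scan passes a stateless
'permit if ACK is set' rule but has no state-table entry and is dropped by
the stateful filter.  All segments below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.1.0/24")   # assumption for the example


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset       # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(ip):
    return ip_address(ip) in INSIDE_NET


def stateless_filter(seg):
    """Header-only decision with no memory between packets: anything
    outbound is allowed; inbound TCP is allowed only when ACK is set,
    which is how the classic 'established' keyword approximates replies."""
    if is_inside(seg.src) and not is_inside(seg.dst):
        return "permit"
    if not is_inside(seg.src) and is_inside(seg.dst) and "ACK" in seg.flags:
        return "permit"
    return "deny"


class StatefulFilter:
    """Tracks each TCP connection opened from the inside in a state table."""

    def __init__(self):
        # key -> "SYN_SENT" | "ESTABLISHED"; a real table also keeps
        # sequence numbers and an idle timer (omitted here)
        self.table = {}

    @staticmethod
    def _key(seg):
        # Both directions of one connection share a key:
        # (inside ip, inside port, outside ip, outside port)
        if is_inside(seg.src):
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def process(self, seg):
        key = self._key(seg)
        state = self.table.get(key)
        outbound = is_inside(seg.src) and not is_inside(seg.dst)

        if state is None:
            if outbound and seg.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"        # inside host opens a session
                return "permit"
            return "deny"   # no entry: unsolicited inbound packet (ACK scans land here)

        if state == "SYN_SENT":
            if outbound and seg.flags == {"SYN"}:
                return "permit"                      # SYN retransmission
            if not outbound and seg.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return "permit"
            return "deny"   # anything else before the handshake completes

        # ESTABLISHED: packets in either direction belong to the session
        if seg.flags & {"FIN", "RST"}:
            del self.table[key]   # simplified teardown; real filters track both FINs
        return "permit"


def ack_scan_demo():
    """Run a normal outbound session, then an ACK probe from a third host.
    Returns (stateless verdict, stateful verdict) for the probe."""
    fw = StatefulFilter()
    client, server, scanner = "192.168.1.20", "203.0.113.5", "198.51.100.9"
    fw.process(Seg(client, 51000, server, 80, frozenset({"SYN"})))
    fw.process(Seg(server, 80, client, 51000, frozenset({"SYN", "ACK"})))
    fw.process(Seg(client, 51000, server, 80, frozenset({"ACK"})))
    probe = Seg(scanner, 40000, client, 22, frozenset({"ACK"}))
    return stateless_filter(probe), fw.process(probe)


if __name__ == "__main__":
    print(ack_scan_demo())   # ('permit', 'deny')
```

The stateless filter cannot tell a reply from a probe because both carry ACK; the stateful filter only consults the flags after it has found a session the inside host started. The same table also blocks an inbound SYN to an inside host, which is why a server that must accept connections from the Internet belongs in a DMZ with an explicit rule rather than behind a table built from outbound sessions.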

Page 22: Application Layer Inspection

- Inspects network traffic at a higher level in the OSI model
- Makes sure the network traffic's application protocol is the type allowed by a rule (for example, that what is passing on port 80 really is HTTP)
- Some application-aware firewalls act as a proxy for all connections
  - Safety net for servers or clients (or both), depending on the firewall

Page 23: Implementing a Firewall

- Relying on a single firewall between a company's internal network and the Internet is dangerous
  - Leaves the company open to attack if a hacker compromises the firewall
- Use a demilitarized zone instead
  - Adds a layer of defense

Page 24: Demilitarized Zone

- Small network that contains the resources a company wants available to Internet users
- Helps maintain security on the internal network
- Sits between the Internet and the internal network
- Sometimes referred to as a "perimeter network"

Page 25: Figure 13-2 A DMZ protecting an internal network

Page 26: Figure 13-3 An additional firewall used to protect the DMZ

Page 27: Understanding the Cisco Adaptive Security Appliance Firewall

- Cisco Adaptive Security Appliance (ASA) firewall
  - One of the most widely used firewalls
  - Replaced the PIX firewall
  - Added advanced modular features
    - Intrusion detection and prevention
    - More sophisticated application layer inspection

Page 28: Configuring the ASA Firewall

- Similar logon prompt to a Cisco router:

If you are not authorized to be in this XYZ Hawaii network device, log out immediately!
Username: admin
Password: ********

- The warning banner serves a legal purpose: it tells unauthorized users to leave rather than welcoming them
- Prompt after a successful logon:

Type help or '?' for a list of available commands.
ciscoasa>

Page 29: Configuring the ASA Firewall (cont'd.)

- The > prompt is user mode; enter enable and the correct enable password to reach privileged mode (ciscoasa#)
- To enter configuration mode, use the same command as on a Cisco router:
  configure terminal (or configure t)
- Access lists are used to filter traffic

Page 30: Using Configuration and Risk Analysis Tools for Firewalls and Routers

- Center for Internet Security (CIS)
  - One of the best Web sites for finding configuration benchmarks and configuration assessment tools
  - Benchmark: industry consensus on best configuration practices
    - Cisco routers use the CIS Cisco IOS Benchmark
    - Cisco ASA firewalls use the CIS Benchmark for Cisco Firewall Devices
- Router Audit Tool (RAT)
  - Checks a router's configuration against the benchmark rules
  - Faster and easier than auditing the configuration by hand
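The following is an added example, not the CIS benchmark, RAT, or any code from the book. It shows the mechanism those tools rely on: parse the text of show running-config into top-level lines and indented sections, then apply a rule set in which each rule requires or forbids a line. The eight rules are common hardening checks chosen for the example (the benchmark's own rule numbering and wording are not reproduced here), the function names parse_ios, audit and failures are assumptions, and both sample configurations are constructed, with a placeholder in place of a real secret hash.

```python
"""Benchmark-style audit of a Cisco IOS running configuration.

Added example, not the CIS benchmark or the Router Audit Tool themselves.
It shows the mechanism such tools use: parse 'show running-config' text
into top-level lines and indented sections, then apply rules that each
require or forbid a line.  The rules are a few common hardening checks;
both sample configurations are constructed (the secret hash is a placeholder).
"""


def parse_ios(config):
    """Return (top-level lines, {section header: [child lines]}); IOS
    indents a section's child lines by one space."""
    top, sections, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            top.add(current)
            sections.setdefault(current, [])
    return top, sections


def _all_vty(sections, predicate):
    """True only if at least one 'line vty' section exists and every one passes."""
    vty = [kids for hdr, kids in sections.items() if hdr.startswith("line vty")]
    return bool(vty) and all(predicate(kids) for kids in vty)


# rule name -> function(top, sections) -> True when compliant
CHECKS = {
    "enable secret configured":
        lambda top, s: any(l.startswith("enable secret ") for l in top),
    "no plaintext enable password":
        lambda top, s: not any(l.startswith("enable password ") for l in top),
    "service password-encryption on":
        lambda top, s: "service password-encryption" in top,
    "HTTP management server disabled":
        lambda top, s: "no ip http server" in top and "ip http server" not in top,
    "vty transport restricted to SSH":
        lambda top, s: _all_vty(s, lambda k: "transport input ssh" in k),
    "vty access-class applied":
        lambda top, s: _all_vty(s, lambda k: any(l.startswith("access-class ") for l in k)),
    "vty exec-timeout set":
        lambda top, s: _all_vty(s, lambda k: any(
            l.startswith("exec-timeout ") and l != "exec-timeout 0 0" for l in k)),
    "login banner configured":
        lambda top, s: any(l.startswith(("banner login ", "banner motd ")) for l in top),
}


def audit(config):
    """Map each rule name to True (pass) or False (fail)."""
    top, sections = parse_ios(config)
    return {name: bool(rule(top, sections)) for name, rule in CHECKS.items()}


def failures(config):
    return sorted(name for name, ok in audit(config).items() if not ok)


WEAK_CONFIG = """\
no service password-encryption
hostname weak-rtr
enable password cisco123
ip http server
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

HARDENED_CONFIG = """\
service password-encryption
hostname hardened-rtr
enable secret 5 $1$placeholder$notarealhash
no ip http server
access-list 10 permit 192.168.1.0 0.0.0.255
banner login ^CUnauthorized access to this device is prohibited.^C
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    print("weak fails:", failures(WEAK_CONFIG))
    print("hardened fails:", failures(HARDENED_CONFIG))   # []
```

The weak configuration fails every rule; the hardened one passes all of them. The vty rules use _all_vty so that a router with a second, forgotten line vty 5 15 section that still allows Telnet fails the check, which is exactly the kind of omission a manual review tends to miss.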

Page 31: Using Configuration and Risk Analysis Tools for Firewalls and Routers (cont'd.)

- RedSeal
  - Network risk analysis and mapping tool
  - Identifies configuration vulnerabilities in routers and firewalls
  - Generates professional-looking reports
  - Analyzes IPS and OS vulnerability scan results
  - Shows a graphical representation of the vulnerabilities discovered

Page 32: Figure 13-4 The RedSeal network risk map

Page 33: Understanding Intrusion Detection and Prevention Systems

- Monitor network devices so security administrators can identify attacks in progress and stop them
- Intrusion detection system (IDS)
  - Examines traffic and compares it with known exploits
  - Similar to antivirus software using a signature file to identify viruses
- Intrusion prevention system (IPS)
  - Similar to an IDS
  - Also performs an action to prevent the intrusion

Page 34: Network-Based and Host-Based IDSs and IPSs

- Network-based IDSs/IPSs
  - Monitor activity on network segments
  - Sniff traffic and alert if something suspicious occurs
- Host-based IDSs/IPSs
  - Used to protect a critical network server or database server
  - Software is installed on the server you're attempting to protect

Page 35: Network-Based and Host-Based IDSs and IPSs (cont'd.)

- IDSs are also categorized by how they react when they detect suspicious behavior
  - Passive systems
    - Don't take preventive action
    - Send out an alert and log the activity
  - Active systems
    - Log events and send out alerts
    - Can also interoperate with routers and firewalls, for example to add a blocking rule

Page 36: Network-Based and Host-Based IDSs and IPSs (cont'd.)

- Vendors have started focusing on IPSs
- A true network-based IPS is installed inline with the network infrastructure
  - Traffic has to pass through the IPS before going into or out of the network
  - More capable of stopping malicious traffic
  - Being inline also means an IPS failure or a false positive blocks legitimate traffic, so tuning matters more than it does for an IDS
- Host-based IPSs operate at the OS (or kernel) level
  - Intercept traffic not allowed by the host policy

Page 37: Network-Based and Host-Based IDSs and IPSs (cont'd.)

- Network-based IDSs and IPSs are further categorized by the way they detect attacks
  - Signature detectors
    - Detect malicious activity by using a database of known attack signatures
    - Miss attacks for which no signature exists yet
  - Anomaly detectors
    - Use a baseline of normal activity and send an alert if activity deviates significantly
    - Can catch novel attacks, but need a clean baseline and produce more false positives
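The following is an added example, not code from the book, and it goes one step beyond the slide by running both detector types over the same data so the trade-off is visible: the signature detector catches a single known-bad request that a rate baseline cannot see, and the anomaly detector catches a noisy scanner whose requests match no signature. The Combined-Log-style line format, the three signatures, the RateAnomalyDetector class and its z-score threshold, and every address and path are constructed for the example.

```python
"""Signature-based vs anomaly-based detection over web-server log lines
(added example, not code from the book).  Signatures are regexes for known
attack patterns; the anomaly detector learns requests-per-source from a
clean window and alerts on sources far above that baseline.  The log
format and all addresses and paths are constructed.
"""
import re
import statistics
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \d+')

# Known-attack patterns applied to the request path (the "signature file")
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
    "sql injection": re.compile(r"(%27|')(\+|%20|\s)*(or|union)(\+|%20|\s)", re.I),
    "web shell probe": re.compile(r"/(cmd|shell|c99)\.php", re.I),
}


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Return (source ip, signature name, path) for every matching request."""
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name, rec["path"]))
    return alerts


class RateAnomalyDetector:
    """Baseline = requests per source in a known-clean window; alert when a
    source's count in a new window is more than `sigma` standard deviations
    above the baseline mean."""

    def __init__(self, sigma=3.0):
        self.sigma, self.mean, self.stdev = sigma, None, None

    @staticmethod
    def _counts(lines):
        return Counter(rec["ip"] for rec in filter(None, map(parse_line, lines)))

    def train(self, lines):
        values = list(self._counts(lines).values())
        self.mean = statistics.mean(values)
        self.stdev = statistics.pstdev(values) or 1.0   # guard a flat baseline
        return self

    def detect(self, lines):
        """Return [(ip, count, z-score)] sorted by z-score, highest first."""
        hits = []
        for ip, n in self._counts(lines).items():
            z = (n - self.mean) / self.stdev
            if z > self.sigma:
                hits.append((ip, n, round(z, 1)))
        return sorted(hits, key=lambda h: h[2], reverse=True)


def make_lines(ip, paths, status=200):
    """Constructed log lines for one source.  The timestamp is fixed; the
    rate is measured per window rather than per second to keep this short."""
    return [f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {p} HTTP/1.1" {status} 512'
            for p in paths]


BASELINE_LINES = (make_lines("10.0.0.1", ["/", "/about", "/news", "/contact"])
                  + make_lines("10.0.0.2", ["/"] * 5)
                  + make_lines("10.0.0.3", ["/news"] * 5)
                  + make_lines("10.0.0.4", ["/"] * 6)
                  + make_lines("10.0.0.5", ["/about"] * 5))

DETECT_LINES = (make_lines("10.0.0.1", ["/", "/about", "/news", "/contact"])
                + make_lines("10.0.0.6", ["/"] * 6)
                + make_lines("198.51.100.7", [f"/index.html?id={i}" for i in range(40)])
                + make_lines("203.0.113.8", ["/download?file=../../etc/passwd"], status=403)
                + make_lines("203.0.113.9", ["/login?user=admin%27%20OR%201=1--"]))

if __name__ == "__main__":
    print(signature_alerts(DETECT_LINES))
    print(RateAnomalyDetector().train(BASELINE_LINES).detect(DETECT_LINES))
```

On the constructed data the two detectors flag disjoint sets of sources: the traversal and injection requests from 203.0.113.8 and 203.0.113.9 are single requests, invisible to the rate baseline, while the scanner at 198.51.100.7 sends only benign-looking URLs and is caught only because its volume is far above the baseline. A legitimate but slightly busier host (10.0.0.6) stays under the threshold, which is the tuning decision the anomaly approach always involves.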

Page 38: Table 13-3 Intrusion detection and prevention systems

Page 39: Web Filtering

- Statistically, firewalls and IPSs do a good job of protecting a network from Internet attacks
- Attackers know this, so they now use the least restricted pathway through a firewall
  - Target the devices that are automatically allowed access out of the network: user workstations
  - Get an internal user to visit a bogus Web site or install malicious code from an e-mail attachment
  - No need to break through the firewall
  - Firewall application layer inspection might not detect this kind of attack

Page 40: Web Filtering (cont'd.)

- Web filtering is used to detect users' attempts to access malicious Web sites and block them
- Some Web filters block malicious code
  - Before it gets to a user's workstation
  - Before it connects to an attacker's control system outside the network
- Mass compromises of legitimate Web sites are used to initiate drive-by downloads
  - Web site visitors download malicious code without their knowledge

Page 41: Security Incident Response Teams

- Large organizations with sensitive or critical data
  - Normal administrative expertise isn't enough for:
    - Follow-up and damage assessment
    - Risk remediation and legal consultation
- Security incident response team (SIRT)
  - Permanent team
    - Responsible solely for security-response functions
  - Ad hoc team
    - Members normally have other roles
    - Called in response to a specific incident

Page 42: Understanding Honeypots

- Honeypot
  - Computer placed on the network perimeter
  - Contains information to lure and trap hackers
  - Configured to have vulnerabilities
  - Keeps hackers connected long enough so they can be traced back
  - Serves as an excellent data collector and early warning system
  - Example: Honeyd (Honeyd.org)

Page 43: How Honeypots Work

- Honeypot appears to have important data or sensitive information stored on it
  - Could store fake financial data
- Hackers spend time attacking the honeypot
  - Stop looking for real vulnerabilities
  - Enables security staff to collect data on attackers
- Available honeypots
  - Commercial and open-source
- Virtual honeypots
  - Simulated hosts created in software rather than on dedicated machines (Honeyd, for example, emulates many hosts and their services on one system)
- Because a honeypot has no legitimate users, any traffic to it is suspicious by definition; it must also be isolated so that a compromised honeypot cannot be used as a stepping stone into the real network

Page 44: Table 13-4 Commercial honeypots

Page 45: Table 13-5 Open-source honeypots

Page 46: Summary

- Network protection systems
  - Routers, firewalls, IDSs, IPSs, Web filters, etc.
- Routers
  - Use access lists to accept or deny traffic
- Firewalls
  - Can be hardware devices or software installed on computer systems
  - Use NAT, packet filtering, access control lists, stateful packet inspection, and application layer inspection

Page 47: Summary (cont'd.)

- DMZ
  - Small network containing resources that sits between the Internet and the internal network
- Intrusion detection systems
  - Monitor network traffic
  - Network-based IDSs monitor activity on network segments
  - Host-based IDSs protect a critical network server or database server

Page 48: Summary (cont'd.)

- Passive IDSs
  - Don't take any action or prevent an activity from continuing to occur
- Active IDSs
  - Log, send alerts, and interoperate with routers and firewalls
- Intrusion prevention systems (IPSs)
  - Detect malicious activity
  - Can block or prevent malicious activity

Page 49: Summary (cont'd.)

- Anomaly detectors
  - Detect activity varying from a set baseline
- Configuring routers and firewalls securely
  - Easier with benchmark tools
- Web filtering
  - Can block Web sites containing malicious code
- Large organizations
  - Might need a security incident response team
- Honeypots
  - Lure hackers away from legitimate resources

