1/2014 Introduction to Network Security Presented by: Ted
Simpson
Slide 3
Security Threats
  Malware: viruses, spyware
  Information theft
  Unauthorized access
  Eavesdropping
  Denial of service attacks
Slide 4
The Target Story
Just a few days before Christmas, Target confirmed that the scenario had unfolded: thieves stole account information by installing malicious software on the retailer's checkout terminals. Security experts said the timing of the breach corresponds with a recent surge of stolen credentials being offered for sale on underground cybercrime forums. "We started to detect that something was afoot on December 11th when [we] detected a massive increase -- 10-20x -- in availability of high-value stolen cards on black-market sites." Hord Tipton, executive director of (ISC)2, said in an emailed statement that attackers likely infected massive numbers of POS terminals with malware. "It's one thing to compromise or affect one machine, but to get all of them begs the question of how this was plotted out in the first place," Tipton said. "How were the hackers so efficient? From what I can tell, it looks like an insider threat -- someone on the inside probably helped."
Slide 5
Security Session Overview
  Security threats
  TCP/IP protocols and addressing
  Security protocols and devices: routers, firewalls, and WAPs (wireless access points)
  Break
  Software security measures: anti-virus options, wireless security, Windows, email security
  Security policies and user procedures
Slide 6
Introducing TCP/IP
  Grew out of ARPANET, the late-1960s research network funded by the US Department of Defense (ARPA) together with universities and research centers; the TCP/IP protocols themselves were designed in the 1970s by DARPA-funded researchers.
  Provided a reliable and flexible communication system between sites that trusted each other.
  In today's Internet, TCP/IP is not a secure protocol suite: it has no built-in confidentiality, integrity, or authentication, so anything on the wire can be read or forged unless a higher-layer protocol adds protection.
  The TCP/IP model consists of 4 layers: Application, Transport, Internet, Network Interface.
  Each layer presents its own security risks.
Slide 7
TCP/IP and OSI Models
Slide 8
Application Layer
  Consists of client and server software: clients make requests (e.g. web browsers), servers process them (web server, FTP server).
  Each service is assigned a well-known port number: web servers port 80 (HTTPS port 443), Telnet port 23 (SSH, its encrypted replacement, port 22), email (SMTP) servers port 25, FTP ports 20-21.
  The underlying Transport layer uses the TCP or UDP port number to deliver packets to the correct application.
  Many application services send data and authentication information in clear text, with no encryption: anyone who can capture the packets can read the credentials.
Slide 9
Application Layer Threats
  Hackers using packet sniffer software can read every unencrypted packet, including passwords sent in clear text.
  Spoofing: fake sites reached through links embedded in web pages or emails, or through DNS poisoning.
  Malware: a virus may infect the browser or email client; DNS modification may lead to a spoofed site; worms may spread themselves using open ports and software security flaws; spyware may send data to hacker sites.
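To make the clear-text point concrete, here is an added example (not part of the original slides) that does what a sniffer on a hub or open wireless network can do: pull credentials straight out of captured application-layer payloads. The payloads are constructed for this example, the Telnet prompt layout is assumed, and the only real fact relied on is that HTTP Basic auth is base64-encoded (encoding, not encryption) while FTP and Telnet send USER/PASS lines in the clear.

```python
import base64
import re

# Constructed sample payloads that stand in for what a packet sniffer on a hub or
# an open wireless network would capture. They are not real captures.
SAMPLE_STREAMS = [
    ("tcp/80", b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Authorization: Basic YWxpY2U6cGFzc3dvcmQxMjM=\r\n\r\n"),
    ("tcp/21", b"220 FTP server ready\r\nUSER bob\r\n331 Password required\r\n"
               b"PASS hunter2\r\n230 Login successful\r\n"),
    # Telnet prompts (assumed layout; real sessions also carry option negotiation bytes)
    ("tcp/23", b"login: carol\r\nPassword: letmein\r\n"),
    # TLS ClientHello prefix on port 443: an encrypted session gives the sniffer nothing readable
    ("tcp/443", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

BASIC_RE = re.compile(r"Authorization: Basic ([A-Za-z0-9+/=]+)")


def extract_credentials(payload: bytes) -> list:
    """Return (protocol, username, password) triples readable in one clear-text stream."""
    text = payload.decode("ascii", errors="replace")
    found = []

    # HTTP Basic auth is base64: decoding needs no key at all.
    for m in BASIC_RE.finditer(text):
        try:
            user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            continue
        found.append(("http-basic", user, password))

    # FTP and Telnet send the username and the password as separate clear-text lines.
    pending_user = None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key in ("USER", "login:"):
            pending_user = value.strip()
        elif key in ("PASS", "Password:") and pending_user is not None:
            found.append(("ftp" if key == "PASS" else "telnet", pending_user, value.strip()))
            pending_user = None
    return found


def harvest(streams=SAMPLE_STREAMS) -> dict:
    """Run the extractor over every captured stream, keyed by transport port."""
    return {port: extract_credentials(payload) for port, payload in streams}


if __name__ == "__main__":
    for port, creds in harvest().items():
        print(port, creds or "nothing readable")
```

The port 443 stream is there for contrast: the same extractor finds nothing, which is the whole argument for replacing Telnet, FTP and plain HTTP logins with SSH, SFTP and HTTPS.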
Slide 10
Transport or Host-to-Host Layer
  UDP: connectionless; used for streaming audio and video. Because no handshake is required, hackers can create a denial of service attack that floods and overloads a service by directing large streams of UDP packets (often with spoofed source addresses) at the server.
  TCP: connection oriented, but still no encryption; used by HTTP, FTP, and email. Acknowledges packet delivery using sequence numbers and acknowledgment packets (more overhead).
Slide 11
Transport Layer Security Risks
  Denial of service: SYN flood attacks. The hacker continuously sends SYN (connection request) packets, usually from spoofed source addresses, and never completes the three-way handshake, so the host fills up with half-open sessions and can no longer accept legitimate connections. Brings down the host through overloading.
  Hijacking attack: the hacker intercepts packets, reads or predicts the sequence number of the original client, and responds to the host with that sequence number, taking over the session.
  Best defense: firewalls, SYN cookies or connection rate limiting on the host, encrypted session protocols (TLS, SSH) that make injected packets detectable, and recognizing the symptoms of an attack.
Slide 12
Common Port Numbers
  One way to help secure the network is to use a firewall to block insecure or unneeded port numbers; this is called packet filtering. Port 3389 is used by Remote Desktop on Windows and should not be reachable from the Internet.
Slide 13
Network Layer - Internet
  Routers use IP addresses to route packets between networks; ICMP is used to exchange control and error messages.
  Security threats:
    IP spoofing: the source IP address of a packet is changed by the hacker to a valid or different address.
    ICMP tunneling: uses ICMP packets to encapsulate (smuggle) data between hosts past a firewall that allows ping.
    Smurf attack: sends ICMP echo requests to a network's broadcast address with the victim's address as the spoofed source, so every host on that network replies to the victim and overloads it.
    Ping of death: uses ICMP fragments that reassemble to a packet larger than the 65,535-byte IPv4 maximum, crashing vulnerable IP stacks.
  Best defense: use firewalls to block or rate-limit ICMP from untrusted networks, disable directed broadcasts on routers, and keep IP stacks patched. Blocking all ICMP is a blunt instrument, since it also breaks path MTU discovery and normal error reporting.
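The transport-layer and ICMP attacks on the two slides above (SYN flood, Smurf, ping of death) all leave a recognizable pattern in a packet trace. This added example, which is not part of the original slides, runs simple detection logic over a constructed trace. The trace format (one dict per packet, fragment "offset" already in bytes), the RFC 5737 documentation addresses, the alert threshold, and the /24 broadcast assumption in the Smurf check are all assumptions of this example.

```python
from collections import defaultdict

# Constructed packet trace, not a real capture: each dict summarises one IP packet
# the way a sniffer or flow log would present it. Addresses come from the RFC 5737
# documentation ranges; 10.0.0.0/24 stands in for the protected LAN.
TRACE = [
    # a normal three-way handshake from one client to the web server 10.0.0.5
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40000, "dst": "10.0.0.5", "dport": 80, "flags": "S"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 80, "dst": "192.0.2.10", "dport": 40000, "flags": "SA"},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40000, "dst": "10.0.0.5", "dport": 80, "flags": "A"},
]
# SYN flood: 50 SYNs from spoofed sources that never finish the handshake
TRACE += [
    {"proto": "tcp", "src": f"203.0.113.{i}", "sport": 1024 + i, "dst": "10.0.0.5", "dport": 80, "flags": "S"}
    for i in range(1, 51)
]
# Smurf: one echo request to the directed-broadcast address, source spoofed as the victim 10.0.0.9
TRACE.append({"proto": "icmp", "type": 8, "src": "10.0.0.9", "dst": "10.0.0.255",
              "id": 1, "offset": 0, "payload_len": 56, "more": False})
# Ping of death: two fragments of one datagram (IP id 77); "offset" is already in bytes.
# 65528 is the largest offset the 13-bit field can express (8191 * 8), and 65528 + 100 > 65535.
TRACE += [
    {"proto": "icmp", "type": 8, "src": "198.51.100.7", "dst": "10.0.0.5",
     "id": 77, "offset": 0, "payload_len": 1480, "more": True},
    {"proto": "icmp", "type": 8, "src": "198.51.100.7", "dst": "10.0.0.5",
     "id": 77, "offset": 65528, "payload_len": 100, "more": False},
]


def detect_syn_flood(trace, threshold=20):
    """Half-open handshakes per (server, port): SYNs with no final ACK from the same client flow."""
    syns, acks = defaultdict(set), defaultdict(set)
    for p in trace:
        if p["proto"] != "tcp":
            continue
        server = (p["dst"], p["dport"])
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            syns[server].add(flow)
        elif p["flags"] == "A":
            acks[server].add(flow)
    half_open = {srv: len(flows - acks[srv]) for srv, flows in syns.items()}
    return {srv: n for srv, n in half_open.items() if n >= threshold}


def detect_smurf(trace, broadcast_suffix=".255"):
    """Echo requests aimed at a broadcast address; the (spoofed) source is the intended victim.
    Assumes /24 subnets, so a last octet of 255 is the directed-broadcast address."""
    return [(p["src"], p["dst"]) for p in trace
            if p["proto"] == "icmp" and p["type"] == 8 and p["dst"].endswith(broadcast_suffix)]


def detect_ping_of_death(trace, max_ip_len=65535):
    """Fragments of one ICMP datagram whose reassembled size would exceed the IPv4 maximum."""
    end_of_data = defaultdict(int)
    for p in trace:
        if p["proto"] == "icmp":
            key = (p["src"], p["dst"], p["id"])
            end_of_data[key] = max(end_of_data[key], p["offset"] + p["payload_len"])
    return {key: size for key, size in end_of_data.items() if size > max_ip_len}


if __name__ == "__main__":
    print("SYN flood:", detect_syn_flood(TRACE))
    print("Smurf:", detect_smurf(TRACE))
    print("Ping of death:", detect_ping_of_death(TRACE))
```

The SYN flood check is the one worth generalizing: it keys on the server rather than the client, because a flood from spoofed sources shows up as many distinct clients that each leave exactly one half-open connection behind.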
Slide 14
IPv4 Addressing
Slide 15
Public and Private Addresses
  Private addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are used on private networks and are not directly routable on the Internet.
  They require some form of Network Address Translation (NAT), such as SNAT (source NAT) or PAT (port address translation, many private hosts behind one public address), to connect private network devices to the Internet.
Slide 16
Network Address Translation
  Helps prevent hackers from gaining access to machines on the internal network: an unsolicited packet from the Internet matches no translation entry, so the NAT device has nowhere to deliver it and drops it.
  Machines are still vulnerable if they are infected with some type of spyware or zombie software, because a connection initiated from inside creates a translation entry and the attacker's replies flow back through it.
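The two slides above (private addresses and NAT) are easier to reason about with a small model in hand. This added example, not part of the original slides, classifies IPv4 addresses against the RFC 1918 ranges with plain mask arithmetic and then simulates a PAT gateway's translation table. The gateway class, its port allocation starting at 40000, and the addresses in the demo are assumptions of this example; a real NAT also ages entries out and tracks UDP and ICMP, which this model leaves out.

```python
# RFC 1918 private ranges. Addresses in these blocks are never routed on the public Internet.
RFC1918 = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]


def ip_to_int(addr):
    """Dotted-quad string to a 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    return int.from_bytes(bytes(int(o) for o in octets), "big")


def in_prefix(addr, network, bits):
    """True if addr falls inside network/bits (mask arithmetic, no library)."""
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask == ip_to_int(network) & mask


def is_private(addr):
    return any(in_prefix(addr, net, bits) for net, bits in RFC1918)


class PatGateway:
    """Illustrative port address translation: many private hosts share one public address.
    Only the mapping logic is modelled (assumption of this example, not a real NAT)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port = {}   # public port -> (private ip, private port, remote ip, remote port)
        self.by_flow = {}          # the reverse lookup

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the LAN: create (or reuse) a translation; return the rewritten 4-tuple."""
        if not is_private(src_ip):
            raise ValueError("only private sources are translated")
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_public_port[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving from the Internet: deliverable only if a matching entry exists."""
        entry = self.by_public_port.get(dst_port)
        if entry is None or (entry[2], entry[3]) != (src_ip, src_port):
            return None   # dropped: no inside host asked for this
        return (entry[0], entry[1])


def demo():
    """Unsolicited inbound traffic is dropped, but a bot inside can still call home."""
    gw = PatGateway("198.51.100.1")
    probe = gw.inbound("203.0.113.5", 4444, 3389)             # attacker scanning for RDP: dropped
    gw.outbound("192.168.1.20", 51000, "203.0.113.5", 4444)   # infected host opens a C2 session
    reply = gw.inbound("203.0.113.5", 4444, 40000)            # attacker's reply now goes in
    return probe, reply


if __name__ == "__main__":
    print(demo())
```

The `demo()` sequence is the NAT slide's caveat in code: the same table that drops the attacker's scan lets the attacker's replies in once malware on the inside has opened the connection.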
IPv6
  New Internet layer that creates a parallel network independent of IPv4.
  Supports the existing Transport and Application protocols.
  Advantages: better network security (IPsec support is part of the base specification, though it still has to be configured and enabled), improved prioritization, and a 128-bit address space vastly larger than IPv4's.
Slide 19
5/6/2013
IPv6 Address Format
  Not compatible with IPv4.
  128-bit address: 8 16-bit fields, each written as up to 4 hex digits (0-F) and separated by colons.
  Leading zeros within a field may be dropped.
  :: may be used once to stand for one or more consecutive all-zero fields.
  FF22:00FF:002D:0000:0000:0000:3012:CCE3 = FF22:FF:2D::3012:CCE3
  The substitution of :: for multiple zero-value fields can be used only once in an address; otherwise the number of omitted fields would be ambiguous.
Slide 20
IPv6 Addressing
Slide 21
IPv6 Address Scopes
  Unicast address
    FE80::/10 (link-local): packets are not routable beyond the local link.
    FEC0::/10 (site-local): not routable on the public Internet; deprecated and replaced by unique local addresses (FC00::/7, in practice FDxx:).
    2000::/3, i.e. addresses beginning 2xxx: through 3xxx: (global unicast, routable on the Internet).
  Multicast address
    Sent to all computers in a multicast group.
    FF0x: where x is the scope of the group (1 interface-local, 2 link-local, 5 site-local, E global).
  Anycast address
    A standard unicast address assigned to multiple machines.
    Used with routers to let the nearest router accept the packet; the packet is delivered to the closest (by routing metric) member of the group.
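The address-format rules and the scope prefixes on the two preceding slides are exactly the kind of thing that is easy to get subtly wrong (how many fields does :: stand for, which run of zeros gets compressed, where the scope bits sit). This added example, not part of the original slides, implements expansion, RFC 5952 compression and scope classification from those rules and cross-checks the result against Python's standard `ipaddress` module. The function names are this example's own.

```python
import ipaddress   # standard library; used only to cross-check the hand-written code

HEX = set("0123456789abcdefABCDEF")


def expand(addr):
    """Any textual IPv6 address -> 8 zero-padded 16-bit fields, applying the slide's rules."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once, otherwise the address is ambiguous")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)   # how many zero fields '::' stands for
        if missing < 1:
            raise ValueError("'::' must replace at least one field")
        fields = left + ["0"] * missing + right
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    for f in fields:
        if not 1 <= len(f) <= 4 or set(f) - HEX:
            raise ValueError(f"bad field {f!r}")
    return ":".join(f"{int(f, 16):04x}" for f in fields)


def compress(addr):
    """RFC 5952 text form: drop leading zeros and replace the longest run of two or more
    zero fields with '::' (the first such run wins a tie)."""
    fields = [f"{int(f, 16):x}" for f in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(fields)
    return ":".join(fields[:best_start]) + "::" + ":".join(fields[best_start + best_len:])


MULTICAST_SCOPES = {"1": "interface-local", "2": "link-local", "4": "admin-local",
                    "5": "site-local", "8": "organization-local", "e": "global"}


def scope(addr):
    """Classify an address by its leading bits (prefixes as on the slide plus loopback)."""
    full = expand(addr)
    first = int(full[:4], 16)
    if first >> 8 == 0xff:                      # ff00::/8; 4th hex digit is the scope
        return "multicast (" + MULTICAST_SCOPES.get(full[3], "unknown") + " scope)"
    if first >> 6 == 0xfe80 >> 6:               # fe80::/10
        return "link-local"
    if first >> 6 == 0xfec0 >> 6:               # fec0::/10
        return "site-local (deprecated)"
    if first >> 9 == 0xfc00 >> 9:               # fc00::/7
        return "unique local"
    if first >> 13 == 0x2000 >> 13:             # 2000::/3
        return "global unicast"
    if full == "0000:0000:0000:0000:0000:0000:0000:0001":
        return "loopback"
    return "reserved or unassigned"


def matches_stdlib(addr):
    """Cross-check: the standard library produces the same compressed form."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for a in ("FF22:00FF:002D:0000:0000:0000:3012:CCE3", "fe80::1", "ff02::1", "2001:db8::1"):
        print(compress(a), scope(a), matches_stdlib(a))
```

The slide's own example compresses to ff22:ff:2d::3012:cce3 (RFC 5952 also lowercases the digits), and an address with two :: sequences is rejected rather than guessed at, which is the ambiguity the "only once" rule exists to prevent.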
Slide 22
Link Scope
Slide 23
Summary
  TCP/IP consists of 4 major protocol layers.
  TCP/IP protocols were not designed to deal with today's security needs.
  IPv4 addresses consist of four dotted decimal numbers and are divided into public and private address ranges.
  IPv6 supports better security and a much larger address range.
  Additional software and hardware (firewalls and encryption) are necessary to secure Internet connections.
Switches vs Hubs
  Switches are more secure than older hubs. Hubs repeat every packet out of all ports, so any attached host can sniff all traffic. Switches learn which MAC address sits on which port and forward packets only to the destination's port, which reduces sniffers' access to other hosts' packets.
  The protection is partial: a switch still floods packets for unknown or broadcast destinations, and ARP spoofing or MAC address flooding can trick it into exposing traffic.
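Here is an added example (not from the original slides) that models the difference just described: a hub that repeats every frame and a switch with a learning table, each asked which frames a sniffer on a third port gets to see. The port numbers, MAC addresses and three-frame conversation are constructed for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame out of every other port: everyone sees everything."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return self.ports - {in_port}


class LearningSwitch:
    """A switch learns source MAC -> port and sends unicast frames only to the learned port."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}   # MAC address -> port (the switch's forwarding or "CAM" table)

    def forward(self, in_port, src_mac, dst_mac):
        self.cam[src_mac] = in_port                   # learn where the sender lives
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            return self.ports - {in_port}             # unknown destination: flood like a hub
        out = self.cam[dst_mac]
        return set() if out == in_port else {out}


def what_the_sniffer_sees(device, sniffer_port=3):
    """Replay a short conversation between A (port 1) and B (port 2) and return the labels of
    the frames that reach the sniffer's port. Constructed traffic, not a capture."""
    a, b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    conversation = [(1, a, b, "A->B request"),
                    (2, b, a, "B->A reply"),
                    (1, a, b, "A->B data")]
    return [label for in_port, src, dst, label in conversation
            if sniffer_port in device.forward(in_port, src, dst)]


if __name__ == "__main__":
    print("hub:   ", what_the_sniffer_sees(Hub([1, 2, 3])))
    print("switch:", what_the_sniffer_sees(LearningSwitch([1, 2, 3])))
```

Note that even the switch leaks the very first frame: B's address is not yet in the table, so the frame is flooded. That flooding fallback is what MAC-flooding attacks exploit by filling the table with bogus entries.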
Slide 26
Packet Sniffers and Port Scanners
  A packet sniffer connects to a wired or wireless network and captures data packets as they traverse the network. Packet sniffers are most effective on wireless networks and simple hubs, where every station sees every packet. Best defense: switches, VLANs, and encryption.
  Port scanners send packets to specific network addresses in an attempt to communicate with an application that is listening on an open port, building an inventory of reachable services. Best defense: keep the applications and Windows up to date with the latest patches, and use firewalls to restrict access to only the ports that must be reachable.
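A port scanner in its simplest form is just a loop of TCP connection attempts, and the three outcomes it distinguishes (handshake completes, RST comes back, nothing comes back) are what make it useful. This added example, not from the original slides, implements a TCP connect scan and runs it against a throwaway listener on the loopback interface so it works offline. The timeout value, the use of port 1 as the "known closed" port, and the loopback-only target are assumptions of this example; scan only hosts you are authorized to test.

```python
import socket


def scan(host, ports, timeout=0.5):
    """TCP connect scan. A completed handshake means a service is listening; a RST means the
    port is closed; no answer before the timeout usually means a firewall dropped the probe."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError as exc:          # e.g. host unreachable
                results[port] = f"error:{exc.errno}"
    return results


def demo():
    """Start a throwaway listener on loopback, then scan it plus a port assumed to be closed
    (TCP port 1, tcpmux, which no modern workstation runs)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free one
    listener.listen(1)
    open_port = listener.getsockname()[1]
    try:
        # the kernel completes the handshake from the backlog, so no accept() is needed
        return open_port, scan("127.0.0.1", [open_port, 1])
    finally:
        listener.close()


if __name__ == "__main__":
    port, results = demo()
    print(f"listener on {port}:", results)
```

The "filtered" branch is why the slide's advice about firewalls matters to a scanner: a closed port answers with a RST and gives the scanner a quick, definite answer, while a filtered one costs it a full timeout and tells it nothing.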
Slide 27
VLANs
  VLANs allow individual switch ports to be configured independently. Ports on a single switch can belong to different networks based on security and performance requirements rather than physical equipment.
  Increase security by separating network traffic into different broadcast domains; traffic between VLANs must pass through a router or firewall, where it can be filtered.
Slide 28
Wireless Access Points
  Function as switch, router, and firewall.
  Wireless transmissions are easily intercepted and must be encrypted.
  Encryption methods:
    WEP: provides a password to prevent unauthorized access, but its encryption is easily broken (keys can be recovered from captured traffic in minutes).
    WPA and WPA2: improved encryption. WPA2 with AES (CCMP) is the best choice if supported by the wireless devices.
Slide 29
Wireless Configuration
  Change the default administrative password.
  Set a unique SSID.
  Pick an unused channel.
  Consider WAP location to reduce coverage outside the building.
  Set the security encryption type to WPA2 whenever possible.
Slide 30
Firewalls
  Device or software that sits between a host or network and the Internet.
  Firewalls can block traffic by port number or identify potentially malicious network activity.
  Can block traffic by protocol, such as ICMP.
  A wireless access point can serve as a firewall.
Slide 31
Types of Firewalls
  Packet-filtering firewall (screening firewall): the simplest firewall.
    Blocks traffic into the LAN: checks IP address, port number, IP header flags.
    Blocks traffic attempting to exit the LAN: stops the spread of worms and stops zombie programs/spyware from reporting out.
    Based on TCP or UDP port numbers; prevents connection to, and transmission through, blocked ports.
    Built into wireless access points and Windows.
Slide 32
Advanced Firewall Functions
  Stateless firewall: decides on each packet by itself, with no memory of earlier packets.
    Access Control Lists (ACLs) permit or deny traffic according to: Network layer protocol (IP, ICMP); Transport layer protocol (TCP, UDP); source or destination IP address; TCP or UDP port number.
  Stateful firewall: monitors the data stream from end to end, tracking each connection so that only packets belonging to a session the inside opened (or that a rule explicitly allows) are passed.
  IDS (intrusion detection system): software monitoring traffic that sends alerts for suspicious traffic. Requires port mirroring: a switch port configured to send a copy of all traffic to another port for monitoring purposes.
  IPS (intrusion prevention system): sits inline and blocks suspicious traffic.
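The packet-filtering slides (Common Port Numbers, Types of Firewalls, and the stateless versus stateful distinction above) come together in one added example, not from the original slides: an ordered ACL with first-match semantics and implicit deny, and a stateful wrapper that only admits inbound packets that answer a connection the inside opened. The rule format, the sample policy for a 10.0.0.0/24 LAN with a web server at 10.0.0.5, and the test packets (RFC 5737 addresses) are assumptions of this example. It also shows the classic stateless weakness: to let replies in, a stateless ACL has to permit any packet with the ACK flag set, so an attacker's ACK-only probe gets through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    proto: str                                 # "ip" (any), "tcp", "udp", "icmp"
    src: str                                   # CIDR
    dst: str                                   # CIDR
    dport: Optional[Tuple[int, int]] = None    # inclusive port range, None = any
    ack_only: bool = False                     # match only packets with the ACK flag set


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport and not rule.dport[0] <= pkt.get("dport", -1) <= rule.dport[1]:
        return False
    if rule.ack_only and "A" not in pkt.get("flags", ""):
        return False
    return True


def acl_decision(rules, pkt):
    """Stateless packet filter: first matching rule wins, implicit deny at the end."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Remembers connections the inside opened and lets only their replies back in."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # flows (src, sport, dst, dport, proto) initiated from inside

    def process(self, pkt, direction):
        flow = (pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"), pkt["proto"])
        if direction == "out":
            self.state.add(flow)
            return "permit"
        reverse = (pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"), pkt["proto"])
        if reverse in self.state:
            return "permit"                      # reply to a session we opened
        return acl_decision(self.rules, pkt)     # anything else needs an explicit rule


# Inbound policy for a LAN 10.0.0.0/24 with one public web server, 10.0.0.5 (assumed layout).
INBOUND_RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.5/32", (80, 80)),
    Rule("deny", "icmp", "0.0.0.0/0", "0.0.0.0/0"),
]
# A stateless filter has no memory, so to let replies to outbound connections in it must add
# a crude "established" rule: permit anything with ACK set. That rule is the weakness shown below.
STATELESS_RULES = (INBOUND_RULES[:1]
                   + [Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.0/24", None, ack_only=True)]
                   + INBOUND_RULES[1:])


def compare():
    """Run the same constructed packets through both designs: {label: (stateless, stateful)}."""
    fw = StatefulFirewall(INBOUND_RULES)
    web_syn = {"proto": "tcp", "src": "198.51.100.4", "sport": 40000, "dst": "10.0.0.5", "dport": 80, "flags": "S"}
    rdp_syn = {"proto": "tcp", "src": "198.51.100.4", "sport": 40001, "dst": "10.0.0.7", "dport": 3389, "flags": "S"}
    out_syn = {"proto": "tcp", "src": "10.0.0.7", "sport": 51000, "dst": "192.0.2.80", "dport": 443, "flags": "S"}
    reply = {"proto": "tcp", "src": "192.0.2.80", "sport": 443, "dst": "10.0.0.7", "dport": 51000, "flags": "SA"}
    ack_probe = {"proto": "tcp", "src": "203.0.113.9", "sport": 4444, "dst": "10.0.0.7", "dport": 22, "flags": "A"}
    fw.process(out_syn, "out")   # an inside host opens an HTTPS session first
    return {
        "web syn": (acl_decision(STATELESS_RULES, web_syn), fw.process(web_syn, "in")),
        "rdp syn": (acl_decision(STATELESS_RULES, rdp_syn), fw.process(rdp_syn, "in")),
        "https reply": (acl_decision(STATELESS_RULES, reply), fw.process(reply, "in")),
        "ack probe": (acl_decision(STATELESS_RULES, ack_probe), fw.process(ack_probe, "in")),
    }


if __name__ == "__main__":
    for label, (stateless, stateful) in compare().items():
        print(f"{label:12} stateless={stateless:6} stateful={stateful}")
```

Both designs agree on the first three packets; they part ways on the ACK-only probe to port 22, which the stateless ACL must permit and the stateful firewall drops because no inside host ever opened that connection.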
Slide 33
Proxy Servers
  Proxy service: network host software application acting as intermediary between external and internal networks; screens all incoming and outgoing traffic.
  Proxy server: network host running the proxy service. Also called application layer gateway, application gateway, or proxy. Manages security at the Application layer and provides caching.
Slide 34
Creating a Demilitarized Zone
  The network's protective perimeter, created by a firewall/router: public-facing servers sit in the DMZ, separated from the internal LAN so that a compromised server cannot reach internal hosts directly.
  IDS sensors installed at the network edges.
  WAP port forwarding can be used to create a SOHO (Small Office Home Office) DMZ. Note that the "DMZ host" option on consumer access points forwards every unsolicited inbound port to one internal machine, fully exposing it; forward only the specific ports a service needs. More later on WAP configurations.