Concepts in Network Security

LTC Ronald Dodge, Ph.D., United States Military Academy

Source: download3.vmware.com/vmworld/2005/sln070.pdf

Virtual Machine (figure): x86 hardware hosting Red Hat, Win 2K, Win 2K3 and SuSE virtual machines

Trends in Network Security

Attackers
- Increasing sophistication
- Increasing communication/collaboration

Defenders
- Increasing complexity
- Increasing dependency
- Increasing attrition
- Decreasing budgets
- Persistent ignorance / increasing awareness / more knowledgeable sysadmins

Network systems
- Increasing connectivity
- Increasing complexity
- Increasing functionality
- Increasing "computrons"
- Increased application security

Activity
- Increased state and non-state sponsorship
- Increased patching
- Increasing probes and "Recon by Fire"

Trends: Another Picture (figure): attack sophistication rises from Low to High across 1980-2000 while the knowledge an intruder needs falls. Milestones plotted along the timeline include: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, backdoors, session hijacking, sweepers, burglaries, network diagnostics, GUI interfaces, automated probes, packet spoofing, www attacks, denial of service, distributed attacks, cross site scripting, BOTnets.

Security Trade-offs (figure): a triangle with Functionality, Performance and Security at its corners; points 1 and 2 mark two different balances among the three. Also traded off: Convenience, Usability. Assumes fixed cost.

Overview
- Motivation
- Virtual Information Assurance Network (VIAN) introduction
- Viruses, Worms and Trojans – Oh My! (And don't forget about SPAM)

USMA VIAN

The virtual network design presents students with two internal networks separated by a firewall:
- Red: contains the machines used to launch exploits
- Blue: contains the target machines (installations of Windows and Linux systems)

A second firewall acts as a gateway to the host machine. Virtual machines can reach the "physical network" by bridging through the host interface.

The VMware virtualization layer sits between the hardware and the software and lets users create virtual machines that are the full equivalent of a standard x86 machine.

Intel Architecture with VMware

How Does VMware Workstation Work?

USMA VIAN Configuration
- VMware license: Academic, $130 each
- OS licenses: Solaris $20; MSDNAA deeply discounted
- Applications: almost all open source
- Hardware: P4 1.8 GHz, 1 GB RAM (512 MB), 60 GB HD

USMA VIAN Operating Systems

Windows: Windows 2003 (all versions), Windows XP Pro, Windows XP Home, Windows 2000 Server, Windows 2000 Pro, Windows NT, Windows 98

Linux/Unix: Debian 3, Engarde, Fedora, Gentoo, IPCop, Netwosix, Sentinix, Slackware, Smoothwall, Trustix, vexlinux, Mandrake, Red Hat Linux, FreeBSD, OpenBSD, Solaris 9

USMA VIAN Modules
- Introduction to the VIAN environment and using virtual machines
- Introduction to the VIAN environment and network fundamentals
- Reconnaissance: Spyware
- Reconnaissance: SPAM/phishing
- Reconnaissance: Social engineering
- Reconnaissance: Port scanning
- Reconnaissance: OS fingerprinting
- Reconnaissance: Network enumeration
- Reconnaissance: Vulnerability scanning
- Attacking with Trojan horses using e-mail
- Attacking with buffer overflows
- Attacking with Virii
- Attacking passwords
- Attacking the Connection with Man in the Middle
- Defending with Firewalls: Basic
- Defending with Firewalls: In-depth
- Defending: Network intrusion detection using SNORT
- Defending: Host based intrusion detection with monitors
- Forensics: Intro
- Forensics: Advanced 1
- Forensics: Advanced 2
- Cryptography: Intro
- Cryptography: Advanced 1
- Cryptography: Advanced 2
- Sys Admin: Routing with Zebra
- Sys Admin: AD
- Sys Admin: Exchange

Viruses, Worms and Trojans – Oh My!

HACKER Pre-test: can you read this?

T1hs iz da h0m3p4g3 0f d4 m0St l33T w4r3z gR0uP th3r3 iz, LWE! W3 f0cUs oN bRiNgIngj0 dA l4t3eSt 0-dAy 313373 w4r3z év3rydAy. J0 c4n f1nd aLl0ur r3l3ases 0n ThIs l33t p4ge!! Ph34r 0ur sKiLlz!!

H4x0r Language Homework: www.google.com -> Preferences

Example Malicious Program Types
- Viruses
- Worms
- Trojan horses
- Backdoors
- Buffer overflows
- Application misuse

Hacking, Step-by-Step

From http://forbidden.net-security.org/txt/beginner.txt:

"Well, this ain't exactly for beginners, but it'll have to do. What all hackers have to know is that there are 4 steps in hacking...
Step 1: Getting access to site
Step 2: Hacking r00t
Step 3: Covering your traces
Step 4: Keeping that account"

Hacking, Step-by-Step

More formally:
1. Reconnaissance
2. Exploitation
3. Consolidate
4. Reorganize

Reconnaissance
- Passive recon: web-based recon, DNS recon
- Active recon: social engineering (via e-mail, via telephone, via casual conversation), dumpster diving, scanning, fingerprinting operating systems

Scanning

A method for discovering exploitable communication channels. The idea is to probe as many listeners as possible and keep track of the ones that are receptive or useful to your particular need.

Tools: SuperScan, NMAP, Nessus, CORE Impact, Metasploit, WHAX 3.0 (a.k.a. WHOPPIX)
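The definition above, "probe as many listeners as possible and keep track of the receptive ones", is exactly what a TCP connect scan does. The following is an added example, not code from the slides or from any of the tools listed: it starts a throwaway loopback service with a constructed FTP-style banner (an assumption made so the scan runs offline), then probes a window of ports around it the way nmap -sT would, recording which ports complete the handshake and what banner they volunteer.

```python
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Constructed target: a loopback TCP listener that greets every client
    with `banner`, so the scan has a receptive listener to discover."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(8)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """TCP connect probe (the same full handshake nmap -sT completes).

    Returns the banner the service volunteers (b"" if it stays silent) when
    the port accepts the connection, or None when it is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:                     # refused, timed out, unreachable, ...
        return None


def scan(host: str, ports: Iterable[int]) -> Dict[int, bytes]:
    """Probe every port and keep track of the receptive ones with their banners."""
    receptive: Dict[int, bytes] = {}
    for port in ports:
        banner = probe_port(host, port)
        if banner is not None:
            receptive[port] = banner
    return receptive


def demo() -> Tuple[int, Dict[int, bytes]]:
    """Scan a small window of loopback ports around the constructed service."""
    srv, port = start_fake_service(b"220 ftp.lab.test FTP server ready\r\n")
    try:
        return port, scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        srv.close()


if __name__ == "__main__":
    target_port, found = demo()
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  {banner.strip().decode('ascii', 'replace')}")
```

The banner is the interesting part for an attacker: a greeting that names the product and version is what vulnerability scanners such as Nessus match against their checks, which is why hardening guides tell you to suppress or neutralise service banners. On a real network, replace the loopback host and narrow window with the target range, and expect closed ports to answer with a RST (fast, None here) while firewalled ones simply time out.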

Sniffing

A packet sniffer is a wire-tap device that plugs into a computer network and eavesdrops on the network traffic. A "sniffing" program lets someone listen in on computer conversations.

Demo: Ethereal capture of FTP versus SFTP
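What the Ethereal FTP/SFTP demo shows on screen, as an added example rather than anything from the slides or from Ethereal itself: a minimal dissector that peels the Ethernet, IPv4 and TCP headers off raw frames and pulls the FTP USER/PASS lines out of the payload. The capture is constructed inline (addresses, ports and the password are assumptions) and contains an FTP login plus one SFTP frame whose application data is SSH-encrypted, so the same code recovers the FTP credentials and nothing from the SFTP session.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_TCP = 6
FTP_CREDENTIAL_CMDS = (b"USER ", b"PASS ")


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame. Checksums are left zero:
    the dissector never validates them, so they need not be correct."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20 + len(payload), 0x1234, 0,
                     64, PROTO_TCP, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    # data offset 5 (20-byte header), flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> Optional[Dict[str, object]]:
    """Return addresses, ports and TCP payload of an IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": tcp[data_offset:],
    }


def harvest_ftp_credentials(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """What a sniffer on the segment sees of an FTP login: USER and PASS in the clear."""
    found: List[Tuple[str, str, str]] = []
    for frame in frames:
        pkt = dissect(frame)
        if pkt is None or pkt["dport"] != 21:
            continue
        for line in pkt["payload"].split(b"\r\n"):
            if line.startswith(FTP_CREDENTIAL_CMDS):
                found.append((pkt["src"], pkt["dst"], line.decode("ascii", "replace")))
    return found


# Constructed capture: an FTP login (client 10.0.0.5 -> server 10.0.0.9) and,
# for contrast, one frame of an SFTP session carrying SSH ciphertext.
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", 21, 40001, b"331 Password required for alice.\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"PASS s3cret!\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 22, bytes.fromhex("9f3a1c77e04b5d22c8a1f0ee")),
]

if __name__ == "__main__":
    for src, dst, line in harvest_ftp_credentials(CAPTURE):
        print(f"{src} -> {dst}: {line}")
```

Ethereal does the same dissection for hundreds of protocols, and its "Follow TCP Stream" view is just this payload reassembled per connection. The SFTP frame is parsed equally well down to the TCP layer; what differs is that its payload is ciphertext, which is the whole argument for replacing FTP, telnet and POP3 with their encrypted counterparts on any segment an attacker might sniff.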

Exploitation
- Gain user access to the system
- Elevate privileges

Network based: passive sniffing, active sniffing, worms, denial of service

Operating system and application based: buffer overflows, password attacks, virus, denial of service

Exploits: IIS buffer overflow, DCOM

Consolidation

Cover tracks:
- Delete/modify log files
- Hide files
- Tunnel communications
- Use covert channels

Demo: PWdump, IISlogclean, VNC
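The defender's answer to a log cleaner such as IISlogclean is to make deletions detectable. The following is an added example, not code from the slides or from any of the tools named: a constructed IIS-style log is sealed with a forward-secure HMAC chain (each entry's tag covers the previous tag, and the per-entry key is evolved and the old one discarded, so an attacker who later obtains root cannot recompute earlier tags), a cleaner then strips the attacker's entries exactly as a log cleaner would, and verification pinpoints the damage. The log lines, the attacker address 10.0.0.5 and the initial key are assumptions made for the demonstration.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

ZERO_TAG = bytes(32)
Sealed = List[Tuple[str, str]]        # (log line, hex tag)

# Constructed IIS W3C-style log; 10.0.0.5 is the attacker's source address.
SAMPLE_LOG = [
    "2005-10-18 14:02:11 10.0.0.9 GET /default.htm - 80 - 192.168.1.20 Mozilla/4.0 200",
    "2005-10-18 14:02:15 10.0.0.9 GET /admin/ - 80 - 10.0.0.5 - 401",
    "2005-10-18 14:02:19 10.0.0.9 GET /index.htm - 80 - 192.168.1.21 Mozilla/4.0 200",
    "2005-10-18 14:02:23 10.0.0.9 POST /scripts/upload.asp - 80 - 10.0.0.5 - 200",
    "2005-10-18 14:02:30 10.0.0.9 GET /products.htm - 80 - 192.168.1.22 Mozilla/4.0 200",
]
ATTACKER_IP = "10.0.0.5"
KEY0 = b"constructed-initial-key-held-only-by-the-verifier"


def _evolve(key: bytes) -> bytes:
    """Next per-entry key. The host discards the old key, so a later root
    compromise cannot re-seal entries written before the compromise."""
    return hashlib.sha256(b"log-key-evolution|" + key).digest()


def seal_log(lines: List[str], key0: bytes) -> Tuple[Sealed, bytes]:
    """Hash-chain every line: tag_i = HMAC(key_i, tag_{i-1} || line_i).
    Returns the sealed entries and the final tag, which is shipped off-host
    (syslog, remote collector) as the anchor that catches truncation."""
    key, prev, sealed = key0, ZERO_TAG, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev, key = tag, _evolve(key)
    return sealed, prev


def verify_log(sealed: Sealed, key0: bytes, anchor: Optional[bytes] = None) -> Tuple[bool, int]:
    """(True, n) when all n entries chain to the anchor; (False, i) at the first
    entry whose tag does not chain (something before it was removed or altered),
    or (False, n) when the chain is intact but stops short of the anchor."""
    key, prev = key0, ZERO_TAG
    for i, (line, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i
        prev, key = expected, _evolve(key)
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(sealed)
    return True, len(sealed)


def clean_log(sealed: Sealed, ip: str) -> Sealed:
    """What a log cleaner does: drop every entry that mentions the attacker's IP."""
    return [(line, tag) for line, tag in sealed if ip not in line.split()]


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int], Tuple[bool, int]]:
    sealed, anchor = seal_log(SAMPLE_LOG, KEY0)
    intact = verify_log(sealed, KEY0, anchor)
    cleaned = verify_log(clean_log(sealed, ATTACKER_IP), KEY0, anchor)
    truncated = verify_log(sealed[:-1], KEY0, anchor)   # trailing entries removed
    return intact, cleaned, truncated


if __name__ == "__main__":
    for label, result in zip(("intact", "cleaned", "truncated"), demo()):
        print(f"{label}: {result}")
```

Two caveats a practitioner would want: the chain only helps if the initial key and the anchor leave the host (a root-level attacker who finds both can simply re-seal the cleaned log), and it detects tampering rather than preventing it, so the log still needs to be shipped to a collector the attacker cannot reach. The same trick works on any append-only record, not just IIS logs.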

Reorganization

Maintain access:
- Patch the hole that was used to get in, so nobody else can follow
- Install a backdoor

User Security
- E-mail security: e-mail worm / Trojan horse / back door (Flip screen, Sub7, Netbus)
- Phishing
- Password security

Links

USMA IWAR and VIAN
Web: http://www.itoc.usma.edu
E-mail: [email protected]