viren-rao
This slideshow shows the threat ARP poisoning poses by enabling packet sniffing attacks using Wireshark on a college network, and provides possible mitigation actions for the vulnerability.
Packet sniffing is a term used to describe
the capturing of packets that are transmitted
over a network.
Wireshark is a free and open-source
packet analyser. It is used for network
troubleshooting, analysis, software and
communications protocol development,
and education.
The SICSR network is susceptible to ARP
spoofing, a technique whereby an
attacker sends fake (“spoofed”) Address
Resolution Protocol (ARP) messages onto a
LAN.
Generally, the aim is to associate the
attacker's MAC address with the IP address of another
host (such as the default gateway), causing
any traffic meant for that IP address to be
sent to the attacker instead.
After downloading and installing Wireshark,
you can launch it and click the name of
an interface under Interface List to start
capturing packets on that interface. For
example, if you want to capture traffic on
the wireless network, click your wireless
interface. You can configure advanced
features by clicking Capture Options, but
this isn’t necessary for now.
As soon as you click the interface’s
name, you’ll see the packets start to
appear in real time. Wireshark captures
each packet sent to or from your system.
If you’re capturing on a wireless
interface and have promiscuous mode
enabled in your capture options, you’ll
also see the other packets on the
network.
The captured packets can be filtered
according to protocol, IP, method and
various other parameters.
Wireshark was the tool used to analyze the
network and identify that ARP poisoning is
possible on the network.
The sniffer would not give any result if the
poisoning failed.
Audit Plan
Auditor Name: Viren Rao
Date of Auditing: 24/8/2014
Scope Plan Audit Selection area
Selection criteria for auditors
Training plan for auditors
Audit goal Audit status Reporting
Audit archival location
To evaluate whether ARP poisoning is possible
Check for new needs for improvement, Start Date: 24/8/2014, Closure Date: 7/9/2014.
Last audit results: ARP poisoning is still possible, hence enabling packet sniffing
Selection of auditors: risk analyst, project manager and system admin
The system admins will need to be trained to take appropriate actions
Is packet sniffing possible?
Level of risk is HIGH
SICSR network
FMEA is a disciplined procedure which allows anticipating failures and preventing their occurrence in implementation/development.
FMEA process in packet sniffing:
Select the design for the FMEA team.
Identify critical areas.
Analyse the network.
Identify associated failure modes and effects. Are the analysis tools giving any output? Just avoid that risk.
Assign severity, occurrence and detection ratings to each cause. Severity: High. Occurrence: 1/10.
Calculate the Risk Priority Number (RPN) for each cause. RPN: 8/10.
Determine recommended actions to reduce all RPNs.
Take appropriate actions.
Recalculate all RPNs with actual results.
RISK mitigation PLAN
Title: Packet sniffing
Analyst: Viren Rao
Date: 10/8/2014
Risk id; Date identified; Risk; Source; Category; Severity; Probability index; Impact in $; Exposure to risk identified; Response; Mitigation plan; Contingency plan; Threshold trigger for contingency plan; Ownership; Risk status; Progress
1 10-08-2014 Packet sniffing SICSR Technical Risk High
least likely No $ harm less
Accepted
Risk Avoidance
Configure and purchase appropriate firewalls SICSR
Yet to be mitigated
Packet sniffing is still possible
Security is something that most
organizations try to work upon.
However, it is observed that most
organizations seldom look into an
untouched area, Layer 2 of the
OSI model, which can open the network to a
variety of attacks and compromises.
Currently this vulnerability has not been
exploited. If this vulnerability is ever
exploited, it could be a major security
breach, as all packets moving around a
single subnet on the network can be
intercepted.
To allocate resources and implement cost-effective controls,
organizations, after identifying all possible controls and
evaluating their feasibility and effectiveness, should conduct a
cost-benefit analysis for each proposed control to determine
which controls are required and appropriate for their
circumstances.
Benefits could be:
Tangible: Quantitative
Intangible: Qualitative
Cost factor New in Rs. Enhancements in Rs.
Hardware 90,000 30,000
Software -- --
Policies and procedures 50,000 20,000
Efforts 100000 50000
Training 50000 10000
Maintenance 50000
Man-in-the-middle (MITM) attacks, which
are carried out using ARP poisoning, can be
prevented in numerous ways.
However, not all methods are suitable in all
scenarios.
To prevent ARP spoofing you need to add
a static ARP entry on the LAN.
This method becomes troublesome if your
router changes frequently, so if you use
this prevention method you need to delete
the old entry and add the new one whenever it
changes.
Configuration of existing switches to use
Private VLANs, where one port can only
speak with the gateway.
Even hosts on the same subnet must go
through the gateway to talk to each other.
According to a white paper, Cisco Catalyst
6500 Series Switches have a mechanism to
prevent such attacks. It provides a feature
called Dynamic ARP Inspection (DAI), which
helps prevent ARP poisoning and other ARP-based
attacks by intercepting all ARP
requests and responses and verifying their
authenticity before updating the switch's
local ARP cache or forwarding the packets to
the intended destinations.
The first method is strictly not suitable for the SICSR network, as it is a temporary solution for small networks.
Considering the fact that we have web servers running on our network, the second method would significantly hamper the performance of the network and is therefore not suitable for the network infrastructure.
The third method is the best solution for this vulnerability and should be implemented on a priority basis.
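An added example, not part of the original slides and not Cisco's implementation: a simplified Python model of the check behind the static-ARP and Dynamic ARP Inspection methods above, validating the sender IP/MAC pair of each ARP frame against a trusted binding table before it would be accepted. The addresses, the `TRUSTED` table and all function names are assumptions constructed for illustration.

```python
import struct

# Constructed IP -> MAC bindings (documentation addresses, made-up MACs); they
# stand in for static ARP entries or the table an inspecting switch consults.
TRUSTED = {
    "192.0.2.1": "00:11:22:33:44:01",   # default gateway
    "192.0.2.10": "00:11:22:33:44:10",  # web server
}

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Return (sender_mac, sender_ip, eth_src) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return _mac(frame[22:28]), sender_ip, _mac(frame[6:12])

def inspect(frame, bindings=TRUSTED):
    """Return 'permit' or 'drop: <reason>' for one captured frame."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "drop: not a well-formed Ethernet/IPv4 ARP frame"
    sender_mac, sender_ip, eth_src = parsed
    if sender_mac != eth_src:
        return f"drop: ARP sender MAC {sender_mac} != Ethernet source {eth_src}"
    expected = bindings.get(sender_ip)
    if expected is None:
        return f"drop: no trusted binding for {sender_ip}"
    if expected != sender_mac:
        return f"drop: {sender_ip} is bound to {expected}, frame claims {sender_mac}"
    return "permit"

def sample_frame(sender_mac, sender_ip, target_ip="192.0.2.10"):
    """Build a constructed ARP reply in memory as test input; nothing is sent."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    sip, tip = (bytes(int(p) for p in ip.split(".")) for ip in (sender_ip, target_ip))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + mac + sip + b"\x00" * 6 + tip
    return b"\xff" * 6 + mac + struct.pack("!H", 0x0806) + arp

if __name__ == "__main__":
    for mac, ip in [("00:11:22:33:44:01", "192.0.2.1"),    # genuine gateway
                    ("66:77:88:99:aa:bb", "192.0.2.1"),    # gateway IP, wrong MAC
                    ("66:77:88:99:aa:bb", "192.0.2.77")]:  # host with no binding
        print(ip, mac, "->", inspect(sample_frame(mac, ip)))
```

The static-entry drawback noted above shows up here too: when the gateway's hardware changes, `TRUSTED` must be updated by hand or legitimate replies are dropped.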
• Purpose: To assess the risk involved in
packet sniffing.
• Scope of this risk assessment:
Components are SICSR network.
Briefly describe the approach used to
conduct the risk assessment,
such as—
Risk Assessment Team Members
Check whether ARP poisoning is possible
Server, Network, Interface.
The mission is to avoid sniffing.
Packets on network can be intercepted.
List the observations:
Identification of existing mitigating
security controls: Implementing use of
tools to detect poisoning.
Likelihood and evaluation: low likelihood
Impact analysis and evaluation: High
impact
Risk rating based on the risk-level matrix:
Medium
Packet sniffing is a technical risk. The risk
level is high. We can use features in new
switches or configure existing switches to
mitigate the risk.