ZOOM Technologies Types of Network Attacks

Network Security

Page 1: Network Security

ZOOMTechnologies

Types of Network Attacks

Page 2: Network Security

Reconnaissance Attacks

– Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications.

– Reconnaissance attacks include:
  • Internet information queries
  • Port scans
  • Ping sweeps
  • Packet sniffers
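Added example (not from the ZOOM Technologies slides): a small Python detector that reads Cisco IOS ACL log messages of the kind a "deny ip any any log" entry produces and flags two of the reconnaissance patterns listed above, port scans (one source probing many ports on one host) and ping sweeps (one source sending ICMP echo requests to many hosts). The log lines, addresses and thresholds are constructed for the example; the message shape follows the %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP syntax.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS ACL log messages (what a "deny ip any any log"
# entry emits). These lines and addresses are made up for this example.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list OUTSIDEACL denied tcp 203.0.113.5(40001) -> 200.1.2.2(21), 1 packet
%SEC-6-IPACCESSLOGP: list OUTSIDEACL denied tcp 203.0.113.5(40002) -> 200.1.2.2(22), 1 packet
%SEC-6-IPACCESSLOGP: list OUTSIDEACL denied tcp 203.0.113.5(40003) -> 200.1.2.2(23), 1 packet
%SEC-6-IPACCESSLOGP: list OUTSIDEACL denied tcp 203.0.113.5(40004) -> 200.1.2.2(443), 1 packet
%SEC-6-IPACCESSLOGP: list OUTSIDEACL denied tcp 203.0.113.5(40005) -> 200.1.2.2(3389), 1 packet
%SEC-6-IPACCESSLOGDP: list OUTSIDEACL denied icmp 198.51.100.9 -> 200.1.2.1 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list OUTSIDEACL denied icmp 198.51.100.9 -> 200.1.2.2 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list OUTSIDEACL denied icmp 198.51.100.9 -> 200.1.2.3 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list OUTSIDEACL denied icmp 198.51.100.9 -> 200.1.2.4 (8/0), 1 packet
%SEC-6-IPACCESSLOGP: list OUTSIDEACL denied udp 192.0.2.77(5353) -> 200.1.2.2(5353), 1 packet
"""

TCP_UDP_RE = re.compile(r"denied (tcp|udp) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")
ICMP_RE = re.compile(r"denied icmp (\S+) -> (\S+) \((\d+)/(\d+)\)")


def parse_line(line):
    """Return (proto, src, dst, dport_or_icmp_type), or None if the line is not an ACL deny."""
    m = TCP_UDP_RE.search(line)
    if m:
        proto, src, _sport, dst, dport = m.groups()
        return proto, src, dst, int(dport)
    m = ICMP_RE.search(line)
    if m:
        src, dst, icmp_type, _code = m.groups()
        return "icmp", src, dst, int(icmp_type)
    return None


def find_recon(log_text, port_threshold=5, host_threshold=4):
    """Flag a source that hits many distinct ports on one host (port scan)
    or sends ICMP echo requests to many distinct hosts (ping sweep)."""
    ports_per_pair = defaultdict(set)   # (src, dst) -> {destination ports}
    echo_targets = defaultdict(set)     # src -> {hosts that received echo requests}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, value = rec
        if proto in ("tcp", "udp"):
            ports_per_pair[(src, dst)].add(value)
        elif proto == "icmp" and value == 8:   # ICMP type 8 = echo request
            echo_targets[src].add(dst)
    findings = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            findings.append(("port_scan", src, dst, len(ports)))
    for src, hosts in echo_targets.items():
        if len(hosts) >= host_threshold:
            findings.append(("ping_sweep", src, None, len(hosts)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_recon(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately low so the ten sample lines trigger both detectors; in production they would be tuned per time window, and the single UDP line from 192.0.2.77 is left unflagged to show that one denied packet is not recon.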

Page 3: Network Security

Access Attacks

– Intruders use access attacks on networks or systems for these reasons:
  • Retrieve data
  • Gain access
  • Escalate their access privileges

– Access attacks include:
  • Password attacks
  • Trust exploitation
  • Port redirection
  • Man-in-the-middle attacks
  • Buffer overflow

Page 4: Network Security

DoS Attacks and Mitigation

– A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services.

– The distributed DoS technique performs simultaneous attacks from many distributed sources.

Page 5: Network Security

Distributed DoS Attacks

– DoS and distributed DoS attacks focus on making a service unavailable for normal use.

– DoS and distributed DoS attacks have these characteristics:
  • Generally not targeted at gaining access to your network or the information on your network
  • Require very little effort to execute
  • Difficult to eliminate, but their damage can be minimized

Page 6: Network Security

Other Attacks

Page 7: Network Security

The primary vulnerabilities for end-user workstations are:
– Worms
– Viruses
– Trojan horse attacks

Page 8: Network Security

Application Layer Attacks

Application layer attacks have these characteristics:
– Exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (e.g., sendmail, HTTP, and FTP)

– Often use ports that are allowed through a firewall (e.g., TCP port 80 used in an attack against a web server behind a firewall)

– Can never be completely eliminated, because new vulnerabilities are always being discovered

Page 9: Network Security

Management Protocols

These management protocols can be compromised:
– SNMP: The community string information for simple authentication is sent in plaintext.

– syslog: Data is sent as plaintext between the managed device and the management host.

– TFTP: Data is sent as plaintext between the requesting host and the TFTP server.

– NTP: Many NTP servers on the Internet do not require any authentication of peers.
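Added example, not part of the original slides: to make the SNMP point concrete, this Python script builds an SNMPv1 GetRequest with a minimal BER encoder and then parses it the way a passive observer on the wire would, recovering the version and community string without any secret. The OID (sysDescr.0), the request-id and the community value "public" are constructed sample values; the same parser flags SNMPv2c (version 1), which carries the community string in exactly the same way.

```python
# Minimal BER handling for SNMPv1/v2c messages. Everything here is an added
# example with constructed values; it is not from the slides or a vendor.

SNMP_VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def tlv(tag, payload):
    """BER short-form TLV encoder (payload shorter than 128 bytes)."""
    assert len(payload) < 128, "long-form lengths are out of scope for this example"
    return bytes([tag, len(payload)]) + payload


def build_snmpv1_get(community, oid=b"\x2b\x06\x01\x02\x01\x01\x01\x00"):
    """Build an SNMPv1 GetRequest for one OID (default 1.3.6.1.2.1.1.1.0, sysDescr.0)."""
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))        # SEQUENCE { OID, NULL }
    pdu = tlv(0xA0,                                             # GetRequest-PDU [0]
              tlv(0x02, b"\x01")                                # request-id (constructed value)
              + tlv(0x02, b"\x00")                              # error-status
              + tlv(0x02, b"\x00")                              # error-index
              + tlv(0x30, varbind))                             # VarBindList
    return tlv(0x30,                                            # Message SEQUENCE
               tlv(0x02, b"\x00")                               # version 0 = SNMPv1
               + tlv(0x04, community.encode())                  # community: a plain OCTET STRING
               + pdu)


def read_tlv(buf, pos):
    """Decode the short-form TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def extract_community(pkt):
    """Read (version, community) from an SNMP message; no key or configuration needed."""
    tag, body, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, pos = read_tlv(body, 0)
    ctag, community, _ = read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected field types in message header")
    return int.from_bytes(version, "big"), community.decode()


def uses_cleartext_community(pkt):
    """True for SNMPv1 (0) and SNMPv2c (1): both put the community string on the wire in the clear."""
    version, _ = extract_community(pkt)
    return version in (0, 1)


if __name__ == "__main__":
    pkt = build_snmpv1_get("public")
    version, community = extract_community(pkt)
    print(pkt.hex())
    print(SNMP_VERSIONS[version], "community:", community,
          "cleartext:", uses_cleartext_community(pkt))
```

A monitoring sensor that applies extract_community to UDP/161 traffic can inventory which devices still speak v1/v2c and which community strings are in use, which is the usual first step before moving management to SNMPv3 or an isolated management network.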

Page 10: Network Security

Cisco IOS Base Firewall

Page 11: Network Security

Network Division

Diagram: the Outside, Inside, and DMZ zones.

Page 12: Network Security

DMZ

– A DMZ is established between security zones—DMZs are buffer networks which are neither inside nor outside.

Page 13: Network Security

Firewall Technologies

Firewalls use three technologies:
– Packet filtering
– Application layer gateway
– Stateful multilayer packet filtering

Page 14: Network Security

Packet Filtering

– A router with an Access Control List (ACL) can act as a packet filtering firewall.

– Packet filtering works on the destination and source addresses, ports, and other flags compiled in an ACL.

Page 15: Network Security

Application Layer Gateway

– Example: proxy server

– The ALG intercepts and establishes connections to the Internet hosts on behalf of the client.

Page 16: Network Security

Stateful Multilayer Packet Filtering

– Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, ICMP types and codes.

– Stateful inspection then remembers certain details, or the state of that request.

Page 17: Network Security

Stateful Firewalls

– Also called “Stateful packet filters” and “Application-aware packet filters.”

– Stateful firewalls have two main improvements over packet filters:

• They maintain a session table (state table), where they track all connections.

• They recognize dynamic applications and know which additional connections will be initiated between the endpoints.

– Stateful firewalls inspect every packet, compare it against the state table, and may examine the packet for any special protocol negotiations.

– Stateful firewalls operate mainly at the connection (TCP and UDP) layer.

Page 18: Network Security

Cisco IOS Firewall Feature Set

The Cisco IOS Firewall Feature Set contains three main features:
– Cisco IOS Firewall
– Authentication proxy *
– IPS *

* Optional

Page 19: Network Security

Cisco IOS Firewall

– Packets are inspected entering the Cisco IOS firewall if they are not specifically denied by an ACL.

– Cisco IOS Firewall permits or denies specified TCP and UDP traffic through a firewall.

– A state table is maintained with session information.

– ACLs are dynamically created or deleted.

– Cisco IOS Firewall protects against DoS attacks.

Page 20: Network Security

Cisco IOS Authentication Proxy

– HTTP, HTTPS, FTP, and Telnet authentication

– Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols

Page 21: Network Security

Cisco IOS IPS

– Acts as an inline intrusion prevention sensor—traffic goes through the sensor

– When an attack is detected, the sensor can perform any of these actions:
  • Alarm: Send an alarm to SDM or syslog server.
  • Drop: Drop the packet.
  • Reset: Send TCP resets to terminate the session.
  • Block: Block an attacker IP address or session for a specified time.

– Identifies 700+ common attacks

Page 22: Network Security

Cisco IOS Firewall Functions

Page 23: Network Security

Cisco IOS ACLs Revisited

– ACLs provide traffic filtering by these criteria:
  • Source and destination IP addresses
  • Source and destination ports

– ACLs can be used to implement a filtering firewall, leading to these security shortcomings:
  • Ports opened permanently to allow traffic, creating a security vulnerability
  • Do not work with applications that negotiate ports dynamically

– Cisco IOS Firewall addresses these shortcomings of ACLs.
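Added example (not the slides' or Cisco's code): a Python simulation of the difference that the Stateful Multilayer Packet Filtering, Stateful Firewalls and Cisco IOS ACLs Revisited slides describe. The stateless outside ACL has to leave TCP source port 80 permanently open so that web replies can come back in, and that same permanent opening admits a rogue SYN from port 80 to an inside host. The stateful model opens a per-session entry only when an outbound SYN is inspected and removes it on RST or FIN. Addresses, the state names (modelled on the SIS_* names in the page's show ip inspect session output), the absence of timeouts and the simplified teardown are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()


class StatelessAcl:
    """Plain ACL: entries of (proto, sport, dport, action); None is a wildcard."""

    def __init__(self, rules):
        self.rules = rules

    def check(self, pkt):
        for proto, sport, dport, action in self.rules:
            if proto == pkt.proto and sport in (None, pkt.sport) and dport in (None, pkt.dport):
                return action
        return "deny"  # implicit deny at the end of every ACL


class StatefulFirewall:
    """Inspection on the inside interface fills a session table; the outside
    ACL denies everything, and only packets matching a session get back in."""

    def __init__(self):
        self.sessions = {}  # (proto, in_ip, in_port, out_ip, out_port) -> state (example names)

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "tcp":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions[key] = "SIS_OPENING"  # new connection attempt seen
        elif pkt.proto == "udp":
            self.sessions.setdefault(key, "SIS_OPEN")  # UDP has no handshake; idle timeout omitted here
        return "permit"  # the inside ACL already permitted this wanted traffic

    def inbound(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse the 5-tuple
        state = self.sessions.get(key)
        if state is None:
            return "deny"  # no session: the outside ACL's deny applies
        if pkt.proto == "tcp":
            if pkt.flags & {"RST", "FIN"}:
                del self.sessions[key]  # connection torn down, close the opening (simplified)
            elif state == "SIS_OPENING" and {"SYN", "ACK"} <= pkt.flags:
                self.sessions[key] = "SIS_OPEN"  # handshake answered
        return "permit"


def run_scenario():
    """Constructed hosts: inside client, outside web server, outside rogue sender."""
    client, server, rogue_host = "10.0.0.3", "172.30.0.50", "203.0.113.5"
    stateless = StatelessAcl([("tcp", 80, None, "permit")])  # permanent hole for web replies
    stateful = StatefulFirewall()

    syn = Packet("tcp", client, 35009, server, 80, frozenset({"SYN"}))
    synack = Packet("tcp", server, 80, client, 35009, frozenset({"SYN", "ACK"}))
    rst = Packet("tcp", server, 80, client, 35009, frozenset({"RST"}))
    rogue = Packet("tcp", rogue_host, 80, client, 445, frozenset({"SYN"}))

    results = {}
    stateful.outbound(syn)  # the client's request is inspected on the inside interface
    results["reply_to_our_request"] = (stateless.check(synack), stateful.inbound(synack))
    results["rogue_from_port_80"] = (stateless.check(rogue), stateful.inbound(rogue))
    stateful.inbound(rst)  # server resets the connection: the session entry disappears
    results["packet_after_close"] = (stateless.check(synack), stateful.inbound(synack))
    results["open_sessions"] = len(stateful.sessions)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24} stateless/stateful: {verdict}")
```

Each result pairs the stateless verdict with the stateful one: the legitimate reply passes both, the rogue packet passes the stateless ACL but not the state table, and after the reset only the stateless hole is still open.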

Page 24: Network Security

Cisco IOS Firewall TCP Handling

Page 25: Network Security

Cisco IOS Firewall UDP Handling

Page 26: Network Security

How Cisco IOS Firewall Works

Page 27: Network Security

Configuring Cisco IOS Firewall from the CLI

Page 28: Network Security

Cisco IOS Firewall Configuration Tasks Using the CLI

1. Pick an interface: internal or external.
2. Configure IP ACLs at the interface.
3. Define inspection rules.
4. Apply inspection rules and ACLs to interfaces.
5. Test and verify.

Page 29: Network Security

Guidelines for Applying Inspection Rules and ACLs to Interfaces

– On the interface where traffic initiates:
  • Apply an ACL on the inward direction that permits only wanted traffic.
  • Apply a rule on the inward direction that inspects wanted traffic.

– On all other interfaces, apply an ACL on the inward direction that denies all unwanted traffic.

Page 30: Network Security

Example: Two-Interface Firewall

ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
!
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any
 permit udp any any
 permit icmp any any

Page 31: Network Security

Example: Three-Interface Firewall

interface FastEthernet0/0
 ip inspect OUTSIDE in
 ip access-group OUTSIDEACL in
!
interface FastEthernet0/1
 ip inspect INSIDE in
 ip access-group INSIDEACL in
!
interface FastEthernet0/2
 ip access-group DMZACL in
!
ip inspect name INSIDE tcp
ip inspect name OUTSIDE tcp
!
ip access-list extended OUTSIDEACL
 permit tcp any host 200.1.2.1 eq 25
 permit tcp any host 200.1.2.2 eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended INSIDEACL
 permit tcp any any eq 80
 permit icmp any any packet-too-big
 deny ip any any log
!
ip access-list extended DMZACL
 permit icmp any any packet-too-big
 deny ip any any log
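Added example, not from the slides: a Python evaluator for the extended-ACL subset the examples above use (permit/deny; ip, tcp, udp and icmp; any, host and wildcard-mask addresses; eq ports; the packet-too-big ICMP keyword; the log flag), applied to the OUTSIDEACL list of the three-interface example. Wildcard-mask matching goes slightly beyond what the slides show. It models only the static ACL, not the openings that ip inspect creates for return traffic, so it answers exactly the question "what does the ACL on its own permit?" The test packets' source address 198.51.100.7 is a constructed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMP keywords used in Cisco extended ACLs -> (type, code). Only a few are listed here.
ICMP_KEYWORDS = {"packet-too-big": (3, 4), "echo": (8, 0), "echo-reply": (0, 0)}

# The OUTSIDEACL list from the three-interface example on this page.
OUTSIDEACL = """
ip access-list extended OUTSIDEACL
 permit tcp any host 200.1.2.1 eq 25
 permit tcp any host 200.1.2.2 eq 80
 permit icmp any any packet-too-big
 deny ip any any log
"""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = int(ipaddress.ip_address(tokens[i + 1]))
        return (lambda ip: ip == target), i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))   # set bits in a wildcard mask are "don't care"
    return (lambda ip: (ip | wild) == (net | wild)), i + 2


def _parse_port(tokens, i):
    """Optional 'eq N' after an address; only eq is supported in this example."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Turn the permit/deny lines of an extended ACL into rule dicts, in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # skip the "ip access-list extended NAME" header
        rule = {"action": t[0], "proto": t[1], "text": line.strip()}
        rule["src"], i = _parse_addr(t, 2)
        rule["sport"], i = _parse_port(t, i)       # eq after the source = source port
        rule["dst"], i = _parse_addr(t, i)
        rule["dport"], i = _parse_port(t, i)       # eq after the destination = destination port
        rest = t[i:]
        rule["icmp"] = next((ICMP_KEYWORDS[k] for k in rest if k in ICMP_KEYWORDS), None)
        rule["log"] = "log" in rest
        rules.append(rule)
    return rules


def _matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    src, dst = int(ipaddress.ip_address(pkt.src)), int(ipaddress.ip_address(pkt.dst))
    if not (rule["src"](src) and rule["dst"](dst)):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.sport:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if rule["icmp"] is not None and rule["icmp"] != (pkt.icmp_type, pkt.icmp_code):
        return False
    return True


def evaluate(rules, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"], rule["text"]
    return "deny", "implicit deny"


if __name__ == "__main__":
    rules = parse_acl(OUTSIDEACL)
    for pkt in (Packet("tcp", "198.51.100.7", "200.1.2.1", 40000, 25),
                Packet("tcp", "198.51.100.7", "200.1.2.2", 40000, 22),
                Packet("icmp", "198.51.100.7", "200.1.2.2", icmp_type=8, icmp_code=0)):
        print(pkt, "->", evaluate(rules, pkt))
```

Running the three sample packets shows that only mail to 200.1.2.1 and web to 200.1.2.2 are admitted from outside, that an inbound echo request falls through to "deny ip any any log" (so it is logged, which is what the reconnaissance detector earlier on this page relies on), and that nothing reaches the DMZ hosts on other ports.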

Page 32: Network Security

Verifying Cisco IOS Firewall

show ip inspect name inspection-name
show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect statistics
show ip inspect all

• Displays inspections, interface configurations, sessions, and statistics

Router#show ip inspect session
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
Router#

Page 33: Network Security

Troubleshooting Cisco IOS Firewall

debug ip inspect protocol

• Protocol-specific debug

Router#