Network Security Part I: Introduction
General Overview of Network Security

SECURITY INNOVATION ©2003

Outline

– Network Topologies
– Network Addressing
– LANs
– MANs
– WANs

Overview

• Network Infrastructure
  – The building blocks of a network
    • basic network protocols
    • network management
    • authentication
    • routing
    • other random things
  – switches, hubs
  – printers
  – routers

Overview

• Does this stuff matter?
  – Absolutely - the network depends on these
    • Basic protocols - obvious
    • network management & allocation
      – simplify network design and machine deployment
    • Authentication
      – access control
    • Routing
      – Getting from A to B
    • Other stuff
      – The network RUNS on these

Overview

• Impacts
  – Attacking protocols can allow for hijacking, spoofing and impersonation
  – control network devices
  – elevate access
  – change network flow
  – hide connections
  – sniffing
  – … and more

Ethernet

• IEEE 802.3, technology originated from Xerox Corp.
• Data packaged into frames
• Network Interface Card (NIC)
• CSMA/CD
  – Carrier Sense
  – Multiple Access
  – Collision Detection

Network Cabling

• Cabling
  – Thick Ethernet – 10BASE-5
  – Thin Ethernet – 10BASE-2
  – Shielded & Unshielded Twisted Pair (STP, UTP) – 10BASE-T (Cat 3), 100BASE-T (Cat 5)
  – Fiber Optic – Gigabit Ethernet
  – Wireless LAN
• TCP/IP Layer 1

Cabling in OSI Protocol Stack

(Diagram: the seven OSI layers, 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application; cabling sits at layer 1, Physical.)

Cabling Issues

• Physical Environment
  – Trunking
  – Network Closets
  – Risers
• Physical Environment - Issues
  – Single or multi-occupancy
  – Access Control to floor building
  – Network passes through public areas
  – Network infrastructure easily accessible
  – Network infrastructure shares facilities
  – Electromagnetic environment

Thin Ethernet

• Short overall cable runs.
• Vulnerability: information broadcast to all devices.
  – Threat: Information Leakage, Illegitimate Use
• Vulnerability: One cable fault disables network
  – Threat: Denial of Service
• Easy to install & attach additional devices
  – Vulnerability: Anyone can plug into hub.
    • Threat: Illegitimate Use.
• Rarely seen now.

(Diagram: a thin Ethernet bus segment with several devices attached along one cable.)

UTP and Hub

• Cable between hub and device is a single entity
• Only connectors are at the cable ends
• Additional devices can only be added at the hub
• Disconnection/cable break rarely affects other devices
• Easy to install

(Diagram: a 10/100BASE-T hub with a separate UTP cable running to each device.)

Other Layer 1 Options

• Fiber Optic
  – Cable between hub and device is a single entity
  – Tapping or altering the cable is difficult
  – Installation is more difficult
  – Much higher speeds
• Wireless LAN
  – Popular where building restrictions apply.
  – Several disadvantages
    • Radio signals are subject to interference, interception, and alteration.
    • Difficult to restrict to building perimeter.
  – Security must be built in from initial network design.

Hubs

• Data is broadcast to everyone on the hub
  – Vulnerability: information broadcast to all devices.
    • Threat: Information Leakage, Illegitimate Use
  – Vulnerability: Anyone can plug into hub.
    • Threat: Illegitimate Use.
• TCP/IP Layer 1
• Intelligent Hubs
  – Signal regeneration.
  – Traffic monitoring.
  – Can be configured remotely.

Hubs in OSI Protocol Stack

(Diagram: the seven OSI layers as before; cabling and hubs both sit at layer 1, Physical.)

Ethernet Addressing

• Address of Network Interface Card
• Unique 48 bit value
  – first 24 bits indicate vendor.
• For example, 00:E0:81:10:19:FC
  – 00:E0:81 indicates Exten Corporation
  – 10:19:FC indicates 1,055,228th NIC
• Media Access Control (MAC) address

IP Addressing

• IP address is 32 bits long
• Usually expressed as 4 octets separated by dots
  • 62.49.67.170
• RFC 1918 specifies reserved addresses for use on private networks.
  – 10.0.0.0 to 10.255.255.255
  – 172.16.0.0 to 172.31.255.255
  – 192.168.0.0 to 192.168.255.255
• Many large ranges assigned
  – 13.x.x.x Xerox, 18.x.x.x MIT, 54.x.x.x Merck

IP Address to Ethernet Address

• Address Resolution Protocol (ARP)
  – Layer 3 protocol
  – Maps IP address to MAC address
• ARP Query
  – Who has 192.168.0.40? Tell 192.168.0.20
• ARP Reply
  – 192.168.0.40 is at 00:0e:81:10:19:FC
• ARP caches for speed
  – Records previous ARP replies
  – Entries are aged and eventually discarded

ARP Query & ARP Reply

(Diagram: a web browser at IP 192.168.0.20, MAC 00:0e:81:10:17:D1, and a web server at IP 192.168.0.40, MAC 00:0e:81:10:19:FC, both on a 10/100BASE-T hub. (1) ARP Query, broadcast: "Who has 192.168.0.40?" (2) ARP Reply: "192.168.0.40 is at 00:0e:81:10:19:FC".)

Switches

• Switches only send data to the intended receiver.
• Builds an index of which device has which MAC address.

(Diagram: a 10/100BASE-T switch and its index of device (port) to MAC address:
  Device  MAC address
  1       00:0e:81:10:19:FC
  2       00:0e:81:32:96:af
  3       00:0e:81:31:2f:d7
  4       00:0e:81:97:03:05
  8       00:0e:81:10:17:d1)

Switch Operation

• When a frame arrives at switch
  – Switch looks up destination MAC address in index.
  – Sends the frame to the device in the index that owns that MAC address.
• Switches are often intelligent:
  – Traffic monitoring, remotely configurable.
• Switches operate at Layer 2.

Switches in OSI Protocol Stack

(Diagram: the seven OSI layers as before; cabling and hubs at layer 1, Physical; switches at layer 2, Data Link.)

Basic Protocols

• Security at the IP layer discussed over and over
• Security at the link layer ignored

ARP

• Address Resolution Protocol
  – Used for mapping network IP addresses to physical (in the case of Ethernet, MAC) interface addresses.
  – Broadcast at the link layer.

ARP Security Flaws

• Lack of Authentication
• Limited Table Entries
  – ARP caches can be overpopulated and flushed

ARP Authentication Flaws

• Lack of Authentication
  – ARP replies are typically accepted and cached without concern for origin when received.
  – No method to distinguish between legitimate and illegitimate messages

ARP Lack of Authentication

• Invalid ARP replies
  – When an ARP who-has is broadcast on the wire, anyone can reply and be mapped to the associated network address.
• Gratuitous ARP replies
  – ARP replies without requests can be sent out and cached, diverting traffic from the compromised network address to the attacker.

ARP Attacks

• Replace entries in ARP caches for existing addresses
  – Denial of Service
  – Reply to requests with compromised host address as router or nameserver.
  – Non-blind traffic hijacking
  – Exploitation of host-based trusts.

ARP Attacks

• ARP Cache Overpopulation
  – Sending too many gratuitous ARP replies flushing the target ARP cache in some implementations.
    • Reach cache maximum, can cause devices like switches to re-enter "learning mode"

ARP Vulnerability

• ARP spoofing
  – Masquerade threat
  – Gratuitous ARP
  – ARP replies have no proof of origin
  – A malicious device can claim any MAC address
  – Enables all fundamental threats

Before ARP Spoofing

(Diagram: three hosts on a switch: IP 192.168.0.20 / MAC 00:0e:81:10:17:d1, IP 192.168.0.40 / MAC 00:0e:81:10:19:FC, and the attacker at IP 192.168.0.1 / MAC 00:1f:42:12:04:72. ARP cache of 192.168.0.20: 192.168.0.40 → 00:0e:81:10:19:FC, 192.168.0.1 → 00:1f:42:12:04:72. ARP cache of 192.168.0.40: 192.168.0.20 → 00:0e:81:10:17:d1, 192.168.0.1 → 00:1f:42:12:04:72.)

After ARP Spoofing

(Diagram: the same three hosts on the switch. The attacker sends (1) Gratuitous ARP "192.168.0.40 is at 00:1f:42:12:04:72" and (2) Gratuitous ARP "192.168.0.20 is at 00:1f:42:12:04:72". Afterwards the ARP cache of 192.168.0.20 maps both 192.168.0.40 and 192.168.0.1 to 00:1f:42:12:04:72, and the ARP cache of 192.168.0.40 maps both 192.168.0.20 and 192.168.0.1 to 00:1f:42:12:04:72.)

Effect of ARP Spoofing

(Diagram: 192.168.0.20 sends an IP datagram with Dest: 192.168.0.40 inside a frame addressed to MAC 00:1f:42:12:04:72, so the switch delivers it to the attacker. Both victims' ARP caches still map each other and 192.168.0.1 to 00:1f:42:12:04:72. The attacker's relay index holds the real mappings, 192.168.0.40 → 00:0e:81:10:19:FC and 192.168.0.20 → 00:0e:81:10:17:d1, so it can pass the datagram on to the real destination unnoticed.)

Switch Vulnerability

• MAC Flooding
  – Malicious device connected to switch
  – Sends multiple Gratuitous ARPs
  – Each ARP claims a different MAC address
  – When index fills, some switches revert to hub behaviour

(Diagram: the switch index filling up with entries for the flooding device on port 4: 00:0e:81:32:96:af, 00:0e:81:32:96:b0, 00:0e:81:32:96:b1, 00:0e:81:32:97:a4, … while device 1 still holds 00:0e:81:10:19:FC.)
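The following is an added example, not code from the slides: a toy learning switch whose MAC index is bounded, run once with the weak "revert to hub" behaviour the slide describes and once with port locking (the safeguard on the next slide). Port numbers, the index capacity of 8 and the flooding device's MAC addresses are constructed for the example; device 1 and device 8 use the MACs from the "Switches" slide index.

```python
from collections import OrderedDict

REVERT_TO_HUB = "revert_to_hub"   # overflow evicts entries and traffic gets flooded
PORT_LOCK = "port_lock"           # port security: bounded MACs per port


class Switch:
    def __init__(self, ports, capacity, policy=REVERT_TO_HUB, max_per_port=1):
        self.ports = ports                # constructed port numbers on this switch
        self.capacity = capacity          # size of the MAC index (CAM table)
        self.policy = policy
        self.max_per_port = max_per_port
        self.index = OrderedDict()        # MAC -> port, oldest entry first
        self.violations = []              # (port, mac) refused by port locking

    def owned_by(self, port):
        return [m for m, p in self.index.items() if p == port]

    def learn(self, src_mac, in_port):
        """Record the port a source MAC was seen on. Returns False if refused."""
        if src_mac in self.index:
            self.index[src_mac] = in_port
            return True
        if self.policy == PORT_LOCK and len(self.owned_by(in_port)) >= self.max_per_port:
            self.violations.append((in_port, src_mac))   # something to alert on
            return False
        if len(self.index) >= self.capacity:
            # Index full: the oldest entry is evicted. That may be a legitimate
            # device, and from now on frames to it are flooded to every port.
            self.index.popitem(last=False)
        self.index[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports a frame is sent out of."""
        if not self.learn(src_mac, in_port):
            return set()                  # port security drops the frame
        if dst_mac in self.index:
            return {self.index[dst_mac]}
        return set(self.ports) - {in_port}   # unknown destination: flood like a hub


def flood_scenario(policy):
    """A device on port 4 claims 20 MACs, then device 1 sends to device 8.
    Returns (ports the frame reached, number of port-security violations)."""
    sw = Switch(ports=[1, 2, 3, 4, 8], capacity=8, policy=policy)
    sw.learn("00:0e:81:10:19:fc", 1)      # device 1, from the Switches slide index
    sw.learn("00:0e:81:10:17:d1", 8)      # device 8
    for i in range(20):                   # gratuitous ARPs, each from a new MAC
        sw.learn("00:0e:81:32:96:%02x" % (0xa0 + i), 4)
    reached = sw.forward("00:0e:81:10:19:fc", "00:0e:81:10:17:d1", 1)
    return reached, len(sw.violations)


if __name__ == "__main__":
    print("revert to hub:", flood_scenario(REVERT_TO_HUB))   # frame reaches port 4 too
    print("port locking: ", flood_scenario(PORT_LOCK))       # frame reaches only port 8
```

With `REVERT_TO_HUB` the unicast frame from device 1 reaches port 4 as well, which is the information leakage of a hub; with `PORT_LOCK` the 19 refused MACs are the log entries a monitoring system should raise on.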

Safeguards?

• Physically secure the switch
• Switches should failsafe when flooded
  – Threat: Denial of Service
• Arpwatch: monitors MAC to IP address mappings
• Switch port locking of MAC addresses
  – Prevents ARP spoofing
  – Reduces flexibility
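As an added example of what "monitors MAC to IP address mappings" means in practice (in the spirit of Arpwatch, but not the tool's code and not from the slides), the monitor below keeps its own IP-to-MAC table from the ARP traffic it sees and reports a known IP moving to a new MAC, a reply that answers no request, and one MAC claiming several IPs. The packet sequence is constructed from the addresses on the Before/After ARP Spoofing diagrams.

```python
from dataclasses import dataclass


@dataclass
class Arp:
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpMonitor:
    """Passive observer of ARP traffic on one segment."""

    def __init__(self):
        self.table = {}        # IP -> MAC as last seen on the wire
        self.pending = set()   # IPs with a request outstanding
        self.alerts = []       # tuples describing what was noticed

    def _learn(self, ip, mac):
        mac = mac.lower()
        old = self.table.get(ip)
        if old is None:
            self.alerts.append(("new station", ip, mac))
        elif old != mac:
            # The same IP now answers from a different NIC: the signature of
            # the gratuitous ARPs on the "After ARP Spoofing" slide.
            self.alerts.append(("changed ethernet address", ip, old, mac))
        self.table[ip] = mac

    def observe(self, pkt):
        if pkt.op == "request":
            self.pending.add(pkt.target_ip)
        elif pkt.sender_ip in self.pending:
            self.pending.discard(pkt.sender_ip)       # reply to a request we saw
        else:
            # A reply nobody asked for is a gratuitous ARP.
            self.alerts.append(("unsolicited reply", pkt.sender_ip, pkt.sender_mac.lower()))
        # Requests and replies both carry the sender's own IP/MAC pair.
        self._learn(pkt.sender_ip, pkt.sender_mac)

    def ips_per_mac(self):
        """One MAC claiming several IPs is the other symptom worth alerting on."""
        out = {}
        for ip, mac in self.table.items():
            out.setdefault(mac, set()).add(ip)
        return out


def demo():
    """Replay the traffic implied by the Before/After ARP Spoofing diagrams."""
    mon = ArpMonitor()
    packets = [   # constructed from the addresses on the slides
        Arp("request", "192.168.0.20", "00:0e:81:10:17:d1", "192.168.0.40"),
        Arp("reply",   "192.168.0.40", "00:0e:81:10:19:FC", "192.168.0.20"),
        Arp("request", "192.168.0.40", "00:0e:81:10:19:FC", "192.168.0.1"),
        Arp("reply",   "192.168.0.1",  "00:1f:42:12:04:72", "192.168.0.40"),
        # the attacker's two gratuitous ARPs
        Arp("reply",   "192.168.0.40", "00:1f:42:12:04:72", "192.168.0.20"),
        Arp("reply",   "192.168.0.20", "00:1f:42:12:04:72", "192.168.0.40"),
    ]
    for p in packets:
        mon.observe(p)
    return mon


if __name__ == "__main__":
    for alert in demo().alerts:
        print(*alert)
```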

IP Routers

• Routers support indirect delivery of IP datagrams.
• Employing routing tables.
  – Information about possible destinations and how to reach them.
• Three possible actions for a datagram
  – Sent directly to destination host.
  – Sent to next router on way to known destination.
  – Sent to default router.
• IP Routers operate at Layer 3.
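The three actions above as a longest-prefix routing table lookup, added here as an example and not code from the slides. The host configuration (192.168.0.20, subnet 255.255.255.0, default router 192.168.0.254) and the router addresses come from the "Routers" diagrams that follow; the router's own table is constructed, and the ISP gateway 62.49.147.1 is a placeholder.

```python
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []   # (network, next_hop or None if directly connected, interface)

    def add(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        """Return (action, address to hand the datagram to, interface)."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, iface in self.routes:
            # Most specific matching prefix wins; 0.0.0.0/0 matches everything.
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        if best is None:
            raise LookupError("no route to %s" % dst)
        net, next_hop, iface = best
        if next_hop is None:
            return ("direct", str(dst), iface)       # on-link: ARP for the host itself
        if net.prefixlen == 0:
            return ("default", next_hop, iface)      # nothing better known
        return ("next-hop", next_hop, iface)         # known destination via a router


def host_192_168_0_20():
    """The host's table: its own subnet plus the default router, as configured on the slide."""
    rt = RoutingTable()
    rt.add("192.168.0.0/255.255.255.0", None, "eth0")
    rt.add("0.0.0.0/0", "192.168.0.254", "eth0")
    return rt


def router_192_168_0_254():
    """Constructed table for the left-hand router (inside 192.168.0.254, outside 62.49.147.170)."""
    rt = RoutingTable()
    rt.add("192.168.0.0/24", None, "lan")             # directly connected LAN
    rt.add("62.49.147.0/24", None, "wan")             # constructed: the Internet-facing link
    rt.add("192.168.1.0/24", "62.49.147.169", "wan")  # the other site's router
    rt.add("0.0.0.0/0", "62.49.147.1", "wan")         # placeholder ISP gateway
    return rt


if __name__ == "__main__":
    # Whoever can insert a route here (a forged RIP update, a rogue DHCP default
    # router) decides where these datagrams go, which is why the later slides
    # insist on authenticating routing and DHCP messages.
    for dst in ("192.168.0.40", "192.168.1.11", "134.219.200.69"):
        print(dst, "host:", host_192_168_0_20().lookup(dst),
              "router:", router_192_168_0_254().lookup(dst))
```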

Routers in OSI Protocol Stack

(Diagram: the seven OSI layers as before; cabling and hubs at layer 1, Physical; switches at layer 2, Data Link; routers at layer 3, Network.)

Routers

(Diagram: two LANs joined through the Internet. Left LAN: hosts 192.168.0.20 and 192.168.0.40 on a switch, with a router at 192.168.0.254 whose outside address is 62.49.147.170. Right LAN: hosts 192.168.1.10 and 192.168.1.11 on a switch, with a router at 192.168.1.254 whose outside address is 62.49.147.169. Host 192.168.0.20 is configured with IP address 192.168.0.20, subnet 255.255.255.0, default router 192.168.0.254.)

Routers

(Diagram: the same network. 192.168.0.20 sends an IP datagram with Dest: 192.168.0.40; the destination is on its own subnet, so the datagram goes directly to 192.168.0.40 through the switch.)

Routers

(Diagram: the same network. 192.168.0.20 sends an IP datagram with Dest: 192.168.1.11; the destination is not on its subnet, so the datagram goes to the default router 192.168.0.254, which forwards it across the Internet to router 192.168.1.254 and on to 192.168.1.11.)

Routers

(Diagram: the same network. 192.168.0.20 sends an IP datagram with Dest: 134.219.200.69; the datagram goes to the default router 192.168.0.254 and out to the Internet.)

DHCP

• Dynamic Host Configuration Protocol
  – Popular amongst PC users for ease of installation and configuration
  – UDP transport
  – To broadcast, from 0.0.0.0

DHCP Security Problems

• Unauthenticated
  – Anyone can request an address
• Undirected
  – Anyone can respond
• Limited ACL capabilities
  – Limit addresses per MAC

DHCP Attacks

• Get all addresses
  – Denial Of Service
  – Reply to requests with compromised host set as router or nameserver
• Deregister hosts
  – hijack IPs, connections

DHCP Fixes

• Authentication
  – ISC is adding authentication in their 3.1 implementation
  – Others have implemented proprietary authentication mechanisms
• Don't allow dynamic assignment of DNS servers or routers
  – Statically define these

Gateway Protocols

• IGP
  – RIPv1
  – RIPv2
  – OSPF

RIP

• Routing Information Protocol
  – Widely used distance-vector IGP (Interior Gateway Protocol) within autonomous systems.
  – Exists in two forms, Version 1 and the backwards compatible Version 2.
• RIPv1 is extremely vulnerable to serious attack.

RIP Security Flaws

• Transport Method
• Authentication

RIP Transport Method Flaws

• Based on UDP, utilizing port 520 for sending and receiving messages.
  – UDP is unreliable, no sequencing of packets. Easy to send arbitrary data to target.
  – Since sequencing is not a concern, forging source address can be very effective.
  – May be able to receive data from anywhere on the internet.

RIP Authentication Flaws

• Lack of any authentication in RIPv1
• Cleartext Authentication recommended in RFC 2453 RIPv2 Specifications
• MD5 Key/KeyID Digest Based Authentication described in RFC 2082.

RIP Attacks

• Forging RIP messages
  – Spoofing source address and sending invalid routes, altering traffic flow.
    • Traffic Hijacking
    • Traffic Monitoring
    • Redirecting traffic from trusted to untrusted.
  – Obtaining Cleartext RIPv2 "password" when sent across network.
    • Using retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with consequences listed above.

RIP Solutions

• Disabling RIPv1 and using RIPv2 with MD5 authentication.
• Enabling MD5 based authentication for RIPv2
• Disabling RIP completely and using OSPF with MD5 authentication as interior gateway protocol. OSPF is the suggested IGP.

OSPF

• OSPF - Open Shortest Path First
  – Link-State Interior Gateway Protocol. In wide use within autonomous systems.
  – OSPF is the recommended IGP, intended as a replacement for RIP.

OSPF Security Flaws

• Authentication

OSPF Authentication Flaws

• Default Lack of Authentication
  – By default in some implementations, OSPF authentication may be off.
• Cleartext "simple password" Authentication
  – Commonly a default setting, clear-text password included in OSPF message used to authenticate peers.
• Type of authentication determined by "CODE" field in the OSPF message header.

OSPF Attacks

• Forging OSPF messages
  – Can be somewhat difficult but theoretically possible if no authentication required or cleartext password obtained.

OSPF Solution

• Enable MD5 Authentication in OSPF implementation.

VLANs

• VLAN is a virtual LAN.
• Switch is configured to divide up devices into VLANs.
• Device on one VLAN can't send to devices on another VLAN.

(Diagram: a single switch with its ports divided into separate VLANs.)

VLANs & Routers

• How to get from one VLAN to another?
  – Connect them with a router.

(Diagram: a switch whose VLANs are joined to each other through a router.)

Secure?

Layer 3…

(Diagram: seen at layer 3, hosts A, B, C and D form two separate networks: 192.168.0.1 and 192.168.0.2 on network 192.168.0.0, and 192.168.1.1 and 192.168.1.2 on network 192.168.1.0.)

Secure?

Layer 2…

At Layer 3, the switch is "invisible"; at Layer 2, the switch becomes "visible".

(Diagram: the same hosts A, B, C and D all attached to the one switch.)

TCP Handshaking

• Each TCP connection begins with three packets:
  – A SYN packet from sender to receiver.
    • "Can we talk?"
  – A SYN/ACK packet from receiver to sender.
    • "Fine – ready to start?"
  – An ACK packet from sender to receiver.
    • "OK, start"

TCP Handshaking

(Diagram: 192.168.0.20 sends an IP datagram Src: 192.168.0.20, Dest: 192.168.0.40 carrying a TCP packet with the SYN flag: "Can we talk?". 192.168.0.40 answers with an IP datagram Src: 192.168.0.40, Dest: 192.168.0.20 carrying a TCP packet with the SYN & ACK flags: "Fine, ready to start?". 192.168.0.20 then sends Src: 192.168.0.20, Dest: 192.168.0.40 carrying a TCP packet with the ACK flag: "OK, start".)

Tracking TCP Handshakes

• The destination machine has to track which machines it has sent a "SYN+ACK" to
• Keeps a list of TCP SYN packets that have had a SYN+ACK returned.
• When ACK is received, packet removed from list as connection is open.

TCP Denial Of Service

• What if the sender doesn't answer with an ACK?
  – A SYN packet from sender to receiver.
    • "Can we talk?"
  – A SYN/ACK packet from receiver to sender.
    • "Fine – ready to start?"
  – ……………………… nothing ……………………
• If the sender sends 100 SYN packets per second
  – Eventually receiver runs out of room to track the SYN+ACK replies
  – SYN flooding.

IP Spoofing

• A machine can place any IP address in the source address of an IP datagram.
• Disadvantage: Any reply packet will return to the wrong place.
• Advantage (to an attacker): No-one knows who sent the packet.
• If the sender sends 100 SYN packets per second with spoofed source addresses…
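The SYN+ACK tracking from the "Tracking TCP Handshakes" slide and the exhaustion described on the two slides above, as an added example that is not code from the slides: a listener keeps a bounded list of half-open connections, a completed handshake removes its entry, and SYNs with the spoofed source 62.49.10.1 (from the diagram that follows) that never ACK fill the list until a legitimate client is refused. The backlog size, the timeout and the client ports are constructed.

```python
class Listener:
    """The receiving side of the three-way handshake with a bounded SYN list."""

    def __init__(self, backlog, syn_timeout):
        self.backlog = backlog            # max half-open connections tracked (constructed)
        self.syn_timeout = syn_timeout    # seconds before a half-open entry is aged out
        self.half_open = {}               # (src_ip, src_port) -> time the SYN+ACK was sent
        self.dropped = 0                  # SYNs refused because the list was full
        self.established = 0

    def expire(self, now):
        """Age out entries whose ACK never came; without a flood defence this is the only relief."""
        for key in [k for k, t in self.half_open.items() if now - t > self.syn_timeout]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """'Can we talk?'  Returns True if a SYN+ACK was sent and is being tracked."""
        self.expire(now)
        if src in self.half_open:
            return True                   # retransmitted SYN, already tracked
        if len(self.half_open) >= self.backlog:
            self.dropped += 1             # no room to track another SYN+ACK
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        """'OK, start'  Completes the handshake and frees the tracking entry."""
        if src in self.half_open:
            del self.half_open[src]
            self.established += 1
            return True
        return False                      # ACK for a SYN+ACK we never sent: ignored


def scenario():
    """100 SYN/s for 3 s from the spoofed source on the slide, then a real client."""
    srv = Listener(backlog=128, syn_timeout=60)
    t = 0.0
    for i in range(300):
        # Spoofed source 62.49.10.1: the SYN+ACK goes to the wrong place, so no ACK arrives.
        srv.on_syn(("62.49.10.1", 40000 + i), t)
        t += 0.01
    real = ("192.168.0.20", 1025)
    refused = not srv.on_syn(real, t)                  # legitimate client during the flood
    later = t + srv.syn_timeout + 1                     # after the stale entries age out
    accepted = srv.on_syn(real, later) and srv.on_ack(real, later + 0.001)
    return {
        "dropped": srv.dropped,
        "refused_during_flood": refused,
        "accepted_after_timeout": accepted,
        "established": srv.established,
        "half_open_left": len(srv.half_open),
    }


if __name__ == "__main__":
    print(scenario())
```

The number of half-open entries per second, and the share of them that never complete, is the metric a defender watches: it climbs long before the backlog is exhausted.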

TCP Denial of Service

[Diagram: a stream of TCP packets with the SYN flag ("Can we talk?") arrives in IP datagrams with Src 62.49.10.1 and Dest 192.168.0.40. Each is answered by a TCP packet with the SYN & ACK flags ("Fine, ready to start?") in an IP datagram with Src 192.168.0.20 and Dest 62.49.10.1. The SYNs keep coming, the replies go to the spoofed address, and no handshake ever completes.]

SECURITY INNOVATION ©200368
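The detection side of the flood shown above, as an added example that is not code from the slides: replay a packet capture, keep one entry per half-open handshake, and alert when the backlog toward one service crosses a threshold. The capture is constructed (the 192.168.0.x hosts are the ones on the slides; the 203.0.113.x spoofed sources, `Segment` and `track_half_open` are my own choices).

```python
"""Half-open (SYN backlog) tracking for the SYN flood shown on the slides.

Added example, not code from the original deck.  The capture below is
constructed; `Segment`, `track_half_open` and the 203.0.113.x spoofed
sources are my own choices.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    t: float     # capture time in seconds
    src: str     # IP source address
    sport: int   # TCP source port
    dst: str     # IP destination address
    dport: int   # TCP destination port
    flags: str   # "S" = SYN, "SA" = SYN+ACK, "A" = ACK


def track_half_open(segments, threshold=50):
    """Replay segments in time order, keeping one entry per pending handshake.

    A SYN opens an entry keyed by the client's 4-tuple; the client's final
    ACK removes it.  The server's SYN+ACK does not change the table: until
    an ACK returns, the server has to remember the connection, and that
    memory is what a flood exhausts.  Returns the peak backlog and the
    completed handshakes per (dst, dport), plus one alert per service whose
    backlog reached `threshold`.
    """
    pending = {}            # (src, sport, dst, dport) -> time of the SYN
    peak = Counter()        # (dst, dport) -> highest backlog observed
    completed = Counter()   # (dst, dport) -> handshakes that finished
    alerts = []
    for seg in sorted(segments, key=lambda s: s.t):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == "S":
            pending[key] = seg.t
        elif seg.flags == "A" and pending.pop(key, None) is not None:
            completed[(seg.dst, seg.dport)] += 1
        # Recount the backlog per listening service after every segment.
        backlog = Counter((d, p) for (_, _, d, p) in pending)
        for service, n in backlog.items():
            peak[service] = max(peak[service], n)
            if n >= threshold and all(a["service"] != service for a in alerts):
                # Many distinct sources that never ACK is the signature of the
                # spoofed-source flood: those addresses never sent the SYN.
                sources = {s for (s, _, d, p) in pending if (d, p) == service}
                alerts.append({"service": service, "time": seg.t,
                               "half_open": n, "distinct_sources": len(sources)})
    return {"peak": dict(peak), "completed": dict(completed), "alerts": alerts}


def sample_capture():
    """Constructed capture: three normal handshakes from 192.168.0.20 to the
    web server 192.168.0.40:80 (the hosts on the slides), then 100 SYNs in
    one second from 100 different sources that never answer the SYN+ACK."""
    segs = []
    for i, sport in enumerate((2076, 2077, 2078)):
        t = 0.1 * i
        segs.append(Segment(t, "192.168.0.20", sport, "192.168.0.40", 80, "S"))
        segs.append(Segment(t + 0.01, "192.168.0.40", 80, "192.168.0.20", sport, "SA"))
        segs.append(Segment(t + 0.02, "192.168.0.20", sport, "192.168.0.40", 80, "A"))
    for i in range(100):
        src = f"203.0.113.{i + 1}"   # TEST-NET-3 addresses standing in for spoofed sources
        t = 1.0 + i / 100
        segs.append(Segment(t, src, 40000 + i, "192.168.0.40", 80, "S"))
        segs.append(Segment(t + 0.001, "192.168.0.40", 80, src, 40000 + i, "SA"))
        # No ACK ever follows: the spoofed host did not send the SYN.
    return segs


if __name__ == "__main__":
    report = track_half_open(sample_capture())
    print("completed handshakes:", report["completed"])
    print("peak backlog:", report["peak"])
    for alert in report["alerts"]:
        print("ALERT", alert)
```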

TCP/IP Ports

• Many processes on a single machine may be waiting for network traffic.
• When a packet arrives, how does the transport layer know which process it is for?
• The port allows the transport layer to deliver the packet to the application layer.
• Packets have source and destination port.
  – Source port is used by receiver as destination of replies.

SECURITY INNOVATION ©200369

Port Assignments

• Well known ports from 0 to 1023
  – http=port 80
  – smtp=port 25
  – syslog=port 514
  – telnet=23
  – ssh=22
  – ftp=21 + more…
• Registered ports from 1024 to 49151
• Dynamic or private ports from 49152 to 65535

SECURITY INNOVATION ©200370

Port Multiplexing

[Diagram: Host A runs the client programs putty, ie and netscape on ports 2076, 2077 and 2078; Host B runs telnet on Port 23 and apache on Port 80. Both hosts are drawn as a stack of Transport Layer, Internet Layer, Network Layer and Physical Network, with the data unit at each level labelled Message, Packet, Datagram and Frame.]

SECURITY INNOVATION ©200371

Ports in Action

[Diagram: hosts 192.168.0.20 and 192.168.0.40 joined by a switch. An HTTP message "GET index.html" for www.localserver.org is carried in a TCP Packet (Src Port: 2076, Dest Port: 80) inside an IP datagram (Src: 192.168.0.20, Dest: 192.168.0.40); the HTTP message with the contents of index.html returns in a TCP Packet (Src Port: 80, Dest Port: 2076) inside an IP datagram (Src: 192.168.0.40, Dest: 192.168.0.20). In parallel, a TELNET message travels in a TCP Packet (Src Port: 2077, Dest Port: 23) and its reply in a TCP Packet (Src Port: 23, Dest Port: 2077) between the same two addresses.]

SECURITY INNOVATION ©200372

Network Sniffers

• Network Interface Cards normally operate in non-promiscuous mode.
  – Only listen for frames with their MAC address
• A sniffer changes a NIC into promiscuous mode.
  – Reads frames regardless of MAC address.
• Many different sniffers
  – tcpdump
  – ethereal
  – Snort

SECURITY INNOVATION ©200373

Network Sniffers

SECURITY INNOVATION ©200374

Sniffing Legitimately

• Do they have legitimate uses?
  – Yes … when used in an authorized and controlled manner.
  – Network analyzers or protocol analyzers.
  – With complex networks, they are used for fault investigation and performance measurement.
  – Useful when understanding how a COTS product uses the network.

SECURITY INNOVATION ©200375

Detecting Sniffers

• Detecting a sniffing attack
• Very difficult, but sometimes possible
  – Tough to check remotely whether a device is sniffing. Approaches include:
    • Sending large volumes of data, then sending ICMP ping requests.
    • Sending data to unused IP addresses and watching for DNS requests for those IP addresses.
    • Exploiting operating system quirks.
  – AntiSniff, Security Software Technologies

SECURITY INNOVATION ©200376

Sniffer Safeguards

• Preventing attacks or limiting their effects
  – Basically a matter of network and system design security
  – Examples of safeguards are:
    • Use of non-promiscuous interfaces.
    • Encryption of network traffic.
    • One-time passwords e.g. SecurId, skey.
    • Lock MAC addresses to switch ports – not effective.

SECURITY INNOVATION ©200377

Packet Sniffing

• Recall how Ethernet works …
• When someone wants to send a packet to someone else …
• They put the bits on the wire with the destination MAC address …
• And remember that other hosts are listening on the wire to detect collisions …
• It couldn’t get any easier to figure out what data is being transmitted over the network!

SECURITY INNOVATION ©200378

Packet Sniffing

• This works for wireless too!
• In fact, it works for any broadcast-based medium

SECURITY INNOVATION ©200379

Packet Sniffing

• What kinds of data can we get?
• Asked another way, what kind of information would be most useful to a malicious user?
• Answer: Anything in plain text
  – Passwords are the most popular

SECURITY INNOVATION ©200380

Packet Sniffing

• How can we protect ourselves?
• SSH, not Telnet
  – Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
  – Now that I have told you this, please do not exploit this information
  – Packet sniffing is, by the way, prohibited by Computing Services
• HTTP over SSL
  – Especially when making purchases with credit cards!
• SFTP, not FTP
  – Unless you really don’t care about the password or data
  – Can also use KerbFTP (download from MyAndrew)
• IPSec
  – Provides network-layer confidentiality

SECURITY INNOVATION ©200381

Example applications

• Defeat sniffing
  – Race hosts on ARP replies
  – reply to ARP’s with broadcast address
  – overpopulate caches
    • some switches will flush their caches
  – alter routing on the host you want to sniff

SECURITY INNOVATION ©200382

Networks at the Building Level

• New Threats
  – Backbone which connects LANs
  – Interconnections between the LAN and the backbone
  – Control of information flow within a larger network
  – Network Management itself

SECURITY INNOVATION ©200383

Backbone

[Diagram: a backbone linking the Human Resources, Finance, Sales and Development LANs.]

SECURITY INNOVATION ©200384

Network Backbone Threats I

• Backbone carries all inter-LAN traffic
• Confidentiality
  – All data could be eavesdropped
• Integrity
  – Any errors could affect all the network traffic
• Availability
  – Loss of backbone means that workgroups would be unable to communicate with each other

SECURITY INNOVATION ©200385

Network Backbone Threats II

• Overview of Threats
  – Point of interconnection between workgroup and backbone is a sensitive area
  – From security viewpoint it:
    • Provides a point of access to the backbone
    • Provides a point of access to all the data associated with a workgroup
    • Damage at this point could affect both the workgroup and the backbone

SECURITY INNOVATION ©200386

Network Management

• An overview
  – Management of complex networks is a difficult task
  – Specialised tools are available (including HP OpenView, IBM Netview, Cabletron Spectrum, Sun NetManager)

SECURITY INNOVATION ©200387

Fault Handling

• Without network management, faults will:
  – Disrupt network operation
  – Require substantial effort to identify
  – Require a long time to repair
• Network Management facilities combined with intelligent devices allow:
  – Faults to be handled / identified locally
  – Alert messages to be raised and gathered centrally
  – Appropriate actions to be taken

SECURITY INNOVATION ©200388

Further Integration

• Physical Network
  – Cable Management Systems
  – Actual device locations
• Servers and Workstations
  – Server disk space monitoring
  – Printer status

SECURITY INNOVATION ©200389

LAN Safeguards - I

• Partitioning
  – With a building network there will be different types of information being processed
  – Some types of data will require extra protection e.g.
    • Finance
    • Personnel / Human Resources
    • Internal Audit
    • Divisional heads
  – Two situations where extra controls are needed
    • Physically separate group or team
    • Widely distributed group of staff

SECURITY INNOVATION ©200390

DHCP

• Dynamic Host Configuration Protocol
  – Popular amongst PC users for ease of installation and configuration
  – UDP transport
  – To broadcast, from 0.0.0.0

SECURITY INNOVATION ©200391

DHCP Security Problems

• Unauthenticated
  – Anyone can request an address
• Undirected
  – Anyone can respond
• Limited ACL capabilities
  – Limit addresses per MAC

SECURITY INNOVATION ©200392

DHCP Attacks

• Get all addresses
  – Denial Of Service
  – Reply to requests with compromised host set as router or nameserver
• Deregister hosts
  – hijack IPs, connections

SECURITY INNOVATION ©200393

DHCP Fixes

• Authentication
  – ISC is adding authentication in their 3.1 implementation
  – Others have implemented proprietary authentication mechanisms
• Don’t allow dynamic assignment of DNS servers or routers
  – Statically define these

SECURITY INNOVATION ©200394

LAN Safeguards - II

• Partitioning
  – Network configured so that:
    • Group workstations cabled to their own switch
    • Switches programmed to restrict data flow onto the backbone
  – Add a Firewall
    • Control use of any network services
    • Control systems that can be contacted

SECURITY INNOVATION ©200395

LAN Safeguards – III

• Other Considerations
  – If workgroup users are not located in a single area, different measures must be adopted
  – In most cases, addressing is used to control traffic flow but does not prevent traffic being read in transit
  – Higher level of security can be provided by encryption, but:
    • Does the encryption mechanism understand the network protocol?
    • What is the performance impact of encryption?
    • How are encryption keys generated, distributed, and stored?
    • Will a workstation on the encrypted workgroup be able to communicate with an unencrypted server?

SECURITY INNOVATION ©200396

MAN - I

• Metropolitan Area Network
• New Environment
  – A network which encompasses several closely located buildings (sometimes also called a campus network)
  – Such expanded network environments bring additional security concerns:
    • Network exposed to outside world
    • Problems of scale

SECURITY INNOVATION ©200397

MAN Example

[Diagram: Building A, Building B and Building C linked into one metropolitan area network.]

SECURITY INNOVATION ©200398

MAN - II

• Exposure to outside world
  – Network has left the security of the building
  – Small scale may rule out encryption
  – New risks must be assessed
    • Private or public areas
  – Investigate constraints on solution
    • e.g. buried or elevated links
  – May need non-physical links
    • e.g. Laser, infra-red, microwave

SECURITY INNOVATION ©200399

MAN - III

• Problem of scale
  – Information flow must be controlled, and faulty network components (in one building) must not affect other buildings, so:
    • Filters / bridges / firewalls will be needed
  – Network Information Centre (NIC) is required
  – Normally a second level backbone is used

SECURITY INNOVATION ©2003100

WAN - I

• Wide Area Network
  – National or International network
• Threats Become More Significant:
  – Sensitive data (including passwords) much more widely transmitted
  – Switched network rather than point-to-point
  – Change management errors
  – Dark-room equipment sites
  – Unauthorised access to network links
  – Traffic flow monitoring (is this an issue?)

SECURITY INNOVATION ©2003101

Gateway Protocols

• IGP
  – RIPv1
  – RIPv2
  – OSPF

SECURITY INNOVATION ©2003102

RIP

• Routing Information Protocol
  – Widely used distance-vector IGP (Interior Gateway Protocol) within autonomous systems.
  – Exists in two forms, Version 1 and the backwards compatible Version 2.
• RIPv1 is extremely vulnerable to serious attack.

SECURITY INNOVATION ©2003103

RIP Security Flaws

• Transport Method
• Authentication

SECURITY INNOVATION ©2003104

RIP Transport Method Flaws

• Based on UDP, utilizing port 520 for sending and receiving messages.
  – UDP is unreliable, no sequencing of packets. Easy to send arbitrary data to target.
  – Since sequencing is not a concern, forging source address can be very effective.
  – May be able to receive data from anywhere on the internet.

SECURITY INNOVATION ©2003105

RIP Authentication Flaws

• Lack of any authentication in RIPv1
• Cleartext Authentication recommended in RFC 2453 RIPv2 Specifications
• MD5 Key/KeyID Digest Based Authentication described in RFC 2082.

SECURITY INNOVATION ©2003106

RIP Attacks

• Forging RIP messages
  – Spoofing source address and sending invalid routes, altering traffic flow.
    • Traffic Hijacking
    • Traffic Monitoring
    • Redirecting traffic from trusted to untrusted.
  – Obtaining Cleartext RIPv2 "password" when sent across network.
    • Using retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with consequences listed above.

SECURITY INNOVATION ©2003107

RIP Solutions

• Disabling RIPv1 and using RIPv2 with MD5 authentication.
• Enabling MD5 based authentication for RIPv2
• Disabling RIP completely and using OSPF with MD5 authentication as interior gateway protocol. OSPF is the suggested IGP.

SECURITY INNOVATION ©2003108

OSPF

• OSPF - Open Shortest Path First
  – Link-State Interior Gateway Protocol. In wide use within autonomous systems.
  – OSPF is the recommended IGP, intended as a replacement for RIP.

SECURITY INNOVATION ©2003109

OSPF Security Flaws

• Authentication

SECURITY INNOVATION ©2003110

OSPF Authentication Flaws

• Default Lack of Authentication
  – By default in some implementations, OSPF authentication may be off.
• Cleartext "simple password" Authentication
  – Commonly a default setting, clear-text password included in OSPF message used to authenticate peers.
• Type of authentication determined by "CODE" field in the OSPF message header.

SECURITY INNOVATION ©2003111

OSPF Attacks

• Forging OSPF messages
  – Can be somewhat difficult but theoretically possible if no authentication required or cleartext password obtained.

SECURITY INNOVATION ©2003112

OSPF Solution

• Enable MD5 Authentication in OSPF implementation.

SECURITY INNOVATION ©2003113

Authentication Flaw Overview

• Authentication is a means for verification and granting of access
• Problems range from denial of service to active and passive attacks leading to total compromise
  – gain access
  – elevate access

SECURITY INNOVATION ©2003114

Global WAN

SECURITY INNOVATION ©2003115

WAN - II

• Impact of different media
  – Fiber
    • Minimal external radiation
    • Special equipment required for tapping
    • Normally a tap causes disruption of service
  – Satellite, radio, or microwave
    • Extensive external radiation
    • Special (but easily available) equipment needed for tapping
    • Tapping does not disrupt services
    • Carrier MIGHT provide some encryption

SECURITY INNOVATION ©2003116

WAN - III

• Partitioning Networks - Physical Separation
  – Provides good separation
  – Conceptually easy to understand
  – Legacy approach - in the days when adequate logical separation was not possible
    • Still done in very secure networks
  – Sharing data is difficult and uncontrolled
  – Costly

SECURITY INNOVATION ©2003117

WAN - IV

• Partitioning Networks - Logical Separation
  – Closed User Groups
    • Multiple virtual networks on one physical one
    • Based on network addresses
    • Managed by the Network Management Centre (NMC)
  – PVCs (Permanent Virtual Circuits)
  – Cryptography

SECURITY INNOVATION ©2003118

WAN - V

• Data Confidentiality
  – Choice of physical media
  – Network Partitioning
  – Link Encryption (Layer 2)
  – End-to-end Encryption (Layer 4)
  – Key and equipment management issues

SECURITY INNOVATION ©2003119

WAN - VI

• Link Encryption
  – For individual links
  – Protocol Independent
  – Throughput is not normally an issue
  – Moderate cost (£700-£1000 per unit)
• But Link Encryption for Larger Networks
  – Is expensive
  – Is a management burden
  – Data is not protected inside switches

SECURITY INNOVATION ©2003120

WAN – VII

• Conditions of Connection (COC)
  – Very powerful tool for Network Services Dept. when it does not have direct authority
  – Details users’ responsibilities
    • Responsible for security of their end systems
    • Comply with COC’s standards
    • Control access to end-systems and equipment
    • Protect user-ids, passwords etc.
    • Become security aware
    • Support tests, investigations etc.
  – User management signs up to it before getting the network service

SECURITY INNOVATION ©2003121

Internet

• Internet connection prerequisite for most corporations
• Web browsing, email, file transfer
• Increasingly used for business critical applications
• Possible to replace expensive WAN link with Internet VPN link
• Threats Become Critical
  – Route of sensitive data not guaranteed
  – Availability not guaranteed
    • Denial of service attacks are a real risk
  – Any Internet host can probe any other host
  – Plenty of malicious content (viruses, Trojans, pornography)

SECURITY INNOVATION ©2003122

Internet Safeguards

• Firewalls to filter IP traffic
• DeMilitarized Zones to isolate Internet-facing machines from internal networks
• Content filters to filter email & web traffic content
• VPNs to protect critical applications
• Vital to understand how applications communicate, to understand whether risk exists.

SECURITY INNOVATION ©2003123

Printer Flaws

• Actually a very large potential problem
• Laundering of hacking spoils
• bounce attacks
• Denial of service

SECURITY INNOVATION ©2003124

Printer flaws...

• Many printers have FTP servers
  – Allow anonymous access
    • store as much data as memory or disk space in the printer - great place to store hacking tools, sniffer logs, and other stolen things
  – Most are poor implementations
    • easily used in more complex attacks
      – ftp bounce
      – Berkeley lpd flaws

SECURITY INNOVATION ©2003125

Printer flaws...

• Denial of Service
  – Used as a tool to conduct DoS
    • most love to respond to broadcast pings
      – smurf
  – Service denied
    • poor tcp/ip implementations
      – crash easily
    • poor service implementation
      – SNMP
      – ftp

SECURITY INNOVATION ©2003126

Printer fixes?

• Disable everything you can

SECURITY INNOVATION ©2003127

What to do?

• Maintain good perimeter defenses
  – At least you only have to trust your employees…
• Use cryptographically secure transports
  – Crypto is good
    • But crypto fails without good policy
• Disable unneeded services
  – Not using SNMP?

SECURITY INNOVATION ©2003128

What to do...

• Disable things like routed on hosts
  – 99% of the time, static routes work fine on end machines
• Use the strongest authentication methods possible
  – Long keys, strong crypto
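The hardening steps above (disable unneeded services such as SNMP and routed, keep end hosts on static routes) can be turned into a repeatable check. The following is an added example, not code from the slides: it parses constructed `ss -tulnp`-style listener lines and flags every network-reachable listener that is not on an admin-maintained allowlist, attaching the slides' recommendation for the well-known ports (SNMP 161/udp, RIP/routed 520/udp, FTP 21/tcp, lpd 515/tcp); the service names, PIDs and allowlist are assumptions.

```python
# Added example, not from the original slides: audit ss-style listener
# lines against an allowlist and flag services the slides say to disable.
import re

# Constructed sample in the shape of `ss -tulnp` output (not a real capture).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=812,fd=7))
udp   UNCONN 0      0      0.0.0.0:520        0.0.0.0:*         users:(("routed",pid=640,fd=5))
tcp   LISTEN 0      128    0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=901,fd=3))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=755,fd=6))
"""

# Services the slides single out; the text is the recommended action.
RISKY = {
    ("udp", 161): "SNMP: disable unless it is actually used for management",
    ("udp", 520): "routed/RIP: static routes suffice on end hosts",
    ("tcp", 21): "FTP: plaintext credentials; disable or use an encrypted transport",
    ("tcp", 515): "lpd: historically flawed; disable if not printing through it",
}
# Services the host is expected to offer (allowlist maintained by the admin; assumed).
ALLOWED = {("tcp", 22)}

LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_listeners(ss_output):
    """Return (proto, local_addr, port) for each listener line; skips the header."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found

def audit(ss_output, allowed=ALLOWED):
    """Return (proto, port, reason) findings for network-reachable listeners."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        if (proto, port) in allowed:
            continue
        if addr.startswith("127.") or addr in ("::1", "[::1]"):
            continue  # loopback-only: not reachable from the network
        reason = RISKY.get((proto, port), "not on the allowlist: review or disable")
        findings.append((proto, port, reason))
    return findings
```

Run against real `ss -tulnp` output, the findings list is the "disable everything you can" worklist; anything left must earn its place on the allowlist.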

Social Problems

• People can be just as dangerous as unprotected computer systems
  – People can be lied to, manipulated, bribed, threatened, harmed, tortured, etc. to give up valuable information
  – Most humans will break down once they are at the “harmed” stage, unless they have been specially trained
    • Think government here…

Social Problems

• Fun Example 1:
  – “Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me”

Social Problems

• Fun Example 2:
  – Someone calls you in the middle of the night
    • “Have you been calling Egypt for the last six hours?”
    • “No”
    • “Well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2000 worth of charges on your card and … read off your AT&T card number and PIN and then I’ll get rid of the charge for you”

Social Problems

• Fun Example 3:
  – Who saw Office Space?
  – In the movie, the three disgruntled employees installed a money-stealing worm onto the company's systems
  – They did this from inside the company, where they had full access to the company's systems
    • What security techniques can we use to prevent this type of access?

Social Problems

• There aren’t always solutions to all of these problems
  – Humans will continue to be tricked into giving out information they shouldn’t
  – Educating them may help a little here, but, depending on how badly the attacker wants the information, there are a lot of bad things they can do to get it
• So, the best that can be done is to implement a wide variety of solutions and more closely monitor who has access to what network resources and information
  – But, this solution is still not perfect

Conclusions

• The Internet works only because we implicitly trust one another
• It is very easy to exploit this trust
• The same holds true for software
• It is important to stay on top of the latest CERT security advisories to know how to patch any security holes