PPT - KEN-LAMB.INFO

CompTIA Network+ Week 11

Outcomes
• Network Security
• Confidentiality
• Integrity
• Availability
• Network Attacks
• Firewalls
• Access Control Lists
• Remote Access Security
• Virtual Private Network
• Intrusion Detection & Prevention

Network Security
• Most if not all networks in use today depend on connectivity with other networks, through private connections or, increasingly, the internet. While this connectivity allows flexibility in business transactions and operations, connecting to the internet increases the risk of an external (or internal) security breach.
• Most of today's networks allow customer contact and in many instances e-commerce. Most corporate networks can be considered large and interconnected with other networks, and their devices and applications are also increasing in complexity, with large amounts of stored information.
• The three primary goals of network security for corporate networks are:
• Confidentiality – keeping information private; access control
• Integrity – protecting data in transit so that it is not modified
• Availability – availability of information, i.e. server and network uptime

Confidentiality
• Data or information can be kept confidential by restricting access to sensitive information. This can be achieved by:
• Encryption – encrypts traffic across the network, encoding data so that the information can only be decoded by the intended recipient using a shared key. Most encryption algorithms use a key to encrypt and decrypt by carrying out mathematical calculations. Encryption comes in two forms: symmetric encryption and asymmetric encryption.
• Firewall or Access Control Lists (ACLs) – setting or configuring devices to permit or deny certain types of traffic: denying or allowing access to specific servers or websites, denying or allowing the ability to download or upload data.
• Enforcing user credentials to access information – forcing users to log on to the network to access services and servers. Individual users or groups can be allocated certain rights based on function or job role, and applications can also record activities, i.e. changes to information.

Confidentiality - Symmetric Encryption
• In symmetric encryption, both sender and receiver use the same key to encrypt the information. Symmetric encryption is faster than asymmetric encryption as the keys are locally available. Encryption methods used are:
• DES – Data Encryption Standard (DES) uses a 56-bit key for encryption, but note this is considered weak on present networks.
• 3DES – Triple DES uses three 56-bit DES keys (168 bits) for encryption and is considered strong encryption; however, implementations of 3DES can vary:
1) All three 56-bit keys are different
2) Two of the 56-bit keys are the same
3) All three 56-bit keys are the same
• AES – Advanced Encryption Standard (AES) is considered the preferred method for symmetric encryption; AES comes in 128-, 192- or 256-bit key versions.

[Diagram: client and server each hold the shared session key; data crossing the internet is encrypted with the shared session key between server and client.]
Confidentiality - Asymmetric Encryption
• Asymmetric encryption is slower than symmetric but its security is higher; asymmetric encryption uses different keys for the sender and receiver of information. Asymmetric encryption is generally not used to encrypt large amounts of data but is used during authentication or for sharing and exchanging keys.
• RSA – named after its creators, RSA is used with Public Key Infrastructure (PKI), using digital certificates and a certificate authority (CA), for secure communication across the internet.

[Diagram: client, server and certificate authority connected across the internet]
Step 1 – Client requests the server's digital certificate
Step 2 – Server returns its digital certificate (signed by the certificate authority)
Step 3 – Server's public key is extracted from the digital certificate
Step 4 – Client generates a session key and encrypts it with the server's public key
Step 5 – Client's session key, encrypted with the server's public key, is sent to the server
Step 6 – Server decrypts the client's session key with the server's private key
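The six steps above, carried through end to end, as an added example that is not part of the original slides. It uses a toy RSA with tiny textbook primes in place of real RSA and a SHA-256 counter keystream in place of AES; the primes, the certificate layout and the session-key size are constructed assumptions for illustration, and none of it is secure for real use.

```python
import hashlib
import secrets
from math import gcd

# Added example (not from the slides): the six-step key exchange above, end to end.
# Toy RSA with tiny textbook primes stands in for real RSA, and a SHA-256 counter
# keystream stands in for AES; both are constructed for illustration and are not secure.


def rsa_keypair(p, q, e=17):
    """Textbook RSA key generation from two small primes (constructed toy values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime with phi(n)"
    d = pow(e, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)


def rsa_apply(block, key):
    """Raw RSA on one integer block: the public key encrypts, the private key decrypts."""
    exp, n = key
    return pow(block, exp, n)


def rsa_blocks(data, key):
    """Apply RSA byte by byte (toy: real RSA uses one padded block, not per-byte)."""
    return [rsa_apply(b, key) for b in data]


def keystream_xor(key, data):
    """Symmetric stand-in for AES: XOR the data with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _cert_digest(public_key):
    e, n = public_key
    return hashlib.sha256(f"{e}:{n}".encode()).digest()


def issue_certificate(server_public, ca_private):
    """Step 2: the CA signs the server's public key (toy signature = RSA with the CA private key)."""
    return {"server_public": server_public,
            "ca_signature": rsa_blocks(_cert_digest(server_public), ca_private)}


def verify_certificate(cert, ca_public):
    """Step 3: the client checks the CA signature before trusting the key inside."""
    recovered = rsa_blocks(cert["ca_signature"], ca_public)
    return recovered == list(_cert_digest(cert["server_public"]))


def hybrid_exchange(plaintext):
    """Run steps 1-6, then carry data under the session key.
    Returns (client's session key, server's recovered session key, decrypted data)."""
    ca_public, ca_private = rsa_keypair(101, 113)        # trusted certificate authority
    server_public, server_private = rsa_keypair(61, 53)

    cert = issue_certificate(server_public, ca_private)   # steps 1-2: request and receive certificate
    if not verify_certificate(cert, ca_public):           # step 3: validate, then extract public key
        raise ValueError("certificate was not signed by the trusted CA")
    public_key = cert["server_public"]

    client_key = secrets.token_bytes(16)                  # step 4: random 128-bit session key
    wrapped = rsa_blocks(client_key, public_key)          # ... encrypted with the server's public key
    server_key = bytes(rsa_apply(c, server_private) for c in wrapped)  # steps 5-6: server unwraps it

    ciphertext = keystream_xor(client_key, plaintext)     # bulk data: fast symmetric encryption
    return client_key, server_key, keystream_xor(server_key, ciphertext)
```

The point of the check in step 3 is that a certificate signed by anyone other than the trusted CA is rejected before its public key is used; only the slow asymmetric operation protects the short session key, and the bulk data then travels under the fast symmetric key, which is why the slide says asymmetric encryption is reserved for authentication and key exchange.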
Integrity
• Integrity of data sent and received is paramount on any network. Violations of data integrity can include:
• Modifying or replicating a corporate web site
• Intercepting and modifying e-commerce transactions
• Modifying information stored electronically
• Using a hash algorithm can provide integrity for data transmitted and received: the sender runs a hash algorithm on the data and also sends the hash digest; the recipient receives the data and, using the same hash algorithm, calculates the digest. A hash algorithm produces a hash digest of the same length irrespective of the size of the data. The two most common types are:
• Message Digest 5 (MD5) – 128-bit hash digest
• Secure Hash Algorithm 1 (SHA-1) – 160-bit hash digest
• To improve integrity further, a Hash-Based Message Authentication Code (HMAC) is used. This uses an additional secret key in calculating the hash value, so an attacker attempting to modify the information would need to have the secret key.

Availability
• Availability is a measure of uptime for servers, network, applications, devices or systems, and is measured as a percentage. For instance, a server with 99.999% ("five nines") availability will have a downtime of 5 minutes per year.
• Compromising network availability can be done by consuming resources on the network or on attached devices. Network compromises can be listed as different attacks:
• Confidentiality Attack – attempts to make confidential information viewable by the attacker; often a copy of the information is made rather than manipulating the information.
• Integrity Attack – attempts to alter information by modifying it before it reaches the recipient or server.
• Availability Attack – limits the accessibility of a server or system by consuming system resources such as processor or memory.

Confidentiality Attack
1. Attacker exploits a known software vulnerability on the web server, i.e. patches not applied to the web server, and is able to control the server.
2. Attacker uses the trust relationship between the web server and the target server to extract customer confidential information.
3. Attacker uses the stolen information (credit card details) to make purchases from Company B's e-commerce server.

[Diagram: attacker on the internet; Step 1 to Company A's web server, Step 2 from the web server to Company A's target server, Step 3 to Company B's e-commerce server.]
Other Confidentiality Attacks
Method – Description
• Packet Capture – Placing the NIC in promiscuous mode and using software such as Wireshark or a protocol analyser to capture packets and decipher them to obtain sensitive information
• Ping Sweep & Port Scan – Pinging a series of IP addresses to check for a response and then continuing to probe the responding device or server; a port scan checks a range of UDP and TCP ports to identify which services are running for exploitation
• EMI – As copper (UTP) is the choice for most local connections, intercepting the EMI being emitted can be used for confidentiality attacks
• Wire Tapping – Accessing the MDF (main distribution frame) to eavesdrop on data cables and capture data packets for analysis
• Social Engineering – Using or leveraging other people's desire to be helpful, i.e. to gain access to the communications room or to systems
• FTP Bounce – The FTP client has a number of commands for setting up and managing file transfers; one of these is PORT. The standard FTP port number is 21, and an attacker can abuse this command by supplying another IP address and an open port number. However, most modern FTP servers will not accept a PORT command that specifies a different IP address from the client's own.

Integrity Attack
Integrity attacks attempt to alter (compromise) information being sent. Consider the diagram below: a man-in-the-middle attack has been initiated by the attacker, who presents a similar-looking web site to the customer in place of the bank server, and the attacker is able to carry out a fraudulent transaction.

[Diagram: the customer (Acc #1234) sends "TRANSACTION: Deposit £500 in Acc #1234" across the internet; the attacker (Acc #9876) intercepts it and forwards "TRANSACTION: Deposit £500 in Acc #9876" to the bank server.]
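The hash and HMAC integrity checks from the Integrity slide, applied to the altered transaction in the man-in-the-middle diagram above, as an added example that is not part of the original slides. The transaction text, the account numbers and the shared secret are constructed sample values; the digest algorithms are the MD5 and SHA-1 named on the slide.

```python
import hashlib
import hmac

# Added example (not from the slides): the hash and HMAC integrity checks from the
# Integrity slide, applied to the bank transaction in the man-in-the-middle diagram.
# The transaction text and the shared secret are constructed sample values.


def digest_bits(algorithm):
    """Digest length is fixed whatever the input size: 128 bits for MD5, 160 for SHA-1."""
    return hashlib.new(algorithm).digest_size * 8


def send_with_hash(message, algorithm="sha1"):
    """Sender: transmit the data together with its plain hash digest."""
    return message, hashlib.new(algorithm, message).hexdigest()


def verify_with_hash(message, digest, algorithm="sha1"):
    """Receiver: recompute the digest with the same algorithm and compare."""
    return hmac.compare_digest(hashlib.new(algorithm, message).hexdigest(), digest)


def send_with_hmac(message, secret, algorithm="sha1"):
    """Sender: transmit the data with an HMAC tag keyed by a secret the attacker lacks."""
    return message, hmac.new(secret, message, algorithm).hexdigest()


def verify_with_hmac(message, tag, secret, algorithm="sha1"):
    """Receiver: recompute the HMAC with the shared secret and compare in constant time."""
    return hmac.compare_digest(hmac.new(secret, message, algorithm).hexdigest(), tag)


def man_in_the_middle(message, check_value, recompute=None):
    """Attacker rewrites the account number in transit. With a plain hash the attacker
    can recompute the digest for the altered data; with an HMAC (no secret) the old tag
    is all that can be forwarded."""
    altered = message.replace(b"#1234", b"#9876")
    return altered, (recompute(altered) if recompute else check_value)


def demo(secret=b"constructed-shared-secret"):
    """Returns (plain hash detects tampering?, HMAC detects tampering?)."""
    msg = "TRANSACTION: Deposit \u00a3500 in Acc #1234".encode("utf-8")

    # Plain digest: the attacker recomputes SHA-1 over the altered data, so it verifies.
    sent, digest = send_with_hash(msg)
    tampered, forged = man_in_the_middle(sent, digest, lambda m: hashlib.sha1(m).hexdigest())
    plain_hash_detects = not verify_with_hash(tampered, forged)

    # HMAC: without the secret the attacker cannot produce a valid tag, so it fails.
    sent, tag = send_with_hmac(msg, secret)
    tampered, forwarded_tag = man_in_the_middle(sent, tag)
    hmac_detects = not verify_with_hmac(tampered, forwarded_tag, secret)
    return plain_hash_detects, hmac_detects
```

A plain digest sent alongside the data only protects against accidental corruption, because whoever can change the data can also recompute the digest; the HMAC secret has to be agreed out of band (for example through the key exchange on the asymmetric encryption slide) so that the receiver, and only the receiver, can recompute the tag.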
Method – Description
• Salami Attack – A series of small attacks resulting in a larger attack when combined, i.e. small fraudulent transactions on credit cards
• Data Diddling – Changing data before it is stored; a virus, Trojan horse or worm could intercept keyboard input and modify the information
• Virus – A piece of code that an end user executes
• Trojan horse – A program that appears to serve one purpose but performs another task, i.e. collecting information
• Worm – Can infect a system or propagate further without user intervention
• Password attack – Attempts to capture user passwords, through a Trojan horse, Packet Capture (using an application such as Wireshark), a Key Logger (using a device to log, store and send key strokes) or Brute Force (tries password combinations)
• Botnet – A program that is installed on a computer through a Trojan horse and then controlled remotely
• Session Hijacking – Hijacking a TCP session by intercepting the three-way TCP handshake process

Availability Attack
Availability attacks try to limit usability of the system by consuming system resources such as the processor and overloading memory. For example, a Denial of Service (DoS) attack floods the target system with data requests, consuming system resources and rendering the server unusable. Distributed Denial of Service (DDoS) uses multiple systems to compromise the target server.

[Diagram: attacker, using a spoofed IP address to conceal identity, sends a flood of requests across the internet to the target server.]
TCP SYN Flood – initiates multiple TCP sessions by sending SYN segments using spoofed IP addresses but never completes the 3-way handshake, eventually compromising the server's ability to accept connections.

[Diagram: SYN from spoofed 10.1.2.3 and SYN from spoofed 172.16.2.3 arrive at the target server across the internet; the server replies SYN & ACK to 10.1.2.3 and SYN & ACK to 172.16.2.3, which never complete the handshake.]
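Detection logic for the SYN flood shown above, run over a constructed packet log, as an added example that is not part of the original slides. The log format ("time src sport dst dport flags"), the server addresses and the alert threshold are assumptions made for this example; the two spoofed addresses are the ones on the diagram, and the others are from documentation ranges.

```python
from collections import defaultdict

# Added example (not from the slides): detection logic for the SYN flood described above,
# run over constructed packet-log lines. The log format "time src sport dst dport flags"
# and the addresses are made up for this example; flags S = SYN, SA = SYN+ACK, A = ACK.

SAMPLE_LOG = """\
0.00 192.168.1.10 40001 10.1.1.5 80 S
0.01 10.1.1.5 80 192.168.1.10 40001 SA
0.02 192.168.1.10 40001 10.1.1.5 80 A
1.00 10.1.2.3 1025 10.1.1.5 80 S
1.01 10.1.1.5 80 10.1.2.3 1025 SA
1.02 172.16.2.3 1026 10.1.1.5 80 S
1.03 10.1.1.5 80 172.16.2.3 1026 SA
1.04 203.0.113.7 1027 10.1.1.5 80 S
1.05 198.51.100.9 1028 10.1.1.5 80 S
1.06 192.0.2.44 1029 10.1.1.5 80 S
1.07 10.9.9.9 1030 10.1.1.5 80 S
2.00 192.168.1.11 40002 10.1.1.6 25 S
2.01 10.1.1.6 25 192.168.1.11 40002 SA
2.02 192.168.1.11 40002 10.1.1.6 25 A
"""


def parse_log(log):
    """Yield (time, src, sport, dst, dport, flags) tuples from the constructed log."""
    for line in log.splitlines():
        if line.strip():
            t, src, sport, dst, dport, flags = line.split()
            yield float(t), src, int(sport), dst, int(dport), flags


def half_open_connections(log):
    """Map each (dst, dport) to the set of (src, sport) whose SYN was never followed
    by the client's ACK, i.e. the handshake was left half-open."""
    pending = defaultdict(set)
    for _, src, sport, dst, dport, flags in parse_log(log):
        if flags == "S":
            pending[(dst, dport)].add((src, sport))
        elif flags == "A":
            pending[(dst, dport)].discard((src, sport))
    return pending


def syn_flood_alerts(log, threshold=5):
    """Alert on services holding at least `threshold` half-open connections. Many
    distinct sources that never complete the handshake is consistent with spoofed SYNs."""
    alerts = []
    for (dst, dport), pend in half_open_connections(log).items():
        if len(pend) >= threshold:
            alerts.append({"dst": dst, "dport": dport,
                           "half_open": len(pend),
                           "distinct_sources": len({src for src, _ in pend})})
    return alerts
```

The completed handshakes (the web client at 0.02 and the mail client at 2.02) leave no state behind, while the six spoofed SYNs to port 80 each remain half-open; counting half-open entries per service rather than total SYNs is what separates a busy server from one under a SYN flood.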
Availability Attack
Availability attacks also attempt to compromise a memory buffer, causing a buffer overflow, which can lead to a program crash as the stored data spills into other parts of the system.
One form of network attack is an ICMP attack, where continuous pings are sent to the target server, flooding its buffers. Another form, ICMP ping of death, is where the attacker spoofs the target server's address and sends a ping request to a subnet; the devices on the subnet reply to the spoofed address, rendering the server unable to communicate.
Availability Attack
• On a physical level an attacker can render a network or servers unusable by interfering with electrical supply feeds, causing:
• Power Fault – electrical outage
• Electrical Surge – excess power for an extended period, damaging equipment
• Power Spike – excess power for a brief period, damaging equipment
• Brownout – extended reduction in voltage or power
• Power Sag – brief reduction in power
• Blackout – extended reduction in power, rendering equipment inoperable
• To combat electrical power issues, Uninterruptible Power Supplies (UPS) are used. Other physical environment concerns are room temperature, humidity and the gas used to protect the room.

Availability Attack - Mitigation
Mitigation of availability attacks starts with the basics. Availability attacks need user intervention to be successful, so educating users to follow good practices is important: never giving out passwords or storing them, using a range of upper-case and lower-case letters and numbers, forcing regular password changes, and not opening e-mail attachments from unknown sources.
Applying patches to operating systems and applications and having an Acceptable Use Policy (AUP) is considered good practice.
Incident Response
Technical Policy – duties of IT staff for: servers, e-mail, wireless networks, remote access
End User Policy – user AUP; consequences for non-compliance
Governing Policy – issues addressed by the policy; security concepts; compliance with policies; consequences for non-compliance; relevance to the work environment
Reaction to a security violation considers:
• Motive
• Means
• Opportunity
Documentation
Standards – OS, applications, configurations
Guidelines – mandatory practices
Procedures – configuration guides

Vulnerability Scanners
Once a network has been installed, configured and tested, it is periodically tested for vulnerabilities or weaknesses using applications such as Nessus or Nmap.
Nessus – a comprehensive vulnerability scanner developed by Tenable Network Security. It can audit a system without any agents being installed, and can:
• Check system configuration for compliance with organisational policies
• Perform continuous scanning
• Be configured to run once, or on a daily, weekly or monthly basis
Firewalls
• All corporate networks will have some form of protection between the internal network and external networks; this can include the internet or other networks.
• A firewall has a set of defined rules for the types of traffic allowed and disallowed. These firewalls can be:
• Software Based – generally a computer running firewall software with more than one NIC, with a good GUI interface for configuration
• Hardware Based – a router can be configured as a firewall but requires a lot more work in terms of creating filters

[Diagram: router-based packet-filtering firewall between the internet and the internal network; an HTTP request arrives on Serial 1/0/1, where the inbound access list is applied, and the HTTP reply leaves by the same interface.]

    access-list 100 deny ip any any
    !
    interface Serial1/0/1
     ip access-group 100 in

Firewalls - Stateful
• A stateful firewall inspects traffic leaving the inside network and allows the return traffic for that unique session, but only for sessions initiated from the internal network. Traffic or connection attempts from the internet are blocked.

[Diagram: a Telnet session initiated from the inside is allowed out through the stateful firewall and its return traffic is allowed back in; a Telnet session initiated from the internet is blocked by the stateful firewall.]
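A minimal connection-state table modelling the Telnet diagram above, as an added example that is not part of the original slides. The inside network (10.1.1.0/24) and the packet sequence are constructed values; the model tracks only the initiator rule the slide describes, with no timeouts or TCP flag handling.

```python
import ipaddress

# Added example (not from the slides): a minimal connection-state table modelling the
# Telnet diagram above. The inside network and the packets are constructed values; the
# model has no timeouts or TCP flag tracking, only the initiator rule the slide describes.


class StatefulFirewall:
    def __init__(self, inside_network):
        self.inside = ipaddress.ip_network(inside_network)
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def _is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def filter(self, src, sport, dst, dport):
        """Decide one packet and update state. Outbound packets create a session;
        inbound packets are allowed only if they match an existing session."""
        if self._is_inside(src) and not self._is_inside(dst):
            self.sessions.add((src, sport, dst, dport))
            return "allow"
        if (dst, dport, src, sport) in self.sessions:
            return "allow"           # return traffic for a session started inside
        return "deny"                # initiated from the internet: blocked


# Constructed packet sequence (src, sport, dst, dport); Telnet is TCP port 23.
SAMPLE_PACKETS = [
    ("10.1.1.20", 50000, "203.0.113.5", 23),     # inside host opens Telnet outbound
    ("203.0.113.5", 23, "10.1.1.20", 50000),     # server's reply: matches the session
    ("198.51.100.7", 51000, "10.1.1.20", 23),    # internet host opens Telnet inbound
    ("203.0.113.5", 23, "10.1.1.20", 50001),     # known server, but no such session
]


def run(packets, inside_network="10.1.1.0/24"):
    """Return the allow/deny decision for each packet in order."""
    fw = StatefulFirewall(inside_network)
    return [fw.filter(*pkt) for pkt in packets]
```

The fourth packet is the one a stateless packet filter would get wrong: it comes from a server the inside host is genuinely talking to, but it does not belong to any session that host opened, so the state table rejects it.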
Firewall with DMZ
• Most application-based firewalls are built around a Demilitarised Zone (DMZ) separating the internal network from the external network, effectively adding a "no man's land" between the internal and external networks.

[Diagram: Internal Zone, Demilitarised Zone (containing the e-mail server and web server) and External Zone (internet). Arrows are labelled "All traffic allowed" out of the internal zone, "Only return traffic allowed" back into the internal zone, and "E-Mail, Web & return traffic allowed" from the internet into the DMZ.]
Access Control Lists
• Access Control Lists (ACLs) are lists of rules that a system or network device, such as a router, will execute and take action on. For instance, a router can filter traffic based on the source and destination IP address and/or the port, i.e. HTTP, FTP or other well-defined ports.

[Diagram: internet connected to Serial 1/0/1 of the router; inside, network 10.1.1.0/24 with a web server and a Unix host, and network 192.168.1.0/24. HTTP and Telnet traffic from the internet to 10.1.1.0/24 is permitted by the inbound ACL. The diagram labels the fields of each ACL line: ACL No., Data Flow (permit/deny), Source, Dest Add, Mask, Port, Other.]

    access-list 100 permit tcp any 10.1.1.0 0.0.0.255 eq www
    access-list 100 permit tcp any 10.1.1.0 0.0.0.255 eq telnet
    !
    interface Serial1/0/1
     ip access-group 100 in
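A parser and top-down evaluator for the extended access-list lines on this slide and the "deny ip any any" list on the router-based firewall slide, as an added example that is not part of the original slides. The sample packets are constructed, the keyword-to-port table covers only the names the slides use, and the evaluator implements the standard first-match-wins rule with an implicit deny at the end.

```python
import ipaddress

# Added example (not from the slides): a parser and top-down evaluator for the extended
# access-list lines on this slide and the "deny ip any any" list on the router firewall slide.
# Sample packets are constructed; the keyword-to-port table covers only the names the slides use.

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}

ACL_100 = """\
access-list 100 permit tcp any 10.1.1.0 0.0.0.255 eq www
access-list 100 permit tcp any 10.1.1.0 0.0.0.255 eq telnet
!
"""


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Turn access-list lines into rule dicts; '!' comment lines and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        _, number, action, proto, *rest = tokens
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES.get(rest[1])
        rules.append({"number": number, "action": action, "proto": proto,
                      "src": src, "dst": dst, "dport": dport})
    return rules


def addr_matches(rule_addr, ip):
    """Wildcard mask semantics: a 1 bit means 'don't care', a 0 bit must match."""
    if rule_addr is None:
        return True
    base, wildcard = rule_addr
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def evaluate(rules, proto, src, dst, dport):
    """First matching rule decides; an ACL always ends with an implicit deny."""
    for rule in rules:
        if rule["proto"] not in (proto, "ip"):
            continue
        if not (addr_matches(rule["src"], src) and addr_matches(rule["dst"], dst)):
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        return rule["action"]
    return "deny"
```

The wildcard mask 0.0.0.255 is the inverse of the subnet mask 255.255.255.0 from the diagram: the last octet is "don't care", so any host in 10.1.1.0/24 matches, while a host in 192.168.1.0/24 falls through both permit lines to the implicit deny.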
Remote Access Security
ACLs can be used to limit traffic at a very granular level; however, today's organisations have systems in place for staff to work remotely, accessing servers on the main site, and various security methods are used.
Method – Description
• RAS – Microsoft Remote Access Server
• RDP – Remote Desktop Protocol (Microsoft)
• PPPoE – Point-to-Point Protocol over Ethernet, used for ADSL (PPPoE encapsulates PPP frames within Ethernet frames)
• PPP – Point-to-Point Protocol
• ICA – Citrix Systems proprietary protocol for common application control
• SSH – Secure Shell protocol for security
• Kerberos – Authentication protocol for client-server (does not use username & password)
• AAA – Authentication, Authorisation & Accounting, used with RADIUS & TACACS servers
• RADIUS – Remote Authentication Dial In User Service, uses UDP to communicate with the AAA server
• TACACS+ – Terminal Access Controller Access-Control System, a Cisco proprietary protocol that encrypts data
• NAC – Network Admission Control, permits or denies access to the network based on device characteristics
• IEEE 802.1X – A standard used for wireless or wired systems to permit or deny LAN access to a network
• CHAP – Challenge Handshake Authentication Protocol, using a three-way handshake
• Single, Two-Factor & Multifactor authentication – Single sign-on authenticates the user only once; Two-Factor requires two types of authentication, e.g. password & biometric check; Multifactor authentication is similar to two-factor, with two or more authentications

Virtual Private Network - VPN
• VPNs allow secure communication for remote workers, encrypting information over the network. Generally the internet is used for the connection to the corporate network and therefore additional security is necessary.
• VPNs can be categorised into site-to-site and client-to-site.

[Diagram: Site-to-site VPN – Branch Offices A, B and C each connect across the internet through a remote VPN to the VPN concentrator at the Head Office.]
[Diagram: Client-to-site VPN – a home worker and a mobile worker in a hotel, each with a VPN client on their PC, connect across the internet to the VPN concentrator at the Head Office.]
VPN IPsec
• Site-to-Site VPN using IPsec to secure data over the untrusted internet, in 5 steps:
Step 1 – Client sends traffic to the server; the router defines the traffic as interesting, initiating the IPsec tunnel
Step 2 – IKE Phase 1 tunnel: the two routers negotiate to form an ISAKMP tunnel
Step 3 – IKE Phase 2 tunnel: the IPsec tunnel
Step 4 – Interesting traffic flows through the protected IPsec tunnel
Step 5 – If no interesting traffic is detected, IPsec is deleted and the tunnel is torn down

VPN Security
• As VPNs use the untrusted internet, a primary concern is the security of information.
• Although different VPN technologies like L2TP and L2F are used, IPsec offers strong security features for VPN traffic. IPsec operates at Layer 3 of the OSI model and is transparent to applications and the upper layers of the OSI model.
• IPsec uses a number of protocols to provide features like Internet Key Exchange (IKE), providing encryption between authenticated devices; the encryption key is periodically changed during the data exchange.
Method – Description
• Main Mode – Main mode uses 3 exchanges of information between the IPsec devices (initiator & responder). #1 Exchange – the responder selects a proposal from the initiator. #2 Exchange – establishes a secure shared key over the internet. #3 Exchange – the ISAKMP (Internet Security Association & Key Management Protocol) session is established, and this secure session is used to negotiate the IPsec session.
• Aggressive Mode – Quicker to set up, achieving the same result as main mode. The initiator sends the 1st packet containing all the information needed to set up IPsec; the responder sends the 2nd packet containing the security parameters to authenticate the session; the 3rd packet finalises authentication of the ISAKMP session.
• Quick Mode – Negotiates the parameters (security association) for the IPsec session; the negotiation occurs using ISAKMP.

Other VPN Technologies
• Whilst IPsec VPNs are popular for connecting remote clients to the corporate network, other VPN protocols are in use.
Protocol – Description
• SSL – Secure Socket Layer encrypts data at Layers 5-7 of the OSI model but over the years has been largely replaced by TLS (see below); however, SSL has been enhanced to version 3.3, which is more compatible with TLS. Both protocols provide secure browsing using Hypertext Transfer Protocol Secure (HTTPS)
• L2TP – Layer 2 Tunnelling Protocol is an early VPN protocol that lacks encryption security features, but it can be used with another protocol that provides encryption
• L2F – Layer 2 Forwarding, a Cisco proprietary protocol for point-to-point communication; like L2TP it lacks encryption security features
• PPTP – Point to Point Tunnelling Protocol, an older VPN protocol supported by Microsoft Windows, but like L2TP & L2F it lacks encryption security features
• TLS – Transport Layer Security has largely replaced earlier versions of SSL and is increasingly the choice for websites using HTTPS

Intrusion Detection & Prevention
• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are placed within the network to detect and prevent attacks and respond appropriately. Attacks are recognised by comparing data streams against a database of well-known attack signatures.

[Diagram: Active IPS Deployment – the IPS system sits in line with traffic between the internet-facing firewall and the corporate network, and is considered active.]
[Diagram: Passive IPS Deployment – the IDS system is not in line with traffic; it detects offending traffic and sends updates to the management station.]
Intrusion Detection & Prevention
• Although it would seem IPS systems would be preferable, the use of both systems complements one another, providing improved protection.
• IDS and IPS devices are categorised based on how offending traffic is detected:
Detection – Description
• Signature based – The primary method used by IDS or IPS to detect and prevent attacks is signature-based detection
• Policy based – In this type of detection a policy is written defining which networks can communicate
• Anomaly based – The final approach is anomaly based, but this is prone to false detection as the normal condition can be difficult to measure and define, so two options are used: Statistical Anomaly Detection – monitors the traffic pattern over a period of time to dynamically build a baseline, and uses this baseline for alarm triggers. Non-Statistical Anomaly Detection – allows the administrator to define what traffic patterns are allowed, for instance downloading service packs, but this can lead to false alarms.
Rather than a single IDS or IPS being deployed, multiple IDS and IPS are deployed to detect and defend internal network devices and systems.

Multiple Intrusion Detection & Prevention
[Diagram: internet, firewall, a network IPS, a second network IPS protecting the servers, and a network IDS that notifies violations to the management station; host-based IPS (HIPS) on the web, e-mail and DNS servers.]
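The two anomaly-detection options described above, run over constructed per-minute traffic counts, as an added example that is not part of the original slides. The learning-window figures, the live minutes with their flow descriptions, the z-score threshold of 3 and the allow-list pattern are all assumptions made for this example; the service pack download is the slide's own instance of a legitimate burst that statistical detection alone would flag.

```python
import statistics

# Added example (not from the slides): the two anomaly-detection options described above,
# run over constructed per-minute traffic counts. A learning window builds the statistical
# baseline; live minutes are compared against it, and an administrator-defined allow list
# (the non-statistical option) suppresses known-good patterns such as service pack downloads.

# Constructed baseline: KB transferred per minute over a quiet learning window.
BASELINE_KB_PER_MINUTE = [1200, 1350, 1100, 1280, 1420, 1150, 1300, 1250, 1380, 1190, 1330, 1270]

# Constructed live minutes: (minute, KB transferred, description of the dominant flow).
LIVE_MINUTES = [
    (13, 1310, "web browsing"),
    (14, 1240, "web browsing"),
    (15, 9800, "service pack download from update server"),
    (16, 1290, "web browsing"),
    (17, 8700, "outbound transfer to unknown host"),
]

ALLOWED_PATTERNS = ["service pack download"]   # administrator-defined, non-statistical


def build_baseline(samples):
    """Statistical option: learn the normal level and spread from the learning window."""
    return statistics.mean(samples), statistics.stdev(samples)


def statistical_alarms(live, baseline, threshold=3.0):
    """Alarm on any minute more than `threshold` standard deviations from the baseline."""
    mean, stdev = baseline
    alarms = []
    for minute, count, label in live:
        z = (count - mean) / stdev if stdev else float("inf")
        if abs(z) > threshold:
            alarms.append((minute, label, round(z, 1)))
    return alarms


def suppress_allowed(alarms, allowed_patterns):
    """Non-statistical option: drop alarms whose pattern the administrator has allowed."""
    return [a for a in alarms if not any(a[1].startswith(p) for p in allowed_patterns)]


def run_detection(live=LIVE_MINUTES, baseline_samples=BASELINE_KB_PER_MINUTE):
    """Return (minutes flagged statistically, minutes still flagged after the allow list)."""
    raw = statistical_alarms(live, build_baseline(baseline_samples))
    return [m for m, _, _ in raw], [m for m, _, _ in suppress_allowed(raw, ALLOWED_PATTERNS)]
```

Minute 15 shows the false alarm the slide warns about: the statistical baseline flags the service pack download as strongly as the unexplained transfer in minute 17, and only the administrator's allow list separates the two. The trade-off runs both ways, since an over-broad allow list would hide a real anomaly that happened to match an allowed pattern.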