Network Security
Computer Security & Forensics
Security in Computing, Chapter 7
Topics
• Network Attacks
  • Reconnaissance
  • Attacks
  • Spoofing
  • Web Site Vulnerabilities
  • Denial of Service
• Network Defences
  • Firewalls
  • Demilitarised Zones
  • Virtual Private Networks
  • Honey Pots
  • Vulnerability Scanners
  • Secure Socket Layer
August 2015 Computer Security & Forensics
Attacks - Reconnaissance
• Reconnaissance
  • Port Scan - check ports of services with known bugs, looking for unpatched versions
  Firewall log excerpt:
    Thu, 2010-07-15 14:23:03 - UDP Packet - Source:24.64.116.2,13915 Destination:82.69.?.?,1028 - [DOS]
    Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3607 Destination:82.69.?.?,5905 - [DOS]
    Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3611 Destination:82.69.?.?,5906 - [DOS]
    Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3613 Destination:82.69.?.?,5907 - [DOS]
    Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3615 Destination:82.69.?.?,5908 - [DOS]
    Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3617 Destination:82.69.?.?,5909 - [DOS]
    Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3619 Destination:82.69.?.?,5910 - [DOS]
    Fri, 2010-07-16 10:12:32 - TCP Packet - Source:91.121.120.137,3617 Destination:82.69.?.?,5909 - [DOS]
    Fri, 2010-07-16 10:12:32 - TCP Packet - Source:91.121.120.137,3593 Destination:82.69.?.?,5901 - [DOS]
    Fri, 2010-07-16 10:12:32 - TCP Packet - Source:91.121.120.137,3601 Destination:82.69.?.?,5904 - [DOS]
    Fri, 2010-07-16 10:12:32 - TCP Packet - Source:91.121.120.137,3597 Destination:82.69.?.?,5902 - [DOS]
    Fri, 2010-07-16 10:12:32 - TCP Packet - Source:91.121.120.137,3607 Destination:82.69.?.?,5905 - [DOS]
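Detection logic for the pattern in the log excerpt above (one source address walking through consecutive destination ports), written as an added example rather than anything from the slides; the line format is taken from the excerpt, the sample entries are a constructed subset of it, and the window and port-count thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format copied from the firewall log excerpt on the slide.
LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>TCP|UDP) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) Destination:(?P<dst>[\d.?]+),(?P<dport>\d+) - \[\w+\]$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"])}

def find_port_scans(lines, window=timedelta(seconds=60), min_ports=5):
    """Flag sources that hit at least min_ports distinct destination ports
    within any window-long stretch; returns {src: sorted ports seen}."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    scans = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        hits = set()
        for i, first in enumerate(recs):   # window anchored at each record
            ports = {r["dport"] for r in recs[i:]
                     if r["time"] - first["time"] <= window}
            if len(ports) >= min_ports:
                hits |= ports
        if hits:
            scans[src] = sorted(hits)
    return scans

# Constructed sample: a subset of the slide's entries (addresses as shown there)
SAMPLE_LOG = [
    "Thu, 2010-07-15 14:23:03 - UDP Packet - Source:24.64.116.2,13915 Destination:82.69.?.?,1028 - [DOS]",
    "Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3607 Destination:82.69.?.?,5905 - [DOS]",
    "Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3611 Destination:82.69.?.?,5906 - [DOS]",
    "Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3613 Destination:82.69.?.?,5907 - [DOS]",
    "Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3615 Destination:82.69.?.?,5908 - [DOS]",
    "Fri, 2010-07-16 10:12:29 - TCP Packet - Source:91.121.120.137,3617 Destination:82.69.?.?,5909 - [DOS]",
    "Fri, 2010-07-16 10:12:32 - TCP Packet - Source:91.121.120.137,3593 Destination:82.69.?.?,5901 - [DOS]",
]
```

The single UDP probe from the first source stays below the threshold, while the second source is reported with the distinct ports it touched.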
Attacks - Reconnaissance
• Reconnaissance
  • Social Engineering
    • Try to get users to reveal critical information about network structure and accounts - e.g. 'Help Desk'
  • Intelligence
    • 'Scavenge' any publicly available information
    • Discussion of methods on forums
Spoofing
• Give the appearance of being a trusted entity
• Masquerade
  • Appear to be a valid service, e.g. via URL confusion
    • www.paypal.com - www.paypak.com
    • User could mistype 'l' and press the adjacent 'k' on the keyboard
    • Site could then look exactly like PayPal...
    • Note that the above example is not real
• Session Hijacking
  • Intercept a session started by a user who does not 'log out'
  • Could also block the user's 'log out' communications and continue the session
  • Wiretap + packet injection (or simply using a public PC) enables an attacker to continue a user's session - e.g. add a new delivery address and order away...
Spoofing
• Man in the Middle
  • Interceptor eavesdrops on communication and obtains the private keys used for securing comms, able to monitor the entire process, undetected
  • A recent DNS flaw made it very easy to develop man in the middle attacks via a process called DNS cache poisoning
    • Flaw enabled rogue DNS routing information to be injected into DNS tables
    • PC requests the IP address of www.microsoft.com and gets back a bogus machine
Web Site Threats
• Buffer Overflows
  • This is as applicable to web apps as it is to standalone applications
  • PHP or Java servlet code could be forced to crash
  • Outcome of the crash will depend on server configuration
• Server configuration issues - the ../ problem...
  • Web server environment and permissions need to be tightly constrained
  • No default applications able to provide alternative forms of remote access should be available, e.g. telnet, ssh, xterm
  • Web server permissions should not allow access to folders above the document tree
    • http://www.weakserver.com/../../
  • Web server rights should be restricted - not run as 'root'
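The check a web server (or an application serving files) should make against the ../ problem above, written as an added example rather than code from the slides; the document root, the function name and the rejection of NUL bytes are assumptions for the example.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"   # assumed document root for this example

def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Map a URL path onto the document tree; return the filesystem path,
    or None when the request would escape doc_root (the ../ problem)."""
    doc_root = posixpath.normpath(doc_root)
    # Decode percent-encoding once, so %2e%2e%2f is checked as "../".
    decoded = unquote(url_path)
    # Reject embedded NULs: they can truncate the path in C-based servers.
    if "\x00" in decoded:
        return None
    # Collapse "." and ".." lexically, then confirm we are still under the root.
    candidate = posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))
    if candidate != doc_root and not candidate.startswith(doc_root + "/"):
        return None
    return candidate
```

This is a lexical check only; a server should also resolve symlinks under the root (realpath) and, as the slide says, run as a non-root account so that any bypass gains little.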
Web Site Threats
• Application Data Validation
  • Improper use of session management and display of form requests leads to vulnerabilities
  • Using the 'GET' method for sending user names and passwords (and continually using this in subsequent forms - see also MySQL injection)
  • What might you think if you noticed a web site that used the URL?
Denial of Service
• Ping attack - network testing often uses the Internet Control Message Protocol (ICMP) ping application to check that a computer is responding to network traffic. A single ping response has a very low overhead
  • An attacker can send an avalanche of ping requests, overwhelming the computer
• Smurf - a variation on the ping attack
  • A modified ping packet is sent to a network in broadcast mode with the IP address of a target machine set as the sender - the real sender sets their machine to ignore ping traffic
  • Due to the broadcast status of the packet, all computers on the network pick up the ping request and respond to it; however, they send the response to the unfortunate 'sender' address, frequently taking it off-line
• Traffic Redirection
  • Routers are responsible for routing traffic and determining optimal traffic paths
  • If a router can be corrupted to advertise a path it controls as being good, increased network traffic will be routed through it - if it was 'lying', the local network grinds to a halt
Distributed Denial of Service
• A more common form uses a Trojan virus to install control software in a network of susceptible computers (their users are usually the susceptible ones)
• The infected computer continues as though all is well - it becomes a 'zombie', waiting for orders
• Once the attacker has built up a significant (10-20,000) number of 'bots', they can order this 'bot-net' to attack via a DDoS
• The order may come from the attacker directly using a bot-net controller or, more likely, via some network service the 'zombie' is listening on (e.g. IRC); the actual attack message may look innocent
• The order can contain the type, duration and target for the attack
• The actual attack method may vary, e.g. email, ping, web server request
Network Defenses
• Firewalls
• Demilitarized Zones (DMZ)
• Virtual Private Networks (VPN)
• Intrusion Detection Systems (IDS)
• Honey Pots
• Vulnerability Scanners
Firewalls
• Firewalls are designed to protect a user/organisation from harm
  • Derived from the concept of a 'firewall' being used as a barrier between engine and occupants
  • Can use a router or software to implement a firewall
  • A home network using NAT acts as a default firewall since services have to be enabled
• A more useful view is a castle with a gatekeeper
  • The gatekeeper checks for valid services before allowing requests to access the server
  • The services are usually identified by the ports they use
• Attacks
  • Sneak intruder through (tunnel, backdoor)
  • Subvert firewall (trojan) / masquerade as a
Demilitarized Zones (DMZ)
• A business wishing to offer public services (e.g. a web site or email) can place these services inside a demilitarized zone
• Two firewalls are used
  • The inner wall protects the private network and is very strict
  • The outer wall allows public service requests through
• Separates private business network from publicly accessible network
[Figure: DMZ diagram with labels HTTP, SMTP, Public Services, Private Services]
Virtual Private Network (VPN)
• What if a user requires access to private network services but is outside the firewall(s)?
• A virtual private network connection can be established
• This creates a secure, encrypted connection through the firewall
• Communication is then diverted via this connection and 'appears' inside the internal network without having to validate against the other firewall checks
Honey Pots
• When investigating potential security weaknesses or trying to identify attackers, it can be useful to create a 'Honey Pot'
• A Honey Pot is a vulnerable machine that is closely monitored and all access to it is logged
• Baited to tempt a hacker to attack something that normal users would not use
  • E.g. use interesting names and accounts
• Can deliberately infect with a virus to trace communications back to the controller
  • Very useful if you wish to determine if you are under attack
• Exploits the network admin's knowledge of what is good and what is not
  • Water control plant example
Vulnerability Scanners
• Checks computers and network architecture for known vulnerabilities
  • Can't always fully test weaknesses since likely to break a live system
• Best to test on a system before it is deployed
  • Metasploit is a well known vulnerability scanner
• Available for common operating systems
  • http://www.metasploit.org/
Secure Socket Layer
• Secure Socket Layer (SSL) is a common method of establishing a secure connection across a network
  • SSL is flexible about the encryption methods used - part of setting up the connection is determining a common, shared encryption protocol between client and server
  • Once established, the client and server switch to communicating via this protocol
• HTTPS is Hypertext Transfer Protocol over Secure Socket Layer
  • Also known as Transport Layer Security (TLS)
• Note that a secure connection to a hacker doesn't help you much...
Summary
• Network Attacks
  • Reconnaissance
  • Attacks
  • Spoofing
  • Web Site Vulnerabilities
  • Denial of Service
• Network Defences
  • Firewalls
  • Demilitarised Zones
  • Virtual Private Networks
  • Honey Pots