NETWORK INFRASTRUCTURE SECURITY
Angus Wong
Alan Yeung
© Springer Science+Business Media, LLC 2009
ISBN: 978-1-4419-0165-1 e-ISBN: 978-1-4419-0166-8
Library of Congress Control Number: 2009921186
DOI: 10.1007/978-1-4419-0166-8
Angus Wong
Macao Polytechnic Institute
Rua de Luis Gonzaga Gomes
Macao
Alan Yeung
City University of Hong Kong 83 Tat Chee Avenue
Kowloon
Hong Kong, PR, China
All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
Printed on acid-free paper
springer.com
About the authors
Angus Kin-Yeung Wong obtained his BSc and PhD degrees from City University of Hong Kong, and is currently an associate professor at Macao Polytechnic Institute. Angus is active in research, and has served as a reviewer and a technical program committee member for various journals and conferences. Angus is devoted to teaching in tertiary education. In the past, he has taught 11 different courses, ranging from the first to the fourth year, and developed five new network-related courses to keep students abreast of cutting-edge network technologies.
Alan Kai-Hau Yeung obtained his BSc and PhD degrees from The Chinese University of Hong Kong in 1984 and 1995 respectively. He is currently an associate professor at City University of Hong Kong. Since his BSc graduation, he has spent more than 20 years teaching, managing, designing and researching different areas of computer networks. In the early days of LANs in the 1980s, he had the chance to be involved in the design and setup of numerous networks. One of them was the largest LAN in Hong Kong at that time. He also frequently provides consultancy services to the networking industry. One notable project was the development of a GSM mobile handset in the late 1990s. The team that Alan was involved in successfully developed a handset prototype for a listed company in Hong Kong. Alan’s extensive experience has helped him to earn professional qualifications like Cisco Certified Network Professional (CCNP), Cisco Certified Academy Instructor (CCAI), and Certified Ethical Hacker (CEH).
Angus and Alan have been collaborating on network-related research for over 10 years. They have successfully obtained grants from universities and governments, and published tens of technical papers. Besides research, they are fond of teaching and sharing with students. Both have received awards for their teaching contributions. Angus Wong obtained the Macao Polytechnic Institute’s Best Teacher Awards in 2005-2006, whereas Alan Yeung obtained the City University of Hong Kong’s Teaching Excellence Awards in 2000-2001. Another common point of Angus and Alan is that they are both responsible for the establishment and maintenance of the Cisco switch and router learning environment in their own universities. Students’ learning has proven to be enhanced significantly through their hands-on experience with networking devices.
Preface
Unlike network information security, which is concerned with data confidentiality and integrity and relies on techniques like cryptography, network infrastructure security is concerned with the protection of the network infrastructure itself; that is, it focuses on how to detect and prevent attacks on, or the compromise of, routers and other network devices.
Although information assurance is important, it becomes meaningless if the data, no matter how secure its content is, cannot be delivered through the Internet infrastructure to the targeted destination correctly.
Since the Internet, in the beginning, was assumed to work in a trustworthy environment, it was designed without much concern for security. As a result, the infrastructure is vulnerable to a variety of security threats and attacks, such as packet spoofing, routing table poisoning and routing loops.
One of the reasons why network infrastructure security is important and has drawn much concern in recent years is that attacks on the infrastructure affect a large portion of the Internet and create a large amount of service disruption. Since our daily operations depend heavily on the availability and reliability of the Internet, the security of its infrastructure has become a high-priority issue. We believe that the topic will draw much concern, and that various countermeasures or solutions will be proposed to secure the infrastructure in the coming years.
Goal of writing
This book aims to promote network infrastructure security by describing the vulnerabilities of some network infrastructure devices, particularly switches and routers, through various examples of network attacks.
The examples are illustrated in detail so that the operations and principles behind them are clearly revealed. To avoid serving as a hacking guide, the attack steps are described from a conceptual view. That is, we will write something like "If an attacker injects a packet with a fake source address, the server will believe the attacker is the right client…"
Though some topics in this book have been covered in other books, the primary focus of those books is information security or the ways of configuring network devices. In writing this book, we attempt to emphasize network infrastructure security and draw attention to it in the field.
On the other hand, the network vulnerabilities and attacks mentioned in this book are mainly based on protocol exploitation, not on software bugs or computer viruses, which usually depend on the particular platform, brand of router, operating system, version, etc.
Not goal of writing
The purpose of this book is not to report new security flaws of network infrastructure devices. Most of the attacks discussed in this book have already been identified in the field, and the corresponding countermeasures have been proposed. If administrators are aware of the countermeasures, the attacks can be prevented.
Security has a large scope, and so has network infrastructure security. This book does not attempt to provide an exhaustive list of attack methods against network infrastructure and their countermeasures. Actually, it is difficult, if not impossible, to write a single book covering the vulnerabilities of all kinds of network protocols on network devices of different brands and models running different versions of OSes.
On the other hand, to keep the book concise, it does not thoroughly explain TCP/IP or network protocols; nor does the book teach the full operation of switches or routers. Nonetheless, the basic ideas behind them are covered to facilitate the discussion of the topics.
Assumptions
Readers are assumed to have a basic understanding of computer networks and TCP/IP, and to want to learn more about the security of the major part of a computer network – the network infrastructure. On the other hand, since IP is the most common protocol in the network layer, this book only covers IP routers (i.e., routing based on IP). Similarly, since Ethernet is the most popular media access protocol, the switches mentioned in this book refer to Ethernet switches.
Audience
The book can be used as a text for undergraduate courses at senior levels, or for postgraduate courses. It can also be used by engineers and practitioners to advance their knowledge of network infrastructure security.
In general, network infrastructure security is an area of great interest to IP service providers, network operators, IP equipment vendors, software developers, and university instruction at both the graduate and undergraduate levels. Specifically,
• The people in the information security field can benefit from being acquainted with another aspect of security – network infrastructure security.
• The people already in the field of network infrastructure security can benefit from having a resource exclusively for the topic.
• The people in the network field can benefit from acquiring more information about the security of the devices (switches and routers) they are dealing with every day.
• The teachers in universities can benefit from having the syllabuses of network-related courses enriched with the topics of network infrastructure security.
Since this book does not focus on a particular platform or brand of network devices but on the general principles of network infrastructure security, it is suitable for a wide readership.
Chapter design
The organization of this book is straightforward: from lower to higher layers, and from the basic concepts of network infrastructure security, to research solutions, to future network device design. Therefore, this book is recommended to be read chapter by chapter.
First, we explain what network infrastructure security is in Chapter 1. Then, we discuss the vulnerabilities of network infrastructure devices at the data link, network, and application layers in Chapters 2, 3 and 4 respectively. This is followed by Chapter 5, in which proof-of-concept demonstrations (by practical step-by-step procedures) of the vulnerabilities are provided. Finally, to fundamentally protect the network infrastructure, a new approach to designing network devices is proposed in Chapter 6. The following gives the general description of each chapter.
Table of Contents
1. Introduction to Network Infrastructure Security
1.1 Internet infrastructure
1.2 Key components in the Internet infrastructure
1.3 Internet infrastructure security
2. Network Infrastructure Security – Switching
2.1 Introduction
2.2 How Switches can be Attacked
3. Network Infrastructure Security – Routing
3.1 Introduction
3.2 Overview of Internet Routing
3.3 External and internal attacks
3.4 RIP Attacks and Countermeasures
3.5 OSPF Attacks and Countermeasures
3.6 BGP Attacks and Countermeasures
4. Network Infrastructure Security – Address Configuration and Naming
4.1 Introduction
4.2 DHCP Attack
4.3 DNS Attack
5. Experiments for Illustrating Network Infrastructure Attacks
5.1 Purpose of the Chapter
5.2 Attack Experiments
6. Protecting Network Infrastructure – A New Approach
6.1 Purpose of the Chapter
6.2 Analysis on Security Problems of Network Infrastructure
6.3 Steps in Hacking Network Infrastructure
6.4 Flat Network Design Model and Masquerading
6.5 A New Model to Protect Network Infrastructure