View
897
Download
6
Category
Tags:
Preview:
DESCRIPTION
StaridLabs CISSP Study slides for week 7
Citation preview
StaridLabs CISSP Training
Week 7 – Network SecurityPages 381-455
RADIUS
● Used to authenticate a user/machine to a network.
● Shared secret provided between client application and server.
● Once shared secret is accepted then username/password is sent
● Cheap to setup● Not all fields are encrypted
Radius Cont.
● Used for low risk authentication to prevent and locate unauthorized users (IE: An ISP detecting non-paying cable modem users)
● In a corporate environment radius can be used to authenticate to servers, applications, networks, vlans, switches, etc.
● For corporate: 2 factor authentication should be used:● EAP, Tokens, Smartcards
SNMP
● Used to receive (get) configuration/state data as well as to configure (set) configuration
● Uses “community strings” and pass phrases for V2 and above● Data can be sniffed easily and credentials can be stolen● V3 supports encryption, but isn't being used much yet.● Applicable devices: firewalls, routers, switches, OS (windows and
linux), applications,embedded devices, etc
SNMP Stupidities
● String/passphrase often the same for many like devices (switches, databases, etc) for easy management.
● A disastrous amount of companies have SNMP open externally.
● SNMP shouldn't be queried outside of your network, remote devices need some other method. V3 helps this but again isn't supported everywhere yet.
Remote Access Services
● Telnet, rlogin, x11● Plaintext sessions allow snooping of
session as well as credentials being sent plaintext
● All have an SSH encapsulated replacement
Telnet Servers
● Available on windows and linux/unix● More commonly seen on unix● Server runs as system (trusted application)● Encryption is not supported● Malicious user can easily escalate to root/admin● Telnet servers should be disabled or blocked unless
absolutely necessary. If necessary spend a good amount of time trying to find ways to mitigate risk
Rlogin/rsh/rcp
● Rlogin:● Remote shell to machine● If installed user can setup for other users and
subvert admin when providing server access
● Rsh/rcp● Allows file/console access based solely on
userid/ip. Userid is ignored.
Screen Scrapers
● Watches & captures a users screen. Can be legitimate or malicious.
● Legitimate users would be seeing what an employee in a bank call center looks at to make sure their not looking at things they shouldn't.
● Malicious would be an attacker adding a screenscraper to a bank call center machine to capture all of the data a user looks at, thus framing the employee.
Virtual Network Terminal Services
● Terminal Services is a server which allows a web based or Remote Desktop (RDP) session which displays the server's desktop to the client in an encrypted tunnel.
● Citrix, Remote desktop/TS (Microsoft)● Good for distributed employees and road
warriors who may have personal or dirty laptops.
Telecommuting
● Telecommuters should be required to VPN into the network when working. The end user machine should use full drive encryptiona nd should comply to security policies such as screen lockout.
● Network connection type & work location should be considered before access is granted.
Analog VS Digital Signals
● Analog singals are a wave and can represent a voice, etc.
● Digital is only 1's and 0's and data such as voice must be converted to binary before sending.
Network Topography: BUS Networks
● All hosts receive all traffic● Note failure doesn't affect network● Failure in the bus takes down the whole
network
Tree networks
● Uses cable splitters● All hosts receive all traffic● Cable failure creates outage for entire
downline
Ring (Token ring)
● Closed loop network● Data travels one way, passing data to one
neighbor and receiving from the other● Generally uses coaxial or fiber● Single point of failure unless dual ring setup
with secondary networking
Mesh
● All nodes have direct connection to each other
● Common for high availability network gear● High level of network reliability● Expensive due to cable costs● (Wireless mesh networks continue to gain
popularity)
Star
● “Normal” network topography● Switch is centralized and end points
connect to switches, and switches connect to each other
● Minnimal cables needed● Switch/hub is single point of failure for star
nodes
Unicast
● Normal packet data: A packet is sent from one host to another
Broadcast
● A single hosts sents to many hosts● Very noisy● Commonly seen with ARP and netbios● 192.168.1.255 will send the packet to every
host between 192.168.1.1 and 192.168.1.254
Multicast
● Isn't used as often as it should be (Tim comment)● Unreliable, best effort transmission● Uses IGMP to manage subscribers● Clients request to join specific multicast channel● Server only sends data once, and data is received by all
subscribed clients to that multicast channel● Used for streaming video, etc.
Circuit Switched Network
● Client/Server keeps continuous session open
● POTS, ISDN, PPP● All data sent along same path, even if
shorter path opened later.
Packet Switched Network
● Data broken into packets● Each packet is routed through the best path
as determined by network rules● Packets re-oredered at destination endpoint
and are reassembled
Carrier Sense Multiple Access (CSMA)
● CSMA/CA● Collision Avoidance● Broadcasts a jamming signal and then sends
data. Other endpoitns wait once receiving the jamming signal.
● Used by 802.11 (wireless)
CSMA/CD
● Collision Detection● Client checks if line is clear, if clear it sends data● Collisions occur when both sides see the line as
clear and send at the same time causing data to become unusable.
● When collision occurs both sides wait a random amount of time and resend.
● Used by 802.3 Ethernet
Polling
● Client only talks when master device tells it to.
● Also used by 802.11(wireless)
Ethernet 802.3
● Full duplex mode (mostly) immune to collisions
● Half duplex uses CSMA/CD● 802.3 can use coaxil, unshielded twisted
pair (UTP), or fiber cable
Token Ring (802.5)
● Physically a star topography● Uses logical tokens to create ring● Dead technology
FDDI – Fiber distrubuted Data Interface
● Fiber networking using two fiber cables & 2 ring networks
● Second cable is standby in the event of primary ring failure
● Still in active use
Multiprotocol Label Switching (MPLS)
● Fast, pre-determined tunnel● Offers QoS● Called “IP VPN” - ISP Sets up route and data flows even if
path is not shortest● Not encrypted – but if ISP sets up right then data is only
seen by ISPs which is passes through.● (Tim Comment) I recommend at least minimal encryption
across tunnel to obscure data from prying eyes. Network glitches happen which could send data outside of expected route.
LAN – Local Area Network
● Collection of locally interconnected computers.
● Local being defined as a building or campus
Vlan – Virtual LAN
● Uses one set of network equipment● Allows “virtual” paths & lans to be created● Switch drops traffic if port is not configured
for the sending vlan● Known attacks against vlans, but still a
good way to segregate● Attack known as vlan hopping
ISDN
● A legacy model which is faster than dialup● Dead technology
Point to Point
● Uses continuous fiber cable to directly connect two points.
● Very expensive● Example is 2 datacenters owned by the
same company. If the company doesn't trust the data going through an ISP, it can setup a fiber Point to Point to connect the datacenters.
T1/T3
● Uses Time/Dvision Multiplexing (TDM)● T1 = 24 channels over a copper cable● Full T1 = 1.544 Mbps● Can purchase anywhere from 1-24 active channels to
decrease cost.● Can bundle T1's for more throughput:
● T2 = 4 X T1● T3 = 7 X T2● T4 = 6 X T3● All can be fractionally purchased
E1/E3
● Same as T1/T3 but for Europe. E1 has a slightly higher transmission rate.
● Make sure when buying equipment it's for E1 or T1, they must be build compatible or for the correct standard.
OC1/OC12
● Super High Throughput● OC1 = 51Mbps● OC3 = 155 Mbps● OC192 = 9954 Mbps
DSL
● Uses Cat-3 (Phone line) unfiltered● ADSL – Downstream faster than upstream● SDSL – Down and up are same speed● VDSL – Very Fast, most inner city DSL is
VDSL now.
Cable Modem
● Modem & Cable Company exchange crypto keys
● Data is encrypted in transit● (I know cableone turned this on at one
point, last I checked it had been turned off again. Midcontinent is not using encryption last I checked which was last fall)
Network Attacks!
Networks
● Everything is getting an IP nowadays – from TV's, Generators, Air Conditioners, Ice Machines, and light bulbs...
Net Defense Basics
● Define Security Domains (Public, Confidential, Restricted)● Segregate networks based on security domains● Thing ahead for incident response
● Have Logs● Known what systems you have/what they do● A methodology to contain incidents quickly and manage reaction
● See SANS Top 20 controls for recommendations
Defense in Depth
● Assumes attack will eventually succeed● Security layers employed: network
security, OS hardening, Antivirus, end user firwalls, user training, patching, detection, IPS, NAC
Confidentiality Attacks
● Purpose is to steal non-public data● User/passwords, computer code, designs,
business plans, emails, ebarrassing memos, alien files
● Example is wired/wireless data sniffing
Integrity Attacks
● Attempt to corrupt or change (destroy) data or systems
● Examples are stuxnet, defacing websites, SQL Injection
Availability Attacks
● Attacks make systems temporarily unavailable
● Denial Of Service
Domain Names
● Trademark your URL if your an IT company with a web presence
● Register misspellings of domain name to reduce risk of reputation loss
Opem Mail Relay Servers
● Allows email to be sent without authentication
● Sign of bad sysadmins (see staridlabs.org hosted by cheaplinuxhosting.com!)
Spam
● Spam email. Contains viruses, malicious URLs, etc
● Discuss DHL exploit
Scanning Techniques – Port Scanning
● Checks what ports are open/accessible on system
● Fingerprints system● OS type/version● Hardware manfacturer/version● App versions (banner grab)
Fin Scan
● Sends connection close signal to port● Receives rest/icmp packet if port is closed● Used against UNIX/Linux hosts
Null Scan/XMas Scan
● Null Scan:● No tcp flags are set
● XMAS Scan:● All tcp flags are set
● Generally useful to compare results of both scans
TCP Sequence Number Attack
● Can scan using a zombie legitimate host by predicting tcp sequence number and spoofing source address. When victim responds back to zombie host, you connect to zombie and count how many tcp numbers were incremented.
● Tcp sequence randomization can be turned on for all common operating systems.
Attack Trees
● Logical representation of what steps an attacker would need to take to attack a system
● Great for explaining to non-management what the risk is (or isn't)
Methods of attack
● Target Aquisition/Intel Gathering● Publically available data● Scans
● Target Analysis● Identify Vulnerabilities● Identify tools best to exploit vulnerability
Methods of Attack 2
● Target Access● Gain access to system (desktop, prompt, process)
● Target Appropriation● Elevate system access (if needed)● Steal all the things● Setup backdoors● Clean up tracks (if needed
Scanners (for good)
● Identifies vulnerabilities● Finds configuration mistakes/risks● Tests for compliance
● Example if the vuln scanner sees the 'games' user in Linux then I know the box didn't have STIGS applied
● Can have lots of false positives
Penetration Testing
● Verifies vulnerabilities and what risk comes with a successful attack
● Puts the “human eye” on systems, often finding things a scanner wont
Network Taps
● Copies all traffic across a path● Sometimes required for legal compliance
Malicious Packet Crafting
Teardrop attack
● Packets are fragmented erroneously so when reassembled the target calculates a negative fragment length. This is a denial of service attack.
● Fix by vendor patch
Overlapping Fragment Attack
● Packets are fragmented and first fragments are sent with legitimate dta. Following packets overwrite first legitimate packets and are malicious.
● This works because some IPS system sonly scann the first x bytes of a packet
Source Routing Exploit
● Attacker requests alternate path in packet header and bypasses firewall rules
Smurfs/Fraggles
● Broadcast denial of service attacks● Smurf – Spoofed source address to
broadcast using ICMP. All receiving clients respond and DOS victim
● Fraggle – Same as a smurf but using UDP
NFS Attacks
● Config can allow unintended access to filesystem● Potential for unauthorized clients by falsifying IP (the
only auth mechanism)● Faking userid (permissions)● Sniffing Connection (unencrypted by default)● Setuid allows priviledge escalation (disable nfs
setuid rendering)
NNTP (Newsservers)
● Disable & Block
Finger (port 79)
● Disable & Block
NTP – Time syncing
● Use trusted upline servers (and more than one)
● Network should have it's own timeserver
DDOS
● Attacks by thousands of machines against a host or device
● Only so much you can plan for● Network proxies exist● Configurations can ease congestion if
smaller DDOS
Syn Floods
● DOS attack – Overloads max connections a server can handle
Email Spoofing
● You too can be president for an email
DNS Spoofing
● Malicious Entries● Redirect to malicious hosts● Host file spoofing
Session Hijacking
● Adding packets to an authenticated, legitimate session
Syn Scan
● Only sending syn packets and waiting for responds
● Fast● Sometimes doesn't get logged (useful)
Recommended