Lesson 7: Network Security and Attacks


Page 1: Lesson 7: Network Security and Attacks. Computer Security Operational Model Protection = Prevention+ (Detection + Response) Access Controls Encryption

Lesson 7: Network Security and Attacks

Page 2:

Computer Security Operational Model

Protection = Prevention + (Detection + Response)

Prevention: Access Controls, Encryption, Firewalls
Detection: Intrusion Detection
Response: Incident Handling

Page 3:

Security Operational Model

• Intrusion detection
• Firewalls
• Encryption
• Authentication
• Security Design Review
• Security Integration Services
• 24 Hr Monitoring Services
• Remote Firewall Monitoring
• Vulnerability Assessment Services
• Vulnerability Scanners

The model is a continuous cycle: Secure, Monitor, Evaluate, Improve (and back to Secure).

Page 4:

Protocols

• A protocol is an agreed-upon format for exchanging information.

• A protocol will define a number of parameters:
  – Type of error checking
  – Data compression method
  – Mechanisms to signal reception of a transmission

• There are a number of protocols that have been established in the networking world.

Page 5:

OSI Reference Model

• ISO standard describing 7 layers of protocols:
  – Application: program-level communication
  – Presentation: data conversion functions, data format, data encryption
  – Session: coordinates communication between endpoints; session state is maintained for security
  – Transport: end-to-end transmission, controls data flow
  – Network: routes data from one system to the next
  – Data Link: handles passing of data between nodes
  – Physical: manages the transmission media / hardware connections

• Each layer communicates only with the layers directly above and below it.

Page 6:

TCP/IP Protocol Suite

• TCP/IP refers to two network protocols used on the Internet:
  – Transmission Control Protocol (TCP)
  – Internet Protocol (IP)

• TCP and IP are only two of a large group of protocols that make up the entire "suite".

• A "real-world" application of the layered concept.

• There is not a one-to-one relationship between the layers in the TCP/IP suite and the OSI Model.

Page 7:

OSI and TCP/IP comparison

  OSI Model      TCP/IP Protocol Suite
  -----------    -------------------------------------------------
  Application    NFS, FTP, Telnet, SSH, SMTP, SMB, HTTP, NNTP   \
  Presentation                                                    } Application-level protocols
  Session        RPC                                             /
  Transport      TCP, UDP                                        \
  Network        IP, ICMP, ARP                                    } Network-level protocols
  Data-link      Physical (hardware interface)                   /
  Physical

Page 8:

TCP/IP Protocol Suite

Figure: the TCP/IP protocol stack, top to bottom.

  User Process | User Process | User Process | User Process
  TCP                          | UDP
  IP            (ICMP and IGMP sit alongside IP)
  HW Interface  (ARP and RARP sit alongside the hardware interface)
  Media

Page 9:

Encapsulation of data

Figure: each layer prepends its own header to the unit it receives from the layer above (the Ethernet driver also appends a trailer).

  application     : User Data
                    Appl header | User Data
  TCP             : TCP header | Application data                                        = TCP segment
  IP              : IP header | TCP header | Application data                            = IP datagram
  Ethernet driver : Ethernet header | IP header | TCP header | Application data | Ethernet trailer = Ethernet Frame
  Ethernet
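The encapsulation shown above, carried out in code. This is an added example, not material from the slides: it builds a TCP segment, wraps it in an IPv4 datagram and then an Ethernet frame, and decapsulates the result layer by layer, verifying each header's checksum before trusting the layer inside it. The MAC addresses, IP addresses, ports and HTTP payload are constructed sample values.

```python
import socket
import struct

# Constructed sample addresses (assumptions for the demo, not from the slides).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "192.0.2.10"
DST_IP = "192.0.2.20"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (IPv4 and TCP both use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(sport, dport, seq, ack, flags, payload, src_ip, dst_ip):
    """TCP header (20 bytes, no options) + payload; the checksum also covers a pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, PROTO_TCP, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_datagram(src_ip, dst_ip, segment):
    """IPv4 header (20 bytes) in front of the TCP segment; the checksum covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64,
                      PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + segment


def ethernet_frame(dst_mac, src_mac, datagram):
    """Ethernet II header; the 4-byte FCS trailer is normally added by the NIC, so it is omitted."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + datagram


def build_sample_frame(payload=b"GET / HTTP/1.0\r\n"):
    """User data -> TCP segment -> IP datagram -> Ethernet frame, as on the slide."""
    seg = tcp_segment(40000, 80, 1000, 2000, 0x18, payload, SRC_IP, DST_IP)  # flags: PSH|ACK
    return ethernet_frame(DST_MAC, SRC_MAC, ip_datagram(SRC_IP, DST_IP, seg))


def decapsulate(frame):
    """Peel the headers off again, checking each checksum before parsing the next layer."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    dgram = frame[14:]
    ihl = (dgram[0] & 0x0F) * 4
    if checksum(dgram[:ihl]) != 0:          # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", dgram[2:4])[0]
    proto = dgram[9]
    seg = dgram[ihl:total_len]              # ignore any link-layer padding after the datagram
    if proto != PROTO_TCP:
        raise ValueError("not TCP")
    pseudo = struct.pack("!4s4sBBH", dgram[12:16], dgram[16:20], 0, proto, len(seg))
    if checksum(pseudo + seg) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", seg[:14])
    return {
        "src_ip": socket.inet_ntoa(dgram[12:16]), "dst_ip": socket.inet_ntoa(dgram[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload": seg[(offset >> 4) * 4:],
    }


if __name__ == "__main__":
    print(decapsulate(build_sample_frame()))
```

The checksums only catch accidental corruption; anyone who can inject a frame can recompute them, which is why the later slides on spoofing and replay need cryptographic checks rather than checksums.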

Page 10:

Establishment of a TCP connection ("3-way Handshake")

1. Client → Server: SYN. The client sends a connection request, specifying a port to connect to on the server.

2. Server → Client: SYN/ACK. The server responds with both an acknowledgement and a queue entry for the connection (the connection is "half-open" on the server until step 3 arrives).

3. Client → Server: ACK. The client returns an acknowledgement and the circuit is opened.
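The three-message exchange as an added example (not code from the slides): a client and a listener trade SYN, SYN/ACK and ACK, each side checking that the acknowledgement number matches the initial sequence number it sent. The listener keeps the slide's "queue for the connection" as a bounded half-open table, which also shows why a flood of SYNs that are never acknowledged (the SYN flood covered later under Denial of Service) stops legitimate clients from connecting. Addresses and the backlog size are constructed values.

```python
import secrets
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10   # TCP flag bits


@dataclass
class Segment:
    """Only the TCP fields the handshake depends on (constructed, not real sockets)."""
    src: str      # "ip:port" of the sender
    dst: str
    flags: int
    seq: int
    ack: int = 0


class Listener:
    """Server side: SYN -> SYN/ACK, then a matching ACK -> ESTABLISHED, with a bounded backlog."""

    def __init__(self, addr, backlog):
        self.addr = addr
        self.backlog = backlog
        self.half_open = {}     # peer -> (expected client seq, our ISN), waiting for the ACK
        self.established = {}   # peer -> (client next seq, server next seq)
        self.dropped_syns = 0

    def receive(self, seg):
        if seg.flags == SYN:
            if len(self.half_open) >= self.backlog:   # queue full: the SYN is silently dropped
                self.dropped_syns += 1
                return None
            isn = secrets.randbelow(1 << 32)           # unpredictable ISN, so it cannot be guessed
            self.half_open[seg.src] = (seg.seq + 1, isn)
            return Segment(self.addr, seg.src, SYN | ACK, isn, seg.seq + 1)
        if seg.flags == ACK and seg.src in self.half_open:
            expected_seq, isn = self.half_open[seg.src]
            if seg.seq == expected_seq and seg.ack == isn + 1:
                del self.half_open[seg.src]
                self.established[seg.src] = (expected_seq, isn + 1)
        return None   # anything else is ignored here (a real stack would answer with RST)


class Connector:
    """Client side: send SYN, accept only a SYN/ACK that acknowledges our ISN, then send ACK."""

    def __init__(self, addr):
        self.addr = addr
        self.isn = secrets.randbelow(1 << 32)

    def syn(self, server):
        return Segment(self.addr, server, SYN, self.isn)

    def receive(self, seg):
        if seg.flags == SYN | ACK and seg.ack == self.isn + 1:
            return Segment(self.addr, seg.src, ACK, self.isn + 1, seg.seq + 1)
        return None


def handshake(client, server):
    """Run the three messages; True once the server holds the connection as ESTABLISHED."""
    syn_ack = server.receive(client.syn(server.addr))
    if syn_ack is None:
        return False
    ack = client.receive(syn_ack)
    if ack is None:
        return False
    server.receive(ack)
    return client.addr in server.established


def syn_flood(server, count):
    """SYNs from spoofed sources that never ACK: each occupies a half-open slot. Returns drops."""
    for i in range(count):
        server.receive(Segment("203.0.113.%d:%d" % (i % 250 + 1, 1024 + i), server.addr, SYN, i))
    return server.dropped_syns


if __name__ == "__main__":
    srv = Listener("192.0.2.20:80", backlog=4)
    print("legitimate handshake:", handshake(Connector("192.0.2.10:40000"), srv))
    print("SYNs dropped during flood:", syn_flood(srv, 10))
    print("handshake while flooded:", handshake(Connector("192.0.2.11:40001"), srv))
```

Real stacks bound the damage with timeouts on half-open entries and with SYN cookies, which avoid storing state until the final ACK arrives; this model omits both so the exhaustion is visible.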

Page 11:

IP

Figure: "IP Centric Network": IP is the single common layer between many applications above and many link technologies below.

  Applications: Retail, Banking, B2B, Medical, Wholesale, ...
  Layer 6/7 (Applications): Telnet, FTP, SNMP, SMTP, NFS, DNS, TFTP, NTP, X Windows
  Layer 5 (Session)
  Layer 4 (Transport): TCP, UDP
  Layer 3 (Network): IP, ICMP, IGMP; routing protocols IGP (RIP) and EGP (BGP)
  Layer 2 & 1 (Data Link & Physical): Ethernet, 802.3, 802.4, 802.5, 802.6, X.25, Frame Relay, SLIP, PPP, ATM, SMDS, Arcnet, IPX, Appletalk

Page 12:

“Twenty-six years after the Defense Department created the INTERNET as a means of maintaining vital communications needs in the event of nuclear war, that system has instead become the weak link in the nation's defense.” USA Today - 5 Jun 1996

True hackers don't give up. They explore every possible way into a network, not just the well-known ones.

The hacker Jericho.

By failing to prepare, you are preparing to fail.

Benjamin Franklin

Page 13:

Typical Net-based Attacks -- Web

• "Popular" and receive a great deal of media attention.

• Attempt to exploit vulnerabilities in order to:
  – Access sensitive data (e.g. credit card numbers)
  – Deface the web page
  – Disrupt, delay, or crash the server
  – Redirect users to a different site

Page 14:

Typical Net-based attacks -- Sniffing

• Essentially eavesdropping on the network.

• Takes advantage of the shared nature of the transmission media.

• Passive in nature (i.e. just listening, not broadcasting), so there is no attack traffic on the wire to detect.

• The increased use of switching has made sniffing more difficult (less productive) but has not eliminated it: an active trick such as DNS poisoning will convince target hosts to send us traffic intended for other systems (ARP spoofing does the same at the link layer).
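The DNS-poisoning parenthetical above is about forged answers, so here is the check a resolver applies against them, as an added example (not code from the slides). A stub resolver remembers each outstanding query by (random source port, random transaction ID, question name) and discards any answer that does not match all three; the builders and parser cover just enough of the DNS wire format to run the check. Names and addresses are constructed values.

```python
import secrets
import socket
import struct

QR = 0x8000  # DNS header flag: message is a response


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def parse_name(msg, off):
    """Decode labels, following a compression pointer (0xC0xx) if one appears."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(parse_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode())
        off += length


def build_query(txid, name):
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid, name, ip):
    """One answer: pointer back to the question name, type A, class IN, TTL 300, 4-byte rdata."""
    q = encode_name(name) + struct.pack("!HH", 1, 1)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + q + ans


def txid_of(msg):
    return struct.unpack("!H", msg[:2])[0]


class Resolver:
    """Stub resolver that accepts only answers matching an outstanding (port, txid, name)."""

    def __init__(self):
        self.outstanding = {}   # (src_port, txid) -> question name
        self.rejected = []

    def send_query(self, name):
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(64512)   # random source port widens the forger's guess space
        self.outstanding[(port, txid)] = name
        return port, build_query(txid, name)

    def accept_response(self, dst_port, msg):
        txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
        if not flags & QR or qdcount != 1 or ancount < 1:
            return self._reject("malformed")
        qname, off = parse_name(msg, 12)
        off += 4                                   # skip qtype and qclass
        key = (dst_port, txid)
        if key not in self.outstanding:
            return self._reject("no matching query for port/txid")
        if self.outstanding[key] != qname:
            return self._reject("question does not match query")
        _, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        del self.outstanding[key]                  # one answer per query; a late duplicate is refused
        return socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else None

    def _reject(self, reason):
        self.rejected.append(reason)
        return None
```

This check defeats a blind forger who must guess port and transaction ID. It does nothing against an attacker who is sniffing the query on a shared medium and simply copies both values into a faster answer; for that case the remedy is the deck's "Encryption" item (signed or encrypted DNS), not better randomness.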

Page 15:

Typical Net-Based Attacks -- Spoofing, Hijacking, Replay

• Spoofing attacks involve the attacker pretending to be someone else (a forged source address, name or identity).

• Hijacking involves the assumption of another system's role in a "conversation" already taking place.

• Replay occurs when the attacker retransmits a series of packets previously sent to a target host; the packets can be entirely genuine, so authenticating them is not enough on its own.
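A worked defence against the spoofing and replay cases above, as an added example (not code from the slides): every message carries a sequence number and an HMAC tag under a shared key, so a forged or altered message fails the tag check, and a genuine message sent twice is caught by a sliding anti-replay window of the kind IPsec uses. The key and the messages are constructed values.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-for-production"   # assumption: a pre-shared key
WINDOW = 64      # how many sequence numbers behind the highest one we still remember
TAG_LEN = 32     # HMAC-SHA256 output


class Sender:
    def __init__(self, key=KEY):
        self.key = key
        self.seq = 0

    def send(self, payload):
        self.seq += 1                       # never reused; rekey before 2**32 messages
        body = struct.pack("!I", self.seq) + payload
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class Receiver:
    """Check the tag first (spoofing/tampering), then the sequence window (replay)."""

    def __init__(self, key=KEY):
        self.key = key
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit k set <=> sequence number (highest - k) has been seen
        self.rejected = []

    def accept(self, msg):
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # constant-time comparison
            return self._reject("bad tag")
        seq = struct.unpack("!I", body[:4])[0]
        if seq > self.highest:
            # slide the window forward and mark the new highest as seen
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            behind = self.highest - seq
            if behind >= WINDOW:
                return self._reject("too old")
            if (self.bitmap >> behind) & 1:
                return self._reject("replay")
            self.bitmap |= 1 << behind                  # late but first time seen: accept
        return body[4:]

    def _reject(self, reason):
        self.rejected.append(reason)
        return None
```

Out-of-order delivery inside the window is tolerated, which is the reason for the bitmap rather than a simple "must be greater than the last" rule; a message older than the window is dropped even if it was never seen, which is the price of bounded state.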

Page 16:

Typical Net-Based Attacks -- Denial of Service

• DoS and Distributed DoS (DDoS) attacks have received much attention in the media in the last year due to some high-profile attacks. Types:
  – Flooding: sending more data than the target can process
  – Crashing: sending data, often malformed, designed to disable the system or service
  – Distributed: using multiple hosts in a coordinated attack effort against a target system
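The detection side of the flooding and distributed cases, as an added example (not code from the slides): a sliding one-second window counts packets per destination, raises an alert when the rate passes a threshold, and reports how many distinct sources took part, which is what separates a single flooder from the master/agent arrangement on the next slides. The traffic records are constructed (timestamp, source, destination) triples, not captured data.

```python
from collections import defaultdict, deque


def detect_floods(records, threshold, window=1.0):
    """records: (timestamp, src_ip, dst_ip) tuples. Returns {dst: {"peak": n, "sources": {...}}}
    for every destination that received more than `threshold` packets in any `window` seconds."""
    recent = defaultdict(deque)   # dst -> (t, src) packets currently inside the window
    alerts = {}
    for t, src, dst in sorted(records):
        q = recent[dst]
        q.append((t, src))
        while q and t - q[0][0] > window:   # expire packets older than the window
            q.popleft()
        if len(q) > threshold:
            a = alerts.setdefault(dst, {"peak": 0, "sources": set()})
            a["peak"] = max(a["peak"], len(q))
            a["sources"].update(s for _, s in q)
    return alerts


def classify(alert, agent_threshold=3):
    """Crude split between a single flooder and a distributed attack, by distinct senders."""
    return "distributed" if len(alert["sources"]) >= agent_threshold else "single-source"


def sample_records():
    """Constructed traffic: 60 s of light traffic to one host, plus a one-second UDP flood
    from five 'broadcast agents' (the slides' term) against a second host."""
    recs = [(float(i), "198.51.100.%d" % (i % 3 + 1), "192.0.2.1") for i in range(60)]
    agents = ["203.0.113.%d" % k for k in range(1, 6)]
    for i in range(200):
        for agent in agents:
            recs.append((30.0 + i * 0.005, agent, "192.0.2.80"))
    return recs


if __name__ == "__main__":
    for dst, alert in detect_floods(sample_records(), threshold=100).items():
        print(dst, alert["peak"], "pkt/s,", len(alert["sources"]), "sources,", classify(alert))
```

Source addresses in a flood are frequently spoofed, so the source count is evidence of distribution, not proof; the crashing case (malformed packets) needs content inspection rather than rate counting and is not covered here.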

Page 17:

A Distributed DoS in Action

Figure: registration phase. The client (hacker) controls two Master Hosts running the master control programs; each master in turn controls several Broadcast Hosts running the broadcast agents, all reachable across the Internet. An agent announces itself to its master ("*Hello*"), the master verifies the registration, and the two then exchange ping/"PONG" keep-alive messages.

Page 18:

The Attack Phase

Figure: the client (hacker) issues the attack command, every broadcast agent on the Broadcast Hosts launches a UDP flood attack across the Internet, and the target receives the combined flood.