Network Devices and Firewalls Lesson 15


It applies to our class…

Network Devices

Our primary target up to this point has been the computer systems and servers connected to the network. These are not the only devices connected, however, and there are network vulnerabilities as well as network devices that can help us in our intrusion attempt.

There are a number of tools useful in discovering information about the network as well as discovering some of these other network devices.

Traceroute Revisited

Traceroute provides a list of the systems between you and a target host on the network. Useful because you can often determine other network devices such as firewalls and routers.

The last hop before our target is often a device that is simply forwarding traffic such as a router.

Countermeasures to this type of probe consist of limiting the responses to this sort of packet.

traceroute

Autonomous System Lookup

Autonomous System (AS) is the term used to refer to a collection of gateways (routers) that fall under one administrative entity on the Internet.

An Autonomous System Number (ASN) is a numeric identifier for networks participating in Border Gateway Protocol (BGP).

BGP is the protocol in which route paths are advertised throughout the world. Without BGP, Internet traffic would not leave local networks.

Traceroute originating from a BGP participating host shows the ASN information

Public Newsgroups

Search for contact names discovered through ARIN (whois) queries in newsgroups (groups.google.com).

Could be especially useful if the person posts questions or answers to other people’s responses in groups dealing with network or security devices (you may discover what devices the organization is using).

Having this type of information available to potential intruders is not a critical mistake, but it does allow them to cut down on the time they need for discovery. No possibility of “security through obscurity” if you participate in these types of newsgroups.

Service Detection

Just like your computer systems and servers will be listening on certain ports for certain services, so will your network devices.

Cisco routers, for example, listen on ports 1-25, 80, 512-515, 2001, 4001, 6001, 9001.

If we find a device that is listening on these, or a specific subset, we may be able to determine by just this information that the system is a Cisco router.

Use operating system identification tools to verify your suspicions.

One final method you can use is banner grabbing and response fingerprinting.

Certain devices will utilize certain banners or provide unique responses or challenges.

Network Vulnerabilities

Potential problems at several layers of the network.

Phenoelit: www.phenoelit.de

Defcon 10: Talk by FX: “Attacking Embedded Systems”

Defcon 11: Talk by FX: “More Embedded Systems”

Layer 1 exploitation

Remember that layer 1 is the physical layer. So what can we do at this layer?

Fiber networks hard to tap into.

Ethernet 10, 100, 1000BaseT easier and common at local sites.

T1 links easy since they are just twisted pair.

Textbook outlines a possible man-in-the-middle attack where a 1600 Cisco router is placed in between corporate router and systems (in, for example, a phone closet).

Allows you to grab all data that is flowing through without being noticed – unless somebody notices the device in the closet.

What does this mean for us? We will not be exploiting things at this layer but we need to understand the possibilities to explain to our clients why physical is so important.

Layer 2

Data Link layer

Switches: some think the panacea for sniffing issues but…

Textbook describes an exploit that can be used that will allow you to sniff traffic even though you are using a switch.

ARP Redirection

Address Resolution Protocol: IP addresses only make sense to the TCP/IP suite, physical network devices have their own addresses. ARP provides a dynamic mapping from an IP address to the corresponding hardware address.
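Because the IP-to-hardware mapping is dynamic, a defender can watch for it changing unexpectedly. The following is an added example, not part of the original lesson: it compares two ARP-cache snapshots and flags changes consistent with ARP redirection. The "IP MAC" snapshot format, the function names and all addresses are assumptions constructed for illustration.

```python
# Added example (not from the lesson): compare two ARP-cache snapshots and
# flag changes consistent with ARP redirection. All addresses are constructed.

def parse_arp_table(text):
    """Parse 'IP MAC' lines (assumed format, e.g. reduced from `arp -an`)."""
    table = {}
    for line in text.strip().splitlines():
        ip, mac = line.split()
        table[ip] = mac.lower()
    return table


def arp_anomalies(before, after, gateway_ip):
    """Return (severity, message) findings for suspicious mapping changes."""
    findings = []
    # 1. An IP whose hardware address changed between snapshots.
    for ip, mac in sorted(after.items()):
        old = before.get(ip)
        if old is not None and old != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            findings.append((severity, f"{ip} moved from {old} to {mac}"))
    # 2. One hardware address answering for several IPs. This can be
    #    legitimate (proxy ARP, multi-homed hosts), so it is a lead, not proof.
    owners = {}
    for ip, mac in after.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(("MEDIUM", f"{mac} claims {', '.join(sorted(ips))}"))
    return findings


BEFORE = parse_arp_table("""
192.0.2.1   00:00:5e:00:53:01
192.0.2.10  00:00:5e:00:53:0a
192.0.2.20  00:00:5e:00:53:14
""")
# Constructed "after" snapshot: the gateway now maps to host .20's address.
AFTER = parse_arp_table("""
192.0.2.1   00:00:5e:00:53:14
192.0.2.10  00:00:5e:00:53:0a
192.0.2.20  00:00:5e:00:53:14
""")

if __name__ == "__main__":
    for severity, message in arp_anomalies(BEFORE, AFTER, "192.0.2.1"):
        print(severity, message)
```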

Layer 3

Network Layer

Issues at this layer include

Sniffing (this is what it is all about)

Tcpdump most popular traffic sniffer

Dsniff (good for password grabbing, email reassembly, monitor web usage)

IPv4 and IPv6

TCP sequence number prediction

Misconfigurations are a leading cause of vulnerabilities and something attackers rely on in order to penetrate a system/network.

Firewalls

“A well-designed, -configured, and -maintained firewall is nearly impenetrable.”

So, we go around it

Exploit trust relationships

Look for other weak links in the security chain

Attempt to locate a dial-up connection

First step an attacker will take is to locate your firewall and learn what they can about it.

Firewalls, like other devices, have a signature that they provide.

Port scanning the choice here as in other, similar situations.

Traceroute also useful if ICMP not blocked

Banner grabbing works for many proxy firewalls

Firewalls

“Scanning through a firewall”, can be done, but easier said than done.

Packet filtering firewalls

Depend on a set of rules (ACLs?) to determine whether traffic is authorized to pass or not. How well have these rules been set up?
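One way to check how well such rules have been set up, as an added example that is not part of the original lesson: a first-match evaluator for a simplified packet filter, plus an audit that finds rules hidden behind an earlier, broader rule. The rule model (proto "ip" for any protocol, port None for any port), the function names and the rule set are assumptions constructed for illustration.

```python
# Added example (not from the lesson): first-match evaluation of a packet
# filter plus a check for rules hidden behind an earlier, broader rule.
import ipaddress
from collections import namedtuple

# proto "ip" means any protocol; port None means any port (assumed model).
Rule = namedtuple("Rule", "action proto src dst port")


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    net = ipaddress.ip_network
    return (a.proto in ("ip", b.proto)
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and (a.port is None or a.port == b.port))


def decide(rules, proto, src, dst, port):
    """Return (action, rule index) for one packet; implicit deny at the end."""
    packet = Rule("-", proto, src + "/32", dst + "/32", port)
    for index, rule in enumerate(rules):
        if covers(rule, packet):
            return rule.action, index
    return "deny", None


def shadowed(rules):
    """List (rule, hidden_by, kind) for rules that can never be reached."""
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                same = rules[i].action == later.action
                findings.append((j, i, "redundant" if same else "conflict"))
                break
    return findings


# Constructed rule set: rule 1 is too broad and hides the deny in rule 2.
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "198.51.100.0/24", 80),
    Rule("permit", "ip", "10.0.0.0/8", "0.0.0.0/0", None),
    Rule("deny", "tcp", "10.1.2.0/24", "198.51.100.25/32", 23),
    Rule("permit", "tcp", "0.0.0.0/0", "198.51.100.10/32", 80),
]

if __name__ == "__main__":
    print(shadowed(ACL))
    print(decide(ACL, "tcp", "10.1.2.7", "198.51.100.25", 23))
```

A "conflict" finding is the one to review first: the later rule was written with a different intent than the rule that actually decides the traffic.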

ICMP tunneling is accomplished by wrapping real data in an ICMP header (if firewall allows ECHOs).

Assumes you have a compromised host on the inside you are trying to pass data to.
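From the monitoring side, tunneled data tends to break the way ping behaves. The following is an added example, not part of the original lesson: it flags ICMP echo messages whose reply data differs from the request, replies with no matching request, and unusually large payloads. The record layout, the 64-byte threshold and the sample records are assumptions constructed for illustration, and the records are assumed to belong to one pair of hosts.

```python
# Added example (not from the lesson): flag ICMP echo traffic that does not
# behave like ping. Records are constructed; capture/parsing is out of scope.
from collections import namedtuple

Echo = namedtuple("Echo", "kind ident seq payload")  # kind: request | reply

MAX_PAYLOAD = 64  # assumed threshold; common ping payloads are 32 or 56 bytes


def icmp_echo_findings(records, max_payload=MAX_PAYLOAD):
    """Return (ident, seq, kind, reason) for each suspicious echo message."""
    findings = []
    pending = {}  # (ident, seq) -> payload of the request awaiting a reply
    for rec in records:
        key = (rec.ident, rec.seq)
        if len(rec.payload) > max_payload:
            findings.append(key + (rec.kind, "oversized payload"))
        if rec.kind == "request":
            pending[key] = rec.payload
        elif key not in pending:
            findings.append(key + (rec.kind, "reply without request"))
        elif pending.pop(key) != rec.payload:
            # RFC 792: the data in an echo reply must be the request's data.
            findings.append(key + (rec.kind, "reply data differs"))
    return findings


PING = bytes(range(56))  # constructed stand-in for a normal ping payload
SAMPLE = [
    Echo("request", 7, 1, PING), Echo("reply", 7, 1, PING),       # normal
    Echo("request", 9, 1, PING), Echo("reply", 9, 1, b"x" * 56),  # altered
    Echo("reply", 9, 2, b"y" * 40),                               # unsolicited
    Echo("request", 9, 3, b"z" * 200),                            # too large
]

if __name__ == "__main__":
    for finding in icmp_echo_findings(SAMPLE):
        print(finding)
```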

Application Proxy firewalls are generally pretty secure and hard to get around but they, too, can be misconfigured.

Summary

What is the importance and significance of this material?

Need to understand that computers and servers are not the only items connected to the network.

How does this topic fit into the subject of “Security Risk Analysis”?

Some of these other devices may be vulnerable and aid in attacking the network.