StaridLabs CISSP Training Week 7 – Network Security Pages 381-455


StaridLabs CISSP Study slides for week 7


Page 1: CISSP Week 7

StaridLabs CISSP Training

Week 7 – Network Security, Pages 381-455

Page 2: CISSP Week 7

RADIUS

● Used to authenticate a user/machine to a network.

● Shared secret provided between client application and server.

● Once shared secret is accepted then username/password is sent

● Cheap to set up
● Not all fields are encrypted

Page 3: CISSP Week 7

Radius Cont.

● Used for low risk authentication to prevent and locate unauthorized users (e.g. an ISP detecting non-paying cable modem users)

● In a corporate environment RADIUS can be used to authenticate to servers, applications, networks, VLANs, switches, etc.

● For corporate use, 2 factor authentication should be used:
  ● EAP, tokens, smartcards

Page 4: CISSP Week 7

SNMP

● Used to receive (get) configuration/state data as well as to configure (set) configuration

● Uses “community strings” and pass phrases for V2 and above
● Data can be sniffed easily and credentials can be stolen
● V3 supports encryption, but isn't being used much yet.
● Applicable devices: firewalls, routers, switches, OS (Windows and Linux), applications, embedded devices, etc.

Page 5: CISSP Week 7

SNMP Stupidities

● String/passphrase often the same for many like devices (switches, databases, etc) for easy management.

● A disastrous number of companies have SNMP open externally.

● SNMP shouldn't be queried from outside your network; remote devices need some other method. V3 helps with this but again isn't supported everywhere yet.

Page 6: CISSP Week 7

Remote Access Services

● Telnet, rlogin, X11
● Plaintext sessions allow snooping of the session as well as of the credentials, which are sent in plaintext

● All have an SSH encapsulated replacement

Page 7: CISSP Week 7

Telnet Servers

● Available on Windows and Linux/Unix
● More commonly seen on Unix
● Server runs as system (trusted application)
● Encryption is not supported
● Malicious user can easily escalate to root/admin
● Telnet servers should be disabled or blocked unless absolutely necessary. If necessary, spend a good amount of time trying to find ways to mitigate the risk

Page 8: CISSP Week 7

Rlogin/rsh/rcp

● Rlogin:
  ● Remote shell to machine
  ● If installed, a user can set it up for other users and subvert the admin when providing server access

● Rsh/rcp:
  ● Allows file/console access based solely on userid/IP. Userid is ignored.

Page 9: CISSP Week 7

Screen Scrapers

● Watches & captures a user's screen. Can be legitimate or malicious.

● Legitimate use would be seeing what an employee in a bank call center looks at to make sure they're not looking at things they shouldn't.

● Malicious use would be an attacker adding a screen scraper to a bank call center machine to capture all of the data a user looks at, thus framing the employee.

Page 10: CISSP Week 7

Virtual Network Terminal Services

● Terminal Services is a server which allows a web based or Remote Desktop (RDP) session which displays the server's desktop to the client in an encrypted tunnel.

● Citrix, Remote Desktop/TS (Microsoft)
● Good for distributed employees and road warriors who may have personal or dirty laptops.

Page 11: CISSP Week 7

Telecommuting

● Telecommuters should be required to VPN into the network when working. The end user machine should use full drive encryption and should comply with security policies such as screen lockout.

● Network connection type & work location should be considered before access is granted.

Page 12: CISSP Week 7

Analog VS Digital Signals

● Analog signals are a wave and can represent a voice, etc.

● Digital is only 1's and 0's and data such as voice must be converted to binary before sending.

Page 13: CISSP Week 7

Network Topology: BUS Networks

● All hosts receive all traffic
● Node failure doesn't affect network
● Failure in the bus takes down the whole network

Page 14: CISSP Week 7

Tree networks

● Uses cable splitters
● All hosts receive all traffic
● Cable failure creates outage for entire downline

Page 15: CISSP Week 7

Ring (Token ring)

● Closed loop network
● Data travels one way, passing data to one neighbor and receiving from the other
● Generally uses coaxial or fiber
● Single point of failure unless dual ring setup with secondary networking

Page 16: CISSP Week 7

Mesh

● All nodes have direct connection to each other

● Common for high availability network gear
● High level of network reliability
● Expensive due to cable costs
● (Wireless mesh networks continue to gain popularity)

Page 17: CISSP Week 7

Star

● “Normal” network topology
● Switch is centralized: end points connect to switches, and switches connect to each other

● Minimal cables needed
● Switch/hub is single point of failure for star nodes

Page 18: CISSP Week 7

Unicast

● Normal packet data: A packet is sent from one host to another

Page 19: CISSP Week 7

Broadcast

● A single host sends to many hosts
● Very noisy
● Commonly seen with ARP and NetBIOS
● 192.168.1.255 will send the packet to every host between 192.168.1.1 and 192.168.1.254

Page 20: CISSP Week 7

Multicast

● Isn't used as often as it should be (Tim comment)
● Unreliable, best effort transmission
● Uses IGMP to manage subscribers
● Clients request to join a specific multicast channel
● Server only sends data once, and data is received by all clients subscribed to that multicast channel
● Used for streaming video, etc.

Page 21: CISSP Week 7

Circuit Switched Network

● Client/Server keeps continuous session open

● POTS, ISDN, PPP
● All data sent along same path, even if a shorter path opens later.

Page 22: CISSP Week 7

Packet Switched Network

● Data broken into packets
● Each packet is routed through the best path as determined by network rules
● Packets are re-ordered at the destination endpoint and reassembled

Page 23: CISSP Week 7

Carrier Sense Multiple Access (CSMA)

● CSMA/CA
  ● Collision Avoidance
  ● Broadcasts a jamming signal and then sends data. Other endpoints wait once they receive the jamming signal.

● Used by 802.11 (wireless)

Page 24: CISSP Week 7

CSMA/CD

● Collision Detection
● Client checks if line is clear; if clear it sends data
● Collisions occur when both sides see the line as clear and send at the same time, causing data to become unusable.

● When collision occurs both sides wait a random amount of time and resend.

● Used by 802.3 Ethernet

Page 25: CISSP Week 7

Polling

● Client only talks when master device tells it to.

● Also used by 802.11(wireless)

Page 26: CISSP Week 7

Ethernet 802.3

● Full duplex mode (mostly) immune to collisions

● Half duplex uses CSMA/CD
● 802.3 can use coaxial, unshielded twisted pair (UTP), or fiber cable

Page 27: CISSP Week 7

Token Ring (802.5)

● Physically a star topology
● Uses logical tokens to create ring
● Dead technology

Page 28: CISSP Week 7

FDDI – Fiber Distributed Data Interface

● Fiber networking using two fiber cables & 2 ring networks

● Second cable is standby in the event of primary ring failure

● Still in active use

Page 29: CISSP Week 7

Multiprotocol Label Switching (MPLS)

● Fast, pre-determined tunnel
● Offers QoS
● Called “IP VPN” - ISP sets up route and data flows even if path is not shortest
● Not encrypted – but if ISP sets it up right then data is only seen by the ISPs which it passes through.
● (Tim Comment) I recommend at least minimal encryption across the tunnel to obscure data from prying eyes. Network glitches happen which could send data outside of the expected route.

Page 30: CISSP Week 7

LAN – Local Area Network

● Collection of locally interconnected computers.

● Local being defined as a building or campus

Page 31: CISSP Week 7

VLAN – Virtual LAN

● Uses one set of network equipment
● Allows “virtual” paths & LANs to be created
● Switch drops traffic if port is not configured for the sending VLAN
● Known attacks against VLANs, but still a good way to segregate
● Attack known as VLAN hopping

Page 32: CISSP Week 7

ISDN

● A legacy model which is faster than dialup
● Dead technology

Page 33: CISSP Week 7

Point to Point

● Uses continuous fiber cable to directly connect two points.

● Very expensive
● Example is 2 datacenters owned by the same company. If the company doesn't trust the data going through an ISP, it can set up a fiber Point to Point to connect the datacenters.

Page 34: CISSP Week 7

T1/T3

● Uses Time Division Multiplexing (TDM)
● T1 = 24 channels over a copper cable
● Full T1 = 1.544 Mbps
● Can purchase anywhere from 1-24 active channels to decrease cost.
● Can bundle T1's for more throughput:
  ● T2 = 4 X T1
  ● T3 = 7 X T2
  ● T4 = 6 X T3
  ● All can be fractionally purchased

Page 35: CISSP Week 7

E1/E3

● Same as T1/T3 but for Europe. E1 has a slightly higher transmission rate.

● Make sure when buying equipment that it's for E1 or T1; it must be built compatible or for the correct standard.

Page 36: CISSP Week 7

OC1/OC12

● Super high throughput
● OC1 = 51 Mbps
● OC3 = 155 Mbps
● OC192 = 9954 Mbps

Page 37: CISSP Week 7

DSL

● Uses Cat-3 (phone line), unfiltered
● ADSL – Downstream faster than upstream
● SDSL – Down and up are same speed
● VDSL – Very fast; most inner city DSL is VDSL now.

Page 38: CISSP Week 7

Cable Modem

● Modem & Cable Company exchange crypto keys

● Data is encrypted in transit
● (I know cableone turned this on at one point, last I checked it had been turned off again. Midcontinent is not using encryption last I checked, which was last fall)

Page 39: CISSP Week 7

Network Attacks!

Page 40: CISSP Week 7

Networks

● Everything is getting an IP nowadays – from TV's, Generators, Air Conditioners, Ice Machines, and light bulbs...

Page 41: CISSP Week 7

Net Defense Basics

● Define security domains (Public, Confidential, Restricted)
● Segregate networks based on security domains
● Think ahead for incident response:
  ● Have logs
  ● Know what systems you have/what they do
  ● A methodology to contain incidents quickly and manage reaction

● See SANS Top 20 controls for recommendations

Page 42: CISSP Week 7

Defense in Depth

● Assumes attack will eventually succeed
● Security layers employed: network security, OS hardening, antivirus, end user firewalls, user training, patching, detection, IPS, NAC

Page 43: CISSP Week 7

Confidentiality Attacks

● Purpose is to steal non-public data
● User/passwords, computer code, designs, business plans, emails, embarrassing memos, alien files

● Example is wired/wireless data sniffing

Page 44: CISSP Week 7

Integrity Attacks

● Attempt to corrupt or change (destroy) data or systems

● Examples are stuxnet, defacing websites, SQL Injection

Page 46: CISSP Week 7

Availability Attacks

● Attacks make systems temporarily unavailable

● Denial Of Service

Page 47: CISSP Week 7

Domain Names

● Trademark your URL if you're an IT company with a web presence

● Register misspellings of domain name to reduce risk of reputation loss

Page 48: CISSP Week 7

Open Mail Relay Servers

● Allows email to be sent without authentication

● Sign of bad sysadmins (see staridlabs.org hosted by cheaplinuxhosting.com!)

Page 49: CISSP Week 7

Spam

● Spam email. Contains viruses, malicious URLs, etc

● Discuss DHL exploit

Page 50: CISSP Week 7

Scanning Techniques – Port Scanning

● Checks what ports are open/accessible on system

● Fingerprints system:
  ● OS type/version
  ● Hardware manufacturer/version
  ● App versions (banner grab)

Page 51: CISSP Week 7

Fin Scan

● Sends connection close signal to port
● Receives RST/ICMP packet if port is closed
● Used against UNIX/Linux hosts

Page 52: CISSP Week 7

Null Scan/XMas Scan

● Null Scan:
  ● No TCP flags are set

● XMAS Scan:
  ● All TCP flags are set

● Generally useful to compare results of both scans

Page 53: CISSP Week 7

TCP Sequence Number Attack

● Can scan using a zombie legitimate host by predicting tcp sequence number and spoofing source address. When victim responds back to zombie host, you connect to zombie and count how many tcp numbers were incremented.

● Tcp sequence randomization can be turned on for all common operating systems.

Page 54: CISSP Week 7

Attack Trees

● Logical representation of what steps an attacker would need to take to attack a system

● Great for explaining to non-management what the risk is (or isn't)

Page 55: CISSP Week 7

Methods of attack

● Target Acquisition/Intel Gathering
  ● Publicly available data
  ● Scans

● Target Analysis
  ● Identify vulnerabilities
  ● Identify tools best suited to exploit the vulnerability

Page 56: CISSP Week 7

Methods of Attack 2

● Target Access
  ● Gain access to system (desktop, prompt, process)

● Target Appropriation
  ● Elevate system access (if needed)
  ● Steal all the things
  ● Set up backdoors
  ● Clean up tracks (if needed)

Page 57: CISSP Week 7

Scanners (for good)

● Identifies vulnerabilities
● Finds configuration mistakes/risks
● Tests for compliance

● Example: if the vuln scanner sees the 'games' user in Linux then I know the box didn't have STIGs applied

● Can have lots of false positives

Page 58: CISSP Week 7

Penetration Testing

● Verifies vulnerabilities and what risk comes with a successful attack

● Puts the “human eye” on systems, often finding things a scanner won't

Page 59: CISSP Week 7

Network Taps

● Copies all traffic across a path
● Sometimes required for legal compliance

Page 60: CISSP Week 7

Malicious Packet Crafting

Page 61: CISSP Week 7

Teardrop attack

● Packets are fragmented erroneously so when reassembled the target calculates a negative fragment length. This is a denial of service attack.

● Fix by vendor patch

Page 62: CISSP Week 7

Overlapping Fragment Attack

● Packets are fragmented and the first fragments are sent with legitimate data. Following fragments overwrite the first legitimate ones and are malicious.

● This works because some IPS systems only scan the first x bytes of a packet
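A fragment-train sanity check of the kind a reassembler or IPS should run before accepting a datagram, covering both the teardrop case (a fragment that ends inside data already delivered, which a naive reassembler turns into a negative copy length) and the overlapping-fragment case (a later fragment rewriting bytes an earlier one delivered). This is an added example, not from the slides; fragments are modelled as (byte offset, length, more-fragments) tuples and the trains below are constructed.

```python
"""Sanity checks an IP fragment train before reassembly (added example).

Fragments are (byte offset, payload length, more-fragments flag) with the
offset already converted from 8-byte units to bytes. The sample trains
at the bottom are constructed, not captured traffic.
"""
from typing import List, Tuple

Fragment = Tuple[int, int, bool]


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return findings for a fragment train; an empty list means it looks sane.

    teardrop: fragment lies entirely inside bytes already delivered, so a
              naive reassembler computes a negative length for it.
    overlap:  fragment starts inside delivered data but extends past it,
              rewriting bytes an IPS may already have inspected.
    gap:      bytes were never delivered, so the datagram cannot complete.
    """
    findings: List[str] = []
    ordered = sorted(frags, key=lambda f: f[0])
    end = 0  # first byte offset not yet delivered
    for off, length, _more in ordered:
        if length <= 0:
            findings.append(f"bad length {length} at offset {off}")
            continue
        frag_end = off + length
        if off < end and frag_end <= end:
            findings.append(f"teardrop: fragment {off}-{frag_end} ends inside delivered data")
        elif off < end:
            findings.append(f"overlap: fragment {off}-{frag_end} overwrites bytes {off}-{end}")
        elif off > end:
            findings.append(f"gap: bytes {end}-{off} never delivered")
        end = max(end, frag_end)
    if ordered and ordered[-1][2]:
        findings.append("last fragment still has more-fragments set")
    return findings


# Constructed sample trains.
SANE = [(0, 24, True), (24, 24, True), (48, 8, False)]
TEARDROP = [(0, 36, True), (24, 4, False)]   # second fragment ends at byte 28, inside the first
OVERLAP = [(0, 24, True), (8, 32, False)]    # second fragment rewrites bytes 8-24 of the first

if __name__ == "__main__":
    for name, train in (("sane", SANE), ("teardrop", TEARDROP), ("overlap", OVERLAP)):
        print(name, check_fragments(train) or "ok")
```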

Page 63: CISSP Week 7

Source Routing Exploit

● Attacker requests alternate path in packet header and bypasses firewall rules

Page 64: CISSP Week 7

Smurfs/Fraggles

● Broadcast denial of service attacks
● Smurf – Spoofed source address to broadcast using ICMP. All receiving clients respond and DOS the victim

● Fraggle – Same as a smurf but using UDP

Page 65: CISSP Week 7

NFS Attacks

● Config can allow unintended access to filesystem
● Potential for unauthorized clients by falsifying IP (the only auth mechanism)
● Faking userid (permissions)
● Sniffing connection (unencrypted by default)
● Setuid allows privilege escalation (disable NFS setuid rendering)
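A small audit of an /etc/exports table for the three misconfigurations the slide lists: exports open to any host (where the client IP is the only authentication), read-write exports with no_root_squash (remote root can plant setuid files), and the insecure option (requests accepted from unprivileged ports, so any local user on the client can forge uids). This is an added example, not from the slides; the export table is constructed and the option names are the standard Linux nfs-utils ones.

```python
"""Flags risky entries in an /etc/exports file (added example).

The export table below is constructed for illustration. Entries without
a parenthesised option list are ignored by this check.
"""
import re
from typing import List, Tuple

SAMPLE_EXPORTS = """\
# constructed sample, not a real host's configuration
/srv/public   *(ro,sync,root_squash)
/srv/backups  *(rw,no_root_squash)
/home         10.0.0.0/24(rw,sync,root_squash,insecure)
/srv/build    build01.example.net(rw,sync,all_squash)
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)")  # client(opt,opt,...)


def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, client, finding) triples for weak export entries."""
    findings: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        path, rest = m.groups()
        for client, opts in CLIENT_RE.findall(rest):
            options = {o.strip() for o in opts.split(",")}
            if client in ("*", "0.0.0.0/0"):
                findings.append((path, client, "exported to any host; client IP is the only authentication"))
            if "rw" in options and "no_root_squash" in options:
                findings.append((path, client, "rw with no_root_squash: remote root can plant setuid files"))
            if "insecure" in options:
                findings.append((path, client, "insecure: unprivileged client ports accepted, uids can be forged"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {finding}")
```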

Page 66: CISSP Week 7

NNTP (Newsservers)

● Disable & Block

Page 67: CISSP Week 7

Finger (port 79)

● Disable & Block

Page 68: CISSP Week 7

NTP – Time syncing

● Use trusted upline servers (and more than one)

● Network should have its own timeserver

Page 69: CISSP Week 7

DDOS

● Attacks by thousands of machines against a host or device

● Only so much you can plan for
● Network proxies exist
● Configurations can ease congestion if the DDOS is smaller

Page 70: CISSP Week 7

Syn Floods

● DOS attack – Overloads max connections a server can handle

Page 71: CISSP Week 7

Email Spoofing

● You too can be president for an email

Page 72: CISSP Week 7

DNS Spoofing

● Malicious entries
● Redirect to malicious hosts
● Host file spoofing

Page 73: CISSP Week 7

Session Hijacking

● Adding packets to an authenticated, legitimate session

Page 74: CISSP Week 7

Syn Scan

● Only sending SYN packets and waiting for responses

● Fast
● Sometimes doesn't get logged (useful)
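Detection logic for the probe types the deck describes on the FIN, Null/XMas and SYN scan slides, written from the defender's side: each packet's TCP flag byte is classified (no flags = null, FIN/PSH/URG lit = XMas, lone FIN, lone SYN), and a source is reported only when it hits many distinct ports on one host with the same probe type, which separates a scan from a normal client opening a couple of connections. This is an added example, not from the slides; the packet records are constructed tuples and a real deployment would feed them from a capture or firewall log.

```python
"""Classifies TCP probes by flag byte and reports scan-like bursts (added example).

Packet records are constructed (src, dst, dport, flags) tuples; flags is the
8-bit TCP flag field as it appears in the header.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the slides describe "all flags set"; nmap's -sX sets these three


def classify_probe(flags: int) -> str:
    """Name the probe type implied by a packet's TCP flags."""
    if flags == 0:
        return "null"          # null scan: nothing set
    if flags & XMAS == XMAS:
        return "xmas"          # matches both "all flags" and FIN/PSH/URG
    if flags == FIN:
        return "fin"           # FIN scan: close request for a never-opened connection
    if flags == SYN:
        return "syn"           # bare SYN: normal on its own, a scan when sprayed
    return "normal"


def find_scanners(packets: Iterable[Tuple[str, str, int, int]],
                  port_threshold: int = 10) -> Dict[str, Dict[str, int]]:
    """Return {src: {probe_type: distinct port count}} for sources that sent
    one probe type to at least port_threshold distinct ports on a single host."""
    seen: Dict[Tuple[str, str, str], Set[int]] = defaultdict(set)
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind != "normal":
            seen[(src, dst, kind)].add(dport)
    report: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (src, dst, kind), ports in seen.items():
        if len(ports) >= port_threshold:
            report[src][kind] = len(ports)
    return dict(report)


# Constructed sample: one host sprays SYN and null probes, another browses normally.
SAMPLE = (
    [("10.0.0.9", "10.0.0.5", p, SYN) for p in range(1, 21)]
    + [("10.0.0.9", "10.0.0.5", p, 0) for p in range(1, 13)]
    + [("10.0.0.7", "10.0.0.5", 443, SYN), ("10.0.0.7", "10.0.0.5", 443, ACK),
       ("10.0.0.7", "10.0.0.5", 443, PSH | ACK)]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```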