Network Security: EECE 542 Fall 2003
EECE 542
Fall 2003
Basics
● Apply security patches (automated, managed, or otherwise)
● Vulnerability assessment tools (remote or client based). Ex: Saint, Nessus, Bindview, LANguard, Nmap, TCPView – find out what you're running!
● Use antivirus on clients, servers, email (update definitions AT LEAST daily)
● Turn off unnecessary services that listen on a network port
● Backups are your friend!
Password Issues
● Use/require good passwords
● Expire old passwords
● Change default passwords
● Set passwords for screen savers, BIOS, boot loaders, etc...
● Never send passwords (or any sensitive info) in clear text
● Beyond passwords: biometrics, one-time passwords, etc... (pluses and minuses to these)
Email Issues
● Email system similar in many ways to the postal system
● Headers can be forged
● Open mail relays
● Spam and security
● Use encrypted forms of the services where possible (IMAPS, POPS, etc...)
● Verify attachments before opening them (scan them, call/email the sender)
● Hoaxes
Web (HTTP) Security
● Keep browsers patched
● Make sure sensitive info is sent over SSL
● Basic HTTP auth
● SSL and certificates
● Make sure you have real-time antivirus running (and updated)
● Spyware
Encryption
● Symmetric vs. asymmetric (public key cryptography)
● Authentication or encryption
● Digital signatures
● What is encrypted (payload or payload+headers, authentication only or the entire session)? VNC...
● How strong?
● Algorithms (DES, 3DES, Blowfish, etc.)
SNMP
● SNMP (Read, Read/Write, Defaults)
● Some uses for SNMP
  – Monitoring network traffic
  – Changing port operations on network equipment
  – Finding a MAC address in a switch
● Problems with SNMP
  – Default community names and passwords
  – May allow more access to the equipment than you want
  – Some implementations require updates to fix security holes
Wireless Networks
● Packet sniffing is a real problem – shared medium
● WEP keys and sniffing
● Service “hijacking”
● MAC restrictions
● ALWAYS use encrypted services when doing anything remotely sensitive on a wireless network!
● VPNs can be used if encrypted services are not available
VPN
● Virtual Private Network
● Create encrypted tunnels to connect stations at remote sites over the Internet
● Several protocols exist: PPTP, L2TP, IPSec
● Simple VPN with SSH (tunneling)
● Get IP address from the same subnet as the VPN server
● Host to VPN gateway (example)
● VPN gateway to VPN gateway (example)
● Where is the traffic actually encrypted?
PPTP
● PPP (layer 2) over IP (RFC 2637)
● PAP: Password Authentication Protocol
  – Stored encrypted, sent in clear text
● CHAP: NT challenge response
  – Stored in clear text (or hash), but not sent out that way
● CHAPv2: more secure version of CHAP
● Easy to configure under Windows (Win9x/ME only support clear text passwords)
● RFC 1334 (PPP) defines auth. mechanisms
PAP
● Password Authentication Protocol
● 2-way handshake
  – After the link is established, the LoginID/Password pair is repeatedly sent by the client until the authentication is acknowledged or the connection is dropped.
CHAP
● CHAP: Challenge Handshake Authentication Protocol
● Periodically checks the identity of the remote client (3-way handshake)
  – Server issues a challenge & the client responds with a value obtained from a hash
  – Server compares the response to its own calculated value
  – If they match, the authentication is acknowledged
● Periodic checks reduce the risk of connection hijacking
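The 3-way exchange above, as an added Python example that is not part of the lecture: a toy CHAP authenticator and client in the MD5 form of RFC 1994, where Response = MD5(Identifier || Secret || Challenge). The peer name, shared secret and 16-byte challenge length are constructed; `demo()` also shows why a fresh periodic challenge defeats a replayed response.

```python
import hashlib
import hmac
import secrets

# Added example (not part of the lecture): CHAP with MD5 as in RFC 1994,
# Response = MD5(Identifier || Secret || Challenge). Peer name and
# secret below are constructed test values.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: hash the 1-byte identifier, shared secret and challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Authenticator side. Keeps the shared secret per peer and remembers
    each outstanding challenge so a response can be matched to it."""
    def __init__(self, secrets_by_peer: dict):
        self._secrets = secrets_by_peer
        self._pending = {}          # identifier -> challenge still awaiting a reply
        self._next_id = 0

    def issue_challenge(self):
        ident = self._next_id
        self._next_id = (ident + 1) % 256   # identifier is one byte on the wire
        challenge = secrets.token_bytes(16) # fresh random value every time
        self._pending[ident] = challenge
        return ident, challenge

    def verify(self, ident: int, peer: bytes, response: bytes) -> bool:
        challenge = self._pending.pop(ident, None)  # a challenge is usable once
        secret = self._secrets.get(peer)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)

def demo():
    """Valid login, then a captured response replayed against a later
    periodic challenge (which must fail), then a wrong secret."""
    server = ChapServer({b"alice": b"correct-horse"})
    ident, challenge = server.issue_challenge()
    captured = chap_response(ident, b"correct-horse", challenge)
    ok = server.verify(ident, b"alice", captured)
    ident2, _ = server.issue_challenge()
    replay = server.verify(ident2, b"alice", captured)
    ident3, challenge3 = server.issue_challenge()
    wrong = server.verify(ident3, b"alice", chap_response(ident3, b"guess", challenge3))
    return ok, replay, wrong
```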
L2TP
● Similar to PPTP
● Uses PPP with PAP & CHAP
● Vendor driven, but an IETF standard (RFC 2661)
● Gateway to gateway or client to gateway
● Voluntary (mobile users) or compulsory modes (ISP must support it, no Internet access)
● No encryption
IPSec
● IP security
● Set of protocols (part of IPv6)
● Internet Key Exchange Protocol (IKE)
● SKIP and ISAKMP (more key management)
● Authentication Header (AH) (no encryption)
● Encapsulated Security Payload (ESP)
● IP Compression (IPCOMP)
● AH, ESP, and IPCOMP can be combined
IPSec (Cont.)
● Authentication
● Data integrity
● Replay protection
● Privacy
● Can be used to secure L2TP (works with NAT)
Firewalls
● Client/host based “software firewalls”
  – Iptables, ZoneAlarm, etc...
● Routers
  – Typically block on IP addr or port #
● Dedicated firewall
  – Appliance or PC configured with routing rules
NAT
● Network Address Translation
● External interface has a public IP address
● Internal interface can have a private IP address
● Entire network “masquerades” as the single public address
● May allow port redirection
● May not work with all services
● Decent protection against automated attacks
● Sequence #'s can be used to determine the # of internal hosts
Stateful Inspection
● Keeps track of sessions/connections
● Allows you to establish outbound connections without allowing inbound ones
● May operate at various levels of the OSI model
● Application level firewalls may even inspect the payload (application aware) – may be affected by encryption
Bridging Firewall
● Hardware firewalls typically act as routers
  – Breaks up broadcast domains, requires subnetting, must be able to route all layer 3 protocols in use, may require configuration changes on the client (set gateway)
● Linux and BSD (and others) support bridging with firewall support
  – Transparent (doesn't even require an IP), no subnetting, may just bridge frames containing unsupported layer 3 protocols, does not break up broadcast domains
Bastion Host
● A host and/or firewall that is exposed to the Internet
● Provides public services
● May act as a firewall
Router/Routing Firewall Config
● Can have multiple interfaces
● Each interface will need an IP
  – IP for each interface must be on a separate subnet (routing is based on the network/subnetwork number)
● May have more than 2 interfaces
Firewall Rules
● Default policies
● Typically rules are applied in order
● Last rule may be a “catch all” default policy
● Traffic shaping (not really a firewall function)
What can we filter on?
● Src, Dst IP
● Src, Dst port
● Src, Dst MAC
● Protocol (tcp, udp, icmp, etc.)
● Time of day
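Putting the Stateful Inspection, Firewall Rules and filter-criteria slides together, as an added Python example that is not part of the lecture: a toy packet filter that applies rules in order with a catch-all default policy, matches on protocol, source/destination IP and destination port, and tracks accepted flows so replies get back in while unsolicited inbound traffic is dropped. The `Packet`, `Rule` and `StatefulFilter` names and every address, port and rule are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not from the lecture): a toy first-match packet filter with
# connection tracking. All addresses, ports and rules below are constructed.
Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass
class Rule:
    action: str               # "accept" or "drop"
    proto: str = "any"        # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"    # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    dport: int = 0            # 0 = any destination port
    direction: str = "any"    # "in", "out" or "any"
    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (0, pkt.dport)
                and self.direction in ("any", direction))

class StatefulFilter:
    def __init__(self, rules, default="drop"):
        self.rules, self.default = rules, default
        self.conns = set()    # flows accepted so far, as 5-tuples
    def filter(self, pkt: Packet, direction: str) -> str:
        # Replies to a flow we already accepted bypass the rule list entirely.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "accept"
        for rule in self.rules:   # rules are applied in order; first match wins
            if rule.matches(pkt, direction):
                if rule.action == "accept":
                    self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return self.default       # catch-all default policy

def demo():
    fw = StatefulFilter([
        Rule("drop", src="192.168.1.66/32"),                              # blocked host first
        Rule("accept", "tcp", src="192.168.1.0/24", dport=443, direction="out"),
        Rule("accept", "tcp", dst="192.168.1.10/32", dport=22, direction="in"),
    ])
    web = fw.filter(Packet("tcp", "192.168.1.20", 51000, "203.0.113.5", 443), "out")
    reply = fw.filter(Packet("tcp", "203.0.113.5", 443, "192.168.1.20", 51000), "in")
    blocked = fw.filter(Packet("tcp", "192.168.1.66", 51001, "203.0.113.5", 443), "out")
    probe = fw.filter(Packet("tcp", "203.0.113.9", 40000, "192.168.1.20", 51000), "in")
    ssh = fw.filter(Packet("tcp", "198.51.100.7", 33000, "192.168.1.10", 22), "in")
    return web, reply, blocked, probe, ssh
```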
Honey Pots
● “Victim” host
● Watch what kind of attacks take place
● May not run real services
● Draw attention away from other systems
● May alert when attacks take place so that other systems can be monitored or traffic blocks put in place
IDS
● Intrusion Detection Systems
● File based (Tripwire)
● Network based (Snort)
● Signature based vs. anomaly based
● Could be used to create dynamic firewall rules
  – Use with caution, may make DoS attacks possible!
Attack Types
● Scans
● DoS
● DDoS
● Buffer overflows
● Default passwords
● Brute force
● Sniffing
● Social engineering
Legal and Ethical Issues
● Should not allow your network to be a liability to others
● Honeypots may pose legal problems
● Temptation to “return fire”
● Notifying sites of abusive behavior from their network
● Log and record retention