BUS-S 538 Communications and Network Security
Problems with IPv4
- Address exhaustion
- Even with the use of CIDR, routing tables, primarily in the IP backbone routers, are growing too large to be manageable
- Traffic priority, or class of service, is vaguely defined, scarcely used, and not at all enforced in IPv4, but highly desirable for modern real-time applications
- The number of mobile data applications and devices grows quickly; this protocol has difficulty in managing forwarding addresses and in realizing visitor-location network authentication
- There is no direct security support in this protocol. Various open and proprietary security solutions cause interoperability concerns. As the Internet becomes the fabric of everyday life in the new cyberspace, security enhancement to the infrastructure should be placed in the basic IP protocol
What is the result of a bluejacking attack?
- First, the hacker scans his surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.
- When a message in this attack is sent with harmful intent, it might entice users to respond with an action, such as adding the new contact to the device's address book.
- Bluejacking exploits a basic Bluetooth feature that allows devices to send messages to contacts within range.
IPv6 improvements over IPv4
- Improved security: IPSec is required, so communicating partners can authenticate with each other
- More concise header, allowing faster processing of packets
- Much larger address space
Network Security Tools - Scanning tools
- Nessus: a vulnerability scanner
- Nmap: a discovery scanner
- NetFlow: probes and collectors that record network activity
ICMP Exploits
- Ping of Death
- ICMP redirect attacks
- Ping scanning
- Traceroute exploitation to map the network
Examples of Intrusion
- Remote root compromise
- Web server defacement
- Guessing / cracking passwords
- Copying, viewing sensitive data / databases
- Running a packet sniffer
- Distributing pirated software
- Using an unsecured modem to access the network
- Impersonating a user to reset a password
- Using an unattended workstation
The Attacker's Methodology
- Target Acquisition
- Target Analysis
- Target Access
- Target Appropriation
- Sustain Control
Fraggle attack
- Uses UDP instead of ICMP
- Sends a UDP packet to port 7, with the spoofed source IP address of the victim, to the broadcast address of a network
- The victim will be overwhelmed with responses
Recursive (Domain Name Service) DNS resolution
- When a client cannot translate a domain name itself, it sends a DNS request to its local DNS server using UDP
- The DNS server either responds by sending a UDP packet back to the client or, if it still doesn't know the IP address, sends another UDP packet to the next highest name server in the DNS hierarchy
- The higher level is usually the DNS server for the top-level domain (such as the DNS server for all .edu domains)
Role of the Network in IT Security
- As the target of attack
- As an enabler or a channel of attack; the channel role is of greater concern and is more common
- As a bastion of defense
The network is possibly the most valuable strategic asset in IT security.
What is a MAC Flooding attack?
- Takes advantage of the fixed size of the MAC address table by spoofing MAC addresses to the switch and overloading the table with fake addresses.
- The MAC address table is a table used by switches to direct traffic to the appropriate device based on MAC addresses.
What is a bluetooth buffer overflow attack?
Common application development mistakes that lead to buffer overflows include failing to allocate large enough buffers and neglecting to check for overflow conditions. This is especially problematic in C/C++, which have no built-in protection against buffer overflows. Consequently, C/C++ applications are often targets of buffer overflow attacks.
How to mitigate/protect against Bluebug attacks(Bluebugging)?
Keeping your Bluetooth device in "non-discoverable" mode makes the connection private so that hackers cannot break into your network. Tools such as BlueBugger and Bluediving exploit BlueBug vulnerabilities and allow such attacks to be carried out for penetration testing. If a user suspects this attack, a factory reset of the device will remove the backdoor and the attacker's unauthorized access.
OSI Layers
Layer 1 - Physical
Layer 2 - Data Link
Layer 3 - Network
Layer 4 - Transport
Layer 5 - Session
Layer 6 - Presentation
Layer 7 - Application
Acronym - Please Do Not Throw Sausage Pizza Away
4. Transport Layer
Links the session layer to the network layer. Performs packetization and reassembly. Establishes (virtual) connections:
- Connection oriented (TCP)
- Connectionless (UDP)
- Quality of Service (QoS)
TCP and UDP map data connections using port numbers:
- Well-known ports: ports 0 to 1023, assigned by IANA (Internet Assigned Numbers Authority)
- Registered ports: ports 1024 to 49151, which application developers can register with the IANA
- Dynamic or private ports: ports 49152 to 65535, which applications can use freely
Transmission Control Protocol (TCP)
Links the session layer to the network layer. Performs packetization and reassembly:
- Breaking up a large message into smaller packets
- Numbering the packets, and
- Reassembling them at the destination end
Ensures reliable delivery of packets.
Classes of intruders
Masquerader, misfeasor, clandestine user
A proxy server
Mediates communications between untrusted end points (servers/hosts/clients) and trusted end points (servers/hosts/clients). It may forward traffic from internal client machines to untrusted hosts on the Internet, creating the illusion for the untrusted host that the traffic originated from the proxy itself, thus hiding the trusted internal client from a potential attacker.
Mitigation/Defense for a buffer overflow attack
Requires secure development practices, including regular testing to detect and fix buffer overflows. Practices include automatic protection at the language level and bounds-checking at run time. Developers of C/C++ applications should avoid standard library functions that are not bounds-checked, such as gets, scanf and strcpy.
What happens when a MAC flooding attack happens?
Once the attacker has flooded the MAC address table, the switch is forced to broadcast all traffic to all devices on the network. This effectively gives the attacker access to all traffic on the network.
IP Address Spoofing
Packets are sent with an incorrect source IP address, forcing the victim to send its response to another host
- E.g. SYN attack
How to detect and prevent a MAC flooding attack?
Port security on switches, MAC address authentication, and security measures to prevent ARP and IP spoofing.
3. Network Layer - IP
The protocol used here is an unreliable protocol: it does not guarantee that packets arrive error-free or in the correct order. Reliability is left to higher layers.
5. Session Layer
Responsible for creating, managing, and tearing down sessions between peer hosts.
Transmission modes:
- Simplex: ->
- Half duplex: -><-
- Full duplex: <-- -->
Network Security Objectives
Same basic principles apply here!
Foundations (CIA):
- Confidentiality
- Integrity
- Availability
Access control:
- Accountability
- Auditability
Network Architecture - Network Partitioning
Segmenting networks into isolated domains of trust
Tunneling
Simply put, encapsulation of one protocol inside another
Firewalls
Software or hardware that filters incoming traffic and then either blocks it or allows it to pass through, based on a set of rules. Filtering is generally done based on the address and/or the service (port). Firewalls should be placed between entities that are in different trust domains.
Intrusion detection types
- Statistical: unlikely access time, unlikely location, etc.
- Protocol: unusual protocol and/or usage
- Traffic: really high fluctuation
TCP Sequence number attacks
TCP attack - Introduces fake packets into a TCP data stream after learning the sequence numbers through eavesdropping. Used for session hijacking.
SYN Scanning
TCP attack - Only the initial steps of the TCP handshake are performed, which makes the scan harder to detect.
FIN Scanning
TCP attack - Sends a request to close a connection to a specific port. If there is no application at that port, there is no response. If there is an app, it will respond.
- Null and XMAS scanning are variants
- XMAS: many flags turned on; can launch a DoS attack
Denial of Service (DOS) attack
TCP Attacks - SYN flooding
Transport Layer Addressing
TCP may serve several Application Layer protocols at the same time.
- Problem: which application layer program should a message be delivered to?
- Solution: port numbers located in TCP header fields; 2 bytes each (source, destination)
Standard port numbers - the numbers established by usual practice
Nonstandard port numbers - possible, but require configuration of TCP
Port numbers are 16-bit numbers (range from 0 to 65535).
Methodology of an Attack
The attack tree model (a defender's view of an attack)
What is a VLAN leaking attack?
The attacker forces a switch to redirect traffic from one VLAN to another by tricking the switch into acting as a trunk and broadcasting traffic.
What is the result of a VLAN leaking attack?
The attacker will have access to the traffic on a VLAN outside of the VLAN the attacker's device is on.
How do you protect/prevent a SNARF attack?
The easiest way to mitigate the effects of this attack is to disable Bluetooth on devices in public places and whenever it is not needed. Other than disabling Bluetooth, there is no foolproof way of preventing this attack. However, deactivating mobile discovery mode removes some level of susceptibility. Anti-SNARF tools may be configured to detect unauthorized Bluetooth connections between your device and others nearby. These can be found on SNARF resource websites.
How to detect and prevent a VLAN Leaking attack?
The predominant method to mitigate this attack is proper configuration of switches.
WEP (IEEE 802.11)
Wireless authentication/encryption. Two methods:
- Open System Authentication: provides identification based on the wireless adapter's MAC address only; not really authentication
- Shared Key Authentication: uses a standard challenge and response mechanism and a shared secret key
  -- Flawed technique: intercepting the challenge and response can be used to recover the key stream
Considered insecure and deprecated.
WPA (WiFi Protected Access)
Wireless authentication/encryption
- Uses Temporal Key Integrity Protocol (TKIP) for data encryption, which provides a higher level of assurance than WEP (AES)
- Vulnerability: small packets can be decrypted and arbitrary data can be injected
WPA2 (IEEE 802.11i)
Wireless authentication/encryption. Allows only authorized users to access a wireless network and supports stronger cryptography and authentication controls such as the Extensible Authentication Protocol (EAP).
Address Resolution Protocol (ARP)
A low-level network protocol for translating network layer addresses into data link layer addresses.
Dynamic Domain Name System (DDNS)
A protocol that defines extensions to the Domain Name System to enable DNS servers to accept requests to add, update, and delete entries in the DNS database dynamically.
OSI Reference Model
A reference model for how applications communicate over a network.
- A conceptual framework for understanding relationships.
- Its purpose is to guide vendors and developers so the digital communication products and software programs they create can interoperate, and to provide a clear framework that describes the functions of a networking or telecommunication system.
IPSec
A suite of protocols for communicating securely with IP by providing mechanisms for authentication and encryption. Mandatory with IPv6; optional in IPv4.
What are known Wireless Security Issues?
- 'Parking lot' attack
- SSID flaw
- Denial of Service (DoS) attack on target access points
- Man-in-the-middle de-authentication attacks through soft access points
- Hotspots
What is ARP Poisoning?
ARP Poisoning (also called ARP Spoofing) is an attack in which a malicious user sends falsified ARP messages over a LAN, resulting in the linking of the attacker's MAC address with the IP address of a legitimate host on the network.
Vulnerabilities in DNS
- A DNS server can respond to a recursive query with information that was not requested
- A DNS server does not authenticate the information it receives
There is no fully successful solution to these vulnerabilities:
- New versions of DNS servers ignore responses that are not the result of a query
- Efforts to introduce stronger authentication into DNS have not been very successful
So, higher-level layers will have to take care of these issues.
WPA2 with ____ encryption is currently the preferred encryption mode
AES
Secure Shell (SSH)
Allows users to log in to a remote computer over an encrypted tunnel. The ___ tunnel protects the integrity of communications, preventing session hijacking. Provides for strong authentication.
What is a SNARF Attack?
Also known as BlueSnarfing, this involves the theft of data from a wireless device that has a Bluetooth connection. The theft typically occurs without the victim's knowledge and may continue indefinitely if left undiscovered.
What is a Bluejacking attack?
An attacker initiates this attack by sending unsolicited messages to the user of a Bluetooth-enabled device. The actual messages do not cause harm to the user's device, but they may entice the user to respond in some fashion or add the new contact to the device's address book.
- Resembles spam and phishing attacks conducted against e-mail users.
- In order for this attack to work, the sending and receiving devices must be within 10 meters of each other.
Virtual Private Network (VPN)
An encrypted tunnel between two hosts that allows them to communicate securely over an untrusted network. Uses IPSec for authentication and confidentiality. Once connected, the user has all the privileges s/he would have if physically on the network to which the connection is made.
- So if access through this tunnel is compromised, the attacker will have full access to the network
1. Physical Layer
Analog vs. digital communications
Network topologies - bus, tree, mesh and star
Cabling - UTP/STP wiring, fiber optic
Wireless transmission
Mobile telephony
Active attacks
Attacks that modify or fake data
- Masquerade
- Replay
- Modification (falsification)
- Denial of service
Hard to prevent, so aim to detect.
Man-in-the-middle attacks
The attacker sniffs or intercepts packets and replaces them with his own
- Both sides of the communication would now be communicating with the attacker
- Countermeasures have to be executed at layer 3
How does a SNARF attack occur?
Bluetooth devices communicate with each other using a protocol called OBEX. Bluesnarfing takes advantage of security vulnerabilities in that protocol. The attacker scans for Bluetooth devices in public areas and pairs with devices without user consent via SNARF software. Once the OBEX protocol is compromised, the attacker can sync their system with the victim's device. They then gain access to files and other services available to the victim.
Network Security Tools - Scanners
- Discovery scanning
- Compliance scanning
- Vulnerability scanning
2. Data Link Layer
Ethernet - hubs, repeaters, bridges, switches
VLAN
Wireless LANs
_________________________ is the driving force behind the design of most network protocols
Fast access, not secure access
Network Architecture - Security Perimeter
First line of protection; generally includes firewalls, proxies, and IDS
How does a BlueBug Attack occur?
First, attackers make a Bluetooth pairing with the target device. The connection is then used to install a backdoor onto the device that allows for remote access to the system. Access through the backdoor can exploit vulnerabilities of the device. There is software readily available that can assist attackers in making this hack. This allows attackers to gain complete control over the data, voice, and messaging channels of mobile devices.
Network Architecture - Bastion Host
Gateway between trusted and untrusted network that gives limited authorized access to untrusted hosts
Network Architecture - Dual-Homed Hosts
Have two NICs, each on a separate network
Intruders
Hostile/unwanted trespass - from benign to serious
User trespass - unauthorized logon, privilege abuse
Software trespass - virus, worm, or trojan horse
Source Routing Exploitation
IP allows the sender to specify the route instead of leaving it to the routers
- Can be used with multi-homed systems to make packets move from one network to another without authorization
IP Spoofing
Inserts packets with a fake sender IP and a guessed sequence number. The attacker will not see the response to any inserted commands.
ICMP
Internet Control Message Protocol - Used for the exchange of control messages between hosts and gateways; used by commands such as ping and tracert.
Demilitarized Zone (DMZ)
Isolated subnet that allows an organization to give external hosts limited access to public resources, without granting them access to the internal network
What are the results of ARP Poisoning?
It allows a malicious attacker to intercept data frames, modify the traffic, or stop all flow of traffic on a local area network. Once the attacker begins receiving the packets meant for the victim, more attacks on the victim can begin such as Denial of Service attacks, Man in the Middle attacks, or Service hijacking attacks.
SSL VPNs advantages over IPSec
- The use of a proxy server allows restrictions on user access based on security policies
- Does not require VPN client software to be installed on the client system
IPv6 Security
There are two optional headers defined for security purposes:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
AH and ESP in this protocol support authentication, data integrity, and optionally confidentiality. AH conveys the authentication information in an IP packet, while ESP carries the encrypted data of the IP packet.
(Domain Name Service) DNS Weaknesses
This is a popular target of attack. By manipulating this service it is possible to divert, intercept, or prevent end user communication without having to attack any end devices.
- This service does not enforce data consistency and integrity
- Has weak authentication mechanisms
- Management of the globally distributed infrastructure is difficult
What is a BlueBug attack?
This is the most serious type of Bluetooth attack due to its advanced level of hacking, and it goes beyond bluejacking or bluesnarfing. If a hacker successfully infiltrates a device through this attack, the hacker then has the ability to access all information on the device. In addition, the hacker then possesses total control of the device as well.
IPv6
This protocol offers the following significant features:
- A dramatically larger address space, which is said to be sufficient for at least the next 30 years
- Globally unique and hierarchical addressing based on prefixes: keeps routing tables small and backbone routing efficient
- Class of service that distinguishes types of data
- Improved multicast routing support (in preference to broadcasting)
- Built-in authentication and encryption
Layer 2 Tunneling Protocol (L2TP)
This tunneling protocol does not provide encryption; it depends on IPSec to do that.
ICMPv6
This updated protocol performs error reporting, route discovery, and diagnostics, as well as conveying multicast group membership information and ARP.
- IGMP and ARP are thus not separate protocols/functions in IPv6
Neighbor discovery
- Neighbor discovery is a function in this protocol that enables a node to identify other hosts and routers on its links
What is the result of a bluetooth buffer overflow attack and what can happen?
This vulnerability can cause a system crash or create an entry point for a cyberattack. It can alter the execution path of the application by overwriting parts of its memory. The malicious extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked application that could result in unauthorized access to the system.
SSL/TLS VPN
Traditional VPNs cannot work with proxy servers (or are very difficult to make work).
- Uses SSL/TLS to create a tunnel to the organization's network
- SSL/TLS is actually at the presentation layer
- Remote users use a web browser to access applications on the organization's network
Session hijacking
Unauthorized insertion of packets into data stream
Dynamic Host Configuration Protocol (DHCP)
Used to issue IP addresses in a dynamic fashion. There is no authentication:
- A user can plug a computer into the network and get an IP address
- An intruder can give out IP addresses and other credentials (including the DNS address) by masquerading as a server of this protocol on the network
However, this protocol makes network administration easy and is hence popular.
SMURF Attack
Uses ICMP Echo requests to create DoS attacks
- Sends an ICMP echo request with a spoofed source IP (the IP of the victim) to a network's broadcast address, which forwards the packet to every host on the network
- The victim will be overwhelmed with responses
How to detect and prevent ARP Poisoning?
Using anti-ARP tools, authentication and data encoding, packet filters, static ARP entries, and VPNs.
Lightweight Directory Access Protocol(LDAP)
Usually a front end to a directory service like Active Directory
- Uses weak authentication based on host name resolution
- Communication on this protocol is transferred in clear text
Solution: use over SSL
Point to Point Tunneling Protocol (PPTP)
A VPN uses this protocol, running over other protocols (IPSec or SSL/TLS), to build the tunnel between end points
- Derives its encryption key from the user password and is thus weak
- v2 addresses some of the issues; however, it is still susceptible to password guessing attacks
VRRP
Virtual Router Redundancy Protocol
- If you want five-nines availability, critical routers cannot be single points of failure
- A protocol that allows automatic failover for routers
- A virtual router is configured and presented to the network
- The virtual router will have one primary router and at least one secondary router
- The primary router performs all of the routing on behalf of the virtual router
- If the primary router fails, the secondary router takes over
- Primary and secondary routers are often in separate data centers
Two types of WPA
WPA2 Personal - uses a pre-shared key (PSK), where every user is given the same passphrase
WPA2 Enterprise - uses an 802.1X authentication server, which distributes different keys to each user
RADIUS
An authentication protocol used for services requiring single sign-on for layer 3 network access; SSO support for IP-level access. Can be used for VPNs.
Passive attacks
Attacks that are eavesdropping
- Release of message contents
- Traffic analysis
Hard to detect, so aim to prevent.
A buffer overflow
Occurs when more data is put into a fixed-length buffer than the buffer can hold. The extra data, which has to go somewhere, can overflow into adjacent memory space, corrupting or overwriting the data held in that space.
Port scanning
Probing for TCP services on a machine.