BUS-S 538 Communications and Network Security


Problems with IPv4

- Address exhaustion
- Even with the use of CIDR, routing tables, primarily in the IP backbone routers, are growing too large to be manageable
- Traffic priority, or class of service, is vaguely defined, scarcely used, and not at all enforced in IPv4, but highly desirable for modern real-time applications
- The number of mobile data applications and devices grows quickly; this protocol has difficulty in managing forwarding addresses and in realizing visitor-location network authentication
- There is no direct security support in this protocol. Various open and proprietary security solutions cause interoperability concerns. As the internet becomes the fabric of everyday life in the new cyber space, security enhancement to the infrastructure should be placed in the basic IP protocol

What is the result of a bluejacking attack?

- First, the hacker scans his surroundings with a Bluetooth-enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices.
- When a message in this attack is sent with a harmful intent, it might entice users to respond with action to add the new contact to the device's address book.
- Bluejacking exploits a basic Bluetooth feature that allows devices to send messages to contacts within range.

IPv6 improvements over IPv4

- Improved security: IPSec is required; communicating partners can authenticate with each other
- More concise header: faster processing of packets
- Much larger address space

Network Security Tools - Scanning tools

- Nessus: A vulnerability scanner
- Nmap: A discovery scanner
- NetFlow: Probes and collects records of network activity

ICMP Exploits

- Ping of Death
- ICMP redirect attacks
- Ping scanning
- Traceroute exploitation to map the network

Examples of Intrusion

- Remote root compromise
- Web server defacement
- Guessing / cracking passwords
- Copying, viewing sensitive data / databases
- Running a packet sniffer
- Distributing pirated software
- Using an unsecured modem to access the network
- Impersonating a user to reset a password
- Using an unattended workstation

The Attacker's Methodology

- Target Acquisition
- Target Analysis
- Target Access
- Target Appropriation
- Sustain Control

Fraggle attack

- Uses UDP instead of ICMP
- Sends a UDP packet on port 7 with the spoofed IP address of the victim to the broadcast address of a network
- Victim will be overwhelmed with responses

Recursive (Domain Name Service) DNS resolution

- When a client cannot translate a domain name itself, it sends a DNS request to its local DNS server using UDP
- The DNS server either responds by sending a UDP packet back to the client or, if it still doesn't know the IP address, it sends another UDP packet to the next highest name server in the DNS hierarchy
- The higher level is usually the DNS server at the top level domain (such as the DNS server for all .edu domains)

Role of the Network in IT Security

- As the target of attack
- As an enabler or a channel of attack (the network as a channel is of greater concern and is more common)
- As a bastion of defense

The network is possibly the most valuable strategic asset in IT security

What is a Mac Flooding attack?

- Takes advantage of the fixed size of the MAC address table by spoofing MAC addresses to the switch and overloading the table with fake addresses.
- The MAC address table is a table used by switches to direct traffic to the appropriate device based on MAC addresses

What is a bluetooth buffer overflow attack?

Common application development mistakes that can lead to buffer overflow include failing to allocate large enough buffers and neglecting to check for overflow problems. This is especially problematic with C/C++, which have no built-in protection against buffer overflows. Consequently, C/C++ applications are often targets of buffer overflow attacks.

How to mitigate/protect against Bluebug attacks(Bluebugging)?

Keeping your Bluetooth device in "non-discoverable" mode makes the connection private so that hackers cannot break into your network. Tools such as BlueBugger and Bluediving exploit BlueBug vulnerabilities and allow for implementation of attacks for penetration testing. If a user suspects this attack, a factory reset of the device will remove the backdoor and the unauthorized access by the attacker.

OSI Layers

- Layer 1 - Physical
- Layer 2 - Data Link
- Layer 3 - Network
- Layer 4 - Transport
- Layer 5 - Session
- Layer 6 - Presentation
- Layer 7 - Application

Acronym: Please Do Not Throw Sausage Pizza Away

4. Transport Layer

Links the session layer to the network layer. Performs packetization and reassembly. Establishes (virtual) connections:
- Connection oriented (TCP)
- Connectionless (UDP)
- Quality of Service (QoS)

TCP and UDP map data connections using port numbers:
- Well known ports - ports 0 to 1023, assigned by IANA (Internet Assigned Numbers Authority)
- Registered ports - ports 1024 to 49151, can be registered by application developers with the IANA
- Dynamic or private ports - ports 49152 to 65535, can be freely used by applications

Transmission Control Protocol (TCP)

Links the session layer to the network layer. Performs packetization and reassembly:
- Breaking up a large message into smaller packets
- Numbering the packets
- Reassembling them at the destination end
- Ensures reliable delivery of packets

Classes of intruders

Masquerader, misfeasor, clandestine user

A proxy server

Mediates communications between untrusted end points (servers/hosts/clients) and trusted end points (servers/hosts/clients). It may forward traffic from internal client machines to untrusted hosts on the Internet, creating the illusion for the untrusted host that the traffic originated from the proxy, thus hiding the trusted internal client from potential attackers

Mitigation/Defense for a buffer overflow attack

Secure development practices are needed, including regular testing to detect and fix buffer overflows. Practices include automatic protection at the language level and bounds-checking at run-time. Developers of C/C++ applications should avoid standard library functions that are not bounds-checked, such as gets, scanf and strcpy.

What happens when a MAC flooding attack happens?

Once the attacker has flooded the MAC address table, the switch is forced to broadcast all traffic to all devices on the network. This effectively gives the attacker access to all traffic on the network.

IP Address Spoofing

Packets are sent with an incorrect source IP address, forcing the victim to send the response to another host
- E.g. SYN attack

How to detect and prevent a MAC flooding attack?

Port Security on Switches, MAC address authentication, Security measures to prevent ARP and IP spoofing.

3. Network Layer - IP

The protocol used here is an unreliable protocol: it does not guarantee that packets arrive error free or in the correct order
- Reliability is left to higher layers

5. Session Layer

Responsible for creating, managing, and tearing down sessions between peer hosts

Transmission modes:
- Simplex: ->
- Half duplex: -><-
- Full duplex: <-- -->

Network Security Objectives

Same basic principles apply here!

Foundations (CIA)
- Confidentiality
- Integrity
- Availability

Access control
- Accountability
- Auditability

Network Architecture - Network Partitioning

Segmenting networks into isolated domains of trust

Tunneling

Simply put, encapsulation of one protocol inside another

Firewalls

Software or hardware that filters incoming traffic and then either blocks it or allows it to pass through, based on a set of rules
- Filtering is generally done based on the address and/or the service (port)
- They should be placed between entities that have different trust domains

Intrusion detection types

- Statistical: Unlikely access time, unlikely location, etc.
- Protocol: Unusual protocol and/or usage
- Traffic: Really high fluctuation

TCP Sequence number attacks

TCP attack - Introduce fake packets into a TCP data stream by finding out sequence numbers through eavesdropping. Used for session hijacking

SYN Scanning

TCP attack - Only the initial steps of the TCP handshake are performed. Makes the scan harder to detect

FIN Scanning

TCP attack - Send a request to close a connection to a specific port. If there is no application at that port, there is no response. If there is an app, it will respond
- Null and XMAS scanning are variants
- XMAS: Many flags turned on; can launch a DoS attack

Denial of Service (DOS) attack

TCP Attacks - SYN flooding

Transport Layer Addressing

TCP may serve several Application Layer protocols at the same time
- Problem: Which application layer program to send a message to?
- Solution: Port numbers located in TCP header fields; 2 bytes each (source, destination)

Standard port numbers - usual practice numbers
Nonstandard port numbers - possible, but requires configuration of TCP
- 16 bit numbers (range from 0 to 65535)

Methodology of an Attack

The attack tree model (A defenders view of an attack)

What is a VLAN leaking attack?

The attacker forces a switch to redirect traffic from one VLAN to another by tricking the switch into acting as a trunk and broadcasting traffic.

What is the result of a VLAN leaking attack?

The attacker will have access to the traffic on a VLAN outside of the VLAN the attacker's device is on.

How do you protect/prevent a SNARF attack?

The easiest way to mitigate the effects of this attack is to disable Bluetooth on devices in public places and when it is not needed. Other than disabling Bluetooth, there is no foolproof way of preventing this attack. However, deactivating mobile discovery mode removes some level of susceptibility. Anti-SNARF tools may be configured to detect unauthorized Bluetooth connection between your device and others nearby. These can be found on SNARF resource websites.

How to detect and prevent a VLAN Leaking attack?

The predominant method to mitigate this attack is through proper configuration of switches.

WEP (IEEE 802.11)

Wireless Auth/Encryption. Two methods:
- Open System Authentication: Provides identification based on the wireless adapter's MAC address only; not really authentication
- Shared Key Authentication:
  -- Uses a standard challenge and response mechanism and a shared secret key
  -- Flawed technique: Intercepting the challenge and response can be used to recover the key stream

Considered insecure and deprecated

WPA (WiFi Protected Access)

Wireless Authentication/Encryption
- Uses Temporal Key Identity Protocol (TKIP) for data encryption that provides a higher level of assurance than WEP (AES)
- Vulnerability: Small packets can be decrypted and arbitrary data can be injected

WPA2 (IEEE 802.11i)

Wireless Authentication/Encryption. Allows only authorized users to access a wireless network and supports stronger cryptography and authentication controls like the Extensible Authentication Protocol (EAP)

Address Resolution Protocol (ARP)

A low-level network protocol for translating network layer addresses into data link layer addresses

Dynamic Domain Name System (DDNS)

A protocol that defines extensions to the Domain Name System to enable DNS servers to accept requests to add, update, and delete entries in the DNS database dynamically

OSI Reference Model

A reference model for how applications communicate over a network.
- A conceptual framework for understanding relationships.
- The purpose is to guide vendors and developers so the digital communication products and software programs they create can inter-operate, and to facilitate a clear framework that describes the functions of a networking or telecommunication system.

IPSec

A suite of protocols for communicating securely with IP by providing mechanisms for authentication and encryption
- Mandatory with IPv6; optional in IPv4

What are known Wireless Security Issues?

- 'Parking lot' attack
- SSID flaw
- Denial of Service (DoS) attack on target access points
- Man-in-the-middle de-authentication attacks through soft access points
- Hotspots

What is ARP Poisoning?

(Also called ARP spoofing) An attack in which a malicious user sends falsified ARP messages over a LAN, resulting in the linking of an attacker's MAC address with the IP address of a legitimate host on the network.

Vulnerabilities in DNS

- A DNS server can respond to a recursive query with information that was not requested
- A DNS server does not authenticate information received
- There is no fully successful solution to these vulnerabilities
  - New versions of DNS servers ignore responses that are not the result of a query
  - Efforts to introduce stronger authentication into DNS have not been very successful
- So, higher level layers will have to take care of these issues

WPA2 with ____ encryption is currently the preferred encryption mode

AES

Secure Shell (SSH)

Allows users to log in to a remote computer over an encrypted tunnel
- The ___ tunnel protects the integrity of communications, preventing session hijacking
- Provides for strong authentication

What is a SNARF Attack?

Also known as BlueSnarfing, it involves the theft of data from a wireless device having a Bluetooth connection. This theft typically occurs without the victim's knowledge and may continue indefinitely if left undiscovered.

What is a Bluejacking attack?

An attacker initiates this attack by sending unsolicited messages to the user of a Bluetooth-enabled device. The actual messages do not cause harm to the user's device, but they may entice the user to respond in some fashion or add the new contact to the device's address book.
- Resembles spam and phishing attacks conducted against e-mail users.
- In order for this attack to work, the sending and receiving devices must be within 10 meters distance.

Virtual Private Network (VPN)

An encrypted tunnel between two hosts that allows them to securely communicate over an untrusted network
- Uses IPSec for authentication and confidentiality
- Once connected, the user has all privileges as though s/he were physically on the network to which the connection is made
- So if access through this tunnel is compromised, the attacker will have full access to the network

1. Physical Layer

- Analog vs. digital communications
- Network topologies - bus, tree, mesh and star
- Cabling - UTP/STP wiring, fiber optic
- Wireless transmission
- Mobile telephony

Active attacks

Attack that modifies/fakes data
- Masquerade
- Replay
- Modification (falsification)
- Denial of service
- Hard to prevent, so aim to detect

Man-in-the-middle attacks

Attacker sniffs or intercepts packets and replaces them with his own
- Both sides of the communication would now be communicating with the attacker
- Countermeasures have to be executed at layer 3

How does a SNARF attack occur?

Bluetooth devices communicate with each other using a protocol called OBEX. Bluesnarfing takes advantage of security vulnerabilities in that protocol. The attacker scans for Bluetooth devices in public areas and pairs with devices without user consent via SNARF software. Once the OBEX protocol is compromised, the attacker can sync their system with the victim's device. They then gain access to files and other services available to the victim.

Network Security Tools - Scanners

- Discovery scanning
- Compliance scanning
- Vulnerability scanning

2. Data Link Layer

- Ethernet - hubs, repeaters, bridges, switches
- VLAN
- Wireless LANs

_________________________ is the driving force behind the design of most network protocols

Fast access, not secure access

Network Architecture - Security Perimeter

First line of protection; generally includes firewalls, proxies, and IDS

How does a BlueBug Attack occur?

First, attackers make a Bluetooth pairing with the target device. The connection is then used to install a back door onto the device that allows for remote access to the system. Access through the backdoor can exploit vulnerabilities of the device. Software is readily available that can assist attackers in making this hack. This allows attackers to gain complete control over the data, voice, and messaging channels of mobile devices.

Network Architecture - Bastion Host

Gateway between trusted and untrusted network that gives limited authorized access to untrusted hosts

Network Architecture - Dual-Homed Hosts

Have two NICs, each on a separate network

Intruders

Hostile/unwanted trespass - from benign to serious
- User trespass - unauthorized logon, privilege abuse
- Software trespass - virus, worm, or trojan horse

Source Routing Exploitation

IP allows the sender to specify the routing instead of leaving it to the router
- Can use multi-homed systems to make packets move from one network to another without authorization

IP Spoofing

Insert packets with a fake sender IP and a guessed sequence number. The attacker will not see the response to any inserted commands

ICMP

Internet Control Message Protocol - used for the exchange of control messages between hosts and gateways; used by commands such as ping and tracert

Demilitarized Zone (DMZ)

Isolated subnet that allows an organization to give external hosts limited access to public resources, without granting them access to the internal network

What are the results of ARP Poisoning?

It allows a malicious attacker to intercept data frames, modify the traffic, or stop all flow of traffic on a local area network. Once the attacker begins receiving the packets meant for the victim, more attacks on the victim can begin such as Denial of Service attacks, Man in the Middle attacks, or Service hijacking attacks.

SSL VPNs advantages over IPSec

- The use of a proxy server allows restrictions on user access based on security policies
- Does not require VPN client software to be installed on the client system

IPv6 Security

There are two optional headers defined for security purposes:
- Authentication Header (AH)
- Encapsulated Security Payload (ESP)

AH and ESP in this protocol support authentication, data integrity, and optionally confidentiality. AH conveys the authentication information in an IP package, while ESP carries the encrypted data of the IP package.

(Domain Name Service) DNS Weaknesses

This is a popular target of attack. By manipulating this service it is possible to divert, intercept, or prevent end user communication without having to attack any end devices
- This service does not enforce data consistency and integrity
- Has weak authentication mechanisms
- Management of the globally distributed infrastructure is difficult

What is a BlueBug attack?

This is the most serious type of Bluetooth attack due to its advanced level of hacking, and it goes beyond bluejacking or bluesnarfing. If a hacker successfully infiltrates a device through this attack, the hacker then has the ability to access all information on the device. In addition, the hacker then possesses total control of the device as well.

IPv6

This protocol offers the following significant features:
- A dramatically larger address space, which is said to be sufficient for at least the next 30 years
- Globally unique and hierarchical addressing based on prefixes: keeps routing tables small and backbone routing efficient
- Class of service that distinguishes types of data
- Improved multicast routing support (in preference to broadcasting)
- Built-in authentication and encryption

Layer 2 Tunneling Protocol (L2TP)

This tunneling protocol does not provide encryption; it depends on IPSec to do that

ICMPv6

This updated protocol performs error reporting, route discovery, and diagnostics as well as conveying multicast group membership information and ARP
- IGMP and ARP are thus not separate protocols/functions in IPv6

Neighbor discovery
- Neighbor discovery is a function in this protocol that enables a node to identify other hosts and routers on its links

What is the result of a bluetooth buffer overflow attack and what can happen?

This vulnerability can cause a system crash or create an entry point for a cyberattack. It can alter the execution path of the application by overwriting parts of its memory. The malicious extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked application that could result in unauthorized access to the system.

SSL/TLS VPN

- Traditional VPNs cannot work with proxy servers (or it is very difficult to make them work)
- Uses SSL/TLS to create a tunnel to the organization network
- SSL/TLS is actually at the presentation layer
- Remote users use a web browser to access applications on the organization network

Session hijacking

Unauthorized insertion of packets into data stream

Dynamic Host Configuration Protocol (DHCP)

Used to issue IP addresses in a dynamic fashion. There is no authentication:
- A user can plug a computer into the network and get an IP address
- An intruder can give out IP addresses and other credentials (including the DNS address) by masquerading as this server on the network

However, this protocol makes network administration easy and is hence popular

SMURF Attack

Uses ICMP Echo requests to create DoS attacks
- Send an ICMP echo request with a spoofed source IP (IP of the victim) to a network's broadcast address, which will forward the packet to every host on the network
- Victim will be overwhelmed with responses

How to detect and prevent ARP Poisoning?

Using anti-ARP tools, authentication and data encoding, packet filters, using static ARP, using VPNs.

Lightweight Directory Access Protocol (LDAP)

Usually a front end to a directory service like Active Directory
- Uses weak authentication based on host name resolution
- Communication on this protocol is transferred in clear text

Solution: Use over SSL

Point to Point Tunneling Protocol (PPTP)

A VPN uses this protocol running over other protocols (IPSec or SSL/TLS) to build the tunnel between end points
- Derives its encryption key from the user password and is thus weak
- v2 addresses some of the issues; however, it is still susceptible to password guessing attacks

VRRP

Virtual Router Redundancy Protocol
- If you want five 9s availability, critical routers cannot be single points of failure
- A protocol that allows automatic failover for routers
- A virtual router is configured and presented to the network
- The virtual router will have one primary router and at least one secondary router
- The primary router performs all of the routing on behalf of the virtual router
- If the primary router fails, the secondary router takes over
- Primary and secondary routers are often in separate data centers

Two types of WPA

- WPA2 Personal - uses a pre-shared key (PSK), where every user is given the same passphrase
- WPA2 Enterprise - uses an 802.1X authentication server, which distributes different keys to each user

RADIUS

An authentication protocol used for services requiring single sign-on for layer 3 network access. SSO support for IP level access. Can be used for VPNs.

Passive attacks

Attacks that are eavesdropping
- Release of message contents
- Traffic analysis
- Hard to detect, so aim to prevent

A buffer overflow

Occurs when more data is put into a fixed-length buffer than the buffer can handle. The extra information, which has to go somewhere, can overflow into adjacent memory space, corrupting or overwriting the data held in that space.

Port scanning

Probing for TCP services on a machine
