
Prasad Kularatne

Apply the knowledge of the TCP/IP stack to understand basic network security architectures

We will start by understanding the types of basic network security vulnerabilities that exist at each layer of the TCP/IP stack
We will discuss common defences available for those
We will end with a discussion of how defence mechanisms are typically deployed in a network

Networked systems have a higher degree of exposure and threat than non-networked systems.

Risk = [Threat * Exposure * Vulnerability] * [Cost of consequence]

Exposure: Probability a vulnerability is exposed to an attack
Threat: Probability of an attack
Vulnerability: Probability of an exploitable vulnerability
Consequence: Cost of a successful attack

Some terms
Spoofing: act of impersonating a trusted user
Flooding: act of continuously sending packets to a target with the objective of bringing down one or more of its critical services
Masquerading: act of concealing network addresses where they need not be known
Sniffing: act of passively intercepting network traffic that is not intended for you
Snooping: unauthorized access to another person's or company's


Layered approach
As we learnt, the OSI layered architecture is the cornerstone of understanding networked systems
In the same way, securing networked systems can be better understood in relation to the OSI model
We will examine the vulnerabilities posed at each layer and how to defend against them

Physical Layer
Physical theft or damage of data and hardware
Hijacking of video surveillance systems
Undetectable interception of data
Detection of typing patterns
Social engineering: use of psychological weaknesses of human beings to get at the credentials
Signal disruption for wireless networks through deliberate EM interference, e.g. a microwave oven and a wireless LAN both operate at 2.4 GHz

Defending the Physical Layer
Electronic lock mechanisms for logging & detailed
PIN & password secured locks
Biometric authentication schemes
Video & audio surveillance with necessary intrusion prevention
Electromagnetic shielding: prevent interference, prevent use of EM radiation for intrusion
Analysis of the wireless environment for possible


Data Link Layer
ARP vulnerabilities (MAC-based vulnerabilities): ARP spoofing (ARP cache poisoning), MAC flooding
VLAN attacks: VLAN hopping, where the attacker spoofs a legitimate switch: switch spoofing and double tagging
Spanning Tree attacks: the attacker becomes the root bridge by advertising a lower Bridge ID

ARP Spoofing
What is Gratuitous ARP? A request by a network node that causes other nodes to update an ARP cache entry in their table
Source: Cisco Presentation Network attacks and mitigation by Krzysztof Zygis

MAC Flooding attacks
What is a CAM table? A table maintained by an L2 Ethernet switch that holds the MAC addresses and VLAN parameters for each switch port
Source: Cisco Presentation Network attacks and mitigation by Krzysztof Zygis

VLAN Hopping attacks
The hacker spoofs a switch by emulating a trunk port
The hacker then becomes a member of all VLANs
A trunk port carries traffic belonging to all VLANs
The hacker can access devices in any VLAN!

Source: Cisco Presentation Hacking the L-2: Fun with Ethernet switches by Sean Convery

STP attacks
The hacker takes control of the spanning tree by becoming the root bridge

Defending the Data Link Layer
Countering ARP attacks: use static ARP caches; bind MAC addresses to the port of the switch
VLANs should not be relied on to enforce security
Different security segments should be protected using firewalls, or at least switch- or router-level access lists
Disable the feature that allows a switch to automatically trunk itself with another without any security control
Enable Spanning Tree Protocol attack mitigation: BPDU Guard, Root Guard
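
As an added illustration of the ARP and MAC flooding countermeasures above (example code, not from the slides), the monitor below keeps a static IP-to-MAC binding table for trusted addresses, in the spirit of a static ARP cache, and counts source MACs per switch port, in the spirit of binding MACs to ports; it alerts when a gratuitous ARP conflicts with a binding or a port exceeds its MAC limit. The frame log, port names, addresses and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed frame log for this example: (seconds, switch port, source MAC, ARP sender IP or None).
# Gi1/2 and Gi1/3 behave normally; the host on Gi1/4 first sends a gratuitous ARP claiming the
# gateway's IP (cache poisoning), then sends frames from many source MACs (CAM table flooding).
FRAMES = [
    (0.0, "Gi1/2", "00:aa:00:00:00:02", "192.168.1.20"),
    (0.1, "Gi1/3", "00:aa:00:00:00:03", "192.168.1.30"),
    (1.0, "Gi1/4", "00:aa:00:00:00:04", "192.168.1.1"),
    (2.0, "Gi1/4", "00:aa:00:00:00:05", None),
    (2.1, "Gi1/4", "00:aa:00:00:00:06", None),
    (2.2, "Gi1/4", "00:aa:00:00:00:07", None),
]

# Static bindings an operator would pre-load, mirroring a static ARP cache entry for the gateway.
STATIC_BINDINGS = {"192.168.1.1": ("00:aa:00:00:00:01", "Gi1/1")}


class L2Monitor:
    """Tracks IP->(MAC, port) bindings and the set of source MACs seen on each port."""

    def __init__(self, static_bindings, max_macs_per_port=2):
        self.bindings = dict(static_bindings)   # static entries are never overwritten
        self.port_macs = defaultdict(set)
        self.max_macs = max_macs_per_port       # like a port-security "maximum" on a switch

    def observe(self, ts, port, mac, arp_ip):
        alerts = []
        self.port_macs[port].add(mac)
        seen = len(self.port_macs[port])
        if seen > self.max_macs:
            alerts.append(f"t={ts}: {port} has {seen} source MACs, CAM table flooding suspected")
        if arp_ip is not None:
            known = self.bindings.get(arp_ip)
            if known is None:
                self.bindings[arp_ip] = (mac, port)   # first claim for an unknown IP: learn it
            elif known != (mac, port):
                alerts.append(f"t={ts}: {arp_ip} claimed by {mac} on {port} "
                              f"but bound to {known[0]} on {known[1]}, ARP spoofing suspected")
        return alerts


def run_monitor(frames, static_bindings=STATIC_BINDINGS):
    """Replay a frame log through the monitor and return every alert raised, in order."""
    mon = L2Monitor(static_bindings)
    alerts = []
    for frame in frames:
        alerts.extend(mon.observe(*frame))
    return alerts


if __name__ == "__main__":
    for line in run_monitor(FRAMES):
        print(line)
```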

Network Layer
Most IP routers have only elementary-level security
Two peers may exchange routing information securely, but there is no means to validate routes that may have propagated from untrusted parts of the network.

Attacks to Routers
Password attacks
Buffer overflow & Denial of Service
IP spoofing attacks: the attacker forwards packets to a computer with the source address of a trusted system
Many network services use IP address based authentication; if the IP address is spoofed, the services are vulnerable

IP Spoofing
The attacker generates packets with the source address of Victim X
Victim V sends responses, and they reach the actual source address according to the network, which is Victim X
Victim X, knowing that it didn't initiate such a connection, discards the packets
By continuously doing this the attacker can keep both Victim X and Victim V busy, which may lead to Denial of Service
Diagram Source: TCP/IP Security attacks by Raj Jain, 2007

IP Spoofing + Guessing SN
Spoofing the IP and successfully guessing the TCP sequence number of an ongoing communication may allow an attacker to communicate with a secure host unauthenticated
Acquire a target
Acquire an IP address of a trusted machine
Disable communication of the trusted machine (e.g. SYN flooding)
Sample a communication between the target and trusted hosts
Guess the sequence numbers of the trusted machine
Modify the packet headers so that it appears that the packets are coming from the trusted host with an acceptable sequence number
Establish the connection to the target.

Defending Network Layer
Route policy filters: use strict anti-spoofing and route filters at network edges
Firewalls with strong filters (we will discuss this in detail later)
Good password policy on routers
Install the latest security fixes
Shut down unused services in routers
Restrict access to routers
Authenticity and confidentiality at the network layer: IPSec protocol

Transport Layer: Attacks
Mostly tries to exploit the known behaviour of the transport layer: TCP connection establishment and sequence numbering, TCP connection reset, TCP options and their behaviour
TCP port scanning: almost always done by a hacker as preparation for an attack (what services can I exploit on my attack target?)
OS fingerprinting: there are slight variations of TCP implementations between OSs; detect these variations through TCP interactions and deduce the OS

TCP Port Scanning

Transport Layer: Attacks
TCP session hijacking (connection spoofing): first spoof a trusted IP (victim) via IP spoofing; determine the TCP sequence number of the ongoing interaction (victim and attack target); flood the victim; enjoy a TCP session with your attack target
DoS attacks: SYN flood, ACK flood, RST attacks etc.

TCP Session Hijacking
The attacker may include malicious commands in the DATA sent to the server, possibly causing it to crash or send out sensitive information
Diagram Source: Introduction to Network Security, Dr. Doug Jacobson, 2009

SYN Flood
For each SYN received by Victim V from the attacker (it thinks it comes from trusted Victim X), it allocates buffer space and an entry in the connection table
Continuously sending these bogus SYN packets may compromise Victim V
Diagram Source: TCP/IP Security attacks by Raj Jain, 2007

RST Attack

Source: Introduction to Network Security, Dr. Doug Jacobson, 2009

Defending Transport Layer
SYN flood attacks: use a SYN proxy. Before committing resources for the received SYN, let a proxy decide whether the connection will actually be established. Most OSs support this today and it can be enabled as a network option
Clean up half-open connections
TCP session hijacking: generate the TCP Initial Sequence Number (ISN) in an unpredictable way
Confidentiality at the transport layer: SSL and TLS
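
To show what an unpredictable ISN means in practice, here is an added example (not from the slides) contrasting a legacy clock-only ISN with a keyed one in the style of RFC 6528, where the ISN is a 4-microsecond clock plus a secret-keyed hash of the connection 4-tuple. The addresses, the fixed test clock and secret, and the use of HMAC-SHA256 in place of the RFC's MD5 are assumptions of the example.

```python
import hashlib
import hmac
import os
import time

TICKS_PER_SECOND = 250_000          # RFC 6528 clock: one tick every 4 microseconds
MASK32 = 0xFFFFFFFF


def legacy_isn(clock):
    """Clock-only ISN (the classic BSD scheme): every connection opened at the same
    instant gets the same ISN, so one observed connection reveals the next one's."""
    return clock() & MASK32


class KeyedIsnGenerator:
    """ISN = M + F(local ip, local port, remote ip, remote port, secret) mod 2^32.
    M is the 4-microsecond clock; F is a keyed hash truncated to 32 bits. Without the
    secret an observer cannot compute F, so other connections' ISNs stay unpredictable."""

    def __init__(self, secret=None, clock=None):
        # Fresh per-boot secret (assumed 32 random bytes); a fixed clock may be injected for tests.
        self.secret = secret if secret is not None else os.urandom(32)
        self.clock = clock or (lambda: int(time.monotonic() * TICKS_PER_SECOND))

    def isn(self, lip, lport, rip, rport):
        four_tuple = f"{lip}:{lport}->{rip}:{rport}".encode()
        digest = hmac.new(self.secret, four_tuple, hashlib.sha256).digest()
        f_value = int.from_bytes(digest[:4], "big")   # HMAC-SHA256 stands in for the RFC's MD5
        return (self.clock() + f_value) & MASK32


def compare_schemes(clock_value=123_456):
    """Open two connections to different peers at the same clock value under both schemes.
    Returns (legacy_a, legacy_b, keyed_a, keyed_b): the legacy pair collides, the keyed pair does not."""
    def fixed_clock():
        return clock_value

    gen = KeyedIsnGenerator(secret=b"\x01" * 32, clock=fixed_clock)   # constructed test secret
    legacy_a = legacy_isn(fixed_clock)
    legacy_b = legacy_isn(fixed_clock)
    keyed_a = gen.isn("10.0.0.5", 443, "198.51.100.7", 40000)
    keyed_b = gen.isn("10.0.0.5", 443, "203.0.113.9", 40000)
    return legacy_a, legacy_b, keyed_a, keyed_b


if __name__ == "__main__":
    print(compare_schemes())
```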

Defending Transport Layer Contd
Strict firewall rules: limit access to specific transmission protocols and sub-protocol information (TCP/UDP port number or ICMP type)
Stateful inspection at the firewall layer, preventing out-of-state packets and illegal flags from entering the perimeter.

What is a Firewall?
A wall that stops or slows the progress of fire, providing protection at the boundary
A security boundary between networks of differing trust and security levels, enforcing a network-level access control policy
Un-bypassable, tamperproof, analyzable
Makes decisions to allow or disallow passage of packets according to a specified firewall policy
Control point where security/audit can be imposed
Limit exposure
Partition the network (security domains)
Minimize damage

Firewall policies
Firewall policy is defined in line with your security
How should I control? Specify a set of rules the firewall should apply to incoming and outgoing traffic

Types of firewalls
Packet filters: packet-by-packet inspection (stateless) on source/destination IP, protocol and, if TCP/UDP, source/destination port
Stateful inspection firewalls: inspect TCP flags to determine the connection state
Application proxies: terminate and re-establish the connection; examine beyond TCP and IP header information; filter the content sent in the payload
Personal firewalls: protection for end points

Firewall configuration
Determine trust zones
Determine ports that need opening
Determine packet type (TCP/UDP)
Determine direction of packet flow
Determine any limitations you can set on src/dst
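
As an added example (not from the slides) tying together the stateless packet filter, the stateful inspection described under Defending Transport Layer, and the configuration steps above: a small filter with two trust zones (inside/outside), an inbound port policy, interface-based anti-spoofing, rejection of illegal flag combinations, and a connection table that drops out-of-state packets. The networks, addresses, ports and flag sets are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed policy for the example: one internal zone and one server reachable from outside.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_INBOUND = {("10.0.0.5", 443)}        # (destination IP, TCP port) open to the outside zone

# A TCP packet as the filter sees it; iface is the zone it arrived from, flags a set of flag names.
Packet = namedtuple("Packet", "iface src sport dst dport flags")

# Flag combinations that never occur in legitimate TCP: NULL, SYN+FIN, "Xmas" (FIN+PSH+URG).
ILLEGAL_FLAGS = [frozenset(), frozenset({"SYN", "FIN"}), frozenset({"FIN", "PSH", "URG"})]


class StatefulFirewall:
    def __init__(self):
        self.conns = set()   # (src, sport, dst, dport) of connections that began with a valid SYN

    def stateless_check(self, p):
        """Packet-by-packet rules: interface anti-spoofing and flag sanity. Returns a drop reason or None."""
        src = ipaddress.ip_address(p.src)
        if p.iface == "outside" and src in INSIDE_NET:
            return "drop: internal source address arriving from outside"
        if p.iface == "inside" and src not in INSIDE_NET:
            return "drop: non-internal source address leaving inside"
        if frozenset(p.flags) in ILLEGAL_FLAGS:
            return "drop: illegal flag combination"
        return None

    def filter(self, p):
        """Stateful decision: new connections must start with a bare SYN and pass the port policy;
        everything else must belong to a connection already in the table."""
        reason = self.stateless_check(p)
        if reason:
            return reason
        flags = set(p.flags)
        if flags == {"SYN"}:
            if p.iface == "outside" and (p.dst, p.dport) not in ALLOWED_INBOUND:
                return "drop: port not open to outside"
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "accept: new connection"
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            if "RST" in flags or "FIN" in flags:   # simplified teardown: real trackers wait for both FINs
                self.conns.discard(fwd)
                self.conns.discard(rev)
            return "accept: established"
        return "drop: out-of-state packet"
```

A stateless packet filter with the same port rules would pass the lone ACK in the tests below, since it matches an open port; only the connection table catches it.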

Advanced Firewall capabilities
Authentication & access control
Deep packet inspection
Network Address Translation
Load balancing (among Internet servers)
Redundancy and fail-over
Virtual Private Networks: use traffic encryption to obtain services equivalent to a dedicated link over the Internet; require high levels of confidentiality, integrity, and authentication of communicating parties; may use IPSec, PPTP, L2TP or other methods

Firewall Challenges
Firewalls are not the ultimate solution
Attacks/intrusions through legitimate traffic
Software bugs and misconfiguration
Insider threats
Phishing attacks, browser exploits
Threats from compromised mobile devices (laptops)
Social engineering: exploits ignorance, insecurity and fear of people; an increasingly common psychological technique

Network Security design practices
Segmenting the network: different network segments/zones for different apps, so that threats may not grow to unmanageable proportions
Good defence at the perimeter
Powerful defence at the entrance to each segment
HIPS: intrusion prevention at each desktop and server
Network containment: keep the network simple and within known extents
Wireless environments

Network Segmentation example

Source: Practical Network Security, Linkoping University, 2007

Network Containment

Source: Practical Network Security, Linkoping University, 2007