
Introduction

Network Security

The Internet is a packet switched network, meaning that data is sent in discrete chunks known as packets. In contrast, the traditional telephone system is a circuit switched network: for each telephone call, a dedicated circuit with dedicated bandwidth is established between the end points. Packet switched networks can make more efficient use of the available bandwidth, though there is some additional complexity involved, and things get particularly involved if circuit-like behaviour is required.

Protocols can be classified in many different ways, but one classification that is particularly relevant to security is stateless versus stateful. Stateless protocols don't remember anything, while stateful protocols do have some memory. Many security problems are related to state.

Figure: A small network

TCP/IP Model
The Internet is based on the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. The TCP/IP protocol suite contains five main layers:
o application,
o transport,
o network (or Internet),
o data link and
o physical.

Unlike the OSI model, TCP/IP has no presentation and session layers. The data unit initially created at the application layer (i.e. by an application such as e-mail or a Web browser) is called a message. A message is broken down into segments by the transport layer. Note that the transport layer of TCP/IP contains two protocols: the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP is the more commonly used of the two.

Figure: Layers in the TCP/IP protocol suite. Note that the presentation and session layers are not present in TCP/IP, but are shown for comparison of TCP/IP with the OSI model.

The transport layer then adds its own header to the segment and gives it to the network layer. The network layer adds the IP header to this block and gives the result to the data link layer. The data link layer adds the frame header and gives it to the physical layer for transmission. At the physical layer the actual bits are transmitted as voltage pulses. The opposite process happens at the destination end, where each layer removes the previous layer's header, and finally the application layer receives the original message.

Figure: Message transfer from the source to the destination at the different TCP/IP layers

(1) Application Layer :


Typical network applications include Web browsing, e-mail, file transfer, P2P and so on. These are distributed applications that run on hosts. The hosts would prefer the network to be completely transparent. The application layer protocols include HTTP, SMTP, FTP, DNS and so on. These protocols only make up a small part of an application. For example, the e-mail application includes an e-mail client (such as Outlook), a sending host, a receiving host, e-mail servers and a few networking protocols such as SMTP and POP3. Most applications are designed for the client-server paradigm, where the client is the host that requests a service and the server is the host that responds to the request.

First consider HTTP, the Hyper Text Transfer Protocol, which is used for communicating Web pages. Since HTTP is a stateless protocol, Web cookies were developed as a tasty way to maintain state. FTP is the File Transfer Protocol, which is used for receiving or sending files. SMTP is the Simple Mail Transfer Protocol, which is used to transfer e-mail from the sender to the recipient's e-mail server. Telnet (Terminal Emulation Protocol) is used for performing remote operations as if directly connected to the host from a terminal. There are many others.

(2) Transport Layer :


The transport layer ensures that the whole message arrives intact and in order, overseeing both error control and flow control at the source-to-destination level. The transport layer is represented in TCP/IP by two protocols: TCP and UDP. Note: IP is a host-to-host protocol, meaning that it can deliver a packet from one physical device to another. UDP and TCP are transport level protocols responsible for delivery of a message from one process (running program) to another process. The Transmission Control Protocol (TCP) provides full transport layer services to applications. TCP is a reliable stream transport protocol. The term stream, in this context, means connection-oriented: a connection must be established between both ends of a transmission before either can transmit data.

At the sending end of each transmission, TCP divides a stream of data into smaller units called segments. Each segment includes a sequence number for reordering after receipt, together with an acknowledgement number for the segments received. Segments are carried across the Internet inside IP datagrams. At the receiving end, TCP collects each datagram as it comes in and reorders the transmission based on the sequence numbers.

Figure: TCP segment format

SYN: the client requests synchronization with the server.
SYN-ACK: the server acknowledges receipt of the SYN request.
ACK: the client acknowledges the SYN-ACK. This third message can also include data.
Connections are terminated by a FIN (finish) or RST (reset) packet.

Figure: TCP three-way handshake

User Datagram Protocol (UDP)


The transport layer includes another protocol, the User Datagram Protocol (UDP). It is a process-to-process protocol that adds only port addresses, checksum error control and length information to the data from the upper layer. UDP is more efficient since it has a smaller header, and by not providing flow control or congestion control, it consumes less bandwidth. The downside to UDP is that it provides no assurance that packets arrive, and no assurance that packets are in the proper order.

(3) Network Layer :


At the network layer (the Internetwork / Internet layer), TCP/IP supports the Internetworking Protocol (IP). IP, in turn, contains four supporting protocols: ARP, RARP, ICMP and IGMP. The Internetworking Protocol (IP) is the transmission mechanism used by the TCP/IP protocols. It is an unreliable and connectionless datagram protocol: IP provides no error checking or tracking. IP assumes the unreliability of the underlying layers and does its best to get a transmission through to its destination, but with no guarantees. IP transports data in packets called datagrams, each of which is transported separately. Datagrams can travel along different routes and can arrive out of sequence or be duplicated. IP does not keep track of the routes and has no facility for reordering datagrams once they arrive at their destination.

Figure: IP datagram

The Address Resolution Protocol (ARP) is used to associate an IP address with the physical address. On a typical physical network, such as a LAN, each device on a link is identified by a physical or station address usually imprinted on the network interface card (NIC). ARP is used to find the physical address of the node when its Internet address is known. The Reverse Address Resolution Protocol (RARP) allows a host to discover its Internet address when it knows only its physical address. It is used when a computer is connected to the network for the first time or when a diskless computer is booted. The Internet Control Message Protocol (ICMP) is a mechanism used by hosts and gateways to send notification of datagram problems back to the sender. ICMP sends query and error reporting messages. The Internet Group Message Protocol (IGMP) is used to facilitate the simultaneous transmission of a message to a group of recipients.

(4) Data Link Layer and Physical Layer :


The data link layer is responsible for getting the packet over each individual link in the network. That is, the data link layer deals with getting a packet from a host to a router, from a router to a router, from a router to a host, or, locally, from one host to another host. The data link layer and physical layer are implemented in a semi-autonomous adapter known as the Network Interface Card, or NIC. Examples include Ethernet cards and wireless 802.11 cards. The NIC is (mostly) out of the host's control, and that's why it is said to be semi-autonomous.

One data link layer protocol of particular importance is Ethernet. Ethernet is a multiple access protocol, meaning that it is used when many hosts are competing for a shared resource. Ethernet is used on a local area network, or LAN. In Ethernet, if two packets are transmitted by different hosts at the same time, they can collide, in which case both packets are corrupted. The packets must then be resent. The challenge is to efficiently handle collisions in a distributed environment. There are many possible approaches, but Ethernet is by far the most popular method.

TCP/IP Vulnerability
The TCP and IP protocols were designed when the Internet was small and users generally trusted one another. The protocols lack many features that are desirable, or needed, on an insecure network.

Vulnerabilities at each layer


(1) Layer 1 : Physical layer : The security attacks at the physical layer can include:
(a) Fiber/cable cuts.
(b) Wireless link jamming.
(c) Copper cables influenced by electromagnetic fields.
(d) Application of high voltage on copper wire.

(2) Layer 2 : Data Link Layer : Layer 2 includes ATM, PPP, Ethernet and wireless LAN. Since Ethernet is one of the most widely used protocols, the attacks discussed here relate to it. MAC addresses, used in Ethernet, wireless networks, FDDI, Bluetooth etc., are unique identifiers attached to networking equipment. A MAC address is 48 bits long, with the initial 24 bits representing the manufacturer code and the remaining 24 bits assigned to the interface produced by that manufacturer.

(a) CAM Table Overflows :


A security threat found at layer 2 is content addressable memory (CAM) table overflow, which directly affects the switches in the network. CAM is a physical part of a switch that stores information about the MAC addresses available on each physical port and their associated parameters. Physically, CAM is limited in size and can hold information about a limited number of source MAC addresses. A tool known as macof can flood the switches with invalid MAC addresses. The tool quickly fills up the CAM table of the switch to which the computer running the tool is connected, and of the adjacent interconnected switches. This results in abnormal behaviour of the switch: it floods incoming traffic out of all ports. This makes a man-in-the-middle attack possible, since the attacker can now start sniffing network traffic.

(b) MAC Address Spoofing :


Here the attacker replaces the CAM table entry of a known MAC address with another port. This redirects packets destined for the original port to the other port. The attacker generally replaces the original port entry with his own port. Thus, all traffic is redirected to the attacker's PC. The attacker may spoof or forge packets and resend them to the original destination.
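The CAM-table behaviour in (a) and (b) can be modelled and monitored as follows. This is an added Python example, not code from the original notes: the frames, the capacity of 8 entries and the per-port limit of 3 source MACs are constructed values chosen so the effect is visible on a handful of frames.

```python
"""Switch CAM-table monitor: flags MAC flooding (macof-style) and MAC moves.

Added example; not code from the original notes. Frame records are
constructed, and CAM_CAPACITY / PORT_MAC_LIMIT are assumed values chosen
to be tiny so that the effect is visible.
"""
from collections import defaultdict

CAM_CAPACITY = 8      # assumed: real switches hold thousands of entries
PORT_MAC_LIMIT = 3    # assumed: port-security style limit per access port


class CamTable:
    """Learns source MACs per port and records alerts instead of silently flooding."""

    def __init__(self, capacity=CAM_CAPACITY, port_limit=PORT_MAC_LIMIT):
        self.capacity = capacity
        self.port_limit = port_limit
        self.mac_to_port = {}              # learned forwarding entries
        self.port_macs = defaultdict(set)  # all source MACs ever seen per port
        self.alerts = []

    def learn(self, src_mac, port):
        """Process the source MAC of one frame that arrived on `port`."""
        known = self.mac_to_port.get(src_mac)
        if known is not None and known != port:
            # A MAC already learned elsewhere shows up on another port:
            # either a host moved, or someone is spoofing that address.
            self.alerts.append(("mac-move", src_mac, known, port))
            self.port_macs[known].discard(src_mac)
        self.port_macs[port].add(src_mac)
        if len(self.port_macs[port]) > self.port_limit:
            # Too many distinct sources behind one access port: flooding tool.
            self.alerts.append(("flood", port, len(self.port_macs[port])))
        if known is None and len(self.mac_to_port) >= self.capacity:
            # CAM is full: the switch can no longer learn, so unknown
            # destinations will be flooded out of every port.
            self.alerts.append(("cam-full", port))
            return
        self.mac_to_port[src_mac] = port

    def forward(self, dst_mac):
        """Port a frame for dst_mac goes to, or "ALL" when the switch must flood."""
        return self.mac_to_port.get(dst_mac, "ALL")


# Constructed traffic: two legitimate hosts, then a burst of random source
# MACs from port 3, then port 3 claiming the victim's MAC.
VICTIM = "aa:aa:aa:aa:aa:02"
FRAMES = [("aa:aa:aa:aa:aa:01", 1), (VICTIM, 2)]
FRAMES += [(f"de:ad:be:ef:00:{i:02x}", 3) for i in range(10)]
FRAMES += [(VICTIM, 3)]


def run_scenario(frames=FRAMES):
    cam = CamTable()
    for mac, port in frames:
        cam.learn(mac, port)
    return cam


if __name__ == "__main__":
    cam = run_scenario()
    for alert in cam.alerts:
        print(alert)
    print("victim now forwarded to port", cam.forward(VICTIM))
```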

(c) DHCP Attacks :


1) DHCP Starvation attack : When a client requests an IP address from a DHCP server, the server grants an IP address to the client on a lease basis, i.e. the server waits for a specified interval for the client to accept the IP address. During this time, the server will not grant that particular IP address to any other client in the network. The DHCP starvation attack takes advantage of this waiting period. An attacker can broadcast a large number of DHCP requests using spoofed MAC addresses. The DHCP server will lease its IP addresses one by one until it runs out of available IP addresses for normal, legitimate clients. This leads to a denial of service in the network for any client requesting an IP address from the DHCP server.

2) Fake DHCP Server : Here the attacker sets up a forged DHCP server, serving clients in the network with false details. For example, the forged DHCP server might give its own IP address as the default gateway. Thus, all traffic of the network passes through the attacker's PC, allowing it to easily sniff the network packets.

(d) ARP Attacks :


The Address Resolution Protocol (ARP) is used for mapping an IP address to a MAC address. If a host knows the IP address of a particular machine in the network, then with the help of an ARP request it can find its MAC address. ARP is a stateless protocol and, as a result, a node does not keep a record of the ARP requests that it has sent. As a consequence, a node will accept any ARP reply that it receives, even if it has made no corresponding ARP request. This opens the door for an ARP cache poisoning attack.
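A cache that keeps the state ARP lacks, as an added example (not part of the original notes): it only accepts a reply for a request it sent itself, and it still flags a solicited reply that changes a known binding. All packets, addresses and the 2-second reply deadline are constructed.

```python
"""ARP cache that keeps state: replies are accepted only for requests it sent.

Added example, not from the original notes. Packets and addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class StatelessArpCache:
    """The behaviour described in the text: any reply updates the cache."""
    cache: dict = field(default_factory=dict)

    def receive(self, pkt, now):
        if pkt.op == "reply":
            self.cache[pkt.sender_ip] = pkt.sender_mac
            return "accepted"
        return "ignored"


@dataclass
class StatefulArpCache:
    """Remembers outstanding requests and drops replies nobody asked for."""
    my_ip: str
    my_mac: str
    timeout: float = 2.0                         # assumed reply deadline in seconds
    pending: dict = field(default_factory=dict)  # ip -> time the request was sent
    cache: dict = field(default_factory=dict)    # ip -> mac
    alerts: list = field(default_factory=list)

    def send_request(self, ip, now):
        self.pending[ip] = now
        return ArpPacket("request", self.my_ip, self.my_mac, ip)

    def receive(self, pkt, now):
        if pkt.op != "reply" or pkt.target_ip != self.my_ip:
            return "ignored"
        sent = self.pending.get(pkt.sender_ip)
        if sent is None or now - sent > self.timeout:
            # Unsolicited or late reply: the classic poisoning vector.
            self.alerts.append(("unsolicited-reply", pkt.sender_ip, pkt.sender_mac))
            return "dropped"
        old = self.cache.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            # Solicited, but the binding changed: could be a real move, or a
            # forged reply that arrived before the real host's answer.
            self.alerts.append(("binding-changed", pkt.sender_ip, old, pkt.sender_mac))
        self.cache[pkt.sender_ip] = pkt.sender_mac
        del self.pending[pkt.sender_ip]
        return "accepted"


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
FORGED_MAC = "02:00:00:00:00:66"
HOST_IP, HOST_MAC = "10.0.0.20", "02:00:00:00:00:20"


def run_scenario():
    """Constructed timeline: real exchange, then an unsolicited reply, then a raced reply."""
    stateless = StatelessArpCache()
    stateful = StatefulArpCache(HOST_IP, HOST_MAC)
    results = []
    stateful.send_request(GATEWAY_IP, now=0.0)
    real = ArpPacket("reply", GATEWAY_IP, GATEWAY_MAC, HOST_IP)
    results.append((stateless.receive(real, 0.01), stateful.receive(real, 0.01)))
    # "I am the gateway" reply with no request outstanding.
    forged = ArpPacket("reply", GATEWAY_IP, FORGED_MAC, HOST_IP)
    results.append((stateless.receive(forged, 5.0), stateful.receive(forged, 5.0)))
    # Later the host asks again and the forged reply arrives before the real one.
    stateful.send_request(GATEWAY_IP, now=60.0)
    results.append((stateless.receive(forged, 60.01), stateful.receive(forged, 60.01)))
    return stateless, stateful, results
```

The third step shows the limit of the check: a forged reply that wins the race against a genuine request is still accepted, so the binding-changed alert is what remains to catch it.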

(3) Layer 3 : Network Layer


(a) Packet Sniffing : Packet sniffing basically means capturing the IP traffic of the network. Data from the upper layers is encapsulated into IP packets. Protocols like SMTP, POP3, SNMP etc. transmit passwords in plain text, and so de-encapsulation of these IP packets may give access to sensitive data.

(b) IP spoofing : IP spoofing is a method that attackers use when they wish to send packets with malicious content to a target machine and do not want to be identified. The victim is unaware that the packet is not from a trusted host, and hence it accepts the packet and sends a response back to the claimed source computer. The biggest challenge here is that the attacker must guess the proper sequence number to send the final ACK packet, as if it had come from the real source. If this step succeeds, the attacker may have a connection to the victim's machine for as long as the victim's machine is active.

(c) RIP Routing Attacks :

The Routing Information Protocol (RIP) is used to distribute routing information within networks, such as advertising routes out of the local network and shortest paths. The original version of RIP has no built-in authentication, and the information in an RIP packet is used without verifying it. An attacker can forge an RIP packet, claiming that his host XYZ has the fastest path out of the network. All packets sent out from that network would then be routed through XYZ, where they could be modified, examined or even dropped.

(d) Fragmentation Attack : The fundamental problem is that the actual purpose of a packet is easily disguised by breaking it into fragments. The fragments can even overlap when reassembled, which further exacerbates this problem. The result is that the receiving host can only determine the purpose of a packet after it has received all of the fragments and reassembled the pieces.

(e) ICMP Attacks :

The Internet Control Message Protocol (ICMP) is used to send error messages, for example that a requested service is not available. ICMP does not authenticate packets. Hence, it is easy to intercept them and transmit spoofed ICMP packets. Denial of service attacks can be formulated using ICMP packets. ICMP packets that reset a connection between a source and a destination are:
Destination unreachable
Time to live

Destination unreachable ICMP packets specify that, because of a problem within the network, the packet cannot be delivered to the destination computer. Time to live specifies for how long the packet remains active.

(4) Layer 4 : Transport Layer :


(a) TCP Land Attack : Here the attacker sends a SYN packet to a host on an open TCP port with the source IP address forged to be the destination IP address.

(b) UDP Flooding Attack : Since UDP is a connectionless protocol, the only way it can be attacked is by flooding a machine with forged UDP requests. The attacked machine will try to determine the application that each packet is destined for. If no application is listening for that particular request, the packet is discarded. If a large number of packets are fired, the attacked machine might be overloaded, resulting in a denial of service attack, or the machine might crash.

(c) TCP and UDP Port Scanning Techniques : Attackers perform port scanning using tools such as nmap to find the open ports on a host machine. After identifying the open ports on a machine, the attacker can launch a variety of attacks through these open ports.

(d) Connection Hijacking : An attacker can allow normal authentication to proceed between the two hosts and then seize control of the connection. There are two possible ways to do this: during the TCP three-way handshake, or in the middle of an established connection. Connection hijacking exploits a desynchronized state of TCP communication. When two hosts are desynchronized enough, they will ignore packets from each other. An attacker can then inject forged packets with the correct sequence numbers. The attacker might also modify, or add commands to, the communication. This requires the attacker to be located on the communication path between the two hosts, so that he may eavesdrop in order to replicate the packets being sent.

(e) TCP SYN Attack : This attack targets the TCP three-way handshake. While waiting for the ACK to the SYN-ACK, a connection queue of finite size is maintained on the destination host that keeps track of connections waiting to be completed. This queue typically empties quickly, because the ACK packet generally arrives a few milliseconds after the SYN-ACK. The TCP SYN attack exploits this design flaw. An attacking source host generates TCP SYN packets with random source addresses towards a victim host. The victim destination host sends a SYN-ACK back to the random source address and adds an entry to the connection queue. Since the SYN-ACK is destined for a non-existent or incorrect host, the last part of the three-way handshake is never completed, and the entry remains in the connection queue until the timer expires, typically after about one minute. By generating a number of fake TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services to legitimate users.
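A sensor that applies the Land, UDP flooding and SYN attack descriptions from (a), (b) and (e) to constructed packet records. It is an added example, not from the original notes; the half-open backlog limit, the UDP rate limit and the 60-second entry timer are assumed values.

```python
"""Transport-layer sensor over constructed packet records: Land packets,
SYN floods (half-open backlog growth) and UDP floods to closed ports.

Added example, not from the original notes. Thresholds are assumptions
chosen small so that the constructed traffic trips them.
"""
from collections import Counter, defaultdict, deque, namedtuple

# flags: "SYN", "SYN-ACK", "ACK", "RST" for TCP; "" for UDP
Packet = namedtuple("Packet", "t proto src sport dst dport flags")


class TransportMonitor:
    def __init__(self, open_udp_ports, syn_timeout=60.0, half_open_limit=5,
                 udp_limit=20, udp_window=1.0):
        self.open_udp = set(open_udp_ports)
        self.syn_timeout = syn_timeout        # backlog entry lifetime, as in the text
        self.half_open_limit = half_open_limit
        self.udp_limit = udp_limit
        self.udp_window = udp_window
        self.half_open = {}                   # (src, sport, dst, dport) -> SYN time
        self.udp_closed = defaultdict(deque)  # dst -> times of UDP to closed ports
        self.alerts = []
        self._flagged = set()

    def _alert(self, *alert):
        if alert not in self._flagged:        # report each finding once
            self._flagged.add(alert)
            self.alerts.append(alert)

    def process(self, p):
        if p.proto == "tcp":
            self._tcp(p)
        elif p.proto == "udp":
            self._udp(p)

    def _tcp(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "SYN":
            if p.src == p.dst:
                # Land: source forged as the destination itself; never queue it.
                self._alert("land", p.dst, p.dport)
                return
            self.half_open[key] = p.t
        elif p.flags in ("ACK", "RST"):
            # Third handshake step (or a reset) clears the backlog entry.
            self.half_open.pop(key, None)
        # Expire entries older than the backlog timer.
        for k, t0 in list(self.half_open.items()):
            if p.t - t0 > self.syn_timeout:
                del self.half_open[k]
        backlog = Counter(k[2] for k in self.half_open)
        for dst, n in backlog.items():
            if n > self.half_open_limit:
                self._alert("syn-flood", dst)

    def _udp(self, p):
        if p.dport in self.open_udp:
            return                            # an application will take it
        q = self.udp_closed[p.dst]
        q.append(p.t)
        while q and p.t - q[0] > self.udp_window:
            q.popleft()
        if len(q) > self.udp_limit:
            self._alert("udp-flood", p.dst)


SERVER = "10.0.0.5"
TRAFFIC = [
    Packet(0.00, "tcp", "10.0.0.7", 40000, SERVER, 80, "SYN"),
    Packet(0.01, "tcp", SERVER, 80, "10.0.0.7", 40000, "SYN-ACK"),
    Packet(0.02, "tcp", "10.0.0.7", 40000, SERVER, 80, "ACK"),   # completed handshake
    Packet(0.50, "tcp", SERVER, 1234, SERVER, 139, "SYN"),       # Land packet
]
# Eight SYNs from random-looking sources that never complete the handshake.
TRAFFIC += [Packet(1.0 + i / 100, "tcp", f"198.51.100.{i}", 5000 + i, SERVER, 80, "SYN")
            for i in range(8)]
# 25 UDP datagrams within half a second to a port with no listener.
TRAFFIC += [Packet(2.0 + i / 50, "udp", "203.0.113.9", 6000, SERVER, 9999, "")
            for i in range(25)]


def analyze(packets=TRAFFIC, open_udp_ports=(53,)):
    mon = TransportMonitor(open_udp_ports)
    for p in sorted(packets, key=lambda pkt: pkt.t):
        mon.process(p)
    return mon


if __name__ == "__main__":
    for alert in analyze().alerts:
        print(alert)
```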

Port Scanning
Some well-known TCP ports:

Port Number   Description
7             ECHO
18            Message Send Protocol (MSP)
20            FTP-Data
21            FTP-Control
23            Telnet
25            Simple Mail Transfer Protocol (SMTP)
37            Time
53            Domain Name System (DNS)
69            Trivial File Transfer Protocol (TFTP)
80            HTTP

Port scanning is often used by network administrators to check the security of their networks and by hackers (attackers) to compromise it. Port scanning tells an attacker three things: which standard ports or services are running and responding on the target system, what operating system is installed on the target system, and what applications and versions of applications are present. This information is readily available for the asking from a networked system; it can be obtained quietly, anonymously, without identification or authentication, drawing little or no attention to the scan. To portscan a host is to scan for listening ports on a single target host. To portsweep is to scan multiple hosts for a specific listening port. The latter is typically used in searching for a specific service.

Types of port scan :


(a) TCP Connect (Not Secretive) : This type of scanning uses the TCP open system call provided by the operating system kernel to connect to specified ports on the target host.

(b) TCP SYN/Half-Open (Secretive) : This type of scanning causes the scanner to send out a SYN packet to the target host. If the target host is listening on a particular port, it will respond with a SYN + ACK. If the target host is alive but not listening on a particular port, an RST packet will be received.

(c) FIN : In this method, a FIN packet is sent to a target host. If the target host is alive but not listening on a particular port, it will respond with an RST packet. However, if the target host is listening on a particular port, it will not respond. Note that Microsoft Windows hosts send RST packets in all cases. This is of interest, because it helps identify the target host as a Microsoft Windows host.
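The portscan/portsweep distinction and the three scan types above, as a classifier over constructed sensor records of the packets a scanning host sent. This is an added example, not from the original notes; the thresholds of 5 ports or 5 hosts within 10 seconds are assumptions.

```python
"""Classify port scans versus port sweeps, and the probe technique used,
from TCP probe records collected by a sensor.

Added example, not from the original notes. Probe records are constructed
(only packets sent by the scanning host are listed); thresholds are assumed.
"""
from collections import defaultdict, deque, namedtuple

Probe = namedtuple("Probe", "t src dst dport flags")   # flags: SYN, ACK, RST or FIN


def probe_technique(probes):
    """Name the scan type from the flags the scanner itself sent."""
    flags = {p.flags for p in probes}
    if flags == {"FIN"}:
        return "FIN"
    if "ACK" in flags:
        return "TCP connect"        # scanner completed the handshake
    return "SYN/half-open"          # SYN, then RST instead of ACK


def classify_scans(probes, min_ports=5, min_hosts=5, window=10.0):
    """Return (src, kind, target, technique) findings, one per src and target."""
    by_src = defaultdict(list)
    for p in probes:
        by_src[p.src].append(p)
    findings = []
    for src, plist in by_src.items():
        plist.sort(key=lambda q: q.t)
        recent = deque()
        reported = set()
        for p in plist:
            recent.append(p)
            while p.t - recent[0].t > window:       # sliding time window
                recent.popleft()
            ports_per_dst = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for q in recent:
                ports_per_dst[q.dst].add(q.dport)
                hosts_per_port[q.dport].add(q.dst)
            # Many ports on one host: portscan.
            for dst, ports in ports_per_dst.items():
                if len(ports) >= min_ports and ("portscan", dst) not in reported:
                    reported.add(("portscan", dst))
                    findings.append((src, "portscan", dst, probe_technique(recent)))
            # One port on many hosts: portsweep.
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= min_hosts and ("portsweep", port) not in reported:
                    reported.add(("portsweep", port))
                    findings.append((src, "portsweep", port, probe_technique(recent)))
    return findings


# Constructed sensor records.
PROBES = []
# Half-open scan of five ports on 10.0.0.5; port 22 answered SYN-ACK, so the scanner reset it.
for i, port in enumerate((21, 22, 23, 25, 80)):
    PROBES.append(Probe(0.1 * i, "203.0.113.9", "10.0.0.5", port, "SYN"))
PROBES.append(Probe(0.6, "203.0.113.9", "10.0.0.5", 22, "RST"))
# FIN sweep for port 22 across six hosts.
for i in range(6):
    PROBES.append(Probe(5.0 + 0.1 * i, "198.51.100.7", f"10.0.0.{i + 1}", 22, "FIN"))
# Full connect scan: SYN then ACK on five ports of 10.0.0.8.
for i, port in enumerate((22, 80, 443, 3306, 8080)):
    PROBES.append(Probe(9.0 + 0.2 * i, "192.0.2.4", "10.0.0.8", port, "SYN"))
    PROBES.append(Probe(9.1 + 0.2 * i, "192.0.2.4", "10.0.0.8", port, "ACK"))


if __name__ == "__main__":
    for finding in classify_scans(PROBES):
        print(finding)
```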

Protocol Flaws
Internet protocols are publicly posted for scrutiny by the entire Internet community. Each accepted protocol is known by its Request For Comments (RFC) number. Many problems with protocols have been identified by sharp reviewers and corrected before the protocol was established as a standard. But protocol definitions are made and reviewed by fallible humans. Likewise, protocols are implemented by fallible humans. For example, TCP connections are established through sequence numbers. The client (initiator) sends a sequence number to open a connection, the server responds with that number and a sequence number of its own, and the client responds with the server's sequence number. Suppose someone can guess a client's next sequence numbers. That person could impersonate the client in an interchange. Sequence numbers are incremented regularly, so it can be easy to predict the next number.

Enterprise Wide Network


1. What Makes a Network Vulnerable
2. Who Attacks Networks
3. Enterprise-Wide Network Vulnerabilities
Very IMP : Make a note of this (10 marks)

Who Attacks Networks


The four important motives of attackers are challenge or power, fame, money and ideology.
(1) Challenge :
(2) Fame :
(3) Money and Espionage : Financial reward also motivates attackers. Some attackers perform industrial espionage, seeking information on a company's products, clients or long-range plans. Industrial espionage is illegal, but it occurs, in part because of the high potential gain. Its existence and consequences can be embarrassing for the target companies.
(4) Ideology : Attacks are also perpetrated to advance ideological ends. For example, many security analysts believe that the Code Red worm of 2001 was launched by a group motivated by the tension in U.S.-China relations.

Enterprise-Wide Network Vulnerabilities


(1) Router Vulnerabilities : (Very IMP)
(a) Unauthenticated Cross-Site Scripting : Cross-site scripting (or XSS) attacks are usually associated with online Web applications.
(b) Domain Name Hijacking : Domain name hijacking is a host-name-related attack vector that involves DHCP.
(c) UPnP Exploitation : UPnP is an unauthenticated protocol that, by definition, provides control over a router's configuration.

(2) Firewall Vulnerabilities : (Very IMP)


A firewall vulnerability is an error, weakness or invalid assumption made during the firewall design, implementation, or configuration that can be exploited to attack the trusted network the firewall is supposed to protect.

Roles of a firewall :
(a) A firewall has the ability to check HTML data for script tags and render scripts unexecutable by browsers.
(b) Firewalls forward external packets that claim to come from the internal network.
(c) When dealing with fragments, the firewall has the ability to cache the forwarding decision that was made on the initial fragment and later apply it to the other fragments.
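A filter that implements the fragment handling in role (c), and that also detects the overlapping fragments described under the fragmentation attack in the layer 3 section above. This is an added example, not from the original notes: the fragment records, the allowed-port rule and MIN_FIRST are constructed assumptions.

```python
"""Fragment-aware packet filter: decides on the first fragment (the one
carrying the transport header), caches that decision for the rest of the
datagram, and drops fragments that overlap data already seen.

Added example, not from the original notes. Fragment records and the
allowed-port rule are constructed; MIN_FIRST is an assumed minimum size
for a first fragment to hold the source and destination ports.
"""
from collections import defaultdict, namedtuple

# offset and length in bytes; dport is parsed only from a first fragment (offset 0);
# more is the more-fragments flag, kept for realism but not needed by the filter
Fragment = namedtuple("Fragment", "src dst ident offset length more dport")
MIN_FIRST = 8   # assumed: enough bytes for the port fields


class FragmentFilter:
    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        self.decisions = {}             # (src, dst, ident) -> "accept" / "drop"
        self.seen = defaultdict(list)   # (src, dst, ident) -> [(offset, end), ...]
        self.alerts = []                # a real firewall would also age this state out

    def filter(self, f):
        key = (f.src, f.dst, f.ident)
        if f.offset == 0:
            if f.length < MIN_FIRST:
                # Header split across fragments: the port cannot be judged, refuse.
                self.alerts.append(("tiny-first-fragment", key))
                self.decisions[key] = "drop"
                return "drop"
            # The transport header is here: decide now and remember the verdict.
            self.decisions[key] = "accept" if f.dport in self.allowed else "drop"
        elif key not in self.decisions:
            # A non-initial fragment before its first one: no cached verdict.
            self.alerts.append(("orphan-fragment", key, f.offset))
            return "drop"
        end = f.offset + f.length
        for off, fin in self.seen[key]:
            if f.offset < fin and off < end:
                # Overlap with bytes already received: reassembly is ambiguous and
                # the header the verdict was based on could be rewritten.
                self.alerts.append(("overlap", key, f.offset))
                self.decisions[key] = "drop"
                return "drop"
        self.seen[key].append((f.offset, end))
        return self.decisions[key]


# Constructed fragments: an allowed datagram, a blocked one, an overlapping
# one, an orphan, and a first fragment too small to carry the ports.
FRAGMENTS = [
    Fragment("10.0.0.7", "10.0.0.5", 1, 0, 1200, True, 80),
    Fragment("10.0.0.7", "10.0.0.5", 1, 1200, 400, False, None),
    Fragment("10.0.0.7", "10.0.0.5", 2, 0, 1200, True, 23),
    Fragment("10.0.0.7", "10.0.0.5", 2, 1200, 400, False, None),
    Fragment("10.0.0.9", "10.0.0.5", 3, 0, 1200, True, 80),
    Fragment("10.0.0.9", "10.0.0.5", 3, 8, 100, True, None),
    Fragment("10.0.0.9", "10.0.0.5", 4, 600, 200, False, None),
    Fragment("10.0.0.9", "10.0.0.5", 5, 0, 4, True, None),
]


def run_filter(fragments=FRAGMENTS, allowed_ports=(80, 443)):
    fw = FragmentFilter(allowed_ports)
    verdicts = [fw.filter(f) for f in fragments]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_filter()
    for frag, verdict in zip(FRAGMENTS, verdicts):
        print(frag.ident, frag.offset, verdict)
    print(fw.alerts)
```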

(3) Remote Access Server Exploits : The Remote PC Access Server uses an authorization code in order to verify whether a Remote PC Access Client has connected to the local server. The authorization code is 12 bytes long, filled with the following bytes in order: Authorization code (hex): 27 00 00 00 04 00 00 00 00 00 00 00 (12 bytes). An attacker can build a spoofed client program and use a DoS attack to crash the remote server or remote system. When a local client sends the authorization code to the remote server, the remote server sends an acknowledgement code back to the local client; after this, by sending the packets received from the remote server back to it, the local client overflows the remote server. Thus, untrustworthy remote access servers provide one of the simplest means of access to the internal network. Users often connect to the Internet with little protection, thus exposing sensitive data to attack.

(4) Web Server Exploits :


Web servers are built to provide files without authentication, which has high potential for exploitation. As Web servers expand their functionality, they are more likely to have vulnerabilities. Modern Web servers also execute code which is often insecure, e.g. ASP, PHP, Cold Fusion etc.

(5) DNS Server Exploits :


DNS cache poisoning is a maliciously created or unintended situation that provides data to a domain name server that did not originate from authoritative DNS sources. This can happen through improper software design, misconfiguration of name servers, and maliciously designed scenarios exploiting the traditionally open architecture of the DNS system. Once a DNS server has received such non-authentic data and caches it for a future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server.

Reconnaissance of Network
(i) Port scan : (ii) Pinging : (iii) Social Engineering : (iv) Intelligence : (v) Operating System and Application Fingerprinting : (vi) Bulletin Boards and Chats : (vii) Availability of Documentation :

Packet Sniffing (IMP)


1. MAC Flooding
2. ARP Spoofing
3. Session Hijacking
4. IP spoofing
Types of IP spoofing
Defending Against IP Spoofing

Web Site and Web Server Vulnerabilities


1. Web Site Vulnerabilities
2. Web Server Vulnerabilities
Insecure Network
Unsecured Hardware
Coding Vulnerabilities
Unauthorized Access
Authentication

Denial of Service (DoS) (VERY VERY IMP)


A denial of service attack involves flooding computer resources with more requests than they can handle, denying authorized users the services offered by those resources. Availability attacks, sometimes called denial-of-service or DoS attacks, are more significant in networks than in other contexts.

The accidental and malicious threats to availability or continued service are as follows :
(1) Transmission failure : Communications can fail for many reasons. For instance, a line is cut, or network noise makes a packet unrecognisable or undeliverable. A machine along the transmission path fails for hardware or software reasons. Some failures cannot be easily repaired. A break in the single communications line to your computer (for example, from the network to your network interface card, or the telephone line to your modem) can be fixed only by establishing an alternative link or repairing the damaged one. Anyone who can sever, interrupt or overload the capacity of such a link can cause a denial of service.

The electronic attacks that can cause a denial of service are as follows:

(a) Connection flooding : If an attacker sends you as much data as your communications system can handle, you are prevented from receiving any other data. Even if an occasional packet reaches you from someone else, communication to you will be seriously degraded. More refined attacks of this kind use ICMP, the Internet Control Message Protocol. These protocols do not have associated user applications and are only used for system diagnostics.

ICMP protocols include:
Ping, which requests a destination to return a reply, intended to show that the destination system is reachable and functioning.
Echo, which requests a destination to return the data sent to it, intended to show that the connection link is reliable (ping is actually a version of echo).
Destination unreachable, which indicates that a destination address cannot be accessed.
Source quench, which means that the destination is becoming saturated and the source should suspend sending packets for a while.

(i) Echo-Chargen : The echo-chargen attack works between two hosts. Chargen is a protocol that generates a stream of packets; it is used to test the network's capacity.

(ii) Ping of Death : A ping of death is a simple attack. Since ping requires the recipient to respond to the ping request, all the attacker needs to do is send a flood of pings to the intended victim.

(iii) Smurf : (IMP) The smurf attack is a variation of a ping attack in which the attacker chooses a network of unwitting victims. The attacker spoofs the source address in the ping packet so that it appears to come from the victim. Then, the attacker sends this request to the network in broadcast mode by setting the last byte of the address to all 1s; broadcast mode packets are distributed to all hosts on the network.

Figure: Smurf attack

(iv) SYN Flood : The SYN flood is a popular denial-of-service attack. This attack uses the TCP protocol suite, making the session-oriented nature of these protocols work against the victim.

(2) Traffic Redirection :


A router is a device that forwards traffic on its way through intermediate networks between a source host's network and a destination's. So if an attacker can corrupt the routing, traffic can disappear.

(3) DNS Attacks :


A domain name server (DNS) is a table that converts domain names like ATT.com into network addresses like 211.217.74.130; this process is called resolving the domain name. A domain name server queries other servers to resolve a domain name it does not know; it also sometimes caches the answers to resolve the name more rapidly in the future. By taking over a name server or causing it to cache false entries, an attacker can redirect the routing of any traffic, resulting in denial of service.

Distributed Denial of Service

In the first stage, the attacker uses any convenient attack (such as exploiting a buffer overflow or tricking the victim into opening and installing unknown code from an e-mail attachment) to plant a Trojan horse on a target machine. The Trojan horse file may be named for a popular editor or utility, bound to a standard operating system service, or entered into the list of processes (daemons) activated at startup. It will not attract any attention, wherever it sits within the system.

The attacker repeats this process with many targets. Each of these target systems then becomes what is known as a zombie. The target systems carry out their normal work, unaware of the resident zombie.

SSL and IPsec Protocol


Make a short note for this

Firewall / Types of firewall


1. Packet Filtering Gateway
2. Stateful Inspection Firewall
3. Application Proxy
4. Guard
5. Personal Firewalls

Intrusion Detection System (IMP)


1. Signature-Based Intrusion Detection
2. Heuristic Intrusion Detection
3. Stealth Mode

Honey-Pots
A honeypot is a computer system or a network segment loaded with servers, devices and data. Honeypots may be protected with a firewall that allows some access. A honeypot has monitoring capability which is not made evident to the attacker.

Types of honeypots :
i) Low interaction or production honeypots are easy to use and install, capture only a limited amount of information, and are used primarily by companies or corporations.
ii) High interaction or research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military or government organizations.

Installing a Honeypot : Honeypots can be set up inside or outside a firewall, although most are set up inside the firewall to attract attackers. Setting up honeypots inside a firewall also gives better control over the traffic to the Internet.

Honeypot solutions :
(i) Creating a Honeypot : There are a number of communities, tools, software packages and Websites available which help and guide you in creating a honeypot. For creating our own honeypot, we need the following components and considerable configuration time:
(a) A workstation or PC running UNIX or Windows NT.
(b) User accounts with network services like telnet, ftp, sendmail, www, ssh etc.
(c) Snort for network intrusion detection.
(d) Tripwire to monitor critical system files.
(e) Regmon to monitor real-time access to the Windows registry.
(f) Any keystroke logging utility.

(ii) Commercial Honeypot Systems : There are a number of commercial honeypot systems available. Some of them are:
(a) ManTrap by Resource Technologies
(b) Tripwire
(c) Specter by NETSEC
(d) Deception Toolkit by Fred Cohen and Associates (free).

Uses of honeypot :
Honeypots can be used for the following reasons:
(i) To watch what attackers do, in order to learn about new attacks.
(ii) To lure an attacker to a place in which you may be able to learn enough to identify and stop the attacker.
(iii) To provide an alternative but diversionary playground, hoping that the attacker will leave your system alone.
