Actually, this is one of my posts at CS, where one of the members was a little confused about "how/where to start with network security" and I posted a reply; I hope it will be helpful to you people as well.
When we are concerned about network security, we have plenty of things to consider, like:
1) Physical Insecurity
2) Passive attacks
3) Active attacks
4) Management Protocols insecurity
5) Wireless Issues
6) Denial of service attacks
There are many other things to consider as well, but mentioning/explaining them all would be beyond the scope of this post.
Let me give a little description of each, which may help you start understanding the security of network infrastructure.
1) Physical Insecurity.
As I told you in my last post about "Port Security", since a few employees have physical access to devices (in small/medium size organizations), they bring their own devices, connect them right away and start using them. Port Security is a way to set up what/how many devices can connect to a port; that is nothing but a little bit of physical security.
Physical security concerns plenty of things. For example, consider the physical security of a server room:
You may need to authenticate yourself first to enter the server room, maybe with some kind of smart card authentication. Even once you have authenticated, you are under a video camera inside the server room which monitors your activities there. If you ask for more, security may also be concerned with the temperature of the server room, which actually comes under maintenance but still has physical security implications: say a hardware failure, or say you have PIX devices with no fail-over, bang, and you will be literally screwed.
Network security does start with physical security. If a person has physical access to a machine, he has a much better chance of getting his work done.
For example, if someone has physical access to a router, as you know, the console or aux ports provide a path into the router. If the passwords are not known, it is possible to perform password recovery on an IOS device from the console port: reboot the router, access ROMMON mode, reset the configuration register, restore the configuration file and network connections, and leave the router at the privileged-mode prompt.
2) Passive attacks.
Passive attacks are not direct attacks; what I mean is that they are about gaining information on the target. The more information you have, and the more you expand the details you hold on the target, the better your options for starting active attacks or exploiting the target. As a network security administrator you must keep these attacks on your radar, because they may indicate a potential attempt to compromise the network at one point or another. There are plenty of passive attacks, like:
- Port scanning
- Ping sweeps
- Sniffers
- Using the Internet to gain information about the target.
As these concepts are really wide and beyond the scope of this post, I linked them appropriately; please follow the links for further details.
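As an added example (not part of the original post), here is a small detector that applies the two passive-attack signatures listed above, many distinct ports tried from one source (port scan) and many hosts probed with ICMP from one source (ping sweep), to a few constructed firewall log lines; the log format, the sample addresses and the thresholds are all assumptions.

```python
# Added example (not from the post): flag port scans and ping sweeps in constructed
# firewall log lines. The log format, addresses and thresholds are all assumptions.
import re
from collections import defaultdict

SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY tcp 198.51.100.7:40001 -> 10.0.0.5:21
2024-05-01T10:00:01 DENY tcp 198.51.100.7:40002 -> 10.0.0.5:22
2024-05-01T10:00:01 DENY tcp 198.51.100.7:40003 -> 10.0.0.5:23
2024-05-01T10:00:02 DENY tcp 198.51.100.7:40004 -> 10.0.0.5:25
2024-05-01T10:00:02 DENY tcp 198.51.100.7:40005 -> 10.0.0.5:80
2024-05-01T10:00:02 DENY tcp 198.51.100.7:40006 -> 10.0.0.5:443
2024-05-01T10:00:03 DENY icmp 203.0.113.9 -> 10.0.0.1
2024-05-01T10:00:03 DENY icmp 203.0.113.9 -> 10.0.0.2
2024-05-01T10:00:03 DENY icmp 203.0.113.9 -> 10.0.0.3
2024-05-01T10:00:04 DENY icmp 203.0.113.9 -> 10.0.0.4
2024-05-01T10:00:05 ALLOW tcp 192.0.2.44:51000 -> 10.0.0.5:443
"""

# "<time> <action> <proto> <src>[:<sport>] -> <dst>[:<dport>]"; ICMP lines carry no ports.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse(lines):
    """Yield one dict per line that matches LINE_RE; anything else is ignored."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def detect(lines, port_threshold=5, host_threshold=3):
    """Map source IP -> list of suspected reconnaissance kinds seen from it."""
    ports = defaultdict(set)  # src -> distinct (dst, dport) pairs tried over TCP
    hosts = defaultdict(set)  # src -> distinct hosts probed with ICMP
    for rec in parse(lines):
        if rec["proto"] == "tcp" and rec["dport"]:
            ports[rec["src"]].add((rec["dst"], int(rec["dport"])))
        elif rec["proto"] == "icmp":
            hosts[rec["src"]].add(rec["dst"])
    findings = defaultdict(list)
    for src, pairs in ports.items():
        if len({dport for _, dport in pairs}) >= port_threshold:  # many distinct ports
            findings[src].append("port scan")
    for src, probed in hosts.items():
        if len(probed) >= host_threshold:  # many distinct hosts pinged
            findings[src].append("ping sweep")
    return dict(findings)
```

On the sample above, detect(SAMPLE_LOG.splitlines()) flags 198.51.100.7 as a port scan and 203.0.113.9 as a ping sweep, while the single allowed connection from 192.0.2.44 is not reported.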
3) Active Attacks.
This is where the actual attack takes place; it is like a direct/indirect connection made to the target.
Using the information gathered by passive attacks, they start attacking the target. For example, after port-scanning a target he/she finds a few hosts up; now he/she tries to find what services are running on those hosts, and whether any older versions of software are installed on them, which may lead him into the network. There is a wide range of active attacks; a few of the most common I would list are:
and plenty of others....
In short, active attacks are attacks that actually exploit/gain access to the target. You can always Google for more types of attacks.
4) Management Protocol Insecurity.
This may be considered under active attacks, but I categorized it separately because it is little cool stuff and you learn plenty of things when considering protocol security, and there is a wide range of protocol insecurities which should be a concern when securing networks. The most common protocols used in networks these days are:
You can follow the links and get great details; still, here is a little description of them. They are actually management protocols which we use in our networks. Telnet is a very insecure management protocol, and the reason is that it is plain-text: consider someone sniffing the interfaces; if you are using a telnet connection, the person who is sniffing gets the complete details (your user name and password) in clear text. SSH, on the other hand, is encrypted: even if someone is sniffing between the interfaces, he/she captures the same traffic as with telnet, but this time everything is encrypted. SNMP (Simple Network Management Protocol) has plenty of issues/vulnerabilities, as it is clear-text as well; SNMP v3 uses cryptography, but SNMP with community strings (read/write) has plenty of vulnerabilities, and mostly SNMP is used over a VPN, as most applications don't use SNMP v3. NTP (Network Time Protocol): consider someone changing the time on your device; it will cause a denial of service, because it may lead to expiration/failure of certificates, or crash time-based services like syslog. Syslog is used to log communication details between devices to an external server; it is clear-text as well, but cryptography can be used.
5) Wireless Issues.
Wireless LANs are mostly deployed in an access layer role; I mean they are used as an entry point into a wired network. In the past, access has been defined as dial-up, ADSL, cable, cellular, Ethernet, Token Ring, Frame Relay, ATM, etc. Wireless is simply another method for users to access the network.
Wireless LANs are data-link layer networks, but due to lack of speed and resiliency, wireless networks are not typically implemented in core networks.
Wireless networks can serve as an extension to a wired network. There may be cases where extending the network would require installing additional cabling that is cost prohibitive. You may discover that hiring cable installers and electricians to build out a new section of office space for the network is going to cost tens of thousands of dollars. Or, in the case of a large warehouse, the distances may be too great to use Cat5 cable for the Ethernet network. Fiber might have to be installed, requiring an even greater investment of time and resources; installing fiber might involve upgrades to existing edge switches. Wireless LANs may overcome this issue.
Along with these advantages, wireless networks open up security issues like eavesdropping; yes, it is still an effective type of wireless LAN attack. Passive attacks like eavesdropping leave no trace of the attacker's presence on or near the network, since the attacker does not have to actually connect to the LAN access point to listen to packets traversing the wireless segment. Wireless LAN protocol analyzers or custom applications are typically used to gather information about the wireless network from a distance with a directional antenna.
A few of the security issues with wireless networks to consider are:
WEP insecurity: WEP is a simple algorithm that utilizes a pseudo-random number generator and the RC4 stream cipher. MAC filtering: the issue is that MAC addresses of wireless LAN clients are broadcast in the clear by access points and bridges, even when WEP is implemented. Someone listening to the traffic on your network can quickly find out most of the MAC addresses that are allowed on your wireless network.
So, when considering the security of wireless, we have to think about:
- WEP
- User Authentication
- Monitoring for rogue Hardware
- wireless DMZ
- Mutual Authentication.
6) Denial of Service Attacks.
I can't eat the ice cream, so why not melt it down so that no one else can eat it either?
DoS is where one device overloads the network access to, or the CPU utilization of, a target system. A very simple example: consider you are using a Cisco IOS software release prior to 12.0, where the service called IP directed broadcast is enabled by default. A directed broadcast can be used to probe, or deny service to (by a DoS attack), an entire subnet. The directed broadcast packet is unicast until it reaches the router that is responsible for the segment; at that time, the packet becomes a broadcast for the specified segment. However, in IOS software release 12.0 and later this service is disabled by default, or you can manually disable it with the no ip directed-broadcast command. Most commonly DoS is used with some sort of spoofing.
Another example:
Consider the Cisco Catalyst switch feature DHCP snooping. With this, Cisco Catalyst switch ports are configured in either the trusted or untrusted state. If a port is trusted, it is allowed to receive DHCP responses (for example, DHCPOFFER, DHCPACK, or DHCPNAK). Conversely, if a port is untrusted, it is not allowed to receive DHCP responses, and if a DHCP response attempts to enter an untrusted port, the port is disabled. Consider this config on a switch:
YourSwitch(config)# ip dhcp snooping
YourSwitch(config)# ip dhcp snooping vlan 1,100,200-210
YourSwitch(config)# interface gigabitethernet 0/4
YourSwitch(config-if)# ip dhcp snooping trust
What an attacker will do is repeatedly request IP address assignments from the DHCP server, thus depleting the pool of addresses available from the DHCP server; he/she can accomplish this by making the DHCP requests appear to come from different MAC addresses (MAC spoofing).
However, the issue can be overcome by a single command, I mean by limiting the number of DHCP messages on a port per second.
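As an added example (not from the original post), the following Python checks a constructed Cisco IOS-style configuration for the weaknesses discussed in the management-protocol and DoS sections above: Telnet allowed on the vty lines, a read-write SNMP community string, ip directed-broadcast left enabled, and an untrusted port that has no DHCP snooping rate limit (the per-port, per-second limit is set with ip dhcp snooping limit rate). Both the weak and the hardened config are constructed, the checks are simple string heuristics, and the rate-limit value 15 is an arbitrary choice.

```python
# Added example (not from the post): heuristic checks on a constructed IOS-style config.
WEAK_CONFIG = """\
ip dhcp snooping
snmp-server community public RW
interface GigabitEthernet0/4
 ip dhcp snooping trust
interface GigabitEthernet0/5
 ip directed-broadcast
line vty 0 4
 transport input telnet
"""
HARDENED_CONFIG = """\
ip dhcp snooping
snmp-server community s3cr3t RO
interface GigabitEthernet0/4
 ip dhcp snooping trust
interface GigabitEthernet0/5
 no ip directed-broadcast
 ip dhcp snooping limit rate 15
line vty 0 4
 transport input ssh
"""

def parse_blocks(config):  # -> (global lines, {"interface ..."/"line ...": [child lines]})
    glob, blocks, cur = [], {"": []}, ""
    for line in filter(None, (l.rstrip() for l in config.splitlines())):
        if line[0].isspace():
            blocks[cur].append(line.strip())  # indented line belongs to the open block
        elif line.startswith(("interface ", "line ")):
            cur, blocks[line] = line, []
        else:
            cur = ""
            glob.append(line)
    return glob, blocks

def audit(config):
    """Return (scope, problem) tuples; an empty list means nothing was flagged."""
    glob, blocks = parse_blocks(config)
    out = [("global", "read-write SNMP community string") for l in glob
           if l.startswith("snmp-server community") and "RW" in l.upper().split()]
    for hdr, body in blocks.items():
        if any({"telnet", "all"} & set(l.split()) for l in body if l.startswith("transport input")):
            out.append((hdr, "Telnet allowed for management access"))
        if "ip directed-broadcast" in body:  # "no ip directed-broadcast" does not match
            out.append((hdr, "ip directed-broadcast enabled"))
        if (hdr.startswith("interface ") and "ip dhcp snooping" in glob
                and "ip dhcp snooping trust" not in body
                and not any(l.startswith("ip dhcp snooping limit rate") for l in body)):
            out.append((hdr, "untrusted port lacks DHCP snooping rate limit"))
    return out
```

audit(WEAK_CONFIG) reports the RW community, the directed broadcast and the missing rate limit on GigabitEthernet0/5, and Telnet on the vty lines; the trusted GigabitEthernet0/4 is left alone, and audit(HARDENED_CONFIG) returns an empty list.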
There are plenty of DoS attacks I can remember, like SYN flood, smurf, snork, ping of death (the oldest one) and many more. A decent firewall will definitely prevent these types of attacks if configured correctly.
I guess this might have helped you get started with network security.