CIT 380: Securing Computer Systems. Network Security Concepts

Similar documents
Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Computer Networks Security: intro. CS Computer Systems Security

Network Security. CSC 482/582: Computer Security Slide #1

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

ICS 351: Networking Protocols

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSc 466/566. Computer Security. 18 : Network Security Introduction

Network Security. Thierry Sans

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 8 Networking Essentials

Defining Networks with the OSI Model. Module 2

Lab Using Wireshark to Examine Ethernet Frames

Lab 1: Packet Sniffing and Wireshark

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Lab Using Wireshark to Examine Ethernet Frames

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

The OSI Model. Open Systems Interconnection (OSI). Developed by the International Organization for Standardization (ISO).

E&CE 358: Tutorial 1. Instructor: Sherman (Xuemin) Shen TA: Miao Wang

CCNP Switch Questions/Answers Securing Campus Infrastructure

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

MTA_98-366_Vindicator930

Assignment - 1 Chap. 1 Wired LAN s

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Man In The Middle Project completed by: John Ouimet and Kyle Newman

Chapter 7. Local Area Network Communications Protocols

ELEC5616 COMPUTER & NETWORK SECURITY

Interconnecting Cisco Networking Devices Part1 ( ICND1) Exam.

EITF25 Internet Techniques and Applications L7: Internet. Stefan Höst

20-CS Cyber Defense Overview Fall, Network Basics

B.Sc. (Hons.) Computer Science with Network Security B.Eng. (Hons) Telecommunications B.Sc. (Hons) Business Information Systems

network security s642 computer security adam everspaugh

Need For Protocol Architecture

Muhammad Farooq-i-Azam CHASE-2006 Lahore

Need For Protocol Architecture

Fundamentals of Computer Networking AE6382

Brief Contents. Acknowledgments... xv. Introduction...xvii. Chapter 1: Packet Analysis and Network Basics Chapter 2: Tapping into the Wire...

To see how ARP (Address Resolution Protocol) works. ARP is an essential glue protocol that is used to join Ethernet and IP.

Data and Computer Communications. Chapter 2 Protocol Architecture, TCP/IP, and Internet-Based Applications

CONTENTS IN DETAIL ACKNOWLEDGMENTS INTRODUCTION 1 PACKET ANALYSIS AND NETWORK BASICS 1 2 TAPPING INTO THE WIRE 17 3 INTRODUCTION TO WIRESHARK 35

CCNA MCQS with Answers Set-1

Switched environments security... A fairy tale.

1. Which OSI layers offers reliable, connection-oriented data communication services?

A Framework for Optimizing IP over Ethernet Naming System

Networking interview questions

Imi :... Data:... Nazwisko:... Stron:...

Lecture 17 Overview. Last Lecture. Wide Area Networking (2) This Lecture. Internet Protocol (1) Source: chapters 2.2, 2.3,18.4, 19.1, 9.

COMP2330 Data Communications and Networking

Objectives. Hexadecimal Numbering and Addressing. Ethernet / IEEE LAN Technology. Ethernet

Lab Assignment for Chapter 1

CCNA 1 Final Exam Answers UPDATE 2012 eg.1

n Describe sniffing concepts, including active and passive sniffing n Describe sniffing countermeasures n Describe signature analysis within Snort

COMS Introduction to Computers. Networking

ECE 650 Systems Programming & Engineering. Spring 2018

Exam : SCNS_EN. Title : SCNS SCNS Tactical Perimeter Defense. Version : Demo

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

TCP/IP THE TCP/IP ARCHITECTURE

Virtual Private Networks (VPN)

IP: Addressing, ARP, Routing

IPSec. Overview. Overview. Levente Buttyán

The Internet. 9.1 Introduction. The Internet is a global network that supports a variety of interpersonal and interactive multimedia applications.

Address Resolution Protocol (ARP), RFC 826

Introduction to Computer Security

Chapter 2 Communicating Over the Network

TCP/IP and the OSI Model

Switching & ARP Week 3

Digital forensics Technical Fundamentals. Saurabh Singh

Local Area Networks and the Network Protocol Stack

CSC 574 Computer and Network Security. TCP/IP Security

precise rules that govern communication between two parties TCP/IP: the basic Internet protocols IP: Internet protocol (bottom level)

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

Operating Systems. 16. Networking. Paul Krzyzanowski. Rutgers University. Spring /6/ Paul Krzyzanowski

To make a difference between logical address (IP address), which is used at the network layer, and physical address (MAC address),which is used at

CompTIA Network+ Study Guide Table of Contents

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

Session Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs

TCP/IP Overview. Basic Networking Concepts. 09/14/11 Basic TCP/IP Networking 1

OSI Reference Model. Computer Networks lab ECOM Prepared By : Eng. Motaz Murtaja Eng. Ola Abd Elatief

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

DDoS Testing with XM-2G. Step by Step Guide

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

Computer Communication & Networks / Data Communication & Computer Networks Week # 03

CSC Network Security

Lab - Using Wireshark to Examine a UDP DNS Capture

Component 4: Introduction to Information and Computer Science

Internet Protocols (chapter 18)

Copyleft 2005, Binnur Kurt. Objectives

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

Lab - Using Wireshark to Examine a UDP DNS Capture

IP Basics Unix/IP Preparation Course June 29, 2010 Pago Pago, American Samoa

Part VI. Appendixes. Appendix A OSI Model and Internet Protocols Appendix B About the CD

ET4254 Communications and Networking 1

OSI Model with Protocols. Layer Name PDU Address Protocols Device

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

THE OSI MODEL. Application Presentation Session Transport Network Data-Link Physical. OSI Model. Chapter 1 Review.

Transcription:

CIT 380: Securing Computer Systems Network Security Concepts

Topics 1. Protocols and Layers 2. Layer 2 Network Concepts 3. MAC Spoofing 4. ARP 5. ARP Spoofing 6. Network Sniffing

Protocols A protocol defines the rules for communication between computers. Two primary types of protocols: Connectionless protocol Sends data out as soon as there is enough data to be transmitted E.g., user datagram protocol (UDP) Connection-oriented protocol Provides a reliable connection stream between two nodes Consists of set up, transmission, and tear down phases Creates virtual circuit-switched network E.g., transmission control protocol (TCP)

Encapsulation A packet typically consists of Control information for addressing the packet: header and footer Data: payload A network protocol N1 can use the services of another network protocol N2 A packet p1 of N1 is encapsulated into a packet p2 of N2 The payload of p2 is p1 The control information of p2 is derived from that of p1 Header Header Payload Footer Footer Payload

Network Layers Network models typically use a stack of layers Higher layers use the services of lower layers via encapsulation A layer can be implemented in hardware or software The bottommost layer must be in hardware A network device may implement several layers A communication channel between two nodes is established for each layer Actual channel at the bottom layer Virtual channel at higher layers

Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi

Intermediate Layers Link layer Local area network: Ethernet, WiFi, optical fiber 48-bit media access control (MAC) addresses Packets called frames Network layer Internet-wide communication Best effort transmission 32-bit internet protocol (IP) addresses in IPv4 128-bit IP addresses in IPv6 Transport layer 16-bit addresses (ports) for classes of applications Connection-oriented transmission layer protocol (TCP) Connectionless user datagram protocol (UDP)

Internet Packet Encapsulation Application Packet Application Layer TCP Header TCP Data Transport Layer IP Header IP Data Network Layer Frame Header Frame Data Frame Footer Link Layer

Internet Packet Encapsulation Data link frame IP packet TCP or UDP packet Application packet Data link header IP header TCP or UDP header Application packet Data link footer

The OSI (Open System Interconnect) Reference Model is a network model consisting of seven layers The OSI Model

Network Interfaces Network interface: device connecting a computer to a network, such as an Ethernet or WiFi card. A computer may have multiple network interfaces. Most local area networks, including Ethernet and WiFi, broadcast frames, so all hosts on the LAN receive them. In regular mode, each network interface sends only packets destined for it to OS for processing. Network sniffing can be accomplished by configuring the network interface to send all frames (promiscuous mode) to OS for processing.

MAC Addresses Layer 2 protocols identify nodes by MAC addresses. A MAC address is a 48-bit number: E.g., 00-1A-92-D4-BF-86 The first three octets of any MAC address are IEEE-assigned Organizationally Unique Identifiers E.g., Cisco 00-1A-A1, D-Link 00-1B-11, ASUSTek 00-1A-92 The next three can be assigned by manufacturers as they please, with uniqueness being the only constraint. Note that uniqueness is not always the case in practice. Admins can set MAC addresses to any desired value.

Switch A switch Operates at the link layer. Has multiple ports, each connected to a computer. Operation of a switch Learn the MAC address of each connected device. Forward frames only to the destination device.

Combining Switches Switches can be arranged into a tree. Each port learns the MAC addresses of the machines in the segment (subtree) connected to it. Fragments to unknown MAC addresses are broadcast. Frames to MAC addresses in the same segment as the sender are ignored. 10/24/2013

MAC Address Filtering A switch can be configured to provide service only to machines with specific MAC addresses Users must register devices with network admin. A MAC spoofing attack impersonates another PC Find out MAC address of target machine. Threat sets MAC address of his PC to that of target. Turn off or unplug target machine. Countermeasures to MAC spoofing: Block switch port when machine is turned off. Disable duplicate MAC addresses.

Viewing and Changing MAC Addresses Viewing the MAC addresses of the interfaces of a machine Linux: ifconfig Windows: ipconfig /all Changing a MAC address in Linux Stop the networking service: /etc/init.d/network stop Change the MAC address: ifconfig eth0 hw ether <MAC-address> Start the networking service: /etc/init.d/network start Changing a MAC address in Windows Open the Network Connections applet Access the properties for the network interface Click Configure In the advanced tab, change the network address to the desired value Changing a MAC address requires administrator privileges

ARP The address resolution protocol (ARP) connects the network layer to the data layer by translating IP addresses to MAC addresses. ARP broadcasts requests and caches responses for future use Protocol begins with a computer broadcasting a message of the form who has <IP address1> tell <IP address2> When the machine with <IP address1> or an ARP server receives this message, its broadcasts the response <IP address1> is <MAC address> Requestor s IP address <IP address2> contained in the link header The Linux and Windows command arp - a displays the ARP table Internet Address Physical Address Type 128.148.31.1 00-00-0c-07-ac-00 dynamic 128.148.31.15 00-0c-76-b2-d7-1d dynamic 128.148.31.71 00-0c-76-b2-d0-d2 dynamic

ARP Caches IP: 192.168.1.1 MAC: 00:11:22:33:44:01 Data IP: 192.168.1.105 MAC: 00:11:22:33:44:02 ARP Cache 192.168.1.105 00:11:22:33:44:02 192.168.1.1 is at 00:11:22:33:44:01 192.168.1.105 is at 00:11:22:33:44:02 ARP Cache 192.168.1.1 00:11:22:33:44:01

ARP Spoofing ARP table updated when ARP response is received Requests are not tracked ARP announcements are not authenticated, so A rogue machine can spoof other machines Rogue sends ARP redirecting IP to its MAC Network traffic destined for that IP sent to rogue machine by all hosts on subnet including switch. Countering ARP spoofing Use static ARP table. Requires admin to reconfigure each time a new host is added or a host is removed from the subnet.

Poisoned ARP Caches 192.168.1.106 00:11:22:33:44:03 Data Data 192.168.1.1 00:11:22:33:44:01 192.168.1.105 is at 00:11:22:33:44:03 192.168.1.1 is at 00:11:22:33:44:03 192.168.1.105 00:11:22:33:44:02 Poisoned ARP Cache 192.168.1.105 00:11:22:33:44:03 Poisoned ARP Cache 192.168.1.1 00:11:22:33:44:03

ARP Spoofing CLIENT LAN: 192.168.1.x Regular traffic SERVER switch Alice Using arp poisoning Bob.10.100 MAC: 00:0A:E4:2E:9B:11 MAC: 00:0A:E4:3B:47:7E gratuitous arp reply Bob s IP Cracker s MAC arpspoof 192.168.1.10 192.168.1.100 victim ip gateway ip MAC: 00:22:64:34:60:88 Cracker.1 gratuitous arp reply Alice s IP Cracker s MAC arpspoof 192.168.1.100 192.168.1.10 victim ip gateway ip

Telnet Protocol (RFC 854) Telnet is a protocol that provides unencrypted communication to another machine to issue commands and receive output. Allows remote shell access like ssh. Sends whatever you type. Prints whatever comes back. Telnet client can connect to any TCP port Useful for testing TCP services (ASCII based protocols) like HTTP, SMTP, etc.

Packet Sniffing Packet sniffing is the process of intercepting and observing traffic on a network. If packets are not encrypted, attacker can read confidential data, such as passwords, etc. Wired networks Broadcast traffic is observable by all hosts. Hubs send all packets to all hosts on subnet. Switches send packets only to destination host, but ARP poisoning can let attacker see all packets. Wireless networks Sniffer can see all packets.

menu main toolbar filter toolbar packet list pane packet details pane packet bytes pane status bar

Packet Sniffer Applications Legitimate applications Debug network problems. Monitor network usage. Network intrusion detection. Attacker applications View confidential information. Gather data required for other attacks, especially spoofing attacks.

Defending against Sniffing Encrypt traffic Use application level encryption, e.g. HTTPS instead of HTTP, SSH instead of telnet. Use network level encryption, like WPA2 or IPsec, where possible. Traffic patterns can still be observed. Use wired networks with switches Use static ARP tables to avoid ARP spoofing. Limits attacker to broadcasts and packets directed to attacker controlled machines.

CLIENT Attempting to Sniff Telnet LAN: 192.168.1.x << link >> << link >> switch Alice Add a user on server: Bob.10 adduser user.100 In a switched network, packets are sent only to the destination computer One would think that another computer plugged to the switch cannot sniff traffic << link >> Cracker.1 and then follow program instructions Ethernet UTP RJ 45 SERVER

Sniffing Telnet Passwords CLIENT LAN: 192.168.1.x Regular traffic SERVER switch Alice Using arp Bob poisoning.10.100 With dsniff, we catch the passwords used to log in to a telnet service: dsniff -n Cracker.1 Acts as a router

1. Layer 2 concepts Key Points Hosts identified by 48-bit MAC addresses. OS can spoof MACs by setting to any value. Switches manage layer 2 traffic. 2. ARP translates IPs to MACs so packets can be delivered on hosts on local subnet. There is no authentication. ARP spoofing can be used to receive frames destined for other hosts. 3. Network sniffing View confidential network traffic of other hosts. ARP spoofing can let attacker sniff even if switches used.

References 1. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback