Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Similar documents
Introduction to Wireshark

Hands-On Ethical Hacking and Network Defense

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

TCP /IP Fundamentals Mr. Cantu

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

Basics of executing a penetration test

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Configuring attack detection and prevention 1

CIT 480: Securing Computer Systems

CSC 574 Computer and Network Security. TCP/IP Security

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

ch02 True/False Indicate whether the statement is true or false.

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Network Security. Thierry Sans

9. Security. Safeguard Engine. Safeguard Engine Settings

Network Security: Firewall, VPN, IDS/IPS, SIEM

TRANSMISSION CONTROL PROTOCOL. ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 7 November 2016

CyberP3i Course Module Series

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Configuring attack detection and prevention 1

Computer Security and Privacy

20-CS Cyber Defense Overview Fall, Network Basics

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

Networking By: Vince

OSI Transport Layer. objectives

Layered Networking and Port Scanning

CHAPTER-2 IP CONCEPTS

Hands-On TCP/IP Networking

Introduction to Network. Topics

Fundamentals of Computer Networking AE6382

Chapter 7. Local Area Network Communications Protocols

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Software Engineering 4C03 Answer Key

CSC 4900 Computer Networks: Security Protocols (2)

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Module 19 : Threats in Network What makes a Network Vulnerable?

Network Traffic Analysis - Course Outline

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

Chapter 8 roadmap. Network Security

CCNA Exploration Network Fundamentals. Chapter 04 OSI Transport Layer

CSE 565 Computer Security Fall 2018

ECCouncil Exam v9 Certified Ethical Hacker Exam V9 Version: 7.0 [ Total Questions: 125 ]

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Chapter 9. Firewalls

Chapter 2 Advanced TCP/IP

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

VG422R. User s Manual. Rev , 5

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

TSIN02 - Internetworking

COMPUTER NETWORK SECURITY

Stateless Firewall Implementation

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Computer Network Vulnerabilities

K2289: Using advanced tcpdump filters

ELEC5616 COMPUTER & NETWORK SECURITY

Understanding Cisco Cybersecurity Fundamentals

Brief Contents. Acknowledgments... xv. Introduction...xvii. Chapter 1: Packet Analysis and Network Basics Chapter 2: Tapping into the Wire...

ECE 435 Network Engineering Lecture 23

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

A quick theorical introduction to network scanning. 23rd November 2005

CISCO CONTEXT-BASED ACCESS CONTROL

Broadcast Infrastructure Cybersecurity - Part 2

Exam Questions CEH-001

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

Network+ Guide to Networks 6 th Edition. Chapter 4 Introduction to TCP/IP Protocols

ASA/PIX Security Appliance

Ethical Hacking Basics Course

Fundamentals of Network Security v1.1 Scope and Sequence

network security s642 computer security adam everspaugh

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

TestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified

n Understand EC-Council s scanning methodology n Describe scan types and the objectives of scanning

The ACK and NACK of Programming

Interconnecting Networks with TCP/IP

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

Unit 4: Firewalls (I)

NT1210 Introduction to Networking. Unit 10

EE 610 Part 2: Encapsulation and network utilities

CCNA 1 v3.11 Module 11 TCP/IP Transport and Application Layers

Applied Networks & Security

TCP/IP Transport Layer Protocols, TCP and UDP

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Lab - Using Wireshark to Examine TCP and UDP Captures

CONTENTS IN DETAIL ACKNOWLEDGMENTS INTRODUCTION 1 PACKET ANALYSIS AND NETWORK BASICS 1 2 TAPPING INTO THE WIRE 17 3 INTRODUCTION TO WIRESHARK 35

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

CNBK Communications and Networks Lab Book: Purpose of Hardware and Protocols Associated with Networking Computer Systems

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

Transcription:

1 Network Security Kitisak Jirawannakool Electronics Government Agency (public organisation)

A Brief History of the World 2

OSI Model vs TCP/IP suite 3

TFTP & SMTP 4

ICMP 5

NAT/PAT 6

ARP/RARP 7

DHCP 8

Network Connection Devices 9

Hub Operation 10

Layer 2 Switch Operation 11

Layer 3 Switch Operation 12

Router & Routing Protocols 13

Wide Area Networking 14

15 Security Strategy For many years, protection was equated with prevention How well people with the prevention, still many could find ways around safeguards Thus, most practical model includes 2 more factors, detect & response

Application Layer Security 16

17 Secure Socket Layer (SSL) Secure Socket Layer (SSL)

18 Firewall Various types of Firewall Packet filtering Stateful packet inspection Deep Packet Inspection (DPI) Application proxy Circuit proxy

19 Firewall Configuration Firewall Configuration

20 Firewall Configuration Screened-Host Firewall Screened Subnet Firewall

21 IDS Component Traffic collector: collects information for the IDS to examine. host-based IDS this could be log files, audit logs, or traffic coming to or leaving a specific system. network-based IDS typically a mechanism for copying traffic off the network link basically functioning as a sniffer.

22 Analysis engine: IDS Component Examines the collected information and compares it to known patterns of suspicious or malicious activity stored in the signature database. Signature database: A collection of patterns and definitions of known suspicious or malicious activity. User interface and reporting: The component that interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.

Syslog 23

Remote Access Server 24

Identification & Authentication Remote Users 25

VPN Concentrators 26

27 Virtual Private Network (VPN) Virtual Private Network (VPN)

AV Layered Defense-in-Depth 28

29 Multiple Zones of Defense & Defense-in-Depth Multiple Zones of Defense & Defense-in-Depth

IDS as Firewall Complement 30

Network IDS (NIDS) 31

NIDS Operation 32

Layered Defense - Network Access Control 33

Control Check - Intrusion Detection 34

Host Isolation 35

Wireless Technologies 36

37 Bluetooth (IEEE 802.15) Bluetooth (IEEE 802.15)

38 Bluetooth Threats & Security Issues Less security policies & implementation Third party software providers Security default configuration

Wireless LAN (IEEE 802.11) 39

Securing Wireless LAN 40

Rouge Access Point & Evil-twin Attack 41

42 IEEE 802.1x Standard Defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE802 which also know as EAPOL

43 TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

44 Objectives Review the OSI & DoD Models Review TCP, UDP, & ICMP Protocols & Packet Structures Learn about Packet Communication Processes TCP/IP Commands on Linux Open Discussion

45 OSI and TCP/IP Models Application Presentation Application Session Transport Host to Host Network Internet Data Link Physical Physical

46 IP Addressing Dotted Decimal 192.168.20.59 Binary 11000000.10101000.00010100.00111011 Decimal 3232240699 Hexadecimal 0xC0.0xA8.0x14.0x3B

47 Ports and Services A port is a memory address space n Ports are numbered between 0 and 65535 n UDP and TCP have separate spaces from 1-65535 n 0 is reserved and used only in IPv6 n Traffic on port 0 is never a good sign Each port may be assigned a specific service n Services wait and listen for specific requests n Ports from 1-1024 are reserved for specific services n Services using ports 1-1024 can only be assigned by root (see the list in Linux under directory /etc/services) n The requests are delivered to the service in the form of packets http://www.iana.org/assignments/port-numbers http://www.bekkoame.ne.jp/~s_ita/port/port1-99.html n IANA list with known exploits listed with port services

48 Popular Ports and Services 21 FTP UDP TCP 22 SSH UDP TCP 23 TELNET UDP TCP 25 SMTP UDP TCP 53 DNS UDP TCP 80 HTTP TCP 110 POP TCP 161 SNMP UDP TCP 162 SNMP TRAPS UDP TCP

49 How does this help us? Services are Identified by their responses All services exist in one of three states: open - responds with SYN/ACK, Connect(), or in some cases, nothing as opposed to a RST closed - responds with RST filtered - no response because the router or firewall will not allow for any response (only possible when using TCP Connect or SYN scans) Remember, the only GOOD service is a filtered service. (Except when there is a Business Justification for it)

50 IP Protocols IP Network Addressing Protocol TCP UDP ICMP Routing Protocols BGP,OPSF, etc. Others GRE, ISAKMP, IPSEC

51 TCP vs. UDP TCP Connection-Oriented Three Way Handshake Reliability more important than speed UDP Connectionless No Handshake Speed more important than Reliability

52 The TCP Packet Thanks to Skullbox.net

53 Flags SYN New connection ACK Acknowledging a connection or packet arrival. URG Urgent Data PSH Push the Data Thru (Don t buffer) FIN Finish the connection (Goodbye) RST Reset (I didn t want to talk to them anyway! [slam!])

54 The TCP Three Way Handshake 1. The Sending Host sends a SYN packet to the Receiving host. (Phone Rings) 2. The Receiving host response with a SYN-ACK. (Hello?) 3. The Sending Host then responds with an ACK. (HI!!) 4. The Connection is now up.

55 The TCP Three Way Handshake SYN SYN/ACK ACK

56 Hacker s Use of TCP Hackers will mangle packets to confuse target systems. A confused system can give up information, provide access or even stop responding. Some of the common Tricks: Setting no flags or all flags Attempt to connect using the handshake but not complete it. This will provide a fast way to enumerate ports. Setting strange combos of Flags may reveal what OS we are dealing with. (Fingerprinting) Send a packet with the ACK flag set can get past some simple firewall systems.

57 TCP Scans Name of Scan Flags Set During Scan SYN Scan S FIN Scan F Null Scan Nothing Xmas Scan UPF SYN-FIN Scan SF Nmap Fingerprint Attempt UPSF

58 SYN Scan If Port is Open SYN SYN/ACK RST If Port is Closed SYN RST No need to send back a RST

59 FIN Scan If Port is Open FIN No Answer If Port is Closed FIN RST No need to send back a RST

60 Nmap XMAS Scan If Port is Open URG/PSH/FIN No Answer If Port is Closed URG/PSH/FIN RST No need to send back a RST

61 Null Scan If Port is Open No Flags Sent No Answer If Port is Closed No Flags Sent RST No need to send back a RST

TCP Scan Comparison Type of Scan (Flags Set) Port is Open Port is Closed SYN -S SYN/ACK RST FIN - F (NOTHING) RST XMAS - UPF (NOTHING) RST NULL (None) (NOTHING) RST 62

63 The UDP Packet The sending host send the UDP packet The receiving host checks to see if the port is open and the protocol matches YES Service action begins (sometimes not visible) NO ICMP Type 3 error message is sent to the Sending Host.

64 UDP Packet Structure Thanks to Skullbox.net for use of the graphics. For more info on TCP/IP checkout this informative site.

65 Scanning UDP Protocols Scanning UDP can be Frustrating. A UDP packet that reaches a server port which is open replies with nothing A UDP packet that reaches a server port which is closed replies with an ICMP type 3 message that the service is not reachable A UDP packet that gets lost or dropped on the way to the server port (it happens) returns no response A UDP packet that reaches a server port which is open and the protocol matches, replies with service A UDP packet that reaches a server port which is closed and the firewall is configured to disallow ICMP replies, returns nothing or may return a packet which says this is not allowed by the administrator So Why scan UDP? It is a nice place to hide for attackers Most companies do not worry about UDP ports

66 The ICMP Packet Connectionless Protocol Used for finding the best route across a network or the Internet Influences routers Used for error control messages Process The sending computer sends an ICMP packet to a system The receiving computer evaluates what service the packet is requesting and sends the proper response NOTE: Sometimes the service action is not visible If the service request is not allowed, a message is returned

67 ICMP Packet Structure Type Code Checksum Data

ICMP Packet Types 68

69 ICMP Packet Codes Type 3 Destination Unreachable [RFC792] Codes 0 Net Unreachable 1 Host Unreachable 2 Protocol Unreachable 3 Port Unreachable 4 Fragmentation Needed and Don't Fragment was Set 5 Source Route Failed 6 Destination Network Unknown 7 Destination Host Unknown 9 Communication with Destination Network is Administratively Prohibited 10 Communication with Destination Host is Administratively Prohibited http://www.faqs.org/rfcs/rfc792.html

70 Linux Networking Commands Ifconfig Dhclient Ping Traceroute

71 ifconfig Command line configuration for interfaces ifconfig i eth0 address 192.168.1.1 netmask 255.255.255.0

72 dhclient Easy command used to configure your interface for use with DHCP. dhclient eth0 Next run ifconfig to view the interface configuration.

73 Other Commands Ping Detect if another host is reachable Traceroute Determine the path to another host Dig Utility for checking DNS resolution

74 Other Fun Networking Utils Nmap Network Port Scanner Nessus De Facto Standard in Network Vulnerability Scanning. Wireshark (a.k.a Ethereal) Network Sniffer Many other tools!

75 One Last Note A big part of using TCP/IP is subnetting. The best way to learn is to practice! Many books and Online sources for learning how to Subnet.

76 Network Monitoring Kitisak Jirawannakool Electronics Government Agency (public organisation)

77 Agenda What is Network monitoring? Why we need?

What is Network Monitoring? 78

Eavesdropping 79

Network Eavesdropping 80

81 Why we monitor? Network Capacity Design Do we have to purchase ADSL or Lease line? Performance Monitoring Fast enough? Too Slow? Packet losses? Maintain Security Malware (Bot, Key logger) Insider threat (Policy violation)

82 Network Monitoring methods Intrusion Detection: Intrusion detection monitors local area networks for unauthorized access by hackers. Packet Sniffing: A packet sniffer is a program that inspects every packet of information that passes through the network. Vulnerability Scanning: A vulnerability scanner will periodically scan the network for vulnerabilities and weaknesses which open up the potential for an exploit. Firewall Monitoring: Firewalls monitor the traffic that is coming in and out of the network. Penetration Testing: Penetration testing is carried out by IT professionals by using methods that hackers use to breach a network

83 How to monitor the network? Using monitoring agent software/tools port mirroring on network switch or router aggregate all traffic that are processed by a network switch into one single port. use shared hub Shared hub is more expensive than a switching hub!!! network tap Can be installed without modifying your network design.

Where to monitor? 84

85 Where to monitor? Out side of Firewall To understand what is going on the side of THE INTERNET. Research purpose. Since it s a chaotic world, you will see too many suspicious flow. DMZ To understand threat by external attack Local network Monitor traffic within your corporate network Prevent information leakage

86 What we can t do with network monitor? Monitor Encrypted traffic SSL, IPSec, SSH, HTTPS, and other Active protection Network monitoring is Not for protect, not for filter, just watching what s in and out Network monitoring system may not send any packet Monitor Huge traffic Difficult to monitor everything because of tons of traffic Finding Targeted Attacks

87 Legal and Privacy We should be sure if network monitoring is clear to do by aspect of Legal Checking only in your country is enough? Any branches in other countries Privacy Full traffic monitoring may contain privacy data E-mail contents Web history Password

88 Legal and Privacy Organizational Policy Advertise that you are monitoring network For users Ethic Some cases, we can monitor neighborhood wireless traffic Is hotel wireless/network

89 Challenges Network baselines Topology, locating the problem Visualization at scale Knowledge management Privacy Mixing and matching record types

Questions? 90

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback