CIT 480: Securing Computer Systems. Network Security Concepts

Transcription

1 CIT 480: Securing Computer Systems Network Security Concepts

2 Topics 1. Policies and Assurance 2. Protocols and Layers 3. Layer 2 Network Concepts 4. MAC Spoofing 5. ARP 6. ARP Spoofing 7. Network Sniffing

3 Network Security Policy Usage policies Define acceptable uses for organization members, partners, and other user classes. Risk analysis Identify assets. Evaluate importance. Determine security policy for each asset based on importance.

4 Detecting Problems Change management process Require security approval of network changes. Intrusion detection Automated network and/or host based intrusion detection systems. Network scans Scan network for rogue/missing machines. Verify security status of each network device. Log monitoring Monitor sensitive logs (e.g. firewall) in real time.

5 Network Mission Assurance 1. Asset identification 1. Systems and information assets. 2. Infrastructure model and control 1. Network diagrams and inventory database. 2. Change control. 3. Threat analysis and prediction 4. Response coordination 1. Attack identification. 2. Incident response team.

6 Network Hardening Network device integrity Firmware and OS patches. Password quality and change policies. Secure protocols Secure management protocols: SSH, SNMP3 + encrypt. Encrypt all sensitive data + use MACs for integrity. Network design Isolate sensitive/dangerous devices via firewalls, VLANs. Compartmentalize different information asset classes. Network access control Restrict access to Ethernet ports and wireless access.

7 Protocols A protocol defines the rules for communication between computers. Two primary types of protocols: Connectionless protocol Sends data out as soon as there is enough data to be transmitted E.g., user datagram protocol (UDP) Connection-oriented protocol Provides a reliable connection stream between two nodes Consists of set up, transmission, and tear down phases Creates virtual circuit-switched network E.g., transmission control protocol (TCP)

8 Encapsulation A packet typically consists of Control information for addressing the packet: header and footer Data: payload A network protocol N1 can use the services of another network protocol N2 A packet p1 of N1 is encapsulated into a packet p2 of N2 The payload of p2 is p1 The control information of p2 is derived from that of p1 Header Header Payload Footer Footer Payload

9 Network Layers Network models typically use a stack of layers Higher layers use the services of lower layers via encapsulation A layer can be implemented in hardware or software The bottommost layer must be in hardware A network device may implement several layers A communication channel between two nodes is established for each layer Actual channel at the bottom layer Virtual channel at higher layers

10 Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi

11 Intermediate Layers Link layer Local area network: Ethernet, WiFi, optical fiber 48-bit media access control (MAC) addresses Packets called frames Network layer Internet-wide communication Best effort transmission 32-bit internet protocol (IP) addresses in IPv4 128-bit IP addresses in IPv6 Transport layer 16-bit addresses (ports) for classes of applications Connection-oriented transmission layer protocol (TCP) Connectionless user datagram protocol (UDP)

12 Internet Packet Encapsulation Application Packet Application Layer TCP Header TCP Data Transport Layer IP Header IP Data Network Layer Frame Header Frame Data Frame Footer Link Layer

13 Data link header IP header TCP or UDP header Application packet Data link footer Internet Packet Encapsulation Data link frame IP packet TCP or UDP packet Application packet

14 The OSI (Open System Interconnect) Reference Model is a network model consisting of seven layers The OSI Model

15 Network Interfaces Network interface: device connecting a computer to a network, such as an Ethernet or WiFi card. A computer may have multiple network interfaces. Most local area networks, including Ethernet and WiFi, broadcast frames, so all hosts on the LAN receive them. In regular mode, each network interface sends only packets destined for it to OS for processing. Network sniffing can be accomplished by configuring the network interface to send all frames (promiscuous mode) to OS for processing.

16 MAC Addresses Layer 2 protocols identify nodes by MAC addresses. A MAC address is a 48-bit number: E.g., 00-1A-92-D4-BF-86 The first three octets of any MAC address are IEEE-assigned Organizationally Unique Identifiers E.g., Cisco 00-1A-A1, D-Link 00-1B-11, ASUSTek 00-1A-92 The next three can be assigned by manufacturers as they please, with uniqueness being the only constraint. Note that uniqueness is not always the case in practice. Admins can set MAC addresses to any desired value.

17 Switch A switch Operates at the link layer. Has multiple ports, each connected to a computer. Operation of a switch Learn the MAC address of each connected device. Forward frames only to the destination device.

18 Combining Switches Switches can be arranged into a tree. Each port learns the MAC addresses of the machines in the segment (subtree) connected to it. Fragments to unknown MAC addresses are broadcast. Frames to MAC addresses in the same segment as the sender are ignored. 3/23/2015

19 MAC Address Filtering A switch can be configured to provide service only to machines with specific MAC addresses Users must register devices with network admin. A MAC spoofing attack impersonates another PC Find out MAC address of target machine. Threat sets MAC address of his PC to that of target. Turn off or unplug target machine. Countermeasures to MAC spoofing: Block switch port when machine is turned off. Disable duplicate MAC addresses.

20 Viewing and Changing MAC Addresses Viewing the MAC addresses of the interfaces of a machine Linux: ifconfig Windows: ipconfig /all Changing a MAC address in Linux Stop the networking service: /etc/init.d/network stop Change the MAC address: ifconfig eth0 hw ether <MAC-address> Start the networking service: /etc/init.d/network start Changing a MAC address in Windows Open the Network Connections applet Access the properties for the network interface Click Configure In the advanced tab, change the network address to the desired value Changing a MAC address requires administrator privileges

21 ARP The address resolution protocol (ARP) connects the network layer to the data layer by translating IP addresses to MAC addresses. ARP broadcasts requests and caches responses for future use Protocol begins with a computer broadcasting a message of the form who has <IP address1> tell <IP address2> When the machine with <IP address1> or an ARP server receives this message, its broadcasts the response <IP address1> is <MAC address> Requestor s IP address <IP address2> contained in the link header The Linux and Windows command arp - a displays the ARP table Internet Address Physical Address Type c-07-ac-00 dynamic c-76-b2-d7-1d dynamic c-76-b2-d0-d2 dynamic

22 ARP Caches IP: MAC: 00:11:22:33:44:01 Data IP: MAC: 00:11:22:33:44:02 ARP Cache :11:22:33:44: is at 00:11:22:33:44: is at 00:11:22:33:44:02 ARP Cache :11:22:33:44:01

23 ARP Spoofing ARP table updated when ARP response is received Requests are not tracked ARP announcements are not authenticated, so A rogue machine can spoof other machines Rogue sends ARP redirecting IP to its MAC Network traffic destined for that IP sent to rogue machine by all hosts on subnet including switch. Countering ARP spoofing Use static ARP table. Requires admin to reconfigure each time a new host is added or a host is removed from the subnet.

24 Poisoned ARP Caches :11:22:33:44:03 Data Data :11:22:33:44: is at 00:11:22:33:44: is at 00:11:22:33:44: :11:22:33:44:02 Poisoned ARP Cache :11:22:33:44:03 Poisoned ARP Cache :11:22:33:44:03

25 ARP Spoofing CLIENT LAN: x Regular traffic SERVER switch Alice Using arp poisoning Bob MAC: 00:0A:E4:2E:9B:11 MAC: 00:0A:E4:3B:47:7E gratuitous arp reply Bob s IP Cracker s MAC arpspoof victim ip gateway ip MAC: 00:22:64:34:60:88 Cracker.1 gratuitous arp reply Alice s IP Cracker s MAC arpspoof victim ip gateway ip

26 Telnet Protocol (RFC 854) Telnet is a protocol that provides unencrypted communication to another machine to issue commands and receive output. Allows remote shell access like ssh. Sends whatever you type. Prints whatever comes back. Telnet client can connect to any TCP port Useful for testing TCP services (ASCII based protocols) like HTTP, SMTP, etc.

27 Packet Sniffing Packet sniffing is the process of intercepting and observing traffic on a network. If packets are not encrypted, attacker can read confidential data, such as passwords, etc. Wired networks Broadcast traffic is observable by all hosts. Hubs send all packets to all hosts on subnet. Switches send packets only to destination host, but ARP poisoning can let attacker see all packets. Wireless networks Sniffer can see all packets.

28 menu main toolbar filter toolbar packet list pane packet details pane packet bytes pane status bar

29 Packet Sniffer Applications Legitimate applications Debug network problems. Monitor network usage. Network intrusion detection. Attacker applications View confidential information. Gather data required for other attacks, especially spoofing attacks.

30 Defending against Sniffing Encrypt traffic Use application level encryption, e.g. HTTPS instead of HTTP, SSH instead of telnet. Use network level encryption, like WPA2 or IPsec, where possible. Traffic patterns can still be observed. Use wired networks with switches Use static ARP tables to avoid ARP spoofing. Limits attacker to broadcasts and packets directed to attacker controlled machines.

31 << link >> CLIENT Attempting to Sniff Telnet LAN: x << link >> << link >> switch Alice Add a user on server: Bob.10 adduser user.100 In a switched network, packets are sent only to the destination computer One would think that another computer plugged to the switch cannot sniff traffic Cracker.1 and then follow program instructions Ethernet UTP RJ 45 SERVER

32 Sniffing Telnet Passwords CLIENT LAN: x Regular traffic SERVER switch Alice Using arp Bob poisoning With dsniff, we catch the passwords used to log in to a telnet service: dsniff -n Cracker.1 Acts as a router

33 1. Layer 2 concepts Key Points Hosts identified by 48-bit MAC addresses. OS can spoof MACs by setting to any value. Switches manage layer 2 traffic. 2. ARP translates IPs to MACs so packets can be delivered on hosts on local subnet. There is no authentication. ARP spoofing can be used to receive frames destined for other hosts. 3. Network sniffing View confidential network traffic of other hosts. ARP spoofing can let attacker sniff even if switches used.

34 References 1. Cisco, Network Security Policies: Best Practices White Paper, ilability/high-availability/13601-secpol.html 2. Goodrich and Tammasia, Introduction to Computer Security, Pearson, NSA, Hardening Network Infrastructure, ng_network_infrastructure_fs.pdf