NETWORK INFRASTRUCTURE SECURITY



Similar documents
NETWORK INFRASTRUCTURE SECURITY

Building Secure Network Infrastructure For LANs

Tools for Attacking Layer 2 Network Infrastructure

InfoSec Academy Pen Testing & Hacking Track

Track 2: Introductory Track PREREQUISITE: BASIC COMPUTER EXPERIENCE

Computer Network Engineering

How To Write An Fpa Programmable Gate Array

Computer Network Engineering

PHYSICAL TESTING OF RUBBER

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Effect of Windows XP Firewall on Network Simulation and Testing

Online Business Security Systems

Basics of Internet Security

The Neuropsychology Toolkit

CMPT 471 Networking II

ISOM3380 Advanced Network Management. Spring Course Description

Course Contents CCNP (CISco certified network professional)

Cisco Advanced Services for Network Security

COSC 472 Network Security

CCNA Security v1.0 Scope and Sequence

International Series on Consumer Science

Interconnecting Cisco Networking Devices: Accelerated (CCNAX) 2.0(80 Hs) 1-Interconnecting Cisco Networking Devices Part 1 (40 Hs)

Intro to Firewalls. Summary

Adult Attachment in Clinical Social Work

Own your LAN with Arp Poison Routing

CIS 4204 Ethical Hacking Fall, 2014

National Cyber League Certified Ethical Hacker (CEH) TM Syllabus

Information Security Attack Tree Modeling for Enhancing Student Learning

Working knowledge of TCP/IP protocol Suite IPX/SPX protocols Suite, MCSE or CNE or experienced in supporting a LAN environment.

Directory and File Transfer Services. Chapter 7

VoIP Resilience and Security Jim Credland

LAN TCP/IP and DHCP Setup

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media

8 Steps for Network Security Protection

CISCO IOS NETWORK SECURITY (IINS)

8 Steps For Network Security Protection

CCNA Security 2.0 Scope and Sequence

Allegany College of Maryland. 239 Cisco Networking 2 * Offered Fall semester and

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

FIRE-ROUTER: A NEW SECURE INTER-NETWORKING DEVICE

Voice Over IP (VoIP) Denial of Service (DoS)

Denial of Service Attacks

Technical Note. ForeScout CounterACT: Virtual Firewall

How To Pass The Information And Network Security Certificate

ICT Infrastructure & Network Management

Computer Networks I Introduction

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

Cisco Certified Network Expert (CCNE)

INFOCOMM & DIGITAL MEDIA (IT NETWORK AND SYSTEM ADMINISTRATION)

Recommended IP Telephony Architecture

Enabling NAT and Routing in DGW v2.0 June 6, 2012

SANE: A Protection Architecture For Enterprise Networks

167 th Air Wing Fast Track Cyber Program Blue Ridge Community and Technical College

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

CompTIA Network+ (Exam N10-005)

Packet Sniffing on Layer 2 Switched Local Area Networks

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Multi-Homing Dual WAN Firewall Router

Chapter 1 Personal Computer Hardware hours

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

CMPSCI 453 Computer Networking. Professor V. Arun Department of Computer Science University of Massachusetts Amherst

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

New Frontiers in Entrepreneurship

Using a VPN with Niagara Systems. v0.3 6, July 2013

Cisco Certified Network Professional (CCNP Routing & Switching)

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Detailed Description about course module wise:

How To Configure A Vyatta As A Ds Internet Connection Router/Gateway With A Web Server On A Dspv.Net (Dspv) On A Network With A D

Security Considerations in IP Telephony Network Configuration

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA

Virtual Private Networks Solutions for Secure Remote Access. White Paper

CCNA Cisco Associate- Level Certifications

The Key to Secure Online Financial Transactions

Cisco Certified Security Professional (CCSP)

Case Study for Layer 3 Authentication and Encryption

1. Firewall Configuration

Hackers are here. Where are you?

National Cyber League Certified Ethical Hacker (CEH) TM Syllabus

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

167 th Air Wing Fast Track Cyber Security Blue Ridge Community and Technical College

By David G. Holmberg, Ph.D., Member ASHRAE

CSET 4750 Computer Networks and Data Communications (4 semester credit hours) CSET Required IT Required

Raritan Valley Community College Academic Course Outline. CISY Advanced Computer Networking

EC Council Certified Ethical Hacker V8

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

CCNA Security v1.0 Scope and Sequence

OPC & Security Agenda

IT and Cyber Security Training Courses

Transcription:

NETWORK INFRASTRUCTURE SECURITY

Network Infrastructure Security Angus Wong Alan Yeung

Angus Wong Macao Polytechnic Institute Rua de Luis Gonzaga Gomes Macao Alan Yeung City University of Hong Kong 83 Tat Chee Avenue Kowloon Hong Kong, PR, China ISBN: 978-1-4419-0165-1 e-isbn: 978-1-4419-0166-8 DOI: 10.1007/978-1-4419-0166-8 Library of Congress Control Number: 2009921186 Springer Science+Business Media, LLC 2009 All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, to proprietary rights. is not to be taken as an expression of opinion as to whether or not they are subject Printed on acid-free paper springer.com

About the authors Angus Kin-Yeung Wong obtained his BSc and PhD degrees from City University of Hong Kong, and is currently an associate professor at Macao Polytechnic Institute. Angus is active in research activities, and has served as a reviewer and a technical program committee member in various journals and conferences. Angus is devoted to teaching in tertiary education. In the past, he has taught 11 different courses, ranging from the first year to forth years, and developed five new network related courses to keep students abreast of cutting-edge network technologies. Alan Kai-Hau Yeung obtained his BSc and PhD degrees from The Chinese University of Hong Kong in 1984 and 1995 respectively. He is currently an associate professor at City University of Hong Kong. Since his BSc graduation, he has spent more than 20 years in teaching, managing, designing and research on different areas of computer networks. In the early days of LANs in 1980s, he had the chance to involve in the design and set up of numerous networks. One of them was the largest LAN in Hong Kong at that time. He also frequently provides consultancy services to the networking industry. One notable project was the development of a GSM mobile handset in late 1990s. The team that Alan had involved successfully developed a handset prototype for a listed company in Hong Kong. Alan s extensive experience has helped him to earn professional qualifications like Cisco Certified Network Professional (CCNP), Cisco Certified Academy Instructor (CCAI), and Certified Ethical Hacker (CEH). Angus and Alan have been collaborating in doing network related research for over 10 years. They have successfully obtained grants from universities and governments, and published tens of technical papers. Besides research, they are fond of teaching and sharing with students. Commonly, they were awarded for their teaching contributions. Angus Wong obtained the Macao Polytechnic Insti-

tute s Best Teacher Awards in 2005-2006, whereas Alan Yeung obtained the City University of Hong Kong s Teaching Excellence Awards in 2000-2001. Another common point of Angus and Alan is that they are both responsible for the establishment and maintenance of Cisco switches and routers learning environment in their own universities. Students learning has proven to be enhanced significantly through their hand-on experience on networking devices.

Preface Unlike network information security which is concerned with data confidentiality and integrity by using techniques like cryptography, network infrastructure security is concerned with the protection of the network infrastructure itself, that is, to focus on how to detect and prevent routers or other network devices from being attacked or compromised. Although information assurance is important, it becomes meaningless if the data, no matter how secure its content is, cannot be delivered through the Internet infrastructure to the targeted destination correctly. Since the Internet, in the beginning, was assumed to work in a trustworthy environment, it was designed without much concern for security. As a result, the infrastructure is vulnerable to a variety of security threats and attacks, such as packet spoofing, routing table poisoning and routing loops. One of the reasons why network infrastructure security is important and has drawn much concern in recent years is that attacks to the infrastructure will affect a large portion of the Internet and create a large amount of service disruption. Since our daily operations highly depend on the availability and reliability of the Internet, the security of its infrastructure has become a high priority issue. We believe that the topic will draw much concern, and various countermeasure or solutions will be proposed to secure the infrastructure in the coming years.

Goal of writing This book aims to promote network infrastructure security by describing the vulnerabilities of some network infrastructure devices, particularly switches and routers, through various examples of network attack. The examples will be well illustrated in detail so that the operations and principles behind them are clearly revealed. To avoid serving as a hacking guide, the attack steps are described from the conceptual view. That is, we will write something like "If an attacker injects a packet with a fake source address, the server will believe the attacker is the right client Though some topics in this book have been covered in other books, the primary focus of them is information security or the ways of configuring the network devices. In writing this book, we attempt to emphasize on the network infrastructure security and draw the attention about it in the field. On the other hand, the network vulnerabilities and attacks mentioned in this book are mainly based on protocol exploitation, not on software bugs or computer viruses that are usually dependent on the particular platform, brand of router, operating system, version, etc.

Not goal of writing The purpose of this book is not to report new security flaws of network infrastructure devices. Most of the attacks discussed in this book have been already identified in the field, and the corresponding countermeasures have been proposed. If administrators are aware of the countermeasures, the attacks can be prevented. Security has a large scope, and so has network infrastructure security. This book does not attempt to provide an exhaustive list of attack methods of network infrastructure and their countermeasures. Actually, it is difficult, if not impossible to write a single book covering the vulnerabilities of all kinds of network protocols on network devices with different brands model running different versions of OSes. On the other hand, to make the book concise, it does not thoroughly explain TCP/IP or network protocols; nor does the book teach the full operations of switches or routers. Nonetheless, the basic idea of them will be covered to facilitate the discussion of the topics. Assumptions The readers are assumed to have basic understanding on computer networks and TCP/IP, and would like to learn more about the security of the major part of a computer network the network infrastructure. On the other hand, since IP is the most common protocol in the network layer, this book only covers IP routers (i.e., routing based on IP). Similarly, since Ethernet is the most popular media access protocol, the switches mentioned in this book refer to Ethernet switches.

Audience The book can be used as a text for undergraduate courses at senior levels, or for postgraduate courses. It can also be used for engineer/practitioners for advancing their knowledge on network infrastructure security. In general, network infrastructure security is an area of great interest to IP service providers, network operators, IP equipment vendors, software developers, and university instruction at the both graduate and undergraduate levels. Specifically, The people in the information security field can benefit being acquainted with another aspect of security network infrastructure security. The people already in the field of network infrastructure security can benefit from having a resource exclusively for the topic. The people in the network field can benefit from acquiring more information about the security of the devices (switches and routers) they are dealing with everyday. The teachers in Universities can benefit from having the syllabuses of network related courses enriched with the topics of network infrastructure security. Since this book does not focus on a particular platform or brand of network devices but the general principle of network infrastructure security, it is suitable for a wide range of readership.

Chapter design The organization of this book is straightforward -- from lower to higher layer, and from basic concept of network infrastructure security to the research solution to future network device design. Therefore, this book is recommended to be read from chapter to chapter. Firstly, we explain what is network infrastructure security in Chapter 1. Then, we discuss the vulnerabilities of network infrastructure devices starting from data link, network, to application layers in Chapters 2, 3 to 4 respectively. It is followed by Chapter 5 in which the proof-of-concept demonstrations (by practical step by step procedure) of the vulnerabilities are provided. Finally, to fundamentally protect the network infrastructure, a new approach in designing network devices is proposed in Chapter 6. The following gives the general description of each chapter.

Table of Content 1. Introduction to Network Infrastructure Security 1 1.1 Internet infrastructure 1 1.2 Key components in the Internet infrastructure 4 1.3 Internet infrastructure security 2. Network Infrastructure Security -- Switching 9 19 2.1 Introduction 19 2.2 How Switches can be Attacked 3. Network Infrastructure Security Routing 22 59 3.1 Introduction 59 3.2 Overview of Internet Routing 63 3.3 External and internal attacks 72 3.4 RIP Attacks and Countermeasures 84 3.5 OSPF Attacks and Countermeasures 94 3.6 BGP Attacks and Countermeasures 110 4. Network Infrastructure Security -- Address Configuration and Naming 137 4.1 Introduction 137 4.2 DHCP Attack 138 4.3 DNS Attack 5. Experiments for Illustrating Network Infrastructure Attacks 146 181 5.1 Purpose of the Chapter 181 5.2 Attack Experiments 187 6. Protecting Network Infrastructure A New Approach 6.1 Purpose of the Chapter 219 219 6.2 Analysis on Security Problems of Network Infrastructure 220 6.3 Steps in Hacking Network Infrastructure 228 6.4 Flat Network Design Model and Masquerading 236 6.5 A New Model to Protect Network Infrastructure 238 Index 263

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information