
security - Geoff Huston


Network Security, ISOC NTW 2000. © 2000, Cisco Systems, Inc.


Transcription of security - Geoff Huston

Network Security
ISOC NTW 2000

Introduction

Network Security Components

ISP Example
[Diagram labels: Customer Site; ISP Management Plane; T1; WWW; DNS1; Pub1; TFTP; DNS2; Pub 2; ISP Service Plane; Foreign Site; Internet]

Enterprise Example
[Diagram labels: Protected Network; Engineering; Admin; Finance; Dial-Up Access; Business Partners; DNS Server; WWW Server; Internet]

Current Threats and Attack Methods

Attack Trends
- Exploiting passwords and poor configurations
- Software bugs
- Trojan horses
- Sniffers
- IP address spoofing
- Toolkits
- Distributed attacks

Attack Trends
[Chart labels: High; Low; 1988; 2000; Attack Sophistication; Attacker Knowledge]

Vulnerability Exploit Cycle
- Advanced Intruders Discover Vulnerability
- Crude Exploit Tools Distributed
- Novice Intruders Use Crude Exploit Tools
- Automated Scanning/Exploit Tools Developed
- Widespread Use of Automated Scanning/Exploit Tools
- Intruders Begin Using New Types of Exploits
Source: CERT Coordination Center

Increasingly Serious Impacts
- $10M transferred out of one banking system
- Loss of intellectual property - $2M in one case, the entire company in another
- Extensive compromise of operational systems - 15,000 hour recovery operation in one case
- Alteration of medical diagnostic test results
- Extortion - demanding payments to avoid operational problems

Evolving Dependence
- Networked appliances/homes
- Wireless stock transactions
- On-line banking
- Critical infrastructures
- Business processes

The Community's Vulnerability
[Figure labels: 100% vulnerable; Internal Exploitation; External Exploitation; 75% vulnerable; Internet]
Source: Cisco Security Posture Assessments 1996-1999

Unauthorized Use
[Chart: Percentage of Respondents answering Yes / No / Don't Know, 1996-2000]
Source: 2000 CSI/FBI Computer Crime and Security Survey

Conclusion
Sophisticated attacks + Dependency + Vulnerability

Classes of Attacks
- Reconnaissance: Unauthorized discovery and mapping of systems, services, or vulnerabilities
- Access: Unauthorized data manipulation, system access, or privilege escalation
- Denial of Service: Disable or corrupt networks, systems, or services

Reconnaissance Methods
- Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
- Public tools: Sniffers, SATAN, SAINT, NMAP, custom scripts

Network

    telnet Router5
    User Access Verification
    Username: squiggie
    password: Sq%*jkl[;T
    Router5>ena
    Password: jhervq5
    Router5#

Got It !!

[Diagram label: Router5]

ISP Example
[Diagram labels: Customer Site; ISP Management Plane; T1; WWW; DNS1; Pub1; TFTP; DNS2; Pub 2; ISP Service Plane; Foreign Site; Internet]

Enterprise Example
[Diagram labels: Protected Network; Engineering; Admin; Finance; Dial-Up Access; Business Partners; DNS Server; WWW Server; Internet]

nmap

Network mapper is a utility for port scanning large networks:
- TCP connect() scanning
- TCP SYN (half open) scanning
- TCP FIN, Xmas, or NULL (stealth) scanning
- TCP ftp proxy (bounce attack) scanning
- SYN/FIN scanning using IP fragments (bypasses some packet filters)
- TCP ACK and Window scanning
- UDP raw ICMP port unreachable scanning
- ICMP scanning (ping-sweep)
- TCP Ping scanning
- Direct (non portmapper) RPC scanning
- Remote OS Identification by TCP/IP Fingerprinting (nearly 500)
- Reverse-ident scanning

nmap

    nmap {Scan Type(s)} [Options] <host or net list>

Example:

    my-unix-host% nmap -sT my-router
    Starting nmap V. by ( )
    Interesting ports on ( )
    (The 1521 ports scanned but not shown below are in state closed)
    Port       State       Service
    21/tcp     open        ftp
    22/tcp     open        ssh
    23/tcp     open        telnet
    25/tcp     open        smtp
    37/tcp     open        time
    80/tcp     open        http
    110/tcp    open        pop-3

Why Do You Care?

The more information you have, the easier it will be to launch a successful attack:
- Map the network
- Profile the devices on the network
- Exploit discovered vulnerabilities
- Achieve objective

Access Methods
- Exploiting passwords: brute force, cracking tools
- Exploit poorly configured or managed services: anonymous ftp, tftp, remote registry access, nis, ..
- Trust relationships: rlogin, rexec, ..
- IP source routing
- File sharing: NFS, Windows File Sharing

Access Methods cont'd
- Exploit application holes
- Mishandled input data: access outside application domain, buffer overflows, race conditions
- Protocol weaknesses: fragmentation, TCP session hijacking
- Trojan horses: programs that plant a backdoor into a host

IP Packet
- Internet Protocol
- IP = connectionless network layer
- SAP = 32 bits IP address
- RFC 791, Sep 1981

IP: Packet Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header
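Added example (not part of the original slides): a filter-side decoder for the RFC 791 header fields shown above that reports two of the conditions the Access Methods slides name, IP source routing and fragmentation. The function names, the sample packets and the 20-byte first-fragment threshold are assumptions made for this illustration.

```python
import struct
SOURCE_ROUTE = {131: "LSRR", 137: "SSRR"}  # RFC 791 source-route option types
FMT = "!BBHHHBBH4s4s"                      # the fixed 20-byte header

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header; the checksum is read but not verified."""
    if len(pkt) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("bad version or header length")
    return {"ihl": ihl, "total_length": total_len, "ttl": ttl, "protocol": proto,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,  # field is in 8-byte units
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "options": pkt[20:ihl * 4]}

def option_types(options: bytes) -> list:
    """Walk the options area and return the multi-byte option types present."""
    found, i = [], 0
    while i < len(options) and options[i] != 0:      # 0 = End of Option List
        if options[i] == 1:                          # 1 = No-Operation, one byte
            i += 1
        elif i + 1 < len(options) and options[i + 1] >= 2:
            found.append(options[i])
            i += options[i + 1]                      # skip type, length and data
        else:
            break                                    # malformed length byte
    return found

def findings(pkt: bytes) -> list:
    """Observations a packet filter would act on for one packet."""
    h = parse_ipv4_header(pkt)
    out = [SOURCE_ROUTE[t] for t in option_types(h["options"]) if t in SOURCE_ROUTE]
    payload = h["total_length"] - h["ihl"] * 4
    # Assumed threshold: a first TCP fragment under 20 bytes cannot hold the TCP header.
    if h["protocol"] == 6 and h["mf"] and h["frag_offset"] == 0 and payload < 20:
        out.append("tiny-first-fragment")
    return out

# Constructed sample packets (documentation addresses, zero checksum, protocol 6 = TCP).
def _sample(ihl, total_len, flags_frag, rest=b""):
    return struct.pack(FMT, 0x40 | ihl, 0, total_len, 1, flags_frag, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + rest
SRC_ROUTED = _sample(7, 28, 0, bytes([131, 7, 4, 203, 0, 113, 9, 0]))
TINY_FRAG = _sample(5, 28, 0x2000, bytes(8))
NORMAL = _sample(5, 40, 0x4000, bytes(20))
```

findings(SRC_ROUTED) reports the loose source route option, findings(TINY_FRAG) reports the undersized first fragment, and findings(NORMAL) is empty.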

