
security - potaroo.net


Network Security, ISOC NTW 2000. © 2000, Cisco Systems, Inc.


Transcription of security - potaroo.net

Network Security
ISOC NTW 2000

Introduction

Network Security Components

ISP Example
[Diagram: Customer Site, ISP Management Plane, T1, WWW, DNS1, Pub1, TFTP, DNS2, Pub2, ISP Service Plane, Foreign Site, Internet]

Enterprise Example
[Diagram: Protected Network, Engineering, Admin, Finance, Dial-Up Access, Business Partners, DNS Server, WWW Server, Internet]

Current Threats and Attack Methods

Attack Trends
- Exploiting passwords and poor configurations
- Software bugs
- Trojan horses
- Sniffers
- IP address spoofing
- Toolkits
- Distributed attacks

Attack Trends
[Chart: Attack Sophistication and Attacker Knowledge, scale High to Low, 1988 to 2000]

Vulnerability Exploit Cycle
- Advanced Intruders Discover Vulnerability
- Crude Exploit Tools Distributed
- Novice Intruders Use Crude Exploit Tools
- Automated Scanning/Exploit Tools Developed
- Widespread Use of Automated Scanning/Exploit Tools
- Intruders Begin Using New Types of Exploits
Source: CERT Coordination Center

Increasingly Serious Impacts
- $10M transferred out of one banking system
- Loss of intellectual property - $2M in one case, the entire company in another
- Extensive compromise of operational systems - 15,000 hour recovery operation in one case
- Alteration of medical diagnostic test results
- Extortion - demanding payments to avoid operational problems

Evolving Dependence
- Networked appliances/homes
- Wireless stock transactions
- On-line banking
- Critical infrastructures
- Business processes

The Community's Vulnerability
[Chart labels: 100% vulnerable, Internal Exploitation, External Exploitation, 75% vulnerable, Internet]
Source: Cisco Security Posture Assessments 1996-1999

Unauthorized Use
[Chart: Percentage of Respondents answering Yes, No, Don't Know; years 1996 to 2000]
Source: 2000 CSI/FBI Computer Crime and Security Survey

Conclusion
Sophisticated attacks + Dependency + Vulnerability

Classes of Attacks
- Reconnaissance: Unauthorized discovery and mapping of systems, services, or vulnerabilities
- Access: Unauthorized data manipulation, system access, or privilege escalation
- Denial of Service: Disable or corrupt networks, systems, or services

Reconnaissance Methods
- Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
- Public tools: Sniffers, SATAN, SAINT, NMAP, custom scripts

Network
[Diagram: a telnet session to Router5 with the text below, captioned "Got It !!"]
  telnet Router5
  User Access Verification
  Username: squiggie
  password: Sq%*jkl[;T
  Router5>ena
  Password: jhervq5
  Router5#

ISP Example
[Diagram: Customer Site, ISP Management Plane, T1, WWW, DNS1, Pub1, TFTP, DNS2, Pub2, ISP Service Plane, Foreign Site, Internet]

Enterprise Example
[Diagram: Protected Network, Engineering, Admin, Finance, Dial-Up Access, Business Partners, DNS Server, WWW Server, Internet]

nmap
Network mapper is a utility for port scanning large networks:
- TCP connect() scanning
- TCP SYN (half open) scanning
- TCP FIN, Xmas, or NULL (stealth) scanning
- TCP ftp proxy (bounce attack) scanning
- SYN/FIN scanning using IP fragments (bypasses some packet filters)
- TCP ACK and Window scanning
- UDP raw ICMP port unreachable scanning
- ICMP scanning (ping-sweep)
- TCP Ping scanning
- Direct (non portmapper) RPC scanning
- Remote OS Identification by TCP/IP Fingerprinting (nearly 500)
- Reverse-ident scanning

nmap
  nmap {Scan Type(s)} [Options] <host or net list>

Example:
  my-unix-host% nmap -sT my-router
  Starting nmap V. by ( )
  Interesting ports on ( )
  (The 1521 ports scanned but not shown below are in state closed)
  Port       State    Service
  21/tcp     open     ftp
  22/tcp     open     ssh
  23/tcp     open     telnet
  25/tcp     open     smtp
  37/tcp     open     time
  80/tcp     open     http
  110/tcp    open     pop-3

Why Do You Care?
The more information you have, the easier it will be to launch a successful attack:
- Map the network
- Profile the devices on the network
- Exploit discovered vulnerabilities
- Achieve objective

Access Methods
- Exploiting passwords
  - Brute force
  - Cracking tools
- Exploit poorly configured or managed services
  - anonymous ftp, tftp, remote registry access, nis, ..
  - Trust relationships: rlogin, rexec, ..
  - IP source routing
  - File sharing: NFS, Windows File Sharing

Access Methods (cont'd)
- Exploit application holes
  - Mishandled input data: access outside application domain, buffer overflows, race conditions
- Protocol weaknesses: fragmentation, TCP session hijacking
- Trojan horses: Programs that plant a backdoor into a host

IP Packet
- Internet Protocol
- IP = connectionless network layer
- SAP = 32 bits IP address
- RFC 791, Sep 1981

IP: Packet Format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Internet Datagram Header

IP Spoofing
[Diagram: hosts A, B, C and an Attacker; the attacker says "Hi, my name is B"]

IP: Normal Routing
[Diagram: hosts A, B, C; routers Ra, Rb, Rc; packet A -> B]
Routing based on routing tables
Routing table entries shown: "B via Rb", "C via Rc", "A, C via Ra", "B via Ethernet", "B,C via Ra"

IP: Source Routing
[Diagram: hosts A, B, C; routers Ra, Rb, Rc; packet "A -> B via Ra, Rb"]
Routing based on IP datagram option
Routing table entries shown: "B unknown", "C via Rc"

IP Unwanted Routing
[Diagram: DMZ, intranet, Internet; routers R1, R2; hosts A, B, C; packet "C->A via R1, R2"]
Routing table entries shown: "A unknown, B via Internet"; "A unknown, B via R1"; "A unknown, B via DMZ"; "A via Intranet, B via DMZ"; "C unknown"

IP Unwanted Routing (Cont.)
[Diagram: B (acting as router), Internet, dial-up PPP, intranet; hosts A, C; packet "C->A via B"]
Routing table entries shown: "A unknown, B via Internet"; "A unknown, B via PPP"; "A via Ethernet, C via PPP"

IP Spoofing Using Source Routing
[Diagram: hosts A, B, C; routers Ra, Rb, Rc; packets "B->A via C,Rc,Ra" and "A->B via Ra,Rc,C"]
- Back traffic uses the same source route
- B is a friend, allow access

Transport Control Protocol
- TCP = connection oriented transport layer
- RFC 793, Sep 1981
- SAP = 16 bits TCP ports

TCP Packet Format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
TCP Header Format

TCP connection establishment
[Diagram: hosts B and A exchanging the segments below, in order]
  flags=SYN, seq=(Sb,?)
  flags=SYN+ACK, seq=(Sa,Sb)
  flags=ACK, seq=(Sb,Sa)
  flags=ACK, seq=(Sb,Sa+8)
  data=Username:

TCP blind spoofing
[Diagram: hosts B and A]
  flags=SYN, seq=(Sb,?)
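
A defender-side check for the "IP: Source Routing" and "IP Spoofing Using Source Routing" slides above, as an added example that is not part of the original deck: it walks the options area of the IPv4 header (RFC 791) and reports a loose (0x83) or strict (0x89) source route so the packet can be logged or dropped at a filter. The function names, the `build_header` helper and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# IPv4 option type bytes from RFC 791
LSRR, SSRR = 0x83, 0x89          # loose / strict source and record route
EOL, NOP = 0x00, 0x01            # single-byte options (no length field)

def source_route(packet: bytes):
    """Return (kind, [hops]) if the header carries LSRR/SSRR, else None; ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or ihl * 4 > len(packet):
        raise ValueError("bad version or IHL")
    opts = packet[20:ihl * 4]    # options live between byte 20 and IHL*4
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of bounds")
        if kind in (LSRR, SSRR):
            # layout: type, length, pointer, then 4-byte route entries
            if length < 3 or (length - 3) % 4:
                raise ValueError("malformed source route option")
            data = opts[i + 3:i + length]
            hops = [str(ipaddress.IPv4Address(data[j:j + 4]))
                    for j in range(0, len(data), 4)]
            return ("LSRR" if kind == LSRR else "SSRR", hops)
        i += length
    return None

def build_header(src, dst, options=b""):
    """Constructed test input: IPv4 header (checksum left zero) followed by options."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + options

# Constructed samples using documentation addresses: one plain, one with LSRR via two hops
PLAIN = build_header("192.0.2.10", "198.51.100.20")
ROUTED = build_header("192.0.2.10", "198.51.100.20",
                      bytes([LSRR, 11, 4]) + bytes([203, 0, 113, 1, 203, 0, 113, 2]))
```

A filter built on this would treat any non-`None` result, and any `ValueError`, as grounds to drop the packet, since legitimate traffic rarely carries source-route options.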

