MIS450_Ch.4.pdf

Information Security and Networking - MIS450

Corporate Computer Security, 4th Edition Randall J. Boyle & Raymond R. Panko

Chapter 4 Security Networks

(pages 209-254)

Learning Objectives

• Describe the goals of creating secure networks.

• Explain how denial-of-service (DoS) attacks work.

• Explain how ARP poisoning works.

• Know why access controls are important for networks.

• Explain how to secure Ethernet networks.

• Describe wireless (WLAN) security standards.

• Describe potential attacks against wireless networks.

What’s Next?

4.1 Introduction

4.2 Denial-of-Service (DoS) Attacks

4.3 ARP Poisoning

4.4 Access Control for Networks

4.5 Ethernet Security

4.6 Wireless Security

4.1: Threats to Secure Networks (p. 210)

• Cryptography provides confidentiality, authentication, and message integrity

• Modern networks have additional vulnerabilities that cryptography alone does not address:

• The means of delivering the messages could be stopped, slowed, or altered

• The route the messages took could be altered

• Messages could be redirected to false recipients

• Attackers could gain access to communication channels that were previously considered closed and confidential

10/24/2020

4.1: Creating Secure Networks

Goals of Creating Secure Networks

1. Availability—users have access to information services and network resources

2. Confidentiality—preventing unauthorized users from gaining information about the network

3. Functionality—preventing attackers from altering the capabilities or normal operation of the network

4. Access control—keeping attackers or unauthorized employees from accessing internal resources

4.1: Death of the Perimeter

• The “castle” model

• Good guys on the inside, attackers on the outside, and a well-guarded point of entry

• Death of the Perimeter

• It is impractical, if not impossible, to force all information in an organization through a single point in the network

• New entry points into networks (e.g., smartphones) are constantly emerging

• The line between “good guys” and “bad guys” has become blurred

4.1: Death of the Perimeter

• The “city” model

• No distinct perimeter, and there are multiple ways of entering the network

• Like a real city, who you are determines which buildings you are able to enter

• Greater need for:

• Internal intrusion detection

• Virtual LANs

• Central authentication servers

• Encrypted internal traffic


4.2: Denial of Service (DoS) Attacks (p. 213)

• What is a DoS attack?

• An attempt to make a server or network unavailable to legitimate users, typically by flooding it with attack packets

• What is NOT a DoS attack?

• Faulty coding that causes a system to fail (an outage, not an attack)

• Referrals from large websites that overwhelm smaller websites (legitimate traffic, not attack packets)

4.2: Goals of DoS Attacks

• Ultimate goal of DoS attacks is to cause harm

• Harm includes: losses related to online sales, industry reputation, employee productivity, customer loyalty, etc.

• The two primary means of causing harm via DoS attacks include:

1. Stopping critical services

2. Slowly degrading services

4.2: Methods of DoS Attacks

• Direct DoS Attack

• An attacker tries to flood a victim with a stream of packets sent directly from the attacker’s computer, carrying the attacker’s real source IP address

• Indirect DoS Attack

• The source IP address of the attack packets is spoofed (i.e., faked), so the attack appears to come from another computer and any replies go there instead of to the attacker

4.2: SYN Flood DoS Attack (p. 216)


4.2: Intermediaries (Bots)

• Bots

• Updatable attack programs running on compromised hosts

• Botmaster can update the software to change the type of attack the bot can perform

• May sell or lease the botnet to other criminals

• Botmaster can update the bot to fix bugs

• Botmaster can control bots via a handler

• Handlers are an additional layer of compromised hosts that are used to manage large groups of bots

4.2: Fixing and Updating Bots (p. 218)


4.2: Types of DoS Packets Sent (p. 217)

• Types of packets sent (figure, p. 217)

4.2: DDoS Attack (p. 219)


4.2: P2P DoS Attacks

• Peer-to-peer (P2P) redirect DoS attack

• Uses many hosts to overwhelm a victim using normal P2P traffic

• The attacker doesn’t have to control the hosts, just redirect their legitimate P2P traffic toward the victim

4.2: Peer-to-Peer Redirect Attack (p. 220)


4.2: Reflected DoS Attacks

• Reflected DoS attack

• Responses from legitimate services flood a victim

• The attacker sends requests to existing legitimate servers with the source address spoofed to the victim’s address (Step 1)

• The servers then send all their responses to the victim (Step 2)

• There is no redirection of traffic; the reflecting servers behave normally and are not compromised

4.2: Reflected DRDoS Attack (p. 221)


4.2: Reflected DoS Attacks

• Smurf Flood

• The attacker sends an ICMP echo request, with the source address spoofed to the victim’s, to the broadcast address of a network whose router is incorrectly configured to forward directed broadcasts

• Broadcasting enabled to all internal hosts

• The network device forwards the echo request to all internal hosts, and every host that answers sends its echo reply to the victim (multiplier effect)

4.2: Smurf Flood (p. 222)


4.2: Defending Against DoS Attacks

• Black holing

• Drop all IP packets from an attacker’s source address

• Not a good long-term strategy because attackers can quickly change source IP addresses

• An attacker may knowingly try to get a trusted corporate partner black holed by spoofing the partner’s address on attack packets

4.2: Defending Against DoS Attacks

• Validating the handshake

• Whenever a SYN segment arrives, the firewall itself sends back a SYN/ACK segment, without passing the SYN segment on to the target server (false opening)

• When the firewall gets a legitimate ACK back, the firewall sends the original SYN segment on to the intended server; SYNs that are never acknowledged (the typical spoofed flood) never reach the server

• Rate limiting

• Used to reduce a certain type of traffic to a reasonable amount

• Can frustrate attackers and legitimate users alike, since both are throttled
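The handshake validation described above, as an added example that is not part of the textbook or the slides. A firewall that keeps a table entry for every half-open connection would itself be a SYN-flood target, so this simulation answers each SYN with a keyed hash of the connection 4-tuple and a time bucket (a SYN cookie, the usual way to implement a stateless false opening) and forwards the SYN only when an ACK carrying that value comes back. The Segment class, the secret and the addresses are assumptions made for the example; a real SYN cookie also has to encode the client's MSS in the sequence number.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment model (assumed for the example)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


class SynProxy:
    """Firewall that answers SYNs on the server's behalf and forwards a SYN
    only after the client completes the three-way handshake with it.
    The SYN/ACK sequence number is an HMAC over the 4-tuple and a time bucket,
    so spoofed SYNs that are never acknowledged consume no memory."""

    def __init__(self, secret: bytes, bucket_seconds: int = 60, clock=time.time):
        self._secret = secret
        self._bucket = bucket_seconds
        self._clock = clock
        self.forwarded = []     # SYNs handed to the protected server
        self.dropped = 0        # ACKs that did not carry a valid cookie

    def _cookie(self, seg: Segment, bucket: int) -> int:
        msg = f"{seg.src}:{seg.sport}>{seg.dst}:{seg.dport}|{bucket}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return struct.unpack(">I", digest[:4])[0]      # 32-bit sequence number

    def _now_bucket(self) -> int:
        return int(self._clock()) // self._bucket

    def handle(self, seg: Segment):
        if seg.flags == "SYN":
            # False opening: reply for the server, keep no state.
            cookie = self._cookie(seg, self._now_bucket())
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SYN/ACK",
                           seq=cookie, ack=(seg.seq + 1) & 0xFFFFFFFF)
        if seg.flags == "ACK":
            expected = (seg.ack - 1) & 0xFFFFFFFF
            b = self._now_bucket()
            # Accept the current and the previous bucket to survive a boundary.
            if expected in (self._cookie(seg, b), self._cookie(seg, b - 1)):
                self.forwarded.append(seg)    # now the real server sees the SYN
                return "FORWARD"
        self.dropped += 1
        return "DROP"


def simulate() -> dict:
    """Constructed scenario: a spoofed flood, one real client, one forged ACK."""
    proxy = SynProxy(secret=b"rotate-this-secret")   # assumed key
    # 10,000 SYNs from spoofed sources that will never answer the SYN/ACK.
    for i in range(10_000):
        proxy.handle(Segment(f"198.51.100.{i % 254 + 1}", 1024 + i,
                             "192.0.2.10", 80, "SYN", seq=i))
    # A legitimate client completes the handshake with the firewall.
    syn = Segment("203.0.113.5", 40000, "192.0.2.10", 80, "SYN", seq=1000)
    synack = proxy.handle(syn)
    ack = Segment(syn.src, syn.sport, syn.dst, syn.dport, "ACK",
                  seq=1001, ack=synack.seq + 1)
    legit = proxy.handle(ack)
    # An ACK with a guessed number (no prior SYN/ACK) is dropped.
    bogus = proxy.handle(Segment("203.0.113.6", 40001, "192.0.2.10", 80,
                                 "ACK", seq=1, ack=12345))
    return {"forwarded": len(proxy.forwarded), "legit": legit,
            "bogus": bogus, "dropped": proxy.dropped}


if __name__ == "__main__":
    print(simulate())
```

The flood of 10,000 spoofed SYNs leaves the proxy with no per-connection state and the protected server never sees them; the one client that can receive the SYN/ACK gets forwarded. Linux implements the same idea with `net.ipv4.tcp_syncookies`.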

4.2: Stopping DoS Attacks (p. 224)



4.3: ARP Poisoning (p. 225)

• ARP (Address Resolution Protocol) Poisoning

• Network attack that manipulates host ARP tables to reroute local-area network (LAN) traffic

• Enables a man-in-the-middle attack: the attacker’s host relays, and can read or modify, traffic between the victims

• Requires an attacker to have a computer on the local network

• An attack on both the functionality and confidentiality of a network

4.3: ARP Poisoning

• Address Resolution Protocol (ARP)

• Used to resolve 32-bit IP addresses (e.g., 55.91.56.21) into 48-bit local MAC (Media Access Control) addresses (e.g., 01-1C-23-0E-1D-41)

• ARP tables (caches) store resolved addresses (see figure, p. 227)

4.3: Normal ARP Operation (p. 227)


4.3: ARP Poisoning

• The problem: ARP requests and replies do NOT require authentication or verification

• All hosts trust all ARP replies, including ones they never asked for

• ARP spoofing uses false ARP replies to map any IP address to any MAC address

• An attacker can manipulate ARP tables on all LAN hosts

• The attacker must send a continuous stream of unsolicited ARP replies, because cached entries expire and a genuine reply from the real host would otherwise restore the correct mapping

4.3: ARP Poisoning (p. 228)


4.3: ARP Poisoning

• ARP DoS Attack

• Attacker sends all internal hosts a continuous stream of unsolicited spoofed ARP replies saying the gateway (10.0.0.4) is at E5-E5-E5-E5-E5-E5 (Step 1)

• Hosts record the gateway’s IP address with the nonexistent MAC address (Step 2)

• The switch receives frames from internal hosts addressed to E5-E5-E5-E5-E5-E5 but cannot deliver them because no host has that address

• Frames addressed to E5-E5-E5-E5-E5-E5 are dropped, so the hosts lose all connectivity through the gateway
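ARP spoofing and the ARP DoS variant above both rely on replies that nobody asked for, which is exactly what a passive monitor on the LAN can flag. The following is an added example, not code from the textbook or the slides: it parses the 28-byte ARP packet format (IPv4 over Ethernet, RFC 826 layout), learns IP-to-MAC bindings from replies, and raises an alert when a reply arrives without a preceding request or changes an existing binding, which is how tools like arpwatch work. The sample packets, the gateway and host addresses, and the E5-E5-E5-E5-E5-E5 attacker address are constructed for the example.

```python
import struct

# ARP packet for IPv4 over Ethernet: hardware type, protocol type, hardware
# address length, protocol address length, operation, then sender MAC/IP and
# target MAC/IP. 28 bytes in total.
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split("-"))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a raw ARP packet (oper 1 = request, 2 = reply)."""
    return ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa),
                        mac_bytes(tha), ip_bytes(tpa))


def parse_arp(pkt: bytes) -> dict:
    """Decode a raw ARP packet; rejects anything that is not IPv4/Ethernet ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack(pkt[:ARP_HDR.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatcher:
    """Passive monitor: learns IP->MAC bindings from replies and flags
    (a) replies that answer no outstanding request and (b) bindings that change.
    Both are the signature of the poisoning described on the slides."""

    def __init__(self):
        self.table = {}          # ip -> mac learned from replies
        self.pending = set()     # (asker_ip, target_ip) of unanswered requests
        self.alerts = []

    def observe(self, pkt: bytes) -> None:
        a = parse_arp(pkt)
        if a["oper"] == 1:       # request: "who has tpa? tell spa"
            self.pending.add((a["spa"], a["tpa"]))
            return
        if a["oper"] != 2:
            return
        # A reply from spa to tpa answers the request tpa made about spa.
        key = (a["tpa"], a["spa"])
        if key in self.pending:
            self.pending.discard(key)
        else:
            self.alerts.append(f"unsolicited reply: {a['spa']} is-at {a['sha']} sent to {a['tpa']}")
        old = self.table.get(a["spa"])
        if old is not None and old != a["sha"]:
            self.alerts.append(f"binding changed: {a['spa']} {old} -> {a['sha']}")
        self.table[a["spa"]] = a["sha"]


def demo() -> dict:
    """Constructed traffic: normal resolution of the gateway, then a poisoned reply."""
    GW_IP, GW_MAC = "10.0.0.4", "00-1A-2B-3C-4D-5E"       # assumed gateway
    HOST_IP, HOST_MAC = "10.0.0.7", "00-1A-2B-3C-4D-7F"   # assumed client
    ATTACKER_MAC = "E5-E5-E5-E5-E5-E5"                     # from the slide
    w = ArpWatcher()
    w.observe(build_arp(1, HOST_MAC, HOST_IP, "00-00-00-00-00-00", GW_IP))
    w.observe(build_arp(2, GW_MAC, GW_IP, HOST_MAC, HOST_IP))
    clean_alerts = len(w.alerts)
    # Step 1 of the attack: unsolicited reply claiming the gateway is elsewhere.
    w.observe(build_arp(2, ATTACKER_MAC, GW_IP, HOST_MAC, HOST_IP))
    return {"clean_alerts": clean_alerts, "alerts": list(w.alerts),
            "gateway_now": w.table[GW_IP]}


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

The normal request/reply pair produces no alert; the forged reply produces two, and the monitor's own table now shows why the victim's traffic to 10.0.0.4 goes nowhere. Note that a passive monitor only sees replies sent to it or broadcast, so in practice it runs on a mirror port or on each host.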

4.3: ARP DoS Attack (p. 229)


4.3: ARP Poisoning

• Preventing ARP Poisoning

• Static ARP tables are manually set, so spoofed replies do not overwrite the entries

• Most organizations are too large, change too quickly, and lack the experience to effectively manage static IP and ARP tables

• Limit Local Access

• Foreign hosts must be kept off the LAN, since the attack requires a computer on the local network

4.3: SLAAC Attack

• Stateless Address Auto Configuration (SLAAC) attack

• An attack on the functionality and confidentiality of a network

• Occurs when a rogue IPv6 router is introduced to an IPv4-only network whose hosts are nevertheless IPv6-capable (most modern operating systems are)

• The rogue router’s advertisements make hosts autoconfigure IPv6 addresses and prefer the IPv6 route, so their traffic is rerouted through the rogue router, creating the potential for a man-in-the-middle (MITM) attack

4.3: Normal IPv4 LAN (p. 230)


4.3: SLAAC Attack (p. 231)



4.4: Corporate LAN (p. 232)



4.5: Ethernet and 802.1X (p. 234)


4.5: Extensible Authentication Protocol (EAP) (p. 235)


4.5: EAPOL and EAP over RADIUS (Remote Authentication Dial-In User Service) (p. 237)


4.5: RADIUS and EAP (p. 237)

RADIUS Functionality

• Authentication: uses EAP

• Authorizations: uses RADIUS authorization functionality

• Auditing: uses RADIUS auditing functionality


4.6: Wireless Network Access (p. 238)


4.6: Unauthorized Network Access

• Open networks can be legally accessed by anyone

• Found in public places like cafés, coffee shops, universities, etc.

• Private networks do not allow access unless it is specifically authorized

• Secured networks have security protocols enabled

• Users are authenticated and wireless traffic is encrypted

4.6: Unauthorized Wireless Access (p. 239)


4.6: Evil Twin Access Point (p. 241)


4.6: VPN Protection Against Evil Twin (p. 242)


4.6: Wireless DoS − Disassociation & Jamming (p. 243)


4.6: 802.11i or WPA Wireless LAN Access Control in 802.1X Mode (p. 245)


4.6: Extended EAP Protocols (p. 246)


4.6: 802.11 Core Security Protocol (p. 247)


4.6: Wired Equivalent Privacy (WEP) (p. 247)

• Origin of WEP

• Original core security standard of 802.11, created in 1997

• Uses a Shared Key

• Each station using the access point uses the same (shared) key

• The key is supposed to be secret, so knowing it “authenticates” the user

• All encryption uses this key

4.6: Wired Equivalent Privacy (WEP)

• Problem with Shared Keys

• If the shared key is learned, an attacker within radio range of an access point can read all traffic

• Shared keys should be changed frequently

• WEP had no way to do automatic rekeying

• Manual rekeying is expensive if there are many users

• Manual rekeying is operationally next to impossible if many or all stations use the same shared key, because of the work involved in rekeying many or all corporate clients

4.6: Wired Equivalent Privacy (WEP)

• Problem with Shared Keys

• Because “everybody knows” the key, employees often give it out to strangers

• If a dangerous employee is fired, the necessary rekeying may be impossible or close to it

4.6: Wired Equivalent Privacy (WEP)

• RC4 Initialization Vectors (IV)

• WEP uses RC4, a stream cipher, for fast and therefore cheap encryption

• If two frames are encrypted with the same RC4 key, the keystream is reused: XORing the two ciphertexts cancels it and exposes the plaintexts, and with enough such frames the attacker can learn the key

• To solve this, WEP encrypts with a per-frame key, which is the shared WEP key prepended with a 24-bit initialization vector (IV) that is sent in the clear

• However, the IV space is small and the way the IV is combined with the key means many frames “leak” a few bits of the key

• With high traffic, an attacker using readily available software can crack a shared key in two or three minutes

• (WPA’s TKIP still uses RC4 but with a 48-bit IV and per-packet key mixing that make key bit leakage negligible; WPA2 replaced RC4 with AES)
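The keystream-reuse problem on this slide, as an added example that is not from the textbook or the slides. It implements plain RC4 and WEP's per-frame keying (IV prepended to the shared key; the CRC-32 integrity value WEP also appends is left out) and shows two things: with one IV repeated, the XOR of two ciphertexts equals the XOR of the plaintexts and a single known plaintext, such as the fixed LLC/SNAP header that starts every frame, decrypts the other frame outright; and with only 24 IV bits, a sender choosing IVs at random repeats one after a few thousand frames. The 40-bit key, the IV and the two HTTP frames are constructed for the example; the RC4 test vector (key "Key") is the standard published one.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key-scheduling algorithm, then PRGA); returns n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: RC4 keyed with IV || shared key.
    The 24-bit IV travels in the clear in the frame header (ICV omitted here)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def keystream_reuse_demo() -> bool:
    """Two frames under the same IV: XOR of ciphertexts equals XOR of plaintexts,
    so the keystream drops out without the attacker ever knowing the key."""
    key = bytes.fromhex("0102030405")         # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                      # same IV for both frames
    p1 = b"GET /index.html HTTP/1.0\r\n"      # constructed frames
    p2 = b"POST /login HTTP/1.0\r\n\r\n"
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    n = min(len(p1), len(p2))
    return xor(c1, c2)[:n] == xor(p1, p2)[:n]


def decrypt_via_known_plaintext(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """Same IV, one known plaintext: recover that IV's keystream and decrypt
    any other frame sent under it. No key recovery needed."""
    keystream = xor(c_known, p_known)
    return xor(c_other, keystream)


def frames_until_iv_repeat(iv_bits: int = 24, seed: int = 1) -> int:
    """Number of frames sent with uniformly random IVs before one repeats.
    By the birthday bound this is on the order of sqrt(2**iv_bits), i.e. a few
    thousand frames for WEP's 24-bit IV; a sequential IV counter wraps after
    2**24 = 16,777,216 frames, which a busy access point reaches in hours."""
    rng = random.Random(seed)                 # seeded so the run is repeatable
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    print("keystream reuse visible:", keystream_reuse_demo())
    print("frames before an IV repeats (24-bit, random IVs):", frames_until_iv_repeat())
```

This is the attack the slide summarises: the per-frame IV was meant to stop keystream reuse, but 24 bits is far too few for it to hold, and the real WEP break (FMS and its successors) goes further by turning specific IV values into key bits. The same code with `iv_bits=48` never finishes in reasonable time, which is the point of TKIP's larger counter.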

4.6: Wired Equivalent Privacy (WEP)

• Conclusion

• Corporations should never use WEP for security
