Module 10
Network Infrastructure Security
Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty Of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: ahmad4_2_69@hotmail.com




Network Security
Philadelphia University   Ahmad Al-Ghoul 2010-2011       1
Module Objectives
- Describe exploitation and choose appropriate security measures for hubs, bridges or switches, and routers
- Document ways in which a firewall could be compromised and select related security solutions
- List the potential for private branch exchange (PBX) exploitations and choose appropriate methods for securing a PBX
- Describe modem exploitations and select appropriate security measures

On a computer network, the network infrastructure includes the cables, connectivity devices, hosts, and connection points of the network. In this chapter you learn ways in which network infrastructure equipment might be exploited or attacked. This chapter also presents strategies and devices that can increase the security of your network.




Infrastructure Security Overview
- You must control access to critical resources, protocols, and network access points. This includes protecting the physical security of equipment and the configuration of devices.
- Attacks against your network infrastructure can include physical attacks, such as destruction or theft of equipment, and the physical modification of equipment configurations. Attacks can also involve the logical modification of network infrastructure device configurations, such as changing a routing or switching table.
- You can protect your physical network infrastructure with security personnel, closed-circuit TV, alarms, access cards, locks, tamper-proof seals, backup electrical power, and similar measures.
- Restrict remote administration of network infrastructure equipment whenever possible. When you must allow remote administration, be sure to use the most secure authentication and encryption possible.


Securing Network Cabling
- Network cabling is a vulnerable part of your network infrastructure. However, an attacker or spy must have physical access to your cable (or at least be able to get close to the cable) to exploit or attack your network cable infrastructure.
- Sabotage is a simple matter for a saboteur who is able to gain physical access to your network cable infrastructure. The saboteur could cut a coaxial or twisted-pair cable to disrupt network communications. Also, coaxial and twisted-pair cable are susceptible to EMI and RFI, so a source of EMI/RFI placed near a cable or wire bundle could be enough to disrupt communications. Fiber optic cable is impervious to EMI and RFI, but is easily broken.
- Use the following techniques to protect your cable infrastructure:
- Document your entire cable infrastructure. Keep that documentation current. Investigate all hosts and connectivity devices that are not documented.
- Protect your network cable as much as possible by burying it underground, placing it inside walls, and protecting it with tamper-proof containers.
- Check the physical integrity of your network infrastructure cabling on a regular basis. Verify your network infrastructure after power outages.
- Enable managed devices to alert you of the presence of disconnected cables or unauthorized connections. Investigate all alerts and outages.


Securing Hubs
- Because hubs are physical devices, they should be physically protected. Try to lock hubs in wiring closets. If the hub cannot be locked in a room or closet, try to secure it in some other type of protective encasement. At a minimum, you should periodically check hubs to be sure that all cables are connected properly and that no rogue connections exist.
- Managed hubs can be used to detect physical configuration changes. Managed hubs report hub statistics and connection information to management software. You can configure a managed hub to send an alert when a configuration is modified. Of course, because a managed hub has a (software) configuration, an attacker could compromise the hub's configuration to disrupt network communication or mask evidence of another attack.




Switches and Bridges
- Switches and bridges maintain a table that contains MAC address mappings to each of their connection points. The table allows the switch or bridge to direct Layer 2 communications to the correct network segment or port, making it a potential target for attack. A central switch could also be the target of a saboteur. Destroying a central switch, disconnecting power, or disconnecting all of the network cables would disrupt all communications passing through the device.
- If an attacker can gain administrative access to the switch or bridge, he or she can reroute network communications. These communications can be redirected to a host on the network under the control of the attacker, which could be the attacker's system or a system the attacker was able to gain control over using some other technique. If the attacker decides to sabotage communications on the network, he or she can do so at any time once administrative access is obtained. Of course, the attacker must gain administrative access to the bridge or switch first. A skilled attacker can do this by trying default administrative passwords or running a password attack against the device.




ARP Cache Poisoning
- Although switches and bridges segment the network, it might be possible for an attacker to use Address Resolution Protocol (ARP) cache poisoning (also known as ARP spoofing) to propagate traffic through a switch. ARP cache poisoning is a method for placing incorrect information in computers' ARP caches to misroute packets. The ARP cache is used to store Internet Protocol (IP) to MAC address mappings.
- For an attacker to conduct ARP cache poisoning, he or she must typically gain physical connectivity to the local segment. The attacker must then compromise the ARP caches of the hosts on that segment. ARP cache poisoning involves overwriting entries in the ARP cache to cause a computer to send all network traffic directly to the attacker's computer. If an attacker is able to do this to all the computers on the segment, he or she could effectively listen to (and forward) data packets without network users realizing it. The attacker would then be able to listen to the network traffic sent on that network, most likely to steal trade secrets or obtain unencrypted passwords.



Securing Switches and Bridges
- There are several measures you can take to prevent attacks against your switches and bridges. As with other network devices, you should physically secure them so they cannot be tampered with or destroyed. Here are other suggestions that can help to secure your switches and bridges:
- Secure all physical connections on your network segments. Be sure that no unauthorized connections can be made. Also, limit physical access to your switch locations and use security personnel and monitoring devices to ensure connectivity devices are secure.
- Set complex passwords for administrative consoles. Restrict device administration to as few people as possible from as few locations as possible. Also, be sure to change administrative passwords routinely and whenever an administrator leaves the company.




Securing Switches and Bridges
- Manually enter ARP mappings on critical devices, such as central servers, switches, bridges, and so on. If you manually enter all necessary MAC addresses, prevent the switch or bridge from learning new addresses.
- Keep your switches and bridges current with the latest vendor security patches.
- Document your device configurations so you know for sure what is normal and authorized.
- Monitor your network with management tools that alert you to unauthorized connections. Tools such as ARPWATCH can monitor activity on your network and keep a database of MAC-to-IP address mappings. The tool can also alert you to changes in these ARP mappings.
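The detection the ARP Cache Poisoning and Securing Switches and Bridges slides describe, as an added Python example that is not the lecture's code and not the arpwatch program itself: it keeps an ARPWATCH-style database of IP-to-MAC mappings learned from ARP replies, pins the mappings of critical hosts as static entries (the manually entered mappings the slide recommends), and raises an alert when an address suddenly claims a different MAC. The ArpReply and ArpMonitor names and the sample replies are my own constructions.

```python
"""ARP mapping monitor in the spirit of ARPWATCH (added example; not
code from the lecture or from the arpwatch project)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    # A simplified ARP reply: which IP-to-MAC mapping is being claimed and on
    # which switch port the frame was seen. Values below are constructed samples.
    sender_ip: str
    sender_mac: str
    port: int


@dataclass
class ArpMonitor:
    # IP -> MAC mappings entered by hand for critical devices; never allowed to change
    static: dict[str, str] = field(default_factory=dict)
    # IP -> (MAC, port) mappings learned from observed replies
    learned: dict[str, tuple[str, int]] = field(default_factory=dict)
    alerts: list[str] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> str:
        """Record one reply; return 'new', 'ok', 'changed' or 'static_conflict'."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        if ip in self.static:
            if self.static[ip] == mac:
                return "ok"
            # Someone is claiming the address of a pinned critical host (e.g. the gateway).
            self.alerts.append(
                f"STATIC CONFLICT: {ip} is pinned to {self.static[ip]} but "
                f"{mac} on port {reply.port} claims it")
            return "static_conflict"
        if ip not in self.learned:
            self.learned[ip] = (mac, reply.port)
            return "new"
        known_mac, known_port = self.learned[ip]
        if known_mac == mac:
            return "ok"
        # The poisoning signature: same IP now answered by a different MAC
        # (arpwatch reports this kind of change as a "flip flop").
        self.alerts.append(
            f"CHANGED: {ip} moved from {known_mac} (port {known_port}) to "
            f"{mac} (port {reply.port})")
        self.learned[ip] = (mac, reply.port)
        return "changed"


# Constructed sample traffic, not a real capture.
STATIC_MAPPINGS = {"192.168.1.1": "00:00:5e:00:01:01"}   # the default gateway, pinned
SAMPLE_REPLIES = [
    ArpReply("192.168.1.10", "00:11:22:33:44:55", 3),
    ArpReply("192.168.1.10", "00:11:22:33:44:55", 3),
    ArpReply("192.168.1.20", "00:aa:bb:cc:dd:ee", 5),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", 7),    # station on port 7 claims the gateway
    ArpReply("192.168.1.20", "de:ad:be:ef:00:01", 7),   # the same MAC now also claims .20
]


def run_arp_demo() -> tuple[list[str], list[str]]:
    """Feed the sample replies through the monitor; return verdicts and alerts."""
    mon = ArpMonitor(static=dict(STATIC_MAPPINGS))
    verdicts = [mon.observe(r) for r in SAMPLE_REPLIES]
    return verdicts, mon.alerts


if __name__ == "__main__":
    verdicts, alerts = run_arp_demo()
    print(verdicts)
    for line in alerts:
        print(line)
```

The two alerts in the sample come from one station on port 7 answering for two addresses it does not own, which is what a poisoning attempt looks like from the monitoring side; the port number in the alert is what lets an administrator go straight to the offending connection point.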



Securing Routers
- A central router could also be the target of a saboteur. Destroying a central router, disconnecting power, or disconnecting all of the network cables would disrupt all communications passing through the device. To increase the security of your routers, consider the following suggestions:
- Ensure the routers are kept in locked rooms or containers.
- Check the security of all incoming and outgoing connections.
- Limit physical access to your network cable infrastructure, wiring closets, and server rooms.
- Use security personnel and monitoring equipment to protect connection points and devices.
- Utilize complex passwords for administrative consoles. Be sure to change administrative passwords routinely and whenever an administrator leaves your organization.




Securing Routers
- Set access list entries to prevent inappropriate connections and routing of traffic. For example, packets with the IP address of your internal network should not be coming from the external interface on the router. If this happens, it is usually an indication that someone is trying to perform IP address spoofing.
- Keep your routers current with the latest vendor security patches.
- Be sure to document and regularly review your network configuration.
- Disable RIPv1 and utilize only RIPv2 or other routing protocols that allow you to secure router updates with passwords.




Firewalls
- The term firewall is used generically to describe any device that protects an internal network (or host) from malicious hackers or software on an external network (or network to which the host is connected). Firewalls perform a variety of tasks to filter out potentially harmful incoming or outgoing traffic or connections. They are often implemented between an organization's internal network and the Internet. However, this is not always the case. Some firewalls are used to subdivide internal networks or even to protect individual computers.
- The five main services that firewalls provide are packet filtering, application filtering, proxy server, circuit-level, and stateful inspection. These services are described in more detail in the following sections.




Packet Filtering
A packet filtering firewall or gateway checks each packet traversing the device. The firewall inspects the packet headers of all network packets going through the firewall. Packets are passed or rejected based on a set of predefined or administrator-defined rules. Packet filter rules can accept or reject network packets based on whether they are inbound or outbound, or due to the information contained in any of the following network data packet fields:
- Source IP Address. This field is used to identify the host that is sending the packet. Attackers could modify this field in an attempt to conduct IP spoofing. Firewalls are typically configured to reject packets that arrive at the external interface bearing a source address of the internal network because that is either an erroneous host configuration or an attempt at IP spoofing.
- Destination IP Address. This is the IP address that the packet is trying to reach.
- IP Protocol ID. Each IP header carries a protocol ID identifying the protocol that follows the IP header. For example, Transmission Control Protocol (TCP) is ID 6, User Datagram Protocol (UDP) is ID 17, and Internet Control Message Protocol (ICMP) is ID 1.
Packet Filtering
- TCP or UDP Port Number. The port number that indicates the service this packet is destined for, such as TCP port 80 for Web services.
- ICMP Message Type. ICMP supports several different functions that help to control and manage IP traffic. Some of these messages can be used to attack networks, so they are frequently blocked at the firewall. For example, ICMP echo requests can be exploited to cause a broadcast storm. You can read more about ICMP message types in Request for Comments (RFC) 793.
- Fragmentation Flags. Firewalls can examine and forward or reject fragmented packets. Some flawed implementations of TCP/IP allow for the reassembly of fragmented packets as whole packets (without receipt of the first packet, which contains the full header information). A successful fragmentation attack can allow an attacker to send packets that could compromise an internal host.
- IP Options Setting. This field is used for diagnostics. The firewall should be configured to drop network packets that use this field. Attackers could potentially use this field in conjunction with IP spoofing to redirect network packets to their systems.
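A header-based packet filter of the kind the two Packet Filtering slides describe, as an added Python example that is not the lecture's code. Rules match on the fields the slides list (direction, source and destination address, IP protocol ID, TCP/UDP port, ICMP type, the fragment flag and the presence of IP options); rules are evaluated in order, the first match decides, and a packet matching no rule gets the filter's default policy. The first rule is the anti-spoofing check from the Securing Routers slide (internal source address arriving on the external interface). The Packet and Rule formats, the rule set and the sample addresses (documentation ranges) are my own constructions.

```python
"""Header-based packet filter (added example; not the lecture's code)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1          # IP protocol IDs named on the slide
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    direction: str                  # "in" = arrived on the external interface, "out" = leaving
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None
    fragment: bool = False          # True for a non-first fragment (no full header present)
    ip_options: bool = False        # True if the IP options field is used


@dataclass
class Rule:
    action: str                     # "accept" or "reject"
    direction: Optional[str] = None # any field left as None is a wildcard
    src: Optional[str] = None       # CIDR network
    dst: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    fragment: Optional[bool] = None
    ip_options: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.direction is None or self.direction == p.direction,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
            self.icmp_type is None or self.icmp_type == p.icmp_type,
            self.fragment is None or self.fragment == p.fragment,
            self.ip_options is None or self.ip_options == p.ip_options,
        ])


def filter_packet(rules: list[Rule], p: Packet, default: str = "reject") -> str:
    """First matching rule wins; otherwise apply the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"            # constructed internal address range
RULES = [
    Rule("reject", direction="in", src=INTERNAL),                 # anti-spoofing
    Rule("reject", ip_options=True),                              # IP options field in use
    Rule("reject", fragment=True),                                # non-first fragments
    Rule("reject", direction="in", proto=ICMP, icmp_type=ICMP_ECHO_REQUEST),
    Rule("accept", direction="in", proto=TCP, dport=80, dst="10.0.0.5/32"),  # public web server
    Rule("accept", direction="out"),                              # all outbound traffic
]

# Constructed sample packets covering each field the rules look at.
SAMPLE_PACKETS = {
    "spoofed":  Packet("in", "10.1.2.3", "10.0.0.5", TCP, dport=80),
    "web":      Packet("in", "198.51.100.7", "10.0.0.5", TCP, dport=80),
    "ssh":      Packet("in", "198.51.100.7", "10.0.0.5", TCP, dport=22),
    "ping":     Packet("in", "198.51.100.7", "10.0.0.5", ICMP, icmp_type=ICMP_ECHO_REQUEST),
    "options":  Packet("in", "198.51.100.7", "10.0.0.5", TCP, dport=80, ip_options=True),
    "fragment": Packet("in", "198.51.100.7", "10.0.0.5", UDP, dport=53, fragment=True),
    "outbound": Packet("out", "10.0.0.9", "198.51.100.7", TCP, dport=443),
}


def evaluate_samples(default: str = "reject") -> dict[str, str]:
    """Run every sample packet through RULES under the given default policy."""
    return {name: filter_packet(RULES, p, default) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for policy in ("reject", "accept"):
        print(f"default policy = {policy}: {evaluate_samples(policy)}")
```

Only the "ssh" packet falls through every rule, so it is the one whose fate depends on the default policy: rejected under a default of reject, accepted under a default of accept. That is the practical difference between the two default policies, and why the explicit rules above are written as a short allow list rather than a long list of prohibitions.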
Application Filtering
- An application filtering firewall intercepts connections and performs security inspections. The firewall must be equipped with the appropriate applications to perform this task. In this way, the firewall acts as a proxy for connections between the internal and external network. The firewall can check and enforce access control rules specific to the application. Application filtering firewalls are used to check incoming e-mails for virus attachments; these firewalls are often called e-mail gateways.
                                                                

Proxy Server
- Like an application filtering firewall, a proxy server takes on responsibility for providing services between the internal and external network. However, the proxy server can actually be the server providing the services or it can create a separate connection to the requested server. In this way, a proxy server can be used to hide the addressing scheme of the internal network. Proxy servers can also be used to filter requests based on the protocol and address requested. For example, the proxy server could be configured to reject incoming connections to http://www.internal.local or outgoing connections to http://www.external.net.


Circuit-Level
- A circuit-level firewall controls TCP and UDP ports, but doesn't watch the data transferred over them. Therefore, if a connection is established, the traffic is transferred without any further checking.




Stateful Inspection
- A stateful inspection firewall works at the Network layer. The firewall evaluates the IP header information and monitors the state of each connection. Connections are rejected if they attempt any actions that are not standard for the given protocol.
- Any of these listed firewall features can be implemented in combination by a given firewall implementation. Placing multiple firewalls in series is a common practice to increase security at the network perimeter. If an attacker is able to breach the first firewall, the second offers additional protection. Using multiple firewalls in series (back-to-back) is one example of creating a defense-in-depth, as shown in Figure 4-1, which means that you are using multiple layers of protection to keep your network secure.
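A minimal state-tracking inspector of the kind this slide describes, as an added Python example that is not the lecture's code. It keeps a table of TCP connections keyed by the address and port pairs from the IP and TCP headers and only passes a packet when its flags make sense for the connection's current state: a bare ACK for a connection that was never opened with a SYN, or a SYN-ACK answering a SYN nobody sent, is rejected as not standard for the protocol, whereas a stateless port rule would have let both through. TcpPacket, StatefulInspector and the sample handshake are my own constructions.

```python
"""Minimal stateful TCP inspector (added example; not the lecture's code)."""
from __future__ import annotations
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10    # TCP flag bits


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulInspector:
    def __init__(self) -> None:
        # (client, client port, server, server port) -> connection state
        self.table: dict[tuple[str, int, str, int], str] = {}

    @staticmethod
    def _key(p: TcpPacket, reverse: bool = False) -> tuple[str, int, str, int]:
        return (p.dst, p.dport, p.src, p.sport) if reverse else (p.src, p.sport, p.dst, p.dport)

    def inspect(self, p: TcpPacket) -> str:
        fwd, rev = self._key(p), self._key(p, reverse=True)
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        closing = bool(p.flags & (FIN | RST))

        if fwd in self.table:                       # client -> server direction
            state = self.table[fwd]
            if state == "SYN_SENT" and syn and not ack:
                return "accept"                     # retransmitted SYN
            if state == "SYN_RECEIVED" and ack and not syn:
                self.table[fwd] = "ESTABLISHED"     # third step of the handshake
                return "accept"
            if state in ("ESTABLISHED", "CLOSING") and not syn:
                if closing:
                    self.table[fwd] = "CLOSING"
                return "accept"
            return "reject"                         # e.g. a SYN inside an open connection

        if rev in self.table:                       # server -> client direction
            state = self.table[rev]
            if state == "SYN_SENT" and syn and ack:
                self.table[rev] = "SYN_RECEIVED"    # second step of the handshake
                return "accept"
            if state in ("ESTABLISHED", "CLOSING") and not syn:
                if closing:
                    self.table[rev] = "CLOSING"
                return "accept"
            return "reject"

        # Unknown connection: only a clean SYN may open one. A bare ACK, a data
        # segment or a SYN-ACK with no matching SYN is not standard behaviour.
        if syn and not ack:
            self.table[fwd] = "SYN_SENT"
            return "accept"
        return "reject"


def run_tcp_demo() -> tuple[list[str], str, str]:
    """Constructed sample: a normal handshake plus two packets with no connection."""
    insp = StatefulInspector()
    client, server = ("192.0.2.10", 40000), ("203.0.113.5", 80)
    handshake = [
        TcpPacket(*client, *server, SYN),
        TcpPacket(*server, *client, SYN | ACK),
        TcpPacket(*client, *server, ACK),
        TcpPacket(*client, *server, ACK),           # first data segment
    ]
    stray_ack = TcpPacket("198.51.100.9", 51000, "192.0.2.10", 22, ACK)
    unsolicited_synack = TcpPacket("198.51.100.9", 80, "192.0.2.10", 45000, SYN | ACK)
    return ([insp.inspect(p) for p in handshake],
            insp.inspect(stray_ack),
            insp.inspect(unsolicited_synack))


if __name__ == "__main__":
    print(run_tcp_demo())
```

The stray ACK is the interesting case: a packet filter that simply permits "established" traffic by checking the ACK bit would pass it, while the state table rejects it because no handshake ever created the connection.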
                                                                            


Exploiting Firewalls
- Poorly implemented firewall configuration is a common reason firewalls are compromised. For example, firewalls can be configured with a default-allow rule or a default-deny rule. The default-allow rule (also known as allow-all) means that a firewall permits all inbound network packets except those that are specifically prohibited. Network administrators and security personnel usually view this setting as too permissive. The other option is the default-deny rule, which rejects all inbound packets except those that are specifically permitted. This is the standard configuration of a secure firewall.
- Flaws in firewall software are another reason firewalls are compromised. Usually, vendors release software patches or temporary solutions quickly after they are made publicly known. The following list describes other ways in which firewalls might be compromised:
                                                                          

Securing Firewalls
- As described in the previous section, there are several ways an attacker might attempt to neutralize your firewall, so protecting it requires vigilance. To protect your firewall, follow this advice:
- Keep track of security bulletins concerning your firewall product. Apply all software patches as they are made available.
- Update virus definition files routinely.
- Physically protect the firewall.
- Document the firewall configuration and review that configuration regularly.
- Limit the methods for managing the firewall. If remote management is allowed, use the most secure authentication available.
- Use complex passwords. Be sure to change administrative passwords routinely, and always change them when an administrator leaves your organization.
- Know and test the firewall rules by trying to make connections to unauthorized ports or services from outside the firewall.
- Ensure that there are no network paths or connections that can be used to circumvent the firewall.
Telecommunications Hacking
- Telecommunications systems provide internal phone services for many organizations. These private telecommunications systems are known as PBX systems. They usually offer a variety of features such as voice mail, multiple-party calling, long-distance access restrictions, and call tracking. PBX systems are potential targets for attackers. Attackers who gain unauthorized access to the PBX system could potentially use it to do the following:
- Make free long-distance calls by changing billing records.
- Compromise or shut down the organization's voice mail system.
- Reroute incoming, transferred, or outgoing calls.
- Compromise the rest of your organization's network, as PBX systems are part of your network infrastructure. For example, locate a modem-equipped PC. Use that PC to create an analog connection to the internal network, and then use the analog connection to access the internal network.
                                                                                   



Hacking PBX Systems
- PBX systems are frequently an organization's most valuable communication asset. If the PBX system is compromised, the organization could lose business. There are relatively few brands of PBX systems available, so an attacker could use knowledge of a few select systems to compromise a wide variety of businesses. Although PBX systems are complex, a skilled attacker could use the system to compromise your network infrastructure. There are a variety of methods that an attacker might use to compromise the PBX system:
- PBX systems come with default passwords for system maintenance. Attackers could run password attacks to guess these PBX maintenance passwords. Once an attacker acquires a management password, he or she can reconfigure the PBX system.
- PBX systems are often expensive and upgrades are difficult. Therefore, many businesses use older PBX systems that might have unencrypted databases with obvious data structures that could be manipulated.




Hacking PBX Systems
- PBX security is not as popular a topic as computer security. Many businesses don't think to protect their PBX systems or know how to do so. Users might be tricked into giving up passwords for the telephone system because awareness of exploitation is not as high as it is with computer systems.
- Remote management and upgrades of PBX systems are commonplace. Remote connections could be used to install malicious software or reconfigure the PBX system.
- Many people use and have access to the PBX-connected telephones. These terminals could be used to attack or reconfigure the PBX system.
- Telecommunications infrastructure might extend into unused floors and offices, making it easier for someone to hide an unauthorized connection (or conceal hacking attempts).
                                                                       

Modems
- Modems connect computers to the Internet and to private networks, but those connections could be susceptible to compromise or attack. As explained earlier, modems can be used to circumvent the security provided by your organization's firewall and other security devices. Modems can provide direct access to a system on a network and potentially be used to access other systems on that network. Exploited modem dialing software can be used to erase hard drives or cause the modem to dial emergency services, for example.
- To protect your network from modem exploits, follow these procedures:
- Remove all unnecessary modems from computers on your network.
- Check for software updates for all computers that must have modems.
- Monitor security bulletins from modem vendors for newly discovered security gaps and apply software patches as soon as they are available.
- Isolate computers configured with modems to limit the damage that can be caused by those systems should the modem be compromised.
- Monitor computers with modems regularly to ensure they have not been compromised.
                                                                                   


