INFO1200 – Hardening the Infrastructure

Defending Routers and Switches
  •   Attacking and Defending Network Devices
  •   Cisco IPv4 Denial of Service
  •   Cisco HTTP GET Buffer Overflow
  •   Cisco Discovery Protocol Denial of Service
  •   Confusing the Enemy – MAC Flooding & ARP Spoofing
  •   Breaking Out of Jail – VLAN Jumping
  •   Attacking SNMP
  •   Vulnerability Chaining

Attacking and Defending Network Devices
  Criteria for selecting attacks to demonstrate:
     •   Ease of exploit (how easy is it to accomplish?)
     •   Popularity (how common is it?)
     •   Impact (how dangerous is the exploit?)
  Cisco devices chosen for the examples
     - Why? Because of their market dominance in the router and switch
       market
     - Other vendors' equipment is also susceptible to these techniques


Cisco IPv4 Denial of Service
  Attack Summary
     - A special sequence of packets forces the router to believe that its
       input queue is full, so it stops accepting new traffic
  Defenses
     1. Use ACLs to prohibit unauthorized traffic from reaching the router
     2. Filter out and disable unneeded and esoteric functionality,
        e.g. IP protocol 53 (SWIPE) and IP protocol 77 (SUN-ND)
     3. Stay updated on the latest versions of IOS
     4. Use an IDS to look for suspicious traffic



Cisco HTTP GET Buffer Overflow
  Attack Summary
    •   Specially crafted UDP packets can cause disclosure of actual packet
        data
    •   Unusually large HTTP requests can cause the built-in web server to
        return a shell prompt to the attacker
  Defenses
    1. Disable the UDP small-servers and the HTTP service; neither is needed
    2. Use ACLs to limit access to the router's HTTP interface
    3. Stay updated on the latest versions of IOS





Cisco Discovery Protocol Denial of Service
  Attack Summary
    - If CDP is not configured properly (or disabled), it can provide
      valuable infrastructure information to an attacker
  Defenses
    1. Disable CDP on all routers where it is unnecessary
    2. Only enable CDP on interfaces that absolutely need it (e.g. for
       management consoles such as CiscoWorks)
    3. Use ACLs to control CDP traffic coming into and going out of the
       internal network segment
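Router-side configuration for the defenses on the three slides above (IPv4 input-queue DoS, HTTP GET / small-servers, CDP), given here as an added Cisco IOS example; it is not part of the original slides. The interface names, the ACL name EDGE-IN, ACL 10 and the 10.1.1.0/24 management subnet are assumptions to be adapted to the device.

```cisco
! Added example, not from the slides. Interface names, ACL names/numbers and
! the 10.1.1.0/24 management subnet are assumptions.
!
! --- Slide 3: keep unneeded, esoteric IP protocols off the router entirely ---
! An extended ACL can match on the IP protocol number, so the two protocols
! the slide names (53 = SWIPE, 77 = SUN-ND) are dropped at the edge and logged
! for the IDS/syslog review the slide also asks for; everything else passes.
ip access-list extended EDGE-IN
 remark Slide 3: drop IP protocols this network never uses
 deny   53 any any log
 deny   77 any any log
 permit ip any any
!
interface GigabitEthernet0/0
 description Untrusted uplink (assumed)
 ip access-group EDGE-IN in
!
! --- Slide 4: the two services the slide names are switched off ---
no service udp-small-servers
no service tcp-small-servers
no ip http server
no ip http secure-server
!
! If the HTTP interface genuinely must stay on, restrict it to the management
! subnet with a standard ACL instead of leaving it reachable from anywhere:
!   access-list 10 permit 10.1.1.0 0.0.0.255
!   access-list 10 deny   any log
!   ip http server
!   ip http access-class 10
!
! --- Slide 5: CDP ---
! Default choice (defense 1): no CDP anywhere on this router.
no cdp run
!
! Alternative (defense 2) when a management tool such as CiscoWorks needs CDP:
! run it globally but disable it per interface, leaving only the management
! segment enabled. Shown commented out because a device runs one or the other.
!   cdp run
!   interface GigabitEthernet0/0
!    no cdp enable
!   interface GigabitEthernet0/1
!    description Management segment (assumed)
!    cdp enable
!
! "Stay updated on IOS": record the running image so it can be compared
! against the current advisories after every change.
!   show version | include IOS
```

The ACL deny lines use protocol numbers rather than names because IOS has no keyword for SWIPE or SUN-ND; the `log` keyword is what turns a silently dropped packet into an event an IDS or syslog correlation can see.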





Confusing the Enemy – MAC Flooding & ARP Spoofing
  MAC Flooding
  Attack Summary
    - MAC flooding overloads the switch's CAM table with so many phony MAC
      addresses, appearing on all ports, that the switch never gets a chance
      to catch up
  Defenses
    1. Enable port security on all switches; this should stop the problem
    2. Move all critical assets to a secured VLAN
    3. Tune the IDS to look for irregular traffic


Confusing the Enemy – MAC Flooding & ARP Spoofing
  ARP Spoofing
  Attack Summary
    - Simply involves taking over another node's identity and convincing the
      surrounding network devices that you should receive all network traffic
      belonging to the other machine
  Defenses
    1. Apply static ARP entries on all critical devices
    2. Move all critical assets to a secured private VLAN
    3. Tune IDS systems to look for irregular traffic
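Switch configuration for the MAC flooding and ARP spoofing defenses on the two slides above, as an added Cisco IOS example that is not part of the original slides. The interface ranges, VLAN IDs, IP addresses and MAC addresses are constructed placeholders.

```cisco
! Added example, not from the slides. Interface ranges, VLAN numbers, IP
! addresses and MAC addresses are constructed placeholders.
!
! --- Slide 6, defense 1: port security bounds the CAM table per port ---
! A flooding host can add at most "maximum" source MACs before its port goes
! err-disabled, so one port can never fill the table and push the switch into
! the flooding state the slide describes.
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Bring a violated port back automatically after 5 minutes (otherwise it stays
! down until an administrator clears it); the violation is still logged.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Slides 6 and 7, defense 2: critical assets in their own VLAN ---
vlan 20
 name SERVERS-SECURED
!
! --- Slide 7, defense 1: static ARP for critical devices ---
! On the L3 switch or router: pin the server's MAC so a forged ARP reply
! cannot move traffic for 10.20.0.10 to another station.
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
arp 10.20.0.10 0000.0c12.3456 arpa
! The matching entry on the server pins the gateway (Linux, example only):
!   ip neigh replace 10.20.0.1 lladdr 00:00:0c:07:ac:14 dev eth0 nud permanent
!
! --- Slides 6 and 7, defense 3: feed the IDS ---
! Mirror the user VLAN to the sensor port so the IDS can see the MAC churn and
! unsolicited ARP replies the slides ask it to look for.
monitor session 1 source vlan 10 both
monitor session 1 destination interface FastEthernet0/24
!
! Verify:  show port-security interface FastEthernet0/1
!          show mac address-table count
!          show ip arp | include 10.20.0.10
```

Port security does not stop a host from sending forged frames; it caps how many source MACs a port may contribute to the CAM table, which is what keeps the table from overflowing. A static ARP binding protects only the device it is configured on, so the gateway-side entry and the host-side entry are both needed for one server-to-gateway pair.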


Breaking Out of Jail – VLAN Jumping
  Attack Summary
     - It is possible to jump from one VLAN to another, although the attack is
       difficult to reproduce
  Defenses
     1. Turn off Dynamic Trunking Protocol on all ports on all switches
     2. Statically set all trunking ports
     3. Move all trunking ports to a single VLAN
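Access- and trunk-port configuration for the three VLAN jumping defenses above, as an added Cisco IOS example, not from the original slides. Interface numbers and VLAN IDs are assumptions; reading "move all trunking ports to a single VLAN" as giving every trunk one dedicated, otherwise unused native VLAN is also an assumption.

```cisco
! Added example, not from the slides. Interface numbers and VLAN IDs are
! assumptions; the dedicated native VLAN 999 is one reading of defense 3.
!
! --- Defense 1: no DTP on access ports ---
! "switchport mode access" still generates DTP frames to negotiate a
! non-trunk; "switchport nonegotiate" stops the port from sending DTP at all,
! so nothing a connected host sends can turn the port into a trunk.
interface range GigabitEthernet0/1 - 22
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! --- Defenses 2 and 3: trunks set statically, without negotiation, with an
! explicit allowed-VLAN list and a native VLAN that carries no user traffic ---
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/24
 description Uplink to distribution switch (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Optional: tag the native VLAN as well, so an untagged frame arriving on the
! trunk has no user VLAN to land in.
vlan dot1q tag native
!
! Verify:  show interfaces trunk
!          show dtp interface GigabitEthernet0/24
```

The `switchport trunk encapsulation dot1q` line applies only to platforms that also offer ISL; switches that support 802.1Q alone reject it as unnecessary and it can be omitted there.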





Attacking SNMP
  Attack Summary
    - Because SNMP versions prior to 3 did not support username/password
      authentication or encrypted tunnels, it is quite easy to sniff the wire
      for important and damaging information about the inner workings of the
      company network
  Defenses
    1. Use SNMP v3 for encryption wherever possible
    2. Disable SNMP on devices that do not need it
    3. Use IPsec where SNMP v3 is not applicable
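SNMPv3 configuration for the defenses above, as an added Cisco IOS example that is not part of the original slides. The group, user and view names, ACL 20, the 10.1.1.0/24 management subnet and the 10.1.1.50 manager address are assumptions; the REPLACE-* strings are placeholders for real passphrases.

```cisco
! Added example, not from the slides. Group/user/view names, ACL 20, the
! management subnet and manager address are assumptions; REPLACE-* strings
! are placeholders.
!
! --- Remove v1/v2c first: their community string is sent in cleartext in
! every request, which is what makes the sniffing on the slide possible ---
no snmp-server community public
no snmp-server community private
!
! Only the management subnet may speak SNMP to this device at all.
access-list 20 permit 10.1.1.0 0.0.0.255
access-list 20 deny   any log
!
! --- Defense 1: SNMPv3 at the authPriv level (SHA authentication, AES-128
! privacy), read-only, and bound to the management ACL ---
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access 20
snmp-server user nmsuser NMS-RO v3 auth sha REPLACE-AUTH-PASSPHRASE priv aes 128 REPLACE-PRIV-PASSPHRASE
!
! Notifications to the manager also travel as v3 authPriv, not a v2c community.
snmp-server host 10.1.1.50 version 3 priv nmsuser
snmp-server enable traps snmp authentication linkdown linkup
!
! --- Defense 2: a device with no monitoring role runs no agent at all ---
!   no snmp-server
!
! Verify:  show snmp user
!          show snmp group
```

`priv` is the level that provides the encryption the slide asks for; `auth` alone would authenticate requests but still send the payload in the clear. The ACL on the group means that even a correctly authenticated v3 request is refused when it arrives from outside the management subnet.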





Vulnerability Chaining
  Attack Summary
    - Medium- and low-risk exploits can be used together to form a high-risk
      vulnerability
  Defenses
    1. Be conscious of the low-risk vulnerabilities present on the network and
       the exposures they cause
    2. Deploy preventative technologies like IPsec or host-based IDS to reduce
       exposure and lessen the likelihood of a successful attack
    3. Do not use common passwords on critical networking devices



