How network security can be achieved

How does network security work, what is the network security model, and can you explain the model for network security?
HalfoedGibbs,United Kingdom,Professional
Published Date:02-08-2017
Chapter 11: Network Security. Get Defensive

[Figure: "Come on now, Sweetie, open up the firewall and let the cereal packets in..."]

The network's a dangerous place to make a living. Attackers lurk around every corner: rootkits, and script kiddies, and bots... oh my! You've got to buck up and harden your network, or the barbarians will crash the gates. In this chapter, we expose you to the seedy underworld of the network, where attackers spoof MAC addresses, poison your ARP cache, infiltrate your internets, sneak packets into your network, and trick your co-workers into coughing up their passwords. Get defensive, dude! Let's keep our precious data in and the interlopers out.

The bad guys are everywhere

You've put together crucial services like DNS, you've used troubleshooting to keep your network free of bugs, and you've set up a wireless network. The last thing you need now is someone infiltrating your network and messing up all the crucial data you have flying back and forth at top speeds.

As a network professional, you need to protect your networks from the bad guys and stop them from stealing information and launching deadly attacks on your servers.

Margin note: It is not unusual to have a new server attacked within minutes of being turned on.

[Figure: the evil impersonator ("Hey, I'm in! Now where are those documents marked 'Top Secret'?") reaching for Top Secret.doc; the evil attacker ("I'm gonna bring this whole network to its knees and destroy the business to boot."); a poisoned packet; an innocent client.]

And it's not just the NETWORK that gets hurt...

Eavesdroppers can be the worst. Not only are they trying to burn your business, they can hurt some of your good customers too. A double hit. If the eavesdropper is successful, he'll swipe your client's credit card information and charge up a storm.

[Figure: the evil eavesdropper picks off the client's credit card information: "Look Mummy! We got that lady's credit card number..."]
So how can we protect our networks against bad guys like these?

The big four in network security

Network security helps you—the network professional—foil the bad guys. It basically boils down to four key areas:

1. Harden your switches. Your switches are vulnerable to MAC address spoofing and ARP poisoning.
2. Harden your routers. Out of the box, your routers are not secure. Turn on Access Control Lists and Port Security to keep attackers out.
3. Install a firewall. A firewall is essential for keeping attackers out and crucial data in.
4. Write and enforce a security policy. All the cool technology stuff you do to protect your network means nothing if an attacker can get at your resources with "social engineering." A good security policy will help to avoid this.

Q: So are we talking about hackers?

A: We prefer the term "attacker" to "hacker." The old school use of the term hacker refers to ingenious problem-solvers rather than the creeps and criminals who infiltrate networks.

To harden your network, you need to analyze the devices that make up your network and where those devices sit in the network topology.

Exercise: Below you'll see our highly classified network diagram. Circle each of the devices that can be fooled by a spoofed MAC address. Cross out ones that won't be fooled.

[Figure: network diagram with Router 1, Router 2, Router 3, Switch 1, Switch 2, Switch 3, Hub 1, Hub 2, and the Database, File, Application, eMail and Authentication Servers.]

Why does MAC address spoofing pose a threat to network security?

Exercise solution (spoof-proof?): the same diagram, with the devices that can be fooled by a spoofed MAC address circled and the ones that won't be fooled crossed out.
[Figure: the solution diagram (Router 1, Router 2, Router 3, Switch 1, Switch 2, Switch 3, Hub 1, Hub 2, and the Database, File, Application, eMail and Authentication Servers). Annotation: "Switches use ARP tables to translate MAC addresses into IP Addresses."]

Defend your network against MAC address spoofing

MAC address spoofing is what happens when an attacker changes their MAC address so that it matches another device on the network. It allows an attacker to pretend that the hardware they're using belongs to someone else—like the boss.

By spoofing a MAC address, an attacker can pose as an approved network device and fool other devices into thinking that it's okay to send network traffic to, or receive traffic from, the spoofed device. So if the boss's computer has been spoofed, this means that the attacker can con the switch into sending it information that only the boss should see. Here's how it goes:

1. The attacker changes their MAC address to match that of the boss and requests information across the network. The hardware looks like it belongs to the boss, even though it doesn't. ("I'm the boss, and I need something really top secret and juicy.")
2. The switch sees that a device with the boss's MAC address is requesting information and lets it through. ("Hi Boss, top secret document coming right over.") The top secret document goes straight to the evil attacker.

So how can we harden a switch against this sort of attack?

Exercise (The Mole: secure your network): Below is the vulnerable network. On the next page, redesign the network so that its resources can be hardened against MAC address spoofing.
[Figure: the vulnerable network (Router 1, Router 2, Router 3, Switch 1, Switch 2, Switch 3, Hub 1, Hub 2, and the Database, File, Application, eMail and Authentication Servers), followed by a blank page on which to redesign it.]

Exercise solution (The Mole: what did you do?): Below is the vulnerable network, redesigned so that its resources are hardened against MAC address spoofing.

[Figure: the redesigned network: Switch 1, Switch 2, Router 1, Router 2, and the eMail, Application, File, Authentication and Database Servers.]

A switch-hardening tip: On a smaller network like this one, you can set your ARP tables to be static, which will prevent some MAC address spoofing. Placing your servers (especially your authentication server) behind a router ensures that MAC address spoofing will not work on those servers.

So how do we defend against MAC address spoofing?

Switches are susceptible to MAC address spoofing, while routers are unaffected because they deal with IP addresses. Your key defense against MAC address spoofing is to place your servers (especially your authentication server) behind a router. This means that MAC address spoofing will not work on these servers.

Another defense for a smaller network is to set the switch ARP tables to be static. This will prevent some MAC address spoofing.

But there's more to network attacks than MAC address spoofing...

The Case of the Stolen Messages

At the offices of Yellow Pad Inc., manufacturers of fine legal pads, Talula works in cubicle 4. During her lunch hour, Talula likes to send instant messages to her sweetie, RJ, in cubicle 21.
When she sends the messages, she signs them with her secret nickname, "Kung-Fu Princess," whereas RJ signs his with his secret nickname, "Kid Rye."

One morning, when Talula boots up her workstation, she sees a message on her screen that says, "Another device with the address 204.08.22.68 is connected to the network. Change your IP address to join the network."

The same day, the office busybody, Dwight, walks past RJ and asks him, "How's the Kung-Fu Princess, Kid Rye?"

When RJ tells Talula the story, she thinks a while and says, "I think I know how he did it, but we'll fix his wagon."

RJ asks, "How did Dwight find out our secret nicknames? And how are we going to fix him?"

How were the messages intercepted?

Defend your network against ARP poisoning attacks

Another sort of attack is the ARP (Address Resolution Protocol) poisoning attack that bad guys can use to completely bring down your network. Let's see how this works.

1. The attacker sends a poisoned packet. The attacker broadcasts a packet with an IP address, along with a MAC address that's either faked or simply doesn't exist. [Figure: the attacker's machine at 204.62.202.220 sends a packet carrying MAC address FA:DE:FA:DE:FA:DE. The packet's poisoned: this MAC address does not exist, but it's associated with an IP that does.]
2. Network devices update their ARP tables, which poisons them. Other workstations and network devices receive the broadcast packet and update their ARP tables (aka caches) with the bad information. Those devices are now using information that is poisoned, or intentionally corrupted.
3. The exploit proceeds. Now that the ARP tables are poisoned, the attacker can use one of three attack methods: Denial of Service, Man in the Middle, or MAC flooding.

Margin note: Because the Address Resolution Protocol has no way of verifying whether a MAC address is valid, an intruder can "poison" a network device by giving it false information.
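The cache change in steps 1 and 2 is exactly what a monitor on the segment can watch for. The following is an added example, not from the book: it runs over a constructed list of ARP replies and flags an IP address whose MAC changes and a MAC address that answers for more than one IP, optionally seeded from a static ARP table like the one the chapter recommends for small networks. All addresses except FA:DE:FA:DE:FA:DE are constructed.

```python
"""Flag ARP cache poisoning from a stream of ARP replies.

Added example, not from the book. Each reply is (timestamp, sender IP,
sender MAC) as a monitor on the segment would record it. Two signs of the
poisoning sequence described above are reported: an IP address whose MAC
changes, and one MAC address answering for several IP addresses. Entries
from a static ARP table can be supplied as the trusted starting state.
"""
from collections import defaultdict

# Constructed traffic. 204.62.202.1 stands in for the router and
# 204.62.202.68 for a workstation; FA:DE:FA:DE:FA:DE is the attacker's
# MAC address from the chapter's figure.
ARP_REPLIES = [
    ("09:00:01", "204.62.202.1", "00:11:22:33:44:01"),
    ("09:00:02", "204.62.202.68", "00:11:22:33:44:68"),
    ("09:00:03", "204.62.202.1", "00:11:22:33:44:01"),
    ("09:05:00", "204.62.202.1", "FA:DE:FA:DE:FA:DE"),   # poisoned: router's IP
    ("09:05:00", "204.62.202.68", "FA:DE:FA:DE:FA:DE"),  # poisoned: victim's IP
]

# A constructed static ARP table, the small-network defense the chapter mentions.
STATIC_ARP = {"204.62.202.1": "00:11:22:33:44:01"}


def detect_poisoning(replies, static_table=None):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    # What each host's ARP cache would hold after processing the replies.
    ip_to_mac = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    mac_to_ips = defaultdict(set)   # which IPs each MAC has claimed so far
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # The cache entry for this IP would be overwritten: step 2 above.
            alerts.append(f"{ts}: {ip} changed from {known} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            # One interface posing as several hosts, e.g. router and victim.
            alerts.append(f"{ts}: {mac} now answers for {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_poisoning(ARP_REPLIES, STATIC_ARP):
        print(alert)
```

On the constructed traffic the first three replies raise nothing; the two poisoned replies at 09:05:00 raise three alerts, the last of which shows the attacker's MAC answering for both the router and the workstation.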
All of these devices are now "infected."

So what can we do about ARP poisoning attacks?

The key thing with this sort of attack is to harden your switch. Most switches have port security features which let you assign only one MAC address per port, and this is one of your best defences against this sort of attack. If the wrong MAC address comes into the wrong port, the switch won't let it through.

[Figure: the switch turns away the attacker's machine: "You say you're the boss? No way. You're through on the wrong port."]

Q: Is there any way to find out if someone is sending ARP poisoning attacks on my network?

A: An intrusion detection system (IDS), like Snort, will monitor your network for ARP requests that seem out of the ordinary.

Q: Why won't MAC spoofing and ARP poisoning affect a router?

A: Good question. Remember that routers work at the IP Address level. Routers can't be fooled by these attacks the way switches can.

Q: What about a Man in the Middle attack?

A: An attacker finds a way to intercept traffic intended for the router, or another workstation, and forwards it on to another device. It would be like changing your mailbox number so that the mailman believes your mailbox is actually your neighbor's. That way, you could get their mail before they do. You can then deliver the mail to your neighbor so that they never know what happened. However, you get a chance to filter through mail that was intended for your neighbor. You become the "man in the middle" between the mailman and your neighbor.

Q: How does an attacker create a poisoned packet?

A: Programs like "Dsniff" come packaged with smaller apps like "arpspoof." Using arpspoof inside a switched network, the attacker can create and send poisoned ARP packets, which open up other exploit possibilities.

Q: You mentioned a few different types of ARP attacks. First off, what's a Denial of Service attack?

A: With an ARP-based DoS attack, you trick other devices on the network into sending traffic to an IP address that is valid, but you give it a MAC address that can't be found on the network. Once all of the ARP tables are poisoned, other machines on the network start sending traffic intended for the router to a device that doesn't exist. In effect, you isolate the local network from getting beyond the router in question.

Q: And a MAC flooding attack?

A: You can eat up the switch's resources by overwhelming it with tons of ARP requests that ask for hardware (MAC addresses) that don't exist. You clobber the switch's memory.

The Case of the Stolen Messages: Solved

So how were the messages intercepted?

Talula tells RJ, "Dwight used a 'man-in-the-middle' attack. He poisoned the ARP tables of the Yellow Pad, Inc. network by intercepting traffic that was supposed to go to my workstation, RJ."

RJ says, "How did you figure it out, Talula?"

Talula says, "I noticed this morning that when I booted up my machine, another machine on the network had the same IP address as mine. Then, when you told me what Dwight said, I realized that he had probably poisoned the ARP tables so that he could associate his MAC address with my IP address."

"Slow down," RJ says. "You know I'm not a techie, Talula."

Talula says, "Here's how it works, RJ: An attacker finds a way to intercept messages intended for another workstation, and forwards them on to another device. The attacker gets a chance to read your messages before you do, then sends them on to you without your knowledge."

"I get it," RJ says. "So how are you going to fix him?"

"I already did," Talula says. "I performed a counter-attack by becoming the 'man-in-the-middle' and sending all of Dwight's network traffic to the boss.
Won't the boss be surprised when she finds out how many hours a day Dwight spends playing Warlocks of Worldcrash?"

RJ says, "Darn, you're smart, Talula."

Routers: your last line of defense

It's all about the access, baby

So far we've dealt with switch hardening, but that's not the only device we need to tighten security on. We need to tighten security on the router, too.

[Figure: the Big Bad Internet, a router, an eMail Server and a File Server. Attacker: "The only thing between me and the network is that sweet little router..."]

If an attacker can get past your router, then he's on your network

If you don't have proper access controls in place on your router, then anyone can get into your network. They don't even have to spoof anything to do it.

Set up your router's Access Control Lists to keep attackers out

The meat-and-taters of hardening your router comes in the form of Access Control Lists (ACLs). An Access Control List is a simple table that a router uses to keep track of which IP Addresses are allowed to cross the router. You configure the table so that particular IP addresses are either allowed or denied access.

1. A network device requests access to resources. (The device at 10.0.1.100: "Hey, I need access. Can you let me through?")
2. The router checks its Access Control List for the device IP address. If there's an "Allow" entry, the device is allowed access. But if the entry for the IP address is "Deny," the device is turned away.

An Access Control List (ACL):

    Access List ID   IP Address   Port   Allow/Deny
    0001             10.0.1.100   1      Allow

The Access List ID column tracks the identifier for an access list. The IP Address column tracks IP Addresses. The Port column tracks the port used by the router. The Allow/Deny column tells us whether a device can cross the router.
You can use names or numbers for the access list ID, but numbers keep things clear.

Exercise (access rules are critical): Below are three clients that you want to have access to your network and two clients that you want to restrict. Write in the access rules to do so.

Keep these guys out: 10.0.1.18, 10.0.1.19, 10.0.1.20
Let these guys in: 10.0.1.15, 10.0.1.16, 10.0.1.17

Router 1's Access List (first row filled in for you):

    Access List ID   IP Address   Port   Allow/Deny
    20               10.0.1.15    1      Allow

So how do we configure the Access Control List?

To set up permissions in the router Access Control List, you open up a terminal and use commands to configure the permissions. Here's an example:

    RouterX# configure terminal
    RouterX(config)# access-list 42
    RouterX(config)# access-list 42 deny 10.0.1.18
    RouterX(config)# access-list 42 deny 10.0.1.19
    RouterX(config)# access-list 42 deny 10.0.1.20
    RouterX(config)# interface ethernet0
    RouterX(config-if)# ip access-group 42 in
    RouterX(config-if)# exit
    RouterX(config)# end
    RouterX#

RouterX is the name of the router we're configuring. The "access-list" command tells the router that we are creating an access list called "42"; the number "42" identifies the "access list ID" we want to use. With "deny" we are telling the router to refuse packets from 10.0.1.18; each of these lines is known as a filter statement. With the "interface" command, we tell the router what interface we'll configure for. Finally, we tell the router that we want to apply the access-list to a group. The "in" part tells the router that we want to apply the access list to inbound packets.

Most Cisco routers use a graphical user interface (GUI) app to control access lists. We like to show you the command line interface (CLI) so that you understand how the command works at its most basic level.

Exercise solution (write the right rules): Below are three clients that you want to have access to your network and two clients that you want to restrict. Write in the access rules to do so.

Keep these guys out: 10.0.1.18, 10.0.1.19, 10.0.1.20
Let these guys in: 10.0.1.15, 10.0.1.16, 10.0.1.17

Router 1's Access List:

    Access List ID   IP Address   Port   Allow/Deny
    20               10.0.1.15    1      Allow
    20               10.0.1.16    2      Allow
    20               10.0.1.17    3      Allow
    20               10.0.1.18    4      Deny
    20               10.0.1.19    5      Deny
    20               10.0.1.20    6      Deny
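To tie the exercise table and the CLI example together, here is an added Python model, not from the book, of how a router walks a standard access list: filter statements are checked top to bottom and the first match decides. It also applies one fact the page leaves out, stated here from Cisco IOS behaviour rather than from the chapter: every standard access list ends with an implicit deny, so a list like 42 above that holds only deny statements lets nothing through, and Router 1's list needs its Allow rows before any client can pass.

```python
"""Model of how a router evaluates a standard access list.

Added example, not from the book. Filter statements are checked top to
bottom and the first statement matching the source address decides. Cisco
IOS ends every standard access list with an implicit "deny any" that the
chapter's table does not show; it is modelled here as the fall-through.
"""
from ipaddress import ip_address

# Router 1's Access List from the exercise solution, one tuple per row:
# (Access List ID, IP Address, Port, Allow/Deny). The Port column is kept
# as data only; the rows are evaluated in the order they appear.
ROUTER1_ACL = [
    (20, "10.0.1.15", 1, "Allow"),
    (20, "10.0.1.16", 2, "Allow"),
    (20, "10.0.1.17", 3, "Allow"),
    (20, "10.0.1.18", 4, "Deny"),
    (20, "10.0.1.19", 5, "Deny"),
    (20, "10.0.1.20", 6, "Deny"),
]

# Access list 42 from the CLI example: deny statements only.
ROUTERX_ACL = [
    (42, "10.0.1.18", 1, "Deny"),
    (42, "10.0.1.19", 2, "Deny"),
    (42, "10.0.1.20", 3, "Deny"),
]


def evaluate(acl, list_id, source_ip):
    """Return "Allow" or "Deny" for a packet from source_ip checked against list_id."""
    src = ip_address(source_ip)
    for lid, ip, _port, action in acl:
        if lid == list_id and ip_address(ip) == src:
            return action            # first match wins
    return "Deny"                    # implicit deny at the end of the list


def to_ios_commands(acl, list_id):
    """Render the table rows in the access-list command form shown on the page."""
    keyword = {"Allow": "permit", "Deny": "deny"}
    return [f"access-list {list_id} {keyword[action]} {ip}"
            for lid, ip, _port, action in acl if lid == list_id]


if __name__ == "__main__":
    for host in ("10.0.1.15", "10.0.1.18", "10.0.1.99"):
        print(host, "list 20 ->", evaluate(ROUTER1_ACL, 20, host),
              "| list 42 ->", evaluate(ROUTERX_ACL, 42, host))
    print("\n".join(to_ios_commands(ROUTER1_ACL, 20)))
```

Running it shows 10.0.1.15 allowed by list 20 but denied by list 42, and an address missing from the table (10.0.1.99, constructed) denied by both.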