How does network security work, what is a network security model, and can you explain a model for network security?
HalfoedGibbs, United Kingdom, Professional
Published Date: 02-08-2017
Chapter 11: network security
Get Defensive
The network's a dangerous place to make a living. Attackers lurk around every corner: rootkits, and script kiddies, and bots... oh my! You've got to buck up and harden your network, or the barbarians will crash the gates. In this chapter, we expose you to the seedy underworld of the network, where attackers spoof MAC addresses, poison your ARP cache, infiltrate your internets, sneak packets into your network, and trick your co-workers into coughing up their passwords. Get defensive, dude! Let's keep our precious data in and the interlopers out.
The bad guys are everywhere
You've put together crucial services like DNS, you've used troubleshooting to keep your network free of bugs, and you've set up a wireless network. The last thing you need now is someone infiltrating your network and messing up all the crucial data you have flying back and forth at top speeds.

As a network professional, you need to protect your networks from the bad guys and stop them from stealing information and launching deadly attacks on your servers.

It is not unusual to have a new server attacked within minutes of being turned on.
[Figure: the bad guys. The evil impersonator: "Hey, I'm in! Now where are those documents marked 'Top Secret'?" The evil attacker: "I'm gonna bring this whole network to its knees and destroy the business to boot." A poisoned packet on its way to an innocent client.]
And it's not just the NETWORK that gets hurt...

Eavesdroppers can be the worst. Not only are they trying to burn your business, they can hurt some of your good customers too. A double hit. If the eavesdropper is successful, he'll swipe your client's credit card information and charge up a storm.
[Figure: the evil eavesdropper, holding a client's credit card information: "Look Mummy! We got that lady's credit card number..."]
So how can we protect our networks against bad guys like these?
The big four in network security
Network security helps you (the network professional) foil the bad guys. It basically boils down to four key areas:
1. Harden your switches. Your switches are vulnerable to MAC address spoofing and ARP poisoning.

2. Harden your routers. Out of the box, your routers are not secure. Turn on Access Control Lists to decide which addresses may cross the router and keep attackers out. (Port Security, which is often mentioned alongside ACLs, is configured on switch ports, so it belongs under switch hardening.)

3. Install a firewall. A firewall is essential for keeping attackers out and crucial data in.

4. Write and enforce a security policy. All the cool technology stuff you do to protect your network means nothing if an attacker can get at your resources with "social engineering." A good security policy will help to avoid this.

Q: So are we talking about hackers?

A: We prefer the term "attacker" to "hacker." The old school use of the term hacker refers to ingenious problem-solvers rather than the creeps and criminals who infiltrate networks.
To harden your network, you need to analyze the devices that make up your network and where those devices sit in the network topology.

Below you'll see our highly classified network diagram. Circle each of the devices that can be fooled by a spoofed MAC address. Cross out the ones that won't be fooled.

[Network diagram: Router 1, Router 2, Router 3, Switch 1, Switch 2, Switch 3, Hub 1, Hub 2, and the Database Server, File Server, Application Server, eMail Server and Authentication Server.]

Why does MAC address spoofing pose a threat to network security?

Spoof-proof? (Solution)

The switches (Switch 1, Switch 2 and Switch 3) can be fooled by a spoofed MAC address; the routers (Router 1, Router 2 and Router 3) cannot, because they forward on IP addresses rather than MAC addresses. A switch keeps a table that maps each MAC address it has seen to the port that address arrived on (ARP, by contrast, is what hosts use to translate IP addresses into MAC addresses, not the other way round). The switch trusts the source address of every frame it receives, so as soon as an attacker sends frames carrying the boss's MAC address, the switch moves that address to the attacker's port and the top secret document goes straight to the evil attacker. Hubs don't even need to be fooled: a hub repeats every frame out of every port, so anyone plugged into one already sees all of the traffic.
Defend your network against MAC address spoofing

MAC address spoofing is what happens when an attacker changes their MAC address so that it matches another device on the network. It allows an attacker to pretend that the hardware they're using belongs to someone else, like the boss.

By spoofing a MAC address, an attacker can pose as an approved network device and fool other devices into thinking that it's okay to send network traffic to, or receive traffic from, the spoofed device. So if the boss's computer has been spoofed, this means that the attacker can con the switch into sending it information that only the boss should see.

Here's how it goes:

1. The attacker changes their MAC address to match that of the boss and requests information across the network. The hardware looks like it belongs to the boss, even though it doesn't. ("I'm the boss, and I need something really top secret and juicy.")

2. The switch sees that a device with the boss's MAC address is requesting information and lets it through. ("Hi Boss, top secret document coming right over.")

So how can we harden a switch against this sort of attack?
Secure your network

Below is the vulnerable network. Redesign the network so that its resources can be hardened against MAC address spoofing.

[Vulnerable network: Router 1, Router 2, Router 3, Switch 1, Switch 2, Switch 3, Hub 1, Hub 2, the Database Server, File Server, Application Server, eMail Server and Authentication Server, and the Mole (the evil attacker) plugged into the same segment as the servers.]

What did you do? (Solution)

[Redesigned network, as drawn in the solution: Switch 1, Switch 2, Router 1, Router 2 and Router 3, with the Application Server, File Server, eMail Server, Authentication Server and Database Server placed behind the routers rather than on the clients' segment.]

A switch-hardening tip: On a smaller network like this one, you can make the address tables static (static ARP entries on the hosts and the router, static MAC-address-table entries on the switch), which will prevent some MAC address spoofing. It doesn't scale: every new or replaced network card means editing the tables by hand.

Placing your servers (especially your authentication server) behind a router means MAC address spoofing from the clients' side will not work on those servers. MAC addresses and ARP only have meaning within a single broadcast domain, and a router ends that domain: a spoofed MAC on the clients' segment is never seen on the servers' segment. It does not protect against an attacker who is plugged into the servers' own segment, so that segment needs the same switch hardening.
So how do we defend against MAC address spoofing?

Switches are susceptible to MAC address spoofing, while routers are unaffected because they forward on IP addresses. Your key defense against MAC address spoofing is to place your servers (especially your authentication server) behind a router. A spoofed MAC address can only fool devices on the attacker's own broadcast domain, so it will not work on servers that sit on the far side of a router. (The router's own interface on the attacker's segment still keeps an ARP cache, so traffic on that segment can still be hijacked; that is the ARP poisoning attack described below.)

Another defense for a smaller network is to configure static address entries (static MAC-address-table entries on the switch, static ARP entries on the hosts). This will prevent some MAC address spoofing, at the cost of maintaining the entries by hand.

But there's more to network attacks than MAC address spoofing...
Five Minute Mystery: The Case of the Stolen Messages

At the offices of Yellow Pad Inc., manufacturers of fine legal pads, Talula works in cubicle 4. During her lunch hour, Talula likes to send instant messages to her sweetie, RJ, in cubicle 21. When she sends the messages, she signs them with her secret nickname, "Kung-Fu Princess," whereas RJ signs his with his secret nickname, "Kid Rye."

One morning, when Talula boots up her workstation, she sees a message on her screen that says, "Another device with the address 204.08.22.68 is connected to the network. Change your IP address to join the network."

The same day, the office busybody, Dwight, walks past RJ and asks him, "How's the Kung-Fu Princess, Kid Rye?"

When RJ tells Talula the story, she thinks a while and says, "I think I know how he did it, but we'll fix his wagon."

RJ asks, "How did Dwight find out our secret nicknames? And how are we going to fix him?"

How were the messages intercepted?
Defend your network against ARP poisoning attacks

Another sort of attack is the ARP (Address Resolution Protocol) poisoning attack that bad guys can use to completely bring down your network. Let's see how this works.

1. The attacker sends a poisoned packet. The attacker broadcasts an ARP packet that pairs a real IP address with a MAC address that's either faked or simply doesn't exist. (In the figure, the attacker's machine at 204.62.202.220 announces the MAC address FA:DE:FA:DE:FA:DE. The packet's poisoned: this MAC address does not exist, but it's associated with an IP that does.)

2. Network devices update their ARP tables, which poisons them. Other workstations and network devices receive the broadcast packet and update their ARP tables (aka caches) with the bad information. Those devices are now using information that is poisoned, or intentionally corrupted. All of these devices are now "infected."

3. The exploit proceeds. Now that the ARP tables are poisoned, the attacker can use one of three attack methods: Denial of Service, Man in the Middle, or MAC flooding.

Because the Address Resolution Protocol has no way of verifying whether a MAC address is valid, an intruder can "poison" a network device by giving it false information. A typical host updates an existing cache entry from any ARP packet it receives, solicited or not, and the newest packet wins.

So what can we do about ARP poisoning attacks?
The key thing with this sort of attack is to harden your switch. Most switches have port security features which let you assign only one MAC address per port, and this is one of your best defences against this sort of attack. If the wrong MAC address comes into the wrong port, the switch won't let it through. ("You say you're the boss? No way! You're through on the wrong port.")

Two practical caveats. Port security pins MAC addresses to ports, so it stops an attacker from borrowing the boss's MAC address on the attacker's own port, and it stops MAC flooding, since every made-up source address beyond the limit is a violation. It does not by itself stop an attacker from sending forged ARP replies using their own, permitted MAC address; for that, managed switches offer Dynamic ARP Inspection, which checks each ARP packet against the switch's record of which IP address and MAC address belong on which port (usually built from DHCP snooping) and drops the ones that don't match.
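Here is an added example (not code from the book or the original post) that simulates what a switch does in the three situations discussed above: the MAC-learning table that a spoofed address hijacks, the table overflow behind a MAC flooding attack, and the one-MAC-per-port rule of port security with the port shut down on a violation. The switch model, the port names Fa0/1 to Fa0/3, the MAC addresses and the tiny eight-entry table are all hypothetical, chosen so that a flood fits in a few lines.

```python
"""Toy Ethernet switch: MAC learning, MAC spoofing, MAC flooding, port security.

Added example, not code from the original page. Port names, MAC addresses and
the tiny 8-entry table are hypothetical; real switches hold thousands of entries
and differ in what they do when the table is full (this model evicts the oldest
entry, which is the worst case for the victim).
"""
from collections import OrderedDict

FLOOD = "flood"   # the switch had to send the frame out of every port


class Switch:
    def __init__(self, ports, table_size=8):
        self.ports = list(ports)
        self.table_size = table_size
        self.cam = OrderedDict()   # MAC address -> port it was last seen on, oldest first
        self.secure = {}           # port -> maximum MACs allowed (port security)
        self.allowed = {}          # port -> MACs learned on a secured port
        self.shutdown = set()      # ports err-disabled after a violation
        self.violations = []

    def enable_port_security(self, port, max_macs=1):
        """Like 'switchport port-security maximum N' with violation mode shutdown."""
        self.secure[port] = max_macs
        self.allowed.setdefault(port, set())

    def forward(self, in_port, src, dst):
        """Handle one frame; return the egress port, FLOOD, or None if dropped."""
        if in_port in self.shutdown:
            return None
        if in_port in self.secure and src not in self.allowed[in_port]:
            if len(self.allowed[in_port]) >= self.secure[in_port]:
                # a second MAC on a one-MAC port: spoofed boss or flood, either way a violation
                self.violations.append((in_port, src))
                self.shutdown.add(in_port)
                return None
            self.allowed[in_port].add(src)
        self._learn(src, in_port)
        return self.cam.get(dst, FLOOD)

    def _learn(self, src, in_port):
        # The switch trusts the source address of every frame: that is the whole weakness.
        if src in self.cam:
            del self.cam[src]
        elif len(self.cam) >= self.table_size:
            self.cam.popitem(last=False)   # table full: drop the oldest entry
        self.cam[src] = in_port


BOSS = "00:11:22:aa:aa:aa"
SERVER = "00:11:22:cc:cc:cc"
ATTACKER = "00:11:22:bb:bb:bb"


def build_switch():
    """Boss on Fa0/1, attacker on Fa0/2, file server on Fa0/3; one exchange teaches the table."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    sw.forward("Fa0/1", BOSS, SERVER)
    sw.forward("Fa0/3", SERVER, BOSS)
    return sw


def demo_spoof():
    """Attacker sends one frame with the boss's MAC; where does the server's reply go?"""
    sw = build_switch()
    sw.forward("Fa0/2", BOSS, SERVER)
    return sw.forward("Fa0/3", SERVER, BOSS)     # "Fa0/2": the attacker's port


def demo_flood():
    """Attacker sends frames from made-up MACs until the boss's entry is pushed out."""
    sw = build_switch()
    for i in range(sw.table_size):
        sw.forward("Fa0/2", "de:ad:be:ef:00:%02x" % i, SERVER)
    return sw.forward("Fa0/3", SERVER, BOSS)     # FLOOD: every port, attacker included, sees the reply


def demo_port_security():
    """Same spoof with port security on Fa0/2: violation, port shut, reply still goes to Fa0/1."""
    sw = build_switch()
    sw.enable_port_security("Fa0/2", max_macs=1)
    sw.forward("Fa0/2", ATTACKER, SERVER)        # the attacker's own MAC is the one allowed
    spoofed = sw.forward("Fa0/2", BOSS, SERVER)  # None: dropped, port err-disabled
    return spoofed, "Fa0/2" in sw.shutdown, sw.forward("Fa0/3", SERVER, BOSS)


if __name__ == "__main__":
    print("spoof, reply goes to:", demo_spoof())
    print("flood, reply goes to:", demo_flood())
    print("port security (dropped?, port shut?, reply to):", demo_port_security())
```

Running the three demos in order shows the progression the chapter describes: without port security the server's reply follows the boss's MAC address to whichever port last claimed it, a flood of bogus addresses pushes the real entries out and turns the switch into a hub, and with port security the first foreign address on the attacker's port disables that port while the boss's entry stays put.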
Q: Is there any way to find out if someone is sending ARP poisoning attacks on my network?

A: An intrusion detection system (IDS), like Snort, will monitor your network for ARP traffic that seems out of the ordinary. The tell-tale signs are an IP address whose MAC address suddenly changes, and ARP replies that nobody asked for.

Q: How does an attacker create a poisoned packet?

A: Programs like "Dsniff" come packaged with smaller apps like "arpspoof." Using arpspoof inside a switched network, the attacker can create and send poisoned ARP packets, which open up other exploit possibilities.

Q: Why won't MAC spoofing and ARP poisoning affect a router?

A: Good question. Remember that routers work at the IP Address level. Routers can't be fooled by these attacks the way switches can: a spoofed MAC address or a poisoned ARP entry only has meaning on the one network segment where it was sent, and the router doesn't carry MAC addresses across to the next segment. (The router's interface on that segment does keep its own ARP cache, so traffic between that segment and the router can still be hijacked; the networks behind the router are not affected.)

Q: You mentioned a few different types of ARP attacks. First off, what's a Denial of Service attack?

A: With an ARP-based DoS attack, you trick other devices on the network into sending traffic to an IP address that is valid, but you give it a MAC address that can't be found on the network. Once all of the ARP tables are poisoned, other machines on the network start sending traffic intended for the router to a device that doesn't exist. In effect, you isolate the local network from getting beyond the router in question.

Q: What about a Man in the Middle attack?

A: An attacker finds a way to intercept traffic intended for the router, or another workstation, and forwards it on to another device. It would be like changing your mailbox number so that the mailman believes your mailbox is actually your neighbor's. That way, you could get their mail before they do. You can then deliver the mail to your neighbor so that they never know what happened. However, you get a chance to filter through mail that was intended for your neighbor. You become the "man in the middle" between the mailman and your neighbor.

Q: And a MAC flooding attack?

A: You can eat up the switch's resources by overwhelming it with tons of packets (often ARP) carrying made-up source MAC addresses that don't exist. You clobber the switch's memory: its MAC address table fills up with bogus entries, and once the table is full many switches fall back to flooding every frame out of every port, like a hub, so the attacker gets to see traffic that the switch would otherwise have delivered only to its rightful port.
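The detection the IDS answer above describes, as an added example (not code from the book, the original post, or Snort): it parses raw Ethernet/ARP frames using the standard header layout and flags the two symptoms from the mystery, an IP address whose MAC address changes and an ARP reply that no one requested. The hosts Talula, RJ and Dwight, their addresses, and the three captured frames are constructed here for illustration; the ArpWatch class and its rules are this example's own.

```python
"""ARP poisoning detector over raw ARP frames.

Added example, not code from the original page. It parses Ethernet/ARP frames
with the standard header layout and raises an alert when an IP address changes
its MAC address or when a reply arrives that nobody requested. The hosts,
addresses and captured frames below are constructed for illustration.
"""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, REQUEST, REPLY = 0x0806, 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Build a raw frame; used only to construct the sample capture below."""
    return ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it isn't IPv4-over-Ethernet ARP."""
    dst, src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "oper": oper, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Passive monitor of the kind an IDS runs on a mirrored switch port."""

    def __init__(self):
        self.bindings = {}    # IP -> MAC that last claimed it
        self.pending = set()  # (asker IP, asked-for IP) of requests still awaiting a reply
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["sha"] != a["eth_src"]:
            self.alerts.append("MAC mismatch: ARP says %s but frame came from %s" % (a["sha"], a["eth_src"]))
        if a["oper"] == REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
        elif a["oper"] == REPLY:
            asked = (a["tpa"], a["spa"])      # the reply's target asked about the reply's sender
            if asked in self.pending:
                self.pending.discard(asked)
            else:
                self.alerts.append("unsolicited reply: %s is-at %s, sent to %s" % (a["spa"], a["sha"], a["tpa"]))
        # Both requests and replies carry a sender binding that hosts will cache.
        previous = self.bindings.get(a["spa"])
        if previous is not None and previous != a["sha"]:
            self.alerts.append("binding change: %s was %s, now claimed by %s" % (a["spa"], previous, a["sha"]))
        self.bindings[a["spa"]] = a["sha"]


# Constructed sample capture: Talula (cubicle 4), RJ (cubicle 21) and Dwight the busybody.
TALULA, RJ, DWIGHT = "aa:aa:aa:00:00:04", "aa:aa:aa:00:00:15", "aa:aa:aa:00:00:66"
BROADCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
TALULA_IP, RJ_IP = "10.0.1.4", "10.0.1.21"


def sample_capture():
    return [
        # normal resolution: Talula asks who has RJ's address, RJ answers
        build_arp(TALULA, BROADCAST, REQUEST, TALULA, TALULA_IP, ZERO, RJ_IP),
        build_arp(RJ, TALULA, REPLY, RJ, RJ_IP, TALULA, TALULA_IP),
        # poison: Dwight tells RJ, unasked, that Talula's IP now lives at Dwight's MAC
        build_arp(DWIGHT, RJ, REPLY, DWIGHT, TALULA_IP, RJ, RJ_IP),
    ]


def run(frames):
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run(sample_capture()):
        print("ALERT:", alert)
```

The first two frames are a legitimate request and its reply and produce no alert; the third is the poison and produces two, one because no request preceded it and one because 10.0.1.4 is now bound to a different MAC address than before. To use this on a real network you would feed it frames from a packet capture on a switch port that mirrors the segment's traffic; an attacker who poisons slowly, or who only answers real requests faster than the real host, will still trip the binding-change rule.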
Five Minute Mystery Solved: The Case of the Stolen Messages

So how were the messages intercepted?

Talula tells RJ, "Dwight used a 'man-in-the-middle' attack. He poisoned the ARP tables of the Yellow Pad, Inc. network by intercepting traffic that was supposed to go to my workstation, RJ."

RJ says, "How did you figure it out, Talula?"

Talula says, "I noticed this morning that when I booted up my machine, another machine on the network had the same IP address as mine. Then, when you told me what Dwight said, I realized that he had probably poisoned the ARP tables so that he could associate his MAC address with my IP address."

"Slow down," RJ says. "You know I'm not a techie, Talula."

Talula says, "Here's how it works, RJ: An attacker finds a way to intercept messages intended for another workstation, and forwards them on to another device. The attacker gets a chance to read your messages before you do, then sends them on to you without your knowledge."

"I get it," RJ says. "So how are you going to fix him?"

"I already did," Talula says. "I performed a counter-attack by becoming the 'man-in-the-middle' and sending all of Dwight's network traffic to the boss. Won't the boss be surprised when she finds out how many hours a day Dwight spends playing Warlocks of Worldcrash?"

RJ says, "Darn, you're smart, Talula!"
It's all about the access, baby

So far we've dealt with switch hardening, but that's not the only device we need to tighten security on. We need to tighten security on the router, too.

[Figure: the Big Bad Internet on one side of a router, the eMail Server and File Server on the other. The attacker: "The only thing between me and the network is that sweet little router..."]

If an attacker can get past your router, then he's on your network

If you don't have proper access controls in place on your router, then anyone can get into your network. They don't even have to spoof anything to do it.
Set up your router's Access Control Lists to keep attackers out

The meat-and-taters of hardening your router comes in the form of Access Control Lists (ACLs). An Access Control List is a simple table that a router uses to keep track of which IP addresses are allowed to cross the router. You configure the table so that particular IP addresses are either allowed or denied access. The entries are checked in order, and the first one that matches a packet decides what happens to it; a packet that matches no entry at all is dropped, because every list ends with an implicit "deny everything."

1. A network device requests access to resources. ("Hey, I need access. Can you let me through?") In the example the device's address is 10.0.1.100.

2. The router checks its Access Control List for the device IP address. If there's an "Allow" entry, the device is allowed access. But if the entry for the IP address is "Deny," the device is turned away.

An Access Control List (ACL):

Access List ID | IP Address | Port | Allow/Deny
0001 | 10.0.1.100 | 1 | Allow

The Access List ID column tracks the identifier for an access list. You can use names or numbers, but numbers keep things clear. The IP Address column tracks the IP address the entry applies to (for a standard list, the packet's source address). The Port column tracks the port (interface) used by the router. The Allow/Deny column tells us whether a device can cross the router.
Access rules are critical

Below are three clients that you want to have access to your network and three clients that you want to restrict. Write in the access rules to do so.

Let these guys in: 10.0.1.15, 10.0.1.16, 10.0.1.17
Keep these guys out: 10.0.1.18, 10.0.1.19, 10.0.1.20

Router 1's Access List

Access List ID | IP Address | Port | Allow/Deny
20 | 10.0.1.15 | 1 | Allow
(fill in the remaining rows)

So how do we configure the Access Control List?

To set up permissions in the router Access Control List, you open up a terminal and use commands to configure the permissions. Here's an example, in Cisco IOS syntax. RouterX is the name of the router we're configuring, and the part of the prompt in parentheses shows which configuration mode you are in:

    RouterX# configure terminal
    RouterX(config)# access-list 42 deny 10.0.1.18
    RouterX(config)# access-list 42 deny 10.0.1.19
    RouterX(config)# access-list 42 deny 10.0.1.20
    RouterX(config)# access-list 42 permit any
    RouterX(config)# interface ethernet0
    RouterX(config-if)# ip access-group 42 in
    RouterX(config-if)# exit
    RouterX(config)# end
    RouterX#

The number "42" identifies the access list ID we want to use; the "access-list" command tells the router that we are adding a statement to the list called "42." Numbers 1 to 99 are standard lists, which filter on the source address only. Each "access-list 42 ..." line is known as a filter statement. With "deny" we are telling the router to refuse packets from 10.0.1.18 (a bare address with no wildcard mask means exactly that one host).

The "permit any" statement is not in the example as originally printed, and it is needed: every IOS access list ends with an invisible "deny any," so a list made only of deny statements blocks every packet, including the clients you wanted to let in. Order matters too: if "permit any" were listed first, the three deny statements would never be reached.

With "interface ethernet0" we tell the router which interface we'll configure. Finally, "ip access-group 42 in" tells the router that we want to apply the access list to that interface, and the "in" part tells it to apply the list to inbound packets.

Cisco routers can also be managed from a graphical or web-based front end, but we show the command line interface (CLI) so that you understand how the command works at its most basic level.
Write the right rules (Solution)

Let these guys in: 10.0.1.15, 10.0.1.16, 10.0.1.17
Keep these guys out: 10.0.1.18, 10.0.1.19, 10.0.1.20

Router 1's Access List

Access List ID | IP Address | Port | Allow/Deny
20 | 10.0.1.15 | 1 | Allow
20 | 10.0.1.16 | 2 | Allow
20 | 10.0.1.17 | 3 | Allow
20 | 10.0.1.18 | 4 | Deny
20 | 10.0.1.19 | 5 | Deny
20 | 10.0.1.20 | 6 | Deny
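To check a rule set like the one above before typing it into a router, here is an added example (not code from the book or the original post) that models how a Cisco-style numbered standard access list is evaluated: statements in configured order, first match wins, wildcard masks, and the implicit "deny any" at the end. It evaluates the six client addresses from the exercise against the three deny lines exactly as the CLI example prints them, the same list with "permit any" added, the list in the wrong order, and a wildcard-mask variant that permits the rest of 10.0.1.0/24. The StandardAcl class is this example's own; list number 42 and the addresses come from the page.

```python
"""Cisco-style standard ACL evaluation: ordered statements, first match, implicit deny.

Added example, not code from the original page. It models how a router walks a
numbered standard access list (source address only) so that a rule set can be
checked before it is applied. The addresses are the ones from the exercise; list
number 42 is from the CLI example.
"""
import ipaddress


class StandardAcl:
    def __init__(self, number):
        self.number = number
        self.statements = []   # (action, address, wildcard) in configured order

    def add(self, action, address="any", wildcard="0.0.0.0"):
        """One 'access-list N permit|deny ADDRESS [WILDCARD]' statement.

        No wildcard means a single host (0.0.0.0); 'any' matches every address.
        A wildcard bit of 1 means 'don't care', 0 means 'must match'.
        """
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny, got %r" % action)
        if address == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        self.statements.append((action,
                                int(ipaddress.IPv4Address(address)),
                                int(ipaddress.IPv4Address(wildcard))))

    def check(self, source_ip):
        """Return 'permit' or 'deny' for a packet from source_ip."""
        ip = int(ipaddress.IPv4Address(source_ip))
        for action, address, wildcard in self.statements:
            care = 0xFFFFFFFF ^ wildcard          # bits that must match exactly
            if ip & care == address & care:
                return action                     # first match wins; later lines are never consulted
        return "deny"                             # the implicit 'deny any' at the end of every IOS ACL


LET_IN = ("10.0.1.15", "10.0.1.16", "10.0.1.17")
KEEP_OUT = ("10.0.1.18", "10.0.1.19", "10.0.1.20")


def as_printed():
    """The three deny lines exactly as the CLI example shows them, and nothing else."""
    acl = StandardAcl(42)
    for host in KEEP_OUT:
        acl.add("deny", host)
    return acl


def corrected():
    """The same three denies followed by 'permit any'."""
    acl = as_printed()
    acl.add("permit", "any")
    return acl


def wrong_order():
    """'permit any' first: the deny statements are unreachable."""
    acl = StandardAcl(42)
    acl.add("permit", "any")
    for host in KEEP_OUT:
        acl.add("deny", host)
    return acl


def subnet_only():
    """Wildcard mask: permit the whole 10.0.1.0/24 except the three bad hosts, nothing else."""
    acl = as_printed()
    acl.add("permit", "10.0.1.0", "0.0.0.255")
    return acl


def evaluate(acl, hosts=LET_IN + KEEP_OUT):
    """Map each host address to the action the list takes on it."""
    return {host: acl.check(host) for host in hosts}


if __name__ == "__main__":
    for name, acl in (("as printed", as_printed()), ("corrected", corrected()),
                      ("wrong order", wrong_order()), ("subnet only", subnet_only())):
        print(name, evaluate(acl))
```

The "as printed" list denies all six clients, including the three you meant to let in, which is the implicit-deny trap; "corrected" gives the result the exercise asks for; "wrong order" lets everyone in, including the three you meant to keep out; and "subnet only" shows how a wildcard mask scopes the permit to one subnet so that an address outside 10.0.1.0/24 is still dropped.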