1 / 49

Hands-On Ethical Hacking and Network Defense Second Edition

Chapter 13 Network Protection Systems. Hands-On Ethical Hacking and Network Defense Second Edition. Objectives. After reading this chapter and completing the exercises, you will be able to: Explain how routers are used as network protection systems

emera
Download Presentation

Hands-On Ethical Hacking and Network Defense Second Edition

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 13 Network Protection Systems Hands-On Ethical Hacking and Network DefenseSecond Edition

  2. Objectives • After reading this chapter and completing the exercises, you will be able to: • Explain how routers are used as network protection systems • Describe firewall technology and tools for configuring firewalls and routers • Describe intrusion detection and prevention systems and Web-filtering technology • Explain the purpose of honeypots Hands-On Ethical Hacking and Network Defense, Second Edition

  3. Understanding Routers • Network protection systems • Routers • Firewalls • Intrusion detection and prevention systems • Web filtering • Honeypots • Security appliance • Single device combining two or more protection functions Hands-On Ethical Hacking and Network Defense, Second Edition

  4. Understanding Routing Protocols • Routers are hardware devices • Used to send packets to different network segments • Operate at network layer of OSI model • Routing protocols • Link-state routing protocol • Router advertises link-state • Distance-vector routing protocol • Router passes routing table to all participating routers • Path-vector routing protocol • Uses dynamically updated paths or routing tables to transmit packets Hands-On Ethical Hacking and Network Defense, Second Edition

  5. Understanding Basic Hardware Routers • Cisco routers • Widely used in networking community • Millions used by companies around the world • Vulnerabilities exist • As they do in any OS • Security professionals must consider the router type when conducting a security test Hands-On Ethical Hacking and Network Defense, Second Edition

  6. Cisco Router Components • Random access memory (RAM) • Holds router’s running configuration, routing tables, and buffers • If turned off, contents stored in RAM are erased • Nonvolatile RAM (NVRAM) • Holds router’s configuration file • Information is not lost if the router is turned off • Flash memory • Holds IOS the router is using • Rewritable memory, so IOS can be upgraded Hands-On Ethical Hacking and Network Defense, Second Edition

  7. Cisco Router Components (cont’d.) • Read-only memory (ROM) • Contains a minimal version of IOS • Used to boot router if flash memory gets corrupted • Interfaces • Hardware connectivity points for components of most concern • Ethernet port is an interface that connects to a LAN Hands-On Ethical Hacking and Network Defense, Second Edition

  8. Cisco Router Configuration • Configuration modes: • User mode • Administrator can perform basic troubleshooting tests and list information stored on router • Indicated by router name followed by > • Default mode • Privileged mode • Administrator can perform full router configuration tasks • Indicated by router name followed by # Hands-On Ethical Hacking and Network Defense, Second Edition

  9. Cisco Router Configuration (cont’d.) • Modes to configure the router (in privileged mode) • Global configuration mode • Configure router settings affecting router operation • Interface configuration mode • Administrator can configure an interface on the router Hands-On Ethical Hacking and Network Defense, Second Edition

  10. Table 13-1 Cisco commands Hands-On Ethical Hacking and Network Defense, Second Edition

  11. Understanding Access Control Lists • Several types of access control lists • This section focuses on IP access lists • Lists IP addresses, subnets, or networks allowed or denied access through a router’s interface • Cisco router access lists • Standard IP access lists • Extended IP access lists Hands-On Ethical Hacking and Network Defense, Second Edition

  12. Standard IP Access Lists • Can restrict IP traffic entering or leaving a router’s interface based on source IP address • To restrict traffic from Network 3 from entering Network 1, access list looks like: access-list 1 deny 173.110.0.0 0.0.255.255 access-list permit any Figure 13-1 Applying access lists to router interfaces Hands-On Ethical Hacking and Network Defense, Second Edition

  13. Extended IP Access Lists • Restricts IP traffic entering or leaving based on: • Source IP address • Destination IP address • Protocol type • Application port number • Configuration • Similar to configuring a standard IP access list Hands-On Ethical Hacking and Network Defense, Second Edition

  14. Understanding Firewalls • Hardware devices with embedded OSs • Controls access to all traffic entering internal network • Controls traffic leaving internal network • Hardware firewall advantages: • Usually faster than software firewalls • Can handle larger throughput than software firewalls • Hardware firewall disadvantage: • Locked into firewall’s hardware Hands-On Ethical Hacking and Network Defense, Second Edition

  15. Understanding Firewalls (cont’d.) • Software firewalls advantage: • NICs are easily added to server running firewall software • Software firewalls disadvantage: • Configuration problems • Rely on running OS • Astaro Hands-On Ethical Hacking and Network Defense, Second Edition

  16. Understanding Firewall Technology • Technologies include: • Network address translation • Access lists • Packet filtering • Stateful packet inspection • Application layer inspection Hands-On Ethical Hacking and Network Defense, Second Edition

  17. Network Address Translation • Most basic security feature • Internal private IP addresses are mapped to public external IP addresses • Hiding internal infrastructure • Port Address Translation • Derived from NAT • Allows thousands of internal IP addresses to be mapped to one external IP address Hands-On Ethical Hacking and Network Defense, Second Edition

  18. Access Lists • Used to filter traffic based on: • Source IP address • Destination IP address • Ports or services • Firewalls also use this technology • Creating access lists in a firewall • Similar to creating them in a router Hands-On Ethical Hacking and Network Defense, Second Edition

  19. Packet Filtering • Packet filters • Screen packets based on information contained in packet header • Protocol type • IP address • TCP/UDP port Hands-On Ethical Hacking and Network Defense, Second Edition

  20. Stateful Packet Inspection • Record session-specific information about a network connection • Including state table • Port scans relying on spoofing or sending packets after a three-way handshake are made ineffective • Stateful packet filters • Recognize anomalies most routers ignore • Handle each packet on an individual basis • Not resistant to spoofing or DoS attacks Hands-On Ethical Hacking and Network Defense, Second Edition

  21. Table 13-2 State table example Hands-On Ethical Hacking and Network Defense, Second Edition

  22. Application Layer Inspection • Inspects network traffic at a higher level in OSI model • Makes sure network traffic’s application protocol is the type allowed by a rule • Some application-aware firewalls act as a proxy for all connections • Safety net for servers or clients (or both) • Depends on firewall Hands-On Ethical Hacking and Network Defense, Second Edition

  23. Implementing a Firewall • Placing a firewall between a company’s internal network and the Internet is dangerous • Leaves company open to attack if a hacker compromises the firewall • Use a demilitarized zone instead • Adds a layer of defense Hands-On Ethical Hacking and Network Defense, Second Edition

  24. Demilitarized Zone • Small network • Contains resources a company wants available to Internet users • Helps maintain security on internal network • Sits between Internet and internal network • Sometimes referred to as a “perimeter network” Hands-On Ethical Hacking and Network Defense, Second Edition

  25. Figure 13-2 A DMZ protecting an internal network Hands-On Ethical Hacking and Network Defense, Second Edition

  26. Figure 13-3 An additional firewall used to protect the DMZ Hands-On Ethical Hacking and Network Defense, Second Edition

  27. Understanding the Cisco Adaptive Security Appliance Firewall • Cisco Adaptive Security Appliance (ASA) firewall • One of the most widely used firewalls • Replaced PIX firewall • Added advanced modular features • Intrusion detection and prevention • More sophisticated application layer inspection Hands-On Ethical Hacking and Network Defense, Second Edition

  28. Configuring the ASA Firewall • Similar logon prompt as Cisco router • Prompt: If you are not authorized to be in this XYZ Hawaii network device, log out immediately! Username: admin Password: ******** • Serves a legal purpose • Prompt after successful log on: Type help or '?' for a list of available commands. ciscoasa> Hands-On Ethical Hacking and Network Defense, Second Edition

  29. Configuring the ASA Firewall (cont’d.) • After entering correct password • You are in privileged mode • To enter configuration mode • Use same command as on a Cisco router configure terminal or configure t • Access lists • Used to filter traffic Hands-On Ethical Hacking and Network Defense, Second Edition

  30. Using Configuration and Risk Analysis Tools for Firewalls and Routers • Center for Internet Security • One of the best Web sites for finding configuration benchmarks and configuration assessment tools • Benchmark • Industry consensus of best configuration practices • Cisco routers use CIS Cisco IOS Benchmark • Cisco ASA firewalls use CIS Benchmark for Cisco Firewall Devices • Router Audit Tool (RAT) • Faster and easier to use Hands-On Ethical Hacking and Network Defense, Second Edition

  31. Using Configuration and Risk Analysis Tools for Firewalls and Routers (cont’d.) • RedSeal • Unique network risk analysis and mapping tool • Identifies configuration vulnerabilities in routers or firewalls • Generates professional-looking reports • Analyzes IPSs and OS vulnerability scans • Shows a graphical representation of vulnerabilities discovered Hands-On Ethical Hacking and Network Defense, Second Edition

  32. Figure 13-4 The RedSeal network risk map Hands-On Ethical Hacking and Network Defense, Second Edition

  33. Understanding Intrusion Detection and Prevention Systems • Monitor network devices • Security administrators can identify attacks in progress and stop them • Intrusion detection system (IDS) • Examines traffic and compares it with known exploits • Similar to virus software using a signature file to identify viruses • Intrusion prevention systems (IPSs) • Similar to IDSs • Also performs an action to prevent the intrusion Hands-On Ethical Hacking and Network Defense, Second Edition

  34. Network-Based and Host-Based IDSs and IPSs • Network-based IDSs/IPSs • Monitor activity on network segments • Sniff traffic and alerts if something suspicious occurs • Host-based IDSs/IPSs • Used to protect a critical network server or database server • Software is installed on server you’re attempting to protect Hands-On Ethical Hacking and Network Defense, Second Edition

  35. Network-Based and Host-Based IDSs and IPSs (cont’d.) • IDSs are also categorized by how they react when they detect suspicious behavior • Passive systems • Don’t take preventative action • Send out an alert and log the activity • Active systems • Log events and send out alerts • Can also interoperate with routers and firewalls Hands-On Ethical Hacking and Network Defense, Second Edition

  36. Network-Based and Host-Based IDSs and IPSs (cont’d.) • Vendors have started focusing on IPSs • True network-based IPS are installed inline to network infrastructure • Traffic has to pass through IPS before going into or out of the network • More capable of stopping malicious traffic • Host-based IPSs operate at the OS (or kernel) level • Intercept traffic not allowed by host policy Hands-On Ethical Hacking and Network Defense, Second Edition

  37. Network-Based and Host-Based IDSs and IPSs (cont’d.) • Network-based IDSs and IPSs are further categorized by the way they detect attacks • Signature detectors • Detect malicious activity by using a database of known attack signatures • Anomaly detectors • Use a baseline of normal activity and send an alert if activity deviates significantly Hands-On Ethical Hacking and Network Defense, Second Edition

  38. Table 13-3 Intrusion detection and prevention systems Hands-On Ethical Hacking and Network Defense, Second Edition

  39. Web Filtering • Statistically, firewalls and IPSs do a good job of protecting a network from Internet attacks • Hackers know statistics • Now using least restricted pathway through a firewall • Target devices allowed access out of the network automatically: user workstations • Get internal user to visit a bogus Web site or install malicious code from an e-mail attachment • Don’t need to break through the firewall • Firewall application layer inspection might not detect this kind of attack Hands-On Ethical Hacking and Network Defense, Second Edition

  40. Web Filtering (cont’d.) • Web filtering is used to detect users’ attempts to access malicious Web sites and block tem • Some block malicious code • Before it gets to a user’s workstation • Before it connects to an attacker’s control system outside the network • Mass compromises are used to initiate drive-by downloads • Web site visitors download malicious code without their knowledge Hands-On Ethical Hacking and Network Defense, Second Edition

  41. Security Incident Response Teams • Large organizations with sensitive or critical data • Normal administrative expertise isn’t enough to do: • Follow up and damage assessment • Risk remediation and legal consultation • Security incident response team (SIRT) • Permanent team • Responsible solely for security-response functions • Ad hoc team • Members normally have other roles • Called in response to a specific incident Hands-On Ethical Hacking and Network Defense, Second Edition

  42. Understanding Honeypots • Honeypot • Computer placed on network perimeter • Contains information to lure and trap hackers • Configured to have vulnerabilities • Keeps hackers connected long enough so they can be traced back • Serves as an excellent data collector and early warning system • Honeyd.org Hands-On Ethical Hacking and Network Defense, Second Edition

  43. How Honeypots Work • Honeypot appears to have important data or sensitive information stored on it • Could store fake financial data • Hackers will spend time attacking the honeypot • Stop looking for real vulnerabilities • Enables security to collect data on attackers • Available honeypots • Commercial and open-source • Virtual honeypots • Created using programming language Hands-On Ethical Hacking and Network Defense, Second Edition

  44. Table 13-4 Commercial honeypots Hands-On Ethical Hacking and Network Defense, Second Edition

  45. Table 13-5 Open-source honeypots Hands-On Ethical Hacking and Network Defense, Second Edition

  46. Summary • Network protection systems • Routers, firewalls, IDSs, IPSs, Web filters, etc. • Routers • Use access lists to accept or deny traffic • Firewalls • Can be hardware devices or software installed on computer systems • Use NAT, packet filtering, access control lists, stateful packet inspection, and application layer inspection Hands-On Ethical Hacking and Network Defense, Second Edition

  47. Summary (cont’d.) • DMZ • Small network containing resources that sits between the Internet and internal network • Intrusion detection systems • Monitor network traffic • Network-based IDSs • Monitor activity on network segments • Host-based IDSs • Protect a critical network server or database server Hands-On Ethical Hacking and Network Defense, Second Edition

  48. Summary (cont’d.) • Passive IDSs • Don’t take any action or prevent an activity from continuing to occur • Active IDSs • Log, send alerts, and interoperate with routers and firewalls • Intrusion prevention systems (IPSs) • Detect malicious activity • Can block or prevent malicious activity Hands-On Ethical Hacking and Network Defense, Second Edition

  49. Summary (cont’d.) • Anomaly detectors • Detect activity varying from a set baseline • Configuring routers and firewalls securely • Easier with benchmark tools • Web filtering • Can block Web sites containing malicious code • Large organizations • Might need a security incident response team • Honeypots • Lure hackers away from legitimate resources Hands-On Ethical Hacking and Network Defense, Second Edition

More Related