CITA 352 Chapter 13 Network Protection Systems

Understanding Routers
Network protection systems
–Routers
–Firewalls
–Intrusion detection and prevention systems
–Web filtering
–Honeypots
Security appliance
–Single device combining two or more protection functions

Understanding Routing Protocols
Routers are hardware devices
–Used to send packets to different network segments
–Operate at the network layer of the OSI model
Routing protocols
–Link-state routing protocol
  Router advertises its link state
–Distance-vector routing protocol
  Router passes its routing table to all participating routers
–Path-vector routing protocol
  Uses dynamically updated paths or routing tables to transmit packets

Understanding Basic Hardware Routers
Cisco routers
–Widely used in the networking community
  Millions used by companies around the world
Vulnerabilities exist
–As they do in any OS
–Security professionals must consider the router type when conducting a security test

Cisco Router Components
Random access memory (RAM)
–Holds the router’s running configuration, routing tables, and buffers
  If the router is turned off, contents stored in RAM are erased
Nonvolatile RAM (NVRAM)
–Holds the router’s configuration file
  Information is not lost if the router is turned off
Flash memory
–Holds the IOS image the router is using
–Rewritable memory, so IOS can be upgraded

Cisco Router Components (cont’d.)
Read-only memory (ROM)
–Contains a minimal version of IOS
  Used to boot the router if flash memory gets corrupted
Interfaces
–Hardware connectivity points; the router components of most concern
  An Ethernet port is an interface that connects to a LAN

Cisco Router Configuration
Configuration modes:
–User mode
  Administrator can perform basic troubleshooting tests and list information stored on the router
  Indicated by the router name followed by >
  Default mode
–Privileged mode
  Administrator can perform full router configuration tasks
  Indicated by the router name followed by #

Cisco Router Configuration (cont’d.)
Modes used to configure the router (entered from privileged mode)
–Global configuration mode
  Configure router settings affecting router operation
–Interface configuration mode
  Administrator can configure an interface on the router

Table 13-1 Cisco commands

Understanding Access Control Lists
Several types of access control lists
–This section focuses on IP access lists
  List IP addresses, subnets, or networks allowed or denied access through a router’s interface
Cisco router access lists
–Standard IP access lists
–Extended IP access lists

Standard IP Access Lists
Can restrict IP traffic entering or leaving a router’s interface based on source IP address
–To stop traffic from Network 3 from entering Network 1, the access list looks like this (the Network 3 address and wildcard mask did not survive in the transcript, so a placeholder stands in for them):
  access-list 1 deny <Network 3 address> <wildcard mask>
  access-list 1 permit any
Figure 13-1 Applying access lists to router interfaces

Extended IP Access Lists
Restrict IP traffic entering or leaving based on:
–Source IP address
–Destination IP address
–Protocol type
–Application port number
Configuration
–Similar to configuring a standard IP access list
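As an added example (not from the textbook or these slides), the following Python evaluator applies Cisco-style standard and extended access-list lines to packets with first-match semantics, wildcard masks and the implicit deny at the end of every list. The addresses are constructed stand-ins: Network 3 of Figure 13-1 is assumed to be 192.168.3.0/24 and a web server on Network 1 is assumed at 192.168.1.10.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "ip" matches any IP protocol; otherwise "tcp", "udp", "icmp"
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base address, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _addr(tokens: list) -> tuple:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (wildcard optional)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    wc = tokens.pop(0) if tokens and "." in tokens[0] else "0.0.0.0"   # no wildcard = single host
    return t, wc


def parse_ace(line: str) -> dict:
    """Parse one access-list entry. Lists numbered 1-99 are treated as standard (source only);
    anything else as extended: PROTO SRC WC DST WC [eq PORT]. Simplified grammar for this example."""
    tok = line.split()
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    if num <= 99:
        return {"action": action, "proto": "ip", "src": _addr(rest),
                "dst": ("0.0.0.0", "255.255.255.255"), "port": None}
    proto = rest.pop(0)
    src, dst = _addr(rest), _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry decides; a packet matching no entry hits the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"


# Constructed sample lists (addresses are assumptions, not from the slides)
STANDARD_ACL = ["access-list 1 deny 192.168.3.0 0.0.0.255", "access-list 1 permit any"]
EXTENDED_ACL = ["access-list 101 permit tcp any host 192.168.1.10 eq 80", "access-list 101 deny ip any any"]
```

The extended list shows why the trailing explicit deny matters: a packet to the right host but the wrong port, or the right port but the wrong protocol, falls through to it.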

Understanding Firewalls
Hardware devices with embedded OSs
–Control access to all traffic entering the internal network
–Control traffic leaving the internal network
Hardware firewall advantages:
–Usually faster than software firewalls
–Can handle larger throughput than software firewalls
Hardware firewall disadvantage:
–Locked into the firewall’s hardware

Understanding Firewalls (cont’d.)
Software firewall advantage:
–NICs are easily added to the server running the firewall software
Software firewall disadvantages:
–Configuration problems
–Rely on the running OS

Understanding Firewall Technology
Technologies include:
–Network address translation
–Access lists
–Packet filtering
–Stateful packet inspection
–Application layer inspection

Network Address Translation
Most basic security feature
–Internal private IP addresses are mapped to public external IP addresses
  Hides the internal infrastructure
Port Address Translation
–Derived from NAT
–Allows thousands of internal IP addresses to be mapped to one external IP address

Access Lists
Used to filter traffic based on:
–Source IP address
–Destination IP address
–Ports or services
Firewalls also use this technology
Creating access lists in a firewall
–Similar to creating them in a router

Packet Filtering
Packet filters
–Screen packets based on information contained in the packet header
  Protocol type
  IP address
  TCP/UDP port

Stateful Packet Inspection
Records session-specific information about a network connection
–Kept in a state table
Port scans relying on spoofing or on sending packets after a three-way handshake are made ineffective
Stateful packet filters
–Recognize anomalies most routers ignore
Stateless packet filters
–Handle each packet on an individual basis
–Not resistant to spoofing or DoS attacks

Table 13-2 State table example
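An added example (not from the textbook) of what the state table buys you: a small Python model of a stateful filter that only admits inbound TCP segments matching a session an inside host opened, beside a stateless "established" rule that admits anything carrying ACK. The traffic, addresses and the inside prefix are constructed; the hypothetical filter classes and the simplified flag handling are mine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags as letters: "S", "SA", "A", "FA", "R"
    direction: str    # "out" = leaving the internal network, "in" = arriving from the Internet


def stateless_established(p: Pkt) -> str:
    """A stateless filter with an 'established' rule permits any inbound segment carrying ACK,
    because it has no memory of which connections exist."""
    if p.direction == "out":
        return "permit"
    return "permit" if "A" in p.flags else "deny"


class StatefulFilter:
    """State table keyed on (inside addr, inside port, outside addr, outside port).
    Only outbound SYNs create entries; inbound packets must match an existing entry."""

    def __init__(self):
        self.table = {}                      # key -> "SYN_SENT" | "ESTABLISHED"

    def process(self, p: Pkt) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":               # new outbound connection attempt
                self.table[key] = "SYN_SENT"
                return "permit"
            if key not in self.table:        # outbound data with no session: treat as suspect
                return "deny"
        else:
            key = (p.dst, p.dport, p.src, p.sport)   # look up the reverse direction
            state = self.table.get(key)
            if state is None:                # unsolicited SYN, bare ACK probe, or forged reply
                return "deny"
            if state == "SYN_SENT" and p.flags == "SA":
                self.table[key] = "ESTABLISHED"
        if "F" in p.flags or "R" in p.flags:  # teardown removes the entry
            self.table.pop(key, None)
        return "permit"


def run(filter_fn, packets) -> list:
    """Apply a filter to a packet sequence and return the verdict for each packet."""
    return [filter_fn(p) for p in packets]


# Constructed traffic: one legitimate web session from an inside host, then three inbound probes
TRAFFIC = [
    Pkt("192.168.1.5", 40000, "203.0.113.10", 80, "S", "out"),
    Pkt("203.0.113.10", 80, "192.168.1.5", 40000, "SA", "in"),
    Pkt("192.168.1.5", 40000, "203.0.113.10", 80, "A", "out"),
    Pkt("203.0.113.99", 443, "192.168.1.5", 40001, "A", "in"),   # ACK with no matching session
    Pkt("203.0.113.99", 12345, "192.168.1.5", 22, "S", "in"),    # inbound SYN to an internal port
    Pkt("203.0.113.10", 80, "192.168.1.5", 40001, "SA", "in"),   # reply forged for the wrong port
]
```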

Application Layer Inspection
Inspects network traffic at a higher level in the OSI model
–Makes sure the network traffic’s application protocol is the type allowed by a rule
Some application-aware firewalls act as a proxy for all connections
–Safety net for servers or clients (or both)
  Depends on the firewall

Implementing a Firewall
Placing only a firewall between a company’s internal network and the Internet is dangerous
–Leaves the company open to attack if a hacker compromises the firewall
Use a demilitarized zone instead
–Adds a layer of defense

Demilitarized Zone
Small network
–Contains resources a company wants available to Internet users
  Helps maintain security on the internal network
Sits between the Internet and the internal network
–Sometimes referred to as a “perimeter network”

Figure 13-2 A DMZ protecting an internal network

Figure 13-3 An additional firewall used to protect the DMZ

Understanding the Cisco Adaptive Security Appliance Firewall
Cisco Adaptive Security Appliance (ASA) firewall
–One of the most widely used firewalls
–Replaced the PIX firewall
–Added advanced modular features
  Intrusion detection and prevention
  More sophisticated application layer inspection

Configuring the ASA Firewall
Similar logon prompt to a Cisco router
–Prompt:
  If you are not authorized to be in this XYZ Hawaii network device, log out immediately!
  Username: admin
  Password: ********
–The banner serves a legal purpose
–Prompt after a successful logon:
  Type help or '?' for a list of available commands.
  ciscoasa>

Configuring the ASA Firewall (cont’d.)
After entering the correct password
–You are in privileged mode
To enter configuration mode
–Use the same command as on a Cisco router: configure terminal or configure t
Access lists
–Used to filter traffic

Using Configuration and Risk Analysis Tools for Firewalls and Routers
Center for Internet Security
–One of the best Web sites for finding configuration benchmarks and configuration assessment tools
Benchmark
–Industry consensus of best configuration practices
  Cisco routers use the CIS Cisco IOS Benchmark
  Cisco ASA firewalls use the CIS Benchmark for Cisco Firewall Devices
Router Audit Tool (RAT)
–Faster and easier to use

Using Configuration and Risk Analysis Tools for Firewalls and Routers (cont’d.)
RedSeal
–Unique network risk analysis and mapping tool
–Identifies configuration vulnerabilities in routers or firewalls
–Generates professional-looking reports
–Analyzes IPSs and OS vulnerability scans
–Shows a graphical representation of the vulnerabilities discovered

Figure 13-4 The RedSeal network risk map

Understanding Intrusion Detection and Prevention Systems
Monitor network devices
–Security administrators can identify attacks in progress and stop them
Intrusion detection system (IDS)
–Examines traffic and compares it with known exploits
  Similar to antivirus software using a signature file to identify viruses
Intrusion prevention systems (IPSs)
–Similar to IDSs
–Also perform an action to prevent the intrusion

Network-Based and Host-Based IDSs and IPSs
Network-based IDSs/IPSs
–Monitor activity on network segments
–Sniff traffic and alert if something suspicious occurs
Host-based IDSs/IPSs
–Used to protect a critical network server or database server
–Software is installed on the server you’re attempting to protect

Network-Based and Host-Based IDSs and IPSs (cont’d.)
IDSs are also categorized by how they react when they detect suspicious behavior
–Passive systems
  Don’t take preventive action
  Send out an alert and log the activity
–Active systems
  Log events and send out alerts
  Can also interoperate with routers and firewalls

Network-Based and Host-Based IDSs and IPSs (cont’d.)
Vendors have started focusing on IPSs
–True network-based IPSs are installed inline in the network infrastructure
  Traffic has to pass through the IPS before going into or out of the network
–More capable of stopping malicious traffic
–Host-based IPSs operate at the OS (or kernel) level
  Intercept traffic not allowed by host policy

Network-Based and Host-Based IDSs and IPSs (cont’d.)
Network-based IDSs and IPSs are further categorized by the way they detect attacks
–Signature detectors
  Detect malicious activity by using a database of known attack signatures
–Anomaly detectors
  Use a baseline of normal activity and send an alert if activity deviates significantly

Table 13-3 Intrusion detection and prevention systems
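An added example (not from the textbook) contrasting the two detection methods on the same input: a signature detector that matches requests against a small constructed signature database, and an anomaly detector that flags clients whose per-minute request count exceeds a baseline by more than k standard deviations. The log lines, the signature set, and the "normal" history used to build the baseline are all constructed for this example.

```python
import re
import statistics
from collections import Counter

# Constructed access log, one "client_ip minute request_line" per line: a few normal
# requests, one traversal attempt, and one client issuing 40 requests in a single minute
LOG = """\
10.1.1.20 09:00 GET /index.html
10.1.1.21 09:00 GET /login
10.1.1.20 09:01 GET /images/logo.png
10.1.1.22 09:01 GET /../../private/config
10.1.1.21 09:02 POST /login
10.1.1.23 09:03 GET /index.html
""" + "".join(f"10.1.1.30 09:04 GET /page{i}\n" for i in range(40))

# Constructed signature database: patterns for attacks that are already known
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select"),
}

# Constructed history: requests per client per minute observed during a normal period
NORMAL_HISTORY = [1, 2, 1, 3, 2, 1, 2, 1]


def parse(log: str):
    """Yield (client_ip, minute, request_line) for each log line."""
    for line in log.splitlines():
        ip, minute, request = line.split(" ", 2)
        yield ip, minute, request


def signature_detect(log: str) -> list:
    """Flag every request matching a known signature: precise, but blind to anything not catalogued."""
    hits = []
    for ip, minute, request in parse(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((ip, minute, name))
    return hits


def baseline(history: list) -> tuple:
    """Baseline of normal activity: mean and population standard deviation of the history."""
    return statistics.mean(history), statistics.pstdev(history)


def anomaly_detect(log: str, rate: float, sd: float, k: float = 3.0) -> list:
    """Flag (client, minute, count) where count exceeds rate + k*sd. Catches behaviour no
    signature describes, but a legitimate burst trips it too, so k and the baseline need tuning."""
    per_client_minute = Counter((ip, minute) for ip, minute, _ in parse(log))
    threshold = rate + k * sd
    return sorted((ip, minute, n) for (ip, minute), n in per_client_minute.items() if n > threshold)
```

Note that neither detector sees what the other does: the 40-request burst matches no signature, and the traversal request is a single, perfectly ordinary-looking event for the anomaly detector.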

Web Filtering
Statistically, firewalls and IPSs do a good job of protecting a network from Internet attacks
–Hackers know the statistics
  Now use the least restricted pathway through a firewall
–Target devices that are automatically allowed access out of the network: user workstations
  Get an internal user to visit a bogus Web site or install malicious code from an attachment
  Don’t need to break through the firewall
  Firewall application layer inspection might not detect this kind of attack

Web Filtering (cont’d.)
Web filtering is used to detect users’ attempts to access malicious Web sites and block them
–Some products also block malicious code
  Before it gets to a user’s workstation
  Before it connects to an attacker’s control system outside the network
Mass compromises are used to initiate drive-by downloads
–Web site visitors download malicious code without their knowledge

Security Incident Response Teams
Large organizations with sensitive or critical data
–Normal administrative expertise isn’t enough to do:
  Follow-up and damage assessment
  Risk remediation and legal consultation
Security incident response team (SIRT)
–Permanent team
–Responsible solely for security-response functions
Ad hoc team
–Members normally have other roles
–Called in response to a specific incident

Understanding Honeypots
Honeypot
–Computer placed on the network perimeter
  Contains information to lure and trap hackers
  Configured to have vulnerabilities
–Keeps hackers connected long enough so they can be traced back
–Serves as an excellent data collector and early warning system

How Honeypots Work
Honeypot appears to have important data or sensitive information stored on it
–Could store fake financial data
–Hackers will spend time attacking the honeypot
  Stop looking for real vulnerabilities
  Enables security staff to collect data on attackers
Available honeypots
–Commercial and open-source
Virtual honeypots
–Created using a programming language

Table 13-4 Commercial honeypots

Table 13-5 Open-source honeypots