Introduction to Network Security © N. Ganesan, Ph.D.

Biometrics

Acknowledgements Who Are You Really?, by Tim Sigmon Director, Advanced Technology Group, Office of Information Technologies, University of Virginia Student project presentation by Rickie Johnson

Chapter Focus Definition of biometrics Biometrics techniques Strengths and weaknesses Major Products Summary

What is Biometrics? Access control based on unique human characteristics –Characteristics can be both physiological and behavioral Access in this case means access to computers and computing resources Examples –Fingerprints –Eye retina characteristics etc.

An Example Control access to a computer based on the fingerprint of the user –A fingerprint recognition unit attached to the computer via the USB port may be used for this purpose

Some Biometrics Techniques Eye Scanning Fingerprint scanning Hand scanning Face recognition Voice recognition Signature recognition (DSV) Keystroke recognition

More Human Characteristics for Biometrics Wrist veins Ear shape Body odor DNA

Excellent; continue with the University of Virginia article (du/spring99/newtech/home.html).

Eye Scanning Two major techniques –Iris scanning and retina scanning Offers the highest level of security

Fingerprints Generally considered highly accurate, though not as accurate as retinal scanning. Fingerprints vary with dirt, dry hands, cracked skin and gender, and that variation can degrade the fingerprint recognition system. Can be used for controlling access to computers.

Hand Scanning Scanning may be based on the 3-D shape and size of the hand, including lengths, widths, thickness, and surface areas. Not as accurate as fingerprinting. Not used for authorizing access to computers, in general –Used in general to give door entry access, tracking time, attendance etc.

Accuracy of Biometrics Systems False Acceptance Rate (FAR) False Rejection Rate (FRR) An equal error rate may be chosen to balance FAR against FRR

Retinal Scanning User Looks Into a Viewer and Focuses on a Point; Infrared Light Scans Retina Iris Scanning User looks at a camera (distance from camera increasing rapidly to 2-3 feet)

Finger Scanning User Places Finger on Scanning Device

Hand Scanning User Places Hand on Device

Facial Recognition User Looks at Camera

Other Techniques Voice Recognition & DSV: User speaks into a microphone or other device, such as a telephone handset. Signature Recognition: User signs name on a device. Keystroke Recognition: User types a standard sample on the keyboard.

Strengths and Weaknesses Retina Iris Fingerprint Hand/Finger Geometry Face Recognition Voice Recognition Signature Recognition Keystroke Recognition

Technique: Strengths
Retina: Highly accurate
Iris: Highly accurate; works with eyeglasses; more acceptable to users than retina scan
Fingerprint: Mature technology; highly accurate; low cost; small size; becoming widely acceptable
Hand/Finger Geometry: Accurate and flexible; widely acceptable to users
Face Recognition: Widely acceptable to users; low cost; no direct contact; passive monitoring possible
Voice Recognition: Usable over existing telephone system; good for remote access and monitoring
Signature Recognition: Widely acceptable to users
Keystroke Recognition: Widely acceptable to users; low cost; uses existing hardware

Technique: Weaknesses
Retina: Inconvenient for persons with eyeglasses; users dislike contact with device and light beam
Iris: New technology; cost, although this is rapidly changing
Fingerprint: Users can create high FRR; some persons dislike contact with device
Hand/Finger Geometry: User interface is bulky; users dislike contact with device
Face Recognition: Less accurate than other methods
Voice Recognition: Less accuracy; subject to background noise
Signature Recognition: Less accuracy; not widely used yet, but has potential with PDAs
Keystroke Recognition: Less accuracy

FAR & FRR FAR (False Acceptance Rate) refers to how often the system accepts someone it should reject, and FRR (False Rejection Rate) is how often the system rejects someone it shouldn't.

Relation of FAR and FRR (figure): FAR = accept the wrong person; FRR = reject the correct person; both plotted against the security level from low to high.
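The FAR/FRR trade-off and the equal error rate worked through in code. This is an added example, not material from the slides; the genuine and impostor score lists are constructed sample data, and the 0..100 score scale and the "accept when score is at or above the threshold" rule are assumptions of the example.

```python
"""FAR, FRR and the equal error rate, worked on constructed matcher scores
(added illustration; not from the original slides).

A matcher returns a similarity score and the system accepts when
score >= threshold. FAR is the fraction of impostor attempts accepted,
FRR the fraction of genuine attempts rejected. Raising the threshold
(a higher security level) lowers FAR and raises FRR; the equal error
rate (EER) is the threshold where the two balance.
"""

# Constructed sample scores on a 0..100 scale (a real deployment has far more).
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61]
IMPOSTOR_SCORES = [69, 64, 58, 55, 52, 49, 47, 44, 40, 37, 33, 30]


def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) when accepting every score >= threshold."""
    accepted_impostors = sum(1 for s in impostor if s >= threshold)
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    return accepted_impostors / len(impostor), rejected_genuine / len(genuine)


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep thresholds 0..100; return (threshold, FAR, FRR) where |FAR - FRR| is smallest."""
    best = None
    for t in range(101):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold that meets a FAR ceiling (high-security tuning); returns (threshold, FAR, FRR)."""
    for t in range(101):
        far, frr = far_frr(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t in (50, 65, 70, 80):
        far, frr = far_frr(t)
        print(f"threshold {t:3d}: FAR={far:.3f} FRR={frr:.3f}")
    print("EER operating point (threshold, FAR, FRR):", equal_error_rate())
    print("FAR = 0 requires (threshold, FAR, FRR):", threshold_for_max_far(0.0))
```

With these scores the EER sits at threshold 65 (FAR 1/12, FRR 1/10); forcing FAR to zero pushes the threshold to 70 and doubles FRR to 0.2, which is the "high security level" end of the figure above.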

Major Players Computer access Physical access Handheld devices Military/Govt. Agencies/DOD Financial services Hospitals Telecommunication

Summary As biometric technology advances, the cost of systems will decrease. At the same time, biometric systems will become increasingly sophisticated and accurate. Scientists will find further physical and behavioral traits that will increase the usefulness of biometrics. The general public will gradually come to accept biometric systems.


Notes Threats Hacking Firewalls Managing Security

Firewall © N. Ganesan

Acknowledgement

What is a Firewall?* A firewall isolates two networks from one another to enforce security A network in this case may consist of one or more computers The firewall inspects each individual “packet” of data as it arrives at either side of the firewall — inbound or outbound and determines whether the data packet should be allowed to pass or be blocked.

Types of Firewall Hardware based such as the Dlink firewall Software based such as Zone Alarm

Hardware Firewalls CISCO Dlink Linksys

General Firewall Features Port control, application monitoring (program control) and packet filtering. Additional features: data encryption, hiding presence, reporting/logging, e-mail virus protection, pop-up ad blocking, cookie digestion, spyware protection, laptop protection.

Do Firewalls Prevent Viruses and Trojans?* NO!! A firewall can only prevent a virus or Trojan from accessing the internet while on your machine. 95% of all viruses and Trojans are received via e-mail, through file sharing (like Kazaa or Gnucleus) or through direct download of a malicious program. Firewalls can't prevent this - only a good anti-virus software program can.

Firewall Protection for Viruses and Trojans* However, once installed on your PC, many viruses and Trojans "call home" using the internet to the hacker that designed it. This lets the hacker activate the Trojan and he/she can now use your PC for his/her own purposes. A firewall can block the call home and can alert you if there is suspicious behavior taking place on your system.

Some Hardware Firewall Features* Offers IP security (IPsec) and Internet Key Exchange (IKE) network encryption. Integrated firewall functions. Network address translation. Encrypted SNMP management traffic.

Some Software Firewalls Zone Alarm Microsoft Mcafee Norton

Basic Types Network Layer Application Layer

Network Layer Makes decisions based on the source and destination addresses and ports in individual IP packets. Based on routers. Has the ability to perform static and dynamic packet filtering and stateful inspection.

Static & Dynamic Filtering Static Packet Filtering looks at minimal information in the packets to allow or block traffic between specific service ports. Offers little protection. Dynamic Packet Filtering maintains a connection table in order to monitor requests and replies.

Stateful inspection Compares certain key parts of the packet to a database of trusted information. Incoming information is compared to the characteristics of outgoing information. Information is allowed through only if the comparison yields a reasonable match.

Application Layer They are generally hosts running proxy servers which perform logging and auditing of traffic through the network. Logging and access control are done through software components.

Proxy Services Application that mediates traffic between a protected network and the internet. Able to understand the application protocol being utilized and implement protocol specific security. App. Protocols include: FTP, HTTP, Telnet etc.

1. Trojan horse programs 2. Back door and remote administration programs 3. Denial of service 4. Being an intermediary for another attack 5. Unprotected Windows shares 6. Mobile code (Java, JavaScript, and ActiveX) 7. Cross-site scripting 8. E-mail spoofing 9. E-mail-borne viruses 10. Hidden file extensions 11. Chat clients 12. Packet sniffing

Possible threats Port scans Buffer overflow attacks Denial of Service (DoS) attacks Active code: Trojan horses, worms Application / operating system bugs or backdoors Remote login, SMTP session hijacking, e-mail bombs, spam, redirect bombs, source routing

Port Scans When hackers remotely spy on your computers to see what software and services they have. Port scans are common but with a properly configured and maintained firewall you can restrict access.

Buffer overflow attacks Involve sending data to a vulnerable program in such a way that the program crashes, allowing a hacker to get remote control of the computer. Such an attack can be traced back.

Denial of Service Attacks Involves sending bogus traffic so that the company is unable to respond to legitimate service requests from employees and customers. A properly configured and maintained firewall can minimize the damage.

Active Code Attack An attack using active code (ActiveX, Java, VBScript) executed by the browser; also known as a Trojan horse or worm. A traditional firewall cannot protect against active code or viruses very well.

Firewall Architecture Dial-up Architecture Single Router Architecture Firewall with Proxy Server Redundant Internet Configuration

1. Dial-up Architecture (diagram): the Internet is reached over, e.g., an ISDN line to the firewall system; the firewall separates the DMZ (hub) from the LAN (hub) holding the workstation/s.

2. Single Router Architecture (diagram): Internet, router or cable modem, firewall system, DMZ (hub) holding the outside server, LAN (hub) holding the workstation/s. * Filter rules can be set up in the router.

3. Firewall with Proxy Server (1) (diagram): Internet, combined proxy/firewall system, LAN (hub) holding the workstation/s. * The proxy server is integrated into the firewall.

4. Firewall with Proxy Server (2) (diagram): Internet, firewall system, LAN (hub) holding the workstation/s and the proxy server. 1. Proxy server on the LAN. 2. Firewall rules only allow the proxy server to connect to the Internet.

5. Redundant Internet Configuration (diagram): ISP #1 and ISP #2 both feed a router; DMZ (hub) holding the outside server and VPN; firewall system; LAN (hub) holding the workstation/s and the proxy server; a shared server on a WAN (hub) for partners. * Objective: 100% uptime service.

Single Point of Failure An architecture whose security hinges upon one mechanism. Remedy: redundant rules on the host or router.

Using a Single Firewall Configuration Advantage ISP network is separated from other networks – limiting the intrusion One firewall to purchase and manage. Internal network is not dependent on the Web Site environment. Implemented easily in an existing architecture.

Using a Single Firewall Configuration Disadvantage An intruder who gains access to a server in the ISP network may gain access to other servers on the site. Additional security is necessary.

DMZ Demilitarized zone Neither part of the internal network nor part of the Internet Never offer attackers more to work with than is absolutely necessary

Critical Resources for Firewall Scenarios
Service: Critical resource
E-mail: Disk I/O
Netnews: Disk I/O
Web: Host OS socket performance
IP Routing: Host OS socket performance
Web Cache: Host OS socket performance, Disk I/O

Firewall Scenario Microsoft Internet Security and Acceleration (ISA) Server as a Dedicated Server

Network Configuration Single Computer Small Office Network –Less than 250 clients –IP network protocol –Demand-dial connectivity Larger Organization –Array of ISA Servers (diagram: Internet, ISA Server, local area network)

Setting up Clients Firewall client software installed Firewall clients identified and fully authenticated by ISA Server Site and content rules may limit access Secure Network Address Translation (NAT) – if not deploying client software to all users

Web Proxy Clients Web browser configured to use the ISA Server computer as its proxy server Proxy server port in the Web browser set to 8080 Web requests on ISA are set to port 8080

Do I really allow everything that users ask for? Entirely possible answer is "NO" Each site has its own policies. "Education" is needed – accomplish their objective in a secure manner How to work through the firewall for: streaming video, real-time chat, Web/HTTP, DNS, FTP, Telnet……

Software Firewall Windows –Zone Alarm –Winroute –Trojan Trap - Trojan Horse Firewall Linux –Iptables Firewall Mac –Netbarrier

Implementing Firewall – An Example Using Winroute as a software router for a small LAN. Using Trojan Trap as protection against active code attack. Software installation. Firewall configuration. Test and scan.

Firewall software comparison

Winroute Routing using NAT (Network Address Translation) Packet filtering Port mapping Anti-spoofing VPN support DNS, DHCP Remote administration

Configuration and Rule Sets

Setup Winroute for LAN Winroute-PC should at least have 2 NICs Check that all IP addresses are pingable Validate NAT on the Winroute-PC Deactivate NAT on the NIC connected to internal LAN

Setup Winroute for LAN No gateway configured on your local interface of the Winroute-PC Configure forwarding options On each internal PC configure the default gateway On each internal PC configure the DNS server

Scan and Test

Trojan Trap Resources protection – restrict access to system resources by unknown application Application control Content filtering IP ports monitoring

Hardware Firewall What is it? What it does. An example. Firewall use. What it protects you from.

Hardware Firewall (Cont.) What is it? –It is just a software firewall running on a dedicated piece of hardware or specialized device. –Basically, it is a barrier to keep destructive forces away from your property. –You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.

Hardware Firewall (Cont.) What it does! –It is a hardware device that filters the information coming through the Internet connection into your private network or computer system. –If an incoming packet of information is flagged by the filters, it is not allowed through.

Hardware Firewall (Cont.) An example !

Hardware Firewall (Cont.) Firewall use: –Firewalls use one or more of three methods to control traffic flowing in and out of the network: –Packet filtering –Proxy service –Stateful inspection

Hardware Firewall (Cont.) Packet filtering – Packets are analyzed against a set of filters. Proxy service – Information from the Internet is retrieved by the firewall and then sent to the requesting system, and vice versa. Stateful inspection – It compares certain key parts of the packet to a database of trusted information. Information traveling from inside to the outside is monitored for specific defining characteristics; incoming information is then compared to these characteristics.
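The packet-filtering slides above (static and dynamic filtering, stateful inspection, and the earlier Winroute anti-spoofing feature) described in working code. This is an added example, not code from the slides or from any firewall product; the 192.168.1.0/24 LAN, the addresses, ports and rule set are all constructed for the example, and the "inside"/"outside" interface names are an assumption.

```python
"""Three firewall decision methods on constructed packets (added illustration,
not code from the original slides or any firewall product).

 * static packet filtering decides on address/port fields of each packet alone;
 * anti-spoofing rejects packets arriving from the Internet that claim an
   internal source address;
 * stateful inspection keeps a connection table so that replies are admitted
   only for conversations an inside host started.
All addresses, ports and rules below are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed internal LAN


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN set: a new connection attempt
    ack: bool = False


# Rule: (arrival interface, source port or None, destination port or None, action)
POLICY = [
    ("inside", None, 80, "allow"),    # LAN hosts may open web connections
    ("outside", None, 25, "allow"),   # Internet hosts may reach the mail server
]
# A static filter has no memory, so it must also let web replies in by source
# port; anything from the Internet with source port 80 then passes, whatever it targets.
STATIC_RULES = POLICY + [("outside", 80, None, "allow")]


def rule_matches(rule, pkt):
    iface, sport, dport, _ = rule
    return (pkt.iface == iface
            and (sport is None or pkt.sport == sport)
            and (dport is None or pkt.dport == dport))


def lookup(rules, pkt):
    """First matching rule wins; default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[3]
    return "deny"


def static_filter(pkt):
    """Static packet filtering: header fields only, no connection memory, no spoof check."""
    return lookup(STATIC_RULES, pkt)


def is_spoofed(pkt):
    """Anti-spoofing: a packet from the outside interface must not carry an inside source."""
    return pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in INSIDE_NET


class StatefulFirewall:
    def __init__(self):
        self.connections = set()  # each entry: frozenset of the two (ip, port) endpoints

    def decide(self, pkt):
        if is_spoofed(pkt):
            return "deny"
        flow = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if flow in self.connections:
            return "allow"          # reply or continuation of a tracked connection
        if pkt.syn and not pkt.ack and lookup(POLICY, pkt) == "allow":
            self.connections.add(flow)  # new connection permitted by policy: remember it
            return "allow"
        return "deny"


# Constructed traffic, processed in this order
SAMPLE_PACKETS = {
    "web_request": Packet("inside", "192.168.1.10", 40001, "203.0.113.5", 80, syn=True),
    "web_reply": Packet("outside", "203.0.113.5", 80, "192.168.1.10", 40001, syn=True, ack=True),
    "sport80_probe": Packet("outside", "203.0.113.9", 80, "192.168.1.10", 445, syn=True),
    "spoofed_syn": Packet("outside", "192.168.1.50", 5555, "192.168.1.25", 25, syn=True),
    "mail_syn": Packet("outside", "198.51.100.7", 51000, "192.168.1.25", 25, syn=True),
}


def run_demo(packets=SAMPLE_PACKETS):
    """Return {name: (static decision, stateful decision)} for the packets in order."""
    fw = StatefulFirewall()
    return {name: (static_filter(pkt), fw.decide(pkt)) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (static, stateful) in run_demo().items():
        print(f"{name:14s} static={static:6s} stateful={stateful}")
```

The static filter admits the source-port-80 probe and the spoofed packet because it can only look at header fields; the stateful filter admits the web reply because the outbound request put the flow in its table, and denies the other two. That is the "offers little protection" of static filtering made concrete.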

Hardware Firewall (Cont.) What it protects you from: –Remote logins –Application backdoors –SMTP session hijacking –Addresses –Spam –Denial of service –E-mail bombs (sent thousands of times till the mailbox is full) –Macros –Viruses

Software Firewall What is it? –Also called application-level firewalls –A firewall that operates at the application layer of the OSI model –They filter packets at the network layer –It operates between the data link layer and the network layer –It monitors the communication type (TCP, UDP, ICMP, etc.) as well as the origin of the packet, the destination port of the packet, and the application (program) the packet is coming from or headed to.

Software Firewall (Cont.) How does a software firewall work?

Software Firewall (Cont.) Benefits of using application firewalls: –Allow a direct connection between client and host –Ability to report to intrusion detection software –Equipped with a certain level of logic –Make intelligent decisions –Can be configured to check for a known vulnerability –Large amount of logging

Software Firewall (Cont.) Benefits of application firewalls (Cont.) –Easier to track when a potential vulnerability is exercised –Protect against new vulnerabilities before they are found and exploited –Ability to "understand" application-specific information structure –Incoming or outgoing packets cannot access services for which there is no proxy

Software Firewall (Cont.) Disadvantages: –Slow down network access dramatically –More susceptible to distributed denial of service (DDoS) attacks –Not transparent to end users –Require manual configuration of each client computer

Top Picks Personal Firewalls Norton Personal Firewall ZoneAlarm Free/Plus/Pro

Conclusion


Benefits of Firewall-Summary Prevent intrusion Choke point for security audit Reduce attacks by hackers Hide network behind a single IP address Part of total network security policy


Hacking © N. Ganesan, Ph.D.

IP Spoofing IP spoofing is when an attacker captures the routing packets to redirect a file or transmission to a different destination. The technique is also effective in disguising an attacker's identity. Protocols that deal with inter-computer communication are most susceptible to spoofing, e.g., ICMP, IGMP and UDP. Solutions are securing transmission packets and establishing screening policies, point-to-point encryption, and configuring the network to reject packets that claim to originate from a local address.

FTP Attacks –One of the most common FTP attacks is a buffer overflow caused by a malformed command. –A successful attack could either drop the attacker in a command shell or cause a denial of service. –Failure to apply the frequently released system upgrades and patches is the most common cause of FTP vulnerabilities. –FTP exploits are also useful in password guessing, FTP bounce attacks, and mining information (such as the machine's registry).

Unix Finger Exploits –The Unix OS finger utility was used as an efficient way to share user information in the early days of the Internet. –To an attacker, the finger utility can yield valuable information, including user names, logons and contact information. –It also provides a pretty good indication of users' activities, like how many times they are logged on. –The personal information it reveals can provide an attacker with enough of a framework to trick legitimate users into revealing passwords and access codes.

Flooding and Broadcasting –An attacker can significantly reduce the processing capacity of a network by sending more information requests than it can handle, a classic denial of service. –Sending a large amount of requests to a single port is flooding. When the requests are sent to all network stations, it's called broadcasting. –Attackers will often use flood attacks to gain access to a system for use against other networks in distributed denial-of-service (DDoS) campaigns. –DDoS attacks are harder to stop because they come from multiple IP addresses simultaneously. The only solution is to trace the packets back to their source and shut down the transmitting networks.

Fragmented Packet Attacks –Internet messages transmitted via TCP/IP can be divided into packets in such a way that only the first packet contains the TCP segment header information. –Some firewalls will allow the processing of subsequent packets that do not contain the same source address information as the first packet, which can cause any type of system to crash. –Fragmented packets can also create a flood-like situation because they are stored in the kernel. The server will crash if the kernel memory absorbs too many fragmented packets. –Solution: firewall filters

E-mail Exploits –E-mail exploits come in five forms: mail floods, command manipulations, transport-level attacks, malicious code insertion and social engineering. –Mail-flood attacks occur when so much mail is sent to a target that communication programs destabilize and crash the system. –Command-manipulation attacks can cause a system to crash by subverting the mail transfer agent with a buffer overflow caused by entering a malformed command.

E-mail Exploits (Contd…) –Transport-level attacks exploit SMTP. An attacker can cause a temporary error condition in the target system by overloading an SMTP buffer with more data than it can handle. –Malicious content is often propagated through e-mail systems. Some viruses and worms will be carried into a system appearing as a legitimate attachment. –Social engineering e-mails are an attacker's attempt to trick a legitimate user into revealing sensitive information or executing a task, e.g., posing as a network administrator to get your password for system upgrades.

Password Attacks –The most common password attacks are guessing, brute force, cracking and sniffing. –Password guessing involves entering common passwords either manually or through programmed scripts. –Brute-force logon attacks follow the same basic logic as password guessing, but are faster and more powerful. –Password cracking is a method for defeating the protection of encrypted passwords stored in a system's admin files. –Because an attacker needs a significant level of access to launch this kind of attack, the best defense is restricting and monitoring access privileges.

Selective Program Insertions –A selective program insertion is when an attacker places a destructive program (a virus, worm or Trojan horse) on a target system. –Some network administrators are augmenting their malware defenses with alternative technologies such as behavior blockers, which stop suspicious code based on behavior patterns, not signatures. –A time bomb, sometimes called a logic bomb, is an inserted program that executes its malicious payload at a predetermined time or date.

Port Scanning and Polling –Through port scanning and polling, an attacker can observe the functions and defenses of various system ports. –For example, scanning could be used to determine whether default SNMP community strings are open to the public, meaning information can be extracted for use in a remote command attack.

TCP/IP Sequence Stealing & Packet Interception –TCP/IP sequence stealing is the capturing of sequence numbers, which can be used to make an attacker's packets appear legitimate. –A successful TCP/IP attack could allow an attacker to intercept transactions between two organizations, providing an opportunity for a man-in-the-middle attack. –In some versions of the Secure Shell Service Daemon (SSHD), only the public key is used for authentication. If an attacker learns the public key, he could create and insert forged packets.

Observations and Suggestions Various firms –Install firewalls, but never upgrade them. –Do massive Web site improvements without making parallel security improvements. –The best way to safeguard a Web site from attack is to approach security as an ongoing challenge rather than a one-time effort.

Port Scanning Using PortQry What is port scanning? Using PortQry (the Portqry.exe command-line utility)

What Is Port Scanning? Network applications use TCP/UDP ports Clients connect to applications using ports Port scanning is the process of checking whether a port is open

TCP and UDP in TCP/IP protocol architecture

Port Numbers The Well Known Ports are those from 0 through 1023. The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those from 49152 through 65535. ftp://ftp.isi.edu/in-notes/rfc1700.txt

Well-known TCP / UDP ports
TCP port number: Description
20: FTP (data channel)
21: FTP (control channel)
23: Telnet
80: HyperText Transfer Protocol (HTTP), used for the World Wide Web
139: NetBIOS session service
UDP port number: Description
53: Domain Name System (DNS) name queries
69: Trivial File Transfer Protocol (TFTP)
137: NetBIOS name service
138: NetBIOS datagram service
161: Simple Network Management Protocol (SNMP)

Port Scanning for TCP TCP ports use "three-way handshake" Successful handshake means port is listening TCP Reset packet means port is not listening No response means port is filtered

Port Scanning for UDP UDP ports do not use a "three-way handshake" Send a UDP packet to the port and wait for a response Most applications will not respond to zero-length packets A correctly formatted packet is necessary to get a response Most port scanners do not scan UDP ports

What Is Port Scanning used for? Use port scanning to: Test connectivity Test security

Using PortQry PortQry is designed as an application layer port scanner It checks whether TCP and UDP ports are open, closed, or filtered It determines if UDP ports are open using packets formatted for well known services Portqry is available for download on the Microsoft Web site at: /NT5/EN-US/portqry.exe

PortQry Supports: LDAP RPC DNS SMTP POP3 IMAP4 FTP NetBIOS Name Service

Status of a TCP/IP port Listening –A process is listening on the port on the computer you choose. Portqry.exe received a response from the port. Not Listening –No process is listening on the target port on the target system. Portqry.exe received an Internet Control Message Protocol (ICMP) "Destination Unreachable - Port Unreachable" message back from the target UDP port. Or if the target port is a TCP port, Portqry received a TCP acknowledgement packet with the Reset flag set. Filtered –The port on the computer you chose is being filtered. Portqry.exe did not receive a response from the port. A process may or may not be listening on the port. By default, TCP ports are queried three times and UDP ports are queried once before a report indicates that the port is filtered.
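The TCP and UDP decision rules from the "Port Scanning for TCP/UDP" and "Status of a TCP/IP port" slides, turned into classification code. This is an added example and not PortQry's own code; it sends no packets. SAMPLE_TARGET is a constructed table of how the ports of an imaginary host answer a probe, and the three-retry default mirrors the slide's statement that TCP ports are queried three times before being reported as filtered.

```python
"""Port-state classification as the PortQry slides describe it (added
illustration; not PortQry's code). No packets are sent: SAMPLE_TARGET is a
constructed table of how each port of an imaginary host answers a probe.

TCP: SYN-ACK -> LISTENING; RST -> NOT LISTENING; silence after three tries -> FILTERED.
UDP: application reply -> LISTENING; ICMP port unreachable -> NOT LISTENING;
     silence -> LISTENING or FILTERED, because a listener simply ignores a
     probe it cannot parse, which is why a service-formatted payload is needed.
"""
from enum import Enum


class State(Enum):
    LISTENING = "LISTENING"
    NOT_LISTENING = "NOT LISTENING"
    FILTERED = "FILTERED"
    LISTENING_OR_FILTERED = "LISTENING or FILTERED"


# TCP entries list the reply to each successive SYN (None = no reply).
# UDP entries give the reply per probe payload type.
SAMPLE_TARGET = {
    ("tcp", 80): ["SYN-ACK"],
    ("tcp", 443): [None, "SYN-ACK"],            # first probe lost, second answered
    ("tcp", 23): ["RST"],
    ("tcp", 139): [None, None, None],           # dropped by a filter
    ("udp", 53): {"zero-length": None, "formatted": "DATA"},   # DNS ignores empty datagrams
    ("udp", 69): {"zero-length": "ICMP-PORT-UNREACH", "formatted": "ICMP-PORT-UNREACH"},
    ("udp", 161): {"zero-length": None, "formatted": None},    # silently filtered
}


def tcp_state(target, port, retries=3):
    """Classify a TCP port from the three-way handshake outcome, retrying silent ports."""
    replies = target.get(("tcp", port), [None])
    for attempt in range(retries):
        reply = replies[attempt] if attempt < len(replies) else replies[-1]
        if reply == "SYN-ACK":
            return State.LISTENING
        if reply == "RST":
            return State.NOT_LISTENING
    return State.FILTERED


def udp_state(target, port, payload="formatted"):
    """Classify a UDP port; only a reply or an ICMP unreachable is conclusive."""
    reply = target.get(("udp", port), {}).get(payload)
    if reply == "DATA":
        return State.LISTENING
    if reply == "ICMP-PORT-UNREACH":
        return State.NOT_LISTENING
    return State.LISTENING_OR_FILTERED


def scan(target, tcp_ports=(), udp_ports=(), udp_payload="formatted"):
    """Return {(proto, port): State} for the requested ports."""
    result = {("tcp", p): tcp_state(target, p) for p in tcp_ports}
    result.update({("udp", p): udp_state(target, p, udp_payload) for p in udp_ports})
    return result


if __name__ == "__main__":
    for (proto, port), state in scan(SAMPLE_TARGET, (80, 443, 23, 139), (53, 69, 161)).items():
        print(f"{proto.upper()} port {port}: {state.value}")
```

Probing UDP 53 with a zero-length datagram leaves the verdict at "LISTENING or FILTERED", while the service-formatted probe resolves it to LISTENING; that difference is the reason the slides say PortQry uses packets formatted for well-known services.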

PortQry Usage
portqry -n server [-p protocol] [-e || -r || -o endpoint(s)] [-l logfile] [-s] [-q]
Where:
-n [server]          IP address or name of server to query
-p [protocol]        TCP or UDP or BOTH (default is TCP)
-e [endpoint]        single port to query (valid range: )
-r [endpoint range]  range of ports to query (start:end)
-o [endpoint order]  ports to query in a given order (x,y,z)
-l [logfile]         name of log file to create
-s                   'slow link delay': waits longer for UDP replies from remote systems
-q                   'quiet' operation: runs with no output and
                     returns 0 if the port is listening,
                     1 if the port is not listening,
                     2 if the port is listening or filtered

portqry -n myserver -p UDP -e 389
Returns LDAP base query information

UDP port 389 (unknown service): LISTENING or FILTERED
Sending LDAP query to UDP port
LDAP query response:
currentdate: 09/03/ :42:40 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=eu,DC=reskit,DC=com
dsServiceName: CN=NTDS Settings,CN=RED-DC-11,CN=Servers,CN=NA-WA-RED,CN=Sites,CN=Configuration,DC=eu,DC=reskit,DC=com
namingContexts: DC=redmond,DC=eu,DC=reskit,DC=com
defaultNamingContext: DC=redmond,DC=eu,DC=reskit,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=eu,DC=reskit,DC=com
configurationNamingContext: CN=Configuration,DC=eu,DC=reskit,DC=com
rootDomainNamingContext: DC=eu,DC=reskit,DC=com
supportedControl:
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN:
supportedSASLMechanisms: GSSAPI
dnsHostName: myserver.eu.reskit.com
ldapServiceName:
serverName: CN=MYSERVER,CN=Servers,CN=Sites,CN=Configuration,DC=eu,DC=reskit,DC=com
supportedCapabilities:
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
======== End of LDAP query response ========
UDP port 389 is LISTENING

portqry -n myserver -p UDP -e 135
Dumps the RPC Endpoint Mapper database

UDP port 135 (epmap service): LISTENING or FILTERED
Querying Endpoint Mapper Database...
Server's response:
UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp: [4144]
UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30 NTDS Backup Interface
ncacn_np:\\\\MYSERVER[\\PIPE\\lsass]
UUID: e b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp: [1030]
UUID: e b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncadg_ip_udp: [1032]
UUID: abcd-ef cffb
ncacn_np:\\\\MYSERVER[\\PIPE\\lsass]
UUID: abcd-ef cffb
ncacn_np:\\\\MYSERVER[\\PIPE\\POLICYAGENT]
Total endpoints found: 6
==== End of RPC Endpoint Mapper query response ====
UDP port 135 is LISTENING

portqry -n myserver -p UDP -e 53
Verifies DNS query and response operation

UDP port 53 (domain service): LISTENING or FILTERED
Sending DNS query to UDP port
UDP port 53 (domain service): LISTENING

portqry -n MyMailServer -p TCP -e 25
Returns SMTP, POP3, IMAP4 status messages

TCP port 25 (SMTP service): LISTENING
Data returned from the port:
220 MyMailServer.eu.reskit.com Microsoft ESMTP MAIL Service, Version: ready at Sun, 2 Sep :24:

portqry -n MyFtpServer -p TCP -e 21
Returns the FTP status message and tests for anonymous account access

220 MyFtpServer Microsoft FTP Service (Version 5.0).
331 Anonymous access allowed, send identity (e-mail name) as password.

portqry -n myserver -p UDP -e 137
Verifies NetBIOS Name Service functionality and returns the MAC address

UDP port 137 (netbios-ns service): LISTENING or FILTERED
Attempting NETBIOS adapter status query to UDP port
Server's response:
MAC address 00c04f7946f0
UDP port: LISTENING

Query behavior is configurable using the local services file
- Located in %systemroot%/system32/drivers/etc/services
- PortQry resolves the service name using this file
- PortQry decides what type of query to send to a port using this file
