Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense Chapter 13 Protecting Networks with Security Devices

Objectives
- Describe network security devices
- Describe firewall technology
- Describe intrusion detection systems
- Describe honeypots

Understanding Network Security Devices
- Routers
- Firewalls
- Intrusion detection systems
- Honeypots

Understanding Routers
- Routers are hardware devices used on a network to send packets to different network segments
- They operate at the network layer of the OSI model
- Routing protocols used by routers:
  - Link-state routing protocol: the router advertises its link state to identify the network topology and any changes on paths
  - Distance-vector routing protocol: the router passes its routing table to all routers participating on the network

Understanding Basic Hardware Routers
- Cisco routers are widely used in the networking community
- More than one million Cisco 2500 series routers are currently being used by companies around the world
- Vulnerabilities exist in Cisco IOS as they do in any operating system
- Security professionals must consider these vulnerabilities when conducting a security test

Cisco Router Components
- A Cisco router uses the Cisco Internetwork Operating System (IOS) to function
- Components:
  - Random access memory (RAM): holds the router's running configuration, routing tables, and buffers; if you turn off the router, the contents stored in RAM are wiped out
  - Nonvolatile RAM (NVRAM): holds the router's configuration file; this information is not lost if the router is turned off

Cisco Router Components (continued)
- Flash memory: holds the IOS image the router is using; it is rewritable memory, so you can upgrade the IOS
- Read-only memory (ROM): contains a minimal version of the IOS used to boot the router if flash memory gets corrupted
- Interfaces: hardware connectivity points (for example, an Ethernet port is an interface that connects to a LAN)

Cisco Router Configuration
- Configuration modes:
  - User mode: the administrator can perform basic troubleshooting tests and list information stored on the router; the prompt Router-name> indicates that you are in user mode
  - Privileged mode: the administrator can perform full router configuration tasks; the prompt Router-name# indicates that you are in privileged mode
- By default, you are in user mode
- Type "enable" or "en" to change to privileged mode

Cisco Router Configuration (continued)
- Once in privileged mode, you can change to two more configuration modes
  - Global configuration mode: the administrator can configure router settings that affect overall router operation
    - To use this mode, you enter the command config t at the Router-name# prompt
    - The prompt Router-name(config)# tells the user she is in global configuration mode

Cisco Router Configuration (continued)
- Once in privileged mode, you can change to two more configuration modes (continued)
  - Interface configuration mode: the administrator can configure an interface on the router
    - To use this mode, you enter global configuration mode first
    - Next, you enter the command for interface configuration mode followed by the name of the interface you want to configure
    - The prompt Router-name(config-if)# indicates you are in interface configuration mode

Understanding Access Control Lists
- There are several types of access control lists; we will focus on IP access lists
- IP access lists are lists of IP addresses, subnets, or networks that are allowed or denied access through a router's interface
- Two different types of access lists exist on a Cisco router:
  - Standard IP access lists
  - Extended IP access lists

Standard IP Access Lists
- Can restrict IP traffic entering or leaving a router's interface based on source IP address
- The syntax of a standard access list is as follows:
  access-list [list #] [permit|deny] [source address] [source wildcard mask]
  - [list #] is a number in the range 1 to 99
  - [permit|deny] are keywords to permit or deny traffic
  - [source address] specifies the IP address of the source host
  - [source wildcard mask] signifies which bits of the source address are significant

Standard IP Access Lists (continued)
- Example:
  access-list 1 deny 173.110.0.0 0.0.255.255
  access-list 1 permit any
- A wildcard mask is similar to a subnet mask, but its bits are inverted: a 0 bit must match exactly and a 1 bit is ignored
- Example:
  access-list 1 deny 10.10.1.112 0.0.0.0
  - The 0s used after the IP address signify that every octet in the IP address must match the IP address being filtered
- Another example:
  access-list 1 deny 192.168.10.0 0.0.0.255
  access-list 1 permit any

Standard IP Access Lists (continued)
- Cisco allows the keyword host as a shortcut for the mask 0.0.0.0:
  access-list 1 deny host 192.168.10.112
- Access lists always end with an implicit deny rule
- To avoid denying all remaining traffic, you must add a "permit any" statement:
  access-list 1 permit any
- Steps for applying the access list to an interface:
  1. Enter global configuration mode
  2. Create the access list
  3. Enter interface configuration mode
  4. Use the ip access-group command

Standard IP Access Lists (continued)
- Example:
  Router> en
  Password: ******
  Router# config t
  Router(config)# access-list 1 deny 172.16.5.0 0.0.0.255
  Router(config)# access-list 1 permit any
  Router(config)# int e0
  Router(config-if)# ip access-group 1 out
  Router(config-if)# Ctrl+Z [exits configuration mode and returns to the privileged mode prompt]
  Router#

Extended IP Access Lists
- Allow packet filtering based on:
  - Source IP address
  - Destination IP address
  - Protocol type
  - Application port number
- Syntax for extended IP access lists:
  access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [destination IP address] [destination wildcard mask] [operator] [port] [log]
  - [list #] is a number in the range 100 to 199
  - [permit|deny] are keywords to permit or deny traffic

Extended IP Access Lists (continued)
- Syntax for extended IP access lists (continued):
  - [protocol] can be ip, tcp, udp, icmp, and so on
  - [source IP address] is the IP address of the source
  - [source wildcard mask] determines the significant bits of the source IP address
  - [destination IP address] is the IP address of the destination
  - [destination wildcard mask] determines the significant bits of the destination IP address
  - [operator] can be lt, gt, eq, or neq

Extended IP Access Lists (continued)
- Syntax for extended IP access lists (continued):
  - [port] is the port number of the protocol to be filtered
  - [log] logs all activity of the access list for the administrator
- Example:
  access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100 eq www

Extended IP Access Lists (continued)
- Applying an access list to an interface:
  Router> en
  Password: ******
  Router# config t
  Router(config)# access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100
  Router(config)# access-list 100 permit ip any any
  Router(config)# int e0
  Router(config-if)# ip access-group 100 in
  Router(config-if)# Ctrl+Z
  Router#
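The standard and extended access lists above are easiest to understand by watching one evaluate packets. The following evaluator is an added example, not code from the book or from Cisco: it parses access-list statements in the syntax shown on the preceding slides, applies the wildcard masks bit by bit, returns the first matching entry, and falls through to the implicit deny when nothing matches. The sample lists are the book's own examples plus a constructed deny-only list; the packets are constructed dictionaries (src, dst, proto, sport, dport) rather than real captures.

```python
"""Evaluator for Cisco-style standard (1-99) and extended (100-199) IP
access lists, to show wildcard-mask matching, first-match ordering and
the implicit deny at the end of every list.  Added example; not code
from the book or from Cisco.  ACL text and packets below are constructed."""
import ipaddress

# Well-known port names accepted in place of numbers (small, illustrative map)
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard mask must match exactly; a 1 bit is ignored."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def _take_address(tokens, i):
    """Consume 'any' | 'host A' | 'A W' at tokens[i]; return (base, wildcard, next_i)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    # standard lists allow the wildcard to be omitted, which means 0.0.0.0
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1


def _take_port(tokens, i):
    """Consume an optional 'lt|gt|eq|neq PORT'; return ((op, port) or None, next_i)."""
    if i < len(tokens) and tokens[i] in ("lt", "gt", "eq", "neq"):
        port = tokens[i + 1]
        number = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        return (tokens[i], number), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines into {N: [entries]}."""
    lists = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2]
        entry = {"action": action, "log": tokens[-1] == "log"}
        if 1 <= number <= 99:            # standard: source address only
            entry["proto"] = "ip"
            entry["src"], entry["src_wc"], _ = _take_address(tokens, 3)
        elif 100 <= number <= 199:       # extended: protocol, src, dst, ports
            entry["proto"] = tokens[3]
            entry["src"], entry["src_wc"], i = _take_address(tokens, 4)
            entry["sport"], i = _take_port(tokens, i)
            entry["dst"], entry["dst_wc"], i = _take_address(tokens, i)
            entry["dport"], i = _take_port(tokens, i)
        else:
            raise ValueError("unsupported list number %d" % number)
        lists.setdefault(number, []).append(entry)
    return lists


def _port_ok(rule, port):
    if rule is None:
        return True
    op, want = rule
    return {"lt": port < want, "gt": port > want,
            "eq": port == want, "neq": port != want}[op]


def evaluate(entries, packet):
    """First matching entry decides; returns (action, entry number).
    No match means the implicit deny, reported with entry number None."""
    for n, e in enumerate(entries, 1):
        if e["proto"] != "ip" and e["proto"] != packet.get("proto"):
            continue
        if not wildcard_match(packet["src"], e["src"], e["src_wc"]):
            continue
        if "dst" in e:   # extended entries also check destination and ports
            if not wildcard_match(packet["dst"], e["dst"], e["dst_wc"]):
                continue
            if not _port_ok(e["sport"], packet.get("sport", 0)):
                continue
            if not _port_ok(e["dport"], packet.get("dport", 0)):
                continue
        return e["action"], n
    return "deny", None


# Constructed sample lists: the book's examples plus a deny-only list (2)
SAMPLE_ACLS = parse_acl("""
access-list 1 deny 172.16.5.0 0.0.0.255
access-list 1 permit any
access-list 2 deny host 10.10.1.112
access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100 eq www
access-list 100 permit ip any any
""")

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACLS[1], {"src": "172.16.5.7"}))
    print(evaluate(SAMPLE_ACLS[2], {"src": "10.10.1.113"}))   # implicit deny
    print(evaluate(SAMPLE_ACLS[100], {"proto": "tcp", "src": "172.16.1.112",
                                      "dst": "172.30.1.100", "dport": 80}))
```

List 2 is the case the slide warns about: it contains only a deny, so a host it never names is still denied, because nothing ever reaches a permit. Note too that the extended list's deny is specific to TCP port 80; the same two hosts exchanging UDP, or TCP to port 443, fall through to the permit ip any any entry.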

Understanding Firewalls
- Firewalls are hardware devices or software installed on a system and have two purposes:
  - Controlling access to all traffic that enters an internal network
  - Controlling all traffic that leaves an internal network
- Advantages of hardware firewalls:
  - They are usually faster than software firewalls
  - They can handle a larger throughput than software firewalls

Understanding Firewalls (continued)
- Disadvantage of hardware firewalls:
  - You are locked into the firewall's hardware
- Advantage of software firewalls:
  - You can easily add NICs to the server running the firewall software
- Disadvantages of software firewalls:
  - You might have to worry about configuration problems
  - They rely on the OS on which they are running

Understanding Firewall Technology
- Firewall technologies:
  - Network address translation (NAT)
  - Access control lists
  - Packet filtering
  - Stateful packet inspection (SPI)

Network Address Translation (NAT)
- The most basic security feature of a firewall
- With NAT, internal private IP addresses are mapped to public external IP addresses, hiding the internal infrastructure
- Port Address Translation (PAT)
  - Technology derived from NAT
  - Allows thousands of internal IP addresses to be mapped to one external IP address
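A small translation table makes the PAT idea concrete. This is an added example and not code from the book or from any firewall product: the public address, the internal hosts and the port range are constructed. Outbound flows are keyed by (private IP, private port, protocol) and each is given its own public source port, which is what lets many internal hosts share one external address; inbound packets are mapped back only if a matching entry exists, so traffic aimed at an internal host that never opened a connection has nowhere to go.

```python
"""Port Address Translation (PAT) table: many internal (private IP, port)
pairs share one public address and are told apart by the translated
source port.  Added example, not code from the book or from any firewall
vendor; the public address and internal hosts are constructed."""
import ipaddress


class PatTable:
    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port          # next unused translated port
        self.last_port = last_port
        self.outbound = {}   # (private_ip, private_port, proto) -> public_port
        self.inbound = {}    # (public_port, proto) -> (private_ip, private_port)

    def translate_out(self, private_ip, private_port, proto="tcp"):
        """Rewrite an outbound packet's source to (public_ip, public_port).

        An existing mapping is reused so a flow keeps one public port; a
        new flow gets the next free port.  Sources that are already
        globally routable (Python's is_private check) are refused, since
        no internal host should be sending with such an address."""
        if not ipaddress.ip_address(private_ip).is_private:
            raise ValueError("source %s is not a private address" % private_ip)
        key = (private_ip, private_port, proto)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table exhausted")
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, proto)] = (private_ip, private_port)
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port, proto="tcp"):
        """Map a packet arriving at the public address back to the internal host.

        Returns None when no mapping exists: the firewall has nothing to
        forward it to, which is why PAT hides hosts that never initiated
        a connection."""
        return self.inbound.get((public_port, proto))

    def mappings(self):
        """Number of internal flows currently sharing the public address."""
        return len(self.outbound)


def demo():
    """Two internal hosts using the same source port still get distinct
    public ports; a reply to an unknown public port is dropped."""
    pat = PatTable("203.0.113.1")                     # constructed public address
    a = pat.translate_out("192.168.1.10", 5000)
    b = pat.translate_out("192.168.1.11", 5000)
    again = pat.translate_out("192.168.1.10", 5000)   # same flow, same port
    return a, b, again, pat.translate_in(a[1]), pat.translate_in(60000)


if __name__ == "__main__":
    print(demo())
```

The table is deliberately protocol-aware: a TCP flow and a UDP flow from the same internal socket get separate entries, as they would in a real firewall, and the port counter shows why a single public address can front thousands of internal hosts but not an unlimited number.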

Access Control Lists
- Access lists are used to filter traffic based on source IP address, destination IP address, and ports or services
- Firewalls also use this technology
- Creating access control lists in a firewall is a similar process to creating them in a router

Packet Filtering
- Packet filters screen packets based on information contained in the packet header:
  - Protocol type
  - IP address
  - TCP/UDP port

Stateful Packet Inspection (SPI)
- Stateful packet filters record session-specific information about a network connection
  - They create a state table
  - This can help reduce port scans that rely on spoofing or on sending packets after a three-way handshake
- Stateful packet filters recognize types of anomalies that most routers ignore
- Stateless packet filters handle each packet on an individual basis
  - Spoofing or DoS attacks are more prevalent against them
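The difference between the two filter types shows up as soon as an unsolicited packet arrives. The following simulation is an added example, not code from the book or from any product: the addresses and the five-packet trace are constructed. The stateful filter keeps a table of sessions opened from the inside and admits only packets that belong to one of them; the stateless filter beside it uses a memoryless rule of the kind an older "established" access list expresses (inbound allowed when ACK is set), and so lets a bare ACK probe through that the stateful filter drops.

```python
"""Stateful packet inspection: a state table records TCP sessions opened
from the inside and admits only packets that belong to one of them; a
stateless filter judges each packet alone and cannot tell a reply from
an unsolicited probe.  Added example, not code from the book or any
product; the addresses and packets are constructed."""

INTERNAL_PREFIX = "10.0.0."          # constructed internal network


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


class StatefulFilter:
    """Tracks sessions as (src, sport, dst, dport) -> state."""

    def __init__(self):
        self.table = {}

    def inspect(self, pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = pkt["flags"]
        if fwd in self.table:                       # more of a known session
            if "F" in flags or "R" in flags:
                del self.table[fwd]                 # session torn down
            return "permit"
        if rev in self.table:                       # reply to a known session
            if self.table[rev] == "SYN_SENT" and flags == "SA":
                self.table[rev] = "ESTABLISHED"     # handshake completed
            if "R" in flags:
                del self.table[rev]
            return "permit"
        if is_internal(pkt["src"]) and flags == "S":   # new session from inside
            self.table[fwd] = "SYN_SENT"
            return "permit"
        return "deny"      # unsolicited inbound packet, e.g. a bare ACK probe


def stateless_filter(pkt):
    """Per-packet rule with no memory: trust inside, and let inbound
    traffic through only when ACK is set (the classic 'established'
    access-list trick, which a forged ACK satisfies)."""
    if is_internal(pkt["src"]):
        return "permit"
    return "permit" if "A" in pkt["flags"] else "deny"


def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


# Constructed trace: a legitimate web session followed by two probes
TRACE = [
    pkt("10.0.0.5", 40000, "198.51.100.10", 80, "S"),    # inside opens session
    pkt("198.51.100.10", 80, "10.0.0.5", 40000, "SA"),   # server replies
    pkt("10.0.0.5", 40000, "198.51.100.10", 80, "A"),    # handshake done
    pkt("203.0.113.9", 4444, "10.0.0.5", 22, "A"),       # unsolicited ACK probe
    pkt("203.0.113.9", 4444, "10.0.0.5", 22, "S"),       # unsolicited SYN
]


def run(trace):
    """Return [(stateful decision, stateless decision)] for each packet."""
    f = StatefulFilter()
    return [(f.inspect(p), stateless_filter(p)) for p in trace]


if __name__ == "__main__":
    for p, d in zip(TRACE, run(TRACE)):
        print(p["src"], "->", p["dst"], p["flags"], d)
```

Packet 4 is the interesting row: both filters agree on the first three packets and on the final SYN, but only the stateful filter denies the ACK that belongs to no session it has seen, which is the "packets after a three-way handshake" case the slide refers to.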

Implementing a Firewall
- Placing a firewall between a company's internal network and the Internet is dangerous
  - It leaves the company open to attack if a hacker compromises the firewall
- Use a demilitarized zone instead

Demilitarized Zone (DMZ)
- A DMZ is a small network containing resources available to Internet users
- Helps maintain security on the company's internal network
- Sits between the Internet and the internal network
- It is sometimes referred to as a "perimeter network"

Understanding the Private Internet Exchange (PIX) Firewall
- Cisco PIX firewall
  - One of the most popular firewalls on the market

Configuration of the PIX Firewall
- Working with a PIX firewall is similar to working with any other Cisco router
- Login prompt:
  If you are not authorized to be in this XYZ Hawaii network device, log out immediately!
  User Access Verification
  Password:
- This banner serves a legal purpose
- General prompt example:
  Type help or '?' for a list of available commands.
  xyz>

Configuration of the PIX Firewall (continued)
- You should enter privileged mode to configure the PIX firewall
- To enter configuration mode in PIX, you use the same command as on a Cisco router:
  xyz# configure terminal
  xyz(config)# ?
- nameif is the PIX command to name an interface
- PIX allows the administrator to assign a value to an interface that designates its security level
  - Values can be from 0 to 100

Configuration of the PIX Firewall (continued)
- Access lists
  - PIX enables an administrator to use descriptive names for the access list instead of numbers
  - PIX also uses the implicit deny rule

Understanding Microsoft ISA
- Microsoft's software approach to firewalls: Microsoft Internet Security and Acceleration (ISA) Server
- Functions as a software router, firewall, and IDS
- ISA has the same functionality as any hardware router:
  - Packet filtering to control incoming traffic
  - Application filtering through the examination of protocols
  - Intrusion detection filters
  - Access policies to control outgoing traffic

IP Packet Filters
- ISA enables administrators to filter IP traffic based on the following:
  - Source and destination IP address
  - Network protocol, such as HTTP
  - Source port or destination port
- ISA provides a GUI for these configurations
- A network segment can be denied or allowed HTTP access in the Remote Computer tab

Application Filters
- Can accept or deny data from specific applications or data containing specific content
- The SMTP filter can restrict:
  - E-mail with specific attachments
  - E-mail from a specific user or domain
  - E-mail containing specific keywords
  - SMTP commands
- SMTP Filter Properties dialog box
  - The administrator can filter a specific e-mail attachment based on a rule he or she configures

Application Filters (continued)
- Users/Domains tab in the SMTP Filter Properties dialog box
  - The administrator can filter e-mail messages sent from a user or from specific domains
  - As a security professional, you might be asked to restrict e-mails containing certain keywords
- SMTP Commands tab
  - The administrator can prevent a user from running SMTP commands

Intrusion Detection Filters
- Analyze all traffic for possible known intrusions:
  - DNS intrusion detection filter
  - POP intrusion detection filter
  - FTP Access filter
  - H.323 filter
  - HTTP Redirector filter
  - RPC filter
  - SMTP filter
  - SOCKSV4 filter
  - Streaming Media filter

Access Policies
- Allow administrators to control outgoing traffic
- An access policy consists of the following:
  - Policy rules
  - Site and content rules
  - IP filter rules

Understanding Intrusion Detection Systems (IDSs)
- Monitor network devices so that security administrators can identify attacks in progress and stop them
- An IDS looks at the traffic and compares it with known exploits
  - Similar to antivirus software using a signature file to identify viruses
- Types:
  - Network-based IDSs
  - Host-based IDSs

Network-Based and Host-Based IDSs
- Network-based IDSs
  - Monitor activity on network segments
  - They sniff traffic and alert a security administrator when something suspicious occurs
- Host-based IDSs
  - Used to protect a critical network server or database server
  - The software is installed on the server you're attempting to protect

Network-Based and Host-Based IDSs (continued)
- IDSs are also categorized by how they react when they detect suspicious behavior:
  - Passive systems: send out an alert and log the activity
  - Active systems: log events and send out alerts, and can also interoperate with routers and firewalls

Understanding Honeypots
- A computer placed on the perimeter of a network
- Contains information intended to lure and then trap hackers
- The computer is configured to have vulnerabilities
- Goal: keep hackers connected long enough so they can be traced back

How They Work
- A honeypot appears to have important data or sensitive information stored on it
  - It could store fake financial data that tempts hackers to attempt browsing through the data
- Hackers will spend time attacking the honeypot and stop looking for real vulnerabilities in the company's network
- Honeypots also enable security professionals to collect data on attackers
- Honeypots are available commercially and through open-source avenues

How They Work (continued)
- Virtual honeypots
  - Honeypots created using software solutions instead of hardware devices
  - Example: Honeyd

Summary
- Security devices: routers, firewalls, IDSs
- Routers use access lists to accept or deny traffic through their interfaces
- Firewalls can be hardware devices or software installed on computer systems
- Firewalls use NAT, IP filtering, and access control lists to filter incoming and outgoing network traffic

Summary (continued)
- Firewall examples: Cisco PIX (hardware), Microsoft ISA (software)
- Stateful packet filters vs. stateless packet filters
- PGP is a free public key encryption program to encrypt e-mail messages
- Demilitarized zones (DMZs) add a layer of defense between the Internet and a company's internal network

Summary (continued)
- Intrusion detection systems (IDSs)
  - Network-based IDSs
  - Host-based IDSs
  - Passive IDSs vs. active IDSs
- Honeypots