Security fundamentals Topic 6 Securing the network infrastructure.


Agenda

– Security at the TCP/IP layers
– Security at the physical layer
– Securing network devices

Network layer attacks

MAC address spoofing
  – Attackers can create packets with the MAC address of a different computer and impersonate that computer
Denial of Service (DoS)
  – Overloads a single system so that it cannot provide the service it is configured to provide
  – Sends frames designed to use up all the resources of the target device
ARP cache poisoning
  – Incorrect or spoofed entries are added to the ARP cache
  – Messages are sent to incorrect destinations

Internet layer attacks

IP address spoofing
  – Source addresses of IP packets are spoofed to impersonate another computer
Man-in-the-middle attack
  – Attacker intercepts and reads or modifies packet contents without the knowledge of the source or destination computers
Denial of Service
  – Attacker overloads the TCP/IP stack with a large number of invalid packets which prevents processing of legitimate packets
  – Attacker changes entries in routing tables to prevent delivery of packets
Incorrect reassembly of fragmented datagrams
  – Offset field used to reassemble fragments is changed so that they can’t be reassembled correctly
  – Datagram could pass through a firewall when it shouldn’t
Avoiding detection by fragmenting datagrams
  – An attacker might fragment a packet to hide patterns (such as virus signatures) to avoid detection
Corrupting packets
  – Information in IP header fields is modified
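The two fragmentation items above seen from the defender's side, as an added example that is not part of the original slides: a sensor that matches patterns fragment by fragment misses a marker split across fragments, while reassembling first both finds it and rejects fragment sets whose offsets overlap or leave gaps. The tuple layout, the marker EXAMPLE-SIG and the sample fragments are constructed for illustration.

```python
SIGNATURE = b"EXAMPLE-SIG"  # constructed marker standing in for an IDS pattern

def reassemble(frags):
    """Rebuild a payload from (offset_units, more_fragments, data) tuples.

    Offsets are in 8-byte units, as in the IPv4 header. Raises ValueError on
    overlap, gap, trailing data or a missing final fragment instead of guessing.
    """
    out = b""
    final_seen = False
    for off, mf, data in sorted(frags):
        start = off * 8
        if final_seen:
            raise ValueError("data after final fragment")
        if start < len(out):
            raise ValueError("overlap at byte %d" % start)
        if start > len(out):
            raise ValueError("gap before byte %d" % start)
        if mf and len(data) % 8:
            raise ValueError("non-final fragment is not a multiple of 8 bytes")
        out += data
        final_seen = not mf
    if not final_seen:
        raise ValueError("final fragment missing")
    return out

def verdict(frags):
    """Return 'drop: <reason>', 'alert' or 'pass' for one fragment set."""
    try:
        payload = reassemble(frags)
    except ValueError as exc:
        return "drop: %s" % exc
    return "alert" if SIGNATURE in payload else "pass"

def per_fragment_match(frags):
    """What a sensor sees when it scans each fragment on its own."""
    return any(SIGNATURE in data for _, _, data in frags)

# Constructed fragment sets
SPLIT = [(1, False, b"PLE-SIG!"), (0, True, b"AAAAEXAM")]   # marker spans both
OVERLAP = [(0, True, b"A" * 16), (1, False, b"B" * 8)]      # second rewrites bytes 8-15
CLEAN = [(0, True, b"hello, w"), (1, False, b"orld")]

if __name__ == "__main__":
    for name, frags in (("SPLIT", SPLIT), ("OVERLAP", OVERLAP), ("CLEAN", CLEAN)):
        print(name, per_fragment_match(frags), verdict(frags))
```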

Transport layer attacks

Manipulation of UDP or TCP ports
  – Attacker can format packets so they appear to come from a port allowed by the firewall
Denial of service
  – SYN flood attack to leave sessions half open until router cannot accept any more connections
Session hijacking
  – After the connection is established, attacker predicts TCP sequence numbers and takes over the connection with his own segments
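How the half-open sessions of a SYN flood show up in connection records, as an added example that is not part of the original slides: the code counts handshakes per service that saw a SYN but no completing ACK. The record layout, the 60-second timeout, the backlog of 5 and the capture (documentation address ranges) are assumptions made for illustration.

```python
from collections import Counter

def half_open_counts(events, now, syn_timeout=60.0):
    """Count handshakes per (dst, dport) that saw a SYN but no completing ACK.

    events: (ts, src, sport, dst, dport, flag) with flag SYN, ACK or RST, as
    sent by the client. syn_timeout is an assumed listener timeout.
    """
    pending = {}
    for ts, src, sport, dst, dport, flag in events:
        conn = (src, sport, dst, dport)
        if flag == "SYN":
            pending.setdefault(conn, ts)   # a retransmitted SYN keeps the first time
        elif flag in ("ACK", "RST"):
            pending.pop(conn, None)        # handshake completed or aborted
    counts = Counter()
    for (src, sport, dst, dport), ts in pending.items():
        if now - ts <= syn_timeout:        # older entries have already timed out
            counts[(dst, dport)] += 1
    return counts

def flooded_services(events, now, backlog=5):
    """Services whose half-open count has reached the assumed backlog size."""
    counts = half_open_counts(events, now)
    return sorted(svc for svc, n in counts.items() if n >= backlog)

# Constructed capture: two normal clients, then six SYNs that are never completed
CAPTURE = [
    (0.0, "198.51.100.10", 40001, "192.0.2.80", 80, "SYN"),
    (0.1, "198.51.100.10", 40001, "192.0.2.80", 80, "ACK"),
    (0.2, "198.51.100.11", 40002, "192.0.2.80", 443, "SYN"),
    (0.3, "198.51.100.11", 40002, "192.0.2.80", 443, "ACK"),
] + [
    (1.0 + i * 0.01, "203.0.113.%d" % i, 50000 + i, "192.0.2.80", 80, "SYN")
    for i in range(1, 7)
]

if __name__ == "__main__":
    print(dict(half_open_counts(CAPTURE, now=2.0)))
    print(flooded_services(CAPTURE, now=2.0))
```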

Application layer attacks

Specific to the application layer protocol
Common attacks exploit:
  – protocols
  – Web protocols
  – DNS

Network cabling security

Coaxial cables
  – Cutting or destroying cables
  – Noise from EMI or RFI
  – Removing a terminator
Eavesdropping
  – Eavesdropping on traffic by tapping into the coaxial cable at any point on the network
Mitigation
  – Protect the cable: bury it, run it inside walls, use tamperproof containers
  – Document the cable infrastructure
  – Investigate all outages
  – Inspect your cables regularly
  – Investigate undocumented hosts and connections

Network cabling security

Twisted pair
  – Cutting or destroying cables
  – Noise from EMI or RFI; STP (shielded twisted pair) mitigates the impact of EMI and RFI
Mitigation
  – Protect the cables
  – Protect the switches and patch panels
  – Document the cable infrastructure
  – Investigate all outages
  – Inspect your cables and infrastructure regularly
  – Investigate undocumented hosts and connections
Eavesdropping
  – Using a protocol analyser or packet sniffer (requires physical connection)
  – Splicing into a cable
  – Listening to electromagnetic emissions from the signals passing through the wire

Network cabling security

Fiber optic cables
  – Bend or snap the cable
  – Any damage will disrupt the signal
Eavesdropping
  – Virtually impossible: requires cutting the cable, polishing the ends and connecting a device
Mitigation
  – Protect the cables
  – Protect the switches and patch panels
  – Document the cable infrastructure
  – Investigate all outages
  – Inspect your cables and infrastructure regularly
  – Investigate undocumented hosts and connections

Device security

Compromising switches and bridges
  – If an attacker has physical access, he can disable a switch
  – Attach a computer to a SPAN port, which receives all switch traffic
  – Transmit frames with a spoofed MAC address to corrupt the MAC address table
  – Flood the switch with frames to disrupt operations
Gaining administrative access
  – Port mirroring: map the input and output of one or more ports to a single port to eavesdrop on communications
  – Change the MAC address table to redirect traffic
ARP cache poisoning
  – Attacker can overwrite entries in the ARP cache, allowing the attacker to eavesdrop or hijack a session

Securing switches and bridges

Physical security
  – Limit physical access, use security personnel and monitoring (cameras)
Protecting admin functions with passwords
  – Set complex passwords and change routinely
  – Restrict access to few staff
  – Manually enter ARP mappings on critical devices: servers, switches and bridges
  – Keep up to date with patches
  – Document configurations so you know what is normal and authorised
Monitoring for security breaches
  – Monitor devices for unauthorised connections
  – Use ARPWATCH to monitor traffic and keep track of MAC-to-IP address mappings
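The kind of bookkeeping behind MAC-to-IP monitoring and manually entered ARP mappings, as an added example that is not part of the original slides and is not ARPWATCH's own code: it tracks which MAC last answered for each IP, refuses to learn over a pinned entry, and reports changes. The event names, the STATIC table and the observations (documentation address ranges) are constructed for illustration.

```python
from collections import defaultdict

# Manually entered mappings for critical devices (constructed values)
STATIC = {"192.0.2.1": "00:00:5e:00:53:01"}

# Constructed ARP observations: (timestamp, sender_ip, sender_mac)
OBSERVED = [
    (1, "192.0.2.1", "00:00:5e:00:53:01"),    # gateway, matches the static entry
    (2, "192.0.2.10", "00:00:5e:00:53:0a"),   # server
    (3, "192.0.2.20", "00:00:5e:00:53:14"),   # workstation
    (4, "192.0.2.10", "00:00:5e:00:53:14"),   # workstation's MAC claims the server's IP
    (5, "192.0.2.10", "00:00:5e:00:53:0a"),   # the server answers again
    (6, "192.0.2.1", "00:00:5e:00:53:14"),    # same MAC claims the pinned gateway
]

def watch(observations, static=None):
    """Return (ts, kind, ip, mac) events for every change in the IP-to-MAC table."""
    static = static or {}
    table = {}                    # ip -> MAC currently believed
    history = defaultdict(set)    # ip -> every MAC ever seen for it
    events = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        pinned = static.get(ip)
        if pinned and mac != pinned:
            events.append((ts, "static-violation", ip, mac))
            continue              # never learn over a manually entered mapping
        old = table.get(ip)
        if old is None:
            events.append((ts, "new-station", ip, mac))
        elif old != mac:
            kind = "flip-flop" if mac in history[ip] else "changed"
            events.append((ts, kind, ip, mac))
        table[ip] = mac
        history[ip].add(mac)
    return events

def alerts(events):
    """Everything except a first sighting deserves investigation."""
    return [e for e in events if e[1] != "new-station"]

def multi_ip_macs(observations):
    """MACs that answered for more than one IP (expected only for known devices)."""
    seen = defaultdict(set)
    for _, ip, mac in observations:
        seen[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}
```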

Securing routers

Compromising routers
  – Susceptible to ARP cache poisoning
  – Routing tables can be changed either administratively or with incorrect routing updates
  – RIP spoofing: updating routing tables with bogus updates
  – ACLs can be changed if admin access is compromised
  – Insecure protocols and services could be enabled

Securing routers

– Keep routers in secure locations: locked server rooms and wiring closets
– Secure all physical connections to network segments
– Use security personnel and monitoring (cameras)
– Set complex passwords and change regularly
– Keep up to date with latest patches
– Restrict which staff have access and the locations access can come from
– Set ACLs to prevent inappropriate connections
– Set passwords for routing updates
– Disable insecure protocols and services
– Document and regularly review the network

Securing telecommunications

Compromised by
  – Free long distance calls by changing billing records
  – Compromise or shut down the organisation’s voice mail system
  – Reroute incoming, transferred or outgoing calls
  – Gain access to voice mail boxes of employees

Securing PBX systems

Vulnerabilities
  – Insecure or default passwords are used
  – Older PBX systems don’t implement latest security technology
  – Lack of knowledge and security procedures: social engineering
  – Remote management connections could be compromised
  – Unused floors and offices may have active connections
Protecting PBX
  – Physically securing PBX equipment
  – Control access to PBX wiring room and switching equipment
  – Document
  – Routinely check for unauthorised connections
  – Secure offsite transfers with passwords (for updates)
  – System exclusion lists to limit long distance calling
  – Shut down services not required during off days and hours
  – Educate users
  – Enforce PBX password change and audit policy
  – Secure maintenance ports, limit entry ports, log all system access

Securing modems

Compromising modems
  – Can be used to circumvent firewall security
  – Can be used to provide direct access to internal computers
  – War dialling to discover computers with modems attached
Mitigation
  – Remove all unnecessary modems
  – If modem is required for outgoing calls make sure it is configured not to accept incoming calls
  – Software/security updates for computers with modems
  – Monitor security bulletins
  – Isolate computers with modems to limit the damage
  – Monitor computers with modems to ensure they have not been compromised

Lesson summary

– What some TCP/IP layer attacks are, and security practices
– What some physical layer attacks are, and security practices
– Practices for securing network cabling and network devices, and the associated threats