Slide 1: CIT 480: Securing Computer Systems
Network Security Concepts
Slide 2: Topics
- Policies and Assurance
- Protocols and Layers
- Layer 2 Network Concepts
- MAC Spoofing
- ARP
- ARP Spoofing
- Network Sniffing
Slide 3: Network Security Policy
- Usage policies: define acceptable uses for organization members, partners, and other user classes.
- Risk analysis: identify assets, evaluate their importance, and determine a security policy for each asset based on its importance.
Slide 4: Detecting Problems
- Change management process: require security approval of network changes.
- Intrusion detection: automated network-based and/or host-based intrusion detection systems.
- Network scans: scan the network for rogue or missing machines; verify the security status of each network device.
- Log monitoring: monitor sensitive logs (e.g. firewall logs) in real time.
Slide 5: Network Mission Assurance
- Asset identification: systems and information assets.
- Infrastructure model and control: network diagrams and inventory database; change control.
- Threat analysis and prediction.
- Response coordination: attack identification; incident response team.
Slide 6: Network Hardening
- Network device integrity: firmware and OS patches; password quality and change policies.
- Secure protocols: use secure management protocols (SSH, SNMPv3 with encryption); encrypt all sensitive data and use MACs (message authentication codes) for integrity.
- Network design: isolate sensitive or dangerous devices via firewalls and VLANs; compartmentalize different information asset classes.
- Network access control: restrict access to Ethernet ports and wireless access.
Slide 7: Protocols
- A protocol defines the rules for communication between computers.
- Two primary types of protocols:
  - Connectionless protocol: sends data out as soon as there is enough data to be transmitted. E.g., the User Datagram Protocol (UDP).
  - Connection-oriented protocol: provides a reliable connection stream between two nodes; consists of set-up, transmission, and tear-down phases; creates a virtual circuit-switched network. E.g., the Transmission Control Protocol (TCP).
Slide 8: Encapsulation
- A packet typically consists of control information for addressing the packet (header and footer) and data (payload).
- A network protocol N1 can use the services of another network protocol N2: a packet p1 of N1 is encapsulated into a packet p2 of N2. The payload of p2 is p1, and the control information of p2 is derived from that of p1.
- [Figure: p1 = Header | Payload | Footer; p2 = Header | p1 (as payload) | Footer.]
Slide 9: Network Layers
- Network models typically use a stack of layers.
- Higher layers use the services of lower layers via encapsulation.
- A layer can be implemented in hardware or software; the bottommost layer must be in hardware.
- A network device may implement several layers.
- A communication channel between two nodes is established for each layer: an actual channel at the bottom layer, a virtual channel at higher layers.
Slide 10: Internet Layers
- [Figure: the Internet layer stack, top to bottom: Application, Transport, Network, Link, Physical. Physical-layer examples: Ethernet, fiber optics, Wi-Fi.]
Slide 11: Intermediate Layers
- Link layer: local area network (Ethernet, WiFi, optical fiber); 48-bit media access control (MAC) addresses; packets are called frames.
- Network layer: Internet-wide communication; best-effort transmission; 32-bit Internet Protocol (IP) addresses in IPv4, 128-bit IP addresses in IPv6.
- Transport layer: 16-bit addresses (ports) for classes of applications; the connection-oriented Transmission Control Protocol (TCP); the connectionless User Datagram Protocol (UDP).
Slide 12: Internet Packet Encapsulation
- [Figure: the application packet is the TCP data; TCP header + TCP data form the IP data; IP header + IP data form the frame data; the link layer adds the frame header and frame footer. Layers labelled: Application, Transport, Network, Link.]
Slide 13: Internet Packet Encapsulation
- Data link frame = data link header | IP packet | data link footer
- IP packet = IP header | TCP or UDP packet
- TCP or UDP packet = TCP or UDP header | application packet
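The encapsulation chain on the last three slides, as an added worked example that is not part of the original deck: a UDP packet becomes the payload of an IPv4 packet, which becomes the data of an Ethernet frame, and the frame is then decapsulated layer by layer. The MAC and IP addresses and the port numbers are constructed sample values.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def udp_packet(sport: int, dport: int, payload: bytes) -> bytes:
    # UDP header: source port, destination port, length, checksum (0 = not computed, legal over IPv4).
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def ipv4_packet(src: str, dst: str, transport: bytes) -> bytes:
    # 20-byte IPv4 header, protocol 17 (UDP); the transport packet becomes the IP payload.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64, 17, 0,
                      ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]  # fill in the checksum field
    return hdr + transport

def ethernet_frame(src_mac: str, dst_mac: str, network: bytes) -> bytes:
    # Ethernet II header: dst MAC, src MAC, EtherType 0x0800 (IPv4); the IP packet is the frame
    # data. The 4-byte FCS footer is appended by the NIC and omitted here.
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + network

def decapsulate(frame: bytes) -> dict:
    """Walk down the layers: link header -> IP header -> UDP header -> application payload."""
    ethertype, = struct.unpack("!H", frame[12:14])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ethertype != 0x0800 or checksum(ip[:ihl]) != 0:  # a valid IPv4 header sums to zero
        raise ValueError("not IPv4 or corrupt IP header")
    total_len, = struct.unpack("!H", ip[2:4])
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    return {"dst_mac": frame[0:6].hex(":"), "src_ip": ".".join(map(str, ip[12:16])),
            "dst_ip": ".".join(map(str, ip[16:20])), "proto": ip[9], "sport": sport,
            "dport": dport, "payload": udp[8:ulen]}

FRAME = ethernet_frame("00:11:22:33:44:01", "00:11:22:33:44:02",  # constructed sample addresses
                       ipv4_packet("192.168.1.10", "192.168.1.100", udp_packet(40000, 53, b"hello")))
```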
Slide 14: The OSI Model
- The OSI (Open Systems Interconnection) Reference Model is a network model consisting of seven layers.
Slide 15: Network Interfaces
- Network interface: a device connecting a computer to a network, such as an Ethernet or WiFi card. A computer may have multiple network interfaces.
- Most local area networks, including Ethernet and WiFi, broadcast frames, so all hosts on the LAN receive them.
- In regular mode, a network interface passes only the frames destined for it to the OS for processing.
- Network sniffing can be accomplished by configuring the network interface to pass all frames to the OS for processing (promiscuous mode).
Slide 16: MAC Addresses
- Layer 2 protocols identify nodes by MAC addresses.
- A MAC address is a 48-bit number, e.g. 00-1A-92-D4-BF-86.
- The first three octets of any MAC address are an IEEE-assigned Organizationally Unique Identifier (OUI), e.g. Cisco 00-1A-A1, D-Link 00-1B-11, ASUSTek 00-1A-92. A MAC address starting with a Dell prefix (the example prefix is missing from the slide) is assigned by Dell, while one starting with 00-0a-95 is assigned by Apple.
- The next three octets can be assigned by the manufacturer as it pleases, with uniqueness being the only constraint. Note that uniqueness does not always hold in practice.
- MAC addresses can be permanently burned in (burned-in address, BIA) or be a locally administered address (LAA) set by an administrator. Admins can set MAC addresses to any desired value.
- Despite the IEEE limitations on LAAs, most OSs allow you to specify an arbitrary MAC for an interface.
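An added example (not from the slides) that decodes the fields this slide describes: the OUI, and the two flag bits of the first octet defined by IEEE 802, where bit 1 (the U/L bit) marks a locally administered address and bit 0 (the I/G bit) marks a group/multicast address. The OUI table is a constructed subset containing only the prefixes named on the slide.

```python
# The U/L bit (0x02 in the first octet) distinguishes a locally administered address (LAA) from
# a burned-in address (BIA); the I/G bit (0x01) marks a group address, of which broadcast is one.
# OUI_TABLE is a constructed lookup table built from the slide, not the IEEE registry.
OUI_TABLE = {
    "00-1A-A1": "Cisco",
    "00-1B-11": "D-Link",
    "00-1A-92": "ASUSTek",
    "00-0A-95": "Apple",
}

def parse_mac(mac: str) -> dict:
    """Accept 00-1A-92-D4-BF-86, 00:1a:92:d4:bf:86 or 001a.92d4.bf86 and decode it."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]
    oui = "-".join(f"{o:02X}" for o in octets[:3])
    return {
        "canonical": "-".join(f"{o:02X}" for o in octets),
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown"),
        "locally_administered": bool(octets[0] & 0x02),  # set by an admin/OS, not burned in
        "multicast": bool(octets[0] & 0x01),              # group address (broadcast included)
        "broadcast": all(o == 0xFF for o in octets),
    }

def flag_locally_administered(macs):
    """Return the MACs from an inventory that carry the U/L bit, i.e. were set locally, for review."""
    return [m for m in macs if parse_mac(m)["locally_administered"]]
```

Because an OS can set an arbitrary MAC, a spoofer that copies a victim's burned-in address will not have the U/L bit set; this check only catches addresses that were honestly marked as locally administered.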
Slide 17: Switch
- A switch operates at the link layer and has multiple ports, each connected to a computer.
- Operation of a switch: learn the MAC address of each connected device; forward frames only to the destination device.
Slide 18: Combining Switches
- Switches can be arranged into a tree.
- Each port learns the MAC addresses of the machines in the segment (subtree) connected to it.
- Frames to unknown MAC addresses are broadcast.
- Frames to MAC addresses in the same segment as the sender are ignored.
(10/13/2018)
Slide 19: MAC Address Filtering
- A switch can be configured to provide service only to machines with specific MAC addresses; users must register devices with the network admin.
- A MAC spoofing attack impersonates another PC: find out the MAC address of the target machine; the threat sets the MAC address of their PC to that of the target; turn off or unplug the target machine.
- Countermeasures to MAC spoofing: block the switch port when the machine is turned off; disable duplicate MAC addresses.
Slide 20: Viewing and Changing MAC Addresses
- Viewing the MAC addresses of the interfaces of a machine: Linux: ifconfig; Windows: ipconfig /all
- Changing a MAC address in Linux: stop the networking service (/etc/init.d/network stop); change the MAC address (ifconfig eth0 hw ether <MAC-address>); start the networking service (/etc/init.d/network start).
- Changing a MAC address in Windows: open the Network Connections applet; access the properties for the network interface; click "Configure..."; in the Advanced tab, change the Network Address to the desired value.
- Changing a MAC address requires administrator privileges.
- On other derivatives such as FreeBSD and Mac OS X, stopping the network service is not required and the hw flag is dropped, giving a single command: ifconfig eth0 ether <MAC-address>
Slide 21: ARP
- The Address Resolution Protocol (ARP) connects the network layer to the data link layer by translating IP addresses to MAC addresses.
- ARP broadcasts requests and caches responses for future use.
- The protocol begins with a computer broadcasting a message of the form: who has <IP address1> tell <IP address2>
- When the machine with <IP address1> (or an ARP server) receives this message, it broadcasts the response: <IP address1> is <MAC address>
- The requestor's IP address <IP address2> is contained in the link header.
- The Linux and Windows command arp -a displays the ARP table. Example output (addresses partly lost in the slide): columns Internet Address, Physical Address, Type, with three entries of type dynamic.
- IPv6 does not use ARP; it is replaced by the Neighbor Discovery Protocol.
Slide 22: ARP Caches
- [Figure: two hosts with MACs 00:11:22:33:44:01 and 00:11:22:33:44:02 exchange ARP replies ("<IP> is at 00:11:22:33:44:01", "<IP> is at 00:11:22:33:44:02"); each host's ARP cache then holds the other's MAC and data flows between them. The IP addresses are missing from the slide.]
Slide 23: ARP Spoofing
- The ARP table is updated when an ARP response is received; requests are not tracked.
- ARP announcements are not authenticated, so a rogue machine can spoof other machines: the rogue sends an ARP reply redirecting an IP to its MAC, and network traffic destined for that IP is sent to the rogue machine by all hosts on the subnet, including the switch.
- Countering ARP spoofing: use a static ARP table. This requires the admin to reconfigure each time a host is added to or removed from the subnet.
Slide 24: Poisoned ARP Caches
- [Figure: a rogue host 192.168.1.106 with MAC 00:11:22:33:44:03 sends "is at 00:11:22:33:44:03" to the two hosts of the previous slide (MACs 00:11:22:33:44:01 and 00:11:22:33:44:02); both of their ARP caches are poisoned with 00:11:22:33:44:03, so their data flows through the rogue host.]
Slide 25: ARP Spoofing
- [Figure: LAN 192.168.1.x with a switch. Client Alice (.10) and server Bob (.100) have MACs 00:0A:E4:2E:9B:11 and 00:0A:E4:3B:47:7E; the Cracker (.1) has MAC 00:22:64:34:60:88. Regular traffic flows Alice to Bob. Using ARP poisoning (arpspoof victim-ip gateway-ip), the Cracker sends a gratuitous ARP reply "Bob's IP -> Cracker's MAC" to Alice and "Alice's IP -> Cracker's MAC" to Bob.]
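A defender's counterpart to slides 23 to 25, as an added example that is not part of the original deck: a passive ARP monitor fed the replies seen on the LAN, which flags the two symptoms of cache poisoning (an IP whose MAC changes, and one MAC claiming several IPs) and, optionally, disagreement with an admin-maintained static table. The ARP replies are a constructed trace modelled on the diagram; which of the two 00:0A:E4 MACs belongs to Alice and which to Bob is assumed.

```python
from collections import defaultdict

# Constructed static table for the LAN on the slide (the MAC-to-host assignment is assumed).
STATIC_ARP = {
    "192.168.1.10": "00:0a:e4:2e:9b:11",   # Alice
    "192.168.1.100": "00:0a:e4:3b:47:7e",  # Bob
}

class ArpMonitor:
    def __init__(self, static=None):
        self.static = {ip: m.lower() for ip, m in (static or {}).items()}
        self.cache = {}                  # ip -> mac learned from replies seen on the wire
        self.by_mac = defaultdict(set)   # mac -> set of ips that MAC has claimed

    def observe(self, sender_ip: str, sender_mac: str) -> list:
        """Feed one ARP reply ('<sender_ip> is at <sender_mac>'); return alert strings."""
        mac = sender_mac.lower()
        alerts = []
        expected = self.static.get(sender_ip)
        if expected and expected != mac:
            alerts.append(f"static-mismatch {sender_ip}: expected {expected}, saw {mac}")
        old = self.cache.get(sender_ip)
        if old and old != mac:
            alerts.append(f"mac-change {sender_ip}: {old} -> {mac}")
        self.cache[sender_ip] = mac
        self.by_mac[mac].add(sender_ip)
        if len(self.by_mac[mac]) > 1:   # one NIC answering for several IPs: poisoning pattern
            alerts.append(f"shared-mac {mac} claims {sorted(self.by_mac[mac])}")
        return alerts

def run(replies, static=None) -> list:
    """Replay a list of (sender_ip, sender_mac) replies and collect all alerts in order."""
    mon = ArpMonitor(static)
    return [a for ip, mac in replies for a in mon.observe(ip, mac)]

# Constructed trace: the legitimate replies, then the two gratuitous replies from the slide
# ("Bob's IP -> Cracker's MAC" and "Alice's IP -> Cracker's MAC").
REPLIES = [
    ("192.168.1.10", "00:0A:E4:2E:9B:11"),
    ("192.168.1.100", "00:0A:E4:3B:47:7E"),
    ("192.168.1.100", "00:22:64:34:60:88"),
    ("192.168.1.10", "00:22:64:34:60:88"),
]
```

On a real LAN the input would come from a promiscuous-mode capture of ARP replies; the monitor itself never sends anything.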
Slide 26: Telnet Protocol (RFC 854)
- Telnet is a protocol that provides unencrypted communication with another machine to issue commands and receive output. It allows remote shell access like SSH: it sends whatever you type and prints whatever comes back.
- A Telnet client can connect to any TCP port, which is useful for testing ASCII-based TCP services such as HTTP and SMTP.
- One computer can connect to another to use its services.
Slide 27: Packet Sniffing
- Packet sniffing is the process of intercepting and observing traffic on a network. If packets are not encrypted, an attacker can read confidential data such as passwords.
- Wired networks: broadcast traffic is observable by all hosts; hubs send all packets to all hosts on the subnet; switches send packets only to the destination host, but ARP poisoning can let an attacker see all packets.
- Wireless networks: a sniffer can see all packets.
Slide 28: [Figure: screenshot of a packet sniffer GUI with its regions labelled: menu, main toolbar, filter toolbar, packet list pane, packet details pane, packet bytes pane, status bar.]
Slide 29: Packet Sniffer Applications
- Legitimate applications: debug network problems; monitor network usage; network intrusion detection.
- Attacker applications: view confidential information; gather data required for other attacks, especially spoofing attacks.
Slide 30: Defending against Sniffing
- Encrypt traffic: use application-level encryption, e.g. HTTPS instead of HTTP and SSH instead of Telnet; use network-level encryption, such as WPA2 or IPsec, where possible. Traffic patterns can still be observed.
- Use wired networks with switches, and static ARP tables to avoid ARP spoofing. This limits the attacker to broadcasts and to packets directed to attacker-controlled machines.
Slide 31: Attempting to Sniff Telnet
- [Figure: LAN 192.168.1.x with a switch. Client Alice (.10), server Bob (.100) and the Cracker (.1) are each connected to the switch by an Ethernet UTP link with RJ45 connectors.]
- Add a user on the server: adduser user, and then follow the program's instructions.
- In a switched network, packets are sent only to the destination computer. One would think that another computer plugged into the switch cannot sniff traffic.
Slide 32: Sniffing Telnet Passwords
- [Figure: the same LAN 192.168.1.x with Alice (.10), Bob (.100) and the Cracker (.1). Regular traffic flows between Alice and Bob; using ARP poisoning, the Cracker acts as a router between them.]
- With dsniff, we catch the passwords used to log in to a telnet service: dsniff -n
Slide 33: Key Points
- Layer 2 concepts: hosts are identified by 48-bit MAC addresses; the OS can spoof MACs by setting them to any value; switches manage layer 2 traffic.
- ARP translates IPs to MACs so packets can be delivered to hosts on the local subnet. There is no authentication, so ARP spoofing can be used to receive frames destined for other hosts.
- Network sniffing: view confidential network traffic of other hosts. ARP spoofing can let an attacker sniff even if switches are used.
Slide 34: References
- Cisco, Network Security Policies: Best Practices White Paper.
- Goodrich and Tamassia, Introduction to Computer Security, Pearson, 2011.
- NSA, Hardening Network Infrastructure.