Abhinit Kr Sharma
Ravi Ranjan
Assessing Network Security
Appin
• Hands-on experience with Windows 7 or Linux
• Working knowledge of networking, including basics of security and “Ethical Hacking”
• Basic knowledge of network security-assessment strategies

• Planning Security Assessments
• Gathering Information About the Target
• Vulnerability Assessment and Penetration Testing for Intrusive Attacks
• Case Study: Assessing Network Security for that Target

Network security fails in several common areas, including:
Human awareness
Policy factors
Hardware or software misconfigurations
Poor assumptions
Ignorance
Failure to stay up-to-date

Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Policies, procedures, and awareness: Security policies, procedures, and education
Physical security: Guards, locks, tracking devices
Application: Application hardening
Host: OS hardening, authentication, security update management, antivirus updates, auditing
Internal network: Network segments,
Perimeter: Firewalls, border routers, VPNs with quarantine procedures
Data: Strong passwords, backup and restore strategy

Security assessments can:
Answer the questions “Is our network secure?” and “How do we know that our network is secure?”
Provide a baseline to help improve security
Find configuration mistakes or missing security updates
Reveal unexpected weaknesses in your organization’s security
Ensure regulatory compliance

Project phase: Planning elements
Pre-assessment:
• Scope
• Goals
• Timelines
• Ground rules
Assessment:
• Choose technologies
• Perform assessment
• Organize results
Preparing results:
• Estimate risk presented by discovered weaknesses
• Create a plan for target
• Identify vulnerabilities that have not been remediated
• Determine improvement in network security over time
Reporting your findings:
• Create final report
• Present your findings

Components: Example
Target: All servers running:
• Windows 2005 Server
• Windows Server 2008
Target area: All servers on the subnets:
• 192.168.0.0/24
• 192.168.1.0/24
Timeline: Scanning will take place from Jan 31st to Jan 3rd during non-critical business hours
Vulnerabilities to scan for:
• Anonymous SAM enumeration
• Guest account enabled
• Greater than 10 accounts in the local Administrator group

Vulnerability scanning:
Focuses on known weaknesses
Can be automated
Does not necessarily require expertise
Penetration testing:
Focuses on known and unknown weaknesses
Requires highly skilled testers
Carries tremendous legal burden in certain countries/organizations
IT security auditing:
Focuses on security policies and procedures
Used to provide evidence for industry regulations
Develop a process for vulnerability scanning that will do the following:
Detect vulnerabilities
Assign risk levels to discovered vulnerabilities
Identify vulnerabilities that have not been remediated
Determine improvement in network security over time
FACT!!!!
99.9% secure = 100% vulnerable!
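
One way to implement the scanning process above, as an added example that is not part of the original slides. The check names follow the scope slide; the host addresses, scan labels, risk levels, weights and all scan data are constructed assumptions.

```python
"""Track vulnerability-scan findings across runs (constructed data)."""
from dataclasses import dataclass

# Check names follow the scope slide; the risk levels and weights assigned to
# them are assumptions made for this example.
RISK_LEVEL = {
    "anonymous-sam-enumeration": "High",
    "guest-account-enabled": "Medium",
    "local-admin-group-over-10": "Medium",
}
RISK_WEIGHT = {"High": 5, "Medium": 3, "Low": 1}


@dataclass(frozen=True, order=True)
class Finding:
    host: str
    check: str

    @property
    def risk(self) -> str:
        # A check with no assigned level is treated as High so it gets triaged.
        return RISK_LEVEL.get(self.check, "High")


def compare_scans(previous, current):
    """Split two scan runs into unremediated, fixed and newly found items."""
    return {
        "unremediated": sorted(previous & current),
        "fixed": sorted(previous - current),
        "new": sorted(current - previous),
    }


def exposure_score(findings):
    """Risk-weighted count, used to show improvement over time."""
    return sum(RISK_WEIGHT[f.risk] for f in findings)


def open_age(history, finding):
    """Number of consecutive scans, counting back from the latest, that
    still report the finding."""
    age = 0
    for _, findings in reversed(history):
        if finding not in findings:
            break
        age += 1
    return age


def remediation_queue(history):
    """Latest findings ordered by risk weight, then by how long they have
    stayed open."""
    _, latest = history[-1]
    return sorted(
        ((f, f.risk, open_age(history, f)) for f in latest),
        key=lambda row: (-RISK_WEIGHT[row[1]], -row[2], row[0]),
    )


# Constructed scan history for hosts on the in-scope subnets.
SAM = "anonymous-sam-enumeration"
GUEST = "guest-account-enabled"
ADMINS = "local-admin-group-over-10"
HISTORY = [
    ("scan-1", {Finding("192.168.0.10", SAM), Finding("192.168.0.10", GUEST),
                Finding("192.168.0.11", GUEST), Finding("192.168.0.11", ADMINS)}),
    ("scan-2", {Finding("192.168.0.10", SAM), Finding("192.168.0.11", GUEST),
                Finding("192.168.0.11", ADMINS)}),
    ("scan-3", {Finding("192.168.0.10", SAM), Finding("192.168.1.20", GUEST)}),
]

if __name__ == "__main__":
    for label, findings in HISTORY:
        print(label, "exposure score:", exposure_score(findings))
    diff = compare_scans(HISTORY[-2][1], HISTORY[-1][1])
    for status, items in diff.items():
        for item in items:
            print(status, item.host, item.check, item.risk)
    for finding, risk, age in remediation_queue(HISTORY):
        print("queue:", finding.host, finding.check, risk, "open for", age, "scans")
```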
Steps to a successful penetration test include:
1. Determine how the attacker is most likely to go about attacking a network or an application
2. Locate areas of weakness in network or application defenses
3. Determine how an attacker could exploit weaknesses
4. Locate assets that could be accessed, altered, or destroyed
5. Determine whether the attack was detected
6. Determine what the attack footprint looks like
7. Make recommendations

Black Box
• Zero-knowledge testing
• The tester needs to acquire the knowledge and penetrate.
• Acquire knowledge using tools or social engineering techniques
• Publicly available information may be given to the penetration tester.
Benefits:
Black box testing is intended to closely replicate the attack made by an outsider without any information about the system. This kind of testing gives insight into the robustness of the security when under attack by script kiddies.

White Box
Complete-knowledge testing
Testers are given full information about the target system they are supposed to attack.
Information includes:
• Technology overviews
• Data flow diagrams
• Code snippets
• More…
Benefits:
Reveals more vulnerabilities and may be faster. Comparable to replicating an attack from a criminal hacker who knows the company infrastructure very well. This hacker may be an employee of the company itself, carrying out an internal attack.

Gray-box or crystal-box test
The tester simulates an inside employee. The tester is
given an account on the internal network and standard
access to the network. This test assesses internal threats
from employees within the company.
There are NO formal methods of Penetration testing!
• Typically has Seven Stages
  • Scope/Goal Definition
  • Information Gathering
  • Vulnerability Detection
  • Information Analysis and Planning
  • Attack & Penetration/Privilege Escalation
  • Result Analysis & Reporting
  • Cleanup

Security Policy Model
Start with policy, build process, apply technology.
[Diagram labels: Policy, Process, Technology; Documentation, Implementation, Operations]

Compare each area to standards and best practices
Security policy: What you must do
Documented procedures: What you say you do
Operations: What you really do

Organize information into the following reporting framework:
Define the vulnerability
Document mitigation plans
Identify where changes should occur
Assign responsibility for implementing approved recommendations
Recommend a time for the next security assessment

• Planning Security Assessments
• Gathering Information About the Target
• Penetration Testing for Intrusive Attacks
• Case Study: Assessing Network Security for Target

Examples of nonintrusive attacks include:
Information reconnaissance
Port scanning
Obtaining host information using fingerprinting techniques
Network and host discovery
Nonintrusive attack: The intent to gain information about an organization’s network in preparation for a more intrusive attack at a later time

Common types of information sought by attackers include:
System configuration
Valid user accounts
Contact information
Extranet and remote access servers
Information about your network may be obtained by:
Querying registrar information
Determining IP address assignments
Organization Web pages
Search engines
Public discussion forums
Port scanning tips include:
Start by scanning slowly, a few ports at a time
To avoid detection, try the same port across several hosts
Run scans from a number of different systems, optimally from different networks
Typical results of a port scan include:
Discovery of ports that are listening or open
Determination of which ports refuse connections
Determination of connections that time out

Port scanning countermeasures include:
Implement defense-in-depth to use multiple layers of filtering
Plan for misconfigurations or failures
Run only the required services
Implement an intrusion-detection system
Expose services through a reverse proxy
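
Detection logic an intrusion-detection system could apply to the scanning patterns described in the port scanning tips, as an added example that is not part of the original slides. It flags one source probing the same port across several hosts, or many ports on one host, even when the probes are spaced far apart. The log format, addresses, window and thresholds are constructed assumptions.

```python
"""Flag slow horizontal and vertical port scans in firewall deny logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed format:
#   <ISO timestamp> <ALLOW|DENY> TCP <source> -> <destination>:<port>
SAMPLE_LOG = """\
2024-01-10T09:00:00 DENY TCP 203.0.113.5 -> 192.168.0.10:445
2024-01-10T09:05:12 ALLOW TCP 198.51.100.23 -> 192.168.0.10:443
2024-01-10T09:40:00 DENY TCP 203.0.113.5 -> 192.168.0.11:445
2024-01-10T10:00:00 DENY TCP 198.51.100.7 -> 192.168.1.20:21
2024-01-10T10:00:05 DENY TCP 198.51.100.7 -> 192.168.1.20:22
2024-01-10T10:00:10 DENY TCP 198.51.100.7 -> 192.168.1.20:23
2024-01-10T10:00:15 DENY TCP 198.51.100.7 -> 192.168.1.20:25
2024-01-10T10:00:20 DENY TCP 198.51.100.7 -> 192.168.1.20:110
2024-01-10T10:00:25 DENY TCP 198.51.100.7 -> 192.168.1.20:143
2024-01-10T10:20:00 DENY TCP 203.0.113.5 -> 192.168.0.12:445
2024-01-10T10:30:00 DENY TCP 192.0.2.9 -> 192.168.0.10:3389
2024-01-10T10:31:00 DENY TCP 192.0.2.9 -> 192.168.0.10:3389
2024-01-10T11:00:00 DENY TCP 203.0.113.5 -> 192.168.0.13:445
2024-01-10T11:40:00 DENY TCP 203.0.113.5 -> 192.168.0.14:445
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) TCP (\S+) -> (\S+):(\d+)$")


def parse(log):
    """Yield (timestamp, action, source, destination, port) per valid line."""
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, action, src, dst, port = match.groups()
            yield datetime.fromisoformat(ts), action, src, dst, int(port)


def max_distinct_in_window(events, window):
    """Largest number of distinct values seen inside any sliding window.

    `events` is a list of (timestamp, value) pairs.
    """
    events = sorted(events)
    counts = Counter()
    best = left = 0
    for ts, value in events:
        counts[value] += 1
        # Drop events that have aged out of the window ending at `ts`.
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if not counts[old]:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect(log, window=timedelta(hours=6), min_hosts=4, min_ports=5):
    """Return sorted alerts as (kind, source, key, distinct_count) tuples.

    horizontal: one source, one port, many hosts (key = port)
    vertical:   one source, one host, many ports (key = host)
    Only DENY lines count, so permitted traffic to published services is
    not mistaken for probing.
    """
    same_port = defaultdict(list)   # (src, port) -> [(ts, dst)]
    same_host = defaultdict(list)   # (src, dst)  -> [(ts, port)]
    for ts, action, src, dst, port in parse(log):
        if action == "DENY":
            same_port[(src, port)].append((ts, dst))
            same_host[(src, dst)].append((ts, port))

    alerts = []
    for (src, port), events in same_port.items():
        hosts = max_distinct_in_window(events, window)
        if hosts >= min_hosts:
            alerts.append(("horizontal", src, port, hosts))
    for (src, dst), events in same_host.items():
        ports = max_distinct_in_window(events, window)
        if ports >= min_ports:
            alerts.append(("vertical", src, dst, ports))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With a 30-minute window the same log yields only the vertical alert, because the probes of port 445 are 40 minutes apart; slow scans only show up when the correlation window is long.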
Types of information that can be collected using fingerprinting techniques include:
IP and ICMP implementation
TCP responses
Listening ports
Banners
Service behavior
Remote operating system queries

Fingerprinting source: Countermeasures
IP, ICMP, and TCP:
• Be conservative with the packets that you allow to reach your system
• Use a firewall or inline IDS device to normalize traffic
• Assume that your attacker knows what version of operating system is running, and make sure it is secure
Port scanning, service behavior, and remote queries:
• Disable unnecessary services
• Filter traffic coming to isolate specific ports on the host
• Implement IPSec on all systems in the managed network

"… a firewall is a piece of hardware or software which functions in a
networked environment to prevent some communications forbidden by
the security policy, analogous to the function of firewalls in building
construction."
Types of Firewalls
• Packet filtering gateways
• Stateful inspection firewalls
• Application proxies
• Guards
• Personal firewalls
The first firewalls were application gateways, and are sometimes
known as proxy gateways. These are made up of bastion hosts that
run special software to act as a proxy server. This software runs at
the Application Layer of our old friend the ISO/OSI Reference
Model, hence the name.
Clients behind the firewall must be proxitized (that is, must know
how to use the proxy, and be configured to do so) in order to use
Internet services. Traditionally, these have been the most secure,
because they don't allow anything to pass by default, but need to
have the programs written and turned on in order to begin passing
traffic.
Packet filtering is a technique whereby routers have ACLs (Access
Control Lists) turned on. By default, a router will pass all traffic sent
to it, and will do so without any sort of restrictions. Employing ACLs is
a method for enforcing your security policy with regard to what
sorts of access you allow the outside world to have to your internal
network, and vice versa.
There is less overhead in packet filtering than with an application
gateway, because the feature of access control is performed at a
lower ISO/OSI layer (typically, the transport or session layer). Due
to the lower overhead and the fact that packet filtering is done with
routers, which are specialized computers optimized for tasks
related to networking, a packet filtering gateway is often much
faster than its application layer cousins.
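
How an ACL changes a router's pass-everything default, as an added example that is not part of the original slides: rules are checked top-down, the first match decides, and a rule placed after a broader one never takes effect. The rule set, addresses and function names are constructed assumptions, and real router ACL syntax differs by vendor.

```python
"""First-match packet-filter ACL evaluation with a shadowed-rule audit."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, proto, src, dst, dport):
        """True if a single packet falls under this rule."""
        return (
            self.proto in ("any", proto)
            and ip_address(src) in ip_network(self.src)
            and ip_address(dst) in ip_network(self.dst)
            and self.dport in (None, dport)
        )

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (
            self.proto in ("any", other.proto)
            and ip_network(other.src).subnet_of(ip_network(self.src))
            and ip_network(other.dst).subnet_of(ip_network(self.dst))
            and self.dport in (None, other.dport)
        )


def evaluate(acl, proto, src, dst, dport, default="deny"):
    """Return (action, rule_number) for a packet; the first matching rule wins.

    Assumption: an applied ACL ends in an implicit deny. Pass
    default="permit" to model the unfiltered router that forwards everything.
    """
    for number, rule in enumerate(acl, start=1):
        if rule.matches(proto, src, dst, dport):
            return rule.action, number
    return default, None


def shadowed_rules(acl):
    """Return (rule_number, covering_rule_number) for rules that can never
    match because an earlier rule already covers all of their traffic."""
    found = []
    for i, rule in enumerate(acl):
        for j in range(i):
            if acl[j].covers(rule):
                found.append((i + 1, j + 1))
                break
    return found


# Constructed inbound ACL for the external interface of a border router.
EDGE_ACL = [
    # 1: anti-spoofing, internal source addresses must not arrive from outside
    Rule("deny", "any", "192.168.0.0/16", "0.0.0.0/0"),
    # 2: published web server
    Rule("permit", "tcp", "0.0.0.0/0", "192.168.1.10/32", 443),
    # 3: everything else on the server subnet
    Rule("deny", "tcp", "0.0.0.0/0", "192.168.1.0/24"),
    # 4: mail server, placed too late to ever match
    Rule("permit", "tcp", "0.0.0.0/0", "192.168.1.11/32", 25),
]

if __name__ == "__main__":
    packets = [
        ("tcp", "203.0.113.5", "192.168.1.10", 443),
        ("tcp", "192.168.0.50", "192.168.1.10", 443),
        ("tcp", "203.0.113.5", "192.168.1.11", 25),
        ("udp", "203.0.113.5", "192.168.0.20", 53),
    ]
    for packet in packets:
        print(packet, "->", evaluate(EDGE_ACL, *packet))
    print("shadowed:", shadowed_rules(EDGE_ACL))
```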
IDS and IPS work together to provide a network security solution.
An IDS captures packets in real time, processes them, and can
respond to threats, but works on copies of data traffic to detect
suspicious activity by using signatures. This is called promiscuous
mode. In the process of detecting malicious traffic, an IDS allows
some malicious traffic to pass before the IDS can respond to
protect the network. An IDS analyzes a copy of the monitored traffic
rather than the actual forwarded packet.
The advantage of operating on a copy of the traffic is that the IDS does not
affect the packet flow of the forwarded traffic. The disadvantage of operating
on a copy of the traffic is that the IDS cannot stop malicious traffic from
single-packet attacks from reaching the target system before the IDS can
apply a response to stop the attack. An IDS often requires assistance from
other networking devices, such as routers and firewalls, to respond to an
attack.
An IPS works inline in the data stream to provide protection from
malicious attacks in real time. This is called inline mode. Unlike an IDS,
an IPS does not allow packets to enter the trusted side of the network.
An IPS monitors traffic at Layer 3 and Layer 4 to ensure that their
headers, states, and so on are those specified in the protocol suite.
However, the IPS sensor analyzes at Layer 2 to Layer 7 the payload of
the packets for more sophisticated embedded attacks that might include
malicious data. This deeper analysis lets the IPS identify, stop, and
block attacks that would normally pass through a traditional firewall
device.
An IPS builds upon previous IDS technology; Cisco IPS platforms use a
blend of detection technologies, including profile-based intrusion
detection, signature-based intrusion detection, and protocol analysis
intrusion detection. The key to differentiating an IDS from an IPS is that
an IPS responds immediately and does not allow any malicious traffic to
pass, whereas an IDS allows malicious traffic to pass before it can
respond.
IDS
■ Analyzes copies of the traffic stream
■ Does not slow network traffic
■ Allows some malicious traffic into the network
IPS
■ Works inline in real time to monitor Layer 2 through Layer 7 traffic
and content
■ Needs to be able to handle network traffic
■ Prevents malicious traffic from entering the network
IDS and IPS technologies share several characteristics:
"… a honeypot is a trap set to detect or deflect attempts at unauthorized use of
information systems. Generally it consists of a computer, data or a network site
that appears to be part of a network but which is actually isolated and protected,
and which seems to contain information that would be of value to attackers."
The term "honeypot" is often understood to refer to the British children's
character Winnie-the-Pooh, a stuffed bear who was lured into various
predicaments by his desire for pots of honey.
Uses of Honeypots
Preventing attacks
Detecting attacks
Responding to attacks
Research
HoneyPot
• Firewalls are a prevention technology; they are network or host solutions that keep attackers out.
• IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity.
• Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more.

[Network diagram labels: External DNS, IDS, Web Server, E-Commerce, VPN Server, Firewall, Honeypot]

• Planning Security Assessments
• Gathering Information About the Target
• Penetration Testing for Intrusive Attacks
• Case Study: Assessing Network Security for Target

Examples of penetration testing for intrusive attack methods include:
Automated vulnerability scanning
Network Attacks
Denial-of-service Attacks
Password Attacks
Network Sniffing
Intrusive attack: Performing specific tasks that result in a compromise of system information, stability, or availability

Automated vulnerability scanning makes use of scanning tools to automate the following tasks:
Banner grabbing and fingerprinting
Exploiting the vulnerability
Inference testing
Security update detection

Throughout the document, each vulnerability or risk identified has been labeled as a Finding and categorized as High-Risk, Medium-Risk, or Low-Risk. In addition, each supplemental testing note.

DoS attacks can be divided into three categories:
Flooding attacks
Resource starvation attacks
Disruption of service
Denial-of-Service (DoS) attack: Any attempt by an attacker to deny his victim’s access to a resource
Note: Denial-of-service attacks should not be launched against your own live production network

DoS attack: Countermeasures
Flooding attacks:
• Ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts
• Set rate limitations on devices to mitigate flooding attacks
• Consider blocking ICMP packets
Disruption of service:
• Make sure that the latest update has been applied to the operating system and applications
• Test updates before applying to production systems
• Disable unneeded services

An attacker can perform network sniffing by performing the following tasks:
1. Compromising the host
2. Installing a network sniffer
3. Using a network sniffer to capture sensitive data such as network credentials
4. Using network credentials to compromise additional hosts
Network sniffing: The ability of an attacker to eavesdrop on communications between network hosts

To reduce the threat of network sniffing attacks on your network, consider the following:
Use encryption to protect data
Use switches instead of hubs
Secure core network devices
Use crossover cables
Develop policy
Conduct regular scans

Common ways that attackers avoid detection include:
Flooding log files
Using logging mechanisms
Attacking detection mechanisms
Using canonicalization attacks
Using decoys
Common ways that attackers avoid detection after an attack include:
Installing rootkits
Tampering with log files

Avoidance Technique: Countermeasures
Flooding log files: Back up log files before they are overwritten
Using logging mechanisms: Ensure that your logging mechanism is using the most updated version of software and all updates
Using canonicalization attacks: Ensure that applications normalize data to its canonical form
Using decoys: Secure the end systems and networks being attacked
Using rootkits: Implement defense-in-depth strategies

• Planning Security Assessments
• Gathering Information About the Target
• Penetration Testing for Intrusive Attacks
• Case Study: Assessing Network Security for Target

Project goal
LON-SRV1 will be scanned for the following vulnerabilities and will be remediated as stated
Vulnerability: Remediation
Network Scan: Require developers to fix Network based applications
Guest account enabled: Disable guest account
RPC-over-DCOM vulnerability: Network Vulnerability Scan

The tools that will be used for the Target security assessment include the following:
Nmap
GFI LanGuard
Nessus
Wireshark
Netcut
Metasploit
Hydra
Ettercap-NG, etc.

• Significant, timely, and relevant vulnerability checks available.
• It’s easy to write your own checks that are not available.
• Engine requires a Linux server; client can be Linux or Microsoft Windows based.
• Intelligent: assumes little, but uses what it learns as it scans.
• Vendor neutral, so nothing is “sugar coated” and recommended fixes don’t point you towards their products.

Nmap is a free, open source tool that quickly and efficiently performs ping
sweeps, port scanning, service identification, IP address detection, and operating
system detection. Nmap has the benefit of scanning a large number of machines in
a single session. It’s supported by many operating systems, including Unix,
Windows, and Linux. The state of the port as determined by an Nmap scan can be
open, filtered, or unfiltered. Open means that the target machine accepts incoming
requests on that port. Filtered means a firewall or network filter is screening the
port and preventing Nmap from discovering whether it’s open. Unfiltered means the
port is determined to be closed, and no firewall or filter is interfering with the Nmap
requests. Nmap supports several types of scans. Table 3.2 details some of the
common scan methods.

• Simple Netcat connection between a Linux and Microsoft Windows machine.

Similar to dsniff, Ettercap seems to be a little bit more versatile and up to date.

• Perform port scanning using Nmap
• Use Nmap and Nessus to perform a vulnerability scan
• Determine buffer overflow vulnerabilities
• Use the Microsoft Baseline Security Analyzer to perform a vulnerability scan
• Hydra can perform rapid dictionary attacks against more than 30 protocols, including telnet, FTP, HTTP, HTTPS and much more

Answer the following questions to complete the report:
What risk does the vulnerability present?
What is the source of the vulnerability?
What is the potential impact of the vulnerability?
What is the likelihood of the vulnerability being exploited?
What should be done to mitigate the vulnerability?
Where should the mitigation be done?
Who should be responsible for implementing the mitigations?

Plan your security assessment to determine scope and goals
Educate users to use strong passwords or pass-phrases
Assume that the attacker already knows the exact operating system and version and take as many steps as possible to secure those systems
Keep systems up-to-date on security updates and service packs

• Find additional security training events: http://www.microsoft.com/ireland/events/default.asp
• Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
• Find additional e-learning clinics: https://www.microsoftelearning.com/security/
• Refer to Assessing Network Security

Abhinit Kumar Sharma

Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...NetworkCollaborators
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics NetworkCollaborators
 
5 howtomitigate
5 howtomitigate5 howtomitigate
5 howtomitigatericharddxd
 

Similaire à Assessing network security (20)

Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51Why Penetration Testing Services Cyber51
Why Penetration Testing Services Cyber51
 
Network Vulnerability and Patching
Network Vulnerability and PatchingNetwork Vulnerability and Patching
Network Vulnerability and Patching
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.
 
NSA and PT
NSA and PTNSA and PT
NSA and PT
 
Network Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision PointsNetwork Vulnerability Assessment: Key Decision Points
Network Vulnerability Assessment: Key Decision Points
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolio
 
Security testing
Security testingSecurity testing
Security testing
 
(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
 
Web application security measures
Web application security measuresWeb application security measures
Web application security measures
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
RMS Security Breakfast
RMS Security BreakfastRMS Security Breakfast
RMS Security Breakfast
 
Iscsp apt
Iscsp aptIscsp apt
Iscsp apt
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics
 
5 howtomitigate
5 howtomitigate5 howtomitigate
5 howtomitigate
 

Dernier

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 

Dernier (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Assessing network security

  • 1. Abhinit Kr Sharma Ravi Ranjan Assessing Network Security Appin
  • 2. Hands-on experience with Windows 7 or Linux; working knowledge of networking, including basics of security and “Ethical Hacking”; basic knowledge of network security-assessment strategies.
  • 3. Planning Security Assessments; Gathering Information About the Target; Vulnerability Assessment and Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for that Target.
  • 4. Planning Security Assessments; Gathering Information About the Target; Vulnerability Assessment and Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for that Target.
  • 5. Network security fails in several common areas, including: human awareness; policy factors; hardware or software misconfigurations; poor assumptions; ignorance; failure to stay up-to-date.
  • 6. Increases an attacker’s risk of detection; reduces an attacker’s chance of success.
      Policies, procedures, and awareness: security policies, procedures, and education
      Physical security: guards, locks, tracking devices
      Application: application hardening
      Host: OS hardening, authentication, security update management, antivirus updates, auditing
      Internal network: network segments
      Perimeter: firewalls, border routers, VPNs with quarantine procedures
      Data: strong passwords, backup and restore strategy
  • 7. Security assessments can: answer the questions “Is our network secure?” and “How do we know that our network is secure?”; provide a baseline to help improve security; find configuration mistakes or missing security updates; reveal unexpected weaknesses in your organization’s security; ensure regulatory compliance.
  • 8. Project phase: planning elements
      Pre-assessment: scope; goals; timelines; ground rules
      Assessment: choose technologies; perform assessment; organize results
      Preparing results: estimate risk presented by discovered weaknesses; create a plan for target; identify vulnerabilities that have not been remediated; determine improvement in network security over time
      Reporting your findings: create final report; present your findings
  • 9. Components: example
      Target: all servers running Windows 2005 Server, Windows Server 2008
      Target area: all servers on the subnets 192.168.0.0/24 and 192.168.1.0/24
      Timeline: scanning will take place from Jan 31st to Jan 3rd during non-critical business hours
      Vulnerabilities to scan for: anonymous SAM enumeration; guest account enabled; greater than 10 accounts in the local Administrator group
  • 10. Vulnerability scanning: focuses on known weaknesses; can be automated; does not necessarily require expertise. Penetration testing: focuses on known and unknown weaknesses; requires highly skilled testers; carries tremendous legal burden in certain countries/organizations. IT security auditing: focuses on security policies and procedures; used to provide evidence for industry regulations.
  • 11. Develop a process for vulnerability scanning that will do the following: detect vulnerabilities; assign risk levels to discovered vulnerabilities; identify vulnerabilities that have not been remediated; determine improvement in network security over time. FACT!!!! 99.9% secure = 100% vulnerable!
  • 12. Steps to a successful penetration test include: (1) determine how the attacker is most likely to go about attacking a network or an application; (2) locate areas of weakness in network or application defenses; (3) determine how an attacker could exploit weaknesses; (4) locate assets that could be accessed, altered, or destroyed; (5) determine whether the attack was detected; (6) determine what the attack footprint looks like; (7) make recommendations.
  • 13. Black box: zero-knowledge testing. The tester needs to acquire the knowledge and penetrate; knowledge is acquired using tools or social engineering techniques; publicly available information may be given to the penetration tester. Benefits: black box testing is intended to closely replicate the attack made by an outsider without any information of the system. This kind of testing will give an insight into the robustness of the security when under attack by script kiddies.
  • 14. White box: complete-knowledge testing. Testers are given full information about the target system they are supposed to attack. Information includes technology overviews, data flow diagrams, code snippets, and more. Benefits: reveals more vulnerabilities and may be faster. Comparable to replicating an attack from a criminal hacker who knows the company infrastructure very well. This hacker may be an employee of the company itself, doing an internal attack.
  • 15. Gray-box or crystal-box test: the tester simulates an inside employee. The tester is given an account on the internal network and standard access to the network. This test assesses internal threats from employees within the company.
  • 16. There are NO formal methods of penetration testing!!!!!!!! It typically has seven stages: scope/goal definition; information gathering; vulnerability detection; information analysis and planning; attack and penetration/privilege escalation; result analysis and reporting; cleanup.
  • 17. Security policy model. Components: policy, process, technology; implementation, documentation, operations. Start with policy, build process, apply technology.
  • 18. Compare each area to standards and best practices: security policy (what you must do); documented procedures (what you say you do); operations (what you really do).
  • 19. Organize information into the following reporting framework: define the vulnerability; document mitigation plans; identify where changes should occur; assign responsibility for implementing approved recommendations; recommend a time for the next security assessment.
  • 20. Planning Security Assessments; Gathering Information About the Target; Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for Target.
  • 21. Examples of nonintrusive attacks include: information reconnaissance; port scanning; obtaining host information using fingerprinting techniques; network and host discovery. Nonintrusive attack: the intent to gain information about an organization’s network in preparation for a more intrusive attack at a later time.
  • 22. Common types of information sought by attackers include: system configuration; valid user accounts; contact information; extranet and remote access servers. Information about your network may be obtained by: querying registrar information; determining IP address assignments; organization Web pages; search engines; public discussion forums.
  • 23. Port scanning tips include: start by scanning slowly, a few ports at a time; to avoid detection, try the same port across several hosts; run scans from a number of different systems, optimally from different networks. Typical results of a port scan include: discovery of ports that are listening or open; determination of which ports refuse connections; determination of connections that time out.
  • 24. Port scanning countermeasures include: implement defense-in-depth to use multiple layers of filtering; plan for misconfigurations or failures; run only the required services; implement an intrusion-detection system; expose services through a reverse proxy.
  • 25. Types of information that can be collected using fingerprinting techniques include: IP and ICMP implementation; TCP responses; listening ports; banners; service behavior; remote operating system queries.
  • 26. Fingerprinting source: countermeasures
      IP, ICMP, and TCP: be conservative with the packets that you allow to reach your system; use a firewall or inline IDS device to normalize traffic; assume that your attacker knows what version of operating system is running, and make sure it is secure
      Port scanning, service behavior, and remote queries: disable unnecessary services; filter traffic coming to isolate specific ports on the host; implement IPSec on all systems in the managed network
  • 27. "… a firewall is a piece of hardware or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction." Types of firewalls: packet filtering gateways; stateful inspection firewalls; application proxies; guards; personal firewalls.
  • 28. The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer of our old friend the ISO/OSI Reference Model, hence the name. Clients behind the firewall must be proxitized (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure, because they don't allow anything to pass by default, but need to have the programs written and turned on in order to begin passing traffic.
  • 29. Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa. There is less overhead in packet filtering than with an application gateway, because the feature of access control is performed at a lower ISO/OSI layer (typically, the transport or session layer). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than its application layer cousins.
  • 30. IDS and IPS work together to provide a network security solution. An IDS captures packets in real time, processes them, and can respond to threats, but works on copies of data traffic to detect suspicious activity by using signatures. This is called promiscuous mode. In the process of detecting malicious traffic, an IDS allows some malicious traffic to pass before the IDS can respond to protect the network. An IDS analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating on a copy of the traffic is that the IDS does not affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy of the traffic is that the IDS cannot stop malicious traffic from single-packet attacks from reaching the target system before the IDS can apply a response to stop the attack. An IDS often requires assistance from other networking devices, such as routers and firewalls, to respond to an attack.
  • 31. An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 and Layer 4 to ensure that their headers, states, and so on are those specified in the protocol suite. However, the IPS sensor analyzes at Layer 2 to Layer 7 the payload of the packets for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. An IPS builds upon previous IDS technology; Cisco IPS platforms use a blend of detection technologies, including profile-based intrusion detection, signature-based intrusion detection, and protocol analysis intrusion detection. The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.
  • 32. IDS: analyzes copies of the traffic stream; does not slow network traffic; allows some malicious traffic into the network. IPS: works inline in real time to monitor Layer 2 through Layer 7 traffic and content; needs to be able to handle network traffic; prevents malicious traffic from entering the network. IDS and IPS technologies share several characteristics:
  • 33. Honeypot. "… a honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers." The term "honeypot" is often understood to refer to the British children's character Winnie-the-Pooh, a stuffed bear who was lured into various predicaments by his desire for pots of honey. Uses of honeypots: preventing attacks; detecting attacks; responding to attacks; research.
  • 34. Firewalls are a prevention technology; they are network or host solutions that keep attackers out. IDSs are a detection technology; their purpose is to detect and alert security professionals about unauthorized or malicious activity. Honeypots are tougher to define because they can be involved in aspects of prevention, detection, information gathering, and much more. Diagram labels: External DNS, IDS, Web Server, E-Commerce, VPN Server, Firewall, Honeypot.
  • 35. Planning Security Assessments; Gathering Information About the Target; Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for Target.
  • 36. Examples of penetration testing for intrusive attack methods include: automated vulnerability scanning; network attacks; denial-of-service attacks; password attacks; network sniffing. Intrusive attack: performing specific tasks that result in a compromise of system information, stability, or availability.
  • 37. Automated vulnerability scanning makes use of scanning tools to automate the following tasks: banner grabbing and fingerprinting; exploiting the vulnerability; inference testing; security update detection.
  • 38. Throughout the document, each vulnerability or risk identified has been labeled as a Finding and categorized as High-Risk, Medium-Risk, or Low-Risk. In addition, each supplemental testing note.
  • 39. DoS attacks can be divided into three categories: flooding attacks; resource starvation attacks; disruption of service. Denial-of-service (DoS) attack: any attempt by an attacker to deny his victim’s access to a resource. Note: denial-of-service attacks should not be launched against your own live production network.
  • 40. DoS attack: countermeasures
      Flooding attacks: ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts; set rate limitations on devices to mitigate flooding attacks; consider blocking ICMP packets
      Disruption of service: make sure that the latest update has been applied to the operating system and applications; test updates before applying to production systems; disable unneeded services
  • 41. An attacker can perform network sniffing by performing the following tasks: (1) compromising the host; (2) installing a network sniffer; (3) using a network sniffer to capture sensitive data such as network credentials; (4) using network credentials to compromise additional hosts. Network sniffing: the ability of an attacker to eavesdrop on communications between network hosts.
  • 42. To reduce the threat of network sniffing attacks on your network, consider the following: use encryption to protect data; use switches instead of hubs; secure core network devices; use crossover cables; develop policy; conduct regular scans.
  • 43. Common ways that attackers avoid detection include: flooding log files; using logging mechanisms; attacking detection mechanisms; using canonicalization attacks; using decoys.
  • 44. Common ways that attackers avoid detection after an attack include: installing rootkits; tampering with log files.
  • 45. Avoidance technique: countermeasures
      Flooding log files: back up log files before they are overwritten
      Using logging mechanisms: ensure that your logging mechanism is using the most updated version of software and all updates
      Using canonicalization attacks: ensure that applications normalize data to its canonical form
      Using decoys: secure the end systems and networks being attacked
      Using rootkits: implement defense-in-depth strategies
  • 46. Planning Security Assessments; Gathering Information About the Target; Penetration Testing for Intrusive Attacks; Case Study: Assessing Network Security for Target.
  • 47. Project goal: LON-SRV1 will be scanned for the following vulnerabilities and will be remediated as stated. Vulnerability / Remediation: Network Scan / Require developers to fix network-based applications; Guest account enabled / Disable guest account; RPC-over-DCOM vulnerability / Network Vulnerability Scan.
  • 48. The tools that will be used for the Target security assessment include the following: Nmap, GFI LanGuard, Nessus, Wireshark, Netcut, Metasploit, Hydra, Ettercap-NG, etc.
  • 49. Significant, timely, and relevant vulnerability checks available. It’s easy to write your own checks that are not available. Engine requires a Linux server; client can be Linux or Microsoft Windows based. Intelligent, assumes little, but uses what it learns as it scans. Vendor neutral, so nothing is “sugar coated” and recommended fixes don’t point you towards their products.
  • 50. Nmap is a free, open source tool that quickly and efficiently performs ping sweeps, port scanning, service identification, IP address detection, and operating system detection. Nmap has the benefit of scanning a large number of machines in a single session. It’s supported by many operating systems, including Unix, Windows, and Linux. The state of the port as determined by an Nmap scan can be open, filtered, or unfiltered. Open means that the target machine accepts incoming requests on that port. Filtered means a firewall or network filter is screening the port and preventing Nmap from discovering whether it’s open. Unfiltered means the port is determined to be closed, and no firewall or filter is interfering with the Nmap requests. Nmap supports several types of scans. Table 3.2 details some of the common scan methods.
  • 51. Simple Netcat connection between a Linux and Microsoft Windows machine.
  • 52. Similar to dsniff, Ettercap seems to be a little bit more versatile and up to date.
  • 53. Perform port scanning using Nmap. Use Nmap and Nessus to perform a vulnerability scan. Determine buffer overflow vulnerabilities. Use the Microsoft Baseline Security Analyzer to perform a vulnerability scan. Hydra can perform rapid dictionary attacks against more than 30 protocols, including telnet, FTP, HTTP, HTTPS and much more.
  • 54. Answer the following questions to complete the report: What risk does the vulnerability present? What is the source of the vulnerability? What is the potential impact of the vulnerability? What is the likelihood of the vulnerability being exploited? What should be done to mitigate the vulnerability? Where should the mitigation be done? Who should be responsible for implementing the mitigations?
  • 55. Plan your security assessment to determine scope and goals. Educate users to use strong passwords or pass-phrases. Assume that the attacker already knows the exact operating system and version and take as many steps as possible to secure those systems. Keep systems up-to-date on security updates and service packs.
  • 56. Find additional security training events: http://www.microsoft.com/ireland/events/default.asp. Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx. Find additional e-learning clinics: https://www.microsoftelearning.com/security/. Refer to Assessing Network Security.
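Slide 45 gives "normalize data to its canonical form" as the countermeasure for canonicalization attacks. The following is an added example, not part of the original slides: it compares a rule that inspects the raw request path with a check that canonicalizes first. The document root, function names and sample paths are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/srv/www"                  # assumed document root (hypothetical)
LITERAL_RULE = re.compile(r"\.\./")    # signature that knows only one spelling

def canonicalize(raw_path, max_rounds=5):
    """Reduce a request path to a single canonical spelling."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)        # peel one layer of percent-encoding
        if decoded == path:
            break
        path = decoded
    else:
        # The path changed on every pass: refuse rather than guess.
        raise ValueError("too many encoding layers")
    return path.replace("\\", "/")     # one separator, not two

def literal_match(raw_path):
    """Check the raw string, as a rule applied before normalization would."""
    return bool(LITERAL_RULE.search(raw_path))

def escapes_root(raw_path):
    """Canonicalize first, then decide on the resolved location."""
    relative = canonicalize(raw_path).lstrip("/")
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, relative))
    return not (resolved == WEB_ROOT or resolved.startswith(WEB_ROOT + "/"))

# Constructed request paths, not taken from any real log.
SAMPLES = [
    "/images/logo.png",
    "/docs/../images/logo.png",
    "/../../outside.txt",
    "/%2e%2e/%2e%2e/outside.txt",
    "/%252e%252e%252f%252e%252e%252foutside.txt",
    "/..\\..\\outside.txt",
]

def compare(paths=SAMPLES):
    """Return (path, literal rule fired, path leaves the root) per sample."""
    return [(p, literal_match(p), escapes_root(p)) for p in paths]

if __name__ == "__main__":
    for path, literal, escaped in compare():
        print(f"{path!r:50} literal_rule={literal!s:5} escapes_root={escaped}")
```

The literal rule fires on a harmless path that stays inside the root and stays silent on the encoded and backslash spellings; the canonical check gives one answer per resolved location.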
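For the Nmap port states described on slide 50, an added example that is not part of the original slides: it parses Nmap's grepable output (`-oG`) and reports open ports that are not on an approved list, plus filtered ports that need follow-up. The sample output, host names, addresses and approved list are constructed assumptions.

```python
# Constructed sample in Nmap's grepable (-oG) layout; the addresses come from
# the documentation range and do not describe a real scan.
SAMPLE_OG = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (lon-srv1.example)\tStatus: Up\n"
    "Host: 192.0.2.10 (lon-srv1.example)\tPorts: 80/open/tcp//http///, "
    "135/open/tcp//msrpc///, 445/filtered/tcp//microsoft-ds///\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\n"
)

# Assumed baseline: the ports each host is supposed to expose.
APPROVED = {"192.0.2.10": {"80/tcp"}, "192.0.2.11": {"22/tcp"}}

def parse_grepable(text):
    """Return {host: {"port/proto": state}} from grepable output."""
    scan = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                          # comment lines start with '#'
        fields = line.split("\t")             # fields are tab-separated
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                      # e.g. the "Status:" field
            for entry in field[len("Ports:"):].split(","):
                # Each entry begins port/state/protocol/...
                port, state, proto = entry.strip().split("/")[:3]
                scan.setdefault(host, {})[f"{port}/{proto}"] = state
    return scan

def by_state(scan, state):
    """List the ports in a given state for every host."""
    return {host: sorted(p for p, s in ports.items() if s == state)
            for host, ports in scan.items()}

def unexpected_open(scan, approved):
    """Open ports that the baseline does not allow, per host."""
    findings = {}
    for host, ports in scan.items():
        extra = sorted(p for p, s in ports.items()
                       if s == "open" and p not in approved.get(host, set()))
        if extra:
            findings[host] = extra
    return findings

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    print("unexpected open:", unexpected_open(scan, APPROVED))
    print("filtered (verify from inside the filter):", by_state(scan, "filtered"))
```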