04 - Network Security Technologies-7.11.2022


UCCN 1213

Chapter 4 Network Security


Protocols
 A protocol defines the rules for communication between computers
 Internet protocols are broadly classified as connectionless and connection-oriented
 Connectionless protocol
 Sends data out as soon as there is enough data to be transmitted
 E.g., user datagram protocol (UDP)

04/23/24 Computer Networks 2


Protocols
 Connection-oriented protocol
 Provides a reliable byte stream between two nodes
 Consists of set-up, transmission, and tear-down phases
 Creates a virtual circuit over a packet-switched network
 E.g., transmission control protocol (TCP)


Network Layers
 Network models typically use a stack of layers
 Higher layers use the services of lower layers via encapsulation
 A layer can be implemented in hardware or software
 The bottommost layer must be in hardware
 A network device may implement several layers


Internet Layers (figure)
 End hosts implement all four layers: Application, Transport, Network, Link
 Intermediate nodes (routers) implement only the Network and Link layers
 The Link layer runs over a physical medium such as Ethernet, Wi-Fi or fiber optics (Physical Layer)
Encapsulation
 A packet typically consists of
 Control information for addressing and handling the packet: a header and, in some layers, a footer or trailer
 The data carried by the packet, called the payload
 Each layer treats the whole packet of the layer above it (header included) as its payload
Figure: Header | Payload | Footer or trailer


TCP Header (figure)
Internet Packet Encapsulation (figure)
 Application layer: application packet
 Transport layer: TCP header | TCP data (the application packet)
 Network layer: IP header | IP data (the TCP segment)
 Link layer: frame header | frame data (the IP packet) | frame footer
 So a data link frame carries an IP packet, which carries a TCP or UDP packet, which carries the application packet
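The encapsulation chain above, as an added example that is not part of the original slides: it builds an Ethernet/IPv4/TCP frame around a small application payload with Python's struct module, computes the RFC 1071 IP header checksum, and parses the frame back layer by layer, rejecting a header whose checksum no longer matches. The MAC and IP addresses are constructed for the example (the source OUI reuses the ASUSTek prefix from the MAC address slide); the TCP checksum is left at zero to keep the focus on framing.

```python
import struct

# Constructed sample addresses for this example (not taken from the slides).
SRC_MAC = bytes.fromhex("001a92d4bf86")   # OUI 00-1A-92, the ASUSTek example on the MAC slide
DST_MAC = bytes.fromhex("00000c07ac00")
SRC_IP = "128.148.31.15"
DST_IP = "128.148.32.110"

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(payload: bytes, src_port: int, dst_port: int, seq: int, flags: int) -> bytes:
    """Wrap an application payload in TCP, then IP, then Ethernet (FCS omitted)."""
    # Transport layer: 20-byte TCP header (data offset 5 words); TCP checksum left 0 for brevity
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, flags, 65535, 0, 0)
    tcp_segment = tcp_header + payload
    # Network layer: 20-byte IPv4 header, checksum computed over the header only
    total_len = 20 + len(tcp_segment)
    ip_fields = [0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                 ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP)]   # 0x4000 = Don't Fragment
    ip_fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *ip_fields))
    ip_packet = struct.pack("!BBHHHBBH4s4s", *ip_fields) + tcp_segment
    # Link layer: Ethernet II header (destination MAC, source MAC, EtherType)
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def parse_frame(frame: bytes) -> dict:
    """Peel the layers back off, checking the IP header checksum on the way."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip_packet = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip_packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Summing a correct header, checksum field included, must give zero
    if ip_checksum(ip_packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    segment = ip_packet[ihl:total_len]
    (src_port, dst_port, seq, _ack, off_res, flags,
     _win, _tcsum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "ttl": ttl, "proto": proto,
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "flags": flags,
        "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.0\r\n", 40000, 80, 1000, TCP_SYN)
    print(len(frame), "bytes on the wire:", frame.hex())
    print(parse_frame(frame))
```

A router that decrements the TTL must recompute the header checksum; the parser above rejects a frame whose TTL was changed without doing so, which is the same check every IP stack performs before looking at the payload.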


The OSI Model
 The OSI (Open Systems Interconnection) Reference Model is a network model consisting of seven layers
 Published in 1984 as ISO 7498, OSI is promoted by the International Organization for Standardization (ISO)


Network Interfaces
 Network interface: device connecting a
computer to a network
 Ethernet card
 WiFi adapter
 A computer may have multiple network
interfaces
 Packets transmitted between network interfaces



Network Interfaces
 Most local area networks (including Ethernet and WiFi) broadcast frames on a shared medium
 In regular mode, each network interface passes up only the frames intended for it
 Traffic sniffing can be accomplished by configuring the network interface to read all frames (promiscuous mode)
 On a switched Ethernet a port normally receives only its own unicast traffic, so a sniffer there also needs a switch mirror port or ARP spoofing (see below) to see other hosts' frames


MAC Addresses
 Most network interfaces come with a predefined MAC address
 A MAC address is a 48-bit number usually represented in hex
 E.g., 00-1A-92-D4-BF-86
 The first three octets of any MAC address are an IEEE-assigned Organizationally Unique Identifier (OUI)
 E.g., Cisco 00-1A-A1, D-Link 00-1B-11, ASUSTek 00-1A-92
 The remaining three octets are assigned by the organization as it pleases, with uniqueness being the only constraint


MAC Addresses
 Organizations can utilize MAC addresses to identify computers on their network
 A MAC address can be reconfigured by the network interface driver software, so it is not a trustworthy identity (see MAC spoofing below)


Switch
 A switch is a common network device
 Operates at the link layer
 Has multiple ports, each connected to a computer
 Operation of a switch
 Learns the MAC address of each computer connected to it (from the source address of the frames it receives on each port)
 Forwards frames only to the port of the destination computer


Combining Switches
 Switches can be arranged into a tree
 Each port learns the MAC addresses of the machines in the segment (subtree) connected to it
 Frames to unknown MAC addresses are flooded out of every port except the one they arrived on
 Frames to MAC addresses in the same segment as the sender are not forwarded to other ports


MAC Address Filtering
 A switch can be configured to provide service only to machines with specific MAC addresses
 Allowed MAC addresses need to be registered with a network administrator
 Because a MAC address is set by driver software, filtering alone is defeated by MAC spoofing (next slide)


MAC Address Security
 A MAC spoofing attack impersonates a legitimate machine in a network
 Find out the MAC address of the target machine
 Reconfigure the MAC address of the rogue machine to match
 Turn off or unplug the target machine
 Countermeasures
 Block the switch port when the machine is turned off or unplugged
 Disallow duplicate MAC addresses (port security)


Port Security configuration (Cisco Switch)
Switch(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
A typical complete configuration for an access port (one learned address, port shut down on violation):
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation shutdown
ARP
 The address resolution protocol (ARP) converts IP addresses to MAC addresses
 ARP works by broadcasting requests and caching responses for future use
 The protocol begins with a computer broadcasting a message of the form
who has <IP address1> tell <IP address2>
 When the machine with <IP address1> (or a router doing proxy ARP on its behalf) receives this message, it replies, unicast to the requester's MAC address,
<IP address1> is at <MAC address>
ARP
 The requester's IP address <IP address2> is contained in the ARP packet header (sender protocol address), so the reply can be addressed to it
 The Linux and Windows command arp -a displays the ARP table
Internet Address     Physical Address    Type
128.148.31.1         00-00-0c-07-ac-00   dynamic
128.148.31.15        00-0c-76-b2-d7-1d   dynamic
128.148.31.71        00-0c-76-b2-d0-d2   dynamic
128.148.31.75        00-0c-76-b2-d7-1d   dynamic
128.148.31.102       00-22-0c-a3-e4-00   dynamic
128.148.31.137       00-1d-92-b6-f1-a9   dynamic
 Note that 128.148.31.15 and 128.148.31.75 resolve to the same MAC address in this table; one interface legitimately holding two IP addresses looks exactly like the pattern ARP-spoof detectors flag (see ARP watch below)


ARP Request (Wireshark capture, figure)
ARP Spoofing
 The ARP table is updated whenever an ARP response is received
 Requests are not tracked
 ARP announcements are not authenticated
 Machines trust each other
 A rogue machine can spoof other machines


ARP Poisoning (ARP Spoofing)
 An ARP cache updates every time it receives an ARP reply, even if it did not send any ARP request!
 It is possible to "poison" an ARP cache by sending unsolicited (gratuitous) ARP replies
 Using static ARP entries solves the problem but is almost impossible to manage at scale; on managed switches, Dynamic ARP Inspection (DAI) validates ARP replies against DHCP snooping bindings instead


ARP Spoofing vs. ARP Poisoning
 ARP Spoofing: the attacker sends fake ARP packets that link the attacker's MAC address with the IP address of a computer already on the LAN.
 ARP Poisoning: the result of successful ARP spoofing, in which the victims' ARP tables now contain the falsified MAC mappings. The false entries spread to every host that accepts them.
ARP Poisoning (ARP Spoofing) (figure)
Normal ARP caches: host 192.168.1.1 (MAC 00:11:22:33:44:01) and host 192.168.1.105 (MAC 00:11:22:33:44:02) exchange
"192.168.1.1 is at 00:11:22:33:44:01" and "192.168.1.105 is at 00:11:22:33:44:02",
so each caches the other's true MAC address and data flows directly between them.
Poisoned ARP caches: the rogue host 192.168.1.106 (MAC 00:11:22:33:44:03) sends
"192.168.1.105 is at 00:11:22:33:44:03" to 192.168.1.1 and "192.168.1.1 is at 00:11:22:33:44:03" to 192.168.1.105.
Both caches now map the other party's IP address to the rogue MAC, so all data between them passes through the rogue host (man-in-the-middle).
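The normal exchange and the poisoning shown in the two diagrams above, as an added example that is not code from the slides: ARP frames are encoded as RFC 826 lays them out, and each host keeps the cache behaviour the slides describe, answering requests for its own address and accepting any reply without checking that it asked. The IP and MAC addresses are the diagram's; the Host class and the simulate() function are this example's own.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = bytes.fromhex("ffffffffffff")

# Addresses from the slide's diagram
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", bytes.fromhex("001122334401")
VICTIM_IP, VICTIM_MAC = "192.168.1.105", bytes.fromhex("001122334402")
ROGUE_IP, ROGUE_MAC = "192.168.1.106", bytes.fromhex("001122334403")


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_arp(op: int, sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet).
    Requests go to the broadcast MAC; replies are unicast to the target."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth_header = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,            # HTYPE Ethernet, PTYPE IPv4, HLEN, PLEN, OPER
                      sender_mac, ip4(sender_ip),     # SHA, SPA
                      target_mac, ip4(target_ip))     # THA, TPA
    return eth_header + arp


def parse_arp(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sha": sha, "spa": ".".join(map(str, spa)),
            "tha": tha, "tpa": ".".join(map(str, tpa))}


class Host:
    """A host with the ARP behaviour the slides describe: it answers requests for its
    own address and accepts ANY reply into its cache, solicited or not."""

    def __init__(self, ip: str, mac: bytes):
        self.ip, self.mac, self.cache = ip, mac, {}

    def receive(self, frame: bytes):
        pkt = parse_arp(frame)
        if pkt["op"] == ARP_REPLY:
            self.cache[pkt["spa"]] = pkt["sha"]       # no check that we asked, no authentication
            return None
        if pkt["op"] == ARP_REQUEST and pkt["tpa"] == self.ip:
            # "<my IP> is at <my MAC>", unicast back to whoever asked
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["sha"], pkt["spa"])
        return None

    def next_hop_mac(self, dst_ip: str) -> bytes:
        return self.cache[dst_ip]


def simulate() -> dict:
    """Normal resolution between gateway and victim, then poisoning by the rogue host."""
    gateway, victim = Host(GATEWAY_IP, GATEWAY_MAC), Host(VICTIM_IP, VICTIM_MAC)

    # who has 192.168.1.105? tell 192.168.1.1  ->  192.168.1.105 is at 00:11:22:33:44:02
    gateway.receive(victim.receive(build_arp(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, bytes(6), VICTIM_IP)))
    # who has 192.168.1.1? tell 192.168.1.105  ->  192.168.1.1 is at 00:11:22:33:44:01
    victim.receive(gateway.receive(build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, bytes(6), GATEWAY_IP)))
    before = (gateway.next_hop_mac(VICTIM_IP), victim.next_hop_mac(GATEWAY_IP))

    # Poisoning: two unsolicited replies, one to each side, both claiming the rogue MAC
    gateway.receive(build_arp(ARP_REPLY, ROGUE_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    victim.receive(build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    after = (gateway.next_hop_mac(VICTIM_IP), victim.next_hop_mac(GATEWAY_IP))
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, (gw_view, victim_view) in simulate().items():
        print(phase, "gateway thinks victim is", gw_view.hex(":"), "| victim thinks gateway is", victim_view.hex(":"))
```

After the two forged replies both hosts send each other's traffic to the rogue MAC; the rogue host only has to forward frames onward (with IP forwarding enabled) for the victims to notice nothing.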
Telnet Protocol (RFC 854)
 Telnet is a protocol that provides a general, bi-directional, unencrypted communication channel
 telnet is a generic TCP client
 Allows a computer to connect to another one
 Provides remote login capabilities to computers on the Internet
 Sends whatever you type
 Prints whatever comes back
 Credentials and session contents are therefore visible to any sniffer on the path


Wireshark
 Wireshark is a packet sniffer and protocol analyzer
 • Captures and analyzes frames
 • Supports plugins
 Capturing usually requires administrator (root) privileges, because opening an interface for raw capture is a privileged operation
 Setting the network interface in promiscuous mode captures all traffic that reaches the interface, not just frames addressed to the machine; on a shared medium (hub, Wi-Fi channel) that is the entire LAN segment, on a switched LAN only what the switch forwards to that port
 Freely available on www.wireshark.org


Wireshark window (figure)
 menu
 main toolbar
 filter toolbar
 packet list pane
 packet details pane
 packet bytes pane
 status bar
Networks: IP and TCP

Internet Protocol (figure: a data link frame carrying an IP packet carrying a TCP or UDP packet)
IP Addresses and Packets
 IP addresses
 IPv4: 32-bit addresses
 IPv6: 128-bit addresses
 Address subdivided into network, subnet, and host
 E.g., 128.148.32.110
 Broadcast addresses
 E.g., 128.148.32.255
 Private networks (RFC 1918), not routed outside of a LAN
 10.0.0.0/8
 172.16.0.0/12
 192.168.0.0/16
 IP header includes
 Source address
 Destination address
 Packet length (up to 64KB)
 Time to live (up to 255)
 IP protocol version
 Fragmentation information
 Transport layer protocol information (e.g., TCP)
Figure: IPv4 header layout (version, length, fragmentation info, TTL, protocol, source, destination)
IP Address Space and ICANN
 Hosts on the internet must have unique IP addresses
 Internet Corporation for Assigned Names and Numbers (ICANN)
 International nonprofit organization
 Incorporated in the US
 Allocates IP address space (through IANA and the regional Internet registries)
 Manages top-level domains
 Historical bias in favor of US corporations and nonprofit organizations
 Examples of early /8 allocations
003/8 May 94 General Electric
009/8 Aug 92 IBM
012/8 Jun 95 AT&T Bell Labs
013/8 Sep 91 Xerox Corporation
015/8 Jul 94 Hewlett-Packard
017/8 Jul 92 Apple Computer
018/8 Jan 94 MIT
019/8 May 95 Ford Motor
040/8 Jun 94 Eli Lilly
043/8 Jan 91 Japan Inet
044/8 Jul 92 Amateur Radio Digital
047/8 Jan 91 Bell-Northern Res.
048/8 May 95 Prudential Securities
054/8 Mar 92 Merck
055/8 Apr 95 Boeing
056/8 Jun 94 U.S. Postal Service
IP Routing
 A router connects two or more networks
 Operates at the network layer
 Maintains tables to forward packets to the appropriate network
 Forwarding decisions based solely on the destination address
 Routing table
 Maps ranges of addresses (prefixes) to directly attached LANs or to next-hop gateway routers
Internet Routes
 Internet Control Message Protocol (ICMP)
 Works side-by-side with the Internet Protocol
 Simple messages encapsulated in single IP packets
 Used for sending and responding to network layer messages (errors and diagnostics)
 Tools based on ICMP
 Ping: sends a series of echo request messages and provides statistics on round-trip times and packet loss
 Traceroute: sends a series of probes (ICMP echo requests on Windows, UDP datagrams by default on Unix) with increasing TTL values; each router that discards an expired probe returns an ICMP Time Exceeded message, which reveals the route hop by hop
ICMP Attacks
 Ping of death
 IP specifies that a datagram, ICMP message included, must fit in a single IP packet (64KB, i.e. 65,535 bytes)
 Send a ping whose fragments reassemble to more than the maximum size, using IP fragmentation
 The reassembled packet caused several (1990s-era) operating systems to crash due to a buffer overflow in the reassembly code
 Smurf
 A denial-of-service attack that sends ICMP echo requests to a network's broadcast address with the source address spoofed to the victim's; every host on that network then replies to the victim
Smurf Attack (figure)
 The attacker sends an echo request to the broadcast address of an amplifying network, with the source address spoofed to the victim's
 Every host on the amplifying network sends an echo response to the victim, which receives one reply per host for each request the attacker sent
Denial of Service Attack
 Send a large number of packets to a host providing a service
 Slows down or crashes the host
 Often executed by a botnet
 Attack propagation
 Starts at zombies
 Travels through a tree of internet routers rooted at the victim
 Ends at the victim
 IP source spoofing
 Hides the attacker
 Scatters return traffic from the victim
 Examples
 ping 10.10.10.1 -l 70000 (the -l option sets the payload size; an oversized echo request as in the ping of death; current ping clients refuse sizes above the IP maximum, e.g. Windows caps -l at 65500)
 ping to a broadcast address
 ping from multiple sources
Source: M.T. Goodrich, Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking 16:1, 2008.
IP Vulnerabilities
 Unencrypted transmission
 Eavesdropping possible at any intermediate host during routing
 No source authentication
 Sender can spoof the source address, making it difficult to trace a packet back to the attacker
IP Vulnerabilities
 No integrity checking (the header checksum only detects accidental corruption and is trivially recomputed)
 The entire packet, header and payload, can be modified while en route to the destination, enabling content forgeries, redirections, and man-in-the-middle attacks
 No bandwidth constraints
 A large number of packets can be injected into the network to launch a denial-of-service attack
 Broadcast addresses provide additional leverage (amplification)
Packet Sniffers
 Packet sniffers "read" information traversing a network
 Packet sniffers intercept network packets, on switched networks possibly with the help of ARP cache poisoning
 Can be used as legitimate tools to analyze a network
 Monitor network usage
 Filter network traffic
 Analyze network problems
 Can also be used maliciously
 Steal information (e.g., passwords, conversations, etc.)
 Analyze network information to prepare an attack
Detecting Sniffers
 Sniffers are almost always passive
 They simply collect data
 They do not attempt "entry" to "steal" data
 This can make them extremely hard to detect
 Most detection methods require suspicion that sniffing is occurring
 Then some sort of "ping" of the sniffer is necessary
 It should be a probe that only a sniffer responds to, e.g. an ICMP echo request sent in a frame whose destination MAC address belongs to no host: a normally configured interface discards the frame, but a host in promiscuous mode passes it up the stack and replies
Detecting Sniffers
 Another solution on switched networks is ARP watch (e.g. the arpwatch tool)
 An ARP watch monitors ARP traffic and records the IP-to-MAC mapping of each machine
 If a mapping changes, or one MAC address answers for several IP addresses, raise an alarm
 Problem: false alarms (legitimate changes such as a replaced network card or a DHCP lease moving to another host look the same)
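An ARP-watch detector of the kind described on this slide, as an added example (not the arpwatch tool itself and not code from the slides): it replays a constructed list of observed ARP replies, using the MAC addresses from the poisoning diagram, and raises the same kinds of events arpwatch does. The replaced network card at the end is the false alarm the slide warns about: the detector cannot tell it from an attack, which is why the events are graded instead of all being treated as intrusions. The event names and the flip-flop window are this example's own.

```python
from collections import defaultdict


def arp_watch(observations, flipflop_window: float = 120.0) -> list:
    """Replay (time, ip, mac) tuples taken from ARP replies and emit arpwatch-style events:
      new station               first time an IP address is seen
      changed ethernet address  the IP now answers from a different MAC
      flip flop                 the IP bounced back to a MAC it used within flipflop_window
                                seconds (what poisoning looks like while the real host still
                                answers requests)
      mac claims multiple ips   one MAC is the current owner of several IP addresses
    """
    current = {}                       # ip -> mac currently believed
    history = defaultdict(list)        # ip -> [(time, mac), ...]
    events = []
    for t, ip, mac in observations:
        history[ip].append((t, mac))
        if ip not in current:
            current[ip] = mac
            events.append((t, "new station", ip, mac))
            continue
        if mac != current[ip]:
            recent = [m for (seen_at, m) in history[ip][:-1] if t - seen_at <= flipflop_window]
            kind = "flip flop" if mac in recent else "changed ethernet address"
            events.append((t, kind, ip, mac))
            current[ip] = mac
    owners = defaultdict(set)
    for ip, mac in current.items():
        owners[mac].add(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            events.append((None, "mac claims multiple ips", sorted(ips), mac))
    return events


# Constructed sample of observed ARP replies (time in seconds, IP, MAC); MACs follow the slide's diagram
SAMPLE_REPLIES = [
    (0.0,    "192.168.1.1",   "00:11:22:33:44:01"),   # gateway
    (0.5,    "192.168.1.105", "00:11:22:33:44:02"),   # victim
    (1.0,    "192.168.1.50",  "00:11:22:33:44:aa"),   # an unrelated host
    (100.0,  "192.168.1.1",   "00:11:22:33:44:03"),   # rogue claims the gateway
    (110.0,  "192.168.1.1",   "00:11:22:33:44:01"),   # real gateway answers a request
    (120.0,  "192.168.1.1",   "00:11:22:33:44:03"),   # rogue re-poisons
    (125.0,  "192.168.1.105", "00:11:22:33:44:03"),   # rogue also claims the victim
    (3600.0, "192.168.1.50",  "00:11:22:33:44:bb"),   # replaced NIC: a legitimate change that still alerts
]

if __name__ == "__main__":
    for event in arp_watch(SAMPLE_REPLIES):
        print(event)
```

The flip-flop pattern and one MAC owning several addresses are the strong signals; a single "changed ethernet address" on its own is exactly the case an operator has to investigate by hand.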
Stopping Packet Sniffing
 The best way is to encrypt packets securely
 Sniffers can capture the packets, but they are meaningless
 SSH is also a much more secure method of connection than telnet
 Public/private key pairs authenticate the server (and optionally the user) and protect the key exchange; the session itself is encrypted with a symmetric cipher, which makes sniffing virtually useless
 On switched networks, almost all sniffing attacks will be via ARP spoofing
 Add machines to a permanent (static) store in the ARP cache
 This store cannot be modified via an unsolicited reply
 Thus, a sniffer cannot redirect an address to itself
Unencrypted Telnet Session (figure): the telnet password is readable in the capture
SSH Session (figure): the SSH session contents are encrypted
Stopping Packet Sniffing
 The best security is to not let them in in the first place
 Sniffers need to be on your LAN segment (or on the wireless channel) in the first place
 All sniffers need administrator or root privileges at some point to put the interface into promiscuous mode, so limiting privileged access limits sniffing
Firewalls, Tunnels, and
Network Intrusion Detection

Firewalls
 A firewall is an integrated collection of security
measures designed to prevent unauthorized
electronic access to a networked computer system.
 A network firewall is similar to firewalls in building
construction, because in both cases they are
intended to isolate one "network" or "compartment"
from another.

Firewall Policies
 To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies.
Figure: trusted internal network | firewall policies | untrusted Internet
Policy Actions
 Packets flowing through a firewall can have one of three outcomes:
 Accepted: permitted through the firewall
 Dropped: not allowed through with no indication of failure
 Rejected: not allowed through, accompanied by an attempt to
inform the source that the packet was rejected
 Policies used by the firewall to handle packets are based on several
properties of the packets being inspected, including the protocol used,
such as:
 TCP or UDP
 the source and destination IP addresses
 the source and destination ports
 the application-level payload of the packet (e.g., whether it
contains a virus).

Blacklists and White Lists
 There are two fundamental approaches to
creating firewall policies (or rulesets) to
effectively minimize vulnerability to the outside
world while maintaining the desired functionality
for the machines in the trusted internal network
(or individual computer).
 Whitelist approach
 A safer approach to defining a firewall ruleset
is the default-deny policy, in which packets are
dropped or rejected unless they are
specifically allowed by the firewall.

Blacklists and White Lists
 Blacklist approach
 All packets are allowed through except those
that fit the rules defined specifically in a
blacklist.
 This type of configuration is more flexible in
ensuring that service to the internal network is
not disrupted by the firewall, but is naïve from
a security perspective in that it assumes the
network administrator can enumerate all of the
properties of malicious traffic.

Configuring Standard and Extended IPv4 ACLs with CLI

Introduction to Access Control Lists
 Access Control Lists (ACLs) are widely used for mitigating network attacks and controlling network traffic
 Parameters used in security-related ACLs involve IPv4 and IPv6 addresses, and TCP and UDP port numbers.
Standard and Extended Numbered IP ACLs
 ACLs numbered 1–99 or 1300–1999 are standard ACLs; they filter on the source IP address only.
 ACLs numbered 100–199 or 2000–2699 are extended ACLs.
 Extended ACLs filter IP packets based on:
 Source and destination IP addresses
 Source and destination TCP and UDP ports
 Protocol type
 Standard and Extended ACLs are:
 Applied on an interface using the ip access-group command.
 Applied on a VTY port using the access-class command.
 Entries are evaluated top to bottom and the first match wins; every ACL ends with an implicit deny any.
Configuring Standard and Extended IPv4 ACLs with CLI

Standard and Extended Named IP ACLs
Router(config)# ip access-list [standard | extended] name_of_ACL
Standard Named IP ACL example: (figure)
Extended Named IP ACL example: (figure)
Configuring Standard and Extended IPv4 ACLs with CLI

Standard ACL Example
All traffic from subnet 172.16.4.0 must be denied access to another subnet, but all other traffic should be permitted
R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# interface FastEthernet 0/0
R1(config-if)# ip access-group 1 out
The wildcard mask 0.0.0.255 means "ignore the last octet", so the deny entry matches 172.16.4.0 to 172.16.4.255. The permit any is required because of the implicit deny at the end of every ACL.
Standard ACLs are placed as close to the destination as possible: they see only the source address, so placing one near the source would block that source everywhere
Configuring Standard and Extended IPv4 ACLs with CLI

Extended ACL Example
FTP traffic from one subnet must be denied on another subnet.
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any
Port 21 is the FTP control connection and port 20 the active-mode data connection; passive-mode FTP data connections use ports negotiated at run time and are not caught by this ACL.
Extended ACLs are placed as close to the source as possible, so unwanted traffic is dropped before it consumes bandwidth
ACL for Security

Access control using ACL to block ICMP
R3(config)# access-list 100 deny icmp any any
R3(config)# access-list 100 permit ip any any

Access control using ACL to block http
R3(config)# access-list 120 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 80

Access control using ACL to block ftp
R3(config)# access-list 120 deny tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 21
R3(config)# access-list 120 permit ip any any

The deny entries alone would block everything, because of the implicit deny at the end of the list; the permit ip any any lets all other traffic through. A wildcard of 0.0.0.255 ignores the host octet, so 192.168.2.1 0.0.0.255 and 192.168.2.0 0.0.0.255 match the same network; IOS stores the latter.
ACL for Security
 Mitigating spoofing with an ACL (applied inbound on the Internet-facing interface: packets arriving from outside should never carry private, loopback or multicast source addresses)
 R3(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
 R3(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
 R3(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
 R3(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
 R3(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
 R3(config)# access-list 100 permit ip any any
 Permitting necessary traffic through a firewall (everything not listed is dropped by the implicit deny)
 R1(config)# access-list 120 permit udp any host 192.168.1.3 eq domain
 R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq smtp
 R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq ftp
 R1(config)# access-list 120 deny tcp any host 192.168.1.3 eq 443
 R1(config)# access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
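How a router actually evaluates the ACLs on the preceding slides, as an added example (not IOS code and not from the slides): a small Python evaluator for the numbered access-list syntax used above, with IOS wildcard-mask matching, first-match semantics and the implicit deny at the end of every list. The ACL text is copied from the slides; the packets it is tested against, the dictionary layout for a packet and the port-name table are this example's own assumptions.

```python
import ipaddress

NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
               "domain": 53, "www": 80, "https": 443}
ANY = (0, 0xFFFFFFFF)          # address 0.0.0.0 with wildcard 255.255.255.255


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens: list, i: int):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' | 'A.B.C.D' (standard-ACL shorthand for host)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return (addr, int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2
    return (addr, 0), i + 1


def _parse_port(tokens: list, i: int):
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """Parse one numbered 'access-list N permit|deny ...' line (a leading 'R1(config)# ' is ignored)."""
    t = line.split("#")[-1].split()
    number, action = int(t[1]), t[2]
    extended = 100 <= number <= 199 or 2000 <= number <= 2699
    ace = {"number": number, "action": action, "proto": "ip",
           "sport": None, "dport": None, "established": False}
    i = 3
    if extended:
        ace["proto"] = t[i]
        i += 1
        ace["src"], i = _parse_addr(t, i)
        ace["sport"], i = _parse_port(t, i)
        ace["dst"], i = _parse_addr(t, i)
        ace["dport"], i = _parse_port(t, i)
        ace["established"] = "established" in t[i:]
    else:                                   # standard ACL: source address only
        ace["src"], i = _parse_addr(t, i)
        ace["dst"] = ANY
    return ace


def wildcard_match(addr: str, spec) -> bool:
    """A wildcard bit of 1 means 'don't care'; compare only the bits where the wildcard is 0."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def ace_matches(ace: dict, pkt: dict) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], ace["src"]) and wildcard_match(pkt["dst"], ace["dst"])):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace["established"] and not pkt.get("flags", 0) & 0x14:   # ACK (0x10) or RST (0x04) set
        return False
    return True


def evaluate(acl_lines: list, pkt: dict) -> str:
    """First matching entry wins; running off the end hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny (implicit)"


# The ACLs from the slides above
ACL_1 = ["R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255",
         "R1(config)# access-list 1 permit any"]
ACL_101 = ["access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
           "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
           "access-list 101 permit ip any any"]
ANTISPOOF_100 = ["access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
                 "access-list 100 deny ip 172.16.0.0 0.15.255.255 any",
                 "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
                 "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
                 "access-list 100 deny ip 224.0.0.0 15.255.255.255 any",
                 "access-list 100 permit ip any any"]
FIREWALL_120 = ["access-list 120 permit udp any host 192.168.1.3 eq domain",
                "access-list 120 permit tcp any host 192.168.1.3 eq smtp",
                "access-list 120 permit tcp any host 192.168.1.3 eq ftp",
                "access-list 120 deny tcp any host 192.168.1.3 eq 443",
                "access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22"]
```

Packets are plain dictionaries with src, dst, proto and optional sport/dport/flags keys. The anti-spoofing list shows why wildcard masks matter: 0.15.255.255 on 172.16.0.0 covers 172.16.0.0 through 172.31.255.255 (a /12), so 172.32.0.1 is permitted while 172.31.255.1 is denied. A request to port 80 on 192.168.1.3 falls off the end of FIREWALL_120 and is dropped by the implicit deny even though no entry mentions it.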
Firewall Types
 packet filters (stateless)
 If a packet matches the packet filter's set of
rules, the packet filter will drop or accept it
 "stateful" filters
 it maintains records of all connections passing
through it and can determine if a packet is
either the start of a new connection, a part of
an existing connection, or is an invalid packet.

Firewall Types
 application layer
 It works like a proxy: it can "understand" certain applications and protocols.
 It may inspect the contents of the traffic, blocking what it views as inappropriate content (e.g., websites, viruses, exploit attempts, ...)
Stateless Firewalls
 A stateless firewall doesn't maintain any remembered context (or "state") with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously.
Figure: three-way handshake between a client on the trusted internal network and a server, through the firewall
 Client -> Server: SYN, Seq = x, destination port = 80
 Server -> Client: SYN-ACK, Seq = y, Ack = x + 1
 Client -> Server: ACK, Seq = x + 1, Ack = y + 1
Firewall rules:
 Allow outbound SYN packets, destination port = 80
 Allow inbound SYN-ACK packets, source port = 80
Stateless Restrictions
 Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.
Figure: an attacker outside sends a SYN (Seq = y, port 80) toward a client on the trusted internal network; the firewall blocks it
Firewall rules:
 Allow outbound SYN packets, destination port = 80
 Drop inbound SYN packets
 Allow inbound SYN-ACK packets, source port = 80
 The last rule still lets an attacker in: any inbound packet with SYN and ACK set and source port 80 is accepted, whether or not anyone inside asked for it
Stateful Firewalls
 Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network.
 Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets.
 Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network.
Stateful Firewall Example
 Allow only requested TCP connections:
Figure: client 128.34.78.55 on the trusted internal network opens a connection to server 76.120.54.101, port 80
 Client -> Server: SYN, Seq = x
 Server -> Client: SYN-ACK, Seq = y, Ack = x + 1
 Client -> Server: ACK, Seq = x + 1, Ack = y + 1
 An attacker's unsolicited SYN-ACK (Seq = y, source port 80) is blocked, because no entry in the state table matches it
Firewall rule: allow outbound TCP sessions, destination port = 80
Firewall state table, established TCP session: (128.34.78.55, 76.120.54.101)
Configuring TCP Established and Reflexive ACLs
TCP Established in Action

R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in
 The first-generation IOS traffic filtering solution to support the two-way nature of TCP virtual circuits was the TCP established keyword for extended IP ACLs.
 The intent is the behaviour of a stateful firewall: when an https request goes out to the server, the https reply is allowed back in. Request followed by reply, as in the three-way handshake SYN -> SYN,ACK -> ACK.
 Block all traffic coming from the Internet except for the TCP reply traffic associated with established TCP traffic initiated from the inside network
 • the reply has https as its source port (the eq 443 before the destination)
 • the reply's destination is the inside network (192.168.1.0 0.0.0.255)
Lab: go to the 192.168.3.1 server and turn on the https service.
 Step 1: Browse the server 192.168.3.1 (https://192.168.3.1) from 192.168.2.1 using the browser at 192.168.2.1
 The browse (https) should work
 Now try to ping from 192.168.2.1 to 192.168.3.1
 The ping should work
 Step 2: R2(config)# access-list 120 permit tcp any eq 443 192.168.2.0 0.0.0.255 established
 R2(config)# access-list 120 deny ip any any
 (the permitted destination is the clients' network, where the replies are going; the ACL is then applied inbound on R2's interface facing the server with ip access-group 120 in)

Stateful Firewall Example (lab results)

Test browsing from 192.168.2.1 to 192.168.3.1 (https://192.168.3.1)
The browsing should work
Test browsing from 192.168.2.1 to 192.168.3.1 (http://192.168.3.1)
The browsing should fail
Only port 443 (https) is allowed. http uses port 80
You can also create a server on the 192.168.2.0 network and try to access its port 443 from outside. It will not work: only replies to https requests that went out are allowed back in. The ping from 192.168.2.1, which worked in step 1, now fails as well, because ICMP replies match nothing but the final deny.

The established keyword forces the router to check whether the TCP ACK or RST control flag is set.
If the ACK flag is set, the TCP traffic is allowed in. If not, it is assumed that the traffic is associated with a new connection initiated from the outside.
Caveat: established checks flags only and keeps no connection table, so it is not truly stateful. An outsider can craft packets with the ACK flag set and source port 443 and they pass this ACL (this is how ACK scans map out filtering rules). Reflexive ACLs and the IOS zone-based firewall are the truly stateful alternatives: they match replies against connections they actually saw leaving.
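The three filtering models discussed above (the stateless rules from the earlier diagrams, the IOS established keyword, and a state table like the slide's), as an added example run over one constructed trace, not code from the slides: the client and server addresses are the slide's, the attacker's address and the three unsolicited packets are assumed. The trace shows what each model lets in: the stateless rule admits a forged SYN-ACK, established also admits an ACK-only probe, and only the state table drops everything nobody inside asked for.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10

CLIENT, SERVER = "128.34.78.55", "76.120.54.101"   # from the slide's diagram
ATTACKER = "203.0.113.9"                           # constructed for this example


def stateless_filter(pkt: dict) -> bool:
    """Rules on the 'Stateless Restrictions' slide: outbound to port 80 allowed,
    inbound SYN-ACK from port 80 allowed, inbound SYN dropped, nothing remembered."""
    if pkt["dir"] == "out":
        return pkt["dport"] == 80
    return pkt["sport"] == 80 and pkt["flags"] == SYN | ACK


def established_filter(pkt: dict) -> bool:
    """IOS 'established' keyword: inbound from port 80 is allowed whenever ACK or RST is set."""
    if pkt["dir"] == "out":
        return pkt["dport"] == 80
    return pkt["sport"] == 80 and bool(pkt["flags"] & (ACK | RST))


class StatefulFilter:
    """Keeps the slide's state table: inbound packets are allowed only if they belong to a
    session an inside host opened (outbound SYN seen) and their flags fit that session."""

    def __init__(self):
        self.sessions = {}     # (client_ip, client_port, server_ip, server_port) -> state

    def __call__(self, pkt: dict) -> bool:
        if pkt["dir"] == "out":
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if pkt["flags"] == SYN and pkt["dport"] == 80:
                self.sessions[key] = "SYN_SENT"
                return True
            return key in self.sessions           # later packets of a known session
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])   # reversed for inbound
        state = self.sessions.get(key)
        if state is None:
            return False                          # nobody inside asked for this
        if state == "SYN_SENT" and pkt["flags"] == SYN | ACK:
            self.sessions[key] = "ESTABLISHED"
            return True
        return state == "ESTABLISHED" and bool(pkt["flags"] & ACK)


# Constructed trace: the slide's handshake, then three packets an attacker sends unasked
TRACE = [
    dict(dir="out", src=CLIENT, sport=40000, dst=SERVER, dport=80, flags=SYN),
    dict(dir="in", src=SERVER, sport=80, dst=CLIENT, dport=40000, flags=SYN | ACK),
    dict(dir="out", src=CLIENT, sport=40000, dst=SERVER, dport=80, flags=ACK),
    dict(dir="in", src=ATTACKER, sport=80, dst=CLIENT, dport=40000, flags=SYN | ACK),  # forged SYN-ACK
    dict(dir="in", src=ATTACKER, sport=80, dst=CLIENT, dport=22, flags=ACK),           # ACK-only probe
    dict(dir="in", src=ATTACKER, sport=80, dst=CLIENT, dport=22, flags=SYN),           # plain SYN
]


def run(filter_fn, trace) -> list:
    return ["allow" if filter_fn(p) else "drop" for p in trace]


def compare(trace=TRACE) -> dict:
    return {"stateless": run(stateless_filter, trace),
            "established": run(established_filter, trace),
            "stateful": run(StatefulFilter(), trace)}


if __name__ == "__main__":
    for model, decisions in compare().items():
        print(f"{model:12s}", decisions)
```

The ACK-only probe (packet 5) is the ACK-scan case: it passes the established filter because the flag test is the only check, while the state table rejects it because no inside host ever opened a connection to that source. A real stateful firewall also tracks sequence numbers and timeouts, which this toy table omits.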
Stateful vs. Stateless Firewall
 Stateful firewalls are capable of monitoring all aspects of network traffic, including the communication channels (connections) and their characteristics; each packet is judged in the context of the connection it belongs to.
 Stateless firewalls use only the values in the packet itself, such as source and destination address, protocol and ports, to check whether any threat is present. Stateless firewalls filter packets based on the individual packets themselves.
Demilitarized zone (DMZ)
 A DMZ is created by providing a semi-protected network zone between the Internet and the internal network.
 The DMZ is delineated with network access controls, such as firewalls or heavily filtered routers.
 Any system that can be directly contacted by an external user should be placed in a DMZ, since it can be attacked.
 Direct access from external systems to sensitive internal systems must be avoided; a compromised DMZ host should not be able to reach them either.
Location of DMZ in isolating internal network (figure)
Systems to place in DMZ (figure)
Systems to place in DMZ
 The DMZ can hold either both internal and external mail servers or a single firewalled mail server.
 Using a web server in the DMZ for receiving user input and an application server for processing it provides protection to the database server, which stays on the internal network.
 All externally accessible systems should be placed in the DMZ.
 The organization's ISP can provide alternate (secondary) DNS services.
DMZ architectures

Single firewall architecture:


 A single firewall can be used to create a DMZ
using a third interface.
 The single firewall becomes a single point of
failure and a potential bottleneck for traffic,
unless in fail-over configuration.
 Single firewall architecture is simple compared
to the router and firewall architecture.

DMZ architectures

Dual firewall architecture:
 Dual firewall architecture uses two firewalls to separate the DMZ from the external and internal networks; the DMZ sits between them, so an attacker must breach both to reach the internal network.
 Dual firewalls increase the cost of the architecture and require additional management and configuration.

Single firewall architecture (figure)
Dual firewall architecture (figure)
IPSec
 IPsec defines a set of protocols (AH for authentication and integrity, ESP for confidentiality with optional authentication, IKE for key exchange) to provide confidentiality, integrity and authenticity for IP packets
 Each protocol can operate in one of two modes, transport mode or tunnel mode.
 In transport mode, the original IP header is kept, the IPsec header is inserted between it and the transport-layer data, and only the payload of the packet is encrypted or authenticated (typically host-to-host).
 In tunnel mode, a new packet is constructed with a new IP header and the IPsec header, and the entire original packet, including its header, is encapsulated as the payload of the new packet (typically gateway-to-gateway VPNs).
Virtual Private Networking (VPN)
 Virtual private networking (VPN) is a
technology that allows private networks to be
safely extended over long physical distances by
making use of a public network, such as the
Internet, as a means of transport.
 VPN provides guarantees of data confidentiality,
integrity, and authentication, despite the use of
an untrusted network for transmission.

Types of VPNs
 Hardware VPN:
 Hardware VPN appliances are network equipment dedicated only to the purpose of VPN.
 Hardware VPN can offer the best performance for organizations and companies relying heavily on VPN to communicate between their different branches.
 Software VPN:
 A typical use of a VPN service is where the user accesses a corporate data network from a home PC across the internet
 The employee installs VPN software on a home PC
 The software is already configured to communicate with the corporate network's VPN endpoint
 The user can then log into the corporate network by using an appropriate authentication and authorization methodology
 Web-based VPN (SSL/TLS VPN):
 Securely connects to the corporate network using a web browser over the Internet.
 A Virtual Private Network (VPN) is a private network that is created via tunneling
over a public network, usually the Internet.
 VPNs have multiple benefits, including:
• Compatibility with broadband technology
• Cost savings
• Security
• Scalability
VPN Topologies

Site-to-Site VPNs
 Created when connection devices on both sides of the VPN
connection are aware of the VPN configuration in advance.
 The VPN remains static and internal hosts have no knowledge
that a VPN exists.
VPN Topologies

Remote-Access VPNs
• Allows for dynamically changing connection information
and can be enabled and disabled when needed.
• Example – A telecommuter’s PC being responsible for
establishing the VPN.
Intrusion Detection Systems
 Intrusion
 Actions aimed at compromising the security of
the target (confidentiality, integrity, availability of
computing/networking resources)
 Intrusion detection
 The identification through intrusion signatures
and report of intrusion activities
 Intrusion prevention
 The process of both detecting intrusion activities
and managing automatic responsive actions
throughout the network

IDS Components
 The IDS manager compiles data from the IDS sensors to determine if an intrusion has occurred.
 This determination is based on a set of site policies, which are rules and conditions that define probable intrusions.
 If an IDS manager detects an intrusion, then it triggers an alert.
Figure: the IDS manager receives data from IDS sensors placed on the router facing the untrusted Internet (outside the firewall) and on the internal routers (inside the firewall)
Intrusions
 An IDS is designed to detect a number of threats, including the following:
 Masquerader: an attacker who is falsely using the identity and/or credentials of a legitimate user to gain access to a computer system or network
 Misfeasor: a legitimate user who performs actions he is not authorized to do
 Clandestine user: a user who tries to block or cover up his actions by deleting audit files and/or system logs
Intrusions
 An IDS is designed to detect automated attacks and threats, including the following:
 Port scans: information gathering intended to determine which ports on a host are open
 Denial-of-service attacks: network attacks meant to overwhelm a host and shut out legitimate accesses
 Malware attacks: self-replicating malicious software attacks
 ARP spoofing: an attempt to redirect IP traffic in a local-area network
 DNS cache poisoning: a pharming attack directed at changing a host's DNS cache
Possible Alarm Outcomes
 Alarms can be sounded (positive) or not (negative)
                     Intrusion Attack    No Intrusion Attack
 Alarm Sounded       True Positive       False Positive
 No Alarm Sounded    False Negative      True Negative


Types of Intrusion Detection Systems
 Rule-Based Intrusion Detection
 Rules identify the types of actions that match certain known profiles for an intrusion attack, in which case the rule encodes a signature for such an attack. Thus, if the IDS manager sees an event that matches the signature for such a rule, it immediately sounds an alarm, possibly even indicating the particular type of attack that is suspected.
Types of Intrusion Detection Systems
 Statistical Intrusion Detection
 A profile is built, which is a statistical representation of the typical ways that a user acts or a host is used; hence, it can be used to determine when a user or host is acting in highly unusual, anomalous ways.
 Once a user profile is in place, the IDS manager can determine thresholds for anomalous behaviors and then sound an alarm any time a user or host deviates significantly from the stored profile for that person or machine.
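The statistical approach described above, together with the alarm outcomes table, as an added example that is not code from the slides: a profile is built from a constructed baseline of failed logins per hour for one account, an observation is flagged when it sits more than a chosen number of standard deviations above the mean, and the detector is scored into true/false positives and negatives at two thresholds. Raising the threshold removes the false positive but cannot catch the slow attack hiding inside normal variation, which is the tuning trade-off the IPS slides later describe. The metric, the data and the thresholds are assumptions of this example.

```python
import statistics


def build_profile(baseline: list) -> dict:
    """Profile of normal behaviour: mean and (population) standard deviation of an observed metric."""
    return {"mean": statistics.mean(baseline), "stdev": statistics.pstdev(baseline)}


def z_score(profile: dict, value: float) -> float:
    if profile["stdev"] == 0:
        return 0.0 if value == profile["mean"] else float("inf")
    return (value - profile["mean"]) / profile["stdev"]


def is_anomalous(profile: dict, value: float, threshold: float) -> bool:
    """Sound the alarm when the observation is more than `threshold` standard deviations above normal."""
    return z_score(profile, value) > threshold


def confusion_matrix(profile: dict, labelled: list, threshold: float) -> dict:
    """Score the detector against (value, is_attack) observations into the slide's four outcomes."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for value, is_attack in labelled:
        alarm = is_anomalous(profile, value, threshold)
        counts[("T" if alarm == is_attack else "F") + ("P" if alarm else "N")] += 1
    return counts


# Constructed data: failed logins per hour for one account over ten quiet hours (mean 4.3, stdev 0.9) ...
BASELINE = [3, 4, 5, 4, 3, 5, 4, 6, 4, 5]
# ... and eight later hours, labelled by hand (True = an attack really happened)
LABELLED = [(4, False), (5, False), (7, False), (6, False),
            (40, True),    # password spraying: far outside the profile
            (9, True),     # a noisier probe
            (5, True),     # a slow attack hiding inside normal variation
            (3, False)]


def tuning_table(thresholds=(2.5, 3.5)) -> dict:
    """Confusion matrix for each candidate threshold; the administrator picks the trade-off."""
    profile = build_profile(BASELINE)
    return {t: confusion_matrix(profile, LABELLED, t) for t in thresholds}


if __name__ == "__main__":
    for threshold, counts in tuning_table().items():
        print(f"threshold {threshold}: {counts}")
```

The busy hour with 7 failures (z = 3.0) is a false positive at 2.5 and a true negative at 3.5; the slow attack at 5 failures is a false negative at both, which no threshold on this single metric can fix.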
Network-Based IPS Implementations

Network IPS Sensors


 Implementation analyzes
network-wide activity
looking for malicious
activity.
 Configured to monitor
known signatures, but can
also detect abnormal traffic
patterns.
 Configured on:
• Dedicated IPS appliances
• ISR routers
• ASA firewall appliances
• Catalyst 6500 network
modules
Tuning IPS Signature Alarms

Tune Signature
 An administrator must balance the number of
incorrect alarms that can be tolerated with the
ability of the signature to detect actual intrusions.
 If IPS systems use untuned signatures, they
produce many false positive alarms.
IPS Alarm in Syslog File (figure)
Defense in Depth
 Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier.
Wireless Networks
 Types of wireless networks
 Infrastructure
 Client machines establish a radio
connection to a special network
device, called access point
 Access points connected to a
wired network, which provides a
gateway to the internet
 Most common type of wireless
network
 Peer-to-peer
 Multiple peer machines connect to
each other
 Typically used in ad-hoc networks
and internet connection sharing

SSID
 Multiple wireless networks can coexist
 Each network is identified by a service set ID (SSID) of up to 32 bytes
 The typical default SSID of an access point is the manufacturer's name
 SSIDs are often broadcast to enable discovery of the network by prospective clients
 SSIDs are not authenticated (any access point can announce any name), thus enabling a simple spoofing attack ("evil twin"):
 Place a rogue access point in a public location (e.g., cafe, airport)
 Use the SSID of an ISP
 Set up a login page similar to the one of the ISP
 Wait for clients to connect to the rogue access point and authenticate
 Possibly forward the session to the ISP network
 Facilitated by automatic connection defaults (clients reconnect to any network whose SSID they remember)
WEP
 Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks.
 Its intention was to provide data confidentiality comparable to that of a traditional wired network.
 WEP, recognizable by its key of 10 or 26 hexadecimal digits (40- or 104-bit keys, marketed as 64- and 128-bit because the 24-bit IV is counted), was widely in use and was often the first security choice presented to users by router configuration tools.
 Although its name implies that it is as secure as a wired connection, WEP has been demonstrated to have numerous flaws and was deprecated in 2004 in favour of WPA/WPA2
Slow Attack: WEP Sniffing
 To crack a 64-bit WEP key you can capture:
 50,000 to 200,000 packets containing Initialization Vectors (IVs)
 Only about ¼ of the captured frames carry IVs (data frames do; management and control frames do not)
 So you need 200,000 to 800,000 packets
 It can take a long time (typically several hours or even days) on a quiet network to capture that many packets
Fast Attack: Packet Injection
 The attacker injects packets to make the network generate more "interesting" (IV-carrying) packets, e.g. by capturing an encrypted ARP request and replaying it so that the access point answers it over and over
 A special wireless card driver (one that supports injection) is necessary to perform injection
Wi-Fi Protected Access (WPA)
 WEP became widely known as insecure
 In 2005, the FBI publicly cracked a WEP key in only 3 minutes!
 Wi-Fi Protected Access (WPA) proposed in 2003
 WPA uses the Temporal Key Integrity Protocol (TKIP).
 TKIP attempts to address the cryptographic weaknesses of WEP's RC4 implementation
 WEP is especially weak because it simply concatenates the IV with the encryption key to generate the RC4 seed.
 TKIP remedies this by increasing the IV length to 48 bits and by incorporating a key-mixing algorithm that combines the key with the IV in a more sophisticated way before using it as an RC4 seed to generate a keystream. TKIP was a stopgap for WEP-era hardware and is itself deprecated today.
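Why concatenating the IV with the key is dangerous, as an added example that is not from the slides: a plain RC4 implementation, WEP-style encryption with the IV prepended to the shared key, and the recovery of one frame's plaintext from another frame that reused the same IV. The key, IV and frame contents are constructed; the 8-byte LLC/SNAP header is the real constant that starts every IP data frame on 802.11, which is why an attacker always "knows" some plaintext. This is the keystream-reuse problem that IV-based WEP attacks and TKIP's key mixing are about; the statistical key-recovery attack itself is not implemented here.

```python
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 24-bit IV in the clear, then plaintext XOR RC4(IV || key).
    64-bit WEP = 3-byte IV + 5-byte key (the '10 hex digit' key on the WEP slide)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)
    return iv + xor(plaintext, rc4(iv + shared_key, len(plaintext)))


def recover_with_known_plaintext(known_frame: bytes, known_plaintext: bytes, target_frame: bytes):
    """If two frames reuse an IV they reuse the keystream, so C1 XOR C2 = P1 XOR P2:
    knowing P1 reveals as many bytes of P2 as we know of P1. Returns None if the IVs differ."""
    if known_frame[:3] != target_frame[:3]:
        return None
    keystream = xor(known_frame[3:], known_plaintext)      # C1 XOR P1 = keystream
    return xor(target_frame[3:], keystream)                # C2 XOR keystream = P2 (prefix)


# Constructed example values (not from the slides): a 40-bit key, one IV, two frames
SHARED_KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("0a0b0c")
# Every IP-over-802.11 data frame starts with this LLC/SNAP header, so these 8 bytes are always known
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
PLAINTEXT_A = LLC_SNAP_IP + b"GET /index.html HTTP/1.0"
PLAINTEXT_B = LLC_SNAP_IP + b"password=hunter2"
FRAME_A = wep_encrypt(SHARED_KEY, IV, PLAINTEXT_A)
FRAME_B = wep_encrypt(SHARED_KEY, IV, PLAINTEXT_B)     # same IV: same keystream

IV_SPACE = 2 ** 24     # 16,777,216 IVs; a busy AP cycles through them in hours, and many
                       # cards restart from 0 on reset, so reuse is routine, not theoretical

if __name__ == "__main__":
    print("recovered:", recover_with_known_plaintext(FRAME_A, PLAINTEXT_A, FRAME_B))
```

Even with only the LLC/SNAP header as known plaintext, every IV collision hands the attacker the first 8 keystream bytes for that IV; collecting enough of those per-IV keystream prefixes is what the FMS family of attacks turns into key recovery. TKIP's per-packet key mixing makes the RC4 seed for two frames differ even when the IV counter value repeats, which is the fix the WPA slide refers to.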
WPA2
 WPA2 uses the strong AES cipher (in CCMP mode) for protecting both integrity and confidentiality
 The AES cipher has not been broken so far; the attacks published against WPA2 (e.g. KRACK in 2017) targeted the four-way key handshake, not the cipher
 The only disadvantage of WPA2 is the amount of processing power that it needs in order to protect your network.
 This translates into a direct need for more powerful hardware, or a reduction in network performance for heavily used networks.
Steps to secure organization wireless
 Hiding the Network ID (SSID)
 Using Encryption (WPA2 or later with a strong passphrase, or 802.1X authentication)
 Using a Firewall
 Sniffing Out Intruders
 Limiting the IP Addresses
 Filtering out MAC Addresses
 Hiding the SSID and MAC filtering only raise the bar slightly: both the SSID and client MAC addresses travel in the clear in every frame, so a sniffer recovers them and a MAC address can be reconfigured (as the MAC spoofing slide showed); encryption and authentication are the controls that actually matter
END
Q&A