Week 6 - Network Security
Last week we were deep down in memory. This week we will start to work our way back up to a more familiar space. Specifically we will discuss network security.
Why is network security important? First and foremost, it keeps threats away from the host machines. It also protects against threats from the network itself as well as threats coming in over the network (think DDoS attacks). There are many different protection strategies for preventing network attacks.
Positive Policy - also known as whitelisting (allow-listing). This is a list of the behaviors expected on a network; anything not on the list is denied by default. By knowing what is expected, unexpected behavior can be quickly identified.
Firewall - the device that enforces the list of expected vs. unexpected behaviors on the network. A related concept the lecturer used was the attack surface: the set of operations the network is willing to respond to, which a positive policy keeps as small as possible. Various zones of the network are defined (e.g. intranet, Internet, DMZ) and the firewall sits between the zones, ensuring the positive policy is adhered to as traffic crosses from one zone to another. The slide below is an illustration of what such a network may look like.
source: lecture slides courtesy of Oregon State University CS373
Defense in Depth - this involves setting multiple layers of security on top of one another, that way if an attacker can get through one security layer they have to go through another (and another) before reaching the target.
Intrusion Prevention Systems (IPS) or Intrusion Detection Systems (IDS) - use signature detection to spot attacks (an IDS alerts, an IPS also blocks). This is good at detecting known attacks and collecting information about an attack, but it does not fare well against zero-day attacks (exploits for a vulnerability that nobody has a patch or signature for yet), and signatures that match on content alone also generate false positives.
Honeynets - a false network with fake content built to deceive attackers and slow them down while they believe they are acquiring valid information. Honeynets can be quite effective; however, they aren't deployed as much as one would think because they require a lot of setup and realistic-looking data to appear valid.
Quarantine - hosts that are found to be infected are isolated from the network to prevent the attack from spreading to other machines.
Reputation - data is collected and published in the cloud where other users can check whether an address, URL or file is associated with good or bad behavior. Data includes IP addresses of known botnets, malware hosts and spammers, URLs associated with scripted attacks and drive-by downloads, and files generated by known viruses. Problems with reputation include the cloud data becoming outdated and susceptibility to zero-day threats that have no reputation yet.
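To make the IPS/IDS trade-offs above concrete, here is an added example (not from the lecture or the slides) of a tiny signature engine run over a few constructed HTTP payloads. The signature set, the payloads and the labels are all invented for this demo; real engines like Snort add protocol decoders and normalizers on top of plain content matching precisely because of the last case.

```python
import re

# Constructed signature set for this example (not a real IDS ruleset): each
# entry is a name and a byte pattern to look for in the packet payload.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "shell-command-injection": re.compile(rb";\s*(cat|rm|wget|curl)\s"),
    "sql-injection-tautology": re.compile(rb"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}

# Constructed payloads standing in for reassembled HTTP requests.
SAMPLES = {
    "known attack": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\n",
    # Looks like an attack to a content-only signature, but it is a user
    # quoting the injection string in a forum post: a false positive.
    "benign quoting attack": b"POST /forum HTTP/1.1\r\n\r\nbody=Why does ' or '1'='1 break this form?",
    # Same goal as the first request, but the separator is percent-encoded so
    # the literal pattern never appears: a variant the signature set misses.
    "novel variant": b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0\r\n",
}

def inspect(payload: bytes) -> list:
    """Return the names of all signatures that match the payload."""
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(payload))

def run_samples() -> dict:
    """Run every constructed sample through the signature engine."""
    return {label: inspect(payload) for label, payload in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label:22s} -> {hits or 'no alert'}")
```

The first sample is caught, the plain request is clean, the forum post trips the SQL signature even though nobody is attacking anything, and the encoded traversal walks straight past the engine: the three behaviors the paragraph describes, side by side.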
The following slide shows how various products incorporate these types of security. Note: NGFW = next-gen firewall, NGIPS = next-gen intrusion prevention system.
source: lecture slides courtesy of Oregon State University CS373
What are some various types of threats?
Man in the middle - a third party intercepts and potentially changes data exchanged between point A and point B. This can be done via ARP poisoning (flooding the network with ARP replies to trick a host into thinking the Internet gateway is at the attacker's MAC address rather than the real one) and TCP hijacking (injecting, deleting or changing data in a TCP stream). Other examples, in this case legitimate ones deployed by defenders, include a terminating TCP proxy (terminate the TCP connection on one side and open a completely new connection on the other side), an HTTP proxy (intercept all HTTP traffic and validate the host and URL), and a mail proxy (blocks .exe files from being sent or received). How is a man in the middle detected? By applying an HMAC (hash-based message authentication code), computed with a key shared by the two endpoints, to each packet. The receiver recomputes and verifies the HMAC; an attacker who does not know the key cannot produce a valid tag for a modified packet, so tampering is detected (an HMAC alone does not stop the attacker from reading the traffic; that needs encryption).
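As an added example (not code from the lecture) of the HMAC check described above, the script below tags each packet with HMAC-SHA256 over a sequence number and the payload, then plays three attacks against it: editing the payload in flight, re-tagging with a guessed key, and renumbering a captured packet. The shared key, the packet layout and the payloads are assumptions made for this demo.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

# Assumed for this example: both endpoints already share this key (provisioned
# out of band or by a key exchange). An on-path attacker does not have it.
SHARED_KEY = b"example-shared-key-for-demo-only"

def tag_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build seq || payload || HMAC-SHA256(key, seq || payload).

    The sequence number is inside the authenticated data, so an attacker cannot
    renumber a captured packet. The receiver still has to remember which
    sequence numbers it has seen in order to reject an exact replay.
    """
    header = seq.to_bytes(4, "big")
    mac = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + mac

def verify_packet(key: bytes, packet: bytes):
    """Return (seq, payload) if the tag checks out, else None."""
    if len(packet) < 4 + TAG_LEN:
        return None
    header, payload, mac = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak, via timing, how many
    # leading bytes of a forged tag were right.
    if not hmac.compare_digest(mac, expected):
        return None
    return int.from_bytes(header, "big"), payload

def mitm_rewrite(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate an on-path attacker editing the payload but leaving the tag."""
    header, payload, mac = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    return header + payload.replace(old, new) + mac

def demo():
    genuine = tag_packet(SHARED_KEY, 7, b"transfer 100 to alice")
    accepted = verify_packet(SHARED_KEY, genuine)
    # Attack 1: change the payload in flight.
    tampered = mitm_rewrite(genuine, b"alice", b"mallory")
    # Attack 2: recompute the tag with a guessed key.
    forged = tag_packet(b"guessed-key", 7, b"transfer 100 to mallory")
    # Attack 3: resend a genuine packet under a different sequence number.
    renumbered = (8).to_bytes(4, "big") + genuine[4:]
    return (
        accepted,
        verify_packet(SHARED_KEY, tampered),
        verify_packet(SHARED_KEY, forged),
        verify_packet(SHARED_KEY, renumbered),
    )

if __name__ == "__main__":
    print(demo())
```

Only the genuine packet verifies; each attack returns None. Note what the tag does not do: the attacker can still read the payload, and an exact replay of a genuine packet verifies fine, so a real protocol pairs the HMAC with encryption and a replay window (this is what TLS and IPsec do).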
Reconnaissance - there are two types of recon, active and passive. In active recon the attacker probes the network to find the addresses of machines and services that can be attacked. In passive recon the attacker can already see data on the network and uses it to gain information about people and systems without sending anything. For active recon there are various ways to scan for machines, including pinging them (ICMP echo requests), TCP port scans and UDP scans. For passive recon, one could get data by tapping ISPs, listening to radio signals, and hiding equipment in wiring closets.
How can recon be defended against? Honeypots can slow down recon, and since no legitimate client has any reason to contact a honeypot, any probe that reaches one is a strong signal that a scan is in progress.
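The flip side of active recon is detecting it. Below is an added example (not from the lecture) of the detection logic a firewall or NetFlow collector might run: it flags a source that touches many distinct ports on one host, or many distinct hosts, inside a time window. The flow records are constructed for the demo; the thresholds and window are assumptions you would tune to your own network.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since start of the capture
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # 0 for icmp

# Constructed flow records (not a real capture) standing in for firewall or
# NetFlow logs: normal traffic, one port scan and one ICMP host sweep.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.5", "192.0.2.10", "tcp", 443),
    Flow(1.0, "10.0.0.5", "192.0.2.10", "tcp", 443),
    Flow(2.0, "10.0.0.5", "192.0.2.11", "tcp", 22),
    # 198.51.100.7 probes ports 20..39 on one host within five seconds
    *[Flow(3.0 + i * 0.25, "198.51.100.7", "192.0.2.10", "tcp", 20 + i) for i in range(20)],
    # 198.51.100.9 pings thirty hosts in 192.0.2.0/24 within three seconds
    *[Flow(10.0 + i * 0.1, "198.51.100.9", f"192.0.2.{i}", "icmp", 0) for i in range(1, 31)],
    Flow(60.0, "10.0.0.6", "192.0.2.10", "udp", 53),
]

def detect_scans(flows, window=10.0, port_threshold=10, host_threshold=16):
    """Return sorted (src, kind) alerts.

    kind is "port_scan" when a source touches more than port_threshold distinct
    ports on one destination inside `window` seconds, and "host_sweep" when it
    touches more than host_threshold distinct destinations in that time.
    """
    alerts = set()
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    for src, seq in by_src.items():
        # Sliding window anchored at each flow of this source.
        for i, start in enumerate(seq):
            ports_per_dst = defaultdict(set)
            hosts = set()
            for f in seq[i:]:
                if f.ts - start.ts > window:
                    break
                hosts.add(f.dst)
                if f.proto in ("tcp", "udp"):
                    ports_per_dst[f.dst].add((f.proto, f.dport))
            if any(len(p) > port_threshold for p in ports_per_dst.values()):
                alerts.add((src, "port_scan"))
            if len(hosts) > host_threshold:
                alerts.add((src, "host_sweep"))
    return sorted(alerts)

if __name__ == "__main__":
    for src, kind in detect_scans(SAMPLE_FLOWS):
        print(f"ALERT {kind}: {src}")
```

A scanner that sends one probe per minute stays under any window-based threshold, which is where honeypots complement the detector: they do not need a rate, because a single touch is already anomalous.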
Spoofing - an attacker disguises themselves as a legitimate network entity to get around the network defenses. IP, MAC and email addresses can all be spoofed, along with TCP sequence numbers and HTTP header fields. Defenses against spoofing include ingress filtering (dropping packets arriving from outside that claim an inside source address), egress filtering (dropping packets leaving the network whose source address is not one of ours), and reverse path filtering (checking that the route back to the packet's source address goes out the interface the packet arrived on; if it does not, the source is probably forged).
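The three filters are easiest to see as one function on an edge router. This is an added example, not code from the lecture, and the topology (inside networks in 10.0.0.0/8, two LAN interfaces plus a default route out of `wan`) and the test packets are assumptions made for the demo.

```python
import ipaddress

# Constructed topology for this example: an edge router whose inside networks
# live in 10.0.0.0/8 and whose routing table is the dict below.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "lan1",
    ipaddress.ip_network("10.2.0.0/16"): "lan2",
    ipaddress.ip_network("0.0.0.0/0"): "wan",   # default route to the Internet
}

def route_lookup(addr) -> str:
    """Longest-prefix match: the interface the router would use to reach addr."""
    best_net, best_iface = None, None
    for net, iface in ROUTES.items():
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def check_source(src: str, dst: str, in_iface: str) -> str:
    """Apply ingress, egress and strict reverse-path checks to one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Ingress filtering: nothing arriving from the Internet may claim an
    # inside source address.
    if in_iface == "wan" and src in INSIDE:
        return "drop:ingress"
    # Egress filtering: nothing we send to the Internet may carry a source
    # address that is not ours. This is what keeps our hosts from taking part
    # in spoofed-source DDoS attacks.
    if route_lookup(dst) == "wan" and src not in INSIDE:
        return "drop:egress"
    # Strict reverse path filtering: the route back to the source must leave
    # through the interface the packet came in on.
    if route_lookup(src) != in_iface:
        return "drop:rpf"
    return "accept"

def demo() -> list:
    cases = [
        ("10.1.5.5", "203.0.113.9", "lan1"),   # normal outbound traffic
        ("10.1.5.5", "203.0.113.9", "wan"),    # Internet packet claiming an inside source
        ("192.0.2.7", "203.0.113.9", "lan1"),  # inside host spoofing a foreign source
        ("10.1.5.5", "10.2.0.1", "lan2"),      # lan2 host spoofing a lan1 address
        ("203.0.113.9", "10.1.1.1", "wan"),    # normal inbound traffic
    ]
    return [check_source(*c) for c in cases]

if __name__ == "__main__":
    print(demo())
```

Strict reverse path filtering breaks asymmetric routing (traffic that legitimately returns over a different link), which is why routers also offer a loose mode that only requires some route to the source to exist. On Linux the same check is the `rp_filter` sysctl (1 = strict, 2 = loose).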
A bug is an unintentional flaw that can lead to a compromise. Common bugs include default or common passwords, buffer overflows, susceptibility to packet bombs, and legacy features that haven't been disabled.
Packet filtering - a policy-driven whitelist that only allows expected traffic through the network boundary; everything else is dropped.
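Here is the positive policy, the firewall between zones and packet filtering from the paragraphs above written as one small filter. It is an added example (not from the lecture or the slides); the zones, the rule list and the sample packets are assumptions for the demo. It also adds connection tracking, because a purely stateless whitelist would have to open every high port inbound just to let replies to outbound web requests back in.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset   # allowed destination ports

# Constructed zones and policy for this example. Any flow not matched by a
# rule is dropped: this is the positive policy (whitelist) in code.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "intranet": ipaddress.ip_network("10.0.0.0/8"),
}
POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443})),       # public web tier
    Rule("intranet", "dmz", "tcp", frozenset({22, 80, 443})),    # admins and browsing
    Rule("intranet", "internet", "tcp", frozenset({80, 443})),   # outbound web only
    Rule("intranet", "internet", "udp", frozenset({53})),        # DNS
    Rule("dmz", "intranet", "tcp", frozenset({5432})),           # web tier to database
]

def zone_of(addr: str) -> str:
    """Most specific zone containing addr; 'internet' (0.0.0.0/0) is the catch-all."""
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net in ZONES.items():
        if ip in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

class StatefulFirewall:
    """Zone-based packet filter with connection tracking."""

    def __init__(self, policy):
        self.policy = policy
        self.established = set()   # 5-tuples of accepted connections

    def process(self, src: str, sport: int, dst: str, dport: int, proto: str) -> str:
        # Reply traffic of a connection we already accepted passes without a
        # rule of its own; this is what makes "outbound web only" workable.
        if (dst, dport, src, sport, proto) in self.established:
            return "accept"
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        for rule in self.policy:
            if ((rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, proto)
                    and dport in rule.dports):
                self.established.add((src, sport, dst, dport, proto))
                return "accept"
        return "drop"   # default deny: not on the list, not expected

def demo() -> list:
    fw = StatefulFirewall(POLICY)
    return [
        fw.process("10.1.2.3", 40000, "203.0.113.5", 443, "tcp"),   # intranet -> web
        fw.process("203.0.113.5", 443, "10.1.2.3", 40000, "tcp"),   # its reply
        fw.process("203.0.113.5", 443, "10.1.2.3", 40001, "tcp"),   # unsolicited inbound
        fw.process("203.0.113.5", 5555, "192.0.2.10", 22, "tcp"),   # SSH to DMZ from Internet
        fw.process("192.0.2.10", 50000, "10.1.9.9", 5432, "tcp"),   # DMZ web -> database
        fw.process("10.1.2.3", 50001, "203.0.113.5", 23, "tcp"),    # telnet out
    ]

if __name__ == "__main__":
    print(demo())
```

Everything not spelled out in `POLICY` is dropped, so adding a service means adding a rule rather than hunting for what to block; that is the attack-surface argument from the firewall paragraph made mechanical.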
DoS (denial of service) attacks - consume a network's or host's resources to the point where the service is degraded or even unusable.
DDoS (distributed denial of service) attacks - same as DoS except a large number of computers are used to perform the resource exhaustion attack against a service. Different types of DoS attacks include network exhaustion, CPU exhaustion, memory exhaustion, storage exhaustion, and application vulnerability exploitation (crash the application or operating system to make it unavailable). One way to defend against DoS attacks is network traffic validation and cleansing, where a firewall proxy cleanses the traffic. Another is a traffic scrubbing center, a third-party service built to sift through an incredibly high volume of traffic and pass only legitimate traffic on to its customers.
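What "cleansing" can look like in the simplest case is per-source rate limiting with a token bucket. The example below is added here and is not from the lecture; the rate, burst and the constructed traffic mix (a steady client, a client that bursts a page load, and one source flooding at 100 packets/s) are assumptions for the demo. Time is kept in integer milliseconds so the expected counts are exact.

```python
from collections import defaultdict

class TokenBucket:
    """Integer token bucket: `rate` tokens per second, capacity `burst` tokens.

    Time is kept in milliseconds and tokens in thousandths so the arithmetic
    is exact; one packet costs 1000 units (one token).
    """

    def __init__(self, rate: int, burst: int):
        self.rate = rate
        self.capacity = burst * 1000
        self.units = self.capacity
        self.last_ms = None

    def allow(self, now_ms: int) -> bool:
        if self.last_ms is not None:
            # rate tokens per second is exactly rate units per millisecond
            self.units = min(self.capacity, self.units + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.units >= 1000:
            self.units -= 1000
            return True
        return False

class Scrubber:
    """Per-source rate limiting: sources inside their budget pass untouched,
    a flooding source is throttled to `rate` packets/s plus one burst."""

    def __init__(self, rate: int = 5, burst: int = 10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.counts = defaultdict(lambda: [0, 0])   # src -> [passed, dropped]

    def process(self, ts_ms: int, src: str) -> bool:
        ok = self.buckets[src].allow(ts_ms)
        self.counts[src][0 if ok else 1] += 1
        return ok

    def summary(self) -> dict:
        return {src: tuple(c) for src, c in self.counts.items()}

def demo() -> dict:
    # Constructed traffic for the demo (not a capture): a steady client, a
    # client that bursts a page load, and a flood of 100 packets/s for 20 s.
    packets = []
    packets += [(i * 1000, "10.0.0.5") for i in range(20)]        # 1 pkt/s
    packets += [(0, "10.0.0.8")] * 8                               # 8 packets at once
    packets += [(i * 10, "198.51.100.7") for i in range(2000)]     # 100 pkt/s
    scrubber = Scrubber(rate=5, burst=10)
    for ts_ms, src in sorted(packets):
        scrubber.process(ts_ms, src)
    return scrubber.summary()

if __name__ == "__main__":
    for src, (passed, dropped) in demo().items():
        print(f"{src:14s} passed={passed:4d} dropped={dropped:4d}")
```

Both legitimate clients get every packet through; the flooder gets its initial burst of ten plus five per second and loses the rest. Two caveats follow directly from the paragraph: a scrubber only helps if it sees the traffic before the link saturates, which is why volumetric floods are handed to a scrubbing center with more capacity upstream, and a distributed attack where each bot stays under the per-source limit passes this filter entirely, so per-source limits have to be combined with global budgets and anomaly detection.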