NETWORK SECURITY ADD ON NOTES MMD © Oct2012

Page 1: NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists

NETWORK SECURITY

ADD ON NOTES

MMD © Oct2012


IMPLEMENTATION

Enable Passwords On Cisco Routers Via Enable Password And Enable Secret
Access Control Lists (ACLs)
How to Prevent Denial of Service Attacks
How Kerberos Authentication Works


Enable Passwords On Cisco Routers Via Enable Password And Enable Secret

The two most basic passwords a Cisco router supports are set with the enable password command and the enable secret command.

Depending on the IOS version, administrators will likely only need to set up the enable secret command.


ACLs

Access Control Lists (ACLs) allow a router to permit or deny packets based on a variety of criteria.

Three basic steps to configure a Standard Access List:

1. Use the access-list global configuration command to create an entry in a standard ACL.
2. Use the interface configuration command to select an interface to which to apply the ACL.
3. Use the ip access-group interface configuration command to activate the existing ACL on an interface.


ACLs

With Access Lists you will have a variety of uses for the wildcard masks: match a specific host, match an entire subnet, match an IP range, or match everyone and anyone.
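As an added example (not part of the notes), the following Python evaluates a standard ACL the way the router does once it is applied with ip access-group: each entry's wildcard mask decides which bits of the source address must match, the first matching entry wins, and anything unmatched hits the implicit deny. The parser, the function names and the sample ACL are constructed for this illustration and cover the four wildcard uses listed above.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base/wildcard: a 0 bit in the wildcard must
    match, a 1 bit is ignored (the opposite of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny host X | X WILDCARD | any' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, target = parts[2], parts[3]
        if target == "any":                    # wildcard 255.255.255.255: everyone
            base, wild = "0.0.0.0", "255.255.255.255"
        elif target == "host":                 # wildcard 0.0.0.0: exactly one host
            base, wild = parts[4], "0.0.0.0"
        else:                                  # explicit address plus wildcard
            base, wild = target, parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, base, wild))
    return entries

def evaluate(entries, src: str) -> str:
    """Entries are tested in order; the first match wins and an unmatched
    packet hits the implicit deny at the end of every ACL."""
    for action, base, wild in entries:
        if wildcard_match(src, base, wild):
            return action
    return "deny"

# Constructed sample ACL covering the four wildcard uses in the notes
SAMPLE_ACL = [
    "access-list 10 deny   host 192.168.1.99",       # one specific host
    "access-list 10 permit 192.168.1.0 0.0.0.255",   # an entire /24 subnet
    "access-list 10 permit 10.0.16.0 0.0.15.255",    # range 10.0.16.0 to 10.0.31.255
    "access-list 10 deny   any",                     # everyone and anyone
]
```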


How to Prevent Denial of Service Attacks

The denial of service (DoS) attack is statistically the most used malicious attack out of them all. Literally anyone can bring down a website with a simple command prompt. The question is: how do you protect against an attack that can cripple your network or website in a matter of minutes?

If you are going to protect against an attack, you first have to know how it works. You must familiarize yourself with the different variations, methods, and plans of attacks that hackers use.

There are at least seven different classifications of DoS attacks known today.


DoS: Ping Flood

The most basic of attacks is the ping flood attack. It relies on the ICMP echo command, more popularly known as ping. In legitimate situations the ping command is used by network administrators to test connectivity between two computers.

In the ping flood attack, it is used to flood large amounts of data packets to the victim’s computer in an attempt to overload it.


DoS: Ping Flood

Two Exploitable Commands Using Ping

The -n option tells the prompt to send the request a specified number of times. The default is four packets, but we sent five.

The -l option tells the prompt how much data to send for each packet. The maximum is 65,500 bytes, while the default is just 32.


DoS: Ping Flood

This type of attack is generally useless on larger networks or websites, because only one computer is being used to flood the victim’s resources. If we were to use a group of computers, then the attack would become a distributed denial of service attack, or DDoS.

The most common cure to the ping flood attack is to simply ban the IP address from accessing your network.


DoS: Ping of Death

The ping of death attack, or PoD, can cripple a network based on a flaw in the TCP/IP system. The maximum size for a packet is 65,535 bytes. If one were to send a packet larger than that, the receiving computer would ultimately crash from confusion.


DoS: Ping of Death

Sending a ping of this size is against the rules of the TCP/IP protocol, but hackers can bypass this by cleverly sending the packets in fragments. When the fragments are assembled on the receiving computer, the overall packet size is too great. This will cause a buffer overflow and crash the device.


DoS: Ping of Death

Luckily, most devices created after 1998 are immune to this kind of attack. If you are running a network with outdated devices this will indeed be a possible threat to your network. In this case, upgrade your devices if possible.


DoS: Smurf Attack

When conducting a smurf attack, attackers will spoof their IP address to be the same as the victim’s IP address. This will cause great confusion on the victim’s network, and a massive flood of traffic will be sent to the victim’s networking device, if done correctly.


DoS: Smurf Attack

Most firewalls protect against smurf attacks, but there are several things you can do. If you have access to the router your network or website is on, simply tell it to not forward packets to broadcast addresses. In a Cisco router, simply use the command: no ip directed-broadcast.


DoS: Fraggle

A Fraggle attack is exactly the same as a smurf attack, except that it uses the user datagram protocol, or UDP, rather than TCP. Fraggle attacks, like smurf attacks, are starting to become outdated and are commonly stopped by most firewalls or routers.

This attack is generally less powerful than the smurf attack, since the TCP protocol is much more widely used than the UDP protocol.


DoS: SYN Flood Attack

The SYN flood attack takes advantage of the TCP three-way handshake. This method operates in two separate ways. Both methods attempt to start a three-way handshake, but not complete it.


DoS: SYN Flood Attack

The first attack method can be achieved when the attacker sends a synchronize request, or SYN, with a spoofed IP address. When the server tries to send back a SYN-ACK request, or synchronize-acknowledge request, it will obviously not get a response. This means that the server never obtains the client’s ACK request, and resources are left half-open.


DoS: SYN Flood Attack

Alternatively, the attacker can just choose to not send the acknowledgement request. Both of these methods stall the server, which is patiently waiting for the ACK request.
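As an added example (not from the notes), this Python tracks handshake state the way a sensor in front of a server could, and reports half-open connections per server: the two methods above look different in the report (many spoofed addresses with one half-open each, or one address with many) but exhaust the same finite backlog. The packet records, address values and function names are constructed for the illustration.

```python
from collections import defaultdict

def track_handshakes(packets):
    """packets: (src, dst, flags) records in arrival order; flags is "SYN",
    "SYN-ACK" or "ACK". Returns {(client, server): state} with state "syn"
    (request seen), "half-open" (server answered, client ACK still missing)
    or "open" (handshake completed)."""
    state = {}
    for src, dst, flags in packets:
        if flags == "SYN":
            state[(src, dst)] = "syn"
        elif flags == "SYN-ACK" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "half-open"   # server has committed a backlog slot
        elif flags == "ACK" and state.get((src, dst)) == "half-open":
            state[(src, dst)] = "open"        # third step of the handshake arrived
    return state

def half_open_report(packets):
    """Per server: (half-open count, distinct client addresses). Many addresses
    with one half-open each fits the spoofed-SYN method; one address with
    many fits the withheld-ACK method. Ports are stripped from client ids."""
    report = defaultdict(lambda: {"count": 0, "clients": set()})
    for (client, server), s in track_handshakes(packets).items():
        if s == "half-open":
            report[server]["count"] += 1
            report[server]["clients"].add(client.split(":")[0])
    return {srv: (v["count"], len(v["clients"])) for srv, v in report.items()}

def flag_servers(packets, threshold):
    """Servers whose half-open count has reached the threshold (the backlog is finite)."""
    return sorted(s for s, (n, _) in half_open_report(packets).items() if n >= threshold)

# Constructed trace against server 192.0.2.80: one real client completes its
# handshake, 198.51.100.9 opens three connections and withholds every ACK, and
# five spoofed sources never see the SYN-ACK, so they never answer it.
TRACE = [("10.0.0.5:51000", "192.0.2.80", "SYN"), ("192.0.2.80", "10.0.0.5:51000", "SYN-ACK"),
         ("10.0.0.5:51000", "192.0.2.80", "ACK")]
for i in range(3):
    TRACE += [(f"198.51.100.9:{40000 + i}", "192.0.2.80", "SYN"),
              ("192.0.2.80", f"198.51.100.9:{40000 + i}", "SYN-ACK")]
for i in range(5):
    TRACE += [(f"203.0.113.{i}:1234", "192.0.2.80", "SYN"),
              ("192.0.2.80", f"203.0.113.{i}:1234", "SYN-ACK")]
```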


DoS: Teardrop

In the teardrop attack, packet fragments are sent in a jumbled and confused order. When the receiving device attempts to reassemble them, it obviously won’t know how to handle the request. Older versions of operating systems will simply crash when this occurs.

Operating systems such as Windows NT, Windows 95, and even Linux versions prior to version 2.1.63 are vulnerable to the teardrop attack.


DoS: DDoS

A distributed denial of service attack, or DDoS, is much like the ping flood method, only multiple computers are being used. The computers that are being used may or may not be aware of the fact that they are attacking a website or network.

Trojans and viruses commonly give the hacker control of a computer, and thus the ability to use it for attack. In this case the victim computers are called zombies.


DoS: DDoS

A DDoS attack is very tough to overcome. The first thing to do is to contact your hosting provider or internet service provider, depending on what is under attack. They will usually be able to filter out the bulk of the traffic based on where it’s coming from. For more large-scale attacks, you’ll have to become more creative.


DoS: DDoS

If you have access to your router, and are running a Cisco brand, enter the following command into your router command prompt: ip verify unicast reverse-path. This enables unicast reverse-path forwarding (uRPF); prefixing the command with no would turn the check off. This will ensure that attackers can’t spoof their IP address.

Options in DDoS Prevention

Hire a security company to assess and repair the damage
Buy an intrusion detection system (IDS)
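As an added example (not from the notes), the Python below audits a Cisco running-config for the three settings these notes recommend: an enable secret, which IOS stores hashed, rather than an enable password, which is stored in clear or reversible form (page 3); no ip directed-broadcast on interfaces (page 14); and uRPF via ip verify unicast reverse-path (this page). The parser, the finding strings and both sample configs are constructed for the illustration, and the check is not an exhaustive hardening baseline.

```python
def parse_interfaces(config_text):
    """Map each 'interface NAME' stanza to its indented lines (show running-config style)."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or the next global command ends the stanza
    return interfaces

def audit(config_text):
    """Findings for the three hardening points in these notes; empty list = clean."""
    findings = []
    globals_ = [l.strip() for l in config_text.splitlines() if not l.startswith(" ")]
    if not any(l.startswith("enable secret ") for l in globals_):
        findings.append("global: no 'enable secret' set")
    if any(l.startswith("enable password ") for l in globals_):   # clear/reversible storage
        findings.append("global: 'enable password' present, prefer 'enable secret' only")
    for name, cfg in parse_interfaces(config_text).items():
        if "shutdown" in cfg or not any(l.startswith("ip address ") for l in cfg):
            continue                # unused or unnumbered interface
        if "ip directed-broadcast" in cfg:     # smurf/fraggle amplification path
            findings.append(f"{name}: 'ip directed-broadcast' enabled, set 'no ip directed-broadcast'")
        if not any(l.startswith("ip verify unicast") for l in cfg):  # uRPF, either syntax
            findings.append(f"{name}: no 'ip verify unicast reverse-path' (spoofed sources not dropped)")
    return findings

# Constructed configs: a weak one and the hardened version
WEAK = """\
enable password Example123
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/1
 shutdown
!"""
HARDENED = """\
enable secret 5 <hash-placeholder>
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
 ip verify unicast reverse-path
!"""
```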


How Kerberos Authentication Works

If you are running Windows 2000 or later, you are indeed running Kerberos by default.

Advantage of Kerberos: to help combat security concerns. FTP and Telnet use plaintext passwords. These passwords are easy to intercept with the right tools. Anyone with a simple packet sniffer and packet analyzer can obtain an FTP or telnet logon with ease. With that kind of sensitive information being transmitted, the need for Kerberos is obvious.

Sure, FTP and Telnet related logons are easy to intercept, but then again so is every other connection any of your applications has to the internet.


How Kerberos Authentication Works

Kerberos operates by encrypting data with a symmetric key. A symmetric key is a type of authentication where both the client and server agree to use a single encryption/decryption key for sending or receiving data.

When working with the encryption key, the details are actually sent to a key distribution center, or KDC, instead of sending the details directly between each computer.

8 steps to do this:

1. The authentication service, or AS, receives the request by the client and verifies that the client is indeed the computer it claims to be.


How Kerberos Authentication Works

2. Upon verification, a timestamp is created. This puts the current time in a user session, along with an expiration date. The default expiration date of a timestamp is 8 hours. The encryption key is then created. The timestamp ensures that when 8 hours is up, the encryption key is useless.

3. The key is sent back to the client in the form of a ticket-granting ticket, or TGT. This is a simple ticket that is issued by the authentication service. It is used for authenticating the client for future reference.

4. The client submits the ticket-granting ticket to the ticket-granting server, or TGS, to get authenticated.

5. The TGS creates an encrypted key with a timestamp, and grants the client a service ticket.


How Kerberos Authentication Works

6. The client decrypts the ticket, tells the TGS it has done so, and then sends its own encrypted key to the service.

7. The service decrypts the key, and makes sure the timestamp is still valid. If it is, the service contacts the key distribution center to receive a session that is returned to the client.

8. The client decrypts the ticket. If the keys are still valid, communication is initiated between client and server.

The client is authenticated until the session expires.
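As an added example (not from the notes and not real Kerberos code), this Python walks the eight steps above with the key relationships they describe: every principal shares one long-term key with the KDC, the AS returns a session key sealed for the client plus a TGT the client cannot open, the TGS checks the TGT timestamp and issues a service ticket, and the service accepts the ticket only while its 8-hour stamp is valid. A toy stream cipher plus HMAC stands in for Kerberos encryption, session keys are derived deterministically instead of randomly, and the KDC database and function names are constructed placeholders.

```python
import hashlib, hmac, json

LIFETIME = 8 * 3600   # default ticket lifetime from the notes (seconds)

def _stream(key, n):  # toy keystream: sha256(key || counter), NOT Kerberos crypto
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):   # toy encrypt-then-MAC of a JSON object
    data = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct)))))

def _session_key(label, now):  # deterministic stand-in for a random key (hex)
    return hashlib.sha256(f"{label}:{now}".encode()).hexdigest()

def as_exchange(kdc, client, now):
    """Steps 1-3: AS checks the client is known, stamps an expiry and returns
    the session key (sealed for the client) plus the TGT (sealed for the TGS)."""
    if client not in kdc:
        raise PermissionError("unknown principal")
    sk, exp = _session_key("tgs:" + client, now), now + LIFETIME
    tgt = seal(kdc["krbtgt"], {"client": client, "sk": sk, "exp": exp})
    return seal(kdc[client], {"sk": sk, "exp": exp}), tgt

def tgs_exchange(kdc, tgt, service, now):
    """Steps 4-5: TGS opens the TGT, checks its timestamp, issues a service ticket."""
    t = unseal(kdc["krbtgt"], tgt)
    if now >= t["exp"]:
        raise PermissionError("TGT expired, authenticate again")
    sk2, exp = _session_key("svc:" + t["client"], now), now + LIFETIME
    ticket = seal(kdc[service], {"client": t["client"], "sk": sk2, "exp": exp})
    return seal(bytes.fromhex(t["sk"]), {"sk": sk2}), ticket

def service_accepts(service_key, ticket, now):
    """Steps 6-8: the service opens the ticket with its own key; valid until expiry."""
    t = unseal(service_key, ticket)
    return now < t["exp"]

# Constructed KDC database: each principal shares one long-term key with the KDC
KDC = {"alice": hashlib.sha256(b"alice-password").digest(),
       "krbtgt": hashlib.sha256(b"tgs-long-term-key").digest(),
       "fileserver": hashlib.sha256(b"fileserver-long-term-key").digest()}
```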