Download Network Defense

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
page
68
page
69
page
70
page
71
page
72
page
73
page
74
page
75
page
76
page
77
page
78
page
79
page
80
page
81
page
82
page
83
page
84
page
85
page
86
page
87
page
88
page
89
page
90
page
91
page
92
page
93
page
94
page
95
page
96
page
97
page
98
page
99
page
100
page
101
page
102
page
103
page
104
page
105
page
106
page
107
page
108
page
109
page
110
page
111
page
112
page
113
page
114
page
115
page
116
page
117
page
118
page
119
page
120
page
121
page
122
page
123
page
124
page
125
page
126
page
127
page
128
page
129
page
130
page
131
page
132
page
133
page
134
page
135
page
136
page
137
page
138
page
139
page
140
page
141
page
142
page
143
page
144
page
145
page
146
page
147
page
148
page
149
page
150
page
151
page
152
page
153
page
154
page
155
page
156
page
157
page
158
page
159
page
160
page
161
page
162
page
163
page
164
page
165
page
166
page
167
page
168
page
169
page
170
page
171
page
172
page
173
page
174
page
175
page
176
page
177
page
178
page
179
page
180
page
181
page
182
page
183
page
184
page
185
page
186
page
187
page
188
page
189
page
190
page
191
page
192
page
193
page
194
page
195
page
196
page
197
page
198
page
199
page
200
page
201
page
202
page
203
Document related concepts

Asynchronous Transfer Mode wikipedia , lookup

SIP extensions for the IP Multimedia Subsystem wikipedia , lookup

Net bias wikipedia , lookup

Point-to-Point Protocol over Ethernet wikipedia , lookup

RapidIO wikipedia , lookup

Parallel port wikipedia , lookup

Computer network wikipedia , lookup

Airborne Networking wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

Remote Desktop Services wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Network tap wikipedia , lookup

Wireless security wikipedia , lookup

AppleTalk wikipedia , lookup

Lag wikipedia , lookup

Dynamic Host Configuration Protocol wikipedia , lookup

IEEE 1355 wikipedia , lookup

Deep packet inspection wikipedia , lookup

TCP congestion control wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Distributed firewall wikipedia , lookup

Internet protocol suite wikipedia , lookup

Real-Time Messaging Protocol wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
Network Defense
COEN 250
Network Protocols: Layering

Complexity of networking leads to layered
architectures.
 TCP/IP
stack has four levels.
 OSI has seven.
Network Protocols: Layering
Network Protocols: Layering

Each layer adds a header.
 Application
 TCP
 IP
 Link
Data Link Layer

Sits on top of physical layer, which provides

Hardware specification
 Encoding and signaling
 Data transmission and reception
 Topology and physical network design

Example Data Link Layers:





Ethernet
Token Ring
FDDI
Wi-Fi (802.11)
Divided into two sublayers


Logical Link Control
Media Access Control (MAC)
Link Layer Address Resolution

Network Interface Cards (NIC)
 Unique Medium Access Control (MAC) number
 Now typically changeable
 In order to accommodate device change when using
authentication through MAC address

Format 48b written as twelve hex bytes.
 First 6 identify vendor.
 Last 6 serial number.

NICs either select based on MAC address or are
in promiscuous mode (capture every packet).
Link Layer Address Resolution
Address Resolution Protocol (ARP)
 Resolves IP addresses to MAC addresses
 RFC 826

Link Layer:
ARP Resolution Protocol


Assume node A with IP address 10.10.10.100 and
MAC 00:01:02:03:04:05 wants to talk to IP address
10.10.10.101.
Sends out a broadcast who-has request:
00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has 10.10.10.101


All devices on the link capture the packet and pass it to
the IP layer.
10.10.10.101 is the only one to answer:
a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply
10.10.10.101 is-at a0:a0:a0:a0:a0:a0

A caches the value in its arp cache.
Link Layer:
ARP Resolution Protocol
ARP requests:
Link Layer:
ARP Resolution Protocol
Link Layer Intrusion Detection
Network
monitoring tools
such as Argus or
Ethereal log MAC
addresses.
Link Layer Forensics
Example:
Spike in network traffic comes from a computer with a
certain IP address.
However, Argus logs reveal that the traffic comes from a
computer with a different MAC then the computer
assigned that IP. (Spoofing)
Finally, intrusion response finds the computer with that
MAC, a Linux laptop that has been compromised and is
used for a Denial of Service attack.
Link Layer Intrusion Detection

ARP cache can be viewed on Windows
NT/2000/XP with arp –a command.
Link Layer Intrusion Detection
Some organizations log ARP information.
 Routers keep ARP tables.

 show
ip arp
All hosts keep ARP tables.
 DHCP often assigns addresses only to
computers with known MAC.

Link Layer Intrusion Detection
An employee received harassing e-mail from a host on
the employer’s network with IP address 192.168.1.65.
DHCP server database showed that this IP was assigned
to a computer with MAC address 00:00:48:5c:3a:6c.
This MAC belonged to a network printer.
The router’s ARP table showed that the IP address
192.168.1.65. was used by a computer with MAC
00:30:65:4b:2a:5c. (IP-spoofing)
Although this MAC was not on the organization’s list,
there were only a few Apple computers on the network
and the culprit was soon found.
Link Layer Intrusion Detection

Analyze and filter log files:
 Keyword
searches
E.g. for USER, PASS, login
 Nicknames, channel names

 Filters
 Reconstruction

E.g. contents of web-mail inbox.
Link Layer Intrusion Detection
NetIntercept Screenshot
An example for a Network Forensics /
Network Intrusion Detection
commercial tool that reveals link layer
evidence
ARP Package
RFC 826
 ARP package :










0-1: Hardware type (0x0001 – Ethernet)
2-3: Protocol type (0x0800 – IP)
4: Number of bytes in hardware address (6 for MAC)
5: Number of bytes in protocol address (4 for IP)
6-7: Opcode: 1 for ARP request, 2 for an ARP reply
8-13: Source MAC
14-17: Source IP
18-23: Target MAC
24-27: Target IP
ARP Package
Ethereal deassembly of ARP package
Monitoring Tools

Arpwatch
 monitors
ethernet activity and keeps a
database of ethernet/ip address pairings.
Attacks on ARP

Package Generators for various OS.
 Allow
an attacker to subvert a chosen protocol
hping2 for Windows.
 *NIX, XWindows:

packit
 http://sourceforge.net/projects/packitgui/
 IP Sorcery


and many, many more.
 Use
to create arbitrary packages
Attacks on ARP

Switch Flooding
 Switches contain a switch address table.
 Switch address table associates ports with MAC addresses.
 Switch flooding creates many false entries.
 Switches fail in two different modes:
 Fail open:


Switch converts into a hub.
 This allows to monitor traffic through the switch from any
port.
Fail closed:

Switch stops functioning.
 Denial of Service (DoS) attack
Attacks on ARP

ARP Poisoning:
attacker
victim
switch
Outside
world
router
Attacks on ARP

ARP Poisoning: Attacker configures IP forwarding to
send packets to the default router for the LAN
attacker
victim
switch
Outside
world
router
Attacks on ARP

ARP Poisoning: Attacker sends fake ARP to
remap default router IP address to his MAC
address
attacker
victim
switch
Outside
world
router
Attacks on ARP

ARP Poisoning: Switch now takes packet
from victim and forwards it to attacker.
attacker
victim
switch
Outside
world
router
Attacks on ARP

ARP Poisoning: Attackers machine intercepts
message for sniffing and sends it back to the switch
with the MAC address of router.
attacker
victim
switch
Outside
world
router
Attacks on ARP
http://www.watchguard.com/
RARP


RARP (Reverse Address Resolution Protocol)
Used to allow diskless systems to obtain a static
IP address.
 System
requests an IP address from another machine
(with its MAC-address).
 Responder either uses DNS with name-to-Ethernet
address or looks up a MAC to IP ARP table.

Administrator needs to place table in a gateway.
 RARP-daemon
requests.
(RARP-d) responds to RARP
RARP

RARP vulnerability
 Use
RARP together with ARP spoofing to
request an IP address and take part in
communications over the network.
RARP Package

Package Format as in ARP:









0-1: Hardware type (0x0001 – Ethernet)
2-3: Protocol type (0x0800 – IP)
4: Number of bytes in hardware address (6 for MAC)
5: Number of bytes in protocol address (4 for IP)
6-7: Opcode: 1 for ARP request, 2 for an ARP reply
8-13: Source MAC
14-17: Source IP
18-23: Target MAC
24-27: Target IP
IP
Uses IP addresses of source and
destination.
 IP datagrams are moved from hop to hop.
 “Best Effort” service.
 Corrupted datagrams are detected and
dropped.

IP
Addresses contain IP address and port
number.
 IPv4 addresses are 32 bit longs
 IPv6 addresses are 8*16 bits long.

DHCP


Dynamic Host Configuration Protocol
Evolved from TCP/IP Boot Protocol BOOTP

Solves problem of disk-less workstations

Boot process:





BOOTP client sends broadcast to UDP port 67
(BOOTREQUEST)
BOOTP server listens on that port
Replies to client by either



First obtain IP address
Then download OS etc.
Use client’s hardware address to create ARP entry
Use broadcast
Client downloads OS (using e.g. TFTP)
DHCP

Assigns addresses

Manual allocation (just as BOOTP)


Automatic Allocation


Single point of administration
DHCP assigns address to a given device automatically from a pool
of addresses
Dynamic Allocation

DHCP assigns an address from a pool of addresses for the length
of a lease





Addresses are reused and shared
Clients need to renew a lease periodically
If clients are rebooting, but still have an active lease, they reconfirm
their lease during reboot.
If renewal fails, clients will rebind to any active DHCP server
Clients can release a DHCP assigned IP address
DHCP

Attacks
 Denial
of Service
Attacker sends DHCP requests, using up all IP
address in pool
 Attacker uses random MAC addresses
 Switches can limit the number of MAC addresses
used on a given link and prevent this attack

DHCP

Attacks
 Man

in the Middle Attack: Default Gateway
Attacker assigns DHCP addresses by
Attacker disables DHCP server and then operates own
DHCP server
 Attacker runs faster DHCP server

Attacker specifies itself as default gateway
 Attacker redirects traffic from victim through itself

DHCP

Attacks
 Man
in the Middle Attack: DNS Redirection
Attacker assigns DHCP addresses
 Attacker specifies itself as the DNS server
 Attacker only redirects traffic to selected IP
addresses


Banking, Shopping, …
IP: ICMP


Internet Control Message Protocol
Created to deal with non-transient problems. For
example



Fragmentation is necessary, but the No Frag flag is set.
UPD datagram sent to a non-listening port.
Ping.




Used to detect network connectivity before it became too useful for
attack reconnaissance.
Does not use ports.
Allows broadcasting.
More on ICMP later
IP: ICMP

ICMP error messages should not be sent:
 For
any but the first fragment.
 A source address of broadcast or loopback
address.

Are probably malicious, anyway.
 Otherwise:
ICMP messages could proliferate
and throttle a network
IP: ICMP

ICMP errors are not sent:
 In

response to an ICMP error message.
Otherwise, craft a message with invalid UDP
source and destination port. Then watch ICMP
ping-pong.
 A destination

broadcast address.
Don’t answer with destination unreachable for a
broadcast. Otherwise, this makes it trivial to scan
a network.
Transport Layer: TCP and UDP

Transmission Control Protocol (TCP)
 Reliable
 Connection-Oriented.
 Slow

User Datagram Protocol (UDP)
 Unreliable
 Connectionless.
 Fast.
TCP
Only supports unicasting.
 Full duplex connection.
 Message numbers to prevent loss of
messages.

TCP:
Three Way Handshake
Initiator to responder: Syns
 Responder to initator: Acks, Synt
 Initiator to responder: Ackt


Sets up two connections with initial
message numbers s and t.
TCP:
Three Way Handshake



20:13:34.972069 IP Bobadilla.scu.edu.1316 >
server8.engr.scu.edu.23: S 2882650416:2882650416(0) win
16384 <mss 1460,nop,nop,sackOK> (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 >
Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack
2882650417 win 32768 <mss 1460> (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 >
server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
Sequence number
Flag
Window: number of bytes accepted
TCP:
Terminating Connections

Graceful shutdown
 Party
1 to Party 2: Fin
 Party 2 to Party 1: Ack
 Party 2 to Party 1: Fin
 Party 1 to Party 2: Ack

Abrupt shutdown
 Party
1 to Party 2: Res
TCP:
Shutting down a connection








20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win
16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win
32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5
win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win
16940 (DF)
20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5
win 32768 (DF)
20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win
16940 (DF)
20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24
win 16940 (DF)
20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767
(DF)
TCP
Exchanging Data

Each packet has a sequence number.
 (One

for each direction.)
Initial sequence numbers are created
during initial three way handshake.
 NMap
uses the creation of these sequence
numbers to determine the OS.
 OS are now much better with truly random
sequence numbers.
TCP
Exchanging Data
Party that receives packet sends an
acknowledgement.
 Acknowledgement consists in

 Ack
flag.
 Sequence number of the next package to be
expected.
 (TCPDump shows number of bytes
acknowledged).
TCP
Exchanging Data

If a package is lost, then the ack sequence
number will not change:
 “Duplicate
acknowledgement”
Depending on settings, sender will resend,
after at most three stationary ack
numbers.
 Also, senders resend after timeout.

TCP
Exchanging Data







20:48:45.087563 IP Bobadilla.scu.edu.1570 >
server8.engr.scu.edu.23: . ack 4 win 16959 (DF)
20:48:45.087583 IP Bobadilla.scu.edu.1570 >
server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF)
20:48:45.096443 IP server8.engr.scu.edu.23 >
Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF)
20:48:45.221851 IP Bobadilla.scu.edu.1570 >
server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 >
Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 >
Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 >
server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
TCP flags

Part of TCP header
F
: FIN - Finish; end of session
 S : SYN - Synchronize; indicates request to start
session
 R : RST - Reset; drop a connection
 P : PUSH - Push; packet is sent immediately
 A : ACK - Acknowledgement
 U : URG - Urgent
 E : ECE - Explicit Congestion Notification Echo
 W : CWR - Congestion Window Reduced
TCP Example with Ethereal
TCP Example with Ethereal
First Syn message
TCP Example with Ethereal
This is the Syn-ack
packet with sequence
number 68 8d 5c ad and
ack number 10 3f 21 1e
TCP Example with Ethereal
Syn number 10 3f 21 1e
Ack number 68 8d 5c ae
TCP Example with Ethereal
TCP Example with Ethereal
UDP
“Send and pray”
 No connection.
 No special header like TCP.
 Protocol field in the IP header is 0x11
 Another field in the IP header contains
UDP specific header information

Fragmentation
IP datagram can come across smaller
maximum transmission units than its own
size.
 Resender chops up the IP datagram into
many IP datagrams, the fragments.

Fragmentation
Fragments are reassembled at the
destination.
 Fragments carry:

 Fragment
identifier
 Offset in original data portion
 Length of data payload in fragment
 Flag that indicates whether or not this is the
final fragment.
Fragmentation
Example
 Large Echo Request
 ping -l 1480 129.218.19.198
 Assume MTU is 1500
Fragmentation
Fragmentation:
First Fragment
Fragmentation:
Second Fragment
Fragmentation:
Last Fragment
Fragmentation
ping –l 65500 129.218.19.198
12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400
(frag 10712:1472@0+)
12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50
12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)
12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+)
12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+)
12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+)
12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+)
12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+)
12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+)
12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)
Fragmentation
DF (Don’t Fragment) Flag
 If forwarding node finds that the datagram
needs to be fragmented but that the DF
flag is set, it should respond with ICMP
host unreachable – need to fragment.
 Useful to find minimum MTU on a link.

Fragmentation

Fragmentation has security implications
 Stateless
firewalls look only at individual
packages.
 Protocol header is only in the first fragment.
 “Stealth attacks / scans” have evil payload
only in the second and following fragments.
Fragments:
Teardrop and Friends

Teardrop (1997)
 Fragments
with overlapping offset fields.
 Many contemporary OS crashed, hang,
rebooted.

Jolt2
 Single
fragment with non-zero offset.
 Receiving system allocates resources to
reconstruct a datagram that never arrives.
Fragments:
Teardrop and Friends

Create fragments that seem to come from
a GB datagram.
 Trusting

OS tries to allocate memory and dies.
Ping of Death
 Win95
allowed to send a ping that was just a
tad too long. Receiving host would crash.

Unnamed Attacks
 Missing
fragments lead to resource allocation.
ICMP



Protocols like TCP can send error
messages themselves.
Stateless protocols like UDP need another
mechanism to send error messages.
Host uses ICMP for
 Simple
replies and requests
 Inform other hosts of some kind of error
condition.


E.g.: To throttle delivery rate, receiving host can use
the ICMP source quench message.
E.g.: Router can send “admin prohibited” ICMP
message.
ICMP






ICMP has no port numbers.
No acks, no message delivery guarantee
Allows broadcasting
ICMP types at http://www.iana.org/
assignments/icmp-parameters
First Byte of package is Type
Second Byte of package is Code
ICMP

Attackers can use ICMP for scanning:
 Mapping
a network.
 Detect availability of target.
 Detect OS through the way that host
responds.
ICMP
Tireless Mapper
 Sends
ICMP echo requests messages to all possible
IP addresses
 Many IDS might not capture this scan if the number of
packages per hour is small.

Therefore: Firewalls should filter incoming ping
requests.
ICMP
Efficient Mapper
 Use the ICMP echo request with a broadcast
address.
 Ping 129.210.19.255
ICMP
Clever Mapper
 Use a different ICMP message such as
ICMP address mask.
 Determines the class of the network
ICMP: Normal activity
Normal messages:
 Host unreachable
 Port unreachable
 Admin prohibited
 Need to fragment
 Time exceeded in transit
ICMP: Normal activity
Host unreachable
 Router at target host’s network sends such
a message.
 This gives out info to an attacker.
 Some
routers (Cisco) allow an access control
list entry:

no ip unreachable
ICMP: Normal activity
Port unreachable
 target.host > sending.host: icmp:
target.host udp port ntp unreachable (DF)
 Used for UDP
 TCP has the RESET message to inform
sender.
ICMP: Normal activity
Unreachable - Admin Prohibited
 Router informs sender that this type of
message cannot be forwarded.
 Router
decision based on access control list.
 Message leaks information to outside
scanner.
ICMP: Normal activity
Need to Frag
 Router informs sender that DF is set, but
that the package is larger than the MTU.
ICMP: Normal activity
Time Exceeded In-Transit
 Packages contain Time To Live (TTL)
value.
 Each router handling a package
decrements the TTL value.
 If TTL is zero, router discards package and
sends the Time Exceeded In-Transit
message to the sender.
ICMP: Normal activity

ICMP messages contain additional date
in the package.
 In
particular: IP header followed by eight
bytes of protocol header and data of the
original datagram.
 Not all OS implementations do this in
exactly the same way.
Nmap used this for OS fingerprinting.
 Lately, all TCP/IP stack implementations have
been fixed to remove OS idiosyncracies.

Malicious ICMP: Smurf Attack
Smurf attack on victim 129.219.19.198
 Step 1: Send ICMP echo request to a broadcast
address with spoofed IP of 129.219.19.198
 Step 2: Router allows in ICMP echo request to
broadcast address
 Step 3: All live hosts respond with ICMP echo
reply to real machine with source IP
129.219.19.198
Malicious ICMP: Smurf Attack

ISMP Smurf Attack
 Denial
of Service Attack.
 Effort of Attacker << Effort of Victim.
 Uses ICMP replies from network as an
amplifier.
 Works well if victim has a slow connection.
Malicious ICMP:
Tribal Flood Network
Based on Smurf
 Creates zombies out of compromised
machines
 Compromised machines use a trigger to
start bombarding a victim with requests
 Many variations on this theme

Malicious ICMP:
Winfreeze (obsolete)
Uses the ICMP redirect message.
 Legal use is to update routing information.
 Flood of redirect message causes the
victim (Win95 / Win98) to redirect traffic to
itself via random hosts.
 Victim spends too much time updating
routing table.

Malicious ICMP: Loki
Uses ICMP packages for covert channel
 A compromised host with a Loki server
responds to requests from a Loki client.
 Requests are sent via ping messages with
data embedded in ICMP pings.
 Originally used bytes 6 and 7.

 http://sourceforge.net/projects/loki-lib/
Malicious ICMP:
Simple Counter-Measures
Limit ICMP messages at the firewall.
 Leads to inefficiencies, such as trying a
TCP connection to a host that is down.
 Need to admit path MTU discovery.
 Log those that are let through.

Harmless Behavior: TCP

Destination Host not Listening on
Requested Port
 Receiver
acknowledges and resets at the
same time.

Destination Host does not Exist
 Router
sends with the ICMP: Host xxx.yyy
unreachable
Harmless Behavior: TCP

Destination Port Blocked
 Router

icmp: xxx.yyy unreachable – admin prohibited filter
 Router

responds with an icmp message:
does not respond.
Sender retries up to a protocol dependent
maximum number of retries time
Harmless Behavior: UDP

Destination Host not Listening on
Requested Port
 Destination

icmp: xxx.yyy port domain unreachable
 Or:

host sends icmp message:
destination host does not respond.
Sender will possibly retry several times
Harmless Behavior: Windows
Tracert

tracert (traceroute) uses ICMP pings
 Tracing
host sends ICMP echo request with TTL = 1.
 Then tracing host sends ICMP echo request with TTL
= 2, etc.
 First router responds to first request.

If not destination, then with icmp: time exceeded in transit
message
 Second
router responds to second request, etc.
Harmless Behavior: Unix Tracert

traceroute uses UDP to random ephemeral port.
 Tracing host sends UDP package with TTL = 1.
 Then tracing host sends UDP package with TTL
= 2,
etc.
 First router responds to first request.

If not destination, then with icmp: time exceeded in transit
message
 Second
 Target
router responds to second request, etc.
responds with a port unreachable message.
FTP
Uses TCP
 Active / Passive FTP
 Both use port 21 to issue FTP commands.
 Active FTP:

 Uses
port 20 for data.
 FTP server establishes connection to client
FTP: Active FTP Example:


Command channel between server8.engr.scu.edu.21 and
Bobadilla.1628
Dir command creates a new connection between
server9.engr.scu.edu.20 and Bobadilla.5001
FTP
The opening of a connection from the
outside to an ephemeral port is
dangerous.
 Passive FTP: The client initiates the data
connection to port 20.

Malicious TCP Use:
Mitnick Attack (obsolete)

SYN flood
 Goal
is to disconnect victim from the net.
 Throws hundreds / thousands of SYN packets
 Return address is spoofed.
 Recipient’s stack of connections waiting to be
established is flooded.
 Still works with DDoS attack.
Malicious TCP Use:
Mitnick Attack (obsolete)

Identify Trust Relationships
 Extensive
network mapping.
 Nbtstat/finger, showmount, rpcinfo -r, …
 Rpcinfo provides information about the
remote procedure call services and their ports
Malicious TCP Use:
Mitnick Attack (obsolete)

Initiate a number of TCP connections to
the host.
 Send
SYN packet. Receive SYN/ACK packet.
Send RES so that victim is not flooded.
 Observe the sequence number values
between different connections.
 Can they be predicted?
Malicious TCP Use:
Mitnick Attack (obsolete)
B
Victim trusts B
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)

Attacker can predict the sequence number
that victim expects.
B
Victim trusts B
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)
Attacker SYN floods B.
 B cannot respond.

B
Victim trusts B
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)
Attacker takes over B’s identity.
 Spoofs packet from B to Victim.

B
SYN
Victim trusts B
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)
Victim responds with SYN / ACK to B.
 B cannot respond.

ACK / SYN
Victim trusts B
B
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)

Attacker sends the ACK with the guessed
sequence number to victim
B
ACK
Victim trusts B
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)

Attacker sends another TCP packet with
payload: rsh victim “echo ++ >> .rhosts”
B
Bad stuff
Victim trusts B
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)

Now victim trusts everyone.
B
Victim trusts
everyone.
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)

Attacker terminates connection with a FIN
exchange
B
FIN ACK FIN ACK
Victim trusts
everyone
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)

To wake up B, attacker sends it a bunch of
RES to free B from the SYN flood.
B
RES
RES
RES
Victim trusts
everyone
Attacker
Malicious TCP Use:
Mitnick Attack (obsolete)

Attacker now starts a new connection with
the victim.
B
Yak yak yak
Victim trusts
everyone
Attacker
Malicious TCP Use:
Mitnick Attack Detection


Network based intrusion detection (NID) can find
the original site mapping.
NID can find the reconnaissance by finding
“finger” “showmount” etc. commands.
 Directed
to the same port (111).
 This is a dangerous port.
 Frequent.
Malicious TCP Use:
Mitnick Attack Detection
Host scans log instances where a single
system accesses multiple hosts at the
same time.
 Host-based Intrusion Detection (HID) can
find access to a single port.
 HID / Tripwire could find changes to
.rhosts.

Malicious TCP Use:
Mitnick Attack Detection
Computer Forensics can detect the attack
by
 Logging network traffic.
 Examining MAC of important files (.rhosts)
Malicious TCP Use:
Mitnick Attack Prevention

Router-based Firewall blocks certain type of
traffic.
 Network mapping.
 SYN flooding.
 Access to dangerous

Host-based firewall blocks
 Access

ports.
to dangerous ports.
Security policy
 Disallows reconnaissance tools.
 Enforces better authentication.
Domain Name Servers
Provide mapping from host names to IP
addresses.
 DNS resolution process

 Client
sends a gethostbyname message to
the local domain name server.
 Local domain name server sends back ip
address.

Uses UDP (almost exclusively)
DNS: Resolution protocol
1.
2.
3.
4.
5.
6.
Client to local DNS server gethostbyname
Local DNS server sends forwards request to root server.
Root server returns with name of remote DNS server.
Local DNS server queries remote DNS server.
Remote DNS server answers with IP address.
Local DNS server gives data to client.
DNS
Use caching to prevent overload by root
servers.
 DNS records have a TTL

 Responding
DNS server sets TTL.
 Receiving DNS server caches record for TTL
time.
DNS: Reverse Lookup
IP-address to host-name
 Query for 1.2.3.4 send to 4.3.2.1.inaddr.arpa

DNS:
Master - Slave Name Servers
Each domain has a single master DNS
server.
 Add slaves for redundancy.
 Slave server periodically contacts
master to see whether there are
changes.
 Older BIND download all data from
domain, even if only one record has
changed.

DNS
Zone Transfer
Slave server restarts  zone transfer from
master to slave
 Uses TCP, port 53.
 Attackers like zone transfer

 Gives
all IP addresses and names in subnet.
 Newer versions of BIND limit transfers based
on IP address.
DNS:
Abuse for Reconnaissance

nslookup: Get name servers.
DNS:
Abuse for Reconnaissance

HINFO: host information.
DNS:
Abuse for Reconnaissance


List the zone map information.
> ls –d engr.scu.edu in nslookup
DNS:
Abuses and Problems
DNS cache poisoning
 Affects BIND versions before 8.1.1.
 Based on lack of authentication
 Some BIND versions cache every DNS
data they see.

DNS Cache Poisoning
Attack on Hillary Clinton’s Run for Senate
Website
 Traffic to www.hillary2000.org (IP address
206.245.150.74) redirected to
www.hillaryno.com (IP address
206.245.150.74.)

DNS Cache Poisoning

Step 1: Evil sends a bogus query to the victim’s
name server that contains data www.hillary2000.org
at 206.245.150.74
DNS Cache Poisoning



Step 2: Name server accepts the bogus
information (even though it is contained in a
query).
Step 3: Victim requests IP address of
hillary2000.org and is directed to
hillaryno.com.
Vulnerability arises from lack of
authentication and of using queries to
update entries at the queried server.
DNS Cache Poisoning

Birthday Attack
 Attacker
sends large number of queries to a
vulnerable name server asking for hillary2000.
 Attacker sends an equal number of phony replies
(with the poisoned data).
 Name server will generate requests to resolve
hillary2000.
 With high probability, one of the phony answers will
have the same transaction number as the name
server’s query.
DNS: The Bind Birthday Attack
DNS Cache Poisoning



Redirect traffic to a fake Pay-Pal or other ecommerce site.
Set-up Man in the Middle Attacks
Defenses:
 Domain
Owner has to rely on the DNS system.
 ISP name server admin needs to protect by


Updating BIND or replacing it with djbdns
Two name servers, one for the public domain information to
the outside, another for internal use.
 End
user has to rely on the DNS system.
Routing

Local Routing Table: netstat -r
Static Routing

IP Layer searches the routing table in the
following order
 Search
for a matching destination host
address
 Search for a matching destination network
address
 Search for a default entry
Routing
Static routes are typically added during the
boot process.
 Administrative changes with a “routing”
command.
 ICMP routing discovery messages

Routing Changes
A host might have inefficient entries in the
routing table.
 ICMP Router Discovery Protocol (IRDP)

 ICMP
redirect messages
 ICMP routing discovery messages

IRDP needs to be enabled.
Routing Changes

ICMP Redirect Message
 A sends
message to D.
 Routing table says to send to B first.
Routing Changes

ICMP Redirect Message
B
forwards to C
 B informs A that there is a direct route to C

ICMP Redirect Message
Routing Changes

ICMP Redirect Message
C
forwards package to target.
 A updates routing table.
IRDP DoS Exploit



Attacker (E) sends spoofed IRDP message to A
A updates routing table to reflect bogus default value.
A looses connectivity
IRDP Windows Exploit





Windows (95, 98, 2000) and some Solaris systems are
vulnerable.
If a Windows hosts runs a Dynamic Host Configuration
Protocol (DHCP) client, it obtains its default route from
the DHCP server.
ICMP router advertisement can be spoofed.
First router advertisement is checked for correct IP
address.
Second router advertisement is erroneously not.
IRDP Windows Exploit
Attacker sends two ICMP router
advertisements to victim.
 Victim updates its default gateway to IP
determined by attacker.
 Use for man in the middle attacks or DoS.

IP Options

IP options enhance the IP protocol.
 Security
 Stream
Identification
 Internet Timestamp
 Loose Source Routing
 Strict Source Routing
 Record Route
These are
security risks
IP Route Options
Loose Source Routing specifies a route
that includes a list of required nodes.
 Strict Source Routing specifies the
beginning of a route (up to 9 nodes)
completely.
 Record Route: does not alter the routing
but requires that all nodes are recorded.

Detecting IP Source Routing
IP header is larger than 20B
 IP option field has a hex value of

 83:
loose source routing
 89: strict source routing

ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20]
= 89)
Source Route Exploit
Spoofing host requires source routing
through a host trusted by the victim.
 Victim decides that the traffic comes from
a trusted host.
 Therefore: firewalls need to disable
source-routing or network admin needs to
disable trust relationships.

Network Address Translation



Allows many internal IP addresses
appearing to be few external IP addresses
Local hosts have typically non-routable
addresses
Function:

Local machine connects to NAT box as
gateway
 NAT box assigns connection a routable IP
address and port
 Outside host answers to latter address.
 NAT box forwards requests to local
machine
From: http://www.californiasw.com/Knowledge-center
/whitepaper/vxworks.html
Internet Group Management
Protocol (IGMP)
Defined by RFC 1112.
 IGMP messages use IP Protocol 2
 IGMP are used to join and leave multicast
groups.

IPSec

Security layer based on IPv6
 Implemented
as Bump In The Stack
Architecture





Upper layer protocols
TCP/UDP
IP
IPSec
Data link layer
 Implemented
in the IP layer
IPSec
Provides authentication of source IP
address
 Provides message integrity and encryption


Take COEN 350
SNMP: Simple Network
Management Protocol

Allows remote managing and managing
TCP/IP devices
 Example
Vulnerability
SNMP default accounts public and private
 When queried, will return SNMP information

Can be used for network mapping
 Might spell out passwords

Network Authentication
Threats

Passive Sniffing
 Malicious
Mallory can read messages between Alice
and Bob.

Spoofing
 Malicious
Mallory can create messages that seem to
come from either Alice or Bob.

Standard Attack Modes:
 Breaking Cryptography
 Man-in-the-Middle
 Replay Attacks
 Reflection Attack
(Open several connections)
Man In the Middle Attack
Bucket Brigade Attack
Attacker reroutes traffic through itself.
 Example:

 Victim
connects to attacker:80, thinking that
attacker is bank.com:80
 Attacker displays login screen from bank.com
to victim
 Attacker goes to bank.com
Man In the Middle Attack
Bucket Brigade Attack
Black
victim
Victimhat
to to
black
hat
Hat
to
Bank.com
Victim
Victim: Login sue user
Login
Please
Password
is by
“fiddlesticks”
Password
(intercepted
Please
black
hat)
Bank
Black
toHat
Black
hat
toBank.com
Hat
bank
Black
Hat
toblack
Bank
Bank.com
toto
hat
Black
Password
Login
sue
Please
Password
isuser
“fiddlesticks”
Login
Please
Man In the Middle Attack
Bucket Brigade Attack

Could be prevented with SSL
 But
only if victim’s browser ascertains
certificate of bank
Replay Attack
Remote authentication protocol
 Instead of sending password, user sends
password encrypted
 Attacker sniffs password exchange and
now knows what to send.

Reflection Attack

Simple, mutual authentication protocol
based on capability to encrypt a challenge
Session 1 Trudy: I am Alice. RA.
Session 1 Bob: RB. EK(RA).
Session 2 Trudy: I am Alice. RB.
Alice: ISession
am Alice.
RA R . E (R ).
2 Bob:
B’
K
B
Bob:Session
RB. EK(R
1 Trudy:
Hi Bob. EK(RB).
A).
Alice:
Hi Bob.
EK(RHiB).Alice.
Session
1 Bob:
Reflection Attack

Reflection Attack:
Session 1 Trudy: I am Alice. RA.
Session 1 Bob: RB. EK(RA).
Session 2 Trudy: I am Alice. RB.
Session 2 Bob: RB’. EK(RB).
Session 1 Trudy: Hi Bob. EK(RB).
Session 1 Bob: Hi Alice.
Protecting Networks
Terms of Trade

Border Router


DMZ



First / last router under control
of system administration.
Demilitarized zone.
Security is low, since not
protected by firewall. Locate
webservers and other services
there that generate potentially
unsafe traffic.
Firewall

Filters packages based on a
variety of rules.
Protecting Networks
Terms of Trade

IDS

Intrusion Detection System.



VPN


NIDS: glean intrusion signatures
from traffic.
HIDS: monitor activity at a host on
which they are located.
Virtual private network
Screened subnet

Area protected by an internal
firewall.
Protecting Networks
Terms of Trade

Configuration Management

Known vulnerabilities account for
most of actually perpetrated
exploits.
 For most of them, patches were
available, but not installed.
 CM tries to enforce uniform
security policies.

Backdoors

An entrance into the system that
avoids perimeter defenses.
Defense in Depth
 Rule
Do
1: Multitude of security measures.
not relay on one security mechanism.
Defense in Depth

Example: External tcp packet passes:
 Internet
Perimeter Router
 Internet perimeter firewall
 DMZ firewall
 Network IPS
 NetFlow

Analyzes connections on network
 Antivirus
 Host
IPS
Scanner on host
Firewalls

Firewalls are perimeter defense:
 Keep
the bad stuff outside, enjoy life inside.
Filtering

Signature
 Any
distinctive characteristic that identifies
something (with a high degree of
probability)
 Signature Types

Atomic Signatures


Single packet, single event, single activity is
examined.
Stateful Signatures

State: Needed when analyzing multiple pieces of
information that are not available at the same time.
Filtering

Atomic vs. Stateful Signatures
 LAND

Attacker sends TCP-SYN packet with same source and
destination address.


attack
Caused TCP stacks to crash.
Can be discovered looking at a single packet.
 Search


for string “etc/password” in a URL
Attacker fragments the packet so that the string is not in
either fragment.
State is needed in order to recognize the attack.
Filtering

Signature Triggers
 Pattern Detection
 Simple string search


Search for string “etc/passwords” ARP
Protocol decoders search for string only in protocol fields.

ARP request with source address FF:FF:FF:FF:FF:FF
 Anomaly


Traffic going to an unusual port.
Protocol compliance for http traffic
 Behavior


Detection
Detection
Abnormally large / small fragmented packets
Search for RPC requests that do not initially utilize the
PortMapper
Filtering

Signature Actions
 Generating
an alert
 Dropping / preventing an activity
 Logging the activity
 Resetting a TCP connection
 Blocking future activity
 Allow activity
Packet Filtering

Static Packet Filtering
 Allow
or deny access to packets based on
internal characteristics.
access list 111 deny ip host 205.205.205.205.1 any
access list 111 permit tcp host 205.205.205.205.1 any
access list 111 deny icmp any any echo-request
access list 111 permit icmp any any packet-to-big
access list 111 deny icmp any any
Cisco extended ACL
Static Packet Filtering
Difficult to design efficient rules.
 Easy
to get the rules tables wrong and allow bad
traffic.

Security risks
 People
can piggy-back bad messages in harmless
ones.


http traffic is known to be used as a backdoor.
Loki uses unused fields in normal TCP packets.
 Fragmentation
allows the filter to look only at a
fragment

Most only look at the first fragment
Static Packet Filtering

Configuring a packet filter:
 Security
Policy: what is allowed, what is not
allowed.
 Allowable types of packets must be specified
logically, in terms of logical expression on
packet fields.
 Expressions need to be rewritten in the
firewall vendor’s language.
Static Packet Filtering

Example
 Security


Policy:
Allow inbound mail messages (SMTP, port 25), but only to
gateway.
Block host faucet.
action
Our host
port
Their host
port
comment
block
*
*
faucet
*
We don’t trust
these people.
allow
OUR-GW
25
*
*
Connection to our
SMTP server
Static Packet Filtering

Example

If no rule applies, then the packet is dropped.



Without additional rules, our rule set would drop all non-mail
packets. There would also be no replies.
Beware of a rule like this (intended to allow acks)
action
Our host
port
Their host
port
comment
allow
*
*
*
25
Connection to
their SMTP port
Based solely on outside host’s port number.


Port 25 is usually the mail port.
But there is no guarantee.
Static Packet Filtering

Example
 Expand
rule set to allow connection with the outside:
action
Our host
port
Their host
port
block
*
*
faucet
*
allow
OUR-GW
25
*
*
allow
(our host)
*
*
25
allow
*
25
*
*
Flag
comment
Our packets to their port
ACK
Their replies
Specify the names of all machines allowed to send mail to the outside here.
Static Packet Filtering

Combating Address Spoofing
 At
a minimum:
Don’t allow inside source addresses coming in.
 Don’t allow outside source addresses going out.
 Block source routing at the border routers.

Static Packet Filtering

Routing Information



If a node is unreachable from the outside then the node is almost
(but not quite) as safe as a node disconnected from the net.
Internal routers should not advertise paths to such nodes to the
outside.
Filter routes learned from the outside:


Protects against subversion by route confusion.
Route squatting:



Use internal addresses that belong to a different domain.
The nodes are de facto unreachable from the outside.
Use non-announced addresses. (e.g. 10.x.x.x)
 But beware, when companies merge, these addresses tend to be
incompatible.
 So pick addresses in unpopular address ranges.
Static Packet Filtering

Performance
 Packet

filtering is done at the border.
No degradation for the internal network.
 Typically,
connection to ISP is the bottleneck.
 However:
Degradation depends on the number of rules
applied.
 Can be mitigated by careful ordering of rules.

Application Level Filtering

Packet filters only look at





The source address
The destination address
TCP / UDP port numbers
TCP / UDP flags.
Application filters deals with the details of the
service they are checking.
 E.g.
a mail application filter looks at
 RFC 822 headers.
 MIME attachments.
 Might identify virus infected attachments.
Application Level Filtering

Snort:
 Allows
to set up rules that pass a packet on to
another service.

Commercial firewalls
 Include
application level filters for many
products.
 Use non-disclosure agreement to obtain
proprietary protocols
Dynamic Packet Filtering



Stateful Firewall
Still look at each packet.
Maintains a state of each connection.
 Implements
connection filtering.
 Dynamically adjust a filtering table of current
connections.
 Implementation

Adjust the filtering rules dynamically.



E.g.: We started an HTTP connection to a given host.
Now HTTP packages from that host are allowed.
OR: Terminate the connection at the firewall and then have
the firewall call the ultimate destination (proxying).
Proxy Firewalls


Proxies act on behalf of a client.
Proxy firewall

Reverse Proxy




Receives packages on one card.
Processes requests.
Translates them into internal requests on other card.
Receives answers from inside and translates to the outside.
Proxy Firewalls

Proxy firewall

Forward Proxy





Receives requests from the inside.
Processes requests.
Translates them into requests to
the outside on other card.
Receives answers from outside
and translates to the inside.
Acts on behalf of inside machine
that is protected from the vagaries
of the internet.
Proxy Firewalls
Application level proxies work at the level
of application.
 Circuit-level proxies

 does
not understand the application
 makes filtering decisions by validating and
monitoring sessions.
Possible Configurations
Dual Homed Host
Internet
Dual-homed host
acting as firewall
Internal Network
Possible Configurations
Screened Host Architecture
Internet
Router only allows
traffic to bastion host
(screening router)
Bastion host sits
on internal
network
Bastion host
works as proxy
Internal Network
Possible Configurations
Screened Subnet
Internet
Bastion host sits
on perimeter
network
Exterior Router
a.k.a. access router
Perimeter Network
Interior Router
a.k.a. choke router
Internal Network
Possible Configurations
Attach bastion host(s) to perimeter
network (DMZ)
 Two possibilities to allow access to
internet for internal hosts

 Use
exterior and interior router to filter
packages
 Use bastion host as proxy
Possible Configurations



O.K. to have many bastion hosts
O.K. to merge interior and exterior router
O.K. to merge bastion host and exterior router





O.K. to have many interior subnetworks.
O.K. to have many exterior routers
O.K. to have multiple perimeter networks
NOT O.K. to merge bastion host and interior router


Performance of bastion host might not be sufficient
Bastion host becomes single point of failure
NOT O.K. to use multiple interior routers

Need to maintain same policy on all interior routers
Securing Public Web Servers

Isolate the web server
internet
firewall
internal network
Only SQL Protocol permitted
SQL server
firewall
webserver
Firewall Settings for DNS

Use a bastion host to host fake DNS server
 True
DNS server on the interior network
 DNS query proceeds with DNS proxying:






Local DNS client goes to local DNS server (interior network)
Local DNS server sends query to bastion host (perimeter
network)
Bastion host forwards query to internet DNS system
Internet DNS system answers question to bastion host
Bastion host forwards to real DNS server
Real DNS server forwards to local DNS client
Hiding DNS Server
Internet
Fake DNS server
Exterior Router
a.k.a. access router
Perimeter Network
Interior Router
a.k.a. choke router
True DNS server
Internal Network
Local
DNS client
Firewall Settings for DNS

Fake DNS server provides basic
hostname and IP addresses for
 Machines
in the perimeter network
 Machines in the interior network that someone
on the outside needs to connect to.
 Fake information on machines that can
contact the outside world directly.
Firewall Settings for DNS

Packet filtering on internal router needs to allow:

DNS queries from the internal server to the bastion host server



Responses from bastion host to the internal server



UDP packets from port 53 on bastion host to port 53 on internal
server
TCP packets with ACK bit set from port 53 on the bastion host to
ephemeral ports on internal server
DNS queries from bastion host DNS clients to internal server


USP packets from port 53 from an internal host to port 53 bastion
host
TCP packets from ephemeral port on internal host to port 53 on
bastion host
UDP and TCP packets from ephemeral ports on bastion host to port
53 on internal server
Responses from internal server to bastion host DNS clients

UDP and TCP packets with ACK bit from port 53 on the internal
server to ephemeral ports on bastion host
Hiding DNS Server
Internet
Fake DNS server
Exterior Router
a.k.a. access router
Perimeter Network
Interior Router
a.k.a. choke router
True DNS server
Internal Network
Local
DNS client
Application Inspection

Dynamic Firewalls allow selective
inspection of applications:
 http
 ftp
 dns
 icmp
…
Application Inspection

DNS example (Cisco ASA DNS inspection)
 Guarantees
that the ID of the DNS machine
matches the ID of the DNS query
 Allows translation of DNS packets using NAT
 Reassembles DNS packets to verify its length.
Application Inspection

SMTP (Cisco ASA protection)
 Protects
against SMTP-based attacks by
restricting the types of SMTP commands.
Illegal command is modified and forwarded.
 Typically, receiver replies with an SMTP error 500
(command not recognized)

 Checks
size, …
Virtual Private Networks
Virtual Private Networks
VPN uses connections over an existing
public network
 Connection secured with encryption

 Host
to Host
 Host to Gateway
 Gateway to Gateway
Virtual Private Networks
Virtual Private Networks

Encryption can be done at
 Application
level.
 Transport level.
 Network level.
 Data link level.
Virtual Private Networks
VPN Technologies

Application Level



Pretty Good Privacy
Secure Shell (SSH)
Transport Level

Secure Socket Layer



Does not protect the package, but its content.
Typically runs at the application level of the OS, so OS does not need to be
changed.
Network Level

IPSec


Encrypts package itself.
Encrypted package receives a new package header.



IPSec protects port address, but not destination address.
OS need to be changed (but only once: Win2000, WinXP)
Data Link

Layer 2 Tunneling Protocol addition to Point-to-Point protocol (PPP)

Encrypts packets on the data layer.

L2TP (Layer 2 Tunneling)
Virtual Private Networks

Alternatives are dedicated point-to-point
connections such as a private T1 line.
 Most
secure.
 Most expensive.
 Takes time to set-up.
Related documents
Northeastern Illinois University Department of Computer
Northeastern Illinois University Department of Computer
Network Protocols
Network Protocols
IST 201 - York Technical College
IST 201 - York Technical College
OSI Reference Model - Long Island University
OSI Reference Model - Long Island University
Introduction to Whole Numbers and Integers
Introduction to Whole Numbers and Integers
CLIENT SERVER ARCHITECTURE
CLIENT SERVER ARCHITECTURE
common network terms - Amazon Web Services
common network terms - Amazon Web Services
The TCP/IP reference model and OSI reference model IPv4 vs. IPv6
The TCP/IP reference model and OSI reference model IPv4 vs. IPv6
ReviewSheet Midterm2 Last modified January 7
ReviewSheet Midterm2 Last modified January 7
CSCI6268L25
CSCI6268L25
Ch14
Ch14
9-0 Internet Protocol Attacks and some Defenses
9-0 Internet Protocol Attacks and some Defenses