Network Security ISOC NTW 2000 ppt


© 2000, Cisco Systems, Inc. NTW 2000

Slide 1: Network Security, ISOC NTW 2000

Slide 2: Introduction

Slide 3: Network Security Components

Slide 4: ISP Example
[Diagram labels: Customer Site, ISP Management Plane, T1, WWW, DNS1, Pub1, TFTP, DNS2, Pub 2, ISP Service Plane, Foreign Site, Internet]

Slide 5: Enterprise Example
[Diagram labels: Protected Network, Engineering, Admin, Finance, Dial-Up Access, Business Partners, DNS Server, WWW Server, Internet]

Slide 6: Current Threats and Attack Methods

Slide 7: Attack Trends
• Exploiting passwords and poor configurations
• Software bugs
• Trojan horses
• Sniffers
• IP address spoofing
• Toolkits
• Distributed attacks

Slide 8: Attack Trends
[Chart, 1988 to 2000, scale Low to High: Attack Sophistication, Attacker Knowledge]

Slide 9: Vulnerability Exploit Cycle
• Advanced Intruders Discover Vulnerability
• Crude Exploit Tools Distributed
• Novice Intruders Use Crude Exploit Tools
• Automated Scanning/Exploit Tools Developed
• Widespread Use of Automated Scanning/Exploit Tools
• Intruders Begin Using New Types of Exploits
Source: CERT Coordination Center

Slide 10: Increasingly Serious Impacts
• $10M transferred out of one banking system
• Loss of intellectual property - $2M in one case, the entire company in another
• Extensive compromise of operational systems - 15,000 hour recovery operation in one case
• Alteration of medical diagnostic test results
• Extortion - demanding payments to avoid operational problems

[...]...
Slide 17 (fragment): jhervq5 Router5#

Slide 18: ISP Example
[Diagram labels: Internet, Foreign Site, ISP Service Plane, T1, Customer Site, WWW, DNS1, ISP Management Plane, Pub 2, DNS2, TFTP, Pub1]

Slide 19: Enterprise Example
[Diagram labels: Engineering, Finance, Internet, Admin, WWW Server, Protected Network, Dial-Up Access, DNS Server, Business Partners]

Slide 20: nmap
• network mapper...

Slide 12 (fragment): ... 1996-1999

Slide 13: Unauthorized Use
[Chart: Percentage of Respondents (0 to 70) answering Yes, No, Don't Know, 1996 to 2000]
Source: 2000 CSI/FBI Computer Crime and Security Survey

Slide 14: Conclusion
Sophisticated attacks + Dependency + Vulnerability

Slide 15: Classes of Attacks
• Reconnaissance: Unauthorized discovery and mapping of systems, services,...

Slide 26 (fragment): [Figure: Internet Datagram Header]

Slide 27: IP Spoofing
[Diagram labels: A, B, C, Attacker; speech bubble: "Hi, my name is B"]

Slide 28: IP: Normal Routing
[Diagram: hosts A, B, C and routers Ra, Rb, Rc, each with routing-table entries; packet A -> B]
Routing based on routing tables

Slide 29: IP: Source Routing
[Diagram, truncated: B B unknown ->...]

Slide 11: Evolving Dependence
• Networked appliances/homes
• Wireless stock transactions
• On-line banking
• Critical infrastructures
• Business processes

Slide 12: The Community's Vulnerability
[Diagram labels: Internal Exploitation, Internet, External Exploitation, 75% vulnerable, 100% vulnerable]
Source: Cisco Security Posture Assessments 1996-1999...

Slide 21 (fragment):
... telnet
25/tcp open smtp
37/tcp open time
80/tcp open http
110/tcp open pop-3

Slide 22: Why Do You Care?
• The more information you have, the easier it will be to launch a successful attack:
  Map the network
  Profile the devices on the network
  Exploit discovered vulnerabilities
  Achieve objective

Slide 23: Access Methods
• Exploiting passwords
  Brute...

Slide 15 (fragment): ... escalation
• Denial of Service: Disable or corrupt networks, systems, or services

Slide 16: Reconnaissance Methods
• Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
• Public tools: Sniffers, SATAN, SAINT, NMAP, custom scripts

Slide 17: Network Sniffers
[Diagram labels: Router5, "Got It !!", … telnet...]

Slide 23 (fragment): ... Sharing

Slide 24: Access Methods cont'd
• Exploit application holes
  Mishandled input data: access outside application domain, buffer overflows, race conditions
• Protocol weaknesses: fragmentation, TCP session hijacking
• Trojan horses: Programs that plant a backdoor into a host

Slide 25: IP Packet
• Internet Protocol
  IP = connectionless network. ..

Slide 29 (fragment): IP: Source Routing
[Diagram: hosts A, B, C and routers Ra, Rb, Rc; packet A -> B via Ra, Rb]
Routing based on IP datagram option

Slide 30: IP Unwanted Routing
[Diagram: Internet, DMZ, intranet; hosts A, B, C; routers R1, R2; routing-table entries (A unknown, B via R1; A unknown, B via DMZ; A unknown, B via Internet; A via Intranet, B via DMZ, C unknown); packet C->A via R1, R2]

Slide 31: IP...
[Diagram, truncated: ... via A; C->; A unknown, B via PPP; B (acting as router); C->A via B]

Slide 32: IP Spoofing Using Source Routing
[Diagram: hosts A, B, C and routers Ra, Rb, Rc; note at A: "B is a friend allow access"; packets B->A via C, Rc, Ra and A->B via Ra, Rc, C]
Back traffic uses the same source route

Slide 33: Transport Control Protocol
• TCP =...
Slide 34 (fragment): [Figure: TCP Header Format; last row shown: data]

Slide 35: TCP connection establishment
[Diagram: hosts B and A; messages in order:]
flags=SYN, seq=(Sb,?)
flags=SYN+ACK, seq=(Sa,Sb)
flags=ACK, seq=(Sb,Sa)
flags=ACK, seq=(Sb,Sa+8), data="Username:"

Slide 36: TCP blind spoofing
[Diagram, truncated: A; B; C masquerading as B; flags=SYN, seq=(Sb,?)]

Date posted: 28/03/2014, 20:20
