CHAPTER 9: Security Standards and Services

Technologies and methodologies exist that can help safeguard against spoofing of these capability challenges. These include the following:

- Using firewalls to guard against unauthorized transmissions
- Not relying on security through obscurity, the expectation that using undocumented protocols will protect you
- Using various cryptographic algorithms to provide differing levels of authentication

Subtle attacks are far more effective than obvious ones. Spoofing has an advantage in this respect over a straight vulnerability exploit. The concept of spoofing includes pretending to be a trusted source, thereby increasing the chances that the attack will go unnoticed. If the attacks use just occasional induced failures as part of their subtlety, users will often chalk it up to the normal problems that occur all the time. By careful application of this technique over time, users' behavior can often be manipulated.

Test Day Tip
Knowledge of TCP/IP is really helpful when dealing with spoofing and sequence attacks. Having a good grasp of the fundamentals of TCP/IP will make the attacks seem less abstract. Additionally, knowledge of not only what these attacks are but also how they work will better prepare you to answer test questions.

EXERCISE 9.4 ARP Spoofing
Address Resolution Protocol (ARP) spoofing can be quickly and easily done with a variety of tools, most of which are designed to work on UNIX OSs. One of the best all-around suites is a package called dsniff. It contains an ARP spoofing utility and a number of other sniffing tools that can be beneficial when spoofing. To make the most of dsniff, you'll need a Layer 2 switch into which all of your lab machines are plugged. It is also helpful to have various other machines doing routine activities such as Web surfing, checking POP mail, or using Instant Messenger software.

1. To run dsniff for this exercise, you will need a UNIX-based machine. To download the package and to check compatibility, visit the dsniff Web site at www.monkey.org/~dugsong/dsniff.
2. After you've downloaded and installed the software, you will see a utility called arpspoof. This is the tool that we'll be using to impersonate the gateway host. The gateway is the host that routes the traffic to other networks.
3. You'll also need to make sure that IP forwarding is turned on in your kernel. If you're using *BSD UNIX, you can enable this with the sysctl command (sysctl -w net.inet.ip.forwarding=1). After this has been done, you should be ready to spoof the gateway.
4. arpspoof is a really flexible tool. It will allow you to poison the ARP of the entire LAN or target a single host. Poisoning is the act of tricking the other computers into thinking that you are another host. The usage is as follows:

   home# arpspoof -i fxp0 10.10.0.1

   This will start the attack using interface fxp0 and will intercept any packets bound for 10.10.0.1. The output will show you the current ARP traffic. Congratulations, you've just become your gateway.
5. You can leave the arpspoof process running, and experiment in another window with some of the various sniffing tools which dsniff offers. Dsniff itself is a jack-of-all-trades password grabber. It will fetch passwords for Telnet, FTP, HTTP, Instant Messaging (IM), Oracle, and almost any other password that is transmitted in the clear. Another tool, mailsnarf, will grab any and all e-mail messages it sees and store them in a standard Berkeley mbox file for later viewing. Finally, one of the more visually impressive tools is WebSpy. This tool will grab URL strings sniffed from a specified host and display them on your local terminal, giving the appearance of surfing along with the victim.

You should now have a good idea of the kind of damage an attacker can do with ARP spoofing and the right tools.
This should also make clear the importance of using encryption to handle data. In addition, any misconceptions about the security or sniffing protection provided by switched networks should now be alleviated thanks to the magic of ARP spoofing!

Man-in-the-Middle Attacks
As you have probably already begun to realize, the TCP/IP protocols were not designed with security in mind and contain a number of fundamental flaws that simply cannot be fixed due to the nature of the protocols. One issue that has resulted from IPv4's lack of security is the MITM attack. To fully understand how a MITM attack works, let's quickly review how TCP/IP works.

TCP/IP was formally introduced in 1974 by Vinton Cerf. The original purpose of TCP/IP was not to provide security. Rather, it was to provide high-speed, reliable communication network links. A TCP/IP connection is formed with a three-way handshake. As seen in Figure 9.9, a host (Host A) that wants to send data to another host (Host B) will initiate communications by sending a SYN packet. The SYN packet contains, among other things, the source and destination IP addresses as well as the source and destination port numbers. Host B will respond with a SYN/ACK. The SYN from Host B prompts Host A to send another ACK and the connection is established.

If a malicious individual can place himself between Host A and Host B, for example by compromising an upstream router belonging to the ISP of one of the hosts, he can then monitor the packets moving between the two hosts. It is then possible for the malicious individual to analyze and change packets coming and going to the host. It is quite easy for a malicious person to perform this type of attack on Telnet sessions, but the attacker must first be able to predict the right TCP sequence number and properly modify the data for this type of attack to actually work, all before the session times out waiting for the response.
Obviously, doing this manually is hard to pull off; however, tools designed to watch for and modify specific data have been written and work very well. There are a few ways in which you can prevent MITM attacks from happening, such as using a TCP/IP implementation that generates TCP sequence numbers that are as close to truly random as possible.

FIGURE 9.9 A Standard TCP/IP Handshake (Host A sends SYN to Host B; Host B replies with SYN/ACK; Host A completes the handshake with ACK).

Replay Attacks
In a replay attack, a malicious person captures an amount of sensitive traffic and then simply replays it back to the host in an attempt to replicate the transaction. For example, consider an electronic money transfer. User A transfers a sum of money to Bank B. Malicious User C captures User A's network traffic, and then replays the transaction in an attempt to cause the transaction to be repeated multiple times. Obviously, this attack has no benefit to User C but could result in User A losing money. Replay attacks, while possible in theory, are quite unlikely due to multiple factors such as the level of difficulty of predicting TCP sequence numbers. However, it has been proven that the formula for generating random TCP sequence numbers, especially in older OSs, isn't truly random or even difficult to predict, which makes this attack possible.

Another potential scenario for a replay attack is this: an attacker replays the captured data with all potential sequence numbers, in hopes of getting lucky and hitting the right one, thus causing the user's connection to drop or, in some cases, inserting arbitrary data into a session. As with MITM attacks, the use of random TCP sequence numbers and encryption like SSH or IPSec can help defend against this problem. The use of time stamps also helps defend against replay attacks.

DoS
Even with the most comprehensive filtering in place, all firewalls are still vulnerable to DoS attacks.
These attacks attempt to render a network inaccessible by flooding a device such as a firewall with packets to the point that it can no longer accept valid packets. This works by overloading the processor of the firewall by forcing it to attempt to process a number of packets far past its limitations. By performing a DoS attack directly against a firewall, an attacker may be able to get the firewall to overload its buffers and start letting all traffic through without filtering it, or it may cause the firewall to shut down altogether, causing a disruption in normal network functions. If a technician is alerted to an attack of this type, one way to fend off the attack is to block the specific IP address that the attack is coming from at the router.

Distributed DoS
An alternative attack that is more difficult to defend against is the distributed DoS (DDoS) attack. This attack is worse because it can come from a large number of computers at the same time. This is accomplished either by the attacker having a large distributed network of systems all over the world (unlikely) or by infecting normal users' computers with a Trojan horse application, which allows the attacker to force the systems to attack specific targets without the end user's knowledge. These end-user computers are systems that have been attacked in the past and infected with a Trojan horse by the attacker. By doing this, the attacker is able to set up a large number of systems (called zombies) to perform a DoS attack at the same time. This type of attack constitutes a DDoS attack. Performing an attack in this manner is more effective due to the number of packets being sent. In addition, it introduces another layer of systems between the attacker and the target, making the attacker more difficult to trace.

Domain Name Kiting
Domain Name Kiting is when someone purchases a domain name, then soon after deletes the registration only to immediately reregister it.
Because there is normally a five-day registration grace period offered by many domain name registrars, domain kiters will abuse this grace period by canceling the domain name registrations to avoid paying for them. This way they can use the domain names without cost.

Because the grace period offered by registrars allows the registration of a domain name to be canceled without cost or penalty as long as the cancellation comes within five days of the registration, you can effectively own and use a domain name during this short timeframe without actually paying for it. It has become relatively easy to drop a domain name and claim the refund at the end of the grace period, and by taking advantage of this process, abusers are able to keep the registrations active on their most revenue-generating sites by cycling through cancellations and an endless refresh of their choice domain name registrations. Because no cost is involved in turning over the domain names, domain kiters make money out of domains they are not paying for.

Domain Name Tasting
Another concept that is very similar to Domain Name Kiting is called Domain Name Tasting. The two are similar in that they are both the abuse of domain names and the grace period associated with them. Domain Name Tasters register a domain name to exploit the Web site names for profit. Domain name investors will register groups of domain names to determine which namespaces will generate revenue through search engine queries and pay-per-click advertising mechanisms. They will often register typos of legitimate business sites hoping for human error to land Internet travelers on their Web sites, which in turn increases their bottom line. If it is determined that a specific domain name is not returning profit for the tasters, then they will simply drop the domain name, claim a refund, and continue on to the next group of names.
DNS Poisoning
DNS poisoning or DNS cache poisoning occurs when a server is fed altered or spoofed records that are then retained in the DNS server cache. Once the DNS cache on a server has been "poisoned" in this fashion, since servers use their cache as the first mechanism to respond to incoming requests, all additional queries for the same record will be responded to with the falsified information. Attackers can use this method to redirect valid requests to malicious sites. The malicious sites may be controlled by the offender and contain viruses or worms that are distributed, or they may simply be offensive sites already in existence on the Internet. For example, imagine if your child were to type in www.barbie.com and, instead of connecting to a pretty pink site with Barbie dolls and Barbie games, ended up on an adult pornographic Web site.

DNS poisoning is a real threat, which can be reduced by taking a few security precautions. First, by ensuring that your DNS server is up-to-date on patches and updates for known vulnerabilities, you will help to ensure the safety of your DNS cache. Also, by taking advantage of secure DNS whenever possible and using digital signatures, you will help to reduce the threat of DNS poisoning.

ARP Poisoning
ARP is a broadcast-based protocol that functions at Layer 2 of the OSI model. Its purpose is to map a known IP address to its corresponding Media Access Control (MAC) address in order for a packet to be properly addressed. A MAC address is a unique number assigned to network interface cards (NICs) by their manufacturers. ARP poisoning occurs when a client machine sends out an ARP request for another machine's MAC address information and is sent falsified information instead. The spoofed ARP message allows the attacker to associate a MAC address of their choosing to a particular IP address, which means any traffic meant for that IP address would be mistakenly sent to the attacker instead.
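The gateway impersonation described in Exercise 9.4 and the MAC substitution described here leave a visible trace in the ARP replies on the segment, which is what a defender can monitor for. The following is an added example and not code from the book: it parses constructed tcpdump-style "is-at" lines (the 10.10.0.1 gateway address is taken from the exercise; the MAC addresses and timestamps are made up) and flags the two poisoning indicators, an IP whose MAC changes and one MAC answering for several IPs.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies in tcpdump-like "is-at" form; not a real capture.
# The gateway 10.10.0.1 is first announced by one MAC, then a second host starts
# answering for both the gateway and a workstation, which is the poisoning pattern.
SAMPLE_ARP_LOG = """\
12:00:01.000 ARP, Reply 10.10.0.1 is-at 00:0c:29:aa:bb:01
12:00:02.000 ARP, Reply 10.10.0.25 is-at 00:0c:29:aa:bb:25
12:00:03.000 ARP, Reply 10.10.0.1 is-at 00:0c:29:de:ad:99
12:00:04.000 ARP, Reply 10.10.0.25 is-at 00:0c:29:de:ad:99
12:00:05.000 ARP, Reply 10.10.0.1 is-at 00:0c:29:aa:bb:01
"""

GATEWAY_IP = "10.10.0.1"  # assumed gateway address, taken from the exercise above

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})$"
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_poisoning(text, gateway_ip=GATEWAY_IP):
    """Return alert strings for the classic poisoning indicators:
    1. an IP whose MAC differs from the first one seen (a cache entry being overwritten),
    2. one MAC answering for several IPs (an attacker claiming both gateway and victim).
    Anything that involves the gateway is rated HIGH, everything else MEDIUM."""
    ip_to_mac = {}                  # first MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{ts} {sev}: {ip} changed from {known} to {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            sev = "HIGH" if gateway_ip in mac_to_ips[mac] else "MEDIUM"
            alerts.append(f"{ts} {sev}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_LOG):
        print(alert)
```

A static ARP entry for the gateway on each workstation, or dynamic ARP inspection on the switch, removes the condition this monitor detects rather than merely reporting it.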
This opens the door for many attack mechanisms to be used. Once the data has been intercepted, the attacker could choose to modify the data before forwarding it, which is called a MITM attack, or even launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

NETWORK ACCESS SECURITY
No network security exam would be complete without discussing the concepts of Access Control, Authentication, and Auditing (AAA). These three components together make up the concept of Network Access Security. AAA comprises the most basic fundamentals of work in the IT security field and is critical to understand for any IT security practitioner. In this section, you will be introduced to Network Authentication and its finer details.

Introduction to AAA
AAA is a set of primary concepts that aid in understanding computer and network security as well as access control. These concepts are used daily to protect property, data, and systems from intentional or even unintentional damage. AAA is used to support the confidentiality, integrity, and availability (CIA) security concept, in addition to providing the framework for access to networks and equipment using Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS/TACACS+). A more detailed description of AAA is discussed in RFC 3127, which can be found at http://tools.ietf.org/html/rfc3127. This RFC contains an evaluation of various existing protocols against the AAA requirements and can help you understand the specific details of these protocols. The AAA requirements themselves can be found in RFC 2989, located at http://tools.ietf.org/html/rfc2989.

What is AAA?
AAA is a group of processes used to protect the data, equipment, and confidentiality of property and information. As mentioned earlier, one of the goals of AAA is to provide CIA.
CIA can be briefly described as follows:

- Confidentiality: The contents or data are not revealed
- Integrity: The contents or data are intact and have not been modified
- Availability: The contents or data are accessible if allowed

AAA consists of three separate areas that work together. These areas provide a level of basic security in controlling access to resources and equipment in networks. This control allows users to provide services that assist in the CIA process for further protection of systems and assets.

HEAD OF THE CLASS... Clarification of Two Key Acronyms
Two specific abbreviations need to be explained to avoid confusion. For general security study, AAA is defined as "Access Control, Authentication, and Auditing." Do not confuse this with Cisco's implementation and description of AAA, which is "Authentication, Auditing, and Accounting." The second abbreviation requiring clarification is CIA. For purposes of the Network+ exam, CIA is defined as "confidentiality, integrity, and availability." Other literature and resources such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) guidelines may refer to CIA as "confidentiality, integrity, and authentication."

Access Control
Access control can be defined as a policy, software component, or hardware component that is used to grant or deny access to a resource. This can be an advanced component such as a Smart Card, a biometric device, or network access hardware such as routers, remote access points such as Remote Access Service (RAS), and VPNs, or even the use of wireless access points (WAPs). It can also be file or shared resource permissions assigned through the use of a network OS (NOS) such as Microsoft Windows with Active Directory or UNIX systems using Lightweight Directory Access Protocol (LDAP), Kerberos, or Sun Microsystem's Network Information System (NIS) and Network Information System Plus (NIS+).
Finally, it can be a rule set that defines the operation of a software component limiting entrance to a system or network.

Authentication
Authentication can be defined as the process used to verify that a machine or user attempting access to the networks or resources is, in fact, the entity being presented. For this chapter, nonrepudiation is the method used (time stamps, particular protocols, or authentication methods) to ensure that the presenter of the authentication request cannot later deny that they were the originator of the request. In the following sections, authentication methods include presentation of credentials (such as a username and password, Smart Card, or personal identification number [PIN]) to a NOS (logging on to a machine or network), remote access authentication, and a discussion of certificate services and digital certificates. The authentication process uses the information presented to the NOS (such as username and password) to allow the NOS to verify the identity based on those credentials.

NOTES FROM THE FIELD... Let's Talk About Access and Authentication
The difference between access control and authentication is very important. Access control is used to control the access to a resource through some means. This could be thought of as a lock on a door or a guard in a building. Authentication, on the other hand, is the process of verifying that the person trying to access whatever resource is being controlled is authorized to access the resource. In our analogy, this would be the equivalent of trying the key or having the guard check your name against a list of authorized people. So in summary, access control is the lock and authentication is the key.

Auditing
Auditing is the process of tracking and reviewing events, errors, access, and authentication attempts on a system. Much like an accountant's procedure for keeping track of the flow of funds, you need to be able to follow a trail of access attempts, access grants or denials, machine problems or errors, and other events that are important to the systems being monitored and controlled. In the case of security auditing, you will learn about the policies and procedures that allow administrators to track access (authorized or unauthorized) to the network, local machine, or resources. Auditing is not enabled by default in many NOSs, and administrators must often specify the events or objects to be tracked. This becomes one of the basic lines of defense in the security and monitoring of network systems. Tracking is used along with regular reviewing and analysis of the log files generated by the auditing process to better understand whether the access controls are working.

Authentication Methods
Authentication, when looked at in its most basic form, is simply the process used to prove the identity of someone or something that wants access. This can involve highly complex and secure methods, which may involve higher costs and more time, or can be very simple. For example, if someone you personally know comes to your door, you visually recognize them, and if you want them to enter, you open the door. In this case, you have performed the authentication process through your visual recognition of the individual. All authentication processes follow this same basic premise: that we need to prove who we are or who the individual, service, or process is before we allow them to use our resources.

Authentication allows a sender and receiver of information to validate each other as the appropriate entities with which they want to work. If entities wishing to communicate cannot properly authenticate each other, there can be no trust in the activities or information provided by either party. Only through a trusted and secure method of authentication can administrators provide for a trusted and secure communication or activity.
One-Factor
One-Factor authentication, as simple as username and password combinations, has been used for authenticating users for many years. Most OSs have had some form of local authentication that could be used if the OS was designed to be used by multiple users. Windows, Novell Netware, UNIX, and Linux have all had local authentication paths early in their development. Although this is the most common authentication method, it is not without its problems.

From a security standpoint, it is important to understand that the first line of defense of a system is the creation and maintenance of a password policy that is enforced and workable. You need to both implement and enforce the policy to ensure that this rudimentary protection is in place in your network. Most OSs have methods of using username/password policies. Password policies that require a user-created password that is less than six characters long are generally regarded as having a low (or no) security level. Password policies that require between 8 and 13 characters are regarded as a medium security level. Policies requiring 14 or more characters are regarded as a high security level. These security levels are based on the difficulty of discovering the password through the use of dictionary and brute force attacks. In addition, all password policies, regardless of password length, should require that an acceptable password contain a combination of the following:

- Uppercase and lowercase alphabetic characters
- Numbers
- Special characters
- No dictionary words
- No portion of the username in the password
- No personal identifiers, including birthdays, social security number, pet's name, and so forth

To achieve the medium security level, implement the use of eight characters, including uppercase and lowercase, numbers, and special characters.
For higher security, implement the medium security settings and enforce the previous settings plus no dictionary words and no use of the username in the password. Be aware that the higher the number of characters or letters in a password, the more chance exists that the user will record the password and leave it where it can be found. Most policies function well around the eight-character range and require periodic changes of the password as well as the use of special characters or numbers.

The simplest form of authentication is the transmission of a shared password between entities wishing to authenticate each other. This can be as simple as a secret handshake or a key. As with all simple forms of protection, once knowledge of the secret key or handshake is disclosed to nontrusted parties, there can no longer be trust in who is using the secrets. Many methods can be used by an unauthorized person to acquire a secret key, from tricking someone into disclosing it, to high-tech monitoring of communications between parties to intercept the key as it is passed between parties. However the code is acquired, once it is in a nontrusted
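The password policy levels and the composition checklist given above can be turned directly into an enforcement routine. The following is an added example, not code from the book: the length thresholds are the ones the text gives (fewer than 6 characters low, 8 to 13 medium, 14 or more high; the text does not assign 6 and 7 characters to a level, and treating them as low is my assumption), and the dictionary words, usernames and personal identifiers are constructed.

```python
import string

# Constructed word list for the "no dictionary words" rule; a real deployment would
# load a full list such as /usr/share/dict/words (assumption, not given by the text).
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

SPECIAL = set(string.punctuation)


def security_level(password):
    """Length-based level from the text. 6 and 7 characters are unassigned by the
    text and are treated as low here (assumption)."""
    n = len(password)
    if n >= 14:
        return "high"
    if 8 <= n <= 13:
        return "medium"
    return "low"


def contains_dictionary_word(password, dictionary=DICTIONARY, min_len=4):
    """True if a dictionary word of at least min_len letters appears inside the password."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in dictionary)


def contains_username(password, username, min_len=3):
    """True if any min_len-character slice of the username appears in the password,
    which catches partial reuse and not only the whole username."""
    u, p = username.lower(), password.lower()
    return any(u[i:i + min_len] in p for i in range(len(u) - min_len + 1))


def check_password(password, username, personal_identifiers=()):
    """Return (level, failed_rules): the length level from the text plus every item
    of the composition checklist the text says all policies should require."""
    failures = []
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL for c in password):
        failures.append("no special character")
    if contains_dictionary_word(password):
        failures.append("contains a dictionary word")
    if contains_username(password, username):
        failures.append("contains part of the username")
    lowered = password.lower()
    for ident in personal_identifiers:  # birthdays, pet names, etc. supplied by the caller
        if ident.lower() in lowered:
            failures.append(f"contains personal identifier {ident!r}")
    return security_level(password), failures


def meets_level(password, username, required="medium", personal_identifiers=()):
    """True if the password reaches the required level with no failed checklist rule."""
    order = {"low": 0, "medium": 1, "high": 2}
    level, failures = check_password(password, username, personal_identifiers)
    return order[level] >= order[required] and not failures


if __name__ == "__main__":
    for pw, user in (("password1", "bob"), ("Tr0ub4dor&3", "alice")):
        print(pw, check_password(pw, user))
```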