Chapter 14 Network Security - Computer Network

Chapter 14 Network Security - Computer Network Presentation [DCSN] KPTMAS

Uploaded by yabaidullah
Copyright: © Attribution Non-Commercial (BY-NC)

NETWORK SECURITY
- Introduction
- Security Threats
  - Structured Threats
  - Unstructured Threats
  - Internal Threats
  - External Threats
- Example of Attacks
  - Network Reconnaissance
  - Packet Sniffing
  - Man-in-the-Middle Attacks
  - IP Spoofing
  - DoS
- Network Security Methodology


INTRODUCTION TO THREATS

"Possibility or potential to cause harm"


TECHNIQUES FOR DETECTING ATTACKS
- Device logs
- Intrusion Detection System (IDS)
- Human diligence

Device logs

This figure shows a log from a MikroTik router viewed in the WinBox application. The router had been subjected to access-attempt attacks.

Device logs
- By analyzing device logs we can learn the attacker's method of operation, and this also allows us to identify the early signs of an attack.

The entries show that the attack type is a dictionary attack against the SSH service.
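As an added illustration (not part of the slides), the following Python script automates the check an analyst makes by eye on such a router log: it parses constructed, MikroTik-style "login failure" lines, groups the failures by source address and service, and flags a source as a dictionary attack when its failures reach a threshold inside a short time window. The sample log lines, the regular expression, the threshold and the window are all assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a MikroTik-like log format (assumption, not a real capture).
# Every source address is a documentation address (RFC 5737).
SAMPLE_LOG = """\
oct/09 10:15:01 system,error,critical login failure for user admin from 203.0.113.7 via ssh
oct/09 10:15:02 system,error,critical login failure for user root from 203.0.113.7 via ssh
oct/09 10:15:02 system,error,critical login failure for user test from 203.0.113.7 via ssh
oct/09 10:15:03 system,error,critical login failure for user admin from 203.0.113.7 via ssh
oct/09 10:15:04 system,error,critical login failure for user oracle from 203.0.113.7 via ssh
oct/09 10:20:00 system,error,critical login failure for user admin from 198.51.100.9 via winbox
oct/09 10:31:00 system,info,account user admin logged in from 192.0.2.5 via ssh
"""

# Matches only failed-login lines; successful logins and unrelated entries fall through.
FAILURE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<topics>[\w,]+) login failure for user (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\w+)$",
    re.IGNORECASE,
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, service, username) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line.strip())
        if not m:
            continue
        # The router log carries no year; strptime defaults it to 1900, which is
        # fine because only differences between timestamps are used below.
        ts = datetime.strptime(f"{m['mon']}/{m['day']} {m['time']}", "%b/%d %H:%M:%S")
        yield ts, m["src"], m["svc"], m["user"]


def detect_dictionary_attacks(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {(source_ip, service): summary} for every source whose failed logins
    reach `threshold` within any single `window`: the signature of password guessing.
    A lone failed login (a mistyped password) never reaches the threshold."""
    failures = defaultdict(list)
    for ts, src, svc, user in parse_failures(log_text):
        failures[(src, svc)].append((ts, user))

    alerts = {}
    for key, events in failures.items():
        events.sort()
        start, peak = 0, 0
        # Sliding window: for each event, count the events not older than `window`.
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = {
                "failures": len(events),
                "peak_in_window": peak,
                "users_tried": sorted({u for _, u in events}),
                "first": events[0][0].strftime("%H:%M:%S"),
                "last": events[-1][0].strftime("%H:%M:%S"),
            }
    return alerts


if __name__ == "__main__":
    for (src, svc), info in detect_dictionary_attacks(SAMPLE_LOG).items():
        print(f"dictionary attack on {svc} from {src}: {info}")
```

On the constructed log the only alert is for 203.0.113.7 against ssh: five failures in four seconds across four different usernames, which is the telltale of a dictionary attack rather than a forgotten password. The single winbox failure from 198.51.100.9 stays below the threshold, and the successful login line is never parsed as a failure.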


IDS
- An IDS recognizes patterns of activity (signatures) that reflect known attacks.
- Two types of IDS:
  - NIDS
  - HIDS

IDS
- NIDS
- HIDS: unlike a NIDS, a Host-based Intrusion Detection System resides on the machine itself.
SYSTEM LOGS

Reviewing operating system logs is a scary thing to do. It may take you the whole day to analyze them manually.

NIDS

Example of a NIDS application; viewing logs with a summarized report is really easy.

akob, 10/9/2010
HIDS

This is an example of a subscription service with preprogrammed patterns, used to review logs against the current pattern set of the OSSEC HIDS.
COMBINATION OF IDS

Log-based Intrusion Detection (LIDS), Host-based Intrusion Detection (HIDS) and Network-based Intrusion Detection (NIDS), combined with a Security Information Management (SIM) tool; this combination of security information will really ease security monitoring work.
EXAMPLE OF HIDS ALARM
HUMAN DILIGENCE
- Human diligence is also necessary to thwart new attacks, alongside the technological efforts of IDSs. Subscribing to mailing lists and checking various security sites must be a daily routine. Common sources for security information are:
  - Bugtraq [Link]
  - CERT [Link]
  - SANS [Link]
SECURITY THREATS
- Networks are subjected to a wide variety of attacks. These attacks include privilege escalation, access attempts, and many others. All of these attacks are defined as network threats and can be categorized according to two classifications:
  - Structured vs Unstructured
  - Internal vs External
- Using these classifications helps to better understand the threats themselves and how to deal with them.
STRUCTURED THREATS
- Hackers who perform structured threats are highly motivated and technically competent.
- They act alone or in small groups to understand, develop, and use sophisticated hacking techniques to bypass all security measures and penetrate unsuspecting enterprises.
- They are involved with major fraud and theft cases reported to law enforcement agencies.
- They may be hired by organized crime, industry competitors, or state-sponsored intelligence-collection organizations.
- In the IT world, attackers who perform structured threats are also known as hacktivists: hackers who are motivated by seeking out a venue to express their political point of view.
- Structured threats represent the greatest danger to an organization or enterprise.
UNSTRUCTURED THREATS
- Unstructured threats consist primarily of random individuals using various common tools such as malicious shell scripts, password crackers, credit-card number generators and dealer daemons.
- If the security of the network is too strong for them to gain access, they may fall back to using DoS as a last resort to save face.
- Rarely are the individuals who fall into this category anything more than what is commonly termed a script kiddie.
- These types of attempts represent the bulk of Internet-based attacks.
INTERNAL THREATS
- Internal threats typically come from disgruntled former or current employees.
- They can be structured or unstructured.
- Structured internal threats represent an extreme danger to the enterprise network because the attacker already has access to the network.
- Although internal threats may seem more ominous than threats from external sources, security measures are available for mitigating the threats and responding when attacks occur.
EXTERNAL THREATS
- Consist of structured and unstructured threats originating from external sources.
- Can have malicious and destructive intent, such as denial of service (DoS), data theft or distributed denial of service (DDoS).
- Can also simply be errors that generate unexpected network behavior, such as misconfiguration of the enterprise's Domain Name System (DNS), which results in e-mail being delayed or returned to sender.
EXAMPLE OF NETWORK ATTACK
- Network Reconnaissance
- Packet Sniffing
- Man-In-The-Middle Attacks
- IP Spoofing
- DoS (Denial of Service)
NETWORK RECONNAISSANCE
- Refers to learning information about a target network using publicly available information and applications such as Domain Name System (DNS) queries, ping sweeps and port scans.
- IDSs at the network and host levels can usually notify an administrator when a reconnaissance attack is underway.
- This allows the administrator to better prepare for the coming attack, or to notify the ISP that is hosting the system launching the reconnaissance attack.
PACKET SNIFFING
- Useful network tools can become threats in the hands of a hacker.
- Packet sniffing provides an example of how someone can exploit a tool used to capture all packets on the physical wire (promiscuous mode).
- A packet sniffer application is a common tool for traffic analysis and troubleshooting, capturing and decoding packets.
- You can use packet sniffers to capture and inspect all unencrypted data (clear text).

PACKET SNIFFING (CONTINUED)
- Some ways to prevent packet sniffing attacks:
  - Authentication: methods such as two-factor authentication, used in conjunction with a one-time password for the user.
  - Encryption: the most common and effective method of securing data against sniffers, because it scrambles the clear text.
  - Building the network using switches can help to localize sniffer activity.
MAN-IN-THE-MIDDLE ATTACK
- By using packet sniffers or similar products, it is possible to capture information as it is transferred from one network to another.
- Requires access to network media or devices between the source and destination.
- [text illegible in source] to this kind of attack.
- The attacker uses the information captured to launch another attack, for example to deny the service or corrupt a data store.
- Encrypt the traffic so that if packets are sniffed, they are useless to the attacker.
IP SPOOFING
- A technique in which the attacker sends packets with the source IP address modified to match that of a trusted host.
- Also used to disguise the source of packets launched as part of a DoS attack.
- There are two ways to prevent IP spoofing:
  - Authentication: prevent access to systems based solely on IP address.
  - Filtering: prevent any outbound traffic on your network that does not have a source address in your IP range.
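The two countermeasures above, worked through as an added Python example (not from the slides, and not any vendor's filter implementation). The filtering rule is the slide's egress check, and the example also carries it through to the inbound direction: a packet arriving from outside that claims one of our own addresses is just as spoofed. The authentication point is shown by a trust decision that requires a per-host secret in addition to the address. The address block 192.0.2.0/24, the packet trace and the shared secret are assumptions.

```python
import hmac
import ipaddress

# Assumption for this example: the enterprise owns the documentation prefix 192.0.2.0/24.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def egress_verdict(src_ip, internal_net=INTERNAL_NET):
    """Border filter for outbound packets: a packet leaving the network must carry a
    source address from our own range; anything else is spoofed traffic originating
    inside and is dropped. Returns "allow" or "drop"."""
    return "allow" if ipaddress.ip_address(src_ip) in internal_net else "drop"


def ingress_verdict(src_ip, internal_net=INTERNAL_NET):
    """Mirror-image check on inbound packets: a packet arriving from the outside world
    that claims one of our own addresses cannot be genuine and is dropped."""
    return "drop" if ipaddress.ip_address(src_ip) in internal_net else "allow"


def filter_packets(packets, internal_net=INTERNAL_NET):
    """Apply the direction-appropriate check to (direction, src_ip) pairs and return
    a list of (direction, src_ip, verdict)."""
    results = []
    for direction, src in packets:
        check = egress_verdict if direction == "out" else ingress_verdict
        results.append((direction, src, check(src, internal_net)))
    return results


# Constructed packet trace: one spoofed packet in each direction among legitimate ones.
SAMPLE_PACKETS = [
    ("out", "192.0.2.10"),    # legitimate outbound
    ("out", "203.0.113.5"),   # outbound with a foreign source: spoofed, drop
    ("in", "198.51.100.20"),  # legitimate inbound
    ("in", "192.0.2.10"),     # inbound claiming to be one of us: spoofed, drop
]

# A trust list keyed by IP address; the slide's point is that the address alone must
# not grant access, so a per-host secret (constructed here) is required as well.
TRUSTED_HOSTS = {"192.0.2.10": b"constructed-shared-secret"}


def is_trusted(src_ip, presented_secret):
    """Grant trust only when the address is listed AND the presented secret matches,
    compared in constant time. Spoofing the address alone is not enough."""
    expected = TRUSTED_HOSTS.get(src_ip)
    if expected is None or presented_secret is None:
        return False
    return hmac.compare_digest(expected, presented_secret)


if __name__ == "__main__":
    for direction, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{direction:>3} {src:<16} {verdict}")
    print("trusted address without secret:", is_trusted("192.0.2.10", None))
```

Running it drops exactly the two spoofed packets and shows that the trusted address, when presented without the secret, is refused; in a real deployment the same two range checks are expressed as access lists on the border router or firewall rather than in Python.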
DOS (DENIAL OF SERVICE)
- DoS attacks deny legitimate users access to services.
- DoS attacks can be characterized by:
  - Disrupting connectivity between devices
  - Preventing access to specific services
  - Halting processes on devices by sending bad packets
  - Flooding networks
- How to prevent DoS attacks?
  - Configure the firewall
  - Prevent spoofing
  - Prevent traffic rates from getting out of control
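The last prevention point, keeping traffic rates under control, as an added Python example (not from the slides): a per-source sliding-window rate limiter of the kind a firewall applies, replayed over a constructed trace in which one source floods 100 packets in a second while a normal client sends one packet every half second. The limit of 20 packets per second, the addresses and the trace are assumptions for this example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-source rate limiter: a source may have at most `limit` packets admitted in
    any trailing `window_ms` milliseconds; further packets in that window are dropped.
    Only admitted packets are counted, so a flooding source is held to exactly
    `limit` per window while well-behaved sources are never touched."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self._admitted = defaultdict(deque)  # src -> timestamps of admitted packets

    def admit(self, src, now_ms):
        q = self._admitted[src]
        # Evict admitted timestamps that have fallen out of the trailing window.
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) < self.limit:
            q.append(now_ms)
            return True
        return False


def replay(trace, limit=20, window_ms=1000):
    """Run a (timestamp_ms, src) trace through the limiter in time order and
    return {src: (admitted, dropped)}."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    counts = defaultdict(lambda: [0, 0])
    for ts, src in sorted(trace):
        counts[src][0 if limiter.admit(src, ts) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed trace (documentation addresses): a flood of 100 packets in one second
# from one source, and a normal client sending one packet every 500 ms.
FLOOD_SRC = "203.0.113.50"
NORMAL_SRC = "192.0.2.5"
SAMPLE_TRACE = [(i * 10, FLOOD_SRC) for i in range(100)] + \
               [(i * 500, NORMAL_SRC) for i in range(5)]


if __name__ == "__main__":
    for src, (admitted, dropped) in replay(SAMPLE_TRACE).items():
        print(f"{src:<16} admitted={admitted:3d} dropped={dropped:3d}")
```

With a 20-per-second limit the flooding source gets 20 packets through and loses 80, while the normal client loses nothing, which is the property a rate control needs: it bounds the damage from a flood without affecting legitimate users. Rate limiting is of course weakened by spoofing, since a flood spread over forged source addresses sidesteps a per-source limit; that is why the slide lists "prevent spoofing" beside it.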
NETWORK SECURITY METHODOLOGY

SAFE BLUEPRINT OVERVIEW
- Cisco developed a security methodology called SAFE.
- SAFE is used as a guide to design and implement network security.
- Cisco describes SAFE as a defense-in-depth approach.
- Defense-in-depth means that a system has multiple security measures in place.
- The SAFE blueprint discourages having only one device performing a security function.
- Security capabilities can be hosted on dedicated appliances, such as firewalls.
- The blueprint guidelines encourage you to make security decisions based on the dangers to be avoided.
