Network Security
Lecture 11
14.12.2009
16.12.2009
"More people are killed every year by pigs than by sharks, which shows you
how good we are at evaluating risk."
Bruce Schneier
Scenario:
an employer interviews a potential employee
Q: how secure can you make my network/system/infrastructure?
A: perfectly secure (impenetrable) - he/she's out
A: as secure as possible - he/she's out
A: how secure do you want it? - correct answer
Basic criteria
Physical security
System security
Network security
Personnel security
Actions in case of a successful attack
[Diagram: sw 1, sw 2, trunk, vlan 10, vlan 20, hosts A, B, C, D]
Protection methods:
Disabling DTP
[Diagram: hosts A, B, C, D]
Protection methods:
Explicitly specifying the native VLAN (using VLAN 1 as the native VLAN
must be avoided)
Ports that are not in use should be placed in an unused VLAN
[Diagram: Bob, Alice, Trudy; label "Unknown"]
Valid ARP request
MACdest | MACsrc | Type | OpCode | MACsrc | IPsrc | MACdest | IPdest
FFFF:FFFF:FFFF | MAC Bob | 0x0806 | 1 | MAC Bob | IP Bob | 0000:0000:0000 | IP Alice
Bob Alice
MAC Alice | MAC Bob | 0x0806 | 2 | MAC Bob | IP Bob | MAC Alice | IP Alice
MiTM ARP Request
The MACsrc - IPsrc association IS NOT VALID
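
The check behind the "association is not valid" note can be sketched as follows. This is an added example, not part of the original slides: it parses the frame fields from the table above and compares the sender MAC/IP pair against a trusted binding table. All addresses, the binding table and the function names are constructed for illustration.

```python
import struct

# Constructed sample addresses and trusted IP -> MAC bindings (assumptions).
BOB, ALICE, TRUDY = "02:00:00:00:00:0b", "02:00:00:00:00:0a", "02:00:00:00:00:0e"
BINDINGS = {"192.0.2.10": BOB, "192.0.2.20": ALICE}

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying ARP for IPv4; None if it is not one."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac(eth_dst), "eth_src": mac(eth_src), "op": op,
            "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

def inspect(frame, bindings=BINDINGS):
    """Return a list of findings; an empty list means the frame is consistent."""
    p = parse_arp(frame)
    if p is None:
        return ["not an IPv4-over-Ethernet ARP frame"]
    findings = []
    if p["eth_src"] != p["sha"]:
        findings.append("Ethernet source MAC differs from ARP sender MAC")
    known = bindings.get(p["spa"])
    if known is None:
        findings.append(f"no trusted binding for sender IP {p['spa']}")
    elif known != p["sha"]:
        findings.append(f"{p['spa']} claimed by {p['sha']}, trusted MAC is {known}")
    return findings

def build(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Assemble a constructed sample frame from readable field values."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (m(eth_dst) + m(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + m(tha) + i(tpa))

VALID_REQUEST = build("ff:ff:ff:ff:ff:ff", BOB, 1, BOB, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.20")
FORGED_REPLY = build(ALICE, TRUDY, 2, TRUDY, "192.0.2.10", ALICE, "192.0.2.20")

if __name__ == "__main__":
    for name, f in (("valid request", VALID_REQUEST), ("forged reply", FORGED_REPLY)):
        print(name, "->", inspect(f) or "ok")
```

In a real deployment the binding table would come from a trusted source such as static configuration or DHCP snooping rather than a literal dictionary.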
Rețele Locale de Calculatoare
Layer 2 attacks - An alternative...MITE
[Diagram: sw 1, sw 2, hosts X, A, Z]
Protection methods:
Explicitly defining the root ports on every switch in the
network
The phases are presented from a technical point of view
they do not include the human factor
Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit-card information from someone living
in a cardboard box to someone living on a park bench. (Gene
Spafford)
ping sweep (nmap -sP)
ICMP filtering
TCP ping scans (nmap -PT)
ACK filtering for non-established connections
port scanning (nmap -sS)
OS fingerprinting (nmap -O)
Nessus
vulnerability scanning
Brute forcing
hydra
Sniffing
dsniff
ettercap
Remote exploit
http://www.milw0rm.com
Metasploit
hydra
asgard:/home/razvan# hydra -l rctest -p rctest anaconda.cs.pub.ro ftp
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2008-01-08 12:13:19
[DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
[DATA] attacking service ftp on port 21
[STATUS] attack finished for anaconda.cs.pub.ro (waiting for childs to finish)
[21][ftp] host: 141.85.37.25 login: rctest password: rctest
Hydra (http://www.thc.org) finished at 2008-01-08 12:13:20
Security policies
passwords, rights, limitations
Monitoring & logging
security is not an end goal, it is a process
Traffic filtering
firewall
Securing information
encryption is used to protect the content of the data
message digests (MD5, SHA-1) are used to ensure
data integrity
Network sniffing
wireshark
tcpdump
kismet
Keeping logs
System monitoring utilities
netstat
ps
lsof
Firewall
hardware (dedicated)
software
with kernel support: iptables, OpenBSD ip filter
personal: ZoneAlarm
iptables
filter table
filtering chains: INPUT, OUTPUT, FORWARD