
Network Security

Attacks
Technical Solutions

Acknowledgments
Material is sourced from:
CISA Review Manual 2011, 2010, ISACA. All rights reserved. Used by
permission.
CISM Review Manual 2012, 2011, ISACA. All rights reserved. Used by
permission.
Many other Network Security sources
http://www.csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit,
Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this
material are those of the author(s) and/or source(s) and do not necessarily
reflect the views of the National Science Foundation.

Objectives
The student should be able to:
Define attacks: script kiddy, social engineering, logic bomb, Trojan horse, phishing, pharming, war driving, war dialing, man-in-the-middle attack, SQL injection, virus, worm, root kit, dictionary attack, brute force attack, DOS, DDOS, botnet, spoofing, packet replay.
Describe defenses: defense in depth, bastion host, content filter, packet filter, stateful inspection, circuit-level firewall, application-level firewall, demilitarized zone, multi-homed firewall, IDS, IPS, NIDS, HIDS, signature-based IDS, statistical-based IDS, neural network, VPN, network access server (RADIUS/TACACS), honeypot, honeynet, hash, secret key encryption, public key encryption, digital signature, PKI, vulnerability assessment.
Identify techniques (what they do): SHA1/SHA2, MD2/MD4/MD5, DES, AES, RSA, ECC.
Describe and define security goals: confidentiality, authenticity, integrity, nonrepudiation.
Define services and servers: place their data in the correct sensitivity class, with the roles that have access.
Define services that can enter and leave a network.
Draw a network diagram with proper zones and security equipment.

The Problem of Network Security

The Internet allows an attacker to attack from anywhere in the world from their home desk. They need to find only one vulnerability; a security analyst needs to close every vulnerability.

Hacking Networks
Phase 1: Reconnaissance
Physical Break-In
Dumpster Diving
Google, Newsgroups, Web sites
Social Engineering
Phishing: fake email
Pharming: fake web pages
WhoIs Database & arin.net
Domain Name Server Interrogations

Example WhoIs record:

Registrant:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
Domain name: MICROSOFT.COM
Administrative Contact:
Administrator, Domain domains@microsoft.com
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080
Technical Contact:
Hostmaster, MSN msnhst@microsoft.com
One Microsoft Way
Redmond, WA 98052 US
+1.4258828080
Registration Service Provider:
DBMS VeriSign, dbms-support@verisign.com
800-579-2848 x4
Please contact DBMS VeriSign for domain updates,
DNS/Nameserver
changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2006.
Record expires on 03-May-2014.
Record created on 02-May-1991.
Domain servers in listed order:
NS3.MSFT.NET 213.199.144.151
NS1.MSFT.NET 207.68.160.190
NS4.MSFT.NET 207.46.66.126
NS2.MSFT.NET 65.54.240.126
NS5.MSFT.NET 65.55.238.126

Hacking Networks
Phase 2: Scanning
War Driving: Can I find a wireless network?
War Dialing: Can I find a modem to connect to?
Network Mapping: What IP addresses exist, and what ports are open on them?
Vulnerability-Scanning Tools: What versions of software are implemented on devices?

Passive Attacks
Eavesdropping: Listen to packets from other parties = Sniffing
Traffic Analysis: Learn about network from observing traffic patterns
Footprinting: Test to determine software installed on system = Network Mapping
(Diagram: Carl, Bob, Jennie)

Hacking Networks:
Phase 3: Gaining Access
Network Attacks:
Sniffing (Eavesdropping)
IP Address Spoofing
Session Hijacking
System Attacks:
Buffer Overflow
Password Cracking
SQL Injection
Web Protocol Abuse
Denial of Service
Trap Door
Virus, Worm, Trojan horse
(Diagram: Bill; sniffed "Login: Ginger Password: Snap")

Some Active Attacks
Denial of Service: Message did not make it; or service could not run
Masquerading or Spoofing: The actual sender is not the claimed sender
Message Modification: The message was modified in transmission
Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage
(Diagrams: Denial of Service, Spoofing ("Joe (Actually Bill)"), Message Modification and Packet Replay, between Joe, Bill and Ann)

Man-in-the-Middle Attack
(Diagram: hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3; (1) Login, (2) Login, (3) Password, (4) Password pass through the host in the middle)

SQL Injection

Java Original: "SELECT * FROM users_table WHERE username='" + username + "' AND password='" + password + "';"
Inserted Password: Aa' OR ''='
Java Result: SELECT * FROM users_table WHERE username='anyname' AND password='Aa' OR ''='';
Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%
Java Result: SELECT * FROM users_table WHERE username='anyname' AND password='foo'; DELETE FROM users_table WHERE username LIKE '%';
Inserted entry: |shell(cmd /c echo & char(124) & format c:)|
(Diagram: login form "Welcome to My System" with Login and Password fields)
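As an added example (not the slide's Java code), the same concatenated query run against an in-memory SQLite table with the slide's first injected password, beside the parameterized form that defeats it. The table contents and the account ginger/snap are constructed for the example.

```python
"""Vulnerable string-built query vs. parameterized query, on an in-memory
SQLite database constructed for this example (not the slide's Java code)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one legitimate account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_table VALUES ('ginger', 'snap')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    # Mirrors the slide's Java concatenation: user input becomes SQL syntax.
    # (sqlite3.execute refuses stacked statements, so the slide's second
    # payload would error here, but the OR ''='' bypass still works.)
    sql = ("SELECT * FROM users_table WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str):
    # Placeholders keep the input as data; SQLite never parses it as SQL.
    sql = "SELECT * FROM users_table WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    bad_password = "Aa' OR ''='"          # the slide's first injected value
    vuln_rows = login_vulnerable(conn, "anyname", bad_password)
    safe_rows = login_safe(conn, "anyname", bad_password)
    good_rows = login_safe(conn, "ginger", "snap")
    return len(vuln_rows), len(safe_rows), len(good_rows)


if __name__ == "__main__":
    print(demo())   # (1, 0, 1): injection logs in, parameters refuse it
```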

Password Cracking:
Dictionary Attack & Brute Force

Pattern                             | Calculation | Result  | Time to Guess (2.6x10^18/month)
Personal Info: interests, relatives |             | 20      | Manual 5 minutes
Social Engineering                  |             |         | Manual 2 minutes
American Dictionary                 |             | 80,000  | < 1 second
4 chars: lower case alpha           | 26^4        | 5x10^5  |
8 chars: lower case alpha           | 26^8        | 2x10^11 |
8 chars: alpha                      | 52^8        | 5x10^13 |
8 chars: alphanumeric               | 62^8        | 2x10^14 | 3.4 min.
8 chars: alphanumeric + 10          | 72^8        | 7x10^14 | 12 min.
8 chars: all keyboard               | 95^8        | 7x10^15 | 2 hours
12 chars: alphanumeric              | 62^12       | 3x10^21 | 96 years
12 chars: alphanumeric + 10         | 72^12       | 2x10^22 | 500 years
12 chars: all keyboard              | 95^12       | 5x10^23 |
16 chars: alphanumeric              | 62^16       | 5x10^28 |

Source: Draft NIST SP 800-118
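The keyspace and time-to-guess arithmetic behind the table, as an added example (not from the slide or NIST SP 800-118). It uses the slide's rate of 2.6x10^18 guesses per month and assumes a 30-day month, so its rounded times differ slightly from the slide's.

```python
"""Keyspace and time-to-guess arithmetic behind the slide's table.
Added example; 2.6e18 guesses/month is the slide's rate, the 30-day
month is an assumption made here."""

GUESSES_PER_MONTH = 2.6e18           # rate in the slide's last column
MINUTES_PER_MONTH = 30 * 24 * 60     # assumption: 30-day month

# Character-set sizes for the slide's pattern rows.
CHARSETS = {
    "lower case alpha": 26,
    "alpha": 52,
    "alphanumeric": 62,
    "alphanumeric + 10": 72,   # ten extra symbols
    "all keyboard": 95,        # printable ASCII
}


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters (Calculation column)."""
    return charset_size ** length


def months_to_exhaust(space: int, rate: float = GUESSES_PER_MONTH) -> float:
    """Months to try every candidate at the given rate (worst case)."""
    return space / rate


def human_time(months: float) -> str:
    """Render a duration the way the slide does, from seconds up to years."""
    minutes = months * MINUTES_PER_MONTH
    if minutes < 1 / 60:
        return "< 1 second"
    if minutes < 60:
        return f"{minutes:.1f} min."
    if minutes < MINUTES_PER_MONTH:
        return f"{minutes / 60:.1f} hours"
    return f"{months / 12:.0f} years"


def table_row(pattern: str, length: int):
    """One row of the slide's table: pattern, keyspace, time to guess."""
    space = keyspace(CHARSETS[pattern], length)
    return f"{length} chars: {pattern}", space, human_time(months_to_exhaust(space))


if __name__ == "__main__":
    for pattern, length in [("lower case alpha", 8), ("alphanumeric", 8),
                            ("all keyboard", 8), ("alphanumeric", 12)]:
        print(table_row(pattern, length))
```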

Hacking Networks:
Phase 4: Exploit/Maintain Access
Backdoor: Control system: system commands, log keystrokes, pswd
Trojan Horse: Useful utility actually creates a backdoor.
User-Level Rootkit: Replaces system executables: e.g. Login, ls, du
Kernel-Level Rootkit: Replaces OS kernel: e.g. process or file control to hide
Bots: Slave forwards/performs commands; spreads, list email addrs, DOS attacks
Spyware/Adware: Spyware: Collect info: keystroke logger, collect credit card #s. AdWare: insert ads, filter search results

Botnets
Botnets: Bots
(Diagram: Attacker -> Handler -> Zombies, in China and Hungary)
Bots: Host illegal movies, music, pornography, criminal web sites, Forward Spam for financial gain

Distributed Denial of Service
(Diagram: Attacker -> Handler -> Zombies in Russia, Bulgaria and the United States -> Victim)
Can barrage a victim server with requests, causing the network to fail to respond to anyone

Question
An attack where multiple computers send connection packets to a server simultaneously to slow the firewall is known as:
1. Spoofing
2. DDOS
3. Worm
4. Rootkit

Question
A man in the middle attack is implementing which additional type of attack:
1. Spoofing
2. DoS
3. Phishing
4. Pharming

Network Security
Network Defense
Encryption

Security: Defense in Depth

Border Router
Perimeter firewall
Internal firewall
Intrusion Detection System
Policies & Procedures & Audits
Authentication
Access Controls

Bastion Host
Computer fortified against attackers
Applications turned off
Operating system patched
Security configuration tightened

Attacking the Network
What ways do you see of getting in?
(Diagram: The Internet, Border Router/Firewall, De-Militarized Zone, Commercial Network, WLAN, Private Network)

Filters
The good, the bad & the ugly
(Diagram: Filter; The Good; The bad & the ugly)
Route Filter: Verifies sources and destination of IP addresses
Packet Filter: Scans headers of packets and discards if ruleset failed (e.g., Firewall or router)
Content Filter: Scans contents of packets and discards if ruleset failed (e.g., Intrusion Prevention System or firewall)

Packet Filter Firewall
(Diagram: traffic arriving at the firewall: Web Response, Illegal Dest IP Address, Web Request, Email Response, SSH Connect Request, DNS Request, Ping Request, Illegal Source IP Address, Email Response, FTP request, Microsoft NetBIOS Name Service, Email Connect Request, Telnet Request; on the far side of the firewall: Web Response)

Firewall Configurations
(Diagram: packet A from terminal, through firewall, to host)
Router Packet Filtering:
Packet header is inspected
Single packet attacks caught
Very little overhead in firewall: very quick
High volume filter

Stateful Inspection
State retained in firewall memory
Most multi-packet attacks caught
More fields in packet header inspected
Little overhead in firewall: quick

Firewall Configurations
(Diagram: packet A arrives at the firewall from the terminal and is re-sent as packet B to the host)
Circuit-Level Firewall:
Packet session terminated and recreated via a Proxy Server
All multi-packet attacks caught
Packet header completely inspected
High overhead in firewall: slow

Application-Level Firewall
Packet session terminated and recreated via a Proxy Server
Packet header completely inspected
Most or all of application inspected
Highest overhead: slow & low volume

Multi-Homed Firewall:
Separate Zones
(Diagram: Internet -> Router (Screening Device) -> IDS -> Firewall (Screened Host With Proxy Interface); Demilitarized Zone with External DNS, IDS, Web Server, E-Commerce, VPN Server; Protected Internal Network Zone with IDS and Database/File Servers)
The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall.

Writing Rules
(Diagram, cycle: Policies, Network Filter Capabilities, Write Rules, Audit Failures, Corrections; Protected Network)

Services and Servers
Workbook
Service   | Sensitivity  | Roles                                                                        | Server
Grades    | Confidential | For Graduates: Transcripts; For Current Students: Advising, Students, Faculty | StudentScholastic
Billing   | Confidential | For Current Students: Registration, Accounting, Advising; Payment: Students  | StudentBilling
Web Pages | Public       | Students, Employees, Public                                                  | Web services

Path of Logical Access
How would access control be improved?
(Diagram: The Internet -> Border Router/Firewall -> De-Militarized Zone; WLAN; Router/Firewall -> Private Network)

Protecting the Network
(Diagram: The Internet -> Border Router: Packet Filter -> De-Militarized Zone with Bastion Hosts; WLAN; Proxy server firewall -> Private Network)

Serviced Applications
Workbook
Applications | Sources of Entry                       | Servers             | Required Controls (e.g., Encryption)
Grades       | University Graduates, Registration     | Graduate Scholastic | Confidentiality, Integrity, Authentication
Grades       | Current Students, United States        | Student Scholastic  | Confidentiality, Integrity, Authentication
Billing      | Payment: International; Reports: Univ. | Student Scholastic  | Confidentiality, Authentication, Integrity, Non-repudiation
Web Pages    | International                          | DMZ: PublicFace     |

Network Diagram
Workbook
(Diagram: Internet -> Router -> Firewall; Demilitarized Zone: External DNS, Email, Public Web Server, E-Commerce; Zone 1: Student Labs & Files; Zone 2: Faculty Labs & Files; Zone 3: Student Data: Student Scholastic, Student Records, Student Billing, Student History, Transcripts)

Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)
(Diagram: Router -> IDS -> Firewall; a NastyVirus packet on the wire)
Network IDS=NIDS
Examines packets for attacks
Can find worms, viruses, org-defined attacks
Warns administrator of attack
IPS=Packets are routed through IPS
Host IDS=HIDS
Examines actions or resources for attacks
Recognize unusual or inappropriate behavior
E.g., Detect modification or deletion of special files

IDS Intelligence Systems
(Diagram: NIDS raises ALARM!!! on packets matching Attacks: NastyVirus, BlastWorm; Normal traffic passes)
Signature-Based:
Specific patterns are recognized as attacks
(Chart: traffic volume for Sales, Personnel and Factory, Mon. through Thurs.)
Statistical-Based:
The expected behavior of the system is understood
If variations occur, they may be attacks (or maybe not)
Neural Networks:
Statistical-Based with self-learning (or artificial intelligence)
Recognizes patterns
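Added example, not from the slide: the two detection rules applied to constructed data, a signature match over sample packet payloads (using the slide's NastyVirus and BlastWorm names) and a statistical threshold over an invented baseline of hourly packet counts.

```python
"""Signature-based and statistical-based NIDS decisions from the slide, run
over constructed sample traffic. Added example; the signature strings,
payloads and baseline counts are invented for illustration."""
import statistics

# Signature-based: byte patterns known to be malicious (names from the slide).
SIGNATURES = {
    b"NastyVirus": "NastyVirus",
    b"BlastWorm": "BlastWorm",
}

# Constructed packet payloads seen by the sensor.
PACKETS = [b"GET /index.html", b"NastyVirus payload", b"SMTP HELO",
           b"xxBlastWormxx", b"Normal traffic"]


def signature_alerts(packets):
    """Return (packet, signature name) for every packet containing a signature."""
    hits = []
    for p in packets:
        for pattern, name in SIGNATURES.items():
            if pattern in p:
                hits.append((p, name))
    return hits


# Statistical-based: learn expected behaviour, then flag deviations.
# Constructed baseline: packets/hour for one host over eight quiet hours.
BASELINE = [52, 48, 55, 50, 47, 53, 49, 51]


def statistical_alert(observed: int, baseline=BASELINE, k: float = 3.0) -> bool:
    """Flag when the observed count lies more than k standard deviations from
    the baseline mean. A deviation is not necessarily an attack (the slide's
    'or maybe not'), so this only raises an alert for an analyst to review."""
    mean = statistics.mean(baseline)
    sd = statistics.stdev(baseline)
    return abs(observed - mean) > k * sd


if __name__ == "__main__":
    print(signature_alerts(PACKETS))           # two hits
    print(statistical_alert(50), statistical_alert(140))   # False True
```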

Honeypot & Honeynet
Honeypot: A system with a special software application which appears easy to break into
Honeynet: A network which appears easy to break into
Purpose: Catch attackers
All traffic going to honeypot/net is suspicious
If successfully penetrated, can launch further attacks
Must be carefully monitored
(Diagram: Firewall; Honey Pot beside External DNS, IDS, Web Server, E-Commerce, VPN Server; Bill)

Data Privacy
Confidentiality: Unauthorized parties cannot access information (->Secret Key Encryption)
Authenticity: Ensuring that the actual sender is the claimed sender. (->Public Key Encryption)
Integrity: Ensuring that the message was not modified in transmission. (->Hashing)
Nonrepudiation: Ensuring that sender cannot deny sending a message at a later time. (->Digital Signature)
(Diagrams: Confidentiality, Authenticity ("Joe (Actually Bill)"), Integrity and Non-Repudiation, between Joe, Bill and Ann)

Encryption Secret Key
Examples: DES, AES
(Diagram: plaintext -> Encrypt with Ksecret -> ciphertext -> Decrypt with Ksecret -> plaintext)
P = D(Ksecret, E(Ksecret,P))
NIST Recommended: 3DES w. CBC, AES 128 Bit

Public Key Encryption
Examples: RSA, ECC, Quantum
P = D(kPRIV, E(kPUB,P))
(Diagram, Encryption (e.g., RCS): Joe encrypts the message with Kpublic; the key owner decrypts with Kprivate)
(Diagram, Authentication, Non-repudiation: the key owner encrypts with Kprivate (Digital Signature); Joe decrypts with Kpublic)
P = D(kPUB, E(kPRIV,P))
NIST Recommended: RSA 1024 bit
2011: RSA 2048 bit

Remote Access Security
(Diagram: The Internet -> Firewall -> VPN Concentrator)
Virtual Private Network (VPN) often implemented with IPSec
Can authenticate and encrypt data through Internet (red line)
Easy to use and inexpensive
Difficult to troubleshoot, less reliable than dedicated lines
Susceptible to malicious software and unauthorized actions
Often router or firewall is the VPN endpoint

Secure Hash Functions
Examples: SHA1, SHA2, MD2, MD4, MD5
Ensures the message was not modified during transmission
(Diagram, One Way Hash: sender computes H over the Message and sends Message + H; receiver recomputes H over the Message and Compares)
Message Authentication Code
(Diagram: sender computes H over the Message with key K and sends Message + H; receiver recomputes H with K and Compares)
NIST Recommended: SHA-1, SHA-2
2011: SHA-2
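Added example using Python's standard library (not from the slide): the one-way-hash check beside the keyed MAC check, showing why an attacker who can rewrite the message can also rewrite a plain hash but cannot recompute a MAC without K. The message and key are constructed.

```python
"""Integrity check with a plain hash vs. a keyed MAC (HMAC-SHA-256),
matching the two diagrams on the slide. Added example on the standard
library; the message and key are constructed for illustration."""
import hashlib
import hmac


def digest(message: bytes) -> bytes:
    # One-way hash H(message): anyone, including an attacker, can recompute it.
    return hashlib.sha256(message).digest()


def verify_hash(message: bytes, received: bytes) -> bool:
    # The slide's "Compare" step: recompute H and check equality.
    return hmac.compare_digest(digest(message), received)


def mac(key: bytes, message: bytes) -> bytes:
    # Keyed hash: only holders of K can produce or check it.
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, received: bytes) -> bool:
    # compare_digest runs in constant time, avoiding a timing side channel.
    return hmac.compare_digest(mac(key, message), received)


def demo():
    key = b"shared-secret-K"            # constructed; exchanged out of band
    msg = b"PAY 100 TO ANN"
    h, tag = digest(msg), mac(key, msg)

    # A modification in transit is caught by both checks...
    tampered = b"PAY 900 TO ANN"
    hash_detects = not verify_hash(tampered, h)
    mac_detects = not verify_mac(key, tampered, tag)

    # ...but an attacker who rewrites the message AND recomputes the plain
    # hash passes the hash check; without K the MAC cannot be recomputed.
    forged_hash_ok = verify_hash(tampered, digest(tampered))
    forged_mac_ok = verify_mac(key, tampered, mac(b"wrong-key", tampered))
    return hash_detects, mac_detects, forged_hash_ok, forged_mac_ok


if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```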

Digital Signature
Electronic Signature
Uses public key algorithm
Verifies integrity of data
Verifies identity of sender: nonrepudiation
(Diagram: Message + Msg Digest encrypted with K(Sender's Private))
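Added teaching example (not from the slides) of both identities from the Public Key Encryption and Digital Signature slides, using textbook RSA on the small primes p=61, q=53: encrypt with kPUB and decrypt with kPRIV, then sign a SHA-256 digest with kPRIV and verify with kPUB. Real deployments use 2048-bit keys with padding; the tiny modulus and unpadded arithmetic here only make the equations visible.

```python
"""Textbook RSA on small primes, to make the slide's two identities visible:
P = D(kPRIV, E(kPUB, P)) for secrecy and P = D(kPUB, E(kPRIV, P)) for a
digital signature over a message digest. Added teaching example; real
deployments use 2048-bit keys with padding (PKCS#1), never this."""
import hashlib


def keygen(p: int = 61, q: int = 53, e: int = 17):
    """Textbook parameters (constructed): n = 3233, phi = 3120, d = 2753."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return (e, n), (d, n)          # (kPUB, kPRIV)


def apply_key(key, value: int) -> int:
    """E and D are the same modular exponentiation with different exponents."""
    exp, n = key
    return pow(value, exp, n)


def encrypt(pub, plaintext: int) -> int:
    return apply_key(pub, plaintext)           # E(kPUB, P)


def decrypt(priv, ciphertext: int) -> int:
    return apply_key(priv, ciphertext)         # D(kPRIV, C)


def msg_digest(message: bytes, n: int) -> int:
    """Hash first; reduce mod n only so the digest fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    """The slide's 'Msg Digest encrypted with K(Sender's Private)'."""
    return apply_key(priv, msg_digest(message, priv[1]))


def verify(pub, message: bytes, signature: int) -> bool:
    """Tom's check: D(kPUB, signature) must equal a fresh digest of the message."""
    return apply_key(pub, signature) == msg_digest(message, pub[1])


def demo():
    pub, priv = keygen()
    round_trip = decrypt(priv, encrypt(pub, 65))      # confidentiality
    msg = b"Sue -> Tom: meet at 9"
    sig = sign(priv, msg)                              # non-repudiation
    corrupted = (sig + 1) % pub[1]                     # signature altered in transit
    return round_trip, verify(pub, msg, sig), verify(pub, msg, corrupted)


if __name__ == "__main__":
    print(demo())   # (65, True, False)
```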

Public Key Infrastructure (PKI)
1. Sue registers with CA through RA: Register(Owner, Public Key)
2. Registration Authority (RA) verifies owners
3. CA sends approved Digital Certificates
4. Sue sends Tom message signed with Digital Signature
5. Tom requests Sue's DC
6. CA sends Sue's DC
7. Tom confirms Sue's DS
(Digital Certificate: User: Sue, Public Key: 2456)

Network Access Server
(Diagram: 1. Dial up and authenticate, 2. Call back, 3. Connect; RADIUS or TACACS)
NAS: Network Access Server
Handles user authentication, access control and accounting
Calls back to pre-stored number based on user ID
Prone to hackers, DOS, misconfigured or insecure devices
RADIUS: Remote Access Dial-in User Service
TACACS: Terminal Access Control Access

Web Page Security
SQL Filtering: Filtering of web input for SQL Injection
Encryption/Authentication: Ensuring Confidentiality, Integrity, Authenticity, Nonrepudiation
Web Protocol Protection: Protection of State

Vulnerability Assessment
Scan servers, work stations, and control devices for vulnerabilities
Open services, patching, configuration weaknesses
Testing controls for effectiveness
Adherence to policy & standards
Penetration testing

Serviced Applications
Workbook
Applications | Sources of Entry                       | Servers            | Required Controls (e.g., Encryption)
Grades       | United States, Current Students        | Student Scholastic | Confidentiality: Encryption; Integrity: Hashing, IDS; Authentication: VPN/IPsec, secure passwords
Billing      | Payment: International; Reports: Univ. | Student Scholastic | Confidentiality: Encryption, HTTPs; Authentication: VPN/IPsec; Integrity: Hashing, IDS; Non-repudiation: Digital Signature

Summary of Network Controls
Network Security Techniques
Encryption: Public and Private key, Wireless WPA2
Virtual Private Network (VPN): Secure communications tunnel
Secure Hashing
Digital Signature
Bastion Host Configuration
Certificate Authority: PKI
Network Protection Devices
Firewall: Packet, Stateful, Circuit, Application-Level
Proxy server
Demilitarized Zone (DMZ)
Intrusion Detection System
Intrusion Prevention System
Network access server (RADIUS or TACACS)
Honeypot, honeynet
Secure Protocols
SSL: Secure web
SSH: Secure telnet/rlogin or file transfer
S/MIME: Secure email
Secure Information Mgmt: Log mgmt

Question
A map of the network that shows where service requests enter and are processed
1. Is called the Path of Physical Access
2. Is primarily used in developing security policies
3. Can be used to determine whether sufficient Defense in Depth is implemented
4. Helps to determine where antivirus software should be installed

Question
The filter with the most extensive filtering capability is the
1. Packet filter
2. Application-level firewall
3. Circuit-level firewall
4. State Inspection

Question
The technique which implements nonrepudiation is:
1. Hash
2. Secret Key Encryption
3. Digital Signature
4. IDS

Question
Anti-virus software typically implements which type of defensive software:
1. Neural Network
2. Statistical-based
3. Signature-based
4. Packet filter

Question
MD5 is an example of what type of software:
1. Public Key Encryption
2. Secret Key Encryption
3. Message Authentication
4. PKI

Question
A personal firewall implemented as part of the OS or antivirus software qualifies as a:
1. Dual-homed firewall
2. Packet filter
3. Screened host
4. Bastion host

Jamie Ramon MD, Doctor
Chris Ramon RD, Dietician
Terry, Licensed Practicing Nurse
Pat, Software Consultant

HEALTH FIRST CASE STUDY
Designing Network Security

Define Services & Servers
Which data can be grouped together by role and sensitivity/criticality?
Service Name | Sensitivity Class. | Roles Access | Server Name
(Sensitivity classes with example services: Confidential: Management; Privileged: Contracts; Public: Web Pages)

Defining Services which can Enter and Leave the Network
Service | Source (e.g., home, world, local computer) | Destination (local server, home, world, etc.)

Defining Zones and Controls
Compartmentalization:
Zone = Region (E.g., DMZ, wireless, internet)
Servers can be physical or virtual
Zone | Service | Server | Required Controls (Conf., Integrity, Auth., Nonrepud., with tools: e.g., Encryption/VPN)
Draw the Network Diagram
(Diagram, example: Internet -> Router -> Firewall; Demilitarized Zone: External DNS, Email, Public Web Server, E-Commerce; Zone 1: Student Labs & Files; Zone 2: Faculty Labs & Files; Zone 3: Student Data: Student Scholastic, Student Records, Student Billing, Student History, Transcripts)

Reference
Slide # | Slide Title                                                          | Source of Information
        | Passive Attacks                                                      | CISA: page 331, 333, 352
        | Some Active Attacks                                                  | CISA: page 330, 332, 352
10      | Man-in-the Middle Attack                                             | CISA: page 331
12      | Password Cracking: Dictionary Attack & Brute Force                   | CISA: page 330
14      | Botnets                                                              | CISA: page 330
15      | Distributed Denial of Service                                        | CISA: page 330
23      | Packet Filter Firewall                                               | CISA: page 353, 354
24      | Firewall Configurations                                              | CISA: page 353, 355
25      | Firewall Configurations                                              | CISA: page 354
26      | Multi-Homed Firewall: Separate Zones                                 | CISA: page 355
33      | Intrusion Detection Systems (IDS) / Intrusion Prevention System (IPS) | CISA: page 355, 356
34      | IDS Intelligence Systems                                             | CISA: page 356
35      | Honeypot & Honeynet                                                  | CISA: page 356, 357
37      | Encryption Secret Key                                                | CISA: page 357
38      | Public Key Encryption                                                | CISA: page 357, 358
39      | Remote Access Security                                               | CISA: page 361
40      | Secure Hash Functions                                                | CISA: page 359, 361, 362
41      | Digital Signature                                                    | CISA: page 359
42      | Public Key Infrastructure (PKI)                                      | CISA: page 359, 360
