Technologies and methodologies exist that can help safeguard against spoofing. These include the following:

■ Using firewalls to guard against unauthorized transmissions
■ Not relying on the expectation that using undocumented protocols will protect you (security through obscurity)
■ Using various cryptographic algorithms to provide differing levels of authentication
Subtle attacks are far more effective than obvious ones, and spoofing has an advantage in this respect over a straight vulnerability exploit. The concept of spoofing includes pretending to be a trusted source, thereby increasing the chances that the attack will go unnoticed. If the attack uses only occasional induced failures as part of its subtlety, users will often chalk them up to the normal problems that occur all the time. By careful application of this technique over time, users' behavior can often be manipulated.
EXERCISE 9.4 ARP Spoofing
Address Resolution Protocol (ARP) spoofing can be quickly and easily done with a variety of tools, most of which are designed to work on UNIX OSs. One of the best all-around suites is a package called dsniff. It contains an ARP spoofing utility and a number of other sniffing tools that can be beneficial when spoofing.
To make the most of dsniff, you'll need a Layer 2 switch into which all of your lab machines are plugged. It is also helpful to have various other machines doing routine activities such as Web surfing, checking POP mail, or using Instant Messenger software.
1. To run dsniff for this exercise, you will need a UNIX-based machine. To download the package and to check compatibility, visit the dsniff Web site at www.monkey.org/~dugsong/dsniff
Test Day Tip
Knowledge of TCP/IP is really helpful when dealing with spoofing and sequence attacks. Having a good grasp of the fundamentals of TCP/IP will make the attacks seem less abstract. Additionally, knowing not only what these attacks are but also how they work will better prepare you to answer test questions.
2. After you've downloaded and installed the software, you will see a utility called arpspoof. This is the tool that we'll be using to impersonate the gateway host. The gateway is the host that routes the traffic to other networks.
3. You'll also need to make sure that IP forwarding is turned on in your kernel; otherwise the packets you intercept are dropped instead of being relayed, the victims lose connectivity, and the attack becomes obvious. If you're using *BSD UNIX, you can enable this with the sysctl command (sysctl -w net.inet.ip.forwarding=1); on Linux the equivalent is sysctl -w net.ipv4.ip_forward=1. After this has been done, you should be ready to spoof the gateway.
4. arpspoof is a really flexible tool. It will allow you to poison the ARP caches of the entire LAN or, with the -t option, target a single host. Poisoning is the act of tricking the other computers into thinking that you are another host. The usage is as follows:
home# arpspoof -i fxp0 10.10.0.1
This will start the attack using interface fxp0 and will intercept any packets bound for 10.10.0.1. The output will show you the forged ARP replies it is sending. Congratulations, you've just become your gateway.
5. You can leave the arpspoof process running and experiment in another window with some of the various sniffing tools that dsniff offers. dsniff itself is a jack-of-all-trades password grabber: it will fetch passwords for Telnet, FTP, HTTP, Instant Messaging (IM), Oracle, and almost any other password that is transmitted in the clear. Another tool, mailsnarf, will grab any and all e-mail messages it sees and store them in a standard Berkeley mbox file for later viewing. Finally, one of the more visually impressive tools is webspy. This tool will grab URL strings sniffed from a specified host and display them on your local terminal, giving the appearance of surfing along with the victim.
You should now have a good idea of the kind of damage an attacker can do with ARP spoofing and the right tools. This should also make clear the importance of encrypting data in transit rather than trusting the network. In addition, any misconceptions about the security or sniffing protection provided by switched networks should now be alleviated, thanks to the magic of ARP spoofing!
Man-in-the-Middle Attacks
As you have probably already begun to realize, the TCP/IP protocols were not designed with security in mind and contain a number of fundamental flaws that simply cannot be fixed due to the nature of the protocols. One issue that has resulted from IPv4's lack of security is the MITM attack. To fully understand how a MITM attack works, let's quickly review how TCP/IP works.
TCP/IP was formally introduced in 1974 by Vinton Cerf and Robert Kahn. The original purpose of TCP/IP was not to provide security; rather, it was to provide high-speed, reliable communication over network links.
A TCP/IP connection is formed with a three-way handshake. As seen in Figure 9.9, a host (Host A) that wants to send data to another host (Host B) will initiate communications by sending a SYN packet. The SYN packet contains, among other things, the source and destination IP addresses, the source and destination port numbers, and Host A's initial sequence number. Host B will respond with a SYN/ACK that carries its own initial sequence number and acknowledges Host A's. The SYN/ACK from Host B prompts Host A to send an ACK, and the connection is established.
If a malicious individual can place himself between Host A and Host B, for example by compromising an upstream router belonging to the ISP of one of the hosts, he can then monitor the packets moving between the two hosts. It is then possible for the malicious individual to analyze and change packets coming and going to the host. It is quite easy for a malicious person to perform this type of attack on Telnet sessions, but the attacker must first know the right TCP sequence number and properly modify the data for this type of attack to actually work, all before the session times out waiting for the response. Obviously, doing this manually is hard to pull off; however, tools designed to watch for and modify specific data have been written and work very well.
There are a few ways in which you can make MITM attacks harder, such as using a TCP/IP implementation that generates TCP sequence numbers that are as close to truly random as possible. Be clear about what that buys you: sequence-number prediction matters when the attacker is off the path and has to inject blind, but an attacker who actually sits in the path reads the sequence numbers directly from the traffic. Against that attacker the real defense is protecting the session with encryption and authentication of both ends (SSH or IPSec instead of Telnet), so that traffic cannot be read or altered without detection.
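The handshake above, worked through as an added Python example (this is not code from the original text or from any real TCP stack). It models Host A's SYN, Host B's SYN/ACK and A's ACK with sequence and acknowledgement numbers, then shows why an off-path attacker C who can extrapolate B's next initial sequence number (ISN) can complete a handshake blind using A's address, while a CSPRNG-drawn ISN defeats the guess. The fixed-step generator, the host letters, and the constant 64000 step are assumptions made for the example.

```python
import os
import struct
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str  # "SYN", "SYN/ACK" or "ACK"


class PredictableISN:
    """Old-style ISN generator: each new connection gets the previous ISN plus a
    fixed step. Assumed behaviour for the example; early stacks used such schemes."""

    def __init__(self, start=1000, step=64000):
        self.next = start
        self.step = step

    def __call__(self):
        isn = self.next
        self.next = (self.next + self.step) % 2**32
        return isn


class RandomISN:
    """ISN drawn from the OS CSPRNG, approximating what current stacks do."""

    def __call__(self):
        return struct.unpack("!I", os.urandom(4))[0]


def handshake(client_isn, server_isn_gen, client="A", server="B"):
    """Return the three segments of Figure 9.9: SYN, SYN/ACK, ACK."""
    syn = Segment(client, server, seq=client_isn, ack=0, flags="SYN")
    synack = Segment(server, client, seq=server_isn_gen(), ack=syn.seq + 1, flags="SYN/ACK")
    ack = Segment(client, server, seq=syn.seq + 1, ack=synack.seq + 1, flags="ACK")
    return syn, synack, ack


def server_accepts(synack, segment):
    """Host B completes the connection only if the ACK acknowledges its ISN + 1."""
    return segment.flags == "ACK" and segment.ack == (synack.seq + 1) % 2**32


def blind_spoof(observed_isns, server_isn_gen, victim="A", server="B"):
    """Attacker C has seen two of B's ISNs (from its own legitimate connections),
    extrapolates the next one, and forges the final ACK for a SYN it sent with
    A's source address. C never sees the real SYN/ACK, because it goes to A."""
    step = (observed_isns[-1] - observed_isns[-2]) % 2**32
    guessed = (observed_isns[-1] + step) % 2**32
    syn = Segment(victim, server, seq=42, ack=0, flags="SYN")
    real_synack = Segment(server, victim, seq=server_isn_gen(), ack=syn.seq + 1, flags="SYN/ACK")
    forged_ack = Segment(victim, server, seq=syn.seq + 1, ack=(guessed + 1) % 2**32, flags="ACK")
    return server_accepts(real_synack, forged_ack)


def attack_succeeds(server_isn_gen):
    """C learns two ISNs from its own connections to B, then tries the blind spoof."""
    observed = [handshake(1, server_isn_gen, client="C")[1].seq for _ in range(2)]
    return blind_spoof(observed, server_isn_gen)


if __name__ == "__main__":
    print("predictable ISN, blind spoof succeeds:", attack_succeeds(PredictableISN()))
    print("random ISN, blind spoof succeeds:", attack_succeeds(RandomISN()))
```

Note what the model does not cover: an attacker already in the path (the MITM case) sees the SYN/ACK and needs no guess at all, which is why random ISNs are a defense against blind injection but not against a compromised router.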
Replay Attacks
In a replay attack, a malicious person captures an amount of sensitive traffic and then simply replays it back to the host in an attempt to replicate the transaction. For example, consider an electronic money transfer. User A transfers a sum of money to Bank B. Malicious User C captures User A's network traffic, and then replays the transaction in an attempt to cause the transaction to be repeated multiple times. Obviously, this attack has no benefit to User C but could result in User A losing money. Replaying a raw TCP capture at a live host is unlikely to succeed, because the host will not accept segments with stale sequence numbers, and predicting the sequence numbers of a new connection is difficult. However, it has been proven that the formula for generating random TCP sequence numbers, especially in older OSs, isn't truly random or even difficult to predict, which makes this attack possible. Note also that the protection TCP provides is incidental: if the application protocol itself carries nothing that ties a request to one moment in time, User C can simply open a fresh connection and resend the captured transfer request, and no sequence-number guessing is needed.
FIGURE 9.9 A Standard TCP/IP Handshake. [Figure: Host A sends SYN; Host B replies SYN/ACK; Host A sends ACK]
Another potential scenario for a replay attack is this: an attacker replays the captured data with all potential sequence numbers, in hopes of getting lucky and hitting the right one, thus causing the user's connection to drop, or in some cases, inserting arbitrary data into a session.
As with MITM attacks, the use of random TCP sequence numbers and encryption such as SSH or IPSec can help defend against this problem. The use of time stamps also helps defend against replay attacks, as does a per-message nonce or counter that the receiver remembers, so that a second copy of an otherwise valid message is recognized and rejected.
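The time-stamp and nonce defense described above, as an added Python example (not the original text's code and not any real bank protocol). Each message carries a timestamp, a random nonce and an HMAC over payload, timestamp and nonce under a pre-shared key; the receiver rejects messages whose MAC fails, whose timestamp is outside an acceptance window, or whose nonce it has already seen inside that window. The key, the 30-second window and the transfer payload are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

KEY = b"shared-secret-demo-key"  # assumed pre-shared key, constructed for the example
MAX_SKEW = 30                    # seconds a message remains acceptable (assumed window)


def _body(msg):
    """Canonical bytes covered by the MAC: everything except the MAC itself."""
    return json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True).encode()


def make_message(payload, key=KEY, now=None):
    """Sender side: stamp the payload with time and a fresh nonce, then MAC it."""
    now = time.time() if now is None else now
    msg = {"payload": payload, "ts": int(now), "nonce": os.urandom(16).hex()}
    msg["mac"] = hmac.new(key, _body(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Receiver side: MAC check first, then freshness, then replay detection."""

    def __init__(self, key=KEY, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp; entries older than the window are pruned

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, _body(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "reject: bad mac"          # tampered, or forged without the key
        if abs(now - msg["ts"]) > self.max_skew:
            return "reject: stale"            # outside the window, no need to remember it
        # The window bounds how long nonces must be kept.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if msg["nonce"] in self.seen:
            return "reject: replay"           # same valid message seen a second time
        self.seen[msg["nonce"]] = msg["ts"]
        return "accept"


if __name__ == "__main__":
    bank = Receiver()
    transfer = make_message({"from": "A", "to": "B", "amount": 100})
    print(bank.accept(transfer))   # accept
    print(bank.accept(transfer))   # reject: replay
```

The timestamp alone would let an attacker replay within the window; the nonce cache closes that gap, and the timestamp in turn keeps the cache from growing without bound.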
DoS
Even with the most comprehensive filtering in place, all firewalls are still vulnerable to DoS attacks. These attacks attempt to render a network inaccessible by flooding a device such as a firewall with packets to the point that it can no longer accept valid packets. This works by overloading the processor of the firewall, forcing it to attempt to process a number of packets far past its limitations. By performing a DoS attack directly against a firewall, an attacker may be able to overload its buffers and, on a device that fails open, get it to start letting all traffic through without filtering it; more commonly it causes the firewall to shut down altogether, disrupting normal network functions. If a technician is alerted to an attack of this type, one way to fend off the attack is to block the specific IP address that the attack is coming from at the router. This only helps when the source address is genuine; a flood sent with spoofed source addresses cannot be stopped by a per-address block.
Distributed DoS
An alternative attack that is more difficult to defend against is the distributed DoS (DDoS) attack. This attack is worse because it comes from a large number of computers at the same time. This is accomplished either by the attacker having a large distributed network of systems all over the world (unlikely) or by infecting normal users' computers with a Trojan horse application, which allows the attacker to force the systems to attack specific targets without the end user's knowledge. These end-user computers are systems that have been attacked in the past and infected with a Trojan horse by the attacker. By doing this, the attacker is able to set up a large number of systems (called zombies) to perform a DoS attack at the same time. This type of attack constitutes a DDoS attack. Performing an attack in this manner is more effective due to the number of packets being sent, and because no single source sends enough traffic to stand out, so blocking individual addresses does little good. In addition, it introduces another layer of systems between the attacker and the target, making the attacker more difficult to trace.
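An added Python example (not from the original text) of the accounting a technician would do to tell the two cases apart: it tallies half-open (SYN_RECV) connections per source from a connection table and reports whether a single source can be blocked or whether the load is spread so thinly that a per-address block is useless. The records, thresholds and addresses are constructed for the example.

```python
from collections import Counter

# Constructed connection-table records: (source_ip, state), in the shape a
# firewall or "netstat -n" listing would give. Nothing here is real traffic.


def single_source_flood(n=500):
    return [("203.0.113.7", "SYN_RECV")] * n + [("198.51.100.2", "ESTABLISHED")] * 20


def distributed_flood(n_sources=250, per_source=2):
    recs = []
    for i in range(n_sources):
        recs += [(f"10.{i // 256}.{i % 256}.1", "SYN_RECV")] * per_source
    return recs + [("198.51.100.2", "ESTABLISHED")] * 20


def analyze(records, per_source_limit=50, total_limit=200):
    """Classify the half-open load. Thresholds are assumed for the example."""
    half_open = Counter(src for src, state in records if state == "SYN_RECV")
    total = sum(half_open.values())
    offenders = sorted(src for src, n in half_open.items() if n > per_source_limit)
    if total <= total_limit:
        return {"flood": False, "block": []}
    if offenders:
        # One or a few sources carry the load: a router block on them is effective.
        return {"flood": True, "kind": "single-source", "block": offenders}
    # Aggregate is far over the limit but no source crosses its own limit:
    # that is the DDoS signature, and there is nothing useful to block.
    return {"flood": True, "kind": "distributed", "block": [], "sources": len(half_open)}


if __name__ == "__main__":
    print(analyze(single_source_flood()))
    print(analyze(distributed_flood()))
```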
Domain Name Kiting
Domain Name Kiting is when someone purchases a domain name, then soon after deletes the registration only to immediately reregister it. Because there is normally a five-day registration grace period offered by many domain name registrars, domain kiters abuse this grace period by canceling the domain name registrations to avoid paying for them. This way they can use the domain names without cost.
Because the grace period offered by registrars allows the registration of a domain name to be canceled without cost or penalty as long as the cancellation comes within five days of the registration, you can effectively own and use a domain name during this short timeframe without actually paying for it.
It has become relatively easy to drop a domain name and claim the refund at the end of the grace period, and by taking advantage of this process, abusers are able to keep the registrations active on their most revenue-generating sites by cycling through cancellations and an endless refresh of their chosen domain name registrations. Because no cost is involved in turning over the domain names, domain kiters make money from domains they are not paying for.
Domain Name Tasting
Another concept that is very similar to Domain Name Kiting is called Domain Name Tasting. The two are similar in that they are both abuses of domain names and the grace period associated with them. Domain Name Tasters register a domain name to exploit the Web site name for profit. Domain name investors will register groups of domain names to determine which namespaces will generate revenue through search engine queries and pay-per-click advertising mechanisms. They will often register typos of legitimate business sites, hoping for human error to land Internet travelers on their Web sites, which in turn increases their bottom line.
If it is determined that a specific domain name is not returning a profit for the tasters, then they will simply drop the domain name, claim a refund, and continue on to the next group of names.
DNS Poisoning
DNS poisoning or DNS cache poisoning occurs when a server is fed altered or spoofed records that are then retained in the DNS server cache. Once the DNS cache on a server has been "poisoned" in this fashion, since servers use their cache as the first mechanism to respond to incoming requests, all additional queries for the same record will be answered with the falsified information until the record expires.
Attackers can use this method to redirect valid requests to malicious sites. The malicious sites may be controlled by the offender and contain viruses or worms that are distributed, or they may simply be offensive sites already in existence on the Internet. For example, imagine if your child were to type in www.barbie.com and, instead of connecting to a pretty pink site with Barbie dolls and Barbie games, ended up on an adult pornographic Web site.
DNS poisoning is a real threat, which can be reduced by taking a few security precautions. First, by ensuring that your DNS server is up-to-date on patches and updates for known vulnerabilities, you will help to ensure the safety of your DNS cache; in particular, a resolver must use unpredictable transaction IDs and source ports and must accept only answers that match a query it actually sent. Also, by taking advantage of secure DNS whenever possible and using digital signatures (DNSSEC), you will help to reduce the threat of DNS poisoning, because a forged record that lacks a valid signature chain is rejected rather than cached.
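The matching and caching checks above, as an added Python example (not from the original text and not a real resolver). A toy stub resolver issues queries with random transaction IDs and source ports, accepts a response only if it matches an outstanding query's ID, port and question, and caches only records that fall inside the zone that was asked about, so an attacker cannot smuggle an answer for some other name into the cache as an "additional" record. The names, addresses and the parent-domain bailiwick rule are assumptions made for the example.

```python
import os
import struct
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int
    sport: int
    qname: str


@dataclass
class Response:
    txid: int
    dport: int     # UDP port the answer was sent to; must equal the query's source port
    qname: str
    answers: dict  # name -> IP, including any "additional" records the server attached


@dataclass
class ResolverCache:
    outstanding: dict = field(default_factory=dict)  # txid -> Query awaiting an answer
    cache: dict = field(default_factory=dict)        # name -> IP; later queries are served from here
    rejected: list = field(default_factory=list)     # (reason, detail) kept for review

    def send_query(self, qname):
        """Random 16-bit transaction ID and random source port, as RFC 5452 requires."""
        txid = struct.unpack("!H", os.urandom(2))[0]
        sport = 1024 + struct.unpack("!H", os.urandom(2))[0] % 60000
        q = Query(txid, sport, qname)
        self.outstanding[txid] = q
        return q

    def receive(self, resp):
        """Accept an answer only if it matches an outstanding query, then cache
        only the records that lie inside the zone that was asked about."""
        q = self.outstanding.get(resp.txid)
        if q is None or q.sport != resp.dport or q.qname != resp.qname:
            self.rejected.append(("unsolicited or mismatched", resp.qname))
            return False
        del self.outstanding[resp.txid]  # a second copy of this answer is now unsolicited
        # Toy bailiwick rule: the parent domain of the queried name. A real resolver
        # uses the zone the answering server is authoritative for.
        zone = q.qname.split(".", 1)[1]
        for name, ip in resp.answers.items():
            if name == q.qname or name.endswith("." + zone):
                self.cache[name] = ip
            else:
                self.rejected.append(("out of bailiwick", name))
        return True


if __name__ == "__main__":
    r = ResolverCache()
    q = r.send_query("www.example.com")
    r.receive(Response(q.txid, q.sport, "www.example.com",
                       {"www.example.com": "192.0.2.10", "www.bank.example": "203.0.113.66"}))
    print(r.cache)     # only www.example.com is cached
    print(r.rejected)  # www.bank.example was refused
```

With only a 16-bit ID to guess, an attacker flooding forged answers has a real chance of a hit; the random source port multiplies the search space, and the bailiwick rule limits what a lucky hit can poison. DNSSEC signatures remove the guessing game entirely.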
ARP Poisoning
ARP is a broadcast-based protocol that functions at Layer 2 of the OSI model. Its purpose is to map a known IP address to its corresponding Media Access Control (MAC) address in order for a packet to be properly addressed. A MAC address is a unique number assigned to network interface cards (NICs) by their manufacturers. ARP poisoning occurs when a client machine sends out an ARP request for another machine's MAC address information and is sent falsified information instead; because ARP has no authentication and most stacks also accept replies they never asked for, the attacker does not even need to wait for a request. The spoofed ARP message allows the attacker to associate a MAC address of their choosing with a particular IP address, which means any traffic meant for that IP address would be mistakenly sent to the attacker instead. This opens the door for many attack mechanisms to be used. Once the data has been intercepted, the attacker could choose to modify the data before forwarding it, which is called a MITM attack, or even launch a denial-of-service attack against a victim by associating a nonexistent MAC address with the IP address of the victim's default gateway.
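An added Python example (not from the original text, nor part of dsniff) covering both this section and Exercise 9.4 from the defender's side: it parses raw Ethernet/ARP frames and flags the two signatures an arpspoof run leaves behind, an IP address whose MAC binding changes, and one MAC address that answers for more than one IP (the gateway and the victim). The frames are constructed inside the block with a small builder; the MAC and IP addresses are made up for the example and nothing is captured from a live network.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II frame carrying an ARP reply (RFC 826 layout)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, 6, 4, reply
    arp += sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


class ArpWatcher:
    """Tracks IP-to-MAC bindings seen in ARP replies and records anomalies."""

    def __init__(self):
        self.bindings = {}               # ip -> mac most recently claimed
        self.claimed = defaultdict(set)  # mac -> set of IPs it has answered for
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return
        _, smac, sip = parsed
        old = self.bindings.get(sip)
        if old is not None and old != smac:
            self.alerts.append(f"{sip} changed from {old} to {smac}")
        self.bindings[sip] = smac
        self.claimed[smac].add(sip)
        if len(self.claimed[smac]) > 1:
            self.alerts.append(f"{smac} claims {sorted(self.claimed[smac])}")


def demo():
    """Constructed scenario: one honest reply, then the two replies arpspoof sends."""
    gw_mac, gw_ip = mac("00:11:22:33:44:01"), ip("10.10.0.1")
    victim_mac, victim_ip = mac("00:11:22:33:44:02"), ip("10.10.0.20")
    attacker_mac = mac("de:ad:be:ef:00:01")
    frames = [
        build_arp_reply(gw_mac, gw_ip, victim_mac, victim_ip),        # real gateway answers
        build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip),  # "arpspoof -i fxp0 10.10.0.1"
        build_arp_reply(attacker_mac, victim_ip, gw_mac, gw_ip),      # attacker also answers for the victim
    ]
    w = ArpWatcher()
    for f in frames:
        w.observe(f)
    return w.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The first alert is the classic arpwatch "flip-flop"; the second catches the two-sided poisoning that lets the attacker forward traffic in both directions. Static ARP entries for the gateway on critical hosts, or dynamic ARP inspection on the switch, stop the poisoning rather than merely reporting it.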
NETWORK ACCESS SECURITY
No network security exam would be complete without discussing the concepts of Access Control, Authentication, and Auditing (AAA). These three components together make up the concept of Network Access Security. AAA comprises the most basic fundamentals of work in the IT security field and is critical for any IT security practitioner to understand. In this section, you will be introduced to Network Authentication and its finer details.
Introduction to AAA
AAA is a set of primary concepts that aid in understanding computer and network security as well as access control. These concepts are used daily to protect property, data, and systems from intentional or even unintentional damage. AAA is used to support the confidentiality, integrity, and availability (CIA) security concept, in addition to providing the framework for access to networks and equipment using Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS/TACACS+).
A more detailed description of AAA is discussed in RFC 3127, which can be found at http://tools.ietf.org/html/rfc3127. This RFC contains an evaluation of various existing protocols against the AAA requirements and can help you understand the specific details of these protocols. The AAA requirements themselves can be found in RFC 2989, located at http://tools.ietf.org/html/rfc2989.
What is AAA?
AAA is a group of processes used to protect the data, equipment, and confidentiality of property and information. As mentioned earlier, one of the goals of AAA is to provide CIA. CIA can be briefly described as follows:

■ Confidentiality: The contents or data are not revealed to anyone not authorized to see them
■ Integrity: The contents or data are intact and have not been modified
■ Availability: The contents or data are accessible when needed, if access is allowed

AAA consists of three separate areas that work together. These areas provide a level of basic security in controlling access to resources and equipment in networks. This control allows administrators to provide services that assist in the CIA process for further protection of systems and assets.
Access Control
Access control can be defined as a policy, software component, or hardware component that is used to grant or deny access to a resource. This can be an advanced component such as a Smart Card, a biometric device, or network
HEAD OF THE CLASS...
Clarification of Two Key Acronyms
Two specific abbreviations need to be explained to avoid confusion. For general security study, AAA is defined as "Access Control, Authentication, and Auditing." Do not confuse this with Cisco's implementation and description of AAA, which is "Authentication, Authorization, and Accounting" (the same meaning used by the IETF RFCs cited above).
The second abbreviation requiring clarification is CIA. For purposes of the Network+ exam, CIA is defined as "confidentiality, integrity, and availability." Other literature and resources such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) guidelines may refer to CIA as "confidentiality, integrity, and authentication."
access hardware such as routers, remote access points such as Remote Access Service (RAS) and VPNs, or even the use of wireless access points (WAPs). It can also be file or shared resource permissions assigned through the use of a network OS (NOS) such as Microsoft Windows with Active Directory or UNIX systems using Lightweight Directory Access Protocol (LDAP), Kerberos, or Sun Microsystems' Network Information System (NIS) and Network Information System Plus (NIS+). Finally, it can be a rule set that defines the operation of a software component limiting entrance to a system or network.
Authentication
Authentication can be defined as the process used to verify that a machine or user attempting access to the network or resources is, in fact, the entity being presented. For this chapter, nonrepudiation is the method used (time stamps, particular protocols, or authentication methods) to ensure that the presenter of the authentication request cannot later deny that they were the originator of the request. In the following sections, authentication methods include presentation of credentials (such as a username and password, Smart Card, or personal identification number [PIN]) to a NOS (logging on to a machine or network), remote access authentication, and a discussion of certificate services and digital certificates. The authentication process uses the information presented to the NOS (such as username and password) to allow the NOS to verify the identity based on those credentials.
Auditing
Auditing is the process of tracking and reviewing events, errors, access, and authentication attempts on a system. Much like an accountant's procedure for keeping track of the flow of funds, you need to be able to follow a trail
NOTES FROM THE FIELD...
Let's Talk About Access and Authentication
The difference between access control and authentication is very important. Access control is used to control the access to a resource through some means. This could be thought of as a lock on a door or a guard in a building. Authentication, on the other hand, is the process of verifying that the person trying to access whatever resource is being controlled is who they claim to be and is authorized to access the resource. In our analogy, this would be the equivalent of trying the key or having the guard check your name against a list of authorized people. So in summary, access control is the lock and authentication is the key.
of access attempts, access grants or denials, machine problems or errors, and other events that are important to the systems being monitored and controlled. In the case of security auditing, you will learn about the policies and procedures that allow administrators to track access (authorized or unauthorized) to the network, local machine, or resources. Auditing is not enabled by default in many NOSs, and administrators must often specify the events or objects to be tracked. This becomes one of the basic lines of defense in the security and monitoring of network systems. Tracking is used along with regular reviewing and analysis of the log files generated by the auditing process to better understand whether the access controls are working. A log that nobody reads provides no defense at all.
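An added Python example (not from the original text) of the review step: it parses authentication records in the sshd syslog format and flags the two things a reviewer of an audit trail looks for first, a source that fails repeatedly and a success from that source after the failures. The log lines, host names, addresses and the five-failure threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed audit records in sshd's syslog format; none of this is real traffic.
LOG_LINES = """\
Mar  3 10:01:12 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:14 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  3 10:01:16 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 10:01:18 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar  3 10:01:20 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar  3 10:01:22 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51027 ssh2
Mar  3 10:02:40 host1 sshd[2210]: Accepted password for root from 203.0.113.9 port 51040 ssh2
Mar  3 10:05:00 host1 sshd[2230]: Accepted publickey for alice from 198.51.100.5 port 40122 ssh2
Mar  3 10:06:31 host1 sshd[2231]: Failed password for alice from 198.51.100.5 port 40130 ssh2
""".splitlines()

PATTERN = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(lines):
    """Turn each authentication line into a dict; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = PATTERN.search(line)
        if m:
            events.append(m.groupdict())
    return events


def review(events, fail_threshold=5):
    """Walk the trail in order and report brute force and success-after-failures."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            if failures[e["src"]] == fail_threshold:
                findings.append(f"brute force from {e['src']}: {fail_threshold} failures")
        elif failures[e["src"]] >= fail_threshold:
            # An accepted login from a source that was just guessing is the finding
            # that matters most: the guessing may have worked.
            findings.append(f"success for {e['user']} from {e['src']} after {failures[e['src']]} failures")
    return findings


if __name__ == "__main__":
    for finding in review(parse(LOG_LINES)):
        print(finding)
```

The order of the events matters: the same nine lines summarised as counts would show "7 failures, 2 successes" and hide the fact that the root login followed the guessing.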
Authentication Methods
Authentication, when looked at in its most basic form, is simply the process used to prove the identity of someone or something that wants access. This can involve highly complex and secure methods, which may involve higher costs and more time, or can be very simple. For example, if someone you personally know comes to your door, you visually recognize them, and if you want them to enter, you open the door. In this case, you have performed the authentication process through your visual recognition of the individual. All authentication processes follow this same basic premise: that we need to prove who we are, or who the individual, service, or process is, before we allow them to use our resources.
Authentication allows a sender and receiver of information to validate each other as the appropriate entities with which they want to work. If entities wishing to communicate cannot properly authenticate each other, there can be no trust in the activities or information provided by either party. Only through a trusted and secure method of authentication can administrators provide for trusted and secure communication or activity.
One-Factor
One-factor authentication, as simple as username and password combinations, has been used for authenticating users for many years. Most OSs have had some form of local authentication that could be used if the OS was designed to be used by multiple users. Windows, Novell NetWare, UNIX, and Linux have all had local authentication paths early in their development. Although this is the most common authentication method, it is not without its problems. From a security standpoint, it is important to understand that the first line of defense of a system is the creation and maintenance of a password policy that is enforced and workable. You need to both implement and enforce the policy to ensure that this rudimentary protection is in place in your network. Most OSs have methods of enforcing username/password policies.
Password policies that require a user-created password that is less than six characters long are generally regarded as having a low (or no) security level. Password policies that require between 8 and 13 characters are regarded as a medium security level. Policies requiring 14 or more characters are regarded as a high security level. These security levels are based on the difficulty of discovering the password through the use of dictionary and brute force attacks. In addition, all password policies, regardless of password length, should require that an acceptable password contain a combination of the following:

■ Uppercase and lowercase alphabetic characters
■ Numbers
■ Special characters
■ No dictionary words
■ No portion of the username in the password
■ No personal identifiers, including birthdays, social security number, pet's name, and so forth

To achieve the medium security level, require eight characters, including uppercase and lowercase letters, numbers, and special characters. For higher security, implement the medium security settings and additionally enforce no dictionary words and no use of the username in the password. Be aware that the higher the number of characters in a password, the more chance exists that the user will write the password down and leave it where it can be found. Most policies function well around the eight-character range and require periodic changes of the password as well as the use of special characters or numbers.
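The rules above, implemented as an added Python example (not from the original text and not any vendor's policy engine). The checker returns the section's level (low, medium or high) together with the specific rule violations, so a help desk can tell a user what to change rather than only that the password was refused. The five-word dictionary and the personal identifiers are constructed placeholders; a real deployment would load a full wordlist and pull identifiers from the user's record.

```python
import re

DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}  # constructed stand-in for a wordlist
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(pw, username, personal_ids=()):
    """Apply the section's rules and return (level, problems).

    Fewer than 8 characters or a missing character class is 'low'. Eight or
    more characters with all four classes is 'medium'. Fourteen or more that
    also avoid dictionary words, the username and personal identifiers is 'high'.
    """
    problems = []
    lowered = pw.lower()

    # Composition rules: length and character classes.
    missing = [name for name, rx in CLASSES.items() if not rx.search(pw)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if len(pw) < 8:
        problems.append(f"too short ({len(pw)} characters, need at least 8)")
    composition_ok = not problems

    # Content rules: the things a dictionary attack or a little research would find.
    content = []
    if any(word in lowered for word in DICTIONARY):
        content.append("contains a dictionary word")
    parts = [p for p in re.split(r"[._\-]", username.lower()) if len(p) >= 3]
    if any(p in lowered for p in parts):
        content.append("contains part of the username")
    for pid in personal_ids:
        if pid and pid.lower() in lowered:
            content.append(f"contains personal identifier {pid!r}")
    problems.extend(content)

    if not composition_ok:
        return "low", problems
    if len(pw) >= 14 and not content:
        return "high", problems
    return "medium", problems


if __name__ == "__main__":
    for pw in ("abc123", "Summer2024!", "Tq7#vLm2!pX9rW"):
        print(pw, check_password(pw, "jsmith", personal_ids=["1984"]))
```

Note that "Summer2024!" satisfies every composition rule and still only reaches medium: a dictionary word with a year and a symbol appended is exactly the pattern cracking wordlists are built from.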
The simplest form of authentication is the transmission of a shared password between entities wishing to authenticate each other. This can be as simple as a secret handshake or a key. As with all simple forms of protection, once knowledge of the secret key or handshake is disclosed to nontrusted parties, there can no longer be trust in who is using the secrets.
Many methods can be used by an unauthorized person to acquire a secret key, from tricking someone into disclosing it, to high-tech monitoring of communications between parties to intercept the key as it is passed between them. However the code is acquired, once it is in a nontrusted