Network Security: Lecture 8 Flashcards
Defence - Firewall policies and rule sets
Usually it is the rules, not the policies, that create vulnerabilities in firewalls.
Defence - Firewall
+ Packet filter
+ Stateless vs Stateful
- Stateless filters according to an access control list; it does not keep a connection profile, it just looks at each packet by itself. Lower security.
- Stateful keeps a connection profile, knowing which IP address is connected to it etc. Higher security, but higher overhead and resource use, as it needs to keep state tables.
Defence - Intrusion Detection Systems
- Detection device: when it spots something suspicious it will only generate an alert.
- Hub-based network: a hub is a broadcast device, so whatever any sender sends to any receiver is received by everybody; a NIDS hooked to the hub with its interface in promiscuous mode will hear everything transpiring across the network and can monitor it.
- Switch-based network: a switch is not a broadcast device but a point-to-point device that forwards based on its routing table, so the NIDS instead uses port mirroring: it listens on a mirror port that receives a copy of the traffic in and out.
- NIDS monitoring can be extended via Host-based IDS (HIDS) or agents to cover a larger network scope.
- Can be implemented as an Edge-IDS as well.
Defence - Intrusion Protection Systems
- The IDS is connected to the switch and does port mirroring, but the IPS is connected inline, since it has a protection role: when it detects something suspicious in the flow it will block it or quarantine it for further analysis.
- Resources needed for an IPS are greater, as it needs to store suspicious packets.
Defence - Proxies
- Somewhere in between a firewall and an IPS: does deep packet inspection (DPI), inspecting the packets themselves, and helps to connect the packet to the real flow or redirect it if suspicious.
- Compute intensive; must cater separately for each protocol.
- High requirements, slower; can't really be used for real-time services, more for the business/enterprise domain where network flow is not so high.
Defence - VPNs
- Supports encryption and authentication
- Contains Authentication, Tunneling, Encryption
Defence - Honeypots
- Acts as a decoy, usually set up in a VM or in the cloud and connected to the network; has a lot of deliberately open ports, no anti-virus etc.
- Must not be static: change configuration over time as the volume of traffic changes, change IP etc.; sometimes comes with machine learning.
Exploit - Port Spoofing
- Need to inspect not only the header but the body of packets as well, as it might contain malicious SSH (port 22) commands.
Port Scanning & Enumeration
- Goal is to find the port status and the applications running behind the port: whether the port is open (can do something), closed (cannot do anything) or filtered (might be able to do something).
- Use Zenmap, the GUI version of nmap.
Basic Scan
+ TCP Connect() Scan
- SYN -> SYN ACK / RST ACK / No response -> (If receives SYN ACK) ACK
+ Half-Open Scan
- More stealthy, as it doesn't seek to establish a connection.
- SYN -> SYN ACK / RST ACK / No response -> (If receives SYN ACK) RST
Advanced Scan
+ Random Scan
- Randomize the sequence of the scan.
+ Slow Scan
- Don’t scan too long
+ Fragmentation Scan
- Break packets up
+ Decoy Scan
- Use many scanners; only one of them is real.
+ Coordinated Scan
- Strategy: have a team do the scanning, split the work among the group and organise the scan in a coordinated way.
Routers
- Wardriving
- Set up an evil twin access point with virtual Wi-Fi routers.
Denial of Service (DoS)
- High Orbit Ion Cannon
- Low Orbit Ion Cannon
DDoS
- A malicious sender sends a request with a spoofed source address to a server, making it think the request came from the victim, so the server sends its response to the victim. When many servers do this to the victim it causes a DDoS.
Sniffing
Passive
- Hub-based network
Active
- Switch-based network (uses MAC addresses): poison the routing table using Address Resolution Protocol (ARP) poisoning.
ARP Spoofing (ARP Poisoning)
- Spoof as one of the endpoints (host)
- Spoof as the network switch (gateway)
+ ARP Poisoning via Broadcast Request
+ ARP Poisoning via Request Response
+ ARP Poisoning via Unsolicited Response