Section 1: Network Security Essentials Flashcards
1.1
Architecture: Conceptual Network Design
documents the network profile selected to meet the defined requirements for the network. It includes a network profile alternatives evaluation, with supporting risk assessment, and a preliminary configuration design expressed as a network generic level component schematic showing the technologies and standards selected.
Architecture: Logical Network Design
a virtual representation of a network that appears to the user as an entirely separate and self-contained network even though it might physically be only a portion of a larger network or a local area network. It might also be an entity that has been created out of multiple separate networks and made to appear as a single network.
Architecture: Physical Network Design
The interconnected structure of a local area network (LAN). The method employed to connect the physical devices on the network with cables, and the type of cabling used, together constitute the physical topology. The physical design should also record operating systems and versions, and any physical limitations or circumstances.
Architecture: Communication flow
Every data exchange, control message, or other communication should be diagrammed regardless of its purpose.
Architecture: Data location
Diagram where every last file of your valuable data resides.
Threat Enumeration, and mapping
A process used to discover potential attack vectors in the system; the same information can be used for further exploitation of the system.
Enumeration is used to gather the following:
- Usernames and group names
- Hostnames
- Network shares and services
- IP tables and routing tables
- Service settings and audit configurations
- Applications and banners
- SNMP and DNS details
Defining Threat Agents
Defining network vulnerabilities
Identifying Critical data
Identifying the greatest commonalities among these to focus network hardening
Threat agent
A capable and motivated group that is able to compromise the network.
- how active
- what motivates them
cyber criminals
cyber espionage
hacktivist
Router Attacks: Denial of Service
Ping flood, also known as ICMP flood, is a common Denial of Service (DoS) attack in which an attacker takes down a victim’s computer by overwhelming it with ICMP echo requests, also known as pings.
The attack involves flooding the victim’s network with request packets, knowing that the network will respond with an equal number of reply packets. Additional methods for bringing down a target with ICMP requests include the use of custom tools or code, such as hping and scapy.
This strains both the incoming and outgoing channels of the network, consuming significant bandwidth and resulting in a denial of service.
Router Attacks: distributed denial-of-service (DDoS)
uses a number of hosts to overwhelm a server, causing a website to experience a complete system crash. This type of denial-of-service attack is perpetrated by hackers to target large-scale, far-reaching and popular websites in an effort to disable them, either temporarily or permanently. This is often done by bombarding the targeted server with information requests, which disables the main system and prevents it from operating. This leaves the site’s users unable to access the targeted website.
DDoS differs from a denial-of-service (DoS) attack in that it uses several hosts to bombard a server, whereas in a DoS attack, a single host is used.
Router Attacks: Packet Sniffing
A utility that sniffs without modifying the network’s packets in any way. By comparison, a firewall also sees all of a computer’s packet traffic, but it has the ability to block and drop any packets that its rules dictate. Packet sniffers merely watch, display, and log this traffic. They rely on the promiscuous mode setting of a network adapter.
Router Attacks: Packet Misrouting
A kind of packet mistreatment attack in which a malicious router misroutes packets so that triangle routing is formed. This kind of attack is very difficult to detect and is still considered an open problem; it can be launched through router configuration alone.
Router Attacks: Cross-Site Scripting
Also known as XSS, a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Using MAC XSS and location services to locate someone.
Router Attacks: Cross-site request forgery
Also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.[2] There are many ways in which a malicious website can transmit such commands; specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user’s interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser. The script can also be used to take over a router, but resetting the system generally gets rid of the script unless it is saved to the startup configuration.
Router Attacks: SYN Flood
Uses the TCP three-way handshake as a vector. A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or spoof the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it “knows” that it never sent a SYN.
The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK. However, in an attack, the half-open connections created by the malicious client bind resources on the server and may eventually exceed the resources available on the server. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way.
Router Attacks: TCP Reset Attack
Also known as “forged TCP resets”, “spoofed TCP reset packets” or “TCP reset attacks”, a way to tamper with and terminate an Internet connection by sending a forged TCP reset packet. This technique can be used legitimately by a firewall, or abused by a malicious attacker to interrupt Internet connections.
The Great Firewall of China is known to use TCP reset attack to interfere with and block connections, as a major method to carry out Internet censorship.
In a stream of packets of a TCP connection, each packet contains a TCP header. Each of these headers contains a bit known as the “reset” (RST) flag. In most packets this bit is set to 0 and has no effect; however, if this bit is set to 1, it indicates to the receiving computer that the computer should immediately stop using the TCP connection; it should not send any more packets using the connection’s identifying numbers, called ports, and discard any further packets it receives with headers indicating they belong to that connection. A TCP reset basically kills a TCP connection instantly.
In the scenario above, the TCP reset bit was sent by a computer that was one of the connection endpoints. It is possible for a third computer to monitor the TCP packets on the connection and then send a “forged” packet containing a TCP reset to one or both endpoints. The headers in the forged packet must indicate, falsely, that it came from an endpoint, not the forger. This information includes the endpoint IP addresses and port numbers. Every field in the IP and TCP headers must be set to a convincing forged value for the fake reset to trick the endpoint into closing the TCP connection. Properly formatted forged TCP resets can be a very effective way to disrupt any TCP connection that the forger can monitor.
Router Attacks: Routing Table Poisoning
The modification of routing tables. An attacker can do this by maliciously modifying the routing information update packets sent by routers. This is a challenging and important problem, as a routing table is the basis of routing in the Internet. Any false entry in a routing table could lead to significant consequences, such as congestion, an overwhelmed host, looping, illegal access to data, and network partition. Two types of routing table poisoning attacks are the link attack and the router attack. A link attack occurs when a hacker gets access to a link and thereby intercepts, interrupts, or modifies routing messages on packets. Link attacks act similarly on both the link-state and the distance-vector protocols. If an attacker succeeds in placing an attack in a link-state routing protocol, a router may send incorrect updates about its neighbors or remain silent even if the link state of its neighbor has changed. The attack through a link can be so severe that the attacker can program a router to either drop packets from a victim or readdress packets to a victim, resulting in lower throughput of the network. Sometimes, a router can stop an intended packet from being forwarded further. However, since more than one path to any destination exists, the packet ultimately reaches its destination. Router attacks may affect the link-state protocol or even the distance-vector protocol. If link-state protocol routers are attacked, they become malicious. They may add a nonexistent link to a routing table, delete an existing link, or even change the cost of a link. This attack may cause a router to simply ignore the updates sent by its neighbors, leading to a serious impact on the operability of the network traffic flow.
Switch Attacks: CDP Manipulation
CDP manipulation attacks are a very common yet easily avoidable type of attack, made possible solely by the configuration of the switch itself. On Cisco switches, Cisco Discovery Protocol (CDP) is enabled by default. Any and all packet data transmitted via CDP is sent in clear text and is unauthenticated.
In the accompanying Wireshark capture (image not included here), network traffic was captured with the protocol analyzer Wireshark. The capture shows that a CDP packet holds important device information, which can be used to build a network topology that could aid larger-scale attacks capable of crashing an entire network.
Switch Attacks: MAC Flooding
a switch is fed many Ethernet frames, each containing different source MAC addresses, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.[1]
The effect of this attack may vary across implementations; however, the effect desired by the attacker is to force legitimate MAC addresses out of the MAC address table, causing significant quantities of incoming frames to be flooded out on all ports. It is from this flooding behavior that the MAC flooding attack gets its name.
After launching a successful MAC flooding attack, a malicious user can use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally. The attacker may also follow up with an ARP spoofing attack which will allow them to retain access to privileged data after switches recover from the initial MAC flooding attack.
MAC flooding can also be used as a rudimentary VLAN hopping attack.[2]