"What shall it profit an admin to gain umpteen workstations, if he lose the entire network?"
Chapter 4 begins its discussion of network vulnerability by breaking the subject into two parts: media vulnerability and device vulnerability. It moves on to discuss network traffic as an aspect of the media part, although traffic concerns both parts.
The text seems to assume that students are familiar with basic network terminology: packet, switch, router, NIC, Ethernet, and port are all terms used in this section. In case you have forgotten (or do not know) some of these:
The text tells us that we could configure a managed switch (one that can run administration software) to mirror all traffic for one or more ports. Port mirroring (Cisco calls it SPAN) copies that traffic to another specific port as well, where we would connect a workstation to monitor the packets for signs of trouble. We would run a protocol analyzer program on that workstation (such as Wireshark) to determine what might be significant about traffic flowing through that switch. One caveat: the mirror port has the same bandwidth as any other port, so mirroring several busy ports, or both directions of one full-duplex link, can exceed what the mirror port can carry, and the switch silently drops the excess copies. The monitored traffic is unaffected, but your capture has holes in it.
The text describes another method for monitoring traffic: using a network tap. Tap is an unusual acronym: by convention it is not capitalized. It stands for test access point, which is what it is for: you install the tap between any two network devices to copy the traffic that flows between them. A passive tap has no address of its own and cannot be seen or reached from the network, and it does not drop packets under load the way an oversubscribed mirror port does, which is why taps are preferred for permanent monitoring points.
The information in the text about a vampire tap seems to be another misunderstanding. The vampire taps I have seen were simply connection devices: they were used to connect an adapter to thick (RG-8) coaxial cable (an older network medium). The adapter was connected by a patch cord to a NIC on a computer. This had nothing to do with testing the network, only with connecting devices to it. They were called vampire taps because they had two sizes of spikes (teeth) that bit into the thick cable to connect to its center wire and to its braided ground wire.
The author discusses attackers gaining access to a network's medium. He makes a point that an attacker could, for instance, get at network cable through an acoustic tile ceiling. His point is that such tiles are not secure, and network cable is often run through that space. Another way would be to look for wire that is entering or leaving a building. In either of these cases, the attacker could splice in a jack of their own. With standard Ethernet cable, however, this is awkward for the attacker. A length of UTP cable is meant to run from one device directly to another. It is not like a power cable, where you could break into the circuit and steal some electrons. If you cut the cable, you get a connection to the switch, but you make the jack at the far end unusable while you are tapped in, and someone will notice. A better method would be the author's third idea: find an unused network jack. Actually use it, or splice into that run of cable. A wary administrator would make sure that the switch port behind an unassigned jack is administratively shut down and placed in an unused VLAN, and would require 802.1X authentication on the ports that are live, so that a working jack by itself does not give a stranger network access. This is not always done.
The network administrator was advised to set the managed switch to mirror traffic to a specific port. What will the attacker do, assuming they do not have access to manage the switch? The text presents several methods that could be used:
The text lists some methods to overcome the above exploits, which switch vendors group under the name port security: limit the number of MAC addresses a port will learn (one, for a port with a single workstation behind it), allow only one specific MAC address to use each port, or have the switch use configured lists (entered by the administrator, or pushed from a server) instead of dynamically learning what MAC addresses are on each port. Most switches also let you choose what happens on a violation: drop the offending frames quietly, or shut the port down and raise an alert. Shutting the port down is the safer choice, since it also tells you which jack the attacker is plugged into.
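To make the flooding attack and the port-security responses concrete, here is a small simulation of a learning switch. It is an added example for these notes, not code from the textbook; the CAM table size, the policy fields and the MAC addresses are assumptions chosen so the behaviour is visible in a few frames, and real switches express the same three controls as configuration (limit per port, a bound address, a static list) rather than code.

```python
"""Simulated learning switch with and without port security (added example).

The CAM table size, the port-security policy shape and the addresses are
assumptions for illustration; real switches expose the same ideas through
port-security configuration rather than code."""
from collections import OrderedDict


class Switch:
    def __init__(self, cam_size=4):
        self.cam_size = cam_size
        self.cam = OrderedDict()          # src MAC -> port, oldest entry first
        self.policy = {}                  # port -> {"max": n, "allowed": set or None}
        self.learned = {}                 # port -> MACs the port has locked in
        self.violations = []              # (port, mac, reason)

    def secure_port(self, port, maximum=1, allowed=None):
        """Enable port security: at most `maximum` learned MACs, optionally only from a static list."""
        self.policy[port] = {"max": maximum, "allowed": set(allowed) if allowed else None}
        self.learned[port] = set()

    def receive(self, port, src_mac, dst_mac):
        """Process one frame. Returns the egress port, 'flood' (sent out every port) or 'drop'."""
        pol = self.policy.get(port)
        if pol is not None:
            locked = self.learned[port]
            if pol["allowed"] is not None and src_mac not in pol["allowed"]:
                self.violations.append((port, src_mac, "not in static list"))
                return "drop"
            if src_mac not in locked and len(locked) >= pol["max"]:
                self.violations.append((port, src_mac, "too many addresses"))
                return "drop"
            locked.add(src_mac)           # first MAC(s) seen are locked to this port ("sticky")
        # Learn the source address. Without port security an attacker can fill the
        # whole table with bogus sources, evicting the real stations.
        if src_mac in self.cam:
            del self.cam[src_mac]
        elif len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)  # evict the oldest entry
        self.cam[src_mac] = port
        out = self.cam.get(dst_mac)
        if out is None or out == port:
            return "flood"                # unknown destination: every port, including the attacker's, sees it
        return out


VICTIM, SERVER = "aa:00:00:00:00:01", "aa:00:00:00:00:02"   # constructed addresses


def _populate(sw):
    sw.receive(1, VICTIM, "ff:ff:ff:ff:ff:ff")   # victim announces itself on port 1
    sw.receive(2, SERVER, "ff:ff:ff:ff:ff:ff")   # server on port 2


def mac_flood_demo():
    """No port security: the attacker on port 3 floods bogus source MACs; the CAM forgets
    the victim, so a frame from the server to the victim is flooded to every port."""
    sw = Switch(cam_size=4)
    _populate(sw)
    for i in range(10):
        sw.receive(3, "de:ad:be:ef:00:%02x" % i, "ff:ff:ff:ff:ff:ff")
    return sw.receive(2, SERVER, VICTIM)          # 'flood'


def port_security_demo():
    """Port 3 may learn one MAC: the first bogus MAC is locked in, the other nine are
    dropped, and the server's frame still goes straight to port 1."""
    sw = Switch(cam_size=4)
    sw.secure_port(3, maximum=1)
    _populate(sw)
    results = [sw.receive(3, "de:ad:be:ef:00:%02x" % i, "ff:ff:ff:ff:ff:ff") for i in range(10)]
    return results.count("drop"), sw.receive(2, SERVER, VICTIM)   # (9, 1)


def static_list_demo():
    """Port 3 is bound to one administrator-entered MAC; anything else is a violation."""
    sw = Switch(cam_size=4)
    sw.secure_port(3, maximum=1, allowed={"aa:00:00:00:00:03"})
    _populate(sw)
    sw.receive(3, "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff")
    return sw.violations[-1][2]                   # 'not in static list'
```

The flooding case is the interesting one: the attacker never has to touch the victim, he only has to make the switch forget where the victim is, and from then on the switch does the sniffing for him by flooding. Port security stops it at the first frame that breaks the policy.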
Many devices are protected by a combination of user ID and password. The ID is generally less secure, often being a guessable combination of first and last name. The password presents an opportunity to set something hard to guess, but that also makes it hard to remember, which causes many users to write it down and leave it in an accessible location, such as on a Post-it note on their monitor.
The more passwords a person has, the less often each is used, and the more likely it is that a password will be forgotten. Add the fact that many systems require changes of password on a regular schedule, and forbid the reuse of any of the last ten passwords. This leads to users cycling through ten throwaway passwords on the change date to get back to the one they wanted. Administrators, in turn, can set a minimum password age, which prevents the user from running through the list in one day. Current guidance (NIST SP 800-63B, 2017) abandons scheduled changes altogether for exactly this reason: forced rotation produces weaker, more predictable passwords. Screen new passwords against lists of known-compromised ones instead, and require a change only when there is evidence of compromise.
The text presents a list of bad practices regarding passwords:
The text discusses default accounts. They exist on most systems, and most administrators have been told to rename them (or at least change their passwords), but not all do. For example, how do you break into a router like the ones most people have at home? If you have physical access to it, first you check on the Internet for the default administrator ID and password for that brand and model. Then you hold down the reset button, which restores the factory configuration, default credentials included. Then you simply log in and take over the router. On a system where the administrator has never changed the default account or its password, you don't even need the reset button, or physical access. (Do you suddenly want to make some changes to your wireless router?)
A back door is often a separate account that is used in case of emergency to get access to a system, usually as a user with administrator privileges. The text says that this is an account that is set up without the administrator's knowledge or permission. Yes, an attacker would do that, but the administrator might set up his own back door so that he could get into the system if his regular account is locked out or the system is hacked. That is still a second path around the normal controls, and it needs the same protection and logging as the administrator account itself.
The discussion in the text is mainly about the kind created for malicious purposes. It explains that some viruses and worms create back doors for an attacker (or a process) to use. It also mentions that some programmers create back doors to have a secret way into devices running their software. This could be used for troubleshooting purposes, but malicious use is also possible.
Privilege escalation is possible on devices, through the use of exploits in the device's software or hardware. For instance, some devices are protected from changes by a BIOS setting, or by a physical switch position on older devices. An attacker who could gain access to these could escalate his privileges; as a rule, physical access to a device means eventual full control of it.
Categories of Attacks
A Denial of Service (DoS) attack is like the one described in the introduction to the chapter: the attacker ties up all available connections (or bandwidth, or CPU) of a system, preventing real users from making a connection or receiving service. A single attacker can do this to a poorly configured system; more often many computers are used. The text states that when a botnet is used, the attack is called a Distributed Denial of Service (DDoS) attack, and the distribution is the point: there is no single source address to block.
One method described in the text takes advantage of the normal TCP three-way handshake. The attacking computer sends a connection request, a segment with the SYN flag set. The victim system replies with a SYN-ACK (its own SYN plus an acknowledgement) and records a half-open connection while it waits for the attacker's final ACK, which is never sent. By itself, this is not a problem, as the half-open entry is eventually dropped after a timeout. However, imagine it happening thousands of times a second, each from a forged (spoofed) source address so the SYN-ACKs go nowhere useful. The queue of half-open connections (the listen backlog) fills, and a real requester stands little chance of getting in. The standard defense, not mentioned in the text, is SYN cookies: the server encodes the connection state in its own initial sequence number instead of storing it, so a half-open connection costs it nothing.
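The following simulation is added to these notes (it is not from the textbook) to show why the backlog is the resource under attack. The backlog size, the timeout and the packet rates are assumed values, the addresses are constructed from documentation ranges, and the model deliberately has no SYN cookies, so it behaves like the server in the text's description.

```python
"""Half-open connection queue under a SYN flood (added example, a simplified model).

BACKLOG and SYN_TIMEOUT are assumed values; real kernels differ and most use
SYN cookies so that a pending connection costs no queue slot at all."""
BACKLOG = 128         # assumed listen backlog (half-open entries the server will hold)
SYN_TIMEOUT = 30.0    # assumed seconds before an unanswered SYN-ACK is given up on


class Listener:
    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}   # (src_ip, src_port) -> time the SYN arrived
        self.refused = 0
        self.established = 0

    def _expire(self, now):
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.timeout]
        for k in stale:
            del self.half_open[k]

    def syn(self, now, src):
        """A SYN arrives. Returns True if the server queued it and sent a SYN-ACK."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.refused += 1          # queue full: the SYN is dropped, the client sees nothing
            return False
        self.half_open[src] = now      # SYN-ACK sent; waiting for the third-handshake ACK
        return True

    def ack(self, src):
        """The final ACK arrives (spoofed attackers never send this)."""
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


def simulate(attack_rate, duration, backlog=BACKLOG, timeout=SYN_TIMEOUT):
    """Attacker sends `attack_rate` spoofed SYNs per second and never ACKs;
    a legitimate client tries to connect once per second.
    Returns (legitimate connections completed, attempts)."""
    srv = Listener(backlog, timeout)
    completed = attempts = 0
    for t in range(duration):
        for i in range(attack_rate):
            # constructed spoofed sources from the TEST-NET-3 range; every (ip, port) is unique
            src = ("203.0.113.%d" % (i % 250 + 1), 40000 + t * attack_rate + i)
            srv.syn(t, src)            # the SYN-ACK goes to a host that never answers
        attempts += 1
        client = ("198.51.100.7", 50000 + t)
        if srv.syn(t, client):
            srv.ack(client)
            completed += 1
    return completed, attempts
```

With these numbers, two spoofed SYNs a second never hurt anyone (the timeout drains the queue as fast as it fills), but ten a second fill a 128-entry backlog in thirteen seconds and keep it full for as long as the attacker cares to continue. Nothing the attacker sends is large or unusual; it is the state the server keeps that is exhausted, which is exactly what SYN cookies remove.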
Another method described is the smurf attack: send ICMP echo requests (pings) to the broadcast address of a network, but forge the source address so they look like they came from the victim. Every host on that network answers the victim, so one packet from the attacker becomes dozens or hundreds of replies at the target. Ping is a flexible command; among other things, you can tell it how many packets to send. Send to lots of networks with lots of repeats, and you flood the victim with responses from machines that were never compromised. The fix, the default on routers since the late 1990s (RFC 2644), is to refuse to forward directed broadcasts, and on hosts, to ignore echo requests addressed to a broadcast address.
The text discusses a DoS attack against a wireless network that is carried out by jamming the frequencies the service uses. The text says this type of "attack" could happen accidentally, but it also says the equipment required to do it is expensive and sophisticated. This seems a little inconsistent, and in fact neither half is quite right: the 2.4 GHz band is shared with microwave ovens, cordless phones and Bluetooth, so accidental interference is common, and deliberate jammers are cheap (and illegal to operate in most countries). When in doubt, fear that the worst may happen, and do not put anything that must keep working on a wireless link you cannot replace with a wire.
The text talks about a second method of attacking a wireless system, but first it reviews how CSMA/CA and CSMA/CD work. CSMA/CA is often used in wireless systems, CSMA/CD is used in wired Ethernet systems.
In a CSMA/CD system (example: classic half-duplex Ethernet), a signal collision is detected and each device that caused it waits a random number of slot times (51.2 microseconds on 10 Mbps Ethernet, not seconds) before sending again, doubling the range it picks from after each repeated collision (binary exponential backoff). This usually results in one device going ahead of the other. Modern switched, full-duplex Ethernet has no collisions at all, so this only matters for hubs and for the wireless case that follows.
In a CSMA/CA system (802.11 wireless), a station cannot hear a collision while it is transmitting, so it tries to avoid them instead: it listens for the channel to be idle for a fixed interval, then waits a random number of slot times before sending, much like the Ethernet backoff. Optionally, it can ask permission first, sending a short request-to-send (RTS) frame and waiting for a clear-to-send (CTS) from the access point, which reserves the channel for it. This does not mean there will never be collisions in a CSMA/CA system. CSMA/CA also uses explicit acknowledgement: each data frame that is received intact must be acknowledged by an ACK from the receiver. If the sender does not get an ACK in a reasonable time, it retransmits that frame; it does not move on to new data until the current frame is acknowledged or the retry limit is reached. Everything in this scheme depends on every station playing by the rules, and nothing checks that they do.
The text lists more methods an attacker might use against a wireless network:
On page 130, the text discusses a Man-in-the-Middle attack. Students should be able to find information about this kind of attack online with regard to voting machines. A passive attack intercepts messages, saves them (or forwards copies to an attacker) and passes the original messages along right away, so nobody notices. An active attack intercepts a message, changes it, and then sends the changed version along. You can see what an active attack on election data could do. The defense in both cases is the same: authenticate both ends and protect the messages with encryption and integrity checks, so that an interceptor can neither read nor silently alter them.
A variation of the Man-in-the-Middle is a replay attack. Consider the example in the book, in which a man-in-the-middle device captures login traffic so that it can replay that traffic later to pretend to be the same user logging in again. Note that the attacker does not need to understand the traffic, only to resend it, which is why authentication protocols include something that changes every time (a nonce or a timestamp) so that an old exchange is rejected.
Students should read this article on Wikipedia for more information on variants of DoS attacks.
Methods of Network Attacks
Protocol attacks are based on shortcomings in network protocols. The attack may be based on security flaws in older versions of particular protocols, such as SNMP. The original version of this protocol and the widely deployed second version (SNMPv1 and SNMPv2c) use simple, well known passwords called community strings, sent in the clear inside every request to a network device; the factory defaults are usually "public" for reading and "private" for writing. SNMPv3, first published in 1998, replaced this with user names, authentication and encryption. Really? He is afraid that a network is using a version of this protocol that was replaced over ten years ago? Unfortunately, yes: v1 and v2c are still the default on a great deal of network gear, and default community strings still turn up on live switches, printers and UPSes in every network scan. Historically interesting, and still relevant; check your own devices before you dismiss it.
DNS attacks are a more current topic. The text discusses two types, DNS Poisoning and DNS Transfer attacks. Before describing either, the text discusses some of the evolution of the Domain Name System, from host tables to the hierarchical service we have now. It stops short of actually explaining DNS. If you are not the type who likes to trust in magic, follow the link for some background on the system.
DNS Poisoning consists of lying to a workstation or a server. The domain name system works by taking a domain name from a user (like www.cnn.com) and translating it into an IP address (like 188.8.131.52). The IP address is what the browser actually uses to connect to the web site. (How did I get that address? I pinged the domain name.)
An attacker would find a way to feed the browser a false IP address, taking it to a web page of the attacker's choice. One way to do that is to put a false entry in the host table that is probably saved on the user's computer. Probably? Well, yes. In my work environment, we store host tables on our network and configure the computers to read those tables on boot. In our case, that would be the target, not the file on the user's PC which is replaced on boot with the network version. The same principle is involved. The resolver on the user's computer checks the hosts file before it asks any DNS server, and it is satisfied with the first answer it finds; a request only goes up the hierarchy until it is answered, so if the answer is on the user's PC it looks no further. An example of a hosts (yes, that is really its whole name) file is shown on page 134. Common locations for such files are in the tip that appears on page 133. Because it is a plain text file, malware routinely edits it, and a check for entries that point familiar names at unfamiliar addresses is worth building into your host monitoring.
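Here is such a check, added to these notes as an example (it is not from the textbook). The sample file, the list of names to watch and the rule that a watched name may only point at loopback or 0.0.0.0 (the ad-blocking convention) are assumptions; the parser follows the real hosts file format, including trailing comments and multiple names per line.

```python
"""Audit a hosts file for entries that pin names you expect DNS to resolve (added example).

SAMPLE_HOSTS and the watched suffixes are constructed for illustration."""
import ipaddress
import sys

SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.corp.example                 # deliberate internal pin, not watched
203.0.113.45    www.bank.example  bank.example        # a poisoned entry
0.0.0.0         ads.tracker.example                   # ad-block style sinkhole, harmless
"""

# Names that must never be resolved locally (assumed list; in practice your own
# public domains, your banks, your SSO provider and your update servers).
WATCHED = (".bank.example", "bank.example")


def parse_hosts(text):
    """Yield (ip_address, [names]) per entry; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not an address: ignore the line rather than crash
        yield ip, fields[1:]


def is_watched(name, watched=WATCHED):
    return any(name == s.lstrip(".") or name.endswith(s) for s in watched)


def suspicious_entries(text, watched=WATCHED):
    """Return [(name, ip)] for watched names mapped to anything other than loopback or
    the unspecified address, i.e. redirected somewhere rather than sinkholed."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if is_watched(name, watched) and not (ip.is_loopback or ip.is_unspecified):
                findings.append((name, str(ip)))
    return findings


def audit_file(path):
    """Run the audit against a real file, e.g. /etc/hosts or
    C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for name, ip in (audit_file(target) if target else suspicious_entries(SAMPLE_HOSTS)):
        print(f"WARNING: {name} pinned to {ip}")
```

Run it with no argument to see the two findings from the sample, or with the path of a real hosts file. A sinkhole entry (0.0.0.0 or 127.0.0.1) is left alone on purpose: that is how ad-blocking lists work, and it fails safe, whereas an entry that sends a bank's name to a routable address is the poisoning the text describes.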
Another way to accomplish this takes advantage of zone transfers. Secondary DNS servers contact the primary server for each zone regularly to check for updates. Copying the zone data from one server to another is called a zone transfer (AXFR, or IXFR for an incremental one). Each zone carries a serial number in its SOA record that the administrator increments when the data changes. A secondary whose copy has an older serial number copies the zone from the primary, overwriting its own older copy.
If the attacker can pose as the primary DNS server, the real secondary may be tricked into copying the "updated" entry into its own tables (along with any other lies in the zone), which would then be served to every client that asks it. This method of poisoning is also called DNS spoofing. In practice it is far more common to poison the cache of a recursive resolver by forging answers to its queries than to spoof a zone transfer; either way the fixes are the same: DNSSEC signatures, so a server can verify the data it receives, and zone transfers restricted to known secondaries, preferably authenticated with TSIG keys.
A DNS Transfer attack is reconnaissance rather than poisoning: the attacker simply asks the victim's DNS server for a zone transfer, as if it were a secondary server that needed the latest copy. If the server allows transfers from anyone, the whole zone flows to the attacker, who then mines it for information about the structure of the victim's network, since every host with a name is listed. The check is simple: a server should refuse AXFR requests from anything except its own secondaries (allow-transfer in BIND), and you can confirm yours does by requesting a transfer from outside your network and expecting a refusal.
Most networks (Ethernets) work internally on MAC addresses as well as IP addresses. IP addresses are used for traffic that crosses from one LAN to another (or farther), but MAC addresses are used within a LAN. Address Resolution Protocol (ARP) pairs IP addresses with MAC addresses: a host broadcasts "who has this IP address?" and the owner replies with its MAC address. ARP has no authentication at all; any host can answer, and most systems accept replies they never asked for. As your computer learns about IP/MAC address pairs, they are stored in an ARP table (cache) in memory. ARP Poisoning means changing the information in that cache so traffic meant for one device is sent to another.
The text outlines a simple attack scheme on page 136, which involves sending two ARP messages to two specific devices. The attacker tells the router that his MAC address is associated with another user's IP address. The attacker also tells the victim that his MAC address is associated with the router's IP address. The victim will send traffic meant for the router to the attacker, and the router will send traffic meant for the victim to the attacker. The attacker forwards the traffic on to the correct MAC addresses, and the packets look like they arrived normally, without interception. This makes the attacker a man-in-the-middle, intercepting any traffic to and from this workstation that is not internal to the LAN. The defenses are static ARP entries for critical hosts (the default gateway, at least), Dynamic ARP Inspection on managed switches, which drops ARP replies that disagree with the DHCP snooping table, and monitoring tools such as arpwatch that alert when an IP address changes MAC.
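The monitoring approach is easy to show. The following detector is an added example for these notes (not from the textbook or from arpwatch itself): it watches a stream of ARP replies and flags the two signs of the attack above, an IP address whose MAC changes and one MAC answering for several IP addresses. The capture and the addresses are constructed to match the scenario just described; the optional static table stands in for the administrator's known-good gateway entry.

```python
"""Spot ARP cache poisoning from observed ARP replies (added example, an arpwatch-style check).

The reply records and the addresses are constructed; ROUTER/VICTIM/ATTACKER label the MACs
in the two-message attack described in the notes."""
from collections import defaultdict

ROUTER, VICTIM, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:50", "de:ad:be:ef:00:99"

# constructed capture: (timestamp, sender_ip, sender_mac, target_ip) taken from ARP replies
ARP_REPLIES = [
    (0.0, "10.0.0.1",  ROUTER,   "10.0.0.50"),   # router answers the victim's request
    (0.5, "10.0.0.50", VICTIM,   "10.0.0.1"),    # victim answers the router's request
    (3.0, "10.0.0.1",  ATTACKER, "10.0.0.50"),   # "the router is at ATTACKER": poisons the victim
    (3.1, "10.0.0.50", ATTACKER, "10.0.0.1"),    # "the victim is at ATTACKER": poisons the router
]


class ArpWatch:
    def __init__(self, static=None):
        self.static = dict(static or {})       # ip -> mac the administrator knows to be correct
        self.bindings = {}                     # ip -> mac last claimed on the wire
        self.ips_by_mac = defaultdict(set)
        self.alerts = []

    def observe(self, ts, sender_ip, sender_mac, target_ip):
        if sender_ip in self.static and self.static[sender_ip] != sender_mac:
            self.alerts.append((ts, "static-mismatch", sender_ip, sender_mac))
        old = self.bindings.get(sender_ip)
        if old is not None and old != sender_mac:
            self.alerts.append((ts, "binding-changed", sender_ip, old, sender_mac))
        self.bindings[sender_ip] = sender_mac
        self.ips_by_mac[sender_mac].add(sender_ip)
        # One MAC answering for several IPs is what the two-reply attack looks like.
        # Routers and hosts with virtual IPs do this legitimately, so treat it as a hint
        # and raise it once, when the second address appears.
        if len(self.ips_by_mac[sender_mac]) == 2:
            self.alerts.append((ts, "one-mac-many-ips", sender_mac,
                                tuple(sorted(self.ips_by_mac[sender_mac]))))


def analyze(replies, static=None):
    """Feed replies through the watcher; returns the alert list (empty if nothing is suspicious)."""
    watcher = ArpWatch(static)
    for record in replies:
        watcher.observe(*record)
    return watcher.alerts


def alert_kinds(replies, static=None):
    return [alert[1] for alert in analyze(replies, static)]
```

On a real host the same data comes from the ARP cache (arp -a on Windows, ip neigh on Linux) or from a packet capture filtered on ARP replies. The binding-changed alert on its own fires on legitimate events too (a replaced NIC, a laptop that picks up a recycled DHCP lease), which is why the static table for the gateway is the entry you actually act on.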
The next subject is TCP/IP hijacking. The goal of the attacker is to take over a communication session between a server and a LAN device (like a workstation). Look over the example on pages 136 and 137. The essence of the exploit is that every TCP segment carries two numbers, a sequence number and an acknowledgement number, that advance by the number of bytes exchanged between the two devices; nothing else ties a segment to the host that is supposed to be sending it. Protocols like FTP and Telnet are the usual examples because they authenticate once at login and then trust the session. An attacker who can see the traffic (on the LAN, after ARP poisoning, for instance) knows the current numbers and sends the server a segment with the next expected sequence number and a valid acknowledgement number, carrying a command of his choosing. The server accepts it, executes the command, and replies with updated numbers. The real victim now finds the server's numbers out of step with its own and rejects the response; the two of them are desynchronized (in practice they exchange a storm of ACKs trying to resync), while the attacker continues the session in the victim's place. An attacker who cannot see the traffic must guess the numbers, which is why operating systems stopped using predictable initial sequence numbers years ago. The real cure is to run sessions over SSH or TLS, where an injected segment fails the integrity check no matter how good its sequence numbers are.
The text notes that the attack types already discussed apply to wireless networks as well; the attacks in this section only apply to wireless networks.
A Rogue Access Point, in the example in the text, is a wireless access point (AP) that a user has added to the network because she wanted to have wireless access to the company network. The label "rogue" means that it is unauthorized. The problem is that it is typically unprotected and unsecured, and provides access to the network like an open network jack would. Unlike an open network jack, the access point can be used by anyone within radio range, including people in the parking lot. The text is incorrect when it says the rogue access point "bypasses all of the network security". It has bypassed the perimeter firewall, but login IDs, passwords, privileges and more still exist. This is a security breach that should not exist, but it is not the only hurdle the attacker has to clear. Two checks catch rogue APs: 802.1X on the wired ports, so that an AP someone plugs into a jack never gets a working connection, and periodic wireless scanning (or a wireless IDS) that lists every SSID and BSSID heard in your buildings and compares it with the list of APs you own.
The next concept is war driving, which is a terrible phrase. As the book explains, it is a reference to the phone number dialing program in the movie WarGames. A war dialer is a program that calls a range of phone numbers to find the ones answered by a modem, which might be an entry point to a network. War driving is what a person is doing when they drive around, looking for wireless access points that are broadcasting their availability. The text lists five elements that are required to conduct war driving, but the list is outdated. Every one of the required elements can be found in most cell phones and wifi-enabled laptops and tablets.
Bluetooth technology is used for very short range, temporary wireless connection to devices. The common (class 2) radios are not meant to work over distances greater than about 10 meters, although class 1 devices reach 100 meters and a directional antenna on the attacker's side extends that considerably; Bluetooth attacks have been demonstrated from well beyond the nominal range. The text explains that the range can also be extended with a scatternet, a set of small Bluetooth networks (piconets) joined by devices that belong to more than one of them.
Bluesnarfing (stealing over Bluetooth) is accessing data without permission. This raises the question, how do you get or give permission when the connection is made automatically? The attack worked against phones whose file-transfer service (OBEX) answered requests without requiring pairing, so the attacker got more than the Bluetooth sharing application was meant to give out: the address book, calendar and messages. (The Wikipedia article has a little more information as well as related links.) The practical defenses are to keep Bluetooth off or non-discoverable when you are not using it, and to refuse pairing requests you did not initiate.
Blue jacking flows the other way: sending unrequested information to Bluetooth devices.
The text discusses two more topics in this chapter. Null Sessions refers to an anonymous connection (no user name, no password) to the IPC$ share of a Windows NT or 2000 computer, which lets a remote user list user accounts, groups, shares and password policy, everything needed to plan a password-guessing attack. It is not a command line interface. Even Microsoft hopes all workstations running those operating systems go away soon, as neither OS has been supported for years; later versions restrict anonymous enumeration by default, and the RestrictAnonymous registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the setting to check on anything older.
The discussion of Domain Name Kiting has a typo in it. Domain registrars are allowed to cancel a domain name registration, for a full refund, within five days of creating it. The five day span is called an Add Grace Period (Grace, not Grade). The text also seems to have the month and year wrong in its story. This is a link to a posting from Bob Parsons, who coined the phrase. The essence of the scam is the same: someone can collect some ad revenue from a domain name that they then change their mind about owning, and repeat the cycle indefinitely without ever paying for it.
Chapter 5 is about Network Defenses.
The text begins its discussion of network design with a brief introduction to subnetting. Its discussion leaves a lot to be desired. It makes little sense to say you should learn binary arithmetic and subnetting then choose not to teach it to you. For those of you who do not know the subject matter, the following lesson may help.
The book explains that subnets can be used to separate machine users into logical groups, using one subnet address for each location, user type, or other grouping that is useful to the administrator. Subnets also limit the scope of broadcasts, since broadcasts stop at the router: an ARP request, a DHCP request, or an ARP poisoning attempt reaches only the hosts on its own subnet. (Routers can be told to relay specific broadcasts such as DHCP, but that is a deliberate exception.) From a security standpoint that is the main reason to subnet: the subnet is also the unit at which you write firewall and router access lists, so a mask that is wider than you think makes an ACL wider than you think.
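Since the text promises a lesson in subnet arithmetic and does not deliver one, here is the arithmetic done with Python's standard library, as an added example for these notes (not from the textbook). The addresses are constructed, and the usable-host figures assume prefixes no longer than /30, where the network and broadcast addresses are excluded.

```python
"""Subnet arithmetic with the standard library (added example; prefix lengths up to /30
are assumed for the usable-host figures)."""
import ipaddress


def to_binary(dotted):
    """Show an IPv4 address or mask bit by bit, the way subnetting is taught."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(dotted).packed)


def describe(cidr):
    """Network, mask, broadcast and usable host range for an address written as host/prefix."""
    net = ipaddress.ip_interface(cidr).network    # host bits are allowed in the input
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net[1]),
        "last_host": str(net[-2]),
        "usable_hosts": net.num_addresses - 2,    # network and broadcast addresses excluded
    }


def same_subnet(ip_a, ip_b, prefixlen):
    """True if two hosts with this mask talk directly (ARP) rather than through a router."""
    return (ipaddress.ip_interface(f"{ip_a}/{prefixlen}").network
            == ipaddress.ip_interface(f"{ip_b}/{prefixlen}").network)


def carve(cidr, new_prefix):
    """Split a block into equal subnets, e.g. one per floor or per user group."""
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def acl_covers(rule_cidr, ip):
    """Does an ACL entry written as a CIDR cover this address? A too-wide mask here is
    the usual way a DMZ host ends up able to reach something it should not."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_cidr, strict=False)
```

The two functions worth keeping at hand are same_subnet, which answers "can this host ARP-poison that one?" (only if they share a subnet), and acl_covers, which you run against a firewall rule before you trust that the rule is as narrow as it looks.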
Virtual LANs (VLANs)
Page 157 illustrates the concept of using two (or more) layers of switches to connect devices to your network. Workgroup switches connect to hosts and to core switches. Core switches connect to each other and to routers (not shown in the illustration). This is complicated by the fact that some devices can be both a switch and a router, somewhat like the consumer versions of routers at electronics stores. By using the switches as described, it is possible to create a virtual LAN that consists of several ports on separate switches. This allows the administrator to put users who need common resources and messaging on the same virtual LAN regardless of what floor they are on or what building they are in. If the devices are located on multiple switches, a VLAN tag (the 802.1Q header) must be added to frames that cross the link between switches, called a trunk, to note the VLAN membership of the devices. If the devices connected to a VLAN are on a single switch, the switch itself can manage the VLAN traffic. Two cautions: only ports that connect switches should be allowed to become trunks (a user port left free to negotiate trunking is the standard route for VLAN hopping), and a VLAN separates broadcast domains, not security domains; traffic between VLANs still has to pass a router or firewall, and that is where the access control belongs.
Since the text does not provide much information about this, please look at my notes about VLANs for another class.
The word convergence is used several ways in networking. The meaning for this section of the text is using the network and connected devices for multiple purposes. The text is specifically talking about using TCP/IP networks for voice services as well as data services, which should not surprise cell phone users. Be aware of the terms in this section related to this subject: Voice over IP (VoIP), multiplexing, IP telephony. The recommendations at the end of the section are the same ones recommended elsewhere, adding only the idea to securely configure your VoIP applications. This should be a recommendation for any application on the network. One that is specific to VoIP: put the phones on their own VLAN, since a compromised workstation on the same segment as the phones can record calls with the ARP poisoning technique from chapter 4.
Demilitarized Zone (DMZ)
The phrase demilitarized zone has a strange meaning in IT. It refers to a portion of your network that is more accessible to the public, but provides less access to your sensitive data. Two examples are illustrated on page 161. Both involve placing your web server and public-facing email server on a switch (or a separate firewall interface) that is separated from your main network by a firewall. The public-facing network is typically hardened, allowing only those transactions that are approved for public users, and operating separately from the rest of the network. The point is containment: when the web server is compromised, and you should plan on the assumption that one day it will be, the attacker lands on a segment whose connections into the internal network are explicitly listed and as few as possible.
In the second example, security is enhanced by placing a second firewall between the Internet connection and the DMZ network, so that the DMZ sits between two firewalls. This method would be recommended over the first for enhanced security (two layers of firewall protection, ideally from two different vendors so that one bug does not open both) and for better throughput, since traffic for the DMZ network only has to pass through the outermost firewall.
Security through Network Technologies
The text discusses two features that can be used to enhance security. The first is Network Address Translation (NAT). This is a standard feature on any network that uses private addressing internally. This is the default setup for any home network that uses a router: the router (or another server) provides DHCP service to assign private IP addresses to each device attached to the network. A public address is assigned to the Internet connection point by the Internet Service Provider (ISP). NAT hides the internal addresses and, as a side effect, discards inbound packets it has no mapping for, but that is a side effect and not a policy: NAT is not a firewall, and you still want one. The text discusses two methods used by NAT at that point for outgoing packets:
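The two forms of NAT you will meet most often are a one-to-one (static) mapping, used for a server that must be reachable from outside, and port address translation (PAT), where every internal host shares one public address and is told apart by the public source port. The following model is added to these notes to show both translation tables; it is not from the textbook or from any router vendor, and the addresses, ports and the rule that public ports are handed out in order are assumptions for illustration.

```python
"""One-to-one NAT and port address translation, as a router does them (added example).
Addresses and ports are constructed; the mapping rules are the usual ones, not any vendor's."""


class StaticNat:
    """One public address per internal host. Inbound works without prior outbound traffic,
    so this is what you use for a server that must be reachable from outside."""
    def __init__(self, pairs):
        self.out = dict(pairs)                           # private -> public
        self.back = {pub: priv for priv, pub in self.out.items()}

    def outbound(self, src_ip):
        return self.out[src_ip]

    def inbound(self, dst_ip):
        return self.back.get(dst_ip)                     # None: no mapping, packet dropped


class Pat:
    """Many internal hosts behind one public address, told apart by the public source port."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.back = {}   # (public port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet; returns the header as seen on the Internet."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet from the Internet to public_ip:dst_port. Only a reply to an existing
        mapping can be delivered; anything else has nowhere to go and is dropped."""
        return self.back.get((dst_port, src_ip, src_port))


def demo():
    pat = Pat("198.51.100.1")
    a = pat.outbound("192.168.1.10", 51000, "203.0.113.80", 443)   # two hosts, same private port
    b = pat.outbound("192.168.1.11", 51000, "203.0.113.80", 443)
    reply = pat.inbound("203.0.113.80", 443, b[1])                  # reply to the second flow
    probe = pat.inbound("203.0.113.66", 12345, 1025)                # unsolicited scan from elsewhere
    return a, b, reply, probe
```

Note what the probe shows: a scanner that hits a public port which happens to be in use still gets nothing, because the reverse table is keyed on the remote address and port as well, not just the public port. That is the whole of NAT's "security": it is a lookup table with no entry for strangers, which is useful, but it has no notion of what traffic is allowed.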
The second service discussed is Network Access Control (NAC). This has nothing to do with access control lists. This service examines a device that is trying to connect to a network, and allows full or partial access to the network depending on what the examination shows. Medical metaphors are used to describe this service and its features: System Health Agent, Statement of Health, Health Registration Authority, Health Certificate, and Quarantine VLAN are terms you should review from this section.
The text shows an illustration of the technique on page 164. A system that is connecting is required to perform a health analysis with a System Health Agent. In this case, if the system fails, it is connected to a Quarantine VLAN, where it has limited access to network resources (typically just the update and antivirus servers it needs to get healthy). This connection could be accomplished through DHCP (handing the machine an address on the quarantine subnet), through 802.1X, where the switch puts the port in whatever VLAN the RADIUS server names, or, in the text's description, through modification of the requester's ARP table. Of these, only the 802.1X method is enforced by the switch; the other two depend on the client cooperating, and a client that sets its own address is not quarantined at all.
Applying Network Security Devices
The text has been using the names of several security devices since the book began. It is time it took a moment to discuss them.
The text discusses Firewalls for three pages. It has mentioned before that a firewall can be software or hardware based. It explains that a software firewall is a packet filtering program that could be run on a local computer (or all of them), and a hardware firewall is a device that is typically put "outside the network security perimeter". It might be more accurate to say that the hardware firewall is the network security perimeter.
Firewalls operate on rules set by default, or by a system administrator. The text lists three actions that can be taken by a firewall for different types of packets: allow (to pass), block, and prompt (ask the user what to do). Note that these are described as typical options, not the only options. In particular, "block" covers two different behaviors: drop, which discards the packet silently so the sender times out, and reject, which sends back an ICMP error or a TCP reset. Reject is kinder to your own users; drop is what you want facing the Internet, since it tells a scanner nothing.
The text also explains that packets could be processed by stateless filtering (depends on rules), or by stateful filtering (depends on rules and on state of connection, such as "in response to a request").
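The difference between the two is easiest to see on a concrete packet. The following example is added to these notes (not from the textbook): the same three packets pass through a stateless rule set and a stateful one. The rules, addresses and the single "allow outbound HTTPS" policy are constructed for illustration.

```python
"""Stateless vs stateful filtering of the same packets (added example; the rule set and
packets are constructed for illustration)."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn")   # syn: True for a connection-opening segment
INSIDE = ipaddress.ip_network("10.0.0.0/8")


def _inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def stateless_filter(p):
    """Two rules: inside hosts may open HTTPS outbound; anything from port 443 may come back in.
    The second rule is the only way a stateless filter can admit replies, and it is the hole."""
    if _inside(p.src) and not _inside(p.dst) and p.dport == 443:
        return "allow"
    if not _inside(p.src) and _inside(p.dst) and p.sport == 443:
        return "allow"
    return "drop"


class StatefulFilter:
    """Same outbound rule, but replies are admitted only for flows the filter saw opened."""
    def __init__(self):
        self.flows = set()   # (inside ip, inside port, outside ip, outside port)

    def check(self, p):
        if _inside(p.src) and not _inside(p.dst) and p.dport == 443:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        if (not _inside(p.src) and _inside(p.dst) and not p.syn
                and (p.dst, p.dport, p.src, p.sport) in self.flows):
            return "allow"   # a reply to a connection we watched being opened
        return "drop"


# constructed traffic
OUTBOUND = Packet("10.1.1.5", 50000, "203.0.113.9", 443, True)     # user opens HTTPS
REPLY = Packet("203.0.113.9", 443, "10.1.1.5", 50000, False)       # server answers
ATTACK = Packet("198.51.100.66", 443, "10.1.1.5", 22, True)        # scanner sourcing from 443


def compare():
    """Returns {name: (stateless verdict, stateful verdict)} for the three packets, in order."""
    sf = StatefulFilter()
    return {name: (stateless_filter(p), sf.check(p))
            for name, p in (("outbound", OUTBOUND), ("reply", REPLY), ("attack", ATTACK))}
```

Both filters pass the legitimate exchange. Only the stateless one also passes the SSH probe, because "source port 443" is a fact the attacker controls, while "part of a connection the user opened" is not. This is the trick behind the old nmap -g/--source-port option, and it is why stateless ACLs belong on routers as a first cut, not as the only line.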
The book briefly discusses the greater protection that has historically been available through hardware firewalls, but it also notes that software firewalls have improved greatly. The author is mainly talking about software firewalls that are included with operating systems. Some examples of configuration options for Windows Vista's firewall appear on page 168. Students should also consider third party software available from vendors, such as those from antivirus product vendors. Whichever you use, the host firewall is the one defense that still applies after an attacker is inside the perimeter, which is exactly the case a rogue access point or a compromised DMZ host creates.
On page 169, the text discusses Proxy servers. Proxy servers perform actions on behalf of clients. One purpose of doing this is to hide the address of the requester from the entity that would provide the requested service, such as hiding our internal address from a web server on the Internet. The effect resembles NAT, but the mechanism is different: a NAT router rewrites the address fields in each packet and passes it along, while a proxy terminates the client's connection, opens its own connection to the web server, and relays the request. Because the proxy sees the whole request, it can inspect, log, cache or refuse it, which NAT cannot.
The text notes that a proxy server can run filtering software that can be used to prevent access to web sites that are forbidden by your organization. Proxy servers can be used for bad purposes as well, such as selecting a different proxy to bypass firewalls (or filtering).
The text also mentions the use of a reverse proxy server, which serves as a front end to your network services. The reverse proxy would be the designated entry point for requests, which would then be routed to the server that would actually provide the service requested.
On page 170, the text discusses the use of Honeypots. The pleasantly named device is meant as a trap or distraction for attackers. It is meant to look like a soft target that holds some prizes like user accounts with default names and passwords, and accessible data files. It is placed on the network to attract attackers, and to provide nothing of real value to them. Note the three purposes of a honeypot listed in the text:
Host/Network Intrusion Detection Systems
As the text has already observed, an NIDS works by watching for differences from baseline behavior in what is happening on the network. For example, it will watch for TCP packets directed at ports that do not normally receive such packets. It may detect botnet behavior by the change in the number of packets being sent by a host. Students should examine the list of possible actions an NIDS can take that appears on page 172. Although the concept of a Host Intrusion Detection System is mentioned, it is not discussed separately.
Host/Network Intrusion Prevention Systems
An Intrusion Prevention System is discussed on pages 172 and 173. Host versions are discussed first. The text is very positive about the idea of watching for changes that take place and acting on them immediately. This is contrasted with the "alert the administrator" nature of many actions available to detection systems. HIPS implementation is typically software installed on network hosts. NIPS implementation is typically a hardware device placed inline in the network, so that traffic it decides to block never arrives. The caveat the text does not mention: an inline device that blocks on a false positive has just performed a denial of service on your own users, so a new NIPS is normally run in detect-only mode and tuned before it is allowed to block anything.
The text first explains that networks are often protected, as noted repeatedly, by taking baseline behavior and watching for differences. A problem (not mentioned in the text) with this is that you must monitor for a while to determine what is normal for your network. It also observes that systems can monitor the network for activity that matches known attack exploits, but this kind of monitoring can miss an attack that is different enough to not match a known pattern.
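The baseline idea from this paragraph and from the NIDS discussion above (ports a host has never used, a jump in the volume a host sends) can be shown on a few flow summaries. This detector is added to these notes as an example, not from the textbook: the records, the per-bin packet counts and the threshold of three standard deviations (with an assumed floor of ten percent of the mean, so a perfectly steady baseline does not alert on every blip) are all constructed, and a real sensor would learn over days of traffic rather than six rows.

```python
"""Baseline-and-deviation detection over flow summaries, the way an anomaly-based NIDS
works (added example; records and thresholds are constructed)."""
import statistics
from collections import defaultdict

# (host, destination port, packets in a five-minute bin): the learning period, constructed
BASELINE = [
    ("10.0.0.5", 443, 120), ("10.0.0.5", 53, 30), ("10.0.0.5", 443, 140), ("10.0.0.5", 53, 25),
    ("10.0.0.5", 443, 130), ("10.0.0.5", 53, 28),
    ("10.0.0.9", 443, 60), ("10.0.0.9", 25, 10), ("10.0.0.9", 443, 70), ("10.0.0.9", 25, 12),
    ("10.0.0.9", 443, 65), ("10.0.0.9", 25, 9),
]
# the bin being examined, constructed
LIVE = [
    ("10.0.0.5", 443, 125), ("10.0.0.5", 53, 27),
    ("10.0.0.9", 443, 64),
    ("10.0.0.9", 6667, 40),      # IRC port this host has never used: classic botnet command channel
    ("10.0.0.9", 25, 900),       # mail volume jumps: a host that has started spamming
]


def learn(records, floor=0.10):
    """Per (host, port): mean and standard deviation of packets per bin.
    `floor` keeps the deviation at least this fraction of the mean (assumed tuning knob)."""
    samples = defaultdict(list)
    for host, port, pkts in records:
        samples[(host, port)].append(pkts)
    model = {}
    for key, vals in samples.items():
        mean = statistics.mean(vals)
        sd = statistics.stdev(vals) if len(vals) > 1 else 0.0
        model[key] = (mean, max(sd, floor * mean))
    return model


def detect(model, records, k=3.0):
    """Return alerts: a port the host never used in the baseline, or a packet count
    more than k standard deviations above that (host, port)'s mean."""
    alerts = []
    for host, port, pkts in records:
        if (host, port) not in model:
            alerts.append(("new-port", host, port, pkts))
            continue
        mean, sd = model[(host, port)]
        if pkts > mean + k * sd:
            alerts.append(("volume", host, port, pkts))
    return alerts


def run():
    return detect(learn(BASELINE), LIVE)
```

The two alerts are the two bad rows; the normal rows stay quiet. What the example also shows is the weakness the paragraph mentions: the detector knows nothing about what port 6667 is, it only knows it is new, so a botnet that talks over port 443 at a modest rate would sail through. That is where the signature and protocol-decoding capabilities in the next paragraph earn their keep.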
The discussion continues to explain that a protocol analyzer can decode the content of what the text refers to as "application-layer network protocols". The text does not list what these protocols are, probably because there are so many. Follow the link in this paragraph to get an idea of what they can be. The point is that adding this capability to a network intrusion detection or prevention system can add to the ability of such a system to secure the network.
Internet Content Filters
There are several products that will scan for specific words used on web sites (usually keywords) that will prevent users on your network from accessing those sites or pages. For example, users could be prevented from accessing pages that have "sports" as a keyword. This is an example, of course, and other selected filters can be engaged as well. Such a content filter might prevent access, might prevent downloading files, or might do both.
Integrated Network Security Hardware
The author ends the chapter with a catch-all category of products that meet multiple needs, usually sold as unified threat management (UTM) appliances that combine firewall, VPN, intrusion prevention, antivirus and content filtering in one box. Convenient, but note that one box is also one point of failure and one vendor's patch schedule.