1. Security in Network
CNC LAB
2013/10/04

2. Security level in network
Host level (Application Hacking)
Network level (VPN, BGP)
Application level (Firewall, IDS/IPS, Anti-virus)
Transmission level (ARP, RIP, OSPF, DNS Hiding, HTTPS, TLS/SSL, IPSec)

3. ARP – Address Resolution Protocol
Required TCP/IP standard defined in RFC 826
Resolved IP addresses used by TCP/IP-based software to Media
Access Control (MAC) addresses used by LAN hardware.
MAC addresses are obtained by using a network broadcast request
◦ What is the MAC address for a device that is configured with the enclosed IP
address?
When an ARP request is answered, both the sender of ARP reply and
the original ARP requesterrecord each other’s IP address and MAC
as an entry in local table called the ARP cachefor future reference.

4. ARP
An attacker sends a fake ARP messages onto
aLAN.
Aim is to associate the attacker’s MAC
address with the IP address of another host,
sothat any traffic meant from that IP address
are sent to the attacker instead.
ARP Spoofing allows attacker to intercept
data frames on a LAN.
Can only beused on the local network
segments.

5. RIP Attack
Forging RIP messages
Spoofing source address and sending invalid routes, altering traffic
flow.
◦ Traffic Hijacking
◦ Traffic Monitoring
◦ Redirecting traffic from trusted to untrusted.
Obtaining Clear text RIPv2 "password" when sent across network.
◦ Using retrieved password to send authenticated updates to RIPv2
routers, altering traffic flow with consequences listed above.

6. RIP Safeguards
Disabling RIPv1 and using RIPv2 with MD5 authentication.
EnablingMD5 based authentication for RIPv2
Disabling RIP completelyand using OSPF with MD5 authentication as
interior gateway protocol. OSPF is the suggested IGP

7. OSPF Attacks
Forging OSPF messages
◦ Can be some what difficult but theoreticallypossible if no
authenticationrequired or clear text password obtained.
Identified 4 ospf attacks
◦ Max Age attack
◦ Sequence++attack
◦ Max Sequence attack
◦ Bogus LSA attack
Fig: Sequence number attack

8. OSPF Safeguards
Do not use Dynamic Routing on hosts wherevernot required
ImplementMD5 authentication
◦ You need to deal with key expiration, changeover and coordination across
routers

9. DNS Hiding
Hiding DNS does not improvesecurity
 Easy to learn about a network once you’ve penetrated it
 Many other ways for host/address information to leak out
Hiding DNS may be necessaryif you do not havevalid IP addresses
 Or many unreachable nodes/networks

10. Typical DNS Environment

11. Hidden DNS Environment

12. Firewall->Internal Queries
Internal
queries
Firewall
Internal
queries

13. Firewall->External Queries
Firewall External
queries
External
queries

14. DNS Infrastructure is Vulnerable Example.com
App Servers
GSLB
LDNS
www.example.com? www.example.com?
123.123.123.123
Hacker
Spoofing with first
response
Cache poisoning
012.012.012.012
Problem
Need to secure DNS infrastructure
• Cache poisoning and spoofing can hijack DNS records
• Need a method for trusted responses
• Need to meet US Government mandate for DNSSEC
compliance
Spoofing and cache poisoning allow hijacking
of domains

15. Securing the DNS Infrastructure
Dynamic and secure DNS with
Global Traffic Manager
Example.com
App Servers
BIG-IP GTM
LDNS
www.example.com? www.example.com?
123.123.123.123
+ public key
Hacker
123.123.123.123
+ public key
Client gets signed,
trusted response
Solution
Secure and dynamic DNS
• Ensure users get trusted DNS queries with signed
responses
• Reduce management costs – Simple to implement and
maintain
• Meet mandates with DNSSEC compliant solution
BIG-IP Global Traffic
Manager with DNSSEC

16. TLS/SSL
TransportlayerSecure/SocketSecureLayers
Providecommunication securityovertheInternet
UseX.509certificatesandhenceasymmetric
cryptographytoassurethecounterparty whom
theyaretalkingwith,andexchange a
symmetrickey.
Thesession keyisthenusedtoencryptdata
flowingbetweentheparties.Allowsfor
data/message confidentiality, message
integrity.
TLS/SSLisinitializedatlayer5(sessionlayer)then
worksatlayer6(presentation layer).Itworkson
behalfoftheunderlyingtransportlayer.

17. HTTPS
Acommunicationprotocolforsecurecommunication
overacomputernetwork.
TheresultofsimplylayeringtheHTTPontopofthe
SSL/TLSprotocol,thusaddingthesecurity capabilities
ofSSL/TLStostandardHTTPcommunications..

18. Internet Protocol Security (IPsec)
IPsecisaprotocolsuiteforsecuringInternetProtocol(IP)
communicationsbyauthenticatingandencryptingeach
IPpacketsofacommunicationsession.
IPsecusesthefollowingprotocolstoperformvarious
functions:
◦ AuthenticationHeadersprovideconnectionless
integrityanddataoriginauthenticationforIPdatagrams
andprovidesprotectionagainstreplayattacks.
◦ EncapsulationSecurityPayloadsprovideconfidentially,
data-originauthentication,connectionintegrity,andanti-
replayservice,limitedtraffic-flowconfidentially.
◦ SecurityAssociationsprovidethebundleofalgorithms
anddatathatprovidetheparametersnecessarytoAH
and/orESPoperations.

19. Internet Protocol Security (IPsec)
TherearetwomodesofoperationinIPsec
Transportmode:OnlythepayloadofIPpacketis
usuallyencryptedand/orauthenticated.
Usingauthenticationheader,IPheadercannotbe
translated,asthiswillinvalidatethehashvalue.The
transportandapplicationlayersarealwayssecuredby
hash,sotheycannotbemodifiedinanyway.
Tunnelmode:EntireIPpacketisencryptedand/or
authenticated.Itis thenencapsulatedintoanewIP
packetwithanewIPheader.
Tunnelmodeisusedtocreatevirtualprivatenetworkfor
network-to-networkcommunications,host-to-network
communications,andhost-to-hostcommunications

20. Firewall
AFirewall is ahardware or software device which is configured to permit, deny or
proxy data through a computer network which has difference levels of trust.
Hardware firewall is a device located between Internet and end-terminals
Apply some “ruleset” filters in Control Plane, and Data Planeto prevent from
some attacks that enter an or some interfaces

21. Firewall types

22. Intrusion Detection System (IDS/IPS)
IDS is a device or software application thatmonitors network or system activities
for malicious activities or policy violations and procedures reports to a
management station.
Focus on identifying possible incidents, logging information about them, and
reporting attempts.

23. Intrusion Detection System (IDS/IPS)
Different from a firewall that a firewall looks outwardly for intrusions in order to stop
themfrom happening.
IDS evaluated a suspected intrusion once it has taken place and signals an alarm.
Usestatistical anomaly-based IDS to detect anomalous traffic and signature-based
IDS to monitor packets in the network, compare them with pre-configured and pre-
determined attack patterns.

24. Anti-virus protection
Therearetwotypesoftheanti-virusprotection:Host-basedantivirus(HAV)andNetwork-
basedantivirus(NAV)
Host-basedantivirussolutions
Bedeployedintheformofsoftwareprogramsthatrunonstandardhostcomputer
platforms.Beusedtoprovideprotectionsolelyforthehostonwhichitisinstalled
HAVarefile-based,theyalwaysworkinconjunctionwiththefilesysteminstalledonthehost.
HAVproductsoperateinanuncontrolledenvironment,requiresignificantadministration,only
operateonfilesthathavebeenwrittentothehost’sdiskfilesystem
HAVproductstypicallyreducestheoverallperformanceofthehostonwhichitruns,are
rarelyusedtoscanreal-timeapplications

25. Anti-virus protection
Network-basedAVsolutionsareinstalledona
networkgatewaybetweentwonetworks.
NAVsystemstypicallyemploydedicatedplatforms.
NAVsystemsprovideasinglebarrierbehindwhich
allhostsareprotected.
NAVsystemsstopvirusesatthenetworkedge.
NAVsystemsreducetheloadonserversby
eliminatinginfecteddatabeforetheyreachthe
servers.
NAVsystemsarewellpositionedinthenetworkto
scanWebandothertrafficthattendstobypass
conventionalHAVsystems.

26. Virtual Private Network (VPN)
Avirtualprivatenetworkallowstheprovisioningofprivatenetworkservicesforan
organizationororganizationsoverapublicorsharedinfrastructuresuchastheInternetor
serviceproviderbackbonenetwork.
AVPNisacombinationofsoftwareandhardwarethatallowsemployees,telecommuters,
businesspartners,andremotesitestouseapublicor“unsecured”mediumsuchastheInternet
toestablishasecure,privateconnectionwithahostnetwork
AVPNconnectionisapoint-to-pointconnectionbetweentheuser’scomputerandthe
company’sserver

27. Virtual Private Network (VPN)
AkeycomponentofaVPNsolutionisprovidingdataprivacy,userauthenticationandaccesscontrol.
Protocolsandtechnologiesusedtoenablesite-to-siteVPNsincludeIPsecurity(IPsec),Genericroutingencapsulation
(GRE),thelayer2tunnelingprotocol,IEEE802.1Q, MPLS.
ProtocolsusedtoenableremoteaccessVPNsincludedtheLayer2forwardingprotocol,Point-to-pointtunneling
protocol,thelayer2tunnelingprotocol,IPsecurity,theSecuresocketslayer

28. BGP Hijacking
 AS100 is advertising their owned route(10.0.0.0/8) : Victim AS
 AS400 is advertising invalid route(10.0.0.0/8) : Hijacking AS
 AS300 is infected by Hijacking : Infected AS
 AS200 is Influenced but not infected by Hijacking : Influenced AS
AS 200 AS 300
AS 400AS 100
10.0.0.0/8 10.0.0.0/8
10.0.0.0/8
10.0.0.0/8
> 10.0.0.0/8 100
10.0.0.0/8 300 400
10.0.0.0/8 200 100
> 10.0.0.0/8 400

29. Securing the Border Gateway Protocol
Fig: S-BGP Element Interactions
 S-BGPisanarchitecturalsolution
totheBGPsecurityproblems.
 DevelopedbyCisco
 S-BGPmakesuseof:
IPsec
PublicKeyInfrastructure
Attestations

30. BGP Threat Mitigations
MD5 carried in TCP
header
Fig: BGP MD5 Neighbor Authentication

31. Application Hacking
Security flaws in
application level
Un-validated Input
Broken Access Control
Broken authentication
and Session
management
Cross site scripting
Buffer overflows
Injection flaws
Improper error handling
Insecure storage
Denial of Service
Insecure configuration
Management

32. Application Hacking
Application shield: is referred to as an application-level firewall. In ensures that
incoming and outgoing requests are permissible for the given application. It is
common installed on Web servers, email servers, database servers, and similar
machines. It is transparent to the user but highly integrated with the device on the
backend.
Access control/authentication, only authorized users are able to access the
application.
Input validation verify that application input travelling across your network is safeto
process.