3. ARP – Address Resolution Protocol
Required TCP/IP standard defined in RFC 826
Resolves IP addresses used by TCP/IP-based software to Media Access Control (MAC) addresses used by LAN hardware.
MAC addresses are obtained by using a network broadcast request
◦ What is the MAC address for a device that is configured with the enclosed IP address?
When an ARP request is answered, both the sender of the ARP reply and the original ARP requester record each other's IP address and MAC address as an entry in a local table called the ARP cache for future reference.
4. ARP Spoofing
An attacker sends fake ARP messages onto a LAN.
The aim is to associate the attacker's MAC address with the IP address of another host, so that any traffic meant for that IP address is sent to the attacker instead.
ARP spoofing allows an attacker to intercept data frames on a LAN.
Can only be used on the local network segment.
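The ARP cache behaviour above is what a passive monitor can check: parse each ARP frame on the segment, learn the first IP-to-MAC binding for every address, and alert when a later reply claims the same IP from a different MAC or when the sender MAC inside the ARP body disagrees with the frame's Ethernet source. This is an added example, not code from the original slides; the frames it feeds itself are constructed test input with made-up addresses.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Constructed test input: an Ethernet II frame carrying an RFC 826 ARP packet."""
    eth = struct.pack("!6s6sH", mac("ff:ff:ff:ff:ff:ff"), mac(eth_src or sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha),
                      IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields needed for monitoring, or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": frame[6:12], "op": op, "sha": sha, "spa": str(IPv4Address(spa))}

class ArpWatch:
    """Passive monitor: learns IP->MAC bindings from ARP traffic and reports conflicts."""

    def __init__(self):
        self.bindings = {}  # ip -> MAC bytes first seen claiming that ip

    def observe(self, frame):
        """Return a list of alert strings for one frame (empty when nothing is suspicious)."""
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        # The sender MAC inside the ARP body should match the Ethernet source address.
        if p["sha"] != p["eth_src"]:
            alerts.append(f"sender MAC {p['sha'].hex(':')} differs from frame source for {p['spa']}")
        known = self.bindings.get(p["spa"])
        if known is None:
            self.bindings[p["spa"]] = p["sha"]  # first sighting: learn the binding
        elif known != p["sha"]:
            # The same IP is now claimed by a different MAC: the ARP spoofing symptom.
            alerts.append(f"{p['spa']} moved from {known.hex(':')} to {p['sha'].hex(':')}")
        return alerts
```

A real deployment would seed the bindings from a known-good inventory (DHCP leases, switch tables) so the first frame seen is not blindly trusted.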
5. RIP Attack
Forging RIP messages
Spoofing the source address and sending invalid routes, altering traffic flow.
◦ Traffic Hijacking
◦ Traffic Monitoring
◦ Redirecting traffic from trusted to untrusted.
Obtaining the clear-text RIPv2 "password" when it is sent across the network.
◦ Using the retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with the consequences listed above.
6. RIP Safeguards
Disabling RIPv1 and using RIPv2 with MD5 authentication.
Enabling MD5-based authentication for RIPv2.
Disabling RIP completely and using OSPF with MD5 authentication as the interior gateway protocol. OSPF is the suggested IGP.
7. OSPF Attacks
Forging OSPF messages
◦ Can be somewhat difficult but theoretically possible if no authentication is required or a clear-text password has been obtained.
Identified 4 OSPF attacks
◦ Max Age attack
◦ Sequence++ attack
◦ Max Sequence attack
◦ Bogus LSA attack
Fig: Sequence number attack
8. OSPF Safeguards
Do not use dynamic routing on hosts wherever it is not required
Implement MD5 authentication
◦ You need to deal with key expiration, changeover and coordination across routers
9. DNS Hiding
Hiding DNS does not improve security
Easy to learn about a network once you've penetrated it
Many other ways for host/address information to leak out
Hiding DNS may be necessary if you do not have valid IP addresses
Or many unreachable nodes/networks
14. DNS Infrastructure is Vulnerable
Fig: Example.com with App Servers, GSLB and LDNS. The LDNS asks "www.example.com?" and the legitimate answer is 123.123.123.123, but a hacker spoofing with the first response, or poisoning the cache, substitutes 012.012.012.012.
Problem
Need to secure DNS infrastructure
• Cache poisoning and spoofing can hijack DNS records
• Need a method for trusted responses
• Need to meet US Government mandate for DNSSEC compliance
Spoofing and cache poisoning allow hijacking of domains
15. Securing the DNS Infrastructure
Dynamic and secure DNS with Global Traffic Manager
Fig: Example.com with App Servers, BIG-IP GTM and LDNS. The LDNS asks "www.example.com?" and receives 123.123.123.123 + public key; a hacker is also shown, but the client gets a signed, trusted response.
Solution
Secure and dynamic DNS
• Ensure users get trusted DNS queries with signed responses
• Reduce management costs – simple to implement and maintain
• Meet mandates with DNSSEC compliant solution
BIG-IP Global Traffic Manager with DNSSEC
20. Firewall
A firewall is a hardware or software device which is configured to permit, deny or proxy data through a computer network which has different levels of trust.
A hardware firewall is a device located between the Internet and end-terminals.
It applies a "ruleset" of filters in the control plane and data plane to prevent attacks that enter through one or more interfaces.
22. Intrusion Detection System (IDS/IPS)
An IDS is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
The focus is on identifying possible incidents, logging information about them, and reporting attempts.
23. Intrusion Detection System (IDS/IPS)
Differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening.
An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
Uses statistical anomaly-based IDS to detect anomalous traffic, and signature-based IDS to monitor packets in the network and compare them with pre-configured and pre-determined attack patterns.
28. BGP Hijacking
AS100 is advertising their owned route (10.0.0.0/8) : Victim AS
AS400 is advertising invalid route (10.0.0.0/8) : Hijacking AS
AS300 is infected by Hijacking : Infected AS
AS200 is Influenced but not infected by Hijacking : Influenced AS
Fig: AS100 and AS400 both announce 10.0.0.0/8; AS200 and AS300 each receive two paths, with the selected one marked ">"
AS200 routing table:
> 10.0.0.0/8 100
  10.0.0.0/8 300 400
AS300 routing table:
  10.0.0.0/8 200 100
> 10.0.0.0/8 400
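The hijack in the figure, worked through as an added example (not code from the original slides): plain shortest-AS_PATH selection reproduces AS300 preferring the bogus path from AS400 while AS200 keeps the legitimate one, and a route origin validation step filters the bogus path out. The validation is assumed here in the style of RFC 6811 ROAs (prefix, maxLength, authorized origin AS), which the slides do not mention, rather than the S-BGP attestations described on the next slide.

```python
from ipaddress import ip_network

# Constructed from the slide's topology: AS100 legitimately originates 10.0.0.0/8 and
# AS400 announces the same prefix. Each AS holds the (prefix, AS_PATH) pairs it received.
RECEIVED = {
    200: [("10.0.0.0/8", (100,)), ("10.0.0.0/8", (300, 400))],
    300: [("10.0.0.0/8", (400,)), ("10.0.0.0/8", (200, 100))],
}

# Assumed Route Origin Authorizations: (prefix, maxLength, authorized origin ASN).
ROAS = [("10.0.0.0/8", 8, 100)]


def validate_origin(prefix, as_path, roas):
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'notfound'."""
    net = ip_network(prefix)
    origin = as_path[-1]  # the origin AS is the last ASN in AS_PATH
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa = ip_network(roa_prefix)
        if roa.version == net.version and net.subnet_of(roa):
            covered = True  # at least one ROA covers this prefix
            if net.prefixlen <= max_len and asn == origin:
                return "valid"
    return "invalid" if covered else "notfound"


def best_path(routes, roas=None):
    """Plain BGP tie-break on AS_PATH length; with roas, drop 'invalid' routes first."""
    if roas is not None:
        routes = [r for r in routes if validate_origin(r[0], r[1], roas) != "invalid"]
    if not routes:
        return None
    return min(routes, key=lambda r: (len(r[1]), r[1]))


def selected_routes(roas=None):
    """Best route per AS in the constructed topology, with or without origin validation."""
    return {asn: best_path(routes, roas) for asn, routes in RECEIVED.items()}
```

The maxLength check also rejects a more-specific announcement such as 10.1.0.0/16 even from the authorized origin, which is the other common form of hijack.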
29. Securing the Border Gateway Protocol
Fig: S-BGP Element Interactions
S-BGP is an architectural solution to the BGP security problems.
Developed by Cisco
S-BGP makes use of:
IPsec
Public Key Infrastructure
Attestations
31. Application Hacking
Security flaws in application level
Un-validated Input
Broken Access Control
Broken authentication and Session management
Cross site scripting
Buffer overflows
Injection flaws
Improper error handling
Insecure storage
Denial of Service
Insecure configuration management
32. Application Hacking
Application shield: is referred to as an application-level firewall. It ensures that incoming and outgoing requests are permissible for the given application. It is commonly installed on Web servers, email servers, database servers, and similar machines. It is transparent to the user but highly integrated with the device on the backend.
Access control/authentication: only authorized users are able to access the application.
Input validation: verify that application input travelling across your network is safe to process.
Editor's notes
Global Server Load Balancing (GSLB). Local Domain Name Server (LDNS). Domain name server security (DNSSEC). BIG-IP Global Traffic Manager product.
Invalid BGP route announcement. Traffic diverting by BGP route hijacking, unreachable… Detection is not so easy… Recovery is very hard… Not frequently, but it occurs. Easy outbreak, but big impact. Not only global, but localized outbreak.
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-3/securing_bgp_s-bgp.html
IPsec to secure point-to-point communication of BGP control traffic. Public Key Infrastructure to provide an authorization framework representing prefix holders and owners of AS #'s. Attestations (digitally-signed data) to represent authorization information. S-BGP is an architectural solution to the BGP security problems described earlier by Cisco. S-BGP represents an extension of BGP. It uses a standard BGP facility to carry additional data about paths in UPDATE messages. It adds an additional set of checks to the BGP route selection algorithm. S-BGP avoids the pitfalls of transitive trust that are common in today's routing infrastructure. S-BGP mechanisms exhibit the same dynamics as BGP, and they scale commensurately with BGP.