
Network security fundamentals


Anonymous

The three main goals of network security:

  • Confidentiality
  • Integrity
  • Availability

Confidentiality

Confidentiality refers to the protection of data against unauthorized or third-party access.

Integrity

Integrity refers to the assurance that the data sent is not altered or destroyed in an unauthorized way: the message received must be identical to the one sent.

Availability

Availability is defined as the continuous operation of computer systems. All components of the system must provide their services continuously; this includes application and database servers, storage devices, and the network links that connect them.

Balance in security policy

Security policies must allow transparent and secure access while maintaining optimal performance.

  • Transparent access: connectivity, performance, ease of use and handling, availability.
  • Security: authentication, authorization, transaction logging, transaction security, confidentiality and data integrity.

The first level of security

The first level of security consists of physical mechanisms for protecting sensitive network and data elements, together with backups. Security rules within the policy must exist before the network is connected to the corporate backbone. Some of the most important are:

  • Provide good documentation of the corporate security policy.
  • Control software downloads.
  • Ensure good user training.
  • Provide good documentation of the disaster recovery plan.

User training is especially necessary regarding the use and control of passwords. A password should not be shared with anyone: the information on your computer, and probably that of others, depends on the strength of your password and on how secret it stays. When creating a password, take the following criteria into account:

  • The password should never be shorter than 8 characters.
  • Mix uppercase and lowercase letters, digits and symbols.
  • To remember it without resorting to dates, names or dictionary words, you can use the first letters of the words of a song or a phrase.
  • Never share your password with anyone, not even a friend, family member or coworker: once shared, you no longer control it, and the other person may be careless with a password that is not their own.

A security criterion that is often overlooked is that laptops top the ranking of the most stolen computer equipment, and with them goes a large amount of information that usually includes passwords. These losses can be prevented with special care, even by padlocking the laptop to the workspace. The same advice extends to any hardware, and especially to storage media, because of the sensitive information they may contain.

Strangely enough, there are so-called dumpster divers: people who make a very particular use of social engineering to look for weaknesses and possible clues. They search recycling bins, fax trays, ordinary wastebaskets and sometimes the outside trash for documents that reveal a user's password or information that helps guess it. When you want to get rid of confidential information, be sure to destroy it first (this includes media such as CDs, floppy disks, etc.).

Vulnerability, threats and attacks

A vulnerability is an intrinsic weakness in networks and devices, including routers, switches, desktops, servers, and even the security systems themselves. Attackers are people with a level of skill that allows them to take advantage of the weaknesses of a system, using a variety of tools, scripts and programs to launch their attack. The security level of the system determines the number and size of the possible threats.

The three primary vulnerabilities are:

  • Technological weaknesses
  • Configuration weaknesses
  • Security policy weaknesses

Technological weaknesses

Computers and networks have intrinsic security weaknesses, including those of the TCP/IP protocol suite itself, the operating systems, and the networking equipment.

Configuration weaknesses

Configurations that work operationally but do not compensate for the weaknesses of the network devices. Examples: leaving the administrator password of a network device such as a router unset, or setting it without enabling encryption of the stored passwords.
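As an added example (not code from the article), the following Python script checks router configuration text for exactly the two weaknesses just described: no administrator password at all, and passwords stored in clear text. The configuration snippets are constructed for the example in Cisco IOS syntax, with the weak version next to a hardened one; the checker logic and its wording of findings are the example's own.

```python
"""Flag the two router configuration weaknesses named above: no administrator
password, and passwords stored in clear text.

Added example, not code from the article. The configuration text is constructed
for the example in Cisco IOS syntax; the checker logic is the example's own.
"""
import re

# Constructed weak configuration: clear-text enable password, clear-text vty password.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
line vty 0 4
 login
 password telnetpw
line con 0
"""

# Constructed hardened configuration: hashed enable secret, local accounts on SSH-only
# vty lines. The hash strings are placeholders, not real digests.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
username admin secret 5 $1$saltsalt$constructedHashPlaceholder1
enable secret 5 $1$saltsalt$constructedHashPlaceholder2
line vty 0 4
 login local
 transport input ssh
line con 0
 login local
"""

def _split_sections(config):
    """Return (global_commands, {line_header: [sub-commands]}); indented lines
    belong to the most recent 'line ...' header."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections

def check_config(config):
    """Return a list of findings (empty when none of the checked weaknesses is present)."""
    findings = []
    global_cmds, sections = _split_sections(config)
    has_secret = any(c.startswith("enable secret ") for c in global_cmds)
    has_enable_pw = any(c.startswith("enable password ") for c in global_cmds)
    has_svc_enc = "service password-encryption" in global_cmds
    if not (has_secret or has_enable_pw):
        findings.append("no enable password or enable secret configured")
    elif not has_secret:
        findings.append("enable password used instead of hashed enable secret")
    for header, cmds in sections.items():
        has_line_pw = any(re.match(r"password \S", c) for c in cmds)
        if has_line_pw and not has_svc_enc:
            findings.append(f"{header}: clear-text line password without service password-encryption")
        if "login" in cmds and not has_line_pw:
            findings.append(f"{header}: login enabled but no password set")
    return findings

if __name__ == "__main__":
    print(check_config(WEAK_CONFIG))
    print(check_config(HARDENED_CONFIG))
```

Note the caveat behind the second check: `service password-encryption` only obscures line passwords with the reversible type 7 encoding, whereas `enable secret` stores a hash. That is why the hardened configuration also moves the vty lines to `login local` over SSH instead of relying on a line password.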

Weaknesses of the security policy

These usually come from non-compliance with the security rules by users, or from ignorance of possible threats that were not contemplated in the design.

There are four primary classes of network security threats:

  1. Unstructured threats (hackers): mainly attacks by inexperienced individuals using simple attack tools available on the Internet, as well as some shell scripts and password crackers.
  2. Structured threats (crackers): these come from attackers who are more motivated and technically more competent. This type of person knows the vulnerabilities of the system, understands them, and can create exploit code and scripts for a more refined attack.
  3. External threats: external attacks come from individuals or organizations outside the company.
  4. Internal threats: internal attacks come from someone who has authorized access to our systems, either with an account on our authentication server or with physical access to our computers and our network.

There are four classes of primary attacks, as shown in the following figure:

(Figure: Classes of primary attacks in network security.)

  1. Reconnaissance: Reconnaissance is the discovery and mapping of our systems, services and possible vulnerabilities. It is also known as pre-attack information gathering, and in most cases it precedes an access or denial of service (DoS) attack. Reconnaissance is like a burglar studying a house to find the weakest entry point into the target.
  2. Access: Access is the intruder's ability to gain unauthorized entry to a device on which they initially have no account or password. This implies that the intruder has previously obtained an account, and possibly its password, through the negligence of a user, has run a script to crack it, or has exploited a vulnerability in the system or in an application, normally with the aim of gaining access as the root user.
  3. Denial of service (DoS): In a DoS attack the attacker disables or corrupts network services so that network users cannot use them. DoS attacks crash the system or slow it to the point of near uselessness. Although some DoS attacks can be as simple as deleting or corrupting information, most consist of the unauthorized execution of an attack script. The attacker does not need special privileges on the target device or service, although obtaining them is often the eventual goal, and these attacks are usually very damaging.
  4. Worms, viruses, and Trojan horses: Malicious software is inserted into a host for the sole purpose of damaging the system or the network, corrupting files, replicating, and in many cases ending up denying access to the network, the system, or one of its services. Today's attack tools are powerful and unfortunately cover new, more sophisticated dangers such as the Slammer and Blaster worms and new DoS attacks.

Reconnaissance attacks can consist of the following:

  • Packet sniffers
  • Port scans
  • Ping sweeps
  • Internet information queries

Examples: obtaining the target's possible IP addresses with nslookup, or whois queries to registries such as ARIN (the American Registry for Internet Numbers).
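Ping sweeps and port scans leave a recognizable trace in firewall logs: one source touching many hosts with ICMP, or many ports on one host. The following is an added example (not from the article) of detection logic run over constructed log lines. The line format `<time> <proto> <src> -> <dst>[:<dport>]` and the thresholds are assumptions of the example.

```python
"""Spot ping sweeps and port scans in firewall log records.

Added example, not from the article. The log lines are constructed and use a
hypothetical format '<time> <proto> <src> -> <dst>[:<dport>]'; thresholds are
the example's own choice.
"""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 pings eight hosts, then probes twelve ports on one
# of them; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"10:00:01 icmp 203.0.113.7 -> 192.0.2.{i}" for i in range(1, 9)]
    + [f"10:00:05 tcp 203.0.113.7 -> 192.0.2.10:{p}"
       for p in (21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389)]
    + ["10:00:06 tcp 198.51.100.4 -> 192.0.2.10:443",
       "10:00:07 icmp 198.51.100.4 -> 192.0.2.10",
       "10:00:08 tcp 198.51.100.4 -> 192.0.2.10:80"]
)

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>icmp|tcp|udp) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def detect_recon(records, sweep_hosts=5, scan_ports=10):
    """Return {'ping_sweep': {src: hosts}, 'port_scan': {(src, dst): ports}} for
    sources that exceed the thresholds."""
    icmp_targets = defaultdict(set)   # src -> set of hosts pinged
    ports_hit = defaultdict(set)      # (src, dst) -> set of tcp/udp ports touched
    for r in records:
        if r["proto"] == "icmp":
            icmp_targets[r["src"]].add(r["dst"])
        elif r["dport"] is not None:
            ports_hit[(r["src"], r["dst"])].add(int(r["dport"]))
    return {
        "ping_sweep": {s: len(h) for s, h in icmp_targets.items() if len(h) >= sweep_hosts},
        "port_scan": {k: len(p) for k, p in ports_hit.items() if len(p) >= scan_ports},
    }

def analyze(text=SAMPLE_LOG):
    return detect_recon(parse_log(text))

if __name__ == "__main__":
    print(analyze())
```

The thresholds should be tuned per network: a monitoring host that legitimately pings every server will trip the sweep rule, and a slow scan spread over hours needs a longer aggregation window than one log batch.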

Network snooping and packet sniffing are common terms for eavesdropping. Eavesdropping consists of listening in on conversations (network sessions), spying on them and in many cases capturing data packets; the information obtained can be used as the basis for other, more severe attacks on the network. An example of data exposed to eavesdropping is the community string of SNMP version 1, which is sent in plain text (in the clear). An intruder can sniff SNMP requests and obtain relevant information about the network and the interconnected equipment. Another example is the capture of user accounts and passwords as they cross the network.
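To make the SNMPv1 example concrete, here is an added example (not from the article) that decodes the community string straight out of a captured UDP payload. The packet bytes are constructed for the example (an SNMPv1 GetRequest for sysDescr.0 with the community "public"), and the BER walker is a minimal one written for this example, not a general ASN.1 library.

```python
"""Pull the community string out of a captured SNMPv1 message.

Added example, not from the article. The packet bytes are a constructed SNMPv1
GetRequest for sysDescr.0 with community 'public'; the BER (ASN.1) decoder below
is minimal and written for this example only.
"""

# Constructed UDP payload of an SNMPv1 GetRequest, annotated field by field.
CAPTURED_UDP_PAYLOAD = bytes.fromhex(
    "3026"                  # SEQUENCE, 38 bytes follow
    "020100"                # INTEGER version = 0 (SNMPv1)
    "0406" "7075626c6963"   # OCTET STRING "public"  <- the community string, in the clear
    "a019"                  # GetRequest-PDU, 25 bytes
    "020101"                # request-id = 1
    "020100"                # error-status = 0
    "020100"                # error-index = 0
    "300e"                  # VarBindList
    "300c"                  # VarBind
    "06082b06010201010100"  # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500"                  # NULL value
)

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element at pos; handles
    short-form and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode a BER OBJECT IDENTIFIER value into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]      # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:                       # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(payload):
    """Return version, community string, PDU type, request id and requested OIDs."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, p = read_tlv(pdu, 0)         # request-id
    _, _, p = read_tlv(pdu, p)              # error-status
    _, _, p = read_tlv(pdu, p)              # error-index
    _, varbinds, _ = read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):
        _, vb, p = read_tlv(varbinds, p)
        _, oid_raw, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    return {
        "version": int.from_bytes(ver, "big"),
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "oids": oids,
    }

if __name__ == "__main__":
    print(parse_snmpv1(CAPTURED_UDP_PAYLOAD))
```

Anyone on the path who can capture UDP port 161 traffic gets the community string with no cryptography to defeat; SNMPv2c carries it the same way (only the version integer differs), and only SNMPv3 with authentication and privacy closes this hole.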

Types of eavesdropping

A common method of eavesdropping on communications is to capture TCP/IP or other packets and decode their content using a protocol analyzer or a similar utility. The two most frequent uses are:

  • Information gathering: identifying users and passwords, or information that carries credit card numbers or sensitive personal data.
  • Information theft: the spy captures network information as it circulates on the intranet or on the Internet, in order to copy it or even to withhold it from its recipient. The main targets are financial institutions and credit card numbers. Another example is capturing a password file in order to crack it.

Tools used for eavesdropping

The following tools are used for network espionage:

  • Network or protocol analyzers
  • Packet capture tools in local network environments

Methods to counter these attacks

The most effective methods for counteracting eavesdropping are the following:

  1. Implement and enforce security policies that prohibit the use of protocols with known weaknesses that expose them to eavesdropping.
  2. Use data encryption that meets the minimum needs of the organization without imposing excessive use of system or user resources.
  3. Use switched networks.

Encrypted data

Encryption protects data that is susceptible to eavesdropping, password capture, or simple tampering. Some benefits of encryption include the following:

  • Almost every company has transactions which, if viewed by an eavesdropper, could have negative consequences. Encryption ensures that this sensitive data crosses the network without being observed and, with the help of digital signature techniques, lets the recipient find out whether it has been changed or altered.
  • Decryption is necessary when the data reaches the recipient on the network where it resides; it is very important that decryption can only be performed by the intended recipient.
  • If encryption is applied only to the data after the UDP or TCP headers, all intermediate routers and switches can route or forward the traffic as if it were any other packet, preserving quality of service (QoS) in network traffic and shifting the processing burden only to the communicating end systems.

Password Attacks

Password attacks can be implemented using various methods, including brute force, Trojan horses, IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can capture user accounts and their passwords, password attacks usually consist of repeated attempts to identify a possible user and their password using various combinations of characters. These attempts are called brute force attacks.

Normally the brute force attack is carried out with a program that scans the network looking for shared resources, services and servers, and then tries to get past their login security.

If the attacker succeeds in gaining access to the resource, they have the same privileges as the user whose account has been compromised; if it is an account with sufficient privileges, the security hole is proportional to them. Normally the attacker will try to create a back door for future access without changing the state or the password of the captured account, so as not to raise suspicion.

The most common methods used by brute force programs are:

  • Dictionary cracking: the hash of every word in a dictionary is compared with the stored password hash of each user. This method is extremely fast and finds all the simple passwords.
  • Brute-force computation: this method takes a particular character set, such as A-Z or A-Z plus 0-9, computes the hash of every possible password of N characters drawn from that set, and compares it with the stored hash. It will always find the password if the password is made up only of characters from the chosen set; its drawback is the time required to complete the attack.
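Both methods above, and the storage scheme that blunts them, in working code as an added example (not from the article). The "stolen" hash table and the wordlist are constructed; unsalted MD5 stands in for any fast unsalted hash. The defence shown, a random per-user salt plus PBKDF2, is the example's own choice; it is not something the article prescribes.

```python
"""Dictionary and brute-force attacks on unsalted password hashes, next to the
salted slow-hash storage that blunts them.

Added example, not from the article. The 'stolen' hash table and the wordlist are
constructed; unsalted MD5 stands in for any fast unsalted hash.
"""
import hashlib
import hmac
import itertools
import os
import string

def fast_hash(password):
    """The weak scheme under attack: one unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()

# Constructed credential store, as an attacker might obtain it.
STOLEN_HASHES = {
    "alice": fast_hash("summer"),
    "bob": fast_hash("ab12"),
    "carol": fast_hash("Xk9#qLm2"),
}
WORDLIST = ["password", "123456", "summer", "letmein", "qwerty"]
CHARSET = string.ascii_lowercase + string.digits   # a-z plus 0-9

def dictionary_attack(hashes, wordlist):
    """Hash every word once and look each user's hash up: because nothing is salted,
    the cost is the size of the wordlist, not users x words."""
    lookup = {fast_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}

def brute_force(target_hash, charset=CHARSET, max_len=4):
    """Try every string of length 1..max_len over charset. Returns (password, attempts),
    or (None, attempts) when the password uses characters outside charset."""
    attempts = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            attempts += 1
            candidate = "".join(combo)
            if fast_hash(candidate) == target_hash:
                return candidate, attempts
    return None, attempts

def store_password(password, iterations=100_000):
    """Defence: random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt defeats the shared lookup table; the iterations slow every guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, stored):
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print(dictionary_attack(STOLEN_HASHES, WORDLIST))
    print(brute_force(STOLEN_HASHES["bob"]))
```

Running it shows the asymmetry the text describes: the dictionary pass recovers "summer" in five hashes, the brute-force pass needs tens of thousands of hashes for a four-character password and 36^N in the worst case, and carol's mixed-case password with a symbol is simply outside the chosen character set.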

Trust exploitation

Although it is more a technique than an attack in itself, trust exploitation refers to an attack in which an individual takes advantage of a trust relationship in a network. A classic example is a perimeter segment connected to the corporate network. These segments often host DNS, SMTP and HTTP servers. Since these servers are usually on the same segment, the compromise of one usually implies the possible compromise of the others, because the systems normally trust each other.

Another example is a system outside the firewall that has a trust relationship with another inside the firewall. When the external system is compromised, the attacker can use that trust to attack the internal one. Another form of access involves privilege escalation: this occurs when a user gains special privileges or rights that were not directly assigned by the administrator but were improperly inherited when accessing objects. These objects can be files, commands, programs, or components and network devices. The intention is to gain administrative privileges that allow the attacker to install sniffers, create back doors, and delete log files to remove traces.

Trust exploits can be mitigated through tight constraints on trust levels that do not go beyond the functions the trust relationship must cover. Systems outside the firewall should never be granted absolute privileges on a system inside it; such trusts should be limited to specific protocols and, whenever possible, authenticated by something more than just an IP address.

Port Redirection

A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through the firewall that would otherwise be dropped. Consider a firewall with three interfaces and one host on each interface. The external host can reach the host on the public services segment (commonly known as the DMZ, demilitarized zone), but not an internal host. The host in the DMZ, however, can reach the internal host. If a hacker were able to compromise the DMZ host, they could install software that redirects traffic from the external host to the internal one; this way neither of the two communications (external host to intermediate, and intermediate to internal) violates the firewall rules, and the external host now has a tunnel to the internal one through the port forwarding process on the public server. An example of a program that can perform this task is NETCAT. As indicated earlier, this type of attack is minimized by a specific trust model for each network; on a system under attack, host-based intrusion detection (IDS) software can detect the intruder and prevent the installation of this type of utility on the intermediate computer.
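The following is an added example (not from the article) of the redirector itself: a minimal TCP port forwarder of the kind the text attributes to netcat on the compromised DMZ host, with a stand-in for the internal service. Everything binds to 127.0.0.1 on OS-assigned ports, so nothing leaves the machine; the names `start_redirector`, `start_echo_server` and `send_through` are the example's own.

```python
"""A minimal TCP port redirector of the kind the article attributes to netcat on a
compromised DMZ host, plus a stand-in for the internal service it tunnels to.

Added example, not from the article. Everything runs on 127.0.0.1 with ports chosen
by the OS, so nothing reaches a real network.
"""
import socket
import threading

def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _relay(client, target):
    """Bridge one accepted client connection to target=(host, port) in both directions."""
    with client, socket.create_connection(target) as remote:
        back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
        back.start()
        _pump(client, remote)
        back.join()

def start_redirector(target, bind=("127.0.0.1", 0)):
    """Listen on bind and forward every connection to target; returns the bound (host, port).
    On a DMZ host this is the role netcat plays in the attack described above."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_relay, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()

def start_echo_server(bind=("127.0.0.1", 0)):
    """Stand-in for the internal host's service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(bind)
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def send_through(redirector, payload):
    """Connect to the redirector as the external host would and return the reply."""
    with socket.create_connection(redirector) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    internal = start_echo_server()        # the internal host
    dmz = start_redirector(internal)      # the compromised DMZ host
    print(send_through(dmz, b"hello through the DMZ\n"))
```

From the firewall's point of view both legs are permitted flows (external to DMZ, DMZ to internal), which is why the text places the defence on the DMZ host itself: a host IDS that notices a new listening socket or an unexpected outbound connection from the web server, and a trust model in which the internal host does not accept connections from the DMZ in the first place.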

Man-in-the-middle attack

The so-called man-in-the-middle attack requires the hacker to have access to the packets that cross the network where they are located.

An example could be someone working at an ISP (Internet Service Provider) who has access to the packets transferred between the users' networks and the ISP's own network.

These attacks are typically implemented using sniffers and routing and transport protocols. Possible uses of this attack are information theft, hijacking a session to gain access to a private network, traffic analysis to derive information about a network, its users and their preferences, preparation for a possible DoS, corruption of data, and impersonation of information and sessions.

The man-in-the-middle attack can be mitigated by encrypting traffic in an IPsec tunnel, which would only allow the attacker to see encrypted data.

Social engineering

It is the simplest method and does not require a high level of computer knowledge; the attacker only needs to obtain information of some value, such as the location of servers, important files, existing users, and possibly passwords obtained through tricks. The hacking process is then simpler.

DoS

The following are some of the most common DoS threats:

  • Ping of death: This attack sends IP fragments whose offsets and lengths add up to more than the maximum IP packet size of 65,535 bytes, so that reassembly overflows the receiving system's buffer and crashes it.
  • SYN flood attack: This attack opens many TCP connections on many ports, trying to establish as many half-open (dummy) connections as possible in order to deny access to other users. It is usually carried out with specific, purpose-built tools.
  • Packet fragmentation and reassembly: This attack exploits buffer overrun bugs in a PC or network interconnection device.
  • E-mail bombs: An e-mail bomb is a program capable of sending e-mail to individuals, mailing lists or domains, monopolizing the mail server.
  • CPU hogging: This attack consists of programs such as Trojans or viruses that choke the CPU by consuming as many clock cycles, memory or other resources as possible.
  • Malicious applets: This attack comes from Java, JavaScript or ActiveX code that acts as a Trojan or virus to destroy data or capture system resources.
  • Misconfiguring routers: Misconfiguring routers to create a routing loop that disables traffic, especially web traffic.
  • The chargen attack: This attack establishes connections between UDP services, producing an intense exchange of data. The chargen host is connected to the echo service on the same or a different system, causing network congestion with echo traffic.
  • Out-of-band attacks such as WinNuke: This attack sends out-of-band data to port 139 on a computer running Windows 95 or NT 4. The victim's IP address is required before launching the attack.
  • Accidental denial of service: DoS can happen accidentally, caused by a bad configuration or by misuse on the part of a legitimate user or an administrator.
  • Land.c: Programs that send TCP SYN packets in which both the destination and the source are the same IP address. They also typically use the same source and destination port (such as 113 or 139) on the destination host, causing the system to crash.
  • Teardrop.c: In this attack IP packets are fragmented in such a way that their reassembly causes problems at the destination and aborts the communication.
  • A multi-platform DoS tool that integrates the attacks called bonk, jolt, land, nestea, netear, syndrop, teardrop, and winnuke in a single exploit.
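Several of the patterns in that list are recognizable from packet headers alone. As an added example (not from the article), the script below classifies constructed packet summaries into the Land pattern (source equals destination), the ping-of-death pattern (a fragment that would reassemble beyond the IPv4 maximum), and a SYN flood. The `Packet` record, the sample capture and the flood threshold are the example's own; SYNs are counted per destination port rather than per source, because flood sources are usually spoofed.

```python
"""Recognise three of the DoS patterns above from packet headers: Land (source equals
destination), oversized fragments (ping of death) and SYN floods.

Added example, not from the article. Packets are constructed header summaries and the
thresholds are the example's own.
"""
from collections import Counter, namedtuple

# One IP packet or fragment. frag_offset is in 8-byte units as in the IP header;
# length is the number of payload bytes after the IP header; flags is a frozenset of TCP flags.
Packet = namedtuple("Packet", "src sport dst dport proto flags frag_offset length")

IPV4_MAX_PAYLOAD = 65535 - 20   # maximum IPv4 total length minus the minimum header

def tcp(src, sport, dst, dport, *flags):
    """Build an unfragmented TCP segment summary with a 40-byte payload."""
    return Packet(src, sport, dst, dport, "tcp", frozenset(flags), 0, 40)

def is_land(p):
    """Land.c pattern: a TCP packet addressed from the victim to itself on the same port."""
    return p.proto == "tcp" and p.src == p.dst and p.sport == p.dport

def is_oversized_fragment(p):
    """Ping-of-death pattern: this fragment would reassemble past the IPv4 maximum."""
    return p.frag_offset * 8 + p.length > IPV4_MAX_PAYLOAD

def syn_flood_targets(packets, threshold=50):
    """Count SYN-only segments per (dst, dport); returns the targets over threshold."""
    syns = Counter((p.dst, p.dport) for p in packets
                   if p.proto == "tcp" and p.flags == frozenset({"SYN"}))
    return {t: n for t, n in syns.items() if n >= threshold}

def classify(packets):
    """Return findings as tuples: ('land', src), ('oversized-fragment', src),
    ('syn-flood', 'dst:port', count)."""
    findings = []
    for p in packets:
        if is_land(p):
            findings.append(("land", p.src))
        if is_oversized_fragment(p):
            findings.append(("oversized-fragment", p.src))
    for (dst, dport), n in syn_flood_targets(packets).items():
        findings.append(("syn-flood", f"{dst}:{dport}", n))
    return findings

# Constructed capture: a normal three-way handshake, one Land packet, one ping-of-death
# fragment (offset 8189 x 8 = 65512 bytes plus 100 bytes of data), and 60 SYNs from
# spoofed sources to the same web server.
SAMPLE_PACKETS = [
    tcp("198.51.100.4", 51000, "192.0.2.10", 80, "SYN"),
    tcp("192.0.2.10", 80, "198.51.100.4", 51000, "SYN", "ACK"),
    tcp("198.51.100.4", 51000, "192.0.2.10", 80, "ACK"),
    tcp("192.0.2.10", 139, "192.0.2.10", 139, "SYN"),
    Packet("203.0.113.5", 0, "192.0.2.10", 0, "icmp", frozenset(), 8189, 100),
] + [tcp(f"203.0.113.{i % 250 + 1}", 40000 + i, "192.0.2.10", 80, "SYN") for i in range(60)]

if __name__ == "__main__":
    for finding in classify(SAMPLE_PACKETS):
        print(finding)
```

Modern stacks discard Land and oversized-fragment packets themselves, so these checks mostly serve to spot an attacker who is probing old equipment; the SYN counter is the one that still matters, and in practice it must be paired with a time window and a comparison against the number of completed handshakes.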

Masquerade / IP spoofing

With this attack, the attacker manipulates TCP/IP packets by spoofing the source IP address, pretending to be another user. The intruder thus assumes the identity of a valid user and obtains that user's privileges on systems that validate only the IP address.

In IP spoofing, the external attacker makes its traffic appear to come from a valid computer, either by taking a valid IP address within the network's range or by using an authorized external IP address, in order to access certain network resources.

Normally spoofing only seeks to insert malicious data or commands into a data stream passed between a client and a server or in a peer-to-peer communication. The attacker does not wait for a response from the attacked applications and does not need one. This is the typical attack on known weaknesses of DNS servers.

If the attacker wants to receive responses, they must change the routing tables so that they point to the spoofed IP address.

This would imply receiving all the traffic destined for that IP address and trying to respond as the other user would. Unfortunately, this technique is not only used by external attackers; it is even more common among internal attackers.

Some of the tools usually used with this technique are the following:

  • Protocol analyzers and password sniffers
  • Sequence number modification
  • Scanning tools that test TCP ports for specific services, networks or system architectures, or a certain OS

After obtaining information from the scanning tools, the intruder searches for vulnerabilities associated with them.

Distributed DoS (DDoS)

This attack tries to saturate the network with spurious data.

DDoS uses an attack scheme similar to standard DoS but operates on a larger scale, typically with hundreds or thousands of attack points saturating or bringing down the target system.

Examples of DDoS attacks:

  • Smurf
  • Tribe Flood Network (TFN)
  • Stacheldraht

Smurf attack: The Smurf attack is initiated by sending a massive number of ICMP echo request (ping) packets with a spoofed source IP address to a broadcast address, so that the responses to the forged IP, which is the real target of the attack, are amplified. If the routing device also translates the layer 3 broadcast into a layer 2 broadcast, the traffic is multiplied by the number of hosts that respond to the echo packets.

Example: assume a network of 100 hosts and an attacker using a T1 link. The attacker sends a 768 kbps stream of ICMP echo (ping) packets with the victim's forged source IP, destined for the broadcast IP of the bounce site. The ping reaches the bounce site as a broadcast, 100 computers respond to the forged source IP, and a total of 76.8 Mbps of bandwidth is consumed by the ping responses from the bounce site once the traffic is multiplied.

Disabling directed broadcast on the network infrastructure prevents it from being used as a bounce site.

Tribe Flood Network (TFN): Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K) are distributed tools used to launch coordinated DoS attacks from many sources against one or more targets. A TFN attack can generate packets with forged source IPs: the attacker sends instructions to a computer running the master software, which forwards them to the list of TFN servers (daemons, or resident programs) that generate the specified attack against the target's IP. The source address and port can be randomized and the packet size altered. Fortunately, the presence of a TFN master within the source network of the amplified attack makes it easy to obtain the list of computers infected with the TFN server.

Stacheldraht attack: Stacheldraht (German for "barbed wire") combines features of various DoS attacks, including Tribe Flood Network (TFN). It also adds special features such as encryption of the communication between the attacker and the Stacheldraht masters, and automatic updating of the agents. There is an initial mass-intrusion phase in which an automated tool is used to compromise a large number of computers, controlled remotely as root (via a rootkit), which are then used in the DoS attack against other systems.

Malware (malicious software): worms, viruses, Trojan horses and spyware

Worms

The anatomy of a worm attack consists of:

  • Enabling vulnerability: the worm installs itself by taking advantage of a system weakness or of an exploit for it.
  • Propagation mechanism: after gaining access to a computer, the worm replicates and selects new victims.
  • Payload: after a device has been infected with a worm, the attacker has access to it with user privileges and can use other local exploits to escalate privileges to administrator level.

Typically a worm is a self-contained program that replicates by copying itself to the target, exploiting vulnerabilities in the systems and starting the cycle again, while a virus requires a vector to transport its code from one system to another. A vector can be a word processor document or spreadsheet with embedded macros or scripts, an e-mail, or an executable with the virus embedded; the oldest viruses lived in the boot sector of removable media. The key difference between a virus and a worm is that the former requires human interaction to spread. Mitigating a worm attack requires rapid intervention to isolate the infected part of the system, which in turn requires proper coordination between system administrators, network engineers and security operators for rapid detection of and response to a worm incident. The recommended steps to mitigate a worm attack are:

  1. Containment
  2. Inoculation
  3. Quarantine
  4. Treatment

Viruses and Trojan Horses

Viruses are malicious software attached to another program that performs an unwanted function on the user's workstation. A Trojan horse differs only in that the entire program is made to look like a useful utility when in fact it is a tool that an attacker has placed inside our system, normally introduced via e-mail.

Network security is a continuous process built on security policies.

To start the security wheel, the security policy is first developed, together with the weighting criteria, by carrying out the following tasks:

  • Identify the objectives of organizational security.
  • Document the resources to protect.
  • Identify the network infrastructure, with up-to-date network maps and inventories.
  • Identify the critical resources that need protection, such as the finance, human resources and development departments.

This is called risk analysis.

After developing the security policy, run a security pass through the four steps of the security wheel: 1. Secure, 2. Monitor, 3. Test, 4. Improve, and then start again.

Secure

Secure the network by applying security policies that include antivirus software on all computers, kept constantly updated, and by implementing the following security solutions:

Threat defense:

  • Allow only valid and necessary traffic and services.
  • Intrusion prevention systems (IPS) and inline intrusion detection systems (IDS).
  • Vulnerability patching: keep systems up to date with the latest patches.
  • Secure connections: VPNs, SSH, SSL.

Trust and identity:

  • Authentication
  • Policy enforcement

Monitor

Monitoring security involves two simultaneous methods, active and passive. The most common active method is auditing log files.

Passive methods include the use of intrusion detection system (IDS) devices to detect intrusions automatically. This method requires a small group of network administrators to keep the monitoring current. These systems can detect security breaches in real time and can be configured to respond automatically before the intruder causes damage.

Test

In the testing phase of the security wheel, network security is proactively checked.

Improve

The improvement phase of the security wheel involves analyzing the data collected during monitoring and testing, and then implementing improvements that are documented in the security policies and applied in the next secure phase. To keep the network as secure as possible, this cycle must be repeated continuously, since new risks and vulnerabilities appear every day.
