
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense, Chapter 13: Protecting Networks with Security Devices. Objectives: describe network security devices, describe firewall technology, describe intrusion detection systems, and describe honeypots. The chapter opens with the section "Understanding Network Security Devices".



  1. Hands-On Ethical Hacking and Network Defense
     Chapter 13: Protecting Networks with Security Devices

  2. Objectives
     • Describe network security devices
     • Describe firewall technology
     • Describe intrusion detection systems
     • Describe honeypots

  3. Understanding Network Security Devices
     • Network security devices
       • Routers
       • Firewalls
       • Intrusion detection systems
       • Honeypots

  4. Understanding Routers
     • Routers are hardware devices used on a network to send packets to different network segments
     • Operate at the network layer of the OSI model
     • Routing protocols used by routers
       • Link-state routing protocol
         • Router advertises link state to identify the network topology and any changes on paths
       • Distance-vector routing protocol
         • Router passes its routing table to all routers participating on the network

  5. Understanding Basic Hardware Routers
     • Cisco routers are widely used in the networking community
     • More than one million Cisco 2500 series routers are currently being used by companies around the world
     • Vulnerabilities exist in Cisco IOS as they do in any operating system
     • Security professionals must consider these vulnerabilities when conducting a security test

  6. Cisco Router Components
     • A Cisco router uses the Cisco Internetwork Operating System (IOS) to function
     • Components
       • Random access memory (RAM)
         • Holds the router's running configuration, routing tables, and buffers
         • If you turn off the router, the contents stored in RAM are wiped out
       • Nonvolatile RAM (NVRAM)
         • Holds the router's configuration file; the information is not lost if the router is turned off

  7. Cisco Router Components (continued)
     • Components (continued)
       • Flash memory
         • Holds the IOS the router is using
         • Is rewritable memory, so you can upgrade the IOS
       • Read-only memory (ROM)
         • Contains a minimal version of the IOS used to boot the router if flash memory gets corrupted
       • Interfaces
         • Hardware connectivity points
         • Example: an Ethernet port is an interface that connects to a LAN

  8. (Figure slide: image only, no text captured)

  9. Cisco Router Configuration
     • Configuration modes:
       • User mode
         • Administrator can perform basic troubleshooting tests and list information stored on the router
         • The prompt Router-name> indicates that you are in user mode
       • Privileged mode
         • Administrator can perform full router configuration tasks
         • The prompt Router-name# indicates that you are in privileged mode
     • By default, you are in user mode
     • Type "enable" or "en" to change to privileged mode

  10. Cisco Router Configuration (continued)
     • Once in privileged mode, you can change to two more configuration modes
       • Global configuration mode
         • Administrator can configure router settings that affect overall router operation
         • To use this mode, you enter the command config t at the Router-name# prompt
         • The prompt Router-name(config)# tells the user she is in global configuration mode

  11. Cisco Router Configuration (continued)
     • Once in privileged mode, you can change to two more configuration modes (continued)
       • Interface configuration mode
         • Administrator can configure an interface on the router
         • To use this mode, you enter global configuration mode first
         • Next, you enter the command for interface configuration mode and the name of the interface you want to configure
         • The prompt Router-name(config-if)# indicates you are in interface configuration mode

  12. (Figure slide: image only, no text captured)

  13. Understanding Access Control Lists
     • There are several types of access control lists
     • We will focus on IP access lists
     • IP access lists
       • Lists of IP addresses, subnets, or networks that are allowed or denied access through a router's interface
     • Two different types of access lists on a Cisco router
       • Standard IP access lists
       • Extended IP access lists

  14. Standard IP Access Lists
     • Can restrict IP traffic entering or leaving a router's interface based on source IP address
     • The syntax of a standard access list is as follows:
         access-list [list #] [permit|deny] [source address] [source wildcard mask]
       • [list #] is a number in the range of 1 to 99
       • [permit|deny] are keywords to permit or deny traffic
       • [source address] specifies the IP address of the source host
       • [source wildcard mask] signifies which bits of the source address are significant

  15. (Figure slide: image only, no text captured)

  16. Standard IP Access Lists (continued)
     • Example:
         access-list 1 deny 173.110.0.0 0.0.255.255
         access-list 1 permit any
     • A wildcard mask is similar to a subnet mask
     • Example:
         access-list 1 deny 10.10.1.112 0.0.0.0
     • The 0s used after the IP address signify that every octet in the IP address must match the IP address being filtered
     • Another example:
         access-list 1 deny 192.168.10.0 0.0.0.255
         access-list 1 permit any

  17. Standard IP Access Lists (continued)
     • Cisco allows a shortcut for the mask 0.0.0.0:
         access-list 1 deny host 192.168.10.112
     • Access lists always end with an implicit deny rule
     • To avoid this, you must add the "permit any" statement:
         access-list 1 deny host 192.168.10.112
         access-list 1 permit any
     • Steps for applying the access list to an interface
       • Enter global configuration mode
       • Create the access list
       • Enter interface configuration mode
       • Use the ip access-group command

  18. Standard IP Access Lists (continued)
     • Example:
         Router> en
         Password: ******
         Router# config t
         Router(config)# access-list 1 deny 172.16.5.0 0.0.0.255
         Router(config)# access-list 1 permit any
         Router(config)# int e0
         Router(config-if)# ip access-group 1 out
         Router(config-if)# Ctrl+z   [to save and exit global configuration mode]
         Router#

  19. Extended IP Access Lists
     • Allow packet filtering based on
       • Source IP address
       • Destination IP address
       • Protocol type
       • Application port number
     • Syntax for extended IP access lists:
         access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [destination IP address] [destination wildcard mask] [operator] [port] [log]
       • [list #] is a number in the range of 100 to 199
       • [permit|deny] are keywords to permit or deny traffic

  20. Extended IP Access Lists (continued)
     • Syntax for extended IP access lists (continued)
       • [protocol] can be IP, TCP, UDP, ICMP, and so on
       • [source IP address] is the IP address of the source
       • [source wildcard mask] determines the significant bits of the source IP address
       • [destination IP address] is the IP address of the destination
       • [destination wildcard mask] determines the significant bits of the destination IP address
       • [operator] can be lt, gt, eq, or neq

  21. Extended IP Access Lists (continued)
     • Syntax for extended IP access lists (continued)
       • [port] is the port number of the protocol to be filtered
       • [log] logs all activity of the access list for the administrator
     • Example:
         access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100 eq www

  22. Extended IP Access Lists (continued)
     • Applying an access list to an interface:
         Router> en
         Password: ******
         Router# config t
         Router(config)# access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100
         Router(config)# access-list 100 permit ip any any
         Router(config)# int e0
         Router(config-if)# ip access-group 100 in
         Router(config-if)# Ctrl+z
         Router#
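The following Python program is an added illustration of the access-list rules described on slides 13 through 22; it is not code from the textbook or from Cisco IOS. It simulates how a router evaluates a standard list (source address only) and an extended list (protocol, source, destination, and a port operator): entries are checked top-down and the first match wins, a wildcard bit of 0 means "must match" and 1 means "don't care", the host keyword expands to wildcard 0.0.0.0, and a list that never reaches a permit ends in the implicit deny. The packet layout (a small dict) and the port-name table are simplifying assumptions of this example.

```python
"""Simulated evaluation of Cisco-style standard and extended IP access lists.

Added illustration, not code from the textbook or from Cisco IOS. It models the
behaviour the slides describe: entries are checked top-down and the first match
wins, a wildcard bit of 0 means "must match", and every list ends with an
implicit deny. Port names and the packet layout are simplified assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

AddrSpec = Tuple[str, str]                       # (base address, wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")   # what the keyword "any" expands to
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}  # assumed subset of IOS names


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this bit must match, 1 = don't care (inverse of a subnet mask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches everything; standard lists use "ip"
    src: AddrSpec
    dst: AddrSpec
    operator: Optional[str] = None   # lt, gt, eq, neq (applies to the destination port)
    port: Optional[int] = None
    log: bool = False


def _parse_addr(tokens, i):
    """Consume 'any', 'host X', or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":                      # shortcut for wildcard 0.0.0.0
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one 'access-list ...' line; list numbers 1-99 are standard, 100-199 extended."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                         # standard: source address only
        src, _ = _parse_addr(t, 3)
        return Entry(action, "ip", src, ANY)
    if not 100 <= number <= 199:
        raise ValueError(f"unsupported list number {number}")
    protocol = t[3].lower()
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    operator = port = None
    if i < len(t) and t[i] in ("lt", "gt", "eq", "neq"):
        operator, p = t[i], t[i + 1]
        port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        i += 2
    log = i < len(t) and t[i] == "log"
    return Entry(action, protocol, src, dst, operator, port, log)


def _port_ok(operator: str, want: int, actual: int) -> bool:
    return {"eq": actual == want, "neq": actual != want,
            "lt": actual < want, "gt": actual > want}[operator]


def evaluate(acl, packet: dict) -> str:
    """Return 'permit' or 'deny' for a packet dict with keys src, dst, protocol, dport."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != packet["protocol"]:
            continue
        if not wildcard_match(packet["src"], *e.src):
            continue
        if not wildcard_match(packet["dst"], *e.dst):
            continue
        if e.operator and not _port_ok(e.operator, e.port, packet.get("dport", -1)):
            continue
        return e.action                           # first match wins
    return "deny"                                 # implicit deny at the end of every list


# The standard list from slide 18 and the extended list from slides 21-22.
STANDARD_ACL = [parse_entry(line) for line in (
    "access-list 1 deny 172.16.5.0 0.0.0.255",
    "access-list 1 permit any",
)]
EXTENDED_ACL = [parse_entry(line) for line in (
    "access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100 eq www",
    "access-list 100 permit ip any any",
)]
# The same deny entry without the closing permit: everything else hits the implicit deny.
FORGOT_PERMIT = STANDARD_ACL[:1]

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, {"src": "172.16.5.77", "dst": "10.0.0.1", "protocol": "tcp"}))
    print(evaluate(FORGOT_PERMIT, {"src": "172.16.6.1", "dst": "10.0.0.1", "protocol": "tcp"}))
```

Running the module prints deny for the 172.16.5.0/24 source and then deny again for a host outside that range, which is the implicit-deny mistake slide 17 warns about: without the closing permit any, the list blocks all traffic on that interface. Note that the extended entry only matches TCP to port 80; the same host pair on another port, or over UDP, falls through to the permit ip any any entry.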

  23. Understanding Firewalls
     • Firewalls are hardware devices or software installed on a system and have two purposes
       • Controlling access to all traffic that enters an internal network
       • Controlling all traffic that leaves an internal network
     • Advantages of hardware firewalls
       • They are usually faster than software firewalls
       • They can handle a larger throughput than software firewalls

  24. Understanding Firewalls (continued)
     • Disadvantage of hardware firewalls
       • You are locked into the firewall's hardware
     • Advantage of software firewalls
       • You can easily add NICs to the server running the firewall software
     • Disadvantages of software firewalls
       • You might have to worry about configuration problems
       • They rely on the OS on which they are running

  25. Understanding Firewall Technology
     • Firewall technologies
       • Network address translation (NAT)
       • Access control lists
       • Packet filtering
       • Stateful packet inspection (SPI)

  26. Network Address Translation (NAT)
     • The most basic security feature of a firewall
     • With NAT, internal private IP addresses are mapped to public external IP addresses
       • Hiding the internal infrastructure
     • Port Address Translation (PAT)
       • Technology derived from NAT
       • Allows thousands of internal IP addresses to be mapped to one external IP address
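To show what the PAT mapping on slide 26 actually keeps track of, here is an added Python simulation of a translation table; it is not the textbook's or any vendor's code. The public address 203.0.113.1, the inside hosts and the port pool are constructed values. Each outbound flow is rewritten to the single public address with its own public port, so two inside hosts using the same source port still get distinct mappings, and an inbound packet that matches no entry has no inside destination to go to.

```python
"""Port Address Translation (PAT) table, simulated.

Added illustration, not textbook or vendor code. The public address, port
range and inside hosts below are constructed sample values.
"""
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]   # (ip address, port)


class PatTable:
    """Maps many inside (ip, port) pairs onto one public IP by handing out distinct public ports."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound: Dict[Flow, int] = {}   # (inside_ip, inside_port) -> public port
        self.inbound: Dict[int, Flow] = {}    # public port -> (inside_ip, inside_port)

    def translate_outbound(self, inside_ip: str, inside_port: int) -> Flow:
        """Rewrite an outgoing packet's source to (public_ip, public_port); create the mapping on first use."""
        key = (inside_ip, inside_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, public_port: int) -> Optional[Flow]:
        """Return the inside (ip, port) a reply belongs to, or None when no inside host opened a session."""
        return self.inbound.get(public_port)


def demo() -> tuple:
    """Constructed sample: two inside hosts that happen to use the same source port."""
    pat = PatTable("203.0.113.1")
    a = pat.translate_outbound("10.0.0.5", 5000)
    b = pat.translate_outbound("10.0.0.6", 5000)
    a_again = pat.translate_outbound("10.0.0.5", 5000)   # same flow reuses its mapping
    reply_to_b = pat.translate_inbound(b[1])             # reply routed back to 10.0.0.6
    unsolicited = pat.translate_inbound(9999)            # nobody inside opened this: None, drop
    return a, b, a_again, reply_to_b, unsolicited


if __name__ == "__main__":
    print(demo())
```

The outside world only ever sees 203.0.113.1 with port numbers from the pool, which is the "hiding the internal infrastructure" point on the slide; an unsolicited inbound packet returns None because there is no mapping to deliver it through.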

  27. Access Control Lists
     • Access lists are used to filter traffic based on source IP address, destination IP address, and ports or services
     • Firewalls also use this technology
     • Creating access control lists in a firewall is a similar process to creating them in a router

  28. Packet Filtering
     • Packet filters screen packets based on information contained in the packet header
       • Protocol type
       • IP address
       • TCP/UDP port

  29. Stateful Packet Inspection (SPI)
     • Stateful packet filters record session-specific information about a network connection
       • Create a state table
       • Can help reduce port scans that rely on spoofing or on sending packets as if a three-way handshake had already completed
     • Stateful packet filters recognize types of anomalies that most routers ignore
     • Stateless packet filters handle each packet on an individual basis
       • Spoofing or DoS attacks are more prevalent against them
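The following Python program is an added illustration of the difference slide 29 draws between stateless and stateful filtering; it is not code from the textbook or from any firewall product. Both filters are run over the same constructed packet stream: a web session that an inside host opens normally, then two unsolicited probes from an outside address. The stateless filter judges each inbound segment on its own header using the common "permit inbound TCP only if ACK is set" rule, so an ACK-only probe gets through; the stateful filter only admits inbound segments that match the reversed 4-tuple of a connection recorded in its state table when the inside host sent its SYN. The addresses, ports and segments are constructed sample data.

```python
"""Stateless versus stateful filtering on the same packet stream.

Added illustration, not textbook or vendor code. The stateless filter applies
the "permit inbound TCP if ACK is set" shortcut; the stateful filter keeps a
state table keyed on the 4-tuple of connections an inside host opened and only
admits inbound segments that match an entry. All traffic below is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    direction: str          # "out" = inside host to Internet, "in" = Internet to inside host
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


def seg(direction, src, sport, dst, dport, *flags) -> Segment:
    return Segment(direction, src, sport, dst, dport, frozenset(flags))


# Constructed traffic: a legitimate web session opened from inside, then two
# unsolicited probes from an outside address (an ACK-only probe and a SYN).
TRAFFIC: List[Segment] = [
    seg("out", "10.1.1.20", 51000, "198.51.100.10", 80, "SYN"),
    seg("in", "198.51.100.10", 80, "10.1.1.20", 51000, "SYN", "ACK"),
    seg("out", "10.1.1.20", 51000, "198.51.100.10", 80, "ACK"),
    seg("in", "203.0.113.7", 40000, "10.1.1.20", 22, "ACK"),
    seg("in", "203.0.113.7", 40001, "10.1.1.20", 22, "SYN"),
]


def stateless_filter(traffic: List[Segment]) -> List[str]:
    """Each segment is judged on its own header: inbound is permitted only when ACK is set."""
    return ["permit" if s.direction == "out" or "ACK" in s.flags else "deny" for s in traffic]


def stateful_filter(traffic: List[Segment]) -> List[str]:
    """An outbound SYN creates a state entry; inbound must match the reversed 4-tuple of an entry."""
    state: Set[Tuple[str, int, str, int]] = set()
    verdicts = []
    for s in traffic:
        if s.direction == "out":
            key = (s.src, s.sport, s.dst, s.dport)
            if "SYN" in s.flags:
                state.add(key)
            elif s.flags & {"FIN", "RST"}:
                state.discard(key)               # inside host is tearing the connection down
            verdicts.append("permit")
            continue
        key = (s.dst, s.dport, s.src, s.sport)   # reverse the 4-tuple for replies
        if key in state:
            verdicts.append("permit")
            if s.flags & {"FIN", "RST"}:
                state.discard(key)
        else:
            verdicts.append("deny")              # no inside host opened this connection: drop
    return verdicts


def denied_by_stateful_only(traffic: List[Segment]) -> List[Segment]:
    """Segments a stateless filter would let through but a stateful one blocks."""
    return [s for s, a, b in zip(traffic, stateless_filter(traffic), stateful_filter(traffic))
            if a == "permit" and b == "deny"]


if __name__ == "__main__":
    for s, a, b in zip(TRAFFIC, stateless_filter(TRAFFIC), stateful_filter(TRAFFIC)):
        print(f"{s.direction:>3} {s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"{sorted(s.flags)} stateless={a} stateful={b}")
```

Only the fourth segment, the ACK-only probe to port 22, separates the two filters: the stateless rule has no way to know that no handshake preceded it, while the stateful table has no entry for it and drops it. That is the kind of "packet sent as if a handshake had completed" anomaly the slide says stateful inspection catches and stateless filtering does not.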

  30. (Figure slide: image only, no text captured)

  31. Implementing a Firewall
     • Placing a firewall alone between a company's internal network and the Internet is dangerous
       • It leaves the company open to attack if a hacker compromises the firewall
     • Use a demilitarized zone instead

  32. Demilitarized Zone (DMZ)
     • A DMZ is a small network containing resources available to Internet users
     • Helps maintain security on the company's internal network
     • Sits between the Internet and the internal network
     • It is sometimes referred to as a "perimeter network"

  33. (Figure slide: image only, no text captured)

  34. (Figure slide: image only, no text captured)

  35. Understanding the Private Internet Exchange (PIX) Firewall
     • Cisco PIX firewall
       • One of the most popular firewalls on the market

  36. Configuration of the PIX Firewall
     • Working with a PIX firewall is similar to working with any other Cisco router
     • Login prompt:
         If you are not authorized to be in this XYZ Hawaii network device, log out immediately!
         User Access Verification
         Password:
     • This banner serves a legal purpose
     • General prompt example:
         Type help or '?' for a list of available commands.
         xyz>

  37. Configuration of the PIX Firewall (continued)
     • You should enter privileged mode to configure the PIX firewall
     • To enter configuration mode in PIX, you use the same command as on a Cisco router:
         xyz# configure terminal
         xyz(config)# ?
     • nameif is a PIX command to name an interface
     • PIX allows the administrator to assign values to an interface that designate its security level
       • Values can be from 0 to 100

  38. Configuration of the PIX Firewall (continued)
     • Access lists
       • PIX enables an administrator to use descriptive names for the access list instead of numbers
       • PIX also uses the implicit deny rule

  39. Understanding Microsoft ISA
     • Microsoft's software approach to firewalls
       • Microsoft Internet Security and Acceleration (ISA) Server
       • Functions as a software router, firewall, and IDS
     • ISA has the same functionality as any hardware router
       • Packet filtering to control incoming traffic
       • Application filtering through the examination of protocols
       • Intrusion detection filters
       • Access policies to control outgoing traffic

  40. IP Packet Filters
     • ISA enables administrators to filter IP traffic based on the following:
       • Source and destination IP address
       • Network protocol, such as HTTP
       • Source port or destination port
     • ISA provides a GUI for these configurations
       • A network segment can be denied or allowed HTTP access in the Remote Computer tab

  41. (Figure slide: image only, no text captured)

  42. (Figure slide: image only, no text captured)

  43. Application Filters
     • Can accept or deny data from specific applications or data containing specific content
     • The SMTP filter can restrict
       • E-mail with specific attachments
       • E-mail from a specific user or domain
       • E-mail containing specific keywords
       • SMTP commands
     • SMTP Filter Properties dialog box
       • Administrator can filter a specific e-mail attachment based on a rule he or she configures

  44. (Figure slide: image only, no text captured)

  45. (Figure slide: image only, no text captured)

  46. (Figure slide: image only, no text captured)

  47. Application Filters (continued)
     • Users/Domains tab in the SMTP Filter Properties dialog box
       • Administrator can filter e-mail messages sent from a user or from specific domains
       • As a security professional, you might be asked to restrict e-mails containing certain keywords
     • SMTP Commands tab
       • Administrator can prevent a user from running SMTP commands

  48. (Figure slide: image only, no text captured)

  49. (Figure slide: image only, no text captured)

  50. (Figure slide: image only, no text captured)
