Welcome to the IT professional ethics blog!

Friday, 20 November 2009

Overview of Network Security


Budi Rahardjo

Types of network attack
• Interruption
– DoS attack, network flooding
• Interception
– Sniffing (passwords)
• Modification
– Trojan horse
• Fabrication
– Spoofed packets
Reality Check
• IPv4 is insecure; spoofing is easy
• Tools (scripts) to exploit are available
• More home users are connected 24 hours/day with DSL or cable modem
• Need collaboration among network providers
– Ingress filter at border routers
Interruption Attack
• Denial of Service (DoS) attack
– Exhaust bandwidth, network flooding
– Possible to spoof the originating address
– Tools: ping broadcast, smurf, synk4, various flood utilities
• Protection:
– Little we can do if we are under attack
– Filter outgoing packets at the router, i.e. filter attacks originating from our site
More interruption attacks
• Distributed Denial of Service (DDoS) attack
– Flood your network with spoofed packets from many sources
– Based on the SubSeven trojan, which “phones home” via IRC once installed on a machine, so the attacker knows how many agents are ready to attack
– Then, ready to exhaust your bandwidth
– See Steve Gibson’s paper at http://grc.com
Interception Attack
• Sniffer to capture passwords and other sensitive information
• Tools: tcpdump, ngrep, linux sniffer, dsniff, trojans (BO, Netbus, SubSeven)
• Protection: segmentation, switched hub (a switch instead of a shared hub)
Modification Attack
• Modify or change information/programs
• Examples: viruses and trojans, attached to email or served from web sites
• Protection: anti-virus, filter at the mail server, integrity checker (e.g. Tripwire)
Fabrication Attack
• Spoofing addresses is easy
• Examples:
– Fake mails, spoofed packets
• Tools: various packet construction kits
• Protection: filter outgoing packets at the router
Protection
• Firewall
– Static vs Stateful Packet Filter
– Circuit gateway, application level gateway
• Intrusion Detection System (IDS)
– Host vs Network based
• Policy
– Privacy issues, AUP, cyberlaw, best practice, what to do if your site is probed?
Firewall – Static Packet Filter
• Inspect packets based on rules
– Source, destination address, port
• Strength:
– Fast, can be implemented with a Linux box
• Weaknesses: can be fooled (reordering, fragmentation), records little information (for logging), IP spoofing, does not inspect payload, difficult to configure (lots of rules), stateless
Firewall - Stateful
• Remembers the state of packets
• Strength: better inspection, can be implemented with a Linux box
• Weaknesses: slower?/faster?, needs more resources, IP spoofing, does not inspect payload, still difficult to configure
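The static and stateful filters from the two slides above, together with the egress/ingress anti-spoofing rule from the earlier slides, as an added example that is not part of the original deck. The Packet class, the address block 192.0.2.0/24 and the ports are constructed; the point shown is how a stateless "looks like a reply" rule can be fooled while a stateful filter requires the flow to have been opened from inside.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: our site's address block and the only service we expose.
INTERNAL_NET = ip_network("192.0.2.0/24")
WEB_PORT = 80

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving our site)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: "S" = SYN, "A" = ACK

def spoof_filter(p: Packet) -> bool:
    """Ingress/egress check at the border router: an inbound packet may not
    claim an internal source, and an outbound packet must carry one. This is
    the rule that stops spoofed floods from originating at our site."""
    internal_src = ip_address(p.src) in INTERNAL_NET
    return internal_src if p.direction == "out" else not internal_src

def static_filter(p: Packet) -> bool:
    """Stateless rules: outbound is free; inbound is allowed to the web port
    or if it looks like a reply (ACK set, SYN clear). The reply rule is the
    weakness: any packet with ACK set passes, whether or not we asked for it."""
    if not spoof_filter(p):
        return False
    if p.direction == "out":
        return True
    return p.dport == WEB_PORT or ("A" in p.flags and "S" not in p.flags)

class StatefulFilter:
    """Same policy, but 'reply' now means 'belongs to a flow we opened'."""
    def __init__(self) -> None:
        self.flows = set()   # (internal host, port, external host, port)

    def allow(self, p: Packet) -> bool:
        if not spoof_filter(p):
            return False
        if p.direction == "out":
            if "S" in p.flags:             # remember connections we initiate
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        if p.dport == WEB_PORT:
            return True
        # An inbound reply must mirror a recorded outbound flow; keeping this
        # table is the "more resources" cost the slide mentions.
        return (p.dst, p.dport, p.src, p.sport) in self.flows
```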
Intrusion Detection System
• Monitor the system for anomalies
• Monitor host or network? Hybrid
• Difficult to monitor if the attack is stealthy and slow
• Tool example: Snort
Policy
• The hardest thing to do is dealing with people
• Policy and Standard Operating Procedures are overlooked
