Prez2 Sec
[Figure: the OSI layer stack the deck walks up: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical (cabling)]
11/2/2009 Vasile Dadarlat, Retele de Calculatoare (Computer Networks), An I Master (Master's Year 1)
Cabling Security Issues
[Figure: UTP cabling from the hosts into a 10/100BASE-T hub]
Hub Security Issues
• A hub repeats every frame to every port, so data is broadcast to all devices on the hub.
– Threat: information leakage. Any attached host can put its interface into promiscuous mode and read all traffic (sniffing), leaving no trace on the wire.
• Easy to install and to attach additional devices.
– Good from a network management perspective.
– But unless the hub is physically secured, anyone can plug into it.
– Even if the hub is secured, an attacker can unplug an existing device or make use of a currently unused cable end.
– Threats: all four fundamental threats are enabled.
Article at:
http://www.packetwatch.net/documents/papers/snifferdetection.pdf
[Figure: ARP on a hub. (1) ARP Query, broadcast by a host: "Who has 192.168.0.40?" (2) ARP Reply from 192.168.0.40: "192.168.0.40 is at 00:0e:81:10:19:FC". Every port of the 10/100BASE-T hub sees both frames.]
Switches
• Switches only forward a unicast frame to the port of the intended receiver (an improvement on hubs): a host in promiscuous mode no longer sees other hosts' unicast traffic.
• The switch builds a table (the MAC address table) of which port has which MAC address, learned from the source address of the frames it receives.
• Caveat: broadcasts, ARP included, still go to every port, and the switch does not check who is entitled to use a given MAC or IP address; the next slides show how that is abused.
ARP Vulnerability
• Gratuitous ARPs:
– Sent by legitimate hosts on joining the network or changing IP address.
– Not in response to any ARP request.
– Announce an IP address to MAC address binding; hosts that hear it update their ARP cache.
• ARP spoofing:
– The masquerade threat can be realised by issuing gratuitous ARPs.
– ARP has no proof of origin: replies are accepted whether or not a request was sent, so a malicious device can claim that any IP address is at its own MAC address (or at any MAC address it chooses).
– Enables all fundamental threats! Binding both victims' addresses to the attacker's MAC puts the attacker in the middle (leakage and modification); binding them to a non-existent MAC is denial of service.
Before ARP Spoofing
[Figure: two hosts on a switch. Host A: IP 192.168.0.20, MAC 00:0e:81:10:17:d1. Host B: IP 192.168.0.40, MAC 00:0e:81:10:19:FC.]
ARP Spoofing
[Figure: an attacker with MAC 00:1f:42:12:04:72 joins the switch and sends (1) a gratuitous ARP "192.168.0.40 is at 00:1f:42:12:04:72" and (2) a gratuitous ARP "192.168.0.20 is at 00:1f:42:12:04:72". An ARP cache on the LAN now reads:
IP address      MAC address
192.168.0.20    00:1f:42:12:04:72
192.168.0.1     00:1f:42:12:04:72]
Effect of ARP Spoofing
[Figure: host 192.168.0.20 (MAC 00:0e:81:10:17:d1) sends an IP datagram with Dest: 192.168.0.40, but resolves that address through its poisoned ARP cache and puts MAC 00:1f:42:12:04:72 in the frame. The switch, which forwards on MAC address, delivers the frame to the attacker instead of to 192.168.0.40 (MAC 00:0e:81:10:19:FC). The attacker can read or alter the datagram and forward it on, so neither host notices.]
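The frames drawn in the hub ARP figure and in the spoofing figures, built and replayed as an added example (this is not code from the lecture). It constructs the raw Ethernet/ARP frames in memory, feeds them to a naive host ARP cache of the kind the slides describe (no proof of origin, last writer wins) and to a passive monitor that reports every IP-to-MAC rebinding, which is how arpwatch-type detection works. Hosts and MACs are the slides' own; nothing is sent on a real interface.

```python
"""Gratuitous ARP, ARP spoofing and an arpwatch-style monitor.

Added example for this lecture, not code from the slides.  It builds the raw
Ethernet/ARP frames the figures draw, replays them against a naive host ARP
cache (which, like the stacks the slides describe, believes any reply it
hears) and against a passive monitor that reports every IP-to-MAC rebinding.
Frames are constructed in memory; nothing is sent.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BCAST_MAC):
    """Ethernet II header + RFC 826 ARP body (IPv4 over Ethernet), 42 bytes."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def arp_request(sender_mac, sender_ip, target_ip):
    """(1) 'Who has target_ip? Tell sender_ip': broadcast, target MAC unknown."""
    return build_arp(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def arp_reply(sender_mac, sender_ip, asker_mac, asker_ip):
    """(2) 'sender_ip is at sender_mac': unicast back to whoever asked."""
    return build_arp(ARP_REPLY, sender_mac, sender_ip, asker_mac, asker_ip, dst_mac=asker_mac)


def gratuitous_arp(mac, ip):
    """Unsolicited, broadcast 'ip is at mac' (sender == target).  Legitimate
    hosts send it when they join or renumber; an attacker sends it with a
    victim's ip and its own mac.  Nothing on the wire distinguishes the two."""
    return build_arp(ARP_REPLY, mac, ip, BCAST_MAC, ip)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(frame[6:12]),
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class HostCache:
    """A victim's ARP cache: no proof of origin, last writer wins.  (Worst case:
    some stacks only let unsolicited replies update entries they already hold.)"""

    def __init__(self, own_ip):
        self.own_ip, self.table = own_ip, {}

    def hear(self, frame):
        p = parse_arp(frame)
        if p is None or p["sender_ip"] == self.own_ip:     # own address: a conflict, not an update
            return
        if p["op"] == ARP_REPLY or p["sender_ip"] == p["target_ip"]:
            self.table[p["sender_ip"]] = p["sender_mac"]   # replies and gratuitous requests


class ArpMonitor:
    """Passive detection: pin the first binding seen for each IP and report any
    frame that rebinds it, or whose Ethernet source disagrees with the ARP
    sender field."""

    def __init__(self):
        self.bindings, self.alerts = {}, []

    def hear(self, frame):
        p = parse_arp(frame)
        if p is None:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        if p["eth_src"] != mac:
            self.alerts.append("%s: frame from %s carries ARP sender %s" % (ip, p["eth_src"], mac))
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            self.alerts.append("%s changed from %s to %s" % (ip, known, mac))


def demo():
    """Replay the slides: legitimate query/reply, then the attacker's two
    gratuitous ARPs.  Returns host A's cache, host B's cache, monitor alerts."""
    a, a_mac = "192.168.0.20", "00:0e:81:10:17:d1"
    b, b_mac = "192.168.0.40", "00:0e:81:10:19:fc"
    evil_mac = "00:1f:42:12:04:72"
    cache_a, cache_b, monitor = HostCache(a), HostCache(b), ArpMonitor()
    frames = [arp_request(a_mac, a, b),        # who has 192.168.0.40?
              arp_reply(b_mac, b, a_mac, a),   # 192.168.0.40 is at 00:0e:81:10:19:fc
              gratuitous_arp(evil_mac, b),     # attacker: 192.168.0.40 is at evil_mac
              gratuitous_arp(evil_mac, a)]     # attacker: 192.168.0.20 is at evil_mac
    for frame in frames:
        for listener in (cache_a, cache_b, monitor):
            listener.hear(frame)
    return cache_a.table, cache_b.table, monitor.alerts


if __name__ == "__main__":
    table_a, table_b, alerts = demo()
    print("A now sends frames for 192.168.0.40 to", table_a["192.168.0.40"])
    print("B now sends frames for 192.168.0.20 to", table_b["192.168.0.20"])
    print("\n".join(alerts))
```

After the replay both victims address each other's traffic to the attacker's MAC, exactly the state of the "Effect of ARP Spoofing" figure, while the monitor's two alerts are the only evidence; a real deployment would seed the monitor's bindings from DHCP leases or a known-good baseline rather than from the first frame seen.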
More on IP Addressing
• IP addresses are logically split into two parts.
• The first part identifies the network.
• The second part identifies the host on that network.
• Example: the IP address 192.168.0.20 with network mask 255.255.255.0:
– 192.168.0.x identifies the network (the bits where the mask is 1).
– y.y.y.20 identifies the host on that network (the bits where the mask is 0).
– We have a network with up to 256 (in fact 254) hosts: the host parts .0 (the network address) and .255 (the broadcast address) are reserved.
– The network mask 255.255.255.0 identifies the size of the network and therefore which addresses are locally reachable (direct delivery) and which must be sent via a router.
– The mask can be fetched from the network's default router using the ICMP Address Mask Request message (ICMP types 17/18). This message has since been deprecated (RFC 6918) and routers typically answer it only when configured to; where it is answered, it tells any requester the layout of the subnet.
Routers
[Figure: host 192.168.0.20 (network mask 255.255.255.0, default router 192.168.0.254) and host 192.168.0.40 share a switch with Router 192.168.0.254. A second LAN holds 192.168.1.10 and 192.168.1.11 behind Router 192.168.1.254. The two routers connect to the Internet with addresses 62.49.147.169 and 62.49.147.170.]
Default router + direct delivery
[Figure: two datagrams sent by 192.168.0.20.
(a) IP datagram Dest: 192.168.0.40. The destination has the same network part under the mask, so it is delivered directly: the host ARPs for 192.168.0.40 and sends the frame to that MAC.
(b) IP datagram Dest: 192.168.1.11. The destination is on another network, so the host ARPs for its default router 192.168.0.254 and hands the datagram to it; the router passes it to 192.168.1.254, which delivers it on the 192.168.1.x LAN.]
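The address split and the delivery decision from the last two slides, carried out in code as an added example (not from the lecture). It uses the figure's host (192.168.0.20, mask 255.255.255.0, default router 192.168.0.254) and destinations, but the mask arithmetic is the general one, so it also answers the "similarly for other sizes of networks" case.

```python
"""Network part, host part, broadcast address, and the direct-delivery versus
default-router decision a host makes for each destination.

Added example for this lecture, not code from the slides.  Host, mask, router
and destinations are taken from the router figures; the arithmetic is general.
"""
import struct


def ip_to_int(ip):
    return struct.unpack("!I", bytes(int(o) for o in ip.split(".")))[0]


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xff) for s in (24, 16, 8, 0))


def split_address(ip, mask):
    """Split ip under mask: the bits where the mask is 1 name the network,
    the rest name the host.  Returns the network address, the host number,
    the broadcast address (all host bits 1) and the number of usable hosts
    (the all-zeros and all-ones host parts are reserved)."""
    a, m = ip_to_int(ip), ip_to_int(mask)
    inv = ~m & 0xffffffff                  # the host bits
    if inv & (inv + 1):                    # a mask must be contiguous ones then zeros
        raise ValueError("non-contiguous network mask %s" % mask)
    return {"network": int_to_ip(a & m),
            "host": a & inv,
            "broadcast": int_to_ip((a & m) | inv),
            "usable_hosts": max(inv + 1 - 2, 0)}


def next_hop(dst, ip="192.168.0.20", mask="255.255.255.0", router="192.168.0.254"):
    """Where the sending host addresses the frame for dst.

    Same network part under the mask: direct delivery, the host ARPs for dst
    itself.  Anything else: the host ARPs for its default router and hands
    the datagram over; dst's own MAC is never needed.  Either way the ARP
    cache entry consulted here is the one an ARP spoofer aims to poison."""
    a, m, d = ip_to_int(ip), ip_to_int(mask), ip_to_int(dst)
    broadcast = (a & m) | (~m & 0xffffffff)
    if d in (broadcast, 0xffffffff):
        return ("broadcast", dst)          # frame goes to ff:ff:ff:ff:ff:ff, no ARP
    if (d & m) == (a & m):
        return ("direct", dst)
    return ("via-router", router)


def delivery_table(dests=("192.168.0.40", "192.168.1.11", "134.219.200.69")):
    """The three datagrams the router figures trace, all sent by 192.168.0.20."""
    return {d: next_hop(d) for d in dests}


if __name__ == "__main__":
    print(split_address("192.168.0.20", "255.255.255.0"))
    for d, (how, via) in delivery_table().items():
        print("%-16s %-10s %s" % (d, how, via))
```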
Protocol Layering Equivalent
[Figure: the same datagram, now Dest: 134.219.200.69, leaves 192.168.0.20 via Router 192.168.0.254 (62.49.147.169), crosses the Internet through further routers, and reaches its destination. Each router processes it at the Internet layer: the IP datagram is the same end to end, while the physical-network framing is stripped and rebuilt at every hop.]
Ports in Action
[Figure: two connections between 192.168.0.20 and www.localserver.org (192.168.0.40) across the switch, drawn as nested headers.]
HTTP:
Request: HTTP message "GET index.html" / TCP packet Src Port: 2076, Dest Port: 80 / IP datagram Src: 192.168.0.20, Dest: 192.168.0.40
Response: HTTP message "Contents of index.html" / TCP packet Src Port: 80, Dest Port: 2076 / IP datagram Src: 192.168.0.40, Dest: 192.168.0.20
TELNET:
Request: TELNET message / TCP packet Src Port: 2077, Dest Port: 23 / IP datagram Src: 192.168.0.20, Dest: 192.168.0.40
Response: TELNET message / TCP packet Src Port: 23, Dest Port: 2077 / IP datagram Src: 192.168.0.40, Dest: 192.168.0.20
The destination port selects the service (80 for HTTP, 23 for TELNET); the client's ephemeral source port (2076, 2077) lets the server's replies reach the right connection on the client.
Broadcast Addressing
• Broadcast IP addresses:
– Any packet with destination IP address ending .255 in a network with network mask 255.255.255.0 gets sent to all hosts on that network.
– Similarly for other sizes of network: the broadcast address is the network address with every host bit set to 1.
– A handy feature for network management, fault diagnosis and some applications.
– Security? One packet reaches every host, and nothing verifies the sender's address, so a packet with a forged source sent to a broadcast address is answered by the whole network (see the SMURF slide).
ICMP
• ICMP = Internet Control Message Protocol (RFC 792).
• Carried directly inside IP datagrams (IP protocol number 1), alongside the layer 4 protocols such as TCP, but logically part of the IP layer; a mandatory part of every IP implementation.
• Carries IP error and control messages (destination unreachable, time exceeded, redirect, ...).
• ICMP Echo Request (type 8): test the route to a particular host (what ping does).
• A live host should reply with an ICMP Echo Reply (type 0) packet.
[Figure: 192.168.0.20 sends an IP datagram Src: 192.168.0.20, Dest: 192.168.0.40 carrying an ICMP packet Echo (request); 192.168.0.40 answers with an IP datagram Src: 192.168.0.40, Dest: 192.168.0.20 carrying an ICMP packet Echo Reply.]
ICMP 'SMURF' Denial of Service
[Figure: the attacker (192.168.0.1) sends an ICMP packet Echo Request in an IP datagram with a forged Src: 192.168.1.30 (the victim) and Dest: 192.168.0.255 (the broadcast address of the 192.168.0.x network). Every live host on that network (192.168.0.2, 192.168.0.20, ...) answers with an Echo Reply to 192.168.1.30, so one packet from the attacker becomes as many packets at the victim as there are responding hosts.]
Defences: routers must not forward directed broadcasts (RFC 2644; "no ip directed-broadcast" on Cisco IOS), hosts should not answer echo requests sent to a broadcast address (net.ipv4.icmp_echo_ignore_broadcasts=1 on Linux), and networks should drop outgoing packets whose source address is not their own (BCP 38 ingress filtering).
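The ICMP echo exchange and the SMURF packet from the figures above, built and checked as an added example (not code from the lecture). It constructs the attacker's datagram with the forged source, verifies the IP and ICMP checksums, shows what the broadcast segment reflects at the victim, and applies the two router-side checks a practitioner would configure: refuse directed broadcasts (RFC 2644) and refuse packets whose source does not belong to the segment they arrive from (BCP 38). Addresses are the figure's own; the packets exist only in memory.

```python
"""ICMP echo, directed broadcast and SMURF.

Added example for this lecture, not code from the slides.  Builds the
attacker's packet from the SMURF figure (forged Src: 192.168.1.30, Dest:
192.168.0.255), verifies its checksums, reflects it the way the broadcast
segment would, and applies the RFC 2644 / BCP 38 checks a router should make.
"""
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def inet_checksum(data):
    """RFC 1071 one's-complement sum used by the IP and ICMP headers.  Over a
    header whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return ~total & 0xffff


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_int(ip):
    return int.from_bytes(ip_bytes(ip), "big")


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_echo(src, dst, icmp_type=ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=b"abcdefgh"):
    """IPv4 header (no options) + ICMP echo.  The source address is whatever
    the sender writes: nothing in IP verifies it, which is what SMURF relies on."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                      IPPROTO_ICMP, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ip(pkt):
    """Addresses, protocol, ICMP type and both checksum verdicts."""
    ihl = (pkt[0] & 0x0f) * 4
    info = {"src": ip_str(pkt[12:16]), "dst": ip_str(pkt[16:20]), "proto": pkt[9],
            "ip_csum_ok": inet_checksum(pkt[:ihl]) == 0,
            "icmp_type": None, "icmp_csum_ok": None}
    if info["proto"] == IPPROTO_ICMP:
        info["icmp_type"] = pkt[ihl]
        info["icmp_csum_ok"] = inet_checksum(pkt[ihl:]) == 0
    return info


def router_verdict(pkt, segment):
    """Checks for a packet arriving on a router port attached to `segment`
    (network, mask): an echo request to that segment's directed broadcast
    (RFC 2644: do not forward), and a source address outside the segment
    (BCP 38 ingress filtering, which the forged SMURF source fails)."""
    p = parse_ip(pkt)
    net, mask = ip_int(segment[0]), ip_int(segment[1])
    src, dst = ip_int(p["src"]), ip_int(p["dst"])
    is_echo = p["proto"] == IPPROTO_ICMP and p["icmp_type"] == ICMP_ECHO_REQUEST
    v = {"echo_to_broadcast": is_echo and dst == (net & mask) | (~mask & 0xffffffff),
         "spoofed_source": (src & mask) != (net & mask)}
    v["drop"] = v["echo_to_broadcast"] or v["spoofed_source"]
    return v


def reflect(pkt, hosts):
    """What the broadcast segment does with the request: each host that answers
    broadcast echo sends an Echo Reply to the packet's (forged) source, i.e. to
    the victim.  hosts: list of (ip, answers_broadcast_echo); Linux defaults to
    net.ipv4.icmp_echo_ignore_broadcasts=1 and does not answer."""
    p = parse_ip(pkt)
    if p["icmp_type"] != ICMP_ECHO_REQUEST:
        return []
    return [build_echo(ip, p["src"], ICMP_ECHO_REPLY) for ip, answers in hosts if answers]


if __name__ == "__main__":
    attack = build_echo("192.168.1.30", "192.168.0.255")   # sent by attacker 192.168.0.1
    print(router_verdict(attack, ("192.168.0.0", "255.255.255.0")))
    replies = reflect(attack, [("192.168.0.2", True), ("192.168.0.20", True), ("192.168.0.40", False)])
    print("%d replies arrive at %s" % (len(replies), parse_ip(replies[0])["dst"]))
```

The amplification factor is simply the number of hosts for which `reflect` produces a reply; with every host on a /24 answering, one attacker packet becomes up to 254 packets at the victim, which is why the host-side setting and the router-side drop are both needed.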
Network Types
[Figure: workgroup LANs (Human Resources, Finance, Sales, Development) in Building A and Building B, joined by a backbone that is typically routed via risers or under floors.]
Overview of threats:
• The backbone carries all inter-LAN traffic.
• Confidentiality:
– All data could be eavesdropped at a single point.
• Integrity:
– Any corruption of data on the backbone could affect all the network traffic.
• Availability:
– Loss of the backbone means that workgroups would be unable to communicate with each other.
MAN Threats
• Problem of scale:
– Information flow must be controlled, and faulty network components (in one building) must not affect other buildings.
– A Network Information Centre (NIC) may be required.
– Specialised network management tools become essential (a manual approach is no longer feasible).
• Possibility for greater integration: cable management systems, device location maps, server disk space monitoring, printer status, ...
– Normally a second-level backbone is used.
• Link encryption:
– Offers data confidentiality for individual links,
– Protocol independent (operates at layer 1/2, so it also hides addresses and traffic patterns on that link),
– Throughput is not normally an issue,
– Moderate cost (£700-£1000 per unit, 2009 prices).
• But link encryption for larger networks has problems:
– Expense (a pair of units per link),
– Management burden (keys for every unit),
– Does not scale well to large distributed networks,
– Data is decrypted at the end of each link, so it is not protected at intermediate sites, inside switches and routers, etc.; protecting it across the whole path needs end-to-end encryption at a higher layer.