
Chapter 4

• Describe the goals of creating secure networks.
• Explain how denial-of-service attacks work.
• Explain how ARP poisoning works.
• Know why access controls are important for networks.
• Explain how to secure Ethernet networks.
• Describe wireless (WLAN) security standards.
• Describe potential attacks against wireless networks.

4.1 Introduction
4.2 Denial-of-Service (DoS) Attacks
4.3 ARP Poisoning
4.4 Access Control for Networks
4.5 Ethernet Security
4.6 Wireless Security

• Cryptography provides confidentiality, authenticity, and message integrity
• Modern networks have additional vulnerabilities
◦ The means of delivering the messages could be stopped, slowed, or altered
◦ The route the messages took could be altered
◦ Messages could be redirected to false recipients
◦ Attackers could gain access to communication channels that were previously considered closed and confidential

Goals of Creating Secure Networks
1. Availability—users have uninterrupted access to information services and network resources
2. Confidentiality—prevent unauthorized users from gaining information about the network
3. Functionality—prevent attackers from altering the capabilities or normal operation of the network
4. Access control—keep attackers, or unauthorized employees, from accessing internal resources

• The “castle” model
◦ Good guys on the inside, attackers on the outside, and a well-guarded point of entry
• Death of the perimeter
◦ It is impractical, if not impossible, to force all information in an organization through a single point in the network
◦ New means of attacking networks (e.g., smartphones) are constantly emerging
◦ The lines between “good guys” and “bad guys” have become blurred

• The “city” model
◦ No distinct perimeter, and there are multiple ways of entering the network
◦ Like a real city, who you are will determine which buildings you will be able to access
◦ Greater need for:
▪ Internal intrusion detection
▪ Virtual LANs
▪ Central authentication servers
▪ Encrypted internal traffic

• What is a DoS attack?
◦ An attempt to make a server or network unavailable to legitimate users by flooding it with attack packets
• What is NOT a DoS attack?
◦ Faulty coding that causes a system to fail
◦ Referrals from large websites that overwhelm smaller websites

Copyright Pearson Prentice-Hall 2013 12
• The ultimate goal of DoS attacks is to cause harm
◦ Harm includes losses related to online sales, industry reputation, employee productivity, customer loyalty, etc.
• The two primary means of causing harm via DoS attacks are:
1. Stopping critical services
2. Slowly degrading services

• Direct DoS attack
◦ The attacker tries to flood a victim with a stream of packets sent directly from the attacker’s computer
• Indirect DoS attack
◦ The attacker’s IP address is spoofed (i.e., faked), so the attack appears to come from another computer

SYN FLOOD ATTACK

• Bots
◦ Updatable attack programs
◦ The botmaster can update the software to change the type of attack the bot can carry out
▪ May sell or lease the botnet to other criminals
◦ The botmaster can update the bot to fix bugs
• The botmaster can control bots via a handler
◦ Handlers are an additional layer of compromised hosts that are used to manage large groups of bots

• Types of packets sent:

• Peer-to-peer (P2P) redirect DoS attack
◦ Uses many hosts to overwhelm a victim using normal P2P traffic
◦ The attacker doesn’t have to control the hosts, just redirect their legitimate P2P traffic

• Reflected DoS attack
◦ Responses from legitimate services flood a victim
◦ The attacker sends spoofed requests to existing legitimate servers (Step 1)
◦ The servers then send all responses to the victim (Step 2)
◦ There is no redirection of traffic

What is DrDoS?
DrDoS stands for Distributed Reflection Denial of Service attack. DrDoS
techniques usually involve multiple victim machines that unwittingly
participate in a DDoS attack on the attacker’s target. Requests to the victim
host machines are redirected, or reflected, from the victim hosts to the target.
Usually they also elicit an amplified amount of attack traffic.

• Smurf flood
◦ The attacker sends a spoofed ICMP echo request to an incorrectly configured network device (router)
◦ The device has broadcasting to all internal hosts enabled
◦ The network device forwards the echo request to all internal hosts (multiplier effect)

• Black holing
◦ Drop all IP packets from an attacker
◦ We lead all of the criminal traffic to a so-called ‘black hole’
◦ Not a good long-term strategy, because attackers can quickly change source IP addresses
◦ An attacker may knowingly try to get a trusted corporate partner black holed

• Validating the handshake
◦ Whenever a SYN segment arrives, the firewall itself sends back a SYN/ACK segment without passing the SYN segment on to the target server (false opening)
◦ When the firewall gets back a legitimate ACK, the firewall sends the original SYN segment on to the intended server
• Rate limiting
◦ Used to reduce a certain type of traffic to a reasonable amount
◦ Can frustrate attackers, but also legitimate users
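The "false opening" above, as an added example that is not from the slides: a stateless SYN proxy that keeps no record of a half-open connection and only forwards a SYN once a real ACK comes back. The key, addresses and time window are constructed.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides: a firewall that validates the TCP
# handshake before the server ever sees a SYN. The SYN/ACK it returns carries
# a keyed hash ("cookie") of the 4-tuple and a coarse time window as its
# sequence number, so no per-connection state is kept during a SYN flood.
MASK32 = 0xFFFFFFFF


class SynProxy:
    def __init__(self, key: bytes, window: int = 60):
        self.key = key
        self.window = window          # seconds a cookie stays valid
        self.forwarded = []           # SYNs actually passed on to the real server

    def _cookie(self, src, sport, dst, dport, epoch):
        msg = f"{src}:{sport}->{dst}:{dport}|{epoch}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")   # fits a 32-bit sequence number

    def on_syn(self, src, sport, dst, dport, now):
        """Answer with a SYN/ACK whose ISN is the cookie; allocate nothing (false opening)."""
        epoch = int(now) // self.window
        return {"flags": "SA", "seq": self._cookie(src, sport, dst, dport, epoch)}

    def on_ack(self, src, sport, dst, dport, ack, now):
        """A genuine ACK acknowledges cookie+1; accept this or the previous window."""
        epoch = int(now) // self.window
        for e in (epoch, epoch - 1):
            if (self._cookie(src, sport, dst, dport, e) + 1) & MASK32 == ack:
                self.forwarded.append((src, sport, dst, dport))  # now open the real connection
                return True
        return False   # spoofed or stale ACK: the server never hears about it


def demo():
    """A flood of spoofed SYNs plus one real client; returns (client_ok, forwarded_count)."""
    fw = SynProxy(secrets.token_bytes(32))
    t = 1_700_000_000
    for i in range(10_000):           # spoofed sources never return a valid ACK
        fw.on_syn(f"203.0.113.{i % 256}", 40000 + i, "192.0.2.10", 80, t)
    synack = fw.on_syn("198.51.100.7", 51515, "192.0.2.10", 80, t)
    ok = fw.on_ack("198.51.100.7", 51515, "192.0.2.10", 80,
                   (synack["seq"] + 1) & MASK32, t + 1)
    return ok, len(fw.forwarded)


if __name__ == "__main__":
    print(demo())                     # (True, 1)
```

Ten thousand spoofed SYNs leave nothing behind in `forwarded`; only the client that completes the handshake is passed on to the server.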

• ARP poisoning
◦ A network attack that manipulates host ARP tables to reroute local-area network (LAN) traffic
◦ Enables a possible man-in-the-middle attack
◦ Requires the attacker to have a computer on the local network
◦ An attack on both the functionality and confidentiality of a network

• Address Resolution Protocol (ARP)
◦ Used to resolve 32-bit IP addresses (e.g., 55.91.56.21) into 48-bit local MAC addresses (e.g., 01-1C-23-0E-1D-41)
◦ ARP tables store resolved addresses (below)

• The problem: ARP requests and replies do NOT require authentication or verification
◦ All hosts trust all ARP replies
◦ ARP spoofing uses false ARP replies to map any IP address to any MAC address
◦ An attacker can manipulate ARP tables on all LAN hosts
◦ The attacker must send a continuous stream of unsolicited ARP replies

• ARP DoS attack
◦ The attacker sends all internal hosts a continuous stream of unsolicited spoofed ARP replies saying the gateway (10.0.0.4) is at E5-E5-E5-E5-E5-E5 (Step 1)
◦ Hosts record the gateway’s IP address with the nonexistent MAC address (Step 2)
◦ The switch receives packets from internal hosts addressed to E5-E5-E5-E5-E5-E5 but cannot deliver them because no such host exists
◦ Packets addressed to E5-E5-E5-E5-E5-E5 are dropped
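Both of the ARP weaknesses above (replies that rewrite a binding, and the continuous unsolicited stream the attacker must send) are visible to a passive monitor on the LAN. The detector below is an added example, not from the slides; the event log, the gateway MAC and the alert thresholds are constructed.

```python
from collections import defaultdict

# Added example, not from the slides: a passive ARP monitor of the kind the
# "internal intrusion detection" bullet in the city model calls for. It flags an
# IP whose MAC binding changes (ARP spoofing) and any sender streaming replies
# nobody asked for (the ARP DoS slide). Addresses and timings are constructed.
GATEWAY_IP = "10.0.0.4"

# (time_s, kind, sender_ip, sender_mac, target_ip); kind is "request" or "reply".
# The real gateway answers one request at t=0.1; from t=5.0 an attacker streams
# replies claiming the gateway is at the nonexistent E5-E5-E5-E5-E5-E5.
EVENTS = [
    (0.0, "request", "10.0.0.12", "00-11-22-33-44-55", GATEWAY_IP),
    (0.1, "reply", GATEWAY_IP, "00-1A-2B-3C-4D-5E", "10.0.0.12"),
] + [(5.0 + i * 0.05, "reply", GATEWAY_IP, "E5-E5-E5-E5-E5-E5", "10.0.0.12")
     for i in range(40)]


def detect(events, window=1.0, limit=10):
    """Return alert strings; a binding change on the gateway is labelled as such."""
    bindings = {}                    # sender_ip -> MAC currently believed correct
    pending = set()                  # (asker_ip, asked_ip) requests still unanswered
    unsolicited = defaultdict(list)  # sender_mac -> times of replies nobody asked for
    flagged = set()                  # MACs already reported for flooding
    alerts = []
    for t, kind, sip, smac, tip in events:
        if kind == "request":
            pending.add((sip, tip))
            continue
        solicited = (tip, sip) in pending
        pending.discard((tip, sip))
        old = bindings.setdefault(sip, smac)
        if old != smac:              # the IP-to-MAC mapping just changed
            what = "gateway" if sip == GATEWAY_IP else "host"
            alerts.append(f"{t:.2f} {what} {sip} moved {old} -> {smac}")
            bindings[sip] = smac
        if not solicited:            # count unsolicited replies per sender in a sliding window
            times = [x for x in unsolicited[smac] if t - x <= window] + [t]
            unsolicited[smac] = times
            if len(times) > limit and smac not in flagged:
                flagged.add(smac)
                alerts.append(f"{t:.2f} flood {smac} sent {len(times)} "
                              f"unsolicited replies in {window}s")
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

On the constructed log this raises exactly two alerts: the gateway binding moving to E5-E5-E5-E5-E5-E5 at the first spoofed reply, and the flood once the eleventh unsolicited reply arrives inside one second.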

• Preventing ARP poisoning
◦ Static ARP tables are set manually
▪ Most organizations are too large, change too quickly, and lack the experience to effectively manage static IP and ARP tables
◦ Limit local access
▪ Foreign hosts must be kept off the LAN

• Stateless Address Auto Configuration (SLAAC) attack
◦ An attack on the functionality and confidentiality of a network
◦ This attack occurs when a rogue IPv6 router is introduced to an IPv4 network
◦ All traffic is automatically rerouted through the IPv6 router, creating the potential for a MITM attack

IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, which is known as "EAP over LAN" or EAPOL.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.

The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator.

The authenticator is a network device which provides a data link between the client and the network and can allow or block network traffic between the two, such as an Ethernet switch or wireless access point.

The authentication server is typically a trusted server that can receive and respond to requests for network access, and can tell the authenticator if the connection is to be allowed, along with various settings that should apply to that client's connection. Authentication servers typically run software supporting the RADIUS and EAP protocols.

Challenge-Handshake Authentication Protocol (CHAP)
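The three 802.1X roles described above, with CHAP as the challenge-response carried inside EAP, as an added simulation that is not from the slides. The message names, the user database and the port-state strings are constructed; the response formula is the one RFC 1994 specifies.

```python
import hashlib
import hmac
import os

# Added example, not from the slides: the three 802.1X roles exercised with a
# CHAP-style challenge-response (RFC 1994: MD5(id || secret || challenge)) as the
# EAP method. The authenticator only relays messages and flips its port state on
# the server's verdict; it never sees the secret. Names and secrets are constructed.

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class AuthServer:                        # RADIUS-like server holding user secrets
    def __init__(self, users):
        self.users, self.sessions = users, {}

    def challenge(self, username):       # EAP-Request/MD5-Challenge, relayed by the authenticator
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.sessions[username] = (ident, chal)
        return ident, chal

    def verify(self, username, response):
        secret = self.users.get(username)
        ident, chal = self.sessions.pop(username, (None, None))
        if secret is None or chal is None:
            return "Access-Reject"       # unknown user or no outstanding challenge
        expected = chap_response(ident, secret, chal)
        return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"

class Supplicant:                        # the client device and its 802.1X software
    def __init__(self, user, secret):
        self.user, self.secret = user, secret

    def answer(self, ident, chal):       # EAP-Response/MD5-Challenge
        return chap_response(ident, self.secret, chal)

class Authenticator:                     # switch port or access point
    def __init__(self, server):
        self.server, self.port = server, "unauthorized"   # blocks everything but EAPOL

    def connect(self, supplicant):       # EAPOL-Start, identity exchange, then the relay
        ident, chal = self.server.challenge(supplicant.user)
        verdict = self.server.verify(supplicant.user, supplicant.answer(ident, chal))
        self.port = "authorized" if verdict == "Access-Accept" else "unauthorized"
        return self.port

def run(user, secret):
    """Attach one supplicant and return the resulting port state."""
    server = AuthServer({"alice": b"correct horse battery staple"})   # constructed user DB
    return Authenticator(server).connect(Supplicant(user, secret))
```

A wrong secret or an unknown identity leaves the port in the unauthorized state, so nothing but EAPOL ever crosses it.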
