
Lecture 10-11


Computer Network Security

1
Why do Network Security Concerns arise?

2
Types of NS Threats

3
Types of NS Vuln: Technological

4
Types of NS Vuln: Configuration

5
Types of NS Attacks

6
Types of Network Security Attacks(1/2)
Reconnaissance Attacks
• A reconnaissance attack is the phase in which attackers gather information about the target network and organization (hosts, open services, software versions, people) so that the attacks that follow are easier. Knowing the network lets attackers identify its potential weaknesses before exploiting them.
Access Attacks
• Once attackers have information about the target network, they try to gain access using various exploitation techniques. These attempts to gain entry to a system or network are called access attacks; they include unauthorized access with stolen or guessed credentials, brute force, privilege escalation, man-in-the-middle, etc.

7
Types of Network Security Attacks(2/2)
Denial-of-service
• In a denial-of-service (DoS) attack, attackers attempt to make services unavailable to customers, users and/or the organization. A DoS attack does not by itself steal or destroy information, but it hurts the organization financially through downtime, and it is sometimes used to distract defenders while another intrusion is carried out.
Malware attacks
• Malware attacks affect the system or network either directly or indirectly and adversely change how the network functions. Malware is a program or file designed to harm a computer system; the classic types are Trojans, viruses and worms.

8
Reconnaissance Attacks

9
Reconn. Attacks: Network Info extraction
using nmap scan

10
Reconn Attacks: Social Eng. Attacks

11
Password Attacks

12
Password Attack Techniques

13
Network Sniffing

14
Man-In-The-Middle Attacks

15
Replay Attacks

16
SYN Flooding Attack
A SYN flood (half-open attack) is a denial-of-service attack (DoS, or DDoS when many sources are used) that makes a server unavailable to legitimate traffic by exhausting the state the server keeps for half-open TCP connections. The attacker repeatedly sends initial connection request (SYN) packets, usually from spoofed source addresses, until the listener's backlog of half-open connections is full, so the server answers legitimate connection attempts sluggishly or not at all.

17
SYN Flooding Attack
The server answers each SYN with a SYN-ACK and waits for the final ACK of the handshake, which never arrives, while the attacker keeps sending new SYN packets. Each new SYN makes the server allocate and hold a half-open connection entry for a certain length of time, and once the backlog of such entries is exhausted the server cannot accept new connections on that port. Note that it is this per-listener backlog that fills up, not "all the ports" of the machine; defences such as SYN cookies avoid storing any state until the handshake completes.

18
ACK Flood Attack
A TCP ACK flood, or 'ACK flood' for short, is a network DDoS attack consisting of TCP ACK packets. The packets carry no payload but may have the PSH flag set.
The attacker can easily generate a high rate of attack traffic, and it is very difficult to distinguish a legitimate ACK from an attacking ACK, since they look the same on the wire.
An ACK flood typically affects stateful devices, such as firewalls and web servers, that must spend resources processing each ACK. Because these packets are not linked to any session in the device's connection table, every one of them has to be looked up and rejected individually, so the device exhausts its resources and becomes unavailable to process legitimate requests while the attack is ongoing.

19
HTTP Flood Attack
HTTP Flood is a type of DDoS attack that belongs to the application-layer attack family. During the attack, the attacker sends HTTP GET or POST requests to an application or web server faster, or in a more resource-consuming form, than the server can serve them.

20
HTTP Flood Attack
In a volumetric HTTP flood the requests look legitimate, with valid headers and a complete message, so they are hard to tell apart from ordinary traffic; the damage comes from sheer volume. In the slow-rate variants (e.g. Slow POST), the request is also well formed, but the message body is sent at an extremely slow rate, which makes the targeted server wait on that connection for a very long time. Sending a large number of such requests, each holding a connection open, leaves no capacity for legitimate incoming connections.

21
Types of HTTP Flood Attacks
GET flood: sends a high volume of GET requests to a web server, typically from many devices or a botnet, to overwhelm it with requests to retrieve data. GET requests usually carry no body and fetch resources such as a webpage or an image; expensive dynamic pages and search endpoints are favoured targets.
HTTP POST flood: uses POST requests instead. A POST request typically carries data in its body that the server must process, so each request can consume more server resources than a GET.
Slowloris: keeps HTTP connections open for as long as possible using minimal bandwidth, by sending partial request headers and periodically adding another header line so that the request never completes. The server cannot close the connection and free its worker, so the pool of available connections is exhausted and the server is overloaded.
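Both flood styles above leave traces in the web server's own logs: a volumetric GET/POST flood shows up as an abnormal request rate per client, and a slow-body attack shows up as requests whose body arrived at a rate no real client would produce. The following added example (not part of the lecture) implements both checks over constructed log lines in a hypothetical space-separated format of `client_ip epoch_seconds method path status body_bytes duration_ms`; the window, rate and speed thresholds are illustrative values.

```python
"""Added example: two HTTP flood indicators computed from access-log lines.

Log format assumed (hypothetical, chosen for this example):
    client_ip epoch_seconds method path status body_bytes duration_ms
"""
from collections import defaultdict, deque

# Constructed sample (not a real log): 198.51.100.7 fires 7 GETs in 3 seconds,
# 198.51.100.8 trickles a 2000-byte POST body over two minutes, the rest is normal.
SAMPLE_LOG = """\
203.0.113.10 1700000000 GET /index.html 200 0 12
198.51.100.7 1700000001 GET / 200 0 10
198.51.100.7 1700000001 GET / 200 0 10
198.51.100.7 1700000001 GET / 200 0 11
198.51.100.7 1700000002 GET / 200 0 10
198.51.100.7 1700000002 GET / 200 0 10
198.51.100.7 1700000002 GET / 200 0 12
198.51.100.7 1700000003 GET / 200 0 10
203.0.113.11 1700000004 POST /api/upload 200 2000 50
198.51.100.8 1700000005 POST /api/upload 408 2000 120000
203.0.113.10 1700000010 GET /about.html 200 0 9
203.0.113.10 1700000020 GET /contact.html 200 0 9
""".strip().splitlines()


def parse(line):
    ip, ts, method, path, status, length, dur = line.split()
    return {"ip": ip, "ts": int(ts), "method": method, "path": path,
            "status": int(status), "length": int(length), "duration_ms": int(dur)}


def rate_offenders(lines, window_s=10, max_requests=5):
    """Sliding-window request rate per client IP; lines must be in time order."""
    recent = defaultdict(deque)
    flagged = set()
    for rec in map(parse, lines):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and q[0] < rec["ts"] - window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) > max_requests:
            flagged.add(rec["ip"])
    return sorted(flagged)


def slow_body_offenders(lines, min_duration_ms=10_000, min_bytes_per_s=100):
    """POST requests whose body arrived far slower than any real client would send it."""
    flagged = set()
    for rec in map(parse, lines):
        if rec["method"] != "POST" or rec["length"] == 0:
            continue
        if rec["duration_ms"] < min_duration_ms:
            continue   # fast requests are never a slow-body attack
        bytes_per_s = rec["length"] / (rec["duration_ms"] / 1000)
        if bytes_per_s < min_bytes_per_s:
            flagged.add(rec["ip"])
    return sorted(flagged)


if __name__ == "__main__":
    print("rate offenders:", rate_offenders(SAMPLE_LOG))
    print("slow-body offenders:", slow_body_offenders(SAMPLE_LOG))
```

The slow-body check only works if the server logs request duration (`%D` in Apache, `$request_time` in nginx); the server-side fix for Slowloris and Slow POST is a header/body timeout such as Apache's mod_reqtimeout or nginx's `client_header_timeout` and `client_body_timeout`, while a rate flood is handled upstream with per-client rate limiting.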
22
Privilege Escalation Attack

23
Example: using Metasploit framework
Metasploit Framework (msf) from Rapid7
Use a payload such as a reverse TCP shell (a reverse_tcp payload, in which the victim connects back to the attacker's listener)
Gain access to the victim machine as a normal user
Use privilege escalation to gain root/Administrator permission
Install a Meterpreter shell for post-exploitation

24
ARP Poisoning /Spoofing

25
DNS Poisoning Attack

26
DNS Hijacking
DNS hijacking, in the form also known as domain hijacking or domain theft, is an attack that involves maliciously gaining control of a domain name. The threat actor achieves this by stealing the owner's registrar login credentials, by social-engineering the registrar, or by exploiting a vulnerability in the domain registrar's system. (The same term is also used for attacks that change which resolver a host or router uses, or that alter records on a compromised authoritative server; the effect on the victims is the same.)
Once the attacker controls the domain name, they can redirect its traffic to a fake website, steal sensitive information (including mail sent to the domain and TLS certificates issued for it) or use the domain name to launch other types of attacks. Registrar locks and multi-factor authentication on the registrar account are the main defences.

27
DNS Amplification
DNS amplification is a distributed denial-of-service (DDoS) attack that exploits open DNS resolvers to flood a target with traffic. The attacker sends small DNS queries to open resolvers with the source IP address spoofed to the victim's address, so the resolvers send their responses, which are far larger than the original queries, to the victim; the amplification factor is the ratio of response size to query size, and queries for large record sets (ANY, or DNSSEC-signed zones) maximise it. Using many open resolvers and spoofed queries, the attacker overwhelms the target so that it becomes unavailable to legitimate users. The attack depends on networks that do not filter spoofed source addresses (BCP 38 ingress filtering) and on resolvers that answer queries from anyone; response-rate limiting on resolvers also blunts it.

28
DHCP Starvation Attack

29
DHCP Spoofing Attack

30
MAC Address Spoofing/Duplication/Cloning

31
MAC Address Spoofing/Duplication/Cloning
The attacker monitors network traffic to identify a legitimate device on the network (for example a host admitted by a MAC-based access list or captive portal).
The attacker sets their own interface's MAC address to that of the legitimate device and connects to the network. This lets the attacker impersonate the legitimate device and potentially inherit its privileges or access its sensitive information.
Because the switch now associates the cloned MAC address with the attacker's port, the attacker can intercept and modify network traffic sent to and from the legitimate device (in practice the two hosts fight over the switch's table entry, which also disrupts the victim).
The attacker can also use this access to launch further attacks on other devices on the network, such as injecting malicious traffic.

32
MAC Flooding Attack
The attacker connects to a switch port and sends many fake Ethernet frames, each containing a different source MAC address but the same destination MAC address. The goal is to flood the switch's MAC address table (CAM table) with fake entries, fill it up, and force the switch into fail-open mode.
The switch learns MAC addresses by adding each new source address to its MAC address table; since the attacker uses many different fake addresses, the table quickly fills up. This is why all the MAC addresses the attacker sends must be different: if only a small set of addresses were reused, the table would hold them all without overflowing and the attack would fail.

33
MAC Flooding Attack

When the MAC address table is full, the switch can no longer learn where hosts are and enters a "fail-open" mode: instead of using the table to pick the correct egress port, it forwards frames to all ports, like a hub. This causes network congestion and can disrupt network communication.
Now that the attacker has forced the switch into fail-open mode, frames addressed to other devices are also delivered to the attacker's port, so the attacker can read information from incoming or outgoing frames of every device on the segment and can send frames to any device on the network, disrupting communication. Switch port security (a limit on learned MAC addresses per port, with the port shut down on violation) stops a single port from filling the table.
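To make the two slides above concrete, the following added example (my own model, not the lecture's) simulates a learning switch with a bounded MAC table. It assumes a least-recently-seen eviction policy when the table is full (real switches differ: some stop learning, some lose entries to hash collisions), and it shows both claims made in the text: the attacker only sees the victims' traffic once the table overflows, and reusing a small set of fake addresses never gets there.

```python
"""Added example: toy learning switch showing MAC table overflow (fail-open)."""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class ToySwitch:
    """Learning switch with a bounded MAC (CAM) table.

    Assumption for this example: when the table is full, the least recently
    seen entry is evicted. Capacity is a small arbitrary number so the effect
    is visible; real tables hold thousands of entries.
    """

    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.cam = OrderedDict()   # mac -> port; insertion order tracks recency

    def learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)              # refresh an existing entry
        elif len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)           # table full: evict the oldest
        self.cam[mac] = port

    def forward(self, src, dst, in_port):
        """Learn src on in_port and return the list of egress ports."""
        self.learn(src, in_port)
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst]]                 # known unicast: exactly one port
        return [p for p in self.ports if p != in_port]   # unknown: flood like a hub


def run_flood(distinct_macs, frames=1000, capacity=8):
    """Hosts A (port 1) and B (port 2) are learned; the attacker on port 3 then
    sends `frames` frames cycling through `distinct_macs` fake source MACs.
    Finally A sends a unicast frame to B and we check whether port 3 gets a copy."""
    sw = ToySwitch(ports=(1, 2, 3), capacity=capacity)
    host_a, host_b = "00:00:00:00:00:01", "00:00:00:00:00:02"
    sw.forward(host_a, BROADCAST, 1)
    sw.forward(host_b, BROADCAST, 2)
    for i in range(frames):
        n = i % distinct_macs
        fake_src = f"de:ad:be:ef:{n >> 8:02x}:{n & 0xff:02x}"
        sw.forward(fake_src, "00:00:00:00:00:99", 3)   # same bogus destination every time
    egress = sw.forward(host_a, host_b, 1)
    return {
        "table_full": len(sw.cam) >= capacity,
        "attacker_sees_frame": 3 in egress,
        "fake_entries": sum(1 for m in sw.cam if m.startswith("de:ad:be:ef")),
    }


if __name__ == "__main__":
    print("1000 distinct fake MACs:", run_flood(1000))
    print("only 2 fake MACs reused:", run_flood(2))
```

With a thousand distinct source addresses the victims' entries are pushed out and A's frame to B is flooded to port 3; with two addresses reused the table never fills and the frame goes only to port 2. Tools such as macof generate this kind of traffic at line rate, which is why port security with a per-port MAC limit matters on access switches.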
Ping of Death attack
A Ping of Death (PoD) attack is a denial-of-service (DoS) attack in which the attacker sends an ICMP echo request as IP fragments that, when reassembled, exceed the maximum IP packet size of 65,535 bytes. Systems whose reassembly code did not check for this overflowed a buffer and froze or crashed. The original Ping of Death is rare today, because operating systems now validate fragment offsets and lengths; the related ICMP flood attack, which simply sends echo requests faster than the target can absorb them, is more prevalent.

35
Malware attacks

36
Network Security Controls
and Devices

37
Network Security Controls

38
Access Control

39
Access Control Principles

40
Physical access controls

41
Technical access control

42
User Identification, Authentication, Authorization and Accounting

43
Network security policy

44
NETWORK SECURITY DEVICES:

45
Firewalls

46
Firewalls and Concerns

47
Firewall Limitations

48
How does FW work?

49
Types of Firewall
Packet-Filtering Firewall
• Monitors and controls network traffic based on predefined rules for source/destination IP addresses, ports, and protocols. It is stateless: each packet is judged on its own network- and transport-layer headers (Layers 3-4) with no memory of earlier packets.
Stateful Inspection Firewall
• Tracks the state of active connections in a connection table and decides which packets to allow by considering the whole flow (for example, only a SYN may open a TCP connection and later packets must belong to a tracked connection). Operates at multiple OSI layers.
Proxy Firewall (Application-Level Gateway)
• Acts as an intermediary between client and server, terminating the client's connection and filtering traffic at the application layer (Layer 7). It inspects application-specific data.
Next-Generation Firewall (NGFW)
• Combines traditional firewall functions with advanced features such as intrusion prevention, deep packet inspection, and application control. Operates across multiple OSI layers.
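The difference between the first two firewall types is easiest to see in code. The following added example (not from the lecture, and not any vendor's rule engine) evaluates the same inbound rule set with a stateless first-match filter and with a stateful filter that keeps a flow table. The rule set includes the classic stateless "allow anything with ACK set" shortcut, which is exactly what lets an unsolicited ACK (the ACK flood traffic discussed earlier) through a packet filter but not a stateful firewall. Addresses, ports and rules are made up for the example.

```python
"""Added example: stateless vs stateful evaluation of one firewall rule set.

Only inbound packets are modelled; a stateful firewall would also match the
server's replies against the same flow table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""          # TCP flags as letters: "S" = SYN, "A" = ACK, "SA" = both


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    needs_flag: Optional[str] = None   # "A": only packets with ACK set (the old 'established' trick)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.needs_flag is None or self.needs_flag in p.flags))


class StatelessFilter:
    """First matching rule wins; default deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Same rules, but only a bare SYN can open a TCP flow; every later packet
    must match a flow the firewall has already accepted."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.flows:
            return "allow"                       # belongs to an established flow
        if p.proto == "tcp" and p.flags != "S":
            return "deny"                        # mid-stream packet with no flow (e.g. an ACK flood)
        verdict = super().decide(p)
        if verdict == "allow":
            self.flows.add(key)                  # remember the flow for the packets that follow
        return verdict


# Hypothetical inbound policy for a web server at 10.0.0.5.
INBOUND_RULES = [
    Rule("allow", proto="tcp", dst="10.0.0.5/32", dport=443),
    Rule("allow", proto="tcp", needs_flag="A"),   # stateless 'established' shortcut
    Rule("deny"),
]


def compare(packet: Packet) -> dict:
    """Verdict of a fresh stateless and a fresh stateful filter for one packet."""
    return {"stateless": StatelessFilter(INBOUND_RULES).decide(packet),
            "stateful": StatefulFilter(INBOUND_RULES).decide(packet)}


if __name__ == "__main__":
    syn = Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 443, "S")
    stray_ack = Packet("198.51.100.7", "10.0.0.5", "tcp", 40002, 22, "A")
    print("SYN to 443:", compare(syn))
    print("stray ACK to 22:", compare(stray_ack))
```

The stateless filter passes the stray ACK to port 22 because rule 2 cannot tell a reply from an unsolicited packet; the stateful filter denies it because no flow was ever opened with a SYN. The price of statefulness is the flow table itself, which is the resource that SYN and ACK floods target.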
50
Packet Filtering Firewall

51
Packet Filtering (Cont’d)

52
Next-Generation Firewalls (NGFWs)
A Next-Generation Firewall (NGFW) is an advanced type of firewall that goes beyond traditional packet filtering and stateful inspection by integrating additional security features to provide comprehensive protection against modern threats.
Key Features:
• Deep Packet Inspection (DPI): Examines the content of data packets, not just their headers, to identify and block malicious activity.
• Intrusion Prevention System (IPS): Detects and prevents network-based attacks in real time.
• Application Awareness and Control: Identifies and manages specific applications, regardless of the port or protocol used.
• Advanced Threat Protection (ATP): Protects against malware, ransomware, and zero-day attacks through integration with threat intelligence services and sandboxing.
• Encrypted Traffic Inspection: Decrypts and analyses SSL/TLS traffic for threats; this requires the firewall's CA certificate to be trusted by the clients and should be scoped to avoid inspecting sensitive categories.
• Centralized Management: Provides a unified interface for monitoring, configuration, and reporting.
53
Go live
Prepare yourself for Firewall
Check the Fortinet/FortiGate Firewall demo page:
https://fortigate.fortidemo.com/login?redir=%2Fng%2Finterface
User/pass: demo/demo

54
Proxy Server

55
Advantages of using Proxy Server

56
Honeypots

57
Its Advantages

58
Intrusion Detection System (IDS)

59
Its Advantages and Limitations
Advantages:
The IDS allows continuous monitoring and tracking of intrusions and attacks in the network.
The IDS provides an extra layer of security to the network.
The IDS can also provide logs or data regarding the attack or intrusion that can later be used for investigation of the incident.
Limitations:
The IDS requires more maintenance than a firewall.
It is not always possible for the IDS to detect intrusions (false negatives).
An IDS requires properly trained and experienced staff to maintain and tune it.
An IDS can raise false alarms (false positives) to the network administrator.

60
Intrusion Prevention Systems (IPS)

61
Advantages of IPS over IDS
Unlike an IDS, which only alerts, an IPS sits inline and can block or drop illegal packets in the network.
An IPS can be used to monitor and control the activities occurring within a single organization's network.
An IPS prevents direct attacks on the network by dropping or rate-limiting the offending traffic before it reaches the target.

62
Internet Content filters

63
Unified Threat Management

64
UTM Appliances

65
Security Zones

66
Demilitarized Zones (DMZ)

67
DMZ with two firewalls

68
Virtual Private Networks (VPNs)

69
Types of VPNs
1. Remote Access VPN
o Purpose: Allows individual users to securely connect to a private
network over the internet.
o Use Cases: Remote workers accessing company resources,
students connecting to a university network.
2. Site-to-Site VPN
o Purpose: Connects entire networks (e.g., two or more office
locations) over the internet securely.
o Use Cases: Businesses with multiple branch offices requiring
seamless communication between networks.
3. SSL VPN
o Purpose: Provides secure access to specific applications and
resources via a web browser.
o Use Cases: Employees accessing internal systems without
installing VPN clients.
70
Questions
?
