8: Network Management 1

17: Network Management and Monitoring

Last Modified: 4/21/2003 2:46:25 PM

Network Management Tasks

  • Protecting the network (e.g. intrusion detection)
  • Detecting failed components (interfaces, links, hosts, routers)
  • Monitoring traffic patterns (recommend needed upgrades, cap certain types of traffic)
  • Detect abnormal traffic (rapid changes in routing tables, huge spikes in BW usage)

Snort

  • Detection/logging of packets matching filters/rule sets, similar to Ethereal capture/display filters
  • Three primary uses:
    • Packet sniffer
    • Packet logger
    • Intrusion Detection System

Snort IDS

  • Snort consists of three subsystems:
    • packet decoder (libpcap-based)
    • detection engine
    • logging and alerting subsystem
  • Detection engine:
    • Rules form signatures
    • Modular detection elements are combined to form these signatures
    • Anomalous activity detection is possible: stealth scans, OS fingerprinting, invalid ICMP codes, etc.
    • Rules system is very flexible, and creation of new rules is relatively simple

Snort Rules

  • Snort rules consist of two parts:
    • Rule header: specifies src/dst host and port, e.g.
      alert tcp !128.119.0.0/16 any -> 128.119.166.5 any
      Notice the negation (!) and "any": the source is any host outside network 128.119.0.0/16
    • Rule options: specifies flags, content, output message, e.g.
      (flags: SFAPR; msg: "Xmas tree scan")

Writing Snort Rules

  • Snort uses a simple rules language
  • http://www.snort.org/writing_snort_rules.htm
  • Rule header consists of:
    • Rule actions: alert, log, pass, dynamic, activate, etc.
    • Protocol: tcp, udp, icmp, etc.
    • IP addresses: source, dest, CIDR mask
    • Port numbers: source, dest, range
    • Direction
    • Negation
Simple examples

log tcp any any -> $SMTP 23 (msg: "telnet to the mail server!";)

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg: "TELNET login incorrect"; content: "Login incorrect"; flags: A+;)

alert icmp any any -> any any (msg: "ICMP Source Quench"; itype: 4; icode: 0;)
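The rule header structure from the "Snort Rules" and "Writing Snort Rules" slides (action, protocol, source/destination with CIDR and negation, ports, direction), worked through as an added example: a small parser for the header and option list, plus a matcher that decides whether a packet's 5-tuple would trigger the header. This is illustrative code written for these notes, not Snort's own parser; the sample rules are the slides' examples, and the $HOME_NET/$EXTERNAL_NET values passed to the matcher are constructed.

```python
import ipaddress
import re
# Constructed sample rules, copied from the "Snort Rules" and "Simple examples" slides.
SAMPLE_RULES = [
    'log tcp any any -> $SMTP 23 (msg: "telnet to the mail server!";)',
    'alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg: "TELNET login incorrect"; content: "Login incorrect"; flags: A+;)',
    'alert icmp any any -> any any (msg: "ICMP Source Quench"; itype: 4; icode: 0;)',
    'alert tcp !128.119.0.0/16 any -> 128.119.166.5 any (flags: SFAPR; msg: "Xmas tree scan";)',
]
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")

def parse_options(text):
    """Turn 'key: value; key2: "quoted";' into a dict (surrounding quotes stripped)."""
    pairs = re.findall(r'([A-Za-z_]+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);', text)
    return {k: v.strip().strip('"') for k, v in pairs}

def parse_rule(line):
    """Split a rule into its 7-field header and its options; '!' on an address becomes a flag."""
    header, _, rest = line.partition("(")
    fields = header.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"malformed rule header: {header!r}")
    rule = dict(zip(HEADER_FIELDS, fields))
    if rule["action"] not in ACTIONS or rule["protocol"] not in PROTOCOLS:
        raise ValueError(f"unknown action or protocol in {header!r}")
    for side in ("src", "dst"):
        rule[side + "_negated"] = rule[side].startswith("!")
        rule[side] = rule[side].lstrip("!")
    rule["options"] = parse_options(rest.rsplit(")", 1)[0])
    return rule

def addr_matches(spec, negated, ip, variables):
    """'any' matches everything; $VARs resolve through `variables`; negation inverts the result."""
    spec = variables.get(spec, spec)
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negated

def port_matches(spec, port):
    """Accept 'any', a single port, or a Snort range such as '1024:' or '20:23'."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    return (int(lo or 0) <= port <= int(hi or 65535)) if sep else int(spec) == port

def header_matches(rule, proto, sip, sport, dip, dport, variables=None):
    """Would a packet with this 5-tuple trigger the rule header? (options are not evaluated)"""
    variables = variables or {}
    return (rule["protocol"] == proto
            and addr_matches(rule["src"], rule["src_negated"], sip, variables)
            and port_matches(rule["src_port"], sport)
            and addr_matches(rule["dst"], rule["dst_negated"], dip, variables)
            and port_matches(rule["dst_port"], dport))
```

The negated rule shows the point the slide makes: a source of 10.0.0.5 matches (it is outside 128.119.0.0/16) while 128.119.3.4 does not.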

Prewritten Rulesets

Snort comes packaged with a number of prewritten rulesets:

  • include bad-traffic.rules
  • include exploit.rules
  • include scan.rules
  • include finger.rules
  • include ftp.rules
  • include telnet.rules
  • include smtp.rules
  • include rpc.rules
  • include rservices.rules
  • include dos.rules
  • include ddos.rules
  • include dns.rules
  • include tftp.rules
  • include web-cgi.rules
  • include web-coldfusion.rules
  • include web-frontpage.rules
  • ……

Vulnerability databases

Rules correlated to common databases:

  • Bugtraq: http://www.securityfocus.com/cgi-bin/vulns.pl
    Ex. Bugtraq id 2283: 23-01-2001: Lotus Domino Mail Server 'Policy' Buffer Overflow Vulnerability
  • ArachNIDS: http://www.whitehats.com/ids/index.html
  • Common Vulnerabilities and Exposures: http://cve.mitre.org

Firewalls

  • Gateway machines through which all traffic passes
  • Can *stop* rather than simply log traffic that matches rules/filters

Types of firewalls

  • Packet Filtering firewall: operates on transport and network layers of the TCP/IP stack
  • Application Gateways/Proxies: operate on the application protocol level

[Figure: a packet filtering firewall between the internal and external network; a proxy firewall in which the client talks to the proxy and the proxy talks to the actual server]

Packet Filt ering Firewall

Operat e on t ransport and net work layers

  • f t he TCP

/ I P st ack

Decides what t o do wit h a packet

depending upon t he f ollowing crit eria:

Tr anspor t pr ot ocol (TCP,UDP,I CMP), Sour ce and dest inat ion I P addr ess The sour ce and dest inat ion por t s I CMP message t ype/ code Var ious TCP opt ions such as packet size,

f r agment at ion et c A lot like Et hereal capt ure/ display f ilt ers

slide-3
SLIDE 3

3

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  • All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP segments with ACK=0, i.e. with SYN bit set and ACK bit unset.
  • Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
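The two filtering examples above, carried through as an added stateless packet filter (illustrative code written for these notes, not any firewall product). Example 1 is read the way the slide's own explanation reads it, as two separate conditions (all UDP, and anything on port 23); the packets fed to the filter are constructed.

```python
from dataclasses import dataclass

TCP, UDP, ICMP = 6, 17, 1   # values of the IP protocol field

@dataclass(frozen=True)
class Packet:
    direction: str     # "in" = arriving from the external network, "out" = leaving it
    protocol: int      # IP protocol field
    src_port: int = 0  # 0 for protocols without ports (ICMP)
    dst_port: int = 0
    syn: bool = False  # TCP flag bits; ignored for non-TCP packets
    ack: bool = False

def example1_udp_or_telnet(pkt):
    """Slide's Example 1: drop every UDP datagram, and drop anything with source or dest port 23."""
    return pkt.protocol == UDP or 23 in (pkt.src_port, pkt.dst_port)

def example2_inbound_tcp_setup(pkt):
    """Slide's Example 2: drop inbound TCP segments whose ACK bit is clear.
    Only the first segment of a new connection (the SYN) lacks ACK, so outside hosts
    cannot open connections inward, while every reply to an inside-initiated
    connection carries ACK and still passes."""
    return pkt.direction == "in" and pkt.protocol == TCP and not pkt.ack

RULES = [("udp-or-telnet", example1_udp_or_telnet), ("inbound-tcp-setup", example2_inbound_tcp_setup)]

def filter_packet(pkt, rules=RULES):
    """Stateless decision: the first matching drop rule wins, otherwise the packet is forwarded."""
    for name, matches in rules:
        if matches(pkt):
            return ("drop", name)
    return ("forward", None)

# Constructed sample traffic that exercises both rules in both directions.
SAMPLE_TRAFFIC = {
    "outbound DNS query":        Packet("out", UDP, 40123, 53),
    "outbound telnet SYN":       Packet("out", TCP, 40124, 23, syn=True),
    "inbound SYN to web server": Packet("in", TCP, 51000, 80, syn=True),
    "inbound SYN-ACK reply":     Packet("in", TCP, 80, 40125, syn=True, ack=True),
    "inbound HTTP data":         Packet("in", TCP, 80, 40125, ack=True),
    "outbound SYN to web":       Packet("out", TCP, 40125, 80, syn=True),
    "inbound ping":              Packet("in", ICMP),
}

def run_samples():
    """Return {description: verdict} for the constructed traffic."""
    return {desc: filter_packet(pkt)[0] for desc, pkt in SAMPLE_TRAFFIC.items()}

if __name__ == "__main__":
    for desc, verdict in run_samples().items():
        print(f"{verdict:8} {desc}")
```

Because the filter keeps no state, "inbound HTTP data" is forwarded on the strength of its ACK bit alone; a stateful firewall (next slide's terminology) would additionally check that an inside host really opened that connection.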

Packet Filtering Firewall: Terminology

  • Stateless Firewall: the firewall makes a decision on a packet by packet basis.
  • Stateful Firewall: the firewall keeps state information about transactions (connections).
  • NAT - Network Address Translation: translates public IP address(es) to private IP address(es) on a private LAN. We looked at this already (must be stateful).

Packet Filtering Firewall: Functions

  • Forward the packet(s) on to the intended destination
  • Reject the packet(s) and notify the sender (ICMP dest unreach/admin prohibited)
  • Drop the packet(s) without notifying the sender
  • Log accepted and/or denied packet information
  • NAT - Network Address Translation

Application Gateway (Proxy Server)

  • Operates at the application protocol level (Telnet, FTP, HTTP)
  • Filters packets on application data as well as on IP/TCP/UDP fields
  • Application gateways "understand" the protocol and can be configured to allow or deny specific protocol operations
  • Typically, proxy servers sit between the client and actual service. Both the client and server talk to the proxy rather than directly with each other.

Application gateways

Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; application gateway; router and filter]

  1. Require all telnet users to telnet through gateway.
  2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between the 2 connections.
  3. Firewall filter blocks all telnet connections not originating from gateway.

Firewall Hardware/Software

  • Dedicated hardware/software application such as Cisco PIX Firewall, which filters traffic passing through multiple network interfaces.
  • A Unix or Windows based host with multiple network interfaces, running a firewall software package which filters incoming and outgoing traffic across the interfaces.
  • A Unix or Windows based host with a single network interface, running a firewall software package which filters the incoming and outgoing traffic to the individual interface.

Firewall Architecture

In the real world, designs are far more complex.

[Figure: Internal Network, External Network, Border Router, External Firewall, Web Server, IDS, Internal Firewall, DMZ, Internal Router, Core Switches, Modem]

Limitations of firewalls and gateways

  • IP spoofing: router can't know if data "really" comes from claimed source
  • If multiple apps need special treatment, each has own app. gateway.
  • Client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
  • Filters often use all or nothing policy for UDP.
  • Tradeoff: degree of communication with outside world, level of security
  • Many highly protected sites still suffer from attacks.

Managing the network?

  • Autonomous systems (network under a single administrative control): 100s or 1000s of interacting hw/sw components
  • Many complex pieces… that can break
    • Hardware (end hosts, routers, hubs, cabling)
    • Software
  • Something is broken – where?
    • What is normal? What is abnormal?
  • Planning for the future – where is the bottleneck?
  • Need information stream from remote components

Network Management Architecture

  (1) a network manager
  (2) a set of managed remote devices
  (3) management information bases (MIBs)
  (4) remote agents that report MIB information and take action under the control of the network manager
  (5) a protocol for communicating between the network manager and the remote devices

Network Operations Center (NOC) = control center

Infrastructure for network management

[Figure: a managing entity with its data, connected through the network management protocol to several managed devices, each containing an agent and its data]

Definitions:
  • managed devices contain managed objects whose data is gathered into a Management Information Base (MIB)
  • managing entity: the manager side that collects that data over the management protocol

Network Management standards

OSI CMIP
  • Common Management Information Protocol
  • designed 1980's: the unifying net management standard
  • standardized too slowly

SNMP: Simple Network Management Protocol
  • Internet roots (Simple Gateway Monitoring Protocol, SGMP)
  • started simple
  • deployed, adopted rapidly
  • growth: size, complexity
  • de facto network management standard

SNMP

Overview: 4 key parts

  • SNMP protocol: convey manager <-> managed object info, commands
  • Structure of Management Information (SMI): data definition language for MIB objects, format of data to be exchanged; protocol independent type language
  • Management information base (MIB): distributed information store of network management data, collection of MIB objects
  • security, administration capabilities: major addition in SNMPv3

SMI: data definition language

  • Purpose: syntax, semantics of management data well-defined, unambiguous
  • base data types: straightforward, boring
  • Higher level structs: OBJECT-TYPE, MODULE-IDENTITY

SMI Basic Data Types: INTEGER, Integer32, Unsigned32, OCTET STRING, OBJECT IDENTIFIER, IPaddress, Counter32, Counter64, Gauge32, TimeTicks, Opaque

OBJECT-TYPE

  • SYNTAX = basic type of this object
  • MAX-ACCESS = operations allowed on the object (read, write, create, notify)
  • STATUS = current/valid, obsolete (should not be implemented), deprecated (implemented for backwards compatibility)
  • DESCRIPTION = comment, human readable description

Example:

ipInDelivers OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of input datagrams successfully delivered
         to IP user-protocols (including ICMP)."
    ::= { ip 9 }

MODULE-IDENTITY

  • MODULE-IDENTITY construct allows related objects to be grouped together within a "module."
  • Contains the OBJECT-TYPE constructs for each object in the module
  • Plus contact and description information

Example:

ipMIB MODULE-IDENTITY
    LAST-UPDATED "941101000Z"
    ORGANIZATION "IETF SNMPv2 Working Group"
    CONTACT-INFO
        "Keith McCloghrie ……"
    DESCRIPTION
        "The MIB module for managing IP and ICMP implementations,
         but excluding their management of IP routes."
    REVISION "019331000Z"
    ………
    ::= { mib-2 48 }

SNMP MIB

  • Objects specified via SMI OBJECT-TYPE construct
  • MIB module specified via SMI MODULE-IDENTITY (100+ standards-based MIBs written by IETF, more vendor-specific)

[Figure: a MODULE containing several OBJECT TYPE definitions]

SNMP Naming

Question: how do we keep track of / name every possible standard object (protocol, data, more..) in every possible network standard?

Answer: ISO Object Identifier tree: hierarchical naming of all objects; each branchpoint has name, number

1.3.6.1.2.1.7.1 read along the tree:
  1 ISO
  3 ISO-identified organization
  6 US DoD
  1 Internet
  2 management
  1 MIB-2
  7 UDP
  1 udpInDatagrams

OSI Object Identifier Tree

Check out www.alvestrand.no/harald/objectid/top.html

MIB example: UDP module

Object ID         Name             Type       Comments
1.3.6.1.2.1.7.1   udpInDatagrams   Counter32  total # datagrams delivered at this node
1.3.6.1.2.1.7.2   udpNoPorts       Counter32  # undeliverable datagrams, no app at port
1.3.6.1.2.1.7.3   udpInErrors      Counter32  # undeliverable datagrams, all other reasons
1.3.6.1.2.1.7.4   udpOutDatagrams  Counter32  # datagrams sent
1.3.6.1.2.1.7.5   udpTable         SEQUENCE   one entry for each port in use by app, gives port # and IP address

SNMP protocol

Two ways to convey MIB info, commands:

  • request/response mode: the managing entity sends a request to the managed device's agent, which answers with a response ("Give me your regular report")
  • trap mode: the agent sends a trap msg to the managing entity without being asked ("Better hear about this now!")

SNMP protocol: message types

Message type                                  Function
GetRequest, GetNextRequest, GetBulkRequest    Mgr-to-agent: "get me data" (instance, next in list, block)
InformRequest                                 Mgr-to-Mgr: here's MIB value
SetRequest                                    Mgr-to-agent: set MIB value
Response                                      Agent-to-mgr: value, response to Request
Trap                                          Agent-to-mgr: inform manager of exceptional event

SNMP protocol: message formats

SNMP security and administration

  • encryption: DES-encrypt SNMP message
  • authentication: compute, send Message Integrity Code (MIC). MIC(m,k): compute hash (MIC) over message (m) and secret shared key (k)
  • protection against playback: use nonce
  • view-based access control
    • SNMP entity maintains database of access rights, policies for various users
    • database itself accessible as managed object!
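The authentication and anti-playback items above, worked as an added example that is not from these slides or from any SNMP implementation: the sender attaches MIC(m,k) and a fresh nonce to each message; the receiver recomputes the MIC with the shared key, rejects altered or forged messages, and rejects a nonce it has already accepted. HMAC-SHA256 is assumed here as the "hash over message and shared key"; the key, messages and scenario are constructed.

```python
import hashlib
import hmac
import os

def compute_mic(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """MIC(m, k): keyed hash over nonce || message. HMAC-SHA256 is an assumption standing in
    for the slide's generic 'hash over message and shared key'; the nonce is covered too,
    so it cannot be swapped without invalidating the MIC."""
    return hmac.new(key, nonce + message, hashlib.sha256).digest()

class MicSender:
    """Manager side: every message goes out with a fresh nonce and its MIC."""
    def __init__(self, key: bytes):
        self.key = key

    def send(self, message: bytes):
        nonce = os.urandom(16)       # fresh random value per message
        return nonce, message, compute_mic(self.key, nonce, message)

class MicReceiver:
    """Agent side: verify the MIC with the shared key, then refuse any nonce seen before."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def receive(self, nonce: bytes, message: bytes, mic: bytes) -> str:
        expected = compute_mic(self.key, nonce, message)
        if not hmac.compare_digest(expected, mic):   # constant-time comparison
            return "rejected: bad MIC (wrong key or message altered in transit)"
        if nonce in self.seen_nonces:
            return "rejected: replayed message"
        self.seen_nonces.add(nonce)
        return "accepted"

def demo():
    """Constructed scenario: a genuine SetRequest, then the same bytes replayed,
    a copy altered in transit, a forgery under a guessed key, and a second genuine message."""
    key = b"constructed-shared-secret"
    manager, agent = MicSender(key), MicReceiver(key)
    nonce, msg, mic = manager.send(b"SetRequest sysContact=noc@example.test")
    results = [agent.receive(nonce, msg, mic)]                                   # genuine
    results.append(agent.receive(nonce, msg, mic))                               # replay
    results.append(agent.receive(nonce, msg.replace(b"noc", b"xyz"), mic))       # altered
    results.append(agent.receive(nonce, msg, compute_mic(b"guessed-key", nonce, msg)))  # forged
    results.append(agent.receive(*manager.send(b"GetRequest sysUpTime")))        # new genuine
    return results
```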

Multi Router Traffic Grapher (MRTG)

  • SNMP client: will gather data from remote machines via SNMP
  • Graphs changes in info over time

Outtakes

Packet Filtering Firewall: Disadvantages

  • Filters can be difficult to configure. It's not always easy to anticipate traffic patterns and create filtering rules to fit.
  • Filter rules are sometimes difficult to test
  • Packet filtering can degrade router performance
  • Attackers can "tunnel" malicious traffic through allowed ports on the filter.

Application Gateway (Proxy Server): Disadvantages

  • Requires modification to client software application
  • Some client software applications don't accommodate the use of a proxy
  • Some protocols aren't supported by proxy servers
  • Some proxy servers may be difficult to configure and may not provide all the protection you need.

Snort: Sample IDS output

  • Apr 12 01:56:21 ids snort: EXPLOIT sparc setuid 0: 218.19.15.17:544 -> xxx.yyy.zzz.41:37987
  • Apr 12 01:56:21 ids snort: EXPLOIT x86 NOOP: 23.91.17.7:544 -> xxx.yyy.zzz.41:37987
  • Apr 12 07:31:03 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 63.26.255.221 -> xxx.yyy.zzz.34
  • Apr 12 09:59:38 ids snort: RPC portmap request rstatd: 28.11.67.132:1033 -> xxx.yyy.zzz.29:111
  • Apr 12 13:20:05 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 12.13.1.67 -> xxx.yyy.zzz.126
  • Apr 12 14:13:22 ids snort: RPC portmap request rstatd: 134.1.5.12:3649 -> xxx.yyy.zzz.29:111
  • Apr 12 20:19:34 ids snort: BACKDOOR back orifice attempt: 209.255.213.130:1304 -> xxx.yyy.zzz.241:31337
  • Apr 12 22:53:52 ids snort: DNS named iquery attempt: 209.126.168.231:4410 -> xxx.yyy.zzz.23:53

Example: smtp.rules

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;)

alert tcp $EXTERNAL_NET 113 -> $SMTP 25 (msg:"SMTP sendmail 8.6.9 exploit"; flags:A+; content:"|0a|D/"; reference:arachnids,140; reference:cve,CVE-1999-0204; classtype:attempted-admin; sid:655; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn root"; flags:A+; content:"expn root"; nocase; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:2;)
