Network Security
Intrusion Detection & Prevention Systems
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are integral tools in network security. Both IDS and IPS analyze entire packets, including the header and payload, in search of recognized events.
- IDS: When a known event is detected, a log message is generated. There may also be reports or optional alerts. IDS observes, logs, and optionally alerts. It doesn't take action.
- IPS: When it detects a known event, it rejects the packet. IPS takes action! It rejects malicious packets.
Types of IDS Systems
- Behavior-based IDS
- Forms a baseline of activity to establish what constitutes normal behavior.
- Measures system performance against the baseline to spot abnormal behavior.
- Can detect previously unknown attack methods.
- Knowledge-based IDS
- Uses signatures, akin to the signature definitions adopted by anti-malware software.
- Only effective against known attack methods.
Both host-based (HIDS) and network-based (NIDS) systems can be knowledge-based, behavior-based, or a mix of the two.
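To make the knowledge-based versus behavior-based distinction concrete, here is an added example (not from the original notes) that runs both styles of detector over a handful of constructed web-server log lines. The signature set, the log lines and the baseline counts are all made up for the demonstration; the point is that the signature detector only fires on the pattern it already knows, while the baseline detector flags the client whose request rate departs from "normal" even though no signature matches it.

```python
"""Toy knowledge-based (signature) and behavior-based (baseline) detectors.
Added example; the log lines, signatures and baseline are constructed."""
import re
import statistics
from collections import Counter

# Constructed sample log lines: "timestamp client_ip request".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET /index.html
10:00:02 10.0.0.7 GET /about.html
10:00:03 10.0.0.5 GET /login?user=admin'%20OR%201=1--
10:00:04 10.0.0.9 GET /products
10:00:05 10.0.0.9 GET /products/1
10:00:06 10.0.0.9 GET /products/2
10:00:07 10.0.0.9 GET /products/3
10:00:08 10.0.0.9 GET /products/4
10:00:09 10.0.0.9 GET /products/5
10:00:10 10.0.0.9 GET /products/6
10:00:11 10.0.0.7 GET /contact
"""

# Knowledge-based: a fixed list of signatures, like an anti-malware definition set.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'(%20|\s)*OR(%20|\s)+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(log_text):
    """Split raw lines into (timestamp, client_ip, request) tuples."""
    rows = []
    for line in log_text.splitlines():
        ts, ip, req = line.split(" ", 2)
        rows.append((ts, ip, req))
    return rows


def knowledge_based(rows):
    """Return (client_ip, signature_name) for every request matching a signature.
    Only known patterns fire: this is the limitation the notes describe."""
    hits = []
    for _, ip, req in rows:
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                hits.append((ip, name))
    return hits


def behavior_based(rows, baseline_counts, z_threshold=2.0):
    """Flag clients whose request count deviates from a learned baseline.
    baseline_counts: requests-per-client observed during a 'normal' period.
    Mean and standard deviation of the baseline are the model of normal; any
    client more than z_threshold deviations above it is abnormal, signature or not."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0  # avoid divide-by-zero
    observed = Counter(ip for _, ip, _ in rows)
    return sorted(ip for ip, n in observed.items() if (n - mean) / stdev > z_threshold)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("signature hits:", knowledge_based(rows))
    # Constructed baseline: during normal traffic each client made 1-3 requests.
    print("anomalous clients:", behavior_based(rows, [1, 2, 2, 3, 1, 2]))
```

The signature detector reports only 10.0.0.5 (the tautology pattern it knows), and the baseline detector reports only 10.0.0.9 (seven requests against a baseline of one to three). Neither alone sees both, which is why the notes describe real HIDS/NIDS products as mixing the two.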
IDS/IPS Classification by Deployment
- Host-based (HIDS/HIPS)
- Deployed in software form.
- Often installed on a server.
- HIDS observes and logs known events from whole packets.
- HIPS rejects packets when a known event is detected.
- Network-based (NIDS/NIPS)
- Typically in hardware form at the network level.
Modes of Operation for Network-based IDS and IPS
- Inline (In-band)
- Positioned on or near the firewall to enhance security layers.
- Might integrate with a switch close to the firewall.
- Passive (Out-of-band)
- Traffic doesn't directly flow through the NIPS/NIDS.
- Uses sensors and collectors to forward alerts to the NIDS.
Sensors and collectors can be strategically placed in a network. For instance, a sensor on the internet side can scan all inbound traffic. But remember that running all traffic through an inline setup can be resource-intensive. Position sensors where they best serve your network's needs.
Secure Network Design
Understanding and leveraging secure network designs can significantly enhance the overall protection of systems and data. Here's a concise breakdown:
Bastion Host
A Bastion Host is a computer or appliance with exposure to the internet. It undergoes hardening, which means all unnecessary elements, such as non-essential services, programs, protocols, and ports, are eliminated.
Key characteristics of a Bastion Host:
- Only necessary ports are open.
- Removal of non-essential elements.
- Examples include hardened browsers like Librewolf or the Firefox community version.
Screened Host
A Screened Host is a system protected by a firewall and is logically located just inside a private network. It's one of the most secure options due to its firewall protection and its location within the network.
Screened Subnet
Conceptually akin to a Screened Host, a Screened Subnet is a subnet positioned between two routers or firewalls. A Bastion Host is typically situated within this subnet.
Proxy Server
A Proxy Server acts on behalf of the client, forwarding its service request and hiding the client's true origin. It's prevalent in corporate environments for internet browsing. A proxy server masks the true origin of the request, often caching content for performance enhancements.
Network Attacks
Denial-of-Service
- Definition: A resource consumption attack designed to hinder or stop legitimate activities on a targeted system.
- Method: Overwhelm the system/network with unwanted requests, rendering it unavailable for legitimate users.
- Countermeasures:
- Utilize firewalls.
- Employ routers.
- Deploy Intrusion Detection Systems (IDS).
- Disable broadcast packets entering/leaving.
- Disable echo replies.
- Regular patching to close vulnerabilities.
Distributed-Denial-of-Service
- Definition: A type of DoS attack, but using multiple compromised computer systems to flood the target with attack traffic.
- Countermeasures:
- Utilize firewalls.
- Employ routers.
- Deploy Intrusion Detection Systems (IDS).
- Disable broadcast packets entering/leaving.
- Disable echo replies.
- Regular patching to close vulnerabilities.
Botnets
A botnet is a collection of compromised computing devices, often referred to as bots or zombies. These devices are infected with malicious software that allows them to be controlled remotely by an attacker.
Bot Herder
The person or entity in charge of the botnet. They use a command and control server to remotely manage the compromised devices (zombies).
Botnets are frequently used to launch distributed denial-of-service (DDoS) attacks, spread malware, send spam emails, and conduct other malicious activities.
Teardrop Attack
- Description: A DoS attack involving the sending of mangled IP fragments with overlapping, oversized payloads to a target machine.
- Effect: The target system tries, and fails, to reassemble these fragments, often leading to system crashes.
- Analogy: It would be like somebody giving you an intentionally warped jigsaw puzzle without telling you. You'd try to fit these incorrect or malformed pieces into your puzzle, getting increasingly frustrated. Ultimately, you'd be unable to complete it, and might even damage the correct pieces.
Land Attack
- Description: Layer 4 DoS attack where both the source and destination addresses in a TCP segment are set to be the same.
- Effect: Vulnerable machines might crash or freeze because the TCP stack keeps trying to process the confusing packet.
SYN Flood
- Description: A DoS attack where attackers send multiple SYN requests (the initiation step in TCP handshake) to a target, overwhelming it.
- Effect: Consumes server resources, rendering the system unresponsive to legitimate traffic.
TCP 3-way Handshake
The TCP 3-way handshake is the process used in a TCP/IP network to establish a connection between a client and a server.
- SYN: The client sends a SYN (synchronize) packet to the server.
- SYN-ACK: The server responds with a SYN-ACK (synchronize-acknowledge) packet.
- ACK: The client replies with an ACK (acknowledge), and the connection is established.
This handshake ensures both the client and server are ready for data transmission. Think of it as a polite introduction. Before two people (client and server) have a detailed conversation (data exchange), they introduce themselves and acknowledge each other.
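The handshake and the SYN flood above are two views of the same server-side state, so here is one added example (not from the original notes) that models both. A stateful listener records every SYN in a half-open table with a fixed backlog; when simulated SYNs arrive without their final ACK the table fills and a legitimate client is turned away, which is the SYN flood effect. A second listener uses SYN cookies, the usual mitigation: it stores nothing at SYN time and instead makes its initial sequence number an HMAC of the client tuple and a time slot, so the final ACK proves by itself that a SYN-ACK was sent. The backlog size, secret and addresses are constructed, and the cookie is simplified (real implementations also pack the MSS into the sequence number).

```python
"""Server-side model of the TCP 3-way handshake, with and without SYN cookies.
Added example; backlog, secret and client addresses are constructed."""
import hashlib
import hmac

BACKLOG = 4  # constructed, deliberately tiny half-open queue
SEQ_MASK = 0xFFFFFFFF


class StatefulServer:
    """Classic handshake: remember every SYN until its ACK arrives."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}   # (client_ip, client_port) -> server ISN
        self.established = set()

    def on_syn(self, client, isn=1000):
        if len(self.half_open) >= self.backlog:
            return "DROPPED"  # queue full: the SYN is silently discarded
        self.half_open[client] = isn
        return "SYN-ACK"

    def on_ack(self, client, ack_num):
        isn = self.half_open.get(client)
        if isn is None or ack_num != isn + 1:
            return "RST"
        del self.half_open[client]
        self.established.add(client)
        return "ESTABLISHED"


class SynCookieServer:
    """Stateless handshake: the ISN itself proves a SYN-ACK was sent."""

    def __init__(self, secret=b"constructed-secret"):
        self.secret = secret
        self.established = set()

    def cookie(self, client, time_slot):
        msg = f"{client[0]}:{client[1]}|{time_slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")  # 32-bit ISN

    def on_syn(self, client, time_slot):
        # No state is stored; the cookie rides in the SYN-ACK's sequence number.
        return "SYN-ACK", self.cookie(client, time_slot)

    def on_ack(self, client, ack_num, time_slot):
        # Accept only an ACK for a cookie we could have issued in the current
        # or previous time slot, so stale or forged ACKs are rejected.
        for slot in (time_slot, time_slot - 1):
            if (ack_num - 1) & SEQ_MASK == self.cookie(client, slot):
                self.established.add(client)
                return "ESTABLISHED"
        return "RST"


def syn_flood_demo(n_attack_syns=50):
    """Send SYNs that never complete to both server types, then try one
    legitimate client. Returns (stateful_result, cookie_result)."""
    legit = ("198.51.100.10", 51515)
    incomplete = [("203.0.113.%d" % (i % 254), 40000 + i) for i in range(n_attack_syns)]

    s = StatefulServer()
    for client in incomplete:
        s.on_syn(client)                   # no ACK ever follows
    stateful_result = s.on_syn(legit)      # "DROPPED": backlog exhausted

    c = SynCookieServer()
    for client in incomplete:
        c.on_syn(client, time_slot=7)      # nothing stored, nothing to exhaust
    _, isn = c.on_syn(legit, time_slot=7)
    cookie_result = c.on_ack(legit, isn + 1, time_slot=7)  # "ESTABLISHED"
    return stateful_result, cookie_result


if __name__ == "__main__":
    print(syn_flood_demo())
```

Under the flood the stateful server has four half-open entries it cannot age out fast enough, so the legitimate SYN is dropped; the cookie server has no table to fill, and the legitimate client completes normally.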
Smurf Attack
- Description: A specific kind of DDoS attack that exploits the vulnerabilities of ICMP and IP protocols. It employs an amplification network (broadcast messages) to inundate the victim with numerous response packets.
- Method: The attacker sends ICMP echo request packets (ping) to an IP broadcast address. These are then amplified across a network of host computers that respond to the request. This results in a flood of ICMP echo reply packets directed towards the victim's IP address.
- Example: Think of a person (attacker) standing in a stadium and shouting, "If you hear me, shout back!" Since the stadium (amplification network) is filled with people (host computers), they all shout back simultaneously, directing their voices at a single individual (victim). This individual becomes overwhelmed by the sheer volume of responses.
Fraggle Attack
- Description: A DoS attack where an attacker sends a large volume of spoofed UDP traffic to a router's broadcast address within a network. It's akin to the smurf attack but uses UDP instead of ICMP traffic.
Ping of Death
- Description: Involves sending an abnormally large ping packet. The max allowed packet size is 65,536 bytes. Ping of Death sends packets of size 65,537 bytes or larger.
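Teardrop and Ping of Death both abuse IP fragment reassembly, so here is one added example (not from the original notes) showing the checks a robust stack applies before trusting a fragment. The offset field counts 8-byte units, the IPv4 total-length field is 16 bits, so the check rejects any fragment whose end (plus the header) would exceed 65,535 bytes, and it rejects any fragment that overlaps data already received. The three fragment lists are constructed: a normal three-fragment datagram, a teardrop-style overlap, and a ping-of-death-style oversize last fragment.

```python
"""Defensive IPv4 fragment reassembly: reject overlapping (teardrop) and
oversize (ping of death) fragments. Added example; inputs are constructed."""
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65_535   # total-length field is 16 bits
IPV4_HEADER_LEN = 20         # minimal header; offsets count payload bytes after it


@dataclass(frozen=True)
class Fragment:
    offset_units: int    # fragment offset field, in 8-byte units
    payload_len: int     # bytes of payload carried by this fragment
    more_fragments: bool # MF flag; False marks the last fragment

    @property
    def start(self):
        return self.offset_units * 8

    @property
    def end(self):          # exclusive
        return self.start + self.payload_len


class Reassembler:
    """Collects fragments of one datagram; raises ValueError on hostile input."""

    def __init__(self):
        self.pieces = []       # list of (start, end), kept sorted
        self.total_len = None  # known once the last fragment arrives

    def add(self, frag):
        # Ping-of-death check: the reassembled datagram must fit the 16-bit length.
        if IPV4_HEADER_LEN + frag.end > IPV4_MAX_DATAGRAM:
            raise ValueError("fragment exceeds maximum IPv4 datagram size (ping of death)")
        if not frag.more_fragments:
            if self.total_len is not None and self.total_len != frag.end:
                raise ValueError("conflicting last-fragment lengths")
            self.total_len = frag.end
        # Teardrop check: no byte may be covered twice.
        for s, e in self.pieces:
            if frag.start < e and s < frag.end:   # intervals intersect
                raise ValueError("overlapping fragment (teardrop)")
        self.pieces.append((frag.start, frag.end))
        self.pieces.sort()
        return self.complete()

    def complete(self):
        """True when the sorted pieces cover [0, total_len) with no gaps."""
        if self.total_len is None:
            return False
        expected = 0
        for s, e in self.pieces:
            if s != expected:
                return False
            expected = e
        return expected == self.total_len


def classify(fragments):
    """Feed a fragment list through the reassembler; return 'ok', 'incomplete',
    or the ValueError message describing why it was rejected."""
    r = Reassembler()
    done = False
    try:
        for f in fragments:
            done = r.add(f)
    except ValueError as exc:
        return str(exc)
    return "ok" if done else "incomplete"


# Constructed inputs (1480-byte payloads fit a 1500-byte Ethernet MTU).
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 100, False)]
TEARDROP = [Fragment(0, 1480, True), Fragment(100, 1480, False)]      # second starts at byte 800
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(8100, 1000, False)]  # ends at byte 65,800

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP), ("ping-of-death", PING_OF_DEATH)]:
        print(name, "->", classify(frags))
```

A stack that skips the overlap check ends up copying the second teardrop fragment over the first (historically a kernel crash), and one that skips the size check writes past a buffer sized for the maximum datagram; rejecting the fragment and logging the reason is the safe behaviour in both cases.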
Network Defense: Honeypot
A Honeypot is essentially a decoy system or network resource with intentional flaws and pseudo data.
- Purpose: To attract potential attackers, allowing you to monitor their activities and study their techniques.
- Rules: Enticement, NOT entrapment. E.g., you can't let attackers download fake payroll files. Why? If legal or insurance matters arise, improper handling might jeopardize claims or cases.
- Goal: Deflect attackers from genuine assets and keep them contained long enough to gather intelligence or for possible identification.
As long as attackers are in the honeypot, they are not in the live network, and our administrators can observe. For example, our intrusion detection system may be able to transfer attackers into a padded cell after detection.
Honeynet
A Honeynet is an extension of the honeypot concept, but it involves a whole network set up for the same deceptive purpose.
Impersonation/Masquerading
- Impersonation or Masquerading is when authentication credentials are stolen or falsified to bypass authentication systems.
- Countermeasures:
- One-time pads
- Token authentication systems
- Encrypt traffic
- Employee awareness training
- Zero Trust
Modification Attacks
- In these attacks, captured packets are altered and then replayed against a system, designed to bypass improved authentication and session sequencing.
- Countermeasures:
- Digital signatures
- Packet checksums
- If you'd like to check a basic, real-life example, check out my blog post where I performed a Modification attack to gain an advantage in an online video game.
ARP Spoofing
- ARP spoofing involves sending ARP packets over a LAN with the attacker's MAC address and the target's IP address, causing traffic for the target to be redirected to the attacker.
- Countermeasures:
- Packet filtering
- ARP spoofing prevention software
- Protocols like TLS, SSH, HTTPS
- [info] ARP (Address Resolution Protocol) resolves IP addresses to MAC addresses on a local network.
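As an added example (not from the original notes) of the "ARP spoofing prevention software" countermeasure, the following monitor does what tools such as arpwatch do: it learns the MAC address first seen for each IP on the LAN and reports any later ARP reply that claims a different MAC for the same IP, which is the observable symptom of the redirection described above. An optional pinned table stands in for static ARP entries, the strongest host-side defence, so a bad mapping is caught even if it was the first one seen. The reply records and addresses are constructed.

```python
"""arpwatch-style detector for changing IP-to-MAC mappings.
Added example; the ARP reply records are constructed."""

# Constructed ARP reply records: (timestamp, sender_ip, sender_mac).
ARP_REPLIES = [
    ("09:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("09:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("09:00:03", "192.168.1.1", "aa:bb:cc:00:00:01"),   # same mapping, fine
    ("09:05:10", "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claims a new MAC
    ("09:05:11", "192.168.1.1", "de:ad:be:ef:00:99"),
]


def monitor_arp(replies, pinned=None):
    """Return a list of alert strings, one per reply that contradicts the
    trusted mapping for its IP. `pinned` maps IPs to the MAC they must have
    (static entries); otherwise the first observed MAC is trusted and kept,
    so every later conflicting reply is reported rather than silently accepted."""
    trusted = dict(pinned or {})
    alerts = []
    for ts, ip, mac in replies:
        known = trusted.get(ip)
        if known is None:
            trusted[ip] = mac          # learn on first sight (arpwatch behaviour)
        elif known != mac:
            alerts.append(f"{ts} {ip} expected {known} but reply claims {mac}")
    return alerts


def contested_ips(replies):
    """IPs for which more than one MAC has ever been claimed: a quick summary
    view for triage, independent of arrival order."""
    seen = {}
    for _, ip, mac in replies:
        seen.setdefault(ip, set()).add(mac)
    return sorted(ip for ip, macs in seen.items() if len(macs) > 1)


if __name__ == "__main__":
    for line in monitor_arp(ARP_REPLIES):
        print("ALERT", line)
    print("contested:", contested_ips(ARP_REPLIES))
```

Because the trusted mapping is kept rather than overwritten, the two replies at 09:05 both raise alerts; a host that instead overwrote its cache on every reply is exactly what the attack relies on.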
DNS Attacks
- DNS Poisoning:
- Attackers alter the domain-name-to-IP address mappings in a DNS server (for example, A records).
- Traffic can be redirected to a rogue system or even cause a DoS if the original DNS handles significant traffic.
- DNS Spoofing:
- Attackers send false replies to a requesting system before the valid DNS server's genuine response.
- Countermeasures:
- Only authorized DNS changes
- Restrict zone transfers
- Verify forwards
- Log privileged DNS activity
Homograph Attack
- Takes advantage of similarities in character sets to create deceptive international domain names (IDNs).
- Client-side Countermeasures:
- Modern browsers using punycode
- Disallow all IDNA sites
- Server-side Solutions: ICANN needs to implement appropriate policies.
- [info] For example, a malicious site might use "аpple.com" (with a Cyrillic 'а') instead of "apple.com".
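Here is an added example (not from the original notes) of the two client-side countermeasures listed above. It uses Python's built-in IDNA codec to show the punycode form a browser falls back to, and a mixed-script check that flags a label drawing letters from more than one writing system, which is what the Cyrillic-'а' "аpple.com" lookalike does. The classification of a character's script by the first word of its Unicode name is a simplification that is adequate for this check; a "disallow all IDNA sites" policy corresponds to rejecting any domain whose punycode form differs from the original.

```python
"""Client-side homograph checks: punycode display form and mixed-script labels.
Added example; the domains tested are constructed lookalikes."""
import unicodedata


def punycode(domain):
    """ASCII-compatible (xn--) form via Python's built-in IDNA codec."""
    return domain.encode("idna").decode("ascii")


def scripts_in(label):
    """Set of scripts used by the letters of one label, taken from the first word
    of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits and
    hyphens are ignored because they belong to no script."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch).split()[0])
    return scripts


def mixed_scripts(domain):
    """True if any label of the domain mixes more than one script."""
    return any(len(scripts_in(label)) > 1 for label in domain.split("."))


def assess(domain, allow_idn=True):
    """Return (display_form, verdict) as a browser-style warning banner would.
    With allow_idn=False every internationalized name is refused outright."""
    ascii_form = punycode(domain)
    is_idn = ascii_form != domain
    if is_idn and not allow_idn:
        return ascii_form, "blocked: IDN not allowed"
    if mixed_scripts(domain):
        return ascii_form, "warning: mixed scripts, showing punycode"
    return domain, "ok"


if __name__ == "__main__":
    # Constructed: the second name has a Cyrillic small 'а' (U+0430) in place of Latin 'a'.
    for name in ("apple.com", "\u0430pple.com"):
        print(name, "->", assess(name))
```

The lookalike encodes to xn--pple-43d.com, which no longer resembles the brand; showing that form (or refusing IDNs altogether) is precisely the browser behaviour the notes describe.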
Hyperlink Spoofing
- Can manifest as DNS spoofing or merely an alteration of hyperlink URLs. It's potent because users tend to click links without verifying.
- Countermeasures:
- Same precautions against DNS spoofing
- Services that mask and test links in a detonation chamber (e.g., SafeLinks in Microsoft ATP).
Phreaking
- A technique to exploit the telephone system for free long-distance calls, stealing services, or causing interruptions. The attacker is termed a 'phreaker'.
- Tools: Black, red, blue, white boxes
- [info] Phreaking historically involved manipulating analog phone systems using tones produced by tools like the blue box.
PBX Threats, Abuse, and Fraud
- IP phones can serve as business network entry points and are susceptible to attacks.
- Countermeasures:
- Use VoIP system's security features
- Restrict access, call types, and hours
- Delete sensitive voice mails once no longer needed
- Implement standard network security controls