Introduction to Network Security
Chapter 5: Physical Network Layer
Dr. Doug Jacobson - Introduction to Network Security - 2009

Topics
• Lower Layer Security
• Physical Layer Overview
• Common attack methods
• Ethernet
• Wireless Security
• General Mitigation Methods
Physical Layer Overview
[Figure: structure of the physical network layer. The upper layer hands digital data in bytes to the network service access points and data buffers, which are handled by software drivers (software). Digital data in bytes then passes to the device interface, the medium access protocol and the medium access hardware (hardware), which place a physical-media-specific signal onto the physical media.]

Common Attack Methods
• Spoofing
• Sniffing
• Physical Attacks
Hardware Addressing
[Figure: devices D1-D7 attached to networks N1, N2 and N3, which are joined by routers R1 and R2. Every interface has its own hardware address (HW-D1 through HW-D7 for the devices; HW-R1a, HW-R1b, HW-R2a and HW-R2b for the router interfaces). A packet is shown crossing from one network to another.]

Hardware Address Spoofing
[Figure: Computer 1 (HW = A1) on Network A; Router 1 with HW = A2 on Network A and HW = B1 on Network B; Router 2 with HW = B3 on Network B and HW = C1 on Network C; Computer 2 (HW = C2) on Network C. Attacker 1, Attacker 2 and Attacker 3 are positioned along the path through Networks A, B and C.]
Network Sniffing
[Figure: network sniffing diagram; no text recoverable.]

Physical Attacks
• Bad network cable
• Network cable loop (both ends plugged into the same device)
• Bad network controller
• Two network controllers with the same hardware address
Wired Network Protocols
• Many protocols
• Local Area Networks (LAN)
  – Ethernet is the most common
• Wide Area Networks (WAN)

Ethernet
• Developed in 1973 by Xerox
• Speeds
  – 10 Mbps
  – 100 Mbps
  – 1000 Mbps (gigabit)
  – 10 Gigabit
Ethernet Transmission Media

Name         Cable type      Speed       Maximum distance between devices
10Base2      Coax            10 Mbps     185 meters
10BaseF      Fiber           10 Mbps     500 meters
10BaseT      Twisted pair    10 Mbps     100 meters
100BaseT     Twisted pair    100 Mbps    100 meters
100BaseFX    Fiber           100 Mbps    1000 meters
1000Base-X   Fiber or coax   1000 Mbps   Depends on cable type

Coaxial Ethernet
[Figure: devices D1-D7 and router R1 all attached to a single shared coaxial cable, with a packet travelling along the cable.]
Ethernet Access Method
• CSMA/CD
  – Listen
  – Talk if no one else is talking
  – Back off if more than one talks at a time
  – Minimum packet length is used to guarantee that a collision can be seen by all machines. This also puts a limit on the length of the cable.

Figure 5.5 CSMA/CD Ethernet Protocol (flowchart, as steps):
1. Packet to send: listen to the medium.
2. Not quiet: keep listening.
3. Quiet: send and listen for a collision.
4. No collision: send more data until done; packet sent.
5. Collision: increase N. If N > 16, stop with an error; otherwise pick a random number between 1 and N, wait that long, and go back to step 1.
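The Figure 5.5 flowchart as runnable code, added here as an example that is not part of the deck. The medium is a constructed script of what the sender observes on each pass through "Listen", so a run is reproducible; `csma_cd_send`, `MAX_ATTEMPTS` and the `standard_backoff` flag are my names. With `standard_backoff=True` the backoff range switches from the figure's 1..N to the truncated binary exponential backoff of IEEE 802.3 (0 to 2^min(N,10) - 1 slot times, 16 attempts), which is what real controllers implement.

```python
"""CSMA/CD send procedure from Figure 5.5 (added example, not the deck's own
code). The medium is a constructed script of observations."""
import random

MAX_ATTEMPTS = 16   # the flowchart gives up with an error once N > 16


def csma_cd_send(medium, rng=None, standard_backoff=False):
    """Run one packet through the flowchart.

    medium: iterable of observations, one per pass through "Listen":
        "busy"      -> someone else is talking, listen again
        "collision" -> medium was quiet, we sent, and a collision was seen
        "ok"        -> medium was quiet, we sent, no collision: packet sent
    Returns (sent, attempts, backoffs): whether the packet got through, how
    many transmission attempts were made, and the backoff value chosen
    after each collision.
    """
    rng = rng or random.Random(0)   # seeded so a run is reproducible
    n = 0                           # collision counter N from the flowchart
    backoffs = []
    for seen in medium:
        if seen == "busy":
            continue                # not quiet: keep listening
        if seen == "ok":
            return True, n + 1, backoffs
        # collision: increase N, give up past the limit, otherwise back off
        n += 1
        if n > MAX_ATTEMPTS:
            return False, n, backoffs
        if standard_backoff:
            # IEEE 802.3 truncated binary exponential backoff (my addition):
            # wait 0 .. 2**min(n, 10) - 1 slot times
            wait = rng.randint(0, 2 ** min(n, 10) - 1)
        else:
            wait = rng.randint(1, n)   # the figure: random between 1 and N
        backoffs.append(wait)
    raise RuntimeError("medium script ended before the packet was sent")


if __name__ == "__main__":
    # constructed medium: busy once, two collisions, then success
    print(csma_cd_send(["busy", "collision", "busy", "collision", "ok"]))
    print(csma_cd_send(["collision"] * 17))   # error after 16 collisions
```

Each collision only widens the range the sender draws from; a station that keeps colliding on every attempt still stops after the 17th, which is the "Error" exit of the figure.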
Ethernet Collision Domain
• The range that is affected when a collision occurs
• For 10 Mbps Ethernet it is 2500 meters
• This can be changed by using switches and routers (more later)

Connecting Devices
• Repeater (physical layer only)
• Hub (multi-port repeater)
• Bridge (layer 2 only)
• Router (layer 3)
• Layer 2 switch
• Layer 3 switch
Ethernet Hubs
[Figure: computers C1-C7 connected through a tree of four hubs.]

Ethernet Switches
• Collisions can slow the network down
• Switches create multiple collision domains
• Typically one machine per leg of the switch
• Switches only pass traffic to the leg of the switch where the destination is located
• Switches reduce the traffic on each leg
  – Problem with network monitoring
Ethernet Switch
[Figure: router R1 connects to port P1 of Switch 1. The other ports of Switch 1 (P2-P4) lead to computer C1 and to Switches 2 and 3, each of which uses its own P1 as the uplink. One of these serves C3 and C4; the other serves C2 and, on a further port, Switch 4, whose ports P2-P4 serve C5, C6 and C7.]

Port table, switch 2
Port   HW Address
P1     Uplink
P2     C2
P3     Multiple

Port table, switch 4
Port   HW Address
P1     Uplink
P2     C5
P3     C6
P4     C7

Ethernet Tap Points
[Figure: two ways to reach a monitoring point in a switched network. Either a hub or tap is inserted between the router and port P1 of Switch 1, giving a monitoring point on the uplink, or a spanning (mirrored) port is configured on Switch 1. Below Switch 1, Switches 2 and 3 serve C2-C5.]
Ethernet Frame

Field                      Size
Preamble (on wire only)    7 bytes
Start Frame Delimiter      1 byte
Destination Address        6 bytes
Source Address             6 bytes
Type or Length             2 bytes
Data                       46-1500 bytes
FCS                        4 bytes

Ethernet Addresses
• Goal is to have all addresses globally unique
• 6 bytes
  – Upper 3 bytes vendor code
  – Lower 3 bytes independent
• All 1's = broadcast address
Ethernet Type/Length
• If value < 0x800 then it is a length field, otherwise it is a protocol type field. Some common types (hex) are:
  – 0800 DoD Internet Protocol (IP)
  – 0805 X.25 level 3
  – 0806 Address Resolution Protocol (ARP)
  – 6003 DECNET Phase IV
  – 6004 DEC LAT
  – 809B EtherTalk
  – 80F3 AppleTalk ARP

Attacks and Vulnerabilities
• Header-based
• Protocol-based
• Authentication-based
• Traffic-based
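The frame layout, the address rules and the type/length rule from the three slides above, put into a parser. This is an added example, not code from the deck; the frames it handles are constructed in the block, `build_frame`, `parse_frame`, `fcs` and `TYPE_NAMES` are my names, and the parser assumes the controller has already stripped the preamble and start frame delimiter. The length/type cutoff follows the deck (0x800); IEEE 802.3 places the boundary at 0x600, and the two rules agree for every type listed on the slide and every valid length up to 1500.

```python
"""Parse and check an Ethernet frame as laid out on the Ethernet Frame slide
(added example, not from the deck). The frame bytes below are constructed."""
import struct
import zlib

BROADCAST = b"\xff" * 6          # all 1's = broadcast address
TYPE_NAMES = {                   # types from the Type/Length slide
    0x0800: "DoD Internet Protocol (IP)",
    0x0805: "X.25 level 3",
    0x0806: "Address Resolution Protocol (ARP)",
    0x6003: "DECNET Phase IV",
    0x6004: "DEC LAT",
    0x809B: "EtherTalk",
    0x80F3: "AppleTalk ARP",
}


def fcs(frame_without_fcs):
    """Ethernet FCS: CRC-32 over dst..data, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst, src, type_or_len, payload):
    """Assemble dst|src|type|data|FCS, padding data to the 46-byte minimum."""
    payload = payload.ljust(46, b"\x00")
    body = dst + src + struct.pack("!H", type_or_len) + payload
    return body + fcs(body)


def parse_frame(frame):
    """Split a frame (preamble and SFD already stripped by the controller) into
    its fields and report the header properties the slides discuss."""
    if len(frame) < 6 + 6 + 2 + 46 + 4:
        raise ValueError("frame shorter than the 64-byte minimum")
    dst, src = frame[0:6], frame[6:12]
    (tl,) = struct.unpack("!H", frame[12:14])
    data, trailer = frame[14:-4], frame[-4:]
    # The deck's rule: below 0x800 the field is a length, otherwise a type.
    # (IEEE 802.3 puts the boundary at 0x600; both rules agree for every
    # type on the slide and every valid length <= 1500.)
    is_length = tl < 0x800
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "broadcast": dst == BROADCAST,
        "dst_vendor_code": dst[:3].hex(":"),   # upper 3 bytes = vendor code
        "src_vendor_code": src[:3].hex(":"),
        "length": tl if is_length else None,
        "type": None if is_length else tl,
        "type_name": None if is_length else TYPE_NAMES.get(tl, "unknown"),
        "fcs_ok": trailer == fcs(frame[:-4]),
        "data_len": len(data),
    }


if __name__ == "__main__":
    # constructed frame: broadcast destination, made-up source, ARP type
    frame = build_frame(BROADCAST, bytes.fromhex("001122aabbcc"), 0x0806,
                        b"constructed arp body")
    for key, value in parse_frame(frame).items():
        print(f"{key:16} {value}")
```

The `fcs_ok` check is what the controller does before handing the frame up; a frame that fails it is dropped silently, which is why a bad cable or a faulty controller shows up as lost traffic rather than as corrupt data at the upper layers.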
Header-Based
• Attacks
  – Setting the destination address as a broadcast address can cause traffic problems
  – Setting the source can cause switches to get confused
• Mitigation
  – Very difficult to mitigate

Protocol-Based
• Protocol is simple and is in hardware
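A learning switch built around the port table shown on the Ethernet Switch slide, added here as an example (not the deck's code) that also illustrates the two header-based attacks just listed: a broadcast destination is flooded out every other leg, and a source address that shows up on a second leg overwrites the table entry. Frames are constructed (dst, src, in_port) tuples; `LearningSwitch`, `forward`, `port_table`, the `alerts` list and the per-port address limit are my additions, the last one modelled on the port-security features real switches offer.

```python
"""Learning switch with the per-port table from the Ethernet Switch slide
(added example, not from the deck). Frames are constructed tuples."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, uplink=None, max_addrs_per_port=None):
        self.ports = list(ports)
        self.uplink = uplink          # the leg behind which many hosts sit
        self.limit = max_addrs_per_port
        self.table = {}               # hw address -> port it was learned on
        self.alerts = []              # events a network monitor would want

    def _learn(self, src, in_port):
        known = self.table.get(src)
        if known is not None and known != in_port:
            # the same source arriving on two legs is how a spoofed or
            # duplicated source address "confuses" the switch
            self.alerts.append(f"{src} moved from {known} to {in_port}")
        if self.limit and in_port != self.uplink:
            on_port = [a for a, p in self.table.items() if p == in_port]
            if src not in on_port and len(on_port) >= self.limit:
                self.alerts.append(f"{in_port}: address limit reached, "
                                   f"{src} not learned")
                return
        self.table[src] = in_port

    def forward(self, dst, src, in_port):
        """Return the list of ports the frame is sent out on."""
        self._learn(src, in_port)
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood
        out = self.table[dst]
        return [] if out == in_port else [out]               # one leg only

    def port_table(self):
        """Port -> hw address, with 'Multiple' where several are known
        (the uplink entry on the slide)."""
        by_port = defaultdict(list)
        for addr, port in self.table.items():
            by_port[port].append(addr)
        return {p: (by_port[p][0] if len(by_port[p]) == 1 else "Multiple")
                for p in self.ports if p in by_port}


if __name__ == "__main__":
    sw = LearningSwitch(["P1", "P2", "P3", "P4"], uplink="P1",
                        max_addrs_per_port=1)
    print(sw.forward("C6", "C5", "P2"))      # unknown destination: flooded
    print(sw.forward("C5", "C6", "P3"))      # known: only P2
    print(sw.forward(BROADCAST, "C7", "P4"))  # broadcast: flooded
    print(sw.forward("C5", "R1", "P1"))
    print(sw.port_table())
```

The flood path is the reason broadcast-destination frames cause traffic problems on every leg at once, and the "moved" alert is the signal a monitor has that a source address is being set by something other than its original owner; a per-port address limit keeps one leg from rewriting entries that belong to another.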
Authentication-Based
• You can set the hardware address
• Hardware address is used to authenticate in switches
• Hardware addresses can be used to authenticate devices in a network

Authentication-Based
• Destination address spoofing
• Destination address is obtained dynamically via a protocol
• Trick a device into thinking you are the destination (ARP Poisoning)
• No good mitigation method
ARP Poisoning
[Figure: device D1, an attacker and router R2 all connected to the same switch.]

Authentication-Based
• Source address spoofing
• Source address is not used for authentication by default
• New security and network management methods are starting to use the source address to authenticate the device (Network Access Control [NAC])
• More on NAC as a general countermeasure later
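Since the slides give no good mitigation for ARP poisoning, the practical defender's move is to watch for it. This added example (not the deck's code) is a small arpwatch-style monitor: it parses ARP-over-Ethernet frames, records which hardware address first claimed each IP address, and raises an alert when a later reply claims the same IP with a different address or when the Ethernet source does not match the ARP sender field. `ArpMonitor`, `parse_arp_frame` and `build_arp` are my names; the frames are constructed in the block, without preamble or FCS. A binding change also happens legitimately when a card is replaced, so this is a detection signal for a person to look at, not something to block on automatically.

```python
"""arpwatch-style ARP monitor for the ARP Poisoning slide (added example,
not from the deck). It only observes traffic. Frames are constructed,
without preamble or FCS."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen oper sha spa tha tpa


def parse_arp_frame(frame):
    """Return (eth_src, sender_hw, sender_ip, oper) for an Ethernet/IPv4 ARP
    frame, or None for anything else."""
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        return None
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:14 + struct.calcsize(ARP_FMT)])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None           # not Ethernet/IPv4 ARP
    return eth_src, sha, ".".join(str(b) for b in spa), oper


class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # ip -> hardware address first seen claiming it
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; returns the sender IP for ARP frames, else None."""
        parsed = parse_arp_frame(frame)
        if parsed is None:
            return None
        eth_src, sha, ip, oper = parsed
        if eth_src != sha:
            self.alerts.append(f"{ip}: frame source {eth_src.hex(':')} != "
                               f"ARP sender {sha.hex(':')}")
        old = self.bindings.get(ip)
        if old is None:
            self.bindings[ip] = sha
        elif old != sha:
            self.alerts.append(f"{ip}: changed from {old.hex(':')} "
                               f"to {sha.hex(':')}")
        return ip


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Constructed ARP-over-Ethernet frame (no preamble, no FCS)."""
    spa_b = bytes(int(x) for x in spa.split("."))
    tpa_b = bytes(int(x) for x in tpa.split("."))
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, spa_b, tha, tpa_b)
    return eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP) + body


if __name__ == "__main__":
    # constructed addresses for the figure: D1, R2 and a third station
    d1 = bytes.fromhex("020000000001")
    r2 = bytes.fromhex("020000000002")
    other = bytes.fromhex("0200000000aa")
    mon = ArpMonitor()
    mon.observe(build_arp(d1, r2, 2, r2, "10.0.0.1", d1, "10.0.0.7"))
    mon.observe(build_arp(d1, other, 2, other, "10.0.0.1", d1, "10.0.0.7"))
    print(mon.alerts)
```

The second check (Ethernet source versus ARP sender hardware address) catches frames assembled by software that fills the two fields inconsistently; the first check catches the poisoning itself, whichever fields were used.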
Traffic-Based
• Attack
  – Ethernet controllers can be set in promiscuous mode, which enables them to sniff traffic
• Mitigation
  – Encryption, VLAN (more later)
• Broadcast traffic can cause flooding; hard to flood unless directly connected to the LAN
• No good mitigation for flooding

Wireless Security Topics
• Standards
• Devices
• Protocol
• Packet Format
• Vulnerabilities
• Mitigation
Wireless Standards

Name      Frequency   Data Rate       Max Distance
802.11a   5 GHz       54 Mbps         30 meters
802.11b   2.4 GHz     11 Mbps         30 meters
802.11g   2.4 GHz     11-54 Mbps      30 meters
802.11n   2.4 GHz     200-500 Mbps    50 meters

Signal Reflection
[Figure: signal reflection diagram; no text recoverable.]
Wireless Ethernet 802.11
• Two topologies
  – IBSS Independent Basic Service Set
    • Ad-hoc, all stations are peers
  – ESS Extended Service Set
    • AP – Access points connected to a network
    • Station plus the AP form a BSS

Wireless Network Environment
[Figure: stations A-E and three access points: Access point A (SSID = LAB), Access point B (SSID = OFFICE) and Access point C (SSID = SERVER ROOM), connected through a switch to a router.]