024.2 Lesson 1
Certificate: | Security Essentials
---|---
Version: | 1.0
Topic: | 024 Network and Service Security
Objective: | 024.2 Network and Internet Security
Lesson: | 1 of 1
Introduction
In today’s interconnected world, understanding the foundational aspects of network security is essential for safeguarding data and maintaining the integrity of communications. One crucial area to consider is the implications of link layer access, which can expose vulnerabilities at the lowest layer of the network, potentially allowing attackers to intercept or manipulate traffic. Similarly, the risks and secure use of Wi-Fi networks are of increasing importance as wireless connectivity becomes ubiquitous, with poorly configured or unprotected networks presenting opportunities for unauthorized access.
Another critical area of focus is traffic interception, where attackers eavesdrop on or alter network traffic, posing significant risks to data confidentiality and integrity. Finally, understanding common security threats on the internet, such as denial-of-service attacks, man-in-the-middle attacks, and botnets, along with the appropriate mitigation strategies, is vital for IT professionals to protect systems from evolving cyber threats. Together, these topics form the backbone of network security, helping to prevent unauthorized access and ensure safe communication across digital environments.
Link Layer Access
The link layer is the first layer in the OSI model of networking. It handles the physical and data link aspects of network communication. This layer is responsible for how data is transmitted over a local network segment, managing things like frame transmission, error detection, and flow control. Devices in a network communicate through the link layer using protocols such as Ethernet or Wi-Fi. Access to this layer is critical for controlling how data is transmitted between devices on the same local network.
However, unauthorized access to the link layer can pose significant security risks. An attacker who gains access to this layer can potentially intercept, manipulate, or inject traffic into the network. This could allow them to perform a variety of attacks, such as packet sniffing, where the attacker captures and analyzes data packets, or a man-in-the-middle attack, where they intercept and possibly alter communications between two devices without the parties being aware. These attacks can lead to data breaches, unauthorized access to sensitive information, or even the disruption of network services.
One of the key risks in link layer access is poisoning of the Address Resolution Protocol (ARP). ARP is used to map IP addresses to MAC addresses on a local network, and an attacker can exploit this by sending falsified ARP messages to associate their MAC address with another device’s IP address. This allows the attacker to intercept or alter traffic intended for that device.
Mitigating the risks associated with link layer access requires securing the physical network infrastructure, implementing strong authentication mechanisms, and using encryption. For example, port security can be enabled on switches to limit access to authorized devices, and network segmentation can be employed to limit the scope of potential attacks.
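One practical check for the ARP poisoning described above is to compare the host's neighbour cache against a recorded baseline and look for one MAC address answering for several IP addresses. The following script is an added example, not part of the LPI lesson: it parses text in the format printed by `ip neigh show` on Linux, and the snapshot, the baseline MAC addresses and the `--live` option are constructed for the demonstration.

```python
"""Check an ARP/neighbour table for poisoning indicators.

Added example, not part of the LPI lesson. It parses text in the format
printed by `ip neigh show` on Linux and compares it with a baseline of
known-good MAC addresses for critical hosts (the default gateway here).
The snapshot and the baseline below are constructed sample data.
"""
import re
import subprocess
import sys
from collections import defaultdict

# Constructed snapshot in `ip neigh show` format. The gateway entry
# (192.168.1.1) now carries the MAC address of 192.168.1.77, which is
# what a successful ARP poisoning of this host would look like.
NEIGH_SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
192.168.1.90 dev eth0  FAILED
"""

# Constructed baseline: MAC addresses an administrator recorded for hosts
# whose identity matters most (gateway, DNS server, file server, ...).
BASELINE = {"192.168.1.1": "00:11:22:33:44:01"}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>\S+))?\s+(?P<state>\S+)$"
)


def parse_neigh(text):
    """Return a list of {ip, dev, mac, state} dicts; mac is None if unresolved."""
    entries = []
    for line in text.splitlines():
        match = NEIGH_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def find_anomalies(entries, baseline):
    """Return human-readable alerts for baseline mismatches and shared MACs."""
    alerts = []
    ips_by_mac = defaultdict(set)
    for entry in entries:
        if entry["mac"] is None:
            continue
        mac = entry["mac"].lower()
        ips_by_mac[mac].add(entry["ip"])
        expected = baseline.get(entry["ip"])
        if expected is not None and expected.lower() != mac:
            alerts.append(
                f"baseline mismatch: {entry['ip']} expected {expected}, "
                f"cache has {mac}"
            )
    # One MAC answering for several IPs is the classic poisoning symptom.
    # Treat it as a heuristic: a router that owns several addresses on the
    # segment will legitimately show up this way.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"shared MAC: {mac} claims {', '.join(sorted(ips))}")
    return alerts


def main():
    if "--live" in sys.argv:
        # Read the real table; `ip neigh show` is part of iproute2 on Linux.
        text = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = NEIGH_SNAPSHOT
    alerts = find_anomalies(parse_neigh(text), BASELINE)
    for alert in alerts:
        print("ALERT:", alert)
    return 1 if alerts else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without arguments it analyses the constructed snapshot and reports both indicators; with `--live` it reads the current neighbour cache. A static baseline is only as good as its upkeep, so a legitimate hardware replacement for the gateway must be followed by an update of `BASELINE`, otherwise the script raises a false alarm.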
In Wi-Fi networks, the challenges of securing the link layer are even greater due to the physics of wireless communication, where data is transmitted over open airwaves.
Wi-Fi Networks
Wi-Fi networks offer convenience and flexibility, allowing devices to connect wirelessly to the internet. However, they also present significant security risks, especially when they are not properly secured. One of the primary concerns arises with unencrypted and public Wi-Fi networks, which are commonly found in public spaces like coffee shops, airports, and hotels. These networks often provide open access to anyone in range, and because they lack encryption, the data transmitted over them is vulnerable to interception. Attackers can easily monitor network traffic and capture sensitive information, such as login credentials, personal data, or financial details, using techniques like packet sniffing. Public Wi-Fi networks are a prime target for cybercriminals looking to exploit these vulnerabilities.
To mitigate these risks, Wi-Fi security and encryption must be implemented to ensure that data transmitted between devices and the network is protected. Encryption scrambles data so that even if it is intercepted, it cannot be read or understood without the correct decryption key. Over time, various encryption standards have been developed to improve the security of Wi-Fi networks. One of the earliest was Wired Equivalent Privacy (WEP), but it was quickly found to be insecure due to flaws that allowed attackers to crack its encryption easily. As a result, WEP is now considered obsolete and should not be used.
The introduction of Wi-Fi Protected Access (WPA) improved security by addressing many of WEP’s weaknesses. WPA used Temporal Key Integrity Protocol (TKIP) to dynamically change the encryption key with each packet, making it more difficult for attackers to crack. However, WPA still had vulnerabilities, which led to the development of WPA2, the most widely used encryption standard today. WPA2 uses Advanced Encryption Standard (AES), which offers a much stronger level of encryption than its predecessors and remains the industry standard for Wi-Fi security.
Despite WPA2’s robustness, it is not entirely immune to attacks, and with the rise of more sophisticated cyber threats, newer standards like WPA3 have been introduced. WPA3 provides even stronger encryption and better protection against brute-force attacks. In secure environments, using the latest encryption standard and strong passwords is crucial to ensuring the confidentiality and integrity of data transmitted over Wi-Fi networks. Regularly updating routers and network equipment to support the latest security protocols also helps protect against emerging threats, ensuring that wireless networks remain secure from unauthorized access.
Traffic Interception
Traffic interception occurs when an unauthorized user, referred to as an attacker, gets in between the communication points of nodes on a network. This can also be called a man-in-the-middle attack. The forms of traffic interception could be either a passive or an active attack on the targeted hosts on the network.
Passive Traffic Interception
A passive attack, or passive traffic interception, happens when an attacker eavesdrops on the network transactions between hosts on a network. The attacker is likely to go undetected because the information exchanged between the hosts seems undisturbed, but it is being monitored and analysed by a man in the middle.
The motives of a passive traffic interceptor vary: stealing information in order to sell it, or rival companies trying to gain a competitive edge on the internet. Passive traffic interception is relatively difficult to detect because it doesn't alter the data transmitted across the network; the information is sent and received normally. A possible solution is not to detect but to prevent this type of attack, by encrypting the information travelling between the network points. However, knowing the communication patterns and what type of communication is being transmitted can still provide valuable information to an attacker in some situations.
Tip
The commands
Active Traffic Interception
An interception of traffic is an active attack if it involves the modification of data in transit across a network. In essence, interception is then not only eavesdropping, as with passive attacks, but can also involve attacks such as ARP spoofing on a switched LAN or the replay of captured, valid authentication data through cross-site scripting (mainly to act as another user on the network and so usurp that user's authorized privileges).
Active traffic interception is an active attack that could also involve the modification, redirection, or delay of messages in transit between the sending and receiving hosts on a network. An example is when a message sent was “Allow Jane Smith to edit profile account” but what was received was “Allow John Doe to edit profile account,” thereby altering the information’s integrity. The main idea is that the attacker modifies the message to suit their own intentions, which could be subtle attempts to gain higher privileges.
Passive and active traffic interception attacks to some extent require opposite protections. While administrators and users need to prevent the passive attack rather than detect it, they should detect an active attack and take actions as quickly as possible to remedy the situation and prevent further damage on the network.
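Detecting an active attack of the kind just described comes down to the receiver being able to tell that a message was modified or replayed. The script below is an added example, not from the lesson: it protects the lesson's own message ("Allow Jane Smith to edit profile account") with an HMAC and a sequence number, then shows the receiver rejecting the edited version and a replayed copy. The key, the packet layout (8-byte sequence number, then the message, then a 32-byte tag) and the `Receiver` class are constructed for the demonstration.

```python
"""Detect modification and replay of messages in transit with an HMAC.

Added example, not from the lesson. The message text is the lesson's own
"Allow Jane Smith to edit profile account"; the key, the packet layout
(8-byte sequence number || message || 32-byte tag) and the Receiver class
are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

# Constructed key. In practice both ends derive it from a key exchange
# (for example the TLS handshake), never from a literal in the source.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
SEQ_LEN = 8
TAG_LEN = 32  # SHA-256 output


def seal(key, seq, message):
    """Build seq || message || HMAC-SHA256(key, seq || message)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    """Verifies the tag and enforces strictly increasing sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def open(self, packet):
        if len(packet) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated packet")
        header = packet[:SEQ_LEN]
        body = packet[SEQ_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # compare_digest runs in constant time, so the comparison itself
        # leaks nothing about how many tag bytes matched.
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed: message modified or forged")
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            raise ValueError(f"replay detected: sequence {seq} already seen")
        self.last_seq = seq
        return body


def run_demo():
    """Return what the receiver does with a genuine, a tampered and a replayed packet."""
    receiver = Receiver(SHARED_KEY)
    packet = seal(SHARED_KEY, 1, b"Allow Jane Smith to edit profile account")
    outcomes = {"genuine": receiver.open(packet).decode()}

    # An active interceptor rewrites the name in transit, as in the lesson.
    tampered = packet.replace(b"Jane Smith", b"John Doe")
    try:
        receiver.open(tampered)
        outcomes["tampered"] = "accepted"
    except ValueError as err:
        outcomes["tampered"] = str(err)

    # A captured packet replayed later carries a sequence number already used.
    try:
        receiver.open(packet)
        outcomes["replayed"] = "accepted"
    except ValueError as err:
        outcomes["replayed"] = str(err)
    return outcomes


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:9}: {result}")
```

The tag covers the sequence number as well as the body, so an attacker cannot move a valid message to a new sequence number without invalidating it. Note what this does and does not give you: the receiver learns that a message was altered or replayed, which is the detection the paragraph above calls for, but the message body is still readable to a passive eavesdropper unless it is also encrypted.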
Tip
The commands
DoS and DDoS Attacks
Denial of service (DoS) is a form of an active attack that occurs when authorized users are denied access to a computer system, a network, or specific information. This is caused by an attack on the network or a particular system. To accomplish this attack, an attacker can exploit a known vulnerability in a specific application on the system or the operating system running on the host. The exploit often takes the form of the attacker flooding the system with so many requests that the machine is overwhelmed and crashes the system, thereby taking it offline or rendering it unusable for the authorized users.
When a denial of service attack is launched on a targeted host, the aim could be to hinder access to the host or, when combined with other actions, to compromise the computer system. It could also be used to gain unauthorized access to the computer system or the network. Examples of DoS attacks include SYN flooding and the Ping of Death.
In SYN flooding, the attack takes advantage of the three-way handshake that TCP/IP uses to set up a connection between two hosts. The attacker floods the host with connection requests faster than it can discard the ones that never complete the SYN, SYN/ACK, ACK sequence. The final ACK is what completes the handshake, but because the initial SYN comes from a forged IP address, that ACK never arrives and the host keeps the half-open connection waiting. Soon so many requests pile up that the host can no longer accept new connections, so genuine requests from authorized users are not processed on that host.
Ping of Death is another DoS attack that sends large Internet Control Message Protocol (ICMP) packets to a targeted host. Data packets should normally be less than 65,536 bytes (or 64 kilobytes), but when the packet size is larger than this and is sent to a host that is unable to handle such a large packet size, the system will freeze or crash and become unavailable to authorized users.
DoS attacks are usually executed by a single attacking system. However, when multiple systems have been employed to attack the target, it is referred to as Distributed Denial of Service (DDoS). In a DDoS attack, the attacker infects several other systems and makes them perform nefarious functions on its behalf. This can happen when users have been deceived into installing software on their computers that lies dormant for a while without their noticing. The attack might also take advantage of systems that have not been patched or updated against the latest known vulnerabilities. As soon as enough hosts have been infected, the attack is launched. This attack could be a SYN flood, with several infected hosts sending fake connection requests to a targeted server until it is overwhelmed.
One of the ways to prevent a SYN flooding DoS attack is to modify the time a host waits before it drops unused requests. It is also good security practice to ensure that systems are patched with the latest security updates. There are tools that can detect and get rid of dormant “zombie” software, as part of some anti-spyware or antivirus packages. While blocking the ICMP protocol could help prevent Ping of Death, it could also be a hindrance to legitimate and useful troubleshooting tools.
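The half-open connections a SYN flood leaves behind are visible on the target, and both patterns from the section above (one source with many, or many sources with one each) can be spotted in a snapshot of them. The script below is an added example, not from the lesson: its input mimics the output of `ss -tan state syn-recv` on Linux, the snapshot and thresholds are constructed, and the final function reads the kernel settings that implement the "wait less before dropping" mitigation the paragraph mentions.

```python
"""Spot SYN-flood symptoms in a snapshot of half-open TCP connections.

Added example, not from the lesson. The input mimics the output of
`ss -tan state syn-recv` on Linux (one half-open connection per line, the
peer address in the fourth column); the snapshot and thresholds are
constructed. The last function reports the kernel's SYN-cookie, SYN/ACK
retry and backlog settings, which are the mitigations the lesson describes.
"""
from collections import Counter
from pathlib import Path

# Constructed snapshot: one source holds five half-open connections,
# two other peers hold one each (ordinary connection setup in progress).
SS_SNAPSHOT = """\
Recv-Q Send-Q Local Address:Port  Peer Address:Port
0      0      10.0.0.5:443        203.0.113.9:40001
0      0      10.0.0.5:443        203.0.113.9:40002
0      0      10.0.0.5:443        198.51.100.4:51234
0      0      10.0.0.5:443        203.0.113.9:40003
0      0      10.0.0.5:443        203.0.113.9:40004
0      0      10.0.0.5:443        192.0.2.17:33005
0      0      10.0.0.5:443        203.0.113.9:40005
"""

# Constructed thresholds; tune them to the server's normal connection rate.
PER_SOURCE_LIMIT = 4   # one peer with this many half-open sockets is abnormal
TOTAL_LIMIT = 6        # many sources with one each is the distributed pattern


def parse_half_open(text):
    """Return a Counter of peer IP -> number of half-open connections."""
    peers = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue                                 # header or blank line
        peer_ip = fields[3].rsplit(":", 1)[0]        # strip the port
        peers[peer_ip] += 1
    return peers


def assess(peers, per_source_limit=PER_SOURCE_LIMIT, total_limit=TOTAL_LIMIT):
    """Classify the snapshot: peers over the per-source limit, and whether the total is alarming."""
    total = sum(peers.values())
    offenders = sorted(ip for ip, n in peers.items() if n >= per_source_limit)
    return {
        "total": total,
        "offenders": offenders,
        "flood_suspected": bool(offenders) or total >= total_limit,
    }


def syn_protection_settings():
    """Read the sysctl values that bound the wait for half-open connections (None if unavailable)."""
    settings = {}
    for name in ("tcp_syncookies", "tcp_synack_retries", "tcp_max_syn_backlog"):
        path = Path("/proc/sys/net/ipv4") / name
        settings[name] = path.read_text().strip() if path.exists() else None
    return settings


if __name__ == "__main__":
    report = assess(parse_half_open(SS_SNAPSHOT))
    print(report)
    print("kernel settings:", syn_protection_settings())
```

On a real server, feed it the live `ss -tan state syn-recv` output instead of the snapshot. Lowering `tcp_synack_retries` shortens how long each forged request occupies a slot, and `tcp_syncookies` lets the kernel keep accepting connections once the backlog is full, which are the two knobs behind the mitigation described above.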
Bots and Botnets
A bot is software that executes tasks under the control of another program. A group of bots that are operated and controlled across the network is called a botnet. A botnet could be used to perform legitimately required and lawful actions across the network — for example, when distributing computing workloads. However, a botnet could also be used for devious and harmful actions on the network, such as the DDoS attacks discussed in the previous section. Botnets could also be used as spyware to steal information using keyloggers across the network. Botnets could be used for email spamming, i.e. sending unsolicited messages to a target.
Usually, when a computer is infected by bot malware, the user is not aware of it, and the infection may spread to other hosts on the network. This can create a large botnet that is later used to launch a massive attack on a specific target. Bot developers are also capable of modifying their bots to evade security measures, such as IP blacklists and access controls, by using IP addresses from residential networks and rotating them on different occasions in order to avoid detection. All internet users should install dedicated security software, such as antispyware and antivirus packages, and update them regularly. These tools should then perform routine checks to help prevent an infection or an attack. It is also good security practice not to click on links or open email messages from unclear, unknown, or untrusted sources.
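Besides host-based scanning, an infected machine often gives itself away on the network: a bot checks in with its controller at a fixed interval, while a person's browsing is irregular. The following detector is an added example, not from the lesson; it groups an outbound connection log by source and destination and flags pairs whose inter-connection intervals are nearly constant. The log format, the hosts, the timestamps and the thresholds are all constructed.

```python
"""Flag periodic outbound connections that look like bot check-ins.

Added example, not from the lesson. The detector groups a connection log
by (source, destination) and flags pairs whose intervals between
connections are nearly constant. Log format, hosts, timestamps and
thresholds are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: one line per outbound connection, ISO timestamp first.
# 10.0.0.23 contacts 203.0.113.50 every 60 seconds (bot-like);
# 10.0.0.42's connections to 198.51.100.7 are irregular (user browsing).
CONNECTION_LOG = """\
2024-05-01T10:00:00 src=10.0.0.23 dst=203.0.113.50 dport=443 bytes=312
2024-05-01T10:00:05 src=10.0.0.42 dst=198.51.100.7 dport=443 bytes=9120
2024-05-01T10:01:00 src=10.0.0.23 dst=203.0.113.50 dport=443 bytes=310
2024-05-01T10:02:00 src=10.0.0.23 dst=203.0.113.50 dport=443 bytes=315
2024-05-01T10:02:15 src=10.0.0.42 dst=198.51.100.7 dport=443 bytes=4471
2024-05-01T10:02:27 src=10.0.0.42 dst=198.51.100.7 dport=443 bytes=802
2024-05-01T10:03:00 src=10.0.0.23 dst=203.0.113.50 dport=443 bytes=311
2024-05-01T10:04:00 src=10.0.0.23 dst=203.0.113.50 dport=443 bytes=309
2024-05-01T10:05:00 src=10.0.0.23 dst=203.0.113.50 dport=443 bytes=314
2024-05-01T10:09:07 src=10.0.0.42 dst=198.51.100.7 dport=443 bytes=12034
2024-05-01T10:09:40 src=10.0.0.42 dst=198.51.100.7 dport=443 bytes=655
"""

MIN_CONNECTIONS = 5      # need enough samples before judging regularity
MAX_JITTER = 0.10        # stdev/mean of the intervals below this is "too regular"


def parse_log(text):
    """Return {(src, dst): [timestamps]} with timestamps as datetime objects."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        flows[(fields["src"], fields["dst"])].append(datetime.fromisoformat(stamp))
    return flows


def interval_stats(timestamps):
    """Mean and population standard deviation (seconds) of the gaps between connections."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return statistics.mean(gaps), statistics.pstdev(gaps)


def find_beacons(flows, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Return (src, dst, mean_interval) for flows whose timing is suspiciously regular."""
    beacons = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        mean, stdev = interval_stats(stamps)
        if mean > 0 and stdev / mean < max_jitter:
            beacons.append((src, dst, mean))
    return beacons


if __name__ == "__main__":
    for src, dst, mean in find_beacons(parse_log(CONNECTION_LOG)):
        print(f"possible bot check-in: {src} -> {dst} every {mean:.0f}s")
```

This is a heuristic, not proof: software updaters, monitoring agents and NTP clients also poll on fixed schedules, so a flagged pair is a lead to confirm against an inventory of expected periodic traffic, and the infected host should then be scanned as the lesson advises. Some malware adds random delay to its check-ins precisely to defeat this check, which is why `MAX_JITTER` is a parameter rather than a constant.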
Packet Filters and Other Mitigation Strategies for Network Attacks
Packet filters can play a crucial role in mitigating various network attacks, such as SYN flood, Denial of Service (DoS), Distributed Denial of Service (DDoS), botnets, and man-in-the-middle attacks. A packet filter is a firewall mechanism that inspects incoming and outgoing packets at the network layer, analyzing their headers to determine whether they should be allowed or blocked based on predefined security rules.
Packet filters can mitigate SYN flood attacks, where an attacker overwhelms a server by sending a massive number of incomplete connection requests, by limiting the number of incoming SYN requests or by implementing SYN cookies, which allow the server to handle more connections without overloading resources. Packet filters can also detect and block the IP addresses of known attackers, preventing their traffic from reaching the server.
To prevent DoS and DDoS attacks, packet filters can identify abnormal traffic patterns — such as an unusually high number of requests from a single IP address or multiple sources in a DDoS scenario — and block or rate-limit that traffic. This prevents the server from becoming overwhelmed by malicious traffic, while legitimate requests continue to be processed.
When it comes to botnets, which are networks of compromised devices used to launch coordinated attacks, packet filters can detect traffic coming from known botnet IP addresses or block communications from devices that are behaving suspiciously. By blocking the command-and-control (C2) traffic used by botnet operators to manage the infected devices, packet filters can significantly reduce the effectiveness of botnet attacks.
Finally, packet filters can prevent man-in-the-middle attacks, where an attacker intercepts communications between two devices, by enforcing secure connections using protocols like HTTPS or SSL/TLS, which encrypt the traffic. Filters can also be configured to drop suspicious packets that appear to be part of a man-in-the-middle attack, such as those with altered headers or those originating from untrusted sources.
By properly configuring packet filters, organizations can significantly reduce the risk of various types of attacks, improving the security and integrity of their networks.
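To make the rule-based behaviour of a packet filter concrete, here is an added example (not from the lesson, and not the syntax of any real firewall) of a small stateless filter with first-match rules, a default-deny policy and a per-source rate limit. It models three mitigations from this section: a blocklist for a known attacker range, a cap on new TCP connections (SYNs) per source, and a rate limit on ICMP instead of blocking it outright. The addresses, ports and rules are constructed.

```python
"""A small stateless packet filter: first-match rules plus per-source rate limiting.

Added example, not from the lesson and not any real firewall's syntax.
It models the mitigations the lesson lists: a blocklist for known attacker
addresses, a per-source cap on new TCP connections (SYNs), and a rate
limit for ICMP rather than blocking it outright. Addresses, ports and
rules are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]
    flags: FrozenSet[str]      # TCP flags, e.g. frozenset({"SYN"})
    ts: float                  # arrival time in seconds


@dataclass(frozen=True)
class Rule:
    action: str                              # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    src: Optional[str] = None                # CIDR, e.g. "192.0.2.0/24"
    dport: Optional[int] = None
    flags: Optional[FrozenSet[str]] = None   # exact TCP flag set to match
    rate: Optional[int] = None               # max matches per source per window
    window: float = 1.0                      # seconds


class PacketFilter:
    def __init__(self, rules, default="DROP"):
        self.rules = rules
        self.default = default
        # (rule index, source IP) -> timestamps of recent matches
        self._history = defaultdict(deque)

    @staticmethod
    def _matches(rule, pkt):
        if rule.proto is not None and rule.proto != pkt.proto:
            return False
        if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
            return False
        if rule.dport is not None and rule.dport != pkt.dport:
            return False
        if rule.flags is not None and rule.flags != pkt.flags:
            return False
        return True

    def _within_rate(self, index, rule, pkt):
        """Sliding window: allow at most rule.rate matches per window per source."""
        recent = self._history[(index, pkt.src)]
        while recent and recent[0] <= pkt.ts - rule.window:
            recent.popleft()                 # forget matches outside the window
        if len(recent) >= rule.rate:
            return False
        recent.append(pkt.ts)
        return True

    def evaluate(self, pkt):
        """Return the action for pkt: the first matching rule wins, else the default policy."""
        for index, rule in enumerate(self.rules):
            if not self._matches(rule, pkt):
                continue
            if rule.rate is not None and not self._within_rate(index, rule, pkt):
                return "DROP"                # over the limit: treat as flood traffic
            return rule.action
        return self.default


def build_filter():
    """Constructed rule set for a web server at 10.0.0.5."""
    return PacketFilter([
        Rule("DROP", src="192.0.2.0/24"),                          # constructed known-bad range
        Rule("ACCEPT", proto="tcp", dport=443, flags=frozenset({"SYN"}),
             rate=3, window=10.0),                                 # cap new connections per source
        Rule("ACCEPT", proto="tcp", dport=443),                    # rest of the HTTPS exchange
        Rule("ACCEPT", proto="icmp", rate=5, window=1.0),          # keep ping usable, but bounded
    ])


if __name__ == "__main__":
    pf = build_filter()
    for i in range(5):
        pkt = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, frozenset({"SYN"}), i * 0.1)
        print(f"SYN #{i + 1} from {pkt.src}: {pf.evaluate(pkt)}")
```

Rule order matters: the blocklist sits first so that a known-bad source never reaches the accept rules, and the default policy drops anything no rule names (port 22 in the test below). The per-source window is what distinguishes a flood from legitimate bursts: a client that opens three connections and then goes quiet is back under the limit once its old matches age out of the window.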
Guided Exercises
- What is the difference between a DoS attack and a DDoS attack?
- What are the potential risks of unauthorized access to the link layer in a network, and what specific attack methods can be used at this layer?
- What is the difference between WEP, WPA, and WPA2 encryption standards, and why is it important to use the latest encryption protocols in Wi-Fi networks?
- How can packet filters help mitigate DoS and DDoS attacks, and what specific techniques do they use to prevent these types of attacks?
Explorational Exercises
- While Henry is working on his computer, he sees a quick pop-up display of the command prompt and it disappears, after which everything else appears to be normal on the computer. But while checking the processes running on the computer, he sees a strange process running as well. What is this likely to be, and what can he do immediately?
- Henry tries to eavesdrop on the network traffic between Dave and Carol, although their communication is encrypted. Is that possible?
- What kind of traffic interception is the attack described in the previous exercise?
Summary
This lesson discusses network security, starting with the risks of link layer access and highlighting attacks such as packet sniffing, man-in-the-middle attacks, and ARP poisoning. It emphasizes securing the physical infrastructure and using strong authentication.
The lesson also addresses the security risks of unencrypted public Wi-Fi and the evolution of Wi-Fi encryption standards, from WEP to WPA2 and WPA3. It further explains traffic interception, distinguishing between passive and active attacks. Lastly, it covers DoS, DDoS, and botnet attacks, and how packet filters can help mitigate these threats by blocking suspicious traffic.
Answers to Guided Exercises
- What is the difference between a DoS attack and a DDoS attack?
  While a Denial of Service uses a single system to attack a target, the Distributed Denial of Service uses multiple computers to perform the attack.
- What are the potential risks of unauthorized access to the link layer in a network, and what specific attack methods can be used at this layer?
  Unauthorized access to the link layer poses significant security risks, because attackers can intercept, manipulate, or inject traffic into the network. Specific attack methods include packet sniffing, where the attacker captures and analyzes data transmitted over the network, and man-in-the-middle attacks, where the attacker intercepts and possibly alters communications between devices. ARP poisoning is another common attack, where the attacker falsifies ARP messages to associate their MAC address with the IP address of another device, allowing them to intercept or modify traffic intended for that device.
- What is the difference between WEP, WPA, and WPA2 encryption standards, and why is it important to use the latest encryption protocols in Wi-Fi networks?
  WEP is the oldest Wi-Fi encryption standard and is now considered insecure due to flaws that allow easy cracking of its encryption. WPA improved security by using TKIP to dynamically change encryption keys, but it still had vulnerabilities. WPA2 is the most widely used standard today and provides stronger security by using AES encryption. It is important to use the latest encryption protocols, like WPA3, because they offer enhanced protection against brute-force attacks and other advanced threats, ensuring the confidentiality and integrity of data on Wi-Fi networks.
- How can packet filters help mitigate DoS and DDoS attacks, and what specific techniques do they use to prevent these types of attacks?
  Packet filters mitigate DoS and DDoS attacks by analyzing incoming and outgoing packets at the network layer and blocking or limiting traffic that matches suspicious patterns, such as a high volume of requests from a single IP address or multiple sources. To mitigate against SYN flooding attacks, packet filters can limit the number of SYN requests or use SYN cookies to handle more connections without overloading the server. To deal with DDoS attacks, packet filters help by identifying abnormal traffic patterns and rate-limiting or blocking malicious traffic while allowing legitimate traffic to pass through.
Answers to Explorational Exercises
- While Henry is working on his computer, he sees a quick pop-up display of the command prompt and it disappears, after which everything else appears to be normal on the computer. But while checking the processes running on the computer, he sees a strange process running as well. What is this likely to be, and what can he do immediately?
  This is likely to be a bot. The computer should be scanned with antivirus software.
- Henry tries to eavesdrop on the network traffic between Dave and Carol, although their communication is encrypted. Is that possible?
  Yes, it is possible to obtain information from the pattern of the message, the protocol type, and the timing of the traffic even though the message content is encrypted.
- What kind of traffic interception is the attack described in the previous exercise?
  Eavesdropping on the network traffic is a passive traffic interception attack.