Introduction to Network Security

First we have to understand the concept of SECURITY in general. SECURITY may be define as safe guarding of our assets or important good. The degree of security provide to our assets is based on nature of importance and its need for us.

SECURITY
Family Security Social Security Home/ Internal Security National Security International Security IT/Networking Security

IT/Network Security
The Computer Security Institute (CSI) has produced many reports on security. IT Security deals with every terms used in Information Technology including N/W Security. Network Security deals with only component utilized in networking (Internet/Intranet) including manipulation of Internet Protocols. Internet protocols (TCP/UDP/ICMP/IGMP) are customized by the Networking administrator as per the security policies of the company.

NETWORKING SECURITY
N/W Security involves securing the Network from internal or external threats. It also involves finding the balance between open and evolving network and protecting companys private data. In brief, we can say that Networking security is a process to counter any unauthorized access or illegal intrusion in to the network.

TO PROVIDE AN EFFECTIVE SECURITY, A COMPANY MUST DEAL WITH THREE THINGS

Adversaries :
An Adversaries is a person, interested in attacking your network. Some common adversaries : Disgruntled employees Skilled or unskilled hackers Criminal or Terrorist Other Countries Competing Companies

Motivation :

The Range of Adversarys motivation are : To gathering or stealing information (competing companies and criminals To Denial of Services (Terrorist, Other counties and criminals) To Challenge (Hackers)

Class of Attacks : Adversaries can employ five types of attacks : Passive Active Distributed Insider Close-in

Class of Attacks Passive:

In this Attackers gain access to the information or data without knowledge of users.
Capturing & monitoring unencrypted/ unprotected communication. Looking for Clear text password

A FIREWALL IS A SYSTEM OF HARDWARE OR SOFTWARE THAT CONTORLS ACCESS BETWEEN TWO OR MORE NETWORKS. THE PERFORMANCE OF THE FIREWALL IS SIMILAR TO THAT OF A PHYSICAL WALL THAT HELPS TO KEEP FIRE FROM SREADING. HERE WE CAN SAY FOR EASY OF UNDERSTANDING THAT : FIRE MEANS Illegal Intrusion or unauthorized access of system or network AND WALL MEANS Protection or Policies to counter unauthorized access

FUNCTION OF FIREWALL
The firewall has only two major functions : a. To permit the traffic b. To deny the traffic All firewalls perform above functions of examine the network traffic and directing that traffic based on the rules set (may be predefine in system or may be defined by Administrator as per the Companies network policies.

METHODE OR TYPES OF FIREWALL

There are methods of traffic control in the network and Firewall using one of these method. a Packet Filtering b Proxy Service C State-full Inspection

1. Packet Filtering :

- Oldest and most commonly used Firewall Technology. - Inspecting only the traffic occurs at L3 and L4 layer. - Analyze IP packets and compare them to the set of establish rules called ACL - Following elements are inspected for this method : a. Source & Destination IP Address b. Source & Destination Port. c. Protocols (Used by name or number)

2. Proxy Service:
When information from the Internet is retrieved by the Firewall and then it is sent to the system for the host who had requested the same. Proxy works on behalf of the host on the protected network segment. The protected host never actually make any connection with the out side world.

Inside or Protected Network

Proxy Server

3. State-full Inspection: In this method , certain parts of packet are compared to a database of trusted information. Firewall maintain state table for each traffic passing through the Firewall from Inside Network and allow response for traffic that generated from Inside. This arrangement is inbuilt in Firewall Algorithm.

Stateful packet filtering

They are more intelligent than simple packet filters in that they can block all incoming traffic and still can allow return traffic generated by the machines sitting behind them. These can keep track of a variety of information regarding the packets that are traversing them, including the following:

1. 2. 3. 4.

Source & destination TCP & UDP port nos. TCP sequence numbering TCP flags UDP traffic tracking based on timers

TYPES OF FIREWALL
a. Packet Filtering - Static Filtering - Dynamic Filtering - State full Inspection b. Circuit Gateway c. Application Proxy d. Hybrid PC Firewall, SOHO Firewall, F/W Application, Large Enterprise Firewall

COMPONENT OF FIREWALL
Consol : Logs :
Provides constant updates of Network traffic - contain Status of Security Level & Application Firewall maintain three types of logs

a) Security Logs It records potential threatening activities such as port scanning, DoS etc. The logged event consist date & time of event, No. of attacks, Severity, direction (Inbound/outbound) b) System Logs : It records operational changes such as S/w execution error, S/W modification, Start/ending services etc. Systems logs are useful for troubleshooting because they carry information about error & warnings.

c) Traffic & Packet Logs : It allow to capture & record all the data that enter or leave from computer or network. It gives information about traffic passes through the firewall , blocked traffic at F/W, Time/Date, Type of traffic, No. of event occur during certain period, IP address of attempted attacks, name of the host computer and IP address of user.

Application List :

It is the list of running Application and displays all application and services. User is able to make changes to the list by restricting access to some application and giving permission to others

Configuration Option : Advanced Rules:

It allows the user to set up configuration and contains log files, Network browsing rights, password protection and notification for attacks.

These rules are apply to all application. Administrator sets these rules as per Networks policies

Positioning of Firewall
Some of the basic guidelines for positioning of a firewall are as follows:1. Topological location of the firewall: It is often a good idea to place a firewall on the periphery of a private network, as close to the final exit and the initial entry point into the network.

In most cases firewalls shouldnt be placed in parallel to other network devices such as routers. This can cause firewall to be bypassed.

Positioning of Firewall
2. Accessibility & Security Zones: If there are servers that need to be accessed from the public network, such as Web servers, it is often a good idea to put them in demilitarized zone (DMZ) A DMZ allows publicly accessible servers to be placed in an area that is physically separate from the private network, forcing the attackers who have somehow gained control over these servers to go through the firewall again to gain access to the private network.

Positioning of Firewall
3. Layering Firewalls:
In networks where a high degree of security is desired, often two or more firewalls can be deployed in series. If the first firewalls fails, the second one can continue to function.

This technique is often used as a safeguard against network attacks that exploit bugs in a firewalls software, if one firewall software is vulnerable to an attack, hopefully the software of the second firewall sitting behind it will not be.
Firewalls from different vendors are often used in these setups.

Adaptive Security Algorithm

Flavors of ASA & Introduction to Security Appliances

PIX (Packet Internet Exchange) Using Finesse Operating System
ASA (Adaptive Security Appliance)- Cisco Proprietary used with Security Policy
SOHO PIX ASA PIX501 5505 ROBO PIX506E 5510 SMB 515E 5520 ENTERPRISE SP PIX525 5540 PIX535 5580-20 5580-40

SOHO Small Office Home Office ROBO-Remote office Branch Office SMB Small/ Medium Size Business SP Service provider

Adaptive Security Algorithm

ASA is the foundation on which a firewall is built. It defines how firewall examines traffic passing through it and applies various rules The basic concept behind ASA is to keep track of various connections being formed from networks behind the firewall to the public network. ASA also defines the information a firewall saves for any given connection made through it (this is called state information where TCP is used). The ASA algorithm also defines how the state and the other information is used to track the session passing through the firewall. To achieve this behavior, firewall keeps track of following information: 1. IP packet source and destination information. 2. TCP sequence nos & additional TCP flags. 3. UDP packet flow & timers.

 The Cisco Adaptive Security Appliances are purpose-built solutions that combine the most effective security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture. Additionally, the adaptive security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates adaptive security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the adaptive security appliance

ASA FIREWALL

Basic Features of ASA Firewall

This section discusses some of the basic features of ASA, these features are the fundamental building blocks of the firewall. 1. Secure and proprietary Operating System 2. State-full Inspection of Traffic 3. Sequence Number Randomization (SNR) to secure TCP connections 4. Cut through Proxy for authenticating telnet, HTTP and FTP 5. Default Security Policy to ensure maximum protection, as well as the ability to customize these policies and build your own policies 6. VPN abilities : IP Sec, SSL and L2TP 7. NAT and ACL 8. Multiple context/ Virtualization of Policies using context 9. Failover and redundancy. 10. IDS and IPS

SECURITY POLICY OVERVIEW

Security policy determines which traffic is allowed to pass through ASA to access another Network.
By default (a).Traffic from higher Security level to lower Security level is allowed. (b).Only TCP and UDP traffic are inspected, rest of the traffic are denied. ACL can be use to customize the default policies for permitting or denying the traffic. Applying NAT Applying HTTP, HTTPS or FTP filtering (By conjunction with separate Server running one of the following internet filtering product. i. Web Sense Enterprise ii. Secure computing Smart Filter Applying Application Inspection. Securing traffic to AIP-SSM (Advanced Inspection & Prevention Security Service Module) & CCS-SSM (Content Security & Control - Security Service Module) modules. Applying QoS Policies (for Voice , Video streaming traffic) Applying connection limits to prevent from DoS attacks and TCP Normalization (Advanced connection setting to drop abnormal packets. Enabling threat detection.

Assigning Varying Security Levels to Interfaces

ASA allows varying security levels to be assigned to its various interfaces. These segments are called Security Zones. Each interface can be assigned a level from 0 to 100. The interface connected to the public network has 0 level assigned to it i.e.,

Outside Int.
The interface sitting on the private network has a security level of 100, i.e., Inside int. (most secure).

DMZ interfaces have a security levels between 0 to 100.

NOTE:By default, traffic can flow freely from a high security level interface to a low security level interface. For traffic to flow from a low security level to a high security level, rules need to be explicitly defined.

Stateful Inspection of Traffic:

1. Outbound connections are allowed, except specifically denied by ACL. Inbound connections or states are denied, except those specifically allowed. All ICMP packets are denied unless they are specifically permitted, this includes echo replies to the pings originated from inside network.

2.

3.

CONNECTION TEBLE
Inside IP Add 192.168.1.1 IP Protocol Inside IP Port Outside IP Add TCP 11500 201.201.201.1 Outside Port 80

2 Internal Network
STATEFULL FIREWALL

Internet 3

PC- A 192.168.1.1
STATEFUL INSPECTION

WebServer 201.201.201.1

1. A user PC-A located in Inside Network perform HTML request to a Web Server Outside your network. 2. As the request reaches the Statefull Firewall, the Firewall store the user information (Src & Dst Address, Protocol and Port information) in State or Connection Table. 3. The Firewall forward the users HTTP request to the destination Web Server.

CONNECTION TEBLE
Inside IP Add 192.168.1.1 IP Protocol Inside IP Port Outside IP Add TCP 11500 201.201.201.1 Outside Port 80

2 Internal Network
STATEFULL FIREWALL

Internet 1

2A 2B

Web Server 201.201.201.1 1. The HTTP request received by Destination Web Server and it sends the corresponding web page to the user PC-A 2. The Firewall intercepts the connection response and compare with the entries that it had in its State table. A. If a match found in Connection Table, the returning packets are permitted. B. If match is not found in Connection Table , the returning packets are dropped.

PC- A 192.168.1.1

A State-full Firewall maintains this Connection Table. If it sees a connection teardown request between the source and destination, the state-full firewall removes the corresponding entry. If a connection entry is idle for a period, the entry will time out and the State-full Firewall will remove the entry from connection table.

STATEFULL INSPECTION

YES

If connection is new

NO

Session Mgmnt Path

1.Perform ACL Check 2.Route Look up 3.Allocate NAT (Xlate Table) Establish session in Fast Path

If connection is already established

NO YES

FAST PATH
1.IP Checksum Verification 2.Session look up 3.TCP Sequence No Check 4.NAT Based in existing Session 5.L3/L4 header adjustment
Some Packets that required L7 inspections are pass through Control Plane Path. L7 inspection Required for protocol that have Two or more channels -Data Channel Known ports -Control Channels- Unknown Ports

Connection Established

Connection Dropped

Sequence Number Randomization

The Security Appliances includes a security Feature called SNR, Which implemented by Security Algorithm. SNR used to protect you reconnaissance and TCP hijacking by hacker. TCP protocol The Most TCP/IP stacks use a fairly predictable method when using sequence number and that TCP segment indicates the number of bytes sent. In this case, Hacker can use this information to make predictions concerning the next set of data to be sent. Hacker can use this information to hijack the session.

The Security Appliances SNR feature address this problem by randomizing the TCP Sequence Number.

CONNECTION TEBLE
Inside TCP Sequence Number SNR Sequence Number

600

910

Internal Network

600

910 Internet

601
STATEFULL FIREWALL

911

PC- A 192.168.1.1

Web Server 201.201.201.1

TCP Segment passes through ASA where the Sequence Number is 600 in the segment. The SNR feature in ASA change this Sequence number to a random number 910 and place it in state table and forward the TCP segment to destination. Destination in not aware of this change and acknowledge to source the receipt of Segment, using ack number 911. The ASA receive the reply, compare with state table, undoes the SNR process by changing the 911 to 601, so that the source device is not confused.

CUT-THROUGH PROXY
CTP Feature of ASA is to enhance the Security

CTP allows the appliances to intercept incoming / outgoing connection and authenticate them before they are permitted.
CTP is used where the end-servers the user is connecting to can not perform authentication itself. The user connection are not typically authenticated by the ASA itself, but by an external security server, such as the CISCO Secure Access Control Server (CSACS). CISCO supports both , the TACACS+ and RADIUS protocols for Authentication. The CTP feature on an ASA can authenticate the following connection type : a. FTP b. HTTP and HTTPS c. Telnet

CUT-THROUGH PROXY
CISCO ACS Server

Authentication Table
Allowed User A B Allowed Application HTTP to 100.100.100.1 FTP to 100.100.100.2

User B

4
Internal Network 4A

3 2 Internet ASA
4B

1
User A

HTTP Server 100.100.100.1

FTP Server 100.100.100.2

1.User A initiate an FTP request to 100.100.100.2 2. The ASA intercept the connection and compare for an entry in its connection table. If entry exist , the ASA permits the connection (4A). In this case, the user is previously authenticated. 3. If ASA does not found an entry in Connection Table, it will prompt the User A for a username and password and forward the information to Security Server for authentication. 4. The Security Server examine its internal authentication table for the username and password and what service this user is allowed access to the Security Server sends an allow or deny message to ASA - If Security Server sends allow message after checking user credentials, It add the users connection information to the connection table and permit the connection. - If the ASA receives deny message, it drops the users connection, or possibly, re -prompt the user for another username/password combination

Security or Multiple Context

This feature of ASA, a device can partitioned into multiple virtual devices know as Security Context
Each context is an independent device with own Security Policies, interfaces & administrator
G 0/0

Internal Context

Shared Interface In VLAN 10

G 0/1.10

Admin Context G 0/1.20 VLAN 20

CTX-1 Context G 0/1.30 VLAN 30

How to access the ASA ?

CISCO offers three main methods for configuring your Security Appliances (ASA) 1. Command Line Interface (CLI) - To gain access to CLI, you can use one of the following access method : a. Console Port - Cisco Ribbon Serial Cable is used. On PC Hyper Terminal, Putty, or Tera Term S/W may be used

b. Auxiliary Post (On certain ASA models)

c. Telnet and SSH : For Security reason CISCO is not recommending these type of remote access

2. Adaptive Security Device Manager (ADSM) : GUI Based Interface 3. CISCO Security Manager (CSM) : GUI Based Interface with more mgmt tools

BOOT SEQUENCE OF ASA

1. 2. 3. ASA first load its BIOS Perform diagnostic checks on its hardware componants Load the Operating System LEVEL OF ACCESS TO THE ASA Level of Access User EXEC Mode Privilege EXEC Mode Configuration Mode User Prompt ciscoasa> ciscoasa# Capabilities This mode allows only limited basic mgmt & T/shooting commands One step above to User EXEC Mode & it gives complete access to ASA

Ciscoasa(config)# For configuration implementation and changes

Monitor or ROMMON Mode

Rommon>

Used for password recovery, low level T/shooting and to recover from a lost or corrupt Operating system

ASA FIREWALL MODE

ASA functioning under two different modes

a. Routed Mode : ASA considered to be next hope in Network

b. Transparent Mode : ASA not considered as next hop. It act as stealth firewall or Bump in the wire

____________________________________________________________
Two create virtual device (Security Context), ASA has two mode. a. Single Mode - Act as single device b. Multiple Mode Act as multiple device (Based on the license)

BASIC ASA INITIALIZATION

Inside Security Level-100 10.1.1.0/24 10.1.1.4 f0/0

ASA
e1 e2 e0

Outside Security Level-0 20.1.1.0/24 20.1.1.5 f0/0

DMZ Security Level-50 30.1.1.0/24

f0/0

30.1.1.6

ASA Interfaces are classified by two names to distinguish them : 1. Physical Name : It is used when we configure the physical properties of an interface. They begin with the name ethernet . ethernet 0 in PIX and ethernet 0/number (e0/0,e0/1) in ASA

2. Logical Name : Two common names used are Inside (connected to Internal N/W) & outside (connected to external or public N/W). Security Levels : Ranging from 0 to 100. 0 is least secure and 100 is most secure. The Security Algorithm uses the Security level to enforce its security policy. The rules that SA used are as under : Traffic from higher to lower Security level is permitted by-default unless restricted with an ACL. This is called an outbound connection. Traffic from lower to higher Security level is denied by-default unless explicitly permitted it by ACL. This is called inbound connection Traffic from same security level to same level is denied by-default.

BASIC ASA INITIALIZATION

Inside Security Level-100 10.1.1.0/24 10.1.1.4 f0/0

ASA
e1 e2 e0

Outside Security Level-0 20.1.1.0/24 20.1.1.5 f0/0

DMZ Security Level-50 30.1.1.0/24

f0/0

30.1.1.6

ciscoasa (config) # interface e0 ciscoasa (config-if)# nameif <inside/outside/dmz> ciscoasa (config-if)# ip address < ip address & subnet mask> ciscoasa (config-if)#security-level <number 0-100> ciscoasa (config-if)#speed <10/100/1000/auto/nonnegotiate> ciscoasa (config-if)#dulpex <auto/full/half> ciscoasa (config-if)#no shutdown ciscoasa# show interface ip brief ciscoasa (config)# same-security-traffic permit inter-interface

- physical interface - to assign logical name to the interface - to assign the IP Address - to assign security level as required - to set the speed - to set type - to enable the interface - to see the configuration of interfaces - to allow the traffic between interface with same security level

Method of assigning IP Address to ASA i. Mannually ii. By DHCP iii. PPP over Ethernet (PPPoE)

Routing Protocol Supported by ASA : a. b. c. d. Static & Dynamic RIP EIGRP OSPF