Network Attack & Defense: Difference between revisions

From
Jump to navigation Jump to search
No edit summary
 
 
(39 intermediate revisions by 2 users not shown)
Line 1: Line 1:
==overview==
'''Bold text'''network attack & defense


1. introduction
* introduction
2. network attacks
* network attacks
- overview
** overview
- port-scans
** port-scans
- nessus
** nessus
3. summary
* summary
4. references
* references


==introduction==
- IBM: increases of network attacks
* IBM: increases of network attacks
number of the attacks on networks of state institutions between
number of the attacks on networks of state institutions between
july and august last yearly around 55 % risen
july and august last yearly around 55 % risen
- 80% of all network attacks are committed within the firewall
* 80% of all network attacks are committed within the firewall
of protected range
of protected range
ComputerWorld, Januar 2002
ComputerWorld, Januar 2002


historical outline
'''historical outline'''

- 1971 John Draper find out that a toy whistle from a Muesli box
* 1971 John Draper find out that a toy whistle from a Muesli box
reproduces exactly the clay/tone that a free voice grade
reproduces exactly the clay/tone that a free voice grade
channel opens
channel opens
- 1984 in the USA are discharged the Comprehensive Crime
* 1984 in the USA are discharged the Comprehensive Crime
control act, a law that more possibilities to the secret service
control act, a law that more possibilities to the secret service
gives to put to credit card cheats and hackers the handicraft
gives to put to credit card cheats and hackers the handicraft
- 1986 in the USA two further laws, which concern themselves
* 1986 in the USA two further laws, which concern themselves
with attacks on computer systems, are adopted: The
with attacks on computer systems, are adopted: The
computer Fraud and electronics Communications Privacy act
computer Fraud and electronics Communications Privacy act
- 1988 Robert Morris bring 6.000 computers in the internet with
* 1988 Robert Morris bring 6.000 computers in the internet with
a virus to the crash and to a punishment of $10.000 are
a virus to the crash and to a punishment of $10.000 are
condemned
condemned
- 1994, summer Vladimir Levin, graduate of the pc. Petersburg
* 1994, summer Vladimir Levin, graduate of the pc. Petersburg
Universit, steal with a Russian group of hackers 10 millions $
Universit, steal with a Russian group of hackers 10 millions $
of the Citibank. He is arrested 1995 in London.
of the Citibank. He is arrested 1995 in London.
- 1998, 19 May members of the group of hackers of L0pht warn
* 1998, 19 May members of the group of hackers of L0pht warn
of serious safety gaps. They maintain the internet in a half
of serious safety gaps. They maintain the internet in a half
hour to paralyze to be able.
hour to paralyze to be able.

==network attacks==
'''overview'''
* '''term clarifying'''
** the term network attack is legally problematic
** The legal definition of an attack assumes this took place only if someone arrived into the network!


* '''possible aggressors - hackers (private or professional)'''
** classically
*** overcoming of entrance barriers
*** no destruction of data
*** no change of data
** criminal (Cracker)
*** spying data
*** manipulation of data
*** destruction of data and systems


* '''possible attack targets'''
** everyone is endangers
** everyone is a goal
** nearly everyone was already a goal


* '''goals of the aggressor'''
** feigning a wrong identity
** seeing confidential enterprise data
** changing and falsifying data/messages
** transfer of dangerous programs into the system
** enterprises in discredit bring


* '''motivation'''
** tests of the own abilities and borders
** monetary goals
** revenge of quit coworkers


* '''points of attack and weak points'''
** a main cause for the multiplicity at safety problems in the InterNet represents the architecture in principle of the communication protocols TCP/IP and UDP
** to using the ignorance of users
** using safety gaps in programs, those on the attacked computer runs (e.g. Web Browser)
** weak passwords


* more in http://www.computec.ch/dokumente/allgemein/angriffsmoeglichkeiten_auf_netzwerke/angriffsmoeglichkeiten_auf_netzwerke.pdf


* '''what can we do?'''
** own systems and of them (normal) behavior (very much) good know!
** on remarkablenesses concentrate, e.g.:
*** computer is unexpectedly slow
*** non removable disk is the being obvious for unexplainable reasons fully
*** first examines
** calm remains; Panic causes errors
** be prepared!
** do allways
*** uninstall
*** switching off
*** configuring
*** patching
*** virus protection
*** user behaviors:
**** optimal: users do not install software
**** for minimum requirement: training of the users: software from the internet saves risks

'''with attention of these measures is avoidable over 99% all "Hacks"!'''

==network analysis==
* data security consider!
* only within the own range permits!
* difficult with purposeful masking
* motivation:
** weak points recognize:
* missing Patches
* unsatisfactory configuration
* foreigner software (Filesharing Tools, Serv u)
** abuse/intruders recognize
* possibilities:
** port-scan
*** search for services, which are attainable over the net
** computer scan
*** attempt, over the net additional information about the configuration computers to
** network monitorings receive
*** monitoring and analysis of connections

==port-scans==
* in principle: each program on a computer, which is to accept connections from the outside, must open a haven before (status: Listening)
* open ones of haven can be recognized
* which be attainable should, are also visibly
* problem: Some haven under certain conditions are only activated
* which haven? (purposefully at particulars of haven, "waving Known" haven, haven rank (theoretical 1-65535))
* with what?
** freeware haven scanner: NMAP http://www.nmap.org
** recognizing the haven status
** the behavior of the computer on detailed packages depends on the operating system, IP stack and the applications


* OS finger print (result can supply reference)
* Suspekte computer locally to examine
** opened port lists
** which process keeps which haven open?
** interesting are doubtful haven with status "LISTENING"
* local analysis potentially compromised computer

==computer analysis - nessus==
* reaction of a computer when responding a port
* OS finger prints
* analysis of weak points (missing Patches/unsatisfactory configuration)
* with what?


*'''freeware scanner NESSUS (http://www.nessus.org)'''
** two-piece:
*** server ("Daemon") on Unix
*** Client on Unix or Windows 32
* NESSUS be based on Nmap, has however additional functions
** scanning on safety gaps
** contains many prefabricated "Plugins"
** script language for supplementing own Plugins
** NESSUS scans not only the system to open ports, it tries also, dependent on the selected scanmethod, to recognize existing weak points of the individual server services
** with the option "intensively" attacks on the target computer are implemented, which can lead also to system crashes


*'''evaluation of the Nessus results:'''
** doubtful
** knowledge about scanned computers is necessary
** often false alarm, results
** results can be stored in data base
** comparison to earlier results or same computer configuration verifies classification of importance possible and meaningfully


*'''Negative result does not mean that the computer is safe!'''

==summary==
*'''there is no chance to be save'''

*'''but you can be close to'''

==references==
* http://www.computec.ch/dokumente/allgemein/angriffsmoeglichkeiten_auf_netzwerke/angriffsmoeglichkeiten_auf_netzwerke.pdf
* http://www.telematik-institut.de/publikationen/online-vorlesungen/weitere_vorlesungen_und_skripte/SION-kap-3.4.pdf
* http://www1.logistik.fh-dortmund.de/IT-Sicherheit/50_AdministratorenTools.pdf

Latest revision as of 21:31, 28 January 2005

overview

  • introduction
  • network attacks
    • overview
    • port-scans
    • nessus
  • summary
  • references

introduction

  • IBM: increases of network attacks

number of the attacks on networks of state institutions between july and august last yearly around 55 % risen

  • 80% of all network attacks are committed within the firewall

of protected range ComputerWorld, Januar 2002

historical outline

  • 1971 John Draper find out that a toy whistle from a Muesli box

reproduces exactly the clay/tone that a free voice grade channel opens

  • 1984 in the USA are discharged the Comprehensive Crime

control act, a law that more possibilities to the secret service gives to put to credit card cheats and hackers the handicraft

  • 1986 in the USA two further laws, which concern themselves

with attacks on computer systems, are adopted: The computer Fraud and electronics Communications Privacy act

  • 1988 Robert Morris bring 6.000 computers in the internet with

a virus to the crash and to a punishment of $10.000 are condemned

  • 1994, summer Vladimir Levin, graduate of the pc. Petersburg

Universit, steal with a Russian group of hackers 10 millions $ of the Citibank. He is arrested 1995 in London.

  • 1998, 19 May members of the group of hackers of L0pht warn

of serious safety gaps. They maintain the internet in a half hour to paralyze to be able.

network attacks

overview

  • term clarifying
    • the term network attack is legally problematic
    • The legal definition of an attack assumes this took place only if someone arrived into the network!


  • possible aggressors - hackers (private or professional)
    • classically
      • overcoming of entrance barriers
      • no destruction of data
      • no change of data
    • criminal (Cracker)
      • spying data
      • manipulation of data
      • destruction of data and systems


  • possible attack targets
    • everyone is endangers
    • everyone is a goal
    • nearly everyone was already a goal


  • goals of the aggressor
    • feigning a wrong identity
    • seeing confidential enterprise data
    • changing and falsifying data/messages
    • transfer of dangerous programs into the system
    • enterprises in discredit bring


  • motivation
    • tests of the own abilities and borders
    • monetary goals
    • revenge of quit coworkers


  • points of attack and weak points
    • a main cause for the multiplicity at safety problems in the InterNet represents the architecture in principle of the communication protocols TCP/IP and UDP
    • to using the ignorance of users
    • using safety gaps in programs, those on the attacked computer runs (e.g. Web Browser)
    • weak passwords



  • what can we do?
    • own systems and of them (normal) behavior (very much) good know!
    • on remarkablenesses concentrate, e.g.:
      • computer is unexpectedly slow
      • non removable disk is the being obvious for unexplainable reasons fully
      • first examines
    • calm remains; Panic causes errors
    • be prepared!
    • do allways
      • uninstall
      • switching off
      • configuring
      • patching
      • virus protection
      • user behaviors:
        • optimal: users do not install software
        • for minimum requirement: training of the users: software from the internet saves risks

with attention of these measures is avoidable over 99% all "Hacks"!

network analysis

  • data security consider!
  • only within the own range permits!
  • difficult with purposeful masking
  • motivation:
    • weak points recognize:
  • missing Patches
  • unsatisfactory configuration
  • foreigner software (Filesharing Tools, Serv u)
    • abuse/intruders recognize
  • possibilities:
    • port-scan
      • search for services, which are attainable over the net
    • computer scan
      • attempt, over the net additional information about the configuration computers to
    • network monitorings receive
      • monitoring and analysis of connections

port-scans

  • in principle: each program on a computer, which is to accept connections from the outside, must open a haven before (status: Listening)
  • open ones of haven can be recognized
  • which be attainable should, are also visibly
  • problem: Some haven under certain conditions are only activated
  • which haven? (purposefully at particulars of haven, "waving Known" haven, haven rank (theoretical 1-65535))
  • with what?
    • freeware haven scanner: NMAP http://www.nmap.org
    • recognizing the haven status
    • the behavior of the computer on detailed packages depends on the operating system, IP stack and the applications


  • OS finger print (result can supply reference)
  • Suspekte computer locally to examine
    • opened port lists
    • which process keeps which haven open?
    • interesting are doubtful haven with status "LISTENING"
  • local analysis potentially compromised computer

computer analysis - nessus

  • reaction of a computer when responding a port
  • OS finger prints
  • analysis of weak points (missing Patches/unsatisfactory configuration)
  • with what?


  • freeware scanner NESSUS (http://www.nessus.org)
    • two-piece:
      • server ("Daemon") on Unix
      • Client on Unix or Windows 32
  • NESSUS be based on Nmap, has however additional functions
    • scanning on safety gaps
    • contains many prefabricated "Plugins"
    • script language for supplementing own Plugins
    • NESSUS scans not only the system to open ports, it tries also, dependent on the selected scanmethod, to recognize existing weak points of the individual server services
    • with the option "intensively" attacks on the target computer are implemented, which can lead also to system crashes


  • evaluation of the Nessus results:
    • doubtful
    • knowledge about scanned computers is necessary
    • often false alarm, results
    • results can be stored in data base
    • comparison to earlier results or same computer configuration verifies classification of importance possible and meaningfully


  • Negative result does not mean that the computer is safe!

summary

  • there is no chance to be save
  • but you can be close to

references