Network Attack & Defense: Difference between revisions
(22 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
==overview== |
|||
==network attack & defense== |
|||
* introduction |
* introduction |
||
Line 8: | Line 8: | ||
* summary |
* summary |
||
* references |
* references |
||
==introduction== |
==introduction== |
||
Line 38: | Line 37: | ||
of serious safety gaps. They maintain the internet in a half |
of serious safety gaps. They maintain the internet in a half |
||
hour to paralyze to be able. |
hour to paralyze to be able. |
||
==network attacks== |
==network attacks== |
||
'''overview''' |
'''overview''' |
||
* term clarifying |
* '''term clarifying''' |
||
** the term network attack is legally problematic |
** the term network attack is legally problematic |
||
** The legal definition of an attack assumes this took place only if someone arrived into the network! |
** The legal definition of an attack assumes this took place only if someone arrived into the network! |
||
* possible aggressors |
|||
* |
* '''possible aggressors - hackers (private or professional)''' |
||
** classically |
** classically |
||
*** overcoming of entrance barriers |
*** overcoming of entrance barriers |
||
Line 59: | Line 55: | ||
*** destruction of data and systems |
*** destruction of data and systems |
||
* possible attack targets |
|||
* '''possible attack targets''' |
|||
** everyone is endangers |
** everyone is endangers |
||
** everyone is a goal |
** everyone is a goal |
||
** nearly everyone was already a goal |
** nearly everyone was already a goal |
||
* goals of the aggressor |
|||
* '''goals of the aggressor''' |
|||
* points of attack and weak points |
|||
** feigning a wrong identity |
|||
** seeing confidential enterprise data |
|||
** changing and falsifying data/messages |
|||
** transfer of dangerous programs into the system |
|||
** enterprises in discredit bring |
|||
* what can we do? |
|||
* '''motivation''' |
|||
* network analysis |
|||
** tests of the own abilities and borders |
|||
** monetary goals |
|||
** revenge of quit coworkers |
|||
* '''points of attack and weak points''' |
|||
'''port-scans''' |
|||
** a main cause for the multiplicity at safety problems in the InterNet represents the architecture in principle of the communication protocols TCP/IP and UDP |
|||
** to using the ignorance of users |
|||
** using safety gaps in programs, those on the attacked computer runs (e.g. Web Browser) |
|||
** weak passwords |
|||
'''nessus''' |
|||
* more in http://www.computec.ch/dokumente/allgemein/angriffsmoeglichkeiten_auf_netzwerke/angriffsmoeglichkeiten_auf_netzwerke.pdf |
|||
==summary== |
|||
* '''what can we do?''' |
|||
** own systems and of them (normal) behavior (very much) good know! |
|||
** on remarkablenesses concentrate, e.g.: |
|||
*** computer is unexpectedly slow |
|||
*** non removable disk is the being obvious for unexplainable reasons fully |
|||
*** first examines |
|||
** calm remains; Panic causes errors |
|||
** be prepared! |
|||
** do allways |
|||
*** uninstall |
|||
*** switching off |
|||
*** configuring |
|||
*** patching |
|||
*** virus protection |
|||
*** user behaviors: |
|||
**** optimal: users do not install software |
|||
**** for minimum requirement: training of the users: software from the internet saves risks |
|||
'''with attention of these measures is avoidable over 99% all "Hacks"!''' |
|||
==network analysis== |
|||
* data security consider! |
|||
* only within the own range permits! |
|||
* difficult with purposeful masking |
|||
* motivation: |
|||
** weak points recognize: |
|||
* missing Patches |
|||
* unsatisfactory configuration |
|||
* foreigner software (Filesharing Tools, Serv u) |
|||
** abuse/intruders recognize |
|||
* possibilities: |
|||
** port-scan |
|||
*** search for services, which are attainable over the net |
|||
** computer scan |
|||
*** attempt, over the net additional information about the configuration computers to |
|||
** network monitorings receive |
|||
*** monitoring and analysis of connections |
|||
==port-scans== |
|||
* in principle: each program on a computer, which is to accept connections from the outside, must open a haven before (status: Listening) |
|||
* open ones of haven can be recognized |
|||
* which be attainable should, are also visibly |
|||
* problem: Some haven under certain conditions are only activated |
|||
* which haven? (purposefully at particulars of haven, "waving Known" haven, haven rank (theoretical 1-65535)) |
|||
* with what? |
|||
** freeware haven scanner: NMAP http://www.nmap.org |
|||
** recognizing the haven status |
|||
** the behavior of the computer on detailed packages depends on the operating system, IP stack and the applications |
|||
* OS finger print (result can supply reference) |
|||
* Suspekte computer locally to examine |
|||
** opened port lists |
|||
** which process keeps which haven open? |
|||
** interesting are doubtful haven with status "LISTENING" |
|||
* local analysis potentially compromised computer |
|||
==computer analysis - nessus== |
|||
* reaction of a computer when responding a port |
|||
* OS finger prints |
|||
* analysis of weak points (missing Patches/unsatisfactory configuration) |
|||
* with what? |
|||
*'''freeware scanner NESSUS (http://www.nessus.org)''' |
|||
** two-piece: |
|||
*** server ("Daemon") on Unix |
|||
*** Client on Unix or Windows 32 |
|||
* NESSUS be based on Nmap, has however additional functions |
|||
** scanning on safety gaps |
|||
** contains many prefabricated "Plugins" |
|||
** script language for supplementing own Plugins |
|||
** NESSUS scans not only the system to open ports, it tries also, dependent on the selected scanmethod, to recognize existing weak points of the individual server services |
|||
** with the option "intensively" attacks on the target computer are implemented, which can lead also to system crashes |
|||
*'''evaluation of the Nessus results:''' |
|||
** doubtful |
|||
** knowledge about scanned computers is necessary |
|||
** often false alarm, results |
|||
** results can be stored in data base |
|||
** comparison to earlier results or same computer configuration verifies classification of importance possible and meaningfully |
|||
*'''Negative result does not mean that the computer is safe!''' |
|||
==summary== |
|||
*'''there is no chance to be save''' |
*'''there is no chance to be save''' |
||
Line 84: | Line 178: | ||
==references== |
==references== |
||
* http://www.computec.ch/dokumente/allgemein/angriffsmoeglichkeiten_auf_netzwerke/angriffsmoeglichkeiten_auf_netzwerke.pdf |
* http://www.computec.ch/dokumente/allgemein/angriffsmoeglichkeiten_auf_netzwerke/angriffsmoeglichkeiten_auf_netzwerke.pdf |
||
* http://www.telematik-institut.de/publikationen/online-vorlesungen/weitere_vorlesungen_und_skripte/SION-kap-3.4.pdf |
* http://www.telematik-institut.de/publikationen/online-vorlesungen/weitere_vorlesungen_und_skripte/SION-kap-3.4.pdf |
Latest revision as of 21:31, 28 January 2005
overview
- introduction
- network attacks
- overview
- port-scans
- nessus
- summary
- references
introduction
- IBM: increases of network attacks
number of the attacks on networks of state institutions between july and august last yearly around 55 % risen
- 80% of all network attacks are committed within the firewall
of protected range ComputerWorld, Januar 2002
historical outline
- 1971 John Draper find out that a toy whistle from a Muesli box
reproduces exactly the clay/tone that a free voice grade channel opens
- 1984 in the USA are discharged the Comprehensive Crime
control act, a law that more possibilities to the secret service gives to put to credit card cheats and hackers the handicraft
- 1986 in the USA two further laws, which concern themselves
with attacks on computer systems, are adopted: The computer Fraud and electronics Communications Privacy act
- 1988 Robert Morris bring 6.000 computers in the internet with
a virus to the crash and to a punishment of $10.000 are condemned
- 1994, summer Vladimir Levin, graduate of the pc. Petersburg
Universit, steal with a Russian group of hackers 10 millions $ of the Citibank. He is arrested 1995 in London.
- 1998, 19 May members of the group of hackers of L0pht warn
of serious safety gaps. They maintain the internet in a half hour to paralyze to be able.
network attacks
overview
- term clarifying
- the term network attack is legally problematic
- The legal definition of an attack assumes this took place only if someone arrived into the network!
- possible aggressors - hackers (private or professional)
- classically
- overcoming of entrance barriers
- no destruction of data
- no change of data
- criminal (Cracker)
- spying data
- manipulation of data
- destruction of data and systems
- classically
- possible attack targets
- everyone is endangers
- everyone is a goal
- nearly everyone was already a goal
- goals of the aggressor
- feigning a wrong identity
- seeing confidential enterprise data
- changing and falsifying data/messages
- transfer of dangerous programs into the system
- enterprises in discredit bring
- motivation
- tests of the own abilities and borders
- monetary goals
- revenge of quit coworkers
- points of attack and weak points
- a main cause for the multiplicity at safety problems in the InterNet represents the architecture in principle of the communication protocols TCP/IP and UDP
- to using the ignorance of users
- using safety gaps in programs, those on the attacked computer runs (e.g. Web Browser)
- weak passwords
- what can we do?
- own systems and of them (normal) behavior (very much) good know!
- on remarkablenesses concentrate, e.g.:
- computer is unexpectedly slow
- non removable disk is the being obvious for unexplainable reasons fully
- first examines
- calm remains; Panic causes errors
- be prepared!
- do allways
- uninstall
- switching off
- configuring
- patching
- virus protection
- user behaviors:
- optimal: users do not install software
- for minimum requirement: training of the users: software from the internet saves risks
with attention of these measures is avoidable over 99% all "Hacks"!
network analysis
- data security consider!
- only within the own range permits!
- difficult with purposeful masking
- motivation:
- weak points recognize:
- missing Patches
- unsatisfactory configuration
- foreigner software (Filesharing Tools, Serv u)
- abuse/intruders recognize
- possibilities:
- port-scan
- search for services, which are attainable over the net
- computer scan
- attempt, over the net additional information about the configuration computers to
- network monitorings receive
- monitoring and analysis of connections
- port-scan
port-scans
- in principle: each program on a computer, which is to accept connections from the outside, must open a haven before (status: Listening)
- open ones of haven can be recognized
- which be attainable should, are also visibly
- problem: Some haven under certain conditions are only activated
- which haven? (purposefully at particulars of haven, "waving Known" haven, haven rank (theoretical 1-65535))
- with what?
- freeware haven scanner: NMAP http://www.nmap.org
- recognizing the haven status
- the behavior of the computer on detailed packages depends on the operating system, IP stack and the applications
- OS finger print (result can supply reference)
- Suspekte computer locally to examine
- opened port lists
- which process keeps which haven open?
- interesting are doubtful haven with status "LISTENING"
- local analysis potentially compromised computer
computer analysis - nessus
- reaction of a computer when responding a port
- OS finger prints
- analysis of weak points (missing Patches/unsatisfactory configuration)
- with what?
- freeware scanner NESSUS (http://www.nessus.org)
- two-piece:
- server ("Daemon") on Unix
- Client on Unix or Windows 32
- two-piece:
- NESSUS be based on Nmap, has however additional functions
- scanning on safety gaps
- contains many prefabricated "Plugins"
- script language for supplementing own Plugins
- NESSUS scans not only the system to open ports, it tries also, dependent on the selected scanmethod, to recognize existing weak points of the individual server services
- with the option "intensively" attacks on the target computer are implemented, which can lead also to system crashes
- evaluation of the Nessus results:
- doubtful
- knowledge about scanned computers is necessary
- often false alarm, results
- results can be stored in data base
- comparison to earlier results or same computer configuration verifies classification of importance possible and meaningfully
- Negative result does not mean that the computer is safe!
summary
- there is no chance to be save
- but you can be close to
references
- http://www.computec.ch/dokumente/allgemein/angriffsmoeglichkeiten_auf_netzwerke/angriffsmoeglichkeiten_auf_netzwerke.pdf
- http://www.telematik-institut.de/publikationen/online-vorlesungen/weitere_vorlesungen_und_skripte/SION-kap-3.4.pdf
- http://www1.logistik.fh-dortmund.de/IT-Sicherheit/50_AdministratorenTools.pdf