Difference between revisions of "Network Attack & Defense"


Latest revision as of 23:31, 28 January 2005

overview

  • introduction
  • network attacks
    • overview
    • port-scans
    • nessus
  • summary
  • references

introduction

  • IBM: increase in network attacks

the number of attacks on networks of state institutions rose by around 55 % between July and August of last year

  • 80 % of all network attacks are committed inside the firewall-protected area

(ComputerWorld, January 2002)

historical outline

  • 1971: John Draper finds out that a toy whistle from a cereal box reproduces exactly the tone that opens a free line
  • 1984: the USA passes the Comprehensive Crime Control Act, a law that gives the Secret Service more powers to stop credit card fraudsters and hackers
  • 1986: the USA adopts two further laws dealing with attacks on computer systems: the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act
  • 1988: Robert Morris crashes 6,000 computers on the internet with a virus and is sentenced to a fine of $10,000
  • 1994, summer: Vladimir Levin, graduate of St. Petersburg University, steals 10 million $ from Citibank together with a Russian group of hackers. He is arrested in London in 1995.
  • 1998, 19 May: members of the hacker group L0pht warn of serious security gaps. They claim to be able to paralyze the internet within half an hour.

network attacks

overview

  • term clarification
    • the term "network attack" is legally problematic
    • the legal definition of an attack assumes that one took place only if someone actually got into the network!

  • possible aggressors - hackers (private or professional)
    • classic
      • overcoming access barriers
      • no destruction of data
      • no alteration of data
    • criminal (cracker)
      • spying on data
      • manipulation of data
      • destruction of data and systems

  • possible attack targets
    • everyone is endangered
    • everyone is a target
    • nearly everyone has already been a target

  • goals of the aggressor
    • feigning a false identity
    • viewing confidential company data
    • altering and falsifying data/messages
    • transferring dangerous programs into the system
    • bringing companies into disrepute

  • motivation
    • testing one's own abilities and limits
    • monetary goals
    • revenge of former employees

  • points of attack and weak points
    • a main cause of the multitude of security problems on the internet is the basic architecture of the communication protocols TCP/IP and UDP
    • exploiting the ignorance of users
    • exploiting security gaps in programs that run on the attacked computer (e.g. web browser)
    • weak passwords



  • what can we do?
    • know your own systems and their (normal) behaviour (very) well!
    • concentrate on anomalies, e.g.:
      • computer is unexpectedly slow
      • hard disk is suddenly full for unexplainable reasons
      • examine first
    • stay calm; panic causes errors
    • be prepared!
    • always do:
      • uninstall
      • switch off
      • configure
      • patch
      • virus protection
      • user behaviour:
        • optimal: users do not install software
        • minimum requirement: training of the users: software from the internet carries risks

with observance of these measures over 99 % of all "hacks" are avoidable!

network analysis

  • consider data protection!
  • only permitted within your own domain!
  • difficult with deliberate masking
  • motivation:
    • recognize weak points:
      • missing patches
      • unsatisfactory configuration
      • third-party software (file-sharing tools, Serv-U)
    • recognize abuse/intruders
  • possibilities:
    • port scan
      • search for services that are reachable over the net
    • computer scan
      • attempt to obtain additional information about the configuration of computers over the net
    • network monitoring
      • monitoring and analysis of connections

port-scans

  • in principle: each program on a computer that is to accept connections from outside must first open a port (status: LISTENING)
  • open ports can be recognized
  • what should be reachable is also visible
  • problem: some ports are only activated under certain conditions
  • which ports? (purposefully at particular ports, "well known" ports, port range (theoretically 1-65535))
  • with what?
    • freeware port scanner: NMAP http://www.nmap.org
    • recognizing the port status
    • the behaviour of the computer on specific packets depends on the operating system, IP stack and the applications

  • OS fingerprint (result can give a hint)
  • examine suspect computers locally
    • list of open ports
    • which process keeps which port open?
    • doubtful ports with status "LISTENING" are interesting
  • local analysis of a potentially compromised computer
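The local check described above (which process holds which listening port, and whether that matches the host's normal state) as an added Python example; it is not part of the lecture notes. The listing and the baseline are constructed sample data, and the `ss -ltnp` output layout is assumed.

```python
import re

# Constructed sample in the layout of `ss -ltnp` (not captured from any real host);
# the rightmost field names the process that owns the socket.
SAMPLE_LISTING = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1337,fd=6))
LISTEN 0      128    0.0.0.0:8888       0.0.0.0:*         users:(("srv",pid=2048,fd=3))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("python3",pid=999,fd=5))
"""

# Baseline of the host's normal listeners: port -> process expected to own it.
# Assumed values for this example; on a real host it comes from an inventory
# taken while the system was known to be good ("know your systems").
BASELINE = {22: "sshd", 80: "nginx", 443: "nginx", 3306: "mysqld"}

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(listing):
    """Return {port: process} for every LISTEN line of an ss-style listing."""
    listeners = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners[int(m.group(2))] = m.group(3)
    return listeners


def compare_with_baseline(listeners, baseline):
    """Classify the live listeners against the baseline.

    unexpected : open port the baseline does not know about
    hijacked   : known port held by a different process than expected
    missing    : baseline port not listening (service down, or listing tampered with)
    """
    unexpected = {p: proc for p, proc in listeners.items() if p not in baseline}
    hijacked = {p: (baseline[p], proc) for p, proc in listeners.items()
                if p in baseline and proc != baseline[p]}
    missing = sorted(p for p in baseline if p not in listeners)
    return {"unexpected": unexpected, "hijacked": hijacked, "missing": missing}


if __name__ == "__main__":
    report = compare_with_baseline(parse_listeners(SAMPLE_LISTING), BASELINE)
    for kind, items in report.items():
        print(f"{kind:10} {items}")
```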

computer analysis - nessus

  • reaction of a computer when a port is probed
  • OS fingerprints
  • analysis of weak points (missing patches/unsatisfactory configuration)
  • with what?

  • freeware scanner NESSUS (http://www.nessus.org)
    • two parts:
      • server ("daemon") on Unix
      • client on Unix or Windows 32
  • NESSUS is based on Nmap, but has additional functions
    • scanning for security gaps
    • contains many ready-made "plugins"
    • script language for adding your own plugins
    • NESSUS not only scans the system for open ports, it also tries, depending on the selected scan method, to recognize existing weak points of the individual server services
    • with the option "intensive", attacks on the target computer are carried out, which can also lead to system crashes

  • evaluation of the Nessus results:
    • doubtful
    • knowledge about the scanned computers is necessary
    • often false alarms
    • results can be stored in a database
    • comparison with earlier results or with computers of the same configuration makes a verified classification of importance possible and meaningful

  • a negative result does not mean that the computer is safe!
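The "compare with earlier results" step of the evaluation, as an added Python example that is neither from the lecture nor from Nessus itself: it diffs two constructed finding sets for one host, drops findings an administrator has already verified as false alarms, and ranks what is new by severity. Plugin names and severities are made up for the example.

```python
# Constructed Nessus-style findings for one host from two scans.
# Each finding: (port, plugin_name) -> severity. All values are made up.
PREVIOUS = {
    (22, "SSH protocol version 1 enabled"): "high",
    (80, "Web server directory listing"): "medium",
    (25, "SMTP banner disclosure"): "low",
}
LATEST = {
    (80, "Web server directory listing"): "medium",
    (25, "SMTP banner disclosure"): "low",
    (3306, "MySQL unpatched version"): "high",
    (80, "HTTP TRACE method enabled"): "medium",
}
# Findings already verified as false alarms on this host
# (the "knowledge about the scanned computer" the notes ask for).
ACCEPTED_FALSE_ALARMS = {(25, "SMTP banner disclosure")}

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def compare_scans(previous, current, accepted=frozenset()):
    """Split the current scan into new, resolved and persisting findings.

    Known false alarms are removed on both sides first, so repeated scans
    only raise what actually changed on the host.
    """
    prev = {k: v for k, v in previous.items() if k not in accepted}
    curr = {k: v for k, v in current.items() if k not in accepted}
    new = {k: v for k, v in curr.items() if k not in prev}
    resolved = {k: v for k, v in prev.items() if k not in curr}
    persisting = {k: v for k, v in curr.items() if k in prev}
    return {"new": new, "resolved": resolved, "persisting": persisting}


def prioritise(findings):
    """Order findings by severity (highest first), then by port number."""
    return sorted(findings.items(), key=lambda kv: (-SEVERITY_RANK[kv[1]], kv[0][0]))


if __name__ == "__main__":
    delta = compare_scans(PREVIOUS, LATEST, ACCEPTED_FALSE_ALARMS)
    for (port, plugin), sev in prioritise(delta["new"]):
        print(f"NEW      {sev:6} port {port}: {plugin}")
    for (port, plugin), sev in delta["resolved"].items():
        print(f"RESOLVED {sev:6} port {port}: {plugin}")
```

A "resolved" entry only says the scanner no longer reports it; as the notes state, a negative result is not proof that the host is safe.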

summary

  • there is no chance to be safe
  • but you can be close to it

references

  • http://www.computec.ch/dokumente/allgemein/angriffsmoeglichkeiten_auf_netzwerke/angriffsmoeglichkeiten_auf_netzwerke.pdf
  • http://www.telematik-institut.de/publikationen/online-vorlesungen/weitere_vorlesungen_und_skripte/SION-kap-3.4.pdf
  • http://www1.logistik.fh-dortmund.de/IT-Sicherheit/50_AdministratorenTools.pdf
  • AdministratorenTools.ppt/HMW/11.10.2004 Prof. Dr. Heinz-Michael Winkels, FH-Dortmund