Network Security

Firewalls

Network applications and protocols have security issues that are fixed over time. One way to limit exposure in the meantime is to restrict access to end hosts using a firewall, which acts as a single entry point into the network. It can be hardware or software.

Firewall rules - allow or block applications and/or ports. Exceptions and exclusions can be created on top of this.

Intrusion Detection

Used to monitor suspicious activity on a network. Protects against known software exploits such as buffer overflows.

It detects suspicious activity using "intrusion signatures", which are well-known patterns of behaviour, e.g. ping sweeps, port scanning, web server indexing, OS fingerprinting, DoS attempts, etc.

IDS (Intrusion detection software) is only useful if contingency plans are in place to stop attacks as they are occurring.

Dictionary Attack

Passwords are generally stored as a one-way hash. In other words, once a password has been hashed, the original cannot be recovered from the hash by the same method. A dictionary attack takes a list of values (words, numbers, common passwords etc.), hashes each one using the same method as the stored passwords, and compares the results with the stored hashes. If there is a match, then the password is whatever dictionary value produced the matching hash.

Denial Of Service (DOS)

The goal of a DoS attack is to make a network service unusable, usually by overloading the server or network.

Types of DoS attack

  • SYN flooding
    • Sending SYN packets with a faked source address
    • The server responds with SYN ACK and keeps a half open TCP connection state
    • This is repeated until server memory is exhausted
    • Solution: SYN cookies
      • In response to SYN, create a special cookie for the connection and forget everything else about it
      • The forgotten information can be recreated when the ACK comes from a legitimate connection
  • SMURF
    • Source IP address of a broadcast ping is forged
    • A large number of machines respond back to the victim, overloading it
  • Distributed attacks
    • Same techniques, but on a much larger scale using a large number of machines

Ingress filtering

If a packet arrives on an interface that has no route back to the packet's source IP address, then drop it.

TCP Attacks

If an attacker learns the associated TCP state for a connection, the connection can become hijacked. The attacker can insert malicious data into the TCP stream, and the recipient host will believe it came from the original, trusted source.

Encryption

Encryption is the process of encoding information so only those with information on how to decrypt it can access it.

Two types: Symmetrical and Asymmetrical

Password Hashing

The password is stored after being hashed. The use of a salt further reduces the chance of the original password being recovered from the stored hash. Hashing is one way. When authenticating, the entered password attempt is hashed, and this value is compared with the stored hash. Authentication only succeeds if the two hashes match.

OWASP

An online community which creates freely-available articles, documentation, tools and technology in the field of web app security.

SQL Injection

SELECT * FROM users
WHERE username = "john"
AND password = "1234"

The application may check these credentials against a database. If the query returns a row, the login succeeds.

SELECT * FROM users
WHERE username = "admin"
AND password = "" OR 1="1"

Here the password field was filled with `" OR 1="1`, which closes the string literal and appends an extra condition. Because AND binds tighter than OR, the WHERE clause is always true, the query returns rows, and the login succeeds without a valid password.
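The same login check, written as an added example (not from the original notes) against an in-memory SQLite table with constructed users. It shows the string-built query from the notes beside a parameterised version; SQLite's single-quoted string literals are used instead of the double quotes above, so the injected password is `' OR '1'='1`.

```python
import sqlite3

# Constructed demo users; not real credentials.
USERS = [("john", "1234"), ("admin", "s3cret")]


def make_db():
    """Create an in-memory users table matching the notes' schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_query(username, password):
    """Build the SQL text by string formatting, as the notes' application does.
    Whatever the user typed becomes part of the SQL grammar."""
    return ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Login succeeds if the string-built query returns any row."""
    return conn.execute(vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the values travel separately from the statement,
    so quotes in the input can never change the query's structure."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The notes' payload in single-quote syntax: closes the literal, then
# appends an always-true OR condition.
INJECTED_PASSWORD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query("admin", INJECTED_PASSWORD))
    print(login_vulnerable(db, "john", "1234"))              # True: valid credentials
    print(login_vulnerable(db, "admin", INJECTED_PASSWORD))  # True: check bypassed
    print(login_safe(db, "admin", INJECTED_PASSWORD))        # False: treated as a literal
```

Real applications would also compare against a salted hash rather than a stored plaintext password, as described in the Password Hashing section.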