Social engineering Cryptographic Assaults
2.4.3 Network Compromises and Attacks
Why would somebody want to hurt your site? If you have any public visibility, you could well attract unwanted attention from unsavory characters who are holding a grudge, nosy competition trying to ferret out new product information, or disgruntled employees out for a joyride.2.4.3.1 Denial of service attacks
These types of attacks are usually hate- or vendetta-driven, because they have only one aim: to prevent you or anyone else, for that matter from using your own equipment. A couple of strategies of this nature are: flooding a network interface with traffic, making use of the whole network impossible, or sending specific invalid packets to a computer that cause it to crash several times an hour. A good analogy for this type of attack would be someone wasting your whole afternoon by repeatedly calling you and hanging up. Although there is little you can do in this instance, once an attack is isolated, a system administrator can use a firewall to block inbound requests that would normally cripple the machine or the network. Unfortunately, there is only experimental work being done right now that would allow a scanning process or router to dynamically block such attacks when it notices them and verifies that they are valid threats.2.4.3.2 Address spoofing
TCPIP, because of its widespread use, large-scale deployment, and ongoing worldwide development, is definitely the lingua franca of the Internet and will continue to be so. Enhancements to the lower levels of the protocol such as IPSec will not only support IPs use in a worldwide environment to deliver data, but will do so securely. The strengths derived from using the current IP implementation, unfortunately, make the protocol unsecure. Because of how packet routing works and how header information is constructed, it becomes very difficult to conclusively prove the path a packet takes from point A to point B, and difficult to guarantee that some packet originated from A to begin with. Because of this, attackers can masquerade or spoof their targets routers and systems into thinking packets originated from someplace they did not. By doing this, all manner of mischief can be wrought.2.4.3.3 Session hijacking
By building a foundation of IP source spoofing in the above example, an attacker can effectively hijack an entire session between A and B. The parties need not be two individuals sending messages back and forth. More than likely, one of the parties involved will be a server of some sort, which the attacker will impersonate during the span of the communication. By posing as an organizations mail server or file server, he can collect a ton of private material and analyze it at his leisure.2.4.3.4 Man-in-the-middle attack
Also built on the foundation of IP address spoofing, an attacker can not only stage a session hijack, but can also mimic A and complete the original requests made to B directly. Imagine that we are M, and are able to convince A we are B, and B we are A. Traffic sent to B from A could be caught by M, analyzed, modified, stored or merely witnessed, and then sent on to B, no one at all the wiser. Traffic returning from B to A could be treated in a similar fashion. The 40 VPNs discussed in the book rely upon sophisticated techniques for combating the man-in-the- middle attack, sometimes relying upon per-packet or time-oriented authentication, or even the quick shifting of keys.2.4.3.5 Replay attack
A replay attack is essentially what would happen if an attacker were to record a transmission from A to B, even if the attacker is unable to read the message, then replay the message at a later time. Sometimes attacks of this nature can work if used in concert with an IP spoofing assault or even a man-in-the-middle one. Some VPNs combat this threat by serializing the packets, some by encapsulating the IP header as well as the datagram, and some by using synchronized timestamping. A combination of these techniques could also be used.2.4.3.6 Detection and cleanup
Computer break-in incidents are difficult to detect and more difficult to prosecute. According to the Computer Emergency Response Team CERT, a full 35 of all high-degree break-ins go completely undetected by the system administrators responsible for the equipment compromised; an even higher 85 of all incidents go unreported. Sometimes it is only by accident that an administrator notices the tell-tale symptoms of a break-in. Strange things found in the temporary directory, strange processes running, applications found that were not distributed with the operating system, and users reporting that they are having trouble logging in or have forgotten their passwords somehow are clues. When attackers are careful to clean up after themselves, the odds that someone will notice decrease dramatically. If they are careless or just joyriders, detection is much easier and cleanup is simpler. The biggest gut-wrenching feeling occurs when the attacker seems not to have changed anything. If only a minimal clue to their penetration is left, you can be assured that you need to sanitize—and quickly. For a whole host of security-related documents, including current advisories, check with CERT directly at http:www.cert.org . In closing, always try to be quick to respond to any threat or apparent break-in as soon as you are notified or as soon as you discover it. The faster you are at taking care of things, the less impact there is overall. Even though you are sure to have a restricted budget and inadequate resources for your security efforts, try to follow through with all measures you can take to pursue the attackers. If they think you are too busy or uncaring, they will come back, with better tricks and harsher consequences. Be attentive to what they were trying to do as well as what they did. If you can connect the dots, you may put yourself in front of them, and possibly even catch them. Dont just assume they will disappear or that they didnt really do anything anyway. Just to reiterate: keep good backups, change user accounts and passwords regularly, and develop a registry for access and authentication levels that can be deployed organization-wide.2.5 Patents and Legal Ramifications
Cryptographic routines are complex mathematical systems, and the people who have created them are experts who have spent a great deal of resources to create and protect their systems.Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more