Types of Attacks (network) and Defenses (Windows)

Types of Attacks (network) and Defenses (Windows)

By ghost | 15677 Reads |

0     0

I didn't write this, and I take no credit for it. I found it knowledgeable and wanted to share it with you. This was a copy and paste from a few resources.

—–ATTACKS—– Security issues with IP Without security, both public and private networks are susceptible to unauthorized monitoring and access. Internal attacks might be a result of minimal or nonexistent intranet security. Risks from outside the private network originate from connections to the Internet and extranets. Password-based user access controls alone do not protect data transmitted across a network.

Common types of network attacks Without security measures and controls in place, your data might be subjected to an attack. Some attacks are passive in that information is only monitored. Other attacks are active and information is altered with intent to corrupt or destroy the data or the network itself. Your networks and data are vulnerable to any of the following types of attacks if you do not have a security plan in place.

-Eavesdropping- In general, the majority of network communications occur in a plaintext (unencrypted) format, which allows an attacker who has gained access to data paths in a network to monitor and interpret (read) the traffic. When an attacker is eavesdropping on communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, data can be read by others as it traverses the network.

-Data modification- After an attacker has read data, the next logical step is often to modify it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be changed.

-Identity spoofing (IP address spoofing)- Most networks and operating systems use the IP address to identify a computer as being valid on a network. In some cases, it is possible for an IP address to be falsely used. This is known as identity spoofing. An attacker might use special programs to construct IP packets that appear to originate from valid addresses inside an organization intranet.

After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete data. The attacker can also conduct other types of attacks, as described in the following sections.

-Password-based attacks- A commonality among most operating systems and network security plans is password-based access control. Access to both a computer and network resources are determined by a user name and password.

Earlier versions of operating system components did not always protect identity information as it was passed through the network for validation. This might allow an eavesdropper to determine a valid user name and password and use it to gain access to the network by posing as a valid user.

When an attacker finds and accesses a valid user account, the attacker has the same rights as the actual user. For example, if the user has administrator rights, the attacker can create additional accounts for access at a later time.

After gaining access to a network with a valid account, an attacker can do any of the following:

Obtain lists of valid user and computer names and network information. Modify server and network configurations, including access controls and routing tables. Modify, reroute, or delete data. Denial-of-service attack Unlike a password-based attack, the denial-of-service attack prevents normal use of a computer or network by valid users.

After gaining access to a network, an attacker can do any of the following:

Distract information systems staff so that they do not immediately detect the intrusion. This gives an attacker the opportunity to make additional attacks. Send invalid data to applications or network services, causing applications or services to close or operate abnormally. Send a flood of traffic until a computer or an entire network is shut down. Block traffic, which results in a loss of access to network resources by authorized users. Man-in-the-middle attack As the name indicates, a man-in-the-middle attack occurs when someone between two users who are communicating is actively monitoring, capturing, and controlling the communication without the knowledge of the users. For example, an attacker can negotiate encryption keys with both users. Each user then sends encrypted data to the attacker, who can decrypt the data. When computers are communicating at low levels of the network layer, the computers might not be able to determine with which computers they are exchanging data.

-Compromised-key attack- A key is a secret code or number required to encrypt, decrypt, or validate secured information. Although determining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker determines a key, that key is referred to as a compromised key.

An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data. The attacker can also attempt to use the compromised key to compute additional keys, which might allow access to other secured communications.

-Sniffer attack- A sniffer is an application or device that can read, monitor, and capture network data exchanges and packets. If the packets are not encrypted, a sniffer provides a full view of the data that is inside of the packet. Even encapsulated (tunneled) packets can be opened and read if they are not encrypted.

Using a sniffer, an attacker can do the following:

Analyze a network and access information, eventually causing the network to stop responding or become corrupted. Read private communications. Application-layer attack An application-layer attack targets application servers by causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of an application, system, or network, and can do any of the following:

Read, add, delete, or modify data or an operating system. Introduce a virus that uses computers and software applications to copy viruses throughout the network. Introduce a sniffer program to analyze the network and gain information that can eventually be used to cause the network to stop responding or become corrupted. Abnormally close data applications or operating systems. Disable other security controls to enable future attacks.

—–DEFENSE—– In-depth defense Data must be protected from unauthorized interception, modification, or access. Network attacks can result in system downtime and public exposure to confidential information.

Network protection strategies generally focus only on preventing attacks from outside the private network by using firewalls, secure routers (security gateways), and user authentication for dial-up access. This is referred to as perimeter security, and it does not protect against attacks from within the network.

User access control security methods (for example, Kerberos V5 authentication), are not adequate to protect against most network-level attacks, because they rely solely on user names and passwords. Many computers are shared by multiple users. As a result, computers are often left in a state where the user name and password have already been validated. If a user name and password or a computer that has already been validated have been acquired by an attacker, user access security cannot stop the attacker's access to network resources.

Physical-level protection strategies, which are not commonly used, protect the physical network wires from being accessed and the network access points from being used. However, this rarely guarantees protection of the entire path that the data must travel through the network from source to destination.

The best level of protection is provided with the IPSec end-to-end model. In this model, the sending computer secures the data prior to transmission (before it reaches the network wires), and the receiving computer verifies the security of the data only after it has been received. For this reason, IPSec should be one of the components in a layered enterprise security plan. It protects your private data in a public environment by providing a strong, cryptography-based defense against attacks. All network traffic is secured at the packet level rather than for an entire communication (that is, a flow of packets). Used in combination with strong user access control, perimeter security, and physical level security, IPSec ensures an in-depth defense for your data.

Introducing IPSec IPSec is the long-term direction for secure networking. It provides a key line of defense against private network and Internet attacks, balancing security with ease of use.

IPSec has two goals:

To protect the contents of IP packets. To provide a defense against network attacks through packet filtering and the enforcement of trusted communication. Both goals are met through the use of cryptography-based protection services, security protocols, and dynamic key management. This foundation provides both the strength and flexibility to protect communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients. It can even be used to block receipt or transmission of specific traffic types.

IPSec is based on an end-to-end security model, establishing trust and security from a source IP to a destination IP address. The IP address itself does not necessarily have to be considered an identity, rather the system behind the IP address has an identity that is validated through an authentication process. The only computers that must know about the traffic being secured are the sending and receiving computers. Each computer handles security at its respective end, with the assumption that the medium over which the communication takes place is not secure. Any computers that only route data from source to destination are not required to support IPSec, unless firewall-type packet filtering or network address translation is being done between the two computers. This model allows IPSec to be successfully deployed for the following enterprise scenarios:

Local area network (LAN): client/server and peer-to-peer Wide area network (WAN): router-to-router and gateway-to-gateway Remote access: dial-up clients and Internet access from private networks Typically both sides require IPSec configuration (called an IPSec policy), to set options and security settings that will allow two systems to agree on how to secure traffic between them. The Windows XP implementation of IPSec is based on industry standards developed by the Internet Engineering Task Force (IETF) IPSec working group. Portions of IPSec-related services were jointly developed by Microsoft and Cisco Systems, Inc.

Protection against attacks IPSec protects data so that an attacker finds it extremely difficult or impossible to interpret it. The level of protection provided is determined by the strength of the security levels specified in your IPSec policy structure.

IPSec has a number of features that significantly reduce or prevent the attacks discussed in Security issues with IP:

-Sniffers (lack of confidentiality)- The Encapsulating Security Payload (ESP) protocol in IPSec provides data confidentiality by encrypting the payload of IP packets.

-Data modification- IPSec uses cryptography-based keys, shared only by the sending and receiving computers, to create a cryptographic checksum for each IP packet. Any modification to the packet data alters the checksum, which indicates to the receiving computer that the packet was modified in transit.

-Identity spoofing, password-based, application-layer, and denial-of-service attacks- IPSec allows the exchange and verification of identities without exposing that information to interpretation by an attacker. Mutual verification (authentication) is used to establish trust between the communicating systems and only trusted systems can communicate with each other. After identities are established, IPSec uses cryptography-based keys, shared only by the sending and receiving computers, to create a cryptographic checksum for each IP packet. The cryptographic checksum ensures that only the computers that have knowledge of the keys could have sent each packet.

-Man-in-the-middle attacks- IPSec combines mutual authentication with shared, cryptography-based keys.

-Denial-of-service attacks- IPSec uses IP packet filtering methodology as the basis for determining whether communication is allowed, secured, or blocked, according to the IP address ranges, IP protocols, or even specific TCP and UDP ports.