
Hands-On Ethical Hacking and Network Defense, 3rd Edition


Chapter 9
Network Protection Systems
Objectives

After completing this chapter, you will be able to:


• Explain how routers are used as network protection systems
• Describe firewall technology and tools for configuring firewalls and routers
• Describe intrusion detection and prevention systems and Web-filtering technology
• Explain the purpose of honeypots

Understanding Network Protection Systems
• Network Protection System
– Any device or system designed to protect a network
• Unified Threat Management (UTM) device
– Term used to describe a single device that combines
many network protection functions
• Such as those performed by routers, firewalls,
intrusion detection and prevention systems, VPNs,
Web-filtering systems, and malware detection and
filtering systems
• Security appliance
– Term covering both UTMs and other network protection systems
UTM
• Disadvantages of Unified Threat Management
– Lower performance
– Single point of failure
– Vendor lock-in
– Difficult to scale in large environments
– Limited feature set compared to point-product alternatives

Understanding Routers
• Routers are hardware devices
– Used to send packets to different network segments
• Operate at network layer of OSI model
• Routing protocols
– Link-state routing protocol
• Router advertises link-state
– Distance-vector routing protocol
• Router passes routing table to all participating routers
– Path-vector routing protocol
• Uses dynamically updated paths or routing tables to
transmit packets
Understanding Basic Hardware Routers
• Cisco routers
– Widely used in the networking community
• Millions used by companies around the world
• Vendors offering competitive products often design
their configuration interface to be similar to Cisco’s
– So, if you see a product from a Cisco competitor
• Vulnerabilities exist
– As they do in any OS

Cisco Router Components
• Random access memory (RAM)
– Holds router’s running configuration, routing tables,
and buffers
• If turned off, contents stored in RAM are erased
• Nonvolatile RAM (NVRAM)
– Holds router’s configuration file
• Information is not lost if the router is turned off
• Flash memory
– Holds IOS the router is using
– Rewritable memory, so IOS can be upgraded

Cisco Router Components
• Read-only memory (ROM)
– Contains a minimal version of IOS
• Used to boot router if flash memory gets corrupted
• Interfaces
– Hardware connectivity points for components of
most concern
• Ethernet port is an interface that connects to a LAN

Cisco Router Configuration
• Configuration modes:
– User mode
• Administrator can perform basic troubleshooting tests
and list information stored on router
• Indicated by router name followed by >
• Default mode
– Privileged mode
• Administrator can perform full router configuration
tasks
• Indicated by router name followed by #

Cisco Router Configuration
• Modes to configure the router (in privileged mode)
– Global configuration mode
• Configure router settings affecting router operation
– Interface configuration mode
• Administrator can configure an interface on the router

Understanding Access Control Lists
• Several types of access control lists
– This section focuses on IP access lists
• Lists IP addresses, subnets, or networks allowed or
denied access through a router’s interface
• Cisco router access lists
– Standard IP access lists
– Extended IP access lists

Standard IP Access Lists
• Can restrict IP traffic entering or leaving a router’s
interface based on source IP address
– To restrict traffic from Network 3 from entering
Network 1, the access list looks like this (both entries carry the list number):
access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any
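As an added example (not code from the book), a small Python model of how a Cisco router evaluates a standard IP access list: wildcard-mask matching, first match wins, and the implicit deny at the end. The two list entries and the Network 3 range are the slide's; the `host`/`any` handling and the test source addresses are constructed.

```python
import ipaddress

# Constructed example list (the two lines from the slide, with the list number on both):
# Network 3 is 173.110.0.0 with wildcard 0.0.255.255, i.e. 173.110.0.0/16.
STANDARD_ACL = [
    "access-list 1 deny 173.110.0.0 0.0.255.255",
    "access-list 1 permit any",
]

def _parse_source(tokens):
    """Return (address, wildcard) as ints for 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    addr = int(ipaddress.IPv4Address(tokens[0]))
    # No wildcard given means an exact host match (wildcard 0.0.0.0).
    wild = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return addr, wild

def parse_acl(lines):
    """Parse 'access-list <n> <permit|deny> <source> [<wildcard>]' lines, keeping order."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard IP access-list entry: {line!r}")
        addr, wild = _parse_source(parts[3:])
        entries.append((parts[2], addr, wild))
    return entries

def matches(src_ip, addr, wild):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    src = int(ipaddress.IPv4Address(src_ip))
    return (src & ~wild) == (addr & ~wild)

def evaluate(entries, src_ip):
    """First matching entry decides; every Cisco ACL ends with an implicit 'deny any'."""
    for action, addr, wild in entries:
        if matches(src_ip, addr, wild):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(STANDARD_ACL)
    for ip in ("173.110.4.20", "173.111.4.20", "10.0.0.5"):   # constructed test hosts
        print(f"{ip:>14} -> {evaluate(acl, ip)}")
    # Without the 'permit any' line the implicit deny drops every other source too:
    print("10.0.0.5 (deny line only) ->", evaluate(parse_acl(STANDARD_ACL[:1]), "10.0.0.5"))
```

The last line is the mistake the slide's typo would produce in practice: a list with only a deny entry blocks all traffic on the interface it is applied to.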

Extended IP Access Lists
• Restricts IP traffic entering or leaving based on:
– Source IP address
– Destination IP address
– Protocol type
– Application port number
• Configuration
– Similar to configuring a standard IP access list

Understanding Firewalls
• Hardware devices with embedded OSs
– Control access to all traffic entering the internal network
– Control traffic leaving the internal network
• Hardware firewall advantages:
– Usually faster than software firewalls
– Can handle larger throughput than software firewalls
• Hardware firewall disadvantage:
– Locked into firewall’s hardware

Understanding Firewalls
• Software firewall advantage:
– NICs are easily added to the server running the firewall
software
• Software firewall disadvantages:
– Configuration problems
– Rely on the running OS!

Understanding Firewall Technology
• Technologies include:
– Network address translation
– Access lists
– Packet filtering
– Stateful packet inspection
– Application layer inspection

Network Address Translation
• Most basic security feature of a firewall
– Internal private IP addresses are mapped to public
external IP addresses
• Hiding internal infrastructure
• Port Address Translation
– Derived from NAT
– Allows thousands of internal IP addresses to be
mapped to one external IP address
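As an added example (not from the book), a Python model of the PAT translation table the slide describes: many inside address/port pairs leave through one outside address, and a returning packet is delivered only if an inside host started the flow. The addresses, the starting port number and the class name are constructed.

```python
import itertools

class PortAddressTranslator:
    """Constructed model (not from the book) of Port Address Translation: many inside
    (ip, port) pairs share one outside IP and are told apart by the translated port."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self._ports = itertools.count(first_port)
        self.table = {}     # (inside_ip, inside_port) -> outside_port
        self.reverse = {}   # outside_port -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port):
        """Translate an outgoing packet; returns the (outside_ip, outside_port) it leaves with.
        A flow seen before keeps its existing mapping so replies keep matching."""
        key = (inside_ip, inside_port)
        if key not in self.table:
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = key
        return self.outside_ip, self.table[key]

    def inbound(self, outside_port):
        """Map a packet arriving at outside_port back to (inside_ip, inside_port), or None.
        None means no inside host started this flow, so the packet is dropped: the
        internal address space is never reachable from outside on its own."""
        return self.reverse.get(outside_port)

if __name__ == "__main__":
    pat = PortAddressTranslator("203.0.113.1")          # constructed public address
    # Two inside hosts (RFC 1918 space) happen to pick the same source port.
    a = pat.outbound("192.168.1.10", 40000)
    b = pat.outbound("192.168.1.11", 40000)
    print("host A leaves as", a, "host B leaves as", b)
    print("reply to", a[1], "goes to", pat.inbound(a[1]))
    print("unsolicited packet to port 2000 goes to", pat.inbound(2000))
```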

Access Lists
• Used to filter traffic based on:
– Source IP address
– Destination IP address
– Ports or services
• Firewalls also use this technology
• Creating access lists in a firewall
– Similar to creating them in a router

Packet Filtering
• Packet filters
– Screen packets based on information contained in
packet header
• Protocol type
• IP address
• TCP/UDP port

Stateful Packet Inspection
• Records session-specific information about a
network connection
– Stored in a state table
• Port scans relying on spoofing or on sending packets
after a three-way handshake are made ineffective
• Stateful packet filters
– Recognize anomalies most routers ignore
• Stateless packet filters
– Handle each packet on an individual basis
• Not resistant to spoofing or DoS attacks
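As an added example (not from the book), a Python model of a stateful packet filter beside a stateless one, showing the difference the slide draws: the stateful filter admits an outside packet only when it matches a connection in its state table, while the stateless "permit anything with ACK set" rule lets an unsolicited ACK probe through. The internal prefix, addresses, ports and state names are constructed.

```python
INSIDE_PREFIX = "10.0.0."   # constructed internal network

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

class StatefulFilter:
    """Constructed model (not from the book): inside hosts may open TCP connections
    outward; packets from outside are admitted only if they answer a tracked one."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> connection state
        self.state = {}

    def inspect(self, src, sport, dst, dport, flags):
        """Return 'permit' or 'deny' for one TCP segment; flags is a set like {'SYN','ACK'}."""
        if is_inside(src):
            key = (src, sport, dst, dport)
            if flags == {"SYN"}:                 # inside host starts a connection
                self.state[key] = "SYN_SENT"
                return "permit"
            if key in self.state:
                if "ACK" in flags and self.state[key] == "SYN_RECEIVED":
                    self.state[key] = "ESTABLISHED"   # third step of the handshake
                return "permit"
            return "deny"
        key = (dst, dport, src, sport)           # reverse the tuple for replies
        entry = self.state.get(key)
        if entry is None:
            return "deny"                        # unsolicited: ACK or SYN/ACK probe
        if entry == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.state[key] = "SYN_RECEIVED"
            return "permit"
        if entry in ("SYN_RECEIVED", "ESTABLISHED") and "ACK" in flags:
            return "permit"
        return "deny"

def stateless_established(src, sport, dst, dport, flags):
    """Stateless rule: permit anything from outside carrying the ACK flag."""
    return "permit" if is_inside(src) or "ACK" in flags else "deny"

if __name__ == "__main__":
    fw = StatefulFilter()
    for pkt in [("10.0.0.5", 40000, "203.0.113.10", 80, {"SYN"}),
                ("203.0.113.10", 80, "10.0.0.5", 40000, {"SYN", "ACK"}),
                ("10.0.0.5", 40000, "203.0.113.10", 80, {"ACK"}),
                ("198.51.100.7", 55555, "10.0.0.5", 22, {"ACK"})]:     # probe, no state
        print(pkt[:4], "stateful:", fw.inspect(*pkt), "stateless:", stateless_established(*pkt))
```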

Application Layer Inspection
• Inspects network traffic at a higher level in OSI
model
– Makes sure network traffic’s application protocol is
the type allowed by a rule
• Some application-aware firewalls act as a proxy for
all connections
– Safety net for servers or clients (or both)
• Depends on firewall

Implementing a Firewall
• Placing just a firewall between a company’s internal
network and the Internet is dangerous
– Leaves the company open to attack if a hacker
compromises that one firewall
• Use a demilitarized zone instead
– Adds a layer of defense

Demilitarized Zone
• Small network
– Contains resources a company wants available to
Internet users
• Helps maintain security on internal network
• Sits between Internet and internal network
– Sometimes referred to as a “perimeter network”

Understanding the Cisco Adaptive Security Appliance Firewall
• Cisco Adaptive Security Appliance (ASA) firewall
– One of the most widely used firewalls
– Replaced PIX firewall
– Added advanced modular features
• Intrusion detection and prevention
• More sophisticated application layer inspection

Configuring the ASA Firewall
• Logon prompt similar to a Cisco router’s
– Prompt:
If you are not authorized to be in this XYZ Hawaii
network device, log out immediately!
Username: admin
Password: ********
• Serves a legal purpose
– Prompt after successful log on:
Type help or '?' for a list of available commands.
ciscoasa>

Configuring the ASA Firewall
• After entering correct password
– You are in privileged mode
• To enter configuration mode
– Use same command as on a Cisco router
configure terminal or configure t
• Access lists
– Used to filter traffic
– To view access list type:
show run access-list

Using Configuration and Risk Analysis Tools for Firewalls and Routers
• Center for Internet Security
– One of the best Web sites for finding configuration
benchmarks and configuration assessment tools
• Benchmark
– Industry consensus of best configuration practices
• Cisco routers use CIS Cisco IOS Benchmark
• CIS offers a useful tool called Configuration
Assessment Tool (CAT)
– Available for both *nix and Windows systems

Using Configuration and Risk Analysis Tools for Firewalls and Routers
• RedSeal
– Unique network risk analysis and mapping tool
– Identifies configuration vulnerabilities in routers or
firewalls
– Generates professional-looking reports
– Analyzes IPSs and OS vulnerability scans
– Shows a graphical representation of vulnerabilities
discovered

Understanding Intrusion Detection and Prevention Systems
• Monitor network devices
– Security administrators can identify attacks in
progress and stop them
• Intrusion detection system (IDS)
– Examines traffic and compares it with known exploits
• Similar to virus software using a signature file to
identify viruses
• Intrusion prevention systems (IPSs)
– Similar to IDSs
– Also perform an action to prevent the intrusion

Network-Based and Host-Based IDSs and IPSs
• Network-based IDSs/IPSs
– Monitor activity on network segments
– Sniff traffic and alert when something suspicious occurs
• Host-based IDSs/IPSs
– Used to protect a critical network server or database
server
– Software is installed on server you’re attempting to
protect

Network-Based and Host-Based IDSs and IPSs
• IDSs are also categorized by how they react when
they detect suspicious behavior
– Passive systems
• Don’t take preventative action
• Send out an alert and log the activity
– Active systems
• Log events and send out alerts
• Can also interoperate with routers and firewalls

Network-Based and Host-Based IDSs and IPSs
• Vendors have started focusing on IPSs
– True network-based IPSs are installed inline in the
network infrastructure
• Traffic has to pass through IPS before going into or
out of the network
– More capable of stopping malicious traffic
– Host-based IPSs operate at the OS (or kernel) level
• Intercept traffic not allowed by host policy

Network-Based and Host-Based IDSs and IPSs
• Anomaly-based IDS
– Uses a baseline of normal activity and sends an alert
if activity deviates significantly from it
– Most IDS/IPS solutions have anomaly-detection
capabilities built in

Web Filtering
• Attackers commonly target devices allowed access
out of the network automatically: user workstations
– Get internal user to visit a bogus Web site or install
malicious code from an e-mail attachment
– Don’t need to break through the firewall
– After code is installed, they can control the Trojan
remotely with commands that might seem to be
normal traffic
• Can run network scans from the compromised
workstation

Web Filtering
• Web filtering is used to detect users’ attempts to
access malicious Web sites and block them
– Some block malicious code
• Before it gets to a user’s workstation
• Before it connects to an attacker’s control system
outside the network
• Mass compromises are used to initiate drive-by
downloads
– Web site visitors download malicious code without
their knowledge

Security Operations Center (SOC)
• Security Operations Center (SOC)
– Permanent team whose members are responsible
solely for security-response functions
• Indicators of compromise
– Artifacts left behind by attackers, which indicate that
a system or network has been compromised
• Security Information and Event Management
(SIEM) tools
– Help SOC teams identify attacks and indicators of
compromise by collecting, aggregating, and
correlating log and alert data
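As an added example (not from the book), a small Python correlation over constructed firewall-deny and IDS-alert records, the kind of collect-aggregate-correlate step a SIEM performs for a SOC: events from two feeds are normalised, grouped by source address, and a source that probed several ports and then triggered an IDS alert becomes one incident. The log format, addresses, signature ids, thresholds and windows are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (not real data) from two feeds a SIEM collects: firewall denies and IDS alerts.
RAW_LOGS = """\
2024-05-01T10:00:01 fw01 DENY tcp 198.51.100.7:51000 -> 10.0.0.5:22
2024-05-01T10:00:02 fw01 DENY tcp 198.51.100.7:51001 -> 10.0.0.5:23
2024-05-01T10:00:02 fw01 DENY tcp 198.51.100.7:51002 -> 10.0.0.5:445
2024-05-01T10:00:03 fw01 DENY tcp 198.51.100.7:51003 -> 10.0.0.5:3389
2024-05-01T10:00:03 fw01 DENY tcp 198.51.100.7:51004 -> 10.0.0.5:8080
2024-05-01T10:00:15 fw01 DENY tcp 192.0.2.9:40000 -> 10.0.0.5:22
2024-05-01T10:00:49 ids01 ALERT sid=1000001 msg="web scanner" src=198.51.100.7 dst=10.0.0.20
2024-05-01T10:01:30 ids01 ALERT sid=1000002 msg="odd user agent" src=203.0.113.44 dst=10.0.0.20
"""
FW_RE = re.compile(r"^(\S+) \S+ DENY \S+ (\S+):\d+ -> \S+:(\d+)$")
IDS_RE = re.compile(r"^(\S+) \S+ ALERT .* src=(\S+) ")

def parse(raw):
    """Normalise both feeds into (timestamp, source_ip, kind, dst_port) events."""
    events = []
    for line in raw.splitlines():
        if m := FW_RE.match(line):
            events.append((datetime.fromisoformat(m[1]), m[2], "deny", int(m[3])))
        elif m := IDS_RE.match(line):
            events.append((datetime.fromisoformat(m[1]), m[2], "alert", 0))
    return sorted(events)

def correlate(events, min_ports=5, scan_window=timedelta(seconds=60), alert_window=timedelta(minutes=10)):
    """Per source IP: >= min_ports distinct ports denied inside scan_window, then an IDS alert within alert_window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        denies = [e for e in evs if e[2] == "deny"]
        alerts = [e[0] for e in evs if e[2] == "alert"]
        for i, first in enumerate(denies):
            burst = [e for e in denies[i:] if e[0] - first[0] <= scan_window]
            ports = {e[3] for e in burst}
            if len(ports) >= min_ports:
                scan_end = burst[-1][0]
                if any(scan_end <= t <= scan_end + alert_window for t in alerts):
                    incidents.append((src, sorted(ports)))
                break  # one incident per source is enough for the analyst queue
    return incidents

if __name__ == "__main__":
    for src, ports in correlate(parse(RAW_LOGS)):
        print(f"incident: {src} scanned ports {ports} then triggered an IDS alert")
```

Neither feed alone produces the incident: the lone deny from 192.0.2.9 and the lone alert from 203.0.113.44 stay below the threshold, which is the point of correlating sources rather than alerting on each one.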
Understanding Honeypots
• Honeypot
– Computer placed on the network perimeter
• Contains information to lure and trap hackers
• Configured to have vulnerabilities
– Main goal is to distract hackers from attacking
legitimate network resources
– Keeps hackers connected long enough so they can
be traced back
– Serves as an excellent data collector and early
warning system

How Honeypots Work
• Honeypot appears to have important data or
sensitive information stored on it
– Could store fake financial data
– Hackers will spend time attacking the honeypot
• Stop looking for real vulnerabilities
• Enables security to collect data on attackers
• Virtual honeypots
– Created in software, using a programming language, rather
than by configuring a physical device

Summary
• Network protection systems
– Routers, firewalls, IDSs, IPSs, Web filters, etc.
• Routers
– Use access lists to accept or deny traffic
• Firewalls
– Can be hardware devices or software installed on
computer systems
– Use NAT, packet filtering, access control lists,
stateful packet inspection, and application layer
inspection

Summary
• DMZ
– Small network containing resources that sits
between the Internet and internal network
• Intrusion detection systems
– Monitor network traffic
• Network-based IDSs
– Monitor activity on network segments
• Host-based IDSs
– Protect a critical network server or database server

Summary
• Passive IDSs
– Don’t take any action or prevent an activity from
continuing to occur
• Active IDSs
– Log, send alerts, and interoperate with routers and
firewalls
• Intrusion prevention systems (IPSs)
– Detect malicious activity
– Can block or prevent malicious activity

Summary
• Configuring routers and firewalls securely
– Easier with benchmark tools
• Web filtering
– Can block Web sites containing malicious code
• Large organizations
– Might need a security incident response team
• Honeypots
– Lure hackers away from legitimate resources
