NETWORK INFRASTRUCTURE SECURITY

Angus Wong
Macao Polytechnic Institute
Rua de Luis Gonzaga Gomes 83
Macao, PR China

Alan Yeung
City University of Hong Kong
Tat Chee Avenue
Kowloon, Hong Kong, PR China

ISBN: 978-1-4419-0165-1
e-ISBN: 978-1-4419-0166-8
DOI: 10.1007/978-1-4419-0166-8
Library of Congress Control Number: 2009921186

© Springer Science+Business Media, LLC 2009
All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
Printed on acid-free paper.
springer.com

About the authors

Angus Kin-Yeung Wong obtained his BSc and PhD degrees from City University of Hong Kong, and is currently an associate professor at Macao Polytechnic Institute. Angus is active in research, and has served as a reviewer and technical program committee member for various journals and conferences. Angus is devoted to teaching in tertiary education. He has taught 11 different courses, ranging from first year to fourth year, and has developed five new network-related courses to keep students abreast of cutting-edge network technologies.

Alan Kai-Hau Yeung obtained his BSc and PhD degrees from The Chinese University of Hong Kong in 1984 and 1995 respectively. He is currently an associate professor at City University of Hong Kong.
Since his BSc graduation, he has spent more than 20 years teaching, managing, designing and researching different areas of computer networks. In the early days of LANs in the 1980s, he was involved in the design and setup of numerous networks, one of which was the largest LAN in Hong Kong at that time. He also frequently provides consultancy services to the networking industry. One notable project was the development of a GSM mobile handset in the late 1990s; the team Alan was part of successfully developed a handset prototype for a listed company in Hong Kong. Alan's extensive experience has helped him earn professional qualifications such as Cisco Certified Network Professional (CCNP), Cisco Certified Academy Instructor (CCAI), and Certified Ethical Hacker (CEH).

Angus and Alan have been collaborating on network-related research for over 10 years. They have obtained grants from universities and governments, and have published tens of technical papers. Besides research, they are fond of teaching and sharing with students, and both have been recognized for their teaching contributions: Angus Wong received the Macao Polytechnic Institute's Best Teacher Award in 2005-2006, and Alan Yeung received the City University of Hong Kong's Teaching Excellence Award in 2000-2001. Another point they have in common is that both are responsible for the establishment and maintenance of the Cisco switch and router learning environments in their own universities. Students' learning has proven to be enhanced significantly through hands-on experience with networking devices.

Preface

Unlike network information security, which is concerned with data confidentiality and integrity through techniques like cryptography, network infrastructure security is concerned with the protection of the network infrastructure itself; that is, it focuses on how to detect and prevent routers and other network devices from being attacked or compromised.
Although information assurance is important, it becomes meaningless if the data, no matter how secure its content is, cannot be delivered correctly through the Internet infrastructure to the intended destination. Since the Internet was originally assumed to operate in a trustworthy environment, it was designed without much concern for security. As a result, the infrastructure is vulnerable to a variety of security threats and attacks, such as packet spoofing, routing table poisoning and routing loops.

One reason network infrastructure security is important and has drawn much concern in recent years is that attacks on the infrastructure affect a large portion of the Internet and cause a large amount of service disruption. Since our daily operations depend heavily on the availability and reliability of the Internet, the security of its infrastructure has become a high-priority issue. We believe the topic will continue to draw much concern, and that various countermeasures and solutions will be proposed to secure the infrastructure in the coming years.

Goal of writing

This book aims to promote network infrastructure security by describing the vulnerabilities of network infrastructure devices, particularly switches and routers, through various examples of network attacks. The examples are illustrated in detail so that the operations and principles behind them are clearly revealed. To avoid serving as a hacking guide, the attack steps are described from a conceptual view. That is, we write something like "If an attacker injects a packet with a fake source address, the server will believe the attacker is the right client..."

Though some topics in this book have been covered in other books, the primary focus of those books is information security or the ways of configuring network devices. In writing this book, we attempt to emphasize network infrastructure security and draw attention to it in the field.
The network vulnerabilities and attacks discussed in this book are mainly based on protocol exploitation, not on software bugs or computer viruses, which are usually dependent on the particular platform, brand of router, operating system, version, etc.

Not the goal of writing

The purpose of this book is not to report new security flaws in network infrastructure devices. Most of the attacks discussed in this book have already been identified in the field, and the corresponding countermeasures have been proposed. If administrators are aware of the countermeasures, the attacks can be prevented.

Security has a large scope, and so has network infrastructure security. This book does not attempt to provide an exhaustive list of attack methods against network infrastructure and their countermeasures. Indeed, it is difficult, if not impossible, to write a single book covering the vulnerabilities of all kinds of network protocols on network devices of different brands and models running different versions of operating systems. To keep the book concise, it also does not thoroughly explain TCP/IP or network protocols, nor does it teach the full operation of switches or routers. Nonetheless, their basic ideas will be covered to facilitate the discussion of the topics.

Assumptions

Readers are assumed to have a basic understanding of computer networks and TCP/IP, and to want to learn more about the security of the major part of a computer network – the network infrastructure. Since IP is the most common network-layer protocol, this book only covers IP routers (i.e., routing based on IP). Similarly, since Ethernet is the most popular media access protocol, the switches mentioned in this book are Ethernet switches.

Audience

The book can be used as a text for undergraduate courses at senior levels, or for postgraduate courses.
It can also be used by engineers and practitioners to advance their knowledge of network infrastructure security. In general, network infrastructure security is an area of great interest to IP service providers, network operators, IP equipment vendors, software developers, and university instruction at both graduate and undergraduate levels. Specifically:

• People in the information security field can benefit from becoming acquainted with another aspect of security – network infrastructure security.
• People already in the field of network infrastructure security can benefit from having a resource devoted exclusively to the topic.
• People in the networking field can benefit from acquiring more information about the security of the devices (switches and routers) they deal with every day.
• Teachers in universities can benefit from having the syllabuses of network-related courses enriched with the topics of network infrastructure security.

Since this book does not focus on a particular platform or brand of network device but on the general principles of network infrastructure security, it is suitable for a wide range of readers.