network_security_assesment

Differences

This shows you the differences between two versions of the page.

network_security_assesment [2009/06/08 03:37]
k2patel
network_security_assesment [2009/06/26 07:45]
k2patel
Line 442: Line 442:
 Thomas Lopatic et al. titled “A Stateful Inspection of Firewall-1” available as a Real\\ Thomas Lopatic et al. titled “A Stateful Inspection of Firewall-1” available as a Real\\
 Media video stream and PowerPoint presentation from [[ http://​www.blackhat.com/​html/​bh-usa-00/​bh-usa-00-speakers.html | Link]] Media video stream and PowerPoint presentation from [[ http://​www.blackhat.com/​html/​bh-usa-00/​bh-usa-00-speakers.html | Link]]
 +
 +=== Low-Level IP Assessment ===
 +Tools such as Nmap, Hping2, and Firewalk perform low-level IP assessment.
 +
 +Insight into the following areas of a network can be gleaned through low-level IP assessment:
 +
 +  * Uptime of target hosts (by analyzing the TCP timestamp option)
 +  * TCP services that are permitted through the firewall (by analyzing responses to TCP and ICMP probes)
 +  * TCP sequence and IP ID incrementation (by running predictability tests)
 +  * The operating system of the target host (using IP fingerprinting)
 +
 +The TCP timestamp option is defined in RFC 1323.
 +== Analyzing Responses to TCP Probes ==
 +A TCP probe always results in one of four responses. These responses potentially\\
 +allow an analyst to identify where a connection was accepted, or why and where it\\
 +was rejected, dropped, or lost:
 +  * TCP SYN/ACK
 +If a SYN/ACK packet is received, the port is considered open.
 +  * TCP RST/ACK
 +If an RST/ACK packet is received, the probe packet was rejected by either the\\
 +target host or an upstream security device (e.g., a firewall with a reject rule in its policy).
 +  * ICMP type 3 code 13
 +If an ICMP type 3 code 13 message is received, the host (or a device such as a\\
 +firewall) has administratively prohibited the connection according to an Access Control List (ACL) rule.
 +  * Nothing
 +If no packet is received, an intermediary security device silently dropped it.
  
 [[96]] [[96]]
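
Review bot: The "Nothing" item says a missing reply means an intermediary security device silently dropped the probe, which is stronger than the section's own introduction ("rejected, dropped, or lost") allows. No reply can equally mean the probe or its answer was lost in transit, or that the target is down, so suggest wording such as "the packet was probably dropped by an intermediary security device, or lost in transit" and noting that the probe should be repeated before a filter is inferred. Separately, the explanation under each bullet starts at column 0 rather than being part of the "  * " item, so DokuWiki will end the list after every bullet; folding each explanation into its list item keeps the four responses as one list.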
network_security_assesment.txt · Last modified: 2017/03/31 21:58 by k2patel