security engineering - University of Sydney

ELEC5616
computer and network security
matt barrie
[email protected]
CNS2009
lecture 15 :: overview of network security
vendors will save you!
1995: Network Scanning Tools
1996: Firewalls
1997: Virtual Private Networks (VPNs)
1998: Intrusion Detection Systems (IDSs)
1999: Public Key Infrastructure (PKI)
2000: Biometrics
2001: Security Appliances
2002: Unified Threat Management (UTM) Appliances
2003, 2004, 2005, 2006, 2007, 2008, 2009…
… maybe not ...
• Only hackers end up running network scanning tools.
• Firewalls are walls with holes in them.
• VPNs run over … the Internet!
• Intrusion Detection Systems don’t detect new attacks, and perform poorly at detecting old ones.
• PKI requires a massive investment in complex infrastructure & management.
• Biometrics have lots of problems
  – They can be easily fooled
  – They incite violence against the user
  – What happens if the password file is compromised?
  – Fundamentally how do you revoke and issue new keys?
• Appliances are pretty boxes running the same software.
• Finally, no-one can configure any of this stuff properly anyway.
so what is going wrong?
• We are building the digital world on foundations of mud:
  – operating systems like Microsoft Windows
  – the IP stack, 802.11/WEP
  – poor user protocols (e.g. telnet, ftp, http, rsh)
  – poor network protocols (e.g. DNS)
  – poor network management protocols (e.g. SNMP, etc)
  – bad (poor security) programming languages (e.g. C)
  – there is a lack of proper infrastructure
  – there is a lack of quality developers
  – poor design and programming practice
    • e.g. design choices, implementation, assumptions
A case study in real world threats
to network security (and digital business)
• With thanks to Joel de la Garza (Securify)
background chronology
July 1999: The Computer Emergency Response Team (CERT) issues an advisory on denial-of-service attacks
Sep 1999: Packet Storm receives copies of DDoS tools
Nov 1999: CERT warns of a new class of attacks (DDoS) and tools in circulation at the CISAC Information Warfare conference
Dec 1999: Packet Storm receives the latest copies of TFN and trinoo (DDoS attack tools)
Dec 1999: Packet Storm releases new tools and launches Storm Chaser 2000: Next Generation CyberDefence.
the packet monkeys attack
Feb 7 2000: Yahoo - 3 hour outage
Feb 8 2000: E-bay - 5 hour outage
Feb 8 2000: buy.com - 4 hour outage - first day of IPO!
Feb 8 2000: Amazon - 3:45 outage
Feb 8 2000: CNN - 3:30 outage
Feb 9 2000: ZDnet - 3:15 outage
Feb 9 2000: E*trade - 2:45 outage
The attack:
• An amplified denial-of-service attack on the routers connecting these websites to the Internet
  – Amplified Ping and SYN floods
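The SYN-flood half of the attack above, worked through as an added example (this is not code from the lecture): a small detector run over constructed packet records. It looks for the signature a SYN flood leaves precisely because packets are unauthenticated: a burst of SYNs toward one destination port from many distinct (forged) source addresses that never complete the handshake, because the SYN/ACK goes to an address that never asked. The packet records, addresses and thresholds are constructed for the example; a real deployment would feed it flow records or a capture and would match each ACK to its SYN by 4-tuple rather than counting ACKs per destination.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float   # capture time in seconds
    src: str    # source IP, unauthenticated: a flooder forges this freely
    dst: str    # destination IP
    sport: int  # source TCP port
    dport: int  # destination TCP port
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def handshake_stats(packets: Iterable[Packet], window: float = 1.0) -> Dict[Tuple[int, str, int], dict]:
    """Per (time window, dst, dport): SYNs seen, ACKs seen and the distinct
    sources that sent a SYN. Per-window buckets make a burst visible even on
    a server that sees plenty of legitimate traffic over a whole day."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "sources": set()})
    for p in packets:
        key = (int(p.ts // window), p.dst, p.dport)
        if p.flags == "S":
            stats[key]["syn"] += 1
            stats[key]["sources"].add(p.src)
        elif p.flags == "A":   # third packet of the handshake (or a later data ACK)
            stats[key]["ack"] += 1
    return stats


def detect_syn_flood(packets: Iterable[Packet], window: float = 1.0, min_syns: int = 100,
                     max_completion: float = 0.1, min_sources: int = 50) -> List[dict]:
    """Flag a (window, dst, dport) when it receives at least `min_syns` SYNs from
    at least `min_sources` distinct addresses and at most `max_completion` of
    them are followed by an ACK. Forged sources never answer the SYN/ACK, so
    the completion ratio collapses to ~0 while the source count explodes."""
    alerts = []
    for (bucket, dst, dport), s in sorted(handshake_stats(packets, window).items()):
        completion = s["ack"] / s["syn"] if s["syn"] else 1.0
        if s["syn"] >= min_syns and completion <= max_completion and len(s["sources"]) >= min_sources:
            alerts.append({"window": bucket, "dst": dst, "dport": dport,
                           "syns": s["syn"], "acks": s["ack"], "sources": len(s["sources"])})
    return alerts


def build_sample() -> List[Packet]:
    """Constructed traffic, not a real capture. Window 0: three ordinary clients
    complete the handshake with the web server. Window 1: 200 SYNs from 200
    forged source addresses arrive in under a second and none of them ACK."""
    server = "203.0.113.10"
    pkts = []
    for i, client in enumerate(["198.51.100.5", "198.51.100.6", "198.51.100.7"]):
        t, eph = 0.1 * i, 40000 + i
        pkts.append(Packet(t, client, server, eph, 80, "S"))
        pkts.append(Packet(t + 0.01, server, client, 80, eph, "SA"))
        pkts.append(Packet(t + 0.02, client, server, eph, 80, "A"))
    for i in range(1, 201):
        # the server's SYN/ACK goes to 192.0.2.i, which never asked and never answers
        pkts.append(Packet(1.0 + 0.004 * i, f"192.0.2.{i}", server, 1024 + i, 80, "S"))
    return pkts


if __name__ == "__main__":
    for a in detect_syn_flood(build_sample()):
        print(f"window {a['window']}: SYN flood on {a['dst']}:{a['dport']} "
              f"({a['syns']} SYNs, {a['acks']} ACKs, {a['sources']} sources)")
```

The three thresholds are the tuning knobs: a busy site legitimately sees hundreds of SYNs a second, so the combination (many SYNs and many sources and almost no completions) is what separates a flood from a flash crowd, not any one of them alone.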
the press respond
“Still no news on who is behind the concerted DoS attacks that so crippled America’s ability to buy Pokemon trading cards earlier this week.” - Need to Know www.ntk.net
“In a case like this, there is no Interpol, no Pinkerton’s that you can turn to for help” - Wall Street Journal
“Like a distributed pizza attack where you call every pizza shop in town and deliver them to your worst enemy” - Bruce Schneier
“A 16-year-old Montreal boy will be sentenced in April for his admitted guilt in paralyzing the Web sites of several U.S. companies, such as Yahoo, Amazon and eBay, while acting as the hacker Mafiaboy in February 2000. The unidentified boy, who quit school and works a menial job, Thursday pleaded guilty to five counts of mischief, 51 counts of illegal access to a computer and one count of breach of bail conditions…” -- IDG
it’s all fun and games ...
• But to e-Businesses, denial of service of your website is denial of service to your business
• Organisations need to understand that in addition to Economies of the Internet (EoI) there are diseconomies of the Internet:
  – Information leakage
  – Operationally exposing your internals to the world 24x7x365
  – Increased risk associated with an increased chance of compromise
  – Ease with which attackers can execute and get away with crime
    • There is no Internet Police
    • Multiple barriers make it impossible to pursue
why did this happen?
• Lack of strong authentication
• The Internet protocols are weak
  – Packets are unmetered and unauthenticated
  – Packets can flow any way to their destination
    • This is why the network is resilient
• No audit trails
  – The protocols come from a history of gentle behaviour
    • Why would anyone want to forge email?
    • Why would anyone want to spam the network?
  – Network control protocols use in-band signaling
    • Something the telephone company figured out was bad a long time ago
• A friend of a suspect dared him to do it
the fundamental problem
• The biggest problem with the security architecture of the Internet is lack of strong authentication
  – You trust that I’m me because I tell you so
  – You trust my packets because they say they come from my IP
  – You trust my machine because I say it’s called “bullwinkle”
  – You trust me to login because my password is “britney”
  – You trust my email because it says it comes from [email protected]
  – You trust my connection because some other random machine on the Internet tells you I’m from niceguy.com
  – You trust my TCP connection because I tell you a sequence number (that I probably could have guessed) that you sent across the network to me earlier (in the clear)
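The last bullet, worked through as an added example (not the lecture's code): a toy TCP acceptor whose initial sequence number (ISN) comes either from a fixed per-connection increment, modelled loosely on the early BSD stacks, or from a 32-bit random source, and a blind-spoofing attacker in the style of the Morris/Bellovin sequence-number attack. The attacker first opens a genuine connection to learn one ISN, then sends a SYN carrying the address of a host the server trusts, never sees the SYN/ACK (it is routed to the trusted host), and completes the handshake with the ISN it predicts the server just chose. The trusted address, the ports, the increment of 64 and the trust rule (rsh-style trust of a source address on a privileged port) are assumptions for the example; a real attack also has to keep the impersonated host quiet so it does not RST the half-open connection.

```python
import random
from typing import Callable, Dict, List, Tuple

MASK32 = 0xFFFFFFFF


def predictable_isn_source(start: int = 0x1000, step: int = 64) -> Callable[[], int]:
    """ISN generator with a fixed per-connection increment: anyone who has seen
    one ISN knows the next. (Assumed constants; the old BSD stacks used small
    fixed increments per second and per connection.)"""
    state = {"isn": start}

    def next_isn() -> int:
        state["isn"] = (state["isn"] + step) & MASK32
        return state["isn"]
    return next_isn


def random_isn_source(rng: random.Random) -> Callable[[], int]:
    """32-bit random ISN: a blind guess succeeds with probability 2^-32."""
    return lambda: rng.getrandbits(32)


class Acceptor:
    """Server side of the three-way handshake with rsh-style address trust:
    a completed connection from a trusted source IP on a privileged port
    (< 1024) is treated as authenticated. Nothing else is checked."""

    def __init__(self, isn_source: Callable[[], int], trusted_hosts: Tuple[str, ...] = ("10.0.0.5",)):
        self.isn_source = isn_source
        self.trusted = set(trusted_hosts)
        self.pending: Dict[Tuple[str, int], int] = {}   # (src ip, src port) -> our ISN
        self.authenticated: List[Tuple[str, int]] = []

    def on_syn(self, src_ip: str, src_port: int) -> int:
        """Reply SYN/ACK carrying our ISN. The return value models the packet
        that goes back to src_ip: a spoofing attacker never receives it."""
        isn = self.isn_source()
        self.pending[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip: str, src_port: int, ack_no: int) -> bool:
        """Complete the handshake only if the ACK acknowledges our ISN + 1."""
        isn = self.pending.pop((src_ip, src_port), None)
        if isn is None or ack_no != (isn + 1) & MASK32:
            return False
        if src_ip in self.trusted and src_port < 1024:
            self.authenticated.append((src_ip, src_port))
        return True


def blind_spoof(server: Acceptor, attacker_ip: str, victim_ip: str,
                predict: Callable[[int], int]) -> bool:
    """Morris/Bellovin-style attack. Returns True if the server ends up
    believing victim_ip opened a new authenticated connection."""
    before = len(server.authenticated)
    # 1. Open a real connection from our own address to sample the ISN sequence.
    observed = server.on_syn(attacker_ip, 40000)
    server.on_ack(attacker_ip, 40000, (observed + 1) & MASK32)
    # 2. Send a SYN with the trusted host's address. The SYN/ACK (and the ISN in
    #    it) is routed to the trusted host, so the return value is discarded.
    server.on_syn(victim_ip, 1023)
    # 3. Finish the handshake with the ISN we *predict* the server chose.
    guess = predict(observed)
    server.on_ack(victim_ip, 1023, (guess + 1) & MASK32)
    return len(server.authenticated) > before


def run_experiment(trials: int = 100, seed: int = 1) -> Dict[str, int]:
    """Successful spoofs out of `trials` against each ISN scheme."""
    rng = random.Random(seed)
    predict_next = lambda isn: (isn + 64) & MASK32   # the attacker's model of the server
    results = {}
    for name, source in (("predictable", predictable_isn_source()), ("random", random_isn_source(rng))):
        server = Acceptor(source)
        results[name] = sum(blind_spoof(server, "203.0.113.7", "10.0.0.5", predict_next)
                            for _ in range(trials))
    return results


if __name__ == "__main__":
    print(run_experiment())   # predictable: every trial succeeds; random: none
```

The random scheme does not add authentication; it only removes the attacker's ability to guess the one secret the handshake carries, which is why modern stacks randomise ISNs and why that alone is still no substitute for authenticating the peer.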
… and ...
• Security is always catch-up
  – Always a significant time delay between finding, reporting, advising and fixing problems
• Security is usually reactive
  – Security is perceived as a cost centre, not a profit centre
• Homogeneous nature of the Internet (monocultures)
• Heterogeneous nature of the Internet (interoperability)
• Political issues, export restrictions
  – The government really doesn’t want you to be that secure
    • They want to raise the bar to their level
• Patents
• Humans use the Internet
the Internet is a monoculture
• Most hosts on the Internet run Windows
– With over 63,000 known bugs
• Most nameservers run Bind
– “Buggy Internet Name Daemon” or “300,000 lines of bad code” (Bernstein)
• Most mail servers run sendmail
– Historically the buggiest UNIX program (vying with bind)
• Most routers run Cisco IOS
– A proprietary operating system
• What can you say about the security of a program if you can’t look at the source?
• Most web servers run Apache (the exception - secure!)
– IIS at second place with ~20% has abysmal security
• Most applications are {outlook, hotmail/passport, MS office … }
– Email viruses would not have been a problem if Microsoft hadn’t decided html
emails were a good idea
• Most users have no clue about security
the result
• Attacks against any of {windows, bind, sendmail, IIS, IOS,
outlook, hotmail/passport or apache} will yield large numbers of
“0wn3d” machines.
• By “large” we mean significant percentages of the Internet
• In other words millions of machines
• Get ready for this soon to include your PDA, mobile phone, VoIP
communications, watch, pacemaker and stereo system.
common beliefs are wrong
• The common security philosophy is that if you secure the perimeter, you can keep the insides soft and gooey (marshmallow)
• This has always been a very bad assumption.
• Nowadays it is even worse; your network is like Afghanistan:
  – There is no border.
  – You cannot trust anyone.
  – There are simply too many ways into your network:
    • Internet connections (T1, cable, ADSL, frame relay …)
    • Dialup modems (not just those in the modem pool, all the others that employees use for “testing”, “private access” etc.)
    • 802.11 wireless networks (the record is well over 15 kilometres with a good antenna and amplifier)
    • Third party connections (vendors, partners, clients … )
• Users are 90% of the problem and they are already inside!
hosts are weak
• When not weak due to bugs, hosts are often weakly configured
• Default configurations are usually insecure
• Too many exposed services, exposed code
• Programs are written poorly in bad languages
• Programs run with too much privilege
• Hosts have users which further erode security
• In short there are too many ways to successfully attack hosts that can then be used to attack others:
  – Remote exploit to gain access to the system
  – Subversion of system to gain privileges
  – Leverage access to other systems across the whole network
    • Through trust relationships, packet sniffing, keystroke logging etc.
same old problems, new themes
• We’ve had fixes for most of these problems for 30 years…
• SANS Top 20 (2003) www.sans.org
UNIX
1. Multiple overflows in the remote procedure call (RPC) mechanism
2. Vulnerable CGI programs on web servers
3. Chunk handling bug in Apache and another in mod_ssl
4. Protocol problem in SSH1 leading to session decryption and buggy/trojan OpenSSL
5. Weak authentication in the simple network management protocol (SNMP)
6. Cleartext password sniffing with FTP and multiple bugs in multiple distributions
7. Trust problems with the r-* services
8. Buffer overflow in printer (lpd) services
9. Lots of bugs in sendmail
10. Lots of bugs in BIND
11. Accounts with no / default / poor passwords
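Item 7 above, and the earlier bullet about trusting a connection because some other random machine on the Internet says it comes from niceguy.com, both come down to the same check, shown here as an added example (not the lecture's code): an rsh-style `.rhosts` authorisation that trusts the name a reverse (PTR) lookup returns for the connecting address, beside the forward-confirmed version that also requires that name to resolve back to the same address. The resolver tables, host names and addresses are constructed for the example; the attacker is assumed to control the reverse zone for their own address block, which is all it takes to defeat the naive check.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Resolver:
    """Constructed stand-in for DNS. `ptr` maps IP -> name (the reverse zone,
    run by whoever owns the address block); `a` maps name -> addresses (the
    forward zone, run by the name's owner)."""
    ptr: Dict[str, str] = field(default_factory=dict)
    a: Dict[str, Set[str]] = field(default_factory=dict)

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, name: str) -> Set[str]:
        return self.a.get(name, set())


def rhosts_authorize(ip: str, sport: int, rhosts: Set[str], dns: Resolver,
                     forward_confirm: bool) -> bool:
    """rsh-style trust. Both variants require a privileged source port (only
    root could open one on a well-behaved UNIX host, which is the whole
    'authentication'). The naive variant then trusts whatever the PTR record
    says; the forward-confirmed variant also checks that the name's A records
    contain the connecting address, so the attacker's own reverse zone is not
    enough on its own."""
    if sport >= 1024:
        return False
    name = dns.reverse(ip)
    if name is None or name not in rhosts:
        return False
    if forward_confirm and ip not in dns.forward(name):
        return False
    return True


def build_scenario() -> Resolver:
    """Constructed zones. niceguy.com publishes the real address of its trusted
    host. The attacker, who owns 203.0.113.0/24, points the PTR for their own
    machine at the trusted name; they cannot touch niceguy.com's forward zone."""
    return Resolver(
        ptr={"10.0.0.5": "trusted.niceguy.com",
             "203.0.113.66": "trusted.niceguy.com"},
        a={"trusted.niceguy.com": {"10.0.0.5"}},
    )


RHOSTS = {"trusted.niceguy.com"}   # contents of the target account's .rhosts


def evaluate() -> Dict[str, bool]:
    """Run the legitimate host, the PTR-spoofing attacker and an unprivileged
    source port through both variants of the check."""
    dns = build_scenario()
    return {
        "legit_naive": rhosts_authorize("10.0.0.5", 1022, RHOSTS, dns, forward_confirm=False),
        "legit_fcrdns": rhosts_authorize("10.0.0.5", 1022, RHOSTS, dns, forward_confirm=True),
        "spoof_naive": rhosts_authorize("203.0.113.66", 1022, RHOSTS, dns, forward_confirm=False),
        "spoof_fcrdns": rhosts_authorize("203.0.113.66", 1022, RHOSTS, dns, forward_confirm=True),
        "legit_high_port": rhosts_authorize("10.0.0.5", 40000, RHOSTS, dns, forward_confirm=True),
    }


if __name__ == "__main__":
    for case, allowed in evaluate().items():
        print(f"{case:16s} {'ALLOW' if allowed else 'DENY'}")
```

Forward confirmation only raises the bar: both lookups are still unauthenticated DNS answers, so an attacker who can spoof or poison the forward answer for trusted.niceguy.com, or who can forge packets from 10.0.0.5 itself, walks straight through. Strong authentication has to come from something other than the network's own claims about itself.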
the top 10 security problems
Windows
1. Three major bugs in IIS (poor handling of user data, buffer overflows)
2. Program flaws in MDAC components
3. Remote exploit in MSSQL
4. Unprotected NETBIOS shares (no passwords, poor passwords)
5. Anonymous login / null sessions
6. Weak hashing with LANMAN passwords
7. Accounts with no passwords / poor passwords
8. Multiple vulnerabilities in multiple classes with Internet Explorer
9. Poor security settings allowing remote registry access
10. Worm exploiting windows scripting facility
note
• None of these problems are stopped by encryption
• None of these problems are stopped by firewalls
• None of these problems are stopped by VPNs
• None of these problems are stopped by biometrics
• None of these problems are stopped by IDSs
• None of these problems are stopped by PKIs
• Some are a result of lack of strong authentication
• Some are a result of bad programming
• Some are a result of poor security administration
moral of the story
references
• SANS Top Twenty Vulnerabilities – http://www.sans.org/top20.htm
• Packetstorm – www.packetstormsecurity.org