Basic Concepts - Mahmoud Youssef


Security
Chapter 9
Copyright 2003 Prentice-Hall
Panko’s Business Data Networking and Telecommunications, 4th edition
Figure 9.1: Types of Attackers

Wizard Internet Hackers

Highly capable attackers

Amateurs (Script Kiddies)

Light skills, but numerous and armed with
automated attack programs (kiddie scripts) of
increasing potency
Figure 9.1: Types of Attackers

Criminals

Theft of credit card numbers, trade secrets, and
other sensitive information

Sell the information or attempt extortion to prevent
the release of the information

Individual criminals

Industrial and government espionage spies
Figure 9.1: Types of Attackers

Employees

Dangerous because of internal knowledge and
access

Often, large losses per incident due to theft, fraud,
or sabotage
Figure 9.1: Types of Attackers

Information Warfare and Cyberterrorism

Massive attack by a government or terrorist group
against a country’s IT infrastructure

Attacks by amateur cyberterrorists are already
starting to approach this level of threat
Figure 9.2: Types of Security Systems

Secure Communication System: a client PC and a server exchange
messages. An attacker taps into the conversation and tries to read
messages, alter messages, or add new messages.

Attack Prevention System: an attacker on the Internet sends attack
messages at the corporate network. A firewall stops them at the
border; the hardened client PC and the hardened server (with
permissions) resist any attack messages that get through.
Figure 9.3: Attacks Requiring Protection

Hacking Servers

Access without permission or in excess of
permission

Attractive because of the data they store

Hacking Clients

Attractive because of their data or as a way to
attack other systems by using the hacked client as
an attack platform

Soft targets compared to servers; most users are
security novices
Figure 9.3: Attacks Requiring Protection

Denial-of-Service (DoS) Attacks

Make the system unusable (crash it or make it run
very slowly) by sending one message or a stream
of messages. Loss of availability.

Single-message DoS attack: the attacker sends the server one
message that crashes the victim.

Message-stream DoS attack: the attacker sends the server a
stream of messages that overloads the victim.

Figure 9.4: Denial-of-Service Attacks

Distributed DoS (DDoS) attack: messages come from many sources.
The attacker sends an attack command to each computer that runs a
zombie program, and every zombie sends its own message stream at
the victim server.
Figure 9.3: Attacks Requiring Protection

Scanning Attacks

To identify victims and ways of attacking them

Attacker sends probe messages in order to select victims and
attack methods

Examines the data that the responses reveal:

IP addresses of potential victims

What services victims are running; different
services have different weaknesses

Host's operating system, version number, etc.
Figure 9.3: Attacks Requiring Protection

Malicious Content

Viruses: infect files; propagate when a user executes an
infected program; payloads may be destructive

Worms: propagate by themselves

Trojan horses: appear to be one thing, such as a
game, but actually are malicious

Snakes: combine a worm with a virus, Trojan horses,
and other attacks
Figure 9.3: Attacks Requiring Protection

Malicious Content

Illegal content: pornography, sexual or racial
harassment

Spam (unsolicited commercial e-mail)

Security group is often called upon to address
pornography, harassment, and spam
Figure 9.5: Packet Filter Firewall

Packets arriving from the Internet (an IP header plus a TCP header
and application message; an IP header plus a UDP header and
application message; an IP header plus an ICMP message) pass through
the packet filter firewall, which permits them into the corporate
network or denies them.

Examines packets in isolation

Fast but misses some attacks
Figure 9.6: Access Control List Fragment

For Packets Containing TCP Segments:

Rule 1

IF Interface = Internal

AND (Source Port Number = 7056 OR Source Port
Number = 8002 through 8007)

THEN DENY

Remark: Used by a well-known Trojan horse
program.

Rule 2

IF Interface = External

AND Destination Port Number = 80

AND Destination IP Address = 172.16.210.22

THEN PERMIT

Remark: Going to a known webserver.

Rule 3

IF Interface = External

AND Destination Port Number = 80

AND Destination IP Address = NOT 172.16.210.22

THEN DENY

Remark: Going to an unknown webserver.

Rule 4

IF Interface = External

AND (SYN = Set AND FIN = Set)

THEN DENY

Remark: Used in host scanning attacks and not in
real transactions.

Order

Rules are executed in order

If a packet is permitted or denied by one rule, it will not reach
subsequent rules

Misconfiguration is easy, opening the network to
attack. In this very fragment, a SYN/FIN scan packet aimed at
port 80 on 172.16.210.22 is permitted by Rule 2 before Rule 4
is ever consulted; Rule 4 must come earlier to do its job.

Always test a firewall by hitting it with attack
messages to see if they are handled properly
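The rule-ordering point above, run as code. This is an added example, not from the book or the slides: a small first-match packet filter in Python that encodes the four rules of Figure 9.6 with a default DENY, then tests it with the attack messages the slide says you should use. The Packet fields, the interface names "internal"/"external", and the test traffic (203.0.113.0/24 source addresses, an internal host 172.16.5.5) are assumptions; the addresses and ports inside the rules come from the slides.

```python
# Added example: first-match packet filter for the ACL fragment of Figure 9.6.
# Packet layout, interface names and the test traffic are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    interface: str        # "internal" or "external": interface the packet arrived on
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    fin: bool = False


WEBSERVER = "172.16.210.22"
TROJAN_PORTS = {7056} | set(range(8002, 8008))    # 8002 through 8007 inclusive


def rule1(p):
    # Internal hosts sending from ports used by a well-known Trojan horse program
    if p.interface == "internal" and p.src_port in TROJAN_PORTS:
        return "DENY"
    return None


def rule2(p):
    # Going to the known webserver
    if p.interface == "external" and p.dst_port == 80 and p.dst_ip == WEBSERVER:
        return "PERMIT"
    return None


def rule3(p):
    # Going to an unknown webserver
    if p.interface == "external" and p.dst_port == 80 and p.dst_ip != WEBSERVER:
        return "DENY"
    return None


def rule4(p):
    # SYN and FIN set together: host scanning, never a real transaction
    if p.interface == "external" and p.syn and p.fin:
        return "DENY"
    return None


def filter_packet(p, rules):
    """Rules are consulted in order; the first one that matches decides and the
    rest are never reached. If nothing matches, the default is DENY."""
    for rule in rules:
        decision = rule(p)
        if decision is not None:
            return decision
    return "DENY"


ACL_AS_ON_SLIDE = [rule1, rule2, rule3, rule4]
ACL_FIXED = [rule1, rule4, rule2, rule3]    # scan check moved ahead of the PERMIT

# Constructed test traffic ("hit the firewall with attack messages")
TRAFFIC = {
    "normal_web":  Packet("external", "203.0.113.9", 40001, WEBSERVER, 80, syn=True),
    "other_web":   Packet("external", "203.0.113.9", 40002, "172.16.210.23", 80, syn=True),
    "trojan_out":  Packet("internal", "172.16.5.5", 8004, "203.0.113.9", 443),
    "synfin_scan": Packet("external", "203.0.113.9", 40003, WEBSERVER, 80, syn=True, fin=True),
}


def run_tests(rules):
    """Decision for every test packet under the given rule order."""
    return {name: filter_packet(pkt, rules) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    print("order as on slide:", run_tests(ACL_AS_ON_SLIDE))
    print("rule 4 moved up:  ", run_tests(ACL_FIXED))
```

With the slide's order the SYN/FIN scan of the webserver comes back PERMIT, because Rule 2 matches first and Rule 4 is never evaluated; with Rule 4 moved ahead of Rule 2 it is denied and the other three packets are handled exactly as before. Testing the ACL with the packets it is supposed to stop is what exposes the ordering mistake.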
Stateful Firewall (beyond what is in the book)

Does not examine packets in isolation

Examines each packet to see if it is part of an
ongoing conversation

Catches errors that packet filter firewalls cannot;
for example, refuses a TCP acknowledgement from an outside host
if no internal host has opened a connection to that host

Usually does not examine a packet in detail if the
packet is part of an ongoing conversation

This can miss attack packets
Figure 9.7: Application (Proxy) Firewall

The application firewall runs a separate proxy program for each
application: an HTTP proxy, an FTP proxy, an SMTP (e-mail) proxy.
For a web request:

1. The browser on the client PC sends an HTTP request to the HTTP
proxy on the application firewall.

2. The HTTP proxy examines the HTTP request and forwards it to the
webserver application on the webserver.

3. The webserver application sends the HTTP response to the HTTP
proxy.

4. The HTTP proxy examines the HTTP response and forwards it to the
browser.

Can examine the application message to filter packets
by application content

If a hacker takes over the proxy firewall, the hacker has not taken
over the internal clients, with which the firewall has only indirect
contact

Internal client's IP address is hidden. All packets sent
back by the server have the address of the application
proxy server.

Need a separate proxy program for each application
Figure 9.8: Network Address Translation (NAT)

1. The internal client sends a packet from 172.47.9.6, port 31789.

2. The NAT firewall rewrites the source to 192.168.34.2, port 13472,
records the pair in its translation table, and forwards the packet
to the server on the Internet.

3. The server replies to 192.168.34.2, port 13472.

4. The NAT firewall looks the pair up in its translation table,
rewrites the destination to 172.47.9.6, port 31789, and delivers
the packet to the client.

Translation Table

Internal IP Addr   Internal Port   External IP Addr   External Port
172.47.9.6         31789           192.168.34.2       13472
…                  …               …                  …

(As drawn, the slide's external address 192.168.34.2 lies in the
RFC 1918 private range while 172.47.9.6 is publicly routable; in a
real deployment the private address is the internal one and the
firewall's public address is the external one.)
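An added example (not from the book or the slides) that combines the translation table of Figure 9.8 with the stateful-inspection behaviour described earlier: packets from the Internet are delivered only when the table shows an internal host opened that conversation. It reuses the slide's addresses and ports; the packet representation, the sequential hand-out of external ports starting at 13472, the server addresses, and the TCP-only "a SYN starts a conversation" policy are assumptions made for the demonstration.

```python
# Added example: stateful NAT in the style of Figure 9.8. Addresses and ports
# from the slide; packet layout, port allocation and traffic are assumptions.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False     # TCP connection start (assumption: TCP traffic only)
    ack: bool = False


class NatFirewall:
    def __init__(self, external_ip, first_external_port):
        self.external_ip = external_ip
        self.next_port = first_external_port      # ports handed out sequentially (assumption)
        # Translation table, one row per conversation, indexed in both directions
        self.by_internal = {}   # (int_ip, int_port, srv_ip, srv_port) -> external port
        self.by_external = {}   # (external port, srv_ip, srv_port)    -> (int_ip, int_port)

    def outbound(self, pkt):
        """Steps 1-2: packet from an internal host; rewrite its source address and port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.by_internal:
            if not pkt.syn:
                return None   # mid-conversation packet for a conversation we never saw start
            port = self.next_port
            self.next_port += 1
            self.by_internal[key] = port
            self.by_external[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=self.by_internal[key])

    def inbound(self, pkt):
        """Steps 3-4: packet from the Internet; deliver it only if the table says an
        internal host is talking to this server on this external port."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self.by_external.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None   # unsolicited: no internal host opened this conversation
        int_ip, int_port = entry
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo():
    """The exchange of Figure 9.8 plus two unsolicited packets; reports what happened."""
    nat = NatFirewall("192.168.34.2", 13472)
    server = "198.51.100.80"                       # constructed server address
    out = nat.outbound(Packet("172.47.9.6", 31789, server, 80, syn=True))
    reply = nat.inbound(Packet(server, 80, "192.168.34.2", 13472, syn=True, ack=True))
    stray_host = nat.inbound(Packet("203.0.113.7", 80, "192.168.34.2", 13472, ack=True))
    stray_port = nat.inbound(Packet(server, 80, "192.168.34.2", 13473, ack=True))
    return {
        "sent_as": (out.src_ip, out.src_port),
        "reply_delivered_to": (reply.dst_ip, reply.dst_port),
        "stray_host_delivered": stray_host is not None,
        "stray_port_delivered": stray_port is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The client's packet leaves as 192.168.34.2:13472 and the server's reply comes back to 172.47.9.6:31789, exactly as in the figure. The two stray packets (an ACK from a host nobody inside contacted, and one to an external port that was never handed out) are dropped because no table row matches; that is the "refuse a TCP acknowledgement if an internal host has not opened a connection" behaviour of a stateful firewall.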
Figure 9.9: Intrusion Detection

1. An attacker sends an attack packet, and a legitimate host sends a
legitimate packet, toward the internal host.

2. The intrusion detection system copies all packets into a dump.

3. The intrusion detection system sends the network administrator a
notification of a possible attack.

4. The network administrator analyzes the dump.
Firewalls versus Intrusion Detection (new; not in the book)

Firewalls permit or deny traffic based on filtering rules

Intrusion detection systems (IDSs) only save and mark
certain packets as suspicious; they do not take action

Some firewalls issue alerts when packets are dropped,
and most firewalls log all drops

IDSs flag all suspicious packets, many of which
turn out to be acceptable; firewall drop rules are more
specific
Figure 9.10: Hardening Clients and Servers

Known Weaknesses

Known security weaknesses in operating systems
and application programs

Must download vendor patches to fix these known
weaknesses

Firms often fail to do so (vendors issue 30-50
patches per week); patches must be installed on each
server

Host Firewalls

Server firewalls and personal (client) firewalls
Figure 9.10: Hardening Clients and Servers

Server Authentication

Passwords

Cracking with exhaustive search and dictionary
attacks

Strong passwords

Super accounts (accounts with superuser privileges)

Rules for Strong Passwords

At least 8 characters long

At least one change of case

At least one digit (0-9) not at the end

At least one non-alphanumeric character
(#@%^&*!) not at the end
Figure 9.11: Kerberos Authentication (Simplified)

1. The applicant performs an initial sign-on to the Kerberos server.

3. The Kerberos server returns a ticket to the applicant.

4. The applicant presents the ticket to the verifier.
Figure 9.10: Hardening Clients and Servers

Server Authentication

Biometric authentication

Fingerprint: least expensive

Iris: most accurate

Face recognition: controversial in public places
for mass identification

Other forms of biometric identification

Smart cards (ID card with microprocessor and data)
Figure 9.10: Hardening Clients and Servers

Limiting Permissions on Servers (Ch. 10)

Only permit access to some directories

Limit permissions (what the user can do) there

Like controlling access to a building; not allowed to
go anywhere and remove items, etc.
Figure 9.12: Secure Communication System

Between the client PC and the server:

1. Initial negotiation of security parameters

2. Mutual authentication

3. Key exchange or key agreement

4. Subsequent communication with message-by-message
confidentiality, authentication, and message integrity
Figure 9.13: Symmetric Key Encryption for
Confidentiality

Party A encrypts the plaintext "Hello" with the encryption method
and the symmetric key, producing the ciphertext "11011101".

The ciphertext travels across the network; an interceptor sees
only the ciphertext "11011101".

Party B, who holds the same symmetric key, applies the decryption
method and key to the ciphertext and recovers the plaintext "Hello".
Figure 9.14: Public Key Encryption for
Confidentiality

Party A to Party B: Party A encrypts with Party B's public key;
Party B decrypts with Party B's private key.

Party B to Party A: Party B encrypts with Party A's public key;
Party A decrypts with Party A's private key.
Quiz

1. In two-way conversations encrypted with
symmetric key encryption, how many keys are
used?

2. In two-way conversations encrypted with
Public key encryption, how many keys are
used?
Quiz

3. In public key encryption for confidentiality,
the sender always encrypts with the _____ key
of the _____.
Figure 9.15: Public Key Distribution for
Symmetric Keys

1. Party A creates a symmetric session key.

2. Party A encrypts the session key with Party B's public key.

3. Party A sends Party B the symmetric session key, encrypted
with Party B's public key.

4. Party B decrypts the session key with Party B's private key.

5. Subsequent bulk encryption of all messages uses the symmetric
session key.
Figure 9.16: MS-CHAP Challenge-Response
Authentication Protocol

Note: both the client (applicant) and the server (verifier)
know the client's password.

1. The verifier creates a challenge message.

2. The verifier sends the challenge message to the applicant.

3. The applicant creates the response message:
a) adds its password to the challenge message,
b) hashes the resultant bit string,
c) this gives the response message.

4. The applicant sends the response message to the verifier.

5. The verifier adds the password to the challenge message it
sent and hashes the combination. This should be the expected
response message.

6. The verifier compares the transmitted response with the
expected response. If the two are equal, the client knows the
password and is authenticated.

Note: the figure shows the generic challenge-response pattern.
Real MS-CHAP computes the response from the NT hash of the
password (the challenge is DES-encrypted under keys derived from
that hash) rather than from the password itself, so the verifier
stores the hash; for this protocol the stored hash is still
password-equivalent, so the verifier's password store must be
protected as carefully as the passwords themselves.
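The exchange above as runnable code. This is an added example of the challenge-response pattern in Figure 9.16, not MS-CHAP's actual algorithm: the response is SHA-256 over challenge || password, as the slide describes (an assumption made for the demonstration), and the password, the wordlist and the fixed challenge used in the test are constructed. It shows the two properties a practitioner should take away: a captured response is useless against a fresh challenge, but anyone who captured one challenge/response pair can test password guesses offline without ever contacting the verifier.

```python
# Added example of the Figure 9.16 pattern (SHA-256 over challenge || password);
# not the real MS-CHAP computation. Secrets and traffic are constructed.
import hashlib
import hmac
import os


def make_challenge(nbytes=16):
    """Step 1: the verifier creates a random, never-reused challenge."""
    return os.urandom(nbytes)


def compute_response(challenge, password):
    """Step 3: append the password to the challenge and hash the bit string."""
    return hashlib.sha256(challenge + password.encode("utf-8")).digest()


def verify_response(challenge, transmitted_response, password):
    """Steps 5-6: the verifier recomputes the expected response from the
    challenge it sent and compares it (in constant time) with what arrived."""
    expected = compute_response(challenge, password)
    return hmac.compare_digest(transmitted_response, expected)


def authenticate(verifier_password, applicant_password, challenge=None):
    """One full exchange; returns (challenge, response, accepted)."""
    if challenge is None:
        challenge = make_challenge()                             # steps 1-2
    response = compute_response(challenge, applicant_password)  # steps 3-4
    return challenge, response, verify_response(challenge, response, verifier_password)


def offline_guess(challenge, response, wordlist):
    """What an eavesdropper holding one captured exchange can do: a dictionary
    attack against the hash, with no further contact with the verifier."""
    for guess in wordlist:
        if compute_response(challenge, guess) == response:
            return guess
    return None


if __name__ == "__main__":
    PASSWORD = "Correct-Horse-7"                    # constructed shared secret
    c1, r1, ok = authenticate(PASSWORD, PASSWORD)
    print("genuine applicant accepted:", ok)
    print("wrong password accepted:", authenticate(PASSWORD, "guess123")[2])
    print("replay of r1 against a new challenge accepted:",
          verify_response(make_challenge(), r1, PASSWORD))
    print("offline guess from captured (c1, r1):",
          offline_guess(c1, r1, ["password", "letmein", "Correct-Horse-7"]))
```

Two design points follow from the code: the challenge must be unpredictable and never reused, otherwise the replay check in step 6 gives no protection; and because the verifier must hold the password (or a password-equivalent hash) to recompute the response, a compromised verifier store lets an attacker impersonate every client, which is why the "strong passwords" rules matter even when passwords never cross the wire in the clear.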
Figure 9.17: Digital Signature

The sender adds a digital signature (DS) to each plaintext message
sent to the receiver. This provides message-by-message
authentication.

Sender: to create the digital signature:

1. Hash the plaintext to create a brief message digest (MD). This
is NOT the digital signature.

2. Sign (encrypt) the message digest with the sender's private key
to create the digital signature (DS).

Transmission: the sender encrypts the plaintext plus the digital
signature with the symmetric session key and sends them; the
receiver decrypts them.

Receiver:

1. Hash the received plaintext with the same hashing algorithm the
sender used. This gives the message digest.

2. Decrypt the digital signature with the true party's public key.
This also should give the message digest.

3. If the two match, the message is authenticated: the sender has
the true party's private key.
Figure 9.18: Public Key Deception

Impostor to Verifier: "I am the True Person." The verifier must
authenticate the True Person.

Impostor to Verifier: "Here is TP's public key." (Really sends the
Impostor's public key.) This is the critical deception: the
verifier now believes it has TP's public key.

Impostor to Verifier: "Here is authentication based on TP's
private key." (Really the Impostor's private key.) The verifier
believes the True Person is authenticated, because the check was
done with the Impostor's public key.

Verifier to "True Person": "Here is a message encrypted with your
public key." The message is encrypted with the Impostor's public
key, so the Impostor can decrypt it.
Digital Certificates

Digital certificates are electronic documents
that give the true party’s name and public key

Applicants claiming to be the true party have
their authentication methods tested by this
public key

If they are not the true party, they cannot use
the true party’s private key and so will not be
authenticated
Figure 9.19: Public Key Infrastructure (PKI)

The certificate authority runs the PKI server; Lee is an applicant,
Brown and Cheng are verifiers.

1-2. The certificate authority creates and distributes to the
applicant (Lee) (1) a private key and (2) a digital certificate.

3. Verifier Cheng requests the certificate for Brown from the
certificate authority.

4. The certificate authority sends Cheng the certificate for Brown.

5. Applicant Lee sends the certificate for Lee to verifier Brown.

6. The verifier checks the certificate revocation list (CRL) at the
certificate authority for Lee's digital certificate.

7. The certificate authority answers: revoked or OK.
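Figures 9.17, 9.18 and 9.19 together, as an added example that is not the book's code. It uses textbook RSA with no padding, which matches the slides' "encrypt the digest with the private key" description but is not how production signatures work (real schemes add padding such as RSA-PSS, or use algorithms like ECDSA where signing is not encryption at all); it is for illustration only. The key pairs are built from Mersenne primes 2^k - 1 with k = 521, 607, 127, 1279, 107 and 2203 so the example runs offline without a prime generator, the certificate format is a JSON object signed by the CA, and the names, challenge and messages are constructed; all of these are assumptions. The scenarios show a genuine signature verifying, a tampered message failing, the Figure 9.18 impostor failing once the verifier takes public keys only from a CA-signed certificate, and a CRL entry revoking an otherwise valid certificate.

```python
# Added example: textbook RSA (no padding) to illustrate Figures 9.17-9.19.
# Not for real use. Primes, certificate format, names and messages are assumptions.
import hashlib
import json

E = 65537  # public exponent; coprime to (p-1)(q-1) for every prime pair used below


def keypair(p, q):
    """Public key (n, e) and private key (n, d) from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def message_digest(message: bytes) -> int:
    """Sender step 1: hash the plaintext to a brief message digest (MD)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Sender step 2: 'encrypt' the digest with the private key -> digital signature."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: hash the plaintext, 'decrypt' the DS with the public key, compare."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)


def certificate_payload(subject, public_key) -> bytes:
    return json.dumps({"subject": subject, "n": public_key[0], "e": public_key[1]},
                      sort_keys=True).encode()


def issue_certificate(subject, public_key, ca_private):
    """The CA binds a name to a public key by signing the pair (Figure 9.19, step 2)."""
    return {"subject": subject, "public_key": public_key,
            "ca_signature": sign(certificate_payload(subject, public_key), ca_private)}


def certificate_is_valid(cert, ca_public, crl) -> bool:
    """Signed by the CA we trust, and not on the certificate revocation list (steps 6-7)."""
    payload = certificate_payload(cert["subject"], cert["public_key"])
    return verify(payload, cert["ca_signature"], ca_public) and cert["subject"] not in crl


def authenticate(claimed_name, cert, challenge, response, ca_public, crl) -> bool:
    """Verifier: take the public key only from a valid certificate for the claimed
    name (defeats Figure 9.18), then check the applicant's signature on the challenge."""
    if cert["subject"] != claimed_name or not certificate_is_valid(cert, ca_public, crl):
        return False
    return verify(challenge, response, cert["public_key"])


# Keys from Mersenne primes (assumption: chosen only so this runs offline)
CA_PUB, CA_PRIV = keypair(2**521 - 1, 2**607 - 1)
LEE_PUB, LEE_PRIV = keypair(2**127 - 1, 2**1279 - 1)
IMP_PUB, IMP_PRIV = keypair(2**107 - 1, 2**2203 - 1)       # the Impostor's own pair
LEE_CERT = issue_certificate("Lee", LEE_PUB, CA_PRIV)
CHALLENGE = b"nonce-from-verifier-0001"                      # constructed


def scenarios(crl=()):
    """Outcome of each authentication attempt under the given CRL."""
    # Figure 9.18: "Here is TP's public key" (really the Impostor's), self-signed
    fake_cert = issue_certificate("Lee", IMP_PUB, IMP_PRIV)
    return {
        "lee_with_real_cert": authenticate(
            "Lee", LEE_CERT, CHALLENGE, sign(CHALLENGE, LEE_PRIV), CA_PUB, crl),
        "impostor_self_signed_cert": authenticate(
            "Lee", fake_cert, CHALLENGE, sign(CHALLENGE, IMP_PRIV), CA_PUB, crl),
        "impostor_with_lee_cert": authenticate(
            "Lee", LEE_CERT, CHALLENGE, sign(CHALLENGE, IMP_PRIV), CA_PUB, crl),
        "tampered_message": verify(b"pay 100", sign(b"pay 10", LEE_PRIV), LEE_PUB),
    }


if __name__ == "__main__":
    print(scenarios())
    print("Lee after revocation:", scenarios(crl={"Lee"})["lee_with_real_cert"])
```

Only Lee, holding the private key that matches the public key inside the CA-signed certificate, is accepted. The Impostor's self-signed certificate fails the CA signature check, so the verifier never believes it has "TP's public key"; the Impostor presenting Lee's genuine certificate fails because the response was made with the wrong private key; and putting Lee on the CRL turns the genuine case into a rejection, which is exactly the check in steps 6-7 of Figure 9.19.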
Figure 9.20: Security at Multiple Layers

Layer        Example
Application  Application-specific (for instance, passwords for a
             database program); Application (Proxy) Firewalls
Transport    SSL (TLS), Packet Filter Firewalls
Internet     IPsec, Packet Filter Firewalls
Data Link    Point-to-Point Tunneling Protocol (PPTP), Layer 2
             Tunneling Protocol (L2TP)
Physical     Physical locks on computers, Notebook Encryption
Figure 9.20: Security at Multiple Layers

Having security at multiple layers provides
protection if one layer’s security fails

Having security at multiple layers also slows
processing on the device

So provide protection in at least two layers but
not in all layers
Figure 9.21: Creating Appropriate Security

Understanding Needs

Need to make security proportional to risks

Organizations face different risks

Policies and Enforcement

Policies bring consistency

Training in the importance of security and in
protection techniques

Social engineering prevention training

Security audits: attack your system proactively;
you must really be able to trust your testers

Incident handling: restoring the system,
prosecution, planning and practicing

Privacy

Need to protect employee & customer privacy