Network Security


CSE2500 SYSTEM SECURITY & PRIVACY
Introduction to Computer Network Security
Layout
Network security: what is different from computer systems security?
Possible scenarios for network connections and their implications for security concerns.
What is the principal mode of attack in networks, and how can you defend against it?
In which part of the network structure can we enforce security?
How can we do it efficiently?
CSE2500 System Security & Privacy
Srini & Nandita
2
What have we seen so far?
Authentication
Access control
Encryption
Internetwork Architecture?
[Diagram: a wired stranger, a wireless stranger and other strangers connected through the Internet to a server.]
Services of the server are:
Web servers
Email servers
FTP servers
Web and email servers
Web, email and FTP servers
Modem servers
Web, email, FTP and modem servers
Web, email and file servers
Etc.
Consider a web server
What is the authentication here?
What is the access control here?
If these do not apply, what is the issue with respect to security?
Recap: Security Attacks - Taxonomy
Interruption – attack on availability
Interception – attack on confidentiality
Modification – attack on integrity
Fabrication – attack on authenticity
The availability (and confidentiality) properties need to be preserved; how can they be threatened?
Model for network security
[Diagram: a gatekeeper guarding the information channel.]
Attacks are
Snooping or sniffing: the attacker observes network traffic without disturbing the transmission (passive), e.g. snooping for passwords.
Sniffing software works by placing a system's network interface into promiscuous mode.
Attacks are
Denial of service: make the server inoperative or inefficient, e.g. the ping (of death) attack, by flooding.
ICMP ECHO Flooding
[Diagram: a hacker on a T-1 link sends ICMP echo packets 1 ... n across the Internet to a server on a 128K link.]
Ping Attack
The hacker sends an ICMP Echo request to the target, expecting an ICMP Echo reply to be returned for each request.
The hacker, because of the higher bandwidth, can send more requests than the target can handle.
Countermeasures
No known defense
TCP SYN Flooding
[Diagram: hacker, target host, unreachable IP address and legitimate client.]
SYN Attack
Attack method:
Most hosts will only support 8-16 simultaneous communication channels.
The hacker sends a sequence of SYN packets. Each SYN packet (about 120 per second) has a different and unreachable IP address.
This consumes all the communication channels and results in a denial of any TCP-based service.
Countermeasure: expand the number of ports, reduce the time-out period, validate TCP request packets.
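As an added example (not part of the course notes), the following Python model puts numbers on the SYN-attack countermeasures: the half-open table plays the role of the "communication channels", the attacker sends 120 spoofed SYNs per second as on the slide, and the legitimate-client rate, run length and table sizes are constructed assumptions.

```python
from collections import deque


def simulate_syn_flood(backlog, timeout_s, spoof_rate=120, legit_rate=2,
                       duration_s=60):
    """Return (legitimate SYNs seen, legitimate SYNs rejected).

    Time advances in one-second ticks. A spoofed SYN has an unreachable
    source address, so its half-open entry leaves the table only when the
    time-out expires; a legitimate client answers the SYN-ACK at once, so
    it needs a free slot only at the instant its SYN arrives.
    """
    half_open = deque()               # expiry times of spoofed entries (FIFO)
    legit_total = legit_rejected = 0
    for now in range(duration_s):
        while half_open and half_open[0] <= now:   # time-out reclaims slots
            half_open.popleft()
        for _ in range(spoof_rate):                # flood takes every free slot
            if len(half_open) < backlog:
                half_open.append(now + timeout_s)
        for _ in range(legit_rate):                # clients arriving this tick
            legit_total += 1
            if len(half_open) >= backlog:          # table full: SYN dropped
                legit_rejected += 1
    return legit_total, legit_rejected


if __name__ == "__main__":
    # constructed scenarios: the slide's 16 channels, then a bigger table
    # with a shorter time-out, then a table larger than rate x time-out
    for backlog, timeout in ((16, 75), (1024, 10), (4096, 10)):
        total, rejected = simulate_syn_flood(backlog, timeout)
        print(f"backlog={backlog:5d} timeout={timeout:3d}s "
              f"rejected {rejected}/{total} legitimate SYNs")
```

With 16 channels every legitimate SYN is rejected; a larger table helps only once it exceeds rate x time-out, which is why the slide pairs expanding the table with a shorter time-out.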
Attacks are
Impersonation: stealing the identity of someone, so that the other party thinks that you are the true identity.
Impersonation
Authentication at the IP layer is concerned with the identity of computer systems.
IP addresses are software configurable, and the mere possession (or fraudulent use) of one enables communication with other systems.
Two techniques to do this are address masquerading and address spoofing.
Address Masquerading
Address Spoofing
Also known as the TCP sequence number attack.
First we need to understand how the three-way TCP handshake protocol works.
A handshake is an assertion that indicates one party's readiness to send or receive data.
When two systems share a hardware connection, a two-way handshake is enough.
Since TCP rides on IP, an unreliable, connectionless protocol, a three-way handshake is required.
Handshake in TCP
Machine A -> Machine B: SYN + ISN_A
Machine B -> Machine A: SYN + ISN_B + ACK(ISN_A + 1)
Machine A -> Machine B: ACK(ISN_B + 1)
Application data follows.
SYN – synchronize request
ISN – initial sequence number
ACK – acknowledgement for the ISN
TCP Connection (three-way)
[Diagram: client and server exchanging segments 1, 2 and 3.]
Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 shows the advertised window size of the sending station, while the field <mss 1024> shows the maximum segment size the sender is prepared to receive. SYN=1, ACK=0.
Segment 2 shows the server responding with a SYN segment with ISN 181521 and acknowledging the client's ISN with ISN + 1. This is called a Passive Open. SYN=1, ACK=1.
Segment 3 shows the client responding by acknowledging the server's ISN with ISN + 1. SYN=0, ACK=1.
Data can now be transmitted.
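As an added example (not the slides' own code), this Python model replays the three segments with the slide's ISNs, 141521 for the client and 181521 for the server, and shows the one check that gates the connection: segment 3 must acknowledge exactly the server's ISN + 1. The field names and the simplified state machine are constructed.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    syn: bool
    ack: bool
    seq: int           # sequence number (the ISN on a SYN)
    ack_num: int = 0   # acknowledgement number, meaningful only if ack


class Server:
    """Passive open: LISTEN -> SYN-RECEIVED -> ESTABLISHED."""

    def __init__(self, isn):
        self.isn = isn
        self.state = "LISTEN"

    def receive(self, seg):
        if self.state == "LISTEN" and seg.syn and not seg.ack:
            self.state = "SYN-RECEIVED"
            # segment 2: SYN with our ISN, ACK of the client's ISN + 1
            return Segment(syn=True, ack=True, seq=self.isn, ack_num=seg.seq + 1)
        if self.state == "SYN-RECEIVED" and seg.ack and not seg.syn:
            # segment 3 is accepted only if it acknowledges our ISN + 1;
            # anything else is treated as stale or forged (a real stack
            # answers such a segment with RST) and the connection is dropped
            self.state = "ESTABLISHED" if seg.ack_num == self.isn + 1 else "LISTEN"
        return None


def run_handshake(server_isn=181521, client_isn=141521, final_ack=None):
    """Active open from the client; final_ack overrides the correct ACK.

    Returns (ACK number the server sent in segment 2, server's final state).
    """
    server = Server(server_isn)
    syn_ack = server.receive(Segment(syn=True, ack=False, seq=client_isn))  # 1 -> 2
    ack_num = syn_ack.seq + 1 if final_ack is None else final_ack
    server.receive(Segment(syn=False, ack=True, seq=client_isn + 1,
                           ack_num=ack_num))                                   # 3
    return syn_ack.ack_num, server.state


if __name__ == "__main__":
    print(run_handshake())                    # (141522, 'ESTABLISHED')
    print(run_handshake(final_ack=181521))    # off by one: (141522, 'LISTEN')
```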
Address Spoofing
Consider C (an intruder) wanting to impersonate the sender (say A). How?
Intruder C knows that B (the receiver) trusts A's users and lets them execute commands through, say, the rsh (remote shell) service without requiring a password.
C will not receive a single datagram in response from B, whose replies will be routed to the real, but unavailable, A.
C therefore somehow needs to predict the ISN that B would tell A during the handshake.
How to get the ISN?
The ISN is a 32-bit clock that increases systematically with time.
If the clock increment is predictable and an attacker can see the value of any one ISN, they can probably predict the value of the next, or a soon subsequent, ISN with accuracy.
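Added example, not from the course notes: a check for the property this slide describes. clock_isn is the 32-bit clock scheme (the 128-per-tick increment is a constructed value); hashed_isn adds a keyed hash of the connection's addresses and ports in the manner of RFC 6528, the usual remedy; predictability measures how regular the gaps between successive ISNs are, which is what an auditor of a TCP stack would look at.

```python
import hashlib
import os
from collections import Counter

ISN_MASK = 0xFFFFFFFF


def clock_isn(tick, increment=128):
    """The slide's scheme: a 32-bit counter growing by a fixed amount per tick."""
    return (tick * increment) & ISN_MASK


def hashed_isn(tick, src, sport, dst, dport, secret, increment=128):
    """RFC 6528 shape: clock value plus a keyed hash of the connection 4-tuple."""
    data = f"{src}:{sport}-{dst}:{dport}".encode()
    offset = int.from_bytes(hashlib.sha256(secret + data).digest()[:4], "big")
    return (tick * increment + offset) & ISN_MASK


def predictability(isns):
    """Fraction of successive gaps that equal the most common gap.

    1.0 means the sequence advances like clockwork, so one observed ISN
    fixes all the following ones; a value near 0 means the last ISN says
    nothing about the next one.
    """
    gaps = [(b - a) & ISN_MASK for a, b in zip(isns, isns[1:])]
    _, count = Counter(gaps).most_common(1)[0]
    return count / len(gaps)


def sample(scheme, n=200):
    """ISNs an observer would collect from n successive connections (constructed).

    A new connection every 3 ticks to the rsh port, each from a fresh
    ephemeral port; the addresses are documentation ranges.
    """
    secret = os.urandom(16)      # per-boot secret; never sent on the wire
    isns = []
    for i in range(n):
        tick, sport = i * 3, 40000 + i
        if scheme == "clock":
            isns.append(clock_isn(tick))
        else:
            isns.append(hashed_isn(tick, "198.51.100.7", sport,
                                   "203.0.113.9", 514, secret))
    return isns
```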
Predictable ISN can lead to
After learning the ISN, wait for A to go down (say for maintenance), which is easy to detect (say by ping); then C sends B a counterfeit IP datagram containing its SYN and ISN, which B receives and believes to have originated from A.
B replies with a SYN, its own ISN and an acknowledgement of C's ISN. (This reply is routed inconsequentially to A, who is still unavailable to receive it.)
C meanwhile predicts and acknowledges B's ISN. It follows with an rsh command that coaxes B into giving the attacker easier access from his true location.
C has successfully opened a TCP connection and executed a command on B without ever having received a single byte in return from B. It simply acted as if it had, enabled by B's predictable ISN.
Method of defense
Avoid reliance on address-based authentication and trust mechanisms (like those used by rsh).
Use a screening router, a device that can intelligently filter network packets based on configurable rules. Although this cannot prevent spoofing, it can prevent:
- inbound attacks that originate from external networks (by discarding incoming datagrams with a source address belonging to the internal address range);
- outbound attacks that originate inside your own network (by discarding outgoing datagrams with a source address from an external network).
Attacks are
Relaying a message to another host, which accepts it as if it were trusted.
Example: transfer of password files in networked Unix systems.
Message alteration
Message means the payload of the IP datagram. The router performs routine modifications to the IP datagram header, and sometimes fragments a datagram into several smaller ones (when the length exceeds the limit allowed by the underlying data link layer).
These routine changes are no reason to suspect message alteration, but techniques such as checksums are not sufficient to detect it.
Message Delay and Denial
By gaining unauthorised control of a router or routing host, then modifying executable code or the routing and screening rules used by the code.
- Need to apply proper authentication and access mechanisms to the routing systems.
By overwhelming a routing device, or one of the communication end systems, with an inordinate amount of network traffic.
- Easy to detect but difficult to prevent!
By Blocking (or Screening)
[Diagram: a screening router between the external network and the internal network 130.194.225.xxx, applying the rules from the previous slide to four datagrams.]
Direction | Source         | Destination    | Result
Inbound   | 108.3.54.92    | 130.194.225.92 | Accepted
Inbound   | 130.194.225.52 | 130.194.225.92 | Blocked (internal source address arriving from outside)
Outbound  | 130.194.225.92 | 121.5.92.1     | Accepted
Outbound  | 108.3.54.92    | 121.92.5.52    | Blocked (external source address leaving from inside)
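As an added example (not the slides' code), the screening rule from the defence slide applied to the four datagrams in the diagram; the internal prefix 130.194.225.0/24 is the slide's, while the direction labels and the rule representation are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("130.194.225.0/24")   # the slide's internal network


def screen(direction, src, dst, internal=INTERNAL):
    """Return 'accepted' or 'blocked' for one datagram.

    direction is the interface the datagram arrived on: 'inbound' from the
    external network or 'outbound' from the internal one. The interface is
    something the router knows for certain; the source address in the IP
    header is not, which is what the two rules rely on.
    """
    src, dst = ip_address(src), ip_address(dst)
    if direction == "inbound" and src in internal:
        return "blocked"       # arrived from outside but claims an inside source
    if direction == "outbound" and src not in internal:
        return "blocked"       # leaving from inside with a foreign source address
    # The limit the slide states: a datagram from outside that forges some
    # other external address passes this check, so spoofing as such is not
    # prevented, only spoofing across the router.
    return "accepted"


# Constructed log of the four datagrams drawn on the blocking diagram.
PACKETS = [
    ("inbound",  "108.3.54.92",    "130.194.225.92"),
    ("inbound",  "130.194.225.52", "130.194.225.92"),
    ("outbound", "130.194.225.92", "121.5.92.1"),
    ("outbound", "108.3.54.92",    "121.92.5.52"),
]


def screen_all(packets=PACKETS):
    """Decision for each datagram, in the order given."""
    return [screen(*packet) for packet in packets]


if __name__ == "__main__":
    for packet, verdict in zip(PACKETS, screen_all()):
        print(f"{packet[0]:8s} {packet[1]:>15s} -> {packet[2]:<15s} {verdict}")
```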
Network Communication: OSI Reference Model
Layer            | Function
Application (7)  | Application programs that use the network
Presentation (6) | Standardise data representation to the application layer
Session (5)      | Manage sessions between applications
Transport (4)    | Provide end-to-end error detection and correction
Network (3)      | Manage connections across the network
Data Link (2)    | Provide reliable delivery across physical links
Physical (1)     | Define characteristics of the media
Layers 5-7 are application-related services; layers 1-4 are network-related services.
Generic Message Format
Sender identity | Recipient identity | Message length | Message data
Internet TCP/IP Model
Application          | Programs: X window, mobile agents, Web applications, Email ...
Sockets              | (interface between the application and transport layers)
Transport (TCP, UDP) | Table of addresses, data and algorithms to perform reliability checks
Network (IP)         | Table of addresses and algorithms for handling the routing of data
Physical             | Digital signal (0, 1)
Network Layer – IP Datagram format (for reference)
4-bit version | 4-bit header length | 8-bit type of service | 16-bit total length
16-bit identification | 3-bit flags | 13-bit fragment offset
8-bit time to live | 8-bit protocol | 16-bit header checksum
32-bit source address
32-bit destination address
Options (if any) and padding
Data (variable length)
TCP segment (for reference)
16-bit source port number | 16-bit destination port number
32-bit sequence number
32-bit acknowledgement number
4-bit header length | 6-bit reserved | 6-bit flags | 16-bit window size
16-bit TCP checksum | 16-bit urgent pointer
Options (if any) and padding
Data (variable length)
UDP datagram (for reference)
16-bit source port number | 16-bit destination port number
16-bit length | 16-bit checksum
Data (variable length, if any)
Possible methods
Simple denial of requests through a firewall
- useful to prevent address spoofing and masquerading
Tailored software for each of the network services, called wrappers
- application-oriented functionality can be implemented
Firewalls
A screening router (also called packet filtering) is an example of a firewall.
We will look at firewalls in more detail in another subject.
SMTP Routing
1. Route incoming/outgoing mail to the bastion host.
2. Use the exterior router to restrict connections from external hosts to the bastion host.
3. Use the interior router to restrict connections from the bastion host to specific internal servers.
4. Internal systems send mail to the bastion host.
[Diagram: an external SMTP server (sender/recipient) on the Internet; the exterior router; the bastion host running an SMTP server on the perimeter network; the interior router; the inside SMTP server and SMTP clients on the internal network. The exterior router, perimeter network and interior router together form the firewall.]
TCP Wrapper
The TCP Wrapper is a utility program that can be "wrapped" around existing servers connected to the Internet.
A firewall can be placed between your internal network and the Internet to protect the entire internal network.
The TCP Wrapper is placed on an internal server and protects the services of that machine.
The combination of firewall and TCP Wrapper provides defense in depth.
The TCP Wrapper was written by Wietse Venema and is used for logging requests for service made through /etc/inetd.conf, and for intercepting and controlling TCP services that are started by /etc/inetd.conf.
TCP Wrapper
[Diagram: an external user on the Internet; router; firewall (bastion host); internal server running the TCP Wrapper.]
TCP Wrapper Operation
The TCP Wrapper is installed on the internal server, and inetd is configured to run the TCP Wrapper program, tcpd, instead of the real server.
inetd is the Internet protocol starter program that, upon detecting a service request, forks a process directly to the requested service.
tcpd is the TCP Wrapper program that receives control from inetd when an internal server has been "wrapped". tcpd evaluates the request against two TCP Wrapper configuration files:
- /etc/hosts.allow tells tcpd which hosts to allow connections from.
- /etc/hosts.deny tells tcpd which hosts to deny connections from.
If no match is found, the connection is allowed.
tcpd completes its function, then transfers control to the requested service.
TCP Wrapper Operation
[Diagram: an external user's request passes the router and firewall (bastion host) to inetd on the internal server; inetd.conf hands the request to tcpd (the TCP Wrapper), which consults /etc/hosts.allow and /etc/hosts.deny before starting the requested network service (telnet, ftp, rlogin, udp, etc.).]
TCP Wrapper Functions
The TCP Wrapper performs the following functions upon assuming control from inetd:
- Compares the incoming hostname and requested service with the previously created hosts.allow and hosts.deny files.
- Performs a double-reverse lookup of the IP address to make sure the DNS entries for the IP address match the hostname.
- Logs the result with syslog. This provides a way to log services that are normally not logged, e.g. finger and systat.
- Optionally runs a command, e.g. runs finger to get a list of users on the connecting client computer.
- Optionally substitutes a different version of the requested service daemon, e.g. the calling host may require a special extended service.
- Optionally sends a banner to the connecting client.
- Passes control of the connection to the real network daemon, or rejects the connection without providing a service.
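Added example, not Venema's code or the course's: a model of the tcpd decision described on the previous two slides. It parses the hosts.allow / hosts.deny line form daemon_list : client_list, applies the documented order (hosts.allow, then hosts.deny, otherwise allow) and performs the double-reverse lookup against a constructed DNS table; treating a failed double-reverse lookup as "address only" is an assumption of this model.

```python
# Constructed rule files in tcpd's "daemon_list : client_list" line form.
HOSTS_ALLOW = "in.ftpd, in.telnetd : .corp.example\n"
HOSTS_DENY = "ALL : ALL\n"

# Constructed DNS tables: A records (name -> address) and PTR records.
FORWARD = {"host1.corp.example": "130.194.225.20"}
REVERSE = {"130.194.225.20": "host1.corp.example",
           "203.0.113.5": "host1.corp.example",     # PTR claims a trusted name
           "130.194.225.40": "host2.corp.example"}  # name with no A record


def parse_rules(text):
    """Yield (daemon patterns, client patterns) for each non-empty line."""
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            yield ([d.strip() for d in daemons.split(",")],
                   [c.strip() for c in clients.split(",")])

def matches(pattern, value):
    """ALL, a leading-dot domain suffix, a trailing-dot network prefix, or exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return value.endswith(pattern)
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value

def client_name(ip):
    """Double-reverse lookup: use the PTR name only if it resolves back to ip."""
    name = REVERSE.get(ip)
    return name if name and FORWARD.get(name) == ip else ip  # else address only

def rule_hit(text, daemon, ip):
    """True if any line in text matches both the daemon and the client."""
    name = client_name(ip)
    return any(any(matches(d, daemon) for d in ds)
               and any(matches(c, name) or matches(c, ip) for c in cs)
               for ds, cs in parse_rules(text))

def decide(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a hosts.allow match wins, then hosts.deny, otherwise allow."""
    if rule_hit(allow, daemon, ip):
        return "allow"
    if rule_hit(deny, daemon, ip):
        return "deny"
    return "allow"
```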
Possible connections: Security?
[Diagram: your PC connected through an ISP server, with an optional firewall, to the Internet, where a wired stranger, a wireless stranger and other strangers are also connected.]
Possible connections: Security?
[Diagram: your systems (web server, ftp server and production servers) behind a firewall facing the Internet, with wired, wireless and other strangers on the outside.]
Possible connections: Security?
[Diagram: a variation of the previous arrangement of web server, ftp server, firewall and production servers facing the same strangers.]
Possible connections: Security?
[Diagram: web servers and back-end data servers on separate LAN/WAN segments, with a firewall between them and the Internet.]
Possible connections: Security?
[Diagram: web servers, business applications, back-end data servers, business integration systems, intranet, extranet, call centre and mobile users connected over LAN/WAN segments, with a firewall towards the Internet.]