Network Security Slide File - e

Computer Security:
Chapter 8
Network Security

Network characteristics
- Anonymity: ‘On the Internet, nobody knows you are a dog’
- Automation: done by machines, sometimes with only minimal human supervision
- Distance: what is far, really? Hard to tell.
- Opaqueness: are you in Skudai? KL? Bukit Kayu Hitam? School? Company? Adam’s basement? USA?
- Routing diversity: more than one way to get a packet somewhere
2
Advantages of Computing Networks

Several advantages over single-processor systems:
- Resource sharing.
- Distributing the workload.
- Increased reliability.
- Expandability.
The network must ensure data integrity and secrecy, and availability of service.
3
Threats In Networks

Generic threats aim to compromise confidentiality, integrity, or availability,
- applied against data, software and hardware
- by nature, accidents, non-malicious humans, and malicious attackers.
4
What Makes a Network Vulnerable?

- Anonymity (distributed authentication problems)
- Many points of attack, both targets and origins (an attack can come from any host, by an unknown route)
- Sharing (access control that is adequate for a single system may be inadequate in a network)
- Complexity of system (diminishes confidence in network security)
- Unknown perimeter (unclear network boundaries)
- Unknown path (uncertain message routing in the network)
5
Who Attacks Networks?

3 necessary components of an attack:
- method, opportunity and motive.
4 important motives:
- challenge or power, fame, money and ideology.
What is an attacker’s profile? What is he/she like?
6
Challenge

Questions:
- Can I defeat this network?
- What would happen if I tried this approach or that technique?

Network attackers enjoy the intellectual stimulation of defeating the supposedly undefeatable.
7
Fame

For those who enjoy the personal thrill of seeing their attacks written up in the news media.

Money and Espionage

Financial reward motivates attackers.
- Attacks in industrial espionage seek information on a company’s products, clients, or long-range plans.
8
Ideology

Hacktivism involves “operations that use hacking techniques against a target’s network with the intent of disrupting normal operations but not causing serious damage.”

Cyberterrorism, more dangerous than hacktivism, is “politically motivated hacking operations intended to cause grave harm or economic damage.”
9
Threat Precursors: what to do before

Port Scan
- Know which standard ports/services are running and responding
- Know which OS is installed
- Know which application types and versions are present

Social Engineering
- Know certain internal details.
- Use social skills and personal interaction to get someone to reveal security-relevant info
- Persuade the victim to be helpful

Reconnaissance
- Gather discrete bits of info from various sources and put them together like the pieces of a puzzle
- Example: “dumpster diving” (get info from recycling boxes) and eavesdropping (what is the gossip?).
10

OS & Application Fingerprinting
- Consult a list of the specific software’s known vulnerabilities to determine which particular weakness to try to exploit

Bulletin Boards and Chats
- Exchange of info
- Attackers post their latest exploits and techniques, read what others have done and search for additional info

Availability of Documentation
- Vendors may distribute info that is useful to an attacker
- Example: Microsoft produces a resource kit, and that toolkit may be used by an attacker to investigate a product
11
Threats in Transit: from here to there

Usual way: listen
Listening can be
- Effortless -> eavesdrop
- With some effort -> wiretap
Eavesdropping just listens to or monitors traffic
Passive and active
- Passive is much like eavesdropping
- Active means ‘doing’ something to the communication (add, append, replace, delete)
Depends on the communication medium used: cable, microwave, satellite, wireless etc.
12

Cable
- All signals in Ethernet or other LANs are available to intercept
- Each LAN connector has a unique address and takes the packets addressed to its host
- A process called inductance can tap a wire and read radiated signals without making physical contact with the cable
- An attacker can directly cut the cable, insert a secondary cable and receive a copy of all signals along the primary cable

Microwave
- Broadcast through the air
- Weakness: wide swath
- Someone can pick up an entire transmission
13
More threats
- Impersonation
- Spoofing
- Message confidentiality threats
- Message integrity threats
- Website defacement
- Denial of service (DOS)
- Distributed DOS (DDOS)
- Threats to active and mobile code
17
Impersonation

Be someone else
Falsely represents a valid entity in a communication
Some attack methods
- Guess the identity and authentication details of the target
  - Default passwords ADMIN, GUEST
- Pick up the identity and authentication details of the target from previous communication/wiretapping
- Circumvent or disable the authentication mechanism at the target computer -> through known weaknesses
- Use a target that will not be authenticated -> checks the first time, then lets the user go on / ‘guest’ search for all, type anything
- Use a target whose authentication data is known
18
Guessing

How? Through
- Easy-to-guess password
- Default password
- Dead account
19
Nonexistent Authentication
- Computer-to-computer connection exploited
- “Guest” or “anonymous” accounts exploited
22
Well-known Authentication

Convenience of a well-known authentication scheme usurps the protection
- E.g. the same/default password used in remote hardware maintenance
23
Trusted Authentication

Identification delegated to another trusted source can be a potential threat
- Useful, but great care is needed.
24
Spoofing
Falsely carries on one end of a networked interchange
- Examples
  - Masquerading
  - Session hijacking
  - Man-in-the-middle attack
25
Masquerade

One host pretends to be another
- URL confusion
  - Confused domain names: xyz.com, xyz.org, xyz.net
  - Names with or without hyphen: Cola-cola.com vs cocacola.com
  - Easily mistyped names: 10pht.com vs lopth.com
- Exploits a flaw in the victim’s web server -> overwrite web page
- Build a false site that resembles the real one
26
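A defender-side check for the look-alike names this slide describes, as an added Python example (not code from the slides): it reduces a domain to the shape a hurried reader perceives and flags names that collide with a constructed list of protected domains. The protected list, the confusable-character table and the similarity threshold are assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample of domains the organisation owns (assumption, not from the slides).
PROTECTED = ["cocacola.com", "lopht.com", "xyz.com"]

# Digits a reader easily takes for letters: 10pht looks like lopht at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def split(domain):
    """Return (name, tld) in lower case, e.g. 'XYZ.org' -> ('xyz', 'org')."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld

def skeleton(name):
    """Shape of the name as perceived: hyphens dropped, confusable digits mapped to letters."""
    return name.replace("-", "").translate(CONFUSABLES)

def classify(candidate, protected=PROTECTED, threshold=0.85):
    """Return (protected domain, reason) if `candidate` masquerades as a protected one,
    or None. A candidate identical to a protected domain is never flagged."""
    cname, ctld = split(candidate)
    for legit in protected:
        lname, ltld = split(legit)
        if cname == lname:
            if ctld != ltld:
                return legit, "same name, different TLD"
            continue                      # it is the protected domain itself
        if cname.replace("-", "") == lname:
            return legit, "hyphen variant"
        if skeleton(cname) == skeleton(lname):
            return legit, "confusable characters"
        similarity = SequenceMatcher(None, skeleton(cname), skeleton(lname)).ratio()
        if similarity >= threshold:
            return legit, f"near miss (similarity {similarity:.2f})"
    return None
```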
Session Hijacking
Intercepting and carrying on a session begun by another entity
- Examples
  - Wiretap to intercept the packets between buyers and an eCommerce site
  - Intrude in the telnet session to gain control over the system
27
Man-in-the-Middle Attack
Similar to session hijacking, but usually participates from the start of the session
- Would be foiled with public keys

[Figure: Key Interception; labels: Key distributor, Malicious interceptor, User 1, User 2]
28
Denial of Service

- Transmission failure
  - Due to a cut line, network noise, hw/sw problems, electronic attacks
- Connection flooding
  - Attacker sends you more data than the system can handle, to overload the system
  - Uses Internet Control Message Protocol (ICMP) to attack the system, e.g. Echo-Chargen, Ping of Death, Smurf
  - Syn flood
- Traffic redirection
  - Attacker corrupts the routing; all packets route to one router, and the router becomes flooded
- DNS attacks
32
Connection Flooding

Eg. Echo-Chargen, Ping of Death
- Echo-Chargen
  - A sends a flood of echo packets to B
  - B returns data for every echo packet
  - An endless loop between A and B
- Ping of Death
  - A sends a flood of pings to B
  - B replies to every ping request
- Smurf
  - A broadcasts echo packets to the network, with B’s return address
  - All network hosts reply to B
33
Syn Flood
3-way TCP handshake between Source and Destination:
1. SYN (Source -> Destination)
2. ACK + SYN (Destination -> Source)
3. ACK (Source -> Destination)
34
Syn flood…
1. SYN
2. ACK + SYN
   Destination maintains a queue, SYN_RECV, tracking items and starting a timer
3. ACK
35
Syn flood…
Attacker -> Victim: SYN(1), SYN(2), …, SYN(n)
- Send a SYN request every few seconds
- Choose a different and unique source address
36
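The SYN_RECV queue and its timer from these slides, as an added Python model (not code from the slides): each SYN from a source that never completes step 3 occupies a slot until the timer expires, so a run of unique spoofed sources can leave no slot for a real client. Backlog size, timeout and the interval between SYNs are assumed parameters.

```python
class HalfOpenQueue:
    """Model of the destination's SYN_RECV queue from the slides: each SYN takes a
    slot until the third handshake step (ACK) arrives or the entry's timer expires."""

    def __init__(self, backlog, timeout):
        self.backlog = backlog    # slots for half-open connections
        self.timeout = timeout    # seconds an unanswered SYN-ACK is kept
        self.pending = {}         # source -> arrival time of its SYN
        self.refused = 0

    def expire(self, now):
        """Free the slots whose timer has run out."""
        for src in [s for s, t in self.pending.items() if now - t >= self.timeout]:
            del self.pending[src]

    def on_syn(self, src, now):
        self.expire(now)
        if len(self.pending) >= self.backlog:
            self.refused += 1     # queue full: the SYN is dropped
            return False
        self.pending[src] = now
        return True

    def on_ack(self, src):
        """Step 3 of the handshake completes the connection and frees the slot."""
        return self.pending.pop(src, None) is not None


def flood_then_connect(backlog, timeout, interval, n_syn):
    """n_syn SYNs arrive one every `interval` seconds, each from a distinct spoofed
    source that never answers the SYN-ACK; then a legitimate client tries to connect.
    Returns (legit_accepted, half_open_entries, syns_refused)."""
    q = HalfOpenQueue(backlog, timeout)
    now = 0.0
    for i in range(n_syn):
        q.on_syn(f"spoofed-{i}", now)  # constructed source labels, one per SYN
        now += interval
    legit = q.on_syn("client-192.0.2.10", now)
    return legit, len(q.pending), q.refused


# Occupancy approaches timeout / interval; once that exceeds the backlog, the
# destination has no slot left for real clients. A shorter timer frees slots sooner.
if __name__ == "__main__":
    print(flood_then_connect(backlog=128, timeout=60, interval=0.25, n_syn=200))
    print(flood_then_connect(backlog=128, timeout=10, interval=0.25, n_syn=200))
```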
DNS Attacks
Domain name server: a table that converts domain names into network addresses
- Attacker redirects the routing of any traffic to cause DOS
37
Threats to Active Code
Also called mobile code
- General name for code that is pushed to the client for execution
- Cookies
  - Take up disk space
- Scripts
  - Eg. escape-character attack
- Active code
  - JavaScript, ActiveX, Auto Exec by Type
38
Complex Attacks

Script kiddies
- Let people perform attacks even if they do not understand what the attack is or how it is performed
- Download and run attack scripts

Building blocks
- Let people combine components of an attack
39
Network security controls
So what’s next?

We have seen the possible threats to networks; what about controls?
- Architecture
- Encryption
- Strong authentication
- Access controls
- Alarms and alerts
- Honeypots
- Traffic flow security
41

Architecture
- Building security into the plan
- Some ways include
  - Segmentation
    - Reduces the number of threats
    - Limits the amount of damage from a single vulnerability
    - Don’t put all your eggs in one basket
    - Separate servers/segments -> least privilege and encapsulation
  - Redundancy
    - 2 web servers are better than 1
    - Each checks that the other is active (failover mode); if not, it carries the burden
  - Single points of failure
    - The system can tolerate failure in an acceptable way
    - Eliminate all single points of failure -> the ‘jugular’ of the system, that would bring the whole system down
42

Encryption
- Used in combination with other controls
- Applied as
  - Link encryption
    - Between 2 hosts
    - All hosts in between must have a cryptographic facility, else the message is still exposed
    - Adv.: faster, easier for the user, uses fewer keys
  - End-to-end encryption
    - Between applications
    - Keys increase rapidly with the number of users: n * (n - 1)/2 keys for n users (when single-key encryption is used)
    - Adv.: more flexible, can be used selectively, can be integrated with the application
43
Link encryption
[Figure: Sender to Receiver; labels: ‘message exposed’, ‘Encrypted message’]
44
End-to-end encryption
[Figure: Sender through Intermediate Host to Receiver; label: ‘Encrypted message’]
45

Strong authentication
- Knowing and being assured of the accuracy of an identity
- Ways include:
  - One-time password
  - Challenge-response systems
  - Kerberos
    - Ticket with the user name and the services he is allowed to obtain
    - Tickets are un-forgeable, non-replayable, authenticated, timestamped, encrypted

Access control
- Routers and firewalls provide layers of protection for the internal network
46
Alarms and alerts

Intrusion detection system (IDS)
- Another layer of defense
- Placed inside the network to monitor events in the network
- Detects the attack
  - at the beginning,
  - while in progress, or
  - after it has occurred (when the attacker was able to pass through the router and firewall)
- The IDS activates an alarm -> defensive action taken
47
2
types: signature based and heuristic
Signature based IDS: does pattern matching and
reports pattern corresponding to known attack type
 Heuristic (anomaly based): flags behaviour not in
line with acceptable behaviour.
 http://www.stevespace.net/ids/types.html

 False
results
False positive: raising alarm when not really an
attack
 False negative: not raising alarm for real attack

48
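The two IDS types and the two kinds of false result, as an added Python example (not code from the slides): a signature matcher and a request-count heuristic are run over a constructed request log, and each alert set is scored against constructed ground truth. The log lines, patterns, request threshold and ground-truth set are all assumptions.

```python
import re
from collections import Counter

# Constructed request log, (source address, request line); addresses are documentation ranges.
LOG = [
    ("198.51.100.5", "GET /index.html"),
    ("198.51.100.5", "GET /docs/o'reilly.html"),       # legitimate apostrophe
    ("203.0.113.9", "GET /login?user=admin'--"),       # textbook injection probe
    ("203.0.113.10", "GET /login?user=admin%27--"),    # same probe, URL-encoded
] + [("203.0.113.44", f"GET /page{i}") for i in range(40)]  # one host, 40 requests

# Constructed ground truth, used only to score the detectors.
MALICIOUS = {"203.0.113.9", "203.0.113.10", "203.0.113.44"}

# Signature-based IDS: pattern matching against strings of known attack types.
SIGNATURES = {
    "sql-quote-comment": re.compile(r"'--"),
    "naive-quote": re.compile(r"'"),   # too broad: also fires on the O'Reilly URL
}

def signature_alerts(log, signatures=SIGNATURES):
    """(source, request, signature name) for every line matching a known pattern."""
    return [(src, req, name) for src, req in log
            for name, pattern in signatures.items() if pattern.search(req)]

# Heuristic (anomaly-based) IDS: behaviour outside the accepted profile.
def anomaly_alerts(log, max_requests=10):
    """(source, count) for every source sending more requests than normal users do."""
    counts = Counter(src for src, _ in log)
    return [(src, n) for src, n in counts.items() if n > max_requests]

def score(alerts, truth=MALICIOUS):
    """Sort alerted sources into true/false positives and list the malicious sources
    no alert mentioned (false negatives)."""
    flagged = {alert[0] for alert in alerts}
    return {"true_positive": sorted(flagged & truth),
            "false_positive": sorted(flagged - truth),
            "false_negative": sorted(truth - flagged)}
```

The signature matcher misses the URL-encoded probe and the flood entirely, while the heuristic sees only the flood: each type has its own false negatives, and the over-broad pattern shows where false positives come from.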

Honeypot
A computer system or network segment with servers, devices and data, with the objective of luring the attacker.
- Reasons for it:
  - Watch attackers and learn about new attacks
  - Learn enough to identify and stop the attacker
  - Provide a place where attackers can go, in the hope that they’ll leave the real systems alone
49

Check out the control review: table 7-7, Pfleeger pg 454
50
Firewalls

                  Firewall                                           Routers
Examines          the entire packet’s content, including the         only the source and destination address
                  data portion
Primary function  filtering                                          addressing
52




A firewall is a device that filters all traffic between a protected (‘inside’) network and a less trustworthy (‘outside’) network.
Best practice: non-firewall functions should not be done on the same machine
Firewalls know what is ‘bad’ by adhering to a security policy
2 major schools of thought regarding default behavior:
- Default deny
- Default allow/permit
53

Types of firewall
- Packet filtering gateway (screening routers): simple policy
- Stateful inspection firewalls
- Application proxies
- Guards
  (these three offer a richer set of choices for policy)
- Personal firewalls

Which firewall?
- Depends on which threats need to be countered
54

Packet filtering gateway (screening routers)
- Controls access to packets based on
  - Packet address (source/destination)
  - Specific transport protocol (e.g. HTTP)
- Just sees the nametag but not the ID
  - Only IP, but not packet content
- Cannot choose between allowable TELNET sessions and non-allowable ones
- But it can block packets from ‘outside’ trying to disguise themselves as ones from ‘inside’ by forging an IP address
55
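A screening-router decision function, as an added Python example (not code from the slides) covering the default-deny versus default-allow policies of the previous slide and the anti-spoofing rule above. The ‘inside’ range, the rule format and the sample rules are assumptions; the filter sees only header fields, which is why it cannot tell allowable from non-allowable TELNET.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")   # assumed protected ('inside') network

@dataclass
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # destination port (0 for protocols without ports)
    iface: str     # interface the packet arrived on: "outside" or "inside"

@dataclass
class Rule:
    action: str             # "allow" or "deny"
    src: str = "any"        # CIDR network or "any"
    dst: str = "any"
    proto: str = "any"
    dport: int = 0          # 0 matches any port

    def matches(self, p):
        """Header-only comparison; the payload is never inspected."""
        return ((self.src == "any" or ip_address(p.src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto == "any" or self.proto == p.proto)
                and (self.dport == 0 or self.dport == p.dport))

# Assumed policy: the public web server may be reached, TELNET is never allowed.
RULES = [
    Rule("allow", dst="192.0.2.80/32", proto="tcp", dport=80),
    Rule("deny", proto="tcp", dport=23),
]

def filter_packet(p, rules=RULES, default="deny"):
    """Return 'allow' or 'deny'. Anti-spoofing first: a packet arriving on the outside
    interface with an inside source address is forged. Then the first matching rule
    wins; anything unmatched falls back to the default (default deny or default allow)."""
    if p.iface == "outside" and ip_address(p.src) in INSIDE:
        return "deny"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default
```

With default="allow", an unlisted service such as SSH passes; with default="deny" it is blocked, which is the whole difference between the two schools of thought.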

Stateful inspection firewalls
- Maintain state information between packets in an input stream
- Can be used to thwart attacks that are split across 2 or more packets

Application proxies
- a.k.a. bastion host
- Checks the content of a packet and only allows actions that are within the given guidelines
  - Cannot use ‘put’, but ‘get’ is OK
  - Caching popular sites for easy retrieval
- Proxies can be tailored to specific requirements, like logging details of access
56

Guards
- Sort of a twin of the proxy firewall
- Add functionality to a proxy firewall until it starts to look like a guard
- Receives protocol data, interprets them and passes them through

Personal firewalls
- An application program that runs on a workstation to block unwanted traffic
- A sensible approach to guarding 1 unit of workstation
- The user decides who to trust and who not to
- The firewall runs on the same machine, so it is vulnerable to attack

**Check out the firewall types comparison: Pfleeger pg 465
57
What can a firewall block?
- Can protect the environment if it controls the entire perimeter
- Does not protect outside the perimeter
- Prone to attacks -> having different layers helps
- Must be correctly configured and kept updated to succeed
58
Aside:
Network security is a large topic, but time is of the essence.
- Reading the book will help immensely.
59