Network Security

Threat Model
•Botnets are characteristic of the threats you face from the Internet. A bot is a program that receives commands from a bot controller.
•Botnet is the generic name given to any collection of compromised PCs controlled remotely by an attacker.
•Each such compromised device is known as a "bot".
•The bot controller may use Internet Relay Chat (IRC) or HTTP to issue its commands, e.g. to launch spam or DoS attacks.
•To take out a botnet you have to take out the bot controller, e.g. by blocking its IP address.
Threat Model
•Botnets employ fast flux techniques to obscure which specific hosts are involved in their phishing schemes, malware delivery or other criminal enterprises.
•In fast flux networks the bots know their controller by its domain name. The bot controller then just moves to a new IP address when its current address is blocked.
•In domain flux networks the domain name of the bot controller itself changes dynamically: the bot controller registers a new domain name when its current name is blacklisted.
•A net adversary is a malicious network node which has the capacity to:
oread messages directly addressed to it,
ospoof arbitrary sender addresses,
otry to guess fields sent in messages it does not see.
TCP session Hijacking
•The TCP handshake protocol:
•A is the client, B the server. SYN and ACK indicate that the respective flag bits are set; ISNa and ISNb are 32-bit initial sequence numbers.
A → B: SYN, ISNa
B → A: SYN|ACK, ISNb, ACK(ISNa)
A → B: ACK, ACK(ISNb)
•ACK(ISNa) = ISNa + 1. ACK(ISNb) = ISNb + 1.
•An attacker trying to impersonate A has to guess the sequence number ISNb that B sent to A. The protocol is therefore secure against this impersonation as long as initial sequence numbers are unpredictable.
•However, for the ISN each TCP entity maintains a 32-bit counter, which the specification says should be incremented by 1 at least every 4 microseconds. Even worse, Berkeley's Unix kernels incremented the counter by 128 every second, and by 64 for each new connection, so the next ISN is easy to predict from a previous one.
TCP session Hijacking
•An attack developed in 1985:
•M is an attacker who tries to impersonate A.
•The attacker M first opens a genuine connection to its target B and receives a sequence number ISNb. The attacker then impersonates A, sending a packet with A's address in the source field:
M(A) → B: SYN, ISNc
•B replies to the legitimate A with
B → A: SYN|ACK, ISNb', ACK(ISNc)
•M does not see this message but uses ISNb to predict the current value ISNb' and sends
M(A) → B: ACK, ACK(ISNb')
•B now assumes it is communicating with A! (In practice M must also keep the real A from answering, e.g. by flooding it, because A would reset a connection it never opened.)
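The attack above, run as an added simulation (example code written for this page, not from Gollmann's book or the 1985 attack paper). Server B is modelled with two interchangeable ISN generators: the Berkeley-style counter described above (+128 per second, +64 per connection; time is a hand-advanced tick counter, an assumption made to keep the run deterministic) and a CSPRNG-based one. M learns ISNb from its own genuine connection, then completes a spoofed handshake as A by predicting ISNb'. Everything else (addresses "M" and "A", the ISN values 1000 and 2000) is constructed.

```python
import os
import struct

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


class BerkeleyISN:
    """ISN generator with the 4.2BSD behaviour described above:
    +128 per second, +64 per new connection. Time is a tick counter
    the caller advances by hand so that runs are deterministic (assumption)."""

    def __init__(self):
        self.counter = 0

    def tick(self, seconds):
        self.counter = (self.counter + 128 * seconds) & MASK

    def next_isn(self):
        self.counter = (self.counter + 64) & MASK
        return self.counter


class RandomISN:
    """ISN drawn from the OS CSPRNG: one blind guess succeeds with probability 2^-32."""

    def next_isn(self):
        return struct.unpack(">I", os.urandom(4))[0]


class ServerB:
    """B: answers a SYN with SYN|ACK and accepts the connection only if the
    final ACK carries ISNb + 1 for that source address."""

    def __init__(self, isn_gen):
        self.isn_gen = isn_gen
        self.half_open = {}      # source address -> ISNb
        self.established = set()

    def recv_syn(self, src, isn_src):
        isn_b = self.isn_gen.next_isn()
        self.half_open[src] = isn_b
        # The SYN|ACK is addressed to `src`; whoever spoofed src never sees it.
        return ("SYN|ACK", isn_b, (isn_src + 1) & MASK)

    def recv_ack(self, src, ack):
        isn_b = self.half_open.pop(src, None)
        if isn_b is not None and ack == (isn_b + 1) & MASK:
            self.established.add(src)
            return True
        return False


def hijack(server):
    """M impersonates A against B. Returns True if B ends up with an
    established connection it believes comes from A."""
    # 1. M opens a genuine connection from its own address and learns ISNb.
    _, isn_b, _ = server.recv_syn("M", 1000)
    server.recv_ack("M", (isn_b + 1) & MASK)
    # 2. M(A) -> B: SYN, ISNc.  B's SYN|ACK carrying ISNb' goes to the real A.
    server.recv_syn("A", 2000)
    # 3. M predicts ISNb' = ISNb + 64 (one new connection since step 1, no
    #    time elapsed) and finishes the handshake blind.
    isn_b_prime_guess = (isn_b + 64) & MASK
    return server.recv_ack("A", (isn_b_prime_guess + 1) & MASK)


if __name__ == "__main__":
    print("Berkeley-style ISN:", hijack(ServerB(BerkeleyISN())))  # True
    print("random ISN:       ", hijack(ServerB(RandomISN())))     # False (except with probability 2^-32)
```

If a second elapses between M's own connection and the spoofed SYN, M has to add another 128 to the prediction (call `tick(1)` on the generator to see the guess fail without that correction); with the random generator no amount of observation helps.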
TCP session Hijacking
•This is particularly dangerous in systems that apply 'address-based' authentication (e.g. the Unix Remote Shell (RSH) service), which assume that a user logging in from a trusted host has already been authenticated there.
•To defend against this attack, a firewall could block all TCP packets arriving from the Internet with a 'local' source address. This scheme works if all your trusted hosts are on the local network. If trusted hosts also exist on the Internet, the firewall has to block all services that rely on address-based authentication.
•Better still, avoid address-based authentication altogether: cryptographic authentication is always preferable.
TCP SYN Flooding Attacks
•In the TCP handshake protocol, after responding to the first SYN packet, server B stores the sequence number ISNb so that it can verify the ACK it expects from A.
•An attacker M can initiate a large number of TCP open requests (SYN packets), typically from spoofed source addresses, without ever completing the protocol runs, until B reaches its half-open connection limit and can no longer respond to new incoming requests.
•How can we prevent this?
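One standard answer is SYN cookies: B keeps no state for a half-open connection and instead makes ISNb a keyed hash of the client's address and port plus a coarse time counter, so a valid final ACK proves the client received B's SYN|ACK. The following is an added example (not from the book or the slides) contrasting a naive server with a half-open table against a SYN-cookie server; the backlog size of 64, the HMAC-SHA-256 construction with a 24-bit truncated tag, the 8-bit time counter and all addresses are assumptions for illustration, and the real Linux cookie encoding differs in detail.

```python
import hashlib
import hmac
import os

MASK = 0xFFFFFFFF
BACKLOG = 64   # half-open connection limit of the naive server (assumption)


class NaiveServer:
    """Stores ISNb for every half-open connection, as in the handshake
    described above. A flood of SYNs fills the table and new clients are
    turned away."""

    def __init__(self):
        self.half_open = {}   # (client ip, client port) -> ISNb

    def recv_syn(self, client, isn_a):
        if len(self.half_open) >= BACKLOG:
            return None       # table full: the SYN is silently dropped
        isn_b = int.from_bytes(os.urandom(4), "big")
        self.half_open[client] = isn_b
        return isn_b

    def recv_ack(self, client, ack):
        isn_b = self.half_open.pop(client, None)
        return isn_b is not None and ack == (isn_b + 1) & MASK


class SynCookieServer:
    """Keeps no per-SYN state. ISNb is a keyed hash of the client's address,
    port and a coarse time counter (a SYN cookie); the ACK is accepted only
    if ack - 1 is a cookie B itself could have issued recently."""

    def __init__(self, key=None):
        self.key = key or os.urandom(32)
        self.time = 0         # coarse clock, advanced by the caller

    def cookie(self, client, t):
        msg = f"{client[0]}:{client[1]}:{t}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        # high byte: time counter mod 256; low 24 bits: truncated MAC
        return ((t & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def recv_syn(self, client, isn_a):
        return self.cookie(client, self.time)   # nothing is stored

    def recv_ack(self, client, ack):
        isn_b = (ack - 1) & MASK
        age = (self.time - (isn_b >> 24)) & 0xFF
        if age > 1:
            return False                         # cookie too old
        expected = self.cookie(client, self.time - age)
        return hmac.compare_digest(expected.to_bytes(4, "big"),
                                   isn_b.to_bytes(4, "big"))


def syn_flood(server, n):
    """M sends n SYNs from spoofed addresses and never completes them."""
    for i in range(n):
        server.recv_syn((f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i), 1)


def legit_connect(server, client=("192.0.2.7", 51000)):
    """An honest client completing the three-way handshake."""
    isn_b = server.recv_syn(client, 5000)
    if isn_b is None:
        return False
    return server.recv_ack(client, (isn_b + 1) & MASK)
```

The price of statelessness is that B cannot remember TCP options negotiated in the SYN, which is why real stacks only switch to cookies once the backlog is full; a forged ACK without a valid cookie is rejected, and a cookie older than one clock step expires.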
Domain Name System
•Hosts on the Internet are usually known by their DNS name.
•To connect to a host you need the IP address currently corresponding to its domain name.
•The DNS is a distributed directory service for domain names (or host names).
•It is used for looking up IP addresses for host names, and host names for IP addresses (reverse look-up).
•It is also used for a number of other services (e.g. SPF (Sender Policy Framework) uses a DNS record to identify the valid mail servers of a domain).
Domain Name System
•DNS knows various types of resource records. The binding of host names to IP addresses is given in A records.
•Host names and IP addresses are collected in zones.
•A zone is managed by its authoritative name server, which provides the mapping between host names and IP addresses for its zone.
•Name server implementations such as BIND, MSDNS, PowerDNS and DJBDNS (server software, not protocols) resolve host names to IP addresses.
Domain Name System
•There are only 13 (logical) root servers on the Internet.
•gTLD stands for generic Top-Level Domain (e.g. .com, .net, .org, .edu); country-code TLDs such as .uk, .tv and .ws have their own registries and name servers.
•TTL stands for Time-to-Live: how long a resolver may cache a binding.
Lightweight Authentication
•The resolver uses a 'challenge-response' protocol to authenticate the origin of the replies it receives.
•A 16-bit query ID (QID) and the UDP port that should receive the answer are included in each request.
•The responding name server copies the QID into its answer and replies to the port indicated.
•The resolver caches the first answer received for a given QID on the nominated port.
•The only possible attack here (without seeing the query) is to guess the QID and the corresponding UDP port number.
•The probability of an attacker guessing the QID correctly in a single try is 2^-16.
Cache Poisoning Attack
•The attacker asks a resolver to resolve a host name the attacker wants to take over. (This host name must not have an entry in the resolver's cache.)
•The attacker immediately floods the resolver with spoofed answers that map the host name to an IP address of the attacker's choice.
•The spoofed answers contain guessed QIDs with a long TTL and are sent to a guessed UDP port.
•If a spoofed answer with the correct QID arrives on the correct port before the genuine answer, the attacker's value is cached in the resolver cache and the correct answer is dropped.
Cache Poisoning Attack
•The probability of the attack succeeding depends on the following factors:
1. The difficulty of guessing the QID. (Easy if the QID is generated by a counter.)
2. The difficulty of guessing the port number. (Easy if a fixed port number is used.)
3. The width of the time window until the authoritative answer arrives. (The attacker may widen it with a DoS attack against the authoritative name server.)
•A good implementation of DNS addresses the first two.
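The race described on the two slides above, as an added simulation (example code written for this page, not from the book): a toy caching resolver whose QID is either a counter or random and whose source port is either one fixed port or random, an attacker who first learns the resolver's current QID and port by having it look up a domain the attacker is authoritative for, and then floods guesses for the target name before the genuine answer arrives. `p_success` gives the matching closed-form probability. All names, addresses, the fixed port 32768 and the attacker's guessing strategy (next QIDs in sequence, port reused) are assumptions.

```python
import secrets

FIXED_PORT = 32768   # one ephemeral port reused for every query (weak setup, assumption)


class Resolver:
    """Caching resolver. A query carries a 16-bit QID and is sent from a UDP
    source port; the first answer that matches both is cached."""

    def __init__(self, random_qid, random_port):
        self.random_qid = random_qid
        self.random_port = random_port
        self.counter = 0
        self.outstanding = {}    # name -> (qid, port) awaiting an answer
        self.cache = {}          # name -> ip

    def query(self, name):
        if self.random_qid:
            qid = secrets.randbelow(1 << 16)
        else:
            self.counter = (self.counter + 1) & 0xFFFF   # predictable
            qid = self.counter
        port = secrets.randbelow(1 << 16) if self.random_port else FIXED_PORT
        self.outstanding[name] = (qid, port)
        return qid, port     # what the name server receiving the query sees

    def answer(self, name, qid, port, ip):
        """Deliver a UDP answer; True if it was accepted and cached."""
        if name in self.cache or self.outstanding.get(name) != (qid, port):
            return False
        self.cache[name] = ip
        del self.outstanding[name]
        return True


def poison(resolver, guesses, target="www.victim.example"):
    """Returns the IP the resolver ends up caching for `target`."""
    # Reconnaissance: the attacker runs the authoritative server for
    # attacker.example, so making the resolver look it up reveals the QID
    # and source port the resolver used most recently.
    seen_qid, seen_port = resolver.query("attacker.example")
    resolver.answer("attacker.example", seen_qid, seen_port, "203.0.113.1")
    # Trigger a lookup of the (uncached) target and flood answers assuming
    # the QID is the next in sequence and the port is reused.
    resolver.query(target)
    for i in range(guesses):
        qid_guess = (seen_qid + 1 + i) & 0xFFFF
        if resolver.answer(target, qid_guess, seen_port, "203.0.113.1"):
            break
    # The genuine authoritative answer arrives after the burst.
    if target in resolver.outstanding:
        qid, port = resolver.outstanding[target]
        resolver.answer(target, qid, port, "198.51.100.10")
    return resolver.cache[target]


def p_success(guesses, random_qid, random_port):
    """Probability that at least one of `guesses` spoofed answers hits, given
    the bits the attacker must guess: 0 (counter QID and fixed port),
    16 (random QID or random port) or 32 (both)."""
    bits = (16 if random_qid else 0) + (16 if random_port else 0)
    if bits == 0:
        return 1.0
    return 1 - (1 - 2.0 ** -bits) ** guesses
```

With a counter QID and a fixed port a single spoofed packet suffices; with a random QID alone, about 65,536 packets in the window give a 63% chance (1 - 1/e), which is why factor 3, the width of the window, matters; with both randomized the attacker needs of the order of 2^32 packets per attempt.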
Additional Resource Records
•Authoritative name servers send additional resource records to resolvers, where these records are cached just in case they might prove useful in future.
•A malicious authoritative name server might provide resource records for other domains when being queried for a host in its own domain.
•Therefore the resolver performs bailiwick checking: additional resource records that do not belong to the queried domain are not accepted.
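A bailiwick check, as an added example (not code from the book or from any resolver). The constructed answer below comes from the server for example.com and carries, besides legitimate glue, a record for another zone and a record whose owner merely ends in the string "example.com"; the dot in the suffix comparison is what keeps the last one out.

```python
def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it. The dot is part of
    the comparison so that 'evilexample.com' is not treated as being under
    'example.com'; names are compared case-insensitively without trailing dot."""
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def accept_additional(zone, additional):
    """Filter the additional section of an answer from the server for `zone`,
    keeping only records that server is authoritative for.
    `additional` is a list of (owner name, type, value) tuples."""
    return [rr for rr in additional if in_bailiwick(rr[0], zone)]


# Constructed answer to a query for www.example.com, served by example.com's
# name server, whose additional section tries to plant records for other zones.
ADDITIONAL = [
    ("ns1.example.com.", "A", "192.0.2.53"),        # legitimate glue
    ("www.bank.example.", "A", "203.0.113.66"),     # out of bailiwick
    ("evilexample.com.", "A", "203.0.113.67"),      # suffix trick
    ("mail.example.com.", "A", "192.0.2.25"),       # legitimate
]
```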
Dan Kaminsky's Attack
•Bailiwick checking alone is not enough. The attacker has the resolver look up a different random, non-existent name under the target domain on each attempt, so no cache entry stops the race and the QID can be guessed again and again. The spoofed answers carry, in the authority and additional sections, an NS record for the target domain (with glue for its name server) pointing at the attacker. That record is inside the bailiwick, so it is accepted and cached, and the attacker now controls the whole domain.
•Such an attack succeeded in practice within 10 seconds!
•This is a very serious attack that could even be launched against TLDs!
Dan Kaminsky's Attack
•Protective countermeasures:
oSend queries from random source ports. (Why? The attacker then has to guess about 32 bits, QID plus port, instead of 16.)
oRestrict access to local resolvers. It is better to have two separate servers: a recursive resolver that serves internal clients resolving external host names, and a non-recursive authoritative server that answers external queries for host names in the zone.
oDo not rely on simple 'challenge-response' authentication alone: use cryptographic authentication, i.e. the digital signatures of DNSSec.
DNSSec
•DNSSec (short for DNS Security Extensions) protects the authenticity and integrity of resource records with digital signatures.
•It is still not very widely used, owing to obstacles such as the complexity of the hierarchy of signers, the need to change the original DNS protocol, and the infeasibility of partial deployment.
Skip Section 17.2.6
Firewalls
•To control what traffic is allowed to enter your network (ingress filtering) or leave your network (egress filtering) you need a firewall.
•A firewall is a network security device controlling traffic flow between two parts of a network.
•Firewalls are often installed between the network of an entire organization and the Internet, but can also be installed within an intranet to protect individual departments.
•Host-based vs. network-based firewalls.
•A firewall blocks outside access to internal services, and restricts access from inside to external services that are deemed dangerous.
•However, a dial-up connection or a USB 3G/4G stick used from inside the internal network puts the whole network in a danger that the firewall cannot help to confront: it is an unprotected entry point into the network behind the firewall.
Firewalls
•A firewall can route sensitive traffic via a virtual private network (VPN). A VPN establishes a secure connection between the gateways of subnets of an organization that are not directly connected. All traffic between the subnets has to go through these gateways, where cryptographic protection is added to extend the security perimeter.
•Firewalls are capable of performing NAT.
•Firewalls implement access control on ISO/OSI layers 2, 3, 4, 5 and/or 7. Parameters that can be used for access control are found at each layer: at layer 3 you have source and destination IP addresses, at layer 4 TCP and UDP port numbers.
Packet Filters
•Packet filtering firewalls work at OSI layers 3 (network) and 4 (transport).
•Rules specifying which packets are allowed through the firewall and which are dropped are applied to packets individually.
•Rules for traffic in both directions can be defined.
•Examples of information that can be filtered by a packet filtering firewall:

Layer   Filtered information
3       IP addresses (source and destination)
3       protocol (e.g. IP, ICMP, etc.)
4       TCP and UDP port numbers
4       protocol (e.g. TCP, UDP, etc.)
Packet Filters
•Only static rules can be enforced. For example, when a client sends an FTP request to an FTP server, the firewall cannot link the data packets coming back from the server to this request.
•Example of a packet filtering firewall policy (or ACL); rules of this kind are typically evaluated top down, first match wins:

Rule  Source Address  Destination Address  Protocol  Port Number  Action
1     Any             192.168.x.x          Any       Any          Drop
2     Any             218.11.23.45         TCP       25           Allow
3     Any             218.11.23.45         TCP       110          Allow
4     Any             218.11.23.45         UDP       Any          Drop
5     210.22.x.x      218.11.23.44         TCP       80           Allow

•Practical firewall ACLs are not written this way!
•They are mostly written on a (drop all; except ...) or (allow all; except ...) basis.
Stateful Packet Filters
•Stateful packet filtering firewalls understand requests and replies (i.e. they are dynamic). They work at OSI layers 3 (network), 4 (transport) and 5 (session).
•For example, they understand how the TCP session open handshake works (i.e. SYN, SYN-ACK, ACK).
•Rules are only specified for the first packet in one direction; the rules for the rest of the connection, including the replies, are then created 'dynamically' in real time.
•Very useful with protocols such as FTP, IRC, etc. that open secondary connections.
•Packet filtering can be done by routers, giving high performance at lower cost.
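The two preceding slides side by side, as an added example (written for this page, not code from the book or any firewall product): a stateless filter evaluating the five-rule ACL above, which cannot admit the SYN|ACK reply to an SMTP connection it allowed because no static rule matches the reverse direction, and a stateful wrapper that records the connection when the SYN is admitted and thereafter passes both directions. "192.168.x.x" is rendered as the prefix 192.168.0.0/16 and "Any" as 0.0.0.0/0 or None; the default action for unmatched packets (drop), the flag handling and the example packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp"
    sport: int
    dport: int
    flags: str = ""  # TCP flags, e.g. "SYN", "SYN|ACK", "ACK"


# The policy table above; first match wins, unmatched packets are dropped.
RULES = [
    ("0.0.0.0/0",     "192.168.0.0/16",  None,  None, "drop"),   # rule 1
    ("0.0.0.0/0",     "218.11.23.45/32", "tcp", 25,   "allow"),  # rule 2
    ("0.0.0.0/0",     "218.11.23.45/32", "tcp", 110,  "allow"),  # rule 3
    ("0.0.0.0/0",     "218.11.23.45/32", "udp", None, "drop"),   # rule 4
    ("210.22.0.0/16", "218.11.23.44/32", "tcp", 80,   "allow"),  # rule 5
]


def static_filter(pkt, rules=RULES, default="drop"):
    """Stateless packet filter: each packet is judged on its own header
    fields against the first matching rule; unmatched packets get `default`."""
    for src, dst, proto, dport, action in rules:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)
                and (proto is None or proto == pkt.proto)
                and (dport is None or dport == pkt.dport)):
            return action
    return default


class StatefulFilter:
    """Stateful packet filter: a TCP connection admitted by the static rules
    on its SYN gets a dynamically created entry, and packets of that
    connection in either direction are then allowed without a static rule."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.conns = set()   # (src, sport, dst, dport, proto) of admitted connections

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.conns or rev in self.conns:
            return "allow"          # belongs to a tracked connection
        if pkt.proto == "tcp" and pkt.flags != "SYN":
            return "drop"           # only a SYN may open a new connection
        action = static_filter(pkt, self.rules)
        if action == "allow":
            self.conns.add(fwd)     # the dynamically created rule for the replies
        return action
```

A real implementation also ages entries out (FIN/RST or a timeout) and tracks sequence windows; without that the table itself becomes a resource an attacker can exhaust, the stateful analogue of the SYN flood.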
Application-Level Proxies
•For each application protocol the firewall should police, a proxy implements the client and server sides of the service on the firewall.
•Application-level proxy firewalls are capable of inspecting the content of the data.
•When a client connects to the firewall, the proxy acts as the server and validates the request. A mail proxy, for example, could filter out viruses, worms and spam. If the client request is allowed, the proxy acts as a client and connects to the destination server. Responses come back through the firewall and are again processed and checked by the proxy.
•An application-level proxy firewall must be the only entity seen by the outside world, and must appear transparent to the internal users except for the filtering.
Application-Level Proxies
•Application-level proxy firewalls can provide good control over the content of incoming and outgoing traffic, which should lead to a better security level.
•However, they process a large amount of data per connection, and their configuration is somewhat complicated. The complexity makes them harder to get right (and so potentially less secure), and the processing slows down their performance.
•Finally, you need a proxy for each service you want to protect. This reduces their scalability as the number of Internet services on offer grows.
•Application-level proxies vs. packet filters. (the telephone example)
Firewall Policies
•There are two types of firewall policy:
oPermissive policies: allow all traffic but block certain services.
oRestrictive policies: block all traffic but allow certain services.
•Which one is more secure? (The restrictive one: a service nobody thought about is blocked by default rather than exposed.)
•A policy is usually represented as an Access Control List (ACL). For example:
oAllow from internal network to Internet: HTTP, FTP, SSH, DNS.
oAllow from anywhere to mail server: SMTP only.
oAllow from mail server to Internet: SMTP, DNS.
oAllow from internal network to mail server: SMTP, POP3.
oAllow reply packets.
oBlock everything else.
Perimeter Networks
•Where should the mail server be placed in relation to the firewall?
1. A mail server requires external access to receive mail from outside, so it should be inside the firewall; then the firewall can protect access to the mail server from outside.
2. A mail server also requires internal access to receive mail from the internal network, so it should be outside the firewall; then the firewall can stop worms and viruses spreading from the internal network, or prevent confidential documents leaving the internal network.
•Solution: create a perimeter network, also known as a demilitarized zone (DMZ), for servers that require access from both inside and outside the firewall.
Limitations and Problems
•Firewalls do not protect against insider threats.
•Blocking services may create inconveniences for users.
•Network diagnostics may be harder.
•Some protocols are hard to support.
•Packet filtering firewalls do not provide content-based filtering.
•Protocol tunnelling can bypass firewalls (e.g. MSN over HTTP).
•Encrypted traffic cannot be filtered by content (e.g. SSL/TLS (HTTPS), SSH and IPsec (tunnel mode VPN)).
Intrusion Detection
•Firewalls cannot prevent all attacks!
•Firewalls prevent attacks; but what about the attacks that bypassed or deceived the firewall? They should be detected!
•To detect network attacks an Intrusion Detection System (IDS) should be deployed.
•An IDS consists of a set of sensors gathering data, located either on the hosts or on the network.
•The sensor network is managed from a central console.
•Data are analysed, intrusions reported and possibly reactions triggered.
•The communication between sensors and console should be protected.
•Two approaches to detecting intrusions:
o Misuse Detection
o Anomaly Detection
Vulnerability Assessment
•Vulnerability assessment examines the security state of a network.
•Information about open ports, software packages running (e.g. which version? when were they last updated? which service pack? which patches are installed? etc.), network topology, and more, is collected. A prioritized list of vulnerabilities is then checked.
•This can be done manually or automatically.
•The assessment is only as good as the knowledge base that has been built for it.
Misuse Detection
•Misuse detection looks for attack signatures.
•Attack signatures are patterns of network traffic or activity in log files that indicate suspicious behaviour.
•Examples: the number of failed login attempts, a pattern of bits in an IP packet indicating a buffer overflow attack, or certain types of TCP SYN packets that indicate a SYN flooding attack.
•These systems are only as good as the information in the database of attack signatures (knowledge-based IDS).
•New vulnerabilities are constantly being discovered and exploited. Vendors need to keep up to date with the latest attacks and issue database updates. Customers need to install the updates.
Anomaly Detection
•Also known as behaviour-based detection.
•Statistical anomaly detection uses statistical techniques to detect potential intrusions.
•First the 'normal' behaviour is established as a baseline.
•During operation, a statistical analysis is performed and the deviation from the baseline is measured. If a threshold is exceeded, an alarm is raised.
•The baseline defines normality, so there is a chance of detecting novel attacks without having to update a knowledge base.
•Attacks are not necessarily anomalies. A careful attacker might just 'fly under the radar' of the IDS and remain undetected.
•Many such IDSs suffer from high false-positive and/or false-negative rates.
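Both detection approaches from the two preceding slides, as an added example (written for this page; not code from the book, from Snort or from any IDS product). The misuse detector applies the "number of failed login attempts" signature to constructed sshd-style log lines; the anomaly detector learns a baseline of a metric (here connections per minute, constructed values) and raises an alarm on a deviation of more than k standard deviations. The sample data include a slow attacker who stays under both thresholds, illustrating the 'fly under the radar' caveat. The log format, thresholds and k = 3 are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sshd-style log lines (not real data).
LOG_LINES = """\
Mar  3 10:00:01 host sshd[4121]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar  3 10:00:02 host sshd[4121]: Failed password for root from 203.0.113.9 port 51003 ssh2
Mar  3 10:00:02 host sshd[4123]: Accepted publickey for alice from 192.0.2.10 port 50210 ssh2
Mar  3 10:00:03 host sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51004 ssh2
Mar  3 10:00:03 host sshd[4121]: Failed password for root from 203.0.113.9 port 51005 ssh2
Mar  3 10:00:04 host sshd[4125]: Failed password for bob from 198.51.100.4 port 43210 ssh2
Mar  3 10:00:04 host sshd[4121]: Failed password for root from 203.0.113.9 port 51006 ssh2
Mar  3 10:00:09 host sshd[4125]: Failed password for bob from 198.51.100.4 port 43211 ssh2
""".splitlines()

FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def misuse_detect(lines, threshold=5):
    """Misuse (signature) detection. The signature is 'at least `threshold`
    failed logins from one source address'. Returns the offending addresses;
    a source below the threshold (198.51.100.4 in the sample) is missed."""
    failures = defaultdict(int)
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group(2)] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def anomaly_detect(baseline, observed, k=3.0):
    """Statistical anomaly detection. `baseline` is a training series of a
    metric (new connections per minute) that defines normal behaviour; a
    later value is flagged if it deviates from the baseline mean by more
    than k standard deviations. Returns (index, value) pairs."""
    mu = statistics.mean(baseline)
    sigma = statistics.pstdev(baseline)
    return [(i, x) for i, x in enumerate(observed) if abs(x - mu) > k * sigma]


# Constructed per-minute connection counts: normal traffic, then a burst at
# minute 2; the 13 and 14 are slightly high but stay under 3 sigma.
BASELINE = [10, 12, 9, 11, 10, 13, 11, 10, 12, 11]
OBSERVED = [11, 13, 90, 12, 14]
```

Lowering the thresholds catches the slow attacker but also turns ordinary mistyped passwords and busy minutes into alarms, which is the false-positive/false-negative trade-off the slide refers to.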
Network-Based IDS
•Sensors are placed in the network.
•A NIDS looks for attack signatures in network traffic.
•It monitors and analyses the traffic in real time.
•Three common techniques for recognizing attacks:
1. Patterns.
2. Frequency.
3. Correlation of events. (not widely used)
•Snort is a popular NIDS developed in the open source community.
Host-Based IDS
•A HIDS looks for attack signatures in the log files of hosts.
•It can also verify the checksums of system files.
•Some HIDSs listen to port activity and generate an alert when specific ports are accessed.
•There is a trend towards HIDS, yet it is always better to have both HIDS and NIDS.
•An attacker might trick an IDS that reacts automatically into responding, with the response aimed at an innocent target (by spoofing the source IP address). Users can be locked out of their accounts because of false positives.
Honeypots
•A honeypot is a trap set to detect attackers: a computer, data, or network site that appears to be part of a network but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
•Honeypots mimic real systems but do not contain real operational data.
•The aim is to learn about novel attack techniques.
•Honeypots can generally be divided into different categories:
◦ Low-interaction honeypots offer a basic emulation of some services and of the operating system. There is not much an attacker can do on them, so there is a limit to the adversarial behaviour the honeypot can log.
◦ High-interaction honeypots offer real services, with fake data.
Reading
“Computer Security ”, 3rd edition by Dieter Gollmann. Wiley, March, 2011.
Chapter 17