Transcript Lecture #23
Lecture 23
Network Security
CPE 401 / 601
Computer Network Systems
slides are modified from Jim Kurose and Keith Ross; Michael Shamos;
Vinnie Costa; Mark Stamp; Dave Hollinger
[Cartoon by Peter Steiner, The New Yorker, July 5, 1993]
Network Security
2
Early Hacking – Phreaking
In 1957, Joe Engressia (later known as Joybubbles), a blind
seven-year-old, discovered that whistling a particular tone into
the receiver reset long-distance trunk lines
Blow into receiver – free phone calls
Cap’n Crunch cereal prize
The giveaway whistle produced a 2600 Hz tone, the same in-band
signalling frequency the trunk lines used
The Seventies
John Draper
a.k.a. Captain Crunch
“If I do what I do, it is only
to explore a system”
In 1971, built Bluebox
with Steve Jobs and
Steve Wozniak
The Eighties
Robert Morris worm - 1988
Developed to measure the size of the Internet
• However, a computer could be infected multiple times, and the extra copies overloaded it
Brought down a large fraction of the Internet
• ~ 6K computers
Academic interest in network security
The Nineties
Kevin Mitnick
First hacker on FBI’s Most Wanted list
Hacked into many networks
• including FBI
Stole intellectual property
• including 20K credit card numbers
In 1995, caught 2nd time
• served five years in prison
Code-Red Worm
On July 19, 2001, more than 359,000 computers connected
to the Internet were infected in less than 14 hours
[Figure: geographic spread of the infection]
Sapphire Worm (also known as Slammer), January 25, 2003
was the fastest-spreading worm seen up to that time
doubled in size every 8.5 seconds
infected more than 90 percent of vulnerable
hosts within 10 minutes.
DoS attack on SCO
On Dec 11, 2003
Attack on web and FTP servers of SCO
• a software company focusing on UNIX systems
SYN flood of 50K packet-per-second
SCO responded to more than 700 million attack
packets over 32 hours
Witty Worm
19 March 2004
reached its peak activity after approximately 45
minutes
at which point the majority of vulnerable hosts had
been infected
[Figures: infected hosts over time, World and USA panels]
Nyxem Email Virus
Jan 15, 2006: infected about 1M computers
within two weeks
At least 45K of the infected computers were
also compromised by other forms of spyware or
botware
[Figure: geographic spread of the infection]
Security Trends
Source: www.cert.org (CERT Coordination Center; CERT stands for Computer Emergency Response Team)
Concern for Security
Explosive growth of desktops started in ‘80s
No emphasis on security
• Who wants military security, I just want to run my spreadsheet!
Internet was originally designed for a group of mutually
trusting users
By definition, no need for security
Users can send a packet to any other user
Identity (source IP address) taken by default to be true
Explosive growth of Internet in mid ’90s
Security was not a priority until recently
• Only a research network, who will attack it?
The Cast of Characters
Alice and Bob are the good guys
Trudy is the bad guy
Trudy is our generic “intruder”
Who might Alice, Bob be?
… well, real-life Alices and Bobs
Web browser/server for electronic transactions
on-line banking client/server
DNS servers
routers exchanging routing table updates
Alice’s Online Bank
Alice opens Alice’s Online Bank (AOB)
What are Alice’s security concerns?
If Bob is a customer of AOB, what are his
security concerns?
How are Alice and Bob concerns similar? How
are they different?
How does Trudy view the situation?
Alice’s Online Bank
AOB must prevent Trudy from learning Bob’s
balance
Confidentiality (prevent unauthorized reading of information)
Trudy must not be able to change Bob’s balance
Bob must not be able to improperly change his
own account balance
Integrity (prevent unauthorized writing of information)
Alice’s Online Bank
AOB’s information must be available when
needed
Availability (data is available in a timely manner when needed)
How does Bob’s computer know that “Bob” is
really Bob and not Trudy?
When Bob logs into AOB, how does AOB know
that “Bob” is really Bob?
Authentication (assurance that other party is the claimed one)
Bob can’t view someone else’s account info
Bob can’t install new software, etc.
Authorization (allowing access only to permitted resources)
Think Like Trudy
Good guys must think like bad guys!
A police detective
Must study and understand criminals
In network security
We must try to think like Trudy
We must study Trudy’s methods
We can admire Trudy’s cleverness
Often, we can’t help but laugh at Alice and Bob’s
carelessness
But, we cannot act like Trudy
Aspects of Security
Security Services
Enhance the security of data processing systems and
information transfers of an organization.
Counter security attacks.
Security Attack
Action that compromises the security of information
owned by an organization.
Security Mechanisms
Designed to prevent, detect or recover from a
security attack.
Security Services
Enhance security of data processing systems and
information transfers
Authentication
Assurance that the communicating entity is the one
claimed
Authorization
Prevention of the unauthorized use of a resource
Availability
Data is available in a timely manner when needed
Security Services
Confidentiality
Protection of data from unauthorized disclosure
Integrity
Assurance that data received is as sent by an
authorized entity
Non-Repudiation
Protection against denial by one of the parties in a
communication
Security Attacks
[Diagram: normal flow from information source to information destination]
Normal Flow
Security Attacks
[Diagram: interruption, the flow from information source to information destination is cut off]
Interruption
Attack on availability
(ability to use desired information or resources)
Denial of Service
Smurf Attack
ICMP = Internet Control Message Protocol
Perpetrator sends an ICMP echo request with the spoofed source address of the victim
Sent to the IP broadcast address of an innocent reflector network
Every host on that network answers the victim with an ICMP echo reply, so one
request becomes as many replies as the reflector network has hosts
Same idea with TCP: spoofed SYNs to innocent reflector sites, each of which
returns a SYN/ACK to the victim
1 SYN in, 10,000 SYN/ACKs out – victim is dead
[Diagram: perpetrator, Internet, innocent reflector sites, victim]
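The slide describes the attack from the perpetrator's side; what a defender at the victim's border actually sees is replies with no matching requests, because the spoofed echo request (or SYN) travels from the perpetrator to the reflectors and never passes the victim. The following is an added example, not code from the lecture: it scans packet summaries for hosts that receive ICMP echo replies or TCP SYN/ACKs from many distinct sources to which they never sent the corresponding request. The packet records and addresses are constructed for the demo.

```python
# Added example (not from the lecture): spotting a smurf-style reflected flood in
# packet summaries captured at the victim's border, where the spoofed request
# is never seen, only the replies it triggers. All records below are constructed.
from collections import defaultdict

def detect_reflected_flood(packets, min_sources=10):
    """packets: iterable of (src, dst, kind) with kind in
    {"echo-request", "echo-reply", "syn", "syn-ack"}.

    A host is a victim when it receives echo replies (or SYN/ACKs) from many
    distinct sources to which it never sent an echo request (or SYN).
    Returns {victim: {"icmp": n_unsolicited_sources, "tcp": ...}}."""
    requested = defaultdict(set)   # (host, proto) -> peers it sent requests to
    answered = defaultdict(set)    # (host, proto) -> peers that sent it replies
    kinds = {
        "echo-request": ("icmp", requested),
        "echo-reply": ("icmp", answered),
        "syn": ("tcp", requested),
        "syn-ack": ("tcp", answered),
    }
    for src, dst, kind in packets:
        if kind not in kinds:
            continue                       # other traffic is irrelevant here
        proto, table = kinds[kind]
        if table is requested:
            table[(src, proto)].add(dst)   # request: remember who we asked
        else:
            table[(dst, proto)].add(src)   # reply: remember who answered us
    findings = {}
    for (host, proto), sources in answered.items():
        unsolicited = sources - requested.get((host, proto), set())
        if len(unsolicited) >= min_sources:
            findings.setdefault(host, {})[proto] = len(unsolicited)
    return findings

def sample_capture():
    """Constructed traffic as seen at the 10.0.0.0/24 border router."""
    pkts = []
    victim = "10.0.0.5"
    # One spoofed echo request to 192.168.1.255 (not visible here) makes every
    # host on that /24 answer the victim: 50 replies for one request.
    for i in range(1, 51):
        pkts.append(("192.168.1.%d" % i, victim, "echo-reply"))
    # TCP variant: spoofed SYNs to twenty reflector sites, SYN/ACKs come back.
    for i in range(1, 21):
        pkts.append(("198.51.100.%d" % i, victim, "syn-ack"))
    # Legitimate traffic: a ping the victim really sent, and a normal connection
    # from another host; neither should be flagged.
    pkts.append((victim, "203.0.113.1", "echo-request"))
    pkts.append(("203.0.113.1", victim, "echo-reply"))
    pkts.append(("10.0.0.7", "192.168.1.3", "syn"))
    pkts.append(("192.168.1.3", "10.0.0.7", "syn-ack"))
    return pkts

if __name__ == "__main__":
    for victim, counts in detect_reflected_flood(sample_capture()).items():
        print(victim, counts)   # 10.0.0.5 {'icmp': 50, 'tcp': 20}
```

The number of unsolicited sources is also the amplification factor the reflector network gave the attacker. On the reflector side the same logic does not work, because there the spoofed request is visible and looks like the victim asked for the replies; the fix there is to drop echo requests addressed to the broadcast address at the router.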
Security Attacks
[Diagram: interception, a third party reads the flow from information source to information destination]
Interception
Attack on confidentiality
(concealment of information)
Packet Sniffing
Every network interface card (NIC) has a 48-bit Media Access Control (MAC) address,
e.g. 00:0D:84:F6:3A:10: the first 24 bits (the OUI) are assigned by the IEEE to the vendor, the last 24 by the card vendor
Uniqueness is only administrative: the address can be overridden in software, so a MAC is not an authenticator
In normal operation the NIC passes up only frames addressed to its own MAC address (plus broadcast and subscribed multicast)
A packet sniffer on the same segment sets its card to promiscuous mode, so it receives every frame on the wire, including the client/server traffic between other hosts
[Diagram: client, server and packet sniffer on a shared segment]
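To make the receive filter concrete, here is an added example (not code from the lecture) that models the decision a NIC makes for each Ethernet frame in normal versus promiscuous mode, and splits a MAC address into its IEEE-assigned and vendor-assigned halves. The MAC addresses other than the one on the slide, the frames and the payloads are constructed for the demo.

```python
# Added example (not from the lecture): a model of the NIC receive filter that
# promiscuous mode switches off, plus the OUI/vendor split of a 48-bit MAC.
import struct

BROADCAST = b"\xff" * 6

def parse_mac(text):
    """'00:0D:84:F6:3A:10' -> 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)

def format_mac(raw):
    return ":".join("%02x" % b for b in raw)

def split_mac(raw):
    """(OUI assigned by the IEEE to the vendor, part assigned by the vendor)."""
    return format_mac(raw[:3]), format_mac(raw[3:])

def is_locally_administered(raw):
    """Bit 1 of the first octet is set when the address was chosen in software
    rather than burned in by the vendor; such addresses are easy to spot."""
    return bool(raw[0] & 0x02)

def build_frame(dst, src, ethertype, payload):
    """Minimal Ethernet II frame: dst MAC, src MAC, 16-bit EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def nic_accepts(frame, my_mac, promiscuous):
    """Does the card hand this frame to the host?

    Normal mode: only frames for this MAC, the broadcast address, or a
    multicast group (low bit of the first destination octet set).
    Promiscuous mode: every frame seen on the wire, which is what a sniffer
    relies on.
    """
    if len(frame) < 14:
        return False          # not even a full Ethernet header
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == my_mac or dst == BROADCAST or bool(dst[0] & 0x01)

# Constructed addresses for the demo: a client and server on one segment and a
# third host running a sniffer with a software-assigned (locally administered) MAC.
CLIENT = parse_mac("00:0D:84:F6:3A:10")   # the address from the slide
SERVER = parse_mac("00:0D:84:F6:3A:11")
SNIFFER = parse_mac("02:00:5E:00:00:01")
ETHERTYPE_IPV4 = 0x0800

def sniffer_sees(frames, promiscuous):
    """Return the payloads the sniffer host receives from a list of frames."""
    return [f[14:] for f in frames if nic_accepts(f, SNIFFER, promiscuous)]

if __name__ == "__main__":
    frames = [
        build_frame(SERVER, CLIENT, ETHERTYPE_IPV4, b"GET /balance HTTP/1.0"),
        build_frame(CLIENT, SERVER, ETHERTYPE_IPV4, b"HTTP/1.0 200 OK"),
        build_frame(BROADCAST, CLIENT, 0x0806, b"who-has 10.0.0.1"),
    ]
    print("normal mode     :", sniffer_sees(frames, promiscuous=False))
    print("promiscuous mode:", sniffer_sees(frames, promiscuous=True))
```

In normal mode the sniffer host only gets the broadcast ARP frame; in promiscuous mode it gets the client/server exchange as well. The filter is implemented in the card, so nothing on the wire changes when a host goes promiscuous, which is why sniffing on a shared segment is hard to detect from the network.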
Security Attacks
[Diagram: fabrication, a third party injects messages toward the information destination that appear to come from the information source]
Fabrication
Attack on authenticity
(identification and assurance of origin of information)
IP Address Spoofing
IP source addresses are filled in by the originating host; nothing in IP verifies them
Using the source address for authentication
r-utilities (rlogin, rsh, rhosts etc.)
[Diagram: hosts A (1.1.1.1), B (1.1.1.2) and server S (1.1.1.3) on one network; host C (2.1.1.1) elsewhere on the Internet]
• Can A claim it is B to the server S?
Yes, by ARP spoofing: on the shared segment A answers for B's IP address
• Can C claim it is B to the server S?
Yes, by source routing: C sends with B's source address and a route that brings S's replies back to C
Security Attacks
[Diagram: modification, a third party alters the flow from information source to information destination in transit]
Modification
Attack on integrity
(prevention of unauthorized changes)
TCP Session Hijack
When is a TCP packet valid?
Source/destination address and port match the connection, and the sequence number falls in the receive window
How does Trudy get the sequence number?
Sniff traffic
Guess it
• Many earlier systems had predictable Initial Sequence
Numbers, so an attacker who could not see the traffic could still guess one that lands in the window
Inject arbitrary data into the connection
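The acceptance test the slide summarises is what an injected segment has to pass, so it is worth seeing exactly. Below is an added example, not code from the lecture: the receiver's in-window test with 32-bit sequence wraparound, the full check including the address/port 4-tuple, and a count of how many blind probes it takes to land a segment in the window when the sequence number is only known to within some range. The connection state, the segments and the "ISN clock advances 128 per second" figure used for the predictable-ISN case are assumptions for the demo, not values from the lecture.

```python
# Added example (not from the lecture): the receiver's acceptability test for a
# TCP segment, with 32-bit sequence wraparound, plus how many blind probes an
# attacker needs when the sequence number is only known within a range.
SEQ_MOD = 1 << 32

def in_window(seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test. Arithmetic is modulo 2^32, so a window that
    straddles the wrap (rcv_nxt near 0xFFFFFFFF) is handled correctly."""
    def inside(x):
        return (x - rcv_nxt) % SEQ_MOD < rcv_wnd
    if seg_len == 0:
        return seq == rcv_nxt if rcv_wnd == 0 else inside(seq)
    if rcv_wnd == 0:
        return False                        # no room for data
    last = (seq + seg_len - 1) % SEQ_MOD
    return inside(seq) or inside(last)      # first or last byte in window

def segment_accepted(pkt, conn):
    """Everything the slide lists: the 4-tuple must match the connection and
    the sequence number must fall in the receive window."""
    if (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) != \
       (conn["peer"], conn["peer_port"], conn["local"], conn["local_port"]):
        return False
    return in_window(pkt["seq"], len(pkt["payload"]), conn["rcv_nxt"], conn["rcv_wnd"])

def blind_probes_needed(uncertainty, rcv_wnd):
    """If the attacker knows the next sequence number only to within
    `uncertainty` values, each probe covers rcv_wnd of them, so this many
    probes guarantee that one lands in the window."""
    if rcv_wnd <= 0:
        raise ValueError("zero window: nothing can be injected")
    return -(-uncertainty // rcv_wnd)       # ceiling division

# Constructed connection state: an rlogin session from B (1.1.1.2) to S (1.1.1.3)
# whose receive window happens to straddle the sequence-number wrap.
CONN = {"local": "1.1.1.3", "local_port": 513, "peer": "1.1.1.2", "peer_port": 1023,
        "rcv_nxt": 0xFFFFFFF0, "rcv_wnd": 4096}

def demo():
    spoofed = {"src": "1.1.1.2", "sport": 1023, "dst": "1.1.1.3", "dport": 513,
               "seq": 0x00000008, "payload": b"injected data"}
    stale = dict(spoofed, seq=0xFFFF0000)   # an old sequence number
    wrong_port = dict(spoofed, sport=1022)  # right seq, wrong 4-tuple
    return {
        "spoofed (seq past the wrap, in window)": segment_accepted(spoofed, CONN),
        "stale sequence number": segment_accepted(stale, CONN),
        "right seq, wrong port": segment_accepted(wrong_port, CONN),
        # Assumed old-style ISN clock of +128 per second, connection age known
        # to within 10 s, versus a uniformly random 32-bit ISN; 64 KB window.
        "probes, predictable ISN": blind_probes_needed(128 * 10, 65535),
        "probes, random ISN": blind_probes_needed(SEQ_MOD, 65535),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print("%-40s %s" % (name, value))
```

With a predictable ISN the attacker needs a single probe; with a random 32-bit ISN and the largest unscaled window, about 65 thousand. The window is what makes off-path injection feasible at all: the receiver accepts any segment whose bytes overlap it, not only the one starting exactly at rcv_nxt.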
Security Attacks
Passive attacks (eavesdropping, monitoring transmissions)
Message interception
Traffic analysis
Active attacks (some modification of the data stream)
Masquerade
Replay
Modification of message contents
Denial of service
Model for Network Security
Security Mechanism
Feature designed to
Prevent attackers from violating security policy
Detect attackers’ violation of security policy
Recover, continue to function correctly even if attack
succeeds.
No single mechanism that will support all
services
Authentication, authorization, availability,
confidentiality, integrity, non-repudiation
What is network security about ?
It is about secure communication
Everything is connected by the Internet
There are eavesdroppers that can listen on
the communication channels
Information is forwarded through packet
switches which can be reprogrammed to
listen to or modify data in transit
Tradeoff between security and performance
Unix Network Security
Some basic approaches:
1. Do nothing and assume the requesting system is secure.
2. Require the host to identify itself and trust users on known hosts.
3. Require a password (authentication) every time a service is requested.
Traditional Unix Security (BSD)
Based on option 2 – trust users on trusted
hosts.
if the user has been authenticated by a trusted
host, we will trust the user.
Authentication of hosts based on IP address!
doesn’t deal with IP spoofing
Reserved Ports
Trust only clients coming from trusted hosts
with a source port less than 1024.
Only root can bind to these ports.
We trust the host.
So the request must be coming via a trusted service
(one running as root on a reserved port) on that host.
Potential Problem
Anyone who knows the root password can
replace trusted services.
Not all Operating Systems have a notion of
root or reserved ports!
It’s easy to impersonate a host that is down.
Services that use the BSD
security model
lpd – line printing daemon.
rshd – remote execution.
rexec – another remote execution.
rlogin – remote login.
BSD Config Files
/etc/hosts.equiv – list of trusted hosts.
/etc/hosts.lpd – trusted printing clients.
~/.rhosts – user-defined trusted hosts and users.
lpd security
check the client's address for a reserved port
and
(check /etc/hosts.equiv for the client IP
or
check /etc/hosts.lpd for the client IP)
rshd, rexecd, rlogind security
As part of a request for service a username
is sent by the client.
The username must be valid on the server!
rshd security
1. check client’s address for reserved port
if not a reserved port, reject request
2. Check password entry on server for specified user
if not a valid username, reject request
3. check /etc/hosts.equiv for client’s IP address
if found – process request
4. check users ~/.rhosts for client's IP address
if found – process request, otherwise reject
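The four steps above, together with the spoofing question from the IP Address Spoofing slide, are easiest to judge as code. The following is an added example, not code from the lecture or from BSD: it implements the rshd decision procedure (and the rlogind variant that falls back to a password prompt) over constructed /etc/passwd, /etc/hosts.equiv and ~/.rhosts contents. It keeps the slides' simplification of matching the client IP address directly; real BSD rshd matched host names resolved from the peer address, which is weaker still. Entry semantics follow BSD: a bare "host" entry trusts a remote user logging in under the same name, and "host user" trusts that specific remote user. The users, addresses and file contents are assumptions for the demo.

```python
# Added example (not from the lecture): the rshd/rlogind decision procedure
# over constructed trust files. Hosts are matched by IP address, as on the slide.
RESERVED_PORT_LIMIT = 1024

def parse_trust_file(text):
    """hosts.equiv / .rhosts: one 'host' or 'host user' per line, '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries

def trusted(entries, client_ip, remote_user, local_user):
    """Bare host entry: same username on both sides. 'host user': that user."""
    for host, user in entries:
        if host != client_ip:
            continue
        if user is None and remote_user == local_user:
            return True
        if user == remote_user:
            return True
    return False

def rshd_decide(client_ip, client_port, remote_user, local_user,
                passwd_users, hosts_equiv, rhosts_by_user, root_rhosts=None):
    """Returns 'accept: <why>' or 'reject: <why>'."""
    # 1. The client must come from a reserved port: only root on the client
    #    could have bound it, so (supposedly) only the real rsh client sent it.
    if not 0 < client_port < RESERVED_PORT_LIMIT:
        return "reject: client port %d is not reserved" % client_port
    # 2. The requested local account must exist.
    if local_user not in passwd_users:
        return "reject: no local user %r" % local_user
    # Root is a special case: hosts.equiv is ignored, only /.rhosts counts,
    # and that is usually left empty or disabled.
    if local_user == "root":
        if root_rhosts and trusted(parse_trust_file(root_rhosts), client_ip, remote_user, "root"):
            return "accept: /.rhosts"
        return "reject: root access not trusted"
    # 3. System-wide trusted hosts.
    if trusted(parse_trust_file(hosts_equiv), client_ip, remote_user, local_user):
        return "accept: /etc/hosts.equiv"
    # 4. The target user's own ~/.rhosts.
    if trusted(parse_trust_file(rhosts_by_user.get(local_user, "")), client_ip, remote_user, local_user):
        return "accept: ~%s/.rhosts" % local_user
    return "reject: %s is not a trusted host for %s" % (client_ip, local_user)

def rlogind_decide(*args, **kwargs):
    """Same checks; an untrusted host is not rejected but asked for a password."""
    verdict = rshd_decide(*args, **kwargs)
    if verdict.startswith("reject: ") and "not a trusted host" in verdict:
        return "prompt for password"
    return verdict

# Constructed server state, using the addresses from the spoofing slide:
# B (1.1.1.2) is trusted system-wide; alice additionally trusts carol on C (2.1.1.1).
PASSWD_USERS = {"root", "alice", "bob"}
HOSTS_EQUIV = "1.1.1.2   # host B\n"
RHOSTS = {"alice": "2.1.1.1 carol\n"}

def demo():
    common = (PASSWD_USERS, HOSTS_EQUIV, RHOSTS)
    return {
        "alice from B": rshd_decide("1.1.1.2", 1023, "alice", "alice", *common),
        "alice from B, high port": rshd_decide("1.1.1.2", 40000, "alice", "alice", *common),
        "carol from C as alice": rshd_decide("2.1.1.1", 1022, "carol", "alice", *common),
        "carol from C as bob": rshd_decide("2.1.1.1", 1022, "carol", "bob", *common),
        "carol from C as bob (rlogin)": rlogind_decide("2.1.1.1", 1022, "carol", "bob", *common),
        "root from B": rshd_decide("1.1.1.2", 1023, "root", "root", *common),
        # A (1.1.1.1) spoofing B's address: the server sees exactly the same
        # inputs as for the real B, so the decision is necessarily the same.
        "A spoofing B": rshd_decide("1.1.1.2", 1023, "alice", "alice", *common),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-30s %s" % (case, verdict))
```

The last case is the point of the spoofing slide: every input the server has (source address, source port, username) is chosen by the client, so a host that can put 1.1.1.2 in the source field and bind a reserved port gets the same verdict as B itself.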
rlogind security
Just like rshd.
If trusted host (user) not found
prompts for a password.
rexecd security
client sends username and password to the
server as part of the request
both in plaintext, so anyone sniffing the path sees the password
1. check for a password entry on the server for
the user name.
2. run the supplied password through crypt(3) (Unix calls this "encrypting" it)
and check that the result matches the stored entry.
Special Cases
If the username is root, requests are treated
as a special case:
/etc/hosts.equiv is not consulted; only /.rhosts is looked at
often disabled completely
TCP Wrapper
TCP wrapper is a simple system that
provides some firewall-like functionality
A single host is isolated from the rest of
the world
really just a few services
Functionality includes logging of requests
for service and access control.
TCP Wrapper Picture
[Diagram: the world reaches a single host's TCP ports; the TCP wrapper (tcpd) sits between those ports and the TCP-based servers]
tcpd
Tcpd checks out incoming TCP connections
before the real server gets the connection
tcpd can find out the client's source IP address and port
number (the only "authentication" available; an address can be spoofed)
A log message can be generated indicating
service name, client address and time of connection
tcpd can use client addresses to authorize
each service request.
Typical tcpd setup
inetd (the SuperServer) is told to start
tcpd instead of the real server
tcpd checks out the client by calling
getpeername on descriptor 0
tcpd decides whether or not to start the
real server (by calling exec)
tcpd configuration
The configuration files for tcpd specify
which hosts are allowed/denied which
services
Entire domains or IP networks can be
permitted or denied easily
tcpd can be told to perform an RFC 931 (ident) lookup
to get a username; the answer comes from the client host, so it is only as trustworthy as that host
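The configuration files are where the access control actually happens, and their evaluation order is the part people get wrong. The following is an added example, not the tcp_wrappers code: a reduced model of how tcpd evaluates /etc/hosts.allow and /etc/hosts.deny, following the real order (hosts.allow first, then hosts.deny, otherwise allow) and a subset of the real patterns (ALL, an exact host or IP, a leading-dot domain suffix, a trailing-dot network prefix, net/mask, and "list EXCEPT list"). It omits user@host patterns, which is where the RFC 931 lookup would enter, and shell commands. The daemon names are the traditional inetd ones; the networks, domain names and rules are constructed for the demo, and the empty hosts.deny is shown alongside the "ALL : ALL" default that a hardened host uses.

```python
# Added example (not from the lecture): a reduced model of tcpd's evaluation of
# /etc/hosts.allow and /etc/hosts.deny. Same order as the real library
# (allow first, then deny, default allow); only a subset of the pattern syntax.
import ipaddress

def parse_rules(text):
    """Each rule is 'daemon_list : client_list'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0].split(), fields[1]))
    return rules

def match_token(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                 # .cs.example.edu: domain suffix
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):                   # 10.0.0. : network prefix
        return ip.startswith(pattern)
    if "/" in pattern:                          # 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
    return pattern == ip or pattern == hostname

def match_clients(client_list, ip, hostname):
    """'a b EXCEPT c d' matches when a or b matches and neither c nor d does.
    Nested EXCEPTs are treated as one flat exception list here."""
    parts = client_list.split("EXCEPT")
    included = any(match_token(p, ip, hostname) for p in parts[0].split())
    excluded = any(match_token(p, ip, hostname) for rest in parts[1:] for p in rest.split())
    return included and not excluded

def match_daemons(daemon_list, daemon):
    return "ALL" in daemon_list or daemon in daemon_list

def tcpd_allows(daemon, ip, hostname, hosts_allow, hosts_deny):
    for daemons, clients in parse_rules(hosts_allow):
        if match_daemons(daemons, daemon) and match_clients(clients, ip, hostname):
            return True
    for daemons, clients in parse_rules(hosts_deny):
        if match_daemons(daemons, daemon) and match_clients(clients, ip, hostname):
            return False
    return True   # no rule matched: tcp_wrappers allows by default

# Constructed configuration. Networks and domain names are made up for the demo.
HOSTS_ALLOW = """
sshd in.rlogind : 10.0.0. 192.168.1.0/255.255.255.0 .cs.example.edu
in.ftpd         : ALL EXCEPT .badguys.example
"""
DENY_EVERYTHING_ELSE = "ALL : ALL\n"   # the hardened default
DENY_NOTHING = ""                       # the weak setting: an empty hosts.deny

if __name__ == "__main__":
    for daemon, ip, host in [("sshd", "10.0.0.9", None), ("sshd", "172.16.0.1", None),
                             ("in.rlogind", "203.0.113.7", "zeus.cs.example.edu"),
                             ("in.ftpd", "203.0.113.8", "www.badguys.example"),
                             ("in.telnetd", "172.16.0.1", None)]:
        print(daemon, ip, host,
              "hardened:", tcpd_allows(daemon, ip, host, HOSTS_ALLOW, DENY_EVERYTHING_ELSE),
              "empty deny:", tcpd_allows(daemon, ip, host, HOSTS_ALLOW, DENY_NOTHING))
```

The last case is the one to notice: with an empty hosts.deny, a service that no hosts.allow rule mentions (in.telnetd here) is open to the whole world, because the default is allow. Putting "ALL : ALL" in hosts.deny turns the wrapper into a default-deny filter where only hosts.allow grants access. The hostname-based patterns are only as good as the name lookup, which is why tcpd offers the PARANOID check that the forward and reverse lookups agree.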