Network Security - Carnegie Mellon University


Network Security
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003
COPYRIGHT © 2003 MICHAEL I. SHAMOS
Outline
• Authentication
– Passwords
– Biometrics
• Network protection
– Firewalls, proxy servers
– Denial of service attacks
– Viruses
Methods of User Authentication
• Something you know . . .
– Password, PIN, “mother’s maiden name” (e.g. “1059”)
• Something you have . . .
– Physical key, token, magnetic card, smartcard
• Something you are . . .
– Fingerprint, voice, retina, iris
• Someplace you are
– GPS information
• Best to combine two or more of the above: two-factor (more
generally, multi-factor) authentication. Two secrets of the same
kind, e.g. a password plus a PIN, are still only one factor.
SOURCE: SECURITY DYNAMICS
Time-based Token Authentication
Login: mcollings
Passcode: 2468 234836
PASSCODE = PIN + TOKENCODE
(here PIN = 2468, token code = 234836)
Token code: changes every 60 seconds; computed from a unique seed
stored in the token and a clock synchronized to UTC (Coordinated
Universal Time), so the server can compute the same code
SOURCE: RSA
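The slide shows the scheme but not the computation. The following is an added example, not from the slides or from RSA: it builds the passcode as PIN + tokencode and checks it server-side. RSA SecurID’s own algorithm is proprietary, so the public HMAC-based one-time-password scheme of RFC 4226/6238 stands in for it, with the slide’s 60-second step. The seed, PIN and timestamps are constructed values.

```python
# Added example (not from the slides): passcode = PIN + time-based tokencode.
# RSA SecurID's own algorithm is proprietary, so the HMAC-based scheme of
# RFC 4226/6238 stands in for it, with the slide's 60-second step.
# The seed, PIN and timestamps below are constructed values.
import hashlib
import hmac
import struct
import time

SEED = b"12345678901234567890"   # constructed per-token secret (the "unique seed")
PIN = "2468"                      # the PIN from the slide
STEP = 60                         # tokencode changes every 60 seconds
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code from HMAC-SHA1(seed, counter) with RFC 4226 truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def tokencode(seed: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """What the token displays: the counter is the current UTC time step, so
    token and server agree as long as their clocks agree."""
    return hotp(seed, now // step, digits)


def verify_passcode(seed: bytes, pin: str, passcode: str, now: int,
                    step: int = STEP, window: int = 1) -> bool:
    """Server check of PASSCODE = PIN + TOKENCODE. `window` tolerates a few
    steps of clock drift either side; the comparison is constant-time, so a
    wrong PIN and a wrong code look the same to the caller."""
    for drift in range(-window, window + 1):
        expected = pin + hotp(seed, now // step + drift)
        if hmac.compare_digest(expected, passcode):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = tokencode(SEED, now)
    print("Login: mcollings")
    print(f"Passcode: {PIN} {code}")
    print("accepted:", verify_passcode(SEED, PIN, PIN + code, now))
```

The drift window is the practical detail: a token whose clock has slipped by one step is still accepted, and a real server records the observed drift per token so it can keep tracking it. Widening the window trades a little guessing resistance for fewer lockouts.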
Biometrics
• Use of an unalterable body part or feature to provide
identification
• History
– For 1,000,000 years we couldn’t identify people
– France used tattoos; abolished in 1832
– Uniqueness of fingerprints established 1890
• Verification (1:1, “is this the person they claim to be?”) v.
identification (1:N, “who is this?”)
• Weaknesses:
– Forgery (a fake finger, photograph or recording presented to
the sensor)
– Replay attack (a previously captured sample or template
resubmitted to the system)
Fingerprints
• Main shapes: arch, loop, whorl
• Minutiae: ridge ending, bifurcation, island, lake, dot
• Each person has a unique arrangement of minutiae
SOURCE: C3i
Fingerprint Capture
• ST-Micro TouchChip (capacitive)
• American Biometric Company BioMouse (optical)
• Thomson-CSF FingerChip (thermal-sensed swipe)
• Biometric Partners touchless sensor
Fingerprint Capture (continued)
• Biometric Access Corporation
• Digital Persona
• Veritouch multi-finger scanner
• Novus hand geometry system
Two-Factor Authentication Token
• Fingerprint “unlocks” the authentication token, e.g. a digital
certificate (something you are + something you have)
Used by permission from Authentication © 2002.
Iris Scan
• Human iris patterns encode ~3.4 bits per sq. mm
• The template can be stored in 512 bytes
• Patterns do not change after the first year of life
• Patterns of identical twins are uncorrelated
• Chance of duplication < 1 in 10^78
• Identification speed: 2 sec. per 100,000 people (1:N search)
Personal iris imager
Companies: British Telecom, Iriscan, Sensar
SOURCE: IRISCAN
Signature Dynamics
• Examines the formation of the signature, not its final appearance
• DSV (dynamic signature verification)
• Parameters:
– Total time
– Sign changes in x-y velocities and accelerations
– Pen-up time
– Total path length
• Sampling 100 times/second
Companies: CyberSign, Quintet, PenOp, SoftPro SignPlus
Web/Network Security
• Client Side
– What can the server do to the client?
• Fool it
• Install or run unauthorized software, inspect/alter files
• Server Side
– What can the client do to the server?
• Bring it down (denial of service)
• Gain access (break-in)
• Network
– Is anyone listening? (Sniffing)
– Is the information genuine? Are the parties genuine?
Packet Sniffing
Every network interface card has a unique 48-bit Media Access
Control (MAC) address, e.g. 00:0D:84:F6:3A:10: 24 bits are
assigned by the IEEE (the vendor prefix), 24 by the card vendor.
Diagram: client, packet sniffer and server on the same network
segment.
Normally the network interface card passes up only packets
addressed to its own MAC address. The packet sniffer sets its card
to promiscuous mode, which lets all packets on the segment through.
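As an added example (not from the slides), the decision a card makes before the operating system sees a frame, and what promiscuous mode changes. The Ethernet header layout is standard; the MAC addresses (the slide’s example address plays the server), the frames and the login payload are constructed for the demonstration.

```python
# Added example (not from the slides): what a network card does with a
# frame before the OS ever sees it, and what promiscuous mode changes.
# The addresses and frames below are constructed, not captured traffic.
import struct

BROADCAST = bytes.fromhex("ffffffffffff")


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


def oui(mac: bytes) -> str:
    """First 24 bits: the vendor prefix assigned by the IEEE.
    The remaining 24 bits are assigned by the card vendor."""
    return mac_str(mac[:3])


def is_group(mac: bytes) -> bool:
    """I/G bit (least significant bit of the first octet) set means a
    multicast or broadcast destination, which every card accepts."""
    return bool(mac[0] & 0x01)


def parse_ethernet(frame: bytes) -> dict:
    """Split the 14-byte Ethernet II header into dst MAC, src MAC, EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def nic_accepts(frame: bytes, my_mac: bytes, promiscuous: bool = False) -> bool:
    """Normal mode: pass up only frames addressed to this card or to a
    group/broadcast address. Promiscuous mode (the sniffer's setting):
    pass up everything seen on the wire, whoever it was addressed to."""
    if promiscuous:
        return True
    dst = parse_ethernet(frame)["dst"]
    return dst == my_mac or is_group(dst)


def build_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Ethernet II frame; the payload stands in for the IP packet it would carry."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed addresses: the slide's example MAC plays the server.
SERVER = bytes.fromhex("000D84F63A10")
CLIENT = bytes.fromhex("00A0C9112233")
SNIFFER = bytes.fromhex("0050DA445566")
LOGIN_FRAME = build_frame(SERVER, CLIENT, b"USER mcollings\r\nPASS constructed\r\n")

if __name__ == "__main__":
    print("server OUI:", oui(SERVER))
    for name, mac in (("server", SERVER), ("sniffer", SNIFFER)):
        print(f"{name} in normal mode sees login frame:", nic_accepts(LOGIN_FRAME, mac))
    print("sniffer in promiscuous mode:", nic_accepts(LOGIN_FRAME, SNIFFER, promiscuous=True))
```

The check is done in hardware, so the sniffer needs no cooperation from the client or the server: on a shared segment the plaintext login passes the sniffer’s card either way, and promiscuous mode only decides whether the card keeps it. The defence is to not put plaintext credentials on the wire, not to hope nobody is listening.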
Network Security Problem
Diagram: entry points into an enterprise network: removable media;
a user at a remote location; modem and telephone; radio emissions;
the local area network itself; a “backdoor” Internet connection;
a wireless user; the Internet connection via an ISP; a remote
user; vendors and subcontractors.
SOURCE: CERT
Sophistication v. Intruder Knowledge (CERT chart: attack
sophistication rises over time while the knowledge an intruder
needs falls)
SOURCE: CERT
Firewall
• A device placed between two networks or machines
– All traffic in and out must pass through the firewall
– Only authorized traffic, as defined by the local security
policy, is allowed to pass
– The firewall itself is immune to penetration (a design
requirement, not a given: the firewall host must be hardened,
since it is the one machine every outside attacker can reach)
Diagram: Company Network, Firewall, Internet
SOURCE: ADAM COLDWELL
Firewall Architecture
SOURCE: CHAPMAN, BUILDING INTERNET FIREWALLS
Firewall Architecture
Diagram: Internet, outer firewall, DMZ (web server, e-mail server,
proxy server), inner firewall, intranet. The public-facing servers
sit in the DMZ so that a compromise there does not give direct
access to the intranet.
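An added example, not from the slides or from Chapman’s book: a first-match packet filter that encodes the two-firewall DMZ layout above with a default-deny policy. The network ranges (RFC 5737 documentation addresses), the host addresses and the rule set are constructed for illustration; a real firewall would also track connection state.

```python
# Added example (not from the slides): a first-match packet filter that
# enforces the DMZ layout with a default-deny policy. All addresses
# (RFC 5737 documentation ranges) and rules are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")                  # the Internet side: matches every address
DMZ = Net("192.0.2.0/24")
INTRANET = Net("10.0.0.0/8")
WEB_SERVER = Net("192.0.2.10/32")
MAIL_SERVER = Net("192.0.2.25/32")
PROXY = Net("192.0.2.8/32")


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: str                          # "tcp", "udp", "icmp" or "any"
    src: Net
    dst: Net
    dport: Optional[int] = None         # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and p.src in self.src and p.dst in self.dst
                and (self.dport is None or self.dport == p.dport))


# Order matters: the DMZ-to-intranet deny comes first so that the proxy's
# outbound allow (dst ANY) cannot be used to reach intranet web servers.
RULES: List[Rule] = [
    Rule("deny", "any", DMZ, INTRANET),          # a compromised DMZ host stays outside
    Rule("allow", "tcp", ANY, WEB_SERVER, 80),   # published DMZ services only
    Rule("allow", "tcp", ANY, WEB_SERVER, 443),
    Rule("allow", "tcp", ANY, MAIL_SERVER, 25),
    Rule("allow", "tcp", INTRANET, PROXY, 8080), # intranet reaches the web via the proxy
    Rule("allow", "tcp", PROXY, ANY, 80),
    Rule("allow", "tcp", PROXY, ANY, 443),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """First matching rule decides; a packet no rule authorizes is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def pkt(proto: str, src: str, dst: str, dport: Optional[int] = None) -> Packet:
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


if __name__ == "__main__":
    cases = [
        ("Internet -> web server :80", pkt("tcp", "203.0.113.5", "192.0.2.10", 80)),
        ("Internet -> intranet host :80", pkt("tcp", "203.0.113.5", "10.1.2.3", 80)),
        ("web server -> intranet :445", pkt("tcp", "192.0.2.10", "10.1.2.3", 445)),
        ("intranet -> proxy :8080", pkt("tcp", "10.5.5.5", "192.0.2.8", 8080)),
        ("intranet -> Internet :80 direct", pkt("tcp", "10.5.5.5", "203.0.113.5", 80)),
    ]
    for label, p in cases:
        print(f"{label:34s} {filter_packet(p)}")
```

The two things worth noticing are the default at the end of the list (anything not named is dropped, which is what “only authorized traffic” means in practice) and the rule order: move the deny below the proxy’s outbound allows and a compromised proxy can reach intranet web servers on port 80, a mistake a rule listing will not show you but a test will.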
Proxy Server
• “Dual-homed” means the host has two network interfaces, one on
each network, each with its own IP address
• Does not forward IP packets (IP forwarding is disabled); traffic
crosses only through application-level proxies running on the host
SOURCE: CHAPMAN, BUILDING INTERNET FIREWALLS
Enterprise Access Security
Diagram: a central authentication server with RSA agents on every
access path: the Internet-facing web server, the firewall, the
enterprise intranet hosts (mainframe, UNIX) and the RAS (remote
access) server, so that Internet, intranet and dial-in users all
authenticate against the same server.
SOURCE: RSA
Denial-of-Service Attacks
• Attack to disable a machine (server) by making it
unable to respond to requests
• Use up resources
– Bandwidth, swap space, RAM, hard disk
• Some attacks yield millions of service requests per
second
Ping Flooding
Diagram: attacking system(s) send a stream of ICMP echo requests
(pings) across the Internet to the victim system.
SOURCE: PETER SHIPLEY
Three-Way Handshake
1: Client sends SYN, seq=x
2: Server sends SYN, seq=y, ACK x+1
3: Client sends ACK y+1
SOURCE: PETER SHIPLEY
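The handshake above is also where the resource-exhaustion attack from the Denial-of-Service slide bites: the server has to remember step 2 until step 3 arrives. As an added example, not from the slides, the following models the handshake with the slide’s sequence numbers, floods a server with SYNs from spoofed sources that will never send the final ACK, and then shows a SYN-cookie server that keeps no per-SYN state (a mitigation the slides do not mention). Addresses, ports, backlog size and the cookie secret are constructed.

```python
# Added example (not from the slides): the three-way handshake with the
# slide's sequence numbers, and a SYN flood against the server's bounded
# table of half-open connections. The SYN-cookie server at the end is a
# mitigation the slides do not mention. Addresses, ports and the secret
# are constructed.
import hashlib
import hmac
import random

MASK = 0xFFFFFFFF   # TCP sequence numbers are 32-bit


class Server:
    """Keeps one entry per half-open connection (SYN seen, final ACK not yet)."""

    def __init__(self, backlog: int = 5):
        self.backlog = backlog
        self.half_open = {}          # client (ip, port) -> (x, y)
        self.established = set()

    def on_syn(self, client, x):
        """Step 2: answer SYN seq=x with SYN seq=y, ACK x+1, remembering y."""
        if client in self.half_open:
            return self.half_open[client][1], (x + 1) & MASK   # retransmitted SYN
        if len(self.half_open) >= self.backlog:
            return None                                         # table full: SYN dropped
        y = random.getrandbits(32)
        self.half_open[client] = (x, y)
        return y, (x + 1) & MASK

    def on_ack(self, client, client_seq, ack):
        """Step 3: ACK y+1 (with seq x+1) from the same client completes it."""
        entry = self.half_open.get(client)
        if entry is None:
            return False
        x, y = entry
        if client_seq != (x + 1) & MASK or ack != (y + 1) & MASK:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class CookieServer:
    """SYN cookies: y is a keyed hash of the client tuple and x, so nothing is
    stored until a valid ACK proves the client really received the SYN|ACK.
    (Real implementations also fold in a coarse timestamp; omitted here.)"""

    def __init__(self, secret: bytes = b"constructed-secret"):
        self.secret = secret
        self.established = set()

    def _cookie(self, client, x):
        msg = f"{client[0]}:{client[1]}:{x}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, client, x):
        return self._cookie(client, x), (x + 1) & MASK

    def on_ack(self, client, client_seq, ack):
        x = (client_seq - 1) & MASK          # the ACK segment carries seq = x+1
        if ack != (self._cookie(client, x) + 1) & MASK:
            return False
        self.established.add(client)
        return True


def syn_flood(server, count: int):
    """Spoofed sources never see the SYN|ACK, so step 3 never comes."""
    for i in range(count):
        server.on_syn((f"203.0.113.{i % 254 + 1}", 40000 + i), random.getrandbits(32))


def legitimate_connect(server, client=("198.51.100.7", 51515)) -> bool:
    x = random.getrandbits(32)
    reply = server.on_syn(client, x)              # step 1
    if reply is None:
        return False                              # no SYN|ACK: connection fails
    y, ack = reply                                # step 2
    assert ack == (x + 1) & MASK
    return server.on_ack(client, (x + 1) & MASK, (y + 1) & MASK)   # step 3


if __name__ == "__main__":
    random.seed(1)
    s = Server(backlog=5)
    print("before flood:", legitimate_connect(s))
    syn_flood(s, 50)
    print("half-open entries:", len(s.half_open), "of", s.backlog)
    print("during flood:", legitimate_connect(s, ("198.51.100.8", 52000)))
    c = CookieServer()
    syn_flood(c, 50)
    print("cookie server during flood:", legitimate_connect(c, ("198.51.100.8", 52000)))
```

The flood costs the attacker one small packet per entry and costs the server a table slot held until a timeout, which is the asymmetry every resource-exhaustion attack relies on. Spoofing matters twice: it hides the attacker and it guarantees the entries are never completed.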
SMURF ATTACK
• The perpetrator sends an ICMP echo request (ICMP = Internet
Control Message Protocol) with the source address spoofed to the
victim’s address, to the IP broadcast address of an innocent
reflector network
• Every host on that network sends its ICMP echo reply to the
victim: one request in, thousands of replies out. The Cisco
diagram labels these “1 SYN” from the perpetrator and “10,000
SYN/ACKs -- VICTIM IS DEAD” from the innocent reflector sites;
the same reflection works with TCP SYNs, but Smurf proper uses
ICMP echo
• Bandwidth multiplication: a T1 (1.544 Mbps) can easily yield
100 Mbps of attack traffic
SOURCE: CISCO
Distributed Denial of Service Attack
Diagram: the intruder sends commands to handlers, which direct the
attack traffic at the victim.
SOURCE: CERT
DDOS Attack
SOURCE: CERT
Rate Limiting
• Allows network managers to set bandwidth limits per class of
user and per traffic type
• Prevents deliberate or accidental flooding of the network
Diagram: rate limiting for different classes of users: network
manager 50 Mbps, teachers 10 Mbps, students 2 Mbps
SOURCE: CISCO
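The slide names the limits but not the mechanism. As an added example, not from the slides or from Cisco, the following implements per-class token-bucket rate limiting with the three classes above and offers each a 12 Mbps load to show what gets through. Packet sizes, the subnet-to-class mapping, the burst allowance and the offered load are constructed; time is passed in explicitly so the result is deterministic.

```python
# Added example (not from the slides): token-bucket rate limiting for the
# three user classes on the slide. Packet sizes, the class-to-subnet mapping
# and the offered load are constructed; time is passed in explicitly.
from typing import Dict, Tuple

MBPS = 1_000_000


class TokenBucket:
    """Credit (in bits) refills at `rate_bps` up to `burst_bits`; a packet is
    forwarded only if its size fits in the current credit, else it is dropped."""

    def __init__(self, rate_bps: float, burst_bits: float):
        self.rate = rate_bps
        self.capacity = burst_bits
        self.tokens = burst_bits
        self.last = 0.0

    def allow(self, size_bytes: int, now: float) -> bool:
        if now > self.last:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def make_classes() -> Dict[str, TokenBucket]:
    """The slide's limits, each allowed a 10 ms burst above its steady rate."""
    return {
        "manager": TokenBucket(50 * MBPS, 50 * MBPS * 0.01),
        "teachers": TokenBucket(10 * MBPS, 10 * MBPS * 0.01),
        "students": TokenBucket(2 * MBPS, 2 * MBPS * 0.01),
    }


def classify(src_ip: str) -> str:
    """Constructed subnet-to-class mapping (a real device keys on VLAN, port or ACL)."""
    if src_ip.startswith("10.0.1."):
        return "manager"
    if src_ip.startswith("10.0.2."):
        return "teachers"
    return "students"


def offer_load(bucket: TokenBucket, packet_bytes: int, interval: float,
               duration: float) -> Tuple[int, int]:
    """Offer one packet every `interval` s for `duration` s;
    return (bits forwarded, bits dropped)."""
    forwarded = dropped = 0
    for i in range(int(round(duration / interval))):
        if bucket.allow(packet_bytes, i * interval):
            forwarded += packet_bytes * 8
        else:
            dropped += packet_bytes * 8
    return forwarded, dropped


if __name__ == "__main__":
    for name, bucket in make_classes().items():
        fwd, drop = offer_load(bucket, 1500, 0.001, 1.0)   # 12 Mbps offered for 1 s
        print(f"{name:9s} forwarded {fwd / MBPS:5.2f} Mbps, dropped {drop / MBPS:5.2f} Mbps")
```

A flood from the student subnet is clipped to 2 Mbps no matter how fast it is offered, which is the “accidental or deliberate flooding” point of the slide; the burst parameter is what lets a normal, bursty user through without being throttled on every packet.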
Code Attacks
• Virus
– executable code
– that attaches itself to other executable code (infection)
– to reproduce itself (spread)
– three parts: replicator + concealer + payload
• Rabbit, Worm
– program that makes many copies of itself and spreads them.
Each copy makes copies, etc. A worm spreads via networks; a rabbit
replicates on one machine until it exhausts its resources.
• Trojan Horse
– performs unauthorized activity while pretending to be
another program. Example: fake login program
Viral Phenomena
• Invented ~1985
• More than 70,000 known viruses
– More than in nature
• 10-15 new viruses per day
• 35% are destructive (up from 10% in 1993)
• Virus attacks per computer double every two years
• Written mostly by men aged 14-24
– India, New Zealand, Australia, U.S.
• Symantec employs 45 people full-time, spread over 24 hours, to
detect and neutralize viruses
Exploiting System Bugs
• Buffer overflows
– Program allocates 255 bytes for input but never checks the
length of what it receives.
– Hacker sends 500 bytes.
Diagram: BUFFER (255 BYTES) followed in memory by PROGRAM CODE.
The input is 500 bytes long, so 245 bytes (500 - 255) spill past
the buffer and overwrite whatever follows it, such as the saved
return address, with the hacker’s data.
Now the hacker’s code can be executed: the overwritten control
data points back into the attacker-supplied bytes.
Viral Phenomena
• Stealth capability
– Virus “hides” from detection. Installs memory-resident code.
– Intercepts file accesses. If attempt is made to access its disk
sector, substitutes “clean” data instead.
• Mutation
– Accidental. Virus gets changed (corrupted) by system
– Deliberate. Creator inserts program modification code.
“Self-garbling” - unscrambles itself before use
– Result: virus becomes hard to detect
• Virus toolkits
Virus Detection
• Some virus families have common characteristics
– Presence or absence of particular strings
• Antiviral software
– Only detects what it knows how to detect.
– Must be upgraded regularly for new viruses.
– Symantec encyclopedia
• File virus
– Compare size with known backup copy.
– Presence of strings, like “.EXE”
• Retrovirus
– Attacks or disables antivirus software
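As an added example, not from the slides or from any vendor’s product, the two file-virus checks above, signature strings and size/digest comparison against a known-good backup copy, run over constructed file contents. It also shows why the “self-garbling” mutation from the previous slide defeats the string check but not the size check. The signatures, the “virus” body and the host programs are all made up for the demonstration.

```python
# Added example (not from the slides): the two file-virus checks on the
# slide, signature strings and size/digest comparison against a known-good
# backup, run over constructed file contents. The signatures, the "virus"
# and the host files are all made up for the demonstration.
import hashlib
from typing import Dict, List, Tuple

# Constructed signatures: byte strings characteristic of a (fictional) family.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Infector": b"\xeb\x1f\x90\x90DEMO-INFECTOR",
    "Demo.Dropper": b"DEMO-DROPPER writes .EXE",
}


def scan_signatures(data: bytes) -> List[str]:
    """Name every family whose signature appears in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record size and SHA-256 of each clean file: the 'known backup copy'."""
    return {name: (len(d), hashlib.sha256(d).hexdigest()) for name, d in files.items()}


def check_against_baseline(files: Dict[str, bytes],
                           base: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Flag executables whose size or digest no longer matches the baseline."""
    findings = {}
    for name, data in files.items():
        if name not in base:
            findings[name] = "not in baseline"
            continue
        size, digest = base[name]
        if len(data) != size:
            findings[name] = f"size changed {size} -> {len(data)}"
        elif hashlib.sha256(data).hexdigest() != digest:
            findings[name] = "contents changed, size unchanged"
    return findings


def infect(host: bytes, virus: bytes) -> bytes:
    """Crude appending infector: the host grows by the size of the virus body."""
    return host + virus


def garble(body: bytes, key: int) -> bytes:
    """A 'self-garbling' variant XORs its body with a key; only a short
    decoder stays constant, so the plain signature no longer matches."""
    return bytes(b ^ key for b in body)


# Constructed clean programs and the constructed virus body.
CLEAN = {
    "LOGIN.EXE": b"MZ" + b"\x00" * 60 + b"login program code",
    "EDIT.EXE": b"MZ" + b"\x00" * 60 + b"editor program code",
}
VIRUS = b"\xeb\x1f\x90\x90DEMO-INFECTOR payload"
BASE = baseline(CLEAN)

if __name__ == "__main__":
    now = dict(CLEAN)
    now["LOGIN.EXE"] = infect(CLEAN["LOGIN.EXE"], VIRUS)           # plain copy
    now["EDIT.EXE"] = infect(CLEAN["EDIT.EXE"], garble(VIRUS, 0x5A))  # garbled copy
    for name, data in now.items():
        print(name, "signatures:", scan_signatures(data))
    print("baseline check:", check_against_baseline(now, BASE))
```

The garbled copy is exactly the “only detects what it knows how to detect” limitation: the scanner needs a new signature for the decoder stub, while the integrity check catches both copies because it compares against what the file used to be rather than against what viruses look like. A stealth virus that intercepts file reads can defeat the integrity check too, which is why the baseline should be taken and compared from a trusted boot medium.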
Network Attacks
SOURCE: CERT
Key Takeaways
• Evaluate all risks, even internal ones
• People do bizarre things when they think no one will
find out
• Security is for professionals
• Unexplored future in biometrics
• Proxies give only thin protection
• There is no current defense to DoS attacks
• There is no defense to new viruses
(except Java for a while)
Q&A