CS413Chapter7PowerPointsx

Security in Computing
Chapter 7, Security in Networks
Summary created by
Kirk Scott
1
• 7.1, Network Concepts
• 7.2, Threats in Networks
• 7.3, Network Security Controls
• 7.4, Firewalls
• 7.5, Intrusion Detection Systems
• 7.6, Secure E-mail
2
7.1 Network Concepts
• No lecture on this
• No specific test questions on this
• If you haven’t had a networks course, you may
want to read this for background
3
7.2 Threats in Networks
4
What Makes a Network Vulnerable?
5
Anonymity
• The attacker is remote
• The attack may pass through multiple
intermediary systems
• Not only is there the question of verifying the
identity of the person involved (unlikely)
• There is the additional question of verifying
the software/data of computers along the way
6
Many points of attack
• The attacker is in a target rich environment
• The target is in a “threat rich” environment
• Once again, any given attack may pass
through multiple machines
• The potential target is dependent in part on
the security or lack of security of all other sites
7
Sharing
• Networks enable resource and workload
sharing
• By definition, more users have access to
resources which are intended to be shared
• This implies that more systems have access
• It is the security controls on the connected
systems that are a point of concern
• Non-networked systems are insulated from
the whole class of network attacks
8
Complexity of system
• Networks combine machines with varying
operating systems
• The network enables the offloading of attack
code onto multiple systems
• The victim may itself perform part of the attack
code
• Individual machines have become sufficiently
complex that users don’t know what their own
machines are doing at any given time
• (Just take a look at the task manager)
9
Unknown perimeter
• By definition, networked machines are
interconnected
• One machine may be the link or gateway
between different networks
• Where is the boundary between one network
and another?
• Who is responsible for different areas, and which
areas can be trusted?
• How does the addition of a machine in one place
affect the security of a machine in another place?
10
Unknown path
• This general idea has already come up
• An attack can come from a remote machine
through a path consisting of multiple steps
• There may also be multiple paths from one
machine to another
• Technical tools exist for tracing paths
• However, life is complicated by the fact that
for any given communication, the route is not
necessarily known/clear
11
Who Attacks Networks? (Reasons Why)
• Challenge (individual actors)
• Fame (individual actors)
• Money and Espionage (organizational actors in
the interests of the organization)
• Organized Crime (group, possibly crossing
national boundaries, where the sole purpose
of the group is criminal profit from the Web)
12
Ideology
• Can be individuals or groups
• Can also be state actors
• “Hacktivism” = online agitation and
propaganda
• This may be disruptive, but is not intended to
do lasting damage, except in a convenience or
PR sense
13
Cyberterrorism
• Hacking that can lead to:
• Economic damage
• Military damage
• Loss of life
• And so on
14
Recent Articles (as of the fall of 2011)
• Within the last year outside parties have gained
temporary control of some U.S. satellites, like
LandSat
• The government asserts that these exploits
probably originated in China
• Likewise, a report has been circulated that the
control systems of 19 chemical plants worldwide
have been breached by outsiders
• Again, the claim has been made that the exploits
originated in China
15
Reconnaissance (for Attacks)
• The book’s attention now turns to how and what
• Reconnaissance is part of the how
• This has value beyond being an informative list of
some things attackers do
• You may detect reconnaissance and other things
happening on your system
• These may be precursors to attack, and their
presence should motivate you to try and protect
yourself
16
Port Scan
• Programs can query systems to find out the
following:
• What O/S is installed
• What applications are installed
• Which standard communication ports or
services are running
• The user id (implies privilege level) that the
service runs under
17
• See the book or the course Web site for links
to sites where port scanning code can be
downloaded
• Note that allowing outsiders to get this
information over the Internet is normal
• If you provide some services and not others,
potential clients need to know or will find out
by simply requesting
18
• This is the two-edged nature of the Internet
• Legitimate users have a need to know
• Illegitimate users want to identify the following:
• Are you running versions of software with known
security flaws?
• Have you mistakenly left services open on your
system which should have been removed or
closed?
• Do these services provide a security hole?
19
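Slides 16 through 19 make the point that a port scan is reconnaissance a defender can watch for. The following is an added example, not part of the original slides or of the textbook: a small Python detector that reads constructed firewall-style log lines (the log format is invented for this example) and flags any source that probes many distinct ports on one host inside a short window. The window and the port threshold are assumptions and would be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an invented firewall-log style (not from any real product).
# The first source touches ten ports in four seconds; the second is ordinary web traffic.
SAMPLE_LOG = """\
2011-10-03 14:02:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=21
2011-10-03 14:02:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22
2011-10-03 14:02:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=23
2011-10-03 14:02:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=25
2011-10-03 14:02:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80
2011-10-03 14:02:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=110
2011-10-03 14:02:04 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=143
2011-10-03 14:02:04 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2011-10-03 14:02:05 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=3389
2011-10-03 14:02:05 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=8080
2011-10-03 14:05:10 ACCEPT src=203.0.113.4 dst=192.0.2.10 proto=tcp dport=80
2011-10-03 14:05:11 ACCEPT src=203.0.113.4 dst=192.0.2.10 proto=tcp dport=443
2011-10-03 14:05:40 ACCEPT src=203.0.113.4 dst=192.0.2.10 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\w+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)$"
)


def parse(log_text):
    """Turn log lines into (timestamp, src, dst, dport) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(3), m.group(4), int(m.group(6))))
    return events


def detect_scans(events, window=timedelta(seconds=60), min_ports=8):
    """Flag every (src, dst) pair where one source touches at least `min_ports`
    distinct destination ports within `window`. Returns {(src, dst): sorted ports}.
    Threshold and window are assumptions chosen for this example."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))

    findings = {}
    for pair, hits in by_pair.items():
        start = 0
        # sliding window over the time-ordered hits for this pair
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports_in_window = {p for _, p in hits[start:end + 1]}
            if len(ports_in_window) >= min_ports:
                # report every port this source touched on the host, not just the window
                findings[pair] = sorted({p for _, p in hits})
                break
    return findings


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(parse(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```

The detector keys on distinct ports rather than raw packet counts, so a busy legitimate client that hammers one service is not mistaken for a scan; a slow scan spread over hours would need a longer window or a per-day tally.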
Social Engineering
• Network scans provide a view of the system
from the outside
• A view from the inside is very useful to the
attacker
• Social engineering basically means tricking
people to get this information
20
Intelligence
• General intelligence about system may help an
attacker
• Dumpster diving
• Simple eavesdropping
• Blackmail, coercion of employees
• Theft
• Combining information from various sources
can lead to the basis for a security attack
21
Operating System and Application
Fingerprinting
• This refers to one step beyond a simple port
scan
• The attacker would like to know the precise
version of things like the O/S, which vendor
provided software service, etc.
• A system may respond with a version number
22
• It may be possible to test for the presence of
specific features and determine a vendor and
version number
• Slight differences in performance or response
to input point to different implementations
• This may indicate which vendor’s software
and version is present
23
Bulletin Boards and Chats
• The course Web site contains links to some
“legitimate” sources on the dark side of
computing
• These Web sites give information on security
that should be enough to frighten the
legitimate user into taking the topic seriously
• There are other Web sites where the
information is provided with the apparent
intent of enabling security attacks
24
Availability of Documentation
• Openness, again, is two-edged
• A system without any documentation is a
black box, and its usefulness is limited
• A system that is fully documented is more
useful both to a legitimate user and an
attacker
• Technical documentation aimed at developers
is even more useful to an attacker than end
user documentation
25
Reconnaissance: Concluding Remarks
• A serious attacker will gather information and lay
the groundwork for an attack over time
• You might monitor for things like the occurrence
of port scans
• Some attack may arise quickly afterwards
• Some other attack may not come until much
later, as part of a larger, well-planned,
coordinated attack
• The book advises providing as little information
about systems to outsiders as possible as the best
defense
26
Threats in Transit: Eavesdropping and
Wiretapping
• The book now goes from planning an attack to
the kinds of attacks that can occur
• Eavesdropping implies that communications
are such that no effort is needed to intercept
them
• Passive wiretapping means listening
• Active wiretapping includes the possibility of
inserting, modifying, or deleting
communications
27
Cable (wires)
• Every device on a network has potential access to
every communication on the network
• A packet sniffer can copy all packets, whoever
they might be addressed to
• Given access, an outsider might also physically
tap a wire
• An alternative is to install a device which can
detect the electromagnetic radiation from a wire
28
Microwave and Satellite
Communications
• These are broadcast media
• Therefore, transmissions are open to
interception
• On the other hand, commercial carriers have
large amounts of traffic
• Isolating only the messages of interest would
be a big challenge for an attacker
29
Optical Fiber
• This medium has two security advantages
• Light doesn’t radiate electromagnetically
beyond the fiber
• Also, due to its characteristics, any illegitimate
physical tap will be detected
• On the other hand, legitimate taps, splices,
repeaters, and equipment connections may be
points of vulnerability
30
Wireless
• Wireless technology is based on radio waves
• By definition, this is a broadcast medium
• It is available to any potential user, legitimate
or illegitimate, within its rated radius of
service
• It is also available outside of this radius to
someone using a specialized reception
antenna
31
• The most obvious problem is simple
interception
• Some wireless networks are not password
protected
• Some have security that is easily circumvented
• Some may have encryption
• However, the encryption may not be as strong
as one might hope
32
• Less concretely dangerous, but probably more
common than interception is illegitimate use
of a network (theft of service)
• If the network doesn’t have good
authentication (or any) anyone within range
can use it
33
• The book points out that for networks not
intentionally made freely available, this may be
illegal
• I have mixed feelings about this
• If you’re running an Internet café, you’d like
everyone who comes in to have access without
doling out id’s
• On the other hand, are you surprised when
someone next door turns on their computer and
finds that they can log in and use your network
without buying a cup of coffee?
34
Summary of Wiretapping
• Assume that all network traffic is exposed
• One solution to this is to encrypt all traffic
• An intermediate solution is to encrypt all WAN
traffic
• Since encryption impinges on performance,
don’t encrypt LAN traffic
• Instead, maintain high physical and
administrative security for the LAN and
attached devices
35
Protocol Flaws
• TCP connections are established through
sequence numbers
• Guessing a client’s next sequence number
would allow impersonation
• All protocols have had, do have, and will have
weaknesses of one kind or another
• This type of thing will come up again under
other headings
36
Impersonation
• Impersonation is based on flawed
authentication:
– Guess authentication information
– “Lift” authentication information
– Circumvent or disable authentication
– Use a target that doesn’t have authentication
– Make use of systems with known authentication
37
Authentication Foiled by Guessing
• Guess logins and passwords
• Not that hard in lots of cases
• Use default passwords for system supplied
accounts
• Administrators forget to remove or change these
when installing a system
• Note that weak passwords may be OK in a trusted
environment
• A problem arises when the system with weak
passwords is connected to the wider world
38
Authentication Thwarted by
Eavesdropping or Wiretapping
• Users may have accounts on multiple networked
machines
• Moving from one machine to the other may be
transparent
• Authentication information is transmitted from one
machine to the other
• If transmitted in the clear, this is a security problem
• The book gives a nice example of a (MS) system that
hashed passwords, but transmitted them in such a way
that the strength of the security was severely reduced
39
Authentication Foiled by Avoidance
• The book gives an example
• Operating system login systems have been
implemented with this flaw:
• If the password entered overflowed the
password buffer, authentication was not
done…
• If sites are still running operating systems with
flaws like these, this is candy for hackers
40
Nonexistent Authentication
• The book cites another example
• Unix supports the concept of trusted users and
trusted hosts
• The idea is that there is no need for
authentication when a userid requests access to
another host
• From a security standpoint, this is a bad idea
• The userid might have been subverted on the first
host, or the remote user might simply be a guest
login on the remote host
41
Well-Known Authentication
• This idea has already been mentioned
• Operating systems and network operating
systems may ship with default passwords on the
administrator account, guest accounts, etc.
• Application vendors may do similar things
• Simple Network Management Protocol (SNMP)
devices have a “community string” which is
essentially a password
• Forgetting to change these things at installation
time is a security breach
42
Trusted Authentication
• This is also essentially a repetition
• If a system maintains a file of trusted
hosts/logins, authentication is effectively
delegated to whoever or whatever is
responsible for those files
• In particular, this may mean that security is
offloaded to other machines
• This can be a convenience to some users, but
it is a potential security problem
43
Attacks Based on Mis-Identification
• Spoofing is a general term for using a false
identity
• Spoofing attacks include:
• Phishing
• Masquerade
• Session hijacking
• Man-in-the-Middle Attack
44
Phishing
• No one here needs an explanation of this
• Any stories of the strangest phishing email
you’ve ever received?
45
Masquerade
• One host pretends to be another
• For example, fake Web sites at deceptive Web
addresses
• Traffic can be directed to the fakes with ads,
direct email, phishing email, and so on
• The goal may be to obtain customer login
information
• It may also be to intercept things like orders and
steal business
46
Session Hijacking
• An outsider replaces one end of a two-way
communication
• Take an Internet purchase for example
• An outsider may monitor the traffic between a
potential buyer and an e-commerce site
• When the buyer is ready to buy, the outsider
intercepts the order, replacing the seller in the
communication
• To the seller this just looks like a customer who
“went away” without completing a purchase
47
Man-in-the-Middle
• Conceptually, this isn’t too different from
session hijacking
• An outsider is able to intercept messages
• The book gives an example of how this kind of
attack may work even in an environment with
encryption
• Let S, M, and R stand for the sender, the
man-in-the-middle and the receiver
48
• S and R want to set up secure communication
with an asymmetric key based system
• S needs R’s public key
• R sends a message to S containing R’s public
key
• M intercepts R’s public key
• M then sends M’s own public key to S instead
of R’s
49
• When S sends an encrypted message, M
intercepts it and decrypts it with M’s own private
key
• This is simple interception, or violation of
confidentiality
• The message is now also open to modification or
fabrication, a violation of integrity
• M may now send what it chooses to R, using R’s
public key which it intercepted at the beginning
50
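The key substitution on slides 48 through 50 can be written out step by step. The following Python is an added example, not from the slides or the textbook: it uses a toy ElGamal key pair (standard library only; the 127-bit modulus is far too small for real use, only the protocol flow matters) to play S, M and R, and then adds the check the scenario lacks: S compares the fingerprint of the public key it receives with a fingerprint of R's key obtained out of band. The pinned fingerprint, the message text and M's edit to it are assumptions made for the example.

```python
import hashlib
import secrets

# Toy ElGamal parameters: a 127-bit Mersenne prime and a fixed generator.
# Constructed for illustration; never use parameters this small in practice.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def encrypt(pub, msg: bytes):
    """ElGamal: c1 = g^k, c2 = m * pub^k (mod p). Message must be shorter than the modulus."""
    m = int.from_bytes(msg, "big")
    assert 0 < m < P, "message must fit below the modulus"
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(pub, k, P)) % P


def decrypt(priv, ct):
    """Recover m = c2 * c1^(-x); the inverse is c1^(p-1-x) by Fermat's little theorem."""
    c1, c2 = ct
    m = (c2 * pow(c1, P - 1 - priv, P)) % P
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def fingerprint(pub):
    """Short SHA-256 fingerprint of a public value, the kind a person can compare by phone."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def exchange(mitm, pin_check, plaintext=b"pay 100 to R"):
    """Play out S -> R with or without M on the path, with or without S pinning R's fingerprint.
    Returns what M could read and what R finally received, or {'blocked': True}."""
    x_r, h_r = keygen()                 # R's key pair
    x_m, h_m = keygen()                 # M's key pair
    pinned = fingerprint(h_r)           # assumption: S learned this out of band earlier

    # Slide 49: R sends its public key; if M is on the path, M swaps in its own key
    key_seen_by_s = h_m if mitm else h_r

    # The added defence: S refuses to encrypt to a key whose fingerprint does not match
    if pin_check and fingerprint(key_seen_by_s) != pinned:
        return {"blocked": True}

    ct = encrypt(key_seen_by_s, plaintext)
    if not mitm:
        return {"blocked": False, "read_by_m": None, "received_by_r": decrypt(x_r, ct)}

    # Slide 50: M decrypts (confidentiality lost), alters (integrity lost),
    # and re-encrypts for R under the genuine key it intercepted at the start
    read_by_m = decrypt(x_m, ct)
    tampered = read_by_m.replace(b"to R", b"to M")
    return {"blocked": False, "read_by_m": read_by_m,
            "received_by_r": decrypt(x_r, encrypt(h_r, tampered))}


if __name__ == "__main__":
    print("no M, no pin   :", exchange(False, False))
    print("M, no pin      :", exchange(True, False))
    print("M, pin checked :", exchange(True, True))
```

Fingerprint pinning is the simplest form of what certificates and a web of trust do more generally: the public key alone proves nothing about who holds it, so S needs some second channel, or a signature from a party it already trusts, before encrypting to it.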
Message Confidentiality Threats
• This is just a short list of other things that can go
wrong
• Mis-delivery:
• A mail system can mis-deliver email
• More likely, users simply mis-type email
addresses
• Mail can also just go missing
• (Technically, the last isn’t a confidentiality
problem but an availability problem)
51
• Exposure is an endemic problem in a public
network
• A message is effectively exposed everywhere
in the communications pipeline
• Every piece of software or hardware that
transmits the message may expose it
• This can happen at the source machine, on
any machine in between, on the transmission
medium, and on the destination machine
52
Traffic Flow Analysis (signals
intelligence)
• The body of a message may be successfully
encrypted
• However the destination address has to be
readable in order to deliver the message
• The header may also contain the source address,
a time stamp, etc.
• The existence of communication between two
parties at a given time might be useful
intelligence
• Therefore, assuring the confidentiality of the
header information may be an issue
53
Message Integrity Threats
• Noise
• Not malicious
• Not a big problem
• The book next goes into more detail on
message falsification
• In other words, what approaches might an
interceptor use to affect the integrity of a
message?
54
• Modification: Change part of the contents of
a message
• Fabrication, or replacement: Change all of the
contents of a message
• Note: More extensive modifications or
fabrications would include the header
information
55
• Reuse (replay) an old message (or a modified
old message)
• Combine parts of different messages in order
to form a new message
• If you change the destination information in
the header, you redirect messages
• Destroy or delete messages (technically an
availability attack rather than an integrity
attack)
56
Format Failures
• Subsection Headings:
• Malformed Packets
• Protocol Failures and Implementation Flaws
– In short, protocols and their implementations may
not handle unexpected input well
– Malformed packets may cause system failures
– Or they may have “unexpected” effects, which an
attacker may take advantage of
57
Web Site Vulnerabilities
• Web sites have vulnerable characteristics:
• Attackers can download their source code for
study
• Attackers can potentially access Web contents
(pages) in the order of their choice
• Attackers can essentially enter any input into Web
page fields that they want
• The browser is a generic front-end, not one with
page specific validation included
58
• Subsection Headings:
• Web Site Defacement
• Buffer Overflows
• Dot-Dot-Slash
• Application Code Errors
• Server-Side Include
59
Web Site Defacement
• This is a popular attack for publicity reasons
• Defacement alone is not terribly destructive
• The fact that defacement can be accomplished
suggests that worse things could be done
• The fact that defacement is relatively common
suggests that there are a lot of security holes in
common (MS) Web server software
• The Wikipedia article on this topic asserts that it
is commonly accomplished through SQL injection
60
Buffer Overflows
• There is no difference between buffer
overflows on Web pages and on stand alone
programs
• Internet Information Server (MS) has
historically been prone to problems like this
• Other Web software is also vulnerable to
parameter values for passwords, URL’s, etc.
being too long
61
Dot-Dot-Slash
• Ideally, a Web server is an independent
machine with no other applications on it (like
editors or other development tools)
• The idea is that even if an attacker succeeds in
entering the system, there is nothing else that
can be done there
• Much less desirably, Web applications run in a
limited sub-tree of the directory structure
62
• Dot-dot-slash simply refers to the parent
directory in a directory structure
• If the attacker can arrive at a point where it is
possible to enter the CD command, the game is
over
• The attacker escapes the limited sub-tree by
entering CD ../
• A flaw in a version of MS Internet Information
Server was found that allowed this kind of attack
63
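The escape from a limited sub-tree on slides 62 and 63 is easy to reproduce and easy to block once the request path is resolved before it is used. The following Python is an added example, not from the slides or the textbook: it builds a throwaway web root in a temporary directory (constructed for the example), shows that a naive join lets "../" reach a file outside it, and beside it a resolver that canonicalises the path and refuses anything that leaves the root. The file names are assumptions.

```python
import os
import tempfile


def vulnerable_resolve(web_root, requested):
    """Naive join: a request containing '../' simply walks up out of web_root."""
    return os.path.join(web_root, requested)


def safe_resolve(web_root, requested):
    """Canonicalise the request and insist the result is inside web_root.
    Callers must URL-decode `requested` first, or encoded dots slip through."""
    root = os.path.realpath(web_root)
    # lstrip stops an absolute request path from replacing the root in os.path.join
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def demo():
    """Build wwwroot/index.html and a secret.txt one level above it, then try both resolvers."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "wwwroot")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside the web root")

    results = {}
    # the naive join yields a real, readable file outside wwwroot
    leaked = vulnerable_resolve(root, "../secret.txt")
    results["vulnerable_reads_outside"] = os.path.isfile(leaked)
    # the checked resolver still serves ordinary content ...
    results["safe_allows_index"] = os.path.isfile(safe_resolve(root, "index.html"))
    # ... but refuses the traversal
    try:
        safe_resolve(root, "../secret.txt")
        results["safe_blocks_traversal"] = False
    except PermissionError:
        results["safe_blocks_traversal"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The check compares canonical paths rather than scanning the string for "..", which is why symlinks inside the root that point outside it are caught as well.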
Application Code Errors
• This subsection repeats the information on
TOCTOU type errors, giving a bit more
technical detail
• As a user browses a Web site, the browser and
the server send information back and forth in
the form of URL’s
• The service code has to be written securely so
that fake URL information is not accepted
from the user
64
Server-Side Include
• A server-side include is a statement in Web
page code that inserts a file or an executable
from a different location into the page and
executes it
• You can think of this as kind of like a macro
• The problem comes from the fact that the
include may take the form of a system call,
“exec something”
65
• This provides a fat target for an attacker
• The goal is to replace “something” with
“something malicious and delicious”
• For example, it would be convenient to be
able to execute chmod (change access rights),
cat (concatenate/write to a file) or any
number of other system level commands
66
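The "exec something" include on slides 65 and 66 is a command-injection problem: whatever text ends up after exec is handed to a shell. The following Python is an added example, not from the slides or the textbook: it extracts exec directives from a constructed page fragment, runs them the dangerous way (through a shell, so an injected second command executes) and the guarded way (an allow-list of exact argument vectors, no shell). The directive syntax, the page fragment and the allow-list contents are assumptions; the injected command is a harmless echo.

```python
import re
import shlex
import subprocess

# Directive syntax assumed for this example: <!--#exec cmd="..." -->
SSI_EXEC = re.compile(r'<!--#exec\s+cmd="([^"]*)"\s*-->')

# Constructed page fragment; the second directive carries an injected second command
PAGE = (
    '<p>Greeting: <!--#exec cmd="echo hello" --></p>\n'
    '<p>Greeting: <!--#exec cmd="echo hello; echo INJECTED" --></p>\n'
)

# Allow-list of exact argument vectors the server will run (assumption for the example)
ALLOWED = {("echo", "hello"), ("date", "-u")}


def directives(html):
    """Return the cmd text of every exec directive in the page."""
    return SSI_EXEC.findall(html)


def vulnerable_include(cmd):
    """The pattern slide 66 warns about: directive text reaches /bin/sh verbatim,
    so ';', '|' and friends let the author of the text run anything."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_include(cmd):
    """Tokenise, require the whole argv to be on the allow-list, and never use a shell.
    'echo hello; echo INJECTED' tokenises to four words and is simply not on the list."""
    argv = tuple(shlex.split(cmd))
    if argv not in ALLOWED:
        raise ValueError(f"include not permitted: {cmd!r}")
    return subprocess.run(list(argv), shell=False, capture_output=True, text=True).stdout


def render(html, include):
    """Replace each directive with the include's output, or a marker if it was rejected."""
    def substitute(match):
        try:
            return include(match.group(1)).strip()
        except ValueError:
            return "[include rejected]"
    return SSI_EXEC.sub(substitute, html)


if __name__ == "__main__":
    print("--- shell=True ---")
    print(render(PAGE, vulnerable_include))
    print("--- allow-list, shell=False ---")
    print(render(PAGE, safe_include))
```

Passing an argument list with `shell=False` already stops metacharacters from being interpreted; the allow-list is the second layer, so that even a permitted program cannot be given arbitrary arguments.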
Denial of Service
• Denial of service is an availability attack, not a
confidentiality or integrity attack
• Denial of service is a very fruitful line of attack
in a network environment
• By its very nature, an open network is
vulnerable to intentional denial of service
67
• Denial of service is essentially a transmission
failure
• There are many accidental causes of transmission
failure
• The book is interested in these particular
examples of intentional causes:
• Connection Flooding
• Traffic Redirection
• DNS Attacks
68
Connection Flooding
• An attacker can simply send an excessive
number of messages to a victim
• If the quantity of messages is at the maximum
level that can be handled, few, if any,
legitimate messages will get through
69
• The Internet Control Message Protocol (ICMP)
exists for network management
• Attacks can also be orchestrated using these
protocols
• Since such attacks are built on system tools, to
the attacker, they have the benefit that they
might be hard for the victim to detect or block
70
• Subsection Headings
• Echo Chargen
• Ping of Death
• Smurf
• Syn Flood
• Teardrop
71
Echo Chargen
• Chargen is a system tool for testing network
capacity
• Chargen can be set to generate a stream of
packets from a source host to a destination
host
• A stream of packets can be designated to be
echoed from the destination back to the
source
72
• If the attacker has access to host A, chargen
can send stream of echo packets to host B
• In this case, the communication capacity of
both A and B will be consumed
• If the attacker has access to host B, chargen
can send a packet with B as both the source
and the destination, with echoing
• This will consume the communication capacity
of B alone
73
Ping of Death
• Ping is a network tool that establishes that
one machine is reachable by another over a
network
• Host A sends a ping to B
• The protocol is that if B receives the ping, it
will send a reply
• Incidentally, the tool can be used to trace and
time paths through the Internet
74
• The attack is based on flooding
• If the attacker has access to A, a steady stream
of pings can be sent to B
• If A has a higher communication capacity than
B, then A can overwhelm B with pings
75
Smurf
• The smurf attack is a reverse ping attack
• The attacker sends a ping packet with a faked
source address, say host B
• It sends this packet in broadcast mode to all of
the other hosts on a network
• B will be overwhelmed when it receives the
replies to the ping from all of the other hosts
on the network
76
Syn Flood
• A syn flood attack is based on an element of
TCP rather than ICMP
• Under TCP, a connection between two hosts is
established by the protocol:
• Host A sends host B: SYN
• Host B replies with: SYN ACK
• Host A concludes the handshake with: ACK
77
• Host B maintains a queue, SYN_RECV, holding its
SYN ACK’s which are waiting for the concluding
ACK from A
• In computer terms, the queue is not very big—
maybe 10-20 entries
• Due to the potential for network delays, SYN
ACK’s aren’t purged for up to minutes at a time
• If host A sends multiple SYN’s and no ACK’s, the
queue can be filled
78
• A flooded queue interferes with the ability to
start communication sessions with other,
legitimate hosts
• An attacker will also generate random, false
source addresses in the SYN packets
• That way the target doesn’t know the real source
of the attack
• Also, unlike a flood of SYN’s from one address,
this makes it hard for the target to determine that
an attack is occurring and which packets are false
79
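Slides 77 through 79 describe why a small SYN_RECV queue with a long timeout is so easy to fill. The following Python is an added example, not from the slides or the textbook, and it goes one step beyond them: it simulates the stateful queue being flooded from spoofed sources, and beside it the standard SYN-cookie mitigation (not covered on the slides), where the server keeps no half-open state and instead encodes a keyed hash of the connection in its initial sequence number. Queue size, timeout, the 64-second time slot and the spoofed addresses are assumptions for the simulation.

```python
import hashlib
import hmac
import secrets


class SynQueue:
    """Stateful half-open table: the SYN_RECV queue of slide 78."""

    def __init__(self, capacity=16, timeout=75.0):
        self.capacity, self.timeout = capacity, timeout
        self.pending = {}                     # (src_ip, src_port) -> time SYN-ACK was sent

    def on_syn(self, src, now):
        """Accept the SYN if there is room; stale entries are purged only after `timeout`."""
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.timeout}
        if len(self.pending) >= self.capacity:
            return False                      # queue full: legitimate SYNs are dropped too
        self.pending[src] = now
        return True

    def on_ack(self, src):
        return self.pending.pop(src, None) is not None


class SynCookieServer:
    """Stateless alternative: the SYN-ACK sequence number *is* the half-open state."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def _cookie(self, src, slot):
        msg = f"{src[0]}:{src[1]}:{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, now):
        """Nothing is stored; the returned cookie goes out as the server's ISN."""
        return self._cookie(src, int(now) // 64)

    def on_ack(self, src, ack_number, now):
        """A genuine client echoes ISN+1; recompute for this and the previous slot."""
        slot = int(now) // 64
        expected = {self._cookie(src, slot), self._cookie(src, slot - 1)}
        return (ack_number - 1) % 2**32 in expected


def flood(server, n, now):
    """Send n SYNs from constructed spoofed sources that will never send the final ACK."""
    for i in range(n):
        server.on_syn((f"10.0.{i // 256}.{i % 256}", 40000 + i), now)


def legit_connect(server, now, src=("203.0.113.9", 51515)):
    """Complete a genuine three-way handshake; True if the connection was established."""
    if isinstance(server, SynQueue):
        return server.on_syn(src, now) and server.on_ack(src)
    isn = server.on_syn(src, now)
    return server.on_ack(src, (isn + 1) % 2**32, now + 0.2)


if __name__ == "__main__":
    q = SynQueue()
    flood(q, 100, now=1000.0)
    print("stateful queue, during flood :", legit_connect(q, 1000.5))
    print("stateful queue, 80 s later   :", legit_connect(q, 1080.0))
    c = SynCookieServer()
    flood(c, 100, now=1000.0)
    print("SYN cookies, during flood    :", legit_connect(c, 1000.5))
```

The cookie server spends one HMAC per SYN and one per ACK and never allocates, which is exactly why the flood cannot exhaust it; the cost is that a client whose ACK arrives more than two slots late is refused, and the spoofed sources still consume bandwidth.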
Teardrop
• In a packet based communication system,
complete messages are sent in multiple
discrete packets
• Packets may take different paths through a
network and arrive out of order
• They have to contain information about their
position in the message and their length
80
• An attacker can send a set of packets where the
relative positions and lengths don’t match
• The fragments overlap
• Some operating system/communication software
implementations were not designed to handle
such anomalies
• Mis-configured packets could cause such systems
to lock up
• Wikipedia does not reveal exactly how this attack
got its name
81
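The overlapping fragments on slides 80 and 81 are a reassembly problem, and the defensive fix is a reassembler that refuses inconsistent offsets instead of trusting them. The following Python is an added example, not from the slides or the textbook: a byte-level reassembler that rejects fragments which overlap, run past the declared length, or leave a gap, driven by constructed fragment sets. Offsets are plain byte offsets here; the 8-byte units of real IP fragment offsets are left out as a simplification.

```python
def reassemble(fragments, total_length):
    """Rebuild a datagram from (offset, payload) pairs, in any order.
    Raises ValueError on overlap, overrun or a missing piece rather than guessing."""
    buf = bytearray(total_length)
    covered = bytearray(total_length)          # 1 where some fragment has already written
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(payload)
        if offset < 0 or end > total_length:
            raise ValueError(f"fragment at offset {offset} runs past the datagram length")
        if any(covered[offset:end]):
            raise ValueError(f"fragment at offset {offset} overlaps an earlier fragment")
        buf[offset:end] = payload
        covered[offset:end] = b"\x01" * len(payload)
    if not all(covered):
        raise ValueError("datagram incomplete: at least one fragment missing")
    return bytes(buf)


def verdict(fragments, total_length):
    """Classify a fragment set the way a reassembly guard might: ('ok', bytes) or
    ('rejected', reason)."""
    try:
        return "ok", reassemble(fragments, total_length)
    except ValueError as err:
        return "rejected", str(err)


# Constructed fragment sets for the 12-byte datagram b"hello, world"
GOOD_OUT_OF_ORDER = [(7, b"world"), (0, b"hello, ")]
TEARDROP_STYLE = [(0, b"hello, "), (5, b"world")]      # second piece claims bytes 5..9
MISSING_PIECE = [(0, b"hello"), (7, b"world")]          # bytes 5 and 6 never arrive

if __name__ == "__main__":
    for name, frags in [("out of order", GOOD_OUT_OF_ORDER),
                        ("overlapping", TEARDROP_STYLE),
                        ("gap", MISSING_PIECE)]:
        print(f"{name:13}: {verdict(frags, 12)}")
```

Implementations that locked up did so because they computed a length from the difference of two offsets the attacker controlled and got a negative or huge value; tracking which bytes are already filled removes that arithmetic entirely.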
Traffic Redirection
• This is an attack on a network component
rather than a host
• Routers contain tables of addresses reachable
through them
• They also provide estimates of how “good”
those connections are
82
• A surgical attack could be mounted on a
router table
• A general, denial of service attack can take the
following form:
• Have that router advertise that it’s the best
route to all other points in the network
• It will be flooded with traffic
• Communications packets will be dropped or
slowed
83
DNS Attacks
• This is another attack on a network
component rather than a host
• Domain name servers translate from
alphanumeric Web domain names to numeric
network addresses
• They keep lists of known names and addresses
84
• When they receive traffic to an unknown
name, they pass it on to other servers
• When another server resolves the name, it
will inform the server that had to ask
• That server will store the information for
future reference
• This is known generically as caching the name
and address
85
• Causing false entries in the cache allows traffic to
be maliciously mis-routed
• This is known as poisoning the cache
• Berkeley Internet Name Domain (BIND), Unix
software for resolving names, has historically
been full of security holes, including buffer
overflow problems, making DNS attacks possible
• More recently, flawed Symantec firewall software
allowed DNS changes on Windows machines
86
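Slides 85 and 86 describe caching and then poisoning the cache. The following Python is an added example, not from the slides or the textbook, and it goes slightly beyond them by showing two standard resolver checks the slides do not name: a random transaction ID that a reply must echo, and a "bailiwick" rule that caches only records belonging to the zone that was asked about. The message shapes, the forged reply and the rule that the zone is the query name minus its first label are simplifications assumed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    txid: int
    qname: str


@dataclass(frozen=True)
class DnsResponse:
    txid: int
    qname: str      # question section echoed back
    answers: dict   # name -> address, standing in for answer + additional records


class NaiveResolver:
    """Caches whatever arrives: predictable ID, no check that a reply was asked for."""

    def __init__(self):
        self.cache = {}

    def ask(self, name):
        return DnsQuery(txid=0, qname=name)

    def receive(self, response):
        self.cache.update(response.answers)
        return True


class CheckingResolver:
    """Accepts a reply only if it matches an outstanding query's random ID and question,
    and caches only records inside the zone that was asked about (bailiwick)."""

    def __init__(self):
        self.cache = {}
        self.outstanding = {}          # txid -> qname

    def ask(self, name):
        txid = secrets.randbelow(1 << 16)
        self.outstanding[txid] = name
        return DnsQuery(txid, name)

    def receive(self, response):
        expected = self.outstanding.get(response.txid)
        if expected is None or expected != response.qname:
            return False               # unsolicited, or does not match what we asked
        del self.outstanding[response.txid]
        zone = response.qname.split(".", 1)[1]     # simplification: drop the first label
        for name, addr in response.answers.items():
            if name == zone or name.endswith("." + zone):
                self.cache[name] = addr            # in bailiwick; anything else is ignored
        return True


def run_scenario(resolver_cls, guess_offset=0):
    """The resolver asks for www.example.com; a forged reply (constructed) answers it and
    smuggles in an unrelated name. guess_offset=0 models an attacker who knows the ID."""
    resolver = resolver_cls()
    query = resolver.ask("www.example.com")
    forged = DnsResponse(
        txid=(query.txid + guess_offset) % (1 << 16),
        qname="www.example.com",
        answers={"www.example.com": "192.0.2.66", "www.bank.example": "192.0.2.66"},
    )
    resolver.receive(forged)
    return dict(resolver.cache)


if __name__ == "__main__":
    print("naive          :", run_scenario(NaiveResolver))
    print("checking, ID ok:", run_scenario(CheckingResolver))
    print("checking, ID no:", run_scenario(CheckingResolver, guess_offset=1))
```

Even when the attacker guesses the transaction ID, the bailiwick rule keeps the forged record for the unrelated name out of the cache; the random ID only raises the cost of the guess, which is why source-port randomisation and DNSSEC were added on top of it.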
Distributed Denial of Service
• The steps go like this:
• Scan systems for security flaws
• Use the flaws to insert Trojan horses on systems
• The Trojan horse contains a denial of service
attack
• Affected machines are known as zombies
• At some point in the future, signal the zombies to
mount the attack
87
• The victim has to deal with multiple simultaneous
attacks
• Various different kinds of attacks can be coded
into the Trojan horse(s)
• These kinds of attacks are so common that
“software suites” have been developed which
allow the attacker to put together an attack by
selecting scanning, Trojan horse, and attack
options
• For more information, look up Tribal Flood
Network (TFN), Trin00, and TFN2K
88
Threats in Active or Mobile Code
89
Cookies
• Cookies are data files rather than code files
• A cookie is stored at the request of a server, and
the contents of the cookie are sent to the server
on request
• Any information that a browser can determine
can be stored in a cookie
• A cookie may be “per-session”, stored in memory
for the time the browser is open
• A cookie may also be persistent, saved to disk
90
• Cookies provide a superficial convenience to
the user
• A web site can recognize a user and
personalize its response based on the
information it has about them
• The convenience is more to the server
• They now have information about the visitor
within their possession
91
• The contents of cookies are typically
encrypted
• You might think that this is a security benefit
to you
• However, you, the user, are primarily the one
who is prevented from seeing what
information about you the server is managing
for its own use on your machine
92
• From a security point of view, anyone in
possession of your cookie is able to impersonate
you to the relevant server
• From a personal privacy point of view, consider
the following:
• The server is able to place something on your
machine which you aren’t able to examine which
it can use to its heart’s content
• Does this increase or decrease your personal
security?
93
Scripts
• The book gives some detail concerning CGI
(common gateway interface) scripting
problems
• I’m not so interested in the details.
• I’m interested in the overall picture.
• It is possible to have servers pushing code
onto clients for execution
• This makes the clients insecure
94
• With scripts, it is the client that is able to
cause code to run on the server
• If the server side code was not carefully
written, it may be possible for the client to
request or run code that it shouldn’t
• This makes the server insecure
• Any time one host can cause another host to
run code, the possibility of security problems
is raised
95
Active Code
• The general idea is that a server sends code to
a client where it is run
• This is essentially the Java applet model
• Note that Java does include various security
features which reduce the danger of this
• A Java program can’t touch memory
• A Java program runs in a “sandbox” of limited
resources
96
• Originally the sandbox did not allow writing to
storage
• It also didn’t allow running arbitrary
procedures that had been included in the
sandbox
• In order to increase flexibility and capability,
these restrictions have been relaxed
97
• That means that Java is less secure than it was
before
• This means that it is now possible for
malicious programmers to write hostile
(harmful) applets
• To guard against them, the system has to
protect all of the following:
• System resources, memory, garbage collection
and communication between applets
98
ActiveX Controls
• ActiveX Controls are essentially Microsoft’s
answer to Java
• If you download a file of type .xyz, if there is a
handler on the system for files of that type, it
will be invoked
• If not, a handler can also be downloaded
99
• Security, such as it is, comes from a
cryptographic signature identifying the source
of the download
• This approach is far from failsafe
• There is no guarantee that code from
identified sources is safe
• It may also be the case that you do want to
use code from sources you “know”, but which
aren’t cryptographically identified
100
Auto Exec by Type
• This refers to features that are apparent in
Windows
• Files can have extensions indicating their type
• They can also have their type embedded in
them
• Depending on the context, a file of a given
type might be automatically opened
• Opening the file will trigger the application
corresponding to its type
101
• This is a “convenience” that we’ve all grown
accustomed to
• It can be an aggravation, when the extension
doesn’t match the embedded type
• It is also a possible source of security problems
• A malicious actor can embed harmful things, like
macros, in files that we tend to think of as data
files
• When the application opens the file, it will
execute the harmful macros
102
• The fault isn’t really in auto exec by type
• If the files didn’t open in this way, we would
simply start the application and then open them
• The problem is first of all, that people put
harmful things into files
• The second problem is simply that for full safety,
every file should have a known source and should
probably be scanned before being opened
103
Bots
• The term bot refers to an individual instance
of a Trojan horse resident on a machine
• In practice, an attacker will typically place a
botnet on a network: a large number of bots on
different machines
• The code for the bots is written so that the
attacker can communicate with them, they
can communicate with each other, etc.
104
• Because its elements are distributed,
semi-autonomous, and in communication with
each other, a botnet is highly resilient
• The individual bots typically don’t harm the
machine they’re on
• They simply steal its resources
• A common use for a botnet is triggering a
denial of service attack
105
• A botnet might also be devised to manage the
sending of spam
• If large quantities of unwanted mail can be traced
to a single address/machine, the source can be
blocked
• If each piece of unwanted mail comes from a
different address it is harder to defend against
• Who do you block, how many do you block, are
you blocking legitimate senders who are simply
unlucky enough to have a bot on their machine?
106
Complex Attacks
• The general idea of this section is that some
common attacks have been written up in scripts
that are readily available
• The term “script kiddies” refers to people who
aren’t programmers who can launch attacks using
scripts
• Not only do they not need to understand how the
scripts work
• It is possible that they don’t really understand
what the scripts do—except for the satisfaction of
knowing that they’re harmful to someone
107
Building Blocks
• The flip side of simple scripts is that they can
be used as building blocks
• A more sophisticated, knowledgeable attacker
can compose complicated attacks by running
scripts in sequence or combining them in
some way
108
Summary of Network Vulnerabilities
• Table 7-4
• See the following overheads
109
(Slides 110 and 111: Table 7-4, not reproduced in this transcript)
7.3 Network Security Controls
• Security in networks, in general, is based on the
same ideas as security in software or in other
computer and data systems
• Analysis and planning are the foundation
• Encryption remains one of the principal tools
• And various aspects of authentication play a large
role
• Other specific factors can also be identified
• Relative security results from a happy
combination of all of these things
112
Security Threat Analysis
• Security threat analysis consists of three basic
steps:
• Identify and analyze each part of a system and
its interactions with other parts
• Consider confidentiality, integrity, and
availability issues in the system
• Hypothesize the kinds of attacks that might
occur, the damage they might cause, and
possible measures against them
113
Parts of a Network
• Local nodes connected via
• Local communication links to a
• Local area network, which also has
• Local data storage,
• Local processes, and
• Local devices
114
• The local network is also connected to a
• Network gateway which gives access via
• Network communication links to
• Network control resources
• Network routers, and
• Network resources, such as databases
115
Summary of Network Threats
• Intercepting data in traffic
• Accessing programs or data at remote hosts
• Modifying programs or data at remote hosts
• Modifying data in transit
• Inserting communications
• Impersonating a user
• Inserting a repeat of a previous communication
• Blocking selected traffic
• Blocking all traffic
• Running a program at a remote host
116
Design and Implementation
• This was the topic at the end of chapter 3
• The first line of defense against possible
threats is the development of robust, secure
software, to the extent that may be possible
• The details won’t be repeated here
117
Architecture
• Segmentation
• Redundancy
• Single Points of Failure
• Mobile Agents
118
Segmentation
• Segmentation reduces the total number of
vulnerabilities
• What you have is the sum of the vulnerabilities of
simpler systems
• A more monolithic system would mean that a
vulnerability to one part was also a vulnerability
to another part
• Likewise, segmentation reduces the possible
harm of a single vulnerability
• Only one segment may incur harm, rather than all
parts of a monolithic system
119
An Example
• Suppose an e-commerce system consists of
these components:
• A Web server to handle HTTP sessions
• Application code to present goods and
services
• A database of goods and inventory
• A database of orders taken
120
• Putting all components on a single machine
would be insecure
• Putting each component on a separate machine
on a local area network behind a firewall would
be better
• It is especially helpful to separate the Web front
end from the data and applications back end
• The goal is to completely isolate Web visitors so
they don’t have access to the internal data and
applications
121
Redundancy
• The previous section assumed that you were
running an operation large enough to justify
multiple machines
• The ante goes up another step
• If you can afford it, you should have
redundant systems for each component
• If a component fails, performance will be
degraded, but service will not stop
122
• Notice that this isn’t just about security
• This is also simple disaster planning
• The follow-on security problem is that if one of a
pair of redundant systems fails for security
reasons, the other one is likely to be equally
vulnerable
• If there were no limit on resources, here’s a
thought, for example:
• Run two Web servers, one Unix based and the
other Windows based…
123
Single Points of Failure
• This is essentially the converse of redundancy
• When determining which things to distribute
or duplicate, you identify single points of
failure
• Note that in addition to doing things like RAID,
you may distribute data on different machines
• There can be processing issues in keeping
things synchronized
124
• Technically, the points of failure analysis also
applies to the network infrastructure itself
• How secure is each segment of a network?
• Do you have multiple machines at nodes in
your network, etc?
• Clearly, these are questions for life-sized
operations
• For most of us, our horizon is limited to a
single machine attached to the Internet
125
Mobile Agents
• Suppose you wrote snippets of code to scan
for various bad security conditions
• Rather than tying them together, you
implemented them as independent, semiautonomous applications that could be run on
various systems
• They would run in parallel, distributed fashion,
ferreting out security weaknesses
126
• This might be a useful view or paradigm for
future implementations of network security
• It’s sort of like turning the distributed denial of
service attack on its head (a botnet on its head)
• Or it may be reminiscent of the concept of a
“good” virus
• Some agents may fail, but in aggregate they may
succeed in identifying and rectifying the large
number of vulnerabilities in a complex system
127
Encryption
• The book reiterates the following ideas:
• You probably can’t have a secure system
without encryption being in it somewhere
• However, encryption is not a silver bullet
• It is one security tool that has to be
supplemented by others
• It also has its own security vulnerabilities
128
Link Encryption
• Link encryption refers to encryption that is
part of the network infrastructure
• It is transparent to the user
• When a message is sent, it is routed to a
particular destination host, which might not
be the final destination
• The immediate destination decrypts, re-encrypts, and forwards the message
129
• The message is exposed on the sender’s
machine, up until transmission
• It will be exposed on the final destination
machine immediately after receipt and
decryption
• It is also exposed on any intermediate host at
the lower levels of the network protocol
130
• This is a useful network service if the
transmission links themselves (wires, radio
waves) are not secure, but the hosts are secure
• It has been implemented by the military, for
example, where transmission nodes/hosts are
secure
• Even the headers can be at least partially
encrypted, so this may provide some protection
against routing attacks
131
• This is not a service that could be
implemented over the Internet
• You don’t know what path your packets will be
routed through and you have no control over
the intermediate hosts
132
End-to-End Encryption
• End-to-end encryption is done at the user
application level
• It is performed by software before a message
is submitted for transmission
• The message is not exposed on the source,
destination, or intermediate hosts
133
• Just because the message is not exposed
doesn’t mean there are no vulnerabilities
• Attacks may occur in the application to obtain
the message before encryption
• Cryptanalytic attacks may occur after
encryption
• Header information is not encrypted, so
routing attacks may occur
134
Comparison of Encryption Methods
135
Virtual Private Networks (VPN’s)
• The scenario here is that there is a trusted
(organizational) LAN
• There are some users who are not on site, and
want to access the network and its resources
remotely, over the Internet
• The Internet is inherently insecure, but VPN’s
make a trusted connection possible
136
• This is the plan:
• The remote user communicates initially with the
LAN firewall
• The firewall sends authentication information to
whatever component of the LAN does
authentication
• If authentication is approved, a link encryption
session is established between the user and the
firewall, which forwards communications to the
LAN
137
• In other words, VPN’s are an application of link
encryption
• This is in contrast to previous solutions to this
problem
• Until recently, corporations maintained their own
secure WAN by literally leasing telephone lines
(circuits) from telephone service providers for
their exclusive use
• Expensive, dedicated lines are no longer
necessary when traffic can be securely encrypted
138
PKI and Certificates
• PKI = Public Key Infrastructure
• The background for this topic came up when
discussing the uses of encryption
• The general topic is the following:
• What technology, software, and
administrative procedures are needed in order
to manage security certificates?
• At this time standards are being developed,
but this is not a mature area
139
• If it were mature, you might expect everybody
who uses a computer to have a verifiable
electronic identity which allowed
authenticated, secure transactions with all
other users with such an identity
• Such an infrastructure would ultimately be
based on one or more certificate authorities
• Characteristics of these are given on the
following overheads
140
• Creating/issuing certificates that bind a user’s
id with a unique public key (with
accompanying private key)
• Signing such certificates with the authority’s
public key for verification (vouching)
• Maintaining a database of such certificates
141
• Keeping track of any certificates which have
become invalid, either because they have
expired or it is known that they are
compromised
• Providing verification service by telling
whether any given certificate is valid and
publishing lists of invalidated certificates
• In short, managing all aspects of issuing and
maintaining security certificates
142
Tour de Buzzwords
• Time is running out and there’s a lot left in the
chapter
• I will continue just trying to do the once-over-lightly, and when I’m out of time, I’m out of
time
143
SSH Encryption
• SSH = Secure Shell
• This means secure access to a Unix command
prompt, in essence
• The protocol supports authentication and
encryption
• It includes features whereby local and remote
hosts negotiate which authentication and
encryption techniques they both support so
the user can login transparently
144
SSL Encryption
• SSL = Secure Sockets Layer
• A.k.a. TLS = Transport Layer Security
• This was a protocol devised by Netscape to
protect (end-to-end) communication between
a browser and a Web server
• Like SSH, the idea is that client and server
negotiate which authentication and
encryption tools they share and which ones
they will use to protect a session
145
IPSec
• IPSec = IP Security Protocol Suite
• This is part of version 6 of the IP protocol (IPv6)
• As such, it is implemented as part of the TCP/IP
infrastructure
• In addition to supporting authentication and
encryption (at the link level, in essence) it was
designed to include features to address spoofing,
eavesdropping, session hijacking, etc.
146
Signed Code
• Nothing radically new here:
• If you download code, it can come with a
signed security certificate indicating the
source
• It’s still up to you whether you trust the
source…
• Any code you install, whether downloaded or
from another source, is suspect to a degree…
147
Encrypted E-mail
• For some reason this subsection appears here
• It is a complete section of its own later
• Stay tuned
148
Content Integrity
• Basically a repetition of something that was
mentioned in ch. 12
• Error correcting codes for transmission errors
• Cryptographic checksum ~= message digest ~=
hashing for security related integrity problems
149
Strong Authentication
• The book raises a very interesting point
• Suppose you’re logging in to a remote host
• You can have all the authentication you want and
take all the protective measures you want—the
goal is to get your authentication to that remote
host so it will accept you
• What if you aren’t actually in communication
with that host?
• Then you will have sent your authentication
information (login and password) to whoever or
whatever was at the other end of the line
150
One-Time Password
• This is a technique to protect against stolen,
eavesdropped, wiretapped passwords in a
network environment
• There are several different kinds of systems
• The book describes one
• It is sort of like the electronic equivalent of a
one-time pad
151
• Users are given small devices, known as
password tokens, which generate a new
random number every minute
• These devices are all synchronized with a host
• The random numbers are derived using an
algorithm based on the current time
• During the one-minute interval after a number
is generated, it can be used as a login
password
152
• The host contains software which determines
whether the password is the one that would
have been computed for that time interval
• Even if someone intercepts a password, it will
not be valid after the one-minute window has
passed
• If multiple logins are disallowed, once used by
the legitimate user, the password wouldn’t be
valid again during that minute
153
• Like with all things, there is a trade-off
• The positive benefits are clear
• And the effect is that you’ve shifted security
concerns elsewhere
• What if the password token is lost or stolen?
• What if someone obtains access to the
algorithms used?
154
Challenge-Response Systems
• These are fancier versions of one-time
password systems
• The user needs a PIN to use the device
• When a user wants to use a remote host, the
host sends a value, a challenge
• The user enters the challenge into the device,
which produces the valid response
• The user enters the response as a password
155
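Both mechanisms from the last few slides (the time-synchronized password token and the PIN-protected challenge-response device) come down to the same thing: the device and the host share a secret, and the password is a keyed hash of something the attacker cannot reuse. The following Python is an added example written for these notes, not code from the book or from any real token product. It assumes HMAC-SHA256 as the keyed function, a 60-second window, a constructed shared secret, and a host that remembers used windows and outstanding challenges so that a captured value cannot be replayed.

```python
import hmac
import hashlib
import secrets
import struct
import time

STEP_SECONDS = 60   # the one-minute window described on the slides (assumption)
DIGITS = 6


def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    """Turn a MAC into a fixed-length decimal string the user can type."""
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


def password_for_window(secret: bytes, window: int) -> str:
    """Time-based password: a keyed hash of the minute counter (HMAC-SHA256 here)."""
    return _truncate(hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest())


def response_for_challenge(secret: bytes, challenge: str) -> str:
    """Challenge-response: a keyed hash of the host's challenge."""
    return _truncate(hmac.new(secret, b"chal:" + challenge.encode(), hashlib.sha256).digest())


class Token:
    """The user's device. It holds the shared secret and, for challenge-response, a PIN."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def current_password(self, now: float = None) -> str:
        now = time.time() if now is None else now
        return password_for_window(self._secret, int(now // STEP_SECONDS))

    def respond(self, challenge: str, pin: str):
        """Refuse to compute anything unless the PIN is right; returns None on a wrong PIN."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return None
        return response_for_challenge(self._secret, challenge)


class Host:
    """The remote host. It shares the secret and tracks used windows and open challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._used_windows = set()      # replay protection for time-based passwords
        self._open_challenges = set()   # each challenge may be answered once

    def verify_time_password(self, candidate: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        window = int(now // STEP_SECONDS)
        if window in self._used_windows:       # "multiple logins disallowed" within a minute
            return False
        if not hmac.compare_digest(candidate, password_for_window(self._secret, window)):
            return False
        self._used_windows.add(window)
        return True

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(8)
        self._open_challenges.add(challenge)
        return challenge

    def verify_response(self, challenge: str, candidate: str) -> bool:
        if challenge not in self._open_challenges:   # unknown or already-answered challenge
            return False
        self._open_challenges.discard(challenge)
        return hmac.compare_digest(candidate, response_for_challenge(self._secret, challenge))
```

Note what the code does and does not protect: the host rejects a replayed password inside the minute and an expired one after it, and the device refuses to answer without the PIN, but the security of the whole scheme still rests on the shared secret staying inside the device and the host, exactly the trade-off the slides point out.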
• What have you accomplished?
• There is no one-minute window during which a
purloined password might be used
• A password is generated only on demand
• What have you lost?
• Now your security is actually protected only
by a PIN
156
• In other words, this is simple password
security at the device level
• Have you ever heard of a PIN that was longer
than 4 characters and consisted of anything
but digits?
• What would the average system do if you tried
to use passwords with that strength?
157
• The book raises another interesting point
• These systems seem to be designed to protect
hosts from unauthorized users
• What about spoofing the other end of the
communication?
• What is protecting users from logging into false
hosts, assuming that the
devices/software/algorithms have been
compromised?
• It’s the same old problem of who is on the other
end of the line
158
Digital Distributed Authentication
• The key idea here is the following:
• In systems consisting of multiple components,
you need security and authentication between
hosts as well as between people
• In network communications between
devices/servers/hosts you can accomplish this
with an infrastructure for asymmetric keys
between machines
159
Kerberos
• Kerberos is essentially an example of a current
digital distributed authentication system
• It accomplishes authentication using public keys
• It can then be used for the distribution of secret
keys
• There is no need to go over the details of the
protocol
• We got a general discussion of how such
protocols are devised in earlier chapters
160
Access Controls
• ACL = Access Control List
• Authentication controls who
• ACL’s record what the resources and
permission are
• In a networked environment, routers can
contain ACL’s which control which
(authenticated) users can access which
network resources
161
Wireless Security
• Wireless security is based on identifiers for access
points and encryption
• SSID = Service Set Identifier = id of wireless access
point
• Users request access to such points
• WEP = Wired Equivalent Privacy =
authentication/encryption for individual
communication with an access point
• WPA = WiFi Protected Access is an alternative to
WEP with the same purpose
162
Alarms and Alerts
• This little subsection is just a preview of a
coming section:
• Intrusion Detection Systems
163
Honeypots
• Idea: Put up a system on your network with security
weak enough that attackers will be drawn there
• This can serve several different purposes:
• Allow you to study attacker behavior in general
• Lure an attacker to a particular location where by
monitoring you will be able to identify the attacker
• Divert an attacker to someplace harmless so that
serious systems aren’t compromised
• This is turning the principle of easiest penetration
against the attacker
164
Traffic Flow Security
• This has to do with signals intelligence
• A crude way to thwart listeners is to always
send the same amount of traffic between sites
• Onion routing is a way of anonymizing traffic
so that attackers are unlikely to be able to
identify the source and the destination
165
• The idea is this: A wants to send a message to D
• A wraps the message to D in an encrypted
message to C
• A wraps the message to D/C in an encrypted
message to B
• A sends the result to B
• At each step, each intermediate host only knows
the most immediate source and the most
immediate destination
• The rest of the routing information is encrypted
166
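The layered construction above, as an added example for these notes (not code from the book): A holds a separate shared key with each of B, C and D, wraps the message once per hop from the inside out, and each hop strips exactly one layer. Each hop's decrypt-and-forward step is the link-encryption model from earlier in the chapter, while the innermost layer gives the end-to-end property, so no intermediate host sees the message. The keys are constructed, and the cipher is an HMAC-SHA256 keystream with an integrity tag used only as a stand-in for a real authenticated cipher.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed keys: A shares a separate key with each hop on the route.
HOP_KEYS = {
    "B": hashlib.sha256(b"key shared by A and B").digest(),
    "C": hashlib.sha256(b"key shared by A and C").digest(),
    "D": hashlib.sha256(b"key shared by A and D").digest(),
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher; a real
    # implementation would use an authenticated cipher such as AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # integrity tag over the layer
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: layer was altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(route, message: bytes) -> bytes:
    """Wrap message so that each hop on route can strip exactly one layer.

    For route ["B", "C", "D"]: the innermost layer (for D) carries the message,
    the layer for C says 'forward to D', and the outer layer for B says 'forward to C'.
    """
    layer = None
    for i in range(len(route) - 1, -1, -1):
        hop = route[i]
        inner = {
            "next": route[i + 1] if i + 1 < len(route) else None,
            "payload": base64.b64encode(message if layer is None else layer).decode(),
        }
        layer = encrypt(HOP_KEYS[hop], json.dumps(inner).encode())
    return layer


def peel(hop: str, blob: bytes):
    """What a single hop can do: remove its own layer and learn only the next hop."""
    inner = json.loads(decrypt(HOP_KEYS[hop], blob))
    return inner["next"], base64.b64decode(inner["payload"])


def deliver(onion: bytes, first_hop: str, sender: str = "A"):
    """Forward hop by hop, recording what each hop observed (previous and next hop)."""
    observed = {}
    prev, current, blob = sender, first_hop, onion
    while current is not None:
        next_hop, blob = peel(current, blob)
        observed[current] = (prev, next_hop)
        prev, current = current, next_hop
    return blob, observed   # blob is now the plaintext message at the final hop
```

Running `deliver(build_onion(["B", "C", "D"], msg), "B")` returns the original message together with a record showing that B saw only A and C, C saw only B and D, and D saw only C. Trying to peel C's layer with B's key fails the integrity check, which is the point: the routing information beyond the next hop is encrypted.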
Controls Review
• Table 7-7
• This is simply too long to insert.
• It is a comprehensive list of all of the different
topics raised so far
167
7.4 Firewalls
• A firewall filters traffic between an outside,
untrusted network, and an inside, trusted
network
• A firewall should typically be a stand-alone
machine
• This supports good performance
• It also supports security
• If a firewall hosts other functions, it may be
more easily subverted by an attacker
168
• Firewalls intercept and inspect
communications packets or actions
• They implement a policy about what
communications or actions are allowed
• They may only allow communication in one
direction, from the inside to the outside
• They may also restrict or allow various types of
communications in both directions
169
• Policies can fall into two categories:
• Default permit: That which isn’t forbidden is
permitted
• Default deny: That which isn’t permitted is
forbidden
• Users tend to favor “default permit”
• Good security favors “default deny”
170
Types of Firewalls
• Packet filtering gateways or screening routers
• Stateful inspection firewalls
• Application proxies
• Guards
• Personal firewalls
171
Packet Filtering Gateways
• Packet filtering gateways inspect the header
information on communications
• They can permit or deny communications
between the inside and the outside based on
the addresses involved
• They can do the same based on the
communication protocol (http, telnet, etc.) of
the packet
172
• Header information can be forged, so this
level of protection isn’t absolute
• However, consider this approach to securing
the inside network:
• Block all packets from outside that show
source addresses from within the trusted
network
• These are clearly forgeries
173
• Packet filtering is useful and such a firewall is
probably a large part of a network’s security
• However, it has its shortcomings
• It is simple to set straightforward policies
• It becomes more complex to do things like
allow protocol x for address y, and cover all of
the possible individual combinations
174
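To make the packet-filtering discussion concrete, here is an added example (written for these notes, not code from the book or from any firewall product) of a header-only filter with a first-match rule list and a configurable default policy. It assumes a trusted inside range of 10.0.0.0/8 and a Web server at 10.0.1.10, both constructed. The first rule is the anti-spoofing rule from the previous slide: anything arriving on the outside interface with an inside source address is dropped before any permit rule is consulted. The same rule set is evaluated under default deny and default permit so the difference between the two policies is visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example values: the trusted inside network and its Web front end.
INSIDE_NET = "10.0.0.0/8"
WEB_SERVER = "10.0.1.10"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str     # source IP address from the header
    dst: str     # destination IP address from the header
    proto: str   # transport protocol, e.g. "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    """A header-only rule; None means 'any' for that field."""
    action: str                 # "permit" or "deny"
    comment: str
    iface: Optional[str] = None
    src: Optional[str] = None   # CIDR block
    dst: Optional[str] = None   # CIDR block
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


class PacketFilter:
    """First matching rule wins; the default policy applies when nothing matches."""

    def __init__(self, rules, default="deny"):
        if default not in ("permit", "deny"):
            raise ValueError("default policy must be 'permit' or 'deny'")
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet):
        for r in self.rules:
            if r.matches(p):
                return r.action, r.comment
        return self.default, f"default {self.default}"


RULES = [
    # Anti-spoofing: a packet arriving from outside cannot legitimately carry an
    # inside source address, so it is dropped before any permit rule applies.
    Rule("deny", "spoofed inside source on outside interface", iface="outside", src=INSIDE_NET),
    # Outside visitors may reach the Web front end on HTTPS only.
    Rule("permit", "inbound HTTPS to web server", iface="outside",
         dst=WEB_SERVER + "/32", proto="tcp", dport=443),
    # Inside hosts may initiate connections to the outside.
    Rule("permit", "outbound from inside", iface="inside", src=INSIDE_NET),
]

DEFAULT_DENY = PacketFilter(RULES, default="deny")       # what good security favors
DEFAULT_PERMIT = PacketFilter(RULES, default="permit")   # what users tend to favor

SAMPLE_PACKETS = {  # constructed test traffic
    "spoofed":  Packet("outside", "10.0.5.7", WEB_SERVER, "tcp", 443),
    "https":    Packet("outside", "198.51.100.20", WEB_SERVER, "tcp", 443),
    "telnet":   Packet("outside", "198.51.100.20", WEB_SERVER, "tcp", 23),
    "outbound": Packet("inside", "10.0.2.15", "198.51.100.20", "tcp", 80),
}


def decisions(fw: PacketFilter) -> dict:
    """Return {name: action} for the sample packets under the given firewall."""
    return {name: fw.decide(p)[0] for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:9s} deny-default={DEFAULT_DENY.decide(pkt)}  permit-default={DEFAULT_PERMIT.decide(pkt)}")
```

Under default deny the unlisted telnet attempt is dropped; under default permit it gets through, even though the spoofed packet is still caught because an explicit deny rule precedes everything else. The "protocol x for address y" complexity the slide mentions shows up as the rule list growing one entry per combination.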
Stateful Inspection Firewall
• The previous discussion covered a firewall that
inspected packets in isolation
• Stateful inspection refers to trying to consider
all packets that might belong together in a
single message
• Attackers may try and mount an attack that is
spread over several packets
• For example, it might be possible to foil a
teardrop attack with stateful inspection
175
Application Proxy
• An application proxy runs code which is in
effect a pseudo-application
• The pseudo-application stands between an
outside user and an inside service application
• To the user, the proxy looks like the service
• To the service, the proxy looks like the user
• The situation is analogous to a man-in-the-middle
176
• The proxy intercepts all traffic between the
two
• It can inspect the content as well as the
header
• It can implement policies on what is allowed
based on the content of the communication
• It will transmit actions which are allowed and
not transmit actions which are not allowed
177
• File access illustrates the idea
• Locally, an operating system assigns rwx
attributes to users
• On a network, suppose all (remote) users may be
allowed to read, but not write to a file
• A proxy could monitor all communication for read
and write actions
• Reads would be passed to the inside file system
• Writes would be discarded
178
Guards
• A guard is essentially a proxy with added
features
• Examples of guarding functions include
limiting communication traffic based on type
or based on quantity associated with a given
user, scanning certain kinds of traffic, etc.
• Filtering is based on the contents of the
packets, but on criteria beyond those of a
simple application proxy
179
Personal Firewalls
• The previous discussion was based on the idea
of a firewall machine on a network
• A personal firewall is a piece of software
protecting an individual machine from the
network it’s attached to
• This is a good thing for an individual user
connected to an untrusted network, like the
Internet, for example
180
• A personal firewall can be configured to do all
of the same kinds of things as a network
firewall mentioned previously
• Unfortunately, because the firewall works on
the same machine it’s protecting, the firewall
is vulnerable to subversion by an attacker
through that machine
181
Example Firewall Configurations
• A network firewall installation can be made
even more secure
• The firewall can be on its own LAN or LAN
segment, so that inside network machines are
not exposed to breaches that only reveal the
network the firewall is on
182
• This can be taken a step further
• The inside network may be connected to an
application proxy firewall on its own network
segment
• The application proxy may be connected to a
packet filtering gateway on its own network
segment
• The packet filtering gateway may then connect to
the outside network
• An attacker would have to successfully breach
several layers to get to the inside network
183
What Firewalls Can and Cannot Block
• A firewall defense is a perimeter defense
• If the inside network has any other
connections to the outside, then it is
vulnerable
• Also, any data transmitted outside of the
perimeter has to be treated as suspect as soon
as it leaves the perimeter
184
• As the window to the outside, firewalls are the
first line of defense and the first point of
attack on a system
• Firewalls have to be monitored and kept up to
date just like any other security tool
• Firewall logs may provide information on
attack precursors or unsuccessful (or
successful) attacks on a system
185
• Even the most elaborate firewall has little
effect on the content of communications
• If a communication comes from an authorized
user under an accepted protocol, bad data or
code may enter the system
• This is the result of successful subversion of
authentication (a stolen password, for
example) and the firewall can’t control for this
186
7.5 Intrusion Detection Systems
• Firewalls protect the perimeter of a system
• Intrusion detection systems monitor activities
within a system
• Outsiders can penetrate the perimeter
defenses
• Insiders can also engage in inappropriate
behavior
• The goal is to identify those cases when they
have (and do something about it)
187
• IDS’s may do one or more of the following:
• Audit system configuration for vulnerabilities
and misconfigurations
• Correct system configuration errors
• Assess the integrity of critical system and data
files
188
• Monitor users and system activity
• Identify abnormal activity through statistical
analysis
• Recognize known attack patterns in system
activity
• Manage audit trails and highlight user violation of
policy or normal activity
• Install and operate traps to record information
about intruders
189
Types of IDS’s
• Signature based: This relies on matching pre-established patterns of known attacks
• Heuristic: This is a more flexible system based
on identifying anomalies in behavior
• The IDS administrator builds a model of
accepted behavior in which certain anomalies
may be allowed or disallowed
190
• IDS’s are clearly more complex than virus
scanners
• However, there is a similarity in concept
• In real time the IDS is monitoring system
activity looking for a signature of an attack
• The heuristic approach is not so different
• In real time the IDS is looking for signatures of
behavior which are anomalous
191
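The two IDS styles side by side, as an added example for these notes (not code from the book): signature detection matches fixed patterns of known attacks against each log line, while the heuristic part builds a statistical model of normal failed-login counts per source and flags anything more than k standard deviations above the mean. The log lines, the signatures and the baseline numbers are all constructed. The parameter k is the administrator's tuning knob from the False Results slides: lowering it produces false positives, raising it too far produces false negatives.

```python
import re
import statistics
from collections import Counter

# Constructed syslog-style lines (not from any real system): a few ordinary
# events, a burst of failed root logins from one outside address, and two
# Web requests carrying known attack patterns.
LOG_LINES = """\
Mar 10 09:00:01 gw sshd[4101]: Failed password for alice from 10.0.0.5 port 51022
Mar 10 09:00:04 gw sshd[4101]: Accepted password for alice from 10.0.0.5 port 51023
Mar 10 09:00:10 gw sshd[4102]: Failed password for alice from 10.0.0.5 port 51030
Mar 10 09:01:00 gw sshd[4110]: Failed password for root from 203.0.113.9 port 40001
Mar 10 09:01:01 gw sshd[4111]: Failed password for root from 203.0.113.9 port 40002
Mar 10 09:01:02 gw sshd[4112]: Failed password for root from 203.0.113.9 port 40003
Mar 10 09:01:03 gw sshd[4113]: Failed password for root from 203.0.113.9 port 40004
Mar 10 09:01:04 gw sshd[4114]: Failed password for root from 203.0.113.9 port 40005
Mar 10 09:01:05 gw sshd[4115]: Failed password for root from 203.0.113.9 port 40006
Mar 10 09:01:06 gw sshd[4116]: Failed password for root from 203.0.113.9 port 40007
Mar 10 09:01:07 gw sshd[4117]: Failed password for root from 203.0.113.9 port 40008
Mar 10 09:02:15 gw httpd[77]: GET /login.php?user=admin'%20OR%20'1'='1 from 203.0.113.9
Mar 10 09:02:18 gw httpd[77]: GET /cgi-bin/../../etc/passwd from 203.0.113.9
Mar 10 09:02:20 gw httpd[77]: GET /images/logo.png from 10.0.0.5
""".splitlines()

# Signature-based detection: fixed patterns of known attacks.
SIGNATURES = {
    "sql_injection_probe": re.compile(r"(?i)'(%20|\s)*or(%20|\s)*'"),
    "directory_traversal": re.compile(r"\.\./\.\./"),
}

# Heuristic detection: failed logins per source address seen per window during
# normal operation (constructed baseline); mean 0.8, standard deviation about 0.75.
NORMAL_FAILED_PER_SOURCE = [1, 0, 2, 1, 0, 1, 0, 2, 1, 0]
FAILED_RX = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def signature_hits(lines):
    """Return (signature name, line) for every line matching a known pattern."""
    return [(name, line) for line in lines
            for name, rx in SIGNATURES.items() if rx.search(line)]


def failed_logins_by_source(lines) -> Counter:
    counts = Counter()
    for line in lines:
        m = FAILED_RX.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def anomaly_threshold(k: float) -> float:
    """Flag anything more than k standard deviations above the normal mean."""
    return statistics.mean(NORMAL_FAILED_PER_SOURCE) + k * statistics.pstdev(NORMAL_FAILED_PER_SOURCE)


def anomalies(lines, k: float = 3.0) -> dict:
    threshold = anomaly_threshold(k)
    return {src: n for src, n in failed_logins_by_source(lines).items() if n > threshold}


def analyze(lines, k: float = 3.0) -> dict:
    return {"signature_hits": signature_hits(lines), "anomalies": anomalies(lines, k)}
```

With k = 3 only the burst from 203.0.113.9 is flagged; with k = 0 alice's two ordinary typos from 10.0.0.5 are flagged as well (a false positive), and with k = 20 the burst itself slips through (a false negative).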
• IDS’s can be network based or host based
• This is similar to the distinction between a
network firewall and a personal firewall
• Networks, individual systems, or both may
have IDS’s installed on them
192
Stealth Mode
• Just like all security devices, something to
worry about is whether the IDS can be
compromised
• For a network IDS, the ideal setup is for the
IDS to monitor one network and report results
on another
• The IDS never sends packets on the network it
monitors; it only listens
193
• It is also possible to put the IDS device on the
network without publishing its address
• No traffic can be routed to it
• Just as a firewall is like a man-in-the-middle,
the IDS functions as a sniffer
• Attackers cannot know for sure that it’s there
and they have no way of getting at it
194
• Note the following idea:
• If the IDS were able to receive traffic, its
performance could be degraded by a denial of
service attack
• Also note the following:
• Nothing is perfect
• The IDS would be vulnerable through the
other network where it reports alarms
195
Other IDS Types
• The tripwire program has characteristics of
intrusion detection
• Tripwire computes a hash for all installed
software
• If an intrusion is suspected, tripwire can be
run again to see if the hashes come out
differently
196
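A Tripwire-style integrity check, as an added example for these notes (not Tripwire's own code): hash every file under a directory into a baseline, seal the baseline with a MAC so that an intruder cannot quietly rewrite it, then rescan and report what was added, removed or modified. This is the cryptographic checksum idea from the Content Integrity slide applied to installed software. The directory tree and the key are constructed inside `demo()` in a temporary directory, so the block runs offline.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline: dict, key: bytes) -> str:
    """Serialize the baseline with a MAC so a tampered baseline can be detected."""
    body = json.dumps(baseline, sort_keys=True)
    return json.dumps({"body": body,
                       "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()})


def open_baseline(sealed: str, key: bytes) -> dict:
    rec = json.loads(sealed)
    expected = hmac.new(key, rec["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(rec["mac"], expected):
        raise ValueError("baseline has been altered")
    return json.loads(rec["body"])


def compare(baseline: dict, root: Path) -> dict:
    """Rescan root and report differences against the stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, change it, rescan."""
    key = b"constructed baseline key, kept off the monitored host"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls")
        (root / "bin" / "ps").write_bytes(b"original ps")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0\n")
        sealed = seal_baseline(build_baseline(root), key)

        # Later: one binary replaced, one deleted, one new file dropped in.
        (root / "bin" / "ls").write_bytes(b"replaced ls")
        (root / "bin" / "ps").unlink()
        (root / "bin" / "extra").write_bytes(b"new file")

        return compare(open_baseline(sealed, key), root)
```

The sealed baseline matters as much as the hashing: a baseline stored unprotected on the monitored host could simply be regenerated after the intrusion, which is why the key is assumed to live elsewhere.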
• Scanners such as ISS and Nessus can be run
against a network to check for known
vulnerabilities
• Honeypots are dual-purpose
• They divert attackers away from valuable
systems
• They also provide an environment where
intruders can be found
197
Goals for Intrusion Detection Systems
• The main point of interest in this subsection is
the following:
• In addition to other techniques they may
employ, IDS’s may filter and inspect packets
• In part, the IDS contains functionality like a
firewall’s functionality, except that it’s internal
• It is trying to analyze what’s going on inside
the system after users, both legitimate and
possibly illegitimate start doing things
198
Responding to Alarms
• There is an escalating scale of responses
• For minor events, they may simply be noted in
a log
• For more significant, but not harmful events,
the activity of the intruder may be actively
monitored
• For significant attacks, protective action may
be taken to restrict access to an attacker
199
• This can range from blocking traffic from that
source to taking a resource or system offline
• Such actions will notify attackers that you
have discovered them
• In all cases, unless you’re the CIO, the option
exists to notify higher authority and let them
decide what to do
200
False Results
• Failures of systems of this type fall into two
categories:
• Type I: False positives
• Type II: False negatives
• An administrator has to be aware of how the
system works and try to tune it to give
acceptable performance
201
7.6 Secure Email
• In general, secure email would be a good thing
• You would like to be assured of message
confidentiality, message integrity, sender
authenticity, and non-repudiation
• In general, email doesn’t have any of these
characteristics
• On the other hand, the use of symmetric or
asymmetric encryption can provide some of
them
202
• There are two main problem areas:
• As soon as you start encrypting, you have to
be able to exchange certificates/keys
• Also, you can encrypt the bodies of messages,
but not the headers
• There are still security problems inherent in
unprotected headers
203
Existing Standards/Systems
• If you want secure email then you will
probably need to adopt a system
• For further information you could do research
on PGP (Pretty Good Privacy) or S/MIME
(Secure Multi-purpose Internet Mail
Extensions)
204
7.7, 7.8, 7.9
• 7.7, Summary of Network Security
• 7.8, Terms and Concepts
• 7.9, Where the Field is Headed
205
The End
206