Review For Exam 1 notes
Review For Exam 1
(February 10, 2016)
© Abdou Illia – Spring 2016
Introduction to Systems Security
Preventing Security Threats
Use anti-virus software
Use software firewall
Use hardware/appliance firewall
Use Intrusion Detection Systems (IDS)
Use Intrusion Prevention Systems
Install OS updates
Install applications’ updates
Not open file attachments from unknown sources
Not click URL in emails from unknown sources
Social engineering tests/Mock phishing schemes
Awareness training
Acceptable computer use policy
Password policy
Etc.
The PTP framework
Any security system must have 3 key elements:
People (users and IT staff, customers, etc.)
Technology (firewall, IDS, antivirus, etc.)
Policies (Safe-Use policy, password policy, privacy policy, etc.)
People are usually the weakest link
Countermeasures
Tools used to thwart attacks
Also called safeguards, protections, and controls
Types of countermeasures
Preventative
Detective
Corrective
The Plan-Protect-Respond cycle
Figure 2-6
Dominates security management thinking
Access Control and Site Security (Part 1)
Dialog attack: Eavesdropping
Intercepting confidential messages being transmitted over the network
[Figure: a dialog ("Hello" ... "Hello") between Client PC (Bob) and Server (Alice); the attacker (Eve) intercepts and reads the messages]
Dialog attack: Message Alteration
Intercepting confidential messages and modifying their content
[Figure: a dialog between Client PC (Bob) and Server (Alice); the attacker (Eve) intercepts and alters messages, so that "Balance = $1" on one side becomes "Balance = $1,000,000" on the other]
Denial-of-Service (DoS) attack
[Figure: the attacker sends a message flood; the server is overloaded by the message flood]
Break-in and Dialog attacks: Security Goal
If eavesdropping or message alteration attacks succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality = Main goal in implementing defense systems against eavesdropping and message alteration.
Defense tools: encryption, hashing, etc.
Malware attacks: Security Goal
If virus attacks succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Integrity = Main goal of implementing defense systems against malware attacks.
Defense tools: antivirus, IDS, IPS
DoS attack: Security Goal
If a DoS attack succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company’s licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Availability = Main goal of implementing defense systems against DoS attacks.
Defense tools: firewalls, IDS, IPS
Security Goals
Three main security goals (CIA):
Confidentiality of communications and proprietary information
Integrity of corporate data
Availability of network services and resources
Authenticity: ensuring that the data, transactions, communications or documents are genuine. Also validating that both parties involved are who they claim to be.
Non-repudiation: ensuring that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.
Question
Which of the following actions may be taken in order to strengthen the confidentiality of companies’ proprietary information?
a) Prevent employees from accessing files not needed in their job
b) Limit the number of computers each employee could use for logging in to the network
c) Encrypt any communications involving passwords
d) All of the above
What is Access Control?
Access control is the policy-driven limitation of access to systems, data, and dialogs
Access control prevents attackers from gaining access to systems’ resources, and helps stop them if they do
What is Access Control?
AAA process
Authentication: supplicant sends credentials to verifier to authenticate the supplicant
Authorization: what permissions the authenticated user will have
What resources he or she can get to at all
What he or she can do with these resources
Auditing: recording what people do in log files
Detecting attacks
Three functions of Access Control
AAA process
Authentication: assessing the identity of an individual claiming to have permission for using resources
Credentials for authentication
What you know (password, key, etc.)
What you have (smart card, physical key, etc.)
Who you are (fingerprint, etc.)
What you do (pronunciation, writing, etc.)
Supplicant sends credentials to verifier for authentication
Authorization: what permissions the authenticated user has
What resources he/she can get access to
What he/she can do with these resources
Auditing: recording what people do in log files
Log files can be analyzed in real-time or later for detecting violations to authentication/authorization. Can help detect attacks
Reusable Passwords
Used repeatedly to get access to a resource on multiple occasions
Bad because an attacker could have time to crack it
Difficult to crack by remote guessing
Usually cut off after a few attempts
However, if an intruder steals the password file, he/she can crack passwords at leisure
Password Cracking
With physical access or with the password file in hand, an attacker can use password cracking programs
Program                                              | Windows | Linux
L0phtcrack (now LC5)                                 | √       |
Ophcrack                                             | √       |
John The Ripper                                      | √       | √
RainbowCrack (uses lookup tables and hash functions) | √       | √
Crack                                                |         | √
Cain & Abel                                          | √       |
Programs usually come with "dictionaries" with thousands or even millions of entries of several kinds
Programs use the brute-force cracking method
Used by network admins to locate users with weak passwords, and by attackers.
Figure 2-3: Password Length
Password Length In Characters | Alphabetic, No Case (N=26) | Alphabetic, Case (N=52) | Alphanumeric: Letters & Digits (N=62) | All Keyboard Characters (N=~80)
1       | 26            | 52             | 62             | 80
2 (N^2) | 676           | 2,704          | 3,844          | 6,400
4 (N^4) | 456,976       | 7,311,616      | 14,776,336     | 40,960,000
6       | 308,915,776   | 19,770,609,664 | 56,800,235,584 | 2.62144E+11
8       | 2.08827E+11   | 5.34597E+13    | 2.1834E+14     | 1.67772E+15
10      | 1.41167E+14   | 1.44555E+17    | 8.39299E+17    | 1.07374E+19
Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lower case alphabetic characters. What is the maximum number of passwords the attacker would try in order to crack a password in your system?
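The table above is the formula N^L (alphabet size to the power of the password length) evaluated for a few alphabets and lengths. The following Python is an added example, not part of the slides: it reproduces the rows of Figure 2-3 from that formula, works the policy question (lowercase letters plus digits gives a 36-symbol alphabet), and also handles the case where the policy only bounds the length, which Figure 2-3 does not tabulate. The guess rate used at the end is an assumed number for illustration, not a figure from the slides.

```python
# Added example (not from the lecture slides): the password search-space formula N^L behind
# Figure 2-3, and the policy question under the figure worked with it.

# Alphabet sizes used by Figure 2-3 (the slide approximates "all keyboard characters" as 80)
ALPHABETS = {
    "alphabetic, no case": 26,
    "alphabetic, case": 52,
    "alphanumeric": 62,
    "all keyboard characters": 80,
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters from an alphabet of
    `alphabet_size` symbols: N^L. It is the worst case for an attacker who knows the
    policy and must try every candidate (brute force)."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length

def keyspace_up_to(alphabet_size: int, min_length: int, max_length: int) -> int:
    """When the policy only bounds the length, the attacker must cover every permitted
    length, so the search space is the sum of N^L for L = min_length..max_length."""
    return sum(keyspace(alphabet_size, n) for n in range(min_length, max_length + 1))

def figure_2_3_row(length: int) -> dict:
    """One row of Figure 2-3: the search space for each alphabet at the given length."""
    return {name: keyspace(n, length) for name, n in ALPHABETS.items()}

def policy_question_answer() -> int:
    """Policy on the slide: exactly 6 characters, lowercase letters and decimal digits only.
    Alphabet = 26 letters + 10 digits = 36 symbols, so at most 36^6 guesses are needed."""
    return keyspace(26 + 10, 6)

def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Time to exhaust a search space at an assumed guess rate (the rate is an assumption
    for illustration, not a figure from the slides)."""
    return space / guesses_per_second

if __name__ == "__main__":
    for length in (1, 2, 4, 6, 8, 10):
        print(length, {k: f"{v:,}" for k, v in figure_2_3_row(length).items()})
    answer = policy_question_answer()
    print(f"policy question: {answer:,} candidates")
    print("hours at an assumed 1e9 guesses/s:", worst_case_seconds(answer, 1e9) / 3600)
```

Running the script prints the six rows of Figure 2-3 and then the answer to the policy question; the last line shows why an offline attack against a stolen password file (the "crack at leisure" case from the Reusable Passwords slide) makes a short, small-alphabet policy insufficient even though online guessing is cut off after a few attempts.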
Cracking techniques
Dictionary attack
Fastest way to crack a password. A “dictionary” file (a text file full of dictionary words) is loaded into a cracking application, which is run against user accounts located by the application.
Hybrid attack
Will add numbers or symbols to the search words to successfully crack a password. Many people change their passwords by simply adding a number to the end of their current password.
Brute force attack
More suitable for complex passwords. May take a long time to work depending on the complexity of the password. The program will begin trying any and every combination of numbers and letters and running them against the hashed passwords on the computer. Passwords composed of random letters, numbers and characters are most vulnerable to this type of attack.
Password Policy
Shared passwords
Not a good policy
Remove the ability to learn who took actions; loses accountability
Usually is not changed often or at all because of the need to inform all sharers
Summary Questions
What are the main security goals?
What security goal is jeopardized by a successful eavesdropping attack?
What is the difference between dictionary cracking and hybrid cracking?
What is a shared password?
Alternatives to password
Access Cards
Magnetic stripe cards
Smart cards
Have a microprocessor and RAM
Can implement public key encryption for challenge/response authentication
Token
Constantly changing password devices for one-time passwords
USB plug-in tokens
Alternatives to password (cont.)
Proximity Access Tokens
Use Radio Frequency ID (RFID) technology
Supplicant only has to be near a door or computer to be recognized
Two-Factor Authentication
Access card: 1st factor
PINs for the second factor
Short: 4 to 6 digits
Can be short because attempts are manual
Should not choose obvious combinations (1111, 1234) or important dates
Alternatives to password (cont.)
Biometric Authentication
Authentication based on biological (bio) measurements (metrics).
Biometric authentication is based on something you are (your fingerprint, iris pattern, face, hand geometry, and so forth)
Or something you do (write, type, and so forth)
The major promise of biometrics is to make reusable passwords obsolete
Alternatives to password (cont.)
Resources Access Control (Part 2)
Wireless telecomm control
IEEE* is a professional association that
Is dedicated to advancing technological innovations
Develops standards for wired LAN devices
Develops standards for Wireless LAN (WLAN) devices
Wi-Fi Alliance is a trade association that
Promotes Wireless LAN technology
Certifies products if they conform to certain standards
* Institute of Electrical and Electronics Engineers
IEEE 802.11 WLAN standards
Standard        | 802.11b   | 802.11a   | 802.11g   | 802.11n          | 802.11ac*
Unlicensed Band | 2.4 GHz   | 5 GHz     | 2.4 GHz   | 2.4 GHz or 5 GHz | 2.4/5 GHz?
Rated Speed     | ≤ 11 Mbps | ≤ 54 Mbps | ≤ 54 Mbps | ≤ 150 Mbps       | ≤ 866 Mbps
# of channels   | 3         | 12        | 13        | 13               | (not given)
802.11n
Service band 2.4 - 2.4835 GHz divided into 13 channels
Each channel is 40 MHz wide
Channels spaced 5 MHz apart
Channel 1 centered on 2412 MHz. Channel 13 centered on 2472 MHz
Transmissions spread across multiple channels
802.11b and 802.11g devices use only Channels 1, 6, 11 to avoid transmission overlap.
AM radio channels have a 10 KHz bandwidth
FM radio channels: 200 KHz bandwidth
* Under development
802.11 Wireless LAN operation
802.11 refers to the IEEE Wireless LAN standards
[Figure: (1) the Notebook with wireless NIC sends an 802.11 frame containing the packet to the Access Point; (2) the Access Point forwards an 802.3 frame containing the packet through the Ethernet switch; (3) the switch delivers it to the Server. A Client PC is also attached to the switch.]
802.11 Wireless LAN operation
[Figure: same layout as above. (1) The Notebook with PC Card wireless NIC sends an 802.11 frame containing the packet to the Access Point; (2) the Access Point sends an 802.3 frame containing the packet through the Ethernet switch; (3) to the Server. A Client PC is also attached to the switch.]
1. If the AP is 802.11n-compliant, it could communicate with the notebook even if the notebook has an 802.11a NIC. T / F
2. Given what you know about WLAN operation, where (i.e. on which device) should security be implemented to prevent unauthorized devices from accessing network services?
Summary Question (1)
Which of the following is among Wireless Access Points’ functions?
a) Convert electric signal into radio wave
b) Convert radio wave into electric signal
c) Forward messages from wireless stations to devices in a wired LAN
d) Forward messages from one wireless station to another
e) All of the above
f) Only c and d
MAC Filtering
The Access Point could be configured to only allow mobile devices with specific MAC addresses
Today, attack programs exist that could sniff MAC addresses, and then spoof them to gain access
[Figure: an Access Point holding a MAC Access Control List]
MAC Access Control List
O9-2X-98-Y6-12-TR
10-U1-7Y-2J-6R-11
U1-E2-13-6D-G1-90
01-23-11-23-H1-80
……………………..
IP Address Filtering
The Access Point could be configured to only allow mobile devices with specific IP addresses
Attacker could
Get an IP address by guessing based on the company’s range of IP addresses
Sniff IP addresses, then spoof them to gain access
[Figure: an Access Point holding an IP Address Access Control List]
IP Address Access Control List
139.67.180.1/24-139.67.180.30/24
139.67.180.75
139.67.180.80
139.67.180.110
……………………..
Access control at EIU
What is used at EIU today to control access to the WLAN?
SSID: Apparent 802.11 Security
Service Set Identifier (SSID)
It’s a “Network name” of up to 32 characters
Access Points come with a default SSID. Example: “tsunami” for Cisco or “linksys” for Linksys
All Access Points in a WLAN have the same SSID
Mobile devices must know the SSID to “talk” to the access points
The SSID is frequently broadcast by the access point for ease of discovery.
SSIDs in frame headers are transmitted in clear text
SSID broadcasting could be disabled but it’s a weak security measure
Sniffer programs (e.g. Kismet, inSSIDer) can find SSIDs easily
Wired Equivalent Privacy (WEP)
Standard originally intended to make wireless networks as secure as wired networks
With WEP, mobile devices need to provide a shared key to be authenticated and gain access
Typical WEP key length: 40-bit, 128-bit, 256-bit
If a hacker intercepts, decrypts, and compares two messages encrypted with the same key, he/she will know the key
Question: Besides through hacking, how can a WEP key be leaked? What can be done to limit access by unauthorized users?
1.
2.
3.
4.
5.
WEP authentication process
Wireless station sends an authentication request to the AP
AP sends back a 128-bit challenge text in plaintext
Wireless station uses the RC4 encryption scheme to encrypt the challenge text with its WEP key and sends the result to the AP
AP regenerates the WEP key from the received result, then compares that WEP key to its own WEP key
AP sends a success or failure message
Open Source WEP Cracking software: aircrack-ng, weplab, WEPCrack, airsnort
Wired Equivalent Privacy (WEP)
Using Initialization Vectors (IV)
To make the shared key hard to crack, WEP uses a per-frame key that is the shared key plus a 24-bit initialization vector (IV) that is different for each frame/packet.
However, many frames “leak” a few bits of the key
With high traffic, an attacker using readily available software can crack a shared key in 2 or 3 minutes
Wi-Fi Protected Access (WPA)
WPA extends the security of WEP/RC4 primarily by:
increasing the IV from 24 bits to 48 bits
Implementing a system for automatic rekeying called TKIP (Temporal Key Integrity Protocol)
Cryptographic Characteristic  | WEP                              | WPA                                                                   | 802.11i (WPA2)
Cipher for Confidentiality    | RC4 with a flawed implementation | RC4 with 48-bit initialization vector (IV)                            | AES with 128-bit keys
Automatic Rekeying            | None                             | Temporal Key Integrity Protocol (TKIP), which has been partially cracked | AES-CCMP Mode
Overall Cryptographic Strength | Negligible                      | Weaker but no complete crack to date                                  | Extremely strong
Using Authentication server
[Figure: 1. Applicant (Lee) sends an Authentication Request to the Access Point. 2. The Access Point passes on the request to the RADIUS Server / WAP Gateway. 3. The RADIUS server gets user Lee’s data from a Directory Server or Kerberos Server (optional; the RADIUS server may store authentication data). 4. The RADIUS server answers "Accept Applicant, Key=XYZ". 5. The Access Point tells the applicant "OK, use Key XYZ".]
RADIUS is an AAA (Authentication, Authorization, Accounting) protocol
Once the user is authenticated, the AP assigns the user an individual key, avoiding a shared key.
TCP/IP Internetworking
Layered Communications: Encapsulation – De-encapsulation
Application programs on different computers cannot communicate directly
There is no direct connection between them!
They need to use an indirect communication system called layered communications or layer cooperation
[Figure: the Browser on the User PC sends an HTTP Request to the Web App on the Webserver. On each machine the application sits above Transport, Internet, Data Link and Physical layers.]
Layer Cooperation on the User PC
Encapsulation on the sending machine
Embedding the message received from the upper layer in a new message
[Figure: Application layer creates the HTTP request. Transport layer encapsulates the HTTP request in the data field of a TCP segment (TCP-H | HTTP req.). Internet layer encapsulates the TCP segment in an IP packet (IP-H | TCP-H | HTTP req.). Data Link layer encapsulates the IP packet in a frame (PPP-H | IP-H | TCP-H | HTTP req. | PPP-T). Physical layer transmits the frame.]
Layer Cooperation on the Web server
De-encapsulation
Other layers pass successive data fields (containing next-lower layer messages) up to the next-higher layer
[Figure: the Physical layer receives the frame (PPP-H | IP-H | TCP-H | HTTP req. | PPP-T) from the transmission media. Data Link layer strips the frame header and trailer and passes the IP packet (IP-H | TCP-H | HTTP req.) to the Internet layer. Internet layer strips the IP header and passes the TCP segment (TCP-H | HTTP req.) to the Transport layer. Transport layer strips the TCP header and passes the HTTP request to the Application layer on the Webserver.]
Questions
1. What is encapsulation? On what machine does it occur: sending or receiving machine?
2. If a layer creates a message, does that layer or the layer below it encapsulate the message?
3. What layer creates frames? Segments? Packets?
IP Packet
IP Version 4 Packet header (bit 0 to bit 31 per row):
Version (4 bits, = 0100) | Header Length (4 bits) | QoS (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags | Fragment Offset (13 bits)
Time To Live (8 bits) | Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP | Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any) | Padding
Data Field
QoS: Also called Type of Service, indicates the priority level the packet should have
Identification tag: to help reconstruct the packet from several fragments
Flags: indicate whether the packet could be fragmented or not (DF: Don't Fragment), and whether more fragments of a packet follow (MF: More Fragments or NF: No More Fragments)
Fragment offset: identifies which fragment this packet is attached to
TTL: Indicates the maximum number of hops (or routers) the packet could pass before a hop discards it.
Header checksum: to check for errors in the header only
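The encapsulation and de-encapsulation slides and the IP packet layout above can be exercised together. The following Python is an added example, not code from the slides: the sending side wraps an HTTP request in a TCP segment, then in an IPv4 packet with the real 20-byte header layout shown above (version, header length, identification, flags/offset, TTL, protocol, checksum), then in a frame; the receiving side peels each layer off and decodes the IP header fields, including a check of the header checksum and the Protocol value (6 = TCP). The PPP framing is a simplified placeholder (a 2-byte header and 2-byte trailer chosen for the example), and the TCP checksum is left at zero because it needs an IP pseudo-header that the slides do not cover.

```python
# Added example (not from the lecture slides): encapsulation on the sending host and
# de-encapsulation on the receiving host, using the real IPv4 and TCP header layouts
# from the IP Packet and TCP Segment slides. The PPP framing is a simplified stand-in
# (2-byte header, 2-byte trailer) chosen for the example, not a real PPP encoding.
import socket
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # Protocol field values from the slide
PPP_H = b"\xff\x03"   # constructed placeholder frame header
PPP_T = b"\x00\x00"   # constructed placeholder frame trailer (stands in for the FCS)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; the header checksum covers the header only.
    Recomputing it over a header that already contains its checksum yields 0 if intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_segment(src_port, dst_port, payload, seq=0, ack=0, flags=0x18):
    """Transport layer: application message goes in the data field of a TCP segment.
    Header length 5 words (20 bytes); flags 0x18 = PSH+ACK; checksum left as 0 here."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return header + payload

def build_ipv4_packet(src_ip, dst_ip, protocol, payload, ttl=64, identification=1):
    """Internet layer: segment goes in the data field of an IPv4 packet. Version 4, IHL 5,
    flags/fragment offset 0 (not fragmented), header checksum computed over the header."""
    total_length = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, identification, 0, ttl,
                         protocol, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload

def build_frame(packet: bytes) -> bytes:
    """Data link layer: packet goes between a frame header and a frame trailer."""
    return PPP_H + packet + PPP_T

def encapsulate(http_request: bytes, src_ip, dst_ip, src_port, dst_port) -> bytes:
    """Sending host: Application -> Transport -> Internet -> Data Link."""
    segment = build_tcp_segment(src_port, dst_port, http_request)
    packet = build_ipv4_packet(src_ip, dst_ip, 6, segment)   # 6 = TCP
    return build_frame(packet)

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the header fields drawn on the IP Packet slide."""
    (ver_ihl, qos, total_length, identification, flags_frag, ttl, protocol, _checksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = ver_ihl & 0x0F
    return {
        "version": ver_ihl >> 4, "header_length": ihl * 4, "qos": qos,
        "total_length": total_length, "identification": identification,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl,
        "protocol": PROTO_NAMES.get(protocol, str(protocol)),
        "checksum_ok": ipv4_checksum(packet[:ihl * 4]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }

def parse_tcp_header(segment: bytes) -> dict:
    src_port, dst_port, seq, ack, off_res, flags, window, _cksum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "header_length": (off_res >> 4) * 4, "flags": flags, "window": window}

def deencapsulate(frame: bytes) -> dict:
    """Receiving host: each layer strips its own header and passes the data field up."""
    packet = frame[len(PPP_H):-len(PPP_T)]                     # Data Link removes header/trailer
    ip = parse_ipv4_header(packet)
    segment = packet[ip["header_length"]:ip["total_length"]]   # Internet layer hands up its data field
    tcp = parse_tcp_header(segment)
    http_request = segment[tcp["header_length"]:]              # Transport hands up its data field
    return {"ip": ip, "tcp": tcp, "http_request": http_request}

if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n", "10.0.0.5", "10.0.0.80", 51000, 80)
    print(deencapsulate(frame))
```

The sample request, addresses and ports in the usage line are constructed for the example. Note that `deencapsulate` uses the Total Length field rather than the frame length to find the end of the packet, which is what lets a receiver ignore any padding the data link layer added.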
Questions
What is the main version of the Internet Protocol in use today? What is the other version?
What does a router do with an IP packet if it decrements its TTL value to zero?
Assume that a router received an IP packet with the Protocol field in the header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?
IP Fragmentation
[Figure: a router between Subnet 1 and Subnet 2]
When a packet arrives at a router, the router selects the port and subnet to forward the packet to
If the packet is too large for the subnet to handle, the router fragments the packet, i.e.:
Divides the packet’s data field into fragments
Gives each fragment the same Identification tag value, i.e. the Identification tag of the original packet
First fragment is given a Fragment Offset value of 0
Subsequent fragments get Fragment Offset values consistent with their data’s place in the original packet
Last fragment’s Flag is set to “No More Fragments”
Destination host reassembles fragments based on the offsets.
[Header fields involved: Identification (16 bits) | Flags | Fragment Offset (13 bits)]
Firewalls and Fragmented IP Packets
Fragmentation makes it hard for firewalls to filter individual packets
The TCP or UDP header appears only in the first fragment
A firewall might drop the first fragment, but not subsequent fragments
Some firewalls drop all fragmented packets
[Figure: the Attacker (1.34.150.37) sends a fragmented packet through a Router. 1. First Fragment: IP Header, TCP Header, TCP Data Field. 2. Second Fragment: IP Header, TCP Data Field, no TCP Header. 3. TCP Header only in First Fragment. 4. TCP Data Field. 5. The Firewall (60.168.47.47) can only filter the TCP Header in the First Fragment.]
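The two slides above describe the fragmentation rules (same Identification tag, offsets, the last fragment's flag) and the consequence for a port-filtering firewall. The following Python is an added example, not code from the slides: it models fragments as small records carrying just the header fields the slides name, splits a packet's data field the way the router does, reassembles it at the destination (rejecting gaps, mixed Identification tags and a missing last fragment), and shows a firewall rule that can only read the TCP destination port from the fragment with offset 0 next to the stricter "drop all fragments" policy. The TCP segment used as the data field is a constructed stand-in with only the destination port filled in.

```python
# Added example (not from the lecture slides): IP fragmentation as the slides describe it,
# reassembly at the destination, and why a port-filtering firewall can only inspect the
# first fragment. Fragments are modelled as records with the slide's header fields
# (Identification, MF flag, Fragment Offset) rather than as raw bytes.
from dataclasses import dataclass

@dataclass
class Fragment:
    identification: int     # same value for every fragment of one original packet
    more_fragments: bool    # MF flag: False on the last fragment ("No More Fragments")
    offset: int             # Fragment Offset in 8-byte units, as in the real header
    data: bytes

TCP_HEADER_LEN = 20

def fragment_packet(identification: int, data_field: bytes, mtu_data: int) -> list:
    """Router splitting a packet's data field so each fragment fits the next subnet.
    Every fragment but the last carries a multiple of 8 data bytes, because the
    offset field counts 8-byte blocks."""
    chunk = (mtu_data // 8) * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry an 8-byte block")
    fragments = []
    for start in range(0, len(data_field), chunk):
        piece = data_field[start:start + chunk]
        last = start + chunk >= len(data_field)
        fragments.append(Fragment(identification, not last, start // 8, piece))
    return fragments

def reassemble(fragments: list) -> bytes:
    """Destination host: order by offset, require one Identification tag, no gaps,
    and a final fragment whose MF flag is clear."""
    if len({f.identification for f in fragments}) != 1:
        raise ValueError("fragments from different packets mixed together")
    ordered = sorted(fragments, key=lambda f: f.offset)
    out = b""
    for f in ordered:
        if f.offset * 8 != len(out):
            raise ValueError("gap or overlap at offset %d" % f.offset)
        out += f.data
    if ordered[-1].more_fragments:
        raise ValueError("last fragment missing (MF still set)")
    return out

def firewall_decision(frag: Fragment, blocked_dst_ports: set) -> str:
    """Port-filtering firewall. Only the fragment with offset 0 holds the TCP header; later
    fragments carry a slice of TCP data with no port in it, so the rule cannot be applied.
    Returns 'drop', 'pass' or 'cannot-inspect'."""
    if frag.offset == 0 and len(frag.data) >= TCP_HEADER_LEN:
        dst_port = int.from_bytes(frag.data[2:4], "big")   # bytes 2-3 of the TCP header
        return "drop" if dst_port in blocked_dst_ports else "pass"
    return "cannot-inspect"

def strict_firewall_decision(frag: Fragment, blocked_dst_ports: set) -> str:
    """The alternative the slide mentions: drop every fragment of a fragmented packet,
    and apply the port rule only to whole, unfragmented packets."""
    if frag.more_fragments or frag.offset != 0:
        return "drop"
    return firewall_decision(frag, blocked_dst_ports)

def make_tcp_data_field(dst_port: int, payload: bytes) -> bytes:
    """Constructed stand-in for a TCP segment: a 20-byte header with only the
    destination port (bytes 2-3) filled in, followed by the payload."""
    return bytes(2) + dst_port.to_bytes(2, "big") + bytes(16) + payload

if __name__ == "__main__":
    segment = make_tcp_data_field(23, b"x" * 100)           # constructed Telnet-bound segment
    frags = fragment_packet(0x1234, segment, mtu_data=64)
    for f in frags:
        print(f.offset, f.more_fragments, firewall_decision(f, {23}), strict_firewall_decision(f, {23}))
    print(reassemble(frags) == segment)
```

In the usage run the 120-byte segment becomes two fragments; the first is dropped by the port rule, while the second can only be dropped by the strict policy, which is the trade-off the slide summarises as "some firewalls drop all fragmented packets".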
TCP Segment
TCP segment header (bit 0 to bit 31 per row):
Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Flag Fields: ACK, SYN, … (6 bits) | Window Size (16 bits)
TCP Checksum (16 bits) | Urgent Pointer (16 bits)
Data
Port number: identifies sending and receiving application programs.
Sequence number: Identifies the segment’s place in the sequence. Allows the receiving Transport layer to put arriving TCP segments in order.
Acknowledgement number: identifies which segment is being acknowledged
Flag fields: Six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Can be set to 0 (off) or 1 (on). e.g. SYN=1 means a request for connection/synchronization.
TCP and use of Flags
Flag Fields (6 bits): URG, ACK, PSH, RST, SYN, FIN
TCP is a connection-oriented protocol
Sender and receiver need to establish a connection
Sender and receiver need to agree to “talk”
Flags are used for establishing the connection
Sender requests connection opening: SYN flag set to 1
If the receiver is ready to “talk”, it responds with a SYN/ACK segment
Sender acknowledges the acknowledgment
If the sender does not get an ACK, it resends the segment
[Figure: 3-way Handshake between the PC’s Transport Process and the Webserver’s Transport Process: 1. SYN (Open); 2. SYN, ACK (1) (Acknowledgment of 1); 3. ACK (2)]
Note: With connectionless protocols like UDP, there are no flags. Messages are just sent. If part of the sent messages is not received, there is no retransmission.
Communication during a normal TCP Session
Q1: How many segments are sent in a normal TCP communication opening? ____
Q2: How many segments are sent in a normal TCP communication closing? ____
Note: At any time, either process can send a TCP RST (reset) segment with the RST bit set to 1 to drop the connection (i.e. to abruptly end the connection).
SYN/ACK Probing Attack
[Figure: 1. The Attacker (1.34.150.37) probes 60.168.47.47 with a SYN/ACK segment. 2. Victim (60.168.47.47): "No SYN (Open): makes no sense!" 3. The victim answers "Go away!" with an RST segment. 4. The RST carries Source IP Address = 60.168.47.47. 5. The attacker concludes: 60.168.47.47 is live!]
Sending SYN/ACK segments helps attackers locate “live” targets
Older Windows OS could crash when they receive a SYN/ACK probe
TCP and use of Port numbers
[Header fields: Source Port Number (16 bits) | Destination Port Number (16 bits)]
Port numbers identify applications
Well-known ports (0-1023): used by major server applications running at root authority.
HTTP web service=80, Telnet=23, FTP=21, SMTP email=25
Registered ports (1024-49151): Used by client and server applications.
Ephemeral/dynamic/private ports (49152-65535): Not permanently assigned by ICANN.
Socket notation: IP address:Port #
[Figure: a server computer made of computer hardware (Processor, RAM chip, HD), the Operating System, and Web server applications www:80, FTP:21, SMTP:25]
Questions
A host sends a TCP segment with source port number 25 and destination port number 49562.
1) Is the source host a server or a client? Why?
2) If the host is a server, what kind of service does it provide?
3) Is the destination host a server or a client? Why?
TCP and Port spoofing
Attackers set their application to use a well-known port despite not being the service associated with the port
Most companies set their firewall to accept packets to and from port 80
Attackers set their client program to use well-known port 80
Questions
1. What is IP Fragmentation? Does IP fragmentation make it easier for a firewall to filter incoming packets? Why?
2. What is a SYN/ACK probing attack?
3. What kind of port numbers do major server applications, such as email service, use?
4. What kind of port numbers do client applications usually use?
5. What is socket notation?
6. What is port spoofing?
7. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked?
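The TCP slides above (flag field, 3-way handshake, SYN/ACK probing, port ranges) can be tied together from the defender's side. The following Python is an added example, not code from the slides: it decodes the 6-bit flag field, follows each connection through SYN, SYN/ACK and ACK, classifies ports by the ranges given on the port-number slide, and applies one detection rule to a constructed packet log: a SYN/ACK whose destination never sent a SYN to its source is unsolicited, which is exactly the probe drawn on the SYN/ACK Probing Attack slide. The log lines are constructed for the example (the probe line reuses the attacker and victim addresses from that slide); the port-role heuristic is only a hint, as the port spoofing slide explains.

```python
# Added example (not from the lecture slides): decoding the 6-bit TCP flag field from the
# TCP Segment slide, tracking the 3-way handshake per connection, classifying ports by the
# ranges on the port-number slide, and a defender-side check that reports unsolicited
# SYN/ACK segments (the SYN/ACK Probing Attack slide) in a constructed packet log.

# Bit positions of the six flags, high bit to low: URG ACK PSH RST SYN FIN
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def decode_flags(flag_field: int) -> set:
    """Names of the flags set in the 6-bit field, e.g. 0x12 -> {'SYN', 'ACK'}."""
    return {name for name, bit in FLAG_BITS.items() if flag_field & bit}

def encode_flags(names) -> int:
    """Inverse of decode_flags: {'RST'} -> 0x04."""
    return sum(FLAG_BITS[name] for name in names)

def port_class(port: int) -> str:
    """Ranges from the slide: well-known 0-1023, registered 1024-49151, ephemeral 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"

def likely_role(port: int) -> str:
    """Reasoning behind the slide's port question: a well-known port suggests a server,
    any other port suggests a client. Port spoofing shows why this is only a hint."""
    return "server" if port_class(port) == "well-known" else "client"

# Constructed packet log (not a real capture): (src_ip, src_port, dst_ip, dst_port, flags).
# The last two lines reproduce the probe exchange drawn on the SYN/ACK Probing Attack slide.
SAMPLE_LOG = [
    ("10.0.0.5", 51000, "10.0.0.80", 80, "SYN"),
    ("10.0.0.80", 80, "10.0.0.5", 51000, "SYN,ACK"),
    ("10.0.0.5", 51000, "10.0.0.80", 80, "ACK"),
    ("1.34.150.37", 40000, "60.168.47.47", 80, "SYN,ACK"),
    ("60.168.47.47", 80, "1.34.150.37", 40000, "RST"),
]

def connection_states(log) -> dict:
    """Record how far each client->server 4-tuple got through the handshake:
    'syn-sent' after 1. SYN, 'syn-received' after 2. SYN/ACK, 'established' after 3. ACK."""
    states = {}
    for src, sport, dst, dport, flags in log:
        f = set(flags.split(","))
        forward, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if f == {"SYN"}:
            states[forward] = "syn-sent"
        elif f == {"SYN", "ACK"} and states.get(reverse) == "syn-sent":
            states[reverse] = "syn-received"
        elif "ACK" in f and states.get(forward) == "syn-received":
            states[forward] = "established"
        elif "RST" in f:
            states.pop(reverse, None)      # either side can abort the connection
    return states

def unsolicited_synacks(log) -> list:
    """Detection rule: a SYN/ACK is legitimate only if its destination earlier sent a SYN
    to its source on the reversed 4-tuple. Anything else is reported as a probe; the host's
    RST reply is what tells the prober the address is live, so the SYN/ACK itself is the signal."""
    open_syns = set()
    findings = []
    for src, sport, dst, dport, flags in log:
        f = set(flags.split(","))
        if f == {"SYN"}:
            open_syns.add((src, sport, dst, dport))
        elif f == {"SYN", "ACK"} and (dst, dport, src, sport) not in open_syns:
            findings.append({"prober": src, "target": dst, "target_port": dport})
    return findings

if __name__ == "__main__":
    print(decode_flags(0x12), hex(encode_flags({"SYN", "ACK"})))
    print(port_class(25), likely_role(25), port_class(49562), likely_role(49562))
    print(connection_states(SAMPLE_LOG))
    print(unsolicited_synacks(SAMPLE_LOG))
```

Against the constructed log the handshake between 10.0.0.5 and 10.0.0.80 ends in the established state, while the SYN/ACK from 1.34.150.37 is reported because no matching SYN preceded it. A real sensor would also have to age out the `open_syns` set, which this short example does not do.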
IP Routing
[Figure: Router A has Interface 1 toward Router B and Interface 2 toward Router C. Router C leads to Network 60.x.x.x, which contains the hosts 60.3.45.129 and 60.3.47.129. A packet to 60.3.47.129 arrives at Router A.]
Routing Table for Router A
Route | IP Address Range | Metric | Next-Hop Router | Matches packet to 60.3.47.129?
1     | 60.3.x.x         | 9      | B               | yes
2     | 128.171.x.x      | 2      | B               | no
3     | 60.3.47.x        | 8      | C               | yes
4     | 10.5.3.x         | 6      | B               | no
5     | 128.171.17.x     | 2      | Local           | no
6     | 10.4.3.x         | 2      | C               | no
Because of multiple alternative routes in router meshes, routers may have several rows that match an IP address.
Routers must find ALL matches and then select the BEST ONE.
This is slow and therefore expensive compared to switching.
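The lookup procedure the slide describes (find all matching rows, then pick the best one) can be run against the Routing Table for Router A. The following Python is an added example, not code from the slides: it converts the slide's "x" wildcard notation into CIDR prefixes, collects every matching row, and selects the best match by the usual rule of longest (most specific) prefix, with the lowest metric as the tie-breaker. The slide itself does not state the selection rule; longest-prefix match is the assumption made here, and under it the packet to 60.3.47.129 matches rows 1 and 3 and goes to Router C.

```python
# Added example (not from the lecture slides): the route lookup described on the IP Routing
# slide, run against its Routing Table for Router A. All rows whose range contains the
# destination are found first; the best one is the longest (most specific) prefix, with the
# lowest metric breaking ties. Longest-prefix selection is an assumption, not stated on the slide.
import ipaddress

def slide_range_to_network(pattern: str) -> ipaddress.IPv4Network:
    """'60.3.x.x' -> 60.3.0.0/16, '60.3.47.x' -> 60.3.47.0/24 (each trailing 'x' is a wildcard)."""
    octets = pattern.split(".")
    fixed = [o for o in octets if o != "x"]
    if len(octets) != 4 or octets[len(fixed):] != ["x"] * (4 - len(fixed)):
        raise ValueError("wildcards must be trailing octets: %s" % pattern)
    addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.IPv4Network("%s/%d" % (addr, 8 * len(fixed)))

# Routing Table for Router A, as on the slide: (route, IP address range, metric, next-hop router)
ROUTER_A = [
    (1, "60.3.x.x", 9, "B"),
    (2, "128.171.x.x", 2, "B"),
    (3, "60.3.47.x", 8, "C"),
    (4, "10.5.3.x", 6, "B"),
    (5, "128.171.17.x", 2, "Local"),
    (6, "10.4.3.x", 2, "C"),
]

def matching_rows(table, destination: str) -> list:
    """Step 1 from the slide: every row whose range contains the destination address."""
    dst = ipaddress.IPv4Address(destination)
    return [row for row in table if dst in slide_range_to_network(row[1])]

def best_route(table, destination: str):
    """Step 2: among the matches, prefer the longest prefix, then the lowest metric."""
    matches = matching_rows(table, destination)
    if not matches:
        return None
    return max(matches, key=lambda row: (slide_range_to_network(row[1]).prefixlen, -row[2]))

def next_hop(table, destination: str) -> str:
    """Where Router A forwards the packet; a packet with no matching row is dropped."""
    row = best_route(table, destination)
    return row[3] if row else "no route (drop)"

if __name__ == "__main__":
    for dst in ("60.3.47.129", "60.3.45.129", "128.171.17.5", "192.0.2.1"):
        rows = [r[0] for r in matching_rows(ROUTER_A, dst)]
        print(dst, "matches rows", rows, "->", next_hop(ROUTER_A, dst))
```

The usage loop shows the slide's point about cost: each destination requires scanning the whole table for matches before a choice can be made, whereas a switch needs a single exact lookup.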
Vertical Communication on Routers
[Figure A: Router 1 has an Internet Layer Process above four ports (Port 1 to Port 4), each with its own Data Link (DL) and Physical (PHY) process. A frame arrives on Port 1 and the packet is decapsulated.]
Notes:
A. Router R1 receives the frame in Port 1.
Port 1 Data Link decapsulates the IP packet.
Port 1 Data Link passes the packet to the Internet Layer.
Vertical Communication on Routers
[Figure B: the same Router 1; the Internet Layer Process hands the packet to Port 4, where it is encapsulated in a frame and sent toward Router 2.]
B. The Internet layer sends the packet out on Port 4.
The Data Link process on Port 4 encapsulates the packet in a DL frame.
The Data Link process passes the frame to the Port 4 PHY.
Summary Questions
How many layers are there in a router? A: 3
Can a router be a software program? A: Yes
Suppose that Computer 1 sends a message to Computer 2. Assume that there are two routers (R1 and R2) along the route that leads to Computer 2. Assume that a frame from the message is received by R2 in Port 2. Which of the following will happen next?
a) The Data Link layer process in Port 1 will de-encapsulate the IP packet from the frame
b) The Physical layer will pass the frame to the Data Link layer process in Port 2
c) The Data Link layer process in Port 2 will de-encapsulate the IP packet from the frame
d) None of the above
IP Address Spoofing
IP address spoofing is sending a message with a false IP address with the intent to mislead the receiving device and gain access
[Figure: 1. A Trust Relationship exists between the Trusted Server (60.168.4.6) and the Victim Server (60.168.47.47). 2. The Attacker’s Client PC (1.34.150.37) sends a message "From: 60.168.4.6, To: 60.168.47.47"; the spoofed source IP address 60.168.4.6 is used.]
Reasons for IP spoofing:
Anonymity
Exploiting trust relationship