Chapter 6 Network Security
CHAPTER 6
Security in Networks
Objectives
Differentiate the security needs of a network from those of a single, stand-alone application and environment.
Identify threats against network applications, including denial of service, web site defacement, malicious code and protocol attacks.
Explain the various controls against network attacks, such as physical security, policies and procedures, and a range of technical controls.
Explain the design, capabilities and limitations of firewalls.
Define and describe intrusion detection systems and secure e-mail.
(c) by Syed Ardi Syed Yahya
The Network Concepts
When studying this chapter, students should know:
The types of networks (LAN, MAN, etc.)
The size and shape
Media (cable, wireless, optical cable, etc.)
Protocols (OSI layers, TCP/IP, etc.)
Topologies (star, ring, etc.)
Advantages of computer networks (resource sharing, distributing the workload, etc.)
Threats in Networks
What makes a network vulnerable?
Cause and explanation:
Anonymity: an attacker can mount an attack from thousands of miles away and stay safe behind an electronic shield.
Many points of attack, both targets and origins: a file stored on a network host can be accessed remotely by any user. An administrator can enforce many policies, but once a file is being transferred across the network, those policies mean nothing.
Sharing: because networks enable resource and workload sharing, more users have the potential to access networked systems.
Complexity of system: an operating system is a complicated piece of software, and it is not designed specifically for security.
Unknown perimeter: a network has no clear boundary. Resources on one network are accessible to other networks as well.
Unknown path: many paths can be used to reach another host or computer.
Threats in Networks (cont)
We cannot list who attacks networks, but we do know the motives for attacking.
Motive and explanation:
Challenge: for someone skilled in writing or using programs, the single most significant motivation for a network attacker is the intellectual challenge: "Can I defeat the network?"
Fame: other attackers seek recognition for their activities and enjoy the personal thrill of seeing their attacks written up in the news media.
Money and espionage: seeking information on a company's products, clients, etc. for financial reward.
Ideology:
Hacktivism: operations that use hacking techniques against a target's network with the intent of disrupting normal operations but not causing serious damage.
Cyberterrorism: politically motivated hacking operations intended to cause grave harm, such as loss of life or severe economic damage.
Threats in Networks (cont)
Threat precursors:
Port scan: a program that gives information about three things:
Which standard ports or services are running and responding?
What operating system is installed?
What applications and versions of applications are present?
Examples: nmap scanner, netcat, Nessus, CyberCop Scanner.
Social engineering: involves using social skills and personal interaction to get someone to reveal security-relevant information and perhaps even do something that permits an attack.
"Hello, this is John Davis from IT support. We need to test some connections on the internal network. Could you please run the command ipconfig /all on your workstation and read to me the addresses it displays?" The request sounds innocuous. But unless you know John Davis and his job responsibilities well, the caller could be an attacker gathering information on the inside architecture.
Threats in Networks (cont)
Threat precursors (cont):
Reconnaissance: gathering discrete bits of information from various sources and then putting them together like the pieces of a puzzle.
Eavesdropping: follow employees to lunch and listen in from nearby tables as coworkers discuss security matters.
Bulletin boards and chats: numerous underground bulletin boards and chat rooms support the exchange of information. Attackers can post their latest exploits and techniques and read what others have done.
Threats in Networks (cont)
Threat precursors (cont):
Availability of documentation: vendors themselves sometimes distribute information that is useful to an attacker. Microsoft produces a resource kit with which application vendors can investigate a Microsoft product in order to develop compatible, complementary applications.
Operating system and application fingerprinting: a service's responses can reveal the manufacturer and version. An attacker might use a Telnet application to send meaningless messages to another application. Ports such as 80 (HTTP), 25 (SMTP), 110 (POP), and 21 (FTP) may respond with something like
Microsoft ESMTP MAIL Service, Version: 5.0.2195.3779
This reply tells the attacker which application and version are running.
Threats in Networks (cont)
Threats in transit:
Eavesdropping: implies overhearing without expending any extra effort, for example an attacker monitoring all traffic passing through a node.
Wiretapping: intercepting communications through some effort. It works differently depending on the communication medium used.
Passive wiretapping is just "listening," much like eavesdropping.
Active wiretapping means injecting something into the communication: someone could replace your communications with his own or create communications purporting to be from you.
Threats in Networks (cont)
Impersonation: impersonating another person or process. In an impersonation, an attacker has several choices:
Guess the identity and authentication details of the target.
Pick up the identity and authentication details through eavesdropping or wiretapping.
Use a target that will not be authenticated.
Use a target whose authentication data are known.
Spoofing
Guessing or otherwise obtaining the network authentication credentials of an entity. Examples of spoofing are:
masquerading
session hijacking
man-in-the-middle attacks
Masquerade
One host pretends to be another. A variation of this attack is called phishing:
Send an e-mail message, perhaps with the real logo of Blue Bank, and an enticement to click on a link, supposedly to take the victim to the Blue Bank web site.
The enticement might be that the victim's account has been suspended (and the account number and PIN are needed to reactivate it), or some other legitimate-sounding explanation.
The link might be to the attacker's own domain Blue-Bank.com; the link might say "click here to access your account" (where the "click here" link connects to the fraudulent site); or some other trick with the URL fools the victim, like www.redirect.com/bluebank.com.
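As an added illustration of the URL tricks listed above (not part of the original lecture), the following Python function judges where a link really leads, the way a mail filter would. The bank domain bluebank.com, the sample links and their display texts are constructed for this example.

```python
from urllib.parse import urlparse

# Assumption for this example: the bank's genuine registrable domain.
LEGITIMATE_DOMAIN = "bluebank.com"


def real_host(link: str) -> str:
    """Hostname a browser would actually contact for this link (lower-cased)."""
    if "://" not in link:
        link = "http://" + link          # bare links such as www.redirect.com/...
    return (urlparse(link).hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(display_text: str, href: str, domain: str = LEGITIMATE_DOMAIN):
    """Return (suspicious, reasons) for one link in a message."""
    host = real_host(href)
    brand = domain.split(".")[0]          # "bluebank"
    reasons = []
    if not belongs_to(host, domain):
        reasons.append(f"link goes to {host}, not {domain}")
        # The brand name placed anywhere except the real domain is a decoy: in the
        # path (www.redirect.com/bluebank.com), as a lookalike (blue-bank.com), or
        # as a subdomain of a foreign host (bluebank.com.example).
        if brand in href.lower().replace("-", "").replace("_", ""):
            reasons.append("brand name used as a decoy in the URL")
    shown = display_text.strip().lower()
    if "." in shown and " " not in shown:     # the visible text looks like an address
        shown_host = real_host(shown)
        if shown_host and shown_host != host:
            reasons.append(f"displayed address {shown_host} differs from target {host}")
    return bool(reasons), reasons


# Constructed sample links from a hypothetical "account suspended" message.
SAMPLE_LINKS = [
    ("www.bluebank.com", "https://www.bluebank.com/login"),
    ("click here", "http://www.redirect.com/bluebank.com"),
    ("Blue Bank", "http://blue-bank.com/activate"),
    ("https://www.bluebank.com", "http://bluebank.com.evil.example/"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        suspicious, why = check_link(text, href)
        print(f"{'SUSPICIOUS' if suspicious else 'ok        '} {text!r} -> {href}  {why}")
```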
Session Hijacking
Intercepting and carrying on a session begun by another entity. Suppose two entities have entered into a session but then a third entity intercepts the traffic and carries on the session in the name of one of the others. The attacker steals a valid session ID, which is used to get into the system and snoop the data.
Tools: Juggernaut, Hunt, IP Watcher
Man-in-the-Middle Attack
One entity intrudes between two others. The difference between a man-in-the-middle attack and hijacking is that a man-in-the-middle usually participates from the start of the session, whereas session hijacking occurs after a session has been established.
Tools: PacketCreator, Ettercap, Dsniff, Cain & Abel
Message Confidentiality Threats
An attacker can easily violate message confidentiality (and perhaps integrity) because of the public nature of networks. Eavesdropping and impersonation attacks can lead to a confidentiality or integrity failure. Several other vulnerabilities can affect confidentiality:
Misdelivery
Exposure
Traffic flow analysis
Message Integrity Threats
The integrity or correctness of a communication is at least as important as its confidentiality. Threats based on failures of integrity in communication:
Falsification of messages: an attacker can take advantage of our trust in messages to mislead us, by changing some or all of the content of a message, or by replacing a message entirely, including the date, time, and sender/receiver identification.
Noise: signals sent over communications media are subject to interference from other traffic on the same media, as well as from natural sources. Fortunately, communications protocols have been intentionally designed to overcome the negative effects of noise.
Web Site Vulnerabilities
A web site is especially vulnerable because it is almost completely exposed to the user. One of the most widely known attacks is the web site defacement attack.
Web site defacement attack; related vulnerabilities:
Buffer overflows
Dot-dot-slash
Application code errors
Server-side include
Denial of Service
There are many accidental and malicious threats to availability or continued service:
Transmission failure
Connection flooding (echo-chargen, ping of death, smurf, SYN flood)
Traffic redirection
DNS attacks
Distributed denial of service
Figure: Smurf attack.
Figure: Distributed denial of service.
Threats in Active or Mobile Code
Active code or mobile code is a general name for code that is pushed to the client for execution. Related potential vulnerabilities:
Cookies
Scripts
Active code: Java code, ActiveX controls
Network Security Controls
Design and Implementation
Architecture
Segmentation: segmentation reduces the number of threats, and it limits the amount of damage a single vulnerability can allow. For example, a system that sells goods online can be separated into:
a web server, to handle users' HTTP sessions
application code, to present your goods and services for purchase
a database of goods, and perhaps an accompanying inventory of the count of stock on hand and being requested from suppliers
a database of orders taken
Figure: Segmented architecture.
Redundancy: allowing a function to be performed on more than one node. In failover mode the servers communicate with each other periodically, each determining whether the other is still active.
Single points of failure: the architecture should at least make sure that the system tolerates failure in an acceptable way.
Encryption
Encryption is powerful for providing privacy, authenticity, integrity, and limited access to data. Encryption in network applications is applied either between two hosts (link encryption) or between two applications (end-to-end encryption).
Link encryption: data are encrypted just before the system places them on the physical communications link. Encryption occurs at layer 1 or 2 in the OSI model; decryption occurs just as the communication arrives at and enters the receiving computer. Encryption protects the message in transit between two computers, but the message is in plaintext inside the hosts, so the exposure occurs on the sender's or receiver's host or workstation, which is protected by alarms or locked doors.
Link encryption is especially appropriate when the transmission line is the point of greatest vulnerability. If all hosts on a network are reasonably secure but the communications medium is shared with other users or is not secure, link encryption is an easy control to use.
Link Encryption
Figure: Message under link encryption.
End-to-End Encryption
End-to-end encryption provides security from one end of a transmission to the other. The encryption can be applied by a hardware device between the user and the host, or it can be done by software running on the host computer. Encryption is performed at the highest levels (layer 7, application, or perhaps layer 6, presentation) of the OSI model.
Figure: End-to-end encryption.
Comparison of Link and End-to-End Encryption.
Security within hosts:
Link encryption: data exposed in sending host. End-to-end encryption: data encrypted in sending host.
Link encryption: data exposed in intermediate nodes. End-to-end encryption: data encrypted in intermediate nodes.
Role of user:
Link encryption: applied by sending host. End-to-end encryption: applied by sending process.
Link encryption: invisible to user. End-to-end encryption: user applies encryption.
Link encryption: host maintains encryption. End-to-end encryption: user must find algorithm.
Link encryption: one facility for all users. End-to-end encryption: user selects encryption.
Link encryption: typically done in hardware. End-to-end encryption: either software or hardware implementation.
Link encryption: all or no data encrypted. End-to-end encryption: user chooses to encrypt or not, for each data item.
Implementation concerns:
Link encryption: requires one key per host pair. End-to-end encryption: requires one key per user pair.
Link encryption: provides node authentication. End-to-end encryption: provides user authentication.
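An added simulation (not from the lecture) of the "security within hosts" rows of the comparison: the same message crosses two intermediate nodes under link encryption and under end-to-end encryption, and we record which nodes ever hold the plaintext. The node names, the fixed nonce and the HMAC-based toy stream cipher are assumptions of this example; a real deployment would use a vetted cipher such as AES-GCM.

```python
import hashlib
import hmac
import os


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by an HMAC-SHA256 counter keystream, a stand-in
    for a real cipher. Encrypting and decrypting are the same operation. Demo only:
    no integrity protection, and a (key, nonce) pair must never be reused."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


# Constructed path: sending host, two intermediate nodes, receiving host.
PATH = ["sender", "router-1", "router-2", "receiver"]
NONCE = b"demo-nonce-0"


def link_encryption(message: bytes, path=PATH):
    """One key per adjacent host pair. Each node decrypts the inbound link and
    re-encrypts for the outbound link, so every node holds the plaintext for a
    moment. Returns {node: bytes visible at that node}."""
    link_keys = {(a, b): os.urandom(32) for a, b in zip(path, path[1:])}
    seen = {path[0]: message}
    wire = toy_stream_cipher(link_keys[(path[0], path[1])], NONCE, message)
    for prev, node, nxt in zip(path, path[1:], path[2:] + [None]):
        plain = toy_stream_cipher(link_keys[(prev, node)], NONCE, wire)  # decrypt inbound link
        seen[node] = plain
        if nxt is not None:
            wire = toy_stream_cipher(link_keys[(node, nxt)], NONCE, plain)  # re-encrypt outbound
    return seen


def end_to_end_encryption(message: bytes, path=PATH):
    """One key per user pair. Only the two endpoints can decrypt; intermediate
    nodes forward ciphertext they cannot read."""
    session_key = os.urandom(32)
    wire = toy_stream_cipher(session_key, NONCE, message)
    seen = {path[0]: message}
    for node in path[1:-1]:
        seen[node] = wire                    # routers see only ciphertext
    seen[path[-1]] = toy_stream_cipher(session_key, NONCE, wire)
    return seen


def nodes_exposing_plaintext(seen: dict, message: bytes):
    """Nodes at which the message was present in the clear."""
    return [node for node, data in seen.items() if data == message]


if __name__ == "__main__":
    msg = b"transfer 500 to account 42"
    print("link       :", nodes_exposing_plaintext(link_encryption(msg), msg))
    print("end-to-end :", nodes_exposing_plaintext(end_to_end_encryption(msg), msg))
```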
Virtual Private Networks
Link encryption can be used to give a network's users the sense that they are on a private network, even when it is part of a public network: the communication passes through an encrypted tunnel (or simply a tunnel).
PKI and Certificates
A public key infrastructure, or PKI, is a process created to enable users to implement public key cryptography, usually in a large (and frequently distributed) setting. PKI offers each user a set of services related to identification and access control, as follows:
Create certificates associating a user's identity with a (public) cryptographic key
Give out certificates from its database
Sign certificates, adding its credibility to the authenticity of the certificate
Confirm (or deny) that a certificate is valid
Invalidate certificates for users who are no longer allowed access or whose private key has been exposed
PKI sets up entities, called certificate authorities, that implement the PKI policy on certificates. The specific actions of a certificate authority include the following:
managing public key certificates for their whole life cycle
issuing certificates by binding a user's or system's identity to a public key with a digital signature
scheduling expiration dates for certificates
ensuring that certificates are revoked when necessary by publishing certificate revocation lists
SSH Encryption
SSH (secure shell) is a pair of protocols (versions 1 and 2), originally defined for Unix but also available under Windows 2000, that provides an authenticated and encrypted path to the shell or operating system command interpreter. The SSH protocol involves negotiation between local and remote sites for the encryption algorithm (for example, DES, IDEA, AES) and authentication (including public key and Kerberos).
SSL Encryption
The SSL (Secure Sockets Layer) protocol was originally designed by Netscape to protect communication between a web browser and server. SSL interfaces between applications (such as browsers) and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server. To use SSL, the client requests an SSL session. The server responds with its public key certificate so that the client can determine the authenticity of the server.
IPSec
IPSec is implemented at the IP layer. IPSec is somewhat similar to SSL, in that it supports authentication and confidentiality without requiring changes either above it (in applications) or below it (in the TCP protocols). It was designed to be independent of specific cryptographic protocols and to allow the two communicating parties to agree on a mutually supported set of protocols.
Figure: Packets: (a) conventional packet; (b) IPSec packet.
Signed Code
A trustworthy third party appends a digital signature to a piece of code, supposedly connoting more trustworthy code. A signature structure in a PKI helps to validate the signature.
Encrypted E-mail
To protect the privacy of the message and its routing information, we can use encryption to protect the confidentiality of the message and perhaps its integrity.
Strong Authentication
One-Time Password
Challenge-Response Systems
Digital Distributed Authentication
Kerberos
Access Controls
Authentication deals with the who of security policy enforcement; access controls enforce the what and how:
ACLs on routers
Firewalls
Honeypots
Summary of Network Vulnerabilities
Target and vulnerabilities:
Precursors to attack
•Port scan
•Social engineering
•Reconnaissance
•OS and application fingerprinting
Authentication failures
•Impersonation
•Guessing
•Eavesdropping
•Spoofing
•Session hijacking
•Man-in-the-middle attack
Programming flaws
•Buffer overflow
•Addressing errors
•Parameter modification, time-of-check to time-of-use errors
•Server-side include
•Cookie
•Malicious active code: Java, ActiveX
•Malicious code: virus, worm, Trojan horse
•Malicious typed code
Summary of Network Vulnerabilities (cont)
Target and vulnerabilities:
Confidentiality
•Protocol flaw
•Eavesdropping
•Passive wiretap
•Misdelivery
•Exposure within the network
•Traffic flow analysis
•Cookie
Integrity
•Protocol flaw
•Active wiretap
•Impersonation
•Falsification of message
•Noise
•Web site defacement
•DNS attack
Availability
•Protocol flaw
•Transmission or component failure
•Connection flooding, e.g., echo-chargen, ping of death, smurf, SYN flood
•DNS attack
•Traffic redirection
•Distributed denial of service
Firewalls
A firewall is a device that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network. The purpose of a firewall is to keep "bad" things outside a protected environment. To accomplish that, firewalls implement a security policy.
Firewalls (cont)
The design of a firewall should maintain the qualities below:
Always invoked.
Tamperproof.
Small and simple enough for rigorous analysis.
Firewalls (cont)
The types of firewalls depend on their capabilities. The types are:
Packet filtering gateways or screening routers.
Stateful inspection firewalls: maintain state information from one packet to another in the input stream.
Application proxies: most effective; control packets from source to destination. They simulate the (proper) effects of an application so that the application will receive only requests to act properly.
Firewalls (cont)
Types of firewalls (cont):
Guards: a sophisticated firewall that decides what services to perform on the user's behalf in accordance with its available knowledge.
Personal firewall: an application program that runs on a workstation to block unwanted traffic, usually from the network.
Comparison of Firewall Types
Packet filtering: simplest. Sees only addresses and service protocol type. Auditing difficult. Screens based on connection rules. Complex addressing rules can make configuration tricky.
Stateful inspection: more complex. Can see either addresses or data. Auditing possible. Screens based on information across packets, in either header or data field. Usually preconfigured to detect certain attack signatures.
Application proxy: even more complex. Sees full data portion of packet. Can audit activity. Screens based on behavior of proxies. Simple proxies can substitute for complex addressing rules.
Guard: most complex. Sees full text of communication. Can audit activity. Screens based on interpretation of message content. Complex guard functionality can limit assurance.
Personal firewall: similar to packet filtering firewall. Can see full data portion of packet. Can and usually does audit activity. Typically screens based on information in a single packet, using header or data. Usually starts in "deny all inbound" mode, to which the user adds trusted addresses as they appear.
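Added example, not part of the lecture: a packet-filter rule set that judges each packet alone ("sees only addresses and service protocol type") beside a stateful filter that keeps a connection table ("screens based on information across packets"), both run over constructed traffic. The 10.0.0.0/8 inside network, the addresses and the rules are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool          # True for a segment that opens a new connection


# Assumption for this example: the protected ("inside") network is 10.0.0.0/8.
def inside(ip: str) -> bool:
    return ip.startswith("10.")


# Packet-filter rules: (action, src_inside, dst_inside, dport, sport); None = any.
# Rule 2 is the compromise a stateless filter needs so that replies to outbound web
# sessions get back in: judging each packet alone, it can only trust the source port.
STATELESS_RULES = [
    ("allow", True, False, 80, None),    # inside -> any web server
    ("allow", False, True, None, 80),    # anything that claims to come from port 80
]


def stateless_decision(pkt: Packet, rules=STATELESS_RULES) -> str:
    """Sees only addresses and ports, one packet at a time; default deny."""
    for action, src_in, dst_in, dport, sport in rules:
        if (inside(pkt.src) == src_in and inside(pkt.dst) == dst_in
                and dport in (None, pkt.dport) and sport in (None, pkt.sport)):
            return action
    return "deny"


class StatefulFirewall:
    """An inbound packet is accepted only if it answers a connection the inside
    already opened; everything else inbound is denied ("deny all inbound")."""
    def __init__(self):
        self.connections = set()       # (inside_ip, inside_port, outside_ip, outside_port)

    def decision(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if inside(pkt.src) and not inside(pkt.dst):
            if pkt.syn and pkt.dport == 80:            # new outbound web session: record it
                self.connections.add(key)
                return "allow"
            return "allow" if key in self.connections else "deny"
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reply_of in self.connections else "deny"


def compare(packets):
    """(stateless, stateful) verdict for each packet, in arrival order."""
    fw = StatefulFirewall()
    return [(stateless_decision(p), fw.decision(p)) for p in packets]


# Constructed traffic, in arrival order.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.7", 80, syn=True),    # client opens a web session
    Packet("203.0.113.7", 80, "10.0.0.5", 40000, syn=False),   # the server's reply
    Packet("198.51.100.9", 80, "10.0.0.5", 445, syn=True),     # unsolicited probe using source port 80
    Packet("203.0.113.7", 80, "10.0.0.5", 40001, syn=False),   # "reply" to a session never opened
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={stateless} stateful={stateful}")
```

The third and fourth packets show the difference: the stateless rules let them in because of the source port alone, while the stateful filter has no matching connection and drops them.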
Intrusion Detection Systems
An intrusion detection system (IDS) is a device, typically another separate computer, that monitors activity to identify malicious or suspicious events. IDSs perform a variety of functions:
monitoring users and system activity
auditing system configuration for vulnerabilities and misconfigurations
assessing the integrity of critical system and data files
recognizing known attack patterns in system activity
identifying abnormal activity through statistical analysis
managing audit trails and highlighting user violations of policy or normal activity
correcting system configuration errors
installing and operating traps to record information about intruders
Types of IDSs
Signature-based intrusion detection systems perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type.
Heuristic intrusion detection systems are also known as anomaly-based systems.
Intrusion detection devices can be network-based or host-based: a network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network; a host-based IDS runs on a single workstation, client or host, to protect that one host.
Stealth Mode
Most IDSs run in stealth mode, whereby an IDS has two network interfaces: one for the network (or network segment) being monitored and the other to generate alerts and perhaps serve other administrative needs.
Goals for Intrusion Detection Systems
An IDS could use some or all of the following design approaches:
Filter on packet headers
Filter on packet content
Maintain connection state
Use complex, multipacket signatures
Use a minimal number of signatures with maximum effect
Filter in real time, online
Hide its presence
Use an optimal sliding time window size to match signatures
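Added example (not the lecture's own material) combining three of the goals above: a multipacket port-scan signature matched over a sliding time window, and a statistical (heuristic) check against a baseline of normal activity. The connection log, the baseline counts and the thresholds are constructed for this example.

```python
import statistics
from collections import defaultdict, deque

# Constructed connection log: (seconds into the capture, source IP, destination port).
EVENTS = sorted(
    [(0.0, "10.0.0.7", 443), (5.0, "10.0.0.8", 80), (12.0, "10.0.0.9", 25), (30.0, "10.0.0.7", 443)]
    + [(10.0 + 0.2 * i, "198.51.100.4", p)                      # fast scan: 8 ports in 1.4 s
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    + [(20.0 + 7.0 * i, "203.0.113.9", p)                       # slow scan: 5 ports over 28 s
       for i, p in enumerate([21, 22, 23, 25, 80])]
)


def signature_alerts(events, window, min_ports=5):
    """Multipacket signature: one source touching >= min_ports distinct destination
    ports within `window` seconds. A sliding window per source keeps only the
    packets still inside the window, so the window size decides whether a slow
    scan is seen as one event or as unrelated single packets."""
    recent = defaultdict(deque)
    alerted = []
    for t, src, port in events:
        q = recent[src]
        q.append((t, port))
        while t - q[0][0] > window:                # drop packets that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= min_ports and src not in alerted:
            alerted.append(src)
    return alerted


# Constructed baseline: connections per source in earlier, known-good one-minute intervals.
BASELINE_PER_MINUTE = [3, 4, 5, 4, 3, 5, 4, 4]


def anomaly_alerts(events, baseline=BASELINE_PER_MINUTE, k=3.0):
    """Statistical (heuristic) detection: flag a source whose connection count in
    this capture exceeds the baseline mean by more than k standard deviations."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = defaultdict(int)
    for _, src, _ in events:
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("signature, 10 s window:", signature_alerts(EVENTS, window=10))
    print("signature, 60 s window:", signature_alerts(EVENTS, window=60))
    print("anomaly (baseline):    ", anomaly_alerts(EVENTS))
```

With a 10-second window the signature catches only the fast scan; widening it to 60 seconds also catches the slow one, while the statistical check flags only the source whose volume is abnormal, so the two approaches complement each other.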
IDS Strengths and Limitations
Intrusion detection systems are evolving products that detect an ever-growing number of serious problems. Their limitations: an IDS has a sensitivity that is difficult to measure and adjust, and someone has to monitor its track record and respond to its alarms.
EXERCISE
Discuss six reasons that make a network vulnerable.
One way an attacker can investigate and plan an attack is through reconnaissance. Explain it.
What can firewalls block, and what can they not block?
Explain Kerberos in detail.