Network Security File - e

Network Security
The Problem of Network Security
- The Internet allows an attacker to attack from anywhere in the world, from their home desk.
- They need to find only one vulnerability; a security analyst needs to close every vulnerability.
Network characteristics
- Anonymity
  - ‘On the Internet, nobody knows you are a dog’
- Automation
  - Done by machines, sometimes with only minimal human supervision
- Distance
  - What is far, really? Hard to tell.
- Opaqueness
  - Are you in Skudai? KL? Bukit Kayu Hitam? USA?
  - School? Company? Adam’s basement?
- Routing diversity
  - More than one way to get a packet somewhere
Advantages of Computing Networks
- Several advantages over single-processor systems:
  - Resource sharing
  - Distributing the workload
  - Increased reliability
  - Expandability
- The network must ensure data integrity and secrecy, and availability of service.
Threats In Networks
- Generic threats aim to compromise confidentiality, integrity, or availability,
  - applied against data, software and hardware,
  - by nature, accidents, non-malicious humans and malicious attackers.
What Makes a Network Vulnerable?
- Anonymity (distributed authentication problems)
- Many points of attack, both targets and origins (an attack can come from any host, by an unknown route)
- Sharing (access control adequate for a single system may be inadequate in a network)
- Complexity of system (diminishes confidence in network security)
- Unknown perimeter (unclear network boundaries)
- Unknown path (uncertain message routing in the network)
Who Attacks Networks?
- 3 necessary components of an attack: method, opportunity and motive.
- 4 important motives: challenge or power, fame, money and ideology.
- What is an attacker’s profile? What is he/she like?
Motives
- Challenge
  - Can I defeat this network?
  - What would happen if I tried this approach or that technique?
  - Network attackers enjoy the intellectual stimulation of defeating the supposedly undefeatable.
- Fame
  - Some people enjoy the personal thrill of seeing their attacks written up in the news media.
- Money and Espionage
  - Financial reward motivates attackers.
  - Attacks in industrial espionage seek information on a company’s products, clients, or long-range plans.
- Ideology
  - Hacktivism: hacking activity to bring attention to political and social change, e.g. free speech, WikiLeaks
  - Cyberterrorism: “politically motivated hacking operations intended to cause grave harm or economic damage.”
Threat Precursors: what to do beforehand
- Port scan
  - Know which standard ports/services are running and responding
  - Know which OS is installed
  - Know which application types and versions are present
- Social engineering
  - Know certain internal details
  - Using social skills and personal interaction to get someone to reveal security-relevant info
  - Persuade the victim to be helpful
- Reconnaissance
  - Gather discrete bits of info from various sources and put them together like the pieces of a puzzle
  - Example: “dumpster diving”, eavesdropping
- Bulletin boards and chats
  - Exchange of info
  - Attackers post their latest exploits and techniques, read what others have done and search for additional info
Threats in Transit: from here to there
- Usual way: listen
- Listening can be
  - Effortless: eavesdrop
    - Eavesdropping just listens to or monitors traffic
  - With some effort: wiretap
- Passive and active
  - Passive is much like eavesdropping
  - Active means ‘doing’ something to the communication (add, append, replace, delete)
- Depends on the communication medium used: cable, microwave, satellite, wireless etc.

More threats
- Spoofing
- Message confidentiality threats
- Message integrity threats
- Website defacement
- Denial of service (DoS)
- Distributed DoS (DDoS)
- Threats to active and mobile code
Spoofing
- Falsely carrying on one end of a networked interchange
- Examples
  - Masquerading
  - Session hijacking
  - Man-in-the-middle attack

Masquerade
- One host pretends to be another
- URL confusion
  - Confused domain names: xyz.com, xyz.org, xyz.net
  - Names with or without a hyphen: Cola-cola.com vs cocacola.com
  - Easily mistyped names: 10pht.com vs lopth.com
- Exploits a flaw in the victim’s web server to overwrite a web page
- Build a false site that resembles the real one (part of phishing)

Session Hijacking
- Intercepting and carrying on a session begun by another entity
- Examples
  - Wiretap to intercept the packets between a buyer and an eCommerce site
  - Intrude into a telnet session to gain control over the system

Man-in-the-Middle Attack
- Similar to session hijacking, but the attacker usually participates from the start of the session
- Would be foiled with public keys
[Diagram: hosts 10.1.1.1 and 10.1.1.3 communicate through 10.1.1.2 in the middle, which relays the exchange: (1) Login, (2) Login, (3) Password, (4) Password]
Denial of Service
- Transmission failure
  - Due to a cut line, network noise, hardware/software problems, electronic attacks
- Connection flooding
  - The attacker sends you more data than the system can handle, overloading it
  - Uses Internet Control Message Protocol (ICMP) to attack the system, e.g. Echo-Chargen, Ping of Death, Smurf
  - SYN flood
- Traffic redirection
  - The attacker corrupts the routing so that all packets are routed to one router, which becomes flooded
- DNS attacks
SYN Flood
- 3-way TCP handshake (Source to Destination):
  1. SYN
  2. ACK + SYN
  3. ACK
- After receiving the SYN and sending ACK + SYN, the destination maintains a queue of half-open connections (SYN_RECV), tracking each item and starting a timer until the final ACK arrives.
- In a SYN flood the attacker sends the victim SYN(1), SYN(2), ... SYN(n) and never completes the handshake:
  - Sends a SYN request every few seconds
  - Chooses a different and unique source address for each
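The detection side of the SYN_RECV queue described above, as an added example that is not part of the original slides: the script replays a constructed list of handshake events, keeps the half-open connections per destination exactly as the server's queue would, and flags a destination when too many remain half-open inside a time window from many distinct source addresses. The event format, the addresses, the window and the threshold are all assumptions made for this example.

```python
"""Added example (not part of the original slides): detecting a SYN flood from
connection events.

A destination host keeps each half-open connection (SYN received, ACK + SYN sent,
final ACK not yet received) in its SYN_RECV queue. A flood fills that queue with
SYNs from many different, often spoofed, source addresses that never complete the
handshake. The detector replays a constructed event list and flags a destination
whose count of half-open connections inside a time window exceeds a threshold.
The event format, addresses and thresholds are all assumptions for this example.
"""
from collections import defaultdict

# Constructed events: (time_seconds, src_ip, src_port, dst_ip, flag)
# flag is "SYN" (handshake step 1, from the client) or "ACK" (step 3, from the client).
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 40001, "198.51.100.5", "SYN"),
    (0.1, "192.0.2.10", 40001, "198.51.100.5", "ACK"),  # legitimate, completes
    (0.5, "192.0.2.11", 40002, "198.51.100.5", "SYN"),
    (0.6, "192.0.2.11", 40002, "198.51.100.5", "ACK"),  # legitimate, completes
] + [
    # flood: 60 SYNs, each from a different source address, none completed
    (1.0 + i * 0.05, f"203.0.113.{i + 1}", 50000 + i, "198.51.100.5", "SYN")
    for i in range(60)
]


def half_open_by_dst(events, window, now):
    """Return {dst_ip: {(src_ip, src_port): syn_time}} for connections whose SYN
    arrived at most `window` seconds before `now` and whose final ACK never came."""
    pending = defaultdict(dict)
    for ts, src, sport, dst, flag in sorted(events):
        if ts > now:
            break
        key = (src, sport)
        if flag == "SYN":
            pending[dst][key] = ts
        elif flag == "ACK":
            pending[dst].pop(key, None)  # handshake completed, leaves the queue
    return {
        dst: {k: t for k, t in conns.items() if now - t <= window}
        for dst, conns in pending.items()
    }


def detect_syn_flood(events, window=10.0, threshold=50, now=None):
    """Return [(dst_ip, half_open_count, distinct_source_count)] for every
    destination at or above `threshold` half-open connections in the window.
    Many distinct sources alongside many half-open connections is the pattern
    of the flood described on the slide."""
    if now is None:
        now = max(e[0] for e in events)
    alerts = []
    for dst, conns in half_open_by_dst(events, window, now).items():
        if len(conns) >= threshold:
            sources = {src for src, _ in conns}
            alerts.append((dst, len(conns), len(sources)))
    return alerts


if __name__ == "__main__":
    for dst, half_open, sources in detect_syn_flood(SAMPLE_EVENTS):
        print(f"possible SYN flood against {dst}: "
              f"{half_open} half-open connections from {sources} sources")
```

Run stand-alone it reports one alert for 198.51.100.5 with 60 half-open connections from 60 sources; the two legitimate clients, whose final ACK arrived, never appear because they left the queue. Shrinking the window to one second drops the count below the threshold, which is why a real detector pairs the count with a time window rather than counting SYNs alone.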
Threats to Active Code
- Also called mobile code
- General name for code that is pushed to the client for execution
- Cookies
  - Take up disk space
- Scripts
  - E.g. escape-character attack
- Active code
  - JavaScript, ActiveX, Auto Exec by Type

Network security controls
So what’s next?
- We have seen the possible threats to the network; what about controls?
  - Architecture
  - Encryption
  - Strong authentication
  - Access controls
  - Alarms and alerts
  - Honeypots
  - Traffic flow security

Architecture
- Building security into the plan
- Some ways include
  - Segmentation
    - Reduces the number of threats
    - Limits the amount of damage from a single vulnerability
    - Don’t put all your eggs in one basket
    - Separate servers/segments: least privilege and encapsulation
  - Redundancy
    - 2 web servers are better than 1
    - Each checks that the other is active (failover mode); if not, it carries the burden
  - Single points of failure
    - The system can tolerate failure in an acceptable way
    - Eliminate all single points of failure: the ‘jugular’ of the system, that would bring the whole system down
Strong authentication
- Knowing and being assured of the accuracy of an identity
- Ways include:
  - One-time password
  - Challenge-response systems
  - Kerberos
    - Ticket with the user name and the services he is allowed to obtain
    - Tickets are unforgeable, non-replayable, authenticated, time-stamped, encrypted

Access control
- Router and firewall
  - provide layers of protection for the internal network
- Intrusion detection system (IDS)
  - placed inside the network to monitor events in the network
  - detects the attack
    - at the beginning,
    - while in progress, or
    - after it has occurred (when the attacker is able to pass through the router and firewall)
  - the IDS activates an alarm; defensive action is taken
Honeypot
- A computer system or network segment with servers, devices and data, with the objective of luring the attacker.
- Reasons for it:
  - Watch attackers and learn about new attacks
  - Learn enough to identify and stop the attacker
  - Provide a place where attackers can go, in the hope they’ll leave the real systems alone
Firewalls
Firewall
- A firewall is a device that filters all traffic between a protected (‘inside’) network and a less trustworthy (‘outside’) network.
  - inserted between the premises network and the Internet
  - Best practice: non-firewall functions should not be done on the same machine
- Firewalls know what is ‘bad’ by adhering to a security policy
- 2 major schools of thought regarding default behavior:
  - Default deny
  - Default allow/permit
Firewall: Aim
- to protect the premises network from Internet-based attacks, and
- to provide a single choke point where security and audit can be imposed.
Firewall: Capabilities & Limits
- Capabilities:
  - defines a single choke point
  - provides a location for monitoring security events
- Limitations:
  - cannot protect against attacks bypassing the firewall
  - may not protect fully against internal threats
    - a laptop, PDA or portable storage device infected outside and then used inside
Types of Firewalls
Types of firewall
- Packet filtering gateway (screening routers)
- Stateful inspection firewalls
- Application level firewall
- Circuit level firewall
- Which firewall?
  - Depends on what threats need to be countered.

[Diagram: terminal, firewall and host, with packets labelled A on both sides of the firewall]
Router Packet Filtering:
- Packet header is inspected
- Single-packet attacks caught
- Very little overhead in the firewall: very quick
- High-volume filter
Stateful Inspection:
- State retained in firewall memory
- Most multi-packet attacks caught
- More fields in the packet header inspected
- Little overhead in the firewall: quick

[Diagram: terminal, firewall and host, with sessions labelled A and B on each side of the firewall]
Circuit-Level Firewall:
- Packet session terminated and re-created via a proxy server
- All multi-packet attacks caught
- Packet header completely inspected
- High overhead in the firewall: slow
Application-Level Firewall:
- Packet session terminated and re-created via a proxy server
- Packet header completely inspected
- Most or all of the application inspected
- Highest overhead: slow and low volume
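The two default policies from the Firewall slide and the gap between a packet-filtering gateway and stateful inspection, as an added example that is not part of the original slides: a toy filter evaluates constructed rules against constructed packets, first under default deny and default allow, then with a connection table so that replies to connections opened from inside are admitted without a broad inbound rule. The rule syntax, the addresses and the packets are all assumptions for this example and model no real firewall product.

```python
"""Added example (not part of the original slides): a toy packet filter that
shows the two default policies (default deny vs default allow/permit) and the
difference between a stateless packet-filtering gateway and a stateful
inspection firewall. The rule syntax, addresses and packets are constructed
for this example and do not model any real firewall product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination address must fall in
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def stateless_filter(rules, pkt, default="deny"):
    """Packet-filtering gateway: inspect only this packet's header; the first
    matching rule wins, otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed inbound ruleset: from outside, only the public web server may be reached.
INBOUND_RULES = [
    Rule("allow", dst="10.0.0.80/32", dport=80),
    Rule("allow", dst="10.0.0.80/32", dport=443),
]


class StatefulFilter:
    """Stateful inspection: remembers connections opened from the inside so that
    their replies are admitted, while unsolicited inbound packets still go
    through the rules and the default policy."""

    def __init__(self, inbound_rules, default="deny"):
        self.rules = inbound_rules
        self.default = default
        self.table = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        # Record the connection so the matching reply can be recognised later.
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"  # reply to a connection an inside host opened
        return stateless_filter(self.rules, pkt, self.default)


if __name__ == "__main__":
    probe = Packet("203.0.113.7", 40000, "10.0.0.5", 22)
    print("inbound port 22, default deny :", stateless_filter(INBOUND_RULES, probe))
    print("inbound port 22, default allow:", stateless_filter(INBOUND_RULES, probe, default="allow"))
    fw = StatefulFilter(INBOUND_RULES)
    fw.outbound(Packet("10.0.0.5", 51000, "198.51.100.9", 443))
    reply = Packet("198.51.100.9", 443, "10.0.0.5", 51000)
    print("reply to inside client, stateless:", stateless_filter(INBOUND_RULES, reply))
    print("reply to inside client, stateful :", fw.inbound(reply))
```

Under default allow the unsolicited packet to an inside host's port 22 gets through because no rule names it, which is the risk the "default deny" school of thought avoids. The stateless filter under default deny is safe but also drops the web server's reply to an inside client, so a real screening router needs extra inbound rules for high ports; the stateful filter admits that reply only because it saw the inside host open the connection, and still denies a packet from the same server to a port nobody asked for.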
What can a firewall block?
- Can protect the environment if it controls the entire perimeter
- Does not protect outside the perimeter
- Prone to attacks: having different layers helps
- Must be correctly configured and kept updated to succeed
Intrusion Detection System (IDS)
Security Intrusion & Detection
- Security intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
- Intrusion detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.
IDS
- Classification:
  - Host-based IDS: monitors single-host activity
  - Network-based IDS: monitors network traffic
- Logical components:
  - sensors: collect data
  - analyzers: determine if an intrusion has occurred
  - user interface: manage/direct/view the IDS
IDS
- 2 types of approaches: signature-based and heuristic
  - Signature-based IDS: does pattern matching and reports patterns corresponding to known attack types
  - Heuristic (anomaly-based): flags behaviour not in line with acceptable behaviour.
- False results
  - False positive: raising an alarm when there is not really an attack
  - False negative: not raising an alarm for a real attack

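The two IDS approaches and the two kinds of false result, as an added example that is not part of the original slides: a signature matcher and a request-rate anomaly detector run over constructed web-server log lines, and each detector's output is scored against a constructed ground truth so the false positives and false negatives of each approach are visible side by side. The log format, the single signature, the anomaly threshold and the ground truth are all assumptions for this example and not a real IDS ruleset.

```python
"""Added example (not part of the original slides): a signature-based and an
anomaly-based detector run over constructed web-server log lines, with each
detector's false positives and false negatives counted against a constructed
ground truth. The log format, the signature and the anomaly threshold are all
assumptions for this example, not a real IDS ruleset."""
import re
from collections import Counter
from statistics import median

# Constructed access-log lines: client ip, request line, status code.
SAMPLE_LOG = "\n".join(
    [
        '192.0.2.10 "GET /index.html" 200',
        '192.0.2.10 "GET /about.html" 200',
        '192.0.2.11 "GET /../../etc/passwd" 404',   # matches the traversal signature
        '192.0.2.12 "GET /products?page=1" 200',
    ]
    # a heavy but legitimate user paging through 40 reports
    + [f'192.0.2.13 "GET /reports/{n}" 200' for n in range(40)]
    # a scanner requesting 40 non-existent pages; each request alone looks harmless
    + [f'192.0.2.14 "GET /page{n}" 404' for n in range(40)]
)

# Constructed ground truth, used only to score the detectors.
MALICIOUS = {"192.0.2.11", "192.0.2.14"}

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3})$')

# Signature database: name -> pattern of a known attack type.
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}


def parse_log(text):
    """Return a list of (ip, method, path, status) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            entries.append((ip, method, path, int(status)))
    return entries


def signature_detect(entries):
    """Signature-based: flag a client whose request matches a known attack pattern."""
    return {ip for ip, _method, path, _status in entries
            if any(sig.search(path) for sig in SIGNATURES.values())}


def anomaly_detect(entries, factor=5):
    """Heuristic (anomaly-based): flag a client whose request count is more than
    `factor` times the median per-client count, i.e. far outside normal behaviour."""
    counts = Counter(ip for ip, *_ in entries)
    baseline = median(counts.values())
    return {ip for ip, n in counts.items() if n > factor * baseline}


def evaluate(flagged, malicious):
    """Split a detector's output into its false positives and false negatives."""
    return {"false_positive": flagged - malicious,
            "false_negative": malicious - flagged}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for name, detector in (("signature", signature_detect), ("anomaly", anomaly_detect)):
        flagged = detector(entries)
        print(name, "flagged:", sorted(flagged), evaluate(flagged, MALICIOUS))
```

The signature detector catches the traversal attempt with no false positive but misses the scanner entirely (a false negative), because none of the scanner's individual requests matches a known pattern. The anomaly detector catches the scanner by its rate but also flags the heavy legitimate user (a false positive) and misses the single traversal request (a false negative). Running both, as the slide's two approaches suggest, covers each one's blind spot at the cost of more alarms to triage.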
IDS vs IPS
- The difference between an IDS and an IPS is that:
  - The IDS reports on something but does not filter it.
  - An IDS may react to an attack by sending disconnect packets for a connection.
  - The IPS filters and prevents attacks.
- While an IPS definitely sounds better, the implementation may be difficult.

Summary
- We have looked at:
  - Threats
  - Possible controls
- But this is NOT exhaustive: there are MORE.
- Please do more exploring on your own
Class Assignment
- In your usual groups:
  - Part 1: Where best to place firewall(s) (in an organization) to provide maximum security?
  - Part 2: Research and review Unified Threat Management
    - Find out:
      - What it is
      - How it is implemented: what are the services provided
      - What are the issues