Network Security and Threats Power Point
CHAPTERS 9-10 TJADEN
Computer Network Security
and Network Security Threats
Dr. Suzanne Buchele
(Most content borrowed from Ed Crowley at
The University of Houston)
OVERVIEW OF NETWORK SECURITY
ISSUES
Network security involves protecting a host (or a
group of hosts) connected to a network
Many of the same problems as with stand-alone
computer systems apply and are more difficult:
User authentication and authorization – determine the
identity and privileges of users accessing the system
Access control – policies that govern access privileges
and mechanisms limiting what actions are permitted
ADDITIONAL CHALLENGES OF NETWORK
SECURITY
Networking increases message vulnerability to:
Interception
Modification
Destruction
Delay
Reordering
Repetition
Networking implies cooperation, sharing, and trust
Networking also…
Exposes a system to a larger pool of potential attackers
Decreases the likelihood of intruders getting caught
AUTHENTICATION AND AUTHORIZATION
Issues:
For the Server:
Is the Client really who they say they are?
Is the request from the Client fresh?
Will an eavesdropper be able to read my response?
For the Client:
How do I know I’m really talking to the Server?
Will an eavesdropper be able to read my request?
Kerberos - Purpose
Needed in environments in which:
local distributed environment
users on one computer can access services on other
computers or servers in the network
not all users have the authorization to access all other
services or servers on the network
users need to be authenticated for particular services
users cannot be trusted to correctly identify themselves
a user could pretend to be another user
a user may alter the network address of their computer so
that requests appear to be coming from a different computer
a user may eavesdrop on exchanges and attempt attacks to
gain unauthorized access to a service or server
e.g. replay or man-in-the-middle attacks
KERBEROS - OVERVIEW
One approach – have a distributed authentication
protocol, so that each server can self-authorize all
attempted access from all users
Kerberos approach:
centralized authentication server on the local network
authenticates users to servers and servers to users
issues “tickets”
uses symmetric key cryptography only
reading says uses DES, latest version can use AES
since local network, can physically distribute keys
securely
KERBEROS – HOW IT WORKS
Central Authentication Server (AS) shares a secret key
with each user
Step 1:
User is authenticated to the Authentication Server (AS),
is issued a ticket to be used to request access to services
from the TGS
Step 2:
User uses ticket from AS as authentication, so it can
obtain tickets from the TGS for specific services it needs
Step 3:
User presents a ticket to a server and is granted the
service
KERBEROS - STEP 1: GETTING TICKET FOR
TICKET GRANTING SERVICE (TGS)
User enters username and password
Requests ticket for TGS from the AS
C => AS: (C, TGS)
AS generates a ticket:
Name of client; Name of TGS; IP address of client;
time of issue; lifetime of ticket; session key for client
and TGS
All encrypted with secret key shared by AS and TGS
client can’t read the ticket
AS replies to client with ticket and session key for
client and TGS, all encrypted with secret key
shared by AS and client
AS => C: Encrypt((Ticket_{AS}, K_{C,TGS}), K_{C,AS})
KERBEROS - STEP 2: GETTING A TICKET
FOR A SERVER
Client generates an authenticator for the TGS:
Auth_{C,TGS} = Encrypt((C, IP_C, Timestamp), K_{C,TGS})
Client contacts TGS and requests a ticket for Server,
using the ticket from the AS and the authenticator:
C => TGS: (S, Ticket_{AS}, Auth_{C,TGS})
If ticket and authenticator are both valid, TGS
generates random session key for Client and Server and
embeds in a ticket issued to the client:
Ticket_{TGS} = Encrypt((C, S, IP_C, Time, Lifetime, K_{C,S}), K_{S,TGS})
TGS sends generated ticket and session key to Client,
encrypted with key shared by Client and TGS
TGS => C: Encrypt((Ticket_{TGS}, K_{C,S}), K_{C,TGS})
KERBEROS – STEP 3: REQUESTING A
SERVICE FROM A SERVER
Client generates an authenticator for the server:
Auth_{C,S} = Encrypt((C, IP_C, Timestamp), K_{C,S})
Client contacts Server and requests a service using the
ticket from the TGS and the authenticator it generated:
C => S: (Request, Ticket_{TGS}, Auth_{C,S})
Server decrypts the Ticket to learn the session key (K_{C,S}),
then uses the session key to decrypt the authenticator
If the Client has requested that the Server authenticates
itself to the Client, the Server returns to the Client the
Timestamp+1, encrypted with the session key:
S => C: Encrypt((Timestamp+1), K_{C,S})
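The three steps above, run end to end as an added example (not code from the slides or from any Kerberos implementation). It assumes a toy authenticated cipher (SHA-256 keystream plus HMAC) in place of DES/AES, constructed long-term keys for a client "alice", the TGS and a server "fileserver", and assumed LIFETIME and SKEW values; the ticket and authenticator checks are what let the TGS and server refuse expired tickets and replayed authenticators.

```python
import hashlib, hmac, json, os

LIFETIME = 300   # ticket lifetime in seconds (assumed)
SKEW = 60        # tolerated gap between authenticator Timestamp and receiver clock (assumed)

def _keystream(key, nonce, n):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    """Toy authenticated encryption standing in for DES/AES: SHA-256 keystream XOR plus an HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed long-term keys: K_{C,AS} for client "alice", K_{AS,TGS} for the TGS,
# K_{S,TGS} for server "fileserver". Real Kerberos distributes these out of band.
K = {"alice": os.urandom(32), "tgs": os.urandom(32), "fileserver": os.urandom(32)}

def as_issue(client, client_ip, now):
    """Step 1. AS => C: Encrypt((Ticket_{AS}, K_{C,TGS}), K_{C,AS})."""
    k_c_tgs = os.urandom(32).hex()
    ticket = encrypt(K["tgs"], {"c": client, "svc": "tgs", "ip": client_ip,
                                "issued": now, "life": LIFETIME, "key": k_c_tgs}).hex()
    return encrypt(K[client], {"ticket": ticket, "key": k_c_tgs})

def check_ticket_and_auth(svc_key, ticket_hex, auth, svc, now):
    """Shared by TGS and server: open the ticket with the service key, then the authenticator with the session key."""
    t = decrypt(svc_key, bytes.fromhex(ticket_hex))
    if t["svc"] != svc or now > t["issued"] + t["life"]:
        raise ValueError("ticket for wrong service or expired")
    a = decrypt(bytes.fromhex(t["key"]), auth)
    if a["c"] != t["c"] or a["ip"] != t["ip"] or abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator mismatch or stale (possible replay)")
    return t, a

def tgs_issue(server, ticket_hex, auth, now):
    """Step 2. TGS => C: Encrypt((Ticket_{TGS}, K_{C,S}), K_{C,TGS})."""
    t, _ = check_ticket_and_auth(K["tgs"], ticket_hex, auth, "tgs", now)
    k_c_s = os.urandom(32).hex()
    ticket = encrypt(K[server], {"c": t["c"], "svc": server, "ip": t["ip"],
                                 "issued": now, "life": LIFETIME, "key": k_c_s}).hex()
    return encrypt(bytes.fromhex(t["key"]), {"ticket": ticket, "key": k_c_s})

def server_accept(server, ticket_hex, auth, now):
    """Step 3. S => C: Encrypt((Timestamp+1), K_{C,S}) once ticket and authenticator check out."""
    t, a = check_ticket_and_auth(K[server], ticket_hex, auth, server, now)
    return encrypt(bytes.fromhex(t["key"]), {"ts": a["ts"] + 1})

def run_client(client, client_ip, server, now):
    """Client side of all three steps; True when the server proved it holds K_{C,S}."""
    r1 = decrypt(K[client], as_issue(client, client_ip, now))
    k_c_tgs = bytes.fromhex(r1["key"])
    auth_tgs = encrypt(k_c_tgs, {"c": client, "ip": client_ip, "ts": now})
    r2 = decrypt(k_c_tgs, tgs_issue(server, r1["ticket"], auth_tgs, now))
    k_c_s = bytes.fromhex(r2["key"])
    auth_s = encrypt(k_c_s, {"c": client, "ip": client_ip, "ts": now})
    return decrypt(k_c_s, server_accept(server, r2["ticket"], auth_s, now))["ts"] == now + 1

def rejected(fn, *args):
    """True when the service refuses the request (used to show replay and expiry detection)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```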
KERBEROS – OVERVIEW OF MESSAGES
Step 1:
a. Request for TGS ticket
b. Ticket for TGS
Step 2:
c. Request for Server Ticket
d. Ticket for Server
Step 3:
e. Request for service
f. Server authentication (optional)
[Diagram: Client exchanges messages a and b with the AS, c and d with the TGS, and e and f with the Server]
KERBEROS – SECURITY AND LIMITATIONS
Adding Kerberos typically significantly strengthens
security
authenticates all parties involved
uses cryptographic protocols
no information transmitted that could be used maliciously
Limitations:
Scalability
TGS could be a bottleneck
Cross-realm authentication needed for large networks
Single point of failure brings down system
AS and TGS
Prone to password-guessing attacks at initial
authentication
SESAME
Used in Europe, whereas
Kerberos more used in US
Very similar to Kerberos
TGS is PAS (Privilege Attribute
Server)
Tickets are Authentication
Certificate (AC) or Privilege
Attribute Certificate (PAC)
[Diagram: Client, AS, PAS and Server]
CORBA OVERVIEW
Developed by the Object Management Group (OMG)
Standard that allows distributed applications,
running in heterogeneous distributed environments,
to interoperate
Objects are entities that provide services to requestors
through well-defined encapsulating interfaces
Hides “low-level” details from the objects
Object Request Broker (ORB) mediates the requests
between objects
FUNCTIONS OF THE ORB
Deliver A’s request to B and B’s reply to A
Hide “low-level” details from calling objects:
Location (local or remote)
Implementation details (language and platform)
Uses a universal Interface Definition Language (IDL) to communicate
with the ORB
Communication mechanisms (TCP/IP, shared memory, local
method invocation)
CORBA
The Common Object Request Broker Architecture
(CORBA) standard:
Defined by OMG
Allows different ORBs to interoperate
The CORBA Security specification:
Optional
If implemented, the ORB provides basic security
functionality to all objects:
Authentication
Communications security
Access control
Auditing
Also used for secure interoperability between ORBS
INTERACTION BETWEEN TWO SECURE ORBS
ACCESS CONTROL FOR NETWORKS
Problems:
Enforce an access control policy
Protect local internet from outsiders attempting to:
Obtain information, modify information, disrupt
communications
Solution: firewall
Allow trust relationships among machines
Forms a barrier that protects one network from dangers of
another
A firewall can:
Partition machines into those inside the organization and
those outside the organization
Enforce an access control policy about what types of traffic
are allowed in and out
IMPLEMENTING A FIREWALL WITH A
SCREENING ROUTER
Screening routers perform packet filtering:
Examine some fields in the packet header:
Source and destination IP address
Protocol
Source and destination port numbers
Allow a packet to pass if it meets the screening criteria
Filtering rules are stateless to increase speed
Doesn’t take into account what happened just before or is
happening right after
E.g. C => S (Nonce) for authentication
S => C (Nonce) - same one!
can get C to do authentication for S
FILTERING RULES
Administrator can specify rules regarding which
packets should not pass through the firewall
Can block:
Outgoing packets to certain addresses - restrict which
outside sites local users can access
Incoming packets from certain addresses – restrict access to
specific external sites
Incoming and outgoing requests to specific services
Etc.
SAMPLE FILTERING RULES
Row 1: Block incoming packets from any source to
any destination for the finger service (TCP port 79)
Row 2: Block incoming packets bound for the TFTP
service (UDP port 69)
Row 3: Block outgoing packets bound for any
machine on network 128.112
Incoming/Outgoing | Source IP Address | Destination Address | Protocol | Source Port | Destination Port
Incoming          | *                 | *                   | TCP      | *           | 79
Incoming          | *                 | *                   | UDP      | *           | 69
Outgoing          | *                 | 128.112.*.*         | *        | *           | *
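The three rules above applied by a stateless filter, as an added example (not code from the slides or any router product). Packet, Rule, the sample traffic and the CIDR spelling 128.112.0.0/16 for 128.112.*.* are constructed here; each packet is judged on its own header fields alone, which is exactly the statelessness the slides describe.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    """Header fields a screening router looks at (constructed, not a real capture)."""
    direction: str   # "in" or "out" relative to the organization
    src: str
    dst: str
    proto: str       # "TCP" or "UDP"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    """One block rule; "*" matches anything, addresses may be given as CIDR networks."""
    direction: str
    src: str
    dst: str
    proto: str
    sport: str
    dport: str

def _addr_matches(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)

def _field_matches(pattern, value):
    return pattern == "*" or str(pattern) == str(value)

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and _field_matches(rule.proto, pkt.proto)
            and _field_matches(rule.sport, pkt.sport)
            and _field_matches(rule.dport, pkt.dport))

# The slide's three rows; 128.112.*.* is written as the CIDR network 128.112.0.0/16.
BLOCK_RULES = [
    Rule("in", "*", "*", "TCP", "*", "79"),             # row 1: finger
    Rule("in", "*", "*", "UDP", "*", "69"),             # row 2: TFTP
    Rule("out", "*", "128.112.0.0/16", "*", "*", "*"),  # row 3: anything to 128.112
]

def filter_packet(pkt, rules=BLOCK_RULES):
    """Stateless decision: only this packet's own header fields are consulted."""
    for row, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return ("BLOCK", row)
    return ("PASS", None)

def filter_trace(packets, rules=BLOCK_RULES):
    return [filter_packet(p, rules) for p in packets]

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet("in",  "203.0.113.7", "192.0.2.10", "TCP", 40001, 79),  # finger probe
    Packet("in",  "203.0.113.7", "192.0.2.10", "UDP", 40002, 69),  # TFTP request
    Packet("out", "192.0.2.10", "128.112.4.4", "TCP", 40003, 80),  # web request to 128.112
    Packet("in",  "203.0.113.7", "192.0.2.10", "TCP", 40004, 22),  # ssh: no rule applies
    Packet("out", "192.0.2.10", "128.113.4.4", "UDP", 40005, 69),  # TFTP to a different network
    Packet("in",  "203.0.113.7", "192.0.2.10", "UDP", 69, 40006),  # from port 69: only dport is checked
]
```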
SCREENING ROUTERS
Advantages:
Relatively cheap
Help improve security by blocking packets from/to
dangerous sites and services
Disadvantages:
Still vulnerable to attacks on enabled services
Potential services are large (and growing) requiring
frequent maintenance
Decisions must be made statelessly
PROXY GATEWAY
A Proxy gateway is more powerful than a screening
router and can do more/better checking:
Examine data (not just header) portion of packets
Remember the past behavior of a connection
Consider context – is this a response from the outside to
a request that originated on the inside?
Etc.
Uses two barriers:
Outer barrier: blocks all incoming/outgoing traffic not
to/from the proxy gateway
Inner barrier: blocks all incoming/outgoing traffic not
from/to the proxy gateway
PROXY GATEWAYS (CONT)
[Diagram: Global Internet – Bastion Host – Organization's Internet]
Each barrier is implemented by a screening router:
Screening routers block all traffic not going to/from the proxy
gateway on the Bastion Host
[Diagram: Global Internet – Screening Router – Bastion Host – Screening Router – Organization's Internet]
PROXY GATEWAYS (CONT)
The bastion host runs a set of application gateway
programs
Act as middlemen between hosts inside and outside
the firewall
Internal hosts communicate with the application
gateway program running on the proxy gateway
Application gateway program relays request to the
external host
The external host’s reply is sent to the application
gateway program
Application gateway program performs some checking
and then passes the reply on to the internal host
PROXY GATEWAY - EXAMPLE
An FTP server behind a proxy gateway firewall
An external client issues commands to establish a
connection and transfer files
Proxy gateway acts as a middleman between the client and
server
The proxy can check incoming commands:
Pass only valid FTP commands on to the server
Protects the server from malformed or dangerous input
If the external client attempts to upload a file to the
server:
The proxy may pass the file through virus-scanning software
PROXY GATEWAYS – ADVANTAGES AND
DISADVANTAGES
Advantages:
Provides better protection than a screening router
Disadvantages:
Additional cost
Proxy gateway could be a:
Bottleneck
Single point of failure
Tempting target for attackers
But, also generally secure
DYNAMIC FIREWALL TECHNIQUES
Screening routers and proxy gateways enforce
static security policies
Dynamic filters allow administrators to set up
triggers:
Provides additional flexibility:
Temporarily add, delete, or modify certain rules in
response to particular events
Permit or deny traffic in special circumstances
Provides additional security:
More stringent rules triggered when suspicious
traffic is observed
NETWORK ACCESS CONTROL - SUMMARY
Access Control – need to protect local
machines/networks from outsiders attempting to:
Obtain information
Modify information
Disrupt communications
Solution: firewalls (screening routers, proxy
gateways, etc.)
Form a barrier that protects one network from
dangers on another
Next… Chapter 10
NETWORK SECURITY THREATS - OVERVIEW
Network communications exposes one to many
different types of risks:
Sniffers used to intercept and store network traffic for
later analysis, or alter packets
privacy, integrity, and authentication issues
Traffic analysis - study communications patterns in
order to guess the likely contents of the messages
Who is communicating with whom
How much
How often
Exploitation of the TCP/IP suite of network protocols
Not originally designed with security in mind
OVERVIEW OF THE INTERNET PROTOCOL (IP)
The Internet Protocol (IP) provides an unreliable
packet delivery service
IP packets, called datagrams, contain a header and
data portion:
OVERVIEW OF THE INTERNET PROTOCOL (CONT)
Important header fields:
VERS (4 bits): version
HLEN (4 bits): length of header in 32-bit words
TOTAL LENGTH (16 bits): the length of the entire
datagram (header and data) in 8-bit octets
Max possible length of version 4 IP datagram is 65,536 bytes
IDENTIFICATION, FLAGS, and FRAGMENT OFFSET:
used to control datagram fragmentation
A datagram may be too large to travel whole over a network
IP specifies a way to divide a datagram into smaller pieces
At the final destination, fragments are reassembled into the
original datagram
SOURCE and DESTINATION IP ADDRESSES (32 bits)
ATTACKS ON THE INTERNET PROTOCOL TEARDROP
The Teardrop tool enabled attackers to crash
vulnerable remote systems by sending a certain type
of fragmented IP datagram
Normal datagram fragments do not overlap
Teardrop created fragments that did overlap
Some implementations of the IP fragment reassembly code do
not properly handle overlapping IP fragments
Windows and some Linux kernels
Caused system crash
Later fixed by software patches
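A parser for the fragmentation fields of the IPv4 header together with the overlap check that a hardened reassembler needs, as an added example (not code from the slides). The fragments are constructed inline, the header checksum is left at zero, and the builder, the address values and the verdict names are this example's own.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # VERS/HLEN, TOS, TOTAL LENGTH, IDENTIFICATION, FLAGS+OFFSET, TTL, PROTO, CHECKSUM, SRC, DST

def build_fragment(ident, offset, more, payload, src="192.0.2.1", dst="192.0.2.2"):
    """Constructed IPv4 fragment: 20-byte header without options (checksum left 0) plus payload.
    offset is in octets and must be a multiple of 8 because FRAGMENT OFFSET counts 8-octet units."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 octets")
    flags_frag = (0x2000 if more else 0) | (offset // 8)   # bit 13 = MF (more fragments)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload

def parse_fragment(packet):
    """Pull the fragmentation-relevant fields out of an IPv4 datagram."""
    vers_hlen, _, total_len, ident, flags_frag, _, _, _, _, _ = struct.unpack(IPV4_HDR, packet[:20])
    hlen = (vers_hlen & 0x0F) * 4                     # HLEN is in 32-bit words
    return {"version": vers_hlen >> 4, "id": ident,
            "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,       # back to octets
            "data": packet[hlen:total_len]}

def check_fragments(packets):
    """Group fragments by IDENTIFICATION and verify they tile the datagram exactly.
    Returns {id: "ok" | "overlap" | "gap" | "incomplete"}; "overlap" is the Teardrop condition
    a hardened reassembler must refuse instead of trusting the offsets."""
    groups = {}
    for p in map(parse_fragment, packets):
        groups.setdefault(p["id"], []).append((p["offset"], p["offset"] + len(p["data"]), p["mf"]))
    verdicts = {}
    for ident, frags in groups.items():
        frags.sort()
        expected, status = 0, "ok"
        for start, end, mf in frags:
            if start < expected:
                status = "overlap"
                break
            if start > expected:
                status = "gap"
                break
            expected = end
        if status == "ok" and frags[-1][2]:       # last fragment still says "more fragments"
            status = "incomplete"
        verdicts[ident] = status
    return verdicts

# Constructed fragment sets: a normal split and a Teardrop-style overlap.
NORMAL = [build_fragment(1, 0, True, b"A" * 24), build_fragment(1, 24, False, b"B" * 16)]
TEARDROP = [build_fragment(2, 0, True, b"A" * 24), build_fragment(2, 16, False, b"B" * 16)]
```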
ATTACKS ON THE INTERNET PROTOCOL –
IP SPOOFING
DESTINATION ADDRESS field is used to route a
datagram to its final destination
SOURCE ADDRESS field identifies the sender so that
the receiver knows where to send a reply
IP spoofing – sender of a datagram inserts the
address of another machine (or a nonexistent machine)
in the source address field
Prevent the receiver from determining the host from which
an attack datagram originated
Reply sent to a another (victim) host
OVERVIEW OF THE INTERNET CONTROL
MESSAGE PROTOCOL (ICMP)
A sub protocol (part of IP) used to transmit error messages and
report other unusual situations
Different formats depending on type of error transmission
Composed of a header and optional data portion and are
encapsulated in the data portion of an IP datagram:
OVERVIEW OF THE ICMP (CONT)
Fields:
TYPE (8 bits): identifies the type of the message
e.g. 0 = echo reply
e.g. 8 = echo request
CODE (8 bits): identifies the subtype of the message
e.g. 0 = echo reply/request
CHECKSUM (16 bits): integrity check on header and
data portion of ICMP message
IDENTIFIER and SEQUENCE NUMBER: enable the
sender to match each reply to the proper request
DATA: any data included in an echo request is copied
into the data portion of the reply message
ATTACKS ON ICMP - PING OF DEATH
Attacker constructs an ICMP echo request message
containing 65,510 data octets and sends it to a victim
host
The total size of the resulting datagram (65,538 octets) is larger than
the 65,536 limit specified by IP
Several systems did not handle this oversized IP datagram properly
hang the system
crash the system
Fixed by software patches
ATTACKS ON ICMP - SMURF
Attacker sends ICMP echo request messages to a
broadcast address at an intermediate site
Broadcast address: a copy of the datagram is delivered to
every host connected to a specified network
For some broadcast addresses, a single request could
generate replies from dozens or hundreds of hosts
The source address in each request packet is spoofed so
that replies are sent to a victim machine
Result: the victim’s machine/network is flooded by
ICMP echo replies
Solution: Many sites have reconfigured their machines
so that their machines do not respond to ICMP echo
requests sent to a broadcast address
OVERVIEW OF THE USER DATAGRAM
PROTOCOL (UDP)
IP delivers data from one machine to another
UDP runs on top of IP and delivers data from one
application to another
A port (represented by a positive integer) is a unique
destination on a single machine
Standard services run on reserved ports:
ECHO (port 7)
DISCARD (port 9)
TIME (port 37)
TFTP (port 69)
NTP (port 123)
Etc.
Programs can request an unused (dynamic) port and
receive messages that arrive on that port
OVERVIEW OF UDP (CONT)
The basic unit of communication in UDP is the user
datagram: UDP header and UDP data
Entire datagram is transported in the data portion of IP
datagrams
Header = 8 octets
Maximum length of data portion = 65,536-8 = 65,528 octets
ATTACKS ON UDP - FRAGGLE
Similar to Smurf attack
except uses UDP instead of ICMP
UDP port seven is an echo service
Attacker sends user datagrams to port seven of a
broadcast address at an intermediate site
Spoofed source addresses pointing to victim
Random source ports (or port 7 for more effective attack)
Each request generates replies from many machines
Result: flood victim’s machine/network with UDP
replies
Solution: filter out UDP echo requests (or anything
else that might generate a response) sent to broadcast
addresses
ATTACKS ON UDP - TRINOO
Trinoo is a distributed denial of service attack tool that
enables an attacker to inundate a victim with UDP
traffic from many different hosts simultaneously
Daemon program
Setup:
Search for machines and attempt to break into them using
a number of different exploits
Install the Trinoo daemon and root kit on as many of these
hosts as possible, add to list of “owned” hosts
Attack:
When given a victim by a master server, sends a large
number of UDP packets to random ports on the victim
ATTACKS ON UDP – TRINOO (CONT)
Master servers
Each master server controls many daemons on different hosts
An attacker normally controls a number of master servers (on
different hosts)
Commands (password protected):
Start/stop it running
Test that it is alive/listening
Ask for a list of all the daemons that it controls
Instruct it to order its daemons to attack a given victim
Attacks:
In August 1999 trinoo daemons from over 200 different
machines flooded a Univ of Minnesota host for several days
In February 2000 trinoo used to attack several major
e-commerce sites on the Web
OVERVIEW OF THE TRANSMISSION
CONTROL PROTOCOL (TCP)
TCP runs on top of IP and provides reliable delivery
of a stream of data between two applications
Like UDP, TCP messages are sent inside IP
datagrams
TCP:
Divides a stream of data into chunks that will fit inside
IP datagrams
Ensures that each datagram arrives at its destination
Uses an acknowledgement and retransmission scheme as
necessary
Reassembles the stream at the destination
OVERVIEW OF TCP (CONT)
TCP messages that carry data and acknowledgements
are called segments
OVERVIEW OF TCP (CONT)
Important fields:
SOURCE and DESTINATION PORT (16 bits) = port identifiers
SEQUENCE NUMBER (32 bits) = identifies the position of the
data in the segment in the data stream
ACKNOWLEDGEMENT (32 bits) = acknowledge the receipt of all
data up to given point
CODE BITS (6 bits) = URG, ACK, PSH, RST, SYN, and FIN
OVERVIEW OF TCP (CONT)
Establishing a TCP connection using the three-way
handshake:
Two parties exchange messages to ensure each is
ready to communicate and to agree on initial sequence
numbers for the conversation
Message 1 (SYN + SEQ): Host A => Host B
Message 2 (SYN + SEQ + ACK): Host B => Host A
Message 3 (ACK): Host A => Host B
OVERVIEW OF TCP (CONT)
Closing a TCP connection (one-way):
Connection is closed from A to B
B may continue sending data to A before fully closing
the connection
When B has sent all remaining data, then B performs the
same closing protocol to close the connection from B to A
Message 1 (FIN + SEQ): Host A => Host B
Message 2 (ACK): Host B => Host A
ATTACKS ON TCP – SYN FLOOD
Recall the three-way handshake to establish a TCP
connection
After the second message has been sent but before the third
message has been received the connection is half opened
Most hosts store these half-opened connections in a fixed-size table while they await the third message
Half-opened connections are timed out after half a
minute or so
Message 1 (SYN + SEQ): Host A => Host B
Message 2 (SYN + SEQ + ACK): Host B => Host A
Message 3 (ACK): Host A => Host B
ATTACKS ON TCP – SYN FLOOD (CONT)
Attacker attempts to fill up the half-opened connection
table
Attacker sends the victim machine a large number of SYN
segments with spoofed source addresses
Produces a large number of half-opened connections at the
victim’s machine that will never become fully open
The half-opened connection table fills and no new
connections can be accepted until space is available
Attacker attempts to keep it full
Continue sending SYN segments to replace half-open
connections as they time out
Result: the victim host cannot accept any other,
legitimate attempts to open a connection
ATTACKS ON TCP - LAND
Attack tool exploits a vulnerability in certain TCP
implementations
Attacker creates an invalid TCP SYN segment:
Spoofed source address is identical to the destination
address
Source port is identical to the destination port
Causes some TCP implementations to freeze or crash
Fixed with software patches
ATTACKS ON TCP – TRIBE FLOOD NETWORK
Tribe Flood Network (TFN) is a distributed denial of
service attack tool
Used in February, 2000 to attack several major e-commerce sites on the Web
Similar to trinoo:
Daemon programs: listen for and execute commands from a
master
Master programs
Control a number of daemons
Communicate with an attacker and pass his/her commands
on to daemons
ATTACKS ON TCP – TFN
“Improvements” over trinoo:
Random protocol (TCP, UDP, or ICMP) for
communication between master and daemons
Can send out “decoy” packets to random IP addresses to
obscure the true target of the attack
Daemons spoof the source IP address in the attack
packets they send
Daemons can attack multiple targets
Wider variety of attacks:
UDP flood (like with trinoo)
TCP SYN flood
ICMP ping flood
ICMP directed broadcast flood (smurf)
All of the above
SCANS AND PROBES
Attackers typically engage in a variety of
reconnaissance activities before attacking:
To identify important/interesting hosts
To identify potential vulnerabilities that could be
exploited
A port scanner is a program that tries to determine
which ports have programs listening on them
Example:
Attempts to open a TCP connection to each port in order
If a connection is made then immediately close it and
record the fact that the port opened
If the connection fails then the port is closed
PORT SCANNING (CONT)
Using fully-open connections to scan is likely to draw
a lot of attention to the scan
Most hosts log:
Each attempt to connect to a closed port
Each time a newly-opened connection is closed with little
or no data having been sent
Clandestine scanning methods:
SYN scan:
A SYN segment is sent to each port, and any port that
responds with a SYN+ACK segment is open
Instead of completing the handshake, a RST (reset)
segment is sent to close the connection before it fully opens
Some hosts do not log half-opened connections
PORT SCANNING (CONT)
Clandestine scanning methods (cont):
FIN scanning:
A FIN segment is sent to each port
Open ports ignore it (since no connection has been
established)
Closed ports are required to respond to a FIN with a RST
segment
so ports that do not answer are open
Again, many hosts do not log responses to FINs, so detection
is less likely
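Detection logic for the SYN and FIN scans described above, as an added example (not code from the slides or any IDS). The sensor events, addresses, PORT_THRESHOLD and WINDOW are constructed and assumed; the classifier uses the response rules the slides state (SYN+ACK marks an open port for a SYN scan, silence marks an open port for a FIN scan) to report what each scanning source was able to learn.

```python
from collections import defaultdict

PORT_THRESHOLD = 5   # distinct ports probed by one source within WINDOW seconds (assumed)
WINDOW = 10.0        # seconds (assumed)

# Constructed sensor events: (time, src, dst, dport, probe_flags, host_response).
# probe_flags: flags on the inbound segment; host_response: "SYN+ACK", "RST" or "-" for silence.
EVENTS = [
    (0.1, "203.0.113.7", "192.0.2.10", 21, "SYN", "RST"),
    (0.2, "203.0.113.7", "192.0.2.10", 22, "SYN", "SYN+ACK"),
    (0.2, "203.0.113.7", "192.0.2.10", 22, "RST", "-"),      # reset before the handshake completes
    (0.3, "203.0.113.7", "192.0.2.10", 23, "SYN", "RST"),
    (0.4, "203.0.113.7", "192.0.2.10", 25, "SYN", "RST"),
    (0.5, "203.0.113.7", "192.0.2.10", 80, "SYN", "SYN+ACK"),
    (0.5, "203.0.113.7", "192.0.2.10", 80, "RST", "-"),
    (1.0, "198.51.100.9", "192.0.2.10", 21, "FIN", "RST"),   # closed port answers a FIN with RST
    (1.1, "198.51.100.9", "192.0.2.10", 22, "FIN", "-"),     # open port ignores the bare FIN
    (1.2, "198.51.100.9", "192.0.2.10", 23, "FIN", "RST"),
    (1.3, "198.51.100.9", "192.0.2.10", 25, "FIN", "RST"),
    (1.4, "198.51.100.9", "192.0.2.10", 80, "FIN", "-"),
    (5.0, "192.0.2.55", "192.0.2.10", 22, "SYN", "SYN+ACK"), # ordinary ssh session
    (5.0, "192.0.2.55", "192.0.2.10", 22, "ACK", "-"),
]

def classify(evs):
    """Technique the probe pattern matches: bare FINs, SYNs never followed by an ACK, or full connects."""
    flags = {e[4] for e in evs}
    if "FIN" in flags and "SYN" not in flags:
        return "fin scan"
    if "SYN" in flags and "ACK" not in flags:
        return "syn scan"
    return "connect scan"

def inferred_open(evs, technique):
    """Ports the probes revealed as open: SYN+ACK answers for a SYN scan, silence for a FIN scan."""
    if technique == "fin scan":
        return sorted({e[3] for e in evs if e[4] == "FIN" and e[5] == "-"})
    return sorted({e[3] for e in evs if e[4] == "SYN" and e[5] == "SYN+ACK"})

def detect_scans(events, threshold=PORT_THRESHOLD, window=WINDOW):
    """Flag each source that probes at least `threshold` distinct ports within `window` seconds."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        probes = sorted(e for e in evs if e[4] in ("SYN", "FIN"))
        for t0, *_ in probes:                       # sliding window starting at each probe
            ports = {e[3] for e in probes if t0 <= e[0] <= t0 + window}
            if len(ports) >= threshold:
                technique = classify(evs)
                findings[src] = {"ports": sorted(ports), "technique": technique,
                                 "open": inferred_open(evs, technique)}
                break
    return findings
```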
TRACEROUTE FOR NETWORK SCANNING
The traceroute program discovers the path that an IP
datagram follows to reach a target host
Start by sending a probe message with a TTL value of 1
bound for the target host
If the target host cannot be reached in one hop then:
The datagram is dropped
Machine that drops it returns an ICMP TTL-exceeded message
Traceroute records the name and address of the machine and
the round trip time
The TTL value is incremented by 1, probe is sent again
This process continues until the target is reached, and
traceroute generates a report of its findings
Can be used to gain info about the topology of a network
REMOTE OPERATING SYSTEM
FINGERPRINTING
Certain attacks only work on certain operating systems
(and certain versions of those operating systems)
Techniques enable attackers to try to determine what
operating system is running on a host
Typically, specially crafted (and usually invalid) IP,
ICMP, UDP, or TCP packets are sent to a host
Different operating systems (and sometimes different
versions of the same operating system) are known to
respond to these packets in certain ways
Examples:
FIN segments for closed connections
TCP options field
SECURITY ASSESSMENT TOOLS
Tools that allow system administrators to
scrutinize their sites for vulnerabilities
Examples:
SAINT (http://www.wwdsi.com/saint)
SARA (http://www-arc.com/sara)
SATAN (http://www.fish.com/satan)
Many others
Some automate the fixing of vulnerabilities that
are identified
NETWORK SECURITY THREATS - SUMMARY
Network communications exposes one to many
different types of risks:
Attacks on the privacy, integrity, or authenticity of
messages
Traffic analysis
Exploitation of the TCP/IP suite of network protocols
Attacks on IP (Teardrop, IP Spoofing)
Attacks on ICMP (Ping of Death, Smurf)
Attacks on UDP (Fraggle, Trinoo)
Attacks on TCP (SYN Flood, Land, TFN)
Probes and scans
NEXT…
5 minute break, then Lab