Week 15: Chapter 7 - Security in Networks
Week 15: Sec. 7.1 Network Concepts
• Networks can be anything from a simple LAN to a WAN.
• The kinds of media used for communications are varied: copper, optical fiber, microwave/satellite and air.
• The agreed-on set of rules governing communications is called a protocol.
• The ISO has an architecture model composed of 7 layers.
• The TCP/IP protocol only has 5 layers (note I disagree with the author of our text who says 4 layers). They are:
  Application - Layer 5 (FTP, Telnet, E-mail, HTTP)
  Transport - Layer 4 (UDP or TCP; contains port addresses)
  Internet - Layer 3 (logical addresses, IP)
  Network Interface - Layer 2 (MAC addresses; hardware frame)
  Physical - Layer 1 (signaling of bits)
Week 15: Sec. 7.1 Network Concepts Continued
• Addressing:
  The NIC (network interface card) address - 2 or 6 bytes - Network Interface (Layer 2)
  The device IP address - 4 bytes (IPv4), 16 bytes (IPv6) - Internet (Layer 3)
  The port address - 2 bytes - Transport (Layer 4)
• Why have a separate NIC and IP address?
Internet protocol stack (figure from the slide, reconstructed as a list):
• application: supporting network applications - FTP, SMTP, HTTP
• transport: host-host data transfer - TCP, UDP
• internet: routing of datagrams from source to destination - IP, routing protocols
• network: data transfer between neighboring network elements - PPP, Ethernet
• physical: bits "on the wire"
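As an added example (not from the lecture notes), the constructed Ethernet/IPv4/UDP frame below shows where the three kinds of address from Sec. 7.1 live: MAC addresses in the Layer 2 frame header, IP addresses in the Layer 3 header and port numbers in the Layer 4 header. All addresses and the payload are made up, and the checksum fields are left at zero.

```python
import struct

def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def _ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Assemble Ethernet II + IPv4 + UDP (constructed test data; checksums left as zero)."""
    ethernet = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x0800)  # Layer 2, EtherType IPv4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload   # Layer 4: port addresses
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                       _ip(src_ip), _ip(dst_ip))                           # Layer 3: IP addresses
    return ethernet + ipv4 + udp

def parse_frame(frame: bytes) -> dict:
    """Pull the Layer 2, 3 and 4 addresses back out of a raw frame."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip_hdr = frame[14:]
    ihl = (ip_hdr[0] & 0x0F) * 4          # header length in bytes (options make it longer than 20)
    if ip_hdr[9] != 17:
        raise ValueError("only UDP is handled here")
    src_port, dst_port = struct.unpack("!HH", ip_hdr[ihl:ihl + 4])
    return {
        "layer2": {"src": ":".join(f"{b:02x}" for b in src_mac),
                   "dst": ":".join(f"{b:02x}" for b in dst_mac)},
        "layer3": {"src": ".".join(map(str, ip_hdr[12:16])),
                   "dst": ".".join(map(str, ip_hdr[16:20]))},
        "layer4": {"src": src_port, "dst": dst_port},
    }

# Constructed sample: a DNS query from a host to a resolver (IP addresses from documentation ranges).
SAMPLE = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                     "192.0.2.10", "198.51.100.20", 40000, 53, b"constructed payload")
```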
Week 15: Sec. 7.2 Threats in Networks
• Network Security Issues:
  Anonymity - attacker can be on the other side of the planet
  Many points of attack
  Resource and workload sharing
  Complexity of operating system
  Unknown perimeter
  Unknown path
• Who attacks Networks? (motive may be the clue)
• Threat Precursors
  IP address scans
  Port scans
Week 15: Sec. 7.2 Threats in Networks Continued
• Social Engineering
  REFERENCES:
  THE ART OF DECEPTION – Kevin Mitnick, Wiley, ISBN 0-471-23712-4 (Convicted Felon)
  HACKING EXPOSED – 4th ed., pages 589-590, 681-682, 173, 233.
• Steps used by social engineers to study a target are similar to those used by spies working for intelligence agencies. These steps are:
  (1) information gathering
  (2) target selection
  (3) target interdiction.
• The social engineer starts by gathering as much information about the organization as is available. Information comes in a variety of forms, which include: (1) white (a.k.a. open source), (2) gray (such as conference materials) and (3) black (such as internal documents – dumpster diving).
Week 15: Sec. 7.2 Threats in Networks Continued
• Social engineering attacks fall into one of four categories:
  (1) ego attack
  (2) sympathy attack
  (3) intimidation attack
  (4) technical attack.
• The "ego attack" targets someone who is frustrated with their current job. The attacker normally pretends to be a law enforcement officer who makes the victim feel honored to help.
• The "sympathy attack" normally plays on the empathy and sympathy of the victim. The attacker pretends to be a fellow employee, contractor or vendor who needs some type of information urgently. The attacker usually suggests that he will lose his job or get into trouble if the victim does not provide assistance.
Week 15: Sec. 7.2 Threats in Networks Continued
• Social engineering attacks continued
• The "intimidation attack" normally uses authority to coerce the victim into cooperating with the attacker. The attacker pretends to be the CEO or a law enforcement official. If the attacker pretends to be a law enforcement official, he will inform the victim that they are conducting a secret investigation and that it should not be discussed with anyone.
• In the "technical attack" the attacker usually doesn't have direct contact with the victim. The attacker uses forged e-mail, phony Web sites, forged faxes or other items (for example, software CDs) to establish contact with the victim. Phony Web sites can lure a victim into downloading new screen savers, popup ad blockers or utilities. The attacker can embed JavaScript in the Web page's source code, which can upload documents or install software on the victim's machine. Social engineering attacks are the single greatest threat to enterprise security and the hardest to prevent!
Week 15: Sec. 7.2 Threats in Networks Continued
• Security Threat Analysis
  Interception of data
  Unauthorized access to programs or data at a remote host
  Modifications to programs or data at a remote host
  Communications impersonating a user
  Communications repeating a previous communication
  Blocking of selected traffic
  Blocking of all traffic
  Running a program at a remote host
• Threat Categories:
  wiretapping
  impersonation
Week 15: Sec. 7.2 Threats in Networks Continued
• Spoofing
  masquerade
  session hijacking
  man-in-the-middle attack
• Message confidentiality violations
• Message integrity violations
• Hacking
• Code integrity violations
Week 15: Sec. 7.2 Threats in Networks Continued
• DOS - Denial Of Service - Types of Attacks:
1. UDP flood - Hacker sends UDP packets with a spoofed return address that link one system's character-generating service (chargen, port 19) to another system's UDP echo service (port 7) (ECS typically disables UDP port 7). As chargen keeps sending characters to the other system, the echo service keeps sending them back, so UDP traffic bounces back and forth.
2. ICMP flood - Hacker sends ICMP packets as fast as possible to the target system.
3. Ping of death - Hacker sends ping packets with data that totals more than 65,535 bytes.
Week 15: Sec. 7.2 Threats in Networks Continued
• DOS - Attacks continued
4. Smurf - Hacker sends an ICMP echo ping request to a system with the return address spoofed, or sends it to a large number of hosts, e.g. sends it to the Engineering router (ecsrtr) with the request that it send a broadcast request to all ECS systems to do an echo ping reply. The result is that the system at the spoofed address is blasted off the Internet.
5. SYN flood - Hacker has a system send a TCP SYN (flag bit in the connection packet) with a spoofed return address. The system responds to the spoofed address with a SYN-ACK (both flag bits set); since the address is spoofed it never gets an ACK, so it waits and fills up its backlog queue. Possibly it will allocate all its memory and crash.
Week 15: Sec. 7.2 Threats in Networks Continued
• DOS - Attacks continued
6. Xmas Tree - Hacker sends a packet with all the flag bits on.
7. FIN flood - Hacker sends packets with the FIN flag bit set and a spoofed return address. Server replies with FIN-ACK to the spoofed address and then attempts to disconnect the non-existent session.
8. DNS attacks - Hacker poisons the cache of the DNS server.
Week 15: Sec. 7.2 Threats in Networks Continued
Now a more evil DOS. This one is called DDOS, for Distributed Denial Of Service.
• The "trinoo" distributed denial of service. trinoo.analysis
• The "TFN" distributed denial of service. tfn.html
• The "TFN2" distributed denial of service, released on December 21, 1999. tfn2k.html For more on TFN2 see: cert.org TFN2
• The "stacheldraht" distributed denial of service. stacheldraht.analysis
Week 15: Sec. 7.3 Network Security Controls
• Encryption is one of the best defenses against attacks on security in networks.
• Link Encryption - data is encrypted just before it is placed on the physical media, i.e. at the physical layer. The message is in plaintext inside hosts and intermediate hosts.
• End-to-End Encryption - data is encrypted at the highest layer, the application (best).
• In some cases both forms can be applied. I use putty (SSH) and VPN from any place outside the campus. So data is doubly encrypted on the public Internet.
Week 15: Sec. 7.3 Network Security Controls
• A Virtual Private Network (VPN) is a way to simulate a private network over a public network such as the Internet.
• Virtual because it depends on the use of virtual connections
  Temporary connections that have no real physical presence, but consist of packets routed over various machines on the Internet on an ad hoc basis
• Secure virtual connections are created between machines and networks as follows:
  Two machines
  A machine and a network
  Two networks
Week 15: Sec. 7.3 Network Security Controls
• PKI and Certificates
• Often considered a standard, but in fact is a set of policies, products and procedures
• Services
  Create certificates associating a user's identity with a public key
  Give out certificates from the database
  Sign certificates (adding the credibility of the CA)
  Confirm or deny that a certificate is valid
  Invalidate certificates for users or for those whose private key is exposed
  Registration authority which interfaces between user and CA
• PKI under development in many countries.
Week 15: Sec. 7.3 Network Security Controls
[Table: Average time required for exhaustive key search - the table contents did not survive extraction]
Week 15: Sec. 7.3 Network Security Controls
• SSH Encryption (version 1 obsolete; version 2 best). Intended to replace utilities such as Telnet, rlogin and rsh.
• Defined for Unix; several commercial or shareware programs also exist for Windows.
• Protocol involves negotiation between local and remote sites for the encryption algorithm to use and the authentication method.
• Encryption algorithms: AES, 3DES, IDEA, Blowfish and DES.
• Authentication may be Kerberos or public key.
• Public key is asymmetric and slow, so it is used only to agree on the session key (symmetric and fast).
Week 15: Sec. 7.3 Network Security Controls
• SSL Encryption - originally designed by Netscape and copied by others.
• Now called TLS (Transport Layer Security). Interfaces between applications and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server.
• Client and server negotiate the encryption and hashing for the session.
• Protocol is simple but effective, widely used for secure communications on the Internet.
Week 15: Sec. 7.3 Network Security Controls
• IPSec - Defined by RFC 2401; mandatory in IPv6; uses Internet Key Exchange (IKE)
• Symmetric key cryptography is used for efficiency
• To exchange keys securely, a negotiation protocol is used that allows users to agree on authentication methods, encryption methods and the keys to use.
• It also specifies how long keys can be used before changing and how to accomplish key exchange.
• Can protect upper layer protocols (transport mode):
  | IP Header | AH Header | Payload |
• Can protect the entire payload, including the original IP header (tunnel mode):
  | New IP Header | AH Header | IP Header | Payload |
Week 15: Sec. 7.3 Network Security Controls
• Authentication of Distributed Systems - MIT's Kerberos system, OSF's Distributed Computing Environment (DCE), European SESAME, CORBA
Week 15: Sec. 7.3 Network Security Controls continued
• Access Controls - prevent unauthorized users by port control (automatic call back or limiting the places from which access is allowed)
• ACLs on Routers
• Firewalls
• Alarms and Alerts
• Honeypots & Honeynets - Honeypots: are they legal?
• Traffic Control - pad traffic on certain links or control routing of traffic on different links.
• Data Integrity - detect duplicate data, missing data or errors in data. Error control methods: parity (poor), checksums (fair), cyclic redundancy check (best). Also MD5 checksum. Digital signatures and authenticated certificates.
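As an added example of why the notes rank parity, checksums and CRC as poor, fair and best (this is not code from the lecture), the block below applies all three to a constructed message and to two kinds of damage a link can introduce: an even number of bit flips inside one byte slips past parity, and two swapped 16-bit words slip past the Internet checksum, while CRC-32 catches both.

```python
import zlib

# Constructed sample message (not from the lecture notes).
MESSAGE = b"Week 15 network integrity demo!!"

def parity_bits(data: bytes) -> bytes:
    """One even-parity bit per byte: the weakest of the three methods."""
    return bytes(bin(b).count("1") & 1 for b in data)

def internet_checksum(data: bytes) -> int:
    """16-bit ones' complement sum, the checksum used in IP, TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                         # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def crc32(data: bytes) -> int:
    """CRC-32 as used by Ethernet frames and zip files."""
    return zlib.crc32(data) & 0xFFFFFFFF

CHECKS = {"parity": parity_bits, "checksum": internet_checksum, "crc32": crc32}

def detects(method: str, original: bytes, corrupted: bytes) -> bool:
    """True if the check value stored for `original` no longer matches `corrupted`."""
    return CHECKS[method](original) != CHECKS[method](corrupted)

# Two kinds of damage, applied to the constructed message.
def flip_two_bits_in_one_byte(data: bytes) -> bytes:
    return bytes([data[0] ^ 0x03]) + data[1:]        # even number of flips in one byte

def swap_two_words(data: bytes) -> bytes:
    return data[2:4] + data[0:2] + data[4:]           # same bytes, different order

def compare_methods() -> dict:
    """Which method notices which kind of damage."""
    out = {}
    for label, damage in (("two bits flipped in one byte", flip_two_bits_in_one_byte),
                          ("two 16-bit words swapped", swap_two_words)):
        out[label] = {m: detects(m, MESSAGE, damage(MESSAGE)) for m in CHECKS}
    return out
```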
Week 15: Sec. 7.4 Firewalls
• Traditionally, a firewall is a wall separating two areas, in a building, a car, etc., to prevent fire from propagating from one area to another.
• By extension, it is used to separate two networks, to prevent hostile packets from one network from reaching the other.
• The most common firewall configuration protects a company's private network from the Internet.
• Firewalling traditionally operates by inspecting packet headers and discarding packets with undesirable header info.
Week 15: Sec. 7.4 Firewalls Continued
• Can be a software or hardware device or both.
• Two fundamental policies:
  Block certain traffic - allow all other
  Only permit certain traffic - block all other
• Types - screening routers, proxy gateways and guards
• Will only work if there are no other connections to the outside.
• Firewalls are usually prime targets of hackers since they are the most visible.
• SP2 for WinXP has a firewall but?
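The two fundamental policies above, as an added example written for these notes (not a vendor's or the course's own code): a first-match packet filter of the kind a screening router's ACL implements, with one rule list that blocks certain traffic and permits the rest, and one that permits certain traffic and blocks the rest. The rules, the campus address range 192.0.2.0/24 and the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    proto: str     # "tcp" or "udp"
    dport: int     # destination port

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # CIDR block, or "any"
    proto: str
    dport: Optional[int]     # None matches any port

    def matches(self, pkt: Packet) -> bool:
        src_ok = self.src == "any" or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
        return src_ok and self.proto == pkt.proto and (self.dport is None or self.dport == pkt.dport)

def screen(rules: list, default: str, pkt: Packet) -> str:
    """First-match packet filter, as an ACL on a screening router would apply it."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default            # the policy decides what happens to everything not listed

# Policy 1: block certain traffic, allow all other (default permit).
BLOCK_LIST = [Rule("deny", "any", "udp", 7),     # echo, the bounce target of the UDP flood
              Rule("deny", "any", "udp", 19),    # chargen
              Rule("deny", "any", "tcp", 23)]    # telnet
# Policy 2: only permit certain traffic, block all other (default deny).
ALLOW_LIST = [Rule("permit", "any", "tcp", 80),
              Rule("permit", "any", "tcp", 443),
              Rule("permit", "192.0.2.0/24", "tcp", 22)]   # SSH only from the (constructed) campus range

def compare_policies(pkt: Packet) -> dict:
    """Decision of each policy for one packet; they differ only on traffic nobody listed."""
    return {"block-certain": screen(BLOCK_LIST, "permit", pkt),
            "permit-certain": screen(ALLOW_LIST, "deny", pkt)}
```

A service nobody thought to list (such as a new remote-administration port) is let through by the first policy and stopped by the second, which is why the second is the safer default.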
Week 15: Sec. 7.5 Intrusion Detection Systems (IDS)
• Monitors activity to identify malicious or suspicious events.
• Two types of IDSs:
  Signature-based, often called rule-based.
  Heuristic-based, sometimes called anomaly-based.
• Ideally one should combine both types.
• Host-based IDS monitors a specific host.
• Network-based IDS monitors all or part of a network.
• Which type should an installation have? Answer: BOTH!
• Many devices are not a typical computer and don't support a host IDS (print servers, web cameras, switches and hubs).
Week 15: Sec. 7.5 (IDS) Continued
• Best IDS is in "Stealth Mode" - the attacker doesn't even know it is there.
• Responding to Alerts - requires a human.
• Problems with IDSs: they are not perfect and they make mistakes.
  Alerting on something that is not really an attack - "false positive".
  Not raising the alarm for a real attack - "false negative".
• Recent announcement by 2 vendors of a combined firewall and IDS. The device is called an Intrusion Prevention Device (IPD or IPS). Must be robust enough to handle all traffic and yet examine the contents of packets.
• Our Sonic Wall Pro model 300 firewall fails above 128,000 connections. And that's only looking at ports and IPs, NOT the packet contents.
• Our ECS IDS is only a 950 MHz Pentium II and it only collects 85% of traffic.
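As an added example (not from the lecture notes or from Snort), the block below runs a signature rule and an anomaly rule over a constructed connection log and shows both mistakes the notes name: the signature misses a URL-encoded variant of the pattern it knows (a false negative), and the rate rule flags a legitimate backup job alongside a port scan (a false positive). Combining the two, with known-good hosts exempt from the rate rule only, is what the notes recommend.

```python
import re
from collections import Counter

# Constructed connection log: (second, source IP, destination port, start of payload).
EVENTS = [
    (0, "203.0.113.7", 80, b"GET /index.html"),
    (1, "203.0.113.7", 80, b"GET /../../etc/passwd"),        # matches the signature below
    (2, "203.0.113.7", 80, b"GET /..%2f..%2fetc%2fpasswd"),  # same intent, URL-encoded
]
EVENTS += [(5, "192.0.2.50", 873, b"rsync") for _ in range(40)]      # nightly backup job (legitimate)
EVENTS += [(9, "198.51.100.9", port, b"") for port in range(1, 41)]  # port scan

SIGNATURES = [re.compile(rb"\.\./\.\./etc/passwd")]   # one rule-based pattern

def signature_alerts(events: list) -> list:
    """Rule-based: report every event whose payload matches a known pattern."""
    return [e for e in events if any(sig.search(e[3]) for sig in SIGNATURES)]

def anomaly_alerts(events: list, baseline: int = 10) -> list:
    """Anomaly-based: report sources opening more connections per second than the baseline."""
    per_second = Counter((t, src) for t, src, _, _ in events)
    return sorted({src for (_, src), n in per_second.items() if n > baseline})

def combined_alerts(events: list, known_good=frozenset()) -> set:
    """Both types together; known-good hosts are exempt from the rate rule only."""
    by_signature = {src for _, src, _, _ in signature_alerts(events)}
    by_anomaly = set(anomaly_alerts(events)) - set(known_good)
    return by_signature | by_anomaly
```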
Week 15: Sec. 7.5 (IDS) Continued
[Network diagram from the slides; the ASCII art did not survive extraction. Devices shown, from the Internet inward:]
• INTERNET <---> Campus VPN Server <---> Campus Cisco PIX Firewall
• CSUS North Router, then CSUS South Router
• ECS Switch (HP Procurve)
• ECSFire 1 (SonicWall), ECSFire 2 (SonicWall) and OXUS (IDS, Linux/Snort), with sensor #1 on the link above them
• ECS Main Switch, behind the two SonicWall firewalls
Week 15: Sec. 7.6 Secure E-mail
• Threats to electronic mail
  message interception (confidentiality)
  message interception (blocked delivery)
  message content modification
  message origin modification (faked sender message origin)
  message content forgery by outsider
  message origin forgery by outsider
  message content forgery by recipient
  message origin forgery by recipient
  denial of message transmission (repudiation)
• Requirements and Solutions
  Message confidentiality (message not exposed en route)
  Message integrity (what receiver sees is what was sent)
  Sender authenticity (receiver confident who sender was)
  Nonrepudiation (sender cannot deny sending message)
Week 15: Sec. 7.6 Secure E-mail Continued
• Design goal - encrypted e-mail would travel as ordinary messages so current Internet e-mail would not require changes.
• PGP (Pretty Good Privacy) is one example of encrypted e-mail.
• Say Bob and Alice want to exchange secure e-mail (the algorithm uses public, private and session keys just like many other encryption programs), so they exchange public keys and agree on an encryption algorithm.
  Bob creates a random session key Sk
  Encrypts the e-mail message with the session key: {M}Sk
  Encrypts the session key with Alice's public key: {Sk}Apub
  Generates a digital signature, the MD5 hash of the message, and encrypts it with Bob's private key: {MD5}Bpri
  Attaches the encrypted session key and encrypted hash to the encrypted message.
  Sends the message to Alice: {M}Sk + {Sk}Apub + {MD5}Bpri
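The Bob-to-Alice exchange above, as an added example written for these notes (not PGP's own code), using the Python `cryptography` package: AES-256-GCM stands in for the session-key cipher, RSA-OAEP for encrypting Sk under Alice's public key, and RSA-PSS with SHA-256 for the signature in place of the MD5 hash, since MD5 is no longer safe for signatures. Key sizes, the message and the tampering test are assumptions of this example.

```python
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)

def make_keypair():
    private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private, private.public_key()

def bob_sends(message: bytes, bob_private, alice_public) -> dict:
    """Build {M}Sk + {Sk}Apub + {hash(M)}Bpri."""
    sk = AESGCM.generate_key(bit_length=256)                      # random session key Sk
    nonce = os.urandom(12)
    enc_message = AESGCM(sk).encrypt(nonce, message, None)        # {M}Sk
    enc_sk = alice_public.encrypt(sk, OAEP)                       # {Sk}Apub
    signature = bob_private.sign(message, PSS, hashes.SHA256())   # hash of M under Bob's private key
    return {"nonce": nonce, "enc_message": enc_message, "enc_sk": enc_sk, "signature": signature}

def alice_receives(bundle: dict, alice_private, bob_public) -> bytes:
    """Recover Sk with Alice's private key, decrypt M, then check that the hash came from Bob."""
    sk = alice_private.decrypt(bundle["enc_sk"], OAEP)
    message = AESGCM(sk).decrypt(bundle["nonce"], bundle["enc_message"], None)
    bob_public.verify(bundle["signature"], message, PSS, hashes.SHA256())  # raises if not Bob's
    return message

def roundtrip(message: bytes) -> bool:
    bob_private, bob_public = make_keypair()
    alice_private, alice_public = make_keypair()
    return alice_receives(bob_sends(message, bob_private, alice_public), alice_private, bob_public) == message

def tampering_is_detected(message: bytes) -> bool:
    """One flipped ciphertext byte must fail the AES-GCM tag check before anything is trusted."""
    bob_private, bob_public = make_keypair()
    alice_private, alice_public = make_keypair()
    bundle = bob_sends(message, bob_private, alice_public)
    damaged = bytearray(bundle["enc_message"])
    damaged[0] ^= 0x01
    bundle["enc_message"] = bytes(damaged)
    try:
        alice_receives(bundle, alice_private, bob_public)
    except (InvalidTag, InvalidSignature):
        return True
    return False
```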
Week 15: Sec. 7.7 Summary of Network Security
• Encryption is the most powerful tool.
• Access control such as authentication or limited access points.
• Firewalls or encryption gateways.
• IDS is a must for any organization, both host and network.
• To determine the most vulnerable points in a network, put yourself in the place of a hacker and think of the easiest ways to access data. "Think outside of the box"