500 likes | 779 Views
System and Network Security Overview. What is network security about ?. It is about secure communication What do we mean by secure communication? Everything is connected by the Internet We will often use Alice and Bob
E N D
What is network security about ? • It is about secure communication • What do we mean by secure communication? • Everything is connected by the Internet • We will often use Alice and Bob • Alice is on a vacation and wants to send a command to her assistant—Bob—or just a computer to control the nuclear power plant, how can she do that?
What is it about ? • There are eavesdroppers that can listen on the communication channels • Information needs to be forwarded through packet switches, and these switches can be reprogrammed to listen to or modify data in transit • Is it hopeless for Alice?
Other examples • Alice sends Bob some sensitive information via Internet • Network manager remotely changes some Access Control Lists (intercepts, impersonation) • On-line stock trading, customer denies that she has sent the order
Cryptography • Cryptography allows us to disguise data so that eavesdroppers gain no information from listening • Cryptography also allows us to create unforgettable message and detect if it has been modified in transit: a digital signature is often used for this purpose—a magic number
Network/System Security Overview • Cryptography • Secret key cryptography • Modes of operation • Hashes and message digest • Public key cryptography • Some number theory, AES and elliptic curve cryptography • Authentication • How can Alice prove that she is Alice on networks? • Standards • Kerberos, PKI, IPSec, SSL • The underlying philosophy for these standards, that is, intuition behind various choices, design decisions, and flaws in these standards • Email security • Firewalls and secure systems
Two kinds of security • Computer security • Network security
Vulnerabilities of comp sys • attacks on hardware • attacks on software • deletion, modification (Trojan horse, trapdoor/backdoor, covert channel), infection through computer virus, theft, copying • attacks on data • compromising secrecy & integrity • attacks on other resources • storage media, time, key people
Computer security • The goal is to protect data and resources • How to design security mechanisms? • Cost/benefits • Threat model • Trust model • Available tools • Where to use security tool • Security is not only about cryptography • Identify the weakest point
Failures of security mechanisms • Failure to understand the threat model • Failure to understand what a mechanism protects against and what it does not • Bad design • Implementation fault • Misconfiguration • Bad interaction with other parts • Bad user interface
Network security • Security of data in transit • Security of data at rest
Importance of network security • Increasing large deployment of networked computers • Sensitive information/resources are coming online • Personal information • Financial services • Military • Infrastructure • Large number of users, large amounts of money
Most mentioned network terms • IP, UDP, TCP • Directory services • Packet switching Alice Bob Trudy R4 R6 R1 R2 R5 Token ring R3
Differences from systems security • Attacks come from anywhere, at any time • Highly automated attacks (script kiddies) • Physical security measures are inadequate • Wide variety of applications, services, protocols • No single authority/administrator
Reactions to Information Security • Active research in security & privacy(numerous conferences each year) • New laws • Education • Collaborations between governments, industries & academia • Employment of computer security specialists
Methods of defence (1) • modern cryptography • encryption, authentication code, digital signature etc • software controls • standard development tools (design, code, test, maintain, etc) • operating system controls • internal program controls (eg. database) • fire-walls
Methods of defence (2) • hardware controls • security devices • smart cards, ... • SecureID • physical controls • locks, guards, backup of data & software, thick walls, ... • security policies & procedures • user education • law
Intro Network Security • To assess the security needs of an organization effectively and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. • One approach is to consider 3 aspects of information security: • Security attack: any action that compromises the security of informationowned by an organization • Security method: a mechanism that is designed to detect, prevent, orrecover from a security attack • Security service: a service that enhances the security of the dataprocessing systems and the information transfers of an organization • The services are intended to counter security attacks, and they make use of one or more security methods to provide the service
Classification of Security Services • Confidentiality – Ensures that the information in a computer system and transmitted information are accessible only for reading by authorized parties • Authentication – Ensures that the origin of a message or electronic document is correctly identified, with an assurance that the identity is not false • Integrity – Ensures that only authorized parties are able to modify computer systems assets and transmitted information. • Nonrepudiation– Requires that neither the sender nor the receiver of a message be able to deny the transmission (nonrepudiation with proof of origin/delivery) • Access control (Authorization) – Requires that access to information resources may be controlled by or for the target system • Availability – Requires that computer system assets be available to authorized parties when needed
Threats • Passive attacks • Illegal interception (secrecy) • Traffic analysis • Active attacks • Denial of Service / Interruption (availability) • Un-authorised modification (integrity) • Fabrication (authenticity) • Replay • Man-in-the-middle attacks • Modification of messages
Illegal Interception • also called “un-authorised access” • difficult to detect • it leaves no traces • example: US military Tempest program measures how far away an intruder must be before eavesdropping is impossible. • The movement of electron can be measured from a surprising distance (control zone)
Traffic analysis • Military applications (spy identification) • Zeroknowledge Inc. http://www.zeroknowledge.com/ (anonymous web browsing and private, encrypted, untraceable email for customers stopped services) • AT&T Crowds project (system for protecting your anonymity while you browse the web) • Anonymizerhttp://www.anonymizer.com/ • Untraceable E-mails: Mix by David Chaum
Denial of Service • also called “Interruption”—recent example: DDoS, tool used in that DDoS trinoo http://staff.washington.edu/dittrich/misc/trinoo.analysis • information resources (hardware, software and data) are deliberately made unavailable, lost or unusable, usually through malicious destruction
Un-authorized Modification • un-authorised access & tampering with a resource (data, programs, hardware devices, copy of hand-written signature, etc.) • Ex. some portion of a legitimate message is altered, or that message is delayed or altered to produce an unauthorized effect
Fabrication and Impersonation • fabricate counterfeit objects (data, programs, devices, etc) • related examples: • counterfeit bank notes • fake cheques • impersonation/masquerading • to gain access to data, services etc • It takes place when one entity pretends to be a different entity. Example: by capturing authentication sequences and replaying them
Replay attacks • Passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.The attacker records a valid transaction and plays it back again later. • Most often when a same shared key is used between two peers • Defending against replay attacks is possible but painful as it requires maintenance of state
Man-in-the-middle attack • Is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims. • MITM attacks on SSL: Alice attackerreal site • Mafia in the Middle attack Alice coffee Jewelry
Modification of message • Some portion of a legitimate message is altered, or that message is delayed or altered to produce an unauthorized effect
How to defeat these attacks? illegal interception secrecy mix traffic analysis un-authorised modification integrity authentication impersonation authorization re-play man-in-the-middle other mechanisms denial of service
Key escrow for law enforcement • Law enforcement would like to preserve its ability to wiretap otherwise secure communication • Government wants to wiretap all the time, so it must prevent use of encryption, break the codes used for encryption, or somehow learn everyone’s cryptographic key • Clipper proposal attempted the 3rd option (encryption is done with Clipper chip—unique key) • At present, government is giving up the control of cryptography
Key escrow for careless users • It is prudent to keep your key in a safe place • Where? • Do you trust the unique key bank? • Split your keys and deposit in several independent places
Digital Pest: Virus, Worms, Trojan Horses No need to distinguish them.. But.. • Trojan horses: instructions hidden in a useful code • Virus: when executed, insert a copy in other codes • Worm: self-replicating code • Trap (back)-door: undocumented entry point • Logic bomb: malicious instruction which triggers on some event, such as a particular time occuring • Zombie: malicious code installed on a system that can be remotely triggered to do bad things
More on Digital Pest • Is it possible to detect a digital pest in a program?– One of the famous results in computer science is that it is impossible to be able to tell what an arbitrary program will do by looking at it!– In fact it is impossible in general to discern any nontrivial property of a program by looking at it (e.g. if the program will halt) • Anyway, nobody looks– Open source can help: maybe someone else will look! • A virus can be installed in any program as follows:– Replace any instruction, say the instruction at location x, by a jump to some free space in memory, say location y; then– Write the virus program starting at location y; then– Place the instruction that was originally at location x at the end of the virus program, followed by a jump to x+1 • Replication– Besides the delayed planned damage, the virus replicates itself silently.– If it did not wait before damaging the infected system, it would not spread as far!
Where do they come from ? • Commercial package: malicious employee? Infected before shipping?... • emails • Floppy disk boot • CDROM start-up execution • Spreading from machine to machine (scripts…guessing passwords automatically...)
Virus Checker • Check the instruction sequences for lots of types of viruses (virus patterns) • Smart virus changes its form each time (polymorphic virus), more work for virus checker to detect but still possible • Using snapshots of the files (not useful for some kinds of code)
Best practices • No perfect virus checker • Some precautions: • Do not run software from unknown sources • Frequently run virus checkers • Run code in the most restricted environments • When system tells you something is dangerous, do not try it • Do frequent backups • Do not boot off floppies, do not insert suspicious CDs into CDROM
Best Practices: How to protect a machine • Three key items would increase the security of a system and protect it from attacks: • Install critical security updates / patches for the Operating System and services / programs running on the machine as soon as they become available (with Microsoft platform, sign up for Automatic Windows Updates). Those will patch backdoors, and design flows/security vulnerabilities which can be exploit. • Install an Antivirus Software, and ensure it updates itself properly / constantly with latest virus definitions • Install a firewall: as most attacks will come from the network, closing unused ports would substantially decreases chances of successful attack.
Authentication and authorization • In a network application, the first question is “who you are?” then “what you are allowed to do?” • Authentication proves who you are and authorization defines what you can do • Access Control Lists (ACL)—database listing who can access a certain objects • Capability Model—database listing what each user can do
Discretionary and Nondiscretionary Access Controls (DAC & MAC) • Discretionary means that someone who owns a resource can make a decision as to who is allowed to use (access) it • Nondiscretionary (mandatory) access controls enforce a policy where users might be allowed to use information themselves but might not be allowed to make copy of it available to someone else (even the owner cannot change the attribute of a data file)
Philosophy behind these access controls • Discretionary controls: users and programs are good guys, OS decide how to protect each user’s data • Nondiscretionary: users are careless, programs may be infected. Careless users may type a wrong command and attach a secret file to an email sent to the public world. The information should be confined in a security perimeter
TOP SECRET SECRET CONFIDENTIAL OPEN Multi-level model of security • Security labels: • Both subjects and objects have security labels • Only subjects with the proper clearance (security label) can see the objects with the same or lower level of security labels
Information Flow control • Bell LaPadula (BLP) model • Simple security property: no read up • *-property: no write down
Covert channels • A covert channel is a method for a Trojan horse to circumvent the automatic confinement of information within a security perimeter (Assume the Trojan horse program has not enough privileges to directly send confidential data outside the system) • Example: OS enforce the multilevel security. A bad guy tricked a “TOP SECRET” guy to run a Trojan horse.
Covert channels (cont.) • The timing channel – The Trojan horse program alternately loops and waits, in cycles of, say one minute per bit (of the confidential data). When the bit is 1: the program loops for one minute. When the bit is 0: the program waits for a minute. Another program running on the same computer (but without access to the sensitive data) constantly tests the loading of the Trojan horse. • The storage channel – The Trojan horse program loads a (printer) queue to represent a 1, and delete its jobs to represent a 0. Easy to check the queue status and get the information. • The error channel – The Trojan horse program creates a file to represent a 1, and delete it to represent a 0. The external process tries to read the file: since different error messages are reported when the file exists (but its access is not permitted) or when the file does not exist, which are used to distinguish between the 0's and 1's.
The Orange Book • The National Computer Security Center (NCSC) published an official standard called “Trusted Computer System Evaluation Criteria” (the Orange Book) which defines a series of ratings a computer system can have based on its security features and the care that went into its design, documentation, and testing
Orange book (cont.) • System certification • D—minimal protection • C1—DAC • C2---per-user access control, auditing • B1---security label (MAC) • B2---trusted path, security kernel • B3---negative ACLs, secure crash recovery • A1---verified design