Network Security
Threat Model • Botnets are characteristic of the threats you are facing from the Internet. A bot is a program that receives commands from a bot controller. • Botnet is the generic name given to any collection of compromised PCs controlled remotely by an attacker. • Each such compromised device is known as a "bot". • A bot controller may use Internet Relay Chat (IRC) or HTTP to launch spam or DoS attacks. • To take out a botnet, you have to take out the bot controller, e.g. by blocking its IP address.
Threat Model • Botnets employ fast flux techniques to obfuscate the specific host involved in their phishing schemes, malware delivery or other criminal enterprises. • In fast flux networks, the bots know their controller by its domain name. A bot controller then just moves to a new IP address when its current address is blocked. • In fast domain flux networks, the domain name of a bot controller can be changed dynamically. The bot controller registers a new domain name when its current name is blacklisted. • A net adversary is a malicious network node which has the capacity to: • read messages directly addressed to it. • spoof arbitrary sender addresses. • try to guess fields sent in unseen messages.
TCP Session Hijacking • The TCP handshake protocol: • A is the client, B is the server. SYN and ACK indicate that the respective bits have been set; ISNa and ISNb are 32-bit sequence numbers. • A → B: SYN, ISNa • B → A: SYN|ACK, ISNb, ACK(ISNa) • A → B: ACK, ACK(ISNb) • ACK(ISNa) = ISNa + 1. ACK(ISNb) = ISNb + 1. • An attacker trying to impersonate A has to guess the sequence number ISNb sent to A. This protocol is therefore secure as long as sequence numbers are random. • However, for the ISN each TCP entity maintains a 32-bit counter, which is supposed to be incremented by 1 at least every 4 microseconds. Even worse, Berkeley’s Unix kernels incremented the counter by 128 every second, and by 64 for each new connection.
TCP Session Hijacking • An attack developed in 1985: • M is an attacker who tries to impersonate A. • The attacker M first opens a genuine connection to its target B and receives a sequence number ISNb. The attacker then impersonates A, sending a packet with A’s address in the source field: M(A) → B: SYN, ISNc • B replies to the legitimate A with B → A: SYN|ACK, ISNb’, ACK(ISNc) • M does not see this message but uses ISNb to predict the current value ISNb’ and sends M(A) → B: ACK, ACK(ISNb’) • B now assumes it is communicating with A!
TCP Session Hijacking • This is particularly dangerous in systems that apply ‘address-based’ authentication (e.g. the Unix Remote Shell (RSH) service), which assume that users logging in from a trusted host have already been authenticated. • To defend against this attack, a firewall could block all TCP packets arriving from the Internet with a ‘local’ source address. This scheme works if all your trusted hosts are on the local network. If trusted hosts also exist on the Internet, the firewall has to block all services based on address-based authentication. • Or, avoid address-based authentication altogether! (Cryptographic authentication is always preferable.)
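Why the slides insist on random sequence numbers, as an added example that is not part of the original slides: a model of the counter-based generator next to a per-connection keyed generator in the style of RFC 6528. The addresses and key are constructed, and HMAC-SHA-256 stands in for the hash function F, which is an assumption of this sketch.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF

class CounterISN:
    """Global counter as on the slide: +128 per second, +64 per new connection."""
    def __init__(self, start=0):
        self.counter = start & MASK32

    def tick(self, seconds=1):
        self.counter = (self.counter + 128 * seconds) & MASK32

    def next_isn(self, four_tuple):
        isn = self.counter                      # one sequence shared by every peer
        self.counter = (self.counter + 64) & MASK32
        return isn

class KeyedISN:
    """RFC 6528 style: ISN = timer + F(connection 4-tuple, secret key)."""
    def __init__(self, key):
        self.key = key
        self.timer = 0

    def tick(self, seconds=1):
        self.timer = (self.timer + 250_000 * seconds) & MASK32   # 4 microsecond timer

    def next_isn(self, four_tuple):
        mac = hmac.new(self.key, repr(four_tuple).encode(), hashlib.sha256).digest()
        return (self.timer + int.from_bytes(mac[:4], "big")) & MASK32

def isn_leaks_across_connections(gen):
    """Return True if the ISN seen on one connection gives away the ISN that
    the server picks for a different 4-tuple opened immediately afterwards."""
    # Constructed documentation addresses: (src, sport, dst, dport).
    observed = ("203.0.113.9", 40000, "192.0.2.1", 514)
    other = ("198.51.100.7", 1023, "192.0.2.1", 514)
    seen = gen.next_isn(observed)
    expected_next = (seen + 64) & MASK32        # the counter's known step
    return gen.next_isn(other) == expected_next
```

With the shared counter, one observed ISN determines the next one for any peer; with the keyed generator, each 4-tuple has its own offset, so an ISN observed on one connection says nothing about another.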
TCP SYN Flooding Attacks • In the TCP handshake protocol, after responding to the first SYN packet, server B stores the sequence number ISNb so that it can verify the ACK from A. • An attacker M could initiate a large number of TCP open requests (SYN packets) to B without completing the protocol runs, until B reaches its half-open-connection limit and cannot respond to new incoming requests. • How can we prevent this?
Domain Name System • Hosts on the Internet are usually known by their DNS name. • To connect to a host you need the IP address currently corresponding to its domain name. • The DNS is a distributed directory service for domain names (or host names). • It is used for looking up IP addresses for host names, and host names for IP addresses (reverse look-up). • It is also used for a number of other services (e.g. SPF, the Sender Policy Framework, uses DNS records to identify valid mail servers).
Domain Name System • DNS knows various types of resource records. The binding of host names to IP addresses is given in an A record. • Host names and IP addresses are collected in zones. • A zone is managed by its authoritative name server, which provides the mapping between host names and IP addresses for its zone. • Protocols such as BIND, MSDNS, PowerDNS, and DJBDNS are used to resolve host names to IP addresses.
Domain Name System • There are only 13 (logical) root servers on the Internet. • GTLD stands for Global Top-Level Domain (in charge of .com, .net, .org, .edu, .tv, .ws, .uk, etc.). • TTL stands for the Time-to-Live of a binding.
Lightweight Authentication • The resolver uses a ‘challenge-response’ protocol to authenticate the origin of the replies it receives. • A 16-bit query ID (or QID) and the UDP port that should receive the answer are included in each request. • The responding name server copies the QID into its answer and replies on the port indicated. • The resolver caches the first answer received for a given QID on the nominated port. • The only possible attack here is trying to guess the QID and its corresponding UDP port number. • The probability of an attacker correctly guessing the QID is 2^-16.
Cache Poisoning Attack • The attacker asks a resolver to resolve a host name the attacker wants to take over. (This host name must not have an entry in the resolver cache.) • The attacker immediately floods the resolver with spoofed answers that map the host name to an IP address of the attacker’s choice. • The spoofed answers contain guessed QIDs with a long TTL and are sent to a guessed UDP port. • If a spoofed answer with the correct QID arrives on the correct port before the genuine answer, the attacker’s value is cached in the resolver cache and the correct answer is dropped.
Cache Poisoning Attack • The probability of the attack succeeding depends on the following factors: • The difficulty of guessing the QID (easy if the QID is generated by a counter). • The difficulty of guessing the port number (easy if a fixed port number is used). • The width of the time window until the authoritative answer arrives (the attacker may perform a DoS attack against the authoritative name server). • A good implementation of DNS will address the first two.
Additional Resource Records • Authoritative name servers send additional resource records to resolvers, where these records are cached just in case they might prove useful in future. • A malicious authoritative name server might provide resource records for other domains when being queried for a host in its domain. • Therefore, the resolver performs bailiwick checking: additional resource records that do not belong to the queried domain are not accepted.
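The resolver-side checks from the three slides above (QID and port matching, first answer wins, bailiwick checking), as an added example that is not part of the original slides. The `Resolver` class, its method names and all host names and addresses are hypothetical and constructed for illustration; TTL handling is left out.

```python
import secrets

def norm(name):
    return name.lower().rstrip(".")

def in_bailiwick(name, zone):
    """True if name is the zone itself or a subdomain of it."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

class Resolver:
    def __init__(self):
        self.pending = {}   # (port, qid) -> (qname, zone being queried)
        self.cache = {}     # host name -> address

    def send_query(self, qname, zone):
        """Pick an unpredictable QID and source port; remember what was asked."""
        while True:
            qid = secrets.randbelow(1 << 16)
            port = 1024 + secrets.randbelow(65536 - 1024)
            if (port, qid) not in self.pending:
                break
        self.pending[(port, qid)] = (norm(qname), norm(zone))
        return port, qid

    def receive(self, port, qid, qname, address, additional=()):
        """Apply the checks to one incoming answer."""
        asked = self.pending.get((port, qid))
        if asked is None or asked[0] != norm(qname):
            return "dropped"                # wrong port, wrong QID or wrong question
        del self.pending[(port, qid)]       # first matching answer wins
        qname, zone = asked
        self.cache[qname] = address
        for name, addr in additional:       # bailiwick check on extra records
            if in_bailiwick(name, zone):
                self.cache[norm(name)] = addr
        return "accepted"
```

Because the port is drawn at random as well as the QID, a spoofed answer has to match both values before the genuine answer arrives, and an out-of-zone additional record is discarded even when the answer itself is accepted.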
Dan Kaminsky’s Attack • Such an attack succeeded in practice within 10 seconds! • This is a very serious attack that could even be launched against TLDs!
Dan Kaminsky’s Attack • Protective countermeasures: • Run queries on random ports. (Why?) • Restrict access to local resolvers. It is better to have two separate resolvers: a zone should use a recursive name server for internal queries to resolve external host names, and a non-recursive server for resolving external queries for host names in the zone. • Do not use simple ‘challenge-response’ authentication! Use cryptographic authentication: apply digital signatures via DNSSec.
DNSSec • DNSSec (short for DNS Security Extensions) protects the authenticity and integrity of resource records with digital signatures. • It is still not very widely used due to obstacles such as the complexity of the hierarchy of signers, the requirement to change the original DNS protocol, and the infeasibility of partial implementation. Skip Section 17.2.6
Firewalls • To control what traffic is allowed to enter your network (ingress filtering) or leave your network (egress filtering) you need a firewall. • A firewall is a network security device controlling traffic flow between two parts of a network. • Firewalls are often installed between the network of an entire organization and the Internet, but could also be installed in an intranet to protect individual departments. • Host-based vs. network-based firewalls. • A firewall blocks outside access to internal services, and restricts access from inside to external services that are deemed dangerous. • However, using a dial-up connection or USB 3G/4G sticks from inside the internal network puts the whole network in a danger that a firewall cannot help to confront. These are unprotected entry points into the network behind a firewall.
Firewalls • A firewall can route sensitive traffic via a virtual private network (VPN). A VPN establishes a secure connection between the gateways of subnets of an organization that are not directly connected. All traffic between subnets has to go through these gateways, where cryptographic protection is added to extend the security. • Firewalls are capable of performing NAT. • Firewalls implement access control on ISO/OSI layers 2, 3, 4, 5 and/or 7. Parameters that could be used for access control can be found at each layer. At layer 3 you have source and destination IP addresses. At layer 4 you have TCP and UDP port numbers.
Packet Filters • Packet filtering firewalls work at OSI layers 3 (network) and 4 (transport). • Rules specifying which packets are allowed through the firewall and which are dropped are applied to packets individually. • Rules for traffic in both directions can be defined. • Example of information that can be filtered by a packet filtering firewall.
Packet Filters • Only static rules can be enforced. For example, when a client sends an FTP request to an FTP server, the firewall cannot link the data packets coming back from the server to this request. • Example of a packet filtering firewall policy (or ACL). • Practical firewall ACLs are not written this way! • They are mostly written on a (drop all; except ...) or (allow all; except ...) basis.
Stateful Packet Filters • Stateful packet filtering firewalls can understand requests and replies (i.e. they are dynamic). They work at OSI layers 3 (network), 4 (transport) and 5 (session). • For example, they can understand how the TCP session open handshake works (i.e. SYN, SYN-ACK, ACK). • Rules are only specified for the first packet in one direction, and then new rules are created ‘dynamically’ in real time. • Very useful when using protocols such as FTP, IRC, etc. • Packet filtering can be done by routers, giving high performance at lower cost.
Application-Level Proxies • For each application protocol the firewall should police, a proxy implements a client/server service on the firewall. • Application-level proxy firewalls are capable of inspecting the content of the data. • When a client connects to the firewall, the proxy acts as the server and validates the request. A mail proxy, for example, could filter out viruses, worms and spam. If the client request is allowed, the proxy acts as a client and connects to the destination server. Responses come back through the firewall and are again processed and checked by the proxy. • An application-level proxy firewall must be the only entity seen by the outside world, and must appear transparent to the internal users except for filtering.
Application-Level Proxies • Application-level proxy firewalls can provide good control over the content of incoming and outgoing traffic, which should lead to a better security level. • However, they process a large amount of data per connection, and their configuration is somewhat complicated. This makes them less secure and slows down their performance. • Finally, you need a firewall for each service you want to protect. This reduces their scalability with the growing number of Internet services on offer. • Application-level proxies vs. packet filters (the telephone example).
Firewall Policies • There are two types of firewall policies: • Permissive policies: allow all traffic but block certain services. • Restrictive policies: block all traffic but allow certain services. • Which one is more secure? • A policy is usually represented as an Access Control List (ACL). For example: • Allow from internal network to Internet: HTTP, FTP, SSH, DNS. • Allow from anywhere to mail server: SMTP only. • Allow from mail server to Internet: SMTP, DNS. • Allow from internal network to mail server: SMTP, POP3. • Allow reply packets. • Block everything else.
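The example ACL above written out as a restrictive, stateful filter, as an added example that is not part of the original slides. The internal range, the mail server address and the service-to-port mapping are assumptions; zones are derived from the source address alone, whereas a real firewall would also check the interface a packet arrived on.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")      # assumed internal network
MAIL = ip_address("192.0.2.25")           # assumed mail server address
PORTS = {"HTTP": 80, "FTP": 21, "SSH": 22, "DNS": 53, "SMTP": 25, "POP3": 110}

def zone(addr):
    a = ip_address(addr)
    if a == MAIL:
        return "mail"
    return "internal" if a in INTERNAL else "internet"

# (source zone, destination zone, allowed services); "any" matches every zone.
RULES = [
    ("internal", "internet", {"HTTP", "FTP", "SSH", "DNS"}),
    ("any", "mail", {"SMTP"}),
    ("mail", "internet", {"SMTP", "DNS"}),
    ("internal", "mail", {"SMTP", "POP3"}),
]

class StatefulFilter:
    def __init__(self):
        self.flows = set()      # flows opened by an allowed first packet

    def decide(self, src, sport, dst, dport):
        # "Allow reply packets": the reverse of a flow that was let through.
        if (dst, dport, src, sport) in self.flows:
            return "allow"
        src_zone, dst_zone = zone(src), zone(dst)
        for rule_src, rule_dst, services in RULES:
            if rule_src in ("any", src_zone) and rule_dst == dst_zone:
                if dport in {PORTS[s] for s in services}:
                    self.flows.add((src, sport, dst, dport))
                    return "allow"
        return "block"          # "Block everything else"
```

The static rules only ever match the first packet of a connection; everything coming back is admitted by the flow table, which is the dynamic rule creation the stateful packet filter slide describes.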
Perimeter Networks • Where should the mail server be placed in relation to the firewall? • A mail server requires external access to receive mail from outside, so it should be inside the firewall; the firewall can then protect access to the mail server from outside. • A mail server also requires internal access to receive mail from the internal network, so it should be outside the firewall, to stop worms and viruses spreading from the internal network or to prevent confidential documents leaving the internal network. • Solution: create a perimeter network, also known as a demilitarized zone (DMZ), for servers that require access from both inside and outside the firewall.
Limitations and Problems • Firewalls do not protect against insider threats. • Blocking services may create inconveniences for users. • Network diagnostics may be harder. • Some protocols are hard to support. • Packet filtering firewalls do not provide content-based filtering. • Protocol tunnelling can bypass firewalls (e.g. MSN/HTTP). • Encrypted traffic cannot be filtered (e.g. SSL/TLS (HTTPS), SSH, and IPSec (tunnel mode VPN)).
Intrusion Detection • Firewalls cannot prevent all attacks! • Firewalls prevent attacks; but what about the attacks that bypassed or deceived the firewall? They should be detected! • To detect network attacks an Intrusion Detection System (IDS) should be deployed. • An IDS consists of a set of sensors gathering data, located either on the hosts or on the network. • The sensor network is managed from a central console. • Data are analyzed, intrusions reported and possibly reactions triggered. • The communication between sensors and console should be protected. • Two approaches for detecting intrusions: • Misuse Detection • Anomaly Detection
Vulnerability Assessment • Vulnerability assessment examines the security state of a network. • Information about open ports, software packages running (e.g. which version? when were they last updated? which service pack? which patches are installed?), network topology, and more, is collected. A prioritized list of vulnerabilities is then checked. • This can be done manually or automatically. • The assessment is only as good as the knowledge base that has been built for it.
Misuse Detection • Misuse detection looks for attack signatures. • Attack signatures are patterns of network traffic or activity in log files that indicate suspicious behavior. • Examples: number of failed login attempts, pattern of bits in an IP packet indicating a buffer overflow attack, or certain types of TCP SYN packets that indicate a SYN flooding attack. • These systems are only as good as the information in the database of attack signatures (knowledge-based IDS). • New vulnerabilities are constantly being discovered and explored. Vendors need to keep up to date with the latest attacks and issue database updates. Customers need to install updates.
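A signature for the SYN flooding attack named above and described on the earlier TCP SYN Flooding Attacks slide, as an added example that is not part of the original slides. The event format, the `limit` and `timeout` values and the trace are constructed for illustration.

```python
def detect_syn_flood(events, limit=5, timeout=30.0):
    """Signature: more than `limit` half-open connections to one service.

    events: (time, src, sport, dst, dport, flag) with flag "SYN" for a client's
    opening packet and "ACK"/"RST" for the packet that completes or aborts it.
    Returns a list of (time, dst, dport, half_open_count) alerts.
    """
    half_open = {}      # (src, sport, dst, dport) -> time the SYN was seen
    alerts = []
    for ts, src, sport, dst, dport, flag in events:
        # Drop entries the server itself would have timed out by now.
        for key in [k for k, t in half_open.items() if ts - t > timeout]:
            del half_open[key]
        key = (src, sport, dst, dport)
        if flag in ("ACK", "RST"):
            half_open.pop(key, None)        # handshake finished or aborted
            continue
        if flag != "SYN" or key in half_open:
            continue                        # ignore retransmitted SYNs
        half_open[key] = ts
        backlog = sum(1 for k in half_open if k[2:] == (dst, dport))
        if backlog == limit + 1:            # alert once, when the limit is crossed
            alerts.append((ts, dst, dport, backlog))
    return alerts

def sample_trace():
    """Constructed trace: three completed handshakes, then eight bare SYNs."""
    server = ("192.0.2.10", 80)
    trace = []
    for i in range(3):
        client = ("198.51.100.%d" % (i + 1), 50000 + i)
        trace.append((float(i), *client, *server, "SYN"))
        trace.append((i + 0.1, *client, *server, "ACK"))
    for i in range(8):                      # varying source addresses, never ACKed
        trace.append((10 + i * 0.01, "203.0.113.%d" % (i + 1), 1024 + i, *server, "SYN"))
    return trace
```

The count is kept per destination service rather than per source, because the source addresses in a flood can be spoofed and need not repeat.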
Anomaly Detection • Also known as Behaviour-based Detection. • Statistical anomaly detection uses statistical techniques to detect potential intrusions. • First the ‘normal’ behavior is established as a baseline. • During operation, a statistical analysis is performed and the deviation from the baseline is measured. If a threshold is exceeded, an alarm is raised. • The baseline defines normality, so there is a chance of detecting novel attacks without having to update a knowledge base. • Attacks are not necessarily anomalies. A careful attacker might just ‘fly under the radar’ of the IDS and remain undetected. • Many such IDSs suffer from high false-positive and/or false-negative rates.
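The baseline-and-threshold procedure above, including both failure modes the slide warns about, as an added example that is not part of the original slides. The metric (failed logins per hour), the choice of mean plus three standard deviations and all numbers are constructed for illustration.

```python
from statistics import mean, pstdev

class Baseline:
    """'Normal' behaviour learned from attack-free training data."""
    def __init__(self, training, k=3.0):
        self.mu = mean(training)
        self.sigma = pstdev(training)
        self.threshold = self.mu + k * self.sigma

    def alarms(self, observations):
        """Indices of observations whose value exceeds the threshold."""
        return [i for i, x in enumerate(observations) if x > self.threshold]

    def excess_missed(self, observations):
        """Activity above the baseline mean that never raised an alarm."""
        return sum(x - self.mu for x in observations
                   if self.mu < x <= self.threshold)

# Constructed data: failed logins per hour on one host.
TRAINING = [2, 3, 1, 4, 2, 3, 2, 3]      # mean 2.5, threshold about 5.1
NOISY_ATTACK = [3, 2, 40, 3, 2, 3, 2, 3]  # one loud burst of guesses
SLOW_ATTACK = [5, 5, 5, 5, 5, 5, 5, 5]    # stays just under the threshold
BUSY_HOUR = [3, 6, 2, 3]                  # benign spike, e.g. after a password change

def summary():
    b = Baseline(TRAINING)
    return {
        "noisy_alarms": b.alarms(NOISY_ATTACK),       # detected
        "slow_alarms": b.alarms(SLOW_ATTACK),         # false negative
        "slow_missed": b.excess_missed(SLOW_ATTACK),  # extra attempts unnoticed
        "benign_alarms": b.alarms(BUSY_HOUR),         # false positive
    }
```

The slow series raises no alarm even though it adds 20 attempts above the baseline mean over eight hours, while a single benign hour with six failures does raise one.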
Network-Based IDS • Based in the network. • A NIDS looks for attack signatures in network traffic. • Monitors and analyses the traffic in real time. • Three common techniques for recognizing attacks: • Patterns. • Frequency. • Correlation of events (not widely used). • Snort is a popular NIDS developed in the open source community.
Host-Based IDS • A HIDS looks for attack signatures in the log files of hosts. • It can also verify the checksums of system files. • Some HIDSs listen to port activity and generate an alert when specific ports are accessed. • There is a trend towards HIDS, yet it is always better to have both HIDS and NIDS. • An attacker might trick the IDS into responding, with the response aimed at an innocent target (by spoofing the source IP address). Users can be locked out of their accounts because of false positives.
Honeypots • A honeypot is a detection trap: it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. • Honeypots mimic real systems but do not contain real operational data. • They aim to learn about novel attack techniques. • Honeypots can generally be divided into different categories: • Low-interaction honeypots offer basic emulation of some services and the operating system. There is not much an attacker can do on them, so there is a limit to the adversarial behavior the honeypot can log. • High-interaction honeypots offer real services, with fake data.
Reading • “Computer Security”, 3rd edition, by Dieter Gollmann. Wiley, March 2011. • Chapter 17