
Network Security

Network Security. Professor Nen-Fu Huang (黃能富), Department of Computer Science / Institute of Communications Engineering, National Tsing Hua University. E-mail: nfhuang@cs.nthu.edu.tw. Agenda: Introduction to Network Security; Content Inspection Technologies; Pattern Matching Algorithms; Flow Classification by Stateful Mechanism





Presentation Transcript


  1. Network Security. Professor Nen-Fu Huang (黃能富), Department of Computer Science / Institute of Communications Engineering, National Tsing Hua University. E-mail: nfhuang@cs.nthu.edu.tw

  2. Agenda • Introduction to Network Security • Content Inspection Technologies • Pattern Matching Algorithms • Flow Classification by Stateful Mechanism • Machine Learning Based Application Identification Technologies • Network Security Research Topics • Conclusions

  3. -- Hackers Are Everywhere -- • 2000/3: Hackers used DDoS attacks to paralyze well-known sites such as Yahoo, Amazon, CNN and eBay • 2001/7: Bibliofind, an Amazon.com subsidiary, had its customers' credit card data stolen by hackers • 2002: China–US hacker war • 2003/1: SQL Slammer attack • 2003/4: The Chinese "Liuguang" (流光) backdoor program • 2003/8: Blaster (疾風) virus attack • 2003/9: SoBig (老大) virus attack • 2003/9: Attacks by Chinese cyber forces • 2004/3: Netsky (天網) virus attack • 2004/4: Sasser (殺手) virus attack • 2005/5: Taiwan's College Entrance Examination Center had its data tampered with by hackers • 2005/6: The Ministry of Foreign Affairs website had diplomatic secrets stolen by a backdoor program planted by Chinese cyber forces

  4. Network Security Concerns • Network attack techniques evolve constantly; attack tools are easy to obtain and have simple, intuitive interfaces, so attacks can be launched without advanced skills. • Network attacks are no longer limited to intrusion; many attacks aim to deny a site's ability to provide service. • Network communication equipment lacks sufficient security: routers and switches can only inspect Layer-3 packet information. • Firewalls focus on inspecting Layer-4 packet information. • Antivirus software is increasingly unable to recognize network attacks.

  5. Examples of Network Attack Tools

  6. Examples of Network Attack Tools

  7. Examples of Network Attack Tools

  8. Basic Concepts of Network Security • Confidentiality of data • Trustworthiness (integrity) of information • Availability of information • Policy

  9. Types of Network Attacks • Denial of Service (DoS), Distributed Denial of Service (DDoS) • Network Invasion • Network Scanning • Network Sniffing • Trojan Horses and Backdoors • Worms

  10. (1) DoS/DDoS • Prevents another user from using a network connection, or disables a server or its services: e.g. “Smurf” and “Fraggle” attacks, “Land”, “Teardrop”, “NewTear”, “Bonk”, “Boink”, SYN flooding, “Ping of death”, IGMP Nuke, buffer overflow. • Caused by protocol faults or program faults. • It damages “Availability”.

  11. Common DoS Attacks • Ping Flooding • Sends a large number of ICMP echo packets to the victim host to exhaust its system resources. • Ping of Death • The attacker sends an ICMP echo packet carrying 65,536 bytes to the victim host, which crashes as a result (a flaw in the TCP/IP protocol implementation). • UDP flooding (Chargen) • The attacker sends a large number of UDP packets to port 19 (Character Generator) of the victim network's broadcast address, causing every host on that network to send UDP reply packets and exhausting the network's bandwidth.

  12. Common DoS Attacks • Smurf Attack • A “kill with a borrowed knife” tactic. The attacker sends ICMP echo packets to the broadcast address of some network, with the source address set to the host to be attacked. Every machine in that network then sends an ICMP reply to the victim host: not only is that network's bandwidth congested, the victim host also exhausts its system resources. • SYN flooding • The attacker sends thousands of SYN packets (used to establish TCP connections) per second to the victim host, with the source address set to a forged or non-existent address. The victim host replies with SYN-ACK to the non-existent address, which of course never responds. As a result the victim host can no longer accept other TCP connections, so legitimate users cannot log in.

  13. Smurf attack (DoS) • Dangerous attacks • Network-based, fills access pipes • Uses ICMP echo/reply (smurf) or UDP echo (fraggle) packets with broadcast networks to multiply traffic • Requires the ability to send spoofed packets • Abuses “bounce-sites” to attack victims • Traffic multiplied by a factor of 50 to 200 • Low-bandwidth source can kill high-bandwidth connections • Similar to ping flooding, UDP flooding but more dangerous due to traffic multiplication

  14. “Smurf” Attack (cont’d)

  15. SYN flooding Attack (DoS) • Goal is to deny access to a TCP service running on a host. • Creates a number of half-open TCP connections which fill up a host’s listen queue; host stops accepting connections. • Requires the TCP service be open to connections from the victim.

  16. SYN flooding (cont’d) [figure: the Attacker sends spoofed SYNs to the Victim; the Victim's SYN-ACKs go to the spoofed addresses (The Innocents)]
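The half-open connections described on the SYN flooding slides are also what a passive network IDS watches for. The following is an added example, not code from the lecture: it replays a constructed list of handshake packets (made-up addresses, only SYN/SYN-ACK/ACK recorded) the way a sensor on a port mirror would see them, keeps the handshakes that a client SYN opened but never completed with its final ACK, and raises an alert for any server whose half-open count reaches a threshold. The function names and the packet tuple layout are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample of TCP handshake packets as a passive sensor might log
# them: (time_s, src_ip, src_port, dst_ip, dst_port, flags), with
# "S" = SYN, "SA" = SYN-ACK, "A" = the client's final ACK.
# All addresses are made up. Only handshake packets are included.
LEGIT = [
    (0.0, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    (0.1, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    (0.2, "10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    (0.3, "10.0.0.6", 40002, "192.0.2.10", 80, "S"),
    (0.4, "192.0.2.10", 80, "10.0.0.6", 40002, "SA"),
    (0.5, "10.0.0.6", 40002, "192.0.2.10", 80, "A"),
]
# Six SYNs from forged sources; the server's SYN-ACKs are never answered.
SPOOFED = []
for i in range(6):
    src = f"203.0.113.{i + 1}"
    SPOOFED.append((1.0 + i * 0.01, src, 50000 + i, "192.0.2.10", 80, "S"))
    SPOOFED.append((1.005 + i * 0.01, "192.0.2.10", 80, src, 50000 + i, "SA"))
# One unanswered SYN to another server: normal background noise.
NOISE = [(1.5, "10.0.0.7", 40003, "192.0.2.20", 22, "S")]

SAMPLE_PACKETS = LEGIT + SPOOFED + NOISE


def half_open_connections(packets):
    """Replay the packets and return the handshakes that a SYN opened but the
    client's ACK never completed, keyed by (client_ip, client_port,
    server_ip, server_port). Sequence numbers are not checked here; a real
    sensor would verify them so an ACK cannot close an unrelated entry."""
    pending = {}
    for t, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = t            # handshake opened by the client
        elif flags == "A":
            pending.pop(key, None)      # client's ACK completes the handshake
        # "SA" comes from the server and does not change the client's state
    return pending


def syn_flood_alerts(packets, threshold):
    """Count half-open handshakes per (server_ip, server_port) and report the
    servers at or above the threshold, i.e. whose listen queue is at risk of
    filling with connections that will never complete."""
    counts = defaultdict(int)
    for _cip, _cport, sip, sport in half_open_connections(packets):
        counts[(sip, sport)] += 1
    return {server: n for server, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(syn_flood_alerts(SAMPLE_PACKETS, threshold=5))
```

In practice the threshold is set relative to the size of the server's listen queue and the entries are aged out over a time window; the sample above uses a small threshold only so that the six spoofed SYNs stand out. Once a flood is confirmed, the usual host-side mitigation is SYN cookies, which let the server avoid keeping state for half-open connections at all.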

  17. DDoS Attack [figure: the Attacker controls several Handlers, each of which controls several Agents; control messages may be encrypted or hidden in normal packets; the Agents send spoofed packets to the Victim]

  18. DDoS Attack • The attacker remotely controls many zombie machines to launch massive attacks on the victim host at the same time. • The attacks on Yahoo.com, Amazon.com, CNN.com, buy.com and ebay.com used DDoS.

  19. DDoS Attack Examples • Examples of DDoS attack programs: • Trin00 (destructive) • Tribe Flood Network (TFN) (destructive) • TFN2K • Stacheldraht • Trin00: • Trin00 can be launched from one machine or a group of machines. Once the attack starts, every computer hiding a Trin00 daemon sends UDP packets (containing four bytes of data) to the victim host, constantly changing the destination port number. The victim host is kept busy returning ICMP port unreachable messages and cannot properly serve legitimate packets and connections. • TFN: • Launched the same way as Trin00, but TFN's attacks are more varied: it can send SYN flood, UDP flood, ICMP flood or Smurf attacks. The newest versions of TFN can vary the source address of the attack packets themselves, making it even harder for security mechanisms to inspect and filter this kind of attack.

  20. (2) Network Invasion • Goal is to get into the target system and obtain information • Account usernames, passwords • Source code, business-critical information • Usually caused by improper configuration or privilege settings, or by program faults. • Network invasions are diverse; knowledge of attack patterns may help to detect them, but it is quite hard to detect all attacks.

  21. Example of network invasion: IIS unicode buffer overflow. For IIS 5.0 on Windows 2000 without the security patch, a simple URL string: http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ will show the listing of the root directory.

  22. (3) Network Scanning • Goal is generally to learn the topology of the victim's network: • The names and addresses of hosts and network devices. • The open services. • Usually uses techniques such as ICMP scanning, Xmas scan, SYN-FIN scan, SNMP scan. • There is an automatic and powerful tool: Nmap.

  23. (4) Sniffing • Goal is generally to obtain the content of communication • Account usernames, passwords, mail accounts • Network topology • Usually a program that places an Ethernet adapter into promiscuous mode and saves information for later retrieval • Hosts running the sniffer program (e.g. NetBus) are often compromised using host attack methods.

  24. (5) Backdoor and Trojan horse • Usually, backdoors and Trojan horses are the consequence of an invasion or of hostile programs. • They may open a private communication channel and wait for remote commands. • Available toolkits: • Subseven, • BirdSpy, • Dragger • They can be detected by monitoring known control channel activities, but not with 100% precision.

  25. (6) Worm • The chief intention of a worm is to propagate and survive. • It takes advantage of system vulnerabilities to infect a host and then tries to infect any possible targets. • It may decrease system productivity, leave back doors, steal confidential information and so on.

  26. P2P/IM Network Security Threats • P2P (Peer-to-Peer) file-sharing programs • IM (Instant Messenger) • Spyware • Adware • Tunneling (private tunnels)

  27. P2P: A new paradigm • Server bottleneck • Powerful PCs • Flexible, efficient information sharing • P2P changes the way the Web (Internet) works

  28. P2P Will Undermine the Existing Security Architecture • Beyond file sharing and instant messaging, P2P is developing into other applications, such as SoftEther and Skype. For individual users the benefits outweigh the drawbacks, but for enterprises it is a major information security concern • P2P applications harbor many risks, including • Leaking confidential corporate information • Becoming a channel for worm propagation • Downloading illegal files • Copyright infringement • Consuming large amounts of network bandwidth • Disrupting the normal operation of other systems • Distracting employees and lowering productivity

  29. Famous P2P Examples • BitTorrent • eZpeer • Kuro • eDonkey • eMule • MLdonkey • Gnutella • Kazaa/Morpheus • Shareaza • Direct-connect • Gnutella • Soulseek • Opennap • Worklink • Opennext • Jelawat • PP點點通 • SoftEther • iMESH • MIB • WinMix • WinMule • Skype

  30. Instant Messenger (IM) • MSN • Yahoo Messenger • ICQ • YamQQ • AIM (AOL IM)

  31. Evolution of Network Security Technologies • Firewall (Layer-4) • VPN → SSL VPN • PKI • IDS/IPS • Defense-in-Depth • Application Firewall (Layer-7) • UTM (Unified Threat Management) • NAC (Network Access Control)

  32. Intrusion Detection System (IDS); Intrusion Detection and Prevention System (IPS/IDP)

  33. Intrusion Detection System • Intrusion Detection System: a computer system that attempts to detect any set of actions that try to compromise the integrity, confidentiality, or availability of a resource. • An IDS has much more knowledge and many more delicate detection functions than a common firewall. (Remember that the main function of a firewall is access control.)

  34. IDS Types • Host based vs. Network based • Misuse detection vs. Anomaly detection • Active vs. Passive • Centralized vs. Distributed

  35. Host based & Network based IDS • Host based IDS: installed on the target host as a monitoring service. It checks system activity, user privileges and user behavior. • Network based IDS: installed on a network node, usually in promiscuous mode to listen to all passing traffic. It checks network traffic and the interactions between nodes.

  36. Misuse detection & Anomaly detection IDS • Misuse detection (signature-based): based on the assumption that intrusion attempts can be characterized by comparing user activities against a database of known attacks. • Anomaly detection (statistical-based): identifies abusive behavior by noting and analyzing audit data that deviates from a predicted norm.
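To make the two approaches on this slide concrete, here is an added example (not part of the lecture) that runs both over constructed data: a misuse detector that compares request lines against a small database of known attack strings (one entry is a fragment of the IIS request shown on the network-invasion slide, the other is made up), and an anomaly detector that learns a "predicted norm" from a made-up baseline of requests-per-minute counts and flags minutes that deviate from it by more than k standard deviations. The signature database, baseline numbers and function names are all assumptions of this example.

```python
import statistics

# Constructed audit data for one client: HTTP requests per minute over a
# quiet 20-minute training period. Values are made up for this example.
BASELINE_MINUTES = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13,
                    12, 15, 14, 13, 16, 12, 14, 15, 13, 14]

# Known-attack database for the misuse detector. The first entry is a
# fragment of the IIS request shown on the network-invasion slide; the
# second is a constructed example.
KNOWN_SIGNATURES = {
    "/winnt/system32/cmd.exe": "IIS traversal to cmd.exe",
    "/etc/passwd": "Unix password file access",
}


def misuse_detect(request_line: str) -> list:
    """Signature-based detection: compare the request against the database
    of known attacks. Anything not in the database goes unnoticed, which is
    why a new attack variant is missed until a signature is written."""
    return [name for sig, name in KNOWN_SIGNATURES.items() if sig in request_line]


def anomaly_detect(baseline: list, observed: list, k: float = 3.0) -> list:
    """Statistical detection: the baseline defines the predicted norm (mean
    and standard deviation); any observed minute more than k standard
    deviations away from the mean is reported as (index, value). It needs no
    knowledge of the attack, but a legitimate burst triggers it just the same."""
    mu = statistics.mean(baseline)
    sigma = statistics.pstdev(baseline)
    return [(i, x) for i, x in enumerate(observed) if abs(x - mu) > k * sigma]


if __name__ == "__main__":
    print(misuse_detect("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0"))
    print(misuse_detect("GET /cgi-bin/..%2f..%2fbin/sh HTTP/1.0"))      # unseen: missed
    print(anomaly_detect(BASELINE_MINUTES, [14, 13, 15, 120, 13]))  # burst: flagged
```

The two outputs illustrate the trade-off the slide describes: the misuse detector names the attack precisely but only when it is already in the database, while the anomaly detector notices the unexpected burst without knowing what caused it, at the cost of false alarms whenever normal behavior changes.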

  37. Active IDS vs. Passive IDS • Active IDS: participates in the system. It not only observes events but also takes part in the necessary operations. Also called IPS or IDP (Intrusion Detection and Prevention System) • Passive IDS: works on a monitoring or bystander basis.

  38. Active IDS vs. Passive IDS [figure: (a) Passive IDS sits beside the path from the ISP to the LAN and collects packets for analysis via a port mirror; an intrusion attack can pass through. (b) Active IDS sits inline on the path from the ISP to the LAN and analyzes packets directly; the intrusion attack is intercepted.]

  39. Centralized IDS vs. Distributed IDS • Centralized: The sensors are managed by a single analyzer or manager. • Distributed: The sensors are managed by multiple automated analyzers or managers, and the analyzers and managers can communicate with each other.

  40. Comparison between Firewall and Network based active IDS • Same: • Can’t protect against insider-to-insider attacks. • Can’t protect against connections that don’t go through them. • Can do ACL and filtering (for active IDS). • Different: • IDS has the ability to detect new threats. • IDS focuses on intrusion while a firewall focuses on access control and privacy. • Firewalls use the address as the passport, while an IDS does many more checks.

  41. The Challenge of IDS • Speed limitation: a NIDS cannot keep pace with the network speed. (A NIDS needs to check more fields of a packet than a firewall does.) • The inability to see all the traffic: “switched Ethernet” is becoming widely deployed. • Fail-open/fail-closed architecture: when a NIDS fails, often without notifying the central console of the problem, it leaves the network “open”. A “fail-closed” methodology means the network is out of service until the NIDS is brought back on-line.

  42. IDS False Alarms

  43. Content Inspection Technologies

  44. A Generic Layer-7 Engine • Packet Normalizer • Ensures the integrity of incoming packets • Eliminates ambiguity • Decodes URI strings if necessary • Pattern-Matching Engine • Policy Engine • Gathers information from the pattern-matching engine and issues the verdict to allow/drop the packets

  45. Packet Normalizer • Integrity Checking • IP Fragment Reassembly • TCP Segment Reassembly • TCP segments may arrive out of order • SEQ outside the window size • Segment overlapping • URI Decode • URI hex-code obfuscation (‘a’ = %61) • URI Unicode/UTF-8 obfuscation • Self-referential directory obfuscation (/././././ = /) • Directory obfuscation (/abc/a/../a/../a/ = /abc/a)
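The URI-decoding part of the normalizer is where the obfuscations listed on this slide are undone before the pattern-matching engine sees the request. The following is an added example, not code from the lecture or from any product: it decodes one round of %XX hex encoding, interprets the bytes as UTF-8 while refusing to guess at invalid sequences (such as the %c1%1c in the IIS request on the network-invasion slide), collapses /./ and /../ segments exactly as the slide's two examples show, and reports flags (root escape, malformed encoding, leftover encoding) that a policy engine can act on. The function name and the returned field names are assumptions of this example.

```python
from urllib.parse import unquote_to_bytes


def normalize_uri(raw: bytes) -> dict:
    """Normalize a request URI the way a Layer-7 normalizer does before
    pattern matching. Returns the canonical path plus flags for the policy
    engine. Only the path is normalized; the query string is kept as-is."""
    path_part, sep, query = raw.partition(b"?")

    # 1. Undo one round of %XX hex encoding ('a' = %61). A '%' that survives
    #    this pass means the request was double-encoded; we report that
    #    rather than silently decoding again and again.
    decoded = unquote_to_bytes(path_part)
    still_encoded = b"%" in decoded

    # 2. Interpret the bytes as UTF-8. Overlong or otherwise invalid
    #    sequences (e.g. %c1%1c) are rejected, not guessed at: a normalizer
    #    that "helpfully" accepts them would reproduce the server's own bug.
    try:
        text = decoded.decode("utf-8")
        malformed = False
    except UnicodeDecodeError:
        text = decoded.decode("utf-8", errors="replace")
        malformed = True

    # 3. Collapse self-referential (/./) and parent (/../) segments, so that
    #    /././././ becomes / and /abc/a/../a/../a/ becomes /abc/a.
    segments = []
    escapes_root = False
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escapes_root = True   # tried to climb above the document root
            continue
        segments.append(seg)

    return {
        "path": "/" + "/".join(segments),
        "query": query.decode("utf-8", errors="replace") if sep else "",
        "escapes_root": escapes_root,
        "malformed": malformed,
        "still_encoded": still_encoded,
    }


if __name__ == "__main__":
    print(normalize_uri(b"/%61bc/./a/../a/../a/"))
    print(normalize_uri(b"/scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir+c:\\"))
    print(normalize_uri(b"/scripts/..%c1%1c../winnt/system32/cmd.exe"))
```

The important design point is that every decision the normalizer cannot make safely (invalid UTF-8, a second layer of encoding) is surfaced as a flag rather than resolved by guessing: the policy engine can then drop such requests outright, which is a far cheaper rule than trying to enumerate every encoding a server might accept.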

  46. Pattern-Matching Engine • The most computation-intensive task in packet processing. Normally the PM engine needs to process every single byte in packet payload. • In Snort, the PM routine accounts for 31% of the total execution time

  47. Pattern Matching is Expensive! • ~50 instructions per 1500-byte packet • ~30 instructions per byte, i.e. 45K instructions per 1500-byte packet. Source: Intel Corp.

  48. Content Inspection Technologies • Pattern-Matching Algorithms • Software Based • Boyer-Moore • Aho-Corasick (AC) • Wu-Manber • Hardware Based • Bloom Filter • Reconfigurable Hardware (FSM) • TCAM-based

  49. Pattern Matching Problem Definition • Given an input text T = t_0, t_1, …, t_n and a finite set of strings P = {P_1, P_2, …, P_r}, the string matching problem involves locating and identifying the substring of T which is identical to P_j = , 1 ≤ j ≤ r, where t_{s+i} = , 0 ≤ i ≤ m-1. This can also be denoted as t_s … t_{s+m-1} = Text

  50. Aho-Corasick (AC) Algorithm • AC is a classic solution to exact set matching. It runs in time O(n + m + z), where z is the number of pattern occurrences in T. • AC is based on a refinement of a keyword tree. • AC is a deterministic algorithm. That is, its performance is independent of the number of patterns.
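As an added illustration of both the problem definition and the Aho-Corasick slide (this is example code, not the lecture's or any product's implementation), the class below builds the keyword tree for a pattern set P, adds the failure links that let the automaton fall back without rescanning the text, and then scans T in a single pass, reporting every (start position, pattern) occurrence. The classic pattern set {he, she, his, hers} is used because it exercises the failure links; the second pattern set is a constructed toy "signature" list, not real IDS rules.

```python
from collections import deque


class AhoCorasick:
    """Exact set matching: report every occurrence of every pattern in a text
    in one left-to-right pass, independent of the number of patterns."""

    def __init__(self, patterns):
        self.goto = [{}]     # goto[state] maps a character to the next state
        self.out = [[]]      # out[state] lists the patterns ending in that state
        self.fail = [0]      # fail[state] is the longest proper suffix state
        for p in patterns:
            self._add(p)
        self._build_failure()

    def _add(self, pattern):
        # Insert the pattern into the keyword tree (trie).
        state = 0
        for ch in pattern:
            nxt = self.goto[state].get(ch)
            if nxt is None:
                self.goto.append({})
                self.out.append([])
                self.fail.append(0)
                nxt = len(self.goto) - 1
                self.goto[state][ch] = nxt
            state = nxt
        self.out[state].append(pattern)

    def _build_failure(self):
        # Breadth-first over the trie so that fail[] of shallower states is
        # known before it is needed by deeper ones.
        q = deque(self.goto[0].values())
        while q:
            r = q.popleft()
            for ch, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                # A state also "outputs" every pattern its failure state does.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, text):
        """Return a sorted list of (start_index, pattern) for all occurrences."""
        matches = []
        state = 0
        for i, ch in enumerate(text):
            while state and ch not in self.goto[state]:
                state = self.fail[state]          # follow failure links
            state = self.goto[state].get(ch, 0)   # then the goto transition
            for p in self.out[state]:
                matches.append((i - len(p) + 1, p))
        return sorted(matches)


if __name__ == "__main__":
    ac = AhoCorasick(["he", "she", "his", "hers"])
    print(ac.search("ushers"))
    # Constructed toy signature set applied to a normalized URI path.
    sigs = AhoCorasick(["cmd.exe", "/etc/passwd"])
    print(sigs.search("/scripts/../../winnt/system32/cmd.exe"))
```

Each text character causes at most one goto transition plus a bounded number of failure-link steps (amortized over the whole scan), which is where the O(n + m + z) bound comes from; this is why a pattern-matching engine can keep the per-byte cost fixed even as the signature database grows.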
