Computer Systems Security: Security in Networks. Topic 1. Pirooz Saeidi. Source: Pfleeger, Chapter 7
Security in Networks Agenda We will first address: • The Basics of networks: design, development and usage • How networks differ from and are similar to stand-alone applications and environments • Threats against networked applications, including: • Denial of service • Web site defacements • Malicious mobile code • Protocol attack
Security in Networks Agenda: We will then look at: • Controls against attacks • Physical security • Policies & procedures • A range of technical errors • Tools • Firewalls: Design, capabilities & limitations • Intrusion Detection Systems • Secure e-mail
Terminology • Single point of failure, fault tolerance • Topology • Media • Analog/digital • Protocols • LAN/WAN • Internet • Distributed System • APIs
Network Concepts • Networks involve pieces and connections among them • A network can be vulnerable to a single point of failure. • Redundancy provides resilience or fault tolerance and removes single points of failure.
Environment of Use • Parts of networks can be located in protected locations (LANs) but some parts can be exposed to total strangers (with different ownership or control). • Networks can be described by several characteristics: • Anonymity, Automation, Distance, Opaqueness and Routing diversity
Environment of Use • Anonymity • The network removes clues such as appearance, voice, etc. • Automation • Most intermediate points as well as end points may be machines with minimal human intervention. • Distance • Human users cannot usually tell how far apart the sites are.
Environment of Use • Opaqueness • Location transparency • Routing Diversity • To improve reliability and performance, routing is usually dynamic, i.e. each message may take a different path.
Topologies: Shape and Size • Two extremes: • Two hosts connected by one path • A very complex network, such as the Internet. • These extremes highlight 3 aspects of networks that have a strong influence on network security: • Boundary: Distinguishes an element of the network from an element outside it. But: • listing all hosts connected to the Internet is impossible! • Ownership: difficult to know who owns which host in a network • Control: difficult to tell the control attributes of an arbitrary host in a network.
Media Types • Cable • UTP: Low bandwidth (10 Mbps), signal degrades as it travels • Coaxial (100 Mbps): widely used on Ethernet. Can be amplified using repeaters. • Optical fibre: up to 1000 Mbps. A much better medium with less interference. • Wireless: Used for short distances (home/office networks) • Microwave: travels in a straight line, up to 30 miles
Media Types • Infrared • Short distance (up to 9 miles). Used by portable devices. It is a point-to-point signal, so difficult to intercept, but subject to “in the middle attacks” in which the interceptor functions like a repeater. • Satellite • Placed in orbit. • Naïve transponder: everything it receives is broadcast out again, over a long path (several hundred miles long: the footprint). • The smaller the footprint, the less risk of interception.
Protocols: OSI Protocol Layers. Source: Pfleeger & Pfleeger
Protocols: TCP/IP. Source: Pfleeger & Pfleeger
TCP/IP • TCP/IP is defined by its protocols, not by layers, but it can be thought of as a four-layer structure. • TCP implements a connection-oriented communication session on top of the IP protocol. • UDP is also an essential transport protocol. • UDP is less reliable than TCP, but it is a much faster and smaller protocol.
Example of Protocols. Source: Pfleeger & Pfleeger
IP addresses • 32-bit addresses expressed as four 8-bit groups • Also known by names (e.g. www.staffs.ac.uk), parsed from right to left. • To resolve names the system performs lookups. Local hosts maintain a cache of domain name records. • Later on we will see that name resolution can be abused in network attacks.
TCP/IP vs. ISO/OSI • ISO/OSI: Complex design, not very efficient • TCP/IP: More efficient, open • Result: the Internet uses TCP/IP, but this introduces security issues
Types of Networks • LANs: • Small, locally controlled and physically protected • WANs: • Single control, covers a large distance, but physically exposed • Internetworks (Internets): • Many thousands of machines and millions of users • Heterogeneous • Physically and logically exposed.
Other aspects of Networks • Distributed Systems • Computation spread across two or more computers in one of the following forms: • Client server architecture: based on request reply protocol • Peer-to-peer system: a collection of equals
Other aspects of Networks • APIs (Application Programming Interfaces) • Define interfaces to modules or systems. Examples are: • GSSAPI or Generic Security Services API • Based on the notion that callers have credentials to establish contexts to invoke security services for implementing confidentiality or integrity. • CAPI or Cryptographic API • A Microsoft API for cryptographic services • User can invoke cryptographic algorithms of different strengths • CAPI is a routine that calls for generic services without specifying any particular algorithm
Threats in Networks • Network vulnerabilities • Who are the attackers • Types of threats • Precursors • In transit • Protocol flaws • Impersonation • Spoofing • Message Confidentiality / Integrity threats • Web Site Defacement • Denial of Service (DOS) • Distributed Denial of Service (DDOS) • Active or Mobile Code Threats • Complex Attacks
What makes a Network Vulnerable? • A network differs from a stand-alone environment in the following ways: • Anonymity • Many points of attack • Sharing • Complexity of system • Unknown perimeter • Unknown path
What makes a Network Vulnerable? • Anonymity: • The attacker can disguise its origin by passing through many other hosts, which do not necessarily have host-to-host authentication. • Many points of attack • Not all hosts’ administrators enforce the same rigorous security policies • Sharing • Access controls designed for single systems may be inadequate.
What makes a Network Vulnerable? • Complexity of system • A network control system or network operating system is more complex than a single-system one • Ordinary desktops are getting very powerful • Most users do not know what their computers are really doing at any moment. • The attacker takes advantage of this and makes the victim’s computer perform some of the computation.
What makes a Network Vulnerable? • Unknown Perimeter • One host may be shared between two networks. • A user on a host in network D may be unaware of potential connections from users of networks A and B. • A host in the middle of A and B also belongs to A, B, C and E. • These networks may have different security rules. • So which rule applies to the shared hosts?! Source: Pfleeger & Pfleeger
What makes a Network Vulnerable? • Unknown Path • Network users usually do not have control over the routing of their messages. • All these network characteristics increase security risks. Source:Pfleeger&Pfleeger
Who Attacks Networks? • Earlier we saw that the three components of an attack are: method, opportunity, and motive. • The motives are varied and can give an idea of who might attack the network. Examples are: • Challenge • Fame • Money and Espionage • Ideology: Cyberterrorism and hacktivism (hacking against network targets)
Who Attacks Networks? Threat Precursors • Methods of attack are varied. The attacker begins by finding out as much as possible about the target. Popular methods are: • Port Scan • Social Engineering • Reconnaissance • Operating system & Application Fingerprinting • Bulletin Boards & Chats • Open documentation
Who Attacks Networks? Threat Precursors • Port Scan • A program that reports, for a given IP address, which ports respond to messages and which known vulnerabilities are present. It tells the attacker three things: • Which standard services (ports) are running and responding. • What OS is installed • What applications and which versions are present. • Port scanning tools are commercially available. • In your tutorial you may look at: • nmap scanner (www.insecure.org/nmap), or • netcat at http://netcat.sourceforge.net/
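The defender's side of the port-scan precursor is spotting the scan in firewall logs. The following is an added example, not from the slides or from Pfleeger: a small detector that flags a source touching many distinct ports on one host inside a short window. The log format, addresses and timestamps are constructed for the example.

```python
# Added example (not from the slides): flag port-scan-like behaviour in firewall
# log lines. Log format and addresses are constructed: "<epoch> <src> -> <dst>:<port> <action>".
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)

# Constructed sample: 10.0.0.9 probes nine ports on one host within a few
# seconds; 10.0.0.5 is an ordinary client that only uses 80 and 443.
SAMPLE_LOG = """\
1000 10.0.0.5 -> 192.0.2.10:443 ALLOW
1001 10.0.0.9 -> 192.0.2.10:21 DROP
1001 10.0.0.9 -> 192.0.2.10:22 DROP
1002 10.0.0.9 -> 192.0.2.10:23 DROP
1002 10.0.0.9 -> 192.0.2.10:25 ALLOW
1003 10.0.0.9 -> 192.0.2.10:80 ALLOW
1003 10.0.0.9 -> 192.0.2.10:110 DROP
1004 10.0.0.9 -> 192.0.2.10:143 DROP
1004 10.0.0.9 -> 192.0.2.10:443 ALLOW
1005 10.0.0.9 -> 192.0.2.10:3389 DROP
1006 10.0.0.5 -> 192.0.2.10:80 ALLOW
garbage line that does not match the format
"""

def parse(log_text):
    """Yield (ts, src, dst, port) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["ts"]), m["src"], m["dst"], int(m["port"])

def find_scanners(log_text, window=60, min_ports=8):
    """Return {src: sorted distinct ports} for every source that touched at
    least `min_ports` distinct ports on one destination within `window`
    seconds. DROP and ALLOW both count: a scan is about breadth, not success."""
    per_pair = defaultdict(list)            # (src, dst) -> [(ts, port), ...]
    hits = {}
    for ts, src, dst, port in sorted(parse(log_text)):
        recent = per_pair[(src, dst)]
        recent.append((ts, port))
        while recent and recent[0][0] < ts - window:   # slide the window
            recent.pop(0)
        ports = {p for _, p in recent}
        if len(ports) >= min_ports:
            hits[src] = sorted(ports)
    return hits
```

The threshold and window are tuning knobs: too low and busy legitimate clients trip it, too high and a slow scan spread over hours stays invisible.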
Who Attacks Networks? Threat Precursors • Social Engineering • A port scan gives an outside view of the network. Social skills can be used to learn about the inside of the network. • For example, the attacker can impersonate someone in a high position. Humans like to help if asked politely!
Who Attacks Networks? Threat Precursors • Reconnaissance • A general term for collecting information • After finding out what is open (port scan) and learning about internal details (social engineering), the attacker wants to know more. • Methods vary from “dumpster diving” (looking through rubbish and discarded items) to eavesdropping.
Who Attacks Networks? Threat Precursors • Operating System & Application Fingerprinting • Obtain OS- and application-specific information. Some port-scan software can achieve this. For more information see • www.insecure.org/nmap/nmap-fingerprinting-article.html • Sometimes the application identifies itself. Ports such as 80 (HTTP), 25 (SMTP), 110 (POP), and 21 (FTP) may respond to clients with a message like: “Server: Netscape-Commerce/1.15 Your browser sent a non-HTTP compliant message” • This reply tells the attacker which application and version are running.
Who Attacks Networks? Threat Precursors • Bulletin boards and chat rooms support the exchange of information (also between malicious hackers!). During the 18-month FBI sting operation (1999), a team led by W. Swallow befriended the attackers in chat rooms and gathered critical evidence on several attackers, including the 17-year-old “Mafiaboy”, who pled guilty to 58 charges related to denial of service attacks against Amazon.com, eBay and Yahoo.
Threats in Transit • Eavesdropping • Packet Sniffing • Wiretapping • Microwaves • Satellites • Fiber • Wireless
Threats in Transit: Eavesdropping and Wiretapping • Eavesdropping: overhearing without extra effort, e.g. monitoring all traffic passing through a node. • Wiretapping: intercepting communication with some effort, e.g. by injecting something into the communication. • Wiretapping works differently depending on the communication medium used.
Threats in Transit - Cable • A device called a packet sniffer can retrieve all packets on a LAN. • Attackers can also tap wires by a process called inductance, reading the radiated signals. • Data on a WAN can be heavily multiplexed, with more than one signal carried at a given time, which makes wiretapping more difficult.
Threats in Transit- Optical Fiber • Difficult to tap • However data may be available more easily at places such as repeaters, splices or connections from computing equipment to the fibre.
Threats in Transit - Wireless • Signals can be picked up easily from several miles away • Interception through active or passive wiretapping. • Encryption is not always used for wireless communication, and the encryption built into wireless devices is not strong. • The encryption standard is Wired Equivalent Privacy (WEP).
Threats in Transit - Wireless • WEP is a stream cipher using a 40- or 104-bit key. • Surveys reveal that WEP has been disabled in 85% of installations due to the difficulty of configuration and encryption management. • The design of the encryption makes the WEP cipher easy to crack.
Threats in Transit - Wireless • The second threat is the possibility of rogue use of a connection. • With DHCP (Dynamic Host Configuration Protocol) a client negotiates a one-time IP address and connectivity with the host. • These IP addresses are shared among users. • Authentication of hosts is a major problem here; networks that do not authenticate are open to theft of service.
Wiretapping Summary: Wiretap vulnerabilities. Source: Pfleeger & Pfleeger
Threats - Protocol Flaws • TCP connections are established through sequence numbers. • The client sends a sequence number to open a connection. • The server responds with the server’s sequence number. • If someone guesses a client’s next sequence number, he/she could impersonate the client in an interchange. • Sequence numbers are incremented regularly, so they are easy to predict!
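The flaw above is predictability, and the fix is to make initial sequence numbers (ISNs) of unrelated connections unrelated to each other. The block below is an added example, not from the slides or from any operating system: two simplified ISN generators (a fixed-step counter, and a counter plus keyed hash of the connection identifiers in the style of RFC 6528) and a check that measures how often "last value plus observed step" predicts the next ISN.

```python
# Added example (not from the slides): a check that an initial-sequence-number
# (ISN) generator is not trivially predictable. Both generators are simplified
# models written for this example, not any operating system's code.
import hashlib
import os

class CounterISN:
    """Old-style ISN: a global counter bumped by a fixed step per connection,
    so anyone who observed one ISN can compute the next one."""
    def __init__(self, step=64000):
        self.isn, self.step = 0, step

    def next_isn(self, client, server):
        self.isn = (self.isn + self.step) % 2**32
        return self.isn

class HashedISN:
    """RFC 6528 style: the same counter plus a keyed hash of the connection
    identifiers, so ISNs of different connections bear no usable relation."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)   # per-boot secret
        self.counter = 0

    def next_isn(self, client, server):
        self.counter = (self.counter + 64000) % 2**32
        h = hashlib.sha256(self.secret + f"{client}|{server}".encode()).digest()
        return (self.counter + int.from_bytes(h[:4], "big")) % 2**32

def prediction_hits(gen, trials=100):
    """Model a passive observer: watch the ISNs handed to successive legitimate
    connections, guess the next one as last + observed step, and count how
    often the guess equals the ISN a new client actually receives."""
    prev = gen.next_isn("10.0.0.1:5000", "192.0.2.10:80")
    cur = gen.next_isn("10.0.0.1:5001", "192.0.2.10:80")
    hits = 0
    for i in range(trials):
        guess = (cur + (cur - prev)) % 2**32
        prev, cur = cur, gen.next_isn(f"10.0.0.{2 + i % 250}:{6000 + i}", "192.0.2.10:80")
        hits += cur == guess
    return hits
```

With the counter generator every guess lands; with the keyed-hash generator a hit is a 1-in-2^32 coincidence, while the same client/server pair still gets a monotonically increasing ISN so that old segments are not confused with new ones.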
Threats - Impersonation: taking advantage of vulnerabilities: • Guessing (default passwords: GUEST, ADMIN, etc.) • Stealing authentication data when it is passed and exposed on a network: • Wiretapping • Eavesdropping • Avoiding authentication when a flaw can be exploited (e.g. a password buffer overflow) • Nonexistent authentication (e.g. anonymous or guest password) • Well-known authentication (e.g. SNMP uses a community string password: a group name to which multiple users belong) • Trusted authentication • Delegation of identification to other trusted sources • Unix .rhosts, .login and /etc/hosts.equiv indicate hosts or users that are trusted by other hosts • MSN Passport
Threats - Spoofing • When an attacker falsely carries on one end of a network interchange. Examples are: • Masquerade • One host pretends to be another: • URL confusion, domain name confusion… • Session hijacking • Intercepting and carrying on a session by another entity, e.g. hijacking a remote telnet session that was initiated by the system administrator. • Man-in-the-middle attack
Man-in-the-middle attack • As seen in the tutorials, the perpetrator intercepts requests to the key server when you ask for your partner’s public key, and passes his/her own key to you instead. • He/she then intercepts, decrypts, reads and re-encrypts your messages using the partner’s real public key. Source: Pfleeger & Pfleeger
Threats - Message Confidentiality can be compromised by: • Misdelivery • Human errors in destination names… • Exposure • In temporary buffers, routers, etc. • Traffic Flow Analysis • A high volume of traffic between two nodes may invite speculation (politics, price fixing, etc.) • Both content and header information must be protected.
Threats: Website Defacement • Downloaded web site code (over HTTP) enables an attacker to get the blueprints of a web site • The common web site vulnerabilities are: • Buffer overflow • Dot-dot problems • Application code errors • Server-side include problems
Website Defacement - Buffer Overflow • The attacker feeds a program far more data than it expects to receive. • The buffer’s size is exceeded and the excess data spills over into neighbouring code and data locations.
Website Defacement - Dot-Dot and Address Problems • ‘..’ is the predecessor (parent) and ‘../..’ the grandparent of the current location. • Someone entering file names can travel back up the directory tree one ‘..’ at a time. • The server may return private files if certain URLs are passed to it.
Dot-Dot and Address Problems (Example) • Passing the following URL causes the server to return the requested file autoexec.nt, enabling the attacker to modify or delete it: http://URL/null.htw?CiWebHitsFile=/../../../..winnt/system32/autoexec.nt Source: Pfleeger & Pfleeger
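The server-side control against the dot-dot problem is to resolve every requested file name against the document root and refuse anything that lands outside it. The block below is an added example, not from the slides and not any real web server's code; the web root and the request paths are constructed, and the fourth request is a cleaned-up version of the kind of path the slide's autoexec.nt URL carries.

```python
# Added example (not from the slides or any real web server): confine a requested
# file path to the web root so dot-dot sequences cannot reach files outside it.
# The web root and the request paths are constructed for this example.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"          # constructed document root

def resolve_request_path(web_root, requested):
    """Return the absolute path under `web_root` that `requested` names, or
    None if the request would escape the root. Handles percent-encoding
    (including double encoding), backslash separators and embedded NULs;
    it is a lexical check, so a deployed server should also resolve symlinks."""
    decoded = requested
    for _ in range(2):                      # %252e%252e -> %2e%2e -> ..
        decoded = unquote(decoded)
    if "\x00" in decoded:                   # a NUL would truncate a C path
        return None
    decoded = decoded.replace("\\", "/")    # treat Windows separators as "/"
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    # commonpath, not startswith: "/var/www/site2" must not pass as a child
    # of "/var/www/site".
    if posixpath.commonpath([web_root, candidate]) != web_root:
        return None
    return candidate

# Constructed requests: the first two are legitimate, the rest are the dot-dot
# and encoding variants a server must reject (the third mirrors the slide's URL).
REQUESTS = [
    "/index.html",
    "docs/../img/logo.png",
    "/../../../../winnt/system32/autoexec.nt",
    "%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/secret.txt",
    "..\\..\\boot.ini",
    "a%00.html",
    "../site2/private.html",
]

def check_all(web_root=WEB_ROOT, requests=REQUESTS):
    """Map each request to its resolved path, or None when it is rejected."""
    return {r: resolve_request_path(web_root, r) for r in requests}
```

Note that a request is decoded and normalised before the comparison, never after: comparing the raw string against the root is exactly the mistake that lets “..” and its encoded forms through.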