ELEC5616 computer and network security
matt barrie mattb@ee.usyd.edu.au
lecture 15 :: overview of network security
vendors will save you!
1995: Network Scanning Tools
1996: Firewalls
1997: Virtual Private Networks (VPNs)
1998: Intrusion Detection Systems (IDSs)
1999: Public Key Infrastructure (PKI)
2000: Biometrics
2001: Security Appliances
2002: Unified Threat Management (UTM) Appliances
2003, 2004, 2005, 2006, 2007, 2008, 2009…
… maybe not ...
• Only hackers end up running network scanning tools.
• Firewalls are walls with holes in them.
• VPNs run over … the Internet!
• Intrusion Detection Systems don’t detect new attacks, and perform poorly at detecting old ones.
• PKI requires a massive investment in complex infrastructure & management.
• Biometrics have lots of problems:
  • They can be easily fooled
  • They incite violence against the user
  • What happens if the password file is compromised?
  • Fundamentally, how do you revoke and issue new keys?
• Appliances are pretty boxes running the same software.
• Finally, no-one can configure any of this stuff properly anyway.
so what is going wrong?
• We are building the digital world on foundations of mud:
  • operating systems like Microsoft Windows
  • the IP stack, 802.11/WEP
  • poor user protocols (e.g. telnet, ftp, http, rsh)
  • poor network protocols (e.g. DNS)
  • poor network management protocols (e.g. SNMP, etc.)
  • bad (poor security) programming languages (e.g. C)
• there is a lack of proper infrastructure
• there is a lack of quality developers
• poor design and programming practice
  • e.g. design choices, implementation, assumptions
A case study in real world threats to network security (and digital business)
With thanks to Joel de la Garza (Securify)
background chronology
July 1999: The Computer Emergency Response Team (CERT) issues an advisory on denial-of-service attacks
Sep 1999: Packet Storm receives copies of DDoS tools
Nov 1999: CERT warns of new class of attacks (DDoS) and tools in circulation at CISAC Information Warfare conference
Dec 1999: Packet Storm receives latest copies of TFN and trinoo (DDoS attack tools)
Dec 1999: Packet Storm releases new tools and launches Storm Chaser 2000: Next Generation CyberDefence.
the packet monkeys attack
Feb 7 2000: Yahoo - 3 hour outage
Feb 8 2000: E-bay - 5 hour outage
Feb 8 2000: buy.com - 4 hour outage - first day of IPO!
Feb 8 2000: Amazon - 3:45 outage
Feb 8 2000: CNN - 3:30 outage
Feb 9 2000: ZDnet - 3:15 outage
Feb 9 2000: E*trade - 2:45 outage
The attack:
• An amplified denial-of-service attack on the routers connecting these websites to the Internet
• Amplified ping and SYN floods
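The two flood types named on this slide leave distinct traces at a network edge: a SYN flood shows up as many SYNs to one service of which almost none are followed by the handshake-completing ACK, and an amplified ping (smurf-style) attack shows up as a large number of ICMP echo replies arriving at a host that never sent echo requests, because its address was forged in the requests. The detector below is an added example written for these notes, not code from the lecture or from Securify; the packet records, address ranges, window size and alert thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of packet records seen at the edge of a protected network.
# These are not captured traffic; addresses come from the documentation ranges.
def tcp(t, src, dst, dport, flags):
    return {"t": t, "src": src, "dst": dst, "proto": "tcp", "dport": dport, "flags": flags}

def icmp(t, src, dst, kind):
    return {"t": t, "src": src, "dst": dst, "proto": "icmp", "type": kind}

SAMPLE = [
    # ordinary clients: a SYN, then the ACK that completes the three-way handshake
    tcp(0.00, "198.51.100.10", "203.0.113.5", 80, "S"),
    tcp(0.05, "198.51.100.10", "203.0.113.5", 80, "A"),
    tcp(0.10, "198.51.100.11", "203.0.113.5", 80, "S"),
    tcp(0.15, "198.51.100.11", "203.0.113.5", 80, "A"),
    # a ping the protected host itself sent, and its reply: legitimate
    icmp(0.20, "203.0.113.5", "198.51.100.20", "echo-request"),
    icmp(0.25, "198.51.100.20", "203.0.113.5", "echo-reply"),
]
# SYN flood: 40 SYNs from 40 different (spoofed-looking) sources, none completed
SAMPLE += [tcp(1.0 + i / 1000, f"192.0.2.{i}", "203.0.113.5", 80, "S") for i in range(1, 41)]
# amplified ping: 30 echo replies from a network the host never pinged
SAMPLE += [icmp(1.5 + i / 1000, f"198.18.0.{i}", "203.0.113.5", "echo-reply") for i in range(1, 31)]

WINDOW_S = 2.0  # assumed analysis window


def syn_flood_alerts(packets, min_syns=20, max_completion=0.2):
    """Flag (dst, port, window) where many SYNs arrive but few of the sources go on
    to send the ACK that completes the handshake. Thresholds are illustrative."""
    syns = defaultdict(int)          # key -> number of SYN packets
    syn_sources = defaultdict(set)   # key -> addresses that sent a SYN
    acked = defaultdict(set)         # key -> SYN senders that later ACKed
    for p in sorted(packets, key=lambda p: p["t"]):
        if p["proto"] != "tcp":
            continue
        key = (p["dst"], p["dport"], int(p["t"] // WINDOW_S))
        if p["flags"] == "S":
            syns[key] += 1
            syn_sources[key].add(p["src"])
        elif p["flags"] == "A" and p["src"] in syn_sources[key]:
            acked[key].add(p["src"])
    alerts = []
    for key, n in syns.items():
        completion = len(acked[key]) / len(syn_sources[key])
        if n >= min_syns and completion <= max_completion:
            alerts.append({"dst": key[0], "port": key[1], "window": key[2],
                           "syns": n, "sources": len(syn_sources[key]),
                           "completed": len(acked[key])})
    return alerts


def ping_amplification_alerts(packets, min_replies=20):
    """Flag (dst, window) receiving many ICMP echo replies from sources the host
    never pinged in that window: the replies answer requests that carried a
    forged source address, which is what amplification looks like to the victim."""
    requests_sent = defaultdict(set)   # (pinger, window) -> destinations pinged
    replies = defaultdict(set)         # (dst, window) -> sources replying
    for p in packets:
        if p["proto"] != "icmp":
            continue
        win = int(p["t"] // WINDOW_S)
        if p["type"] == "echo-request":
            requests_sent[(p["src"], win)].add(p["dst"])
        elif p["type"] == "echo-reply":
            replies[(p["dst"], win)].add(p["src"])
    alerts = []
    for (dst, win), sources in replies.items():
        unsolicited = sources - requests_sent[(dst, win)]
        if len(unsolicited) >= min_replies:
            alerts.append({"dst": dst, "window": win, "unsolicited_replies": len(unsolicited)})
    return alerts


if __name__ == "__main__":
    print(syn_flood_alerts(SAMPLE))
    print(ping_amplification_alerts(SAMPLE))
```

Both checks key on the asymmetry the slide describes rather than on raw volume: a busy but healthy web server completes most of its handshakes, and a host only sees echo replies for requests it sent. The high count of distinct sources in the SYN alert is the hint that addresses are being forged, which is also why the victim cannot simply block the senders.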
the press respond
“Still no news on who is behind the concerted DoS attacks that so crippled America’s ability to buy Pokemon trading cards earlier this week.” - Need to Know www.ntk.net
“In a case like this, there is no Interpol, no Pinkerton’s that you can turn to for help” - Wall Street Journal
“Like a distributed pizza attack where you call every pizza shop in town and deliver them to your worst enemy” - Bruce Schneier
“A 16-year-old Montreal boy will be sentenced in April for his admitted guilt in paralyzing the Web sites of several U.S. companies, such as Yahoo, Amazon and eBay, while acting as the hacker Mafiaboy in February 2000. The unidentified boy, who quit school and works a menial job, Thursday pleaded guilty to five counts of mischief, 51 counts of illegal access to a computer and one count of breach of bail conditions…” -- IDG
it’s all fun and games ...
• But to e-Businesses, denial of service of your website is denial of service to your business
• Organisations need to understand that in addition to Economies of the Internet (EoI) there are diseconomies of the Internet:
  • Information leakage
  • Operationally exposing your internals to the world 24x7x365
  • Increased risk associated with an increased chance of compromise
  • Ease with which attackers can execute and get away with crime
    • There is no Internet Police
    • Multiple barriers make it impossible to pursue
why did this happen?
• Lack of strong authentication
• The Internet Protocols are weak
  • Packets are unmetered and unauthenticated
  • Packets can flow any way to their destination
    • This is why the network is resilient
  • No audit trails
• They are based on a history of gentle behaviour
  • Why would anyone want to forge email?
  • Why would anyone want to spam the network?
• Network control protocols use in-band signaling
  • Something the telephone company figured out was bad a long time ago
• A friend of a suspect dared him to do it
the fundamental problem
• The biggest problem with the security architecture of the Internet is lack of strong authentication
  • You trust that I’m me because I tell you so
  • You trust my packets because they say they come from my IP
  • You trust my machine because I say it’s called “bullwinkle”
  • You trust me to login because my password is “britney”
  • You trust my email because it says it comes from mattb@ee.usyd.edu.au
  • You trust my connection because some other random machine on the Internet tells you I’m from niceguy.com
  • You trust my TCP connection because I tell you a sequence number (that I probably could have guessed) that you sent across the network to me earlier (in the clear)
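The last bullet is the classic initial sequence number (ISN) weakness: if a stack picks each connection's ISN by a fixed or near-fixed increment, an observer who never sees the SYN/ACK can still guess the number an earlier connection taught them. The check below is an added example for these notes, not code from the lecture: given ISNs recorded on successive connections from one host, it classifies how guessable the next one is. The sample ISN sequences and the "guessable spread" threshold are constructed assumptions, and the 32-bit wrap-around is handled explicitly because a wrapping counter otherwise looks like a huge random jump.

```python
import statistics

MODULUS = 2 ** 32  # TCP sequence numbers are 32 bits and wrap


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32, so that a counter that
    wraps past 2**32 is not mistaken for an unpredictable jump."""
    return [(b - a) % MODULUS for a, b in zip(isns, isns[1:])]


def classify_isn(isns, guessable_spread=2 ** 16):
    """Rough verdict on the predictability of the next ISN, from ISNs observed on
    successive connections to one host. The spread threshold is an assumption
    for this example, not a standard."""
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to judge a pattern")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        # every connection added the same amount: next ISN follows exactly
        return "constant increment"
    if statistics.pstdev(deltas) < guessable_spread:
        # increments jitter slightly: next ISN lies in a small window
        return "low variance"
    return "unpredictable"


# Constructed sample ISN sequences, not measurements of any real host.
FIXED_STEP = [1000, 65000, 129000, 193000, 257000]      # same increment every time
JITTERED = [5000, 69010, 133005, 197020]                # increment varies by a few units
RANDOMISED = [0x1A2B3C4D, 0x8E7F6A5B, 0x3C2D1E0F, 0xD4C5B6A7]  # no usable pattern


if __name__ == "__main__":
    for name, seq in (("fixed step", FIXED_STEP), ("jittered", JITTERED), ("randomised", RANDOMISED)):
        print(f"{name:11s} deltas={isn_deltas(seq)} -> {classify_isn(seq)}")
```

The defender's use of this is auditing one's own stacks: a "constant increment" or "low variance" verdict means the sequence number is providing no authentication at all, and the remedy is a stack that randomises ISNs (RFC 1948/6528-style generation) rather than any firewall rule, which is the point this slide is making about the lack of strong authentication.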
… and ...
• Security is always catch-up
  • Always a significant time delay between finding, reporting, advising and fixing problems
• Security is usually reactive
• Security is perceived as a cost centre, not a profit centre
• Homogeneous nature of the Internet (monocultures)
• Heterogeneous nature of the Internet (interoperability)
• Political issues, export restrictions
  • The government really doesn’t want you to be that secure
  • They want to raise the bar to their level
• Patents
• Humans use the Internet
the Internet is a monoculture
• Most hosts on the Internet run Windows
  • With over 63,000 known bugs
• Most nameservers run Bind
  • “Buggy Internet Name Daemon” or “300,000 lines of bad code” (Bernstein)
• Most mail servers run sendmail
  • Historically the buggiest UNIX program (vying with bind)
• Most routers run Cisco IOS
  • A proprietary operating system
  • What can you say about the security of a program if you can’t look at the source?
• Most web servers run Apache (the exception - secure!)
  • IIS at second place with ~20% has abysmal security
• Most applications are {outlook, hotmail/passport, MS office … }
  • Email viruses would not have been a problem if Microsoft hadn’t decided html emails were a good idea
• Most users have no clue about security
the result
• Attacks against any of {windows, bind, sendmail, IIS, IOS, outlook, hotmail/passport or apache} will yield large numbers of “0wn3d” machines.
  • By “large” we mean significant percentages of the Internet
  • In other words millions of machines
• Get ready for this soon to include your PDA, mobile phone, VoIP communications, watch, pacemaker and stereo system.
common beliefs are wrong
• The common security philosophy is that if you secure the perimeter, you can keep the insides soft and gooey (marshmallow)
  • This has always been a very bad assumption.
  • Nowadays it is even worse; your network is like Afghanistan:
    • There is no border.
    • You cannot trust anyone.
• There are simply too many ways into your network:
  • Internet connections (T1, cable, ADSL, frame relay …)
  • Dialup modems (not just those in the modem pool, all the others that employees use for “testing”, “private access” etc.)
  • 802.11 wireless networks (the record is well over 15 kilometres with a good antenna and amplifier)
  • Third party connections (vendors, partners, clients … )
• Users are 90% of the problem and they are already inside!
hosts are weak
• When not weak due to bugs, hosts are often weakly configured
  • Default configurations are usually insecure
  • Too many exposed services, exposed code
• Programs are written poorly in bad languages
• Programs run with too much privilege
• Hosts have users, which further erode security
• In short there are too many ways to successfully attack hosts that can then be used to attack others:
  • Remote exploit to gain access to the system
  • Subversion of system to gain privileges
  • Leverage access to other systems across the whole network
    • Through trust relationships, packet sniffing, keystroke logging etc.
same old problems, new themes
• We’ve had fixes for most of these problems for 30 years…
SANS Top 20 (2003) www.sans.org
UNIX
• Multiple overflows in the remote procedure call (RPC) mechanism
• Vulnerable CGI programs on web servers
• Chunk handling bug in Apache and another in mod_ssl
• Protocol problem in SSH1 leading to session decryption, and buggy/trojaned OpenSSL
• Weak authentication in the simple network management protocol (SNMP)
• Cleartext password sniffing with FTP and multiple bugs in multiple distributions
• Trust problems with the r-* services
• Buffer overflow in printer (lpd) services
• Lots of bugs in sendmail
• Lots of bugs in BIND
• Accounts with no / default / poor passwords
the top 10 security problems
Windows
• Three major bugs in IIS (poor handling of user data, buffer overflows)
• Program flaws in MDAC components
• Remote exploit in MSSQL
• Unprotected NETBIOS shares (no passwords, poor passwords)
• Anonymous login / null sessions
• Weak hashing with LANMAN passwords
• Accounts with no passwords / poor passwords
• Multiple vulnerabilities in multiple classes with Internet Explorer
• Poor security settings allowing remote registry access
• Worm exploiting Windows scripting facility
note
• None of these problems are stopped by encryption
• None of these problems are stopped by firewalls
• None of these problems are stopped by VPNs
• None of these problems are stopped by biometrics
• None of these problems are stopped by IDSs
• None of these problems are stopped by PKIs
• Some are a result of lack of strong authentication
• Some are a result of bad programming
• Some are a result of poor security administration
moral of the story
references
• SANS Top Twenty Vulnerabilities: http://www.sans.org/top20.htm
• Packetstorm: www.packetstormsecurity.org