1 / 53

CHAPTER 6

CHAPTER 6. Security in Networks. Objectives. differentiate the security needs in the network and in single ,stand alone application and environment identify threats against network applications, including denial of service, web site defacements, malicious code and protocol attacks

oro
Download Presentation

CHAPTER 6

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CHAPTER 6 Security in Networks

  2. Objectives • differentiate the security needs in the network and in single ,stand alone application and environment • identify threats against network applications, including denial of service, web site defacements, malicious code and protocol attacks • explain various controls against network attacks such as physical security, policies and procedures and range of technical controls • Explain about design, capabilities and limitation of the firewall • Define and describe the intrusion detection systems and secure e-mails (c) by Syed Ardi Syed Yahya Kamal, UTM 2004

  3. The Network Concepts • When studying the chapter, student should know: • The type of networks (LAN, MAN, etc) • The size and shape • Media (cable, wireless, optical cable, etc) • Protocol (OSI layers, TCP/IP, etc) • Topologies (star, ring, etc) • Advantages of computing networks (resource sharing, distributing the workload, etc)

  4. Threats in Networks • What makes a network vulnerable?

  5. Threats in Networks (cont) • We cannot list who attacks networks but we do know what the motives of attacking.

  6. Threats in Networks (cont) • Threat precursor: • Port scan • Program that give an information about three things: • Which standard ports or services are running and responding? • What operating system is installed? • What applications and versions of applications are present? • Example:nmap scanner, netcat, Nessus, CyberCop Scanner • Social engineering • Involves using social skills and personal interaction to get someone to reveal security-relevant information and perhaps even do something that permits an attack. • "Hello, this is John Davis from IT support. We need to test some connections on the internal network. Could you please run the command ipconfig/all on your workstation and read to me the addresses it displays?" The request sounds innocuous . But unless you know John Davis and his job responsibilities well, the caller could be an attacker gathering information on the inside architecture.

  7. Threats in Networks (cont) • Threat precursor (cont): • Reconnaissance • Gathering discrete bits of information from various sources and then putting them together like the pieces of a puzzle. • Eavesdropping – follow employees to lunch and listen in from nearby tables as coworkers discuss security matters. • Bulleting board and chats • Numerous underground bulleting boards and chat rooms support exchange of information. • Attackers can post their latest exploits and techniques and read what others have done.

  8. Threats in Networks (cont) • Threat precursor (cont): • Availability of documentation • Vendor themselves sometimes distribute information that is useful to an attacker. • Microsoft produces a resource kit by which application vendors can investigate a Microsoft product in order to develop compatible, complementary applications. • Operating System and Application Fingerprinting • can mark the manufacturer and version • attacker might use a Telnet application to send meaningless messages to another application. Ports such as 80 (HTTP), 25 (SMTP), 110 (POP), and 21 (FTP) may respond with something like Microsoft ESMTP MAIL Service, Version: 5.0.2195.3779 This reply tells the attacker which application and version are running.

  9. Threats in Networks (cont) • Threats in transit: • Eavesdrop – implies overhearing without expending any extra effort. • Attacker monitoring all traffic passing through a node. • Wiretap – intercepting communications through some effort. • Passive wiretapping is just "listening," much like eavesdropping • Active wiretapping means injecting something into the communication • Someone could replace your communications with his own or create communications purported to be you. • Works differently depending on communication medium used.

  10. Threats in Networks (cont) • Impersonation: • Impersonate another person or process • In an impersonation, an attacker has several choices • Guess the identity and authentication details of the target. • Pick up the identity and authentication details through eavesdropping or wiretapping. • Use the target that will not be authenticated. • Use a target whose authentication data are known.

  11. Spoofing • Guessing or otherwise obtaining the network authentication credentials of an entity • Examples of spoofing are: • masquerading, • session hijacking • man-in-the-middle attacks

  12. Masquerade • one host pretends to be another • A variation of this attack is called phishing • send an e-mail message, perhaps with the real logo of Blue Bank, and an enticement to click on a link, supposedly to take the victim to the Blue Bank web site. • The enticement might be that your victim's account has been suspended (and need the account number and PIN to activate it), or some other legitimate-sounding explanation. • The link might be to your domain Blue-Bank.com, the link might say click here to access your account (where the click here link connects to your fraudulent site), or other trick with the URL to fool your victim, like www.redirect.com/bluebank.com.

  13. Session Hijacking • intercepting and carrying on a session begun by another entity • Suppose two entities have entered into a session but then a third entity intercepts the traffic and carries on the session in the name of the other • The attacker steals a valid session ID which is used to get into the system and snoop the data *Tools:Juggernaut Hunt IP Watcher

  14. Man-in-the-Middle Attack • one entity intrudes between two others • difference between man-in-the-middle and hijacking is that a man-in-the-middle usually participates from the start of the session, whereas a session hijacking occurs after a session has been established. Tools: PacketCreator Ettercap Dsniff Cain e Abel

  15. Message Confidentiality Threats • An attacker can easily violate message confidentiality (and perhaps integrity) because of the public nature of networks. • Eavesdropping and impersonation attacks can lead to a confidentiality or integrity failure. • Several other vulnerabilities that can affect confidentiality. • Misdelivery • Exposure • Traffic Flow Analysis

  16. Message Integrity Threats • the integrity or correctness of a communication is at least as important as its confidentiality. • Threats based on failures of integrity in communication. • Falsification of Messages- an attacker can take advantage of our trust in messages to mislead us • change some or all of the content of a message • replace a message entirely, including the date, time, and sender/receiver identification • Noise -Signals sent over communications media are subject to interference from other traffic on the same media, as well as from natural sources • Fortunately, communications protocols have been intentionally designed to overcome the negative effects of noise

  17. Web Site Vulnerabilities • Web site is especially vulnerable because it is almost completely exposed to the user • One of the most widely known attacks is the web site defacement attack • Web site defacement attack • Buffer Overflows • Dot-Dot-Slash • Application Code Errors • Server-Side Include

  18. Denial of Service • There are many accidental and malicious threats to availability or continued service. • Transmission Failure • Connection Flooding • Echo-Chargen • Ping of Death • Smurf • Syn Flood • Traffic Redirection • DNS Attacks • Distributed Denial of Service

  19. Figure 7-16. Smurf Attack. Smurf

  20. Distributed Denial of Service

  21. Threats in Active or Mobile Code • Active code or mobile code is a general name for code that is pushed to the client for execution • related potential vulnerabilities: • Cookies • Scripts • Active Code • Java Code • ActiveX Controls

  22. Figure 7-19. Segmented Architecture. Network Security Controls • Design and Implementation • Architecture • Segmentation -Segmentation reduces the number of threats, and it limits the amount of damage a single vulnerability can allow. • a web server, to handle users' HTTP sessions • application code, to present your goods and services for purchase • a database of goods, and perhaps an accompanying inventory to the count of stock on hand and being requested from suppliers • a database of orders taken Segmented Architecture.

  23. Redundancy -allowing a function to be performed on more than one node • failover mode -the servers communicate with each other periodically, each determining if the other is still active • Single Points of Failure-architecture should at least make sure that the system tolerates failure in an acceptable way

  24. Encryption • encryption is powerful for providing privacy, authenticity, integrity, and limited access to data • Encryption in network applications : • either between two hosts (link encryption) • between two applications (end-to-end encryption)

  25. link encryption -data are encrypted just before the system places them on the physical communications link • encryption occurs at layer 1 or 2 in the OSI model • decryption occurs just as the communication arrives at and enters the receiving computer • Encryption protects the message in transit between two computers, but the message is in plaintext inside the hosts • the exposure occurs on the sender's or receiver's host or workstation, protected by alarms or locked doors • Link encryption is especially appropriate when the transmission line is the point of greatest vulnerability. If all hosts on a network are reasonably secure but the communications medium is shared with other users or is not secure, link encryption is an easy control to use

  26. Figure 7-20. Link Encryption. Figure 7-21. Message Under Link Encryption. Link Encryption Message Under Link Encryption.

  27. End-to-End Encryption • end-to-end encryption provides security from one end of a transmission to the other • encryption can be applied by a hardware device between the user and the host • the encryption can be done by software running on the host computer • encryption is performed at the highest levels (layer 7, application, or perhaps at layer 6, presentation) of the OSI model

  28. End-to-End Encryption

  29. Comparison of Link and End-to-End Encryption.

  30. Virtual Private Networks • Link encryption can be used to give a network's users the sense that they are on a private network, even when it is part of a public network • the communication passes through an encrypted tunnel or tunnel

  31. PKI and Certificates • A public key infrastructure, or PKI , is a process created to enable users to implement public key cryptography, usually in a large (and frequently, distributed) setting. • PKI offers each user a set of services, related to identification and access control, as follows : • Create certificates associating a user's identity with a (public) cryptographic key • Give out certificates from its database • Sign certificates, adding its credibility to the authenticity of the certificate • Confirm (or deny) that a certificate is valid • Invalidate certificates for users who no longer are allowed access or whose private key has been exposed

  32. PKI sets up entities, called certificate authorities , that implement the PKI policy on certificates. • The specific actions of a certificate authority include the following: • managing public key certificates for their whole life cycle • issuing certificates by binding a user's or system's identity to a public key with a digital signature • scheduling expiration dates for certificates • ensuring that certificates are revoked when necessary by publishing certificate revocation lists

  33. SSH Encryption • SSH (secure shell) is a pair of protocols (versions 1 and 2), originally defined for Unix but also available under Windows 2000, that provides an authenticated and encrypted path to the shell or operating system command interpreter • The SSH protocol involves negotiation between local and remote sites for encryption algorithm (for example, DES, IDEA, AES) and authentication (including public key and Kerberos ).

  34. SSL Encryption • The SSL (Secure Sockets Layer ) protocol was originally designed by Netscape to protect communication between a web browser and server • SSL interfaces between applications (such as browsers) and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server. • To use SSL, the client requests an SSL session. The server responds with its public key certificate so that the client can determine the authenticity of the server

  35. IPSec • IPSec is implemented at the IP layer • IPSec is somewhat similar to SSL, in that it supports authentication and confidentiality (in applications) or below it (in the TCP protocols). • it was designed to be independent of specific cryptographic protocols and to allow the two communicating parties to agree on a mutually supported set of protocols.

  36. Figure 7-27. Packets: (a) Conventional Packet; (b) IPSec Packet. Packets: (a) Conventional Packet; (b) IPSec Packet.

  37. signed code . • A trustworthy third party appends a digital signature to a piece of code, supposedly connoting more trustworthy code. A signature structure in a PKI helps to validate the signature. • Encrypted E-mail • To protect the privacy of the message and routing information, we can use encryption to protect the confidentiality of the message and perhaps its integrity.

  38. Strong Authentication • One-Time Password • ChallengeResponse Systems • Digital Distributed Authentication • Kerberos

  39. Access Controls • Authentication deals with the who of security policy enforcement; access controls enforce the what and how • ACLs on Routers • Firewalls • Honeypots

  40. (c) by Syed Ardi Syed Yahya Kamal, UTM 2004

  41. Summary of Network Vulnerabilities

  42. Summary of Network Vulnerabilities

  43. Firewalls • Firewall is a device that filters all traffic between a protected or “inside” network and a less trustworthy or “outside” network. • The purpose of a firewall is to keep “bad” things outside a protected environment. • To accomplish that, firewalls implement a security policy.

  44. Firewalls (cont) • The design of firewall should maintain below qualities: • Always invoked. • Tamperproof. • Small and simple enough for rigorous analysis.

  45. Firewalls (cont) • Type of firewalls are depends on their capabilities. The type are: • Packet filtering gateways or screening routers. • Most effective. Control packet from source to destination. • Stateful inspection firewalls. • Maintains state infomation from one packet to another in the input stream. • Application proxies. • Simulate the (proper) effects of an application so that the application will receive only requests to act properly.

  46. Firewalls (cont) • Type of firewalls (cont): • Guards. • Sophisticated firewall. Decide what services to perform on the user’s behalf in accordance with its available knowledge. • Personal firewall. • An application program that runs on a workstation to block unwanted traffic, usually from the network.

  47. Comparison of Firewall Types

  48. Intrusion Detection Systems • An intrusion detection system (IDS ) is a device, typically another separate computer, that monitors activity to identify malicious or suspicious events • IDSs perform a variety of functions: • monitoring users and system activity • auditing system configuration for vulnerabilities and misconfigurations • assessing the integrity of critical system and data files • recognizing known attack patterns in system activity • identifying abnormal activity through statistical analysis • managing audit trails and highlighting user violation of policy or normal activity • correcting system configuration errors • installing and operating traps to record information about intruders

  49. Types of IDSs • Signature-based intrusion detection systems perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type • Heuristic intrusion detection systems, also known as anomaly based • Intrusion detection devices can be network based or host based • A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network; • a host-based IDS runs on a single workstation or client or host, to protect that one host.

  50. Stealth Mode • most IDSs run in stealth mode , whereby an IDS has two network interfaces: one for the network (or network segment) being monitored and the other to generate alerts and perhaps other administrative needs

More Related