450 likes | 481 Views
Security. Computer Networks. Confidentiality snooping encryption Integrity deletion, changes backups Availability denial of service attacks. Authentication are who you say you are Nonrepudiation no denying it Access Control don’t touch that!. What to Protect. Most Importantly.
E N D
Security Computer Networks John Kristoff
Confidentiality snooping encryption Integrity deletion, changes backups Availability denial of service attacks Authentication are who you say you are Nonrepudiation no denying it Access Control don’t touch that! What to Protect John Kristoff
Most Importantly Protect your reputation John Kristoff
Good Books • Network Security: PRIVATE Communication in a PUBLIC World. Kaufman, Perlman and Speciner. • Cryptography and Network Security: Principles and Practice. Stallings. John Kristoff
Where to Put the Protection? John Kristoff
Host Based Security • Recall End-to-End Argument • Security is ultimately a host problem • Key idea: protect the DATA • End hosts are in control of data • Users are in control of end hosts • Users can and often will do dumb things • Result: very difficult to protect all hosts John Kristoff
Network Based Security • Should augment host based security • Useful for • Protecting groups of users from others • Prohibiting certain types of network usage • Controlling traffic flow • Difficult to inspect traffic • encryption can hide bad things • tunneling can mislead you John Kristoff
Perimeter Security • Boundary between a trusted internal network and a hostile external network John Kristoff
Internal Security • Most often ignored • Most likely the problem • Disgruntled employee • Curious, but dangerous employee • Clueless and dangerous employee John Kristoff
Security by Obscurity • Is no security at all. • However • It’s often best not to advertise unnecessarily • It’s often the only layer used (e.g. passwords) • Probably need more security John Kristoff
Layered Defenses • The belt and suspenders approach • Multiple layers make it harder to get through • Multiple layers take longer to get through • Basic statistics and probability apply • If Defense A stops 90% of all attacks and Defense B stops 90% of all attacks, you might be able to stop up to 99% of all attacks • Trade-off in time, money and convenience John Kristoff
Physical Security • Trash bins • Social engineering • It’s much easier to trust a face than a packet • Protect from the whoops • power • spills • the clumsy • software really can kill hardware John Kristoff
Packet Filtering Firewalls • Apply rules to incoming/outgoing packets • Based on • Addresses • Protocols • Ports • Application • Other pattern match John Kristoff
Packet Filtering Firewall Illustrated John Kristoff
Example Firewall: ipchains -A input -s 192.168.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -A input -s 172.0.0.0/255.240.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -A input -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -A input -s 224.0.0.0/224.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -A input -s 0.0.0.0/0.0.0.0 -d a.b.c.d/255.255.255.255 22:22 -p 6 -j ACCEPT -A input -s 0.0.0.0/0.0.0.0 -d a.b.c.d/255.255.255.255 1024:65535 -p 6 ! -y -j ACCEPT John Kristoff
Example Firewall: Cisco Router Filters access-list 100 deny ip 192.168.0.0 0.0.255.255 any access-list 100 deny ip 172.0.0.0 0.15.255.255 any access-list 100 deny ip 10.0.0.0 0.255.255.255 any access-list 100 deny ip 0.0.0.0 0.255.255.255 any access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 deny ip 224.0.0.0 31.255.255.255 any access-list 100 deny ip 1.2.0.0 0.0.255.255 any access-list 100 permit tcp any host 1.2.3.4 eq domain access-list 100 permit udp any host 1.2.3.4 eq domain access-list 100 deny tcp any host 1.2.3.5 eq telnet log access-list 100 deny tcp any host 1.2.3.6 eq syn log access-list 100 deny ip any host 1.2.3.4 access-list 100 permit ip any 1.2.0.0 0.0.255.255 access-list 100 deny ip any any John Kristoff
Encryption • Make a readable message unreadable • Math intensive • Plain text versus cipher text • Algorithms and keys • public • private • key size John Kristoff
Encryption? #include<stdlib.h> #include<stdio.h> main(I,O,O0,OO,l) int I,O0,OO,l; char **O; { return !!I>=I?!I>=I?!!~I>=~I?!~I>=~I?!OO?!I:OO%2? OO=main(I,O,O0,OO>>!!OO,l), OO=main(I-!I-!!I,O,OO,OO,l), OO=main(I-!I-!!I,O,O0,OO,l), !(OO-!I||I)?l-1:OO :(OO=main(I,O,O0,OO>>!!OO,l), !(OO-l+!I||I)?l-1:main(I-!I-!!I,O,OO,OO,l)) :(O0+OO)%l :main(I-I/I-I/I,O,O0,OO+OO/OO, main(0,O,O0,OO,I-I-I)+I+1?1:printf("%d ",I-I-I)+fflush(stdout)) :main(I-I-I-I-I,O,I+I-I+I,I,0) :main(~!!I-!!I,O,atoi(1[O]),1,atoi(0[O])); } John Kristoff
Shared Secret Key • Each party knows a secret • The secret is used to decrypt the cipher text • Book: Ulysses • Page: 7 • Line: 23 • Word: 4 • Must know the book and keep it a secret John Kristoff
Shared Secret Key Illustrated John Kristoff
Public Key Cryptography • Public Key • Everyone can use it to encrypt messages to you • Private Key • Only you know this key and only it decrypts messages encrypted with your public key • Keyring John Kristoff
Public Key Illustrated John Kristoff
Denial of Service (DoS) • Prevents or impairs standard service • SYN flooding • SMURF attacks • Distributed Denial of Service (DDoS) • Most effective when source address can be spoofed • Difficult problem to solve John Kristoff
Example Denial of Service Illustrated John Kristoff
Example Distributed Denial of Service Illustrated John Kristoff
Buffer Overflows and Weak Validation of Input • Key idea: overwriting the something on the stack • Popular exploits with CGI scripts • Regular users can gain root access • If exploit on TCP/UDP service, remote root can be accomplished John Kristoff
Session Hijacking If you can predict sequence numbers and spoof the source address, you might be able to pretend to be one end of the session. It helps if you can keep one end of the session busy while you’re hijacking. John Kristoff
Session Hijacking Illustrated John Kristoff
Password Cracking • Very common today • If attacker can get a hold of the password file, they can go offline and process it • Recall • passwords are a form of obscurity • multiple defenses may be needed • A good password selection strategy John Kristoff
Viruses and Worms • Programs written with the intent to spread • Worms are very common today • Often email based (e.g. ILOVEYOU) • Viruses infect other programs • Code copied to other programs (e.g. macros) • All require the code to be executed • Proves users continue to do dumb things • Sometimes software is at fault too John Kristoff
Example: Securing Routers ! version 12.0 service tcp-keepalives-in service timestamps debug datetime msec localtime service timestamps log datetime msec localtime service password-encryption clock timezone cst -6 clock summer-time cdst recurring no ip source-route no ip finger no ip bootp server ! interface FastEthernet1/0 description backbone router ip address a.b.c.d 255.255.255.0 ip access-group 100 in no ip unreachables no ip directed-broadcast no cdp enable John Kristoff
Example: Securing Routers [continued] router rip passive-interface Serial1/0 network a.b.0.0 distribute-list 1 in Serial2/0 logging history warnings logging trap debugging logging facility local7 logging source-interface Loopback0 logging a.b.c.d access-list 1 deny any access-list 10 permit a.b.c.0 0.0.0.255 access-list 10 deny any access-list 100 permit tcp a.b.0.0 0.0.255.255 any eq telnet log access-list 100 deny ip any any log John Kristoff
Example: Securing Routers [continued] snmp-server community password RO 10 snmp-server location computing center snmp-server contact Network Administrator banner motd^C This host is to be used by authorized personnel only!^C ! line vty 0 4 exec-timeout 0 5 access-class 100 in password 7 823442561E01034A12 login transport input telnet ssh ! ntp source Loopback0 ntp server a.b.c.d end John Kristoff
Example: Securing UNIX • Remove unnecessary UDP/TCP servers • Startup scripts in /etc/rc.d directories • /etc/inetd.conf • Use secure versions of servers • ssh • tcpwrappers • Many useful tools available • Tripwire, IP Filter, ipchains, lsof, tcpwrappers, etc... John Kristoff
Example: Securing Windows • Disable file/printer sharing • Use virus protection software • Keep current on latest service packs • Disable unnecessary protocols John Kristoff
Network Address Translation • NAT is a hack! • Provides some level of security, but with a great deal of cost • If security is the only goal, avoid NAT • NAT has been required for sites with IP address allocation problems • RSIP may get NAT users back on track John Kristoff
NAT Illustrated John Kristoff
Virtual Private Networks John Kristoff
Key Idea A session between two endpoints that is secured from eavesdroppers and all threats on the network in between, usually through the use of encryption technology. John Kristoff
Why Is This Worthwhile? • Cost, Cost, Cost! • Ability to make use of a public, insecure network, rather than building your own private, secure network John Kristoff
Challenges • Increased overhead • Complexity • Performance • Quality • Management John Kristoff
Oh, and One More Thing John Kristoff
Some Terms/Technology Thrown Around with VPNs • IPsec • PPP/PPTP/L2TP/L2F • CHAP, PAP • Encapsulation • Tunneling • AAA • RADIUS/TACACS/TACACS+ • Firewalls John Kristoff
ssh TripWire tcpwrappers IP Filter, ipchains nmap tcpdump, windump syslog ntp snort logcheck, swatch crack, l0pftcrack kerberos PGP kerberos S/MIME SSL Security Tools John Kristoff
Final Thoughts • Network Address Translation • Think about long term implications • Security as a end-to-end problem • Java, Javascript and ActiveX • Certificates • Intrusion Detection John Kristoff