Lesson 2 Network Security and Attacks
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
• Prevention: Access Controls, Encryption, Firewalls
• Detection: Intrusion Detection
• Response: Incident Handling
Security Operational Model (cycle: Evaluate, Secure, Improve, Monitor)
• Vulnerability Assessment Services
• Vulnerability Scanners
• Intrusion detection
• Firewalls
• Encryption
• Authentication
• Security Design Review
• Security Integration Services
• 24 Hr Monitoring Services
• Remote Firewall Monitoring
Protocols
• A protocol is an agreed-upon format for exchanging information.
• A protocol defines a number of parameters:
  • Type of error checking
  • Data compression method
  • Mechanisms to signal reception of a transmission
• A number of protocols have been established in the networking world.
OSI Reference Model
• ISO standard describing 7 layers of protocols
• Application: program-level communication
• Presentation: data conversion functions, data format, data encryption
• Session: coordinates communication between endpoints; session state is maintained for security
• Transport: end-to-end transmission, controls data flow
• Network: routes data from one system to the next
• Data Link: handles passing of data between nodes
• Physical: manages the transmission media / hardware connections
• Each layer communicates only with the layer directly above it and the layer directly below it
The OSI Model (figure)
• Application, Presentation, Session, Transport and Network layers: implemented by software such as an operating system
• Data-Link and Physical layers: implemented by hardware
• Each layer serves only its adjacent layers. Thus the software which implements the Transport Layer receives input from the Session Layer or the Network Layer.
TCP/IP Protocol Suite
• TCP/IP refers to two network protocols used on the Internet:
  • Transmission Control Protocol (TCP)
  • Internet Protocol (IP)
• TCP and IP are only two of a large group of protocols that make up the entire “suite”
• A “real-world” application of the layered concept
• There is not a one-to-one relationship between the layers in the TCP/IP suite and the OSI Model
OSI and TCP/IP comparison
OSI Model                              TCP/IP Protocol Suite
Application / Presentation / Session   NFS, FTP, Telnet, SSH, SMTP, SMB, HTTP, NNTP, RPC   (application-level protocols)
Transport                              TCP, UDP
Network                                IP, ICMP, ARP                                       (network-level protocols)
Data-link / Physical                   Physical
Communication Between Two Networks Via the Protocol Stack (figure): a Windows machine on an Ethernet sending an e-mail to a Linux machine on a FDDI network. At each layer (Application, Presentation, Session, Transport, Network, Data-Link, Physical) the data is wrapped in a further header H, and the packet is transmitted via the network media.
1. The Windows machine adds headers as the packet traverses down the TCP/IP stack from the sending application.
2. The Linux machine removes headers as the packet traverses up the TCP/IP stack to the receiving application.
TCP/IP Protocol Suite (figure): user processes sit on top of TCP and UDP; TCP, UDP, ICMP and IGMP sit on IP; IP sits on the hardware interface together with ARP and RARP; the hardware interface sits on the media.
TCP/IP Encapsulation (figure; the user data is an e-mail)
1. Application (Application Layer): Application Header | User Data
2. TCP or UDP (Transport Layer): TCP Header | Application Header | User Data
3. IP (Network Layer): IP Header | TCP Header | Application Header | User Data
4. Ethernet Driver (Data Link Layer): Ethernet Header | IP Header | TCP Header | Application Header | User Data | Ethernet Trailer
5. Ethernet: the completed frame goes onto the medium
IPv4 Header Layout (each row is 4 bytes = 32 bits; the fixed header is 20 bytes = 160 bits, followed by Options and Data)
 0       4       8               16    19                        32
+--------+--------+----------------+--------------------------------+
|Version |Length  |  Type of Srvc  |          Total Length          |
+--------------------------------+------+--------------------------+
|         Identification         |Flags |     Fragment Offset      |
+----------------+----------------+--------------------------------+
|  Time to live  |    Protocol    |        Header Checksum         |
+----------------------------------------------------------------+
|                         Source Address                         |
+----------------------------------------------------------------+
|                      Destination Address                       |
+----------------------------------------------------------------+
|                            Options                             |
+----------------------------------------------------------------+
|                              Data                              |
+----------------------------------------------------------------+
TCP Header Layout (each row is 4 bytes = 32 bits; the fixed header is 20 bytes = 160 bits, followed by Options, Padding and Data)
 0       4           10          16                              32
+--------------------------------+--------------------------------+
|          Source Port           |        Destination Port        |
+----------------------------------------------------------------+
|                        Sequence Number                         |
+----------------------------------------------------------------+
|                     Acknowledgement Number                     |
+--------+------------+--+--+--+--+--+--+--------------------------------+
|Offset  |   Unused   |U |A |P |R |S |F |             Window             |
+--------------------------------+--------------------------------+
|            Checksum            |         Urgent Pointer         |
+----------------------------------------------------------------+
|                      Options and Padding                       |
+----------------------------------------------------------------+
|                              Data                              |
+----------------------------------------------------------------+
Header Info = Data offset, Unused bits and the flags U=URG, A=ACK, P=PSH, R=RST, S=SYN, F=FIN
Establishment of a TCP connection (“3-way Handshake”)
1. SYN (client → server): the client sends a connection request, specifying a port to connect to on the server.
2. SYN/ACK (server → client): the server responds with both an acknowledgement and a queue for the connection.
3. ACK (client → server): the client returns an acknowledgement and the circuit is opened.
Ports (figure)
• Packet One: Source Port 1033, Destination Port 80, Data
• Packet Two: Source Port 80, Destination Port 1033, Data
UDP Header Layout (each row is 4 bytes = 32 bits; the header is 8 bytes = 64 bits, followed by Data)
+--------------------------------+--------------------------------+
|          Source Port           |        Destination Port        |
+--------------------------------+--------------------------------+
|             Length             |            Checksum            |
+----------------------------------------------------------------+
|                              Data                              |
+----------------------------------------------------------------+
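The encapsulation and header layouts above are easiest to understand by building a frame and taking it apart again. The following is an added example, not part of the lecture: it constructs an Ethernet frame carrying an IPv4/TCP segment (addresses, MACs and the “EMAIL” payload are made-up sample values), then decodes it field by field the way the receiving host's stack does, verifying the IP header checksum and the TCP pseudo-header checksum on the way. A corrupted or altered header fails the checksum check, which is the first integrity check a receiver has.

```python
"""Added example (not from the lecture): build and decode the encapsulation shown on
the slides, Ethernet -> IPv4 -> TCP/UDP -> user data, with the standard library only.
Addresses, MACs and the payload are constructed sample values."""
import socket
import struct

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5 of the flags field
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by the IP, TCP and UDP headers.
    Computed over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=65535):
    """20-byte TCP header (data offset 5, no options) with the pseudo-header checksum filled in."""
    flag_bits = sum(1 << TCP_FLAGS.index(f) for f in flags)
    offset_flags = (5 << 12) | flag_bits                      # data offset in 32-bit words, unused bits 0
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, IPPROTO_TCP, len(hdr) + len(payload))
    csum = ones_complement_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_ipv4(src_ip, dst_ip, proto, payload, ttl=64, ident=0x1234):
    """20-byte IPv4 header: version 4, IHL 5 words, DF set, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_sample_frame() -> bytes:
    """Constructed frame: client port 1033 -> server port 80, SYN, carrying 'EMAIL' (FCS trailer omitted)."""
    src_ip, dst_ip = "192.0.2.10", "192.0.2.80"
    segment = build_tcp(src_ip, dst_ip, 1033, 80, seq=1000, ack=0, flags={"SYN"}, payload=b"EMAIL")
    packet = build_ipv4(src_ip, dst_ip, IPPROTO_TCP, segment)
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000002"), bytes.fromhex("020000000001"), ETHERTYPE_IPV4)
    return eth + packet


def parse_frame(frame: bytes) -> dict:
    """Peel the headers off in the order the receiving host's stack does."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out
    packet = frame[14:]
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                                  # header length in bytes (Options included)
    out.update(version=ver_ihl >> 4, ihl=ihl, total_len=total_len, ttl=ttl, proto=proto,
               df=bool(flags_frag & 0x4000), frag_offset=flags_frag & 0x1FFF,
               src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
               ip_checksum_ok=ones_complement_checksum(packet[:ihl]) == 0)
    l4 = packet[ihl:total_len]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(l4))
    if proto == IPPROTO_TCP:
        sport, dport, seq, ack, off_flags, window, _, urg = struct.unpack("!HHIIHHHH", l4[:20])
        data_offset = (off_flags >> 12) * 4
        out.update(sport=sport, dport=dport, seq=seq, ack=ack, window=window,
                   flags=[n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)],
                   l4_checksum_ok=ones_complement_checksum(pseudo + l4) == 0,
                   data=l4[data_offset:])
    elif proto == IPPROTO_UDP:
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        out.update(sport=sport, dport=dport, udp_len=length, data=l4[8:length])
    return out


if __name__ == "__main__":
    print(parse_frame(build_sample_frame()))
```

Flipping a single byte of the IP header (the TTL, say) after the frame is built makes `ip_checksum_ok` false, which is exactly why a router that decrements the TTL must recompute the header checksum before forwarding.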
IP Centric Network (figure)
• Layer 6/7, Applications: Banking, Retail, Medical, Wholesale, B2B
• Layer 5, Session: X, FTP, SMTP, SNMP, NFS, DNS, TFTP, NTP, Telnet, Windows, BGP, RIP
• Layer 4, Transport: TCP, UDP, IGMP, ICMP, IGP, EGP
• Layer 3, Network: IP
• Layers 2 & 1, Data Link & Physical: Ethernet 802.3, 802.4, 802.5, 802.6, X.25, SLIP, Frame Relay, SMDS, ATM, Arcnet, PPP
• Also shown alongside IP: IPX, Appletalk
“Twenty-six years after the Defense Department created the INTERNET as a means of maintaining vital communications needs in the event of nuclear war, that system has instead become the weak link in the nation's defense.” USA Today, 5 Jun 1996
“True hackers don't give up. They explore every possible way into a network, not just the well known ones.” The hacker Jericho
“By failing to prepare, you are preparing to fail.” Benjamin Franklin
Typical Net-based Attacks -- Web
• “Popular” and receive a great deal of media attention.
• Attempt to exploit vulnerabilities in order to:
  • Access sensitive data (e.g. credit card #’s)
  • Deface the web page
  • Disrupt, delay, or crash the server
  • Redirect users to a different site
Typical Net-based Attacks -- Sniffing
• Essentially eavesdropping on the network
• Takes advantage of the shared nature of the transmission media.
• Passive in nature (i.e. just listening, not broadcasting)
• The increased use of switching has made sniffing more difficult (less productive) but has not eliminated it (e.g. DNS poisoning can be used to make target hosts send traffic intended for other systems to the attacker)
Defeating Sniffer Attacks
• Detecting and Eliminating Sniffers
  • Possible on a single box if you have control of the system
  • Difficult (depending on OS) to impossible (if somebody splices the network and adds hardware) from the network perspective
• Safer Topologies
  • Sniffers capture data from the network segment they are attached to, so create segments
• Encryption
  • If you sniff encrypted packets, who cares? (outside of traffic analysis, of course)
Typical Net-Based Attacks -- Spoofing, Hijacking, Replay
• Spoofing attacks involve the attacker pretending to be someone else.
• Hijacking involves the assumption of another system's role in a “conversation” already taking place.
• Replay occurs when the attacker retransmits a series of packets previously sent to a target host.
Typical Net-Based Attacks -- Denial of Service
• DOS and Distributed DOS (DDOS) attacks have received much attention in the media in the last year due to some high-profile attacks. Types:
  • Flooding: sending more data than the target can process
  • Crashing: sending data, often malformed, designed to disable the system or service
  • Distributed: using multiple hosts in a coordinated attack effort against a target system
A Distributed DoS in Action, Registration Phase (figure): across the Internet, the hacker's client contacts the master control programs on the master hosts, which verify registration with the broadcast agents (broadcast hosts) using *Hello* / PONG / png messages.
A Distributed DoS in Action, The Attack Phase (figure): the hacker's client signals the broadcast agents (broadcast hosts) across the Internet, and they launch a UDP Flood Attack against the attack target.
How CODE RED Works (figure sequence)
• The first infected system scans to find new victims (100 system probes).
• Each new victim scans the same “random” address space.
• Each new victim starts the scanning process over again.
• From the 20th to the end of the month, the primary target is www.whitehouse.gov.
How NIMDA Works (figure sequence)
• The first infected system fetches Admin.dll via tftp from the attacking system (contains the NIMDA payload).
• The infected system sends an infected email attachment.
• NIMDA propagates via open file shares.
• The infected system scans the network for vulnerable IIS web servers.
• NIMDA attaches to web pages on the infected server.
• NIMDA prefers to target its neighbors.
• Very rapid propagation.
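The DDoS flood above and the Code Red / Nimda scanning pattern both leave a distinctive trace in flow records, and a network monitor can flag them from that trace alone. The following is an added example and not part of the lecture: it reads constructed flow records (one line per flow: timestamp, source, destination, protocol, destination port), buckets them into fixed time windows, and raises a “flood” alert when many distinct sources hit one destination and a “scan” alert when one source contacts many distinct destinations on the same port, as a worm scanning its neighbours does. The thresholds and the window size are assumptions to be tuned per network.

```python
"""Added example (not from the lecture): two detections a network monitor can run over
flow records, one for the flooding DDoS pattern and one for the worm-style scanning that
Code Red and Nimda used to spread. The flow records below are constructed."""
from collections import defaultdict

# Constructed flow records: "<epoch-seconds> <src-ip> <dst-ip> <proto> <dst-port>"
SAMPLE_FLOWS = (
    # 25 different sources all hitting one host with UDP inside the same 10-second window
    [f"1000{i % 10} 203.0.113.{i} 10.0.0.5 udp 53" for i in range(1, 26)]
    # one internal host probing 15 neighbours on port 80 (Nimda "prefers its neighbours")
    + [f"10005 10.0.0.9 10.0.0.{20 + j} tcp 80" for j in range(15)]
    # ordinary traffic
    + ["10002 10.0.0.7 10.0.0.5 tcp 22", "10003 10.0.0.8 192.0.2.1 tcp 443"]
)


def parse_flow(line: str) -> dict:
    ts, src, dst, proto, dport = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def detect(lines, window=10, flood_sources=20, flood_packets=20, scan_targets=10):
    """Bucket flows into fixed windows of `window` seconds and flag
    - flood: one destination receiving >= flood_packets packets from >= flood_sources distinct sources
    - scan:  one source contacting >= scan_targets distinct destinations on one port.
    Thresholds are assumed values; tune them to the network's normal traffic."""
    to_dst = defaultdict(lambda: {"packets": 0, "sources": set()})
    from_src = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        w = f["ts"] // window
        d = to_dst[(w, f["dst"], f["proto"])]
        d["packets"] += 1
        d["sources"].add(f["src"])
        from_src[(w, f["src"], f["proto"], f["dport"])].add(f["dst"])
    alerts = []
    for (w, dst, proto), d in to_dst.items():
        if d["packets"] >= flood_packets and len(d["sources"]) >= flood_sources:
            alerts.append({"type": "flood", "window": w, "target": dst, "proto": proto,
                           "packets": d["packets"], "sources": len(d["sources"])})
    for (w, src, proto, dport), dsts in from_src.items():
        if len(dsts) >= scan_targets:
            alerts.append({"type": "scan", "window": w, "source": src, "proto": proto,
                           "port": dport, "targets": len(dsts)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The two aggregations are deliberately different: the flood key is the destination, because the distinguishing feature of a flood is one target and many senders; the scan key is the source plus port, because a scanning worm is one sender looking for the same service on many hosts.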
Common Attacks
• IP Spoofing
• Session Hijacking
• WWW Cracking
• DNS Cache Poisoning
The TCP Connection in Depth (figure; ISN = Initial Sequence Number)
1. Client → Server: SYN (Client, ISNclient)
2. Server → Client: SYN (Server, ISNserver), ACK (Client, ISNclient+1)
3. Client → Server: ACK (Server, ISNserver+1)
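The ISN arithmetic in the handshake is what the reset, spoofing and hijacking figures that follow all turn on, so it helps to see the checks each side performs. The following is an added example, not part of the lecture: a small state machine for the two endpoints in which the client only accepts a SYN/ACK that acknowledges ISNclient+1, the server only accepts a final ACK that acknowledges ISNserver+1, and a RST is only honoured when its sequence number is the one expected next. A party that never saw the SYN/ACK has to guess ISNserver, which is why an unpredictable ISN (here drawn from `secrets`) is the server's defence against a blindly completed handshake. Host names are constructed.

```python
"""Added example (not from the lecture): the three-way handshake of the slide as a small
state machine with the ISN checks each endpoint performs. Host names and ISNs are constructed."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0


class Endpoint:
    def __init__(self, name: str):
        self.name, self.state = name, "CLOSED"
        self.isn: Optional[int] = None        # our Initial Sequence Number
        self.peer_isn: Optional[int] = None   # the other side's ISN, learnt from its SYN
        self.dropped: list = []               # segments rejected by the sequence-number checks

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer: str) -> Segment:
        """Client, step 1: choose an unpredictable ISN and send SYN."""
        self.isn = secrets.randbelow(2 ** 32)
        self.state = "SYN-SENT"
        return Segment(self.name, peer, frozenset({"SYN"}), seq=self.isn)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Apply one incoming segment and return the reply, if any."""
        if seg.dst != self.name:
            return None
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Server, step 2: remember the client's ISN, pick our own, answer SYN/ACK
            self.peer_isn, self.isn = seg.seq, secrets.randbelow(2 ** 32)
            self.state = "SYN-RECEIVED"
            return Segment(self.name, seg.src, frozenset({"SYN", "ACK"}), seq=self.isn, ack=self.peer_isn + 1)
        if self.state == "SYN-SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.isn + 1:                # does not acknowledge *our* SYN
                self.dropped.append(seg)
                return None
            self.peer_isn = seg.seq
            self.state = "ESTABLISHED"                 # client, step 3: the circuit is open
            return Segment(self.name, seg.src, frozenset({"ACK"}), seq=self.isn + 1, ack=self.peer_isn + 1)
        if self.state == "SYN-RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack != self.isn + 1 or seg.seq != self.peer_isn + 1:
                self.dropped.append(seg)               # wrong ISN: ignored, connection stays half-open
                return None
            self.state = "ESTABLISHED"
            return None
        if "RST" in seg.flags and self.state != "CLOSED":
            if self.peer_isn is not None and seg.seq == self.peer_isn + 1:
                self.state = "CLOSED"                  # RST carrying the expected sequence number
            else:
                self.dropped.append(seg)               # RST with an out-of-sequence number is ignored
        return None


def run_handshake():
    """The normal exchange of the figure; returns both endpoints in ESTABLISHED."""
    client, server = Endpoint("client"), Endpoint("server")
    server.listen()
    syn = client.connect("server")
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return client, server


def blind_completion_attempt(guessed_server_isn: int):
    """The spoofing scenario of the later slide, seen from the server: the SYN/ACK went to the
    real client, so whoever sends the final ACK without seeing it must guess ISNserver.
    Returns the server so the caller can inspect its state."""
    client, server = Endpoint("client"), Endpoint("server")
    server.listen()
    server.receive(client.connect("server"))       # server is now SYN-RECEIVED
    forged = Segment("client", "server", frozenset({"ACK"}), seq=client.isn + 1, ack=guessed_server_isn + 1)
    server.receive(forged)
    return server
```

With a 32-bit ISN drawn from a cryptographic source a single blind guess succeeds with probability 2^-32; with a predictable ISN (the sequential or time-based generators of older stacks) the check in `SYN-RECEIVED` protects nothing.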
The TCP Reset (figure): the student sends SYN (Student, ISNstudent); the server answers SYN (Server, ISNserver), ACK (Student, ISNstudent+1); the evil hacker injects a RESET to tear the connection down.
IP Address Spoofing (figures): a SYN (Student, ISNstudent) carrying the student's address reaches the server; the server's SYN (Server, ISNserver), ACK (Student, ISNstudent+1) goes to the student, who has meanwhile been taken off the network with a DOS (PING OF DEATH); the evil hacker, spoofing the student's IP address, guesses the server's ISN and sends ACK (Server, ISNserver+1).
Session Hijacking (figure): with a TCP connection established between the student and the server, the evil hacker sends a TCP RESET to the student and tells the server “Hey, I am the Student”, taking over the session.
SMB
• Server Message Block (SMB): an application layer protocol that allows system resources to be shared across networks
• An old technology developed by MS and Intel
• Several versions of authentication over the network:
  • Plaintext: easy to sniff
  • LanMan: stronger than Plaintext, uses the PW hash
  • NTLM: PW hash plus ciphertext
SMB Relay Man-in-the-Middle Attack (figure: the evil hacker sits between client and server and relays each message)
1. Session Request (client → hacker → server)
2. Name OK (server → hacker → client)
3. Dialect (client → hacker); the hacker forwards a Dialect list without NT4 security to the server
4. Dialect Selection, Challenge (server → hacker → client)
5. Reply (client → hacker → server)
6. Session OK (server → hacker → client)
Attacker forces weaker LANMAN authentication!
Windows Authentication, LANMAN vs NTLMv2 (figure)
1. Session Request (client → server)
2. Session Response: NETBIOS name OK (server → client)
3. Negotiate Dialect (client → server)
4. Challenge, Dialect Selection (server → client)
5. Username and Response (client → server)
6. All OK, Connected (server → client)
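The relay attack in the two slides above works because the client accepts whatever dialect the server selects and then answers the challenge with the weaker LANMAN response. The following is an added example, not part of the lecture or of any SMB implementation: it simulates steps 3 to 5 of the exchange between a client, a server and an in-path attacker that strips the NT dialect from the Negotiate, and shows the one client-side change that defeats the downgrade, a policy minimum below which the client refuses to authenticate. The dialect strings are the SMB1 names, but their ordering and the authentication level attached to each are a simplified model.

```python
"""Added example (not from the lecture): SMB dialect negotiation as a simulated exchange
between client, server and an in-path attacker, with the client-side minimum-dialect policy
that defeats the downgrade. Dialect order and the auth level per dialect are a simplified model."""

# weakest -> strongest, with the authentication each dialect negotiates in this model
DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002", "NT LM 0.12"]
AUTH_FOR = {"PC NETWORK PROGRAM 1.0": "plaintext", "LANMAN1.0": "LANMAN",
            "LM1.2X002": "LANMAN", "NT LM 0.12": "NTLM"}


def server_select(offered):
    """Server, step 4: pick the strongest dialect the client (apparently) offered."""
    return max(offered, key=DIALECTS.index)


def mitm_strip_nt(offered):
    """In-path attacker: forward the Negotiate but drop every dialect with NT security."""
    return [d for d in offered if not d.startswith("NT ")]


def negotiate(client_offers, minimum_dialect=None, attacker=None):
    """Run steps 3-5 of the slide. `attacker`, if given, rewrites the Negotiate on the wire;
    `minimum_dialect`, if given, is the weakest dialect the client will authenticate over."""
    transcript = [("client -> server", "Negotiate Dialect", list(client_offers))]
    on_wire = attacker(client_offers) if attacker else list(client_offers)
    if attacker:
        transcript.append(("attacker -> server", "Negotiate Dialect (modified)", on_wire))
    chosen = server_select(on_wire)
    transcript.append(("server -> client", "Challenge, Dialect Selection", chosen))
    if minimum_dialect and DIALECTS.index(chosen) < DIALECTS.index(minimum_dialect):
        # The hardened client: never send a response weaker than policy allows
        transcript.append(("client", "abort: selected dialect below policy minimum", chosen))
        return {"connected": False, "dialect": chosen, "auth": None, "transcript": transcript}
    transcript.append(("client -> server", "Username and Response", AUTH_FOR[chosen]))
    transcript.append(("server -> client", "All OK, Connected", chosen))
    return {"connected": True, "dialect": chosen, "auth": AUTH_FOR[chosen], "transcript": transcript}


if __name__ == "__main__":
    for label, kwargs in [("no attacker", {}),
                          ("attacker, trusting client", {"attacker": mitm_strip_nt}),
                          ("attacker, client policy", {"attacker": mitm_strip_nt, "minimum_dialect": "NT LM 0.12"})]:
        result = negotiate(DIALECTS, **kwargs)
        print(label, "->", result["dialect"], result["auth"], "connected" if result["connected"] else "refused")
```

The server cannot tell the modified Negotiate from a genuine one, so the decision has to be made where the weak response would be produced: at the client. On Windows that is the role of the LAN Manager authentication level setting, which stops the client from ever sending an LM response regardless of what the server asks for.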
WEB CRACKING (figure: Student, Server, Evil hacker)
SSL in Action (figure)
1. ClientHello (client → server)
2. ServerHello (server → client)
3. ServerKeyExchange (server → client)
4. ServerHelloDone (server → client)
5. ClientKeyExchange (client → server)
6. ChangeCipherSpec (client → server)
7. Finished (client → server)
8. ChangeCipherSpec (server → client)
9. Finished (server → client)
SSL WEB CRACKING (figure: Student, Server, Evil hacker)