Beruflich Dokumente
Kultur Dokumente
p 7
Security in Networks
Ch l P.
Charles P Pfleeger
Pfl & Sh
Sharii LLawrence Pfl
Pfleeger, SSecurity
i ini Computing,
C i
4th Ed., Pearson Education, 2007 1
y In this chapter
y Networks
N k vs. stand-alone
d l applications
li i andd environments:
i differences
diff
and similarities
y Threats
Th t againsti t networked
t k d applications,
li ti iincluding
l di ddenial
i l off service,
i
web site defacements, malicious mobile code, and protocol attacks
y Controls
C t l against i t network
t k attacks:
tt k physical
h i l security,
it policies
li i andd
procedures, and a range of technical controls
y Firewalls:
Fi ll design,
d i capabilities,
biliti lilimitations
it ti
y Intrusion detection systems
y Private
P i t e-mail: il PGP andd S/MIME
2
p
7.1. Network Concepts
y The Network
y A network
t k iin itits simplest
i l t fform
6
y The network (Contd)
y Media
M di
y Cable
y Twisted pair or unshielded twisted pair (UTP).
(UTP)
y Coaxial (coax) cable
y Ethernet, carrying up to 100 Mbps over distances of up to 1500 feet.
y Coax cable also suffers from degradation of signal quality over
distance.
y Repeaters (for digital signals) or amplifiers (for analog signals)
y Optical Fiber
y Less interference,
interference less crossover between adjacent mediamedia, lower cost,
cost and
less weight than copper
7
8
y The network (Contd)
y Media
M di
y Infrared
y Carries signals for short distances (up to 9 miles)
y Satellite
y Geosynchronous orbits
y A rather narrow angle of dispersion from the
satellite's transmitter produces a fairly broad
pattern (called the footprint) on the surface of
the earth
7 Application Userleveldata
6 Presentation Standardizeddataappearance,blocking,textcompression
Sessionsorlogicalconnectionsbetweenpartsofanapplication;message
5 Session
sequencing,recovery
4 Transport Flowcontrol,endtoenderrordetectionandcorrection,priorityservice
3 N
Network
k R i
Routing,messageblockingintouniformlysizedpackets
bl ki i if l i d k
Reliabledatadeliveryoverphysicalmedium;transmissionerrorrecovery,
2 DataLink
separatingpacketsintouniformlysizedframes
1 Physical
y Actualcommunicationacrossphysicalmedium;individualbittransmission
p y ;
12
13
14
15
16
y The network (Contd)
y Protocols
P l (C
(Contd)d)
y Addressing (Contd)
y Every computer connected to a network has a network interface card
(NIC) with a unique physical address, called a MAC address (for Media
Access Control).
y At the data link level, two more headers are added, one for your
computer's NIC address (the source MAC) and one for your router's NIC
address.
y A data link layer structure with destination MAC, source MAC, and data is
called a frame.
frame
17
18
y The network (Contd)
y Protocols
P l (C
(Contd)d)
y Layering
y Each layer reformats the transmissions and exchanges information with its
peer layer. Let us summarize what each layer contributes.
19
20
y The network (Contd)
y Protocols
P l (C
(Contd)
d)
y TCP/IP
y TCP/IP is defined by protocols
protocols, not layers,
layers but we can think of it in terms
of four layers:
y Application
y Host-to-host (end-to-end) transport
y Internet
y Physical.
21
22
L
Layer A i
Action R
Responsibilities
ibili i
userinteractionsUser
Application
pp Preparemessagesfrom
p g
interaction addressing
interaction,addressing
Convertmessagesto Sequencing,reliability
Transport
packets (integrity),errorcorrection
Convertpacketsto
Internet Flowcontrol,routing
datagrams
Transmitdatagramsas
Physical Datacommunication
individualbits
23
26
y The network (Contd)
y Protocols
P l (C
(Contd)
d)
y Addressing Scheme (Contd)
y An IP address is expressed as four 8-bit groups in decimal notation,
notation
separated by periods, such as 100.24.48.6. (Note: The world's networks
are running out of unique addresses. This 32-bit standard address is being
increased to 128 bits in a scheme called IPv6.)
y People prefer speaking in words or pseudowords, so network addresses
are also known by domain names, such as ATT.COM
27
28
y The network (Contd)
y Types
T off Networks
N k
y Local Area Networks
y Small.
Small
y Locally controlled.
y Physically protected.
y Limited scope.
y Wide Area Networks
y Single control.
y Covers a significant distance.
y Physically exposed (often,
(often but not always).
always)
29
30
y The network (Contd)
y Types
T off NNetworksk (C
(Contd)
d)
y Internetworks (Internets) (Contd)
y The characteristics of the Internet.
Internet
y Federation. Almost no general statements can be made about Internet
users or even network service providers.
y Enormous.
y Heterogeneous.
y Physically and logically exposed.
31
32
Uncertain Message Routing in a Network
34
y Reconnaissance
y A clever
l attacker
k iinvestigates
i andd plans
l bbefore
f acting.i
y A network attacker learns a lot about a potential target before
b i i th
beginning the attack.
tt k
35
y Reconnaissance (Contd)
y Port
P Scan
S
y A program that, for a particular IP address, reports which ports respond to
messages and which of several known vulnerabilities seem to be present.
present
y Port scanning tells an attacker three things:
y which standard ports or services are running and responding on the target
system,
y what operating system is installed on the target system
y what applications and versions of applications are present.
36
y Reconnaissance (Contd)
y Social
S i l EEngineering
i i
y The port scan gives an external picture of a networkwhere are the doors and
windows of what are they constructed
windows, constructed, to what kinds of rooms do they
open? The attacker also wants to know what is inside the building.
y Social engineering involves using social skills and personal interaction to get
someone to reveal security-relevant information and perhaps even to do
something that permits an attack.
y Because the victim has helped the attacker (and the attacker has profusely
thanked the victim), the victim will think nothing is wrong and not report the
incident.
incident
37
y Reconnaissance (Contd)
y Intelligence
I lli
y From a port scan the attacker knows what is open.
y From social engineering,
engineering the attacker knows certain internal details
details.
y But a more detailed floor plan would be nice.
y Intelligence is the general term for collecting information.
y In security it often refers to gathering discrete bits of information from
various sources and then putting them together
38
y Reconnaissance (Contd)
y Operating
O i SSystem andd AApplication
li i Fi Fingerprinting
i i
y The port scan supplies the attacker with very specific information.
y The attacker is likely to have many related questions,
questions such as which
commercial server application is running, what version, and what the
underlying operating system and version are.
y A new version will implement a new feature but an old version will reject
the request. All these peculiarities, sometimes called the operating system
or application fingerprint, can mark the manufacturer and version.
39
y Reconnaissance (Contd)
y Operating
O i SSystem andd Application
A li i Fingerprinting
Fi i i (Contd)
(C d)
y Ports such as 80 (HTTP), 25 (SMTP), 110 (POP), and 21 (FTP) may respond
with something like
Or
41
42
y Threats in Transit: Eavesdropping and Wiretapping (Contd)
y C
Cable
bl
y A packet sniffer can retrieve all packets on the LAN. Alternatively, one of
the interface cards can be reprogrammed to have the supposedly unique
address of another existing card on the LAN so that two different cards will
both fetch packets for one address.
y By a process called inductance an intruder can tap a wire and read radiated
signals without making physical contact with the cable.
y The easiest form of intercepting a cable is by direct cut. If a cable is severed,
all service on it stops. As part of the repair, an attacker can easily splice in a
secondary cable that then receives a copy of all signals along the primary
cable.
43
44
y Threats in Transit: Eavesdropping and Wiretapping (Contd)
y Satellite
S lli Communication
C i i
y Optical Fiber
y Optical
O ti l fiber
fib offers
ff two
t significant
i ifi t security
it advantages
d t over other
th
transmission media.
y First,, the entire optical
p network must be tuned carefullyy each time a new
connection is made.
y Second, optical fiber carries light energy, not electricity. Light does not
emanate a magnetic field as electricity does.
45
46
y Threats in Transit: Eavesdropping and Wiretapping (Contd)
y Summary
S off Wiretapping
Wi i
47
48
y Summary of Wiretapping (Contd)
y Impersonation
I i
y Guess the identity and authentication details of the target.
y Pick up the identity and authentication details of the target from a previous
communication or from wiretapping.
y Circumvent or disable the authentication mechanism at the target computer.
y Use a target that will not be authenticated.
y Use a target whose authentication data are known.
49
50
y Summary of Wiretapping (Contd)
y Impersonation
I i (Contd)
(C d)
y Nonexistent Authentication
y If two computers are used by the same users to store data and run
processes and if each has authenticated its users on first access, you
might assume that computer-to-computer or local user-to-remote
process authentication is unnecessary.
51
52
y Summary of Wiretapping (Contd)
y Impersonation
I i (Contd)
(C d)
y Trusted Authentication
y Authentication can become a problem when identification is delegated to
other trusted sources.
y Spoofing
y an attacker falsely carries on one end of a networked interchange.
53
54
y Summary of Wiretapping (Contd)
y Impersonation
I i (Contd)
(C d)
y Session Hijacking
y Intercepting and carrying on a session begun by another entity.
entity
y Man-in-the-Middle Attack
y A man-in-the-middle attack is a similar form of attack, in which one
entity intrudes between two others.
55
58
y Web Site Vulnerabilities
y Web
W b Site
Si Defacement
Df
y Buffer Overflows
y Dot-Dot-Slash
D t D t Sl h
y E.g, http://yoursite.com/webhits.htw?CiWebHits&File=
y
../../../../../winnt/system32/autoexec.nt
y Application Code Errors
59
y Denial of Service
y Transmission
T i i FFailure
il
y Connection Flooding
y Echo-Chargen
E h Ch
y Chargen is a protocol that generates a stream of packets; it is used to test
the network
network'ss capacity.
capacity
y Ping of Death
60
y Denial of Service (Contd)
y Smurf
y First, the attacker chooses a network of unwitting victims.
y The attacker spoofs the source address in the ping packet so that it appears
to come from the victim.
victim
y Then, the attacker sends this request to the network in broadcast mode
61
62
y Denial of Service (Contd)
y Teardrop
T d
y The teardrop attack misuses a feature designed to improve network
communication.
communication
y The attacker sends a series of datagrams that cannot fit together properly.
y One datagram might say it is position 0 for length 60 bytes, another position
30 for 90 bytes, and another position 41 for 173 bytes.
y These three pieces overlap, so they cannot be reassembled properly.
y In an extreme case, the operating system locks up with these partial data
units it cannot reassemble, thus leading to denial of service.
63
64
y Denial of Service (Contd)
y DNS Attacks
A k
y By overtaking a name server or causing it to cache spurious entries
(called DNS cache poisoning),
poisoning) an attacker can redirect the routing of any
traffic, with an obvious implication for denial of service.
y .
65
66
y Threats in Active or Mobile Code
y Active
A i code
d or mobile
bil code
d isi a generall name ffor code
d that
h iis
pushed to the client for execution.
y Cookies
C ki
y A cookie is a data object that can be held in memory (a per-session cookie)
or stored on disk for future access (a persistent cookie).
cookie)
67
68
y Threats in Active or Mobile Code (Contd)
y Active
A i CodeC d
y Java Code
y A hostile applet is downloadable Java code that can cause harm on the
client's system.
y ActiveX Controls
y Using ActiveX controls, objects of arbitrary type can be downloaded to a
client. If the client has a viewer or handler for the object's type, that
viewer is invoked to present the object.
69
70
y Complex Attacks
y Script
S i Kiddies
Kiddi
y An underground establishment has written scripts for many of the popular
attacks.
attacks
y With a script, attackers need not understand the nature of the attack or
even the concept of a network.
y The attackers merely download the attack script and execute it.
y People who download and run attack scripts are called script kiddies.
71
72
y Security Threat Analysis (Contd)
y Individual
I di id l parts off a network:k
y local nodes connected via
y local communications links to a
y local area network, which also has
y local data storage,
y local processes, and
y local devices.
73
74
y Security Threat Analysis (Contd)
y Summarize
S i these
h threats
h with
i h a lilist:
y intercepting data in traffic
y accessing programs or data at remote hosts
y modifying programs or data at remote hosts
y modifying data in transit
y inserting communications
y impersonating a user
y inserting a repeat of a previous communication
y blocking selected traffic
y blocking all traffic
y running a program at a remote host
75
76
y Design and Implementation (Contd)
y Architecture
A hi (Contd)
(C d)
y Redundancy
y Another key architectural control is redundancy: allowing a function to be
performed on more than one node, to avoid "putting all the eggs in one
basket."
y In failover mode the servers communicate with each other periodically,
each determining if the other is still active. If one fails, the other takes
over processing for both of them.
77
78
y Design and Implementation (Contd)
y Encryption
E i
y Link Encryption
y Data are encrypted just before the system places them on the physical
communications link.
79
80
81
82
83
84
85
LinkEncryption EndtoEndEncryption
Securitywithinhosts
Dataexposedinsendinghost
p g Dataencryptedinsendinghost
yp g
Dataexposedinintermediatenodes Dataencryptedinintermediatenodes
Roleofuser
A li db di h t
Appliedbysendinghost A li db di
Appliedbysendingprocess
Invisibletouser Userappliesencryption
Hostmaintainsencryption Usermustfindalgorithm
Onefacilityforallusers Userselectsencryption
Typicallydoneinhardware Eithersoftwareorhardware
implementation
Allornodataencrypted Userchoosestoencryptornot,foreach
dataitem
Implementationconcerns
Requiresonekeyperhostpair Requiresonekeyperuserpair
Providesnodeauthentication Providesuserauthentication
86
y Design and Implementation (Contd)
y Encryption
E i
y Virtual Private Networks
y With the VPN,
VPN we say that the communication passes through
an encrypted tunnel or tunnel.
87
88
89
90
y Design and Implementation (Contd)
y Encryption
E i
y PKI and Certificates
y PKI offers each user a set of services,
services related to identification and access
control, as follows: Create certificates associating a user's identity with a
(public) cryptographic key :
y Give out certificates from its database,
y Sign certificates, adding its credibility to the authenticity of the
certificate,
y Confirm (or deny) that a certificate is valid,
y Invalidate certificates for users who no longer are allowed access or
whose private key has been exposed
91
93
95
96
y Design and Implementation (Contd)
y Encryption
E i
y IPSec
y A security association includes
y lifespan of the association, to permit long-running sessions to select a
new cryptographic key as often as needed
y address of the opposite end of association
y sensitivity level of protected data (usable for classified data)
97
100
y Design and Implementation (Contd)
y Encryption
E i
y Encrypted E-mail
y Content Integrity - as a bonus with cryptography.
cryptography No one can change
encrypted data in a meaningful way without breaking the encryption.
y Error Correcting Codes
y Cryptographic Checksum - (sometimes called a message digest) is a
cryptographic function that produces a checksum.
101
102
103
104
Access to Services and Servers in Kerberos.
105
106
y Design and Implementation (Contd)
y Wireless
Wi l Security
S i
y SSID (Service Set Identifier)
y WEP (Wired equivalent privacy)
y WEP uses an encryption key shared between the client and the access
point.
y To authenticate a user, the access point sends a random number to the
client, which the client encrypts using the shared key and returns to the
access point.
y From that point on, the client and access point are authenticated and
can communicate using their shared encryption key.
key
107
108
y Alarms and Alerts
Layered
y Network Protection.
109
110
y Honeypots
y You
Y put up a honeypot
h for
f severall reasons:
y to watch what attackers do, in order to learn about new attacks (so that you
can strengthen your defenses against these new attacks)
y to lure an attacker to a place in which you may be able to learn enough to
identify and stop the attacker
y to provide an attractive but diversionary playground, hoping that the
attacker will leave your real system alone
111
7.4. Firewalls
y What Is a Firewall?
y A device
d i that
h filters
fil allll traffic
ffi between
b a protectedd or "inside"
"i id "
network and a less trustworthy or "outside" network.
y The
Th purpose off a firewall
fi ll isi to
t keep
k "bad"
"b d" thi
things outside
t id a protected
t td
environment.
112
y Types of Firewalls
y packet
k filtering
fil i gateways or screening
i routers
y stateful inspection firewalls
y application
li ti proxiesi
y guards
y personall firewalls
fi ll
113
114
In this example, the router has two sides:
inside and outside.
We say that the local LAN is on the inside
Three Connected LANs
of the router, and the two connections to
distant LANs through wide area networks
are on the outside.
115
116
y Stateful Inspection Firewall
y A stateful
f l inspection
i i firewall
fi ll maintains
i i state iinformation
f i ffrom one
packet to another in the input stream.
y Application
A li ti Proxy P
y An application proxy gateway, also called a bastion host, is a
fi ll that
firewall th t simulates
i l t the th (proper)
( ) effects
ff t off an application
li ti so that
th t
the application receives only requests to act properly.
y A proxy gateway
t iis a ttwo-headed
h d d device:
d i It llooksk tto th
the iinside
id as if it
is the outside (destination) connection, while to the outside it
respondsd just
j t as th
the insider
i id would.ld
117
118
y Guard
y A sophisticated
hi ti t d fifirewall.
ll
y Like a proxy firewall, it receives protocol data units, interprets them, and passes
g the same or different protocol
through p data units that achieve either the same
result or a modified result.
y The guard decides what services to perform on the user's behalf in accordance
with its available knowledge, such as whatever it can reliably know of the
(outside) user's identity, previous interactions, and so forth.
y The
Th degree
d off control
t l a guardd can provide
id iis lilimited
it d only
l bby what
h t iis
computable.
y But gguards and proxy
p y firewalls are similar enough g that the distinction between
them is sometimes fuzzy.
119
y Personal Firewalls
y An
A application
li i program that
h runs on a workstation
k i to block
bl k
unwanted traffic, usually from the network.
120
y Example Firewall Configurations
122
y
7.5. Intrusion Detection Systems
y An intrusion detection system (IDS) is a device, typically another
separate computer, that
h monitors
i activity
i i to id
identify
if malicious
li i or
suspicious events.
123
124
y Types of IDSs
y The
Th two generall types off intrusion
i i detection
d i systems
y Signature-based intrusion detection systems perform simple pattern-
matching and report situations that match a pattern corresponding to a
known attack type.
y Heuristic intrusion detection systems, also known as anomaly based, build
a model of acceptable behavior and flag exceptions to that model
y Intrusion detection devices
y A network-based IDS is a stand-alone device attached to the network to
monitor traffic throughout that network;
y A host-based
host based IDS runs on a single workstation or client or host
host, to protect
that one host.
125
126
y Heuristic Intrusion Detection
y Instead
I d off llooking
ki for
f matches,
h heuristic
h i i iintrusion
i detection
d i looks
l k for
f
behavior that is out of the ordinary.
y The
Th iinference
f engine
i off an iintrusion
t i detection
d t ti system t performs
f
continuous analysis of the system, raising an alert when the system's
di ti
dirtiness exceeds
d a th
threshold.
h ld
127
128
y Stealth Mode
y most IDSs
IDS run iin stealth
l h mode,
d whereby
h b an IDS has
h two networkk
interfaces:
y one for
f ththe network
t k ((or network
t k segment)t) bbeing
i monitored
it d andd
y the other to generate alerts and perhaps other administrative needs.
129
St lth Mode
Stealth M d IDS Connected
C t d tto TTwo NNetworks
t k
130
y Goals for Intrusion Detection Systems
y Filter
Fil on packet k headers
h d
y Filter on packet content
y Maintain
M i t i connectionti state
tt
y Use complex, multipacket signatures
y Use
U minimali i l number
b off signatures
i t with ith maximum
i effect
ff t
y Filter in real time, online
y Hide
Hid itsit presence
y Use optimal sliding time window size to match signatures
131
y Responding to Alarms
y Whatever
Wh the
h type, an iintrusion
i ddetection
i system raises
i an alarm
l
when it finds a match
y In
I general,l responses fall
f ll into
i t three
th major
j categories
t i (any ( or allll off
which can be used in a single response):
y Monitor,
M it collect
ll t ddata,
t perhaps
h iincrease amountt off data
d t collected
ll t d
y Protect, act to reduce exposure
y Call a human
132
y False Results
y Although
Al h h an IDS might
i h ddetect an iintruder
d correctly
l most off the
h time,
i
it may stumble in two different ways:
y RRaising
i i an alarm
l for f something
thi ththatt iis nott really
ll an attack
tt k ((called
ll d a false
fl
positive, or type I error in the statistical community)
y Not raisingg an alarm for a real attack (a ( false negative,
g , or type
yp II error).)
y Too many false positives means the administrator will be less confident of
the IDS's warnings, perhaps leading to a real alarm's being ignored.
y But false negatives mean that real attacks are passing the IDS without action.
y We say that the degree of false positives and false negatives represents the
sensitivity of the system.
system
133
134
y Requirements and Solutions
y If we were to make
k a lilist off the
h requirements
i ffor secure e-mail,
il our
wish list would include the following protections.
y Message confidentiality
M fid ti lit (the
(th message isi nott exposedd en route
t tto th
the
receiver)
y Messageg integrity
g y ((what the receiver sees is what was sent))
y Sender authenticity (the receiver is confident who the sender was)
y Non-repudiation (the sender cannot deny having sent the message)
135
y Designs
136
Encrypted E-mail Secured Message
137
139