
Internet: Global and Ubiquitous Infrastructure for Communication

Security (1)

Suguru Yamaguchi
Nara Institute of Science and Technology

SOI Asia/Advanced Internet Technology

[Figure: the Internet as a layered infrastructure. Society sits on Internet technology (TCP/IP), which in turn runs over communication technologies: CATV, satellite, cable modem, optical fiber, ATM, copper cable, wireless, WDM/SDH, ISDN.]

Why do we need SECURITY?

• Protect your activities on your information systems as well as on the network infrastructure
  – Information assets
  – Information processing environment
• Any damage to information systems or network infrastructure has a direct impact on your "business" activities
  – Dependable infrastructure
  – Profit earned directly through these systems

Overview of technical trends observed in recent security incidents

Frequently Observed Statistics @ JPCERT/CC

• Port scanning & probes
  – Observed almost every hour.
  – A scan is usually the prologue to other security incidents such as intrusion, so port scanning and probe trials have to be watched at least at the firewall.
• Intrusion
  – Intrusions by password cracking are still observed frequently.
    • One-time passwords or other advanced methods of protecting the login session reduce them.
  – Buffer overflow is normally the main route of intrusion into systems.
    • Implanting "shell code" into network servers that have a buffer overflow security hole.
    • Trying to take complete control of the targeted system from the Internet.
    • Many attack tools use this method.
• Denial of Service (DoS)
  – Send an excessive amount of traffic to the target, then try to stop its service.
  – Distributed DoS is becoming more popular.
• SPAM
• Computer viruses via e-mail or other networking methods

[Chart: number of reports to JPCERT/CC per quarter, 1996Q4 to 2002; y-axis 0 to 3,000.]
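The slide's advice to watch port scans at the firewall, as an added example that is not part of the original lecture: a small C program that reads firewall DROP log lines and flags every source address that probed at least SCAN_THRESHOLD distinct destination ports. The log lines are a constructed sample (the field names follow the Linux netfilter LOG target format; the addresses, timestamps and the threshold of 5 are assumptions), and the detector deliberately ignores repeated hits on the same port, so a client retrying SSH is not mistaken for a scanner. A time window and a whitelist for your own vulnerability scanner are left out for brevity.

```c
/* Added example (not from the original lecture): flag sources that probe many
 * distinct ports, from firewall drop logs. Assumptions: netfilter LOG-style
 * lines ("... SRC=a.b.c.d ... DPT=n"), IPv4 only, no time window. */
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES    64
#define MAX_PORTS      256
#define SCAN_THRESHOLD 5      /* distinct destination ports; tune per site */

struct source {
    char ip[16];              /* dotted-quad IPv4, NUL-terminated */
    unsigned ports[MAX_PORTS];
    int nports;               /* number of distinct ports recorded */
};

/* Extract the SRC address and DPT port from one log line. The syslog prefix
 * and the other key=value fields are skipped, so their order does not matter.
 * Returns 1 if both fields were found, 0 otherwise (not a drop record). */
static int parse_drop(const char *line, char ip[16], unsigned *dport)
{
    const char *s = strstr(line, "SRC=");
    const char *d = strstr(line, "DPT=");
    if (s == NULL || d == NULL)
        return 0;
    return sscanf(s, "SRC=%15s", ip) == 1 && sscanf(d, "DPT=%u", dport) == 1;
}

/* Find the table entry for ip, creating it if needed; NULL when the table is full. */
static struct source *lookup(struct source *tab, int *n, const char *ip)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].ip, ip) == 0)
            return &tab[i];
    if (*n >= MAX_SOURCES)
        return NULL;
    struct source *s = &tab[(*n)++];
    memset(s, 0, sizeof *s);
    snprintf(s->ip, sizeof s->ip, "%s", ip);
    return s;
}

/* Record a destination port once; repeated hits on the same port (a legitimate
 * client retrying) must not count as new probes. */
static void record_port(struct source *s, unsigned port)
{
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == port)
            return;
    if (s->nports < MAX_PORTS)
        s->ports[s->nports++] = port;
}

/* Scan nlines log lines; copy each flagged source address into flagged[] and
 * return how many sources were flagged. */
int detect_scanners(const char *lines[], int nlines, char flagged[][16], int max_flagged)
{
    struct source tab[MAX_SOURCES];
    int n = 0, k = 0;

    for (int i = 0; i < nlines; i++) {
        char ip[16];
        unsigned dport;
        if (!parse_drop(lines[i], ip, &dport))
            continue;
        struct source *s = lookup(tab, &n, ip);
        if (s != NULL)
            record_port(s, dport);
    }
    for (int i = 0; i < n && k < max_flagged; i++)
        if (tab[i].nports >= SCAN_THRESHOLD)
            snprintf(flagged[k++], 16, "%s", tab[i].ip);
    return k;
}

/* Constructed sample log: 203.0.113.7 sweeps five ports (a scan), 198.51.100.9
 * retries port 22 three times (not a scan), plus one unrelated sshd line. */
static const char *SAMPLE_LOG[] = {
    "Nov 20 09:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40211 DPT=21",
    "Nov 20 09:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40212 DPT=22",
    "Nov 20 09:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40213 DPT=23",
    "Nov 20 09:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40214 DPT=25",
    "Nov 20 09:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40215 DPT=80",
    "Nov 20 09:00:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22",
    "Nov 20 09:00:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=22",
    "Nov 20 09:00:05 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=22",
    "Nov 20 09:00:06 fw sshd[812]: Accepted publickey for ops from 198.51.100.9 port 51003",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

static char g_flagged[MAX_SOURCES][16];

/* Run the detector over the sample; flagged addresses are readable via sample_flagged(). */
int run_sample(void)
{
    return detect_scanners(SAMPLE_LOG, SAMPLE_LOG_LEN, g_flagged, MAX_SOURCES);
}

const char *sample_flagged(int i)
{
    return g_flagged[i];
}

int main(void)
{
    int k = run_sample();
    for (int i = 0; i < k; i++)
        printf("possible port scan from %s\n", sample_flagged(i));
    return 0;
}
```

On the sample only 203.0.113.7 is reported. In production the same counting runs per sliding window (for example distinct ports per source per minute), because a slow scan spread over days stays under any per-window threshold and needs a longer-term baseline.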

Technical trend

• Advanced attack methods are widely deployed
  – Recently it was reported that only 48 hours passed from the time a vulnerability was reported to the time an attack tool using that specific security hole was obtainable.
  – Attack tools are very popular and traded on the Internet
    • Many developers
    • Traded on the Internet
    • Various kinds of information about security holes, attack methods and attack tools are available and aggressively exchanged within the community
      – e.g. "bugtraq"
      – Through WWW and IRC
  – Professionally developed
    • Cause actual damage to the system

Buffer Overflow Attack

• Recognized as the most dangerous kind of security hole, especially when found in network service servers.
  – Major route of intrusion
  – Anyone can stop the service servers from the Internet
    • Try to make the "process crash (core dump)"
  – Implanting "shell code"
    • Obtain backdoor access with administrator privilege
• Buffer overflows have been reported in many service servers
  – wuftp, Netscape Enterprise Server, Microsoft IIS, ….
  – Caused by standard library functions that copy data without checking the bounds of the destination buffer.
  – The Internet Worm (1988) already used this method, so it is quite classic but can't be eliminated
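The unbounded copy that the slide attributes to standard library functions, as an added example that is not part of the original lecture: a C request handler with the strcpy() bug beside a bounded version that refuses input that does not fit. The function names, the 16-byte buffer and the sample requests are illustrative assumptions, not code from any of the servers named above.

```c
/* Added example (not from the original lecture): the unbounded-copy bug the
 * slide describes, next to a bounded version that refuses oversized input.
 * Function and buffer names are illustrative. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16     /* fixed-size stack buffer, as in many old daemons */

/* Vulnerable: strcpy() copies until it sees a NUL and knows nothing about the
 * 16-byte destination. Any request of 16 bytes or more runs past buf into
 * whatever the compiler placed after it on the stack (other locals, saved
 * frame pointer, return address). A long random string gives the "process
 * crash (core dump)" from the slide; a crafted one overwrites the return
 * address so that the function returns into attacker-supplied "shell code".
 * It works fine for benign input, which is why such bugs survive testing. */
int handle_request_unsafe(const char *request)
{
    char buf[NAME_MAX];
    strcpy(buf, request);           /* no bounds check */
    return (int)strlen(buf);
}

/* Hardened: measure first, then copy with an explicit bound. The check is
 * n >= out_len (not n > out_len) because the terminating NUL needs a byte too;
 * a 16-byte name does not fit in a 16-byte buffer. Returns 0 on success and
 * -1 when the request would not fit. The caller should reject the request
 * rather than silently truncate it; strncpy() truncates and may leave the
 * buffer without a terminator, so it is not a fix by itself. */
int handle_request_safe(const char *request, char *out, size_t out_len)
{
    size_t n = strlen(request);
    if (out_len == 0 || n >= out_len)
        return -1;
    memcpy(out, request, n + 1);    /* n + 1: include the NUL */
    return 0;
}

/* Wrapper with its own NAME_MAX buffer, so the bounded path can be exercised
 * without the caller managing storage. */
int try_request(const char *request)
{
    char buf[NAME_MAX];
    return handle_request_safe(request, buf, sizeof buf);
}

int main(void)
{
    char benign[] = "alice";
    char oversized[64];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    /* Both handle the benign request; only the safe one survives the other. */
    printf("unsafe, benign:    copied %d bytes\n", handle_request_unsafe(benign));
    printf("safe,   benign:    %d\n", try_request(benign));
    printf("safe,   oversized: %d (rejected)\n", try_request(oversized));
    /* handle_request_unsafe(oversized) is deliberately not called: it is
     * undefined behaviour and would typically crash this program. */
    return 0;
}
```

Compiler and platform mitigations (stack canaries, non-executable stacks, address space randomization) make the crafted-input case harder to exploit but do not remove the bug; the benign-input run above passes with or without them, which is exactly why the length check has to be in the code.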

Multiple OSes involved

[Figure: a worm propagating between Solaris and Windows hosts]
① Intrude using the buffer overflow bug in sadmind, then implant the worm program on the Solaris host.
② The worm tries to find any Windows machine on which IIS is running. Once found, it attacks them to crash the IIS process (stopping its service).
③ The worm tries to find any other Solaris machine and implants its copy on that target.

DDoS

[Figure: Attacker → zombies → victim]
1. Make an intrusion, then implant a DoS agent (the compromised host becomes a "zombie")
2. With some trigger, the agent is activated

Smurf Attack

[Figure: smurf attack]

DDoS

• In Oct. 2002, the root DNS servers were attacked by DDoS
  – The 13 root servers (the top of the DNS hierarchy, delegating the TLDs) for the whole Internet
  – No major damage
    • The design of DNS already takes DoS attacks into account (replicated servers, caching by resolvers)
• For other application servers….
  – A major risk/threat we have to protect against

Actual DoS traffic

[Chart: observed DoS traffic over time, with the Nimda and CodeRed outbreaks marked.]

Computer Viruses

[Figure: CodeRed; source: http://www.ipa.go.jp/]

High tech crime

The number of suspects arrested for "high tech crime" (Japan, National Police Agency). Values marked ▲ in the original denote a decrease and are shown here as negative numbers.

                                       2001   delta (2001/2000)   2000   1999   delta (2000/1999)
Computer crime                           63          19             44    110        -66
  fraud                                  48          15             33     98        -65
  interference                            4           2              2      7         -5
  data modification                      11           2              9      5          4
Ordinary crime using networks           712         228            484    247        237
  pornography                           103         -51            154    147          7
  child porn / juvenile prostitution    245         124            121      9        112
  fraud                                 103          50             53     23         30
  defamation                             42          12             30     12         18
  IP infringement                        28          -1             29     21          8
  threats                                40          23             17   \            \
  misc.                                 151          71             80   / 35        / 62
Unauthorized access                      35           4             31      -         31
Total                                   810         251            559    357        202

Threats and misc. were counted together in 1999 (35 arrests, +62 in 2000). The original gives no 1999 figure for unauthorized access.

http://www.npa.go.jp/hightech/arrest_repo/kenkyo_2000.htm

Recent research for Security

Threats (1)

• Passive attacks
  – Eavesdropping, wiretapping
  – Traffic analysis
• Active attacks
  – Packet stream modification
  – Denial of Service
  – Masquerading
  – Unauthorized access
  – Packet spoofing
  – Replay attack
  – Others….

Threats (2)

• In systems
  – File and data modification
  – Unauthorized account creation
  – Viruses
  – Unauthorized copying of information
  – ……

Components we have to look into

• Information processing systems
  – Computers and attached devices (hardware)
  – OS and application programs (software)
• Communication systems / computer networks
  – Routers, switches, several datalink technologies (hardware)
  – Communication protocols
  – Implementations of protocols (software)

Ordinary methods to protect systems

• Drop "evil" traffic
  – Packet filtering
  – SPAM filtering
  – Firewall
• Re-route traffic
• Check the content of the traffic
• Inspection
  – IDS, virus check, ….
  – Monitoring & analysis
• Cheating
  – Honeypot
• Load balancing
  – Load splitting
  – Anti-DoS configuration
  – Add resiliency against DoS
• Network re-configuration
  – Out-of-band management

Firewall

• Configuration
  – "Choke & Gate" style
  – Choke
    • Filtering
  – Gate
    • Services
    • Access control
  – Firewall segment
    • DMZ (Demilitarized Zone)

[Figure: Internet → Choke (filtering) → firewall segment (DMZ) hosting the Gate services DNS, httpd and sendmail → internal networks.]

High performance FW (1)

[Figure: high-performance firewall; labels on the slide: Internet, quarantine zone, L2 LB, L2 SW, Choke, firewall segment, Gate (10G backbone), L3 routing (traffic marking), internal networks.]

SOI Asia/Advanced Internet Technology

High performance FW (2)

[Figure: firewall with several quarantine segments, a honeypot, the intranet and a management center.]

Multifunctional FW

[Figure: firewall hosting a VPN/SSH gateway, an SMTP forwarder and other application gateways, managed from a management center.]

Ex: functional distribution at the firewall

[Figure: IDS, SMTP virus check, WWW content filtering and monitoring distributed over separate firewall nodes on a 10G backbone.]

Out-of-band management

[Figure: service traffic and management traffic for L3 switches/routers carried on separate paths; management traffic goes to a management center.]

Research Areas (1)

• Technology and engineering for network operation as well as operation of service servers
  – Adding more capacity
  – Adding more sophisticated functions
  – Adding more manageability
  – Adding richer functionality

Research Areas (2)

• Technologies against attackers
• AAA
  – Authentication, authorization, accounting
  – PKI
  – Secure operating systems and service servers
• Confidentiality management
  – Ciphers (data encryption technology)
  – IPsec, PGP, SSH, SSL, ….
  – VPN, NAT, secure gateway, ….

Research Areas (3)

• Digital forensics
  – IP traceback
  – Monitoring and recording
  – Data mining from huge information repositories
  – Logging