CHAPTER 11 : NETWORK SECURITY – DEFENCES
By Dr Noormaizatul Akmar binti Ishak
School of Human Development and Technocommunication



  • CONTENT

    11.1 Introduction

    11.2 Defence Requirements and Solutions

    11.3 Firewall

    11.4 Firewall Functions and Management

    11.5 Access Control List

    11.6 Cryptography

    11.7 Digital Signatures and Digital Certificates

    11.8 Security Protocols

    11.9 Other Solutions

    11.10 Malaysia’s Scenario

  • 11.1 INTRODUCTION


  • The Meaning of Network Defense has Changed

    1st Generation (’80s): Prevent intrusions

    2nd Generation (’90s): Detect intrusions, limit damage – “some attacks will succeed”

    3rd Generation (’00s): Operate through attacks – “intrusions will occur”

    4th Generation (’10s): “Intel” will direct defences – e.g., prediction of vulnerabilities, cross-enterprise negotiation before attacks, real-time reverse engineering of attacks and malware, planning methods to deal with expected attacks, automatic patch synthesis and distribution

  • Computer Security Definition

    • It is the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources.

    • This includes :

    – hardware

    – software

    – firmware

    – information/data

    – telecommunications

  • What is Security?

    System correctness

    • If user supplies expected input, system generates desired output

    • Good input → Good output

    • More features: better

    Security

    • If attacker supplies unexpected input, system does not fail in certain ways

    • Bad input → Bad (but safe) output: the input is rejected or the failure is contained, rather than turned into a compromise

    • More features: can be worse

  • What is Network Security?

    • Confidentiality: only sender, intended receiver should “understand” message contents

    – sender encrypts message

    – receiver decrypts message

    • Authentication: sender, receiver want to confirm identity of each other.

    • Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection.

    • Access and availability: actions by an attacker do not prevent legitimate users from accessing and using the system.

  • General Picture

    (Figure: honest user Chris, the System, and the Attacker)

    • Security is about

    – Honest user (e.g., Chris, Bob, …)

    – Dishonest Attacker

    – How the Attacker

    • Disrupts honest user’s use of the system (Integrity, Availability)

    • Learns information intended for Chris only (Confidentiality)

  • Network Attacker

    Intercepts and controls network communication between Chris and the System (Network Security)

  • Web Attacker

    Sets up a malicious site visited by the victim; has no control of the network (Web Security)

  • OS Attacker

    Controls malicious files and applications on Chris’s machine (Operating System Security)

  • Confidentiality, Integrity, Availability

    Confidentiality: Attacker does not learn Chris’s secrets

    Integrity: Attacker does not undetectably corrupt system’s function for Chris

    Availability: Attacker does not keep system from being useful to Chris

  • 3 Levels of Impact from a Security Breach

    Low: results in minor damage to organizational assets; minor financial loss; minor harm to individuals.

    Moderate: results in significant damage to organizational assets; significant financial loss; significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.

    High: results in major damage to organizational assets; major financial loss; severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

  • Examples of Security Requirements

    • Confidentiality – student grades

    • Integrity – patient information

    • Availability – authentication service

    • Authenticity – admission ticket

    • Non-repudiation – stock sell order

  • Passive Attack: Interception

    Eavesdrop on message contents

  • Passive Attack: Traffic Analysis

    Observe traffic pattern

  • Active Attack: Interruption

    Block delivery of message

  • Active Attack: Fabrication

    Fabricate message

  • Active Attack: Replay

    Capture a message and retransmit it later

  • Active Attack: Modification

    Modify message

  • Handling Attacks

    – Passive attacks – focus on Prevention (e.g., encryption)

    • Easy to stop

    • Hard to detect (nothing on the wire is altered)

    – Active attacks – focus on Detection and Recovery

    • Hard to stop

    • Easy to detect

  • Model for Network Security

  • Model for Network Access Security

  • Historical hackers (prior to 2000)

    • Profile:

    – Male

    – Between 14 and 34 years of age

    – Computer addicted

    – No permanent girlfriend

    No Commercial Interest !!!

    Source: Raimund Genes

  • Trends for 2010 (Texas CISO, Feb 2010)

    • Malware, worms, and Trojan horses

    – spread by email, instant messaging, malicious or infected websites

    • Botnets and zombies

    – improving their encryption capabilities, more difficult to detect

    • Scareware – fake/rogue security software

    • Attacks on client-side software

    – browsers, media players, PDF readers, etc.

    • Ransom attacks

    – malware encrypts hard drives, or DDoS attack

    • Social network attacks

    – Users’ trust in online friends makes these networks a prime target.

    • Cloud Computing – growing use will make this a prime target for attack.

    • Web Applications – developed with inadequate security controls

    • Budget cuts – problem for security personnel and a boon to cyber criminals.

  • Web vs System vulnerabilities

    (Chart of web vs system vulnerability counts over time, annotated “XSS peak”)

  • Steal Cars With A Laptop

    • NEW YORK – Security technology created to protect luxury vehicles may now make it easier for tech-savvy thieves to drive away with them.

    • In April ‘07, high-tech criminals made international headlines when they used a laptop and transmitter to open the locks and start the ignition of an armor-plated BMW X5 belonging to soccer player David Beckham, the second X5 stolen from him using this technology within six months.

    • … Beckham's BMW X5s were stolen by thieves who hacked into the codes for the vehicles' RFID chips …

  • Why Are There Security Vulnerabilities?

    • Lots of buggy software...

    – Why do programmers write insecure code?

    – Awareness is the main issue

    • Some contributing factors

    – Few courses in computer security

    – Programming text books do not emphasize security

    – Few security audits

    – C is an unsafe language

    – Programmers have many other things to worry about

    – Legacy software (some solutions, e.g. Sandboxing)

    – Consumers do not care about security

    – Security is expensive and takes time

  • Difficult Problem: Insider Threat

    • Easy to hide code in large software packages

    – Virtually impossible to detect back doors

    – Skill level needed to hide malicious code is much lower than needed to find it

    – Anyone with access to the development environment is capable

  • Compiler backdoor

    • This is the basis of Thompson's attack (“Reflections on Trusting Trust”, 1984)

    – Compiler looks for source code that looks like the login program

    – If found, insert login backdoor (allow a special user to log in)

    • How do we solve this?

    – Inspect the compiler source? Not enough on its own: the backdoor can live only in the compiler binary while the source stays clean, as the next slide shows

    – A practical check is to rebuild the compiler from its source with an independent, trusted compiler and compare the two results (diverse double-compiling)

  • C compiler is written in C

    • Change compiler source S so that the backdoor re-inserts itself whenever the compiler itself is compiled:

    compiler(S) {
        if (match(S, "login-pattern")) {
            compile(login-backdoor)      /* build login with a hidden master password */
            return
        }
        if (match(S, "compiler-pattern")) {
            compile(compiler-backdoor)   /* build a compiler that contains both checks */
            return
        }
        .... /* compile as usual */
    }

    • Once the backdoored binary exists, the malicious lines can be removed from S: every future compiler built from the clean S by that binary is still backdoored.
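    The attack on the two slides above, simulated end to end in Python as an added example (this is not code from the slides or from Thompson's paper). Programs are Python source strings and a "compiler" is a callable that turns such a string into a callable; the module-level `_infect` stands in for the machine code hidden inside an already-built compiler binary, and the pattern strings, the master password and the user database are invented for the demonstration. It shows the point of the slides: after one infected build, every compiler rebuilt from the clean `CLEAN_COMPILER_SRC` is still infected, and a `login` built from clean source still accepts the master password.

```python
"""Toy simulation of Thompson's 'trusting trust' compiler backdoor.

A 'program' is a Python source string and a 'compiler' is a callable that
turns such a string into a callable.  The module-level _infect() plays the
role of the machine code hidden inside an already-built compiler binary:
it never appears in either clean source below.  Every name, pattern and the
master password are invented for this demonstration.
"""

LOGIN_PATTERN = "def login("        # "this source looks like the login program"
COMPILER_PATTERN = "def compile("   # "this source looks like a compiler"
MASTER_PASSWORD = "thompson"        # hidden credential the backdoor accepts

# Honest sources: exactly what a reviewer inspecting the code would read.
CLEAN_LOGIN_SRC = """
def login(user, password, db):
    return db.get(user) == password
"""

CLEAN_COMPILER_SRC = """
def compile(src):
    ns = {}
    exec(src, ns)
    return ns["login"] if "login" in ns else ns["compile"]
"""


def _infect(src: str) -> str:
    """The backdoor logic: rewrite source before compiling it.

    - a login program is made to accept MASTER_PASSWORD for any user;
    - a compiler program is made to call _infect() itself, so the infection
      survives being rebuilt from clean source.
    """
    if LOGIN_PATTERN in src:
        return src.replace(
            "return db.get(user) == password",
            f"return password == {MASTER_PASSWORD!r} or db.get(user) == password",
        )
    if COMPILER_PATTERN in src:
        return (src.replace("ns = {}", "ns = {'_infect': _infect}")
                   .replace("exec(src, ns)", "exec(_infect(src), ns)"))
    return src


def backdoored_compile(src: str):
    """The first infected compiler binary (stage 1)."""
    ns = {"_infect": _infect}
    exec(_infect(src), ns)
    return ns["login"] if "login" in ns else ns["compile"]


def clean_compile(src: str):
    """An honest compiler, for comparison (what CLEAN_COMPILER_SRC describes)."""
    ns = {}
    exec(src, ns)
    return ns["login"] if "login" in ns else ns["compile"]


def rebuild_from_clean_source(stages: int):
    """Start from the infected binary and rebuild the compiler `stages` times
    from CLEAN_COMPILER_SRC, as a distrustful admin would.  Return the last one."""
    compiler = backdoored_compile
    for _ in range(stages):
        compiler = compiler(CLEAN_COMPILER_SRC)
    return compiler


def login_accepts_master(compiler) -> bool:
    """Build login from clean source with `compiler`; does the master password work?"""
    login = compiler(CLEAN_LOGIN_SRC)
    return login("alice", MASTER_PASSWORD, {"alice": "correct horse"})


if __name__ == "__main__":
    print("clean compiler :", login_accepts_master(clean_compile))                 # False
    print("3x rebuilt     :", login_accepts_master(rebuild_from_clean_source(3)))  # True
```

    Reading `CLEAN_COMPILER_SRC` and `CLEAN_LOGIN_SRC` tells the reviewer nothing, which is why the countermeasure has to compare binaries produced by independent compilers rather than inspect source.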

  • Social Engineering

    • Many attacks don't use computers

    – Call system administrator

    – Dive in the dumpster

    • Online versions

    – send trojan in email

    – picture or movie with malicious code


  • 11.2 DEFENCE REQUIREMENTS AND SOLUTIONS


  • Security Service

    – enhance security of data processing systems and information transfers of an organization

    – intended to counter security attacks

    – using one or more security mechanisms

    – often replicates functions normally associated with physical documents

    • which, for example, have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed

  • Network Security

    • understand principles of network security:

    – cryptography and its many uses beyond “confidentiality”

    – message integrity

    – digital signature

    – authentication

    • wireless network security

    – securing wireless LANs

    – thwarting malicious behavior

    – thwarting selfish behavior

  • Best Antivirus 2015 for Windows 8/8.1

    (Image slide)

  • 11.3 FIREWALL

  • Best Practices for Combating Viruses, Worms, Trojans, and Bots

    • Update your OS regularly, as recommended by the OS vendor.

    • Install antivirus software on your system and download updates frequently to ensure that your software has the latest fixes for new viruses, worms, Trojans, and bots.

    • An antivirus program can scan e-mail and files as they are downloaded from the Internet. This will help prevent malicious programs from reaching your computer.

    • Install a firewall.

  • What is an Internet Firewall?

    • An Internet firewall is one system or a group of several systems put in place to enforce a security policy between the Internet and an organization's network.

    • In other words, an Internet firewall is an electronic ‘fence’ around a network to protect it from unauthorized access.

    • Firewall policies vary across organizations, and there are a wide variety of bespoke and off-the-shelf firewall packages in use.

    • A typical DMZ configuration comprises two firewalls:

    – A server-side firewall between the Internet and your public resources.

    – An internal firewall between your public resources and your private resources.

  • A Typical Internet Connection With A Client-side And Server-side Firewall

    (Figure)

    • Firewall inspects traffic through it

    • Allows traffic specified in the policy

    • Drops everything else

  • A Typical Internet Connection With A Client-side And Server-side Firewall (continued)

    • Typically, an organization using a Web Server machine that communicates across the Internet has a firewall between its HTTP Server machine and the Internet.

    • This is known as a Server-side firewall. Other organizations (or remote parts of the same organization) connecting to this Web Server machine typically have their own firewall, known as a Client-side firewall.

    • Information that conforms to the organization's firewall policy is allowed to pass through the firewalls, enabling server machines and client machines to communicate.

  • Demilitarized Zone (DMZ)

    • In computer networking, a Demilitarized Zone (DMZ) is a firewall configuration for securing local area networks (LANs), and a commonly touted feature of home broadband routers.

    • It is an extra network placed between the protected network and the Internet: most computers on the LAN stay behind the inner firewall, while the DMZ hosts are the only ones directly exposed to the public network.

    • Incoming requests from the Internet terminate on a DMZ host; they do not reach the internal network directly.

    • Those DMZ hosts accept the traffic and broker requests on behalf of the rest of the LAN, adding an extra layer of protection for computers behind the inner firewall.

    • DMZs typically hold servers that host a company's public web site, File Transfer Protocol (FTP) site, and Simple Mail Transfer Protocol (SMTP) server.

  • A Demilitarized Zone (DMZ)

    (Figure)

  • Typical Firewall Configuration

    • Internal hosts can access DMZ and Internet

    • External hosts can access DMZ only, not Intranet

    • DMZ hosts can access Internet only

    • Advantage – if a service in the DMZ gets compromised, the attacker cannot reach internal hosts directly, because DMZ-to-Intranet traffic is blocked

    (Figure: Internet, Intranet and DMZ, with the blocked paths marked)

  • 11.4 FIREWALL FUNCTIONS AND MANAGEMENT


  • All Firewalls Have One Very Important Thing In Common

    • They receive, inspect and make decisions about all incoming data before it reaches other parts of the system or network.

    • That means they handle packets and they are strategically placed at the entry point to the system or network the firewall is intended to protect. They usually regulate outgoing data as well.

    • The types and capabilities of firewalls are defined essentially by:

    – Where they reside in the network hierarchy (stack);

    – how they analyze and how they regulate the flow of data (packets);

    – and additional security-related and utilitarian functions they may perform. Some of those additional functions:

    • data may be encrypted/decrypted by the firewall for secure communication with a distant network (a VPN gateway)

    • Scripting may allow the operator to program-in any number of specialized capabilities

    • The firewall may facilitate communications between otherwise incompatible networks.

  • Where To Put The Firewall?

    • The most important aspect of a firewall is that it is at the entry point of the networked system it protects.

    • In the case of Packet Filtering, it works at a low layer in the hierarchy (stack) of network processes, the Network Layer (the Internet Layer in TCP/IP terms), reading IP headers plus the TCP/UDP port numbers from the transport header.

    • This means essentially that the firewall is the first program or process that receives and handles incoming network traffic, and it is the last to handle outgoing traffic.

  • What Do Firewalls Do?

    • The most basic type of firewall performs Packet Filtering.

    • A second type of firewall, which provides additional security, is called a Circuit Relay (circuit-level gateway).

    • Another and still more involved approach is the Application Level Gateway.

  • Packet Filtering

    • Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies.

    • Packet filtering policies may be based upon any of the following:

    – Allowing or disallowing packets on the basis of the source IP address

    – Allowing or disallowing packets on the basis of their destination port

    – Allowing or disallowing packets according to protocol.

    • This is the original and most basic type of firewall.


  • A packet is, at bottom, a sequence of bytes that conveys these things:

    • The data, acknowledgment, request or command from the originating system

    • The source IP address and port

    • The destination IP address and port

    • Information about the protocol (set of rules) by which the packet is to be handled

    • Error checking information

    • Usually, some sort of information about the type and status of the data being sent

    • Often, a few other things too – which don't matter for our purposes here.

  • Packet Filters

    • Packet filter selectively passes packets from one network interface to another

    • Usually done within a router between external and internal networks

    – screening router

    • Can be done by a dedicated network element

    – packet filtering bridge

    – harder to detect and attack than screening routers

    • Example filters

    – Block all packets from outside except for SMTP servers

    – Block all traffic to a list of domains

    – Block all connections from a specified domain

  • Packet Filters

    Advantages

    • Transparent to application/user

    • Simple packet filters can be efficient

    Disadvantages

    • Usually fail open

    • Very hard to configure the rules

    • Doesn’t have enough information to take actions

    – Does port 22 always mean SSH?

    – Who is the user accessing the SSH?

  • 11.5 ACCESS CONTROL LIST


  • Access Control List (ACL)

    • An access control list (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file.

    • Each object has a security attribute that identifies its access control list. The list has an entry for each system user with access privileges.

    • The most common privileges include the ability to read a file (or all the files in a directory), to write to the file or files, and to execute the file (if it is an executable file, or program).

    • Microsoft Windows NT/2000, Novell's NetWare, Digital's OpenVMS, and UNIX-based systems are among the operating systems that use access control lists.

  • Have you noticed how your hand luggage is being scanned at the airport?

    • An ACL on a router is similar to such a scanner: it looks at the headers of each packet traversing the router, up to layer 4 (protocol and ports) for an extended ACL.

    • An administrator decides what the action is going to be if the packet matches the criteria. Entries are tried top-down and the first match wins; a packet that matches no entry is dropped by the implicit deny at the end of every list.

    • A few applications of ACLs are as follows:

    – ACLs can filter the packets that traverse the router in order to drop unwanted traffic.

    – ACLs can restrict SSH or Telnet access to the vty lines (router/switch remote management).

    – ACLs are used to match the interesting traffic that triggers VPN tunnel establishment and data encryption.

    – ACLs are commonly used in Quality of Service to prioritize certain applications or traffic flows over others, or to give different treatment to a certain stream of packets.

  • How Many ACLs?

    • Access control lists (ACLs) enable you to permit or deny packets based on source and destination IP address, IP protocol information, or TCP or UDP protocol information.

    • You can configure the following types of ACLs:

    • Standard – Permits or denies packets based on source IP address. Valid standard ACL IDs are 1 – 99 or a string.

    • Extended – Permits or denies packets based on source and destination IP address and also based on IP protocol information (protocol, TCP/UDP ports). Valid extended ACL IDs are a number from 100 – 199 or a string.
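    The three-zone policy from the “Typical Firewall Configuration” slide (internal → DMZ and Internet, external → DMZ only, DMZ → Internet only), written as Cisco-style standard and extended access lists and checked by a small first-match evaluator. This is an added example, not code from the slides or from any router vendor: wildcard-mask matching, the top-down first match and the implicit deny are how IOS access lists behave, but the `Packet` class, `evaluate`, the address ranges (10.0.0.0/8 as the Intranet, 192.0.2.0/24 as the DMZ, both documentation/private ranges) and the rule text are constructed for the demonstration. The last check in the usage makes the packet-filter slide’s “very hard to configure the rules” concrete: swapping two lines silently opens the DMZ-to-Intranet path.

```python
"""First-match evaluator for Cisco-style IPv4 access lists (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port (0 for protocols without ports)


def _match_addr(addr: str, spec: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(spec))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (s | w)


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("any", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line: str):
    """Parse one 'access-list' line into (permit, proto, src, dst, port).

    Standard lists (IDs 1-99) carry only a source address and match every
    protocol; extended lists (100-199) carry protocol, source, destination
    and an optional 'eq PORT'.
    """
    tok = line.split()
    acl_id, action = int(tok[1]), tok[2] == "permit"
    if 1 <= acl_id <= 99:
        src, _ = _take_addr(tok[3:])
        return action, "ip", src, ("any", "0.0.0.0"), None
    proto = tok[3]
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port


def evaluate(acl_lines, pkt: Packet) -> bool:
    """Walk the list top-down; the first matching entry decides."""
    for line in acl_lines:
        permit, proto, (s, sw), (d, dw), port = parse_entry(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_match_addr(pkt.src, s, sw) and _match_addr(pkt.dst, d, dw)):
            continue
        if port is not None and port != pkt.dport:
            continue
        return permit
    return False  # the implicit 'deny ip any any' at the end of every ACL


# The three-zone policy from the 'Typical Firewall Configuration' slide.
# Intranet = 10.0.0.0/8 (wildcard 0.255.255.255), DMZ = 192.0.2.0/24 (0.0.0.255);
# everything else is the Internet.  Ranges are constructed for the example.
OUTSIDE_IN = [   # applied inbound on the Internet-facing interface
    "access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 80",   # public web server
    "access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 25",   # SMTP relay
    "access-list 101 deny ip any 10.0.0.0 0.255.255.255",         # never the Intranet
]
DMZ_IN = [       # applied inbound on the DMZ interface
    "access-list 102 deny ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255",  # no pivot inward
    "access-list 102 permit ip 192.0.2.0 0.0.0.255 any",                   # Internet only
]
VTY_ACCESS = [   # standard list for the router's own management (vty) lines
    "access-list 10 permit 10.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    web = Packet("203.0.113.7", "192.0.2.10", "tcp", 80)
    ssh = Packet("203.0.113.7", "192.0.2.10", "tcp", 22)
    pivot = Packet("192.0.2.10", "10.1.2.3", "tcp", 445)
    print(evaluate(OUTSIDE_IN, web), evaluate(OUTSIDE_IN, ssh))               # True False
    print(evaluate(DMZ_IN, pivot), evaluate(list(reversed(DMZ_IN)), pivot))   # False True
```

    The evaluator is stateless, exactly like the packet filter on the earlier slides: it cannot tell whether a packet to port 22 is really SSH or which user sent it, which is the limitation a circuit relay or application gateway addresses.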

  • 11.6 Cryptography


  • Two kinds of Cryptography

    Symmetric

    1) Alice and Bob agree on a cryptosystem

    2) Alice and Bob agree on a key

    3) Alice takes her plaintext message and encrypts it using the encryption algorithm and the key. This creates a ciphertext message

    4) Alice sends the ciphertext message to Bob

    5) Bob decrypts the ciphertext message with the same algorithm and key and reads it

    Asymmetric

    1) Alice and Bob agree on a public-key cryptosystem

    2) Bob sends Alice his public key

    3) Alice encrypts her message using Bob’s public key and sends it to Bob

    4) Bob decrypts Alice’s message using his private key

  • Problems

    Symmetric

    • Keys must be distributed in secret

    • If a key is compromised, Eve (eavesdropper) can decrypt any message and pretend to be one of the parties

    • A network requires a great number of keys (one per pair of users: n(n-1)/2 keys for n users)

    Asymmetric

    • Slow (~1000 times slower than symmetric)

    • Vulnerable to chosen-plaintext attacks: the encryption key is public, so with a deterministic scheme Eve can encrypt every likely message herself and compare against the ciphertext

    • No perfect method – each has its own weaknesses; be aware of being attacked

    • Good to combine different methods (e.g., public key to transport a session key, symmetric cipher for the data)

  • Friends and enemies: Alice, Bob, Trudy

    • well-known in network security world

    • Bob, Alice (lovers!) want to communicate “securely”

    • Eve (or Trudy, intruder) may intercept, delete, add messages

    (Figure: Alice’s secure sender and Bob’s secure receiver exchange data and control messages over a channel that Eve can observe)

  • The language of cryptography

    symmetric key crypto: sender, receiver keys identical

    public-key crypto: encryption key public, decryption key secret (private)

    (Figure: plaintext → encryption algorithm with Alice’s encryption key K_A → ciphertext → decryption algorithm with Bob’s decryption key K_B → plaintext)

  • 11.7 DIGITAL SIGNATURES AND DIGITAL CERTIFICATES


  • Digital Certificates

    • A digital certificate is an ID that is carried with a file: it binds a public key to the identity of its holder. To allow signatures to be validated, a certifying authority (CA) verifies information about the software developers and then issues them digital certificates, which the CA itself signs.

    • The digital certificate contains information about the person to whom the certificate was issued, that person’s public key, and information about the certifying authority that issued it.

    • When a digital certificate is used to sign programs, ActiveX controls, and documents, this ID is stored with the signed item in a secure and verifiable form so that it can be displayed to a user to establish a trust relationship.

  • Digital Signature

    • A public certificate plus the value of the signed data, transformed with the signer’s private key.

    • The value is a number (a hash, or digest) generated by a cryptographic hash algorithm for any data that you want to sign.

    • This algorithm makes it nearly impossible to change the data without changing the resulting value.

    • So, by signing the value instead of the data, a digital signature allows the end user to verify that the data was not changed and that it came from the holder of the private key.
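    The two exchanges on the “Two kinds of Cryptography” slide, the hybrid combination the “Problems” slide recommends, the chosen-plaintext weakness it warns about, and the hash-and-sign digital signature from the slide above, in one Python example. This is added code, not from the slides: the symmetric cipher is an HMAC-SHA256 keystream in counter mode, the public-key cipher is textbook RSA on two fixed Mersenne primes with no padding (which is what makes the chosen-plaintext attack work), and the single key pair, the order message and the candidate list are constructed for the demonstration. Nothing here is safe for real data; production systems use an authenticated cipher such as AES-GCM and padded RSA or elliptic-curve signatures.

```python
"""Symmetric, public-key and hybrid encryption plus hash-and-sign (added example).

WARNING: textbook RSA with tiny fixed primes and no padding, and a home-made
stream cipher without authentication.  For the slide's concepts only.
"""
import hashlib
import hmac
import secrets

# ---- Symmetric: one shared key, same algorithm on both sides (slide steps 1-5).
#      Keystream = HMAC-SHA256(key, counter), XORed onto the data.
def keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)          # applying it twice with the same key decrypts

# ---- Asymmetric: textbook RSA.  (E, N) is published, D stays private.
P, Q = 2**31 - 1, 2**61 - 1   # Mersenne primes M31 and M61, fixed for the demo
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse (Python 3.8+)
PUBLIC, PRIVATE = (E, N), (D, N)    # one key pair is enough for the demo

def rsa(x: int, key) -> int:
    """Raw RSA: x ** exponent mod N.  Public key encrypts/verifies,
    private key decrypts/signs."""
    exponent, n = key
    return pow(x, exponent, n)

# ---- Hybrid (the 'combine different methods' bullet): the slow public-key
#      cipher carries only a fresh session key; the fast symmetric cipher
#      carries the message.
def hybrid_encrypt(msg: bytes, pub) -> tuple:
    session_key = secrets.token_bytes(8)   # 64-bit toy key: as an int it is < N
    wrapped_key = rsa(int.from_bytes(session_key, "big"), pub)
    return wrapped_key, keystream_xor(session_key, msg)

def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, priv) -> bytes:
    session_key = rsa(wrapped_key, priv).to_bytes(8, "big")
    return keystream_xor(session_key, ciphertext)

# ---- The chosen-plaintext weakness: the encryption key is public, so Eve can
#      encrypt every likely message herself and compare with what she sniffed.
def guess_plaintext(ciphertext: int, candidates, pub):
    for m in candidates:
        if rsa(m, pub) == ciphertext:
            return m
    return None

# ---- Digital signature: hash the data, apply the private key to the digest;
#      the verifier recomputes the digest and applies the public key.
def _digest(data: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h % N      # reduced mod N only because N is tiny in this demo

def sign(data: bytes, priv) -> int:
    return rsa(_digest(data), priv)

def verify(data: bytes, signature: int, pub) -> bool:
    return rsa(signature, pub) == _digest(data)

if __name__ == "__main__":
    order = b"SELL 500 ACME"
    wrapped, ct = hybrid_encrypt(order, PUBLIC)
    print(hybrid_decrypt(wrapped, ct, PRIVATE) == order)                       # True
    sig = sign(order, PRIVATE)
    print(verify(order, sig, PUBLIC), verify(b"SELL 5000 ACME", sig, PUBLIC))  # True False
    print(guess_plaintext(rsa(500, PUBLIC), range(1, 10001), PUBLIC))          # 500
```

    The `guess_plaintext` call is the slide’s chosen-plaintext problem in action: a stock quantity sent under raw RSA is recovered by encrypting every plausible quantity with the public key. Randomised padding (OAEP) is what removes this in real RSA, and the symmetric cipher here is the fast part that carries the bulk data once the session key has been transported.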

  • 11.8 WIFI SECURITY PROTOCOLS

  • What is Wi-Fi?

    • Commonly expanded as “wireless fidelity”, although the name is a brand coined for the Wi-Fi Alliance rather than a true abbreviation.

    • It is a wireless technology that uses radio frequency to transmit data through the air.

    • Wi-Fi is based on the IEEE 802.11 standard and its amendments:

    – 802.11a

    – 802.11b

    – 802.11g

  • Wi-Fi Alliance

    • Non-profit standards organization.

    • Global organization that created the Wi-Fi brand name.

    • Formerly the Wireless Ethernet Compatibility Alliance.

  • Wi-Fi Certification

    • The Wi-Fi CERTIFIED logo from the Wi-Fi Alliance.

    – Rigorous interoperability testing requirements.

    – Certifies the interoperability of 802.11 products from the many different vendors.

  • Wi-Fi

    Advantages

    • Freedom – You can work from any location where you can get a signal.

    • Setup Cost – No cabling required.

    • Flexibility – Quick and easy to set up in temporary or permanent space.

    • Scalable – Can be expanded with growth.

    • Mobile Access – Can access the network on the move.

    Disadvantages

    • Speed – Slower than cable.

    • Range – Affected by the medium.

    – Travels best through open space.

    – Reduced by walls, glass, water, etc.

    • Security – Greater exposure to risks, because anyone in radio range can receive the signal.

    – Unauthorized access.

    – Compromising data.

    – Denial of service.

  • 11.9 OTHER SOLUTIONS

  • Solution: Password Cracking – CAPTCHA codes example

    Completely Automated Public Turing test to tell Computers and Humans Apart – 2000, Luis von Ahn, Manuel Blum

    A CAPTCHA slows down automated online guessing against a login form; it does nothing against offline cracking of a stolen password hash, which needs slow, salted hashing instead.

  • Solutions:

    Spam

    • Spam filters are an effective way to stop spam.

    • These filters come with most of the online e-mail providers.

    • We can buy a variety of spam filters that work effectively.

    Phishing

    • Similar to spam, use phishing filters to filter out this unwanted mail and to prevent the threat.

  • Solutions:

    Malicious Code

    • The best protection from malware continues to be the usual advice:

    – be careful about what email attachments you open,

    – be cautious when surfing and stay away from suspicious websites, and

    – install and maintain an updated, quality antivirus program.

    Port Scanning

    • Most Internet sites get a dozen or more port scans per day.

    • As long as you harden your firewall and minimize the services allowed through it, these scans should not worry you.

  • Solutions: Packet Sniffers

    • When strong encryption is used, all packets are unreadable to any but the destination address, making packet sniffers useless.

    • So one solution is to obtain strong encryption.

    WiFi Threats

    • When connecting to a network, you are exposing your device and all your traffic to all other users of that network.

    • In an open WiFi, this includes the girl sat across the street in the back of a car with a Kali laptop and a GPU array: –Update your software.

    –Do not log into anything sensitive without using a VPN

    75

  • 76

  • Solution: Speed Hashing

    77

  • Solution: Protecting Your Data From Brute-Force Attacks

    • Keep your encrypted data safe where attackers can’t get access to it. Once they have your data copied to their hardware, they can try brute-force attacks against it at their leisure.

    • If login is over the Internet, limit login attempts and block anyone who tries to log in with many different passwords in a short period of time.

    • Use strong, current algorithms. For stored passwords that means a slow, salted password hash (PBKDF2, bcrypt, scrypt or Argon2), not a bare fast hash such as SHA-512, which is a hash function rather than an encryption algorithm and which an attacker with GPUs can compute at enormous rates; for encryption it means a modern cipher such as AES. Ensure you’re not using old algorithms with known weaknesses that are easy to crack.

    • Use long, secure passwords.
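    The controls on the slide above (and the “Speed Hashing” slide before it), in Python, as an added example that is not from the slides: an offline dictionary attack against a bare SHA-512 hash (the “copied to their hardware” case), the salted and iterated PBKDF2 hash from the standard library that replaces it, and a per-account online attempt limiter. The users, passwords, word list and the clock values passed as `now` are constructed for the demonstration; the iteration count is an illustrative value to be tuned per deployment.

```python
"""Offline and online brute-force defences from the slide (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import deque

ITERATIONS = 100_000   # illustrative; tune so one verification takes tens of ms


def fast_hash(password: str) -> str:
    """A bare, unsalted SHA-512: what the slide's 'SHA-512' alone gives you."""
    return hashlib.sha512(password.encode()).hexdigest()


def dictionary_attack(target_hex: str, wordlist) -> str | None:
    """Offline attack on a leaked fast hash: one cheap SHA-512 per guess,
    and the same table of guesses works against every user."""
    for word in wordlist:
        if fast_hash(word) == target_hex:
            return word
    return None


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256: each guess now costs ITERATIONS
    hash calls, and the per-user salt defeats shared/rainbow tables."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored)   # constant-time comparison


class LoginGuard:
    """Online control: after `limit` failures for an account within `window`
    seconds, further attempts are refused before the password is even checked."""

    def __init__(self, limit: int = 5, window: float = 300.0):
        self.limit, self.window = limit, window
        self.failures: dict[str, deque] = {}   # user -> timestamps of recent failures

    def attempt(self, user: str, password: str, creds: dict, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'.  `now` is injected so the
        behaviour is deterministic and testable."""
        recent = self.failures.setdefault(user, deque())
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.limit:
            return "locked"
        # Unknown users still go through the slow hash so response timing
        # does not reveal which account names exist.
        salt, stored = creds.get(user, (bytes(16), bytes(32)))
        good = verify_password(password, salt, stored)
        if user in creds and good:
            recent.clear()
            return "ok"
        recent.append(now)
        return "denied"


if __name__ == "__main__":
    leaked = fast_hash("letmein")                                        # constructed 'leak'
    print(dictionary_attack(leaked, ["password", "123456", "letmein"]))  # letmein
    creds = {"alice": hash_password("correct horse battery staple")}     # constructed user
    guard = LoginGuard(limit=3, window=60)
    print([guard.attempt("alice", "guess%d" % i, creds, i) for i in range(3)])  # ['denied', 'denied', 'denied']
    print(guard.attempt("alice", "correct horse battery staple", creds, 3))      # locked
    print(guard.attempt("alice", "correct horse battery staple", creds, 70))     # ok
```

    Two points worth noticing: the lockout fires before the password is checked, so even the correct password is refused during the window; and the limiter is per account, so an attacker spraying one password across many accounts needs a second, per-source-address limit that this example does not include.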

  • Solution: Denial of Service (DoS)

    • There are no effective ways to prevent being the victim of a DoS attack, but you can reduce the likelihood that an attacker will use your computer to attack other computers:

    – Install and maintain anti-virus software

    – Install a firewall, and configure it to restrict traffic coming into and leaving your computer

    – Follow good security practices for distributing your email address. Applying email filters may help you manage unwanted traffic.

    • If you think you are experiencing an attack:

    – If you cannot access your own files or reach any external websites from your work computer, contact your network administrators. This may indicate that your computer or your organization’s network is being attacked.

    – If you are having a similar experience on your home computer, contact your Internet Service Provider (ISP). The ISP might be able to advise you of an appropriate course of action.

  • 11.10 MALAYSIA’S SCENARIO


  • Malaysian Institute of Defence and Security (MiDAS)

    • MiDAS was established in April 2010 under the purview of the Ministry of Defence, Malaysia.

    • It is a centre of excellence for the Ministry of Defence as well as the Government of Malaysia in defence and security through comprehensive research and sharing of knowledge.

    • MiDAS aims to generate new ideas through forums, debates, seminars and the publishing of a journal on defence and security.

    • It is located at the Ministry of Defence in Kuala Lumpur, Malaysia.

  • Cyber Planning Structure

    (1) identifying all devices and connections on the network;

    (2) setting boundaries between the organization’s systems and others;

    (3) enforcing controls to ensure that unauthorized access, misuse or denial of service events can be thwarted or rapidly contained and recovered from if they do occur;

    (4) in the event of an “active” attack, determining the patterns of the attack, i.e. multiple breaches, gaps in the timing of the attack, etc.; and

    (5) reanalyzing other possible intrusions and/or other probable vulnerabilities.

  • Cyber Defense: The Malaysian Experience

    • In June 2011, there were cyber attacks on Malaysian websites by the hacktivist collective known as “Anonymous”.

    • According to the report from the Malaysian Communications and Multimedia Commission (MCMC), 51 websites in the “gov.my” domain were attacked, and 41 of them suffered various levels of disruption.

    • The cause: a distributed denial of service (DDoS).

  • Cyber Defense: The Malaysian Experience

    • The effect: inaccessibility of the “gov.my” websites for the public.

    • The Malaysia Computer Emergency Response Team (MyCERT) acted promptly to mitigate the damage caused by “Anonymous”. The affected “gov.my” websites were put back online within 24 hours of the attack.

    • The incident showed the value of having Cyber Security Malaysia (CSM) established as the national cyber security specialist agency.

    • This agency, under the purview of the Ministry of Science, Technology and Innovation (MOSTI), was earlier known as the National ICT Security and Emergency Response Centre (NISER), set up in 1997 to monitor Malaysia’s e-security.

  • Cyber Defense: The Malaysian Experience

    • CSM also acts as the national cyber security policy implementer, the national technical coordination centre and the cyber threat research and risk assessment centre.

    • Based on this experience, the infrastructure and networks underlying Malaysia’s cyberspace must be reliable, and government should adopt a holistic approach to protect itself against any offensive actions.

    • To build an effective national cyber defence capability, dynamic collaboration among the private sector, the government law enforcement community and the national security community is essential.

    • The supply chain has become so globalized that it contains scores of vulnerabilities, some of which could cause catastrophic damage.

  • Digital Warfare

    • A cyber attack that seeks personal gain through criminal means should be punished.

    • In the past, a very high level of skill was required if an individual or a nation wanted to attack an individual, another nation, an organization or part of some infrastructure in a way that could cripple daily operations or any critical security foundation.

    • Today, an individual does not need a high level of skill for a complex attack: he or she can simply download a hacking tool, enter the target’s information, and the automated tool will initiate the attack.

  • Contingencies

    • Protecting vital information is more important than attempting to protect all information relevant to every operation of an organization.

    • Proper contingencies would include:

    – identifying critical information,

    – analyzing threats to that critical information,

    – analyzing vulnerabilities to that critical information,

    – assessing the risk if the vulnerabilities are exploited, and

    – applying appropriate measures to mitigate risk factors.

    • Questions:

    – who might be the cyber criminal,

    – what are their goals or objectives,

    – what actions might they take,

    – what critical information does the criminal want,

    – what critical information does the cyber criminal already have on your operations

  • Conclusion

    • No perfect method – each has its own weaknesses, and be aware of being attacked.

    • The threat of any cyber attack is real. It becomes worse with the rapid proliferation of information technology and know-how.

    • As more computers are connected to networks to meet connectivity demand, the possibility of vulnerability also increases.

    • Together we should prepare ourselves for the impending new forms of attack and competently factor cyber warfare into all stages of national security planning.

  • END OF CHAPTER 11