1
Security in Computing, Chapter 7, Security in Networks
Summary created by Kirk Scott
2
• 7.1, Network Concepts
• 7.2, Threats in Networks
• 7.3, Network Security Controls
• 7.4, Firewalls
• 7.5, Intrusion Detection Systems
• 7.6, Secure E-mail
3
7.1 Network Concepts
• No lecture on this
• No specific test questions on this
• If you haven’t had a networks course, you may want to read this for background
4
7.2 Threats in Networks
5
What Makes a Network Vulnerable?
6
Anonymity
• The attacker is remote
• The attack may pass through multiple intermediary systems
• Not only is there the question of verifying the identity of the person involved (unlikely)
• There is the additional question of verifying the software/data of computers along the way
7
Many points of attack
• The attacker is in a target-rich environment
• The target is in a “threat-rich” environment
• Once again, any given attack may pass through multiple machines
• The potential target is dependent in part on the security or lack of security of all other sites
8
Sharing
• Networks enable resource and workload sharing
• By definition, more users have access to resources which are intended to be shared
• This implies that more systems have access
• It is the security controls on the connected systems that are a point of concern
• Non-networked systems are insulated from the whole class of network attacks
9
Complexity of system
• Networks combine machines with varying operating systems
• The network enables the offloading of attack code onto multiple systems
• The victim may itself perform part of the attack code
• Individual machines have become sufficiently complex that users don’t know what their own machines are doing at any given time
• (Just take a look at the task manager)
10
Unknown perimeter
• By definition, networked machines are interconnected
• One machine may be the link or gateway between different networks
• Where is the boundary between one network and another?
• Who is responsible for different areas, and which areas can be trusted?
• How does the addition of a machine in one place affect the security of a machine in another place?
11
Unknown path
• This general idea has already come up
• An attack can come from a remote machine through a path consisting of multiple steps
• There may also be multiple paths from one machine to another
• Technical tools exist for tracing paths
• However, life is complicated by the fact that for any given communication, the route is not necessarily known/clear
12
Who Attacks Networks? (Reasons Why)
• Challenge (individual actors)
• Fame (individual actors)
• Money and Espionage (organizational actors in the interests of the organization)
• Organized Crime (group, possibly crossing national boundaries, where the sole purpose of the group is criminal profit from the Web)
13
Ideology
• Can be individuals or groups
• Can also be state actors
• “Hacktivism” = online agitation and propaganda
• This may be disruptive, but is not intended to do lasting damage, except in a convenience or PR sense
14
• Cyberterrorism
• Hacking that can lead to:
• Economic damage
• Military damage
• Loss of life
• And so on
15
Recent Articles (as of the fall of 2011)
• Within the last year outside parties have gained temporary control of some U.S. satellites, like LandSat
• The government asserts that these exploits probably originated in China
• Likewise, a report has been circulated that the control systems of 19 chemical plants worldwide have been breached by outsiders
• Again, the claim has been made that the exploits originated in China
16
Reconnaissance (for Attacks)
• The book’s attention now turns to how and what
• Reconnaissance is part of the how
• This has value beyond being an informative list of some things attackers do
• You may detect reconnaissance and other things happening on your system
• These may be precursors to attack, and their presence should motivate you to try to protect yourself
17
Port Scan
• Programs can query systems to find out the following:
• What O/S is installed
• What applications are installed
• Which standard communication ports or services are running
• The user id (implies privilege level) that the service runs under
18
• See the book or the course Web site for links to sites where port scanning code can be downloaded
• Note that allowing outsiders to get this information over the Internet is normal
• If you provide some services and not others, potential clients need to know or will find out by simply requesting
19
• This is the two-edged nature of the Internet
• Legitimate users have a need to know
• Illegitimate users want to identify the following:
• Are you running versions of software with known security flaws?
• Have you mistakenly left services open on your system which should have been removed or closed?
• Do these services provide a security hole?
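The slides note that reconnaissance such as a port scan can be noticed from the monitored side. The following is an added example, not from the book or these slides: a small scan detector run over constructed firewall-style log lines. The log format (timestamp, action, source, destination:port) and the thresholds are assumptions a site would tune to its own traffic.

```python
"""Flag port-scan-like behaviour in a constructed firewall log sample.

Added example, not from the book or these slides. The log line format is an
assumption (timestamp, action, source, destination:port); the thresholds are
constructed values a site would tune to its own traffic.
"""
from collections import defaultdict
from datetime import datetime

SCAN_ENDPOINT_THRESHOLD = 8   # distinct destination:port targets ...
SCAN_WINDOW_SECONDS = 60      # ... touched by one source within this window

# Constructed sample. 203.0.113.7 walks through ten services in ten seconds;
# 198.51.100.5 is an ordinary client that keeps coming back to port 80.
SAMPLE_LOG = """\
2011-10-03T09:00:01 DENY  203.0.113.7  -> 192.0.2.10:21
2011-10-03T09:00:02 ALLOW 203.0.113.7  -> 192.0.2.10:22
2011-10-03T09:00:03 ALLOW 198.51.100.5 -> 192.0.2.10:80
2011-10-03T09:00:03 DENY  203.0.113.7  -> 192.0.2.10:23
2011-10-03T09:00:04 DENY  203.0.113.7  -> 192.0.2.10:25
2011-10-03T09:00:05 ALLOW 198.51.100.9 -> 192.0.2.10:443
2011-10-03T09:00:05 DENY  203.0.113.7  -> 192.0.2.10:53
2011-10-03T09:00:06 ALLOW 203.0.113.7  -> 192.0.2.10:80
2011-10-03T09:00:06 ALLOW 198.51.100.9 -> 192.0.2.10:80
2011-10-03T09:00:07 DENY  203.0.113.7  -> 192.0.2.10:110
2011-10-03T09:00:08 DENY  203.0.113.7  -> 192.0.2.10:139
2011-10-03T09:00:09 ALLOW 203.0.113.7  -> 192.0.2.10:443
2011-10-03T09:00:10 DENY  203.0.113.7  -> 192.0.2.10:445
2011-10-03T09:00:40 ALLOW 198.51.100.5 -> 192.0.2.10:80
2011-10-03T09:01:15 ALLOW 198.51.100.5 -> 192.0.2.10:80
"""


def parse_line(line):
    """Split one log line into (timestamp, action, source, dest_ip, dest_port)."""
    ts, action, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src, dst_ip, int(dst_port)


def find_scanners(log_text, threshold=SCAN_ENDPOINT_THRESHOLD,
                  window=SCAN_WINDOW_SECONDS):
    """Return {source: most distinct targets seen in any window} for sources
    that reach the threshold. ALLOW and DENY lines both count: what gives a
    scan away is the spread of targets, not whether each probe was blocked."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, _action, src, dst_ip, port = parse_line(line)
            events[src].append((ts, dst_ip, port))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        for i, (start, _ip, _port) in enumerate(evs):
            in_window = {(ip, port) for ts, ip, port in evs[i:]
                         if (ts - start).total_seconds() <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            findings[src] = peak
    return findings
```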
20
Social Engineering
• Network scans provide a view of the system from the outside
• A view from the inside is very useful to the attacker
• Social engineering basically means tricking people to get this information
21
Intelligence
• General intelligence about system may help an attacker
• Dumpster diving
• Simple eavesdropping
• Blackmail, coercion of employees
• Theft
• Combining information from various sources can lead to the basis for a security attack
22
Operating System and Application Fingerprinting
• This refers to one step beyond a simple port scan
• The attacker would like to know the precise version of things like the O/S, which vendor provided software service, etc.
• A system may respond with a version number
23
• It may be possible to test for the presence of specific features and determine a vendor and version number
• Slight differences in performance or response to input point to different implementations
• This may indicate which vendor’s software and version is present
24
Bulletin Boards and Chats
• The course Web site contains links to some “legitimate” sources on the dark side of computing
• These Web sites give information on security that should be enough to frighten the legitimate user into taking the topic seriously
• There are other Web sites where the information is provided with the apparent intent of enabling security attacks
25
Availability of Documentation
• Openness, again, is two-edged
• A system without any documentation is a black box, and its usefulness is limited
• A system that is fully documented is more useful both to a legitimate user and an attacker
• Technical documentation aimed at developers is even more useful to an attacker than end user documentation
26
Reconnaissance: Concluding Remarks
• A serious attacker will gather information and lay the groundwork for an attack over time
• You might monitor for things like the occurrence of port scans
• Some attack may arise quickly afterwards
• Some other attack may not come until much later, as part of a larger, well-planned, coordinated attack
• The book advises providing as little information about systems to outsiders as possible as the best defense
27
Threats in Transit: Eavesdropping and Wiretapping
• The book now goes from planning an attack to the kinds of attacks that can occur
• Eavesdropping implies that communications are such that no effort is needed to intercept them
• Passive wiretapping means listening
• Active wiretapping includes the possibility of inserting, modifying, or deleting communications
28
Cable (wires)
• Every device on a network has potential access to every communication on the network
• A packet sniffer can copy all packets, whoever they might be addressed to
• Given access, an outsider might also physically tap a wire
• An alternative is to install a device which can detect the electromagnetic radiation from a wire
29
Microwave and Satellite Communications
• These are broadcast media
• Therefore, transmissions are open to interception
• On the other hand, commercial carriers have large amounts of traffic
• Isolating only the messages of interest would be a big challenge for an attacker
30
Optical Fiber
• This medium has two security advantages
• Light doesn’t radiate electromagnetically beyond the fiber
• Also, due to its characteristics, any illegitimate physical tap will be detected
• On the other hand, legitimate taps, splices, repeaters, and equipment connections may be points of vulnerability
31
Wireless
• Wireless technology is based on radio waves
• By definition, this is a broadcast medium
• It is available to any potential user, legitimate or illegitimate, within its rated radius of service
• It is also available outside of this radius to someone using a specialized reception antenna
32
• The most obvious problem is simple interception
• Some wireless networks are not password protected
• Some have security that is easily circumvented
• Some may have encryption
• However, the encryption may not be as strong as one might hope
33
• Less concretely dangerous, but probably more common than interception is illegitimate use of a network (theft of service)
• If the network doesn’t have good authentication (or any) anyone within range can use it
34
• The book points out that for networks not intentionally made freely available, this may be illegal
• I have mixed feelings about this
• If you’re running an Internet café, you’d like everyone who comes in to have access without doling out id’s
• On the other hand, are you surprised when someone next door turns on their computer and finds that they can log in and use your network without buying a cup of coffee?
35
Summary of Wiretapping
• Assume that all network traffic is exposed
• One solution to this is to encrypt all traffic
• An intermediate solution is to encrypt all WAN traffic
• Since encryption impinges on performance, don’t encrypt LAN traffic
• Instead, maintain high physical and administrative security for the LAN and attached devices
36
Protocol Flaws
• TCP connections are established through sequence numbers
• Guessing a client’s next sequence number would allow impersonation
• All protocols have had, do have, and will have weaknesses of one kind or another
• This type of thing will come up again under other headings
37
Impersonation
• Impersonation is based on flawed authentication:
– Guess authentication information
– “Lift” authentication information
– Circumvent or disable authentication
– Use a target that doesn’t have authentication
– Make use of systems with known authentication
38
Authentication Foiled by Guessing
• Guess logins and passwords
• Not that hard in lots of cases
• Use default passwords for system-supplied accounts
• Administrators forget to remove or change these when installing a system
• Note that weak passwords may be OK in a trusted environment
• A problem arises when the system with weak passwords is connected to the wider world
39
Authentication Thwarted by Eavesdropping or Wiretapping
• Users may have accounts on multiple networked machines
• Moving from one machine to the other may be transparent
• Authentication information is transmitted from one machine to the other
• If transmitted in the clear, this is a security problem
• The book gives a nice example of a (MS) system that hashed passwords, but transmitted them in such a way that the strength of the security was severely reduced
40
Authentication Foiled by Avoidance
• The book gives an example
• Operating system login systems have been implemented with this flaw:
• If the password entered overflowed the password buffer, authentication was not done…
• If sites are still running operating systems with flaws like these, this is candy for hackers
41
Nonexistent Authentication
• The book cites another example
• Unix supports the concept of trusted users and trusted hosts
• The idea is that there is no need for authentication when a userid requests access to another host
• From a security standpoint, this is a bad idea
• The userid might have been subverted on the first host, or the remote user might simply be a guest login on the remote host
42
Well-Known Authentication
• This idea has already been mentioned
• Operating systems and network operating systems may ship with default passwords on the administrator account, guest accounts, etc.
• Application vendors may do similar things
• Simple Network Management Protocol (SNMP) devices have a “community string” which is essentially a password
• Forgetting to change these things at installation time is a security breach
43
Trusted Authentication
• This is also essentially a repetition
• If a system maintains a file of trusted hosts/logins, authentication is effectively delegated to whoever or whatever is responsible for those files
• In particular, this may mean that security is offloaded to other machines
• This can be a convenience to some users, but it is a potential security problem
44
Attacks Based on Mis-Identification
• Spoofing is a general term for using a false identity
• Spoofing attacks include:
• Phishing
• Masquerade
• Session hijacking
• Man-in-the-Middle Attack
45
Phishing
• No one here needs an explanation of this
• Any stories of the strangest phishing email you’ve ever received?
46
Masquerade
• One host pretends to be another
• For example, fake Web sites at deceptive Web addresses
• Traffic can be directed to the fakes with ads, direct email, phishing email, and so on
• The goal may be to obtain customer login information
• It may also be to intercept things like orders and steal business
47
Session Hijacking
• An outsider replaces one end of a two-way communication
• Take an Internet purchase for example
• An outsider may monitor the traffic between a potential buyer and an e-commerce site
• When the buyer is ready to buy, the outsider intercepts the order, replacing the seller in the communication
• To the seller this just looks like a customer who “went away” without completing a purchase
48
Man-in-the-Middle
• Conceptually, this isn’t too different from session hijacking
• An outsider is able to intercept messages
• The book gives an example of how this kind of attack may work even in an environment with encryption
• Let S, M, and R stand for the sender, the man-in-the-middle and the receiver
49
• S and R want to set up secure communication with an asymmetric key based system
• S needs R’s public key
• R sends a message to S containing R’s public key
• M intercepts R’s public key
• M then sends M’s own public key to S instead of R’s
50
• When S sends an encrypted message, M intercepts it and decrypts it with M’s own private key
• This is simple interception, or violation of confidentiality
• The message is now also open to modification or fabrication, a violation of integrity
• M may now send what it chooses to R, using R’s public key which it intercepted at the beginning
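The S, M, R exchange from the last three slides, played out as an added example (not the book's code). It uses textbook RSA with tiny primes so the arithmetic stays visible; the keys are not secure and only model the message flow. The fingerprint check goes beyond the slides: it assumes S has obtained a fingerprint of R's real key through a trusted channel and compares the key that arrives against it before using it.

```python
"""Toy model of the key-substitution man-in-the-middle from slides 48 to 50.

Added example, not from the book. Textbook RSA with tiny primes keeps the
arithmetic visible; it is not secure and only models the message flow. The
fingerprint check is a mitigation the slides do not cover: S compares the
key it received with a fingerprint of R's key learned through a trusted
channel (an assumption of this example).
"""
import hashlib


def make_keypair(p, q, e=17):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def fingerprint(pub):
    """Short hash of a public key, the kind of value published out of band."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]


R_PUB, R_PRIV = make_keypair(61, 53)    # receiver R's real key pair
M_PUB, M_PRIV = make_keypair(89, 97)    # man-in-the-middle M's key pair
R_FINGERPRINT = fingerprint(R_PUB)      # what S knows from a trusted channel


def run_exchange(order, check_fingerprint):
    """Play out S -> M -> R.

    `order` is a small integer standing in for S's message to R. Returns
    (what M learned, what R received), or (None, None) when S aborts.
    """
    # Step 1: R sends its public key; M intercepts it and forwards M_PUB.
    key_seen_by_s = M_PUB
    # Mitigation: S refuses a key whose fingerprint does not match.
    if check_fingerprint and fingerprint(key_seen_by_s) != R_FINGERPRINT:
        return None, None
    # Step 2: S encrypts with the key it holds; M intercepts and decrypts
    # with its own private key (confidentiality lost).
    c = encrypt(key_seen_by_s, order)
    learned = decrypt(M_PRIV, c)
    # Step 3: M alters the content and re-encrypts with R's real key, which
    # it captured in step 1 (integrity lost; R sees nothing unusual).
    tampered = learned + 1
    received = decrypt(R_PRIV, encrypt(R_PUB, tampered))
    return learned, received
```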
51
Message Confidentiality Threats
• This is just a short list of other things that can go wrong
• Mis-delivery:
• A mail system can mis-deliver email
• More likely, users simply mis-type email addresses
• Mail can also just go missing
• (Technically, the last isn’t a confidentiality problem but an availability problem)
52
• Exposure is an endemic problem in a public network
• A message is effectively exposed everywhere in the communications pipeline
• Every piece of software or hardware that transmits the message may expose it
• This can happen at the source machine, on any machine in between, on the transmission medium, and on the destination machine
53
Traffic Flow Analysis (signals intelligence)
• The body of a message may be successfully encrypted
• However, the destination address has to be readable in order to deliver the message
• The header may also contain the source address, a time stamp, etc.
• The existence of communication between two parties at a given time might be useful intelligence
• Therefore, assuring the confidentiality of the header information may be an issue
54
Message Integrity Threats
• Noise
• Not malicious
• Not a big problem
• The book next goes into more detail on message falsification
• In other words, what approaches might an interceptor use to affect the integrity of a message?
55
• Modification: Change part of the contents of a message
• Fabrication, or replacement: Change all of the contents of a message
• Note: More extensive modifications or fabrications would include the header information
56
• Reuse (replay) an old message (or a modified old message)
• Combine parts of different messages in order to form a new message
• If you change the destination information in the header, you redirect messages
• Destroy or delete messages (technically an availability attack rather than an integrity attack)
57
Format Failures
• Subsection Headings:
• Malformed Packets
• Protocol Failures and Implementation Flaws
– In short, protocols and their implementations may not handle unexpected input well
– Malformed packets may cause system failures
– Or they may have “unexpected” effects, which an attacker may take advantage of
58
Web Site Vulnerabilities
• Web sites have vulnerable characteristics:
• Attackers can download their source code for study
• Attackers can potentially access Web contents (pages) in the order of their choice
• Attackers can essentially enter any input into Web page fields that they want
• The browser is a generic front-end, not one with page-specific validation included
59
• Subsection Headings:
• Web Site Defacement
• Buffer Overflows
• Dot-Dot-Slash
• Application Code Errors
• Server-Side Include
60
Web Site Defacement
• This is a popular attack for publicity reasons
• Defacement alone is not terribly destructive
• The fact that defacement can be accomplished suggests that worse things could be done
• The fact that defacement is relatively common suggests that there are a lot of security holes in common (MS) Web server software
• The Wikipedia article on this topic asserts that it is commonly accomplished through SQL injection
61
Buffer Overflows
• There is no difference between buffer overflows on Web pages and in stand-alone programs
• Internet Information Server (MS) has historically been prone to problems like this
• Other Web software is also vulnerable to parameter values for passwords, URL’s, etc. being too long
62
Dot-Dot-Slash
• Ideally, a Web server is an independent machine with no other applications on it (like editors or other development tools)
• The idea is that even if an attacker succeeds in entering the system, there is nothing else that can be done there
• Much less desirably, Web applications run in a limited sub-tree of the directory structure
63
• Dot-dot-slash simply refers to the parent directory in a directory structure
• If the attacker can arrive at a point where it is possible to enter the CD command, the game is over
• The attacker escapes the limited sub-tree by entering CD ../
• A flaw in a version of MS Internet Information Server was found that allowed this kind of attack
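The sub-tree escape described above, and the check that stops it, as an added example (not from the book). The document root and request paths are constructed; the naive resolver is shown first so the escape is visible, and the safe one decodes, normalises and then refuses anything outside the root. posixpath is used so the result is the same on any platform.

```python
"""Confining a requested path to the Web root (dot-dot-slash defence).

Added example, not from the book. The document root and request paths are
constructed. The unsafe resolver is shown first so the escape is visible;
the safe one normalises the path and refuses anything outside the root.
posixpath is used so the result is the same on any platform.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"       # assumed document root for this example


def resolve_unsafe(request_path):
    """Naive join: '..' components simply walk out of the sub-tree."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, request_path.lstrip("/")))


def candidate_for(request_path):
    """Decode percent-encoding first (so %2e%2e%2f is seen as ../), then
    join and normalise. Normalisation resolves '.' and '..' textually only;
    on a real file system, symbolic links would still need realpath()."""
    decoded = unquote(request_path)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def is_within_root(request_path):
    """True only if the normalised path is WEB_ROOT or lies beneath it.
    The trailing separator matters: '/var/www/site2' must not pass."""
    candidate = candidate_for(request_path)
    root = posixpath.normpath(WEB_ROOT)
    return candidate == root or candidate.startswith(root + "/")


def resolve_safe(request_path):
    """Return the confined file path, or raise if the request escapes."""
    if not is_within_root(request_path):
        raise PermissionError(f"request escapes web root: {request_path!r}")
    return candidate_for(request_path)
```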
64
Application Code Errors
• This subsection repeats the information on TOCTOU type errors, giving a bit more technical detail
• As a user browses a Web site, the browser and the server send information back and forth in the form of URL’s
• The service code has to be written securely so that fake URL information is not accepted from the user
65
Server-Side Include
• A server-side include is a statement in Web page code that inserts a file or an executable from a different location into the page and executes it
• You can think of this as kind of like a macro
• The problem comes from the fact that the include may take the form of a system call, “exec something”
66
• This provides a fat target for an attacker
• The goal is to replace “something” with “something malicious and delicious”
• For example, it would be convenient to be able to execute chmod (change access rights), cat (concatenate/write to a file) or any number of other system-level commands
67
Denial of Service
• Denial of service is an availability attack, not a confidentiality or integrity attack
• Denial of service is a very fruitful line of attack in a network environment
• By its very nature, an open network is vulnerable to intentional denial of service
68
• Denial of service is essentially a transmission failure
• There are many accidental causes of transmission failure
• The book is interested in these particular examples of intentional causes:
• Connection Flooding
• Traffic Redirection
• DNS Attacks
69
Connection Flooding
• An attacker can simply send an excessive number of messages to a victim
• If the quantity of messages is at the maximum level that can be handled, few, if any, legitimate messages will get through
70
• The Internet Control Message Protocol (ICMP) exists for network management
• Attacks can also be orchestrated using these protocols
• Since such attacks are built on system tools, to the attacker, they have the benefit that they might be hard for the victim to detect or block
71
• Subsection Headings
• Echo Chargen
• Ping of Death
• Smurf
• Syn Flood
• Teardrop
72
Echo Chargen
• Chargen is a system tool for testing network capacity
• Chargen can be set to generate a stream of packets from a source host to a destination host
• A stream of packets can be designated to be echoed from the destination back to the source
73
• If the attacker has access to host A, chargen can send a stream of echo packets to host B
• In this case, the communication capacity of both A and B will be consumed
• If the attacker has access to host B, chargen can send a packet with B as both the source and the destination, with echoing
• This will consume the communication capacity of B alone
74
Ping of Death
• Ping is a network tool that establishes that one machine is reachable by another over a network
• Host A sends a ping to B
• The protocol is that if B receives the ping, it will send a reply
• Incidentally, the tool can be used to trace and time paths through the Internet
75
• The attack is based on flooding
• If the attacker has access to A, a steady stream of pings can be sent to B
• If A has a higher communication capacity than B, then A can overwhelm B with pings
76
Smurf
• The smurf attack is a reverse ping attack
• The attacker sends a ping packet with a faked source address, say host B
• It sends this packet in broadcast mode to all of the other hosts on a network
• B will be overwhelmed when it receives the replies to the ping from all of the other hosts on the network
77
Syn Flood
• A syn flood attack is based on an element of TCP rather than ICMP
• Under TCP, a connection between two hosts is established by the protocol:
• Host A sends host B: SYN
• Host B replies with: SYN ACK
• Host A concludes the handshake with: ACK
78
• Host B maintains a queue, SYN_RECV, holding its SYN ACK’s which are waiting for the concluding ACK from A
• In computer terms, the queue is not very big—maybe 10-20 entries
• Due to the potential for network delays, SYN ACK’s aren’t purged for up to minutes at a time
• If host A sends multiple SYN’s and no ACK’s, the queue can be filled
79
• A flooded queue interferes with the ability to start communication sessions with other, legitimate hosts
• An attacker will also generate random, false source addresses in the SYN packets
• That way the target doesn’t know the real source of the attack
• Also, unlike a flood of SYN’s from one address, this makes it hard for the target to determine that an attack is occurring and which packets are false
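A model of the SYN_RECV queue from the last three slides, as an added example (not the book's code). Capacity and timeout are constructed values of the size the slides describe; the attacker's forged source addresses are generated deterministically, so the run shows why a full queue drops a legitimate SYN, why every held entry has a different source, and how the queue recovers only once stale entries age out.

```python
"""Model of the SYN_RECV backlog described on the SYN-flood slides.

Added example, not from the book. Capacity and timeout are constructed
values of the size the slides describe (a queue of a dozen or so entries,
entries kept for tens of seconds). The attacker's spoofed source addresses
are generated deterministically so the run is repeatable.
"""


class SynBacklog:
    """Half-open connections waiting for the client's final ACK."""

    def __init__(self, capacity=16, timeout=60.0):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}     # (src_ip, src_port) -> time the SYN ACK was sent
        self.dropped = 0

    def _purge(self, now):
        """Entries older than the timeout are finally given up on."""
        self.pending = {src: t for src, t in self.pending.items()
                        if now - t < self.timeout}

    def on_syn(self, now, src):
        """Return True if a SYN ACK goes out, False if the SYN is dropped."""
        self._purge(now)
        if src in self.pending:
            return True                     # retransmitted SYN, entry kept
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False                    # queue full: legitimate or not
        self.pending[src] = now
        return True

    def on_ack(self, now, src):
        """Third step of the handshake; the entry leaves the queue."""
        self._purge(now)
        return self.pending.pop(src, None) is not None


def flood_scenario(attack_syns=40):
    """Run the slides' scenario and report what a legitimate client sees."""
    q = SynBacklog()
    # Attacker: a burst of SYNs, each with a different forged source, and
    # never an ACK. Blocking any single source would not help.
    for i in range(attack_syns):
        q.on_syn(now=i * 0.01, src=(f"203.0.113.{i + 1}", 10000 + i))
    sources_held = {ip for ip, _port in q.pending}
    legit = ("198.51.100.5", 40000)
    during = q.on_syn(now=1.0, src=legit)      # queue still full
    after = q.on_syn(now=61.0, src=legit)      # stale entries purged
    done = q.on_ack(now=61.1, src=legit)
    return {
        "distinct_sources_held": len(sources_held),
        "syns_dropped": q.dropped,
        "legit_accepted_during_flood": during,
        "legit_accepted_after_timeout": after,
        "legit_handshake_completed": done,
    }
```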
80
Teardrop
• In a packet based communication system, complete messages are sent in multiple discrete packets
• Packets may take different paths through a network and arrive out of order
• They have to contain information about their position in the message and their length
81
• An attacker can send a set of packets where the relative positions and lengths don’t match
• The fragments overlap
• Some operating system/communication software implementations were not designed to handle such anomalies
• Mis-configured packets could cause such systems to lock up
• Wikipedia does not reveal exactly how this attack got its name
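The position and length check that the implementations mentioned above lacked, as an added example (not from the book). A fragment is modelled as an (offset, payload) pair within one message of known length; real IP fragments carry more fields, but the consistency check is the point. The sample fragment sets are constructed.

```python
"""Fragment reassembly that refuses overlapping fragments (teardrop defence).

Added example, not from the book. A fragment is modelled as (offset, payload)
within one message of known total length; real IP fragments carry more
fields, but the position/length consistency check is the point. The sample
fragment sets below are constructed.
"""


def reassemble(fragments, total_length):
    """Rebuild the message, or raise ValueError instead of misbehaving.

    Fragments may arrive in any order. Three conditions are enforced before
    any byte is copied: each fragment lies inside the message, no fragment
    overlaps data already placed, and at the end nothing is missing.
    """
    buffer = bytearray(total_length)
    filled = [False] * total_length
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(payload)
        if offset < 0 or end > total_length:
            raise ValueError(f"fragment {offset}-{end} outside message bounds")
        if any(filled[offset:end]):
            raise ValueError(f"fragment {offset}-{end} overlaps earlier data")
        buffer[offset:end] = payload
        filled[offset:end] = [True] * len(payload)
    if not all(filled):
        raise ValueError("message incomplete: fragments missing")
    return bytes(buffer)


def classify(fragments, total_length):
    """Summarise reassembly as 'ok', 'overlap', 'out_of_bounds' or 'gap'."""
    try:
        reassemble(fragments, total_length)
        return "ok"
    except ValueError as err:
        reason = str(err)
        if "overlaps" in reason:
            return "overlap"
        if "outside" in reason:
            return "out_of_bounds"
        return "gap"


# Constructed samples. GOOD arrives out of order but fits exactly; TEARDROP's
# second fragment claims an offset inside the first one.
GOOD = [(16, b"world!"), (0, b"Hello, "), (7, b"teardrop ")]
TEARDROP = [(0, b"Hello, "), (4, b"teardrop world!")]
MISSING = [(0, b"Hello, "), (16, b"world!")]
TOO_LONG = [(0, b"Hello, teardrop world!"), (20, b"extra")]
```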
82
Traffic Redirection
• This is an attack on a network component rather than a host
• Routers contain tables of addresses reachable through them
• They also provide estimates of how “good” those connections are
83
• A surgical attack could be mounted on a router table
• A general, denial of service attack can take the following form:
• Have that router advertise that it’s the best route to all other points in the network
• It will be flooded with traffic
• Communications packets will be dropped or slowed
84
DNS Attacks
• This is another attack on a network component rather than a host
• Domain name servers translate from alphanumeric Web domain names to numeric network addresses
• They keep lists of known names and addresses
85
• When they receive traffic to an unknown name, they pass it on to other servers
• When another server resolves the name, it will inform the server that had to ask
• That server will store the information for future reference
• This is known generically as caching the name and address
86
• Causing false entries in the cache allows traffic to be maliciously mis-routed
• This is known as poisoning the cache
• Berkeley Internet Name Domain (BIND), Unix software for resolving names, has historically been full of security holes, including buffer overflow problems, making DNS attacks possible
• More recently, flawed Symantec firewall software allowed DNS changes on Windows machines
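The caching behaviour from slides 85 and 86 as an added example (not the book's code), with one check the slides do not describe: an answer is stored only if it matches a query the resolver actually sent, identified by transaction ID and question name. Names, addresses, TTLs and transaction IDs are constructed.

```python
"""Resolver cache model: caching as the slides describe it, plus a check that
an answer matches a query the resolver actually sent.

Added example, not from the book. Names, addresses, TTLs and transaction IDs
are constructed. Matching an answer against an outstanding query (transaction
ID and question name) is ordinary resolver behaviour but goes beyond what the
slides describe.
"""
import random


class CachingResolver:
    def __init__(self, seed=1, validate=True):
        self.validate = validate
        self.cache = {}          # name -> (address, expires_at)
        self.outstanding = {}    # txid -> name we asked about
        self.rng = random.Random(seed)   # deterministic for the example
        self.rejected = 0

    def lookup(self, name, now):
        """Return ('hit', address) from cache, or ('query', txid) meaning the
        question must be forwarded to another server under that txid."""
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return "hit", entry[0]
        txid = self.rng.randrange(1, 65536)
        self.outstanding[txid] = name
        return "query", txid

    def on_answer(self, txid, name, address, ttl, now):
        """Store an answer if it belongs to a pending query.

        With validation on, txid and name must both match. With it off, any
        answer for a name we asked about is taken, whatever its txid; the
        first answer to arrive wins and the pending query is consumed.
        """
        if self.validate:
            matched = [t for t, n in self.outstanding.items() if t == txid and n == name]
        else:
            matched = [t for t, n in self.outstanding.items() if n == name]
        if not matched:
            self.rejected += 1
            return False
        del self.outstanding[matched[0]]
        self.cache[name] = (address, now + ttl)
        return True


def poisoning_attempt(validate):
    """A forged answer with a guessed txid arrives before the real one;
    report what got cached and what the next lookup of the name serves."""
    r = CachingResolver(validate=validate)
    _kind, txid = r.lookup("bank.example", now=0)
    forged_txid = (txid + 1) % 65536 or 1     # attacker's guess is wrong
    forged_ok = r.on_answer(forged_txid, "bank.example", "203.0.113.66", ttl=86400, now=1)
    real_ok = r.on_answer(txid, "bank.example", "192.0.2.44", ttl=300, now=2)
    return {"forged_cached": forged_ok, "real_cached": real_ok,
            "served": r.lookup("bank.example", now=3)[1]}
```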
87
Distributed Denial of Service
• The steps go like this:
• Scan systems for security flaws
• Use the flaws to insert Trojan horses on systems
• The Trojan horse contains a denial of service attack
• Affected machines are known as zombies
• At some point in the future, signal the zombies to mount the attack
88
• The victim has to deal with multiple simultaneous attacks
• Various different kinds of attacks can be coded into the Trojan horse(s)
• These kinds of attacks are so common that “software suites” have been developed which allow the attacker to put together an attack by selecting scanning, Trojan horse, and attack options
• For more information, look up Tribal Flood Network (TFN), Trin00, and TFN2K
89
Threats in Active or Mobile Code
90
Cookies
• Cookies are data files rather than code files
• A cookie is stored at the request of a server, and the contents of the cookie are sent to the server on request
• Any information that a browser can determine can be stored in a cookie
• A cookie may be “per-session”, stored in memory for the time the browser is open
• A cookie may also be persistent, saved to disk
91
• Cookies provide a superficial convenience to the user
• A web site can recognize a user and personalize its response based on the information it has about them
• The convenience is more to the server
• They now have information about the visitor within their possession
92
• The contents of cookies are typically encrypted
• You might think that this is a security benefit to you
• However, you, the user, are primarily the one who is prevented from seeing what information about you the server is managing for its own use on your machine
93
• From a security point of view, anyone in possession of your cookie is able to impersonate you to the relevant server
• From a personal privacy point of view, consider the following:
• The server is able to place something on your machine which you aren’t able to examine which it can use to its heart’s content
• Does this increase or decrease your personal security?
94
Scripts
• The book gives some detail concerning CGI (common gateway interface) scripting problems
• I’m not so interested in the details.
• I’m interested in the overall picture.
• It is possible to have servers pushing code onto clients for execution
• This makes the clients insecure
95
• With scripts, it is the client that is able to cause code to run on the server
• If the server side code was not carefully written, it may be possible for the client to request or run code that it shouldn’t
• This makes the server insecure
• Any time one host can cause another host to run code, the possibility of security problems is raised
96
Active Code
• The general idea is that a server sends code to a client where it is run
• This is essentially the Java applet model
• Note that Java does include various security features which reduce the danger of this
• A Java program can’t touch memory
• A Java program runs in a “sandbox” of limited resources
97
• Originally the sandbox did not allow writing to storage
• It also didn’t allow running arbitrary procedures that had been included in the sandbox
• In order to increase flexibility and capability, these restrictions have been relaxed
98
• That means that Java is less secure than it was before
• This means that it is now possible for malicious programmers to write hostile (harmful) applets
• To guard against them, the system has to protect all of the following:
• System resources, memory, garbage collection and communication between applets
99
ActiveX Controls
• ActiveX Controls are essentially Microsoft’s answer to Java
• If you download a file of type .xyz and there is a handler on the system for files of that type, it will be invoked
• If not, a handler can also be downloaded
100
• Security, such as it is, comes from a cryptographic signature identifying the source of the download
• This approach is far from failsafe
• There is no guarantee that code from identified sources is safe
• It may also be the case that you do want to use code from sources you “know”, but which aren’t cryptographically identified
101
Auto Exec by Type
• This refers to features that are apparent in Windows
• Files can have extensions indicating their type
• They can also have their type embedded in them
• Depending on the context, a file of a given type might be automatically opened
• Opening the file will trigger the application corresponding to its type
102
• This is a “convenience” that we’ve all grown accustomed to
• It can be an aggravation, when the extension doesn’t match the embedded type
• It is also a possible source of security problems
• A malicious actor can embed harmful things, like macros, in files that we tend to think of as data files
• When the application opens the file, it will execute the harmful macros
103
• The fault isn’t really in auto exec by type
• If the files didn’t open in this way, we would simply start the application and then open them
• The problem is, first of all, that people put harmful things into files
• The second problem is simply that for full safety, every file should have a known source and should probably be scanned before being opened
104
Bots
• The term bot refers to an individual instance of a Trojan horse resident on a machine
• In practice, an attacker will typically place a botnet on a network, that is, a large number of bots on different machines
• The code for the bots is written so that the attacker can communicate with them, they can communicate with each other, etc.
105
• Because its elements are distributed, semi-autonomous, and in communication with each other, a botnet is highly resilient
• The individual bots typically don’t harm the machine they’re on
• They simply steal its resources
• A common use for a botnet is triggering a denial of service attack
106
• A botnet might also be devised to manage the sending of spam
• If large quantities of unwanted mail can be traced to a single address/machine, the source can be blocked
• If each piece of unwanted mail comes from a different address it is harder to defend against
• Who do you block, how many do you block, are you blocking legitimate senders who are simply unlucky enough to have a bot on their machine?
107
Complex Attacks
• The general idea of this section is that some common attacks have been written up in scripts that are readily available
• The term “script kiddies” refers to people who aren’t programmers who can launch attacks using scripts
• Not only do they not need to understand how the scripts work
• It is possible that they don’t really understand what the scripts do—except for the satisfaction of knowing that they’re harmful to someone
108
Building Blocks
• The flip side of simple scripts is that they can be used as building blocks
• A more sophisticated, knowledgeable attacker can compose complicated attacks by running scripts in sequence or combining them in some way
109
Summary of Network Vulnerabilities
• Table 7-4
• See the following overheads (slides 110 and 111 carry the table, which is not reproduced in this text)
112
7.3 Network Security Controls
• Security in networks, in general, is based on the same ideas as security in software or in other computer and data systems
• Analysis and planning are the foundation
• Encryption remains one of the principal tools
• Various aspects of authentication also play a large role
• Other specific factors can also be identified
• Relative security results from a happy combination of all of these things
113
Security Threat Analysis
• Security threat analysis consists of three basic steps:
• Identify and analyze each part of a system and its interactions with other parts
• Consider confidentiality, integrity, and availability issues in the system
• Hypothesize the kinds of attacks that might occur, the damage they might cause, and possible measures against them
114
Parts of a Network
• Local nodes connected via
• Local communication links to a
• Local area network, which also has
• Local data storage,
• Local processes, and
• Local devices
115
• The local network is also connected to a
• Network gateway which gives access via
• Network communication links to
• Network control resources
• Network routers, and
• Network resources, such as databases
116
Summary of Network Threats
• Intercepting data in traffic
• Accessing programs or data at remote hosts
• Modifying programs or data at remote hosts
• Modifying data in transit
• Inserting communications
• Impersonating a user
• Inserting a repeat of a previous communication
• Blocking selected traffic
• Blocking all traffic
• Running a program at a remote host
117
Design and Implementation
• This was the topic at the end of chapter 3
• The first line of defense against possible threats is the development of robust, secure software, to the extent that may be possible
• The details won’t be repeated here
118
Architecture
• Segmentation
• Redundancy
• Single Points of Failure
• Mobile Agents
119
Segmentation
• Segmentation reduces the total number of vulnerabilities
• What you have is the sum of the vulnerabilities of simpler systems
• A more monolithic system would mean that a vulnerability to one part was also a vulnerability to another part
• Likewise, segmentation reduces the possible harm of a single vulnerability
• Only one segment may incur harm, rather than all parts of a monolithic system
120
An Example
• Suppose an e-commerce system consists of these components:
• A Web server to handle HTTP sessions
• Application code to present goods and services
• A database of goods and inventory
• A database of orders taken
121
• Putting all components on a single machine would be insecure
• Putting each component on a separate machine on a local area network behind a firewall would be better
• It is especially helpful to separate the Web front end from the data and applications back end
• The goal is to completely isolate Web visitors so they don’t have access to the internal data and applications
122
Redundancy
• The previous section assumed that you were running an operation large enough to justify multiple machines
• The ante goes up another step
• If you can afford it, you should have redundant systems for each component
• If a component fails, performance will be degraded, but service will not stop
123
• Notice that this isn’t just about security
• This is also simple disaster planning
• The follow-on security problem is that if one of a pair of redundant systems fails for security reasons, the other one is likely to be equally vulnerable
• If there were no limit on resources, here’s a thought, for example:
• Run two Web servers, one Unix based and the other Windows based…
124
Single Points of Failure
• This is essentially the converse of redundancy
• When determining which things to distribute or duplicate, you identify single points of failure
• Note that in addition to doing things like RAID, you may distribute data on different machines
• There can be processing issues in keeping things synchronized
125
• Technically, the points of failure analysis also applies to the network infrastructure itself
• How secure is each segment of a network?
• Do you have multiple machines at nodes in your network, etc.?
• Clearly, these are questions for life-sized operations
• For most of us, our horizon is limited to a single machine attached to the Internet
126
Mobile Agents
• Suppose you wrote snippets of code to scan for various bad security conditions
• Rather than tying them together, you implemented them as independent, semi-autonomous applications that could be run on various systems
• They would run in parallel, distributed fashion, ferreting out security weaknesses
127
• This might be a useful view or paradigm for future implementations of network security
• It’s sort of like turning the distributed denial of service attack (a botnet) on its head
• Or it may be reminiscent of the concept of a “good” virus
• Some agents may fail, but in aggregate they may succeed in identifying and rectifying the large number of vulnerabilities in a complex system
128
Encryption
• The book reiterates the following ideas:
• You probably can’t have a secure system without encryption being in it somewhere
• However, encryption is not a silver bullet
• It is one security tool that has to be supplemented by others
• It also has its own security vulnerabilities
129
Link Encryption
• Link encryption refers to encryption that is part of the network infrastructure
• It is transparent to the user
• When a message is sent, it is routed to a particular destination host, which might not be the final destination
• The immediate destination decrypts, re-encrypts, and forwards the message
130
• The message is exposed on the sender’s machine, up until transmission
• It will be exposed on the final destination machine immediately after receipt and decryption
• It is also exposed on any intermediate host at the lower levels of the network protocol
131
• This is a useful network service if the transmission links themselves (wires, radio waves) are not secure, but the hosts are secure
• It has been implemented by the military, for example, where transmission nodes/hosts are secure
• Even the headers can be at least partially encrypted, so this may provide some protection against routing attacks
132
• This is not a service that could be implemented over the Internet
• You don’t know what path your packets will be routed through and you have no control over the intermediate hosts
133
End-to-End Encryption
• End-to-end encryption is done at the user application level
• It is performed by software before a message is submitted for transmission
• The message is not exposed on the source, destination, or intermediate hosts
134
• Just because the message is not exposed doesn’t mean there are no vulnerabilities
• Attacks may occur in the application to obtain the message before encryption
• Cryptanalytic attacks may occur after encryption
• Header information is not encrypted, so routing attacks may occur
135
Comparison of Encryption Methods
• (The content of this slide is not reproduced in this text)
136
Virtual Private Networks (VPNs)
• The scenario here is that there is a trusted (organizational) LAN
• There are some users who are not on site, and want to access the network and its resources remotely, over the Internet
• The Internet is inherently insecure, but VPNs make a trusted connection possible
137
• This is the plan:
• The remote user communicates initially with the LAN firewall
• The firewall sends authentication information to whatever component of the LAN does authentication
• If authentication is approved, a link encryption session is established between the user and the firewall, which forwards communications to the LAN
138
• In other words, VPNs are an application of link encryption
• This is in contrast to previous solutions to this problem
• Until recently, corporations maintained their own secure WAN by literally leasing telephone lines (circuits) from telephone service providers for their exclusive use
• Expensive, dedicated lines are no longer necessary when traffic can be securely encrypted
139
PKI and Certificates
• PKI = Public Key Infrastructure
• The background for this topic came up when discussing the uses of encryption
• The general topic is the following:
• What technology, software, and administrative procedures are needed in order to manage security certificates?
• At this time standards are being developed, but this is not a mature area
140
• If it were mature, you might expect everybody who uses a computer to have a verifiable electronic identity which allowed authenticated, secure transactions with all other users with such an identity
• Such an infrastructure would ultimately be based on one or more certificate authorities
• Characteristics of these are given on the following overheads
141
• Creating/issuing certificates that bind a user’s id with a unique public key (with accompanying private key)
• Signing such certificates so that they can be verified with the authority’s public key (vouching)
• Maintaining a database of such certificates
142
• Keeping track of any certificates which have become invalid, either because they have expired or it is known that they are compromised
• Providing verification service by telling whether any given certificate is valid and publishing lists of invalidated certificates
• In short, managing all aspects of issuing and maintaining security certificates
143
Tour de Buzzwords
• Time is running out and there’s a lot left in the chapter
• I will continue just trying to do the once-over-lightly, and when I’m out of time, I’m out of time
144
SSH Encryption
• SSH = Secure Shell
• This means secure access to a Unix command prompt, in essence
• The protocol supports authentication and encryption
• It includes features whereby local and remote hosts negotiate which authentication and encryption techniques they both support so the user can log in transparently
145
SSL Encryption
• SSL = Secure Sockets Layer
• A.k.a. TLS = Transport Layer Security
• This was a protocol devised by Netscape to protect (end-to-end) communication between a browser and a Web server
• Like SSH, the idea is that client and server negotiate which authentication and encryption tools they share and which ones they will use to protect a session
146
IPSec
• IPSec = IP Security Protocol Suite
• This is part of version 6 of the IP protocol (IPv6)
• As such, it is implemented as part of the TCP/IP infrastructure
• In addition to supporting authentication and encryption (at the link level, in essence) it was designed to include features to address spoofing, eavesdropping, session hijacking, etc.
147
Signed Code
• Nothing radically new here:
• If you download code, it can come with a signed security certificate indicating the source
• It’s still up to you whether you trust the source…
• Any code you install, whether downloaded or from another source, is suspect to a degree…
148
Encrypted E-mail
• For some reason this subsection appears here
• It is a complete section of its own later
• Stay tuned
149
Content Integrity
• Basically a repetition of something that was mentioned in ch. 12
• Error correcting codes for transmission errors
• Cryptographic checksum ~= message digest ~= hashing for security related integrity problems
150
Strong Authentication
• The book raises a very interesting point
• Suppose you’re logging in to a remote host
• You can have all the authentication you want and take all the protective measures you want; the goal is to get your authentication to that remote host so it will accept you
• What if you aren’t actually in communication with that host?
• Then you will have sent your authentication information (login and password) to whoever or whatever was at the other end of the line
151
One-Time Password
• This is a technique to protect against stolen, eavesdropped, wiretapped passwords in a network environment
• There are several different kinds of systems
• The book describes one
• It is sort of like the electronic equivalent of a one-time pad
152
• Users are given small devices, known as password tokens, which generate a new random number every minute
• These devices are all synchronized with a host
• The random numbers are derived using an algorithm based on the current time
• During the one minute interval after a number is generated, it can be used as a login password
153
• The host contains software which determines whether the password is the one that would have been computed for that time interval
• Even if someone intercepts a password, it will not be valid after the one minute window has passed
• If multiple logins are disallowed, once used by the legitimate user, the password wouldn’t be valid again during that minute
154
• Like with all things, there is a trade-off
• The positive benefits are clear
• And the effect is that you’ve shifted security concerns elsewhere
• What if the password token is lost or stolen?
• What if someone obtains access to the algorithms used?
155
Challenge-Response Systems
• These are fancier versions of one-time password systems
• The user needs a PIN to use the device
• When a user wants to use a remote host, the host sends a value, a challenge
• The user enters the challenge into the device, which produces the valid response
• The user enters the response as a password
156
• What have you accomplished?
• There is no one minute window during which a purloined password might be used
• A password is generated only on demand
• What have you lost?
• Now your security is actually protected only by a PIN
157
• In other words, this is simple password security at the device level
• Have you ever heard of a PIN that was longer than 4 characters and consisted of anything but digits?
• What would the average system do if you tried to use passwords with that strength?
158
• The book raises another interesting point
• These systems seem to be designed to protect hosts from unauthorized users
• What about spoofing the other end of the communication?
• What is protecting users from logging into false hosts, assuming that the devices/software/algorithms have been compromised?
• It’s the same old problem of who is on the other end of the line
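The two token designs on slides 151 to 158, as an added example that is not the book's or the slides' code: a time-synchronized password token with the host-side checks described (code valid only in its minute, and not twice in that minute), and a PIN-protected challenge-response token whose host issues a fresh challenge per attempt. The code construction (HMAC-SHA256 of the window index or of the challenge, truncated to six digits or kept as hex) is an assumption chosen for the demonstration, not the book's algorithm; secrets, user names, PIN and clock values are constructed.

```python
"""Added example: time-synchronized password token and PIN-protected
challenge-response token, with the host-side checks from the slides.
HMAC-SHA256 is an assumed construction; all secrets and times are constructed."""
import hashlib
import hmac
import secrets

INTERVAL = 60  # seconds per password window, as on the slides

def window_code(secret: bytes, now: int, interval: int = INTERVAL) -> str:
    """Password for the window containing `now`: HMAC(secret, window index), 6 digits."""
    counter = (now // interval).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"

class TimeTokenHost:
    """Host side: recomputes the expected code for the current window and refuses
    a second login in the same window (the 'multiple logins disallowed' rule)."""
    def __init__(self, user_secrets: dict):
        self.user_secrets = user_secrets
        self.used = set()          # (user, window index) already consumed

    def login(self, user: str, code: str, now: int) -> bool:
        secret = self.user_secrets.get(user)
        if secret is None:
            return False
        window = now // INTERVAL
        if (user, window) in self.used:
            return False           # replay inside the one-minute window
        if not hmac.compare_digest(code, window_code(secret, now)):
            return False           # wrong code, or a code from an expired window
        self.used.add((user, window))
        return True

class ChallengeResponseToken:
    """Device side: computes a response only when the correct PIN is entered."""
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin

    def respond(self, pin: str, challenge: str):
        if not hmac.compare_digest(pin, self._pin):
            return None            # wrong PIN: the device computes nothing
        return hmac.new(self._secret, challenge.encode(), hashlib.sha256).hexdigest()

class ChallengeResponseHost:
    """Host side: a fresh random challenge per attempt; a response is checked
    against exactly one outstanding challenge, so there is no time window."""
    def __init__(self, user_secrets: dict):
        self.user_secrets = user_secrets
        self.pending = {}          # user -> outstanding challenge

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def login(self, user: str, response) -> bool:
        challenge = self.pending.pop(user, None)   # single use, whatever the outcome
        secret = self.user_secrets.get(user)
        if challenge is None or secret is None or response is None:
            return False
        expected = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)
```

Neither host class proves anything about the host to the user; slide 158's question, whether you are talking to the real host at all, is outside what these checks cover. The `used` set and the popped `pending` entry are the whole difference between "valid for a minute" and "valid once", which is what the slides mean by shifting the security concern elsewhere (to the device and its PIN).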
159
Digital Distributed Authentication
• The key idea here is the following:
• In systems consisting of multiple components, you need security and authentication between hosts as well as between people
• In network communications between devices/servers/hosts you can accomplish this with an infrastructure for asymmetric keys between machines
160
Kerberos
• Kerberos is essentially an example of a current digital distributed authentication system
• It accomplishes authentication using public keys
• It can then be used for the distribution of secret keys
• There is no need to go over the details of the protocol
• We got a general discussion of how such protocols are devised in earlier chapters
161
Access Controls
• ACL = Access Control List
• Authentication controls who
• ACLs record what the resources and permissions are
• In a networked environment, routers can contain ACLs which control which (authenticated) users can access which network resources
162
Wireless Security
• Wireless security is based on identifiers for access points and encryption
• SSID = Service Set Identifier = id of wireless access point
• Users request access to such points
• WEP = Wired Equivalent Privacy = authentication/encryption for individual communication with an access point
• WPA = WiFi Protected Access is an alternative to WEP with the same purpose
163
Alarms and Alerts
• This little subsection is just a preview of a coming section:
• Intrusion Detection Systems
164
Honeypots
• Idea: Put up a system on your network with security weak enough that attackers will be drawn there
• This can serve several different purposes:
• Allow you to study attacker behavior in general
• Lure an attacker to a particular location where by monitoring you will be able to identify the attacker
• Divert an attacker to someplace harmless so that serious systems aren’t compromised
• This is turning the principle of easiest penetration against the attacker
165
Traffic Flow Security
• This has to do with signals intelligence
• A crude way to thwart listeners is to always send the same amount of traffic between sites
• Onion routing is a way of anonymizing traffic so that attackers are unlikely to be able to identify the source and the destination
166
• The idea is this: A wants to send a message to D
• A wraps the message to D in an encrypted message to C
• A wraps the message to D/C in an encrypted message to B
• A sends the result to B
• At each step, each intermediate host only knows the most immediate source and the most immediate destination
• The rest of the routing information is encrypted
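The following added example (not from the book or these slides) serves both the link versus end-to-end encryption slides (129 to 134) and the onion routing steps just above. It models the route A, B, C, D and reports what each host along the way can read: under link encryption every intermediate host sees the header and the plaintext body; under end-to-end encryption only D reads the body but every host sees the unencrypted source and destination; under onion routing each host learns only who handed it the message and the next hop. The cipher is a demonstration-only XOR stream keyed through SHA-256, not a real cipher, and the host names, keys and payload are constructed values.

```python
"""Added example: where a message is readable along A -> B -> C -> D under link
encryption, end-to-end encryption and onion routing.  The cipher is a
demonstration-only XOR stream keyed through SHA-256 (NOT a real cipher); host
names, keys and the payload are constructed values."""
import hashlib
import json

def keystream(key: bytes, length: int) -> bytes:
    """Demonstration keystream: concatenated SHA-256(key || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def try_read(key: bytes, blob: bytes):
    """Decrypt and parse as JSON; a wrong key yields garbage, so return None."""
    try:
        return json.loads(xor_crypt(key, blob).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None

PATH = ["A", "B", "C", "D"]                                   # constructed route
LINK_KEYS = {("A", "B"): b"link-AB", ("B", "C"): b"link-BC", ("C", "D"): b"link-CD"}
HOST_KEYS = {h: b"host-" + h.encode() for h in PATH}          # one key per host
END_TO_END_KEY = b"shared-only-by-A-and-D"
KEYRING = {h: [HOST_KEYS[h]] for h in PATH}                   # keys each host holds
KEYRING["D"].append(END_TO_END_KEY)

def read_with_keyring(host: str, blob: bytes):
    """What `host` can recover from `blob` using only the keys it holds."""
    for key in KEYRING[host]:
        parsed = try_read(key, blob)
        if parsed is not None:
            return parsed
    return None

def link_encryption(payload: str) -> list:
    """Hop-by-hop: header and body are encrypted per link and decrypted on
    arrival, so every intermediate host sees source, destination and body."""
    packet = json.dumps({"src": "A", "dst": "D", "body": payload}).encode()
    seen = []
    for prev, host in zip(PATH, PATH[1:]):
        on_wire = xor_crypt(LINK_KEYS[(prev, host)], packet)
        p = try_read(LINK_KEYS[(prev, host)], on_wire)         # host decrypts its link
        seen.append({"host": host, "src": p["src"], "dst": p["dst"], "body": p["body"]})
        packet = json.dumps(p).encode()                         # re-encrypted on the next link
    return seen

def end_to_end_encryption(payload: str) -> list:
    """A encrypts the body once for D; the header stays in clear for routing."""
    body_ct = xor_crypt(END_TO_END_KEY, json.dumps({"body": payload}).encode())
    seen = []
    for host in PATH[1:]:
        inner = read_with_keyring(host, body_ct)
        seen.append({"host": host, "src": "A", "dst": "D",
                     "body": inner["body"] if inner else None})
    return seen

def onion_wrap(payload: str) -> bytes:
    """A builds nested layers: D's layer inside C's layer inside B's layer."""
    layer = xor_crypt(HOST_KEYS["D"], json.dumps({"next": None, "body": payload}).encode())
    for host, nxt in (("C", "D"), ("B", "C")):
        layer = xor_crypt(HOST_KEYS[host], json.dumps({"next": nxt, "body": layer.hex()}).encode())
    return layer

def onion_routing(payload: str) -> list:
    """Each host peels one layer and learns only who handed it the blob and the next hop."""
    blob, prev, host, seen = onion_wrap(payload), "A", "B", []
    while host is not None:
        layer = read_with_keyring(host, blob)
        final = layer["next"] is None
        seen.append({"host": host, "from": prev, "next": layer["next"],
                     "body": layer["body"] if final else None})
        blob, prev, host = (None if final else bytes.fromhex(layer["body"])), host, layer["next"]
    return seen
```

The three functions return one observation per host, which is the comparison the slides make in words: link encryption protects the wires but trusts every host on the path; end-to-end encryption protects the body everywhere but leaves the header, and therefore the routing, visible; onion routing hides even the final destination from B, at the cost of a key shared with each relay.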
167
Controls Review
• Table 7-7
• This is simply too long to insert.
• It is a comprehensive list of all of the different topics raised so far
168
7.4 Firewalls
• A firewall filters traffic between an outside, untrusted network, and an inside, trusted network
• A firewall should typically be a stand-alone machine
• This supports good performance
• It also supports security
• If a firewall hosts other functions, it may be more easily subverted by an attacker
169
• Firewalls intercept and inspect communications packets or actions
• They implement a policy about what communications or actions are allowed
• They may only allow communication in one direction, from the inside to the outside
• They may also restrict or allow various types of communications in both directions
170
• Policies can fall into two categories:
• Default permit: That which isn’t forbidden is permitted
• Default deny: That which isn’t permitted is forbidden
• Users tend to favor “default permit”
• Good security favors “default deny”
171
Types of Firewalls
• Packet filtering gateways or screening routers
• Stateful inspection firewalls
• Application proxies
• Guards
• Personal firewalls
172
Packet Filtering Gateways
• Packet filtering gateways inspect the header information on communications
• They can permit or deny communications between the inside and the outside based on the addresses involved
• They can do the same based on the communication protocol (http, telnet, etc.) of the packet
173
• Header information can be forged, so this level of protection isn’t absolute
• However, consider this approach to securing the inside network:
• Block all packets from outside that show source addresses from within the trusted network
• These are clearly forgeries
174
• Packet filtering is useful and such a firewall is probably a large part of a network’s security
• However, it has its shortcomings
• It is simple to set straightforward policies
• It becomes more complex to do things like allow protocol x for address y, and cover all of the possible individual combinations
175
Stateful Inspection Firewall
• The previous discussion covered a firewall that inspected packets in isolation
• Stateful inspection refers to trying to consider all packets that might belong together in a single message
• Attackers may try and mount an attack that is spread over several packets
• For example, it might be possible to foil a teardrop attack with stateful inspection
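As an added example (not the book's or the slides' code) for the firewall slides 170 to 175: a tiny default-deny packet filter with the anti-spoofing rule from slide 173, followed by a stateful variant that keeps a connection table so replies are admitted only for connections an inside host opened. Connection tracking is one form of stateful inspection and is an assumption that goes beyond the slides' teardrop example; the network, addresses, ports and packets are constructed sample values.

```python
"""Added example: default-deny packet filter with anti-spoofing, then a
stateful variant with a connection table.  Networks, addresses and packets
are constructed sample values."""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed trusted network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "in" = arriving from outside, "out" = leaving the inside

def anti_spoof(pkt: Packet) -> bool:
    """A packet from outside claiming an inside source address is a forgery."""
    return not (pkt.direction == "in" and ipaddress.ip_address(pkt.src) in INSIDE_NET)

# Explicit permits as (direction, protocol, destination port).
# Anything not listed is denied: default deny (slide 170).
PERMIT_RULES = {
    ("in", "tcp", 80),     # web server reachable from outside
    ("in", "tcp", 443),
    ("out", "tcp", 80),    # inside hosts may browse
    ("out", "tcp", 443),
    ("out", "udp", 53),    # and resolve names
}

def stateless_decision(pkt: Packet) -> str:
    """Packet filtering gateway: header fields only, each packet in isolation."""
    if not anti_spoof(pkt):
        return "drop:spoofed"
    if (pkt.direction, pkt.proto, pkt.dport) in PERMIT_RULES:
        return "permit"
    return "drop:default-deny"

class StatefulFirewall:
    """Remembers permitted outbound connections so that their replies pass
    without an inbound rule that would otherwise have to open the reply port
    to every outside host."""
    def __init__(self):
        self.connections = set()   # (inside ip, inside port, outside ip, outside port, proto)

    def decision(self, pkt: Packet) -> str:
        if not anti_spoof(pkt):
            return "drop:spoofed"
        if pkt.direction == "out":
            verdict = stateless_decision(pkt)
            if verdict == "permit":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return verdict
        # inbound: a reply to a tracked connection is allowed regardless of port rules
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.connections:
            return "permit:established"
        return stateless_decision(pkt)
```

The stateless filter has no good answer for the reply to an inside host's web request: either port 443 replies from anywhere are permitted inbound, or browsing breaks. The state table is what lets the policy stay default-deny while still admitting that reply, which is the practical reason the slides list stateful inspection as a separate firewall type.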
176
Application Proxy
• An application proxy runs code which is in effect a pseudo-application
• The pseudo-application stands between an outside user and an inside service application
• To the user, the proxy looks like the service
• To the service, the proxy looks like the user
• The situation is analogous to a man-in-the-middle
177
• The proxy intercepts all traffic between the two
• It can inspect the content as well as the header
• It can implement policies on what is allowed based on the content of the communication
• It will transmit actions which are allowed and not transmit actions which are not allowed
178
• File access illustrates the idea
• Locally, an operating system assigns rwx attributes to users
• On a network, suppose all (remote) users may be allowed to read, but not write to a file
• A proxy could monitor all communication for read and write actions
• Reads would be passed to the inside file system
• Writes would be discarded
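The file-access illustration above, as an added example that is not the book's code: an application proxy in front of a constructed line-based file service. Remote users may read but not write; the proxy parses each command, forwards reads to the inside service and discards everything else, answering the user itself. The command protocol, file names and contents are constructed for the demonstration.

```python
"""Added example: a read-only application proxy in front of a constructed
file service.  The command protocol and the files are constructed."""

class InsideFileService:
    """The protected service: honors both READ and WRITE if reached directly."""
    def __init__(self, files: dict):
        self.files = dict(files)

    def handle(self, command: str) -> str:
        verb, _, rest = command.partition(" ")
        if verb == "READ":
            return self.files.get(rest, "ERR no such file")
        if verb == "WRITE":
            name, _, data = rest.partition(" ")
            self.files[name] = data
            return "OK written"
        return "ERR unknown command"

class ReadOnlyProxy:
    """Pseudo-application between the remote user and the service.  Because it
    parses the protocol, policy is applied to what a command does (content),
    not merely to the addresses and ports a packet filter would see."""
    ALLOWED_VERBS = {"READ"}

    def __init__(self, service: InsideFileService):
        self.service = service
        self.log = []     # (command, action): the proxy's audit trail

    def handle(self, command: str) -> str:
        verb, _, _ = command.partition(" ")    # same parsing as the service, so no bypass via quirks
        if verb in self.ALLOWED_VERBS:
            self.log.append((command, "forwarded"))
            return self.service.handle(command)    # to the service, the proxy is the user
        self.log.append((command, "discarded"))
        return "ERR command not permitted by proxy"  # to the user, the proxy is the service
```

Two details carry the security point: the proxy allows by verb rather than denying by verb, so an unexpected command such as a delete is discarded without a rule for it (default deny again), and it tokenizes the command exactly as the service does, because a proxy that parses the protocol differently from the service behind it can be talked past.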
179
Guards
• A guard is essentially a proxy with added features
• Examples of guarding functions include limiting communication traffic based on type or based on quantity associated with a given user, scanning certain kinds of traffic, etc.
• Filtering is based on the contents of the packets, but on criteria beyond those of a simple application proxy
180
Personal Firewalls
• The previous discussion was based on the idea of a firewall machine on a network
• A personal firewall is a piece of software protecting an individual machine from the network it’s attached to
• This is a good thing for an individual user connected to an untrusted network, like the Internet, for example
181
• A personal firewall can be configured to do all of the same kinds of things as a network firewall mentioned previously
• Unfortunately, because the firewall works on the same machine it’s protecting, the firewall is vulnerable to subversion by an attacker through that machine
182
Example Firewall Configurations
• A network firewall installation can be made even more secure
• The firewall can be on its own LAN or LAN segment, so that inside network machines are not exposed to breaches that only reveal the network the firewall is on
183
• This can be taken a step further
• The inside network may be connected to an application proxy firewall on its own network segment
• The application proxy may be connected to a packet filtering gateway on its own network segment
• The packet filtering gateway may then connect to the outside network
• An attacker would have to successfully breach several layers to get to the inside network
184
What Firewalls Can and Cannot Block
• A firewall defense is a perimeter defense
• If the inside network has any other connections to the outside, then it is vulnerable
• Also, any data transmitted outside of the perimeter has to be treated as suspect as soon as it leaves the perimeter
185
• As the window to the outside, firewalls are the first line of defense and the first point of attack on a system
• Firewalls have to be monitored and kept up to date just like any other security tool
• Firewall logs may provide information on attack precursors or unsuccessful (or successful) attacks on a system
186
• Even the most elaborate firewall has little effect on the content of communications
• If a communication comes from an authorized user under an accepted protocol, bad data or code may enter the system
• This is the result of successful subversion of authentication (a stolen password, for example) and the firewall can’t control for this
187
7.5 Intrusion Detection Systems
• Firewalls protect the perimeter of a system
• Intrusion detection systems monitor activities within a system
• Outsiders can penetrate the perimeter defenses
• Insiders can also engage in inappropriate behavior
• The goal is to identify those cases when they have (and do something about it)
188
• IDSs may do one or more of the following:
• Audit system configuration for vulnerabilities and misconfigurations
• Correct system configuration errors
• Assess the integrity of critical system and data files
189
• Monitor users and system activity
• Identify abnormal activity through statistical analysis
• Recognize known attack patterns in system activity
• Manage audit trails and highlight user violation of policy or normal activity
• Install and operate traps to record information about intruders
190
Types of IDSs
• Signature based: This relies on matching pre-established patterns of known attacks
• Heuristic: This is a more flexible system based on identifying anomalies in behavior
• The IDS administrator builds a model of accepted behavior in which certain anomalies may be allowed or disallowed
191
• IDSs are clearly more complex than virus scanners
• However, there is a similarity in concept
• In real time the IDS is monitoring system activity looking for a signature of an attack
• The heuristic approach is not so different
• In real time the IDS is looking for signatures of behavior which are anomalous
192
• IDSs can be network based or host based
• This is similar to the distinction between a network firewall and a personal firewall
• Networks, individual systems, or both may have IDSs installed on them
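The two IDS styles from slides 190 to 192, as an added example that is not the book's code, run over constructed log lines: the signature detector matches pre-established patterns, and the heuristic detector flags a user whose failed-login count in a minute is far above a baseline built from earlier, quiet minutes. The log format, the signature patterns, the baseline counts and the threshold rule (mean plus k standard deviations) are all constructed for the demonstration.

```python
"""Added example: signature-based and heuristic (anomaly) detection over
constructed log lines.  Log format, signatures, baseline and threshold are
constructed, not taken from any real IDS."""
import re
import statistics
from collections import Counter

# Constructed syslog-style lines: "<hh:mm:ss> <host> <process>: <message>"
SAMPLE_LOG = """\
10:00:01 web1 sshd: Failed password for alice from 192.0.2.10
10:00:05 web1 sshd: Accepted password for alice from 192.0.2.10
10:01:10 web1 httpd: GET /index.html 200
10:02:30 web1 httpd: GET /cgi-bin/../../etc/passwd 404
10:03:00 web1 sshd: Failed password for bob from 198.51.100.5
10:03:01 web1 sshd: Failed password for bob from 198.51.100.5
10:03:02 web1 sshd: Failed password for bob from 198.51.100.5
10:03:03 web1 sshd: Failed password for bob from 198.51.100.5
10:03:04 web1 sshd: Failed password for bob from 198.51.100.5
10:03:05 web1 sshd: Failed password for bob from 198.51.100.5
10:04:00 web1 httpd: GET /login 200
"""

# Signature based: pre-established patterns of known attacks (constructed).
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}

# Heuristic: failed logins per (user, minute) observed in earlier, normal minutes (constructed).
BASELINE_FAILURES_PER_MINUTE = [0, 1, 0, 0, 1, 0, 2, 0, 1, 0]

LINE = re.compile(r"^(?P<hh>\d\d):(?P<mm>\d\d):\d\d (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")

def parse(log: str):
    """Yield one dict per well-formed line: the named fields above plus 'minute'."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield {**m.groupdict(), "minute": f"{m['hh']}:{m['mm']}"}

def signature_alerts(log: str) -> list:
    """Every line matching a known pattern is an alert: (name, minute, message)."""
    alerts = []
    for rec in parse(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["msg"]):
                alerts.append((name, rec["minute"], rec["msg"]))
    return alerts

def anomaly_alerts(log: str, baseline=BASELINE_FAILURES_PER_MINUTE, k: float = 3.0) -> list:
    """Flag (user, minute, count) where count exceeds mean + k * stdev of the
    baseline.  k is the administrator's tuning knob from slide 201: lower it
    and false positives rise, raise it and false negatives rise."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter()
    for rec in parse(log):
        m = FAILED.search(rec["msg"])
        if m:
            counts[(m["user"], rec["minute"])] += 1
    return [(user, minute, n) for (user, minute), n in counts.items() if n > threshold]
```

The signature detector finds only what it has a pattern for, while the anomaly detector finds the burst of failures for `bob` without any pattern for password guessing, but it also depends entirely on the baseline and on `k`: with the constructed baseline the threshold is about 2.5 failures per minute, so raising `k` to 10 makes the same six failures disappear from the report.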
193
Stealth Mode
• Just like all security devices, something to worry about is whether the IDS can be compromised
• For a network IDS, the ideal setup is for the IDS to monitor one network and report results on another
• The IDS never sends packets on the network it monitors; it only listens
194
• It is also possible to put the IDS device on the network without publishing its address
• No traffic can be routed to it
• Just as a firewall is like a man-in-the-middle, the IDS functions as a sniffer
• Attackers cannot know for sure that it’s there and they have no way of getting at it
195
• Note the following idea:
• If the IDS were able to receive traffic, its performance could be degraded by a denial of service attack
• Also note the following:
• Nothing is perfect
• The IDS would be vulnerable through the other network where it reports alarms
196
Other IDS Types
• The tripwire program has characteristics of intrusion detection
• Tripwire computes a hash for all installed software
• If an intrusion is suspected, tripwire can be run again to see if the hashes come out differently
197
• Scanners such as ISS and Nessus can be run against a network to check for known vulnerabilities
• Honeypots are dual-purpose
• They divert attackers away from valuable systems
• They also provide an environment where intruders can be found
198
Goals for Intrusion Detection Systems
• The main point of interest in this subsection is the following:
• In addition to other techniques they may employ, IDS’s may filter and inspect packets
• In part, the IDS contains functionality like a firewall’s functionality, except that it’s internal
• It is trying to analyze what’s going on inside the system after users, both legitimate and possibly illegitimate, start doing things
199
Responding to Alarms
• There is an escalating scale of responses
• For minor events, they may simply be noted in a log
• For more significant, but not harmful, events, the activity of the intruder may be actively monitored
• For significant attacks, protective action may be taken to restrict access to an attacker
200
• This can range from blocking traffic from that source to taking a resource or system offline
• Such actions will notify attackers that you have discovered them
• In all cases, unless you’re the CIO, the option exists to notify higher authority and let them decide what to do
201
False Results
• Failures of systems of this type fall into two categories:
• Type I: False positives
• Type II: False negatives
• An administrator has to be aware of how the system works and try to tune it to give acceptable performance
202
7.6 Secure Email
• In general, secure email would be a good thing
• You would like to be assured of message confidentiality, message integrity, sender authenticity, and non-repudiation
• In general, email doesn’t have any of these characteristics
• On the other hand, the use of symmetric or asymmetric encryption can provide some of them
203
• There are two main problem areas:
• As soon as you start encrypting, you have to be able to exchange certificates/keys
• Also, you can encrypt the bodies of messages, but not the headers
• There are still security problems inherent in unprotected headers
204
Existing Standards/Systems
• If you want secure email then you will probably need to adopt a system
• For further information you could do research on PGP (Pretty Good Privacy) or S/MIME (Secure Multi-purpose Internet Mail Extensions)
205
7.7, 7.8, 7.9
• 7.7, Summary of Network Security
• 7.8, Terms and Concepts
• 7.9, Where the Field is Headed
206
The End