security lecture 4
TRANSCRIPT
Computer Security
Lecture 4: Security Mechanisms
Syed Naqvi
[email protected] (ieee.org)
15 November 2010 Lecture 4: Security Mechanisms 2
Physical Security
♦ Physical Security
– keep the machine physically secure
– ensure its connections to other machines are secure
– ensure its environment is workable, e.g. air conditioning is adequate
♦ Electromagnetic Threats
– consider computer system as a whole
– networking, peripherals, power supply
Physical Security
♦ Computers Operate as Systems
– only as strong as the weakest link
– highly dependent on networks
– all components in system must be functional
– power supply is an often overlooked weakness
♦ Must Deal with Threats Systemically
– treat computer system as a whole
– include its environment and its users
Physical Security
♦ Computer Room Security
– Locks on doors
– Access lists and escort policy
– Maintenance personnel access and monitoring
♦ Workstation Security
– Locks on workstations in public areas
– Positioning of viewable workstation screens in public areas
♦ Marking, storing, maintaining, and shipping electronic media
Layering of Security Mechanisms
[Figure: two hosts, Machine A and Machine B, each drawn as the same stack: Application / Middleware / OS Services / Transport / Network / Datalink / Physical, resting on the OS Kernel and the Hardware. The two stacks are joined by the network; the lower layers are labelled "low-level protocols" and the upper layers "high-level protocols". Security mechanisms can be placed at any of these layers on either machine.]
Malicious Code
♦ Set of instructions that causes a security policy to be violated
– Is an unintentional mistake that violates policy malicious code? (Was the user tricked into doing it?)
– What about “unwanted” code that doesn’t cause a security breach?
♦ Generally relies on “legal” operations
– Authorized user could perform operations without violating policy
– Malicious code “mimics” authorized user
Malicious Code
♦ Trojan Horse
– Tricks the user into executing malicious code
♦ Virus
– Spreads by making copies of itself from program to program or disk to disk
♦ Worm
– A program that travels independently over computer networks, seeking uninfected sites
♦ Logic/Time Bomb
– Set off when a specified condition is met
Trojan Horse
Trojan Horse
♦ Program with an overt (expected) and covert (unexpected) effect
– Appears normal/expected
– Covert effect violates security policy
♦ User tricked into executing Trojan horse
– Expects (and sees) overt behavior
– Covert effect performed with user’s authorization
♦ Trojan horse may replicate
– Create copy on execution
– Spread to other users/systems
Virus
♦ Self-replicating code
– A freely propagating Trojan horse
• some disagree that it is a Trojan horse
– Inserts itself into another file
• Alters normal code with “infected” version
♦ Operates when infected code executed
• If spread condition then
– For target files
• if not infected then alter to include virus
• Perform malicious action
• Execute normal program
Virus – Types
♦ Boot Sector Infectors
– Problem: How to ensure virus “carrier” is executed?
– Solution: Place in boot sector of disk
• Run on any boot
– Propagate by altering boot disk creation
• Less common now that few machines boot off floppies
♦ Executable infector
– Malicious code placed at beginning of legitimate program (.COM, .EXE files)
– Runs when application run
– Application then runs normally
♦ Multipartite virus: boot sector + executable infector
Virus – Types/Properties
♦ Terminate and Stay Resident
– Stays active in memory after application completes
– Allows infection of previously unknown files
• Trap calls that execute a program
– Can be boot sector infectors or executable infectors
♦ Stealth (an executable infector)
– Conceal infection
• Trap read to provide disinfected file
• Let execute call infected file
♦ Encrypted virus
• Prevents a static “signature” from detecting the virus
• Layout: [Deciphering routine, Enciphered virus code, Deciphering key]
♦ Polymorphism
• Change virus code to something equivalent each time it propagates
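The encrypted-virus layout above is what defeats a plain signature scanner. The following Go program is an added example, not code from the lecture: it builds an inert, constructed "virus body" (a text string, nothing executable), extracts a signature from it the way an anti-virus vendor would, and shows that a copy stored as [deciphering stub][XOR-enciphered body][key] no longer matches, while a scanner that emulates the deciphering step matches again. The single-byte XOR, the DECIPHER-STUB marker and the function names are this example's own simplifications.

```go
package main

import (
	"bytes"
	"fmt"
)

// payload is a constructed stand-in for the virus body. It is an inert text
// string, not executable code; the scanner treats it as opaque bytes.
var payload = []byte("CONSTRUCTED-VIRUS-BODY-v1")

// signature is what an anti-virus vendor would extract from a captured sample:
// a fixed byte pattern taken from the plain body (first 12 bytes here).
var signature = payload[:12]

// decipherStub marks where the (hypothetical) deciphering routine would sit in
// an encrypted copy; a real stub would be machine code.
var decipherStub = []byte("DECIPHER-STUB:")

// ScanForSignature is a plain signature scanner: does the file contain the pattern?
func ScanForSignature(file []byte) bool {
	return bytes.Contains(file, signature)
}

// InfectPlain models an ordinary executable infector: the body is prepended to
// the host program, so the host still runs after the body has executed.
func InfectPlain(host []byte) []byte {
	return append(append([]byte{}, payload...), host...)
}

// xorWithKey is the toy enciphering routine (a one-byte XOR is enough to show
// why the stored bytes stop matching a static signature).
func xorWithKey(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// InfectEncrypted lays the copy out as the slide describes:
// [deciphering routine][enciphered virus code][deciphering key][host].
// Each propagation picks a fresh key, so two copies differ byte for byte in
// the enciphered region, which is the polymorphism the slide refers to.
func InfectEncrypted(host []byte, key byte) []byte {
	out := append([]byte{}, decipherStub...)
	out = append(out, xorWithKey(payload, key)...)
	out = append(out, key)
	return append(out, host...)
}

// RecoverBody does what the deciphering routine does at run time, and what a
// scanner that emulates the stub would do: read the key and undo the XOR.
func RecoverBody(file []byte) []byte {
	start := len(decipherStub)
	end := start + len(payload)
	key := file[end]
	return xorWithKey(file[start:end], key)
}

func main() {
	host := []byte("constructed host program bytes")
	plain := InfectPlain(host)
	enc := InfectEncrypted(host, 0x5A)
	fmt.Println("plain copy matches signature:    ", ScanForSignature(plain))
	fmt.Println("encrypted copy matches signature:", ScanForSignature(enc))
	fmt.Println("after emulated decipher:         ", ScanForSignature(RecoverBody(enc)))
	fmt.Println("two copies identical:            ", bytes.Equal(enc, InfectEncrypted(host, 0x3C)))
}
```

The practical lesson is the one scanners drew in the 1990s: once the body is enciphered with a per-copy key, the only stable bytes are the deciphering routine itself, so detection has to target that routine (or emulate it and scan the result), which is exactly what full polymorphism then attacks by rewriting the routine too.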
Virus – Types/Properties
♦ Macro Virus
– Composed of a sequence of instructions that is interpreted rather than executed directly
– Infected “executable” isn’t machine code
• Relies on something “executed” inside application data
♦ Otherwise similar properties to other viruses
– Architecture-independent
– Application-dependent
Worm
♦ Replicates from one computer to another
– Self-replicating: No user action required
– Virus: User performs “normal” action
– Trojan horse: User tricked into performing action
♦ Communicates/spreads using standard protocols
Logic/Time Bomb
♦ Logic bombs are malicious code that causes some destructive activity when a specified condition is met
♦ Unlike viruses, logic bombs do their damage right away, then stop
♦ The trigger can be:
– a specific date
– the number of times the program has been executed
– a predefined event such as the deletion of a certain record
♦ May exist in the system for weeks or even months before it is detected or detonates
♦ The damage is not caused until the specified date arrives or the system has been booted a certain number of times
Operating System Security
♦ For an operating system to perform its intended tasks consistently and reliably, it must
– protect itself from tampering from users
– be able to prevent users from tampering with the programs of other users
– be able to safeguard users’ applications from accidental corruption
– be able to safeguard its own programs from accidental corruption
– be able to protect itself from power failures or other disasters
Operating System Security
♦ Formalized procedures for software acquisition
♦ Security clearances of prospective employees
♦ Formal acknowledgment by users of their responsibilities to the company
♦ Security group to monitor security violations
♦ Formal policy for taking disciplinary action against security violators
♦ Use of one-time passwords
UNIX Security: Best Practices
♦ pick password carefully, avoid
– dictionary words
– names
– simple modifications of the above
♦ change password periodically
♦ don't let people watch login
♦ lock display when unattended
♦ log off when leaving
♦ never ever give out password
– even the sys-admin should never need it
UNIX Security: Best Practices
♦ Remote access needs username/password
♦ Potential vulnerability depends on network path connection flows through
♦ Many connections pass plain text
– telnet particularly bad, rlogin/ftp bad too
♦ SSH encrypts data on network
– slogin for logins
– scp for file transfer
Windows Security: Best Practices
♦ Perform real-world risk assessment
♦ Develop a security policy
♦ Plan an incident response
♦ Block or disable everything that is not explicitly allowed
♦ Always set a strong password and change it often
♦ Install patches in a timely manner
♦ Use least privilege when authorizing access
♦ Limit trust
♦ Monitor, log, and audit
♦ Formulate and implement a security policy throughout the organization
♦ Users need to understand and follow the policy
♦ Educate users about their responsibilities
Windows Security: Best Practices
♦ Limit access of unauthorized personnel
♦ Use key-card access systems
♦ Monitor computers: files can be modified or hardware tampered with
♦ Keep servers in a locked location
♦ Disable floppy and CD-ROM based boot
♦ Remove unneeded network cards
♦ Remove unneeded modems
♦ Lock computer case and store key separately
Web Services
♦ The Web was designed for application-to-human interaction
♦ Web services are an effort to build a distributed computing platform on top of the Web
♦ Web service applications are encapsulated, loosely coupled Web “components” that can bind dynamically to each other
Web Services Security – 1G
[Figure: first-generation protocol stack: Hypertext Transfer Protocol over SSL (HTTPS), on top of the Secure Sockets Layer protocol (SSL), on top of the Transmission Control Protocol (TCP); SSL itself is built from symmetric crypto algorithms and a key-exchange algorithm.]
♦ The TCP protocol provides reliable communication between the requestor and the WS-provider, carrying the HTTP(S) exchange above it
♦ The SSL protocol provides secure communication between the requestor and the WS-provider, using symmetric crypto algorithms for the data and a key-exchange algorithm to establish the session key
Web Services Security – 2G
[Figure: second-generation stack: WS-SecureConversation on top of WS-Security on top of the Simple Object Access Protocol (SOAP).]
Web Services Security – 2G
♦ The SOAP protocol provides a loosely-coupled, language-neutral, platform-independent way of linking applications across the Internet
– Remote procedure calls (RPC SOAP)
– Messaging between applications (document-based SOAP)
♦ The WS-Security specification protects sensitive data by
– encrypting and signing them
– enclosing them in XML form in SOAP messages
♦ The WS-SecureConversation specification is a message-level security protocol (similar in purpose to SSL, but applied to the SOAP message rather than the transport)
– uses WS-Security to achieve confidentiality, authenticity and integrity
– uses the WS-Policy and WS-Trust specifications to achieve authorization and access control
Domain Name System (DNS)
♦ Virtually every application uses the Domain Name System (DNS).
♦ DNS database maps:
– Name to IP address
www.darpa.mil = 128.9.176.20
– And many other mappings (mail servers, IPv6, reverse…)
♦ Data organized as a tree structure.
– Each zone is authoritative for its local data.
[Figure: DNS tree: Root → edu, mil, com; edu → isi; mil → darpa, usmc; com → cisco; darpa → nge; usmc → quantico.]
DNS Query & Response
[Figure: the end-user asks the caching DNS server “www.darpa.mil A?”; the caching server walks the hierarchy (root DNS server → mil DNS server → darpa.mil DNS server) and returns “www.darpa.mil A 128.9.128.127” to the end-user.]
Actually www.darpa.mil = 192.5.18.195. But how could this be determined?
DNS Vulnerabilities
♦ Original DNS design focused on data availability
– DNS zone data is replicated at multiple servers.
– A DNS zone works as long as one server is available.
• DDoS attacks against the root must take out 13 root servers.
♦ But the DNS design included no authentication.
– Any DNS response is generally believed.
– No attempt to distinguish valid data from invalid.
• Just one false root server could disrupt the entire DNS.
A Simple DNS Attack
[Figure: Doug’s laptop sends “www.darpa.mil A?” to the caching DNS server, which resolves it via the root, mil and darpa.mil DNS servers. Dan’s laptop, sitting on the same network path, sees the query go by and sends its own reply “www.darpa.mil A 128.9.128.127” before the genuine “www.darpa.mil A 192.5.18.19” answer arrives.]
It is easy to observe a UDP DNS query sent to a well-known server on a well-known port.
First response wins. The second response is silently dropped on the floor.
A More Complex Attack
[Figure: a remote attacker causes any DARPA computer to look up www.attacker.com, so the DARPA caching server queries ns.attacker.com, which responds with:
www.attacker.com A 128.9.128.127
attacker.com NS ns.attacker.com
attacker.com NS www.google.com
ns.attacker.com A 128.9.128.2
www.google.com A 128.9.128.127
The caching server stores everything in the response. When any DARPA computer later queries www.google.com, the cache answers www.google.com = 128.9.128.127.]
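Both attacks above succeed because the resolver in the slides believes whatever datagram arrives first. The Go program below is an added example (not the lecture's code, and not any real resolver's) of the two checks a caching server applies before storing anything: the transaction ID and question must match the outstanding query, and every record must lie inside the bailiwick of the server that was asked, so an answer from attacker.com cannot plant a www.google.com address. The response data is the constructed attacker.com reply from the slide; the query ID 0x1234, the Accept/Unchecked function names and the simplified record model are this example's own assumptions. Note that the ID check alone does nothing against Dan's laptop in the simple attack, which saw the ID on the wire; that case needs source authentication (next slides).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RR is a minimal resource record: owner name, type, and RDATA as text.
type RR struct {
	Name, Type, Data string
}

// Query is what the caching server sent: transaction ID plus the question.
type Query struct {
	ID   uint16
	Name string
	Type string
}

// Response is what came back on the UDP socket, split into its three sections.
type Response struct {
	ID         uint16
	QName      string
	QType      string
	Answer     []RR
	Authority  []RR
	Additional []RR
}

// ErrNotOurs means the response does not correspond to the query we sent.
var ErrNotOurs = errors.New("response does not match outstanding query")

func eqName(a, b string) bool {
	return strings.EqualFold(strings.TrimSuffix(a, "."), strings.TrimSuffix(b, "."))
}

// inBailiwick reports whether name is zone itself or lies below it.
func inBailiwick(name, zone string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	z := strings.ToLower(strings.TrimSuffix(zone, "."))
	return n == z || strings.HasSuffix(n, "."+z)
}

// Accept applies the two checks before anything is cached:
//  1. the transaction ID and question section match the query we sent;
//  2. each record's owner name is inside the bailiwick of the server we asked
//     (zone), so a server answering for attacker.com cannot plant www.google.com.
// It returns the records that survive, or ErrNotOurs if the reply is not ours.
func Accept(q Query, r Response, zone string) ([]RR, error) {
	if r.ID != q.ID || !eqName(r.QName, q.Name) || !strings.EqualFold(r.QType, q.Type) {
		return nil, ErrNotOurs
	}
	var kept []RR
	for _, section := range [][]RR{r.Answer, r.Authority, r.Additional} {
		for _, rr := range section {
			if inBailiwick(rr.Name, zone) {
				kept = append(kept, rr)
			}
		}
	}
	return kept, nil
}

// Unchecked models the resolver in the slides: the first datagram with the
// right ID wins and everything in it is cached, glue included.
func Unchecked(q Query, responses []Response) []RR {
	for _, r := range responses {
		if r.ID == q.ID {
			var all []RR
			all = append(all, r.Answer...)
			all = append(all, r.Authority...)
			all = append(all, r.Additional...)
			return all
		}
	}
	return nil
}

// SlideResponse reconstructs the attacker.com reply shown in the figure.
func SlideResponse(id uint16) Response {
	return Response{
		ID: id, QName: "www.attacker.com", QType: "A",
		Answer:     []RR{{"www.attacker.com", "A", "128.9.128.127"}},
		Authority:  []RR{{"attacker.com", "NS", "ns.attacker.com"}, {"attacker.com", "NS", "www.google.com"}},
		Additional: []RR{{"ns.attacker.com", "A", "128.9.128.2"}, {"www.google.com", "A", "128.9.128.127"}},
	}
}

func main() {
	q := Query{ID: 0x1234, Name: "www.attacker.com", Type: "A"}
	resp := SlideResponse(0x1234)
	fmt.Println("unchecked resolver caches", len(Unchecked(q, []Response{resp})), "records")
	kept, err := Accept(q, resp, "attacker.com")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for _, rr := range kept {
		fmt.Printf("cached: %-18s %-3s %s\n", rr.Name, rr.Type, rr.Data)
	}
}
```

The NS record "attacker.com NS www.google.com" is kept, because its owner is attacker.com and a zone may legitimately delegate to a name server outside itself; what is dropped is the address record for www.google.com, which attacker.com has no authority to assert. A real resolver would fetch that address from the google.com servers when it needs it.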
The Problem with DNS …
♦ The resolver cannot distinguish between valid and invalid data in a response.
♦ The idea is to add source authentication
– Verify the data received in a response is equal to the data entered by the zone administrator.
– Must work across caches and views.
– Must maintain a working DNS for old clients.
A Solution …
♦ Each DNS zone signs its data using a private key.
– Recommend signing done offline in advance
♦ Query for a particular record returns:
– The requested resource record set.
– A signature (SIG) of the requested resource record set.
♦ Resolver authenticates response using public key.
– Public key is pre-configured or learned via a sequence of key records in the DNS hierarchy.
Secure DNS Query & Response
[Figure: the end-user asks the caching DNS server for www.darpa.mil; the authoritative DNS servers return www.darpa.mil = 192.5.18.195 plus an (RSA) signature by darpa.mil. An attacker cannot forge this answer without the darpa.mil private key.]
The IETF DNS Security Extensions (DNSSEC) define the process for including signatures and keys in DNS.
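The signing and verification steps from the two slides above, as an added Go example (not the lecture's code and not a DNSSEC implementation). The zone signs the whole resource record set offline with its private key; the resolver, holding the zone's public key, verifies the signature; an attacker who substitutes 128.9.128.127 fails whether it reuses the genuine signature or signs with its own key. The slide says RSA; this example uses Ed25519 from Go's standard library, which is also one of the signature algorithms DNSSEC defines (RFC 8080). The text-based canonical form of the RRset and the Demo/SignRRset/VerifyRRset names are this example's own simplifications standing in for DNSSEC's wire-format canonical ordering and RRSIG record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a resource record as the zone file holds it (owner, type, RDATA).
type RR struct {
	Name, Type, Data string
}

// canonicalRRset builds the bytes that get signed. The signature covers the
// whole set (owner, type and every RDATA, sorted), so it does not depend on
// the order records arrive in and cannot be reused for a different name or
// type. DNSSEC proper uses wire-format canonical ordering; this text form is
// a stand-in for it.
func canonicalRRset(rrs []RR) []byte {
	datas := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		datas = append(datas, rr.Data)
	}
	sort.Strings(datas)
	owner := strings.ToLower(strings.TrimSuffix(rrs[0].Name, "."))
	return []byte(owner + "|" + strings.ToUpper(rrs[0].Type) + "|" + strings.Join(datas, "|"))
}

// SignRRset is the zone administrator's offline step with the private key.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonicalRRset(rrs))
}

// VerifyRRset is the resolver's step with the zone's public key (DNSKEY),
// which it was pre-configured with or learned through the key chain.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

// Demo runs the slide's scenario: darpa.mil signs its A record offline, the
// resolver verifies it, then an attacker substitutes its own address and
// (a) keeps the genuine signature, (b) signs with its own key. It returns the
// three verification outcomes in that order.
func Demo() (bool, bool, bool, error) {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed data: the genuine record from the slide.
	genuine := []RR{{"www.darpa.mil", "A", "192.5.18.195"}}
	sig := SignRRset(zonePriv, genuine)
	genuineOK := VerifyRRset(zonePub, genuine, sig)

	// The attacker's substitution, with the genuine signature replayed...
	forged := []RR{{"www.darpa.mil", "A", "128.9.128.127"}}
	forgedDataOK := VerifyRRset(zonePub, forged, sig)
	// ...and with a signature made under a key the resolver does not trust.
	forgedKeyOK := VerifyRRset(zonePub, forged, SignRRset(attackerPriv, forged))
	return genuineOK, forgedDataOK, forgedKeyOK, nil
}

func main() {
	genuineOK, forgedDataOK, forgedKeyOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine answer verifies:              ", genuineOK)
	fmt.Println("forged address, genuine signature:    ", forgedDataOK)
	fmt.Println("forged address, attacker's signature: ", forgedKeyOK)
}
```

Everything here hinges on how the resolver obtained zonePub: if it simply accepted a key record from the same untrusted response, the attacker would ship its own key alongside its forged answer. That is why the slide insists the public key be pre-configured or reached through a chain of key records from a trusted anchor.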
Firewalls
♦ Firewalls are used to prevent intruders on the Internet from gaining unauthorized access to your network or mounting denial of service attacks against it.
♦ A firewall is a router, gateway, or special purpose computer that examines packets flowing into and out of the organization’s network (usually via the Internet or corporate Intranet), restricting access to that network.
♦ The two main types of firewalls are packet-level firewalls and application-level firewalls.
Packet Level Firewalls
♦ A packet-level firewall (or packet filter) examines the source and destination address of packets that pass through it, only allowing packets that have acceptable addresses to pass.
♦ Since each packet is examined separately, the firewall can’t understand what the sender’s goal is.
♦ Packet filters may be vulnerable to IP spoofing, accomplished by changing the source address on incoming packets from their real address to an address inside the organization’s network.
♦ While packet filters have strengthened their security since the first cases of IP spoofing, IP spoofing remains a problem.
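The spoofing weakness above has a standard answer: the filter must look at which interface a packet arrived on, not just at its addresses. The Go program below is an added example (not the lecture's code and not any vendor's firewall) of a stateless packet filter with that ingress/egress anti-spoofing check in front of the usual port rules. The address block 10.1.0.0/16, the "outside"/"inside" interface names, the sample packets and the Filter/Decide API are this example's own constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is the part of an IP/TCP header a packet filter looks at, plus the
// interface it arrived on. All sample packets below are constructed.
type Packet struct {
	Iface   string // "outside" (Internet-facing) or "inside"
	Src     net.IP
	Dst     net.IP
	DstPort int
}

// Filter holds the organisation's address block and the inbound destination
// ports that are explicitly allowed; everything else inbound is dropped.
type Filter struct {
	internal     *net.IPNet
	allowedPorts map[int]bool
}

// NewFilter parses the internal block and records the permitted inbound ports.
func NewFilter(internalCIDR string, inboundPorts ...int) (*Filter, error) {
	_, block, err := net.ParseCIDR(internalCIDR)
	if err != nil {
		return nil, err
	}
	f := &Filter{internal: block, allowedPorts: map[int]bool{}}
	for _, p := range inboundPorts {
		f.allowedPorts[p] = true
	}
	return f, nil
}

// Decide returns the verdict and the rule that produced it. Order matters:
//  1. anti-spoofing: a packet on the outside interface whose source claims to
//     be inside the organisation is forged (the slide's IP-spoofing case);
//  2. the mirror check on the inside interface stops internal hosts from
//     sending packets with foreign source addresses;
//  3. inbound traffic may only go to our addresses and to allowed ports;
//  4. outbound traffic from internal addresses is allowed.
func (f *Filter) Decide(p Packet) (allow bool, rule string) {
	srcInside := f.internal.Contains(p.Src)
	switch p.Iface {
	case "outside":
		if srcInside {
			return false, "drop: spoofed internal source on outside interface"
		}
		if !f.internal.Contains(p.Dst) {
			return false, "drop: inbound packet not addressed to our network"
		}
		if f.allowedPorts[p.DstPort] {
			return true, "allow: inbound to permitted port"
		}
		return false, "drop: inbound port not explicitly allowed"
	case "inside":
		if !srcInside {
			return false, "drop: outbound packet with foreign source address"
		}
		return true, "allow: outbound from internal host"
	}
	return false, "drop: unknown interface"
}

func main() {
	f, err := NewFilter("10.1.0.0/16", 80, 443)
	if err != nil {
		panic(err)
	}
	samples := []Packet{
		{"outside", net.ParseIP("10.1.2.3"), net.ParseIP("10.1.0.10"), 443},    // spoofed
		{"outside", net.ParseIP("203.0.113.5"), net.ParseIP("10.1.0.10"), 443}, // legitimate HTTPS
		{"outside", net.ParseIP("203.0.113.5"), net.ParseIP("10.1.0.10"), 23},  // telnet, not allowed
		{"inside", net.ParseIP("10.1.2.3"), net.ParseIP("203.0.113.5"), 80},    // normal egress
	}
	for _, p := range samples {
		ok, why := f.Decide(p)
		fmt.Printf("%-7s %-12s -> %-12s:%-4d %-5v (%s)\n", p.Iface, p.Src, p.Dst, p.DstPort, ok, why)
	}
}
```

This is still a stateless filter, so it cannot tell a reply from a fresh connection attempt or judge the sender's intent, which is the limitation the slide points to and the reason stateful and application-level firewalls exist.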
Application Level Firewalls
♦ An application level firewall or application gateway acts as an intermediate host computer, separating a private network from the rest of the Internet, but it works on specific applications, such as Web site access.
♦ The application gateway acts as an intermediary between the outside client making the request and the destination server responding to that request, hiding individual computers on the network behind the firewall.
♦ Because of the increased complexity of what they do, application level firewalls require more processing power than packet filters which can impact network performance.
Demilitarized Zone (DMZ)
♦ The DMZ (demilitarized zone) sits between the perimeter network and the internal network. It is separated by firewalls on both sides. It contains:
– Internet Information Server (IIS), which provides the core Web services and communicates with Internet clients using HTTP and HTTPS.
– DNS (Domain Name System) services.
– All servers in the DMZ can also communicate with the internal network (through the inner firewall).
♦ The DMZ and its firewalls control access to the internal network segments; this increases the security of the internal network when a hacker compromises a Web server.
DMZ in a Network …
Virtual Private Network (VPN)
Virtual private networks (VPN) provide an encrypted connection between a user's distributed sites over a public network (e.g., the Internet). By contrast, a private network uses dedicated circuits and possibly encryption.
Benefits of VPN
Traditional Private Networks:
♦ High fixed cost
♦ Low variable costs (with respect to varying capacity)
♦ A collection of VPNs sharing a common communication channel is cheaper to build than the equivalent collection of smaller physically discrete networks.
Requirements for VPN
♦ Opaque packet transport
– VPN traffic has no relation to the rest of the IP backbone traffic
– VPN may use private IP addresses
♦ Data security
– By the customer (firewall + encryption)
– Secure managed VPN service by providers
♦ Quality of service
– Leased and dial-up lines provide guarantees on bandwidth and latency
♦ Tunneling mechanism
– A way to implement opaque transport and security
VPN Types
♦ Remote Access VPN
♦ Intranet VPN
♦ Extranet VPN
Remote Access VPN
Intranet VPN
Extranet VPN
VPN – Pros & Cons
♦ Advantages:
– Greater scalability
– Easy to add/remove users
– Reduced long-distance telecommunications costs
– Mobility
– Security
♦ Disadvantages:
– Lack of standards
– Understanding of security issues
– Unpredictable Internet traffic
– Difficult to accommodate products from different vendors
Now some practice …
♦ Divide yourselves into 2 groups.
♦ Each group is required to prepare a set of security mechanisms for a newly established SME of 10 persons:
– 1 General Manager
– 1 Administrative Secretary
– 1 Business Manager
– 2 IT Managers
– 5 Developers
♦ Each group has to present its solution.
♦ The other group will identify the shortcomings of, and critique, the plan.