COSC 316 COMPUTER HOSTS SECURITY

1
COSC 316 COMPUTER HOSTS SECURITY

• SOUNDARARAJAN EZEKIEL
• COMPUTER SCIENCE DEPARTMENT
• INDIANA UNIVERSITY OF PENNYLVANIA
• INDIANA, PA 15705

2
Part III Network and Internet Security Chapter
11 TCP/IP Networks

• We will talk about
• Networking Describe local and wide area network-
  how network service can be effectively secured so
  that you can take advantage of the opportunities
  while reducing exposure to the risks
• IP the Internet Protocol
• IP Security

3
Chapter 11 Networking

• Local and Wide area network have changed the
  landscape of computing forever
• Network allow people to communicate across a room
  or around the globe
• Share resource printer, disk drives
• Network is part of our life
• Also share security problem
• Network used to attack many organization/
  institutions/ gov.
• Every benefit network created and the same time
  it created risks

4
HISTORY

• http//www.zakon.org/robert/internet/timeline/
• 1967 ARPANET design discussions held by Larry
  Roberts at ARPA IPTO PI meeting in Ann Arbor,
  Michigan (April)
• ARPANET commissioned by DoD for research into
  networking
• Nodes are stood up as BBN builds each IMP
  Honeywell DDP-516 mini computer with 12K of
  memory ATT provides 50kbps lines
• Node 1 UCLA (30 August, hooked up 2 September)
• Function Network Measurement Center
• System,OS SDS SIGMA 7, SEX
• Diagram of the first host to IMP connection
• Node 2 Stanford Research Institute (SRI) (1
  October)
• Network Information Center (NIC)
• SDS940/Genie
• Doug Engelbart's project on "Augmentation of
  Human Intellect"
• Node 3 University of California Santa Barbara
  (UCSB) (1 November)
• Culler-Fried Interactive Mathematics
• IBM 360/75, OS/MVT
• Node 4 University of Utah (December)
• Graphics

5

First host
4 nodes
6
Continue

• Network divided into 2 types
• LAN Local Area Network uses Ethernet
• WAN Wide Area network
• MAN metropolitan area network
• Topology
• physical layout of resources
• how resources communicate
• allow for expansion
• meet security requirements
• Three basic connection topologies
• Bus - Single cable segment
• Star - Central connection point
• Ring - Forming a loop
• Three variations or combinations
• Mesh
• Star bus
• Star ring

7
Star
Bus
8
BUS

• Bus Topology
• Bus Communication
• How the signal is sent
• Signal bounce
• Cable termination to prevent bounce
• Bus Environment
• One computer sends at a time
• Passive topology
• only listen for data
• Adding computers slows network
• Cable failure downs entire network
• Signal Bounce
• Occurs when cable ends are not terminated
• Other computers cannot send data

9
BUS

• Cable Termination
• A terminator is attached to each end
• Prevents signals from bouncing
• Cable Failure
• Cable break
• Cable is physically cut
• One end becomes disconnected
• Halts all network activity
• Computers can still function standalone
• Bus Network Expansion
• Ethernet 10Base2 (thinnet)
• Expanded by BNC barrel connector
• Distance causes signal to weaken
• attenuation
• A repeater boost signal strength
• amplifies errors

10
STAR

• Star Topology
• Star Environment
• Central connection point
• hub or concentrator
• each device has separate wire
• home run
• More cable required
• Cable failure is device isolated
• except for hub
• Ring Topology
• Ring Environment
• Device connects to next in line
• Circle of cable
• Device receives signal
• acts on signal or
• passes signal along
• Signals travel in only one direction

11
RING

• Token Passing
• Active topology
• each device receives/sends
• Packet of data is passed around ring
• receipt of token is acknowledged
• Single ring/dual ring
• Fair sharing of network resources
• Hubs
•  Hub Environment
• Also known as concentrator
• Star network
• Central point of connection
• Active hubs
• Passive hubs

12
HUBS

• Active Hubs
• Majority of installed hubs today
• Receive, regenerate, pass on signals
• Have many ports (8 or more)
• Multiport repeaters
• Electrical power required
•  Passive Hubs
• Central connection point
• Wiring panel
• Punch down block
• Passes along signals
• No electrical power required
•  Hybrid Hubs Switches
• Connect different cable types
• Maximize network efficiency
• Utilize different topologies
• Enjoy the benefits of each topology

13
HYBRID

• Mesh Topology
• Every device interconnected
• Most expensive
• Most Fault tolerant
• Cable fault tolerant
• Device fault tolerant
• Star Bus Environment
• Star hubs
• Interconnected on a bus backbone
• Device failure minimized
• Hub failure affects only that star
• Star Ring Topology
• Network wired as star
• Network traffic handled as ring
• Failure limited to single device
• Individual machine backups
• Outer hubs can be connected to inner ring

14
MESH TOPOLOGY
STAR BUS
15
Who is on the internet

• Initially few researchers
• Now days no one knows attackers in Netherlands
  broken system in Australia, connected through
  Australian computer in South Africa, and
  connected through South African computer to New
  York University and use NY as a base to attack
  many places in US it is called network weaving
  or connection laundering
• You cannot do any thing some time that country
  will not consider it is a crime

16
Networking and Unix

• Unix both benefited and contributed to networking
• Berkeleys 4.2 in 1983 provided a straightforward
  and reasonably reliable implementation of the IP
• Unix has many network services
• Remote virtual terminals telnet
• Remote file services- ftp
• Information service http
• Electronic mail
• Electronic directory service finger, whois
• Date and time
• Remote procedure

17
IP The Internet Protocol

• IP is the glue that holds together modern
  computer network
• We will talk about IPv4 the fourth version of
  Internet Protocol which has been used for on the
  internet since 1982 now we have IPv6
• Data is sent in blocks of characters called
  datagram or packets each packet has a small
  block of bytes called the header which
  identifies the sender and intended destination
  on each computer
• Followed by header there is a huge data is
  called content

18
Modems and Security

19
IP

• Packet may take different path because Internet
  switch packets not circuits it is called packet
  switching network
• There are 4 distinct ways to directly connect two
  computers using IP
• 2 computers can all be connected to same LAN
• 2 computers can be directly connected to each
  other with a serial line
• 2 computers can be connected through router
• The IP packets can themselves be encapsulated
  within packets used by other network protocol by
  ATM Asynchronous Transfer Mode network

20
Internet Address

• IPv4 32 bit address set of four 8-bit numbers
  called octets
• Sample address 18. 70. 0. 224
• Each number is between 0-255 this notation is
  called dotted quad -- typically abbreviated
  ii.jj.kk.ll
• Theoretically 232 4, 294, 976, 296
• http//en.wikipedia.org/wiki/IPv6
• IPv6 supports 3.41038 addresses, or 51028(50
  octillion) for each of the roughly 6.5 billion
  people alive today.

21
IP networks

• Internet is a network of network
• Each network is given its own network number
• There are 2 methods of looking at network numbers
• Classical network addresses
• There are 5 primary kinds of IP address in the
  classical address scheme the first few bits of
  the address ( the msb ) define the class of
  network to which the address belongs the
  remaining bits are divided into a network part
  and host part
• Class A addresses
• Host on class A network have addresses in the
  form N.a.b.c -- N network address--- a.b.c.
  Is the host numbers the most significant bit of
  N must be 0
• Most of the class A network divide their internal
  network as class B, C network it is called
  subnetting

22
Classical network

• Class B addresses-N.M.a.b N.M is the network
  numbers and a.b is the host n umbers, MSB of N is
  10 major universities and major organizations
• Class C addresses- N.M.O.a , N.M.O is network
  number a is host numbers MSB of N is 110 max
  245 hosts most organization
• Class D addresses- N.M.O.a, most significant
  bit is 1110 not actually of networks but of
  multicast groups
• Class E addresses- N.M.O.P msb of N is 1111
  reserved for experimental use

23
CIDR addresses

• CIDR- Classless InterDomain Routing- Address of
  the form k.j.l.( m..n) no classes networks
  are defined as being the most significant k bits
  of each address, with remaining 32-k given a
  range of addresses whereby the first 14 bit of
  the address are fixed at a particular value,
  and the remaining 18 bits represent the portion
  of the address available to allocate to hosts
• CIDR scheme is compatible with the classical
  address format with class A, with 8 bit, B with
  16 bit . Ex. 10.0.0.0/8, 192.168.0.0/16

24
Routing

• Despite the complexity of the internet and IP
  addressing, computers can easily send each other
  messages across the global network.
• To send packet most computers simply set the
  packets destination address and then send the
  packet to a computer on their local network
  called gateway. -- if the gateway makes a
  determination of where to send the packet next,
  the gateway is router. The router takes care of
  sending the packet to its final destination by
  forwarding the packet to a directly connected
  gateway that is one step closer to the
  destination host.

25
Host Name

• Hostname is the name of a computer on the
  internet.
• Host names make life easier for user - they are
  easier to remember than IP address.
• A single hostname can have more than one IP
  address, and a single IP address can be
  associated with more than one host name.
• Sample host name cosc.iup.edu
• Internet adopted a distributed system for
  hostname resolution known as the Domain Name
  System (DNS)

26
Packets and protocols

• Protocols rules
• ICMP- Internet Control message protocol-- used
  for low level operations of the IP protocol
• TCP- Transmission Control Protocol creates 2 way
  connection between 2 computers
• UDP- User Datagram Protocol- send packet to host
  to host
• IGMP- Internet Group Management Protocol- control
  multicasting
• For more details read the enclosed chapter

27
ICMP

• Internet Control Message protocol (ICMP) is used
  to send messages between gateways and hosts
  regarding the low-level operations of the
  internet.
• Example ping command uses ICMP echo packets to
  test for network connectivity, the response to an
  echo packet is usually either can ICMP Echo reply
  or an ICMP destination unreachable message type
• Each ICMP packet contains a header that include
  the following information
• Host address of the packets source- 32 bit
• Host address of packet destination-32 bits
• Packet type 8 bit

28
ICMP

• Typical ICMP packet types
• 0 - for echo reply
• 3 destination unreachable
• 4 source quench
• 5 redirect
• 8,9,10,11,12,13,14,15,16,17,18.
• Most important types are 3,4 and 5
• An attacker can use this to redirect, denial of
  service
• Other types present less risk
• If you use firewall, you can safely block
  incoming packet types 5, 13, 14, 17 18 and
  outgoing types 5, 11, 12, 13, 14, 17 18

29
TCP

• TCP provides a reliable, ordered, 2-way
  transmission stream between 2 programs that are
  running on the same or different computers
• Reliable means guaranteed to reach its
  destination
• Each TCP connection is attached at each end to a
  port ports are identified by 16-bit numbers
• Some well known port 80 for HTTP servers and port
  25 for SMTP
• TCP packets are IP packets that include an
  additional TCP header. This header contains among
  other things
• TCP port number of the packets source
• TCP number of the packets destination
• Sequence information, so that the receiver can
  correctly assemble the information in this TCP
  packets to its correct point in the TCP stream
• Flow control information
• TCP checksum

30
TCP

• At any instant , every IPv4 connection on the
  internet can be identified by a set of two 32-bit
  numbers and two 16- bit numbers
• Host address of the connections originator( from
  the IP header)
• Port number of the connections originator ( from
  the TCP header)
• Host address of the connections target ( from IP
  header)
• Port number of the connections target ( from the
  TCP header)
• TCP protocol uses 2 special bits in the packet
  header SYN and ACK

31
TCP

• TCP 3-way handshake - to open TCP connection,
  the requesting host sends a packet that has the
  SYN bit set but not have ACK bit set- the
  receiving host acknowledge the request by sending
  back a packet that has both the aSYN and the ACK
  bit set. Finally, the originating host send a
  third packet, again with the ACK bit set, but
  this time with the SYN bit unset
• TCP is used for HTTP ( hypertext transfer
  protocol) , remote terminal service, file
  transfer, and electronic mail. Also used for
  sending commands to display using the X window
  system

32
TCP

• Some Common TCP services and ports

79, 80, 110, 111, 113, 119, 143, 443, 512, 513,
514, 515, 1080, 2049, 6000-6010
33
UDP

• UDP
• The user datagram protocol provides simple,
  unreliable system for sending packets of data
  between two or more programs running on the same
  or different computer
• Unreliable means the OS does not guarantee that
  every packet sent will be delivered or that
  packets will be delivered in order.
• Client and Servers Internet is based on the
  client/server models programs called clients
  initiate connection over the network to other
  program called servers, which wait for the
  connections to be made.

34
Name Service

• Early days of internet, a single /etc/hosts file
  contained the address and name of each computer
  on the internet.
• But as the file grew to contained thousands of
  lines and as changes to the list of names ( name
  space) started being made on a daily basis, a
  single /etc/hosts file soon become impossible to
  main.
• Instead, the internet developed a distributed
  network-based naming service called the Domain
  Name Service (DNS).

35
DNS under Unix

• DNS under Unix
• The reference Unix implementation of DNS is named
  BIND
• It was originally written at the University of
  California at Berkeley and now maintained by the
  internet Software Consortium (ISC)
• This implementation is based on 3 parts- a
  library for the client side and 2 programs for
  the server
• Resolver client server
• Named ( in.named)
• Named-xfer

36
Other Naming Services

• In addition to DNS, there are at least 4
  vendor-specific system for providing name
  service and other information to networked
  workstations
• NIS and NIS -- Sun Microsystems originally
  called yellow pages it is like data base
  NIS totally rewritten of NIS
• NetInfo ( Apple Inc) similar to NIS
• DCE ( Open Software Foundations)
• Another system used to provide information is
  the LDAP directory service.
• Some of these will be described in chapter 14

37
IP Security

• Computer on the Internet have been subject to
  many different attackers
• Password-guessing attacks
• Social Engineering Attack
• Server vulnerability attack
• Network sniffers
• IP spoofing attacks
• Connection hijacking
• Data spoofing
• Denial of service attacks
• Distributed denial of service attacks

38
Reasons

• There are several reasons for this apparent
  failure
• IP is not sufficiently resilient to attack
• IP was not designed to provide security
• IP is an evolving protocol
• Several techniques for IP security
• Using encryption to protect against eavesdropping
• There are several places to encrypt
• Link-level-encryption
• End-to-end encryption
• Application-level encryption

39
Reasons

• Hardening OS and application against attacks
• This process involves inspecting, testing and
  frequently modifying the network stack, clients,
  and serves
• Some attacks
• X window attack
• Ping of death
• SYN flood attack
• Physically isolating vulnerable system from
  attackers
• Isolate with no firewall, modems or other forms
  of remote access allowed

40
Continue

• Employing system in the path of potentially
  hostile network traffic to screen connections to
  deny or redirect malicious traffic these are
  known as firewalls
• Developing advanced systems for authentication
  that do not rely on IP address or hostnames
• Some attacks-
• Client flooding
• Bogus nameserver cache poisoning
• Rouge DNS server

41
Continue

• Deploying decoy system to detect attacks that are
  in progress and to distract attackers from more
  valuable system
• Often these systems are build with known
  vulnerabilities to increase their likelihood of
  attacks
• Decoy system, sometime called honeypots have 2
  primary advantages
• Because they are closely monitored, decoy system
  can be used to learn about attackers. can
  reveal attackers location, techniques,
  motivations, skill level, objectives, etc
• If a decoy system is sufficiently rich and
  compelling, exploring that system might consume
  so much of the attackers time that the attacker
  will not have the time to attack system that you
  actually care about

42
Conclusion

• Connecting to a network opens up a whole new set
  of security considerations above and beyond those
  of protecting accounts and files
• Various forms of network protocols, servers,
  clients, routers and other network components
  complicate the picture.