Title: Computer Systems Security: Security in Networks
1 Computer Systems Security: Security in Networks
- Topic 1
- Pirooz Saeidi
- Source: Pfleeger, Chapter 7
2 Security in Networks: Agenda
We will first address
- The basics of network design, development and usage
- How networks differ from and are similar to stand-alone applications and environments
- Threats against networked applications, including
  - Denial of service
  - Web site defacements
  - Malicious mobile code
  - Protocol attacks
3 Security in Networks: Agenda
We will then look at
- Controls against attacks
  - Physical security
  - Policies and procedures
  - A range of technical errors
  - Tools
- Firewalls: design, capabilities and limitations
- Intrusion Detection Systems
- Secure e-mail
4 Terminology
- Single point of failure, fault tolerance
- Topology
- Media
- Analog/digital
- Protocols
- LAN/WAN
- Internet
- Distributed System
- APIs
5 Network Concepts
- Networks involve pieces and connections among them
- We can be vulnerable to a single point of failure.
- Redundancy provides resilience or fault tolerance and prevents single failures
6 Environment of Use
- Parts of networks can be located in protected locations (LANs), but some parts can be exposed to total strangers (with different ownership or control).
- Networks can be described by several characteristics
  - Anonymity, Automation, Distance, Opaqueness and Routing diversity
7 Environment of Use
- Anonymity
  - The network removes clues such as appearance, voice, etc.
- Automation
  - Most intermediate points as well as end points may be machines with minimal human intervention.
- Distance
  - Human users cannot usually say how far apart the sites are.
8 Environment of Use
- Opaqueness
  - Location transparency
- Routing Diversity
  - To improve reliability and performance, routing is usually dynamic, i.e. each time we may use a different path.
9 Topologies: Shape and Size
- Two extremes
  - Two hosts connected by one path
  - A very complex network, such as the Internet
- These extremes highlight 3 aspects of networks that have a strong influence on network security
  - Boundary: distinguishes an element of the network from an element outside it. But listing all hosts connected to the Internet is impossible!
  - Ownership: difficult to know who owns which host in a network
  - Control: difficult to tell the control attributes of an arbitrary host in a network.
10 Media Types
- Cable
  - UTP: low bandwidth (10 Mbps), signal degrades as it travels
  - Coaxial (100 Mbps): widely used on Ethernet. Can be amplified using repeaters.
  - Optical fibre: up to 1000 Mbps. A much better medium with less interference.
- Wireless: used for short distances (home/office networks)
- Microwave: travels in a straight line, up to 30 miles
11 Media Types
- Infrared
  - Short distance (up to 9 miles). Used by portable devices. It is a point-to-point signal, so difficult to intercept, but subject to man-in-the-middle attacks in which the interceptor functions like a repeater.
- Satellite
  - Placed in orbits.
  - Naïve transponder: everything it receives will be broadcast out again, over a long path (a footprint several hundred miles long).
  - The smaller the footprint, the less risk of interception.
12 Protocols: OSI Protocol Layers
OSI Layer   Name           Activity
7           Application    User-level data
6           Presentation   Standardized data appearance
5           Session        Logical connection among parts
4           Transport      Flow control
3           Network        Routing
2           Data Link      Reliable data delivery
1           Physical       Actual communication across physical medium
Source: Pfleeger & Pfleeger
13 Protocols: TCP/IP
Layer         Action                         Responsibilities
Application   Prepare messages               User interaction, addressing
Transport     Convert messages to packets    Sequencing, reliability, error correction
Internet      Convert messages to datagrams  Flow control, routing
Physical      Transmit datagrams as bits     Data communication
Source: Pfleeger & Pfleeger
14 TCP/IP
- TCP/IP is defined by protocols, not layers, but it can be thought of as a four-layered structure.
- TCP implements a connected communications session on top of the IP transport protocol.
- UDP is also an essential transport protocol.
- UDP is less reliable than TCP, but it is a much faster and smaller protocol.
15 Examples of Protocols
Layer         TCP protocols              UDP protocols
Application   SMTP, HTTP, FTP, Telnet    SNMP (Simple Network Management Protocol), Syslog (system audit log), Time (time synchronisation)
Transport     TCP                        UDP
Internet      IP                         IP
Physical      Data communication         Data communication
Source: Pfleeger & Pfleeger
16 IP Addresses
- 32-bit, expressed as four 8-bit groups
- Also known by names (e.g. www.staffs.ac.uk), parsed from right to left.
- To resolve names the system performs lookups. Local hosts maintain a cache of domain name records.
- Later on we will notice that name resolution can be used in network attacks.
17 TCP/IP vs. ISO/OSI
- ISO/OSI: complex design, not very efficient
- TCP/IP: more efficient, open
- Result: the Internet uses TCP/IP, but this introduces security issues
18 Types of Networks
- LANs
  - Small, locally controlled and physically protected
- WANs
  - Single control, cover large distances but physically exposed
- Internetworks (internets)
  - Many thousands of machines and millions of users
  - Heterogeneous
  - Physically and logically exposed.
19 Other Aspects of Networks
- Distributed Systems
  - Computation spread across two or more computers in one of the following forms
    - Client-server architecture: based on a request-reply protocol
    - Peer-to-peer system: a collection of equals
20 Other Aspects of Networks
- APIs (Application Programming Interfaces)
  - Define interfaces to modules or systems. Examples are
  - GSSAPI, or Generic Security Services API
    - Based on the notion that callers have credentials to establish contexts to invoke security services for implementing confidentiality or integrity.
  - CAPI, or Cryptographic API
    - A Microsoft API for cryptographic services
    - Users can invoke cryptographic algorithms of different strengths
    - CAPI is a routine that calls for generic services without specifying any particular algorithm
21 Threats in Networks
- Network vulnerabilities
- Who are the attackers
- Types of threats
- Precursors
- In transit
- Protocol flaws
- Impersonation
- Spoofing
- Message Confidentiality / Integrity threats
- Web Site Defacement
- Denial of Service (DOS)
- Distributed Denial of Service (DDOS)
- Active or Mobile Code Threats
- Complex Attacks
22 What makes a Network Vulnerable?
- A network differs from a stand-alone environment in the following ways
  - Anonymity
  - Many points of attack
  - Sharing
  - Complexity of system
  - Unknown perimeter
  - Unknown path
23 What makes a Network Vulnerable?
- Anonymity
  - The attacker can disguise their origin by passing through many other hosts, which do not necessarily have host-to-host authentication.
- Many points of attack
  - Not all host administrators enforce the same rigorous security policies
- Sharing
  - Access controls for single systems may be inadequate.
24 What makes a Network Vulnerable?
- Complexity of system
  - A network control or operating system is more complex than a single one
  - Ordinary desktops are getting very powerful
  - Most users do not know what their computers are really doing at any moment.
  - The attacker takes advantage of this and makes the victim's computer perform some of the computation.
25 What makes a Network Vulnerable?
- Unknown Perimeter
  - One host may be shared between two networks.
  - A user on a host in network D may be unaware of potential connections from users of networks A and B.
  - A host in the middle of A and B also belongs to A, B, C and E.
  - These networks may have different security rules.
  - So which rule is the one for shared hosts?!
Source: Pfleeger & Pfleeger
26 What makes a Network Vulnerable?
- Unknown Path
  - Network users usually do not have control over the routing of their messages.
- All these network characteristics increase security risks.
Source: Pfleeger & Pfleeger
27 Who Attacks Networks?
- Earlier we saw that the three components of an attack are method, opportunity, and motive.
- The motives are varied and can give an idea of who might attack the network. Examples are
  - Challenge
  - Fame
  - Money and espionage
  - Ideology: cyberterrorism and hacktivism (hacking against network targets)
28 Who Attacks Networks? Threat Precursors
- Methods of attack are varied. The attacker begins perpetration by finding out as much as possible about the target. Popular methods are
  - Port scan
  - Social engineering
  - Reconnaissance
  - Operating system and application fingerprinting
  - Bulletin boards and chats
  - Open documentation
29 Who Attacks Networks? Threat Precursors
- Port Scan
  - A program that reports, for a given IP address, which ports respond to messages and which known vulnerabilities are present. It tells the attacker three things
    - Which standard services (ports) are running and responding
    - What OS is installed
    - What applications and which versions are present
  - Port scanning tools are commercially available.
  - In your tutorial you may look at
    - the nmap scanner (www.insecure.org/nmap), or
    - netcat at http://netcat.sourceforge.net/
30 Who Attacks Networks? Threat Precursors
- Social Engineering
  - A port scan gives the outside view of the network. Social skills can be used to learn about the inside of networks.
  - For example, the attacker can impersonate someone in a high position. Humans like to help if asked politely!
31 Who Attacks Networks? Threat Precursors
- Reconnaissance
  - A general term for collecting information
  - After finding out what is open (port scan) and learning about internal details (social engineering), the attacker wants to know more details.
  - Methods vary from dumpster diving (looking through rubbish and discarded items) to eavesdropping.
32 Who Attacks Networks? Threat Precursors
- Operating System and Application Fingerprinting
  - Obtain OS- and application-specific information. Some port scan software can achieve this. For more information see
    - www.insecure.org/nmap/nmap-fingerprinting-article.html
  - Sometimes the application identifies itself. Ports such as 80 (HTTP), 25 (SMTP), 110 (POP), and 21 (FTP) may respond to clients with a message like
    - Server: Netscape-Commerce/1.15
    - Your browser sent a non-HTTP compliant message
  - This reply tells the attacker which application and version are running.
33 Who Attacks Networks? Threat Precursors
- Bulletin boards and chat rooms support the exchange of information (also between malicious hackers!).
- During an 18-month FBI sting operation (1999), a team led by W. Swallow befriended the attackers in chat rooms and gathered critical evidence on several attackers, including 17-year-old Mafiaboy, who pled guilty to 58 charges related to denial of service attacks against Amazon.com, eBay and Yahoo.
34 Threats in Transit
- Eavesdropping
- Packet Sniffing
- Wiretapping
- Microwaves
- Satellites
- Fiber
- Wireless
35 Threats in Transit: Eavesdropping and Wiretapping
- Eavesdropping: overhearing without putting in extra effort, e.g. monitoring all traffic passing through a node.
- Wiretapping: intercepting communication with some effort, e.g. by injecting something into the communication.
- Wiretapping works differently depending on the communication medium used.
36 Threats in Transit: Cable
- A device called a packet sniffer can retrieve all packets on a LAN.
- Attackers can also tap wires by a process called inductance, reading the radiated signals.
- Data on a WAN can be heavily multiplexed, and more than one signal can be carried at a given time. This makes wiretapping more difficult.
37 Threats in Transit: Optical Fibre
- Difficult to tap
- However, data may be available more easily at places such as repeaters, splices or connections from computing equipment to the fibre.
38 Threats in Transit: Wireless
- Signals can be picked up easily from several miles away
- Interception through active or passive wiretapping.
- Encryption is not always used for wireless communication, and the encryption built into wireless devices is not strong.
- The encryption standard is Wired Equivalent Privacy (WEP).
39 Threats in Transit: Wireless
- WEP is a stream cipher using a 40- or 104-bit key.
- Surveys reveal that WEP has been disabled in 85% of installations due to difficulty in configuration and encryption management.
- The design of the encryption makes it easy to crack the WEP cipher.
40 Threats in Transit: Wireless
- The second threat is the possibility of rogue use of a connection.
- With DHCP (Dynamic Host Configuration Protocol) a client negotiates a one-time IP address and connectivity with the host.
- These IP addresses are shared among users.
- Authentication of hosts here is a major problem, and most networks that do not authenticate may suffer theft of service.
41 Wiretapping Summary
- Wiretap vulnerabilities
- Source: Pfleeger & Pfleeger
42 Threats: Protocol Flaws
- TCP connections are established through sequence numbers.
- The client sends a sequence number to open a connection.
- The server responds with the server's sequence number.
- If someone guesses a client's next sequence number, then he/she could impersonate the client in an interchange.
- Sequence numbers are incremented regularly, so they are easy to predict!
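To make the last point concrete, here is an added example (not from the slides or from Pfleeger) that models two initial-sequence-number generators: one that steps by a fixed amount per connection, as the slide describes, and one that draws each ISN from a cryptographic random source. An observer who has seen two ISNs extrapolates the third; the hit rate shows which design is predictable. The step size and seed are constructed values, not those of any real TCP stack.

```python
import secrets

class IncrementingISN:
    """Constructed model of the predictable scheme on the slide: every new
    connection gets the previous ISN plus a fixed step (mod 2^32)."""
    def __init__(self, seed, step=64000):
        self.current = seed
        self.step = step

    def next_isn(self):
        self.current = (self.current + self.step) % 2**32
        return self.current

class RandomISN:
    """Each connection gets an unpredictable 32-bit ISN from a CSPRNG."""
    def next_isn(self):
        return secrets.randbits(32)

def guess_next(observed):
    """An observer's best guess after seeing two consecutive ISNs:
    assume the same difference will be applied again."""
    a, b = observed[-2], observed[-1]
    return (b + (b - a)) % 2**32

def prediction_rate(generator, trials=100):
    """Fraction of trials in which two observed ISNs let the observer predict
    the third exactly. Near 1.0 means a guessed sequence number is feasible
    (the impersonation risk on the slide); near 0.0 means it is not."""
    hits = 0
    for _ in range(trials):
        seen = [generator.next_isn(), generator.next_isn()]
        if guess_next(seen) == generator.next_isn():
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print("incrementing ISN predicted:", prediction_rate(IncrementingISN(seed=12345)))
    print("random ISN predicted:      ", prediction_rate(RandomISN()))
```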
43 Threats: Impersonation, taking advantage of vulnerabilities
- Guessing (default passwords: GUEST, ADMIN, etc.)
- Stealing authentication when credentials are passed and exposed in a network
  - Wiretapping
  - Eavesdropping
- Avoiding authentication when a flaw can be exploited (e.g. password buffer overflow)
- Nonexistent authentication (e.g. anonymous or guest password)
- Well-known authentication (e.g. SNMP uses a community string password, a group name to which multiple users belong)
- Trusted authentication
  - Delegation of identification to other trusted sources
  - Unix .rhosts, .login, and /etc/hosts.equiv indicate hosts or users that are trusted by other hosts
  - MSN Passport
44 Threats: Spoofing
- When an attacker falsely carries on one end of a network interchange. Examples are
  - Masquerade
    - One host pretends to be another
    - URL confusion, domain name confusion
  - Session hijacking
    - Intercepting and carrying on a session by another entity, e.g. hijacking a remote telnet session that was initiated by the system administrator.
  - Man-in-the-middle attack
45 Man-in-the-Middle Attack
- As seen in tutorials, the perpetrator intercepts requests to the key server and then asks for your partner's public key. He/she then passes his/her own key to you.
- He/she intercepts, decrypts, reads and re-encrypts using that public key.
Source: Pfleeger & Pfleeger
46 Threats: Message Confidentiality can be compromised by
- Misdelivery
  - Human errors in destination names
- Exposure
  - In temporary buffers, routers, etc.
- Traffic flow analysis
  - High-volume traffic between two nodes may invite speculation (politics, price fixing, etc.)
- Both content and header information must be protected.
47 Threats: Website Defacement
- Downloaded web site code (HTTP) enables the attacker to get the blueprints of a website
- The common web site vulnerabilities are
  - Buffer overflow
  - Dot-dot problems
  - Application code errors
  - Server-side include problems
48 Website Defacement: Buffer Overflow
- The attacker feeds a program far more data than it expects to receive.
- The buffer size is exceeded and the excess data spills over into neighbouring code and data locations.
49 Website Defacement: Dot-Dot and Address Problems
- .. is the parent and ../.. the grandparent of the current location.
- Someone entering file names can travel back up the directory tree one .. at a time.
- The server may return private files if certain URLs are passed to it.
50 Dot-Dot and Address Problems (Example)
- Passing the following URL causes the server to return the requested file autoexec.nt, enabling the attacker to modify or delete it.
  http://URL/null.htw?CiWebHitsFile=/../../../../winnt/system32/autoexec.nt
Source: Pfleeger & Pfleeger
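The fix on the server side is to normalise the client-supplied name and refuse anything that climbs above the document root. The following is an added example (not code from the slides or from Pfleeger) that does this lexically, before any file is opened, and feeds it the slide's URL; the document root /var/www/html and the host name are assumptions for the illustration.

```python
from pathlib import PurePosixPath
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed document root for the example (constructed; any absolute path works).
WEB_ROOT = PurePosixPath("/var/www/html")

def resolve_under_root(requested, root=WEB_ROOT):
    """Map a client-supplied file name to a path under `root`, or return None.
    Percent-encoding is decoded and backslashes treated as slashes first, so
    '%2e%2e' and '..\\' cannot slip past the check; a leading '/' is stripped
    rather than trusted. Every '..' is resolved before the containment test."""
    decoded = unquote(requested).replace("\\", "/")
    rel = PurePosixPath(decoded.lstrip("/"))
    parts = []
    for part in rel.parts:
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                return None          # attempted to climb above the document root
            parts.pop()
        else:
            parts.append(part)
    final = root.joinpath(*parts)
    # Belt and braces: the result must still lie inside the root.
    return final if (final == root or root in final.parents) else None

def file_from_url(url, param="CiWebHitsFile"):
    """Take the file name from the query parameter used in the slide's URL and
    resolve it safely. Returns the permitted path, or None if rejected."""
    qs = parse_qs(urlsplit(url).query)
    if param not in qs:
        return None
    return resolve_under_root(qs[param][0])

if __name__ == "__main__":
    bad = "http://example.test/null.htw?CiWebHitsFile=/../../../../winnt/system32/autoexec.nt"
    good = "http://example.test/null.htw?CiWebHitsFile=docs/index.html"
    print("traversal request ->", file_from_url(bad))    # None: rejected
    print("ordinary request  ->", file_from_url(good))   # /var/www/html/docs/index.html
```

Doing the check on the normalised path rather than by searching the raw string for ".." is what makes encoded and backslash variants fail the same way as the plain one.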
51 Website Defacement: Application Code Errors
- The server passes context strings to the client (e.g. the price of an online purchase), making the user's browser reply with the full context.
- The client (attacker) can modify this string (e.g. reduce the price).
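A server that must round-trip context through the client can at least make tampering detectable by attaching a MAC over the exact bytes it sent. This added example (not from the slides or from Pfleeger) issues a signed context, models the client-side price edit the slide describes, and shows the server rejecting it; the key and the order values are constructed for the illustration.

```python
import hmac
import hashlib
import json

# Constructed server-side secret for the example; in a real deployment it comes
# from protected configuration and is never sent to the client.
SERVER_KEY = b"example-only-server-secret"

def _canonical(order):
    """Stable serialisation so the same order always yields the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":"))

def issue_context(order):
    """Server side: serialise the order context (item, price, ...) and append an
    HMAC-SHA256 tag over it. The client can read it but cannot re-sign it."""
    payload = _canonical(order)
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag

def verify_context(context):
    """Server side, when the context comes back: recompute the tag and compare
    in constant time. Returns the trusted order dict, or None if altered."""
    payload, sep, tag = context.rpartition(".")   # hex tag contains no '.'
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)

def tamper_price(context, new_price):
    """Models the slide's attacker: edit the price in the echoed context without
    knowing the server key, leaving the old tag in place."""
    payload, sep, tag = context.rpartition(".")
    order = json.loads(payload)
    order["price"] = new_price
    return _canonical(order) + sep + tag

if __name__ == "__main__":
    ctx = issue_context({"item": "laptop", "price": 1299.0, "qty": 1})
    print("untouched:", verify_context(ctx))
    print("tampered :", verify_context(tamper_price(ctx, 1.0)))   # None
```

The stronger fix is not to trust the echoed price at all and look it up server-side from the item identifier; the MAC is the minimum when the context genuinely has to travel through the client.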
52 Website Defacement: Server-Side Include (SSI)
- Web pages can be organized to invoke a certain function automatically
- An SSI is an HTML comment that directs the web server to dynamically generate data for the web page.
- An attacker can remotely execute commands to change permissions, etc.
- Example: the SSI command exec
  - <!--#exec cmd="/usr/bin/telnet" --> will open a Telnet session from the server, running in the name of the server.
53 Threats: Denial of Service (DOS), Availability Attacks
- So far we have addressed confidentiality or integrity problems.
- Availability attacks are often called denial of service and are significant in networks. DOS takes many forms, such as
  - Transmission failure
  - Connection flooding
  - SYN flood
  - Traffic redirection
  - DNS attacks
54 DOS: Connection Flooding
- Send as much data as the connection can handle.
- More complex attacks can exploit the Internet protocol ICMP, the Internet Control Message Protocol.
- ICMP messages are normally used for system diagnostics and include
  - ping: tests reachability
  - echo: requires the destination to return the data sent
  - destination unreachable: indicates a destination address cannot be accessed
  - source quench: when the destination is getting saturated it requests the sender to decrease the rate of messages to a router or host, and the source may suspend sending packets for a while.
55 Connection Flooding: Echo-Chargen Example
- Chargen is a protocol that generates a stream of packets and is used to test network capacity.
- The attacker sets up a chargen process on host A that generates packets as echo packets with a destination of host B.
- Host B replies by echoing them back to host A.
- These interactions between A and B can be put into endless loops on both sides.
- The attacker can make B both the source and destination address of the first packet, resulting in B hanging in a loop, constantly creating and replying to its own messages!
56 Connection Flooding: Ping of Death Example
- The attacker sends a flood of pings to the intended victim.
- Attacks are limited by the smallest bandwidth on the attack route
- The attacker needs to be on a higher-bandwidth connection.
- The ping packets will saturate the victim's bandwidth.
57 Connection Flooding: Smurf Example
- The Smurf attack is a variation of the ping attack
- The attacker chooses a network of unwitting victims
- The attacker broadcasts an echo request to the network with the victim's return address.
- The victim is saturated with echo replies.
58 Connection Flooding: Smurf Example
Source: Pfleeger & Pfleeger
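The echo-chargen loop, the self-addressed packet and the Smurf trigger (slides 55 to 58) all have a shape an edge filter can recognise before any host answers them. This added example (not from the slides or from Pfleeger) classifies constructed packet records against three such rules; the protected subnet, addresses and record layout are assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    """Minimal packet record, constructed for the example."""
    src: str
    dst: str
    proto: str           # "icmp" or "udp"
    sport: int = 0       # UDP only
    dport: int = 0       # UDP only
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply

ECHO_PORT, CHARGEN_PORT = 7, 19
ICMP_ECHO_REQUEST = 8

def check_packet(pkt, local_net):
    """Return the reason a packet should be dropped at the network edge, or None.
    Rule 1: source equals destination (the self-looping packet on slide 55).
    Rule 2: UDP between the echo and chargen services (the A/B ping-pong).
    Rule 3: ICMP echo request aimed at the subnet broadcast address (Smurf
    amplification on slide 57). local_net is the protected subnet."""
    net = ipaddress.ip_network(local_net)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src == dst:
        return "source equals destination"
    if pkt.proto == "udp" and {pkt.sport, pkt.dport} <= {ECHO_PORT, CHARGEN_PORT}:
        return "echo/chargen loop"
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and dst == net.broadcast_address:
        return "echo request to broadcast (smurf amplifier)"
    return None

# Constructed traffic sample: three abusive packets and two ordinary ones.
SAMPLE_PACKETS = [
    Packet("192.0.2.5", "192.0.2.5", "udp", sport=19, dport=7),         # self-addressed
    Packet("192.0.2.5", "192.0.2.6", "udp", sport=19, dport=7),         # A chargen -> B echo
    Packet("203.0.113.1", "192.0.2.255", "icmp", icmp_type=8),          # smurf trigger
    Packet("203.0.113.1", "192.0.2.10", "icmp", icmp_type=8),           # ordinary ping
    Packet("192.0.2.10", "203.0.113.1", "udp", sport=53000, dport=53),  # ordinary DNS query
]

def filter_packets(packets, local_net="192.0.2.0/24"):
    """Split traffic into (allowed, [(packet, reason) dropped])."""
    allowed, dropped = [], []
    for p in packets:
        reason = check_packet(p, local_net)
        if reason:
            dropped.append((p, reason))
        else:
            allowed.append(p)
    return allowed, dropped

if __name__ == "__main__":
    for p, reason in filter_packets(SAMPLE_PACKETS)[1]:
        print(f"drop {p.src} -> {p.dst}: {reason}")
```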
59 DOS: SYN Flood Attack
- Sessions in TCP use the three-way TCP handshake.
- Each TCP packet has flag bits such as the SYN and ACK bits.
Source: Pfleeger & Pfleeger
60 SYN Flood Attack
- The destination maintains a SYN_RECV queue to track those items for which a SYN-ACK has been sent but no corresponding ACK has yet been received.
- The attacker can deny service to the target by sending many SYN requests and never responding with an ACK, resulting in an overflow of the SYN_RECV queue.
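The following is an added example (not from the slides or from Pfleeger) that models the SYN_RECV queue as a bounded table of half-open entries with an expiry time: a burst of SYNs that are never acknowledged fills it, a legitimate client is then turned away, and it is accepted again once the stale entries time out. The capacity, timeout and addresses are constructed values, not those of any real TCP stack.

```python
from collections import OrderedDict

class SynRecvQueue:
    """Constructed model of the half-open connection table the slide calls
    SYN_RECV. An entry is created on SYN (a SYN-ACK is assumed sent), removed
    on the matching ACK, and otherwise expires after `timeout` seconds.
    `capacity` bounds the table, which is exactly what a SYN flood exhausts."""
    def __init__(self, capacity=8, timeout=30.0):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src, sport) -> time the SYN arrived
        self.rejected = 0
        self.established = 0

    def _expire(self, now):
        stale = [k for k, t in self.half_open.items() if now - t > self.timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src, sport, now):
        """Return True if the SYN was queued, False if the queue was full."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.rejected += 1            # queue full: the SYN is dropped
            return False
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, src, sport, now):
        """Complete the handshake for a queued entry; False if none is pending."""
        if (src, sport) not in self.half_open:
            return False
        del self.half_open[(src, sport)]
        self.established += 1
        return True

def simulate(timeout=30.0, flood_size=20, capacity=8):
    """Flood at t=0 from sources that never ACK, then one legitimate client at
    t=1 and again after the timeout. Returns (connected_at_t1, connected_later)."""
    q = SynRecvQueue(capacity=capacity, timeout=timeout)
    for i in range(flood_size):
        q.on_syn(f"198.51.100.{i}", 40000 + i, now=0.0)
    first = q.on_syn("192.0.2.50", 51000, now=1.0) and q.on_ack("192.0.2.50", 51000, now=1.1)
    later = (q.on_syn("192.0.2.50", 51001, now=timeout + 1.0)
             and q.on_ack("192.0.2.50", 51001, now=timeout + 1.1))
    return first, later

if __name__ == "__main__":
    print("legitimate client during flood, then after expiry:", simulate())
```

A short half-open timeout bounds how long each unanswered SYN occupies a slot, but a flood that outpaces the expiry rate still keeps the queue full, which is why the model's first result is False.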
61 Traffic Redirection
- A compromised router may advertise the best path to every other address in the network.
- All traffic is redirected to it, flooding it and disrupting communication.
62 DNS Attacks
- Overtaking a name server
- Causing it to cache spurious entries, and
- Redirecting the routing of any traffic to result in denial of service.
63 Distributed Denial of Service (DDoS)
- The attack takes place in these steps
  - The attacker chooses a convenient attack (e.g. exploiting a buffer overflow, an e-mail attachment, ...) to plant a Trojan horse on a target machine.
  - The attacker repeats this process with many targets, which then become what are known as zombies.
  - At some point the attacker chooses a victim and sends a signal to all zombies to launch an attack.
64 Distributed Denial of Service (DDoS)
- Now the victim, instead of trying to defend against one DoS, must try to counter n attacks from n zombies at once.
- Zombies can use different attacks, e.g. SYN flood, Smurf.
Source: Pfleeger & Pfleeger
65 Threats to Active or Mobile Code
- Code can be pushed to the client for execution.
- A cookie is a data object (not code) that can store client details such as IP address and connection details, and provides context to servers.
- Most of the time the client cannot tell what a cookie contains.
- Attackers (impersonating a server) can intercept and retrieve cookies.