Computer Systems Security Security in Networks - PowerPoint PPT Presentation

1 / 65
About This Presentation
Title:

Computer Systems Security Security in Networks

Description:

Title: Computer Systems Security Security in Networks Author: cmtps Last modified by: ps1 Created Date: 11/1/2004 12:26:00 AM Document presentation format – PowerPoint PPT presentation

Number of Views:1216
Avg rating:3.0/5.0
Slides: 66
Provided by: cmt9
Category:

less

Transcript and Presenter's Notes

Title: Computer Systems Security Security in Networks


1
Computer Systems SecuritySecurity in Networks
  • Topic 1
  • Pirooz Saeidi
  • Source Pfleeger, Chapter 7

2
Security in Networks Agenda We will first
address
  • The Basics of networks design, development and
    usage
  • How networks differ from and are similar to
    stand-alone applications and environments
  • Threats against networked applications,
    including
  • Denial of service
  • Web site defacements
  • Malicious mobile code
  • Protocol attack

3
Security in Networks AgendaWe will then look at
  • Controls against attacks
  • Physical security
  • Policies procedures
  • A range of technical errors
  • Tools
  • Firewalls Design, capabilities limitations
  • Intrusion Detection Systems
  • Secure e-mail

4
Terminology
  • Single point of point of failure, fault tolerance
  • Topology
  • Media
  • Analog/digital
  • Protocols
  • LAN/WAN
  • Internet
  • Distributed System
  • APIs

5
Network Concepts
  • Networks involve pieces and connections among
    them
  • We can be vulnerable to single point of failure.
  • Redundancy provides resilience or fault tolerance
    and prevents single failures

6
Environment of Use
  • Parts of networks can be located in protected
    locations (LANs) but some parts can be exposed to
    total strangers (with different ownership or
    control).
  • Networks can be described by several
    characteristics
  • Anonymity, Automation, Distance, Opaqueness and
    Routing diversity

7
Environment of Use
  • Anonymity
  • Network removes clues such as appearance, voice..
  • Automation
  • Most intermediate points as well as end points
    may be machines with minimum human intervention.
  • Distance
  • human users can not usually say how far apart the
    sites are.

8
Environment of Use
  • Opaqueness
  • Location transparency
  • Routing Diversity
  • To improve reliability performance routing is
    usually dynamic. i.e. every time we may use a
    different path

9
Topologies Shape and Size
  • Two extremes
  • Two hosts connected by one path
  • A very complex network, such as the Internet.
  • These extremes highlight 3 aspects of networks
    that have strong influence on network security
  • Boundary Distinguishes an element of network
    from an element outside it. But-
  • listing all hosts connected to the Internet is
    impossible!
  • Ownership difficult to know who owns which host
    in a network
  • Control difficult to tell the control attributes
    of an arbitrary host in a network.

10
Media Types
  • Cable
  • UTP Low bandwidth(10 Mbs), signal degrades as it
    travels
  • Coaxial (100Mbs) widely used on Ethernet. Can be
    amplified using repeaters.
  • Optic Fibber up to 1000Mbs. A much better medium
    with less interference.
  • Wireless Used for short distance (home/office
    networks)
  • Microwave travel in straight line up to 30 miles

11
Media Types
  • Infrared
  • Short distance (up to 9 miles). Used by portable
    devices. It is a point-to-point signal so
    difficult to intercept. But subject to in the
    middle attacks in which the interceptor
    functions like a repeater.
  • Satellite
  • Placed in orbits.
  • Naïve transponder everything it receives will be
    broadcast out again, over a long path (several
    hundred miles long-footprint).
  • The smaller the footprint, the less risk of
    interception.

12
Protocols OSI Protocol Layer
OSI Layer Name Activity
7 Application User-level data
6 Presentation Standardized data appearance
5 Session Logical connection among parts
4 Transport Flow control
3 Network Routing
2 Data Link Reliable data deliver6y
1 Physical Actual communication across physical medium
SourcePfleegerPfleeger
13
Protocols TCP/IP
Layer Action Responsibilities
Application Prepare messages User interaction, addressing
Transport Convert messages to packets Sequencing, reliability, error connection
Internet Convert messages to datagrams Flow control, routing
Physical Transmit datagrams as bits Data communication
SourcePfleegerPfleeger
14
TCP/IP
  • TCP/IP defined by protocols not layers. But can
    be thought of as a four layered structure.
  • TCP implements a connected communications session
    on top of IP transport protocol.
  • UDP is also an essential transport protocol.
  • UDP is less reliable than TCP but it is a much
    faster and smaller protocol.

15
Example of Protocols
Layer TCP Protocols UDP protocols
Application Protocol SMTP, HTTP, FTP Telnet SNMP simple Network Management Protocol Syslog system audit Log Time synchronise time
Transport TCP UDP
Internet IP IP
Physical Data Communication Data Communication
SourcePfleegerPfleeger
16
IP addresses
  • 32-bit expressed as four 8-bit groups
  • Also known by names (e.g. www.staffs.ac.uk),
    parsed from right to left.
  • To resolve names the system performs lookups.
    Local hosts maintain a cache of domain name
    records.
  • Later on we will notice that name resolution can
    be used in network attacks.

17
TCP/IP vs. ISO/OSI
  • ISO/OSI Complex design, not very efficient
  • TCP/IP More efficientOpen
  • Results Internet uses TCP/IP But introduces
    security issues

18
Types of Networks
  • LANs
  • Small locally controlled and physically protected
  • WANs
  • Single control, covers large distance but
    physically exposed
  • Internetworks (Internets)
  • Many thousands of machines and millions of users
  • Heterogeneous
  • Physically and logically exposed.

19
Other aspects of Networks
  • Distributed Systems
  • Computation spread across two or more computers
    in one of the following forms
  • Client server architecture based on request
    reply protocol
  • Peer-to-peer system a collection of equals

20
Other aspects of Networks
  • APIs (Application Programming Interfaces)
  • Define interfaces to modules or systems. Examples
    are
  • GSSAPI or Generic Security Services API
  • Based on the notion that callers have credentials
    to establish contexts to invoke security services
    for implementing confidentiality or integrity.
  • CAPI or Cryptographic API
  • A Microsoft API for cryptographic services
  • User can invoke cryptographic algorithms of
    different strengths
  • CAPI is a routine that calls for generic
    services without specifying any particular
    algorithm

21
Threats in Networks
  • Network vulnerabilities
  • Who are the attackers
  • Types of threats
  • Precursors
  • In transit
  • Protocol flaws
  • Impersonation
  • Spoofing
  • Message Confidentiality / Integrity threats
  • Web Site Defacement
  • Denial of Service (DOS)
  • Distributed Denial of Service (DDOS)
  • Active or Mobile Code Threats
  • Complex Attacks

22
What makes a Network Vulnerable?
  • A network differs from a stand-alone environment
    in the following ways
  • Anonymity
  • Many points of attacks
  • Sharing
  • Complexity of system
  • Unknown perimeter
  • Unknown path

23
What makes a Network Vulnerable?
  • Anonymity
  • The attacker can disguise its origin by passing
    through many other hosts which do not necessarily
    have a host to host authentication.
  • Many points of attacks
  • Not all hosts administrators enforce the same
    rigorous security policies
  • Sharing
  • Access controls for single systems may be
    inadequate.

24
What makes a Network Vulnerable?
  • Complexity of system
  • A network control or operating system is more
    complex than single one
  • Ordinary desktops are getting very powerful
  • Most users do not know what their computers are
    really doing at any moment.
  • The attacker takes advantage of this and makes
    the victims computer to perform some of the
    computation.

25
What makes a Network Vulnerable?
  • Unknown Perimeter
  • One host may be shared between two networks.
  • A user on a host in network D may be unaware of
  • Potential connections from users of networks A
    and B.
  • A host in the middle of A and B belongs also
  • to A,B,C and E.
  • These networks may have different security rules.
  • So which rule is the for shared hosts?!

SourcePfleegerPfleeger
26
What makes a Network Vulnerable?
  • Unknown Path
  • Network users usually do not have control over
    the routing of their messages.
  • All these network characteristics increase
    security risks.

SourcePfleegerPfleeger
27
Who Attacks Networks?
  • Earlier we have seen that the three components of
    attack are method, opportunity, and motive.
  • The motives are varied and can give an idea who
    might attack the network. Examples are
  • Challenge
  • Fame
  • Money and Espionage
  • Ideology Cyberterrorism and hactivism (hacking
    against network targets)

28
Who Attacks Networks?Threat Precursors
  • Methods of attack are varied. The attacker begins
    perpetration by finding out as much as possible
    about the target. Popular methods are
  • Port Scan
  • Social Engineering
  • Reconnaissance
  • Operating system Application Fingerprinting
  • Bulletin Boards Chats
  • Open documentations

29
Who Attacks Networks?Threat Precursors
  • Port Scan
  • A program that reports for a given IP address,
    which ports respond to messages and which known
    vulnerabilities are present. It tells the
    attacker three things
  • Which standard services (ports) are running and
    responding.
  • What OS is installed
  • What applications and which versions are present.
  • Port scanning tools are commercially available.
  • In your tutorial you may look at
  • nmap scanner (www.insecure.org/nmap), or
  • netcat at http//netcat.sourceforge.net/

30
Who Attacks Networks?Threat Precursors
  • Social Engineering
  • Port scan gives the outside view of the network.
    Social skills can be used to learn about the
    inside of networks.
  • For example the attacker can impersonate someone
    in high position. Humans like to help if asked
    politely!

31
Who Attacks Networks?Threat Precursors
  • Reconnaissance
  • Is a general term for collecting information
  • After finding out what is open (port scan) and
    learning about internal details (SE) the attacker
    wants to know more details.
  • Methods vary from dumpster diving (looking at
    rubbish at discarded items) to eavesdropping.

32
Who Attacks Networks?Threat Precursors
  • Operating System Application Fingerprinting
  • Obtain OS and application specific information.
    Some Port scan software can achieve this. For
    more information see
  • www.insecure.org/nmap/nmap-fingerprinting-article.
    html
  • Sometimes the application identifies itself.
    Ports such as 80(HTTP), 25(SMTP), 110(POP), and
    21 (FTP) may respond to clients with a message
    like
  • Server Netscape-Commerce/1.15
  • Your browser sent a non-HTTP compliant message
  • This reply tells the attacker which application
    and version are running.

33
Who Attacks Networks?Threat Precursors
  • Bulletin Boards and chat rooms support exchange
    of information (also between malicious hackers!).
  • During the 18 month FBI sting operation (1999)
    a team led by W. Swallow befriended the
    attackers in chat rooms and gathered critical
    evidence on several attackers including 17 year
    old Mafiaboy who pled guilty to 58 charges
    related to denial of service attacks against
    Amazon.com, eBay and Yahoo.

34
Threats in Transit
  • Eavesdropping
  • Packet Sniffing
  • Wiretapping
  • Microwaves
  • Satellites
  • Fiber
  • Wireless

35
Threats in Transit Eavesdropping and Wiretapping
  • Eavesdropping overhearing without putting extra
    effort. E.g. monitoring all traffic passing
    through a node.
  • Wiretapping intercepting communication with some
    effort. E.g. by injecting something into
    communication.
  • Wiretapping works differently depending on
    communication medium used.

36
Threats in Transit- Cable
  • A device called packet sniffer can retrieve all
    packets on a LAN.
  • Attackers can also tap wires by a process called
    inductance to read radiated signals.
  • Data on a WAN can be heavily multiplexed and more
    than 1 signal can be carried at a given time.
    More difficult for wiretappings.

37
Threats in Transit- Optical Fiber
  • Difficult to tap
  • However data may be available more easily at
    places such as repeaters, splices or connections
    from computing equipment to the fibre.

38
Threats in Transit- Wireless
  • Signals can be picked up easily from several
    miles
  • Interception through active or passive
    wiretapping.
  • Encryption is not always used for wireless
    communication and those built in wireless devices
    are not strong.
  • The encryption standard is Wired Equivalent
    Privacy (WEP).

39
Threats in Transit- Wireless
  • WEP is a stream cipher using a 40- or 104-bit
    key.
  • Surveys reveal that WEP has been disabled in 85
    of installations due to difficulty in
    configuration and encryption management.
  • Design of encryption makes it easy to crack WEP
    cipher

40
Threats in Transit- Wireless
  • The second threat is the possibility of rouge use
    of a connection.
  • With DHCP (Dynamic Host Control Protocol) a
    client negotiates a one-time IP address and
    connectivity with the host.
  • These IP addresses are shared among users.
  • Authentication of hosts here is a major problem
    and most networks that do not authenticate may
    lead to Theft of Service.

41
Wiretapping Summary
  • Wiretap vulnerabilities
  • Source PfleegerPfleeger

42
Threats- Protocol Flaws
  • TCP connections are established through sequence
    numbers.
  • Client sends a sequence number to open
    connection.
  • Sever responds with the servers sequence number
    .
  • If someone guesses a clients next sequence
    number then he/she could impersonate the client
    in an interchange.
  • Sequence numbers are incremented regularly so
    they are easy to predict!

43
Threats- Impersonationtaking advantage of
vulnerabilities
  • Guessing (default passwords GUST, ADMIN, etc)
  • Stealing authentication when they are passed and
    exposed in a network.
  • Wiretapping
  • Eavesdropping
  • Avoid authentication when a flaw can be exploited
    (e.g. password buffer overflow)
  • Nonexistent authentication (e.g. anonymous or
    guest password)
  • Well-Known authentication (e.g. SNMP uses a
    community string password- a group name to which
    multiple users belong)
  • Trusted authentication
  • Delegation of identification to other trusted
    sources
  • Unix .rhosts, .login, and etc/hosts/equiv
    indicate hosts or users that are trusted to other
    hosts
  • MSN Passport

44
Threats Spoofing
  • When attacker falsely carries on one end of
    network interchange. Examples are
  • Masquerade
  • One host pretends to be another-
  • URL confusion, domain name confusion
  • Session hijacking
  • Intercepting and carrying on a session by another
    entity. e.g. hijacking a remote telnet session
    that was initiated by system administrator.
  • Man-in-the Middle attack

45
Man-in-the Middle attack
  • As seen in tutorials the perpetrator intercepts
    requests to the key server and then asks for your
    partners public key. He/she then passes his/her
    own key to you.
  • He/she intercepts, decrypts, reads and
    re-encrypts using that public key.

SourcePfleegerPfleeger
46
Threats- Message Confidentialitycan be
compromised by
  • Misdelivery
  • Human errors in destination names
  • Exposure
  • In temporary buffers, routers , etc
  • Traffic Flow Analysis
  • The high volume traffic between two nodes may
    infer speculations (politics, price fixing, etc.)
  • Both content and header information must be
    protected.

47
Threats Website Defacement
  • Downloaded web site code (HTTP) enable attacker
    to get the blueprints to a website
  • The common web site vulnerabilities are
  • Buffer overflow
  • Dot-dot problems
  • Application code errors
  • Server-side include problems

48
Website Defacement-Buffer Overflow
  • The attacker feeds a program far more data that
    it expects to receive.
  • Buffer size exceeds and the excess data spill
    over neighbouring code and data locations.

49
Website Defacement- Dot-Dot and Address Problems
  • .. is predecessor and ../.. is grandparent
    of current location.
  • Someone entering file names can travel back up
    the directory one .. at a time.
  • Server may return private files if certain URLs
    are passed to it.

50
Dot-Dot and Address Problems(Example)
  • Passing the following URL causes the server to
    return requested file autoexec.nt, enabling
    attacker to modify or delete it.

http//URL/null.htw?CiWebHitsFile /../../../..wi
nnt/system32/ autoexec.nt
SourcePfleegerPfleeger
51
Website Defacement- Application Code Errors
  • Server passes context strings to the client (e.g.
    price of an online purchase),
  • making the users browser reply with the full
    context.
  • Client (attacker) can modify this string (e.g.
    reduce the price)

52
Website Defacement- Server side Include (SSI)
  • Web pages can be organized to invoke a certain
    function automatically
  • SSI is an HTTP comment that directs the web
    server to dynamically generate data for the web
    page.
  • Attacker can remotely execute commands to change
    permissions, etc.
  • Example the SSI command exec
  • lt!-exec cmd/usr/bin/telnet -gt will open a
    Telnet session from the server running in the
    name of the server.

53
Threats- Denial of Service (DOS)- Availability
Attacks
  • So far we addressed confidentiality or integrity
    problems.
  • Availability attacks are often called Denial of
    Service and are significant in networks. DOS
    takes many forms such as
  • Transmission Failure
  • Connection Flooding
  • Syn Flood
  • Traffic Redirection
  • DNS Attacks

54
DOS Connection Flooding
  • Send as much data as connection can handle.
  • More complex attacks can exploit Internet
    protocol ICMP or Internet Control Message
    Protocols.
  • ICMP protocols normally are used for system
    diagnostics and include
  • ping, tests reachability
  • echo, requires destination to return data sent
  • destination unreachable, indicates a destination
    address can not be accessed
  • source quench, when the destination is getting
    saturated it requests the sender to decrease the
    traffic rate of messages to a router or host and
    source may suspend sending packets for a while.

55
Connection Flooding Echo-Chargen example
  • Chargen is a protocol that generates a stream of
    packets and is used to test network capacity.
  • Attacker sets up a chargen process on host A that
    generates packets as echo packets with a
    destination of host B.
  • Host B replies by echoing them back to host A.
  • These interactions between A and B can be put
    into endless loops on both sides.
  • The attacker can make B both the source and
    destination address of the first packet
    resulting in B hanging in a loop constantly
    creating and replying to its own messages!

56
Connection Flooding Ping of Death example
  • Attacker sends a flood of pings to the intended
    victim.
  • Attacks are limited by smallest bandwidth on the
    attack route
  • The attacker needs to be on higher bandwidth
    connection.
  • The ping packets will saturate the victims
    bandwidth.

57
Connection FloodingSmurf example
  • Smurf attack is a variation of ping attack
  • The attacker chooses a network of unwitting
    victims
  • Attacker broadcasts echo request to network with
    victims return address.
  • Victim is saturated with echo replies.

58
Connection FloodingSmurf example
  • Smurf Attack

Source PfleegerPfleeger
59
DOSSyn Flood Attack
  • Sessions in TCP protocols use three-way TCP
    handshake.
  • Each TCP packet has flag bits such as SYN and
    ACK bits.

SourcePfleegerPfleeger
60
Syn Flood Attack
  • The destination maintains a SYN_RECV queue to
    track those items a SYN-ACK has been sent but no
    corresponding ACK has yet been received.
  • The attacker can deny service to the target by
    sending many SYN requests and never responding
    with ACK, resulting overflow in the SYN_RECV
    queue.

61
Traffic redirection
  • Compromised router may advertise the best path
    to every other address in the network.
  • All traffic redirected to it, flooding it,
    disrupting communication.

62
DNS Attacks
  • Overtaking a name server
  • Causing it to cache spurious entries and
  • redirecting the routing of any traffic to result
    in denial of service.

63
Distributed Denial of Service(DDoS)
  • Attack takes place in these steps
  • Attacker chooses a convenient attack (e.g.
    exploiting buffer overflow, e-mail attachment,..)
    to plant a a trojan horse on a target machine.
  • The attacker repeats this process with many
    targets which will then become what is known as a
    zombie.
  • At some point the attacker choose a victim and
    sends a signal to all zombies launch an attack.

64
Distributed Denial of Service(DDoS)
  • Now the victim, instead of trying to defend
    against one DoS must try to counter n attacks
    from n zombies at once.
  • Zombies can use different attacks. e,.g syn
    flood, smurf

Source FleegerPfleeger)
65
Threats to Active or Mobile Code
  • Code can be pushed to client for execution.
  • A cookie is a data object (not code) that can
    store clients details such as IP address,
    connection details and provides context to
    servers.
  • Most of the time the client can not tell what
    does a cookie contain.
  • Attackers (impersonating as a server) can
    intercept and retrieve cookies.
Write a Comment
User Comments (0)
About PowerShow.com