www.bestitdocuments.com

1
Internet Security
2
Outline

• Whats the problem?
• How prevalent are security attacks?
• Denial of Service attacks
• Spoofing
• Network applications exposures
• Prevention
• Detection
• Follow up
• Top 12 recommendations

3
Problems

• Complexity of systems
• Patchwork of untrustworthy parts
• Even mature subsystems (Unix, Windows, Word)
  poorly understood
• All systems have errors (buffer overflows,
  unchecked input, inadequate testing )
• Humans are part of the system
• Rapid change introduction of new parts changes
  environment (active content, streaming content)
• Security is in tension with ease of use and
  friendliness, so unpopular

4
Network Vulnerabilities

• ARP cache flooding
• DHCP spoofing
• DNS cannot be trusted
• Little IP address authentication
• Integrity checks are minimal
• Denial of service attacks are easy to stage
• Security not part of original network design
• Changing things (to improve security) breaks
  compatibility

5
DoS flood attacks

• Flooding to provide Denial of Service (DoS)
• DoS attacks deny resources of a remote host or
  networks that would otherwise be used by
  legitimate users
• Flooding attacks overwhelm victims CPU, memory
  or network resources by sending large numbers of
  spurious requests.
• Difficult to tell good requests from bad so
  hard to defend against
• To load network attacker sends small packets as
  fast as possible since most devices are limited
  by packet processing rate and not bandwidth

6
SYN floods

• Attacker loads victims cpu by sending stream of
  TCP SYN packets to a listening TCP port
• For each SYN packet victim must search through
  existing connections if no match allocate a new
  data structure for connection
• Number of connections may be limited in victims
  host, so host can be overwhelmed
• Victim also re-sends SYN/ACK until time limit

7
Distributed Attacks

• More powerful attacks leverage multiple hosts to
  send the SYNs
• i.e. attacker compromises many hosts, installs a
  small attack daemon (bots) on each
• Compromises via buffer overflows, 1 year old
  patchable web server Unicode bug, poorly written
  CGI scripts, etc.
• Attack can then be coordinated from multiple
  hosts focusing on a single victim host

8
IP spoofing

• To conceal identity, thus forestalling an
  effective response, attackers forge (spoof) the
  IP source address of each packet they send
• Often select the IP address at random
• Attack appears to be coming from a third party
• Also can reflect attacks through innocent third
  parties
• Protection
• Dynamic size for connection table
• Decrease timeout for partial connections
• Prevent spoofing across routers

9
ICMP

• RFC 792, clarified in RFCs 1122, 1256, 1349,
  1812
• Smurf
• Spoof source address
• Uses broadcast address to get amplification
• i.e. every host on subnet responds to same source
• e.g. can provoke host unreachable, ttl exceeded
• Dont allow ICMP to go to broadcast address
• Rate limit or block most ICMPs
• BUT lose ping traceroute, watch out for MTU
  discover

10
UDP Security

• Services can often be spoofed as the source of a
  request
• The connectionless nature makes it hard for
  firewalls to protect
• direction of connection not easily determined
• must examine packet contents in application
  dependent fashion

11
ARP

• First host to respond to ARP broadcast wins
• Thus a bad guy can respond quickly and poison
  the recipients cache
• E.g. bad guy can pretend to be router
• No fix.

12
Dynamic Host Configuration Protocol

• DHCP built on UDP, ports 67/68 (see RFC 2131)
• Client is dynamically assigned (leased) an IP
  configuration (IP address, gateway, DNS server,
  domain name etc.)
• Server controls allocation of addresses
• Client must renew periodically
• Can greatly increase ease of configuration
  flexibility decrease maintenance
• BUT
• single client (using spoofed addresses) may use
  up all available IP addresses
• Does not prevent someone using unassigned address
• Rogue machine can respond claim to be router,
  DNS hence intercept all traffic

13
Domain Name Service DNS

• Built on UDP, port 53 (see RFC 1591)
• Maps host names to IP addresses back
• Hierarchical structure - no server for all hosts
• All domains have authoritative name server
• Root name servers maintain server list for all
  subdomains
• Once translated, mapping is cached
• ICANN administers top level domains
• Example, get IP address of www.sun.com
• Check local cache
• Query .com nameserver, get referral to
  ns.sun.com
• Query ns.sun.com
• Cache result return IP address

14
DNS insecurity

• 21 Jan 2001 Yahoo.com Microsoft.com traffic
  redirected. A faulty DNS table appears to be to
  blame for redirecting traffic to MyDomains.com
• Systems may change and the cache is wrong
• Cache may be poisoned by an attacker
• No authorization for change requests
• Attacker can administratively change
  authoritative nameserver and there are few
  checks to prevent it

15
SNMPv1

• Built on UDP
• Community name is passed as clear text

16
Telnet RFC 854

• Built on TCP
• sends passwords in clear text
• often target of sniffers collecting passowrds
• session unencrypted - session may be hijacked
• Use ssh instead
• not all hosts (e.g. some network devices) support
  ssh

17
Prevention

• Need defense in depth.
• Firewalls, filtering router ACLs
• Vulnerability scans
• Look for hosts with OS at a level that can be
  compromised
• Look for ports/applications that should not be
  open
• ISS, freeware from www.nessus.org
• Dont overprotect
• Waste of resources (direct cost)
• Reduced functionality (indirect cost)
• Dont leave backdoor open
• Think like an attacker or find someone who can

18
Filters

• Simple filtering done by Access Control Lists
  (ACLs) in routers
• Filter to deny access to dangerous stuff
• Or Deny all and allow access to approved stuff
• Filters based on header information
• Source/destination address/port
• Protocol
• Rules apply interface direction

19
Firewalls

• Specialized for filtering without routing duties
• Usually easier to configure, have auditing,
  logging, auditing
• Can use for privacy to hide internal network
  addresses
• Many firewalls can maintain state, i.e. maintain
  virtual sessions for UDP and close port when
  connection closes
• Some firewalls can look inside data in packets to
  discover application (e.g. to disallow ActiveX
  controls)
• With all the extra function there can be
  performance issues for high speed networks.

20
Detection

• Host based intrusion detection instrument OS,
  applications, e.g. tripwire (look at what has
  changed), web page defacement detection
• Network based intrusion detection
• Passively sniff on packets and look at flows.
• Look for list suspicious ports/protocols being
  accessed, when, by whom, for how long/much. Keep
  logs going back months
• Possible inappropriate use IRC, Gnutella,
  Napster
• Remote control BackOrifice, subseven, netbus
• dDoS tfn, trinoo
• Look for attack signatures, may look in packet
  contents compare bits with known patterns
• Look for scan signatures like seq of ports, or
  seq of hosts
• Can provide pre-knowledge of signatures of known
  attacks
• Needs constant updates
• Can look for abnormal behavior
• Netflow, ISS, freeware from www.snort.org

21
Notification follow up

• After discovering, have to alert someone by
  pager, email
• Have to worry about false positives
• Need a clear procedure in place for dealing with
  intrusions
• Have to notify management
• May have to take down re-install OS etc.
• May have to cut off from Internet while clean up
• May have to field questions from funding agency,
  press, law enforcement agencies
• Have to do a post-mortem improve processes
• All of the above are painful, want to avoid if
  possible.

22
Requirements

• Make sure the firewall/ACLs are installed,
  working maintained
• Security patches current installed in timely
  manner
• Remove use of clear text passwords (telnet gt
  ssh, email, FTP)
• Change default vendor passwords
• Regularly test security systems processes