An Overview of Computer and Network Security CS535, TE/CS 536 Network Security Spring 2005 –...
An Overview of Computer and Network Security
CS535, TE/CS 536 Network Security
Spring 2005 – Lecture 2
A Motivating Example
Requirements of an e-Commerce site:
  Performance: number of concurrent transactions
  Usability: easy-to-follow GUIs, convenience
  Security:
    Secure transmission and storage of customer financial/personal data
    Protect the Web servers and the enterprise network from illegitimate access
    Provide continuous/uninterrupted services
The Internet
OSI model of ISO (seven layers): Application, Presentation, Session, Transport, Network, Data Link, Physical
Internet stack (five layers): Application, Transport, Internet, Data Link, Physical
Protocols by layer:
  Application layer: HTTP, FTP, Telnet, SMTP, DNS
  Transport layer: TCP, UDP
  Internetworking layer: IP, ICMP, ARP, RARP
  Network interface (data link) layer: Ethernet, PPP
  Physical layer
[Figure: layered store-and-forward between User A and User B, with Application, Transport, Network and Link layers at each end]
Problems in implementing security
Vulnerabilities arise from:
  weak design (of the system or of protocols)
  a compromised entity
Heterogeneous networking technologies add to security complexity
Higher-speed communication puts more information at risk in a given time period
The Definition
Security: the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable.
Basic Security Services
Authentication: assurance that the communicating entity is genuine
Data Confidentiality: protection of data from unauthorized access
Data Integrity: trustworthiness of data or resources (no modification or replay)
Availability: ability to use the information or resource upon demand by an authorized entity
Non-repudiation: protection against denial, by the sending or receiving entity, of having communicated
Security Threats and Attacks
A threat is a potential violation of security: flaws in design, implementation, and operation.
An attack is any action that violates security; it is carried out by an adversary.
Attacks are either passive or active.
Eavesdropping - Message Interception (Attack on Confidentiality)
Unauthorized access to information
Packet sniffers and wiretappers
Illicit copying of files and programs
[Figure: S sends to R; an Eavesdropper listens on the path]
Integrity Attack - Tampering With Messages
Stop the flow of the message
Delay and optionally modify the message
Release the message again (replay)
[Figure: S sends to R; a Perpetrator sits on the path]
Authenticity Attack - Fabrication
Unauthorized assumption of another's identity
Generate and distribute objects under this identity
[Figure: a Masquerader sends to R, claiming the message is "from S"]
Attack on Availability
Destroy hardware (cutting fiber) or software
Modify software in a subtle way
Corrupt packets in transit
Blatant denial of service (DoS):
  Crashing the server
  Overwhelming the server (using up its resources)
[Figure: the path from S to R is blocked]
Impact of Attacks
Theft of confidential information
Unauthorized use of network bandwidth and computing resources
Spread of false information
Disruption of legitimate services
All attacks can be related and are dangerous!
Close-knit Attack Family
[Figure: passive attacks (sniff for content; traffic analysis: who is talking) and active attacks (jam/cut it; capture and modify; pretend; re-target), drawn as one connected family]
Security Models of organizations
No security, or security through obscurity
Host security, at the application level; problem: many hosts
Network security: control access to hosts and services
Organizations can be Targets of opportunity (TOO) or Targets of choice (TOC)
Security Policy and Mechanisms
Policy: a statement of what is/is not allowed.
Mechanism: a procedure, tool, or method of enforcing a policy. Implements functions that help prevent, detect, respond to, and recover from security attacks.
Security functions are typically made available to users as a set of security services through APIs or integrated interfaces.
Parameters of security policy (Operational Issues)
Cost-Benefit Analysis
Risk Analysis
Laws and Custom
People issues: e.g. change the password every month?
Security architecture; e.g. a layered approach.
Security Threats and Vulnerabilities
TE/CS 536 Network Security, Dr. Haroon Atique Babri, UMT
Spring 2005 – Lecture 3
Adapted from Dr. Wenke Lee, Georgia Tech
The Security Life-Cycle
Threats -> Policy -> Specification -> Design -> Implementation -> Operation and Maintenance
Taxonomy of Threats
Viruses and Worms
Web features, e.g. cookies (see text)
IP layer attacks
TCP layer attacks
Viruses
A small piece of software that attaches itself to a program (e.g. a spreadsheet) or document.
Each time the program runs, the virus runs.
When a virus runs, it looks for any other executable files in any directory and infects them and/or does something bad.
Virus – what does it look like
  start of original code
  ...
  X-1
  X     jump to Y          (the original statement X has been overwritten by the jump)
  X+1
  ...
  end of original code
  ...
  Y     first statement of virus code
  ...
        statement X of the original code (re-executed here so the host still behaves normally)
  Y+n   jump to X+1
The Rise of Viruses
The spread of PCs in the late 1980s
Use of modem-accessible computer bulletin boards to download programs (or Trojan horses), e.g. games, spreadsheets.
Floppy disks
Types of Viruses
Executable viruses
Infection phase: (1) Designed to get executed first when the host program runs. (2) Looks into memory, and if it finds another program on the disk, adds its code to it. (3) The virus then launches the host program.
Attack phase: activated by some sort of trigger, e.g. a date; does something bad.
Types of Viruses
Boot sector viruses
The boot sector is a small program that tells the computer how to load the rest of the OS.
Transmitted through floppies.
Good news: the huge sizes of today's programs require CDs, and today's OSes protect the boot sector.
Bad news: with CD-RW becoming common, viruses can now spread across CDs.
E-mail Viruses
Move around in e-mail messages; replicate by automatically mailing themselves to people in the victim's e-mail address book.
Melissa (3/99): spread as a Word document uploaded to an Internet newsgroup; took advantage of the VBA macro support built into Microsoft Word.
ILOVEYOU (5/00): code as an attachment (a Visual Basic Script, .vbs); double-clicking allowed it to execute.
Worms
A small piece of software that normally uses computer networks and security holes to replicate itself.
A copy of the worm scans the network for another machine that has a specific security hole, e.g. a buffer overflow.
It copies itself to the new machine using the security hole and ...
Worm – how it spreads (1)
Log into another machine by guessing passwords.
Account names/passwords might be stored in script files to allow a naive user to access remote resources.
Worm – how it spreads (2)
A copy of the worm scans the network for another machine that has a specific security hole, e.g. a buffer overflow.
It copies itself to the new machine using the security hole and ...
Famous Worms
Code Red: each copy scanned the Internet for Windows NT or Windows 2000 servers (running IIS) without the MS security patch installed, and copied itself to the server.
Code Red was designed to do 3 things:
  Replicate itself for the first 20 days of each month
  Replace Web pages on servers with a page: "Hacked by Chinese"
  Launch an attack on www.whitehouse.gov
Slammer: see handout
What to do
Virus checkers: check all files for the instruction sequences (signatures) of known viruses.
  Polymorphic virus: changes the order of instructions, or changes to functionally similar instructions, each time it copies itself, so a fixed signature no longer matches.
Take a snapshot of disk storage by recording file lengths or taking message digests of files.
  A virus can compress the program and then add itself to maintain the original length, so a length-only snapshot misses it; a message digest does not.
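The snapshot idea from this slide, as an added worked example (it is not code from the lecture): a baseline records both length and SHA-256 digest of each file, and a toy, inert "infection" compresses the host and pads the result back to the original length, exactly the trick the slide warns about. The file names and contents are constructed for the example; no real program is touched.

```python
import hashlib
import zlib

# Constructed sample "files": name -> bytes. These are not real programs.
ORIGINAL_FILES = {
    "calc.exe": b"MZ" + b"\x90" * 200 + b"original program body " * 40,
    "sheet.xls": b"\xd0\xcf\x11\xe0" + b"spreadsheet cells " * 30,
}


def snapshot(files):
    """Baseline: record both length and SHA-256 digest for every file."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def simulate_length_preserving_infection(data, payload):
    """Model of the slide's trick: compress the host so host + payload still has
    the original length. Simulation only: the payload is an inert marker string."""
    packed = zlib.compress(data, 9)
    room = len(data) - len(packed)
    if room < len(payload):
        raise ValueError("host does not compress enough to hide the payload")
    return packed + payload + b"\x00" * (room - len(payload))


def check(files, baseline):
    """Compare the current files against the baseline.
    Returns (files whose length changed, files whose digest changed)."""
    length_changed = {}
    digest_changed = {}
    for name, data in files.items():
        old_len, old_digest = baseline[name]
        if len(data) != old_len:
            length_changed[name] = (old_len, len(data))
        if hashlib.sha256(data).hexdigest() != old_digest:
            digest_changed[name] = True
    return length_changed, digest_changed


def demo():
    """Length-only checking misses the modified file; the digest catches it."""
    baseline = snapshot(ORIGINAL_FILES)
    current = dict(ORIGINAL_FILES)
    current["calc.exe"] = simulate_length_preserving_infection(
        ORIGINAL_FILES["calc.exe"], b"INERT-MARKER")
    return check(current, baseline)
```

One caveat a practitioner would add: the baseline itself is a target. If the snapshot file is writable by the same user whose programs got infected, the virus can simply re-snapshot; keep the digests on read-only or offline media.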
What to do
Use the security features provided by a language, e.g. the Java sandbox.
MS security patches?
IP packet attacks (1)
Packet sniffing or snooping
Prevention: data encryption, either link to link or source to destination.
IP Packet Attacks (2) - IP Spoofing
A common first step to many threats.
The source IP address cannot be trusted!
[Figure: IP Header | IP Payload. The header carries SRC: source and DST: destination; in the example SRC: 128.59.10.8, DST: 130.207.7.237]
Is it really from Columbia University?
Similar to mail (or e-mail): From: XYZ, Lahore; To: ABC, Sialkot.
Postal mail may be better in the sense that a stamp is put on the envelope at the location (e.g., town) of collection...
Most Routers Only Care About the Destination Address
[Figure: Columbia (128.59.10.xx) and Georgia Tech (130.207.xx.xx) are each behind a router. A packet with src:128.59.10.8 dst:130.207.7.237 injected from Stanford (36.190.0.xx) is forwarded to Georgia Tech just like one that really came from Columbia]
IP Attacks (3)
Attack packets with spoofed IP addresses help hide the attacking source.
A smurf attack launched with your host's IP address could bring your host and network to their knees.
Higher protocol layers (e.g., TCP) help to protect applications from direct harm, but not enough.
Current IPv4 Infrastructure
No authentication of the source.
Various approaches exist to address the problem:
  Router/firewall filtering
  TCP handshake
Router Filtering
Decide whether a packet with a given source IP address should be arriving from this side of the network.
Not standard; local policy.
[Figure: the Stanford router (36.190.0.xx) sees src:128.59.10.8 dst:130.207.7.237 arriving from its own campus and says: "Hey, you shouldn't be here!"]
Router Filtering
Very effective for some networks (ISPs should always do that!)
At least be sure that the packet is from some particular subnet.
Problems:
  Hard to handle frequent adding/deleting of hosts/subnets, or Mobile IP
  Upsets customers should legitimate packets get discarded
  Need to trust other routers
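Ingress filtering as the slide describes it, as an added worked example (not code from the lecture). The IPv4 header is built and parsed with Python's struct module so that the source field is visibly just 4 bytes the sender fills in; the router check then asks whether that source belongs to a prefix expected on the arrival interface. Assumptions: the interface names, the policy table, and the packets are constructed for the example. Two points the code makes explicit: a correct header checksum only proves the header was not corrupted in transit (the sender computed it over whatever source it chose), and although the slide calls the filter non-standard, the practice was later written down as RFC 2827 / BCP 38, while which prefixes belong on which interface is still local policy.

```python
import ipaddress
import struct


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words, as in RFC 791."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len=0, proto=6, ttl=64):
    """Minimal 20-byte IPv4 header. Anyone able to send raw packets can put any
    address in the source field; the checksum is simply recomputed over it."""
    ver_ihl = (4 << 4) | 5
    fields = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_ipv4_header(raw):
    """Return (src, dst, checksum_ok). Verifying the checksum over the whole
    header, checksum field included, yields 0 when it is intact."""
    ver_ihl, _, _, _, _, _, _, _, s, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ok = ipv4_checksum(raw[:ihl]) == 0
    return str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)), ok


# Constructed router policy (hypothetical interface names): which source
# prefixes may legitimately arrive on each interface. Columbia's prefix must
# never show up on the interface facing Stanford.
INGRESS_POLICY = {
    "if-columbia": [ipaddress.ip_network("128.59.0.0/16")],
    "if-stanford": [ipaddress.ip_network("36.0.0.0/8")],
}


def ingress_allowed(iface, raw, policy=INGRESS_POLICY):
    """The filter from the slide: accept the packet only if its claimed source
    belongs to a prefix expected on the interface it arrived on."""
    src, _, ok = parse_ipv4_header(raw)
    if not ok:
        return False
    return any(ipaddress.ip_address(src) in net for net in policy[iface])
```

The filter only ever tells you that a packet is from "some particular subnet", as the slide says: a host inside 36.0.0.0/8 can still spoof another host in the same prefix, and the policy table has to be kept in step with every subnet change.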
TCP Handshake
client -> server: SYN, seq=x
server -> client: SYN, seq=y, ACK x+1
client -> server: ACK y+1
connection established
TCP Handshake
[Figure: the attacker at Stanford (36.190.0.xx) sends SYN seq=x with src:128.59.10.8 dst:130.207.7.237; the server's SYN seq=y, ACK x+1 goes back to the real 128.59.10.8 at Columbia, not to the attacker]
The handshake prevents the attacker from establishing a TCP connection while pretending to be 128.59.10.8.
TCP Handshake
Very effective for stopping most such attacks, but still vulnerable.
Problems:
  The attacker can succeed if "y" can be predicted.
  Other DoS attacks are still possible (e.g., TCP SYN flood).
IP Spoofing & SYN Flood
IP spoofing: X sends a SYN message to victim R using S's IP address.
R sends an acknowledgment (SYN-ACK) to client S but never receives the ACK message (half-open connection).
The half-open connection data structure on the victim server R eventually fills. R is unable to accept new connections until the table is emptied out.
Normally a timeout for half-open connections allows R to recover. However, X can keep sending IP-spoofed packets requesting new connections faster than R can expire the pending ones.
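The three handshake slides and this SYN-flood slide, as one added worked example (not code from the lecture). A toy listener keeps the bounded half-open table with a timeout; a legitimate client completes the handshake, an off-path attacker spoofing S never sees y and only succeeds when the server's initial sequence number (ISN) generator is predictable, and a flood of spoofed SYNs sent faster than the timeout keeps the table full so a real SYN is dropped. Assumptions: the addresses reuse the slides' 128.59.10.8 and 36.190.0.xx, the "weak" ISN generator (a fixed increment of 64000) and the backlog/timeout numbers are made up, and time is a simulated clock passed in by the caller so the run is deterministic.

```python
import secrets


class TcpListener:
    """Toy model of a listening TCP server: a bounded half-open table,
    a timeout, and a choice of initial-sequence-number source."""

    def __init__(self, backlog=8, timeout=3.0, random_isn=True):
        self.backlog = backlog
        self.timeout = timeout
        self.random_isn = random_isn
        self._last_isn = 0
        self.half_open = {}      # (src_ip, src_port) -> (y, time the SYN arrived)
        self.established = set()
        self.dropped_syns = 0

    def _next_isn(self):
        if self.random_isn:
            return secrets.randbits(32)
        # Weak generator (assumed for the example): a fixed increment, so
        # anyone who has observed one ISN can guess the next one.
        self._last_isn = (self._last_isn + 64000) & 0xFFFFFFFF
        return self._last_isn

    def expire(self, now):
        stale = [k for k, (_, t0) in self.half_open.items() if now - t0 > self.timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src, x, now):
        """Returns the SYN-ACK (seq=y, ack=x+1), which goes to the *claimed*
        source, or None if the table is full and the SYN is dropped."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        y = self._next_isn()
        self.half_open[src] = (y, now)
        return (y, (x + 1) & 0xFFFFFFFF)

    def on_ack(self, src, ack, now):
        """Third message: accepted only if it acknowledges the y sent to src."""
        self.expire(now)
        entry = self.half_open.get(src)
        if entry is None or ack != ((entry[0] + 1) & 0xFFFFFFFF):
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


def legit_connect(server, src, now=0.0):
    """Client really receives the SYN-ACK, so it can echo y+1."""
    reply = server.on_syn(src, secrets.randbits(32), now)
    if reply is None:
        return False
    y, _ = reply
    return server.on_ack(src, (y + 1) & 0xFFFFFFFF, now + 0.01)


def spoofed_connect(server, victim_src, attacker_src, now=0.0):
    """Off-path attacker X sends a SYN claiming to be S. The SYN-ACK goes to S,
    so X never sees y and must guess it. X first opens a real connection of its
    own to observe one ISN: the slide's "y can be predicted" case."""
    observed_y, _ = server.on_syn(attacker_src, 1, now)
    server.on_ack(attacker_src, (observed_y + 1) & 0xFFFFFFFF, now)
    server.on_syn(victim_src, 1000, now + 0.01)          # reply is lost to X
    guess = (observed_y + 64000 + 1) & 0xFFFFFFFF        # bets on the weak generator
    return server.on_ack(victim_src, guess, now + 0.02)


def syn_flood(server, syns_per_second, seconds, now=0.0):
    """X sends SYNs from random spoofed sources. Returns (half-open table size
    at the end, whether a legitimate SYN arriving then is still accepted)."""
    t = now
    step = 1.0 / syns_per_second
    for i in range(int(syns_per_second * seconds)):
        fake_src = ("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255), 40000)
        server.on_syn(fake_src, i, t)
        t += step
    legit = server.on_syn(("128.59.10.8", 5555), 7, t)
    return len(server.half_open), legit is not None
```

Two things the model shows that the slides only state: with a random 32-bit ISN the guess succeeds with probability 2^-32 per attempt, which is why modern stacks randomize ISNs (RFC 6528); and the flood is purely a rate contest between the attacker and the timeout, which is why real stacks stop keeping per-SYN state under load (SYN cookies, not covered by these slides).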
[Figure: ping = ICMP echo request followed by ICMP echo reply. Smurf = the attacker sends an ICMP echo request to a broadcast address with the source set to the victim; ICMP echo replies from all hosts on that network flow to the victim]
Smurf Attack
Generate a ping stream (ICMP echo request) to a network broadcast address with a spoofed source IP set to a victim host.
Every host on the ping target network will generate a ping reply (ICMP echo reply) stream, all towards the victim host.
The amplified ping reply stream can easily overwhelm the victim's network connection.
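The amplification in the smurf slide, as an added worked example (not code from the lecture): a toy LAN in which every host answers echo requests sent to its own address or to the network broadcast address, so one spoofed request to the broadcast address becomes one reply per host, all addressed to the victim. The network prefix (192.0.2.0/24, a documentation range), the host count, and the packets are constructed for the example. The flag forward_directed_broadcast models the standard fix, dropping directed broadcasts at the router (the default recommended by RFC 2644), and the example checks that a normal unicast ping still works with the fix in place.

```python
import ipaddress


class BroadcastNetwork:
    """Toy model of one LAN behind a router. Every host answers an ICMP echo
    request addressed to it, or to the network's broadcast address."""

    def __init__(self, prefix, n_hosts, forward_directed_broadcast):
        self.net = ipaddress.ip_network(prefix)
        self.hosts = [str(h) for _, h in zip(range(n_hosts), self.net.hosts())]
        self.forward_directed_broadcast = forward_directed_broadcast

    def deliver(self, pkt):
        """pkt: dict(src, dst, type). Returns the packets the LAN emits in
        response; replies go to pkt['src'], whoever really sent the request."""
        dst = ipaddress.ip_address(pkt["dst"])
        if pkt["type"] != "echo-request" or dst not in self.net:
            return []
        if dst == self.net.broadcast_address:
            if not self.forward_directed_broadcast:
                return []   # router drops directed broadcasts arriving from outside
            targets = self.hosts
        else:
            targets = [str(dst)] if str(dst) in self.hosts else []
        return [{"src": h, "dst": pkt["src"], "type": "echo-reply"} for h in targets]


def smurf(network, victim_ip, n_requests):
    """Attacker sends n_requests echo requests to the broadcast address with the
    source spoofed to the victim. Returns (replies that reach the victim,
    amplification factor = replies per request)."""
    hits = 0
    for _ in range(n_requests):
        req = {"src": victim_ip,
               "dst": str(network.net.broadcast_address),
               "type": "echo-request"}
        hits += sum(1 for r in network.deliver(req) if r["dst"] == victim_ip)
    return hits, (hits / n_requests if n_requests else 0.0)
```

Note that the two defences on the earlier slides compose: ingress filtering at the attacker's ISP stops the spoofed source from leaving, and dropping directed broadcasts at the amplifying network stops the amplification; either alone defeats this attack.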
Learning about attacks and vulnerabilities
www.cve.mitre.org
www.cert.org
www.sans.org
www.cisecurity.com
www.security-focus.com