An Overview of Computer and Network Security

CS535, TE/CS 536 Network Security

Spring 2005 – Lecture 2
Posted: 18-Dec-2015

Page 1: An Overview of Computer and Network Security CS535, TE/CS 536 Network Security Spring 2005 – Lecture 2.

Page 2

A Motivating Example

Requirements of an e-Commerce site:
- Performance: # of current transactions
- Usability: easy-to-follow GUIs, convenience
- Security:
  - Secure transmission and storage of customer financial/personal data
  - Protect the Web servers and the enterprise network from illegitimate access
  - Provide continuous/uninterrupted services

Page 3

The Internet

OSI of ISO:
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical

Internet Stack:
- Application Layer
- Transport
- Internet
- Data Link
- Physical

Page 4

Page 5

Protocols
- Application layer: HTTP, FTP, Telnet, SMTP, DNS
- Transport layer: TCP, UDP
- Internetworking layer: IP, ICMP, ARP, RARP
- Network interface (data link) layer: Ethernet, PPP
- Physical layer

Page 6

Layered Store-and-forward

[Figure: User A and User B, each with Application, Transport, Network and Link layers]

Page 7

Page 8

Problems in implementing security
- Vulnerabilities arise from:
  - weak design (of system or protocols)
  - compromised entity
- Heterogeneous networking technologies add to security complexity
- Higher-speed communication puts more information at risk in a given time period

Page 9

The Definition

Security: the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable.

Page 10

Basic Security Services
- Authentication: assurance that the communicating entity is genuine
- Data Confidentiality: protection of data from unauthorized access
- Data Integrity: trustworthiness of data or resources (no modification or replay)
- Availability: ability to use the information or resource upon demand by an authorized entity
- Non-repudiation: protection against denial by sending or receiving entities of having communicated

Page 11

Security Threats and Attacks
- A threat is a potential violation of security.
  - Flaws in design, implementation, and operation.
- An attack is any action that violates security.
  - An adversary
  - Passive and active attacks

Page 12

Eavesdropping - Message Interception (Attack on Confidentiality)
- Unauthorized access to information
- Packet sniffers and wiretappers
- Illicit copying of files and programs

[Figure: S sends to R; an eavesdropper reads the message on the path]

Page 13

Integrity Attack - Tampering With Messages
- Stop the flow of the message
- Delay and optionally modify the message
- Release the message again (replay)

[Figure: S sends to R; a perpetrator sits on the path]

Page 14

Authenticity Attack - Fabrication
- Unauthorized assumption of other's identity
- Generate and distribute objects under this identity

[Figure: a masquerader sends to R a message labelled "from S"]

Page 15

Attack on Availability
- Destroy hardware (cutting fiber) or software
- Modify software in a subtle way
- Corrupt packets in transit
- Blatant denial of service (DoS):
  - Crashing the server
  - Overwhelm the server (use up its resources)

[Figure: S and R, with the path between them disrupted]

Page 16

Impact of Attacks
- Theft of confidential information
- Unauthorized use of:
  - Network bandwidth
  - Computing resources
- Spread of false information
- Disruption of legitimate services

All attacks can be related and are dangerous!

Page 17

Close-knit Attack Family

[Figure: Passive attacks: sniff for content; traffic analysis (who is talking). Active attacks: jam/cut it; capture & modify; pretend; re-target.]

Page 18

Security Models of organizations
- No security or security through obscurity
- Host security
  - Application level
  - Problem: many hosts
- Network security
  - Control access to hosts and services
- Organizations can be Targets of opportunity (TOO) or Targets of choice (TOC)

Page 19

Security Policy and Mechanisms
- Policy: a statement of what is/is not allowed.
- Mechanism: a procedure, tool, or method of enforcing a policy. Implements functions that help prevent, detect, respond to and recover from security attacks.
- Security functions are typically made available to users as a set of security services through APIs or integrated interfaces.

Page 20

Parameters of security policy (Operational Issues)
- Cost-Benefit Analysis
- Risk Analysis
- Laws and Custom
- People issues: e.g. change password every month?
- Security architecture; e.g. a layered approach.

Page 21

Page 22

Security Threats and Vulnerabilities

TE/CS 536 Network Security

Dr. Haroon Atique Babri, UMT

Spring 2005 – Lecture 3

Adapted from Dr. Wenke Lee, Georgia Tech

Page 23

The Security Life-Cycle

Threats -> Policy -> Specification -> Design -> Implementation -> Operation and Maintenance

Page 24

Taxonomy of Threats
- Viruses and Worms
- Web features, e.g. cookies (see text)
- IP layer attacks
- TCP layer attacks

Page 25

Viruses
- A small piece of software that attaches itself to a program (e.g. a spreadsheet) or document.
- Each time the program runs, the virus runs.
- When a virus runs, it looks for any other executable files in any directory and infects them and/or does something bad.

Page 26

Virus – what does it look like

[Figure: layout of an infected program]

    Start of original code
    ...
    X-1
    X      jump to Y
    X+1
    ...
    end of original code
    ...
    Y      first statement of virus code
    ...
           statement X in original code
    Y+n    jump to X+1

Page 27

The Rise of Viruses
- The spread of PCs in the late 1980s
- Use of modem-accessible computer bulletin boards to download programs (or Trojan horses), e.g. games, spreadsheets.
- Floppy disks

Page 28

Types of Viruses
- Executable
  - Infection phase: (1) Designed to get executed first when the host program runs. (2) Looks into memory, and if it finds another program on the disk, it adds its code to it. (3) The virus then launches the host program.
  - Attack phase: activated by some sort of trigger, e.g. date, does something bad.

Page 29

Types of Viruses
- Boot sector viruses
  - The boot sector is a small program that tells the computer how to load the rest of the OS.
  - Transmitted through floppies
  - Good news: huge sizes of today's programs require CDs, and today's OSes protect the boot sector.
  - Bad news: with CD-RW becoming common, viruses now can spread across CDs

Page 30

E-mail Viruses
- Moves around in e-mail messages; replicates by automatically mailing itself to people in the victim's e-mail address book.
- Melissa (3/99): spread as a Word doc uploaded to an Internet newsgroup.
- ILOVEYOU (5/00): code as an attachment; double clicking allowed it to execute; took advantage of VBA built in Microsoft Word.

Page 31

Worms
- A small piece of software that normally uses computer networks and security holes to replicate itself.
- A copy of the worm scans the network for another machine that has a specific security hole, e.g. buffer overflow.
- It copies itself to the new machine using the security hole and …

Page 32

Worm – how it spreads (1)
- Log into another machine by guessing passwords.
- Account name/passwords might be stored in script files to allow a naïve user to access remote resources remotely.

Page 33

Worm – how it spreads (2)
- A copy of the worm scans the network for another machine that has a specific security hole, e.g. buffer overflow.
- It copies itself to the new machine using the security hole and …

Page 34

Famous Worms
- Code Red: each copy scanned the Internet for Win NT or Win 2000 servers without the MS security patch installed, and copied itself to the server.
- Code Red was designed to do 3 things:
  - Replicate itself for the first 20 days of each month
  - Replace Web pages on servers with a page: "Hacked by Chinese"
  - Launch attack on www.whitehouse.gov
- Slammer: see handout

Page 35

What to do
- Virus checkers: check all files for the instruction sequences of known viruses
  - Polymorphic virus: changes order of instructions, or changes to functionally similar instructions each time it copies itself.
- Take a snapshot of disk storage by recording file lengths or taking message digests of files
  - Virus can compress the program and then add itself to maintain original length.
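The snapshot idea from the slide, worked as an added example (not code from the lecture): record each file's length and a message digest, then compare. It models the length-preserving trick the slide mentions as compress-then-pad on a constructed in-memory "disk" (nothing executable is built), and shows that the digest check catches what the length check misses.

```python
import hashlib
import zlib
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]   # file name -> (length, SHA-256 hex digest)

# Constructed in-memory "disk" standing in for the file system, so this runs offline.
ORIGINAL_PROGRAM = b"PROGRAM: print('hello world')\n" * 40   # repetitive, so very compressible
MARKER = b"<<constructed marker standing in for added code; not executable>>"


def take_snapshot(disk: Dict[str, bytes]) -> Snapshot:
    """Record both checks the slide names: the length and a message digest of each file."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in disk.items()}


def changed_files(snap: Snapshot, disk: Dict[str, bytes], use_digest: bool) -> List[str]:
    """Compare the current disk with the snapshot. With use_digest=False only
    lengths are compared; with use_digest=True the digest is checked as well."""
    changed = []
    for name, data in sorted(disk.items()):
        if name not in snap:
            changed.append(name)            # file appeared after the snapshot
            continue
        old_len, old_digest = snap[name]
        if len(data) != old_len:
            changed.append(name)
        elif use_digest and hashlib.sha256(data).hexdigest() != old_digest:
            changed.append(name)
    return changed


def length_preserving_tamper(program: bytes, extra: bytes) -> bytes:
    """Model of the evasion the slide describes: compress the program, append the
    extra bytes, and pad so the file length is unchanged. Constructed model only."""
    body = zlib.compress(program, 9) + extra
    if len(body) > len(program):
        raise ValueError("program not compressible enough to hide the extra bytes")
    return body + b"\0" * (len(program) - len(body))


def demo() -> Tuple[List[str], List[str]]:
    """Returns (files flagged by the length-only check, files flagged by the digest check)."""
    disk = {"app.exe": ORIGINAL_PROGRAM, "notes.txt": b"plain text\n"}
    snap = take_snapshot(disk)
    disk["app.exe"] = length_preserving_tamper(disk["app.exe"], MARKER)
    return changed_files(snap, disk, use_digest=False), changed_files(snap, disk, use_digest=True)


if __name__ == "__main__":
    print(demo())   # the length-only check misses app.exe; the digest check catches it
```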

Page 36

What to do
- Use security features provided by a language
  - Java sandbox
- MS security patches?

Page 37

IP packet attacks (1)
- Packet sniffing or snooping
- Prevention: data encryption
  - link to link
  - source to destination

Page 38

IP Packet Attacks (2) - IP Spoofing
- A common first step to many threats.
- Source IP address cannot be trusted!

[Figure: an IP packet is an IP Header (SRC: source, DST: destination) followed by the IP Payload; example header SRC: 128.59.10.8, DST: 130.207.7.237. Is it really from Columbia University?]

Page 39

Similar to Mail (or E-mail)

    From: XYZ, Lahore
    To:   ABC, Sialkot

Mail may be better in the sense that there is a stamp put on the envelope at the location (e.g., town) of collection...

Page 40

Most Routers Only Care About Destination Address

[Figure: three networks, each behind a router (Rtr): Columbia 128.59.10.xx, Georgia Tech 130.207.xx.xx and Stanford 36.190.0.xx. A packet with src:128.59.10.8 dst:130.207.7.237 injected on the Stanford side is forwarded to Georgia Tech just like the genuine one from Columbia.]

Page 41

IP Attacks (3)
- Attack packets with spoofed IP address help hide the attacking source.
- A smurf attack launched with your host IP address could bring your host and network to their knees.
- Higher protocol layers (e.g., TCP) help to protect applications from direct harm, but not enough.

Page 42

Current IPv4 Infrastructure
- No authentication for the source
- Various approaches exist to address the problem:
  - Router/firewall filtering
  - TCP handshake

Page 43

Router Filtering
- Decide whether this packet, with a certain source IP address, should come from this side of the network.
- Not standard - local policy.

[Figure: Stanford's router (36.190.0.xx Rtr) sees a packet src:128.59.10.8 dst:130.207.7.237 arriving from the Stanford side: "Hey, you shouldn't be here!"]

Page 44

Router Filtering
- Very effective for some networks (ISPs should always do that!)
- At least be sure that this packet is from some particular subnet
- Problems:
  - Hard to handle frequent add/delete of hosts/subnets or Mobile IP
  - Upsets customers should legitimate packets get discarded
  - Need to trust other routers
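The ingress check from the last two slides as an added example (not the lecture's code): a per-interface table of expected source prefixes decides whether a packet "should come from this side of the network". The interface names and the /24 and /16 prefixes standing in for the slides' 128.59.10.xx, 130.207.xx.xx and 36.190.0.xx are assumptions; the last sample packet shows the operational problem the slide lists, a legitimate host in a not-yet-registered subnet being dropped until the table is updated.

```python
import ipaddress
from typing import Dict, List, Tuple

IngressTable = Dict[str, List[ipaddress.IPv4Network]]

# Constructed per-interface table of the source prefixes expected on each side.
# The x's on the slides are taken as /24 and /16 prefixes (an assumption).
INGRESS_TABLE: IngressTable = {
    "columbia":     [ipaddress.ip_network("128.59.10.0/24")],
    "georgia_tech": [ipaddress.ip_network("130.207.0.0/16")],
    "stanford":     [ipaddress.ip_network("36.190.0.0/24")],
}


def ingress_allowed(table: IngressTable, iface: str, src: str) -> bool:
    """Local policy, not a standard: a packet is accepted on `iface` only if its
    source address belongs to a prefix expected on that side of the network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(iface, []))


def filter_packets(table: IngressTable,
                   packets: List[Tuple[str, str, str]]) -> List[str]:
    """Apply the check to (ingress interface, src, dst) tuples: 'forward' or 'drop' each."""
    return ["forward" if ingress_allowed(table, iface, src) else "drop"
            for iface, src, dst in packets]


def add_prefix(table: IngressTable, iface: str, prefix: str) -> None:
    """The operational cost the slide mentions: every added subnet (or roaming
    Mobile IP host) needs a table update before its packets are forwarded."""
    table.setdefault(iface, []).append(ipaddress.ip_network(prefix))


# Constructed sample traffic: the slide's spoofed packet plus legitimate ones.
SAMPLE_PACKETS = [
    ("stanford", "128.59.10.8", "130.207.7.237"),  # claims Columbia, arrives from Stanford
    ("columbia", "128.59.10.8", "130.207.7.237"),  # genuine Columbia host
    ("stanford", "36.190.0.5", "130.207.7.237"),   # genuine Stanford host
    ("stanford", "36.191.4.2", "130.207.7.237"),   # newly added Stanford subnet, not in table yet
]

if __name__ == "__main__":
    print(filter_packets(INGRESS_TABLE, SAMPLE_PACKETS))   # last decision is a false drop
    add_prefix(INGRESS_TABLE, "stanford", "36.191.4.0/24")
    print(filter_packets(INGRESS_TABLE, SAMPLE_PACKETS))   # fixed once the table is updated
```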

Page 45

TCP Handshake

[Figure: three-way handshake between client and server]

    client  --- SYN seq=x ------------------>  server
    client  <-- SYN seq=y, ACK x+1 ----------  server
    client  --- ACK y+1 -------------------->  server
    connection established

Page 46

TCP Handshake

[Figure: the same three networks (Columbia 128.59.10.xx, Georgia Tech 130.207.xx.xx, Stanford 36.190.0.xx), each behind a router. An attacker on the Stanford side sends a SYN (seq=x) with src:128.59.10.8 dst:130.207.7.237; Georgia Tech's reply, SYN seq=y, ACK x+1, goes to 128.59.10.8 at Columbia, not to the attacker.]

The handshake prevents the attacker from establishing a TCP connection pretending to be 128.59.10.8.

Page 47

TCP Handshake
- Very effective for stopping most such attacks, but vulnerable
- Problems:
  - The attacker can succeed if "y" can be predicted
  - Other DoS attacks are still possible (e.g., TCP SYN-flood)

Page 48

IP Spoofing & SYN Flood
- IP spoofing: X sends a SYN message to victim R using S's IP
- R sends an acknowledgment (SYN-ACK) to client S but does not receive the ACK message (half-open connection).
- The half-open connections data structure on the victim server R eventually fills. R is unable to accept new connections until the table is emptied out.
- Normally a timeout for half-open connections allows R to recover. However, X can continue sending IP-spoofed packets requesting new connections faster than R can expire the pending connections.
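The slide's argument about R's half-open table, worked as an added example (a constructed model, not any real TCP stack's code): a table with a fixed number of slots and a timeout, fed with spoofed SYNs that are never acknowledged plus one legitimate client per second. The capacity (1000 slots), timeout (10 s) and rates are assumed values; the simulation shows legitimate connections being refused exactly when spoofed SYNs arrive faster than the timeout expires them, and `table_fills` is the closed-form version of the same condition.

```python
from collections import OrderedDict
from typing import Tuple


class HalfOpenTable:
    """Model of the victim's pending (half-open) connection table: a fixed number of
    slots and a timeout after which an unanswered SYN-ACK is expired. Times are in
    integer milliseconds so the simulation is deterministic."""

    def __init__(self, capacity: int, timeout_ms: int):
        self.capacity = capacity
        self.timeout_ms = timeout_ms
        self.pending = OrderedDict()    # (src, sport) -> arrival time, oldest first
        self.refused = 0

    def expire(self, now_ms: int) -> None:
        # Entries are in arrival order, so only the head needs checking.
        while self.pending and now_ms - next(iter(self.pending.values())) >= self.timeout_ms:
            self.pending.popitem(last=False)

    def on_syn(self, now_ms: int, src: str, sport: int) -> bool:
        """R receives a SYN and would send a SYN-ACK; False if the table is full."""
        self.expire(now_ms)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[(src, sport)] = now_ms
        return True

    def on_ack(self, now_ms: int, src: str, sport: int) -> bool:
        """The final ACK arrived: the connection leaves the half-open table."""
        self.expire(now_ms)
        return self.pending.pop((src, sport), None) is not None


def table_fills(syn_rate: float, timeout_s: float, capacity: int) -> bool:
    """Closed form of the slide's argument: spoofed SYNs arriving faster than they
    expire fill the table once rate * timeout exceeds the number of slots."""
    return syn_rate * timeout_s > capacity


def simulate(spoofed_syn_rate: int, timeout_s: int, capacity: int, seconds: int) -> Tuple[int, int]:
    """Spoofed SYNs (never followed by an ACK) arrive at `spoofed_syn_rate` per second;
    one legitimate client per second sends a SYN and answers the SYN-ACK 50 ms later.
    Returns (legitimate connections established, legitimate connections refused)."""
    interval_ms = 1000 // spoofed_syn_rate
    events = []                                   # (time_ms, kind, src, sport)
    for k in range(spoofed_syn_rate * seconds):
        events.append((k * interval_ms, "syn", "spoofed", k))
    for t in range(seconds):                      # constructed legitimate client 10.0.0.1
        events.append((t * 1000 + 302, "syn", "10.0.0.1", 40000 + t))
        events.append((t * 1000 + 352, "ack", "10.0.0.1", 40000 + t))
    events.sort()
    table = HalfOpenTable(capacity, timeout_s * 1000)
    established = refused = 0
    for now_ms, kind, src, sport in events:
        if kind == "syn":
            if not table.on_syn(now_ms, src, sport) and src != "spoofed":
                refused += 1
        elif table.on_ack(now_ms, src, sport):
            established += 1
    return established, refused


if __name__ == "__main__":
    print(table_fills(50, 10, 1000), simulate(50, 10, 1000, 30))    # False (30, 0)
    print(table_fills(200, 10, 1000), simulate(200, 10, 1000, 30))  # True (5, 25)
```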

Page 49

[Figure: ping: icmp echo request from the sender, icmp echo reply back. smurf: the attacker sends an icmp echo request to a broadcast address with the source set to the victim; icmp echo replies from all hosts go to the victim.]

Page 50

Smurf Attack
- Generate a ping stream (ICMP echo request) to a network broadcast address with a spoofed source IP set to a victim host
- Every host on the ping target network will generate a ping reply (ICMP echo reply) stream, all towards the victim host
- The amplified ping reply stream can easily overwhelm the victim's network connection
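Detection logic for both ends of the smurf pattern, as an added example (not from the lecture): from a sensor's view, flag echo requests addressed to one of its own networks' broadcast addresses (our network being used as the amplifier) and destinations receiving echo replies from many distinct hosts (the victim). The watched /24 prefixes and the sample ICMP records are constructed.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed: networks this sensor watches; the slides' 130.207.xx.xx and
# 36.190.0.xx are taken as /24 prefixes here (an assumption).
LOCAL_NETWORKS = [ipaddress.ip_network("130.207.7.0/24"),
                  ipaddress.ip_network("36.190.0.0/24")]
ECHO_REQUEST, ECHO_REPLY = 8, 0      # ICMP type numbers


def to_local_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of one of the watched networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETWORKS)


def analyse_icmp(records: List[Tuple[str, str, int]],
                 reply_threshold: int = 3) -> Tuple[Dict[str, int], Dict[str, int]]:
    """records are (src, dst, icmp_type). Returns (amplifier, victims):
    amplifier: echo requests to a local broadcast address, counted per claimed source
               (the address that will receive the amplified replies);
    victims:   destinations receiving echo replies from >= reply_threshold distinct hosts."""
    amplifier: Dict[str, int] = defaultdict(int)
    repliers: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, icmp_type in records:
        if icmp_type == ECHO_REQUEST and to_local_broadcast(dst):
            amplifier[src] += 1
        elif icmp_type == ECHO_REPLY:
            repliers[dst].add(src)
    victims = {dst: len(hosts) for dst, hosts in repliers.items() if len(hosts) >= reply_threshold}
    return dict(amplifier), victims


# Constructed sample records: a request to the broadcast address claiming the slides'
# Columbia host as source, the replies converging on it, and one ordinary unicast ping.
SAMPLE_RECORDS = [
    ("128.59.10.8", "130.207.7.255", ECHO_REQUEST),
    ("128.59.10.8", "130.207.7.255", ECHO_REQUEST),
    ("130.207.7.10", "128.59.10.8", ECHO_REPLY),
    ("130.207.7.11", "128.59.10.8", ECHO_REPLY),
    ("130.207.7.12", "128.59.10.8", ECHO_REPLY),
    ("130.207.7.13", "128.59.10.8", ECHO_REPLY),
    ("36.190.0.5", "130.207.7.237", ECHO_REQUEST),
    ("130.207.7.237", "36.190.0.5", ECHO_REPLY),
]

if __name__ == "__main__":
    print(analyse_icmp(SAMPLE_RECORDS))
```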

Page 51

Learning about attacks and vulnerabilities
- www.cve.mitre.org
- www.cert.org
- www.sans.org
- www.cisecurity.com
- www.security-focus.com