Security Basics
-
Systems and Internet Infrastructure Security
Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA
CSE598K/CSE545 - Advanced Network Security - McDaniel Page
Security Basics
CSE598K/CSE545 - Advanced Network Security, Prof. McDaniel - Spring 2008
-
A cautionary tale ...
"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
-
Network Security
Network security covers a spectrum of security from global protections to single-port firewalls. This course will sample from amongst these.
From larger to smaller scope:
Global Security (BGP)
Enterprise Security (VPNs)
Host Security (Personal Firewalls)
-
Network vs. Web
The network is a service ...
A conduit for data to be passed between systems. Layers services (generally) to allow flexibility. Highly scalable. This is a public channel.
The Web is an application
This is an application for viewing/manipulating content. The services it carries are unbounded, e.g., Java. This can either be public (as in CNN's website) or private (as in enterprise internal HR websites).
-
The E2E Argument
Idea: most systems require an end-to-end communication service, but low-level features have costs (performance) incurred by all users ... thus ...
It is important that the features provided at a low level remain very simple ... yielding ...
Smart endpoints ... dumb, minimal network
Consequence: the network is simple and not very receptive to new (often complicated) security services being added into it. Need to implement security as a service (e.g., bump in the stack: IPsec).
-
Challenges
The network is ...
administered unevenly and often poorly
hard to change
very simple
unreliable ...
Not designed to be secure.
-
Security Terms
Guarantees: Confidentiality, Integrity, Non-repudiability, Availability
Attacks: Passive vs. active, Denial of service, Traffic analysis
Make sure you have these in your head!
-
Case Study: Host Access
The first systems used telnet as the primary utility for accessing systems remotely.
Telnet connects across the network on port tcp/23
Remotely gives a user access to the login prompt
Username/password are supplied, and the user is allowed access to a shell
Everything is sent in cleartext across the network (eavesdropping), even the password!
-
RSH/RCP
Remote shell (rsh) was introduced as a means of allowing remote access without having to log in.
Users would assert their identity implicitly in the call, and could invoke whatever scripts were allowed by that machine.
-c: run whatever scripts were needed
The /etc/hosts.equiv file indicates which machines should be allowed to invoke whatever users they want.
The ~/.rhosts file allows users to identify trusted hosts.
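The trust files deserve a closer look, because their syntax is where the "asserted identity" problem lives. The following auditor is an added example (not from the lecture, and not rshd's own code): it parses the `host [user]` line format of /etc/hosts.equiv and ~/.rhosts, answers whether a given remote user and host would be granted passwordless access as a given local user, and flags the wildcard and user-field entries that widen trust. The rule set is a simplified reading of the classic man pages (netgroups and vendor quirks are not modelled, and the interaction between a deny in hosts.equiv and a later .rhosts match is an assumption), and the sample files are constructed.

```python
"""Auditor for rsh trust files (added example, not from the lecture).

A simplified model of /etc/hosts.equiv and ~/.rhosts, close enough to the
classic rules to show why identity asserted by hostname is dangerous:
  hosts.equiv  "host"       any user on host may log in as the same-named local user
  hosts.equiv  "host user"  that user on host may log in as ANY non-root local user
  ~/.rhosts    "host"       the same-named user on host may log in as the file's owner
  ~/.rhosts    "host user"  that user on host may log in as the file's owner
"+" matches any host or user and a leading "-" denies; netgroups (+@name)
are not modelled.  Treat the corner cases as assumptions of this example.
"""
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    host: str
    user: Optional[str]
    deny: bool


def parse_trust_file(text: str) -> List[Entry]:
    """Parse 'host [user]' lines; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        deny = host.startswith("-") or (user is not None and user.startswith("-"))
        entries.append(Entry(host.lstrip("-"), user.lstrip("-") if user else None, deny))
    return entries


def _match(pattern: str, value: str) -> bool:
    return pattern == "+" or pattern.lower() == value.lower()


def _file_allows(entries, remote_host, remote_user, local_user) -> bool:
    # First matching entry decides; a deny entry stops the search.
    for e in entries:
        if not _match(e.host, remote_host):
            continue
        if e.user is None:
            if remote_user.lower() != local_user.lower():
                continue
        elif not _match(e.user, remote_user):
            continue
        return not e.deny
    return False


def is_trusted(hosts_equiv, rhosts, remote_host, remote_user, local_user) -> bool:
    """Would rshd run commands for remote_user@remote_host as local_user
    without a password?  hosts_equiv and rhosts are parsed entry lists;
    rhosts is the ~/.rhosts belonging to local_user."""
    if local_user != "root" and _file_allows(hosts_equiv, remote_host, remote_user, local_user):
        return True  # hosts.equiv never grants root
    return _file_allows(rhosts, remote_host, remote_user, local_user)


def audit(entries, source: str) -> List[str]:
    """Flag entries that make the trust decision depend on a claim from any
    host, or that let one remote user become any local user."""
    findings = []
    for e in entries:
        if e.deny:
            continue
        if e.host == "+":
            findings.append(f"{source}: '+' host entry trusts every machine that can reach rshd")
        if e.user == "+":
            findings.append(f"{source}: '+' user entry trusts every account on {e.host}")
        if source == "hosts.equiv" and e.user not in (None, "+"):
            findings.append(f"{source}: user {e.user} on {e.host} may log in as any non-root user")
    return findings


# Constructed sample files, not taken from any real system.
HOSTS_EQUIV = parse_trust_file("""
# trusted build machine: same-named accounts only
build01.example.test
# backup account from anywhere: the kind of entry this audit exists to find
+ backup
""")
RHOSTS_ALICE = parse_trust_file("""
laptop.example.test
workstation.example.test bob
""")


if __name__ == "__main__":
    for src, ents in (("hosts.equiv", HOSTS_EQUIV), ("alice/.rhosts", RHOSTS_ALICE)):
        for finding in audit(ents, src):
            print("WARNING", finding)
    print(is_trusted(HOSTS_EQUIV, RHOSTS_ALICE, "unknown.example.test", "backup", "alice"))
```

Note that every decision above rests on the hostname the peer resolves to and the username the peer claims in the request; nothing in the files can verify either, which is the point the next slide makes.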
-
Problems?
Of course both of these models were terrible from a security standpoint:
User identities could simply be asserted
Traffic could be eavesdropped
Passwords could be guessed
Sadly, this was the standard in remote access until about 2000.
-
SSH
Secure shell (ssh) - an alternative to telnet that looks and feels just like telnet!
The difference is that it transparently uses cryptographic keys to provide confidentiality, integrity, and authentication.
Concepts:
Each machine has an identity, recorded by each user
Every user has an identity, stored in each user's home directory
They perform mutual authentication at startup, negotiate session keys, and use them to secure all the session communication.
-
SSH
Server configuration files:
/etc/ssh/ssh_host_key.pub (public key identifying the host)
~/.ssh/authorized_keys2 (public keys of users)
Client configuration files:
~/.ssh/known_hosts2 (public keys of known hosts)
~/.ssh/id_dsa (private key of the user)
-
SSH Authentication
Client -> Server: (1) SSH_MSG_USERAUTH_REQUEST (user, service, ...)
Server -> Client: (2) SSH_MSG_USERAUTH_INFO_REQUEST (user, authtype, prompt, challenge, ...)
Client -> Server: (3) SSH_MSG_USERAUTH_INFO_RESPONSE (user, response, ...)
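The three messages above are the keyboard-interactive exchange of RFC 4252/4256. The following is an added example (not from the lecture and not OpenSSH code) that builds and parses them with the SSH wire types (byte, uint32, boolean, and string as a 4-byte length prefix plus bytes), then runs both sides of the exchange against a constructed user table. The messages are shown in the clear here; in a real session they ride inside the transport layer's encrypted and integrity-protected packets, which are negotiated before authentication begins, so the answer to the password prompt never crosses the network readable, unlike the telnet case.

```python
"""SSH keyboard-interactive userauth messages, RFC 4252 / RFC 4256 layout.

Added example, not from the lecture or from OpenSSH.  Message numbers and
field order follow the RFCs; the server-side user table is constructed.
"""
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_INFO_REQUEST = 60
SSH_MSG_USERAUTH_INFO_RESPONSE = 61


def _string(b: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _s(text: str) -> bytes:
    return _string(text.encode("utf-8"))


class Reader:
    """Sequential decoder for the SSH wire types used below."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def byte(self) -> int:
        v = self.buf[self.pos]
        self.pos += 1
        return v

    def uint32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def text(self) -> str:
        n = self.uint32()
        if self.pos + n > len(self.buf):
            raise ValueError("string length exceeds message")
        v = self.buf[self.pos:self.pos + n]
        self.pos += n
        return v.decode("utf-8")


def encode_userauth_request(user: str, service: str, submethods: str = "") -> bytes:
    # (1) client -> server: user name, service name, method, language tag, submethods
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + _s(user) + _s(service)
            + _s("keyboard-interactive") + _s("") + _s(submethods))


def encode_info_request(name: str, instruction: str, prompts) -> bytes:
    # (2) server -> client: prompts; echo=False tells the client to hide the input
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST]) + _s(name) + _s(instruction) + _s("")
    out += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        out += _s(text) + bytes([1 if echo else 0])
    return out


def encode_info_response(responses) -> bytes:
    # (3) client -> server: one response per prompt, in prompt order
    out = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    for r in responses:
        out += _s(r)
    return out


def parse_message(buf: bytes) -> dict:
    r = Reader(buf)
    t = r.byte()
    if t == SSH_MSG_USERAUTH_REQUEST:
        return {"type": t, "user": r.text(), "service": r.text(), "method": r.text(),
                "language": r.text(), "submethods": r.text()}
    if t == SSH_MSG_USERAUTH_INFO_REQUEST:
        msg = {"type": t, "name": r.text(), "instruction": r.text(), "language": r.text()}
        msg["prompts"] = [(r.text(), r.byte() != 0) for _ in range(r.uint32())]
        return msg
    if t == SSH_MSG_USERAUTH_INFO_RESPONSE:
        return {"type": t, "responses": [r.text() for _ in range(r.uint32())]}
    raise ValueError(f"unexpected message type {t}")


# Constructed server-side credential table; a real sshd defers to PAM/shadow.
USERS = {"alice": "correct horse battery staple"}


def server_handle_request(wire: bytes):
    """Server step for message (1): returns the user and message (2) to send."""
    req = parse_message(wire)
    if req["method"] != "keyboard-interactive":
        raise ValueError("only keyboard-interactive is modelled here")
    return req["user"], encode_info_request("", "", [("Password: ", False)])


def server_verify(user: str, wire: bytes) -> bool:
    """Server step for message (3): constant-time compare against the table."""
    resp = parse_message(wire)
    expected = USERS.get(user)
    return (expected is not None and len(resp["responses"]) == 1
            and hmac.compare_digest(expected, resp["responses"][0]))


def run_exchange(user: str, password: str) -> bool:
    """Drive messages (1), (2), (3) between a simulated client and server."""
    user_seen, info_req_wire = server_handle_request(encode_userauth_request(user, "ssh-connection"))
    prompts = parse_message(info_req_wire)["prompts"]
    answers = [password for _ in prompts]  # the client answers each prompt in order
    return server_verify(user_seen, encode_info_response(answers))
```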
-
What it means?
Security model of ssh:
I can configure a .rhosts if you want, but it is no longer forgeable. Note: you can still use a password if the host is not configured.
You authenticate hosts based on the first interaction: build a map of known identities over time, and get warned when the identity changes (typically upon reinstall or refresh; most ignore the warning).
Can't solve:
Password cracking
Traffic analysis
Covert channels
Thus: a limited but highly usable way to access hosts.
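The "authenticate hosts based on first interaction" model, and the known_hosts file from the configuration slide, are small enough to show end to end. The following is an added example (not from the lecture and not OpenSSH code) of a trust-on-first-use host store in the plain, unhashed known_hosts layout (`hostname keytype base64-key`): the first key seen for a host is recorded, a later match is accepted silently, and a changed key is reported as a mismatch that must abort the connection. The fingerprint format follows what OpenSSH prints (SHA-256 of the key blob, base64 without padding, prefixed `SHA256:`); the key blobs are constructed bytes, not real keys.

```python
"""Trust-on-first-use host identity store in the style of ~/.ssh/known_hosts.

Added example, not OpenSSH code.  Each stored line is
"hostname keytype base64-key" (the plain, unhashed known_hosts layout).
"""
import base64
import hashlib
from typing import Dict, Tuple


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256: + unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    def __init__(self, text: str = ""):
        self.entries: Dict[Tuple[str, str], bytes] = {}  # (host, keytype) -> key blob
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            host, keytype, b64 = line.split()[:3]
            self.entries[(host, keytype)] = base64.b64decode(b64)

    def dump(self) -> str:
        """Serialise back to the known_hosts line format."""
        return "\n".join(f"{h} {t} {base64.b64encode(k).decode()}"
                         for (h, t), k in self.entries.items())

    def check(self, host: str, keytype: str, key_blob: bytes) -> str:
        """Return 'new', 'match' or 'MISMATCH'.

        'new'      first interaction: the key is recorded and trusted from now on
        'match'    the host presented the key seen before
        'MISMATCH' the host's identity changed; the client must refuse to connect
                   until the new fingerprint is verified out of band
        """
        known = self.entries.get((host, keytype))
        if known is None:
            self.entries[(host, keytype)] = key_blob
            return "new"
        if known == key_blob:
            return "match"
        return "MISMATCH"


def connect(store: KnownHosts, host: str, keytype: str, key_blob: bytes) -> bool:
    """Client-side policy around the check: proceed on new/match, abort on mismatch."""
    verdict = store.check(host, keytype, key_blob)
    if verdict == "MISMATCH":
        old = fingerprint(store.entries[(host, keytype)])
        print(f"WARNING: host key for {host} changed; known {old}, "
              f"offered {fingerprint(key_blob)}; refusing to connect")
        return False
    if verdict == "new":
        print(f"Permanently added {host} ({keytype}) {fingerprint(key_blob)} to known hosts")
    return True


if __name__ == "__main__":
    # Constructed key blobs, not real public keys.
    key_v1 = b"\x00\x00\x00\x07ssh-rsa" + bytes(range(32))
    key_v2 = b"\x00\x00\x00\x07ssh-rsa" + bytes(range(32, 64))
    store = KnownHosts()
    print(connect(store, "gw.example.test", "ssh-rsa", key_v1))  # first use: recorded
    print(connect(store, "gw.example.test", "ssh-rsa", key_v1))  # same key: silent
    print(connect(store, "gw.example.test", "ssh-rsa", key_v2))  # reinstall or attack: refused
    print(store.dump())
```

The limitation the slide names is visible in the code: on the very first interaction there is nothing to compare against, so the model is only as good as the fingerprint check the user performs at that moment, and a mismatch after a reinstall looks identical to a mismatch caused by an interposed host.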