
Page 1: Week 15:  Chapter 7

Week 15-1

Week 15: Chapter 7

• Security in Networks

Page 2: Week 15:  Chapter 7

Week 15: Sec. 7.1 Network Concepts

• Networks can be anything from a simple LAN to a WAN.
• The kinds of media used for communications vary from copper to optical fiber to microwave/satellite and air.
• The agreed-on set of rules governing communications is called a protocol.
• The ISO has an architecture model composed of 7 layers.
• The TCP/IP protocol only has 5 layers (note I disagree with the author of our text who says 4 layers). They are:
  – Application - Layer 5 (FTP, Telnet, E-mail, HTTP)
  – Transport - Layer 4 (UDP or TCP; contains port addresses)
  – Internet - Layer 3 (logical addresses, IP)
  – Network Interface - Layer 2 (MAC addresses - hardware frame)
  – Physical - Layer 1 (signaling of bits)

Page 3: Week 15:  Chapter 7

Week 15: Sec. 7.1 Network Concepts Continued

• Addressing:
  – The NIC (network interface card) address - 2 or 6 bytes - Network (Layer 2)
  – The device IP address - 4 bytes (IPv4), 16 bytes (IPv6) - Internet (Layer 3)
  – The port address - 2 bytes - Transport (Layer 4)
• Why have a separate NIC and IP address?
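The layering and the three address sizes above can be seen directly in a raw frame. The following Go program is an added example, not material from the slides: it walks one constructed Ethernet/IPv4/UDP frame from layer 2 upward, recovering the 6-byte MACs, 4-byte IP addresses and 2-byte ports, and checks every length field plus the IPv4 header checksum before trusting the bytes. The frame contents, addresses and the Layers/ParseFrame names are all made up for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Layers holds the address carried at each layer of one Ethernet/IPv4 frame:
// 6-byte MAC addresses (layer 2), 4-byte IP addresses (layer 3) and 2-byte
// port numbers (layer 4).
type Layers struct {
	SrcMAC, DstMAC   net.HardwareAddr
	SrcIP, DstIP     net.IP
	Protocol         uint8 // IP protocol number: 6 = TCP, 17 = UDP
	SrcPort, DstPort uint16
	Payload          []byte
	ChecksumOK       bool // IPv4 header checksum verified
}

// ipChecksum is the one's-complement sum used by the IPv4 header (RFC 791).
// Run over a header that includes its checksum field it returns 0 when the
// header is intact.
func ipChecksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	if len(hdr)%2 == 1 {
		sum += uint32(hdr[len(hdr)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// ParseFrame walks the frame from layer 2 upward, checking every length field
// before trusting it, so a truncated or malformed frame is rejected instead of
// being read out of bounds.
func ParseFrame(frame []byte) (*Layers, error) {
	if len(frame) < 14 {
		return nil, errors.New("frame shorter than an Ethernet header")
	}
	l := &Layers{DstMAC: net.HardwareAddr(frame[0:6]), SrcMAC: net.HardwareAddr(frame[6:12])}
	if binary.BigEndian.Uint16(frame[12:14]) != 0x0800 {
		return nil, errors.New("EtherType is not IPv4")
	}
	ip := frame[14:]
	if len(ip) < 20 || ip[0]>>4 != 4 {
		return nil, errors.New("truncated or non-IPv4 header")
	}
	ihl := int(ip[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(ip[2:4]))
	if ihl < 20 || total < ihl || total > len(ip) {
		return nil, errors.New("IPv4 length fields inconsistent with frame")
	}
	l.ChecksumOK = ipChecksum(ip[:ihl]) == 0
	l.Protocol = ip[9]
	l.SrcIP, l.DstIP = net.IP(ip[12:16]), net.IP(ip[16:20])
	l4 := ip[ihl:total]
	switch l.Protocol {
	case 17: // UDP: fixed 8-byte header
		if len(l4) < 8 {
			return nil, errors.New("truncated UDP header")
		}
		l.SrcPort, l.DstPort = binary.BigEndian.Uint16(l4[0:2]), binary.BigEndian.Uint16(l4[2:4])
		l.Payload = l4[8:]
	case 6: // TCP: header length comes from the data-offset field
		if len(l4) < 20 {
			return nil, errors.New("truncated TCP header")
		}
		off := int(l4[12]>>4) * 4
		if off < 20 || off > len(l4) {
			return nil, errors.New("bad TCP data offset")
		}
		l.SrcPort, l.DstPort = binary.BigEndian.Uint16(l4[0:2]), binary.BigEndian.Uint16(l4[2:4])
		l.Payload = l4[off:]
	default:
		l.Payload = l4
	}
	return l, nil
}

// SampleFrame is a constructed frame (not captured traffic): UDP from
// 10.0.0.1:5000 to 10.0.0.2:53 carrying the two bytes "hi".
var SampleFrame = []byte{
	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, // destination MAC
	0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, // source MAC
	0x08, 0x00, // EtherType IPv4
	0x45, 0x00, 0x00, 0x1e, 0x00, 0x01, 0x40, 0x00, // v4, IHL 5, total 30, id 1, DF
	0x40, 0x11, 0x26, 0xcc, // TTL 64, protocol UDP, header checksum
	0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02, // 10.0.0.1 -> 10.0.0.2
	0x13, 0x88, 0x00, 0x35, 0x00, 0x0a, 0x00, 0x00, // ports 5000 -> 53, length 10, no checksum
	'h', 'i',
}

func main() {
	l, err := ParseFrame(SampleFrame)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("L2 %s -> %s\nL3 %s -> %s (proto %d, checksum ok=%v)\nL4 %d -> %d payload %q\n",
		l.SrcMAC, l.DstMAC, l.SrcIP, l.DstIP, l.Protocol, l.ChecksumOK, l.SrcPort, l.DstPort, l.Payload)
}
```

The point of the length checks is the same one a firewall or IDS faces: the header fields are attacker-controlled, so a parser that believes the IHL or total-length field without comparing it to the bytes actually present is itself a target.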

Page 4: Week 15:  Chapter 7

Internet protocol stack

• application: supporting network applications – FTP, SMTP, HTTP
• transport: host-host data transfer – TCP, UDP
• internet: routing of datagrams from source to destination – IP, routing protocols
• network: data transfer between neighboring network elements – PPP, Ethernet
• physical: bits “on the wire”

[Figure: the five-layer stack drawn as stacked boxes - application, transport, internet, network, physical]

Page 5: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks

• Network Security Issues:
  – Anonymity - attacker can be on the other side of the planet
  – Many points of attack
  – Resource and workload sharing
  – Complexity of operating system
  – Unknown perimeter
  – Unknown path
• Who attacks networks? (motive may be the clue)
• Threat Precursors
  – IP address scans
  – Port scans

Page 6: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks Continued

• Social Engineering
  REFERENCES:
  – THE ART OF DECEPTION – Kevin Mitnick, Wiley, ISBN 0-471-23712-4 (convicted felon)
  – HACKING EXPOSED – 4th ed., pages 589-590, 681-682, 173, 233.
• Steps used by social engineers to study a target are similar to those used by spies working for intelligence agencies. These steps are:
  – (1) information gathering
  – (2) target selection
  – (3) target interdiction.
• The social engineer starts by gathering as much information about the organization as is available. Information comes in a variety of forms, which include: (1) white (a.k.a. open source), (2) gray (such as conference materials) and (3) black (such as internal documents – dumpster diving).

Page 7: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks Continued

• Social engineering attacks fall into one of four categories. These categories include:
  – (1) ego attack
  – (2) sympathy attack
  – (3) intimidation attack
  – (4) technical attack.

The "ego attack" targets someone who is frustrated with their current job. The attacker normally pretends to be a law enforcement officer, which makes the victim feel honored to help.

The "sympathy attack" normally plays on the empathy and sympathy of the victim. The attacker pretends to be a fellow employee, contractor or vendor who needs some type of information urgently. The attacker usually suggests that he will lose his job or get into trouble if the victim does not provide assistance.

Page 8: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks Continued

• Social engineering attacks continued
  – The "intimidation attack" normally uses authority to coerce the victim into cooperating with the attacker. The attacker pretends to be the CEO or a law enforcement official. If the attacker pretends to be a law enforcement official, he will inform the victim that they are conducting a secret investigation which should not be discussed with anyone.
  – In the "technical attack" the attacker usually doesn't have direct contact with the victim. The attacker uses forged e-mail, phony Web sites, forged faxes or other items (for example, software CDs) to establish contact with the victim. Phony Web sites can lure a victim into downloading new screen savers, popup ad blockers or utilities. The attacker can embed JavaScript in the Web page's source code, which can upload documents or install software on the victim's machine.

Social engineering attacks are the single greatest threat to enterprise security and the hardest to prevent!

Page 9: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks Continued

• Security Threat Analysis
  – Interception of data
  – Unauthorized access to programs or data at remote host
  – Modifications to programs or data at remote host
  – Communications impersonating a user
  – Communications repeating a previous communication
  – Blocking of selected traffic
  – Blocking of all traffic
  – Running a program at remote host
• Threat Categories:
  – Wiretapping
  – Impersonation

Page 10: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks Continued

• Spoofing
  – Masquerade
  – Session hijacking
  – Man-in-the-middle attack
• Message confidentiality violations
• Message integrity violations
• Hacking
• Code integrity violations

Page 11: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks Continued

• DOS - Denial Of Service - Types of Attacks:
  1. UDP flood - Hacker sends UDP packets with a spoofed return address that link one system's character-generating service (chargen, port 19) to another system's UDP echo service (port 7) (ECS typically disables UDP port 7). As chargen keeps sending characters to the other system, the echo service keeps sending them back, so UDP traffic bounces back and forth.
  2. ICMP flood - Hacker sends ICMP packets as fast as possible to the target system.
  3. Ping of death – Hacker sends ping packets with data that totals more than 65,535 bytes.

Page 12: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks Continued

• DOS – Attacks continued
  4. Smurf - Hacker sends an ICMP echo (ping) request to a system with the return address spoofed. Or sends it to a large number of hosts, i.e. sends it to the Engineering router (ecsrtr) with the request that it send a broadcast request to all ECS systems to do an echo (ping) reply. The result is that the system at the spoofed address is blasted off the Internet.
  5. SYN flood - Hacker has a system send a TCP SYN (flag bit in the connection packet) with a spoofed return address. The system responds to the spoofed address with a SYN-ACK (both flag bits set); now since the address is spoofed it never gets an ACK, so it waits and fills up its backlog queue. Possibly it will allocate all its memory and crash.

Page 13: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks Continued

• DOS – Attacks continued
  6. Xmas Tree – Hacker sends a packet with all the flag bits on.
  7. FIN flood – Hacker sends packets with the FIN flag bit set and a spoofed return address. The server replies with FIN-ACK to the spoofed address and then attempts to disconnect the non-existent session.
  8. DNS attacks – Hacker poisons the cache of a DNS server.
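Most of the DoS types listed on these three slides can be recognised from packet headers alone, which is what a network IDS sensor does. The following Go detector is an added example, not material from the slides: it runs over constructed packet summaries (the Packet type, the sample traffic, the 10.0.x.x addresses and the thresholds are all assumptions for the example) and flags the chargen/echo bounce, an oversized ping, an ICMP rate burst, an Xmas-tree packet and a build-up of half-open connections at one target, while a normal three-way handshake raises nothing.

```go
package main

import "fmt"

// TCP flag bits as laid out in the header's flags byte.
const (
	FIN, SYN, ACK uint8 = 0x01, 0x02, 0x10
	allFlags      uint8 = 0x3f // FIN|SYN|RST|PSH|ACK|URG: the "Xmas tree" packet
)

// Packet is the per-packet summary a sensor hands to the detector.
type Packet struct {
	T                float64 // seconds since start of capture
	Proto, Src, Dst  string  // "tcp", "udp" or "icmp"; IPv4 addresses
	SrcPort, DstPort int
	Flags            uint8 // TCP flags, zero for other protocols
	Len              int   // datagram length after reassembly
}

type Alert struct{ Kind, Detail string }

// Detect applies the slides' attack signatures to a packet list.
// icmpPerSecond and maxHalfOpen are illustrative thresholds.
func Detect(pkts []Packet, icmpPerSecond, maxHalfOpen int) []Alert {
	var alerts []Alert
	halfOpen := map[string]map[string]bool{} // target -> clients with unanswered SYN
	icmpTimes := map[string][]float64{}      // "src>dst" -> timestamps in the last second
	for _, p := range pkts {
		switch p.Proto {
		case "udp": // chargen (19) wired to echo (7): traffic bounces indefinitely
			if (p.SrcPort == 19 && p.DstPort == 7) || (p.SrcPort == 7 && p.DstPort == 19) {
				alerts = append(alerts, Alert{"udp-bounce", fmt.Sprintf("%s:%d -> %s:%d", p.Src, p.SrcPort, p.Dst, p.DstPort)})
			}
		case "icmp":
			if p.Len > 65535 { // ping of death: larger than an IP datagram may be
				alerts = append(alerts, Alert{"ping-of-death", fmt.Sprintf("%s -> %s, %d bytes", p.Src, p.Dst, p.Len)})
			}
			key := p.Src + ">" + p.Dst // flood: sliding one-second window per pair
			ts := append(icmpTimes[key], p.T)
			for p.T-ts[0] > 1.0 {
				ts = ts[1:]
			}
			icmpTimes[key] = ts
			if len(ts) == icmpPerSecond+1 { // alert once, when the rate is first exceeded
				alerts = append(alerts, Alert{"icmp-flood", fmt.Sprintf("%s: over %d packets/s", key, icmpPerSecond)})
			}
		case "tcp":
			if p.Flags == allFlags {
				alerts = append(alerts, Alert{"xmas-tree", fmt.Sprintf("%s -> %s:%d", p.Src, p.Dst, p.DstPort)})
			}
			client := fmt.Sprintf("%s:%d", p.Src, p.SrcPort)
			if p.Flags == SYN { // new half-open entry at the target
				if halfOpen[p.Dst] == nil {
					halfOpen[p.Dst] = map[string]bool{}
				}
				halfOpen[p.Dst][client] = true
			} else if p.Flags&ACK != 0 { // the client's ACK completes the handshake
				delete(halfOpen[p.Dst], client)
			}
		}
	}
	for dst, set := range halfOpen {
		if len(set) >= maxHalfOpen {
			alerts = append(alerts, Alert{"syn-flood", fmt.Sprintf("%s: %d half-open connections", dst, len(set))})
		}
	}
	return alerts
}

func tcp(t float64, src string, sp int, dst string, dp int, flags uint8) Packet {
	return Packet{T: t, Proto: "tcp", Src: src, SrcPort: sp, Dst: dst, DstPort: dp, Flags: flags, Len: 60}
}

// SamplePackets is constructed traffic: one legitimate handshake (first three
// packets) followed by one instance of each attack against 10.0.0.1.
func SamplePackets() []Packet {
	pkts := []Packet{
		tcp(0, "10.0.0.5", 40000, "10.0.0.1", 80, SYN),
		tcp(0.01, "10.0.0.1", 80, "10.0.0.5", 40000, SYN|ACK),
		tcp(0.02, "10.0.0.5", 40000, "10.0.0.1", 80, ACK),
	}
	for i := 0; i < 8; i++ { // SYN flood from spoofed sources that never answer
		pkts = append(pkts, tcp(1, fmt.Sprintf("10.0.1.%d", i), 1024+i, "10.0.0.1", 80, SYN))
	}
	pkts = append(pkts, tcp(3, "10.0.4.4", 3333, "10.0.0.1", 22, allFlags))
	pkts = append(pkts, Packet{T: 4, Proto: "udp", Src: "10.0.0.9", SrcPort: 19, Dst: "10.0.0.1", DstPort: 7, Len: 100})
	pkts = append(pkts, Packet{T: 5, Proto: "icmp", Src: "10.0.5.5", Dst: "10.0.0.1", Len: 65600})
	for i := 0; i < 60; i++ { // ICMP flood: 60 echo requests inside 0.6 s
		pkts = append(pkts, Packet{T: 6 + float64(i)*0.01, Proto: "icmp", Src: "10.0.2.2", Dst: "10.0.0.1", Len: 84})
	}
	return pkts
}

func main() {
	for _, a := range Detect(SamplePackets(), 50, 5) {
		fmt.Printf("%-14s %s\n", a.Kind, a.Detail)
	}
}
```

The SYN-flood rule is the one worth tuning on a real network: it counts distinct clients whose SYN was never followed by their own ACK, so a busy but healthy server with many completed handshakes does not trip it, while spoofed sources that can never answer accumulate until the threshold is crossed.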

Page 14: Week 15:  Chapter 7

Week 15: Sec. 7.2 Threats in Networks Continued

Now a more evil DOS. This one is called DDOS for Distributed Denial Of Service.

• The "trinoo" distributed denial of service. trinoo.analysis
• The "TFN" distributed denial of service. tfn.html
• The "TFN2" distributed denial of service, released on December 21, 1999. tfn2k.html For more on TFN2 see: cert.org TFN2
• The "stacheldraht" distributed denial of service. stacheldraht.analysis

Page 15: Week 15:  Chapter 7

Week 15: Sec. 7.3 Network Security Controls

• Encryption is one of the best defenses to attacks on security in networks.
• Link Encryption - data is encrypted just before it is placed on the physical media, or at the physical layer. The message is in plaintext inside hosts and intermediate hosts.
• End-to-End Encryption - data is encrypted at the highest layer, the application (best).
• In some cases both forms can be applied. I use PuTTY (SSH) and VPN from any place outside the campus. So data is doubly encrypted on the public Internet.

Page 16: Week 15:  Chapter 7

Week 15: Sec. 7.3 Network Security Controls

• Virtual Private Networks (VPN) are a way to simulate a private network over a public network such as the Internet.
  – Virtual because it depends on the use of virtual connections
  – Temporary connections that have no real physical presence, but consist of packets routed over various machines on the Internet on an ad hoc basis
  – Secure virtual connections are created between machines and networks as follows:
    • Two machines
    • A machine and a network
    • Two networks

Page 17: Week 15:  Chapter 7

Week 15: Sec. 7.3 Network Security Controls

• PKI and Certificates
  – Often considered a standard but in fact is a set of policies, products and procedures
  – Services
    • Create certificates associating a user's identity with a public key
    • Give out certificates from a database
    • Sign certificates (adding the credibility of the CA)
    • Confirm or deny that a certificate is valid
    • Invalidate certificates for users or for those whose private key is exposed
  – Registration authority which interfaces between user and CA
  – PKI under development in many countries.
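The five PKI services listed above map onto a small amount of code once the X.509 mechanics are handled by a library. The following Go program is an added example, not material from the slides: a toy CA built on the standard library's crypto/x509 that creates a self-signed root, issues a certificate binding a user's name to a public key (services 1 and 3), validates certificates against the root (service 4) and invalidates one after a key exposure (service 5). The revoked map stands in for a real CRL or OCSP responder, the names "Example Campus CA", "Rogue CA" and "alice" are made up, and the scenario checks that a certificate from an unrelated CA claiming the same name is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy certificate authority. The revoked map stands in for a CRL or
// OCSP responder; the X.509 work itself is done by the standard library.
type CA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool
	serial  int64
}

func newTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// NewCA creates a self-signed root certificate.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := newTemplate(name, 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return &CA{Cert: cert, key: key, revoked: map[string]bool{}, serial: 2}, nil
}

// Issue binds a user's identity to a public key and signs the result
// (services 1 and 3); a full PKI would receive the request through an RA.
func (ca *CA) Issue(user string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := newTemplate(user, ca.serial)
	ca.serial++
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke invalidates a certificate, e.g. after its private key is exposed (service 5).
func (ca *CA) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = true }

// Validate confirms or denies a certificate (service 4): it must chain to this
// CA, be inside its validity window with a fitting usage, and not be revoked.
func (ca *CA) Validate(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return errors.New("certificate has been revoked")
	}
	return nil
}

// Scenario: a fresh certificate validates, one issued by an unrelated CA for
// the same name does not, and the fresh one stops validating once revoked.
func Scenario() (fresh, impostor, afterRevoke error) {
	ca, err := NewCA("Example Campus CA")
	if err != nil {
		return err, err, err
	}
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := ca.Issue("alice", &userKey.PublicKey)
	fresh = ca.Validate(cert)
	rogue, _ := NewCA("Rogue CA")
	fake, _ := rogue.Issue("alice", &userKey.PublicKey)
	impostor = ca.Validate(fake)
	ca.Revoke(cert)
	afterRevoke = ca.Validate(cert)
	return
}

func main() {
	fresh, impostor, afterRevoke := Scenario()
	fmt.Println("fresh:", fresh, "| impostor:", impostor, "| after revocation:", afterRevoke)
}
```

The impostor case is the one that shows why a PKI is more than signatures: the rogue certificate is perfectly well formed and carries the same name and key, and only the fact that it does not chain to a trusted root makes Validate reject it.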

Page 18: Week 15:  Chapter 7

Week 15: Sec. 7.3 Network Security Controls

Average time required for exhaustive key search

Key Size (bits)   Number of Alternative Keys   Time required at 10^6 Decryptions/µs
32                2^32  = 4.3 x 10^9           2.15 milliseconds
56                2^56  = 7.2 x 10^16          10 hours
128               2^128 = 3.4 x 10^38          5.4 x 10^18 years
168               2^168 = 3.7 x 10^50          5.9 x 10^30 years

Page 19: Week 15:  Chapter 7

Week 15: Sec. 7.3 Network Security Controls

• SSH Encryption (version 1 obsolete); version 2 best. Intended to replace utilities such as Telnet, rlogin and rsh.
• Defined for Unix; also several commercial or shareware programs for Windows.
• Protocol involves negotiation between local and remote sites for the encryption algorithm to use and the authentication method.
• Encryption algorithms: AES, 3DES, IDEA, Blowfish and DES.
• Authentication may be Kerberos or public key.
• Public key is asymmetric and slow, so it is used only to agree on the session key (symmetric and fast).

Page 20: Week 15:  Chapter 7

Week 15: Sec. 7.3 Network Security Controls

• SSL Encryption originally designed by Netscape and copied by others.
• Now called TLS (transport layer security). Interfaces between applications and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server.
• Client and server negotiate encryption for the session and hashing.
• Protocol is simple but effective, widely used for secure communications on the Internet.

Page 21: Week 15:  Chapter 7

Week 15: Sec. 7.3 Network Security Controls

• IPSec – Defined by RFC 2401, mandatory in IPv6; uses Internet Key Exchange (IKE)
  – Symmetric key cryptography is used for efficiency
  – To exchange keys securely, a negotiation protocol is used that allows users to agree on authentication methods, encryption methods and the keys to use.
  – It also specifies how long keys can be used before changing and how to accomplish key exchange.
• Can protect upper layer protocols (transport mode):
  | IP Header | AH Header | Payload |
• Can protect the entire payload (tunnel mode):
  | New IP Header | AH Header | IP Header | Payload |

Page 22: Week 15:  Chapter 7

Week 15: Sec. 7.3 Network Security Controls

• Authentication of Distributed Systems - MIT's Kerberos System, OSF's Distributed Computing Environment (DCE), European SESAME, CORBA

Page 23: Week 15:  Chapter 7

Week 15: Sec. 7.3 Network Security Controls continued

• Access Controls - prevent unauthorized users by port control (automatic call back or limit places where access is allowed)
• ACLs on Routers
• Firewalls
• Alarms and Alerts
• Honeypots & Honeynets (Honeypots: are they legal?)
• Traffic Control - pad traffic on certain links or control routing of traffic on different links.
• Data Integrity - detect duplicate data or missing data or errors in data. Error control methods: parity (poor), checksums (fair), cyclic redundancy check (best). Also MD5 checksum. Digital signatures and authenticated certificate.

Page 24: Week 15:  Chapter 7

Week 15: Sec. 7.4 Firewalls

• Traditionally, a firewall is a wall separating two areas, in a building, a car, etc., to prevent fire from propagating from one area to another.
  – By extension, it is used to separate two networks, to prevent hostile packets from one network from reaching the other.
  – The most common firewall configuration protects a company’s private network from the Internet.
  – Firewalling traditionally operates by inspecting packet headers and discarding packets with undesirable header info.

Page 25: Week 15:  Chapter 7

Week 15: Sec. 7.4 Firewalls Continued

• Can be software or hardware device or both.
• Two fundamental policies:
  – Block certain traffic - allow all other
  – Only permit certain traffic - block all other
• Types - screening routers, proxy gateways and guards
• Only will work if there are no other connections to the outside.
• Firewalls are usually prime targets of hackers since they are most visible.
• SP2 for WinXP has a firewall but?
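The two fundamental policies differ only in what happens to traffic nobody wrote a rule for. The following Go program is an added example, not material from the slides: a minimal header-inspecting rule evaluator (the Rule, Policy and Conn types are assumptions for the example) with both policies side by side, run over constructed connection attempts. The fourth attempt, to a port no rule mentions, is the one that separates the two policies.

```go
package main

import "fmt"

// Conn is one connection attempt as header inspection sees it.
type Conn struct {
	Proto   string // "tcp" or "udp"
	DstPort int
}

// Rule matches on protocol and destination port only (header inspection).
// An empty Proto or a zero DstPort matches anything.
type Rule struct {
	Proto   string
	DstPort int
	Allow   bool
}

// Policy is an ordered rule list plus the default applied when nothing matches.
type Policy struct {
	Rules        []Rule
	DefaultAllow bool
}

func (r Rule) matches(c Conn) bool {
	return (r.Proto == "" || r.Proto == c.Proto) && (r.DstPort == 0 || r.DstPort == c.DstPort)
}

// Decide reports whether the connection is permitted: the first matching
// rule wins, otherwise the policy's default applies.
func (p Policy) Decide(c Conn) bool {
	for _, r := range p.Rules {
		if r.matches(c) {
			return r.Allow
		}
	}
	return p.DefaultAllow
}

// BlockList is the slide's first policy: block certain traffic, allow all other.
var BlockList = Policy{Rules: []Rule{{"tcp", 23, false}, {"udp", 7, false}}, DefaultAllow: true}

// AllowList is the second: only permit certain traffic, block all other.
var AllowList = Policy{Rules: []Rule{{"tcp", 80, true}, {"tcp", 443, true}, {"tcp", 22, true}}, DefaultAllow: false}

// Sample is constructed traffic: wanted web and SSH, explicitly blocked
// telnet, and a service (TCP 3389) that no rule mentions.
var Sample = []Conn{{"tcp", 443}, {"tcp", 22}, {"tcp", 23}, {"tcp", 3389}}

func main() {
	for _, c := range Sample {
		fmt.Printf("%s/%-5d block-list: %-5v allow-list: %v\n", c.Proto, c.DstPort, BlockList.Decide(c), AllowList.Decide(c))
	}
}
```

Both policies agree on telnet and on web/SSH; only the allow-list policy stops the unlisted service, which is why default-deny is the usual recommendation for a perimeter firewall: a forgotten or newly exposed service fails closed instead of open.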

Page 26: Week 15:  Chapter 7

Week 15: Sec. 7.5 Intrusion Detection Systems (IDS)

• Monitors activity to identify malicious or suspicious events.
• Two types of IDSs:
  – Signature-based, often called rule based.
  – Heuristic based, or sometimes called anomaly based.
• Ideally one should combine both types.
• Host based IDS monitors a specific host.
• Network based monitors all or part of a network.
• Which type should an installation have? Answer: BOTH!
• Many devices are not a typical computer and don't support a host IDS (print servers, web cameras, switches and hubs).

Page 27: Week 15:  Chapter 7

Week 15: Sec. 7.5 (IDS) Continued

• Best IDS is the "Stealth Mode" - attacker doesn't even know.
• Responding to Alerts – requires a human.
• Problems with IDS are they are not perfect and they make mistakes.
  – Alerting on something not really an attack - "false positive".
  – Or not raising the alarm for a real attack - "false negative".
• Recent announcement by 2 vendors of a combined firewall and IDS. The device is called an Intrusion Prevention Device (IPD or IPS). Must be robust to handle all traffic and yet examine contents of packets.
• Our SonicWall Pro model 300 firewall fails above 128,000 connections. And that's only looking at ports and IPs, NOT the packet contents.
• Our ECS IDS is only a 950 MHz Pentium II and it only collects 85% of traffic.

Page 28: Week 15:  Chapter 7

Week 15: Sec. 7.5 (IDS) Continued

[Figure: campus network diagram, upper half - Campus Cisco PIX Firewall <--> Campus VPN Server <--> INTERNET; below them the CSUS North Router and CSUS South Router, then the ECS Switch (HP Procurve) feeding the ECS firewalls shown on the next slide]

Page 29: Week 15:  Chapter 7

Week 15: Sec. 7.5 (IDS) Continued

[Figure: campus network diagram, lower half - from the ECS Switch: ECSFire 1 (SonicWall), ECSFire 2 (SonicWall) and OXUS (IDS, Linux/Snort) with sensor #1 on the link into it; all connect down to the ECS Main Switch]

Page 30: Week 15:  Chapter 7

Week 15: Sec. 7.6 Secure E-mail

• Threats to electronic mail
  – message interception (confidentiality)
  – message interception (blocked delivery)
  – message content modification
  – message origin modification (faked sender message origin)
  – message content forgery by outsider
  – message origin forgery by outsider
  – message content forgery by recipient
  – message origin forgery by recipient
  – denial of message transmission (repudiation)
• Requirements and Solutions
  – Message confidentiality (message not exposed en route)
  – Message integrity (what receiver sees is what was sent)
  – Sender authenticity (receiver confident who sender was)
  – Nonrepudiation (sender cannot deny sending message)

Page 31: Week 15:  Chapter 7

Week 15: Sec. 7.6 Secure E-mail Continued

• Design goal - encrypted e-mail would travel as ordinary messages so current Internet e-mail would not require changes.
• PGP (pretty good privacy) is one example of encrypted e-mail.
• Say Bob and Alice want to exchange secure e-mail (the algorithm uses public, private and session keys just like many other encryption programs), so they exchange public keys and agree on an encryption algorithm.
  1. Bob creates random session key Sk
  2. Encrypts e-mail message with session key: {M}Sk
  3. Encrypts session key with Alice's public key: {Sk}Apub
  4. Generates digital signature - MD5 of message - and encrypts it with Bob’s private key: {MD5}Bpri
  5. Attach encrypted session key and encrypted hash to encrypted message.
  6. Send message to Alice: {M}Sk + {Sk}Apub + {MD5}Bpri
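The six steps above are the hybrid-encryption pattern PGP uses, and both sides of it fit in one short program. The following Go code is an added example, not material from the slides and not PGP's own format: Seal performs Bob's steps 1-5 and Open performs Alice's reversal. It substitutes AES-GCM for the unspecified symmetric cipher and SHA-256 for the MD5 on the slide (MD5 is no longer collision resistant, so a signature over it can be forged by substituting a colliding message); RSA-OAEP wraps the session key and RSA PKCS#1 v1.5 signs the hash. The message text and the RoundTrip/Envelope names are assumptions for the example, and the tamper flag shows that a single flipped ciphertext byte is detected before any signature check.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what Bob sends: {M}Sk + {Sk}Apub + {H(M)}Bpri, plus the AES-GCM nonce.
type Envelope struct {
	Nonce, CipherText, WrappedKey, Signature []byte
}

func gcmFor(sk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal follows steps 1-5 of the slide on Bob's side.
func Seal(msg []byte, alicePub *rsa.PublicKey, bobPriv *rsa.PrivateKey) (*Envelope, error) {
	sk := make([]byte, 32) // 1. random session key (AES-256)
	if _, err := rand.Read(sk); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(sk) // 2. encrypt the message with the session key
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, alicePub, sk, nil) // 3. {Sk}Apub
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg) // 4. hash the message, sign the hash with Bob's private key
	sig, err := rsa.SignPKCS1v15(rand.Reader, bobPriv, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, CipherText: ct, WrappedKey: wrapped, Signature: sig}, nil // 5. attach
}

// Open is Alice's side: unwrap the session key, decrypt, then check Bob's signature.
func Open(env *Envelope, alicePriv *rsa.PrivateKey, bobPub *rsa.PublicKey) ([]byte, error) {
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, alicePriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed: not encrypted to Alice")
	}
	gcm, err := gcmFor(sk)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.CipherText, nil)
	if err != nil {
		return nil, errors.New("message was modified in transit")
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(bobPub, crypto.SHA256, h[:], env.Signature); err != nil {
		return nil, errors.New("signature does not verify: sender is not Bob")
	}
	return msg, nil
}

// RoundTrip generates both key pairs, sends msg from Bob to Alice and returns
// what Alice recovers. With tamper set, one ciphertext byte is flipped en route.
func RoundTrip(msg string, tamper bool) (string, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	env, err := Seal([]byte(msg), &alice.PublicKey, bob)
	if err != nil {
		return "", err
	}
	if tamper {
		env.CipherText[0] ^= 0x01
	}
	out, err := Open(env, alice, &bob.PublicKey)
	return string(out), err
}

func main() {
	fmt.Println(RoundTrip("meet at noon", false)) // constructed message, not real mail
	fmt.Println(RoundTrip("meet at noon", true))
}
```

The order of checks in Open matters for the slide's requirements: the authenticated cipher gives message integrity, the signature over the hash gives sender authenticity and nonrepudiation, and the session key wrapped to Alice's public key gives confidentiality, so all four requirements from the previous slide are covered by the three attachments.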

Page 32: Week 15:  Chapter 7

Week 15: Sec. 7.7 Summary of Network Security

Algorithm    Key Size          Number of Rounds   Mathematical Operations        Applications
DES          56 bits           16                 XOR, fixed S-boxes             SET, Kerberos
Triple DES   112 or 168 bits   48                 XOR, fixed S-boxes             Financial key, PGP, S/MIME
IDEA         126               16                 XOR, variable S-boxes, add
Blowfish     40 - 448          16                 Add, Sub, XOR, rotation
CAST-128     40 to 128 bits    16                 Add, Sub, XOR, rotation        PGP

Page 33: Week 15:  Chapter 7

Week 15: Sec. 7.7 Summary of Network Security

Algorithm   Key Size   Number of Rounds   Mathematical Operations     Applications
AES         128 bits   10                 XOR, fixed S-boxes, Add     SSH, Federal Gov
AES         192 bits   12                 XOR, fixed S-boxes, Add
AES         256 bits   14                 XOR, fixed S-boxes, Add

Page 34: Week 15:  Chapter 7

Week 15: Sec. 7.7 Summary of Network Security

• Encryption is the most powerful tool.
• Access control such as authentication or limited access points.
• Firewalls or encryption gateways.
• IDS is a must for any organization, both hosts and network.
• To determine the most vulnerable points in a network put yourself in the place of a hacker and think of the easiest ways to access data. “Think outside of the box”