Week 9 Session 18
Transcript of Week 9 Session 18
Introduction to Security
What are Threats?
Internal Threats
Human Error
Dishonest / disgruntled employees
Technical Sabotage
External Threats
Viruses
Trojans / Worms / Malicious Code
Hackers / Intruders
Countermeasures
Patch Management System
Intrusion Prevention Systems
Intrusion Detection Systems
Anti-Virus
Content Management
Firewalls
VPN
PKI
The need for Security?
InternetWeek: 50% of Corporations have had 30 or more penetrations, 60% lost up to $200K/intrusion
Federal Computing World: Over 50% of Federal agencies report unauthorized access (some are massive numbers)
FBI/Computer Security Institute: 48% of all attacks originated from within the organization
WarRoom Research Survey: 90% of Fortune 500 companies surveyed admitted to inside security breaches
Common IT Security Shortcomings
No enterprise-wide patch management system
No intrusion detection systems on both the inside and the outside of the perimeter
No firewalls / weak firewalls in place
All / a few servers directly open to the internet
Outgoing email server doesn't require authentication
Only a partial content management / prevention solution
Outdated / un-patched mail servers
Patch Management: Why reaction time matters
Reaction time is critical in preventing viruses and worms, which can cost organizations billions.
Forrester says that organizations typically require more than 300 days to fully deploy patches for most of these issues after the fix is available.
The race begins when the technical details of an issue (such as a security bulletin or release of exploit code) are made public.

Worm                       Days from release of exploit to worm appearance
Scalper (2002, FreeBSD)     11 (*early disclosure)
Blaster (2003, Windows)     16
Code Red (2001, Windows)    24
Lion (2001, Linux)          53
Slapper (2002, Linux)       58
Melissa (1999, Windows)     64
Nimda (2001, Windows)      172
Slammer (2003, Windows)    180
Ramen (2001, Linux)        208
The SQL Slammer Worm: What Happened?
- MS SQL vulnerability and patch released July 2002
- Worm released at 05:30 GMT, January 25, 2003
- Saturation point reached within 2 hours of start of infection
- 250,000-300,000 hosts infected
- Internet connectivity affected worldwide
- Not easily detected by anti-virus since it did not write itself to disk (it lived only in memory)
The SQL Slammer Worm: 30 Minutes After Release
- Infections doubled every 8.5 seconds
- Spread 100x faster than Code Red
- At peak, scanned 55 million hosts per second
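Because Slammer never wrote itself to disk, the thing a defender could actually see was its network behaviour: one host firing small UDP datagrams at port 1434 on hundreds of random addresses per second. The following is an added example (not code from the slides) of a sliding-window detector that flags such a source from flow records; the flow records, the host addresses and the threshold of 100 datagrams per second are constructed for the example.

```python
"""Slammer-style scan detector over flow records (added example, not from
the slides).  Slammer never touched the disk, so the observable artefact is
network behaviour: one host sending UDP datagrams to port 1434 at hundreds
of random destinations per second.  The records below are constructed
sample data, not captured traffic."""
import random
from collections import defaultdict, deque

SQL_RESOLUTION_PORT = 1434  # UDP port of the MS SQL Server Resolution Service


def build_sample_flows(seed=1):
    """Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto)."""
    rng = random.Random(seed)
    flows = []
    # Legitimate client asking one SQL server a few times over ten seconds.
    for i in range(5):
        flows.append((i * 2.0, "10.0.1.2", "10.0.9.1", SQL_RESOLUTION_PORT, "udp"))
    # Ordinary web traffic on a different port and protocol.
    for i in range(50):
        flows.append((i * 0.2, "10.0.1.3", "203.0.113.10", 80, "tcp"))
    # Infected host: 300 datagrams to random addresses inside one second.
    for i in range(300):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        flows.append((3.0 + i / 300.0, "10.0.5.7", dst, SQL_RESOLUTION_PORT, "udp"))
    flows.sort(key=lambda f: f[0])
    return flows


def detect_scanners(flows, window=1.0, threshold=100):
    """Return {src_ip: alert} for every source that sent at least `threshold`
    UDP/1434 datagrams within any `window` seconds.  Only the first crossing
    per source is reported."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs inside the window
    alerts = {}
    for ts, src, dst, dport, proto in flows:
        if proto != "udp" or dport != SQL_RESOLUTION_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:       # drop records older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "first_seen": ts,
                "packets": len(q),
                "distinct_dsts": len({d for _, d in q}),
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_scanners(build_sample_flows()).items():
        print(f"{src}: {alert['packets']} UDP/1434 datagrams to "
              f"{alert['distinct_dsts']} hosts within 1 s (t={alert['first_seen']:.2f})")
```

The legitimate SQL client sends five datagrams to one server over ten seconds and never trips the threshold; the infected host is reported as soon as its hundredth datagram lands inside the one-second window, and the high count of distinct destinations is what separates a worm from a busy but honest client.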
The RPC Blaster Worm: What Happened?
- RPC vulnerability and patch published by Microsoft on July 16, 2003
- Vulnerability affects NT 4.0, Windows XP, Windows 2000 and Windows 2003 Server
- Blaster worm released Monday, August 11, 2003; its main targets are only Windows XP and Windows 2000
- More than 330,000 hosts infected in less than a week
- Worm variants appearing: Lovsan.B, Lovsan.C
Lessons Learned
Applying patches must be done quickly and thoroughly
If the vulnerability applies to clients, these must be patched too (not only servers)
One infected machine can scan and infect thousands of victims
The network must be configured with QoS and have the intelligence to filter and control traffic when needed
Complements to patches, such as host-based security agents, must be considered
Electronic Commerce - Security
Securing Internet commerce is akin to securing your business secrets and activities in real life
Security concerns have to be addressed at three levels:
Security of the host (where the business is hosted)
Security of the server providing the service (HTTP / web server)
Communication environment:
Network environment
Transaction security
Prof. Bharat Bhasker, Indian Institute of Management Lucknow -
Electronic Commerce - Host Security
Site Security Handbook (RFC 1244) details how to secure a host computer from break-in
Critical Principles:
Parsimony (simplest possible):
Remove services that are not required (HTTP, SMTP, POP3, IMAP, ...)
Remove all things from the host that are not required: compilers, NFS daemons, interpreters, shells
Minimize use of superuser (root) privileges
Access Control (authentication, privilege system)
Accountability (securely log actions for each user ID)
Audit & Auditability (any change anywhere in the system): COPS, TAMU, Tripwire
Notification (CERT, CIAC, alarm systems)
Recovery (it may happen; how do you cope on the morning after?)
Network Security -- Sniffing
On the wire, messages can be read by sniffers and network analyzers, tools meant to monitor a busy Ethernet segment for traffic patterns and network problems
Examples:
esniff.c - 300-line program, captures user IDs and passwords on telnet and ftp sessions
tcpdump - widely available public utility
Netman - various utilities for network management, available via anonymous ftp
EthDump - sniffer that runs under DOS, available via anonymous ftp
Security Threats:
Passwords - encryption may not help (replay attack)
Financial account information
Private data - Cap Weinberger indicted based on email in Iran-Contra
Low-level protocol information
Network Security -- Sniffing
Prevention:
Network segmentation:
Hubs (multi-port repeaters) forward every frame to every port, so they do not isolate traffic
Switches
Bridges (filter traffic)
Routers - too radical for the sniffing problem alone, but help by creating subnets
Trust circles and barriers between secure and insecure segments
Avoiding transmission of passwords:
Rlogin family of protocols -- .rhosts and /etc/hosts.equiv (prone to ARP & DNS spoofing)
Encryption with time stamps
Challenge-based authentication
Entire session/connection encryption such as SSL
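The "encryption may not help" point and the "challenge-based authentication" remedy fit in one short exchange. The added example below (not from the slides) simulates a passive sniffer against two logins: one that sends the password itself, and one where the server issues a fresh nonce and the client answers with an HMAC over it. The user name, shared secret and the in-process "sniffer" are constructed for the example; a real deployment would store the secret hashed or in hardware.

```python
"""Password replay versus challenge-response authentication (added example;
not from the slides).  Both the sniffer and the parties are simulated in
process, so the whole exchange runs offline.  User names and secrets are
made up for the example."""
import hashlib
import hmac
import secrets

# Shared secrets held by the server (in reality stored hashed / in an HSM).
USERS = {"alice": b"correct horse battery staple"}


def naive_login(user, password):
    """Login that sends the password itself: whatever a sniffer captures can be replayed."""
    return USERS.get(user) == password


def respond(secret, nonce):
    """Client side: prove knowledge of the secret without ever sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class ChallengeServer:
    def __init__(self, users):
        self.users = users
        self.pending = {}   # user -> nonce issued and not yet answered
        self.used = set()   # nonces already accepted; never valid again

    def challenge(self, user):
        nonce = secrets.token_bytes(16)   # fresh and unpredictable per attempt
        self.pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        expected_nonce = self.pending.pop(user, None)
        if expected_nonce is None or nonce != expected_nonce or nonce in self.used:
            return False
        self.used.add(nonce)
        expected = respond(self.users[user], nonce)
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    """Run both protocols past a passive sniffer and report which replays succeed."""
    secret = USERS["alice"]

    # 1. Cleartext password: the sniffer's copy works as well as the original.
    sniffed_password = secret
    naive_replay_ok = naive_login("alice", sniffed_password)

    # 2. Challenge-response: the sniffer sees (nonce, response) but not the secret.
    server = ChallengeServer(USERS)
    nonce = server.challenge("alice")
    response = respond(secret, nonce)
    genuine_ok = server.verify("alice", nonce, response)

    server.challenge("alice")                                       # attacker starts a login
    replay_old_pair = server.verify("alice", nonce, response)       # stale nonce: rejected
    new_nonce = server.challenge("alice")
    replay_old_answer = server.verify("alice", new_nonce, response)  # wrong answer: rejected

    return {
        "naive_replay_ok": naive_replay_ok,
        "genuine_ok": genuine_ok,
        "replay_old_pair": replay_old_pair,
        "replay_old_answer": replay_old_answer,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The nonce is what defeats the replay: the captured response answers only the challenge it was computed for, and that challenge is never issued twice. Note that this still does nothing for confidentiality of the session itself, which is why the slide lists whole-session encryption such as SSL as the last step.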
Network Security -- Spoofing
Hardware address spoofing: a NIC has a 48-bit card address that is meant to be unique, but bridges examine frames and can modify the source/destination address
PREVENTION - intelligent hubs in secure locations, active/filtering hubs
Address Resolution Protocol (ARP) spoofing - "who owns this IP address?"
Inadvertent: two servers with the same IP address alternately come up
Malicious attacks: against IP-based authorization and trust, turn the machine off and insert your laptop with its address
PREVENTION:
Stop using ARP - make all IP-to-Ethernet mappings permanent (static)
Or, make the important addresses permanent
arp -a lists the ARP cache on a machine
arp -d deletes an entry from the cache
arp -s adds a permanent (static) entry
Hardware barriers - routers, trusted hosts on a separate subnet
Prof. Bharat Bhasker, Indian Institute of Management Lucknow - CSI-99
Network Security -- Spoofing
ARP Spoofing - Detection
Network-level detection:
Periodic polling against a standard database of IP address, hardware address, name and location; raise alerts on any mismatch
SNMP agent based monitoring
RMON protocol -- RFC 1271
BTNG (Beholder the Next Generation) is an RMON agent, available from Delft University
Ticklet, an SNMP-based monitoring and management system
arpmon (Ohio State), arpwatch (LBL)
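The "poll against a standard database and raise alerts" approach is what arpwatch and arpmon do, and it is small enough to show in full. The block below is an added example in that spirit, not the slides' code nor either tool's: it holds a known IP-to-MAC table (the "standard database"), replays constructed ARP observations through it, and raises arpwatch-style alerts for a new station, a changed hardware address and a flip-flop back to an earlier address. The addresses, names and timestamps are made up for the example.

```python
"""ARP-table watcher in the spirit of arpwatch / arpmon (added example; not
the slides' code nor either tool's).  A known IP-to-MAC database is checked
against observed ARP replies; a new station, a changed hardware address or
a flip-flop back to an earlier address raises an alert.  The observations
are constructed sample lines, not captured traffic."""

# The "standard database" from the slide: IP -> (hardware address, name/location).
KNOWN = {
    "10.0.0.1": ("00:11:22:33:44:01", "gateway / server room"),
    "10.0.0.10": ("00:11:22:33:44:10", "fileserver / server room"),
}

# Constructed ARP observations: "<timestamp> <ip> <mac>" as a poller would log them.
OBSERVATIONS = """\
2003-08-11T10:00:01 10.0.0.1 00:11:22:33:44:01
2003-08-11T10:00:01 10.0.0.10 00:11:22:33:44:10
2003-08-11T10:00:31 10.0.0.42 00:aa:bb:cc:dd:42
2003-08-11T10:01:01 10.0.0.1 00:de:ad:be:ef:99
2003-08-11T10:01:31 10.0.0.1 00:11:22:33:44:01
2003-08-11T10:02:01 10.0.0.1 00:de:ad:be:ef:99
"""


def parse(line):
    """Split one observation line into (timestamp, ip, mac); MACs are normalised to lowercase."""
    ts, ip, mac = line.split()
    return ts, ip, mac.lower()


def watch(known, lines):
    """Return a list of (timestamp, ip, kind, old_mac, new_mac) alerts."""
    table = {ip: mac for ip, (mac, _) in known.items()}   # current belief per IP
    previous = {}                                          # address seen before the last change
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = parse(line)
        seen = table.get(ip)
        if seen is None:
            alerts.append((ts, ip, "new station", None, mac))
        elif mac != seen:
            # A return to the previously recorded address is the classic sign of
            # two machines fighting over one IP (inadvertent or malicious).
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            alerts.append((ts, ip, kind, seen, mac))
            previous[ip] = seen
        table[ip] = mac
    return alerts


if __name__ == "__main__":
    for ts, ip, kind, old, new in watch(KNOWN, OBSERVATIONS):
        where = KNOWN.get(ip, (None, "unknown location"))[1]
        print(f"{ts} {ip} ({where}): {kind} {old} -> {new}")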
Electronic Commerce - Secure the Fort (Firewalls)
Digging a deep moat around your palace: the design forced everyone entering or leaving the palace to pass through a single drawbridge.
Companies can have several LANs, but the connection to the outside world is restricted to a limited number of doorways, called firewalls.
Firewalls have two components:
Two routers
Application gateways
The only route to the outside world exists through this passageway.
The first (external) router is used for incoming packet filtering.
The second (internal) router handles outgoing packet filtering; together with the application gateway it acts as additional screening for the limited set of offered services.
Firewalls
Packet Filter:
Packets from inside the network are passed outside unchanged
This makes a packet filter susceptible to spoofing
Application Level Firewall:
Packets passed through the firewall are rewritten with the firewall's IP address
All internal IP addresses are completely hidden
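A packet filter that simply passes packets by address can be fooled by a packet arriving from outside with an inside source address, so the filter must say so explicitly. The added example below (not from the slides) is a small first-match-wins packet filter with a default deny whose first rule is exactly that anti-spoofing check; the remaining rules exercise the access criteria listed on the next slide (source, destination, service, time of day). The address ranges, hosts, business hours and sample packets are constructed for the example.

```python
"""Stateless packet filter with an anti-spoofing rule (added example; not from
the slides).  Rules are evaluated first-match-wins with a default deny, and
the first rule shows the point made above: a plain packet filter must
explicitly drop inbound packets that claim an internal source address.
Networks, hosts, hours and packets are constructed for the example."""
import ipaddress
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_WEB = ipaddress.ip_network("10.1.1.10/32")
MAIL_RELAY = ipaddress.ip_network("10.1.1.25/32")


class Rule:
    def __init__(self, name, action, direction, src=ANY, dst=ANY,
                 proto=None, dport=None, hours=None):
        self.name, self.action, self.direction = name, action, direction
        self.src, self.dst, self.proto, self.dport = src, dst, proto, dport
        self.hours = hours          # (start, end) local hours, or None for always

    def matches(self, pkt):
        return (pkt["direction"] == self.direction
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (self.hours is None
                     or self.hours[0] <= pkt["time"].hour < self.hours[1]))


RULES = [
    # Anti-spoofing: nothing arriving from outside may claim an inside address.
    Rule("drop-spoofed-internal", "drop", "in", src=INTERNAL),
    Rule("allow-web-to-dmz", "accept", "in", dst=DMZ_WEB, proto="tcp", dport=80),
    # Only the mail relay may speak SMTP to the outside (see "outgoing email server").
    Rule("allow-relay-smtp", "accept", "out", src=MAIL_RELAY, proto="tcp", dport=25),
    Rule("drop-other-smtp", "drop", "out", proto="tcp", dport=25),
    # Browsing from the inside is allowed during business hours only.
    Rule("allow-web-business-hours", "accept", "out", src=INTERNAL, proto="tcp",
         dport=80, hours=(8, 18)),
    Rule("allow-https-business-hours", "accept", "out", src=INTERNAL, proto="tcp",
         dport=443, hours=(8, 18)),
]


def filter_packet(pkt, rules=RULES):
    """Return (action, rule_name); unmatched packets hit the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "default-deny"


def packet(direction, src, dst, proto, dport, hour):
    """Constructed packet summary; `hour` stands in for the arrival time."""
    return {"direction": direction, "src": src, "dst": dst, "proto": proto,
            "dport": dport, "time": datetime(2003, 8, 11, hour, 0)}


if __name__ == "__main__":
    samples = [
        packet("in", "10.0.0.5", "10.1.1.10", "tcp", 80, 10),      # spoofed inside source
        packet("in", "198.51.100.7", "10.1.1.10", "tcp", 80, 10),  # genuine visitor
        packet("out", "10.0.3.4", "192.0.2.9", "tcp", 25, 10),     # workstation SMTP
        packet("out", "10.1.1.25", "192.0.2.9", "tcp", 25, 10),    # relay SMTP
        packet("out", "10.0.3.4", "192.0.2.9", "tcp", 80, 21),     # web after hours
        packet("out", "10.0.3.4", "192.0.2.9", "tcp", 80, 11),     # web in hours
    ]
    for p in samples:
        print(p["direction"], p["src"], "->", p["dst"], p["dport"], filter_packet(p))
```

Rule order matters: if the anti-spoofing rule came after "allow-web-to-dmz", the spoofed packet to the web server would be accepted. The application-level alternative on the slide avoids the problem differently, by terminating the connection at the gateway so no inside address ever appears on the outside.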
Firewalls
What Can a Firewall Do?
Control access based on: source, destination, service (or sub-service), time, day or date, user
Audit trails for security audits
Notification of events, usually in real time
Multi-use passwords are a problem: the same password is used every time, and if it is guessed or stolen the system will be compromised
Integration of strong authentication via one-time-use password technology: a unique password is generated for each connection
Additional Measures
Good and effective Anti-Virus Server and Anti-Spam Server on the gateway
Install Intrusion Detection Software on the internal as well as external networks
Implement firewalls
Good Content Management as well as traffic management system
Network Monitoring and management software.
How do I achieve secure communications in a public network?
We use the Internet to . . .
Send email
Make purchases
Distribute software
Inventory control & order entry
But we have some concerns - how do we . . .
Know a person is who they claim to be?
Know I'm connected to an authentic merchant?
Protect the privacy of my communications?
Know if information has been tampered with?
Prove later that someone sent me the message?
Four Security Needs for Network Communications
Privacy / Confidentiality - threat: Interception - Is my communication private?
Integrity - threat: Modification - Has my communication been altered?
Authentication - threat: Fabrication - Who am I dealing with?
Non-repudiation - threat: claims of "not sent" / "not received" - Who sent/received it and when?
How do we solve the 4 Security Needs?
Cryptography:
Secret Key
Public Key
Specialized uses of cryptography:
Digital Signature
Digital Certificates
Secret Key Cryptography
Cryptography involves: encryption and decryption
Secret Key cryptography: data is encrypted and decrypted using the same Secret Key
Also known as Symmetric Key
DES is an example of a secret key algorithm
Secret Key Cryptography
It's fast, but . . .
How do I get my secret key to my recipient?
Do I have a different secret key for everyone with whom I communicate?
If one key is compromised, all copies of that key must be replaced
Does not scale well
Public Key Cryptography
Two keys = key pair: mathematically related, but not identical, public and private keys
Public Keys are widely distributed
Private Keys are held securely by owners
Data encrypted with one key can be decrypted only with the other key of the pair
a.k.a. Asymmetric Key; RSA is an example of a public key algorithm
Public Key Cryptography
It's slower, but . . .
I don't have to distribute a secret key because I have my Private Key
Everyone with whom I communicate can know my Public Key
There's only one copy of the Private Key
Scales well
Digital Signature
Everyone has a Signature Key Pair
1) A provides a copy of the Public Key to B (via a public network or directory, or sent along with the signed data; either method works)
2) A signs information using the Private Key
3) B verifies the signature using A's Public Key
Private Key signs data; Public Key verifies the signature on the data
A Closer Look at Digital Signature
Digital Signature: electronic (digital) stamp appended to data before sending
The result of encrypting the Hash of the data to be sent on the network with the signer's Private Key
Any change (to data or signature) will cause the signature verification to fail
Hash (or Digest): speeds up the signing (encrypting) process
One-way conversion of the data to a fixed-length value that, for a collision-resistant hash function, effectively identifies the original data
So, using a diagram . . .
Digital Signing of the Data
Electronic Data -> Hash Function -> Hash Result -> Signing Function (with Private Key of A) -> Digital Signature
Signed Data = Electronic Data + Digital Signature
Only the Private Key holder can sign
Digital Signature Verification
Signed Data is split into the Electronic Data and the Digital Signature
Electronic Data -> Hash Function -> Hash Result
Digital Signature -> Verify Function (with Public Key of A) -> Hash Result
Compare the two Hash Results: Valid? Yes / No
Anyone can verify
So the receiver can compare hashes to verify the signature
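The two diagrams above, signing and verification, are short enough to run end to end. The block below is an added example (not code from the slides) of hash-then-sign with textbook RSA: SHA-256 produces the Hash Result, the private exponent plays the Signing Function, and the public exponent plays the Verify Function, after which the two hash results are compared. Key generation with Miller-Rabin is written out so the block needs only the standard library; the key size, the message and the use of unpadded RSA are choices made for the example (real systems use RSA-PSS or PKCS#1 from a vetted library).

```python
"""Hash-then-sign with textbook RSA (added example; not from the slides).
sign():   hash the data, then apply the private key to the hash result.
verify(): hash the received data and compare it with the hash result the
          public key recovers from the signature.
Key generation (Miller-Rabin) is written out so the block runs offline with
the standard library only.  Textbook RSA without padding is for illustration;
production code uses RSA-PSS or PKCS#1 from a vetted library."""
import hashlib
import random

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test with `rounds` random witnesses."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random prime with exactly `bits` bits (top bit forced on, odd)."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def keygen(bits=512, rng=None):
    """Return (public, private) as ((n, e), (n, d)) with an n of about `bits` bits."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data):
    """The Hash Result as an integer; SHA-256 (256 bits) fits under a 512-bit n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """Signing Function: only the Private Key holder can compute this."""
    n, d = private
    return pow(digest_int(data), d, n)


def verify(public, data, signature):
    """Verify Function: recover the hash with the Public Key and compare."""
    n, e = public
    return pow(signature, e, n) == digest_int(data)


if __name__ == "__main__":
    public, private = keygen()
    message = b"Pay 100 INR to Bob"        # constructed message for the example
    sig = sign(private, message)
    print("genuine:", verify(public, message, sig))
    print("tampered data:", verify(public, b"Pay 100000 INR to Bob", sig))
    print("tampered signature:", verify(public, message, sig ^ 1))
```

The verification step makes the slide's claim concrete: change one byte of the data or one bit of the signature and the recovered hash no longer matches. What this block does not settle is why B should trust that the public key belongs to A, which is the question the next slides answer with certificates.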
Security Solutions
Some security mechanisms:
Secret Key encryption
Public Key encryption
Digital signature
Hashing
How can these security mechanisms solve the four communications security needs?
Confidentiality
Integrity
Authentication
Non-repudiation
Solving the 4 Security Needs
Confidentiality: Encryption (secret key or public key)
Integrity: Digital Signature
Authentication: Digital Signature ??? (see below: why should B trust A's Public Key?)
Non-Repudiation: Digital Signature
Authentication
Identification: how you tell someone who you are
Authentication: how you prove to someone you are who you say you are
How Do I Solve Authentication?
Physical Solutions:
Something you know: password, combination to a safe
Something you have: key, token, badge
Something you are: signature, iris pattern, fingerprint
Electronic Solution: Digital Certificates
So, why does B trust A's Public Key?
Digital Certificates
. . . Because a trusted third party has authenticated that the Public Key belongs to A: the Certification Authority (CA)
When A provides proof of identity, the Certification Authority creates a signed message containing A's name and public key: the Digital Certificate
Digital Certificate = signed message containing A's Name & Public Key
Why trust a Digital Certificate?
A Digital Certificate becomes a passport that proves your identity and authenticates you
A passport is issued by a trusted Government; when another Government sees it, they trust it
A Digital Certificate issued by a trusted CA (which in turn is licensed by the government) can likewise be trusted
Certification Authority
The Certification Authority assumes the responsibility of authenticating the identity information in a Certificate
Like a Government for passports
CA authentication techniques:
Check against existing records (employee databases)
Examine typical identification (passport, driving license)
Background check (government databases)
The CA authenticates, issues & manages Certificates
Information Checkpoint: How do we solve the 4 security needs?
Confidentiality: Encryption (secret key or public key)
Integrity: Digital Signature
Authentication: Digital Signature + Digital Certificates
Non-Repudiation: Digital Signature