
2/24/2000 Will Lennon 1

Internet Security

Based on Learning Tree Course #468:

Internet and Intranet Security: A Comprehensive Introduction

February 20, 2001 Will Lennon 2

Security Model: Objectives vs. Threats

Normal Flow: Information Source -> Information Destination

Each security objective is paired with the threat it counters:

• Authenticity vs. Masquerade
• Integrity vs. Modification
• Privacy vs. Interception
• Availability vs. Interruption


Authenticity vs. Masquerade

• Personal Authenticity (Logins): restricts access by unauthorized users
• Interior Authenticity (DHCP, IPSec): restricts access by unauthorized hosts
• Exterior Authenticity (firewalls): restricts outside access to internal services


Authenticity vs Masquerade

3 ways to establish personal identity:

• Something you know (Passwords)
• Something you have (Keys)
• Something you are (Biometrics)


Personal Authenticity vs. Masquerade

Password attacks:

• Guessing (spouse, pets, child)
• Cracking passwords (dictionary attacks)
• Snooping passwords (network analyzers)
• Social Engineering (Deception)
• Trojan Horses


Personal Authentication methods

• One-time lists
• Repeated hashing (S/Key, OPIE)
• Electronic tokens
• Challenge-Response Schemes (CHAP)
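Why repeated hashing and challenge-response defeat the snooping and replay attacks listed on the previous slide, as an added example that is not course material: an S/Key-style hash chain where the server stores only the last accepted link, and a CHAP-style keyed challenge where the shared secret never crosses the wire. It assumes SHA-256 in place of the MD4/MD5 that S/Key and CHAP actually specify, a hypothetical `OtpServer` class standing in for a login daemon, and constructed secrets.

```python
import hashlib
import hmac
import os


def h(value: bytes) -> bytes:
    """One hash step. S/Key folds MD4/MD5 to 64 bits; SHA-256 stands in here (assumption)."""
    return hashlib.sha256(value).digest()


def build_chain(secret: bytes, n: int) -> list:
    """Return [h^0(secret), h^1(secret), ..., h^n(secret)]; the client keeps this list."""
    chain = [secret]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class OtpServer:
    """Hypothetical login daemon: stores only the last accepted link, never the secret."""

    def __init__(self, anchor: bytes, count: int):
        self.anchor = anchor   # h^n(secret) at enrolment
        self.count = count     # logins left before re-enrolment

    def login(self, presented: bytes) -> bool:
        if self.count <= 0:
            return False
        # The presented value must hash forward onto the stored link.
        if not hmac.compare_digest(h(presented), self.anchor):
            return False
        self.anchor = presented   # the value just used can never be replayed
        self.count -= 1
        return True


def otp_demo() -> dict:
    secret = b"constructed-client-secret"
    chain = build_chain(secret, 3)
    server = OtpServer(chain[3], 3)
    first = server.login(chain[2])    # fresh link: accepted
    replay = server.login(chain[2])   # a snooped value presented again: rejected
    second = server.login(chain[1])   # next link backwards: accepted
    return {"first": first, "replay": replay, "second": second, "remaining": server.count}


# Challenge-response: only a keyed hash of a fresh challenge is sent. Real CHAP
# hashes id || secret || challenge with MD5; HMAC-SHA256 stands in here (assumption).
def chap_challenge() -> bytes:
    return os.urandom(16)


def chap_response(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def chap_verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(chap_response(secret, challenge), response)


def chap_demo() -> dict:
    secret = b"constructed-shared-secret"
    c1 = chap_challenge()
    r1 = chap_response(secret, c1)
    ok = chap_verify(secret, c1, r1)
    c2 = chap_challenge()                   # the next login gets a new challenge
    replayed = chap_verify(secret, c2, r1)  # a captured response fails against it
    return {"ok": ok, "replayed": replayed}


if __name__ == "__main__":
    print(otp_demo())
    print(chap_demo())
```

In both schemes a value captured by a network analyzer is useless on the next login: the hash chain is consumed backwards, so the snooped link no longer hashes onto the server's anchor, and the CHAP response is bound to a challenge that is never reused.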


Interior Authentication: IPSec

• Generic security mechanism for IPv6
• A security association is created between two parties
• Provides privacy services as well as authentication
• Included in most modern O.S.s


Exterior Authentication: Firewalls

Packet Filters:
• Stateless Packet Filters
• Stateful Packet Filters

Proxies:
• Application Proxy
• Circuit-Level Gateways


Sanity Check

Network 1: 147.117.xx.xx
Network 2: 192.168.88.xx

[Diagram: a Router joins Network 1 and Network 2 and judges whether each arriving packet's source address is plausible for the side it came from]

• From: 192.168.88.11 To: 192.168.88.33 (a Network 2 source address arriving from the Network 1 side): Insane, blocked
• From: 147.117.32.65 To: 192.168.88.33: Sane, pass


Stateless Packet Filters

Network 1: 147.117.xx.xx
Network 2: 192.168.88.xx

[Diagram: a Router between Network 1 and Network 2 filters Telnet and SMTP by destination port]

• Telnet (port 23): Block
• SMTP (port 25): Pass


Stateless Packet Filter Refinements: TCP

• Block incoming packets without ACK to block connections initiated by external hosts
• Doesn't work for UDP

[Diagram: TCP Handshake. Client -> Server: SYN; Server -> Client: SYN + ACK; Client -> Server: ACK]
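The three slides above (the sanity check, port-based stateless filtering, and the ACK-bit refinement) as one added simulation in Python; this is not course material. It assumes the slides' addresses, a hypothetical `Packet` record that carries the arrival interface, a default-deny policy for ports the slides do not mention, and the rule ordering shown; a real filter would express these as router access-list entries.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the slides; 192.168.88.0/24 is "Network 2", the inside.
INSIDE_NET = ipaddress.ip_network("192.168.88.0/24")

# Port policy from the "Stateless Packet Filters" slide.
BLOCKED_PORTS = {23}   # Telnet: block
SERVICE_PORTS = {25}   # SMTP: pass, inbound connections allowed


@dataclass
class Packet:
    """Hypothetical packet record: the filter sees only headers, never application data."""
    iface: str          # interface it arrived on: "outside" (Network 1 side) or "inside"
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; meaningless for UDP


def sanity_check(pkt: Packet):
    """Anti-spoofing: a packet arriving from outside must not carry an inside source address."""
    if pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in INSIDE_NET:
        return "block: insane, inside source address arrived from outside"
    return None


def stateless_filter(pkt: Packet) -> str:
    """Apply the slides' rules in order; a stateless filter decides on this packet alone."""
    verdict = sanity_check(pkt)
    if verdict:
        return verdict
    if pkt.dport in BLOCKED_PORTS:
        return "block: port policy (telnet)"
    if pkt.dport in SERVICE_PORTS:
        return "pass: port policy (smtp)"
    if pkt.iface == "inside":
        return "pass: outbound"
    # ACK refinement: an inbound TCP segment without ACK is the opening SYN of a
    # connection the outside host is initiating, so it is dropped; a segment with
    # ACK set is taken to be a reply to a connection an inside host opened.
    if pkt.proto == "tcp":
        if pkt.ack:
            return "pass: reply to inside-initiated connection (ACK set)"
        return "block: connection initiated from outside (no ACK)"
    # UDP carries no ACK bit, so a stateless filter cannot tell a reply from a new flow.
    return "block: udp, no ack bit to distinguish reply from new flow"


def run_slide_packets() -> list:
    """Constructed packets matching the slides' figures, with the filter's verdict for each."""
    packets = [
        Packet("outside", "tcp", "192.168.88.11", "192.168.88.33", 25),   # sanity check: insane
        Packet("outside", "tcp", "147.117.32.65", "192.168.88.33", 25),   # sanity check: sane
        Packet("outside", "tcp", "147.117.32.65", "192.168.88.33", 23),   # telnet: block
        Packet("outside", "tcp", "147.117.32.65", "192.168.88.33", 8080, ack=True),  # reply
        Packet("outside", "tcp", "147.117.32.65", "192.168.88.33", 8080), # new outside connection
        Packet("outside", "udp", "147.117.32.65", "192.168.88.33", 5000), # udp: ack trick unavailable
    ]
    return [(p.proto, p.src, p.dport, stateless_filter(p)) for p in packets]


if __name__ == "__main__":
    for row in run_slide_packets():
        print(row)
```

The last two constructed packets show the limit the slide names: the ACK test only works for TCP, and nothing in this code remembers earlier packets, which is exactly what a stateful filter adds.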


Problems with Stateless Packet Filtering

• IP Fragmentation

• Protocols with variable port numbers

• Non-standard use of standard ports


Circuit-Level Gateway

[Diagram: Inside Host, Gateway, Outside Host, with steps 1, 2, 3]

1: Inside Host connects to TCP port on Gateway
2: Gateway connects to Outside Host
3: Gateway passes messages transparently


Screened Subnet Topology

[Diagram: WWW (Internet) connects through a Screening Router (Packet Filter) to a DMZ holding the FTP Server, WWW Server, Proxy and DWOS, with the Internal Network behind it]


Chapman Architecture

[Diagram: WWW (Internet) connects through a Screening Router (Packet Filter) to a DMZ holding the FTP Server, WWW Server, Bastion Host and DWOS; a second Screening Router separates the DMZ from the Internal Network]


Privacy vs. Interception

3 ways to maintain information privacy:

• Hide the existence -> steganography
• Hide the content -> access control
• Hide the meaning -> encryption


Cryptography / Encryption

[Diagram: "Hello" -> Encryptor (Key A) -> "a#k3Wj" -> Decryptor (Key B) -> "Hello"]

Two types of cryptographic algorithms exist:

1) Secret Key (aka Symmetrical): Key A == Key B. DES, 3DES, Blowfish, RC5, IDEA, Skipjack
2) Public Key (aka Asymmetrical): Key A != Key B. RSA, DSA

Hash Functions: MD5, SHA


Public Key Encryption Example

[Diagram: exchange between Alice and Ahab]

Alice: “I want to send you a secret message.”

Ahab: “Encrypt it with my public key: s6sd2KlUq.”

Alice: “Here’s the message: iqm3k2lsjesk”

Ahab: “Got it.”


Virtual Private Networks (VPNs)

• VPN is an encrypted tunnel through which all data passes between two endpoints
• Endpoints are usually firewalls
• Encryption technology varies, often negotiated using IPSec

[Diagram: Net 1 -> VPN across the Internet -> Net 2]


Integrity vs. Modification

Use a Hash Function to assure Integrity.

A Hash Sum or message digest is:

• data dependent
• irreversible
• collision free

[Diagram: Message -> Hash Function -> Hash Sum]


Cryptography for Personal Messages

[Diagram: two-stage pipeline]

Message -> MD5 Hash (Integrity) -> Hash Sum -> Encrypt with Sender's Private Key (Authenticity) -> Digital Signature

Message + Digital Signature -> Encrypt with Receiver's Public Key (Privacy) -> Encrypted Private Message
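The Alice/Ahab exchange, the hash-sum properties and the sign-then-encrypt pipeline above, carried through end to end as an added example that is not the course's code. It uses textbook RSA over fixed Mersenne primes so that it runs with the standard library alone, SHA-256 in place of the MD5 the slide names, and no padding; that makes it a teaching toy for the pipeline, not usable cryptography. The key names, the primes chosen and the message are constructed.

```python
import hashlib

# Fixed Mersenne primes (2^k - 1 with k in {107, 127, 521, 607} is prime) so no
# key generation is needed. Textbook RSA: no padding, deterministic. Teaching toy only.
M107 = (1 << 107) - 1
M127 = (1 << 127) - 1
M521 = (1 << 521) - 1
M607 = (1 << 607) - 1
E = 65537


def make_keypair(p: int, q: int, e: int = E):
    """Return ((n, e), (n, d)); pow(e, -1, phi) needs Python 3.8+."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


ALICE_PUB, ALICE_PRIV = make_keypair(M127, M521)   # constructed sender key
AHAB_PUB, AHAB_PRIV = make_keypair(M107, M607)     # constructed receiver key


def digest(message: bytes) -> int:
    """Hash sum as an integer. The slide says MD5; SHA-256 stands in here (assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Integrity + authenticity: 'encrypt' the hash sum with the sender's private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def encrypt_int(m: int, public_key) -> int:
    n, e = public_key
    return pow(m, e, n)


def decrypt_int(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)


def seal(message: bytes, sender_priv, receiver_pub):
    """Privacy: message and signature are each encrypted with the receiver's public key."""
    n = receiver_pub[0]
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return encrypt_int(m, receiver_pub), encrypt_int(sign(message, sender_priv), receiver_pub)


def open_sealed(sealed, receiver_priv, sender_pub):
    """Decrypt with the receiver's private key, then check the signature with the sender's public key."""
    c_msg, c_sig = sealed
    m = decrypt_int(c_msg, receiver_priv)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    signature = decrypt_int(c_sig, receiver_priv)
    return message, verify(message, signature, sender_pub)


def demo() -> dict:
    msg = b"I want to send you a secret message."   # constructed, after the Alice/Ahab slide
    sealed = seal(msg, ALICE_PRIV, AHAB_PUB)
    recovered, authentic = open_sealed(sealed, AHAB_PRIV, ALICE_PUB)
    signature = decrypt_int(sealed[1], AHAB_PRIV)
    # Modification: a changed message no longer matches the signed hash sum.
    modified_detected = not verify(msg + b"!", signature, ALICE_PUB)
    # Masquerade: a signature made with Ahab's key does not verify as Alice's.
    masquerade_detected = not verify(msg, sign(msg, AHAB_PRIV), ALICE_PUB)
    # Integrity slide, "data dependent": a one-byte change alters the digest.
    data_dependent = digest(msg) != digest(msg + b"!")
    return {
        "recovered": recovered,
        "authentic": authentic,
        "modified_detected": modified_detected,
        "masquerade_detected": masquerade_detected,
        "data_dependent": data_dependent,
    }


if __name__ == "__main__":
    print(demo())
```

The order matters for the slide's three objectives: the signature is computed over the plaintext and then both travel under the receiver's public key, so the receiver checks authenticity and integrity only after privacy has been removed with a key only Ahab holds.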


Availability vs. Interruption

Bombs:
• Files that have undesirable behavior

Viruses:
• Designed to propagate themselves
• Limited to a particular OS or application
• Must be attached to another piece of software

Worms:
• Similar to viruses but are stand-alone software


Availability vs. Interruption

• Electro-Magnetic Pulse (EMP), HERF gun: High Energy Radiated Frequency
• Data Flood: -->traceOn(“”)
• Broadcast Storms: “Smurf Attack”
• Bombardment Attacks: SYN flood
• Duplicate IP Address problem


SYN Flood

[Diagram: TCP handshake between Client and Server: SYN, SYN + ACK, ACK]

Server opens a new port, sends response, and waits for client to acknowledge.

Client repeatedly sends SYN messages. Client never sends the ACK message. Server’s ports quickly become full.


Smurf Attack

[Diagram: Attack Station -> Relays -> Zombies -> Victim (1.2.3.4)]

• Start: Attack Station sends Ping To: 255.255.255.255 From: 1.2.3.4 (the Victim's address)
• Relays forward the broadcast ping to the Zombies
• Each Zombie sends Ping Response To: 1.2.3.4 From: w.x.y.z
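A defender's view of the two attacks above, as an added example that is not course material: detection logic run over a constructed packet trace that flags sources holding many half-open handshakes (the SYN flood) and hosts receiving echo replies from many distinct responders after a ping to a broadcast address (the smurf). The trace, the thresholds and the classful "last octet 255" broadcast heuristic are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed packet trace (not from the course): (proto, src, dst, info).
# For tcp, info is the flag set; for icmp, info is "echo-request" or "echo-reply".
TRACE = (
    [
        ("tcp", "10.0.0.5", "192.168.88.33", {"SYN"}),          # normal client: full handshake
        ("tcp", "192.168.88.33", "10.0.0.5", {"SYN", "ACK"}),
        ("tcp", "10.0.0.5", "192.168.88.33", {"ACK"}),
    ]
    + [("tcp", "203.0.113.9", "192.168.88.33", {"SYN"})] * 6    # SYNs never acknowledged
    + [("icmp", "1.2.3.4", "255.255.255.255", "echo-request")]  # broadcast ping, source = victim
    + [("icmp", f"198.51.100.{i}", "1.2.3.4", "echo-reply") for i in range(1, 6)]
)


def half_open_by_source(trace) -> Counter:
    """Per source address, SYNs not followed by that source's handshake-completing ACK."""
    pending = Counter()
    for proto, src, dst, info in trace:
        if proto != "tcp":
            continue
        if info == {"SYN"}:
            pending[(src, dst)] += 1
        elif "ACK" in info and "SYN" not in info and pending[(src, dst)] > 0:
            pending[(src, dst)] -= 1
    by_src = Counter()
    for (src, _dst), n in pending.items():
        by_src[src] += n
    return by_src


def syn_flood_sources(trace, threshold: int = 5) -> list:
    """Sources holding at least `threshold` half-open connections (threshold is an assumption)."""
    return sorted(src for src, n in half_open_by_source(trace).items() if n >= threshold)


def is_broadcast(addr: str) -> bool:
    """Limited broadcast, or a last octet of 255 as a classful directed-broadcast heuristic."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and (addr == "255.255.255.255" or ip.packed[-1] == 255)


def smurf_indicators(trace, min_responders: int = 3) -> dict:
    """Two signs of a smurf attack: echo requests aimed at a broadcast address (the
    amplifier input, which a border router should not forward) and one host receiving
    echo replies from many different responders (the victim under amplification)."""
    broadcast_requests = [
        (src, dst) for proto, src, dst, info in trace
        if proto == "icmp" and info == "echo-request" and is_broadcast(dst)
    ]
    responders = defaultdict(set)
    for proto, src, dst, info in trace:
        if proto == "icmp" and info == "echo-reply":
            responders[dst].add(src)
    victims = sorted(dst for dst, srcs in responders.items() if len(srcs) >= min_responders)
    return {"broadcast_echo_requests": broadcast_requests, "amplified_victims": victims}


if __name__ == "__main__":
    print("half-open per source:", dict(half_open_by_source(TRACE)))
    print("SYN flood sources:", syn_flood_sources(TRACE))
    print("smurf indicators:", smurf_indicators(TRACE))
```

The half-open count is the quantity a SYN-cookie or backlog-limit defence is sized against, and the broadcast-request check corresponds to the router setting that stops a site from acting as a smurf relay: not forwarding directed broadcasts.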


Requirements for Good Security

• Security Policy
• Security Technology
• Activity Logging
• Incident Response Plan
• Enforcement