Security

Copyright 2003 Prentice-Hall. Panko's Business Data Networking and Telecommunications, 4th edition


2

Types of Attackers

Wizard Internet Hackers Highly capable attackers

Amateurs (Script Kiddies) Light skills, but numerous and armed with

automated attack programs (kiddie scripts) of increasing potency

3

Types of Attackers

Criminals

Theft of credit card numbers, trade secrets, and other sensitive information

Sell the information or attempt extortion to prevent the release of the information

Individual criminals

Industrial and government espionage spies

4

Types of Attackers

Employees

Dangerous because of internal knowledge and access

Often, large losses per incident due to theft, fraud, or sabotage

5

Types of Attackers

Information Warfare and Cyberterrorism

Massive attack by a government or terrorist group against a country’s IT infrastructure

Attacks by amateur cyberterrorists are already starting to approach this level of threat

6

Types of Security Systems

Secure Communication System

Figure: a client PC and a server exchange messages. An attacker taps into the conversation and tries to read messages, alter messages, or add new messages.

7

Types of Security Systems

Attack Prevention System

Figure: attack messages from an attacker on the Internet must pass through a firewall before they can reach the corporate network; behind the firewall sit a hardened client PC and a hardened server with permissions.

8

Attacks Requiring Protection

Hacking Servers: access without permission or in excess of permission. Servers are attractive because of the data they store.

Hacking Clients: attractive because of their data or as a way to attack other systems, using the hacked client as an attack platform. Clients are soft targets compared to servers; most users are security novices.

9

Attacks Requiring Protection

Denial-of-Service (DoS) Attacks

Make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.

Figure: single-message DoS attack. The attacker sends one message that crashes the victim server.

10

Attacks Requiring Protection

Denial-of-Service (DoS) Attacks (continued)

Figure: message-stream DoS attack. The attacker sends a stream of messages that overloads the victim server.

11

Denial-of-Service Attacks

Distributed DoS (DDoS) Attack: messages come from many sources

Figure: the attacker sends an attack command to several computers on which a zombie program has been installed; each zombie then sends a message stream at the victim server.

12

Attacks Requiring Protection

Scanning Attacks: to identify victims and ways of attacking them

The attacker sends messages to select victims and attack methods

The attacker examines the data that the responses reveal: IP addresses of potential victims; what services the victims are running (different services have different weaknesses); the host's operating system, version number, etc.
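
The response-examination step of a scan, as an added example in Go (not code from the textbook): a connect scan against a service started on the loopback interface so that it runs offline. The banner text, the classification rules and the neighbouring ports probed in main are constructed for the example; real scanners consult large fingerprint databases rather than a three-case switch.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"time"
)

// StartBannerService listens on a loopback port chosen by the OS and greets
// every connection with the given banner line. It stands in for a real
// service whose greeting reveals what it is; the banner used in main is
// constructed for this example, not captured from a real host.
func StartBannerService(banner string) (net.Listener, int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, 0, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed: the port is now "closed" to a scanner
			}
			go func(c net.Conn) {
				defer c.Close()
				fmt.Fprintf(c, "%s\r\n", banner)
			}(c)
		}
	}()
	return ln, ln.Addr().(*net.TCPAddr).Port, nil
}

// ProbePort is one step of a TCP connect scan: try to open a connection and,
// if that succeeds, read the first line the service volunteers. open=false
// means the port refused or timed out; open=true with an empty banner means
// the port answers but says nothing before the client speaks.
func ProbePort(host string, port int) (banner string, open bool) {
	c, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%d", host, port), time.Second)
	if err != nil {
		return "", false
	}
	defer c.Close()
	c.SetReadDeadline(time.Now().Add(time.Second))
	line, _ := bufio.NewReader(c).ReadString('\n')
	return strings.TrimSpace(line), true
}

// Classify turns a banner into a service guess, which is the "what services
// are running" step of a scan. These rules are a constructed sample.
func Classify(banner string) string {
	switch {
	case strings.HasPrefix(banner, "SSH-"):
		return "ssh"
	case strings.HasPrefix(banner, "220 "):
		return "smtp-or-ftp"
	case banner == "":
		return "unknown (no banner)"
	default:
		return "other"
	}
}

// ScanPorts probes each port on host and reports only the open ones.
func ScanPorts(host string, ports []int) map[int]string {
	found := map[int]string{}
	for _, p := range ports {
		if banner, open := ProbePort(host, p); open {
			found[p] = Classify(banner)
		}
	}
	return found
}

func main() {
	ln, port, err := StartBannerService("SSH-2.0-ExampleSSH_1.0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	// Scan the open port plus two neighbours that almost certainly have no listener.
	for p, svc := range ScanPorts("127.0.0.1", []int{port - 1, port, port + 1}) {
		fmt.Printf("port %d open, looks like %s\n", p, svc)
	}
}
```

The point to notice is that the service identified itself before the scanner sent a single byte: a banner that names the product and version hands the attacker the "different services have different weaknesses" step for free, which is why hardening guides suggest trimming banners.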

13

Attacks Requiring Protection

Malicious Content

Viruses: infect files; propagate when an infected program is executed. Payloads may be destructive.

Worms: propagate by themselves

Trojan horses: appear to be one thing, such as a game, but actually are malicious

Snakes: combine a worm with a virus, Trojan horses, and other attacks

14

Attacks Requiring Protection

Malicious Content

Illegal content: pornography, sexual or racial harassment

Spam (unsolicited commercial e-mail)

Security group is often called upon to address pornography, harassment, and spam

15

Packet Filter Firewall

Figure: arriving packets from the Internet (an IP header with a TCP header and application message; an IP header with a UDP header and application message; an IP header with an ICMP message) pass through the packet filter firewall, which permits or denies each one before it reaches the corporate network.

Examines packets in isolation: fast, but misses some attacks

16

Access Control List Fragment

For packets containing TCP segments:

Rule 1: IF Interface = Internal

AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007)

THEN DENY

Remark: Used by a well-known Trojan horse program.

17

Access Control List Fragment

Rule 2: IF Interface = External

AND Destination Port Number = 80

AND Destination IP address = 172.16.210.22

THEN PERMIT

Remark: Going to a known webserver.

18

Access Control List Fragment

Rule 3: IF Interface = External

AND Destination Port Number = 80

AND Destination IP Address = NOT 172.16.210.22

THEN DENY

Remark: Going to an unknown webserver.

19

Access Control List Fragment

Rule 4: IF Interface = External

AND (SYN = Set AND FIN = Set)

THEN DENY

Remark: Used in host scanning attacks and not in real transactions.

20

Access Control List Fragment

Order: rules are executed in order

If a packet is permitted or denied by one rule, it will not reach subsequent rules

Misconfiguration is easy, opening the network to attack

Always test a firewall by hitting it with attack messages to see if they are handled properly
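
The four rules above as a first-match access control list, as an added example in Go (not code from the textbook). The deny-by-default tail is an assumption: the fragment does not say what happens to a packet no rule matches, and denying it is the safe reading. The test packets are constructed; the addresses and ports are the ones in the rules.

```go
package main

import "fmt"

// Packet carries only the header fields the ACL fragment looks at. The
// packets built in main are constructed test traffic, not captured data.
type Packet struct {
	Iface   string // "Internal" or "External"
	SrcIP   string
	SrcPort int
	DstIP   string
	DstPort int
	SYN     bool
	FIN     bool
}

// Rule is one ACL entry: a match predicate plus the action on a match.
type Rule struct {
	Name   string
	Match  func(Packet) bool
	Permit bool
	Remark string
}

func inRange(n, lo, hi int) bool { return n >= lo && n <= hi }

// ACL reproduces rules 1-4 from the slides in the order they appear. The
// trailing rule is an assumption: the fragment does not say what happens to
// packets no rule matches, and deny-by-default is the safe reading.
var ACL = []Rule{
	{"Rule 1", func(p Packet) bool {
		return p.Iface == "Internal" && (p.SrcPort == 7056 || inRange(p.SrcPort, 8002, 8007))
	}, false, "Used by a well-known Trojan horse program"},
	{"Rule 2", func(p Packet) bool {
		return p.Iface == "External" && p.DstPort == 80 && p.DstIP == "172.16.210.22"
	}, true, "Going to a known webserver"},
	{"Rule 3", func(p Packet) bool {
		return p.Iface == "External" && p.DstPort == 80 && p.DstIP != "172.16.210.22"
	}, false, "Going to an unknown webserver"},
	{"Rule 4", func(p Packet) bool {
		return p.Iface == "External" && p.SYN && p.FIN
	}, false, "Used in host scanning attacks and not in real transactions"},
	{"Default", func(Packet) bool { return true }, false, "Assumed deny-by-default tail"},
}

// Evaluate walks the list top to bottom and stops at the first match. That
// is why order matters: a packet permitted or denied by an earlier rule
// never reaches a later one.
func Evaluate(rules []Rule, p Packet) (permit bool, by string) {
	for _, r := range rules {
		if r.Match(p) {
			return r.Permit, r.Name
		}
	}
	return false, "none"
}

// MoveToFront returns a copy of rules with the named rule evaluated first,
// which is how the ordering mistake shown in main is fixed.
func MoveToFront(rules []Rule, name string) []Rule {
	out := make([]Rule, 0, len(rules))
	for _, r := range rules {
		if r.Name == name {
			out = append(out, r)
		}
	}
	for _, r := range rules {
		if r.Name != name {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// A SYN+FIN probe aimed at the known webserver: rule 2 matches first and
	// permits it, so rule 4 never sees it. Moving rule 4 up closes the hole.
	probe := Packet{Iface: "External", SrcIP: "203.0.113.5", SrcPort: 40002, DstIP: "172.16.210.22", DstPort: 80, SYN: true, FIN: true}
	trojan := Packet{Iface: "Internal", SrcIP: "172.16.210.40", SrcPort: 8004, DstIP: "203.0.113.9", DstPort: 443}
	for _, p := range []Packet{probe, trojan} {
		ok, by := Evaluate(ACL, p)
		fmt.Printf("%s %s:%d -> %s:%d permit=%v (%s)\n", p.Iface, p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, ok, by)
	}
	ok, by := Evaluate(MoveToFront(ACL, "Rule 4"), probe)
	fmt.Printf("after reordering: probe permit=%v (%s)\n", ok, by)
}
```

Rule order bites here: a SYN+FIN probe sent to 172.16.210.22 port 80 is matched by rule 2 and permitted before rule 4 can deny it, so the scan reaches the one server the list was meant to protect. Placing rule 4 ahead of rule 2 fixes that, and it is exactly the kind of misconfiguration that the advice to test the firewall with attack messages is meant to catch.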

21

Stateful Firewall

Does not examine packets in isolation

Examines each packet to see if it is part of an ongoing conversation

Catches errors that packet filter firewalls cannot: refuses a TCP acknowledgement if an internal host has not opened a connection to that host

Usually does not examine a packet in detail if the packet is part of an ongoing conversation; this can miss attack packets

(Beyond what is in the book)
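
A minimal model of the connection table a stateful firewall keeps, as an added example in Go (not code from the textbook). It refuses an inbound acknowledgement for which no internal host sent a SYN, and it also reproduces the caveat on the slide: once a conversation is known, later segments pass without the payload being examined. The addresses are taken from the NAT figure later in the deck; the handshake segments are constructed.

```go
package main

import "fmt"

type Direction int

const (
	Outbound Direction = iota // internal host -> Internet
	Inbound                   // Internet -> internal host
)

// Segment holds the TCP header fields the firewall consults; the traffic in
// main is constructed from the addresses used on the NAT slides.
type Segment struct {
	Dir      Direction
	SrcIP    string
	SrcPort  int
	DstIP    string
	DstPort  int
	SYN, ACK bool
	Payload  string
}

// connKey names a conversation from the internal host's point of view.
type connKey struct {
	inIP, outIP     string
	inPort, outPort int
}

// StatefulFirewall remembers which conversations an internal host opened.
// It is a minimal model of what the slide describes, not a real
// implementation: the only state kept is "an inside host sent a SYN here".
type StatefulFirewall struct {
	table map[connKey]bool
}

func NewStatefulFirewall() *StatefulFirewall {
	return &StatefulFirewall{table: map[connKey]bool{}}
}

// Filter returns whether the segment passes and the reason.
func (f *StatefulFirewall) Filter(s Segment) (bool, string) {
	if s.Dir == Outbound {
		k := connKey{s.SrcIP, s.DstIP, s.SrcPort, s.DstPort}
		if s.SYN && !s.ACK {
			f.table[k] = true
			return true, "internal host opened a connection; entry added"
		}
		if f.table[k] {
			return true, "part of an ongoing conversation"
		}
		return false, "outbound segment for a connection never opened"
	}
	k := connKey{s.DstIP, s.SrcIP, s.DstPort, s.SrcPort}
	if f.table[k] {
		// Known conversation: passed without looking at the payload, which
		// is the gap the slide points out.
		return true, "reply to a connection the internal host opened (payload not examined)"
	}
	return false, "no internal host opened a connection to this external host and port"
}

func main() {
	fw := NewStatefulFirewall()
	flow := []Segment{
		{Outbound, "192.168.34.2", 13472, "172.47.9.6", 80, true, false, ""},
		{Inbound, "172.47.9.6", 80, "192.168.34.2", 13472, true, true, ""},
		{Inbound, "203.0.113.7", 80, "192.168.34.2", 13472, false, true, ""},
		{Inbound, "172.47.9.6", 80, "192.168.34.2", 13472, false, true, "payload the filter never looks at"},
	}
	for _, s := range flow {
		ok, why := fw.Filter(s)
		fmt.Printf("%-15s:%-5d -> %-15s:%-5d permit=%-5v %s\n", s.SrcIP, s.SrcPort, s.DstIP, s.DstPort, ok, why)
	}
}
```

The third segment is the case a packet filter cannot catch: an ACK from 203.0.113.7 that looks like part of a normal conversation but answers a connection nobody inside opened. The fourth shows the trade-off: it is accepted on the strength of the table entry alone, whatever it carries.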

22

Application (Proxy) Firewall

Figure: the application firewall runs a separate proxy for each application (an SMTP e-mail proxy, an FTP proxy, an HTTP proxy). For a web request: (1) the browser on the client PC sends an HTTP request to the HTTP proxy; (2) the proxy examines the request and forwards it to the webserver application; (3) the webserver sends its HTTP response back to the proxy; (4) the proxy examines the response and passes it to the browser.

26

Application (Proxy) Firewall

Can examine the application message, filtering packets by application content

If a hacker takes over the proxy firewall, the hacker has not taken over the internal clients, with which the proxy has only indirect contact

The internal client's IP address is hidden: all packets sent back by the server carry the address of the application proxy server

A separate proxy program is needed for each application

27

Network Address Translation (NAT)

Figure: (1) the internal client sends a packet from 192.168.34.2, port 13472, toward a server host on the Internet; (2) the NAT firewall rewrites the packet so that it leaves from 172.47.9.6, port 31789, and records the pair in its translation table.

Translation table (internal to external): IP address 192.168.34.2, port 13472 maps to IP address 172.47.9.6, port 31789

28

Network Address Translation (NAT)

Figure: (3) the server host replies to 172.47.9.6, port 31789; (4) the NAT firewall looks up the entry in its translation table and delivers the packet to the client at 192.168.34.2, port 13472.

Translation table (internal to external): IP address 192.168.34.2, port 13472 maps to IP address 172.47.9.6, port 31789
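
The translation table from the two figures as code, as an added example in Go (not code from the textbook): the outbound rewrite that creates an entry, the reverse lookup that delivers the reply, and what happens to an inbound packet that no inside host asked for. The addresses and the first external port are the ones on the slides; allocating external ports sequentially and the server addresses are assumptions.

```go
package main

import "fmt"

// Packet holds the addressing fields NAT rewrites; the packets in main are
// constructed from the addresses on the slides.
type Packet struct {
	SrcIP   string
	SrcPort int
	DstIP   string
	DstPort int
}

type endpoint struct {
	ip   string
	port int
}

// NAT is the translation table from the slides: each internal (address,
// port) pair is mapped to a port on the firewall's one public address.
// Sequential allocation of external ports is an assumption for clarity.
type NAT struct {
	PublicIP string
	toExt    map[endpoint]endpoint // internal -> external
	toInt    map[int]endpoint      // external port -> internal
	nextPort int
}

func NewNAT(publicIP string, firstPort int) *NAT {
	return &NAT{PublicIP: publicIP, toExt: map[endpoint]endpoint{}, toInt: map[int]endpoint{}, nextPort: firstPort}
}

// Outbound rewrites the source of a packet leaving the corporate network,
// creating a table entry the first time an internal socket is seen.
func (n *NAT) Outbound(p Packet) Packet {
	in := endpoint{p.SrcIP, p.SrcPort}
	ext, ok := n.toExt[in]
	if !ok {
		ext = endpoint{n.PublicIP, n.nextPort}
		n.nextPort++
		n.toExt[in] = ext
		n.toInt[ext.port] = in
	}
	return Packet{ext.ip, ext.port, p.DstIP, p.DstPort}
}

// Inbound reverses the translation for a reply. A packet whose destination
// port has no table entry cannot be delivered: no inside host asked for it,
// which is why plain NAT also blocks unsolicited inbound connections.
func (n *NAT) Inbound(p Packet) (Packet, bool) {
	in, ok := n.toInt[p.DstPort]
	if !ok || p.DstIP != n.PublicIP {
		return Packet{}, false
	}
	return Packet{p.SrcIP, p.SrcPort, in.ip, in.port}, true
}

func main() {
	nat := NewNAT("172.47.9.6", 31789)
	out := nat.Outbound(Packet{"192.168.34.2", 13472, "203.0.113.10", 80})
	fmt.Printf("steps 1-2: leaves as %s:%d -> %s:%d\n", out.SrcIP, out.SrcPort, out.DstIP, out.DstPort)
	reply, ok := nat.Inbound(Packet{"203.0.113.10", 80, out.SrcIP, out.SrcPort})
	fmt.Printf("steps 3-4: reply delivered=%v to %s:%d\n", ok, reply.DstIP, reply.DstPort)
	_, ok = nat.Inbound(Packet{"198.51.100.9", 4444, "172.47.9.6", 4445})
	fmt.Printf("unsolicited inbound delivered=%v\n", ok)
}
```

Note what this simple table does not check: once an entry exists, any external host that guesses the external port can reach the internal socket, because the lookup is keyed on the destination port alone. Real NAT devices differ in whether they also require the source address to match the original peer, and that difference matters for both security and for protocols that rely on inbound connections.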

29

Intrusion Detection

Figure: (1) an attacker sends an attack packet, and a legitimate host sends a legitimate packet, to an internal host; (2) all packets are also passed to the intrusion detection system, which writes them to a dump; (3) the IDS sends the network administrator a notification of a possible attack; (4) the administrator analyzes the dump.

30

Firewalls versus Intrusion Detection

Firewalls permit or deny traffic based on filtering rules

Intrusion detection systems (IDSs) only save and mark certain packets as suspicious; they do not take action

Some firewalls issue alerts when packets are dropped, and most firewalls log all drops

IDSs identify all suspicious packets, many of which turn out to be acceptable; firewall drop rules are more specific

(New: not in the book)

31

Hardening Clients and Servers

Known Weaknesses: known security weaknesses in operating systems and application programs. Vendors issue patches to fix these known weaknesses, and most firms download them, but firms often fail to install them all: vendors issue 30-50 patches per week, and each patch must be installed on each server.

Host Firewalls: server firewalls and personal (client) firewalls

32

Hardening Clients and Servers

Server Authentication: Passwords

Cracking with exhaustive search and dictionary attacks

Strong passwords

Super accounts

33

Hardening Clients and Servers

Server Authentication: Rules for Strong Passwords

At least 8 characters long

At least one change of case

At least one digit (0-9), not at the end

At least one non-alphanumeric character (#@%^&*!), not at the end

34

Kerberos Authentication (Simplified)

Figure: (1) the applicant performs an initial sign-on with the Kerberos server; (2) the applicant requests a ticket for a verifier; (3) the Kerberos server sends the ticket to the applicant; (4) the applicant presents the ticket to the verifier.

35

Hardening Clients and Servers

Server Authentication: Biometric authentication

Fingerprint: least expensive

Iris: most accurate

Face recognition: controversial in public places for mass identification

Other forms of biometric identification

Smart cards (ID card with microprocessor and data)

36

Hardening Clients and Servers

Limiting Permissions on Servers (Ch. 10)

Only permit access to some directories

Limit permissions (what the user can do) there

Like controlling access to a building: a visitor is not allowed to go anywhere and remove items

37

Secure Communication System

Figure: between the client PC and the server: (1) initial negotiation of security parameters; (2) mutual authentication; (3) key exchange or key agreement; (4) subsequent communication with message-by-message confidentiality, authentication, and message integrity.

38

Symmetric Key Encryption for Confidentiality

Figure: Party A applies the encryption method with the symmetric key to the plaintext "Hello", producing the ciphertext "11011101". Party B holds the same symmetric key. An interceptor sits on the network between them.

39

Symmetric Key Encryption for Confidentiality

Figure: the ciphertext "11011101" crosses the network from Party A to Party B; the interceptor can capture it but, without the symmetric key, cannot read it.

40

Symmetric Key Encryption for Confidentiality

Figure: Party B applies the decryption method with the same symmetric key to the ciphertext "11011101" and recovers the plaintext "Hello".

41

Public Key Encryption for Confidentiality

Figure: to send to Party B, Party A encrypts with Party B's public key; Party B decrypts with Party B's private key.

42

Public Key Encryption for Confidentiality

Figure: to send to Party A, Party B encrypts with Party A's public key; Party A decrypts with Party A's private key.
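
How the two kinds of encryption fit together in the secure communication system described above, as an added example in Go (not code from the textbook) that serves the secure-communication, symmetric-key and public-key slides at once: Party A seals a fresh AES-256 session key with Party B's RSA public key (step 3, key exchange), and the two parties then use the symmetric key message by message with AES-GCM, whose authentication tag supplies the message integrity of step 4. Steps 1 and 2 (parameter negotiation and mutual authentication) are not modelled. The key sizes, the OAEP label and the message text are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// GenerateKeyPair makes Party B's public/private key pair. The 2048-bit size
// is an assumption for this example.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

var oaepLabel = []byte("session-key") // assumed label; both sides must agree on it

// SealSessionKey is Party A's side of step 3 (key exchange): create a random
// symmetric key and encrypt it with B's public key using RSA-OAEP.
func SealSessionKey(pub *rsa.PublicKey) (key, sealed []byte, err error) {
	key = make([]byte, 32) // AES-256
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	return key, sealed, err
}

// OpenSessionKey is Party B's side: only the holder of B's private key can
// recover the symmetric key; an interceptor sees only the sealed blob.
func OpenSessionKey(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, oaepLabel)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt protects one message with the shared symmetric key (step 4).
// AES-GCM gives confidentiality plus an authentication tag, so both
// message-by-message confidentiality and message integrity come from it.
// A fresh random nonce is prepended to the ciphertext.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt recovers the plaintext with the same key. Any change to the
// ciphertext makes the tag check fail and returns an error instead of
// garbage, which is the integrity guarantee the slide asks for.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

func main() {
	b, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	key, sealed, err := SealSessionKey(&b.PublicKey) // Party A
	if err != nil {
		panic(err)
	}
	bKey, err := OpenSessionKey(b, sealed) // Party B
	if err != nil {
		panic(err)
	}
	ct, _ := Encrypt(key, []byte("Hello"))
	pt, err := Decrypt(bKey, ct)
	fmt.Printf("interceptor sees %x; B reads %q (err=%v)\n", ct, pt, err)
	ct[len(ct)-1] ^= 1 // interceptor alters one bit in transit
	_, err = Decrypt(bKey, ct)
	fmt.Printf("altered message rejected: %v\n", err)
}
```

Public key operations are slow and can only encrypt short inputs, which is why the public key is used once to move the session key and the symmetric key does the per-message work. The missing step 2 matters: without authenticating B's public key first, A could be sealing the session key for an impostor, which is the deception shown later in the deck.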

43

MS-CHAP Challenge-Response Authentication Protocol

Figure (applicant and verifier): 1. The verifier creates a challenge message. 2. The verifier sends the challenge message to the applicant.

Note: both the client and the server know the client's password.

44

MS-CHAP Challenge-Response Authentication Protocol

3. The applicant creates the response message: (a) adds the password to the challenge message; (b) hashes the resultant bit string; (c) the hash is the response message.

45

MS-CHAP Challenge-Response Authentication Protocol

4. The applicant sends the response message.

5. The verifier adds the password to the challenge message it sent and hashes the combination. The result is the expected response message.

46

MS-CHAP Challenge-Response Authentication Protocol

6. Expected response = transmitted response? If the two are equal, the client knows the password and is authenticated.
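
The six steps above with both sides' messages, as an added example in Go. It implements the simplified scheme the slides describe, not the real MS-CHAP algorithm (which derives the response from the NT password hash with DES rather than hashing challenge plus password), and it is not code from the book. SHA-256 as the hash, the 16-byte challenge, and the user name and password are assumptions. It also shows why the verifier must discard each challenge after one use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Verifier knows each applicant's password (as the slide notes, both sides
// do) and remembers the challenge it last issued to each one. The user and
// password are a constructed sample.
type Verifier struct {
	passwords map[string]string
	pending   map[string][]byte
}

func NewVerifier() *Verifier {
	return &Verifier{passwords: map[string]string{"lee": "correct horse"}, pending: map[string][]byte{}}
}

// Challenge covers steps 1 and 2: create a fresh random challenge message
// for the user and hand it back to be sent.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[user] = c
	return c, nil
}

// Response is step 3, run by the applicant: append the password to the
// challenge and hash the result; the hash is the response message.
func Response(challenge []byte, password string) []byte {
	buf := append(append([]byte{}, challenge...), password...)
	h := sha256.Sum256(buf)
	return h[:]
}

// Verify covers steps 5 and 6: recompute the expected response from the
// challenge actually sent, compare in constant time, and discard the
// challenge so a captured response cannot be replayed against a later one.
func (v *Verifier) Verify(user string, transmitted []byte) bool {
	challenge, ok := v.pending[user]
	if !ok {
		return false
	}
	delete(v.pending, user)
	password, ok := v.passwords[user]
	if !ok {
		return false
	}
	expected := Response(challenge, password)
	return subtle.ConstantTimeCompare(expected, transmitted) == 1
}

func main() {
	v := NewVerifier()
	c, err := v.Challenge("lee")
	if err != nil {
		panic(err)
	}
	resp := Response(c, "correct horse") // step 4: the applicant sends this
	fmt.Printf("challenge %s -> response %s...: authenticated=%v\n",
		hex.EncodeToString(c), hex.EncodeToString(resp)[:16], v.Verify("lee", resp))
	v.Challenge("lee") // a new challenge is issued for the next attempt
	fmt.Printf("replaying the old response against the new challenge: %v\n", v.Verify("lee", resp))
	c3, _ := v.Challenge("lee")
	fmt.Printf("wrong password: %v\n", v.Verify("lee", Response(c3, "wrong")))
}
```

The password never crosses the network, which is the point of the design, but two limits are worth knowing: the verifier has to store the password itself (not just a hash of it) to recompute the response, and an eavesdropper who captures one challenge and response can test password guesses offline at hashing speed, so the strong-password rules earlier in the deck still matter here.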

47

Digital Signature

Figure: the sender attaches a digital signature (DS) to the plaintext of each message, and the receiver checks it. Adding a digital signature to each message provides message-by-message authentication.

48

Digital Signature: Sender

Figure: plaintext, hashed, gives the message digest (MD); signing (encrypting) the MD with the sender's private key gives the digital signature (DS).

To create the digital signature:

1. Hash the plaintext to create a brief message digest; this is NOT the digital signature.

2. Sign (encrypt) the message digest with the sender's private key to create the digital signature.

49

Digital Signature

Figure: the plaintext plus the digital signature are transmitted encrypted with the symmetric session key; the sender encrypts the transmission and the receiver decrypts it.

50

Digital Signature: Receiver

Figure: (1) the received plaintext is hashed to give an MD; (2) the DS is decrypted with the true party's public key to give an MD; (3) are they equal?

1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.

2. Decrypt the digital signature with the true party's public key. This also should give the message digest.

3. If the two match, the message is authenticated: the sender has the true party's private key.
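
The sender's hash-then-sign steps and the receiver's rehash-then-verify steps, as an added example in Go (not code from the textbook), using ECDSA on the P-256 curve with SHA-256. The slides describe signing as encrypting the digest with the private key, which is how textbook RSA signatures work; with ECDSA the sign and verify operations are not encryption and decryption, but the structure is the same: sign the digest rather than the plaintext, and verify against the true party's public key. The message text is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewSigningKey makes a sender's private key; its PublicKey field is what
// the receiver must obtain, through a trusted path, to verify signatures.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Digest is step 1 on the sender's side: hash the plaintext to a brief
// message digest. This is not yet the signature.
func Digest(plaintext []byte) []byte {
	md := sha256.Sum256(plaintext)
	return md[:]
}

// Sign is step 2: sign the message digest (not the whole plaintext) with
// the sender's private key.
func Sign(priv *ecdsa.PrivateKey, plaintext []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, Digest(plaintext))
}

// Verify is the receiver's side: hash the received plaintext with the same
// algorithm and check the signature against the true party's public key.
// A changed message or a signature made with some other private key both
// make this false.
func Verify(pub *ecdsa.PublicKey, plaintext, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, Digest(plaintext), sig)
}

func main() {
	sender, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("Transfer 100 to account 12345") // constructed message
	sig, err := Sign(sender, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(&sender.PublicKey, msg, sig))
	altered := []byte("Transfer 900 to account 12345")
	fmt.Println("altered message verifies:", Verify(&sender.PublicKey, altered, sig))
	impostor, _ := NewSigningKey()
	impSig, _ := Sign(impostor, msg)
	fmt.Println("impostor's signature verifies against true party's key:", Verify(&sender.PublicKey, msg, impSig))
}
```

The last line of main is the hinge for the next two slides: the impostor's signature fails only because the receiver checked it against the true party's public key. If the impostor can talk the receiver into using the impostor's public key instead, the same check passes.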

51

Public Key Deception

Figure: the verifier must authenticate the True Person (TP).

Impostor: "I am the True Person."

Impostor: "Here is TP's public key." (Really sends the Impostor's public key.) This is the critical deception: the verifier now believes it has TP's public key.

Verifier: "True Person, here is a message encrypted with your public key." (Really encrypted with the Impostor's public key, so the Impostor can decrypt it.)

Impostor: "Here is authentication based on TP's private key." (Really the Impostor's private key.)

The verifier believes the True Person is authenticated, but the authentication was based on the Impostor's public key.

52

Digital Certificates

Digital certificates are electronic documents that give the true party’s name and public key

Applicants claiming to be the true party have their authentication methods tested by this public key

If they are not the true party, they cannot use the true party’s private key and so will not be authenticated

53

Public Key Infrastructure (PKI)

Figure: the certificate authority (PKI server) creates and distributes to the applicant (Lee) (1) a private key and (2) a digital certificate. Brown and Cheng are verifiers.

54

Public Key Infrastructure (PKI)

Figure: (3) a request for a certificate is sent to the certificate authority on behalf of verifier Brown; (4) the certificate authority returns the certificate to Brown.

55

Public Key Infrastructure (PKI)

Figure: (5) the applicant (Lee) sends Lee's certificate to verifier Cheng; (6) Cheng checks the certificate revocation list (CRL) at the certificate authority for Lee's digital certificate; (7) the certificate authority answers "revoked" or "OK".
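
The certificate and revocation steps above, and the answer to the public key deception slide, as one added example in Go (not code from the textbook): a CA issues Lee a certificate, the verifier chains it back to the CA, confirms it names the party being authenticated, and consults a revocation list; an impostor's self-signed certificate that claims to be Lee fails the chain check. The in-memory set of revoked serial numbers stands in for a real CRL, and the names, key type and validity period are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newTemplate builds the minimum certificate body: a serial number, the
// subject's name, and a validity window (the one-day window is an assumption).
func newTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// CA is the certificate authority from the slides. Revoked stands in for
// the certificate revocation list (CRL) the verifier consults in step 6.
type CA struct {
	key     *ecdsa.PrivateKey
	Cert    *x509.Certificate
	Revoked map[string]bool
	next    int64
}

func NewCA(name string) (*CA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	t := newTemplate(1, name)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key) // self-signed root
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{key: key, Cert: cert, Revoked: map[string]bool{}, next: 2}, nil
}

// Issue is step 2: the CA binds the applicant's name to the applicant's
// public key and signs that binding with the CA's private key.
func (ca *CA) Issue(name string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	t := newTemplate(ca.next, name)
	ca.next++
	t.KeyUsage = x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, t, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func (ca *CA) Revoke(c *x509.Certificate) { ca.Revoked[c.SerialNumber.String()] = true }

// SelfSigned is what the impostor on the deception slide can produce: a
// certificate claiming the true party's name, signed only by the impostor.
func SelfSigned(name string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	t := newTemplate(99, name)
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Check is the verifier's side: chain the presented certificate to the
// trusted CA, confirm it names the party being authenticated, then consult
// the revocation list (steps 6 and 7). Only then is the public key inside
// the certificate safe to use for the authentication exchange.
func Check(root *x509.Certificate, revoked map[string]bool, c *x509.Certificate, wantName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := c.Verify(opts); err != nil {
		return err
	}
	if c.Subject.CommonName != wantName {
		return fmt.Errorf("certificate names %q, not %q", c.Subject.CommonName, wantName)
	}
	if revoked[c.SerialNumber.String()] {
		return fmt.Errorf("certificate serial %s is revoked", c.SerialNumber)
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example CA")
	leeKey, _ := NewKey()
	lee, _ := ca.Issue("Lee", &leeKey.PublicKey)
	fmt.Println("Lee's CA-issued certificate:", Check(ca.Cert, ca.Revoked, lee, "Lee"))
	impKey, _ := NewKey()
	imp, _ := SelfSigned("Lee", impKey)
	fmt.Println("impostor's self-signed 'Lee' certificate:", Check(ca.Cert, ca.Revoked, imp, "Lee"))
	ca.Revoke(lee)
	fmt.Println("after revocation:", Check(ca.Cert, ca.Revoked, lee, "Lee"))
}
```

The deception fails at the first check: the impostor can put "Lee" in a certificate, but cannot produce a signature from the CA's private key over it, so the chain to the trusted root does not exist. The name check matters too; a valid certificate for Cheng must not authenticate someone claiming to be Lee.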

56

Security at Multiple Layers

Layer: Example

Application: application-specific (for instance, passwords for a database program); application (proxy) firewalls

Transport: SSL (TLS); packet filter firewalls

Internet: IPsec; packet filter firewalls

Data Link: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)

Physical: physical locks on computers; notebook encryption

57

Security at Multiple Layers

Having security at multiple layers provides protection if one layer’s security fails

Having security at multiple layers also slows processing on the device

So provide protection in at least two layers but not in all layers

58

Creating Appropriate Security

Understanding Needs: security must be proportional to risks; organizations face different risks

Policies and Enforcement: policies bring consistency

Training in the importance of security and in protection techniques

Social engineering prevention training

59

Creating Appropriate Security

Policies and Enforcement: security audits (attack your own system proactively); you must really be able to trust your testers

Incident handling: restoring the system; prosecution; planning and practicing

Privacy: need to protect employee and customer privacy