Security Lecture 4

Computer Security
Lecture 4: Security Mechanisms
Syed Naqvi
15 November 2010

Physical Security

♦ Physical Security

– keep the machine physically secure

– ensure its connections to other machines are secure

– ensure its environment is workable, e.g. air conditioning is adequate

♦ Electromagnetic Threats

– consider computer system as a whole

– networking, peripherals, power supply


Physical Security

♦ Computers Operate as Systems

– only as strong as the weakest link

– highly dependent on networks

– all components in system must be functional

– power supply is an often overlooked weakness

♦ Must Deal with Threats Systemically

– treat the computer system as a whole

– include its environment and its users


Physical Security

♦ Computer Room Security

– Locks on doors

– Access lists and escort policy

– Maintenance personnel access and monitoring

♦ Workstation Security

– Locks on workstations in public areas

– Positioning of viewable workstations screen in public areas

♦ Marking, storing, maintaining, and shipping electronic media


Layering of Security Mechanisms

(Diagram: Machine A and Machine B run identical stacks and communicate through the Network; the upper layers are labelled "High-level protocols", the lower ones "Low-level protocols".)

  Machine A       Machine B
  Application     Application
  Middleware      Middleware
  OS Services     OS Services
  Transport       Transport
  Network         Network
  Datalink        Datalink
  Physical        Physical
  OS Kernel       OS Kernel
  Hardware        Hardware


Malicious Code

♦ Set of instructions that causes a security policy to be violated

– Is an unintentional mistake that violates policy malicious code? (Tricked into doing that?)

– What about “unwanted” code that doesn’t cause a security breach?

♦ Generally relies on “legal” operations

– Authorized user could perform operations without violating policy

– Malicious code “mimics” authorized user


Malicious Code

♦ Trojan Horse

– Tricks the user into executing malicious code

♦ Virus

– Spreads by making copies of itself from program to program or disk to disk.

♦ Worm

– A program that travels independently over computer networks, seeking uninfected sites.

♦ Logic/Time Bomb

– Set off when a specified condition is met.


Trojan Horse

♦ Program with an overt (expected) and covert (unexpected) effect

– Appears normal/expected

– Covert effect violates security policy

♦ User tricked into executing the Trojan horse

– Expects (and sees) overt behavior

– Covert effect performed with the user's authorization

♦ Trojan horse may replicate

– Creates a copy on execution

– Spreads to other users/systems


Virus

♦ Self-replicating code

– A freely propagating Trojan horse

• some disagree that it is a Trojan horse

– Inserts itself into another file

• Alters normal code with an "infected" version

♦ Operates when the infected code is executed:

• if spread condition then
    for each target file: if not already infected, alter it to include the virus

• perform malicious action

• execute normal program


Virus – Types

♦ Boot Sector Infectors

– Problem: how to ensure the virus "carrier" is executed?

– Solution: place it in the boot sector of the disk

• Runs on any boot

– Propagate by altering boot disk creation

• Less common now that few machines boot from floppies

♦ Executable infector

– Malicious code placed at the beginning of a legitimate program (.COM, .EXE files)

– Runs when the application is run

– Application then runs normally

♦ Multipartite virus: boot sector + executable infector


Virus – Types/Properties

♦ Terminate and Stay Resident (TSR)

– Stays active in memory after the application completes

– Allows infection of previously unknown files

• Traps the calls that execute a program

– Can be boot sector infectors or executable infectors

♦ Stealth (an executable infector)

– Conceals the infection

• Traps reads to provide the disinfected file

• Lets the execute call run the infected file

♦ Encrypted virus

• Prevents a fixed "signature" from detecting the virus

• Layout of a copy: [deciphering routine, enciphered virus code, deciphering key]

• Only the deciphering routine is constant across copies

♦ Polymorphism

• Changes the virus code to something equivalent each time it propagates, so even the deciphering routine varies
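The encrypted-virus layout and the polymorphism bullet above are the reason a byte signature over the virus body stops working. As an added example (not from the lecture), the following Python models this with constructed byte strings: a signature scanner catches the plain body, misses every copy whose body is XORed with a fresh per-copy key, still catches the constant deciphering stub of an encrypted virus, and then misses two of three "polymorphic" copies whose stub has been rewritten. The strings, stub variants and the XOR "cipher" are invented stand-ins; nothing here is executable malware.

```python
import os

# Constructed sample data for the demonstration; none of it is executable code.
# VIRUS_BODY stands for the malicious logic, BODY_SIGNATURE for the byte string
# a scanner extracted from a plain copy of it.
VIRUS_BODY = b"VIRUS: find .COM files; prepend self; run host"
BODY_SIGNATURE = b"find .COM files; prepend self"

# The deciphering routine must stay in the clear so a copy can recover its body
# before running. An encrypted virus ships the same stub in every copy; a
# polymorphic one rewrites it into an equivalent form on each propagation.
FIXED_STUB = b"STUB: xor body with key; jump body"
STUB_VARIANTS = [
    FIXED_STUB,
    b"STUB: for each byte: byte ^= key; jump body",
    b"STUB: decode body using key then jump body",
]
STUB_SIGNATURE = b"xor body with key"   # extracted from FIXED_STUB


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the toy 'enciphering' used here."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_copy(key: bytes, stub: bytes = FIXED_STUB) -> bytes:
    """Lay out one copy as the slide describes: [deciphering routine, enciphered virus code, key]."""
    return stub + xor_bytes(VIRUS_BODY, key) + key


def decipher_copy(copy: bytes, stub_len: int, key_len: int) -> bytes:
    """What the stub does at run time: read the trailing key and recover the body."""
    key = copy[-key_len:]
    return xor_bytes(copy[stub_len:-key_len], key)


def scan(sample: bytes, signature: bytes) -> bool:
    """A signature scanner is, at heart, a substring match."""
    return signature in sample


def demo(key_len: int = 8) -> dict:
    """Propagate a few times and record what each signature catches."""
    encrypted = [make_copy(os.urandom(key_len)) for _ in range(2)]
    polymorphic = [make_copy(os.urandom(key_len), stub) for stub in STUB_VARIANTS]
    return {
        # a plain copy is caught by the body signature
        "plain_body_detected": scan(VIRUS_BODY, BODY_SIGNATURE),
        # per-copy keys make the enciphered body differ each time, so the body signature fails
        "encrypted_body_detected": [scan(c, BODY_SIGNATURE) for c in encrypted],
        # ... but the constant stub is still a usable signature
        "encrypted_stub_detected": [scan(c, STUB_SIGNATURE) for c in encrypted],
        # polymorphism varies the stub too, so the stub signature only hits the first variant
        "polymorphic_stub_detected": [scan(c, STUB_SIGNATURE) for c in polymorphic],
        # every copy still decrypts to the identical body, which is what emulation or
        # memory scanning relies on
        "all_decrypt_to_body": all(
            decipher_copy(c, len(s), key_len) == VIRUS_BODY
            for c, s in zip(polymorphic, STUB_VARIANTS)
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry is the practical lesson: however the stub and key change, the body that eventually runs is the same, so detection moves from static signatures to emulating the copy until it has decrypted itself.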


Virus – Types/Properties

♦ Macro Virus

– Composed of a sequence of instructions that is interpreted rather than executed directly

– Infected "executable" isn't machine code

• Relies on something "executed" inside application data

♦ Otherwise similar properties to other viruses

– Architecture-independent

– Application-dependent


Worm

♦ Replicates from one computer to another

– Self-replicating: No user action required

– Virus: User performs “normal” action

– Trojan horse: User tricked into performing action

♦ Communicates/spreads using standard protocols


Logic/Time Bomb

♦ Logic bombs are malicious code that causes some destructive activity when a specified condition is met

♦ Unlike viruses, logic bombs do not spread: once triggered they do their damage, then stop.

♦ The trigger can be:

– a specific date

– the number of times the program has been executed

– a predefined event, such as the deletion of a certain record

♦ May exist in the system for weeks or even months before it is detected or detonated.

♦ No damage is caused until the specified date arrives or the system has been booted a certain number of times.


Operating System Security

♦ For an operating system to perform its intended tasks consistently and reliably, it must

– protect itself from tampering by users

– be able to prevent users from tampering with the programs of other users

– be able to safeguard users’ applications from accidental corruption

– be able to safeguard its own programs from accidental corruption

– be able to protect itself from power failures or other disasters


Operating System Security

♦ Formalized procedures for software acquisition

♦ Security clearances of prospective employees

♦ Formal acknowledgment by users of their responsibilities to the company

♦ Security group to monitor security violations

♦ Formal policy for taking disciplinary action against security violators

♦ Use of one-time passwords


UNIX Security: Best Practices

♦ pick password carefully, avoid

– dictionary words

– names

– simple modifications of above

♦ change password periodically

♦ don't let people watch login

♦ lock display when unattended

♦ log off when leaving

♦ never ever give out your password

– even the sys-admin should never need it
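The three things the slide says to avoid (dictionary words, names, simple modifications of either) are exactly what a password cracker enumerates. As an added example (not from the lecture), here is a checker that runs the common modifications backwards: it lowercases, undoes leet substitutions, strips digits and punctuation from the ends, collapses a doubled word, drops a trailing letter and tries the reversed spelling, and rejects anything that collapses to a listed word or name. The word and name lists are tiny constructed stand-ins for a real dictionary.

```python
import re

# Constructed word and name lists that stand in for a real cracking dictionary;
# a real check would load a system word list or a leaked-password corpus.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "letmein", "summer"}
NAMES = {"alice", "bob", "syed", "naqvi", "london"}

# Substitutions a cracker undoes before the dictionary lookup ("Dr4g0n" -> "dragon").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")   # digits/punctuation stuck on either end


def candidates(password: str) -> set[str]:
    """The 'simple modifications' of a word that crackers try, applied in reverse."""
    base = password.lower()
    forms = {base, base.translate(LEET)}
    forms |= {EDGE_JUNK.sub("", f) for f in list(forms)}          # "secret123", "!!dragon"
    forms |= {f.translate(LEET) for f in list(forms)}             # "dr4g0n!!" -> "dr4g0n" -> "dragon"
    forms |= {f[: len(f) // 2] for f in list(forms)               # doubled word: "secretsecret"
              if len(f) >= 6 and f[: len(f) // 2] == f[len(f) // 2:]}
    forms |= {f[:-1] for f in list(forms) if len(f) > 3}           # trailing letter: "dragons"
    forms |= {f[::-1] for f in list(forms)}                        # reversed spelling: "nogard"
    return {f for f in forms if f}


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password fails the policy; an empty list means it passed."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    forms = candidates(password)
    if forms & DICTIONARY:
        reasons.append("dictionary word or simple modification of one")
    if forms & NAMES:
        reasons.append("name or simple modification of one")
    return reasons


if __name__ == "__main__":
    for pw in ("Dr4g0n!!", "S3cr3tS3cr3t", "alice2010", "correct-horse-battery-staple"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Note that the checker deliberately has no "must contain a digit and a symbol" rule: the leet step shows why such rules add little, since a cracker strips them off in one pass, whereas length and absence from the dictionary are what actually cost the attacker work.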


UNIX Security: Best Practices

♦ Remote access needs username/password

♦ Exposure depends on the network path the connection flows through

♦ Many connections pass plain text

– telnet particularly bad, rlogin/ftp bad too

♦ SSH encrypts data on network

– slogin for logins

– scp for file transfer


Windows Security: Best Practices

♦ Perform a real-world risk assessment

♦ Develop a security policy

♦ Plan an incident response

♦ Block or disable everything that is not explicitly allowed

♦ Always set a strong password and change it often

♦ Install patches in a timely manner

♦ Use least privilege when authorizing access

♦ Limit trust

♦ Monitor, log, and audit

♦ Formulate and implement a security policy throughout the organization

♦ Users need to understand and follow the policy

♦ Educate users about their responsibilities


Windows Security: Best Practices

♦ Limit access of unauthorized personnel

♦ Use key-card access systems

♦ Monitor computers: files can be modified or hardware tampered with

♦ Keep servers in a locked location

♦ Disable floppy and CD-ROM based boot

♦ Remove unneeded network cards

♦ Remove unneeded modems

♦ Lock computer case and store key separately


Web Services

♦ The Web was designed for application-to-human interaction

♦ Web services are an effort to build a distributed computing platform for the Web.

♦ Web service applications are encapsulated, loosely coupled Web "components" that can bind dynamically to each other


Web Services Security – 1G

Protocol stack, top to bottom:

  Hypertext Transfer Protocol Secure (HTTPS)
  Secure Sockets Layer (SSL)
    – symmetric crypto algorithms
    – key-exchange algorithm
  Transmission Control Protocol (TCP)

♦ The TCP protocol provides reliable communication between the requestor and the WS-provider.

♦ The SSL protocol provides secure communication between the requestor and the WS-provider, supporting symmetric crypto algorithms for the bulk data and a key-exchange algorithm to establish the session keys.


Web Services Security – 2G

Protocol stack, top to bottom:

  WS-SecureConversation
  WS-Security
  Simple Object Access Protocol (SOAP)


Web Services Security – 2G

♦ The SOAP protocol provides a loosely-coupled, language-neutral, platform-independent way of linking applications across the Internet

– Remote Procedure Calls (RPC SOAP)

– Messaging between applications (Document-based SOAP)

♦ The WS-Security specification protects sensitive data by

– encrypting and signing them

– enclosing them in XML form in SOAP messages

♦ The WS-SecureConversation specification is a message-level security protocol (similar in purpose to SSL, but it protects the SOAP message itself rather than the transport connection)

– uses WS-Security to achieve confidentiality, authenticity and integrity

– uses the WS-Policy and WS-Trust specifications to achieve authorization and access control


Domain Name System (DNS)

♦ Virtually every application uses the Domain Name System (DNS).

♦ DNS database maps:

– Name to IP address, e.g. www.darpa.mil = 128.9.176.20

– And many other mappings (mail servers, IPv6, reverse…)

♦ Data organized as a tree structure.

– Each zone is authoritative for its local data.

(Diagram: the DNS tree, with Root at the top; the top-level domains edu, mil and com below it; darpa, isi, cisco and usmc at the next level; and nge and quantico below those.)


DNS Query & Response

End-user → Caching DNS Server:    www.darpa.mil A?
Caching DNS Server → End-user:    www.darpa.mil A 128.9.128.127

To produce the answer, the caching server walks the hierarchy: Root DNS Server → mil DNS Server → darpa.mil DNS Server.

Actually www.darpa.mil = 192.5.18.195. But how could this be determined?


DNS Vulnerabilities

♦ Original DNS design focused on data availability

– DNS zone data is replicated at multiple servers.

– A DNS zone works as long as one server is available.

• DDoS attacks against the root must take out 13 root servers.

♦ But the DNS design included no authentication.

– Any DNS response is generally believed.

– No attempt to distinguish valid data from invalid.

• Just one false root server could disrupt the entire DNS.


A Simple DNS Attack

Doug's Laptop → Caching DNS Server:    www.darpa.mil A?
The caching server forwards the question towards the Root, mil and darpa.mil DNS Servers.

Dan's Laptop, on the same network, watches: it is easy to observe a UDP DNS query sent to a well-known server on a well-known port.

Dan's Laptop → Caching DNS Server (spoofed reply):    www.darpa.mil A 192.5.18.19
Answer returned to Doug's Laptop:                      www.darpa.mil A 128.9.128.127

First response wins. The second response is silently dropped on the floor.


A more Complex Attack

Remote attacker → DARPA Caching Server:    Query www.attacker.com
DARPA Caching Server → ns.attacker.com:    Query www.attacker.com
ns.attacker.com → DARPA Caching Server:    Response:

  www.attacker.com   A    128.9.128.127
  attacker.com       NS   ns.attacker.com
  attacker.com       NS   www.google.com
  ns.attacker.com    A    128.9.128.2
  www.google.com     A    128.9.128.127

Any DARPA Computer → DARPA Caching Server:    Query www.google.com
DARPA Caching Server → Any DARPA Computer:    www.google.com = 128.9.128.127 (the attacker's record, served from the poisoned cache)
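Both attacks above work because the resolver accepts the first UDP reply that looks plausible and caches every record it contains. As an added example (not from the lecture), the following Python models a toy caching resolver with the two checks real resolvers adopted: a reply must match the transaction ID and source port of an outstanding query (the resolver can be switched to the old sequential-ID, port-53 behaviour for contrast), and authority/additional records are kept only when they fall inside the bailiwick of the zone that was queried. The records reproduce the poisoning response from the slide; the server address 198.51.100.53 for darpa.mil and the wire format (omitted entirely) are constructed simplifications.

```python
import random
from dataclasses import dataclass

# Constructed data modelled on the slides; a real resolver would parse these
# from DNS wire format, which this toy omits.
DARPA_NS = "198.51.100.53"      # placeholder address for the darpa.mil name server
ATTACKER_NS = "128.9.128.2"     # ns.attacker.com, as given on the slide


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    section: str                # "answer", "authority" or "additional"


@dataclass(frozen=True)
class Query:
    qname: str
    qtype: str
    server: str                 # address the question was sent to
    txid: int                   # 16-bit transaction ID
    src_port: int               # UDP source port the resolver used
    bailiwick: str              # zone the queried server is authoritative for


@dataclass(frozen=True)
class Response:
    src: str                    # address the reply claims to come from
    dst_port: int
    txid: int
    qname: str
    qtype: str
    records: tuple


def in_bailiwick(name: str, zone: str) -> bool:
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    """Toy caching resolver applying ID/port matching and the bailiwick rule."""

    def __init__(self, randomize: bool = True):
        self.randomize = randomize
        self.pending = {}       # (txid, port) -> Query
        self.cache = {}         # (name, type) -> set of rdata
        self.dropped = []       # (reason, RR or Response)

    def send(self, qname, qtype, server, bailiwick) -> Query:
        if self.randomize:      # random ID and port: roughly 2^32 combinations to guess
            txid, port = random.getrandbits(16), random.randint(1024, 65535)
        else:                   # sequential ID on port 53: what the spoofing slide relies on
            txid, port = len(self.pending) + 1, 53
        q = Query(qname, qtype, server, txid, port, bailiwick)
        self.pending[(txid, port)] = q
        return q

    def receive(self, r: Response) -> bool:
        q = self.pending.get((r.txid, r.dst_port))
        if q is None or (r.src, r.qname.lower(), r.qtype) != (q.server, q.qname.lower(), q.qtype):
            self.dropped.append(("no matching query", r))    # also catches the late genuine reply
            return False
        del self.pending[(r.txid, r.dst_port)]               # first matching response wins
        for rr in r.records:
            if rr.section == "answer" and rr.name.lower() == q.qname.lower():
                self._cache(rr)
            elif rr.section != "answer" and in_bailiwick(rr.name, q.bailiwick):
                self._cache(rr)                              # in-zone NS records and glue only
            else:
                self.dropped.append(("out of bailiwick", rr))
        return True

    def _cache(self, rr: RR):
        self.cache.setdefault((rr.name.lower(), rr.rtype), set()).add(rr.rdata)

    def lookup(self, name, rtype) -> set:
        return self.cache.get((name.lower(), rtype), set())


def simple_attack(randomize: bool) -> set:
    """The simple attack: a spoofed reply races the genuine one and arrives first."""
    r = Resolver(randomize)
    q = r.send("www.darpa.mil", "A", DARPA_NS, bailiwick="darpa.mil")

    def reply(addr, txid, port):
        return Response(DARPA_NS, port, txid, "www.darpa.mil", "A",
                        (RR("www.darpa.mil", "A", addr, "answer"),))

    r.receive(reply("192.5.18.19", txid=1, port=53))         # attacker's guess, arrives first
    r.receive(reply("192.5.18.195", q.txid, q.src_port))     # genuine answer, arrives second
    return r.lookup("www.darpa.mil", "A")


def complex_attack(r: Resolver) -> set:
    """The complex attack: attacker's server answers with an out-of-bailiwick www.google.com record."""
    q = r.send("www.attacker.com", "A", ATTACKER_NS, bailiwick="attacker.com")
    r.receive(Response(ATTACKER_NS, q.src_port, q.txid, "www.attacker.com", "A", (
        RR("www.attacker.com", "A", "128.9.128.127", "answer"),
        RR("attacker.com", "NS", "ns.attacker.com", "authority"),
        RR("attacker.com", "NS", "www.google.com", "authority"),
        RR("ns.attacker.com", "A", "128.9.128.2", "additional"),
        RR("www.google.com", "A", "128.9.128.127", "additional"),   # the poison
    )))
    return r.lookup("www.google.com", "A")
```

With `randomize=False` the spoofed answer is cached and the genuine one is discarded, exactly as the slide says; with randomised ID and port the guess misses and only the genuine answer is cached. In the complex attack the two NS records and the glue for ns.attacker.com are in bailiwick and are kept, while the www.google.com record is dropped, so the poisoned lookup returns nothing instead of 128.9.128.127. Neither check authenticates the data, which is the gap the next slides address.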


The Problem with DNS …

♦ Resolver cannot distinguish between valid and invalid data in a response.

♦ The idea is to add source authentication

– Verify the data received in a response is equal to the data entered by the zone administrator.

– Must work across caches and views.

– Must maintain a working DNS for old clients.


A Solution …

♦ Each DNS zone signs its data using a private key.

– Recommend the signing be done offline, in advance

♦ A query for a particular record returns:

– The requested resource record set.

– A signature (SIG; called RRSIG in the current DNSSEC specification) of the requested resource record set.

♦ Resolver authenticates the response using the zone's public key.

– Public key is pre-configured or learned via a sequence of key records in the DNS hierarchy.


Secure DNS Query & Response

End-user → Caching DNS Server → Authoritative DNS Servers:    www.darpa.mil A?
Response:    www.darpa.mil = 192.5.18.195, plus an (RSA) signature by darpa.mil

An attacker cannot forge this answer without the darpa.mil private key.

The IETF DNS Security Extensions (DNSSEC) define the process for including signatures and keys in DNS.
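An added example, not part of the lecture, of the sign-and-verify step described on the last two slides. The zone signs the canonical form of an RRset with its private key; the resolver checks the signature with the zone's public key and rejects data that has been changed in transit or signed with any other key. To run with the standard library alone, the RSA key is built from two fixed Mersenne primes and textbook RSA is applied to a truncated SHA-256 digest; real DNSSEC uses 2048-bit RSA with PKCS#1 v1.5 padding (RFC 5702) or ECDSA (RFC 6605). The trusted-key table stands in for the chain of DS and DNSKEY records a validating resolver walks down from the root.

```python
import hashlib

# Toy RSA key pair for darpa.mil, built from two fixed Mersenne primes so the
# example runs offline. Constructed for this example only: a real zone key is
# 2048 bits or an ECDSA key, and real signatures use a proper padding scheme.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def canonical(rrset) -> bytes:
    """Sort and serialise an RRset so signer and verifier hash identical bytes."""
    return "\n".join(sorted(f"{name.lower()} {rtype} {rdata}" for name, rtype, rdata in rrset)).encode()


def digest(rrset) -> int:
    # Truncated to 192 bits so the value is below N; a toy shortcut, not the real padding.
    return int.from_bytes(hashlib.sha256(canonical(rrset)).digest()[:24], "big")


def sign(rrset, d=D, n=N) -> int:
    """Zone side: done offline, in advance, with the private key."""
    return pow(digest(rrset), d, n)


def verify(rrset, sig, e=E, n=N) -> bool:
    """Resolver side: needs only the zone's public key (e, n)."""
    return pow(sig, e, n) == digest(rrset)


# Stands in for the keys a resolver is pre-configured with or learns through the
# hierarchy of key records; here only darpa.mil's public key is trusted.
TRUSTED_KEYS = {"darpa.mil": (E, N)}


def validate_answer(zone: str, rrset, sig: int) -> bool:
    key = TRUSTED_KEYS.get(zone)
    return key is not None and verify(rrset, sig, *key)


def demo() -> dict:
    genuine = [("www.darpa.mil", "A", "192.5.18.195")]
    sig = sign(genuine)                      # travels with the RRset as the SIG/RRSIG record
    forged = [("www.darpa.mil", "A", "192.5.18.19")]
    attacker_exponent = 12345                # the attacker has no private key; any value is a guess
    return {
        "genuine_verifies": validate_answer("darpa.mil", genuine, sig),
        # the spoofed address with the genuine signature: the digest no longer matches
        "tampered_rdata_fails": validate_answer("darpa.mil", forged, sig),
        # a signature made without the private key does not verify under the public key
        "forged_signature_fails": validate_answer("darpa.mil", forged, pow(digest(forged), attacker_exponent, N)),
        # a zone the resolver has no key for cannot be validated at all
        "unknown_zone_fails": validate_answer("attacker.com", genuine, sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The canonical ordering matters in practice as much as the arithmetic: if signer and verifier serialise the RRset differently the genuine signature fails, which is why the DNSSEC specifications fix the canonical form of names and record order.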


Firewalls

♦ Firewalls are used to prevent intruders on the Internet from gaining unauthorized access to, and mounting denial-of-service attacks against, your network.

♦ A firewall is a router, gateway, or special-purpose computer that examines packets flowing into and out of the organization's network (usually via the Internet or corporate intranet), restricting access to that network.

♦ The two main types of firewalls are packet-level firewalls and application-level firewalls.


Packet Level Firewalls

♦ A packet-level firewall (or packet filter) examines the source and destination addresses (and, in practice, the protocol and port numbers) of packets that pass through it, only allowing packets that match an acceptable rule to pass.

♦ Since each packet is examined separately, the firewall can't understand what the sender's goal is.

♦ Packet filters may be vulnerable to IP spoofing: the attacker changes the source address on incoming packets from the real address to an address inside the organization's network, so that the packets match rules written for internal hosts.

♦ While packet filters have strengthened their defences since the first cases of IP spoofing (for example by dropping packets that arrive on the external interface with an internal source address), IP spoofing remains a problem.
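As an added example (not from the lecture), the following Python models the packet filter described above: an address-and-port rule table applied to each packet in isolation, and the ingress anti-spoofing check that defeats the attack in the third bullet. The addresses, the 10.0.0.0/8 internal range and the rule set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges and a private /8) for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" (Internet) or "int" (inside)
    src: str
    dst: str
    proto: str
    dport: int


# Address-based rules as the slide describes, plus protocol and port; first match wins.
# (source network, destination network, protocol, destination port or None for any, action)
RULES = [
    ("0.0.0.0/0", "10.0.1.80/32", "tcp", 443, "allow"),    # public web server
    ("0.0.0.0/0", "10.0.1.53/32", "udp", 53, "allow"),     # public DNS server
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", None, "allow"),     # internal hosts may go anywhere
]


def filter_packet(pkt: Packet, rules=RULES, antispoof: bool = True) -> str:
    """Stateless filter: each packet is judged alone, with no notion of the sender's goal."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Ingress anti-spoofing: a packet claiming an internal source cannot legitimately
    # arrive on the external interface, whatever the address rules below would say.
    if antispoof and pkt.iface == "ext" and src in INTERNAL:
        return "drop: spoofed internal source on external interface"
    for snet, dnet, proto, dport, action in rules:
        if (src in ipaddress.ip_network(snet) and dst in ipaddress.ip_network(dnet)
                and proto == pkt.proto and dport in (None, pkt.dport)):
            return action
    return "drop: default deny"


def demo() -> dict:
    web = Packet("ext", "203.0.113.9", "10.0.1.80", "tcp", 443)
    ssh = Packet("ext", "203.0.113.9", "10.0.1.80", "tcp", 22)
    outbound = Packet("int", "10.0.0.5", "198.51.100.1", "tcp", 443)
    # The slide's IP spoofing: an outside host forges an internal source address to
    # reach an internal host that only internal sources are allowed to talk to.
    spoofed = Packet("ext", "10.0.0.5", "10.0.0.7", "tcp", 22)
    return {
        "web": filter_packet(web),
        "ssh": filter_packet(ssh),
        "outbound": filter_packet(outbound),
        "spoofed_without_ingress_check": filter_packet(spoofed, antispoof=False),
        "spoofed_with_ingress_check": filter_packet(spoofed),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Without the interface check, the forged packet matches the "internal hosts may go anywhere" rule purely on its source address and is allowed through; with it, the packet is dropped before the rule table is consulted. The filter still cannot tell a legitimate reply from an unsolicited packet on the same port, which is the limitation the application-level firewall on the next slide addresses.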


Application Level Firewalls

♦ An application-level firewall or application gateway acts as an intermediate host computer, separating a private network from the rest of the Internet, but it works on specific applications, such as Web site access.

♦ The application gateway acts as an intermediary between the outside client making the request and the destination server responding to that request, hiding individual computers on the network behind the firewall.

♦ Because of the increased complexity of what they do, application level firewalls require more processing power than packet filters which can impact network performance.


Demilitarized Zone (DMZ)

♦ The DMZ (demilitarized zone) sits between the perimeter (Internet-facing) network and the internal network, separated from each by a firewall. It contains:

– Internet Information Server (IIS), which provides the core Web services and communicates with Internet clients using HTTP and HTTPS.

– DNS (Domain Name System) services.

– All servers in the DMZ can also communicate with the internal network, but only through the inner firewall and only on the ports it permits.

♦ The DMZ and the firewalls control access to the internal network segments; this increases the security of the internal network when an attacker compromises a Web server.


DMZ in a Network …


Virtual Private Network (VPN)

Virtual private networks (VPN) provide an encrypted connection between a user's distributed sites over a public network (e.g., the Internet). By contrast, a private network uses dedicated circuits and possibly encryption.


Benefits of VPN

Traditional Private Networks:

♦ High fixed cost

♦ Low variable costs

(with respect to varying capacity)

♦ A collection of VPNs sharing a common communication channel is cheaper to build than the equivalent collection of smaller, physically discrete networks.


Requirements for VPN

♦ Opaque packet transport

– VPN traffic has no relation to the rest of the IP backbone traffic

– VPN may use private IP addresses

♦ Data security

– By the customer (firewall + encryption)

– Or as a secure managed VPN service from providers

♦ Quality of service

– Leased and dial-up lines provide guarantees on bandwidth and latency

♦ Tunneling mechanism

– A way to implement opaque transport and security


VPN Types

♦ Remote Access VPN

♦ Intranet VPN

♦ Extranet VPN


VPN – Pros & Cons

♦ Advantages:

– Greater scalability

– Easy to add/remove users

– Reduced long-distance telecommunications costs

– Mobility

– Security

♦ Disadvantages:

– Lack of standards

– Understanding of security issues

– Unpredictable Internet traffic

– Difficult to accommodate products from different vendors


Now some practice …

♦ Divide yourselves into 2 groups.

♦ Each group is required to prepare a set of security mechanisms for a newly established SME of 10 persons:

– 1 General Manager

– 1 Administrative Secretary

– 1 Business Manager

– 2 IT Managers

– 5 Developers

♦ Each group has to present its solution

♦ The other group will identify the shortcomings of, and critique, the plan