Security
Chapter 9 (October 2002) Copyright 2003 Prentice-Hall
Panko’s Business Data Networking and Telecommunications, 4th edition.
Figure 9.1: Types of Attackers
Wizard Internet Hackers: Highly capable attackers
Amateurs (Script Kiddies): Light skills, but numerous and armed with automated attack programs (kiddie scripts) of increasing potency
Figure 9.1: Types of Attackers
Criminals
Theft of credit card numbers, trade secrets, and other sensitive information
Sell the information or attempt extortion to prevent the release of the information
Individual criminals and organized crime
Industrial and government espionage spies
Figure 9.1: Types of Attackers
Employees
Dangerous because of internal knowledge and access
Often, large losses per incident due to theft, fraud, or sabotage
Figure 9.1: Types of Attackers
Information Warfare and Cyberterrorism
Massive attack by a government or terrorist group against a country’s IT infrastructure
Attacks by amateur cyberterrorists are already starting to approach this level of threat
Figure 9.3: Attacks Requiring Protection
Hacking Servers: Access without permission or in excess of permission
Attractive because of the data they store
Hacking Clients: Attractive because of their data or as a way to attack other systems by using the hacked client as an attack platform
Soft targets compared to servers; most users are security novices
Figure 9.3: Attacks Requiring Protection
Denial-of-Service (DoS) Attacks
Make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.
Single Message DoS Attack (Crashes the Victim): Attacker sends one message to the Server
Message Stream DoS Attack (Overloads the Victim): Attacker sends a stream of messages to the Server
Figure 9.4: Denial-of-Service Attacks
Distributed DoS (DDoS) Attack: Messages Come from Many Sources
Attacker sends an Attack Command to each Computer with a Zombie; each Zombie then sends DoS Attack Packets to the Server
Figure 9.3: Attacks Requiring Protection
Scanning Attacks: To identify victims and ways of attacking them
Attacker sends messages to select victims and attack methods
Examines data that responses reveal: IP addresses of potential victims; what services victims are running (different services have different weaknesses); host's operating system, version number, etc.
Figure 9.3: Attacks Requiring Protection
Malicious Content
Viruses: Infect files; propagate by executing infected program
Payloads may be destructive
Worms: propagate by themselves
Trojan horses: appear to be one thing, such as a game, but actually are malicious
Snakes: combine worm with virus, Trojan horses, and other attacks
Figure 9.3: Attacks Requiring Protection
Malicious Content
Illegal content: pornography, sexual or racial harassment
Spam (unsolicited commercial e-mail)
Security group is often called upon to address pornography, harassment, and spam
Figure 9.2: Types of Security Systems
Secure Communication System: Client PC and Server carry on a Message Exchange
Attacker Taps into the Conversation: Tries to Read Messages, Alter Messages, Add New Messages
Figure 9.2: Types of Security Systems
Attack Prevention System: Hardened Client PC and Hardened Server (With Permissions) on the Corporate Network
A Firewall between the Corporate Network and the Internet stops the Attack Messages sent by the Attacker
Figure 9.5: Packet Filter Firewall
The Packet Filter Firewall sits between the Corporate Network and the Internet
Arriving Packets: IP-H + TCP-H + Application Message; IP-H + UDP-H + Application Message; IP-H + ICMP Message
Each arriving packet is either Permitted or Denied
Examines Packets in Isolation: Fast but Misses Some Attacks
Figure 9.6: Access Control List Fragment
For Packets Containing TCP Segments:
Rule 1: IF Interface = Internal
AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007)
THEN DENY
Remark: Used by a well-known Trojan horse program.
Figure 9.6: Access Control List Fragment
Rule 2: IF Interface = External
AND Destination Port Number = 80
AND Destination IP address = 60.16.210.22
THEN PERMIT
Remark: Going to a known webserver.
Figure 9.6: Access Control List Fragment
Rule 3: IF Interface = External
AND Destination Port Number = 80
AND Destination IP Address = NOT 60.16.210.22
THEN DENY
Remark: Going to an unknown webserver.
Figure 9.6: Access Control List Fragment
Rule 4: IF Interface = External
AND (SYN = Set AND FIN = Set)
THEN DENY
Remark: Used in host scanning attacks and not in real transactions.
Example: 1. To: 60.14.27.9; SYN FIN   2. From: 60.14.27.9; RST
Figure 9.6: Access Control List Fragment
Order: Rules are executed in order
If a packet is passed or denied by one rule, it will not reach subsequent rules
Misconfiguration is easy, opening the network to attack
Always test a firewall by hitting it with attack messages to see if they are handled properly
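The four ACL rules of Figure 9.6 as an added worked example (not the textbook's code), evaluated in order so that the first matching rule decides. The packet class, the 10.0.0.5 address and the default-deny fallback for packets matching no rule are constructed assumptions.

```python
from dataclasses import dataclass, field

WEBSERVER = "60.16.210.22"                   # the known webserver of Rules 2 and 3
TROJAN_PORTS = {7056, *range(8002, 8008)}     # Rule 1: 7056 or 8002 through 8007

@dataclass
class TcpPacket:
    iface: str      # "Internal" or "External": interface the packet arrives on
    dst: str        # destination IP address
    sport: int      # source port number
    dport: int      # destination port number
    flags: frozenset = field(default_factory=frozenset)   # e.g. {"SYN", "FIN"}

def rule1(p):   # Trojan horse source ports on the internal interface
    return "DENY" if p.iface == "Internal" and p.sport in TROJAN_PORTS else None

def rule2(p):   # going to the known webserver
    return "PERMIT" if p.iface == "External" and p.dport == 80 and p.dst == WEBSERVER else None

def rule3(p):   # going to an unknown webserver
    return "DENY" if p.iface == "External" and p.dport == 80 and p.dst != WEBSERVER else None

def rule4(p):   # SYN and FIN set together: scanning, never a real transaction
    return "DENY" if p.iface == "External" and {"SYN", "FIN"} <= p.flags else None

RULES = [rule1, rule2, rule3, rule4]

def filter_tcp(p, default="DENY"):
    """Apply the ACL in order. The first rule that matches decides and later
    rules are never consulted; packets matching no rule get `default`
    (default-deny is this example's assumption, not stated on the slides)."""
    for number, rule in enumerate(RULES, start=1):
        decision = rule(p)
        if decision is not None:
            return decision, number
    return default, None
```

Because Rule 2 comes before Rule 4, a SYN/FIN probe aimed at port 80 of the known webserver is permitted by Rule 2 and never reaches Rule 4, which is exactly the kind of ordering mistake the slide warns about and the reason to test the firewall with attack messages.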
Stateful Firewall
Does not examine packets in isolation
Examines each packet to see if it is part of an ongoing conversation
Catches attacks that packet filter firewalls cannot: refuses a TCP acknowledgement if an internal host has not opened a connection to that host
Usually does not examine a packet in detail if the packet is part of an ongoing conversation
This can miss attack packets
Beyond what is in the book
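A minimal stateful firewall as an added example (not from the textbook) of the two points above: an acknowledgement with no connection opened by an internal host is refused, while a packet inside a known conversation is passed without detailed examination, so an attack carried inside it is missed. The packet layout, the `deep_inspect` hook standing in for the full rule check, and the sample addresses are constructed assumptions.

```python
def packet(iface, src, sport, dst, dport, flags=(), payload=b""):
    """Constructed packet record: interface, addresses, ports, TCP flags, payload."""
    return {"iface": iface, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags), "payload": payload}

class StatefulFirewall:
    def __init__(self, deep_inspect):
        self.connections = set()          # (internal ip, port, external ip, port)
        self.deep_inspect = deep_inspect  # callable(packet) -> True if it looks clean

    def handle(self, p):
        if p["iface"] == "Internal":
            if "SYN" in p["flags"]:
                # an internal host is opening a connection: remember the conversation
                self.connections.add((p["src"], p["sport"], p["dst"], p["dport"]))
            return "PERMIT"                   # outbound traffic is allowed in this example
        key = (p["dst"], p["dport"], p["src"], p["sport"])
        if key in self.connections:
            # part of an ongoing conversation: passed without detailed examination,
            # which is why an attack payload inside it gets through
            if p["flags"] & {"FIN", "RST"}:
                self.connections.discard(key)
            return "PERMIT"
        if "SYN" in p["flags"] and "ACK" not in p["flags"]:
            # a new inbound connection attempt gets the full examination
            return "PERMIT" if self.deep_inspect(p) else "DENY"
        # an acknowledgement (or other non-SYN segment) for a connection
        # that no internal host opened
        return "DENY"
```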
Figure 9.7: Application (Proxy) Firewall
The Application Firewall runs an SMTP (E-Mail) Proxy, an FTP Proxy and an HTTP Proxy between the Browser on the Client PC and the Webserver Application on the Webserver
1. HTTP Request (Browser to HTTP Proxy)
2. Inspect Request Message
3. Examined HTTP Request (HTTP Proxy to Webserver)
4. HTTP Response (Webserver to HTTP Proxy)
5. Inspect Response Message
6. Examined HTTP Response (HTTP Proxy to Browser)
Figure 9.7: Application (Proxy) Firewall
Can examine the application message to filter packets by application content
If a hacker takes over the proxy firewall, the hacker has not taken over the internal clients, with which the proxy has only indirect contact
Internal client's IP address is hidden. All packets sent back by the server have the address of the application proxy server.
Figure 9.7: Application (Proxy) Firewall
There must be a proxy for each application (the figure shows SMTP, FTP and HTTP proxies)
Figure 9.8: Network Address Translation (NAT)
1. Client sends a packet to the NAT Firewall: From 172.47.9.6, Port 59789
2. NAT Firewall forwards it over the Internet to the Server Host: From 60.168.34.2, Port 63472
3. Server Host replies: To 60.168.34.2, Port 63472
4. NAT Firewall looks up the Translation Table and delivers the reply to the Client: To 172.47.9.6, Port 59789
Translation Table
Internal IP Addr   Internal Port   External IP Addr   External Port
172.47.9.6         59789           60.168.34.2        63472
...                ...             ...                ...
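The translation table of Figure 9.8 in working form, as an added example (not the textbook's code): outbound packets get the firewall's external address and a fresh port, replies are mapped back through the table, and a packet with no table entry is dropped. The server address 203.0.113.7 and the starting port are constructed values.

```python
import itertools

class NatFirewall:
    """Rewrites the source of outbound packets to the firewall's external address
    and a fresh port, and reverses the rewrite for replies."""

    def __init__(self, external_ip, first_port):
        self.external_ip = external_ip
        self.next_port = itertools.count(first_port)
        self.outbound_map = {}   # (internal ip, internal port) -> external port
        self.inbound_map = {}    # external port -> (internal ip, internal port)

    def translate_outbound(self, pkt):
        """Step 2: a client packet leaves with the external address and port,
        so the internal address is never visible on the Internet."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.outbound_map:
            port = next(self.next_port)
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return dict(pkt, src=self.external_ip, sport=self.outbound_map[key])

    def translate_inbound(self, pkt):
        """Step 4: a reply is delivered to the client recorded in the table.
        Returns None (drop) when no entry exists, so an unsolicited packet
        from the Internet never reaches an internal host."""
        if pkt["dst"] != self.external_ip:
            return None
        entry = self.inbound_map.get(pkt["dport"])
        if entry is None:
            return None
        return dict(pkt, dst=entry[0], dport=entry[1])
```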
Figure 9.9: Intrusion Detection
1. The Attacker sends an Attack Packet and a Legitimate Host sends a Legitimate Packet to the Internal Host
2. All Packets are copied to the Intrusion Detection System, which stores them in a Dump
3. Notification of Possible Attack goes to the Network Administrator
4. Analysis of Dump by the Network Administrator
Firewalls versus Intrusion Detection
Firewalls permit or deny traffic based on filtering rules
Intrusion detection systems (IDSs) only save and mark certain packets as suspicious; they do not take action
IDSs identify all suspicious packets, many of which turn out to be acceptable; firewall drop rules are more specific
Some firewalls issue alerts when packets are dropped and most firewalls log all drops
New: Not in the book
Figure 9.10: Hardening Clients and Servers
Known Weaknesses: Known security weaknesses in operating systems and application programs
Most download vendor patches to fix these known weaknesses
Firms often fail to do so (vendors issue 30-50 patches per week); patches must be installed on each server
Host Firewalls: Server firewalls and personal (client) firewalls
Figure 9.10: Hardening Clients and Servers
Server Authentication: Passwords
Cracking with exhaustive search and dictionary attacks
Strong passwords
Super accounts
Root in UNIX
Administrator in Windows
Figure 9.10: Hardening Clients and Servers
Server Authentication: Rules for Strong Passwords
At least 8 characters long
At least one change of case
At least one digit (0-9) not at the end
At least one non-alphanumeric character (#@%^&*!) not at the end
Figure 9.11: Kerberos Authentication (Simplified)
1. Initial Sign On (Applicant to Kerberos Server)
2. Request Ticket (Applicant to Kerberos Server)
3. Ticket (Kerberos Server to Applicant)
4. Ticket (Applicant to Verifier)
Figure 9.10: Hardening Clients and Servers
Server Authentication: Biometric authentication
Fingerprint: least expensive
Iris: most accurate
Face recognition: controversial in public places for mass identification
Other forms of biometric identification
Smart cards (ID card with microprocessor and data)
Figure 9.10: Hardening Clients and Servers
Limiting Permissions on Servers (Ch. 10): Only permit access to some directories
Limit permissions (what the user can do) there
Like controlling access to a high-security building; not allowed to go anywhere and remove items, etc.
Figure 9.12: Secure Communication System
Between the Client PC and the Server:
1. Initial Negotiation of Security Parameters
2. Mutual Authentication
3. Key Exchange or Key Agreement
4. Subsequent Communication with Message-by-Message Confidentiality, Authentication, and Message Integrity
Figure 9.13: Symmetric Key Encryption for Confidentiality
Party A: Plaintext "Hello" -> Encryption Method & Key (Symmetric Key) -> Ciphertext "11011101"
Network: the Interceptor sees only the Ciphertext "11011101" (???)
Party B: Ciphertext "11011101" -> Decryption Method & Key (Same Symmetric Key) -> Plaintext "Hello"
Figure 9.14: Symmetric Key Encryption for Confidentiality
Party A and Party B hold a Shared Symmetric Key
In Symmetric Key Encryption, both sides encrypt and decrypt with the same Symmetric Key
Figure 9.14: Public Key Encryption for Confidentiality
Party A to Party B: Party A encrypts with Party B's Public Key; Party B decrypts with Party B's Private Key
Party B to Party A: Party B encrypts with Party A's Public Key; Party A decrypts with Party A's Private Key
Quiz
1. In two-way conversations encrypted with symmetric key encryption, how many keys are used?
2. In two-way conversations encrypted with Public key encryption, how many keys are used?
3. In public key encryption for confidentiality, the sender always encrypts with the _____ key of the _____.
4. In public key encryption for confidentiality, the receiver always decrypts with the ___ key of the _____.
Symmetric Versus Public Key Encryption
Symmetric key encryption is very fast, so it can be used to encrypt long messages for confidentiality, including e-mail messages, website communication, database transactions, and almost all other user applications.
Public key encryption, by contrast, is practical only for providing confidentiality for very short messages. We will see how this helps in transferring symmetric keys and in digital signatures.
Figure 9.15: Public Key Distribution for Symmetric Keys
1. Party A creates a Symmetric Session Key
2. Party A encrypts the Session Key with Party B's Public Key
3. Party A sends the Symmetric Session Key encrypted with Party B's Public Key
4. Party B decrypts the Session Key with Party B's Private Key
5. Subsequent Bulk Encryption for Confidentiality with the Symmetric Session Key for All Messages
Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol
Client (Applicant) and Server (Verifier)
Note: Both the Client and the Server know the Client's Password
1. Verifier creates a Challenge Message
2. Verifier sends the Challenge Message
3. Applicant creates the Response Message:
a) Adds the Password to the Challenge Message
b) Hashes the resultant bit string
c) This gives the Response Message
4. Applicant sends the Response Message
5. Verifier adds the password to the challenge message it sent and hashes the combination. This should be the Expected Response message.
6. Expected Response = Transmitted Response? If the two are equal, the Client knows the Password and is authenticated
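The exchange above in working form, as an added example (not the textbook's code and not the real MS-CHAP algorithm): the slides only say "hashes", so SHA-256 is an illustrative stand-in, and the password "hunter2" and the fixed challenges in the test are constructed values.

```python
import hashlib
import hmac
import secrets

def create_challenge(nbytes=16):
    """Step 1: the verifier makes a fresh random challenge for every attempt,
    so a response captured earlier is useless against the next challenge."""
    return secrets.token_bytes(nbytes)

def make_response(password, challenge):
    """Step 3: add the password to the challenge and hash the resulting bit string."""
    return hashlib.sha256(challenge + password.encode("utf-8")).digest()

def verify_response(password_on_file, challenge, transmitted_response):
    """Steps 5-6: recompute the expected response from the stored password and
    the challenge that was actually sent, then compare in constant time."""
    expected = make_response(password_on_file, challenge)
    return hmac.compare_digest(expected, transmitted_response)

def authenticate(applicant_password, verifier_password, challenge=None):
    """Run the whole exchange; True only if both sides hold the same password."""
    challenge = create_challenge() if challenge is None else challenge
    response = make_response(applicant_password, challenge)
    return verify_response(verifier_password, challenge, response)
```

Note that the verifier must hold the password itself to recompute the response, which is the cost of the "both know the password" design on the slide.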
Figure 9.17: Digital Signature
The Sender adds a Digital Signature (DS) to each message; this provides Message-by-Message Authentication. DS plus Plaintext are then encrypted for Confidentiality.
Sender: To Create the Digital Signature:
1. Hash the plaintext to create a brief message digest (MD); this is NOT the digital signature
2. Sign (encrypt) the message digest with the sender's private key to create the digital signature
Transmission: Send Plaintext plus Digital Signature, encrypted with the Symmetric Session Key (the Sender encrypts, the Receiver decrypts)
Receiver:
1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest
2. Decrypt the digital signature with the true party's public key. This also should give the message digest
3. If the two match, the message is authenticated; the sender has the true party's private key
Figure 9.18: Public Key Deception
The Verifier must authenticate the True Person (TP)
Impostor: "I am the True Person."
Impostor: "Here is TP's public key." (Sends Impostor's public key) (Critical Deception)
Verifier: Believes it now has TP's public key
Impostor: "Here is authentication based on TP's private key." (Really Impostor's private key)
Verifier: Believes the True Person is authenticated, based on Impostor's public key
Verifier: "True Person, here is a message encrypted with your public key."
Impostor: The message from the Verifier was encrypted with Impostor's public key, so Impostor can decrypt it
Digital Certificates
Digital certificates are electronic documents that give the true party’s name and public key
Applicants claiming to be the true party have their authentication methods tested by this public key
If they are not the true party, they cannot use the true party’s private key and so will not be authenticated
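Figures 9.15, 9.17 and 9.18 carried through in one added example (not the textbook's code): session-key transfer under the receiver's public key, hash-then-sign with the private key, verification with the public key, and the deception that a digital certificate exists to prevent. It uses textbook RSA with no padding on fixed Mersenne primes, a toy construction for illustration only; the key pairs and messages are constructed values.

```python
import hashlib

# Textbook RSA, no padding, on fixed Mersenne primes: a toy for illustration only.
def toy_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)): the public key and the matching private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

TRUE_PARTY_PUB, TRUE_PARTY_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)

def message_digest(plaintext, n):
    """Hash the plaintext to a brief message digest (reduced to fit the key)."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n

def sign(plaintext, private_key):
    """Figure 9.17, sender: encrypt the digest with the private key -> digital signature."""
    d, n = private_key
    return pow(message_digest(plaintext, n), d, n)

def verify(plaintext, signature, public_key):
    """Figure 9.17, receiver: decrypt the signature with the public key and
    compare it with a fresh digest of the received plaintext."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(plaintext, n)

def encrypt_session_key(session_key, public_key):
    """Figure 9.15, step 2: the short symmetric session key is encrypted with the
    receiver's public key (the key as an integer must be smaller than n)."""
    e, n = public_key
    return pow(int.from_bytes(session_key, "big"), e, n)

def decrypt_session_key(ciphertext, private_key, length):
    """Figure 9.15, step 4: only the matching private key recovers the session key."""
    d, n = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")

def public_key_deception(plaintext):
    """Figure 9.18: the verifier accepted the impostor's public key as the true
    party's. A signature made with the impostor's private key then verifies, so
    without a certificate binding the name to the real key the verifier is fooled."""
    forged = sign(plaintext, IMPOSTOR_PRIV)
    return verify(plaintext, forged, IMPOSTOR_PUB)
```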
Digital Signatures and Digital Certificates
Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature
The Applicant sends DS plus Plaintext to the Verifier; the Certificate Authority supplies the Digital Certificate containing the True Party's Public Key
Figure 9.19: Public Key Infrastructure (PKI)
Parties: Certificate Authority (PKI Server), Applicant (Lee), Verifiers (Brown and Cheng)
1. and 2. The Certificate Authority creates and distributes to the Applicant (Lee) (1) a Private Key and (2) a Digital Certificate
3. Request Certificate for Brown (Verifier Brown and the Certificate Authority)
4. Certificate for Brown (Certificate Authority to Verifier Brown)
5. Certificate for Lee (Applicant Lee to Verifier Cheng)
6. Verifier Cheng checks the Certificate Revocation List (CRL) at the Certificate Authority for Lee's Digital Certificate
7. Revoked or OK
Figure 9.20: Security at Multiple Layers
Layer: Example
Application: Application-specific (for instance, passwords for a database program); Application (Proxy) Firewalls
Transport: SSL (TLS), Packet Filter Firewalls
Internet: IPsec, Packet Filter Firewalls
Data Link: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)
Physical: Physical locks on computers, Notebook Encryption
Figure 9.20: Security at Multiple Layers
Having security at multiple layers provides protection if one layer’s security fails
Having security at multiple layers also slows processing on the device
So provide protection in at least two layers but not in all layers
Figure 9.21: Creating Appropriate Security
Understanding Needs: Need to make security proportional to risks
Organizations face different risks
Policies and Enforcement: Policies bring consistency
Must be enforced.
Training in the importance of security and in protection techniques
Social engineering prevention training
Figure 9.21: Creating Appropriate Security
Policies and Enforcement: Security audits: attack your system proactively
You must really be able to trust your testers
Incident handling: Stopping the attack; Restoring the system; Prosecution; Planning and practicing before the incident
Privacy: Need to protect employee & customer privacy
Recommended