Upload
cbchellani
View
212
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Network Security
Citation preview
Introduction toNetwork Security
Guest LectureDebabrata Dash
OutlineSecurity VulnerabilitiesDoS and D-DoSFirewallsIntrusion Detection Systems
Security VulnerabilitiesSecurity Problems in the TCP/IP Protocol Suite Steve Bellovin - 89Attacks on Different LayersIP AttacksICMP AttacksRouting AttacksTCP AttacksApplication Layer Attacks
Why?TCP/IP was designed for connectivityAssumed to have lots of trust
Host implementation vulnerabilitiesSoftware had/have/will have bugsSome elements in the specification were left to the implementers
Security Flaws in IPThe IP addresses are filled in by the originating hostAddress spoofingUsing source address for authenticationr-utilities (rlogin, rsh, rhosts etc..)Internet2.1.1.1C1.1.1.11.1.1.2AB1.1.1.3SCan A claim it is B to the server S?ARP SpoofingCan C claim it is B to the server S?Source Routing
Security Flaws in IPIP fragmentation attackEnd hosts need to keep the fragments till all the fragments arrive
Traffic amplification attackIP allows broadcast destinationProblems?
Ping FloodAttacking SystemInternetBroadcast Enabled NetworkVictim System
ICMP AttacksNo authenticationICMP redirect messageCan cause the host to switch gatewaysBenefit of doing this?Man in the middle attack, sniffingICMP destination unreachableCan cause the host to drop connectionICMP echo request/replyMany more http://www.sans.org/rr/whitepapers/threats/477.php
Routing AttacksDistance Vector RoutingAnnounce 0 distance to all other nodesBlackhole trafficEavesdropLink State RoutingCan drop links randomlyCan claim direct link to any other routersA bit harder to attack than DVBGPASes can announce arbitrary prefixASes can alter path
TCP AttacksIssues?Server needs to keep waiting for ACK y+1Server recognizes Client based on IP address/port and y+1
TCP Layer AttacksTCP SYN FloodingExploit state allocated at server after initial SYN packetSend a SYN and dont reply with ACKServer will wait for 511 seconds for ACKFinite queue size for incomplete connections (1024)Once the queue is full it doesnt accept requests
TCP Layer AttacksTCP Session HijackWhen is a TCP packet valid?Address/Port/Sequence Number in windowHow to get sequence number?Sniff trafficGuess itMany earlier systems had predictable ISNInject arbitrary data to the connection
TCP Layer AttacksTCP Session PoisoningSend RST packetWill tear down connectionDo you have to guess the exact sequence number?Anywhere in window is fineFor 64k window it takes 64k packets to resetAbout 15 seconds for a T1
Application Layer AttacksApplications dont authenticate properlyAuthentication information in clearFTP, Telnet, POPDNS insecurityDNS poisoningDNS zone transfer
An ExampleFinger Finger @S showmount e Send 20 SYN packets to S
Attack when no one is around What other systems it trusts? Determine ISN behaviorShowmount -eSYN
An Example Finger @S showmount e Send 20 SYN packets to S SYN flood T Attack when no one is around What other systems it trusts? Determine ISN behavior T wont respond to packetsSyn floodX
An Example Finger @S showmount e Send 20 SYN packets to S SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number Attack when no one is around What other systems it trusts? Determine ISN behavior T wont respond to packets S assumes that it has a session with TXSYNSYN|ACKACK
An Example Finger @S showmount e Send 20 SYN packets to S SYN flood T Send SYN to S spoofing as T Send ACK to S with a guessed number Send echo + + > ~/.rhosts Attack when no one is around What other systems it trusts? Determine ISN behavior T wont respond to packets S assumes that it has a session with T Give permission to anyone from anywhereX++ > rhosts
OutlineSecurity VulnerabilitiesDoS and D-DoSFirewallsIntrusion Detection Systems
Denial of ServiceObjective make a service unusable, usually by overloading the server or network
Consume host resourcesTCP SYN floodsICMP ECHO (ping) floods
Consume bandwidthUDP floodsICMP floods
Denial of ServiceCrashing the victimPing-of-DeathTCP options (unused, or used incorrectly)
Forcing more computationTaking long path in processing of packets
Simple DoSAttackerVictimVictimVictim The Attacker usually spoofed source address to hide origin Easy to block
Coordinated DoSAttackerVictimVictimVictimAttackerAttacker The first attacker attacks a different victim to cover up the real attack The Attacker usually spoofed source address to hide origin Harder to deal with
Distributed DoS
Distributed DoSThe handlers are usually very high volume serversEasy to hide the attack packetsThe agents are usually home users with DSL/CableAlready infected and the agent installedVery difficult to track down the attackerHow to differentiate between DDoS and Flash Crowd?Flash Crowd Many clients using a service legimitalySlashdot EffectVictoria Secret WebcastGenerally the flash crowd disappears when the network is floodedSources in flash crowd are clustered
OutlineSecurity VulnerabilitiesDoS and D-DoSFirewallsIntrusion Detection Systems
FirewallsLots of vulnerabilities on hosts in networkUsers dont keep systems up to dateLots of patchesLots of exploits in wild (no patch for them)Solution?Limit access to the networkPut firewalls across the perimeter of the network
Firewalls (contd)Firewall inspects traffic through itAllows traffic specified in the policyDrops everything elseTwo TypesPacket Filters, ProxiesInternetInternal NetworkFirewall
Packet FiltersPacket filter selectively passes packets from one network interface to anotherUsually done within a router between external and internal networksscreening router
Can be done by a dedicated network elementpacket filtering bridgeharder to detect and attack than screening routers
Packet Filters Contd.Data AvailableIP source and destination addressesTransport protocol (TCP, UDP, or ICMP)TCP/UDP source and destination portsICMP message typePacket options (Fragment Size etc.)Actions AvailableAllow the packet to go throughDrop the packet (Notify Sender/Drop Silently)Alter the packet (NAT?)Log information about the packet
Packet Filters Contd.Example filtersBlock all packets from outside except for SMTP serversBlock all traffic to a list of domainsBlock all connections from a specified domain
Typical Firewall Configuration Internal hosts can access DMZ and Internet External hosts can access DMZ only, not Intranet DMZ hosts can access Internet only Advantages? If a service gets compromised in DMZ it cannot affect internal hostsInternetIntranetDMZXX
Example Firewall RulesStateless packet filtering firewallRule (Condition, Action)Rules are processed in top-down orderIf a condition satisfied action is taken
Sample Firewall RuleDst PortDst AddrProtoAck Set?ActionSrc PortSrc AddrDirRuleAllow SSH from external hosts to internal hostsTwo rulesInbound and outboundHow to know a packet is for SSH?Inbound: src-port>1023, dst-port=22Outbound: src-port=22, dst-port>1023Protocol=TCPAck Set?Problems?
Default Firewall RulesEgress FilteringOutbound traffic from external address DropBenefits?Ingress FilteringInbound Traffic from internal address DropBenefits?Default DenyWhy?AnyDst PortDenyAnyAnyExtAnyExtOutEgressDst AddrProtoAck Set?ActionSrc PortSrc AddrDirRule
Packet FiltersAdvantagesTransparent to application/userSimple packet filters can be efficientDisadvantagesUsually fail openVery hard to configure the rulesDoesnt have enough information to take actionsDoes port 22 always mean SSH?Who is the user accessing the SSH?
AlternativesStateful packet filtersKeep the connection statesEasier to specify rulesMore popularProblems?State explosionState for UDP/ICMP?
AlternativesProxy FirewallsTwo connections instead of oneEither at transport levelSOCKS proxyOr at application levelHTTP proxyRequires applications (or dynamically linked libraries) to be modified to use the proxy
Proxy FirewallData AvailableApplication level informationUser informationAdvantages?Better policy enforcementBetter loggingFail closedDisadvantages?Doesnt perform as wellOne proxy for each applicationClient modification
OutlineSecurity VulnerabilitiesDoS and DDoSFirewallsIntrusion Detection Systems
Intrusion Detection SystemsFirewalls allow traffic only to legitimate hosts and servicesTraffic to the legitimate hosts/services can have attacksCodeReds on IISSolution?Intrusion Detection SystemsMonitor data and behaviorReport when identify attacks
Types of IDSHost-basedNetwork-basedSignature-basedAnomaly-based
Signature-based IDSCharacteristicsUses known pattern matching to signify attackAdvantages?Widely availableFairly fastEasy to implementEasy to updateDisadvantages?Cannot detect attacks for which it has no signature
Anomaly-based IDS CharacteristicsUses statistical model or machine learning engine to characterize normal usage behaviorsRecognizes departures from normal as potential intrusions Advantages?Can detect attempts to exploit new and unforeseen vulnerabilitiesCan recognize authorized usage that falls outside the normal pattern Disadvantages?Generally slower, more resource intensive compared to signature-based IDSGreater complexity, difficult to configureHigher percentages of false alerts
Network-based IDSCharacteristicsNIDS examine raw packets in the network passively and triggers alertsAdvantages?Easy deploymentUnobtrusiveDifficult to evade if done at low level of network operationDisadvantages?Fail OpenDifferent hosts process packets differentlyNIDS needs to create traffic seen at the end hostNeed to have the complete network topology and complete host behavior
Host-based IDSCharacteristicsRuns on single hostCan analyze audit-trails, logs, integrity of files and directories, etc.AdvantagesMore accurate than NIDSLess volume of traffic so less overheadDisadvantagesDeployment is expensiveWhat happens when host get compromised?
SummaryTCP/IP security vulnerabilitiesSpoofingFlooding attacksTCP session poisoningDOS and D-DOSFirewallsPacket FiltersProxyIDSSignature and Anomaly IDSNIDS and HIDS