SE571 Security in Computing
Chap 7: Security in Networks
SE571 Security in Computing Dr. Ogara2
This Chapter Examines…
Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks
Controls against network attacks: physical security, policies, procedures, and other technical controls
This Chapter Examines…
Firewalls: design, capabilities, limitations
Intrusion detection systems
Private e-mail: PGP and S/MIME
Research: Top 5 Network Security Threats for 2011
Users
• Managed users: employees/staff, on managed and unmanaged devices (laptops, smartphones)
• Unmanaged users: guests, contractors, consultants, business partners
(Source: Bradford Networks, 2011)
Research: Top 5 Network Security Threats for 2011
Mobile device proliferation
• Smartphones: many models from many vendors
• Tablets/iPads
• E-book readers
IP everything: exponential growth in IP-addressable devices
• Surveillance cameras
• Card readers
(Source: Bradford Networks, 2011)
Research: Top 5 Network Security Threats for 2011
Consumerization of IT
• Consumer markets driving IT
• Personal devices growing rapidly and must be supported by IT
Virtualization
• Server applications in a private cloud
• Virtual desktops in a virtual environment
(Source: Bradford Networks, 2011)
Research: Consumerization of IT Survey 2011
Study sponsored by Dell KACE; 741 IT professionals participated
Employees using personal devices for work (87%)
• Email
• Calendar
• CRM/ERP
Employees using smartphones (80%)
Employees using personal PCs (69%)
https://www.kace.com/resources/Consumerization-of-IT-Survey-2011
Network Security
What are we protecting?
Why are we protecting it?
What are the assets?
What are the threats?
What are the controls?
Network Assets
Network infrastructure
Application programs
Data
Network Threats
Interception
• Eavesdropping
• Passive wiretapping
Modification
• Active wiretapping
• Falsification
• Compromise of authenticity
Denial of service
Network Controls
Firewalls
Intrusion detection systems
Secure email
Terminologies
Network: a collection of communicating hosts
Node: a single computing system in a network
Link: a connection between two nodes
Host: a single computer in a network
Workstation: an end-user computing device, usually designed for a single user at a time
Terminologies
Topology: the way a network is configured, in terms of nodes and connections
Protocol: a standard method for transmitting data and/or establishing communication between different devices
Protocol stack: a layered architecture for communications, each layer using the services of the layer below it
Network
Protocols
Two popular layered models for implementing networks:
I. Open Systems Interconnection (OSI) reference model
II. Transmission Control Protocol / Internet Protocol (TCP/IP)
OSI Model
Contains 7 layers
Layers represent the different activities that must be performed for actual transmission of a message
OSI Network Model
SE571 Security in Computing Dr. Ogara18
OSI Protocol Layer Levels
SE571 Security in Computing Dr. Ogara19
OSI Protocol Layer Levels
What happens when you send a message to [email protected]?
Each layer adds its own header in front of the data handed down from the layer above (encapsulation); the receiving side strips the headers off in the reverse order.
Transport layer
• Splits the message into segments and tags each with source and destination port numbers
Network layer
• Adds an IP header carrying the source and destination IP addresses; the resulting unit is called a packet
• Routers forward each packet toward the destination network hop by hop; the IP addresses stay the same end to end
Data link layer
• The Network Interface Card (NIC) has a physical address called the MAC (Media Access Control) address
• Adds a header with the destination MAC (the next-hop router's NIC) and the source MAC (the sending NIC)
• The resulting structure is called a frame: destination MAC, source MAC, type, and the packet as its data
• The MAC addresses are rewritten at every hop, since they only identify the two ends of one link
Physical layer
• Transmits the frame as bits on the medium (cable, fibre, radio)
TCP/IP Model
Common in most wide area network communications
Defined by its protocols rather than by layers, although it is usually seen as 4 layers:
1. Application
2. Transport
3. Internet
4. Link (network access; labelled "physical" in some texts)
TCP/IP Model
Denotes two protocols although used as a single acronym
TCP implements a connection-oriented, reliable communication session on top of the more basic, best-effort IP datagram delivery
TCP/IP Model
TCP Protocol
Records and checks correct sequencing of packets
Retransmits missing or faulty packets
Provides a stream of correct data in proper order to the invoking application
Problem: retransmission of faulty or missing packets takes time and induces overhead
TCP Packet
Data structure
• Includes a sequence number, an acknowledgment number for connecting the packets of a communication session, flags (SYN, ACK, FIN, RST and others), and source and destination port numbers
Port: a 16-bit number that identifies the sending or receiving application on a host, so that the transport layer can deliver each packet to the right process (for example port 25 for SMTP mail, port 80 for HTTP)
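The encapsulation the last few slides describe (a frame around a packet around a TCP segment) as an added worked example in Python, not part of the course material: it builds each header with `struct`, computes the IPv4 header checksum, then parses the frame back up the stack and rejects a frame whose header has been corrupted. The MAC and IP addresses, ports and SMTP payload are constructed sample values, and the TCP checksum is left at zero so the example stays focused on the field layout.

```python
import struct
from dataclasses import dataclass

# Constructed sample addresses (documentation/test ranges), not captured traffic.
SRC_MAC, DST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"   # sending NIC, next-hop router NIC
SRC_IP, DST_IP = "10.0.0.5", "192.0.2.25"                     # client, remote mail server
SRC_PORT, DST_PORT = 49152, 25                               # ephemeral client port, SMTP
TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(payload: bytes, seq: int, ack: int, flags: int) -> bytes:
    """Transport layer: ports, sequence/acknowledgement numbers and flags (20-byte header, checksum left 0 here)."""
    data_offset_and_flags = (5 << 12) | flags          # header length 5 x 32-bit words, then the flag bits
    header = struct.pack("!HHIIHHHH", SRC_PORT, DST_PORT, seq, ack, data_offset_and_flags, 65535, 0, 0)
    return header + payload


def build_ip_packet(segment: bytes) -> bytes:
    """Network layer: one IPv4 header carrying the source and destination addresses; the unit is a packet."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(segment),      # version 4 / IHL 5, TOS, total length
                         0x1234, 0x4000,                   # identification, DF flag
                         64, 6, 0,                         # TTL, protocol 6 = TCP, checksum placeholder
                         bytes(map(int, SRC_IP.split("."))), bytes(map(int, DST_IP.split("."))))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment


def build_frame(packet: bytes) -> bytes:
    """Data-link layer: destination MAC, source MAC, EtherType 0x0800 (IPv4), then the packet; the unit is a frame."""
    to_bytes = lambda mac: bytes(int(b, 16) for b in mac.split(":"))
    return to_bytes(DST_MAC) + to_bytes(SRC_MAC) + struct.pack("!H", 0x0800) + packet


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload: bytes


def parse_frame(frame: bytes) -> ParsedFrame:
    """Peel the layers off in reverse order; reject a frame whose IP header checksum does not verify."""
    fmt_mac = lambda raw: ":".join("%02x" % b for b in raw)
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    segment = packet[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    return ParsedFrame(fmt_mac(frame[0:6]), fmt_mac(frame[6:12]),
                       ".".join(map(str, packet[12:16])), ".".join(map(str, packet[16:20])),
                       sport, dport, seq, ack, off_flags & 0x1FF, segment[data_offset:])


def round_trip(payload: bytes, seq: int = 1000, ack: int = 2000, flags: int = TCP_PSH | TCP_ACK) -> ParsedFrame:
    """Encapsulate application data down the stack and parse it back up, as the slides describe."""
    return parse_frame(build_frame(build_ip_packet(build_tcp_segment(payload, seq, ack, flags))))


if __name__ == "__main__":
    print(round_trip(b"HELO client.example\r\n"))
```

Flipping a single byte of the IP header (the TTL, say) makes `parse_frame` raise, which is all the checksum offers: it detects accidental corruption, not deliberate tampering, since an attacker who changes a field simply recomputes it. That is why the integrity controls later in the chapter rely on encryption and keyed checks rather than on these header checksums.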
Internet Services
Local Area Networks (LAN)
Covers a small distance, typically within a single building
Connects several small computers, such as personal computers, as well as printers and perhaps some dedicated file storage devices
Local Area Networks (LAN)
Wide Area Networks (WAN)
Single control: usually controlled by one organization (typically a carrier), even though it carries many customers' traffic
Covers a significant distance
Physically exposed: links run through public spaces the owner cannot guard, so wiretapping is a realistic threat
Related forms at intermediate scale: campus area networks, metropolitan area networks
What Makes a Network Vulnerable?
Anonymity
• Anonymous attackers can act from a distance and hide their origin
Many points of attack, both targets and origins
• Security is less rigorous at some of them
Sharing
Complexity of the system
Unknown perimeter
• Untrusted hosts may be reachable from, or part of, the network
Why Do People Attack Networks?
Fame or recognition
Money and espionage
Organized crime
Advancing an ideology
Network Vulnerabilities, Targets and Controls
What are the targets?
What are the vulnerabilities?
What are the controls?
Vulnerabilities that Target Precursors to Attack
Port scan
• Gives the attacker an external picture of the host: which doors are open
• Which standard ports, and therefore which services, are running?
Social engineering
• Use of social skills and personal interaction to get someone to reveal security-relevant information
Reconnaissance
• Gathering information about the target: addresses, users, configuration
OS and application fingerprinting
• Inferring the operating system and software versions from how a host responds, so that matching exploits can be chosen
Control of Vulnerabilities
Firewall
"Hardened" (self-defensive) applications
Programs that reply with only what is necessary (no version banners, no verbose error messages)
Intrusion detection system
Run as few services as possible
Control of Vulnerabilities
Education, user awareness
Policies and procedures
Systems in which two people must agree to perform certain security-critical functions
Network Vulnerabilities that Target Authentication Failures
Impersonation
Guessing
Eavesdropping
Session hijacking
Spoofing
Man-in-the-middle attack
Control of Vulnerabilities
Strong, one-time authentication
Virtual private network
Encrypted authentication channel
Education, user awareness
Protocol analysis
Network Vulnerabilities that Target Programming Flaws
Buffer overflow
Addressing errors
Parameter modification, time-of-check to time-of-use errors
Server-side include
Cookies
Malicious active code: Java, ActiveX
Malicious code: virus, worm, Trojan horse
Control of Vulnerabilities
Programming controls
Intrusion detection system
Personal firewall
Two-way authentication
Controlled execution environment
Signed code
Network Vulnerabilities that Target Confidentiality
Protocol flaw
Malicious code: virus, worm, Trojan horse
Eavesdropping
Passive wiretap
Misdelivery
Exposure within the network
Traffic flow analysis
Cookie
Control of Vulnerabilities
Firewall
Encryption
Intrusion detection system
Controlled execution environment
Programming controls
Network Vulnerabilities that Target Integrity
Protocol flaw
Impersonation
Active wiretap
Falsification of message
Noise
Website defacement
DNS attack
Control of Vulnerabilities
Firewall
Encryption
Intrusion detection system
Controlled execution environment
Audit
Protocol analysis
Strong authentication
Error detection code
Honey pot
Network Vulnerabilities that Target Availability
Protocol flaw
Transmission or component failure
DNS attack
Traffic redirection
Distributed denial of service
Connection flooding
Control of Vulnerabilities
Encryption
Firewall
Intrusion detection system
Honey pot
Encryption
Most important and versatile tool for the network security expert
Important for
• Privacy
• Authenticity
• Integrity
• Limited access to data
Not a silver bullet: it protects the encrypted data only; addresses, traffic patterns, and data at the endpoints remain exposed
Encryption
Can be applied in two ways
• Link encryption
• End-to-end encryption
Link Encryption
Data is encrypted just before the system places it on the physical communications link
Encryption takes place in layer 1 or 2 of the OSI model
Encryption protects the message while it is in transit on the link
Message is plaintext inside the hosts and inside every intermediate node (router), because each node must decrypt to read the addresses and then re-encrypt for the next link
Link Encryption
Data exposed in sending host
Data exposed in intermediate nodes
Applied by sending host
Invisible to user
Host maintains encryption
Encryption typically done in hardware
Provides node authentication
All or no data encrypted
Link Encryption
SE571 Security in Computing Dr. Ogara53
Link Encryption
SE571 Security in Computing Dr. Ogara54
End-to-End Encryption
Security available from one end of the transmission to the other
Encryption can be applied by either hardware or software running on the end computer
Encryption takes place at the highest levels of the OSI model: application and presentation
End-to-End Encryption
Data encrypted in sending host
Data encrypted in intermediate nodes
User applies encryption
User selects encryption algorithm
Either software or hardware implementation
User chooses to encrypt or not
Provides user authentication
End-to-End Encryption
SE571 Security in Computing Dr. Ogara57
End-to-End Encryption
SE571 Security in Computing Dr. Ogara58
Virtual Private Networks
Communication passes through an encrypted tunnel
User's client establishes communication with the network firewall
User and firewall negotiate a session encryption key
Virtual Private Networks
Firewall and user encrypt all traffic between them
Firewall authenticates the user through an authentication server
Firewall implements access control (grants the appropriate security privileges)
Virtual Private Networks
SE571 Security in Computing Dr. Ogara61
PKI and Certificates
PKI (Public Key Infrastructure) is a process created to enable users to implement public key cryptography
Provides identification and access control information to users
• Creates certificates associating a user's identity with a cryptographic key
• Gives out certificates from its database
• Signs certificates, thus adding credibility to the authenticity of certificates
• Confirms or denies that a certificate is valid
• Invalidates certificates for users who are no longer allowed access or whose private key has been exposed
PKI and Certificates
PKI sets up entities called certificate authorities (CAs) that implement PKI policy
Assumption is that certificate authorities are trusted; a compromised or careless CA undermines every certificate it issued
Functions of certificate authorities
• Manage public key certificates for their whole life cycle
• Issue certificates by binding a user's or system's identity to a public key with a digital signature
• Schedule expiry dates for certificates
• Ensure that certificates are revoked by publishing a certificate revocation list (CRL)
SSH Encryption
SSH (secure shell) is a pair of protocols (version 1 and version 2); version 1 has known cryptographic weaknesses and should be disabled
Provides an authenticated and encrypted path to a shell or operating system command interpreter
Protects against spoofing attacks and modification of data in communications
Protocol involves negotiation between local and remote sites for the encryption algorithm (e.g. DES, IDEA, AES; DES is obsolete today) and for the authentication method (password or public key)
Caveat: SSH authenticates the server by its host key; a user who accepts an unknown host key without checking its fingerprint is exposed to a man-in-the-middle
SSL Encryption
SSL stands for Secure Sockets Layer
Its standardized successor is TLS (Transport Layer Security); the names are often used interchangeably, but SSL 2.0 and 3.0 themselves are obsolete and insecure
Protocol was originally designed by Netscape to protect communication between web browser and server
It sits between applications (e.g. a browser) and TCP/IP to provide server authentication, optional client authentication, and an encrypted communication channel between client and server
SSL Encryption
SSL/TLS is the most widely used secure communication protocol on the Internet
Only protects data between the client's browser and the server; data is plaintext again inside the server and in any back-end systems it talks to
IPSec
Stands for IP Security Protocol
Similar to SSL in that it supports authentication and confidentiality, but works at the IP (network) layer, so it protects all traffic between two hosts or gateways regardless of application
Defines a standard means for handling encrypted data
Designed as part of IPv6 to address shortcomings of IP (and retrofitted to IPv4) such as:
• Spoofing
• Eavesdropping
• Session hijacking
IPSec
Fundamental data structures are
• AH: Authentication Header (integrity and origin authentication, no confidentiality)
• ESP: Encapsulating Security Payload (confidentiality and, optionally, integrity)
An ESP packet contains both an authenticated and an encrypted portion
Packets: (a) Conventional Packet; (b) IPSec Packet
Wireless Security
SSID: Service Set Identifier
• The network name a client presents to join; it is broadcast or easily sniffed, so it identifies the network but does not authenticate anyone
WEP: Wired Equivalent Privacy
• Uses encryption (the RC4 stream cipher) to prevent eavesdropping and impersonation
• Uses the encryption key for authentication as well
• Part of the original IEEE 802.11 standard
• Marketed as 64- and 128-bit encryption (a 40- or 104-bit key plus a 24-bit IV sent in the clear)
• Broken in practice: the short IV repeats quickly and weaknesses in RC4 key scheduling let an attacker recover the key from captured traffic, with no brute force needed
Wireless Security
WPA and WPA2: Wi-Fi Protected Access
• Address the known security deficiencies of WEP
• IEEE standard 802.11i
• WEP used a single key that remained unchanged until the user entered a new one at the client and the access point
• WPA derives a fresh key for every packet automatically (TKIP, Temporal Key Integrity Protocol)
• WPA2 replaces TKIP/RC4 with AES-based CCMP; TKIP is itself deprecated today
Honeypots
Computer system deliberately left open to attackers
Goals
• Watch what attackers do
• Lure attackers in order to study their habits
• Divert attackers' attention so that they leave your real systems alone
Firewalls
Device that filters traffic between a protected/inside network and a less trustworthy/outside network
Purpose
• Keep bad things outside the protected environment
• Use security policies to limit access from outside
Types of Firewalls
Packet filtering gateways or screening routers
Stateful inspection firewalls
Application proxies
Guards
Personal firewalls
Packet Filtering Gateway
Simplest type and, in some situations, the most effective
Controls access based on packet addresses (source or destination) or on the transport-level protocol and port (e.g. TCP port 80 for HTTP web traffic)
Looks only at headers; it cannot see or judge the data inside a packet
Stateful Inspection Firewall
Maintains state information from one packet to another in the input stream, e.g. admitting an inbound packet only if it belongs to a connection that an inside host opened
Application Proxy Firewall
Packet filters look only at the headers of packets, not at the data inside the packets
An application proxy (bastion host) terminates the connection, interprets the application-level content, and forwards only requests that conform to what the protected application should receive
Guard Firewall
Receives protocol data units, interprets them, and passes through the same or different protocol data units that achieve either the same result or a modified result
Personal Firewall
Application program that runs on a workstation to block unwanted traffic, usually from the network
A conventional firewall protects a (sub)network of multiple hosts; a personal firewall protects the single host it runs on
May complement the work of a conventional firewall by screening the kind of data a single host will accept
Denial of Service
Connection flooding
• Echo-Chargen: chargen is a protocol that generates a stream of characters, and echo returns whatever it receives. The attacker spoofs a packet so that host A's chargen port is talking to host B's echo port; A and B then feed each other in an endless loop
• Ping of Death: the attacker sends an oversized ICMP echo request (more than 65535 bytes once reassembled) that crashes a vulnerable host's IP stack
• Ping flood: the attacker sends a flood of pings to the intended host; the pings saturate the victim's bandwidth
Denial of Service
Connection flooding
• Smurf: attacker sends broadcast echo requests to a network with the victim's address as the (spoofed) source; every host on that network replies to the victim
• SYN flood: attacker sends many SYN requests and never responds with the final ACK, filling the victim's SYN_RECV (half-open connection) queue so that legitimate connection attempts are refused
• Teardrop: attacker sends a series of IP fragments with overlapping offsets that cannot be reassembled properly, crashing vulnerable stacks
Denial of Service
Traffic redirection
• Attackers disrupt or alter routers' tables so that traffic is redirected or dropped
DNS attacks
• Attackers redirect traffic by taking over a domain name server or by causing it to cache spurious entries (DNS cache poisoning)
• E.g. an attack in 2005 used a flaw in a Symantec firewall to allow a change in DNS records used by Windows machines; the poisoned DNS cache redirected users to advertising sites
Distributed Denial of Service
Also called DDoS
Attacker discreetly plants a Trojan horse on a machine, e.g. through an email attachment
Attacker repeats the process on many targets, each now a "zombie"
Attacker sends a signal to all zombies to launch an attack against the victim (n attacks from n zombies, so there is no single source to block)
Distributed Denial of Service
SE571 Security in Computing Dr. Ogara83
Intrusion Detection Systems
Also called IDS
Device that monitors activities to identify malicious and suspicious events
Functions
• Monitor users and system activity
• Audit system configuration for vulnerabilities and misconfigurations
• Assess the integrity of critical system and data files
• Recognize known attack patterns in system activity
• Identify abnormal activity through statistical analysis
• Manage audit trails and highlight user violations of policy or of normal activity
• Correct system configuration errors
Intrusion Detection Systems
SE571 Security in Computing Dr. Ogara85
Types of IDS
Signature based
• Perform simple pattern matching and report situations that match a pattern corresponding to a known attack type
Heuristic/anomaly based
• Build a model of acceptable behavior and flag exceptions to that model
A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network, while a host-based IDS runs on a single workstation or client to protect that one host
Goals of IDS
Filter on packet headers
Filter on packet content
Maintain connection state
Use complex, multipacket signatures
Use the minimal number of signatures with maximum effect
Goals of IDS
Filter in real time, online
Hide its presence
Use an optimal sliding time window size to match signatures
Strengths of IDS
IDSs detect an ever-growing number of serious problems
Adding new signatures to the IDS model helps it improve over time
Easier and cheaper to manage
Limitations of IDS
Similar IDSs may have identical vulnerabilities (an attacker can test evasions against a copy of the product)
Difficult to measure and adjust its sensitivity (trading false positives against false negatives)
Must be monitored and its alarms responded to, otherwise it is useless
Secure Email
Email is important in e-commerce
Email is a medium of communication
Email Requirements
Message confidentiality (the message is not exposed en route to the receiver)
Message integrity (what the receiver sees is what was sent)
Sender authenticity (the receiver is confident who the sender was)
Nonrepudiation (the sender cannot deny having sent the message)
Threats to Email
Message interception (confidentiality)
Message interception (blocked delivery)
Message interception and subsequent replay
Message content modification
Message origin modification
Message content forgery by outsider
Message origin forgery by outsider
Message content forgery by recipient
Message origin forgery by recipient
Denial of message transmission
Design for Encrypted Email
Standard developed within the Internet Society (IETF)
Allows for security-enhanced messages
Works with both asymmetric and symmetric encryption: the message body is encrypted under a symmetric key, and that key is exchanged or wrapped with asymmetric cryptography
Standard supports multiple encryption algorithms
• DES, 3DES and AES for confidentiality (DES is no longer considered secure)
• RSA and Diffie-Hellman for key exchange
Overview encrypted email processing
SE571 Security in Computing Dr. Ogara95
Encrypted Email-Secured Message