Chapter 15: Network Security Principles of Computer Networks and Communications M. Barry Dumas and Morris Schwartz

Objectives
- Describe the goals of network security and the issues most relevant to business
- Differentiate methods of attacks on corporate networks, provide protection strategies, and discuss the elements of an effective security policy
- Illustrate how different types of firewalls function, and assess their effectiveness and impact on network performance
- Differentiate between different types of attacks that might come from the Internet, and provide pre- and post-infection security measures
- Discuss denial-of-service attacks, how they operate, and network defense strategies
- Explain techniques associated with social engineering, including differentiating among pretexting, spam, spoofing, and phishing
- Describe the role of proxy servers in network security and assess their utility
- Explain the options and functionality of encryption systems
- Describe security issues associated with virtual private networks and the role of network address translation
- Illuminate the added security complications inherent in wireless networks
- Provide criteria for assessing security compliance, including certification standards

Overview

Network security covers a wide range of concerns, including
- Physical intrusion and disruption
- Software-based mischief and assaults
- Unauthorized transmission capture
- Terrorist attacks!

Thwarting these challenges that can come from internal and external sources is the goal of network security.

Overview

Network security is
- Policy based
- Company specific

“Consider that security is not an all-or-nothing proposition. Dealing with it adequately is an ongoing task that is bound to be substantial in terms of time and cost.”

Overview

Why require security measures? Intrusion!
- Any unauthorized network activity
  - On corporate or wide area networks
  - With the intent to disrupt operations
  - To alter stored data or transmissions in any way

Goal: intrusion prevention
- Deter attacks on corporate networks
- Protect corporate transmissions from meaningful interception

Overview

What security measures are required?

First: conduct a risk assessment (aka risk analysis)
- Identify types of threats anticipated
- Determine likelihood of occurrence
- Estimate probable cost to the company from successful security breaches

A company should always undertake a risk assessment/risk analysis before security measures are modified, enacted, or contemplated.

Overview

Where/How should security measures be applied?

From the risk assessment/risk analysis, determine
- Personnel
  - To monitor the network
  - To contain threats
- Methods
  - Hardware
  - Software
- Budget
- Implementation

Security methods must be effective.
Risk assessments and policies must be revisited to stay relevant.

Security Perspectives

Not every disruption is a security breach
- Power outages due to acts of nature
- Damage from accidents
- Equipment failure

Even so . . .
- Risk assessments should consider these
- Action plans should respond to these

Security Perspectives

Five security issue perspectives (categorizing threats)
- Source
  - Internal (employee) or external (outside company)
- Type
  - Physical or electronic (e.g., illegal downloads)
- Intent
  - Mischievous (pranks) or malevolent (deliberate)
  - Random or focused
- Method
  - Breaking and entering, hacking, spoofing, denial of service
- Target
  - Corporate networks, wireless networks, Internet

Security Perspectives

Threat prevention strategies based on source

Attacks from internal sources: strategy
- Monitoring—recording employee activity (activity logs)
- Limiting access (authorization)
  - Physically restricting access from areas (locks, badges)
  - Electronically restricting access (passwords)

Attacks from external sources: strategy
- Devices
  - Firewall—principal corporate blockade method
  - Proxy servers—sit between user requests and corporate servers
- Software
  - Protocols to secure transmissions (encryption, tunneling)
  - Anti-virus (detection/removal), anti-spam, anti-spyware, pop-up blockers

Security Perspectives

Generally speaking, security measures take two basic routes
- Proactive
  - Cordoning off corporate networks to prevent attacks before they get into the network and take hold
  - Example: Firewalls!
- Reactive
  - Invoking procedures to remove threats that are inside the network before they cause damage
  - Example: Virus removal software!

Security Perspectives

Intrusion detection systems (IDS)
- Goal: detect security threats (internal and external)
- Focuses on network data or host activity
  - Network based—monitors packets by inspecting layer headers or applications data
  - Host based—monitors activity on host machine, looking for valid security certificates, signatures of known threats, suspicious sites

vs.

Intrusion prevention system (IPS)
- Goal: take action to prevent threats from affecting the network
- Isolates and quarantines suspect files
- Prevents access to particular sites
- Refuses to download/install certain files

An IDS can also be an IPS

External Attacks and Firewalls

Firewall
- Purpose
  - Prevent intranet access by unauthorized parties
  - Stop transmissions that could harm or compromise corporate data or resource functioning
- Concept
  - Screens traffic coming into one network from another
  - Combination of hardware and software
- Corporate devices
  - Dedicated computers (PCs or routers—usually without keyboards)
  - Connected to but not part of internal networks

External Attacks and Firewalls

Firewall types
- Packet filtering
  - Check layer 3 network headers of packets from external networks
  - Run on corporate border routers
- Circuit level
  - Check layer 4 transport headers
  - Monitor connection-oriented session creation attempts by TCP
- Application
  - Check layer 5 application packet data for program-specific software
  - Identify harmful tendencies in applications

All here are considered packet-filtering firewalls
All three in the same device = multilayer firewall

External Attacks and Firewalls

Firewall filtering modes
- Admit/deny decisions are determined by a variety of criteria (rules) loaded into the firewall router
- Rules can be based on
  - IP addresses or domain names
  - Port numbers
  - Protocols
  - Circuits or sessions
  - Applications
  - Other packet attributes, such as specific data patterns, words, or phrases
- Two filtering modes (filtering rules)
  - Deny all but explicit—Transmit only packets that meet specific rules
  - Pass all but explicit—Transmit any packets that don’t match denial rules
    - Risky! New threats won’t be on the denial list.

Rules must be kept up to date for filters to be effective.

External Attacks and Firewalls

Firewall connection states
- Stateful
  - Stores relevant aspects of each approved connection-oriented session in the router table
  - Packets are examined to see if they belong to the approved session (stateful inspection) instead of being compared with the entire rule set
  - More efficient than firewalls that do not use stateful operation
  - Can also be incorporated in network-layer packet filters
- Stateless
  - Do not maintain state tables
  - Must treat each packet independently without regard to prior experience (i.e., comparing every packet with every rule)
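
Added example (not from the original slides): a small Python packet filter that applies the two filtering modes and the stateful/stateless distinction described above to constructed packets. The rules, addresses, ports and class names are assumptions made for illustration, and session teardown is left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    syn: bool = False     # True on the packet that opens a TCP session


@dataclass(frozen=True)
class Rule:
    src_net: str          # source network in CIDR form
    proto: str
    dport: int

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.dport == self.dport
                and ip_address(p.src) in ip_network(self.src_net))


class Firewall:
    MODES = ("deny_all_but_explicit", "pass_all_but_explicit")

    def __init__(self, mode, rules, stateful=False):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode, self.rules, self.stateful = mode, list(rules), stateful
        self.sessions = set()   # state table: sessions the rules approved
        self.rule_checks = 0    # rule comparisons performed so far

    def _rules_admit(self, p):
        hit = False
        for rule in self.rules:
            self.rule_checks += 1
            if rule.matches(p):
                hit = True
                break
        # Deny-all mode: a matching rule admits. Pass-all mode: a match denies.
        return hit if self.mode == "deny_all_but_explicit" else not hit

    def admit(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if self.stateful and key in self.sessions:
            return True         # stateful inspection: part of an approved session
        ok = self._rules_admit(p)
        if ok and self.stateful and p.proto == "tcp" and p.syn:
            self.sessions.add(key)
        return ok


def demo():
    """Run constructed traffic through each configuration."""
    inside = "192.0.2.10"
    allow = [Rule("0.0.0.0/0", "tcp", 443), Rule("198.51.100.0/24", "tcp", 22)]
    deny = [Rule("0.0.0.0/0", "tcp", 23)]    # denial list only knows telnet
    web = Packet("203.0.113.9", 40000, inside, 443, "tcp", syn=True)
    unlisted = Packet("203.0.113.9", 40001, inside, 3389, "tcp", syn=True)

    strict = Firewall("deny_all_but_explicit", allow)
    loose = Firewall("pass_all_but_explicit", deny)
    out = {
        "strict_web": strict.admit(web),
        "strict_unlisted": strict.admit(unlisted),
        "loose_unlisted": loose.admit(unlisted),   # no denial rule matches it
    }

    # The same 100-packet SSH session through a stateless and a stateful filter.
    for name, fw in (("stateless", Firewall(Firewall.MODES[0], allow)),
                     ("stateful", Firewall(Firewall.MODES[0], allow, stateful=True))):
        for i in range(100):
            fw.admit(Packet("198.51.100.7", 50000, inside, 22, "tcp", syn=(i == 0)))
        out[name + "_rule_checks"] = fw.rule_checks
    return out


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The unlisted port is refused under "deny all but explicit" and admitted under "pass all but explicit", and the stateful filter consults its rule set only for the packet that opens the session.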

Security Attacks via the Internet

Malware
- What is it?
  - Software aimed at network or computer-related disruption
- Some examples
  - Viruses
  - Denial-of-service attacks
  - Web-site substitution

“In the end, the user is responsible for dealing with the variety of threats posed.”

Security Attacks via the Internet

Malware “highlights”
- Viruses
  - Self-replicating; cannot propagate on their own
- Worms
  - Self-replicating; can propagate on their own
- Trojan horses
  - Cannot run on their own; must be executed
- Spyware
  - Tracking software; records activity down to the keystrokes
- Adware
  - Tracking software; presents advertisements based on usage

Security Attacks via the Internet

Viruses
- Self-replicating; cannot propagate on their own
- Spread by infection, placing executable program code in a file
- Damage is done by the actions the viruses take
  - Displaying messages or pictures
  - Modifying or erasing files (including deleting all files)
  - Reformatting drives
  - Crashing the computer

When the file is executed, the code reproduces itself and infects other computers.

Hundreds of viruses exist and new ones are created every day!

Security Attacks via the Internet

Worms
- Self-replicating; can propagate on their own
- Do not need to attach themselves to other programs (as viruses must)
- Usually designed to travel along with transmissions so they rapidly spread
- Each machine they move to sends out worm transmissions
- Worms tend to aim more at network disruption than individual computer damage

E-mail is a common medium of worms

Security Attacks via the Internet

Trojan horses
- Cannot run on their own; must be executed
- Cannot propagate
- Hide within legitimate software
- Typically activated when a user unsuspectingly executes it believing it to be something else

More recently, viruses, and especially worms, have been designed to carry trojans

Security Attacks via the Internet

Spyware
- Tracking software; records activity down to the keystrokes
- Watches activity on the computer without your knowledge or consent
- Recorded activity can be transmitted over the Internet to other parties
- Might try to steal account information, passwords, and other sensitive information
- Resides in particular files
- Usually does not replicate

Adware
- Tracking software; presents advertisements based on usage
- Often considered a specific type of spyware
- Consent to load adware on a computer is sometimes embedded in “terms of use” that accompany software

Web pages are common carriers of spyware

Security Attacks via the Internet

Malware antidotes
- Firewalls
  - Can stop many malware attacks
- Properly configured e-mail servers
  - Good at catching spyware and adware
  - Can incorporate scanning software to trap viruses and worms in attachments
- Operating systems
  - Can block pop-ups
- ISP e-mail systems
  - Might scan outgoing mail and incoming attachments
- Anti-virus software
  - Can detect malware in inbound and outbound attachments
  - Can delete/quarantine files identified with malware

Blocking pop-ups might thwart adware but it will also block some legitimate traffic!

Whether firewall-, server-, or computer-based, anti-malware software must be kept up to date!

Security Attacks via the Internet

Denial-of-service (DoS) attacks
- Designed to shut down particular resources by overwhelming them, denying their services to legitimate users
- Not designed to destroy files or steal data
- Current variations depend on flooding resources with packets

Many older DoS versions relied on exploiting weaknesses in protocol implementations. These no longer affect newer devices and systems.

Security Attacks via the Internet

Denial-of-service (DoS) attack forms
- TCP-based SYN flood
  - Takes advantage of TCP’s handshaking procedure for setting up a session (SYN/ACK packets)
  - Requester sends a great many session requests, each with a bogus IP address
  - Server ends up trying to send SYN/ACK packets to the bogus address, leaving a number of half-open connections
- UDP-based flood
  - Counterfeit UDP packets are sent requesting delivery to an application
  - Server gets overwhelmed trying to reply with “destination unreachable” messages
- Broadcast attack (Smurf attack)
  - Engages many hosts to (unknowingly) bombard another host
  - Attacker spoofs the victim IP address and sends a broadcast ICMP echo request to the unknowing participants
  - Participants send responses to the victim IP address, overwhelming it

Security Attacks via the Internet

Denial-of-service (DoS) attack forms—older versions
- Teardrop attack
  - Sends packets whose offset values overlap
  - Host crashes trying to perform impossible packet reassembly
- Bonk attack
  - Sends packets whose offset values are too large
  - Host crashes trying to perform impossible packet reassembly
- Ping of death
  - Sends an ICMP echo request with packets larger than the IP packet maximum (65,535 bytes)
  - Host crashes when packet reassembly overflows a buffer
- Land attack
  - Sends a packet whose source and destination address are the same
  - Host gets confused and tries to set up a connection with itself
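
Added example (not from the original slides): the checks a receiving host or filter can run before reassembly so that the four malformed-packet conditions listed above are rejected instead of crashing the host. The Fragment type, the byte-based offsets, the 20-byte header and the sample fragments are assumptions constructed for illustration.

```python
from dataclasses import dataclass

IP_MAX_TOTAL = 65535   # IP packet maximum in bytes, as cited above
IP_HEADER = 20         # assumption: IPv4 header without options


@dataclass(frozen=True)
class Fragment:
    offset: int        # byte offset of this payload within the datagram
    data: bytes


def check_datagram(src, dst, fragments):
    """Return the reasons to drop the datagram; an empty list means none found."""
    reasons = []
    if src == dst:
        reasons.append("land: source and destination address are the same")
    prev_end = 0
    for f in sorted(fragments, key=lambda f: f.offset):
        if f.offset < 0 or not f.data:
            reasons.append(f"malformed: fragment at offset {f.offset}")
            continue
        end = f.offset + len(f.data)
        # Covers both an offset that is too large and an oversized echo request.
        if IP_HEADER + end > IP_MAX_TOTAL:
            reasons.append(f"oversize: fragment ends at byte {end}")
        # Teardrop condition: this fragment starts inside an earlier one.
        if f.offset < prev_end:
            reasons.append(
                f"overlap: fragment at {f.offset} starts before byte {prev_end}")
        prev_end = max(prev_end, end)
    return reasons


def safe_reassemble(src, dst, fragments):
    """Validate first, copy second, so no copy can run past the buffer."""
    reasons = check_datagram(src, dst, fragments)
    if reasons:
        raise ValueError("; ".join(reasons))
    out = bytearray()
    for f in sorted(fragments, key=lambda f: f.offset):
        if f.offset != len(out):
            raise ValueError(f"incomplete: bytes {len(out)}..{f.offset - 1} missing")
        out += f.data
    return bytes(out)


# Constructed sample fragment sets (not captured traffic).
GOOD = [Fragment(8, b"B" * 8), Fragment(0, b"A" * 8)]
OVERLAPPING = [Fragment(0, b"A" * 36), Fragment(24, b"B" * 4)]
TOO_LARGE = [Fragment(0, b"A" * 8), Fragment(65528, b"B" * 100)]

if __name__ == "__main__":
    print(safe_reassemble("203.0.113.9", "192.0.2.10", GOOD))
    for name, frags in (("overlapping", OVERLAPPING), ("too large", TOO_LARGE)):
        print(name, check_datagram("203.0.113.9", "192.0.2.10", frags))
    print("land", check_datagram("192.0.2.10", "192.0.2.10", GOOD))
```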

Security Attacks via the Internet

Distributed Denial-of-service (DDoS) attack
- Actual attack is one of the DoS attacks
- Many hosts are unknowingly enlisted in the process
- Attack effectively comes from many computers
- Commonly activated by sending trojans to many computers
- When activated, the trojan installs code that allows the computer to be controlled by a remote host (the attacker)

Because they are unaware of what they’re doing, the unsuspecting hosts participating in the attack are called zombies.

Security Attacks via the Internet

Dealing with DoS and DDoS attacks
- Before the attack
  - (for SYN floods) Configure border routers and other nodes to
    - Limit the number of half-open sessions
    - Keep time-outs short
  - (for UDP floods) Close unused UDP ports at the firewall and at hosts
  - (for broadcast attacks) Configure devices not to respond
  - (for older versions) Update systems and software to remove vulnerability
- During the attack
  - Try to block it before system shutdown
- After the attack
  - Very difficult to deal with
  - Often an attack is not recognized until damage has occurred and the attacked services have shut down
  - Restore the system

If you can’t find a way to block the flood, the shutdown will be repeated!
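
Added example (not from the original slides): a simulation of a server's half-open session table, showing why the SYN-flood advice above pairs a cap on half-open sessions with short time-outs. The table class, the traffic rates and the 75 s and 5 s time-outs are constructed assumptions; no packets are sent.

```python
class HalfOpenTable:
    """Half-open sessions (SYN received, no ACK yet) with a cap and a time-out."""

    def __init__(self, limit, timeout_ms):
        self.limit, self.timeout_ms = limit, timeout_ms
        self.pending = {}            # (src, sport) -> time the SYN arrived, in ms

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t < self.timeout_ms}

    def on_syn(self, now, src, sport):
        self._expire(now)
        if len(self.pending) >= self.limit:
            return False             # table full: this SYN is dropped
        self.pending[(src, sport)] = now
        return True

    def on_ack(self, now, src, sport):
        self._expire(now)
        # The handshake completes only if the matching SYN is still pending.
        return self.pending.pop((src, sport), None) is not None


def simulate(limit, timeout_ms, duration_ms=60_000,
             flood_every_ms=100, client_every_ms=1_000):
    """One real client per second competes with bogus SYNs that never ACK."""
    table = HalfOpenTable(limit, timeout_ms)
    attempts = completed = peak = 0
    for now in range(0, duration_ms, flood_every_ms):
        if now % client_every_ms == 0:
            attempts += 1
            sport = 1024 + attempts
            if table.on_syn(now, "198.51.100.7", sport):
                # The real client answers the SYN/ACK, so its slot is freed.
                completed += table.on_ack(now, "198.51.100.7", sport)
        # Bogus source: the SYN/ACK goes nowhere and the entry stays half-open.
        table.on_syn(now, f"bogus-{now}", 4444)
        peak = max(peak, len(table.pending))
    return {"attempts": attempts, "completed": completed, "peak_half_open": peak}


if __name__ == "__main__":
    print("long time-out :", simulate(limit=128, timeout_ms=75_000))
    print("short time-out:", simulate(limit=128, timeout_ms=5_000))
```

With the long time-out the table fills after about 13 seconds and every later client is refused; with the short time-out the bogus entries age out faster than they arrive and all 60 clients connect. The cap keeps the table's memory bounded in both runs.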

Security Attacks via the Internet

Social engineering
- Tricking people or systems into providing confidential information
  - Social security number
  - Bank account number
  - Passwords
  - Birthday

“Much security breach activity focuses on obtaining confidential, personal, private, or other sensitive information.”

Security Attacks via the Internet

Social engineering schemes
- Pretexting
  - Claiming to be someone you’re not (under the “pretext” of being another)
  - Pretending to be an agency representative (bank, police, social agency) and then obtaining confidential information during the conversation
- Spam
  - Bulk e-mail
  - May be solicited (opt in) or unsolicited
- Spoofing
  - Falsifying source addresses to lure one into revealing information
- Phishing
  - Trolling for confidential information by randomly sending out spoofed spam

Opt out is deliberately indicating you do not want to receive e-mail.

Security Attacks via the Internet

Dealing with social engineering schemes
- Never open an e-mail message whose source subject looks suspicious
  - Misspelled subject lines
  - Subjects with symbols
  - Missing subject
- Never reply to a suspicious source
- Never open an attachment from a suspicious source
- Confirm suspicious e-mails from someone you know by asking the sender for verification
- Keep your scanning software up to date
- Never provide confidential information in reply to an unsolicited e-mail

The best way to avoid being duped is to be on guard!

Security Attacks via the Internet

Hacker packet sniffing
- When hackers use a packet sniffer to break into networks and their attached systems
- Hackers can obtain sensitive data and disrupt systems

Dealing with hacker packet sniffing
- For intranets
  - Secure wiring closets and unused network connections
- For Internets
  - Use encryption to render intercepted data meaningless

A packet sniffer is a device for eavesdropping on network traffic that includes software for discovering protocols being used.

Proxies

Proxy server—basic operation
- What it is
  - The proxy server acts as an intermediary, sitting between the client and the requested server
- How it works
  - A client requesting a file that resides on a particular server actually gets connected to the proxy server
  - The proxy server requests the file from the real server and supplies it to the client
  - The client is never actually directly connected with the requested server

Proxy servers typically act for web servers

Proxies

Proxy server—guardian of corporate networks
- Security
  - Keeps a direct doorway to the corporate network closed
- Performance
  - Sizeable cache enables the proxy server to satisfy repeat web page (file) requests without involving the web server
- Filtering
  - Proxy servers can filter sensitive or offensive material from web pages or block the pages altogether
- Formatting
  - Proxy servers can reformat pages to fit particular devices (e.g., small screens of PDAs or cell phones)

Common Gateway Interface (CGI) enables direct client/server transactions, enabling particular users to directly access a site that is otherwise blocked.

Encryption

- Plaintext
  - The original unencrypted document
- Ciphertext
  - The encrypted document

“The idea behind encryption is a simple one— obfuscate the data so that it will not be intelligible to anyone but the intended recipient.”

Cipher derives from various languages, all of which leave it meaning zero, empty, nothing

Encryption

Encryption
- Is done by algorithm
- Algorithms are manipulations based on rules to disguise the plaintext
- Examples
  - A substitution code where one symbol is substituted for by another (e.g., replacing every alphabet letter with the one following)
  - Use of a key that, when applied, converts plaintext to ciphertext; the same key (or another key) is required to convert the ciphertext back into plaintext

Encryption

Key ciphers
- Most relevant to computer systems
- Mathematical algorithms use keys to encrypt plaintext and decrypt ciphertext
- Two versions of key ciphers
  1. Asymmetric keys: both a public and a private key are in play
  2. Symmetric keys: sender and receiver use same key

Encryption

1. Asymmetric keys
- Both a public and a private key are in play
- Both must be used to complete the transmission
- Example
  - A wants to send a ciphertext to B
  - B publishes a public key that A uses to encrypt the plaintext
  - After it is encrypted, it can be decrypted only with B’s private key (which only B has)

Even if A’s signal is intercepted, it cannot be understood without the private key.

Encryption

1. Asymmetric keys—similar process
- Digital signature—provides
  - Authentication
    - Message is actually from the party it appears to be from
  - Non-repudiation
    - Prevents the sender from claiming it did not send the message
- Digital signature—process
  - For A to send a digital signature to B, A publishes a public key and uses A’s own private key to encrypt the message
  - B then uses A’s public key to decrypt the message and verify that it must have been sent from A
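
Added example (not from the original slides): the two asymmetric-key processes above, encryption for B and a digital signature from A, carried out with textbook RSA on toy-sized primes. The primes, the message and the function names are assumptions chosen so the arithmetic is easy to follow; keys this small and unpadded per-byte RSA offer no real protection, and real systems sign a digest of the message using a vetted library.

```python
def make_keypair(p, q, e=17):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # private exponent (needs Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, values):
    """Raise every value to the key's exponent modulo n."""
    exponent, n = key
    return [pow(v, exponent, n) for v in values]


def encrypt_for(recipient_public, plaintext: bytes):
    # A encrypts with the key B published.
    return apply_key(recipient_public, plaintext)


def decrypt_with(own_private, ciphertext):
    # Only the holder of the matching private key recovers the bytes.
    return bytes(apply_key(own_private, ciphertext))


def sign(own_private, message: bytes):
    # The sender "encrypts" the message with its own private key.
    return apply_key(own_private, message)


def verify(sender_public, message: bytes, signature):
    # Anyone can undo the signature with the sender's public key and compare.
    return apply_key(sender_public, signature) == list(message)


# Toy key pairs (constructed): A signs, B receives confidential data.
A_PUBLIC, A_PRIVATE = make_keypair(89, 97)
B_PUBLIC, B_PRIVATE = make_keypair(61, 53)


def demo():
    message = b"wire $500"
    ciphertext = encrypt_for(B_PUBLIC, message)
    signature = sign(A_PRIVATE, message)
    forged = sign(B_PRIVATE, message)    # signed with a key that is not A's
    return {
        "ciphertext_differs": ciphertext != list(message),
        "b_recovers": decrypt_with(B_PRIVATE, ciphertext),
        "signature_ok": verify(A_PUBLIC, message, signature),
        "tampered_ok": verify(A_PUBLIC, b"wire $900", signature),
        "forged_ok": verify(A_PUBLIC, message, forged),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Verification fails both when the message is altered after signing and when the signature was produced with a private key other than A's, which is what gives the recipient authentication and non-repudiation.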

Encryption

2. Symmetric keys
- Sender and receiver use same key (sender to encrypt; receiver to decrypt)
- Because there is only one key, it must be kept private from everyone except the authorized sender and receiver
- Major weakness
  - Getting the key to the receiver (risk of interception)

Symmetric keys work best for internal use within company networks, or via a third-party key manager

Encryption

Key management via third parties
- Digital certificate
  - Most reliable method for online key exchange
  - Copy of a key that is digitally signed by a trusted third party, the certificate authority (CA)
  - Verifies that the key is authentic
    - The key it contains is genuine
    - The key comes from the named source

“Key-based systems, whether asymmetric or symmetric, face the problem of reliable key exchange.”

Encryption

Digital certificates—What’s in it?

1. Serial number

2. Name and key of its owner (sender)

3. Certificate’s valid dates (from/to expiration)

4. Name and digital signature of the CA

5. Algorithm used to create the CA’s signature

CA is certificate authority

Encryption

Digital certificates—in practice

1. A sender applies to a CA for a certificate
2. CA transmits its public key to the applicant
3. Sender uses CA’s public key to encrypt its own key and sends it to the CA
4. CA issues a certificate for the owner
5. Sender transmits the encrypted message, with the certificate attached, to the recipient
6. Recipient uses CA’s public key to decrypt the certificate, uncovering the sender’s key and using it to decrypt the message. Recipient can use that same key or its own certificate to send a reply.

Virtual Private Networks

Virtual private network (VPN)
- Way to transmit secure data over a network that may not be secure
- Created by tunneling
  - This technique is used to send one network’s packets through another network using secure protocols, without those packets having to conform to the other network’s protocols
- How tunneling works
  - One network’s packets are encapsulated within the protocols of another network
  - Encapsulating protocols are removed on exit

Virtual Private Networks

Virtual private network (VPN)—protocol sets
- Internet protocol security (IPsec)
- Point-to-point tunneling protocol (PPTP)
- Layer 2 tunneling protocol (L2TP)
- Multiprotocol label switching (MPLS)

Most frequently used

Virtual Private Networks

Virtual private network (VPN)
- Internet protocol security (IPsec)
  - Developed by IETF
  - Group of open standards used to create VPNs
  - Operates at the network layer
  - Two IPsec modes
    - Transport
      - Layer 3 payload is encrypted; IP header is not
      - Used for protected end-to-end between two hosts
    - Tunnel
      - Both Layer 3 payload and header are encrypted
      - Used for protected transmission between two nodes, one of which is not a host

End points are a weakness: hackers might read traffic before encryption occurs or after emerging from tunnel

Network Address Translation

Network address translation (NAT)

Originally designed as a short-term solution for the dwindling availability of IPv4 addresses

NAT maps a single public IP address to many internal (private) IP addresses

With proper protocols installed in the NAT router, internal hosts gain a measure of security from malicious external sources

Unless specific protocol support is included, NAT routers will obstruct TCP connection attempts and UDP traffic initiated from outside the organization

With a NAT-enabled border router, there is no direct route between an external source and an internal host

Wireless Security

Wireless network—security goals
- Same as wired networks: protecting against
  - Disruption of service
  - Interception of private or sensitive data
  - Corruption of private or sensitive data
  - Mischief
- With one addition
  - Tempting target as backdoor into the wired network

Wireless Security

Wireless network—security measures
- (1999) Wired equivalent privacy (WEP)
  - Encryption between stations or between a station and an access point
  - 64-bit encryption using RC4 stream cipher
  - All WLAN members share the same static 40-bit key, which is concatenated with a 24-bit initialization vector (IV)
  - Not very secure!
- (2002) WiFi protected access (WPA)
  - Incorporated WEP features
  - 172-bit encryption (key size: 128 bits, IV size: 48 bits) using RC4
  - Improved security with the temporal key integrity protocol (TKIP) that dynamically changes the key before encryption
  - Good for home/home office
- (2004) 802.11i (certified as WPA2)
  - Official replacement for WEP
  - 172-bit encryption (key size: 128 bits, IV size: 48 bits)
  - Replaced RC4 stream cipher with advanced encryption standard (AES) block cipher
  - Good for corporate

Compliance and Certification Standards for Computer Security

(2004) Common criteria (CC)
- International effort that combined three pre-existing standards
  - Trusted Computer System Evaluation Criteria (TCSEC)
    - U.S. standard (aka “Orange Book”) (1985, U.S. National Computer Center)
  - Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
    - Canadian government (1989)
  - Information Technology Security Evaluation Criteria (ITSEC)
    - European standard (1990)
- Provides guidelines for establishing security claims and comparing products
  - Protection profile (PP)—focuses on security product users
  - Security target (ST)—focuses on product/system functions and a target of evaluation (TOE) to determine hardware/software compliance
- Provides assistance for creating security specifications (PPs and STs)
  - Security functional requirements (SFRs)—list of security functions for documenters
  - Security assurance requirements (SARs)—steps for achieving compliance
  - Evaluation assurance levels (EALs)—testing has been performed

Compliance and Certification Standards for Computer Security

[2001] FIPS
- Security Requirements for Cryptographic Modules
- National Institute of Standards and Technology (NIST) (2001)
- Intended to assess product ability to protect government IT systems
- Products that pass are given validation certificates for the level certified

Cyberlaw

Cyberlaw observations
- Technology changes faster than do laws and regulations
- Legislation designed to deal with older communication techniques (e.g., print and telephone) does not apply well to high-speed networks, associated databases, and the Internet

Net neutrality—opposing views
- Status quo
  - Users should be in control of what they view as well as what applications they use on the Internet
- vs.
- Current Internet should be replaced
  - With tiered fees and access based on bandwidth requirements

“Cyberlaw refers to legislation and regulation as applied to computer-assisted communication.”