Page 1: CHAPTER 6

CHAPTER 6

Security in Networks


Page 2: CHAPTER 6

Objectives

• Differentiate the security needs of a networked environment from those of a single, stand-alone application and environment.
• Identify threats against network applications, including denial of service, web site defacement, malicious code and protocol attacks.
• Explain the various controls against network attacks, such as physical security, policies and procedures, and a range of technical controls.
• Explain the design, capabilities and limitations of firewalls.
• Define and describe intrusion detection systems and secure e-mail.

(c) by Syed Ardi Syed Yahya Kamal, UTM 2004

Page 3: CHAPTER 6

The Network Concepts

When studying this chapter, the student should know:
• The types of networks (LAN, MAN, etc.)
• The size and shape
• Media (cable, wireless, optical cable, etc.)
• Protocols (OSI layers, TCP/IP, etc.)
• Topologies (star, ring, etc.)
• Advantages of computing networks (resource sharing, distributing the workload, etc.)

Page 4: CHAPTER 6

Threats in Networks

What makes a network vulnerable?

Cause: Explanation
• Anonymity: An attacker can mount an attack from thousands of miles away and stay safe behind an electronic shield.
• Many points of attack (both targets and origins): A file stored on a network host can be accessed remotely by any user. An administrator can enforce many policies on a host, but once a file is being transferred through the network those policies mean nothing.
• Sharing: Because networks enable resource and workload sharing, more users have the potential to access networked systems.
• Complexity of system: An operating system is a complicated piece of software, and it is not designed specifically for security.
• Unknown perimeter: A network has no fixed boundary. Resources on one network are accessible from other networks as well.
• Unknown path: Many paths can be used to reach another host or computer.

Page 5: CHAPTER 6

Threats in Networks (cont)

We cannot list who attacks networks, but we do know the motives for attacking.

Motive: Explanation
• Challenge: For someone skilled in writing or using programs, the single most significant motivation for a network attack is the intellectual challenge: "Can I defeat the network?"
• Fame: Other attackers seek recognition for their activities and enjoy the personal thrill of seeing their attacks written up in the news media.
• Money and espionage: Seeking information on a company's products, clients, etc. for financial reward.
• Ideology: Hacktivism consists of operations that use hacking techniques against a target's network with the intent of disrupting normal operations but not causing serious damage. Cyberterrorism is a politically motivated hacking operation intended to cause grave harm, such as loss of life or severe economic damage.

Page 6: CHAPTER 6

Threats in Networks (cont)

Threat precursor: Port scan
A program that gives information about three things: which standard ports or services are running and responding, what operating system is installed, and which applications and versions of applications are present.
Examples: nmap scanner, netcat, Nessus, CyberCop Scanner

Social engineering
Involves using social skills and personal interaction to get someone to reveal security-relevant information and perhaps even do something that permits an attack.
"Hello, this is John Davis from IT support. We need to test some connections on the internal network. Could you please run the command ipconfig /all on your workstation and read to me the addresses it displays?"
The request sounds innocuous. But unless you know John Davis and his job responsibilities well, the caller could be an attacker gathering information on the inside architecture.

Page 7: CHAPTER 6

Threats in Networks (cont)

Threat precursor (cont): Reconnaissance
Gathering discrete bits of information from various sources and then putting them together like the pieces of a puzzle.
• Eavesdropping: follow employees to lunch and listen in from nearby tables as coworkers discuss security matters.
• Bulletin boards and chats: numerous underground bulletin boards and chat rooms support the exchange of information. Attackers can post their latest exploits and techniques and read what others have done.

Page 8: CHAPTER 6

Threats in Networks (cont)

Threat precursor (cont): Availability of documentation
Vendors themselves sometimes distribute information that is useful to an attacker. Microsoft produces a resource kit by which application vendors can investigate a Microsoft product in order to develop compatible, complementary applications.

Operating system and application fingerprinting
Fingerprinting can reveal the manufacturer and version. An attacker might use a Telnet application to send meaningless messages to another application. Ports such as 80 (HTTP), 25 (SMTP), 110 (POP) and 21 (FTP) may respond with something like "Microsoft ESMTP MAIL Service, Version: 5.0.2195.3779". This reply tells the attacker which application and version are running.

Page 9: CHAPTER 6

Threats in Networks (cont)

Threats in transit:
• Eavesdrop: implies overhearing without expending any extra effort; the attacker monitors all traffic passing through a node.
• Wiretap: intercepting communications through some effort. Passive wiretapping is just "listening", much like eavesdropping. Active wiretapping means injecting something into the communication: someone could replace your communications with his own, or create communications purporting to be from you. Wiretapping works differently depending on the communication medium used.

Page 10: CHAPTER 6

Threats in Networks (cont)

Impersonation: impersonating another person or process. In an impersonation, an attacker has several choices:
• Guess the identity and authentication details of the target.
• Pick up the identity and authentication details through eavesdropping or wiretapping.
• Use a target that will not be authenticated.
• Use a target whose authentication data are known.

Page 11: CHAPTER 6

Spoofing: guessing or otherwise obtaining the network authentication credentials of an entity. Examples of spoofing are masquerading, session hijacking and man-in-the-middle attacks.

Page 12: CHAPTER 6

Masquerade: one host pretends to be another. A variation of this attack is called phishing: send an e-mail message, perhaps with the real logo of Blue Bank, and an enticement to click on a link, supposedly to take the victim to the Blue Bank web site.

The enticement might be that the victim's account has been suspended (and the account number and PIN are needed to reactivate it), or some other legitimate-sounding explanation.

The link might be to the attacker's own domain Blue-Bank.com; the link might say "click here to access your account" (where the "click here" link connects to the fraudulent site); or some other trick with the URL might be used to fool the victim, like www.redirect.com/bluebank.com.

Page 13: CHAPTER 6

Session hijacking: intercepting and carrying on a session begun by another entity. Suppose two entities have entered into a session, but then a third entity intercepts the traffic and carries on the session in the name of one of the others. The attacker steals a valid session ID, which is then used to get into the system and snoop the data.

Tools: Juggernaut, Hunt, IP Watcher

Page 14: CHAPTER 6

Man-in-the-middle attack: one entity intrudes between two others. The difference between man-in-the-middle and hijacking is that a man-in-the-middle usually participates from the start of the session, whereas a session hijacking occurs after a session has been established.

Tools: PacketCreator, Ettercap, Dsniff, Cain & Abel

Page 15: CHAPTER 6

Message Confidentiality Threats

An attacker can easily violate message confidentiality (and perhaps integrity) because of the public nature of networks. Eavesdropping and impersonation attacks can lead to a confidentiality or integrity failure. Several other vulnerabilities can affect confidentiality: misdelivery, exposure and traffic flow analysis.

Page 16: CHAPTER 6

Message Integrity Threats

The integrity or correctness of a communication is at least as important as its confidentiality. Threats based on failures of integrity in communication:
• Falsification of messages: an attacker can take advantage of our trust in messages to mislead us, change some or all of the content of a message, or replace a message entirely, including the date, time, and sender/receiver identification.
• Noise: signals sent over communications media are subject to interference from other traffic on the same media, as well as from natural sources. Fortunately, communications protocols have been intentionally designed to overcome the negative effects of noise.

Page 17: CHAPTER 6

Web Site Vulnerabilities

A web site is especially vulnerable because it is almost completely exposed to the user. One of the most widely known attacks is the web site defacement attack. Web site vulnerabilities include: web site defacement, buffer overflows, dot-dot-slash, application code errors and server-side includes.

Page 18: CHAPTER 6

Denial of Service

There are many accidental and malicious threats to availability or continued service:
• Transmission failure
• Connection flooding: echo-chargen, ping of death, smurf, SYN flood
• Traffic redirection
• DNS attacks
• Distributed denial of service

Page 19: CHAPTER 6

Smurf


Figure 7-16. Smurf Attack.

Page 20: CHAPTER 6

Distributed Denial of Service


Page 21: CHAPTER 6

Threats in Active or Mobile Code

Active code or mobile code is a general name for code that is pushed to the client for execution. Related potential vulnerabilities: cookies, scripts, and active code (Java code, ActiveX controls).

Page 22: CHAPTER 6

Network Security Controls

Design and Implementation: Architecture

Segmentation: segmentation reduces the number of threats, and it limits the amount of damage a single vulnerability can allow. For example, the functions of a system can be separated into:
• a web server, to handle users' HTTP sessions
• application code, to present your goods and services for purchase
• a database of goods, and perhaps an accompanying inventory of the count of stock on hand and being requested from suppliers
• a database of orders taken

Figure 7-19. Segmented Architecture.

Page 23: CHAPTER 6

Redundancy: allowing a function to be performed on more than one node. In failover mode the servers communicate with each other periodically, each determining whether the other is still active.

Single points of failure: the architecture should at least make sure that the system tolerates failure in an acceptable way.

Page 24: CHAPTER 6

Encryption

Encryption is powerful for providing privacy, authenticity, integrity and limited access to data. Encryption in network applications is applied either between two hosts (link encryption) or between two applications (end-to-end encryption).

Page 25: CHAPTER 6

Link encryption: data are encrypted just before the system places them on the physical communications link.
• Encryption occurs at layer 1 or 2 in the OSI model; decryption occurs just as the communication arrives at and enters the receiving computer.
• Encryption protects the message in transit between two computers, but the message is in plaintext inside the hosts; the exposure occurs on the sender's or receiver's host or workstation, which is protected by alarms or locked doors.
• Link encryption is especially appropriate when the transmission line is the point of greatest vulnerability. If all hosts on a network are reasonably secure but the communications medium is shared with other users or is not secure, link encryption is an easy control to use.

Page 26: CHAPTER 6

Link Encryption

Figure 7-20. Link Encryption.

Figure 7-21. Message Under Link Encryption.

Page 27: CHAPTER 6

End-to-End Encryption

• End-to-end encryption provides security from one end of a transmission to the other.
• Encryption can be applied by a hardware device between the user and the host, or the encryption can be done by software running on the host computer.
• Encryption is performed at the highest levels (layer 7, application, or perhaps layer 6, presentation) of the OSI model.

Page 28: CHAPTER 6

End-to-End Encryption


Page 29: CHAPTER 6

Comparison of Link and End-to-End Encryption.

| | Link Encryption | End-to-End Encryption |
|---|---|---|
| Security within hosts | Data exposed in sending host | Data encrypted in sending host |
| | Data exposed in intermediate nodes | Data encrypted in intermediate nodes |
| Role of user | Applied by sending host | Applied by sending process |
| | Invisible to user | User applies encryption |
| | Host maintains encryption | User must find algorithm |
| | One facility for all users | User selects encryption |
| | Typically done in hardware | Either software or hardware implementation |
| | All or no data encrypted | User chooses to encrypt or not, for each data item |
| Implementation concerns | Requires one key per host pair | Requires one key per user pair |
| | Provides node authentication | Provides user authentication |

Page 30: CHAPTER 6

Virtual Private Networks

Link encryption can be used to give a network's users the sense that they are on a private network, even when it is part of a public network; the communication passes through an encrypted tunnel.

Page 31: CHAPTER 6

PKI and Certificates

A public key infrastructure, or PKI, is a process created to enable users to implement public key cryptography, usually in a large (and frequently distributed) setting.

PKI offers each user a set of services related to identification and access control, as follows:
• Create certificates associating a user's identity with a (public) cryptographic key
• Give out certificates from its database
• Sign certificates, adding its credibility to the authenticity of the certificate
• Confirm (or deny) that a certificate is valid
• Invalidate certificates for users who are no longer allowed access or whose private key has been exposed

Page 32: CHAPTER 6

PKI sets up entities, called certificate authorities, that implement the PKI policy on certificates.

The specific actions of a certificate authority include the following:
• managing public key certificates for their whole life cycle
• issuing certificates by binding a user's or system's identity to a public key with a digital signature
• scheduling expiration dates for certificates
• ensuring that certificates are revoked when necessary by publishing certificate revocation lists
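The certificate-authority actions listed on the two PKI slides (issue by binding an identity to a key, schedule expiry, revoke via a CRL, confirm or deny validity) as a small runnable model. This is an added example, not the deck's own code; the CA's digital signature is stood in for by an HMAC under a CA-only key, whereas a real PKI uses a public-key signature so that anyone holding the CA's public key can verify it.

```python
"""Model of a certificate authority's life-cycle actions (added example).
The HMAC 'signature' is a constructed stand-in for a real RSA/ECDSA signature."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class Certificate:
    serial: int
    subject: str          # identity being bound to the key
    public_key: str       # constructed placeholder for the subject's public key
    issuer: str           # name of the CA that signed it
    not_after: int        # expiry, as a day number
    signature: str = ""   # CA signature over the fields above

    def tbs(self) -> bytes:
        """'To be signed' bytes: every field except the signature itself."""
        return json.dumps([self.serial, self.subject, self.public_key,
                           self.issuer, self.not_after]).encode()


class CertificateAuthority:
    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self._key = signing_key            # never leaves the CA
        self._next_serial = 1
        self.issued: dict[int, Certificate] = {}
        self.crl: set[int] = set()         # published certificate revocation list

    def _sign(self, data: bytes) -> str:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def issue(self, subject: str, public_key: str, not_after: int) -> Certificate:
        """Bind an identity to a public key with the CA's signature."""
        cert = Certificate(self._next_serial, subject, public_key,
                           self.name, not_after)
        cert.signature = self._sign(cert.tbs())
        self.issued[cert.serial] = cert
        self._next_serial += 1
        return cert

    def revoke(self, serial: int) -> None:
        """Invalidate a certificate (e.g. the private key was exposed)."""
        self.crl.add(serial)

    def validate(self, cert: Certificate, today: int) -> str:
        """Confirm or deny validity; returns 'valid' or the reason for denial.
        Order matters: a forged or altered certificate fails before any other check."""
        if cert.issuer != self.name:
            return "unknown issuer"
        if not hmac.compare_digest(self._sign(cert.tbs()), cert.signature):
            return "bad signature"       # fields changed after signing, or forged
        if today > cert.not_after:
            return "expired"
        if cert.serial in self.crl:
            return "revoked"
        return "valid"
```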

Page 33: CHAPTER 6

SSH Encryption

SSH (secure shell) is a pair of protocols (versions 1 and 2), originally defined for Unix but also available under Windows 2000, that provides an authenticated and encrypted path to the shell or operating system command interpreter.

The SSH protocol involves negotiation between the local and remote sites for the encryption algorithm (for example, DES, IDEA, AES) and authentication (including public key and Kerberos).

Page 34: CHAPTER 6

SSL Encryption

The SSL (Secure Sockets Layer) protocol was originally designed by Netscape to protect communication between a web browser and server.

SSL interfaces between applications (such as browsers) and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server.

To use SSL, the client requests an SSL session. The server responds with its public key certificate so that the client can determine the authenticity of the server.

Page 35: CHAPTER 6

IPSec

IPSec is implemented at the IP layer. IPSec is somewhat similar to SSL, in that it supports authentication and confidentiality without requiring significant change above it (in applications) or below it (in the TCP protocols).

It was designed to be independent of specific cryptographic protocols and to allow the two communicating parties to agree on a mutually supported set of protocols.

Page 36: CHAPTER 6


Figure 7-27. Packets: (a) Conventional Packet; (b) IPSec Packet.

Page 37: CHAPTER 6

Signed code: a trustworthy third party appends a digital signature to a piece of code, supposedly connoting more trustworthy code. A signature structure in a PKI helps to validate the signature.

Encrypted e-mail: to protect the privacy of the message and its routing information, we can use encryption to protect the confidentiality of the message and perhaps its integrity.

Page 38: CHAPTER 6

Strong Authentication

• One-time password
• Challenge-response systems
• Digital distributed authentication
• Kerberos

Page 39: CHAPTER 6

Access Controls

Authentication deals with the who of security policy enforcement; access controls enforce the what and how:
• ACLs on routers
• Firewalls
• Honeypots


Page 41: CHAPTER 6

Summary of Network Vulnerabilities

| Target | Vulnerability |
|---|---|
| Precursors to attack | Port scan; social engineering; reconnaissance; OS and application fingerprinting |
| Authentication failures | Impersonation; guessing; eavesdropping; spoofing; session hijacking; man-in-the-middle attack |
| Programming flaws | Buffer overflow; addressing errors; parameter modification, time-of-check to time-of-use errors; server-side include; cookie; malicious active code: Java, ActiveX; malicious code: virus, worm, Trojan horse; malicious typed code |

Page 42: CHAPTER 6

Summary of Network Vulnerabilities (cont)

| Target | Vulnerability |
|---|---|
| Confidentiality | Protocol flaw; eavesdropping; passive wiretap; misdelivery; exposure within the network; traffic flow analysis; cookie |
| Integrity | Protocol flaw; active wiretap; impersonation; falsification of message; noise; web site defacement; DNS attack |
| Availability | Protocol flaw; transmission or component failure; connection flooding, e.g. echo-chargen, ping of death, smurf, SYN flood; DNS attack; traffic redirection; distributed denial of service |

Page 43: CHAPTER 6

Firewalls

A firewall is a device that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network.

The purpose of a firewall is to keep "bad" things outside a protected environment. To accomplish that, firewalls implement a security policy.

Page 44: CHAPTER 6

Firewalls (cont)

The design of a firewall should maintain the following qualities:
• Always invoked.
• Tamperproof.
• Small and simple enough for rigorous analysis.

Page 45: CHAPTER 6

Firewalls (cont)

Types of firewalls depend on their capabilities. The types are:
• Packet filtering gateways or screening routers. Most effective. Control packets from source to destination.
• Stateful inspection firewalls. Maintain state information from one packet to another in the input stream.
• Application proxies. Simulate the (proper) effects of an application so that the application will receive only requests to act properly.

Page 46: CHAPTER 6

Firewalls (cont)

Types of firewalls (cont):
• Guards. A sophisticated firewall. Decides what services to perform on the user's behalf in accordance with its available knowledge.
• Personal firewall. An application program that runs on a workstation to block unwanted traffic, usually from the network.
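To make the distinction between a screening router and a stateful inspection firewall concrete, here is an added example (not the deck's own code) that puts a stateless packet filter beside a stateful one and runs constructed packets through both. The rules, addresses and ports are constructed; the point is the inbound packet that a stateless filter must let through because it cannot tell a reply from an unsolicited probe.

```python
"""Stateless packet filter vs stateful inspection firewall (added example).
All addresses, rules and packets below are constructed for illustration."""
from dataclasses import dataclass

INSIDE = "10.0.0."   # constructed prefix of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    syn: bool        # connection-opening flag
    ack: bool


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE)


# What a screening router can express: (direction, destination port) -> allow.
RULES = {
    ("out", 80), ("out", 443),   # inside hosts may browse the web
    ("in", 25),                  # outside may deliver mail to our MTA
}


def stateless_filter(p: Packet) -> bool:
    """Judges each packet on its own header, with no memory of earlier ones."""
    direction = "out" if is_inside(p.src) else "in"
    if (direction, p.dport) in RULES:
        return True
    # Replies to outbound web traffic arrive from port 80 to an ephemeral port,
    # so the router has to allow every inbound packet to high ports, whether or
    # not an inside host ever started that connection. This is the hole.
    return direction == "in" and p.dport >= 1024


class StatefulFirewall:
    """Keeps a connection table so inbound packets are allowed only when they
    belong to a session an inside host opened (or to an explicit inbound service)."""

    def __init__(self) -> None:
        self.table = set()   # (inside addr, inside port, outside addr, outside port)

    def filter(self, p: Packet) -> bool:
        if is_inside(p.src):                          # outbound
            if p.syn and ("out", p.dport) in RULES:
                self.table.add((p.src, p.sport, p.dst, p.dport))
                return True
            return (p.src, p.sport, p.dst, p.dport) in self.table
        if p.syn and not p.ack and ("in", p.dport) in RULES:
            return True                               # explicit inbound service
        return (p.dst, p.dport, p.src, p.sport) in self.table  # known session
```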

Page 47: CHAPTER 6

Comparison of Firewall Types

| | Packet Filtering | Stateful Inspection | Application Proxy | Guard | Personal Firewall |
|---|---|---|---|---|---|
| Complexity | Simplest | More complex | Even more complex | Most complex | Similar to packet filtering firewall |
| Visibility | Sees only addresses and service protocol type | Can see either addresses or data | Sees full data portion of packet | Sees full text of communication | Can see full data portion of packet |
| Auditing | Auditing difficult | Auditing possible | Can audit activity | Can audit activity | Can and usually does audit activity |
| Screening | Screens based on connection rules | Screens based on information across packets, in either header or data field | Screens based on behavior of proxies | Screens based on interpretation of message content | Typically, screens based on information in a single packet, using header or data |
| Configuration | Complex addressing rules can make configuration tricky | Usually preconfigured to detect certain attack signatures | Simple proxies can substitute for complex addressing rules | Complex guard functionality can limit assurance | Usually starts in "deny all inbound" mode, to which user adds trusted addresses as they appear |

Page 48: CHAPTER 6

Intrusion Detection Systems

An intrusion detection system (IDS) is a device, typically another separate computer, that monitors activity to identify malicious or suspicious events.

IDSs perform a variety of functions:
• monitoring users and system activity
• auditing system configuration for vulnerabilities and misconfigurations
• assessing the integrity of critical system and data files
• recognizing known attack patterns in system activity
• identifying abnormal activity through statistical analysis
• managing audit trails and highlighting user violations of policy or normal activity
• correcting system configuration errors
• installing and operating traps to record information about intruders

Page 49: CHAPTER 6

Types of IDSs

• Signature-based intrusion detection systems perform simple pattern matching and report situations that match a pattern corresponding to a known attack type.
• Heuristic intrusion detection systems, also known as anomaly based, look for activity that departs from normal behaviour rather than for a known pattern.

Intrusion detection devices can be network based or host based. A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network; a host-based IDS runs on a single workstation or client or host, to protect that one host.

Page 50: CHAPTER 6

Stealth Mode

Most IDSs run in stealth mode, whereby an IDS has two network interfaces: one for the network (or network segment) being monitored and the other to generate alerts and perhaps serve other administrative needs.

Page 51: CHAPTER 6

Goals for Intrusion Detection Systems

An IDS could use some or all of the following design approaches:
• Filter on packet headers
• Filter on packet content
• Maintain connection state
• Use complex, multipacket signatures
• Use a minimal number of signatures with maximum effect
• Filter in real time, online
• Hide its presence
• Use an optimal sliding time window size to match signatures
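The two IDS types from the "Types of IDSs" slide and the multipacket, sliding-window approach from the goals above, side by side in one added example (not the deck's own code). A signature sensor matches known attack patterns from the web-site-vulnerabilities slide against packet content, while a heuristic sensor keeps a per-source sliding time window and flags the port-scan shape from the threat-precursor slide. The log format and every address in it are constructed.

```python
"""Signature-based and heuristic (anomaly-based) detection over a constructed
connection log (added example). Format: "<seconds> <src> <dst> <dport> <flags> <payload>"."""
import re
from collections import defaultdict, deque

LOG = """\
1 10.0.0.5 203.0.113.7 80 S GET /index.html
2 198.51.100.9 10.0.0.5 22 S -
2 198.51.100.9 10.0.0.5 23 S -
3 198.51.100.9 10.0.0.5 25 S -
3 198.51.100.9 10.0.0.5 80 S -
4 198.51.100.9 10.0.0.5 110 S -
4 198.51.100.9 10.0.0.5 143 S -
5 198.51.100.9 10.0.0.5 443 S -
9 192.0.2.4 10.0.0.8 80 S GET /cgi-bin/../../etc/passwd
12 10.0.0.5 203.0.113.7 80 A -
""".splitlines()

# Known attack patterns over packet content (constructed, deliberately simple).
SIGNATURES = {
    "dot-dot-slash traversal": re.compile(r"\.\./"),
    "server-side include": re.compile(r"<!--#(exec|include)", re.I),
}


def parse(line):
    t, src, dst, dport, flags, payload = line.split(" ", 5)
    return int(t), src, dst, int(dport), flags, payload


class SignatureIDS:
    """Pattern matching against content: cheap, but only finds what it knows."""
    def inspect(self, rec):
        _, src, dst, _, _, payload = rec
        return [f"{name} from {src} to {dst}"
                for name, rx in SIGNATURES.items() if rx.search(payload)]


class HeuristicIDS:
    """Flags a source that opens connections to more than max_ports distinct
    ports on one host inside a sliding window of `window` seconds."""
    def __init__(self, window=5, max_ports=5):
        self.window, self.max_ports = window, max_ports
        self.recent = defaultdict(deque)   # (src, dst) -> deque of (t, port)
        self.reported = set()              # report each scanning pair once

    def inspect(self, rec):
        t, src, dst, dport, flags, _ = rec
        if "S" not in flags:               # only connection attempts count
            return []
        q = self.recent[(src, dst)]
        q.append((t, dport))
        while q and t - q[0][0] > self.window:   # slide the window forward
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > self.max_ports and (src, dst) not in self.reported:
            self.reported.add((src, dst))
            return [f"possible port scan from {src} against {dst}"]
        return []


def run(lines):
    """Feed every record to both sensors; return the alerts in order."""
    sensors = [SignatureIDS(), HeuristicIDS()]
    alerts = []
    for line in lines:
        rec = parse(line)
        for sensor in sensors:
            alerts.extend(sensor.inspect(rec))
    return alerts
```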

Page 52: CHAPTER 6

IDS Strengths and Limitations

Intrusion detection systems are evolving products that detect an ever-growing number of serious problems.

Limitations: its sensitivity, which is difficult to measure and adjust, and the fact that someone has to monitor its track record and respond to its alarms.

Page 53: CHAPTER 6

EXERCISE

• Discuss six reasons that make a network vulnerable.
• One way an attacker can investigate and plan an attack is through reconnaissance. Explain it.
• What can firewalls block, and what can they not block?
• Explain Kerberos in detail.