CSE2500 SYSTEM SECURITY & PRIVACY
Introduction to Computer Network Security
Srini & Nandita, CSE2500 System Security & Privacy
Layout
Network security: what is different from computer systems security?
Possible scenarios for network connections and their implications for security concerns
What is the principal mode of attack in networks, and how can you defend against it?
In which part of the network structure can we enforce security?
How can we do it efficiently?
What have we seen so far?
Authentication
Access control
Encryption
Internetwork Architecture?
[Diagram: a server reached across the Internet by a wired stranger, a wireless stranger and another stranger]
Services of the server are
Web servers
Email servers
FTP servers
Web and email servers
Web, email and FTP servers
Modem servers
Web, email, FTP and modem servers
Web, email, file servers
Etc.
Consider a web server
What is the authentication here?
What is the access control here?
If these do not apply, what is the issue with respect to security?
Recap: Security Attacks - Taxonomy
Interruption – attack on availability
Interception – attack on confidentiality
Modification – attack on integrity
Fabrication – attack on authenticity
The availability (and confidentiality) properties need to be preserved – how can they be threatened?
Model for network security
[Diagram: an information channel between two parties, guarded by a gatekeeper]
Attacks are
Snooping or sniffing - the attacker observes network traffic without disturbing the transmission (passive), e.g. snooping for passwords.
Sniffing software works by placing a system's network interface into promiscuous mode.
Attacks are
Denial of service – make the server inoperative or inefficient, e.g. the ping (of death) attack, by flooding.
Ping Attack
The hacker sends an ICMP Echo request to the target, expecting an ICMP Echo reply to be returned for each request. The hacker, because of the high bandwidth, can send more requests than the target can handle.
Countermeasures: No known defense
[Diagram: ICMP ECHO flooding – the hacker on a T-1 link sends packets 1 to n across the Internet to a server on a 128K link]
TCP SYN Flooding
[Diagram: the hacker sends SYN segments to the target host with unreachable source addresses; the target's SYN+ACK replies go to the unreachable addresses and are never acknowledged; the legitimate client is denied access]
Hacker -> Target Host: SYN=1 ACK=0 141521 win 4096 (unreachable address)
Target Host -> unreachable address: SYN=1 ACK=1 181521 141522 win 4096
Hacker -> Target Host: SYN=1 ACK=0 141686 win 4096 (unreachable address)
Target Host -> unreachable address: SYN=1 ACK=1 181521 141687 win 4096
Hacker -> Target Host: SYN=1 ACK=0 141721 win 4096 (unreachable address)
Target Host -> unreachable address: SYN=1 ACK=1 181521 141723 win 4096
SYN Attack
Attack Method:
Most hosts will only support 8-16 simultaneous communication channels.
The hacker sends a sequence of SYN packets.
Each SYN packet (about 120/second) has a different and unreachable IP address.
This consumes all the communication channels and results in a denial of any TCP-based service.
Countermeasure: Expand the number of ports, reduce the time-out period, validate TCP request packets.
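The half-open connection table this slide describes, as an added example rather than lecture code: a constructed Python model of a host with a fixed number of channels and a time-out, driven at the slide's rate of about 120 SYNs/second from unreachable addresses, which shows why both listed countermeasures (more channels, a shorter time-out) give a legitimate client its channel back. The 16-channel capacity, the 75 s and 0.05 s time-outs and the 5 s flood duration are assumed values.

```python
"""Half-open connection table model for the SYN attack slide.

Constructed example, not lecture code.  A host keeps a fixed number of
half-open (SYN received, ACK not yet seen) channels; a SYN takes a channel,
the third handshake segment completes it, and a channel whose ACK never
arrives is freed only when its time-out expires.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    capacity: int                  # simultaneous channels (slide: 8-16 on most hosts)
    timeout: float                 # seconds a half-open entry waits for its ACK
    slots: dict = field(default_factory=dict)   # source address -> SYN arrival time

    def expire(self, now: float) -> None:
        """Free every entry whose time-out has elapsed."""
        stale = [src for src, t0 in self.slots.items() if now - t0 >= self.timeout]
        for src in stale:
            del self.slots[src]

    def syn(self, src: str, now: float) -> bool:
        """Handle a SYN: True if a channel was free, False if it had to be dropped."""
        self.expire(now)
        if src in self.slots or len(self.slots) >= self.capacity:
            return False
        self.slots[src] = now
        return True

    def ack(self, src: str) -> bool:
        """Third segment arrived: the connection completes and frees its channel."""
        return self.slots.pop(src, None) is not None


def flood_then_legit(rate: float, timeout: float, capacity: int,
                     duration: float = 5.0) -> bool:
    """Send `rate` SYNs per second from distinct unreachable addresses for
    `duration` seconds (assumed values), then report whether a legitimate
    client's SYN arriving afterwards still gets a channel."""
    table = HalfOpenTable(capacity, timeout)
    for i in range(int(rate * duration)):
        # constructed source: unreachable, so the SYN+ACK is never answered
        table.syn(f"unreachable-{i}", i / rate)
    return table.syn("legitimate-client", duration)


if __name__ == "__main__":
    # Slide figures: about 120 SYN/s against a host with 16 channels.
    print("75 s time-out, 16 channels  :", flood_then_legit(120, 75.0, 16))    # False
    print("0.05 s time-out, 16 channels:", flood_then_legit(120, 0.05, 16))    # True
    print("75 s time-out, 1000 channels:", flood_then_legit(120, 75.0, 1000))  # True
```

With a 75 s time-out the first 16 SYNs hold every channel for the whole flood; with a 0.05 s time-out only about rate × timeout = 6 entries are ever outstanding, so the table never fills.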
Attacks are
Impersonation – stealing the identity of someone; the other party thinks that you are the true identity.
Impersonation
Authentication at the IP layer is concerned with the identity of computer systems.
IP addresses are software configurable, and the mere possession (or fraudulent use) of one enables communication with other systems.
Two techniques to do this are
address masquerading
address spoofing
Address Masquerading
Address Spoofing
Also known as the TCP sequence number attack.
First we need to understand how the three-way TCP handshake protocol works.
handshake means an assertion that indicates one party's readiness to send or receive data.
When two systems share a hardware connection, a two-way handshake is enough.
Since TCP rides on IP – an unreliable, connectionless protocol – a three-way handshake is required.
Handshake in TCP
Machine A -> Machine B: SYN + ISN_A
Machine B -> Machine A: SYN + ISN_B + ACK(ISN_A + 1)
Machine A -> Machine B: ACK(ISN_B + 1)
Application data
SYN – synchronize request; ISN – initial sequence number; ACK – acknowledgement for the ISN
TCP CONNECTION
THREE-WAY CONNECTION (client <-> server)
Segment 1, client -> server: SYN=1 ACK=0 141521 win 4096 <mss 1024>
Segment 2, server -> client: SYN=1 ACK=1 181521 141522 win 4096 <mss 1024>
Segment 3, client -> server: SYN=0 ACK=1 181522
Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 shows the advertised window size of the sending station, while the field <mss 1024> shows the receiving maximum segment size specified by the sender. SYN=1, ACK=0.
Segment 2 shows the server responding with a SYN segment of 181521 and ACKnowledging the client's ISN with ISN + 1. This is called a Passive Open. SYN=1, ACK=1.
Segment 3 shows the client responding by ACKnowledging the server's ISN with ISN + 1. SYN=0, ACK=1.
Data can now be transmitted.
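The three segments above as an added, constructed Python exchange (not lecture code): each side is a small state machine that builds and checks SYN, SYN+ACK and ACK, with the ISNs fixed to the slide's 141521 and 181521 so the printed trace matches. The final server-side check, ack_accepted, is the one a sender who never sees segment 2 has to satisfy, which is the point the later address spoofing slides build on.

```python
# Three-way handshake with the segment values from the TCP CONNECTION slide.
# Constructed example, not lecture code: each side is a small state machine that
# builds and checks SYN / SYN+ACK / ACK; the ISNs are fixed to match the slide.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    syn: bool
    ack: bool
    seq: int                    # sequence number carried by this segment
    ack_num: int = 0            # acknowledgement number, used only when ack is set
    win: int = 4096             # advertised window
    mss: Optional[int] = 1024   # maximum segment size option, None when absent

    def __str__(self) -> str:
        text = f"SYN={int(self.syn)} ACK={int(self.ack)} {self.seq}"
        text += f" {self.ack_num}" if self.ack else ""
        return text + f" win {self.win}" + (f" <mss {self.mss}>" if self.mss else "")


class Endpoint:
    def __init__(self, name: str, isn: int):
        self.name, self.isn, self.state = name, isn, "CLOSED"

    def active_open(self) -> Segment:
        """Segment 1: the client sends SYN carrying its ISN."""
        self.state = "SYN_SENT"
        return Segment(syn=True, ack=False, seq=self.isn)

    def passive_open(self, seg: Segment) -> Segment:
        """Segment 2: the server answers a SYN with SYN+ACK acknowledging ISN+1."""
        if not seg.syn or seg.ack:
            raise ValueError(f"{self.name}: expected a SYN, got {seg}")
        self.state = "SYN_RCVD"
        return Segment(syn=True, ack=True, seq=self.isn, ack_num=seg.seq + 1)

    def complete(self, seg: Segment) -> Segment:
        """Segment 3: the client checks the ACK of its ISN, then ACKs the server's ISN+1."""
        if not (seg.syn and seg.ack) or seg.ack_num != self.isn + 1:
            raise ValueError(f"{self.name}: bad SYN+ACK {seg}")
        self.state = "ESTABLISHED"
        return Segment(syn=False, ack=True, seq=self.isn + 1, ack_num=seg.seq + 1, mss=None)

    def established(self, seg: Segment) -> bool:
        """Server side of segment 3: accept only an ACK that matches its own ISN+1."""
        if seg.syn or not seg.ack or seg.ack_num != self.isn + 1:
            return False
        self.state = "ESTABLISHED"
        return True


def handshake(client_isn: int = 141521, server_isn: int = 181521) -> List[str]:
    """Run the exchange and return the three segments in the slide's notation."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    seg1 = client.active_open()
    seg2 = server.passive_open(seg1)
    seg3 = client.complete(seg2)
    assert server.established(seg3) and client.state == server.state == "ESTABLISHED"
    return [str(seg1), str(seg2), str(seg3)]


def ack_accepted(server_isn: int, guessed_ack_num: int) -> bool:
    """Does a server in SYN_RCVD accept a third segment with this ACK number?
    A sender that never saw segment 2 can only pass this check by guessing the ISN."""
    server = Endpoint("server", server_isn)
    server.state = "SYN_RCVD"
    return server.established(Segment(syn=False, ack=True, seq=0, ack_num=guessed_ack_num, mss=None))
```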
Address Spoofing
Consider C (an intruder) wanting to impersonate the sender (say A) – how?
Intruder C knows that B (the receiver) trusts A's users and lets them execute commands through, say, the rsh (remote shell) service without requiring a password.
Although C will not receive a single datagram in response from B – whose replies will be routed to the real, but unavailable, A.
C now somehow needs to predict the ISN of B that B would tell A during the handshake.
How to get the ISN?
The ISN is a 32-bit clock that increases systematically with time.
If the clock increment is predictable and an attacker can see the value of any one ISN, he can probably predict the value of the next or a soon subsequent ISN with accuracy.
Predictable ISN can lead to
After knowing the ISN, wait for A to go down (say for maintenance), which is easy to detect (say by ping); then C sends B a counterfeit IP datagram containing its SYN and ISN, which B receives and believes to have originated from A.
B replies with a SYN, its own ISN and an acknowledgement of C's ISN (this reply is routed inconsequentially to A, who is still unavailable to receive it).
C meanwhile predicts and acknowledges B's ISN. It follows with an rsh command that coaxes B to give the attacker easier access from his true location.
C has successfully opened a TCP connection and executed a command on B, without ever having received a single byte in return from B. It simply acted as if it had, enabled by B's predictable ISN.
Method of defense
Avoid reliance on address-based authentication and trust mechanisms (like those used by rsh).
Use a screening router, a device that can intelligently filter network packets based on configurable rules. Although this cannot prevent spoofing, it can prevent:
Inbound attacks that originate from external networks (by discarding incoming datagrams with a source address belonging to the internal address range).
Outbound attacks that originate inside your own network (by discarding outgoing datagrams with a source address from an external network).
Attacks are
Relaying a message to another host, which accepts it as if it were trusted.
Example: transfer of password files in networked Unix systems.
Message alteration
Message means the payload of the IP datagram; the router performs routine modifications to the IP datagram header, and sometimes fragments a datagram into several smaller ones (when the length exceeds a limit allowed by the underlying data link layer).
These routine changes are no reason to suspect message alteration, but techniques such as checksums are not sufficient.
Message Delay and Denial
By gaining unauthorised control of a router or routing host, then modifying executable code or the routing and screening rules used by the code.
Need to apply proper authentication and access mechanisms to the routing systems.
By overwhelming a routing device, or one of the communication end systems, with an inordinate amount of network traffic.
Easy to detect but difficult to prevent!
By Blocking (or Screening)
[Diagram: screening router between the external network and the internal network 130.194.225.xxx, with four datagrams marked Accepted, Blocked, Accepted, Blocked:]
Source: 108.3.54.92, Destination: 130.194.225.92
Source: 130.194.225.52, Destination: 130.194.225.92
Source: 108.3.54.92, Destination: 121.92.5.52
Source: 130.194.225.92, Destination: 121.5.92.1
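The two screening rules from the "Method of defense" slide applied to the four datagrams drawn above, as an added example that is not lecture code. The internal network 130.194.225.0/24 and the addresses come from the slides; which interface each datagram arrives on is an assumption, since the diagram's layout did not survive extraction.

```python
# Screening-router (packet-filtering) rules from the 'Method of defense' and
# 'By Blocking (or Screening)' slides.  Constructed example, not lecture code.
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple


class Packet(NamedTuple):
    iface: str      # "external" (arrived from the Internet) or "internal" (leaving)
    src: str
    dst: str


def screen(pkt: Packet, internal) -> str:
    """Return 'Accepted' or 'Blocked' for one datagram.

    Inbound rule : a datagram from outside must not claim an internal source
                   address (it would be impersonating a trusted inside host).
    Outbound rule: a datagram leaving must carry an internal source address,
                   otherwise an inside host is using someone else's address.
    Neither rule prevents spoofing in general; they only catch the two cases
    the router can recognise from the addresses alone.
    """
    src = ip_address(pkt.src)
    if pkt.iface == "external":
        return "Blocked" if src in internal else "Accepted"
    if pkt.iface == "internal":
        return "Blocked" if src not in internal else "Accepted"
    raise ValueError(f"unknown interface {pkt.iface!r}")


INTERNAL = ip_network("130.194.225.0/24")   # slide: 130.194.225.xxx

# The four datagrams on the slide; the arrival interface of each is assumed.
SLIDE_PACKETS = [
    Packet("external", "108.3.54.92",    "130.194.225.92"),  # outsider reaching an inside server
    Packet("external", "130.194.225.52", "130.194.225.92"),  # outsider claiming an inside address
    Packet("internal", "108.3.54.92",    "121.92.5.52"),     # insider claiming an outside address
    Packet("internal", "130.194.225.92", "121.5.92.1"),      # insider talking to the outside
]


def screen_all(packets=SLIDE_PACKETS, internal=INTERNAL) -> List[str]:
    """Verdict for each datagram, in the order listed."""
    return [screen(p, internal) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SLIDE_PACKETS, screen_all()):
        print(f"{pkt.iface:8} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```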
Network Communication: OSI Reference Model
Application-related services:
Application (7) – Application programs that use the network
Presentation (6) – Standardise data representation to the application layer
Session (5) – Manage sessions between applications
Network-related services:
Transport (4) – Provide end-to-end error detection and correction
Network (3) – Manage connections across the network
Data Link (2) – Provide reliable delivery across physical links
Physical (1) – Define characteristics of media
Generic Message Format
[Diagram: Sender identity | Recipient identity | Message length | Message data]
Internet TCP/IP Model
Application – Programs: X window, mobile agents, Web applications, Email …
Sockets
Transport (TCP, UDP) – Table of addresses, data and algorithms to perform reliability checks
Network (IP) – Table of addresses and algorithms for handling the routing of data
Physical – Digital signal (0, 1)
Network Layer – IP Datagram format (for reference)
4-bit Version | 4-bit header length | 8-bit type of service | 16-bit Total Length
16-bit Identification | 3-bit flags | 13-bit fragment offset
8-bit time to live | 8-bit protocol | 16-bit header checksum
32-bit Source address
32-bit Destination address
Options (if any) and padding
Data (variable length)
TCP segment (for reference)
16-bit Source port number | 16-bit Destination port number
32-bit Sequence number
32-bit Acknowledgement number
4-bit Header length | 6-bit Reserved | 6-bit Flags | 16-bit Window size
16-bit TCP checksum | 16-bit Urgent pointer
Options (if any) and padding
Data (variable length)
UDP datagram (for reference)
16-bit Source port number | 16-bit Destination port number
16-bit Length | 16-bit Checksum
Data (variable length, if any)
Possible methods
Simple denial of requests – a firewall is useful to prevent address spoofing and masquerading
Tailored software for each of the network services – called wrappers; application-oriented functionality can be implemented
Firewalls
A screening router (also called packet filtering) is an example of a firewall.
We will look at firewalls in more detail in another subject.
FIREWALL
[Diagram: Internet – Exterior Router – Perimeter Network with Bastion Host – Interior Router – Internal Network]
SMTP Routing
1. Route incoming/outgoing mail to the bastion host.
2. Use the exterior router to restrict connections from external hosts to the bastion host.
3. Use the interior router to restrict connections from the bastion host to specific internal servers.
4. Internal systems send mail to the bastion host.
[Diagram: SMTP routing – external SMTP server (SMTP sender/recipient) – SMTP client on the bastion host – inside SMTP server]
TCP Wrapper
The TCP Wrapper is a utility program that can be "wrapped" around existing servers connected to the Internet.
A firewall can be placed between your internal network and the Internet to protect the entire internal network.
The TCP Wrapper is placed on an internal server and protects the services of that machine.
The combination of firewall and TCP Wrapper provides defense in depth.
The TCP Wrapper was written by Wietse Venema and is used for:
Logging requests for service made through /etc/inetd.conf
Intercepting and controlling TCP services that are started by /etc/inetd.conf.
TCP Wrapper
[Diagram: External User – Internet – Router / Bastion Host (Firewall) – Internal Server (TCP Wrapper)]
TCP Wrapper Operation
The TCP Wrapper is installed on the internal server and inetd is configured to run the TCP Wrapper program, tcpd, instead of the real server. inetd is the Internet service starter program that, upon detecting a service request, forks a process directly to the requested service.
tcpd is the TCP Wrapper program that receives control from inetd when an internal server has been "wrapped". tcpd evaluates the request against two TCP Wrapper configuration files:
/etc/hosts.allow tells tcpd which hosts to allow connections from.
/etc/hosts.deny tells tcpd which hosts to deny connections from.
If no match is found, the connection is allowed. tcpd completes its function, then transfers control to the requested service.
TCP Wrapper Operation
[Diagram: External User – Internet – Router / Bastion Host (Firewall) – internal server running the TCP Wrapper: inetd (inetd.conf) hands the request to tcpd, which consults /etc/hosts.allow and /etc/hosts.deny and then starts the requested service (telnet, ftp, rlogin, udp, etc. network services)]
TCP Wrapper Functions
The TCP Wrapper performs the following functions upon assuming control from inetd.
Compares the incoming hostname and requested service with the previously created hosts.allow and hosts.deny files.
Performs a double-reverse lookup of the IP address to make sure the DNS entries for the IP address match the hostname.
Logs the result with syslog. This provides a way to log services that are normally not logged, e.g., finger and systat.
Optionally runs a command, e.g., runs finger to get a list of users on the connecting client computer.
Optionally substitutes a different version of the requested service daemon, e.g., the calling host may require a special extended service.
Optionally sends a banner to the connecting client.
Passes control of the connection to the real network daemon, or rejects the connection without providing a service.
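The hosts.allow / hosts.deny decision from the "TCP Wrapper Operation" and "TCP Wrapper Functions" slides, as an added Python example that is not Wietse Venema's code: it re-implements the documented rule order (hosts.allow first, then hosts.deny, otherwise allow) for a simplified version of the rule syntax. The two configuration files, the daemon names and the host names are constructed; the 130.194.225.x addresses follow the lecture's internal network.

```python
# tcpd's access decision from the TCP Wrapper Operation and Functions slides.
# Constructed example, not Wietse Venema's code: it re-implements the documented
# rule order (hosts.allow first, then hosts.deny, otherwise allow) for a
# simplified rule syntax.  Client patterns handled: ALL, LOCAL, '.suffix'
# (host name), 'prefix.' (address), an exact name or address, and EXCEPT.
from typing import List, Tuple

Rule = Tuple[List[str], List[str]]          # (daemon list, client list)

# Constructed configuration files; addresses follow the lecture's 130.194.225.x network.
HOSTS_ALLOW = """
# daemon_list : client_list
ALL      : LOCAL, .example.edu
in.ftpd  : 130.194.225. EXCEPT 130.194.225.13
"""
HOSTS_DENY = """
in.fingerd, in.telnetd : ALL
"""


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def match_client(pattern: str, host: str, addr: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # host names with no dot in them
        return "." not in host
    if pattern.startswith("."):            # .domain matches a host name suffix
        return host.endswith(pattern)
    if pattern.endswith("."):              # net. matches an address prefix
        return addr.startswith(pattern)
    return pattern in (host, addr)


def match_list(tokens: List[str], host: str, addr: str) -> bool:
    """Client list with an optional 'EXCEPT' tail that removes matches."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], host, addr) and not match_list(tokens[i + 1:], host, addr)
    return any(match_client(tok, host, addr) for tok in tokens)


def file_matches(rules: List[Rule], daemon: str, host: str, addr: str) -> bool:
    return any(("ALL" in daemons or daemon in daemons) and match_list(clients, host, addr)
               for daemons, clients in rules)


def tcpd_allows(daemon: str, host: str, addr: str,
                allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """The decision tcpd makes before handing the socket to the real daemon."""
    if file_matches(parse_rules(allow), daemon, host, addr):
        return True                        # a hosts.allow match wins outright
    if file_matches(parse_rules(deny), daemon, host, addr):
        return False                       # then hosts.deny is consulted
    return True                            # no match at all: tcpd allows by default
```

The last branch is the "if no match is found the connection is allowed" rule from the slide, which is why a hosts.deny containing only ALL : ALL is the usual way to turn tcpd into a deny-by-default control.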
Possible connections: Security?
[Diagram: Your PC behind an optional firewall, connected to the Internet and an ISP server, alongside a wired stranger, a wireless stranger and another stranger]
Possible connections: Security?
[Diagram: your systems (production servers, web server, ftp server) behind a firewall on the Internet, alongside a wired stranger, a wireless stranger and another stranger]
Possible connections: Security?
[Diagram: Internet – LAN/WAN firewall – web servers – LAN/WAN – back-end data servers]
Possible connections: Security?
[Diagram: Internet, intranet and extranet joined over LAN/WAN through a firewall; web servers, back-end data servers, business applications, business integration systems, a call centre and mobile users]