Lecture 23
Network Security
CPE 401 / 601 Computer Network Systems
slides are modified from Jim Kurose and Keith Ross; Michael Shamos; Vinnie Costa; Mark Stamp; Dave Hollinger
Network Security 2
[Cartoon] by Peter Steiner, New York, July 5, 1993
Early Hacking – Phreaking
In 1957, a blind seven-year-old, Joe Engressia (Joybubbles), discovered a whistling tone that resets trunk lines
• Blow into the receiver – free phone calls
Cap’n Crunch cereal prize: the giveaway whistle produces a 2600 MHz tone
The Seventies
John Draper, a.k.a. Captain Crunch: “If I do what I do, it is only to explore a system”
In 1971, built the Bluebox with Steve Jobs and Steve Wozniak
The Eighties
Robert Morris worm – 1988
Developed to measure the size of the Internet
• However, a computer could be infected multiple times
Brought down a large fraction of the Internet
• ~6K computers
Academic interest in network security
The Nineties
Kevin Mitnick
First hacker on the FBI’s Most Wanted list
Hacked into many networks
• including the FBI
Stole intellectual property
• including 20K credit card numbers
In 1995, caught a 2nd time
• served five years in prison
Code-Red Worm
On July 19, 2001, more than 359,000 computers connected to the Internet were infected in less than 14 hours
[Figure: Spread]
Sapphire Worm
Was the fastest computer worm in history
Doubled in size every 8.5 seconds
Infected more than 90 percent of vulnerable hosts within 10 minutes
DoS attack on SCO
On Dec 11, 2003: attack on the web and FTP servers of SCO
• a software company focusing on UNIX systems
SYN flood of 50K packets per second
SCO responded to more than 700 million attack packets over 32 hours
Witty Worm
25 March 2004
Reached its peak activity after approximately 45 minutes, at which point the majority of vulnerable hosts had been infected
[Figure: spread over time, World vs. USA]
Nyxem Email Virus
Jan 15, 2006: infected about 1M computers within two weeks
At least 45K of the infected computers were also compromised by other forms of spyware or botware
[Figure: Spread]
Security Trends
Source: www.cert.org (Computer Emergency Readiness Team)
Concern for Security
Explosive growth of desktops started in the ’80s
No emphasis on security
• Who wants military security? I just want to run my spreadsheet!
The Internet was originally designed for a group of mutually trusting users
By definition, no need for security
Users can send a packet to any other user
Identity (source IP address) taken by default to be true
Explosive growth of the Internet in the mid ’90s
Security was not a priority until recently
• Only a research network, who will attack it?
The Cast of Characters
Alice and Bob are the good guys
Trudy is the bad guy
Trudy is our generic “intruder”
Who might Alice and Bob be?
… well, real-life Alices and Bobs:
• Web browser/server for electronic transactions
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
Alice’s Online Bank
Alice opens Alice’s Online Bank (AOB)
What are Alice’s security concerns?
If Bob is a customer of AOB, what are his security concerns?
How are Alice’s and Bob’s concerns similar? How are they different?
How does Trudy view the situation?
Alice’s Online Bank
AOB must prevent Trudy from learning Bob’s balance
• Confidentiality (prevent unauthorized reading of information)
Trudy must not be able to change Bob’s balance
Bob must not be able to improperly change his own account balance
• Integrity (prevent unauthorized writing of information)
Alice’s Online Bank
AOB’s information must be available when needed
• Availability (data is available in a timely manner when needed)
How does Bob’s computer know that “Bob” is really Bob and not Trudy?
When Bob logs into AOB, how does AOB know that “Bob” is really Bob?
• Authentication (assurance that the other party is the claimed one)
Bob can’t view someone else’s account info
Bob can’t install new software, etc.
• Authorization (allowing access only to permitted resources)
Think Like Trudy
Good guys must think like bad guys!
A police detective must study and understand criminals
In network security:
• We must try to think like Trudy
• We must study Trudy’s methods
• We can admire Trudy’s cleverness
• Often, we can’t help but laugh at Alice and Bob’s carelessness
• But, we cannot act like Trudy
Aspects of Security
Security Services
• Enhance the security of data processing systems and information transfers of an organization
• Counter security attacks
Security Attack
• Action that compromises the security of information owned by an organization
Security Mechanisms
• Designed to prevent, detect or recover from a security attack
Security Services
Enhance security of data processing systems and information transfers
Authentication
• Assurance that the communicating entity is the one claimed
Authorization
• Prevention of the unauthorized use of a resource
Availability
• Data is available in a timely manner when needed
Security Services
Confidentiality
• Protection of data from unauthorized disclosure
Integrity
• Assurance that data received is as sent by an authorized entity
Non-Repudiation
• Protection against denial by one of the parties in a communication
Security Attacks
[Figure: Information source → Information destination]
Normal Flow
Security Attacks
[Figure: Information source → Information destination, flow cut off]
Interruption
Attack on availability (ability to use desired information or resources)
Denial of Service
Smurf Attack
[Figure: Perpetrator → Internet → Innocent reflector sites → Victim]
ICMP echo (spoofed source address of victim) sent to an IP broadcast address
ICMP echo replies converge on the victim
ICMP = Internet Control Message Protocol
1 SYN
10,000 SYN/ACKs – Victim is dead
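As an added example (not code from the lecture), the two checks a defender would run over flow records to catch the pattern on this slide: ICMP echo requests addressed to a broadcast address, which a border router following the RFC 2644 default (no forwarding of directed broadcasts) drops and thereby removes the amplification, and hosts that receive echo replies from more distinct sources than the requests they sent, which is what the spoofed victim sees. The packet records and the network list are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed packet records, labelled as such: (src, dst, protocol, icmp_type).
# ICMP type 8 = echo request, type 0 = echo reply. The first five records model
# the slide's Smurf pattern: two echo requests carrying the victim's address
# (10.0.0.5) as source, sent to two directed-broadcast addresses, and the
# replies from the reflector hosts converging on the victim.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.168.1.255", "icmp", 8),
    ("10.0.0.5", "192.168.2.255", "icmp", 8),
    ("192.168.1.10", "10.0.0.5", "icmp", 0),
    ("192.168.1.11", "10.0.0.5", "icmp", 0),
    ("192.168.2.20", "10.0.0.5", "icmp", 0),
    ("10.0.0.7", "10.0.0.8", "icmp", 8),   # an ordinary ping
    ("10.0.0.8", "10.0.0.7", "icmp", 0),   # and its single reply
]

# Networks whose directed-broadcast addresses the border router is responsible for (constructed).
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
]


def is_broadcast(dst, networks=LOCAL_NETWORKS):
    """True if dst is the limited broadcast or the directed broadcast of a known network."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in networks)


def broadcast_echo_requests(packets, networks=LOCAL_NETWORKS):
    """Echo requests aimed at a broadcast address: the reflector-triggering half of Smurf.

    A router that refuses to forward directed broadcasts (the RFC 2644 default)
    drops exactly these packets, which removes the amplification.
    """
    return [(src, dst) for src, dst, proto, itype in packets
            if proto == "icmp" and itype == 8 and is_broadcast(dst, networks)]


def suspected_reflection_victims(packets):
    """Hosts receiving echo replies from more distinct sources than requests they sent.

    A legitimate ping gets at most one reply per request; a spoofed victim gets
    replies from every reflector. Returns {victim: (requests_sent, distinct_repliers)}.
    """
    requests_sent = defaultdict(int)
    repliers = defaultdict(set)
    for src, dst, proto, itype in packets:
        if proto != "icmp":
            continue
        if itype == 8:
            requests_sent[src] += 1
        elif itype == 0:
            repliers[dst].add(src)
    return {host: (requests_sent[host], len(sources))
            for host, sources in repliers.items()
            if len(sources) > requests_sent[host]}


if __name__ == "__main__":
    print("echo requests to broadcast addresses:", broadcast_echo_requests(SAMPLE_PACKETS))
    print("suspected reflection victims:", suspected_reflection_victims(SAMPLE_PACKETS))
```

The reply-ratio check is the one that works from the victim's side, where the spoofed requests are never seen; the broadcast check belongs on the routers in front of the reflector sites.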
Security Attacks
[Figure: Information source → Information destination, with an eavesdropper on the path]
Interception
Attack on confidentiality (concealment of information)
Packet Sniffing
[Figure: Client ↔ Server, with a Packet Sniffer on the same segment]
The Network Interface Card normally accepts only packets addressed to its own MAC address
Every network interface card has a unique 48-bit Media Access Control (MAC) address, e.g. 00:0D:84:F6:3A:10
• 24 bits assigned by IEEE; 24 by the card vendor
The packet sniffer sets its card to promiscuous mode to accept all packets
Security Attacks
[Figure: Information source → Information destination, with a forged message from a third party]
Fabrication
Attack on authenticity (identification and assurance of origin of information)
IP Address Spoofing
IP addresses are filled in by the originating host
Using the source address for authentication: r-utilities (rlogin, rsh, rhosts, etc.)
[Figure: A (1.1.1.1) and B (1.1.1.2) on the same network as server S (1.1.1.3); C (2.1.1.1) across the Internet]
• Can A claim it is B to the server S?
• ARP Spoofing
• Can C claim it is B to the server S?
• Source Routing
Security Attacks
[Figure: Information source → Information destination, with the message altered in transit]
Modification
Attack on integrity (prevention of unauthorized changes)
TCP Session Hijack
When is a TCP packet valid?
• Address / Port / Sequence Number in window
How to get the sequence number?
• Sniff traffic
• Guess it
• Many earlier systems had a predictable Initial Sequence Number
Inject arbitrary data into the connection
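As an added example (not code from the lecture), the receiver's side of the validity question above: the RFC 793 receive-window acceptance test, combined with the address and port match, decides whether a segment is taken as part of the connection, and the fraction of the 32-bit sequence space that the window covers is the reason unpredictable Initial Sequence Numbers (RFC 6528) matter. The connection state and the three sample segments are constructed; the addresses follow the spoofing figure (S = 1.1.1.3, B = 1.1.1.2, C = 2.1.1.1) but the ports and sequence values are illustrative.

```python
MOD32 = 1 << 32

# Constructed receiver state for a connection like the one in the spoofing figure
# (server S = 1.1.1.3 talking to client B = 1.1.1.2); the port and sequence
# values are illustrative, not from the lecture.
CONN = {"local": "1.1.1.3", "local_port": 513,
        "peer": "1.1.1.2", "peer_port": 1023,
        "rcv_nxt": 1000, "rcv_wnd": 65535}

# Constructed segments arriving at S.
SEGMENTS = {
    "genuine": {"src": "1.1.1.2", "sport": 1023, "dst": "1.1.1.3", "dport": 513,
                "seq": 1000, "payload": b"ls\n"},
    "right_tuple_wrong_seq": {"src": "1.1.1.2", "sport": 1023, "dst": "1.1.1.3", "dport": 513,
                              "seq": 3_000_000_000, "payload": b"ls\n"},
    "wrong_peer": {"src": "2.1.1.1", "sport": 1023, "dst": "1.1.1.3", "dport": 513,
                   "seq": 1000, "payload": b"ls\n"},
}


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RCV.NXT <= seq < RCV.NXT + RCV.WND, evaluated modulo 2^32 because sequence numbers wrap."""
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


def segment_acceptable(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """Receive-window acceptance test from RFC 793, section 3.3 (SEGMENT ARRIVES)."""
    if seg_len == 0:
        if rcv_wnd == 0:
            return seg_seq == rcv_nxt
        return seq_in_window(seg_seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False
    # a segment with data is acceptable if its first or its last octet falls in the window
    last = (seg_seq + seg_len - 1) % MOD32
    return seq_in_window(seg_seq, rcv_nxt, rcv_wnd) or seq_in_window(last, rcv_nxt, rcv_wnd)


def receiver_accepts(conn, seg):
    """The slide's three checks in order: addresses, ports, sequence number in window."""
    tuple_ok = (seg["src"], seg["sport"], seg["dst"], seg["dport"]) == \
               (conn["peer"], conn["peer_port"], conn["local"], conn["local_port"])
    if not tuple_ok:
        return False
    return segment_acceptable(seg["seq"], len(seg["payload"]), conn["rcv_nxt"], conn["rcv_wnd"])


def blind_guess_success(rcv_wnd):
    """Fraction of the 32-bit sequence space that lands inside the window.

    With a 64 KB window this is about 1.5e-5 per try, which is why a predictable
    ISN (the case on the slide) collapses the search and why RFC 6528 randomizes it.
    """
    return rcv_wnd / MOD32


if __name__ == "__main__":
    for name, seg in SEGMENTS.items():
        print(name, "->", receiver_accepts(CONN, seg))
    print("in-window fraction for a 64 KB window:", blind_guess_success(CONN["rcv_wnd"]))
```

Note that the acceptance test asks only where the segment falls, not who sent it: a segment with the right four-tuple and an in-window sequence number is indistinguishable from the peer's own, which is the property the slide's attack depends on and which transport-layer authentication (not TCP itself) has to supply.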
Security Attacks
Passive attacks: eavesdropping, monitoring transmissions
• Message interception
• Traffic analysis
Active attacks: some modification of the data stream
• Masquerade
• Replay
• Modification of message contents
• Denial of service
Model for Network Security
Security Mechanism
Feature designed to:
• Prevent attackers from violating security policy
• Detect attackers’ violation of security policy
• Recover, i.e. continue to function correctly even if the attack succeeds
No single mechanism will support all services
• Authentication, authorization, availability, confidentiality, integrity, non-repudiation
What is network security about?
It is about secure communication
Everything is connected by the Internet
There are eavesdroppers that can listen on the communication channels
Information is forwarded through packet switches, which can be reprogrammed to listen to or modify data in transit
Tradeoff between security and performance
Unix Network Security
Some basic approaches:
1. Do nothing and assume requesting system is secure.
2. Require host to identify itself and trust users on known hosts.
3. Require a password (authentication) every time a service is requested.
Traditional Unix Security (BSD)
Based on option 2 – trust users on trusted hosts: if the user has been authenticated by a trusted host, we will trust the user.
Authentication of hosts is based on IP address! This doesn’t deal with IP spoofing.
Reserved Ports
Trust only clients coming from trusted hosts with a source port less than 1024. Only root can bind to these ports.
We trust the host. The request is coming via a trusted service (a reserved port) on the host.
Potential Problem
Anyone who knows the root password can replace trusted services.
Not all Operating Systems have a notion of root or reserved ports!
It’s easy to impersonate a host that is down.
Services that use the BSD security model
lpd – line printing daemon.
rshd – remote execution.
rexec – another remote execution.
rlogin – remote login.
BSD Config Files
/etc/hosts.equiv – list of trusted hosts.
/etc/hosts.lpd – trusted printing clients.
~/.rhosts – user-defined trusted hosts and users.
lpd security
check client’s address for reserved port
and
check /etc/hosts.equiv for client IP
or check /etc/hosts.lpd for client IP
rshd, rexecd, rlogind security
As part of a request for service a username is sent by the client.
The username must be valid on the server!
rshd security
1. check client’s address for reserved port
   if not a reserved port, reject request
2. check password entry on server for specified user
   if not a valid username, reject request
3. check /etc/hosts.equiv for client’s IP address
   if found – process request
4. check user’s ~/.rhosts for client’s IP address
   if found – process request, otherwise reject
rlogind security
Just like rshd.
If trusted host (user) not found prompts for a password.
rexecd security
The client sends username and password to the server as part of the request – in plaintext.
1. check for password entry on server for user name
2. encrypt password and check for match
Special Cases
If the username is root, requests are treated as a special case:
• look at /.rhosts
• often disabled completely
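As an added example (not code from the lecture or from any BSD implementation), a model of the four-step rshd decision from the rshd security slide together with the root special case above. The accounts, the /etc/hosts.equiv and ~/.rhosts contents are constructed, and the "host [user]" entry semantics are simplified: a bare host trusts the same username on that host, and "host user" lets that remote user act as the local user.

```python
RESERVED_PORT_MAX = 1023

# Constructed server state (illustrative, not from the lecture): accounts with a
# password entry, /etc/hosts.equiv, and each user's ~/.rhosts.
PASSWD_USERS = {"alice", "bob", "root"}

HOSTS_EQUIV = """\
# hosts trusted for every non-root user (same username on both sides)
trusted.example.edu
"""

RHOSTS_BY_USER = {
    "bob": """\
workstation.example.edu
labhost.example.edu    carol    # carol on labhost may act as bob here
""",
}

# /.rhosts for root; None models the common choice of disabling root over rsh.
ROOT_RHOSTS = None


def parse_trust_file(text):
    """Entries are 'host [user]'; blank lines and '#' comments are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def trusted_by(text, client_host, remote_user, local_user):
    """Simplified entry semantics: a bare host trusts the same username on that
    host; 'host user' trusts that remote user to act as the local user."""
    for host, user in parse_trust_file(text):
        if host != client_host:
            continue
        if (user is None and remote_user == local_user) or user == remote_user:
            return True
    return False


def rshd_decision(client_host, client_port, remote_user, local_user,
                  passwd_users=PASSWD_USERS, hosts_equiv=HOSTS_EQUIV,
                  rhosts_by_user=RHOSTS_BY_USER, root_rhosts=ROOT_RHOSTS):
    """Return (accept, reason) following the four steps on the rshd slide."""
    # 1. the request must come from a reserved port (only root can bind one)
    if not 0 < client_port <= RESERVED_PORT_MAX:
        return False, "source port %d is not reserved" % client_port
    # 2. the requested local account must have a password entry
    if local_user not in passwd_users:
        return False, "no password entry for %r" % local_user
    # special case: root never trusts hosts.equiv, only /.rhosts, if enabled at all
    if local_user == "root":
        if root_rhosts is None:
            return False, "root access over rsh is disabled"
        if trusted_by(root_rhosts, client_host, remote_user, local_user):
            return True, "matched /.rhosts"
        return False, "no /.rhosts entry for client"
    # 3. system-wide trust
    if trusted_by(hosts_equiv, client_host, remote_user, local_user):
        return True, "matched /etc/hosts.equiv"
    # 4. per-user trust
    if trusted_by(rhosts_by_user.get(local_user, ""), client_host, remote_user, local_user):
        return True, "matched ~%s/.rhosts" % local_user
    return False, "client not trusted"


if __name__ == "__main__":
    for args in [("workstation.example.edu", 1022, "bob", "bob"),
                 ("trusted.example.edu", 40000, "alice", "alice"),
                 ("evil.example.net", 1022, "bob", "bob")]:
        print(args, "->", rshd_decision(*args))
```

Every accepting path rests on two things the client itself supplies, its source address and a reserved source port; as the Traditional Unix Security slide notes, this does not deal with IP spoofing, and the root branch shows the usual response of simply turning the service off for the most valuable account.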
TCP Wrapper
TCP wrapper is a simple system that provides some firewall-like functionality
A single host is isolated from the rest of the world really just a few services
Functionality includes logging of requests for service and access control.
TCP Wrapper Picture
[Figure: The World → TCP ports → TCP wrapper (tcpd) → TCP-based servers, all on a single host]
tcpd
tcpd checks out incoming TCP connections before the real server gets the connection
tcpd can find out the client’s source IP address and port number (used as authentication)
A log message can be generated indicating service name, client address and time of connection
tcpd can use client addresses to authorize each service request
Typical tcpd setup
inetd (the SuperServer) is told to start tcpd instead of the real server
tcpd checks out the client by calling getpeername on descriptor 0
tcpd decides whether or not to start the real server (by calling exec)
tcpd configuration
The configuration files for tcpd specify which hosts are allowed/denied which services
Entire domains or IP networks can be permitted or denied easily
tcpd can be told to perform an RFC 931 lookup to get a username
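As an added example (not code from the lecture or from the TCP wrapper package itself), a model of the tcpd access decision described on the last three slides: rules in the hosts.allow / hosts.deny "daemon_list : client_list" form, checked in tcpd's order (the allow file first, then the deny file, otherwise the connection is permitted), plus the log record of service name, client address and time that the tcpd slide mentions. The file contents are constructed, the client-pattern matcher covers only a subset of tcpd's patterns (ALL, a dotted network prefix, a domain suffix, an exact host or address, and EXCEPT), and the log format is this example's own rather than tcpd's syslog wording. In the real setup the host/address pair comes from getpeername on descriptor 0, as the slide says; here it is passed in.

```python
from datetime import datetime, timezone

# Constructed contents for the two tcpd access-control files (not from the slides).
# Line syntax follows tcpd's "daemon_list : client_list"; the matcher below
# implements a simplified subset of the client patterns: ALL, a dotted network
# prefix such as "10.1.", a domain suffix such as ".cs.example.edu", an exact
# host name or address, and "list EXCEPT list".
HOSTS_ALLOW = """\
# first matching rule wins; hosts.allow is consulted before hosts.deny
in.rlogind, in.rshd : .cs.example.edu EXCEPT lab99.cs.example.edu
in.ftpd : 10.1.
in.telnetd : 10.1.2.7
"""

HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...], skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return rules


def token_matches(pattern, host, addr):
    """One pattern against the connecting host name and IP address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. ".cs.example.edu"
        return host.endswith(pattern)
    if pattern.endswith("."):            # network prefix, e.g. "10.1."
        return addr.startswith(pattern)
    return pattern in (host, addr)       # exact host name or address


def list_matches(tokens, host, addr):
    """'a b EXCEPT c d' matches when some of a, b match and none of c, d do."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], host, addr) and not list_matches(tokens[i + 1:], host, addr)
    return any(token_matches(t, host, addr) for t in tokens)


def decide(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's order: a hosts.allow match grants, then a hosts.deny match refuses,
    and a connection matching neither file is allowed. Returns (allowed, which_file)."""
    for fname, text, verdict in (("hosts.allow", allow_text, True),
                                 ("hosts.deny", deny_text, False)):
        for daemons, clients in parse_rules(text):
            # the daemon list is matched with the same token rules (ALL or exact name)
            if list_matches(daemons, daemon, daemon) and list_matches(clients, host, addr):
                return verdict, fname
    return True, "default"


def log_line(daemon, host, addr, allowed, when=None):
    """Log entry carrying what the tcpd slide lists: service, client address, time.
    The wording is this example's own, not tcpd's exact syslog format."""
    when = when or datetime.now(timezone.utc)
    verb = "connect from" if allowed else "refused connect from"
    return "%s %s: %s %s[%s]" % (when.strftime("%b %d %H:%M:%S"), daemon, verb, host, addr)


if __name__ == "__main__":
    for daemon, host, addr in [("in.rshd", "ws1.cs.example.edu", "10.1.2.5"),
                               ("in.rshd", "lab99.cs.example.edu", "10.1.2.99"),
                               ("in.ftpd", "host.example.net", "10.2.7.7")]:
        allowed, source = decide(daemon, host, addr)
        print(log_line(daemon, host, addr, allowed), "(%s)" % source)
```

The "ALL : ALL" line in hosts.deny is what turns the wrapper into a default-deny filter; without it, anything not mentioned in hosts.allow is let through, which is the "default" outcome in decide.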