Network Security
Professor Dr. Adeel Akram
Introduction to Network Security
Course Topics
► Security basics: services (integrity, availability, authentication, etc.); basics of cryptography; attacks (interruption, modification)
► Vulnerabilities and Counter Measures: viruses, worms, Trojan horses, backdoors, unused services
► Exploits: buffer overflow, port scanning, NESSUS and related tools, incident handling and recovery
► Applications of Security: system security, intrusion detection, remote authorization tools; secure (commerce) transactions over a network
slide 3
Course Outline: Basic topics
► Security basics: services (integrity and availability, authentication, etc.); attacks (interruption, modification)
► Vulnerabilities and Counter Measures: viruses, worms, Trojan horses, backdoors
► Applications of Security: system security, intrusion detection, remote authorization tools; secure (commerce) transactions over a network
► Bio Authentication: types of bio authentication (fingerprints, retina scans, voice, DNA); algorithms for bio authentication
► Cryptography: symmetric cryptography, block ciphers, public-key cryptography, number theory, hash functions, key exchange
slide 4
Course Outline: Network Security
► Architecture
► Physical and link layer
► Network layer
► Transport layer
► Application layer: DNS, RPC, NFS
► Application layer: Routing
► Wireless networks
► More secure protocols: DNSSEC, IPSEC, IPv6
slide 5
Course Objectives
Introduction to concepts in:
► Computer and Network Security: to understand vulnerabilities, threats, and counter measures present in computer and network systems.
► Bio Authentication: to understand different types of human characteristics and algorithms that are used for authentication.
► Internet and Web Security: to understand TCP/IP and DNS security and have some practical experience in attacking and defending networked systems.
slide 6
Course Objectives
► Cryptography: to understand the formal tools available for securing data and services.
Understand fundamental algorithms in cryptology, risks and vulnerabilities of networked systems and network security, and use existing protocols for network security to develop secure systems.
slide 7
Text Books
► Network Security: Private Communication in a Public World, 2/E by C. Kaufman, R. Perlman, M. Speciner, Phi Learning (2009)
► Most of the topics from this book will be followed during this course.
► All relevant material will be provided as notes or as part of the class slides.
slide 8
Text Books
► Cryptography and Network Security, by William Stallings, Prentice Hall, 4th Edition, 2006
► A few topics from this book will be followed during this course.
► All relevant material will be provided as notes or as part of the class slides.
slide 9
Text Books
► Network Security Essentials, by William Stallings, Prentice Hall, 2nd Edition, 2003
► A few topics from this book will be followed during this course.
► All relevant material will be provided as notes or as part of the class slides.
slide 10
Other Books
► Ross Anderson’s “Security Engineering”: focuses on design principles for secure systems; examples of banking, nuclear command and control, burglar alarms
► “The Shellcoder’s Handbook”: practical how-to manual for hacking attacks; not a required text, but will be extremely useful for the practical implementation of buffer overflow attacks
slide 11
Occasional Assigned Reading
► Kevin Mitnick’s “The Art of Intrusion”: real-world hacking stories; good illustration for many concepts in this course
► Start reading “Smashing the Stack For Fun and Profit” by Aleph One (from Phrack hacker magazine): understanding it will provide essential knowledge for exploiting and protecting OS stack vulnerabilities
slide 12
slide 13
Main Themes of the Course
► Vulnerabilities of networked applications: worms, denial of service attacks, malicious code arriving from the network, attacks on infrastructure
► Defense technologies: protection of information in transit (cryptography, application- and transport-layer security protocols); protection of networked applications (firewalls and intrusion detection)
Main Themes of the Course
► Study a few deployed systems in detail, from design principles to gory implementation details: Kerberos, SSL/TLS, IPsec
slide 14
slide 15
What This Course is Not About
► Not a comprehensive course on computer security
► Not a course on ethical, legal or economic issues: no file sharing, DMCA, free speech issues
► Only brief overview of cryptography
slide 16
What This Course is Not About
► Only some issues in systems security: no access control, OS security, language-based security; very little about secure hardware
► Will cover buffer overflow: #1 cause of remote penetration attacks
slide 17
Syllabus (1): Security Mechanisms
► Basics of cryptography: symmetric and public-key encryption, certificates, cryptographic hash functions, pseudo-random generators
► Authentication and key establishment. Case study: Kerberos
► IP security. Case study: IPsec protocol suite
► Web security. Case study: SSL/TLS (Transport Layer Security)
slide 18
Syllabus (2): Attacks and Defenses
► Buffer overflow attacks
► Network attacks: distributed denial of service; worms and viruses; attacks on routing and DNS infrastructure
► Defense tools: firewalls and intrusion detection systems
► Wireless security
► Spam and phishing
slide 19
Peek at the Dark SidePeek at the Dark Side
The only reason we will be learning about attack techniques is to build better defenses
Don’t even think about using this knowledge to attack anyone
slide 20
Motivation
https://
slide 21
Excerpt From “General Terms of Use”
YOU ACKNOWLEDGE THAT NEITHER WELLS FARGO, ITS AFFILIATES NOR ANY OF THEIR RESPECTIVE EMPLOYEES, AGENTS, THIRD PARTY CONTENT PROVIDERS OR LICENSORS WARRANT THAT THE SERVICES OR THE SITE WILL BE UNINTERRUPTED OR ERROR FREE; NOR DO THEY MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES OR THE SITE, OR AS TO THE TIMELINESS, SEQUENCE, ACCURACY, RELIABILITY, COMPLETENESS OR CONTENT OF ANY INFORMATION, SERVICE, OR MERCHANDISE PROVIDED THROUGH THE SERVICES AND THE SITE.
slide 22
“Privacy and Security”
“As a Wells Fargo customer, your privacy and security always come first.”
Privacy policy for individuals
Online privacy policy
Our commitment to online security
Online and computer security tips
How we protect you
General terms of use
slide 24
What Do You Think?
What do you think should be included in “privacy and security” for an e-commerce website?
slide 25
Desirable Security Properties
► Authenticity
► Confidentiality
► Integrity
► Availability
► Accountability and non-repudiation
► Freshness
► Access control
► Privacy of collected information
► Integrity of routing and DNS infrastructure
slide 26
What Drives the Attackers?
► Put up a fake financial website, collect users’ logins and passwords, empty out their accounts
► Insert a hidden program into unsuspecting users’ computers, use them to spread spam
► Subvert copy protection, gain access to music and video files
► Stage denial of service attacks on websites, extort money
► Wreak havoc, achieve fame and glory in the blackhat community
Network Stack
[Figure: layers of the stack, the protocol at each layer, and representative attacks against it]
people: phishing attacks, usability
application (email, Web, NFS): Sendmail, FTP, NFS bugs, chosen-protocol and version-rollback attacks
session (RPC): RPC worms, portmapper exploits
transport (TCP): SYN flooding, RIP attacks, sequence number prediction
network (IP): IP smurfing and other address spoofing attacks
data link (802.11): WEP attacks
physical (RF): RF fingerprinting, DoS
Only as secure as the single weakest layer… or interconnection between the layers
slide 27
slide 28
Network Defenses
[Figure: the layers of defense, from building blocks up to people]
Building blocks: cryptographic primitives (RSA, DSS, SHA-1…)
Blueprints: protocols and policies (TLS, IPsec, access control…)
Systems: implementations (firewalls, intrusion detection…)
People: end users (password managers, company policies…)
… all defense mechanisms must work correctly and securely
slide 29
Correctness versus Security
► System correctness: system satisfies specification. For reasonable input, get reasonable output.
► System security: system properties preserved in face of attack. For unreasonable input, output not completely disastrous.
► Main difference: active interference from adversary
► Modular design may increase vulnerability …
► … but also increases security (small TCB)
slide 30
Bad News
► Security often not a primary consideration: performance and usability take precedence
► Feature-rich systems may be poorly understood
► Implementations are buggy: buffer overflows are the “vulnerability of the decade”; cross-site scripting and other Web attacks
► Networks are more open and accessible than ever: increased exposure, easier to cover tracks
► Many attacks are not even technical in nature: phishing, impersonation, etc.
slide 31
Better News
► There are a lot of defense mechanisms. We’ll study some, but by no means all, in this course.
► It’s important to understand their limitations. “If you think cryptography will solve your problem, then you don’t understand cryptography… and you don’t understand your problem” -- Bruce Schneier. Many security holes are based on misunderstanding.
► Security awareness and user “buy-in” help
► Other important factors: usability and economics
slide 32
Reading Assignment
► Review Kaufman, section 1.5: primer on networking
► Start reading buffer overflow materials on the course website (CMS): “Smashing the Stack for Fun and Profit”
► http://web.uettaxila.edu.pk/CMS/AUT2010/teNSbs
Why study computer security?
► (1) Computer security is fundamental to individual privacy.
► Many of us keep personal data on our accounts: emails, bookmarks, coursework.
► Many of us use the network to send personal data or retrieve personal data.
► Many remote computers keep personal data for us: financial data and accounts, medical history.
► We want to protect these resources.
slide 33
Why study computer security?
► (2) Our society is increasingly reliant on the proper operation of networked computer systems, and on the integrity of their data: financial and commercial operations, medical operations, meteorological, government, social welfare, and so on (not to mention the Internet itself).
► The protection of these systems is as vital as our dependence on the services they provide.
► An understanding of their limitations is vital.
► Exploited systems have resulted in people’s deaths. (Unavailable forecasts have caused a ship at sea to be lost.)
slide 34
What is cryptology?
► Greek: “krypto” = hide
► Cryptology – science of hiding = cryptography + cryptanalysis + steganography
► Cryptography – secret writing
► Cryptanalysis – analyzing (breaking) secrets. Cryptanalysis is what the attacker does; decipher or decryption is what the legitimate receiver does.
slide 35
Steganography
► “Covered” messages
► Technical steganography: invisible ink, shaved heads, microdots
► Linguistic steganography: “open code” – secret message appears innocent
► “East wind rain” = war with USA
► Hide message in low-order bits in GIF
slide 36
Cryptology and Security
Cryptology is a branch of mathematics.
Security is about people.
slide 37
Terminology
[Figure: Alice encrypts Plaintext into Ciphertext, which crosses an Insecure Channel with Eve on it; Bob decrypts the Ciphertext back into Plaintext]
C = E(P)
P = D(C)
E must be invertible
slide 38
Cryptography
► Always involves 2 things: transformation and secret
slide 39
Alice and Bob
[Figure: Alice encrypts Plaintext into Ciphertext with encryption key KE; Bob decrypts Ciphertext into Plaintext with decryption key KD]
C = E(KE, P) = E_KE(P)
P = D(KD, C) = D_KD(C)
If KE = KD it is symmetric encryption
If KE ≠ KD it is asymmetric encryption
slide 40
Substitution Cipher
► C = E_K(p), where C_i = K[p_i]
► Key is alphabet mapping: a → J, b → L, ...
► Suppose attacker knows algorithm but not key, how many keys to try? 26!
If every person on earth tried one per second, it would take 5B years.
slide 41
Monoalphabetic Cipher
“XBW HGQW XS ACFPSUWG FWPGWXF CF AWWKZV CDQGJCDWA CD BHYJD DJXHGW; WUWD XBW ZWJFX PHGCSHF YCDA CF GSHFWA LV XBW KGSYCFW SI FBJGCDQ RDSOZWAQW OCXBBWZA IGSY SXBWGF.”
slide 42
Frequency Analysis
“XBW HGQW XS ACFPSUWG FWPGWXF CF AWWKZV CDQGJCDWA CD BHYJD DJXHGW; WUWD XBW ZWJFX PHGCSHF YCDA CF GSHFWA LV XBW KGSYCFW SI FBJGCDQ RDSOZWAQW OCXBBWZA IGSY SXBWGF.”
Most frequent ciphertext letters:   “Normal” English:
W: 20                               e 12%
C: 11                               t 9%
F: 11                               a 8%
G: 11
slide 43
Pattern Analysis
“XBe HGQe XS ACFPSUeG FePGeXF CF AeeKZV CDQGJCDeA CD BHYJD DJXHGe; eUeD XBe ZeJFX PHGCSHF YCDA CF GSHFeA LV XBe KGSYCFe SI FBJGCDQ RDSOZeAQe OCXBBeZA IGSY SXBeGF.”
XBe = “the”
Most common trigrams in English:
the = 6.4%
and = 3.4%
slide 44
Guessing
“the HGQe tS ACFPSUeG FePGetF CF AeeKZV CDQGJCDeA CD hHYJD DJtHGe; eUeD the ZeJFt PHGCSHF YCDA CF GSHFeA LV the KGSYCFe SI FhJGCDQ RDSOZeAQe OCthheZA IGSY StheGF.”
S = “o”
slide 45
Guessing
“the HGQe to ACFPoUeG FePGetF CF AeeKZV CDQGJCDeA CD hHYJD DJtHGe; eUeD the ZeJFt PHGCoHF YCDA CF GoHFeA LV the KGoYCFe oI FhJGCDQ RDoOZeAQe OCthheZA IGoY otheGF.”
otheGF = “others”
slide 46
Guessing
“the HrQe to ACsPoUer sePrets Cs AeeKZV CDQrJCDeA CD hHYJD DJtHre; eUeD the ZeJst PHrCoHs YCDA Cs roHseA LV the KroYCse oI shJrCDQ RDoOZeAQe OCthheZA IroY others.”
“sePrets” = “secrets”
slide 47
Guessing
“the HrQe to ACscoUer secrets Cs AeeKZV CDQrJCDeA CD hHYJD DJtHre; eUeD the ZeJst cHrCoHs YCDA Cs roHseA LV the KroYCse oI shJrCDQ RDoOZeAQe OCthheZA IroY others.”
“ACscoUer” = “discover”
slide 48
Guessing
“the HrQe to discover secrets is deeKZV iDQrJiDed iD hHYJD DJtHre; eveD the ZeJst cHrioHs YiDd is roHsed LV the KroYise oI shJriDQ RDoOZedQe OithheZd IroY others.”
slide 49
Monoalphabetic Cipher
“The urge to discover secrets is deeply ingrained in human nature; even the least curious mind is roused by the promise of sharing knowledge withheld from others.”
- John Chadwick, The Decipherment of Linear B
slide 50
Why was it so easy?
► Doesn’t hide statistical properties of plaintext
► Doesn’t hide higher statistics, i.e. relationships in plaintext (EE cannot match dg)
► English (and all natural languages) are very redundant
► Compress English with zip – about 1:6
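The frequency and pattern analysis walked through on the preceding slides, as an added Python example (not from the slides): it counts letters and trigrams in the slide ciphertext, replays the guesses in the order the slides make them, and checks the result against the Chadwick plaintext. The English letter ranking and the grouping of guesses into steps are mine.

```python
from collections import Counter

# Ciphertext from the slides: a John Chadwick quote under a monoalphabetic
# substitution (upper case marks cipher letters that are still unknown).
CIPHERTEXT = (
    "XBW HGQW XS ACFPSUWG FWPGWXF CF AWWKZV CDQGJCDWA CD BHYJD DJXHGW; "
    "WUWD XBW ZWJFX PHGCSHF YCDA CF GSHFWA LV XBW KGSYCFW SI FBJGCDQ "
    "RDSOZWAQW OCXBBWZA IGSY SXBWGF."
)

# English letters by approximate frequency (e ~12%, t ~9%, a ~8%, ...); my table.
ENGLISH_BY_FREQ = "etaoinshrdlcumwfgypbvkjxqz"

# The guesses the slides make, in order. Each step is justified by the statistic
# or word pattern in the comment; the last step fills in what remains.
GUESS_STEPS = [
    {"W": "e"},                              # most frequent cipher letter (20 times)
    {"X": "t", "B": "h"},                    # most frequent trigram XBe -> "the"
    {"S": "o"},                              # two-letter word tS -> "to"
    {"G": "r", "F": "s"},                    # otheGF -> "others"
    {"P": "c"},                              # sePrets -> "secrets"
    {"A": "d", "U": "v", "C": "i"},          # ACscoUer -> "discover", Cs -> "is"
    {"D": "n", "H": "u", "Q": "g", "J": "a", "Z": "l", "K": "p", "V": "y",
     "Y": "m", "L": "b", "I": "f", "R": "k", "O": "w"},
]


def letter_counts(text):
    """Counts of the still-unknown (upper-case) cipher letters. A monoalphabetic
    substitution preserves single-letter statistics exactly, which is the weakness."""
    return Counter(ch for ch in text if ch.isalpha() and ch.isupper())


def trigram_counts(text):
    """Trigram counts taken inside words only (spaces and punctuation break one)."""
    words = "".join(ch if ch.isalpha() else " " for ch in text).split()
    return Counter(w[i:i + 3] for w in words for i in range(len(w) - 2))


def guess_by_frequency(text, top=1):
    """Pair the `top` most frequent cipher letters with English letters by rank.
    Reliable only for the first one or two: C, F and G tie at 11 here, so the
    order below 'e' is arbitrary, which is why the slides switch to patterns."""
    ranked = [c for c, _ in letter_counts(text).most_common(top)]
    return dict(zip(ranked, ENGLISH_BY_FREQ))


def apply_key(text, key):
    """Replace known cipher letters with lower-case plaintext, leaving the rest."""
    return "".join(key.get(ch, ch) for ch in text)


def decrypt_stepwise(text, steps):
    """Accumulate the guesses and return the partial decryption after each step,
    rejecting a step that maps two cipher letters onto one plaintext letter
    (the key of a substitution cipher must be a permutation of the alphabet)."""
    key, partials = {}, []
    for step in steps:
        key.update(step)
        if len(set(key.values())) != len(key):
            raise ValueError("key is not a permutation: two cipher letters share a plaintext letter")
        partials.append(apply_key(text, key))
    return partials


if __name__ == "__main__":
    print("letters:", letter_counts(CIPHERTEXT).most_common(4))
    print("trigrams:", trigram_counts(CIPHERTEXT).most_common(3))
    for n, partial in enumerate(decrypt_stepwise(CIPHERTEXT, GUESS_STEPS), 1):
        print(f"step {n}: {partial}")
```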
slide 51
How to make it harder?
► Hide statistical properties: encrypt “e” with 12 different symbols, “t” with 9 different symbols, etc.; add nulls, remove spaces
► Polyalphabetic cipher: use different substitutions
► Transposition: scramble order of letters
slide 52
Network Security
► Most computers require some kind of information sharing.
► Common modes of information sharing with other computers vary from sneaker nets to high-speed networks.
► Securing individual computers therefore requires network security as an essential part.
slide 53
Network Layer Vulnerabilities
► We'll discuss IPv4, although other protocols can be used at this level
► IP features: network addresses, IP spoofing, fragmentation
► IP components: ICMP
► Transport layer components dependent on IP: UDP, TCP
slide 54
IP Addresses
► Format "A.B.C.D" where each letter is a byte
► Class A network: A.0.0.0 (zeroes are used to indicate that any number could be in that position)
► Class B network: A.B.0.0
► Class C network: A.B.C.0
► Broadcast addresses: 255.255.255.255, A.B.C.255
► Special case: 0.0.0.0 and A.B.C.0 can be either treated as a broadcast or discarded
slide 55
Other IP Addresses
► Multicast (class D): 224.0.0.0 to 239.255.255.255
► Class E (experimental, reserved, i.e., wasted): 240.0.0.0 to 254.255.255.255
slide 56
Junctions
► Router (gateway): works at the network layer (e.g., IP); joins subnets; tries to send packets on the best route
► Performs routing
► Firewall: packet filter that enforces policies (through its filtering)
► Can be transparent and non-addressable
► A firewall is not necessarily used as a router (might have only two interfaces), but it may be
► A router is not necessarily a firewall
► Some configurations have firewalls behind routers
slide 57
Special Networks
► Private non-routable networks: 192.168.0.0, 172.16.0.0, 10.0.0.0
► Loopback network: 127.0.0.0; typically only 127.0.0.1 is used
slide 58
CIDR Addresses
► Classless Inter-Domain Routing: classes A, B, C too rigid; add flexibility on a bit level instead of byte level
► W.X.Y.Z/B: B is the number of bits that constitute the network address; /8 is class A, /16 is class B, /24 is class C
slide 59
IP Packet
► Source IP
► Destination IP
► Checksum
slide 60
IP Spoofing
► Any station can send packets pretending to be from any IP address
► Replies will be routed to the appropriate subnet (route asymmetry), so an attacker might not get replies if spoofing a host on a different subnet
► For some attacks this is not important
► Analogy: nothing prevents you from physically mailing a letter with an invalid return address, or someone else’s, or your own. Likewise, packets can be inserted in the network with invalid or other IP addresses.
slide 61
IP Spoofing with Amplification
► Use broadcasts pretending to originate from victim
► All replies go back to victim
► This may use any IP protocol (ICMP, TCP, UDP): any application or service that replies using these protocols. Famous attack: Smurf (using ICMP) DoS
► CERT® Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks
► Many others
► Smurf Amplifier Registry: http://www.powertech.no/smurf/
slide 62
ICMP
► Internet Control Message Protocol (IP management)
► Error handling and debugging protocol
► Not authenticated!
► Encapsulated inside an IP header
► Message types: 40 assigned, 255 possible, about two dozen in use
► References: Network Intrusion Detection, http://www.iana.org/assignments/icmp-parameters
slide 63
Basic ICMP Message Types
► 0 Echo Reply
► 3 Destination Unreachable
► 4 Source Quench
► 5 Redirect
► 8 Echo
► 11 Time Exceeded
► 12 Parameter Problem
► 13 Timestamp
► 14 Timestamp Reply
► 15 Information Request
► 16 Information Reply
slide 64
ICMP Echo
►a.k.a. Ping
►The destination replies with an "echo reply" addressed to the "source IP" of the original message; that source address is never verified
►Data received in the echo message must be returned in the echo reply
►How can this be abused?
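The following is an added example and not part of the original slides: a self-contained Python model of the echo exchange described above. It builds an echo request with the RFC 1071 checksum, parses it the way a responding host would, and produces the echo reply, which carries the request's identifier, sequence number and data back and is addressed to whatever source the request claimed. The `Datagram` class is a stand-in for the IP layer invented for this example, and all addresses are constructed from documentation ranges.

```python
import struct
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd tail is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type(1) Code(1) Checksum(2) Identifier(2) Sequence(2) followed by the data."""
    if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an echo type")
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(raw: bytes):
    """Returns (type, ident, seq, payload); rejects truncated, non-echo or corrupted messages."""
    if len(raw) < 8:
        raise ValueError("truncated ICMP message")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an echo message")
    # summing the message with its checksum field in place must give all ones, i.e. complement 0
    if icmp_checksum(raw) != 0:
        raise ValueError("bad ICMP checksum")
    return msg_type, ident, seq, raw[8:]


@dataclass(frozen=True)
class Datagram:
    """Just enough of the IP layer to show where the reply goes (a stand-in made for this example)."""
    src: str
    dst: str
    icmp: bytes


def echo_reply_for(request: Datagram, responder_ip: str) -> Datagram:
    """What a host does per RFC 792: copy id, seq and data into an echo reply and send it
    to whatever source address the request carried. Nothing here can tell whether
    request.src is genuine, which is the whole problem."""
    msg_type, ident, seq, payload = parse_icmp_echo(request.icmp)
    if msg_type != ICMP_ECHO_REQUEST:
        raise ValueError("only echo requests are answered")
    return Datagram(src=responder_ip, dst=request.src,
                    icmp=build_icmp_echo(ICMP_ECHO_REPLY, ident, seq, payload))


def spoofed_ping_demo() -> Datagram:
    """An attacker pings 198.51.100.1 with the victim 203.0.113.9 as the claimed source
    (constructed addresses); the reply is delivered to the victim, not the attacker."""
    victim, target = "203.0.113.9", "198.51.100.1"
    req = Datagram(src=victim, dst=target,
                   icmp=build_icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 7, b"hello"))
    return echo_reply_for(req, target)


if __name__ == "__main__":
    reply = spoofed_ping_demo()
    print("reply goes to", reply.dst, "carrying", parse_icmp_echo(reply.icmp)[3])
```

Two things to take from running it: the responder has no input other than the source field when deciding where the reply goes, and the data portion is copied back verbatim, so whatever the requester puts there comes out the other side unchanged.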
slide 65
Scans and Recon
►If an attacker wants to map your network, the trivial way is to ping all the IP addresses in your network...
►Therefore, if you allow pings from arbitrary hosts, your address space can be enumerated from outside.
slide 66
Smurf Attack
►Ping a broadcast address, with the (spoofed) IP of a victim as source address
►All hosts on the network respond to the victim
►The victim is overwhelmed
►Keys: amplification and IP spoofing
►Protocol-level weakness; implementations mitigate it by ignoring echo requests sent to broadcast addresses (RFC 1122 permits hosts to silently discard them) and routers by refusing to forward directed broadcasts (the default since RFC 2644)
►ICMP echo is just used for convenience
 Any ICMP request that elicits a reply (echo, timestamp, address mask) can be abused this way
 "Fraggle" is the equivalent, using UDP (the echo and chargen services) instead of ICMP
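The following is an added example, not code from the slides, covering both the amplification slide above and the Smurf description here. It shows the two mitigations as decision functions (a host refusing to answer broadcast-addressed echo requests, a router refusing to forward directed broadcasts unless explicitly enabled) and two detection signals run over a constructed trace: an outside source probing one of our broadcast addresses (the amplifier side) and a burst of echo replies from many sources to one address (the victim side). Record layout, thresholds, and the 192.0.2.0/24 / 198.51.100.0/24 / 203.0.113.0/24 addresses are all assumptions made for this example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpRecord:
    """One ICMP packet as a flow log or sniffer might summarise it (constructed layout)."""
    ts: float        # seconds
    src: str
    dst: str
    icmp_type: int


def parse_nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def is_broadcast_target(dst: str, nets) -> bool:
    """True for the limited broadcast 255.255.255.255 or the directed broadcast of any of `nets`."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in nets)


def host_answers_echo(rec: IcmpRecord, local_nets) -> bool:
    """Host-side mitigation: RFC 1122 lets a host silently discard echo requests aimed at a
    broadcast or multicast address, so it never acts as an amplifier."""
    if rec.icmp_type != ICMP_ECHO_REQUEST:
        return False
    if ipaddress.ip_address(rec.dst).is_multicast:
        return False
    return not is_broadcast_target(rec.dst, local_nets)


def router_forwards(rec: IcmpRecord, attached_nets, directed_broadcast: bool = False) -> bool:
    """Router-side mitigation (the RFC 2644 default): a packet addressed to the directed
    broadcast of an attached subnet is dropped unless that forwarding is explicitly enabled."""
    if is_broadcast_target(rec.dst, attached_nets):
        return directed_broadcast
    return True


def find_amplifier_probes(records, local_nets):
    """Amplifier-side signal: echo requests to one of our broadcast addresses from outside."""
    hits = []
    for r in records:
        if r.icmp_type != ICMP_ECHO_REQUEST:
            continue
        src = ipaddress.ip_address(r.src)
        if is_broadcast_target(r.dst, local_nets) and not any(src in n for n in local_nets):
            hits.append((r.src, r.dst))
    return hits


def find_smurf_victims(records, window=1.0, min_replies=20, min_sources=10):
    """Victim-side signal: many echo replies from many distinct sources to one destination
    inside `window` seconds. Returns {victim: largest burst seen}."""
    by_dst = defaultdict(list)
    for r in records:
        if r.icmp_type == ICMP_ECHO_REPLY:
            by_dst[r.dst].append(r)
    alerts = {}
    for dst, reps in by_dst.items():
        reps.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(reps)):           # sliding window over the sorted replies
            while reps[end].ts - reps[start].ts > window:
                start += 1
            burst = reps[start:end + 1]
            if len(burst) >= min_replies and len({r.src for r in burst}) >= min_sources:
                alerts[dst] = max(alerts.get(dst, 0), len(burst))
    return alerts


def constructed_sample():
    """Constructed trace: an outside host pings 192.0.2.255 claiming to be 203.0.113.5,
    30 hosts on 192.0.2.0/24 answer the victim, plus one ordinary ping exchange."""
    recs = [IcmpRecord(0.0, "198.51.100.9", "192.0.2.255", ICMP_ECHO_REQUEST)]
    recs += [IcmpRecord(0.01 * i, f"192.0.2.{i}", "203.0.113.5", ICMP_ECHO_REPLY)
             for i in range(1, 31)]
    recs += [IcmpRecord(5.0 + i, "192.0.2.1", "192.0.2.50", ICMP_ECHO_REPLY) for i in range(3)]
    return recs


if __name__ == "__main__":
    nets = parse_nets(["192.0.2.0/24"])
    recs = constructed_sample()
    print("amplifier probes:", find_amplifier_probes(recs, nets))
    print("victims:", find_smurf_victims(recs))
```

The victim-side check is the one worth deploying on a border sensor: the replies are legitimate packets from real hosts, so only the ratio of distinct sources to a single destination in a short window gives them away. The amplifier-side check only works where you know your own subnet masks, which is why it belongs on the router or host, not on a generic sensor.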
slide 67
Other Ping Abuse
►Tribe, a.k.a. the "Tribe Flood Network" distributed denial-of-service attack tool
►Uses ICMP echo request and reply as a covert communication channel to issue commands to infected computers
 Attackers reversed the normal usage of reply and request messages
►Reply messages are used to issue commands and bypass firewalls: stateless filters that admit inbound echo replies (so that outbound pings keep working) let them straight through
►http://staff.washington.edu/dittrich/misc/tfn.analysis
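The following is an added example, not part of the slides or of the TFN analysis linked above: a small stateful detector that flags an echo reply for which no matching request (same endpoints reversed, same identifier and sequence number) was seen recently. That pairing is what a stateful firewall's ICMP tracking does and what a stateless "allow echo-reply in" rule omits. The constructed trace contains one normal exchange, one reply that nobody asked for modelled on the linked analysis (which reports the command carried in the ICMP identifier field and arguments in the data), and one reply that arrives after the request has timed out. The event layout, timeout and addresses are assumptions made for this example.

```python
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class EchoEvent:
    """Fields a sensor would already have decoded from an ICMP echo packet (constructed layout)."""
    ts: float
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int
    payload: bytes


class UnsolicitedReplyDetector:
    """An echo reply is only legitimate if its mirror-image request was seen within `timeout`."""

    def __init__(self, timeout: float = 5.0):
        self.timeout = timeout
        self.pending = {}   # (requester, target, ident, seq) -> request timestamp

    def _expire(self, now: float) -> None:
        stale = [k for k, ts in self.pending.items() if now - ts > self.timeout]
        for k in stale:
            del self.pending[k]

    def observe(self, ev: EchoEvent):
        """Returns an alert string for a reply with no live matching request, else None."""
        self._expire(ev.ts)
        if ev.icmp_type == ICMP_ECHO_REQUEST:
            self.pending[(ev.src, ev.dst, ev.ident, ev.seq)] = ev.ts
            return None
        if ev.icmp_type != ICMP_ECHO_REPLY:
            return None
        key = (ev.dst, ev.src, ev.ident, ev.seq)   # a reply flows target -> requester
        if self.pending.pop(key, None) is not None:
            return None
        return (f"unsolicited echo reply {ev.src} -> {ev.dst} "
                f"id={ev.ident} seq={ev.seq} data={ev.payload!r}")


def find_unsolicited_replies(events, timeout: float = 5.0):
    """Runs the detector over a trace in timestamp order and returns the alerts."""
    det = UnsolicitedReplyDetector(timeout)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = det.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_events():
    """Constructed trace: a normal ping, a TFN-style command reply, and a late reply."""
    return [
        EchoEvent(0.00, "192.0.2.10", "198.51.100.1", ICMP_ECHO_REQUEST, 0x1A2B, 1, b"abcdefgh"),
        EchoEvent(0.02, "198.51.100.1", "192.0.2.10", ICMP_ECHO_REPLY, 0x1A2B, 1, b"abcdefgh"),
        # handler -> daemon: a command number in the id field, its argument in the data
        EchoEvent(1.00, "203.0.113.77", "192.0.2.20", ICMP_ECHO_REPLY, 345, 0, b"198.51.100.200"),
        EchoEvent(2.00, "192.0.2.10", "198.51.100.1", ICMP_ECHO_REQUEST, 0x1A2B, 2, b"abcdefgh"),
        EchoEvent(9.00, "198.51.100.1", "192.0.2.10", ICMP_ECHO_REPLY, 0x1A2B, 2, b"abcdefgh"),
    ]


if __name__ == "__main__":
    for line in find_unsolicited_replies(constructed_events()):
        print(line)
```

The late reply in the trace is a deliberate false positive: on a lossy or slow path a too-short timeout will flag honest replies, so tune `timeout` against your own ping latencies before alerting on it. The command reply is the real signal, and note that nothing in it is malformed; only the missing request gives it away.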
slide 68
Why Do You Need Pings?
►To troubleshoot when something doesn’t work
►=> if everything works then you don’t need pings, especially pings from outside your network...
►CAN-1999-0523 (under review)
 ICMP echo (ping) is allowed from arbitrary hosts.
slide 69
About These Slides
► You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions.
 You must give the original author and other contributors credit
 The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes
 For any reuse or distribution, you must make clear to others the terms of use for this work
 Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification
► Thanks to the support of Symantec Corporation
slide 70
Questions
[email protected] (uettaxila.edu.pk)