SE571 Security in Computing

SE571Security in Computing

Chap 7: Security in Networks

SE571 Security in Computing Dr. Ogara 2

This Chapter Examines… Threats against networked

applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks

Controls against network attacks: physical security, policies, procedures, and other technical controls


This Chapter Examines… Firewalls: design, capabilities,

limitations Intrusion detection systems Private e-mail: PGP and S/MIME


Research: Top 5 Network Security Threats for 2011

Users• Managed users

Employees/staff Managed and unmanaged devices – Laptops,

Smartphone• Unmanaged users

Guests Contractors Consultants Business partners

(Source: Bradford Network, 2011)



Mobile device proliferation• Smartphone – different models/different

companies• Tablets/iPads• EBook

IP everything – exponential growth in IP devices• Surveillance camera• Card readers




Consumerization of IT• Consumer markets driving IT• Personal devices growing rapidly and must

be supported by IT Virtualization

• Server applications in private cloud• Virtual desktop in virtual environment



Research: Consumerization of IT Survey 2011

Study sponsored by Dell KACE 741 IT professionals participated Employees using personal devices

(87%)• Email• Calendar• CRM/ERP

Employees using Smartphone (80%) Employees using personal PCs (69%) https://www.kace.com/resources/Consumerization-of-IT-Survey-2011


Network Security What are we protecting? Why are we protecting ? What are assets? What are threats? What are the controls?


Network Assets Network infrastructure Applications programs Data


Network Threats Interception

• Eavesdropping• Passive wiretapping

Modification• Active wiretapping• Falsification• Compromise of authenticity

Denial of service


Network Controls Firewalls Intrusion detection systems Secure email


Terminologies Network – a collection of

communicating hosts Node – single computing system in a

network Link – connection between two hosts Host – single computer in a network A workstation - an end-user

computing device, usually designed for a single user at a time


Terminologies Topology - the way a network is

configured, in terms of nodes and connections

Protocol – standard method for transmitting data and/or establishing communications between different devices

Protocol stack – is a layered architecture for communications


Network


Protocols Two popular protocol stacks for

implementing networks

I. Open Systems Interconnection (OSI)II. Transmission Control Protocol and

Internet Protocol (TCP/IP)


OSI Model Contains 7 layers Layers represent the different

activities that must be performed for actual transmission of a message


OSI Network Model


OSI Protocol Layer Levels


OSI Protocol Layer Levels What happens when you send

message to [email protected]?

Physical Layer Data link Network layer

• Router sends message to destination router • Adds 2 headers (source and destination IP

address)


OSI Protocol Layer Levels Data link

• Network Interface Card (NIC) provides physical address called MAC (Media Access Control) address

• Two more headers added (source computer and router NIC address)

• Structure is called frame and contains destination MAC, source MAC and data


OSI Protocol Layer Levels Data link


OSI Protocol Layer Levels Network layer

• Router sends message to destination router • Adds 2 headers (source and destination IP

address) to data• These are called packets


TCP/IP Model Common in most wide area network

communications Defined by protocols not layers

although it is seen as 4 layers

1. Application2. Transport3. Internet4. Physical


TCP/IP Model It denotes two models although used

as a single acronym TCP implements a connected

communications session on top of the more basic IP transport protocol


TCP/IP Model


TCP Protocol Records and checks correct

sequencing of packets Retransmits missing or faulty packets Provides a stream of correct data in

proper order to the invoking application

Problem - retransmissions of faulty or missing packets take time and induce overhead


TCP Packet Data structure

• Includes a sequence number, an acknowledgment number for connecting the packets of a communication session, flags, and source and destination port numbers

Port - unique channel number by which computers can route their respective packets to each of them


Internet Services


Local Area Networks (LAN) Covers a small distance typically

within a single building Connects several small computers,

such as personal computers, as well as printers and perhaps some dedicated file storage devices


Local Area Networks (LAN)


Wide Area Networks (WAN) Single control – usually controlled by

one organization Covers a significant distance Physically exposed

Examples, campus area networks, metropolitan area networks


What Makes a Network Vulnerable? Anonymity

• Anonymous attackers Many points of attack—both targets

and origins • Less rigorous security

Sharing Complexity of system Unknown perimeter - untrusted

hosts in networks


Why do people attack networks Fame or recognition Money and espionage Organized crime Advance an ideology


Network Vulnerabilities, Targets and Controls

What are the targets? What are the vulnerabilities? What are the controls?


Vulnerabilities that target precursors to attack

Port scan• Gives external picture – open doors• Standard ports or services running?

Social engineering• Use of social skills and personal interaction

to get someone to reveal security-relevant information

Reconnaissance OS and application fingerprinting


Control of vulnerabilities Firewall “Hardened” (self-defensive)

applications Programs that reply with only what is

necessary Intrusion detection system Run few services as possible


Control of vulnerabilities Education, user awareness Policies and procedures Systems in which two people must

agree to perform certain security-critical functions


Network vulnerabilities that target authentication failures

Impersonation Guessing Eavesdropping Session hijacking Spoofing Man-in-the-middle attack


Control of vulnerabilities Strong, one-time authentication Virtual private network Encrypted authentication channel Education, user awareness Virtual private network Protocol analysis


Network vulnerabilities that target programming flaws

Buffer overflow Addressing errors Parameter modification, time-of-

check to time-of-use errors Server-side include

• Cookies• Malicious active code: Java, ActiveX • Malicious code: virus, worm, Trojan horse


Control of vulnerabilities Programming controls Intrusion detection system Personal firewall Two-way authentication Controlled execution environment Signed code


Network vulnerabilities that target confidentiality

Protocol flaw Malicious code: virus, worm, Trojan

horse Eavesdropping Passive wiretap Misdelivery Exposure within network Traffic flow analysis Cookie


Control of vulnerabilities Firewall Encryption Intrusion detection system Controlled execution environment Programming controls


Network vulnerabilities that target integrity

Protocol flaw Impersonation Active wiretap Falsification of message Noise Website defacement DNS attack


Control of vulnerabilities Firewall Encryption Intrusion detection system Controlled execution environment Audit Protocol analysis Strong authentication Error detection code Honey pot


Network vulnerabilities that target availability

Protocol flaw Transmission of component failure DNS attack Traffic redirection Distributed denial of service Connection flooding


Control of vulnerabilities Encryption Firewall Intrusion detection system Honey pot


Encryption Most important and versatile tool for

network security expert Important

• Privacy• Authenticity• Integrity• Limited access to data

Not a silver bullet Protects encrypted data only


Encryption Can be applied in two ways

• Link encryption • End-to-end encryption


Link Encryption Data is encrypted before the system

places them on the physical communications link

Encryption takes place in layer 1 or 2 of the OSI model

Encryption protects message during transit

Message is plaintext inside the hosts


Link Encryption Data exposed in sending host Data exposed in intermediate nodes Applied by sending host Invisible to user Host maintains encryption Encryption done in hardware Provides node authentication All or no data encrypted


Link Encryption


Link Encryption


End-to-End Encryption Security available from one end of

transmission to the other Encryption can be applied by either

hardware or software running on the computer

Encryption takes place at the highest level of OSI model – application and presentation


End-to-End Encryption Data encrypted in sending host Data encrypted in intermediate

nodes User applies encryption User selects encryption Either software or hardware

implementation User chooses to encrypt or not Provides user authentication


End-to-End Encryption


End-to-End Encryption


Virtual Private Networks Communication passes through an

encrypted tunnel User’s client establishes

communication with network firewall User and firewall negotiate a session

encryption key


Virtual Private Networks Firewall and user encrypt all traffic

between them Firewall authenticates user through

authentication server Firewall implements access control

(provide appropriate security privileges)


Virtual Private Networks


PKI and Certificates PKI is a process created to enable users to

implement public key cryptography Provides identification and access control

information to users• Create certificates associating user’s identity with

cryptographic key• Give out certificates from its database• Sign certificates thus adding credibility to authenticity of

certificates• Confirm or deny that certificate is valid• Invalidate certificates for users who are no longer allowed

to access or whose private key has been exposed


PKI and Certificates PKI sets up entities called certificate

authorities that implement PKI policy Assumption is certificate authorities are

trusted Functions of certificate authorities

• Manage public key certificates for their whole life cycle• Issue certificates by binding a user’s or system identity

to a public key with a digital signature• Schedule expiry dates for certificates• Ensure that certificates are revoked by publishing

certificate revocation list


SSH Encryption SSH stands for secure shell is a pair of

protocols (V1 and V2) Provides an authenticated and encrypted

path to a shell or operating system command interpreter

Protects against spoofing attacks and modification of data in communications

Protocol involves negotiation between local and remote sites for encryption algorithm (e.g. DES, IDEA, AES) and authentication


SSL Encryption SSL stands for Secure Socket Layer Also known as TLS – Transport Layer Security Protocol was originally designed by Netscape

to protect communication between web browser and server

It interfaces between apps(e.g. browser) and TCP/IP protocols to provide server authentication, client authentication and encrypted communication channel between client and server


SSL Encryption SSL protocol is the most widely used

secure communication protocol in the Internet

Only protects data between client’s browser and server


IPSec Stands for IP Security Protocol Similar to SSL i.e. supports

authentication and confidentiality Defines standard means for handling

encrypted data Designed to handle shortcomings of

IPv6 such as:• Spoofing• Eavesdropping• Session hijacking


IPSec Fundamental data structures are

• AH – authenticated header• ESP – Encapsulated Security Payload

Contains both authenticated and encrypted portion

Packets: (a) Conventional Packet; (b) IPSec Packet


Wireless security SSID – Service Set Identifier

• Authenticate remote computer WEP – Wired Equivalent Privacy

• Uses encryption to prevent eavesdropping and impersonation

• Uses encryption key for authentication• IEEE standard 802.11• Uses 64 and 128 bit encryption• Not effective against brute force attack


Wireless security WPA and WPA2– WIFI Protected Access

• Addresses known security deficiencies in WEP• IEEE standard 802.11i• Uses encryption key that is unchanged until

user enters new key at the client and access point

• Encryption key is changed automatically at each packet (Temporal Key Integrity Program)


Honeypots Computer system open to attackers Goal

• Watch what attackers do• Lure attackers in order to study their habits• Divert attackers attention so as to leave

your system alone


Firewalls Device that filters traffic between

protected/inside network and less trustworthy/outside network

Purpose• Keep bad things outside the protected

environment• Use security policies to limit access from

outside


Types of Firewalls Packet filtering gateways or

screening routers Stateful inspection firewalls Application proxies Guards Personal firewalls


Packet Filtering Gateway Most effective Control access based on packet

address or transport protocol such as HTTP


Stateful Inspection Firewall Maintains state information from one

packet to another in the input stream


Application Proxy Firewall

Packet filters look only at the headers of packets, not at the data inside the packets


Guard Firewall

Receives protocol data units, interprets them, and passes through the same or different protocol data units that achieve either the same result or a modified result


Personal Firewall

Application program that runs on a workstation to block unwanted traffic, usually from the network

Protect a (sub)network of multiple hosts result

May complement the work of a conventional firewall by screening the kind of data a single host will accept


Denial of Service Connection flooding

• Echo-Chargen Chargen is protocol used to generate packets Attacker makes host A to generate echo packets

to host B and host B replies to the echos Host A and B generates endless loop

• Ping of Death Attacker sends flood of pings to intended host Pings saturate victim’s bandwidth


Denial of Service Connection flooding

• Smurf – Attacker sends broadcast echo requests to the network with victim’s return address

• Syn flood – Attacker sends many SYN requests and never responds with ACKs thereby filling the victim’s SYN_RECV queue

• Teardrop – Attacker sends series of data grams that can not be reassembled properly


Denial of Service Traffic redirection

Attackers disrupt routers traffic redirection DNS attacks

Attackers redirect routing of traffic by overtaking domain server or causing it to cache spurious entries (DNS cache poisoning)

E.g. An attack in 2005 used a flaw in a Symantec firewall to allow a change in DNS records used by Windows machines. The poisoned DNS cache redirected users to advertising sites


Distributed Denial of Service Also called DDoS Attacker discretely plants Trojan

horse into machine e.g. through email attachment

Attacker repeats process using many targets (Zombie)

Attacker sends a signal to all Zombies to launch an attack against a victim (n attacks from n Zombies)


Distributed Denial of Service


Intrusion Detection Systems Also called IDS Device that monitors activities to identify

malicious and suspicious events Functions

• Monitor users and system activity• auditing system configuration for vulnerabilities and

misconfigurations • assessing the integrity of critical system and data files • recognizing known attack patterns in system activity • identifying abnormal activity through statistical analysis • managing audit trails and highlighting user violation of

policy or normal activity • correcting system configuration errors


Intrusion Detection Systems


Types of IDS Signature based

• perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type

Heuristic/Anomaly based• build a model of acceptable behavior and flag exceptions to

that model

A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network while a host-based IDS runs on a single workstation or client to protect that one host


Goals of IDS Filter on packet headers Filter on packet content Maintain connection state Use complex, multipacket signatures Use minimal number of signatures

with maximum effect


Goals of IDS Filter in real time, online Hide its presence Use optimal sliding time window size

to match signatures


Strengths of IDS IDSs detect an ever-growing number

of serious problems Adding their signatures to the IDS

model helps them to improve over time

Easier and cheaper to manage


Limitations of IDS Similar IDS may have identical

vulnerabilities Difficult to measure and adjust its

sensitivity Must be monitored and alarms

responded to otherwise it is useless


Secure Email Email is important in ecommerce Email is a medium of

communications


Email Requirements Message confidentiality (the message

is not exposed en route to the receiver)

Message integrity (what the receiver sees is what was sent)

Sender authenticity (the receiver is confident who the sender was)

Nonrepudiation (the sender cannot deny having sent the message)


Threats to Email message interception (confidentiality) message interception (blocked delivery) message interception and subsequent replay message content modification message origin modification message content forgery by outsider message origin forgery by outsider message content forgery by recipient message origin forgery by recipient denial of message transmission


Design for Encrypted Email Developed by Internet Society Allows for security enhanced

messages Works for both asymmetric and

symmetric encryptions Standard supports multiple

encryption algorithms• DES, 3DES and AES for confidentiality• RSA and Diffe-Hellman for key exchange


Overview encrypted email processing


Encrypted Email-Secured Message

Documents

SE571 Security in Computing