EE579T / CS525T Network Security
11: Intrusion Detection Systems; Wireless Security
Prof. Richard A. Stanley
Spring 2005 © 2000-2005, Richard A. Stanley

Overview of Tonight's Class
• Review last week's lesson
• Final Exam
  – On the web page
  – Due to me electronically in 2 weeks (26 Apr)
• Project Scheduling
  – Presentations on 15 April
  – Keep presentations to 25 minutes including Q&A
  – Let's have volunteers for each time slot, keeping in mind your work schedules
• Intrusion detection systems
• Wireless security

Summary (last week)
• SNMP is widely used for managing clients distributed across a network
• SNMPv1 is simple, effective, and provides the majority of SNMP service in the field
• SNMPv2 adds some functionality to v1
• SNMPv3 is a security overlay for either version, not a standalone replacement
• SNMP security is a major issue!

Intrusion Detection Systems
• Oddly enough, these are systems designed to detect intrusions into protected systems
• Security intrusion (per RFC 2828):
  – A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

What's a Security Incident?
• A security event that involves a security violation. (See: CERT, GRIP, security event, security intrusion, security violation.)
• In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached.
• "Any adverse event which compromises some aspect of computer or network security." [R2350]
Source: RFC 2828, page 152; emphasis added

Why Do We Need This?
• With the exception of authentication systems, most of the defenses we have studied up to now are directed towards intruders coming from outside the firewall
• These systems are not perfect; some intruders will get through
• Moreover, defenses such as firewalls cannot protect against intruders on the inside

Intrusion Detection Functions
• Monitor protected networks and computers in real time (or as close to real time as is practicable)
• Detect security incidents
  – Requires a policy, and a way for the IDS to know what that policy is
• Respond
  – Raise an alarm
  – Send some automated response to the attacker

IDS vs. Auditing
• Audits tend to be a posteriori
  – But an IDS can be seen as performing a constant, near-real-time audit function
• To perform an audit, you need to know what the policy is
  – Audits measure departures from the policy norms
  – Audits depend on system logs

Early IDSs
• Emulated the audit function
  – Crawled the logs, looking for deviations from policy-permitted actions
  – Intent was to speed up the audit, making it nearly real time
  – Still a useful approach
• IDS technology has been around only since the early 1990s; not too mature

IDS Uses
• Monitor system usage
  – Determine access, usage patterns
  – Plan for capacity engineering
• Monitor specific problem areas
• Serve as a deterrent
  – Sort of like the "burglar alarm" label on a house, even if there is really no alarm
Log Files
• Are evidence if an intrusion occurs
  – Must be stored in their original, unmodified form, otherwise inadmissible in court
  – Provide data from which trends can be deduced
  – Can be subjected to forensic analysis
  – Probably needed to assess the level of system compromise/damage and to restore to the state prior to the intrusion

Legal Issues - 1
• Privacy of your employees
  – Courts have held that employees have little expectation of privacy in the workplace, especially if told so at the outset
    • email can be monitored at work by the employer
    • phone calls can be monitored at work by the employer
    • doing either of these things outside the workplace violates the wiretap statutes (18 USC § 2516, etc.)

Legal Issues - 2
• What if the IDS discovers illegal acts being performed on/by your network?
  – Employees using the network for illegal activities
  – Outsiders having planted zombie programs so that your system attacks others
  – What is your responsibility and liability?

Legal Issues - 3
• This may be a Catch-22 issue
  – If an attacker is using your system, law enforcement may want you to continue to allow that to happen so they can apprehend the attacker
    • If you interrupt the attack, it could be interpreted as obstruction of justice
  – But, if you allow the attack to continue, you may be liable for damages to those attacked
• Get legal advice, beforehand!

What About Automated Response?
• Tempting capability
• If attacking your system is illegal, what makes your attack on the attacker in response less illegal?
• What if you are, or are acting on behalf of, a governmental entity and the attacker is also a governmental entity?
  – Casus belli
IDS Architecture
[Figure: one Management Console connected to several Sensors]

Console
• Monitors and controls sensors
  – Sets policy, alarm levels, etc.
  – Stores logs
• Must have secure communications with sensors
  – Encrypted connection
  – Out of band (OOB)

IDS Types
• Network-based (NIDS)
  – Monitors the network backbone
• Network node-based (NNIDS)
  – Monitors network nodes, not the backbone
• Host-based (HIDS)
  – This is the "log crawler" that started it all
• Gateway (GIDS)
  – NIDS in series with the network

What Can It See?
• Network packets
• OS API calls
• System logs
• How do we merge this data to detect intrusions?

Host-Based
• Sits on a host as a background task
• Monitors (potentially)
  – traffic to and from the host
  – OS API calls
  – system logs
• Adds to the processing load on the host, so the host must be able to support the extra load

Network-based
• NIDS sensors placed on the network backbone
  – Can view only packet traffic passing by, much like a classic passive sniffer
  – Does not place processing load on the network, but the NIDS platform must be capable of dealing with network traffic speeds
    • Software can usually handle 100 Mbps (2005 figures)
    • Hardware only 2-3 times faster
    • If the network is faster, it looks only at a subset of packets, and whatever is in the rest goes unseen

Network Node-based
• Used to inspect intrusions directly into network nodes
  – Effectively a blending of HIDS and NIDS
  – Used to protect mission-critical machines
  – Again, a background process on existing nodes, so the node must be able to handle the added processing load
Gateway
• In series with the network
  – Often set to block prohibited traffic automatically
  – Think of it as an in-network firewall with an extended rule set
  – Must be able to keep up with the network load

Intrusion Prevention Systems (IPS)
• Latest trend in IDS technology
• Idea is to use what the IDS identifies to change the network rules ad hoc, in theory preventing further exploitation
• Very similar to GIDS

IPS Issues
• Attack signatures generally known only a posteriori
• Heuristic analysis has not worked very well in other venues, such as virus detection
• How long to maintain the "new" rules before reverting to the original ones?
• Exploitation of the IPS (e.g. spoofed attack traffic that tricks it into blocking a legitimate source)

Deployment
• Putting in an IDS is a complex and time-consuming affair
  – Typically, start simple and add functionality as you learn more about the network
  – NIDS tends to see more and load the network least
  – Follow up with HIDS on selected hosts, perhaps NNIDS on critical nodes
• Policy has to be in place first

Attack Signatures
• Critical to the success of any IDS
• Must be maintained, just like virus signatures
  – You want some visibility into this
  – Do you want strangers deciding what is an attack on your critical systems?
• Some IDSs let you write/modify signatures, others do not
• CVE: http://www.cve.mitre.org/

IDS Deployment
• First, design the IDS sensor and management layout
• Next, deploy the IDS
  – Test the network for normal operation
  – Test the IDS
    • Run packaged attacks to see if all are detected
    • Document performance and repeat the test regularly
  – Tune the IDS
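The "log crawler" HIDS and the signature idea from the slides above, as an added example that is not part of the lecture. It runs two kinds of rule over syslog-style sshd lines: a signature rule (one line that is an incident by itself) and a policy threshold rule (a burst of failures that no single line reveals). The policy constants (MAX_FAILURES, WINDOW), the "no root password logins" policy and every log line are assumptions constructed for the example.

```python
"""Added example, not from the lecture: a minimal host-based IDS "log crawler".

It reads syslog-style sshd lines and applies the two kinds of rule the slides
describe: a signature rule (one line that is an incident by itself; here a
password login as root, which our hypothetical policy forbids) and a policy
threshold rule (N failed passwords from one source within a time window,
which no single line reveals). The policy constants and every log line are
constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical site policy (assumptions, not from the slides).
MAX_FAILURES = 3                # failures from one source before alerting
WINDOW = timedelta(seconds=60)  # sliding window for the threshold rule
LOG_YEAR = 2005                 # classic syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")

# Constructed sample log: one brute-force burst, one benign key login,
# one root password login, and a stray failure outside any window.
SAMPLE_LOG = """\
Apr 12 02:14:01 web1 sshd[2201]: Failed password for invalid user admin from 10.0.0.7 port 40122 ssh2
Apr 12 02:14:03 web1 sshd[2201]: Failed password for invalid user admin from 10.0.0.7 port 40123 ssh2
Apr 12 02:14:09 web1 sshd[2204]: Accepted publickey for alice from 10.0.1.5 port 51020 ssh2
Apr 12 02:14:12 web1 sshd[2201]: Failed password for root from 10.0.0.7 port 40124 ssh2
Apr 12 02:20:00 web1 sshd[2210]: Failed password for root from 10.0.0.9 port 33001 ssh2
Apr 12 02:20:45 web1 sshd[2211]: Accepted password for root from 10.0.0.9 port 33002 ssh2
Apr 12 03:00:00 web1 sshd[2300]: Failed password for bob from 10.0.0.9 port 33010 ssh2
"""


def parse(line):
    """Return (timestamp, host, message), or None for lines the crawler does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def crawl(lines):
    """Run both rules over the lines in order; return a list of (rule, detail) alerts."""
    alerts = []
    failures = defaultdict(deque)  # source address -> timestamps of recent failures
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, msg = parsed

        # Signature rule: a successful password login as root.
        ok = OK_RE.search(msg)
        if ok and ok["user"] == "root" and ok["method"] == "password":
            alerts.append(("root-password-login", f"{host} from {ok['src']} at {ts:%H:%M:%S}"))

        # Threshold rule: MAX_FAILURES failures from one source inside WINDOW.
        fail = FAIL_RE.search(msg)
        if fail:
            recent = failures[fail["src"]]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:   # expire entries older than the window
                recent.popleft()
            if len(recent) >= MAX_FAILURES:
                alerts.append(("brute-force", f"{len(recent)} failures from {fail['src']} within {WINDOW.seconds}s"))
                recent.clear()   # re-arm so the next burst is reported once, not on every further failure
    return alerts


if __name__ == "__main__":
    for rule, detail in crawl(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule}: {detail}")
```

Two practitioner points follow from the slides: the crawler only reads the log, never rewrites it, so the original file stays usable as evidence; and both rules encode a policy decision (what counts as "too many", which logins are forbidden), which is why the slides insist the policy exist before the IDS is deployed.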
Sampling of IDS Products
• RealSecure: http://www.iss.net/products_services/enterprise_protection/rsnetwork/sensor.php
• NFR: http://www.nfr.net/
• Snort: http://www.snort.org/
• SnortSnarf: http://www.silicondefense.com/software/snortsnarf/

IDS Summary
• IDSs can be useful in monitoring networks for intrusions and policy violations
• Up-to-date attack signatures and policy implementations are essential
• Many types of IDS available, at least one as freeware
• Serious potential legal implications
• Automated responses to be avoided

Wireless Network Security
• Wireless networks growing at a rapid pace
  – Gartner Group predicts wireless installations will multiply >7X by 2007 to over 31M
• Business drivers
  – Installation cost and time
  – Mobility
  – Flexibility
  – Operating costs

Wireless Inherently Insecure
• Wired networks contain (or try to contain) signals to a wired path, which must be physically tapped to compromise line security
  – Possible to physically discover the tap
• Wireless networks deliberately broadcast data into space, where it can be intercepted by anyone with the proper receiver
  – Data tap impossible to discover: a passive receiver emits nothing

This Isn't New News
• Since the early days, wireless vendors strove to provide privacy equivalent to that available on the wired network
  – WEP = Wired Equivalent Privacy
  – This is not a high standard to meet
• They succeeded, but that wasn't good enough for user requirements

Wireless Security Issues
• How does a wireless network work?
• How can you "join up"?
• What about the encryption?
• Can it really be secure?
How It Works
• Clients send probes
• Access points broadcast beacons and, often, their Service Set Identifier (SSID)
• When a client finds an access point with an acceptable signal level and a matching SSID, a connection is established
• Many networks are built precisely to facilitate connection by "foreign" users

Wireless LAN Elements
[Figure: an access point (AP) and a station (STA)]

Origins of WEP
• Marketing and Political Issues:
  – Developed as part of a wireless LAN research project at Apple Computer, Inc.
  – Eavesdropping was perceived as a barrier to market acceptance.
  – Apple sells into a worldwide market, so the solution had to be exportable.
  – NSA only allowed 40-bit encryption to be exported.

Origins of WEP (cont.)
• Technical Issues:
  – Eavesdropping on the wireless link => privacy and authentication problems.
  – Multiple network protocols (in 1993) => solution required at the data link layer.
  – Data link layer is "best effort" => crypto state (other than the shared key) must accompany each frame.

WEP Solution
• Apple had an unlimited RC4 license from RSA, Inc.
• "Method and apparatus for variable-overhead cached encryption," US Patent 5,345,508, applied for 23 Aug 1993, granted 6 Sept 1994.
• Licensed for export in mid-1994.

WEP Encryption
[Figure: the Initialization Vector (IV) is concatenated with the Secret Key to form the seed of the RC4 PRNG; the resulting Key Sequence (cached up to MAX_MSG_SZ bytes) is XORed with the Plaintext to produce the Ciphertext, and the IV accompanies the frame in the clear]
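The encryption in the diagram above written out, plus the consequence of the per-frame IV being sent in the clear when the same IV is used twice under one key. This is an added example, not Apple's or the IEEE's code; the RC4 routine is the textbook algorithm, and the secret key, IVs and frame contents are constructed values. The CRC-32 integrity check value that real WEP appends before encryption is left out because the diagram does not show it.

```python
"""Added example, not from the lecture: the WEP encryption in the diagram above,
written out, and what happens when an IV is reused.

    seed = IV || secret key;  key sequence = RC4(seed);  ciphertext = plaintext XOR key sequence

The 24-bit IV travels in the clear with every frame, so whoever sees two frames
carrying the same IV under the same secret key knows both were encrypted with the
same key sequence. The secret key, IVs and frame contents are constructed values.
"""


def rc4(key, length):
    """RC4: key-scheduling (KSA) followed by `length` bytes of key sequence (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key, iv, plaintext):
    """Per-frame WEP encryption as in the diagram: seed the PRNG with IV || key.

    Returns (iv, ciphertext); the IV is transmitted in the clear ahead of the ciphertext.
    Real WEP also appends a CRC-32 ICV to the plaintext before encrypting; omitted here.
    """
    assert len(iv) == 3, "WEP IV is 24 bits"
    assert len(secret_key) in (5, 13), "40-bit or 104-bit secret key"
    return iv, xor(plaintext, rc4(iv + secret_key, len(plaintext)))


def wep_decrypt(secret_key, iv, ciphertext):
    """Decryption is the same XOR with the same key sequence."""
    return xor(ciphertext, rc4(iv + secret_key, len(ciphertext)))


def recover_key_sequence(known_plaintext, ciphertext):
    """Known-plaintext step: C XOR P yields the key sequence for that IV (as many bytes as are known)."""
    return xor(known_plaintext, ciphertext)


def iv_reuse_demo():
    """Two frames under one IV: a frame the eavesdropper can guess unlocks the one it cannot."""
    secret_key = bytes.fromhex("0102030405")      # constructed 40-bit key
    iv = b"\x00\x00\x01"                          # the same IV used for both frames
    known = b"GET /index.html HTTP/1.0\r\n"       # contents the eavesdropper can guess
    victim = b"PASS hunter2\r\n"                  # contents the eavesdropper wants
    _, c_known = wep_encrypt(secret_key, iv, known)
    _, c_victim = wep_encrypt(secret_key, iv, victim)
    key_sequence = recover_key_sequence(known, c_known)
    # From here on the eavesdropper never touches secret_key.
    return xor(c_victim, key_sequence)


if __name__ == "__main__":
    print(iv_reuse_demo())
```

The key sequence depends only on IV || key, so the eavesdropper needs neither the key nor any weakness in RC4 itself for this step: one guessable frame per reused IV is enough, and with a 24-bit IV space reuse is guaranteed on a busy network.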
IEEE 802.11's use of WEP
• IEEE runs by Robert's Rules; "one man, one vote"
• Simple majority required to add text, 75% vote to change text in a draft standard
• WEP introduced in March 1994
• Strong pushback in committee regarding the cost and overhead of encryption
• Dilution of the proposal; privacy made optional

WEP Security Problems
• Papers submitted to the 802.11 committee highlight the problems with WEP; "Unsafe at any Key Size" presented in October 2000
• 802.11 Task Group I formed to solve the WEP security problems
• Press gets wind of the issue
• Public domain attacks; "war driving"

WEP Security Problems (cont.)
• Passive attacks to decrypt traffic based on statistical analysis
• Active "known plaintext" attack to inject new traffic from unauthorized mobile stations
• Active attacks to decrypt traffic, based on tricking the access point
• Dictionary-building attack; real-time automated decryption of all traffic after a day's sampling

802.11 Task Group I
• Long-term security architecture for 802.11
• Based on the 802.1X authentication standard and two new encryption protocols (TKIP and CCMP)
  – Labeled Robust Security Network (RSN)
• Uses Upper Layer Authentication (ULA) protocols outside the scope of 802.11i (e.g. EAP-TLS, PEAP)

Robust Security Network Includes:
• Better key derivation/distribution based on 802.1X
  – For TKIP: per-message 128-bit key derivation
• Improved encryption (TKIP, CCMP)
• Stronger keyed Message Integrity Checks
  – Custom MIC ("Michael") for TKIP, with only about 20 bits of effective strength
  – Strong AES-based MIC for CCMP
• IV sequencing to control message replay
  – 44 bits to avoid re-keying (4 bits for QoS)
RSN Data Privacy Protocols
• Temporal Key Integrity Protocol (TKIP)
  – a cipher suite enhancing the WEP protocol on pre-RSN hardware
• Counter Mode/CBC-MAC Protocol (CCMP)
  – based on AES and Counter Mode with CBC-MAC (CCM)
  – Mandatory for RSN compliance

802.1X
• Port-based network access control for IEEE 802 LANs; it carries EAP, which was originally designed for PPP
• Provides support for a centralized management model
• Primary encryption keys are unique to each station and generated dynamically
• Provides support for strong upper layer authentication

802.1X Architectural Framework
• Employs the Extensible Authentication Protocol (EAP)
  – EAP built around a challenge-response paradigm
  – runs directly over the link layer (no IP address needed yet) and can carry any authentication method = flexibility
• Provides transport for ULA protocols
  – EAP-TLS, PEAP, EAP-TTLS, LEAP
• Two sets of keys dynamically generated
  – Session Keys, Group Keys

Authentication and Key Mgmt.
[Figure: the Supplicant (STA) speaks EAPoL to the Authenticator (AP), which relays EAP over RADIUS to the Authentication Server (AS); the AP's Uncontrolled Port carries only the authentication traffic, while the Controlled Port leading to the Wired LAN Services remains Unauthorized until the AS accepts the supplicant]

Existing Solutions & Other Methods
• MAC address filtering
• Access Point Placement
• Virtual Private Networks (VPNs)

Enter The Wi-Fi Alliance
• Wi-Fi Alliance: nonprofit international association formed in 1999
• 176 member companies as of today
• Mission: Certify interoperability of Wireless LAN products based on the IEEE 802.11 specification
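The 802.1X exchange of the framework figure above, simulated with all three parties, as an added example that is not from the lecture or any vendor's code. It shows what the figure's two ports mean in practice: the authenticator relays EAP without ever seeing the user's secret, and its controlled port stays closed until the authentication server says Success. The EAP method is EAP-MD5 (the CHAP-style MD5(identifier || secret || challenge) of RFC 3748), chosen only because it is the shortest exchange; it is an assumption of this example, not what the slides recommend, since it derives no session keys and is open to offline dictionary attack, which is why EAP-TLS, PEAP and EAP-TTLS are the methods listed above. Identities, secrets, challenges and the class names are constructed; RADIUS transport is replaced by a method call.

```python
"""Added example, not from the lecture: a simulation of the 802.1X exchange in the
figure above, with Supplicant (STA), Authenticator (AP) and Authentication Server (AS).

The AP never learns the user's secret; it relays EAP between the STA (EAPoL) and
the AS (RADIUS in practice, a method call here) and marks its controlled port
"authorized" only on EAP-Success. Until then the uncontrolled port passes EAPoL
and nothing else reaches the wired LAN.

EAP-MD5 (RFC 3748, CHAP-style MD5(identifier || secret || challenge)) is used as
the method purely for brevity; it is an assumption of this example and is not a
method the slides recommend. Identities, secrets and challenges are constructed.
"""
import hashlib
import hmac
import os

EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800


def md5_response(identifier, secret, challenge):
    """EAP-MD5 / CHAP response value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthenticationServer:
    """Hypothetical RADIUS-like AS holding identity -> shared secret."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # identity -> (identifier, challenge) awaiting a response

    def handle(self, identity, eap):
        if eap["type"] == "Response/Identity":
            identifier, challenge = 1, os.urandom(16)
            self.pending[identity] = (identifier, challenge)
            return {"type": "Request/MD5-Challenge", "id": identifier, "challenge": challenge}
        if eap["type"] == "Response/MD5-Challenge":
            identifier, challenge = self.pending.pop(identity, (None, None))
            secret = self.users.get(identity)
            if secret is None or challenge is None or eap["id"] != identifier:
                return {"type": "Failure"}
            expected = md5_response(identifier, secret, challenge)
            ok = hmac.compare_digest(expected, eap["value"])   # constant-time compare
            return {"type": "Success" if ok else "Failure"}
        return {"type": "Failure"}


class Supplicant:
    """The STA: answers EAP requests; the secret never leaves this object."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, eap):
        if eap["type"] == "Request/Identity":
            return {"type": "Response/Identity", "identity": self.identity}
        if eap["type"] == "Request/MD5-Challenge":
            value = md5_response(eap["id"], self.secret, eap["challenge"])
            return {"type": "Response/MD5-Challenge", "id": eap["id"], "value": value}
        return None


class Authenticator:
    """The AP: an uncontrolled port (EAPoL only) and a controlled port (everything else)."""

    def __init__(self, auth_server):
        self.server = auth_server
        self.port_authorized = False

    def filter_frame(self, ethertype):
        """Port-based access control: where does a frame from the STA go?"""
        if ethertype == EAPOL_ETHERTYPE:
            return "pass-uncontrolled"
        return "pass-controlled" if self.port_authorized else "drop"

    def relay(self, identity, eap_response):
        """Forward the STA's EAP response to the AS and act on the AS's verdict."""
        eap = self.server.handle(identity, eap_response)
        if eap["type"] == "Success":
            self.port_authorized = True
        elif eap["type"] == "Failure":
            self.port_authorized = False
        return eap


def run_exchange(sta, ap, max_rounds=5):
    """Drive EAPoL: the AP issues Request/Identity, then relays until Success or Failure."""
    eap, identity = {"type": "Request/Identity"}, None
    for _ in range(max_rounds):
        response = sta.respond(eap)
        if response is None:
            return "Failure"
        if response["type"] == "Response/Identity":
            identity = response["identity"]
        eap = ap.relay(identity, response)
        if eap["type"] in ("Success", "Failure"):
            return eap["type"]
    return "Failure"


if __name__ == "__main__":
    server = AuthenticationServer({"alice": b"correct horse battery"})
    ap = Authenticator(server)
    print("before:", ap.filter_frame(IPV4_ETHERTYPE))
    print("result:", run_exchange(Supplicant("alice", b"correct horse battery"), ap))
    print("after: ", ap.filter_frame(IPV4_ETHERTYPE))
```

What this leaves out is exactly what the RSN slides add on top of 802.1X: with a key-deriving method such as EAP-TLS the AS also hands the AP per-station keying material at Success, from which the session and group keys are derived; EAP-MD5 yields none, so it can only open the port.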
Wi-Fi Protected Access - WPA
• WPA is a response by the industry to offer a strong and immediate security solution that would replace WEP
• It is a subset of the 802.11i draft standard and is going to maintain forward compatibility
• Main idea: "Bring what is ready now to the market"
• Increases the level of security for Wireless LAN
• It is a standards-based, interoperable security specification

WPA
• Provides user authentication
  – Central authentication server (like RADIUS)
  – Via 802.1X and EAP
• Improves data encryption
  – Temporal Key Integrity Protocol (TKIP)
• Eventually will support full 802.11i compliance

802.11i Status?
• Many devices fielded since 2003 have silicon implementations in them to support full 802.11i
  – Supports AES
  – Other features
  – Firmware updates should turn on the features
• Standard ratified in June 2004

NetStumbler
[Figure: NetStumbler screenshot]

Exploitation Tools
• Wardriving: http://www.wardriving.com/
• Warchalking: http://www.warchalking.org/
• Airsnort: http://airsnort.shmoo.com/
• WEPCrack: http://wepcrack.sourceforge.net/
• What other little "gifts" await us?

Best Practice for now
• WEP is better than nothing; change keys often
• Physical placement of Access Points
• Upgrade firmware and drivers on APs and Wireless Cards as they are released
• VPN (treat wireless users as you would dial-in users)
• Check for 802.1X support before buying
Wireless Security Summary
• It's a problem, owing to the nature of wireless transmission
• So far, security implementations have left a lot to be desired
• Project presentations will provide added details
• Growth is explosive, both in legitimate and illegitimate wireless activity