Download Network Security - University of Engineering and Technology

Document related concepts

TCP congestion control wikipedia , lookup

Deep packet inspection wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Internet protocol suite wikipedia , lookup

Distributed firewall wikipedia , lookup

Cross-site scripting wikipedia , lookup

Wireless security wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Computer security wikipedia , lookup

Transcript
Network Security
Professor
Adeel Akram
Network Security Architecture
Lecture Outline
► Attacks,
services and mechanisms
► Security attacks
► Security services
► Methods of Defense
► A model for Internetwork Security
► Internet standards and RFCs
Background
► Information
Security requirements have changed
in recent times
► Traditionally provided by physical and
administrative mechanisms
► Computer use requires automated tools to protect
files and other stored information
► Use of networks and communications links
requires measures to protect data during
transmission
Definitions
► Computer
Security - generic name for the
collection of tools designed to protect data and to
prevent hackers
► Network Security - measures to protect data
during their transmission
► Internet Security - measures to protect data
during their transmission over a collection of
interconnected networks
Our Emphasis in this Course
► Our
emphasis is on internet and network
security
► Consists of measures to discourage,
prevent, detect, and correct security
violations that involve the transmission of
information
► Requirements seem straightforward, but the
mechanisms used to meet them can be
quite complex …
Services, Mechanisms, Attacks
► Need
systematic way to define requirements
► Consider three aspects of information
security:
 security attack
 security mechanism
 security service
► Consider
in reverse order
Security Service
Is something that enhances the security of the data
processing systems and the information transfers of
an organization
► Intended to counter security attacks
► Make use of one or more security mechanisms to
provide the service
► Replicate functions normally associated with physical
documents e.g.
►




have signatures or dates
need protection from disclosure, tampering, or destruction
be notarized or witnessed
be recorded or licensed
Security Mechanism
►A
mechanism that is designed to detect, prevent,
or recover from a security attack
► No single mechanism that will support all functions
required
► However one particular element underlies many of
the security mechanisms in use: cryptographic
techniques
► Hence our review of this area
Security Attacks
► Any
action that compromises the security of
information owned by an organization
► Information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
► Have a wide range of attacks
► Can focus on generic types of attacks
 Note: often threat & attack mean same
Security Attacks
Security Attacks
► Interruption:
This is an attack on
availability
► Interception: This is an attack on
confidentiality
► Modification: This is an attack on integrity
► Fabrication: This is an attack on
authenticity
Security Goals
Confidentiality
Integrity
Availability
Summary: Attacks, Services and Mechanisms
► Security
Attack: Any action that
compromises the security of information.
► Security Mechanism: A mechanism that is
designed to detect, prevent, or recover from a
security attack.
► Security Service: A service that enhances
the security of data processing systems and
information transfers. A security service makes
use of one or more security mechanisms.
OSI Security Architecture
► ITU-T
X.800 Security Architecture for OSI
► Defines a systematic way of defining and
providing security requirements
► For us it provides a useful, abstract,
overview of concepts we will study
Security Services
► X.800
defines it as: a service provided by a
protocol layer of communicating open systems,
which ensures adequate security of the systems or
of data transfers
► RFC 2828 defines it as: a processing or
communication service provided by a system to
give a specific kind of protection to system
resources
Security Services (X.800)
► X.800
defines security services in 5 major
categories
 Authentication - assurance that the
communicating entity is the one claimed
 Access Control - prevention of the unauthorized
use of a resource
 Data Confidentiality –protection of data from
unauthorized disclosure
 Data Integrity - assurance that data received is
as sent by an authorized entity
 Non-Repudiation - protection against denial by
one of the parties in a communication
Security Services
►
Confidentiality (Privacy)
►
Authentication (Who created or sent the data)
►
Integrity (information has not been altered)
►
Non-repudiation (the order is final)
►
Access control (Prevent misuse of resources)
►
Availability (Permanence, non-erasure)
 Denial of Service Attacks
 Virus that deletes files
Security Mechanisms (X.800)
► Specific









security mechanisms:
Encipherment: Converting data into form that is not readable
Digital signatures: To check authenticity and integrity of data
Access controls: Enforcing access rights to resources
Data integrity
Authentication exchange
Traffic padding: Insertion of bits to frustrate traffic analysis
Routing control: Selection of secure routes
Notarization: Use of trusted third party for data exchange
.
Security Mechanisms (X.800)
► Pervasive
security mechanisms:
 trusted functionality: perceived to be correct
with respect to some criteria
 security labels:
 event detection: detection of security relevant
events
 security audit trails:
 security recovery:
Classify Security Attacks as
► Passive
attacks - eavesdropping on, or
monitoring of, transmissions to:
 obtain message contents, or
 monitor traffic flows
► Active




attacks – modification of data stream to:
masquerade of one entity as some other
replay previous messages
modify messages in transit
denial of service
Passive Attacks: Release of Message
Contents
Passive Attacks: Traffic Analysis
Active Attacks: Masquerade
Active Attacks: Replay
Active Attacks: Modification of Messages
Active Attacks: Denial of Service
Classify Security Attacks as
Model for Network Security .
Model for Network Security
►
Using this model requires us to:
1. Design a suitable algorithm for the security
transformation
2. Generate the secret information (keys) used by the
algorithm
3. Develop methods to distribute and share the secret
information
4. Specify a protocol enabling the principals to use the
transformation and secret information for a security
service
Model for Network Access Security .
Model for Network Access Security
►
Using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated
information or resources
►
Trusted computer systems can be used to
implement this model
Methods of Defense
► Encryption
► Software
Controls (access limitations in a
data base, in operating system protect each
user from other users)
► Hardware Controls (smartcard)
► Policies (frequent changes of passwords)
► Physical Controls
Internet standards and RFCs
► The
Internet society
 Internet Architecture Board (IAB)
 Internet Engineering Task Force (IETF)
 Internet Engineering Steering Group (IESG)
Internet RFC Publication Process
Vulnerabilities in Network Protocols
Outline
► TCP/IP
Layering
► Names and Addresses
► Security Considerations for





Address Resolution Protocol
Internet Protocol
Transmission Control Protocol
FTP,Telnet, SMTP
Web Security (Next Lecture)
► Browser
Side Risks
► Server Side Risks
TCP/IP Layering
An Example
Encapsulation
user data
HTTP
client
HTTP hdr
TCP
TCP hdr
IP
IP hdr
Ethernet
driver
Eth. hdr
tr.
Ethernet
Demultiplexing
HTTP
FTP
…
…
DNS
SNMP
SMTP
TCP
UDP
IGMP
ICMP
IP
demuxing based on
the port number
in the TCP or UDP
header
demuxing based on the
protocol id in the IP header
RARP
ARP
Ethernet
driver
demuxing based on frame type
in the Ethernet header
Names and Addresses
IP Addresses
►Format
"A.B.C.D" where each letter is a byte
►Class A network : A.0.0.0
Zeroes are used to indicate that any number could be in that position
►Class
B network: A.B.0.0
►Class C network: A.B.C.0
►Broadcast addresses:
255.255.255.255
A.B.C.255
►Special
case
0.0.0.0 and A.B.C.0 can be either treated as a broadcast or discarded
Hardware (MAC) Addresses
► Every
interface has a unique and fixed
hardware address too
► Used by the data link layer
► In case of Ethernet, it is 48 bits long
► Mapping between IP addresses and MAC
addresses are done by ARP
Host Names
► Human
readable, hierarchical names, such as
www.uettaxila.edu.pk
► Every host may have several names
► Mapping between names and IP addresses is done
by the Domain Name System (DNS)
Address Resolution Protocol
ARP – Address Resolution Protocol
► Mapping
Request
.1
from IP addresses to MAC addresses
08:00:20:03:F6:42
.2
.3
.4
00:00:C0:C2:9B:26
.5
192.168.0
arp req | target IP: 192.168.0.5 | target eth: ?
Reply
.1
08:00:20:03:F6:42
.2
.3
.4
00:00:C0:C2:9B:26
.5
192.168.0
arp rep | sender IP: 192.168.0.5 | sender eth: 00:00:C0:C2:9B:26
ARP Spoofing
► An
ARP request can be responded by another host
Request
.1
08:00:20:03:F6:42
.2
.3
.4
00:00:C0:C2:9B:26
.5
192.168.0
arp req | target IP: 192.168.0.5 | target eth: ?
Reply
.1
08:00:20:03:F6:42
.2
.3
00:34:CD:C2:9F:A0 00:00:C0:C2:9B:26
.4
.5
192.168.0
arp rep | sender IP: 192.168.0.5 | sender eth: 00:34:CD:C2:9F:A0
ARP Spoofing .
► Used
for sniffing on switched LAN
Attacker
Victim
2. Send fake ARP
response to map
default router’s IP
to attacker’s MAC
Switch
1. Configure IP
forwarding
4. Sniff the
traffic from the
link
5. Packets are forwarded
from attacker’s machine
to actual default router
Outside
World
3. Victim sends
traffic based on
poisoned ARP cache
Default Router
ARP Spoofing Prevention ?
► Cryptographic
way
protection on the data is the only
 Not allow any untrusted node to read the contents of
your traffic
Internet Protocol
IP – Internet Protocol
Provides an unreliable, connectionless datagram delivery
service to the upper layers
► Its main function is routing
► It is implemented in both end systems and intermediate
systems (routers)
► Routers maintain routing tables that define the next hop
router towards a given destination (host or network)
► IP routing uses the routing table and the information in the
IP header (e.g., the destination IP address) to route a
packet
►
IP Security Problems
►
►
►
User data in IP packets is not protected in any way
 Anyone who has access to a router can read and
modify the user data in the packets
IP packets are not authenticated
 It is fairly easy to generate an IP packet with an
arbitrary source IP address
Traffic analysis
 Even if user data was encrypted, one could easily
determine who is communicating with whom by
just observing the addressing information in the IP
headers
IP Security Problems
►
Information exchanged between routers to maintain
their routing tables is not authenticated
 Correct routing table updates can be modified or
fake ones can be disseminated
 This may screw up routing completely leading to
loops or partitions
 It may also facilitate eavesdropping, modification,
and monitoring of traffic
 It may cause congestion of links or routers (i.e.,
denial of service)
Transmission Control Protocol
TCP – Transmission Control Protocol
► Provides
a connection oriented, reliable, byte
stream service to the upper layers
► Connection oriented:
 Connection establishment phase prior to data
transfer
 State information (sequence numbers, window
size, etc.) is maintained at both ends
TCP- Reliability
► Positive
acknowledgement scheme
(unacknowledged bytes are retransmitted after a
timeout)
► Checksum on both header and data
► Reordering of segments that are out of order
► Detection of duplicate segments
► Flow control (sliding window mechanism)
TCP Connection Establishment
Client
Server
SYNC
Listening
SYNS, ACKC
Store data
Wait
ACKS
Connected
TCP Sequence Numbers
► TCP
uses ISN (Initial Sequence Number) to
order the incoming packets for a connection
► Sequence numbers are 32 bits long
► The sequence number in a data segment
identifies the first byte in the segment
► Sequence numbers are initialized with a
“random” value during connection setup
► The RFC suggests that the ISN is
incremented by one at least every 4 ms
TCP SYN Attack
► An
attacker can impersonate a trusted host
(e.g., in case of r commands, authentication is
based on source IP address solely)
 This can be done guessing the sequence number in
the ongoing communication
 The initial sequence numbers are intended to be
more or less random
TCP SYN Attack
►
►
►
In Berkeley implementations, the ISN is incremented by
a constant amount
 128,000 once per second, and
 further 64,000 each time a connection is initiated
RFC 793 specifies that the 32-bit counter be
incremented by 1 about every 4 ms
 the ISN cycles every 4.55 hours
Whatever! It is not hopeless to guess the next ISN to
be used by a system
Launching a SYN Attack
► The
attacker first establishes a valid
connection with the target to know its ISN.
► Next it impersonates itself as trusted host T
and sends the connection request with ISNx
► The target sends the ACK with its ISNs to the
trusted host T
► The attacker after the expected time sends
the ACK with predicted ISNs’
Launching a SYN Attack
attacker
SYN = ISNX, SRC_IP = T
server
SYN = ISNS, ACK(ISNX)
ACK(ISNS), SRC_IP = T
SRC_IP = T, nasty_data
trusted host (T)
What about the ACK for T?
►
If the ACK is received by the trusted host T
 It will reject it, as no request for a connection was made by it
 RST will be sent and the server drops the connection
BUT!!!
►
►
The attacker can either launch this attack when T is down
Or launch some sort of DoS attack on T
 So that it can’t reply
TCP SYN Attack – How to Guess ISNS?
attacker
server
Dt
 ISNS’ (Attacker’s ISN) depends on ISNS and Dt
 Dt can be estimated from the round trip time
 Assume Dt can be estimated with 10 ms precision
TCP SYN Attack – How to Guess ISNS?
► Attacker
has an uncertainty of 1280 in the
possible value for ISNS’
► Assume each trial takes 5 s
► The attacker has a reasonable likelihood of
succeeding in 6400 s and a near-certainty
within one day!
How to Prevent it?
► Can
be prevented by properly configuring
the firewall
 Do not allow any communication from outside
using the address of some internal network
TCP SYN Flood
►
►
C
Attacker’s goal is to
overwhelm the
destination machine
with SYN packets with
spoofed IP
This results in:
 The server’s
connection queue
filling up causing DoS
Attack
 Or even if queue is
large enough, all ports
will be busy and the
service could not be
provided by the server
S
SYNC1
Listening
SYNC2
SYNC3
SYNC4
SYNC5
Store data
How to Avoid TCP SYN Flood
► Decrease
the wait time for half open connection
► Do not store the connection information
► Use SYN cookies as sequence numbers during
connection setup
► SYN cookie is some function applied on
 Dest IP, Source IP, Port numbers, Time and a
secret number
TCP Congestion Control
Source
Destination
• If packets are lost, assume congestion
– Reduce transmission rate by half, repeat
– If loss stops, increase rate very slowly
Design assumes routers blindly obey this policy
TCP Congestion Control-Competition
Source A
Source B
Destination
Destination
• Friendly source A give way to overexcited source B
– Both senders experience packet loss
– Source A backs off
– Source B disobeys protocol, gets better results!
DoS-Denial of Service Attacks
► Attempts
to prevent the victim from being able to
establish connections
► Accomplished by involving the victim in heavy
processing
 like sending the TCP SYN packets to all ports of
the victim and avoiding new connection
establishment
► DoS attacks are much easier to accomplish than
gaining administrative access
Exploiting Ping Command for
Smurf DoS Attack
DoS
Source
1 ICMP Echo Req
Src: DoS Target
Dest: brdct addr
gateway
3 ICMP Echo Reply
Dest: DoS Target
DoS
Target
• Send ping request to subnet-directed broadcast address with
spoofed IP (ICMP Echo Request)
• Lots of responses:
– Every host on target network generates a ping reply (ICMP Echo Reply)
to victim
– Ping reply stream can overload victim
Smurf DoS Attack Prevention
► Have
adequate bandwidth and redundant paths
► Filter ICMP messages to reject external packets to
broadcast address
FTP – File Transfer Protocol
client
user
interface
user
server
protocol
interpreter
data
transfer
function
file system
control connection
(FTP commands and replies)
protocol
interpreter
data connection
data
transfer
function
file system
FTP – File Transfer Protocol
► Typical
FTP commands:
 RETR filename – retrieve (get) a file from the
server
 STOR filename – store (put) a file on the server
 TYPE type – specify file type (e.g., A for ASCII)
 USER username – username on server
 PASS password – password on server
► FTP
is a text (ASCII) based protocol
…
FTP – File Transfer Protocol
server
client
% ftp www.uettaxila.edu.pk
<TCP connection setup to port 21 of www.uettaxila.edu.pk >
“220 www.uettaxila.edu.pk FTP server (version 5.60) ready.”
Connected to www.uettaxila.edu.pk
Name: abc
“USER abc”
“331 Password required for user abc.”
Password: pswd
“PASS pswd”
“230 User abc logged in.”
Problems with FTP
► FTP
information exchange is in clear text
 The attacker can easily eavesdrop and get the
secret information
 The attacker can also know the software
version of FTP running to exploit the
vulnerabilities of that particular version
FTP Bounce Scans
►
►
FTP has a feature to open connection with victim
machine on the request from attacker machine
Machine A (Attacker) can request to check for the
open ports on the target machine X (Victim)
FTP Server
Attacker
►
Newer version of FTP does not support
this forwarding feature
Victim to be
scanned
Telnet
► Provides
► Works
remote login service to users
between hosts that use different
operating systems
► Uses option negotiation between client and
server to determine what features are
supported by both ends
Telnet
Telnet client
kernel
Telnet server
login shell
kernel
terminal
driver
TCP/IP
TCP/IP
TCP connection
user
pseudoterminal
driver
Telnet Session Example
► Single
character at a time
Telnet Example
server
client
% telnet ahost.com.pk
Connected to ahost.com.pk
Escape character is ‘^]’.
<TCP connection setup to port 23 of ahost.com.pk>
<Telnet option negotiation>
“UNIX(r) System V Release 4.0”
“Login:”
Login: s
“s”
Login: st
“t”
…
Login: student
…
“t”
“Password:”
Password: c
…
Password: cab123
“c”
…
“3”
<OS greetings and shell prompt, e.g., “%”>
…
Problems with Telnet
► Information
exchange is in clear text
 The attacker can easily eavesdrop and get the
information like username and passwords
 The attacker can also know the version to
exploit the vulnerabilities of that particular
version
SMTP – Simple Mail Transfer Protocol
sending host
user
agent
mails to
be sent
user
local
MTA
SMTP
relay
MTA
TCP connection SMTP
TCP port 25
relay
MTA
SMTP
receiving host
local
MTA
user
agent
user
user
mailbox
SMTP
relay
MTA
SMTP
► SMTP
is a text (ASCII) based protocol
► MTA
transfers mail from the user to the
destination server
► MTA relays are used to relay the mail from
other clients
► MTAs
use SMTP to talk to each other
► All the messages are spooled before sending
SMTP Message Flow
sending MTA (mail.uettaxila.edu.pk)
receiving MTA (smtp.yahoo.com)
<TCP connection establishment to port 25>
“HELO mail.uettaxila.edu.pk.”
“250 smtp.yahoo.com Hello mail.uettaxila.edu.pk., pleased to meet you”
“MAIL from: [email protected]”
“250 [email protected]... Sender ok”
“RCPT to: [email protected]”
“250 student2@yahoo… Recipient ok”
“DATA”
“354 Enter mail, end with a “.” on a line by itself”
<message to be sent>
.
“250 Mail accepted”
“QUIT”
“221 smtp.yahoo.com delivering mail”
©Copyright 2004. Amir Qayyum. All rights
reserved
87
SMTP Security Problems
► Designed
in an era where internet security was
not much of an issue
 No security at the base protocol
► Designed around the idea of “cooperation” and
“trust” between servers
 Susceptible to DoS attacks
►Simply
flood a mail server with SMTP connections
or SMTP instructions.
SMTP Security Problems
► SMTP
does not provide any protection of e-mail
messages
 Does not ask sender to authenticate itself.
 Messages can be read and modified by any
of the MTAs involved
 Fake messages can easily be generated (email forgery)
 Does not check what and from whom it is
relaying the message
SMTP Security Problems Example
% telnet frogstar.hit.com.pk 25
Trying...
Connected to frogstar.hit.com.pk.
Escape character is ‘^[’.
220 frogstar.hit.com.pk ESMTP Sendmail 8.11.6/8.11.6;
Mon, 10 Feb 2003 14:23:21 +0100
helo abcd.com.pk
250 frogstar.hit.com.pk Hello [152.66.249.32], pleased to meet you
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Your fake message goes here.
.
250 2.0.0 h1ADO5e21330 Message accepted for delivery
quit
221 frogstar.hit.com.pk closing connection
Connection closed by foreign host.
%
Be Careful, Though!
Return-Path: <[email protected]>
Received: from frogstar.hit.com.pk ([email protected]
[152.66.248.44])
by mail.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2)
with ESMTP id h1ADSsxG022719
for <[email protected]>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
by frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
for [email protected]; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: [email protected]
Message-Id: <[email protected]>
To: undisclosed-recipients:;
X-Virus-Scanned: by amavis-dc
Status:
Your fake message goes here.
Domain Name Server
DNS – Domain Name Server
►
►
The DNS is a distributed database that provides
mapping between hostnames and IP addresses
The DNS name space is hierarchical
 Top level domains gTLDs: com, edu, gov, int, mil,
net, org, ccTLDs like ae, …, pk, … zw
 Top level domains may contain second level
domains
e.g., edu within pk, co within uk, …
 Second level domains may contain third level
domains, etc.
Domain Name Server
► Usually
(not always) a name server knows the IP
address of the top level name servers
► If a domain contains sub-domains, then the name
server knows the IP address of the sub-domain
name servers
► When a new host is added to a domain, the
administrator adds the (hostname, IP address)
mapping to the database of the local name server
DNS – Domain Name Server
authority.uettaxila.edu.pk = ?
application
202.83.173.61
local
name srv
authority.uettaxila.edu.pk = ?
IP of ns in pk
top level
name srv
name srv
in pk
 A single DNS reply may include several
(hostname, IP address) mappings (Resource
Records)
 Received information is cached by the name
server
name srv
in edu.pk
name srv in
uettaxila.edu.pk
DNS spoofing
► The
cache of a DNS name server is poisoned
with false information
► How to do it?
 Assume that the attacker wants
www.anything.com.pk to map to his own
IP address 202.83.173.59
DNS Spoofing - Approach 1
► Attacker
submits a DNS query
“www.anything.com.pk=?” to
ns.victim.com.pk
► A bit later it forges a DNS reply
“www.anything.com.pk=202.83.173.59”
► UDP makes forging easier but the
attacker must still predict the query ID
DNS Spoofing – Approach 2
► Attacker
has access to ns.attacker.com.pk
 The attacker modifies its local name server such that it
responds a query “www.attacker.com.pk=?” with
“www.anything.com.pk=202.83.173.59”
 The attacker then submits a query
“www.attacker.com.pk=?” to ns.victim.com.pk
 ns.victim.com.pk sends the query
“www.attacker.com.pk=?” to ns.attacker.com.pk
 ns.attacker.com.pk responds with
“www.anything.com.pk=202.83.173.59”
Questions
???????????????
???????????????
????
[email protected]