Download Security “Tidbits” - The Stanford University InfoLab

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
Document related concepts

Net bias wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

Internet protocol suite wikipedia , lookup

Computer network wikipedia , lookup

AppleTalk wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Airborne Networking wikipedia , lookup

Buffer overflow protection wikipedia , lookup

Network tap wikipedia , lookup

Wireless security wikipedia , lookup

Computer security wikipedia , lookup

Buffer overflow wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Deep packet inspection wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Distributed firewall wikipedia , lookup

Transcript 
Security “Tidbits”
Neil Daswani
Overview


The FLI Model
Infiltrations:
–
–

Viruses / Worms
Lessons Learned
Firewalls & Attacks
–
–
–
What is a firewall?
How do they work?
How to prevent attacks
Security Problems & Solutions
Prevention
Failure
(Process/Storage)
Lies
Infiltration
Physical Security
Uninterruptible Power
Authentication
Authorization
Non-Repudiation
Time-Stamping
Digital Signatures
Hardware Protection
Byzantine Agreement
Reputation Systems
Intrusion Detection
Anti-virus Software
Fail-Stop Digital
Signatures
Certificate
Revocation
Firewalls
Management
Recovery
Non-Stop Processes
Fault-Tolerance
Watchdog Processor
Replication, RAID
Backups
Fail-Over
Hot Swapping
Key Escrow
Auditing
Firewalls
“Common Sense” 
Morris Worm (1988)



Damage: 6000 computers in just a few hours
What: just copied itself; didn’t touch data
Exploited:
–
–
–
buffer overflow in fingerd (UNIX)
sendmail debug mode (exec arbitrary cmds)
dictionary of 432 frequently used passwords
Buffer Overflow Example
void sample_func (char *str) {
char buffer[16];
strcpy (buffer, str);
}
void main (int argc, char *argv) {
sample_func (argv[1]);
}
Morris Worm (1988)

Lessons Learned from Morris
–
–
–
–
–
Diversity is good.
Big programs have many exploitable bugs.
Choose good passwords.
Don’t shut down mail servers: did prevent worm
from spreading but also shut down defense
CERT was created to respond to attacks
Melissa (1999)


What: just copied itself; did not touch data
When date=time, “Twenty-two points, plus triple word
score, plus fifty points for using all my letters. Game’s over. I’m
outta here.”

Exploited:
–
–
MS Word Macros (VB)
MS Outlook Address Book (Fanout = 50)
“Important message from <user name> …”
Melissa (1999)

Lessons Learned:
–
–
–
–
–
Homogeneity is bad.
Users will click on anything.
Separation of applications is good.
Users “trusted” the message since it came from
someone they knew.
Don’t open attachments unless they are expected.
Other Viruses / Worms

CIH Chernobyl Virus, 1998, Taiwan:
–
–
–
–



Time bomb: April 26, or 26th of each month
Writes random garbage to disk start at sector 0
attempts to trash FLASH BIOS
Hides itself in unused spaces
Worm.ExploreZip, 1999: Melissa + zeroed out files
BubbleBoy, 1999: Melissa-like except doesn’t require
opening an attachment (ActiveX)
Love Bug, 2000: “I LOVE YOU” (like Melissa)
Code Red (2001)





Runs on WinNT 4.0 or Windows 2000
Scans port 80 on up to 100 random IP addresses
Resides only in RAM; no files
Exploits buffer overflow in Microsoft IIS 4.0/5.0
(Virus appeared one month after advisory went out)
Two flavors:
–
–


Code Red I: high traffic, web defacements, DDOS on
whitehouse.gov, crash systems
Code Red II: high traffic, backdoor install, crash systems
Three phases: propagation (1-19), flood (20-27),
termination (28-31)
Other victims: Cisco 600 Routers, HP JetDirect Printers
Code Red (2001)

Lessons Learned:
–
–
–
Don’t use IIS! ;)
Always keep software up-to-date
Proof-of-concept to hide other attacks?
Nimda (2001)

Multiple methods of spreading
(email, client-to-server, server-to-client, network
sharing)
–
–
–
Server-to-client: IE auto-executes readme.eml (that is attached
to all HTML files the server sends back to the client)
Client-to-server: “burrows”: scanning is local 75% of time
Email: readme.exe is auto executed upon viewing HTML email
on IE 5.1 or earlier
Nimda (2001)

Lessons Learned:
–
–
–
–
Install latest web server and browser patches (or
upgrade version altogether)
Don’t use MIME auto-execution
Disable JavaScript
Reject using applications that are routinely
exploited???
Just this week… BadTrans Worm



Spread via email; attacks Windows systems
Records (once per second) keystrokes,
usernames, & passwords into windows with
titles: LOG, PAS, REM, CON, TER, NET
Sends to
–
–
–
one of 20+ email addresses
one of 15+ from addresses
one of 15+ attachment names w/ 2 extensions
({.doc/.mp3/.zip},{.pif/.scr})
Firewalls

Two major technologies:
–
–

Packet Filters
Proxies
Related technologies
–
–
Network Address Translation (NAT)
Virtual Private Networks (VPN)
Packet Filtering Routers

Filter on:
–
–
–
–
–

Stateful vs. Stateless Inspection
–

IP Source, IP Dest, Protocol (TCP, UDP, ICMP)
TCP/UDP Source & Dest Ports
ICMP Message Type (req,reply,time exceed)
Packet Size
NICs
i.e., UDP DA/DP checking
Simple Protocol Checking
–
i.e., Format Checking, Disconnect “anonymous” FTP x-fers
Packet Filtering

Advantages
–
–
–

One router can protect entire network
Simple filtering is efficient
Widely available
Disadvantages
–
–
–
Hard to configure & test
Reduces router performance
Can’t enforce some policies (i.e., user-level)
Proxies





Security vs. Caching Proxies
SOCKS: proxy construction toolkit
Trusted Information Systems Firewall Toolkit
(TIS FWTK: Telnet, FTP, HTTP, rlogin, X11)
Most used to control use of outbound services
Can also be used to control inbound services
(reverse proxying)
Proxies

Advantages
–
–
–

Logging, Caching, Intelligent Filtering
User-level authentication
Guards against weak IP implementations
Disadvantages
–
–
–
Lag behind nonproxied services
Requires different servers for each service
Usually requires modifications to client applications
Firewall Architectures

Dual-Homed Host
–

Screening Router w/ Bastion Host
–
–

Services can only be proxied
Security by packet filtering
Bastion host is single point of failure
Screened Subnet
–
–
Ext Router, Perimeter, Bastion Host, Interior Router
Internal ethernet packets protected from perimeter
Example Attacks



IP Spoofing
TCP SYN Flood
SMURF Attack
–

ICMP Ping w/ max payload to broadcast address
D-DOS Attack
–
Infiltrate, set up sleepers, attack at once
References





White-Hat Security Arsenal, A. Rubin
Security Engineering, R. Anderson
www.webtorials.com, Gary Kessler
Building Internet Firewalls, E. Zwicky, et. Al.
Counter Hack, E. Skoudis
Network Address Translation (NAT)



Translates network addresses & ports
Does not provide additional “security”
Possibilities:
–
–
–
–
One external address per internal address
Dynamically assign external address
Map multiple internal to one external (port sharing)
Dynamically assign external addresses and ports
Network Address Translation (NAT)

Advantages
–
–
–

Helps enforce control over outbound connections
Helps restrict incoming traffic
Helps conceal internal network configuration
Disadvantages
–
–
–
–
Not good for UDP (guess session lifetimes)
Doesn’t deal with embedded IP addresses
Interferes with authentication & encryption
Interferes with logging & packet filtering
Virtual Private Networks

Advantages:
–
–

Provides overall encryption
Allows use of protocols that are hard to secure any
other way
Disadvantages:
–
–
Involves “dangerous” network connections
Extends the network that must be protected
Related documents
Deployed and Emerging Security Systems for the Internet
Deployed and Emerging Security Systems for the Internet
SAVAH: Source address validation with Host Identity Protocol
SAVAH: Source address validation with Host Identity Protocol
ppt
ppt
Firewalls - Eastern Michigan University
Firewalls - Eastern Michigan University
Screened-host firewall
Screened-host firewall
William Stallings, Cryptography and Network Security 3/e
William Stallings, Cryptography and Network Security 3/e
William Stallings, Cryptography and Network Security 3/e
William Stallings, Cryptography and Network Security 3/e
William Stallings, Cryptography and Network Security 3/e
William Stallings, Cryptography and Network Security 3/e
Topic 2: Lesson 3 Intro to Firewalls
Topic 2: Lesson 3 Intro to Firewalls
ppt
ppt
William Stallings, Cryptography and Network Security 3/e
William Stallings, Cryptography and Network Security 3/e
www.bestitdocuments.com
www.bestitdocuments.com
No Slide Title
No Slide Title
Packet Classification
Packet Classification
Skating on Stilts
Skating on Stilts
Defense in Depth / Firewalls Presentation
Defense in Depth / Firewalls Presentation
- Andrisoft
- Andrisoft
Packet Sniffers
Packet Sniffers
Defense in Depth / Firewalls Presentation
Defense in Depth / Firewalls Presentation
Linux Utility Module for Security- Accepted without
Linux Utility Module for Security- Accepted without
CSCI6268L20
CSCI6268L20
TU3_2-3O - icalepcs 2005
TU3_2-3O - icalepcs 2005