Review For Exam 1 (February 8, 2012)
© Abdou Illia – Spring 2012

Introduction to Systems Security

Systems attackers (categories covered): Elite Hackers, Script Kiddies, Virus writers & releasers, Corporate employees, Cyber vandals, Cyber terrorists

Hacking: intentional access without authorization or in excess of authorization

Elite Hackers
- Characterized by technical expertise and dogged persistence, not just a bag of tools
- Use attack scripts to automate actions, but this is not the essence of what they do
- Could hack to steal info, to do damage, or just to prove their status

Elite Hackers (cont.)
- Black hat hackers break in for their own purposes
- White hat hackers can mean multiple things
  - Strictest: hack only by invitation as part of vulnerability testing
  - Some hack without permission but report vulnerabilities (not for pay)
- Ethical hackers: hired by organizations to perform hacking activities in order to
  - Test the performance of systems' security
  - Develop/propose solutions

Script Kiddies
- "Kids" that use pre-written attack scripts (kiddie scripts)
- Called "lamers" by elite hackers
- Their large number makes them dangerous
- Noise of kiddie script attacks masks more sophisticated attacks

Virus Writers and Releasers
- Virus writers versus virus releasers
- Writing virus code is not a crime
- Only releasing viruses is punishable

Cyber vandals
- Use networks to harm companies' IT infrastructure
- Could shut down servers, slow down eBusiness systems
- Cyber warriors: massive attacks* by governments on a country's IT infrastructure
- Cyber terrorists: massive attacks* by nongovernmental groups on a country's IT infrastructure
- Hacktivists: hacking for political motivation
* Multi-pronged attacks: release virus, active hacking, attacking Internet routers, etc.

Framework for Attacks
- Physical Access Attacks: Wiretapping, Server Hacking, Vandalism
- Dialog Attacks: Eavesdropping, Impersonation, Message Alteration
- Social Engineering: Opening Attachments, Password Theft, Information Theft
- Penetration Attacks: Scanning (Probing), Break-in, Denial of Service, Malware (Viruses, Worms)

Dialog attack: Eavesdropping
- Intercepting confidential messages being transmitted over the network
[Diagram: Bob's client PC and Alice's server exchange "Hello"; attacker (Eve) intercepts and reads the messages]

Dialog attack: Message Alteration
- Intercepting confidential messages and modifying their content
[Diagram: Bob's client PC sends "Balance = $1"; Alice's server receives "Balance = $1,000,000"; attacker (Eve) intercepts and alters the messages]

Dialog attack: Impersonation
[Diagram: attacker (Eve) tells Alice's server "I'm Bob"; the server answers "Hi! Let's talk."]

Break-in and Dialog attacks: Security Goal
[Diagram: Resources / Access Control]
If eavesdropping and message alteration attacks succeeded, in which of the following ways could the victims be affected?
a) Data files stored on hard drives might be deleted
b) Data files stored on hard drives might be altered
c) Corporate trade secrets could be stolen
d) Competitors might get the victim company's licensed info
e) Users might not be able to get network services for a certain period of time
f) The network might slow down
Confidentiality = main goal in implementing defense systems against eavesdropping and message alteration.

Security Goals
Three main security goals (CIA):
- Confidentiality of communications and proprietary information
- Integrity of corporate data
- Availability of network services and resources

Brute-force password cracking (vs. dictionary cracking and hybrid cracking, below)
- Try all possible character combinations
- Longer passwords take longer to crack
- Combining types of characters makes cracking harder
  - Alphabetic, no case (26 possibilities)
  - Alphabetic, case (52)
  - Alphanumeric (letters and numbers) (62)
  - All keyboard characters (~80)

Figure 2-3: Password Length

    Password length in characters | Alphabetic, no case (N=26) | Alphabetic, case (N=52) | Alphanumeric: letters & digits (N=62) | All keyboard characters (N=~80)
    1                             | 26                         | 52                      | 62                                    | 80
    2 (N^2)                       | 676                        | 2,704                   | 3,844                                 | 6,400
    4 (N^4)                       | 456,976                    | 7,311,616               | 14,776,336                            | 40,960,000
    6                             | 308,915,776                | 19,770,609,664          | 56,800,235,584                        | 2.62144E+11
    8                             | 2.08827E+11                | 5.34597E+13             | 2.1834E+14                            | 1.67772E+15
    10                            | 1.41167E+14                | 1.44555E+17             | 8.39299E+17                           | 1.07374E+19

Q: Your password policy is: (a) the password must be 6 characters long, (b) the password should include only decimal digits and lower case alphabetic characters. What is the maximum number of passwords the attacker would try in order to crack a password in your system?

Dictionary and Hybrid cracking
- Dictionary cracking (also called dictionary attack)
  - Try common words ("password", "ouch", etc.)
  - There are only a few thousand of these
  - Cracked very rapidly
- Hybrid cracking (also called hybrid attack)
  - Used when dictionary cracking fails
  - Common word with one or a few digits at the end, etc.

Basic Terminology
- Accidental Association: a wireless device latching onto a neighboring Access Point when turned on. The user may not even notice the association
- Malicious association: intentionally setting a wireless device to connect to a network; installing rogue wireless devices to collect corporate info
- War driving: driving around looking for weak, unprotected WLANs

IEEE 802.11 WLAN standards

                           802.11b      802.11a      802.11g      802.11n*
    Unlicensed band        2.4 GHz      5 GHz        2.4 GHz      2.4 GHz or 5 GHz
    Rated speed            ≤ 11 Mbps    ≤ 54 Mbps    ≤ 54 Mbps    ≤ 300 Mbps
    Range (indoor/outdoor) 35m/100m     25m/75m      25m/75m      50m/125m
    # of channels          3            12           13           14
    * Under development

802.11b WLAN frequency spectrum
[Diagram: frequency spectrum from 0 Hz upward; AM Radio service band 535 kHz-1705 kHz; FM Radio service band 88 MHz-108 MHz; 802.11b WLAN band 2.4 GHz-2.4835 GHz]
- Service band 2.4-2.4835 GHz divided into 13 channels
- Each channel is 22 MHz wide
- Channels spaced 5 MHz apart
- Channel 1 centered on 2412 MHz; Channel 13 centered on 2472 MHz
- Transmissions spread across multiple channels
- 802.11b and 802.11g devices use only Channels 1, 6, 11 to avoid transmission overlap
- AM radio channels have a 10 KHz bandwidth; FM radio channels: 200 KHz bandwidth
- 802.11g uses the Orthogonal Frequency Division Multiplexing (OFDM) modulation scheme to achieve higher speed than 802.11b

802.11 Wireless LAN (WLAN) Security: Basic Operation
- Main wired network for servers (usually 802.3 Ethernet)
- Wireless stations with wireless NICs
- Access points for spreading service across the site
- Access points are internetworking devices that link 802.11 LANs to 802.3 Ethernet LANs

802.11 Wireless LAN operation
- 802.11 refers to the IEEE Wireless LAN standards
[Diagram: notebook with PC Card wireless NIC → (1) 802.11 frame containing packet → Access Point → (2) 802.3 frame containing packet → Ethernet switch → (3) server; a client PC is also attached to the switch]

802.11 Wireless LAN operation: True or False
1. If the AP is 802.11n-compliant, it could communicate with the notebook even if the notebook has an 802.11a NIC. T / F
2. The Wireless AP needs to have an 802.3 interface. T / F
3. The switch needs to have at least one wireless port. T / F
4. How many layers should the Wireless AP have to perform its job?

Summary Question (1)
Which of the following is among Wireless Access Points' functions?
a) Convert electric signal into radio wave
b) Convert radio wave into electric signal
c) Forward messages from wireless stations to devices in a wired LAN
d) Forward messages from one wireless station to another
e) All of the above
f) Only c and d

MAC Filtering
- The Access Point could be configured to only allow mobile devices with specific MAC addresses
- Today, attack programs exist that could sniff MAC addresses and then spoof them
[Diagram: Access Point with MAC Access Control List: O9-2X-98-Y6-12-TR, 10-U1-7Y-2J-6R-11, U1-E2-13-6D-G1-90, 01-23-11-23-H1-80, ...]

IP Address Filtering
- The Access Point could be configured to only allow mobile devices with specific IP addresses
- Attacker could
  - Get an IP address by guessing based on the company's range of IP addresses
  - Sniff IP addresses
[Diagram: Access Point with IP Address Access Control List: 139.67.180.1/24-139.67.180.30/24, 139.67.180.75, 139.67.180.80, 139.67.180.110, ...]

SSID: Apparent 802.11 Security
- Service Set Identifier (SSID): a "network name" of up to 32 characters
- Access Points come with a default SSID. Example: "tsunami" for Cisco or "linksys" for Linksys
- All Access Points in a WLAN have the same SSID
- Mobile devices must know the SSID to "talk" to the access points
- SSID frequently broadcast by the access point for ease of discovery
- SSIDs in frame headers are transmitted in clear text
- SSID broadcasting could be disabled, but it's a weak security measure: sniffer programs (e.g. Kismet) can find SSIDs easily

Wired Equivalent Privacy (WEP)
- Standard originally intended to make wireless networks as secure as wired networks
- With WEP, mobile devices need a key used with an Initialization Vector to create a traffic key
- Typical WEP key lengths: 40-bit, 128-bit, 256-bit
- WEP key is shared by mobile devices and Access Points
- Problems (five listed on the slide, including):
  - Shared keys create a security hole
  - WEP is not turned on by default
- WEP authentication process
  1. Wireless station sends an authentication request to the AP
  2. AP sends back a 128-bit challenge text in plaintext
  3. Wireless station encrypts the challenge text with its WEP key and sends the result to the AP
  4. AP regenerates the WEP key from the received result, then compares it to its own WEP key
  5. AP sends a success or failure message
- Open source WEP cracking software: aircrack-ng, weplab, WEPCrack, airsnort

802.11i and Temporal Key Integrity Protocol (TKIP)
- In 2004, the IEEE 802.11 working group developed a security standard called 802.11i to be implemented in 802.11 networks
- 802.11i tightens security through the use of the Temporal Key Integrity Protocol (TKIP)
- TKIP can be added to existing APs and NICs
- TKIP uses a 128-bit key (that changes) to encrypt the WEP

Using an Authentication server, or Wi-Fi Protected Access (WPA)
- WPA is an early version of the 802.11i and 802.11x security standards
[Diagram, steps:]
1. Applicant (Lee) sends an authentication request to the Access Point (WAP Gateway)
2. Access Point passes the request on to the RADIUS Server
3. RADIUS Server gets user Lee's data from a Directory Server or Kerberos Server (optional; the RADIUS Server may store authentication data)
4. RADIUS Server to Access Point: Accept Applicant, Key=XYZ
5. Access Point to Lee: OK, use Key XYZ
- RADIUS is an AAA (Authentication, Authorization, Accounting) protocol
- Once the user is authenticated, the AP assigns the user an individual key, avoiding a shared key
Protocols used in WPA
- Authentication and data integrity in 802.11i and 802.11x rely on the Extensible Authentication Protocol (EAP), which has different options:
  - Wireless Transport Layer Security (WTLS) protocol
    - Server and mobile devices must have digital certificates
    - Requires that a Public Key Infrastructure (PKI) be installed to manage digital certificates
  - Tunneled WTLS
    - Digital certificates are installed on the server only
    - Once the server is securely authenticated to the client via its Certificate Authority, a secured tunnel is created. The server authenticates the client through the tunnel
    - Client could use passwords as a means of authentication

Soft Access Point* (* Also called Rogue Access Point)
- Usually, a soft AP is a laptop loaded with cracking software
- A soft AP allows the hacker to get passwords, MAC addresses, etc.
[Diagram: the WLAN topology from the earlier slide (notebook with PC Card wireless NIC, (1) 802.11 frame, Access Point, (2) 802.3 frame, Ethernet switch, (3) server, client PC) with a Soft AP placed alongside the legitimate Access Point]

TCP/IP Internetworking

Layered Communications: Encapsulation – De-encapsulation
- Application programs on different computers cannot communicate directly. There is no direct connection between them!
- They need to use an indirect communication system called layered communications or layer cooperation
[Diagram: the Browser on the User PC sends an HTTP Request to the Web App on the Webserver; both sides have Transport, Internet, Data Link and Physical layers]

Layer Cooperation on the User PC
- Encapsulation on the sending machine: embedding the message received from the upper layer in a new message
  - e.g. encapsulation of the HTTP request in the data field of a TCP segment

    Application   HTTP req.
    Transport     TCP-H | HTTP req.                           (TCP segment)
    Internet      IP-H | TCP-H | HTTP req.                    (IP packet)
    Data Link     PPP-H | IP-H | TCP-H | HTTP req. | PPP-T    (Frame)
    Physical

Layer Cooperation on the Web server
- De-encapsulation: each layer passes the data field it receives (containing the next-higher layer's message) up to the next-higher layer

    Physical      (transmission media)
    Data Link     PPP-H | IP-H | TCP-H | HTTP req. | PPP-T    (Frame)
    Internet      IP-H | TCP-H | HTTP req.                    (IP packet)
    Transport     TCP-H | HTTP req.                           (TCP segment)
    Application   HTTP req.                                   (HTTP request)

Questions
1. What is encapsulation? On what machine does it occur: sending or receiving machine?
2. If a layer creates a message, does that layer or the layer below it encapsulate the message?
3. What layer creates frames? Segments? Packets?
4. Which of the following network communication models is used on the Internet?
   a) The OSI model  b) The HTML model  c) The TCP/IP model  d) The IP model

IP Packet: IP Version 4 Packet Header

    Bit 0                                                                                   Bit 31
    Version (4 bits, 0100 = IPv4) | Header Length (4 bits) | QoS (8 bits) | Total Length (16 bits)
    Identification (16 bits) | Flags | Fragment Offset (13 bits)
    Time To Live (8 bits) | Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP | Header Checksum (16 bits)
    Source IP Address (32 bits)
    Destination IP Address (32 bits)
    Options (if any) | Padding
    Data Field

- QoS: also called Type of Service; indicates the priority level the packet should have
- Identification tag: helps reconstruct the packet from several fragments
- Flags: indicate whether the packet could be fragmented or not (DF: Don't Fragment) and whether more fragments of the packet follow (MF: More Fragments, or NF: No More Fragments)
- Fragment offset: identifies which fragment this packet is attached to
- TTL: indicates the maximum number of hops (or routers) the packet could pass before a hop discards it
- Header checksum: checks for errors in the header only

Questions
- What is the main version of the Internet Protocol in use today? What is the other version?
- What does a router do with an IP packet if it decrements its TTL value to zero?
- Assume that a router received an IP packet with the Protocol field in the header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?

IP Fragmentation
[Diagram: router between Subnet 1 and Subnet 2]
- When a packet arrives at a router, the router selects the port and subnet to forward the packet to
- If the packet is too large for the subnet to handle, the router fragments the packet, i.e.
  - Divides the packet's data field into fragments
  - Gives each fragment the same Identification tag value, i.e. the Identification tag of the original packet
  - First fragment is given a Fragment Offset value of 0
  - Subsequent fragments get Fragment Offset values consistent with their data's place in the original packet
  - Last fragment's Flag is set to "No More Fragments"
- Destination host reassembles the fragments based on the offsets
(Header fields involved: Identification (16 bits) | Flags | Fragment Offset (13 bits))

Firewalls and Fragmented IP Packets
- Fragmentation makes it hard for firewalls to filter individual packets
- TCP or UDP header appears only in the first fragment
- Firewall might drop the first fragment, but not subsequent fragments
- Some firewalls drop all fragmented packets
[Diagram: attacker 1.34.150.37 sends two fragments through a router to the firewall at 60.168.47.47. 1. First fragment: IP header | TCP header | TCP data field. 2./4. Second fragment: IP header | TCP data field, no TCP header. 3. TCP header only in first fragment. 5. Firewall 60.168.47.47 can only filter on the TCP header in the first fragment]

TCP Segment

    Bit 0                                                                                            Bit 31
    Source Port Number (16 bits) | Destination Port Number (16 bits)
    Sequence Number (32 bits)
    Acknowledgment Number (32 bits)
    Header Length (4 bits) | Reserved (6 bits) | Flag Fields: ACK, SYN, ... (6 bits) | Window Size (16 bits)
    TCP Checksum (16 bits) | Urgent Pointer (16 bits)
    Data

- Port number: identifies the sending and receiving application programs
- Sequence number: identifies the segment's place in the sequence; allows the receiving Transport layer to put arriving TCP segments in order
- Acknowledgement number: identifies which segment is being acknowledged
- Flag fields: six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Can be set to 0 (off) or 1 (on). E.g. SYN=1 means a request for connection/synchronization

Q: If the ACK flag is set to 1, what other field must also be set to let the receiver know which TCP segment is being acknowledged?
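As an added worked example (not from the slides), the fragmentation rules above carried out in Python on a constructed packet: the router splits the data field, copies the Identification tag, sets the 13-bit Fragment Offset in 8-byte units and the MF flag, the destination reassembles, and a firewall finds a TCP header only in the offset-0 fragment. The dict-based packet model, the MTU and the sample bytes are assumptions.

```python
"""IPv4 fragmentation as on the slides (added example, simplified dict packets):
the router copies the Identification tag, sets Fragment Offset in 8-byte units
and MF on all but the last fragment; a firewall sees TCP only at offset 0."""

DF = 0x4000          # Don't Fragment bit in the 16-bit Flags + Fragment Offset word
MF = 0x2000          # More Fragments bit (MF = 0 means "No More Fragments")
IP_HEADER_LEN = 20
TCP_HEADER_LEN = 20

def flags_offset_word(df, mf, offset_units):
    """Pack the flag bits and the 13-bit offset (in 8-byte units) as the header does."""
    if offset_units >= 1 << 13:
        raise ValueError("fragment offset does not fit in 13 bits")
    return (DF if df else 0) | (MF if mf else 0) | offset_units

def fragment(packet, mtu):
    """Fragments a router emits for `packet` on a link whose MTU is `mtu` bytes."""
    payload = packet["data"]
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [packet]                       # fits: forward unchanged
    if packet["df"]:
        raise ValueError("DF set: the router must discard, not fragment")
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8    # data per fragment, a multiple of 8 bytes
    frags = []
    for start in range(0, len(payload), chunk):
        more = start + chunk < len(payload)   # MF=1 on every fragment but the last
        frags.append({
            "id": packet["id"],               # same Identification tag as the original
            "df": False,
            "mf": more,
            "offset": start // 8,             # this data's place in the original, in 8-byte units
            "word": flags_offset_word(False, more, start // 8),
            "data": payload[start:start + chunk],
        })
    return frags

def reassemble(frags):
    """Destination host: order fragments by offset and rejoin their data fields."""
    if len({f["id"] for f in frags}) != 1:
        raise ValueError("fragments of different packets mixed")
    ordered = sorted(frags, key=lambda f: f["offset"])
    if ordered[-1]["mf"]:
        raise ValueError("last fragment (MF=0) missing")
    return {"id": ordered[0]["id"], "df": False, "mf": False, "offset": 0,
            "data": b"".join(f["data"] for f in ordered)}

def carries_tcp_header(frag):
    """A firewall can filter on TCP ports/flags only where the TCP header is: offset 0."""
    return frag["offset"] == 0 and len(frag["data"]) >= TCP_HEADER_LEN

# Constructed sample: 20-byte TCP header (src port 49562, dst port 80) + 1000 data bytes.
SAMPLE = {"id": 0x1234, "df": False, "mf": False, "offset": 0,
          "data": b"\xc1\x9a\x00\x50" + b"\x00" * 16 + b"A" * 1000}

if __name__ == "__main__":
    for f in fragment(SAMPLE, mtu=576):
        print(f"offset={f['offset']:>3} MF={int(f['mf'])} "
              f"data={len(f['data'])} tcp_header={carries_tcp_header(f)}")
```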
TCP and use of Flags
Flag Fields (6 bits): URG, ACK, SYN, FIN, RST, PSH
- TCP is a connection-oriented protocol
  - Sender and receiver need to establish a connection
  - Sender and receiver need to agree to "talk"
- Flags are used for establishing the connection
  - Sender requests connection opening: SYN flag set to 1
  - If the receiver is ready to "talk", it responds with a SYN/ACK segment
  - Sender acknowledges the acknowledgment
  - If the PC sender does not get the ACK, it resends the segment
[Diagram: 3-way handshake between the PC's Transport process and the Webserver's Transport process: 1. SYN (Open); 2. SYN, ACK (1) (acknowledgment of 1); 3. ACK (2)]
Note: With connectionless protocols like UDP, there are no flags. Messages are just sent. If part of the sent messages is not received, there is no retransmission.

Communication during a normal TCP Session
Q1: How many segments are sent in a normal TCP communication opening? ____
Q2: How many segments are sent in a normal TCP communication closing? ____
Note: At any time, either process can send a TCP RST (reset) segment with the RST bit set to 1 to drop the connection (i.e. to abruptly end the connection).

SYN/ACK Probing Attack
[Diagram: 1. Attacker 1.34.150.37 sends a probe, a SYN/ACK segment in an IP packet, to 60.168.47.47. 2. Victim 60.168.47.47: "No SYN (Open): makes no sense!" 3. Victim answers "Go away!" with an RST segment. 4. Source IP Addr = 60.168.47.47. 5. Attacker: "60.168.47.47 is live!"]
- Sending SYN/ACK segments helps attackers locate "live" targets
- Older Windows OS could crash when they receive a SYN/ACK probe

TCP and use of Port numbers
(Source Port Number (16 bits) | Destination Port Number (16 bits))
- Port numbers identify applications
- Well-known ports (0-1023): used by major server applications running at root authority. HTTP web service=80, Telnet=23, FTP=21, SMTP email=25
- Registered ports (1024-49151): used by client and server applications
- Ephemeral/dynamic/private ports (49152-65535): not permanently assigned by ICANN
[Diagram: web server applications (www:80, FTP:21, SMTP:25) running on the Operating System, which runs on the computer hardware (RAM chip, HD, Processor)]
Socket notation: IP address:Port #

Questions
A host sends a TCP segment with source port number 25 and destination port number 49562.
1) Is the source host a server or a client? Why?
2) If the host is a server, what kind of service does it provide?
3) Is the destination host a server or a client? Why?

TCP and Port spoofing
- Attackers set their application to use a well-known port despite not being the service associated with the port
- Most companies set their firewall to accept packets to and from port 80
- Attackers set their client program to use well-known port 80

Questions
1. What is IP Fragmentation? Does IP fragmentation make it easier for a firewall to filter incoming packets? Why?
2. What is a SYN/ACK probing attack?
3. What kind of port numbers do major server applications, such as email service, use?
4. What kind of port numbers do client applications usually use?
5. What is socket notation?
6. What is port spoofing?
7. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked?
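The SYN/ACK probing attack and the port-number ranges reviewed above, as an added detection example (not from the slides): a host records the SYNs it sent and flags any inbound SYN/ACK that completes no handshake it started, which is exactly the "No SYN (Open): makes no sense!" condition in the slide. The log format, the 10.0.0.5 web server and the attacker's port 40000 are constructed; 60.168.47.47 and 1.34.150.37 are the slide's addresses.

```python
"""Flag SYN/ACK probes: an inbound SYN/ACK that answers no SYN we sent cannot be
step 2 of a 3-way handshake (added example; log format is constructed)."""
from collections import namedtuple

# direction: "out" = sent by a host on our network, "in" = received from outside
Segment = namedtuple("Segment", "direction src sport dst dport flags")

def port_class(port):
    """Port ranges as given on the slides."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "ephemeral"
    raise ValueError("not a 16-bit port number")

def find_synack_probes(segments):
    """Return inbound SYN/ACK segments for which no matching outbound SYN was seen."""
    half_open = set()      # (local ip, local port, remote ip, remote port) of SYNs we sent
    probes = []
    for s in segments:
        flags = set(s.flags.split("|"))
        if s.direction == "out" and flags == {"SYN"}:
            half_open.add((s.src, s.sport, s.dst, s.dport))
        elif s.direction == "in" and flags == {"SYN", "ACK"}:
            key = (s.dst, s.dport, s.src, s.sport)   # our host is the destination here
            if key in half_open:
                half_open.discard(key)              # legitimate step 2 of the handshake
            else:
                probes.append(s)                    # no SYN (Open) from us: a probe
    return probes

def summarize(probe):
    return (f"unsolicited SYN/ACK from {probe.src}:{probe.sport} "
            f"to {probe.dst}:{probe.dport} ({port_class(probe.dport)} port)")

# Constructed sample traffic: one normal handshake from our host 60.168.47.47 to a
# web server, then the probe from the slide's attacker and our host's RST reply.
SAMPLE_LOG = [
    Segment("out", "60.168.47.47", 49562, "10.0.0.5", 80, "SYN"),
    Segment("in",  "10.0.0.5", 80, "60.168.47.47", 49562, "SYN|ACK"),
    Segment("out", "60.168.47.47", 49562, "10.0.0.5", 80, "ACK"),
    Segment("in",  "1.34.150.37", 40000, "60.168.47.47", 80, "SYN|ACK"),
    Segment("out", "60.168.47.47", 80, "1.34.150.37", 40000, "RST"),
]

if __name__ == "__main__":
    for p in find_synack_probes(SAMPLE_LOG):
        print(summarize(p))
```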