Part 5: Network Security






Network Attacks
Intrusion Detection
Servers and Security
Authentication
Secure Communication
Cryptography Applications
1
Network Security Basics



Network security protocols have been designed and
deployed, early in the life of the open Internet
Network security is a complex arena, but most of the
simple protocols are effective, efficient and widely deployed
“Internet Threat Model”:
The network is insecure and subject to attacks, the end
systems are secure.
 Assumes there are no viruses and other system level threats
 Solves the network insecurity problem, but leaves the more
important threat not addressed
2
Basic Network Attacks

Port Scans or mapping attacks (nmap)
 Create blueprint of network
 Find what listens to the network, what ports are
open
 Reconnaissance

Sniffing non-switched networks
 Many tools exist

ARP Spoofing
 Switched networks use “intelligent” switching of packets
 Capture packets on switched networks

MAC flooding/ARP poisoning
 Overflow the MAC table in switches

MAC duplication
 Fool switches, similar to the ARP spoofing attack

Countermeasures:
 IP filtering
 Port Security on Switches
3
Network and TCP attacks

Routing Attacks
 Attacking routers, NATs and firewalls
 Attacking BGP hosts
 Changing routes

DNS Attacks
 Provide false DNS information
 Pharming attacks

SYN Attacks
 Malicious headers, non conforming responses

Various TCP attacks
 Bad packets, malformed headers

Countermeasures:
 Routing Security (no workstations for routing, use “proper” routers)
 Secure DNS
 TCP has been hardened and many attacks do not work.
4
WiFi Attacks

Eavesdropping on WiFi networks
 Open radio network, cannot be prevented
 VPN and SSL usage is highly recommended

Evil Twin attack
 Set up access point with same SSID

WEP attack
 WEP is badly broken and is not secure

MAC spoofing
 Access MAC filtered networks (all paid networks)

WiFi seems to be “inherently insecure”, but use of
encryption can make it as secure as wired networks
 Standards keep changing and more security features keep getting
added
5
DoS

Overloading a resource with a flood of spurious traffic
Network routers
Servers
Network Stacks (e.g. the SYN attack)
Authenticators
The DDoS attack uses zombies to generate traffic to a
particular victim resource
 No good solution exists
 A threat to the Internet Infrastructure
6
Intrusion Detection


A phrase used for a variety of techniques to detect malicious access
Basic techniques:
 Statistical Anomaly Detection
 Pattern Matching
 Deep packet inspection

More techniques
 File Integrity checkers (Tripwire)

Some are quite intricate advances and obscure techniques

[Diagram labels: Border Router, Firewall, IDS, DMZ, Servers, Honeypot]
7
Intrusion Detection

IP Filtering
 Can stop many port scans from outside
 Cannot stop internal attacks from viral infections

Packet Inspection
 Statistical checks and content checks
 cat “+” > ./rhosts

Honeypots
 Open, often unpatched matching in DMZ
 Used to see what attacks are happening

Host based IDS
 One system only

Network based IDS
 Listens to packets

Layered approach
 Many techniques

Knowledge based
 updates

Bastion hosts
..more…

File Integrity
 Get hashes of files and store them, and check against actual files
 Not too difficult to attack and disable
8
Firewalls

Firewalls are effective against some buffer overflow attacks
and some Trojan software
 Stops the silly tricks, lets the smart ones go

Firewalls can be implemented in hardware and software
 They each have their share of advantages


Firewalls can implement NAT = Network Address Translation
Best reasons to have a firewall:
 Stops access to open ports where default, poorly configured servers
listen
 Stops access to several buffer overflow exploits
 NAT makes the computer essentially invisible to scanners
9
Software Firewalls





Built into the kernel, handles messaging into and out of the
machine
Can monitor programs that send data out, useful for
detecting malware (not effective)
Can close and/or monitor some open ports
Can have “smarts”
Disadvantages:
 Can be easily turned off by malware
 A lot of confusing warnings
 Cannot detect stealthy programs (e.g. one that piggybacks over the
email program or web browser)
 Incoming connection protection is doubtful, and can introduce more
vulnerabilities
10
Hardware Firewalls

Essentially a “NAT server”
 [NAT = network address translation]


Hides the machine at a fictitious IP address, all incoming
messages go to the firewall
Allows only outgoing connections from the machine
 Others can reply to the host, but cannot initiate communications to
the host
 Stops all network attacks
 Except the ones that can figure out how to mimic responses rather
than initiations (connection hijack attacks)

Disadvantages
 Cannot monitor outgoing traffic
 No “Smarts”
11
Denial of Service



Protection against DoS and DDoS
Hard to do, not many effective techniques
Packet filtering has to be done
 How to detect, what to throw?
 Fooling DoS detectors can cause DoS attacks

Global traffic shaping
 Internet has no central control


Backbone Networks
Autonomous Systems
12
Network Application Security

Web server security





Attacks on web servers
Scripting attacks, injection attacks
Data compromise attacks
Denial of Service Attacks
Mail Server Security
 Spam filtering is essential
 Open relays, sendmail configurations
 Containing Hoaxes

DNS security
 DNS attacks and configuration

Database server security
 SQL checkers
 Scripting attacks
 Backdoors
13
ISP protection


Many forms of packet filtering
Ports are blocked
 For SMTP servers
 Inbound and outbound port blocks
 Some are done for profit

Traffic Shaping
 “Net Neutrality” debate
14
Network Security and Cryptography

Network Security makes heavy use of cryptography
 Different from system security

Cryptographic Algorithms
 Encryption, hashing, random numbers, identities

Cryptographic Protocols
 A set of steps executed by multiple parties such that no one trusts
each other, but if everyone is truthful, the end goal is reached
 “Self Enforcing Protocols”
 Authentication, Key Exchange, Challenge response, Message
Authentication Codes (MAC), secret sharing
15
“Secret” Communication

Alice sends a message to Bob, encrypted using a key (k).
 Many encryption algorithms, known and trusted
 DES, 3DES, AES, IDEA
 An attacker cannot read the contents of the message

Alice also embeds a cryptographic hash in the message,
that is also encrypted with k, as well as a timestamp or
sequence number
 Bob can ensure an attacker did not replace the message with a
random bit string, and is not replaying an older message from Alice

Problem: Alice and Bob have to prearrange a key “k”
 Use PKI to exchange keys
 Watch out for MITM attacks
 Preinstalled keys can be used <<< more complicated than it seems
16
Authentication

Used to ensure Alice and Bob are sure about who they are
communicating with
 Also helps in key exchange






Passwords
Public Key based Protocols
Simple authentication (passwords, hash chains)
Multi Factor Authentication
PKI Authentication – used in SSL/IPSec
Certificate based Authentication
17
Authentication - passwords



Ubiquitous and insecure
A shared secret scheme, prone to leakage
Dictionary attacks, keyboard sniffing attacks, phishing
attacks
 PIN usage in debit cards – bad
 Biometrics – bad
18
Authentication – hash chains


SKEY
Create a chain of hashes:
Seed = S
H1 = h(S)
H2 = h(H1)
H3 = h(H2)
Server stores HN+1 and gives
the client the chain.
Client uses HN for 1st login
Client uses HN-1 for 2nd login
[A more practical scheme
using time is used in the
RSA secure-id card]
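
The hash-chain login above as a runnable sketch. This is an added example, not code from the slides; SHA-256 stands in for the unspecified h(), and the class and function names are hypothetical.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # SHA-256 stands in for the slide's unspecified one-way function h().
    return hashlib.sha256(data).digest()

def hash_chain(seed: bytes, n: int) -> list:
    """Return [H1, ..., Hn] where H1 = h(seed) and Hi = h(H(i-1))."""
    values, current = [], seed
    for _ in range(n):
        current = h(current)
        values.append(current)
    return values

class SKeyClient:
    def __init__(self, seed: bytes, n: int):
        self._unused = hash_chain(seed, n)      # H1..HN; HN is spent first

    def next_password(self) -> bytes:
        if not self._unused:
            raise RuntimeError("chain exhausted: enrol a new seed")
        return self._unused.pop()               # HN, then HN-1, ...

class SKeyServer:
    def __init__(self, h_n_plus_1: bytes):
        self.stored = h_n_plus_1                # never a value the client still needs

    def login(self, password: bytes) -> bool:
        # Accept only a preimage of the stored value, then step back one link.
        if not hmac.compare_digest(h(password), self.stored):
            return False
        self.stored = password
        return True

def enrol(seed: bytes, n: int):
    """Set up both sides: the server gets H(N+1), the client keeps H1..HN."""
    return SKeyClient(seed, n), SKeyServer(hash_chain(seed, n + 1)[-1])

def demo():
    client, server = enrol(b"constructed seed, not from the slides", 3)
    first = client.next_password()
    results = [server.login(first)]                         # 1st login with HN
    results.append(server.login(first))                     # replay of HN rejected
    results.append(server.login(client.next_password()))    # 2nd login with HN-1
    return results
```

A sniffed password is useless for the next login because producing HN-1 from HN means inverting h().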
19
Authentication Challenge Response

Shared secret challenge response is secure if the shared
secret can be kept securely
Client and Server know a secret S
Challenge: Server sends to client a random number R
Response: Client responds with ES (R)

PKI based challenge response is better, covered in
Cryptography section.
20
Single Sign on Systems




Sign on once and access a variety of services
Eliminates multiple username/password problems
Passwords do not get propagated to service providers
Has met with limited success
 Microsoft passport is essentially dead
 Liberty Alliance is struggling
 Microsoft CardSpace is trying a fresh start

Cardspace is the only one using public keys and has
provisions for securely storing private keys on smartcards
 Late, but much needed

Kerberos is old technology but widely used in
organizations
21
Kerberos (three-headed guard dog)





A popular method for single sign on for organizations
Client authenticates with an Authentication Service
Client contacts ticket granting service to get a ticket for a particular server
Client provides server with ticket and server provides client with service
Based on a lot of pre-arranged shared secrets

[Diagram labels: authenticator, Ticket granting server, client, Service Provider; keys Kac, Kas, Ktc]
22
Simplified Kerberos Protocol


Client C contacts Kerberos K and authenticates
Client asks for ticket to Server S
 Kerberos replies: EKkc(Tk, L, Kcs, “S”), EKks(Tk, L, Kcs, “C”)

Client sends Server
 EKks(Tk, L, Kcs, “C”), EKcs(“C”, Tc)

Server Acks
 EKcs(Tc + 1)

Tk : timestamp at K
L: Ticket Lifetime
Kkc, Kks: prearranged shared secrets
Kcs: temporary shared secret

[Diagram labels: client, KERBEROS (authenticator, Ticket granting server), Service Provider]
23
Secure Communication: SSL or IPSec

SSL (Secure Sockets layer) is pervasive, IPSec is a
standard
 Most VPNs use IPSEC

End to end, security, with server authentication, and
optional client authentication




Servers have certificates issued by a CA
Client authenticates the server certificate, using challenge response
Clients can authenticate to server via certificates, or via password
Has a wide range of supported underlying algorithms for session
key, public key and hashes
24
SSL Protocol
SSL Protocol (basic)
Alice → Bob: Hello RA = <random number>
Bob → Alice: Hello <Bob’s Certificate>, RB = <random number>
Alice → Bob: Prove it!
Bob → Alice: EK2B ( h (RA, RB))
Alice → Bob: EK1B (session key)
SSL Communications:
EKEY(message, EKEY( h (message)))
25
SSL



The SSL protocol is an implementation of the basic protocol
with lots of bells and whistles
Well designed
Attacks against the implementation have been found, but
have been fixed
 Current implementation is considered robust and safe

Features




Cipher Suite negotiation
Compatibility
Client and Server generated random numbers
No Challenge-Response actually needed (!)
26
SSL Protocol
ClientHello (224 bits)
ServerHello (224 bits)
Server Certificate
Verify Server Certificate
Generate Pre-MasterSecret [384-bits]
Cipher Negotiation
Send pre-master-secret, encrypted with Server Public Key
Generate “Key Material”
Generate “Key Material”
MUST BE THE SAME!
27
Hello

Client Hello
struct {
    ProtocolVersion client_version;
    Random random;
    SessionID session_id;
    CipherSuite cipher_suites;
    CompressionMethod compression_methods;
}

Server Hello
struct {
    ProtocolVersion server_version;
    Random random;
    SessionID session_id;
    CipherSuite cipher_suite;
    CompressionMethod compression_method;
}
28
Key Material
master_secret =
MD5(pre_master_secret + SHA('A' + pre_master_secret +
ClientHello.random + ServerHello.random)) +
MD5(pre_master_secret + SHA('BB' + pre_master_secret +
ClientHello.random + ServerHello.random)) +
MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
ClientHello.random + ServerHello.random));
key_block =
MD5(master_secret + SHA('A' + master_secret + ServerHello.random +
ClientHello.random)) +
MD5(master_secret + SHA('BB' + master_secret + ServerHello.random +
ClientHello.random)) +
MD5(master_secret + SHA('CCC' + master_secret + ServerHello.random +
ClientHello.random)) + [...];
Key block is then partitioned into
“client write key”, “server write key”, “client MAC”, “server MAC”
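
The key-material formulas above carried through in code, showing why both ends arrive at the same keys. This is an added example, not part of the original slides; the function names and the input values are constructed, and the cut order of the key block (MAC secrets before write keys) follows the SSL 3.0 specification rather than the order the names are listed in here.

```python
import hashlib

def _expand(secret: bytes, rand1: bytes, rand2: bytes, length: int) -> bytes:
    """Concatenate MD5(secret + SHA('A' | 'BB' | 'CCC' ... + secret + rand1 + rand2))."""
    if length > 26 * 16:
        raise ValueError("labels 'A'..'Z' yield at most 416 bytes")
    out = b""
    i = 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)       # b"A", b"BB", b"CCC", ...
        inner = hashlib.sha1(label + secret + rand1 + rand2).digest()
        out += hashlib.md5(secret + inner).digest()    # 16 bytes per round
        i += 1
    return out[:length]

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Three rounds of 16 bytes = 48-byte master secret; client random comes first.
    return _expand(pre_master, client_random, server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    # Same construction, but the randoms are swapped: server random comes first.
    return _expand(master, server_random, client_random, length)

def derive_keys(pre_master, client_random, server_random, mac_len=16, key_len=16):
    """Derive the four named secrets; any IVs would be cut after the write keys."""
    master = master_secret(pre_master, client_random, server_random)
    block = key_block(master, client_random, server_random, 2 * mac_len + 2 * key_len)
    names = [("client MAC", mac_len), ("server MAC", mac_len),
             ("client write key", key_len), ("server write key", key_len)]
    keys, pos = {}, 0
    for name, size in names:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

# Constructed inputs: 48-byte (384-bit) pre-master secret, 32-byte randoms.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x00\x00\x00\x01" + b"C" * 28
SERVER_RANDOM = b"\x00\x00\x00\x02" + b"S" * 28
```

Calling `derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)` on either side gives identical secrets; changing one byte of either random changes all four.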
29
Problems with SSL



CA public keys stored in browser, can be attacked
After an SSL connection is opened, a virus can use the
secure connection to defraud or steal information
Earlier known attacks
 Weak encryption
 Timing attacks
 Buffer overflow attacks
30
Email Privacy


Email is not private
Email privacy can be achieved with encryption
 Key exchange issues
 Public Key Management
 If we had certificates, email privacy would be easy to achieve

Currently, sending/receiving encrypted email arouses
suspicion
 Workaround is steganography

Email privacy is supported via PGP and GPG
 Several commercial solutions that do not interoperate
 Hushmail
31
PGP - GPG




Pretty Good Privacy and Gnu Privacy Guard
Email and encrypted file systems
Public keys for email transport and signatures
“Web of Trust”
 Alice can sign Bob’s public key, if she knows Bob
 P2P version of certificate authorities



How private keys are generated and stored depends upon
the implementation
How public keys are distributed also depends upon
implementation
Signatures are supported
32
Spam


Spam is not just an irritant, it is a security risk
Spam is the carrier of choice for:







Viruses
Phishing attacks
Malformed URLs
Various fraudulent scams
Luring users to dangerous websites
More to come
Fighting spam is not working, due to many technical issues
 Compatibility
 Signed email can combat spam, but would create segregated email
communities
33
Email Signing


Digital signatures on email can identify sender and stop
spam and spoofed emails
DomainKey: An email signature scheme developed by
Yahoo and used by Yahoo Mail and Google Mail
 All mail sent via Yahoo or Google servers has a domainkey
signature
 Cannot be spoofed, signature cannot be lifted
 Yahoo and Google ensure spam is not sent from their servers (and
a few more)
 Ensuring all received mail has valid domainkey would make
spamming difficult
 Would also stop all email not originating from yahoo/google

Domainkey signatures are never checked as of now
34
Security Policies



A catchall phrase that encompasses all rules and
enforcement used by an organization to ensure security
Has to be dynamic and flexible
Covers







Networking systems
Computer systems
User rights
Data policies
Resource usage policies
Email policies
File systems
35
More issues












Advisories
Patches
Attack recovery
Perimeter Safety
Service Security
Baseline Security
Physical Security
Transport Security
File systems
BGP and routing protocols
Hoaxes
Mobile Security
36