CSE2500 SYSTEM SECURITY & PRIVACY
Introduction to Computer Network Security
CSE2500 System Security & Privacy, Srini & Nandita

Slide 2: Layout
- Network security: what is different from computer systems security?
- Possible scenarios for network connections and their implications for security concerns.
- What is the principal mode of attack in networks, and how can you defend against it?
- In which part of the network structure can we enforce security? How can we do it efficiently?

Slide 3: What have we seen so far?
- Authentication
- Access control
- Encryption

Slide 4: Internetwork architecture
(Diagram: a wired stranger, a wireless stranger and a server, all reachable through the Internet.)

Slide 5: Services of the server
Web servers; email servers; FTP servers; web and email servers; web, email and FTP servers; modem servers; web, email, FTP and modem servers; web, email and file servers; etc.

Slide 6: Consider a web server
- What is the authentication here?
- What is the access control here?
- If these do not apply, what is the issue with respect to security?

Slide 7: Recap: security attacks, a taxonomy
- Interruption: attack on availability
- Interception: attack on confidentiality
- Modification: attack on integrity
- Fabrication: attack on authenticity
The availability (and confidentiality) property needs to be preserved; how can it be threatened?

Slide 8: Model for network security
(Diagram: a gatekeeper guarding an information channel.)

Slide 9: Attacks are
- Snooping or sniffing: the attacker observes network traffic without disturbing the transmission (passive), e.g. snooping for passwords. Sniffing software works by placing a system's network interface into promiscuous mode.
Slide 10: Attacks are
- Denial of service: make the server inoperative or inefficient, e.g. ping (of death), or attack by flooding.

Slide 11: ICMP ECHO flooding (ping attack)
(Diagram: the hacker, on a T-1 link, sends packets 1..n across the Internet to a server on a 128K link.)
The hacker sends an ICMP Echo request to the target, expecting an ICMP Echo reply to be returned for each request. Because of the higher bandwidth, the hacker can send more requests than the target can handle.
Countermeasures: no known defense.

Slide 12: TCP SYN flooding
(Diagram: the hacker sends SYNs to the target host from unreachable IP addresses, while a legitimate client is unable to connect.)

Slide 13: SYN attack
Attack method: most hosts will only support 8-16 simultaneous communication channels. The hacker sends a sequence of SYN packets. Each SYN packet (about 120 per second) has a different and unreachable IP address. This consumes all the communication channels and results in a denial of any TCP-based service.
Countermeasure: expand the number of ports, reduce the time-out period, validate TCP request packets.

Slide 14: Attacks are
- Impersonation: stealing the identity of someone, so that the other party thinks that you are the true identity.

Slide 15: Impersonation
Authentication at the IP layer is concerned with the identity of computer systems. IP addresses are software configurable, and the mere possession (or fraudulent use) of one enables communication with other systems. Two techniques to do this are:
- address masquerading
- address spoofing

Slide 16: Address masquerading
(Diagram only.)

Slide 17: Address spoofing
Also known as the TCP sequence number attack. First we need to understand how the three-way TCP handshake protocol works. A handshake is an assertion that indicates one party's readiness to send or receive data. When two systems share a hardware connection, a two-way handshake is enough. Since TCP rides on IP, an unreliable, connectionless protocol, a three-way handshake is required.

Slide 18: Handshake in TCP
- Machine A -> Machine B: SYN + ISN_A
- Machine B -> Machine A: SYN + ISN_B + ACK(ISN_A + 1)
- Machine A -> Machine B: ACK(ISN_B + 1), followed by application data
SYN: synchronize request. ISN: initial sequence number. ACK: acknowledgement for the ISN.

Slide 19: TCP connection (three-way connection between client and server)
Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 shows the advertised window size of the sending station, while the field <mss 1024> shows the receiving maximum segment size specified by the sender. SYN=1, ACK=0.
Segment 2 shows the server responding with a SYN segment of 181521 and ACKnowledging the client's ISN with ISN + 1. This is called a Passive Open. SYN=1, ACK=1.
Segment 3 shows the client responding by ACKnowledging the server's ISN with ISN + 1. SYN=0, ACK=1. Data can now be transmitted.

Slide 20: Address spoofing
Consider C (an intruder) who wants to impersonate the sender (say A). How? Intruder C knows that B (the receiver) trusts A's users and lets them execute commands through, say, the rsh (remote shell) service without requiring a password. C will not receive a single datagram in response from B, whose replies will be routed to the real, but unavailable, A. C now somehow needs to predict the ISN of B that B would tell A during the handshake.

Slide 21: How to get the ISN?
The ISN is a 32-bit clock that increases systematically with time.
If the clock increment is predictable and an attacker can see the value of any one ISN, he can probably predict the value of the next or a soon subsequent ISN with accuracy.

Slide 22: A predictable ISN can lead to
- After learning the ISN, wait for A to go down (say for maintenance), which is easy to detect (say by ping); then C sends B a counterfeit IP datagram containing its SYN and ISN. B receives this and believes it to have originated from A.
- B replies with a SYN, its own ISN and an acknowledgement of C's ISN. (This reply is routed inconsequentially to A, who is still unavailable to receive it.)
- C meanwhile predicts and acknowledges B's ISN. It follows with an rsh command that coaxes B to give the attacker easier access from his true location.
- C has successfully opened a TCP connection and executed a command on B without ever having received a single byte in return from B. It simply acted as if it had, enabled by B's predictable ISN.

Slide 23: Method of defense
- Avoid reliance on address-based authentication and trust mechanisms (like those used by rsh).
- Use a screening router, a device that can intelligently filter network packets based on configurable rules. Although this cannot prevent spoofing, it can prevent:
  - inbound attacks that originate from external networks (by discarding incoming datagrams whose source address belongs to the internal address range);
  - outbound attacks that originate inside your own network (by discarding outgoing datagrams whose source address belongs to an external network).

Slide 24: Attacks are
- Relaying a message to another host, which accepts it as if it were trusted. Example: transfer of password files in networked Unix systems.
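As an added worked example, not part of the lecture slides, the following Python model plays out the three segments described in the "Handshake in TCP" and "TCP connection" slides and the channel exhaustion of the "SYN attack" slide, including two of the countermeasures that slide lists: more channels and a shorter time-out. The 8-16 channel figure and the 120 SYN/second rate come from the slide; the Segment and Listener classes, the 10.255.x.x addresses used for the unanswered SYNs, and the 75-second default time-out are modelling assumptions. The server draws its ISN with a secure random generator, which is the modern fix for the clock-driven ISN described on the "How to get the ISN?" slide; the server also rejects any final ACK that does not carry ISN_B + 1, which is the check a blind sender has to get past.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple, Union

MASK32 = 0xFFFFFFFF


def random_isn() -> int:
    """Unpredictable 32-bit ISN; a clock-driven ISN is what makes blind spoofing feasible."""
    return secrets.randbelow(1 << 32)


@dataclass
class Segment:
    src: str
    dst: str
    syn: bool = False
    ack: bool = False
    seq: int = 0        # sequence number (the ISN on a SYN)
    ack_num: int = 0    # acknowledgement number (peer's ISN + 1 on SYN+ACK and on the final ACK)


@dataclass
class Listener:
    """A server's listening socket with a bounded queue of half-open connections (assumed model)."""
    addr: str
    backlog: int = 8                  # "most hosts support 8-16 simultaneous channels"
    timeout: float = 75.0             # seconds a half-open entry is kept (assumed default)
    isn_source: Callable[[], int] = random_isn
    half_open: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # client -> (ISN_B, created)
    established: List[str] = field(default_factory=list)

    def expire(self, now: float) -> None:
        self.half_open = {c: v for c, v in self.half_open.items() if now - v[1] < self.timeout}

    def on_segment(self, seg: Segment, now: float) -> Union[Segment, str, None]:
        self.expire(now)
        if seg.syn and not seg.ack:                          # segment 1: SYN (active open)
            if len(self.half_open) >= self.backlog:
                return None                                  # all channels held: SYN dropped
            isn_b = self.isn_source()
            self.half_open[seg.src] = (isn_b, now)
            return Segment(self.addr, seg.src, syn=True, ack=True,      # segment 2: SYN+ACK
                           seq=isn_b, ack_num=(seg.seq + 1) & MASK32)
        if seg.ack and not seg.syn and seg.src in self.half_open:      # segment 3: ACK
            isn_b, _ = self.half_open[seg.src]
            if seg.ack_num != (isn_b + 1) & MASK32:
                return "bad-ack"        # sender never learned ISN_B (or guessed wrong): no connection
            del self.half_open[seg.src]
            self.established.append(seg.src)
            return "established"
        return None


def client_handshake(listener: Listener, client: str, now: float) -> bool:
    """Run the three segments for a reachable client; True once the connection is established."""
    isn_a = random_isn()
    synack = listener.on_segment(Segment(client, listener.addr, syn=True, seq=isn_a), now)
    if synack is None or synack.ack_num != (isn_a + 1) & MASK32:
        return False
    ack = Segment(client, listener.addr, ack=True, seq=(isn_a + 1) & MASK32,
                  ack_num=(synack.seq + 1) & MASK32)
    return listener.on_segment(ack, now) == "established"


def syn_flood(listener: Listener, count: int, start: float, rate: float = 120.0) -> None:
    """SYNs at `rate` per second from (constructed) addresses that never answer the SYN+ACK."""
    for i in range(count):
        listener.on_segment(Segment(f"10.255.{i // 256}.{i % 256}", listener.addr, syn=True, seq=i),
                            start + i / rate)


def simulate(backlog: int, timeout: float, flood_seconds: float, client_at: float) -> bool:
    """Flood from t=0 at 120 SYN/s for flood_seconds, then a legitimate client connects at client_at."""
    listener = Listener("130.194.225.92", backlog=backlog, timeout=timeout)  # addresses from the slides
    syn_flood(listener, int(120 * flood_seconds), 0.0)
    return client_handshake(listener, "108.3.54.92", client_at)


if __name__ == "__main__":
    print("idle server, client connects:      ", simulate(8, 75.0, 0, 0.0))     # True
    print("8 channels, 75 s timeout, t=1 s:   ", simulate(8, 75.0, 1, 1.0))     # False: channels all held
    print("8 channels, 0.5 s timeout, t=2 s:  ", simulate(8, 0.5, 1, 2.0))      # True: stale entries expired
    print("256 channels, 75 s timeout, t=1 s: ", simulate(256, 75.0, 1, 1.0))   # True: flood never filled the queue
```

The `simulate` runs show why the slide's first two countermeasures work: with 8 channels and a long time-out, one second of the flood holds every channel, whereas a short time-out frees them and a larger queue absorbs the burst. The `bad-ack` branch is where an unpredictable ISN pays off: a sender that never saw the SYN+ACK has one chance in 2^32 of supplying the right acknowledgement.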
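Also as an added example that is not part of the slides: a minimal screening-router check in Python implementing the two rules of the "Method of defense" slide. It parses a raw IPv4 header laid out as on the "IP datagram format" reference slide, verifies the header checksum, and applies the inbound and outbound source-address rules. The internal network 130.194.225.0/24 and the four test addresses are taken from the "By Blocking (or Screening)" slide; the header-building helper, the identification value and the "accepted"/"blocked" strings are constructed for this example.

```python
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("130.194.225.0/24")   # the slides' internal network 130.194.225.xxx


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used for the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    """Constructed 20-byte header (no options) in the slide's field order, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,        # 4-bit version, 4-bit header length (5 words)
                      0,                   # 8-bit type of service
                      20 + payload_len,    # 16-bit total length
                      0x1234,              # 16-bit identification (constructed value)
                      0x4000,              # 3-bit flags (DF) + 13-bit fragment offset (0)
                      64,                  # 8-bit time to live
                      proto,               # 8-bit protocol (6 = TCP)
                      0,                   # 16-bit header checksum, computed below
                      ipaddress.ip_address(src).packed,   # 32-bit source address
                      ipaddress.ip_address(dst).packed)   # 32-bit destination address
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    if len(raw) < 20:
        raise ValueError("truncated header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if internet_checksum(raw[:ihl]) != 0:   # a correct header sums to zero when its checksum is included
        raise ValueError("bad header checksum")
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "proto": proto,
            "ttl": ttl, "total_len": total_len, "flags": flags_frag >> 13,
            "frag_offset": flags_frag & 0x1FFF}


def screen(raw: bytes, direction: str) -> str:
    """The two screening rules; direction is 'inbound' (arriving from outside) or 'outbound'."""
    hdr = parse_ipv4_header(raw)
    src_internal = hdr["src"] in INTERNAL_NET
    if direction == "inbound" and src_internal:
        return "blocked"     # external packet claiming an internal source address
    if direction == "outbound" and not src_internal:
        return "blocked"     # internal host sending with an external source address
    return "accepted"


if __name__ == "__main__":
    for src, dst, direction in [("108.3.54.92", "130.194.225.92", "inbound"),
                                ("130.194.225.52", "130.194.225.92", "inbound"),
                                ("130.194.225.92", "121.5.92.1", "outbound"),
                                ("108.3.54.92", "121.92.5.52", "outbound")]:
        print(direction, src, "->", dst, ":", screen(build_ipv4_header(src, dst), direction))
```

The four cases in the `__main__` block reproduce the accepted/blocked outcomes of the screening slide. Note what the rules do not do: a packet from outside with a forged external source address still passes, which is why the slide pairs the router with the advice to drop address-based trust altogether.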
Slide 25: Message alteration
Message here means the payload of the IP datagram. The router performs routine modifications to the IP datagram header, and sometimes fragments a datagram into several smaller ones (when the length exceeds the limit allowed by the underlying data link layer). These routine changes give no reason to suspect message alteration, but techniques such as checksums are not sufficient.

Slide 26: Message delay and denial
- By gaining unauthorised control of a router or routing host, then modifying the executable code or the routing and screening rules used by the code. Proper authentication and access mechanisms need to be applied to the routing systems.
- By overwhelming a routing device, or one of the communication end systems, with an inordinate amount of network traffic. Easy to detect but difficult to prevent!

Slide 27: By blocking (or screening)
(Diagram: a screening router between the external network and the internal network 130.194.225.xxx.)
- Inbound, source 108.3.54.92, destination 130.194.225.92: accepted
- Inbound, source 130.194.225.52 (an internal address arriving from outside), destination 130.194.225.92: blocked
- Outbound, source 130.194.225.92, destination 121.5.92.1: accepted
- Outbound, source 108.3.54.92 (an external address leaving from inside), destination 121.92.5.52: blocked

Slide 28: Network communication: OSI reference model
Application-related services:
- Application (7): application programs that use the network
- Presentation (6): standardise data representation to the application layer
- Session (5): manage sessions between applications
Network-related services:
- Transport (4): provide end-to-end error detection and correction
- Network (3): manage connections across the network
- Data Link (2): provide reliable delivery across physical links
- Physical (1): define characteristics of the media

Slide 29: Generic message format
Sender identity | Recipient identity | Message length | Message data

Slide 30: Internet TCP/IP model
- Application: programs such as X Window, mobile agents, web applications, email, ...
- (Sockets between the application and transport layers)
- Transport (TCP, UDP): table of addresses, data and algorithms to perform reliability checks
- Network (IP): table of addresses and algorithms for handling the routing of data
- Physical: digital signal (0, 1)

Slide 31: Network layer: IP datagram format (for reference)
- 4-bit version | 4-bit header length | 8-bit type of service | 16-bit total length
- 16-bit identification | 3-bit flags | 13-bit fragment offset
- 8-bit time to live | 8-bit protocol | 16-bit header checksum
- 32-bit source address
- 32-bit destination address
- Options (if any) and padding
- Data (variable length)

Slide 32: TCP segment (for reference)
- 16-bit source port number | 16-bit destination port number
- 32-bit sequence number
- 32-bit acknowledgement number
- 4-bit header length | 6-bit reserved | 6-bit flags | 16-bit window size
- 16-bit TCP checksum | 16-bit urgent pointer
- Options (if any) and padding
- Data (variable length)

Slide 33: UDP datagram (for reference)
- 16-bit source port number | 16-bit destination port number
- 16-bit length | 16-bit checksum
- Data (variable length, if any)

Slide 34: Possible methods
- Simple denial of requests, through a firewall: useful to prevent address spoofing and masquerading.
- Tailored software for each of the network services, called wrappers: application-oriented functionality can be implemented.

Slide 35: Firewalls
A screening router (also called packet filtering) is an example of a firewall. We will look at firewalls in more detail in another subject.

Slide 36: SMTP routing
(Diagram: an external SMTP server on the Internet; an exterior router, a perimeter network with a bastion host, an interior router, and the internal network with an inside SMTP server and SMTP clients; together these form the firewall.)
1. Route incoming/outgoing mail to the bastion host.
2. Use the exterior router to restrict connections from external hosts to the bastion host.
3. Use the interior router to restrict connections from the bastion host to specific internal servers.
4. Internal systems send mail to the bastion host.

Slide 37: TCP Wrapper
The TCP Wrapper is a utility program that can be "wrapped" around existing servers connected to the Internet. A firewall can be placed between your internal network and the Internet to protect the entire internal network. The TCP Wrapper is placed on an internal server and protects the services of that machine. The combination of firewall and TCP Wrapper provides defense in depth. The TCP Wrapper was written by Wietse Venema and is used for:
- logging requests for service made through /etc/inetd.conf, and
- intercepting and controlling TCP services that are started by /etc/inetd.conf.

Slide 38: TCP Wrapper
(Diagram: an external user, the Internet, a router, the firewall, a bastion host and an internal server running the TCP Wrapper.)

Slide 39: TCP Wrapper operation
- The TCP Wrapper is installed on the internal server, and inetd is configured to run the TCP Wrapper program, tcpd, instead of the real server.
- inetd is the Internet protocol starter program that, upon detecting a service request, forks a process directly to the requested service.
- tcpd is the TCP Wrapper program that receives control from inetd when an internal server has been "wrapped". tcpd evaluates the request against two TCP Wrapper configuration files:
  - /etc/hosts.allow tells tcpd which hosts to allow connections from.
  - /etc/hosts.deny tells tcpd which hosts to deny all connections from.
- If no match is found, the connection is allowed.
- tcpd completes its function, then transfers control to the requested service.

Slide 40: TCP Wrapper operation
(Diagram: an external user, the Internet, a router, the firewall and a bastion host; on the internal server, inetd reads inetd.conf and starts tcpd, which consults /etc/hosts.allow and /etc/hosts.deny before handing over to the requested network service: telnet, ftp, rlogin, udp, etc.)

Slide 41: TCP Wrapper functions
The TCP Wrapper performs the following functions upon assuming control from inetd:
- Compares the incoming hostname and requested service with the previously created hosts.allow and hosts.deny files.
- Performs a double-reverse lookup of the IP address to make sure the DNS entries for the IP address match the hostname.
- Logs the result with syslog. This provides a way to log services that are normally not logged, e.g. finger and systat.
- Optionally runs a command, e.g. runs finger to get a list of users on the connecting client computer.
- Optionally substitutes a different version of the requested service daemon, e.g. the calling host may require a special extended service.
- Optionally sends a banner to the connecting client.
- Passes control of the connection to the real network daemon, or rejects the connection without providing a service.

Slide 42: Possible connections: security?
(Diagram: your PC, behind an optional firewall, connecting through an ISP server to the Internet, where wired and wireless strangers are also present.)

Slide 43: Possible connections: security?
(Diagram: your systems, a web server, an ftp server and production servers behind a firewall, with wired and wireless strangers on the Internet.)

Slide 44: Possible connections: security?
(Diagram: the same elements as the previous slide, arranged differently.)

Slide 45: Possible connections: security?
(Diagram: LAN/WAN segments; web servers behind a firewall facing the Internet; back-end data servers on further LAN/WAN segments.)

Slide 46: Possible connections: security?
(Diagram: web servers facing the Internet; a firewall; intranet and extranet; business integration systems; business applications; back-end data servers; a call centre and mobile users, all on LAN/WAN segments.)
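An added example, not from the slides and not Wietse Venema's TCP Wrapper code: a simplified Python model of the decision tcpd makes on each connection, following the "TCP Wrapper operation" and "TCP Wrapper functions" slides. It reads hosts.allow and hosts.deny in the real files' "daemon_list : client_list" line shape, performs the double-reverse DNS lookup, applies the order the slides give (a match in hosts.allow grants, then a match in hosts.deny refuses, and no match at all grants), and records a syslog-style line. The sample access files, the DNS tables, the host names and the AUDIT_LOG list are constructed for the example; the real hosts_access syntax also supports forms such as EXCEPT, KNOWN, UNKNOWN and PARANOID that this model leaves out.

```python
from typing import Dict, List, Tuple

# Constructed sample access files, in the "daemon_list : client_list" line shape tcpd reads.
HOSTS_ALLOW = """\
# /etc/hosts.allow (constructed example)
in.telnetd, in.rlogind : 130.194.225.     # any host on the internal network
in.ftpd : mirror.example.net              # one named external host
"""
HOSTS_DENY = """\
# /etc/hosts.deny (constructed example)
in.telnetd, in.rlogind, in.ftpd : ALL
"""

# Constructed DNS data for the double-reverse lookup: address -> name (PTR), name -> addresses (A).
REVERSE: Dict[str, str] = {"130.194.225.7": "ws7.internal.example",
                           "203.0.113.40": "mirror.example.net",
                           "203.0.113.9": "mirror.example.net"}   # forged PTR claiming to be the mirror
FORWARD: Dict[str, List[str]] = {"ws7.internal.example": ["130.194.225.7"],
                                 "mirror.example.net": ["203.0.113.40"]}

AUDIT_LOG: List[str] = []   # stands in for syslog in this model

Rule = Tuple[List[str], List[str]]


def parse_access_file(text: str) -> List[Rule]:
    """Each non-comment line: comma-separated daemons, ':', comma-separated client patterns."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern: str, host: str, addr: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):           # address prefix, e.g. "130.194.225."
        return addr.startswith(pattern)
    if pattern.startswith("."):         # domain suffix, e.g. ".example.net"
        return host.endswith(pattern)
    return pattern in (host, addr)      # exact host name or address


def double_reverse_lookup(addr: str) -> str:
    """PTR lookup of addr, then A lookup of that name; the name counts only if addr is among its addresses."""
    name = REVERSE.get(addr, "")
    return name if addr in FORWARD.get(name, []) else ""


def first_match(rules: List[Rule], daemon: str, host: str, addr: str) -> bool:
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, host, addr) for c in clients)
               for daemons, clients in rules)


def tcpd_decision(daemon: str, addr: str, allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> str:
    """'allow' or 'deny' for a (service, client) pair, logging the outcome the way tcpd does via syslog."""
    host = double_reverse_lookup(addr)     # "" when reverse and forward DNS disagree
    if first_match(parse_access_file(allow), daemon, host, addr):
        decision = "allow"                 # a match in hosts.allow wins
    elif first_match(parse_access_file(deny), daemon, host, addr):
        decision = "deny"
    else:
        decision = "allow"                 # no match in either file: the connection is allowed
    AUDIT_LOG.append(f"tcpd[{daemon}]: connect from {host or 'UNKNOWN'} ({addr}): {decision}")
    return decision


if __name__ == "__main__":
    for daemon, addr in [("in.telnetd", "130.194.225.7"), ("in.telnetd", "203.0.113.40"),
                         ("in.ftpd", "203.0.113.40"), ("in.ftpd", "203.0.113.9"),
                         ("in.fingerd", "203.0.113.9")]:
        tcpd_decision(daemon, addr)
    print("\n".join(AUDIT_LOG))
```

Two of the cases are worth reading closely. The ftp request from 203.0.113.9 carries a PTR record naming the trusted mirror, but the forward lookup of that name does not return 203.0.113.9, so the hostname is discarded and the deny rule applies. The finger request matches nothing in either file and is allowed, which is the default the "TCP Wrapper operation" slide states and the reason a deny-by-default line such as "ALL : ALL" in hosts.deny is the usual hardening step.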