ASCA & ALCS Curriculum
SOHO Network Management and Security - Security threats and measures
V1.1 17/05/2007

SOHO NETWORKING SECURITY THREATS and Measures

Contents

1 Introduction
2 The First Security Threat – Virus
    2.1 Introduction
    2.2 Replication Strategies
    2.3 Avoiding Detection (out of syllabus)
    2.4 Virus Example – CIH
    2.5 Solution – Anti-virus Software
3 The Second Security Threat – Worm
    3.1 Introduction
    3.2 Replication Strategies
    3.3 Worm Example – Mydoom
    3.4 Solution
4 The Third Security Threat – Trojan Horse
    4.1 Introduction
    4.2 Replication Strategies
    4.3 Trojan Horse Example – Sub7
    4.4 Solution
5 The Fourth Security Threat – Spyware
    5.1 Introduction
    5.2 Replication Strategies
    5.3 Spyware Example – Bonzi Buddy
    5.4 Solution – Anti-spyware programs
6 The Fifth Security Threat – Unauthorised Access
    6.1 Introduction
    6.2 Solution – Access and User Right Control
7 The Sixth Security Threat – Interception
    7.1 Introduction
    7.2 Sniffer Example – Ace Password Sniffer
    7.3 Solution – IPSec, VPN and WEP (technical details are out-of-syllabus)

Author's remarks

• Part of the materials in this set of handouts is adapted from Wikipedia and from Guide to Networking Essentials (2nd edition), published by Course Technology.
• This set of materials was developed by Chung, C.F. Jeffrey.

1 Introduction

In this reference, the common security threats to SOHO networks are introduced, together with some real examples of each. Suggestions for protecting systems from these threats, and for recovering data, are also given. A SOHO network administrator's main duties are to keep the network safe and to preserve the confidentiality, integrity and availability of the business's information and data. Security threats damage not only computer hardware but also the most important asset of a business: its business information and personal data. The resulting business loss can be huge.

2 The First Security Threat – Virus

2.1 Introduction

A computer virus is a type of program that can replicate itself by making (possibly modified) copies of itself. The main criterion for classifying a piece of executable code as a virus is that it spreads itself by means of "hosts". A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on removable media. Additionally, viruses can spread to other computers by infecting files on a network file system or on a file system that is accessed by another computer, such as the files on a file server. Viruses are sometimes confused with worms. A worm, however, can spread itself to other computers without needing to be transferred as part of a host.

A virus is a type of program created by programmers called "virus writers". Virus writers can have various reasons for creating and spreading viruses. Viruses have been written as research projects, as pranks, as vandalism, to attack the products of specific companies, to distribute political messages, and to obtain financial gain through identity theft or spyware. Some virus writers consider their creations to be works of art and see virus writing as a creative hobby. The damage caused by a virus therefore depends mainly on the virus writer's skill and intent. A virus can damage computer files and systems, steal information from you and even damage your computer hardware.

Viruses can infect different types of hosts. The most common targets are executable files that contain application software or parts of the operating system. Viruses have also infected the executable boot sectors of floppy disks, script files of application programs, and documents that can contain macro scripts. Additionally, viruses can infect files in ways other than simply inserting a copy of their code into the code of the host program. For example, a virus can overwrite its host with the virus code, or it can use a trick to ensure that the virus program is executed when the user wants to execute the (unmodified) host program. Viruses have existed for many different operating systems, including MS-DOS, Mac OS and even Linux; however, the vast majority of viruses affect Microsoft Windows.

2.2 Replication Strategies

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus's code may be executed first. Viruses can be divided into two types on the basis of their behaviour when they are executed.

Non-resident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or by the operating system itself.

Non-resident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file. Here is a sample of a virus's replication task:

1. Locate an unchecked executable file.
2. Check if the executable file has already been infected (if it is, return to the finder module of the virus).
3. Append the virus code to the executable file.
4. Save the executable's starting point.
5. Change the executable's starting point so that it points to the start location of the newly copied virus code.
6. Save the old start location to the virus in such a way that the virus branches to that location right after its execution.
7. Save the changes to the executable file.
8. Close the infected file.
9. Return to the finder so that it can find new files for the virus to infect.

Resident viruses contain a replication module that is similar to the one employed by non-resident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can be called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.
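The replication steps above rewrite an executable (code appended, starting point changed). The following added example, not code from the handout, shows the defender's side: a baseline of each file's SHA-256 hash plus a dictionary scan for a known byte pattern. The file names, the `TOYVIRUS-MARK` signature and the two modifications are constructed for the demonstration; the second modification keeps the file's size and modification time unchanged, which a size or date check misses but the hash catches.

```python
import hashlib
import os
import pathlib
import tempfile

# Constructed toy "virus dictionary": name -> byte pattern (signature).
SIGNATURES = {"Toy.Marker": b"TOYVIRUS-MARK"}


def sha256_file(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size, modification time and hash of every regular file under root."""
    baseline = {}
    for p in sorted(pathlib.Path(root).rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, sha256_file(p))
    return baseline


def check_against_baseline(baseline, root):
    """Return {file: set of attributes that differ from the baseline}."""
    changed = {}
    for name, (size, mtime, digest) in baseline.items():
        p = pathlib.Path(root) / name
        if not p.exists():
            changed[name] = {"missing"}
            continue
        st = p.stat()
        reasons = set()
        if st.st_size != size:
            reasons.add("size")
        if st.st_mtime_ns != mtime:
            reasons.add("mtime")
        if sha256_file(p) != digest:   # cannot be fooled by preserving size or date
            reasons.add("hash")
        if reasons:
            changed[name] = reasons
    return changed


def signature_hits(root):
    """Dictionary scan: report which known signatures occur in which files."""
    hits = {}
    for p in sorted(pathlib.Path(root).rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            found = [name for name, pattern in SIGNATURES.items() if pattern in data]
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits


def demo():
    """Baseline two constructed files, modify each differently, then re-check."""
    mark = SIGNATURES["Toy.Marker"]
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"APPLICATION CODE" + b"\x00" * 64)
        (root / "tool.exe").write_bytes(b"MZ" + b"\x00" * 200)   # plenty of unused space
        baseline = build_baseline(root)

        # Change 1: bytes appended at the end, so the size grows (step 3 above).
        with open(root / "app.exe", "ab") as f:
            f.write(mark)

        # Change 2: in-place overwrite of unused bytes, size identical,
        # modification time restored afterwards (the "cavity" style).
        tool = root / "tool.exe"
        st = tool.stat()
        data = bytearray(tool.read_bytes())
        data[10:10 + len(mark)] = mark
        tool.write_bytes(bytes(data))
        os.utime(tool, ns=(st.st_atime_ns, st.st_mtime_ns))

        return check_against_baseline(baseline, root), signature_hits(root)


if __name__ == "__main__":
    changes, hits = demo()
    for name, reasons in changes.items():
        print(f"{name}: changed ({', '.join(sorted(reasons))})")
    for name, names in hits.items():
        print(f"{name}: signature match {names}")
```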
2.3 Avoiding Detection (out of syllabus)

In order to avoid detection by users, some viruses employ different kinds of obfuscation. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however.

Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl virus, infects Portable Executable files. Because those files had many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.

Recent viruses avoid any kind of detection attempt by attempting to kill the tasks associated with the virus scanner before it can detect them. Here are some other methods of avoiding detection by users or by anti-virus programs:

1. Stealth – Some viruses try to trick anti-virus software by intercepting its requests to the operating system. The virus can then return an uninfected version of the file to the anti-virus software, so that the file seems to be "clean".
2. Self-modification – Most modern anti-virus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
3. Encryption with a variable key – A more advanced method is the use of simple encryption to encode the virus. In this case, a virus scanner cannot directly detect the virus using signatures. Fortunately, the virus scanner can still detect the decrypting module, which makes indirect detection of the virus possible.
4. Polymorphic code – Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection.
5. Metamorphic code – To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic.

2.4 Virus Example – CIH

CIH, also known as Chernobyl or Spacefiller, is a computer virus written by Chen Ing Hau of Taiwan. It is considered to be one of the most harmful widely circulated viruses, destroying all information on users' systems and in some cases overwriting the system BIOS. To accomplish this, it overwrites the first megabyte (1024 KB) of the hard drive with zeroes, beginning at sector 0. This often deletes the contents of the partition table and may cause the machine to hang. Then it will try to overwrite the Flash BIOS with junk as well.

2.5 Solution – Anti-virus Software

To protect our systems from viruses, we must install anti-virus software. Anti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. To accomplish this, anti-virus software typically uses two different techniques:

1. Examining (scanning) the contents of the computer's memory (its RAM and boot sector) and the files stored on fixed or removable drives (hard drives, floppy drives), to look for known viruses matching definitions (e.g. virus signatures) in a virus dictionary.
2. Identifying suspicious behaviour from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Some anti-virus software can also warn a user if a file is likely to contain a virus based on the file type; some anti-virus vendors also claim the effective use of other types of heuristic analysis. Some anti-virus programs are also able to scan opened files, in addition to sent and received e-mails, "on the fly" in a similar manner. This practice is known as "on-access scanning".

Anti-virus software does not change the underlying capability of host software to transmit viruses. There have been attempts to do this, but adoption of such anti-virus solutions can void the warranty for the host software. Users must therefore update their software regularly to patch security holes. Anti-virus software also needs to be updated regularly in order to gain knowledge about the latest threats and hoaxes. Examples of anti-virus software include Norton Antivirus, McAfee and Sophos.

3 The Second Security Threat – Worm

3.1 Introduction

A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm, however, is self-contained and does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found on many computers. In addition to replication, a worm may be designed to do a number of things, such as delete files on a host system or send documents via e-mail. More recent worms may be multi-headed and carry other executables as a payload. However, even in the absence of such a payload, a worm can cause havoc just with the network traffic generated by its reproduction. An advanced worm, for example Mydoom, can even cause a noticeable worldwide Internet slowdown at the peak of its spread.

3.2 Replication Strategies

To spread further, a worm often installs a backdoor on the infected computer, as Mydoom did. These zombie computers are used by spam senders for sending junk e-mail or to cloak their websites' addresses. Spammers (people who send "junk" e-mail messages) are thought to pay for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines; others try to blackmail companies with threatened denial-of-service (DoS) attacks. The backdoors can also be exploited by other worms, such as Doomjuice, which spreads using the backdoor opened by Mydoom.

3.3 Worm Example – Mydoom

Mydoom, also known as Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004, and as of January 2004 it was the fastest-spreading e-mail worm ever. Mydoom is primarily transmitted via e-mail, appearing as a transmission error, with subject lines including "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed" in different languages, including English and French. The mail contains an attachment that, if executed, resends the worm to e-mail addresses found in local files such as the user's address book. Mydoom also installs a backdoor on port 3127/tcp on the subverted PC to allow remote control by hackers, and establishes a denial-of-service attack against the website of the controversial company SCO Group, timed to commence on 1 February 2004.

3.4 Solution

Some commonly adopted measures to stop worms from spreading are as follows:

• Anti-virus software – Anti-virus software can effectively identify, thwart and eliminate computer worms. Please refer to the previous section for more information.
• Patch – Worms make use of bugs to spread. Operating systems such as Windows need to be patched regularly so that the latest bugs are fixed.
• Firewall – A firewall is a piece of hardware and/or software which functions in a networked environment to prevent communications forbidden by the security policy. A firewall is also called a packet filter, which means it does not allow packets to pass through unless they match the rules. The firewall administrator may define the rules, or default built-in rules may apply. A more permissive setup could allow any packet to pass the filter as long as it does not match one or more "negative rules", or "deny rules". Modern firewalls can filter traffic based on many packet attributes, like source IP address, source port, destination IP address or port, and destination service like WWW or FTP. They can filter based on protocols, domain name of the source, and many other attributes. Therefore, we can filter out all the network packets and traffic we do not want, including the network packets created by worms. Hence we can successfully block worms, Trojan horses, backdoors, unauthorised access and DoS attacks. Examples of firewalls are Norton Internet Security and ZoneAlarm.

4 The Third Security Threat – Trojan Horse

4.1 Introduction

A Trojan horse, also known as a Trojan, is a malicious program that is disguised as legitimate software. The term is derived from the classical myth of the Trojan horse. In the siege of Troy, the Greeks left a large wooden horse outside the city. The Trojans were convinced that it was a gift, and moved the horse to a place within the city walls. It turned out that the horse was hollow, containing Greek soldiers who opened the city gates of Troy at night, making it possible for the Greek army to pillage the city.
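The packet-filter rules described under Firewall in section 3.4, worked through as an added example (not code from the handout): rules match on protocol, source and destination address and port, the first matching rule wins, and the default policy decides anything unmatched. The addresses, the server and the rule set are constructed; the deny rule uses port 3127/tcp, the Mydoom backdoor port from section 3.3. The same packets are evaluated under a default-deny policy and under the more permissive default-allow-with-deny-rules setup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None means "any"
    src: Optional[str] = None        # CIDR network, e.g. "192.168.1.0/24"
    dst: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every attribute that is set in the rule must match the packet."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def decide(rules, pkt: Packet, default: str) -> str:
    """First matching rule wins; if nothing matches, the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set for a SOHO network 192.168.1.0/24 with one server at .10.
RULES = [
    Rule("allow", proto="tcp", dst="192.168.1.10/32", dst_port=80),   # WWW to the server
    Rule("allow", proto="tcp", dst="192.168.1.10/32", dst_port=21),   # FTP to the server
    Rule("deny", proto="tcp", dst_port=3127),                          # Mydoom backdoor port
]

# Constructed sample packets arriving from the Internet.
SAMPLES = {
    "web": Packet("tcp", "203.0.113.5", 51000, "192.168.1.10", 80),
    "backdoor": Packet("tcp", "203.0.113.5", 51001, "192.168.1.22", 3127),
    "unlisted": Packet("tcp", "203.0.113.5", 51002, "192.168.1.22", 4444),
}


def evaluate(default: str):
    """Decision for every sample packet under the given default policy."""
    return {name: decide(RULES, pkt, default) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for policy in ("deny", "allow"):
        print(f"default {policy}: {evaluate(policy)}")
```

Under default deny the unlisted port is blocked without any rule naming it; under the permissive setup only traffic that a deny rule names is stopped.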
Trojan horse programs work in a similar way: they may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed. Trojan horse programs cannot replicate themselves, in contrast to some other types of security threats, like viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program. Trojan horses often contain spying functions, such as a packet sniffer, or backdoor functions that allow a computer to be remotely controlled from the network by hackers without the owner's knowledge, creating a "zombie computer" and resulting in data loss, data theft and system damage. Its basic difference from a computer virus is that a Trojan horse is technically a normal computer program and does not possess the means to spread itself.

Originally, Trojan horses were not designed to spread themselves. They relied on fooling people into allowing the program to perform actions that they would otherwise not have voluntarily performed. Trojans of recent times also contain functions and strategies that enable their spreading. This moves them closer to the definition of computer viruses, and it becomes difficult to clearly classify such mixed programs as either Trojan horses or viruses.

4.2 Replication Strategies

As mentioned, Trojan horse programs cannot replicate themselves. So how can a computer become infected? Here are some examples:

• Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even when using a secure web browser, such as Mozilla's Firefox or Opera, if Java is enabled your computer has the potential of receiving a Trojan horse.
• Instant messaging: Many users get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such as MSN Messenger.
• E-mail: Attachments on e-mail messages may contain Trojans.

4.3 Trojan Horse Example – Sub7

Sub7, or SubSeven, is the name of a popular Trojan or backdoor program. It is mainly used by script kiddies for causing mischief, such as hiding the computer cursor, changing system settings or loading up pornographic websites. However, it can also be used for more serious criminal applications, such as stealing credit card details with a keystroke logger. Sub7 is usually stopped by anti-virus software and a firewall, and with popular operating systems providing these features built in, it may become less of a computer security problem.

In common with other backdoor programs, Sub7 is distributed with a server and a client. The server is the program that victims must be enticed to run in order to infect their machines, and the client is the program with a GUI that the cracker runs on his own machine to control the server. Sub7 allows crackers to set a password on the server, theoretically so that once a machine is owned, no other crackers can take control of it. However, the Sub7 server also has a master password, allowing anyone who knows the master password to take over the machine. In older versions, the master password is now known to be 14438136782715101980, but this does not work on the most recent version.

4.4 Solution

• Anti-virus software – Anti-virus software can effectively identify, thwart and eliminate Trojan horses.
• Firewall – A firewall can filter out all the network packets and traffic we do not want, including the network packets created by a Trojan horse. Hence we can successfully block worms, Trojan horses, backdoors, unauthorised access and DoS attacks.
• Precautions – Trojan horses can be protected against through end-user awareness. If a user does not open unusual attachments that arrive unexpectedly, any unopened Trojan horses will not affect the computer. This is true even if you know the sender or recognise the source's address. Even if one expects an attachment, scanning it with updated anti-virus software before opening it is prudent. Files downloaded from file-sharing services such as BT are particularly suspicious, because (P2P) file-sharing services are regularly used to spread Trojan horse programs.

5 The Fourth Security Threat – Spyware

5.1 Introduction

Spyware covers a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that secretly monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware, by design, exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information, including financial information such as credit card numbers; monitoring of web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.

5.2 Replication Strategies

As mentioned, spyware programs cannot replicate themselves. Instead, spyware gets onto a system through deception of the user or through exploitation of software vulnerabilities. The most direct route by which spyware can get onto a computer involves the user installing it. However, users are unlikely to install software if they know that it may disrupt their working environment and compromise their privacy. So many spyware programs deceive the user, either by piggybacking on a piece of desirable software, or by tricking the user into doing something that installs the software without realising it. For example, Bonzi Buddy, a spyware program targeted at children, claims that:

"He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE!"

Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program, such as a music program or a file-trading program, and installs it; the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable software with installers that add spyware.

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. The security features of the design of the Internet Explorer web browser militate against allowing websites to initiate an unwanted download. Instead, a user action, such as clicking on a link, must normally trigger a download. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading "Yes" and "No". No matter which "button" the user presses, a download starts, placing the spyware on the user's system.

5.3 Spyware Example – Bonzi Buddy

Figure 1. Bonzi Buddy's user interface.

Bonzi Buddy is an on-screen software agent from BONZI Software. It is a well-known example of spyware, with computer speed, privacy and ease of use all affected by installing the program. When someone installs Bonzi Buddy, his or her homepage gets set to www.bonzi.com. Bonzi Buddy can be installed automatically without the user's knowledge or consent via an ActiveX object in Internet Explorer. The user interface is a purple ape who swings across the screen. The ape tells jokes, reads facts, sings songs, checks the user's e-mail, and delivers voice advertisements. The interface used to be a green parrot; it was later changed to the ape. Children often install Bonzi Buddy, seeing the program as a fun toy instead of as an advertising program.

5.4 Solution – Anti-spyware programs

Many programmers and commercial firms have released products designed to remove or block spyware. Anti-spyware programs can combat spyware in two ways: real-time protection, which prevents spyware from being installed, and scanning and removal of spyware. Scanning and removal is usually simpler, and so many more programs have become available which do so. The program inspects the contents of the Windows registry, the operating system files, and installed programs, and removes files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Anti-spyware programs need to be updated regularly in order to gain knowledge about the latest spyware. An example of an anti-spyware program is Lavasoft's Ad-Aware.

6 The Fifth Security Threat – Unauthorised Access

6.1 Introduction

Through its authorization service, an operating system protects computer resources by only allowing resource consumers that have been granted authority to use them. Examples of resources are individual files or data items, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer programs and other devices on the computer. So why do we need authorization to access various sorts of resources? Simply put, we may not want expensive computer resources, such as colour laser printers, to be accessible to everyone. We do not want our intranet, which contains internal information, to be accessed by the public, and we do not want our students to be allowed to install software on the school network, etc.

6.2 Solution – Access and User Right Control

Access and user right control includes authentication, authorization and audit. These can be implemented through the use of biometric scans, metal locks, digital signatures, encryption, and monitoring (by humans and automated systems), etc.

Authorization may be implemented using role-based access control or access control lists. Role-Based Access Control (RBAC) is an approach to restricting system access to authorized users. Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff, or other system users, are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role(s), management of individual user rights becomes a matter of simply assigning the appropriate roles to the user (see Figure 2), which simplifies common operations such as adding a user or changing a user's department.

Figure 2. Example of role-based access control.

An access control list (ACL) is a list used to enforce privilege separation. It is a means of determining the appropriate access rights to a given object depending on certain aspects of the process that is making the request, principally the process's user identity. The list is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects, such as a program, a process, a file or a directory. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights to the object, such as reading from, writing to or executing the object. Figure 3 shows the access control list for a file ("bob.gif") in MS Windows.

Figure 3. Example of access control list.

The difference between ACLs and RBAC is that RBAC assigns permissions to specific operations with meaning in the organization, rather than to the low-level system objects used in traditional discretionary access control systems. The assignment of permission to perform a particular operation is meaningful, because the operations are fine-grained and themselves have meaning within the application.

Authentication concerns ways to ensure that users are who they say they are, and that whoever attempts to perform functions in a system is in fact the user who is authorized to do so.
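The authorization and audit parts of section 6.2, worked through in code as an added example (not from the handout): RBAC grants permissions only through roles, an ACL grants per-object rights to users and groups (the "bob.gif" object mirrors Figure 3), and every decision is written to an audit trail. All user names, roles, groups, operations and rights are constructed; the `change_department` helper is hypothetical and shows why RBAC makes that operation a matter of swapping roles.

```python
from datetime import datetime, timezone

# Constructed RBAC data: permissions are named operations with organizational meaning.
ROLE_PERMISSIONS = {
    "teacher": {"read_intranet", "print_colour"},
    "student": {"read_intranet"},
    "admin": {"read_intranet", "print_colour", "install_software"},
}
USER_ROLES = {
    "alice": {"teacher"},
    "bob": {"student"},
    "carol": {"admin"},
}

# Constructed ACL data: each object maps users or groups to low-level rights on it.
GROUPS = {"staff": {"alice", "carol"}}
ACLS = {
    "bob.gif": {"bob": {"read", "write"}, "staff": {"read"}},
}

AUDIT_TRAIL = []


def audit(user, action, target, granted):
    """Append one audit-trail record: who did what, on what, when, and the outcome."""
    AUDIT_TRAIL.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "target": target,
        "result": "granted" if granted else "denied",
    })


def rbac_permissions(user):
    """A user's permissions are the union of those of every role assigned to the user."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_check(user, operation):
    """RBAC decision: is the operation among the permissions the user's roles confer?"""
    granted = operation in rbac_permissions(user)
    audit(user, operation, "-", granted)
    return granted


def acl_check(user, obj, right):
    """ACL decision: an entry for the user, or for a group the user belongs to, suffices."""
    granted = False
    for principal, rights in ACLS.get(obj, {}).items():
        is_user = principal == user
        in_group = user in GROUPS.get(principal, set())
        if (is_user or in_group) and right in rights:
            granted = True
            break
    audit(user, right, obj, granted)
    return granted


def change_department(user, old_role, new_role):
    """Hypothetical helper: under RBAC a department move is just a role swap."""
    USER_ROLES[user].discard(old_role)
    USER_ROLES[user].add(new_role)


if __name__ == "__main__":
    print(rbac_check("bob", "install_software"))   # a student cannot install software
    print(rbac_check("carol", "install_software"))
    print(acl_check("alice", "bob.gif", "read"))    # granted via the "staff" group
    print(acl_check("alice", "bob.gif", "write"))
    change_department("bob", "student", "teacher")
    print(rbac_check("bob", "print_colour"))
    for record in AUDIT_TRAIL:
        print(record)
```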
If a computer system is supposed to be used only by authorized users, it must be able to detect and exclude any unauthorized usage. Access to the computer system is usually controlled by an authentication procedure that establishes, with some degree of confidence, the identity of the user, and then grants whatever privileges are authorized for that identity. To accomplish this, authentication methods such as user login, biometric scans and digital signatures must be implemented.

User login – users identify themselves to the system by logging in with their own login name and password, and possibly a biometric scan such as a fingerprint. Suitable authorization and permissions are then granted depending on their identity.

Digital signatures – a digital signature is a method for authenticating digital information, analogous to an ordinary physical signature on paper, but implemented using techniques from the field of public-key cryptography. A digital signature method generally defines two complementary algorithms, one for signing and the other for verification, and the output of the signing process is also called a digital signature. The public-key cryptosystems on which digital signatures are built allow anyone to identify themselves when sending a message, and the recipient checks the signature using the sender’s public key. A signature allows the recipient of a message to be confident that the sender is indeed who he or she claims to be. Suitable authorization and permissions are then granted depending on that identity.

The public-key cryptography on which digital signatures rely is a form of cryptography which generally allows users to communicate securely without having prior access to a shared secret key, by using a pair of cryptographic keys, designated as public key and private key, which are related mathematically. In public-key cryptography, the private key is generally kept secret, while the public key may be widely distributed.
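The sign/verify pair described above, as an added example that is not part of the original curriculum: textbook RSA with small constructed primes and no padding, signing a SHA-256 digest with the private exponent and checking it with the public one, so that an altered message, or a signature made under a different key, fails verification.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Textbook RSA: public key (n, e), private key (n, d) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)                    # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(message, n):
    """Hash the message and reduce the hash so it fits below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Signing: 'encrypt' the digest with the private exponent d."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message, signature, public_key):
    """Verification: 'decrypt' the signature with e and compare with the digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    # Constructed demo primes; real keys use primes hundreds of digits long.
    pub, priv = make_keypair(10007, 10009)
    msg = b"transfer 100 to account 42"
    sig = sign(msg, priv)
    print(verify(msg, sig, pub))                              # genuine: True
    print(verify(b"transfer 900 to account 42", sig, pub))    # altered: False
```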
In a sense, one key “locks” a lock, while the other is required to unlock it. It should not be possible to deduce the private key of a pair given the public key. The most obvious value of a public-key encryption system is confidentiality: a message which a sender encrypts using the recipient’s public key can only be decrypted by the recipient’s paired private key.

Public-key digital signature algorithms can be used for sender authentication. For instance, a user can encrypt a message with his own private key before sending it. If another user can successfully decrypt it using the corresponding public key, this provides assurance that the first user (and no other) sent it. These characteristics are useful for many other applications, like digital cash, password-authenticated key agreement, multi-party key agreement, etc.

Audit – an audit trail is a record of transactions or communications related to a single person, account or other entity (see Figure 4). It shows who has accessed a computer system and what operations he or she has performed during a given period of time. To keep an audit trail, we can make use of the audit function provided by the operating system or some audit software.

Figure 4. Example of audit trail.

7 The Sixth Security Threat – Interception

7.1 Introduction

Interception means that someone captures a network packet in the middle of the network while it is being transmitted. Whoever intercepts the packet can read it, delete it, or even edit the message in the packet (or the packet itself) and retransmit it. This is a serious threat to data security.

To accomplish interception, software programs or computer hardware called sniffers are used. They can intercept and log traffic passing over a computer network.
As data streams back and forth over the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the corresponding protocol specifications. Besides wired sniffers, there are also wireless sniffers. A wireless sniffer captures the packets sent from a computer through the computer’s wireless network card to an access point or another computer. It captures these packets as raw data together with the packet header information.

7.2 Sniffer Example – Ace Password Sniffer

Ace Password Sniffer is a password sniffer and password monitoring utility. It can listen on a LAN and capture the passwords of any network user. Currently Ace Password Sniffer can monitor and capture passwords sent through FTP, POP3, HTTP, SMTP and Telnet, etc. Figure 5 gives a snapshot of the software running.

Figure 5. Password sniffer.

7.3 Solution – IPSec, VPN and WEP (technical details are out of syllabus)

To avoid data being eavesdropped during transmission, data can be encrypted before transmission so that any intercepted data cannot be interpreted easily. For a wireless radio network such as IEEE 802.11g, we may use Wired Equivalent Privacy (WEP), one of the schemes that give a wireless network a certain degree of security. WEP was intended to provide confidentiality comparable to that of a traditional wired network, hence the name.

WEP is part of the IEEE 802.11 standard ratified in September 1999. WEP uses the stream cipher RC4 (see http://en.wikipedia.org/wiki/RC4_cipher for an introduction to RC4) for confidentiality and the CRC-32 checksum for integrity. Note that in 2001, research revealed that the RC4 encryption key could be discovered by analyzing a large number of messages encrypted with this key.
This in turn becomes a potential weakness in WEP. A more secure scheme for encrypting data transmitted over a radio network is Wi-Fi Protected Access (WPA and WPA2).

For a wired network, we can use IP security (IPSec). IPSec is a set of cryptographic protocols for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets. There are two IPSec components: Encapsulating Security Payload (ESP), which provides authentication, data confidentiality and message integrity, and Authentication Header (AH), which provides authentication and message integrity but does not offer confidentiality. Originally AH was used only for integrity and ESP only for encryption; authentication functionality was added to ESP subsequently.

To achieve additional security, we can use a Virtual Private Network (VPN). VPNs use tunnelling protocols to provide the necessary confidentiality (preventing snooping), sender authentication (preventing identity spoofing) and message integrity (preventing message alteration) to achieve the privacy intended. When properly chosen, implemented and used, such techniques can provide secure communications over unsecured networks. Because such choice, implementation and use are not trivial, there are insecure VPN schemes on the market. One secure VPN implementation uses the Layer 2 Tunnelling Protocol and IPSec together (L2TP/IPSec). So far, no one has been able to intercept the data packets transmitted over an L2TP/IPSec VPN connection.
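The WEP encapsulation described in 7.3, RC4 keyed with the IV prepended to the shared key for confidentiality and a CRC-32 integrity check value (ICV) appended to the payload, as an added example that is not code from the curriculum or from any 802.11 implementation; the 40-bit key and the payload are constructed. It shows what a sniffer sees on the air versus what a station holding the key recovers, and that a frame whose ICV does not match is discarded.

```python
import os
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                             # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(wep_key: bytes, payload: bytes, iv: bytes = None) -> bytes:
    """Frame body = IV(3 bytes, in clear) || RC4_{IV||key}(payload || CRC-32(payload))."""
    iv = iv if iv is not None else os.urandom(3)     # 24-bit IV chosen per frame
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    plaintext = payload + icv
    ks = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decapsulate(wep_key: bytes, frame: bytes):
    """Return the payload, or None when the recomputed CRC-32 does not match the ICV."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + wep_key, len(body))
    plaintext = bytes(c ^ k for c, k in zip(body, ks))
    payload, icv = plaintext[:-4], plaintext[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        return None                                  # integrity check failed
    return payload


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                # constructed 40-bit WEP key
    frame = wep_encapsulate(key, b"USER alice PASS s3cret")
    print(frame.hex())                               # what a sniffer captures
    print(wep_decapsulate(key, frame))               # what the keyed station recovers
```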