Computer Systems Security Security in Networks

1
Computer Systems SecuritySecurity in Networks

• Topic 1
• Pirooz Saeidi
• Source Pfleeger, Chapter 7

2
Security in Networks Agenda We will first
address

• The Basics of networks design, development and
  usage
• How networks differ from and are similar to
  stand-alone applications and environments
• Threats against networked applications,
  including
• Denial of service
• Web site defacements
• Malicious mobile code
• Protocol attack

3
Security in Networks AgendaWe will then look at

• Controls against attacks
• Physical security
• Policies procedures
• A range of technical errors
• Tools
• Firewalls Design, capabilities limitations
• Intrusion Detection Systems
• Secure e-mail

4
Terminology

• Single point of point of failure, fault tolerance
• Topology
• Media
• Analog/digital
• Protocols
• LAN/WAN
• Internet
• Distributed System
• APIs

5
Network Concepts

• Networks involve pieces and connections among
  them
• We can be vulnerable to single point of failure.
• Redundancy provides resilience or fault tolerance
  and prevents single failures

6
Environment of Use

• Parts of networks can be located in protected
  locations (LANs) but some parts can be exposed to
  total strangers (with different ownership or
  control).
• Networks can be described by several
  characteristics
• Anonymity, Automation, Distance, Opaqueness and
  Routing diversity

7
Environment of Use

• Anonymity
• Network removes clues such as appearance, voice..
• Automation
• Most intermediate points as well as end points
  may be machines with minimum human intervention.
• Distance
• human users can not usually say how far apart the
  sites are.

8
Environment of Use

• Opaqueness
• Location transparency
• Routing Diversity
• To improve reliability performance routing is
  usually dynamic. i.e. every time we may use a
  different path

9
Topologies Shape and Size

• Two extremes
• Two hosts connected by one path
• A very complex network, such as the Internet.
• These extremes highlight 3 aspects of networks
  that have strong influence on network security
• Boundary Distinguishes an element of network
  from an element outside it. But-
• listing all hosts connected to the Internet is
  impossible!
• Ownership difficult to know who owns which host
  in a network
• Control difficult to tell the control attributes
  of an arbitrary host in a network.

10
Media Types

• Cable
• UTP Low bandwidth(10 Mbs), signal degrades as it
  travels
• Coaxial (100Mbs) widely used on Ethernet. Can be
  amplified using repeaters.
• Optic Fibber up to 1000Mbs. A much better medium
  with less interference.
• Wireless Used for short distance (home/office
  networks)
• Microwave travel in straight line up to 30 miles

11
Media Types

• Infrared
• Short distance (up to 9 miles). Used by portable
  devices. It is a point-to-point signal so
  difficult to intercept. But subject to in the
  middle attacks in which the interceptor
  functions like a repeater.
• Satellite
• Placed in orbits.
• Naïve transponder everything it receives will be
  broadcast out again, over a long path (several
  hundred miles long-footprint).
• The smaller the footprint, the less risk of
  interception.

12
Protocols OSI Protocol Layer
SourcePfleegerPfleeger
13
Protocols TCP/IP
SourcePfleegerPfleeger
14
TCP/IP

• TCP/IP defined by protocols not layers. But can
  be thought of as a four layered structure.
• TCP implements a connected communications session
  on top of IP transport protocol.
• UDP is also an essential transport protocol.
• UDP is less reliable than TCP but it is a much
  faster and smaller protocol.

15
Example of Protocols
SourcePfleegerPfleeger
16
IP addresses

• 32-bit expressed as four 8-bit groups
• Also known by names (e.g. www.staffs.ac.uk),
  parsed from right to left.
• To resolve names the system performs lookups.
  Local hosts maintain a cache of domain name
  records.
• Later on we will notice that name resolution can
  be used in network attacks.

17
TCP/IP vs. ISO/OSI

• ISO/OSI Complex design, not very efficient
• TCP/IP More efficientOpen
• Results Internet uses TCP/IP But introduces
  security issues

18
Types of Networks

• LANs
• Small locally controlled and physically protected
• WANs
• Single control, covers large distance but
  physically exposed
• Internetworks (Internets)
• Many thousands of machines and millions of users
• Heterogeneous
• Physically and logically exposed.

19
Other aspects of Networks

• Distributed Systems
• Computation spread across two or more computers
  in one of the following forms
• Client server architecture based on request
  reply protocol
• Peer-to-peer system a collection of equals

20
Other aspects of Networks

• APIs (Application Programming Interfaces)
• Define interfaces to modules or systems. Examples
  are
• GSSAPI or Generic Security Services API
• Based on the notion that callers have credentials
  to establish contexts to invoke security services
  for implementing confidentiality or integrity.
• CAPI or Cryptographic API
• A Microsoft API for cryptographic services
• User can invoke cryptographic algorithms of
  different strengths
• CAPI is a routine that calls for generic
  services without specifying any particular
  algorithm

21
Threats in Networks

• Network vulnerabilities
• Who are the attackers
• Types of threats
• Precursors
• In transit
• Protocol flaws
• Impersonation
• Spoofing
• Message Confidentiality / Integrity threats
• Web Site Defacement
• Denial of Service (DOS)
• Distributed Denial of Service (DDOS)
• Active or Mobile Code Threats
• Complex Attacks

22
What makes a Network Vulnerable?

• A network differs from a stand-alone environment
  in the following ways
• Anonymity
• Many points of attacks
• Sharing
• Complexity of system
• Unknown perimeter
• Unknown path

23
What makes a Network Vulnerable?

• Anonymity
• The attacker can disguise its origin by passing
  through many other hosts which do not necessarily
  have a host to host authentication.
• Many points of attacks
• Not all hosts administrators enforce the same
  rigorous security policies
• Sharing
• Access controls for single systems may be
  inadequate.

24
What makes a Network Vulnerable?

• Complexity of system
• A network control or operating system is more
  complex than single one
• Ordinary desktops are getting very powerful
• Most users do not know what their computers are
  really doing at any moment.
• The attacker takes advantage of this and makes
  the victims computer to perform some of the
  computation.

25
What makes a Network Vulnerable?

• Unknown Perimeter
• One host may be shared between two networks.

• A user on a host in network D may be unaware of
• Potential connections from users of networks A
  and B.
• A host in the middle of A and B belongs also
• to A,B,C and E.
• These networks may have different security rules.
  
• So which rule is the for shared hosts?!

SourcePfleegerPfleeger
26
What makes a Network Vulnerable?

• Unknown Path
• Network users usually do not have control over
  the routing of their messages.
• All these network characteristics increase
  security risks.

SourcePfleegerPfleeger
27
Who Attacks Networks?

• Earlier we have seen that the three components of
  attack are method, opportunity, and motive.
• The motives are varied and can give an idea who
  might attack the network. Examples are
• Challenge
• Fame
• Money and Espionage
• Ideology Cyberterrorism and hactivism (hacking
  against network targets)

28
Who Attacks Networks?Threat Precursors

• Methods of attack are varied. The attacker begins
  perpetration by finding out as much as possible
  about the target. Popular methods are
• Port Scan
• Social Engineering
• Reconnaissance
• Operating system Application Fingerprinting
• Bulletin Boards Chats
• Open documentations

29
Who Attacks Networks?Threat Precursors

• Port Scan
• A program that reports for a given IP address,
  which ports respond to messages and which known
  vulnerabilities are present. It tells the
  attacker three things
• Which standard services (ports) are running and
  responding.
• What OS is installed
• What applications and which versions are present.
• Port scanning tools are commercially available.
• In your tutorial you may look at
• nmap scanner (www.insecure.org/nmap), or
• netcat at http//netcat.sourceforge.net/

30
Who Attacks Networks?Threat Precursors

• Social Engineering
• Port scan gives the outside view of the network.
  Social skills can be used to learn about the
  inside of networks.
• For example the attacker can impersonate someone
  in high position. Humans like to help if asked
  politely!

31
Who Attacks Networks?Threat Precursors

• Reconnaissance
• Is a general term for collecting information
• After finding out what is open (port scan) and
  learning about internal details (SE) the attacker
  wants to know more details.
• Methods vary from dumpster diving (looking at
  rubbish at discarded items) to eavesdropping.

32
Who Attacks Networks?Threat Precursors

• Operating System Application Fingerprinting
• Obtain OS and application specific information.
  Some Port scan software can achieve this. For
  more information see
• www.insecure.org/nmap/nmap-fingerprinting-article.
  html
• Sometimes the application identifies itself.
  Ports such as 80(HTTP), 25(SMTP), 110(POP), and
  21 (FTP) may respond to clients with a message
  like
• Server Netscape-Commerce/1.15
• Your browser sent a non-HTTP compliant message
• This reply tells the attacker which application
  and version are running.

33
Who Attacks Networks?Threat Precursors

• Bulletin Boards and chat rooms support exchange
  of information (also between malicious hackers!).
• During the 18 month FBI sting operation (1999)
  a team led by W. Swallow befriended the
  attackers in chat rooms and gathered critical
  evidence on several attackers including 17 year
  old Mafiaboy who pled guilty to 58 charges
  related to denial of service attacks against
  Amazon.com, eBay and Yahoo.

34
Threats in Transit

• Eavesdropping
• Packet Sniffing
• Wiretapping
• Microwaves
• Satellites
• Fiber
• Wireless

35
Threats in Transit Eavesdropping and Wiretapping

• Eavesdropping overhearing without putting extra
  effort. E.g. monitoring all traffic passing
  through a node.
• Wiretapping intercepting communication with some
  effort. E.g. by injecting something into
  communication.
• Wiretapping works differently depending on
  communication medium used.

36
Threats in Transit- Cable

• A device called packet sniffer can retrieve all
  packets on a LAN.
• Attackers can also tap wires by a process called
  inductance to read radiated signals.
• Data on a WAN can be heavily multiplexed and more
  than 1 signal can be carried at a given time.
  More difficult for wiretappings.

37
Threats in Transit- Optical Fiber

• Difficult to tap
• However data may be available more easily at
  places such as repeaters, splices or connections
  from computing equipment to the fibre.

38
Threats in Transit- Wireless

• Signals can be picked up easily from several
  miles
• Interception through active or passive
  wiretapping.
• Encryption is not always used for wireless
  communication and those built in wireless devices
  are not strong.
• The encryption standard is Wired Equivalent
  Privacy (WEP).

39
Threats in Transit- Wireless

• WEP is a stream cipher using a 40- or 104-bit
  key.
• Surveys reveal that WEP has been disabled in 85
  of installations due to difficulty in
  configuration and encryption management.
• Design of encryption makes it easy to crack WEP
  cipher

40
Threats in Transit- Wireless

• The second threat is the possibility of rouge use
  of a connection.
• With DHCP (Dynamic Host Control Protocol) a
  client negotiates a one-time IP address and
  connectivity with the host.
• These IP addresses are shared among users.
• Authentication of hosts here is a major problem
  and most networks that do not authenticate may
  lead to Theft of Service.

41
Wiretapping Summary

• Wiretap vulnerabilities
• Source PfleegerPfleeger

42
Threats- Protocol Flaws

• TCP connections are established through sequence
  numbers.
• Client sends a sequence number to open
  connection.
• Sever responds with the servers sequence number
  .
• If someone guesses a clients next sequence
  number then he/she could impersonate the client
  in an interchange.
• Sequence numbers are incremented regularly so
  they are easy to predict!

43
Threats- Impersonationtaking advantage of
vulnerabilities

• Guessing (default passwords GUST, ADMIN, etc)
• Stealing authentication when they are passed and
  exposed in a network.
• Wiretapping
• Eavesdropping
• Avoid authentication when a flaw can be exploited
  (e.g. password buffer overflow)
• Nonexistent authentication (e.g. anonymous or
  guest password)
• Well-Known authentication (e.g. SNMP uses a
  community string password- a group name to which
  multiple users belong)
• Trusted authentication
• Delegation of identification to other trusted
  sources
• Unix .rhosts, .login, and etc/hosts/equiv
  indicate hosts or users that are trusted to other
  hosts
• MSN Passport

44
Threats Spoofing

• When attacker falsely carries on one end of
  network interchange. Examples are
• Masquerade
• One host pretends to be another-
• URL confusion, domain name confusion
• Session hijacking
• Intercepting and carrying on a session by another
  entity. e.g. hijacking a remote telnet session
  that was initiated by system administrator.
• Man-in-the Middle attack

45
Man-in-the Middle attack

• As seen in tutorials the perpetrator intercepts
  requests to the key server and then asks for your
  partners public key. He/she then passes his/her
  own key to you.
• He/she intercepts, decrypts, reads and
  re-encrypts using that public key.

SourcePfleegerPfleeger
46
Threats- Message Confidentialitycan be
compromised by

• Misdelivery
• Human errors in destination names
• Exposure
• In temporary buffers, routers , etc
• Traffic Flow Analysis
• The high volume traffic between two nodes may
  infer speculations (politics, price fixing, etc.)
• Both content and header information must be
  protected.

47
Threats Website Defacement

• Downloaded web site code (HTTP) enable attacker
  to get the blueprints to a website
• The common web site vulnerabilities are
• Buffer overflow
• Dot-dot problems
• Application code errors
• Server-side include problems

48
Website Defacement-Buffer Overflow

• The attacker feeds a program far more data that
  it expects to receive.
• Buffer size exceeds and the excess data spill
  over neighbouring code and data locations.

49
Website Defacement- Dot-Dot and Address Problems

• .. is predecessor and ../.. is grandparent
  of current location.
• Someone entering file names can travel back up
  the directory one .. at a time.
• Server may return private files if certain URLs
  are passed to it.

50
Dot-Dot and Address Problems(Example)

• Passing the following URL causes the server to
  return requested file autoexec.nt, enabling
  attacker to modify or delete it.

http//URL/null.htw?CiWebHitsFile /../../../..wi
nnt/system32/ autoexec.nt
SourcePfleegerPfleeger
51
Website Defacement- Application Code Errors

• Server passes context strings to the client (e.g.
  price of an online purchase),
• making the users browser reply with the full
  context.
• Client (attacker) can modify this string (e.g.
  reduce the price)

52
Website Defacement- Server side Include (SSI)

• Web pages can be organized to invoke a certain
  function automatically
• SSI is an HTTP comment that directs the web
  server to dynamically generate data for the web
  page.
• Attacker can remotely execute commands to change
  permissions, etc.
• Example the SSI command exec
• lt!-exec cmd/usr/bin/telnet -gt will open a
  Telnet session from the server running in the
  name of the server.

53
Threats- Denial of Service (DOS)- Availability
Attacks

• So far we addressed confidentiality or integrity
  problems.
• Availability attacks are often called Denial of
  Service and are significant in networks. DOS
  takes many forms such as
• Transmission Failure
• Connection Flooding
• Syn Flood
• Traffic Redirection
• DNS Attacks

54
DOS Connection Flooding

• Send as much data as connection can handle.
• More complex attacks can exploit Internet
  protocol ICMP or Internet Control Message
  Protocols.
• ICMP protocols normally are used for system
  diagnostics and include
• ping, tests reachability
• echo, requires destination to return data sent
• destination unreachable, indicates a destination
  address can not be accessed
• source quench, when the destination is getting
  saturated it requests the sender to decrease the
  traffic rate of messages to a router or host and
  source may suspend sending packets for a while.

55
Connection Flooding Echo-Chargen example

• Chargen is a protocol that generates a stream of
  packets and is used to test network capacity.
• Attacker sets up a chargen process on host A that
  generates packets as echo packets with a
  destination of host B.
• Host B replies by echoing them back to host A.
• These interactions between A and B can be put
  into endless loops on both sides.
• The attacker can make B both the source and
  destination address of the first packet
  resulting in B hanging in a loop constantly
  creating and replying to its own messages!

56
Connection Flooding Ping of Death example

• Attacker sends a flood of pings to the intended
  victim.
• Attacks are limited by smallest bandwidth on the
  attack route
• The attacker needs to be on higher bandwidth
  connection.
• The ping packets will saturate the victims
  bandwidth.

57
Connection FloodingSmurf example

• Smurf attack is a variation of ping attack
• The attacker chooses a network of unwitting
  victims
• Attacker broadcasts echo request to network with
  victims return address.
• Victim is saturated with echo replies.

58
Connection FloodingSmurf example

• Smurf Attack

Source PfleegerPfleeger
59
DOSSyn Flood Attack

• Sessions in TCP protocols use three-way TCP
  handshake.
• Each TCP packet has flag bits such as SYN and
  ACK bits.

SourcePfleegerPfleeger
60
Syn Flood Attack

• The destination maintains a SYN_RECV queue to
  track those items a SYN-ACK has been sent but no
  corresponding ACK has yet been received.
• The attacker can deny service to the target by
  sending many SYN requests and never responding
  with ACK, resulting overflow in the SYN_RECV
  queue.

61
Traffic redirection

• Compromised router may advertise the best path
  to every other address in the network.
• All traffic redirected to it, flooding it,
  disrupting communication.

62
DNS Attacks

• Overtaking a name server
• Causing it to cache spurious entries and
• redirecting the routing of any traffic to result
  in denial of service.

63
Distributed Denial of Service(DDoS)

• Attack takes place in these steps
• Attacker chooses a convenient attack (e.g.
  exploiting buffer overflow, e-mail attachment,..)
  to plant a a trojan horse on a target machine.
• The attacker repeats this process with many
  targets which will then become what is known as a
  zombie.
• At some point the attacker choose a victim and
  sends a signal to all zombies launch an attack.

64
Distributed Denial of Service(DDoS)

• Now the victim, instead of trying to defend
  against one DoS must try to counter n attacks
  from n zombies at once.
• Zombies can use different attacks. e,.g syn
  flood, smurf

Source FleegerPfleeger)
65
Threats to Active or Mobile Code

• Code can be pushed to client for execution.
• A cookie is a data object (not code) that can
  store clients details such as IP address,
  connection details and provides context to
  servers.
• Most of the time the client can not tell what
  does a cookie contain.
• Attackers (impersonating as a server) can
  intercept and retrieve cookies.