Modern Computer Networks: An Open Source Approach
Chapter 7: Network Security
Slides: speed.cis.nctu.edu.tw/~ydlin/course/cn/mcn_slide/1-in-1/ch7.pdf


Content

7.1 Issues
7.2 Data Security
7.3 Firewall
7.4 Intrusion Detection System
Pitfalls and misleading
Further readings
Exercises


7.2 Data Security

Cryptography
Digital Signature
Application Layer Security
Network Layer Security


Cryptography

Secret Key Algorithm
Public Key Algorithm


Secret Key Algorithm

Symmetric key: the encryption key and the decryption key are the same key, so it must be kept secret by both parties
Basic elements
  P-BOX: transposition (permutation) cipher; it only reorders bits
  S-BOX: substitution cipher; it replaces each input value by another value (the figure builds a 3-bit S-box from a 3-to-8 decoder, a wiring permutation, and an 8-to-3 encoder)
Product cipher: alternating stages of P-boxes and S-boxes (P1..P4 interleaved with S1..S12 in the figure), so that every output bit depends on many input bits

[Figure: P-BOX, S-BOX (decoder 3 to 8, permutation, encoder 8 to 3), and a product cipher built from P1 P2 P3 P4 interleaved with S1..S12]


Data Encryption Standard (DES)

Originally developed by IBM
Adopted by the US government in Jan. 1977
Encrypts in blocks of 64 bits with a 56-bit key
Can be viewed as a monoalphabetic substitution cipher on 64-bit "characters": under a fixed key the same input block always produces the same output block (which is why plain ECB use leaks patterns and chaining modes are preferred)
Algorithm
  Initial transposition (IP)
  16 iterations (rounds), each using a 48-bit subkey derived from the 56-bit key
  32-bit swap of the two halves
  Inverse transposition (IP^-1)


Encryption Procedure of DES

Input T = t1 t2 ... t64 (64 bits)
   |
Initial transposition IP  ->  T0 = L0 R0 (64 bits)
   |
16 iterations; round i uses the 48-bit subkey Ki:
   Li = Ri-1
   Ri = Li-1 ⊕ f(Ri-1, Ki)
   |
IP^-1 (inverse transposition, after the final 32-bit swap)
   |
Output (64 bits)

Key selection: from the key (64 bits on the wire, 56 bits effective) derive the 16 subkeys K1, ..., K16 of 48 bits each.
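The product-cipher and DES slides above describe the structure without runnable code. What follows is an added example, not code from the slides or from the book: a toy 16-bit Feistel cipher in Python whose round function is a small S-box/P-box product cipher. The S-box, P-box and key schedule are made-up illustration values (not the DES tables), and the cipher is far too small to be secure. It exists to show that Li = Ri-1, Ri = Li-1 ⊕ f(Ri-1, Ki) plus the final swap makes decryption the same network run with the round keys in reverse order, and that an encrypt-decrypt-encrypt triple application with three equal keys collapses to a single encryption (the 3DES compatibility property relevant to the next slide).

```python
# Added example (not from the lecture slides): a toy 16-bit Feistel cipher
# with a DES-like structure.
#   - the round function f is a tiny product cipher: S-box substitution on
#     nibbles followed by a P-box bit permutation;
#   - L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i) for 16 rounds;
#   - decryption is the same network with the round keys in reverse order;
#   - triple application in E-D-E order collapses to single encryption
#     when all three keys are equal (the 3DES compatibility property).
# S-box, P-box and key schedule are illustration values, NOT the DES tables.
# Block size 16 bits, key 16 bits: this is not a secure cipher.

ROUNDS = 16
# 4-bit S-box (a permutation of 0..15), applied to each nibble of an 8-bit half.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# P-box: output bit i is taken from input bit PBOX[i] (8-bit half).
PBOX = [1, 5, 2, 0, 3, 7, 4, 6]


def sbox_layer(x: int) -> int:
    """Substitute both nibbles of an 8-bit value (the S-BOX element)."""
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


def pbox_layer(x: int) -> int:
    """Permute the 8 bits of x (the P-BOX element)."""
    out = 0
    for i, src in enumerate(PBOX):
        out |= ((x >> src) & 1) << i
    return out


def f(r: int, k: int) -> int:
    """Round function: key mixing, then the S-box/P-box product cipher."""
    return pbox_layer(sbox_layer(r ^ k))


def key_schedule(key: int) -> list:
    """Derive 16 8-bit round keys from a 16-bit key by rotating and folding
    (toy schedule, not the DES key-selection tables)."""
    keys = []
    for i in range(ROUNDS):
        rot = ((key << i) | (key >> (16 - i))) & 0xFFFF   # rotate left by i
        keys.append(((rot >> 8) ^ rot ^ i) & 0xFF)
    return keys


def feistel(block: int, round_keys: list) -> int:
    """Run the Feistel network over a 16-bit block with the given key order."""
    l, r = block >> 8, block & 0xFF
    for k in round_keys:
        l, r = r, l ^ f(r, k)      # L_i = R_{i-1}; R_i = L_{i-1} XOR f(R_{i-1}, K_i)
    return (r << 8) | l            # final swap, as in DES before IP^-1


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    # Same network, round keys reversed; the final swap is what makes this work.
    return feistel(block, key_schedule(key)[::-1])


def encrypt3(block: int, k1: int, k2: int, k3: int) -> int:
    """Triple application in encrypt-decrypt-encrypt (EDE) order."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def decrypt3(block: int, k1: int, k2: int, k3: int) -> int:
    return decrypt(encrypt(decrypt(block, k3), k2), k1)


if __name__ == "__main__":
    key, pt = 0x3A5C, 0x1234
    ct = encrypt(pt, key)
    print(f"pt={pt:04x} ct={ct:04x} dec={decrypt(ct, key):04x}")
    # Same block under the same key -> same ciphertext (the ECB property).
    assert encrypt(pt, key) == ct
    # EDE with one key is just single encryption.
    assert encrypt3(pt, key, key, key) == ct
```

The key point to take from the block is structural: the round function f need not be invertible at all (here it is a lossy-looking S/P network with key mixing), because the Feistel XOR and the reversed key order undo each round regardless.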


Breaking DES

The DES key is 56 bits (US export rules of the time limited key sizes for international use, while 128-bit ciphers stayed within the USA)
A 56-bit key can be broken by exhaustive search
  Within 4 hours by supercomputers (1994)
  In about 22 hours by a network of volunteers plus a special-purpose computer that was built for less than $250,000 (1999)
  "Chinese Lottery": a massively parallel search spread over a huge number of cheap devices
Solution: run DES a couple of times with different keys?
  Double DES gains almost nothing, because a meet-in-the-middle attack breaks it with about the effort of single DES, so the answer is the Triple DES algorithm (three DES operations, giving 112-bit effective security)


Public Key Algorithm

First proposed by W. Diffie and M. E. Hellman
Asymmetric keys: encryption (public) key ≠ decryption (private) key
The encryption algorithm E and the decryption algorithm D should meet the following requirements
  D(E(P)) = P
  It is difficult to deduce D from E
  E cannot be broken by a chosen-plaintext attack


RSA Algorithm

Proposed by Rivest, Shamir, and Adleman at MIT in 1978
RSA
  Choose two large primes, p and q (> 10^100)
  Compute n = p*q and z = (p-1)*(q-1)
  Choose a number relatively prime to z and call it d
  Find e such that e*d = 1 (mod z)
Plaintext P, 0 ≤ P < n (a 664-bit block, since n ~ 10^200)
  encryption key = (n, e), decryption key = (n, d)
  C = P^e mod n
  P = C^d mod n
Based on the difficulty of factoring large numbers

Why does RSA work?

Prove that (P^e mod n)^d mod n = P

  (P^e mod n)^d mod n
    = P^(e*d) mod n
    = P^(e*d mod (p-1)(q-1)) mod n      since e*d = 1 mod z with z = (p-1)(q-1), i.e. e*d = k*z + 1,
                                         and P^z = 1 mod n (Euler's theorem, for gcd(P, n) = 1)
    = P^1 mod n
    = P

(The identity also holds for the rare P with gcd(P, n) ≠ 1, by checking it modulo p and modulo q separately and combining with the Chinese remainder theorem.)


Authentication

Authentication
Digital Signature
Message Digest


Authentication (cont.)

What's Authentication? A unique digital ID: proof of who originated a message
Applications
  E-transactions via networks
  E-elections via networks
  Privacy Enhanced Mail (PEM)


Digital Signature

3 Requirements
  Authentication: the receiver can verify the claimed identity of the sender
  Non-repudiation: the sender cannot later repudiate the contents of the message
  Integrity: the receiver cannot possibly have concocted the message itself (and nobody can alter it undetected)
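The RSA slides and the three signature requirements above can be exercised together. The following is an added example, not code from the slides or the book: textbook RSA in Python using the slide's notation (p, q, n, z, e, d) on deliberately small primes so the arithmetic can be followed by hand, plus an RSA signature over a message digest. Signing with d and verifying with e gives authentication and non-repudiation (only the holder of d could have produced the value), and hashing the message before signing gives integrity. The primes, messages and the use of SHA-256 are this example's choices; real deployments use about 2048-bit n, randomised padding (OAEP for encryption, PSS for signatures) and a vetted library.

```python
# Added example (not from the slides): textbook RSA with the slide's
# notation on small primes, plus RSA signing of a message digest.
import hashlib
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd != 1")
    return x % m


def rsa_keygen(p: int, q: int, d: int):
    """Slide recipe: n = p*q, z = (p-1)(q-1), d coprime to z, e*d = 1 mod z.
    Returns ((n, e), (n, d)) = (public key, private key)."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = modinv(d, z)
    assert (e * d) % z == 1
    return (n, e), (n, d)


def rsa_encrypt(pub, P: int) -> int:
    n, e = pub
    if not 0 <= P < n:
        raise ValueError("plaintext block must satisfy 0 <= P < n")
    return pow(P, e, n)            # C = P^e mod n


def rsa_decrypt(priv, C: int) -> int:
    n, d = priv
    return pow(C, d, n)            # P = C^d mod n


def digest_int(msg: bytes, n: int) -> int:
    """Message digest reduced into the RSA block range (toy; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(priv, msg: bytes) -> int:
    """Signature = digest^d mod n: only the holder of d can produce it."""
    n, d = priv
    return pow(digest_int(msg, n), d, n)


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    """Anyone holding (n, e) checks sig^e mod n == digest(msg)."""
    n, e = pub
    return pow(sig, e, n) == digest_int(msg, n)


def identity_holds(p: int, q: int, d: int) -> bool:
    """Check (P^e mod n)^d mod n == P for every block P in 0..n-1, including
    the P that share a factor with n (Euler's theorem alone covers
    gcd(P, n) = 1; the CRT argument extends it to all P)."""
    pub, priv = rsa_keygen(p, q, d)
    n = pub[0]
    return all(rsa_decrypt(priv, rsa_encrypt(pub, P)) == P for P in range(n))


if __name__ == "__main__":
    pub, priv = rsa_keygen(p=61, q=53, d=2753)   # toy primes: n = 3233, z = 3120, e = 17
    print("public key", pub, "private key", priv)
    C = rsa_encrypt(pub, 65)
    print("C =", C, "-> P =", rsa_decrypt(priv, C))
    sig = rsa_sign(priv, b"pay 100 to Bob")
    print("valid:", rsa_verify(pub, b"pay 100 to Bob", sig),
          "tampered:", rsa_verify(pub, b"pay 900 to Bob", sig))
    print("identity holds for all P (p=11, q=13):", identity_holds(11, 13, 7))
```

Note that encryption and signing use the same modular exponentiation with the roles of e and d swapped; in practice separate key pairs are used for the two purposes, and a message is never signed "raw" but only through its padded digest.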


Authentication without Encryption

Authentication only, without message encryption, e.g. a message broadcast from an authorized source
Solution
  Message Digest (MD): use a secure (one-way) hash function H to compute a fixed-size tag H(M||S_AB), called a message digest, for the message M concatenated with a shared secret value S_AB
  This is a secret-key "digital signature" (a message authentication code): because both parties know S_AB it provides authentication and integrity, but not non-repudiation


MD5 message-digest algorithm

Specified in RFC 1321, developed by Ron Rivest in 1992
Pads an arbitrary-length message to a multiple of 512 bits, then produces a 128-bit message digest
Every bit of the hash code is a function of every bit of the input
Rivest's conjecture
  The difficulty of coming up with two messages having the same message digest is on the order of 2^64 operations
  The difficulty of finding a message with a given digest is on the order of 2^128 operations
  (The collision half of this conjecture no longer holds: practical MD5 collisions have since been demonstrated, so MD5 must not be used where collision resistance matters, such as signatures over certificates.)
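The two slides above describe the H(M||S_AB) tag and the MD5 digest size. The following is an added example, not code from the slides or the book: Python that computes the slide's tag construction with MD5, places it next to the HMAC construction (RFC 2104) that replaced bare H(M||S) in practice, verifies a tag the way a receiver would, and measures how many tag bits flip when one message bit changes. The shared secret and broadcast message are constructed for the example.

```python
# Added example (not from the slides): message-digest tags with a shared
# secret, the slide's H(M || S_AB) next to HMAC, with constant-time checking.
import hashlib
import hmac

S_AB = b"constructed-shared-secret-between-A-and-B"   # constructed for the example


def digest_tag(msg: bytes, secret: bytes = S_AB, algo: str = "md5") -> bytes:
    """Slide construction: fixed-size tag H(M || S_AB)."""
    return hashlib.new(algo, msg + secret).digest()


def hmac_tag(msg: bytes, secret: bytes = S_AB, algo: str = "md5") -> bytes:
    """HMAC (RFC 2104): H((K ^ opad) || H((K ^ ipad) || M)). Preferred over a
    bare H(M || S): its security does not rest on collision resistance of H
    alone, and the nested structure blocks length-extension tricks."""
    return hmac.new(secret, msg, algo).digest()


def verify(msg: bytes, tag: bytes, tagger=hmac_tag) -> bool:
    """Receiver recomputes the tag with the same secret. compare_digest runs
    in constant time so response timing does not leak how many bytes matched."""
    return hmac.compare_digest(tagger(msg), tag)


def tag_bits(algo: str) -> int:
    """Digest length in bits (128 for MD5, as the slide says)."""
    return hashlib.new(algo).digest_size * 8


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two tags of equal length."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    m = b"BROADCAST: all units switch to channel 7"
    t = hmac_tag(m)
    print("MD5 tag bits:", tag_bits("md5"), "tag:", t.hex())
    print("genuine:", verify(m, t), " tampered:", verify(m.replace(b"7", b"9"), t))
    flipped = m[:-1] + bytes([m[-1] ^ 1])
    print("bits changed by a one-bit flip in M:", hamming(t, hmac_tag(flipped)), "of 128")
```

The message travels in the clear with the tag appended; anyone can read it, but only a holder of S_AB can produce a tag that verifies. To retire MD5 without changing the protocol, pass algo="sha256" to hmac_tag and tag_bits.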


Application Layer Security

Secure Socket Layer (SSL)
Secure Electronic Transaction (SET)


Secure Socket Layer (SSL)

Why SSL? It provides an encryption layer between the Application and TCP layers

[Figure: protocol stack Application / SSL / TCP / IP]


What's SSL?
RFC 2246: Transport Layer Security (TLS) protocol, the IETF standard that succeeded SSL 3.0
Originally developed by Netscape in 1994
Encrypts data with various algorithms
  DES, Triple DES, RSA, digital signatures
SSL contents
  SSL server authentication
  SSL client authentication (optional)
  Encrypted SSL session


SSL Handshake

Client                                           Server
  |--- ClientHello ------------------------------->|
  |<-- ServerHello --------------------------------|
  |<-- Server Certificate -------------------------|
  |<-- Request Client Certificate -----------------|
  |--- Client Certificate ------------------------>|
  |--- ClientKeyExchange (RSA) ------------------->|   pre-master secret encrypted under the server's public key
  |--- CertificateVerify (digital signature) ----->|   proves possession of the client's private key
  |--- ChangeCipherSpec -------------------------->|
  |--- Finished ---------------------------------->|   (the server replies with its own ChangeCipherSpec and Finished)
  |<== Encrypted data stream (e.g. DES) ==========>|


Secure Electronic Transaction (SET)

Why SET? SSL only secures the communication data between client and server
Problems with SSL
  Server: illegal use of the client's credit card (the merchant learns the card number)
  Client: sends an unauthorized credit card (the merchant cannot verify it)
SET is a security mechanism for e-transactions via networks
  The same procedure as a traditional card transaction, but carried out over the network


What's SET?
Developed by VISA, MasterCard, IBM, Microsoft, and HP in 1996
Members
  Cardholder
  Merchant
  Issuer (credit card bank)
  Acquirer (bank)
  Certificate Authority (CA)
Two types of payment
  E-wallet
  Credit card


SET Mechanism
Confidentiality
  Data protected with DES and RSA
Authentication
  Digital signature with RSA
  Cardholder, merchant, and bank
Integrity
  Digital envelope to exchange the DES key: the DES key is encrypted with the receiver's RSA public key
Non-repudiation
  Digital signature with RSA


SET Operation

[Figure: SET operation. Cardholder (with E-wallet) <-> Internet <-> Merchant (Merchant Server) <-> Internet <-> Payment Gateway <-> Acquirer (Bank) <-> Issuer / Credit Card Bank; the CA is reachable over the Internet by the parties. The message flow is numbered 1 to 12 in the figure; the slide gives no text for the individual steps.]

Network Layer Security

IP Security (IPSec)
Virtual Private Network (VPN)


IPSec

Why IPSec? To provide interoperable, high-quality, cryptographically-based security for IPv4 and IPv6 communication
Security services
  Access control
  Integrity
  Authentication
  Confidentiality


Components for IPSec

Traffic security
  Authentication Header (AH)
    Integrity
    Authentication
  Encapsulating Security Payload (ESP)
    Confidentiality (and, optionally, integrity and authentication)
Key management and distribution
  Simple Key-management for IP (SKIP)
  Internet Key Exchange (IKE)


Key Concept: Security Association

A one-way relationship between a sender and a receiver
  For a two-way secure exchange, two security associations are required
Uniquely identified by a destination IP address and an SPI (together with the protocol, AH or ESP)
  SPI: security parameter index, carried in the AH or ESP header so the receiver can find the SA
Parameters
  Authentication algorithm, mode, key(s)
  Encryption algorithm, mode, transform, key(s)
  Lifetime of the keys and of the security association
  Security level, source IP, ...


Authentication

RFC 1828 specifies the use of keyed MD5 for authentication
The MD5 algorithm is performed over the IP packet plus a secret key (with mutable header fields such as TTL and checksum zeroed), and the result is inserted into the IP packet in the Authentication Header
At the destination, the same calculation is performed on the IP packet plus the secret key and compared to the received value
Provides both authentication and data integrity
(Keyed MD5 as in RFC 1828 was later replaced by HMAC-based integrity algorithms, e.g. HMAC-MD5-96 in RFC 2403 and HMAC-SHA-1-96 in RFC 2404.)


Authentication (cont.)

Two ways in which the IP authentication service can be used
  End-to-end: both end hosts compute and verify the AH
  End-to-intermediate: the AH is verified by a router/firewall at the border of the intranet, so only the path across the Internet is protected

[Figure: end-to-end authentication between two hosts across the Internet, and end-to-intermediate authentication between a host and a router/firewall in front of an intranet]

Authentication (cont.)

Original AH format (RFC 1826):
  0           8            16                   31
  | Next Header | Length    | Reserved             |
  | Security Parameters Index (SPI)                |
  | Authentication Data (variable)                 |

Current AH format (RFC 2402), with a sequence number for anti-replay:
  0           8            16                   31
  | Next Header | Payload Len | Reserved           |
  | Security Parameters Index (SPI)                |
  | Sequence Number Field                          |
  | Authentication Data (variable)                 |

Length: length of the Authentication Data field in 32-bit words (in RFC 2402 the field is Payload Len, the length of the whole AH in 32-bit words minus 2)
Security Parameters Index: identifies a security association
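The two header layouts above are small enough to parse by hand, and the Sequence Number field only matters once the receiver keeps state per SA. The following is an added example, not code from the slides or the book: Python that parses both AH layouts from constructed bytes, looks the SA up by SPI, and applies a 64-entry sliding anti-replay window of the kind RFC 2402 describes. The packets, SPI table and the 12-byte ICV are constructed for the example; ICV verification itself (the keyed hash from the previous slides) is out of scope here.

```python
# Added example (not from the slides): parse both Authentication Header
# layouts and apply an anti-replay window keyed by SPI.
import struct


def parse_ah_rfc1826(buf: bytes) -> dict:
    """Original AH: Next Header(8) | Length(8) | Reserved(16) | SPI(32) | Auth Data.
    Length = Authentication Data length in 32-bit words."""
    nxt, length, _reserved, spi = struct.unpack("!BBHI", buf[:8])
    icv = buf[8:8 + 4 * length]
    if len(icv) != 4 * length:
        raise ValueError("truncated authentication data")
    return {"next_header": nxt, "spi": spi, "icv": icv, "total_len": 8 + 4 * length}


def parse_ah_rfc2402(buf: bytes) -> dict:
    """Current AH adds a Sequence Number; Payload Len = AH length in 32-bit
    words minus 2 (so a 12-byte ICV gives Payload Len 4)."""
    nxt, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:12])
    total = 4 * (payload_len + 2)
    if len(buf) < total:
        raise ValueError("truncated authentication data")
    return {"next_header": nxt, "spi": spi, "seq": seq,
            "icv": buf[12:total], "total_len": total}


class ReplayWindow:
    """Sliding window over received sequence numbers for one inbound SA."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0   # top = highest seq seen

    def check_and_update(self, seq: int) -> bool:
        """True if seq is fresh (and record it); False for a replay or a
        number older than the window. Sequence number 0 is never valid."""
        if seq == 0:
            return False
        if seq > self.top:                       # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                    # older than the window: drop
            return False
        if self.bitmap & (1 << diff):            # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Construct an RFC 2402 AH for the samples (ICV padded to 32-bit words)."""
    icv = icv + b"\0" * (-len(icv) % 4)
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def process_inbound(packets: list, sa_table: dict) -> list:
    """For each AH (RFC 2402) packet, look up the SA by SPI and apply the
    replay window; returns a list of (seq, verdict) tuples."""
    verdicts = []
    for pkt in packets:
        ah = parse_ah_rfc2402(pkt)
        sa = sa_table.get(ah["spi"])
        if sa is None:
            verdicts.append((ah["seq"], "no SA for SPI"))
            continue
        ok = sa["window"].check_and_update(ah["seq"])
        verdicts.append((ah["seq"], "accept" if ok else "replay/old"))
    return verdicts


if __name__ == "__main__":
    sa_table = {0x1234: {"window": ReplayWindow()}}        # constructed SA table
    icv = bytes(range(12))                                  # constructed 96-bit ICV
    stream = [build_ah(6, 0x1234, s, icv) for s in (1, 2, 3, 2, 70, 3, 5, 80)]
    for seq, verdict in process_inbound(stream, sa_table):
        print(seq, verdict)
```

In a real implementation the window is only advanced after the ICV verifies, otherwise an attacker could spray forged packets with high sequence numbers to push genuine traffic out of the window; the order here (SPI lookup, then replay check, then ICV check, then window update) is the one RFC 2402 prescribes.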


Encapsulating Security Payload

Provides support for privacy (confidentiality) and data integrity for IP packets
Two modes
  Transport-mode ESP encrypts a transport-layer segment
  Tunnel-mode ESP encrypts an entire IP packet
ESP Header
  SPI (and, in RFC 2406, a sequence number)
  Parameters dependent on the encryption algorithm (e.g. an IV)


Transport-Mode ESP

Encrypts the data carried by IP
The ESP header is inserted into the IP packet immediately before the transport-layer header (or the Destination Options header, if one is present)
Susceptible to traffic analysis of the transmitted packets: the IP header with the real source and destination stays in the clear
End-to-end transport

  | IP Header | Ext. Header | ESP Header | Transport layer segment |
  |<-------------- unencrypted ----------->|<------ encrypted ----->|


Tunnel-Mode ESP

Encrypts an entire IP packet, including its original header
Counters the traffic analysis problem: the inner addresses are hidden, only the tunnel endpoints are visible
  The source sends the encrypted IP packet to its firewall
  That firewall sends it to the destination firewall
  The destination firewall decrypts and forwards it to the destination

  | IP Header | Ext. Header | ESP Header | IP header + Transport layer segment |
  |<-------------- unencrypted ----------->|<------------- encrypted ---------->|
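The difference between the two ESP modes is easiest to see by building both packets from the same inner packet and then looking at them as an on-path observer would. The following is an added example, not code from the slides or the book: Python that encapsulates a constructed inner packet in transport and in tunnel mode, with the RFC 2406 trailer layout (padding, pad length, next header) and an ESP header of SPI plus sequence number, and decapsulates them again. The "IP header" is a minimal constructed (src, dst, proto) triple rather than a real IPv4 header, and the cipher is a toy SHA-256 counter-mode keystream standing in for an ESP transform; the addresses and key are constructed.

```python
# Added example (not from the slides): ESP transport mode versus tunnel mode
# over a constructed inner packet, showing what stays visible on the path.
import hashlib
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_IPIP = 6, 50, 4


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Constructed 9-byte stand-in for an IP header: src(4) | dst(4) | proto(1)."""
    return (bytes(int(o) for o in src.split(".")) +
            bytes(int(o) for o in dst.split(".")) + bytes([proto]))


def parse_ip_header(pkt: bytes):
    src = ".".join(str(b) for b in pkt[:4])
    dst = ".".join(str(b) for b in pkt[4:8])
    return src, dst, pkt[8], pkt[9:]


def keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Not an ESP transform."""
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + struct.pack("!QQ", nonce, ctr)).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def esp_encapsulate(inner: bytes, key: bytes, spi: int, seq: int, mode: str,
                    gw_src: str = None, gw_dst: str = None) -> bytes:
    """Transport mode keeps the inner IP header in the clear and encrypts the
    segment; tunnel mode encrypts the whole inner packet behind a new outer
    header addressed gateway-to-gateway."""
    src, dst, proto, payload = parse_ip_header(inner)
    if mode == "transport":
        plain, next_hdr, outer = payload, proto, ip_header(src, dst, IPPROTO_ESP)
    elif mode == "tunnel":
        plain, next_hdr, outer = inner, IPPROTO_IPIP, ip_header(gw_src, gw_dst, IPPROTO_ESP)
    else:
        raise ValueError(mode)
    pad_len = (-(len(plain) + 2)) % 4                    # align trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp_hdr = struct.pack("!II", spi, seq)
    return outer + esp_hdr + keystream_xor(key, seq, plain + trailer)


def esp_decapsulate(pkt: bytes, key: bytes) -> bytes:
    """Return the original inner packet (transport mode rebuilds its header)."""
    src, dst, proto, rest = parse_ip_header(pkt)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", rest[:8])
    plain = keystream_xor(key, seq, rest[8:])
    pad_len, next_hdr = plain[-2], plain[-1]
    body = plain[:-2 - pad_len]
    if next_hdr == IPPROTO_IPIP:
        return body                                      # tunnel: inner packet whole
    return ip_header(src, dst, next_hdr) + body          # transport: reattach header


def observer_view(pkt: bytes) -> dict:
    """What an on-path observer reads without the key: outer addresses,
    protocol, SPI, sequence number and the ciphertext size."""
    src, dst, proto, rest = parse_ip_header(pkt)
    spi, seq = struct.unpack("!II", rest[:8])
    return {"src": src, "dst": dst, "proto": proto, "spi": spi, "seq": seq,
            "ciphertext_len": len(rest) - 8}


if __name__ == "__main__":
    key = b"constructed-demo-key"
    inner = ip_header("10.0.0.5", "10.0.1.7", IPPROTO_TCP) + b"GET / HTTP/1.0\r\n"
    t = esp_encapsulate(inner, key, 0x100, 1, "transport")
    u = esp_encapsulate(inner, key, 0x200, 1, "tunnel", "203.0.113.1", "198.51.100.1")
    print("transport:", observer_view(t))   # inner hosts 10.0.0.5 -> 10.0.1.7 exposed
    print("tunnel:   ", observer_view(u))   # only the two gateways are visible
    assert esp_decapsulate(t, key) == inner and esp_decapsulate(u, key) == inner
```

Even in tunnel mode the observer still learns packet sizes and timing, and the SPI lets it group packets belonging to one SA; hiding those requires padding and cover traffic, not a different ESP mode.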


Authentication Plus Privacy

Encryption before authentication (an AH is added outside the ESP)
  Transport-mode ESP: authentication applies to the entire IP packet delivered to the ultimate destination
  Tunnel-mode ESP: authentication applies to the entire IP packet delivered to the firewall

  | IP Header | Auth. Header | ESP Header | Transport layer segment | E-T |
                |<-------------- scope of authentication --------------->|
  (the AH also covers the immutable fields of the IP header)

E-T: Encapsulating Security Payload trailing fields

Authentication Plus Privacy (cont.)

Authentication before encryption (the AH is placed inside the ESP)
  Only appropriate for tunnel-mode ESP
  Authentication before encryption is considered better here
    The AH is protected by ESP: an attacker cannot even see the authentication data
    It is more convenient to perform authentication on the unencrypted data and then protect everything by encryption

  | IP-H | ESP-H | A-H | IP-H | Transport layer segment | E-T |
                 |<----- scope of authentication ------>|
                 |<----------- encrypted by ESP -------------->|


Key management

SKIP (Simple Key-management for IP)
  Proposed by Sun Microsystems
  Applies the Diffie-Hellman key exchange algorithm to agree on a shared secret key
  For security, each party's Diffie-Hellman public value is authenticated by a Certificate Authority (CA); an unauthenticated exchange is open to a man-in-the-middle who substitutes his own values
  Needs Public Key Infrastructure (PKI) support
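The slide states that SKIP uses Diffie-Hellman and that the public values must be CA-authenticated, without showing why. The following is an added example, not code from the slides or the book: a Diffie-Hellman exchange in Python run between two parties, the same exchange with an active attacker substituting public values (each honest side then shares a key with the attacker and cannot tell from the values alone), and a CA check that rejects the substituted value. The group (p = 2^127 - 1, g = 5) is a toy choice for illustration rather than a standardised group, and the CA "certificate" is an HMAC under a CA-held secret standing in for a real CA signature so the block stays self-contained.

```python
# Added example (not from the slides): Diffie-Hellman, the man-in-the-middle
# against unauthenticated public values, and a CA check that stops it.
import hashlib
import hmac
import secrets

# Toy group: p = 2^127 - 1 (a Mersenne prime), generator 5. Real deployments
# use a standardised group (e.g. the RFC 3526 MODP groups); these values are
# for illustration only and give no real security margin.
P = 2 ** 127 - 1
G = 5


class Party:
    """One Diffie-Hellman participant: keeps x secret, publishes g^x mod p."""

    def __init__(self, name: str):
        self.name = name
        self.private = secrets.randbelow(P - 2) + 1      # x in [1, p-2]
        self.public = pow(G, self.private, P)            # sent in the clear

    def shared_key(self, peer_public: int) -> bytes:
        """K = peer_public^x mod p, hashed down to a 256-bit symmetric key."""
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate public value rejected")
        k = pow(peer_public, self.private, P)
        return hashlib.sha256(k.to_bytes(16, "big")).digest()


def honest_exchange(a: Party, b: Party):
    """Without interference both sides compute the same key."""
    return a.shared_key(b.public), b.shared_key(a.public)


def mitm_exchange(a: Party, b: Party, mallory: Party):
    """Mallory swaps her own public value in for each side's: A and B each
    end up sharing a key with Mallory and cannot tell from the values alone."""
    key_a = a.shared_key(mallory.public)      # A believes this came from B
    key_b = b.shared_key(mallory.public)      # B believes this came from A
    return key_a, key_b, mallory.shared_key(a.public), mallory.shared_key(b.public)


def certify(party: Party, ca_secret: bytes) -> tuple:
    """Stand-in for the CA's certificate over (name, public value). A real CA
    signs with its private key; an HMAC under a CA-held secret is used here
    so the example stays self-contained."""
    body = party.name.encode() + b"|" + party.public.to_bytes(16, "big")
    return party.name, party.public, hmac.new(ca_secret, body, "sha256").digest()


def verify_certificate(cert: tuple, ca_secret: bytes) -> bool:
    """Reject any (name, public value) binding the CA did not issue."""
    name, public, tag = cert
    body = name.encode() + b"|" + public.to_bytes(16, "big")
    return hmac.compare_digest(hmac.new(ca_secret, body, "sha256").digest(), tag)


if __name__ == "__main__":
    ca_secret = b"constructed-CA-secret"
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    ka, kb = honest_exchange(alice, bob)
    print("honest: keys match ->", ka == kb)
    key_a, key_b, key_ma, key_mb = mitm_exchange(alice, bob, mallory)
    print("MITM: A-B agree?", key_a == key_b, "; A-Mallory agree?", key_a == key_ma)
    cert_alice = certify(alice, ca_secret)
    forged = (cert_alice[0], mallory.public, cert_alice[2])
    print("genuine cert ok:", verify_certificate(cert_alice, ca_secret),
          "forged cert ok:", verify_certificate(forged, ca_secret))
```

The degenerate-value check in shared_key matters in practice too: accepting a peer value of 0, 1 or p-1 forces the shared secret into a trivial set, which is a second way an active attacker can win without touching the CA.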


Key management (cont.)

ISAKMP/Oakley (IKE)
  Oakley defines the key exchange itself (how the keying material is derived)
  ISAKMP defines the framework for negotiating and distributing the keys (payloads, phases)
Two phases
  Phase 1: ISAKMP SA establishment
    The two ISAKMP peers establish a secure, authenticated channel with which to communicate
    Unlike an IPSec SA, the ISAKMP SA is bidirectional
  Phase 2: use the ISAKMP SA to negotiate the AH or ESP SAs


Virtual Private Network (VPN)

Why VPN? Enterprises need a private data network
  Leased lines
    X.25, Frame Relay, and ATM
    Custom-made service
  Disadvantages of leased lines
    Complex configuration
    High cost of network access equipment


VPN

What is a VPN? Private network communication built on a public network
How to implement a VPN
  Tunneling
  Encryption & decryption
  Key management
  Authentication


Tunneling

Layer 2 tunneling
  Extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices
  Saves the long-distance toll charge: uses the Internet to transmit PPP frames
  Supports multiple protocols (IP, IPX, NetBEUI, AppleTalk) by taking advantage of PPP
  PPTP
  L2TP
Layer 3 tunneling
  IPSec


PPTP

Microsoft-proposed protocol
PPP frames are encapsulated in IP packets (using GRE)
Tunnel modes
  Client-initiated: the client creates the PPTP connection to the remote PPTP server directly
  ISP-initiated: the client creates a PPP session with the ISP's access server, and the access server builds the tunnel to the remote PPTP server
Multiplexing
  Call ID


L2TP

Combines Cisco's proposed L2F and PPTP
Message types
  Control messages
    Establishment, maintenance, and clearing of tunnels and calls
    Transmitted on a reliable control channel
  Data messages
    Encapsulate the PPP frames being carried over the tunnel
    Transmitted on an unreliable data channel
Multiplexing
  Call ID


Other issues

Encryption and decryption
  Previously described
Key management
  Described in the IPsec section
Authentication
  User authentication
    Password, ID card
    PAP, CHAP in PPP
  Equipment authentication
    X.509 certificate
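PAP and CHAP are named above as the PPP user-authentication options without saying how they differ on the wire. The following is an added example, not code from the slides or the book: Python showing a PAP request (the password itself crosses the link) next to CHAP (RFC 1994), where the peer returns MD5(Identifier || secret || Challenge) so the secret never crosses the link and a captured response cannot be replayed against a fresh challenge. The peer database, identifiers and challenges are constructed for the example.

```python
# Added example (not from the slides): PAP versus CHAP over PPP.
import hashlib
import hmac
import secrets


def pap_request(peer_id: str, password: str) -> dict:
    """PAP Authenticate-Request: the password itself travels over the link."""
    return {"peer_id": peer_id, "password": password}


def pap_check(req: dict, db: dict) -> bool:
    stored = db.get(req["peer_id"])
    return stored is not None and hmac.compare_digest(stored.encode(), req["password"].encode())


def chap_challenge() -> bytes:
    """The authenticator's fresh random Challenge value."""
    return secrets.token_bytes(16)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_verify(identifier: int, peer_name: str, challenge: bytes,
                response: bytes, db: dict) -> bool:
    """Authenticator recomputes the expected response from its copy of the secret."""
    secret = db.get(peer_name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def replay_demo(db: dict) -> dict:
    """A sniffer records one CHAP response and replays it against a later
    challenge: it is rejected, because the response is bound to the challenge."""
    ident, ch1 = 1, chap_challenge()
    captured = chap_response(ident, db["alice"], ch1)
    first = chap_verify(ident, "alice", ch1, captured, db)
    ch2 = chap_challenge()
    replayed = chap_verify(ident + 1, "alice", ch2, captured, db)
    return {"first": first, "replay": replayed}


if __name__ == "__main__":
    db = {"alice": "correct horse battery staple"}   # constructed peer secrets
    print("PAP ok:", pap_check(pap_request("alice", db["alice"]), db))
    ch = chap_challenge()
    print("CHAP ok:", chap_verify(3, "alice", ch, chap_response(3, db["alice"], ch), db))
    print("replay:", replay_demo(db))
```

CHAP still has two costs worth knowing: the authenticator must store the secret in cleartext (it has to recompute the hash), and an eavesdropper holding one (challenge, response) pair can run an offline dictionary attack on weak secrets. Equipment authentication with X.509 certificates, the next item on the slide, avoids shared secrets altogether.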


VPN types

Virtual Leased Line (VLL)
  Simplest type of VPN
Virtual Private Routed Network (VPRN)
  Works at the network layer
Virtual Private Dial Network (VPDN)
Virtual Private LAN Segment (VPLS)
  Works at the link layer


Virtual Leased Line (VLL)

Two CPE devices are connected by a point-to-point link
  Each CPE connects to an ISP node via a link-layer connection
  IP tunnels are set up between the ISP nodes
Link-layer types
  ATM VCC
  Frame Relay circuit
To the customer, it looks as if a single ATM VCC or Frame Relay circuit were used to interconnect the CPE devices


VLL example

[Figure: CPE (10.2.3.5) --Frame Relay circuit-- ISP edge node ==IP tunnel across the IP backbone== ISP edge node --Frame Relay circuit-- CPE (10.2.3.6); the two CPEs share the subnet 10.2.3.4/30]


Virtual Private Routed Network (VPRN)

Packet forwarding is carried out at the network layer
A VPRN consists of
  A mesh of IP tunnels between ISP routers
  The routing capabilities needed to forward traffic between sites
  A VPRN-specific forwarding table located at each ISP router
Benefit
  Minimum complexity and configuration of CPE routers
  The heavy work is done by the ISP edge routers
Disadvantage
  Poor scalability
  A full-mesh topology is not appropriate when there is a large number of ISP routers


VPRN example

[Figure: three ISP edge routers joined by a full mesh of IP tunnels across the IP backbone (tunnel links 10.11.11.1/30, 10.11.11.4/30, 10.11.11.7/30); CPE routers attach over stub links 10.5.5.0/30, 10.6.6.0/30, 10.7.7.0/30 and 10.8.8.0/30; a backdoor link joins two CPE routers directly]

Virtual Private Routed Network (VPRN)

A backup link is used in case of failure of the primary link
A backdoor link refers to a link between two customer sites that does not traverse the ISP network


Virtual Private Dial Network (VPDN)

A remote user connects through an ad hoc tunnel into another site
The user is connected to a public IP network via a dial-up PSTN or ISDN link
L2TP allows the extension of the user's PPP session from an L2TP Access Concentrator (LAC) to a remote L2TP Network Server (LNS)


Tunneling mechanisms

Compulsory tunneling
  The LAC extends a PPP session across the backbone using L2TP to a remote LNS
  The dial/network access server acts as the LAC; the host is unaware of the tunnel
Voluntary tunneling
  An individual host connects to a remote site using a tunnel originating on the host itself, with no involvement from intermediate network nodes


Compulsory tunneling example

[Figure: HOST --dial connection-- NAS (LAC) ==L2TP tunnel across the IP backbone== GW (LNS) -- Corp. Network; the PPP session runs end to end from the host (10.2.3.5) to the LNS (10.2.3.6)]

Voluntary tunneling example

[Figure: HOST (LAC, 10.2.3.5) --dial connection-- NAS -- IP backbone -- GW (LNS, 10.2.3.6) -- Corp. Network; the tunnel originates on the host: either an L2TP tunnel carrying the PPP session, or an IPSec tunnel]


Virtual Private LAN Segment (VPLS)

Emulation of a LAN segment using Internet facilities
Difference from VPRN
  Each VPLS edge node implements link-layer bridging rather than network-layer forwarding


VPLS example

[Figure: three ISP edge nodes (10.5.5.1/24, 10.5.5.2/24, 10.5.5.3/24) joined by IP tunnels across the IP backbone, each with a CPE attached over a stub link; all sites share the one emulated LAN subnet 10.5.5.0/24]

Open Source Implementation

FreeS/WAN
Main components
  KLIPS (KerneL IP Security)
    Kernel IPsec
    Works as a module in the Linux kernel
    Implements AH, ESP, and packet handling within the kernel
  Pluto
    IKE daemon
    Implements IKE, negotiating connections with other systems
  Administrator interface


Main flowchart of Frees/Wan/

START

init_module()

ipsec init()ipsec_init()

cleanup_module()

Chapter 7: Network Security Modern Computer Networks 58

Flowchart of ipsec_init(), Part I

[Flowchart:
    ipsec_tdbinit()
    ipsec_radijinit()
    pfkey_init()
    register_netdevice_notifier()
    ESP?     YES -> inet_add_protocol(&esp_protocol)
    AH?      YES -> inet_add_protocol(&ah_protocol)
    IPCOMP?  YES -> inet_add_protocol(&comp_protocol)
A NO answer at any of the three decisions skips that registration.]

Flowchart of ipsec_init(), Part II

[Flowchart:
    ipsec_tunnel_init_device()
    SYSCTL?  YES -> ipsec_sysctl_register()
             NO  -> RETURN]

Function description

- ipsec_tdbinit( ): Initialize the tunnel description block. The TDB records information about a communication: source IP, destination IP, error message, current status, ...
- ipsec_radijinit( ): Initialize a radix tree structure for the IPSec routing table
- pfkey_init( ): Key distribution and management for the two communication endpoints

Function description

- register_netdevice_notifier( ): Register ipsec as a virtual network interface
  - Should be mapped to a physical interface
- inet_add_protocol( ): Register a protocol handler with the inet layer, depending on the options given by the administrator
- ipsec_rcv( ): Protocol handler
- ipsec_tunnel_init_device( ): Used to define the operations of ipsec devices
- ipsec_sysctl_register( ): Used if a sysctl command is received

Flowchart of Pluto

[Flowchart: START -> initialization -> wait for event -> timer event? YES -> invoke timer handler; NO -> invoke packet handler; either way back to wait for event.]

7.3 Firewall

- Introduction
- Network layer: packet filter
- Application layer: TIS (Trusted Information System)

Introduction of Firewall

- A system or group of systems that enforces an access control policy between two networks
- Redirects requests to the actual server
- Hides intranet servers from the Internet
- Access logs, invasion detection and alarms

What can a firewall protect against?

- Protect against unauthenticated interactive logins from the "outside" world
- Record and monitor the status of the protected network
  - Suspicious data access
  - Monitor abnormal instructions in the protected network
- Intrusion detection
- Against network-borne attacks

Firewall categories

- Network layer firewall
- Application layer firewall

Network layer firewall

- Works on the network layer of the OSI model
- Packet filter
  - Based on the header of the IP packet and rules defined by the administrator
  - Fields checked: Protocol ID, Source IP address, Destination IP address, Source TCP/UDP port, Destination TCP/UDP port

Screened Host Firewall

[Figure: Internet -- IP filtering router -- Bastion Host -- Private Network; the router's "allow" path leads to the bastion host, its "disallow" path to the rest of the private network.]

Screened host firewall

- Bastion host
  - An exposed gateway machine
  - A highly defended and secured strong point that can resist attack
- Router operation
  - Traffic from the Internet to the bastion host is permitted
  - All traffic from inside to the Internet is rejected unless it comes from the bastion host
- Advantage
  - Simple router filtering rules
- Disadvantage
  - Packets can go inside directly
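To make the router operation above concrete, this added example (not code from the slides) encodes the screened host router rules as a first-match packet filter over the five header fields a network layer firewall checks, with netfilter-style verdicts; the addresses (private network 10.1.0.0/16, bastion 10.1.0.2) and the router's accept-by-default policy are assumptions, and the default-deny variant shows how the "packets can go inside directly" disadvantage is closed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Verdicts, named after the netfilter actions listed later in the chapter.
NF_ACCEPT = "NF_ACCEPT"
NF_DROP = "NF_DROP"


@dataclass(frozen=True)
class Packet:
    """The five IP/transport header fields a network layer firewall checks."""
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filtering rule; a None field matches anything ("any")."""
    proto: Optional[str]
    src: Optional[str]    # CIDR network or None
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    verdict: str


def _in_net(spec: Optional[str], addr: str) -> bool:
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.proto is None or rule.proto == pkt.proto)
        and _in_net(rule.src, pkt.src)
        and _in_net(rule.dst, pkt.dst)
        and (rule.sport is None or rule.sport == pkt.sport)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def filter_packet(rules, pkt: Packet, policy: str) -> str:
    """First matching rule wins; 'policy' is the verdict when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.verdict
    return policy


# Constructed addressing for the screened host topology (an assumption, not
# from the slides): private network 10.1.0.0/16, bastion host 10.1.0.2.
PRIVATE_NET = "10.1.0.0/16"
BASTION = "10.1.0.2/32"

# The router rules as the slide states them: Internet -> bastion is
# permitted, inside -> Internet is rejected unless it comes from the bastion.
SCREENED_HOST_RULES = [
    Rule(None, BASTION, None, None, None, NF_ACCEPT),      # bastion may go anywhere
    Rule(None, None, BASTION, None, None, NF_ACCEPT),      # Internet -> bastion host
    Rule(None, PRIVATE_NET, None, None, None, NF_DROP),    # other inside hosts -> Internet
]


def screened_host_verdict(pkt: Packet, default_deny: bool = False) -> str:
    """With an accept-by-default router (assumed here), a packet from the Internet
    addressed to an inside host matches no rule and goes inside directly, which is
    the disadvantage the slide names; a default-deny policy closes that gap."""
    policy = NF_DROP if default_deny else NF_ACCEPT
    return filter_packet(SCREENED_HOST_RULES, pkt, policy)


if __name__ == "__main__":
    samples = {
        "Internet -> bastion (ssh)": Packet("tcp", "198.51.100.7", "10.1.0.2", 40000, 22),
        "inside host -> Internet":   Packet("tcp", "10.1.5.9", "198.51.100.7", 40001, 80),
        "bastion -> Internet":       Packet("tcp", "10.1.0.2", "198.51.100.7", 40002, 80),
        "Internet -> inside host":   Packet("tcp", "198.51.100.7", "10.1.5.9", 40003, 445),
    }
    for name, pkt in samples.items():
        print(f"{name:28} default-accept: {screened_host_verdict(pkt):10} "
              f"default-deny: {screened_host_verdict(pkt, True)}")
```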

Screened subnet Firewall

[Figure: Internet -- IP filtering router -- DMZ containing the Bastion Host -- IP filtering router -- Private Network.]

Screened subnet firewall

- DMZ (demilitarized zone)
  - An area between the inside firewall and the outside firewall
  - The inside firewall is the router located in the private network; the outside firewall is the Internet access router
  - Hosts in the private network are protected by two or more firewalls
- Create the private network and the DMZ with two routers
- Advantage
  - No site in the private network is exposed to the Internet
  - The router closest to the private network has better routing performance than the bastion host

Application layer firewall

- Works on the application layer of the OSI model
- Proxy server

Dual-Homed gateway

[Figure: Internet -- Dual-Homed Gateway (IP routing and forwarding disabled) -- Private Network.]

Dual-Homed gateway

- A highly secured host that runs proxy software
- Blocks all IP traffic between the two networks
- Routing and forwarding capability are disabled

Open Source Implementation: Netfilter

- What is netfilter?
  - A set of checkpoints in the packet's traversal of the protocol stack
  - The checkpoints are called hooks
- Actions taken on hooks
  - NF_ACCEPT
  - NF_DROP
  - NF_STOLEN
  - NF_QUEUE
  - NF_REPEAT
- Packet selection is done by iptables

Open Source Implementation: Netfilter

- Hooks in packet traversal

[Figure: an incoming packet passes NF_IP_PRE_ROUTING, then the routing decision (ROUTE). Packets for this host go through NF_IP_LOCAL_IN to the Local Process; packets for another host go through NF_IP_FORWARD. Locally generated packets leave the Local Process through NF_IP_LOCAL_OUT and a routing decision. Forwarded and locally generated packets both pass NF_IP_POST_ROUTING before leaving.]

Open Source Implementation: iptables

- Rule structure: struct ipt_entry
  - struct ipt_ip
  - nfcache
  - target_offset
  - next_offset
  - comefrom
  - struct ipt_counters
  - followed by struct ipt_entry_match and struct ipt_entry_target

Open Source Implementation: TIS

- A set of programs that facilitate the network firewall
- Software components
  - Smap: SMTP service
  - Netacl: TELNET service, finger, and access control list
  - ftp-gw, http-gw, rlogin-gw, telnet-gw: proxy servers for FTP, HTTP, rlogin, and telnet

http-gw

- A proxy server with proxy capability for HTTP, gopher, and FTP
- May cooperate with Squid
  - http-gw has no caching capability
  - Squid acts as a caching Web proxy
- May filter specific URLs or sites

Netperm-table

- Common configuration file for TIS
- Rule matching is from top to bottom, left to right
- Example of the http-gw part of the Netperm-table:

    http-gw: userid root
    http-gw: directory /www_data
    http-gw: timeout 60
    http-gw: permit-hosts 177.3.4.*
    http-gw: deny-hosts *
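The following added example (not part of TIS or of the slides) parses the http-gw lines above and evaluates a client address the way the slide describes, top to bottom and left to right, so that the permit line for 177.3.4.* is reached before the catch-all deny; shell-style wildcard matching, '#' comments and a fail-closed default for hosts matching no line are assumptions about the format.

```python
from fnmatch import fnmatchcase

# The http-gw part of the Netperm-table as shown on the slide.
NETPERM_TABLE = """\
http-gw: userid root
http-gw: directory /www_data
http-gw: timeout 60
http-gw: permit-hosts 177.3.4.*
http-gw: deny-hosts *
"""


def parse_netperm(text: str):
    """Return a list of (application, keyword, [values]) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # assumption: '#' starts a comment
        if not line:
            continue
        app, _, rest = line.partition(":")
        fields = rest.split()
        if not fields:
            continue
        rules.append((app.strip(), fields[0], fields[1:]))
    return rules


def host_decision(rules, app: str, host: str) -> str:
    """Walk the table top to bottom and each host line left to right; the first
    pattern that matches the client host decides. A host that matches no line is
    denied (assumption: fail closed)."""
    for rule_app, keyword, patterns in rules:
        if rule_app != app or keyword not in ("permit-hosts", "deny-hosts"):
            continue
        for pattern in patterns:
            if fnmatchcase(host, pattern):   # assumption: shell-style wildcards
                return "permit" if keyword == "permit-hosts" else "deny"
    return "deny"


def settings(rules, app: str) -> dict:
    """The non-host keywords (userid, directory, timeout, ...) for an application."""
    return {kw: " ".join(vals) for a, kw, vals in rules
            if a == app and kw not in ("permit-hosts", "deny-hosts")}


if __name__ == "__main__":
    table = parse_netperm(NETPERM_TABLE)
    print(settings(table, "http-gw"))
    # Constructed client addresses: only the first one is inside 177.3.4.*.
    for client in ("177.3.4.10", "177.3.40.10", "10.0.0.1"):
        print(client, host_decision(table, "http-gw", client))
```

Swapping the two host lines makes "deny-hosts *" match first and shuts everyone out, which is why the ordering rule on the slide matters.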

http example of Trusted Information System (TIS)

[Flowchart of http-gw:
    START
    bind, listen
    DAEMON?   NO (inetd) / YES -> accept
    fork = 0? NO (parent) / YES (child)
    Read configuration
    Get user's http request
    Forward http request
    Receive http response
    text/html? YES -> content filter with FSM
               NO  -> block transfer between connections
    END]

7.4 Intrusion Detection System

- Introduction
- Intrusion
- Protection
- Open Source Implementation: Snort

Network Intrusion

- What's network intrusion? Intruding into a system via networks such as the Internet and an intranet

[Figure: a login exchange with a Server, sent in clear text:
    ===== Welcome ======
    Login: Unsafe
    Password: HereYouAre]

Why network intrusion?

- For fun
- Gather information or resources of the target system
- Damage data and files
- Crash the target system

Intrusion Procedure

Gather information -> Intrude -> Crack target -> Get information -> Embed backdoor for next coming -> Clear log

Intrusion Ways

- Monitoring
- Password Cracking
- Security Holes
- Malicious Code
- Denial of Service
- Scanning

Monitoring

- What's monitoring? Monitoring the MAC frame, IP packet, and application layer information of the target system
  - To get the MAC address
  - To get TCP/IP information
  - To get username and password
  - To get other useful information
- Tools
  - Sniffit, http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
  - NetXray

Password Cracking

- How passwords are cracked
  - Guessing
  - Brute force with a dictionary file
    - Unix: /etc/passwd and /etc/shadow files
    - Windows 2000: SAM file
  - Plain text transmission without encryption
- Tools
  - Netcat, http://www.atstake.com/research/tools/nc11nt.zip
  - WWWHack, http://packetstorm.securify.com/Crackers/wwwhack.zip
  - L0phtCrack, http://www.l0pht.com/l0phtcrack/dist/l0phtcrack25.exe
  - John-16d.zip, http://www.openwall.com/john

Security Holes

- What's a security hole? Bugs of systems, applications, or protocols
- Types of security hole
  - Buffer overflow
  - Input validation error
  - Configuration error
  - System bug
  - Software bug
  - Protocol bug

Buffer overflow

- Put more data into the specified buffer than it can hold
- This causes a buffer overflow
- Point to the cracked file // execute the cracked file

[Figure: the fragment

    void called(){
        . . .
        char buffer[200];
        . . .
    }

is shown beside its stack frame: the stack pointer, buffer (200 bytes), ..., and the return address. Putting more data into the buffer overflows it, and the saved return address is replaced by the cracked file address.]

Malicious Code

- What's malicious code? Computer programs written specifically to cause mischief or, worse, damage to infected computers
- Two types of malicious code
  - Backdoor (i.e., Trojan horses)
  - Virus

Backdoor, i.e., Trojan Horses

- Unlike a virus, a Trojan horse does not replicate itself
- Stays in the target system
- Masquerades as a legitimate program
- Inflicts damage
- Reports information to the remote attacker
- Allows the remote attacker to take control of the target

Virus

- Self-replicating
- Destructive
- Types of virus
  - Macro virus
  - COM and EXE virus
  - Boot virus
  - Joke virus
  - Java malicious code
  - ActiveX malicious code
  - VBScript, JavaScript and HTML virus

Examples

- First Internet virus: "Internet Worm" by Robert T. Morris Jr., 1988
- Famous virus via email: "I love you", 2000
- Attacks on Microsoft IIS: "Code Red", 2001; "Nimda", 2001
- Virus list: http://www.wildlist.org/

Denial of Service

- What's DoS? Not an intrusion attack, but it denies the services of the target system
  - Exhausts the target's resources
  - The target stops providing services

How is DoS done?

- TCP SYN flood with IP spoofing attack
- ICMP reply flood attack
- Ping of Death
- Teardrop attack
- UDP flood attack
- DDoS (Distributed DoS)
  - Hierarchy of attacker, master, client, and target

DDoS: Distributed DoS

- Launches coordinated UDP flood DoS attacks from many sources
- Hierarchy of attacker, master, client, and target
  - Attacker, the intruder
  - A small number of servers, or masters
  - A large number of clients, or daemons
  - Target, the victim
- Tools that have been seen in use: Trinoo (or trin00), Tribe Flood Network (or TFN), and TFN2K

[Figure: DDoS hierarchy
    Attacker -> Master: command, port 27665/TCP
    Master -> Agent: command request, port 27444/UDP; Agent -> Master: reply, port 31335/UDP
    Agents -> Targets: attack
    Attack types: 1. UDP flood attack; 2. TCP SYN flood attack; 3. ICMP echo request flood attack; 4. M attack; 5. Targa3 attack]
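The control ports in the figure are a detection opportunity for the defender: this added example (not from the slides or from any IDS) reads constructed flow records and infers which hosts are acting as master or agent from the 27665/TCP, 27444/UDP and 31335/UDP signatures, requiring evidence from two distinct signatures before it flags a host; the flow record format and all addresses are made up for the example.

```python
import re
from collections import defaultdict

# Control ports from the DDoS figure: attacker -> master on 27665/TCP,
# master -> agent requests on 27444/UDP, agent -> master replies on 31335/UDP.
TRINOO_PORTS = {
    ("tcp", 27665): "attacker->master command",
    ("udp", 27444): "master->agent request",
    ("udp", 31335): "agent->master reply",
}

# Constructed flow records in an invented "proto src:sport > dst:dport" format.
SAMPLE_FLOWS = """\
tcp 203.0.113.9:51234 > 192.0.2.10:27665
udp 192.0.2.10:27444 > 192.0.2.21:27444
udp 192.0.2.10:27444 > 192.0.2.22:27444
udp 192.0.2.21:31335 > 192.0.2.10:31335
tcp 192.0.2.5:44000 > 198.51.100.3:443
udp 192.0.2.22:31335 > 192.0.2.10:31335
"""

FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*>\s*(\S+):(\d+)$")


def parse_flows(text):
    """Return (proto, src, sport, dst, dport) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            proto, src, sport, dst, dport = m.groups()
            flows.append((proto, src, int(sport), dst, int(dport)))
    return flows


def role_evidence(flows):
    """For each host, the set of (role, port signature) pairs its flows support."""
    evidence = defaultdict(set)
    for proto, src, sport, dst, dport in flows:
        sig = (proto, dport)
        if sig not in TRINOO_PORTS:
            continue
        if dport == 27665:
            evidence[src].add(("attacker", sig))
            evidence[dst].add(("master", sig))
        elif dport == 27444:
            evidence[src].add(("master", sig))
            evidence[dst].add(("agent", sig))
        else:  # 31335
            evidence[src].add(("agent", sig))
            evidence[dst].add(("master", sig))
    return dict(evidence)


def suspected_roles(flows, min_signatures=2):
    """Roles backed by at least min_signatures distinct port signatures. A single
    hit on one port may be an ephemeral-port coincidence, so by default one hit is
    not enough; note the attacker role only ever has one signature (27665/TCP), so
    it is reported only when min_signatures is lowered to 1."""
    out = {}
    for host, pairs in role_evidence(flows).items():
        by_role = defaultdict(set)
        for role, sig in pairs:
            by_role[role].add(sig)
        strong = {r for r, sigs in by_role.items() if len(sigs) >= min_signatures}
        if strong:
            out[host] = strong
    return out


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, roles in sorted(suspected_roles(flows).items()):
        print(host, sorted(roles))
```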

Scanning

- What's scanning? The dawn of attacking: scanning the services and security holes of the target only, not real attacking
- Scanning types
  - Local scanning
    - COPS
    - TIGER
  - Remote scanning
    - SATAN (Security Administrator's Tool for Analyzing Networks)
    - SAINT (Security Administrator's Integrated Network Tool)
    - Fluxay

Examples of attacking

    Software                  Security hole                               Attack type
    sendmail                  Failure to handle exceptional conditions    DoS
    Wu-ftpd 2.6               Buffer overflow                             Remote exploit
    Group Apache 1.3.12       Design error                                Remote and local exploits
    Piranha with Redhat 6.2   Configuration error                         Remote exploit
    Linux "man" Malicious     Access validation error                     Local exploit

Protection

- Prevent (encryption, authentication): refer to 7.2.1 and 7.2.2
- Access control (firewall): refer to 7.3
- Detection (monitoring, scanning)
- Audit (auditing)

Detection

- Detection types
  - Monitoring
    - Network-based monitor: detection of DoS attacks
    - Host-based monitor
    - Tools: Tripwire, http://www.tripwiresecurity.com; RealSecure, http://www.iss.net
  - Scanning
    - Scanning for known patterns
    - Prevents viruses and backdoor programs

Audit

- Recording system logins and security-related events
  - Prevent intrusion
  - Trace intrusion
- Audit record operations
  - Analyzing
  - Maintenance
  - Backup
- Tools
  - Stalker, http://www.haystack.com
  - IDES/NIDES, http://www.sri.com
  - Unix's syslog
  - Watchdog, http://www.infstream.com
  - /var/adm/sulog file

Open Source Implementation: Snort

- Three modes
  - Sniffer: reads and decodes network packets
  - Packet logger: logs packets to disk
  - Intrusion detection system: analyzes traffic based on pre-defined rules and performs actions based upon what it sees

Snort Commands

- Command line: snort -[options] <filters>
- Sniffer: ./snort -v
  - Runs snort and shows IP and TCP/UDP/ICMP headers
- Packet logger: ./snort -dev -l ./log
  - Collects packets and places them in the log directory
- Intrusion detection system: ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

Snort Rules

- A powerful description language
- Snort takes action based upon the rule type
- A rule is divided into two sections:
  - Rule header: action, protocol, source and destination IP addresses, port information
  - Rule option: alert message; which part of the packet should be inspected

Writing Snort Rules

- Rule header: alert tcp any any -> 192.168.1.0/24 111
  - action | protocol | source address and port number | destination address and port number
- Rule option: (content: "|00 01 86 a5|"; msg: "mounted access";)
  - inspected part of the packet | alert message
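This added example (not Snort's own code and not from the slides) parses the slide's rule into its header and option sections and runs it over constructed packets, so that only a TCP packet to 192.168.1.0/24 port 111 whose payload carries the bytes 00 01 86 a5 raises the alert; the Packet layout and the payload bytes are assumptions, and the Snort port-range form lo:hi is handled as well.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The rule from the slide (straight quotes instead of the slide's typographic ones).
SLIDE_RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mounted access";)'

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    content: Optional[bytes]
    msg: str


def parse_content(value: str) -> bytes:
    """Snort content strings mix literal text with |hex bytes| segments."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport -> dst dport (options)' into a Rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule in header (options) form: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    content, msg = None, ""
    for opt in opts.split(";"):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            content = parse_content(val)
        elif key == "msg":
            msg = val
    return Rule(action, proto, src, sport, dst, dport, content, msg)


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                      # Snort range form lo:hi
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields first (cheap), then the content option against the payload."""
    return (rule.proto == pkt.proto
            and addr_match(rule.src, pkt.src) and port_match(rule.sport, pkt.sport)
            and addr_match(rule.dst, pkt.dst) and port_match(rule.dport, pkt.dport)
            and (rule.content is None or rule.content in pkt.payload))


def run_rules(rules, packets):
    """Return (action, msg, dst, dport) for every rule that fires on every packet."""
    return [(r.action, r.msg, p.dst, p.dport)
            for p in packets for r in rules if rule_matches(r, p)]


# Constructed payload; the bytes 00 01 86 a5 are 100005 in big-endian, the ONC RPC
# program number of mountd, which is what the slide's content option looks for.
PROBE = bytes.fromhex("80000028 00000001 00000000 00000002 000186a5 00000001 00000000")
PACKETS = [
    Packet("tcp", "10.0.0.5", 33000, "192.168.1.7", 111, PROBE),       # fires
    Packet("tcp", "10.0.0.5", 33001, "192.168.1.7", 111, b"GET / "),   # wrong content
    Packet("tcp", "10.0.0.5", 33002, "172.16.0.7", 111, PROBE),        # dst outside /24
    Packet("udp", "10.0.0.5", 33003, "192.168.1.7", 111, PROBE),       # wrong protocol
]

if __name__ == "__main__":
    for alert in run_rules([parse_rule(SLIDE_RULE)], PACKETS):
        print(alert)
```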

Open Source Implementation: Snort (cont.)

[Flowchart of Snort start-up, part 1:
    Parse command line
    Initialize program variables
    Initialize the specified interface
    If no config data is specified: set log directory
    No rules: sniffing or logging only (the other branch of this decision exits)
    Open interface for reading packets]

Open Source Implementation: Snort (cont.)

[Flowchart of Snort start-up, part 2:
    Set packet processor
    Initialize all plugin modules
    If using rule systems
    Set safe UID and GID
    Set default alert function
    Specify command line alert function
    Assign each interface a thread]

Attack vs. Protection

[Table: rows are attacks (Monitoring, Password crack, Security holes, Scanning, Malicious code, DoS, Social engineering); columns are protections (Encryption, Authentication, Access control, Audit, Monitor, Scan); each cell states what the protection does against the attack: prevent, decrease, record or detect. The cell runs recoverable from the extraction are: Monitoring: prevent; Password crack: prevent, decrease, record, detect; Scanning: prevent, record, detect; Malicious code: record, detect, detect; DoS: decrease, record, detect.]

Pitfalls and misleading

- Private key vs. public key
- Why does RSA work?
- Security of DES and Triple DES
- SSL vs. SET
- High-level firewall vs. low-level firewall

Further readings

[1] Dorothy E. Denning, Peter J. Denning, "Internet Besieged", Addison Wesley, Oct 1997
[2] SecurityFocus, "SecurityFocus.com", http://www.securityfocus.com
[3] Cryptographic Algorithms, "DES", http://www.ssh.fi/tech/crypto/algorithms.html#DES
[4] Cryptographic Algorithms, "IDEA", http://www.ssh.fi/tech/crypto/algorithms.html#IDEA
[5] Cryptographic Algorithms, "RSA", http://www.ssh.fi/tech/crypto/algorithms.html#RSA
[6] Cryptographic Algorithms, "Diffie-Hellman", http://www.ssh.fi/tech/crypto/algorithms.html#Diffie-Hellman
[7] MIT distribution site for PGP, "Welcome to the MIT Distribution Center for PGP (Pretty Good Privacy)", http://web.mit.edu/network/pgp.html
[8] The Secure Shell Community Site, "The Secure Shell Community Site", http://www.ssh.org
[9] R. Rivest, "The MD5 Message-Digest Algorithm", Apr 1992, http://sunsite.auc.dk/RFC/rfc/rfc1321.html

Further readings

[10] S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol," IETF RFC 2401, November 1998
[11] B. Gleeson, A. Lin, J. Heinanen, G. Armitage and A. Malis, "A Framework for IP Based Virtual Private Networks," IETF RFC 2764, February 2000
[12] M. Curtin and M. J. Ranum, "Internet Firewalls: Frequently Asked Questions," http://www.interhack.net/pubs/fwfaq/

Exercises

- What's the primary encryption function of each iteration of the DES system?
- Figure out the breaking time for key sizes of 32, 56, 128, and 168 bits, if a single decryption takes 1 us and 10^-6 us, respectively.
- In a public key system using RSA, the public key is e=5, n=35. Trudy intercepts the ciphertext C=10. What's the plaintext M?
- The encryption scheme used for UNIX passwords is one way; it is not possible to reverse it. Therefore, would it be accurate to say that this is, in fact, a hash code rather than an encryption of the password?
- What are the requirements of a digital signature?
- What's the difference between a network layer and an application layer firewall?
- What are the differences between a virtual leased line, a virtual private routed network, a virtual private dial network, and a virtual private LAN segment?
- How can authentication and privacy be achieved simultaneously by using the Authentication Header and the Encapsulating Security Payload in IPSec?
- What's the procedure of a DDoS attack?
- What's the attack procedure of the "Nimda" virus in October 2001?