PSC CyberSecurity 3 Networks v1
Transcript of PSC CyberSecurity 3 Networks v1
Critical Infrastructure Security: The Emerging Smart Grid
Cyber Security Lecture 4:
Network Vulnerabilities & Mitigations – Carl Hauser & Adam Hahn
Overview
• Network Attacks
  – DoS
  – Spoofing
• Mitigations
  – Cryptographic Protocols
  – Firewalls
  – Intrusion Detection
Denial of Service (DoS) Attacks
• Definition
  – “DoS is an action that prevents or impairs the authorized use of network systems, or applications by exhausting resources such as central processing unit (CPU), memory, bandwidth, and disk space”
• Techniques
  – Malformed packet
    • malformed packet that triggers some software vulnerability/weakness causing a system crash
  – Flooding
    • overwhelming system resources (e.g., network bandwidth, CPU speed)
  – Protocol-based
    • manipulate protocol state (e.g., TCP Reset)
• Other DoS Types
  – DDoS – Distributed DoS
  – Reflection/Amplification
  – Non-malicious – slashdotted, flash crowd
Flooding
• Goal: Overload the capacity of the network/system
  – Network – consume resources (e.g., bandwidth)
  – System – exhaust system’s ability to process data
• Types
  – ICMP Flood
    • ICMP “Echo Request” messages – often filtered
    • ICMP Destination Unreachable – not as commonly filtered
  – UDP Flood
    • send large UDP packets to some system (e.g., DNS)
    • UDP is connectionless, so no TCP handshake overhead
  – HTTP Flood
    • sending legitimate HTTP GET/POST messages to web server
Flooding – Continued
• TCP Syn Flood
  – How
    • Attacker sends large number of TCP Syn packets to server
    • Server creates half-open connection and sends Syn-Ack
    • Client doesn’t send Ack to open connection
  – Result
    • Attack exhausts finite list of half-open connections allowed by operating system
  – Defense
    • After server sends Syn-Ack, it removes entry from Syn queue
    • Stores “Syn cookies” which encode IP addresses/ports, sequence numbers
    • Prevents exhaustion of Syn queue
  – Old attack method, but may still be a vulnerability on legacy control system devices
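The Syn-cookie defense above, as an added example (not code from the lecture): the server derives its Syn-Ack sequence number from a keyed hash over the client/server addressing fields plus a coarse time slot, keeps no half-open entry, and validates the cookie that comes back in the client's Ack. The secret key, the 64-second slot size and the two-slot validity window are constructed for this demo; the MSS encoding real implementations include is omitted.

```python
import hashlib
import hmac

# Constructed key for this demo; a real server uses a random secret and rotates it.
SECRET = b"demo-syn-cookie-secret"
SLOT_SECONDS = 64          # coarse timestamp granularity encoded in the cookie
MAX_AGE_SLOTS = 2          # how long a Syn-Ack stays valid before its cookie is refused

def _mac24(secret: bytes, client_ip: str, client_port: int, server_port: int, slot: int) -> int:
    """Keyed hash over the addressing fields and time slot, truncated to 24 bits."""
    msg = f"{client_ip}|{client_port}|{server_port}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(client_ip: str, client_port: int, server_port: int,
                    now: float, secret: bytes = SECRET) -> int:
    """32-bit ISN the server sends in its Syn-Ack instead of queueing a half-open entry:
    top 8 bits = time slot (mod 256), low 24 bits = MAC of the connection fields and slot.
    (Real implementations also encode the client's MSS; omitted here for brevity.)"""
    slot = int(now // SLOT_SECONDS) & 0xFF
    return (slot << 24) | _mac24(secret, client_ip, client_port, server_port, slot)

def check_syn_cookie(client_ip: str, client_port: int, server_port: int,
                     ack_number: int, now: float, secret: bytes = SECRET) -> bool:
    """On the client's final Ack, recover the cookie (Ack - 1), reject stale slots and
    recompute the MAC; only a client that really received the Syn-Ack can pass."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    age = ((int(now // SLOT_SECONDS) & 0xFF) - slot) & 0xFF
    if age > MAX_AGE_SLOTS:
        return False   # Syn-Ack too old; nothing was queued, so nothing needs cleaning up
    expected = _mac24(secret, client_ip, client_port, server_port, slot)
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"),
                               expected.to_bytes(3, "big"))
```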
Malformed Packet
• Causes software or operating system to crash
  – Usually result of software vulnerability/error
• Example
  – Ping of Death
    • ICMP “ping” packet > 2^16 bytes violates protocol
    • Caused buffer overflow/crashing of older Windows/Unix systems
  – Teardrop
    • Targets incorrect reassembly of fragmented IP packets
    • Overlapping fragments caused operating system to crash
Reflection
• Reflection
  – How
    • Attack system sends requests to an intermediate system with a spoofed (target’s) source IP address
    • Intermediate system responds to target system
    • Victim thinks attack originates from intermediate system, not attacker
  – Why
    • Attack less likely to be identified
    • Attack bandwidth can be amplified
  – Example protocols:
    • TCP handshake
    • UDP (DNS, NTP, SNMP)
  – attacker doesn’t have to set up sessions!
Reflection Example: TCP
• Normal TCP Handshake
• TCP Syn spoofing
  – Spoofed Syn causes server to continually send Syn-Acks to target system
DDoS
• Distributed DoS
  – Utilize large number of attacking systems
  – Improves amount of traffic sent by attack
  – More difficult to prevent
    • Can’t filter single system
    • Difficult to differentiate attack from normal traffic
• Control
  – Centralized
    • Single attacker has control over large number of systems (e.g., botnet)
    • Example: http://blog.cloudflare.com/65gbps-ddos-no-problem/
  – Distributed
    • Attacks launched by individual parties (e.g., Anonymous)
    • Often utilize botnets to perform the DDoS
    • Example: http://bits.blogs.nytimes.com/2012/11/15/anonymous-attacks-israeli-web-sites/
More DDoS Examples
• 65 Gbps DoS attack – http://blog.cloudflare.com/65gbps-ddos-no-problem/
  – 65,000 systems with 1 Mbps link (upstream)
• Amplification
  – Assuming 60 byte request, 512 byte response
  – ~7617 systems required for the DoS attack
IP Spoofing
• IP developed without authentication capabilities (1970s)
  – Source address can be spoofed so receiver thinks sender was someone else
  – Still seen frequently (usually with DoS attacks)
• Security Mechanisms:
  – Routers – may filter packets with incorrect source IP addresses
  – IPsec – provides authentication of IP packets
  – IPv6 – default support for IPsec
ARP Spoofing
• Recall – ARP – Address Resolution Protocol
  – Know the IP address, but not the MAC (link address) of a system
• Problem
  – ARP messages aren’t authenticated
  – Attacker can create malicious ARP Response claiming to be the system with the requested IP
  – Generally a race between attacker and actual target
• Security Mechanisms:
  – Static ARP tables on hosts/network switches
ARP Spoofing (figure: Source, Destination with IP 1.2.3.4 / MAC 00:11:22:33:44:55, and Attacker)
• Normal ARP
  – Source -> all: ARP Req: who is 1.2.3.4
  – Destination -> Source: ARP Resp: 1.2.3.4 is 00:11:22:33:44:55
  – Source sends traffic with Dst MAC = 00:11:22:33:44:55
• Spoofed ARP
  – Source -> all: ARP Req: who is 1.2.3.4
  – Destination -> Source: ARP Resp: 1.2.3.4 is 00:11:22:33:44:55
  – Attacker -> Source: ARP Resp: 1.2.3.4 is 11:11:11:11:11:11
  – Source sends traffic with Dst MAC = 11:11:11:11:11:11 (the attacker)
Other Spoofing
• TCP – stateful connection
  – Has sequence & acknowledgement numbers
  – Packets with incorrect sequence numbers will be rejected
    • Must fall inside current “Receive Window”
  – Sequence number (32-bit number, 2^32 values)
  – Randomized Initial Sequence Numbers (ISNs) to prevent a user from guessing the number
    • Not helpful if the attacker can view your TCP session and obtain current sequence numbers
• BGP – Border Gateway Protocol
  – Malicious system can advertise false routing paths to hijack traffic
  – Examples
    • http://www.cnet.com/news/how-pakistan-knocked-youtube-offline-and-how-to-make-sure-it-never-happens-again
    • http://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/
    • http://www.bgpmon.net/turkey-hijacking-ip-addresses-for-popular-global-dns-providers/
    • http://www.bgpmon.net/the-canadian-bitcoin-hijack/
DNS Spoofing
• Originally DNS didn’t have any authentication
  – Attackers could spoof DNS response to get a user to visit a different system
  – If MITM attack
    • Simply manipulate DNS response
  – If Spoofing only (i.e., no ability to see current traffic)
    • DNS request – unique 16 bit “Query ID”
    • If response Query ID != request Query ID -> disregard response
    • Before ~2008 Query ID was sequential
      – Attacker could guess future query IDs and inject spoofed DNS responses
• Examples
  – China manipulated DNS records for sites
    • http://www.computerworld.com/article/2516831/security0/china-s-great-firewall-spreads-overseas.html
  – Turkey manipulated DNS to block Twitter
    • http://www.theguardian.com/world/2014/mar/21/turkey-blocks-twitter-prime-minister
• Security Mechanisms
  – Randomize DNS Query ID
  – Spoofed DNS response must also have correct Dst. Port
  – DNSSEC
DNS – Spoofing (figure)
Hosts: a client and its Local Name Server in the Local Network; the Root Name Server and the .Com Name Server on the Internet; the RandomSite.com Name Server and www.RandomSite.com in the RandomSite Network; and attacker.com. Numbered arrows 1–10 (DNS queries/responses, then HTTP) trace the resolution of www.RandomSite.com and the point at which a spoofed response can redirect the client to attacker.com.
Security Protocols
TCP/IP Stack (Unsecure)          Security Protocols (Secure)
Application (HTTP, DNS)          HTTPS / DNSSEC
Transport (TCP/UDP)              TLS
Internet (IP)                    IPsec
Network (Ethernet)               802.1x
• Necessary to communicate securely across untrusted network
  – Provide integrity, confidentiality, authenticity of communications
  – Based on previously discussed cryptographic mechanisms
Transport Layer Security (TLS)
• Previously Secure Sockets Layer (SSL)
• Originally designed to support secure HTTP (HTTPS)
  – Runs over TCP
  – Datagram TLS – TLS equivalent for UDP
  – Currently used to secure many other protocols
• Provides:
  – Authentication/Integrity – uses MACs
  – Confidentiality – encryption of messages
TLS/SSL Versions
• Older
  – SSL 1.0-2.0 – well known security vulnerabilities
  – SSL 3.0 – weak key generation
• Government Approved (based on NIST SP 800-52 rev 1)
  – TLS 1.0 – not significantly different than SSLv3
    • Only when dealing with business/public (not govt-only comm.)
    • Browser Exploit Against SSL/TLS (BEAST) vulnerability
  – TLS 1.1 – fixes some issues with CBC mode, other fixes
  – TLS 1.2 – specifies SHA-2 (256, 512 bit) hash functions
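Added example (not from the lecture) showing how the version and cipher points above turn into a client configuration: a hardened Python `ssl` context that refuses SSLv3/TLS 1.0/TLS 1.1 and the RC4/DES/MD5 primitives listed under TLS Ciphers, a deliberately weak context for comparison, and an audit function that reports what a reviewer would flag. The cipher string and the marker list are assumptions of this demo, not a standard's mandate.

```python
import ssl

# Primitives the lecture lists under weak/legacy suites: RC4 stream, DES/3DES block, MD5 MAC.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")
ACCEPTABLE_MIN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3/TLS 1.0/TLS 1.1 and the weak bulk/MAC algorithms."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # CA verification + hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2              # rules out BEAST-era TLS 1.0 and SSLv3
    # OpenSSL cipher string: forward-secret ECDHE suites with AEAD only; MD5/RC4/3DES explicitly out.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx

def legacy_client_context() -> ssl.SSLContext:
    """The weak configuration for comparison: TLS 1.0 negotiable, no certificate or hostname checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx

def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled cipher suites that use any of the weak primitives."""
    return [c["name"] for c in ctx.get_ciphers() if any(m in c["name"] for m in WEAK_MARKERS)]

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would flag; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version not in ACCEPTABLE_MIN:
        findings.append("minimum version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if weak_ciphers(ctx):
        findings.append("weak cipher suites enabled")
    return findings
```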
TLS Protocol Stack (figure: TLS record, Type: Handshake)
• Stateful connection
• Handshake used to communicate/agree on various parameters
  – TLS/SSL versions
  – Ciphers
  – Certificates
  – Pre-master secret
  – Master secret
  – Session ID
TLS Handshake (figure: client/server message exchange)
• Client -> Server: proposes 1) version, 2) ciphers, 3) session ID, 4) random number
• Server -> Client: specifies 1) version, 2) cipher, 3) random number
• Server -> Client: server certificate, public key parameters
• Client -> Server: client certificate (optional), premaster secret
• Client -> Server: change cipher suite (encrypted in future)
• Server -> Client: change cipher suite (encrypted in future)
TLS Ciphers
• Cipher suite contains set of crypto algorithms necessary to perform following functions:
  – Key exchange algorithm
    • E.g., RSA, Diffie-Hellman, ECDH
  – Bulk encryption algorithm
    • Stream (RC4, etc.), Block (3DES, DES, AES, etc.)
  – Data Integrity/Auth.
    • MAC algorithms, HMAC with (MD5, SHA1, SHA256)
IPsec
• Commonly used to build “secure” VPNs
  – Host to host, network to network, host to network
• Encryption and authentication at the network layer
• Functions
  – Security Associations
    • algorithms and parameters used in encryption
  – Authentication Header (AH) – Deprecated…
    • connectionless authentication and integrity
  – Encapsulating Security Payload (ESP)
    • Provides confidentiality, authentication, integrity
Benefits
• Provide confidentiality, integrity, authentication of all IP packets (routable traffic)
  – Transparent to users
• Crypto processing can be moved to network routers/devices rather than the end system
Security Associations
• One-way relationship between sender and receiver about security protocol parameters
  – Algorithms and keys used to protect the communication
  – Need two SAs for two-way communication
• Includes
  – Security Parameter Index (SPI)
    • identifier for the SA
  – IP destination address
    • destination endpoint of the SA
  – Crypto algorithms/keys
• SA establishment relies on ISAKMP protocol
ESP Modes – Examples (figure)
• IPsec (Tunnel): Trusted Network A <-> Trusted Network B, traffic carried across the unsecure connection between the two networks
• IPsec (Transport): External Hosts <-> External Hosts, end to end across the unsecure connection
TLS vs IPsec
• Connection Establishment
  – IPsec – pre-established “Security Associations” to agree on ciphers, etc.
    • Additional overhead
  – TLS – utilizes handshake to negotiate between client/server
    • Vulnerable to MitM “downgrade” attacks
• Trust Establishment
  – IPsec – pre-established during SA
  – TLS – based on
    • trusted certificate authority
    • pre-shared certificates
IEC 62351
• Data and communications security standard for power systems
• Provides standard for
  – IEC 62351-9 – Key management
    • X.509 certificates for devices
    • Group Domain of Interpretation (GDOI)
      – Symmetric key management
      – Based on trusted key server
  – TLS for message encryption
  – RSA-based digital signatures for message authentication
http://iectc57.ucaiug.org/wg15public/Public%20Documents/White%20Paper%20on%20Security%20Standards%20in%20IEC%20TC57.pdf
Overview
• Network Attacks
  – DoS
  – Spoofing
  – Tampering
• Mitigations
  – Cryptographic Protocols
  – Firewalls
  – Intrusion Detection
Firewalls
• Why?
  – Separate more critical/less critical networks
    • Restrict Internet traffic to systems
  – Enforce desired traffic flows/security policies
• How?
  – Single system that all traffic must pass through
  – Enforces rules on all traffic
    • Ingress – data coming into network
    • Egress – data leaving network
Firewall Types
• Firewall Types
  – Packet Filtering
    • Stateful inspection
  – Application-Layer proxy
• Operate at different layers in the TCP/IP stack
(Figure: TCP/IP stack – Network/Link; Internet: IP, ICMP; Transport: TCP, UDP; Application: HTTP, DNP, DNS)
Packet Filtering
• Generally operate at the Network/Internet/Transport layers
• Configuration includes
  – “Default Policy” for traffic that doesn’t match a rule
    • Discard/Drop – prohibit the packet
    • Forward/Accept – allow the packet
  – “Rules” to match packets
    • Packet matching information
      – Source/Destination IP
      – Source/Destination Port
      – Protocol (e.g., TCP/UDP)
    • Action – Accept/Deny
  – Called “Stateful Inspection” if aware of TCP connections
Packet Filtering Example Rules
• Only allow control traffic to DNP slave (IP: 1.2.3.4, TCP 20000)
  – External – IP range of external systems
  – Remember: source ports for TCP connections usually use the ephemeral port range (high numbers)

Rule  Direction  Src Addr  Src Port  Dst Addr  Dst Port  Prot  Conn State        Action
1     In         External  ----      1.2.3.4   20000     TCP   New, Established  Permit
2     Out        1.2.3.4   20000     External  ----      TCP   Established       Permit
3     Both       Any       Any       Any       Any       Any   New, Established  Deny
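The three-rule table above as an added example (not code from the lecture): a small stateful packet filter that evaluates rules first-match, keeps a connection table so that “Established” is distinguished from “New”, and falls back to a deny default policy. The External range 203.0.113.0/24 and the packets in the test are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXTERNAL = ip_network("203.0.113.0/24")   # constructed "External" range for the demo

@dataclass(frozen=True)
class Packet:
    direction: str    # "In" (entering the network) or "Out" (leaving it)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "TCP" / "UDP"

# The slide's table: (Direction, Src Addr, Src Port, Dst Addr, Dst Port, Prot, Conn State, Action).
# None stands for the "----" (unspecified) port; "Any" matches everything.
RULES = [
    ("In",   "External", None,  "1.2.3.4",  20000, "TCP", {"New", "Established"}, "Permit"),
    ("Out",  "1.2.3.4",  20000, "External", None,  "TCP", {"Established"},        "Permit"),
    ("Both", "Any",      None,  "Any",      None,  "Any", {"New", "Established"}, "Deny"),
]

def _addr_match(spec: str, addr: str) -> bool:
    if spec == "Any":
        return True
    if spec == "External":
        return ip_address(addr) in EXTERNAL
    return ip_address(spec) == ip_address(addr)

class StatefulFilter:
    """First-match rule evaluation with a connection table, so 'Established' means the
    packet belongs to a flow that an earlier permitted 'New' packet opened."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.conns = set()   # 4-tuples (src, sport, dst, dport) of permitted connections

    def _state(self, p: Packet) -> str:
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        return "Established" if fwd in self.conns or rev in self.conns else "New"

    def filter(self, p: Packet) -> str:
        state = self._state(p)
        for direction, src, sport, dst, dport, proto, states, action in self.rules:
            if direction not in ("Both", p.direction) or proto not in ("Any", p.proto):
                continue
            if not (_addr_match(src, p.src) and _addr_match(dst, p.dst)):
                continue
            if sport not in (None, p.sport) or dport not in (None, p.dport) or state not in states:
                continue
            if action == "Permit" and state == "New":
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            return action
        return "Deny"   # default policy for traffic no rule matches
```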
Application Firewall
• Designed specifically for application layer protocol
• Example:
  – Web Application firewalls
  – SCADA application filtering
    • DNP3 – Objects
    • IEC 61850 – GOOSE messages
Intrusion Detection
• Intrusion Detection System (IDS)
  – Identifies attacker attempts to gain unauthorized access to networks or systems
• Components
  – Sensors – collect data (e.g., network packets, log files, system calls)
  – Analyzer – receives input from sensors and analyzes it for
IDS Categories
• Sensor Types
  – Host-based (HIDS) – sensors collect data from hosts for malicious processes, network stack activity, modified files, etc.
  – Network-based (NIDS) – sensors collect data from network
  – Hybrid – combine information from both network and hosts
• Analysis Types
  – Signature-based – use set of known attack patterns that are compared with current sensor data (e.g., Snort)
  – Anomaly-based – compare current data to collection of past data, assumes deviations from past patterns (or anomalies) are attacks
  – Specification-based – create “specification” of known, correct system operation.
Anomaly-based Detection
• Overview:
  – Develop model of normal behavior and compare incoming events
• Approaches
  – Statistical model or machine learning approach to categorizing traffic as normal or malicious
• Strength
  – Can detect new/unknown attacks!!!
• Weakness
  – Many benign anomalies (e.g., network reconfiguration, system upgrades, new programs)
  – Excessive False Positives (Base Rate Fallacy)
  – Attacks that are not anomalies?
Basic Detection Theory
• IDS requires small
  – False positives
    • wastes money/resources investigating non-attack
  – False negatives
    • missed attack results in violation of security policy
  – Base Rate Fallacy
    • Small number of intrusions vs. large number of non-malicious traffic
    • Accurate IDS will still raise large number of false positives
• IDS performance can be represented by a receiver operating characteristic (ROC) curve

(Figure: confusion matrix and ROC curve)
                         Attack Present: Yes   Attack Present: No
Attack Identified: Yes   True Positive         False Positive
Attack Identified: No    False Negative        True Negative
ROC curve: x-axis False Positive rate (0.0 to 1.0), y-axis True Positive rate (0.0 to 1.0)
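Added example (not from the lecture) working the detection-theory numbers above: TPR/FPR from the 2x2 table, P(attack | alarm) by Bayes' rule at a given base rate (the base rate fallacy in numbers), the expected analyst workload, and the ROC points obtained by sweeping an alert threshold over scored events. All rates, counts and scored events in the test are constructed.

```python
def rates_from_confusion(tp: int, fp: int, fn: int, tn: int):
    """True-positive rate (fraction of attacks identified) and false-positive rate
    (fraction of benign events that raised an alarm) from the 2x2 table."""
    return tp / (tp + fn), fp / (fp + tn)

def alarm_precision(tpr: float, fpr: float, base_rate: float) -> float:
    """P(attack | alarm) by Bayes' rule. With a tiny base rate the FPR term dominates
    the denominator, which is the base rate fallacy: an accurate IDS still mostly cries wolf."""
    p = base_rate
    return (tpr * p) / (tpr * p + fpr * (1.0 - p))

def expected_alarms(tpr: float, fpr: float, base_rate: float, n_events: int):
    """Expected (true alarms, false alarms) over n_events, i.e. the analyst workload."""
    attacks = n_events * base_rate
    return tpr * attacks, fpr * (n_events - attacks)

def roc_points(scored_events):
    """Sweep the alert threshold from strict to permissive over (anomaly_score, is_attack)
    pairs and return the (FPR, TPR) points of the ROC curve."""
    positives = sum(1 for _, is_attack in scored_events if is_attack)
    negatives = len(scored_events) - positives
    points, tp, fp = [(0.0, 0.0)], 0, 0
    for _, is_attack in sorted(scored_events, key=lambda e: -e[0]):
        if is_attack:
            tp += 1
        else:
            fp += 1
        points.append((fp / negatives, tp / positives))
    return points
```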
Signature-based Detection
• Overview:
  – maintain collection of known patterns of malicious data, compare incoming network traffic to patterns
• Strength
  – Low False Positive rate (if rules created correctly)
• Weakness
  – Can’t detect novel (0-day) attacks, detection only works when it has previous
• Example:
  – Snort IDS
Snort IDS
• Open-source Signature-based IDS
• Modes
  – Passive – only detect attacks
  – Inline – can block packets
    • Intrusion prevention
• Architecture
  – Decoder
    • decode protocol layers, structure packet for analysis
  – Detection Engine
    • analyzes packet vs. set of rules
  – Logger/Alerter
    • perform necessary response
Snort Rules
• Action: what to do when you identify a packet
  – Examples: alert, log, pass, drop, reject, activate, etc.
• Protocol, Port, IP Address, Direction
  – Example: “tcp any any -> 192.168.1.0/24 111”
• Options
  – General – information without impact on detection
    • Examples: msg, ref (URL), classtype, priority
  – Payload – specify packet payload information
    • Examples: content, offset, pcre, http_header
  – Non-payload – specify non-payload data
    • Examples: ttl, seq, ack
  – Post-detection – specify rules for after rule operates
    • Examples: resp, react, session
• More info here (http://manual.snort.org/node27.html)
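Added example (not Snort's code, nor the lecture's) showing how the rule anatomy above is evaluated by a detection engine: the header `action proto src sport dir dst dport` is parsed, then a general option (msg), a payload option (content, with nocase) and a non-payload option (ttl) are checked against a packet. It interprets only that subset of option keywords, and the rule and packets in the test are constructed.

```python
import re
from ipaddress import ip_address, ip_network

HEADER = re.compile(r"(\S+) (\S+) (\S+) (\S+) (->|<>) (\S+) (\S+) \((.*)\)")

def parse_rule(text: str) -> dict:
    """Parse 'action proto src sport dir dst dport (key:value; ...)' into a dict.
    Subset only: option values containing ':' or ';' are not handled."""
    action, proto, src, sport, direction, dst, dport, body = HEADER.fullmatch(text.strip()).groups()
    opts = {}
    for part in body.split(";"):
        if part.strip():
            key, _, val = part.strip().partition(":")   # bare keywords (nocase) get ""
            opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts}

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")          # "111", "1024:65535" or "1024:"
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high

def rule_matches(rule: dict, pkt: dict) -> bool:
    """pkt: dict with proto, src, sport, dst, dport, ttl and payload (bytes)."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    fwd = (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
           and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))
    rev = (_addr_ok(rule["src"], pkt["dst"]) and _port_ok(rule["sport"], pkt["dport"])
           and _addr_ok(rule["dst"], pkt["src"]) and _port_ok(rule["dport"], pkt["sport"]))
    if not (fwd or (rule["dir"] == "<>" and rev)):
        return False
    opts = rule["opts"]
    if "content" in opts:                                   # payload option
        needle, hay = opts["content"].encode(), pkt["payload"]
        if "nocase" in opts:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    if "ttl" in opts and pkt["ttl"] != int(opts["ttl"]):   # non-payload option
        return False
    return True

def alerts_for(rules: list, pkt: dict) -> list:
    """msg of every 'alert' rule that fires on the packet (the logger/alerter stage)."""
    return [r["opts"].get("msg", "") for r in rules if r["action"] == "alert" and rule_matches(r, pkt)]
```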