
Security in Networks— Their design, development, usage…

Barbara Endicott-Popovsky, CSSE592/491

In collaboration with:

Deborah Frincke, Ph.D.

Director, Center for Secure and Dependable Systems

University of Idaho

Text Book

• Both broad survey and focused
• Chapters 1-2 lay groundwork
• Chapters 3-7: Software
• Chapter 7: Contrast to standalone environments
  – Threats
  – Controls
  – Tools: Firewalls, Intrusion detection, Secure e-mail
• Chapter 9: Privacy, ethics, the law
• Chapter 10: Cryptography – the how

In this section of the course we will look at…

Networks—their design, development, usage
• The Basics
• Threats
• Controls
• Tools
  – Firewalls
  – Intrusion Detection
  – Secure e-mail

Source: Pfleeger & Pfleeger

Agenda

I. The Basics
II. Threats
III. Controls
IV. Tools

Source: Pfleeger & Pfleeger

I. The Basics

Terms
• Topology
• Media
• Analog/digital
• Protocols
• LAN/WAN
• Internet
• Distributed System
• APIs

Source: Pfleeger & Pfleeger

ISO/OSI Model

Source: Pfleeger & Pfleeger

OSI Layer   Name           Activity
7           Application    User-level data
6           Presentation   Standardized data appearance
5           Session        Logical connection among parts
4           Transport      Flow control
3           Network        Routing
2           Data Link      Reliable data delivery
1           Physical       Actual communication across physical medium

TCP/IP vs. OSI

Source: Pfleeger & Pfleeger


TCP/IP

Source: Pfleeger & Pfleeger

Layer        Action                          Responsibilities
Application  Prepare messages                User interaction, addressing
Transport    Convert messages to packets     Sequencing, reliability, error correction
Internet     Convert messages to datagrams   Flow control, routing
Physical     Transmit datagrams as bits      Data communication

Issues

• ISO/OSI: Slows things down
• TCP/IP: More efficient; open
• Results: TCP/IP used over Internet; introduces security issues

Source: Pfleeger & Pfleeger

NOTE: Study this part of the chapter

II. Threats

• Vulnerabilities
• Attackers
• Threats
  – Precursors
  – In transit
  – Protocol flaws
  – Impersonation
  – Spoofing
  – Message Confidentiality / Integrity threats
  – Web Site Defacement
  – Denial of Service (DOS)
  – Distributed Denial of Service (DDOS)
  – Active or Mobile Code Threats
  – Complex Attacks

Source: Pfleeger & Pfleeger

Vulnerabilities

• Anonymity
• Many points of attack (targets and origins)
• Sharing
• Complexity of system
• Unknown perimeter
• Unknown path

Source: Pfleeger & Pfleeger

Attackers

• Kiddie scripters
• Industrial spies
• Information warfare
• Cyber terrorists
• “Hacktivists”
• Wardrivers, etc.

Profile: see Mitnick

Source: Pfleeger & Pfleeger

Threat Spectrum

Source: Deb Frincke

From CSI/FBI Report 2002

• 90% detected computer security breaches
• 80% acknowledged financial losses
• 44% (223) were willing / able to quantify losses: $455M
• Most serious losses: theft of proprietary information and fraud
  – 26 respondents: $170M
  – 25 respondents: $115M
• 74% cited Internet connection as a frequent point of attack
• 33% cited internal systems as a frequent point of attack
• 34% reported intrusions to law enforcement (up from 16% in 1996)

Source: Deb Frincke

More from CSI/FBI 2002

• 40% detected external penetration
• 40% detected DOS attacks
• 78% detected employee abuse of Internet
• 85% detected computer viruses
• 38% suffered unauthorized access on Web sites
• 21% didn’t know
• 12% reported theft of information
• 6% reported financial fraud (up from 3% in 2000)

Source: Deb Frincke

Threats: Precursors

• Port Scan
• Social Engineering
• Reconnaissance
• OS Fingerprinting
• Bulletin Boards / Chats
• Available Documentation

Source: Pfleeger & Pfleeger

Threats: In Transit

• Packet Sniffing
• Eavesdropping
• Wiretapping
  – Microwaves
  – Satellites
  – Fiber
  – Wireless

Source: Pfleeger & Pfleeger

Threats: Protocol Flaws

Source: Pfleeger & Pfleeger

• Public protocols
• Flaws public
• Human errors

Threats: Impersonation

Source: Pfleeger & Pfleeger

• Guessing
• Stealing
• Wiretapping
• Eavesdropping
• Avoid authentication
  – Nonexistent authentication
  – Known authentication
  – Trusted authentication
• Delegation: MSN Passport

Threats: Spoofing

Source: Pfleeger & Pfleeger

• Masquerade
• Session hijacking
• Man-in-the-middle attack

Threats: Message Confidentiality/Integrity

Source: Pfleeger & Pfleeger

• Misdelivery
• Exposure
• Traffic flow analysis
• Falsification of messages
• Noise

Threats: Web Site Defacement

Source: Pfleeger & Pfleeger

• Buffer overflows
• Dot-dot and address problems
• Server-side include

Threats: Denial of Service (DOS)

Source: Pfleeger & Pfleeger

• Transmission failure
• Connection flooding
  – Echo-chargen
  – Ping of death
  – Smurf attack
  – SYN flood
• Traffic redirection
• DNS attack: BIND

Service

Threats: Distributed Denial of Service (DDOS)

Source: Pfleeger & Pfleeger

• Trojan horses planted
• Zombies attack

Threats: Active/Mobile Code (Code Pushed to the Client)

Source: Pfleeger & Pfleeger

• Cookies
  – Per-session
  – Persistent
• Scripts
• Active code
  – Hostile applet
  – Auto-exec by type

Threats: Complex Attacks

Source: Pfleeger & Pfleeger

• Script kiddies
• Building blocks

III. Controls

Design Architecture
• Segmentation
• Redundancy
• Single points of failure

Encryption
• Link encryption
• End-to-end encryption
• VPNs
• PKI and Certificates
• SSH and SSL encryption
• IPSec
• Signed code
• Encrypted e-mail

Source: Pfleeger & Pfleeger

Controls (cont’d.)

Content Integrity
• Error correcting codes
• Cryptographic checksum

Strong Authentication
• One-time password
• Challenge-response systems
• Digital distributed authentication
• Kerberos

Access Controls
• ACLs on routers
• Firewalls

Alarms and Alerts

Honeypots

Traffic Flow Security
• Onion routing

Source: Pfleeger & Pfleeger
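An added example (not from the slides or the textbook) contrasting the two content-integrity controls above against the "noise" and "falsification of messages" threats listed earlier: an error-detecting code such as CRC-32 catches line noise, but anyone can recompute it over a forged message, whereas a cryptographic checksum (here HMAC-SHA256) cannot be recomputed without the shared key. The key and messages are constructed for the example.

```python
import hashlib
import hmac
import zlib

# Shared key between sender and receiver (constructed for this example only).
KEY = b"example-shared-key"


def crc_protect(msg: bytes) -> bytes:
    """Append a 4-byte CRC-32 (an error-detecting code, no secret involved)."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")


def crc_check(frame: bytes) -> bool:
    msg, tag = frame[:-4], frame[-4:]
    return zlib.crc32(msg).to_bytes(4, "big") == tag


def hmac_protect(msg: bytes, key: bytes = KEY) -> bytes:
    """Append a 32-byte HMAC-SHA256 tag (a cryptographic checksum under a key)."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def hmac_check(frame: bytes, key: bytes = KEY) -> bool:
    msg, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate channel noise: flip the low bit of one payload byte."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def demo() -> dict:
    msg = b"TRANSFER 100 TO ALICE"
    forged = b"TRANSFER 100 TO MALLORY"  # attacker's replacement message
    return {
        # Both controls detect a random bit error in the payload.
        "crc_detects_noise": not crc_check(flip_bit(crc_protect(msg), 3)),
        "hmac_detects_noise": not hmac_check(flip_bit(hmac_protect(msg), 3)),
        # Attacker recomputes the public CRC over the forged payload: accepted.
        "crc_detects_forgery": not crc_check(crc_protect(forged)),
        # Attacker lacks KEY and tags with a guessed key: rejected.
        "hmac_detects_forgery": not hmac_check(hmac_protect(forged, b"guess")),
    }


if __name__ == "__main__":
    print(demo())
```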

IV. Tools

• Firewalls
• Intrusion Detection Systems
• Secure e-Mail

Source: Pfleeger & Pfleeger

Firewalls

• Packet filtering gateway
• Stateful inspection firewall
• Application proxy gateway
• Guard
• Personal firewalls

Source: Pfleeger & Pfleeger

Intrusion Detection Systems

• Signature-based IDS
• Heuristic IDS
• Stealth mode

Source: Pfleeger & Pfleeger

IDS Characteristics

Goals
• Detect all attacks
• Little performance impact

Alarm response
• Monitor and collect data
• Protect
• Call administrator

Limitations
• Avoidance strategies
• Sensitivity
• Only as good as the process/people

Source: Pfleeger & Pfleeger

Secure e-Mail

Designs
• Confidentiality—encryption
• Message integrity checks

Examples
• PGP
• S/MIME

Source: Pfleeger & Pfleeger