Network Security - Computer Science

Security

2 Nov 2013

Network Security

Attacks

Technical Solutions

Acknowledgments

Material is sourced from:

CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission.

CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.

Many other Network Security sources

http://www.csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf


Author: Susan J Lincke, PhD

Univ. of Wisconsin-Parkside

Reviewers/Contributors: Todd Burri, Kahili Cheng


Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit,
Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this
material are those of the author(s) and/or source(s) and do not necessarily
reflect the views of the National Science Foundation.

Objectives

The student should be able to:


Define attacks: script kiddy, social engineering, logic bomb, Trojan horse, phishing, pharming, war driving, war dialing, man-in-the-middle attack, SQL injection, virus, worm, root kit, dictionary attack, brute force attack, DOS, DDOS, botnet, spoofing, packet replay.

Describe defenses: defense in depth, bastion host, content filter, packet filter, stateful inspection, circuit-level firewall, application-level firewall, de-militarized zone, multi-homed firewall, IDS, IPS, NIDS, HIDS, signature-based IDS, statistical-based IDS, neural network, VPN, network access server (RADIUS/TACACS), honeypot, honeynet, hash, secret key encryption, public key encryption, digital signature, PKI, vulnerability assessment

Identify techniques (what they do): SHA1/SHA2, MD2/MD4/MD5, DES, AES, RSA, ECC.

Describe and define security goals: confidentiality, authenticity, integrity, non-repudiation

Define service's & server's data in the correct sensitivity class and roles with access

Define services that can enter and leave a network

Draw network diagram with proper zones and security equipment


The Problem of Network Security

The Internet allows an attacker to attack from anywhere in the world from their home desk.

They just need to find one vulnerability; a security analyst needs to close every vulnerability.

Hacking Networks

Phase 1: Reconnaissance


Physical Break-In

Dumpster Diving

Google, Newsgroups, Web sites

Social Engineering

Phishing: fake email

Pharming: fake web pages

WhoIs Database & arin.net

Domain Name Server Interrogations


Registrant:
  Microsoft Corporation
  One Microsoft Way
  Redmond, WA 98052
  US

Domain name: MICROSOFT.COM

Administrative Contact:
  Administrator, Domain domains@microsoft.com
  One Microsoft Way
  Redmond, WA 98052
  US
  +1.4258828080

Technical Contact:
  Hostmaster, MSN msnhst@microsoft.com
  One Microsoft Way
  Redmond, WA 98052 US
  +1.4258828080

Registration Service Provider:
  DBMS VeriSign, dbms-support@verisign.com
  800-579-2848 x4
  Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2006.
Record expires on 03-May-2014.
Record created on 02-May-1991.

Domain servers in listed order:
  NS3.MSFT.NET 213.199.144.151
  NS1.MSFT.NET 207.68.160.190
  NS4.MSFT.NET 207.46.66.126
  NS2.MSFT.NET 65.54.240.126
  NS5.MSFT.NET 65.55.238.126

Hacking Networks

Phase 2: Scanning

War Driving: Can I find a wireless network?

War Dialing: Can I find a modem to connect to?

Network Mapping: What IP addresses exist, and what ports are open on them?

Vulnerability-Scanning Tools: What versions of software are implemented on devices?

Passive Attacks

Eavesdropping: Listen to packets from other parties = Sniffing

Traffic Analysis: Learn about network from observing traffic patterns

Footprinting: Test to determine software installed on system = Network Mapping

(Figure: Bob, Jennie, Carl)

Hacking Networks:

Phase 3: Gaining Access

Network Attacks:

Sniffing (Eavesdropping)

IP Address Spoofing

Session Hijacking

System Attacks:

Buffer Overflow

Password Cracking

SQL Injection

Web Protocol Abuse

Denial of Service

Trap Door

Virus, Worm, Trojan horse

(Figure: sniffed credentials "Login: Ginger Password: Snap")

Some Active Attacks

Denial of Service: Message did not make it; or service could not run

Masquerading or Spoofing: The actual sender is not the claimed sender

Message Modification: The message was modified in transmission

Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage

(Figures: Denial of Service: Joe, Ann, Bill; Spoofing: Joe (Actually Bill), Ann, Bill; Message Modification: Joe, Ann; Packet Replay: Joe, Ann, Bill)

Man-in-the-Middle Attack

(Figure: hosts 10.1.1.1, 10.1.1.2, 10.1.1.3 exchanging (1) Login, (2) Login, (3) Password, (4) Password)

SQL Injection

Java Original:
  "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";

Inserted Password: Aa' OR ''='

Java Result:
  SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ''='';

Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%

Java Result:
  SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'

Inserted entry: '|shell("cmd /c echo " & char(124) & "format c:")|'

(Figure: login form with Login and Password fields, and the response "Welcome to My System")
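The two injected passwords above, replayed in Python against a constructed SQLite users_table (an added example, not code from the slides or from ISACA; the slide's Java concatenation is transcribed into Python, and the account names and passwords are made up). It shows why the "SQL Filtering" control listed later under Web Page Security matters: the concatenated query lets the tautology password log in as anyone, while the parameterized query, which hands the values to the database separately from the SQL text, treats the same string as a literal password and rejects it.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users_table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_concatenated(conn, username, password):
    """The slide's Java pattern: the query is built by string concatenation, so a quote
    character in the input closes the literal and the rest of the input becomes SQL.
    Returns (login_succeeded, sql_that_was_built)."""
    sql = ("SELECT * FROM users_table WHERE username=" + "'" + username + "'"
           + " AND password = " + "'" + password + "'")
    try:
        rows = conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3's execute() refuses to run a second statement in one call, which is
        # what stops the slide's "foo';DELETE FROM ..." payload here. Other database
        # drivers do run stacked statements, so this is not a defence to rely on.
        return False, sql
    return len(rows) > 0, sql


def login_parameterized(conn, username, password):
    """Hardened form: placeholders send the values to the engine separately from the
    SQL text, so the input is compared byte-for-byte and never parsed as SQL."""
    rows = conn.execute(
        "SELECT * FROM users_table WHERE username=? AND password=?",
        (username, password)).fetchall()
    return len(rows) > 0


def user_count(conn):
    """How many accounts survive: confirms the DELETE payload did not run."""
    return conn.execute("SELECT COUNT(*) FROM users_table").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    for payload in ("Aa' OR ''='",
                    "foo';DELETE FROM users_table WHERE username LIKE '%"):
        ok, sql = login_concatenated(conn, "anyname", payload)
        print(f"concatenated : login={ok!s:5}  query: {sql}")
        print(f"parameterized: login={login_parameterized(conn, 'anyname', payload)}")
    print("rows still in users_table:", user_count(conn))
```

The second query in the loop prints the stacked DELETE exactly as the slide shows it; the concatenated login fails only because of the single-statement rule of this particular driver, so the parameterized form is the fix, not the driver's behaviour.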

NIST SP 800-118 Draft

Password Cracking: Dictionary Attack & Brute Force

Pattern | Calculation | Result | Time to Guess (2.6x10^18/month)
Personal Info: interests, relatives | 20 | - | Manual 5 minutes
Social Engineering | 1 | - | Manual 2 minutes
American Dictionary | 80,000 | - | < 1 second
4 chars: lower case alpha | 26^4 | 5x10^5 | -
8 chars: lower case alpha | 26^8 | 2x10^11 | -
8 chars: alpha | 52^8 | 5x10^13 | -
8 chars: alphanumeric | 62^8 | 2x10^14 | 3.4 min.
8 chars: alphanumeric + 10 | 72^8 | 7x10^14 | 12 min.
8 chars: all keyboard | 95^8 | 7x10^15 | 2 hours
12 chars: alphanumeric | 62^12 | 3x10^21 | 96 years
12 chars: alphanumeric + 10 | 72^12 | 2x10^22 | 500 years
12 chars: all keyboard | 95^12 | 5x10^23 | -
16 chars: alphanumeric | 62^16 | 5x10^28 | -
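The Calculation and Result columns above are keyspace sizes, and Time to Guess divides them by the slide's rate of 2.6x10^18 guesses per month. The added Python below (not from the slides) recomputes that table and adds the defender's version of the question: for a given character set, how long must a password be before exhausting its keyspace takes longer than a chosen number of years. The guessing rate and character-set sizes are the slide's; the 30-day month used for the conversion is an assumption.

```python
GUESSES_PER_MONTH = 2.6e18          # attacker rate assumed on the slide
MINUTES_PER_MONTH = 30 * 24 * 60    # assumption: a 30-day month

# Character-set sizes from the slide's table.
CHARSETS = {
    "lower case alpha": 26,
    "alpha": 52,
    "alphanumeric": 62,
    "alphanumeric + 10": 72,
    "all keyboard": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force attack must cover (the Calculation column)."""
    return alphabet_size ** length


def months_to_exhaust(alphabet_size: int, length: int,
                      rate: float = GUESSES_PER_MONTH) -> float:
    """Worst-case time to try the whole keyspace at the given guesses-per-month rate."""
    return keyspace(alphabet_size, length) / rate


def human_time(months: float) -> str:
    """Render a duration in months the way the slide's Time to Guess column does."""
    minutes = months * MINUTES_PER_MONTH
    if minutes < 1:
        return f"{minutes * 60:.2g} seconds"
    if minutes < 60:
        return f"{minutes:.1f} min"
    if minutes < 24 * 60:
        return f"{minutes / 60:.1f} hours"
    if months < 12:
        return f"{months * 30:.0f} days"
    return f"{months / 12:.0f} years"


def min_length_for(alphabet_size: int, target_years: float,
                   rate: float = GUESSES_PER_MONTH) -> int:
    """Smallest length at which exhausting the keyspace takes at least target_years.
    This is the sizing question a password policy has to answer."""
    length = 1
    while months_to_exhaust(alphabet_size, length, rate) / 12 < target_years:
        length += 1
    return length


def table(lengths=(8, 12, 16)):
    """Rebuild the slide's brute-force rows for every charset and the given lengths."""
    rows = []
    for label, size in CHARSETS.items():
        for length in lengths:
            rows.append((f"{length} chars: {label}", f"{size}^{length}",
                         f"{keyspace(size, length):.0e}",
                         human_time(months_to_exhaust(size, length))))
    return rows


if __name__ == "__main__":
    for pattern, calc, result, time_to_guess in table():
        print(f"{pattern:28} {calc:>6} {result:>8} {time_to_guess}")
    for label, size in CHARSETS.items():
        print(f"{label}: {min_length_for(size, 100)} chars to exceed 100 years")
```

The rounding in the slide (62^8 is 2.2x10^14, shown as 2x10^14, which is why it reads 3.4 minutes rather than the 3.6 this code prints) does not change the conclusion: at this rate, only length moves a password out of the minutes-to-hours range, and the last loop shows how much length each character set needs.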

Hacking Networks:

Phase 4: Exploit/Maintain Access

Backdoor: Control system: system commands, log keystrokes, passwords

Trojan Horse: Useful utility actually creates a backdoor.

Spyware/Adware: Spyware: collect info: keystroke logger, collect credit card #s; Adware: insert ads, filter search results

Bots: Slave forwards/performs commands; spreads, lists email addresses, DoS attacks

User-Level Rootkit: Replaces system executables, e.g. login, ls, du

Kernel-Level Rootkit: Replaces OS kernel, e.g. process or file control to hide

Botnets

(Figure: Attacker, Handler, Bots/Zombies located in China and Hungary)

Bots: Host illegal movies, music, pornography, criminal web sites, ...

Forward Spam for financial gain

Distributed Denial of Service

(Figure: Attacker, Handler, Zombies located in Russia, Bulgaria and the United States, Victim)

Can barrage a victim server with requests, causing the network to fail to respond to anyone

Question

An attack where multiple computers send connection packets to a server simultaneously to slow the firewall is known as:

1. Spoofing
2. DDOS
3. Worm
4. Rootkit

Question

A man in the middle attack is implementing which additional type of attack:

1. Spoofing
2. DoS
3. Phishing
4. Pharming

Network Security

Network Defense

Encryption

Security: Defense in Depth

Border Router
Perimeter firewall
Internal firewall
Intrusion Detection System
Policies & Procedures & Audits
Authentication
Access Controls

Bastion Host

Computer fortified against attackers:

Applications turned off

Operating system patched

Security configuration tightened

Attacking the Network

What ways do you see of getting in?

(Figure: The Internet, De-Militarized Zone, Private Network, Border Router/Firewall, Commercial Network, Private Network, WLAN)

Filters

Route Filter: Verifies source and destination of IP addresses

Packet Filter: Scans headers of packets and discards if ruleset failed (e.g., Firewall or router)

Content Filter: Scans contents of packets and discards if ruleset failed (e.g., Intrusion Prevention System or firewall)

Packet Filter Firewall

(Figure: a filter sorting traffic into "the good" and "the bad & the ugly": Web Request, Ping Request, FTP request, Email Connect Request, Web Response, Telnet Request, Email Response, SSH Connect Request, DNS Request, Illegal Source IP Address, Illegal Dest IP Address, Microsoft NetBIOS Name Service)

Firewall Configurations

Router Packet Filtering:
Packet header is inspected
Single packet attacks caught
Very little overhead in firewall: very quick
High volume filter

Stateful Inspection:
State retained in firewall memory
Most multi-packet attacks caught
More fields in packet header inspected
Little overhead in firewall: quick

Circuit-Level Firewall:
Packet session terminated and recreated via a Proxy Server
All multi-packet attacks caught
Packet header completely inspected
High overhead in firewall: slow

Application-Level Firewall:
Packet session terminated and recreated via a Proxy Server
Packet header completely inspected
Most or all of application inspected
Highest overhead: slow & low volume

(Figures: terminal, firewall, host, with session labels A/A for router packet filtering and stateful inspection and A/B for the circuit-level and application-level firewalls, where the proxy terminates and recreates the session)
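A stateless packet filter as described under Router Packet Filtering, followed by the stateful variant, as an added Python example (not from the slides or ISACA). Addresses, ports and the rule order are constructed; the rules name the traffic types from the Packet Filter Firewall figure. It makes the point the two slides make: a header-only filter must decide each packet on its own and so cannot tell a Web Response to an inside client apart from unsolicited traffic, whereas the stateful firewall keeps a session table in memory and admits only replies to connections it saw opened.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    sport: int          # source port (0 for icmp)
    dport: int          # destination port (0 for icmp)
    syn: bool = False   # TCP connection-opening packet?


# Constructed address plan (not from the slides): the network behind the filter.
PROTECTED = ipaddress.ip_network("192.0.2.0/24")

# Ordered rules for the stateless filter, applied to packets arriving from the Internet:
# (action, protocol, destination port). First match wins; no match means deny.
RULES = [
    ("allow", "tcp", 80),    # Web Request
    ("allow", "tcp", 443),   # Web Request over TLS
    ("allow", "tcp", 25),    # Email Connect Request
    ("allow", "udp", 53),    # DNS Request
    ("allow", "tcp", 22),    # SSH Connect Request
    ("deny",  "tcp", 23),    # Telnet Request
    ("deny",  "udp", 137),   # Microsoft NetBIOS Name Service
    ("deny",  "icmp", 0),    # Ping Request
]


def packet_filter(pkt: Packet) -> str:
    """Router packet filtering: only the header is inspected, one packet at a time."""
    if ipaddress.ip_address(pkt.src) in PROTECTED:
        return "deny"    # Illegal Source IP Address: an inside address cannot arrive from outside
    if ipaddress.ip_address(pkt.dst) not in PROTECTED:
        return "deny"    # Illegal Dest IP Address: nothing inside to deliver it to
    for action, proto, dport in RULES:
        if pkt.proto == proto and (proto == "icmp" or pkt.dport == dport):
            return action
    return "deny"        # default deny for anything the rules do not name


class StatefulFirewall:
    """Stateful inspection: remembers connections opened from inside so that their
    replies (a Web Response to a client's ephemeral port) get back in, while
    unsolicited inbound packets still face the static rules."""

    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def outbound(self, pkt: Packet) -> str:
        """An inside host opens a connection: record it and let it out."""
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        # A reply matches a recorded session with both endpoints reversed.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return "allow"
        # A TCP packet that is not opening a connection and belongs to no known
        # session is a stray or an attempt to join a stream mid-way: drop it.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        return packet_filter(pkt)


def compare(outside_ip: str = "203.0.113.5", client: str = "192.0.2.20"):
    """The one case the two designs decide differently: the reply to a web request
    made by an inside client. Returns (stateless_decision, stateful_decision)."""
    request = Packet(client, outside_ip, "tcp", 50000, 80, syn=True)
    response = Packet(outside_ip, client, "tcp", 80, 50000)
    fw = StatefulFirewall()
    fw.outbound(request)
    return packet_filter(response), fw.inbound(response)


if __name__ == "__main__":
    print("Web Response to inside client, stateless vs stateful:", compare())
    print("Telnet Request:", packet_filter(Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 23, syn=True)))
    print("Spoofed inside source:", packet_filter(Packet("192.0.2.5", "192.0.2.10", "tcp", 40000, 80, syn=True)))
```

A stateless filter that wanted to admit Web Responses would have to allow all inbound TCP from source port 80 to any high port, which lets anyone who sets their source port to 80 through; the session table is what removes that hole.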

Multi-Homed Firewall: Separate Zones

(Figure: Internet, Router, Demilitarized Zone with External DNS, Web Server, E-Commerce, VPN Server and IDS, Protected Internal Network Zone with Database/File Servers and IDS)

Demilitarized Zone With Proxy Interface

Screened Host

(Figure: Screening Device, Firewall)

The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall.

Writing Rules

(Figure: Policies, Network Filter Capabilities, Write Rules, Protected Network, Audit Failures, Corrections)

Services and Servers

Workbook

Service | Sensitivity | Roles | Server
Grades | Confidential | For Graduates: Transcripts; For Current Students: Advising, Students, Faculty | StudentScholastic
Billing | Confidential | For Current Students: Registration, Accounting, Advising; Payment: Students | StudentBilling
Web Pages | Public | Students, Employees, Public | Web services

Path of Logical Access

How would access control be improved?

(Figure: The Internet, De-Militarized Zone, Private Network, Border Router/Firewall, Router/Firewall, WLAN)

Protecting the Network

(Figure: The Internet, De-Militarized Zone, Private Network, Border Router: Packet Filter, Bastion Hosts, Proxy server firewall, WLAN)

Serviced Applications

Workbook

Applications | Sources of Entry | Servers | Required Controls (e.g., Encryption)
Grades - Graduates | University Registration | Graduate Scholastic | Confidentiality, Integrity, Authentication
Grades - Current Students | United States | Student Scholastic | Confidentiality, Integrity, Authentication
Billing | Payment: International; Reports: Univ. | Student Scholastic | Confidentiality, Authentication, Integrity, Non-repudiation
Web Pages | International | DMZ: PublicFace | -

Network Diagram

Workbook

(Figure: Internet, Router, Demilitarized Zone with External DNS, Email, Public Web Server, E-Commerce; Firewall; Zone 1: Student Labs & Files; Zone 2: Faculty Labs & Files; Zone 3: Student Data with Student Records, Student Billing, Transcripts, Student Scholastic, Student History)

Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)

Network IDS = NIDS

Examines packets for attacks

Can find worms, viruses, org-defined attacks

Warns administrator of attack

IPS = Packets are routed through IPS

Host IDS = HIDS

Examines actions or resources for attacks

Recognize unusual or inappropriate behavior

E.g., Detect modification or deletion of special files

(Figure: Router, Firewall, IDS)

IDS Intelligence Systems

Signature-Based:

Specific patterns are recognized as attacks

Statistical-Based:

The expected behavior of the system is understood

If variations occur, they may be attacks (or maybe not)

Neural Networks:

Statistical-Based with self-learning (or artificial intelligence)

Recognizes patterns

(Figure: NIDS watching traffic; the attacks NastyVirus, BlastWorm, NastyVirus raise "ALARM!!!", the remaining traffic is Normal)
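The first two intelligence types above, run over constructed sample traffic in Python (an added example, not from the slides or ISACA). The signature detector names its patterns after the figure's NastyVirus and BlastWorm and adds one for the slide's tautology password; the statistical detector first learns a baseline of requests per minute and then flags minutes that deviate from it, which, as the slide says, may or may not be attacks. The packet payloads, baseline counts and z-score threshold are all assumptions.

```python
import re
import statistics

# Signature-based: known attack patterns. Names follow the slide's figure; the SQL
# tautology pattern is the slide's "Aa' OR ''='" password. All constructed.
SIGNATURES = {
    "NastyVirus": re.compile(r"NastyVirus"),
    "BlastWorm": re.compile(r"BlastWorm"),
    "SQL tautology": re.compile(r"'\s*OR\s*''\s*=\s*'", re.IGNORECASE),
}

# Constructed sample of packet payloads seen by a NIDS: (source address, payload text).
PACKETS = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.5", "GET /about.html HTTP/1.1"),
    ("10.0.0.9", "POST /login user=anyname&password=Aa' OR ''='"),
    ("10.0.0.7", "GET /download/NastyVirus.exe HTTP/1.1"),
    ("10.0.0.5", "GET /contact.html HTTP/1.1"),
    ("10.0.0.12", "X-Probe: BlastWorm scanner"),
]


def signature_scan(packets):
    """Signature-based IDS: alarm on every packet matching a known pattern.
    Returns a list of (source, signature_name); packets matching nothing are Normal.
    An attack with no signature yet is missed, which is the method's blind spot."""
    alarms = []
    for src, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alarms.append((src, name))
    return alarms


# Statistical-based: expected behaviour is learned first. Constructed requests-per-minute
# counts for one server during a quiet training period.
BASELINE = [40, 44, 38, 42, 45, 41, 39, 43, 40, 42]


def statistical_scan(counts_per_minute, baseline=BASELINE, threshold=3.0):
    """Statistical-based IDS: flag each minute whose request count lies more than
    `threshold` standard deviations from the learned mean. Returns (minute, count, z).
    A flagged minute is a deviation from normal, which may or may not be an attack."""
    mean = statistics.mean(baseline)
    sd = statistics.stdev(baseline)
    flagged = []
    for minute, count in enumerate(counts_per_minute):
        z = (count - mean) / sd
        if abs(z) > threshold:
            flagged.append((minute, count, round(z, 1)))
    return flagged


if __name__ == "__main__":
    for src, name in signature_scan(PACKETS):
        print(f"ALARM!!! signature {name!r} from {src}")
    # Minute 2 is a flood; minute 4 is merely a busy minute, flagged all the same.
    for minute, count, z in statistical_scan([41, 39, 400, 44, 50]):
        print(f"minute {minute}: {count} requests, z={z} (deviates from baseline)")
```

The busy minute in the last call is the false positive the slide warns about: the statistical detector reports a deviation, and an analyst still has to decide whether it was an attack.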

Honeypot & Honeynet

Honeypot: A system with a special software application which appears easy to break into

Honeynet: A network which appears easy to break into

Purpose: Catch attackers

All traffic going to honeypot/net is suspicious

If successfully penetrated, can launch further attacks

Must be carefully monitored

(Figure: External DNS, IDS, Web Server, E-Commerce, VPN Server, Firewall, Honey Pot)

Data Privacy

Confidentiality: Unauthorized parties cannot access information (-> Secret Key Encryption)

Authenticity: Ensuring that the actual sender is the claimed sender (-> Public Key Encryption)

Integrity: Ensuring that the message was not modified in transmission (-> Hashing)

Nonrepudiation: Ensuring that sender cannot deny sending a message at a later time (-> Digital Signature)

(Figures: Confidentiality: Joe, Ann, Bill; Authenticity: Joe (Actually Bill), Ann, Bill; Integrity: Joe, Ann; Non-Repudiation: Joe, Ann, Bill)

Encryption

Secret Key

Examples: DES, AES

(Figure: plaintext -> Encrypt with K_secret -> ciphertext -> Decrypt with K_secret -> plaintext)

P = D(K_secret, E(K_secret, P))

NIST Recommended: 3DES w. CBC; AES 128 Bit

Public Key Encryption

Examples: RSA, ECC, Quantum

(Figure: Encryption (e.g., RCS): Encrypt with K_public, Decrypt with K_private by the key owner, Joe. Digital Signature: Encrypt message with K_private, Decrypt with K_public; gives Authentication, Non-repudiation; key owner Joe)

P = D(k_PRIV, E(k_PUB, P))

P = D(k_PUB, E(k_PRIV, P))

NIST Recommended: RSA 1024 bit; 2011: RSA 2048 bit

Remote Access Security

Virtual Private Network (VPN), often implemented with IPSec

Can authenticate and encrypt data through Internet (red line)

Easy to use and inexpensive

Difficult to troubleshoot, less reliable than dedicated lines

Susceptible to malicious software and unauthorized actions

Often router or firewall is the VPN endpoint

(Figure: The Internet, Firewall, VPN Concentrator)

Secure Hash Functions

Examples: SHA1, SHA2, MD2, MD4, MD5

(Figure: One Way Hash: the sender computes H over the Message and sends both; the receiver recomputes H and compares. Message Authentication Code: the same scheme with H keyed by the shared secret K on both sides. Digital Signature: H is encrypted, E, with K(Sender's Private) and decrypted, D, by the receiver before the compare)

Ensures the message was not modified during transmission

NIST Recommended: SHA-1, SHA-2; 2011: SHA-2

Digital Signature

Electronic Signature

Uses public key algorithm

Verifies integrity of data

Verifies identity of sender: non-repudiation

(Figure: Message -> Msg Digest)
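The identities P = D(K_secret, E(K_secret, P)), P = D(k_PRIV, E(k_PUB, P)) and P = D(k_PUB, E(k_PRIV, P)) from the Encryption slides, together with the one-way hash, message authentication code and digital signature figures above, carried out in Python as an added example (not the slides' material). The RSA key pair is a textbook toy built from two fixed Mersenne primes with no padding, chosen only so that the arithmetic is checkable; a real key is a randomly generated 2048-bit modulus, as the NIST recommendation on the slide says, used through a vetted library. The message, shared key and plaintext integer are constructed. The hash is SHA-256, a member of the SHA-2 family the slide recommends.

```python
import hashlib
import hmac
from math import gcd

# Toy RSA parameters (constructed): two fixed Mersenne primes give a ~92-bit modulus.
P_TOY = 2**31 - 1
Q_TOY = 2**61 - 1
E_PUB = 65537


def make_keypair(p=P_TOY, q=Q_TOY, e=E_PUB):
    """Returns (K_public, K_private), each as an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent: modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, value: int) -> int:
    """E and D are the same operation, modular exponentiation; the key chooses the
    direction. `value` must be an integer below the modulus."""
    exponent, n = key
    return pow(value, exponent, n)


def one_way_hash(message: bytes) -> bytes:
    """H in the figures: SHA-256."""
    return hashlib.sha256(message).digest()


def mac(shared_key: bytes, message: bytes) -> bytes:
    """Message Authentication Code: the hash keyed with the secret K both sides hold."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_matches(shared_key: bytes, message: bytes, received: bytes) -> bool:
    """The receiver's Compare step, done in constant time."""
    return hmac.compare_digest(mac(shared_key, message), received)


def digest_as_int(message: bytes, n: int) -> int:
    # Reduce the digest so it fits the toy modulus; a 2048-bit key would hold it whole.
    return int.from_bytes(one_way_hash(message), "big") % n


def sign(private_key, message: bytes) -> int:
    """Digital signature: the message digest 'encrypted' with the sender's private key."""
    return apply_key(private_key, digest_as_int(message, private_key[1]))


def verify(public_key, message: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the public key and compare with a fresh digest."""
    return apply_key(public_key, signature) == digest_as_int(message, public_key[1])


def roundtrips(plaintext: int):
    """Check both public-key identities from the slides for one plaintext integer.
    Returns (confidentiality_holds, authenticity_holds)."""
    k_pub, k_priv = make_keypair()
    confidentiality = apply_key(k_priv, apply_key(k_pub, plaintext)) == plaintext
    authenticity = apply_key(k_pub, apply_key(k_priv, plaintext)) == plaintext
    return confidentiality, authenticity


if __name__ == "__main__":
    k_pub, k_priv = make_keypair()
    msg = b"Pay Ann 100"                        # constructed message from Joe
    print("P = D(k_PRIV, E(k_PUB, P)), P = D(k_PUB, E(k_PRIV, P)):", roundtrips(12345678901234567890))
    sig = sign(k_priv, msg)
    print("signature verifies:", verify(k_pub, msg, sig))
    print("modified message verifies:", verify(k_pub, b"Pay Bill 100", sig))
    k = b"shared secret K"
    print("MAC matches:", mac_matches(k, msg, mac(k, msg)))
```

The MAC gives integrity and authenticity to anyone holding K, but not non-repudiation, since the receiver could have produced the same tag; the signature is the only one of the three that a third party can check with the sender's public key alone, which is why the slides pair non-repudiation with the digital signature.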

Public Key Infrastructure (PKI)

(Figure: Digital Certificate: User: Sue, Public Key: 2456)

1. Sue registers with CA through RA: Register(Owner, Public Key)
2. Registration Authority (RA) verifies owners
3. Certificate Authority (CA) sends approved Digital Certificates
4. Sue sends Tom message signed with Digital Signature
5. Tom requests Sue's DC
6. CA sends Sue's DC
7. Tom confirms Sue's DS

Network Access Server

NAS: Network Access Server

Handles user authentication, access control and accounting

Calls back to pre-stored number based on user ID

Prone to hackers, DOS, misconfigured or insecure devices

RADIUS: Remote Access Dial-in User Service

TACACS: Terminal Access Control Access

(Figure: 1. Dial up and authenticate, 2. Call back, 3. Connect, via RADIUS or TACACS)

Web Page Security

SQL Filtering: Filtering of web input for SQL Injection

Encryption/Authentication: Ensuring Confidentiality, Integrity, Authenticity, Non-repudiation

Web Protocol Protection: Protection of State

Vulnerability Assessment

Scan servers, work stations, and control devices for vulnerabilities

Open services, patching, configuration weaknesses

Testing controls for effectiveness

Adherence to policy & standards

Penetration testing

Serviced Applications

Workbook

Applications | Sources of Entry | Servers | Required Controls (e.g., Encryption)
Grades - Current Students | United States | Student Scholastic | Confidentiality: Encryption; Integrity: Hashing, IDS; Authentication: VPN/IPsec, secure passwords
Billing | Payment: International; Reports: Univ. | Student Scholastic | Confidentiality: Encryption, HTTPS; Authentication: VPN/IPsec; Integrity: Hashing, IDS; Non-repudiation: Digital Signature

Summary of Network Controls

Network Security Techniques

Encryption: Public and Private key, Wireless WPA2

Virtual Private Network (VPN): Secure communications tunnel

Secure Hashing

Digital Signature

Bastion Host Configuration

Certificate Authority: PKI

Network Protection Devices

Firewall: Packet, Stateful, Circuit, Application-Level

Proxy server

Demilitarized Zone (DMZ)

Intrusion Detection System

Intrusion Prevention System

Network access server (RADIUS or TACACS)

Honeypot, honeynet

Secure Protocols

SSL: Secure web

SSH: Secure telnet/rlogin or file transfer

S/MIME: Secure email

Secure Information Mgmt: Log mgmt

Question

A map of the network that shows where service requests enter and are processed

1. Is called the Path of Physical Access
2. Is primarily used in developing security policies
3. Can be used to determine whether sufficient Defense in Depth is implemented
4. Helps to determine where antivirus software should be installed

Question

The filter with the most extensive filtering capability is the

1. Packet filter
2. Application-level firewall
3. Circuit-level firewall
4. State Inspection

Question

The technique which implements non-repudiation is:

1. Hash
2. Secret Key Encryption
3. Digital Signature
4. IDS

Question

Anti-virus software typically implements which type of defensive software:

1. Neural Network
2. Statistical-based
3. Signature-based
4. Packet filter

Question

MD5 is an example of what type of software:

1. Public Key Encryption
2. Secret Key Encryption
3. Message Authentication
4. PKI

Question

A personal firewall implemented as part of the OS or antivirus software qualifies as a:

1. Dual-homed firewall
2. Packet filter
3. Screened host
4. Bastion host

HEALTH FIRST CASE STUDY

Designing Network Security

Jamie Ramon MD: Doctor

Chris Ramon RD: Dietician

Terry: Licensed Practicing Nurse

Pat: Software Consultant

Define Services & Servers

Which data can be grouped together by role and sensitivity/criticality?

Service Name | Sensitivity Class | Roles with Access | Server Name
Management | Confidential | - | -
Web Pages | Public | - | -
Contracts | Privileged | - | -
(remaining workbook rows to be filled in)

Defining Services which can Enter and Leave the Network

Service | Source (e.g., home, world, local computer) | Destination (local server, home, world, etc.)
(workbook rows to be filled in)
Defining Zones and Controls

Compartmentalization:

Zone = Region (E.g., DMZ, wireless, internet)

Servers can be physical or virtual

Zone | Service | Server | Required Controls (Conf., Integrity, Auth., Nonrepud., with tools: e.g., Encryption/VPN)
(workbook rows to be filled in)
Draw the Network Diagram

(Figure, as in the Network Diagram workbook: Internet, Router, Demilitarized Zone with External DNS, Email, Public Web Server, E-Commerce; Firewall; Zone 1: Student Labs & Files; Zone 2: Faculty Labs & Files; Zone 3: Student Data with Student Records, Student Billing, Transcripts, Student Scholastic, Student History)

Reference

Slide # | Slide Title | Source of Information
7 | Passive Attacks | CISA: page 331, 333, 352
9 | Some Active Attacks | CISA: page 330, 332, 352
10 | Man-in-the-Middle Attack | CISA: page 331
12 | Password Cracking: Dictionary Attack & Brute Force | CISA: page 330
14 | Botnets | CISA: page 330
15 | Distributed Denial of Service | CISA: page 330
23 | Packet Filter Firewall | CISA: page 353, 354
24 | Firewall Configurations | CISA: page 353-355
25 | Firewall Configurations | CISA: page 354
26 | Multi-Homed Firewall: Separate Zones | CISA: page 355
33 | Intrusion Detection Systems (IDS) / Intrusion Prevention System (IPS) | CISA: page 355, 356
34 | IDS Intelligence Systems | CISA: page 356
35 | Honeypot & Honeynet | CISA: page 356, 357
37 | Encryption: Secret Key | CISA: page 357
38 | Public Key Encryption | CISA: page 357, 358
39 | Remote Access Security | CISA: page 361
40 | Secure Hash Functions | CISA: page 359, 361, 362
41 | Digital Signature | CISA: page 359
42 | Public Key Infrastructure (PKI) | CISA: page 359, 360