Introduction to Network Security - Arash Habibi Lashkari


Nov 20, 2013


Introduction to Network Security

Outlines:
•Who’s vulnerable
•Who’s attacking
•What are the kinds of attacks
•How do we protect ourselves?
•What do you do when you’ve been attacked
•LAB: Famous Attacks and Bots

By: Arash Habibi Lashkari
July 2010
Network Security –01

What is Network Security?
Network security addresses the vulnerabilities to which your organization is exposed as a consequence of being connected to a network.

Who’s vulnerable?
•Everyone in your organization who uses computers or networks in the process of doing their job
•Everyone in your organization who is affected by the information stored in computers
•Everyone in your organization
•Outsiders who rely on your organization – your customers

Who’s vulnerable?
•Both Servers and End Users are subject to attack.
–Web servers, E‐mail servers, File servers, Communications servers, Network devices
–End‐users receiving e‐mail, visiting web sites, downloading files, participating in online services

Who’s vulnerable?
•You are exposed to network security threats by:
–using e‐mail (e.g. viruses, worms)
–using web browsers (e.g. malicious applets and scripts)
–simply being connected to the network (protocol hacks, breaking and entering)

Who’s vulnerable?
•20 year old man arrested for breaking into two computers of NASA’s Jet Propulsion Laboratory.
•Hacking started in 1998
•One computer was used to host a chat room devoted to hacking
•Thousands of usernames and passwords were stolen
Reuters News, July 12, 2000

Who’s vulnerable?
•ILOVEYOU Virus
•MELISSA Virus
•Anna Kournikova Virus (“Here you have, ;o)”) of last week
•Denial of Service attack against Microsoft two weeks ago
•Home users with network connections – dialup or dedicated

Who’s attacking?
•Attacks from within
–“Within” means originating from inside the LAN/intranet – a trusted source

Who’s attacking?
•“Case studies have shown that a vast majority of attacks originate from within an organization. In fact, some studies state that as much as 70% of all attacks from someone within an organization or from someone with inside information (such as an ex‐employee)”
Chris Brenton, Mastering Network Security, c. 1999, SYBEX Network Press, p.6.

Who’s attacking?
•Sometimes the damage is done without intent
–People making mistakes
•Only give root privileges to people who know what they are doing
–People experimenting with things they’ve heard about
•“I was just testing this downloaded script....”

Who’s attacking?
•Sometimes the damage is done on purpose
–Malicious attacks from disgruntled people (e.g. ex‐employees)
–Snoop attacks from nosey co‐workers
–Acts of vandalism
–Espionage

Who’s attacking?
•Attacks from the Outside
–“Outside” means originating from anyone/anyplace outside of your LAN/intranet – an unknown source.
–Sometimes the damage is done without intent....
–Sometimes the damage is done on purpose.

Who’s attacking?
•What do they hope to gain?
–bragging rights, simply to say “I did it!”
–theft of information
–theft of service
–theft of real assets/money
–defacement/vandalism
–destruction of data
–corruption of data

Who’s attacking?
•What do they hope to gain, continued
–corruption of operational systems controlled by computers (phone system, TV systems, etc.)
–denial of service
–plant bots which can be remotely activated and controlled to accomplish any of the attacks listed above using your machine as the host

What are the kinds of attacks?
•Denial of Service (DoS) attacks
–DoS attacks have one goal – to knock your service off the net.
•Crash your host
•Flood your host
•Flood the network connecting to your host

What are the kinds of attacks?
•Viruses
–A computer virus attaches itself to files on the target machine
–Master Boot Sector/Boot Sector viruses
–File viruses, Macro viruses
–Stealth viruses, Polymorphic viruses
–Hoax Viruses
http://www.mcafee.com/anti‐virus
http://www.symantec.com/avcenter

What are the kinds of attacks?
•Trojans, Worms and Backdoors
–Trojans are programs that appear to perform a desirable and necessary function but also perform functions unknown to (and probably unwanted by) the user.
–Worms are memory resident viruses. Unlike a virus, which seeds itself in the computer's hard disk or file system, a worm will only maintain a functional copy of itself in active memory.

What are the kinds of attacks?
•Worms frequently “sleep” until some event triggers their activity – send password file to hacker, send copy of registry to hacker.
•Worms and Trojans are frequently the method by which Backdoors are enabled on a system.
•Backdoors allow hidden access and control of a system (e.g. Back Orifice, BO2K, SubSeven).

What are the kinds of attacks?
•Scanners
–Programs that automatically detect security weaknesses in remote or local hosts.
–Tells the hacker:
•What services are currently running
•What users own those services
•Whether anonymous logins are supported
•Whether certain network services require authentication

What are the kinds of attacks?
•Password Crackers
–Some actually try to decrypt....
–Most simply try “brute force” or intelligent “brute force”
•Dictionary words, days of year, initials
•Social Engineering
–“This is MIS – I need to fix your e‐mail box – what’s your password?”

What are the kinds of attacks?
•Sniffers
–Devices that capture network packets
–Extremely difficult to detect because they are passive

What are the kinds of attacks?
•Botnets
A botnet or robot network is a group of computers running a computer application controlled and manipulated only by the owner or the software source. The botnet may refer to a legitimate network of several computers that share program processing amongst them.
•IRC Bot, P2P Bot and HTTP Bot

How do we protect ourselves?
•One product cannot provide full protection
•The computer networking environment consists of too many different subsystems for one product to provide full protection

How do we protect ourselves?
–Ethernet protocol
–IP protocol
–TCP protocol
–Routing protocols
–Operating Systems
–Presentation protocols ‐ HTML, DHTML, XHTML, XML
–Remote Program execution protocols ‐ VBS, ASP, DCOM, CORBA, JavaScript, Java Applets, Jini
–Applications ‐ MS Outlook, Netscape Communicator, servers (MS IIS, etc.)

How do we protect ourselves?
•Anti‐virus software
–Personal Anti‐virus SW on your machine
•Make sure it is set to scan all executables, compressed files, e‐mail, e‐mail attachments, web pages
–Keep your virus information files up to date!!!

How do we protect ourselves?
•Firewalls
–“A combination of hardware and software resources positioned between the local (trusted) network and [an untrusted network]. The firewall ensures that all communication between an organization's network and the Internet connection conforms to the organization's security policy. Firewalls track and control communications, deciding whether to pass, reject, encrypt, or log communications.”
Checkpoint Firewall‐1 Administration Guide

How do we protect ourselves?
•Types of Firewalls
–Static Packet Filtering ‐ a.k.a. Access Control Lists
–Dynamic Packet Filtering ‐ a.k.a. “Stateful Inspection”
–Proxy ‐ a.k.a. Application Gateway
•Non‐Transparent
•Transparent

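The difference between the first two firewall types, worked as an added example that is not part of the original deck: a static ACL judges every packet on its own header, so the reply to a connection the LAN opened is dropped unless the high ports are opened to everyone; stateful inspection remembers the outbound connection and admits only the matching reply. The network addresses, the published service and the rules are constructed.

```python
"""Toy model of static packet filtering (ACL) versus stateful inspection.
Added example, not code from the original slides; all addresses are constructed."""
from dataclasses import dataclass

LAN_PREFIX = "10.0.0."          # constructed trusted network
WEB_SERVER = ("10.0.0.80", 80)  # constructed published service


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> untrusted net, "in" = untrusted net -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True on the packet that opens a TCP connection


def static_filter(pkt):
    """Static packet filtering: each packet is judged alone against fixed rules.
    Rule 1: the LAN may open connections to anywhere.
    Rule 2: the outside may reach the published web server on port 80.
    Everything else is dropped, including replies to LAN-initiated connections."""
    if pkt.direction == "out" and pkt.src.startswith(LAN_PREFIX):
        return True
    if pkt.direction == "in" and (pkt.dst, pkt.dport) == WEB_SERVER:
        return True
    return False


class StatefulFilter:
    """Dynamic packet filtering: the same two rules plus a connection table, so a
    reply is recognised as belonging to a connection the LAN opened."""

    def __init__(self):
        self.connections = set()  # (lan_host, lan_port, remote_host, remote_port)

    def allow(self, pkt):
        if pkt.direction == "out" and pkt.src.startswith(LAN_PREFIX):
            if pkt.syn:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.direction == "in":
            if (pkt.dst, pkt.dport) == WEB_SERVER:
                return True
            # Inbound traffic to a high port is accepted only as a reply to a known connection.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


def demo():
    """Run four constructed packets through both filters; returns name -> (static, stateful)."""
    request = Packet("out", "10.0.0.5", 40000, "198.51.100.20", 443, syn=True)
    reply = Packet("in", "198.51.100.20", 443, "10.0.0.5", 40000)
    unsolicited = Packet("in", "203.0.113.9", 443, "10.0.0.5", 40000)
    web_hit = Packet("in", "203.0.113.9", 51000, "10.0.0.80", 80, syn=True)

    stateful = StatefulFilter()
    results = {}
    for name, pkt in [("request", request), ("reply", reply),
                      ("unsolicited", unsolicited), ("web_hit", web_hit)]:
        results[name] = (static_filter(pkt), stateful.allow(pkt))
    return results


if __name__ == "__main__":
    for name, (static_ok, stateful_ok) in demo().items():
        print(f"{name:12s} static={static_ok!s:5s} stateful={stateful_ok}")
```

The static filter passes the outbound request but drops the reply on port 40000, which is why ACL-only firewalls historically ended up with broad "allow established/high ports" rules; the stateful filter admits exactly that reply and still drops the unsolicited packet aimed at the same port.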
How do we protect ourselves?
•Today’s firewalls are multi‐purpose network security platforms:
–CVP (Content Vector Protocol)
–UFP (URL Filter Protocol)
–Bandwidth Management
–VPN (Virtual Private Networking)
–Intrusion Detection (MAD)

How do we protect ourselves?
•E‐mail Server filters
–Provide anti‐virus protection for e‐mail passing through the server
–Integrate directly with the E‐mail Server software ‐ MS Exchange, Lotus Notes, Netscape, cc:Mail, etc.
–Example products: McAfee GroupShield, Trend Micro ScanMail

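One check an e‐mail server filter performs before delivery, shown as an added example that is not from the original deck or from the products named above: parse the MIME message, list its attachments, and block those whose final extension is executable, which is how a double‐extension name such as photo.jpg.vbs (a worm attachment disguised as a picture) is caught. The sample message, the blocked‐extension policy and the file names are constructed.

```python
"""Attachment filter of the kind an e-mail server plug-in applies before delivery.
Added example, not code from the slides; the policy and the message are constructed."""
import email
from email import policy

# Assumed policy: file types a Windows desktop executes on double-click are never delivered.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                      ".vbs", ".vbe", ".js", ".jse", ".wsf"}

# Constructed sample: a text body, an "image" whose real (last) extension is .vbs,
# and a genuine JPEG attachment. Base64 bodies are placeholders, not real files.
SAMPLE_MESSAGE = """\
From: friend@example.com
To: you@example.org
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain; charset="us-ascii"

Please have a look at the attached pictures.
--sample-boundary
Content-Type: application/octet-stream; name="photo.jpg.vbs"
Content-Disposition: attachment; filename="photo.jpg.vbs"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--sample-boundary
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--sample-boundary--
"""


def final_extension(filename):
    """The extension the desktop acts on is the LAST one: 'photo.jpg.vbs' is a .vbs."""
    name = filename.strip().lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def attachment_names(raw_message):
    """Return the file name of every attachment part in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if filename is not None or part.get_content_disposition() == "attachment":
            names.append(filename or "<unnamed>")
    return names


def blocked_attachments(raw_message):
    """Names of attachments the server should strip or quarantine before delivery."""
    return [n for n in attachment_names(raw_message)
            if final_extension(n) in BLOCKED_EXTENSIONS]


if __name__ == "__main__":
    print("attachments:", attachment_names(SAMPLE_MESSAGE))
    print("blocked:    ", blocked_attachments(SAMPLE_MESSAGE))
```

The filter deliberately ignores the declared Content‐Type: the sender controls that header, so the decision rests on the name the recipient's desktop would act on. A production filter would also decode the payload and hand it to the anti‐virus engine, which is the part the slide's products add.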
How do we protect ourselves?
•Web based protection filters
–Web Server protection
•Protects web server from hacking (e.g. AppShield (Sanctum Inc.))
–Web Access Control
•Restricts web sites to which you can connect. Can protect you by not allowing you to go to malicious web sites (e.g. WebSENSE)

How do we protect ourselves?
•Hidden Manipulation
•Parameter Tampering
•Cookie Poisoning
•Configuration Subversion
•Buffer Overflow
•Vendor assisted hacking through 3rd‐party software vulnerabilities
•Stealth Commanding
•Forceful Browsing
•BackDoors and Debug Options

How do we protect ourselves?
•VPN technologies
–Access Control
•Who can talk to us through the network?
–Authentication
•How do we know you're who you say you are?
–Integrity
•How can we guarantee that what we receive is what you sent?
–Confidentiality
•How can we guarantee that no one else can read this information?

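The authentication and integrity questions on this slide, answered in working code as an added example that is not from the original deck: a shared key and HMAC‐SHA256 over a sequence‐numbered frame mean that only a key holder can produce a valid tag, that any modification is detected, and that a replayed frame is rejected. Confidentiality (encrypting the payload) is the one property not shown here, since Python's standard library has no cipher; the key, counter width and messages are constructed.

```python
"""Authentication, integrity and replay protection for a VPN-style frame using
HMAC-SHA256. Added example, not code from the slides; key and messages are constructed."""
import hashlib
import hmac

SEQ_LEN = 8    # sequence counter width in bytes (constructed choice)
TAG_LEN = 32   # SHA-256 digest length


def protect(key, seq, payload):
    """Sender: prepend a sequence counter, append a tag over counter + payload.
    Only a holder of `key` can compute the tag (authentication), and any change to
    the counter or the payload changes the tag (integrity)."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(key, expected_seq, frame):
    """Receiver: return the payload if the frame is authentic, unmodified and carries
    the sequence number we are waiting for; otherwise return None."""
    if len(frame) < SEQ_LEN + TAG_LEN:
        return None  # truncated
    header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected_tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):  # constant-time comparison
        return None  # forged or tampered
    if int.from_bytes(header, "big") != expected_seq:
        return None  # replayed or reordered
    return payload


def demo():
    """Genuine, tampered, forged and replayed frames as the receiver sees them."""
    key = b"constructed-shared-secret-key-32"
    frame = protect(key, 1, b"transfer 100 to account 42")

    tampered = bytearray(frame)
    tampered[SEQ_LEN + 9] ^= 0x01                 # flip one bit inside the payload
    forged = frame[:-TAG_LEN] + b"\x00" * TAG_LEN  # no key, so the tag is a guess

    return {
        "genuine": verify(key, 1, frame),
        "tampered": verify(key, 1, bytes(tampered)),
        "forged_tag": verify(key, 1, forged),
        "replayed": verify(key, 2, frame),  # receiver already expects sequence 2
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result!r}")
```

Only the genuine frame yields a payload; the other three come back as None. Real VPN protocols combine this with encryption and a key exchange, and the sequence check is what turns a bare integrity tag into protection against a recorded frame being played back later.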
How do we protect ourselves?
•Intrusion Detection Systems
–Suspicious Pattern Detection
•Looks for known patterns of types of traffic that are common to electronically "casing the joint"
–Bit Pattern Signature Detection
•Looks for known signatures of attacks
–Anomaly Detection ‐ the AI approach
•Monitors network for a period of time to establish a statistical norm for traffic on the network. Generates alarms when abnormal traffic occurs

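The three detection approaches on this slide, run over constructed traffic records as an added example that is not from the original deck: pattern detection flags one source probing many ports in a short window ("casing the joint"), signature detection matches a known byte string in payloads, and anomaly detection learns a packets‐per‐second norm from a quiet period and alarms when a second exceeds it. The records, the single signature and the thresholds are constructed; a real sensor uses a vendor ruleset and a far longer training period.

```python
"""Suspicious-pattern, signature and anomaly detection over constructed traffic records.
Added example, not code from the slides; data, signature and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Record layout: (second, src_ip, dst_ip, dst_port, payload)
# Constructed quiet baseline: one or two LAN clients per second fetch pages from the web server.
TRAINING = [(t, f"10.0.0.{1 + t % 5}", "10.0.0.80", 80, b"GET /index.html") for t in range(60)]
TRAINING += [(t, f"10.0.0.{1 + (t + 2) % 5}", "10.0.0.80", 80, b"GET /news.html")
             for t in range(0, 60, 2)]

# Constructed observation window containing one event of each kind.
OBSERVED = [
    (100, "10.0.0.3", "10.0.0.80", 80, b"GET /index.html"),
    (100, "203.0.113.9", "10.0.0.80", 80, b"GET /../../../../etc/passwd"),
]
OBSERVED += [(101, "198.51.100.7", "10.0.0.80", p, b"")            # one host probing ten ports
             for p in (21, 22, 23, 25, 80, 110, 139, 443, 445, 3389)]
OBSERVED += [(102, "198.51.100.8", "10.0.0.80", 80, b"GET /")] * 40  # 40 requests in one second

# Constructed sample signature (a real sensor ships thousands of these).
SIGNATURES = {b"/../../": "directory traversal attempt"}


def signature_alerts(records):
    """Bit pattern signature detection: known byte strings inside payloads."""
    return [(src, label) for (_, src, _, _, payload) in records
            for sig, label in SIGNATURES.items() if sig in payload]


def scan_alerts(records, window=5, min_ports=8):
    """Suspicious pattern detection: a source touching many distinct ports within one window."""
    ports = defaultdict(set)  # (src, window index) -> distinct destination ports
    for t, src, _, dport, _ in records:
        ports[(src, t // window)].add(dport)
    return sorted({src for (src, _), seen in ports.items() if len(seen) >= min_ports})


def packets_per_second(records):
    counts = defaultdict(int)
    for t, *_ in records:
        counts[t] += 1
    return counts


def baseline(records):
    """Anomaly detection, learning phase: mean and standard deviation of packets per second."""
    counts = list(packets_per_second(records).values())
    return mean(counts), pstdev(counts)


def anomaly_alerts(records, mu, sigma, k=3.0):
    """Anomaly detection, monitoring phase: seconds whose volume exceeds mu + k * sigma."""
    return [t for t, n in sorted(packets_per_second(records).items()) if n > mu + k * sigma]


if __name__ == "__main__":
    mu, sigma = baseline(TRAINING)
    print("signature:", signature_alerts(OBSERVED))
    print("scan:     ", scan_alerts(OBSERVED))
    print(f"baseline: {mu:.2f} +/- {sigma:.2f} packets/s")
    print("anomaly:  ", anomaly_alerts(OBSERVED, mu, sigma))
```

Each detector sees something the others miss: the traversal request is a single packet with normal volume, the port probe sends empty payloads, and the flood uses a perfectly legitimate request string. The anomaly detector also fires on the scan second, which is why sensors report all three kinds of alert side by side rather than relying on one.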
What do you do when you’ve been hacked?
•Too big of a topic to go into here.... but it’s a vital part of network security.
•What can you do to ensure the compromise has been abated?
–How do you identify what’s been changed?
–What did you lose?
–What can you recover?

Questions
•Five famous attacks
•Five famous Bots