Basic Concepts

Feb 22, 2014

Security

Chapter 9 (October 2002)

Copyright 2003 Prentice-Hall

Panko's Business Data Networking and Telecommunications, 4th edition.


Figure 9.1: Types of Attackers


Wizard Internet Hackers


Highly capable attackers


Amateurs (Script Kiddies)


Light skills, but numerous and armed with
automated attack programs (kiddie scripts) of
increasing potency


Figure 9.1: Types of Attackers


Criminals


Theft of credit card numbers, trade secrets, and
other sensitive information


Sell the information or attempt extortion to prevent
the release of the information


Individual criminals and organized crime


Industrial and government espionage spies


Figure 9.1: Types of Attackers


Employees


Dangerous because of internal knowledge and
access


Often, large losses per incident due to theft, fraud,
or sabotage


Figure 9.1: Types of Attackers


Information Warfare and Cyberterrorism


Massive attack by a government or terrorist group
against a country’s IT infrastructure


Attacks by amateur cyberterrorists are already
starting to approach this level of threat


Figure 9.3: Attacks Requiring Protection


Hacking Servers


Access without permission or in excess of
permission


Attractive because of the data they store


Hacking Clients


Attractive because of their data or as a way to
attack other systems by using the hacked client as
an attack platform


Soft targets compared to servers; most users are
security novices

Figure 9.3: Attacks Requiring Protection


Denial-of-Service (DoS) Attacks


Make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.

[Diagram: Single-message DoS attack (crashes the victim): the attacker sends one message to the server.]

[Diagram: Message-stream DoS attack (overloads the victim): the attacker sends a stream of messages to the server.]

Figure 9.4: Denial-of-Service Attacks

Distributed DoS (DDoS) Attack: Messages Come from Many Sources

[Diagram: the attacker sends an attack command to each computer running a zombie program; each zombie then sends DoS attack packets to the victim server, so the flood arrives from many sources.]


Figure 9.3: Attacks Requiring Protection


Scanning Attacks


To identify victims and ways of attacking them


Attacker sends probe messages to potential victims in order to select victims and attack methods


Examines data that responses reveal


IP addresses of potential victims


What services victims are running; different
services have different weaknesses


Host’s operating system, version number, etc.


Figure 9.3: Attacks Requiring Protection


Malicious Content


Viruses


Infect files; propagate by executing infected
program


Payloads may be destructive


Worms; propagate by themselves


Trojan horses (appear to be one thing, such as a
game, but actually are malicious)


Snakes: combine worm with virus, Trojan horses,
and other attacks


Figure 9.3: Attacks Requiring Protection


Malicious Content


Illegal content: pornography, sexual or racial
harassment


Spam (unsolicited commercial e-mail)


Security group is often called upon to address
pornography, harassment, and spam

Figure 9.2: Types of Security Systems

Secure Communication System

[Diagram: a client PC and a server exchange messages; an attacker taps into the conversation and tries to read messages, alter messages, and add new messages.]

Figure 9.2: Types of Security Systems

Attack Prevention System

[Diagram: a hardened client PC and a hardened server with permissions sit on the corporate network behind a firewall; an attacker on the Internet sends attack messages, which must pass through the firewall before they can reach either host.]

Figure 9.5: Packet Filter Firewall

[Diagram: arriving packets from the Internet (IP-H + TCP-H + application message; IP-H + UDP-H + application message; IP-H + ICMP message) are examined by the packet filter firewall, which permits each one into the corporate network or denies it.]

Examines packets in isolation

Fast but misses some attacks

Figure 9.6: Access Control List Fragment


For Packets Containing TCP Segments:


Rule 1:


IF Interface = Internal


AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007)


THEN DENY


Remark: Used by a well-known Trojan horse program.

Figure 9.6: Access Control List Fragment


Rule 2:


IF Interface = External


AND Destination Port Number = 80


AND Destination IP address = 60.16.210.22


THEN PERMIT


Remark: Going to a known webserver.


Figure 9.6: Access Control List Fragment


Rule 3:


IF Interface = External


AND Destination Port Number = 80


AND Destination IP Address = NOT 60.16.210.22


THEN DENY


Remark: Going to an unknown webserver.


Figure 9.6: Access Control List Fragment


Rule 4:


IF Interface = External


AND (SYN = Set AND FIN = Set)


THEN DENY


Remark: Used in host scanning attacks and not in real transactions.

[Diagram: 1. the attacker sends a TCP segment to 60.14.27.9 with both SYN and FIN set; 2. 60.14.27.9 answers with RST, and that reply tells the attacker a host is present at the address.]

Figure 9.6: Access Control List Fragment


Order


Rules are executed in order


If passed or denied by one rule, will not reach
subsequent rules


Misconfiguration is easy, opening the network to
attack


Always test a firewall by hitting it with attack
messages to see if they are handled properly


Stateful Firewall


Does not examine packets in isolation


Examines each packet to see if it is part of an
ongoing conversation


Catches attacks that packet filter firewalls cannot


Refuses a TCP acknowledgement if an internal
host has not opened a connection to that host


Usually does not examine a packet in detail if the
packet is part of an ongoing conversation


This can miss attack packets

(Beyond what is in the book)
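A connection-tracking firewall in miniature, as an added example (not the book's code). It implements the slide's rule that an inbound TCP segment is accepted only when an internal host opened the conversation first, and it also shows the caveat: once a conversation is established, its packets are passed without the payload being looked at. The field names, the "in"/"out" direction encoding and the sample traffic are assumptions made for this illustration.

```python
"""Stateful (connection-tracking) firewall, added example not from the book.

Implements the slide's rule: an inbound TCP segment is accepted only if it
belongs to a conversation that an internal host opened first, and packets on an
established conversation are then passed without detailed inspection, which is
why such a firewall can still miss attack packets. Field names, the direction
encoding and the sample traffic are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Segment:
    direction: str         # "out" = internal host to Internet, "in" = Internet to internal host
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]  # TCP flags that are set
    payload: bytes = b""


# (internal ip, internal port, external ip, external port) identifies one conversation
Key = Tuple[str, int, str, int]


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # state per tracked conversation
        self.log: List[str] = []

    @staticmethod
    def _key(s: Segment) -> Key:
        # Normalise so that both directions of one conversation share a table key.
        if s.direction == "out":
            return (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        return (s.dst_ip, s.dst_port, s.src_ip, s.src_port)

    def process(self, s: Segment) -> str:
        key = self._key(s)
        state = self.table.get(key)
        if s.direction == "out":
            if state is None:
                if "SYN" in s.flags and "ACK" not in s.flags:
                    self.table[key] = "SYN_SENT"      # an internal host opens a connection
                    return "PERMIT"
                return "DENY"                          # e.g. a bare ACK for no connection
            if state == "SYN_SENT" and "ACK" in s.flags:
                self.table[key] = "ESTABLISHED"        # third leg of the handshake
            if s.flags & {"FIN", "RST"}:
                self.table.pop(key, None)              # simplified: forget on first FIN/RST
            return "PERMIT"
        # Inbound segment.
        if state is None:
            # No internal host opened this conversation: refuse the acknowledgement.
            # A packet filter, seeing only port numbers, would have had to let it in.
            self.log.append(f"refused unsolicited {sorted(s.flags)} from {s.src_ip}:{s.src_port}")
            return "DENY"
        if state == "SYN_SENT":
            return "PERMIT" if {"SYN", "ACK"} <= s.flags else "DENY"   # only the server's reply fits
        # ESTABLISHED: passed without looking at the payload, so hostile content on a
        # conversation the client legitimately opened goes through unexamined.
        if s.flags & {"FIN", "RST"}:
            self.table.pop(key, None)
        return "PERMIT"


INTERNAL, EXTERNAL = "172.47.9.6", "198.51.100.20"   # constructed addresses


def run_sample() -> List[str]:
    """Replay a constructed conversation and return the per-segment decisions."""
    fw = StatefulFirewall()
    trace = [
        Segment("in",  EXTERNAL, 80, INTERNAL, 59789, frozenset({"SYN", "ACK"})),               # unsolicited
        Segment("out", INTERNAL, 59789, EXTERNAL, 80, frozenset({"SYN"})),                      # client opens
        Segment("in",  EXTERNAL, 80, INTERNAL, 59789, frozenset({"SYN", "ACK"})),               # now expected
        Segment("out", INTERNAL, 59789, EXTERNAL, 80, frozenset({"ACK"})),                      # established
        Segment("in",  EXTERNAL, 80, INTERNAL, 59789, frozenset({"ACK", "PSH"}), b"<html>"),    # passes
        Segment("in",  EXTERNAL, 80, INTERNAL, 59789, frozenset({"ACK", "PSH"}), b"<hostile>"), # passes too
        Segment("in",  EXTERNAL, 80, INTERNAL, 60000, frozenset({"ACK"})),                      # no conversation
    ]
    return [fw.process(seg) for seg in trace]
```

The first and last inbound segments are refused because no table row exists for them, which is what the slide means by refusing an acknowledgement when no internal host opened the connection; the two PSH/ACK segments are both permitted because the conversation is established, whatever their payload says.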

Figure 9.7: Application (Proxy) Firewall

[Diagram: the application firewall runs one proxy per application: an SMTP (e-mail) proxy, an FTP proxy, and an HTTP proxy. The browser on the client PC talks only to the HTTP proxy, and the HTTP proxy talks to the webserver application on the webserver.

1. The browser sends an HTTP request to the HTTP proxy.
2. The proxy inspects the request message.
3. The proxy sends the examined HTTP request to the webserver application.
4. The webserver application sends an HTTP response to the proxy.
5. The proxy inspects the response message.
6. The proxy sends the examined HTTP response to the browser.]


Can examine the application message to filter packets by application content


If a hacker takes over the proxy firewall, the hacker has not taken over the internal clients, with which the proxy has only indirect contact


Internal client's IP address is hidden. All packets sent back by the server have the address of the application proxy server.


There must be a proxy for each application
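What the HTTP proxy does at steps 2 and 5, as an added example (not the book's code). The proxy sees the whole application message, which a packet filter never sees as one unit, applies content rules to it, and re-issues a cleaned request from its own address, so nothing in what reaches the webserver carries the client PC's address. The policy values (allowed methods, hosts and content types), the header handling and the sample messages are assumptions made for this illustration.

```python
"""Application-level inspection as an HTTP proxy firewall does it (steps 2 and 5
of Figure 9.7). Added example, not the book's code. The policy values, the
header handling and the sample messages are assumptions for this illustration.
"""
from typing import Dict, List, Optional, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
ALLOWED_HOSTS = {"www.example.com"}           # the webserver this proxy fronts (assumed)
ALLOWED_CONTENT_TYPES = {"text/html", "text/plain", "image/png"}
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "te", "transfer-encoding", "upgrade"}
PROXY_VIA = "1.1 app-firewall"                 # assumed name for the proxy itself


def parse_http(raw: bytes) -> Tuple[List[str], Dict[str, str], bytes]:
    """Split an HTTP message into (start line parts, lower-cased headers, body).
    Raises ValueError on anything that is not a well-formed message."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return parts, headers, body


def inspect_request(raw: bytes) -> Tuple[str, str, Optional[bytes]]:
    """Step 2: return (verdict, reason, examined request). The examined request is
    what the proxy sends to the webserver in step 3, or None when denied."""
    try:
        (method, target, version), headers, body = parse_http(raw)
    except ValueError as exc:
        return "DENY", str(exc), None
    if method not in ALLOWED_METHODS:
        return "DENY", f"method {method} not allowed", None
    if version not in ALLOWED_VERSIONS:
        return "DENY", f"version {version} not allowed", None
    if not target.startswith("/") or ".." in target.split("/"):
        return "DENY", "path traversal or non-absolute target", None
    if headers.get("host") not in ALLOWED_HOSTS:
        return "DENY", f"host {headers.get('host', '(missing)')} not fronted by this proxy", None
    if headers.get("content-length", str(len(body))) != str(len(body)):
        return "DENY", "body length does not match Content-Length", None
    # Rebuild the request: hop-by-hop headers are dropped, a Via header names the
    # proxy, and nothing carries the client's own address (no X-Forwarded-For).
    kept = [f"{k}: {v}" for k, v in headers.items() if k not in HOP_BY_HOP]
    kept.append(f"via: {PROXY_VIA}")
    rebuilt = f"{method} {target} {version}\r\n" + "\r\n".join(kept) + "\r\n\r\n"
    return "PERMIT", "ok", rebuilt.encode("iso-8859-1") + body


def inspect_response(raw: bytes) -> Tuple[str, str]:
    """Step 5: check the webserver's reply before it goes back to the browser."""
    try:
        (version, status, _reason), headers, body = parse_http(raw)
    except ValueError as exc:
        return "DENY", str(exc)
    if version not in ALLOWED_VERSIONS or not status.isdigit():
        return "DENY", "malformed status line"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_CONTENT_TYPES:
        return "DENY", f"content type {ctype or '(none)'} not allowed through"
    if headers.get("content-length", str(len(body))) != str(len(body)):
        return "DENY", "body length does not match Content-Length"
    return "PERMIT", "ok"


# Constructed sample messages (not from the book).
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Connection: keep-alive\r\nUser-Agent: demo\r\n\r\n")
TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
WRONG_HOST = b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n"
GOOD_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 5\r\n\r\nhello"
BINARY_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 2\r\n\r\nMZ"
```

Every decision here depends on fields a packet filter cannot reach (the method, the path, the Host header, the response's content type), which is the "filter by application content" point; the rebuilt request is what the proxy sends on its own connection, so the webserver only ever sees the proxy's address.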

Figure 9.8: Network Address Translation (NAT)

[Diagram: 1. the client sends a packet from 172.47.9.6, port 59789, to the NAT firewall; 2. the NAT firewall forwards it to the server host on the Internet with the source rewritten to 60.168.34.2, port 63472; 3. the server host replies to 60.168.34.2, port 63472; 4. the NAT firewall looks up the translation table and delivers the reply to 172.47.9.6, port 59789.]

Translation Table

            Internal        External
IP Addr     172.47.9.6      60.168.34.2
Port        59789           63472
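The translation table from Figure 9.8 in working form, as an added example (not the book's code). Outbound packets get the row added and their source rewritten; inbound packets are mapped back through the same row; an inbound packet with no row is dropped. The figure shows only the table, so dropping on a miss, the sequential port allocation and the Internet server's address are assumptions.

```python
"""NAT translation table of Figure 9.8, as an added example (not the book's code).

Outbound packets have their internal source address and port replaced by the
firewall's external address and an external port recorded in the table; inbound
packets are mapped back through the same row, and a packet with no matching row
is dropped. The book's figure shows only the table; dropping on a miss, the
sequential port allocation and the Internet server's address are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


Endpoint = Tuple[str, int]   # (IP address, port)


class NatFirewall:
    def __init__(self, external_ip: str, first_port: int = 63472) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        # The translation table, kept in both directions for O(1) lookups.
        self.internal_to_external: Dict[Endpoint, Endpoint] = {}
        self.external_to_internal: Dict[Endpoint, Endpoint] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1 to 2: rewrite the internal source to the external address/port."""
        internal = (pkt.src_ip, pkt.src_port)
        external = self.internal_to_external.get(internal)
        if external is None:
            external = (self.external_ip, self.next_port)
            self.next_port += 1       # assumed allocation; a real NAT should not hand out predictable ports
            self.internal_to_external[internal] = external
            self.external_to_internal[external] = internal
        return replace(pkt, src_ip=external[0], src_port=external[1])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 3 to 4: map a reply back to the internal host, or drop it (None)."""
        internal = self.external_to_internal.get((pkt.dst_ip, pkt.dst_port))
        if internal is None:
            return None               # no row: nothing inside asked for this packet
        return replace(pkt, dst_ip=internal[0], dst_port=internal[1])

    def table(self) -> List[Tuple[Endpoint, Endpoint]]:
        return list(self.internal_to_external.items())


def run_figure_9_8() -> Tuple[Packet, Optional[Packet], Optional[Packet], List[Tuple[Endpoint, Endpoint]]]:
    """Replay the figure's exchange plus one unsolicited inbound packet."""
    nat = NatFirewall("60.168.34.2")
    server = ("203.0.113.10", 80)                      # assumed address of the Internet server host
    out = nat.outbound(Packet("172.47.9.6", 59789, server[0], server[1], "request"))   # 1 -> 2
    reply = Packet(server[0], server[1], out.src_ip, out.src_port, "response")           # 3
    back = nat.inbound(reply)                                                            # 4
    stray = nat.inbound(Packet(server[0], 80, "60.168.34.2", 63499, "probe"))            # no table row
    return out, back, stray, nat.table()
```

The dropped `stray` packet is the security side effect of NAT that the figure leaves implicit: an outside host can only reach an internal address through a row that an internal host created first.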

Figure 9.9: Intrusion Detection

[Diagram: 1. the attacker sends an attack packet and a legitimate host sends a legitimate packet toward the internal host; 2. all packets are copied to the intrusion detection system, which records them in a dump; 3. the intrusion detection system sends the network administrator a notification of a possible attack; 4. the network administrator analyzes the dump.]


Firewalls versus Intrusion Detection


Firewalls permit or deny traffic based on filtering rules


Intrusion detection systems (IDSs) only save and mark
certain packets as suspicious; do not take action


IDSs identify all suspicious packets, many of which
turn out to be acceptable; firewall drop rules are more
specific


Some firewalls issue alerts when packets are dropped
and most firewalls log all drops

(New; not in the book)
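A passive intrusion detection system over a packet dump, as an added example (not the book's code). Unlike the firewall examples, nothing here drops traffic: every packet is recorded and some are only marked suspicious for the administrator. Two heuristics are shown, a TCP segment with SYN and FIN both set and one source touching many distinct ports in a short window (the scanning behaviour described on the earlier slide); the sample traffic includes a monitoring host that trips the second heuristic, which is the kind of suspicious-but-acceptable packet the slide mentions. The window, the threshold and the sample traffic are assumptions made for this illustration.

```python
"""Passive intrusion detection over a packet dump (Figure 9.9), added example
not from the book. Nothing here drops traffic: every packet is recorded in the
dump and some are only marked suspicious for the network administrator. The
window, threshold and sample traffic are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    t: float               # arrival time in seconds
    src_ip: str
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]  # TCP flags that are set


class IDS:
    def __init__(self, window_s: float = 10.0, port_threshold: int = 5) -> None:
        self.window_s = window_s
        self.port_threshold = port_threshold
        self.dump: List[Pkt] = []                                   # "2. All Packets"
        self.recent: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.alerted_scanners: Set[str] = set()                     # one scan alert per source

    def observe(self, p: Pkt) -> List[str]:
        """Record the packet and return the reasons it was marked (empty if none)."""
        self.dump.append(p)
        reasons: List[str] = []
        if {"SYN", "FIN"} <= p.flags:
            reasons.append("SYN+FIN set")
        q = self.recent[p.src_ip]
        q.append((p.t, p.dst_port))
        while q and p.t - q[0][0] > self.window_s:
            q.popleft()                                             # slide the time window
        distinct = {port for _, port in q}
        if len(distinct) >= self.port_threshold and p.src_ip not in self.alerted_scanners:
            self.alerted_scanners.add(p.src_ip)
            reasons.append(f"{len(distinct)} distinct ports in {self.window_s:g}s")
        return reasons


def analyse(dump: List[Pkt]) -> List[Tuple[Pkt, List[str]]]:
    """Step 4: replay a dump and return only the marked packets with their reasons."""
    ids = IDS()
    marked: List[Tuple[Pkt, List[str]]] = []
    for p in dump:
        reasons = ids.observe(p)
        if reasons:
            marked.append((p, reasons))
    return marked


# Constructed sample traffic (not from the book); 198.51.100.0/24 is a documentation range.
SAMPLE_DUMP: List[Pkt] = (
    [Pkt(float(i), "198.51.100.9", "60.14.27.9", port, frozenset({"SYN"}))
     for i, port in enumerate([21, 22, 23, 25, 80, 110])]                        # port scan
    + [Pkt(6.5, "198.51.100.9", "60.14.27.9", 443, frozenset({"SYN", "FIN"}))]   # SYN/FIN probe
    + [Pkt(20.0 + i, "203.0.113.5", "60.16.210.22", 80, frozenset({"SYN"}))
       for i in range(6)]                                                        # ordinary web use
    + [Pkt(40.0 + i, "10.0.0.9", "60.14.27.9", port, frozenset({"SYN"}))
       for i, port in enumerate([22, 25, 80, 443, 3306])]                        # monitoring host
)


if __name__ == "__main__":
    for pkt, reasons in analyse(SAMPLE_DUMP):
        print(f"t={pkt.t:5.1f} {pkt.src_ip:>13s} -> {pkt.dst_ip}:{pkt.dst_port:<5d} {', '.join(reasons)}")
```

Three packets come out marked: the scanner's fifth port, its SYN/FIN probe, and the monitoring host's fifth port. The last one is a false positive that only the administrator's analysis of the dump can resolve, which is why the slide contrasts the IDS's broad marking with a firewall's more specific drop rules.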


Figure 9.10: Hardening Clients and Servers


Known Weaknesses


Known security weaknesses in operating systems
and application programs


Firms download vendor patches to fix these known weaknesses


Firms often fail to do so (vendors issue 30-50 patches per week); patches must be installed on each server


Host Firewalls


Server firewalls and personal (client) firewalls


Figure 9.10: Hardening Clients and Servers


Server Authentication


Passwords


Cracking with exhaustive search and dictionary
attacks


Strong passwords


Super accounts


Root in UNIX


Administrator in Windows


Figure 9.10: Hardening Clients and Servers


Server Authentication


Rules for Strong Passwords


At least 8 characters long


At least one change of case


At least one digit (0-9) not at the end


At least one non-alphanumeric character (#@%^&*!) not at the end
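A checker for the four rules above, together with the crude dictionary test that the earlier "Server Authentication" slide warns about, as an added example (not the book's code). Which characters count as non-alphanumeric is an assumption (the slide gives #@%^&*! as examples; here any character that is neither a letter nor a digit qualifies), and the word list and substitution table are small constructed stand-ins for what a real dictionary attack uses.

```python
"""Checker for the slide's four strong-password rules plus a crude dictionary
test. Added example, not the book's code; the non-alphanumeric definition, the
word list and the substitution table are assumptions for this illustration.
"""
from typing import List


def failed_rules(password: str) -> List[str]:
    """Return the rules the password breaks, in the slide's order (empty = all met)."""
    failures: List[str] = []
    if len(password) < 8:
        failures.append("at least 8 characters long")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("at least one change of case")
    # "Not at the end": the qualifying character must occur before the last position,
    # so the common habit of tacking "1!" onto a word does not satisfy these two rules.
    body = password[:-1]
    if not any(c.isdigit() for c in body):
        failures.append("at least one digit (0-9) not at the end")
    if not any(not c.isalnum() for c in body):
        failures.append("at least one non-alphanumeric character not at the end")
    return failures


# Constructed stand-ins: real attack dictionaries hold millions of words and mangling rules.
WORDLIST = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}
LEET = str.maketrans("01345@$", "oleasas")      # undo common letter-for-symbol swaps


def dictionary_hit(password: str) -> bool:
    """Crude dictionary attack: strip trailing digits/punctuation, undo substitutions,
    and see whether what remains is a plain word."""
    core = password.lower().rstrip("0123456789!@#$%^&*").translate(LEET)
    return core in WORDLIST


def is_strong(password: str) -> bool:
    """A password passes only if it meets all four rules and is not a dressed-up word."""
    return not failed_rules(password) and not dictionary_hit(password)
```

"P@ssw0rd1!" satisfies all four rules yet falls to the dictionary test, which is the practical caveat: the rules raise the cost of exhaustive search, but a dictionary attack with substitution rules still finds a disguised common word.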

Figure 9.11: Kerberos Authentication (Simplified)

[Diagram: the applicant, the Kerberos server, and the verifier. Labelled steps: 1. Initial sign-on (applicant to Kerberos server); 3. Ticket (Kerberos server to applicant); 4. Ticket (applicant presents it to the verifier).]


Figure 9.10: Hardening Clients and Servers


Server Authentication


Biometric authentication


Fingerprint: least expensive


Iris: most accurate


Face recognition: controversial in public places
for mass identification


Other forms of biometric identification


Smart cards (ID card with microprocessor and data)


Figure 9.10: Hardening Clients and Servers


Limiting Permissions on Servers (Ch. 10)


Only permit access to some directories


Limit permissions (what the user can do) there


Like controlling access to a high-security building; not allowed to go anywhere and remove items, etc.
