Ch15

guideflannelServers

Dec 4, 2013


1

Network Security

Course: CIS 3003, Fundamentals of Information Technology


2

Objectives


Various types of attacks


Measures of security


3

Morris Worm


Occurred in 1988. Written by Robert Morris.

Carried no destructive payload; it did nothing other than propagate
itself. A flaw in its check for already-infected hosts made it reinfect
machines repeatedly, and the resulting load is what took them down.

This self-replicating code brought down systems at major universities,
U.S. military sites, and research facilities.

The Computer Emergency Response Team (CERT) was established at Carnegie
Mellon University, sponsored by DARPA, after the massive outage caused
by the worm.

4

Computer Emergency Response Team (CERT)


Respond to problems


Report incidents


Research security technologies


Educate users about security


Work with other international CERTs


5

CERT


US-CERT (the R stands for Readiness) was established in 2003 by the
U.S. Department of Homeland Security. It works closely with the first
CERT, established in response to the Morris worm in 1988.


http://www.us-cert.gov/



http://www.cert.org/



Other CERTs outside the U.S.:


Africa CERT: http://cert-africa.org/


Asia Pacific CERT (APCERT): http://www.apcert.org/


Europe: ENISA (the EU network and information security agency, which
coordinates the European national CERTs): http://www.enisa.europa.eu/




6

Who is a threat?


Hackers: white hat, black hat, script kiddie.

Spammers send unsolicited email; roughly 50% of all email is spam.

Rogue employees use legitimate access to intentionally cause harm.

Corporate or national spies working for one rival against another.

Cyberterrorists attack important Internet websites or critical
infrastructure controlled by computers.


7

Types


Viruses and worms


Denial-of-service attacks


Identity and password theft


Data interception and modification


Critical infrastructure attacks


8

Viruses


Malicious code embedded within a seemingly legitimate program that
becomes active only when the program is executed.

For example, a file attached to an e-mail may contain a virus that
runs when the file is opened or the user double-clicks the link.


9

Melissa Virus


Macro virus embedded in a Word document attached to an email.

Executed when a user opens the infected Word file.

The virus emails itself to the first 50 addresses in the user's Outlook
address book.



10

Worm


Self-propagating and self-replicating without any action by a user.
Spreads very quickly, within minutes.

Exploits existing vulnerabilities (security holes) in operating
systems, browsers, and other applications.

Infamous worms: Nimda, Code Red, Slammer, Blaster, Sasser.



11

Infamous worms


Code Red exploited a buffer overflow in Microsoft IIS and scanned for
other IIS servers to infect. It was used to deface websites and mount
denial-of-service attacks.

Slammer exploited a buffer overflow in Microsoft SQL Server 2000 and
its Desktop Engine (MSDE); the overflow allowed arbitrary code
execution. The entire worm fit in a single UDP packet, which is why it
spread within minutes.

Blaster exploited a buffer overflow in the Microsoft Windows DCOM
remote procedure call (RPC) service.



12

Infamous worms cont'd


Sasser exploited a buffer overflow in the LSASS service of Windows XP
and Windows 2000, reachable over the network with no user action.

Nimda was released on September 18, 2001, exactly one week after
September 11, 2001. It propagated through email, network file shares,
websites (infecting visiting browsers), IIS vulnerabilities, and
backdoors left by Code Red. It affected Windows 95, 98, Me, NT, 2000,
and XP.



13

Social Engineering


Hoax viruses use social engineering techniques to make users take some
action that simulates the actual effects of a virus.

For example, virus hoaxes warn users that opening any message with a
certain phrase in the subject line will erase their hard drives.

The effect of a hoax is thousands and thousands of users forwarding the
e-mail warning, similar to the traffic generated by a real worm.


14

Denial-of-Service Attack


Floods a targeted computer with so many requests that it cripples
functionality.

Easy to perpetrate and hard to prevent; does not require the attacker
to gain unauthorized access, but simply overwhelms a system with
requests.

If a web site receives too many requests, it will not be available to
other users who want access.


15

Examples of DoS attacks


Ping flood: ICMP echo requests (reachability checks) sent faster than
the target can answer them.

Smurf attack: exploits the default behavior of answering a ping sent to
a broadcast address. The attacker forges the victim's address as the
source, so every host on that network replies to the victim
(amplification).

SYN flood: the server responds to each TCP SYN with a SYN-ACK and holds
a half-open connection while waiting for a client that never completes
the handshake, usually because the source address was forged. The
half-open table fills up and legitimate clients are turned away.

Large POST transmissions to servers.

Mangled IP packets intended to confuse or crash servers.

Directing the peers of a P2P network at a target site.
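The SYN entry above hinges on the server keeping state for handshakes that never finish. The Python below is an added example, not from the slides or the course: it simulates a listener with a fixed half-open backlog being filled by spoofed SYNs until a legitimate client is refused, beside a listener that uses SYN cookies, where the state lives in the server's initial sequence number (an HMAC over the connection tuple and a coarse time counter) so the flood costs no memory. The backlog size, secret, addresses and clock are constructed for the example, and the cookie layout is simplified (real SYN cookies also encode the client's MSS).

```python
import hmac
import hashlib

# Constructed for the example; a real server rotates this secret periodically.
SECRET = b"example-listener-secret"


class HalfOpenServer:
    """Classic listener: remembers every SYN until the client's final ACK arrives."""

    def __init__(self, backlog=4):
        self.backlog = backlog
        self.half_open = {}          # (src_ip, src_port) -> server ISN
        self.next_isn = 1000

    def on_syn(self, src_ip, src_port):
        """Return the ISN sent in the SYN-ACK, or None if the SYN had to be dropped."""
        if len(self.half_open) >= self.backlog:
            return None              # backlog full: new clients get no SYN-ACK at all
        isn = self.next_isn
        self.next_isn += 1
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        """Complete the handshake only if the ACK matches a remembered half-open entry."""
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


class SynCookieServer:
    """Stateless listener: the ISN is a cookie the server can verify later."""

    def __init__(self, secret, clock):
        self.secret = secret
        self.clock = clock           # returns a coarse time counter (e.g. minutes)

    def _cookie(self, src_ip, src_port, t):
        # Top 5 bits: time counter, so old cookies expire. Low 27 bits: truncated
        # HMAC over the connection tuple and the counter. Simplified layout: real
        # SYN cookies also encode the client's MSS in a few of these bits.
        msg = f"{src_ip}:{src_port}:{t & 0x1F}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((t & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src_ip, src_port):
        """Always answer; no memory is allocated per SYN."""
        return self._cookie(src_ip, src_port, self.clock())

    def on_ack(self, src_ip, src_port, ack):
        """Recompute the cookie for the current and previous counter and compare."""
        isn = (ack - 1) & 0xFFFFFFFF
        now = self.clock()
        for t in (now, now - 1):
            expected = self._cookie(src_ip, src_port, t)
            if hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
                return True
        return False


def simulate_flood(server, spoofed=1000):
    """Send SYNs from many forged sources that never ACK, then try a real client."""
    for i in range(spoofed):
        server.on_syn(f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}", 40000 + i % 20000)
    isn = server.on_syn("192.0.2.10", 51515)          # the legitimate client
    if isn is None:
        return False                                  # no SYN-ACK: service denied
    return server.on_ack("192.0.2.10", 51515, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("classic backlog survives flood:", simulate_flood(HalfOpenServer(backlog=128)))
    print("SYN cookies survive flood:    ", simulate_flood(SynCookieServer(SECRET, lambda: 7)))
```

Running the file prints the two outcomes. Note that the cookie server still answers every spoofed SYN with a SYN-ACK, so SYN cookies remove the memory exhaustion but not the bandwidth cost of the flood.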

16

Distributed Denial-of-Service Attack


17

DDoS Preventive measures


Software patch: code from the software vendor that fixes a particular
vulnerability.

Security software that monitors for the presence of malware.

(Patching and anti-malware mainly keep hosts from being recruited into
the botnet that generates the flood; they do not stop traffic already
aimed at you.)

Distribution of traffic loads across several servers or sites.

Traffic monitoring software that detects a significant change in
traffic flow.

18

Identity and Password Theft


Hacker technique of assuming the identity of an authorized network
user, often by obtaining a network or system password.

Hackers obtain passwords in a variety of ways:

Trash cans (dumpster diving), shoulder surfing, snooping.

Soliciting them from the help desk.

Software tools that guess weak passwords.

Phishing: a malicious web page or email that pretends to be from a
trustworthy company such as a bank.


19

Example Phishing


20

Legitimate HTTPS website


21

Google auto correction


22

Data Interception


Eavesdropping on the physical communication medium: twisted-pair
Ethernet cable, coaxial cable, fiber optic, or a wireless medium.

A wireless medium is the easiest to intercept.

A rogue hotspot provides Internet access in order to capture users'
sensitive data.

Wi-Fi sniffing detects unsecured hotspots and data sent with weak or
no encryption.




23

Critical Infrastructure Attacks


Internet infrastructure


The Internet’s DNS


Power grids: everything depends on electricity. The smart grid exposes
the power grid to network attacks.


Telecommunications systems


Cell phone networks


Stock market networks


ATM networks


24

Network Security Strategies


Encryption


Access control


Authentication


25

Encryption


To encrypt data, a transmitting computer mathematically transforms it
according to a predetermined algorithm called a cipher, parameterized
by a key.

If someone intercepts the encrypted data in transit, the message is
unreadable.

Once the data reaches its destination, the receiving computer can
unscramble it; in other words, it decrypts the data.


26

Simple Encryption


Add/subtract is the cipher.

"2" is the key.

An eavesdropper who does not know the key cannot tell the actual
number. With so few possible keys, though, the eavesdropper can simply
try them all; real ciphers need a key space far too large to search.

27

Symmetric Encryption


The same key is used to encrypt and decrypt the message.

Key strength is 2^n, where n is the number of bits in the key.

2^128 provides 3.4 × 10^38 possible keys.

The key needs to be known by both parties beforehand, and transmitting
the key poses a security risk.

Logistical issues when communicating with many individuals: every pair
needs its own key.

28

Public key encryption


Public and private key pair.

The private key is never transmitted over the network.

A trusted third-party certificate authority (CA) verifies that the
public key belongs to its owner.

29

Transport Layer Security (TLS)


Successor to the Secure Sockets Layer (SSL).

De facto standard for web communication.

Used by the HTTPS protocol.

Latest version at the time of these slides: TLS 1.2, RFC 5246.

The client uses the CA's certificate to verify the certificate
presented by the server.

Supports RC4 and many other ciphers. (RC4 was later prohibited in TLS
by RFC 7465 because of biases in its keystream.)


30

TLS


31

TLS Public Key


The server's public key is obtained from its certificate, which a
certificate authority has signed.

The public key is used to encrypt a symmetric key that the client
generated (RSA key exchange).

The symmetric key is then used to encrypt the sensitive data exchanged
between the client and the server.

This combines the security of asymmetric encryption with the efficiency
of symmetric encryption.


32

RC4 cipher


Symmetric stream cipher.

Encryption is an XOR of the plaintext with a keystream derived from the
key; fast and simple to implement.

A keystream must never be reused: XORing two ciphertexts made with the
same keystream cancels the keystream and leaves the XOR of the two
plaintexts.



33

Wired Equivalent Privacy (WEP)


Designed to provide security for wireless networks. Part of the
original 802.11 standard.

Easy to break.

Its RC4 key has 64 bits.

40 bits is the WEP key shared by everyone using a Wi-Fi access point.
The WEP key is entered manually to access the Wi-Fi access point and
rarely changed.

24 bits is a per-packet initialization vector (IV), sent in the clear.
With only 2^24 values, a repeated IV (and therefore a repeated RC4
keystream) is likely after about 4096 packets (the birthday bound).

The FBI demonstrated breaking it in three minutes in 2005.

34

Wi-Fi Protected Access (WPA)


Temporal Key Integrity Protocol (TKIP).

Replaced WEP as a stopgap while 802.11i was being developed. It was
designed to run on access points built before 2003, whose hardware
could not support the newer security measures.

Key length is 128 bits, with a per-packet key mixing function so that
no two packets share an RC4 key.

Has an integrity check (the Michael MIC) to detect message tampering.

The AP rekeys when it detects rapid integrity-check failures.


35

802.11i or WPA2


Counter Mode with Cipher Block Chaining Message Authentication Code
Protocol (CCMP).

A block cipher in counter mode generates the keystream, replacing RC4,
and a CBC-MAC authenticates each frame.

Based on the Advanced Encryption Standard:
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf





36

Access Control


Physical security


Passwords


Firewalls


37

Firewall


An access control device.

Installed between a secure private network and a non-secure public
network to regulate access to and from the private network.

Can be implemented in hardware or software.

Administrators configure access control rules that must be met before
the firewall will permit access to a network or system.


38

Firewall in a network


39

Packet Filtering


The firewall intercepts packets and inspects header fields, including
the source IP address, destination IP address, source port, and
destination port.

An incoming packet (arriving on the public interface) whose source IP
address belongs to the network behind the firewall is spoofed and
should be dropped.

The firewall then either permits or blocks the packet from entering the
network.

One downside: the firewall must inspect every packet that traverses it,
and from headers alone it cannot tell whether a packet belongs to a
conversation someone inside actually started.


40

Stateful Packet Filtering


A more intelligent form of packet filtering that notes when an incoming
response is expected after an outgoing request is made.

The stateful packet filtering firewall knows to expect traffic from a
certain IP address and port, and can allow that traffic through.

If an unexpected packet arrives claiming to be a response to an
outgoing request, but no matching entry exists in the connection table,
the packet is blocked.
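To make the difference between the two filtering slides concrete, the Python below is an added example, not from the slides: a stateless filter that applies the anti-spoofing rule and a port allow-list to constructed packets, beside a stateful filter that records outbound requests in a connection table and admits inbound packets only when they match an entry. The 192.168.1.0/24 network, the allow-list and the packets are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# direction: "in" arrives on the public interface, "out" leaves from the private side.
# flags: set of TCP flag names (empty for UDP).
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")

INTERNAL = ipaddress.ip_network("192.168.1.0/24")            # constructed private network
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # services insiders may reach


def is_spoofed(pkt):
    """Anti-spoofing rule: a packet from the public side must not claim an inside address."""
    return pkt.direction == "in" and ipaddress.ip_address(pkt.src) in INTERNAL


def stateless_filter(pkt):
    """Header-only decisions. Replies are let in purely by source port: the weakness."""
    if is_spoofed(pkt):
        return "drop: spoofed internal source on public interface"
    if pkt.direction == "out" and (pkt.proto, pkt.dport) in ALLOWED_OUTBOUND:
        return "accept"
    if pkt.direction == "in" and (pkt.proto, pkt.sport) in ALLOWED_OUTBOUND:
        return "accept"          # anything sent from port 80/443/53 gets in, solicited or not
    return "drop: no matching rule"


class StatefulFilter:
    """Records outbound requests and admits only the replies they solicited."""

    def __init__(self):
        # entries: (proto, inside host, inside port, outside host, outside port)
        self.connections = set()

    def filter(self, pkt):
        if is_spoofed(pkt):
            return "drop: spoofed internal source on public interface"
        if pkt.direction == "out":
            if (pkt.proto, pkt.dport) in ALLOWED_OUTBOUND:
                self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "accept"
            return "drop: no matching rule"
        # inbound: look up the reverse tuple of a request we saw leave
        entry = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if entry not in self.connections:
            return "drop: unsolicited inbound (no connection entry)"
        if pkt.proto == "tcp" and ("FIN" in pkt.flags or "RST" in pkt.flags):
            self.connections.discard(entry)      # conversation is over; forget it
        return "accept"


if __name__ == "__main__":
    request = Packet("out", "tcp", "192.168.1.10", 50000, "203.0.113.5", 443, {"SYN"})
    reply = Packet("in", "tcp", "203.0.113.5", 443, "192.168.1.10", 50000, {"SYN", "ACK"})
    unsolicited = Packet("in", "tcp", "198.51.100.7", 443, "192.168.1.10", 3389, {"ACK"})
    spoofed = Packet("in", "tcp", "192.168.1.99", 443, "192.168.1.10", 50000, {"ACK"})
    fw = StatefulFilter()
    for p in (request, reply, unsolicited, spoofed):
        print(f"stateless: {stateless_filter(p):<48} stateful: {fw.filter(p)}")
```

The "unsolicited" packet is the case the slides describe: it comes from port 443, so the stateless filter accepts it as if it were a web reply, while the stateful filter drops it because no inside host ever opened a connection to 198.51.100.7.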


41

Network Address Translation


The firewall rewrites the source IP address of every outgoing packet to
a shared public IP address before the traffic is sent over the public
network, and maps the replies back to the originating private host.

Prevents unsolicited inbound connections.

Only connections initiated on the local, private network are
established.

Communication that originates on the public network is dropped by the
NAT firewall, which blocks network worms that scan for directly
reachable hosts (it does not block malware carried in by email or by
downloads initiated from inside).


42

Application Proxy Firewalls


The most complex type of firewall.

Filters based on the application data itself.

Rather than simply allowing or denying HTTP traffic by port, an
application firewall inspects the HTTP content and distinguishes
between normal and unexpected requests.


43

Good password practices


Mix letters (upper and lower case), numbers, and punctuation.

26 letters, or 52 if upper and lower case are distinguished.

10 digits.

33 punctuation marks and symbols, including space.

No dictionary words. No login name.

7 or more characters: (26+10+33)^7 = 69^7 ≈ 7.4 × 10^12 possibilities
if letters are case-insensitive; (52+10+33)^7 = 95^7 ≈ 7.0 × 10^13
with mixed case.

Easy to remember but hard for others to guess.

Do not reuse passwords.
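The arithmetic on this slide, as an added Python example that is not from the slides: it computes the search space from the character classes a password actually uses, so the gap between a 69-symbol case-insensitive alphabet and a 95-symbol mixed-case one falls out directly, and it checks the slide's rules (length, class mix, no dictionary words, no login name). The small wordlist is a constructed stand-in for a real dictionary.

```python
import math
import string

# Constructed stand-in for a real dictionary or cracking wordlist (example only).
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty", "secret"}

CLASSES = {
    "lowercase": set(string.ascii_lowercase),      # 26
    "uppercase": set(string.ascii_uppercase),      # 26
    "digits": set(string.digits),                  # 10
    "punctuation": set(string.punctuation + " "),  # 32 symbols + space = 33
}


def classes_used(pw):
    """Which of the four character classes appear in `pw`."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def search_space(pw):
    """Candidates a brute-force guesser must try: alphabet ** length, where the
    alphabet is the union of the classes the password actually draws from."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw)


def entropy_bits(pw):
    """Search space expressed in bits (log2), the usual way to compare policies."""
    return math.log2(search_space(pw)) if pw else 0.0


def policy_violations(pw, login=""):
    """Return the slide's rules that `pw` breaks; an empty list means it passes."""
    violations = []
    if len(pw) < 7:
        violations.append("fewer than 7 characters")
    missing = set(CLASSES) - classes_used(pw)
    if missing:
        violations.append("missing " + ", ".join(sorted(missing)))
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY):
        violations.append("contains a dictionary word")
    if login and login.lower() in lowered:
        violations.append("contains the login name")
    return violations


if __name__ == "__main__":
    for pw, login in (("abcdefg", "alice"), ("Password1!", "bob"), ("Tr0ub4dor&3", "alice")):
        print(f"{pw:<12} {entropy_bits(pw):5.1f} bits  {policy_violations(pw, login)}")
```

Note that the search-space figure is an upper bound on the attacker's work: a dictionary word with one digit appended sits in a far smaller space than the formula suggests, which is why the dictionary and login-name rules matter as much as the character-class count.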



44

Physical security


Many security breaches involve insiders within a company, organization,
university, or home.

Routine physical safeguards include door locks for rooms that house
servers and network equipment (including wiring closets), and adequate
building security.


45

Authentication methods


Login name/password


Digital certificates used in HTTPS


Token Based Identifier


Biometric Identifier


46

Token Based Identifier


The token generates a one-time password that can be entered manually or
transmitted wirelessly or through a USB connection to a computer.

The token code is entered in addition to the user's login name and
password. Physically possessing the token is necessary to log in.

47

Biometric Identifier


Use biological characteristics that are unique to an individual and
remain relatively stable throughout a person's life.


Examples:


Fingerprint


Retina and Iris


DNA


Facial recognition


Voice recognition


48

Fingerprint Scanner


Even identical twins do not share the same fingerprints.

A fingerprint may be lifted from an object and used to trick the
reader.

FBI-approved fingerprint scanners reject a fake finger or a finger
removed from the body (liveness detection).





49

Iris and Retina Scanner


Retina: the blood vessel pattern of the retina. Iris: the muscle
pattern of the iris.

A retina scan shines a bright light through the pupil to image the
retina.

Eye disease can change the patterns.

An iris scanner captures the detailed pattern of the iris from a few
inches away.





50

Facial Recognition


Describes a human face by metrics that depend on the underlying bone
structure.

Accuracy is affected by lighting, the angle of the face, and
expression.

Used in airport security to identify possible terrorists.



51

DNA Profile


DNA identifies the presence of an individual at a crime scene.

DNA databases hold profiles of known criminal offenders.

Newer methods require very small samples.







52

Voice Recognition


Matches patterns in voices.

Speaker recognition identifies an individual in a recorded surveillance
conversation.

Affected by the accent of the speaker.




53

Summary


Attacks on a network take the form of viruses, worms, social
engineering, phishing, distributed denial of service, data
interception, and attacks on physical infrastructure.

Protect a network with encryption, limited access, and authentication.

54

Summary cont'd


802.11i (WPA2) is the encryption protocol for Wi-Fi networks.

Limit access from outside through firewalls that inspect traffic.

Authenticate through digital certificates, simple user name and
password, tokens, or unique biometric markers.