CSE2500 SYSTEM SECURITY & PRIVACY Introduction to Computer Network Security
Srini & Nandita, CSE2500 System Security & Privacy

Layout
- Network security: what is different from computer systems security?
- Possible scenarios for network connections and their implications for security concerns
- What is the principal mode of attack in networks, and how can you defend against it? In which part of the network structure can we enforce security? How can we do it efficiently?
What have we seen so far?
- Authentication
- Access control
- Encryption
Internetwork architecture?
[Figure: wireless and wired "strangers" connecting through the Internet to a server]
Services of the server are:
- web servers
- email servers
- FTP servers
- web and email servers
- web, email and FTP servers
- modem servers
- web, email, FTP and modem servers
- web, email and file servers
- etc.
Consider a web server
- What is the authentication here?
- What is the access control here?
- If these do not apply, what is the issue with respect to security?
Recap: Security Attacks - Taxonomy
- Interruption: attack on availability
- Interception: attack on confidentiality
- Modification: attack on integrity
- Fabrication: attack on authenticity
The availability (and confidentiality) property needs to be preserved; how can it be threatened?
Model for network security
[Figure: information channel between the two parties, guarded by a gatekeeper]
Attacks are
- Snooping or sniffing: the attacker observes network traffic without disturbing the transmission (passive), e.g. snooping for passwords.
- Sniffing software works by placing a system's network interface into promiscuous mode.
Attacks are
- Denial of service: make the server inoperative or inefficient, e.g. ping (of death), attack by flooding.
Ping Attack
The hacker sends an ICMP echo request to the target, expecting an ICMP echo reply to be returned for each request. The hacker, because of the high bandwidth, can send more requests than the target can handle.
Countermeasures: no known defense.
[Figure: ICMP ECHO flooding - a hacker on a T-1 link sends packets 1 to n across the Internet to a server on a 128K link]
SYN Attack
Attack method:
- Most hosts will only support 8-16 simultaneous communication channels.
- The hacker sends a sequence of SYN packets. Each SYN packet (about 120/second) has a different and unreachable IP address.
- This consumes all the communication channels and results in a denial of any TCP-based service.
Countermeasure: expand the number of ports, reduce the time-out period, validate TCP request packets.
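To see why the "reduce the time-out period" countermeasure works, here is an added discrete simulation of the half-open connection table (constructed example, not from the slides). It assumes a small table of channels, bogus SYNs arriving at the slide's rate of about 120/s whose unreachable sources never finish the handshake, and one legitimate client trying to connect at a fixed interval.

```python
"""Half-open connection table under a SYN flood (constructed example).
Each bogus SYN occupies a channel until the time-out expires, because its
unreachable source never sends the final ACK of the three-way handshake."""
from collections import deque


def simulate_syn_flood(channels: int, timeout_s: float, flood_rate: float,
                       duration_s: float, legit_interval_s: float):
    """Return (legit_accepted, legit_rejected) over duration_s seconds.

    channels         -- simultaneous half-open connections the host supports
    timeout_s        -- how long an unanswered SYN holds a channel
    flood_rate       -- bogus SYNs per second (one per simulation tick)
    legit_interval_s -- a legitimate client tries to connect this often
    """
    half_open = deque()          # expiry times of occupied channels, oldest first
    accepted = rejected = 0
    ticks = int(duration_s * flood_rate)
    legit_every = max(1, int(legit_interval_s * flood_rate))
    for k in range(ticks):
        t = k / flood_rate
        # Free channels whose time-out has expired.
        while half_open and half_open[0] <= t:
            half_open.popleft()
        # The legitimate client completes its handshake at once, so it only
        # needs a free channel at the moment its SYN arrives.
        if k % legit_every == 0:
            if len(half_open) < channels:
                accepted += 1
            else:
                rejected += 1
        # One bogus SYN per tick; it is never acknowledged, so the channel is
        # held until the time-out.
        if len(half_open) < channels:
            half_open.append(t + timeout_s)
    return accepted, rejected


if __name__ == "__main__":
    for timeout in (75.0, 0.05):   # long vs. short time-out, same flood
        print(timeout, simulate_syn_flood(16, timeout, 120, 10.0, 1.0))
```

With a 75 s time-out the 16 channels fill in the first tenth of a second and every later legitimate SYN is refused; with a 0.05 s time-out at most a handful of channels are ever held, so the flood at this rate no longer denies service.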
Attacks are
- Impersonation: stealing the identity of someone, so that the other party thinks that you are the true identity.
Impersonation
- Authentication at the IP layer is concerned with the identity of computer systems.
- IP addresses are software configurable, and the mere possession (or fraudulent use) of one enables communication with other systems.
- Two techniques to do this are address masquerading and address spoofing.
Address Masquerading
Address Spoofing
- Also known as the TCP sequence number attack.
- First we need to understand how the three-way TCP handshake protocol works. A handshake is an assertion that indicates one party's readiness to send or receive data. When two systems share a hardware connection, a two-way handshake is enough. Since TCP rides on IP, an unreliable, connectionless protocol, a three-way handshake is required.
Handshake in TCP
Machine A -> Machine B: SYN + ISN_A
Machine B -> Machine A: SYN + ISN_B + ACK(ISN_A + 1)
Machine A -> Machine B: ACK(ISN_B + 1)
Then application data flows.
SYN - synchronize request; ISN - initial sequence number; ACK - acknowledgement for the ISN
TCP CONNECTION: THREE-WAY CONNECTION
Client -> Server, Segment 1: SYN=1 ACK=0, seq 141521, win 4096
Server -> Client, Segment 2: SYN=1 ACK=1, seq 181521, ack 141522, win 4096
Client -> Server, Segment 3: SYN=0 ACK=1, ack 181522
- Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 shows the advertised window size of the sending station, while the other field shows the maximum receive segment size specified by the sender. SYN=1, ACK=0.
- Segment 2 shows the server responding with a SYN segment of 181521 and acknowledging the client's ISN with ISN + 1. This is called a Passive Open. SYN=1, ACK=1.
- Segment 3 shows the client responding by acknowledging the server's ISN with ISN + 1. SYN=0, ACK=1.
- Data can now be transmitted.
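The three segments above, modelled as an added example (not code from the slides) with the slide's ISNs 141521 and 181521. The check at the end is the point that matters for the spoofing discussion: the connection is only established if segment 3 carries exactly ISN_B + 1, so whoever sends it must know the server's ISN.

```python
"""Three-way TCP handshake at the segment level (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    syn: bool
    ack: bool
    seq: int          # sequence number; on a SYN segment this is the ISN
    ack_num: int = 0  # acknowledgement number, meaningful only when ack is set
    win: int = 4096   # advertised window size


def three_way_handshake(client_isn: int, server_isn: int):
    """Return the three segments of an active open by the client."""
    # Segment 1 (active open): client announces its ISN. SYN=1, ACK=0.
    seg1 = Segment("client", "server", syn=True, ack=False, seq=client_isn)
    # Segment 2 (passive open): server announces its ISN and acknowledges
    # ISN_A + 1, because the SYN itself consumes one sequence number. SYN=1, ACK=1.
    seg2 = Segment("server", "client", syn=True, ack=True,
                   seq=server_isn, ack_num=seg1.seq + 1)
    # Segment 3: client acknowledges ISN_B + 1. SYN=0, ACK=1.
    seg3 = Segment("client", "server", syn=False, ack=True,
                   seq=seg1.seq + 1, ack_num=seg2.seq + 1)
    return [seg1, seg2, seg3]


def connection_established(segments) -> bool:
    """True only if both acknowledgements match the other side's ISN + 1."""
    if len(segments) != 3:
        return False
    s1, s2, s3 = segments
    return (s1.syn and not s1.ack
            and s2.syn and s2.ack and s2.ack_num == s1.seq + 1
            and not s3.syn and s3.ack and s3.ack_num == s2.seq + 1)


if __name__ == "__main__":
    for s in three_way_handshake(141521, 181521):
        print(f"{s.src} -> {s.dst}: SYN={int(s.syn)} ACK={int(s.ack)} "
              f"seq={s.seq} ack={s.ack_num} win={s.win}")
```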
Address Spoofing
- Consider C (an intruder) who wants to impersonate the sender (say A). How?
- Intruder C knows that B (the receiver) trusts A's users and lets them execute commands through, say, the rsh (remote shell) service without requiring a password.
- C will not receive a single datagram in response from B, whose replies will be routed to the real, but unavailable, A.
- C now somehow needs to predict the ISN that B would tell A during the handshake.
How to get the ISN?
- The ISN is a 32-bit clock that increases systematically with time.
- If the clock increment is predictable and an attacker can see the value of any one ISN, he can probably predict the value of the next, or a soon subsequent, ISN with accuracy.
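An added audit check for the property this slide describes (not from the slides): given a handful of ISNs observed from successive connections to one host, decide whether they step like a clock. The clock model below (a fixed rate per second plus a fixed step per connection) and both samples are constructed for illustration.

```python
"""Is a host's ISN a predictable clock? (constructed example)"""
from statistics import median

MOD = 2 ** 32  # the ISN is a 32-bit counter, so all arithmetic wraps


def clock_isn(elapsed_seconds: float, connections: int,
              rate_per_second: int = 128, per_connection: int = 64) -> int:
    """Toy clock-driven ISN: grows at a fixed rate with time plus a fixed
    step per connection. The constants are illustrative assumptions."""
    return (int(rate_per_second * elapsed_seconds)
            + per_connection * connections) % MOD


def increments(isns):
    """Differences between successive observed ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def is_predictable(isns, tolerance: int = 256) -> bool:
    """True when successive ISNs step by (almost) the same amount, i.e. the
    host behaves like a clock rather than a random source."""
    inc = increments(isns)
    return len(inc) >= 2 and max(inc) - min(inc) <= tolerance


def predict_next(isns) -> int:
    """What an observer can infer under the clock model: the last value plus
    the typical step. A host whose ISNs pass is_predictable fails this test."""
    return (isns[-1] + int(median(increments(isns)))) % MOD


# Constructed sample 1: six ISNs from the clock model, one connection every 0.5 s.
CLOCK_SAMPLE = [clock_isn(0.5 * i, i) for i in range(6)]
# Constructed sample 2: made-up values standing in for a randomised ISN source.
RANDOM_SAMPLE = [3412009117, 88401206, 2097338555, 1500000019, 4000123456, 7]

if __name__ == "__main__":
    for name, sample in (("clock", CLOCK_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(name, "predictable:", is_predictable(sample))
```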
Predictable ISN can lead to
- After learning the ISN, wait for A to go down (say for maintenance), which is easy to detect (say by ping); then C sends B a counterfeit IP datagram containing its SYN and ISN, which B receives and believes to have originated from A. B replies with a SYN, its own ISN and an acknowledgement of C's ISN (this reply is routed inconsequentially to A, who is still unavailable to receive it). C meanwhile predicts and acknowledges B's ISN. It follows with an rsh command that coaxes B to give the attacker easier access from his true location.
- C has successfully opened a TCP connection and executed a command on B without ever having received a single byte in return from B. It simply acted as if it had, enabled by B's predictable ISN.
Method of defense
- Avoid reliance on address-based authentication and trust mechanisms (like those used by rsh).
- Use a screening router, a device that can intelligently filter network packets based on configurable rules. Although this cannot prevent spoofing, it can prevent:
  - inbound attacks that originate from external networks (by discarding incoming datagrams with a source address belonging to the internal network);
  - outbound attacks that originate inside your own network (by discarding outgoing datagrams with a source address from an external network).
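The two screening-router rules above, written out as an added example (not the slides' own material). The internal block 192.0.2.0/24, the other addresses and the log lines are constructed documentation-range values.

```python
"""Anti-spoofing rules of a screening router (constructed example)."""
from ipaddress import ip_address, ip_network

# Assumed internal address block of the site being protected.
INTERNAL = ip_network("192.0.2.0/24")


def filter_datagram(direction: str, src: str) -> str:
    """Return 'accept' or 'drop' for a datagram with source address src.

    direction is 'inbound' (arriving from an external network) or
    'outbound' (leaving towards an external network).
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {direction}")
    internal_src = ip_address(src) in INTERNAL
    if direction == "inbound" and internal_src:
        # Arrived from outside but claims an inside source: inbound spoof.
        return "drop"
    if direction == "outbound" and not internal_src:
        # Leaving our network with a foreign source: outbound spoof.
        return "drop"
    return "accept"


def audit(log_lines):
    """Apply the rules to constructed log lines 'direction src dst' and
    return the lines the router would have discarded."""
    dropped = []
    for line in log_lines:
        direction, src, _dst = line.split()
        if filter_datagram(direction, src) == "drop":
            dropped.append(line)
    return dropped


# Constructed sample log: direction, source address, destination address.
SAMPLE_LOG = """\
inbound 192.0.2.10 192.0.2.25
inbound 198.51.100.7 192.0.2.25
outbound 192.0.2.25 198.51.100.7
outbound 203.0.113.5 198.51.100.7
""".strip().splitlines()

if __name__ == "__main__":
    for line in audit(SAMPLE_LOG):
        print("DROP", line)
```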
Attacks are
- Relaying a message to another host, which accepts it as if it were trusted. Example: transfer of password files in networked Unix systems.
Message alteration
- Message means the payload of the IP datagram; the router performs routine modifications to the IP datagram header, and sometimes fragments a datagram into several smaller ones (when the length exceeds the limit allowed by the underlying data link layer).
- Routine handling like this is no reason to suspect message alteration, but techniques such as checksums are not sufficient to detect it.
Message Delay and Denial
- By gaining authorised control of a router or routing host, then modifying executable code or routing and