Security
Copyright 2003 Prentice-Hall. Panko's Business Data Networking and Telecommunications, 4th edition
Types of Attackers
Wizard Internet hackers: highly capable attackers
Amateurs (script kiddies): light skills, but numerous and armed with automated attack programs (kiddie scripts) of increasing potency
Types of Attackers
Criminals
Theft of credit card numbers, trade secrets, and other sensitive information
Sell the information or attempt extortion to prevent the release of the information
Individual criminals
Industrial and government espionage spies
Types of Attackers
Employees
Dangerous because of internal knowledge and access
Often, large losses per incident due to theft, fraud, or sabotage
Types of Attackers
Information Warfare and Cyberterrorism
Massive attack by a government or terrorist group against a country’s IT infrastructure
Attacks by amateur cyberterrorists are already starting to approach this level of threat
Types of Security Systems
Figure: Secure Communication System. A client PC and a server carry on a message exchange; an attacker taps into the conversation and tries to read messages, alter messages, and add new messages.
Types of Security Systems
Figure: Attack Prevention System. An attacker on the Internet sends attack messages toward the corporate network; a firewall at the border blocks them, and behind it stand a hardened client PC and a hardened server with permissions.
Attacks Requiring Protection
Hacking servers: access without permission or in excess of permission
Attractive because of the data they store
Hacking clients: attractive because of their data or as a way to attack other systems by using the hacked client as an attack platform
Soft targets compared to servers; most users are security novices
Attacks Requiring Protection
Denial-of-Service (DoS) Attacks
Make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.
Figure: Single-message DoS attack. The attacker sends one message that crashes the victim server.
Figure: Message-stream DoS attack. The attacker sends a stream of messages that overloads the victim server.
Denial-of-Service Attacks
Figure: Distributed DoS (DDoS) attack: messages come from many sources. The attacker sends an attack command to each computer on which a zombie program has been planted; every zombie then sends a message stream to the victim server.
Attacks Requiring Protection
Scanning attacks: to identify victims and ways of attacking them
The attacker sends messages to select victims and attack methods, then examines the data that the responses reveal:
IP addresses of potential victims
What services victims are running; different services have different weaknesses
The host's operating system, version number, etc.
Attacks Requiring Protection
Malicious Content
Viruses: infect files; propagate when the infected program is executed
Payloads may be destructive
Worms: propagate by themselves
Trojan horses: appear to be one thing, such as a game, but actually are malicious
Snakes: combine a worm with a virus, Trojan horses, and other attacks
Attacks Requiring Protection
Malicious Content
Illegal content: pornography, sexual or racial harassment
Spam (unsolicited commercial e-mail)
The security group is often called upon to address pornography, harassment, and spam
Packet Filter Firewall
Figure: A packet filter firewall sits between the corporate network and the Internet. Arriving packets (an IP header followed by a TCP header and application message, an IP header followed by a UDP header and application message, or an IP header followed by an ICMP message) are each examined in isolation and then permitted or denied.
Examines packets in isolation: fast, but misses some attacks
Access Control List Fragment
For packets containing TCP segments:
Rule 1: IF Interface = Internal AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007) THEN DENY
Remark: Used by a well-known Trojan horse program.
Access Control List Fragment
Rule 2: IF Interface = External AND Destination Port Number = 80 AND Destination IP Address = 172.16.210.22 THEN PERMIT
Remark: Going to a known webserver.
Access Control List Fragment
Rule 3: IF Interface = External AND Destination Port Number = 80 AND NOT (Destination IP Address = 172.16.210.22) THEN DENY
Remark: Going to an unknown webserver.
Access Control List Fragment
Rule 4: IF Interface = External AND (SYN = Set AND FIN = Set) THEN DENY
Remark: Used in host scanning attacks and not in real transactions.
Access Control List Fragment
Order: rules are executed in order
If a packet is passed or denied by one rule, it will not reach subsequent rules
Misconfiguration is easy, opening the network to attack. In the fragment above, Rule 2 precedes Rule 4, so a SYN/FIN probe aimed at port 80 on the known webserver is permitted by Rule 2 before Rule 4 can deny it; the scan check belongs ahead of the permit rules.
Always test a firewall by hitting it with attack messages to see if they are handled properly
Stateful Firewall
Does not examine packets in isolation
Examines each packet to see if it is part of an ongoing conversation
Catches errors that packet filter firewalls cannot: refuses a TCP acknowledgement if an internal host has not opened a connection to that host
Usually does not examine a packet in detail if the packet is part of an ongoing conversation
This can miss attack packets
Beyond what is in the book
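The following is an added example, not code from Panko's text: a Python model of the ACL fragment above run as a stateless packet filter, beside a stateful firewall that keeps the connection table the slide describes. Rules 1-4 transcribe the slides; the "Established" rule, the default policy (deny unsolicited inbound, permit outbound), and the sample packets are assumptions made for the demonstration.

```python
"""Stateless packet filter versus stateful firewall (added example, not from the textbook).

Rules 1-4 transcribe the ACL fragment; the Established rule, the default
policy and the sample packets are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str        # "Internal" (from the corporate network) or "External" (from the Internet)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()   # TCP flags present: subset of {"SYN", "ACK", "FIN"}


WEBSERVER = "172.16.210.22"   # the known webserver in the ACL fragment

# Each rule is (name, predicate, action).
RULE_1 = ("Rule 1: Trojan ports", lambda p: p.iface == "Internal" and (p.src_port == 7056 or 8002 <= p.src_port <= 8007), "DENY")
RULE_2 = ("Rule 2: known webserver", lambda p: p.iface == "External" and p.dst_port == 80 and p.dst_ip == WEBSERVER, "PERMIT")
RULE_3 = ("Rule 3: unknown webserver", lambda p: p.iface == "External" and p.dst_port == 80 and p.dst_ip != WEBSERVER, "DENY")
RULE_4 = ("Rule 4: SYN+FIN scan", lambda p: p.iface == "External" and {"SYN", "FIN"} <= p.flags, "DENY")
# Assumed rule: a stateless filter needs something like it to let replies to outbound
# connections back in, and it is exactly what lets a bare-ACK probe through.
ESTABLISHED = ("Established (assumed)", lambda p: p.iface == "External" and "ACK" in p.flags and "SYN" not in p.flags, "PERMIT")

ACL_AS_LISTED = [RULE_1, RULE_2, RULE_3, RULE_4, ESTABLISHED]
ACL_REORDERED = [RULE_4, RULE_1, RULE_2, RULE_3, ESTABLISHED]   # scan check first


def packet_filter(packet, acl):
    """Examine one packet in isolation: the first matching rule wins and later
    rules are never reached. Assumed default: deny inbound, permit outbound."""
    for name, matches, action in acl:
        if matches(packet):
            return action, name
    return ("DENY" if packet.iface == "External" else "PERMIT"), "default"


class StatefulFirewall:
    """Remembers connections opened by internal hosts and refuses an external
    ACK for a connection nobody opened."""

    def __init__(self, acl):
        self.acl = [r for r in acl if r is not ESTABLISHED]   # no blanket ACK rule needed
        self.connections = set()   # (internal ip, internal port, external ip, external port)

    def handle(self, packet):
        if packet.iface == "Internal":
            action, name = packet_filter(packet, self.acl)
            if action == "PERMIT" and "SYN" in packet.flags:
                self.connections.add((packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port))
            return action, name
        key = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port)
        if key in self.connections:
            # Part of an ongoing conversation: not examined in detail, which is
            # the weakness the slide notes (an attack inside the stream passes).
            if "FIN" in packet.flags:
                self.connections.discard(key)
            return "PERMIT", "ongoing conversation"
        return packet_filter(packet, self.acl)   # unsolicited inbound: full rule check


# Constructed attack messages to hit the firewall with, as the slide advises.
SYN_FIN_PROBE = Packet("External", "203.0.113.9", 40000, WEBSERVER, 80, frozenset({"SYN", "FIN"}))
BARE_ACK_PROBE = Packet("External", "203.0.113.9", 40001, "172.16.210.30", 3389, frozenset({"ACK"}))
TROJAN_OUT = Packet("Internal", "172.16.210.30", 8004, "203.0.113.9", 6000, frozenset({"SYN"}))
CLIENT_SYN = Packet("Internal", "172.16.210.30", 50000, "198.51.100.5", 443, frozenset({"SYN"}))
SERVER_REPLY = Packet("External", "198.51.100.5", 443, "172.16.210.30", 50000, frozenset({"SYN", "ACK"}))


def firewall_test_report():
    """Run the attack messages through both configurations; return the verdicts."""
    stateful = StatefulFirewall(ACL_REORDERED)
    stateful.handle(CLIENT_SYN)   # an internal host opens a connection first
    return {
        "syn_fin_as_listed": packet_filter(SYN_FIN_PROBE, ACL_AS_LISTED),    # slips past Rule 2
        "syn_fin_reordered": packet_filter(SYN_FIN_PROBE, ACL_REORDERED),
        "bare_ack_stateless": packet_filter(BARE_ACK_PROBE, ACL_AS_LISTED),  # permitted in isolation
        "bare_ack_stateful": stateful.handle(BARE_ACK_PROBE),                # nobody opened it
        "server_reply_stateful": stateful.handle(SERVER_REPLY),
        "trojan_outbound": packet_filter(TROJAN_OUT, ACL_AS_LISTED),
    }


if __name__ == "__main__":
    for case, (action, rule) in firewall_test_report().items():
        print(f"{case:24s} {action:7s} ({rule})")
```

Running the report shows the SYN/FIN probe slipping past Rule 2 in the order listed and being stopped once Rule 4 is moved first, the bare-ACK probe passing the stateless filter but being refused by the stateful one, and the server's reply to a connection the internal host opened being admitted as part of an ongoing conversation.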
Application (Proxy) Firewall
Figure: The application firewall runs a separate proxy for each application: an SMTP (e-mail) proxy, an FTP proxy and an HTTP proxy. 1. The browser on the client PC sends an HTTP request, which goes to the HTTP proxy rather than to the webserver. 2. The proxy examines the request and passes the examined HTTP request to the webserver application on the webserver. 3. The webserver application returns an HTTP response to the proxy. 4. The proxy examines the response and passes the examined HTTP response to the browser.
Application (Proxy) Firewall
Can examine the application message, so it filters by application content rather than by headers alone
If a hacker takes over the proxy firewall, he or she has not taken over the internal clients, with which the proxy has only indirect contact
The internal client's IP address is hidden: all packets sent back by the server carry the address of the application proxy server
Needs a separate proxy program for each application
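An added example of the examination step an HTTP proxy performs (not code from the textbook): it parses the request line and headers, which a packet filter never sees, applies a constructed policy, and forwards a rebuilt request in which only the proxy's identity is visible to the server. The allowed methods and hosts, the body limit and the sample requests are assumptions for the demonstration.

```python
"""HTTP application-proxy examination (added example, not from the textbook).

Policy values and sample requests are constructed for illustration.
"""

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com"}      # assumed policy: only known webservers
MAX_BODY = 4096                           # assumed limit
PROXY_NAME = "1.1 app-firewall"           # what the server sees instead of the client


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, target, version, headers, body).
    Raises ValueError when the request line does not have three fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def examine_request(raw: bytes):
    """Return ("DENY", reason) or ("PERMIT", bytes the proxy sends to the webserver)."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError:
        return "DENY", "malformed request line"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "DENY", f"unsupported version {version}"
    if method not in ALLOWED_METHODS:
        return "DENY", f"method {method} not allowed"
    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:
        return "DENY", f"host {host!r} not on the allow-list"
    if ".." in target.split("/"):
        return "DENY", "path traversal in request target"
    if len(body) > MAX_BODY:
        return "DENY", "body too large"
    # Rebuild the request: drop anything naming the internal client, add the proxy.
    forwarded = {k: v for k, v in headers.items() if k not in ("x-forwarded-for", "via")}
    forwarded["via"] = PROXY_NAME
    head = [f"{method} {target} {version}"] + [f"{k}: {v}" for k, v in forwarded.items()]
    return "PERMIT", "\r\n".join(head).encode("latin-1") + b"\r\n\r\n" + body


# Constructed sample requests.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Forwarded-For: 172.16.210.30\r\n\r\n"
TRAVERSAL = b"GET /images/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
UNKNOWN_HOST = b"GET / HTTP/1.1\r\nHost: evil.example.net\r\n\r\n"
MALFORMED = b"\x00\x01garbage"

if __name__ == "__main__":
    for sample in (GOOD, TRAVERSAL, BAD_METHOD, UNKNOWN_HOST, MALFORMED):
        print(examine_request(sample))
```

The traversal, method and host checks are decisions a packet filter cannot make, because it sees only ports and addresses; the rebuilt request is also how the proxy keeps the internal client's address out of the server's view.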
Network Address Translation (NAT)
Figure: A client on the internal network sends a packet to a server host on the Internet through a NAT firewall. 1. The packet leaves the client from 172.47.9.6, port 31789. 2. The NAT firewall rewrites the source as 192.168.34.2, port 13472 and records the pair in its translation table (internal: IP address 172.47.9.6, port 31789; external: IP address 192.168.34.2, port 13472). 3. The server's reply is addressed to 192.168.34.2, port 13472. 4. The NAT firewall looks the port up in the translation table and delivers the packet to 172.47.9.6, port 31789.
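The translation in the figure as an added example (not code from the textbook). It uses the figure's addresses for the first client and the firewall; the second internal client and the server address are constructed, and the behaviour of dropping inbound packets that match no table entry is the usual NAT behaviour, assumed here rather than stated on the slide.

```python
"""Network Address Translation (added example, not from the textbook).

Addresses for the first client and the firewall come from the figure; the
second client, the server and the drop-if-unknown behaviour are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    def __init__(self, external_ip, first_external_port=13472):
        self.external_ip = external_ip
        self.next_port = first_external_port
        self.table = {}      # (internal ip, internal port) -> external port
        self.reverse = {}    # external port -> (internal ip, internal port)

    def outbound(self, packet):
        """Steps 1 -> 2: replace the internal source address and port with the
        firewall's external address and a table-assigned port."""
        key = (packet.src_ip, packet.src_port)
        if key not in self.table:                # new conversation: allocate a port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return replace(packet, src_ip=self.external_ip, src_port=self.table[key])

    def inbound(self, packet):
        """Steps 3 -> 4: look the destination port up and restore the internal
        address; a packet that matches no table entry is dropped (None)."""
        if packet.dst_ip != self.external_ip or packet.dst_port not in self.reverse:
            return None
        internal_ip, internal_port = self.reverse[packet.dst_port]
        return replace(packet, dst_ip=internal_ip, dst_port=internal_port)

    def translation_table(self):
        return {key: (self.external_ip, port) for key, port in self.table.items()}


SERVER = "203.0.113.50"   # constructed Internet server address


def walkthrough():
    """Two internal clients using the same source port, one reply, one unsolicited probe."""
    nat = NatFirewall("192.168.34.2")
    out1 = nat.outbound(Packet("172.47.9.6", 31789, SERVER, 80))   # the figure's client
    out2 = nat.outbound(Packet("172.47.9.7", 31789, SERVER, 80))   # second client, same port
    reply1 = nat.inbound(Packet(SERVER, 80, "192.168.34.2", out1.src_port))
    probe = nat.inbound(Packet("198.51.100.9", 4444, "192.168.34.2", 3389))   # no table entry
    return out1, out2, reply1, probe, nat.translation_table()


if __name__ == "__main__":
    for item in walkthrough():
        print(item)
```

Two clients that happen to use the same source port get distinct external ports, which is why the table is keyed on the address and port pair rather than the address alone; the unsolicited probe to port 3389 never reaches an internal host because nothing inside opened that conversation.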
Intrusion Detection
Figure: 1. An attacker sends an attack packet and a legitimate host sends a legitimate packet toward an internal host. 2. The intrusion detection system receives a copy of all packets and writes them to a dump. 3. It sends the network administrator a notification of a possible attack. 4. The network administrator analyses the dump.
Firewalls versus Intrusion Detection
Firewalls permit or deny traffic based on filtering rules
Intrusion detection systems (IDSs) only save and mark certain packets as suspicious; they do not take action
Some firewalls issue alerts when packets are dropped, and most firewalls log all drops
IDSs identify all suspicious packets, many of which turn out to be acceptable; firewall drop rules are more specific
New: not in the book
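An added example of IDS-style detection logic, not from the textbook, covering the scanning attacks described earlier: it runs over a constructed packet log and raises two kinds of alert, a signature match on SYN+FIN probes and an anomaly match on one source touching many ports on one host. The log lines, the window and the threshold are constructed assumptions.

```python
"""Scan detection as intrusion-detection rules (added example, not from the textbook).

The log, the window and the threshold are constructed for illustration.
"""
from collections import defaultdict

# Constructed log: (seconds, src_ip, dst_ip, dst_port, flags). A legitimate host
# touches a few ports on the webserver; a scanner walks many ports quickly.
LOG = [
    (0.0, "172.16.210.30", "172.16.210.22", 80, "S"),
    (0.5, "172.16.210.30", "172.16.210.22", 443, "S"),
    (1.0, "203.0.113.9", "172.16.210.22", 21, "S"),
    (1.1, "203.0.113.9", "172.16.210.22", 22, "S"),
    (1.2, "203.0.113.9", "172.16.210.22", 23, "S"),
    (1.3, "203.0.113.9", "172.16.210.22", 25, "S"),
    (1.4, "203.0.113.9", "172.16.210.22", 80, "SF"),
    (1.5, "203.0.113.9", "172.16.210.22", 110, "S"),
    (1.6, "203.0.113.9", "172.16.210.22", 143, "S"),
    (30.0, "172.16.210.30", "172.16.210.22", 8080, "S"),
]


def syn_fin_alerts(log):
    """Signature match: SYN and FIN together never occur in a real connection."""
    return [(t, src, dst, port) for t, src, dst, port, flags in log
            if "S" in flags and "F" in flags]


def port_scan_alerts(log, window=10.0, threshold=5):
    """Anomaly match: one source touching more than `threshold` distinct ports on
    one host within `window` seconds. Each probe packet looks legitimate on its
    own, so a packet filter cannot see this. Returns (src, dst, ports) per alert."""
    events = defaultdict(list)                 # (src, dst) -> [(time, port), ...]
    for t, src, dst, port, _ in sorted(log):   # time order
        events[(src, dst)].append((t, port))
    alerts = []
    for (src, dst), hits in events.items():
        for i, (t_start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t_start <= window}
            if len(ports) > threshold:
                alerts.append((src, dst, sorted(ports)))
                break                          # one alert per source/destination pair
    return alerts


if __name__ == "__main__":
    print(syn_fin_alerts(LOG))
    print(port_scan_alerts(LOG))
    print(port_scan_alerts(LOG, threshold=1))   # too sensitive: the legitimate host is flagged too
```

With the default threshold only the scanner is reported; lowering the threshold to 1 also flags the legitimate host that opened ports 80 and 443, which is the point made on the slide: an IDS marks what looks suspicious, and a tuning choice decides how much of that later turns out to be acceptable traffic.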
Hardening Clients and Servers
Known weaknesses: known security weaknesses in operating systems and application programs
Vendor patches fix these known weaknesses and must be downloaded and installed
Firms often fail to do so (vendors issue 30-50 patches per week); patches must be installed on each server
Host firewalls: server firewalls and personal (client) firewalls
Hardening Clients and Servers
Server authentication: passwords
Cracking with exhaustive search and dictionary attacks
Strong passwords
Super accounts
Hardening Clients and Servers
Server authentication: rules for strong passwords
At least 8 characters long
At least one change of case
At least one digit (0-9), not at the end
At least one non-alphanumeric character (#@%^&*!), not at the end
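An added example, not from the textbook, that ties the password rules to the two attacks named on the previous slide: a checker for the four rules, a dictionary attack with the usual capitalisation and appended-number tricks, and an exhaustive search over short single-case passwords. The word list and the sample passwords are constructed, and plain unsalted SHA-256 is used only so the attacks are visible; a real password store should use a salted, deliberately slow password hash.

```python
"""Password rules, dictionary attack and exhaustive search (added example, not from the textbook).

The word list, the sample passwords and the use of unsalted SHA-256 are
constructed for illustration only.
"""
import hashlib
import itertools
import string

WORDLIST = ["password", "summer", "welcome", "dragon", "monkey"]   # constructed


def password_violations(password):
    """Return the slide rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no change of case")
    body = password[:-1]   # a digit or symbol only at the very end does not count
    if not any(c.isdigit() for c in body):
        problems.append("no digit before the last character")
    if not any(not c.isalnum() for c in body):
        problems.append("no non-alphanumeric character before the last character")
    return problems


def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash, words=WORDLIST, max_suffix=99):
    """Try each word plainly, capitalised and upper-cased, each also with a
    number appended (the commonest user trick). Returns the password or None."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for candidate in [base] + [f"{base}{n}" for n in range(max_suffix + 1)]:
                if hash_password(candidate) == target_hash:
                    return candidate
    return None


def exhaustive_search(target_hash, alphabet=string.ascii_lowercase, max_len=4):
    """Brute force every string up to max_len: quick for short, single-case
    passwords, hopeless once length and character classes grow."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_password(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    for pw in ("Summer7", "wasp", "Tracking7!", "Tr@ck7ing"):
        print(pw, password_violations(pw) or "passes all four rules")
    print(dictionary_attack(hash_password("Summer7")))      # found by mangling "summer"
    print(exhaustive_search(hash_password("wasp")))         # found by brute force
    print(dictionary_attack(hash_password("Tr@ck7ing")))    # None
```

"Tracking7!" fails the last rule even though it contains a symbol, because the symbol is the final character; "Tr@ck7ing" passes, and neither attack recovers it, whereas "Summer7" falls to the dictionary within a few hundred guesses and "wasp" to the exhaustive search.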
Kerberos Authentication (Simplified)
Figure: 1. The applicant performs an initial sign-on with the Kerberos server. 2. The applicant requests a ticket from the Kerberos server. 3. The Kerberos server sends the ticket to the applicant. 4. The applicant presents the ticket to the verifier.
Hardening Clients and Servers
Server authentication: biometric authentication
Fingerprint: least expensive
Iris: most accurate
Face recognition: controversial in public places for mass identification
Other forms of biometric identification
Smart cards (ID card with microprocessor and data)
Hardening Clients and Servers
Limiting permissions on servers (Ch. 10): only permit access to some directories
Limit permissions (what the user can do) there
Like controlling access to a building: not allowed to go anywhere and remove items, etc.
Secure Communication System
Figure: Between the client PC and the server: 1. Initial negotiation of security parameters. 2. Mutual authentication. 3. Key exchange or key agreement. 4. Subsequent communication with message-by-message confidentiality, authentication, and message integrity.
Symmetric Key Encryption for Confidentiality
Figure: Party A applies the encryption method and the symmetric key to the plaintext "Hello", producing the ciphertext "11011101". The ciphertext crosses the network, where an interceptor sees only the ciphertext. Party B, holding the same symmetric key, applies the decryption method and the key to the ciphertext and recovers the plaintext "Hello".
Public Key Encryption for Confidentiality
Figure: Party A sends to Party B by encrypting with Party B's public key; Party B decrypts with Party B's private key. Party B sends to Party A by encrypting with Party A's public key; Party A decrypts with Party A's private key.
MS-CHAP Challenge-Response Authentication Protocol
Note: both the client (applicant) and the server (verifier) know the client's password.
1. The verifier creates a challenge message.
2. The verifier sends the challenge message to the applicant.
3. The applicant creates the response message: a) adds the password to the challenge message; b) hashes the resultant bit string; c) the hash is the response message.
4. The applicant sends the response message.
5. The verifier adds the password to the challenge message it sent and hashes the combination; this should be the expected response message.
6. If the transmitted response and the expected response are equal, the client knows the password and is authenticated.
Digital Signature
Figure: The sender adds a digital signature (DS) to each plaintext message and the receiver checks it; this provides message-by-message authentication.
Digital Signature: Sender
To create the digital signature:
1. Hash the plaintext to create a brief message digest (MD); this is NOT the digital signature
2. Sign (encrypt) the message digest with the sender's private key to create the digital signature
Digital Signature
Figure: The plaintext plus the digital signature are sent encrypted with the symmetric session key; the sender encrypts for transmission and the receiver decrypts.
Digital Signature: Receiver
1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest
2. Decrypt the digital signature with the true party's public key. This also should give the message digest
3. If the two are equal, the message is authenticated: the sender has the true party's private key
Public Key Deception
Figure: The impostor says to the verifier, "I am the True Person," and "Here is TP's public key," but sends the impostor's own public key. The verifier, who must authenticate the True Person, now believes it has TP's public key; this is the critical deception. The impostor then says, "Here is authentication based on TP's private key," which is really based on the impostor's private key, and the verifier believes the True Person is authenticated because it checked with the impostor's public key. When the verifier says, "True Person, here is a message encrypted with your public key," the message is encrypted with the impostor's public key, so the impostor can decrypt it.
Digital Certificates
Digital certificates are electronic documents that give the true party's name and public key
Applicants claiming to be the true party have their authentication methods tested with this public key
If they are not the true party, they cannot use the true party's private key and so will not be authenticated
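The signature procedure, the public key deception and the fix a certificate provides, as one added example that is not code from the textbook. The keys are toy RSA built from four-digit primes, with the digest reduced modulo n so the arithmetic is visible; that makes it insecure and suitable only for showing the procedure. The symmetric session-key encryption of the transmission is left out, and the names follow the PKI figure (Lee, Brown, a certificate authority); the impostor, the messages and the certificate format are constructed.

```python
"""Digital signatures, public key deception and certificates (added example, not from the textbook).

Toy RSA with tiny primes; the digest is reduced mod n. Not secure.
"""
import hashlib


def keygen(p, q, e):
    """Toy RSA: returns (public, private) as (n, exponent) pairs. p and q are constructed primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def message_digest(plaintext: bytes, n: int):
    """Sender step 1 / receiver step 1: hash the plaintext. The reduction mod n
    is only because the toy keys are far smaller than a SHA-256 digest."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n


def sign(plaintext, private_key):
    """Sender step 2: sign (encrypt) the digest with the private key."""
    n, d = private_key
    return pow(message_digest(plaintext, n), d, n)


def verify(plaintext, signature, public_key):
    """Receiver steps 2-3: decrypt the signature with the public key and compare digests."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(plaintext, n)


# A certificate binds a name to a public key under the CA's own signature.
def certificate_bytes(name, public_key):
    return f"{name}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(name, public_key, ca_private):
    return {"name": name, "public_key": public_key,
            "ca_signature": sign(certificate_bytes(name, public_key), ca_private)}


def key_from_certificate(cert, expected_name, ca_public):
    """Accept the key only if the name matches and the CA's signature checks out."""
    if cert["name"] != expected_name:
        return None
    if not verify(certificate_bytes(cert["name"], cert["public_key"]), cert["ca_signature"], ca_public):
        return None
    return cert["public_key"]


LEE_PUB, LEE_PRIV = keygen(1009, 1013, 17)          # the true party
IMPOSTOR_PUB, IMPOSTOR_PRIV = keygen(1019, 1021, 7)  # constructed impostor
CA_PUB, CA_PRIV = keygen(1031, 1033, 11)             # the certificate authority


def deception_walkthrough():
    msg = b"Transfer the funds to account 1"
    genuine = sign(msg, LEE_PRIV)
    forged = sign(msg, IMPOSTOR_PRIV)
    lee_cert = issue_certificate("Lee", LEE_PUB, CA_PRIV)
    fake_cert = issue_certificate("Lee", IMPOSTOR_PUB, IMPOSTOR_PRIV)   # impostor has no CA key
    return {
        "genuine_verifies": verify(msg, genuine, LEE_PUB),
        # Brown checks with the key the sender supplied: the deception succeeds.
        "fooled_by_supplied_key": verify(msg, forged, IMPOSTOR_PUB),
        # Brown checks with Lee's true key: the forgery fails, and so does tampering.
        "forgery_with_true_key": verify(msg, forged, LEE_PUB),
        "tampered": verify(msg + b"0", genuine, LEE_PUB),
        # Where Brown gets Lee's true key: a certificate the CA signed.
        "key_from_real_cert": key_from_certificate(lee_cert, "Lee", CA_PUB),
        "key_from_fake_cert": key_from_certificate(fake_cert, "Lee", CA_PUB),
    }


if __name__ == "__main__":
    for check, outcome in deception_walkthrough().items():
        print(f"{check:24s} {outcome}")
```

The signature check itself cannot tell the two keys apart: a forged signature verifies perfectly under the impostor's key. What saves Brown is refusing to take the key from the sender and taking it from a certificate instead, which the impostor cannot issue for the name "Lee" without the CA's private key.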
Public Key Infrastructure (PKI)
Figure: The certificate authority (PKI server) creates and distributes to the applicant (Lee) (1) a private key and (2) a digital certificate. A verifier (Cheng) sends the certificate authority a request for Brown's certificate (3) and receives the certificate for Brown (4). A verifier (Brown) receives the certificate for Lee (5), asks the certificate authority to check its certificate revocation list (CRL) for Lee's digital certificate (6), and is answered "revoked" or "OK" (7).
In current practice the applicant generates its own key pair and sends only the public key to the CA for certification, so the private key never leaves the applicant; a CA that creates and distributes private keys, as drawn here, becomes a single point of compromise for every key it has issued.
Security at Multiple Layers
Layer        Example
Application  Application-specific (for instance, passwords for a database program); application (proxy) firewalls
Transport    SSL (TLS); packet filter firewalls
Internet     IPsec; packet filter firewalls
Data Link    Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP)
Physical     Physical locks on computers; notebook encryption
Security at Multiple Layers
Having security at multiple layers provides protection if one layer’s security fails
Having security at multiple layers also slows processing on the device
So provide protection in at least two layers but not in all layers
Creating Appropriate Security
Understanding needs: security must be proportional to risks
Organizations face different risks
Policies and enforcement: policies bring consistency
Training in the importance of security and in protection techniques
Social engineering prevention training