Network Security. Gang Wang, Fall 2016 (lecture slides, 48 pages)

Slide 1: Network Security. Gang Wang, Fall 2016.

Slide 2: The Problem of Network Security
- The Internet allows an attacker to attack from anywhere in the world, from their home desk.
- They just need to find one vulnerability; a security analyst needs to close every vulnerability.
- Slides credit to Susan J. Lincke.

Slide 3: Pre-Attack: Network Scanning
- Nmap (Network Mapper) is an open-source tool for network exploration and security auditing.
- Nmap uses raw IP packets to determine: what hosts are available on the network; what services (application name and version) those hosts are offering; what operating systems (and OS versions) they are running; what type of packet filters/firewalls are in use.

Slide 4: Trinity using nmap (Matrix Reloaded) to discover that citypower uses vulnerable SSH software.

Slide 5: (nmap output, figure only)

Slide 6: Check out ZMap
- A single machine can scan the entire IPv4 address space in under 5 minutes.
- IPv4 addresses are 32 bits: 4,294,967,296 addresses in total.

Slide 7: Network Attack: Gaining Access?
- Network attacks: sniffing (eavesdropping), IP address spoofing, session hijacking.
- System attacks: buffer overflow, password cracking, SQL injection, Web protocol abuse, denial of service, trap door, virus, worm, Trojan.

Slide 8: Passive Attacks
- Eavesdropping (sniffing): listen to packets from other parties.
- Traffic analysis: learn about the network from observing traffic patterns.
- Footprinting (network mapping): probe to determine which software is installed on a system.
(Figure: Eve observing the traffic between Alice and Bob.)

Slide 9: Some Active Attacks
- Denial of service: the message did not make it, or the service could not run.
- Masquerading or spoofing: the actual sender is not the claimed sender (Joe receives a message "from Ann" that Bill actually sent).
- Message modification: the message was modified in transmission (man-in-the-middle between Joe and Ann).
- Packet replay: a past packet is transmitted again in order to gain access or otherwise cause damage.

Slide 10: Man-in-the-Middle Attack
- (Figure) The attacker sits between client and server and relays the exchange: the client's login (1) is forwarded to the server (2), then the client's password (3) is forwarded (4). The attacker learns both, and neither end notices.
Slide 11: Botnets
- Attacker -> command and control (C&C) -> bots (zombies).
- Bots host illegal movies, music, pornography and criminal web sites, and forward spam for financial gain.

Slide 12: Distributed Denial of Service (DDoS)
- Attacker -> C&C -> zombies -> victim.
- The zombies can barrage a victim server with requests, causing the network to fail to respond to anyone.

Slide 13: Common Attacks & Countermeasures
- Finding a way into the network: firewalls.
- Exploiting software bugs, buffer overflows: intrusion detection systems (IDS).
- TCP hijacking: IPsec.
- Denial of service: ingress filtering, IDS.
- Packet sniffing: encryption (SSH, SSL, HTTPS).
- Social problems: education.

Slide 14: How to defeat a port scan? DEFENSE

Slide 15: Firewalls
- A firewall isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.
(Figure: administered network | firewall | public Internet.)

Slide 16: Firewalls: Why
- Allow only authorized access to the inside network (a set of authenticated users/hosts).
- Prevent illegal modification/access of internal data, e.g., an attacker replacing the CIA's homepage with something else.
- Prevent denial-of-service attacks, e.g., SYN flooding: the attacker establishes many bogus TCP connections so that no resources are left for real connections.
- Two types of firewalls: stateless packet filters and stateful packet filters.

Slide 17: TCP 3-Way Handshake (figure: SYN, SYN/ACK, ACK)

Slide 18: Stateless Packet Filtering
- Should an arriving packet be allowed in? Should a departing packet be let out?
- The internal network is connected to the Internet via a router firewall.
- The router filters packet by packet; the decision to forward or drop a packet is based on: source and destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits (i.e., where the packet sits in the 3-way handshake).
- Stateful firewall vs. stateless firewall.
Slide 19: Access Control Lists
- ACL: a table of rules, applied top to bottom to incoming packets: (action, condition) pairs.
- Example policy: allow HTTP initiated from inside, allow DNS inbound and outbound, deny everything else. The internal network is an unnamed /16 on the slide.

action | source address | dest address | protocol | source port | dest port | flag bit
allow  | the /16         | outside the /16 | TCP  | > 1023 | 80     | any
allow  | outside the /16 | the /16         | TCP  | 80     | > 1023 | ACK
allow  | the /16         | outside the /16 | UDP  | > 1023 | 53     | ---
allow  | outside the /16 | the /16         | UDP  | 53     | > 1023 | ---
deny   | all             | all             | all  | all    | all    | all

Slide 20: Stateless Packet Filtering Examples (policy -> firewall setting)
- No outside Web access -> drop all outgoing packets to any IP address, port 80.
- No incoming TCP connections, except those for the institution's public Web server -> drop all incoming TCP SYN packets to any IP except the Web server's address, port 80.
- Prevent streaming audio/video from eating up the available bandwidth -> drop all incoming UDP packets, except DNS and router broadcasts.
- Prevent your network from being used for a smurf DoS attack -> drop all ICMP packets going to a broadcast address.
- Prevent your network from being tracerouted -> drop all outgoing ICMP TTL-expired traffic.

Slide 21: Stateful Packet Filtering (protocol state analysis)
- A stateless packet filter admits packets that make no sense, e.g., an inbound segment from source port 80 with the ACK bit set even though no TCP connection has been established; the row "allow | outside the /16 | the /16 | TCP | 80 | > 1023 | ACK" lets it through.
- A stateful packet filter tracks the status of every TCP connection: it tracks connection setup (SYN) and teardown (FIN), so it can determine whether incoming and outgoing packets make sense, and it times out inactive connections at the firewall and no longer admits their packets.

Slide 22: Stateful Packet Filtering
- The ACL is augmented to indicate the need to check the connection table before admitting a packet; reject the packet if it is not part of an ongoing connection.

action | source address | dest address | proto | source port | dest port | flag bit | check conn. table
allow  | the /16         | outside the /16 | TCP | > 1023 | 80     | any |
allow  | outside the /16 | the /16         | TCP | 80     | > 1023 | ACK | x
allow  | the /16         | outside the /16 | UDP | > 1023 | 53     | --- |
allow  | outside the /16 | the /16         | UDP | 53     | > 1023 | --- | x
deny   | all             | all             | all | all    | all    | all |

- Connection table columns: source address, dest address, source port, dest port (the ongoing connections).
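The difference between the two ACLs above, as an added example in Python (not code from the slides): `stateless_acl` encodes the slide 19 rules, and `StatefulFilter` adds slide 22's connection table, tracking the three-way handshake so that the "port 80, ACK set, no connection" packet of slide 21 is rejected while a real connection opened from inside is admitted. The slides never name the internal /16, so 10.0.0.0/16 and the RFC 5737 documentation addresses are assumptions, and the packets are constructed records rather than captured traffic.

```python
"""Stateless vs. stateful packet filtering over the slides' ACL.

Added example, not from the slides. The internal "/16" is unnamed on the
slides, so 10.0.0.0/16 stands in for it; outside addresses are RFC 5737
documentation ranges. Packets are plain records, not real traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/16")   # assumption: the slides' unnamed "/16"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "TCP" or "UDP"
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}


def inside(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def stateless_acl(p: Packet) -> str:
    """Slide 19's rules, top to bottom: HTTP initiated from inside, DNS both ways, deny the rest."""
    out = inside(p.src) and not inside(p.dst)
    inb = not inside(p.src) and inside(p.dst)
    if p.proto == "TCP" and out and p.sport > 1023 and p.dport == 80:
        return "allow"
    if p.proto == "TCP" and inb and p.sport == 80 and p.dport > 1023 and "ACK" in p.flags:
        return "allow"   # slide 21: admits an ACK "from port 80" even with no connection
    if p.proto == "UDP" and out and p.sport > 1023 and p.dport == 53:
        return "allow"
    if p.proto == "UDP" and inb and p.sport == 53 and p.dport > 1023:
        return "allow"
    return "deny"


class StatefulFilter:
    """Slide 22: the same ACL, but inbound packets must match the connection table."""

    def __init__(self) -> None:
        # (inside addr, inside port, outside addr, outside port) -> connection state.
        # A real firewall also expires idle entries (slide 21); omitted here.
        self.conns: dict = {}

    def filter(self, p: Packet) -> str:
        if stateless_acl(p) == "deny":
            return "deny"                        # the ACL is still applied first
        if inside(p.src):                        # outbound: may open or advance a connection
            key = (p.src, p.sport, p.dst, p.dport)
            state = self.conns.get(key)
            if p.proto == "UDP":
                self.conns[key] = "UDP"          # remember the query so its reply is admitted
            elif "SYN" in p.flags and "ACK" not in p.flags:
                self.conns[key] = "SYN_SENT"     # handshake step 1
            elif state == "SYN_ACK_SEEN" and "ACK" in p.flags:
                self.conns[key] = "ESTABLISHED"  # handshake step 3
            elif "FIN" in p.flags or "RST" in p.flags:
                self.conns.pop(key, None)        # teardown: stop admitting replies
            elif state is None:
                return "deny"                    # outbound ACK/data without a handshake
            return "allow"
        key = (p.dst, p.dport, p.src, p.sport)   # inbound: must belong to an ongoing connection
        state = self.conns.get(key)
        if state is None:
            return "deny"                        # the bogus port-80 ACK ends here
        if p.proto == "UDP":
            return "allow"
        if state == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
            self.conns[key] = "SYN_ACK_SEEN"     # handshake step 2
            return "allow"
        if state in ("SYN_ACK_SEEN", "ESTABLISHED") and "ACK" in p.flags:
            return "allow"
        return "deny"


def demo() -> dict:
    """Slide 21's bogus packet, a real handshake, and DNS; returns every verdict."""
    fw = StatefulFilter()
    client, web, dns = "10.0.1.1", "203.0.113.5", "198.51.100.53"   # constructed
    bogus = Packet(web, client, "TCP", 80, 40000, frozenset({"ACK"}))
    verdicts = {"bogus_stateless": stateless_acl(bogus), "bogus_stateful": fw.filter(bogus)}
    handshake = [
        Packet(client, web, "TCP", 40000, 80, frozenset({"SYN"})),
        Packet(web, client, "TCP", 80, 40000, frozenset({"SYN", "ACK"})),
        Packet(client, web, "TCP", 40000, 80, frozenset({"ACK"})),
        Packet(web, client, "TCP", 80, 40000, frozenset({"ACK"})),   # first data segment
    ]
    verdicts["handshake"] = [fw.filter(p) for p in handshake]
    reply = Packet(dns, client, "UDP", 53, 5353)
    verdicts["dns_unsolicited"] = fw.filter(reply)
    fw.filter(Packet(client, dns, "UDP", 5353, 53))                  # the query goes out
    verdicts["dns_reply"] = fw.filter(reply)
    return verdicts
```

Running `demo()` shows the stateless ACL returning "allow" for the unsolicited port-80 ACK while the stateful filter returns "deny"; the same filter admits all four segments of a handshake opened from inside and admits a DNS reply only after the matching query has left. The UDP entries never expire in this sketch, which is exactly the timeout the slide says a real firewall must add.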
Slide 23: Limitations of Firewalls
- IP spoofing: the router can't know whether data really comes from the claimed source.
- If multiple applications need special treatment, each needs its own application gateway.
- Tradeoff between the degree of communication with the outside world and the level of security.
- Many highly protected sites still suffer from attacks.
- Client software must know how to contact the gateway, e.g., the proxy's IP address must be set in the Web browser.

Slide 24: Common Attacks & Countermeasures (recap of slide 13)
- Finding a way into the network: firewalls. Exploiting software bugs, buffer overflows: IDS. TCP hijacking: IPsec. Denial of service: ingress filtering, IDS. Packet sniffing: encryption (SSH, SSL, HTTPS). Social problems: education.

Slide 25: Cipher properties (aside)
- Confusion: the relationship between the key and the ciphertext is complex, so an attacker cannot predict how the ciphertext changes when one character of the key changes.
- Diffusion: the cipher spreads the information of each plaintext character over the entire ciphertext.
- Block-cipher modes: cipher-block chaining (CBC); ECB is not secure (identical plaintext blocks produce identical ciphertext blocks).

Slide 26: Intrusion Detection Systems
- Multiple IDSs: different types of checking at different locations.
- (Figure) Internet -> firewall -> demilitarized zone, a low-security region holding the Web, FTP and DNS servers that need to communicate with the outside -> application gateway (access control) -> internal network, with three IDS sensors placed along the way.
- Distributing sensors improves efficiency and granularity.

Slide 27: Intrusion Detection Systems
- Packet filtering in firewalls operates on TCP/IP headers only, with no correlation check among sessions.
- An IDS performs deep packet inspection: it looks at packet contents (e.g., checks character strings in the packet against a database of known virus and attack strings).
- It examines correlation among multiple packets: port scanning, network mapping, DoS attacks.
- An IDS is a device that generates alerts when it observes potentially malicious traffic: passive monitoring; free, open-source implementations exist (Snort, used on slide 31).
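Correlating packets across a source, which slide 27 lists as what a firewall cannot do and an IDS can, as an added example in Python (not code from the slides): a sliding-window detector that counts how many distinct (host, port) targets each source has probed with a SYN in the last 60 seconds and raises one alert per source when the count crosses a threshold, labelling the scan vertical (many ports on one host) or horizontal (one port on many hosts). The flow records, window and threshold are constructed for the example.

```python
"""Port-scan detection by correlating packets from one source (slide 27).

Added example, not from the slides. Input records are constructed flow
summaries, one per line: "<epoch-seconds> <src> <dst> <dst-port> <tcp-flags>".
A packet filter sees each SYN as a harmless connection attempt; the detector
keeps per-source history and alerts when one source touches many distinct
(host, port) targets within a sliding time window.
"""
from collections import defaultdict, deque

WINDOW = 60       # seconds of history kept per source
THRESHOLD = 10    # distinct (host, port) targets within WINDOW that trigger an alert


def detect_scans(lines, window=WINDOW, threshold=THRESHOLD):
    """Return [(time, src, kind, targets)] alerts; lines must be in time order."""
    history = defaultdict(deque)   # src -> deque of (time, (dst, port))
    alerted = set()                # sources already reported in their current window
    alerts = []
    for line in lines:
        t, src, dst, port, flags = line.split()
        t, port = int(t), int(port)
        if "S" not in flags or "A" in flags:
            continue               # only connection attempts (SYN without ACK) count
        q = history[src]
        q.append((t, (dst, port)))
        while q and q[0][0] < t - window:
            q.popleft()            # slide the window forward
        targets = {target for _, target in q}
        if len(targets) < threshold:
            alerted.discard(src)   # below threshold again: may alert on a later burst
            continue
        if src not in alerted:
            hosts = {host for host, _ in targets}
            kind = "vertical" if len(hosts) == 1 else "horizontal"   # many ports vs. many hosts
            alerts.append((t, src, kind, len(targets)))
            alerted.add(src)
    return alerts


def sample_log():
    """Constructed records: normal traffic, one vertical scan, one horizontal scan."""
    lines = ["100 10.0.1.5 198.51.100.7 443 S", "101 10.0.1.5 198.51.100.7 443 A",
             "140 10.0.1.6 198.51.100.8 80 S", "200 203.0.113.9 10.0.1.1 8080 S"]
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    lines += [f"{100 + i} 203.0.113.9 10.0.1.1 {p} S" for i, p in enumerate(ports)]
    lines += [f"{300 + j} 203.0.113.10 10.0.1.{j + 1} 445 S" for j in range(10)]
    return sorted(lines, key=lambda l: int(l.split()[0]))
```

On the constructed log the detector fires once for 203.0.113.9 at the tenth probed port (t = 109) and once for 203.0.113.10 after the tenth host (t = 309); the single later probe at t = 200 stays under the threshold because the earlier probes have aged out of the window. A scanner that spreads its probes over hours, or across many source addresses, falls below any fixed per-source threshold, which is why real deployments pair this with the anomaly baselines discussed later.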
Slide 28: Intrusion Prevention System
- IPS: a device that actively filters out suspicious traffic; network traffic flows through the IPS.
- It can terminate connections and block access of user accounts or IP addresses.
- It responds to detected threats in real time, e.g., deleting malicious content, applying patches, reconfiguring a firewall or router, running executables in virtual environments.
- Cisco global correlation (IPS 7.0+): reputation scores for the sources, obtained from centralized databases.

Slide 29: Signature-Based IDS
- A signature-based IDS maintains a database of attack signatures; each signature is a set of rules pertaining to an intrusion activity: a list of characteristics of a single packet or of a series of packets.
- Single-packet characteristics: packet size, source and destination port numbers, protocol type, a string of bits in the payload; e.g., an ICMP echo whose reassembled size exceeds the 65,535-byte IP maximum (ping of death).
- Limitations: blind to new attacks (false negatives); false alarms (false positives); processing cost, since every packet is compared against an extensive collection of signatures.
- Rates: false positive rate (FP), false negative rate (FN); true positive rate = 1 - FN; true negative rate = 1 - FP.

Slide 30: Conficker (aka Downadup) worm
- The encoded shellcode is XOR-obfuscated with the single-byte key 0xC4; the decoded shellcode is shown alongside (figure).

Slide 31: A Snort IDS signature for the Conficker.A worm
- Conficker (a botnet; 9 to 15 million computers affected) exploits a stack buffer overflow in the Windows Server service (MS08-067), executes shellcode on the affected Windows system, downloads a copy of itself, infects the host and continues spreading.
- The rule covers the full static part of Conficker.A's shellcode. It starts with a CALL instruction which is part of the decryptor stub's GetPC sequence and ends with the bytes ac b0 b0 b4 fe eb eb, which XOR-decode (key 0xC4) to "http://". The next part would be an IP address that can vary, so it is not included in the signature.
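The signature idea of slides 29 to 31, as an added example in Python (not code from the slides and not a Snort rule): `xor_decode` applies the slide's 0xC4 key to the seven-byte tail and recovers "http://", `SIGNATURES` holds a content match on that static tail plus a size check for ping of death, and `match_signatures` compares one packet against every entry, which is the per-packet cost slide 29 mentions. Everything around the tail (the filler bytes, the C2 host, the sample packets) is constructed; the re-keyed sample shows the false negative a static signature produces when the same shellcode is encoded with a different key.

```python
"""Signature-based detection of the Conficker.A shellcode tail and ping of death.

Added example, not from the slides and not a Snort rule. Only the XOR key
0xC4 and the seven-byte tail "ac b0 b0 b4 fe eb eb" come from slides 30-31;
the surrounding payload bytes and the sample packets are constructed.
"""
XOR_KEY = 0xC4
CONFICKER_TAIL = bytes.fromhex("ac b0 b0 b4 fe eb eb")
IP_MAX_LEN = 65535          # largest legal IPv4 datagram; bigger means a reassembly overflow


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this also re-encodes plaintext."""
    return bytes(b ^ key for b in data)


# Signature = (name, condition over a packet dict), in the spirit of a Snort rule:
# protocol and port restrict where the content match is even attempted.
SIGNATURES = [
    ("conficker-a-shellcode",
     lambda p: p["proto"] == "TCP" and p["dport"] == 445 and CONFICKER_TAIL in p["payload"]),
    ("ping-of-death",
     lambda p: p["proto"] == "ICMP" and p["icmp_type"] == 8 and p["ip_len"] > IP_MAX_LEN),
]


def match_signatures(packet: dict) -> list:
    """Compare one packet against every signature (slide 29's per-packet cost)."""
    return [name for name, cond in SIGNATURES if cond(packet)]


def conficker_like_payload(c2_host: bytes, key: int = XOR_KEY) -> bytes:
    """Constructed stand-in for the exploit payload: filler, then the XOR-encoded
    "http://" + host. With key 0xC4 the first seven encoded bytes are exactly the
    static tail from the slide; the host part varies and is not in the signature."""
    return b"\x90" * 8 + xor_decode(b"http://" + c2_host, key)


def demo() -> dict:
    """Decode the slide's tail and run the signatures over constructed packets."""
    tcp445 = {"proto": "TCP", "dport": 445, "ip_len": 300, "icmp_type": None}
    icmp = {"proto": "ICMP", "dport": 0, "icmp_type": 8, "payload": b""}
    return {
        "decoded_tail": xor_decode(CONFICKER_TAIL),
        "conficker": match_signatures({**tcp445, "payload": conficker_like_payload(b"192.0.2.10")}),
        # same shellcode, different key: the static signature is blind to it (false negative)
        "rekeyed": match_signatures({**tcp445, "payload": conficker_like_payload(b"192.0.2.10", 0xC5)}),
        "benign_smb": match_signatures({**tcp445, "payload": b"\x00SMB" + b"\x00" * 28}),
        "ping_of_death": match_signatures({**icmp, "ip_len": IP_MAX_LEN + 1}),
        "normal_ping": match_signatures({**icmp, "ip_len": 84}),
    }
```

`demo()` returns "http://" for the decoded tail, one hit for the constructed Conficker-style packet, no hit for the re-keyed copy or the benign SMB packet, and a hit only for the oversized echo request. Matching on the decoded bytes instead of the encoded ones would catch the re-keyed variant, at the cost of trying every key per packet, which is the processing-cost trade-off of slide 29.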
Slide 32: How to detect attacks that are not previously known?

Slide 33: Anomaly-Based IDS [Dorothy Denning, 1986]
- Observe normal traffic first; then look for packet streams that are statistically unusual, e.g., an unusual percentage of ICMP packets, or sudden exponential growth in port scans and ping echo requests.
- Advantage: can detect new attacks (in theory).
- Disadvantages: needs a lot of training data to learn what "normal" is; hard to distinguish normal from abnormal activity (e.g., stealthy malware).
- Also used for detecting fraud and insider trading.
- Not as common as signature-based IDS.

Slide 34: IPsec, a network-layer security protocol, designed together with IPv6 and also usable with IPv4.

Slide 35: What are the attack models and security goals for the IP protocol?
- IP forgery attacks: the attacker forges an IP address. Eavesdropping attacks: the attacker learns the content of IP packets.
- Goal 1: authenticity of IP addresses (AH and ESP).
- Goal 2: confidentiality of IP packets: the payload (ESP) and the header (tunnel mode). Why hide an IP address?

Slide 36: Authentication Header (AH) and Encapsulating Security Payload (ESP)
- AH ("light mode"): provides source authentication and data integrity, no confidentiality. The AH header is inserted between the IP header and the data field; it carries the next-header (protocol) type, a security parameter identifier, a sequence number and an ICV (integrity check value, computed as a keyed MAC such as HMAC rather than a public-key digital signature).
- ESP ("full mode"): provides source authentication, data integrity and confidentiality; the payload is encrypted; more complex than AH.
- (Figure: IP header | AH header | data (e.g., TCP or UDP segment): an IP datagram with an AH header.)

Slide 37: Tunnel Mode vs. Transport Mode
- Tunnel mode encapsulates the IP header: it generates a new IP header and treats the old one as part of the datagram payload, e.g., to hide the real source and destination addresses from observers on the path (the gateway-to-gateway VPN case).
- Transport mode is simpler (no new IP header).
- Combinations: AH + transport (new AH header); ESP + transport (payload encryption as well); AH + tunnel (new AH header, new IP header); ESP + tunnel (payload encryption as well).

Slide 38: ESP with tunnel mode or transport mode (figure).
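The AH and ESP layouts of slide 36 and the two modes of slide 37, as an added example in Python (not code from the slides and not an IPsec implementation): `ah_transport` builds an AH-in-transport-mode datagram whose ICV is an HMAC-SHA256-96 over the immutable IP header fields, the AH header and the payload, and `esp_tunnel` wraps a whole inner datagram in an outer gateway-to-gateway header plus an ESP header, ciphertext and ICV. Keys and addresses are constructed; the ESP "encryption" is a keystream derived with HMAC so the example runs on the standard library, standing in for the AES mode a real ESP SA would negotiate. The NAT check at the end is why AH breaks behind address translation (slide 47).

```python
"""IPsec AH (transport mode) and ESP (tunnel mode) encapsulation, added example.

Not the slides' code and not a real IPsec stack. Keys and addresses are
constructed; the ICV is HMAC-SHA256 truncated to 96 bits (as in RFC 4868);
the ESP keystream is an HMAC-based stand-in for AES so the example needs only
the standard library. IP header checksums are left zero: the ICV excludes them.
"""
import hashlib
import hmac
import struct
from ipaddress import ip_address

AH, ESP = 51, 50            # IP protocol numbers
IPIP = 4                    # next-header value for an encapsulated IPv4 datagram
ICV_LEN = 12                # HMAC-SHA256-96


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def addresses(datagram):
    return str(ip_address(datagram[12:16])), str(ip_address(datagram[16:20]))


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def _ah_immutable(ip_hdr):
    """Zero the fields routers may change (TTL, checksum) before computing the ICV;
    the addresses stay covered, which is exactly what a NAT rewrites."""
    return ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]


def ah_transport(key, src, dst, proto, payload, spi, seq):
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH, ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", proto, ah_len // 4 - 2, 0, spi, seq)
    icv = _icv(key, _ah_immutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key, datagram):
    ip_hdr, ah_fixed = datagram[:20], datagram[20:32]
    icv, payload = datagram[32:32 + ICV_LEN], datagram[32 + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(key, _ah_immutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload))


def _keystream(key, spi, seq, n):
    blocks, ctr = b"", 0
    while len(blocks) < n:              # stand-in for a block cipher in counter mode
        blocks += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return blocks[:n]


def esp_tunnel(enc_key, auth_key, gw_src, gw_dst, inner_datagram, spi, seq):
    pad_len = (-(len(inner_datagram) + 2)) % 4             # ESP trailer: pad, pad len, next header
    plain = inner_datagram + bytes(pad_len) + bytes([pad_len, IPIP])
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, spi, seq, len(plain))))
    esp_hdr = struct.pack("!II", spi, seq)
    icv = _icv(auth_key, esp_hdr + cipher)                  # integrity over header + ciphertext
    outer = ipv4_header(gw_src, gw_dst, ESP, len(esp_hdr) + len(cipher) + len(icv))
    return outer + esp_hdr + cipher + icv


def esp_tunnel_open(enc_key, auth_key, datagram):
    """Return the inner datagram, or None if the ICV does not verify."""
    esp_hdr, cipher, icv = datagram[20:28], datagram[28:-ICV_LEN], datagram[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(auth_key, esp_hdr + cipher)):
        return None
    spi, seq = struct.unpack("!II", esp_hdr)
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, spi, seq, len(cipher))))
    pad_len = plain[-2]
    return plain[:len(plain) - 2 - pad_len]


def demo():
    auth_key, enc_key = b"constructed-auth-key", b"constructed-enc-key"
    payload = b"GET / HTTP/1.0\r\n\r\n"
    ah = ah_transport(auth_key, "10.0.1.1", "203.0.113.5", 6, payload, spi=0x100, seq=1)
    natted = ah[:12] + ip_address("198.51.100.1").packed + ah[16:]   # a NAT rewrote the source
    inner = ipv4_header("10.0.1.1", "10.1.0.7", 6, len(payload)) + payload
    esp = esp_tunnel(enc_key, auth_key, "192.0.2.1", "198.51.100.1", inner, spi=0x200, seq=1)
    return {"ah_ok": ah_verify(auth_key, ah), "ah_after_nat": ah_verify(auth_key, natted),
            "outer": addresses(esp), "inner": addresses(esp_tunnel_open(enc_key, auth_key, esp)),
            "inner_addrs_visible": inner[12:20] in esp}
```

`demo()` verifies the untouched AH datagram, fails it once a NAT has rewritten the source address, and for the ESP tunnel shows an outside observer only the two gateway addresses while the receiving gateway recovers the inner 10.0.1.1 -> 10.1.0.7 datagram. A real deployment also checks the sequence number against an anti-replay window, the counter to slide 9's packet replay.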
Slide 39: Key Management in IPsec
- Two approaches: manual and automated.
- Manual: system admins configure hosts with crypto algorithms and secret keys by hand (pre-shared keys); only suitable for small, low-risk environments.
- Automated: crypto algorithms and keys are obtained automatically via the Internet Key Exchange protocol (IKE), which uses public-key cryptography (an authenticated Diffie-Hellman exchange) to establish keys; suitable for large, high-risk environments.

Slide 40: VPN

Slide 41: Virtual Private Networks (VPN)
- VPN: end-to-end secure connections over the public Internet, using authentication and encryption to protect the payload.
- Creates virtual channels between connected entities: host-to-host, host-to-gateway, gateway-to-gateway.
- VPNs can work at different network layers: PGP (application layer), SSL (transport layer), IPsec (network layer), PPTP (data link layer).

Slide 42: Tunneling
- Tunneling is encapsulating one type of packet inside another: DNS tunneling (e.g., encapsulating arbitrary data in DNS packets); HTTP tunneling (e.g., encapsulating SMTP traffic in HTTP traffic).
- Sender and receiver agree on the format and its interpretation.
- Deep packet inspection may detect tunnels, e.g., from the probability distribution of the payload bytes.
- Example: the firewall only allows HTTP traffic, so SMTP traffic is encapsulated in HTTP packets.

Slide 43: Encapsulating SMTP into an HTTP packet (figure: the SMTP packet becomes the payload of an HTTP packet, which crosses the Internet and is unwrapped at the far end).
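Both sides of slide 42, as an added example in Python (not code from the slides): a tunnel that hides arbitrary bytes (here a constructed SMTP exchange, the slide's HTTP example carried over to the DNS case the slide also names) inside the labels of DNS query names, the matching decoder, and a deep-packet-inspection check that flags names by label length and by the character distribution (Shannon entropy) of the subdomain, which is the "probability distribution of payload" idea. The zone `t.example.net`, the normal query names and the thresholds are assumptions.

```python
"""DNS tunneling and its detection by payload distribution (slide 42), added example.

Not the slides' code. The attacker-controlled zone, the sample SMTP bytes and
the list of "normal" names are constructed; thresholds are illustrative.
"""
import base64
import math
from collections import Counter

TUNNEL_ZONE = "t.example.net"     # assumption: zone whose nameserver the attacker runs
SMTP_SAMPLE = (b"MAIL FROM:<alice@example.org>\r\nRCPT TO:<bob@example.net>\r\n"
               b"DATA\r\nHello\r\n.\r\n")                          # constructed
NORMAL_NAMES = ["www.example.com", "mail.example.org", "api-v2.service.example.net",
                "static-assets-01.cdn.example.com"]                 # constructed


def encode_into_dns_names(data, zone=TUNNEL_ZONE, label_len=60, max_labels=3):
    """Base32 the data (DNS names are case-insensitive, so base64 is unsafe) and
    cut it into labels of at most 63 characters; each name carries a sequence label."""
    text = base64.b32encode(data).decode().rstrip("=").lower()
    chunk = label_len * max_labels
    names = []
    for seq, start in enumerate(range(0, len(text), chunk)):
        piece = text[start:start + chunk]
        labels = [piece[i:i + label_len] for i in range(0, len(piece), label_len)]
        names.append(".".join([str(seq)] + labels + [zone]))
    return names


def decode_from_dns_names(names, zone=TUNNEL_ZONE):
    """The tunnel server's side: strip zone and sequence label, re-pad, decode."""
    suffix = "." + zone
    pieces = []
    for name in sorted(names, key=lambda n: int(n.split(".")[0])):
        pieces.append("".join(name[:-len(suffix)].split(".")[1:]))
    text = "".join(pieces).upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def entropy(s):
    """Shannon entropy in bits per character."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(name, max_label=40, min_entropy=4.0, min_chars=16):
    """DPI heuristic: very long labels, or a long subdomain whose characters are
    spread almost uniformly (base32 text approaches 5 bits/char; words sit near 3)."""
    labels = name.split(".")
    sub = "".join(labels[:-2])      # crude: treat the last two labels as the registered zone
    if max(len(label) for label in labels) > max_label:
        return True
    return len(sub) >= min_chars and entropy(sub) > min_entropy
```

The encoder turns the 74-byte SMTP sample into a single query name with two long labels, the decoder recovers the bytes exactly, and the heuristic flags that name while passing the four constructed normal names. The limits are the ones slide 33 warns about for any statistical detector: a tunnel that keeps labels short and sends slowly stays under the length rule, and legitimate services with long encoded labels (anti-virus and reputation lookups, DKIM records) produce false positives, so production detectors also rate-limit per zone and whitelist.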
Slide 44: PPTP (Point-to-Point Tunneling Protocol): VPN at the data link layer
- Protects frames on the network: creates a tunnel that hides the entire payload of the frames (encapsulation of the data-link frame and the IP datagram inside it).
- Included in Windows.
- No inherent encryption capabilities; encryption can be added to obtain data confidentiality (in a true VPN). Caveat: the encryption Windows adds (MPPE, keyed from MS-CHAPv2) has known weaknesses and is not recommended for new deployments.
- Alternative: L2TP (Layer 2 Tunneling Protocol).

Slide 45: PPTP cont'd (figure).

Slide 46: PPTP encapsulation (outbound traffic from a laptop)
- Without VPN: Ethernet MAC (to the ISP's router) | IP datagram (to the final destination) | payload.
- With VPN: Ethernet MAC (to the ISP's router, for getting out of the ISP's network) | IP datagram (to VT's VPN server) | encrypted with the key shared with the VT VPN server: [ Ethernet MAC (to VT's LAN router) | IP datagram (to the final destination) | payload ].

Slide 47: VPN Pros and Cons
- Advantages: security (confidentiality, integrity, authentication); leverages the existing network infrastructure; ease of deployment.
- Disadvantages: processing overhead (encryption, encapsulation), since the VPN must encrypt and encapsulate every packet, a high workload for VPN gateways; the added headers mean each frame carries fewer useful payload bytes; incompatibility with network address translation (NAT): AH's integrity check covers the IP addresses a NAT rewrites, and ESP hides the transport ports a NAT keys on, so ESP behind NAT needs the UDP-encapsulation (NAT traversal) extension.