Summer 2003 © 2000-2003, Richard A. Stanley
WPI EE579T_GD/1 #1
EE579T / CS525T Network Security
1: Course Overview and Computer Security Review
Prof. Richard A. Stanley
Overview of Tonight’s Class
• Administration
• Is network security a problem, or just an interesting topic?
• What is different between computer security and network security?
• Review of computer security
Administration
Some Observations
• Language is important. Some examples gleaned from exams:
– loose (an adverb) vs. lose (a verb)
– sever (a verb) vs. severe (an adverb)
– supper computer vs. super computer (presumably, this is one that won’t eat your lunch?)
• It is a good idea to pay attention to the grammar and spelling hints Word offers
More Observations
• It is essential to pay attention to the little things. Exams were filled with correct, complex mathematical operations whose results were wrong because of simple arithmetical errors. Ditto for circuit diagrams.
– I applied generosity in these cases, as I am teaching concepts. The real world won’t.
Occam’s Razor
• Occam's Razor is a principle attributed to the 14th century logician and Franciscan friar, William of Occam
• “Entities should not be multiplied unnecessarily.”
– For science: “When you have two competing theories which make exactly the same predictions, the one that is simpler is the better.”
http://math.ucr.edu/home/baez/physics/General/occam.html
When Shall We Meet?
• Preference has been expressed for 3-7 PM or 4-8 PM
– I can’t do all the classes at these times, but we can do many of them that way
– To do this, it will be easier to meet on Tuesday, as in the fall I will have a 6-9 PM class on Mondays
Course Text
• Network Security Essentials, 2nd Ed., William Stallings, Prentice Hall, 2002 ISBN 0-13-035128-8
• Additional material will be in the form of handouts and pointers to research materials
Course Web Page
• For the moment, is a victim of security!
– As we are on a different course schedule from the campus, slides for this class will bear the suffix “_GD”
– Working on another location ASAP--you will be advised as soon as I have it locked down
• Slides will be made available before class, barring any unfortunate problems
Grading
• Course exam (30%)
• Homework (20%)
• Class participation (20%)
• Course project (30%)
Policies
• Homework is due at the class following the one in which it is assigned. It will be accepted--with a one grade penalty--up to the second class after that in which it is assigned, but not after that, except in truly emergency situations. By definition, emergencies do not occur regularly.
• There is a difference between working in teams and submitting the same work. If work is a team product, it must be clearly labeled as such.
Is Network Security Really an Important Problem?
Network Security: What’s the Big Deal?
• Not a new problem
• Not just a creation of the press
• Not just for rocket scientists
• As professionals, failure to understand and implement appropriate security can come back to haunt you in terms of liability and reputation
Computer Security versus Network Security
Computer security involves preventing, detecting, and responding to unauthorized actions on a computer system.
Network security means the same thing for a group of networked computers.
To understand network security, you must first understand computer security. There is no “easy” way around this.
One View
Computer Security
Network Security
WWW Security
Points to Ponder
• 90% of businesses reported attacks against their networks in 2002
• 80% reported financial losses
• 44% were able to quantify their losses, averaging more than $2M per organization
• Majority of misuse formerly came from authorized users, but external attacks rising in frequency and severity for fifth year in a row.
Source: "Issues and Trends: 2003 CSI/FBI Computer Crime and Security Survey"
What’s the Problem?
• Financial liability
– Due diligence
– Simple negligence
– Gross negligence
• Goodwill
• One bad press release cancels 1000 attaboys
This is a “you bet your business” issue
Why Networks Matter
• If computers cannot be secured individually, the network cannot be secure
• Networking makes the most individually secure computer on the network only as secure as the least individually secure computer on the network.
• Networking offers new vulnerabilities
• Speed of mischief increases exponentially
And Most Especially...
• Mobile code is a basic staple of the internet, and other networks as well
– This is a wholly new paradigm
• Users are not usually aware of mobile code
• Novelty and convenience trump security every time
– Consider the dancing pigs
Analogy
• One can easily define the security perimeter of a single computer. You can probably even literally “put your arms around it.”
• One cannot easily define the perimeter of a group of networked computers, except under a set of trivial conditions that are meaningless in practice.
• So, where to put the security? And HOW to make it happen?
Role of Technology
• Technology is a useful tool, not a panacea.
• A clear policy, evenly enforced, is the most critical element of success.
• Don’t ignore the fundamentals.
– Caterpillar’s entire network was compromised by not revoking a former employee’s password.
• Perfection does not exist in the real world
Why Isn’t This Topic More Theoretical?
“In theory, there is no difference between theory and practice. In practice, there is.” -- Yogi Berra
Remember the Security Theorem
• Proving a computer to be secure required:
– Knowledge of the security of each state transition
– An exhaustive catalog of all possible states
– Knowledge of the initial conditions
• Now, how do we apply this approach to a network with changing topology?
Why Is A Proof Elusive?
• A secure network must be secure under all conditions of operation
• This demands proof that there is no condition under which it could operate that is insecure, i.e. the negative proposition.
• However, formal logic teaches us it is impossible to prove a negative
• Q.E.D.
Computer Security Review
Or: How I Learned to Stop Worrying and Love Uncertainty
Security Requirements
• Customers expect “reasonably secure” handling of their sensitive data
• The Devil is in the details
– What is “reasonable?”
– What is “secure?”
– What data is “sensitive?”
– When is it your responsibility?
A Curious Property of Information
• Information is the only thing that can be stolen and still leave the owner in possession of it
• This poses some serious problems, which the course will address
• Networks increase the seriousness of the problem, as compared to single computers
The Security Dilemma
• Security is something most users want, but that most know little about
• Security gets in the way of using the network
• The tighter the security, the harder the system is to use, and the more likely it is that the users will bypass security measures
The Totally Secure System
• Is relatively simple to build
• Is provably secure
• Is useless for any practical purposes
Our job is to learn how to design computer networks to provide the necessary level of security without going overboard.
Security Needs, Threats
Security needs:
• Confidentiality
• Integrity
• Availability
• Authenticity
• Reliability and safety
• Vulnerability assessment
• Risk management
Threats:
• Interception
• Modification
• Denial of service
• Spoofing
• Dangerous conditions
• Exploitation of unguarded conditions
• Wasted resources
Security Objectives
A – I – C: Availability, Integrity & Authenticity, Confidentiality
Protect, detect and recover from insecurities
Security = Asset protection
Protect, Detect, Correct, Manage
Risk Analysis
Identification & Authentication
• Identification
– A unique entity descriptor
• Authentication
– Verifying the claimed identification
• These are crucial to network security
These are two sides of the same coin, but they are NOT the same thing
Password
• Most commonly used
• Relatively easy to compromise or break
• Many threats
• Usability issues
• First line of defense, but not a very solid one
Password Problems
• Security/sharing
• System is only as secure as the weakest link
• Vulnerable to brute force attack
– Dictionary attacks easy, in any language
– Other intelligent searches
– Exhaustive attacks
• Password file vulnerable
• Spoofing, man-in-the-middle
Authentication
• Validates you are who you claim to be
– Something you know
– Something you have
– Something you are
– Something you do
– Somewhere you are
• An intruder who has the authentication keys looks just like the real user!
Something You Know
• Password
• PIN
• Some other piece of information (e.g. your mother’s maiden name -- very popular)
• NB: anyone who obtains this information is -- so far as the computer knows -- you. Is there a problem here?
Something You Have
• Physical token
– Physical key
– Magnetic card
– Smart card
– Calculator
• What if you lose it?
Something You Are
• Biometrics
– Fingerprints
– Face geometry
– Voiceprints
– Retinal scanning
– Hand geometry
• False positives, negatives
• User acceptance
Something You Do
• Mechanical tasks
– Signature (pressure, speed)
– Joystick
• False positives, negatives
• Potential for forgery, replay, etc.
Somewhere You Are
• Limit use by user location
• Vet location by GPS, etc.
• Reliability, dependability, complexity
But First: Security Awareness
• View the world as if you had to design a security solution for whatever situation you are in
• Even paranoiacs have real enemies
• Assumptions are your enemy
Access Control
• Provides limits on who can do what with objects on the computer
• Can’t happen without identification and authentication
• Is not the same as identification and authentication
Subjects and Objects
• Remember your English grammar
• Subjects act
• Objects are acted upon
• These roles are not graven in stone
– If you hit the ball, you are the subject
– If the ball hits you, you are the object
• It is just the same in computer science
Access Control Model
Subject → Request → Reference Monitor → Object
Reference Monitor
• Makes access control work
• You can tell it
– What a subject is allowed to do
– What may be done with an object
• In order to specify these things, you need to know all the possibilities, or you need to define things narrowly so that what you don't know doesn’t become allowed
Access Control Matrix
• A = set of access operations permitted
• S = set of subjects
• O = set of objects
$M = (M_{so})_{s \in S,\, o \in O}$, with $M_{so} \subseteq A$
Security Model Types
• Formal (high-assurance computing)
– Bell-LaPadula
– Biba
– Chinese Wall
• Informal (policy description)
– Clark-Wilson
Bell-LaPadula
• Describes access policies and permissions
• S is the set of subjects
• O is the set of objects
• A is the set of access operations = {execute, read, append, write}={e,r,a,w}
• L is the set of security levels with partial ordering
BLP State Set
• $B \times M \times F$ is the state set
• $B = \mathcal{P}(S \times O \times A)$ is the set of current accesses
• $M = M_{so}$ is the set of access permission matrices
• $F \subseteq L_S \times L_C \times L_O$ is the set of security level assignments, c dominates s
Basic Security Theorem
• A state transition is secure if both the initial and the final states are secure, so
• If all state transitions are secure and the initial system state is secure, then every subsequent state will also be secure, regardless of which inputs occur. (Proof)
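As an added example (written for this review, not part of the lecture slides), a small reference monitor over the access control matrix and the Bell-LaPadula state just described: each request is admitted only if the successor state is secure, which is exactly the "all transitions secure" premise of the Basic Security Theorem. The names, levels and matrix entries are constructed; applying the ss-property with the subject's maximum level and the *-property with its current level follows the standard BLP formulation and is an assumption here.

```python
from dataclasses import dataclass

# Access operations A = {execute, read, append, write}, as on the slides.
A = {"e", "r", "a", "w"}

# Constructed security levels: (classification, frozenset of categories).
# l1 dominates l2 iff classification >= and categories form a superset.
Level = tuple[int, frozenset[str]]

def dominates(l1: Level, l2: Level) -> bool:
    return l1[0] >= l2[0] and l1[1] >= l2[1]

@dataclass
class State:
    """One BLP state (b, M, f): current accesses, permission matrix, levels."""
    B: set[tuple[str, str, str]]          # current accesses (s, o, a)
    M: dict[tuple[str, str], set[str]]    # M_so ⊆ A; missing pair = no rights
    fS: dict[str, Level]                  # maximum level of each subject
    fC: dict[str, Level]                  # current level of each subject
    fO: dict[str, Level]                  # level of each object

def permitted(st: State, s: str, o: str, a: str) -> bool:
    """Discretionary check against the access control matrix (default deny)."""
    return a in st.M.get((s, o), set())

def ss_property(st: State, s: str, o: str, a: str) -> bool:
    """Simple security (no read up): observing requires f_S(s) >= f_O(o)."""
    return a not in {"r", "w"} or dominates(st.fS[s], st.fO[o])

def star_property(st: State, s: str, o: str, a: str) -> bool:
    """*-property (no write down): altering requires f_O(o) >= f_C(s)."""
    return a not in {"a", "w"} or dominates(st.fO[o], st.fC[s])

def secure(st: State) -> bool:
    """A state is secure iff every current access passes all three checks."""
    return all(permitted(st, *t) and ss_property(st, *t) and star_property(st, *t)
               for t in st.B)

def request(st: State, s: str, o: str, a: str) -> bool:
    """Reference monitor: admit the access only if the resulting state is secure.
    Checking the successor state before committing is what makes every
    transition secure, which the Basic Security Theorem needs."""
    if a not in A or s not in st.fS or o not in st.fO:
        return False
    new_b = st.B | {(s, o, a)}
    if not secure(State(new_b, st.M, st.fS, st.fC, st.fO)):
        return False
    st.B = new_b
    return True

def sample_state() -> State:
    """Constructed example: two subjects, two objects, two levels."""
    secret_crypto: Level = (1, frozenset({"crypto"}))
    unclassified: Level = (0, frozenset())
    return State(
        B=set(),
        M={("alice", "plan"): {"r", "w"}, ("alice", "log"): {"a"},
           ("bob", "plan"): {"r"}},
        fS={"alice": secret_crypto, "bob": unclassified},
        fC={"alice": secret_crypto, "bob": unclassified},
        fO={"plan": secret_crypto, "log": unclassified},
    )
```

With the sample state, bob's read of "plan" is refused as a read up even though the matrix permits it, and alice's append to "log" is refused as a write down.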
Security Kernel
• Can implement security policy according to the selected model(s)
• Is best implemented at the lowest possible level
• Depends on processor design features for implementation
Bell-LaPadula: So What?
• Bell and LaPadula provided a formal proof that a computer could be made provably secure under a specified set of conditions
• They postulated and proved rules for acting on information within a computer that preserved security
• This had not been done before
Operating System Security
Layers, bottom to top: Hardware, OS Kernel, Operating System, Services, Applications
Network security depends to a great degree on the security provided by the operating system.
TOCTTOU
• A tropical bird?
• Time Of Check To Time Of Use
• Critical security parameter in many instances, to avoid replay attacks, etc.
• Important in most security systems
• A particularly vexing problem in networks
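As an added illustration of the check-to-use gap (constructed for this review, not from the slides): a check made on a path name and a later open of the same name can refer to different objects, so the defensive pattern is to open first and validate the descriptor actually used. The file names and contents are made up; the symlink stands in for a name swapped after the check.

```python
import os
import stat
import tempfile
from typing import Dict, Optional

def naive_read(path: str) -> Optional[bytes]:
    """Check-then-use on a path name. Between the check and the open, the name
    can be re-pointed at a different object (for example a symbolic link), so
    the object checked and the object used need not be the same."""
    if not os.path.isfile(path):          # time of check: inspects the name
        return None
    with open(path, "rb") as fh:          # time of use: resolves the name again
        return fh.read()

def careful_read(path: str) -> Optional[bytes]:
    """Open first, then validate the descriptor that will actually be used.
    O_NOFOLLOW refuses a symlink as the final path component, and fstat looks
    at the already-opened object, so there is no gap between check and use."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:                       # ELOOP for a symlink, ENOENT, EACCES
        return None
    try:
        info = os.fstat(fd)
        if not stat.S_ISREG(info.st_mode) or info.st_uid != os.geteuid():
            return None
        return os.read(fd, info.st_size)
    finally:
        os.close(fd)

def demo() -> Dict[str, Optional[bytes]]:
    """Constructed layout: a regular file and a symlink to it, standing in for
    a name that was swapped after the caller checked it."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "data.txt")
        swapped = os.path.join(d, "swapped.txt")
        with open(regular, "wb") as fh:
            fh.write(b"sensitive")
        os.symlink(regular, swapped)
        return {
            "naive_regular": naive_read(regular),
            "naive_swapped": naive_read(swapped),      # follows the link silently
            "careful_regular": careful_read(regular),
            "careful_swapped": careful_read(swapped),  # refused by O_NOFOLLOW
        }
```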
Database Security
Technology isn’t everything!
Data vs. Information
• Data represents information
• Information is the interpretation of data
This is not as obvious as it appears on the surface!
Databases
• Collection of data
• Provides information to users
– DBMS manages database
– Think of information, vs. data in OS
• Consistency demanded
– Internal--data follow prescribed rules
– External--entries are correct
Database Vulnerabilities
• Inference (example)
• Aggregation
– Inference (e.g. linking tables)
– Cardinal (e.g. phone book in toto)
• Data integrity
• Trojan Horses
On a network, the database(s) are often distributed. This makes protecting the information even more challenging.
Statistical Database Security
• Aggregation and inference
– Tracker attacks
– Countermeasures
• suppress obviously sensitive info
• disguise data--randomly swap entries
• add small random perturbations
• static analysis
• All have disadvantages for legitimate users
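As an added example (constructed here, not part of the lecture), a small statistical query interface with the query-set-size countermeasure: the direct query that would isolate one person is refused, two individually permitted queries still yield it by subtraction, and random perturbation then blurs what that difference tells. The table, names and salaries are made up.

```python
import random
from typing import Callable, Dict, List, Optional

# Constructed sample table (not from the slides); each row is one individual.
ROWS: List[Dict] = [
    {"name": "A", "dept": "eng", "title": "engineer", "salary": 90},
    {"name": "B", "dept": "eng", "title": "engineer", "salary": 95},
    {"name": "C", "dept": "eng", "title": "director", "salary": 180},
    {"name": "D", "dept": "ops", "title": "engineer", "salary": 80},
    {"name": "E", "dept": "ops", "title": "manager", "salary": 120},
    {"name": "F", "dept": "ops", "title": "engineer", "salary": 85},
]

class StatDB:
    """Answers aggregate queries only. A query set smaller than k, or whose
    complement is smaller than k, is refused (suppressing obviously sensitive
    results); noise > 0 adds a small random perturbation to each answer."""
    def __init__(self, rows: List[Dict], k: int = 2, noise: int = 0, seed: int = 1):
        self.rows, self.k, self.noise = rows, k, noise
        self.rng = random.Random(seed)   # seeded so the example is repeatable

    def sum(self, field: str, where: Callable[[Dict], bool]) -> Optional[int]:
        qs = [r for r in self.rows if where(r)]
        if len(qs) < self.k or len(self.rows) - len(qs) < self.k:
            return None                  # query set too small: refused
        return sum(r[field] for r in qs) + self.rng.randint(-self.noise, self.noise)

def is_target(r: Dict) -> bool:
    """The one engineering director: a query set of size one."""
    return r["dept"] == "eng" and r["title"] == "director"

def direct(db: StatDB) -> Optional[int]:
    """The obvious query names a single person and is refused."""
    return db.sum("salary", is_target)

def complement_difference(db: StatDB) -> Optional[int]:
    """Two individually permitted queries whose difference is the refused one:
    the inference that query-set-size restriction alone does not prevent."""
    group = db.sum("salary", lambda r: r["dept"] == "eng")
    others = db.sum("salary", lambda r: r["dept"] == "eng" and not is_target(r))
    if group is None or others is None:
        return None
    return group - others
```

With noise the two permitted answers are each perturbed, so the subtraction is off by up to twice the noise bound, at the cost of less exact statistics for legitimate users, which is the trade-off the slide notes.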
All Sorts of Other Security Concerns
Controls
• Centralized
– Simple to conceive and implement
– Bottleneck
• Decentralized
– May be more efficient
– Difficult to implement and maintain
Where to put security tasks and enforcement in a network?
Network Security and the Law: What You Need to Know
• What is illegal
• What are the elements of proof
• What constitutes evidence
• How to protect the evidence
• Whom to call
• When to call them
• What to tell them
Why Do You Care?
• Computer crime is one of -- if not THE -- fastest growing crime categories
• “That’s where the money is”
• Fraud loss in Southern NY area alone, Jan ‘95 to Jan ‘03: over $800,000,000
• This isn’t just victimless, white-collar crime: nearly 2/3 of those arrested were carrying automatic weapons
Personnel Security
• Most computer security issues arise from authorized users.
• Management has responsibility to assure due diligence exercised in screening staff
• Who should be screened?
• What should be checked?
• Legal issues
• Network issues with this?
Physical Access
• Access control
– People
– Things
• Protection against forcible attack
• Concentric controlled perimeters
– Harder with desktops than with mainframes
• Entry logs
• How to do over a network?
Physical Security
• Fortress concept
– Controlled access
– Concentric perimeters
• Linked to access control
• Exits need special attention
• Sensitive facilities need special treatment
• Network implications?
Electrical Power
• Power quality issues
– surge suppression
– interference
– regulation
– grounding
• Continuity issues
– Uninterrupted power
– Emergency power
Environmental Issues
• Heating and air conditioning
• Humidity control
• Physical protection of ducts
• Monitoring and emergency shutdown
• What if all the network elements don’t use the same approach or standards?
Disaster Control
• Risk assessment
• Fire
– Different classes are important
– Automatic fire suppression systems
– Individual extinguishers
– Media protection, recovery
– Exits
Disaster Recovery
• Company-owned facilities
• Rented service bureau facilities
• Shared backup with another company
• Hot site
• Shell site
• Which to use depends on criticality of service continuity
Back Up
• Essential to continuous operations
• Frequency depends on criticality
• ALWAYS store off-site
• Transport to/from site is an issue
– Physical
– Electronic
• Goodness of backup needs to be tested
Line Security
• Cable integrity
• No multiple drops
• Use multiple conductor cables
• Phantom circuits treacherous
• Crosstalk
• Grounding and shielding
• Protection
Electronic Security
• Emanations (acoustic, RF, etc.)
– Measuring
– Assessing risk
• Technical surveillance
– How to do it
– Assessing risk
• Network issues?
Detection and Surveillance
• Threat monitoring
• Trend analysis
• Investigation
• Auditing
• Corrective action
• Hard to do at a single site. How to do when a distributed function?
Threat Assessment
• Threat likelihood can be estimated from historical data
• Often, the result must be modified by an experience factor (Finagle’s factor?)
• This is a subject on which much data and methodology exists; but it may not apply to your situation.
• How does one do this on a network?
Summary
• Computer security is a real need in real systems
• Without computer security, network security is a pipedream
• Network security is an even more difficult problem than computer security, for a number of reasons
• Absolute security does not exist
Assignment for Next Class
• Read course text, Chapters 1 and 2