Fundamentals of Network Security
4. Network scanning and defense
CryptoWorks21 • July 25 & 27, 2017
Dr Douglas Stebila
https://www.douglas.stebila.ca/teaching/cryptoworks21
Fundamentals of Network Security

1. Basics of Information Security
   – Security architecture and infrastructure; security goals (confidentiality, integrity, availability, and authenticity); threats/vulnerabilities/attacks; risk management
2. Cryptographic Building Blocks
   – Symmetric crypto: ciphers (stream, block), hash functions, message authentication codes, pseudorandom functions
   – Public key crypto: public key encryption, digital signatures, key agreement
3. Network Security Protocols & Standards
   – In detail: public key infrastructure, TLS
   – Overview: Networking, SSH, IPsec, Kerberos, WEP
4. Network Scanning and Defence
   – Traffic sniffing and network reconnaissance (nmap)
   – Network protection: firewalls and intrusion detection
5. Access Control & Authentication; Web Application Security
   – Access control: discretionary/mandatory/role-based; phases
   – Authentication: something you know/have/are/somewhere you are
   – Web security: cookies, SQL injection
   – Supplemental material: Passwords
NETWORK SNIFFING, SCANNING, AND RECONNAISSANCE

Terminology

Traffic sniffing
Passive eavesdropping on communications
• … within a network
  – wireless sniffing, etc.
  – intrusion detection
• … from outside the network
  – by upstream network providers, etc.
Example software:
• Wireshark

Scanning & reconnaissance
Active discovery of services available on certain IP addresses
• usually using automated tools
• often for the purposes of identifying services with vulnerabilities
• first step in mounting an attack
• also used by administrators to get a picture of their own network
Primary Objectives of Scanning

1. Determine that a host is online
2. Port scan the system for active services
3. Scan the system for vulnerabilities

This is active interaction with the target, and should not be done outside of a test environment without a written agreement with the target!
Port scanning: Common network services

• 25, 110, 143: SMTP, POP3, IMAP (e-mail)
• 80, 443: HTTP, HTTPS (websites)
• 20/21: FTP (file transfer)
• 22, 23: SSH, Telnet (remote login)
• 53: DNS (domain name lookups)
• 3389: Remote Desktop Protocol
• 445: SMB (file server)
Nmap

Most popular port scanner available

Offers many different scanning techniques:
• Scan for hosts that are up
• TCP ports
• UDP ports
• Other IP protocols
Can identify software, version, some configuration details

  nmap -A -T4 127.0.0.1
  Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-29 14:39 EDT
  Nmap scan report for localhost* (127.0.0.1)
  Not shown: 951 closed ports, 41 filtered ports
  PORT     STATE SERVICE      VERSION
  22/tcp   open  ssh          OpenSSH 6.9 (protocol 2.0)
  | ssh-hostkey:
  |   1024 ff:96:e0:2c:89:fb:3a:90:5f:ac:a8:23:60:40:18:40 (DSA)
  |   2048 8c:9f:be:59:e7:f6:91:40:71:35:7a:f3:7d:be:97:be (RSA)
  |_  256 89:4d:42:b1:ee:05:7f:97:23:7a:26:7c:f4:61:2e:5b (ECDSA)
  80/tcp   open  http         Apache httpd 2.4.18 ((Unix))
  |_http-server-header: Apache/2.4.18 (Unix)
  88/tcp   open  kerberos-sec Heimdal Kerberos (server time: 2016-06-29 18:39:27Z)
  445/tcp  open  microsoft-ds?
  548/tcp  open  afp          Apple AFP (name: picard; protocol 3.4; Mac OS X 10.9 - 10.11; MacBookPro10,1)
  | afp-serverinfo:
  |   Server Flags:
  |     Server Signature: true
  |     Server Messages: false
  |     Password Saving Prohibited: false
  |     Password Changing: true
  |     Copy File: true
  |   Server Name: picard
  |   Machine Type: MacBookPro10,1
  |   AFP Versions: AFP3.4, AFP3.3, AFP3.2, AFP3.1, AFPX03
  631/tcp  open  ipp          CUPS 2.1
  |_http-server-header: CUPS/2.1 IPP/2.1
  3689/tcp open  daap         Apple iTunes DAAP 12.4.1.6
  8888/tcp open  http         Apache httpd 2.4.18 ((Unix))
  |_http-server-header: Apache/2.4.18 (Unix)
  Service Info: OSs: Mac OS X, OS X; CPE: cpe:/o:apple:mac_os_x:10.9
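An administrator who runs nmap against their own machine (the "picture of their own network" use above) still has to decide which of the reported services are supposed to be there. The following is an added example, not part of the lecture slides or of nmap itself: it parses the port table from a report in the format shown above (a trimmed, constructed copy of that output is embedded) and compares the open ports against an expected-services baseline, so that anything unexpected, such as the AFP, DAAP or second HTTP listener here, stands out. The baseline set is an assumption for the example.

```python
import re

# Constructed sample: the port table of the nmap report above, trimmed.
# NSE script output lines (starting with "|") are included to show they are skipped.
SAMPLE_REPORT = """\
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 6.9 (protocol 2.0)
| ssh-hostkey:
|_  256 89:4d:42:b1:ee:05:7f:97:23:7a:26:7c:f4:61:2e:5b (ECDSA)
80/tcp   open  http         Apache httpd 2.4.18 ((Unix))
|_http-server-header: Apache/2.4.18 (Unix)
88/tcp   open  kerberos-sec Heimdal Kerberos (server time: 2016-06-29 18:39:27Z)
445/tcp  open  microsoft-ds?
548/tcp  open  afp          Apple AFP (name: picard; protocol 3.4)
631/tcp  open  ipp          CUPS 2.1
3689/tcp open  daap         Apple iTunes DAAP 12.4.1.6
8888/tcp open  http         Apache httpd 2.4.18 ((Unix))
Service Info: OSs: Mac OS X, OS X; CPE: cpe:/o:apple:mac_os_x:10.9
"""

# One row of nmap's port table: "<port>/<proto>  <state>  <service>  [<version...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(report):
    """Return (port, proto, service, version) for every table row whose STATE is
    'open'. Header, footer and script-output lines do not match and are skipped."""
    found = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        if state != "open":
            continue
        found.append((int(port), proto, service, (version or "").strip()))
    return found


def unexpected_services(report, baseline):
    """Open ports that are not in `baseline` (a set of (port, proto) pairs):
    services the administrator did not know the host was exposing."""
    return [e for e in parse_open_ports(report) if (e[0], e[1]) not in baseline]


# Assumed baseline for a workstation that is only supposed to offer SSH.
EXPECTED = {(22, "tcp")}

if __name__ == "__main__":
    for port, proto, service, version in unexpected_services(SAMPLE_REPORT, EXPECTED):
        print(f"unexpected: {port}/{proto} {service} {version}")
```

For real use, nmap's `-oX` XML output is easier to parse reliably than the human-readable table; the regex here is enough for the fixed-width table format shown on the slide.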
Vulnerability Assessment Tools
Collection of tools for determining possible security holes

Port-scanning + additional checks on ports for:
• Software packages actually running
• Versions of those packages
• Possible vulnerabilities on these combinations
• Vulnerability database to support above
• Possibly other components
  – Check for weak passwords
  – Check for general patch levels

Example
• Port scanning may find port 21 listening, ftp
• OS fingerprint – Linux 2.2 kernel
• Service query – identifies ftp as wu-ftpd version 2.4.2
• What specific vulnerabilities does wu-ftpd 2.4.2 have?

Nessus Vulnerability Report
Identifies active services and their versions, matches against database of known vulnerabilities, then tests for exploitability using plugins.
Zmap

• Can perform high-speed scanning of entire Internet
• Scan for a single port on every IPv4 Internet address (2^32 addresses) in approx. 45 minutes on a high speed network connection with a single computer
• Useful for academic research, e.g., collecting certificates from all SSL web servers on port 443
• Also useful for attackers to search for victims
• https://zmap.io

Shodan: vulnerability search engine
NETWORK PROTECTION: FIREWALLS

Firewalls
• Technical preventative security control
• Placed at the interface between two networks with differing security requirements
• Aims to control the flow of network traffic between a protected network and other networks.
• Frequently used to prevent unauthorized Internet users from accessing private networks (Intranet).
  – All messages entering or leaving the intranet pass through the firewall
  – Each message is examined, and those that do not meet the specified security criteria are blocked.
• Can be implemented in hardware, software, or a combination of both.
Firewall types

Packet filters
• Primitive, high performance firewalls
• Examines data associated with lower levels of network stack
• e.g. IP source/destination address, TCP port number
• Does not understand the upper layers

Application filter
• Performs deep packet inspection to validate application data
• e.g. prevent any virtual private network connections
Firewalls: Simple packet filters
• Operates at the network or transport layer
• Examine each packet independently of other packets
  – Even if they are part of the same connection
• Decides whether to pass or drop each packet based on information in packet headers, such as
  – IP header fields (Source or Destination IP Addresses)
  – The Protocol (UDP, TCP or ICMP)
  – TCP/UDP port numbers (Source or Destination Port Numbers)
  – Direction the packet is travelling (into/out of the internal network)
IPv4 and TCP headers
• Which fields should a firewall use for filtering?
Source: Tuomas Aura http://research.microsoft.com/en-us/um/people/tuomaura/teaching/network-security-firewall.pdf
Simple packet filters
• A rule table specifies how to filter network traffic:
  – Each rule consists of conditions and an action
  – For each packet, the first matching rule is found
  – Two possible actions: allow or block
• Example rule table: inbound traffic to email (SMTP) server 1.2.3.10
Source: Tuomas Aura http://research.microsoft.com/en-us/um/people/tuomaura/teaching/network-security-firewall.pdf
Simple packet filters
• Decision making can also consider the direction the packets are travelling:
  – Ingress filtering: filtering inbound traffic
  – Egress filtering: filtering outbound traffic
• To reduce the possibility of transmitting packets with spoofed addresses, a simple rule to implement is:
  – Ingress filtering: drop inbound packets with source addresses that belong to the local network
  – Egress filtering: drop outbound packets with source addresses that are not local
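The rule-table mechanism (conditions plus an action, first match wins) and the direction-aware anti-spoofing rules above can be put together in a few dozen lines. The example below is added here and is not from the slides or from any real firewall; the rule table it ships with is constructed for the slide's scenario of an SMTP server at 1.2.3.10 inside an assumed 1.2.3.0/24 network, and the packet and rule structures are the example's own. Because this filter is stateless, the reply direction (source port 25 leaving the server) needs its own explicit rule, which is exactly the weakness stateful filters remove.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LOCAL_NET = ip_network("1.2.3.0/24")  # assumed protected network for the example


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the Internet, "out" = leaving the local network
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """Conditions (all must hold; "*"/None = don't care) and an action."""
    action: str                 # "allow" or "block"
    direction: str = "*"
    proto: str = "*"
    src: str = "*"              # CIDR the source must belong to
    src_negated: bool = False   # True: source must NOT belong to `src` (egress anti-spoof)
    dst: str = "*"              # CIDR the destination must belong to
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction != "*" and self.direction != p.direction:
            return False
        if self.proto != "*" and self.proto != p.proto:
            return False
        if self.src != "*":
            in_net = ip_address(p.src) in ip_network(self.src)
            if in_net == self.src_negated:  # wrong side of the (possibly negated) condition
                return False
        if self.dst != "*" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Constructed rule table, evaluated top to bottom; the first match decides.
RULES = [
    Rule("block", direction="in", src=str(LOCAL_NET)),                     # ingress: local source from outside = spoofed
    Rule("block", direction="out", src=str(LOCAL_NET), src_negated=True),  # egress: non-local source leaving = spoofed
    Rule("allow", direction="in", proto="tcp", dst="1.2.3.10/32", dport=25),   # mail delivery to the SMTP server
    Rule("allow", direction="out", proto="tcp", src="1.2.3.10/32", sport=25),  # the server's replies (stateless: needed explicitly)
    Rule("block"),                                                          # default deny
]


def filter_packet(p: Packet, rules=RULES):
    """Return (action, index of the first matching rule). Fails closed if nothing matches."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "block", None
```

Rule order matters: the two anti-spoofing rules sit first so that a spoofed packet can never reach the SMTP allow rule, and the final catch-all makes the default policy explicit rather than relying on the fall-through.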
Stateful packet filters
• Stateful packet filters operate in the same way as simple packet filters
  – examining headers and comparing to rule set to see if the packet transmission is allowed under the firewall rules
• But stateful packet filters are more ‘intelligent’ than simple packet filters:
  – Also keep a ‘state table’ noting the state of each connection:
  – Is the connection being established, in use, or terminated?
• Stateful packet filters examine the state in the context of the conversation
  – If header values contradict the expected state, the packet will be dropped
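To make the "state table" concrete, here is an added example (not from the slides and not modelled on any particular product) of a minimal stateful filter for TCP. Its policy, an assumption for the example, is that connections may only be opened from the inside; the table records each connection as being established (SYN_SENT) or in use (ESTABLISHED), and an arriving segment is allowed only if its flags fit the recorded state. A bare ACK for a connection that is not in the table is dropped, which is precisely the case a stateless filter with an "allow established (ACK-flagged) traffic" rule gets wrong. The closing handling is simplified: one FIN or RST removes the entry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    direction: str     # "out" = leaving the protected network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}


def seg(direction, src, sport, dst, dport, *flags):
    return Segment(direction, src, sport, dst, dport, frozenset(flags))


class StatefulFilter:
    """Assumed policy: only inside hosts may open connections."""

    def __init__(self):
        self.table = {}  # connection key -> "SYN_SENT" | "ESTABLISHED"

    @staticmethod
    def key(s):
        # Normalise so both directions of one conversation share a key:
        # (inside address, inside port, outside address, outside port)
        if s.direction == "out":
            return (s.src, s.sport, s.dst, s.dport)
        return (s.dst, s.dport, s.src, s.sport)

    def handle(self, s):
        """Return (verdict, reason) and update the state table."""
        k = self.key(s)
        state = self.table.get(k)
        syn_only = s.flags == frozenset({"SYN"})
        syn_ack = s.flags == frozenset({"SYN", "ACK"})
        if state is None:
            # Only an outbound SYN may create a new entry.
            if s.direction == "out" and syn_only:
                self.table[k] = "SYN_SENT"
                return ("allow", "new outbound connection recorded")
            return ("drop", "no connection in state table")
        if state == "SYN_SENT":
            if s.direction == "in" and syn_ack:
                self.table[k] = "ESTABLISHED"
                return ("allow", "handshake reply matches SYN_SENT")
            if s.direction == "out" and syn_only:
                return ("allow", "retransmitted SYN")
            return ("drop", "flags contradict handshake state")
        # ESTABLISHED
        if "SYN" in s.flags:
            return ("drop", "SYN on an established connection")
        if "FIN" in s.flags or "RST" in s.flags:
            del self.table[k]  # simplification: one FIN/RST closes the entry
            return ("allow", "connection closed, entry removed")
        return ("allow", "data on established connection")


def run_trace(segments):
    """Feed a constructed sequence through a fresh filter; return the verdicts."""
    fw = StatefulFilter()
    return [fw.handle(s)[0] for s in segments]


# Constructed trace: one legitimate outbound HTTPS session, then two unsolicited
# inbound segments (a SYN and a bare ACK) to port 22, then the session closing.
TRACE = [
    seg("out", "1.2.3.50", 51000, "203.0.113.5", 443, "SYN"),
    seg("in", "203.0.113.5", 443, "1.2.3.50", 51000, "SYN", "ACK"),
    seg("out", "1.2.3.50", 51000, "203.0.113.5", 443, "ACK"),
    seg("in", "203.0.113.5", 443, "1.2.3.50", 51000, "ACK"),
    seg("in", "198.51.100.9", 4444, "1.2.3.50", 22, "SYN"),
    seg("in", "198.51.100.9", 4444, "1.2.3.50", 22, "ACK"),
    seg("in", "203.0.113.5", 443, "1.2.3.50", 51000, "FIN", "ACK"),
    seg("in", "203.0.113.5", 443, "1.2.3.50", 51000, "ACK"),
]
```

A production filter would also time out idle entries and track sequence numbers, but the decision structure, look up the conversation, compare the segment against the expected state, update the state, is the same.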
Application proxy gateway
• Application level gateway filters traffic based on application data
  – Can examine application data, not just header info such as protocol and port numbers
• Known as an application proxy because the firewall needs to act on behalf of the client.
  – All connections terminate on the firewall.
  – Instead of a direct connection from client to server, the application proxies have an internal and external interface.
  – Two connections are made: connection from client to proxy and, if request is permitted, connection from proxy to requested destination
  – The proxy accepts the incoming connection, analyzes contents of packet and protocol to be used, determines if rules allow connection and, if connection is permitted, initiates a connection

Application proxy gateway
• Usually configured to support only specific applications or specific features of an application:
  – each application (email, web browser) must have its own proxy (specific gateway) in the firewall
  – If proxies are designed specifically for that protocol, they understand whether the traffic flowing is following the protocol and allowed by the policy rules
• Application layer firewalls have proxies for the most commonly used protocols
Application proxy gateway
[Figure: an application level gateway containing Telnet, FTP and HTTP proxy servers; an external host on the external network makes an external connection to the gateway, and the gateway makes a separate internal connection to the internal host on the internal network]
Application proxy gateway
• Strengths:
  – Provides potential for best security through control of application layer data/commands
  – Better logging and audit of traffic
  – Allows content filtering and user authentication
• Weaknesses:
  – Slower than packet filters – requires time to examine packet data in detail, so may be unsuitable for real-time applications
  – Limited support for new applications – additional time requirement for vendor to write new gateways for new applications
  – Requires one additional connection (including processing resources) for each new connection
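The decision an HTTP proxy makes between accepting the client's connection and opening the second connection to the destination is the part that distinguishes it from a packet filter: it has to check that the bytes actually form an HTTP request and that the request is allowed by policy. The following added example (not from the slides or from any real proxy) implements only that decision step over the bytes received so far; the allowed methods and destinations are an assumed policy, and the sample inputs, including a constructed TLS record header standing in for a client that tries to speak something other than HTTP on the proxied port, are constructed. Refusing CONNECT is how such a proxy would stop the tunnelling that the "prevent any VPN connections" example on the earlier slide refers to.

```python
import re

# Assumed policy for a hypothetical HTTP proxy in the firewall.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_DESTINATIONS = {"www.example.com"}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def inspect_http_request(data: bytes):
    """Decision step of an application proxy. `data` is what the client has sent
    so far on the internal connection. Returns (verdict, reason, target):
    "hold" (need more bytes), "reject" (close the client connection), or
    "forward" with target=(host, port) for the proxy's external connection."""
    first_line, crlf, _ = data.partition(b"\r\n")
    if not crlf:
        # No complete request line yet: wait, unless the bytes cannot be HTTP at all.
        if all(32 <= b < 127 for b in first_line):
            return ("hold", "request line incomplete", None)
        return ("reject", "non-text bytes where an HTTP request line was expected", None)
    m = REQUEST_LINE.match(first_line)
    if not m:
        return ("reject", "not an HTTP request line", None)
    method = m.group(1).decode()
    if method not in ALLOWED_METHODS:  # e.g. CONNECT (tunnelling) is refused
        return ("reject", f"method {method} not permitted by policy", None)
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return ("hold", "headers incomplete", None)
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return ("reject", "malformed header line", None)
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    host = headers.get("host")
    if not host:
        return ("reject", "missing Host header", None)
    hostname, _, port = host.partition(":")
    if hostname not in ALLOWED_DESTINATIONS:
        return ("reject", f"destination {hostname} not permitted by policy", None)
    return ("forward", "request conforms to HTTP and policy", (hostname, int(port) if port else 80))


# Constructed inputs.
CLIENT_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
CLIENT_CONNECT = b"CONNECT vpn.example.net:443 HTTP/1.1\r\nHost: vpn.example.net:443\r\n\r\n"
TLS_RECORD = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(16)  # constructed TLS record header
PARTIAL_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
OTHER_HOST = b"GET / HTTP/1.1\r\nHost: other.example.org\r\n\r\n"
```

Only on "forward" would the proxy open its external connection and relay; on "hold" it keeps reading from the client, which is also why the proxy, unlike a packet filter, has to buffer and parse per connection and is correspondingly slower.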
Simple firewall architecture
[Figure: a single firewall between the Internet and the internal network, which contains the DNS server, web server, email server and client PCs]
DMZ firewall architecture
[Figure: an exterior firewall between the Internet and the “demilitarized zone”, which holds the DNS server, web server and email server; an interior firewall between the demilitarized zone and the internal network, which holds the client PCs]
Challenges with firewalls

Technical
• Trade-off:
  – Simple packet filters have high performance
  – Application level gateways offer more comprehensive filtering
• Hard to configure
• Need to be kept up to date

Non-technical
• Firewall != Security
  – Perimeter security is often bypassed
• Training human operators
NETWORK PROTECTION: INTRUSION DETECTION

Intrusion detection
• Intrusion detection software aims to detect attempts to scan or break into networks
• Monitors logs and sniffs packets in real time to detect
  – traffic that matches known attack signatures
  – anomalies compared to normal behaviour
  – stateful analysis of protocol and program behaviour
• E.g., Snort

Intrusion Detection and Prevention
• Intrusion Detection System (IDS)
  – Technical detective security control
• Intrusion Detection and Prevention System (IPS)
  – Puts in place preventative controls following detection
• Components
  – Sensors
  – Analysers
  – Interfaces
Types of Intrusion Detection Systems

Application IDS
• behaviour of applications
Host IDS
• characteristics of host
Network IDS
• network traffic
Infrastructure IDS
• output from one or more of the above

Classification based on input data:
Network-based Intrusion Detection System (NIDS)
Host-based Intrusion Detection System
Types of analyses

Signature- or misuse-based detection
• detects pattern or signature matching known misuse or threat

Anomaly-based detection
• detects deviation from normal
• Network Behaviour Analysis
• Stateful Packet Inspection

Specification-based detection
• combines signature-based and anomaly-based
Limitations of analysis types

Signature- or misuse-based detection
• Ineffective against novel (zero-day) attacks where misuse pattern is unknown
• Quick to deploy
• Higher maintenance cost

Anomaly-based detection
• Requires training or learning “normal” profile
• Able to detect novel attacks
• Generally limited to academic use

Specification-based detection
• Best of both worlds
Challenges with IDSes

Technical
• Scalability
  – Sensor placement – inline, tap, spanning-port
  – Remote sites – correlation
• Accuracy
  – False positives and negatives
  – Highly inaccurate IDS may lead to complacency
  – Tuning the IDS – too sensitive or too tolerant
• Freshness
  – Signatures of novel attacks

Non-technical
• Knowledge of environment
  – Services provided
  – Positioning of filters
• Training human operators
Snort: open-source NIDS

1. Tap network traffic and feed through packet sniffer
2. Apply rules to detect attacks

• Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS
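The two analysis types from the earlier slides, and the Snort step of applying rules to tapped traffic, can be seen side by side on one constructed packet trace. The example below is added here; it is not from the slides and it is not Snort's own rule engine, only a small matcher for a subset of Snort's rule syntax (header plus `msg` and `content` options) whose rule text and sample packets are constructed. The signature matcher fires on the packet carrying a known path-traversal string, but says nothing about the host that touches eight ports with empty connection attempts, because no content signature exists for that; the anomaly detector, working from an assumed "normal" profile of at most five distinct (destination, port) pairs per source, catches the second case without knowing anything about the first. That is the zero-day limitation and its complement from the "Limitations of analysis types" slide.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic: two ordinary web requests, one request carrying a
# well-known path-traversal string, and one host probing many ports with empty
# (connection-attempt) packets.
TRAFFIC = [
    Packet("tcp", "10.0.0.5", 50001, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet("tcp", "10.0.0.5", 50002, "192.168.1.10", 80, b"GET /about HTTP/1.1\r\n\r\n"),
    Packet("tcp", "10.0.0.7", 50003, "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
] + [
    Packet("tcp", "10.0.0.99", 40000 + i, "192.168.1.20", port, b"")
    for i, port in enumerate([21, 22, 23, 25, 80, 443, 445, 3389])
]

# Constructed rule in a subset of Snort syntax: header, then options in parentheses.
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"path traversal attempt"; content:"/etc/passwd";)',
]
RULE_RE = re.compile(r'^alert (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')
OPT_RE = re.compile(r'(\w+):"([^"]*)";')


def parse_rule(text):
    """Parse 'alert <proto> <src> <sport> -> <dst> <dport> (msg:"..."; content:"...";)'."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    proto, src, sport, dst, dport, opts = m.groups()
    options = dict(OPT_RE.findall(opts))
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "msg": options.get("msg", text), "content": options["content"].encode()}


def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def signature_alerts(packets, rule_texts=RULES):
    """Signature-based analysis: (msg, source) for every packet matching a rule's
    header conditions whose payload contains the rule's content string."""
    rules = [parse_rule(r) for r in rule_texts]
    alerts = []
    for p in packets:
        for r in rules:
            if (r["proto"] == p.proto
                    and _addr_ok(r["src"], p.src) and _port_ok(r["sport"], p.sport)
                    and _addr_ok(r["dst"], p.dst) and _port_ok(r["dport"], p.dport)
                    and r["content"] in p.payload):
                alerts.append((r["msg"], p.src))
    return alerts


def anomaly_alerts(packets, max_pairs_per_source=5):
    """Anomaly-based analysis: sources contacting more distinct (destination, port)
    pairs than the assumed 'normal' profile allows. Needs no knowledge of payloads."""
    pairs = defaultdict(set)
    for p in packets:
        pairs[p.src].add((p.dst, p.dport))
    return sorted(src for src, s in pairs.items() if len(s) > max_pairs_per_source)
```

The threshold in `anomaly_alerts` is the tuning knob from the "Challenges with IDSes" slide: set it too low and ordinary hosts that talk to a handful of services are reported, set it too high and a slow probe stays under it.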
Firewalls vs. IDSes

• Complementary technologies
• Should be paired and deployed together to provide preventative and detective controls

Firewall: prevents violations of policy
IDS: detects violations of the policy
Practical

Port scanning
• Use nmap to scan the ports on your computer to see what services are running
• Important: do not use nmap to scan servers without permission!

Practicals available at https://www.douglas.stebila.ca/teaching/cryptoworks21