Security Chapter 9 (October 2002) Copyright 2003 Prentice-Hall Panko’s Business Data Networking and Telecommunications, 4th edition.
Page 1: Security

Chapter 9 (October 2002). Copyright 2003 Prentice-Hall.

Panko’s Business Data Networking and Telecommunications, 4th edition.

Page 2: Figure 9.1: Types of Attackers

Wizard Internet Hackers: highly capable attackers

Amateurs (Script Kiddies): light skills, but numerous and armed with automated attack programs (kiddie scripts) of increasing potency

Page 3: Figure 9.1: Types of Attackers

Criminals

Theft of credit card numbers, trade secrets, and other sensitive information

Sell the information or attempt extortion to prevent the release of the information

Individual criminals and organized crime

Industrial and government espionage spies

Page 4: Figure 9.1: Types of Attackers

Employees

Dangerous because of internal knowledge and access

Often, large losses per incident due to theft, fraud, or sabotage

Page 5: Figure 9.1: Types of Attackers

Information Warfare and Cyberterrorism

Massive attack by a government or terrorist group against a country’s IT infrastructure

Attacks by amateur cyberterrorists are already starting to approach this level of threat

Page 6: Figure 9.3: Attacks Requiring Protection

Hacking Servers: access without permission or in excess of permission; attractive because of the data they store

Hacking Clients: attractive because of their data or as a way to attack other systems by using the hacked client as an attack platform; soft targets compared to servers, since most users are security novices

Page 7: Figure 9.3: Attacks Requiring Protection

Denial-of-Service (DoS) Attacks

Make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.

Single-Message DoS Attack (crashes the victim)

[Diagram: Attacker sends a single message to the Server]

Page 8: Figure 9.3: Attacks Requiring Protection

Denial-of-Service (DoS) Attacks

Make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. Loss of availability.

Message-Stream DoS Attack (overloads the victim)

[Diagram: Attacker sends a stream of messages to the Server]

Page 9: Figure 9.4: Denial-of-Service Attacks

Distributed DoS (DDoS) Attack: messages come from many sources

[Diagram: The Attacker sends an attack command to each computer with a zombie; each zombie then sends DoS attack packets to the Server]

Page 10: Figure 9.3: Attacks Requiring Protection

Scanning Attacks: to identify victims and ways of attacking them

Attacker sends messages to select victims and attack methods

Examines the data that responses reveal:

IP addresses of potential victims

What services victims are running; different services have different weaknesses

Host’s operating system, version number, etc.

Page 11: Figure 9.3: Attacks Requiring Protection

Malicious Content

Viruses: infect files; propagate by executing the infected program; payloads may be destructive

Worms: propagate by themselves

Trojan horses: appear to be one thing, such as a game, but actually are malicious

Snakes: combine a worm with a virus, Trojan horses, and other attacks

Page 12: Figure 9.3: Attacks Requiring Protection

Malicious Content

Illegal content: pornography, sexual or racial harassment

Spam (unsolicited commercial e-mail)

Security group is often called upon to address pornography, harassment, and spam

Page 13: Figure 9.2: Types of Security Systems

Secure Communication System

[Diagram: Client PC and Server carry on a message exchange; an Attacker taps into the conversation and tries to read messages, alter messages, and add new messages]

Page 14: Figure 9.2: Types of Security Systems

Attack Prevention System

[Diagram: An Attacker on the Internet sends attack messages toward the Corporate Network; a Firewall sits between the Internet and the Corporate Network, which contains a Hardened Client PC and a Hardened Server with Permissions]

Page 15: Figure 9.5: Packet Filter Firewall

[Diagram: Arriving packets from the Internet (IP-H + TCP-H + Application Message; IP-H + UDP-H + Application Message; IP-H + ICMP Message) reach the Packet Filter Firewall, which marks each one Permit or Deny before it enters the Corporate Network]

Examines packets in isolation: fast, but misses some attacks

Page 16: Figure 9.6: Access Control List Fragment

For packets containing TCP segments:

Rule 1: IF Interface = Internal

AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007)

THEN DENY

Remark: Used by a well-known Trojan horse program.

Page 17: Figure 9.6: Access Control List Fragment

Rule 2: IF Interface = External

AND Destination Port Number = 80

AND Destination IP Address = 60.16.210.22

THEN PERMIT

Remark: Going to a known webserver.

Page 18: Figure 9.6: Access Control List Fragment

Rule 3: IF Interface = External

AND Destination Port Number = 80

AND Destination IP Address = NOT 60.16.210.22

THEN DENY

Remark: Going to an unknown webserver.

Page 19: Figure 9.6: Access Control List Fragment

Rule 4: IF Interface = External

AND (SYN = Set AND FIN = Set)

THEN DENY

Remark: Used in host scanning attacks and not in real transactions.

[Diagram: 1. To 60.14.27.9: SYN FIN; 2. From 60.14.27.9: RST]

Page 20: Figure 9.6: Access Control List Fragment

Order: rules are executed in order

If a packet is passed or denied by one rule, it will not reach subsequent rules

Misconfiguration is easy, opening the network to attack

Always test a firewall by hitting it with attack messages to see if they are handled properly

Page 21: Stateful Firewall

Does not examine packets in isolation

Examines each packet to see if it is part of an ongoing conversation

Catches attacks that packet filter firewalls cannot: refuses a TCP acknowledgement if an internal host has not opened a connection to that host

Usually does not examine a packet in detail if the packet is part of an ongoing conversation

This can miss attack packets

Beyond what is in the book
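The following is an added example, not code from the slides or the textbook: it encodes the Figure 9.6 ACL fragment as first-match rules and adds the stateful conversation check from the slide above. The Trojan source ports (7056, 8002 through 8007) and the webserver address 60.16.210.22 are the slides' values; the packets, the hypothetical outside address 198.51.100.7 and the internal address 10.0.0.5 are constructed for the demonstration. The `scan_order_check` function shows the ordering point from page 20 concretely: with the rules in the slides' order, a SYN/FIN probe aimed at port 80 on the known webserver is permitted by Rule 2 before Rule 4 ever sees it, and moving the scan check ahead of the permit rule closes the gap.

```python
# Added example, not from Panko's slides: the Figure 9.6 ACL fragment as first-match rules,
# plus the page-21 stateful check. The Trojan ports (7056, 8002-8007) and the webserver
# address 60.16.210.22 come from the slides; the packets below are constructed test data.
from dataclasses import dataclass

KNOWN_WEBSERVER = "60.16.210.22"
TROJAN_PORTS = {7056} | set(range(8002, 8008))   # 8002 through 8007


@dataclass
class Packet:
    interface: str    # "Internal" or "External": the interface the packet arrived on
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


def rule1(p):   # Remark: source port used by a well-known Trojan horse program
    return "DENY" if p.interface == "Internal" and p.src_port in TROJAN_PORTS else None

def rule2(p):   # Remark: going to a known webserver
    return "PERMIT" if p.interface == "External" and p.dst_port == 80 and p.dst_ip == KNOWN_WEBSERVER else None

def rule3(p):   # Remark: going to an unknown webserver
    return "DENY" if p.interface == "External" and p.dst_port == 80 and p.dst_ip != KNOWN_WEBSERVER else None

def rule4(p):   # Remark: SYN and FIN both set is used in host scanning, not in real transactions
    return "DENY" if p.interface == "External" and p.syn and p.fin else None

ACL_AS_ON_SLIDES = [rule1, rule2, rule3, rule4]
ACL_SCAN_CHECK_FIRST = [rule4, rule1, rule2, rule3]


def filter_packet(p, acl):
    """Rules execute in order; the first match decides and later rules are never reached (page 20).
    Returns (verdict, rule number); a packet that no rule matches is denied by default."""
    for number, rule in enumerate(acl, start=1):
        verdict = rule(p)
        if verdict is not None:
            return verdict, number
    return "DENY", None


class StatefulFirewall:
    """Page 21: an external TCP packet is accepted only if an internal host opened that conversation."""
    def __init__(self):
        self.connections = set()   # (internal ip, internal port, external ip, external port)

    def handle(self, p):
        if p.interface == "Internal":
            if p.syn and not p.ack:   # an internal host opening a connection
                self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "PERMIT"
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
            return "PERMIT"          # part of an ongoing conversation
        return "DENY"                # e.g. an ACK for a connection nobody inside opened


def scan_order_check():
    """The ordering trap: in the slides' order a SYN/FIN probe to port 80 on the known
    webserver is PERMITted by rule 2 before rule 4 sees it; scan check first fixes that."""
    probe = Packet("External", "198.51.100.7", KNOWN_WEBSERVER, 40000, 80, syn=True, fin=True)
    return filter_packet(probe, ACL_AS_ON_SLIDES), filter_packet(probe, ACL_SCAN_CHECK_FIRST)


if __name__ == "__main__":
    print(scan_order_check())   # (('PERMIT', 2), ('DENY', 1))
```

This is the kind of test the slide recommends: feed the rule set a packet you expect to be denied and confirm the verdict and the rule number that produced it, because a first-match list is only as safe as its ordering. The stateful class keeps no more state than the slide describes (which internal sockets have opened which conversations); a real stateful firewall also ages entries out and tracks the handshake beyond the first SYN.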

Pages 22-25: Figure 9.7: Application (Proxy) Firewall

[Diagram: The Browser on the Client PC talks to the Webserver Application on the Webserver only through the Application Firewall, which contains an HTTP Proxy, an SMTP (E-Mail) Proxy, and an FTP Proxy]

1. HTTP Request (Client PC to Application Firewall)

2. Inspect Request Message

3. Examined HTTP Request (Application Firewall to Webserver)

4. HTTP Response (Webserver to Application Firewall)

5. Inspect Response Message

6. Examined HTTP Response (Application Firewall to Client PC)

Page 26: Figure 9.7: Application (Proxy) Firewall

Can examine the application message to filter packets by application content

If a hacker takes over the proxy firewall, the hacker has not taken over the internal clients, with which the proxy only has indirect contact

The internal client’s IP address is hidden. All packets sent back by the server have the address of the application proxy server.

Page 27: Figure 9.7: Application (Proxy) Firewall

[Diagram: Client PC (Browser), Application Firewall (HTTP Proxy, SMTP (E-Mail) Proxy, FTP Proxy), Webserver (Webserver Application)]

There must be a proxy for each application

Pages 28-29: Figure 9.8: Network Address Translation (NAT)

[Diagram: Client, NAT Firewall, Internet, Server Host]

1. Outgoing packet from the Client: From 172.47.9.6, Port 59789

2. After translation by the NAT Firewall: From 60.168.34.2, Port 63472

3. Returning packet from the Server Host: To 60.168.34.2, Port 63472

4. After translation by the NAT Firewall: To 172.47.9.6, Port 59789

Translation Table

Internal IP Addr   Internal Port   External IP Addr   External Port

172.47.9.6         59789           60.168.34.2        63472
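As an added example (not code from the slides or the textbook), here is the translation table of Figure 9.8 as a small NAT firewall model. The internal socket 172.47.9.6:59789 and the external socket 60.168.34.2:63472 are the slide's values; the server address 203.0.113.10 and the stray-packet values are constructed. The point worth seeing in code is the inbound path: a returning packet is only forwarded if its destination port has a row in the table, so an unsolicited packet from the Internet has nowhere to go and is dropped.

```python
# Added example, not from the slides: a NAT firewall's translation table as in Figure 9.8.
# The internal socket 172.47.9.6:59789 and external socket 60.168.34.2:63472 are the
# slide's values; the server address 203.0.113.10 is constructed.
import itertools


class NatFirewall:
    def __init__(self, external_ip, first_external_port=63472):
        self.external_ip = external_ip
        self._free_ports = itertools.count(first_external_port)
        self.internal_to_external = {}   # (internal ip, internal port) -> external port
        self.external_to_internal = {}   # external port -> (internal ip, internal port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Step 1-2: rewrite the client's source socket to the firewall's external socket,
        adding a translation-table row the first time this internal socket is seen."""
        key = (src_ip, src_port)
        if key not in self.internal_to_external:
            ext_port = next(self._free_ports)
            self.internal_to_external[key] = ext_port
            self.external_to_internal[ext_port] = key
        return (self.external_ip, self.internal_to_external[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Step 3-4: look the destination port up in the table and restore the internal
        socket. A packet with no table row is unsolicited and is dropped (None)."""
        if dst_ip != self.external_ip or dst_port not in self.external_to_internal:
            return None
        int_ip, int_port = self.external_to_internal[dst_port]
        return (src_ip, src_port, int_ip, int_port)

    def table_rows(self):
        """The translation table as (internal ip, internal port, external ip, external port)."""
        return [(ip, port, self.external_ip, ext)
                for (ip, port), ext in self.internal_to_external.items()]


def demo():
    nat = NatFirewall("60.168.34.2")
    out = nat.outbound("172.47.9.6", 59789, "203.0.113.10", 80)     # slide step 1 -> 2
    back = nat.inbound("203.0.113.10", 80, "60.168.34.2", 63472)    # slide step 3 -> 4
    stray = nat.inbound("203.0.113.99", 4444, "60.168.34.2", 61000) # no row: dropped
    return out, back, stray, nat.table_rows()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The model keys the table only on the external port, as the slide's two-column table does; production NAT devices also record the remote peer's address and port in each row, so a returning packet is forwarded only from the host the client actually contacted, and they expire rows that have been idle.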

Page 30: Figure 9.9: Intrusion Detection

[Diagram: 1. An Attacker sends an attack packet and a Legitimate Host sends a legitimate packet to an Internal Host; 2. all packets are also copied to the Intrusion Detection System, which stores a dump; 3. the IDS sends the Network Administrator a notification of a possible attack; 4. the Network Administrator analyzes the dump]

Page 31: Firewalls versus Intrusion Detection

Firewalls permit or deny traffic based on filtering rules

Intrusion detection systems (IDSs) only save and mark certain packets as suspicious; they do not take action

IDSs identify all suspicious packets, many of which turn out to be acceptable; firewall drop rules are more specific

Some firewalls issue alerts when packets are dropped, and most firewalls log all drops

New: not in the book

Page 32: Figure 9.10: Hardening Clients and Servers

Known Weaknesses

Known security weaknesses in operating systems and application programs

Most vendors issue patches to fix these known weaknesses; firms download them

Firms often fail to do so (vendors issue 30-50 patches per week); patches must be installed on each server

Host Firewalls: server firewalls and personal (client) firewalls

Page 33: Figure 9.10: Hardening Clients and Servers

Server Authentication: Passwords

Cracking with exhaustive search and dictionary attacks

Strong passwords

Super accounts: root in UNIX, Administrator in Windows

Page 34: Figure 9.10: Hardening Clients and Servers

Server Authentication: Rules for Strong Passwords

At least 8 characters long

At least one change of case

At least one digit (0-9), not at the end

At least one non-alphanumeric character (#@%^&*!), not at the end
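An added example, not code from the slides or the textbook: a checker that applies the four rules above exactly as stated, plus a rejection of passwords built on dictionary words, since the previous slide names dictionary attacks as the way weak passwords are cracked. The word list is a constructed stand-in for a real cracking dictionary; the sample passwords are constructed too. "Not at the end" is implemented literally: the digit and the special character must occur somewhere before the final position.

```python
# Added example, not from the slides: checker for the slide's four strong-password rules,
# plus a (constructed, tiny) dictionary check in the spirit of page 33's dictionary attacks.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}   # stand-in for a real word list


def password_problems(password):
    """Return the list of rules the password breaks; an empty list means it passes."""
    body = password[:-1]          # everything except the last character ("not at the end")
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no change of case")
    if not any(c.isdigit() for c in body):
        problems.append("no digit before the last position")
    if not any(not c.isalnum() for c in body):
        problems.append("no non-alphanumeric character before the last position")
    # Dictionary check: strip digits and symbols, lower-case, and look the core word up,
    # because "Password1!" is still a dictionary word to a cracking program.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in COMMON_WORDS:
        problems.append("built on a dictionary word")
    return problems


def is_strong(password):
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ["Tr0ub@dor1", "password1!", "Secret7"]:
        print(candidate, password_problems(candidate) or "OK")
```

The dictionary step is what turns a format check into a real defence: the four rules alone accept "Password1!", which is exactly the pattern dictionary crackers try first (a common word with a digit and a symbol bolted on).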

Page 35: Figure 9.11: Kerberos Authentication (Simplified)

[Diagram: Applicant, Kerberos Server, Verifier]

1. Initial Sign On (Applicant to Kerberos Server)

2. Request Ticket (Applicant to Kerberos Server)

3. Ticket (Kerberos Server to Applicant)

4. Ticket (Applicant presents it to the Verifier)

Page 36: Figure 9.10: Hardening Clients and Servers

Server Authentication: Biometric authentication

Fingerprint: least expensive

Iris: most accurate

Face recognition: controversial in public places for mass identification

Other forms of biometric identification

Smart cards (ID card with microprocessor and data)

Page 37: Figure 9.10: Hardening Clients and Servers

Limiting Permissions on Servers (Ch. 10)

Only permit access to some directories

Limit permissions (what the user can do) there

Like controlling access to a high-security building: not allowed to go anywhere, remove items, etc.

Page 38: Figure 9.2: Types of Security Systems

Secure Communication System

[Diagram: Client PC and Server carry on a message exchange; an Attacker taps into the conversation and tries to read messages, alter messages, and add new messages]

Page 39: Figure 9.12: Secure Communication System

[Diagram: Client PC and Server]

1. Initial Negotiation of Security Parameters

2. Mutual Authentication

3. Key Exchange or Key Agreement

4. Subsequent Communication with Message-by-Message Confidentiality, Authentication, and Message Integrity

Pages 40-42: Figure 9.13: Symmetric Key Encryption for Confidentiality

[Diagram: Party A applies the encryption method and the symmetric key to the plaintext “Hello”, producing the ciphertext “11011101”; the ciphertext crosses the network, where an Interceptor sees only “11011101” (???); Party B, holding the same symmetric key, applies the decryption method and the key to recover the plaintext “Hello”]

Page 43: Figure 9.14: Symmetric Key Encryption for Confidentiality

[Diagram: Party A and Party B each hold the shared symmetric key]

In symmetric key encryption, both sides encrypt and decrypt with the same symmetric key

Pages 44-45: Figure 9.14: Public Key Encryption for Confidentiality

Party A to Party B: encrypt with Party B’s public key; Party B decrypts with Party B’s private key

Party B to Party A: encrypt with Party A’s public key; Party A decrypts with Party A’s private key

Page 46: Quiz

1. In two-way conversations encrypted with symmetric key encryption, how many keys are used?

2. In two-way conversations encrypted with public key encryption, how many keys are used?

Page 47: Quiz

3. In public key encryption for confidentiality, the sender always encrypts with the _____ key of the _____.

4. In public key encryption for confidentiality, the receiver always decrypts with the _____ key of the _____.

Page 48: Symmetric Versus Public Key Encryption

Symmetric key encryption is very fast, so it can be used to encrypt long messages for confidentiality, including e-mail messages, website communication, database transactions, and almost all other user applications.

However, public key encryption can provide confidentiality for very short messages. We will see how this helps in transferring symmetric keys and in digital signatures.

Pages 49-50: Figure 9.15: Public Key Distribution for Symmetric Keys

[Diagram: Party A and Party B]

1. Party A creates a symmetric session key

2. Party A encrypts the session key with Party B’s public key

3. Party A sends the symmetric session key, encrypted with Party B’s public key

4. Party B decrypts the session key with Party B’s private key

5. Subsequent bulk encryption for confidentiality with the symmetric session key, for all messages

Pages 51-54: Figure 9.16: MS-CHAP Challenge-Response Authentication Protocol

[Diagram: Client (Applicant) and Server (Verifier)]

Note: both the Client and the Server know the Client’s password

1. The Verifier creates a challenge message

2. The Verifier sends the challenge message

3. The Applicant creates the response message:

a) adds the password to the challenge message

b) hashes the resultant bit string

c) this gives the response message

4. The Applicant sends the response message (the transmitted response)

5. The Verifier adds the password to the challenge message it sent and hashes the combination; this should be the expected response message

6. Expected response = transmitted response? If the two are equal, the Client knows the password and is authenticated
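An added example of the exchange above, not code from the slides or the textbook: the Verifier issues a random challenge, the Applicant hashes challenge plus password, and the Verifier recomputes and compares. SHA-256 over the concatenation is a stand-in for MS-CHAP's own hash construction, which the slides do not detail; the user name and passwords are constructed. The example also shows the two properties a practitioner checks for in such a protocol: the password never crosses the network, and a captured response is useless later because each challenge is consumed after one attempt.

```python
# Added example, not from the slides: the Figure 9.16 challenge-response exchange.
# SHA-256 over (challenge + password) stands in for MS-CHAP's actual hash construction.
# User names and passwords are constructed test data.
import hashlib
import hmac
import secrets


def response_for(challenge: bytes, password: str) -> bytes:
    """Step 3: add the password to the challenge and hash the result; that hash is the response."""
    return hashlib.sha256(challenge + password.encode("utf-8")).digest()


class Verifier:
    """The server side: knows each client's password and remembers the challenge it sent."""
    def __init__(self, passwords):
        self.passwords = passwords          # user name -> password (both sides know it)
        self.outstanding = {}               # user name -> challenge awaiting a response

    def send_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16) # steps 1-2: create and send a fresh random challenge
        self.outstanding[user] = challenge
        return challenge

    def check(self, user: str, transmitted: bytes) -> bool:
        """Steps 5-6: recompute the expected response and compare. The challenge is removed
        first, so a replayed response (or a second guess) never matches an old challenge."""
        challenge = self.outstanding.pop(user, None)
        if challenge is None or user not in self.passwords:
            return False
        expected = response_for(challenge, self.passwords[user])
        return hmac.compare_digest(expected, transmitted)   # constant-time comparison


def run_exchange(verifier: Verifier, user: str, password_the_applicant_knows: str) -> bool:
    """One complete exchange from the applicant's point of view."""
    challenge = verifier.send_challenge(user)                            # step 2
    transmitted = response_for(challenge, password_the_applicant_knows)  # steps 3-4
    return verifier.check(user, transmitted)                             # steps 5-6


if __name__ == "__main__":
    server = Verifier({"lee": "correct horse battery"})
    print(run_exchange(server, "lee", "correct horse battery"))   # True
    print(run_exchange(server, "lee", "wrong guess"))             # False
```

The weakness the slide's note points at is visible in the `Verifier` constructor: the server must hold every client's password in a form it can hash with, so a compromised server yields the passwords themselves, and an interceptor who records challenge/response pairs can test password guesses offline against them. That is why later designs keep a salted, one-way verifier server-side instead of the password.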

Page 55: Figure 9.17: Digital Signature

[Diagram: Sender sends DS + Plaintext to Receiver]

Add a digital signature to each message; provides message-by-message authentication

Encrypted for confidentiality

Page 56: Figure 9.17: Digital Signature: Sender

[Diagram: Plaintext -> Hash -> MD -> Sign (encrypt) MD with Sender’s Private Key -> DS]

To create the digital signature:

1. Hash the plaintext to create a brief message digest (MD); this is NOT the digital signature

2. Sign (encrypt) the message digest with the sender’s private key to create the digital signature

Page 57: Figure 9.17: Digital Signature

[Diagram: Sender encrypts, Receiver decrypts; transmission of DS + Plaintext]

Send plaintext plus digital signature, encrypted with the symmetric session key

Page 58: Figure 9.17: Digital Signature: Receiver

[Diagram: Received Plaintext -> 1. Hash -> MD; DS -> 2. Decrypt with True Party’s Public Key -> MD; 3. Are they equal?]

1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.

2. Decrypt the digital signature with the sender’s public key. This also should give the message digest.

3. If the two match, the message is authenticated: the sender has the true party’s private key

Page 59: Figure 9.18: Public Key Deception

Impostor: “I am the True Person.”

Verifier: must authenticate the True Person.

Impostor: “Here is TP’s public key.” (Sends the Impostor’s public key.) Critical deception.

Verifier: believes it now has TP’s public key.

Impostor: “Here is authentication based on TP’s private key.” (Really the Impostor’s private key.)

Verifier: believes the True Person is authenticated, based on the Impostor’s public key.

Verifier: “True Person, here is a message encrypted with your public key.”

Impostor: the message from the Verifier was encrypted with the Impostor’s public key, so the Impostor can decrypt it.

Page 60: Digital Certificates

Digital certificates are electronic documents that give the true party’s name and public key

Applicants claiming to be the true party have their authentication methods tested by this public key

If they are not the true party, they cannot use the true party’s private key and so will not be authenticated

Page 61: Digital Signatures and Digital Certificates

Public key authentication requires both a digital signature and a digital certificate to give the public key needed to test the digital signature

[Diagram: Applicant sends DS + Plaintext to Verifier; the Certificate Authority supplies the Verifier with the digital certificate containing the True Party’s public key]

Pages 62-64: Figure 9.19: Public Key Infrastructure (PKI)

[Diagram: Certificate Authority / PKI Server; Applicant (Lee); Verifiers (Brown) and (Cheng)]

1. and 2. The Certificate Authority creates and distributes (1) a private key and (2) a digital certificate to each party

3. Lee requests the certificate for Brown

4. The Certificate Authority sends the certificate for Brown

5. Lee sends the certificate for Lee to Cheng

6. Cheng checks the Certificate Revocation List (CRL) for Lee’s digital certificate

7. The Certificate Authority answers: revoked or OK
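The following added example (not code from the slides or the textbook) ties together Figure 9.17 (hash, sign the digest with the private key, verify with the public key), Figure 9.18 (why a self-asserted public key proves nothing), and Figure 9.19 (a CA-signed certificate and a revocation check). It uses textbook RSA built from known Mersenne primes so that it runs with the standard library only; those fixed primes make it a teaching toy, usable for nothing beyond illustrating the steps. The party names Lee and the CA are the slide's; the message, the impostor and the certificate fields are constructed.

```python
# Added example, not from the slides: digital signature (Figure 9.17), a CA-issued certificate
# binding a name to a public key, and a CRL check (Figure 9.19) on textbook RSA.
# Keys are built from fixed Mersenne primes 2^p - 1 so no primality test is needed; that makes
# this a teaching toy only. Names below other than Lee and the CA are constructed.
import hashlib
from dataclasses import dataclass

KEY_PRIMES = {"ca": (521, 607), "lee": (127, 1279), "impostor": (89, 2203)}  # exponents p, q
E = 65537


def make_keypair(owner):
    a, b = KEY_PRIMES[owner]
    p, q = 2**a - 1, 2**b - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))          # (public key, private key)


def digest(data: bytes) -> int:
    """Figure 9.17 step 1: hash the plaintext to a brief message digest (MD)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """Figure 9.17 step 2: sign (encrypt) the MD with the sender's private key -> DS."""
    n, d = private_key
    return pow(digest(data) % n, d, n)


def verify(public_key, data: bytes, ds: int) -> bool:
    """Receiver side: hash the received plaintext, decrypt the DS with the public key, compare."""
    n, e = public_key
    return pow(ds, e, n) == digest(data) % n


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    public_key: tuple
    ca_signature: int

    def signed_part(self) -> bytes:   # the name and public key the CA vouches for
        return f"{self.serial}|{self.subject}|{self.public_key[0]}|{self.public_key[1]}".encode()


class CertificateAuthority:
    def __init__(self):
        self.public_key, self._private_key = make_keypair("ca")
        self.crl = set()              # serial numbers on the Certificate Revocation List
        self._next_serial = 1

    def issue(self, subject, public_key):
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        unsigned = Certificate(serial, subject, public_key, 0)
        return Certificate(serial, subject, public_key, sign(self._private_key, unsigned.signed_part()))

    def revoke(self, cert):
        self.crl.add(cert.serial)


def authenticate(ca, claimed_name, cert, message, ds):
    """The verifier's checks, in order: certificate genuine, not revoked, right name, DS verifies."""
    if not verify(ca.public_key, cert.signed_part(), cert.ca_signature):
        return "bad certificate signature"
    if cert.serial in ca.crl:
        return "certificate revoked"
    if cert.subject != claimed_name:
        return "certificate is for someone else"
    if not verify(cert.public_key, message, ds):
        return "digital signature does not verify"
    return "authenticated"


def demo():
    ca = CertificateAuthority()
    lee_pub, lee_priv = make_keypair("lee")
    imp_pub, imp_priv = make_keypair("impostor")
    lee_cert = ca.issue("Lee", lee_pub)
    message = b"Transfer 100 to account 42"      # constructed
    results = {"genuine": authenticate(ca, "Lee", lee_cert, message, sign(lee_priv, message)),
               "tampered": authenticate(ca, "Lee", lee_cert, message + b"0", sign(lee_priv, message))}
    # Figure 9.18: the impostor offers "Lee's" public key, which is really the impostor's own.
    forged = Certificate(99, "Lee", imp_pub, sign(imp_priv, b"not the CA"))
    results["forged_cert"] = authenticate(ca, "Lee", forged, message, sign(imp_priv, message))
    ca.revoke(lee_cert)                           # step 6-7: CRL now says "revoked"
    results["revoked"] = authenticate(ca, "Lee", lee_cert, message, sign(lee_priv, message))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of checks in `authenticate` is the practical lesson of the three figures: the signature on the message is tested last, because a signature that verifies under an unvouched-for public key is exactly the deception of Figure 9.18. The forged certificate fails at the first check even though its digital signature over the message would verify under the key it carries, and the revocation case fails even though everything else is genuine.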

Page 65: Figure 9.20: Security at Multiple Layers

Layer         Example

Application   Application-specific (for instance, passwords for a database program); application (proxy) firewalls

Transport     SSL (TLS); packet filter firewalls

Internet      IPsec; packet filter firewalls

Data Link     Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP)

Physical      Physical locks on computers; notebook encryption

Page 66: Figure 9.20: Security at Multiple Layers

Having security at multiple layers provides protection if one layer’s security fails

Having security at multiple layers also slows processing on the device

So provide protection in at least two layers, but not in all layers

Page 67: Figure 9.21: Creating Appropriate Security

Understanding Needs

Need to make security proportional to risks

Organizations face different risks

Policies and Enforcement

Policies bring consistency; they must be enforced

Training in the importance of security and in protection techniques

Social engineering prevention training

Page 68: Figure 9.21: Creating Appropriate Security

Policies and Enforcement

Security audits: attack your own system proactively

You must really be able to trust your testers

Incident handling: stopping the attack, restoring the system, prosecution; planning and practicing before the incident

Privacy: need to protect employee and customer privacy