CHAPTER 6 Security in Networks

Objectives
 Differentiate the security needs of a networked environment from those of a single, stand-alone application and environment.
 Identify threats against network applications, including denial of service, web site defacement, malicious code and protocol attacks.
 Explain the controls available against network attacks: physical security, policies and procedures, and a range of technical controls.
 Explain the design, capabilities and limitations of firewalls.
 Define and describe intrusion detection systems and secure e-mail.
(c) by Syed Ardi Syed Yahya Kamal, UTM

The Network Concepts
 When studying this chapter, the student should already know:
 The types of networks (LAN, MAN, etc.)
 Their size and shape
 Media (cable, wireless, optical fibre, etc.)
 Protocols (the OSI layers, TCP/IP, etc.)
 Topologies (star, ring, etc.)
 The advantages of networked computing (resource sharing, distributing the workload, etc.)

Threats in Networks
 What makes a network vulnerable?
Cause: Explanation
Anonymity: An attacker can mount an attack from thousands of miles away while staying safe behind an electronic shield.
Many points of attack, both targets and origins: A file stored on a network host can be accessed remotely by any user. An administrator can enforce many policies on one host, but once a file is in transit across the network those policies mean nothing.
Sharing: Because networks enable resource and workload sharing, more users (and therefore more potential attackers) can reach networked systems.
Complexity of system: An operating system is a complicated piece of software, and it is not designed specifically for security; a network joins several of them, which multiplies the complexity.
Unknown perimeter: A network has no fixed boundary. Resources on one network are reachable from other networks as well.
Unknown path: Many paths can be used to reach another host, and the sender does not control which one is taken.

Threats in Networks (cont)
 We cannot list who attacks networks, but we do know the motives for attacking.
Motive: Explanation
Challenge: For someone skilled in writing or using programs, the single most significant motivation is the intellectual challenge: "Can I defeat the network?"
Fame: Other attackers seek recognition for their activities and enjoy the personal thrill of seeing their attacks written up in the news media.
Money and espionage: Seeking information on a company's products, clients, etc. for financial reward.
Ideology: Hacktivism is the use of hacking techniques against a target's network with the intent of disrupting normal operations but not causing serious damage. Cyberterrorism is a politically motivated hacking operation intended to cause grave harm, such as loss of life or severe economic damage.

Threats in Networks (cont)
 Threat precursors:
 Port scan
 A program that reports three things about a target:
 Which standard ports or services are open and responding?
 What operating system is installed?
 What applications, and which versions of them, are present?
 Examples: the nmap scanner, netcat, Nessus, CyberCop Scanner
 Social engineering
 Uses social skills and personal interaction to get someone to reveal security-relevant information, and perhaps even to do something that permits an attack.
 "Hello, this is John Davis from IT support. We need to test some connections on the internal network. Could you please run the command ipconfig /all on your workstation and read me the addresses it displays?" The request sounds innocuous. But unless you know John Davis and his job responsibilities well, the caller could be an attacker gathering information about the internal architecture.

Threats in Networks (cont)
 Threat precursors (cont):
 Reconnaissance
 Gathering discrete bits of information from various sources and then putting them together like the pieces of a puzzle.
 Eavesdropping: follow employees to lunch and listen in from nearby tables as coworkers discuss security matters.
 Bulletin boards and chats
 Numerous underground bulletin boards and chat rooms support the exchange of information.
 Attackers post their latest exploits and techniques and read what others have done.

Threats in Networks (cont)
 Threat precursors (cont):
 Availability of documentation
 Vendors themselves sometimes distribute information that is useful to an attacker.
 Microsoft, for example, produces a resource kit with which application vendors can investigate a Microsoft product in order to develop compatible, complementary applications.
 Operating system and application fingerprinting
 Identifies the manufacturer and version of what is running.
 An attacker might use a Telnet client to send meaningless messages to another application. Ports such as 80 (HTTP), 25 (SMTP), 110 (POP) and 21 (FTP) may respond with a banner such as "Microsoft ESMTP MAIL Service, Version:" followed by a version number. That reply tells the attacker exactly which application and version are running.
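The port scan and banner-grabbing precursors above, as an added example that is not part of the original slides. It starts a throwaway listener on the loopback interface that answers with a constructed SMTP-style banner (the host name and version string are made up), then runs a TCP connect scan against it and maps the banner to a product and version with a small pattern table, which is the same idea nmap's service detection applies at scale.

```python
import re
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Constructed banner for the local stand-in service; host name and version are made up.
FAKE_SMTP_BANNER = b"220 mail.example.test Microsoft ESMTP MAIL Service, Version: 8.5.9600.16384 ready\r\n"

# (regex over the banner, product name); group 1 captures the version where one is present.
BANNER_PATTERNS = [
    (re.compile(r"Microsoft ESMTP MAIL Service,? Version: ([\d.]+)"), "Microsoft ESMTP (Exchange/IIS SMTP)"),
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "OpenSSH"),
    (re.compile(r"ESMTP Postfix"), "Postfix"),
]


def start_banner_listener(banner: bytes = FAKE_SMTP_BANNER) -> int:
    """Start a throwaway TCP listener on 127.0.0.1 that greets every client with
    `banner` and closes. Returns the ephemeral port it bound. It only stands in
    for a real daemon so the scanner below can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Bind and immediately release an ephemeral port so we have one that is closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect scan of one port. None means closed or filtered; otherwise the
    text the service volunteered before we sent anything (possibly empty)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""          # open, but the service waits for the client to speak
        return data.decode("latin-1", "replace").strip()
    except OSError:
        return None


def fingerprint(banner: str) -> Optional[Tuple[str, str]]:
    """Map a banner to (product, version) via the pattern table, or None if unknown."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            version = m.group(1) if m.groups() else "unknown"
            return product, version
    return None


def scan(host: str, ports: List[int]) -> Dict[int, Tuple[str, Optional[Tuple[str, str]]]]:
    """Connect to each port; report the open ones with their banner and fingerprint."""
    found = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:          # the connect succeeded, so the port is open
            found[port] = (banner, fingerprint(banner))
    return found


if __name__ == "__main__":
    open_port = start_banner_listener()
    for port, (banner, fp) in scan("127.0.0.1", [open_port, unused_port()]).items():
        print(port, repr(banner), fp)
```

The defensive lesson is the mirror image: a banner that names product and version is free reconnaissance for the attacker, so strip or genericise banners where the protocol allows it, and expect a connect scan to show up in logs as many short connections that never send a request.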

Threats in Networks (cont)
 Threats in transit:
 Eavesdropping implies overhearing without expending any extra effort; for example, an attacker monitoring all traffic passing through a node it already controls.
 Wiretapping means intercepting communications through some effort.
 Passive wiretapping is just "listening", much like eavesdropping.
 Active wiretapping means injecting something into the communication: someone could replace your communications with his own, or create communications purporting to come from you.
 How a wiretap is carried out differs with the communication medium used.

Threats in Networks (cont)
 Impersonation:
 The attacker impersonates another person or process.
 In an impersonation, the attacker has several choices:
 Guess the identity and authentication details of the target.
 Pick up the identity and authentication details through eavesdropping or wiretapping.
 Use a target that will not be authenticated.
 Use a target whose authentication data are known.

 Spoofing
 Guessing or otherwise obtaining the network authentication credentials of an entity, then using them to pose as that entity.
 Examples of spoofing are:
 masquerading
 session hijacking
 man-in-the-middle attacks

 Masquerade
 One host pretends to be another.
 A variation of this attack is called phishing:
 The attacker sends an e-mail message, perhaps with the real logo of Blue Bank, and an enticement to click on a link that supposedly takes the victim to the Blue Bank web site.
 The enticement might be that the victim's account has been suspended (and the account number and PIN are needed to reactivate it), or some other legitimate-sounding explanation.
 The link might point to the attacker's own domain Blue-Bank.com; the link text might say "click here to access your account" (where "click here" connects to the fraudulent site); or some other trick with the URL might be used to fool the victim.
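The URL tricks described in the phishing bullets, as an added example that is not part of the original slides: a small link analyser of the kind a mail gateway or browser extension runs over the links in a message. The trusted domain "bluebank.example" is an assumption standing in for the real bank; the confusable-character table is deliberately short. It catches the hyphenated look-alike ("blue-bank"), the "user@host" trick where the text before "@" is not the host at all, a trusted name buried as a subdomain of an attacker's domain, bare IP addresses, and anchor text that names one host while the href goes to another.

```python
import ipaddress
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Assumption for the example: the bank's real registrable domain.
TRUSTED_DOMAINS: Set[str] = {"bluebank.example"}

# Characters attackers swap in to build look-alike names; hyphens are dropped so
# "blue-bank" compares equal to "bluebank". A real list is much longer (Unicode too).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})

# Anchor text that itself looks like a URL or host name (group 1 is the host).
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Good enough for .com-style names; a real
    implementation consults the Public Suffix List for names like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str, trusted: Set[str]) -> bool:
    """True when the host is not trusted but normalises to a trusted name."""
    domain = registrable_domain(host)
    if domain in trusted:
        return False
    normalised = domain.translate(CONFUSABLES)
    return any(normalised == t.translate(CONFUSABLES) for t in trusted)


def analyse_link(href: str, trusted: Set[str] = TRUSTED_DOMAINS) -> Dict[str, object]:
    """Return {"host", "trusted", "reasons"}; an empty reasons list means the link
    really goes to a trusted domain over https."""
    parts = urlsplit(href)
    host = parts.hostname or ""          # urlsplit already discards userinfo here
    reasons: List[str] = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("user@host trick: text before '@' is not the host")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a name")
    except ValueError:
        pass
    if is_lookalike(host, trusted):
        reasons.append("look-alike of a trusted domain")
    if registrable_domain(host) not in trusted:
        reasons.append(f"host {host!r} is outside the trusted domains")
    return {"host": host, "trusted": not reasons, "reasons": reasons}


def link_text_mismatch(text: str, href: str) -> bool:
    """True when the visible anchor text names one host but the href goes elsewhere.
    Plain words such as 'click here' cannot be compared and return False."""
    m = HOSTLIKE.match(text.strip())
    if not m:
        return False
    return m.group(1).lower() != (urlsplit(href).hostname or "")


if __name__ == "__main__":
    for url in ["https://bluebank.example/login",
                "https://bluebank.example@evil.example/login",
                "http://blue-bank.example/account",
                "https://www.bluebank.example.evil.example/"]:
        print(url, analyse_link(url))
```

Note that the check is on the registrable domain, not a substring match: "bluebank.example" appearing anywhere in the host is exactly what the subdomain trick relies on.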

 Session Hijacking
 Intercepting and carrying on a session begun by another entity.
 Two entities enter into a session; a third entity then intercepts the traffic and carries on the session in the name of one of them.
 Typically the attacker steals a valid session identifier and uses it to get into the system and snoop on the data.
 Tools: Juggernaut, Hunt, IP Watcher

 Man-in-the-Middle Attack
 One entity intrudes between two others.
 The difference between a man-in-the-middle attack and session hijacking is that a man-in-the-middle usually participates from the start of the session, whereas session hijacking occurs after a session has been established.
 Tools: PacketCreator, Ettercap, Dsniff, Cain & Abel

Message Confidentiality Threats
 An attacker can easily violate message confidentiality (and perhaps integrity) because of the public nature of networks.
 Eavesdropping and impersonation attacks can lead to a confidentiality or integrity failure.
 Several other vulnerabilities can also affect confidentiality:
 Misdelivery: a message delivered to the wrong recipient through an addressing or routing error
 Exposure: a message held in plaintext at some point on its route (buffers, switches, routers, gateways)
 Traffic flow analysis: learning who communicates with whom, and how often, even when the content itself is encrypted

Message Integrity Threats
 The integrity or correctness of a communication is at least as important as its confidentiality.
 Threats based on failures of integrity in communication:
 Falsification of messages: an attacker can take advantage of our trust in messages to mislead us, by
 changing some or all of the content of a message, or
 replacing a message entirely, including the date, time and sender/receiver identification
 Noise: signals sent over communications media are subject to interference from other traffic on the same media and from natural sources
 Fortunately, communications protocols are deliberately designed (with checksums, sequence numbers and retransmission) to overcome the effects of noise. Those mechanisms do not protect against deliberate falsification, which needs a cryptographic integrity check.

Web Site Vulnerabilities
 A web site is especially vulnerable because it is almost completely exposed to the user.
 One of the most widely known attacks is web site defacement.
 Common web site vulnerabilities:
 Web site defacement
 Buffer overflows
 Dot-dot-slash (directory traversal)
 Application code errors
 Server-side includes

Denial of Service
 There are many accidental and malicious threats to availability or continued service:
 Transmission failure
 Connection flooding
 Echo-chargen
 Ping of death
 Smurf
 SYN flood
 Traffic redirection
 DNS attacks
 Distributed denial of service

Smurf
Figure: Smurf Attack.

Distributed Denial of Service
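Detection logic for two of the floods listed above (SYN flood and smurf), as an added example that is not part of the original slides. The traffic records are constructed inline in the shape a packet or flow logger might emit; the addresses are documentation ranges and the thresholds are assumptions to tune per site. A SYN flood shows up as many SYNs to one destination that are never followed by the client's ACK, so the server's backlog fills with half-open connections; a smurf shows up as a victim receiving echo replies from many hosts although it never sent the corresponding echo requests.

```python
from collections import defaultdict
from typing import Dict, List

# A record is one observed packet.
#   proto "tcp":  flags "S" (SYN), "SA" (SYN-ACK) or "A" (ACK)
#   proto "icmp": type "echo-request" or "echo-reply"


def sample_records() -> List[dict]:
    """Constructed traffic: a SYN flood and a smurf flood against 192.0.2.10,
    plus normal connections and a normal ping exchange involving 192.0.2.20."""
    recs = []
    # 50 SYNs from 50 spoofed sources to the web server; none ever completes.
    for i in range(50):
        recs.append({"proto": "tcp", "src": f"203.0.113.{i + 1}", "sport": 40000 + i,
                     "dst": "192.0.2.10", "dport": 80, "flags": "S"})
    # Five legitimate connections to another server, each completing the handshake.
    for i in range(5):
        src, sport = f"198.51.100.{i + 1}", 50000 + i
        recs.append({"proto": "tcp", "src": src, "sport": sport, "dst": "192.0.2.20", "dport": 443, "flags": "S"})
        recs.append({"proto": "tcp", "src": src, "sport": sport, "dst": "192.0.2.20", "dport": 443, "flags": "A"})
    # Smurf: the attacker pinged a broadcast address with the victim's address as the
    # source; 40 hosts on that subnet all reply to 192.0.2.10, which sent no request.
    for i in range(40):
        recs.append({"proto": "icmp", "src": f"198.51.100.{100 + i}", "dst": "192.0.2.10", "type": "echo-reply"})
    # A normal ping exchange: four requests from 192.0.2.20 and four replies back.
    for _ in range(4):
        recs.append({"proto": "icmp", "src": "192.0.2.20", "dst": "203.0.113.1", "type": "echo-request"})
        recs.append({"proto": "icmp", "src": "203.0.113.1", "dst": "192.0.2.20", "type": "echo-reply"})
    return recs


def detect_syn_flood(records: List[dict], min_syns: int = 20,
                     max_completed_ratio: float = 0.2) -> Dict[str, dict]:
    """Flag destinations that receive many SYNs of which few are followed by the
    client's ACK; the half-open connections are what exhaust the server's backlog."""
    syns = defaultdict(set)       # dst -> {(src, sport)} that sent a SYN
    completed = defaultdict(set)  # dst -> {(src, sport)} that later sent an ACK
    for r in records:
        if r["proto"] != "tcp":
            continue
        key = (r["src"], r["sport"])
        if r["flags"] == "S":
            syns[r["dst"]].add(key)
        elif r["flags"] == "A" and key in syns[r["dst"]]:
            completed[r["dst"]].add(key)
    alerts = {}
    for dst, opened in syns.items():
        ratio = len(completed[dst]) / len(opened)
        if len(opened) >= min_syns and ratio <= max_completed_ratio:
            alerts[dst] = {"syns": len(opened), "half_open": len(opened) - len(completed[dst])}
    return alerts


def detect_smurf(records: List[dict], min_replies: int = 20, min_sources: int = 10) -> Dict[str, dict]:
    """Flag hosts receiving echo replies from many sources without having sent a
    comparable number of echo requests: unsolicited replies are the smurf signature."""
    replies = defaultdict(list)       # dst -> [src, ...] of echo replies received
    requests_sent = defaultdict(int)  # host -> echo requests it originated
    for r in records:
        if r["proto"] != "icmp":
            continue
        if r["type"] == "echo-reply":
            replies[r["dst"]].append(r["src"])
        elif r["type"] == "echo-request":
            requests_sent[r["src"]] += 1
    alerts = {}
    for dst, sources in replies.items():
        unsolicited = len(sources) - requests_sent[dst]
        if unsolicited >= min_replies and len(set(sources)) >= min_sources:
            alerts[dst] = {"replies": len(sources), "sources": len(set(sources)), "unsolicited": unsolicited}
    return alerts


if __name__ == "__main__":
    recs = sample_records()
    print("SYN flood:", detect_syn_flood(recs))
    print("Smurf:", detect_smurf(recs))
```

Both detectors key on the asymmetry the attack creates rather than on raw volume, which is why the five completed connections and the normal ping exchange in the sample do not fire. In production the same logic is run over a sliding time window rather than over the whole capture.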

Threats in Active or Mobile Code
 Active code or mobile code is a general name for code that is pushed to the client for execution.
 Related potential vulnerabilities:
 Cookies
 Scripts
 Active code
 Java code
 ActiveX controls

Network Security Controls
 Design and implementation
 Architecture
 Segmentation: segmentation reduces the number of threats and limits the amount of damage a single vulnerability can allow. An e-commerce system, for example, can be split into separate segments for:
 a web server, to handle users' HTTP sessions
 application code, to present your goods and services for purchase
 a database of goods, and perhaps an accompanying inventory to track the count of stock on hand and on order from suppliers
 a database of orders taken
Figure: Segmented Architecture.

 Redundancy: allowing a function to be performed on more than one node.
 Failover mode: the servers communicate with each other periodically, each determining whether the other is still active; if one fails, the other takes over its work.
 Single points of failure: the architecture should at least make sure that the system tolerates the failure of any one component in an acceptable way.

Encryption
 Encryption is a powerful tool for providing privacy, authenticity, integrity and limited access to data.
 In network applications, encryption can be applied:
 between two hosts (link encryption), or
 between two applications (end-to-end encryption)

 Link encryption: data are encrypted just before the system places them on the physical communications link.
 Encryption occurs at layer 1 or 2 of the OSI model.
 Decryption occurs just as the communication arrives at and enters the receiving computer.
 Encryption protects the message in transit between two computers, but the message is in plaintext inside each host along the way.
 The exposure therefore occurs on the sender's or receiver's host or workstation (and on every intermediate node); this is acceptable only if those hosts are protected by other means, such as alarms or locked doors.
 Link encryption is especially appropriate when the transmission line is the point of greatest vulnerability. If all hosts on a network are reasonably secure but the communications medium is shared with other users or is not secure, link encryption is an easy control to use.

Link Encryption
Figure: Link Encryption.
Figure: Message Under Link Encryption.

End-to-End Encryption
 End-to-end encryption provides security from one end of a transmission to the other.
 The encryption can be applied by a hardware device between the user and the host, or
 by software running on the host computer.
 Encryption is performed at the highest levels (layer 7, application, or perhaps layer 6, presentation) of the OSI model.


Comparison of Link and End-to-End Encryption
Security within hosts
 Link: data exposed in the sending host. End-to-end: data encrypted in the sending host.
 Link: data exposed in intermediate nodes. End-to-end: data encrypted in intermediate nodes.
Role of user
 Link: applied by the sending host. End-to-end: applied by the sending process.
 Link: invisible to the user. End-to-end: the user applies the encryption.
 Link: the host maintains the encryption. End-to-end: the user must find an algorithm.
 Link: one facility for all users. End-to-end: the user selects the encryption.
 Link: typically done in hardware. End-to-end: either software or hardware implementation.
 Link: all or no data encrypted. End-to-end: the user chooses whether to encrypt each data item.
Implementation concerns
 Link: requires one key per host pair. End-to-end: requires one key per user pair.
 Link: provides node authentication. End-to-end: provides user authentication.
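The "data exposed in intermediate nodes" row of the comparison, made concrete as an added example that is not part of the original slides. It simulates a message travelling from a sending host through two routers to a receiving host and records what each node holds in memory under link encryption (one key per adjacent pair, decrypt at every hop so the node can route) and under end-to-end encryption (one key shared only by the two processes). The node names, keys and the SHA-256 counter-mode keystream are assumptions; that toy cipher exists only so the example runs without third-party packages and is not a construction to reuse.

```python
import hashlib
from typing import Dict, List, Tuple


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter. Illustration only, not vetted."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt   # XOR with the same keystream undoes it

# Assumed topology: sending host, two intermediate routers, receiving host.
PATH = ["alice-host", "router-1", "router-2", "bob-host"]

# Link encryption: one key per adjacent pair of nodes (the "one key per host pair" row).
LINK_KEYS: Dict[Tuple[str, str], bytes] = {
    ("alice-host", "router-1"): b"link-key-alice-r1",
    ("router-1", "router-2"): b"link-key-r1-r2",
    ("router-2", "bob-host"): b"link-key-r2-bob",
}

# End-to-end: one key known only to the two communicating processes.
E2E_KEY = b"alice-bob-application-key"


def link_encrypted_delivery(msg: bytes, path: List[str] = PATH,
                            keys: Dict[Tuple[str, str], bytes] = LINK_KEYS) -> Dict[str, bytes]:
    """Encrypt just before each link (layer 1/2) and decrypt on arrival at the next
    node, which must read the headers to forward. Returns what each node holds."""
    in_memory = {path[0]: msg}                  # plaintext inside the sending host
    for here, nxt in zip(path, path[1:]):
        on_wire = toy_encrypt(keys[(here, nxt)], in_memory[here])
        in_memory[nxt] = toy_decrypt(keys[(here, nxt)], on_wire)
    return in_memory


def end_to_end_delivery(msg: bytes, path: List[str] = PATH, key: bytes = E2E_KEY) -> Dict[str, bytes]:
    """The sending process encrypts (layer 6/7) before the data leave the application;
    every node in between forwards ciphertext; only the receiving process decrypts."""
    in_memory = {path[0]: toy_encrypt(key, msg)}
    for here, nxt in zip(path, path[1:]):
        in_memory[nxt] = in_memory[here]        # routers forward what they were given
    in_memory[path[-1]] = toy_decrypt(key, in_memory[path[-1]])
    return in_memory


def nodes_seeing_plaintext(msg: bytes, delivery: Dict[str, bytes]) -> List[str]:
    """Which nodes on the path held the message in the clear."""
    return [node for node, held in delivery.items() if held == msg]


if __name__ == "__main__":
    m = b"transfer 1000 to account 42"
    print("link:       ", nodes_seeing_plaintext(m, link_encrypted_delivery(m)))
    print("end-to-end: ", nodes_seeing_plaintext(m, end_to_end_delivery(m)))
```

The two schemes are not exclusive: running link encryption underneath end-to-end encryption hides the headers on each wire while still denying the routers the application data, which is the usual layering in practice (for example TLS inside an IPsec tunnel).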

Virtual Private Networks
 Link encryption can be used to give a network's users the sense that they are on a private network, even when it is part of a public network.
 The communication passes through an encrypted tunnel between the two endpoints, so anyone on the public network in between sees only ciphertext.

PKI and Certificates
 A public key infrastructure (PKI) is a process created to enable users to implement public key cryptography, usually in a large (and frequently distributed) setting.
 A PKI offers each user a set of services related to identification and access control:
 Create certificates associating a user's identity with a (public) cryptographic key
 Give out certificates from its database
 Sign certificates, adding its credibility to the authenticity of the certificate
 Confirm (or deny) that a certificate is valid
 Invalidate certificates for users who are no longer allowed access or whose private key has been exposed

 A PKI sets up entities, called certificate authorities (CAs), that implement the PKI's policy on certificates.
 The specific actions of a certificate authority include:
 managing public key certificates through their whole life cycle
 issuing certificates by binding a user's or system's identity to a public key with a digital signature
 scheduling expiration dates for certificates
 ensuring that certificates are revoked when necessary, by publishing certificate revocation lists (CRLs)

SSH Encryption
 SSH (secure shell) is a pair of protocols (versions 1 and 2), originally defined for Unix but also available under Windows 2000, that provides an authenticated and encrypted path to the shell or operating system command interpreter. Only version 2 should be enabled today; version 1 has known weaknesses.
 The SSH protocol involves negotiation between the local and remote sites of the encryption algorithm (for example DES, IDEA, AES) and the authentication method (including public key and Kerberos).

SSL Encryption
 The SSL (Secure Sockets Layer) protocol was originally designed by Netscape to protect communication between a web browser and server; its standardised successor is TLS (Transport Layer Security).
 SSL sits between applications (such as browsers) and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server.
 To use SSL, the client requests an SSL session. The server responds with its public key certificate so that the client can verify the authenticity of the server (a valid signature chain to a trusted CA, an unexpired certificate, and a name matching the server contacted) before any application data are sent.

IPsec
 IPsec is implemented at the IP layer, so it protects all traffic above it (TCP, UDP and their applications) without changes to the applications.
 IPsec is somewhat similar to SSL in that it supports authentication and confidentiality in a way that does not require significant change either above it (in the applications) or below it (in the TCP protocols).
 It was designed to be independent of specific cryptographic algorithms and to let the two communicating parties agree on a mutually supported set of algorithms.

Figure: Packets: (a) Conventional Packet; (b) IPsec Packet.

 Signed code
 A trustworthy third party appends a digital signature to a piece of code, supposedly connoting more trustworthy code. A signature structure in a PKI helps to validate the signature. Note that a signature proves origin and integrity, not that the code is free of flaws.
 Encrypted e-mail
 To protect the privacy of the message and its routing information, we can use encryption to protect the confidentiality of the message and perhaps its integrity.

Strong Authentication
 One-time passwords
 Challenge-response systems
 Digital distributed authentication
 Kerberos

Access Controls
 Authentication deals with the "who" of security policy enforcement; access controls enforce the "what" and "how".
 ACLs on routers
 Firewalls
 Honeypots


Summary of Network Vulnerabilities
Target: Vulnerabilities
Precursors to attack: port scan; social engineering; reconnaissance; OS and application fingerprinting
Authentication failures: impersonation; guessing; eavesdropping; spoofing; session hijacking; man-in-the-middle attack
Programming flaws: buffer overflow; addressing errors; parameter modification, time-of-check to time-of-use errors; server-side include; cookie; malicious active code (Java, ActiveX); malicious code (virus, worm, Trojan horse); malicious typed code
Confidentiality: protocol flaw; eavesdropping; passive wiretap; misdelivery; exposure within the network; traffic flow analysis; cookie
Integrity: protocol flaw; active wiretap; impersonation; falsification of message; noise; web site defacement; DNS attack
Availability: protocol flaw; transmission or component failure; connection flooding (e.g. echo-chargen, ping of death, smurf, SYN flood); DNS attack; traffic redirection; distributed denial of service

Firewalls
 A firewall is a device that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network.
 The purpose of a firewall is to keep "bad" things outside the protected environment.
 To accomplish that, firewalls implement a security policy: a rule set stating which traffic may pass and which may not.

Firewalls (cont)
 The design of a firewall should maintain these qualities (the same ones required of a reference monitor):
 Always invoked: all traffic between the two networks passes through it, with no path around it.
 Tamperproof: it cannot be modified by the traffic it filters or by an attacker.
 Small and simple enough for rigorous analysis.

Firewalls (cont)
 Firewall types are distinguished by their capabilities. The types are:
 Packet filtering gateways or screening routers.
 The simplest type and, in some situations, the most effective. They control packets on the basis of source and destination address and service (port) number, one packet at a time.
 Stateful inspection firewalls.
 Maintain state information from one packet to another in the input stream, so a packet can be judged as part of the connection it belongs to.
 Application proxies.
 Simulate the (proper) effects of an application so that the real application receives only requests to act properly.

Firewalls (cont)
 Types of firewalls (cont):
 Guards.
 A sophisticated firewall that decides what services to perform on the user's behalf in accordance with its available knowledge, such as the user's identity, previous interactions and the content of the data.
 Personal firewall.
 An application program that runs on a workstation to block unwanted traffic, usually from the network.

Comparison of Firewall Types
Packet filtering: simplest; sees only addresses and service protocol type; auditing difficult; screens based on connection rules; complex addressing rules can make configuration tricky.
Stateful inspection: more complex; can see either addresses or data; auditing possible; screens based on information across packets, in either header or data field; usually preconfigured to detect certain attack signatures.
Application proxy: even more complex; sees full data portion of packet; can audit activity; screens based on behaviour of proxies; simple proxies can substitute for complex addressing rules.
Guard: most complex; sees full text of communication; can audit activity; screens based on interpretation of message content; complex guard functionality can limit assurance.
Personal firewall: similar to packet filtering firewall; can see full data portion of packet; can and usually does audit activity; typically screens based on information in a single packet, using header or data; usually starts in "deny all inbound" mode, to which the user adds trusted addresses as they appear.
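The difference between the first two rows of the comparison (packet filtering against stateful inspection), as an added example that is not part of the original slides. The rule sets, the inside network 10.0.0.0/8 and the packets are all constructed for the demonstration. A stateless filter judges each packet on its own, so to let replies to outbound web connections back in the administrator has to add the classic "allow inbound from source port 443 with ACK set" rule; an attacker's crafted ACK probe (an ACK scan) satisfies the same rule. A stateful filter records the connections it admitted and lets only their replies through, so the crafted ACK, which belongs to no known connection, is dropped without any such rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One filter rule; a None field matches anything. First matching rule wins."""
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack_set: Optional[bool] = None   # the stateless "established" hack

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.ack_set is not None and p.ack != self.ack_set:
            return False
        return True


class PacketFilter:
    def __init__(self, rules: List[Rule], stateful: bool):
        self.rules = rules
        self.stateful = stateful
        self.state: Set[Tuple[str, str, int, str, int]] = set()   # admitted connections

    def decide(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful and reverse in self.state:
            return "allow"        # reply to a connection we already admitted
        if self.stateful and p.proto == "tcp" and not p.syn:
            return "deny"         # mid-stream TCP segment with no known connection
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and self.stateful:
                    self.state.add(forward)
                return rule.action
        return "deny"             # default deny


INSIDE = "10.0.0.0/8"

# Stateless: replies can only come back through the broad "ACK from port 443" rule.
STATELESS_RULES = [
    Rule("allow", proto="tcp", src_net=INSIDE, dport=443),
    Rule("allow", proto="tcp", dst_net=INSIDE, sport=443, ack_set=True),
    Rule("allow", proto="tcp", dst_net="10.0.0.5/32", dport=25),
    Rule("deny"),
]

# Stateful: no "established" rule needed; the state table admits replies.
STATEFUL_RULES = [
    Rule("allow", proto="tcp", src_net=INSIDE, dport=443),
    Rule("allow", proto="tcp", dst_net="10.0.0.5/32", dport=25),
    Rule("deny"),
]

# Constructed packets.
OUTBOUND_SYN = Packet("tcp", "10.0.0.7", 51000, "192.0.2.80", 443, syn=True)
REPLY_SYNACK = Packet("tcp", "192.0.2.80", 443, "10.0.0.7", 51000, syn=True, ack=True)
CRAFTED_ACK = Packet("tcp", "198.51.100.9", 443, "10.0.0.7", 22, ack=True)    # ACK-scan probe
INBOUND_MAIL = Packet("tcp", "198.51.100.9", 40000, "10.0.0.5", 25, syn=True)
INBOUND_TELNET = Packet("tcp", "198.51.100.9", 40001, "10.0.0.5", 23, syn=True)
TRAFFIC = [OUTBOUND_SYN, REPLY_SYNACK, CRAFTED_ACK, INBOUND_MAIL, INBOUND_TELNET]


def run(rules: List[Rule], stateful: bool, packets: List[Packet]) -> List[str]:
    """Pass the packets through one filter instance in order; return the decisions."""
    fw = PacketFilter(rules, stateful)
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(STATELESS_RULES, False, TRAFFIC))
    print("stateful: ", run(STATEFUL_RULES, True, TRAFFIC))
```

Ordering matters in both rule sets: the final catch-all deny is what turns a packet filter into a default-deny device, and any allow placed after it is dead.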

Intrusion Detection Systems
 An intrusion detection system (IDS) is a device, typically a separate computer, that monitors activity to identify malicious or suspicious events.
 IDSs perform a variety of functions:
 monitoring users and system activity
 auditing system configuration for vulnerabilities and misconfigurations
 assessing the integrity of critical system and data files
 recognising known attack patterns in system activity
 identifying abnormal activity through statistical analysis
 managing audit trails and highlighting user violations of policy or departures from normal activity
 correcting system configuration errors
 installing and operating traps to record information about intruders

 Types of IDSs
 Signature-based intrusion detection systems perform simple pattern matching and report situations that match a pattern corresponding to a known attack type; they cannot detect an attack for which no signature exists.
 Heuristic intrusion detection systems, also known as anomaly-based, build a model of normal behaviour and flag deviations from it; they can catch novel attacks but produce more false alarms.
 Intrusion detection devices can be network-based or host-based:
 A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network.
 A host-based IDS runs on a single workstation, client or host, to protect that one host.

 Stealth mode
 Most IDSs run in stealth mode: the IDS has two network interfaces, one attached to the network (or network segment) being monitored, on which it only listens and cannot be addressed or attacked, and the other used to generate alerts and for administrative needs.

 Goals for intrusion detection systems
 An IDS could use some or all of the following design approaches:
 Filter on packet headers
 Filter on packet content
 Maintain connection state
 Use complex, multi-packet signatures
 Use the minimal number of signatures with maximum effect
 Filter in real time, online
 Hide its presence
 Use an optimal sliding time window size to match signatures
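The two IDS types described above, signature-based and anomaly-based, run over a constructed web server log as an added example that is not part of the original slides. The signatures cover attacks named earlier in this chapter (dot-dot-slash traversal, server-side include injection, an oversized parameter of the kind used in buffer overflow attempts); the anomaly detector learns requests-per-source from a quiet baseline period and flags any source in the observed window that exceeds the mean by more than z standard deviations. Log lines, addresses and the z threshold are assumptions for the demonstration.

```python
import re
import statistics
from collections import Counter
from typing import List, Optional, Set, Tuple

# Common log format: 203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /a HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signature-based detection: patterns for known attack types from this chapter.
SIGNATURES = {
    "dot-dot-slash traversal": re.compile(r"(?:\.\./|\.\.\\|%2e%2e(?:%2f|%5c))", re.I),
    "server-side include injection": re.compile(r"<!--#\s*(?:exec|include)", re.I),
    "oversized parameter (possible buffer overflow)": re.compile(r"=[A-Za-z0-9%]{200,}"),
}


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, path, status = m.groups()
    return {"src": src, "method": method, "path": path, "status": int(status)}


def signature_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(source, signature name, path) for every request matching a known pattern."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name, rec["path"]))
    return alerts


def anomaly_alerts(baseline: List[str], observed: List[str], z: float = 3.0) -> Set[str]:
    """Learn requests-per-source from a normal period, then flag sources in the
    observed window more than z standard deviations above the learned mean."""
    base_counts = Counter(r["src"] for r in filter(None, map(parse, baseline)))
    mean = statistics.mean(base_counts.values())
    stdev = statistics.pstdev(base_counts.values())
    threshold = mean + z * max(stdev, 1.0)     # floor so a flat baseline does not flag everyone
    obs_counts = Counter(r["src"] for r in filter(None, map(parse, observed)))
    return {src for src, n in obs_counts.items() if n > threshold}


def make_line(src: str, path: str, status: int = 200) -> str:
    """Constructed log line in common log format."""
    return f'{src} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512'


def sample_logs() -> Tuple[List[str], List[str]]:
    """Constructed baseline (quiet period) and observed window containing two
    traversal probes from one source and a login-page hammering from another."""
    baseline = [make_line(f"198.51.100.{i}", "/index.html")
                for i, n in enumerate([3, 4, 5, 4, 6], 1) for _ in range(n)]
    observed = [make_line(f"198.51.100.{i}", "/index.html") for i in range(1, 6) for _ in range(4)]
    observed.append(make_line("203.0.113.9", "/cgi-bin/../../../../etc/passwd", 404))
    observed.append(make_line("203.0.113.9", "/view?page=%2e%2e%2f%2e%2e%2fwin.ini", 404))
    observed += [make_line("203.0.113.77", "/login", 401) for _ in range(120)]
    return baseline, observed


if __name__ == "__main__":
    base, obs = sample_logs()
    print("signature:", signature_alerts(obs))
    print("anomaly:  ", anomaly_alerts(base, obs))
```

The two detectors are complementary in the sample: the traversal probes are only two requests, so no rate-based rule notices them, while the login hammering uses a perfectly ordinary path that no signature matches.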

 IDS strengths and limitations
 Intrusion detection systems are evolving products that detect an ever-growing number of serious problems.
 Their sensitivity is difficult to measure and adjust: too sensitive and they flood the operator with false alarms; too lax and they miss real attacks.
 Someone has to monitor the IDS's track record and respond to its alarms; an IDS whose alerts nobody reads provides no protection.

EXERCISE
 Discuss six reasons that make a network vulnerable.
 One way an attacker investigates and plans an attack is through reconnaissance. Explain it.
 What can firewalls block, and what can they not block?
 Explain Kerberos in detail.