An Overview of Computer and Network Security CS535, TE/CS 536 Network Security Spring 2005 – Lecture 2.

A Motivating Example
- Requirements of an e-Commerce site
  - Performance
    - # of concurrent transactions
  - Usability
    - Easy-to-follow GUIs, convenience
  - Security
    - Secure transmission and storage of customer financial/personal data
    - Protect the Web servers and the enterprise network from illegitimate access
    - Provide continuous/uninterrupted services

The Internet
(Diagram comparing the two layer models)
- OSI of ISO: Application, Presentation, Session, Transport, Network, Data Link, Physical
- Internet stack: Application Layer, Transport, Internet, Data Link, Physical

Protocols
- Application layer: HTTP, FTP, Telnet, SMTP, DNS
- Transport layer: TCP, UDP
- Internetworking layer: IP, ICMP, ARP, RARP
- Network interface (data link) layer: Ethernet, PPP
- Physical layer

Layered Store-and-forward
(Diagram: User A and User B each with an Application, Transport, Network and Link layer; intermediate nodes store and forward at the lower layers)

Problems in implementing security
- Vulnerabilities arise from:
  - weak design (of system or protocols)
  - a compromised entity
- Heterogeneous networking technologies add to security complexity
- Higher-speed communication puts more information at risk in a given time period

The Definition
- Security: the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable

Basic Security Services
- Authentication: assurance that the communicating entity is genuine
- Data Confidentiality: protection of data from unauthorized access
- Data Integrity: trustworthiness of data or resources (no modification or replay)
- Availability: ability to use the information or resource upon demand by an authorized entity
- Non-repudiation: protection against denial by sending or receiving entities of having communicated

Security Threats and Attacks
- A threat is a potential violation of security.
  - Flaws in design, implementation, and operation.
- An attack is any action that violates security.
  - Carried out by an adversary
  - Passive and active attacks

Eavesdropping - Message Interception (Attack on Confidentiality)
- Unauthorized access to information
- Packet sniffers and wiretappers
- Illicit copying of files and programs
(Diagram: S sends to R while an Eavesdropper reads the traffic)

Integrity Attack - Tampering With Messages
- Stop the flow of the message
- Delay and optionally modify the message
- Release the message again (replay)
(Diagram: a Perpetrator sits between S and R)

Authenticity Attack - Fabrication
- Unauthorized assumption of another's identity
- Generate and distribute objects under this identity
(Diagram: a Masquerader sends to R, claiming "from S")

Attack on Availability
- Destroy hardware (cutting fiber) or software
- Modify software in a subtle way
- Corrupt packets in transit
- Blatant denial of service (DoS):
  - Crashing the server
  - Overwhelming the server (using up its resources)
(Diagram: S and R)

Impact of Attacks
- Theft of confidential information
- Unauthorized use of
  - Network bandwidth
  - Computing resources
- Spread of false information
- Disruption of legitimate services
All attacks can be related and are dangerous!

Close-knit Attack Family
(Diagram)
- Passive attacks: sniff for content; traffic analysis (who is talking)
- Active attacks: re-target; jam/cut it; capture & modify; pretend; re-target

Security Models of organizations
- No security, or security through obscurity
- Host security
  - Application level
  - Problem: many hosts
- Network security
  - Control access to hosts and services
Organizations can be Targets of opportunity (TOO) or Targets of choice (TOC)

Security Policy and Mechanisms
- Policy: a statement of what is/is not allowed.
- Mechanism: a procedure, tool, or method of enforcing a policy. Implements functions that help prevent, detect, respond to and recover from security attacks.
- Security functions are typically made available to users as a set of security services through APIs or integrated interfaces.

Parameters of security policy (Operational Issues)
- Cost-Benefit Analysis
- Risk Analysis
- Laws and Custom
- People issues: e.g. change password every month?
- Security architecture; e.g. a layered approach.

Security Threats and Vulnerabilities
TE/CS 536 Network Security, Dr. Haroon Atique Babri, UMT, Spring 2005 – Lecture 3
Adapted from Dr. Wenke Lee, Georgia Tech

The Security Life-Cycle
- Threats
- Policy
- Specification
- Design
- Implementation
- Operation and Maintenance

Taxonomy of Threats
- Viruses and Worms
- Web features, e.g. cookies (see text)
- IP layer attacks
- TCP layer attacks

Viruses
- A small piece of software that attaches itself to a program (e.g. a spreadsheet) or document.
- Each time the program runs, the virus runs.
- When a virus runs, it looks for any other executable files in any directory and infects them and/or does something bad.

Virus – what does it look like
(Diagram of an infected program)
  Start of original code
    ...
    X-1
    X:   jump to Y
    X+1
    ...
  End of original code
  ...
  Y:   first statement of virus code
    ...
    statement X of the original code
  Y+n: jump to X+1

The Rise of Viruses
- The spread of PCs in the late 1980s
- Use of modem-accessible computer bulletin boards to download programs (or Trojan horses), e.g. games, spreadsheets.
- Floppy disks

Types of Viruses
- Executable
  - Infection phase: (1) Designed to get executed first when the host program runs. (2) Looks into memory, and if it finds another program on the disk, it adds its code to it. (3) The virus then launches the host program.
  - Attack phase: activated by some sort of trigger, e.g. a date; does something bad.

Types of Viruses
- Boot sector viruses
  - The boot sector is a small program that tells the computer how to load the rest of the OS.
  - Transmitted through floppies
  - Good news: the huge sizes of today's programs require CDs, and today's OSes protect the boot sector.
  - Bad news: with CD-RW becoming common, viruses can now spread across CDs

Viruses
- Move around in messages; replicate by automatically mailing themselves to the people in the victim's address book.
  - Melissa (3/99): spread as a Word doc uploaded to an Internet newsgroup.
  - ILOVEYOU (5/00): code as an attachment; double-clicking allowed it to execute; took advantage of the VBA built into Microsoft Word.

Worms
- A small piece of software that normally uses computer networks and security holes to replicate itself.
- A copy of the worm scans the network for another machine that has a specific security hole, e.g. a buffer overflow.
- It copies itself to the new machine using the security hole and …

Worm – how it spreads (1)
- Log into another machine by guessing passwords.
- Account names/passwords might be stored in script files to allow a naïve user to access remote resources.

Worm – how it spreads (2)
- A copy of the worm scans the network for another machine that has a specific security hole, e.g. a buffer overflow.
- It copies itself to the new machine using the security hole and …

Famous Worms
- Code Red: each copy scanned the Internet for Win NT or Win 2000 servers without the MS security patch installed, and copied itself to the server. Code Red was designed to do 3 things:
  - Replicate itself for the first 20 days of each month
  - Replace Web pages on servers with a page: "Hacked by Chinese"
  - Launch an attack on
- Slammer: see handout

What to do
- Virus checkers
  - Check all files for the instruction sequences of known viruses
    - Polymorphic virus: changes the order of instructions, or changes to functionally similar instructions, each time it copies itself.
  - Take a snapshot of disk storage by recording file lengths or taking message digests of files
    - A virus can compress the program and then add itself to maintain the original length.

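An added example (not from the lecture) of the snapshot idea above: a baseline is taken over an in-memory set of constructed "files", once with lengths only and once with SHA-256 digests, and a same-length modification of one file shows why the length-only snapshot is the weaker check.

```python
import hashlib

# Constructed sample "disk" contents: file name -> bytes (not real programs).
ORIGINAL = {
    "calc.exe": b"\x4d\x5a" + b"\x90" * 98,   # 100 bytes
    "notes.txt": b"meeting at 10\n",
}

# A constructed change to calc.exe that keeps its length at exactly 100 bytes,
# standing in for the "compress the host, then append" trick the slide mentions.
MODIFIED = dict(ORIGINAL)
MODIFIED["calc.exe"] = b"\x4d\x5a" + b"\xcc" * 40 + b"\x90" * 58


def snapshot(files, with_digest=True):
    """Record each file's length and, optionally, its SHA-256 digest."""
    snap = {}
    for name, data in files.items():
        entry = {"length": len(data)}
        if with_digest:
            entry["sha256"] = hashlib.sha256(data).hexdigest()
        snap[name] = entry
    return snap


def changed_files(baseline, current):
    """Names whose recorded attributes differ from the baseline; files that
    appeared or disappeared since the baseline are reported as well."""
    names = set(baseline) | set(current)
    return sorted(n for n in names if baseline.get(n) != current.get(n))


def compare(with_digest):
    """Baseline ORIGINAL, re-snapshot MODIFIED, report what the check notices."""
    base = snapshot(ORIGINAL, with_digest)
    now = snapshot(MODIFIED, with_digest)
    return changed_files(base, now)
```

With `with_digest=False` the modified executable is not reported at all; with digests it is.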
What to do
- Use security features provided by a language
  - Java sandbox
  - MS security patches?

IP packet attacks (1)
- Packet sniffing or snooping
  - Prevention: data encryption
    - link to link
    - source to destination

IP Packet Attacks (2)
- IP Spoofing
  - A common first step to many threats.
  - Source IP address cannot be trusted!
(Diagram: an IP packet is an IP header [SRC: source, DST: destination] followed by the IP payload. Is it really from Columbia University?)

Similar to Mail
  From: XYZ, Lahore
  To: ABC, Sialkot
Mail may be better in the sense that there is a stamp put on the envelope at the location (e.g., town) of collection...

Most Routers Only Care About Destination Address
(Diagram: routers between Columbia, Georgia Tech and Stanford forward packets by their dst: field alone; the src: field is never checked)

IP Attacks (3)
- Attack packets with spoofed IP addresses help hide the attacking source.
- A smurf attack launched with your host's IP address could bring your host and network to their knees.
- Higher protocol layers (e.g., TCP) help to protect applications from direct harm, but not enough.

Current IPv4 Infrastructure
- No authentication for the source
- Various approaches exist to address the problem:
  - Router/firewall filtering
  - TCP handshake

Router Filtering
- Decide whether this packet, with a certain source IP address, should come from this side of the network.
- Not standard - local policy
(Diagram: a router receives a packet with dst: Stanford on the wrong interface for its src: address and rejects it: "Hey, you shouldn't be here!")

Router Filtering
- Very effective for some networks (ISPs should always do that!)
  - At least be sure that this packet is from some particular subnet
- Problems:
  - Hard to handle frequent adding/deleting of hosts/subnets, or Mobile IP
  - Upsets customers should legitimate packets get discarded
  - Need to trust other routers

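An added example (not from the lecture) of the local-policy filter the two slides above describe: a router knows which source prefixes belong on each customer-facing interface and drops packets whose source address does not fit, and also drops packets arriving from the upstream side that claim one of its own addresses. The interface names, prefixes and packets are constructed; the dropped packet from a subnet not yet in the policy table shows the "upsets customers" problem.

```python
import ipaddress

# Constructed policy: source prefixes expected on each customer-facing interface.
EXPECTED_SOURCES = {
    "eth0": ["192.0.2.0/24"],
    "eth1": ["198.51.100.0/24"],
}
# Everything we own; "eth2" (upstream) should never deliver packets from these.
OWN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def filter_packet(iface, src, dst):
    """Return ("ACCEPT" | "DROP", reason) for one packet seen on iface."""
    if iface in EXPECTED_SOURCES:
        # Customer side: the source must belong to that customer's subnet(s).
        if _in_any(src, EXPECTED_SOURCES[iface]):
            return "ACCEPT", "source matches interface"
        return "DROP", "source not expected on " + iface
    # Upstream side: a packet claiming one of our own addresses cannot be
    # arriving from outside, so someone is impersonating us.
    if _in_any(src, OWN_PREFIXES):
        return "DROP", "external packet with internal source"
    return "ACCEPT", "external source on upstream"


# Constructed packets: (interface, src, dst)
PACKETS = [
    ("eth0", "192.0.2.10", "203.0.113.5"),    # genuine customer traffic
    ("eth0", "203.0.113.9", "203.0.113.5"),   # spoofed: not from eth0's subnet
    ("eth0", "192.0.3.4", "203.0.113.5"),     # customer subnet added, policy not updated
    ("eth2", "203.0.113.9", "192.0.2.10"),    # genuine inbound traffic
    ("eth2", "192.0.2.10", "198.51.100.7"),   # spoofed: our address, arriving from outside
]


def run(packets=PACKETS):
    """Verdict for each packet, in order."""
    return [filter_packet(*p)[0] for p in packets]
```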
TCP Handshake
(Diagram)
  client -> server: SYN, seq=x
  server -> client: SYN, seq=y, ACK x+1
  client -> server: ACK y+1
  connection established

TCP Handshake
(Diagram: an attacker behind a router sends a SYN with a spoofed src: toward Stanford; the server's "seq=y, ACK x+1" reply goes to the spoofed address, not to the attacker)
The handshake prevents the attacker from establishing a TCP connection pretending to be

TCP Handshake
- Very effective for stopping most such attacks, but vulnerable
- Problems:
  - The attacker can succeed if "y" can be predicted
  - Other DoS attacks are still possible (e.g., TCP SYN flood)

IP Spoofing & SYN Flood
- IP spoofing: X sends a SYN message to victim R using S's IP address
- R sends an acknowledgment (SYN-ACK) to client S but does not receive the ACK message (half-open connection).
- The half-open connection data structure on the victim server R eventually fills. R is unable to accept new connections until the table is emptied out.
- Normally a timeout for half-open connections allows R to recover. However, X can continue sending IP-spoofed packets requesting new connections faster than R can expire the pending connections.

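An added model (not from the lecture) of the last four slides: server R keeps a bounded half-open table, expires entries after a timeout, and completes a handshake only when the final ACK carries y+1 for a pending entry. The simulation sends spoofed SYNs that S never answers and shows that once the arrival rate exceeds what the timeout can expire, a legitimate client stops getting through. Table size, timeout and rates are constructed values.

```python
import random


class Listener:
    """Model of victim server R's half-open (SYN received, ACK pending) table."""

    def __init__(self, capacity, timeout, rng=None):
        self.capacity = capacity      # max half-open entries R will hold
        self.timeout = timeout        # seconds before a pending entry is expired
        self.rng = rng or random.Random(1)
        self.half_open = {}           # (src_ip, src_port) -> (y, time SYN arrived)
        self.established = 0
        self.dropped = 0              # SYNs refused because the table was full

    def _expire(self, now):
        for key in [k for k, (_, t) in self.half_open.items() if now - t >= self.timeout]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """SYN from src: allocate an entry and return the ISN y sent in the SYN-ACK."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return None
        y = self.rng.getrandbits(32)
        self.half_open[src] = (y, now)
        return y  # the SYN-ACK goes to src's address, whoever really sent the SYN

    def on_ack(self, src, ack, now):
        """Final ACK: accepted only if it carries y+1 for a still-pending entry."""
        self._expire(now)
        entry = self.half_open.get(src)
        if entry is None or ack != (entry[0] + 1) & 0xFFFFFFFF:
            return False  # entry timed out, or y was guessed wrong
        del self.half_open[src]
        self.established += 1
        return True


def simulate(capacity=64, timeout=10.0, attacker_rate=20, seconds=30):
    """X sends attacker_rate spoofed SYNs per second (S never replies, so those
    entries leave the table only by timeout); one legitimate client attempts a
    full handshake each second. Returns (legitimate connections, SYNs dropped)."""
    srv = Listener(capacity, timeout)
    legit_ok = 0
    for t in range(seconds):
        for i in range(attacker_rate):
            srv.on_syn(("spoofed-S-%d-%d" % (t, i), 0), float(t))
        key = ("client", t)
        y = srv.on_syn(key, t + 0.5)
        if y is not None and srv.on_ack(key, (y + 1) & 0xFFFFFFFF, t + 0.6):
            legit_ok += 1
    return legit_ok, srv.dropped
```

With the defaults the table can expire at most 6.4 entries per second, so 20 spoofed SYNs per second fill it after three seconds and the legitimate client never connects again; at 5 per second it always does.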
(Diagram)
  ping: attacker -> victim: ICMP echo request; victim -> attacker: ICMP echo reply
  smurf: attacker sends an ICMP echo request to a broadcast address with source "from victim"; all hosts on that network send ICMP echo replies to the victim

Smurf Attack
- Generate a ping stream (ICMP echo requests) to a network broadcast address with a spoofed source IP set to a victim host
- Every host on the ping target network will generate a ping reply (ICMP echo reply) stream, all towards the victim host
- The amplified ping reply stream can easily overwhelm the victim's network connection

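An added detection example (not from the lecture) for the smurf pattern on the monitoring side: over constructed ICMP packet records it flags echo requests addressed to the monitored network's broadcast address (the trigger) and any outside host receiving an amplified stream of echo replies from that network (the victim). Network, addresses and threshold are constructed.

```python
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.0.2.0/24")   # constructed monitored network

# Constructed packet records: (src, dst, icmp_type); 8 = echo request, 0 = echo reply.
PACKETS = [
    ("203.0.113.7", "192.0.2.1", 8),       # an ordinary ping to one host ...
    ("192.0.2.1", "203.0.113.7", 0),       # ... and its single reply
    ("198.51.100.9", "192.0.2.255", 8),    # echo request to the broadcast address,
                                           # source forged as the victim 198.51.100.9
] + [("192.0.2.%d" % h, "198.51.100.9", 0) for h in range(2, 52)]  # 50 replies to the victim


def findings(packets, lan=LAN, reply_threshold=10):
    """Alerts: broadcast-directed echo requests, and outside hosts that receive
    at least reply_threshold echo replies from the monitored network."""
    alerts = []
    replies = Counter()
    for src, dst, icmp_type in packets:
        d = ipaddress.ip_address(dst)
        if icmp_type == 8 and d == lan.broadcast_address:
            alerts.append(("broadcast-echo-request", src, dst))
        elif icmp_type == 0 and d not in lan:
            replies[dst] += 1          # replies leaving the network, per recipient
    for victim, n in replies.items():
        if n >= reply_threshold:
            alerts.append(("reply-flood", victim, n))
    return alerts


def amplification(packets, lan=LAN):
    """Echo replies leaving the network per broadcast echo request that entered it."""
    requests = sum(1 for _, dst, t in packets
                   if t == 8 and ipaddress.ip_address(dst) == lan.broadcast_address)
    replies = sum(1 for _, dst, t in packets
                  if t == 0 and ipaddress.ip_address(dst) not in lan)
    return replies / requests if requests else 0.0
```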
Learning about attacks and vulnerabilities