Security. Copyright 2003 Prentice-Hall. Panko's Business Data Networking and Telecommunications, 4th edition.


2 Types of Attackers
Wizard Internet hackers: highly capable attackers.
Amateurs (script kiddies): light skills, but numerous and armed with automated attack programs (kiddie scripts) of increasing potency.

3 Types of Attackers
Criminals: theft of credit card numbers, trade secrets, and other sensitive information. They sell the information or attempt extortion to prevent its release.
Individual criminals.
Industrial and government espionage spies.

4 Types of Attackers
Employees: dangerous because of internal knowledge and access.
Often large losses per incident due to theft, fraud, or sabotage.

5 Types of Attackers
Information warfare and cyberterrorism: a massive attack by a government or terrorist group against a country's IT infrastructure.
Attacks by amateur cyberterrorists are already starting to approach this level of threat.

6 Types of Security Systems
Figure: a secure communication system. A client PC and a server exchange messages over a network; an attacker taps into the conversation and tries to read messages, alter messages, or add new messages.

7 Types of Security Systems
Figure: an attack prevention system. Attack messages from an attacker on the Internet are stopped by a firewall at the border of the corporate network; behind the firewall sit a hardened client PC and a hardened server with permissions.

8 Attacks Requiring Protection
Hacking servers: access without permission or in excess of permission. Servers are attractive because of the data they store.
Hacking clients: attractive because of their data, or as a way to attack other systems by using the hacked client as an attack platform. Clients are soft targets compared to servers; most users are security novices.

9 Attacks Requiring Protection
Denial-of-service (DoS) attacks: make the system unusable (crash it or make it run very slowly) by sending one message or a stream of messages. The result is a loss of availability.
Figure: single-message DoS attack. The attacker sends one malformed message that crashes the victim server.

10 Attacks Requiring Protection
Figure: message-stream DoS attack. The attacker sends a flood of messages that overloads the victim server.

11 Denial-of-Service Attacks
Distributed DoS (DDoS) attack: messages come from many sources.
Figure: the attacker sends an attack command to many computers that have been infected with a zombie program; each zombie then sends a message stream at the victim server.

12 Attacks Requiring Protection
Scanning attacks: used to identify victims and ways of attacking them. The attacker sends probe messages in order to select victims and attack methods, then examines what the responses reveal:
IP addresses of potential victims.
What services the victims are running; different services have different weaknesses.
The host's operating system, version number, etc.

13 Attacks Requiring Protection
Malicious content:
Viruses: infect files; propagate when the infected program is executed. Payloads may be destructive.
Worms: propagate by themselves.
Trojan horses: appear to be one thing, such as a game, but actually are malicious.
Snakes: combine a worm with viruses, Trojan horses, and other attacks.

14 Attacks Requiring Protection
Malicious content (continued):
Illegal content: pornography, sexual or racial harassment.
Spam (unsolicited commercial e-mail).
The security group is often called upon to address pornography, harassment, and spam.

15 Packet Filter Firewall
Figure: packets arriving from the Internet pass through the packet filter firewall into the corporate network and are either permitted or denied. The firewall reads the IP header (IP-H) and the TCP header (TCP-H), UDP header (UDP-H), or ICMP message inside each packet; it does not look at the application message.
Examines packets in isolation: fast, but misses some attacks.

16 Access Control List Fragment
For packets containing TCP segments:
Rule 1: IF Interface = Internal AND (Source Port Number = 7056 OR Source Port Number = 8002 through 8007) THEN DENY.
Remark: these source ports are used by a well-known Trojan horse program; because the rule applies to the internal interface, it stops an infected internal host from calling out.

17 Access Control List Fragment
Rule 2: IF Interface = External AND Destination Port Number = 80 AND Destination IP Address = <known webserver address> THEN PERMIT.
Remark: going to a known webserver.

18 Access Control List Fragment
Rule 3: IF Interface = External AND Destination Port Number = 80 AND Destination IP Address = NOT <known webserver address> THEN DENY.
Remark: going to an unknown webserver.

19 Access Control List Fragment
Rule 4: IF Interface = External AND (SYN = Set AND FIN = Set) THEN DENY.
Remark: a TCP segment with both the SYN and FIN flags set is used in host scanning attacks and never occurs in real transactions.

20 Access Control List Fragment
Order: rules are executed in order. If a packet is permitted or denied by one rule, it does not reach subsequent rules.
Misconfiguration is easy and can open the network to attack.
Always test a firewall by hitting it with attack messages to see if they are handled properly.
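The four rules above, with first-match ordering, as an added worked example in Go (this is not code from Panko's slides). The known webserver's address is omitted on the slides, so the example assumes a TEST-NET-1 placeholder, 192.0.2.10, and a second placeholder, 198.51.100.7, for an unknown host. It shows the ordering pitfall the slide warns about: in slide order, a SYN+FIN scan probe aimed at port 80 on the known webserver matches Rule 2 (PERMIT) before it ever reaches Rule 4 (DENY).

```go
package main

import (
	"fmt"
	"net/netip"
)

// Interface is the firewall interface a packet arrived on.
type Interface int

const (
	Internal Interface = iota // from the corporate network
	External                  // from the Internet
)

// Packet carries only the header fields the four slide rules look at.
type Packet struct {
	Iface   Interface
	SrcPort uint16
	DstPort uint16
	DstIP   netip.Addr
	SYN     bool
	FIN     bool
}

// Rule is one ACL entry: Match says whether it applies, Permit is its action.
type Rule struct {
	Name   string
	Match  func(Packet) bool
	Permit bool
	Remark string
}

// Assumed placeholder addresses (documentation ranges); the slides leave the real one blank.
var (
	knownWebserver = netip.MustParseAddr("192.0.2.10")
	unknownHost    = netip.MustParseAddr("198.51.100.7")
)

// rules is the fragment from the slides, in slide order.
var rules = []Rule{
	{"Rule 1", func(p Packet) bool {
		return p.Iface == Internal && (p.SrcPort == 7056 || (p.SrcPort >= 8002 && p.SrcPort <= 8007))
	}, false, "Used by a well-known Trojan horse program"},
	{"Rule 2", func(p Packet) bool {
		return p.Iface == External && p.DstPort == 80 && p.DstIP == knownWebserver
	}, true, "Going to a known webserver"},
	{"Rule 3", func(p Packet) bool {
		return p.Iface == External && p.DstPort == 80 && p.DstIP != knownWebserver
	}, false, "Going to an unknown webserver"},
	{"Rule 4", func(p Packet) bool {
		return p.Iface == External && p.SYN && p.FIN
	}, false, "Used in host scanning attacks, not in real transactions"},
}

// Evaluate applies first-match semantics: the first rule that matches decides, and
// later rules are never consulted. A packet matching nothing is denied (fail closed).
func Evaluate(rules []Rule, p Packet) (permit bool, by string) {
	for _, r := range rules {
		if r.Match(p) {
			return r.Permit, r.Name
		}
	}
	return false, "default deny"
}

// ScanFirst moves Rule 4 ahead of the others. With the slide order, a SYN+FIN probe
// at port 80 on the known webserver is permitted by Rule 2; a deny rule meant to
// override a permit must precede it.
func ScanFirst(rules []Rule) []Rule {
	reordered := []Rule{rules[3]}
	return append(reordered, rules[:3]...)
}

func main() {
	probe := Packet{Iface: External, DstPort: 80, DstIP: knownWebserver, SYN: true, FIN: true}
	for _, set := range [][]Rule{rules, ScanFirst(rules)} {
		permit, by := Evaluate(set, probe)
		fmt.Printf("SYN+FIN probe to known webserver: permit=%v (%s)\n", permit, by)
	}
	permit, by := Evaluate(rules, Packet{Iface: Internal, SrcPort: 8005, DstPort: 80, DstIP: unknownHost})
	fmt.Printf("internal host calling out from port 8005: permit=%v (%s)\n", permit, by)
}
```

Running the program is the slide's last point in miniature: feed the firewall the attack packet you expect it to drop, and check which rule actually handled it.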

21 Stateful Firewall
Does not examine packets in isolation; examines each packet to see if it is part of an ongoing conversation.
Catches errors that packet filter firewalls cannot. For instance, it refuses a TCP acknowledgement from an external host if no internal host has opened a connection to that host.
Usually does not examine a packet in detail if the packet is part of an ongoing conversation; this can miss attack packets.
(Beyond what is in the book.)

22-25 Application (Proxy) Firewall
Figure: an application firewall running an HTTP proxy, an SMTP (e-mail) proxy, and an FTP proxy sits between the browser on the client PC and the webserver application on the webserver.
1. The browser sends an HTTP request to the HTTP proxy.
2. The proxy examines the request and forwards it to the webserver.
3. The webserver sends its HTTP response to the proxy.
4. The proxy examines the response and forwards it to the browser.

26 Application (Proxy) Firewall
Can examine the application message, so it can filter packets by application content.
If a hacker takes over the proxy firewall, the hacker has not taken over the internal clients, with which the proxy has only indirect contact.
The internal client's IP address is hidden: all packets sent back by the server carry the address of the application proxy server.
Needs a separate proxy program for each application.

27-28 Network Address Translation (NAT)
Figure: a client host on the internal network sends a packet through a NAT firewall to a server on the Internet. The NAT firewall keeps a translation table with an internal column (IP address, port) and an external column (IP address, port).
1. The client sends the packet from its internal IP address and port.
2. The NAT firewall replaces them with an external IP address and port, and records the internal and external pairs as one row in the translation table.
3. The server replies to the external IP address and port.
4. The NAT firewall finds the external address and port in the translation table, restores the internal address and port, and delivers the packet to the client.
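The translation table from the NAT slides, as an added example in Go (not code from the slides). The addresses are constructed sample data: 203.0.113.1 (TEST-NET-3) stands in for the firewall's public address and 10.0.0.x for internal clients, and the external port pool is assumed to start at 40000. Besides the outbound rewrite and the inbound reverse lookup, it shows the consequence the slides do not spell out: an inbound packet with no table row was never requested from inside, so the NAT firewall drops it.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Endpoint is an IP address and port, one half of a translation table row.
type Endpoint struct {
	IP   netip.Addr
	Port uint16
}

// EP builds an Endpoint from a dotted address; it panics on a bad address (sample data only).
func EP(ip string, port uint16) Endpoint {
	return Endpoint{IP: netip.MustParseAddr(ip), Port: port}
}

// NAT is the firewall's translation table: an external (address, port) for each
// active internal (address, port), plus the reverse map used for replies.
type NAT struct {
	externalIP netip.Addr
	nextPort   uint16
	outbound   map[Endpoint]Endpoint // internal -> external
	inbound    map[Endpoint]Endpoint // external -> internal
}

// NewNAT creates a NAT firewall with a single public address.
func NewNAT(externalIP string) *NAT {
	return &NAT{
		externalIP: netip.MustParseAddr(externalIP),
		nextPort:   40000, // assumed start of the external port pool
		outbound:   map[Endpoint]Endpoint{},
		inbound:    map[Endpoint]Endpoint{},
	}
}

// Outbound rewrites the source of a packet leaving the internal network (step 2 on the
// slides). An internal endpoint keeps the same external port while its row exists.
func (n *NAT) Outbound(src Endpoint) Endpoint {
	if ext, ok := n.outbound[src]; ok {
		return ext
	}
	ext := Endpoint{IP: n.externalIP, Port: n.nextPort}
	n.nextPort++
	n.outbound[src] = ext
	n.inbound[ext] = src
	return ext
}

// Inbound restores the internal destination of a reply (step 4). A packet for an
// external port with no row was never solicited from inside and is dropped; this is
// why a NAT firewall, as a side effect, blocks connections initiated from the Internet.
func (n *NAT) Inbound(dst Endpoint) (Endpoint, error) {
	in, ok := n.inbound[dst]
	if !ok {
		return Endpoint{}, errors.New("no translation row: unsolicited inbound packet dropped")
	}
	return in, nil
}

func main() {
	nat := NewNAT("203.0.113.1")
	client := EP("10.0.0.5", 3000)
	ext := nat.Outbound(client)
	fmt.Printf("outbound: %v:%d rewritten to %v:%d\n", client.IP, client.Port, ext.IP, ext.Port)
	back, err := nat.Inbound(ext)
	fmt.Printf("reply to %v:%d delivered to %v:%d (err=%v)\n", ext.IP, ext.Port, back.IP, back.Port, err)
	_, err = nat.Inbound(EP("203.0.113.1", 40999))
	fmt.Println("unsolicited inbound:", err)
}
```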

29 Intrusion Detection
Figure: an intrusion detection system (IDS) watching the traffic to an internal host.
1. An attacker sends an attack packet, and a legitimate host sends a legitimate packet, to the internal host.
2. The IDS sees all packets and writes them to a dump.
3. The IDS notifies the network administrator of a possible attack.
4. The administrator analyzes the dump.

30 Firewalls versus Intrusion Detection
Firewalls permit or deny traffic based on filtering rules.
Intrusion detection systems (IDSs) only save and mark certain packets as suspicious; they do not take action.
Some firewalls issue alerts when packets are dropped, and most firewalls log all drops.
IDSs identify all suspicious packets, many of which turn out to be acceptable; firewall drop rules are more specific.
(New; not in the book.)

31 Hardening Clients and Servers
Known weaknesses: known security weaknesses in operating systems and application programs. Most firms download vendor patches to fix these known weaknesses, but firms often fail to keep up: vendors issue new patches every week, and each patch must be installed on each server.
Host firewalls: server firewalls and personal (client) firewalls.

32 Hardening Clients and Servers
Server authentication: passwords.
Password cracking with exhaustive search and dictionary attacks.
Strong passwords.
Super accounts (root or administrator accounts).

33 Hardening Clients and Servers
Server authentication: rules for strong passwords.
At least 8 characters long.
At least one change of case.
At least one digit (0-9), not at the end.
At least one non-alphanumeric character, not at the end.
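The four rules as a checker, added here in Go (not from the slides). "Change of case" is read as at least one upper-case and one lower-case letter, and "non-alphanumeric" as anything that is neither a letter nor a digit; both readings are assumptions. The sample passwords are constructed. The point the rules make only implicitly is visible in the output: the "dictionary word, then a digit, then punctuation" pattern that a dictionary attack tries first is rejected by the two "not at the end" rules even though it contains all four character classes.

```go
package main

import (
	"fmt"
	"unicode"
)

// StrongPassword applies the four slide rules and returns the rules a password fails.
func StrongPassword(pw string) (ok bool, failed []string) {
	runes := []rune(pw)
	last := len(runes) - 1
	var upper, lower, digit, symbol bool
	for i, r := range runes {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = digit || i != last // a digit counts only if it is not the final character
		case !unicode.IsLetter(r):
			symbol = symbol || i != last // same rule for punctuation and other symbols
		}
	}
	if len(runes) < 8 {
		failed = append(failed, "at least 8 characters")
	}
	if !(upper && lower) {
		failed = append(failed, "at least one change of case")
	}
	if !digit {
		failed = append(failed, "at least one digit not at the end")
	}
	if !symbol {
		failed = append(failed, "at least one non-alphanumeric character not at the end")
	}
	return len(failed) == 0, failed
}

func main() {
	// Constructed samples; "Password1!" is the pattern a dictionary attack tries first.
	for _, pw := range []string{"Password1!", "Pa$sw0rd9", "pa$sw0rd9", "Ab1!"} {
		ok, failed := StrongPassword(pw)
		fmt.Printf("%-12q strong=%v %v\n", pw, ok, failed)
	}
}
```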

34 Kerberos Authentication (Simplified)
Figure: an applicant, a Kerberos server, and a verifier.
1. The applicant performs its initial sign-on to the Kerberos server.
2. The applicant requests a ticket for the verifier.
3. The Kerberos server sends the ticket to the applicant.
4. The applicant presents the ticket to the verifier.

35 Hardening Clients and Servers
Server authentication: biometric authentication.
Fingerprint: least expensive.
Iris: most accurate.
Face recognition: controversial in public places for mass identification.
Other forms of biometric identification.
Smart cards (ID cards with a microprocessor and data).

36 Hardening Clients and Servers
Limiting permissions on servers (Ch. 10): only permit access to some directories, and limit permissions (what the user can do) there.
Like controlling access to a building: a visitor is not allowed to go anywhere and remove items.

37 Secure Communication System
Figure: a client PC and a server.
1. Initial negotiation of security parameters.
2. Mutual authentication.
3. Key exchange or key agreement.
4. Subsequent communication with message-by-message confidentiality, authentication, and message integrity.

38-40 Symmetric Key Encryption for Confidentiality
Figure: Party A and Party B share the same symmetric key; an interceptor on the network sees only ciphertext.
1. Party A applies the encryption method and the symmetric key to the plaintext "Hello", producing ciphertext.
2. The ciphertext crosses the network; the interceptor cannot read it without the key.
3. Party B applies the decryption method and the same symmetric key to the ciphertext, recovering the plaintext "Hello".

41-42 Public Key Encryption for Confidentiality
Party A to Party B: Party A encrypts with Party B's public key; Party B decrypts with Party B's private key.
Party B to Party A: Party B encrypts with Party A's public key; Party A decrypts with Party A's private key.
In each direction the sender encrypts with the receiver's public key, and only the receiver's private key can decrypt.

43-46 MS-CHAP Challenge-Response Authentication Protocol
Note: both the applicant (client) and the verifier (server) know the client's password; the password itself is never sent over the network.
1. The verifier creates a challenge message.
2. The verifier sends the challenge message to the applicant.
3. The applicant creates the response message: it adds the password to the challenge message and hashes the resulting bit string. The hash is the response message.
4. The applicant sends the response message.
5. The verifier adds the password to the challenge message it sent and hashes the combination. This is the expected response message.
6. If the transmitted response equals the expected response, the applicant knows the password and is authenticated.
This is the simplified form on the slides. Real MS-CHAP does not hash password and challenge together; it encrypts the challenge with keys derived from a hash of the password, and version 1 of MS-CHAP has well-known weaknesses. In either form the verifier must store the password, or a hash of it that is equivalent to the password for this protocol, so an attacker who steals the verifier's password file can impersonate every client.
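The six steps above as both sides of the exchange, added here in Go (not code from the slides, and not MS-CHAP itself: it implements the simplified hash-of-challenge-and-password scheme the slides describe). SHA-256 is assumed because the slides name no hash function; the user name and password are constructed sample data. Two details matter in practice and are shown: the verifier draws a fresh random challenge for every sign-on and discards it after one check, so a response captured by an interceptor cannot be replayed, and the comparison in step 6 is done in constant time.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Response is step 3 on the slides: append the password to the challenge and hash
// the result. SHA-256 is an assumption; the slides name no hash function.
func Response(challenge []byte, password string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Verifier is the server side. It must hold each client's password (or something
// equivalent to it) to recompute the expected response, which is the scheme's main
// weakness: whoever steals this table can impersonate every client.
type Verifier struct {
	passwords map[string]string // user -> password (constructed sample data in main)
	pending   map[string][]byte // user -> outstanding challenge, consumed on first check
}

func NewVerifier(passwords map[string]string) *Verifier {
	return &Verifier{passwords: passwords, pending: map[string][]byte{}}
}

// Challenge is steps 1-2: create a fresh random challenge for this sign-on attempt.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[user] = c
	return c, nil
}

// Check is steps 5-6: recompute the expected response from the challenge the verifier
// sent and compare in constant time. The challenge is deleted whether or not the check
// succeeds, so a captured response cannot be replayed against a later challenge.
func (v *Verifier) Check(user string, transmitted []byte) bool {
	c, ok := v.pending[user]
	if !ok {
		return false
	}
	delete(v.pending, user)
	pw, ok := v.passwords[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(Response(c, pw), transmitted) == 1
}

func main() {
	v := NewVerifier(map[string]string{"lee": "Pa$sw0rd9"})
	c, _ := v.Challenge("lee")
	resp := Response(c, "Pa$sw0rd9") // the applicant computes this from the password it knows
	fmt.Println("challenge:", hex.EncodeToString(c))
	fmt.Println("response: ", hex.EncodeToString(resp))
	fmt.Println("genuine sign-on accepted:", v.Check("lee", resp))
	v.Challenge("lee") // a later sign-on gets a new challenge
	fmt.Println("replayed response accepted:", v.Check("lee", resp))
}
```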

47 Digital Signature
Figure: the sender adds a digital signature (DS) to each plaintext message before sending it to the receiver. This provides message-by-message authentication.

48 Digital Signature: Sender
To create the digital signature:
1. Hash the plaintext to create a brief message digest (MD). The message digest is NOT the digital signature.
2. Sign (encrypt) the message digest with the sender's private key to create the digital signature.

49 Digital Signature
Transmission: the sender sends the plaintext plus the digital signature, encrypted with the symmetric session key; the receiver decrypts them with the same session key.

50 Digital Signature: Receiver
1. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.
2. Decrypt the digital signature with the true party's public key. This also should give the message digest.
3. If the two are equal, the message is authenticated: the sender holds the true party's private key. Because any change to the plaintext in transit changes its digest, the same check also provides message integrity.

51 Public Key Deception
The impostor tells the verifier: "I am the True Person. Here is TP's public key." (The impostor actually sends the impostor's own public key.) This is the critical deception: the verifier must authenticate the True Person, and now believes it has TP's public key.
The impostor then says: "Here is authentication based on TP's private key." (It is really based on the impostor's private key.) The verifier believes the True Person is authenticated, because the check was made with the impostor's public key.
The verifier replies: "True Person, here is a message encrypted with your public key." The message is encrypted with the impostor's public key, so the impostor can decrypt it.
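The sender's and receiver's steps from the digital signature slides, and the public key deception, as one added example in Go (not code from the slides). Ed25519 from the Go standard library is an assumption, since the slides name no algorithm; its signing operation is not literally encryption, as the slides' RSA-style wording suggests, but the property demonstrated is the same: only the holder of the private key can produce a signature that the matching public key accepts. Hashing the message with SHA-256 before signing mirrors the two steps on the slides (Ed25519 would accept the plaintext directly). The message text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates a fresh key pair; it panics only if the system random source fails.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the sender's two steps: hash the plaintext to a message digest, then sign
// the digest with the sender's private key.
func Sign(priv ed25519.PrivateKey, plaintext []byte) []byte {
	md := sha256.Sum256(plaintext)
	return ed25519.Sign(priv, md[:])
}

// Verify is the receiver's check: rehash the received plaintext and test the signature
// against the public key the receiver believes belongs to the sender.
func Verify(pub ed25519.PublicKey, plaintext, sig []byte) bool {
	md := sha256.Sum256(plaintext)
	return ed25519.Verify(pub, md[:], sig)
}

// Deception reproduces the public key deception slide. The verifier accepts whatever
// public key it is handed as the True Person's; the impostor hands over its own key
// and signs with its own private key, so the verifier's check passes. The check proves
// only that the signer holds the private key matching the key the verifier was given,
// which is why the key itself must be vouched for (by a digital certificate) first.
func Deception(msg []byte) (checkPassed bool) {
	claimedTPKey, impostorPriv := NewKeyPair() // "here is TP's public key"
	return Verify(claimedTPKey, msg, Sign(impostorPriv, msg))
}

func main() {
	tpPub, tpPriv := NewKeyPair()
	msg := []byte("Pay Lee 100") // constructed sample message
	sig := Sign(tpPriv, msg)
	fmt.Println("genuine message verifies:   ", Verify(tpPub, msg, sig))
	fmt.Println("altered message verifies:   ", Verify(tpPub, []byte("Pay Lee 900"), sig))
	fmt.Println("impostor passes naive check:", Deception(msg))
}
```

The first two lines of output are the signature doing its job (authentication and integrity); the third is the deception succeeding, and it is the reason the next slides introduce digital certificates.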

52 Digital Certificates
Digital certificates are electronic documents, issued by a certificate authority, that give the true party's name and public key.
Applicants claiming to be the true party have their authentication methods tested with this public key. If they are not the true party, they cannot use the true party's private key and so will not be authenticated.

53-55 Public Key Infrastructure (PKI)
Figure: a certificate authority (CA) PKI server, an applicant (Lee), and two verifiers (Brown and Cheng).
1-2. The CA creates and distributes to each party (1) a private key and (2) a digital certificate.
3. A request goes to the CA for Brown's certificate.
4. The CA returns the certificate for Brown.
5. Lee, the applicant, sends the certificate for Lee to the verifier Cheng.
6. Cheng checks the certificate revocation list (CRL) at the CA for Lee's digital certificate.
7. The CA replies: revoked or OK.

56 Security at Multiple Layers
Layer: Example
Application: application-specific security (for instance, passwords for a database program); application (proxy) firewalls.
Transport: SSL (TLS); packet filter firewalls.
Internet: IPsec; packet filter firewalls.
Data Link: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP).
Physical: physical locks on computers, notebook encryption.

57 Security at Multiple Layers
Having security at multiple layers provides protection if one layer's security fails.
Having security at multiple layers also slows processing on the device.
So provide protection in at least two layers, but not in all layers.

58 Creating Appropriate Security
Understanding needs: security must be proportional to risks, and organizations face different risks.
Policies and enforcement: policies bring consistency.
Training in the importance of security and in protection techniques, including social engineering prevention training.

59 Creating Appropriate Security
Policies and enforcement (continued):
Security audits: attack your own system proactively. You must really be able to trust your testers.
Incident handling: restoring the system; prosecution; planning and practicing.
Privacy: the need to protect employee and customer privacy.