Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 5950/6030 Network Security Class 29 (M, 11/7/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CS 5950/6030 Network Security Class 29 (M, 11/7/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing."— Presentation transcript:

1 CS 5950/6030 Network Security Class 29 (M, 11/7/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing. Third Edition by Pfleeger and Pfleeger. Using some slides (as indicated) courtesy of: Prof. Aaron Striegel — at U. of Notre Dame Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke — at U. Washington Prof. Jussipekka Leiwo — at Vrije Universiteit (Free U.), Amsterdam, The Netherlands Slides not created by the above authors are © by Leszek T. Lilien, 2005 Requests to use original slides for non-profit purposes will be gladly granted upon a written request.

2 2 7. Security in Networks... 7.2. Threats in Networks a)Introduction b)Network vulnerabilities c)Who attacks networks? d)Threat precursors e)Threats in transit: eavesdropping and wiretapping f)Protocol flaws g)Types of attacks 1) Impersonation 2) Spoofing 3) Message confidentiality threats 4) Message integrity threats 5) Web site defacement 6) Denial of service 7) Distributed denial of service 8) Threats to active or mobile code—PART 1 Class 28 © by Leszek T. Lilien, 2005

3 3 g-6. Denial of service (attack ov avail.) (1)  Service can be denied: A) due to (nonmalicious) failures  Examples:  Line cut accidentally (e.g., by a construction crew)  Noise on a line  Node/device failure (s/w or h/w failure)  Device saturation (due to nonmalicious excessive workload/ or traffic)  Some of the above service denials are short-lived and/or go away automatically (e.g., noise, some device saturations) B) due to denial-of-service (DoS) attacks = attacks on availab.  DoS attacks include: 1)Physical DoS attacks 2)Electronic DoS attacks © by Leszek T. Lilien, 2005

4 4 Denial of service (2) 1)Physical DoS attacks – examples:  Line cut deliberately  Noise injected on a line  Bringing down a node/device via h/w manipulation 2)Electronic DoS attacks – examples: (2a) Crashing nodes/devices via s/w manipulation  Many examples discussed earlier (2b) Saturating devices (due to malicious injection of excessive workload/ or traffic) Includes: (i) Connection flooding (ii)Syn flood (2c) Redirecting traffic Includes: (i) Packet-dropping attacks (incl. black hole attacks) (ii)DNS attacks © by Leszek T. Lilien, 2005

5 5 g-7. Distributed denial of service (attack on availability)  DDoS = distributed denial of service  Attack scenario: 1) Stage 1:  Attacker plants Trojans on many target machines  Target machines controlled by Trojans become zombies 2) Stage 2:  Attacker chooses victim V, orders zombies to attack V  Each zombie launches a separate DoS attack  Different zombies can use different DoS attacks  E.g., some use syn floods, other smurf attacks  This probes different weak points  All attacks together constitute a DDoS  V becomes overwhelmed and unavailable => DDoS succeeds [Fig. courtesy of B. Endicott-Popovsky] © by Leszek T. Lilien, 2005

6 6 g-8. Threats to active or mobile code (1)  Active code / mobile code = code pushed by server S to a client C for execution on C  Why S doesn’t execute all code itself? For efficiency.  Example: web site with animation  Implementation 1 — S executing animation  Each new animation frame must be sent from S to C for display on C => uses network bandwidth  Implementation 2 — S sends animation code for execution to C  C executes animation  Each new animation frame is available for dispaly locally on C  Implementation 2 is better: saves S’s processor time and network bandwidth © by Leszek T. Lilien, 2005

7 7 Threats to active or mobile code (2)  Isn’t active/mobile code a threat to client’s host? It definitely is a threat (to C-I-A)!  Kinds of active code: 1) Cookies 2) Scripts 3) Active code 4) Automatic execution by type 1) Cookies = data object sent from server S to client C that can cause unexpected data transfers from C to S Note: Cookie is data file not really active code! Cookies typically encoded using S’s key (C can’t read them) © by Leszek T. Lilien, 2005

8 8 Class 28 ended here © by Leszek T. Lilien, 2005

9 9 7. Security in Networks... 7.2. Threats in Networks a)Introduction b) Network vulnerabilities c) Who attacks networks? d) Threat precursors e) Threats in transit: eavesdropping and wiretapping f) Protocol flaws g) Types of attacks 1) Impersonation 2) Spoofing 3) Message confidentiality threats4) Message integrity threats 5) Web site attacks 6) Denial of service 7) Distributed denial of service 8) Threats to active or mobile code—PART 1 8) Threats to active or mobile code—PART 2 9) Scripted and complex attacks h)Summary of network vulnerabilities 7.3. Networks Security Controls a)Introduction b)Security threat analysis c)Impact of network architecture/design and implementation on security—PART 1 Class 28 Class 29 © by Leszek T. Lilien, 2005

10 10 Threats to active or mobile code (6) 2) Script – resides on server S; when executed on S upon command of client C, allows C to invoke services on S  Legitimate interaction of browser (run on C) w/ script (run by script interpreter on S)  On C:  Browser organizes user input into script params  Browser sends string with script name + script params to S (e.g., http://eStore.com/custID=97&part=5A&qy=2&...)  On S:  Named script is executed by script interpreter using provided params, invoking services called by script  Attacker can intercept interaction of browser w/ script  Attacker studies interaction to learn about it  Once browser & script behavior is understood, attacker can handcraft string sent fr. browser to script interpreter  Falsifies script names/parameters  Cf. incomplete mediation example with false price © by Leszek T. Lilien, 2005

11 11 Threats to active or mobile code (7)  Why is it easy to manipulate browser-script interaction?  Programmers often lack security knowledge  Don’t double-check script params  Some scripts allow including arbitrary files  Some scripts allow execution of arbitrary commands  They often assume that no users are malicious  Time pressure/management pressure  Scripting language CGI (Common Gateway Interface)  Enables a client web browser to request data from a program executed on the Web server [Wikipedia]  Not really a language – rather standard for passing data between C and S’s script interpreter  Example CGI string: http://www.tst.com/cgi-bin/query?%0a/bin/cat%20/etc/passwd  %nn represents ASCII special characters  E.g., %0A = line feed (new line), %20 = space (why need %20 denting space?) © by Leszek T. Lilien, 2005

12 12 Threats to active or mobile code (8)  HTTP w/o and with CGI [cf. http://www.comp.leeds.ac.uk/Perl/Cgi/what.html]  HTTP without CGI:  When Web browser looks up URL, browser contacts HTTP server with this URL  HTTP server looks at filename named in URL and sends that file back  Browser displays file in appropriate format  HTTP with CGI:  When file in certain directory is named in URL (sent by browser), file is not sent back but executed as CGI script (a pgm)  Whatever that CGI script outputs is sent back for browser to display.  CGI scripts are programs which can generate and send back anything: sound, pictures, HTML documents, and so on © by Leszek T. Lilien, 2005

13 13 Threats to active or mobile code (9)  Examples: escape-character attacks  Attack 1: CGI string instructs script interpreter to send copy of password file to client C: http://www.tst.com/cgi-bin/query?%0a/bin/cat%20/etc/passwd  Attack 2: CGI string includes substring that instructs script interpreter to remove all files from current dir:...  Other scripting solution: Microsoft’s active server pages (ASP)  Conclusions: Server shoud never trust anything received from a client!  Bec. the received string can be fabricated by attacker rather than being generated by legitimate pgm (e.g., browser) © by Leszek T. Lilien, 2005

14 14 Threats to active or mobile code (10) 3) Active code (Recall: code pushed by S to C for execution on C) As demand on server S’s computing power grows, S uses client C’s computing power  S downloads code to C (for execution on C), C executes it Two main kinds of active code: (a) Java code (Sun Microsystems) (b) ActiveX controls (Microsoft) (a)Java code  Designed to be truly machine-independent  Java pgm: machine-independent Java bytecode  Java bytecode executed on Java Virtual Machine (JVM)  JVM can be implemented for different platform and different components  E.g., JVM for Netscape browser © by Leszek T. Lilien, 2005

15 15 Threats to active or mobile code (11)  Java security  JVM includes built-in security manager  Java is strongly typed  Enforces type checking  Java pgms run in a sandbox  Sandbox = restricted resource domain from which pgm can’t escape  Java 1.2 had some vulnerabilities  Some of it security flaws were not design flaws  Result of security-usability tradeoff  Response to Java 1.1 — very solid but too restrictive for programmers  E.g., could not store permanently on disk, limited to procedures put into sandbox by security manager’s policy  Security flaws in JVM implementations  JVM in Netscape browser: no type checking for some data types  JVM in MS Internet Explorer: similar flaws © by Leszek T. Lilien, 2005

16 16 Threats to active or mobile code (12) Current: Java 5.0 (September 29, 2004) (internally known as Java 1.5) Hostile applet = downloadable Java code that can harm client’s system Can harm because: Not screened for security when dowloaded Typically runs with privileges of invoking user Preventing harm by Java applets: Control applets’ access to sensitive system resources Protect memory: prevent forged pointers and buffer overflows Clear memory before its reuse by new objects, must perform barbage collection Control interaplet communication & applets’ effects on environment © by Leszek T. Lilien, 2005

17 17 Threats to active or mobile code (13) (b) ActiveX controls  Allows to download object of arbitrary type from S to C  Risks of downloading ActiveX controls: After object of type T is downloaded:  If handler (or viewer) for type T is available, it is invoked to present object  E.g., after file.doc downloaded, MS Word is invoked to open file.doc  BIG security risk!  If no handler for type T exists on C, C asks S for handler for T then uses it to present object  E.g., attacker defines type.bomb After file.bomb is downloaded by C, C asks S for handler for type.bomb!  HUGE security risk! © by Leszek T. Lilien, 2005

18 18 Threats to active or mobile code (14)  Preventing (some) risks of downloading: Prevent arbitrary downloads  Authentication scheme to verify code origin  Downloaded code is digitally signed  Signature verified before execution  Problems with this scheme:  It does not verify correctness of code  Existing vulnerabilities allow ActiveX code to bypass authentication © by Leszek T. Lilien, 2005

19 19 Threats to active or mobile code (15) 4) Automatic execution by type = automatic invocation of file processing program implied by file type Two kinds of auto exec by type: (a) File type implied by file extension  e.g., MS Word automatically invoked for file.doc (happens also in other cases, e.g., for ActiveX controls) (b) File type implied by embedded type  File type is specified within the file  Example:  File named „class28” without extension has embedded info that its type is „pdf”  Double-clicking on class28 invokes Adobe Acrobat Reader Both kinds of auto exec by type are BIG security risks! © by Leszek T. Lilien, 2005

20 20 Threats to active or mobile code (16) Security risks for auto exec based on file type  Text files (without macros!)  Files with active content  Incl. text files with macros  Executable files Avoid automatic opening of files by built-in handlers  Whether it has extension or not  Whether implied by file extension or by embedded type Security Risk © by Leszek T. Lilien, 2005

21 21 g-9. Scripted and complex attacks 1) Scripted attacks = attacks using attack scripts  Attack scripts created by knowledgeable crackers BUT  Can be run even by ignorant script kiddies  Just download and run script code  Script selects victims, launches attack  Scripted attacks can cause serious damage  Even when run by script kiddies 2) Complex attacks = multi-component attacks using miscellanous forms of attacks as its building blocks  Bldng block example: wiretap for reconaissance, ActiveX attack to install Trojan, Trojan spies on sensitive data  Complex attacks can expand target set & increase damage [Fig. courtesy of B. Endicott-Popovsky] © by Leszek T. Lilien, 2005

22 22 h. Summary of network vulnerabilities  See Table 7-4, p. 426 – A classification of network vulnerabilities (not quite „clean” — overlapping classes) © by Leszek T. Lilien, 2005

23 23 7.3. Networks Security Controls  Outline a)Introduction b)Security threat analysis c)Impact of network architecture/design and implementation on security d)Encryption e)Content integrity f)Strong authentication g)Access controls h)Alarms and alerts i)Honeypots j)Traffic flow security k)Controls review © by Leszek T. Lilien, 2005

24 24 a.Introduction  We have seen many security controls:  In Section on Program Security (incl. s/w engineering issues)  In Section on OS Security  Many of these strategies are useful for network security © by Leszek T. Lilien, 2005

25 25 b. Security threat analysis (1)  Threat analysis steps : 1) Analyze system components and their interactions 2) Analyze possible damage to C-I-A 3) Hypothesize possible kinds of attacks  Network elements to be considered:  Local elements  Nodes / comm links / data storage / processes / devices / LANs  Non-local elements  Gateways / comm links / control resources / routers / network resources (e.g., databases) © by Leszek T. Lilien, 2005

26 26 Security threat analysis (2)  Network threats:  Accessing pgms or data at remote host  Modifying pgms or data at remote host  Running a pgm at a remote host  Interception of data in transit  Modifying data in transit  Insertion of data into communication traffic  Incl. replaying previous communication  Blocking selected/all traffic  Impersonation of entities  Attack enablers:  Size / anonymity / ignorance / misunderstanding  Complexity / motivation / programming skills © by Leszek T. Lilien, 2005

27 27 c. Impact of network architecture/ design & implement. on security (1)  Security principles for good analysis, design, implementation, and maintenance (as discussed in sections on Pgm Security and OS Security) apply to networks  Architecture can improve security by: 1) Segmentation 2) Redundancy 3) Single points of failure 4) Other means © by Leszek T. Lilien, 2005

28 28 Impact of network architecture/ design & implement. on security (2) 1)Segmentation  Architecture should use segmentation to limit scope of damage caused by network penetration by:  Reducing number of threats  Limiting amount of damage caused by single exploit  Enforces least privilege and encapsulation  Example 1: component segmentation  Placing different components of e-commerce system on different hosts  Esp. put on separate host most vulnerable system components  E.g., separate host for web server (w/ public access)  Exploit of one host does not disable entire system © by Leszek T. Lilien, 2005

29 29 Impact of network architecture/ design & implement. on security (3)  Example 2: access separation  Separating from each other:  Production system  Testing system  Development system  E.g., no developer has access to production system and no customer has access to development system © by Leszek T. Lilien, 2005

30 30 Impact of network architecture/ design & implement. on security (4) 2) Redundancy  Architecture should use redundancy to prevent losing availability due to exploit/failure of a single network entity  Example: having a redundant web server (WS) in a company  Types of redundancy include:  Cold spare – e.g., when WS fails, replace it manually with spare WS  Warm spare – e.g., failover mode = redundant WSs periodically check each other  Hot spare – e.g., 3 WSs configured to perform majority voting © by Leszek T. Lilien, 2005

31 31 End of Class 29 © by Leszek T. Lilien, 2005

Download ppt "CS 5950/6030 Network Security Class 29 (M, 11/7/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.

INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.
CS 5950/6030 Network Security Class 30 (W, 11/9/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.

CS 5950/6030 Network Security Class 30 (W, 11/9/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.
Introduction to Web Database Processing

Introduction to Web Database Processing
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
Active X Microsoft’s Answer to Dynamic Content Reference: Using Active X by Brian Farrar QUE

Active X Microsoft’s Answer to Dynamic Content Reference: Using Active X by Brian Farrar QUE
CS 5950/6030 Network Security Class 28 (F, 11/4/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.

CS 5950/6030 Network Security Class 28 (F, 11/4/05) Leszek Lilien Department of Computer Science Western Michigan University Based on Security in Computing.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Mgt 240 Lecture Website Construction: Software and Language Alternatives March 29, 2005.

Mgt 240 Lecture Website Construction: Software and Language Alternatives March 29, 2005.

Similar presentations

Ads by Google