Athipathy Network Security
April 2020
Network Security
• Relies on host and application security
• Networks allow computers to communicate
• Vulnerabilities are exposed to the world
• Network accessible vs. inaccessible programs
• Eavesdropping and network vulnerabilities

Basic Terminology
• Boundary
  – Extent of the network
  – What is inside vs. outside
• Ownership
  – Who owns the network segment
  – Who owns hosts on the network segment
  – Connection does not imply ownership
• Control
  – Who controls software on network/hosts
  – Can the administrator require patches?

Addresses
• Hostname
• IP Address
• MAC Address
  – Media Access Control address
  – Hardware address of the NIC
  – Only visible within the local segment
  – Used to identify endpoints within a segment

Vulnerability Causes
• Anonymity
  – Electronic shield
  – Indirect attacks
• Many points of attack
  – Attack can come from many systems
  – Direction of attack can change frequently
• Sharing
  – Many people accessing
  – Open and available system

Ports
• Sub-address specifying where communication should occur
• Known ports for well-known applications
  – Port 80: HTTP
  – Port 23: Telnet
  – Port 25: SMTP
  – Port 161: SNMP

Vulnerability Causes (continued)
• System complexity
  – What is the system really doing?
  – Many extra CPU cycles
  – IRC server
• Unknown perimeter
  – What systems belong to the network?
• Unknown path
  – Attackers can follow many network paths


Vulnerability Causes (continued)
• Distributed authentication
  – Windows 2000
  – Equal and shared responsibility

Attacker Motives
• Challenge/Power
  – Intellectual merit of the pursuit
  – Can they beat the system?
• Fame
  – Calling cards and pseudonyms
• Money and espionage
  – Purchased services
  – Value of intellectual property

Attacker Motives (continued)
• Ideology
  – Hacktivism: web page modifications
  – Cyberterrorism: attempts to cause real harm and damage

Attack Preparation
• Gather information
• Port scan
  – nmap
  – Legality (scan only hosts you are authorized to test)
  – Reports which ports are active
  – Identifies vulnerabilities
  – Identifies externally visible configuration
• Social engineering
  – Identify internal, less visible configuration
  – IP addresses and routes

Attack Preparation (continued)
• Reconnaissance
  – Dumpster diving
  – Eavesdropping
  – Data collection
• OS and application fingerprinting
  – Analysis of stimulus response
  – Identify applications and versions
  – Identification of known vulnerabilities
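The port scan and stimulus/response fingerprinting steps above, as an added example that is not part of the original slides: a minimal TCP connect scanner that grabs each open port's banner and matches it against a couple of signatures, the way nmap's service detection does at much greater scale. The target is a constructed loopback listener (`fake_service`) so the example runs offline; the banner strings, the signature rules and the `KNOWN_PORTS` table are assumptions for the demo.

```python
# Added example (not from the slides): TCP connect scan + banner grab on a
# constructed loopback target. Only scan hosts you are authorized to test.
import socket
import threading

# Well-known assignments from the slides; a lookup aid, not a fingerprint,
# because nothing stops an operator from running telnet on port 80.
KNOWN_PORTS = {23: "telnet", 25: "smtp", 80: "http", 161: "snmp"}


def probe(host, port, timeout=1.0):
    """Stimulus: connect. Response: None if refused/filtered, otherwise the
    bytes the service volunteered (b'' if it stayed silent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:  # ECONNREFUSED (closed), timeout (filtered), unreachable
        return None


def fingerprint(banner):
    """Rough service identification from the greeting; real scanners keep
    thousands of such match rules and send protocol-specific probes."""
    if banner is None:
        return "closed"
    if banner.startswith(b"SSH-"):
        return "ssh " + banner.split(b"-", 2)[-1].strip().decode(errors="replace")
    if banner.startswith(b"220 "):
        return "smtp/ftp (" + banner[4:].strip().decode(errors="replace") + ")"
    if banner == b"":
        return "open, no banner (needs a protocol-specific probe)"
    return "open, unknown banner"


def scan(host, ports, timeout=1.0):
    """Return {port: fingerprint} for the requested ports."""
    return {p: fingerprint(probe(host, p, timeout)) for p in ports}


def fake_service(banner):
    """Constructed target: a loopback listener that greets every client with
    `banner`. Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """A loopback port nothing listens on: bind, read the number, release."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    ssh = fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")
    smtp = fake_service(b"220 mail.example.test ESMTP\r\n")
    for port, what in scan("127.0.0.1", [ssh, smtp, closed_port()]).items():
        print(f"{port:5d}  {what}")
```

The defensive reading of the same code: every byte a service volunteers before authentication (version strings in particular) is information the scanner keeps, which is the "give out as little information as possible" point on the next slide.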

Reconnaissance
• Give out as little information as possible
  – Hide any information an attacker can use to identify vulnerabilities
  – Best defense
• Collect a bit of information at a time
  – Avoid clustering large numbers of suspicious events
  – Best offense
• Bulletin boards and chat
• Availability of documentation


Electronic Eavesdropping
• Wiretapping
  – More hostile/active term
• Packet sniffer
  – Collect data on network segment
  – Switched versus unswitched networks (a switch delivers frames only to the destination port, so a sniffer sees other hosts' traffic only if the switch port is mirrored or the switch is tricked, e.g. by ARP poisoning)
  – snort/tcpdump

Electronic Eavesdropping (continued)
• Other physical wire taps
  – Changes of impedance can detect them
• Wireless broadcast
  – Yelling the information to everyone
  – What is 1000 feet away?
• Inductance
  – Read radiated signals off of wires

Impersonation
• Mechanisms for circumventing authentication
• Guessing identity and authentication details
• Eavesdropping or wiretapping
• Avoidance
• Lack of authentication

Impersonation (continued)
• Use of well-known authentication
  – Well-known passwords
  – Shared passwords
• Trusted authentication
  – rlogin, .rhosts, etc.
• System reconnaissance
  – Guest or anonymous accounts

Spoofing
• Pretending to be someone you are not
• Masquerading
  – Typical IP address spoofing
  – Steal an IP address
  – Used to hide true location
  – Mistyped URLs: common mistakes are bought up quickly (nasa.com vs. nasa.gov)

Spoofing (continued)
• Session hijacking
  – Intercepting communication stream
  – Completing communication stream as if you were the original participant
  – Connections not correctly terminated: old modem pools, software timeout configuration, buffering

Spoofing (continued)
• Man-in-the-middle attacks
  – Pass information back and forth between two hosts
  – Act as middle man
  – Capture and share everything
  – Used to break encrypted traffic

Attacks on Confidentiality
• Misdelivery
  – Mistyping or confusing names
  – Incorrect routing or aliases
  – Changing aliases
• Exposure
  – Reading of message in storage or during transmission
• Traffic flow analysis
  – Identification of message existence
  – Destination and source pairs

Attacks on Message Integrity
• Falsification of messages
  – Too much trust in email and other electronic communication
  – Changes to part of message
  – Sending fake message
  – Replay of messages
  – Redirect a message
• Noise
  – Unintentional interference
  – Damages contents of message

Web Site Defacement
• Methods for gaining access to selected components of a web site
  – Allows modification of files
• Buffer overflows
  – Stack smashing
• Dot-dot and address problems
  – ../.. (path traversal: a file name built from the request climbs out of the document root)
• Application code errors
  – Passing return values in URL
• Server side includes
  – Execute commands unexpectedly
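The dot-dot problem above, as an added example that is not part of the original slides: a tiny file-serving routine written the vulnerable way beside the hardened version. The document tree (`www/index.html` inside the root, `secret.txt` one level above it) is constructed in a temporary directory so the example runs offline; the file names and contents are assumptions.

```python
# Added example (not from the slides): path traversal, vulnerable vs hardened.
import os
import tempfile


def serve_file_vulnerable(docroot, requested):
    """Builds the path by joining strings. '../secret.txt' climbs out of the
    root, and os.path.join even discards the root for an absolute request."""
    path = os.path.join(docroot, requested)
    with open(path, "rb") as f:
        return f.read()


def serve_file_hardened(docroot, requested):
    """Canonicalise first (symlinks and '..' resolved), then refuse anything
    whose real path is not underneath the real document root."""
    root = os.path.realpath(docroot)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"request {requested!r} escapes the document root")
    with open(path, "rb") as f:
        return f.read()


def build_demo_tree():
    """Constructed layout:  <tmp>/www/index.html  (public)
                            <tmp>/secret.txt      (outside the web root)"""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>public page</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return docroot


if __name__ == "__main__":
    docroot = build_demo_tree()
    print(serve_file_vulnerable(docroot, "../secret.txt"))   # leaks the secret
    try:
        serve_file_hardened(docroot, "../secret.txt")
    except PermissionError as e:
        print("blocked:", e)
    print(serve_file_hardened(docroot, "index.html"))
```

The check must run on the decoded name: a web server that compares before URL-decoding can be bypassed with `%2e%2e/` (or a double-encoded `%252e%252e/`), which is why the hardened version canonicalises the final path rather than searching the request string for "..".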

Denial of Service
• Transmission failure
• Connection flooding
  – Echo-chargen
  – Ping of death
  – Smurf
• SYN flood
  – Attacker sends SYNs but never completes the handshake with ACKs, filling the half-open connection table

Denial of Service (continued)
• Traffic redirection
  – Redirect or delay traffic
  – Poor routes
  – Fill tables
• DNS attack
  – Redirect traffic, DoS
• Distributed denial of service
  – Code Red

Threats to Mobile Code
• Cookies
  – Fill up disk space
  – Cookies usually trusted
• Scripts
  – Common Gateway Interface (CGI)
  – Escape character interpretation
  – Execute commands
  – http://www.test.com/cgi-bin/query?%0a/bin/cat%20/etc/passwd
    (%0a decodes to a newline; a CGI script that passes the query to a shell runs "cat /etc/passwd" as a second command)

Complex Attacks
• Script kiddies
  – Use scripts put together by real hackers
  – Increase the number of attacks enormously
  – Help hide the skilled, novel attackers in the noise
• Building blocks
  – Put multiple things together for more complex attacks
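The CGI escape-character problem from the `query?%0a/bin/cat%20/etc/passwd` URL above, as an added example that is not part of the original slides: a search-style CGI handler that hands the decoded query to `/bin/sh`, beside a hardened version. The injected second command is a harmless `echo` rather than `cat /etc/passwd`; the query strings are constructed and the handler requires a POSIX shell and an `echo` binary.

```python
# Added example (not from the slides): CGI command injection via %0a,
# vulnerable handler vs argv-list + whitelist handler.
import re
import subprocess
from urllib.parse import unquote


def cgi_query_vulnerable(raw_query):
    """Decodes the query and splices it into a command string for /bin/sh.
    %0a becomes a newline, which the shell treats like ';', so a second
    command runs with the web server's privileges."""
    term = unquote(raw_query)
    return subprocess.run("echo searching for " + term, shell=True,
                          capture_output=True, text=True).stdout


def cgi_query_argv_only(raw_query):
    """Argv list, no shell: the newline is just part of one argument and
    cannot start a second command (but it still reaches the program)."""
    term = unquote(raw_query)
    return subprocess.run(["echo", "searching for", term],
                          capture_output=True, text=True).stdout


def cgi_query_hardened(raw_query):
    """Argv list plus a whitelist of what a search term may contain, so
    hostile input is rejected before any program sees it."""
    term = unquote(raw_query)
    if not re.fullmatch(r"[A-Za-z0-9 _.-]{1,64}", term):
        raise ValueError(f"rejected query {term!r}")
    return subprocess.run(["echo", "searching for", term],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    hostile = "network%0aecho%20INJECTED%20COMMAND%20RAN"   # constructed
    print(cgi_query_vulnerable(hostile), end="")             # second line proves injection
    print(cgi_query_argv_only(hostile), end="")              # newline is data, not a command
    try:
        cgi_query_hardened(hostile)
    except ValueError as e:
        print(e)
```

The whitelist is the stronger of the two controls: the argv version stops the shell from interpreting metacharacters, but if the downstream program (a mailer, a document converter) has its own escape syntax, only validation keeps hostile bytes out of it.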

Threats to Mobile Code (continued)
• Active code
  – JavaScript
  – ActiveX
  – Run on client
  – Do you trust them?
  – Supposed to provide security, but...?
• Auto exec by type
  – Fake extension
  – .doc file is really .exe
  – True type embedded in document

Wireless Security
• Concern principally focuses on the broadcast nature of wireless
• At the access point the connection becomes wired
• Access control is difficult
  – Anyone can connect
  – Range is far: 330 ft. indoors, 1000 ft. outdoors

Wireless Security (continued)
• Service Set Identifier (SSID)
  – Selects between access points
  – One level of access control
• Wired Equivalent Privacy (WEP)
  – 40 or 104 bit keys (marketed as 64 and 128 bit by counting the 24-bit IV)
  – 40 bit keys insecure
  – Weakness in current protocol
  – Initialization Vector (IV) is not refreshed in current hardware and is too short (24 bits)
  – Can be cracked readily

Wireless Usage
• Illegal connectivity
• Use of bandwidth
• Illegal activities
  – Launch pad for spam
  – Launch pad for intrusions
• All traces point to the victimized company's wireless network
  – Legal ramifications
  – Time and cost of investigation
• VERY difficult to identify the outside individual
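The WEP IV weakness above, as an added example that is not part of the original slides. WEP keys every frame with RC4(IV || key) and sends the 24-bit IV in the clear, so two frames under the same IV share a keystream: XORing their ciphertexts cancels it and leaves the XOR of the plaintexts, and one known plaintext decrypts the other frame outright. The RC4 routine is the standard algorithm (checked against the published "Key"/"Plaintext" test vector); the 40-bit key, the IV and the frame contents are constructed, and the frame format omits the ICV.

```python
# Added example (not from the slides): why a 24-bit, rarely refreshed IV
# breaks WEP. Stream-cipher keystream reuse on constructed frames.
import math


def rc4(key, data):
    """Standard RC4: key scheduling, then PRGA bytes XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP frame body (ICV omitted): 3-byte IV in the clear, then the payload
    under RC4 keyed with IV || shared key."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + rc4(iv + key, plaintext)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse(frame1, frame2):
    """Same IV on both frames => C1 xor C2 == P1 xor P2, no key needed.
    Returns None when the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[3:], frame2[3:])


def recover_with_known_plaintext(frame_known, known_plaintext, frame_target):
    """Knowing one frame's plaintext (a predictable header is enough) gives
    keystream = C xor P for that IV, which decrypts every other frame that
    reused it."""
    if frame_target[:3] != frame_known[:3]:
        return None
    keystream = xor(frame_known[3:], known_plaintext)
    return xor(frame_target[3:], keystream[: len(frame_target) - 3])


def iv_collision_probability(frames, iv_bits=24):
    """Birthday bound: probability that at least two of `frames` randomly
    chosen IVs collide in a space of 2**iv_bits."""
    n = 2 ** iv_bits
    p_no_collision = 1.0
    for i in range(frames):
        p_no_collision *= (n - i) / n
    return 1 - p_no_collision


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")     # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                  # a card that reused this IV
    p1 = b"GET /index.html HTTP/1.0"
    p2 = b"password=hunter2 secret!"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(keystream_reuse(f1, f2) == xor(p1, p2))            # True, without the key
    print(recover_with_known_plaintext(f1, p1, f2))          # b'password=hunter2 secret!'
    print(f"{iv_collision_probability(4823):.3f}")           # about 0.5
    print(math.ceil(math.sqrt(2 * 2 ** 24 * math.log(2))))   # frames for a 50% collision
```

Random IVs collide with 50% probability after roughly 4800 frames, i.e. seconds on a busy network; cards that reset the IV to zero at power-up and count upwards (common in early hardware) make collisions between sessions certain rather than probable.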

Wireless Security Trends
• War driving
  – Hackers search an area for access points
  – Requires a laptop and simple software
• War chalking
  – Identification of access point locations through chalk symbols
  – Characteristics of access point are represented

Wireless Security Trends (continued)
• Improved encryption in 802.11b
  – Hardware manufacturers are developing hardware with changing frame pointers
• Enhanced security in future 802.11 specifications

War Chalking Symbols
[Figure: three chalk symbols. Open node: SSID written above the symbol, bandwidth below. Closed node: SSID only. WEP node: SSID above, access contact and a "W" inside, bandwidth below.]

Wireless Access Point Placement
• Internally, centrally located access points
• Not 100% coverage
• Avoids leakage of signal

Wireless Access Point Placement (continued)
• Externally located
• Can provide 100% coverage
• Enormous leakage potential
• What sits 1000 ft. away from the building?
[Figure: access point placement relative to the building and the access road]

Other Wireless Security Measures
• Disable broadcast of SSID
  – Attacker must identify SSID
  – Can be used as a secondary password (a weak one: the SSID still travels in the clear in probe and association frames, so a sniffer recovers it)
• IP address filtering
  – Requires that an attacker know what IP addresses are valid
  – Essentially will only slow an attacker down
• MAC address filtering
  – Only known machines may connect
  – Also only slows an attacker down: MAC addresses are visible to a sniffer and can be changed in software
• Enable logging at the access point
  – Allows monitoring of connection activity

IPSec
• Internet Protocol Security
• Can be used with wireless and wired networks
• End-to-end encryption
• Stronger encryption and authentication than WEP
• More interoperable than LEAP
• Prevents roaming
• Time-consuming setup

Network Protections
• MAC addresses and IP addresses
  – Filtering based on IP addresses or MAC addresses
  – MAC addresses are somewhat harder to impersonate than IP addresses, but an attacker on the segment can forge either
• Firewalls
• Multi-level security
  – Trusted network interfaces
  – Segregated network
  – Dual network configuration

Extensible Authentication Protocol
• Extensible Authentication Protocol (EAP)
• Lightweight EAP (LEAP): Cisco
• Provides per-user, per-session keys (EAP-TLS)
  – Helps resolve the weakness of shared WEP keys
• Designed for port-based authentication (802.1X)
  – Prevents unapproved system connections
  – Port to port encryption
• Requires a username and password just to access the network

Encryption Strategies
• Link encryption
  – Encryption done at a low level of the protocol stack
  – Application doesn't know it occurs
  – Data exposed at intermediate routers
• End-to-end encryption
  – Occurs at the application layer
  – Better protection, as the lower layers never see the actual data
  – Data never exposed in transit
• Port authentication

Virtual Private Networks
• VPN
• Encrypted tunnel
  – Tunneling
• Uses link encryption
• Negotiated between remote host and firewall
• User's host becomes a part of the organization's network

Signed Code
• Limits viruses, trojans, other malicious code
• Uses PKI
  – Public key infrastructure
  – Signing certificates issued by a commercial certificate authority such as VeriSign
• Code is signed with keys verifying the author
• Not infallible
  – Certificates were inadvertently issued to a non-Microsoft party posing as a Microsoft employee (the 2001 VeriSign incident)

Strong Authentication
• One-time passwords
  – SecurID card
  – Used in conjunction with other authentication (a PIN) in case the card is lost
  – Limits the effect of wiretapping and spoofing: a captured password is useless after one use
• Challenge-response systems
  – More complex device
  – Enter the challenge ID passed by the system
  – Enter the response to the server

Digital Distributed Authentication
• Nonhuman entities
• PGP used to exchange symmetric keys
• How to distribute large numbers of public keys?
• How to do so securely?
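The one-time password and challenge-response mechanisms above, as an added example that is not part of the original slides: RFC 4226 HOTP (the counter-based OTP family that hardware tokens implement), RFC 6238 TOTP built on it, a server-side check whose counter only moves forward so a wiretapped code cannot be replayed, and a challenge-response round over the same secret. Standard library only; the secret is the RFC test key, the server window and the challenge format are assumptions.

```python
# Added example (not from the slides): HOTP/TOTP and challenge-response.
import hashlib
import hmac
import os
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class OtpServer:
    """Server-side HOTP verification with a look-ahead window (the token may
    have been pressed a few times without logging in). The counter only
    advances, so a code seen on the wire is dead after its first use."""

    def __init__(self, secret, window=5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1          # burns this code and any skipped ones
                return True
        return False


def challenge():
    """Server side: a fresh random challenge the user types into the device."""
    return os.urandom(4).hex()


def response(secret, challenge_hex):
    """Device side: keyed hash of the challenge. The secret never leaves the
    token, and a sniffed response is useless against the next challenge."""
    return hmac.new(secret, bytes.fromhex(challenge_hex), hashlib.sha256).hexdigest()[:8]


if __name__ == "__main__":
    K = b"12345678901234567890"                 # RFC 4226 / RFC 6238 test secret
    print([hotp(K, c) for c in range(3)])       # ['755224', '287082', '359152']
    server = OtpServer(K)
    code = hotp(K, 0)
    print(server.verify(code), server.verify(code))   # True False: replay rejected
    ch = challenge()
    print(ch, response(K, ch))
```

Two operational points the slides' bullets imply: the PIN that accompanies a SecurID code is what protects a lost token, since the OTP algorithm itself has no secret beyond the seed; and for TOTP the server's clock skew tolerance is a replay window, so a 30-second step with a one-step tolerance means a captured code works for up to 90 seconds unless the server also remembers codes it has accepted.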

Kerberos
• Authentication in distributed systems
• A trusted third party (the key distribution center) hands out symmetric session keys
• Ticket-based concept
  – Encrypted data structure
  – User, resource, permissions, duration, etc.

Kerberos (continued)
• Stores passwords on server
  – Server encrypts the session key using a key derived from the user's password
  – Workstation must decrypt with the user's entered password value
• Advantages
  – No passwords sent over the network
  – Cryptographic protection against spoofing
  – Limited period of validity
  – Timestamps to prevent replay attacks
  – Mutual authentication
• Provides one-time access to a resource

Kerberos (continued)
• Disadvantages
  – Requires continuous availability of the trusted ticket-granting server
  – Authenticity of servers requires a trusted relationship between the ticket-granting server and every server
  – Requires timely transactions
  – Subverted systems can replay passwords
  – Password guessing works
  – Does not scale well
  – Kerberos is a complete solution: every application must be changed to use it
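The Kerberos exchange described on the three slides above, as an added example that is not part of the original slides: both sides' messages for the AS exchange (ticket-granting ticket plus a session key sealed under the password-derived key), the TGS exchange (authenticator checked, service ticket issued) and the application server, with timestamps, lifetimes and a replay cache. It is a simplification, not the RFC 4120 wire format, and the cipher is a stdlib stand-in for Kerberos' AES encryption types; the realm, principals, lifetimes and keys are constructed.

```python
# Added example (not from the slides): simplified Kerberos AS/TGS/service flow.
import hashlib
import hmac
import json
import os


def string_to_key(password, realm="EXAMPLE.TEST"):
    """Long-term key derived from the password; the password never crosses the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)


def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))


def seal(key, obj):
    """Encrypt-then-MAC with a SHA-256 counter keystream: a stand-in for
    Kerberos' AES enctypes so this runs on the stdlib (not for production)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def make_authenticator(session_key_hex, user, now):
    """Client proves it holds the session key; timestamp + nonce make it single-use."""
    return seal(bytes.fromhex(session_key_hex),
                {"user": user, "time": now, "nonce": os.urandom(8).hex()})


def verify(service_key, ticket, authenticator, now, seen, skew=300):
    """What every Kerberized server (the TGS included) does on arrival."""
    body = unseal(service_key, ticket)                        # only this server's key opens it
    auth = unseal(bytes.fromhex(body["key"]), authenticator)  # session key travels inside the ticket
    if auth["user"] != body["user"]:
        raise ValueError("authenticator principal does not match ticket")
    if now > body["exp"]:
        raise ValueError("ticket expired")
    if abs(now - auth["time"]) > skew:
        raise ValueError("authenticator timestamp outside allowed clock skew")
    stamp = (auth["user"], auth["time"], auth["nonce"])
    if stamp in seen:
        raise ValueError("replayed authenticator")
    seen.add(stamp)
    return body


class KDC:
    """Authentication Server and Ticket-Granting Server in one process."""

    def __init__(self, users, services, lifetime=8 * 3600):
        self.user_keys = {u: string_to_key(p) for u, p in users.items()}
        self.service_keys = {s: os.urandom(32) for s in ["krbtgt", *services]}
        self.lifetime, self.seen = lifetime, set()

    def _issue(self, user, service, now):
        sk = os.urandom(32).hex()
        ticket = seal(self.service_keys[service],
                      {"user": user, "service": service, "key": sk, "exp": now + self.lifetime})
        return ticket, sk

    def as_exchange(self, user, now):
        """AS-REQ/AS-REP: TGT, plus its session key sealed under the user's password key."""
        tgt, sk = self._issue(user, "krbtgt", now)
        return tgt, seal(self.user_keys[user], {"key": sk, "service": "krbtgt"})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a ticket for `service`."""
        body = verify(self.service_keys["krbtgt"], tgt, authenticator, now, self.seen)
        ticket, sk = self._issue(body["user"], service, now)
        return ticket, seal(bytes.fromhex(body["key"]), {"key": sk, "service": service})


class Service:
    """An application server: trusts only its own key and its replay cache."""

    def __init__(self, key):
        self.key, self.seen = key, set()

    def accept(self, ticket, authenticator, now):
        return verify(self.key, ticket, authenticator, now, self.seen)["user"]


def client_login(kdc, user, password, service, now):
    """The workstation's side. A wrong password cannot open the AS reply, so the
    failure is local and no password ever travels."""
    tgt, sealed = kdc.as_exchange(user, now)
    tgt_key = unseal(string_to_key(password), sealed)["key"]
    ticket, sealed2 = kdc.tgs_exchange(tgt, make_authenticator(tgt_key, user, now), service, now)
    return ticket, unseal(bytes.fromhex(tgt_key), sealed2)["key"]
```

The example also makes two of the listed disadvantages concrete: the AS reply is a blob that any eavesdropper can try passwords against offline (the "password guessing works" bullet; real deployments add pre-authentication for this reason), and every server's replay cache depends on its clock being within skew of the client's (the "requires timely transactions" bullet).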

Segmentation
• No, not memory segmentation
• Segmentation of duties assigned to machines
• Segmentation of networks and subnetworks
• Only expose to the outside world what you must
  – Web server (e-commerce)
  – Have a separate internal web server
  – Database of orders separate and segregated
• One compromise should not open everything

Redundancy
• Multiple web servers
• Load balancing
• Redirection should one fail
• Mirrored but unused duplicates
• Multiple hosts/routers/network connections
• FedEx/UPS strike
• Avoid single points of failure

Access Control
• Lists of accepted/rejected hosts
• Smart routers
  – Fooled by IP address spoofing
• Software firewalls
  – portsentry
  – ipchains
  – Patch before making available
• TCP wrappers

hosts.deny (TCP wrappers; each line is "daemon_list : client_list", so "ALL: host" denies every wrapped service to that host)

    ALL: 193.194.87.230
    ALL: 64.24.195.92
    ALL: 61.83.24.126
    ALL: 211.113.17.35
    ALL: 12.253.55.27
    ALL: 193.205.140.86
    ALL: 80.129.183.126
    ALL: 12.84.242.219
    ALL: 211.74.48.208
    ALL: 24.190.19.1
    ALL: 216.7.109.122
    ALL: 64.75.130.177
    ALL: 64.175.71.146
    ALL: 137.229.26.168
    ALL: 209.149.130.191
    ALL: 24.151.1.190

ipchains (output of "ipchains --list": the input chain accepts by default and DENYs the listed sources; the "l" in the opt column means matches are logged)

    Chain input (policy ACCEPT):
    target  prot  opt     source                           destination  ports
    DENY    all   ----l-  pD9EAF753.dip.t-dialin.net       anywhere     n/a
    DENY    all   ----l-  61.170.156.13                    anywhere     n/a
    DENY    all   ----l-  cs24174138-36.satx.rr.com        anywhere     n/a
    DENY    all   ----l-  198.191-201-80.adsl.skynet.be    anywhere     n/a
    DENY    all   ----l-  ES152246.user.veloxzone.com.br   anywhere     n/a
    DENY    all   ----l-  61.48.40.144                     anywhere     n/a
    Chain forward (policy ACCEPT):
    Chain output (policy ACCEPT):

hosts.allow (consulted before hosts.deny; the trailing "10.10.10." matches the whole 10.10.10.0/24 prefix, and the final "ALL : ALL : deny" makes the policy default-deny; the "[email protected]" entries are user@host patterns whose fields were obfuscated during extraction)

    ALL : 10.10.10. : ALLOW
    ALL : 169.226.2.22 : ALLOW
    ALL : 169.226.2.88 : ALLOW
    ALL : 169.226.2.89 : ALLOW
    localhost.5440 : 169.226.1.101 : ALLOW
    localhost.5442 : 169.226.1.42 : ALLOW
    ALL : [email protected]. : ALLOW
    ALL : [email protected]. : ALLOW
    ALL : [email protected]. : ALLOW
    ALL : [email protected]. : ALLOW
    ALL : [email protected]. : ALLOW
    ALL : ALL : deny

Honeypots
• Misdirection
  – Bait
  – Trap
• Used to learn hackers' techniques
  – Allows for better defenses
  – Learn the identity of a specific hacker

Honeypots (continued)
• Gives the hacker something to focus on other than your real servers
  – An open system
  – A system with the "goods" on it
• honeyd
• Virtual honeypots
  – Virtual networks of machines

Firewalls
• Primary job is filtering
  – As opposed to addressing, as with routers
• Blocks accesses from outside hosts
• Remote hosts cannot access local hosts
• Can limit which remote IP addresses are accessible
• Can limit accessible ports

Onion Routing
• Prevents traffic flow analysis
• Indirectly sent messages
• Use at least two intermediaries
  – No one in the middle knows both the original sender and the final destination
• Wrap message within message
  – Each layer encrypted for one intermediary, which removes its layer and forwards the remainder

Firewalls (continued)
• Generally will only allow certain pre-configured traffic types through
  – Each traffic type is allocated to a standard port
  – Only traffic on specific ports is allowed
• All activity goes through the firewall
• Single network connection to the outside world
  – Both internally and externally

Firewalls (continued)
• Minimal systems
  – Fewer vulnerabilities
  – Optimized for task
  – No user accounts...

Firewalls (continued)
• Requirements
  – Always invoked
  – Tamperproof
  – Small and simple enough for rigorous analysis
• Software firewalls
  – ipchains
• Modus operandi
  – Default permit
  – Default deny
  – Conflicted within the community (default deny is the safer choice: an unanticipated service is blocked rather than exposed)

Packet Filtering Gateway
• Filters packets based on addresses
  – Source address
  – Destination address
  – Destination port
• Can impact router performance
  – Keep separate
  – Inside (network-wise) of the router
• Should not examine packet contents

Stateful Inspection Firewall
• Tracks sequences of packets
  – Maintains state (context) information
• Identifies attacks built from many small packets
• A packet filtering firewall would miss such attacks
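The difference between the two slides above, as an added example that is not part of the original slides: a packet filtering gateway and a stateful inspection firewall run over the same constructed packet sequence. Both must let an inside client browse the outside. The stateless filter can only do that with a rule that admits any inbound TCP segment carrying the ACK bit (the classic "established" rule), and an attacker can set that bit on an unsolicited probe; the stateful filter admits only packets belonging to a connection it saw the inside open. The addresses, ports and the inside network are assumptions.

```python
# Added example (not from the slides): stateless packet filter vs stateful
# inspection on a constructed TCP trace.
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/24")
WEB_SERVER = "10.0.0.80"          # the one inside host exposed on port 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset             # subset of {"SYN", "ACK", "FIN", "RST"}


def inbound(p):
    return (ipaddress.ip_address(p.dst) in INSIDE
            and ipaddress.ip_address(p.src) not in INSIDE)


def stateless_filter(p):
    """Packet filtering gateway: each packet judged alone on addresses, ports
    and flags. Rule 2 is the only way it can let return traffic back in."""
    if not inbound(p):
        return "ACCEPT"                                  # outbound is unrestricted
    if p.dst == WEB_SERVER and p.dport == 80:
        return "ACCEPT"                                  # rule 1: public web server
    if "ACK" in p.flags:
        return "ACCEPT"                                  # rule 2: "established", by flag alone
    return "DROP"


class StatefulFilter:
    """Stateful inspection: remembers connections the inside opened and admits
    only inbound packets that match one of them."""

    def __init__(self):
        self.table = set()       # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p):
        if not inbound(p):
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.table.add((p.src, p.sport, p.dst, p.dport))   # new outbound flow
            return "ACCEPT"
        if p.dst == WEB_SERVER and p.dport == 80:
            return "ACCEPT"
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.table:
            if p.flags & {"FIN", "RST"}:
                self.table.discard(key)                  # teardown (simplified)
            return "ACCEPT"
        return "DROP"                                    # no context: unsolicited


def run(packets):
    """Return (stateless verdicts, stateful verdicts) for a packet sequence."""
    sf = StatefulFilter()
    return [stateless_filter(p) for p in packets], [sf.decide(p) for p in packets]


# Constructed trace: an inside client browses an outside site, then an
# attacker probes an inside host with an unsolicited ACK (an "ACK scan").
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"})),         # out: client opens
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),  # in: legitimate reply
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"ACK"})),         # out: handshake done
    Packet("198.51.100.7", 6666, "10.0.0.5", 22, frozenset({"ACK"})),        # in: unsolicited probe
    Packet("198.51.100.7", 6666, WEB_SERVER, 80, frozenset({"SYN"})),        # in: public web, allowed
    Packet("198.51.100.7", 6666, "10.0.0.5", 22, frozenset({"SYN"})),        # in: plain SYN, blocked
]

if __name__ == "__main__":
    for p, a, b in zip(TRACE, *run(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}"
              f"  stateless={a}  stateful={b}")
```

Packet 4 is where the two disagree: the stateless gateway sees an ACK and passes it, which is how an ACK scan maps firewall rules from outside, while the stateful firewall has no entry for that flow and drops it. Real stateful engines also check sequence numbers and expire idle entries, which the slide's "attacks built from many small packets" point relies on.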

Application Proxy
• Bastion host
• Looks inside packets and ensures commands are acceptable before passing them to the server
  – Pretends to be the true server
• Can be configured to reject some actions
  – Accept others
  – Can filter pieces of data streams (e.g. the output of a file listing)

Guard
• Similar to a proxy firewall
  – Often a fuzzy difference
• Generally much more sophisticated
  – Much more compute-intensive analysis
• Limit users to a certain number of mail messages per day
• Pass incoming files through a virus checker
• Can perform additional logging/monitoring
• Don't need to modify every system

Personal Firewall
• Software firewall
• ipchains, ZoneAlarm, etc.
• Runs on the computer it protects
  – More limited than a network firewall
• Follows rules specified by the user
• Blocks unrequested data/accesses

Firewall Capabilities
• Must control the entire perimeter
• Do not protect data outside the perimeter
• Visible external component
  – Attracts attention
  – Multiple levels of defense
• Must be properly configured
  – Configuration must be updated
• Exercise minimal control over allowed data


Web Security
• Secure Socket Layer (SSL)
  – Provides an encryption layer on top of TCP
  – HTTP can operate on top of SSL (HTTPS)
  – All HTTP transactions are sent in clear text by default
• Transport Layer Security (TLS)
  – The IETF standardization of SSL
• Ensure only the files and scripts on your server that you want available are visible
  – All others should be protected
• Data should be protected from users who might know where to look and what filenames to use
