SI540 Understanding Networked Computing

Network Security

Review
• Compatibility testing
› If you were responsible for building the reference implementation for a protocol for VoIP-client-to-directory-server communications, what would you build?
• Stakeholder interests and strategies
› Imagine that a small developer is interested in developing a streaming media client, but does not have the resources to build and sell a complete system (including the server)
› Would this developer prefer that streaming media protocols be standardized or not?

Learning Objectives
• Understand Security Goals
• Understand Common Vulnerabilities
• Understand Countermeasures and Their Limits

Some Sources of Problems
• Accidents
› Software and hardware bugs
› Natural disasters
› Human errors
• Adversaries
› Hackers/Crackers/"Black Hats"
› "Hacker" also has a second meaning: "good programmer"
› Disgruntled employees
› Malicious code: viruses, worms, and Trojan horses

Terminology
• Vulnerability
› A weakness in your system that could be exploited by an adversary
› More generally, something that could go wrong
• Threat
› A scenario of what an adversary would do
› More generally, something that could go wrong that you are worried about enough to do something about
• Countermeasure
› Something you do to reduce the risk from threats
› Often by reducing vulnerabilities

Reliability and Security Goals
• The next few slides consider each goal, looking at both the vulnerabilities and the countermeasures that are available
› High availability
› Data persistence and integrity
› Limit access to authorized users and uses

High Availability: Vulnerabilities
• Off-line upgrade and maintenance
• Software crashes
• Equipment failure
• Denial-of-service (DoS) attack
› Oversized ICMP packets ("ping of death"): an echo request whose fragments reassemble to more than 65,535 bytes crashed unpatched IP stacks
› Flooding attacks
› Flooding works when the target has to do more work per packet than the initiator; to generate enough traffic the attacker usually spreads the load over many compromised machines, hence "Distributed" DoS (DDoS)
› SYN flood (TCP): request many new TCP connections, because each one makes the recipient allocate state and wait for a handshake that never completes
› Echo floods: send echo requests to a "rebroadcaster" (a network's broadcast address) with the victim's address as the spoofed source; every host on that network replies to the victim
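Why a SYN flood exhausts the target, as an added example that is not part of the original slides. It simulates a listener's bounded table of half-open connections; the backlog size, timeout, flood rates and addresses are constructed assumptions, not figures from the deck.

```python
"""Added example (not from the SI540 slides): why a SYN flood works.

A TCP listener keeps state for every half-open connection (SYN received,
final ACK not yet seen) in a bounded backlog.  The initiator spends one
small packet per SYN; the target allocates an entry and waits.  SYNs with
spoofed source addresses never complete the handshake, so the backlog
fills with entries that only leave on timeout, and legitimate SYNs are
dropped.  Backlog size, timeout, addresses and rates are constructed."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog_size: int
    syn_timeout: float                      # seconds a half-open entry is kept
    half_open: dict = field(default_factory=dict)   # (src, sport) -> arrival time
    dropped: int = 0
    established: int = 0

    def expire(self, now):
        stale = [k for k, t in self.half_open.items() if now - t > self.syn_timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src, sport, now):
        """Target does the expensive part: allocate state and send a SYN-ACK."""
        self.expire(now)
        if len(self.half_open) >= self.backlog_size:
            self.dropped += 1               # backlog full: SYN silently dropped
            return False
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, src, sport):
        """Third handshake packet: promote the half-open entry to established."""
        if (src, sport) in self.half_open:
            del self.half_open[(src, sport)]
            self.established += 1
            return True
        return False


def simulate(flood_rate, backlog=128, timeout=30.0, duration=10):
    """Send `flood_rate` spoofed SYNs per second for `duration` seconds while
    one legitimate client tries to connect each second.
    Returns (legitimate connections that succeeded, attempts)."""
    listener = Listener(backlog, timeout)
    legit_ok = legit_tries = 0
    for second in range(duration):
        now = float(second)
        for i in range(flood_rate):
            # Spoofed source: the SYN-ACK goes to a host that never answers.
            src = f"198.51.100.{(second * flood_rate + i) % 254 + 1}"
            listener.on_syn(src, 40000 + i, now)
        legit_tries += 1
        if listener.on_syn("203.0.113.10", 50000 + second, now + 0.5):
            listener.on_ack("203.0.113.10", 50000 + second)
            legit_ok += 1
    return legit_ok, legit_tries
```

With no flood every legitimate attempt succeeds; at 200 spoofed SYNs per second the 128-entry backlog is full before the first real client arrives and none succeed, even though the attacker sent nothing but SYNs. The asymmetry is the point: each spoofed SYN costs the attacker one packet and the target a backlog slot for the whole timeout. Kernels answer this with shorter timeouts and stateless SYN cookies; the countermeasures on the next slide (redundancy, patches, firewalls) work at other layers.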

High Availability: Countermeasures
• On-line upgrade and maintenance
• More application testing, more rapid bug reports and fixes
• Equipment or application redundancy
• Operational vigilance
› For example, installing the latest software patches
• Access controls
• Firewalls

Availability Discussion
• Which availability countermeasures would be appropriate for the following systems?
› Home computer connected via cable modem running an FTP server so that you can access your files when you're away
› SI Computing file servers, used by all faculty, staff, and students
› eBay web servers

Data Persistence: Vulnerabilities and Countermeasures
• Hardware failure
› Countermeasure: periodic backup
• Data change
› Countermeasure: integrity checks (how?)
• Hardware obsolescence
› Countermeasure: periodic copy of data to a new device
• Data format obsolescence
› Software to process the data may no longer be available
› Countermeasures (see F02 midterm)
› Periodic translation of data to new formats
› Continual migration of processing software
› Platform emulators

Access: Vulnerability
• Want to limit access to some data
› Don't want students to have access to grade sheets
› Don't want a "black hat" to have access to Amazon.com's credit card database
• Without access controls, everyone has access to everything on a system
› This was the norm for early personal computer operating systems

Access: Countermeasures
• Step 1: Authentication: verify the user's identity
› Somewhere you are (location, e.g., network address)
› Something you know (password, PIN)
› Something you can do (handwritten signature)
› Something you have (token, smart card)
› Something you are (fingerprint, retina)
• Step 2: Authorization: limit what a user can do
› Sometimes also called access control
› Maintain a database of authorizations (access control lists)
› Can organize by person/entity, defining which items each entity is allowed to access
› Or organize by items, defining which entities are allowed to access each item
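The two layouts of the authorization database described above, as an added example that is not from the original deck. It shows the same authorizations indexed by item (an access control list per object) and by entity (a capability list per subject), and which operation each layout makes cheap. Subjects, objects and rights are constructed.

```python
"""Added example (not from the SI540 slides): the two ways to organize an
authorization database.  By item, each object carries an access control
list (ACL) of subjects and rights; by entity, each subject carries a
capability list of objects and rights.  Both encode the same
authorizations.  Subjects, objects and rights are constructed."""


# By item: object -> {subject: set of rights}.
ACL = {
    "grades.xlsx":  {"instructor": {"read", "write"}, "ta": {"read"}},
    "syllabus.pdf": {"instructor": {"read", "write"}, "ta": {"read"},
                     "student": {"read"}},
}


def authorized(acl, subject, obj, right):
    """Default deny: an object or subject with no entry grants nothing."""
    return right in acl.get(obj, {}).get(subject, set())


def to_capabilities(acl):
    """Re-index the same authorizations by entity: subject -> {object: rights}."""
    caps = {}
    for obj, entries in acl.items():
        for subject, rights in entries.items():
            caps.setdefault(subject, {})[obj] = set(rights)
    return caps


def authorized_cap(caps, subject, obj, right):
    return right in caps.get(subject, {}).get(obj, set())


def revoke_object(acl, obj):
    """By-item layout: cutting everyone off from one object is one operation.
    In the by-entity layout the same change touches every subject's list."""
    acl[obj] = {}


def reachable(caps, subject):
    """By-entity layout: "what can this user touch?" is one lookup.
    In the by-item layout it means scanning every object's ACL."""
    return sorted(caps.get(subject, {}))


def consistent(acl):
    """Check both layouts give the same answer for every (subject, object, right)."""
    caps = to_capabilities(acl)
    subjects = {s for e in acl.values() for s in e}
    rights = {r for e in acl.values() for rs in e.values() for r in rs}
    return all(authorized(acl, s, o, r) == authorized_cap(caps, s, o, r)
               for s in subjects for o in acl for r in rights)
```

Either layout answers "may this subject do this to this object?" in one lookup; they differ in which bulk operations are cheap (revocation per object versus enumeration per subject), which is why real systems often keep one as the source of truth and derive the other.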

Vulnerabilities in Location-Based Authentication/Authorization
• The entity at that network address may not be who you think it is
› Someone else may have physical access to the computer
• It may not really be at that network address
› For example, IP spoofing

Exploiting Location-Based Authentication: IP Spoofing
• Suppose A "trusts" B
› No password required if accessing A from B
• Z knocks out B through a denial-of-service attack
• TCP connect from Z to A
› But pretend to be at location B (put B's IP address in the source field of the SYN)
• A sends a SYN-ACK to B
› It carries A's initial sequence number; B doesn't respond (because of the DoS attack)
• Z sends commands to A
› Still pretending to be at location B
› Z ACKs A's response even though Z never saw it
› Z has to guess A's sequence number (the right amount of data to ACK) and the right amount of delay, so the attack depends on A's sequence numbers being predictable
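The blind step of the attack above, as an added example that is not part of the original slides. Server A, trusted host B, attacker Z, the per-connection initial-sequence-number increment of 64000 (the behaviour of old BSD stacks) and the trust rule are all constructed for the demonstration; the code models only the handshake, not real packets.

```python
"""Added example (not from the SI540 slides): the blind step of the IP
spoofing attack.  Z sends a SYN to A with B's address as source.  A's
SYN-ACK, which carries A's initial sequence number (ISN), is routed to B,
so Z never sees it.  To finish the handshake Z must send ACK = ISN + 1
anyway, which only works when A's ISNs are predictable.  Hosts A, B, Z,
the per-connection ISN increment and the trust rule are constructed."""
import secrets

MASK32 = 0xFFFFFFFF


class ServerA:
    def __init__(self, predictable_isn):
        self.predictable_isn = predictable_isn
        self._isn = 0x1000_0000
        self.trusted = {"B"}        # location-based trust: no password from B
        self.pending = {}           # claimed source -> ISN sent in the SYN-ACK
        self.sessions = set()

    def next_isn(self):
        if self.predictable_isn:
            self._isn = (self._isn + 64000) & MASK32   # fixed step per connection
        else:
            self._isn = secrets.randbits(32)           # unpredictable
        return self._isn

    def on_syn(self, claimed_src):
        """Answer a SYN with a SYN-ACK.  The return value models the ISN
        leaving in that SYN-ACK, which only claimed_src can observe."""
        isn = self.next_isn()
        self.pending[claimed_src] = isn
        return isn

    def on_ack(self, claimed_src, ack):
        """Final handshake packet.  Returns True only if the handshake
        completes AND the claimed source is trusted (commands accepted)."""
        isn = self.pending.pop(claimed_src, None)
        if isn is None or ack != (isn + 1) & MASK32:
            return False                     # wrong ACK: connection never opens
        self.sessions.add(claimed_src)
        return claimed_src in self.trusted


def spoof_attempt(server):
    # 1. Z connects from its own address and legitimately observes A's ISN.
    probe_isn = server.on_syn("Z")
    server.on_ack("Z", (probe_isn + 1) & MASK32)
    # 2. B is silenced by the DoS attack.  Z sends a SYN claiming to be B;
    #    the SYN-ACK goes to B, so Z discards the value returned here.
    server.on_syn("B")
    # 3. Z guesses the ISN from the probe and the per-connection step.
    guess = (probe_isn + 64000 + 1) & MASK32
    return server.on_ack("B", guess)


def success_rate(predictable_isn, trials=50):
    return sum(spoof_attempt(ServerA(predictable_isn)) for _ in range(trials)) / trials
```

With a fixed increment the guess is right every time; with a random 32-bit ISN the chance per attempt is 2^-32. Randomized ISNs (RFC 6528) are the standard defense against this step, but the underlying lesson of the slide stands: an address is a location, not an identity, so do not grant access on it alone.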

Malicious Code Threats
• Viruses
› File infection: virus attaches itself to a file
› Boot record infection: virus attaches itself to the boot instructions stored on a storage medium (e.g., hard drive)
› Macro virus: virus attaches itself to a document associated with an application that supports scripting
• Worms
› Designed to copy itself from one computer to another over a network without human intervention
• Trojan horses
› Program that conceals its destructive purpose by pretending to perform a desirable function

Malicious Code Countermeasures
• Prevention
› Know where code comes from before executing it
› Check the digital signature on the code
› Run code in a "sandbox"
› A virtual machine on which unsafe instructions are not executed
› Events on the virtual machine do not affect the real machine
• Detection
› Notice changes (compare files against a stored record of what they looked like)
› Scan for known bad code fragments
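One way to do the integrity check asked about on the data-persistence slide and the "notice changes" detection above, as an added example that is not from the original deck. It builds a manifest of per-file digests, reports what changed, and shows why a keyed digest (HMAC) is needed when the adversary can rewrite the manifest as well as the files. The file contents and the key are constructed; SHA-256 and HMAC come from Python's standard library.

```python
"""Added example (not from the SI540 slides): an integrity manifest.  It
answers "integrity checks (how?)" on the data-persistence slide and
"notice changes" on the malicious-code detection slide.  File contents
and the key are constructed; SHA-256 and HMAC come from the standard
library."""
import hashlib
import hmac


def digest(data):
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_manifest(files, key=None):
    """Map each file name to its digest.  With a key the digest is an HMAC,
    which an adversary who rewrites the files cannot recompute unless they
    also hold the key, so keep the key (or the manifest) out of their reach."""
    return {name: (keyed_digest(key, data) if key else digest(data))
            for name, data in files.items()}


def check(manifest, files, key=None):
    """Compare the current files with the manifest; report what changed."""
    now = make_manifest(files, key)
    return {
        "added": sorted(set(now) - set(manifest)),
        "removed": sorted(set(manifest) - set(now)),
        "modified": sorted(n for n in now if n in manifest
                           and not hmac.compare_digest(now[n], manifest[n])),
    }


# Constructed snapshots of a tiny file system: before and after an intrusion.
ORIGINAL = {"/bin/ls": b"ELF ls v1", "/etc/passwd": b"root:x:0:0"}
TAMPERED = {"/bin/ls": b"ELF ls v1 + trojan", "/etc/passwd": b"root:x:0:0",
            "/tmp/.hidden": b"dropper"}


def detect_changes():
    """Plain hashes: catches the trojaned binary and the new file, provided
    the adversary could not edit the manifest itself."""
    return check(make_manifest(ORIGINAL), TAMPERED)


def forged_manifests():
    """Adversary rewrites the files AND regenerates the manifest.
    Returns (report with unkeyed manifest, report with keyed manifest)."""
    forged_unkeyed = make_manifest(TAMPERED)            # hashes recomputed: clean
    key = b"kept-on-the-backup-host"                    # constructed, not on the box
    forged_keyed = make_manifest(TAMPERED, b"guess")    # adversary lacks the key
    return check(forged_unkeyed, TAMPERED), check(forged_keyed, TAMPERED, key)
```

A plain hash manifest is enough against accidental change and against an intruder who cannot touch the manifest; once the intruder has write access to both, only a keyed digest with the key held elsewhere (or a manifest stored on read-only media) still reports the modification. The keyed report also flags the untouched `/etc/passwd`, which is correct: a manifest made with the wrong key verifies nothing.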

Malicious Code and OS/Application Diversity
• Working in an environment that uses a variety of OSs and/or applications has several implications for malicious code:
› More vulnerabilities
› Each OS/app has a different set of weaknesses, requiring a different set of remedies
› Less damage from a problem
› Malicious code that targets one system doesn't affect the others
› Can use unaffected machines to work on fixing the problems

Malicious Code Discussion
• Which kind of malicious code…
› Is easiest to guard against? Why?
› Spreads most quickly? Why?
• How would you manually clean a system that is infected with…
› A Trojan horse?
› A macro virus?
› A boot sector virus?

Firewalls (Packet Filters)
• Located at the border between private and public networks
› All traffic between the two must pass through the firewall
• Examines IP packets
› IP header
› TCP or UDP header (if using those protocols)
› TCP ACK flag (if TCP packet)
› TCP payload

[Figure: public hosts on the global Internet on one side of the firewall; internal hosts in the protected enclave on the other]

Firewalls (Packet Filters)
• Discard some packets, selecting based on:
› Which host is initiating the connection (e.g., public or private)
› IP address or domain name (source or destination)
› Protocol
› Sender port number
› Receiver port number
› Packet content ("sniff" for words or phrases)
› Connection status

What Can Firewalls Filter?
• Based on the filtering capabilities described, which of the following can a firewall filter?
› Packets to or from a specified IP address?
› Packets to or from a specified domain name?
› All HTTP traffic?
› All email to [email protected]?
› All pornographic web pages?
› All web pages criticizing the government?

Proxy Servers
• Located at the border between the private network and the firewall or public network
› With a proxy server, the client never actually connects to the outside network; instead the proxy makes the connection and relays allowable protocols/content to the client
› Filters at the application layer (HTTP, FTP, Telnet, etc.)

[Figure: public hosts and the global Internet outside; a firewall at the border; the proxy server between the firewall and the internal hosts of the protected enclave]

Proxy Servers
• Proxy receives requests for certain applications
› For example, an HTTP request for a particular URL
• Proxy checks whether the request is permitted
› For example, users might not be allowed to access gambling sites from a corporate computer
• If the request is okay, the proxy passes it on to the final destination
› Otherwise, the request is denied
• Proxy may also serve a caching function
› If the request can be handled locally, don't bother to pass it on to the final destination

Typical Firewall Configurations
• Transparent
› Allow incoming traffic to the web server on port 80
› Allow incoming traffic to any machine on ports > 1023 (meant for replies to connections opened from inside; tested by port alone it also admits new connections to any service listening above 1023, so pair it with the TCP ACK flag or connection status)
› Allow outgoing traffic to any IP address, any port
› Block all other packets
• Proxy as Bastion
› In this configuration, the proxy is the only point of contact between the public and private networks
› Allow incoming traffic to the web server on port 80 and on ports > 1023
› Allow outgoing traffic from the bastion/proxy server on ports 23 (Telnet) and 80 (HTTP) to any IP address
› Block all other packets
Note: In this context, the direction of the traffic indicates which host is responsible for opening the connection. Once open, data flows both ways.
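The "Transparent" configuration above written out as an ordered rule list, next to a default-deny variant that uses the TCP ACK flag (slide 19's fourth criterion) to tell replies from new connections. This is an added example, not code from the original slides; the internal network prefix, the web server address and the sample packets are constructed.

```python
"""Added example (not from the SI540 slides): a stateless packet filter.
The first policy is the "Transparent" configuration as an ordered rule
list; the second is a default-deny variant that uses the TCP ACK flag to
admit replies to connections opened from inside without admitting new
connections to high ports.  The internal network prefix, the web server
address and the sample packets are constructed."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."      # stands in for a real subnet mask check
WEB_SERVER = "10.0.0.80"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def direction(p):
    """Return "in" when a public host sends toward the enclave, else "out"."""
    return "in" if not is_internal(p.src) and is_internal(p.dst) else "out"


def to_web(p):
    return p.proto == "tcp" and p.dst == WEB_SERVER and p.dport == 80


# A policy is an ordered list of (predicate, verdict); the first match wins.
def transparent_policy():
    return [
        (lambda p: direction(p) == "in" and to_web(p), "allow"),
        # Port test alone: admits replies AND fresh connections to high ports.
        (lambda p: direction(p) == "in" and p.dport > 1023, "allow"),
        (lambda p: direction(p) == "out", "allow"),
    ]


def default_deny_policy():
    return [
        (lambda p: direction(p) == "in" and to_web(p), "allow"),
        # Replies to inside-initiated connections carry ACK without SYN.
        (lambda p: direction(p) == "in" and p.proto == "tcp"
                   and p.ack and not p.syn and p.dport > 1023, "allow"),
        (lambda p: direction(p) == "out", "allow"),
    ]


def filter_packet(policy, p):
    for predicate, verdict in policy:
        if predicate(p):
            return verdict
    return "deny"                # block all other packets


SAMPLE = {   # constructed packets
    "web_request":       Packet("198.51.100.7", WEB_SERVER, "tcp", 51000, 80, syn=True),
    "reply_to_outbound": Packet("93.184.216.34", "10.0.0.5", "tcp", 443, 52000, ack=True),
    "probe_high_port":   Packet("198.51.100.7", "10.0.0.5", "tcp", 51001, 8080, syn=True),
    "telnet_in":         Packet("198.51.100.7", "10.0.0.5", "tcp", 51002, 23, syn=True),
    "outbound_http":     Packet("10.0.0.5", "93.184.216.34", "tcp", 52001, 80, syn=True),
}


def evaluate(policy):
    return {name: filter_packet(policy, p) for name, p in SAMPLE.items()}
```

Both policies pass the web request, the reply to an outbound HTTPS connection and the outbound request, and block inbound Telnet; only the transparent policy also lets the inbound SYN to port 8080 through. The ACK-flag test is itself only a heuristic, since an attacker can set ACK on a probe (an "ACK scan"), which is why the "connection status" criterion on slide 21, a stateful table of connections the firewall has seen opened, is the stronger check.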

More Permissive Configuration
• Block incoming traffic from known bad addresses
› Avoids some IP spoofing attacks (for example, drop incoming packets whose source address claims to be inside your own network)
• Block incoming traffic on known bad ports
› E.g., multicast, if you're not using multicast
› E.g., Napster
• Allow everything else
• Security experts prefer policies that prohibit everything not explicitly permitted
• "Permitted unless prohibited" enables more innovation
› E.g., access to experimental new services

Vulnerability Assessment Tools
• Check configurations for known weaknesses
• Check for violations of the organization's security policy
› For example, an individual office computer that allows modem connections
• Simulate known attacks

Intrusion Detection Tools
• Monitor activity
› Look for known "signatures" of cracking
› Look for "unusual activity"
› Requires some model of normal activity
• What to monitor
› Host-based: logs of activity on individual machines
› Network-based
› "Promiscuous mode" intercepts all packets on the segment
› Process them as fast as you can (packets missed under load are never examined)
› Unlike a packet filter, can look for patterns in sequences of packets
• Problem of false alarms
› Each alarm requires human investigation
› Loosen the model of "unusual" and real attacks are missed; tighten it and analysts drown in alarms
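Both detection styles from the slide above run over one constructed packet log, as an added example that is not part of the original deck: a packet-by-packet signature match, and a stateful detector that notices a pattern across a sequence of packets (a port scan), which a packet filter cannot do. The log lines, the signature, the addresses and the thresholds are constructed.

```python
"""Added example (not from the SI540 slides): two detectors over the same
constructed packet log.  A signature detector matches a known bad payload
fragment packet by packet; a sequence detector flags a source that touches
many distinct destination ports within a short window.  The log lines,
the signature and the thresholds are constructed."""
from collections import defaultdict, deque

# Constructed log: (time_s, src, dst, dport, payload)
LOG = [
    (0.0, "10.0.0.5", "10.0.0.80", 80, b"GET /index.html"),
    (1.0, "198.51.100.9", "10.0.0.5", 21, b""),
    (1.1, "198.51.100.9", "10.0.0.5", 22, b""),
    (1.2, "198.51.100.9", "10.0.0.5", 23, b""),
    (1.3, "198.51.100.9", "10.0.0.5", 25, b""),
    (1.4, "198.51.100.9", "10.0.0.5", 80, b""),
    (1.5, "198.51.100.9", "10.0.0.5", 110, b""),
    (2.0, "10.0.0.6", "10.0.0.80", 80, b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"),
    (3.0, "10.0.0.7", "10.0.0.80", 80, b"GET /docs/passwd-policy.html"),
    (5.0, "10.0.0.5", "10.0.0.80", 443, b""),
    (6.0, "10.0.0.5", "10.0.0.80", 25, b""),
    (7.0, "10.0.0.5", "10.0.0.80", 22, b""),
]

SIGNATURES = {"phf-cgi": b"/cgi-bin/phf"}   # constructed signature


def signature_alerts(log, sigs=SIGNATURES):
    """Stateless: each packet is judged on its own payload."""
    return [(t, src, name) for t, src, _, _, payload in log
            for name, frag in sigs.items() if frag in payload]


def portscan_alerts(log, max_ports=5, window=2.0):
    """Stateful: remember recent (time, port) per source and alert once when a
    source hits more than `max_ports` distinct ports within `window` seconds."""
    recent = defaultdict(deque)
    alerts, flagged = [], set()
    for t, src, _, dport, _ in log:
        q = recent[src]
        q.append((t, dport))
        while q and t - q[0][0] > window:       # slide the window forward
            q.popleft()
        if src not in flagged and len({p for _, p in q}) > max_ports:
            flagged.add(src)
            alerts.append((t, src, "portscan"))
    return alerts
```

The precise signature fires once, on the real attack; a sloppy signature such as the bare string `passwd` fires twice, and the second alert is a false alarm that someone has to investigate. The sequence detector has the same trade-off in its threshold: at six ports in two seconds it flags only the scanner, but lowered to two ports it also flags an internal host that merely used three services in a row.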

Summary
• Understand Security Goals
• Understand Common Vulnerabilities
• Understand Countermeasures and Their Limits
› Malicious code
› Firewalls and proxy servers
› Vulnerability assessment
› Intrusion detection
