Security Issues in Internetworking - PowerPoint PPT Presentation

About This Presentation
Title:

Security Issues in Internetworking

Description:

Security Issues in Internetworking. Internetworking leads to various security ... Clandestine User: an individual who seizes supervisory control of the system ... – PowerPoint PPT presentation

Slides: 87
Provided by: atharm

Transcript and Presenter's Notes

1
Security Issues in Internetworking
Internetworking - Module 16
  • Internetworking leads to various security
    problems which are addressed by means of security
    protocols such as IPSec, mechanisms such as
    encryption, security devices such as firewalls
    and security policies

2
Important Issues
  • Security Risks
  • Firewalls
  • Denial of Service Attacks
  • Intrusion Detection
  • NOTE This lecture contains material adapted
    from Cisco Systems training materials

3
Network Access Security Model
4
Security Protocol Layers
  • The further down you go, the more transparent it
    is
  • The further up you go, the easier it is to deploy

5
Services, Mechanisms, Algorithms
6
Usability and Security
Determine where on this line your organization
needs lie
7
Three Primary Reasons for Security Issues
  • Technology weaknesses
  • Configuration weaknesses
  • Policy weaknesses

And people eager to take advantage of the
weaknesses
8
Technology Weaknesses
  • TCP/IP protocol and service weaknesses
    • Sendmail, SNMP, SMTP, DoS (SYN flood)
  • Operating system weaknesses
    • UNIX, Windows NT, Windows 95, OS/2
  • Network equipment weaknesses
    • Password protection
    • Lack of authentication
    • Routing protocols
    • Misconfigured firewall holes

9
Configuration Weaknesses
  • Unsecured user accounts
  • System accounts with easily guessed passwords
  • Misconfigured Internet services
  • Unsecured default settings within products
  • Misconfigured network equipment

10
Policy Weaknesses
  • Lack of written security policy
  • Politics
  • Business lacks continuity, cannot implement
    policy evenly
  • Logical access controls not applied
  • Security administration is lax, including
    monitoring and auditing
  • Software and hardware installation and changes do
    not follow policy
  • Disaster recovery plan is nonexistent

11
General Threat Types
  • Eavesdropping
  • Denial of service
  • Unauthorized access
  • Data manipulation
  • Masquerade
  • Session Replay
  • Session hijacking
  • Rerouting
  • Repudiation
  • Viruses, Trojan Horses, and Worms

12
Denial of Service
  • Prevents authorized people from using a service
    (for example by exhausting CPU or memory)
  • TCP SYN attack
  • Ping of Death
  • WinNuke
  • Land attack (land.c)


13
Denial of Service Attacks
  • Attacks that aim to exhaust computing resources,
    or to crash software and services, are known as
    Denial of Service (DoS) attacks
  • Examples
    • TCP SYN flooding
    • TLS ClientHello floods (each handshake forces
      the server into expensive public-key operations)
    • ICMP echo request (ping) floods
  • Sophisticated firewalls can protect against some
    of these attacks


14
Unauthorized Access: WareZ
("Free software here!")
  • Accessing and placing unauthorized files or
    resources on another system
    • GIFs
    • Hacker tools
    • Unlicensed versions of software


15
Intruders and Intrusion
  • The objective of the intruder is to gain access
    to a system or to increase the range of
    privileges accessible on a system
  • Masquerader: an individual who is not authorized
    to use the computer and who penetrates the
    system's access controls to exploit a legitimate
    user's account
  • Misfeasor: a legitimate user who accesses data,
    programs, or resources for which such access is
    not authorized, or who is authorized for such
    access but misuses his or her privileges
  • Clandestine user: an individual who seizes
    supervisory control of the system and uses this
    control to evade auditing and access controls or
    to suppress audit information


16
Intrusion Detection
  • Intrusion prevention tries to limit unauthorized
    access by using various techniques such as
    passwords, access control lists, etc.
  • Even the best intrusion prevention can fail; the
    next best thing is to detect the intrusion and
    take corrective action, such as ejecting the
    intruder
  • Detection can also serve as a deterrent
  • What is learned from detected intrusions can be
    used to prevent future intrusions


17
Profiles of Behavior of Intruders and Authorized
Users
18
Approaches to Intrusion Detection
  • Statistical anomaly detection
    • Collects data on the behavior of legitimate
      users over a period of time, then applies
      statistical tests to decide, with a high
      confidence level, whether observed behavior is
      not that of a legitimate user
  • Rule-based detection
    • Attempts to define a set of rules that can be
      used to decide that a given behavior is that of
      an intruder
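
The two approaches above, as an added example that is not part of the original deck: a small Python detector that runs both over constructed, syslog-style login records. The record format, the baseline numbers, the addresses and the thresholds are all invented for the illustration; a real deployment would build the baseline from weeks of audit data.

```python
"""Added example (not from the deck): statistical anomaly detection and
rule-based detection run over constructed login records."""
import re
import statistics
from collections import Counter, defaultdict, deque

# Constructed records: "<epoch> <host> sshd: <accepted|failed> login for <user> from <ip>"
SAMPLE_LOGS = [
    "1000 gw sshd: accepted login for alice from 10.0.0.5",
    "1060 gw sshd: accepted login for bob from 10.0.0.9",
    "1200 gw sshd: accepted login for alice from 10.0.0.5",
    "1700 gw sshd: failed login for root from 198.51.100.7",
    "1703 gw sshd: failed login for root from 198.51.100.7",
    "1706 gw sshd: failed login for root from 198.51.100.7",
    "1709 gw sshd: failed login for root from 198.51.100.7",
    "1712 gw sshd: failed login for root from 198.51.100.7",
    "1715 gw sshd: failed login for root from 198.51.100.7",
    "2000 gw sshd: accepted login for bob from 10.0.0.9",
    "2100 gw sshd: accepted login for bob from 10.0.0.9",
    "2200 gw sshd: accepted login for bob from 10.0.0.9",
    "2300 gw sshd: accepted login for bob from 10.0.0.9",
    "2350 gw sshd: accepted login for bob from 10.0.0.9",
    "2400 gw sshd: accepted login for alice from 203.0.113.44",
]

# Constructed profile of legitimate behaviour: accepted logins per hour in
# earlier windows, and the source addresses each user normally comes from.
BASELINE_COUNTS = {
    "alice": [2, 3, 2, 2, 3, 4, 2, 3, 2, 3],
    "bob":   [1, 0, 1, 1, 0, 1, 1, 0, 1, 1],
}
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}}

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<host>\S+) sshd: (?P<result>accepted|failed) login "
    r"for (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse(lines):
    """Turn matching log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = int(e["ts"])
            events.append(e)
    return events

def anomaly_alerts(events, baseline, z_threshold=3.0):
    """Statistical anomaly detection: this window's accepted-login count per
    user is compared with the user's historical mean and standard deviation.
    A z-score above the threshold means the behaviour is unlikely to be the
    legitimate user's. Users without a baseline cannot be scored."""
    counts = Counter(e["user"] for e in events if e["result"] == "accepted")
    alerts = []
    for user, history in baseline.items():
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history) or 1.0   # flat history: avoid divide-by-zero
        z = (counts.get(user, 0) - mean) / stdev
        if z > z_threshold:
            alerts.append(("anomaly:login-rate", user, round(z, 1)))
    return alerts

def rule_alerts(events, known_sources, max_failures=5, window=60):
    """Rule-based detection: patterns that are intrusions by definition.
    Rule 1: >= max_failures failed logins from one source within `window` seconds.
    Rule 2: a successful login for a user from a source never seen before."""
    alerts = []
    recent = defaultdict(deque)      # source ip -> timestamps of recent failures
    fired = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "failed":
            q = recent[e["src"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= max_failures and e["src"] not in fired:
                fired.add(e["src"])                # alert once per source
                alerts.append(("rule:brute-force", e["src"], len(q)))
        elif e["src"] not in known_sources.get(e["user"], set()):
            alerts.append(("rule:new-source", e["user"], e["src"]))
    return alerts

if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    for alert in anomaly_alerts(evts, BASELINE_COUNTS) + rule_alerts(evts, KNOWN_SOURCES):
        print(alert)
```

Statistical detection needs a baseline for each user, so it cannot score the "root" attempts at all; the failed-login rule catches those instead. That division of labour is the usual reason the two approaches are run side by side.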

19
Distributed Intrusion Detection
  • Computing resources are distributed now
  • If all computing resources collaborate in
    intrusion detection, an intrusion can be detected
    quickly

20
Architecture for Distributed Intrusion Detection
21
Agent Architecture
22
Data Manipulation: Graffiti
  • Painting over Web pages
  • Replacing FTP files
  • Replacing MOTD files

23
Session Susceptibilities
(Figure: an intruder, posing as John, sends "I am
John, send cash" to John's financial institution
while the real John's session is cut off.)
  • Session hijacking
  • Rerouting
  • Repudiation

24
AAA Model: Network Security Architecture
  • Authentication
    • Who are you?
    • "I am user student, and my password validateme
      proves it"
  • Authorization
    • What can you do? What can you access?
    • "User student can access host NT_Server with
      Telnet"
  • Accounting
    • What did you do? How long did you do it? How
      often did you do it?
    • "User student accessed host NT_Server with
      Telnet 15 times"

25
Authentication Methods and Ease of Use
(Ordered from strongest to weakest authentication;
the figure plots them against ease of use.)
  • Token cards / soft tokens (OTP)
  • One-time password (OTP) lists
  • S/Key (OTP for terminal login)
  • Username/password (aging)
  • Username/password (static)
  • No username or password

26
Authentication: Remote Client Username and Password
(Figure: a Windows 95 remote client dials in over
PSTN/ISDN to a network access server, sending the
username and password typed into the Dial-Up
Networking dialog over TCP/IP PPP; the NAS checks
them against a security server.)
27
Authentication: One-Time Passwords (S/Key)
  • List of one-time passwords
  • Generated by the S/Key program by applying a hash
    function repeatedly to a secret pass phrase and
    seed
  • Each password is sent in cleartext over the
    network, but it is valid only once; an
    eavesdropper cannot derive the next one from it
  • Server must support S/Key
(Figure: the S/Key password list on the workstation
side and a security server that supports S/Key; one
password crosses the network in cleartext.)
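
The S/Key mechanism above, as an added example that is not from the deck: a one-time password chain built the way RFC 2289 (the IETF successor to S/Key, RFC 1760) specifies it, with MD5 as the hash (S/Key itself used MD4). It shows why the password may cross the wire in cleartext: the server keeps only the last accepted value h^N, the client sends h^(N-1), and a captured value is useless afterwards. The seed, pass phrase and count are constructed values; real implementations also encode the 64-bit result as six short words for typing.

```python
"""Added example (not from the deck): an S/Key-style OTP chain per RFC 2289
with MD5, plus the server-side check that makes cleartext transmission safe."""
import hashlib

def fold(digest: bytes) -> bytes:
    """RFC 2289: reduce the 128-bit MD5 output to 64 bits by XORing its halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

def otp_step(value: bytes) -> bytes:
    """One step of the chain: h(value) = fold(MD5(value))."""
    return fold(hashlib.md5(value).digest())

def otp(seed: str, passphrase: str, n: int) -> bytes:
    """The one-time password with sequence number n: the initial step hashes
    the lower-cased seed concatenated with the pass phrase, then n more steps."""
    value = otp_step((seed.lower() + passphrase).encode())
    for _ in range(n):
        value = otp_step(value)
    return value

class SKeyServer:
    """Per-user state on the security server: sequence number and the last
    accepted password. The pass phrase itself is never stored here."""
    def __init__(self, seed: str, seq: int, last: bytes):
        self.seed, self.seq, self.last = seed, seq, last

    def challenge(self) -> str:
        # Sent in cleartext, RFC 2289 style: "otp-md5 <sequence> <seed>"
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept iff one more hash step turns the candidate into the stored
        value; then move the chain down one step, so a replay now fails."""
        if self.seq <= 0 or otp_step(candidate) != self.last:
            return False
        self.seq -= 1
        self.last = candidate
        return True

def client_response(passphrase: str, challenge: str) -> bytes:
    """The workstation recomputes the requested password from the challenge
    and its secret pass phrase; this is what crosses the network in clear."""
    _, seq, seed = challenge.split()
    return otp(seed, passphrase, int(seq))

def demo():
    seed, passphrase, n = "ab12", "correct horse battery", 100   # constructed values
    server = SKeyServer(seed, n, otp(seed, passphrase, n))      # initialised with h^100
    first = client_response(passphrase, server.challenge())    # h^99, sent in cleartext
    ok_first = server.verify(first)
    replayed = server.verify(first)                             # sniffed value reused: rejected
    second = client_response(passphrase, server.challenge())   # h^98
    ok_second = server.verify(second)
    return ok_first, replayed, ok_second, server.seq

if __name__ == "__main__":
    print(demo())   # (True, False, True, 98)
```

Note what the server never has: the pass phrase, or any password lower in the chain than the one it just accepted. That is also why the chain has to be re-initialised before the sequence number reaches zero.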
28
Authentication: Token Cards and Servers
  • The token card uses an algorithm based on a PIN
    and/or the time of day to generate a one-time
    password
  • The user sends that password to the network
    access server or security server to complete
    authentication
  • The server (here a CiscoSecure token server) runs
    the same algorithm on its copy of the token's
    secret to recompute the expected password and
    compares; it does not decrypt the password
(Figure: four numbered steps from the token card,
through the network access server, to the
CiscoSecure token server and back.)
29
Authentication via PPP Link
(Figure: a TCP/IP PPP client connects over PSTN or
ISDN to a network access server; authentication
runs over the PPP link.)
  • PAP: Password Authentication Protocol
    • Cleartext, repeated password
    • Subject to eavesdropping and replay attacks
  • CHAP: Challenge Handshake Authentication
    Protocol
    • Secret password per remote user, held by both
      ends and never sent over the link
    • Challenge sent on link (random number)
    • Challenge can be repeated periodically to limit
      the time an attacker has on a hijacked session
    • The CHAP response is an MD5 hash of (identifier,
      secret, challenge), which authenticates the
      peer
    • Robust against sniffing and replay of the
      password itself; but a captured
      challenge/response pair allows offline guessing
      of a weak secret, and the server must store
      each secret in cleartext
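
The PAP and CHAP exchanges above, as an added example that is not from the deck: both sides' computations for CHAP (RFC 1994), the PAP payload for comparison, and the caveat the slide leaves out, that a sniffed challenge/response pair lets an attacker test guesses for a weak secret offline. The user name and secret are the slide's "student" / "validateme"; identifier handling is simplified to one outstanding challenge per identifier.

```python
"""Added example (not from the deck): a CHAP exchange per RFC 1994, the PAP
request it replaces, replay rejection, and offline guessing of a weak secret."""
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def pap_request(name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: the password itself, in cleartext."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password

class ChapAuthenticator:
    """The network access server. It must hold every peer's secret in
    cleartext to be able to recompute the response."""
    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}     # identifier -> challenge awaiting a response

    def challenge(self, identifier: int, nbytes: int = 16) -> bytes:
        value = os.urandom(nbytes)        # unpredictable and never reused
        self.pending[identifier] = value
        return value

    def check(self, identifier: int, name: bytes, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # a challenge is good for one response
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """What an eavesdropper can do with one captured exchange."""
    for guess in candidates:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None

def demo():
    nas = ChapAuthenticator({b"student": b"validateme"})
    ident = 1
    chal = nas.challenge(ident)                          # NAS -> peer: Challenge
    resp = chap_response(ident, b"validateme", chal)     # peer -> NAS: Response (secret stays local)
    accepted = nas.check(ident, b"student", resp)        # NAS -> peer: Success
    replayed = nas.check(ident, b"student", resp)        # same response again: no live challenge
    nas.challenge(ident)                                 # a fresh challenge ...
    stale = nas.check(ident, b"student", resp)           # ... makes the old response worthless
    guessed = offline_guess(ident, chal, resp, [b"password", b"letmein", b"validateme"])
    return accepted, replayed, stale, guessed

if __name__ == "__main__":
    print(pap_request(b"student", b"validateme"))  # the password, visible to any sniffer
    print(demo())                                   # (True, False, False, b'validateme')
```

The last element of demo() is the point of the caveat: CHAP keeps the secret off the wire, but it does not stop an eavesdropper from testing candidate secrets against what was captured, so the secret must be long enough to resist that.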

30
AAA with a Local Security Database
  1. User establishes a PPP connection with the NAS
  2. NAS prompts the user for username/password
  3. NAS authenticates the username and password in
     its local database
  4. NAS authorizes the user to access the network
     based on the local database
  5. NAS tracks user traffic and compiles accounting
     records as specified in the local database
31
Remote Alternatives: TACACS+ and RADIUS
  • Two different protocols used to communicate
    between the security server and a router, NAS, or
    firewall
  • CiscoSecure ACS supports both TACACS+ and RADIUS
  • TACACS+ remains more secure (it encrypts the
    whole packet body) and more scalable than RADIUS
  • RADIUS has a robust API and strong accounting
(Figure: a CiscoSecure ACS security server speaking
TACACS+ and RADIUS to a router, a network access
server and a firewall.)
32
TACACS+/RADIUS Comparison
  Feature              TACACS+                 RADIUS
  Functionality        Separates AAA           Combines authentication
                                               and authorization
  Transport protocol   TCP                     UDP
  Challenge/response   Bidirectional           Unidirectional
  Protocol support     Full support            No ARA, no NetBEUI
  Confidentiality      Entire packet body      Only the password is
                       encrypted               encrypted
(Figure: TACACS+ client and server for dial-in and
campus use; RADIUS client and server.)
33
Kerberos-Authenticated Server-Client System
  • Secret-key authentication protocol
  • Primary use is to authenticate users and the
    network services they use
  • Uses 40- or 56-bit DES for encryption and
    authentication (weak by today's standards)
  • Relies on a trusted third party, the key
    distribution center (KDC), for key distribution
  • Embodies the single login (single sign-on)
    concept
  • Expensive to administer; labor intensive


34
Problem: Internet Access Security Risks
  • Eavesdropping
  • Denial of service
  • Unauthorized access
  • Data manipulation
  • Session replay/hijacking
  • Rerouting attacks
  • Malicious destruction
  • Lack of legal IP addresses

(Figure: a web surfer on the Internet reaches,
through the perimeter router and firewall, a
bastion host running the web and FTP servers.)
35
Solution: Perimeter Router Security
  • Eavesdropping
    • Control TCP/IP services
    • IPSec encryption
  • Unauthorized access
    • Firewall and router AAA
    • ACL filtering
    • Lock-and-key security
  • Data manipulation
    • ACL filtering
  • Session replay
    • Control TCP/IP services
  • Rerouting attacks
    • Peer router authentication
    • Static routes
  • Denial of service
    • TCP Intercept
  • Malicious destruction
    • ACL filtering
  • Lack of legal IP addresses
    • NAT
    • PAT

36
What is a Firewall?
  • A firewall is a system designed to prevent
    unauthorized access to or from a private network.
  • Firewalls can be implemented in both hardware and
    software, or a combination of both.
  • Firewalls are frequently used to prevent
    unauthorized Internet users from accessing
    private networks connected to the Internet,
    especially intranets.
  • All messages entering or leaving the intranet
    pass through the firewall, which examines each
    message and blocks those that do not meet the
    specified security criteria.

37
Firewalls give a Security Perimeter Defense
38
What Do Firewalls Do?
  • Probably the most important thing to recognize
    about a firewall is that it implements an Access
    Control Policy.
  • If you don't have a good idea what kind of access
    you want to permit or deny, or you simply permit
    someone or some product to configure a firewall
    based on what they or it think it should do, then
    they are making policy for your organization as a
    whole.

39
What is a network firewall?
  • The actual means by which this is accomplished
    varies widely, but in principle, the firewall can
    be thought of as a pair of mechanisms
  • one which exists to block traffic, and
  • the other which exists to permit traffic
  • Some firewalls place a greater emphasis on
    blocking traffic, while others emphasize
    permitting traffic.

40
Packet-filtering Router
The packet-filtering rules allow a router to
permit or deny traffic based on a specific
service, since most service listeners reside on
well-known TCP/UDP port numbers. For example, a
Telnet server listens for remote connections on
TCP port 23 and an SMTP server listens for
incoming connections on TCP port 25.
41
Circuit-level gateway
42
Application-level Gateway
43
Proxy Servers
  • A proxy acts as a server to the client and as a
    client to the server
  • Proxies in effect break the connection into two
    separate connections
  • The client talks only to the proxy, and the
    server talks only to the proxy; the two never
    exchange packets directly
  • Proxy servers are application specific: to
    support a new protocol via a proxy, a proxy must
    be developed for it


44
Screened host firewall system (single-homed
bastion host)
  • Implements both a Network Level Firewall (Packet
    Filtering Router) and Application Level Firewall
    (Bastion Host)
  • Outside computers can only access the Bastion
    Host
  • Inside computers may or may not use the Bastion
    Host to access outside network resources

45
Screened host firewall system (dual-homed bastion
host)
  • Inside hosts are forced to use the proxy services
    of the Bastion Host to access Internet
  • IP forwarding is disabled on the Bastion Host
  • Outside computers are allowed to access only the
    Bastion Host or possibly the Information Server

46
Screened-subnet firewall system
  • Creates a DMZ Network
  • Two Packet Filtering Routers
  • Outside computers can only access the Bastion
    Host or Information Server
  • Inside computers can only access services using
    the Bastion host

47
A Connection Circumventing an Internet Firewall
48
Firewall Performance and Connectivity Issues
  • Firewalls add latency due to the processing at
    the firewall
  • Many services (such as NetMeeting or Net2Phone)
    might not work through a firewall
  • Try the Linux floppy-based firewall floppyfw


49
Eavesdropping and Session Replay: Control TCP/IP
Services
  • Block SNMP from the outside
    access-list 101 deny udp any any eq snmp
  • Disable proxy ARP (on each interface)
    no ip proxy-arp
  • Disable IP source routing
    no ip source-route
  • Disable echo, finger and the other small-server
    replies
    no service finger
    no service tcp-small-servers
    no service udp-small-servers


50
Eavesdropping: Network-Layer Encryption
(Figure: traffic from host A to the HR server is
encrypted; all other traffic, such as hosts B and D
talking to the e-mail server, travels in the clear.)
  • Encrypts traffic between specific networks,
    subnets, or address/port pairs
  • Specific to protocol, but media/interface
    independent
  • Need not be supported by intermediate network
    devices
  • Independent of intermediate topology

51
Unauthorized access, data manipulation, and
malicious destruction: Securing the Perimeter, Inbound
  • Filter packets with an internal address as source
    (anti-spoofing)
  • Filter packets with RFC-reserved (private,
    loopback, multicast) addresses as source
  • Filter bootp, TFTP, and traceroute
  • Allow inbound TCP only for connections initiated
    from the internal network
  • Allow all other incoming connections to DMZ
    servers only
(Figure: the perimeter router between the Internet
and the campus.)
52
Securing the Perimeter: Outbound
  • Allow out only packets with a source address in
    the internal network
  • Filter any other IP addresses that are not allowed
    out as defined by security policy
(Figure: the perimeter router between the campus and
the Internet.)
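
The inbound and outbound perimeter rules of the two slides above, as an added example that is not from the deck: a stateless packet filter with first-match semantics and an implicit deny, which is how a router ACL is evaluated. The address ranges (campus 192.0.2.0/24, DMZ 198.51.100.0/28) and the test packets are constructed; "established" is modelled the way a classic ACL does it, by TCP flags only, which is also the caveat the example illustrates.

```python
"""Added example (not from the deck): the perimeter ACLs of the two slides as
a first-match packet filter, with the stateless 'established' check."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.0.2.0/24")       # constructed campus network
DMZ = ipaddress.ip_network("198.51.100.0/28")          # constructed DMZ servers
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""       # TCP flags, e.g. "SYN" or "ACK"

    def __post_init__(self):
        self.src = ipaddress.ip_address(self.src)
        self.dst = ipaddress.ip_address(self.dst)

def in_any(addr, nets):
    return any(addr in n for n in nets)

def tcp_established(p):
    # A router ACL's "established" keyword: ACK or RST set. It is stateless,
    # so a crafted ACK-only packet passes; a stateful firewall tracks the handshake.
    return p.proto == "tcp" and ("ACK" in p.flags or "RST" in p.flags)

# (rule name, predicate, action); first match wins, implicit deny at the end.
INBOUND = [
    ("deny spoofed internal source", lambda p: p.src in INTERNAL, "deny"),
    ("deny reserved/private source", lambda p: in_any(p.src, RESERVED), "deny"),
    ("deny bootp/tftp", lambda p: p.proto == "udp" and p.dport in (67, 68, 69), "deny"),
    ("deny traceroute probes", lambda p: p.proto == "udp" and 33434 <= p.dport <= 33534, "deny"),
    ("permit established tcp to internal", lambda p: p.dst in INTERNAL and tcp_established(p), "permit"),
    ("permit to DMZ servers", lambda p: p.dst in DMZ, "permit"),
]
OUTBOUND = [
    ("permit internal sources", lambda p: p.src in INTERNAL, "permit"),
]

def evaluate(rules, packet):
    """Return (action, rule name) for the first matching rule, else the implicit deny."""
    for name, match, action in rules:
        if match(packet):
            return action, name
    return "deny", "implicit deny"

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.10", "192.0.2.20", "tcp", 23, "SYN"),     # spoofed campus address
                Packet("203.0.113.5", "192.0.2.20", "tcp", 1024, "ACK"),   # reply to an inside-initiated connection
                Packet("203.0.113.5", "192.0.2.20", "tcp", 23, "SYN"),     # new Telnet into campus: dropped
                Packet("203.0.113.5", "198.51.100.2", "tcp", 80, "SYN")):  # web request to a DMZ server
        print(evaluate(INBOUND, pkt))
```

Rule order matters: the anti-spoofing and reserved-source denies sit first so that a packet with a forged internal source can never reach the "established" permit, and the DMZ permit sits last so that the service-specific denies above it still apply to DMZ hosts.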
53
Lack of Legal IP Addresses: Perimeter Router NAT
(Figure: NAT on the perimeter router translates the
arbitrary, unregistered addresses of campus clients
to registered addresses on the Internet.)
  • Hides internal IP addressing
  • Internet-connected campus is independent of
    Internet address limitations
  • Internet access from unregistered clients without
    expensive renumbering


54
Perimeter Router PAT
(Figure: one registered IP address used for many
campus hosts.)
  • Provides additional IP address expansion
  • One IP address for up to about 64,000 concurrent
    translations (theoretical limit): each
    translation is distinguished by a 16-bit port
    number, so the limit is on simultaneous sessions,
    not on hosts
  • Remaps different port numbers to a single IP
    address
  • Secure: hides the source addresses of clients
    behind the perimeter router's single IP address;
    inbound packets with no matching translation are
    dropped
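
The PAT table above, as an added example that is not from the deck: a translator for a perimeter router with one registered address. It shows what PAT actually limits (concurrent translations, one per outside port, not hosts), how inside addresses stay hidden, and why an unsolicited inbound packet is dropped. The addresses and the three-port range are constructed; a real PAT keeps a separate port space per protocol and recycles ports when sessions end, both of which are omitted.

```python
"""Added example (not from the deck): a port address translation table with
outbound mapping, inbound reverse lookup, and port exhaustion."""

class PortAddressTranslator:
    def __init__(self, outside_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.outside_ip = outside_ip
        self.ports = iter(range(first_port, last_port + 1))   # free outside ports, handed out in order
        self.forward = {}    # (proto, inside_ip, inside_port) -> outside_port
        self.reverse = {}    # (proto, outside_port) -> (inside_ip, inside_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside->Internet packet. Returns the translated 5-tuple,
        or None when no outside port is left (the ~64,000 theoretical limit)."""
        key = (proto, src_ip, src_port)
        if key not in self.forward:
            outside_port = next(self.ports, None)
            if outside_port is None:
                return None
            self.forward[key] = outside_port
            self.reverse[(proto, outside_port)] = (src_ip, src_port)
        return (proto, self.outside_ip, self.forward[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an Internet->inside packet. Only a port with an existing
        translation reaches an inside host; anything else is dropped (None)."""
        if dst_ip != self.outside_ip:
            return None
        inside = self.reverse.get((proto, dst_port))
        if inside is None:
            return None
        return (proto, src_ip, src_port, inside[0], inside[1])

def demo():
    pat = PortAddressTranslator("203.0.113.1", first_port=40000, last_port=40002)  # 3 ports only
    out1 = pat.outbound("tcp", "10.1.1.5", 51000, "198.51.100.9", 80)
    out2 = pat.outbound("tcp", "10.1.1.6", 51000, "198.51.100.9", 80)   # same inside port, other host
    again = pat.outbound("tcp", "10.1.1.5", 51000, "198.51.100.9", 80)  # existing flow keeps its mapping
    reply = pat.inbound("tcp", "198.51.100.9", 80, "203.0.113.1", out1[2])
    unsolicited = pat.inbound("tcp", "198.51.100.9", 80, "203.0.113.1", 40002)   # no entry yet: dropped
    pat.outbound("udp", "10.1.1.7", 53000, "198.51.100.9", 53)          # uses the last free port
    exhausted = pat.outbound("tcp", "10.1.1.8", 51000, "198.51.100.9", 80)   # table full: dropped
    return out1, out2, again, reply, unsolicited, exhausted

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The "security" of PAT in the slide is entirely the reverse-lookup failure on the inbound path; it is a side effect of address sharing, not an access control policy, and does not replace the ACLs on the earlier slides.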

55
Rerouting Attacks: Routing Protocol Authentication
  • MD5 authentication secures routing updates: each
    update carries a keyed MD5 hash computed over the
    update and a shared secret, so a forged or
    modified update fails verification
  • This is a shared-secret keyed hash, not a
    public-key signature, despite the "signs" label in
    the figure
  • Supported routing protocols
    • OSPF
    • RIPv2
    • BGP
(Figure: one campus router signs its route updates;
the receiving router verifies the signature.)
56
Denial of Service Attacks: SYN Flooding
Description
  Client: SYN ("May I talk to you?")
  Server: SYN, ACK ("Yes"); the connection is now
          half-open and its backlog entry is held
          waiting for the final ACK
  Client: SYN, SYN, SYN ... (many more, to the same or
          other ports), never completing the handshake
  • Connection requests without the returning ACK
  • Server allocates resources (memory buffers,
    backlog slots) for each half-open request
  • Server runs out of resources: new connections are
    refused, or the server crashes or hangs


57
Solution: TCP Intercept
  1. Request intercepted
  2. Connection established
  3. Connection transferred
  • Tracks, intercepts, and validates TCP connection
    requests
  • Two modes: intercept (the router answers the SYN
    on the server's behalf and only opens the server
    connection once the client's handshake completes)
    and watch/monitor (the router lets connections
    through but resets those still half-open after a
    timeout)


58
IPSec: Interoperable Encryption and Authentication
59
Public Key Infrastructure
  • A Certificate Authority (CA) verifies identity and
    signs the digital certificate; the certificate is
    the equivalent of an ID card
  • Enables large-scale IPSec deployment
  • Interoperates with Baltimore, Netscape, and
    VeriSign OnSite for IPSec, and with Entrust VPN
    Connector


60
Cryptosystem
  • Data Encryption Standard (DES) to encrypt data
  • Digital Signature Standard (DSS) to ensure the
    identity of your peer
  • Diffie-Hellman to do key exchange securely
(Figure: a key "21@4Q" and cleartext go into the
Encrypt box; the output is the signed, encrypted
data.)
61
DES Encryption
(Figure: the clear message is encrypted with the
shared secret key, sent as the encrypted message,
and decrypted with the same shared secret key.)
  • Encryption turns cleartext into ciphertext
  • Decryption restores cleartext from ciphertext
  • Keys enable encryption and decryption; DES is a
    symmetric cipher, so both sides must hold the
    same secret key
  • Single DES (56-bit key) has been brute-forced in
    practice and has been superseded by 3DES and AES


62
DSS Signature Generation
(Figure: Router A, the routing update, a hash
function, and the resulting signature.)
  1. Router A hashes the routing update
  2. Router A signs the hash with its private key,
     creating the digital signature (the slide calls
     this "encrypting the hash with the private key";
     DSS actually derives the signature from the hash,
     the private key and a fresh random value, but
     the effect is the same: only the holder of the
     private key can produce it)
  3. Router A appends the signature to the routing
     update and sends both to router B
63
DSS Signature Verification
(Figure: Router B, the received signature and
routing update, and a hash function.)
  4. Router B separates the signature from the routing
     update
  5. Router B hashes the routing update
  6. Router B verifies the signature over that hash
     using router A's public key (the slide calls this
     "decrypting the signature to obtain the hash",
     which is the RSA picture; DSS verification checks
     an equation in the hash, the signature and the
     public key rather than recovering the hash)
  7. If verification succeeds, the signature is
     authentic: the update came from router A and was
     not altered in transit
64
Diffie-Hellman Key Agreement
  • Performs key exchange over an insecure channel:
    the two parties derive a shared secret K without
    ever sending it
  • On its own it is not authenticated; in this
    cryptosystem the exchanged public values are
    authenticated with DSS signatures (previous
    slides), otherwise an active attacker can sit in
    the middle of the exchange

  Alice: private value XA, public value YA = g^XA mod p
  Bob:   private value XB, public value YB = g^XB mod p
  Alice sends YA to Bob; Bob sends YB to Alice
  Alice computes K = (YB)^XA mod p
  Bob computes   K = (YA)^XB mod p
  Both obtain the same K = g^(XA*XB) mod p
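
The exchange above in the slide's own notation (XA, YA, XB, YB, p, K), as an added example that is not from the deck, followed by the attack that the missing authentication allows. The modulus is a toy: 2^127 - 1 is prime, but far too small and not a standard group; deployments use the RFC 3526 or RFC 7919 groups of at least 2048 bits. In the deck's cryptosystem YA and YB are signed with DSS, so the substitution shown in the second function would be detected.

```python
"""Added example (not from the deck): Diffie-Hellman with the slide's symbols,
and the man-in-the-middle that unauthenticated public values permit."""
import secrets

p = 2**127 - 1    # toy prime modulus (see lead-in); not a standard group
g = 3             # generator

def private_value():
    """X: a random exponent in [2, p-2]."""
    return secrets.randbelow(p - 3) + 2

def public_value(x):
    """Y = g^X mod p; this is the value sent over the wire."""
    return pow(g, x, p)

def shared_key(y_peer, x_own):
    """K = (Y_peer)^X_own mod p."""
    return pow(y_peer, x_own, p)

def exchange():
    """Honest run: both sides compute the same K without ever sending it."""
    XA, XB = private_value(), private_value()
    YA, YB = public_value(XA), public_value(XB)   # Alice sends YA, Bob sends YB
    K_alice = shared_key(YB, XA)                  # (YB)^XA mod p
    K_bob = shared_key(YA, XB)                    # (YA)^XB mod p
    return K_alice == K_bob

def man_in_the_middle():
    """Unauthenticated run: Mallory replaces both public values with her own.
    Each honest party now shares a key with Mallory, who can relay and read
    everything, while Alice and Bob hold different keys."""
    XA, XB, XM = private_value(), private_value(), private_value()
    YA, YB, YM = public_value(XA), public_value(XB), public_value(XM)
    K_alice = shared_key(YM, XA)      # Alice received YM, believing it to be YB
    K_bob = shared_key(YM, XB)        # Bob received YM, believing it to be YA
    K_mallory_with_alice = shared_key(YA, XM)
    K_mallory_with_bob = shared_key(YB, XM)
    return (K_alice == K_mallory_with_alice
            and K_bob == K_mallory_with_bob
            and K_alice != K_bob)

if __name__ == "__main__":
    print(exchange(), man_in_the_middle())   # True True
```

Nothing in the arithmetic tells Alice that YM is not Bob's value; only a signature on YB (or some other binding of the public value to Bob's identity) does, which is the job of DSS in this cryptosystem.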
65
MD5 Message Hash
(Figure: a clear message of any length goes through
the hash function and comes out as a fixed-length
hashed message.)
  • Variable-length input message
  • MD5 message-digest algorithm
  • Fixed-length (128-bit) hashed output message
  • Message hash used to check that the message has
    not been altered; on its own it catches only
    accidental changes, so against an attacker the
    hash must be keyed (as in CHAP and routing
    authentication) or signed (as with DSS)
  • Used with CHAP authentication and DSS
  • MD5 collisions are practical today; it should not
    be chosen for new designs

66
Virtual Private Networks
(Figure: the Internet carrying the private network.)
  • Creating a private network across the Internet
  • For confidentiality (privacy)
  • For non-TCP/IP protocols
  • For control of traffic

67
Company to Internet VPN Example
(Figure: a virtual private network between company
sites across the Internet.)

68
Tunneling Protocols
  • L2F: Layer 2 Forwarding (Cisco implementation)
  • PPTP: Point-to-Point Tunneling Protocol
    (Microsoft)
  • L2TP: Layer 2 Tunneling Protocol (under IETF
    review when this deck was written; later
    standardized as RFC 2661)
  • GRE: Generic Routing Encapsulation (Cisco
    implementation)
  • GRE and L2TP tunnels carry traffic but do not
    encrypt it; pair them with IPSec for
    confidentiality

69
What Is a Security Policy?
  • A security policy is a formal statement of the
    rules by which people who are given access to an
    organization's technology and information assets
    must abide. (RFC 2196, Site Security Handbook)

70
Why Create a Security Policy?
Reasons for a policy include its ability to
  • Audit the current network security posture
  • Set the framework for security implementation
  • Define allowed and not allowed behaviors
  • Help determine necessary tools and procedures
  • Communicate consensus and define roles
  • Define how to handle security incidents

71
What Should the Security Policy Contain?
  • Statement of Authority and Scope
  • Acceptable Use Policy
  • Identification and Authentication Policy
  • Internet Use Policy
  • Campus Access Policy
  • Remote Access Policy
  • Incident Handling Procedure

72
Example XYZ Network Security Policy
  • Intended Audience
  • Scope of Security Policy
  • Legal Authority of Security Policy
  • Policy Stakeholders Responsibilities
  • Network Administrator Responsibilities
  • Security Policy Maintenance Procedure
  • Implementation Procedure

73
Monitor and Maintain Security
Audit your system to maintain security
  • Patches and bug fixes
  • Policies and Procedures
  • New technology threats
  • Security Awareness
  • Incident Handling

74
Security Audit and Maintenance
  • Develop a solid site-security plan and security
    policies, including audits
  • Perform new system installation audits
  • Conduct regular system audits
  • Perform random audit checks
  • Conduct ongoing audits and maintenance
  • Conduct the audits with available audit tools

75
Improving the Security Posture
  • Monitor vendor websites for announcements about
    patches, maintenance releases, and new versions
  • Evaluate product changes in the lab environment
    before installing them in the enterprise
  • Perform regular and frequent analysis of attack
    profiles
  • Reconfigure the network as needed based on the
    analysis of attack profiles

76
Network Security Case Studies
(Figure: three security policies, open, restrictive
and closed, plotted against enterprise network
security and application security.)
77
Case 1: Open Security Policy
Permit everything that is not explicitly denied
  • Easy to configure and administer
  • Easy for network users
  • Security cost: $70 per desktop

78
Case 1: Open Security Policy (cont.)
Minimum enterprise security
(Figure: corporate HQ campus with a gateway router
to the Internet over a 56 kbps link and a public
server; a WAN router to a branch office over ISDN
through the public network; a network access server
for async and ISDN dial-in users.)
79
Case 1: Open Security Policy (cont.)
  • Authentication
    • PAP (remote clients and branch offices)
    • Passwords (campus and dial-in)
  • Access control
    • Access lists in WAN and gateway routers
    • No standalone firewalls
  • No encryption


80
Case 2: Restrictive Security Policy
Combination of specific permissions and specific
restrictions
  • More difficult to configure and administer
  • More difficult for network users
  • Security cost: $250 per desktop

81
Case 2: Restrictive Security Policy (cont.)
Medium enterprise security
(Figure: campus with a gateway router to the Internet
over a 56 kbps link and a public server; a WAN router
to a branch office over Frame Relay through the
public network; a network access server for async and
ISDN dial-in users; an AAA/token server.)
82
Case 2: Restrictive Security Policy (cont.)
  • Authentication
    • One-time passwords (dial-in and Internet)
    • Passwords (campus)
  • Access control
    • Access lists in WAN and gateway routers
    • Firewall between Internet and enterprise
  • Route authentication (branch offices and campus)
  • Encryption on branch office links


83
Case 3: Closed Security Policy
That which is not explicitly permitted is denied
  • Most difficult to configure and administer
  • Most difficult for network users
  • Security cost: $350 per desktop

84
Case 3: Closed Security Policy (cont.)
Maximum enterprise security
(Figure: campus with a gateway router to the Internet
over a T1 and a public server; a WAN router to a
branch office over Frame Relay through the public
network; a network access server for async and ISDN
dial-in users carrying smart cards; a certificate
authority.)
85
Case 3: Closed Security Policy (cont.)
  • Authentication
    • Digital certificates (dial-in, branch, and
      campus)
  • Access control
    • Access lists in WAN and gateway routers
    • Firewall between Internet and enterprise
  • Route authentication (branch offices and campus)
  • Encryption (dial-in, branch office, and some
    campus)


86
Case Study Summary