CSE2500 SYSTEM SECURITY - PowerPoint PPT Presentation

Provided by: bsrini
Transcript and Presenter's Notes

1
CSE2500 SYSTEM SECURITY & PRIVACY: Introduction to Computer Network Security
2
Layout
  • Network security: what is different from computer
    systems security?
  • Possible scenarios for network connections and
    their implications for security concerns
  • What is the principal mode of attack in networks,
    and how can you defend against it?
  • In which part of the network structure can we
    enforce security?
  • How can we do it efficiently?

3
What have we seen so far?
  • Authentication
  • Access control
  • Encryption
4
Internetwork Architecture?
(Diagram: a Server on the internetwork, reached by a Wired Stranger and a Wireless Stranger)
5
Services of the server are
  • Web servers
  • Email servers
  • FTP servers
  • Web and email servers
  • Web, email and FTP servers
  • Modem servers
  • Web, email, FTP and modem servers
  • Web, email, file servers
  • Etc.

6
Consider web server
  • What is the authentication here?
  • What is the access control here?
  • If these do not apply, what is the issue with
    respect to security?

7
Recap Security Attacks - Taxonomy
  • Interruption: attack on availability
  • Interception: attack on confidentiality
  • Modification: attack on integrity
  • Fabrication: attack on authenticity
  The availability (and confidentiality) property needs
  to be preserved; how can it be threatened?

8
Model for network security
(Diagram: a Gate Keeper guarding the Information channel between the communicating parties)
9
Attacks are
  • Snooping or sniffing: the attacker observes network
    traffic without disturbing the transmission
    (passive)
  • e.g. snooping for passwords
  • Sniffing software works by placing a system's
    network interface into promiscuous mode.

10
Attacks are
  • Denial of service: makes the server inoperative
    or inefficient
  • e.g. ping (of death), attack by flooding

11
ICMP ECHO Flooding
(Diagram: the Hacker on a T-1 Link floods the Server on a 128K Link through the INTERNET with Packets 1 to n)
  • Ping Attack
  • The Hacker sends an ICMP Echo request to the
    target, expecting an ICMP Echo reply to be
    returned for each request.
  • The hacker, because of the high bandwidth, can
    send more requests than the target can handle.
  • Countermeasures
  • No known defense

12
TCP SYN Flooding
(Diagram: SYN packets flooding the Target Host)
13
SYN Attack
  • Attack method
  • Most hosts will only support 8-16 simultaneous
    communication channels.
  • The Hacker sends a sequence of SYN packets. Each
    SYN packet (about 120 per second) has a different
    and unreachable IP address.
  • This consumes all the communication channels and
    results in a denial of any TCP-based service.
  • Countermeasure: expand the number of ports,
    reduce the time-out period, validate TCP request
    packets.

14
Attacks are
  • Impersonation: stealing the identity of someone,
    so that the other party thinks that you are the
    true identity

15
Impersonation
  • Authentication at the IP layer is concerned with
    the identity of computer systems.
  • IP addresses are software configurable and the
    mere possession (or fraudulent use) of one
    enables communication with other systems.
  • Two such techniques to do this are
  • address masquerading
  • address spoofing

16
Address Masquerading
17
Address Spoofing
  • Also known as the TCP sequence number attack.
  • First we need to understand how the three-way TCP
    handshake protocol works.
  • A handshake is an assertion that indicates one
    party's readiness to send or receive data. When
    two systems share a hardware connection, a two-way
    handshake is enough.
  • Since TCP rides on IP, an unreliable,
    connectionless protocol, a three-way handshake
    is required.

18
Handshake in TCP
Machine A -> Machine B: SYN, ISN A
Machine B -> Machine A: SYN, ISN B, ACK(ISN A + 1)
Machine A -> Machine B: ACK(ISN B + 1)
Application Data
SYN = synchronize request; ISN = initial sequence
number; ACK = acknowledgement for the ISN
19
TCP CONNECTION
(Diagram: THREE-WAY CONNECTION between CLIENT and SERVER)
Segment 1 (client -> server): SYN=1 ACK=0 seq 141521 win 4096 <mss 1024>
Segment 2 (server -> client): SYN=1 ACK=1 seq 181521 ack 141522 win 4096 <mss 1024>
Segment 3 (client -> server): SYN=0 ACK=1 ack 181522
  • Segment 1 shows the client sending a SYN segment
    with an Initial Sequence Number of 141521. The
    ISN is randomly generated. This is called an
    Active Open. The field win 4096 shows the
    advertised window size of the sending station,
    while the field <mss 1024> shows the maximum
    segment size the sender is prepared to receive.
    SYN=1, ACK=0.
  • Segment 2 shows the server responding with a SYN
    segment of 181521 and ACKnowledging the client's
    ISN with ISN+1. This is called a Passive Open.
    SYN=1, ACK=1.
  • Segment 3 shows the client responding by
    ACKnowledging the server's ISN with ISN+1.
    SYN=0, ACK=1.
  • Data can now be transmitted.
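The exchange above, as an added example that is not part of the original slides: a small model of the three-way handshake driven by the segment values the slide shows (client ISN 141521, server ISN 181521). It also contains the check the server applies to segment 3, which is the step the later address-spoofing slides depend on. Sequence and acknowledgement numbers are 32-bit, so the "+1" arithmetic is done modulo 2**32.

```python
# Added example, not from the slides: a minimal model of the TCP three-way
# handshake using the segment values shown above (client ISN 141521,
# server ISN 181521). Sequence/acknowledgement numbers are 32-bit, so the
# "+1" arithmetic wraps modulo 2**32.
from dataclasses import dataclass
from typing import Optional

MOD = 2 ** 32


@dataclass(frozen=True)
class Segment:
    syn: int                  # SYN flag
    ack: int                  # ACK flag
    seq: int                  # sequence number carried by the segment
    ack_num: Optional[int]    # acknowledgement number (None when ACK=0)


def active_open(client_isn: int) -> Segment:
    """Segment 1: the client's SYN carrying its ISN."""
    return Segment(syn=1, ack=0, seq=client_isn % MOD, ack_num=None)


def passive_open(seg1: Segment, server_isn: int) -> Segment:
    """Segment 2: the server's SYN with its own ISN, acknowledging ISN_A + 1."""
    if seg1.syn != 1 or seg1.ack != 0:
        raise ValueError("segment 1 must be a pure SYN")
    return Segment(syn=1, ack=1, seq=server_isn % MOD, ack_num=(seg1.seq + 1) % MOD)


def final_ack(seg1: Segment, seg2: Segment) -> Segment:
    """Segment 3: the client acknowledges ISN_B + 1; its own seq is now ISN_A + 1."""
    if seg2.ack_num != (seg1.seq + 1) % MOD:
        raise ValueError("server did not acknowledge our ISN")
    return Segment(syn=0, ack=1, seq=(seg1.seq + 1) % MOD, ack_num=(seg2.seq + 1) % MOD)


def server_accepts(seg2: Segment, seg3: Segment) -> bool:
    """The check the server applies to segment 3 before the connection is
    established: the acknowledgement must be exactly ISN_B + 1."""
    return seg3.syn == 0 and seg3.ack == 1 and seg3.ack_num == (seg2.seq + 1) % MOD


def three_way_handshake(client_isn: int, server_isn: int):
    """Run the exchange and return the three segments in order."""
    seg1 = active_open(client_isn)
    seg2 = passive_open(seg1, server_isn)
    seg3 = final_ack(seg1, seg2)
    assert server_accepts(seg2, seg3)
    return [seg1, seg2, seg3]


if __name__ == "__main__":
    for i, s in enumerate(three_way_handshake(141521, 181521), 1):
        print(f"Segment {i}: SYN={s.syn} ACK={s.ack} seq={s.seq} ack={s.ack_num}")
```

Running the block prints the three segments with the same numbers as the slide (ack 141522 in segment 2, ack 181522 in segment 3). The `server_accepts` function is the whole reason ISN secrecy matters: a party that never sees segment 2 can only satisfy it by guessing ISN_B.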

20
Address Spoofing
  • Consider C (an intruder) who wants to impersonate
    the sender (say A). How?
  • Intruder C knows that B (the receiver) trusts A's
    users and lets them execute commands through, say,
    the rsh (remote shell) service without requiring
    a password.
  • C will not receive a single datagram in response
    from B, whose replies will be routed to the real,
    but unavailable, A.
  • C now somehow needs to predict the ISN of B that
    B would tell A during the handshake.

21
How to get the ISN?
  • The ISN is a 32-bit clock that increases
    systematically with time.
  • If the clock increment is predictable and an
    attacker can see the value of any one ISN, he
    can probably predict the value of the next, or a
    soon subsequent, ISN with accuracy.
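The "32-bit clock" behaviour described above is something an assessor can measure on a host rather than assume, so here is an added example (not from the slides) that does so. It models two ISN generators, a constant-rate clock and a random one, samples each as an observer opening connections at a fixed interval would, and flags the generator whose increments are regular. The clock rate, the 1% tolerance and the random seed are assumptions chosen for the illustration.

```python
# Added example, not from the slides: an assessment check for the
# "32-bit clock" ISN generator described above. Given ISNs observed from
# successive connections opened at a fixed interval, it measures how regular
# the increments are. A constant increment makes the next ISN predictable;
# a generator drawing ISNs at random does not pass the check.
import random
import statistics

MOD = 2 ** 32


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32 (the clock wraps)."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess_isn(isns, tolerance=0.01):
    """Return (predictable, predicted_next).

    'predictable' is True when every increment lies within `tolerance`
    (a fraction of the mean increment; the 1% default is an assumption) of
    the mean, i.e. the generator behaves like a constant-rate clock. The
    prediction is simply the last ISN plus the mean increment.
    """
    if len(isns) < 3:
        raise ValueError("need at least three observations")
    deltas = isn_deltas(isns)
    mean = statistics.mean(deltas)
    spread = max(abs(d - mean) for d in deltas)
    predictable = mean > 0 and spread <= tolerance * mean
    return predictable, (isns[-1] + round(mean)) % MOD


def clock_isn(start, rate_per_second):
    """Model of the old behaviour: ISN = start + rate * elapsed seconds."""
    return lambda t: (start + int(rate_per_second * t)) % MOD


def random_isn(seed):
    """Model of the modern behaviour: each ISN is an independent 32-bit value."""
    rng = random.Random(seed)
    return lambda t: rng.getrandbits(32)


def observe(generator, interval_s, count):
    """ISNs seen when opening `count` connections every `interval_s` seconds."""
    return [generator(i * interval_s) for i in range(count)]


if __name__ == "__main__":
    clock = observe(clock_isn(181521, 128000), 1.0, 5)   # 128000/s is an assumed rate
    print(clock, assess_isn(clock))
    rnd = observe(random_isn(7), 1.0, 5)
    print(rnd, assess_isn(rnd))
```

For the clock generator the check reports the generator as predictable and names the ISN the next connection will get; for the random generator the increments are scattered across the whole 32-bit range and the check reports it as not predictable. A real assessment would sample a live host the same way, with the caveat that network jitter adds noise to the timing, which is why a tolerance rather than an exact comparison is used.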

22
Predictable ISN can lead to
  • After learning the ISN, wait for A to go down (say
    for maintenance), which is easy to detect (say by
    ping); then
  • C sends B a counterfeit IP datagram containing
    its SYN and ISN; B receives this and believes it
    to have originated from A.
  • B replies with a SYN, its own ISN and an
    acknowledgement of C's ISN (this reply is routed
    inconsequentially to A, who is still unavailable
    to receive it).
  • C meanwhile predicts and acknowledges B's ISN.
    It follows with an rsh command that coaxes B to
    give the attacker easier access from his true
    location.
  • C has successfully opened a TCP connection and
    executed a command on B without ever having
    received a single byte in return from B. It
    simply acted as if it had, enabled by B's
    predictable ISN.

23
Method of defense
  • Avoid reliance on address-based authentication
    and trust mechanisms (like those used by rsh).
  • Use a screening router, a device that can
    intelligently filter network packets based on
    configurable rules. Although this cannot prevent
    spoofing itself, it can prevent:
  • Inbound attacks that originate from external
    networks (by discarding incoming datagrams with a
    source address belonging to the internal address
    range)
  • Outbound attacks that originate inside your
    own network (by discarding outgoing datagrams with
    a source address from an external network).
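The two screening-router rules just listed, as an added example that is not part of the slides: a function that decides accept or drop from the interface a packet arrived on and its source address, run over a constructed set of packets. The internal range 10.1.0.0/16 and the interface names are assumptions; a real screening router expresses the same two rules in its own configuration syntax.

```python
# Added example, not from the slides: the two screening-router rules above,
# applied to constructed packets. The internal address range 10.1.0.0/16 and
# the interface names are assumptions.
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed internal range


def is_internal(address: str) -> bool:
    return ipaddress.ip_address(address) in INTERNAL_NET


def screen(interface: str, src: str, dst: str) -> str:
    """Decide 'accept' or 'drop' for a packet arriving on `interface`.

    'external': the packet comes from the Internet side (inbound).
    'internal': the packet comes from our own network (outbound).
    """
    src_internal = is_internal(src)
    if interface == "external" and src_internal:
        # Inbound datagram claiming an internal source: cannot be genuine.
        return "drop"
    if interface == "internal" and not src_internal:
        # Outbound datagram with a foreign source: one of our hosts is spoofing.
        return "drop"
    return "accept"


def screen_all(packets):
    """Apply the rules to (interface, src, dst) tuples and return the decisions."""
    return [screen(iface, src, dst) for iface, src, dst in packets]


# Constructed traffic sample: two legitimate packets and two spoofed ones.
PACKETS = [
    ("external", "203.0.113.9",  "10.1.5.20"),    # normal inbound
    ("external", "10.1.5.7",     "10.1.5.20"),    # inbound, spoofed internal source
    ("internal", "10.1.5.20",    "203.0.113.9"),  # normal outbound
    ("internal", "198.51.100.4", "203.0.113.9"),  # outbound, spoofed external source
]

if __name__ == "__main__":
    for packet, decision in zip(PACKETS, screen_all(PACKETS)):
        print(decision, packet)
```

Note what the rules do not cover: an external attacker spoofing some other external address passes the inbound rule, which is why the slide says the router cannot prevent spoofing in general, only the two cases where the claimed source is impossible for the interface it arrived on. Logging the dropped packets gives the defender a useful signal that someone is attempting exactly the attack on the previous slides.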

24
Attacks are
  • Relaying: a message is relayed to another host,
    which accepts it as if it came from a trusted source.
  • Example: transfer of password files in
    networked Unix systems.

25
Message alteration
  • Message means the payload of the IP datagram; the
    router performs routine modifications to the IP
    datagram header, and sometimes fragments a
    datagram into several smaller ones (when the
    length exceeds a limit allowed by the underlying
    data link layer).
  • Such routine changes are no reason to suspect
    message alteration, but techniques such as
    checksums are not sufficient to detect it.
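An added example (not from the slides) of why a checksum is not sufficient against deliberate alteration: the Internet checksum is a ones'-complement sum of 16-bit words, so any rearrangement of whole words leaves it unchanged, while a keyed MAC over the same payload does change. The payload, the word positions swapped and the key are constructed values; HMAC-SHA-256 stands in for whatever integrity mechanism a real protocol would use.

```python
# Added example, not from the slides: why a checksum alone does not protect a
# payload against deliberate alteration. The Internet checksum (RFC 1071) is
# a ones'-complement sum of 16-bit words, so exchanging two whole words leaves
# it unchanged; a keyed MAC (HMAC-SHA-256 here) does detect the change. The
# payload and key are constructed values.
import hashlib
import hmac
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; an odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange the i-th and j-th 16-bit words of `data` (even length)."""
    words = list(struct.unpack("!%dH" % (len(data) // 2), data))
    words[i], words[j] = words[j], words[i]
    return struct.pack("!%dH" % len(words), *words)


def checksum_detects(original: bytes, altered: bytes) -> bool:
    return internet_checksum(original) != internet_checksum(altered)


def mac_detects(key: bytes, original: bytes, altered: bytes) -> bool:
    tag = hmac.new(key, original, hashlib.sha256).digest()
    return not hmac.compare_digest(tag, hmac.new(key, altered, hashlib.sha256).digest())


ORIGINAL = b"to:0042,amt:0100"          # constructed 16-byte payload
ALTERED = swap_words(ORIGINAL, 2, 6)    # account and amount digits exchanged
KEY = b"constructed-shared-key"


if __name__ == "__main__":
    print(ALTERED, hex(internet_checksum(ORIGINAL)), hex(internet_checksum(ALTERED)))
    print("checksum detects:", checksum_detects(ORIGINAL, ALTERED))
    print("HMAC detects:", mac_detects(KEY, ORIGINAL, ALTERED))
```

The altered payload reads "to:0012,amt:0400", a different account and amount, yet its checksum is identical to the original's because addition is commutative. The checksum does its intended job, catching accidental corruption in transit, but integrity against an adversary needs a key the adversary does not hold.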

26
Message Delay and Denial
  • By gaining unauthorised control of a router or
    routing host, then modifying executable code or
    the routing and screening rules used by the code.
  • Need to apply proper authentication and access
    mechanisms to the routing systems.
  • By overwhelming a routing device, or one of the
    communication end systems, with an inordinate
    amount of network traffic.
  • Easy to detect but difficult to prevent!

27
By Blocking (or Screening)
(Diagram: traffic at the screening point, labelled Accepted, Blocked, Accepted, Blocked)
28
Network Communication: OSI Reference Model
Application related services:
  • Application (7): application programs that use the network
  • Presentation (6): standardise data representation to the application layer
  • Session (5): manage sessions between applications
  • Transport (4): provide end-to-end error detection and correction
Network related services:
  • Network (3): manage connections across the network
  • Data Link (2): provide reliable delivery across physical links
  • Physical (1): define characteristics of media
29
Generic Message Format
Recipient Identity | Message Length | Sender Identity | Message Data
30
Internet TCP/IP Model
  • Application: programs (X window, mobile agents, Web
    applications, Email)
  • Sockets
  • Transport (TCP, UDP): table of addresses, data and
    algorithms to perform reliability checks
  • Network (IP): table of addresses and algorithms for
    handling the routing of data
  • Physical: digital signal (0, 1)
31
Network Layer IP Datagram format (for reference)
Version (4-bit) | Header length (4-bit) | Type of service (8-bit) | Total length (16-bit)
Identification (16-bit) | Flags (3-bit) | Fragment offset (13-bit)
Time to live (8-bit) | Protocol (8-bit) | Header checksum (16-bit)
32
TCP segment (for reference)
Source port number (16-bit) | Destination port number (16-bit)
Sequence number (32-bit)
Acknowledgement number (32-bit)
Header length (4-bit) | Reserved (6-bit) | Flags (6-bit) | Window size (16-bit)
TCP checksum (16-bit) | Urgent pointer (16-bit)
Options (if any) and padding
Data (variable length)
33
UDP datagram (for reference)
Source port number (16-bit) | Destination port number (16-bit)
Length (16-bit) | Checksum (16-bit)
Data (variable length, if any)
34
Possible methods
  • Simple denial of requests through a firewall
  • useful to prevent address spoofing and masquerading
  • Software tailored to each of the network
    services, called wrappers
  • application-oriented functionality can be
    implemented

35
Firewalls
  • A screening router (also called packet
    filtering) is an example of a firewall.
  • We will look at the firewalls in more detail in
    another subject.

36
SMTP ROUTING
SMTP Routing
  1. Route incoming/outgoing mail to the Bastion Host.
  2. Use the Exterior Router to restrict connections from
     external hosts to the Bastion Host.
  3. Use the Interior Router to restrict connections from
     the Bastion Host to specific internal servers.
  4. Internal systems send mail to the Bastion Host.
(Diagram: an External SMTP Server / SMTP Sender/Recipient on the INTERNET; the FIREWALL is made up of the Exterior Router, a Perimeter Network holding the Bastion Host, and the Interior Router; behind it the Internal Network with the SMTP Client and the Inside SMTP Server)
37
TCP Wrapper
  • The TCPWrapper is a utility program that can be
    "wrapped" around existing servers connected to
    the Internet.
  • A firewall can be placed between your internal
    network and the Internet to protect the entire
    internal network.
  • The TCPWrapper is placed on an internal server
    and protects the services of that machine.
  • The combination of firewall and TCPWrapper
    provides defense in depth.
  • The TCPWrapper was written by Wietse Venema and
    is used for
  • logging requests for service made through
    /etc/inetd.conf
  • and intercepting and controlling TCP services
    that are started by /etc/inetd.conf.

38
TCP Wrapper
(Diagram: the TCP Wrapper sitting in front of the Internal Server)
39
TCP Wrapper Operation
  • The TCPWrapper is installed on the internal
    server and inetd is configured to run the TCPWrapper,
    tcpd, instead of the real server.
  • inetd is the Internet protocol starter program
    that, upon detecting a service request, forks a
    process directly to the requested service.
  • tcpd is the TCPWrapper program that receives
    control from inetd when an internal server has
    been "wrapped". tcpd evaluates the request
    against two TCPWrapper configuration files:
  • /etc/hosts.allow tells tcpd which hosts to allow
    connections from.
  • /etc/hosts.deny tells tcpd to deny connections
    from the hosts listed there.
  • If no match is found, the connection is allowed.
  • tcpd completes its function, then transfers
    control to the requested service.
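The decision order just described (hosts.allow first, then hosts.deny, otherwise allow), as an added example that is not part of the slides or of Wietse Venema's tcpd: a small simulation run over two constructed rule files. It handles only a subset of the real hosts_access(5) pattern syntax (ALL, a daemon name, an exact host or address, a leading-dot domain suffix and a trailing-dot address prefix); the daemon names, hostnames and addresses are constructed.

```python
# Added example, not from the slides: a simulation of the tcpd decision order
# described above (hosts.allow first, then hosts.deny, otherwise allow), run
# over constructed rule files. Only a subset of the real hosts_access(5)
# pattern syntax is handled; all names and addresses are constructed.
ALLOW_TEXT = """
# constructed /etc/hosts.allow
in.ftpd : 10.1.
ALL : .internal.example
"""

DENY_TEXT = """
# constructed /etc/hosts.deny
ALL : ALL
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(
            ([d.strip() for d in daemons.split(",")],
             [c.strip() for c in clients.split(",")])
        )
    return rules


def client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # domain suffix, e.g. .internal.example
        return host.endswith(pattern)
    if pattern.endswith("."):          # address prefix, e.g. 10.1.
        return addr.startswith(pattern)
    return pattern in (host, addr)     # exact hostname or address


def rules_match(rules, daemon, host, addr):
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
            client_matches(c, host, addr) for c in clients
        ):
            return True
    return False


def tcpd_decision(daemon, host, addr, allow_text=ALLOW_TEXT, deny_text=DENY_TEXT):
    """Order of evaluation used by tcpd: allow file, deny file, default allow."""
    if rules_match(parse_rules(allow_text), daemon, host, addr):
        return "allow"
    if rules_match(parse_rules(deny_text), daemon, host, addr):
        return "deny"
    return "allow"   # no match in either file: the connection is allowed


if __name__ == "__main__":
    for req in [("in.ftpd", "ws7.internal.example", "10.1.2.3"),
                ("in.telnetd", "host.example.net", "203.0.113.5")]:
        print(req, tcpd_decision(*req))
```

The last return is the point the slide makes: with an empty hosts.deny, every unmatched request is allowed, which is why a default-deny "ALL : ALL" line in hosts.deny is the usual way to get the behaviour a firewall administrator expects. The hostname passed in is also only as trustworthy as the double-reverse DNS lookup on the next slide makes it, which is why the address-prefix form of rule is the safer one.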

40
TCP Wrapper Operation
(Diagram: a request from an External User)
41
TCP Wrapper Functions
  • The TCPWrapper performs the following functions
    upon assuming control from inetd.
  • Compares the incoming hostname and requested
    service with the previously created hosts.allow and
    hosts.deny files.
  • Performs a double-reverse lookup of the IP
    address to make sure the DNS entries for the IP
    address match the hostname.
  • Logs the result with syslog. This provides a way
    to log services that are normally not logged,
    e.g., finger and systat.
  • Optionally runs a command, e.g., runs finger to get
    a list of users on the connecting client
    computer.
  • Optionally substitutes a different version of the
    requested service daemon, e.g., the calling host
    may require a special extended service.
  • Optionally sends a banner to the connecting
    client.
  • Passes control of the connection to the real
    network daemon, or
  • rejects the connection without providing a service.

42
Possible connections Security?
(Diagram: a Firewall (optional) between the network and a Wired Stranger and a Wireless Stranger)
43
Possible connections Security?
(Diagram: Your systems and Production Servers behind a firewall; a Wired stranger and a Wireless stranger outside)
44
Possible connections Security?
(Diagram: Your systems and Production Servers behind a firewall; a Wired stranger outside)
45
Possible connections Security?
(Diagram: Web Servers on a LAN/WAN, a firewall, and Back end Data Servers on a separate LAN/WAN)
46
Possible connections Security?
(Diagram: Web Servers and Business Integration systems on a LAN/WAN, a firewall, and Back end Data Servers and Business Applications on a separate LAN/WAN, with Mobile users)