NETWORK SECURITY

1
NETWORK SECURITY
Source Wired
2
Computer and Network Attack Taxonomy
Attackers Tools Access Access Access Access Results Results Objectives
Hackers User Command Implementation Vulnerability Unauthorized Access Process Files Corruption of Information Corruption of Information Challenge, Status
Spies Script or Program Design Vulnerability Unauthorized Use Data in Progress Disclosure of Information Disclosure of Information Political Gain
Terrorists Autonomous Agent Configuration Vulnerability Theft of Service Theft of Service Financial Gain
Corporate Raiders Toolkit Denial-of-Service Denial-of-Service Damage
Professional Criminals Distributed Tool
Vandals Data Tap
Time
Source Dissertation of John D. Howard, CMU, 1997
3
Group Task

• Get together on groups of 3-5 people
• Discuss an attack that one of your group members
  have experienced or heard about
• For that attack, mark within which cells the
  attack belongs
• Five minutes

4
Securing Resources
5
Threats to Security

• Physical security
• Access Security
• Unauthorized access into a computer
• Tapping into a data communications line
• Personnel
• Misuse by authorized personnel
• Natural Disaster
• Computer Viruses, Worms, Logic Bombs.
• Denial of Service Attacks

6
Security concepts/terminology

• Need to address following issues
• Secrecy/Privacy guarantee that information given
  will not be misused
• Authenticity data provided to user must be
  authentic (i.e., is it really coming from X?)
• Integrity data stored in system must not be
  corrupted.
• Non-repudiation A mechanism which prevents a
  user from denying a legitimate, billable charge.

7
Phishing
8
Which one would YOU trust?
9
Denial of Service -- UDP Flood Attack
Target System 1
Kai Larsen UDP Chargen TCP chargen server sends
a continual stream of characters until the client
terminates the connection UPD chargen servers
send a datagram containing a random number of
characters in response to each datagram sent by
a client
Hackers System
Target System 2
10
Denial of Service DNS Flood
DNS
Kai Larsen UDP Chargen TCP chargen server sends
a continual stream of characters until the client
terminates the connection UPD chargen servers
send a datagram containing a random number of
characters in response to each datagram sent by
a client
Hackers System
Target System
11
Denial of Service -- Smurf Attack
12
What to do about DOS Attacks

• Implement router filters
• Install patches
• Disable any unused or unneeded network services.
  
• Observe your system performance and establish
  baselines for ordinary activity. Use the baseline
  to gauge unusual levels of disk activity, CPU
  usage, or network traffic.
• Maintain multiple IP addresses, and redundant and
  fault tolerant network connections, and "hot
  spares.
• An excellent (and short) paper on DOS Attacks is
  located here.

13
User Identification and Authorization

• Passwords
• kept in encrypted file
• should be changed frequently
• automatic expiration
• Ultra-sensitive applications
• layered IDs (passwords at several levels)
• user profiles (restrictions on who can do what)
• access levels (read, write, execute, purge)
• combining menus and user profiles (let user see
  only those options available to her)

14
Time and Location Restrictions

• Establish time intervals during which transaction
  is allowed
• Certain transactions can run only from certain
  locations
• attach applications to terminals
• maintain terminal profile

• Additional precautions on switched ports with
  dial-in access
• call-back unit
• restricted hours
• safeguard telephone numbers
• manual authentication in high security
  installations

15
Other Methods

• Recognizing unauthorized access attempts
• after 3 failed attempts disallow log-in for 5
  minutes
• permit fake log-in after several failed attempts
• Automatic log-off
• log off anybody with no activity for 10 minutes
• authentication for every transaction
• Transaction logs
• every log-in is logged (date, time user id,
  unsuccessful attempts, terminal id, location)
• No method is foolproof. These are delaying
  tactics.

16
Securing Communications
Setting Europe Time 1940-45 How?
17
Data Encryption

• Symmetric Key Cryptography
• Data encryption standard (DES), Bureau of
  standards (based on symmetric key)
• 56-bit encryption key (now available in longer
  keys)
• uses 16 iterations of rearrangement and
  substitution combinations
• Its 72-quadrillion combinations were broken in
  1997 by a group using distributed computing
  (14,000 computers) lead by Colorado programmer
  Rocke Verser
• Public Key cryptography
• (the other approach, covered later)

18

• 31798603996994715581310583186337934867429744958612

19
How much is?
1 Billion
30 bits (9 zeros)
Source http//www.kokogiak.com/ megapenny/default
.asp
20
How much is?
10 Billion
40 bits (12 zeros)
21
How much is?
1 Quadrillion
50 bits (15 zeros)
22
How much is?
1 Quintillion
60 bits (18 zeros)
23
How much is?
1 Octillion
128 bits (38 zeros)
Previous collection (enlarged for your benefit)
24
How much is?
Number of pennies that can fit inside the Universe
300 bits (90 zeros)
Thanks to Alexander Voronovich for help with
calculation
25

• RSA Laboratories currently recommends key sizes
  of 1024 bits for corporate use and 2048 bits for
  extremely valuable keys like the root key pair
  used by a certifying authority

2048 bits (616 zeros)
Source http//www.rsasecurity.com/rsalabs/node.as
p?id2218 Downloaded 04/06/06
26
Symmetric Key Encryption
Encrypted message DSPEZHKE
27
Data encryption based on symmetric key (A very
old method)

• Divide plain text into groups of 8 characters.
  Pad with blanks at end (if necessary)
• Select an 8-character key
• Rearrange plain text by interchanging adjacent
  characters (first with second, third with fourth)
• Translate each character into a number (A-1, B-2,
  C-3, ....., Z-26, blank-0)
• Add the numbers of the key (Step 2) to the
  results of above step.

28
Data encryption based on symmetric key(contd.)

• Divide each sum by 27 and keep remainder
• Translate remainder back into character to yield
  the cipher text.
• At the receiving end
• Perform the reverse operation (i.e., the same
  set of steps in reverse order) to restore the
  original text.

29
Example

• DATA _COM
• ADATC_MO rearrange characters
• 01 04 01 20 03 00 13 15
  translate
• 16 18 15 20 15 03 15 12
  key vals.
• 17 22 16 40 18 03 28 27
  sum
• 17 22 16 13 18 03 01 00
  mod 27
• Q V P M R C A _
  result

30
PAP Direct Password (Password authentication
protocol)
Its me, and heres my PASSWORD.
Carrier Services
Remote LAN Access Server
LAN

• Simple password access
• Vulnerable to snooping

(Source Ascend Corp)
31
CHAP Secured Password Exchange (Challenge
authentication protocol)
?
Carrier Services

• Uses challenge-based encrypted password
• Makes snooping much less effective

(Source Ascend Corp)
32
Token

• 3. Token device
• generates one-
• time password

password
Token Device

• Several types of token systems
• Token generates exclusive one-time password
• Requires possession of token device and PIN

Source Ascend Corp.
33
Kerberos
Kerberos
TGS
2
3
4
1
4
Server
Client
5
Description of Protocol Step 1. The Client
sends the Kerberos server a request for a ticket
to the Ticket Granting Service (TGS). Step
2. The Kerberos server returns a TGS ticket
encrypted with the user's password. If the user
types in the correct password, the ticket is
decrypted to get tickets from the TGS for various
services. Step 3. The Client sends a
request to the TGS for a ticket to a service such
as telnet on a particular host. Included in this
message is the Kerberos ticket establishing the
Client's identity. This message is encrypted
using a session key which is included in the TGS
ticket. Step 4. The TGS returns a session
key for use between the Client and the service as
well as a ticket which is used to convince the
Server that the Client is authorized to use this
service. The session key is also sent to the
Server. Step 5. Client uses the ticket and
the session key to communicate with the server.
34
Public Key Cryptography (A brilliant idea
proposed in 1976)
35
Generating Keys
Public Key
Private Key
36
Example Public Key
-----BEGIN PGP PUBLIC KEY BLOCK----- Version
PGPfreeware 7.0.3 for non-commercial use
lthttp//www.pgp.comgt mQGiBDvxSuQRBADwvXMXRZBlJpz
ja9Dc3LVjxORM5tWsrPfQdVca2ATYXuFlq/d WdQzyvtc02e4R
pTBeeA/X3UCtAhDxKN1QxB08qosV0tQ4XLmwcbazBsZySJQRv2
S 0CygJiNltxZgCk4KVciZHQzXW3OU8UKU7fTsUHkw9qhu1dF
cXoVyqj1PQCg/5u 8zconmVM7z0ivM9y0us9zocD/j5/G2/t
b6b3n3S9KIEo7fTLXytsIp2bN53Kmxx DnIFhXTIb0i3k7JvvQ
i7v7akPbdrRrNmc49hYZsYzTIjLDoSzz/A516Rjpp3u/8 7DH
ZJp3XL60QRfVAYzUeq62PweBgEKcBBaHAe7ylS7ozqENdXe2l6
X8sNJjoLmbJ oiqSBADEEt4GRI5/jB5m9QyDBv6h2yTn/J3Ofb
6YXc6jlGdUMfCtJtE83EYxetJW qb306epyns6DhbjyR0wdOp9
bkt4gOOnDjx01Jcs4ZxaV73daLdnETxOWdTj6aNw5 WB4xnGB
Dd6pb2GFx37a29WtlciKqfCPq37gpYOH4tmpzrvP47QqS2FpIF
IuIFQu IExhcnNlbiA8a2FpLmxhcnNlbkBjb2xvcmFkby5lZHU
iQBYBBARAgAYBQI78Urk CAsDCQgHAgEKAhkBBRsDAAAAAAoJ
EOKthI8QozYkJf4An0dsntidqj/NcjtcQQwU 03ehxQDoAJ9k
tKDWo8s4OpVr2q4ZFXIqm8yerkCDQQ78UrkEAgA9kJXtwh/CBd
y orrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV89AHxstD
qZSt90xkhkn4DIO9 ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSW
c39uK50T8X8dryDxUcwYc58yWb/Ffm7 /ZFexwGq01uejaClcj
rUGvC/RgBYKX0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yI sxx
8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEst
Sr/POGxKUAY EY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAk
bTCD1mpF1Bn5x8vYlLIhkmuqui XsNV6TILOwACAgf8DeWZPsT
T1hmXuDLNgq6ga2m3XDkyrn0D8Xo99GsK6Kcw40 phiat4Xp
jgrR9rWxV9F4lfdbp5TZgKrOjvkQ3LRUZW3joL8iuUgWxednC/
ZS2hQa YWgDUPSw1u76JbgocbwWyjMj/1Q/iehAZcMicPulPo4
vugTuOdEUNHAyhhxCDJSC TofJ0nvj5qOwdLiNU/73xrrckt5
QPTnn3Y9mYm3cFYnG2XhUp2PIzk8US0eUXL dhFVWVQRRa1Jt
sk5gOYLPB0H34DjT5CJ7a4ujy4wzR83Mxh1/mmzjVD6QqiIbU
w 8QJiXBcinwpf9B8/8LfC0eFEHTDU9QmeVDJIy4kATAQYEQIA
DAUCO/FK5AUbDAAA AAAKCRDirYSPEKM2JAgBAJ4wmc/dZOl7Q
CYiTHDM9nScqqymLgCg8/eca5JDodSE UqaAm5zi2diYKs
w3hs -----END PGP PUBLIC KEY BLOCK-----
Private key looks similar, but with different
information
37
(No Transcript)
38
Imagine a chest with two locks
now Imagine that you have the ability to
generate such chests at will, and that they all
react the same way to the keys belonging to itas
long as you have ONE key (either public or
private, you can generate the chest)
39
So, you want to send a secret text to your
friend, Billy-Bob?
You
Billy-Bob
40
Public Key Cryptography

• Sender encrypts message M into E(M) by applying
  public key or encryption key (E) of receiver
• Receiver decrypts E(M) by applying her private
  key or decryption key (D)
• i.e, D(E(M)) M
• Based on one-way (or trap door) functions which
  are easy to compute in one direction but not in
  the other.
• E Encryption or public key
• D Decryption or private key

41
But how do you prove to your friend, Billy-Bob
that you are YOU? (you already have his public
key)
Use your own Private Key to generate an empty
chest
You
Billy-Bob
42
Electronic signatures(Another brilliant idea!)

• How do you convince your bank that you are
  indeed the sender of a message?
• Say Alice (A) is sending message to Bank (B)
• Alice applies her decryption key
• Alice applies banks encryption key
• Sends message to bank
• Bank applies its decryption key first
• Bank applies Alices encryption key
• Based on the idea that keys are commutative, ie.

43
PGP (Pretty Good Privacy)(a.k.a. Phils pretty
good software)http//www.pgp.com

• Software written by Phil Zimmerman (of Boulder
  fame!)
• Implements public key cryptography
• Available in public domain (on most Unix
  systems)
• Basic commands
• pgp -h (for help)
• pgp -kg (to create your key)
• pgp -e text_file her_user_id (to encrypt with
  recipients public key)
• pgp ciphertextfile (to decrypt ciphertextfile)
• pgp -ka keyfile ( to add contents of a key
  file to your key ring)

44
Aircraft Downing in China

• The airplane is basically a really big flying
  tape recorder
• Virtually anything transmitted through the air
  would be within reach
• dozens of sensitive antennae pick up signals
  from radar, radio, cell phones, perhaps even
  e-mail
• Source The Daily Camera, April 4th, 2001

EP-3E Source NYT, April 4th, 2001
45
FIREWALLS
INTERNET
A firewall is a mechanism used to protect a
trusted network from an untrusted network. It
implements the site's security policy and is the
single point in your network through which all
communications between the trusted and untrusted
network must pass.
46
Packet Filtering Firewalls
-- Incorporate packet filters in the router
software -- Reject/accept packets based on rules
Filter Action Internal Port
External Port Comment Rule
Host Host
1
block HACKER
deny access to

2 allow Mail 25
connect to
mail
gateway
-- Generally anything not expressly permitted
is prohibited.
47
Application-Level Gateways (or Proxy Servers)
-- Use software applications to filter traffic
for various services. -- Program acts like a
gateway (or proxy server), and -- Logs traffic
and forwards only the legitimate traffic. -- Do
not need rules as with packet level filters,
but -- Need a specialized program for each
service (e.g. mail proxy, http proxy, etc.). --
Operates at higher layer of OSI protocol. --
WeaknessRuns on top of OS and subject to holes
in OS.

48
Screened-host Gateway
This firewall combines the features of
packet-level filtering (through the router) and
application-level gateways.
49
Internet Security Protocols
S-MIME Secure Multipurpose Internet Mail
Extensions. SSL Secure Socket Layer. SSL is a
protocol for transmitting encrypted data over
TCP/IP networks. S-HTTP Secure HTTP. Security
extension to HTTP to protect individual
transaction requests and responses. SET Secure
Electronic Transaction. Developed by Visa and
MasterCard to support bank card payments
involving multiple parties (card holder,
merchant, acquirer, issuer).
50
Secure Web Transactions
Symmetric algorithms are faster than public key
algorithms, but public key algorithms are
required to maintain privacy during the exchange
of the faster symmetric keys. To preserve both
efficiency and privacy, secure Web transactions
begin with a public key exchange, followed by
the exchange of a session key that follows a
faster, symmetric algorithm.
51
Digital Certificate
Is the cyberspace equivalent of a drivers
license. Way of authenticating yourself to other
party.

• SSL authentication is done by X.509 certificates.
  
• Certificates are issued by certification
  authorities (CAs), e.g. Verisign, GTE
  Cybertrust,etc., which act as trusted third
  parties.
• Each certificate contains
• information about the certificate's format.
• a unique serial number.
• information about the algorithm used to sign the
  certificate.
• the name of the CA which issued the certificate.
• the validity period of the certificate.
• identifying information about the "subject," or
  the entity to whom the
• certificate belongs,the subject's public key,
  and the issuers signature.

52
How SECURE ELECTRONIC TRANSACTIONS (SET) WORK
Card Issuer
Acquiring Bank
Customer
Merchant
53
Problems with Encryption

• The Battle of Leyte Gulf (October 23-26 1944)
• American navy forces split into two, each
  steaming to meet separate Japanese forces
  (located far away from each other)
• Task Force 38 and Task Force 34 (commanded by
  Admiral Halsey)
• Admiral Nimitz (in Pearl Harbor) was wondering
  about Task Force 34s position, sent message
  Where is Task Force 34?
• Cryptographer stuffed message, and sent it as
• Turkey trots to water XX Where repeat where is
  Task Force 34 XX The world wonders.
• Halseys cryptographer, forgetting to remove all
  the stuffing, sent the following message to the
  bridge
• Where repeat where is Task Force 34 XX The world
  wonders.

54
Tennysons The Charge of the Light Brigade

• Half a league, half a league, Half a league
  onward,All in the valley of Death Rode the six
  hundred."Forward, the Light Brigade!"Charge for
  the guns!" he saidInto the valley of Death
  Rode the six hundred.

55
Tennysons The Charge of the Light Brigade

• Flash'd all their sabres bare,Flash'd as they
  turn'd in air,Sabring the gunners
  there,Charging an army, while All the world
  wonder'd
• Then they rode back, but not Not the six
  hundred.

56
Key Security Points

• High-level security consists of multiple system
  components
• User identification
• Access verification
• Security administration
• Combine multiple security mechanisms for
  desired level of
• security
• Both dial-up security and backbone security are
  important.
• Individual responsibility is essential!

Source Ascend Corp.
57
Security Resources

• CERT Computer Emergency
• Response Team
• CSI Computer Security
• Institute
• ISSA Information Systems
• Security Association
• TruSecure Corporation
• (formerly National Computer
• Security Association)
• FIRST Forum of Incident
• Response and Security Teams

http//www.cert.org/ 1-412-268-7090 http//ww
w.gocsi.com 1-415-905-2626
http//www.issa-intl.org/ 1-708-699-6441
http//www.trusecure.com 1-717-258-1816
http//www.first.org
Source Ascend Corp.