Part 5: Network Security - PowerPoint PPT Presentation

Provided by: ZMK5
1
Part 5: Network Security
  • Network Attacks
  • Intrusion Detection
  • Servers and Security
  • Authentication
  • Secure Communication
  • Cryptography Applications

2
Network Security Basics
  • Network security protocols have been designed and
    deployed, early in the life of the open Internet
  • Network security is a complex arena, but most of
    the simple protocols are effective, efficient and
    widely deployed
  • Internet Threat Model: The network is insecure
    and subject to attacks, the end systems are
    secure.
  • Assumes there are no viruses and other system
    level threats
  • Solves the network insecurity problem, but leaves
    the more important threat not addressed

3
Basic Network Attacks
  • Port Scans or mapping attacks (nmap)
  • Create blueprint of network
  • Find what listens to the network, what ports are
    open
  • Reconnaissance
  • Sniffing non-switched networks
  • Many tools exist
  • ARP Spoofing
  • Switched networks use intelligent switching of
    packets
  • Capture packets on switched networks
  • MAC flooding/ARP poisoning
  • Overflow the MAC table in switches
  • MAC duplication
  • Fool switches, similar to the ARP spoofing attack

Countermeasures: IP filtering, port security on
switches
4
Network and TCP attacks
  • Routing Attacks
  • Attacking routers, NATs and firewalls
  • Attacking BGP hosts
  • Changing routes
  • DNS Attacks
  • Provide false DNS information
  • Pharming attacks
  • SYN Attacks
  • Malicious headers, non conforming responses
  • Various TCP attacks
  • Bad packets, malformed headers

Countermeasures: routing security (no
workstations for routing, use proper
routers); Secure DNS; TCP has been hardened and
many attacks do not work.
5
WiFi Attacks
  • Eavesdropping on WiFi networks
  • Open radio network, cannot be prevented
  • VPN and SSL usage is highly recommended
  • Evil Twin attack
  • Set up access point with same SSID
  • WEP attack
  • WEP is badly broken and is not secure
  • MAC spoofing
  • Access MAC filtered networks (all paid networks)
  • WiFi seems to be inherently insecure, but use
    of encryption can make it as secure as wired
    networks
  • Standards keep changing and more security
    features keep getting added

6
DoS
  • Overloading a resource with a flood of spurious
    traffic
  • Network routers
  • Servers
  • Network Stacks (e.g. the SYN attack)
  • Authenticators
  • The DDoS attack uses zombies to generate traffic
    to a particular victim resource
  • No good solution exists
  • A threat to the Internet Infrastructure

7
Intrusion Detection
  • A phrase used for a variety of techniques to
    detect malicious access
  • Basic techniques
  • Statistical Anomaly Detection
  • Pattern Matching
  • Deep packet inspection
  • More techniques
  • File Integrity checkers (Tripwire)
  • Some are quite intricate, advanced and obscure
    techniques

[Diagram: border router, firewall, IDS, DMZ, servers, honeypot]
8
Intrusion Detection
  • IP Filtering
  • Can stop many port scans from outside
  • Cannot stop internal attacks from viral
    infections
  • Packet Inspection
  • Statistical checks and content checks
  • cat > ./rhosts
  • Honeypots
  • Open, often unpatched machines in DMZ
  • Used to see what attacks are happening
  • File Integrity
  • Get hashes of files and store them, and check
    against actual files
  • Not too difficult to attack and disable
  • Host based IDS
  • One system only
  • Network based IDS
  • Listens to packets
  • Layered approach
  • Many techniques
  • Knowledge based
  • updates
  • Bastion hosts
  • ..more

9
Firewalls
  • Firewalls are effective against some buffer
    overflow attacks and some Trojan software
  • Stops the silly tricks, lets the smart ones go
  • Firewalls can be implemented in hardware and
    software
  • They each have their share of advantages
  • Firewalls can implement NAT (Network Address
    Translation)
  • Best reasons to have a firewall
  • Stops access to open ports where default, poorly
    configured servers listen
  • Stops access to several buffer overflow exploits
  • NAT makes the computer essentially invisible to
    scanners

10
Software Firewalls
  • Built into the kernel, handles messaging into and
    out of the machine
  • Can monitor programs that send data out, useful
    for detecting malware (not effective)
  • Can close and/or monitor some open ports
  • Can have smarts
  • Disadvantages
  • Can be easily turned off by malware
  • A lot of confusing warnings
  • Cannot detect stealthy programs (e.g. one that
    piggybacks over the email program or web browser)
  • Incoming connection protection is doubtful, and
    can introduce more vulnerabilities

11
Hardware Firewalls
  • Essentially a NAT server
  • NAT: network address translation
  • Hides the machine at a fictitious IP address, all
    incoming messages go to the firewall
  • Allows only outgoing connections from the machine
  • Others can reply to the host, but cannot initiate
    communications to the host
  • Stops all network attacks
  • Except the ones that can figure out how to mimic
    responses rather than initiations (connection
    hijack attacks)
  • Disadvantages
  • Cannot monitor outgoing traffic
  • No Smarts

12
Denial of Service
  • Protection against DoS and DDoS
  • Hard to do, not many effective techniques
  • Packet filtering has to be done
  • How to detect, what to throw?
  • Fooling DoS detectors can cause DoS attacks
  • Global traffic shaping
  • Internet has no central control
  • Backbone Networks
  • Autonomous Systems

13
Network Application Security
  • Web server security
  • Attacks on web servers
  • Scripting attacks, injection attacks
  • Data compromise attacks
  • Denial of Service Attacks
  • Mail Server Security
  • Spam filtering is essential
  • Open relays, sendmail configurations
  • Containing Hoaxes
  • DNS security
  • DNS attacks and configuration
  • Database server security
  • SQL checkers
  • Scripting attacks
  • Backdoors

14
ISP protection
  • Many forms of packet filtering
  • Ports are blocked
  • For SMTP servers
  • Inbound and outbound port blocks
  • Some are done for profit
  • Traffic Shaping
  • Net Neutrality debate

15
Network Security and Cryptography
  • Network Security makes heavy use of cryptography
  • Different from system security
  • Cryptographic Algorithms
  • Encryption, hashing, random numbers, identities
  • Cryptographic Protocols
  • A set of steps executed by multiple parties such
    that no one trusts each other, but if everyone is
    truthful, the end goal is reached
  • Self Enforcing Protocols
  • Authentication, Key Exchange, Challenge response,
    Message Authentication Codes (MAC), secret sharing

16
Secret Communication
  • Alice sends a message to Bob, encrypted using a
    key (k).
  • Many encryption algorithms, known and trusted
  • DES, 3DES, AES, IDEA
  • An attacker cannot read the contents of the
    message
  • Alice also embeds a cryptographic hash in the
    message, that is also encrypted with k as well as
    a timestamp or sequence number
  • Bob can ensure an attacker did not replace the
    message with a random bit string, or is replaying
    an older message from Alice
  • Problem: Alice and Bob have to prearrange a key
    k
  • Use PKI to exchange keys
  • Watch out for MITM attacks
  • Preinstalled keys can be used <<< more
    complicated than it seems

17
Authentication
  • Used to ensure Alice and Bob are sure about who
    they are communicating with
  • Also helps in key exchange
  • Passwords
  • Public Key based Protocols
  • Simple authentication (passwords, hash chains)
  • Multi Factor Authentication
  • PKI Authentication used in SSL/IPSec
  • Certificate based Authentication

18
Authentication - passwords
  • Ubiquitous and insecure
  • A shared secret scheme, prone to leakage
  • Dictionary attacks, keyboard sniffing attacks,
    phishing attacks
  • PIN usage in debit cards bad
  • Biometrics bad

19
Authentication - hash chains
  • S/KEY
  • Create a chain of hashes
  • Seed S
  • H1 = h(S)
  • H2 = h(H1)
  • H3 = h(H2)
  • Server stores HN+1 and gives the client the
    chain.
  • Client uses HN for 1st login
  • Client uses HN-1 for 2nd login
  • A more practical scheme using time is used in
    the RSA secure-id card
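
The hash-chain login on this slide as an added Python sketch (not part of the original presentation): the server keeps only HN+1, accepts a password whose hash equals the stored value, then replaces the stored value with it, so a captured password is useless for the next login. SHA-256 as h and the names `build_chain`, `Server`, `Client` and `enroll` are assumptions of this example.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # SHA-256 is an assumption for this sketch; the slide only says "h".
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes, n: int) -> list:
    """Return [H1, H2, ..., H(N+1)] with H1 = h(S) and Hi = h(H(i-1))."""
    chain, value = [], seed
    for _ in range(n + 1):
        value = h(value)
        chain.append(value)
    return chain


class Server:
    """Stores one value: H(N+1) at enrolment, then the last accepted password."""

    def __init__(self, top: bytes):
        self.stored = top

    def login(self, password: bytes) -> bool:
        # Accept only a preimage of the stored value, then move down the chain.
        if hmac.compare_digest(h(password), self.stored):
            self.stored = password
            return True
        return False


class Client:
    """Holds H1..HN and spends them from the top: HN first, then H(N-1), ..."""

    def __init__(self, chain: list):
        self.unused = list(chain)

    def next_password(self) -> bytes:
        return self.unused.pop()


def enroll(seed: bytes, n: int):
    chain = build_chain(seed, n)
    return Client(chain[:-1]), Server(chain[-1])


if __name__ == "__main__":
    client, server = enroll(b"constructed demo seed", 3)  # constructed seed
    first = client.next_password()
    print(server.login(first), server.login(first))  # second call is a replay
```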

20
Authentication - Challenge Response
  • Shared secret challenge response is secure if the
    shared secret can be kept securely
  • Client and Server know a secret S
  • Challenge: Server sends to client a random number
    R
  • Response: Client responds with E_S(R)
  • PKI based challenge response is better, covered
    in Cryptography section.
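
The exchange on this slide as an added sketch (not part of the original presentation): HMAC-SHA256 keyed with S stands in for the slide's E_S(R), and the `Server` class, the `respond` function and the 16-byte challenge size are assumptions. The server accepts each challenge once, so a captured (R, response) pair cannot be replayed.

```python
import hashlib
import hmac
import secrets


def respond(secret: bytes, challenge: bytes) -> bytes:
    # Client side: prove knowledge of S without sending S.
    # HMAC-SHA256 replaces the slide's E_S(R) in this sketch.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()  # challenges issued and not yet answered

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)  # fresh random R for every login attempt
        self._pending.add(r)
        return r

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Reject challenges the server never issued or has already consumed.
        if challenge not in self._pending:
            return False
        # One attempt per challenge, whether or not the response is correct.
        self._pending.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    shared = b"constructed shared secret"  # constructed sample value
    server = Server(shared)
    r = server.challenge()
    answer = respond(shared, r)
    print(server.verify(r, answer))  # fresh challenge, correct response
    print(server.verify(r, answer))  # same pair replayed
```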

21
Single Sign on Systems
  • Sign on once and access a variety of services
  • Eliminates multiple username/password problems
  • Passwords do not get propagated to service
    providers
  • Has met with limited success
  • Microsoft Passport is essentially dead
  • Liberty Alliance is struggling
  • Microsoft CardSpace is trying a fresh start
  • CardSpace is the only one using public keys and
    has provisions for securely storing private keys
    on smartcards
  • Late, but much needed
  • Kerberos is old technology but widely used in
    organizations

22
Kerberos (three-headed guard dog)
  • A popular method for single sign on for
    organizations
  • Client authenticates with an Authentication
    Service
  • Client contacts ticket granting service to get a
    ticket for a particular server
  • Client provides server with ticket and server
    provides client with service
  • Based on a lot of pre-arranged shared secrets

[Diagram: client, authenticator, ticket granting server and service provider, with keys Kac, Kas and Ktc]
23
Simplified Kerberos Protocol
  • Client C contacts Kerberos K and authenticates
  • Client asks for ticket to Server S
  • Client sends Server
  • Server Acks,

[Diagram: KERBEROS (authenticator, ticket granting server), client and service provider. Messages shown: (Tk, L, Kcs, S), (Tk, L, Kcs, C), (C, Tc) and (Tc + 1), with the key labels Kkc, Kks and Kcs.]
Tk: timestamp at K; L: ticket lifetime; Kkc, Kks:
prearranged shared secrets; Kcs: temporary shared
secret
24
Secure Communication - SSL or IPSec
  • SSL (Secure Sockets layer) is pervasive, IPSec
    is a standard
  • Most VPNs use IPSec
  • End-to-end security, with server authentication,
    and optional client authentication
  • Servers have certificates issued by a CA
  • Client authenticates the server certificate,
    using challenge response
  • Clients can authenticate to server via
    certificates, or via password
  • Has a wide range of supported underlying
    algorithms for session key, public key and hashes

25
SSL Protocol
  • SSL Protocol (basic)
  • Alice → Bob: Hello, RA <random number>
  • Bob → Alice: Hello, <Bob's Certificate>, RB
    <random number>
  • Alice → Bob: Prove it!
  • Bob → Alice: E_K2B(h(RA, RB))
  • Alice → Bob: E_K1B(session key)
  • SSL Communications
  • E_KEY(message, E_KEY(h(message)))

26
SSL
  • The SSL protocol is an implementation of the
    basic protocol with lots of bells and whistles
  • Well designed
  • Attacks against the implementation have been
    found, but have been fixed
  • Current implementation is considered robust and
    safe
  • Features
  • Cipher Suite negotiation
  • Compatibility
  • Client and Server generated random numbers
  • No Challenge-Response actually needed (!)

27
SSL Protocol
  • ClientHello (224 bits)
  • ServerHello (224 bits), Server Certificate
  • Verify Server Certificate, generate
    Pre-Master-Secret (384 bits)
  • Cipher Negotiation
  • Send pre-master-secret, encrypted with Server
    Public Key
  • Generate Key Material (on both sides):
    MUST BE THE SAME!
28
Hello
  • Client Hello: struct { ProtocolVersion
    client_version; Random random; SessionID
    session_id; CipherSuite cipher_suites;
    CompressionMethod compression_methods; }
  • Server Hello: struct { ProtocolVersion
    server_version; Random random; SessionID
    session_id; CipherSuite cipher_suite;
    CompressionMethod compression_method; }

29
Key Material
  • master_secret =
    MD5(pre_master_secret + SHA('A' + pre_master_secret +
    ClientHello.random + ServerHello.random)) +
    MD5(pre_master_secret + SHA('BB' + pre_master_secret +
    ClientHello.random + ServerHello.random)) +
    MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
    ClientHello.random + ServerHello.random))
  • key_block =
    MD5(master_secret + SHA('A' + master_secret +
    ServerHello.random + ClientHello.random)) +
    MD5(master_secret + SHA('BB' + master_secret +
    ServerHello.random + ClientHello.random)) +
    MD5(master_secret + SHA('CCC' + master_secret +
    ServerHello.random + ClientHello.random)) + ...
  • Key block is then partitioned into client write
    key, server write key, client MAC, server
    MAC
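
The derivation on this slide carried through in Python, as an added example that is not part of the original presentation: both ends run the same MD5/SHA-1 expansion over the pre-master secret and the two hello randoms, which is why they arrive at the same keys. The sample inputs are constructed, the 3DES-CBC / SHA-1 key sizes are an assumption, and the partition order follows the SSL 3.0 specification (RFC 6101) rather than the order listed in the last bullet.

```python
import hashlib

# Partition order from the SSL 3.0 specification (RFC 6101).
PARTS = ("client_write_MAC_secret", "server_write_MAC_secret",
         "client_write_key", "server_write_key",
         "client_write_IV", "server_write_IV")

# Constructed sample inputs (not captured from a real handshake).
PRE_MASTER = bytes(range(48))          # 384-bit pre-master secret
CLIENT_RANDOM = bytes([0x11]) * 32
SERVER_RANDOM = bytes([0x22]) * 32


def _expand(secret, first, second, length):
    """MD5(secret + SHA('A' + secret + first + second)) + the 'BB', 'CCC', ... rounds."""
    out, rnd = b"", 1
    while len(out) < length:
        label = bytes([ord("A") + rnd - 1]) * rnd      # b"A", b"BB", b"CCC", ...
        inner = hashlib.sha1(label + secret + first + second).digest()
        out += hashlib.md5(secret + inner).digest()
        rnd += 1
    return out[:length]


def master_secret(pre_master, client_random, server_random):
    return _expand(pre_master, client_random, server_random, 48)


def key_block(master, client_random, server_random, length):
    # The randoms swap places for the key block: ServerHello.random comes first.
    return _expand(master, server_random, client_random, length)


def derive_keys(pre_master, client_random, server_random,
                mac_len=20, key_len=24, iv_len=8):
    """Defaults are the sizes of a 3DES-CBC / SHA-1 suite (an assumption)."""
    master = master_secret(pre_master, client_random, server_random)
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = key_block(master, client_random, server_random, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(PARTS, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    for name, value in derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name:24} {value.hex()}")
```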

30
Problems with SSL
  • CA public keys stored in browser, can be attacked
  • After an SSL connection is opened, a virus can
    use the secure connection to defraud or steal
    information
  • Earlier known attacks
  • Weak encryption
  • Timing attacks
  • Buffer overflow attacks

31
Email Privacy
  • Email is not private
  • Email privacy can be achieved with encryption
  • Key exchange issues
  • Public Key Management
  • If we had certificates, email privacy would be
    easy to achieve
  • Currently, sending/receiving encrypted email
    arouses suspicion
  • Workaround is steganography
  • Email privacy is supported via PGP and GPG
  • Several commercial solutions that do not
    interoperate
  • Hushmail

32
PGP - GPG
  • Pretty Good Privacy and GNU Privacy Guard
  • Email and encrypted file systems
  • Public keys for email transport and signatures
  • Web of Trust
  • Alice can sign Bob's public key, if she knows Bob
  • P2P version of certificate authorities
  • How private keys are generated and stored depends
    upon the implementation
  • How public keys are distributed also depends upon
    implementation
  • Signatures are supported

33
Spam
  • Spam is not just an irritant, it is a security
    risk
  • Spam is the carrier of choice for
  • Viruses
  • Phishing attacks
  • Malformed URLs
  • Various fraudulent scams
  • Luring users to dangerous websites
  • More to come
  • Fighting spam is not working, due to many
    technical issues
  • Compatibility
  • Signed email can combat spam, but would create
    segregated email communities

34
Email Signing
  • Digital signatures on email can identify sender
    and stop spam and spoofed emails
  • DomainKey: An email signature scheme developed by
    Yahoo and used by Yahoo Mail and Google Mail
  • All mail sent via Yahoo or Google servers has a
    domainkey signature
  • Cannot be spoofed, signature cannot be lifted
  • Yahoo and Google ensure spam is not sent from
    their servers (and a few more)
  • Ensuring all received mail has valid domainkey
    would make spamming difficult
  • Would also stop all email not originating from
    yahoo/google
  • Domainkey signatures are never checked as of now
    ?

35
Security Policies
  • A catchall phrase that encompasses all rules and
    enforcement used by an organization to ensure
    security
  • Has to be dynamic and flexible
  • Covers
  • Networking systems
  • Computer systems
  • User rights
  • Data policies
  • Resource usage policies
  • Email policies
  • File systems

36
More issues
  • Advisories
  • Patches
  • Attack recovery
  • Perimeter Safety
  • Service Security
  • Baseline Security
  • Physical Security
  • Transport Security
  • File systems
  • BGP and routing protocols
  • Hoaxes
  • Mobile Security