Telecommunications, Network,

1

• Chapter 7
• Telecommunications, Network,
• and Internet Security

2
Data Networks

• Data network structures
• Local area network
• Wide area networks
• Internet
• Intranet refers to the application of Internet
  technologies within an organization
• Extranet to differentiate between the external
  Internet and the internal intranet
• World Wide Web a set of services on the Internet
  that provides archives of information accessible
  via browsers and search engines

3
Local Area Network

• LAN transmission methods
• LAN media access methods
• LAN implementations
• Ethernet (802.3)
• Token Ring
• Wireless LAN (802.11)

4
Wide Area Network

• Modems dial-up
• ISDN integrated services digital network
• Point-to-point links
• xDSL
• Cable modem
• X.25
• Frame Relay
• ATM

5
Network Threats and Attacks

• Lots of research have been done by intelligent
  attackers and security practitioners to probe
  systems, understand their intricacies, and find
  new vulnerabilities or attack methods
• The results are usually implemented into a
  program or script
• With the predominance of WWW and search engine,
  any person interested in launching an attack can
  find the tools and information on how to do it
  easily
• A less experienced attacker (script kiddy) can
  launch comprehensive and detailed attacks without
  understanding the intricacies of how the attack
  works

6
Network Mapping and Port Scanning

• Network mapper
• To identify the targets operating systems
• E.g., nmap http//www.insecure.org/nmap/
• Port scanner
• To identify the listening ports on a target
  system
• By conducting a port scan, an attacker can
  identify the services running on the target
  system and then determine how best to attack it
• E.g., strobe, udp_scan, netcat, portpro, portscan

7
Vulnerability Scanning

• After identifying the targets system and
  services, the attacker can research what
  vulnerabilities are likely for the system and
  services, using some scanning tools.
• Some tools are open source, some are high-quality
  commercial tools for analyzing system
  vulnerabilities.

8
War dialing

• Attackers use tools called wardialers to find
  modems connected to systems using the telephone
  network.
• Wardialers dial telephone numbers in a defined
  block of numbers looking for computer modem
  tones. In some situations, the modem will not
  require a password to connect and the attacker
  will have access to the system.

9
Network Exploits(I) Sniffing

• Sniffers are useful tools for both the network
  manager and the attacker.
• A sniffer can be a hardware, or software running
  on a computer. It accepts all packets received on
  the network interface(s). When a network
  interface operates in this manner, it is
  configured for promiscuous mode
• Normally, it will drop those packets that are not
  destined for the local computer.
• Defenses
• Data encryption SSH, SSL
• Use Ethernet switches, and binding the port with
  IP addresses to avoid ARP spoofing.

10
Network Exploits(II) IP Spoofing

• IP spoofing is a process to alter the source
  destination of an IP packet to make it appear
  that the packet originated at another system.
• This can be used to initiate denial-of-service
  attack.
• IP spoofing makes it difficult to identify the
  real attacker.
• Defense
• Use anti-spoofing configuration on routers

11
Network Exploits(III) Session Hijacking

• Session hijacking (or TCP hijacking) allows the
  attacker to assume control over a network
  connection while kicking off the legitimate user.
• Usually need to monitor the TCP sequence number
• E.g., Hunt (by kra_at_cri.cz)
• Session hijacking tools are used against
  applications with persistent connections, such as
  Telnet, rlogin, or FTP.
• For more details, pls check
• http//www.csn.ul.ie/syfer/tutorials/sessionhijac
  king.htm

12
Denial-of-Service Attack

• An attack against the availability of a service
• Prevent legitimate users from being able to
  access the service
• Malformed Packet Attacks
• A few packets that are formatted in an unexpected
  manner
• Ping of death, WinNuke, Land, NewTear, etc.
• Packet Flood Attacks
• Send large number of packets to the target until
  it cannot respond to requests any longer
• SYN floods
• Smurf
• DDoS

13
TCP SYN Flooding

• Read http//www.cert.org/advisories/CA-1996-21.htm
  l (required!)
• Normal TCP connection setup
• The client system begins by sending a SYN message
  to the server. The server then acknowledges the
  SYN message by sending SYN-ACK message to the
  client. The client then finishes establishing the
  connection by responding with an ACK message.
• Half-open TCP connection
• the server system has sent an acknowledgment
  (SYN-ACK) back to client but has not yet received
  the ACK message
• The server has built in its system memory a data
  structure describing all pending connections.
  This data structure is of finite size, and it can
  be made to overflow by intentionally creating too
  many partially-open connections.
• Attack by creating TCP "half-open" connections
• The attacking system sends SYN messages to the
  victim server system these appear to be
  legitimate but in fact reference a client system
  that is unable to respond to the SYN-ACK
  messages.
• The final ACK message will never be sent to the
  victim server system.
• The half-open connections will eventually expire
  and the victim server system will recover.
  However, the attacking system can simply continue
  sending IP-spoofed packets requesting new
  connections faster than the victim system can
  expire the pending connections.

14
Smurf Denial-of-Service Attack

• Read http//www.cert.org/advisories/CA-1998-01.htm
  l (required!)
• Two components
• the use of forged ICMP echo request packets (IP
  Spoofing)
• the direction of packets to IP broadcast
  addresses
• On IP networks, a packet can be directed to an
  individual machine or broadcast to an entire
  network.
• When a packet is sent to an IP broadcast address
  from a machine on the local network, that packet
  is delivered to all machines on that network.
• When a packet is sent to that IP broadcast
  address from a machine outside of the local
  network, it is broadcast to all machines on the
  target network (as long as routers are configured
  to pass along that traffic).
• In the "smurf" attack, attackers are using ICMP
  echo request packets directed to IP broadcast
  addresses from remote locations to generate
  denial-of-service attacks.
• Three parties the attacker, the intermediary,
  and the victim
• The attacker creates forged packets (ICMP echo
  request) that contain the spoofed source address
  of the attacker's intended victim.
• The intermediary receives an ICMP echo request
  packet directed to the IP broadcast address of
  their network.
• If the intermediary does not filter ICMP traffic
  directed to IP broadcast addresses, many of the
  machines on the network will receive this ICMP
  echo request packet and send an ICMP echo reply
  packet back.
• They send replies to the victim's machine. The
  victim is subjected to network congestion that
  could potentially make the network unusable.
• Solutions
• Disable IP-directed broadcasts at the routers.
• Configure the operating system to prevent the
  machine from responding to ICMP packets sent to
  IP broadcast addresses.

15
DDoS

• Early DoS attack technology involved simple tools
  that generated and sent packets from a single
  source aimed at a single destination.
• Today, the most common DoS attack type involves
  sending a large number of packets to a
  destination causing excessive amounts of
  endpoint, and possibly transit, network bandwidth
  to be consumed. Such attacks are commonly
  referred to as packet flooding attacks.
• TCP floods A stream of TCP packets with various
  flags set are sent to the victim IP address. The
  SYN, ACK, and RST flags are commonly used.
• ICMP echo request/reply (e.g., ping floods) A
  stream of ICMP packets are sent to a victim IP
  address.
• UDP floods A stream of UDP packets are sent to
  the victim IP address.
• From 1999, multiple source DoS, or DDoS, tools
  began to be deployed trinoo, TFN2K, mstream,
  t0rnkit, carko, Code Red II, Nimda worm
• Distributed Denial-of-Service
• Optional reading
• http//www.cert.org/archive/pdf/DoS_trends.pdf

16
Stack-based Buffer Overflow

• Will be introduced in detail in the next lecture.

17
Password Cracking

• Most systems and applications authenticate the
  user using a static password.
• Most operating systems store the passwords in an
  encrypted (hashed) form.
• To crack the passwords
• Acquisition of the password database (without
  shadow, its easy with shadow, may use buffer
  overflow)
• Knowledge of the password encryption algorithm
• Having a program that can encrypt and compare the
  passwords (dictionary attack or brute-force)
• E.g., Crack 5.0a, john the ripper, pwdump2
  L0phtcrack
• It is important to define a strong password
  policy.

18
Trojan Horses and Rootkits

• The Trojan horse appears to serve some useful
  purpose, yet it is really just disguising the
  malicious operation.
• A rootkit is a more powerful Trojan horse.
• The attacker must first get root access, then use
  the rootkit to keep that access by preventing an
  administrator from finding the access.
• It typically contain a large number of Trojan
  horse programs that replace or patch critical
  system programs. They blind the administrators
  and convince them that nothing is out of the
  ordinary.
• Kernel-level rootkit is even more powerful and
  difficult to handle.

19
Security Technology and Tools

• Data Encryption
• Data encryption can be accomplished at several
  levels.
• It hides the information from unauthorized
  access.
• It alerts us when the integrity of the message
  has been corrupted.

20
Firewalls

• A method of protecting one network from another
  untrusted network.
• A firewall has two components one to block
  traffic and another to allow authorized traffic
  through
• Firewalls can be packet filters, proxies, or a
  combination of the two.
• Packet filtering focuses on analyzing the packets
  and comparing them to a set of rules to determine
  if the packet should be allowed through or
  blocked.
• A proxy acts as a middleman in the connection
  process. The users session establishes a
  connection to the proxy, which in turn
  establishes a connection to the external system.

21
Packet Filter

• Packet filter firewalls operate at layer 3
  (network layer). Decisions on whether to allow or
  deny the packet are made by examining the packet
  header for the following information
• Source IP address
• Destination IP address
• Source port (UDP, TCP)
• Destination port (UDP, TCP)
• Acknowledgement bit (TCP)
• Packet filters are prone to spoofing of source
  and destination addresses and ports.

22
Packet Filter
23
Application Proxy Servers

• Application-level gateway, or proxy server
• Proxy servers act as a relay between the source
  and destination systems.
• Application proxies support authentication very
  well and are often combined with caching services
  to reduce network congestion.
• There must be a specific proxy for each type of
  service. E.g. a telnet proxy cannot be used for
  FTP service.

24
Application Proxy Servers
25
Circuit-Level Gateway

• Similar to the proxy, there is no direct
  connection between the systems. But at different
  layer.
• SOCKS RFC 1928
• A protocol for handling TCP traffic through a
  proxy server, can be used with virtually any TCP
  application
• Tow components SOCKS server and SOCKS client
• It enables hosts on one side of a SOCKS server to
  gain access to hosts on the other side of a SOCKS
  server, without requiring direct IP-reachability.
• It checks incoming and outgoing packets and hides
  the IP addresses of client applications.

26
Circuit-Level Gateway
27
Firewall Platforms

• Host-based Gateway
• Use an operating system platform like Unix,
  Linux, and MS Windows to provide the underlying
  operating resources.
• Appliance
• Use specialized hardware, often running some form
  of proprietary operating system.
• Desktop Firewalls
• Reside on the users workstation and provides
  firewall services between the host and the
  network.

28
Firewall Limitations

• cannot protect from attacks bypassing it
• eg sneaker net, utility modems, trusted
  organisations, trusted services (eg SSL/SSH)
• cannot protect against internal threats
• eg disgruntled employee
• cannot protect against transfer of all virus
  infected programs or files
• because of huge range of O/S file types

29
Remote Access Security

• Remote access technologies consist of any
  technology and application that allow a user
  access to the organizational network when he does
  not has a physical LAN connection.
• Security elements
• Authentication login credentials
• Access restrictions what resources the user can
  access
• Time restrictions when and for what duration
• Connection restrictions limits of simultaneous
  connections per user, consecutive failed login
  attempts
• Protocol restrictions restrict what protocols
  and services are available

30
Link-level Security

• Remote access services must include the ability
  to authenticate a user and establish a reliable
  connection.
• Point-to-Point Protocol (PPP) can be used for
  establishing the connection.
• The following protocols can be used for
  authentication
• Password Authentication Protocol (PAP) RFC1334
  (in 1992)
• Use a handshake between the client and the
  server. User ID and password are transmitted in
  cleartext.
• Challenge Handshake Protocol (CHAP) RFC1334
• Use a three-way handshake. Upon connection, the
  server sends the connecting system a random
  challenge. The client than encrypts the challenge
  with its password.
• Extensible Authentication Protocol (EAP) RFC2284
  (in 1998)
• A general protocol for PPP authentication which
  supports multiple authentication mechanisms.

31
Securing Network Services

• In 1980s, Sun Microsystems developed the
• Network Information Service (NIS)
• Network File Systems (NFS)
• Remote Procedure Call (RPC)
• Allow networked workstations to operate as if
  they were a single system.
• HP, DEC, and IBM all implemented NIS, NFS, RPC on
  their UNIX implementations.

32
Remote Procedure Call (RPC)

• RPC provides the ability to execute a function on
  another computer in a reasonably transparent
  fashion. It allows for distributed programs.
• RPC authentication
• Client programs must be able to authenticate
  themselves to an RPC server before the server
  executes the requested function.
• There are several different RPC authentication
  mechanisms
• AUTH_NONE no authentication, anonymous access
• AUTH_UNIX the RPC clients send the Unix UID and
  GID to the server. The server implicitly trusts
  the user is who he claims to be.
• AUTH_DES authentication based on public key
  cryptography and DES, not widely available except
  in Sun Microsystems implementations
• AUTH_KERB authentication based on Kerberos, but
  depends on a Kerberos server being available in
  the network

33
Secure RPC

• Sun Microsystems later developed Secure RPC to
  address the security weaknesses.
• Use Diffie-Hellman key exchange mechanism and DES
  for encrypting information sent over the network.
• When coupled with higher-level protocols like
  NFS, Secure RPC can create a very secure network.
• Secure RPC authentication
• Use Diffie-Hellman key exchange.
• Each Secure RPC entity has a public and private
  key, both of which are stored on the Secure RPC
  server. The public key is stored unencrypted the
  secret key is stored encrypted with the entitys
  password.

34
Network Information Services (NIS)

• NIS is a distributed database system allowing
  network users the capability to share password
  files, group files, host tables, and other files
  over the network.
• The files appear to be available on every
  computer, but they actually store on only a
  single computer called the NIS server.
• With NIS, a large network can be managed more
  easily because all of the account and
  configuration information needs to be stored on
  only a single machine.

35
Limitations with NIS

• NIS stores the encrypted password values in the
  passwd map, which can be downloaded by any user.
• Spoofing NIS
• NIS clients get information from a NIS server
  through RPC calls.
• Under early SunOS version of the NIS service, it
  was possible for an attacker to supply his own
  version of the password file to a login request,
  therefore access to the system.

36
NIS

• NIS provides increased security.
• Each NIS domain has one and only one NIS root
  domain server. It contains the master copy of the
  information stored in the NIS root domain.
• There may also be NIS server for sub-domains.
• Entities that communicate using NIS are called
  NIS principals. Each NIS principal has a public
  key and a secret key stored on an NIS server.
  All communications between NIS servers and NIS
  principals use Secure RPC.

37
Virtual Private Networks (VPN)

• WANs are used to build private networks for
  organizations to transfer their private data.
• X.25 ? Frame Relay ? ATM
• Very expensive
• Internet connections are comparatively cheap, but
  it is a publicly shared network.
• Eavesdropping, packet manipulation, spoofing,
• VPN addresses these security concerns by
  implementing encryption, data integrity, and
  authentication.
• The VPN consortium (http//www.vpnc.org/)
  supports the following standards
• Point-to-Point Tunneling Protocol (PPTP)
• IPSec with encryption
• Layer 2 Tunneling Protocol (L2TP) over IPSec

38
PPTP

• Based on Microsofts Remote Access Services
  (RAS), first included in Windows NT.
• PPTP is a layer 2 protocol, also containing
  data-link information. PPP is often used over
  PPTP.
• With PPTP, authentication is done using PPP with
  CHAP, PAP, or EAP.

39
IPSec

• IPSec is a collection of protocols forming an
  extension to the Internet Protocol. It provides
  authentication and encryption services.
• The specification is quite complex
• defined in numerous RFCs RFC 2401/2402/2406/2408
  
• It is mandatory in IPv6, optional in IPv4
• Three protocols are used to provide the IPSec
  services
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE) (RFC 2409)

40
IPSec
41
IPSec Services

• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality
• Limited traffic flow confidentiality

42
IPSec Services
43
Security Association

• IPSec provides many options for performing
  network encryption and authentication
• Lots of information to manage
• SA security association
• a relationship between two or more entities that
  describes how the entities will use security
  services to communicate securely
• Unidirectional
• Identified by a randomly chosen unique number
  called SPI (security parameter index) and the IP
  address of the destination

44
IPSec Authentication Header (AH)

• provides support for data integrity
  authentication of IP packets
• end system/router can authenticate user/app
• prevents address spoofing attacks
• prevents replay attacks by tracking sequence
  numbers
• Authentication is based on use of a MAC
• HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key

45
IPSec Ahtentication Header
46
Scope of AH Authentication
Transport mode, IPv4 The AH is inserted after
the original IP header and before the IP payload.
Authentication covers the entire packet,
excluding mutable fields in the IPv4 header that
are set to zero for MAC calculation. Tunnel mode,
IPv4 The entire original IP packet is
authenticated, and the AH is inserted between the
original IP header and a new outer IP header. The
inner IP header carries the ultimate source
destination addresses, while outer IP header
contain different IP addresses.
47
IPSec Encapsulating Security Payload (ESP)

• provides message content confidentiality
  limited traffic flow confidentiality
• can optionally provide the same authentication
  services as AH
• supports range of ciphers, modes, padding
• DES, Triple-DES, RC5, IDEA, CAST, etc
• CBC most common
• pad to meet blocksize, for traffic flow

48
IPSec ESP Format
49
Scope of ESP Encryption and Authentication
Transport Mode ESP The ESP header is inserted
into the IP packet immediately prior to the
transport-layer header, and an ESP trailer is
placed after the IP packet. Tunnel Mode ESP The
ESP header is prefixed to the packet, and then
the packet plus the ESP trailer is encrypted.
50
Transport and Tunnel Modes

• Both AH and ESP support two modes of use
• Transport mode
• Provide protection to the payload of an IP
  packet.
• Used for end-to-end communication between two
  hosts
• Tunnel mode
• Provide protection to the entire IP packet.
• After the AH or ESP fields are added to the IP
  packet, the entire packet is treated as the
  payload of new outer IP packet with a new outer
  IP header.
• Commonly used on security gateways or firewalls.

51
IPSec Key Management

• handles key generation distribution
• typically need 2 pairs of keys
• 2 per direction for AH ESP
• manual key management
• sysadmin manually configures every system
• automated key management
• automated system for on demand creation of keys
  for SAs in large systems
• has Oakley ISAKMP elements

52
IPSec Oakley

• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
• cookies, groups (global params), nonces, DH key
  exchange with authentication
• can use arithmetic in prime fields or elliptic
  curve fields

53
IPSec ISAKMP

• Internet Security Association and Key Management
  Protocol
• provides framework for key management
• defines procedures and packet formats to
  establish, negotiate, modify, delete SAs
• independent of key exchange protocol, encryption
  alg, authentication method

54
L2TP

• Microsoft and Cisco co-developed L2TP as an open
  standard for secure multi-protocol routing.
• It is a layer 2 protocol with stringent
  authentication, including the use of
  certificates.
• Typically, L2TP packet is encapsulated with IPSec
  ESP and AH, followed by another PPP encapsulation
  for transmission over the data-link layer.

55
SSL and TLS

• Secure Socket Layer (SSL)
• transport layer security service
• originally developed by Netscape
• version 3 designed with public input
• subsequently became Internet standard known as
  TLS (Transport Layer Security)
• uses TCP to provide a reliable end-to-end service
• SSL has two layers of protocols

56
SSL Architecture
57
SSL Architecture

• SSL session
• an association between client server
• created by the Handshake Protocol
• define a set of cryptographic parameters
• may be shared by multiple SSL connections
• SSL connection
• a transient, peer-to-peer, communications link
• associated with 1 SSL session

58
SSL Record Protocol

• confidentiality
• using symmetric encryption with a shared secret
  key defined by Handshake Protocol
• IDEA, RC2-40, DES-40, DES, 3DES, Fortezza,
  RC4-40, RC4-128
• message is compressed before encryption
• message integrity
• using a MAC with shared secret key
• similar to HMAC but with different padding

59
SSL Change Cipher Spec Protocol

• one of 3 SSL specific protocols which use the SSL
  Record protocol
• a single message
• causes pending state to become current
• hence updating the cipher suite in use

60
SSL Alert Protocol

• conveys SSL-related alerts to peer entity
• severity
• warning or fatal
• specific alert
• unexpected message, bad record mac, decompression
  failure, handshake failure, illegal parameter
• close notify, no certificate, bad certificate,
  unsupported certificate, certificate revoked,
  certificate expired, certificate unknown
• compressed encrypted like all SSL data

61
SSL Handshake Protocol

• allows server client to
• authenticate each other
• to negotiate encryption MAC algorithms
• to negotiate cryptographic keys to be used
• comprises a series of messages in phases
• Establish Security Capabilities
• Server Authentication and Key Exchange
• Client Authentication and Key Exchange
• Finish

62
TLS (Transport Layer Security)

• IETF standard RFC 2246 similar to SSLv3
• with minor differences
• in record format version number
• uses HMAC for MAC
• a pseudo-random function expands secrets
• has additional alert codes
• some changes in supported ciphers
• changes in certificate negotiations
• changes in use of padding

63
Application Layer Security

• Secure Electronic Transactions (SET)
• Privacy Enhanced Mail (PEM)
• Secure Hypertext Transfer protocol (S-HTTP/HTTPS)
• S/MIME

64
Network Availability and Network Disaster
Recovery Planning

• Network Reliability
• Star topology
• The failure of a single link doesnt affect other
  links.
• The hub/switch is the weak link, can be improved
  by redundant power supplies, backplane, control
  logic.
• Ring topology
• In token-ring, a link failure or node failure
  will fail the whole network.
• In MAN or WAN, ring topology is reliable and
  common.
• Bus topology
• A link failure will fail the entire network.