Computer and Network Security John Kristoff jtkdepaul edu
- Slides: 66
Computer and Network Security John Kristoff jtk@depaul. edu +1 312 362 -5878 De. Paul University Chicago, IL 60604 IPD - November 3, 2001 John Kristoff - De. Paul University 1
What are you trying to secure? � Confidentiality � Avoid � Authentication snooping � Encryption? that you? � Nonrepudiation � Integrity � No � Deletes, changes � Backups � Access control off! � Reputation attacks IPD - November 3, 2001 denying it � Hands � Availability � (D)Do. S � Is � Name John Kristoff - De. Paul University = MUD 2
Internet security really bites � LOTS � Bad of hosts are hard to secure default configurations � Poor software implementations � Fixes/patches � Average � It rarely applied user/admin is security clueless is difficult to coordinate among sites � Any weak link can break the security chain IPD - November 3, 2001 John Kristoff - De. Paul University 3
Why doesn't telco security bite? Telco Internet � Central authority � Network � Billing intelligence records per call � Legalese understood � Wiretapping � Circuit laws connections IPD - November 3, 2001 � No central authority � End � No host intelligence packet accounting � Legalese � Privacy � Ease John Kristoff - De. Paul University fuzzy issues of anonymity 4
So where do you put security? IPD - November 3, 2001 John Kristoff - De. Paul University 5
Physical security � Trash bins � Social engineering � It's easier to trust a face/voice than a packet � Protect from the whoops! � Don't trip over the power cord � Don't spill your coffee � Hit the right switch � Software really can kill hardware IPD - November 3, 2001 John Kristoff - De. Paul University 6
End host security � The end-to-end argument � This is usually where the problem is � But, ultimately you want to protect data � End hosts are in control of data � Users are in control of hosts � Users often don't secure hosts sufficiently � There are LOT of hosts and LOTS of users IPD - November 3, 2001 John Kristoff - De. Paul University 7
Network security � Inspect � Boy, and act on packets as they go this is really hard! � Evasive tactics like tunneling get through � Uh-oh. . . encryption � What � Can � This am I breaking? I relay, inspect and act fast enough? might help, but its not a panacea IPD - November 3, 2001 John Kristoff - De. Paul University 8
Probably need layered defenses � The belt and suspenders approach � Attackers � Multiple � Use � If might hit a layer they can't break layers tend to slow attacks down the laws of statistics defense A stops 90% of all attacks, � And if defense B stops 90% of all attacks, � Then combined they may stop 99% of all attacks �(1 -. 9)*(1 -. 9) IPD - November 3, 2001 =. 01, 1 -. 01 =. 99 or 99% John Kristoff - De. Paul University 9
The network is just a highway � How do you secure the highway � Police � Toll patrol booths � Licensed � Vehicle � Rules � Are drivers inspections and standards of the road the highways completely safe now? IPD - November 3, 2001 John Kristoff - De. Paul University 10
Perimeter security " Separate trusted net from untrusted net " Define the boundary IPD - November 3, 2001 John Kristoff - De. Paul University 11
What network firewalls do � Define untrusted and trusted boundaries � Inspect traffic traversing firewall boundary � Limit communication traversing boundary � Help shield insecure hosts IPD - November 3, 2001 John Kristoff - De. Paul University 12
Network firewalls illustrated IPD - November 3, 2001 John Kristoff - De. Paul University 13
Key ideas �Firewalls �They're �They a network solution to a host problem don't solve the real problem and. . . �. . make it hard/impossible to do certain things �Ultimate control of hosts is out of our hands �Securing �But. . should be unnecessary a LOT of hosts is hard! network solutions are *sigh* necessary IPD - November 3, 2001 John Kristoff - De. Paul University 14
Packet filtering firewalls � Filter everything - not very useful � Filter by IP address � Filter by application type (TCP, UDP) � Filter on field/flag settings (source route) � Filter invalid packets (SYN/FIN packets) � Other pattern match IPD - November 3, 2001 John Kristoff - De. Paul University 15
Screened subnet implementation IPD - November 3, 2001 John Kristoff - De. Paul University 16
Application Layer Gateway (ALG) � Also commonly called a proxy firewall � These permit no direct communication � Firewall � Very intercepts all traffic in each direction intelligent device. . . �. . . must understand what a user is doing � Difficult to install if it doesn't currently exist IPD - November 3, 2001 John Kristoff - De. Paul University 17
Proxy/ALG illustrated IPD - November 3, 2001 John Kristoff - De. Paul University 18
Other common firewall features � Stateful inspection � Network address translation (NAT) � Authenticaton � Dynamic (VPNs) triggers � Reporting, logging and IDS support IPD - November 3, 2001 John Kristoff - De. Paul University 19
Example: Linux ipchains Don't want to see packets with private IP addresses -A input -s 192. 168. 0. 0/255. 0. 0 -d 0. 0/0. 0 -j DENY -A input -s 172. 0. 0. 0/255. 240. 0. 0 -d 0. 0/0. 0 -j DENY -A input -s 10. 0/255. 0. 0. 0 -d 0. 0/0. 0 -j DENY Let SSH, established TCP connections, FTP data, UDP and BOOTP/DHCP in -A input -s 0. 0/0. 0 -d a. b. c. d/255. 255 22: 22 -p 6 -j ACCEPT -A input -s 0. 0/0. 0 -d a. b. c. d/255. 255 1024: 65535 -p 6 ! -y -j ACCEPT -A input -s 0. 0/0. 0 20: 20 -d 0. 0/0. 0 1024: 65535 -p 6 -y -j ACCEPT -A input -s 0. 0/0. 0 -d 0. 0/0. 0 1024: 65535 -p 17 -j ACCEPT -A input -s 0. 0/0. 0 -d 0. 0/0. 0 67: 67 -p 17 -j ACCEPT Drop any packets that don't have our source IP and log those attempts -A output -s 140. 192. 0. 1/255. 255 -d 0. 0/0. 0 -j DENY -l IPD - November 3, 2001 John Kristoff - De. Paul University 20
Example: Cisco ACL Block private IP addresses access-list 100 deny ip 192. 168. 0. 0. 255 any access-list 100 deny ip 172. 0. 0. 0 0. 15. 255 any access-list 100 deny ip 10. 0 0. 255 any Block reserved, loopback and Class E IP addresses access-list 100 deny ip 0. 0 0. 255 any access-list 100 deny ip 127. 0. 0. 0 0. 255 any access-list 100 deny ip 224. 0. 0. 0 31. 255 any Block source port of 111 from going anywhere access-list 100 deny tcp any eq sunrpc any access-list 100 deny udp any eq sunrpc any Allow DNS and TELNET (log it) to 1. 2. 3. 4, deny everything else access-list 100 permit tcp any host 1. 2. 3. 4 eq domain access-list 100 permit tcp any host 1. 2. 3. 5 eq telnet log IPD - November 3, 2001 access-list 100 deny ip any. John Kristoff - De. Paul University 21
What can't a network firewall stop? � Bad packets that look good � Denial � Well, � But of service (Do. S) attacks they can stop them at the firewall then the firewall has just been Do. S'd � Stupid user tricks � Things that go around the firewall � Things that don't cross the firewall boundary IPD - November 3, 2001 John Kristoff - De. Paul University 22
So you're saying. . . ? �It would be nice if all hosts could be secured �Network solutions can help �Malicious �A insiders can get by anything you got holistic approach is needed. Including: � Audits, detection and response � Education � Standards IPD - November 3, 2001 and best practices John Kristoff - De. Paul University 23
Intrusion Detection Systems � Interesting, � Provides but immature technology lots of data/information � Generally doesn't interfere with communications � Anything that improves security. . . IPD - November 3, 2001 John Kristoff - De. Paul University 24
What is IDS? � Ideally, immediately identifies successful attacks � Should have a immediate notification system � Out-of-band � Probably from the attack if possible can also monitor attack attempts too � Might have attack diagnosis, recommendation and/or automated attack mitigation response � Lofty goals: � 0% false positive rate � 0% false negative rate IPD - November 3, 2001 John Kristoff - De. Paul University 25
Privacy issues � Does � Are � Is an IDS violate privacy? packet headers (protocols) private? identification (an address) private? � Are packet contents private (payload)? � Are communications (flows/sessions) private? � Where is the IDS? � Who manages the IDS? � How is the IDS data handled and managed? IPD - November 3, 2001 John Kristoff - De. Paul University 26
Storage, mining and presentation � IDSs can collect LOTS of information � What is useful data? � What are you looking for? � Data correlation within/outside of the IDS? � What does the admin see? � Where � How and for how long do you keep data? do you secure access to IDS data? IPD - November 3, 2001 John Kristoff - De. Paul University 27
Host IDS � An integral part of an end-system � System � Kernel log monitor level packet monitor � Application �A specific very good place to put security � Distributed management issues � Not all end systems will support an IDS � Will be as useful as the end user is cluefull IPD - November 3, 2001 John Kristoff - De. Paul University 28
Network IDS � An add-on to the communications system � Generally � May passive and invisible to the ends see things a host IDS cannot easily see � Fragmentation, � May not understand network traffic � Unknown � May other host attacks (correlation) protocols/applications, encryption miss things that don't cross its boundary IPD - November 3, 2001 John Kristoff - De. Paul University 29
Anomaly detection �A form of artificial intelligence � Learn � If what is normal for a network/system an event is not normal, generate alert � May � For catch new attacks not seen before a simple, but effective example see: � Detecting Backdoors, Y. Zhang and V. Paxson, 9 th USENIX Security Symposium � An area of active research IPD - November 3, 2001 John Kristoff - De. Paul University 30
Signature matching � Know what an attack looks like and look for it � Very easy to implement � Low false positive rate � Most current IDSs are of this type � Easy to fool � Signatures IPD - November 3, 2001 must be added/updated regularly John Kristoff - De. Paul University 31
Honeypots �A system that welcomes attacks � Unbeknownst to the attacker generally � The system is very closely monitored � Can be used to test new technology/systems � Generally � Helpful � Be educational in nature as trend monitor for that system type careful honeypot doesn't become liability IPD - November 3, 2001 John Kristoff - De. Paul University 32
Possible IDS failure modes � Fragmentation, � Requires � Inability state and high-speeds lots of CPU, memory and bandwidth to decode message/transaction � t^Hrr^Hm 56^H^H � Background //^H -u^Hrf noise � Tunnelling/encryption � IDS path evasion � Stupid user tricks IPD - November 3, 2001 John Kristoff - De. Paul University 33
The poor man's Network IDS � Setup a router subnet and unix host � Block all outgoing/incoming packets � access-list 100 deny ip any log � Log packets (filter matches) with syslog � Use perl/grep/uniq/. . . to build simple reports � Total violations: 468 � Top source host: badguy. org � Top dest. TCP port: 21 (ftp) IPD - November 3, 2001 John Kristoff - De. Paul University 34
The poor man's host IDS � Use � Turn snort (http: //www. snort. org) or. . . on all logging and do log reporting � Install fake service and monitor � tcp_wrappers, � Use diff (or equivalent), monitor file changes � Keep � Use back officer friendly copies of data/configs elsewhere Tripwire or equivalent IPD - November 3, 2001 John Kristoff - De. Paul University 35
Encryption or Fodszqujpo �Try to make something readable, unreadable �Usually math intensive �Plain text to cipher text to plain text �Need strong algorithms and secure keys � Public � How � Key versus private keys do you exchange keys securely? escrow, recovery and trusted 3 rd parties IPD - November 3, 2001 John Kristoff - De. Paul University 36
Shared secret key �Each �The party knows the secret key decrypts the cipher text � Book = Ulysses � Key = 7, 23, 4 �. . . or page 7, line 23, word 4 �Ulysses �How is the secret key, don't tell anyone! do the trusted parties learn the key? IPD - November 3, 2001 John Kristoff - De. Paul University 37
Shared secret key illustrated IPD - November 3, 2001 John Kristoff - De. Paul University 38
Public key cryptography �Advertise your well known public key � Everyone � Once �Private � Only uses it to encrypt messages to you encrypted, no one can decrypt it key you have the private key � Private �Keyrings key decrypts the public key encryption and secure public key distribution IPD - November 3, 2001 John Kristoff - De. Paul University 39
Public key illustrated IPD - November 3, 2001 John Kristoff - De. Paul University 40
Pretty Good Privacy (PGP) �Crypto �Uses software for mail, files and disks public (and private) key technology �Supports �Public �Free digital signatures key servers maintain public keys for non-commercial use �http: //web. mit. edu/network/pgp. html IPD - November 3, 2001 John Kristoff - De. Paul University 41
Virtual Private Networks (VPNs) �Make �Use an insecure public network secure Internet instead of building your own net �Secure/encrypted �Endpoints �Sound �Many tunnels between endpoints must be secure like a host security problem? Yep. challenges and trade-offs IPD - November 3, 2001 John Kristoff - De. Paul University 42
VPNs illustrated IPD - November 3, 2001 John Kristoff - De. Paul University 43
Potential VPN problem IPD - November 3, 2001 John Kristoff - De. Paul University 44
IP Security (IPSec) �Standardized by IETF �Authentication Header (AH) � Authenticates �Encapsulating � Encrypts �Internet Security Payload (ESP) data before transmission Key Exchange (IKE) � Governs �IPSec sender and packet contents exchange of keys between end hosts is often used in VPNs IPD - November 3, 2001 John Kristoff - De. Paul University 45
Kerberos �Popular for network based authentication �Also for authorization �Also used to encrypt network traffic �Uses the concept of issuing tickets to users �Uses centralized server for management � Must �Been be secure of course! around for awhile, becoming popular IPD - November 3, 2001 John Kristoff - De. Paul University 46
Network Address Translation �Meant �NAT to be a IPv 4 address depletion solution is wrongly applied as a security solution �Deployment �Using �NAT �If �I of NAT has hurt the Internet NAT is expensive breaks many things you have addresses, don't use NAT don't like NAT - can you tell? IPD - November 3, 2001 John Kristoff - De. Paul University 47
NAT illustrated IPD - November 3, 2001 John Kristoff - De. Paul University 48
Enough already, how do we hack? �We'll focus on over the network attacks �Password � Brute cracking force, keystroke capture, sniff �OS/Application � Buffer �Protocol overflows, cgi-bin attacks, email exploits abuses � Spoofs, �Denial attacks hijacks, redirects, man-in-the-middle of service attacks IPD - November 3, 2001 John Kristoff - De. Paul University 49
Anatomy of a typical compromise �Do some reconnaissance work, scan, probe �Launch the exploit �Maintain �Fix compromised access with backdoors system so no one else gets in �Use/abuse �Make system it look like you were never there �Sometimes a few of these steps are skipped IPD - November 3, 2001 John Kristoff - De. Paul University 50
Network scanning/mapping �PING, �DNS traceroute information �rpcinfo -p <hostname> �nmap �nbtstat, net use commands �Search engines, newsgroups, web sites �If you're on the Internet, you've been scanned IPD - November 3, 2001 John Kristoff - De. Paul University 51
Session hijacking �Pretend �Take �You to be someone you're not over or insert commands into a session may need to � Know IP addresses � Predict � Keep � Run TCP sequence numbers one end of the real session busy blind for awhile IPD - November 3, 2001 John Kristoff - De. Paul University 52
Session hijacking illustrated IPD - November 3, 2001 John Kristoff - De. Paul University 53
Password cracking �Encrypted passwords can be broken � If nothing else, by brute force � Don't �Sending let passwords be the only line of defense logins in plain text over net is bad! � Many apps do this (e. g. FTP, TELNET) � Even HTTP! �Things like kerberos, SSL and SSH help a lot IPD - November 3, 2001 John Kristoff - De. Paul University 54
Viruses and worms �Programs whose goal is to spread �. . . and possibly cause you a great deal of grief �Worms are common (e. g. ILOVEYOU) �Viruses infect other programs �Somehow � Proves � Some � e. g. code has to be executed users are too trusting feature-full apps are becoming problems Microsoft getting burned regularly here IPD - November 3, 2001 John Kristoff - De. Paul University 55
Weak input validation �Buffer overflows and format string attacks � strcpy(destvar, �Try �If srcvar) type of stuff to get your overflowed data to execute program was running as root/Admin. . . �. . . and �It's you can successfully overflow a buffer. . . probably game over for said system. �Remote overflows are very possible/popular IPD - November 3, 2001 John Kristoff - De. Paul University 56
Denial of service (Do. S) attacks �Prevents �SYN or impairs standard service flooding �SMURF attacks �Distributed �Source �How �No Do. S attacks address spoofing helps attacker to discern valid data from Do. S packets? perfect solution exists today IPD - November 3, 2001 John Kristoff - De. Paul University 57
Do. S attack illustrated IPD - November 3, 2001 John Kristoff - De. Paul University 58
DDo. S attack illustrated IPD - November 3, 2001 John Kristoff - De. Paul University 59
Partial (D)Do. S solutions �Gotta find the sources - not trivial if spoofed! �Ingress/egress �ICMP traceback (itrace) �Packet �Rate marking (pushback) limiting �Shunning �Work filtering and black hole routing with upstream provider IPD - November 3, 2001 John Kristoff - De. Paul University 60
How do I secure Windows? �echo Y | del c: *. * Just kidding. . . �Keep up to date on patches � Run Windows Update �Remove unnecessary protocols like NETBIOS �Be very wary of running unknown programs �Do not use file/print sharing �Install and use virus protection, security tools IPD - November 3, 2001 John Kristoff - De. Paul University 61
How do I secure UNIX/Linux? �Remove unnecessary services � Empty � Start out inetd. conf if possible removing rc. d scripts and programs �Keep up to date on patches �Avoid RPC, wu-ftpd, BIND, sendmail � And �Use others that continue to have probs security tools IPD - November 3, 2001 John Kristoff - De. Paul University 62
How do I secure network devices? �Remove �Disable �Install �Put unnecessary services directed broadcasts spoofing filters device IP on secured management net �Secure routing protocols �Secure logs, time sync, snmp, etc. �Keep up to date on system software IPD - November 3, 2001 John Kristoff - De. Paul University 63
How do I secure. . . ? �Web servers �FTP servers �Mail (SMTP/POP/IMAP) servers �Printers, webcams, toasters �Others. . . ? IPD - November 3, 2001 John Kristoff - De. Paul University 64
Any last bit of advice? �Use the Network Time Protocol (NTP) �syslog �SSH is your friend �Learn �Find like you've never syslog'd before and make use of perl a good mailing lists/digests/URLs �Know your netstat -an |more output �Please do not attack De. Paul's network IPD - November 3, 2001 John Kristoff - De. Paul University 65
References http: //networks. depaul. edu/security/ http: //condor. depaul. edu/~jkristof/ news: //news. depaul. edu/dpu. security http: //www. cert. org http: //www. sans. org http: //www. cerias. purdue. edu http: //www. neohapsis. com http: //www. securityfocus. com IPD - November 3, 2001 John Kristoff - De. Paul University 66
- Lisa meyers children
- Wireless security in cryptography
- Private security
- Computer and network security
- Osi security architecture
- Security guide to network security fundamentals
- Electronic mail security in network security
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- Computer & network security
- Network topologies
- Edu.sharif.edu
- Security policy and integrated security in e-commerce
- 5g americas
- Network security design
- Module 3: information and network security
- Modulo table
- Security mechanisms in cryptography
- Number theory in cyber security
- Firewall base layer
- Authentication in cryptography and network security
- Intruders in cryptography
- Primitive root of a number in cryptography
- Cryptography and network security 6th edition pdf
- Cryptography and network security pearson
- Source
- Cryptography and network security 4th edition
- Euler's theorem in cryptography and network security
- Finite fields in cryptography and network security
- Digital signature in cryptography and network security
- Modular arithmetic in cryptography and network security
- Pgp in cryptography and network security
- Top-down network design
- Network and security greensboro
- Euler's theorem in cryptography and network security
- Malicious software in cryptography
- Introduction to cryptography and network security
- Rsa algorithm in cryptography and network security
- Introduction to cryptography and network security
- Legal, social, ethical and professional issues in computing
- Legal and ethical issues in computer security
- Ethique quiz
- Computer security principles and practice
- Computer security principles and practice solutions
- Legal and ethical issues in computer security
- Computer security principles and practice 4th edition
- Computer fraud and security
- Csi computer crime and security survey
- Computer security safety ethics and privacy
- Computer security principles and practice
- Difference between datagram and virtual circuit network
- Features of peer to peer network and client server network
- Network centric computing
- Visa international security model diagram
- Cnss security model คือ
- Seven touchpoints for software security
- Computer hardware and network maintenance
- Token ring and token bus
- Computer networks vs distributed systems
- What is computer network and its applications
- Wlan meaning
- Palo alto networks certified network security engineer
- Network security protocols
- William stallings network security essentials 5th edition
- Message authentication is not concerned with
- Playfair cipher
- Network security monitoring open source