• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
G53SEC 1 Network Security Hijacking, flooding, spoofing and ...
 

G53SEC 1 Network Security Hijacking, flooding, spoofing and ...

on

  • 901 views

 

Statistics

Views

Total Views
901
Views on SlideShare
901
Embed Views
0

Actions

Likes
0
Downloads
22
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • - So far talked about Computer Security theory Moving onto more practical aspects of security Networks - communication infrastructure for transmitting data between nodes in a distributed system OSI – layered abstract description for communications and computer network protocol design
  • Passive – just listens Traffic analysis – identifying communication patterns Linkability – messages coming from the same source who is talking to whom in mobile services – location of user Active – modifies messages, inserts new messages, corrupts network info Spoofing – messages come from forged sender addresses (also DNS cache poisoning) Squatting – attacker claims to be at victim’s location (phishing) – natwest.com.registry.cz
  • Attacker initiates genuine connection Receives a number from victim A impersonates someone else Someone else receives a reply Attacker guesses the new number and sends it back to victim Victim thinks its talking to the other user, but instead receives data from victim Prevention – firewall blocking traffic from outside which contain local addresses avoid address based authentication – crypto authentication better
  • Layer – collection of related functions providing services to layer above it and receives services from layer below it Useful for fitting various protocols into this framework IP stack – application – telnet, ftp, http - transport – TCP/UDP - IP/Internet - link –specific to hardware
  • Connectionless and stateless – each datagram treated as an independent entity
  • Confidentiality – as inner IP datagram is not visible - encrypted
  • Properties guaranteed by tcp – e.g. reliable delivery of data
  • Dial-in and WIFI – unprotected entry point not protected by Firewalls
  • Dial-in and WIFI – unprotected entry point not protected by Firewalls
  • Difficult to handle (e.g. ftp – firewall cannot link data sent back by server to the original request)
  • High level of security – as long as config is correct

G53SEC 1 Network Security Hijacking, flooding, spoofing and ... G53SEC 1 Network Security Hijacking, flooding, spoofing and ... Presentation Transcript

  • G53SEC Network Security Hijacking, flooding, spoofing and some honey
  • G53SEC
    • Overview of Today’s Lecture:
      • Threat Models
      • Communication Models
      • Protocol Design Principles
      • IPSec
      • SSL/TLS
      • DNS
      • Firewalls
      • IDS
      • Honeypots
  • G53SEC
    • Introduction :
      • Networks
      • Data sent from one node to another
      • Network protocols - transmission and its problems
      • OSI security architecture
        • Security Services, implemented by
        • Security Mechanisms (mostly cryptography)
      • Access Control – Firewalls
      • Intrusion Detection Systems
  • G53SEC
    • Threat Models :
      • Passive attackers
      • - eavesdropping / wiretapping / sniffing
      • - Traffic Analysis (e.g. linkability)
      • Active attackers
      • - Spoofing attacks (MiM, Phishing, e-mail)
      • - Squatting attacks (Phishing)
  • G53SEC
    • Communication Models :
      • In formal models protocol analysis
      • - internet – cloud
      • - messages can be seen/modified by anyone
      • Not best model for all security issues
      • In security analysis
        • Adversary can only read messages directly addressed to him/her
        • can spoof addresses
  • G53SEC
    • Examples of Security Analysis :
      • TCP session hijacking
      • - Due to address based authentication
        • 3 way handshake protocol
        • Attacker can't see output of this session
        • Attacker able to execute commands with another users privileges
  • G53SEC
    • Examples of Security Analysis :
      • TCP SYN flooding
      • - victim stores number sent by user
      • - attacker never finished 3 way handshake
      • - attacker initiates large number of SYN requests
      • - victim reaches its half-open connection limit
      • - Denial of service
      • - Prevention – modification to handshake protocol to be stateless
  • G53SEC
    • Protocol Design Principles :
      • Open Systems Interconnection model
      • Framework for layering network protocols
      • 7 layers
    OSI model Application Presentation Session Transport Network Link Physical
  • G53SEC
    • IP Security :
      • IP connectionless and stateless
      • provides a best-effort service
      • no guaranteed delivery of packets
      • no mechanism for maintaining order
      • NO security protection (IPv4)
      • In IPv6 – security architecture - IPsec
  • G53SEC
    • IP Security :
      • Optional in IPv4 and mandatory for IPv6
      • 2 major security mechanisms
      • - IP Authentication Header
      • - IP Encapsulation Security Payload
      • Does not contain mechanism to prevent traffic analysis
  • G53SEC
    • IP Security – Authentication Header :
      • Protects the integrity and authentication of IP packets
      • Does not protect confidentiality
      • Originally developed due to export restrictions of encryption mechanisms
      • Restrictions lifted, thus
      • Encapsulating Security Payloads now preferred to simplify IPsec implementation
  • G53SEC
    • IP Security – Encapsulating Security Payloads :
      • Provides:
      • - confidentiality
      • - data origin authentication
      • - some replay protection
      • - limited traffic flow confidentiality
      • Achieved by encryption of payload
      • Encapsulated within original IP packet
  • G53SEC
    • IP Security – Encapsulating Security Payloads :
      • transport mode
      • - a protocol frame is encapsulated
      • - and encrypted
      • - provides end-to-end protection of packets
      • - end hosts need to be IPsec aware
  • G53SEC
    • IP Security – Encapsulating Security Payloads :
      • tunnel mode
        • entire datagram treated as new payload
        • can be thought of as IP within IP
        • can be performed at security gateways
        • host need not be IPsec aware
        • provides traffic flow confidentiality
  • G53SEC
    • IP Security :
      • IPsec services use encryption
      • But are not tied to one particular key management protocol
      • Considers possibility of future flaws
    • Summary
      • IPsec provides transparent security for everyone using IP, without changing interface of IP
      • Provides host-to-host security but with an overhead
  • G53SEC
    • Secure Socket Layer/ Transport Layer Security :
      • TCP – a stateful connection oriented protocol
      • Performs address based entity authentication
      • Vulnerable to attacks – hijacking, flooding
      • Lacks strong cryptographic mechanisms
      • These were introduced in SSL by Netscape
      • TLS identical to SSL v.3
  • G53SEC
    • Secure Socket Layer/ Transport Layer Security :
    • SSL
      • Sits between application layer and TCP
      • Relies on properties guaranteed by TCP
      • Stateful and connection oriented
      • Contains handshake protocol where client and server agree on cipher suite
      • This is then used for secure transmisison
      • Most widely used Internet security protocol
  • G53SEC
    • Domain Name System :
      • www.nottingham.ac.uk – Domain name
      • 128.243.40.30 – IP address
      • Translation of domain name to IP address – DNS
      • Information maintained by DNS servers
      • DNS lookup – name -> IP address
      • DNS reverse lookup – IP address -> name
  • G53SEC
    • Domain Name System :
      • Attacker can corrupt DNS information
      • thus can redirect users to fake sites
      • or make sites seem unavailable – DoS attack
      • This gets even worse when corruption is propagated between DNS servers
      • Work on secure DNS service (DNSEC) underway
  • G53SEC
    • Firewalls :
      • Cryptographic mechanisms – confidentiality and integrity
      • Authentication protocols – verify sources of data
      • Access control at network level – firewalls
      • Firewall
      • “ A network device controlling traffic between two parts of a network”
  • G53SEC
    • Firewalls :
      • Generally installed between LAN and Internet
      • or between different LANs
      • or on individual hosts
      • Should control traffic to and from a protected network
      • But ALL traffic has to go through it in order for it to be effective
      • e.g. issue Dial-in lines and Wifi LANs
  • G53SEC
    • Firewalls :
      • Defend a protected network against parties accessing services that should only be available internally
      • Can also restrict access from inside to outside services (e.g. IRC, P2P)
      • Virtual Private Network
        • - A secure connection between two gateways
      • Network Address Translation
      • - hides internal machines with private addresses
  • G53SEC
    • Firewalls :
      • Packet filters:
      • Specify which packets are allowed or dropped
      • Rules based on source and destination IP address
      • and TCP and UDP port numbers
      • possible for both inbound and outbound
      • Can be implemented in a router examining packet headers
  • G53SEC
    • Firewalls :
      • Packet filters - Issues:
      • Only crude rules enforced
      • Certain common protocols are difficult to handle
      • We can have blanket rules (e.g. block all port 21 traffic)
      • We cannot have dynamically defined rules
  • G53SEC
    • Firewalls :
      • Stateful Packet filters:
      • Understand requests and replies
      • Can support policies for a wider range of protocols than simple packet filters
      • Again can be done in routers (fast and cheap)
      • iptables – a Linux implementation
  • G53SEC
    • Firewalls :
      • Circuit-Level Proxies:
      • rules similar to packet filters
      • allowed connections generate new connections from firewall to destination
      • rarely used in practice these days
      • functionally similar to stateful packet filters but with lower performance
  • G53SEC
    • Firewalls :
      • Application-Level Proxies:
      • Client - > Server
      • Client -> Proxy -> Server-> Proxy -> Client
      • Another instance of controlled invocation
      • e.g. Mail proxy – filters emails for spam, viruses, etc…
      • Proxy server – only entity seen by the outside world
      • Transparent to users
  • G53SEC
    • Firewalls :
      • Application-Level Proxies:
      • Typically run on a hardened PC
      • Provide close control over content
      • Offer high level of security
      • Issues
      • Large overhead per connection
      • More expensive than packet filters
      • Configuration complex
      • A separate proxy server required for each service to be protected
  • G53SEC
    • Firewalls :
      • Policies:
      • Permissive – allow everything except dangerous services
      • easy to make a mistake or forget something
      • Restrictive – block everything except designated useful services
      • More secure but if blocked something that is needed – DoS
  • G53SEC
    • Firewalls :
      • Location of firewall important
      • Demilitarised Zone (DMZ) – selective access to services from both inside and outside networks
      • Firewall issues:
      • No protection against insider threats
      • May cause inconvenience
      • Tunnelling
      • Encrypted traffic cannot be examined
  • G53SEC
    • Intrusion Detection Systems :
      • Cryptographic mechanisms help, but…
      • Impossible to prevent all attacks
      • DoS attacks
      • Insider Attacks
      • Badly configured firewalls
      • Already happening attacks not detectable
      • -> Intrusion Detection Systems
  • G53SEC
    • Intrusion Detection Systems :
      • Consists of a number of sensors (network or host)
      • Sensors collect various data
      • Data is analysed
      • Intrusion reported
      • and possibly reactions triggered
  • G53SEC
    • Intrusion Detection Systems :
      • Misuse Detection
      • - looks for attack signatures
      • - signatures – patterns of network traffic
      • - e.g. no. of failed login attempts
      • - only as good as its database of attack signatures
      • - new attacks -> signature needs to be created
      • - IDS needs to update its database
  • G53SEC
    • Intrusion Detection Systems :
      • Anomaly Detection
      • - Statistical / Behaviour-based detection
      • - uses statistical techniques
      • - first ‘normal’ behaviour is established as baseline
      • - during operation if behaviour of monitored system deviates from baseline and exceeds a threshold ->
      • -> alarm is issued
  • G53SEC
    • Intrusion Detection Systems :
      • Anomaly Detection
      • - Possibility of detecting novel attacks
      • - However only detects anomalies
      • - Anomaly is not necessarily an attack
      • - Attack is not necessarily anomalous
      • - False positives (false alarm)
      • - False negatives (attack detected as normal)
  • G53SEC
    • Intrusion Detection Systems :
      • Network based IDS
      • - attack signatures of network traffic
      • - e.g. SNORT, Firestorm
      • Host Based IDS
      • - attack signatures from system activity
      • Most effective IDS systems to date combine the two.
  • G53SEC
    • Vulnerability Assessment and Honeypots :
      • Vulnerability Assessment
      • - examines the security state of a network or a host
      • - info on open ports, package version, etc..
      • Honeypots
      • - a resource to track attackers and to learn and gather evidence about their activities
      • - designed to mimic real systems
      • - low and high interaction hneypots
  • G53SEC
    • Summary:
      • Networking Protocols
      • Firewalls
      • Intrusion Detection