Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Network security
Similar to Network security (20)
Recently uploaded
Recently uploaded (20)
Network security
- 2. Acknowledgments Material is sourced from: CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission. CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission. Many other Network Security sources http://www.csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside Reviewers/Contributors: Todd Burri, Kahili Cheng Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
- 3. Objectives The student should be able to: Define attacks: script kiddy, social engineering, logic bomb, Trojan horse, phishing, pharming, war driving, war dialing, man-in-the-middle attack, SQL injection, virus, worm, root kit, dictionary attack, brute force attack, DOS, DDOS, botnet, spoofing, packet reply. Describe defenses: defense in depth, bastion host, content filter, packet filter, stateful inspection, circuit-level firewall, application-level firewall, de-militarized zone, multi-homed firewall, IDS, IPS, NIDS, HIDS, signature-based IDS, statistical-based IDS, neural network, VPN, network access server (RADIUS/TACACS), honeypot, honeynet, hash, secret key encryption, public key encryption, digital signature, PKI, vulnerability assessment Identify techniques (what they do): SHA1/SHA2, MD2/MD4/MD5, DES, AES, RSA, ECC. Describe and define security goals: confidentiality, authenticity, integrity, non- repudiation Define service’s & server’s data in the correct sensitivity class and roles with access Define services that can enter and leave a network Draw network Diagram with proper zones and security equipment
- 4. The Problem of Network Security The Internet allows an attacker to attack from anywhere in the world from their home desk. They just need to find one vulnerability: a security analyst need to close every vulnerability. Solution: Layered defense
- 5. Stages of a Cyber-Operation Target Identification Opportunistic Attack: focuses on any easy-to- break-into site Targeted Attack: specific victim in mind Searches for a vulnerability that will work.
- 6. Hacking Networks Reconnaissance Stage Physical Break-In Dumpster Diving Google, Newsgroups, Web sites Social Engineering Phishing: fake email Pharming: fake web pages WhoIs Database & arin.net Domain Name Server Interrogations Registrant: Microsoft Corporation One Microsoft Way Redmond, WA 98052 US Domain name: MICROSOFT.COM Administrative Contact: Administrator, Domain domains@microsoft.com One Microsoft Way Redmond, WA 98052 US +1.4258828080 Technical Contact: Hostmaster, MSN msnhst@microsoft.com One Microsoft Way Redmond, WA 98052 US +1.4258828080 Registration Service Provider: DBMS VeriSign, dbms-support@verisign.com 800-579-2848 x4 Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions. Registrar of Record: TUCOWS, INC. Record last updated on 27-Aug-2006. Record expires on 03-May-2014. Record created on 02-May-1991. Domain servers in listed order: NS3.MSFT.NET 213.199.144.151 NS1.MSFT.NET 207.68.160.190 NS4.MSFT.NET 207.46.66.126 NS2.MSFT.NET 65.54.240.126 NS5.MSFT.NET 65.55.238.126
- 7. Hacking Networks Reconnaissance Stage War Driving: Can I find a wireless network? War Dialing: Can I find a modem to connect to? Network Scanning: What IP addresses, open ports, applications exist? Protocol Sniffing: What is being sent over communications lines?
- 8. Passive Attacks Eavesdropping: Listen to packets from other parties = Sniffing Traffic Analysis: Learn about network from observing traffic patterns Footprinting: Test to determine software installed on system = Network Mapping B PacketA C Bob Jennie Carl Login: Ginger Password: Snap
- 9. Hacking Networks: Gaining Access Stage Network Attacks: IP Address Spoofing Man-in-the-Middle System Attacks: Buffer Overflow Password Cracking SQL Injection Web Protocol Abuse Watering Hole Attack Trap Door Virus, Worm, Trojan horse a aa ab ac … ba bb … aaa aab aac …
- 10. Some Active Attacks Denial of Service: Message did not make it; or service could not run Masquerading or Spoofing: The actual sender is not the claimed sender Message Modification: The message was modified in transmission Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage Denial of Service Joe Ann Bill Spoofing Joe (Actually Bill) Ann Bill Message Modification Joe Ann Packet Replay Joe Ann Bill Bill
- 11. Man-in-the-Middle Attack 10.1.1.1 10.1.1.2 10.1.1.3 (1) Login (3) Password (2) Login (4) Password
- 12. SQL Injection Java Original: “SELECT * FROM users_table WHERE username=” + “’” + username + “’” + “ AND password = “ + “’” + password + “’”; Inserted Password: Aa’ OR ‘’=’ Java Result: “SELECT * FROM users_table WHERE username=’anyname’ AND password = ‘Aa’ OR ‘ ‘ = ‘ ‘; Inserted Password: foo’;DELETE FROM users_table WHERE username LIKE ‘% Java Result: “SELECT * FROM users_table WHERE username=’anyname’ AND password = ‘foo’; DELETE FROM users_table WHERE username LIKE ‘%’ Inserted entry: ‘|shell(“cmd /c echo “ & char(124) & “format c:”)|’ Login: Password: Welcome to My System
- 13. NIST SP 800-118 Draft Password Cracking: Dictionary Attack & Brute Force Pattern Calculation Result Time to Guess (2.6x1018 /month) Personal Info: interests, relatives 20 Manual 5 minutes Social Engineering 1 Manual 2 minutes American Dictionary 80,000 < 1 second 4 chars: lower case alpha 264 5x105 8 chars: lower case alpha 268 2x1011 8 chars: alpha 528 5x1013 8 chars: alphanumeric 628 2x1014 3.4 min. 8 chars alphanumeric +10 728 7x1014 12 min. 8 chars: all keyboard 958 7x1015 2 hours 12 chars: alphanumeric 6212 3x1021 96 years 12 chars: alphanumeric + 10 7212 2x1022 500 years 12 chars: all keyboard 9512 5x1023 16 chars: alphanumeric 6216 5x1028
- 14. Hacking Networks: Hiding Presence; Establishing Persistence Backdoor Trojan Horse Spyware/Adware Command & Control User-Level Rootkit Kernel-Level Rootkit Replaces system executables: e.g. Login, ls, du Replaces OS kernel: e.g. process or file control to hide Control system: system commands, log keystrokes, pswd Useful utility actually creates a backdoor. Slave forwards/performs commands; Spyware: Keystroke logger collects info: passwords, collect credit card #s, AdWare: insert ads, filter search results Spread & infect, list email addrs, DDOS attacks Bot
- 15. Distributed Denial of Service Zombies VictimAttacker Handler Can barrage a victim server with requests, causing the network to fail to respond to anyone Russia Bulgaria United States Zombies
- 16. Question An attack where multiple computers send connection packets to a server simultaneously to slow the firewall is known as: 1. Spoofing 2. DDOS 3. Worm 4. Rootkit
- 17. Question A man in the middle attack is implementing which additional type of attack: 1. Spoofing 2. DoS 3. Phishing 4. Pharming
- 19. Security: Defense in Depth Border Router Perimeter firewall Internal firewall Intrusion Detection System Policies & Procedures & Audits Authentication Access Controls
- 20. Bastion Host Computer fortified against attackers Applications turned off Operating system patched Security configuration tightened
- 21. Attacking the Network What ways do you see of getting in? The Internet De-Militarized Zone Private Network Border Router/Firewall Commercial Network Internal FirewallWLAN
- 22. Filters: Firewalls & Routers Route Filter: Verifies source/destination IP addresses Packet Filter: Scans headers of packets Content Filter: Scans contents of packet (e.g., IPS) Default Deny: Any packet not explicitly permitted is rejected Fail Safe or Fail Secure: If router fails, it fails shut The good, the bad & the ugly… Filter The bad & the ugly The Good
- 23. Packet Filter Firewall Web Request Ping Request FTP request Email Connect Request Web Response Telnet Request Email Response SSH Connect Request DNS Request Email Response Web Response Illegal Source IP Address Illegal Dest IP Address Microsoft NetBIOS Name Service
- 24. Campus Desire2Lear n Lab Health Services Register Library Students & Instructors Students & Instructors Nurses Public Web Public: Potential Students Graduates Login Confidential Private Public Legend Advisors & Registrars Informal Path of Logical Access PoS Staff
- 25. Step 1: Determine Services: Who, What, Where? Workbook Service (e.g., web, sales database) Source (e.g., home, world, local computer) Destination (local server, home, world, etc.) Registration, Desire2Learn Students and Instructors: Anywhere in the World Computer Service Servers Registration Registrars and Advisers: On campus Computer Service Servers Library databases On campus students and staff. Off-campus requires login Specific off-site library facilities Health Services On campus: nurses office Computer Service Servers External (Internet) web services On campus: Campus labs, dorms, faculty offices Anywhere in the world
- 26. Step 2: Determine Sensitivity of Services Workbook Service Name (E.g., web, email) Sensitivity Class (E.g., Confidential) Roles (E.g., sales, engineering) Server (*=Virtual) Desire2- Learn Private Current Students, Instructors Student_ Scholastic Registration Confidential Current Students, Registration, Accounting, Advising, Instructors Student_ Register Health Service Confidential Nurses Health_Servi ces Web Pages: activities, news, departments , … Public Students, Employees, Public Web_Services *
- 27. Isolation & Compartmentalization Compartmentalize network by Sensitivity Class & Role Segment Network into Regions = Zones E.g., DMZ, wireless, Payment Card Isolate Apps on Servers: physical vs. virtual (e.g. VMware) Virtual Servers combine onto one Physical server. has own OS and limited section of disk. Hypervisor software is interface between virtual system’s OS and real computer’s OS.
- 28. External DNS Web Server E-Commerce Email Server Protected Internal Network Zone Database/File Servers Internet Multi-Homed Firewall: Separate Zones Demilitarized Zone Screened Host The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall. Screening Device: Router Private Payment Card Zone IPS IDS
- 29. Step 3: Allocate Network Zones Workbook Zone Services Zone Description (You may delete or add rows as necessary) Internet This zone is external to the organization. De-Militar- ized Zone Web, Email, DNS This zone houses services the public are allowed to access in our network. Wireless Network Wireless local employees This zone connects wireless/laptop employees/students (and crackers) to our internal network. They have wide access. Private Server Zone Databases This zone hosts our student learning databases, faculty servers, and student servers. Confidential Zone Payment card, health, grades info This highly-secure zone hosts databases with payment and other confidential (protected by law) information. Private user Zone Wired staff/ students This zone hosts our wired/fixed employee/classroom computer terminals. They have wide univ. & external access. Student Lab Zone Student labs This zone hosts our student lab computers, which are highly vulnerable to malware. They have wide access
- 30. Step 4: Define Controls Workbook Zone Server (*=Virtual) Service Required Controls (Conf., Integrity, Auth., Nonrepud., with tools: e.g., Encryption/VPN, hashing, IPS) De- Militarized Zone Web_ Services*, Email_Server DNS_Server Web, Email, DNS Hacking: Intrusion Prevention System, Monitor alarm logs, Anti-virus software within Email package. Wireless Network Wireless local users Confidentiality: WPA2 Encryption Authentication: WPA2 Authentication Private Server Zone StudentSch olastic Student_Fil es Faculty_File s Classroom software, Faculty & student storage. Confidentiality: Secure Web (HTTPS), Secure Protocols (SSH, SFTP). Authentication: Single Sign-on through TACACS Hacking: Monitor logs
- 31. Data Privacy Confidentiality: Unauthorized parties cannot access information (->Secret Key Encryption Authenticity: Ensuring that the actual sender is the claimed sender. (->Public Key Encryption) Integrity: Ensuring that the message was not modified in transmission. (->Hashing) Nonrepudiation: Ensuring that sender cannot deny sending a message at a later time. (->Digital Signature) Confidentiality Joe Ann Bill Authenticity Joe (Actually Bill) Ann Bill Integrity Joe Ann Non-Repudiation Joe Ann Bill
- 32. Confidentiality: Encryption – Secret Key Examples: DES, AES Encrypt Ksecret Decrypt Ksecret plaintext ciphertext plaintext Sender, Receiver have IDENTICAL keys Plaintext = Decrypt(Ksecret, Encrypt(Ksecret,Plaintext)) NIST Recommended: 3DES w. CBC AES 128 Bit
- 33. Confidentiality, Authentication, Non-Repudiation Public Key Encryption Examples: RSA, ECC, Quantum Encrypt Kpublic Decrypt Kprivate Key ownerJoe Encryption (e.g., RCS) Decrypt Kpublic Encrypt Kprivate Message, private key Digital Signature Key owner Authentication, Non-repudiationJoe Sender, Receiver have Complimentary Keys Plaintext = Decrypt(kPRIV, Encrypt(kPUB,Plaintext)) Plaintext = Decrypt(kPUB, Encrypt(kPRIV,Plaintext)) NIST Recommended: 2011: RSA 2048 bit
- 34. Confidentiality: Remote Access Security Virtual Private Network (VPN) often implemented with IPSec Can authenticate and encrypt data through Internet (red line) Easy to use and inexpensive Difficult to troubleshoot Susceptible to malicious software and unauthorized actions Often router or firewall is the VPN endpoint The Internet Firewall VPN Concentrator
- 35. Integrity: Secure Hash Functions Examples: HMAC, SHA-2, SHA-3 Message H K Message H MessageK H H Compare Secure Hash Message H Message Message H H H H H Compare HMAC K K Ensures the message was not modified during transmission NIST Recommended: SHA-2, SHA-3 H Transmitted Hash
- 36. Encrypted K(Sender’s Private) Non-Repudiation: Digital Signature Electronic Signature Uses public key algorithm Verifies integrity of data Verifies identity of sender: non- repudiation Message Msg Digest
- 37. Authentication: Public Key Infrastructure (PKI) Digital Certificate User: Sue Public Key: 2456 1. Sue registers with CA through RA Certificate Authority (CA) Register(Owner, Public Key) 2. Registration Authority (RA) verifies owners 3. Send approved Digital Certificates 5. Tom requests Sue’s DC 6. CA sends Sue’s DC Sue Tom 4. Sue sends Tom message signed with Digital Signature 7. Tom confirms Sue’s DS
- 38. Hacking Defense: Intrusion Detection/Prevention Systems (IDS or IPS) Network IDS=NIDS Examines packets for attacks Can find worms, viruses, or defined attacks Warns administrator of attack IPS=Packets are routed through IPS Host IDS=HIDS Examines actions or resources for attacks Recognize unusual or inappropriate behavior E.g., Detect modification or deletion of special files Router Firewall IDS
- 39. IDS/IPS Intelligence Systems Signature-Based: Specific patterns are recognized as attacks Statistical-Based: The expected behavior of the system is understood If variations occur, they may be attacks (or maybe not) Neural Networks: Statistical-Based with self-learning (or artificial intelligence) Recognizes patterns Attacks: NastyVirus BlastWorm NastyVirus NIDS: ALARM!!! 0 10 20 30 40 50 60 70 80 90 Mon. Tues. Wed. Thurs. Sales Personnel Factory Normal
- 40. Hacking Defense: Evaluating Applications Unified Threat Management = SuperFirewall = firewall + IPS + anti-virus + VPN capabilities Concerns are redundancy and bandwidth. Blacklist= restrict access to particular web sites, e.g., social and email sites Whitelist= permit access to only a limited set of web sites.
- 41. Hacking Defense: Honeypot & Honeynet Honeypot: A system with a special software application which appears easy to break into Honeynet: A network which appears easy to break into Purpose: Catch attackers All traffic going to honeypot/net is suspicious If successfully penetrated, can launch further attacks Must be carefully monitored External DNS IDS Web Server E-Commerce VPN Server Firewall Honey Pot
- 42. Hacking Defense: Vulnerability Assessment Scan servers, work stations, and control devices for vulnerabilities Open services, patching, configuration weaknesses Testing controls for effectiveness Adherence to policy & standards Penetration testing
- 43. Router External DNS Email Public Web Server E-Commerce Firewall Zone 1: Student Labs & Files Internet Step 5: Draw Network Diagram Workbook Demilitarized Zone Zone 2: Faculty Labs & Files Student Records Student Billing Transcripts Student Scholastic Student History Zone 3:Confidential Data Student Billing
- 44. Path of Logical Access How would access control be improved? The Internet De-Militarized Zone Private Network Border Router/ Firewall Router/Firewall WLAN
- 45. Protecting the Network The Internet De-Militarized Zone Private Network Border Router: Packet Filter Bastion Hosts Proxy server firewall WLAN
- 46. University Scenario: Dual in-line Firewalls
- 47. Writing Rules Policies Network Filter Capabilities Write Rules Protected Network Audit Failures Corrections Fail-Safe: If the filter fails, it fails closed Default Deny: If a specific rule does not apply, The packet is dropped.
- 48. Firewall Configurations A A terminal firewall host Router Packet Filtering: Packet header is inspected Single packet attacks caught Very little overhead in firewall: very quick High volume filter A A terminal firewall host A Stateful Inspection State retained in firewall memory Most multi-packet attacks caught More fields in packet header inspected Little overhead in firewall: quick
- 49. Firewall Configurations A B terminal firewall host Circuit-Level Firewall: Packet session terminated and recreated via a Proxy Server All multi-packet attacks caught Packet header completely inspected High overhead in firewall: slow A B terminal firewall host A Application-Level Firewall Packet session terminated and recreated via a Proxy Server Packet header completely inspected Most or all of application inspected Highest overhead: slow & low volume A B B
- 50. Web Page Security SQL Filtering: Filtering of web input for SQL Injection Encryption/Authentication: Ensuring Confidentiality, Integrity, Authenticity, Non- repudiation Web Protocol Protection: Protection of State
- 51. Summary of Controls Conf- ident. Integ- rity Authen. Non- repud. Anti- Hack Encryption Protocols: S-HTTP, HTTPS, SSL, SSH2, PGP, S/MIME x ? ? Virtual Private Network (VPN): IPsec x x x Wireless: WPA2, TKIP, IEEE 802.11i x x x Hashing: HMAC, SHA, MD5 x Digital Signature x x Public Key Infrastructure x x x Centralized Access Control: RADIUS, TACACS x Kerberos x x Authentication: biometric, flash drive, token x
- 52. Conf- ident. Integ- rity Authen. Non- repud. Anti- Hack Firewall, App. or web firewall x Mobile device mgmt x Antivirus, Endpoint Security x Event Logs/SIEM x Intrusion Detection/Prevention Systems x Unified Threat Mgmt x Vulnerability Assessment x Risk, Policy Mgmt x Honeypot/Honeynet x Email security mgmt x x Bastion host x
- 53. Question A map of the network that shows where service requests enter and are processed 1. Is called the Path of Physical Access 2. Is primarily used in developing security policies 3. Can be used to determine whether sufficient Defense in Depth is implemented 4. Helps to determine where antivirus software should be installed
- 54. Question The filter with the most extensive filtering capability is the 1. Packet filter 2. Application-level firewall 3. Circuit-level firewall 4. State Inspection
- 55. Question The technique which implements non- repudiation is: 1. Hash 2. Secret Key Encryption 3. Digital Signature 4. IDS
- 56. Question Anti-virus software typically implements which type of defensive software: 1. Neural Network 2. Statistical-based 3. Signature-based 4. Packet filter
- 57. Question MD5 is an example of what type of software: 1. Public Key Encryption 2. Secret Key Encryption 3. Message Authentication 4. PKI
- 58. Question A personal firewall implemented as part of the OS or antivirus software qualifies as a: 1. Dual-homed firewall 2. Packet filter 3. Screened host 4. Bastion host
- 59. HEALTH FIRST CASE STUDY Designing Network Security Jamie Ramon MD Doctor Chris Ramon RD Dietician Terry Licensed Practicing Nurse Pat Software Consultant
- 60. Defining Services which can Enter and Leave the Network Service Source (e.g., home, world, local computer) Destination (local server, home, world, etc.)
- 61. Defining Services and Servers Workbook Service (e.g., web, sales database) Source (e.g., home, world, local computer) Destination (local server, home, world, etc.) Registration, Desire2Learn Students and Instructors: Anywhere in the World Computer Service Servers Registration Registrars and Advisers: On campus Computer Service Servers Library databases On campus students and staff. Off-campus requires login Specific off-site library facilities Health Services On campus: nurses office Computer Service Servers External (Internet) web services On campus: Campus labs, dorms, faculty offices Anywhere in the world
- 62. Define Services & Servers Which data can be grouped together by role and sensitivity/criticality? Service Name Sensitivity Class. Roles with Access Server Name Confidential – Management Public – Web Pages Privileged – Contracts
- 63. Evaluating Service Classes & Roles Workbook Service Name (E.g., web, email) Sensitivity Class (E.g., Confidential) Roles (E.g., sales, engineering) Server (*=Virtual) Desire2- Learn Private Current Students, Instructors Student_ Scholastic Registration Confidential Current Students, Registration, Accounting, Advising, Instructors Student_ Register Health Service Confidential Nurses Health_Servi ces Web Pages: activities, news, departments , … Public Students, Employees, Public Web_Services *
- 64. Defining Zones and Controls Compartmentalization: Zone = Region (E.g., DMZ, wireless, internet) Servers can be physical or virtual Zone Service Server Required Controls (Conf., Integrity, Auth., Nonrepud., with tools: e.g., Encryption/VPN)
- 65. Defining Zones Workbook Zone Services Zone Description (You may delete or add rows as necessary) Internet This zone is external to the organization. De-Militar- ized Zone Web, Email, DNS This zone houses services the public are allowed to access in our network. Wireless Network Wireless local employees This zone connects wireless/laptop employees/students (and crackers) to our internal network. They have wide access. Private Server Zone Databases This zone hosts our student learning databases, faculty servers, and student servers. Confidential Zone Payment card, health, grades info This highly-secure zone hosts databases with payment and other confidential (protected by law) information. Private user Zone Wired staff/ students This zone hosts our wired/fixed employee/classroom computer terminals. They have wide univ. & external access. Student Lab Zone Student labs This zone hosts our student lab computers, which are highly vulnerable to malware. They have wide access
- 66. Defining Controls for Services Workbook Zone Server (*=Virtual) Service Required Controls (Conf., Integrity, Auth., Nonrepud., with tools: e.g., Encryption/VPN, hashing, IPS) De- Militarized Zone Web_ Services*, Email_Server DNS_Server Web, Email, DNS Hacking: Intrusion Prevention System, Monitor alarm logs, Anti-virus software within Email package. Wireless Network Wireless local users Confidentiality: WPA2 Encryption Authentication: WPA2 Authentication Private Server Zone StudentSch olastic Student_Fil es Faculty_File s Classroom software, Faculty & student storage. Confidentiality: Secure Web (HTTPS), Secure Protocols (SSH, SFTP). Authentication: Single Sign-on through TACACS Hacking: Monitor logs
- 67. Router External DNS Email Public Web Server E-Commerce Firewall Zone 1: Student Labs & Files Internet Draw the Network Diagram Demilitarized Zone Zone 2: Faculty Labs & Files Student Records Student Billing Transcripts Student Scholastic Student History Zone 3:Student Data Student Billing
- 68. MS Visio Diagram
- 69. Reference Slide # Slide Title Source of Information 7 Passive Attacks CISA: page 331,333, 352 9 Some Active Attacks CISA: page 330, 332, 352 10 Man-in-the –Middle Attack CISA: page 331 12 Password Cracking: dictionary Attack & Brute Force CISA: page 330 14 Botnets CISA: page 330 15 Distributed Denial of Service CISA: page 330 23 Packet Filter Firewall CISA: page 353, 354 24 Firewall Configurations CISA: page 353 – 355 25 Firewall Configurations CISA: page 354 26 Multi-Homed Firewall: Separate Zones CISA: page 355 33 Intrusion Detection Systems (IDS) Intrusion Prevention System (IPS) CISA: page 355, 356 34 IDS Intelligence Systems CISA: page 356 35 Honeypot & Honeynet CISA: page 356, 357 37 Encryption – Secret Key CISA: page 357 38 Public Key Encryption CISA: page 357, 358 39 Remote Access Security CISA: page 361 40 Secure Hash Functions CISA: page 359, 361, 362 41 Digital Signature CISA: page 359 42 Public Key Infrastructure (PKI) CISA: page 359, 360
Editor's Notes
- Text on the right is an example of a ‘whois’ query. It is not a good idea to name the administrative contact. News/web sites are useful for learning about different subsidiaries, staff names or positions, new merges (potentially with less security). Dumpster diving can sometimes produce internal documentation – use a shredder.
- After the cracker knows something about the company, often the second stage would be to learn the network and computer configurations. War Driving: Listening with a high-powered receiver for wireless LAN signals. Tools indicate the power level, encryption type, and protocol details. War Dialing: Dials numbers within a range looking for a modem to answer. Network Mapping: Polls computers for which services they support Vulnerability Scanning Tools: Polls computers to learn services, service versions, configurations
- Network Mapping = Footprinting, same as on previous page. Traffic Analysis: Does a lot of traffic go between Point A and Point B, or Point C? Is it encrypted? This might be a concern if you are the military.
- Once a cracker knows the configuration of the network, it is possible to launch an attack to get in. The dog is ‘sniffing’ the login and password identification. These attacks will be defined on further slides. Note that they are of two varieties: attacks to the network, and attacks to the system.
- Denial of service (DOS): Prevent service. E.g. flood a network with traffic so legitimate traffic can’t get through Spoofing: cracker alters the ‘from’ address in the packet header to look like a trusted entity Packet replay: common method of gaining unauthorized access – e.g. sniffer observes a remote logon, repeats it Message Modification: Bill changes Joe’s original message, which was intended for Ann.
- 10.1.1.1 (2/3) are IP addresses The red computer here is pretending to be 10.1.1.1, and forward confidential information to 10.1.1.1.
- This example shows that people can fool your generated programmed SQL statement by inserting unexpected logins and passwords. This may be done by adding conditions, additional SQL statements, or by accessing the OS command line. Always sanitize your input.
- Calculation = &lt;number of possible characters&gt; to the &lt;password length&gt; power Result is maximum number of guesses needed to find the right password. This is taken from NIST, and assumes many computers are used in parallel to crack a password. Think criminal effort potentially using bots.
- Once the cracker has entered, they can expand their access and hide their break-in. A RootKit hides itself in the OS. For example, when you list processes, the malware is not listed. The RootKit may delete specific logs, or open a backdoor, to enable the attacker to enter easily. A Trojan Horse is software that is useful, but hides its malware intentions. For example, a game may be passed all around the internet, but may include spyware or adware (or other malware) within it. Bots are computers that have been taken over, and are now being used by the attacker for whatever purpose they would like.
- The terms ‘bot’ and ‘zombie’ are apparently interchangeable. A ‘botnet’ is a large number of bots (or zombies) used for DDOS attacks.
- 2 = Distributed Denial of Service
- 1
- Defense in depth is like layers of an onion – to get in you must go through multiple defenses. Think of the effectiveness of multiple layers of defense years ago with the castle shown. Then consider the defenses shown for a computer on the right.
- A bastion host is just a computer, server or system that is locked down against intruders. It is configured to have maximized security (strict firewall rules, well-patched) and minimized potential avenues of attack (minimal applications).
- What is the easiest way to get into this network? It may not be through the firewalls. It may be through the dial-up access, CDs or DVD drives, or WLANs. Also notice that a good network will be divided into sections. The De-Militarized Zone here is for public access. The Private Network is for internal access, and requires going through 2 firewalls, each with filtering.
- (From CISM) The Packet Filter may scan for source or destination IP addresses (computer IDs) and port addresses (service IDs).
- A Packet Filter firewall looks at the incoming packets. Some of them may be requests for connections, or responses to our connections. Normally PCs only initiate connections, such as web or email. Therefore, web and email requests we would expect to travel in the other direction (from PC to Internet). Most of these requests are illegal. Most likely a cracker is attempting to break into a server, or a PC which is willing to act as one. Other attacks include uses of invalid IP addresses, such as an IP address representing the internal network (pretending to originate from the inside of the network). In this case, the only packets that should make it through are replies to our web requests and email requests to a mail server.
- A screened host means a firewall with a border router that screens obvious attacks, such as network mapping. Multi-homed means that it has multiple zones to filter for. In this case there are 3 zones: Internet, DMZ and internal network. Notice the color scheme: Black/Brown: network security servers Green: Public services Yellow/orange: More security Red: Most secure – confidential information
- The tools in parenthesis provide the features specified.
- Symmetric encryption: each participant uses the same (shared secret) key. In the equation, P=Plaintext, E=Encryption, D=Decryption NIST = National Institute for Standards and Technology, an American department of recommendations.
- Asymmetric encryption: each user has a public key and a private key. They are not easily mathematically related; that is, having the public key will not enable someone to calculate the private key. However a message encrypted with one can be decrypted with the other. The private key can also be used as a digital signature (next slide). This encryption technique can be used to send encrypted information or to authenticate a packet as originating from the sender, as shown above in the top and bottom examples, respectively. Public key encryption is a wonderful technique. However, it is processor-intensive, and not useful for longterm data communications sessions. Therefore, it is often used to provide a Secret key between two endpoints, and then the Secret key is used thereafter.
- A VPN creates an encrypted point-to-point path between two computers. Here the line in red is encrypted. Often it uses Public Key Encryption to communicate a Secret Key, then uses Secret Key encryption to encrypt the session data.
- Hashes implement Integrity. A message is hashed and the hash (H) is sent along with the message. When received, the message is hashed again and the two hashes are compared. Small changes to a message will result in large changes to the hash, so if the message was altered this method will detect it, although it won’t identify what those changes were. In the first case (MAC), the Hash is calculated using an associated secret key (K). In the second case (One-way hash), a standard-calculated hash is encrypted (E) using a secret key (K) Note that the message itself is not encrypted – it only gets a sophisticated checksum. MD = Message Digest SHA = Secure Hash Algorithm
- A Digital Signature is used for authentication, integrity, and non-repudiation. It serves the same purpose as signing a contract with ink – but digitally. The private key is used in creating a hash of the message, which provides both integrity and nonrepudiation.
- 3rd party authentication is used for authentication and non-repudiation. Steps 1-3 establish the Digital Certificate (DC). Steps 4-7 send a message which is verified using the Digital Certificate CA=Certificate Authority RA=Registration Authority
- The difference between and IDS and IPS is that the IDS reports on something but does not filter it. The IPS filters and prevents attacks. An IDS may react to an attack by sending disconnect packets for a connection. While IPS definitely sounds better, the implementation may be difficult. Not all things that look like attacks are attacks – therefore, optimizing an IDS/IPS is necessary to get rid of false positives and false negatives – or normal events looking like attacks and vice versa. A HIDS is always on one computer, scanning that one computer. The NIDS monitors traffic in a network.
- Anti-virus software is an example of Signature-based Software. Above you can see that for the graph, on Wed, we had some unusual traffic that needs looking into.
- A Honeypot or Honeynet has no useful purpose other than to catch attackers. It may be used as a form of an IDS. While it sounds fun and interesting, they need to be maintained and monitored: if an attacker does gain entry, they now can attack from within the network.
- Penetration testing can test from outside the network to determine what vulnerabilities remain.
- Notice the color coding and the zones.: Green: Public Yellow: Some confidentiality concern. Often located on a separate server from other colors and other functions. Internal rating. Orange: More security required. Private. Red: Most security required. Confidential. Sometimes two processes with different roles may have separate servers or VMwares, to minimize break-into both servers, if break-in into one occurs.
- The Path of Logical Access shows where requests enter and are processed. Two paths of logical access are shown, via brown arrows through WLAN and to server, and red arrows through laptop and server. Visitors from the internet must get through a firewall, then either the logical access controls (LAC) in the database servers in the demilitarized zone (DMZ), or through a second firewall and the LAC in the internal network’s servers. Entering via the wireless LAN bypasses all that (except for the internal LAC), as does using a disk or flash drive. The latter (wireless/portable media access) shows that this organization depends on physical controls and internal access control mechanisms (including employee trustworthiness) to prevent unauthorized use by those means. This leaves the private network server and the printer vulnerable.
- Here the WLAN and dial-up interface must go through a firewall before accessing the private network – good idea!!!
- ‘Rules’ means the settings on your defenses; what will the firewall allow past, what will cause the intrusion detection system (IDS) to react, etc. Rules are going to depend on the capabilities of your equipment and the goals and/or risk appetite of the organization, as reflected in policy.
- Here the red is the packet header being inspected, and the green is the part of the packet which is not inspected. When an A is displayed in the firewall, this means that the firewall has state information about each connection and can detect more anomalies. For example, connection-oriented protocols require you to connect before sending data. If data is received before the connection is established, then obviously the data is bad. In the Stateful Inspection, the state of Disconnected, Connected is maintained. In some cases, many states are possible.
- Here the firewalls create separate connections with the two endpoints, thus maintaining extensive state information about each. Notice that the amount of the packet inspected (red) is a larger portion of the packet than with previous firewalls. Obviously, the best firewall would inspect all of the packet. However, the more it inspects, the more processing power the filtering requires. Thus, very good firewalls handle smaller packet volumes.
- HTML is stateless. That is, information about the connection and data transactions have to be held by the endpoint computers. This can be exploited by a skilled hacker. Cookies and client-side scripts are two examples. In some cases, servers do not retain state but instead send information in a request which can be manipulated by the client before being returned. This is another form of attack.
- 3 is correct. 1: It is actually called the Path of Logical Access
- 2 – Application-level firewall
- 3 – Digital Signature
- 3 – Signature-based
- 3 - Messag
- Bastion host would have other requirements: up-to-date patches, applications turned off. A dual-homed firewall requires access to two networks. A screened host refers to a firewall with an external router screening it.
- The Firewall will let certain locations and services enter and leave the network
- Notice the color coding and the zones.: Green: Public Yellow: Some confidentiality concern. Often located on a separate server from other colors and other functions. Internal rating. Orange: More security required. Private. Red: Most security required. Confidential. Sometimes two processes with different roles may have separate servers or VMwares, to minimize break-into both servers, if break-in into one occurs.